@zuplo/runtime 6.70.57 → 6.70.60

@@ -22,28 +22,28 @@
22
22
  * DEALINGS IN THE SOFTWARE.
23
23
  *--------------------------------------------------------------------------------------------*/
24
24
 
25
- import{$b as kt,Ab as Ds,Ac as oo,Bb as Hs,Bc as io,Cb as zs,Cc as fr,Db as Ls,Dc as ao,Eb as Bs,Ec as so,Fb as js,Fc as hr,G as An,Gb as Ns,Gc as _e,H as l,Hb as Gs,Hc as co,I as Un,Ib as $s,Ic as uo,J as sr,Jb as zn,Jc as lo,K as ee,Kb as Ln,Kc as po,L as kn,Lb as Bn,Lc as mo,M as y,Mb as It,Mc as fo,N as de,Nb as cr,Nc as ho,O as Ct,Ob as xt,Oc as b,P as Pn,Pb as At,Pc as x,Q as Tn,Qb as Je,Qc as le,R as En,Rb as jn,Rc as U,S as d,Sb as Nn,Sc as go,T as G,Tb as Gn,Tc as Fs,Ub as We,Vb as $n,Wb as Ut,Xb as Fn,Yb as dr,Z as On,Zb as Zn,_b as Ve,a as Rt,ac as Kn,bc as Jn,cc as Wn,dc as Vn,ec as K,fc as Yn,gb as ye,gc as Xn,hb as T,hc as R,i as ge,ib as qn,ic as re,j as Sn,jb as g,jc as k,kb as Ue,kc as Pt,l as In,lb as ke,lc as L,mb as Pe,mc as F,nb as Te,nc as Qn,ob as vt,oc as eo,p as xn,pb as Mn,pc as Tt,qb as $,qc as to,r as bt,rb as Dn,rc as ne,sb as te,sc as ur,tb as _,tc as lr,ub as St,uc as ro,vb as M,vc as Et,wb as ue,wc as pr,xb as Hn,xc as mr,yb as qs,yc as no,zb as Ms,zc as D}from"../chunk-XAW2AYUG.js";import{d as ar}from"../chunk-JRXZBVXH.js";import{a as C}from"../chunk-4SACVMDH.js";import{$ as ce,a as n,aa as h,ba as q,ca as vn,da as wt}from"../chunk-ZIKV2LUM.js";G();function Zs(e){let t=At.safeParse(e);return t.success?t.data.id:void 0}n(Zs,"parseJsonRpcRequestId");function yo(e){if(e!==void 0)try{let t=JSON.parse(new TextDecoder().decode(e));return Zs(t)}catch{return}}n(yo,"readJsonRpcRequestIdFromBody");function Ot(e){return jn.parse({jsonrpc:xt,...e.id===void 0?{}:{id:e.id},error:{code:e.error.code,message:e.error.message,...e.error.data===void 0?{}:{data:e.error.data}}})}n(Ot,"jsonRpcErrorResponse");function _o(e){return new Gn([Nn.parse({mode:"url",message:e.message,elicitationId:e.elicitationId,url:e.url})],e.message)}n(_o,"urlElicitationRequiredError");var 
qt=d.record(d.string(),d.unknown()),Ks=d.record(d.string(),d.unknown()),Js=d.object({name:d.string().min(1),description:d.string().min(1).optional(),annotations:Ks.optional(),_meta:qt.optional()}).strict(),Ws=d.object({name:d.string().min(1),description:d.string().min(1).optional(),_meta:qt.optional()}).strict(),Vs=d.object({uri:d.string().min(1),name:d.string().min(1).optional(),description:d.string().min(1).optional(),mimeType:d.string().min(1).optional(),_meta:qt.optional()}).strict(),Ys=d.object({uriTemplate:d.string().min(1),name:d.string().min(1).optional(),description:d.string().min(1).optional(),mimeType:d.string().min(1).optional(),_meta:qt.optional()}).strict(),Xs=d.array(d.union([d.string(),Js])),Qs=d.array(d.union([d.string(),Ws])),ec=d.array(d.union([d.string(),Vs])),tc=d.array(d.union([d.string(),Ys])),rc=d.object({tools:Xs.optional(),prompts:Qs.optional(),resources:ec.optional(),resourceTemplates:tc.optional()}).strict(),yr=[{option:"tools",listMethod:"tools/list",resultProperty:"tools",itemProperty:"name",directMethods:[{method:"tools/call",paramProperty:"name"}]},{option:"prompts",listMethod:"prompts/list",resultProperty:"prompts",itemProperty:"name",directMethods:[{method:"prompts/get",paramProperty:"name"}]},{option:"resources",listMethod:"resources/list",resultProperty:"resources",itemProperty:"uri",directMethods:[{method:"resources/read",paramProperty:"uri"}]},{option:"resourceTemplates",listMethod:"resources/templates/list",resultProperty:"resourceTemplates",itemProperty:"uriTemplate",directMethods:[]}];function nc(e,t){return Hn(rc,e,`MCP capability filter policy "${t}"`)}n(nc,"parseMcpCapabilityFilterOptions");function H(e){return e!==null&&typeof e=="object"&&!Array.isArray(e)}n(H,"isRecord");function oc(e,t){if(!H(e))return;let r=e[t];return typeof r=="string"?r:void 0}n(oc,"readParamString");function _r(e){let t=e.id;return typeof t=="string"||typeof t=="number"||t===null?t:void 0}n(_r,"readRequestId");function Co(e){return e===void 
0?void 0:JSON.stringify(e)}n(Co,"requestIdKey");function ic(e){let t={};for(let r of yr){let o=e[r.option];if(o===void 0)continue;let i=new Map;for(let a of o){let s=dc(a,r.itemProperty);s!==void 0&&i.set(s.key,s)}t[r.option]=i}return t}n(ic,"buildProjectionMaps");function wr(e){return yr.find(t=>t.listMethod===e)}n(wr,"findListRule");function ac(e){return e.requests.some(t=>{if(!H(t))return!1;let r=wr(t.method);return r!==void 0&&e.projectionMaps[r.option]!==void 0})}n(ac,"shouldFilterListResponses");function sc(e){for(let t of yr){let r=e.projectionMaps[t.option];if(r!==void 0)for(let o of t.directMethods){if(e.request.method!==o.method)continue;let i=oc(e.request.params,o.paramProperty);if(i!==void 0&&!r.has(i))return{id:_r(e.request)}}}}n(sc,"findDisallowedDirectAccess");function cc(e){return Response.json(Ot({id:e,error:{code:Je.MethodNotFound,message:"Method not found"}}))}n(cc,"methodNotFoundResponse");function dc(e,t){if(typeof e=="string")return{key:e,overlay:{}};if(!H(e))return;let r=e[t];if(typeof r=="string")return{key:r,overlay:e}}n(dc,"buildProjection");function wo(e){let t=e.base[e.property],r=e.overlay[e.property];return H(r)?H(t)?{...t,...r}:r:t}n(wo,"mergeRecordProperty");function uc(e,t){let r={...e,...t.overlay},o=wo({base:e,overlay:t.overlay,property:"annotations"});o!==void 0&&(r.annotations=o);let i=wo({base:e,overlay:t.overlay,property:"_meta"});return i!==void 0&&(r._meta=i),r}n(uc,"applyProjection");function Ro(e,t,r){if(!H(e))return e;let o=e.result;if(!H(o))return e;let i=o[t.resultProperty];return!Array.isArray(i)||!i.every(a=>H(a)&&typeof a[t.itemProperty]=="string")?e:{...e,result:{...o,[t.resultProperty]:i.flatMap(a=>{if(!H(a))return[];let s=a[t.itemProperty];if(typeof s!="string")return[];let c=r.get(s);return c===void 0?[]:[uc(a,c)]})}}}n(Ro,"filterAndProjectItems");function lc(e){let t=new Map;if(!Array.isArray(e))return t;for(let r of e){if(!H(r))continue;let o=wr(r.method),i=_r(r),a=Co(i);o!==void 0&&a!==void 
0&&t.set(a,o)}return t}n(lc,"buildListRulesByResponseId");function pc(e){if(Array.isArray(e.responseBody)){let o=lc(e.requestBody);return o.size===0?e.responseBody:e.responseBody.map(i=>{if(!H(i)||"error"in i)return i;let a=Co(_r(i)),s=a===void 0?void 0:o.get(a),c=s===void 0?void 0:e.projectionMaps[s.option];return s===void 0||c===void 0?i:Ro(i,s,c)})}if(!H(e.requestBody)||!H(e.responseBody)||"error"in e.responseBody)return e.responseBody;let t=wr(e.requestBody.method),r=t===void 0?void 0:e.projectionMaps[t.option];return t===void 0||r===void 0?e.responseBody:Ro(e.responseBody,t,r)}n(pc,"filterJsonRpcResponse");async function bo(e){return e.clone().json()}n(bo,"readJson");function mc(e){return e.headers.get("content-type")?.includes("json")??!1}n(mc,"isJsonResponse");var gr=class extends bt{static{n(this,"McpCapabilityFilterInboundPolicy")}#e;constructor(t,r){let o=nc(t,r);super(o,r),this.#e=ic(o)}async handler(t,r){Rt("policy.inbound.mcp-capability-filter");let o;try{o=await bo(t)}catch{return t}let i=Array.isArray(o)?o:[o];for(let a of i){if(!H(a))continue;let s=sc({request:a,projectionMaps:this.#e});if(s!==void 0)return cc(s.id)}return ac({requests:i,projectionMaps:this.#e})&&r.addResponseSendingHook(async a=>{if(!mc(a))return a;let s;try{s=await bo(a)}catch{return a}let c=pc({requestBody:o,responseBody:s,projectionMaps:this.#e});if(c===s)return a;let u=new Headers(a.headers);return u.delete("content-length"),new Response(JSON.stringify(c),{status:a.status,statusText:a.statusText,headers:u})}),t}};var Rr;Rr=globalThis.crypto;async function fc(e){return(await Rr).getRandomValues(new Uint8Array(e))}n(fc,"getRandomValues");async function hc(e){let t="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._~",r=Math.pow(2,8)-Math.pow(2,8)%t.length,o="";for(;o.length<e;){let i=await fc(e-o.length);for(let a of i)a<r&&(o+=t[a%t.length])}return o}n(hc,"random");async function gc(e){return await hc(e)}n(gc,"generateVerifier");async function yc(e){let 
t=await(await Rr).subtle.digest("SHA-256",new TextEncoder().encode(e));return btoa(String.fromCharCode(...new Uint8Array(t))).replace(/\//g,"_").replace(/\+/g,"-").replace(/=/g,"")}n(yc,"generateChallenge");async function br(e){if(e||(e=43),e<43||e>128)throw`Expected a length between 43 and 128. Received ${e}.`;let t=await gc(e),r=await yc(t);return{code_verifier:t,code_challenge:r}}n(br,"pkceChallenge");G();var E=Un().superRefine((e,t)=>{if(!URL.canParse(e))return t.addIssue({code:Tn.custom,message:"URL must be parseable",fatal:!0}),An}).refine(e=>{let t=new URL(e);return t.protocol!=="javascript:"&&t.protocol!=="data:"&&t.protocol!=="vbscript:"},{message:"URL cannot use javascript:, data:, or vbscript: scheme"}),Mt=Ct({resource:l().url(),authorization_servers:y(E).optional(),jwks_uri:l().url().optional(),scopes_supported:y(l()).optional(),bearer_methods_supported:y(l()).optional(),resource_signing_alg_values_supported:y(l()).optional(),resource_name:l().optional(),resource_documentation:l().optional(),resource_policy_uri:l().url().optional(),resource_tos_uri:l().url().optional(),tls_client_certificate_bound_access_tokens:ee().optional(),authorization_details_types_supported:y(l()).optional(),dpop_signing_alg_values_supported:y(l()).optional(),dpop_bound_access_tokens_required:ee().optional()}),Ye=Ct({issuer:l(),authorization_endpoint:E,token_endpoint:E,registration_endpoint:E.optional(),scopes_supported:y(l()).optional(),response_types_supported:y(l()),response_modes_supported:y(l()).optional(),grant_types_supported:y(l()).optional(),token_endpoint_auth_methods_supported:y(l()).optional(),token_endpoint_auth_signing_alg_values_supported:y(l()).optional(),service_documentation:E.optional(),revocation_endpoint:E.optional(),revocation_endpoint_auth_methods_supported:y(l()).optional(),revocation_endpoint_auth_signing_alg_values_supported:y(l()).optional(),introspection_endpoint:l().optional(),introspection_endpoint_auth_methods_supported:y(l()).optional(),introspectio
n_endpoint_auth_signing_alg_values_supported:y(l()).optional(),code_challenge_methods_supported:y(l()).optional(),client_id_metadata_document_supported:ee().optional()}),_c=Ct({issuer:l(),authorization_endpoint:E,token_endpoint:E,userinfo_endpoint:E.optional(),jwks_uri:E,registration_endpoint:E.optional(),scopes_supported:y(l()).optional(),response_types_supported:y(l()),response_modes_supported:y(l()).optional(),grant_types_supported:y(l()).optional(),acr_values_supported:y(l()).optional(),subject_types_supported:y(l()),id_token_signing_alg_values_supported:y(l()),id_token_encryption_alg_values_supported:y(l()).optional(),id_token_encryption_enc_values_supported:y(l()).optional(),userinfo_signing_alg_values_supported:y(l()).optional(),userinfo_encryption_alg_values_supported:y(l()).optional(),userinfo_encryption_enc_values_supported:y(l()).optional(),request_object_signing_alg_values_supported:y(l()).optional(),request_object_encryption_alg_values_supported:y(l()).optional(),request_object_encryption_enc_values_supported:y(l()).optional(),token_endpoint_auth_methods_supported:y(l()).optional(),token_endpoint_auth_signing_alg_values_supported:y(l()).optional(),display_values_supported:y(l()).optional(),claim_types_supported:y(l()).optional(),claims_supported:y(l()).optional(),service_documentation:l().optional(),claims_locales_supported:y(l()).optional(),ui_locales_supported:y(l()).optional(),claims_parameter_supported:ee().optional(),request_parameter_supported:ee().optional(),request_uri_parameter_supported:ee().optional(),require_request_uri_registration:ee().optional(),op_policy_uri:E.optional(),op_tos_uri:E.optional(),client_id_metadata_document_supported:ee().optional()}),Dt=de({..._c.shape,...Ye.pick({code_challenge_methods_supported:!0}).shape}),Ee=de({access_token:l(),id_token:l().optional(),token_type:l(),expires_in:En.number().optional(),scope:l().optional(),refresh_token:l().optional()}).strip(),So=de({error:l(),error_description:l().optional(),error_uri
:l().optional()}),vo=E.optional().or(Pn("").transform(()=>{})),wc=de({redirect_uris:y(E),token_endpoint_auth_method:l().optional(),grant_types:y(l()).optional(),response_types:y(l()).optional(),client_name:l().optional(),client_uri:E.optional(),logo_uri:vo,scope:l().optional(),contacts:y(l()).optional(),tos_uri:vo,policy_uri:l().optional(),jwks_uri:E.optional(),jwks:kn().optional(),software_id:l().optional(),software_version:l().optional(),software_statement:l().optional()}).strip(),Ht=de({client_id:l(),client_secret:l().optional(),client_id_issued_at:sr().optional(),client_secret_expires_at:sr().optional()}).strip(),Xe=wc.merge(Ht),Kf=de({error:l(),error_description:l().optional()}).strip(),Jf=de({token:l(),token_type_hint:l().optional()}).strip();function Io(e){let t=typeof e=="string"?new URL(e):new URL(e.href);return t.hash="",t}n(Io,"resourceUrlFromServerUrl");function xo({requestedResource:e,configuredResource:t}){let r=typeof e=="string"?new URL(e):new URL(e.href),o=typeof t=="string"?new URL(t):new URL(t.href);if(r.origin!==o.origin||r.pathname.length<o.pathname.length)return!1;let i=r.pathname.endsWith("/")?r.pathname:r.pathname+"/",a=o.pathname.endsWith("/")?o.pathname:o.pathname+"/";return i.startsWith(a)}n(xo,"checkResourceAllowed");var A=class extends Error{static{n(this,"OAuthError")}constructor(t,r){super(t),this.errorUri=r,this.name=this.constructor.name}toResponseObject(){let t={error:this.errorCode,error_description:this.message};return this.errorUri&&(t.error_uri=this.errorUri),t}get errorCode(){return this.constructor.errorCode}},Qe=class extends A{static{n(this,"InvalidRequestError")}};Qe.errorCode="invalid_request";var we=class extends A{static{n(this,"InvalidClientError")}};we.errorCode="invalid_client";var Re=class extends A{static{n(this,"InvalidGrantError")}};Re.errorCode="invalid_grant";var be=class extends A{static{n(this,"UnauthorizedClientError")}};be.errorCode="unauthorized_client";var et=class extends 
A{static{n(this,"UnsupportedGrantTypeError")}};et.errorCode="unsupported_grant_type";var tt=class extends A{static{n(this,"InvalidScopeError")}};tt.errorCode="invalid_scope";var rt=class extends A{static{n(this,"AccessDeniedError")}};rt.errorCode="access_denied";var oe=class extends A{static{n(this,"ServerError")}};oe.errorCode="server_error";var nt=class extends A{static{n(this,"TemporarilyUnavailableError")}};nt.errorCode="temporarily_unavailable";var ot=class extends A{static{n(this,"UnsupportedResponseTypeError")}};ot.errorCode="unsupported_response_type";var it=class extends A{static{n(this,"UnsupportedTokenTypeError")}};it.errorCode="unsupported_token_type";var at=class extends A{static{n(this,"InvalidTokenError")}};at.errorCode="invalid_token";var st=class extends A{static{n(this,"MethodNotAllowedError")}};st.errorCode="method_not_allowed";var ct=class extends A{static{n(this,"TooManyRequestsError")}};ct.errorCode="too_many_requests";var Ce=class extends A{static{n(this,"InvalidClientMetadataError")}};Ce.errorCode="invalid_client_metadata";var dt=class extends A{static{n(this,"InsufficientScopeError")}};dt.errorCode="insufficient_scope";var ut=class extends A{static{n(this,"InvalidTargetError")}};ut.errorCode="invalid_target";var Ao={[Qe.errorCode]:Qe,[we.errorCode]:we,[Re.errorCode]:Re,[be.errorCode]:be,[et.errorCode]:et,[tt.errorCode]:tt,[rt.errorCode]:rt,[oe.errorCode]:oe,[nt.errorCode]:nt,[ot.errorCode]:ot,[it.errorCode]:it,[at.errorCode]:at,[st.errorCode]:st,[ct.errorCode]:ct,[Ce.errorCode]:Ce,[dt.errorCode]:dt,[ut.errorCode]:ut};function Rc(e){return["client_secret_basic","client_secret_post","none"].includes(e)}n(Rc,"isClientAuthMethod");var Cr="code",vr="S256";function bc(e,t){let r=e.client_secret!==void 0;return"token_endpoint_auth_method"in 
e&&e.token_endpoint_auth_method&&Rc(e.token_endpoint_auth_method)&&(t.length===0||t.includes(e.token_endpoint_auth_method))?e.token_endpoint_auth_method:t.length===0?r?"client_secret_basic":"none":r&&t.includes("client_secret_basic")?"client_secret_basic":r&&t.includes("client_secret_post")?"client_secret_post":t.includes("none")?"none":r?"client_secret_post":"none"}n(bc,"selectClientAuthMethod");function Cc(e,t,r,o){let{client_id:i,client_secret:a}=t;switch(e){case"client_secret_basic":vc(i,a,r);return;case"client_secret_post":Sc(i,a,o);return;case"none":Ic(i,o);return;default:throw new Error(`Unsupported client authentication method: ${e}`)}}n(Cc,"applyClientAuthentication");function vc(e,t,r){if(!t)throw new Error("client_secret_basic authentication requires a client_secret");let o=btoa(`${e}:${t}`);r.set("Authorization",`Basic ${o}`)}n(vc,"applyBasicAuth");function Sc(e,t,r){r.set("client_id",e),t&&r.set("client_secret",t)}n(Sc,"applyPostAuth");function Ic(e,t){t.set("client_id",e)}n(Ic,"applyPublicAuth");async function ko(e){let t=e instanceof Response?e.status:void 0,r=e instanceof Response?await e.text():e;try{let o=So.parse(JSON.parse(r)),{error:i,error_description:a,error_uri:s}=o,c=Ao[i]||oe;return new c(a||"",s)}catch(o){let i=`${t?`HTTP ${t}: `:""}Invalid OAuth error response: ${o}. 
Raw body: ${r}`;return new oe(i)}}n(ko,"parseErrorResponse");async function xr(e,t){try{return await Sr(e,t)}catch(r){if(r instanceof we||r instanceof be)return await e.invalidateCredentials?.("all"),await Sr(e,t);if(r instanceof Re)return await e.invalidateCredentials?.("tokens"),await Sr(e,t);throw r}}n(xr,"auth");async function Sr(e,{serverUrl:t,authorizationCode:r,scope:o,resourceMetadataUrl:i,fetchFn:a}){let s=await e.discoveryState?.(),c,u,p,f=i;if(!f&&s?.resourceMetadataUrl&&(f=new URL(s.resourceMetadataUrl)),s?.authorizationServerUrl){if(u=s.authorizationServerUrl,c=s.resourceMetadata,p=s.authorizationServerMetadata??await Eo(u,{fetchFn:a}),!c)try{c=await To(t,{resourceMetadataUrl:f},a)}catch{}(p!==s.authorizationServerMetadata||c!==s.resourceMetadata)&&await e.saveDiscoveryState?.({authorizationServerUrl:String(u),resourceMetadataUrl:f?.toString(),resourceMetadata:c,authorizationServerMetadata:p})}else{let P=await Tc(t,{resourceMetadataUrl:f,fetchFn:a});u=P.authorizationServerUrl,p=P.authorizationServerMetadata,c=P.resourceMetadata,await e.saveDiscoveryState?.({authorizationServerUrl:String(u),resourceMetadataUrl:f?.toString(),resourceMetadata:c,authorizationServerMetadata:p})}let w=await xc(t,e,c),S=o||c?.scopes_supported?.join(" ")||e.clientMetadata.scope,I=await Promise.resolve(e.clientInformation());if(!I){if(r!==void 0)throw new Error("Existing OAuth client information is required when exchanging an authorization code");let P=p?.client_id_metadata_document_supported===!0,O=e.clientMetadataUrl;if(O&&!Ar(O))throw new Ce(`clientMetadataUrl must be a valid HTTPS URL with a non-root pathname, got: ${O}`);if(P&&O)I={client_id:O},await e.saveClientInformation?.(I);else{if(!e.saveClientInformation)throw new Error("OAuth client information must be saveable for dynamic registration");let Cn=await Dc(u,{metadata:p,clientMetadata:e.clientMetadata,scope:S,fetchFn:a});await e.saveClientInformation(Cn),I=Cn}}let N=!e.redirectUrl;if(r!==void 0||N){let P=await 
Mc(e,u,{metadata:p,resource:w,authorizationCode:r,fetchFn:a});return await e.saveTokens(P),"AUTHORIZED"}let Z=await e.tokens();if(Z?.refresh_token)try{let P=await qc(u,{metadata:p,clientInformation:I,refreshToken:Z.refresh_token,resource:w,addClientAuthentication:e.addClientAuthentication,fetchFn:a});return await e.saveTokens(P),"AUTHORIZED"}catch(P){if(!(!(P instanceof A)||P instanceof oe))throw P}let X=e.state?await e.state():void 0,{authorizationUrl:Ke,codeVerifier:Q}=await Ec(u,{metadata:p,clientInformation:I,state:X,redirectUrl:e.redirectUrl,scope:S,resource:w});return await e.saveCodeVerifier(Q),await e.redirectToAuthorization(Ke),"REDIRECT"}n(Sr,"authInternal");function Ar(e){if(!e)return!1;try{let t=new URL(e);return t.protocol==="https:"&&t.pathname!=="/"}catch{return!1}}n(Ar,"isHttpsUrl");async function xc(e,t,r){let o=Io(e);if(t.validateResourceURL)return await t.validateResourceURL(o,r?.resource);if(r){if(!xo({requestedResource:o,configuredResource:r.resource}))throw new Error(`Protected resource ${r.resource} does not match expected ${o} (or origin)`);return new URL(r.resource)}}n(xc,"selectResourceURL");function Po(e){let t=e.headers.get("WWW-Authenticate");if(!t)return{};let[r,o]=t.split(" ");if(r.toLowerCase()!=="bearer"||!o)return{};let i=Ir(e,"resource_metadata")||void 0,a;if(i)try{a=new URL(i)}catch{}let s=Ir(e,"scope")||void 0,c=Ir(e,"error")||void 0;return{resourceMetadataUrl:a,scope:s,error:c}}n(Po,"extractWWWAuthenticateParams");function Ir(e,t){let r=e.headers.get("WWW-Authenticate");if(!r)return null;let o=new RegExp(`${t}=(?:"([^"]+)"|([^\\s,]+))`),i=r.match(o);return i?i[1]||i[2]:null}n(Ir,"extractFieldFromWwwAuth");async function To(e,t,r=fetch){let o=await kc(e,"oauth-protected-resource",r,{protocolVersion:t?.protocolVersion,metadataUrl:t?.resourceMetadataUrl});if(!o||o.status===404)throw await o?.body?.cancel(),new Error("Resource server does not implement OAuth 2.0 Protected Resource Metadata.");if(!o.ok)throw await 
o.body?.cancel(),new Error(`HTTP ${o.status} trying to load well-known OAuth protected resource metadata.`);return Mt.parse(await o.json())}n(To,"discoverOAuthProtectedResourceMetadata");async function Ur(e,t,r=fetch){try{return await r(e,{headers:t})}catch(o){if(o instanceof TypeError)return t?Ur(e,void 0,r):void 0;throw o}}n(Ur,"fetchWithCorsRetry");function Ac(e,t="",r={}){return t.endsWith("/")&&(t=t.slice(0,-1)),r.prependPathname?`${t}/.well-known/${e}`:`/.well-known/${e}${t}`}n(Ac,"buildWellKnownPath");async function Uo(e,t,r=fetch){return await Ur(e,{"MCP-Protocol-Version":t},r)}n(Uo,"tryMetadataDiscovery");function Uc(e,t){return!e||e.status>=400&&e.status<500&&t!=="/"}n(Uc,"shouldAttemptFallback");async function kc(e,t,r,o){let i=new URL(e),a=o?.protocolVersion??cr,s;if(o?.metadataUrl)s=new URL(o.metadataUrl);else{let u=Ac(t,i.pathname);s=new URL(u,o?.metadataServerUrl??i),s.search=i.search}let c=await Uo(s,a,r);if(!o?.metadataUrl&&Uc(c,i.pathname)){let u=new URL(`/.well-known/${t}`,i);c=await Uo(u,a,r)}return c}n(kc,"discoverMetadataWithFallback");function Pc(e){let t=typeof e=="string"?new URL(e):e,r=t.pathname!=="/",o=[];if(!r)return o.push({url:new URL("/.well-known/oauth-authorization-server",t.origin),type:"oauth"}),o.push({url:new URL("/.well-known/openid-configuration",t.origin),type:"oidc"}),o;let i=t.pathname;return i.endsWith("/")&&(i=i.slice(0,-1)),o.push({url:new URL(`/.well-known/oauth-authorization-server${i}`,t.origin),type:"oauth"}),o.push({url:new URL(`/.well-known/openid-configuration${i}`,t.origin),type:"oidc"}),o.push({url:new URL(`${i}/.well-known/openid-configuration`,t.origin),type:"oidc"}),o}n(Pc,"buildDiscoveryUrls");async function Eo(e,{fetchFn:t=fetch,protocolVersion:r=cr}={}){let o={"MCP-Protocol-Version":r,Accept:"application/json"},i=Pc(e);for(let{url:a,type:s}of i){let c=await Ur(a,o,t);if(c){if(!c.ok){if(await c.body?.cancel(),c.status>=400&&c.status<500)continue;throw new Error(`HTTP ${c.status} trying to load 
${s==="oauth"?"OAuth":"OpenID provider"} metadata from ${a}`)}return s==="oauth"?Ye.parse(await c.json()):Dt.parse(await c.json())}}}n(Eo,"discoverAuthorizationServerMetadata");async function Tc(e,t){let r,o;try{r=await To(e,{resourceMetadataUrl:t?.resourceMetadataUrl},t?.fetchFn),r.authorization_servers&&r.authorization_servers.length>0&&(o=r.authorization_servers[0])}catch{}o||(o=String(new URL("/",e)));let i=await Eo(o,{fetchFn:t?.fetchFn});return{authorizationServerUrl:o,authorizationServerMetadata:i,resourceMetadata:r}}n(Tc,"discoverOAuthServerInfo");async function Ec(e,{metadata:t,clientInformation:r,redirectUrl:o,scope:i,state:a,resource:s}){let c;if(t){if(c=new URL(t.authorization_endpoint),!t.response_types_supported.includes(Cr))throw new Error(`Incompatible auth server: does not support response type ${Cr}`);if(t.code_challenge_methods_supported&&!t.code_challenge_methods_supported.includes(vr))throw new Error(`Incompatible auth server: does not support code challenge method ${vr}`)}else c=new URL("/authorize",e);let u=await br(),p=u.code_verifier,f=u.code_challenge;return c.searchParams.set("response_type",Cr),c.searchParams.set("client_id",r.client_id),c.searchParams.set("code_challenge",f),c.searchParams.set("code_challenge_method",vr),c.searchParams.set("redirect_uri",String(o)),a&&c.searchParams.set("state",a),i&&c.searchParams.set("scope",i),i?.includes("offline_access")&&c.searchParams.append("prompt","consent"),s&&c.searchParams.set("resource",s.href),{authorizationUrl:c,codeVerifier:p}}n(Ec,"startAuthorization");function Oc(e,t,r){return new URLSearchParams({grant_type:"authorization_code",code:e,code_verifier:t,redirect_uri:String(r)})}n(Oc,"prepareAuthorizationCodeRequest");async function Oo(e,{metadata:t,tokenRequestParams:r,clientInformation:o,addClientAuthentication:i,resource:a,fetchFn:s}){let c=t?.token_endpoint?new URL(t.token_endpoint):new URL("/token",e),u=new 
Headers({"Content-Type":"application/x-www-form-urlencoded",Accept:"application/json"});if(a&&r.set("resource",a.href),i)await i(u,r,c,t);else if(o){let f=t?.token_endpoint_auth_methods_supported??[],w=bc(o,f);Cc(w,o,u,r)}let p=await(s??fetch)(c,{method:"POST",headers:u,body:r});if(!p.ok)throw await ko(p);return Ee.parse(await p.json())}n(Oo,"executeTokenRequest");async function qc(e,{metadata:t,clientInformation:r,refreshToken:o,resource:i,addClientAuthentication:a,fetchFn:s}){let c=new URLSearchParams({grant_type:"refresh_token",refresh_token:o}),u=await Oo(e,{metadata:t,tokenRequestParams:c,clientInformation:r,addClientAuthentication:a,resource:i,fetchFn:s});return{refresh_token:o,...u}}n(qc,"refreshAuthorization");async function Mc(e,t,{metadata:r,resource:o,authorizationCode:i,fetchFn:a}={}){let s=e.clientMetadata.scope,c;if(e.prepareTokenRequest&&(c=await e.prepareTokenRequest(s)),!c){if(!i)throw new Error("Either provider.prepareTokenRequest() or authorizationCode is required");if(!e.redirectUrl)throw new Error("redirectUrl is required for authorization_code flow");let p=await e.codeVerifier();c=Oc(i,p,e.redirectUrl)}let u=await e.clientInformation();return Oo(t,{metadata:r,tokenRequestParams:c,clientInformation:u??void 0,addClientAuthentication:e.addClientAuthentication,resource:o,fetchFn:a})}n(Mc,"fetchToken");async function Dc(e,{metadata:t,clientMetadata:r,scope:o,fetchFn:i}){let a;if(t){if(!t.registration_endpoint)throw new Error("Incompatible auth server: does not support dynamic client registration");a=new URL(t.registration_endpoint)}else a=new URL("/register",e);let s=await(i??fetch)(a,{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify({...r,...o!==void 0?{scope:o}:{}})});if(!s.ok)throw await ko(s);return Xe.parse(await s.json())}n(Dc,"registerClient");var kr="zuplo.com",Hc=new 
Set(["co.jp","co.kr","co.nz","co.uk","com.au","com.br","com.cn","com.mx","com.sg","co.in"]),zc=[".example.test",".example.com",".example.org",".invalid",".localhost",".test"];function qo(e){return`https://www.google.com/s2/favicons?domain=${e}&sz=128`}n(qo,"s2FaviconHref");function Lc(e){return`https://t0.gstatic.com/faviconV2?client=SOCIAL&type=FAVICON&drop_404_icon=true&fallback_opts=TYPE,SIZE,URL&url=http://${e}&size=128`}n(Lc,"strictFaviconHref");var zt=qo(kr);function Pr(e){let t=e.toLowerCase();return t===kr||t==="zuplo.app"||t==="zuplo.dev"||t.endsWith(".zuplo.app")||t.endsWith(".zuplo.dev")?qo(kr):Lc(e)}n(Pr,"resolveIconHref");function Bc(e){try{return new URL(`http://${e}`).hostname}catch{return e}}n(Bc,"hostnameFromHost");function jc(e){return e==="localhost"||e.includes(":")||/^\d{1,3}(?:\.\d{1,3}){3}$/.test(e)}n(jc,"isLocalOrAddressHost");function Nc(e){let t=Bc(e).toLowerCase().replace(/\.$/,"");if(jc(t)||zc.some(a=>t===a.slice(1)||t.endsWith(a)))return t;let r=t.split(".").filter(Boolean);if(r.length<=2)return t;let o=r.slice(-2).join("."),i=Hc.has(o)?3:2;return r.slice(-i).join(".")}n(Nc,"inferFaviconDomain");function Tr(e){return{src:Pr(Nc(e)),mimeType:"image/png",sizes:["128x128"]}}n(Tr,"resolveMcpFaviconIcon");function Lt(e){try{return Tr(new URL(e).host)}catch{return}}n(Lt,"resolveMcpFaviconIconFromUrl");function Oe(e){let t=K().connectionsById.get(e);if(!t)throw new q(`Unknown upstream server "${e}". 
Check the route's MCP upstream policy and ensure policies.json declares a matching upstream connection.`);return{displayName:t.displayName,...t.description===void 0?{}:{description:t.description},...t.serverInfo===void 0?{}:{serverInfo:t.serverInfo},transport:{baseUrl:t.mcpUrl,resourceMetadataUrl:t.protectedResourceMetadataUrl}}}n(Oe,"getUpstreamServerConfig");function Gc(e){let t=K().connectionsById.get(e.upstreamServerId);if(!t||t.authProfileId!==e.authProfileId)throw new q(`Unknown auth profile "${String(e.authProfileId)}" for upstream server "${e.upstreamServerId}". Check the route's MCP upstream policy and ensure policies.json declares a matching auth mode for that upstream connection.`);return t.authProfileId}n(Gc,"resolveUpstreamAuthProfileId");function Er(e){Gc(e);let t=K().connectionsById.get(e.upstreamServerId);if(!t)throw new q(`Auth profile could not be resolved for upstream server "${e.upstreamServerId}". Check the route's MCP upstream policy and ensure policies.json declares the upstream connection before this handler runs.`);return t.authConfig}n(Er,"getUpstreamAuthConfig");function qe(e,t){return Er({upstreamServerId:e,authProfileId:t})}n(qe,"requireUpstreamOAuthConfig");function J(e){return new h({message:e,extensionMembers:{[g]:"invalid_request"}})}n(J,"invalidOutboundUrl");function $c(){let e=ar.__TEST_ONLY_MCP_GATEWAY_ALLOW_HTTP_LOOPBACK_IDP??globalThis.process?.env?.__TEST_ONLY_MCP_GATEWAY_ALLOW_HTTP_LOOPBACK_IDP;return typeof e=="string"&&e==="1"}n($c,"isTestOnlyAllowHttpLoopbackIdpEnabled");function Fc(){let e=ar.__TEST_ONLY_MCP_GATEWAY_ALLOW_HTTP_LOOPBACK_CIMD??globalThis.process?.env?.__TEST_ONLY_MCP_GATEWAY_ALLOW_HTTP_LOOPBACK_CIMD;return typeof e=="string"&&e==="1"}n(Fc,"isTestOnlyAllowHttpLoopbackCimdEnabled");var Zc=new Set(["undefined","null","nan"]);function qr(e,t){if(!e.hostname)throw J(`Outbound URL has an empty hostname (got ${JSON.stringify(t)}). This typically indicates an unset $env(...) 
reference or a JS template literal coercing \`undefined\` into a URL. Check the policy options or runtime config that produced this URL.`);if(Zc.has(e.hostname.toLowerCase()))throw J(`Outbound URL hostname is ${JSON.stringify(e.hostname)} (from ${JSON.stringify(t)}). This almost always means an environment variable referenced by $env(...) is unset and a JS value was string-coerced into a URL. Set the missing env var or fix the policy option that produced this URL.`)}n(qr,"assertSafeOutboundHostname");var Kc=new Set(["localhost","169.254.169.254","metadata.google.internal","metadata"]),Jc=[{first:0},{first:10},{first:127},{first:169,secondMin:254,secondMax:254},{first:172,secondMin:16,secondMax:31},{first:192,secondMin:168,secondMax:168},{first:100,secondMin:64,secondMax:127},{first:224,firstMax:239},{first:240,firstMax:255}];function Mo(e){if(!/^\d+\.\d+\.\d+\.\d+$/.test(e))return;let t=e.split(".").map(r=>Number(r));if(!(t.length!==4||t.some(r=>Number.isNaN(r)||r<0||r>255)))return t}n(Mo,"parseIpv4Octets");function Wc([e,t],r){let o=r.firstMax??r.first;return e<r.first||e>o?!1:r.secondMin===void 0||r.secondMax===void 0?!0:t>=r.secondMin&&t<=r.secondMax}n(Wc,"ipv4RangeMatches");function Do(e){let t=Mo(e);return t!==void 0&&Jc.some(r=>Wc(t,r))}n(Do,"isPrivateIpv4");function Or(e){if(!e||e.length>4)return;let t=Number.parseInt(e,16);return Number.isNaN(t)||t<0||t>65535?void 0:t}n(Or,"parseIpv6Word");function Vc(e,t){return[e>>8&255,e&255,t>>8&255,t&255].join(".")}n(Vc,"formatIpv4FromWords");function Yc(e){let t=e.slice(7),r=Mo(t);if(r!==void 0)return r.join(".");let[o,i,a]=t.split(":"),s=Or(o),c=Or(i);return a===void 0&&s!==void 0&&c!==void 0?Vc(s,c):void 0}n(Yc,"parseIpv6MappedIpv4");function Xc(e){return Or(e.split(":").find(Boolean))}n(Xc,"readFirstIpv6Hextet");function Qc(e){let t=ye(e);if(!t.includes(":"))return!1;if(t==="::"||t==="::1")return!0;if(t.startsWith("::ffff:")){let o=Yc(t);return o===void 0||Do(o)}let r=Xc(t);return r===void 
0?!1:(r&65024)===64512||(r&65472)===65152}n(Qc,"isPrivateIpv6");function Mr(e){let t=ye(e);return Kc.has(t)||t.endsWith(".internal")||Do(t)||Qc(t)}n(Mr,"isBlockedOutboundHostname");function Bt(e){let t=new URL(e);if(t.protocol!=="https:"&&t.protocol!=="http:")throw J(`Unsupported outbound protocol: ${t.protocol}`);qr(t,e);let r=T(t);if(t.protocol==="http:"&&!r)throw J("Configured outbound HTTP URLs must target loopback hosts.");let o=ye(t.hostname);if(!r&&Mr(o))throw J(`Blocked outbound host: ${o}`);return t}n(Bt,"validateConfiguredOutboundUrl");function Ho(e){let t=new URL(e),r=T(t),o=r&&$c();if(t.protocol!=="https:"&&!o)throw J("Identity provider URLs must use https.");if(t.username||t.password||t.search||t.hash)throw J("Identity provider URLs must not include credentials, query params, or fragments.");qr(t,e);let i=ye(t.hostname);if(!r&&Mr(i))throw J(`Blocked identity provider host: ${i}`);return t}n(Ho,"validateIdentityProviderUrl");function zo(e,t){let r=new URL(e),o=r.protocol==="http:"&&T(r)&&Fc();if(r.protocol!=="https:"&&!o||r.pathname==="/"||r.username||r.password||r.hash)throw J(`CIMD ${t} must be an HTTPS URL with a path and no credentials or fragment.`);if(qr(r,e),!o&&Mr(r.hostname))throw J(`CIMD ${t} points at a blocked host.`);return r}n(zo,"validateCimdUrl");function jt(e){return zo(e,"client_id")}n(jt,"validateCimdClientMetadataUrl");function ve(e){return zo(e,"jwks_uri")}n(ve,"validateCimdClientJwksUrl");function Lo(e,t){if(!t)return;if(t.aborted){e.abort(t.reason);return}let r=n(()=>e.abort(t.reason),"abort");return t.addEventListener("abort",r,{once:!0}),()=>t.removeEventListener("abort",r)}n(Lo,"mergeAbortSignals");async function ed(e){try{await e.cancel()}catch{}}n(ed,"cancelReader");async function Nt(e,t){if(!e)return new Uint8Array;let r=e.getReader(),o=[],i=0,a=await r.read();for(;!a.done;){let u=a.value;if(i+=u.byteLength,i>t.maxBytes)throw await ed(r),t.createLimitError();o.push(u),a=await r.read()}let s=new Uint8Array(i),c=0;for(let u of 
o)s.set(u,c),c+=u.byteLength;return s}n(Nt,"readBoundedByteStream");var td=2,rd=1024*1024,nd=1e4,od=new Set([301,302,303,307,308]),id=["authorization","proxy-authorization","cookie","cookie2"];function Dr(e){return typeof e=="string"?e:e instanceof URL?e.toString():e.url}n(Dr,"readRequestUrl");function Me(e,t){return t?.method!==void 0?t.method.toUpperCase():e instanceof Request?e.method.toUpperCase():"GET"}n(Me,"readRequestMethod");function ad(e,t,r){let o=e.headers.get("content-length");if(!o)return;let i=Number.parseInt(o,10);if(Number.isFinite(i)&&i>t)throw new h({message:"Outbound response exceeded the maximum allowed size.",extensionMembers:{[g]:r}})}n(ad,"assertContentLengthWithinLimit");async function sd(e,t,r){return ad(e,t,r),Nt(e.body,{maxBytes:t,createLimitError:n(()=>new h({message:"Outbound response exceeded the maximum allowed size.",extensionMembers:{[g]:r}}),"createLimitError")})}n(sd,"readBoundedResponseBody");function cd(e,t){let r=new ArrayBuffer(t.byteLength);return new Uint8Array(r).set(t),new Response(r,{status:e.status,statusText:e.statusText,headers:e.headers})}n(cd,"responseFromBufferedBody");function dd(e,t){if(!od.has(e.status))return;let r=e.headers.get("location");if(r)return new URL(r,t).toString()}n(dd,"resolveRedirectUrl");function Bo(e,t){try{return t.validateUrl(e)}catch(r){throw new h({message:"Outbound URL was not allowed.",extensionMembers:{[g]:t.problemCode}},{cause:r})}}n(Bo,"validateOutboundUrl");function ud(e,t){throw e instanceof h&&vt(e.extensionMembers?.[g])?e:new h({message:"Outbound fetch failed.",extensionMembers:{[g]:t}},{cause:e})}n(ud,"normalizeFetchError");function lt(e,t){if(e===void 0)return;let r={event:t.event,code:t.problemCode,method:t.method};if(t.host!==void 0&&(r.host=t.host),t.extra!==void 0)for(let[o,i]of Object.entries(t.extra))i!==void 0&&(r[o]=i);t.error!==void 0&&L(r,"error",t.error),e.log.warn(r,"Outbound HTTP exchange rejected")}n(lt,"logOutboundFailure");async function ld(e,t,r,o,i,a,s){let 
c=Me(r,o);try{return await t(r,o)}catch(u){let p=u instanceof DOMException&&u.name==="AbortError";lt(e,{event:p?"outbound_fetch_aborted":"outbound_fetch_failed",problemCode:i,method:c,host:F(a),error:u,extra:{abortReason:s()}}),ud(u,i)}}n(ld,"fetchWithNormalizedError");function pd(e){if(e.redirects>=e.maxRedirects)throw new h({message:"Outbound redirects exceeded the maximum allowed depth.",extensionMembers:{[g]:e.problemCode}});if(e.method!=="GET"&&e.method!=="HEAD")throw new h({message:"Outbound redirect after a non-idempotent request was blocked.",extensionMembers:{[g]:e.problemCode}})}n(pd,"assertRedirectAllowed");function md(e,t){let r=new Headers(e);for(let o of id)r.delete(o);for(let o of t)r.delete(o);return r}n(md,"stripCrossOriginHeaders");function fd(e,t,r,o,i){let a={...e,method:t,redirect:"manual",signal:r};return o&&(a.headers=md(e.headers,i)),a}n(fd,"buildRedirectInit");function hd(e,t,r){let o={...t,redirect:"manual",signal:r};return o.headers===void 0&&e instanceof Request&&(o.headers=e.headers),o}n(hd,"buildInitialRequestInit");function gd(e){let t=Me(e.currentInput,e.currentInit);pd({redirects:e.redirects,maxRedirects:e.maxRedirects,method:t,problemCode:e.problemCode});let r=Bo(e.redirectUrl,{problemCode:e.problemCode,validateUrl:e.validateUrl}),o=new URL(e.currentUrl),i=r.origin!==o.origin,a=r.toString();return{currentInput:a,currentUrl:a,currentInit:fd(e.currentInit,t,e.signal,i,e.additionalCrossOriginStrippedHeaders),redirects:e.redirects+1}}n(gd,"followRedirect");async function Hr(e,t,r){let o=r.problemCode??"invalid_request",i=r.maxRedirects??td,a=r.maxResponseBytes??rd,s=r.timeoutMs??nd,c=r.fetchImpl??fetch,u=r.additionalCrossOriginStrippedHeaders??[],p=r.context,f=new AbortController,w=Lo(f,t.signal),S=!1,I=setTimeout(()=>{S=!0,f.abort()},s),N=e,Z=hd(e,t,f.signal),X;try{X=Bo(Dr(e),{problemCode:o,validateUrl:r.validateUrl}).toString()}catch(Q){throw 
lt(p,{event:"outbound_url_blocked",problemCode:o,method:Me(e,t),host:F(Dr(e)),error:Q}),clearTimeout(I),w?.(),Q}let Ke=0;try{for(;;){let Q=await ld(p,c,N,Z,o,X,()=>S?`timeout_after_${s}ms`:void 0),P=dd(Q,X);if(P!==void 0)try{let O=gd({currentInput:N,currentInit:Z,currentUrl:X,redirectUrl:P,redirects:Ke,maxRedirects:i,problemCode:o,validateUrl:r.validateUrl,signal:f.signal,additionalCrossOriginStrippedHeaders:u});N=O.currentInput,Z=O.currentInit,X=O.currentUrl,Ke=O.redirects;continue}catch(O){throw lt(p,{event:"outbound_redirect_blocked",problemCode:o,method:Me(N,Z),host:F(X),error:O,extra:{redirects:Ke,maxRedirects:i,redirectTargetHost:F(P)}}),O}try{return cd(Q,await sd(Q,a,o))}catch(O){throw lt(p,{event:"outbound_response_size_exceeded",problemCode:o,method:Me(N,Z),host:F(X),error:O,extra:{maxResponseBytes:a,status:Q.status}}),O}}}finally{clearTimeout(I),w?.()}}n(Hr,"runSafeOutboundExchange");async function Gt(e,t,r){let o=await Hr(e,t,r);try{return{response:o,json:await o.clone().json()}}catch(i){throw lt(r.context,{event:"outbound_json_parse_failed",problemCode:r.problemCode??"invalid_request",method:Me(e,t),host:F(Dr(e)),error:i,extra:{status:o.status,contentType:o.headers.get("content-type")??void 0}}),new h({message:"Outbound JSON response could not be parsed.",extensionMembers:{[g]:r.problemCode??"invalid_request"}},{cause:i})}}n(Gt,"runSafeOutboundJsonExchange");function jo(e,t={},r={}){return Hr(e,t,{...r,validateUrl:Bt})}n(jo,"fetchConfiguredOutbound");function No(e,t={},r={}){return Gt(e,t,{...r,validateUrl:Ho})}n(No,"fetchIdentityProviderJson");function Go(e,t={},r={}){return Gt(e,t,{...r,validateUrl:jt})}n(Go,"fetchCimdClientMetadataJson");function $o(e,t={},r={}){return Gt(e,t,{...r,validateUrl:ve})}n($o,"fetchCimdClientJwksJson");G();import{errors as Yo,jwtVerify as Xo,SignJWT as Qo}from"jose";var z="zuplo-mcp-gateway",B=z,j="HS256";import{base64url as yd}from"jose";var _d=new TextEncoder,wd="MCP gateway could not initialize secure key 
material.",Rd=32,Fo=new Map,Zo=new Map,bd;function Cd(){return bd??vn.instance.authPrivateKey}n(Cd,"readAuthPrivateKey");function Ko(e){return new ce(wd,e===void 0?void 0:{cause:e})}n(Ko,"createGeneratedKeyMaterialError");function Jo(e,t){let r=yd.decode(t);if(r.byteLength!==Rd)throw new Error(`Generated deployment auth key ${e} is invalid.`);return r}n(Jo,"decodeJwkKeyField");function vd(e){let t=Cd();if(!t)throw Ko();try{let r=JSON.parse(t);if(r.kty!=="OKP"||r.crv!=="Ed25519"||typeof r.d!="string"||typeof r.x!="string")throw new Error("Generated deployment auth key is not an Ed25519 JWK.");let o=Jo("d",r.d);Jo("x",r.x);let i=_d.encode(`zuplo-mcp-gateway:${e}:Ed25519:`),a=new Uint8Array(i.byteLength+o.byteLength);return a.set(i),a.set(o,i.byteLength),a}catch(r){throw Ko(r)}}n(vd,"decodeGeneratedKeyMaterial");function Sd(e){let t=Fo.get(e);return t||(t=vd(e),Fo.set(e,t)),t}n(Sd,"getMasterKeyMaterial");async function W(e){let t=Zo.get(e.purpose);if(t!==void 0)return t;let r=await e.derive(Sd(e.keyMaterialPurpose));return Zo.set(e.purpose,r),r}n(W,"readCachedDerivedKey");var Id="SHA-256";var xd="zuplo-mcp-gateway:",Ad=new TextEncoder,Wo=new WeakMap;async function pe(e,t){let r=Wo.get(e);r||(r=new Map,Wo.set(e,r));let o=r.get(t);if(o)return o;let i=await Ud(e,t);return r.set(t,i),i}n(pe,"deriveGatewaySigningKey");async function Ud(e,t){let r=Vo(e),o=await crypto.subtle.importKey("raw",r,{name:"HKDF"},!1,["deriveBits"]),i=Ad.encode(`${xd}${t}`),a=await crypto.subtle.deriveBits({name:"HKDF",hash:Id,salt:new Uint8Array,info:Vo(i)},o,32*8);return new Uint8Array(a)}n(Ud,"hkdfExpand");function Vo(e){let t=new ArrayBuffer(e.byteLength);return new Uint8Array(t).set(e),t}n(Vo,"copyToArrayBuffer");var 
ei=15*60,kd=15*60,Pd=Zn.extend({id:uo}),Td=Pd.extend({exp:d.number().int().positive(),iat:d.number().int().positive().optional()}),ti=dr.extend({id:lo,purpose:d.literal("browser_connect")}),Ed=dr.extend({purpose:d.literal("browser_connect")}),Od=ti.extend({exp:d.number().int().positive(),iat:d.number().int().positive().optional()}),ri=ei*1e3;async function ni(){return W({purpose:"oauth-state",keyMaterialPurpose:"oauth-state-signing",derive:n(e=>pe(e,"oauth-state"),"derive")})}n(ni,"getOAuthStateKey");async function oi(){return W({purpose:"browser-connect",keyMaterialPurpose:"oauth-state-signing",derive:n(e=>pe(e,"browser-connect"),"derive")})}n(oi,"getBrowserConnectKey");async function ii(e){let t=Math.floor(Date.now()/1e3)+ei;return new Qo(e).setProtectedHeader({alg:j,typ:"JWT"}).setIssuer(z).setAudience(B).setIssuedAt().setExpirationTime(t).sign(await ni())}n(ii,"signOAuthState");async function $t(e){try{let{payload:t}=await Xo(e,await ni(),{algorithms:[j],issuer:z,audience:B});return Td.parse(t)}catch(t){throw t instanceof Yo.JWTExpired?new h({message:"OAuth state has expired",extensionMembers:{[g]:"oauth_state_expired"}},{cause:t}):new h({message:"OAuth state could not be verified",extensionMembers:{[g]:"oauth_state_invalid"}},{cause:t})}}n($t,"verifyOAuthState");async function ai(e){let t=Math.floor(Date.now()/1e3)+kd,r=Ed.parse(e),o=ti.parse({...r,id:ho()});return new Qo(o).setProtectedHeader({alg:j,typ:"JWT"}).setIssuer(z).setAudience(B).setIssuedAt().setExpirationTime(t).sign(await oi())}n(ai,"signBrowserConnectTicket");async function si(e){try{let{payload:t}=await Xo(e,await oi(),{algorithms:[j],issuer:z,audience:B});return Od.parse(t)}catch(t){throw t instanceof Yo.JWTExpired?new h({message:"Browser connect ticket has expired",extensionMembers:{[g]:"oauth_state_expired"}},{cause:t}):new h({message:"Browser connect ticket could not be verified",extensionMembers:{[g]:"oauth_state_invalid"}},{cause:t})}}n(si,"verifyBrowserConnectTicket");async function 
ci(e){if((await b().consumeBrowserConnectTicket({id:e.id,expiresAt:R(new Date(e.exp*1e3)),now:R(new Date)})).kind==="consumed")throw new h({message:"Browser connect ticket has already been used",extensionMembers:{[g]:"oauth_state_reused"}})}n(ci,"consumeBrowserConnectTicket");function qd(e,t,r=!1){return r?`${e} authorization must be renewed before this ${t} can be used.`:`${e} authorization is required before this ${t} can be used.`}n(qd,"buildConnectRequiredMessage");async function Md(e){let t=k(e.requestUrl,e.requestHeaders),r=new URL(e.path,t);return e.redirect&&r.searchParams.set("redirect","true"),r.searchParams.set("operationId",e.operationId),r.searchParams.set("browserTicket",await ai({...Ve(e),purpose:"browser_connect"})),r.toString()}n(Md,"buildGatewayBrowserTicketUrl");function Dd(e){return`/auth/connections/${encodeURIComponent(e)}/connect`}n(Dd,"buildGatewayConnectPath");async function zr(e){return Md({...e,path:Dd(e.upstreamServerId),redirect:!0})}n(zr,"buildGatewayConnectUrl");async function Ft(e){let t={requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders},owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,operationId:e.operationId,...e.returnTo===void 0?{}:{returnTo:e.returnTo}};return{state:e.requiresReconsent?"reconsent_required":"authenticating",upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,operationId:e.operationId,...e.connectionId?{connectionId:e.connectionId}:{},authUrl:await zr(t),message:qd(e.upstreamDisplayName,e.subject,e.requiresReconsent),nextAction:"redirect"}}n(Ft,"buildRedirectConnectRequiredResponse");function di(e){return Hd({...e,message:e.requiresReconsent?`An administrator must reconnect ${e.upstreamDisplayName} before this tool can be used.`:`An administrator must connect ${e.upstreamDisplayName} before this tool can be used.`})}n(di,"buildAdminConnectRequiredResponse");function 
Hd(e){return{state:"admin_connect_required",upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,operationId:e.operationId,...e.connectionId?{connectionId:e.connectionId}:{},message:e.message,nextAction:"admin_setup_required"}}n(Hd,"buildAdminSetupRequiredResponse");G();var ui=new Set(["client_id","code_challenge","code_challenge_method","display","login_hint","nonce","prompt","redirect_uri","response_mode","response_type","state"]);function zd(e,t){return e&&e.length>0?e.join(t):void 0}n(zd,"joinOAuthScopes");function Ld(e){if(e?.authorization_endpoint===void 0)return e;let t=new URL(e.authorization_endpoint);for(let r of ui)t.searchParams.delete(r);return{...e,authorization_endpoint:t.toString()}}n(Ld,"sanitizeAuthorizationServerMetadata");function Lr(e){let t=Ld(e.authorizationServerMetadata);return t===e.authorizationServerMetadata?e:{...e,authorizationServerMetadata:t}}n(Lr,"sanitizeOAuthDiscoveryState");function li(e){let t=new URL(e);for(let r of ui){let o=t.searchParams.getAll(r);o.length<=1||(t.searchParams.delete(r),t.searchParams.set(r,o.at(-1)??""))}return t}n(li,"normalizeDuplicateSingletonAuthorizationRequestParams");function Zt(e){let t=new URL(e);return T(t)&&ye(t.hostname)!=="localhost"&&(t.hostname="localhost"),t}n(Zt,"normalizeLoopbackOAuthRedirectUri");function pi(e){return zd(e.state?.resourceMetadata?.scopes_supported,e.delimiter)}n(pi,"readProtectedResourceMetadataScope");function Bd(e){return`Zuplo MCP Gateway - ${e}`}n(Bd,"buildGatewayOAuthClientName");function jd(e,t){return e&&e.length>0?e.join(t):void 0}n(jd,"joinOAuthScopeList");function Br(e){return new URL(`/.well-known/oauth-client/${encodeURIComponent(e.upstreamServerId)}`,e.origin).toString()}n(Br,"buildOAuthClientMetadataDocumentUrl");function jr(e){let t=Oe(e.upstreamServerId);return{client_name:Bd(t.displayName),client_uri:new 
URL("/",e.origin).toString(),redirect_uris:[e.redirectUri],grant_types:["authorization_code","refresh_token"],response_types:["code"],application_type:"web",...e.scope===void 0?{}:{scope:e.scope},token_endpoint_auth_method:"none"}}n(jr,"buildGatewayOAuthClientMetadata");function mi(e,t,r){let o=qe(t,r),i=jd(o.scopes,o.scopeDelimiter);return{client_id:Br({origin:e,upstreamServerId:t}),...jr({origin:e,upstreamServerId:t,redirectUri:Zt(new URL(o.redirectPath,e)).toString(),scope:i})}}n(mi,"buildOAuthClientMetadataDocument");G();import{base64url as me}from"jose";var Nd="SHA-256",He="AES-GCM",Gd=12,Gr="zuplo-secret",$r=1,fi="generated:auth_private_key:token-encryption",$d=d.object({version:d.literal($r),keyId:d.literal(fi),algorithm:d.literal(He),iv:d.string().min(1),ciphertext:d.string().min(1)}).strict();function De(e){let t=new ArrayBuffer(e.byteLength);return new Uint8Array(t).set(e),t}n(De,"copyToArrayBuffer");async function Nr(){return W({purpose:"token-encryption",keyMaterialPurpose:"token-encryption",derive:n(async e=>{let t=await crypto.subtle.digest(Nd,De(e));return crypto.subtle.importKey("raw",t,{name:He},!1,["encrypt","decrypt"])},"derive")})}n(Nr,"getEncryptionKey");function hi(e){return De(new TextEncoder().encode(`${Gr}:v${e.version}:${e.keyId}`))}n(hi,"getAssociatedData");function Fd(e){return`${Gr}:v${e.version}:${me.encode(new TextEncoder().encode(JSON.stringify(e)))}`}n(Fd,"encodeEnvelope");function Zd(e){let t=`${Gr}:v${$r}:`;if(!e.startsWith(t))return;let r=e.slice(t.length),o=new TextDecoder().decode(me.decode(r));return $d.parse(JSON.parse(o))}n(Zd,"decodeEnvelope");async function Kt(e){let t=await Nr(),r=crypto.getRandomValues(new Uint8Array(Gd)),o={version:$r,keyId:fi},i=await crypto.subtle.encrypt({name:He,iv:r,additionalData:hi(o)},t,new TextEncoder().encode(e));return Fd({...o,algorithm:He,iv:me.encode(r),ciphertext:me.encode(new Uint8Array(i))})}n(Kt,"encryptSecret");async function pt(e){let t=Zd(e);if(t){let s=await Nr(),c=await 
crypto.subtle.decrypt({name:He,iv:De(me.decode(t.iv)),additionalData:hi(t)},s,De(me.decode(t.ciphertext)));return new TextDecoder().decode(c)}let[r,o]=e.split(".");if(!r||!o)throw new ce("Encrypted payload is malformed");let i=await Nr(),a=await crypto.subtle.decrypt({name:He,iv:De(me.decode(r))},i,De(me.decode(o)));return new TextDecoder().decode(a)}n(pt,"decryptSecret");var Kd=d.union([Xe,Ht]),gi=d.object({authorizationServerUrl:d.url(),resourceMetadataUrl:d.url().optional(),resourceMetadata:Mt.optional(),authorizationServerMetadata:d.union([Ye,Dt]).optional()}).passthrough(),Jd="Bearer",Wd="__zuplo_refresh_only_upstream_access_token__";function Vd(e){return e?e.split(/[,\s]+/).filter(Boolean):[]}n(Vd,"splitScopes");function Yd(e){return Tt.parse(e)}n(Yd,"parsePkceCodeVerifier");function Xd(e){if(typeof e.expires_in=="number")return R(new Date(Date.now()+e.expires_in*1e3))}n(Xd,"readTokenExpiry");async function yi(e){if(e!==void 0)return Kt(JSON.stringify(e))}n(yi,"encryptJson");async function _i(e,t){if(!e)return;let r=await pt(e);try{return t.parse(JSON.parse(r))}catch(o){throw new h({message:"Stored upstream OAuth JSON state is invalid.",extensionMembers:{[g]:"oauth_state_invalid"}},{cause:o})}}n(_i,"decryptJson");function Qd(e){if(e===void 0)return;e=Lr(e);let t={authorizationServerUrl:e.authorizationServerUrl};return e.resourceMetadataUrl!==void 0&&(t.resourceMetadataUrl=e.resourceMetadataUrl),e.resourceMetadata!==void 0&&(t.resourceMetadata=e.resourceMetadata),e.authorizationServerMetadata!==void 0&&(t.authorizationServerMetadata=e.authorizationServerMetadata),t}n(Qd,"toOAuthDiscoveryState");function eu(e,t){return"redirect_uris"in e?e.redirect_uris.includes(t):!0}n(eu,"clientInformationAllowsRedirectUri");function tu(e){return e.clientMetadataUrl===void 0?"redirect_uris"in e.clientInformation:"redirect_uris"in e.clientInformation||e.clientInformation.client_id===e.clientMetadataUrl}n(tu,"clientInformationMatchesCurrentClientMetadataUrl");function 
ru(e){return e.clientMetadataUrl!==void 0&&!("redirect_uris"in e.clientInformation)&&e.clientInformation.client_id===e.clientMetadataUrl}n(ru,"isUrlBasedClientInformation");function nu(e,t){return t===void 0?e:{...e,scope:t}}n(nu,"applyOAuthClientMetadataScope");function wi(e,t){return pi({state:e,delimiter:t})}n(wi,"readResourceMetadataScope");function ou(e,t){return e&&e.length>0?e.join(t):void 0}n(ou,"joinOAuthScopeList");function iu(e){let t;if(e.registration.tokenEndpointAuthMethod!=="none"&&(t=e.registration.clientSecret,!t))throw new q(`Manual OAuth registration for upstream "${e.upstreamServerId}" requires clientSecret. Set the env var that backs the client secret or use tokenEndpointAuthMethod "none".`);return Xe.parse({...e.clientMetadata,client_id:e.registration.clientId,token_endpoint_auth_method:e.registration.tokenEndpointAuthMethod,...t===void 0?{}:{client_secret:t}})}n(iu,"buildManualOAuthClientInformation");function au(e,t){let r=Br({origin:new URL(t).origin,upstreamServerId:e});return Ar(r)?r:void 0}n(au,"buildClientMetadataUrl");function Ri(e){for(let t of e)if(t!==void 0)return t}n(Ri,"firstDefined");function su(e){let t=qe(e.target.upstreamServerId,e.target.authProfileId),r=ou(t.scopes,t.scopeDelimiter),o=jr({origin:new URL(e.redirectUri).origin,upstreamServerId:e.target.upstreamServerId,redirectUri:e.redirectUri,scope:r});if(t.clientRegistration.mode==="manual")return{clientMetadata:o,configuredScope:r,scopeDelimiter:t.scopeDelimiter,configuredClientInformation:iu({clientMetadata:o,registration:t.clientRegistration,upstreamServerId:e.target.upstreamServerId})};let i=au(e.target.upstreamServerId,e.redirectUri);return i===void 0?{clientMetadata:o,configuredScope:r,scopeDelimiter:t.scopeDelimiter}:{clientMetadata:o,configuredScope:r,scopeDelimiter:t.scopeDelimiter,clientMetadataUrl:i}}n(su,"buildInitialOAuthClientSetup");function cu(e,t){if(t===void 0)return 
Ri([e.pendingState?.encryptedClientInformation,e.connectionMetadata?.encryptedClientInformation,e.connection?.metadata?.encryptedClientInformation])}n(cu,"readEncryptedClientInformation");function du(e){return Ri([e.pendingState?.encryptedDiscoveryState,e.connectionMetadata?.encryptedDiscoveryState,e.connection?.metadata?.encryptedDiscoveryState])}n(du,"readEncryptedDiscoveryState");var Se=class{static{n(this,"UpstreamOAuthProvider")}clientMetadataUrl;target;redirectUriValue;returnOrigin;clientMetadataValue;configuredScope;scopeDelimiter;configuredClientInformation;challengeScope;inferredScope;authorizationUrlValue;connection;pendingState;encryptedClientInformation;encryptedDiscoveryState;cachedClientInformation;clientInformationLoaded=!1;cachedDiscoveryState;discoveryStateLoaded=!1;cachedTokens;tokensLoaded=!1;constructor(t){let r=su({target:t.target,redirectUri:t.redirectUri});this.target=t.target,this.redirectUriValue=t.redirectUri,this.returnOrigin=t.returnOrigin,this.clientMetadataValue=r.clientMetadata,this.configuredScope=r.configuredScope,this.scopeDelimiter=r.scopeDelimiter,this.configuredClientInformation=r.configuredClientInformation,r.clientMetadataUrl!==void 0&&(this.clientMetadataUrl=r.clientMetadataUrl),this.connection=t.connection,this.pendingState=t.pendingState?{...t.pendingState}:void 0,this.encryptedClientInformation=cu(t,this.configuredClientInformation),this.encryptedDiscoveryState=du(t)}get authorizationUrl(){return this.authorizationUrlValue}get redirectUrl(){return this.redirectUriValue}get clientMetadata(){return nu(this.clientMetadataValue,this.readEffectiveScope())}async state(){let t=await this.createPendingState();return ii({id:t.id,...Ve({owner:this.target.owner,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,operationId:t.operationId})})}async clientInformation(){return 
this.configuredClientInformation?this.configuredClientInformation:this.loadPersistedClientInformation()}async saveClientInformation(t){this.configuredClientInformation||(this.cachedClientInformation=t,this.clientInformationLoaded=!0,!ru({clientInformation:t,clientMetadataUrl:this.clientMetadataUrl})&&(this.encryptedClientInformation=await yi(t),await this.syncPendingState(!1)))}async discoveryState(){return this.loadPersistedDiscoveryState()}applyChallengeScope(t){this.challengeScope=t}async saveDiscoveryState(t){let r=Lr(gi.parse(t));this.cachedDiscoveryState=r,this.discoveryStateLoaded=!0,this.inferredScope=wi(r,this.scopeDelimiter),this.encryptedDiscoveryState=await yi(r),await this.syncPendingState(!1)}async tokens(){return this.loadStoredTokens()}async saveTokens(t){let r=Ee.parse(t),o=this.target.owner.mode==="user"?this.target.owner.subjectId:void 0,i=r.refresh_token?await Kt(r.refresh_token):this.connection?.encryptedRefreshToken;this.cachedTokens=r.refresh_token||!this.connection?.encryptedRefreshToken?r:Ee.parse({...r,refresh_token:await pt(this.connection.encryptedRefreshToken)}),this.tokensLoaded=!0;let a={id:this.connection?.id??mo(),ownerMode:this.target.owner.mode,subjectId:o,upstreamServerId:this.target.upstreamServerId,authProfileId:this.target.authProfileId,status:"active",encryptedAccessToken:await Kt(r.access_token),encryptedRefreshToken:i,scopes:Vd(r.scope??this.readEffectiveScope()),expiresAt:Xd(r),metadata:this.readStoredOAuthPersistence(this.target.owner.mode==="shared"?this.target.initiatedBySubjectId:void 0)};this.connection=await b().upsertUpstreamConnection(a)}async redirectToAuthorization(t){let r=li(t);this.authorizationUrlValue=r.toString()}async saveCodeVerifier(t){let r=await this.createPendingState();await this.persistPendingState({...r,codeVerifier:Yd(t)})}async codeVerifier(){if(!this.pendingState?.codeVerifier)throw new h({message:"OAuth code verifier is missing",extensionMembers:{[g]:"oauth_state_invalid"}});return 
this.pendingState.codeVerifier}async invalidateCredentials(t){let r=t==="all"||t==="client"||t==="tokens",o=t==="all"||t==="client",i=t==="all"||t==="discovery",a=t==="all"||t==="verifier";o&&(this.cachedClientInformation=void 0,this.clientInformationLoaded=!0,this.encryptedClientInformation=void 0),i&&(this.cachedDiscoveryState=void 0,this.discoveryStateLoaded=!0,this.encryptedDiscoveryState=void 0,this.challengeScope=void 0,this.inferredScope=void 0),r&&(this.cachedTokens=void 0,this.tokensLoaded=!0),await this.syncPendingState(a),await this.persistCredentialInvalidation(r)}async createPendingState(){if(this.pendingState)return this.pendingState;let t={id:fo(),...Ve({owner:this.target.owner,initiatedBySubjectId:this.target.initiatedBySubjectId,upstreamServerId:this.target.upstreamServerId,authProfileId:this.target.authProfileId,operationId:this.target.operationId,...this.target.returnTo===void 0?{}:{returnTo:this.target.returnTo}}),callbackPath:new URL(this.redirectUriValue).pathname,expiresAt:R(new Date(Date.now()+ri)),redirectUri:this.redirectUriValue,...this.returnOrigin===void 0?{}:{returnOrigin:this.returnOrigin},encryptedClientInformation:this.encryptedClientInformation,encryptedDiscoveryState:this.encryptedDiscoveryState,connectedBySubjectId:this.target.owner.mode==="shared"?this.target.initiatedBySubjectId:void 0};return await this.persistPendingState(t),t}async persistPendingState(t){await b().saveUpstreamOAuthState({record:t}),this.pendingState=t}async syncPendingState(t){this.pendingState&&await this.persistPendingState({...this.pendingState,codeVerifier:t?void 0:this.pendingState.codeVerifier,encryptedClientInformation:this.encryptedClientInformation,encryptedDiscoveryState:this.encryptedDiscoveryState})}async loadPersistedClientInformation(){if(this.clientInformationLoaded)return this.cachedClientInformation;let t;try{t=await _i(this.encryptedClientInformation,Kd)}catch{this.encryptedClientInformation=void 0,this.cachedClientInformation=void 
0,this.clientInformationLoaded=!0,await this.syncPendingState(!1),await this.persistCredentialInvalidation(!1);return}if(t&&(!eu(t,this.redirectUriValue)||!tu({clientInformation:t,clientMetadataUrl:this.clientMetadataUrl}))){this.encryptedClientInformation=void 0,this.cachedClientInformation=void 0,this.clientInformationLoaded=!0,await this.syncPendingState(!1),await this.persistCredentialInvalidation(!1);return}return t===void 0&&this.pendingState?.codeVerifier!==void 0&&this.clientMetadataUrl!==void 0&&(t=Ht.parse({client_id:this.clientMetadataUrl})),this.cachedClientInformation=t,this.clientInformationLoaded=!0,this.cachedClientInformation}async loadPersistedDiscoveryState(){if(this.discoveryStateLoaded)return this.cachedDiscoveryState;try{this.cachedDiscoveryState=Qd(await _i(this.encryptedDiscoveryState,gi))}catch{this.encryptedDiscoveryState=void 0,this.cachedDiscoveryState=void 0,await this.syncPendingState(!1),await this.persistCredentialInvalidation(!1)}return this.discoveryStateLoaded=!0,this.inferredScope=wi(this.cachedDiscoveryState,this.scopeDelimiter),this.cachedDiscoveryState}readEffectiveScope(){return this.configuredScope??this.challengeScope??this.inferredScope}async loadStoredTokens(){if(this.tokensLoaded)return this.cachedTokens;if(this.tokensLoaded=!0,!this.connection||this.connection.status!=="active")return;let t=this.connection.encryptedAccessToken?await pt(this.connection.encryptedAccessToken):void 0,r=this.connection.encryptedRefreshToken?await pt(this.connection.encryptedRefreshToken):void 0;if(!t&&!r)return;let o=Ee.parse({access_token:t??Wd,token_type:Jd,refresh_token:r,scope:this.connection.scopes.length>0?this.connection.scopes.join(" "):void 0});return this.cachedTokens=o,o}async persistCredentialInvalidation(t){if(!this.connection)return;let 
r={id:this.connection.id,ownerMode:this.connection.ownerMode,subjectId:this.connection.subjectId,upstreamServerId:this.connection.upstreamServerId,authProfileId:this.connection.authProfileId,status:this.connection.status,encryptedAccessToken:this.connection.encryptedAccessToken,encryptedRefreshToken:this.connection.encryptedRefreshToken,scopes:[...this.connection.scopes],expiresAt:this.connection.expiresAt,metadata:this.connection.metadata?{...this.connection.metadata}:void 0};t&&(r.status="reconsent_required",r.encryptedAccessToken=void 0,r.encryptedRefreshToken=void 0,r.scopes=[],r.expiresAt=void 0),r.metadata=this.readStoredOAuthPersistence(this.connection.metadata?.connectedBySubjectId),this.connection=await b().upsertUpstreamConnection(r)}readStoredOAuthPersistence(t){if(!(!this.encryptedClientInformation&&!this.encryptedDiscoveryState&&!t))return{encryptedClientInformation:this.encryptedClientInformation,encryptedDiscoveryState:this.encryptedDiscoveryState,connectedBySubjectId:t}}};var uu=3e4,lu=256*1024,pu=2;function mu(e){return!e||e.status!=="active"||!e.encryptedAccessToken?!1:e.expiresAt?new Date(e.expiresAt).getTime()>Date.now():!0}n(mu,"hasUsableAccessToken");var fu="does not support dynamic client registration",hu=["Resource server does not implement OAuth 2.0 Protected Resource Metadata","trying to load well-known OAuth protected resource metadata"],gu=["HTTP 403 Forbidden","Access Denied","permission to access"];function yu(e){return e instanceof Error&&e.message.includes(fu)}n(yu,"isDynamicClientRegistrationUnsupported");function _u(e){return e instanceof Error&&hu.some(t=>e.message.includes(t))}n(_u,"isProtectedResourceMetadataUnavailable");function wu(e){return e instanceof Error&&gu.some(t=>e.message.includes(t))}n(wu,"isUpstreamProviderAccessDenied");function Ru(e){if(e.error instanceof h&&e.error.extensionMembers?.[g]!==void 0)return e.error;if(yu(e.error))return new h({message:`The authorization server for ${e.upstreamServerId} does not 
advertise Client ID Metadata Document support and does not support Dynamic Client Registration. Register an OAuth client for the gateway manually before retrying.`,extensionMembers:{[g]:"upstream_client_registration_required"}},{cause:e.error});if(_u(e.error))return new h({message:`The upstream MCP server "${e.upstreamServerId}" does not publish OAuth protected resource metadata at "${e.resourceMetadataUrl}". Configure protectedResourceMetadataUrl to a working metadata document, use a provider-supported legacy client, or contact the provider to approve/allowlist this gateway OAuth client before retrying.`,extensionMembers:{[g]:"upstream_oauth_discovery_unavailable"}},{cause:e.error});if(wu(e.error))return new h({message:`The upstream provider denied access while connecting ${e.upstreamServerId}. Confirm the provider allows this gateway and its OAuth client, then retry.`,extensionMembers:{[g]:"upstream_provider_access_denied"}},{cause:e.error})}n(Ru,"mapUpstreamOAuthSetupError");function bu(e){return typeof e=="string"||e instanceof URL?{url:new URL(e.toString())}:{method:e.method,url:new URL(e.url)}}n(bu,"readOAuthFetchRequest");function Cu(e,t){return(e.headers.get("content-type")??"").includes("json")||t.trimStart().startsWith("{")||t.trimStart().startsWith("[")}n(Cu,"responseLooksJson");function vu(e,t){let r=e.headers.get("content-type")??"",o=t.trimStart().toLowerCase();return r.includes("html")||o.startsWith("<!doctype html")||o.startsWith("<html")}n(vu,"responseLooksHtml");function Su(e){let t=e.response.statusText?` ${e.response.statusText}`:"",r=e.response.headers.get("content-type")??"text/html";throw new h({message:`The upstream provider returned ${e.response.status}${t} (${r}) from ${e.request.url.toString()} while connecting 
${e.upstreamServerId}.`,extensionMembers:{[g]:e.response.status===403?"upstream_provider_access_denied":"upstream_token_exchange_failed",[Pe]:e.response.status,[Ue]:r,[Te]:e.request.url.toString(),[ke]:e.body}})}n(Su,"throwUpstreamHtmlError");function bi(e){return async(t,r)=>{let o=bu(t),i=await jo(t,r,{maxRedirects:pu,maxResponseBytes:lu,problemCode:"upstream_token_exchange_failed",timeoutMs:uu}),a=await i.clone().text();if(!i.ok&&vu(i,a)&&Su({upstreamServerId:e,request:o,response:i,body:a}),!Cu(i,a))return i;try{JSON.parse(a)}catch(s){throw new h({message:`Upstream OAuth fetch ${o.url.origin}${o.url.pathname} for ${e} returned invalid JSON.`,extensionMembers:{[g]:"upstream_token_exchange_failed"}},{cause:s})}return i}}n(bi,"createUpstreamOAuthFetch");async function Ci(e,t){e.applyChallengeScope(t.requestedScope);try{let r={serverUrl:t.serverUrl,resourceMetadataUrl:new URL(t.resourceMetadataUrl),fetchFn:bi(t.upstreamServerId)};return t.requestedScope!==void 0&&(r.scope=t.requestedScope),await xr(e,r)}catch(r){let o=Ru({upstreamServerId:t.upstreamServerId,resourceMetadataUrl:t.resourceMetadataUrl,error:r});throw o!==void 0?o:r}}n(Ci,"runUpstreamOAuth");async function Iu(e,t){e.applyChallengeScope(t.requestedScope);let r={serverUrl:t.serverUrl,authorizationCode:t.authorizationCode,resourceMetadataUrl:new URL(t.resourceMetadataUrl),fetchFn:bi(t.upstreamServerId)};return t.requestedScope!==void 0&&(r.scope=t.requestedScope),xr(e,r)}n(Iu,"exchangeUpstreamAuthorizationCode");async function vi(e,t){let r=await Ci(e,t);if(r==="REDIRECT"&&e.authorizationUrl)return e.authorizationUrl;throw r==="AUTHORIZED"?new h({message:`OAuth connect flow reused existing credentials instead of producing a redirect for ${t.upstreamServerId}`,extensionMembers:{[g]:"upstream_token_exchange_failed"}}):new h({message:`Unexpected OAuth result for ${t.upstreamServerId}: ${r}`,extensionMembers:{[g]:"upstream_token_exchange_failed"}})}n(vi,"requireUpstreamAuthorizationRedirect");async function 
Si(e){if(!e.forceRefresh&&mu(e.connection))return{kind:"authorized",credential:{type:"mcp_oauth_provider",provider:e.provider}};let t=await Ci(e.provider,{upstreamServerId:e.target.upstreamServerId,serverUrl:e.serverUrl,resourceMetadataUrl:e.resourceMetadataUrl,...e.requestedScope===void 0?{}:{requestedScope:e.requestedScope}});if(t==="AUTHORIZED")return{kind:"authorized",credential:{type:"mcp_oauth_provider",provider:e.provider}};if(t!=="REDIRECT")throw new h({message:`Unexpected OAuth result for ${e.target.upstreamServerId}: ${t}`,extensionMembers:{[g]:"upstream_token_exchange_failed"}});if(!e.provider.authorizationUrl)throw new h({message:`OAuth connect-required flow did not produce a redirect for ${e.target.upstreamServerId}`,extensionMembers:{[g]:"upstream_token_exchange_failed"}});return{kind:"connect_required",payload:await Pu({requestUrl:e.target.request.url,requestHeaders:e.target.request.headers,connection:e.connection,owner:e.target.owner,initiatedBySubjectId:e.target.initiatedBySubjectId,upstreamServerId:e.target.upstreamServerId,authProfileId:e.target.authProfileId,upstreamDisplayName:e.upstreamDisplayName,operationId:e.target.operationId,...e.target.returnTo===void 0?{}:{returnTo:e.target.returnTo}})}}n(Si,"authorizeUpstreamOAuthSession");async function xu(e){let t=await $t(e.stateToken),r=await b().consumeUpstreamOAuthState({id:t.id,now:R(new Date)}),o=Au(r);return Uu({storedState:o,signedState:t,upstreamServerId:e.upstreamServerId,callbackPath:new URL(e.request.url).pathname}),ku(o),o}n(xu,"consumeStoredCallbackState");function Au(e){switch(e.kind){case"consumed":throw new h({message:"OAuth state has already been used",extensionMembers:{[g]:"oauth_state_reused"}});case"missing":throw new h({message:"OAuth state is missing or expired",extensionMembers:{[g]:"oauth_state_expired"}});case"available":return e.record}}n(Au,"readConsumedCallbackState");function 
Uu(e){if(![e.storedState.ownerMode===e.signedState.ownerMode,e.storedState.initiatedBySubjectId===e.signedState.initiatedBySubjectId,e.storedState.ownerSubjectId===e.signedState.ownerSubjectId,e.storedState.upstreamServerId===e.signedState.upstreamServerId,e.storedState.authProfileId===e.signedState.authProfileId,e.storedState.operationId===e.signedState.operationId,e.storedState.upstreamServerId===e.upstreamServerId,e.storedState.callbackPath===e.callbackPath].every(Boolean))throw new h({message:"OAuth callback did not match the initiating request",extensionMembers:{[g]:"oauth_callback_mismatch"}})}n(Uu,"assertStoredCallbackStateMatches");function ku(e){if(new Date(e.expiresAt).getTime()<=Date.now())throw new h({message:"OAuth state has expired",extensionMembers:{[g]:"oauth_state_expired"}})}n(ku,"assertStoredCallbackStateFresh");async function Pu(e){if(e.owner.mode==="shared"){let r={upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,upstreamDisplayName:e.upstreamDisplayName,operationId:e.operationId,requiresReconsent:!!e.connection};return e.connection!==void 0&&(r.connectionId=e.connection.id),di(r)}let t={requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders},owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,upstreamDisplayName:e.upstreamDisplayName,operationId:e.operationId,subject:"tool",requiresReconsent:!!e.connection,...e.returnTo===void 0?{}:{returnTo:e.returnTo}};return e.connection!==void 0&&(t.connectionId=e.connection.id),Ft(t)}n(Pu,"buildOAuthConnectRequiredResponse");async function Ii(e){let t=await xu({request:e.request,upstreamServerId:e.upstreamServerId,stateToken:e.stateToken}),r=kt(t),[o]=await 
b().batchGetUpstreamConnections([{owner:r,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId}]),i={target:{owner:r,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,operationId:t.operationId,...t.returnTo===void 0?{}:{returnTo:t.returnTo}},redirectUri:t.redirectUri,pendingState:t};o!==void 0&&(i.connection=o);let a=new Se(i),s=await Iu(a,{upstreamServerId:e.upstreamServerId,serverUrl:e.upstreamServerConfig.transport.baseUrl,authorizationCode:e.authorizationCode,resourceMetadataUrl:e.upstreamServerConfig.transport.resourceMetadataUrl});if(s==="AUTHORIZED")return t;throw s!=="REDIRECT"?new h({message:`Unexpected OAuth result for ${e.upstreamServerId}: ${s}`,extensionMembers:{[g]:"upstream_token_exchange_failed"}}):new h({message:`OAuth callback flow did not finish authorization for ${e.upstreamServerId}`,extensionMembers:{[g]:"upstream_token_exchange_failed"}})}n(Ii,"finishUpstreamOAuthCallback");function Tu(e){return Zt(new URL(e.callbackPath,k(e.requestUrl,e.requestHeaders))).toString()}n(Tu,"buildGatewayOAuthRedirectUri");async function xi(e){let t=Oe(e.upstreamServerId),r=qe(e.upstreamServerId,e.authProfileId),o=Tu({callbackPath:r.redirectPath,requestUrl:e.request.url,requestHeaders:e.request.headers}),i="preloadedConnection"in e?e.preloadedConnection:(await b().batchGetUpstreamConnections([{owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId}]))[0];return{upstreamServerConfig:t,connection:i,providerInput:{target:{owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,operationId:e.operationId,...e.returnTo===void 0?{}:{returnTo:e.returnTo}},redirectUri:o,returnOrigin:k(e.request.url,e.request.headers)}}}n(xi,"prepareUpstreamOAuthRequest");async function Ai(e){let t=await xi(e),r=new Se({...t.providerInput,...t.connection?.metadata===void 0?{}:{connectionMetadata:t.connection.metadata}});return 
vi(r,{upstreamServerId:e.upstreamServerId,serverUrl:t.upstreamServerConfig.transport.baseUrl,resourceMetadataUrl:t.upstreamServerConfig.transport.resourceMetadataUrl})}n(Ai,"startUpstreamConnect");async function Ui(e){let t=await xi(e),r=new Se({...t.providerInput,...t.connection===void 0?{}:{connection:t.connection}});return Si({target:e,provider:r,connection:t.connection,forceRefresh:e.forceRefresh,...e.requestedScope===void 0?{}:{requestedScope:e.requestedScope},upstreamDisplayName:t.upstreamServerConfig.displayName,serverUrl:t.upstreamServerConfig.transport.baseUrl,resourceMetadataUrl:t.upstreamServerConfig.transport.resourceMetadataUrl})}n(Ui,"authorizeUpstreamRequest");async function ze(e){let{routeAuth:t}=e;return Ui({request:e.request,owner:t.owner,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,operationId:t.operationId,forceRefresh:e.forceRefresh,...e.requestedScope===void 0?{}:{requestedScope:e.requestedScope},...e.preloadedConnection===void 0?{}:{preloadedConnection:e.preloadedConnection},...t.returnTo===void 0?{}:{returnTo:t.returnTo}})}n(ze,"resolveUpstreamCredentialForRoute");async function ki(e){let t={request:e.request,owner:e.connectRequest.owner,initiatedBySubjectId:e.connectRequest.initiatedBySubjectId,upstreamServerId:e.connectRequest.upstreamServerId,authProfileId:e.connectRequest.authProfileId,operationId:e.connectRequest.operationId,...e.connectRequest.returnTo===void 0?{}:{returnTo:e.connectRequest.returnTo}},r=await Ai(t);return{authProfileId:e.connectRequest.authProfileId,authUrl:r,initiatedBySubjectId:e.connectRequest.initiatedBySubjectId,owner:e.connectRequest.owner,upstreamDisplayName:e.connectRequest.upstreamDisplayName,operationId:e.connectRequest.operationId}}n(ki,"startUpstreamConnectForRequest");async function Pi(e){let r=(await $t(e.callbackRequest.state)).authProfileId;return 
Er({upstreamServerId:e.callbackRequest.upstreamServerId,authProfileId:r}),Ii({request:e.request,upstreamServerId:e.callbackRequest.upstreamServerId,authorizationCode:e.callbackRequest.code,stateToken:e.callbackRequest.state,upstreamServerConfig:Oe(e.callbackRequest.upstreamServerId)})}n(Pi,"finishUpstreamCallbackForRequest");function Eu(e){return{upstreamServerId:e.connection.upstreamServerId,operationId:e.operationId,authProfileId:e.connection.authProfileId,upstreamDisplayName:e.connection.displayName,authMode:e.connection.authMode,ownerMode:e.connection.ownerMode}}n(Eu,"buildRouteAuthBaseFromConnection");function Ei(e){return{upstreamServerId:e.connection.id,operationId:e.operationId,authProfileId:Kn(e.connection.id,e.connection.authMode),upstreamDisplayName:e.connection.displayName,authMode:e.connection.authMode,ownerMode:e.connection.ownerMode}}n(Ei,"buildRouteAuthBaseFromPolicyOptions");function Jt(e,t){let o=K().byOperationId.get(t);if(!o)throw new q(`Unknown MCP route "${t}". Ensure routes.oas.json declares this operationId before starting an upstream connection flow.`);if(o.connection===void 0)throw new q(`MCP route "${t}" does not declare an MCP token exchange policy. Add one before starting an upstream connection flow.`);if(o.connection.upstreamServerId!==e)throw new q(`MCP route "${t}" does not bind upstream "${e}". 
Check the route's MCP upstream policies and bind the upstream before starting an upstream connection flow.`);return Eu({connection:o.connection,operationId:t})}n(Jt,"resolveRouteAuthBase");function Ti(e,t){switch(e){case"user":return Ut(t);case"shared":return Fn()}}n(Ti,"buildOwnerForSubject");function Le(e,t){switch(e.ownerMode){case"shared":return{...e,ownerMode:"shared",owner:Ti(e.ownerMode,t),initiatedBySubjectId:t};case"user":return{...e,ownerMode:"user",owner:Ti(e.ownerMode,t),initiatedBySubjectId:t}}}n(Le,"resolveRouteAuthForSubject");var Ou=Je.InvalidRequest,qu=new Set(["connection","keep-alive","proxy-authenticate","te","trailer","transfer-encoding","upgrade"]);function Mu(e,t){return{credentialType:e.type,forceRefresh:t}}n(Mu,"buildCredentialResolvedAttributes");function Du(e){switch(e){case"admin_connect_required":return"admin_connect_required";case"authenticating":return"connect_required"}}n(Du,"connectRequiredReasonCode");function Oi(e){x(e.context,{eventType:C.MCP_AUTH_UPSTREAM_CREDENTIAL_RESOLVED,outcome:"success",routeBinding:e.routeBinding,attributes:Mu(e.credential,e.forceRefresh===!0)})}n(Oi,"emitCredentialResolvedAnalyticsEvent");function qi(e){let t={forceRefresh:e.forceRefresh===!0,nextAction:e.payload.nextAction,state:e.payload.state};if(x(e.context,{eventType:C.MCP_AUTH_UPSTREAM_CREDENTIAL_MISSING,outcome:"connect_required",routeBinding:e.routeBinding,reasonCode:"connect_required",reasonClass:"auth",attributes:t}),e.payload.state==="reconsent_required"){x(e.context,{eventType:C.MCP_AUTH_UPSTREAM_RECONSENT_REQUIRED,outcome:"connect_required",routeBinding:e.routeBinding,reasonCode:"reconsent_required",reasonClass:"auth",attributes:t});return}x(e.context,{eventType:C.MCP_AUTH_UPSTREAM_CONNECT_REQUIRED,outcome:"connect_required",routeBinding:e.routeBinding,reasonCode:Du(e.payload.state),reasonClass:"auth",attributes:t})}n(qi,"emitCredentialMissingAnalyticsEvents");function Hu(e){let t=e.route.raw();return 
It.parse(t?.operationId)}n(Hu,"readOperationId");async function zu(e,t,r,o){let i=await ze({request:e,routeAuth:t});if(i.kind==="connect_required")return qi({context:o,payload:i.payload,routeBinding:t}),o.log.info({event:"mcp_upstream_connect_required",upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId},"MCP upstream proxy: upstream connection required"),{kind:"connect_required",payload:i.payload};let a=i.credential;Oi({context:o,credential:a,routeBinding:t});let s=await a.provider.tokens();return s?{kind:"headers",headers:[["authorization",`${s.token_type??"Bearer"} ${s.access_token}`]]}:(o.log.warn({event:"mcp_upstream_no_tokens",upstreamServerId:t.upstreamServerId},"MCP upstream proxy: OAuth provider returned no tokens"),Response.json({error:"no_upstream_tokens"},{status:401}))}n(zu,"buildCredentialHeaders");var Lu=new Set(["authorization","cookie","cookie2"]);function Bu(e){if(e!==void 0)try{let t=JSON.parse(new TextDecoder().decode(e));return t&&typeof t=="object"&&!Array.isArray(t)&&"method"in t&&typeof t.method=="string"?t.method:void 0}catch{return}}n(Bu,"readJsonRequestMethod");function ju(e){let t=e.headers.get("content-type")??"";return/\bapplication\/(?:[\w.+-]+\+)?json\b/i.test(t)}n(ju,"isJsonResponse");function Fr(e){return e!==null&&typeof e=="object"&&!Array.isArray(e)}n(Fr,"isRecord");function Nu(e){return Array.isArray(e)&&e.length>0}n(Nu,"hasIconList");function Gu(e){if(e.connection.serverInfo?.icons!==void 0&&e.connection.serverInfo.icons.length>0)return e.connection.serverInfo.icons;try{let t=Lt(zn(e.context.route.handler));return t===void 0?void 0:[t]}catch{return}}n(Gu,"readFallbackServerIcons");function $u(e){if(!Fr(e.body))return e.body;let t=e.body.result;if(!Fr(t))return e.body;let r=t.serverInfo;return!Fr(r)||Nu(r.icons)?e.body:{...e.body,result:{...t,serverInfo:{...r,icons:e.icons}}}}n($u,"addMissingServerIcons");function Fu(e,t){let r=new Headers(e.headers);for(let o of Lu)r.delete(o);for(let[o,i]of t)r.set(o,i);return 
new In(e,{headers:r})}n(Fu,"applyUpstreamHeaders");function Zu(e){let t=new Headers(e.headers);for(let r of qu)t.delete(r);return t}n(Zu,"buildProxyHeaders");async function Ku(e){if(!(e.method==="GET"||e.method==="HEAD"))return e.clone().arrayBuffer()}n(Ku,"readRetryBody");function Mi(e,t){let r=t.authUrl===void 0?void 0:_o({message:t.message,elicitationId:["connect",t.operationId,t.upstreamServerId,t.authProfileId].join(":"),url:t.authUrl});return Response.json(Ot({id:yo(e),error:{code:r?.code??Ou,message:t.message,data:{...r?.data??{},connectRequired:t}}}))}n(Mi,"connectRequiredJsonRpcResponse");async function Ju(e){let{scope:t}=Po(e.upstreamResponse),r=await ze({request:e.request,routeAuth:e.routeAuth,forceRefresh:!0,...t===void 0?{}:{requestedScope:t}});if(r.kind==="connect_required")return qi({context:e.context,payload:r.payload,routeBinding:e.routeAuth,forceRefresh:!0}),{kind:"connect_required",payload:r.payload};let o=new Headers(e.headers),i=r.credential;Oi({context:e.context,credential:i,routeBinding:e.routeAuth,forceRefresh:!0});let a=await i.provider.tokens();return a?(o.set("authorization",`${a.token_type??"Bearer"} ${a.access_token}`),{kind:"headers",headers:o}):(e.context.log.warn({event:"mcp_upstream_no_tokens_after_refresh",upstreamServerId:e.routeAuth.upstreamServerId},"MCP upstream proxy: OAuth provider returned no tokens after refresh"),{kind:"response",response:Response.json({error:"no_upstream_tokens"},{status:401})})}n(Ju,"applyRefreshedCredentialHeaders");function Wu(e){e.context.addResponseSendingHook(async(t,r)=>{if(t.status!==401)return t;let o=await Ju({request:e.request,context:e.context,headers:Zu(r),routeAuth:e.routeAuth,upstreamResponse:t});if(o.kind==="connect_required")return Mi(e.requestBody,o.payload);if(o.kind==="response")return o.response;let i=Ln({handler:e.context.route.handler,request:r,body:e.requestBody,headers:o.headers});return wt.fetch(i.url,i.init)})}n(Wu,"installUpstreamAuthRetryHook");function 
Vu(e){if(Bu(e.requestBody)!=="initialize")return;let t=Gu({connection:e.connection,context:e.context});t===void 0||t.length===0||e.context.addResponseSendingHook(async r=>{if(!ju(r))return r;let o;try{o=await r.clone().json()}catch{return r}let i=$u({body:o,icons:t});if(i===o)return r;let a=new Headers(r.headers);return a.delete("content-length"),new Response(JSON.stringify(i),{status:r.status,statusText:r.statusText,headers:a})})}n(Vu,"installInitializeIconHook");async function Zr(e,t,r){let o=Hu(t),i=await Ku(e),a=Ei({connection:r,operationId:o}),s=_e(e.user,e.url,e.headers);Qn(t,s);let c=Le(a,s.subjectId),u=await zu(e,c,r,t);if(!(u instanceof Response)&&u.kind==="connect_required")return Mi(i,u.payload);if(u instanceof Response)return u;let p=Fu(e,u.headers);return Wu({request:p,context:t,requestBody:i,routeAuth:c}),Vu({context:t,requestBody:i,connection:r}),p}n(Zr,"mcpTokenExchangePolicy");var Kr=class extends bt{static{n(this,"McpTokenExchangeInboundPolicy")}constructor(t,r){let o=Jn(t,r);super(o,r)}async handler(t,r){return Rt("policy.inbound.mcp-token-exchange"),Zr(t,r,this.options)}};G();var Di=Symbol("Html");function Yu(e){return e.replaceAll("&","&amp;").replaceAll("<","&lt;").replaceAll(">","&gt;").replaceAll('"',"&quot;").replaceAll("'","&#39;")}n(Yu,"escapeHtml");function Xu(e){return e===null||typeof e!="object"?!1:e[Di]===!0}n(Xu,"isHtml");function Hi(e){return e==null||e===!1?"":Array.isArray(e)?e.map(Hi).join(""):Xu(e)?e.value:Yu(String(e))}n(Hi,"renderValue");function ie(e){return{[Di]:!0,value:e}}n(ie,"trustedHtml");var V=ie("");function v(e,...t){let r=e[0]??"";for(let o=0;o<t.length;o+=1)r+=Hi(t[o]),r+=e[o+1]??"";return ie(r)}n(v,"html");function Be(e){return e.value}n(Be,"renderHtml");function zi(e){return v`<p class="card__description">${e.detail}</p>${e.guidance} ${e.technicalDetails} ${e.action}`}n(zi,"renderBrowserErrorPage");var 
je=ie('*,:before,:after{box-sizing:border-box}:root{--bg:#f5f6f8;--surface:#fff;--surface-2:#f8fafc;--border:#e5e7eb;--border-strong:#d1d5db;--text:#0f172a;--text-2:#475569;--text-3:#64748b;--text-muted:#94a3b8;--accent:#0f172a;--accent-hover:#1e293b;--accent-text:#fff;--focus-ring:#0f172a29;--danger:#b91c1c;--danger-bg:#b91c1c0f;--danger-border:#b91c1c38;--warning:#92400e;--warning-bg:#fffbeb;--warning-border:#fde68a;--success:#15803d;--success-bg:#f0fdf4;--success-border:#bbf7d0;--radius-sm:4px;--radius:8px;--radius-lg:12px;--radius-pill:9999px;--shadow-sm:0 1px 2px #0f172a0d;--shadow:0 1px 2px #0f172a0a,0 6px 16px #0f172a0f;--font-sans:-apple-system,BlinkMacSystemFont,"Segoe UI",Inter,system-ui,sans-serif;--font-mono:ui-monospace,SFMono-Regular,"SF Mono",Menlo,Monaco,Consolas,monospace}@media (prefers-color-scheme:dark){:root{--bg:#0a0c10;--surface:#15171c;--surface-2:#1e2128;--border:#262932;--border-strong:#3a3e48;--text:#fafafa;--text-2:#cbd5e1;--text-3:#94a3b8;--text-muted:#71717a;--accent:#fafafa;--accent-hover:#e4e4e7;--accent-text:#0a0c10;--focus-ring:#fafafa2e;--danger:#f87171;--danger-bg:#f8717114;--danger-border:#f871714d;--warning:#fbbf24;--warning-bg:#fbbf2414;--warning-border:#fbbf2447;--success:#34d399;--success-bg:#34d39914;--success-border:#34d3994d;--shadow-sm:0 1px 2px #0006;--shadow:0 1px 2px #0006,0 8px 24px #0006}}html,body{margin:0;padding:0}body{font-family:var(--font-sans);background:var(--bg);color:var(--text);-webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale;flex-direction:column;justify-content:center;align-items:center;min-height:100dvh;padding:48px 20px;font-size:14px;line-height:1.5;display:flex}.card{background:var(--surface);border:1px solid var(--border);border-radius:var(--radius-lg);width:100%;max-width:480px;box-shadow:var(--shadow);overflow:hidden}.card__head{text-align:center;padding:32px 32px 24px}.card__icon{border-radius:var(--radius);background:var(--surface-2);object-fit:contain;border:1px solid 
var(--border);width:48px;height:48px;margin:0 auto 16px;display:block}.card__title{letter-spacing:-.01em;color:var(--text);margin:0;font-size:20px;font-weight:600;line-height:1.3}.card__subtitle{color:var(--text-2);margin:8px 0 0;font-size:14px;line-height:1.55}.card__subtitle strong{color:var(--text);font-weight:600}.card__description{color:var(--text-3);margin:12px 0 0;font-size:13px;line-height:1.55}.card__principal{color:var(--text-3);background:var(--surface-2);border-radius:var(--radius-pill);text-overflow:ellipsis;white-space:nowrap;align-items:center;gap:6px;max-width:100%;margin:16px 0 0;padding:4px 12px;font-size:12.5px;display:inline-flex;overflow:hidden}.card__body{flex-direction:column;gap:20px;padding:8px 32px 24px;display:flex}.card__head+.card__body{border-top:1px solid var(--border);padding-top:24px}.card__footer{border-top:1px solid var(--border);background:var(--surface-2);flex-wrap:wrap;justify-content:flex-end;align-items:center;gap:8px;padding:16px 24px;display:flex}.card__fineprint{color:var(--text-3);text-align:center;margin:0;font-size:12.5px;line-height:1.5}.card__fineprint strong{color:var(--text-2);font-weight:600}.section-label{text-transform:uppercase;letter-spacing:.07em;color:var(--text-3);align-items:baseline;gap:6px;margin:0;font-size:11px;font-weight:600;display:flex}.section-label__count{color:var(--text-3);letter-spacing:0;font-weight:500}.banner{border-radius:var(--radius);border:1px solid;align-items:flex-start;gap:10px;padding:12px 14px;font-size:13px;display:flex}.banner__icon{flex-shrink:0;justify-content:center;align-items:center;width:16px;height:16px;margin-top:1px;display:inline-flex}.banner__body{flex-direction:column;flex:1;gap:2px;min-width:0;display:flex}.banner__title{color:var(--text);margin:0;font-size:13px;font-weight:600}.banner__message{color:var(--text-2);margin:0;font-size:13px;line-height:1.5}.banner--warning{background:var(--warning-bg);border-color:var(--warning-border)}.banner--warning 
.banner__icon{color:var(--warning)}.banner--alert{background:var(--danger-bg);border-color:var(--danger-border)}.banner--alert .banner__icon,.banner--alert .banner__title{color:var(--danger)}.upstream-list{flex-direction:column;gap:8px;margin:0;padding:0;list-style:none;display:flex}.upstream-card{background:var(--surface);border:1px solid var(--border);border-radius:var(--radius);flex-direction:column;gap:10px;padding:14px;display:flex}.upstream-card--needs-action{border-color:var(--warning-border);background:var(--warning-bg)}.upstream-card__head{align-items:flex-start;gap:10px;display:flex}.icon-frame{border-radius:var(--radius-sm);border:1px solid var(--border);background:var(--surface-2);width:32px;height:32px;color:var(--text-3);flex-shrink:0;justify-content:center;align-items:center;display:inline-flex;overflow:hidden}.icon-frame img{object-fit:contain;max-width:100%;max-height:100%}.icon-frame--fallback svg{width:18px;height:18px}.inline-icon{object-fit:contain;vertical-align:-2px;border-radius:2px;width:14px;height:14px;margin-right:4px}.upstream-card__main{flex-direction:column;flex:1;gap:3px;min-width:0;display:flex}.upstream-card__title-row{justify-content:space-between;align-items:center;gap:10px;min-width:0;display:flex}.upstream-card__title{color:var(--text);letter-spacing:-.005em;text-overflow:ellipsis;white-space:nowrap;flex:1;min-width:0;margin:0;font-size:14px;font-weight:600;line-height:1.3;overflow:hidden}.upstream-card__meta{color:var(--text-3);flex-wrap:wrap;align-items:center;gap:6px;font-size:12px;display:flex}.upstream-card__host{font-family:var(--font-mono);background:var(--surface-2);color:var(--text-2);border-radius:var(--radius-sm);padding:1px 6px;font-size:11.5px}.upstream-card__sep{color:var(--border-strong)}.upstream-card__description{color:var(--text-2);margin:4px 0 0;font-size:12.5px;line-height:1.5}.status-badge{border-radius:var(--radius-pill);white-space:nowrap;border:1px solid 
#0000;flex-shrink:0;align-items:center;gap:6px;padding:2px 8px;font-size:11.5px;font-weight:600;display:inline-flex}.status-badge:before{content:"";background:currentColor;border-radius:50%;flex-shrink:0;width:5px;height:5px}.status-badge--success{background:var(--success-bg);color:var(--success);border-color:var(--success-border)}.status-badge--warning{background:var(--warning-bg);color:var(--warning);border-color:var(--warning-border)}.status-badge--neutral{background:var(--surface-2);color:var(--text-2);border-color:var(--border)}.upstream-card__capabilities,.upstream-card__scopes{border-top:1px solid var(--border);margin-top:2px;padding-top:10px}.upstream-card__capabilities--empty{color:var(--text-3);font-size:12px;font-style:italic}.capabilities-summary,.scopes-summary{cursor:pointer;user-select:none;color:var(--text-2);justify-content:space-between;align-items:center;gap:12px;padding:2px 0;font-size:12.5px;list-style:none;display:flex}.capabilities-summary::-webkit-details-marker,.scopes-summary::-webkit-details-marker{display:none}.capabilities-summary:hover,.scopes-summary:hover{color:var(--text)}.capabilities-summary:focus-visible,.scopes-summary:focus-visible{outline:2px solid var(--accent);outline-offset:2px;border-radius:var(--radius-sm)}.capabilities-summary__counts{flex-wrap:wrap;align-items:center;gap:12px;display:flex}.count-pill{color:var(--text-2);align-items:baseline;gap:4px;font-size:12.5px;display:inline-flex}.count-pill__num{font-variant-numeric:tabular-nums;color:var(--text);font-size:13px;font-weight:600}.count-pill--destructive .count-pill__num,.count-pill--destructive .count-pill__label{color:var(--danger)}.capabilities-summary__chevron{color:var(--text-3);flex-shrink:0;transition:transform .15s;display:inline-flex}details[open]>.capabilities-summary .capabilities-summary__chevron,details[open]>.scopes-summary 
.capabilities-summary__chevron{transform:rotate(180deg)}.capabilities-detail{margin-top:10px}.capability-section{margin-top:14px}.capability-section:first-child{margin-top:6px}.capability-section__title{text-transform:uppercase;letter-spacing:.07em;color:var(--text-3);margin:0 0 6px;font-size:11px;font-weight:600}.capability-list{flex-direction:column;gap:5px;margin:0;padding:0;font-size:12.5px;list-style:none;display:flex}.capability-row{flex-wrap:wrap;align-items:baseline;gap:6px;padding:2px 0;display:flex}.capability-row__name{font-weight:500;font-family:var(--font-mono);color:var(--text);font-size:12.5px}.capability-row__description{color:var(--text-3);flex-basis:100%;font-size:12px;line-height:1.45}.capability-row__description code{font-family:var(--font-mono);background:var(--surface-2);border-radius:var(--radius-sm);color:var(--text-2);padding:1px 4px}.capability-row--more{color:var(--text-3);font-size:12px;font-style:italic}.scopes-list{flex-wrap:wrap;gap:4px;margin-top:8px;display:flex}.scope-chip{font-family:var(--font-mono);background:var(--surface-2);color:var(--text-2);border-radius:var(--radius-sm);border:1px solid var(--border);padding:2px 7px;font-size:11.5px}.badge{border-radius:var(--radius-sm);letter-spacing:.04em;text-transform:uppercase;align-items:center;padding:1px 5px;font-size:10px;font-weight:600;display:inline-flex}.badge--destructive{background:var(--danger-bg);color:var(--danger)}.badge--muted{background:var(--surface-2);color:var(--text-3)}.badge-row{flex-wrap:wrap;gap:4px;display:inline-flex}.muted{color:var(--text-3)}.button{font:inherit;border-radius:var(--radius);cursor:pointer;white-space:nowrap;border:1px solid #0000;justify-content:center;align-items:center;gap:6px;min-height:40px;padding:8px 16px;font-size:14px;font-weight:500;text-decoration:none;transition:background .12s,border-color .12s,color .12s,box-shadow .12s,transform 40ms;display:inline-flex}.button:active{transform:translateY(1px)}.button:focus-visible{box-shadow:0 
0 0 3px var(--focus-ring);outline:0}.button--small{padding:5px 10px;font-size:12.5px}.button--primary{background:var(--accent);color:var(--accent-text);border-color:var(--accent)}.button--primary:hover:not(:disabled):not([aria-disabled=true]){background:var(--accent-hover);border-color:var(--accent-hover)}.button:disabled,.button[aria-disabled=true]{cursor:not-allowed;opacity:.55}.button:disabled:hover,.button[aria-disabled=true]:hover{background:var(--accent);border-color:var(--accent)}.button--secondary{background:var(--surface);color:var(--text);border-color:var(--border-strong)}.button--secondary:hover{background:var(--surface-2);border-color:var(--border-strong)}.button--block{width:100%}.reconnect-action{align-items:center;margin-right:auto;display:inline-flex;position:relative}.reconnect-button{gap:7px}.tooltip{width:16px;height:16px;color:var(--accent);background:color-mix(in srgb,var(--accent)8%,transparent);cursor:help;border:1.5px solid;border-radius:50%;justify-content:center;align-items:center;font-size:10.5px;font-weight:700;line-height:1;display:inline-flex;position:relative}.tooltip:after{content:attr(aria-label);z-index:10;border-radius:var(--radius-sm);background:var(--accent);width:280px;max-width:min(280px,100vw - 48px);color:var(--accent-text);box-shadow:var(--shadow);text-align:left;white-space:normal;opacity:0;pointer-events:none;padding:12px 14px;font-size:13px;font-weight:600;line-height:1.45;transition:opacity .12s;position:absolute;bottom:calc(100% + 12px);left:50%;transform:translate(-50%)}.tooltip:before{content:"";z-index:11;border-left:7px solid #0000;border-right:7px solid #0000;border-top:8px solid var(--accent);opacity:0;pointer-events:none;transition:opacity .12s;position:absolute;bottom:calc(100% + 
5px);left:50%;transform:translate(-50%)}.tooltip:hover:after,.tooltip:hover:before,.tooltip:focus-visible:after,.tooltip:focus-visible:before{opacity:1}.form{flex-direction:column;gap:6px;display:flex}.form__label{color:var(--text);margin:8px 0 0;font-size:13px;font-weight:600;display:block}.form__label:first-child{margin-top:0}.form__input{box-sizing:border-box;border:1px solid var(--border-strong);border-radius:var(--radius);width:100%;font:inherit;background:var(--surface);color:var(--text);padding:9px 12px;font-size:14px;transition:border-color .12s,box-shadow .12s}.form__input:focus{border-color:var(--accent);box-shadow:0 0 0 3px var(--focus-ring);outline:0}.form__note{color:var(--text-3);margin:4px 0 0;font-size:12.5px;line-height:1.5}.form__submit{margin-top:8px}.empty{text-align:center;color:var(--text-3);border:1px dashed var(--border);border-radius:var(--radius);background:var(--surface);padding:24px 16px;font-size:13px}.actions{gap:8px;margin:0;display:flex}@media (width<=480px){body{padding:0}.card{box-shadow:none;border-left:0;border-right:0;border-radius:0;min-height:100dvh}.card__head{padding:24px 20px 16px}.card__body{padding:16px 20px}.card__footer{flex-direction:column-reverse;align-items:stretch;padding:14px 20px}.card__footer .button{width:100%}.reconnect-action{justify-content:center;width:100%;margin-right:0}.reconnect-action .button{flex:1}.tooltip:after{left:auto;right:0;transform:none}}@media (prefers-reduced-motion:reduce){*{transition:none!important}}');function Ne(e){return v`<!doctype html><html lang="en"><head><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1" /><meta name="referrer" content="no-referrer" /><meta name="robots" content="noindex" /><title>${e.title}</title><link rel="icon" href="${e.iconHref}" /><style>
25
+ import{$b as Ye,Ab as Ds,Ac as H,Bb as Hs,Bc as ao,Cb as zs,Cc as so,Db as Ls,Dc as hr,Eb as Bs,Ec as co,Fb as js,Fc as uo,G as Un,Gb as Ns,Gc as gr,H as l,Hb as Gs,Hc as _e,I as kn,Ib as $s,Ic as lo,J as cr,Jb as Fs,Jc as po,K as te,Kb as Bn,Kc as mo,L as Pn,Lb as jn,Lc as fo,M as y,Mb as Nn,Mc as ho,N as ue,Nb as xt,Nc as go,O as vt,Ob as dr,Oc as yo,P as Tn,Pb as At,Pc as b,Q as En,Qb as Ut,Qc as x,R as On,Rb as We,Rc as pe,S as d,Sb as Gn,Sc as U,T as $,Tb as $n,Tc as wo,Ub as Fn,Uc as Zs,Vb as Ve,Vc as Ks,Wb as Zn,Xb as kt,Yb as Kn,Z as Mn,Zb as ur,_b as Jn,a as bt,ac as Pt,bc as Wn,cc as Vn,dc as Yn,ec as Xn,fc as J,gb as we,gc as M,hb as T,hc as Qn,i as ye,ib as qn,ic as eo,j as In,jb as Dn,jc as R,kb as k,kc as ne,l as xn,lb as Hn,lc as Tt,mb as g,mc as B,nb as ke,nc as Z,ob as Pe,oc as to,p as An,pb as Te,pc as ro,qb as Ee,qc as Et,r as Ct,rb as St,rc as no,sb as zn,sc as oe,tb as F,tc as lr,ub as Ln,uc as pr,vb as re,vc as oo,wb as w,wc as Ot,xb as It,xc as mr,yb as D,yc as fr,zb as le,zc as io}from"../chunk-6WKYPMAI.js";import{d as sr}from"../chunk-JRXZBVXH.js";import{a as C}from"../chunk-4SACVMDH.js";import{$ as de,a as n,aa as h,ba as q,ca as Sn,da as Rt}from"../chunk-ZIKV2LUM.js";$();function Js(e){let t=Ut.safeParse(e);return t.success?t.data.id:void 0}n(Js,"parseJsonRpcRequestId");function _o(e){if(e!==void 0)try{let t=JSON.parse(new TextDecoder().decode(e));return Js(t)}catch{return}}n(_o,"readJsonRpcRequestIdFromBody");function Mt(e){return Gn.parse({jsonrpc:At,...e.id===void 0?{}:{id:e.id},error:{code:e.error.code,message:e.error.message,...e.error.data===void 0?{}:{data:e.error.data}}})}n(Mt,"jsonRpcErrorResponse");function Ro(e){return new Fn([$n.parse({mode:"url",message:e.message,elicitationId:e.elicitationId,url:e.url})],e.message)}n(Ro,"urlElicitationRequiredError");var 
qt=d.record(d.string(),d.unknown()),Ws=d.record(d.string(),d.unknown()),Vs=d.object({name:d.string().min(1),description:d.string().min(1).optional(),annotations:Ws.optional(),_meta:qt.optional()}).strict(),Ys=d.object({name:d.string().min(1),description:d.string().min(1).optional(),_meta:qt.optional()}).strict(),Xs=d.object({uri:d.string().min(1),name:d.string().min(1).optional(),description:d.string().min(1).optional(),mimeType:d.string().min(1).optional(),_meta:qt.optional()}).strict(),Qs=d.object({uriTemplate:d.string().min(1),name:d.string().min(1).optional(),description:d.string().min(1).optional(),mimeType:d.string().min(1).optional(),_meta:qt.optional()}).strict(),ec=d.array(d.union([d.string(),Vs])),tc=d.array(d.union([d.string(),Ys])),rc=d.array(d.union([d.string(),Xs])),nc=d.array(d.union([d.string(),Qs])),oc=d.object({tools:ec.optional(),prompts:tc.optional(),resources:rc.optional(),resourceTemplates:nc.optional()}).strict(),wr=[{option:"tools",listMethod:"tools/list",resultProperty:"tools",itemProperty:"name",directMethods:[{method:"tools/call",paramProperty:"name"}]},{option:"prompts",listMethod:"prompts/list",resultProperty:"prompts",itemProperty:"name",directMethods:[{method:"prompts/get",paramProperty:"name"}]},{option:"resources",listMethod:"resources/list",resultProperty:"resources",itemProperty:"uri",directMethods:[{method:"resources/read",paramProperty:"uri"}]},{option:"resourceTemplates",listMethod:"resources/templates/list",resultProperty:"resourceTemplates",itemProperty:"uriTemplate",directMethods:[]}];function ic(e,t){return qn(oc,e,`MCP capability filter policy "${t}"`)}n(ic,"parseMcpCapabilityFilterOptions");function z(e){return e!==null&&typeof e=="object"&&!Array.isArray(e)}n(z,"isRecord");function ac(e,t){if(!z(e))return;let r=e[t];return typeof r=="string"?r:void 0}n(ac,"readParamString");function _r(e){let t=e.id;return typeof t=="string"||typeof t=="number"||t===null?t:void 0}n(_r,"readRequestId");function So(e){return e===void 
0?void 0:JSON.stringify(e)}n(So,"requestIdKey");function sc(e){let t={};for(let r of wr){let o=e[r.option];if(o===void 0)continue;let i=new Map;for(let a of o){let s=lc(a,r.itemProperty);s!==void 0&&i.set(s.key,s)}t[r.option]=i}return t}n(sc,"buildProjectionMaps");function Rr(e){return wr.find(t=>t.listMethod===e)}n(Rr,"findListRule");function cc(e){return e.requests.some(t=>{if(!z(t))return!1;let r=Rr(t.method);return r!==void 0&&e.projectionMaps[r.option]!==void 0})}n(cc,"shouldFilterListResponses");function dc(e){for(let t of wr){let r=e.projectionMaps[t.option];if(r!==void 0)for(let o of t.directMethods){if(e.request.method!==o.method)continue;let i=ac(e.request.params,o.paramProperty);if(i!==void 0&&!r.has(i))return{id:_r(e.request)}}}}n(dc,"findDisallowedDirectAccess");function uc(e){return Response.json(Mt({id:e,error:{code:We.MethodNotFound,message:"Method not found"}}))}n(uc,"methodNotFoundResponse");function lc(e,t){if(typeof e=="string")return{key:e,overlay:{}};if(!z(e))return;let r=e[t];if(typeof r=="string")return{key:r,overlay:e}}n(lc,"buildProjection");function bo(e){let t=e.base[e.property],r=e.overlay[e.property];return z(r)?z(t)?{...t,...r}:r:t}n(bo,"mergeRecordProperty");function pc(e,t){let r={...e,...t.overlay},o=bo({base:e,overlay:t.overlay,property:"annotations"});o!==void 0&&(r.annotations=o);let i=bo({base:e,overlay:t.overlay,property:"_meta"});return i!==void 0&&(r._meta=i),r}n(pc,"applyProjection");function Co(e,t,r){if(!z(e))return e;let o=e.result;if(!z(o))return e;let i=o[t.resultProperty];return!Array.isArray(i)||!i.every(a=>z(a)&&typeof a[t.itemProperty]=="string")?e:{...e,result:{...o,[t.resultProperty]:i.flatMap(a=>{if(!z(a))return[];let s=a[t.itemProperty];if(typeof s!="string")return[];let c=r.get(s);return c===void 0?[]:[pc(a,c)]})}}}n(Co,"filterAndProjectItems");function mc(e){let t=new Map;if(!Array.isArray(e))return t;for(let r of e){if(!z(r))continue;let o=Rr(r.method),i=_r(r),a=So(i);o!==void 0&&a!==void 
0&&t.set(a,o)}return t}n(mc,"buildListRulesByResponseId");function fc(e){if(Array.isArray(e.responseBody)){let o=mc(e.requestBody);return o.size===0?e.responseBody:e.responseBody.map(i=>{if(!z(i)||"error"in i)return i;let a=So(_r(i)),s=a===void 0?void 0:o.get(a),c=s===void 0?void 0:e.projectionMaps[s.option];return s===void 0||c===void 0?i:Co(i,s,c)})}if(!z(e.requestBody)||!z(e.responseBody)||"error"in e.responseBody)return e.responseBody;let t=Rr(e.requestBody.method),r=t===void 0?void 0:e.projectionMaps[t.option];return t===void 0||r===void 0?e.responseBody:Co(e.responseBody,t,r)}n(fc,"filterJsonRpcResponse");async function vo(e){return e.clone().json()}n(vo,"readJson");function hc(e){return e.headers.get("content-type")?.includes("json")??!1}n(hc,"isJsonResponse");var yr=class extends Ct{static{n(this,"McpCapabilityFilterInboundPolicy")}#e;constructor(t,r){let o=ic(t,r);super(o,r),this.#e=sc(o)}async handler(t,r){bt("policy.inbound.mcp-capability-filter");let o;try{o=await vo(t)}catch{return t}let i=Array.isArray(o)?o:[o];for(let a of i){if(!z(a))continue;let s=dc({request:a,projectionMaps:this.#e});if(s!==void 0)return uc(s.id)}return cc({requests:i,projectionMaps:this.#e})&&r.addResponseSendingHook(async a=>{if(!hc(a))return a;let s;try{s=await vo(a)}catch{return a}let c=fc({requestBody:o,responseBody:s,projectionMaps:this.#e});if(c===s)return a;let u=new Headers(a.headers);return u.delete("content-length"),new Response(JSON.stringify(c),{status:a.status,statusText:a.statusText,headers:u})}),t}};var br;br=globalThis.crypto;async function gc(e){return(await br).getRandomValues(new Uint8Array(e))}n(gc,"getRandomValues");async function yc(e){let t="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._~",r=Math.pow(2,8)-Math.pow(2,8)%t.length,o="";for(;o.length<e;){let i=await gc(e-o.length);for(let a of i)a<r&&(o+=t[a%t.length])}return o}n(yc,"random");async function wc(e){return await yc(e)}n(wc,"generateVerifier");async function _c(e){let 
t=await(await br).subtle.digest("SHA-256",new TextEncoder().encode(e));return btoa(String.fromCharCode(...new Uint8Array(t))).replace(/\//g,"_").replace(/\+/g,"-").replace(/=/g,"")}n(_c,"generateChallenge");async function Cr(e){if(e||(e=43),e<43||e>128)throw`Expected a length between 43 and 128. Received ${e}.`;let t=await wc(e),r=await _c(t);return{code_verifier:t,code_challenge:r}}n(Cr,"pkceChallenge");$();var E=kn().superRefine((e,t)=>{if(!URL.canParse(e))return t.addIssue({code:En.custom,message:"URL must be parseable",fatal:!0}),Un}).refine(e=>{let t=new URL(e);return t.protocol!=="javascript:"&&t.protocol!=="data:"&&t.protocol!=="vbscript:"},{message:"URL cannot use javascript:, data:, or vbscript: scheme"}),Dt=vt({resource:l().url(),authorization_servers:y(E).optional(),jwks_uri:l().url().optional(),scopes_supported:y(l()).optional(),bearer_methods_supported:y(l()).optional(),resource_signing_alg_values_supported:y(l()).optional(),resource_name:l().optional(),resource_documentation:l().optional(),resource_policy_uri:l().url().optional(),resource_tos_uri:l().url().optional(),tls_client_certificate_bound_access_tokens:te().optional(),authorization_details_types_supported:y(l()).optional(),dpop_signing_alg_values_supported:y(l()).optional(),dpop_bound_access_tokens_required:te().optional()}),Xe=vt({issuer:l(),authorization_endpoint:E,token_endpoint:E,registration_endpoint:E.optional(),scopes_supported:y(l()).optional(),response_types_supported:y(l()),response_modes_supported:y(l()).optional(),grant_types_supported:y(l()).optional(),token_endpoint_auth_methods_supported:y(l()).optional(),token_endpoint_auth_signing_alg_values_supported:y(l()).optional(),service_documentation:E.optional(),revocation_endpoint:E.optional(),revocation_endpoint_auth_methods_supported:y(l()).optional(),revocation_endpoint_auth_signing_alg_values_supported:y(l()).optional(),introspection_endpoint:l().optional(),introspection_endpoint_auth_methods_supported:y(l()).optional(),introspectio
n_endpoint_auth_signing_alg_values_supported:y(l()).optional(),code_challenge_methods_supported:y(l()).optional(),client_id_metadata_document_supported:te().optional()}),Rc=vt({issuer:l(),authorization_endpoint:E,token_endpoint:E,userinfo_endpoint:E.optional(),jwks_uri:E,registration_endpoint:E.optional(),scopes_supported:y(l()).optional(),response_types_supported:y(l()),response_modes_supported:y(l()).optional(),grant_types_supported:y(l()).optional(),acr_values_supported:y(l()).optional(),subject_types_supported:y(l()),id_token_signing_alg_values_supported:y(l()),id_token_encryption_alg_values_supported:y(l()).optional(),id_token_encryption_enc_values_supported:y(l()).optional(),userinfo_signing_alg_values_supported:y(l()).optional(),userinfo_encryption_alg_values_supported:y(l()).optional(),userinfo_encryption_enc_values_supported:y(l()).optional(),request_object_signing_alg_values_supported:y(l()).optional(),request_object_encryption_alg_values_supported:y(l()).optional(),request_object_encryption_enc_values_supported:y(l()).optional(),token_endpoint_auth_methods_supported:y(l()).optional(),token_endpoint_auth_signing_alg_values_supported:y(l()).optional(),display_values_supported:y(l()).optional(),claim_types_supported:y(l()).optional(),claims_supported:y(l()).optional(),service_documentation:l().optional(),claims_locales_supported:y(l()).optional(),ui_locales_supported:y(l()).optional(),claims_parameter_supported:te().optional(),request_parameter_supported:te().optional(),request_uri_parameter_supported:te().optional(),require_request_uri_registration:te().optional(),op_policy_uri:E.optional(),op_tos_uri:E.optional(),client_id_metadata_document_supported:te().optional()}),Ht=ue({...Rc.shape,...Xe.pick({code_challenge_methods_supported:!0}).shape}),Oe=ue({access_token:l(),id_token:l().optional(),token_type:l(),expires_in:On.number().optional(),scope:l().optional(),refresh_token:l().optional()}).strip(),xo=ue({error:l(),error_description:l().optional(),error_uri
:l().optional()}),Io=E.optional().or(Tn("").transform(()=>{})),bc=ue({redirect_uris:y(E),token_endpoint_auth_method:l().optional(),grant_types:y(l()).optional(),response_types:y(l()).optional(),client_name:l().optional(),client_uri:E.optional(),logo_uri:Io,scope:l().optional(),contacts:y(l()).optional(),tos_uri:Io,policy_uri:l().optional(),jwks_uri:E.optional(),jwks:Pn().optional(),software_id:l().optional(),software_version:l().optional(),software_statement:l().optional()}).strip(),zt=ue({client_id:l(),client_secret:l().optional(),client_id_issued_at:cr().optional(),client_secret_expires_at:cr().optional()}).strip(),Qe=bc.merge(zt),Vf=ue({error:l(),error_description:l().optional()}).strip(),Yf=ue({token:l(),token_type_hint:l().optional()}).strip();function Ao(e){let t=typeof e=="string"?new URL(e):new URL(e.href);return t.hash="",t}n(Ao,"resourceUrlFromServerUrl");function Uo({requestedResource:e,configuredResource:t}){let r=typeof e=="string"?new URL(e):new URL(e.href),o=typeof t=="string"?new URL(t):new URL(t.href);if(r.origin!==o.origin||r.pathname.length<o.pathname.length)return!1;let i=r.pathname.endsWith("/")?r.pathname:r.pathname+"/",a=o.pathname.endsWith("/")?o.pathname:o.pathname+"/";return i.startsWith(a)}n(Uo,"checkResourceAllowed");var A=class extends Error{static{n(this,"OAuthError")}constructor(t,r){super(t),this.errorUri=r,this.name=this.constructor.name}toResponseObject(){let t={error:this.errorCode,error_description:this.message};return this.errorUri&&(t.error_uri=this.errorUri),t}get errorCode(){return this.constructor.errorCode}},et=class extends A{static{n(this,"InvalidRequestError")}};et.errorCode="invalid_request";var Re=class extends A{static{n(this,"InvalidClientError")}};Re.errorCode="invalid_client";var be=class extends A{static{n(this,"InvalidGrantError")}};be.errorCode="invalid_grant";var Ce=class extends A{static{n(this,"UnauthorizedClientError")}};Ce.errorCode="unauthorized_client";var tt=class extends 
A{static{n(this,"UnsupportedGrantTypeError")}};tt.errorCode="unsupported_grant_type";var rt=class extends A{static{n(this,"InvalidScopeError")}};rt.errorCode="invalid_scope";var nt=class extends A{static{n(this,"AccessDeniedError")}};nt.errorCode="access_denied";var ie=class extends A{static{n(this,"ServerError")}};ie.errorCode="server_error";var ot=class extends A{static{n(this,"TemporarilyUnavailableError")}};ot.errorCode="temporarily_unavailable";var it=class extends A{static{n(this,"UnsupportedResponseTypeError")}};it.errorCode="unsupported_response_type";var at=class extends A{static{n(this,"UnsupportedTokenTypeError")}};at.errorCode="unsupported_token_type";var st=class extends A{static{n(this,"InvalidTokenError")}};st.errorCode="invalid_token";var ct=class extends A{static{n(this,"MethodNotAllowedError")}};ct.errorCode="method_not_allowed";var dt=class extends A{static{n(this,"TooManyRequestsError")}};dt.errorCode="too_many_requests";var ve=class extends A{static{n(this,"InvalidClientMetadataError")}};ve.errorCode="invalid_client_metadata";var ut=class extends A{static{n(this,"InsufficientScopeError")}};ut.errorCode="insufficient_scope";var lt=class extends A{static{n(this,"InvalidTargetError")}};lt.errorCode="invalid_target";var ko={[et.errorCode]:et,[Re.errorCode]:Re,[be.errorCode]:be,[Ce.errorCode]:Ce,[tt.errorCode]:tt,[rt.errorCode]:rt,[nt.errorCode]:nt,[ie.errorCode]:ie,[ot.errorCode]:ot,[it.errorCode]:it,[at.errorCode]:at,[st.errorCode]:st,[ct.errorCode]:ct,[dt.errorCode]:dt,[ve.errorCode]:ve,[ut.errorCode]:ut,[lt.errorCode]:lt};function Cc(e){return["client_secret_basic","client_secret_post","none"].includes(e)}n(Cc,"isClientAuthMethod");var vr="code",Sr="S256";function vc(e,t){let r=e.client_secret!==void 0;return"token_endpoint_auth_method"in 
e&&e.token_endpoint_auth_method&&Cc(e.token_endpoint_auth_method)&&(t.length===0||t.includes(e.token_endpoint_auth_method))?e.token_endpoint_auth_method:t.length===0?r?"client_secret_basic":"none":r&&t.includes("client_secret_basic")?"client_secret_basic":r&&t.includes("client_secret_post")?"client_secret_post":t.includes("none")?"none":r?"client_secret_post":"none"}n(vc,"selectClientAuthMethod");function Sc(e,t,r,o){let{client_id:i,client_secret:a}=t;switch(e){case"client_secret_basic":Ic(i,a,r);return;case"client_secret_post":xc(i,a,o);return;case"none":Ac(i,o);return;default:throw new Error(`Unsupported client authentication method: ${e}`)}}n(Sc,"applyClientAuthentication");function Ic(e,t,r){if(!t)throw new Error("client_secret_basic authentication requires a client_secret");let o=btoa(`${e}:${t}`);r.set("Authorization",`Basic ${o}`)}n(Ic,"applyBasicAuth");function xc(e,t,r){r.set("client_id",e),t&&r.set("client_secret",t)}n(xc,"applyPostAuth");function Ac(e,t){t.set("client_id",e)}n(Ac,"applyPublicAuth");async function To(e){let t=e instanceof Response?e.status:void 0,r=e instanceof Response?await e.text():e;try{let o=xo.parse(JSON.parse(r)),{error:i,error_description:a,error_uri:s}=o,c=ko[i]||ie;return new c(a||"",s)}catch(o){let i=`${t?`HTTP ${t}: `:""}Invalid OAuth error response: ${o}. 
Raw body: ${r}`;return new ie(i)}}n(To,"parseErrorResponse");async function Ar(e,t){try{return await Ir(e,t)}catch(r){if(r instanceof Re||r instanceof Ce)return await e.invalidateCredentials?.("all"),await Ir(e,t);if(r instanceof be)return await e.invalidateCredentials?.("tokens"),await Ir(e,t);throw r}}n(Ar,"auth");async function Ir(e,{serverUrl:t,authorizationCode:r,scope:o,resourceMetadataUrl:i,fetchFn:a}){let s=await e.discoveryState?.(),c,u,p,f=i;if(!f&&s?.resourceMetadataUrl&&(f=new URL(s.resourceMetadataUrl)),s?.authorizationServerUrl){if(u=s.authorizationServerUrl,c=s.resourceMetadata,p=s.authorizationServerMetadata??await Mo(u,{fetchFn:a}),!c)try{c=await Oo(t,{resourceMetadataUrl:f},a)}catch{}(p!==s.authorizationServerMetadata||c!==s.resourceMetadata)&&await e.saveDiscoveryState?.({authorizationServerUrl:String(u),resourceMetadataUrl:f?.toString(),resourceMetadata:c,authorizationServerMetadata:p})}else{let P=await Oc(t,{resourceMetadataUrl:f,fetchFn:a});u=P.authorizationServerUrl,p=P.authorizationServerMetadata,c=P.resourceMetadata,await e.saveDiscoveryState?.({authorizationServerUrl:String(u),resourceMetadataUrl:f?.toString(),resourceMetadata:c,authorizationServerMetadata:p})}let _=await Uc(t,e,c),S=o||c?.scopes_supported?.join(" ")||e.clientMetadata.scope,I=await Promise.resolve(e.clientInformation());if(!I){if(r!==void 0)throw new Error("Existing OAuth client information is required when exchanging an authorization code");let P=p?.client_id_metadata_document_supported===!0,O=e.clientMetadataUrl;if(O&&!Ur(O))throw new ve(`clientMetadataUrl must be a valid HTTPS URL with a non-root pathname, got: ${O}`);if(P&&O)I={client_id:O},await e.saveClientInformation?.(I);else{if(!e.saveClientInformation)throw new Error("OAuth client information must be saveable for dynamic registration");let vn=await zc(u,{metadata:p,clientMetadata:e.clientMetadata,scope:S,fetchFn:a});await e.saveClientInformation(vn),I=vn}}let G=!e.redirectUrl;if(r!==void 0||G){let P=await 
Hc(e,u,{metadata:p,resource:_,authorizationCode:r,fetchFn:a});return await e.saveTokens(P),"AUTHORIZED"}let K=await e.tokens();if(K?.refresh_token)try{let P=await Dc(u,{metadata:p,clientInformation:I,refreshToken:K.refresh_token,resource:_,addClientAuthentication:e.addClientAuthentication,fetchFn:a});return await e.saveTokens(P),"AUTHORIZED"}catch(P){if(!(!(P instanceof A)||P instanceof ie))throw P}let Q=e.state?await e.state():void 0,{authorizationUrl:Je,codeVerifier:ee}=await Mc(u,{metadata:p,clientInformation:I,state:Q,redirectUrl:e.redirectUrl,scope:S,resource:_});return await e.saveCodeVerifier(ee),await e.redirectToAuthorization(Je),"REDIRECT"}n(Ir,"authInternal");function Ur(e){if(!e)return!1;try{let t=new URL(e);return t.protocol==="https:"&&t.pathname!=="/"}catch{return!1}}n(Ur,"isHttpsUrl");async function Uc(e,t,r){let o=Ao(e);if(t.validateResourceURL)return await t.validateResourceURL(o,r?.resource);if(r){if(!Uo({requestedResource:o,configuredResource:r.resource}))throw new Error(`Protected resource ${r.resource} does not match expected ${o} (or origin)`);return new URL(r.resource)}}n(Uc,"selectResourceURL");function Eo(e){let t=e.headers.get("WWW-Authenticate");if(!t)return{};let[r,o]=t.split(" ");if(r.toLowerCase()!=="bearer"||!o)return{};let i=xr(e,"resource_metadata")||void 0,a;if(i)try{a=new URL(i)}catch{}let s=xr(e,"scope")||void 0,c=xr(e,"error")||void 0;return{resourceMetadataUrl:a,scope:s,error:c}}n(Eo,"extractWWWAuthenticateParams");function xr(e,t){let r=e.headers.get("WWW-Authenticate");if(!r)return null;let o=new RegExp(`${t}=(?:"([^"]+)"|([^\\s,]+))`),i=r.match(o);return i?i[1]||i[2]:null}n(xr,"extractFieldFromWwwAuth");async function Oo(e,t,r=fetch){let o=await Tc(e,"oauth-protected-resource",r,{protocolVersion:t?.protocolVersion,metadataUrl:t?.resourceMetadataUrl});if(!o||o.status===404)throw await o?.body?.cancel(),new Error("Resource server does not implement OAuth 2.0 Protected Resource Metadata.");if(!o.ok)throw await 
o.body?.cancel(),new Error(`HTTP ${o.status} trying to load well-known OAuth protected resource metadata.`);return Dt.parse(await o.json())}n(Oo,"discoverOAuthProtectedResourceMetadata");async function kr(e,t,r=fetch){try{return await r(e,{headers:t})}catch(o){if(o instanceof TypeError)return t?kr(e,void 0,r):void 0;throw o}}n(kr,"fetchWithCorsRetry");function kc(e,t="",r={}){return t.endsWith("/")&&(t=t.slice(0,-1)),r.prependPathname?`${t}/.well-known/${e}`:`/.well-known/${e}${t}`}n(kc,"buildWellKnownPath");async function Po(e,t,r=fetch){return await kr(e,{"MCP-Protocol-Version":t},r)}n(Po,"tryMetadataDiscovery");function Pc(e,t){return!e||e.status>=400&&e.status<500&&t!=="/"}n(Pc,"shouldAttemptFallback");async function Tc(e,t,r,o){let i=new URL(e),a=o?.protocolVersion??dr,s;if(o?.metadataUrl)s=new URL(o.metadataUrl);else{let u=kc(t,i.pathname);s=new URL(u,o?.metadataServerUrl??i),s.search=i.search}let c=await Po(s,a,r);if(!o?.metadataUrl&&Pc(c,i.pathname)){let u=new URL(`/.well-known/${t}`,i);c=await Po(u,a,r)}return c}n(Tc,"discoverMetadataWithFallback");function Ec(e){let t=typeof e=="string"?new URL(e):e,r=t.pathname!=="/",o=[];if(!r)return o.push({url:new URL("/.well-known/oauth-authorization-server",t.origin),type:"oauth"}),o.push({url:new URL("/.well-known/openid-configuration",t.origin),type:"oidc"}),o;let i=t.pathname;return i.endsWith("/")&&(i=i.slice(0,-1)),o.push({url:new URL(`/.well-known/oauth-authorization-server${i}`,t.origin),type:"oauth"}),o.push({url:new URL(`/.well-known/openid-configuration${i}`,t.origin),type:"oidc"}),o.push({url:new URL(`${i}/.well-known/openid-configuration`,t.origin),type:"oidc"}),o}n(Ec,"buildDiscoveryUrls");async function Mo(e,{fetchFn:t=fetch,protocolVersion:r=dr}={}){let o={"MCP-Protocol-Version":r,Accept:"application/json"},i=Ec(e);for(let{url:a,type:s}of i){let c=await kr(a,o,t);if(c){if(!c.ok){if(await c.body?.cancel(),c.status>=400&&c.status<500)continue;throw new Error(`HTTP ${c.status} trying to load 
${s==="oauth"?"OAuth":"OpenID provider"} metadata from ${a}`)}return s==="oauth"?Xe.parse(await c.json()):Ht.parse(await c.json())}}}n(Mo,"discoverAuthorizationServerMetadata");async function Oc(e,t){let r,o;try{r=await Oo(e,{resourceMetadataUrl:t?.resourceMetadataUrl},t?.fetchFn),r.authorization_servers&&r.authorization_servers.length>0&&(o=r.authorization_servers[0])}catch{}o||(o=String(new URL("/",e)));let i=await Mo(o,{fetchFn:t?.fetchFn});return{authorizationServerUrl:o,authorizationServerMetadata:i,resourceMetadata:r}}n(Oc,"discoverOAuthServerInfo");async function Mc(e,{metadata:t,clientInformation:r,redirectUrl:o,scope:i,state:a,resource:s}){let c;if(t){if(c=new URL(t.authorization_endpoint),!t.response_types_supported.includes(vr))throw new Error(`Incompatible auth server: does not support response type ${vr}`);if(t.code_challenge_methods_supported&&!t.code_challenge_methods_supported.includes(Sr))throw new Error(`Incompatible auth server: does not support code challenge method ${Sr}`)}else c=new URL("/authorize",e);let u=await Cr(),p=u.code_verifier,f=u.code_challenge;return c.searchParams.set("response_type",vr),c.searchParams.set("client_id",r.client_id),c.searchParams.set("code_challenge",f),c.searchParams.set("code_challenge_method",Sr),c.searchParams.set("redirect_uri",String(o)),a&&c.searchParams.set("state",a),i&&c.searchParams.set("scope",i),i?.includes("offline_access")&&c.searchParams.append("prompt","consent"),s&&c.searchParams.set("resource",s.href),{authorizationUrl:c,codeVerifier:p}}n(Mc,"startAuthorization");function qc(e,t,r){return new URLSearchParams({grant_type:"authorization_code",code:e,code_verifier:t,redirect_uri:String(r)})}n(qc,"prepareAuthorizationCodeRequest");async function qo(e,{metadata:t,tokenRequestParams:r,clientInformation:o,addClientAuthentication:i,resource:a,fetchFn:s}){let c=t?.token_endpoint?new URL(t.token_endpoint):new URL("/token",e),u=new 
Headers({"Content-Type":"application/x-www-form-urlencoded",Accept:"application/json"});if(a&&r.set("resource",a.href),i)await i(u,r,c,t);else if(o){let f=t?.token_endpoint_auth_methods_supported??[],_=vc(o,f);Sc(_,o,u,r)}let p=await(s??fetch)(c,{method:"POST",headers:u,body:r});if(!p.ok)throw await To(p);return Oe.parse(await p.json())}n(qo,"executeTokenRequest");async function Dc(e,{metadata:t,clientInformation:r,refreshToken:o,resource:i,addClientAuthentication:a,fetchFn:s}){let c=new URLSearchParams({grant_type:"refresh_token",refresh_token:o}),u=await qo(e,{metadata:t,tokenRequestParams:c,clientInformation:r,addClientAuthentication:a,resource:i,fetchFn:s});return{refresh_token:o,...u}}n(Dc,"refreshAuthorization");async function Hc(e,t,{metadata:r,resource:o,authorizationCode:i,fetchFn:a}={}){let s=e.clientMetadata.scope,c;if(e.prepareTokenRequest&&(c=await e.prepareTokenRequest(s)),!c){if(!i)throw new Error("Either provider.prepareTokenRequest() or authorizationCode is required");if(!e.redirectUrl)throw new Error("redirectUrl is required for authorization_code flow");let p=await e.codeVerifier();c=qc(i,p,e.redirectUrl)}let u=await e.clientInformation();return qo(t,{metadata:r,tokenRequestParams:c,clientInformation:u??void 0,addClientAuthentication:e.addClientAuthentication,resource:o,fetchFn:a})}n(Hc,"fetchToken");async function zc(e,{metadata:t,clientMetadata:r,scope:o,fetchFn:i}){let a;if(t){if(!t.registration_endpoint)throw new Error("Incompatible auth server: does not support dynamic client registration");a=new URL(t.registration_endpoint)}else a=new URL("/register",e);let s=await(i??fetch)(a,{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify({...r,...o!==void 0?{scope:o}:{}})});if(!s.ok)throw await To(s);return Qe.parse(await s.json())}n(zc,"registerClient");var Pr="zuplo.com",Lc=new 
Set(["co.jp","co.kr","co.nz","co.uk","com.au","com.br","com.cn","com.mx","com.sg","co.in"]),Bc=[".example.test",".example.com",".example.org",".invalid",".localhost",".test"];function Do(e){return`https://www.google.com/s2/favicons?domain=${e}&sz=128`}n(Do,"s2FaviconHref");function jc(e){return`https://t0.gstatic.com/faviconV2?client=SOCIAL&type=FAVICON&drop_404_icon=true&fallback_opts=TYPE,SIZE,URL&url=http://${e}&size=128`}n(jc,"strictFaviconHref");var Lt=Do(Pr);function Tr(e){let t=e.toLowerCase();return t===Pr||t==="zuplo.app"||t==="zuplo.dev"||t.endsWith(".zuplo.app")||t.endsWith(".zuplo.dev")?Do(Pr):jc(e)}n(Tr,"resolveIconHref");function Nc(e){try{return new URL(`http://${e}`).hostname}catch{return e}}n(Nc,"hostnameFromHost");function Gc(e){return e==="localhost"||e.includes(":")||/^\d{1,3}(?:\.\d{1,3}){3}$/.test(e)}n(Gc,"isLocalOrAddressHost");function $c(e){let t=Nc(e).toLowerCase().replace(/\.$/,"");if(Gc(t)||Bc.some(a=>t===a.slice(1)||t.endsWith(a)))return t;let r=t.split(".").filter(Boolean);if(r.length<=2)return t;let o=r.slice(-2).join("."),i=Lc.has(o)?3:2;return r.slice(-i).join(".")}n($c,"inferFaviconDomain");function Er(e){return{src:Tr($c(e)),mimeType:"image/png",sizes:["128x128"]}}n(Er,"resolveMcpFaviconIcon");function Bt(e){try{return Er(new URL(e).host)}catch{return}}n(Bt,"resolveMcpFaviconIconFromUrl");function Me(e){let t=J().connectionsById.get(e);if(!t)throw new q(`Unknown upstream server "${e}". 
Check the route's MCP upstream policy and ensure policies.json declares a matching upstream connection.`);return{displayName:t.displayName,...t.description===void 0?{}:{description:t.description},...t.serverInfo===void 0?{}:{serverInfo:t.serverInfo},transport:{baseUrl:t.mcpUrl,resourceMetadataUrl:t.protectedResourceMetadataUrl}}}n(Me,"getUpstreamServerConfig");function Fc(e){let t=J().connectionsById.get(e.upstreamServerId);if(!t||t.authProfileId!==e.authProfileId)throw new q(`Unknown auth profile "${String(e.authProfileId)}" for upstream server "${e.upstreamServerId}". Check the route's MCP upstream policy and ensure policies.json declares a matching auth mode for that upstream connection.`);return t.authProfileId}n(Fc,"resolveUpstreamAuthProfileId");function Or(e){Fc(e);let t=J().connectionsById.get(e.upstreamServerId);if(!t)throw new q(`Auth profile could not be resolved for upstream server "${e.upstreamServerId}". Check the route's MCP upstream policy and ensure policies.json declares the upstream connection before this handler runs.`);return t.authConfig}n(Or,"getUpstreamAuthConfig");function qe(e,t){return Or({upstreamServerId:e,authProfileId:t})}n(qe,"requireUpstreamOAuthConfig");function W(e){return new h({message:e,extensionMembers:{[g]:"invalid_request"}})}n(W,"invalidOutboundUrl");function Zc(){let e=sr.__TEST_ONLY_MCP_GATEWAY_ALLOW_HTTP_LOOPBACK_IDP??globalThis.process?.env?.__TEST_ONLY_MCP_GATEWAY_ALLOW_HTTP_LOOPBACK_IDP;return typeof e=="string"&&e==="1"}n(Zc,"isTestOnlyAllowHttpLoopbackIdpEnabled");function Kc(){let e=sr.__TEST_ONLY_MCP_GATEWAY_ALLOW_HTTP_LOOPBACK_CIMD??globalThis.process?.env?.__TEST_ONLY_MCP_GATEWAY_ALLOW_HTTP_LOOPBACK_CIMD;return typeof e=="string"&&e==="1"}n(Kc,"isTestOnlyAllowHttpLoopbackCimdEnabled");var Jc=new Set(["undefined","null","nan"]);function qr(e,t){if(!e.hostname)throw W(`Outbound URL has an empty hostname (got ${JSON.stringify(t)}). This typically indicates an unset $env(...) 
reference or a JS template literal coercing \`undefined\` into a URL. Check the policy options or runtime config that produced this URL.`);if(Jc.has(e.hostname.toLowerCase()))throw W(`Outbound URL hostname is ${JSON.stringify(e.hostname)} (from ${JSON.stringify(t)}). This almost always means an environment variable referenced by $env(...) is unset and a JS value was string-coerced into a URL. Set the missing env var or fix the policy option that produced this URL.`)}n(qr,"assertSafeOutboundHostname");var Wc=new Set(["localhost","169.254.169.254","metadata.google.internal","metadata"]),Vc=[{first:0},{first:10},{first:127},{first:169,secondMin:254,secondMax:254},{first:172,secondMin:16,secondMax:31},{first:192,secondMin:168,secondMax:168},{first:100,secondMin:64,secondMax:127},{first:224,firstMax:239},{first:240,firstMax:255}];function Ho(e){if(!/^\d+\.\d+\.\d+\.\d+$/.test(e))return;let t=e.split(".").map(r=>Number(r));if(!(t.length!==4||t.some(r=>Number.isNaN(r)||r<0||r>255)))return t}n(Ho,"parseIpv4Octets");function Yc([e,t],r){let o=r.firstMax??r.first;return e<r.first||e>o?!1:r.secondMin===void 0||r.secondMax===void 0?!0:t>=r.secondMin&&t<=r.secondMax}n(Yc,"ipv4RangeMatches");function zo(e){let t=Ho(e);return t!==void 0&&Vc.some(r=>Yc(t,r))}n(zo,"isPrivateIpv4");function Mr(e){if(!e||e.length>4)return;let t=Number.parseInt(e,16);return Number.isNaN(t)||t<0||t>65535?void 0:t}n(Mr,"parseIpv6Word");function Xc(e,t){return[e>>8&255,e&255,t>>8&255,t&255].join(".")}n(Xc,"formatIpv4FromWords");function Qc(e){let t=e.slice(7),r=Ho(t);if(r!==void 0)return r.join(".");let[o,i,a]=t.split(":"),s=Mr(o),c=Mr(i);return a===void 0&&s!==void 0&&c!==void 0?Xc(s,c):void 0}n(Qc,"parseIpv6MappedIpv4");function ed(e){return Mr(e.split(":").find(Boolean))}n(ed,"readFirstIpv6Hextet");function td(e){let t=we(e);if(!t.includes(":"))return!1;if(t==="::"||t==="::1")return!0;if(t.startsWith("::ffff:")){let o=Qc(t);return o===void 0||zo(o)}let r=ed(t);return r===void 
0?!1:(r&65024)===64512||(r&65472)===65152}n(td,"isPrivateIpv6");function Dr(e){let t=we(e);return Wc.has(t)||t.endsWith(".internal")||zo(t)||td(t)}n(Dr,"isBlockedOutboundHostname");function jt(e){let t=new URL(e);if(t.protocol!=="https:"&&t.protocol!=="http:")throw W(`Unsupported outbound protocol: ${t.protocol}`);qr(t,e);let r=T(t);if(t.protocol==="http:"&&!r)throw W("Configured outbound HTTP URLs must target loopback hosts.");let o=we(t.hostname);if(!r&&Dr(o))throw W(`Blocked outbound host: ${o}`);return t}n(jt,"validateConfiguredOutboundUrl");function Lo(e){let t=new URL(e),r=T(t),o=r&&Zc();if(t.protocol!=="https:"&&!o)throw W("Identity provider URLs must use https.");if(t.username||t.password||t.search||t.hash)throw W("Identity provider URLs must not include credentials, query params, or fragments.");qr(t,e);let i=we(t.hostname);if(!r&&Dr(i))throw W(`Blocked identity provider host: ${i}`);return t}n(Lo,"validateIdentityProviderUrl");function Bo(e,t){let r=new URL(e),o=r.protocol==="http:"&&T(r)&&Kc();if(r.protocol!=="https:"&&!o||r.pathname==="/"||r.username||r.password||r.hash)throw W(`CIMD ${t} must be an HTTPS URL with a path and no credentials or fragment.`);if(qr(r,e),!o&&Dr(r.hostname))throw W(`CIMD ${t} points at a blocked host.`);return r}n(Bo,"validateCimdUrl");function Nt(e){return Bo(e,"client_id")}n(Nt,"validateCimdClientMetadataUrl");function Se(e){return Bo(e,"jwks_uri")}n(Se,"validateCimdClientJwksUrl");function jo(e,t){if(!t)return;if(t.aborted){e.abort(t.reason);return}let r=n(()=>e.abort(t.reason),"abort");return t.addEventListener("abort",r,{once:!0}),()=>t.removeEventListener("abort",r)}n(jo,"mergeAbortSignals");async function rd(e){try{await e.cancel()}catch{}}n(rd,"cancelReader");async function Gt(e,t){if(!e)return new Uint8Array;let r=e.getReader(),o=[],i=0,a=await r.read();for(;!a.done;){let u=a.value;if(i+=u.byteLength,i>t.maxBytes)throw await rd(r),t.createLimitError();o.push(u),a=await r.read()}let s=new Uint8Array(i),c=0;for(let u of 
o)s.set(u,c),c+=u.byteLength;return s}n(Gt,"readBoundedByteStream");var nd=2,od=1024*1024,id=1e4,ad=new Set([301,302,303,307,308]),sd=["authorization","proxy-authorization","cookie","cookie2"];function Hr(e){return typeof e=="string"?e:e instanceof URL?e.toString():e.url}n(Hr,"readRequestUrl");function De(e,t){return t?.method!==void 0?t.method.toUpperCase():e instanceof Request?e.method.toUpperCase():"GET"}n(De,"readRequestMethod");function cd(e,t,r){let o=e.headers.get("content-length");if(!o)return;let i=Number.parseInt(o,10);if(Number.isFinite(i)&&i>t)throw new h({message:"Outbound response exceeded the maximum allowed size.",extensionMembers:{[g]:r}})}n(cd,"assertContentLengthWithinLimit");async function dd(e,t,r){return cd(e,t,r),Gt(e.body,{maxBytes:t,createLimitError:n(()=>new h({message:"Outbound response exceeded the maximum allowed size.",extensionMembers:{[g]:r}}),"createLimitError")})}n(dd,"readBoundedResponseBody");function ud(e,t){let r=new ArrayBuffer(t.byteLength);return new Uint8Array(r).set(t),new Response(r,{status:e.status,statusText:e.statusText,headers:e.headers})}n(ud,"responseFromBufferedBody");function ld(e,t){if(!ad.has(e.status))return;let r=e.headers.get("location");if(r)return new URL(r,t).toString()}n(ld,"resolveRedirectUrl");function No(e,t){try{return t.validateUrl(e)}catch(r){throw new h({message:"Outbound URL was not allowed.",extensionMembers:{[g]:t.problemCode}},{cause:r})}}n(No,"validateOutboundUrl");function pd(e,t){throw e instanceof h&&St(e.extensionMembers?.[g])?e:new h({message:"Outbound fetch failed.",extensionMembers:{[g]:t}},{cause:e})}n(pd,"normalizeFetchError");function pt(e,t){if(e===void 0)return;let r={event:t.event,code:t.problemCode,method:t.method};if(t.host!==void 0&&(r.host=t.host),t.extra!==void 0)for(let[o,i]of Object.entries(t.extra))i!==void 0&&(r[o]=i);t.error!==void 0&&B(r,"error",t.error),e.log.warn(r,"Outbound HTTP exchange rejected")}n(pt,"logOutboundFailure");async function md(e,t,r,o,i,a,s){let 
c=De(r,o);try{return await t(r,o)}catch(u){let p=u instanceof DOMException&&u.name==="AbortError";pt(e,{event:p?"outbound_fetch_aborted":"outbound_fetch_failed",problemCode:i,method:c,host:Z(a),error:u,extra:{abortReason:s()}}),pd(u,i)}}n(md,"fetchWithNormalizedError");function fd(e){if(e.redirects>=e.maxRedirects)throw new h({message:"Outbound redirects exceeded the maximum allowed depth.",extensionMembers:{[g]:e.problemCode}});if(e.method!=="GET"&&e.method!=="HEAD")throw new h({message:"Outbound redirect after a non-idempotent request was blocked.",extensionMembers:{[g]:e.problemCode}})}n(fd,"assertRedirectAllowed");function hd(e,t){let r=new Headers(e);for(let o of sd)r.delete(o);for(let o of t)r.delete(o);return r}n(hd,"stripCrossOriginHeaders");function gd(e,t,r,o,i){let a={...e,method:t,redirect:"manual",signal:r};return o&&(a.headers=hd(e.headers,i)),a}n(gd,"buildRedirectInit");function yd(e,t,r){let o={...t,redirect:"manual",signal:r};return o.headers===void 0&&e instanceof Request&&(o.headers=e.headers),o}n(yd,"buildInitialRequestInit");function wd(e){let t=De(e.currentInput,e.currentInit);fd({redirects:e.redirects,maxRedirects:e.maxRedirects,method:t,problemCode:e.problemCode});let r=No(e.redirectUrl,{problemCode:e.problemCode,validateUrl:e.validateUrl}),o=new URL(e.currentUrl),i=r.origin!==o.origin,a=r.toString();return{currentInput:a,currentUrl:a,currentInit:gd(e.currentInit,t,e.signal,i,e.additionalCrossOriginStrippedHeaders),redirects:e.redirects+1}}n(wd,"followRedirect");async function zr(e,t,r){let o=r.problemCode??"invalid_request",i=r.maxRedirects??nd,a=r.maxResponseBytes??od,s=r.timeoutMs??id,c=r.fetchImpl??fetch,u=r.additionalCrossOriginStrippedHeaders??[],p=r.context,f=new AbortController,_=jo(f,t.signal),S=!1,I=setTimeout(()=>{S=!0,f.abort()},s),G=e,K=yd(e,t,f.signal),Q;try{Q=No(Hr(e),{problemCode:o,validateUrl:r.validateUrl}).toString()}catch(ee){throw 
pt(p,{event:"outbound_url_blocked",problemCode:o,method:De(e,t),host:Z(Hr(e)),error:ee}),clearTimeout(I),_?.(),ee}let Je=0;try{for(;;){let ee=await md(p,c,G,K,o,Q,()=>S?`timeout_after_${s}ms`:void 0),P=ld(ee,Q);if(P!==void 0)try{let O=wd({currentInput:G,currentInit:K,currentUrl:Q,redirectUrl:P,redirects:Je,maxRedirects:i,problemCode:o,validateUrl:r.validateUrl,signal:f.signal,additionalCrossOriginStrippedHeaders:u});G=O.currentInput,K=O.currentInit,Q=O.currentUrl,Je=O.redirects;continue}catch(O){throw pt(p,{event:"outbound_redirect_blocked",problemCode:o,method:De(G,K),host:Z(Q),error:O,extra:{redirects:Je,maxRedirects:i,redirectTargetHost:Z(P)}}),O}try{return ud(ee,await dd(ee,a,o))}catch(O){throw pt(p,{event:"outbound_response_size_exceeded",problemCode:o,method:De(G,K),host:Z(Q),error:O,extra:{maxResponseBytes:a,status:ee.status}}),O}}}finally{clearTimeout(I),_?.()}}n(zr,"runSafeOutboundExchange");async function $t(e,t,r){let o=await zr(e,t,r);try{return{response:o,json:await o.clone().json()}}catch(i){throw pt(r.context,{event:"outbound_json_parse_failed",problemCode:r.problemCode??"invalid_request",method:De(e,t),host:Z(Hr(e)),error:i,extra:{status:o.status,contentType:o.headers.get("content-type")??void 0}}),new h({message:"Outbound JSON response could not be parsed.",extensionMembers:{[g]:r.problemCode??"invalid_request"}},{cause:i})}}n($t,"runSafeOutboundJsonExchange");function Go(e,t={},r={}){return zr(e,t,{...r,validateUrl:jt})}n(Go,"fetchConfiguredOutbound");function $o(e,t={},r={}){return $t(e,t,{...r,validateUrl:Lo})}n($o,"fetchIdentityProviderJson");function Fo(e,t={},r={}){return $t(e,t,{...r,validateUrl:Nt})}n(Fo,"fetchCimdClientMetadataJson");function Zo(e,t={},r={}){return $t(e,t,{...r,validateUrl:Se})}n(Zo,"fetchCimdClientJwksJson");$();import{errors as Qo,jwtVerify as ei,SignJWT as ti}from"jose";var L="zuplo-mcp-gateway",j=L,N="HS256";import{base64url as _d}from"jose";var Rd=new TextEncoder,bd="MCP gateway could not initialize secure key 
material.",Cd=32,Ko=new Map,Jo=new Map,vd;function Sd(){return vd??Sn.instance.authPrivateKey}n(Sd,"readAuthPrivateKey");function Wo(e){return new de(bd,e===void 0?void 0:{cause:e})}n(Wo,"createGeneratedKeyMaterialError");function Vo(e,t){let r=_d.decode(t);if(r.byteLength!==Cd)throw new Error(`Generated deployment auth key ${e} is invalid.`);return r}n(Vo,"decodeJwkKeyField");function Id(e){let t=Sd();if(!t)throw Wo();try{let r=JSON.parse(t);if(r.kty!=="OKP"||r.crv!=="Ed25519"||typeof r.d!="string"||typeof r.x!="string")throw new Error("Generated deployment auth key is not an Ed25519 JWK.");let o=Vo("d",r.d);Vo("x",r.x);let i=Rd.encode(`zuplo-mcp-gateway:${e}:Ed25519:`),a=new Uint8Array(i.byteLength+o.byteLength);return a.set(i),a.set(o,i.byteLength),a}catch(r){throw Wo(r)}}n(Id,"decodeGeneratedKeyMaterial");function xd(e){let t=Ko.get(e);return t||(t=Id(e),Ko.set(e,t)),t}n(xd,"getMasterKeyMaterial");async function V(e){let t=Jo.get(e.purpose);if(t!==void 0)return t;let r=await e.derive(xd(e.keyMaterialPurpose));return Jo.set(e.purpose,r),r}n(V,"readCachedDerivedKey");var Ad="SHA-256";var Ud="zuplo-mcp-gateway:",kd=new TextEncoder,Yo=new WeakMap;async function me(e,t){let r=Yo.get(e);r||(r=new Map,Yo.set(e,r));let o=r.get(t);if(o)return o;let i=await Pd(e,t);return r.set(t,i),i}n(me,"deriveGatewaySigningKey");async function Pd(e,t){let r=Xo(e),o=await crypto.subtle.importKey("raw",r,{name:"HKDF"},!1,["deriveBits"]),i=kd.encode(`${Ud}${t}`),a=await crypto.subtle.deriveBits({name:"HKDF",hash:Ad,salt:new Uint8Array,info:Xo(i)},o,32*8);return new Uint8Array(a)}n(Pd,"hkdfExpand");function Xo(e){let t=new ArrayBuffer(e.byteLength);return new Uint8Array(t).set(e),t}n(Xo,"copyToArrayBuffer");var 
ri=15*60,Td=15*60,Ed=Jn.extend({id:po}),Od=Ed.extend({exp:d.number().int().positive(),iat:d.number().int().positive().optional()}),ni=ur.extend({id:mo,purpose:d.literal("browser_connect")}),Md=ur.extend({purpose:d.literal("browser_connect")}),qd=ni.extend({exp:d.number().int().positive(),iat:d.number().int().positive().optional()}),oi=ri*1e3;async function ii(){return V({purpose:"oauth-state",keyMaterialPurpose:"oauth-state-signing",derive:n(e=>me(e,"oauth-state"),"derive")})}n(ii,"getOAuthStateKey");async function ai(){return V({purpose:"browser-connect",keyMaterialPurpose:"oauth-state-signing",derive:n(e=>me(e,"browser-connect"),"derive")})}n(ai,"getBrowserConnectKey");async function si(e){let t=Math.floor(Date.now()/1e3)+ri;return new ti(e).setProtectedHeader({alg:N,typ:"JWT"}).setIssuer(L).setAudience(j).setIssuedAt().setExpirationTime(t).sign(await ii())}n(si,"signOAuthState");async function Ft(e){try{let{payload:t}=await ei(e,await ii(),{algorithms:[N],issuer:L,audience:j});return Od.parse(t)}catch(t){throw t instanceof Qo.JWTExpired?new h({message:"OAuth state has expired",extensionMembers:{[g]:"oauth_state_expired"}},{cause:t}):new h({message:"OAuth state could not be verified",extensionMembers:{[g]:"oauth_state_invalid"}},{cause:t})}}n(Ft,"verifyOAuthState");async function ci(e){let t=Math.floor(Date.now()/1e3)+Td,r=Md.parse(e),o=ni.parse({...r,id:yo()});return new ti(o).setProtectedHeader({alg:N,typ:"JWT"}).setIssuer(L).setAudience(j).setIssuedAt().setExpirationTime(t).sign(await ai())}n(ci,"signBrowserConnectTicket");async function di(e){try{let{payload:t}=await ei(e,await ai(),{algorithms:[N],issuer:L,audience:j});return qd.parse(t)}catch(t){throw t instanceof Qo.JWTExpired?new h({message:"Browser connect ticket has expired",extensionMembers:{[g]:"oauth_state_expired"}},{cause:t}):new h({message:"Browser connect ticket could not be verified",extensionMembers:{[g]:"oauth_state_invalid"}},{cause:t})}}n(di,"verifyBrowserConnectTicket");async function 
ui(e){if((await b().consumeBrowserConnectTicket({id:e.id,expiresAt:R(new Date(e.exp*1e3)),now:R(new Date)})).kind==="consumed")throw new h({message:"Browser connect ticket has already been used",extensionMembers:{[g]:"oauth_state_reused"}})}n(ui,"consumeBrowserConnectTicket");function Dd(e,t,r=!1){return r?`${e} authorization must be renewed before this ${t} can be used.`:`${e} authorization is required before this ${t} can be used.`}n(Dd,"buildConnectRequiredMessage");async function Hd(e){let t=k(e.requestUrl,e.requestHeaders),r=new URL(e.path,t);return e.redirect&&r.searchParams.set("redirect","true"),r.searchParams.set("operationId",e.operationId),r.searchParams.set("browserTicket",await ci({...Ye(e),purpose:"browser_connect"})),r.toString()}n(Hd,"buildGatewayBrowserTicketUrl");function zd(e){return M().actionPath(`/auth/connections/${encodeURIComponent(e)}/connect`)}n(zd,"buildGatewayConnectPath");async function Lr(e){return Hd({...e,path:zd(e.upstreamServerId),redirect:!0})}n(Lr,"buildGatewayConnectUrl");async function Zt(e){let t={requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders},owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,operationId:e.operationId,...e.returnTo===void 0?{}:{returnTo:e.returnTo}};return{state:e.requiresReconsent?"reconsent_required":"authenticating",upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,operationId:e.operationId,...e.connectionId?{connectionId:e.connectionId}:{},authUrl:await Lr(t),message:Dd(e.upstreamDisplayName,e.subject,e.requiresReconsent),nextAction:"redirect"}}n(Zt,"buildRedirectConnectRequiredResponse");function li(e){return Ld({...e,message:e.requiresReconsent?`An administrator must reconnect ${e.upstreamDisplayName} before this tool can be used.`:`An administrator must connect ${e.upstreamDisplayName} before this tool can be used.`})}n(li,"buildAdminConnectRequiredResponse");function 
Ld(e){return{state:"admin_connect_required",upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,operationId:e.operationId,...e.connectionId?{connectionId:e.connectionId}:{},message:e.message,nextAction:"admin_setup_required"}}n(Ld,"buildAdminSetupRequiredResponse");$();var pi=new Set(["client_id","code_challenge","code_challenge_method","display","login_hint","nonce","prompt","redirect_uri","response_mode","response_type","state"]);function Bd(e,t){return e&&e.length>0?e.join(t):void 0}n(Bd,"joinOAuthScopes");function jd(e){if(e?.authorization_endpoint===void 0)return e;let t=new URL(e.authorization_endpoint);for(let r of pi)t.searchParams.delete(r);return{...e,authorization_endpoint:t.toString()}}n(jd,"sanitizeAuthorizationServerMetadata");function Br(e){let t=jd(e.authorizationServerMetadata);return t===e.authorizationServerMetadata?e:{...e,authorizationServerMetadata:t}}n(Br,"sanitizeOAuthDiscoveryState");function mi(e){let t=new URL(e);for(let r of pi){let o=t.searchParams.getAll(r);o.length<=1||(t.searchParams.delete(r),t.searchParams.set(r,o.at(-1)??""))}return t}n(mi,"normalizeDuplicateSingletonAuthorizationRequestParams");function Kt(e){let t=new URL(e);return T(t)&&we(t.hostname)!=="localhost"&&(t.hostname="localhost"),t}n(Kt,"normalizeLoopbackOAuthRedirectUri");function fi(e){return Bd(e.state?.resourceMetadata?.scopes_supported,e.delimiter)}n(fi,"readProtectedResourceMetadataScope");function Nd(e){return`Zuplo MCP Gateway - ${e}`}n(Nd,"buildGatewayOAuthClientName");function Gd(e,t){return e&&e.length>0?e.join(t):void 0}n(Gd,"joinOAuthScopeList");function jr(e){return new URL(M().actionPath(`/.well-known/oauth-client/${encodeURIComponent(e.upstreamServerId)}`),e.origin).toString()}n(jr,"buildOAuthClientMetadataDocumentUrl");function Nr(e){let t=Me(e.upstreamServerId);return{client_name:Nd(t.displayName),client_uri:new 
URL("/",e.origin).toString(),redirect_uris:[e.redirectUri],grant_types:["authorization_code","refresh_token"],response_types:["code"],application_type:"web",...e.scope===void 0?{}:{scope:e.scope},token_endpoint_auth_method:"none"}}n(Nr,"buildGatewayOAuthClientMetadata");function hi(e,t,r){let o=qe(t,r),i=Gd(o.scopes,o.scopeDelimiter);return{client_id:jr({origin:e,upstreamServerId:t}),...Nr({origin:e,upstreamServerId:t,redirectUri:Kt(new URL(o.redirectPath,e)).toString(),scope:i})}}n(hi,"buildOAuthClientMetadataDocument");$();import{base64url as fe}from"jose";var $d="SHA-256",ze="AES-GCM",Fd=12,$r="zuplo-secret",Fr=1,gi="generated:auth_private_key:token-encryption",Zd=d.object({version:d.literal(Fr),keyId:d.literal(gi),algorithm:d.literal(ze),iv:d.string().min(1),ciphertext:d.string().min(1)}).strict();function He(e){let t=new ArrayBuffer(e.byteLength);return new Uint8Array(t).set(e),t}n(He,"copyToArrayBuffer");async function Gr(){return V({purpose:"token-encryption",keyMaterialPurpose:"token-encryption",derive:n(async e=>{let t=await crypto.subtle.digest($d,He(e));return crypto.subtle.importKey("raw",t,{name:ze},!1,["encrypt","decrypt"])},"derive")})}n(Gr,"getEncryptionKey");function yi(e){return He(new TextEncoder().encode(`${$r}:v${e.version}:${e.keyId}`))}n(yi,"getAssociatedData");function Kd(e){return`${$r}:v${e.version}:${fe.encode(new TextEncoder().encode(JSON.stringify(e)))}`}n(Kd,"encodeEnvelope");function Jd(e){let t=`${$r}:v${Fr}:`;if(!e.startsWith(t))return;let r=e.slice(t.length),o=new TextDecoder().decode(fe.decode(r));return Zd.parse(JSON.parse(o))}n(Jd,"decodeEnvelope");async function Jt(e){let t=await Gr(),r=crypto.getRandomValues(new Uint8Array(Fd)),o={version:Fr,keyId:gi},i=await crypto.subtle.encrypt({name:ze,iv:r,additionalData:yi(o)},t,new TextEncoder().encode(e));return Kd({...o,algorithm:ze,iv:fe.encode(r),ciphertext:fe.encode(new Uint8Array(i))})}n(Jt,"encryptSecret");async function mt(e){let t=Jd(e);if(t){let s=await Gr(),c=await 
crypto.subtle.decrypt({name:ze,iv:He(fe.decode(t.iv)),additionalData:yi(t)},s,He(fe.decode(t.ciphertext)));return new TextDecoder().decode(c)}let[r,o]=e.split(".");if(!r||!o)throw new de("Encrypted payload is malformed");let i=await Gr(),a=await crypto.subtle.decrypt({name:ze,iv:He(fe.decode(r))},i,He(fe.decode(o)));return new TextDecoder().decode(a)}n(mt,"decryptSecret");var Wd=d.union([Qe,zt]),wi=d.object({authorizationServerUrl:d.url(),resourceMetadataUrl:d.url().optional(),resourceMetadata:Dt.optional(),authorizationServerMetadata:d.union([Xe,Ht]).optional()}).passthrough(),Vd="Bearer",Yd="__zuplo_refresh_only_upstream_access_token__";function Xd(e){return e?e.split(/[,\s]+/).filter(Boolean):[]}n(Xd,"splitScopes");function Qd(e){return Et.parse(e)}n(Qd,"parsePkceCodeVerifier");function eu(e){if(typeof e.expires_in=="number")return R(new Date(Date.now()+e.expires_in*1e3))}n(eu,"readTokenExpiry");async function _i(e){if(e!==void 0)return Jt(JSON.stringify(e))}n(_i,"encryptJson");async function Ri(e,t){if(!e)return;let r=await mt(e);try{return t.parse(JSON.parse(r))}catch(o){throw new h({message:"Stored upstream OAuth JSON state is invalid.",extensionMembers:{[g]:"oauth_state_invalid"}},{cause:o})}}n(Ri,"decryptJson");function tu(e){if(e===void 0)return;e=Br(e);let t={authorizationServerUrl:e.authorizationServerUrl};return e.resourceMetadataUrl!==void 0&&(t.resourceMetadataUrl=e.resourceMetadataUrl),e.resourceMetadata!==void 0&&(t.resourceMetadata=e.resourceMetadata),e.authorizationServerMetadata!==void 0&&(t.authorizationServerMetadata=e.authorizationServerMetadata),t}n(tu,"toOAuthDiscoveryState");function ru(e,t){return"redirect_uris"in e?e.redirect_uris.includes(t):!0}n(ru,"clientInformationAllowsRedirectUri");function nu(e){return e.clientMetadataUrl===void 0?"redirect_uris"in e.clientInformation:"redirect_uris"in e.clientInformation||e.clientInformation.client_id===e.clientMetadataUrl}n(nu,"clientInformationMatchesCurrentClientMetadataUrl");function 
ou(e){return e.clientMetadataUrl!==void 0&&!("redirect_uris"in e.clientInformation)&&e.clientInformation.client_id===e.clientMetadataUrl}n(ou,"isUrlBasedClientInformation");function iu(e,t){return t===void 0?e:{...e,scope:t}}n(iu,"applyOAuthClientMetadataScope");function bi(e,t){return fi({state:e,delimiter:t})}n(bi,"readResourceMetadataScope");function au(e,t){return e&&e.length>0?e.join(t):void 0}n(au,"joinOAuthScopeList");function su(e){let t;if(e.registration.tokenEndpointAuthMethod!=="none"&&(t=e.registration.clientSecret,!t))throw new q(`Manual OAuth registration for upstream "${e.upstreamServerId}" requires clientSecret. Set the env var that backs the client secret or use tokenEndpointAuthMethod "none".`);return Qe.parse({...e.clientMetadata,client_id:e.registration.clientId,token_endpoint_auth_method:e.registration.tokenEndpointAuthMethod,...t===void 0?{}:{client_secret:t}})}n(su,"buildManualOAuthClientInformation");function cu(e,t){let r=jr({origin:new URL(t).origin,upstreamServerId:e});return Ur(r)?r:void 0}n(cu,"buildClientMetadataUrl");function Ci(e){for(let t of e)if(t!==void 0)return t}n(Ci,"firstDefined");function du(e){let t=qe(e.target.upstreamServerId,e.target.authProfileId),r=au(t.scopes,t.scopeDelimiter),o=Nr({origin:new URL(e.redirectUri).origin,upstreamServerId:e.target.upstreamServerId,redirectUri:e.redirectUri,scope:r});if(t.clientRegistration.mode==="manual")return{clientMetadata:o,configuredScope:r,scopeDelimiter:t.scopeDelimiter,configuredClientInformation:su({clientMetadata:o,registration:t.clientRegistration,upstreamServerId:e.target.upstreamServerId})};let i=cu(e.target.upstreamServerId,e.redirectUri);return i===void 0?{clientMetadata:o,configuredScope:r,scopeDelimiter:t.scopeDelimiter}:{clientMetadata:o,configuredScope:r,scopeDelimiter:t.scopeDelimiter,clientMetadataUrl:i}}n(du,"buildInitialOAuthClientSetup");function uu(e,t){if(t===void 0)return 
Ci([e.pendingState?.encryptedClientInformation,e.connectionMetadata?.encryptedClientInformation,e.connection?.metadata?.encryptedClientInformation])}n(uu,"readEncryptedClientInformation");function lu(e){return Ci([e.pendingState?.encryptedDiscoveryState,e.connectionMetadata?.encryptedDiscoveryState,e.connection?.metadata?.encryptedDiscoveryState])}n(lu,"readEncryptedDiscoveryState");var Ie=class{static{n(this,"UpstreamOAuthProvider")}clientMetadataUrl;target;redirectUriValue;returnOrigin;clientMetadataValue;configuredScope;scopeDelimiter;configuredClientInformation;challengeScope;inferredScope;authorizationUrlValue;connection;pendingState;encryptedClientInformation;encryptedDiscoveryState;cachedClientInformation;clientInformationLoaded=!1;cachedDiscoveryState;discoveryStateLoaded=!1;cachedTokens;tokensLoaded=!1;constructor(t){let r=du({target:t.target,redirectUri:t.redirectUri});this.target=t.target,this.redirectUriValue=t.redirectUri,this.returnOrigin=t.returnOrigin,this.clientMetadataValue=r.clientMetadata,this.configuredScope=r.configuredScope,this.scopeDelimiter=r.scopeDelimiter,this.configuredClientInformation=r.configuredClientInformation,r.clientMetadataUrl!==void 0&&(this.clientMetadataUrl=r.clientMetadataUrl),this.connection=t.connection,this.pendingState=t.pendingState?{...t.pendingState}:void 0,this.encryptedClientInformation=uu(t,this.configuredClientInformation),this.encryptedDiscoveryState=lu(t)}get authorizationUrl(){return this.authorizationUrlValue}get redirectUrl(){return this.redirectUriValue}get clientMetadata(){return iu(this.clientMetadataValue,this.readEffectiveScope())}async state(){let t=await this.createPendingState();return si({id:t.id,...Ye({owner:this.target.owner,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,operationId:t.operationId})})}async clientInformation(){return 
this.configuredClientInformation?this.configuredClientInformation:this.loadPersistedClientInformation()}async saveClientInformation(t){this.configuredClientInformation||(this.cachedClientInformation=t,this.clientInformationLoaded=!0,!ou({clientInformation:t,clientMetadataUrl:this.clientMetadataUrl})&&(this.encryptedClientInformation=await _i(t),await this.syncPendingState(!1)))}async discoveryState(){return this.loadPersistedDiscoveryState()}applyChallengeScope(t){this.challengeScope=t}async saveDiscoveryState(t){let r=Br(wi.parse(t));this.cachedDiscoveryState=r,this.discoveryStateLoaded=!0,this.inferredScope=bi(r,this.scopeDelimiter),this.encryptedDiscoveryState=await _i(r),await this.syncPendingState(!1)}async tokens(){return this.loadStoredTokens()}async saveTokens(t){let r=Oe.parse(t),o=this.target.owner.mode==="user"?this.target.owner.subjectId:void 0,i=r.refresh_token?await Jt(r.refresh_token):this.connection?.encryptedRefreshToken;this.cachedTokens=r.refresh_token||!this.connection?.encryptedRefreshToken?r:Oe.parse({...r,refresh_token:await mt(this.connection.encryptedRefreshToken)}),this.tokensLoaded=!0;let a={id:this.connection?.id??ho(),ownerMode:this.target.owner.mode,subjectId:o,upstreamServerId:this.target.upstreamServerId,authProfileId:this.target.authProfileId,status:"active",encryptedAccessToken:await Jt(r.access_token),encryptedRefreshToken:i,scopes:Xd(r.scope??this.readEffectiveScope()),expiresAt:eu(r),metadata:this.readStoredOAuthPersistence(this.target.owner.mode==="shared"?this.target.initiatedBySubjectId:void 0)};this.connection=await b().upsertUpstreamConnection(a)}async redirectToAuthorization(t){let r=mi(t);this.authorizationUrlValue=r.toString()}async saveCodeVerifier(t){let r=await this.createPendingState();await this.persistPendingState({...r,codeVerifier:Qd(t)})}async codeVerifier(){if(!this.pendingState?.codeVerifier)throw new h({message:"OAuth code verifier is missing",extensionMembers:{[g]:"oauth_state_invalid"}});return 
this.pendingState.codeVerifier}async invalidateCredentials(t){let r=t==="all"||t==="client"||t==="tokens",o=t==="all"||t==="client",i=t==="all"||t==="discovery",a=t==="all"||t==="verifier";o&&(this.cachedClientInformation=void 0,this.clientInformationLoaded=!0,this.encryptedClientInformation=void 0),i&&(this.cachedDiscoveryState=void 0,this.discoveryStateLoaded=!0,this.encryptedDiscoveryState=void 0,this.challengeScope=void 0,this.inferredScope=void 0),r&&(this.cachedTokens=void 0,this.tokensLoaded=!0),await this.syncPendingState(a),await this.persistCredentialInvalidation(r)}async createPendingState(){if(this.pendingState)return this.pendingState;let t={id:go(),...Ye({owner:this.target.owner,initiatedBySubjectId:this.target.initiatedBySubjectId,upstreamServerId:this.target.upstreamServerId,authProfileId:this.target.authProfileId,operationId:this.target.operationId,...this.target.returnTo===void 0?{}:{returnTo:this.target.returnTo}}),callbackPath:new URL(this.redirectUriValue).pathname,expiresAt:R(new Date(Date.now()+oi)),redirectUri:this.redirectUriValue,...this.returnOrigin===void 0?{}:{returnOrigin:this.returnOrigin},encryptedClientInformation:this.encryptedClientInformation,encryptedDiscoveryState:this.encryptedDiscoveryState,connectedBySubjectId:this.target.owner.mode==="shared"?this.target.initiatedBySubjectId:void 0};return await this.persistPendingState(t),t}async persistPendingState(t){await b().saveUpstreamOAuthState({record:t}),this.pendingState=t}async syncPendingState(t){this.pendingState&&await this.persistPendingState({...this.pendingState,codeVerifier:t?void 0:this.pendingState.codeVerifier,encryptedClientInformation:this.encryptedClientInformation,encryptedDiscoveryState:this.encryptedDiscoveryState})}async loadPersistedClientInformation(){if(this.clientInformationLoaded)return this.cachedClientInformation;let t;try{t=await Ri(this.encryptedClientInformation,Wd)}catch{this.encryptedClientInformation=void 0,this.cachedClientInformation=void 
0,this.clientInformationLoaded=!0,await this.syncPendingState(!1),await this.persistCredentialInvalidation(!1);return}if(t&&(!ru(t,this.redirectUriValue)||!nu({clientInformation:t,clientMetadataUrl:this.clientMetadataUrl}))){this.encryptedClientInformation=void 0,this.cachedClientInformation=void 0,this.clientInformationLoaded=!0,await this.syncPendingState(!1),await this.persistCredentialInvalidation(!1);return}return t===void 0&&this.pendingState?.codeVerifier!==void 0&&this.clientMetadataUrl!==void 0&&(t=zt.parse({client_id:this.clientMetadataUrl})),this.cachedClientInformation=t,this.clientInformationLoaded=!0,this.cachedClientInformation}async loadPersistedDiscoveryState(){if(this.discoveryStateLoaded)return this.cachedDiscoveryState;try{this.cachedDiscoveryState=tu(await Ri(this.encryptedDiscoveryState,wi))}catch{this.encryptedDiscoveryState=void 0,this.cachedDiscoveryState=void 0,await this.syncPendingState(!1),await this.persistCredentialInvalidation(!1)}return this.discoveryStateLoaded=!0,this.inferredScope=bi(this.cachedDiscoveryState,this.scopeDelimiter),this.cachedDiscoveryState}readEffectiveScope(){return this.configuredScope??this.challengeScope??this.inferredScope}async loadStoredTokens(){if(this.tokensLoaded)return this.cachedTokens;if(this.tokensLoaded=!0,!this.connection||this.connection.status!=="active")return;let t=this.connection.encryptedAccessToken?await mt(this.connection.encryptedAccessToken):void 0,r=this.connection.encryptedRefreshToken?await mt(this.connection.encryptedRefreshToken):void 0;if(!t&&!r)return;let o=Oe.parse({access_token:t??Yd,token_type:Vd,refresh_token:r,scope:this.connection.scopes.length>0?this.connection.scopes.join(" "):void 0});return this.cachedTokens=o,o}async persistCredentialInvalidation(t){if(!this.connection)return;let 
r={id:this.connection.id,ownerMode:this.connection.ownerMode,subjectId:this.connection.subjectId,upstreamServerId:this.connection.upstreamServerId,authProfileId:this.connection.authProfileId,status:this.connection.status,encryptedAccessToken:this.connection.encryptedAccessToken,encryptedRefreshToken:this.connection.encryptedRefreshToken,scopes:[...this.connection.scopes],expiresAt:this.connection.expiresAt,metadata:this.connection.metadata?{...this.connection.metadata}:void 0};t&&(r.status="reconsent_required",r.encryptedAccessToken=void 0,r.encryptedRefreshToken=void 0,r.scopes=[],r.expiresAt=void 0),r.metadata=this.readStoredOAuthPersistence(this.connection.metadata?.connectedBySubjectId),this.connection=await b().upsertUpstreamConnection(r)}readStoredOAuthPersistence(t){if(!(!this.encryptedClientInformation&&!this.encryptedDiscoveryState&&!t))return{encryptedClientInformation:this.encryptedClientInformation,encryptedDiscoveryState:this.encryptedDiscoveryState,connectedBySubjectId:t}}};var pu=3e4,mu=256*1024,fu=2;function hu(e){return!e||e.status!=="active"||!e.encryptedAccessToken?!1:e.expiresAt?new Date(e.expiresAt).getTime()>Date.now():!0}n(hu,"hasUsableAccessToken");var gu="does not support dynamic client registration",yu=["Resource server does not implement OAuth 2.0 Protected Resource Metadata","trying to load well-known OAuth protected resource metadata"],wu=["HTTP 403 Forbidden","Access Denied","permission to access"];function _u(e){return e instanceof Error&&e.message.includes(gu)}n(_u,"isDynamicClientRegistrationUnsupported");function Ru(e){return e instanceof Error&&yu.some(t=>e.message.includes(t))}n(Ru,"isProtectedResourceMetadataUnavailable");function bu(e){return e instanceof Error&&wu.some(t=>e.message.includes(t))}n(bu,"isUpstreamProviderAccessDenied");function Cu(e){if(e.error instanceof h&&e.error.extensionMembers?.[g]!==void 0)return e.error;if(_u(e.error))return new h({message:`The authorization server for ${e.upstreamServerId} does not 
advertise Client ID Metadata Document support and does not support Dynamic Client Registration. Register an OAuth client for the gateway manually before retrying.`,extensionMembers:{[g]:"upstream_client_registration_required"}},{cause:e.error});if(Ru(e.error))return new h({message:`The upstream MCP server "${e.upstreamServerId}" does not publish OAuth protected resource metadata at "${e.resourceMetadataUrl}". Configure protectedResourceMetadataUrl to a working metadata document, use a provider-supported legacy client, or contact the provider to approve/allowlist this gateway OAuth client before retrying.`,extensionMembers:{[g]:"upstream_oauth_discovery_unavailable"}},{cause:e.error});if(bu(e.error))return new h({message:`The upstream provider denied access while connecting ${e.upstreamServerId}. Confirm the provider allows this gateway and its OAuth client, then retry.`,extensionMembers:{[g]:"upstream_provider_access_denied"}},{cause:e.error})}n(Cu,"mapUpstreamOAuthSetupError");function vu(e){return typeof e=="string"||e instanceof URL?{url:new URL(e.toString())}:{method:e.method,url:new URL(e.url)}}n(vu,"readOAuthFetchRequest");function Su(e,t){return(e.headers.get("content-type")??"").includes("json")||t.trimStart().startsWith("{")||t.trimStart().startsWith("[")}n(Su,"responseLooksJson");function Iu(e,t){let r=e.headers.get("content-type")??"",o=t.trimStart().toLowerCase();return r.includes("html")||o.startsWith("<!doctype html")||o.startsWith("<html")}n(Iu,"responseLooksHtml");function xu(e){let t=e.response.statusText?` ${e.response.statusText}`:"",r=e.response.headers.get("content-type")??"text/html";throw new h({message:`The upstream provider returned ${e.response.status}${t} (${r}) from ${e.request.url.toString()} while connecting 
${e.upstreamServerId}.`,extensionMembers:{[g]:e.response.status===403?"upstream_provider_access_denied":"upstream_token_exchange_failed",[Te]:e.response.status,[ke]:r,[Ee]:e.request.url.toString(),[Pe]:e.body}})}n(xu,"throwUpstreamHtmlError");function vi(e){return async(t,r)=>{let o=vu(t),i=await Go(t,r,{maxRedirects:fu,maxResponseBytes:mu,problemCode:"upstream_token_exchange_failed",timeoutMs:pu}),a=await i.clone().text();if(!i.ok&&Iu(i,a)&&xu({upstreamServerId:e,request:o,response:i,body:a}),!Su(i,a))return i;try{JSON.parse(a)}catch(s){throw new h({message:`Upstream OAuth fetch ${o.url.origin}${o.url.pathname} for ${e} returned invalid JSON.`,extensionMembers:{[g]:"upstream_token_exchange_failed"}},{cause:s})}return i}}n(vi,"createUpstreamOAuthFetch");async function Si(e,t){e.applyChallengeScope(t.requestedScope);try{let r={serverUrl:t.serverUrl,resourceMetadataUrl:new URL(t.resourceMetadataUrl),fetchFn:vi(t.upstreamServerId)};return t.requestedScope!==void 0&&(r.scope=t.requestedScope),await Ar(e,r)}catch(r){let o=Cu({upstreamServerId:t.upstreamServerId,resourceMetadataUrl:t.resourceMetadataUrl,error:r});throw o!==void 0?o:r}}n(Si,"runUpstreamOAuth");async function Au(e,t){e.applyChallengeScope(t.requestedScope);let r={serverUrl:t.serverUrl,authorizationCode:t.authorizationCode,resourceMetadataUrl:new URL(t.resourceMetadataUrl),fetchFn:vi(t.upstreamServerId)};return t.requestedScope!==void 0&&(r.scope=t.requestedScope),Ar(e,r)}n(Au,"exchangeUpstreamAuthorizationCode");async function Ii(e,t){let r=await Si(e,t);if(r==="REDIRECT"&&e.authorizationUrl)return e.authorizationUrl;throw r==="AUTHORIZED"?new h({message:`OAuth connect flow reused existing credentials instead of producing a redirect for ${t.upstreamServerId}`,extensionMembers:{[g]:"upstream_token_exchange_failed"}}):new h({message:`Unexpected OAuth result for ${t.upstreamServerId}: ${r}`,extensionMembers:{[g]:"upstream_token_exchange_failed"}})}n(Ii,"requireUpstreamAuthorizationRedirect");async function 
xi(e){if(!e.forceRefresh&&hu(e.connection))return{kind:"authorized",credential:{type:"mcp_oauth_provider",provider:e.provider}};let t=await Si(e.provider,{upstreamServerId:e.target.upstreamServerId,serverUrl:e.serverUrl,resourceMetadataUrl:e.resourceMetadataUrl,...e.requestedScope===void 0?{}:{requestedScope:e.requestedScope}});if(t==="AUTHORIZED")return{kind:"authorized",credential:{type:"mcp_oauth_provider",provider:e.provider}};if(t!=="REDIRECT")throw new h({message:`Unexpected OAuth result for ${e.target.upstreamServerId}: ${t}`,extensionMembers:{[g]:"upstream_token_exchange_failed"}});if(!e.provider.authorizationUrl)throw new h({message:`OAuth connect-required flow did not produce a redirect for ${e.target.upstreamServerId}`,extensionMembers:{[g]:"upstream_token_exchange_failed"}});return{kind:"connect_required",payload:await Eu({requestUrl:e.target.request.url,requestHeaders:e.target.request.headers,connection:e.connection,owner:e.target.owner,initiatedBySubjectId:e.target.initiatedBySubjectId,upstreamServerId:e.target.upstreamServerId,authProfileId:e.target.authProfileId,upstreamDisplayName:e.upstreamDisplayName,operationId:e.target.operationId,...e.target.returnTo===void 0?{}:{returnTo:e.target.returnTo}})}}n(xi,"authorizeUpstreamOAuthSession");async function Uu(e){let t=await Ft(e.stateToken),r=await b().consumeUpstreamOAuthState({id:t.id,now:R(new Date)}),o=ku(r);return Pu({storedState:o,signedState:t,upstreamServerId:e.upstreamServerId,callbackPath:new URL(e.request.url).pathname}),Tu(o),o}n(Uu,"consumeStoredCallbackState");function ku(e){switch(e.kind){case"consumed":throw new h({message:"OAuth state has already been used",extensionMembers:{[g]:"oauth_state_reused"}});case"missing":throw new h({message:"OAuth state is missing or expired",extensionMembers:{[g]:"oauth_state_expired"}});case"available":return e.record}}n(ku,"readConsumedCallbackState");function 
Pu(e){if(![e.storedState.ownerMode===e.signedState.ownerMode,e.storedState.initiatedBySubjectId===e.signedState.initiatedBySubjectId,e.storedState.ownerSubjectId===e.signedState.ownerSubjectId,e.storedState.upstreamServerId===e.signedState.upstreamServerId,e.storedState.authProfileId===e.signedState.authProfileId,e.storedState.operationId===e.signedState.operationId,e.storedState.upstreamServerId===e.upstreamServerId,e.storedState.callbackPath===e.callbackPath].every(Boolean))throw new h({message:"OAuth callback did not match the initiating request",extensionMembers:{[g]:"oauth_callback_mismatch"}})}n(Pu,"assertStoredCallbackStateMatches");function Tu(e){if(new Date(e.expiresAt).getTime()<=Date.now())throw new h({message:"OAuth state has expired",extensionMembers:{[g]:"oauth_state_expired"}})}n(Tu,"assertStoredCallbackStateFresh");async function Eu(e){if(e.owner.mode==="shared"){let r={upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,upstreamDisplayName:e.upstreamDisplayName,operationId:e.operationId,requiresReconsent:!!e.connection};return e.connection!==void 0&&(r.connectionId=e.connection.id),li(r)}let t={requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders},owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,upstreamDisplayName:e.upstreamDisplayName,operationId:e.operationId,subject:"tool",requiresReconsent:!!e.connection,...e.returnTo===void 0?{}:{returnTo:e.returnTo}};return e.connection!==void 0&&(t.connectionId=e.connection.id),Zt(t)}n(Eu,"buildOAuthConnectRequiredResponse");async function Ai(e){let t=await Uu({request:e.request,upstreamServerId:e.upstreamServerId,stateToken:e.stateToken}),r=Pt(t),[o]=await 
b().batchGetUpstreamConnections([{owner:r,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId}]),i={target:{owner:r,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,operationId:t.operationId,...t.returnTo===void 0?{}:{returnTo:t.returnTo}},redirectUri:t.redirectUri,pendingState:t};o!==void 0&&(i.connection=o);let a=new Ie(i),s=await Au(a,{upstreamServerId:e.upstreamServerId,serverUrl:e.upstreamServerConfig.transport.baseUrl,authorizationCode:e.authorizationCode,resourceMetadataUrl:e.upstreamServerConfig.transport.resourceMetadataUrl});if(s==="AUTHORIZED")return t;throw s!=="REDIRECT"?new h({message:`Unexpected OAuth result for ${e.upstreamServerId}: ${s}`,extensionMembers:{[g]:"upstream_token_exchange_failed"}}):new h({message:`OAuth callback flow did not finish authorization for ${e.upstreamServerId}`,extensionMembers:{[g]:"upstream_token_exchange_failed"}})}n(Ai,"finishUpstreamOAuthCallback");function Ou(e){return Kt(new URL(e.callbackPath,k(e.requestUrl,e.requestHeaders))).toString()}n(Ou,"buildGatewayOAuthRedirectUri");async function Ui(e){let t=Me(e.upstreamServerId),r=qe(e.upstreamServerId,e.authProfileId),o=Ou({callbackPath:r.redirectPath,requestUrl:e.request.url,requestHeaders:e.request.headers}),i="preloadedConnection"in e?e.preloadedConnection:(await b().batchGetUpstreamConnections([{owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId}]))[0];return{upstreamServerConfig:t,connection:i,providerInput:{target:{owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,operationId:e.operationId,...e.returnTo===void 0?{}:{returnTo:e.returnTo}},redirectUri:o,returnOrigin:k(e.request.url,e.request.headers)}}}n(Ui,"prepareUpstreamOAuthRequest");async function ki(e){let t=await Ui(e),r=new Ie({...t.providerInput,...t.connection?.metadata===void 0?{}:{connectionMetadata:t.connection.metadata}});return 
Ii(r,{upstreamServerId:e.upstreamServerId,serverUrl:t.upstreamServerConfig.transport.baseUrl,resourceMetadataUrl:t.upstreamServerConfig.transport.resourceMetadataUrl})}n(ki,"startUpstreamConnect");async function Pi(e){let t=await Ui(e),r=new Ie({...t.providerInput,...t.connection===void 0?{}:{connection:t.connection}});return xi({target:e,provider:r,connection:t.connection,forceRefresh:e.forceRefresh,...e.requestedScope===void 0?{}:{requestedScope:e.requestedScope},upstreamDisplayName:t.upstreamServerConfig.displayName,serverUrl:t.upstreamServerConfig.transport.baseUrl,resourceMetadataUrl:t.upstreamServerConfig.transport.resourceMetadataUrl})}n(Pi,"authorizeUpstreamRequest");async function Le(e){let{routeAuth:t}=e;return Pi({request:e.request,owner:t.owner,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,operationId:t.operationId,forceRefresh:e.forceRefresh,...e.requestedScope===void 0?{}:{requestedScope:e.requestedScope},...e.preloadedConnection===void 0?{}:{preloadedConnection:e.preloadedConnection},...t.returnTo===void 0?{}:{returnTo:t.returnTo}})}n(Le,"resolveUpstreamCredentialForRoute");async function Ti(e){let t={request:e.request,owner:e.connectRequest.owner,initiatedBySubjectId:e.connectRequest.initiatedBySubjectId,upstreamServerId:e.connectRequest.upstreamServerId,authProfileId:e.connectRequest.authProfileId,operationId:e.connectRequest.operationId,...e.connectRequest.returnTo===void 0?{}:{returnTo:e.connectRequest.returnTo}},r=await ki(t);return{authProfileId:e.connectRequest.authProfileId,authUrl:r,initiatedBySubjectId:e.connectRequest.initiatedBySubjectId,owner:e.connectRequest.owner,upstreamDisplayName:e.connectRequest.upstreamDisplayName,operationId:e.connectRequest.operationId}}n(Ti,"startUpstreamConnectForRequest");async function Ei(e){let r=(await Ft(e.callbackRequest.state)).authProfileId;return 
Or({upstreamServerId:e.callbackRequest.upstreamServerId,authProfileId:r}),Ai({request:e.request,upstreamServerId:e.callbackRequest.upstreamServerId,authorizationCode:e.callbackRequest.code,stateToken:e.callbackRequest.state,upstreamServerConfig:Me(e.callbackRequest.upstreamServerId)})}n(Ei,"finishUpstreamCallbackForRequest");function Mu(e){return{upstreamServerId:e.connection.upstreamServerId,operationId:e.operationId,authProfileId:e.connection.authProfileId,upstreamDisplayName:e.connection.displayName,authMode:e.connection.authMode,ownerMode:e.connection.ownerMode}}n(Mu,"buildRouteAuthBaseFromConnection");function Mi(e){return{upstreamServerId:e.connection.id,operationId:e.operationId,authProfileId:Wn(e.connection.id,e.connection.authMode),upstreamDisplayName:e.connection.displayName,authMode:e.connection.authMode,ownerMode:e.connection.ownerMode}}n(Mi,"buildRouteAuthBaseFromPolicyOptions");function Wt(e,t){let o=J().byOperationId.get(t);if(!o)throw new q(`Unknown MCP route "${t}". Ensure routes.oas.json declares this operationId before starting an upstream connection flow.`);if(o.connection===void 0)throw new q(`MCP route "${t}" does not declare an MCP token exchange policy. Add one before starting an upstream connection flow.`);if(o.connection.upstreamServerId!==e)throw new q(`MCP route "${t}" does not bind upstream "${e}". 
Check the route's MCP upstream policies and bind the upstream before starting an upstream connection flow.`);return Mu({connection:o.connection,operationId:t})}n(Wt,"resolveRouteAuthBase");function Oi(e,t){switch(e){case"user":return kt(t);case"shared":return Kn()}}n(Oi,"buildOwnerForSubject");function Be(e,t){switch(e.ownerMode){case"shared":return{...e,ownerMode:"shared",owner:Oi(e.ownerMode,t),initiatedBySubjectId:t};case"user":return{...e,ownerMode:"user",owner:Oi(e.ownerMode,t),initiatedBySubjectId:t}}}n(Be,"resolveRouteAuthForSubject");var qu=We.InvalidRequest,Du=new Set(["connection","keep-alive","proxy-authenticate","te","trailer","transfer-encoding","upgrade"]);function Hu(e,t){return{credentialType:e.type,forceRefresh:t}}n(Hu,"buildCredentialResolvedAttributes");function zu(e){switch(e){case"admin_connect_required":return"admin_connect_required";case"authenticating":return"connect_required"}}n(zu,"connectRequiredReasonCode");function qi(e){x(e.context,{eventType:C.MCP_AUTH_UPSTREAM_CREDENTIAL_RESOLVED,outcome:"success",routeBinding:e.routeBinding,attributes:Hu(e.credential,e.forceRefresh===!0)})}n(qi,"emitCredentialResolvedAnalyticsEvent");function Di(e){let t={forceRefresh:e.forceRefresh===!0,nextAction:e.payload.nextAction,state:e.payload.state};if(x(e.context,{eventType:C.MCP_AUTH_UPSTREAM_CREDENTIAL_MISSING,outcome:"connect_required",routeBinding:e.routeBinding,reasonCode:"connect_required",reasonClass:"auth",attributes:t}),e.payload.state==="reconsent_required"){x(e.context,{eventType:C.MCP_AUTH_UPSTREAM_RECONSENT_REQUIRED,outcome:"connect_required",routeBinding:e.routeBinding,reasonCode:"reconsent_required",reasonClass:"auth",attributes:t});return}x(e.context,{eventType:C.MCP_AUTH_UPSTREAM_CONNECT_REQUIRED,outcome:"connect_required",routeBinding:e.routeBinding,reasonCode:zu(e.payload.state),reasonClass:"auth",attributes:t})}n(Di,"emitCredentialMissingAnalyticsEvents");function Lu(e){let t=e.route.raw();return 
xt.parse(t?.operationId)}n(Lu,"readOperationId");async function Bu(e,t,r,o){let i=await Le({request:e,routeAuth:t});if(i.kind==="connect_required")return Di({context:o,payload:i.payload,routeBinding:t}),o.log.info({event:"mcp_upstream_connect_required",upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId},"MCP upstream proxy: upstream connection required"),{kind:"connect_required",payload:i.payload};let a=i.credential;qi({context:o,credential:a,routeBinding:t});let s=await a.provider.tokens();return s?{kind:"headers",headers:[["authorization",`${s.token_type??"Bearer"} ${s.access_token}`]]}:(o.log.warn({event:"mcp_upstream_no_tokens",upstreamServerId:t.upstreamServerId},"MCP upstream proxy: OAuth provider returned no tokens"),Response.json({error:"no_upstream_tokens"},{status:401}))}n(Bu,"buildCredentialHeaders");var ju=new Set(["authorization","cookie","cookie2"]);function Nu(e){if(e!==void 0)try{let t=JSON.parse(new TextDecoder().decode(e));return t&&typeof t=="object"&&!Array.isArray(t)&&"method"in t&&typeof t.method=="string"?t.method:void 0}catch{return}}n(Nu,"readJsonRequestMethod");function Gu(e){let t=e.headers.get("content-type")??"";return/\bapplication\/(?:[\w.+-]+\+)?json\b/i.test(t)}n(Gu,"isJsonResponse");function Zr(e){return e!==null&&typeof e=="object"&&!Array.isArray(e)}n(Zr,"isRecord");function $u(e){return Array.isArray(e)&&e.length>0}n($u,"hasIconList");function Fu(e){if(e.connection.serverInfo?.icons!==void 0&&e.connection.serverInfo.icons.length>0)return e.connection.serverInfo.icons;try{let t=Bt(Bn(e.context.route.handler));return t===void 0?void 0:[t]}catch{return}}n(Fu,"readFallbackServerIcons");function Zu(e){if(!Zr(e.body))return e.body;let t=e.body.result;if(!Zr(t))return e.body;let r=t.serverInfo;return!Zr(r)||$u(r.icons)?e.body:{...e.body,result:{...t,serverInfo:{...r,icons:e.icons}}}}n(Zu,"addMissingServerIcons");function Ku(e,t){let r=new Headers(e.headers);for(let o of ju)r.delete(o);for(let[o,i]of t)r.set(o,i);return 
new xn(e,{headers:r})}n(Ku,"applyUpstreamHeaders");function Ju(e){let t=new Headers(e.headers);for(let r of Du)t.delete(r);return t}n(Ju,"buildProxyHeaders");async function Wu(e){if(!(e.method==="GET"||e.method==="HEAD"))return e.clone().arrayBuffer()}n(Wu,"readRetryBody");function Hi(e,t){let r=t.authUrl===void 0?void 0:Ro({message:t.message,elicitationId:["connect",t.operationId,t.upstreamServerId,t.authProfileId].join(":"),url:t.authUrl});return Response.json(Mt({id:_o(e),error:{code:r?.code??qu,message:t.message,data:{...r?.data??{},connectRequired:t}}}))}n(Hi,"connectRequiredJsonRpcResponse");async function Vu(e){let{scope:t}=Eo(e.upstreamResponse),r=await Le({request:e.request,routeAuth:e.routeAuth,forceRefresh:!0,...t===void 0?{}:{requestedScope:t}});if(r.kind==="connect_required")return Di({context:e.context,payload:r.payload,routeBinding:e.routeAuth,forceRefresh:!0}),{kind:"connect_required",payload:r.payload};let o=new Headers(e.headers),i=r.credential;qi({context:e.context,credential:i,routeBinding:e.routeAuth,forceRefresh:!0});let a=await i.provider.tokens();return a?(o.set("authorization",`${a.token_type??"Bearer"} ${a.access_token}`),{kind:"headers",headers:o}):(e.context.log.warn({event:"mcp_upstream_no_tokens_after_refresh",upstreamServerId:e.routeAuth.upstreamServerId},"MCP upstream proxy: OAuth provider returned no tokens after refresh"),{kind:"response",response:Response.json({error:"no_upstream_tokens"},{status:401})})}n(Vu,"applyRefreshedCredentialHeaders");function Yu(e){e.context.addResponseSendingHook(async(t,r)=>{if(t.status!==401)return t;let o=await Vu({request:e.request,context:e.context,headers:Ju(r),routeAuth:e.routeAuth,upstreamResponse:t});if(o.kind==="connect_required")return Hi(e.requestBody,o.payload);if(o.kind==="response")return o.response;let i=jn({handler:e.context.route.handler,request:r,body:e.requestBody,headers:o.headers});return Rt.fetch(i.url,i.init)})}n(Yu,"installUpstreamAuthRetryHook");function 
Xu(e){if(Nu(e.requestBody)!=="initialize")return;let t=Fu({connection:e.connection,context:e.context});t===void 0||t.length===0||e.context.addResponseSendingHook(async r=>{if(!Gu(r))return r;let o;try{o=await r.clone().json()}catch{return r}let i=Zu({body:o,icons:t});if(i===o)return r;let a=new Headers(r.headers);return a.delete("content-length"),new Response(JSON.stringify(i),{status:r.status,statusText:r.statusText,headers:a})})}n(Xu,"installInitializeIconHook");async function Kr(e,t,r){let o=Lu(t),i=await Wu(e),a=Mi({connection:r,operationId:o}),s=_e(e.user,e.url,e.headers);to(t,s);let c=Be(a,s.subjectId),u=await Bu(e,c,r,t);if(!(u instanceof Response)&&u.kind==="connect_required")return Hi(i,u.payload);if(u instanceof Response)return u;let p=Ku(e,u.headers);return Yu({request:p,context:t,requestBody:i,routeAuth:c}),Xu({context:t,requestBody:i,connection:r}),p}n(Kr,"mcpTokenExchangePolicy");var Jr=class extends Ct{static{n(this,"McpTokenExchangeInboundPolicy")}constructor(t,r){let o=Vn(t,r);super(o,r)}async handler(t,r){return bt("policy.inbound.mcp-token-exchange"),Kr(t,r,this.options)}};$();var zi=Symbol("Html");function Qu(e){return e.replaceAll("&","&amp;").replaceAll("<","&lt;").replaceAll(">","&gt;").replaceAll('"',"&quot;").replaceAll("'","&#39;")}n(Qu,"escapeHtml");function el(e){return e===null||typeof e!="object"?!1:e[zi]===!0}n(el,"isHtml");function Li(e){return e==null||e===!1?"":Array.isArray(e)?e.map(Li).join(""):el(e)?e.value:Qu(String(e))}n(Li,"renderValue");function ae(e){return{[zi]:!0,value:e}}n(ae,"trustedHtml");var Y=ae("");function v(e,...t){let r=e[0]??"";for(let o=0;o<t.length;o+=1)r+=Li(t[o]),r+=e[o+1]??"";return ae(r)}n(v,"html");function je(e){return e.value}n(je,"renderHtml");function Bi(e){return v`<p class="card__description">${e.detail}</p>${e.guidance} ${e.technicalDetails} ${e.action}`}n(Bi,"renderBrowserErrorPage");var 
Ne=ae('*,:before,:after{box-sizing:border-box}:root{--bg:#f5f6f8;--surface:#fff;--surface-2:#f8fafc;--border:#e5e7eb;--border-strong:#d1d5db;--text:#0f172a;--text-2:#475569;--text-3:#64748b;--text-muted:#94a3b8;--accent:#0f172a;--accent-hover:#1e293b;--accent-text:#fff;--focus-ring:#0f172a29;--danger:#b91c1c;--danger-bg:#b91c1c0f;--danger-border:#b91c1c38;--warning:#92400e;--warning-bg:#fffbeb;--warning-border:#fde68a;--success:#15803d;--success-bg:#f0fdf4;--success-border:#bbf7d0;--radius-sm:4px;--radius:8px;--radius-lg:12px;--radius-pill:9999px;--shadow-sm:0 1px 2px #0f172a0d;--shadow:0 1px 2px #0f172a0a,0 6px 16px #0f172a0f;--font-sans:-apple-system,BlinkMacSystemFont,"Segoe UI",Inter,system-ui,sans-serif;--font-mono:ui-monospace,SFMono-Regular,"SF Mono",Menlo,Monaco,Consolas,monospace}@media (prefers-color-scheme:dark){:root{--bg:#0a0c10;--surface:#15171c;--surface-2:#1e2128;--border:#262932;--border-strong:#3a3e48;--text:#fafafa;--text-2:#cbd5e1;--text-3:#94a3b8;--text-muted:#71717a;--accent:#fafafa;--accent-hover:#e4e4e7;--accent-text:#0a0c10;--focus-ring:#fafafa2e;--danger:#f87171;--danger-bg:#f8717114;--danger-border:#f871714d;--warning:#fbbf24;--warning-bg:#fbbf2414;--warning-border:#fbbf2447;--success:#34d399;--success-bg:#34d39914;--success-border:#34d3994d;--shadow-sm:0 1px 2px #0006;--shadow:0 1px 2px #0006,0 8px 24px #0006}}html,body{margin:0;padding:0}body{font-family:var(--font-sans);background:var(--bg);color:var(--text);-webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale;flex-direction:column;justify-content:center;align-items:center;min-height:100dvh;padding:48px 20px;font-size:14px;line-height:1.5;display:flex}.card{background:var(--surface);border:1px solid var(--border);border-radius:var(--radius-lg);width:100%;max-width:480px;box-shadow:var(--shadow);overflow:hidden}.card__head{text-align:center;padding:32px 32px 24px}.card__icon{border-radius:var(--radius);background:var(--surface-2);object-fit:contain;border:1px solid 
var(--border);width:48px;height:48px;margin:0 auto 16px;display:block}.card__title{letter-spacing:-.01em;color:var(--text);margin:0;font-size:20px;font-weight:600;line-height:1.3}.card__subtitle{color:var(--text-2);margin:8px 0 0;font-size:14px;line-height:1.55}.card__subtitle strong{color:var(--text);font-weight:600}.card__description{color:var(--text-3);margin:12px 0 0;font-size:13px;line-height:1.55}.card__principal{color:var(--text-3);background:var(--surface-2);border-radius:var(--radius-pill);text-overflow:ellipsis;white-space:nowrap;align-items:center;gap:6px;max-width:100%;margin:16px 0 0;padding:4px 12px;font-size:12.5px;display:inline-flex;overflow:hidden}.card__body{flex-direction:column;gap:20px;padding:8px 32px 24px;display:flex}.card__head+.card__body{border-top:1px solid var(--border);padding-top:24px}.card__footer{border-top:1px solid var(--border);background:var(--surface-2);flex-wrap:wrap;justify-content:flex-end;align-items:center;gap:8px;padding:16px 24px;display:flex}.card__fineprint{color:var(--text-3);text-align:center;margin:0;font-size:12.5px;line-height:1.5}.card__fineprint strong{color:var(--text-2);font-weight:600}.section-label{text-transform:uppercase;letter-spacing:.07em;color:var(--text-3);align-items:baseline;gap:6px;margin:0;font-size:11px;font-weight:600;display:flex}.section-label__count{color:var(--text-3);letter-spacing:0;font-weight:500}.banner{border-radius:var(--radius);border:1px solid;align-items:flex-start;gap:10px;padding:12px 14px;font-size:13px;display:flex}.banner__icon{flex-shrink:0;justify-content:center;align-items:center;width:16px;height:16px;margin-top:1px;display:inline-flex}.banner__body{flex-direction:column;flex:1;gap:2px;min-width:0;display:flex}.banner__title{color:var(--text);margin:0;font-size:13px;font-weight:600}.banner__message{color:var(--text-2);margin:0;font-size:13px;line-height:1.5}.banner--warning{background:var(--warning-bg);border-color:var(--warning-border)}.banner--warning 
.banner__icon{color:var(--warning)}.banner--alert{background:var(--danger-bg);border-color:var(--danger-border)}.banner--alert .banner__icon,.banner--alert .banner__title{color:var(--danger)}.upstream-list{flex-direction:column;gap:8px;margin:0;padding:0;list-style:none;display:flex}.upstream-card{background:var(--surface);border:1px solid var(--border);border-radius:var(--radius);flex-direction:column;gap:10px;padding:14px;display:flex}.upstream-card--needs-action{border-color:var(--warning-border);background:var(--warning-bg)}.upstream-card__head{align-items:flex-start;gap:10px;display:flex}.icon-frame{border-radius:var(--radius-sm);border:1px solid var(--border);background:var(--surface-2);width:32px;height:32px;color:var(--text-3);flex-shrink:0;justify-content:center;align-items:center;display:inline-flex;overflow:hidden}.icon-frame img{object-fit:contain;max-width:100%;max-height:100%}.icon-frame--fallback svg{width:18px;height:18px}.inline-icon{object-fit:contain;vertical-align:-2px;border-radius:2px;width:14px;height:14px;margin-right:4px}.upstream-card__main{flex-direction:column;flex:1;gap:3px;min-width:0;display:flex}.upstream-card__title-row{justify-content:space-between;align-items:center;gap:10px;min-width:0;display:flex}.upstream-card__title{color:var(--text);letter-spacing:-.005em;text-overflow:ellipsis;white-space:nowrap;flex:1;min-width:0;margin:0;font-size:14px;font-weight:600;line-height:1.3;overflow:hidden}.upstream-card__meta{color:var(--text-3);flex-wrap:wrap;align-items:center;gap:6px;font-size:12px;display:flex}.upstream-card__host{font-family:var(--font-mono);background:var(--surface-2);color:var(--text-2);border-radius:var(--radius-sm);padding:1px 6px;font-size:11.5px}.upstream-card__sep{color:var(--border-strong)}.upstream-card__description{color:var(--text-2);margin:4px 0 0;font-size:12.5px;line-height:1.5}.status-badge{border-radius:var(--radius-pill);white-space:nowrap;border:1px solid 
#0000;flex-shrink:0;align-items:center;gap:6px;padding:2px 8px;font-size:11.5px;font-weight:600;display:inline-flex}.status-badge:before{content:"";background:currentColor;border-radius:50%;flex-shrink:0;width:5px;height:5px}.status-badge--success{background:var(--success-bg);color:var(--success);border-color:var(--success-border)}.status-badge--warning{background:var(--warning-bg);color:var(--warning);border-color:var(--warning-border)}.status-badge--neutral{background:var(--surface-2);color:var(--text-2);border-color:var(--border)}.upstream-card__capabilities,.upstream-card__scopes{border-top:1px solid var(--border);margin-top:2px;padding-top:10px}.upstream-card__capabilities--empty{color:var(--text-3);font-size:12px;font-style:italic}.capabilities-summary,.scopes-summary{cursor:pointer;user-select:none;color:var(--text-2);justify-content:space-between;align-items:center;gap:12px;padding:2px 0;font-size:12.5px;list-style:none;display:flex}.capabilities-summary::-webkit-details-marker,.scopes-summary::-webkit-details-marker{display:none}.capabilities-summary:hover,.scopes-summary:hover{color:var(--text)}.capabilities-summary:focus-visible,.scopes-summary:focus-visible{outline:2px solid var(--accent);outline-offset:2px;border-radius:var(--radius-sm)}.capabilities-summary__counts{flex-wrap:wrap;align-items:center;gap:12px;display:flex}.count-pill{color:var(--text-2);align-items:baseline;gap:4px;font-size:12.5px;display:inline-flex}.count-pill__num{font-variant-numeric:tabular-nums;color:var(--text);font-size:13px;font-weight:600}.count-pill--destructive .count-pill__num,.count-pill--destructive .count-pill__label{color:var(--danger)}.capabilities-summary__chevron{color:var(--text-3);flex-shrink:0;transition:transform .15s;display:inline-flex}details[open]>.capabilities-summary .capabilities-summary__chevron,details[open]>.scopes-summary 
.capabilities-summary__chevron{transform:rotate(180deg)}.capabilities-detail{margin-top:10px}.capability-section{margin-top:14px}.capability-section:first-child{margin-top:6px}.capability-section__title{text-transform:uppercase;letter-spacing:.07em;color:var(--text-3);margin:0 0 6px;font-size:11px;font-weight:600}.capability-list{flex-direction:column;gap:5px;margin:0;padding:0;font-size:12.5px;list-style:none;display:flex}.capability-row{flex-wrap:wrap;align-items:baseline;gap:6px;padding:2px 0;display:flex}.capability-row__name{font-weight:500;font-family:var(--font-mono);color:var(--text);font-size:12.5px}.capability-row__description{color:var(--text-3);flex-basis:100%;font-size:12px;line-height:1.45}.capability-row__description code{font-family:var(--font-mono);background:var(--surface-2);border-radius:var(--radius-sm);color:var(--text-2);padding:1px 4px}.capability-row--more{color:var(--text-3);font-size:12px;font-style:italic}.scopes-list{flex-wrap:wrap;gap:4px;margin-top:8px;display:flex}.scope-chip{font-family:var(--font-mono);background:var(--surface-2);color:var(--text-2);border-radius:var(--radius-sm);border:1px solid var(--border);padding:2px 7px;font-size:11.5px}.badge{border-radius:var(--radius-sm);letter-spacing:.04em;text-transform:uppercase;align-items:center;padding:1px 5px;font-size:10px;font-weight:600;display:inline-flex}.badge--destructive{background:var(--danger-bg);color:var(--danger)}.badge--muted{background:var(--surface-2);color:var(--text-3)}.badge-row{flex-wrap:wrap;gap:4px;display:inline-flex}.muted{color:var(--text-3)}.button{font:inherit;border-radius:var(--radius);cursor:pointer;white-space:nowrap;border:1px solid #0000;justify-content:center;align-items:center;gap:6px;min-height:40px;padding:8px 16px;font-size:14px;font-weight:500;text-decoration:none;transition:background .12s,border-color .12s,color .12s,box-shadow .12s,transform 40ms;display:inline-flex}.button:active{transform:translateY(1px)}.button:focus-visible{box-shadow:0 
0 0 3px var(--focus-ring);outline:0}.button--small{padding:5px 10px;font-size:12.5px}.button--primary{background:var(--accent);color:var(--accent-text);border-color:var(--accent)}.button--primary:hover:not(:disabled):not([aria-disabled=true]){background:var(--accent-hover);border-color:var(--accent-hover)}.button:disabled,.button[aria-disabled=true]{cursor:not-allowed;opacity:.55}.button:disabled:hover,.button[aria-disabled=true]:hover{background:var(--accent);border-color:var(--accent)}.button--secondary{background:var(--surface);color:var(--text);border-color:var(--border-strong)}.button--secondary:hover{background:var(--surface-2);border-color:var(--border-strong)}.button--block{width:100%}.reconnect-action{align-items:center;margin-right:auto;display:inline-flex;position:relative}.reconnect-button{gap:7px}.tooltip{width:16px;height:16px;color:var(--accent);background:color-mix(in srgb,var(--accent)8%,transparent);cursor:help;border:1.5px solid;border-radius:50%;justify-content:center;align-items:center;font-size:10.5px;font-weight:700;line-height:1;display:inline-flex;position:relative}.tooltip:after{content:attr(aria-label);z-index:10;border-radius:var(--radius-sm);background:var(--accent);width:280px;max-width:min(280px,100vw - 48px);color:var(--accent-text);box-shadow:var(--shadow);text-align:left;white-space:normal;opacity:0;pointer-events:none;padding:12px 14px;font-size:13px;font-weight:600;line-height:1.45;transition:opacity .12s;position:absolute;bottom:calc(100% + 12px);left:50%;transform:translate(-50%)}.tooltip:before{content:"";z-index:11;border-left:7px solid #0000;border-right:7px solid #0000;border-top:8px solid var(--accent);opacity:0;pointer-events:none;transition:opacity .12s;position:absolute;bottom:calc(100% + 
5px);left:50%;transform:translate(-50%)}.tooltip:hover:after,.tooltip:hover:before,.tooltip:focus-visible:after,.tooltip:focus-visible:before{opacity:1}.form{flex-direction:column;gap:6px;display:flex}.form__label{color:var(--text);margin:8px 0 0;font-size:13px;font-weight:600;display:block}.form__label:first-child{margin-top:0}.form__input{box-sizing:border-box;border:1px solid var(--border-strong);border-radius:var(--radius);width:100%;font:inherit;background:var(--surface);color:var(--text);padding:9px 12px;font-size:14px;transition:border-color .12s,box-shadow .12s}.form__input:focus{border-color:var(--accent);box-shadow:0 0 0 3px var(--focus-ring);outline:0}.form__note{color:var(--text-3);margin:4px 0 0;font-size:12.5px;line-height:1.5}.form__submit{margin-top:8px}.empty{text-align:center;color:var(--text-3);border:1px dashed var(--border);border-radius:var(--radius);background:var(--surface);padding:24px 16px;font-size:13px}.actions{gap:8px;margin:0;display:flex}@media (width<=480px){body{padding:0}.card{box-shadow:none;border-left:0;border-right:0;border-radius:0;min-height:100dvh}.card__head{padding:24px 20px 16px}.card__body{padding:16px 20px}.card__footer{flex-direction:column-reverse;align-items:stretch;padding:14px 20px}.card__footer .button{width:100%}.reconnect-action{justify-content:center;width:100%;margin-right:0}.reconnect-action .button{flex:1}.tooltip:after{left:auto;right:0;transform:none}}@media (prefers-reduced-motion:reduce){*{transition:none!important}}');function Ge(e){return v`<!doctype html><html lang="en"><head><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1" /><meta name="referrer" content="no-referrer" /><meta name="robots" content="noindex" /><title>${e.title}</title><link rel="icon" href="${e.iconHref}" /><style>
26
26
  ${e.styles}
27
- </style></head><body><main class="card"><header class="card__head">${e.headerIcon}<h1 class="card__title">${e.heading}</h1>${e.subhead}</header><div class="card__body">${e.body}</div>${e.footer}</main></body></html>`}n(Ne,"renderShell");var Qu="text/html; charset=utf-8";function Ge(e){try{return new URL(e).host}catch{return""}}n(Ge,"safeHostFromUrl");function Y(e){let t=tl(e.kind??"authorization_failed"),r=el(e);return new Response(Be(Ne({title:e.title??t.title,iconHref:"",styles:je,headerIcon:V,heading:e.title??t.title,subhead:"",body:zi({detail:e.detail,guidance:v`<p class="card__description">${t.guidance}</p>`,technicalDetails:al({diagnostic:r,upstreamHtml:e.upstreamHtml}),action:ol(e.action)}),footer:""})),{status:e.status??400,headers:{"content-type":Qu,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"}})}n(Y,"browserErrorPageResponse");function el(e){let t=e.diagnostic?.code??e.code??"unknown";return{code:t,stage:e.diagnostic?.stage??rl(t),timestamp:e.diagnostic?.timestamp??new Date().toISOString(),...e.requestId===void 0&&e.diagnostic?.requestId===void 0?{}:{requestId:e.diagnostic?.requestId??e.requestId},...e.diagnostic?.operationId===void 0?{}:{operationId:e.diagnostic.operationId},...e.diagnostic?.routePath===void 0?{}:{routePath:e.diagnostic.routePath},...e.diagnostic?.upstreamServerId===void 0?{}:{upstreamServerId:e.diagnostic.upstreamServerId},...e.diagnostic?.authProfileId===void 0?{}:{authProfileId:e.diagnostic.authProfileId},...e.diagnostic?.upstreamUrl===void 0?{}:{upstreamUrl:e.diagnostic.upstreamUrl},...e.diagnostic?.metadataUrl===void 0?{}:{metadataUrl:e.diagnostic.metadataUrl},...e.diagnostic?.httpStatus===void 0?{}:{httpStatus:e.diagnostic.httpStatus},...e.diagnostic?.contentType===void 0?{}:{contentType:e.diagnostic.contentType},...e.diagnostic?.providerError===void 0?{}:{providerError:e.diagnostic.providerError},...e.diagnostic?.providerErrorDescription===void 
0?{}:{providerErrorDescription:e.diagnostic.providerErrorDescription},suggestedFix:e.diagnostic?.suggestedFix??nl(t),underlyingError:e.diagnostic?.underlyingError??e.developerDetail}}n(el,"buildBrowserErrorDiagnostic");function tl(e){switch(e){case"session_expired":return{title:"Authorization expired",guidance:"Return to your MCP client and reconnect. Expired authorization requests cannot be resumed."};case"access_denied":return{title:"Authorization canceled",guidance:"Return to your MCP client to retry if you want to grant access."};case"configuration_error":return{title:"Configuration needs attention",guidance:"Contact your workspace admin with this error code. The gateway or upstream configuration must be fixed before retrying."};case"connection_failed":return{title:"Connection failed",guidance:"Return to your MCP client and reconnect this upstream. If this keeps happening, contact your gateway administrator with this error code."};case"invalid_request":return{title:"Authorization request invalid",guidance:"Return to your MCP client and try connecting again. If this keeps happening, the client request may need to be fixed."};case"admin_required":return{title:"Admin setup required",guidance:"Contact your workspace admin with this error code. This connection cannot be completed until setup is finished."};case"internal_error":return{title:"Gateway error",guidance:"Try again later from your MCP client. If this keeps happening, contact your gateway administrator with this error code."};case"authorization_failed":return{title:"Authorization failed",guidance:"Return to your MCP client and start authorization again. 
If this keeps happening, contact your gateway administrator with this error code."}}}n(tl,"readBrowserErrorPagePresentation");function rl(e){switch(e){case"upstream_oauth_discovery_unavailable":return"upstream_oauth_discovery";case"upstream_client_registration_required":return"upstream_oauth_client_registration";case"upstream_provider_access_denied":case"upstream_token_exchange_failed":case"upstream_token_response_invalid":return"upstream_token_exchange";case"provider_access_denied":return"upstream_oauth_callback";case"oauth_state_invalid":case"oauth_state_expired":case"oauth_state_reused":case"oauth_callback_mismatch":return"upstream_oauth_state";case"browser_login_verification_failed":return"downstream_browser_login";case"authentication_required":case"identity_context_missing":return"downstream_auth";case"mcp_route_not_enabled":case"unknown_upstream_server":case"unknown_mcp_route":case"unknown_auth_profile":case"mcp_route_upstream_mismatch":return"gateway_configuration";case"server_error":case"internal_server_error":return"gateway_internal";default:return"gateway_request"}}n(rl,"readBrowserErrorStage");function nl(e){switch(e){case"upstream_oauth_discovery_unavailable":return"Confirm the upstream MCP URL and OAuth protected resource metadata. If the provider requires approval, configure the provider app or contact the provider.";case"upstream_client_registration_required":return"Register an OAuth client with the upstream provider, then configure the gateway to use that client before retrying.";case"upstream_provider_access_denied":return"Confirm the provider allows this gateway, OAuth client, and upstream MCP URL, then retry the connection.";case"upstream_token_exchange_failed":return"Retry the connection. 
If it repeats, verify the upstream OAuth client, redirect URI, token endpoint, and provider allowlist.";case"upstream_token_response_invalid":return"Verify the upstream token endpoint returns a valid OAuth token response for this gateway client.";case"provider_access_denied":return"Start the connection again if access was denied by mistake. Otherwise, grant the requested upstream provider access.";case"oauth_state_invalid":case"oauth_state_expired":case"oauth_state_reused":case"oauth_callback_mismatch":return"Start a new connection from the MCP client. The previous browser authorization request cannot be resumed.";case"browser_login_verification_failed":return"Retry the browser login flow. If it repeats, verify the downstream login callback configuration.";case"mcp_route_not_enabled":case"unknown_upstream_server":case"unknown_mcp_route":case"unknown_auth_profile":case"mcp_route_upstream_mismatch":return"Check the MCP route, upstream server, and auth profile entries in the gateway configuration.";case"authentication_required":case"identity_context_missing":return"Verify the normal Zuplo auth policy runs before the MCP gateway policy and sets request.user.";case"server_error":case"internal_server_error":return"Retry later and check gateway logs with the request ID.";default:return"Check the gateway configuration and request details associated with this error code."}}n(nl,"readBrowserErrorSuggestedFix");function ol(e){return e===void 0?V:v`<a class="button button--primary button--block" href="${e.href}">${e.label}</a>`}n(ol,"renderAction");function il(e){let t=[["Error code",e.code],["Stage",e.stage],["Request ID",e.requestId],["Time",e.timestamp],["Gateway route",e.routePath],["Operation ID",e.operationId],["Upstream",e.upstreamServerId],["Auth profile",e.authProfileId],["Upstream URL",e.upstreamUrl],["Metadata URL",e.metadataUrl],["HTTP status",e.httpStatus],["Content type",e.contentType],["Provider error",e.providerError],["Provider error 
description",e.providerErrorDescription],["Suggested fix",e.suggestedFix],["Underlying error",e.underlyingError]].filter(r=>r[1]!==void 0).map(([r,o])=>`${r}: ${o}`).join(`
28
- `);return v`<pre class="banner__message" style="white-space: pre-wrap; overflow-wrap: anywhere; margin-top: 8px;"><code>${t}</code></pre>`}n(il,"renderTechnicalPre");function Wt(e){return e.value===void 0||e.value===""?V:v`<p class="banner__message"><strong>${e.label}:</strong> <code>${e.value}</code></p>`}n(Wt,"renderOptionalTechnicalRow");function al(e){return v`<section class="banner banner--warning" aria-label="Developer details">
27
+ </style></head><body><main class="card"><header class="card__head">${e.headerIcon}<h1 class="card__title">${e.heading}</h1>${e.subhead}</header><div class="card__body">${e.body}</div>${e.footer}</main></body></html>`}n(Ge,"renderShell");var tl="text/html; charset=utf-8";function $e(e){try{return new URL(e).host}catch{return""}}n($e,"safeHostFromUrl");function X(e){let t=nl(e.kind??"authorization_failed"),r=rl(e);return new Response(je(Ge({title:e.title??t.title,iconHref:"",styles:Ne,headerIcon:Y,heading:e.title??t.title,subhead:"",body:Bi({detail:e.detail,guidance:v`<p class="card__description">${t.guidance}</p>`,technicalDetails:cl({diagnostic:r,upstreamHtml:e.upstreamHtml}),action:al(e.action)}),footer:""})),{status:e.status??400,headers:{"content-type":tl,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"}})}n(X,"browserErrorPageResponse");function rl(e){let t=e.diagnostic?.code??e.code??"unknown";return{code:t,stage:e.diagnostic?.stage??ol(t),timestamp:e.diagnostic?.timestamp??new Date().toISOString(),...e.requestId===void 0&&e.diagnostic?.requestId===void 0?{}:{requestId:e.diagnostic?.requestId??e.requestId},...e.diagnostic?.operationId===void 0?{}:{operationId:e.diagnostic.operationId},...e.diagnostic?.routePath===void 0?{}:{routePath:e.diagnostic.routePath},...e.diagnostic?.upstreamServerId===void 0?{}:{upstreamServerId:e.diagnostic.upstreamServerId},...e.diagnostic?.authProfileId===void 0?{}:{authProfileId:e.diagnostic.authProfileId},...e.diagnostic?.upstreamUrl===void 0?{}:{upstreamUrl:e.diagnostic.upstreamUrl},...e.diagnostic?.metadataUrl===void 0?{}:{metadataUrl:e.diagnostic.metadataUrl},...e.diagnostic?.httpStatus===void 0?{}:{httpStatus:e.diagnostic.httpStatus},...e.diagnostic?.contentType===void 0?{}:{contentType:e.diagnostic.contentType},...e.diagnostic?.providerError===void 0?{}:{providerError:e.diagnostic.providerError},...e.diagnostic?.providerErrorDescription===void 
0?{}:{providerErrorDescription:e.diagnostic.providerErrorDescription},suggestedFix:e.diagnostic?.suggestedFix??il(t),underlyingError:e.diagnostic?.underlyingError??e.developerDetail}}n(rl,"buildBrowserErrorDiagnostic");function nl(e){switch(e){case"session_expired":return{title:"Authorization expired",guidance:"Return to your MCP client and reconnect. Expired authorization requests cannot be resumed."};case"access_denied":return{title:"Authorization canceled",guidance:"Return to your MCP client to retry if you want to grant access."};case"configuration_error":return{title:"Configuration needs attention",guidance:"Contact your workspace admin with this error code. The gateway or upstream configuration must be fixed before retrying."};case"connection_failed":return{title:"Connection failed",guidance:"Return to your MCP client and reconnect this upstream. If this keeps happening, contact your gateway administrator with this error code."};case"invalid_request":return{title:"Authorization request invalid",guidance:"Return to your MCP client and try connecting again. If this keeps happening, the client request may need to be fixed."};case"admin_required":return{title:"Admin setup required",guidance:"Contact your workspace admin with this error code. This connection cannot be completed until setup is finished."};case"internal_error":return{title:"Gateway error",guidance:"Try again later from your MCP client. If this keeps happening, contact your gateway administrator with this error code."};case"authorization_failed":return{title:"Authorization failed",guidance:"Return to your MCP client and start authorization again. 
If this keeps happening, contact your gateway administrator with this error code."}}}n(nl,"readBrowserErrorPagePresentation");function ol(e){switch(e){case"upstream_oauth_discovery_unavailable":return"upstream_oauth_discovery";case"upstream_client_registration_required":return"upstream_oauth_client_registration";case"upstream_provider_access_denied":case"upstream_token_exchange_failed":case"upstream_token_response_invalid":return"upstream_token_exchange";case"provider_access_denied":return"upstream_oauth_callback";case"oauth_state_invalid":case"oauth_state_expired":case"oauth_state_reused":case"oauth_callback_mismatch":return"upstream_oauth_state";case"browser_login_verification_failed":return"downstream_browser_login";case"authentication_required":case"identity_context_missing":return"downstream_auth";case"mcp_route_not_enabled":case"unknown_upstream_server":case"unknown_mcp_route":case"unknown_auth_profile":case"mcp_route_upstream_mismatch":return"gateway_configuration";case"server_error":case"internal_server_error":return"gateway_internal";default:return"gateway_request"}}n(ol,"readBrowserErrorStage");function il(e){switch(e){case"upstream_oauth_discovery_unavailable":return"Confirm the upstream MCP URL and OAuth protected resource metadata. If the provider requires approval, configure the provider app or contact the provider.";case"upstream_client_registration_required":return"Register an OAuth client with the upstream provider, then configure the gateway to use that client before retrying.";case"upstream_provider_access_denied":return"Confirm the provider allows this gateway, OAuth client, and upstream MCP URL, then retry the connection.";case"upstream_token_exchange_failed":return"Retry the connection. 
If it repeats, verify the upstream OAuth client, redirect URI, token endpoint, and provider allowlist.";case"upstream_token_response_invalid":return"Verify the upstream token endpoint returns a valid OAuth token response for this gateway client.";case"provider_access_denied":return"Start the connection again if access was denied by mistake. Otherwise, grant the requested upstream provider access.";case"oauth_state_invalid":case"oauth_state_expired":case"oauth_state_reused":case"oauth_callback_mismatch":return"Start a new connection from the MCP client. The previous browser authorization request cannot be resumed.";case"browser_login_verification_failed":return"Retry the browser login flow. If it repeats, verify the downstream login callback configuration.";case"mcp_route_not_enabled":case"unknown_upstream_server":case"unknown_mcp_route":case"unknown_auth_profile":case"mcp_route_upstream_mismatch":return"Check the MCP route, upstream server, and auth profile entries in the gateway configuration.";case"authentication_required":case"identity_context_missing":return"Verify the normal Zuplo auth policy runs before the MCP gateway policy and sets request.user.";case"server_error":case"internal_server_error":return"Retry later and check gateway logs with the request ID.";default:return"Check the gateway configuration and request details associated with this error code."}}n(il,"readBrowserErrorSuggestedFix");function al(e){return e===void 0?Y:v`<a class="button button--primary button--block" href="${e.href}">${e.label}</a>`}n(al,"renderAction");function sl(e){let t=[["Error code",e.code],["Stage",e.stage],["Request ID",e.requestId],["Time",e.timestamp],["Gateway route",e.routePath],["Operation ID",e.operationId],["Upstream",e.upstreamServerId],["Auth profile",e.authProfileId],["Upstream URL",e.upstreamUrl],["Metadata URL",e.metadataUrl],["HTTP status",e.httpStatus],["Content type",e.contentType],["Provider error",e.providerError],["Provider error 
description",e.providerErrorDescription],["Suggested fix",e.suggestedFix],["Underlying error",e.underlyingError]].filter(r=>r[1]!==void 0).map(([r,o])=>`${r}: ${o}`).join(`
28
+ `);return v`<pre class="banner__message" style="white-space: pre-wrap; overflow-wrap: anywhere; margin-top: 8px;"><code>${t}</code></pre>`}n(sl,"renderTechnicalPre");function Vt(e){return e.value===void 0||e.value===""?Y:v`<p class="banner__message"><strong>${e.label}:</strong> <code>${e.value}</code></p>`}n(Vt,"renderOptionalTechnicalRow");function cl(e){return v`<section class="banner banner--warning" aria-label="Developer details">
29
29
  <span class="banner__icon" aria-hidden="true">!</span>
30
30
  <div class="banner__body">
31
31
  <p class="banner__title">Developer details</p>
32
32
  <p class="banner__message" data-gateway-error-code="${e.diagnostic.code}">
33
33
  <strong>Error code:</strong> <code>${e.diagnostic.code}</code>
34
34
  </p>
35
- ${Wt({label:"Stage",value:e.diagnostic.stage})}
36
- ${Wt({label:"Request ID",value:e.diagnostic.requestId})}
37
- ${Wt({label:"Suggested fix",value:e.diagnostic.suggestedFix})}
38
- ${Wt({label:"Reason",value:e.diagnostic.underlyingError})}
39
- ${il(e.diagnostic)}
40
- ${sl(e.upstreamHtml)}
35
+ ${Vt({label:"Stage",value:e.diagnostic.stage})}
36
+ ${Vt({label:"Request ID",value:e.diagnostic.requestId})}
37
+ ${Vt({label:"Suggested fix",value:e.diagnostic.suggestedFix})}
38
+ ${Vt({label:"Reason",value:e.diagnostic.underlyingError})}
39
+ ${sl(e.diagnostic)}
40
+ ${dl(e.upstreamHtml)}
41
41
  </div>
42
- </section>`}n(al,"renderTechnicalDetails");function sl(e){return e===void 0?V:v`<iframe
42
+ </section>`}n(cl,"renderTechnicalDetails");function dl(e){return e===void 0?Y:v`<iframe
43
43
  title="Upstream HTML error response"
44
44
  sandbox
45
45
  srcdoc="${e}"
46
46
  style="border: 1px solid var(--warning-border); border-radius: var(--radius-sm); background: white; width: 100%; min-height: 220px; margin-top: 8px;"
47
- ></iframe>`}n(sl,"renderUpstreamHtml");var Li="application/json",cl="application/x-www-form-urlencoded";function Vt(e,t){return new h({message:e,extensionMembers:{[g]:"invalid_request"}},t===void 0?void 0:{cause:t})}n(Vt,"invalidRequestError");function dl(e){return(e??"").split(";")[0]?.trim().toLowerCase()??""}n(dl,"normalizeContentType");function ul(e,t){return e===t?!0:t===Li&&e.endsWith("+json")}n(ul,"contentTypeMatches");function ll(e,t){if(!t||t.length===0)return;let r=dl(e.headers.get("content-type"));if(!t.some(o=>ul(r,o)))throw Vt(`Request body must be ${t.join(" or ")}.`)}n(ll,"assertExpectedContentType");function pl(e,t,r){let o=e.headers.get("content-length");if(!o)return;let i=Number.parseInt(o,10);if(Number.isFinite(i)&&i>t)throw Vt(`${r} exceeded the maximum allowed size.`)}n(pl,"assertContentLengthWithinLimit");async function Bi(e,t){let r=t.label??"Request body";ll(e,t.expectedContentTypes),pl(e,t.maxBytes,r);let o=await Nt(e.body,{maxBytes:t.maxBytes,createLimitError:n(()=>Vt(`${r} exceeded the maximum allowed size.`),"createLimitError")});return new TextDecoder().decode(o)}n(Bi,"readBoundedTextBody");async function ji(e,t){let r=await Bi(e,{...t,expectedContentTypes:[Li]});try{return JSON.parse(r)}catch(o){throw Vt("Request body must be valid JSON.",o)}}n(ji,"readBoundedJsonBody");async function Ni(e,t){let r=await Bi(e,{...t,expectedContentTypes:[cl]});return new URLSearchParams(r)}n(Ni,"readBoundedFormUrlEncodedBody");G();G();import{errors as Gi,jwtVerify as $i,SignJWT as Fi}from"jose";var ml={invalid_request:400,invalid_client:401,invalid_grant:400,invalid_target:400,unsupported_grant_type:400,server_error:500,invalid_redirect_uri:400,invalid_client_metadata:400},m=class extends Error{static{n(this,"OAuthProtocolError")}errorCode;status;constructor(t,r,o=ml[t],i){super(r,i),this.name="OAuthProtocolError",this.errorCode=t,this.status=o}};var 
fl=5*60,hl=d.object({purpose:d.literal("gateway_browser_login"),transactionId:ur,stateId:lr,exp:d.number().int().positive(),iat:d.number().int().positive().optional()}),gl=d.object({purpose:d.literal("gateway_authorization_setup"),transactionId:ur,stateId:lr,exp:d.number().int().positive(),iat:d.number().int().positive().optional()});async function Zi(){return W({purpose:"browser-login",keyMaterialPurpose:"oauth-state-signing",derive:n(e=>pe(e,"browser-login"),"derive")})}n(Zi,"getBrowserLoginKey");async function Ki(){return W({purpose:"authorization-csrf",keyMaterialPurpose:"oauth-state-signing",derive:n(e=>pe(e,"authorization-csrf"),"derive")})}n(Ki,"getCsrfKey");function Ji(e){return{now:e.now??new Date,ttlSeconds:Wi()}}n(Ji,"readPendingTransactionDependencies");function Wi(){return M().browserLogin.stateTtlSeconds}n(Wi,"readBrowserLoginStateTtlSeconds");function yl(e){return T(e)&&e.pathname==="/oauth/dev-login"}n(yl,"isLoopbackDevLoginUrl");function _l(e){let t=M().browserLogin,r=new URL(ue("url")),o=new URL("/oauth/callback",Pt(e.requestUrl,e.requestHeaders));return yl(r)?(r.searchParams.set("redirect_uri",o.toString()),r.searchParams.set("state",e.state),r):(r.searchParams.set("response_type","code"),r.searchParams.set("client_id",ue("clientId")),r.searchParams.set("redirect_uri",o.toString()),r.searchParams.set("scope",t.scope),r.searchParams.set("state",e.state),r.searchParams.set("nonce",e.nonce),t.audience&&r.searchParams.set("audience",t.audience),r)}n(_l,"buildBrowserLoginUrl");function wl(e,t){return e.subjectId===t.subjectId}n(wl,"principalsMatch");function Vi(e){return{subjectId:e.subjectId,...e.roles===void 0?{}:{roles:e.roles}}}n(Vi,"toPendingPrincipal");function Yi(e){let 
t={id:e.id,currentStateHash:e.currentStateHash,clientId:e.transaction.clientId,redirectUri:e.transaction.redirectUri,resource:e.transaction.resource,operationId:e.transaction.operationId,scope:e.transaction.scope,codeChallenge:e.transaction.codeChallenge,codeChallengeMethod:e.transaction.codeChallengeMethod,createdAt:R(e.now),expiresAt:R(re(e.now,e.ttlSeconds)),...e.transaction.clientState===void 0?{}:{clientState:e.transaction.clientState}};if(e.phase==="awaiting_login")return{...t,phase:"awaiting_login"};if(!e.principal)throw _("identity_context_missing","Authorization setup requires a principal.");return{...t,phase:"awaiting_setup",principal:Vi(e.principal)}}n(Yi,"createTransactionRecord");async function Xi(e){let{id:t,...r}=e.record,o=await b().startAuthorization({...r,transactionId:t,...e.client===void 0?{}:{client:e.client}});switch(o.kind){case"started":return o.transaction;case"already_exists":throw _("oauth_state_reused","Authorization transaction state already exists.");case"invalid_client":throw new m("invalid_client","OAuth client is not registered.");case"redirect_uri_mismatch":throw new m("invalid_request","redirect_uri is not registered for the client.")}}n(Xi,"startPendingTransaction");async function Rl(e){return new Fi({purpose:"gateway_browser_login",transactionId:e.transactionId,stateId:e.stateId}).setProtectedHeader({alg:j,typ:"JWT"}).setIssuer(z).setAudience(B).setIssuedAt().setExpirationTime(Math.floor(Date.now()/1e3)+e.ttlSeconds).sign(await Zi())}n(Rl,"signBrowserLoginState");async function Qi(e){return new Fi({purpose:"gateway_authorization_setup",transactionId:e.transactionId,stateId:mr()}).setProtectedHeader({alg:j,typ:"JWT"}).setIssuer(z).setAudience(B).setIssuedAt().setExpirationTime(Math.floor(Date.now()/1e3)+e.ttlSeconds).sign(await Ki())}n(Qi,"signCsrfToken");async function Jr(e){try{let{payload:t}=await $i(e,await 
Zi(),{algorithms:[j],issuer:z,audience:B}),r=hl.parse(t);return{transactionId:r.transactionId,stateId:r.stateId}}catch(t){throw t instanceof Gi.JWTExpired?_("oauth_state_expired","Browser login state has expired.",t):_("oauth_state_invalid","Browser login state could not be verified.",t)}}n(Jr,"verifyBrowserLoginStateToken");async function Yt(e){try{let{payload:t}=await $i(e,await Ki(),{algorithms:[j],issuer:z,audience:B});return{transactionId:gl.parse(t).transactionId}}catch(t){throw t instanceof Gi.JWTExpired?_("oauth_state_expired","Authorization setup state has expired.",t):_("oauth_state_invalid","Authorization setup state could not be verified.",t)}}n(Yt,"verifyCsrfToken");function Wr(e){return e==="consumed"||e==="consumed_already"||e==="stale_hash"?"oauth_state_reused":e==="expired"?"oauth_state_expired":"oauth_state_invalid"}n(Wr,"pendingStateErrorCode");function bl(e){return e.kind==="available"?{kind:"available",record:e.transaction}:e}n(bl,"toPendingAuthorizationGetResult");function Cl(e){return e.kind==="advanced"?{kind:"advanced",record:e.transaction}:e}n(Cl,"toPendingAuthorizationAdvanceResult");function Vr(e){return e==="principal_mismatch"?"oauth_callback_mismatch":Wr(e==="consumed_already"?"consumed_already":e)}n(Vr,"setupDecisionErrorCode");async function ea(e){let t=e.now??new Date,r=await Yt(e.csrfToken),o=await b().markAuthorizationSetupApproved({transactionId:r.transactionId,currentStateHash:await U(e.csrfToken),currentPrincipal:{subjectId:e.currentBrowserPrincipal.subjectId},now:R(t)});if(o.kind!=="marked")throw _(Vr(o.kind),"Authorization setup state is invalid, expired, or already used.");return ta({kind:"available",record:o.transaction})}n(ea,"markSetupApproved");function ta(e){if(e.kind!=="available")throw _(Wr(e.kind),"Authorization setup state is invalid, expired, or already used.");if(e.record.phase!=="awaiting_setup")throw _("oauth_state_invalid","Authorization setup state is not in the setup phase.");return 
e.record}n(ta,"requireAwaitingSetup");function vl(e){if(!wl(e.currentBrowserPrincipal,e.transaction.principal))throw _("oauth_callback_mismatch","Authorization setup state does not match the current browser session.")}n(vl,"requireCurrentPrincipalMatches");async function ra(e){let t=e.now??new Date,r=Wi(),o=pr(),i=mr(),a=await Rl({transactionId:o,stateId:i,ttlSeconds:r}),s=Yi({id:o,transaction:e.transaction,currentStateHash:await U(a),phase:"awaiting_login",now:t,ttlSeconds:r});if(s.phase!=="awaiting_login")throw _("oauth_state_invalid","Authorization transaction did not start in login phase.");let c=await Xi({record:s,client:e.transaction.client});if(c.phase!=="awaiting_login")throw _("oauth_state_invalid","Authorization transaction did not start in login phase.");return{transaction:c,browserLoginStateToken:a,browserLoginUrl:_l({state:a,nonce:i,requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders}})}}n(ra,"startAwaitingLogin");async function na(e){let{now:t,ttlSeconds:r}=Ji(e),o=pr(),i=await Qi({transactionId:o,ttlSeconds:r}),a=Yi({id:o,transaction:e.transaction,currentStateHash:await U(i),phase:"awaiting_setup",principal:e.principal,now:t,ttlSeconds:r});if(a.phase!=="awaiting_setup")throw _("oauth_state_invalid","Authorization transaction did not start in setup phase.");let s=await Xi({record:a,client:e.transaction.client});if(s.phase!=="awaiting_setup")throw _("oauth_state_invalid","Authorization transaction did not start in setup phase.");return{transaction:s,csrfToken:i}}n(na,"startAwaitingSetup");async function oa(e){let{now:t,ttlSeconds:r}=Ji(e),o=await Jr(e.browserLoginStateToken),i=await Qi({transactionId:o.transactionId,ttlSeconds:r}),a=Cl(await b().advancePendingAuthorization({transactionId:o.transactionId,expectedPhase:"awaiting_login",currentStateHash:await U(e.browserLoginStateToken),nextStateHash:await U(i),nextPhase:"awaiting_setup",principal:Vi(e.principal),now:R(t)}));if(a.kind!=="advanced")throw 
_(Wr(a.kind),"Browser login state is invalid, expired, or already used.");if(a.record.phase!=="awaiting_setup")throw _("oauth_state_invalid","Browser login did not advance to setup.");return{transaction:a.record,csrfToken:i}}n(oa,"completeLogin");async function ia(e){let t=await Yr(e);return vl({transaction:t,currentBrowserPrincipal:e.currentBrowserPrincipal}),t}n(ia,"getSetup");async function Yr(e){let t=e.now??new Date,r=await Yt(e.csrfToken);return ta(bl(await b().readPendingAuthorization({transactionId:r.transactionId,currentStateHash:await U(e.csrfToken),now:R(t)})))}n(Yr,"getSetupTransaction");async function Sl(e){let t=await Yt(e.csrfToken),r=le(),o=R(re(e.now,fl)),i=await b().decideAuthorizationSetup({decision:"approve",transactionId:t.transactionId,currentStateHash:await U(e.csrfToken),currentPrincipal:{subjectId:e.currentBrowserPrincipal.subjectId},authorizationCodeHash:await U(r),authorizationCodeExpiresAt:o,grantId:no(),now:R(e.now)});if(i.kind!=="approved")throw _(i.kind==="cancelled"?"oauth_state_invalid":Vr(i.kind),"Authorization setup state is invalid, expired, or already used.");let a=new URL(i.transaction.redirectUri);return a.searchParams.set("code",r),i.transaction.clientState&&a.searchParams.set("state",i.transaction.clientState),a}n(Sl,"createAuthorizationCodeRedirectWithDecision");async function Il(e){let t=await Yt(e.csrfToken),r=await b().decideAuthorizationSetup({decision:"cancel",transactionId:t.transactionId,currentStateHash:await U(e.csrfToken),currentPrincipal:{subjectId:e.currentBrowserPrincipal.subjectId},now:R(e.now)});if(r.kind!=="cancelled")throw _(r.kind==="approved"?"oauth_state_invalid":Vr(r.kind),"Authorization setup state is invalid, expired, or already used.");return xl({redirectUri:r.transaction.redirectUri,clientState:r.transaction.clientState})}n(Il,"createCancelRedirectWithDecision");function xl(e){let t=new URL(e.redirectUri);return t.searchParams.set("error","access_denied"),t.searchParams.set("error_description","The 
user cancelled the MCP authorization request."),e.clientState!==void 0&&t.searchParams.set("state",e.clientState),t}n(xl,"buildClientCancelRedirect");async function aa(e){let t=e.now??new Date;return Sl({csrfToken:e.csrfToken,currentBrowserPrincipal:e.currentBrowserPrincipal,now:t})}n(aa,"approve");async function sa(e){let t=e.now??new Date;return Il({csrfToken:e.csrfToken,currentBrowserPrincipal:e.currentBrowserPrincipal,now:t})}n(sa,"cancel");G();import{createRemoteJWKSet as Al,errors as $e,jwtVerify as ca,SignJWT as Ul}from"jose";var en="zuplo_mcp_session",kl=d.object({purpose:d.literal("gateway_browser_session"),sub:We,browserLoginOrigin:d.string().min(1),roles:d.array(d.string().min(1)).optional(),exp:d.number().int().positive(),iat:d.number().int().positive().optional()}),Pl=d.object({id_token:d.string().min(1),token_type:d.string().min(1).optional(),expires_in:d.number().optional(),access_token:d.string().min(1).optional(),refresh_token:d.string().min(1).optional(),scope:d.string().min(1).optional()}),Tl=d.object({error:d.string().min(1).optional(),error_description:d.string().min(1).optional(),error_uri:d.string().min(1).optional()}),El=d.object({sub:We,nonce:d.string().min(1)}).catchall(d.unknown()),Xr;function Ol(e){let t=new Map;if(!e)return t;for(let r of e.split(";")){let o=r.indexOf("=");if(o<0)continue;let i=r.slice(0,o).trim(),a=r.slice(o+1).trim();if(i)try{t.set(i,decodeURIComponent(a))}catch{t.set(i,a)}}return t}n(Ol,"parseCookieHeader");async function da(){return W({purpose:"browser-session",keyMaterialPurpose:"oauth-state-signing",derive:n(e=>pe(e,"browser-session"),"derive")})}n(da,"getBrowserSessionKey");function Qr(e,t){let r=new URL(k(e,t)),o=[`${en}=`,"Path=/","HttpOnly","SameSite=Lax","Max-Age=0"];return r.protocol==="https:"&&o.push("Secure"),o.join("; ")}n(Qr,"buildBrowserSessionEvictionCookie");function ql(e){let t=new 
URL(k(e.requestUrl,e.requestHeaders)),r=[`${en}=${encodeURIComponent(e.value)}`,"Path=/","HttpOnly","SameSite=Lax",`Max-Age=${e.ttlSeconds}`];return t.protocol==="https:"&&r.push("Secure"),r.join("; ")}n(ql,"serializeSessionCookie");function ua(){return new URL(ue("url")).origin}n(ua,"readBrowserLoginOrigin");function Ml(e){let t=Tl.safeParse(e);if(!t.success)return{};let r={};return t.data.error!==void 0&&(r.idpError=t.data.error),t.data.error_description!==void 0&&(r.idpErrorDescription=t.data.error_description.slice(0,256)),t.data.error_uri!==void 0&&(r.idpErrorUri=t.data.error_uri.slice(0,256)),r}n(Ml,"readIdpErrorFields");function Dl(e){return e instanceof $e.JWTExpired?"expired":e instanceof $e.JWTClaimValidationFailed?"claim":e instanceof $e.JWSSignatureVerificationFailed?"signature":e instanceof $e.JWKSNoMatchingKey?"jwks_no_match":e instanceof $e.JWTInvalid?"invalid":e instanceof d.ZodError?"schema":"other"}n(Dl,"readJwtFailureKind");function Hl(e){return e instanceof Error&&"cause"in e?e.cause:e}n(Hl,"readErrorCause");function zl(e){if(e!==null&&typeof e=="object"&&"extensionMembers"in e)return e.extensionMembers?.gatewayCode}n(zl,"readRuntimeGatewayCode");function Ll(){if(!Xr){let e=M();Xr=Al(new URL(e.oidc.jwksUrl),{timeoutDuration:e.browserLogin.remoteTimeoutMs})}return Xr}n(Ll,"readFederatedJwks");function la(e){if(!e.user)throw _("authentication_required","The browser login callback did not include an authenticated Zuplo principal.");return _e(e.user,e.url)}n(la,"resolveCurrentRequestPrincipal");async function Xt(e,t={}){let r=Ol(e.headers.get("cookie")).get(en);if(!r)return{};try{let{payload:o}=await ca(r,await da(),{algorithms:[j],issuer:z,audience:B}),i=kl.parse(o);if(i.browserLoginOrigin!==ua())return{evictCookie:Qr(e.url,e.headers)};let a={subjectId:i.sub};return i.roles&&i.roles.length>0&&(a.roles=i.roles),{principal:a}}catch(o){return o instanceof 
$e.JWTExpired?{evictCookie:Qr(e.url,e.headers)}:(t.context?.log.warn({event:"browser_session_verification_failed",errorName:o instanceof Error?o.name:"unknown",errorMessage:o instanceof Error?o.message:"verification failed"},"Browser session JWT verification failed"),{evictCookie:Qr(e.url,e.headers)})}}n(Xt,"readBrowserSession");async function Qt(e){let t=M().browserLogin.sessionTtlSeconds,r={purpose:"gateway_browser_session",sub:e.principal.subjectId,browserLoginOrigin:ua()};e.principal.roles&&(r.roles=e.principal.roles);let o=await new Ul(r).setProtectedHeader({alg:j,typ:"JWT"}).setIssuer(z).setAudience(B).setIssuedAt().setExpirationTime(Math.floor(Date.now()/1e3)+t).sign(await da());return ql({value:o,requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders},ttlSeconds:t})}n(Qt,"createBrowserSessionCookie");async function Bl(e){let t=M(),r=ue("tokenUrl"),o=ue("clientId"),i=ue("clientSecret"),a=new URL("/oauth/callback",Pt(e.requestUrl,e.requestHeaders)).toString(),s=new URLSearchParams({grant_type:"authorization_code",code:e.code,redirect_uri:a,client_id:o,client_secret:i});try{let{response:c,json:u}=await No(r,{method:"POST",headers:{accept:"application/json","content-type":"application/x-www-form-urlencoded"},body:s},{maxResponseBytes:32768,problemCode:"browser_login_verification_failed",timeoutMs:t.browserLogin.remoteTimeoutMs,...e.context===void 0?{}:{context:e.context}});if(!c.ok){let S=Ml(u);throw e.context?.log.warn({event:"federated_token_exchange_failed",code:"provider_access_denied",idpHost:F(r),idpStatus:c.status,...S},"Federated browser login token exchange returned non-2xx from the identity provider"),_({code:"provider_access_denied",privateDetail:"Federated browser login token exchange failed.",cause:new Error(`IdP token exchange failed (status=${c.status}${S.idpError?` idp_error=${S.idpError}`:""}${S.idpErrorDescription?` idp_error_description=${S.idpErrorDescription}`:""})`)})}let 
p=Pl.parse(u),f;try{({payload:f}=await ca(p.id_token,Ll(),{issuer:t.oidc.issuer,audience:o}))}catch(S){let I={};throw L(I,"error",S),e.context?.log.warn({event:"federated_id_token_verification_failed",code:"browser_login_verification_failed",failureKind:Dl(S),idpHost:F(r),expectedIssuer:t.oidc.issuer,...I},"Federated id_token failed jose verification"),S}if(f.nonce!==e.nonce)throw e.context?.log.warn({event:"federated_nonce_mismatch",code:"oauth_callback_mismatch",idpHost:F(r),nonceMissingFromIdToken:f.nonce===void 0},"Federated id_token nonce did not match the signed gateway state"),_("oauth_callback_mismatch","Federated browser login nonce did not match the signed gateway state.");let w=El.parse(f);return _e({sub:w.sub,data:w},e.requestUrl)}catch(c){let u=te(c)??zl(c);throw u!==void 0&&u!=="browser_login_verification_failed"?c:_("browser_login_verification_failed","Federated browser login callback could not be verified.",Hl(c))}}n(Bl,"exchangeFederatedAuthorizationCode");async function pa(e){let t={};e.context!==void 0&&(t.context=e.context);let r=await Xt(e.request,t);if(r.principal)return r.principal;let o=typeof e.request.query.code=="string"?e.request.query.code:void 0;if(!o)throw _("oauth_callback_mismatch","Federated browser login callback is missing an authorization code.");return Bl({code:o,nonce:e.stateId,requestUrl:e.request.url,requestHeaders:e.request.headers,...e.context===void 0?{}:{context:e.context}})}n(pa,"resolveBrowserLoginCallbackPrincipal");G();var jl="chatgpt.com",Nl="ChatGPT CIMD client metadata could not be used by this gateway. 
In ChatGPT advanced OAuth settings, change Registration method to Dynamic Client Registration (DCR), keep the discovered Registration URL, and retry connecting.",tn="dcr:pkjwt:";function ma(e){if(Gl(e.clientId))return Nl}n(ma,"readCimdInvalidClientCompatibilityMessage");function Gl(e){try{let t=new URL(e);return t.protocol==="https:"&&t.hostname===jl&&t.pathname.startsWith("/oauth/")&&t.pathname.endsWith("/client.json")}catch{return!1}}n(Gl,"isChatGptCimdClientId");function fa(e){return`${tn}${e.clientId}:${$l(e.jwksUri)}`}n(fa,"createPrivateKeyJwtDcrCompatibilityClientId");function ha(e){if(!er(e))return;let t=e.slice(tn.length),r=t.indexOf(":");if(r===-1)return;let o=Fl(t.slice(r+1));if(o!==void 0){try{ve(o)}catch{return}return o}}n(ha,"readPrivateKeyJwtDcrCompatibilityJwksUri");function er(e){return e.startsWith(tn)}n(er,"isPrivateKeyJwtDcrCompatibilityClientId");function $l(e){let t=new TextEncoder().encode(e),r="";for(let o of t)r+=String.fromCharCode(o);return btoa(r).replaceAll("+","-").replaceAll("/","_").replace(/=+$/,"")}n($l,"encodeBase64Url");function Fl(e){let t=e.replaceAll("-","+").replaceAll("_","/"),r=t.padEnd(t.length+(4-t.length%4)%4,"="),o;try{o=atob(r)}catch{return}let i=new Uint8Array(o.length);for(let a=0;a<o.length;a+=1)i[a]=o.charCodeAt(a);return new TextDecoder().decode(i)}n(Fl,"decodeBase64Url");var Zl=new Set(["about","blob","data","file","ftp","ftps","javascript","mailto","urn","ws","wss"]);function Kl(e){return e.protocol.replace(/:$/u,"").toLowerCase()}n(Kl,"readScheme");function Jl(e){return e.protocol==="https:"}n(Jl,"isSpecCompliantRedirectUri");function Wl(e){let t=Kl(e);return t.length>0&&t!=="http"&&t!=="https"&&!Zl.has(t)}n(Wl,"isNativeAppCustomSchemeRedirectUri");var 
ya=[{id:"oauth.redirect_uri.https",mode:"strict",accepts:n(e=>Jl(e),"accepts")},{id:"oauth.redirect_uri.loopback_http",mode:"native_app",accepts:n(e=>T(e),"accepts"),matches:n((e,t)=>T(e)&&T(t)&&e.pathname===t.pathname&&e.search===t.search,"matches")},{id:"oauth.redirect_uri.custom_scheme",mode:"native_app",accepts:n(e=>Wl(e),"accepts")}];function _a(e){let t=ya.find(r=>r.accepts(e.url));return t===void 0?{kind:"rejected"}:{kind:"allowed",ruleId:t.id,mode:t.mode}}n(_a,"evaluateBuiltInRedirectUriCompatibility");function ga(e){try{return new URL(e)}catch{return}}n(ga,"parseUrl");function wa(e){if(e.registeredRedirectUri===e.requestedRedirectUri)return!0;let t=ga(e.registeredRedirectUri),r=ga(e.requestedRedirectUri);return t===void 0||r===void 0?!1:ya.some(o=>o.matches?.(t,r))}n(wa,"redirectUriMatchesBuiltInCompatibility");var Vl=1e4,Yl=5*1024,Xl=0,Ql=90*24*60*60,rn=["authorization_code","refresh_token"],nn=["code"],ep=d.object({client_name:d.string().min(1).optional(),redirect_uris:d.array(d.string().min(1)).min(1),grant_types:d.array(d.enum(rn)).min(1).max(2).optional(),response_types:d.array(d.enum(nn)).min(1).max(1).optional(),scope:d.literal(D).optional(),token_endpoint_auth_method:ro.optional(),jwks_uri:d.string().min(1).optional()});function tp(e){try{let t=new URL(e);return(t.protocol==="https:"||t.protocol==="http:"&&T(t))&&t.pathname!=="/"}catch{return!1}}n(tp,"isCimdClientIdCandidate");function Ra(e,t){throw new m("invalid_client",ma({clientId:e})??"OAuth client is not registered.",void 0,t===void 0?void 0:{cause:t})}n(Ra,"invalidCimdClientError");function Fe(e,t="invalid_request"){if(rp(e))throw new m(t,"redirect_uris must not include raw whitespace or control characters.");let r;try{r=new URL(e)}catch{throw new m(t,"redirect_uris must be absolute URIs.")}if(r.hash||r.username||r.password)throw new m(t,"redirect_uris must not include credentials or fragments.");if(_a({url:r}).kind==="rejected")throw new m(t,"redirect_uris must use HTTPS, loopback HTTP, or 
a native-app private-use URI scheme.")}n(Fe,"assertValidRedirectUri");function rp(e){for(let t=0;t<e.length;t+=1){let r=e.charCodeAt(t);if(r<=32||r>=127&&r<=159)return!0}return!1}n(rp,"hasForbiddenRawRedirectUriCharacter");async function np(e){let{response:t,json:r}=await Go(e.initialUrl,{headers:{accept:"application/json"}},{maxRedirects:Xl,maxResponseBytes:Yl,timeoutMs:Vl});if(!t.ok)throw _("invalid_request","CIMD metadata could not be fetched.");let o=Et(r);for(let i of o.redirect_uris)Fe(i,"invalid_request");if(o.jwks_uri!==void 0&&ve(o.jwks_uri),o.client_id!==e.clientId)throw _("invalid_request","Fetched CIMD client_id must exactly match the requested client_id.");return o}n(np,"fetchCimdMetadata");async function op(e){let t=jt(e),r=await np({clientId:e,initialUrl:t});return{kind:"cimd",clientId:e,metadata:r}}n(op,"resolveCimdClient");async function tr(e,t){let r=ne.parse(e);if(tp(r)){M().gateway.downstreamCimdEnabled||Ra(r);try{return await op(r)}catch(i){Ra(r,i)}}let o=await b().readClient({clientId:r});if(o.kind==="found"){let i=o.client,a=ha(i.clientId),s=a===void 0?i.tokenEndpointAuthMethod:"private_key_jwt",c=i.jwksUri??a;if(s==="private_key_jwt"&&c===void 0)throw new m("invalid_client","Dynamic private_key_jwt client is missing JWKS metadata. Re-run client registration before authorization.");let u=Et({client_id:i.clientId,client_name:i.clientName,redirect_uris:i.redirectUris,token_endpoint_auth_method:s,...c===void 0?{}:{jwks_uri:c}}),p={kind:"dcr",clientId:r,metadata:u};return i.hashedClientSecret&&(p.hashedClientSecret=i.hashedClientSecret),p}throw new m("invalid_client",r.startsWith("dcr:")?"Dynamic client is not registered. 
Re-run client registration before authorization.":"OAuth client is not registered.")}n(tr,"resolveClient");function ba(e,t){if(!e.metadata.redirect_uris.some(r=>wa({registeredRedirectUri:r,requestedRedirectUri:t})))throw _("invalid_request","redirect_uri is not registered for the client.")}n(ba,"assertRedirectRegistered");function ip(e){let t=Ca(e.grant_types),r=e.response_types??[...nn];if(!ap(t))throw new m("invalid_client_metadata","grant_types must be a subset of authorization_code and refresh_token.");if(!sp(r))throw new m("invalid_client_metadata","response_types must be code.");if(!cp(e.scope))throw new m("invalid_client_metadata",`Only the ${D} scope is supported.`)}n(ip,"assertSupportedDcrRequest");function Ca(e){return e===void 0?[...rn]:Array.from(new Set(e))}n(Ca,"normalizeGrantTypes");function ap(e){return e.length===0?!1:e.every(t=>rn.includes(t))}n(ap,"isSupportedGrantTypes");function sp(e){return e.length===nn.length&&e[0]==="code"}n(sp,"isSupportedResponseTypes");function cp(e){return e===void 0||e===D}n(cp,"isSupportedDcrScope");function dp(e){try{ve(e)}catch(t){throw new m("invalid_client_metadata","jwks_uri must be an HTTPS URL with a path, no credentials or fragment, and must not point at a blocked host.",void 0,{cause:t})}}n(dp,"assertValidDcrJwksUri");function up(e){return e.tokenEndpointAuthMethod==="private_key_jwt"&&e.jwksUri!==void 0?ne.parse(fa({clientId:crypto.randomUUID(),jwksUri:e.jwksUri})):ne.parse(`dcr:${crypto.randomUUID()}`)}n(up,"createDcrClientId");function mt(e){if(e===void 0||e===D)return D;throw new m("invalid_request",`Only the ${D} scope is supported.`)}n(mt,"assertSupportedOAuthScope");function Ze(e,t,r){let o;try{o=new URL(t)}catch{throw new m("invalid_target","resource must be an absolute URI.")}if(o.hash)throw new m("invalid_target","resource must not include a fragment.");if(o.protocol!=="https:"&&!T(o))throw new m("invalid_target","resource must use HTTPS except loopback HTTP resources in local development.");let 
i=k(e,r),a=Xn(),s=a?[...a.byOperationId.values()].find(c=>new URL(c.routePath,i).toString()===t):void 0;if(!s)throw new m("invalid_target","resource must match a published MCP route.");return s}n(Ze,"resolveResource");async function va(e){let t;try{t=ep.parse(e)}catch(I){if(I instanceof d.ZodError){let N=I.issues.some(Z=>Z.path[0]==="redirect_uris");throw new m(N?"invalid_redirect_uri":"invalid_client_metadata",I.issues[0]?.message??"Client metadata is invalid.",void 0,{cause:I})}throw I}ip(t);for(let I of t.redirect_uris)Fe(I,"invalid_redirect_uri");if(t.token_endpoint_auth_method==="private_key_jwt"&&t.jwks_uri===void 0)throw new m("invalid_client_metadata","jwks_uri is required for private_key_jwt clients.");t.jwks_uri!==void 0&&dp(t.jwks_uri);let r=new Date,o=t.token_endpoint_auth_method??"none",i=o==="private_key_jwt"?"none":o,a=up({tokenEndpointAuthMethod:o,jwksUri:t.jwks_uri}),s=Et({client_id:a,client_name:t.client_name??"Dynamically registered MCP client",redirect_uris:t.redirect_uris,token_endpoint_auth_method:o,...t.jwks_uri===void 0?{}:{jwks_uri:t.jwks_uri}}),c=re(r,Ql),u=Math.floor(r.getTime()/1e3),p=Math.floor(c.getTime()/1e3),f={client_id:s.client_id,client_name:s.client_name,redirect_uris:s.redirect_uris,grant_types:Ca(t.grant_types),response_types:["code"],scope:D,token_endpoint_auth_method:s.token_endpoint_auth_method,client_id_issued_at:u,...s.jwks_uri===void 0?{}:{jwks_uri:s.jwks_uri}},w={clientId:s.client_id,clientName:s.client_name,redirectUris:s.redirect_uris,tokenEndpointAuthMethod:i,createdAt:R(r),clientExpiresAt:R(c)};if(o==="client_secret_basic"||o==="client_secret_post"){let I=le();w.hashedClientSecret=await U(I),w.clientSecretExpiresAt=R(c),f.client_secret=I,f.client_secret_expires_at=p,f.client_secret_issued_at=u}if((await b().registerClient(w)).kind==="already_exists")throw _("invalid_request","OAuth client is already registered.");return f}n(va,"registerDownstreamClient");function rr(e){return v`<img class="card__icon" 
src="${e.iconHref}" alt="" width="48" height="48" referrerpolicy="no-referrer" onerror=" this.onerror = null; this.src = '${e.fallbackIconHref}'; " />`}n(rr,"renderShellIcon");function Sa(e){return v`<form class="actions" method="post" action="/oauth/setup" ${e.submitOnceAttrs}><input type="hidden" name="state" value="${e.state}" /><button class="button button--secondary" type="submit" name="decision" value="cancel" formnovalidate >Cancel</button><button class="button button--primary" type="submit" name="decision" value="approve" ${e.authorizeAttrs} >Authorize</button></form>`}n(Sa,"renderActions");var ew=ie('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="16" height="16" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><circle cx="8" cy="8" r="6.5"/><line x1="8" y1="4.6" x2="8" y2="8.4"/><circle cx="8" cy="11" r=".7" fill="currentColor" stroke="none"/></svg>');var tw=ie('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="14" height="14" fill="none" stroke="currentColor" stroke-width="1.8" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M4 6.5l4 4 4-4"/></svg>'),rw=ie('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.6" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><rect x="3" y="4" width="18" height="7" rx="1.5"/><rect x="3" y="13" width="18" height="7" rx="1.5"/><circle cx="7" cy="7.5" r=".75" fill="currentColor" stroke="none"/><circle cx="7" cy="16.5" r=".75" fill="currentColor" stroke="none"/></svg>');var nw=ie('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="16" height="16" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M7.13 2.46 1.39 12.5a1 1 0 0 0 .87 1.5h11.48a1 1 0 0 0 .87-1.5L8.87 2.46a1 1 0 0 0-1.74 0Z"/><line x1="8" y1="6" x2="8" 
y2="9.4"/><circle cx="8" cy="11.4" r=".7" fill="currentColor" stroke="none"/></svg>');var lp="data:,",Ia=v`data-submit-once="true" onsubmit="if (this.dataset.submitted === 'true') return false; this.dataset.submitted = 'true'; setTimeout(() => this.querySelectorAll('button').forEach((button) => { button.disabled = true; }), 0);"`,xa=v`data-activate-once="true" onclick="if (this.dataset.activated === 'true') return false; this.dataset.activated = 'true'; this.setAttribute('aria-disabled', 'true'); this.style.pointerEvents = 'none';"`;function pp(e,t){if(e)try{let r=new URL(t).origin,o=new URL(e,r);return o.origin!==r||!o.pathname.startsWith("/auth/connections/")?void 0:o.toString()}catch{return}}n(pp,"safeGatewayConnectHref");function mp(e){return e.some(r=>r.ownerMode==="user"&&r.status!=="active")?"setup":"grant"}n(mp,"deriveMode");function fp(e){return Sa({state:e.state,submitOnceAttrs:Ia,authorizeAttrs:V})}n(fp,"renderActions");function on(e,t,r){for(let o of e){if(o.ownerMode!=="user"||o.status!==r)continue;let i=pp(o.connectUrl,t);if(i)return i}}n(on,"firstUserConnectHref");function hp(e){let t=e.connectHref?v`<a class="button button--primary" href="${e.connectHref}" ${xa}>Connect</a>`:v`<button class="button button--primary" type="button" disabled aria-disabled="true">Connect</button>`;return v`<form class="actions" method="post" action="/oauth/setup" ${Ia}><input type="hidden" name="state" value="${e.state}" /><button class="button button--secondary" type="submit" name="decision" value="cancel" formnovalidate>Cancel</button>${t}</form>`}n(hp,"renderSetupActions");function gp(e){return e?v`<span class="reconnect-action"><a class="button button--secondary reconnect-button" href="${e}" ${xa}>Re-connect<span class="tooltip" tabindex="0" aria-label="Reset or change how the gateway connects to the upstream service, including changing scopes.">?</span></a></span>`:V}n(gp,"renderReconnectAction");function yp(e){try{let t=new URL(e);return 
t.protocol==="https:"||t.protocol==="http:"?!0:t.protocol==="data:"&&/^data:image\/(?:png|jpe?g|webp|svg\+xml);/i.test(e)}catch{return!1}}n(yp,"isRenderableIconHref");function Aa(e){return e?.find(t=>yp(t.src))?.src}n(Aa,"readIconHref");function _p(e){return Aa(e.serverIcons)??(e.transportHost===void 0?void 0:Tr(e.transportHost).src)}n(_p,"readUpstreamIconHref");function wp(e){let t=Aa(e.routeIcons);if(t!==void 0)return t;for(let r of e.upstreams){let o=_p(r);if(o!==void 0)return o}}n(wp,"readHeaderIconHref");function Rp(e){return v`<p class="card__subtitle">Authorize '<strong>${e.clientDisplayName}</strong>' to access '<strong>${e.routeDisplayName}</strong>' on your behalf?</p>`}n(Rp,"renderBody");function an(e){let t=mp(e.upstreams),r=on(e.upstreams,e.gatewayOrigin,"not_connected"),o=on(e.upstreams,e.gatewayOrigin,"reconsent_required"),i=on(e.upstreams,e.gatewayOrigin,"active"),a=t==="setup"?r??o:void 0,s=wp({routeIcons:e.routeIcons,upstreams:e.upstreams}),c=t==="setup"?v`<footer class="card__footer">${hp({state:e.state,connectHref:a})}</footer>`:v`<footer class="card__footer">${gp(i)}${fp({state:e.state})}</footer>`;return Be(Ne({title:`Authorize access \xB7 ${e.routeDisplayName}`,iconHref:s??lp,styles:je,headerIcon:s===void 0?V:rr({iconHref:s,fallbackIconHref:zt}),heading:"Authorize access",subhead:V,body:Rp({routeDisplayName:e.routeDisplayName,clientDisplayName:e.clientDisplayName}),footer:c}))}n(an,"renderConsentPage");var bp=1e4,Ua="mcp-session-id",Cp;function Ea(){return{tools:[],prompts:[],resources:[]}}n(Ea,"emptyCapabilities");function vp(){return new Headers({accept:"application/json, text/event-stream","content-type":"application/json","mcp-protocol-version":fr})}n(vp,"buildReadinessHeaders");async function ka(e){let t=await e.provider.tokens();if(!t)return;let r=vp();return r.set("authorization",`${t.token_type??"Bearer"} ${t.access_token}`),r}n(ka,"buildAsyncCredentialHeaders");function Pa(e){return new 
Request(e.upstreamUrl,{method:"POST",headers:e.headers,body:JSON.stringify(At.parse({jsonrpc:xt,id:1,method:"initialize",params:{protocolVersion:fr,capabilities:{},clientInfo:{name:"zuplo-mcp-gateway-readiness",version:"0.0.0"}}}))})}n(Pa,"buildInitializePreflight");async function sn(e){Bt(e.url);let t=new AbortController,r=setTimeout(()=>t.abort(),bp);try{let o=new Request(e,{redirect:"manual",signal:t.signal});return await wt.fetch(o)}finally{clearTimeout(r)}}n(sn,"runPreflight");function cn(e){e.body?.cancel().catch(()=>{})}n(cn,"releasePreflightBody");async function Sp(e){let t=e.response.headers.get(Ua);if(!t)return;let r=new Headers(e.headers);r.set(Ua,t),r.delete("content-type");try{let o=await sn(new Request(e.upstreamUrl,{method:"DELETE",headers:r}));cn(o)}catch{}}n(Sp,"terminatePreflightSession");async function Oa(e){let{response:t}=e;return cn(t),t.status>=200&&t.status<300?(await Sp(e),{kind:"ready",upstreamStatus:t.status,capabilities:Ea()}):t.status===401||t.status===403?{kind:"upstream_auth_rejected",status:t.status,message:"Upstream MCP server rejected the configured credential."}:{kind:"upstream_unavailable",status:t.status,message:"Upstream MCP server did not accept the readiness preflight."}}n(Oa,"classifyResponse");function Ta(e){let t={status:e.state==="reconsent_required"?"reconsent_required":"not_connected",connected:!1};return e.nextAction==="admin_setup_required"?{kind:"admin_setup_required",payload:e,connectionStatus:t}:{kind:"connect_required",payload:e,connectionStatus:t}}n(Ta,"connectRequiredResult");async function Ip(e){try{return Oa({response:await sn(e.request),upstreamUrl:e.upstreamUrl,headers:e.headers})}catch(t){return{kind:"upstream_unavailable",message:t instanceof Error?t.message:"Upstream MCP server readiness preflight failed."}}}n(Ip,"classifyPreflight");async function xp(e){let t=e.route.connection;if(t===void 0)return{kind:"ready",upstreamStatus:204,capabilities:Ea()};let 
r=Jt(t.upstreamServerId,e.route.operationId),o=Le(r,e.subjectId),i=e.returnTo===void 0?o:{...o,returnTo:e.returnTo},a=new Request(e.requestUrl,{...e.requestHeaders===void 0?{}:{headers:e.requestHeaders}}),s=await ze({request:a,routeAuth:i,preloadedConnection:e.preloadedConnection});if(s.kind==="connect_required")return Ta(s.payload);let c=await ka(s.credential);if(c===void 0)return{kind:"upstream_auth_rejected",status:401,message:"Upstream credential did not produce tokens."};let u=Pa({upstreamUrl:t.mcpUrl,headers:c}),p;try{p=await sn(u)}catch(S){return{kind:"upstream_unavailable",message:S instanceof Error?S.message:"Upstream MCP server readiness preflight failed."}}if(p.status!==401)return Oa({response:p,upstreamUrl:t.mcpUrl,headers:c});cn(p);let f=await ze({request:a,routeAuth:i,forceRefresh:!0,preloadedConnection:e.preloadedConnection});if(f.kind==="connect_required")return Ta(f.payload);let w=await ka(f.credential);return w===void 0?{kind:"upstream_auth_rejected",status:401,message:"Upstream credential did not produce tokens after refresh."}:Ip({request:Pa({upstreamUrl:t.mcpUrl,headers:w}),upstreamUrl:t.mcpUrl,headers:w})}n(xp,"checkUpstreamRouteReadinessImpl");function qa(e){return(Cp??xp)(e)}n(qa,"checkUpstreamRouteReadiness");function Ap(e){try{return new URL(e).host}catch{return}}n(Ap,"safeUrlHost");function Up(e){return e.scopes}n(Up,"readOAuthScopes");function Ma(e){return e!==void 0&&e.length>0}n(Ma,"hasItems");function kp(e){let t=e.serverInfo?.icons;if(Ma(t))return t;let r=Lt(e.mcpUrl);return r===void 0?void 0:[r]}n(kp,"readServerIcons");async function Pp(e){if(!(e.returnTo===void 0||!e.isUserOwned))return zr({requestUrl:e.requestUrl,...e.requestHeaders===void 
0?{}:{requestHeaders:e.requestHeaders},owner:e.userOwner,initiatedBySubjectId:e.transaction.principal.subjectId,upstreamServerId:e.registeredConnection.upstreamServerId,authProfileId:e.registeredConnection.authProfileId,operationId:e.route.operationId,returnTo:e.returnTo})}n(Pp,"readConnectUrl");function Ie(e,t){return t===void 0?{}:{[e]:t}}n(Ie,"optionalRequirementField");function Tp(e){return e.readiness!==void 0?e.readiness:e.isUserOwned?po(e.connection):{connected:!0,status:"active"}}n(Tp,"readSetupConnectionStatus");function Ep(e){let t=Up(e);return Ma(t)?t:void 0}n(Ep,"readScopesRequested");function Op(e){return e.isUserOwned&&"updatedAt"in e.connectionStatus&&e.connectionStatus.updatedAt!==void 0?e.connectionStatus.updatedAt:void 0}n(Op,"readUpdatedAt");function qp(){return{tools:[],prompts:[],resources:[]}}n(qp,"readRouteCapabilities");async function Mp(e){let{authConfig:t,authMode:r,description:o,displayName:i,mcpUrl:a,ownerMode:s,upstreamServerId:c,authProfileId:u}=e.registeredConnection,p=s==="user",f=Tp({connection:e.connection,isUserOwned:p,readiness:e.readiness}),w=e.readiness?.connectUrl??await Pp({...e,connected:f.connected,isUserOwned:p});return{upstreamServerId:c,authProfileId:u,authMode:r,ownerMode:s,upstreamDisplayName:i,status:f.status,connected:f.connected,capabilities:qp(),...Ie("description",o),...Ie("transportHost",Ap(a)),...Ie("scopesRequested",Ep(t)),...Ie("serverIcons",kp(e.registeredConnection)),...Ie("connectUrl",w),...Ie("updatedAt",Op({connectionStatus:f,isUserOwned:p})),...Ie("expiresAt",e.readiness?.expiresAt??e.connection?.expiresAt)}}n(Mp,"buildSetupRequirement");function Da(e){let t=K().byOperationId.get(e);if(!t)throw _("unknown_mcp_route",`Unknown MCP route: ${e}`);return t}n(Da,"requireRoute");async function dn(e){let t=Da(e.transaction.operationId),r=Ut(e.transaction.principal.subjectId),o=[],i=new Map,a=t.connection;if(a===void 
0)return[];a.ownerMode==="user"&&(i.set(a,o.length),o.push({owner:r,upstreamServerId:a.upstreamServerId,authProfileId:a.authProfileId}));let s=await b().batchGetUpstreamConnections(o),c=[],u=a.ownerMode==="user",p=i.get(a),f=await qa({requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders},route:t,subjectId:e.transaction.principal.subjectId,preloadedConnection:u&&p!==void 0?s[p]:void 0,...e.returnTo===void 0?{}:{returnTo:e.returnTo}}),w=(()=>{if("connectionStatus"in f&&f.connectionStatus)return f.connectionStatus})(),S=(f.kind==="connect_required"||f.kind==="admin_setup_required")&&f.payload.authUrl!==void 0?f.payload.authUrl:void 0;return c.push(await Mp({connection:u&&p!==void 0?s[p]:void 0,registeredConnection:a,route:t,requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders},returnTo:e.returnTo,transaction:e.transaction,userOwner:r,readiness:w===void 0?void 0:{...w,...S===void 0?{}:{connectUrl:S}}})),c}n(dn,"requirementsForSetup");function Dp(e){return e.route.connection?.displayName??e.route.operationId}n(Dp,"readRouteDisplayName");async function un(e){let t=Da(e.transaction.operationId),r=Dp({route:t}),o=await b().readClient({clientId:e.transaction.clientId}),i=o.kind==="found"?o.client:void 0,a={gatewayOrigin:k(e.requestUrl,e.requestHeaders),routeDisplayName:r,clientDisplayName:i?.clientName??String(e.transaction.clientId),principalLabel:e.transaction.principal.subjectId},s=t.connection?.description;return s!==void 0&&(a.routeDescription=s),a}n(un,"consentContext");function ln(e){return e.some(t=>t.ownerMode==="user"&&t.status!=="active")}n(ln,"hasUnresolvedUserUpstream");var Hp=["mcp_user"],zp="dev-browser-user",Lp=["resource is required for /oauth/authorize.","MCP clients should start at the MCP server URL and follow its WWW-Authenticate resource_metadata link.","If your client reached this endpoint directly, use /oauth/authorize/{routePath} where {routePath} is the published MCP route path 
without a leading slash and each segment is URL-encoded as needed, for example /oauth/authorize/mcp/linear, or add resource={protected resource URI from protected-resource metadata}."].join(" "),Bp=d.object({response_type:d.literal("code"),client_id:d.string().min(1),redirect_uri:d.string().min(1),resource:d.url(),code_challenge:d.string().min(43),code_challenge_method:eo,state:d.string().min(1).optional(),scope:d.literal(D).default(D)}),jp=d.enum(["continue","approve","cancel"]).default("continue"),Np=d.object({state:d.string().min(1),decision:jp}),fe=class extends Error{static{n(this,"DownstreamAuthorizeRedirectError")}redirectUri;clientState;errorCode;errorDescription;constructor(t){super(t.errorDescription?`${t.errorCode}: ${t.errorDescription}`:t.errorCode,t.cause===void 0?void 0:{cause:t.cause}),this.name="DownstreamAuthorizeRedirectError",this.redirectUri=t.redirectUri,this.clientState=t.clientState,this.errorCode=t.errorCode,this.errorDescription=t.errorDescription}};function Ha(e){return typeof e=="string"&&e.length>0?e:void 0}n(Ha,"readQueryString");function Gp(e,t){let r=Ha(e.query.resource);if(t===void 0){if(r!==void 0)return r;throw new m("invalid_target",Lp)}let o=so(t,e.url,e.headers);if(r===void 0||r===o)return o;throw new m("invalid_target","resource must match the scoped OAuth authorization endpoint resource.")}n(Gp,"requireAuthorizeResource");async function $p(e,t){let r={};t!==void 0&&(r.context=t);let o=await Xt(e,r);if(o.principal)return{principal:o.principal};if(!e.user)return o.evictCookie===void 0?{}:{setCookie:o.evictCookie};let i=la(e);return{principal:i,setCookie:await Qt({principal:i,requestUrl:e.url,requestHeaders:e.headers})}}n($p,"resolveBrowserPrincipal");async function Fp(e,t){let r={};t!==void 0&&(r.context=t);let o=await Xt(e,r);if(!o.principal)throw _("authentication_required","Authorization setup requires a current browser session.");return o.principal}n(Fp,"requireSetupPrincipal");function 
za(e){return`/oauth/setup?state=${encodeURIComponent(e)}`}n(za,"buildSetupReturnTo");async function La(e){let t=await dn({transaction:e.transaction,requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders},returnTo:za(e.csrfToken)}),r=await un({transaction:e.transaction,requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders}}),o={kind:"setup_page",html:an({state:e.csrfToken,operationId:e.transaction.operationId,upstreams:t,...r})};return e.setCookie!==void 0&&(o.setCookie=e.setCookie),o}n(La,"renderSetup");function Zp(e){if(e===void 0)return;let t=e.metadata.token_endpoint_auth_method;return{clientId:e.clientId,clientName:e.metadata.client_name,tokenEndpointAuthMethod:t}}n(Zp,"toAuthorizationTransactionClient");async function pn(e,t={}){let r=Bp.parse({...e.query,resource:Gp(e,t.operationId),state:Ha(e.query.state)}),o=mt(r.scope);Fe(r.redirect_uri,"invalid_request");let i=new Date,a=ne.parse(r.client_id),s=await tr(r.client_id,i);ba(s,r.redirect_uri);try{let c=Ze(e.url,r.resource,e.headers),u=Zp(s);t.context?.log.info({event:"oauth_authorize_request_parsed",clientId:a,operationId:c.operationId,scope:o,hasClientState:r.state!==void 0},"Downstream OAuth authorize: request parsed and client resolved"),t.context&&x(t.context,{eventType:C.MCP_OAUTH_AUTHORIZE_STARTED,outcome:"success",virtualServerName:c.operationId,attributes:{clientId:a,scope:o,responseType:r.response_type}});let p={clientId:s?.clientId??a,...u===void 0?{}:{client:u},redirectUri:r.redirect_uri,resource:r.resource,operationId:c.operationId,scope:o,codeChallenge:r.code_challenge,codeChallengeMethod:r.code_challenge_method,...r.state===void 0?{}:{clientState:r.state}},{principal:f,setCookie:w}=await $p(e,t.context);if(!f){let I=await ra({transaction:p,requestUrl:e.url,requestHeaders:e.headers,now:i});t.context?.log.info({event:"oauth_authorize_awaiting_login",clientId:a,operationId:c.operationId},"Downstream OAuth authorize: redirecting to 
browser login (no session)");let N={kind:"redirect",location:I.browserLoginUrl};return w!==void 0&&(N.setCookie=w),N}let S=await na({transaction:p,principal:f,now:i});return t.context?.log.info({event:"oauth_authorize_awaiting_setup",clientId:a,operationId:c.operationId,subjectId:f.subjectId},"Downstream OAuth authorize: rendering consent/setup page"),t.context&&x(t.context,{eventType:C.MCP_OAUTH_AUTHORIZE_AWAITING_SETUP,outcome:"success",virtualServerName:c.operationId,attributes:{clientId:a,scope:o,responseType:r.response_type,subjectId:f.subjectId}}),La({transaction:S.transaction,csrfToken:S.csrfToken,requestUrl:e.url,requestHeaders:e.headers,setCookie:w})}catch(c){throw Kp({redirectUri:r.redirect_uri,clientState:r.state,cause:c})}}n(pn,"authorizeDownstreamClient");function Kp(e){if(e.cause instanceof fe)return e.cause;let t=Jp(e.cause);return t?new fe({redirectUri:e.redirectUri,clientState:e.clientState,errorCode:t.errorCode,errorDescription:t.errorDescription,cause:e.cause}):e.cause}n(Kp,"toDownstreamAuthorizeRedirectError");function Jp(e){if(e instanceof m)return{errorCode:e.errorCode,errorDescription:e.message};if(e instanceof d.ZodError){let t=e.issues[0];return{errorCode:t?.path.includes("resource")?"invalid_target":"invalid_request",errorDescription:t?.message}}}n(Jp,"mapToOAuthRedirectError");async function Ba(e,t={}){let r=typeof e.query.error=="string"?e.query.error:void 0;if(r){let p=typeof e.query.error_description=="string"?e.query.error_description.slice(0,256):void 0,f=typeof e.query.error_uri=="string"?e.query.error_uri.slice(0,256):void 0;throw t.context?.log.warn({event:"browser_login_callback_idp_error",code:"provider_access_denied",idpError:r,...p===void 0?{}:{idpErrorDescription:p},...f===void 0?{}:{idpErrorUri:f}},"Identity provider redirected browser-login callback with an error"),_("provider_access_denied",p??"The delegated browser login was not completed.")}let o=typeof e.query.state=="string"?e.query.state:void 0;if(!o)throw 
t.context?.log.warn({event:"browser_login_callback_state_missing",code:"oauth_state_invalid"},"Browser login callback was invoked without a state parameter"),_("oauth_state_invalid","Browser login callback is missing state.");let i=await Jr(o),a={request:e,stateId:i.stateId};t.context!==void 0&&(a.context=t.context);let s=await pa(a),c=await oa({browserLoginStateToken:o,principal:s}),u=await La({transaction:c.transaction,csrfToken:c.csrfToken,requestUrl:e.url,requestHeaders:e.headers});return u.setCookie=await Qt({principal:s,requestUrl:e.url,requestHeaders:e.headers}),u}n(Ba,"completeBrowserLoginCallback");async function ja(e){let t=M(),r=new URL(e.url);if(!T(r))throw _("forbidden","Local browser login is only available on loopback HTTP origins.");let o=typeof e.query.state=="string"?e.query.state:void 0;if(!o)throw _("oauth_state_invalid","Local browser login is missing state.");let i=new URL(typeof e.query.redirect_uri=="string"?e.query.redirect_uri:"/oauth/callback",k(e.url)),a=new URL(k(e.url)).origin;if(i.origin!==a||i.pathname!=="/oauth/callback")throw _("oauth_callback_mismatch","Local browser login redirect_uri must target this gateway's /oauth/callback route.");i.searchParams.set("state",o);let s={subjectId:We.parse(zp),roles:Hp};return{kind:"redirect",location:i,setCookie:await Qt({principal:s,requestUrl:e.url,requestHeaders:e.headers})}}n(ja,"completeLocalDevBrowserLogin");function Wp(e){let t=e.method==="POST"?e.body:e.query;return Np.parse(t)}n(Wp,"readSetupContinueRequest");async function Na(e){let{state:t,decision:r}=Wp({method:e.request.method,query:e.request.query,body:e.body}),o=new Date,i=await Yr({csrfToken:t,now:o}),a=await Fp(e.request,e.context);if(r==="cancel")return{kind:"redirect",location:await sa({csrfToken:t,currentBrowserPrincipal:a,now:o})};let s=await ia({csrfToken:t,currentBrowserPrincipal:a,now:o}),c=await dn({transaction:s,requestUrl:e.request.url,requestHeaders:e.request.headers,returnTo:za(t)});if(r==="approve"&&ln(c)&&await 
ea({csrfToken:t,currentBrowserPrincipal:a,now:o}),ln(c)){let u=await un({transaction:s,requestUrl:e.request.url,requestHeaders:e.request.headers});return{kind:"setup_page",html:an({state:t,operationId:s.operationId,upstreams:c,...u})}}return{kind:"redirect",location:await aa({csrfToken:t,currentBrowserPrincipal:a,now:o})}}n(Na,"continueDownstreamAuthorizeSetup");G();import{createLocalJWKSet as Vp,decodeJwt as Yp,errors as ft,jwtVerify as Xp}from"jose";var Qp=new Set(["authorization_code","refresh_token"]),em="urn:ietf:params:oauth:client-assertion-type:jwt-bearer",tm=1e4,rm=32*1024,nm=2,Ga=d.object({client_id:d.string().min(1).optional(),client_secret:d.string().min(1).optional(),client_assertion_type:d.string().min(1).optional(),client_assertion:d.string().min(1).optional()}),om=d.discriminatedUnion("grant_type",[Ga.extend({grant_type:d.literal("authorization_code"),code:d.string().min(1),redirect_uri:d.string().min(1),code_verifier:Tt,resource:d.url().optional(),scope:d.literal(D).optional()}),Ga.extend({grant_type:d.literal("refresh_token"),refresh_token:d.string().min(1),resource:d.url().optional(),scope:d.literal(D).optional()})]);function im(e){if(typeof e!="object"||e===null)return;let t=e.grant_type;if(t!==void 0&&(typeof t!="string"||!Qp.has(t)))throw new m("unsupported_grant_type",`Grant type "${typeof t=="string"?t:""}" is not supported.`)}n(im,"assertSupportedGrantType");var am=d.object({token:d.string().min(1),client_id:d.string().min(1).optional(),token_type_hint:d.string().optional(),client_secret:d.string().min(1).optional(),client_assertion_type:d.string().min(1).optional(),client_assertion:d.string().min(1).optional()}),sm=d.object({keys:d.array(d.record(d.string(),d.unknown())).min(1)}).passthrough();function $a(){return M().gateway.accessTokenTtlSeconds}n($a,"readAccessTokenTtlSeconds");function cm(){return M().gateway.refreshTokenTtlSeconds}n(cm,"readRefreshTokenTtlSeconds");function dm(e,t){let r=$a(),o=Math.max(1,Math.floor((new 
Date(t).getTime()-e.getTime())/1e3)),i=Math.min(r,o);return{expiresAt:R(re(e,i)),expiresIn:i}}n(dm,"calculateAccessTokenExpiresAt");function Fa(e){if(!e?.startsWith("Basic "))return{};let t;try{t=atob(e.slice(6))}catch{throw new m("invalid_client","Malformed HTTP Basic client authentication.")}let r=t.indexOf(":");if(r<0)throw new m("invalid_client","Malformed HTTP Basic client authentication.");try{return{clientId:decodeURIComponent(t.slice(0,r)),clientSecret:decodeURIComponent(t.slice(r+1))}}catch{throw new m("invalid_client","Malformed HTTP Basic client authentication.")}}n(Fa,"readBasicClientSecret");function Za(e){if(e.basicClientId!==void 0&&e.bodyClientId!==void 0&&e.basicClientId!==e.bodyClientId)throw new m("invalid_request","Authenticated client_id must match request client_id.");let t=e.basicClientId??e.bodyClientId;if(t!==void 0)return t;if(e.clientAssertion!==void 0){try{let r=Yp(e.clientAssertion);if(typeof r.iss=="string"&&typeof r.sub=="string"&&r.iss===r.sub)return r.iss}catch{throw new m("invalid_client","Malformed private_key_jwt client assertion.")}throw new m("invalid_client","private_key_jwt client assertion must identify the client with matching iss and sub claims.")}throw new m("invalid_client","Client authentication or client_id is required.")}n(Za,"resolveAuthenticatedClientId");function um(e){if(e.basicClientSecret!==void 0&&e.bodyClientSecret!==void 0)throw new m("invalid_request","Use only one client authentication method per request.");return e.basicClientSecret!==void 0?{clientSecret:e.basicClientSecret,clientSecretSource:"basic"}:e.bodyClientSecret!==void 0?{clientSecret:e.bodyClientSecret,clientSecretSource:"post"}:{}}n(um,"resolveClientSecretInput");function lm(e){return e.clientAssertion!==void 0||e.clientAssertionType!==void 0}n(lm,"hasClientAssertion");function pm(e){if(e.requestUrl===void 0)throw new m("invalid_request","Request URL is required for private_key_jwt client authentication.");let t=new 
URL(e.pathname,k(e.requestUrl,e.requestHeaders));return t.search="",t.hash="",t.toString()}n(pm,"buildEndpointAudience");function mm(e){return e instanceof ft.JWTExpired?"expired":e instanceof ft.JWTClaimValidationFailed?"claim":e instanceof ft.JWSSignatureVerificationFailed?"signature":e instanceof ft.JWKSNoMatchingKey?"jwks_no_match":e instanceof ft.JWTInvalid?"invalid":e instanceof d.ZodError?"schema":"other"}n(mm,"readJwtFailureKind");async function fm(e){let{response:t,json:r}=await $o(e.jwksUri,{headers:{accept:"application/json"}},{context:e.context,maxRedirects:nm,maxResponseBytes:rm,timeoutMs:tm});if(!t.ok)throw new m("invalid_client","Client JWKS could not be fetched.");return sm.parse(r)}n(fm,"fetchClientJwks");async function hm(e){if(e.clientAssertionType!==em||e.clientAssertion===void 0)throw new m("invalid_request","private_key_jwt client authentication requires a JWT bearer client_assertion and client_assertion_type.");let t=ne.parse(e.clientId),r=await tr(t,e.now);if(r.metadata.token_endpoint_auth_method!=="private_key_jwt")throw new m("invalid_client","Client is not registered for private_key_jwt authentication.");let o=r.metadata.jwks_uri;if(o===void 0)throw new m("invalid_client","Client JWKS URI is required for private_key_jwt authentication.");let i=pm({requestUrl:e.requestUrl,requestHeaders:e.requestHeaders,pathname:e.endpointPathname});try{let a=await fm({jwksUri:o,context:e.context});await Xp(e.clientAssertion,Vp(a),{issuer:t,subject:t,audience:i,currentDate:e.now})}catch(a){throw e.context?.log.warn({event:"oauth_private_key_jwt_client_auth_failed",clientId:t,failureKind:mm(a)},"OAuth private_key_jwt client authentication failed"),new m("invalid_client","Client authentication failed.")}return er(t)?{method:"none",clientId:t}:{method:"private_key_jwt",clientId:t}}n(hm,"verifyPrivateKeyJwtClientAssertion");async function gm(e){let t=ne.parse(e.clientId);if(er(t))throw new m("invalid_client","Client is registered for private_key_jwt 
authentication.");return e.clientSecret===void 0?{method:"none",clientId:t}:{method:e.clientSecretSource==="post"?"client_secret_post":"client_secret_basic",clientId:t,clientSecretHashInput:await U(e.clientSecret)}}n(gm,"buildRuntimeHttpClientAuth");async function Ka(e){if(lm({clientAssertion:e.clientAssertion,clientAssertionType:e.clientAssertionType})){if(e.basicClientSecret!==void 0||e.bodyClientSecret!==void 0)throw new m("invalid_request","Use only one client authentication method per request.");return hm(e)}let t=um({basicClientSecret:e.basicClientSecret,bodyClientSecret:e.bodyClientSecret});return gm({clientId:e.clientId,...t})}n(Ka,"resolveRuntimeHttpClientAuth");async function Ja(e){im(e.body);let t=om.parse(e.body),r=Fa(e.authorizationHeader),o=Za({basicClientId:r.clientId,bodyClientId:t.client_id,clientAssertion:t.client_assertion}),i=new Date,a=await Ka({clientId:o,basicClientSecret:r.clientSecret,bodyClientSecret:t.client_secret,clientAssertion:t.client_assertion,clientAssertionType:t.client_assertion_type,requestUrl:e.requestUrl,requestHeaders:e.requestHeaders,endpointPathname:"/oauth/token",now:i,context:e.context});return ym({parsed:t,clientId:o,clientAuth:a,now:i,requestUrl:e.requestUrl,requestHeaders:e.requestHeaders,context:e.context})}n(Ja,"exchangeDownstreamToken");async function ym(e){if(e.parsed.grant_type==="authorization_code"){Fe(e.parsed.redirect_uri,"invalid_request"),mt(e.parsed.scope),e.parsed.resource!==void 0&&Ze(e.requestUrl??e.parsed.resource,e.parsed.resource,e.requestHeaders);let c=le(),u=le(),p=R(re(e.now,cm())),f=dm(e.now,p),w=await b().exchangeAuthorizationCode({clientAuth:e.clientAuth,codeHash:await U(e.parsed.code),redirectUri:e.parsed.redirect_uri,...e.parsed.resource===void 0?{}:{resource:e.parsed.resource},codeChallenge:await go(e.parsed.code_verifier),currentRefreshTokenHash:await U(c),accessTokenHash:await U(u),grantExpiresAt:p,accessTokenExpiresAt:f.expiresAt,now:R(e.now)});if(w.kind==="invalid_client")throw new 
m("invalid_client","Client authentication failed.");if(w.kind==="resource_mismatch")throw new m("invalid_target","Token request resource must match the authorization code resource.");if(w.kind!=="exchanged")throw new m("invalid_grant","Authorization code is invalid, expired, already used, or failed binding validation.");return e.context&&x(e.context,{eventType:C.MCP_OAUTH_TOKEN_ISSUED,outcome:"success",attributes:{clientId:e.clientId,grantType:"authorization_code"}}),{access_token:u,token_type:"Bearer",expires_in:f.expiresIn,refresh_token:c,scope:w.grant.scope,resource:w.grant.resource}}mt(e.parsed.scope),e.parsed.resource!==void 0&&Ze(e.requestUrl??e.parsed.resource,e.parsed.resource,e.requestHeaders);let t=await U(e.parsed.refresh_token),r=e.parsed.refresh_token,o=le(),i=R(re(e.now,$a())),a=await b().refreshToken({clientAuth:e.clientAuth,currentRefreshTokenHash:t,nextRefreshTokenHash:t,accessTokenHash:await U(o),...e.parsed.resource===void 0?{}:{resource:e.parsed.resource},accessTokenExpiresAt:i,now:R(e.now)});if(a.kind==="invalid_client")throw new m("invalid_client","Client authentication failed.");if(a.kind==="resource_mismatch")throw new m("invalid_target","Token request resource must match the refresh token grant resource.");if(a.kind!=="rotated")throw new m("invalid_grant","Refresh token is invalid, expired, or revoked.");Ze(e.requestUrl??a.grant.resource,a.grant.resource,e.requestHeaders);let s=a.accessToken.expiresAt;return e.context&&x(e.context,{eventType:C.MCP_OAUTH_TOKEN_ISSUED,outcome:"success",attributes:{clientId:e.clientId,grantType:"refresh_token"}}),{access_token:o,token_type:"Bearer",expires_in:Math.max(1,Math.floor((new Date(s).getTime()-e.now.getTime())/1e3)),refresh_token:r,scope:a.grant.scope,resource:a.grant.resource}}n(ym,"exchangeDownstreamTokenWithRuntimeHttp");async function Wa(e){let t=am.parse(e.body),r=Fa(e.authorizationHeader),o=Za({basicClientId:r.clientId,bodyClientId:t.client_id,clientAssertion:t.client_assertion}),i=new 
Date;if((await b().revokeOAuthToken({clientAuth:await Ka({clientId:o,basicClientSecret:r.clientSecret,bodyClientSecret:t.client_secret,clientAssertion:t.client_assertion,clientAssertionType:t.client_assertion_type,requestUrl:e.requestUrl,requestHeaders:e.requestHeaders,endpointPathname:"/oauth/revoke",now:i,context:e.context}),tokenHash:await U(t.token),now:R(i)})).kind==="invalid_client")throw new m("invalid_client","Client authentication failed.");e.context?.log.info({event:"oauth_token_revoked",clientId:o,...t.token_type_hint===void 0?{}:{tokenTypeHint:t.token_type_hint}},"OAuth token revocation request processed"),e.context&&x(e.context,{eventType:C.MCP_OAUTH_TOKEN_REVOKED,outcome:"success",attributes:{clientId:o,...t.token_type_hint===void 0?{}:{tokenTypeHint:t.token_type_hint}}})}n(Wa,"revokeDownstreamToken");var _m=64*1024,wm=16*1024,Rm="text/html; charset=utf-8";function bm(e){let t={};for(let[r,o]of e.entries())t[r]=o;return t}n(bm,"formDataToObject");async function Cm(e){return ji(e,{maxBytes:_m,label:"Request body"})}n(Cm,"readJsonBody");async function fn(e){return bm(await Ni(e,{maxBytes:wm,label:"Request body"}))}n(fn,"readFormBody");async function Ya(e,t,r){let o=te(r),i=r instanceof d.ZodError?he(r):void 0,a={code:o??(r instanceof d.ZodError?"invalid_request":"internal_server_error")};return i!==void 0&&(a.detail=i),St(e,t,a)}n(Ya,"handleProblem");function Xa(e){return e?.requestId}n(Xa,"readBrowserRequestId");function Qa(e){if(!(e instanceof h))return;let t=e.extensionMembers?.[ke];return typeof t=="string"?t:void 0}n(Qa,"readUpstreamHtmlError");function Va(e,t){let r=e.extensionMembers?.[t];return typeof r=="string"?r:void 0}n(Va,"readRuntimeErrorExtensionString");function vm(e,t){let r=e.extensionMembers?.[t];return typeof r=="number"?r:void 0}n(vm,"readRuntimeErrorExtensionNumber");function Sm(e){try{return new URL(e.url).pathname}catch{return}}n(Sm,"readBrowserRequestPath");function xe(e){let 
t={code:e.code,requestId:e.requestId,routePath:Sm(e.request),underlyingError:e.underlyingError};return e.error instanceof h&&(t.httpStatus=vm(e.error,Pe),t.contentType=Va(e.error,Ue),t.upstreamUrl=Va(e.error,Te)),t}n(xe,"buildBrowserErrorDiagnostic");function ht(e){let t=new Headers(e.headers);t.set("cache-control","no-store"),t.set("pragma","no-cache");let r={error:e.error};return e.errorDescription!==void 0&&(r.error_description=e.errorDescription),Response.json(r,{status:e.status??400,headers:t})}n(ht,"oauthErrorResponse");function Im(e,t){return e.errorCode!=="invalid_client"?{}:t.includeInvalidClientChallenge===!1?{}:{"WWW-Authenticate":'Basic realm="OAuth"'}}n(Im,"readOAuthProtocolHeaders");function xm(e,t){let r=$("internal_server_error");return ht({error:e.errorCode,errorDescription:e.errorCode==="server_error"?r.publicDetail:e.message,status:e.status,headers:Im(e,t)})}n(xm,"oauthProtocolErrorResponse");function mn(e){return e.issues[0]?.path.includes("resource")===!0?"invalid_target":"invalid_request"}n(mn,"readZodOAuthErrorCode");function Am(e){let t={error:mn(e)},r=he(e);return r!==void 0&&(t.errorDescription=r),ht(t)}n(Am,"oauthZodErrorResponse");function Um(e){let t=te(e);if(t===void 0)return;let r=$(t);if(r.oauthError===void 0)return;let o={error:r.oauthError,status:Pm(r.oauthError)};return r.oauthError==="server_error"?o.errorDescription=r.publicDetail:e instanceof Error?o.errorDescription=e.message:o.errorDescription=r.publicDetail,ht(o)}n(Um,"oauthGatewayProblemResponse");function km(){let t={error:"server_error",status:500,errorDescription:$("internal_server_error").publicDetail};return ht(t)}n(km,"oauthFallbackErrorResponse");function Pm(e){switch(e){case"invalid_client":return 401;case"server_error":return 500;default:return 400}}n(Pm,"readOAuthStatus");function hn(e,t={}){return e instanceof fe?rs(e):e instanceof m?xm(e,t):e instanceof d.ZodError?Am(e):Um(e)??km()}n(hn,"oauthProblemResponse");function gn(e,t,r){let o=Ge(e.url),i=Xa(t);if(r 
instanceof fe)return rs(r);if(r instanceof m){let c=$("internal_server_error");return Y({host:o,kind:Tm(r.errorCode),title:"Authorization failed",detail:r.errorCode==="server_error"?c.publicDetail:r.message,developerDetail:r.errorCode==="server_error"?c.publicDetail:r.message,code:r.errorCode,diagnostic:xe({request:e,requestId:i,code:r.errorCode,underlyingError:r.errorCode==="server_error"?c.publicDetail:r.message,error:r}),requestId:i,status:r.status})}if(r instanceof d.ZodError)return Y({host:o,kind:"invalid_request",detail:he(r)??"The authorization request was invalid.",developerDetail:he(r)??"The authorization request was invalid.",code:mn(r),diagnostic:xe({request:e,requestId:i,code:mn(r),underlyingError:he(r)??"The authorization request was invalid.",error:r}),requestId:i});let a=te(r);if(a!==void 0){let c=$(a);return Y({host:o,kind:ts(a),detail:c.publicDetail,developerDetail:c.status>=500||!(r instanceof Error)?c.publicDetail:r.message,code:a,diagnostic:xe({request:e,requestId:i,code:a,underlyingError:c.status>=500||!(r instanceof Error)?c.publicDetail:r.message,error:r}),requestId:i,upstreamHtml:Qa(r),status:c.status})}let s=$("internal_server_error");return Y({host:o,kind:"internal_error",detail:s.publicDetail,developerDetail:s.publicDetail,code:"server_error",diagnostic:xe({request:e,requestId:i,code:"server_error",underlyingError:s.publicDetail,error:r}),requestId:i,status:s.status})}n(gn,"browserOAuthProblemResponse");function es(e,t,r){let o=Ge(e.url),i=Xa(t),a=te(r);if(a!==void 0){let c=$(a);return Y({host:o,kind:ts(a),detail:c.publicDetail,developerDetail:c.status>=500||!(r instanceof Error)?c.publicDetail:r.message,code:a,diagnostic:xe({request:e,requestId:i,code:a,underlyingError:c.status>=500||!(r instanceof Error)?c.publicDetail:r.message,error:r}),requestId:i,upstreamHtml:Qa(r),status:c.status})}if(r instanceof d.ZodError)return Y({host:o,kind:"invalid_request",detail:he(r)??"The authorization request was invalid.",developerDetail:he(r)??"The 
authorization request was invalid.",code:"invalid_request",diagnostic:xe({request:e,requestId:i,code:"invalid_request",underlyingError:he(r)??"The authorization request was invalid.",error:r}),requestId:i});let s=$("internal_server_error");return Y({host:o,kind:"internal_error",detail:s.publicDetail,developerDetail:s.publicDetail,code:"internal_server_error",diagnostic:xe({request:e,requestId:i,code:"internal_server_error",underlyingError:s.publicDetail,error:r}),requestId:i,status:s.status})}n(es,"browserGatewayProblemResponse");function Tm(e){return e==="server_error"?"internal_error":"invalid_request"}n(Tm,"readOAuthBrowserErrorKind");function ts(e){if($(e).status>=500)return"internal_error";switch(e){case"mcp_route_not_enabled":case"unknown_upstream_server":case"unknown_mcp_route":case"unknown_auth_profile":case"mcp_route_upstream_mismatch":return"configuration_error";case"provider_access_denied":return"access_denied";case"oauth_state_invalid":case"oauth_state_expired":case"oauth_state_reused":case"oauth_callback_mismatch":return"session_expired";case"upstream_oauth_discovery_unavailable":case"upstream_provider_access_denied":case"upstream_client_registration_required":return"admin_required";case"browser_login_verification_failed":case"upstream_token_exchange_failed":case"upstream_token_response_invalid":return"connection_failed";case"invalid_request":case"authentication_required":case"forbidden":case"not_found":case"too_many_requests":case"identity_context_missing":return"invalid_request";case"upstream_capability_invocation_failed":case"upstream_capability_unavailable":case"upstream_import_failed":return"connection_failed";case"internal_server_error":return"internal_error"}return"authorization_failed"}n(ts,"readGatewayBrowserErrorKind");function ae(e,t,r){let o={event:t},i=!1;if(r instanceof m)o.oauthError=r.errorCode,o.status=r.status,L(o,"error",r);else if(r instanceof fe)o.oauthError=r.errorCode,L(o,"error",r);else if(r instanceof 
d.ZodError){o.code="invalid_request",L(o,"error",r);let a=r.issues[0];a&&(o.zodPath=a.path.join("."))}else{let a=te(r);if(a!==void 0){let s=$(a);o.code=a,o.status=s.status,s.oauthError!==void 0&&(o.oauthError=s.oauthError),i=s.status>=500||s.oauthError==="server_error",L(o,"error",r)}else i=!0,L(o,"error",r)}if(i){let a=r instanceof Error?r:new Error("Non-Error thrown from OAuth handler",{cause:r});e.log.error(o,a.message)}else e.log.warn(o,"OAuth handler rejected the request")}n(ae,"logUnexpectedOAuthHandlerError");function rs(e){let t;try{t=new URL(e.redirectUri)}catch{return ht({error:e.errorCode,...e.errorDescription===void 0?{}:{errorDescription:e.errorDescription}})}t.searchParams.set("error",e.errorCode),e.errorDescription!==void 0&&t.searchParams.set("error_description",e.errorDescription),e.clientState!==void 0&&t.searchParams.set("state",e.clientState);let r=new Headers({location:t.toString(),"cache-control":"no-store"});return new Response(null,{status:302,headers:r})}n(rs,"downstreamAuthorizeRedirectErrorResponse");function he(e){let t=e.issues[0];if(!t)return;let r=t.path.join(".");return r?`${r}: ${t.message}`:t.message}n(he,"formatZodErrorDetail");function Em(e,t){let r={event:"browser_login_callback_failed",code:te(t)??"invalid_request"};L(r,"error",t),e.log.warn(r,"Browser login callback failed; client received a connection-failure page")}n(Em,"logBrowserLoginCallbackFailure");function ns(e){e.location.hash||(e.location.hash="#");let t=new Headers({location:e.location.toString(),"cache-control":"no-store"});return e.setCookie&&t.append("set-cookie",e.setCookie),new Response(null,{status:302,headers:t})}n(ns,"redirectResultResponse");function nr(e){if(e.kind==="setup_page"){let t=new Headers({"content-type":Rm,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"});return e.setCookie&&t.append("set-cookie",e.setCookie),new Response(e.html,{status:200,headers:t})}return ns(e)}n(nr,"authorizeResultResponse");async 
function os(e,t){try{return Response.json(oo(e.url,e.headers))}catch(r){return ae(t,"oauth_authorization_server_metadata_failed",r),Ya(e,t,r)}}n(os,"authorizationServerMetadataHandler");async function is(e,t){try{let r=hr(e.params.routePath);return Response.json(io({operationId:r.operationId,requestUrl:e.url,requestHeaders:e.headers}))}catch(r){return ae(t,"oauth_authorization_server_metadata_failed",r),Ya(e,t,r)}}n(is,"scopedAuthorizationServerMetadataHandler");async function as(e,t){try{let r=await va(await Cm(e)),o=r,i=typeof o.client_id=="string"?o.client_id:void 0,a=typeof o.client_name=="string"?o.client_name:void 0,s=Array.isArray(o.redirect_uris)?o.redirect_uris.length:void 0,c=typeof o.token_endpoint_auth_method=="string"?o.token_endpoint_auth_method:void 0;return t.log.info({event:"oauth_dcr_client_registered",clientId:i,clientName:a,redirectUriCount:s,tokenEndpointAuthMethod:c},"OAuth Dynamic Client Registration completed"),x(t,{eventType:C.MCP_OAUTH_CLIENT_REGISTERED,outcome:"success",clientName:a,attributes:{clientId:i,redirectUriCount:s,tokenEndpointAuthMethod:c}}),Response.json(r,{status:201,headers:{"cache-control":"no-store"}})}catch(r){return ae(t,"oauth_register_failed",r),hn(r)}}n(as,"registerHandler");async function ss(e,t){try{return nr(await pn(e,{context:t}))}catch(r){return ae(t,"oauth_authorize_failed",r),gn(e,t,r)}}n(ss,"authorizeHandler");async function cs(e,t){try{let r=hr(e.params.routePath);return nr(await pn(e,{operationId:r.operationId,context:t}))}catch(r){return ae(t,"oauth_authorize_scoped_failed",r),gn(e,t,r)}}n(cs,"scopedAuthorizeHandler");async function ds(e,t){try{let r=await Ba(e,{context:t});return t.log.info({event:"browser_login_callback_completed",resultKind:r.kind},"Browser login callback completed; consent setup rendered"),nr(r)}catch(r){return Em(t,r),es(e,t,r)}}n(ds,"callbackHandler");async function us(e,t){try{return ns(await ja(e))}catch(r){return 
ae(t,"oauth_dev_login_failed",r),gn(e,t,r)}}n(us,"devLoginHandler");async function ls(e,t){try{if(!["GET","POST"].includes(e.method))return new Response(null,{status:405,headers:{allow:"GET, POST"}});let r=await Na({request:e,body:e.method==="POST"?await fn(e):void 0,context:t});return nr(r)}catch(r){return ae(t,"oauth_setup_failed",r),es(e,t,r)}}n(ls,"setupHandler");async function ps(e,t){try{return Response.json(await Ja({body:await fn(e),authorizationHeader:e.headers.get("authorization"),requestUrl:e.url,requestHeaders:e.headers,context:t}),{headers:{"cache-control":"no-store",pragma:"no-cache"}})}catch(r){return ae(t,"oauth_token_failed",r),hn(r)}}n(ps,"tokenHandler");async function ms(e,t){try{return await Wa({body:await fn(e),authorizationHeader:e.headers.get("authorization"),requestUrl:e.url,requestHeaders:e.headers,context:t}),new Response(null,{status:200,headers:{"cache-control":"no-store"}})}catch(r){return ae(t,"oauth_revoke_failed",r),hn(r)}}n(ms,"revokeHandler");function fs(e){return v`<p data-gateway-error-code="${e.code}">${e.body}</p>`}n(fs,"renderBrowserResult");var Om="text/html; charset=utf-8",qm="none";function Mm(e){let t=Pr(e.host);return Ne({title:e.title,iconHref:t,styles:je,headerIcon:rr({iconHref:t,fallbackIconHref:zt}),heading:e.title,subhead:"",body:fs({body:e.body,code:e.code??qm}),footer:""})}n(Mm,"browserResultHtml");function Dm(e,t=200){return new Response(Be(e),{status:t,headers:{"content-type":Om,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"}})}n(Dm,"browserResultResponse");function hs(e){return Dm(Mm(e))}n(hs,"browserConnectionSuccessResponse");function or(e,t,r={}){let o=Dn(t);return Y({host:e,kind:Hm(t),detail:o.body,developerDetail:r.developerDetail,code:t,diagnostic:r.diagnostic,upstreamHtml:r.upstreamHtml})}n(or,"browserConnectionFailureResponse");function 
Hm(e){switch(e){case"provider_access_denied":return"access_denied";case"oauth_state_invalid":case"oauth_state_expired":case"oauth_state_reused":case"oauth_callback_mismatch":return"session_expired";case"browser_login_verification_failed":case"upstream_token_exchange_failed":case"upstream_token_response_invalid":return"connection_failed";case"upstream_oauth_discovery_unavailable":case"upstream_provider_access_denied":case"upstream_client_registration_required":return"admin_required"}}n(Hm,"readCallbackFailureBrowserErrorKind");var zm={connect:"Connect",callback_authorization_code:"Callback",callback_provider_error:"Callback",callback_invalid:"Callback",client_metadata:"Client metadata"},gs=Symbol("upstream-request");function gt(e,t){Object.defineProperty(e,gs,{configurable:!0,value:t})}n(gt,"setUpstreamRequestContext");function Lm(e){let t=e[gs];if(!t)throw new ce("Upstream request context has not been set");return t}n(Lm,"readUpstreamRequestContext");function Bm(e,t){return t.some(r=>r===e)}n(Bm,"requestContextMatchesKind");function jm(e){return typeof e=="string"?[e]:e}n(jm,"toExpectedKinds");function yt(e,t){let r=Lm(e),o=jm(t);if(!Bm(r.kind,o)){let i=zm[o[0]];throw new ce(`${i} request context has not been set`)}return r}n(yt,"requireUpstreamRequestContext");function Ae(e){if(typeof e=="string"&&e.length!==0)return e}n(Ae,"readOptionalQueryString");function Nm(e,t){let r=e.params[t];if(typeof r!="string"||r.length===0)throw new ce(`Validated path parameter ${t} is missing`);return Gm(r,t)}n(Nm,"requirePathString");function Gm(e,t){try{return decodeURIComponent(e)}catch(r){throw new h({message:`Path parameter "${t}" must be valid URL encoding.`,extensionMembers:{[g]:"invalid_request"}},{cause:r})}}n(Gm,"decodePathString");function $m(e){let t=Ae(e);return t?It.parse(t):void 0}n($m,"readOptionalOperationId");function Fm(e){let t=K().connectionsById.get(e);if(t!==void 0)return t.authProfileId;throw new h({message:`No upstream connection is registered for 
${e}.`,extensionMembers:{[g]:"unknown_upstream_server"}})}n(Fm,"readRegisteredAuthProfileId");function Zm(e){let t=$m(e);if(!t)throw new h({message:"operationId query parameter is required.",extensionMembers:{[g]:"invalid_request"}});return t}n(Zm,"readRequiredOperationId");function Km(e){let t=$n(Ae(e));return t===void 0?{}:{returnTo:t}}n(Km,"readOptionalReturnTo");function Jm(e){let t=Ae(e.query.error_description);return t===void 0?{}:{errorDescription:t}}n(Jm,"readOptionalProviderErrorDescription");function Wm(e,t,r,o){return{kind:"connect",...Le(e,t.subjectId),...o===void 0?{}:{returnTo:o},redirect:r}}n(Wm,"buildConnectContextForUser");function Vm(e,t,r){let o=kt(t);if(o.mode!==e.ownerMode)throw new h({message:"Browser connect ticket did not match the requested upstream flow",extensionMembers:{[g]:"oauth_callback_mismatch"}});return{kind:"connect",...e,...t.returnTo===void 0?{}:{returnTo:t.returnTo},owner:o,initiatedBySubjectId:t.initiatedBySubjectId,redirect:r}}n(Vm,"buildConnectContextForTicket");async function Ym(e,t){let r=Jt(t,Zm(e.query.operationId)),o=e.query.redirect==="true",i=Ae(e.query.browserTicket);if(e.user){if(i)throw new h({message:"Use either an authenticated gateway request or a browser connect ticket, not both.",extensionMembers:{[g]:"invalid_request"}});let s=_e(e.user,e.url);return Wm(r,s,o,Km(e.query.returnTo).returnTo)}if(!i)throw new h({message:"Authentication is required to start the upstream connection flow.",extensionMembers:{[g]:"authentication_required"}});let a=await si(i);if(a.ownerMode!==r.ownerMode||a.upstreamServerId!==r.upstreamServerId||a.authProfileId!==r.authProfileId||a.operationId!==r.operationId)throw new h({message:"Browser connect ticket did not match the requested upstream flow",extensionMembers:{[g]:"oauth_callback_mismatch"}});return await ci(a),Vm(r,a,o)}n(Ym,"resolveConnectContext");async function Xm(e,t,r){let o=Bn.parse(Nm(e,"connection"));switch(r){case"connect":gt(e,await Ym(e,o));return;case"callback":{let 
i=Ae(e.query.error);if(i){gt(e,{kind:"callback_provider_error",upstreamServerId:o,error:i,...Jm(e)});return}let a=Ae(e.query.code),s=Ae(e.query.state);if(a&&s){gt(e,{kind:"callback_authorization_code",upstreamServerId:o,code:a,state:s});return}gt(e,{kind:"callback_invalid",upstreamServerId:o});return}case"client_metadata":gt(e,{kind:"client_metadata",upstreamServerId:o,authProfileId:Fm(o)});return}}n(Xm,"resolveUpstreamRequestInbound");async function Qm(e,t,r){try{await Xm(e,t,r);return}catch(o){let i=o instanceof h?o.extensionMembers?.[g]:void 0,a=o instanceof Error?o.message:void 0;switch(i){case"invalid_request":case"unknown_upstream_server":case"oauth_callback_mismatch":return ge.badRequest(e,t,{code:i,detail:a});case"authentication_required":return ge.unauthorized(e,t,{code:i,detail:a});default:throw o}}}n(Qm,"applyUpstreamRequestContext");function ir(e,t){return n(async(o,i)=>{let a=await Qm(o,i,e);return a||t(o,i)},"wrapped")}n(ir,"withUpstreamRequestContext");var ef=["callback_authorization_code","callback_provider_error","callback_invalid"];function yn(e){try{return new URL(e.url).pathname}catch{return}}n(yn,"readBrowserRequestPath");function tf(e){return"cause"in e?e.cause:void 0}n(tf,"readErrorCause");function rf(e){return e.stack?.split(`
48
- `).slice(1,4).map(t=>t.trim()).join(" | ")}n(rf,"readFirstStackFrame");function ys(e,t,r){r instanceof Error&&(e[`${t}Name`]=r.name,e[`${t}Message`]=r.message,e[`${t}StackFrame`]=rf(r))}n(ys,"addErrorAttributes");function _n(e){if(!(e instanceof h))return;let t=e.extensionMembers?.[g];return vt(t)?t:void 0}n(_n,"readRuntimeGatewayCode");function _s(e,t){let r=e.extensionMembers?.[t];return typeof r=="string"?r:void 0}n(_s,"readRuntimeErrorExtensionString");function nf(e,t){let r=e.extensionMembers?.[t];return typeof r=="number"?r:void 0}n(nf,"readRuntimeErrorExtensionNumber");function of(e,t,r,o){switch(r.kind){case"callback_provider_error":return t.log.warn({event:"upstream_oauth_provider_error",code:"provider_access_denied",upstreamServerId:r.upstreamServerId,providerError:r.error,...r.errorDescription===void 0?{}:{providerErrorDescription:r.errorDescription.slice(0,256)}},"Upstream identity provider returned an error to the OAuth callback"),x(t,{eventType:C.MCP_AUTH_UPSTREAM_TOKEN_EXCHANGE_FAILED,outcome:"failure",upstreamServerName:r.upstreamServerId,reasonCode:"provider_access_denied",reasonClass:"auth",attributes:{error:r.error,errorDescription:r.errorDescription}}),or(o,"provider_access_denied",{developerDetail:r.errorDescription??r.error,diagnostic:{code:"provider_access_denied",requestId:t.requestId,routePath:yn(e),upstreamServerId:r.upstreamServerId,providerError:r.error,providerErrorDescription:r.errorDescription,underlyingError:r.errorDescription??r.error}});case"callback_invalid":return t.log.warn({event:"upstream_oauth_callback_invalid",code:"oauth_state_invalid",upstreamServerId:r.upstreamServerId},"Upstream OAuth callback request missing required code/state parameters"),or(o,"oauth_state_invalid",{diagnostic:{code:"oauth_state_invalid",requestId:t.requestId,routePath:yn(e),upstreamServerId:r.upstreamServerId}});case"callback_authorization_code":return r}}n(of,"requireAuthorizationCallbackRequest");function 
af(e,t){x(e,{eventType:C.MCP_AUTH_UPSTREAM_CALLBACK_RECEIVED,outcome:"success",upstreamServerName:t.upstreamServerId})}n(af,"emitCallbackReceivedAnalyticsEvent");function sf(e,t){x(e,{eventType:C.MCP_AUTH_UPSTREAM_TOKEN_EXCHANGE_SUCCEEDED,outcome:"success",upstreamServerName:t.upstreamServerId,virtualServerName:t.operationId})}n(sf,"emitTokenExchangeSucceededAnalyticsEvent");function cf(e,t){if(t.returnTo){let r=t.returnOrigin??e.url;return Response.redirect(new URL(t.returnTo,r).toString(),302)}return hs({host:Ge(e.url),title:"Connection complete",body:"The upstream authorization flow completed successfully. You can return to your MCP client."})}n(cf,"buildSuccessfulCallbackResponse");function df(e){let t={detail:e instanceof Error?e.message:void 0};return ys(t,"error",e),e instanceof Error&&ys(t,"cause",tf(e)),t}n(df,"buildTokenExchangeFailureAttributes");function uf(e){x(e.context,{eventType:C.MCP_AUTH_UPSTREAM_TOKEN_EXCHANGE_FAILED,outcome:"failure",upstreamServerName:e.callbackRequest.upstreamServerId,reasonCode:_n(e.error)??"token_exchange_failed",reasonClass:"auth",errorType:e.error instanceof Error?e.error.name:"unknown",attributes:df(e.error)})}n(uf,"emitTokenExchangeFailedAnalyticsEvent");function lf(e){let t=e.error,r=_n(t),o=Mn(r)?r:"upstream_token_exchange_failed",i={code:o,requestId:e.context.requestId,routePath:yn(e.request),upstreamServerId:e.callbackRequest.upstreamServerId,underlyingError:t instanceof Error?t.message:void 0,...t instanceof h?{httpStatus:nf(t,Pe),contentType:_s(t,Ue),upstreamUrl:_s(t,Te)}:{}};return or(e.host,o,{developerDetail:t instanceof Error?t.message:void 0,diagnostic:i,upstreamHtml:pf(t)})}n(lf,"tokenExchangeFailureResponse");function pf(e){if(!(e instanceof h))return;let t=e.extensionMembers?.[ke];return typeof t=="string"?t:void 0}n(pf,"readUpstreamHtmlError");async function wn(e,t){let r=yt(e,ef),o=Ge(e.url),i=of(e,t,r,o);if(i instanceof Response)return i;af(t,i);try{let a=await Pi({request:e,callbackRequest:i});return 
sf(t,a),t.log.info({event:"upstream_oauth_token_exchange_succeeded",upstreamServerId:a.upstreamServerId,operationId:a.operationId,authProfileId:a.authProfileId,ownerMode:a.ownerMode},"Upstream OAuth token exchange completed; user connection established"),cf(e,a)}catch(a){let s={event:"upstream_oauth_token_exchange_failed",code:_n(a)??"upstream_token_exchange_failed",upstreamServerId:i.upstreamServerId};return L(s,"error",a),t.log.warn(s,"Upstream OAuth token exchange failed; user shown connection-failure page"),uf({context:t,callbackRequest:i,error:a}),lf({request:e,context:t,host:o,callbackRequest:i,error:a})}}n(wn,"callbackHandler");function mf(e){return(e instanceof Error?e.message:void 0)??"The requested upstream client metadata document was not found."}n(mf,"clientMetadataProblemDetail");async function ws(e,t){let r=yt(e,"connect"),o=await ki({request:e,connectRequest:r});if(x(t,{eventType:C.MCP_AUTH_UPSTREAM_CONNECT_STARTED,outcome:"success",upstreamServerName:r.upstreamServerId,virtualServerName:o.operationId,upstreamServerTitle:o.upstreamDisplayName}),t.log.info({event:"upstream_connect_started",upstreamServerId:r.upstreamServerId,authProfileId:o.authProfileId,operationId:o.operationId,ownerMode:r.ownerMode,redirect:r.redirect,hasReturnTo:r.returnTo!==void 0},"Upstream OAuth connect flow started"),r.redirect)return Response.redirect(o.authUrl,302);let i=await Ft({requestUrl:e.url,requestHeaders:e.headers,owner:o.owner,initiatedBySubjectId:o.initiatedBySubjectId,upstreamServerId:r.upstreamServerId,authProfileId:o.authProfileId,upstreamDisplayName:o.upstreamDisplayName,operationId:o.operationId,subject:"MCP route",...r.returnTo===void 0?{}:{returnTo:r.returnTo}});return Response.json(i,{status:428})}n(ws,"connectHandler");async function Rs(e,t){let r=yt(e,"client_metadata");try{let o=k(e.url,e.headers),i=mi(o,r.upstreamServerId,r.authProfileId);return Response.json(i)}catch(o){if(!(o instanceof q))throw o;let i=o instanceof Error?o.message:String(o);return 
t.log.warn({event:"oauth_client_metadata_request_failed",upstreamServerId:r.upstreamServerId,authProfileId:r.authProfileId,errorMessage:i},"Failed to serve OAuth client metadata document for upstream connection"),ge.notFound(e,t,{code:"not_found",detail:mf(o)})}}n(Rs,"oauthClientMetadataHandler");var ff={"access-control-allow-origin":"*","access-control-allow-methods":"GET, OPTIONS","access-control-allow-headers":"content-type, authorization","access-control-max-age":"86400"};function hf(){return new Response(null,{status:204,headers:ff})}n(hf,"buildWellKnownPreflightResponse");function gf(e){let t=new Headers(e.headers);return t.set("access-control-allow-origin","*"),new Response(e.body,{status:e.status,statusText:e.statusText,headers:t})}n(gf,"withWellKnownCorsHeaders");function Rn(e){return async(t,r)=>t.method==="OPTIONS"?hf():gf(await e(t,r))}n(Rn,"wrapWellKnownHandler");var vs=[{routeName:"oauth_as_metadata",path:"/.well-known/oauth-authorization-server",methods:["GET","OPTIONS"],handler:Rn(os),corsPolicy:"anything-goes"},{routeName:"oauth_as_metadata_scoped",path:"/.well-known/oauth-authorization-server/:routePath*",methods:["GET","OPTIONS"],handler:Rn(is),corsPolicy:"anything-goes"},{routeName:"oauth_protected_resource_metadata",path:"/.well-known/oauth-protected-resource/:routePath*",methods:["GET","OPTIONS"],handler:Rn(ao),corsPolicy:"anything-goes"},{routeName:"oauth_register",path:"/oauth/register",methods:["POST"],handler:as},{routeName:"oauth_authorize",path:"/oauth/authorize",methods:["GET"],handler:ss},{routeName:"oauth_authorize_scoped",path:"/oauth/authorize/:routePath*",methods:["GET"],handler:cs},{routeName:"oauth_callback",path:"/oauth/callback",methods:["GET"],handler:ds},{routeName:"oauth_dev_login",path:"/oauth/dev-login",methods:["GET"],handler:us},{routeName:"oauth_setup",path:"/oauth/setup",methods:["GET","POST"],handler:ls},{routeName:"oauth_token",path:"/oauth/token",methods:["POST"],handler:ps},{routeName:"oauth_revoke",path:"/oauth/rev
oke",methods:["POST"],handler:ms},{routeName:"upstream_client_metadata",path:"/.well-known/oauth-client/:connection",methods:["GET"],handler:ir("client_metadata",Rs)},{routeName:"upstream_connect",path:"/auth/connections/:connection/connect",methods:["GET"],handler:ir("connect",ws)},{routeName:"upstream_callback",path:"/auth/connections/:connection/callback",methods:["GET"],handler:ir("callback",wn)}],yf=vs.filter(e=>!e.routeName.startsWith("upstream_")),_f=vs.filter(e=>e.routeName.startsWith("upstream_"));function wf(e){let t=Wn({routes:e.routes,policies:e.policies});return Vn(t),t}n(wf,"initializeMcpGatewayConnectionRegistry");function Rf(e){return[...e.byOperationId.values()].some(t=>t.downstreamOAuth!==void 0)}n(Rf,"hasDownstreamOAuthRoutes");function bf(e){let t=new Map;for(let o of e.byOperationId.values())o.downstreamOAuth&&t.set(o.downstreamOAuth.policyName,o.downstreamOAuth.config);if(t.size===1)return[...t.values()][0];let r=[...t.keys()].map(o=>`"${o}"`).join(", ");throw new q(`MCP gateway found multiple attached OAuth policies: ${r}. 
Multiple downstream MCP OAuth configs in one gateway are not supported yet; use one MCP OAuth policy across MCP routes or split these routes into separate gateways.`)}n(bf,"readSingletonDownstreamOAuthConfig");function Cf(e,t,r){let o=String(t.params.routePath??""),i=e.byRoutePath.get(to(o));if(i===void 0)return;let a=i?.downstreamOAuth?.config;return a===void 0?St(t,r,{code:"not_found",detail:"The requested MCP route does not expose downstream OAuth."}):a}n(Cf,"readScopedDownstreamOAuthConfig");function vf(e){return e.path==="/.well-known/oauth-authorization-server/:routePath*"||e.path==="/.well-known/oauth-protected-resource/:routePath*"||e.path==="/oauth/authorize/:routePath*"}n(vf,"routeUsesScopedOAuthConfig");function bs(e,t,r){return async(o,i)=>{if(r){let u=await r(o,i);if(u instanceof Response)return u;u&&qn(i,u)}let a=o.method==="OPTIONS",s=Date.now();a||i.log.info({event:`${e}_received`,method:o.method},`MCP gateway: ${e} received`);let c=await t(o,i);return a||i.log.info({event:`${e}_responded`,status:c.status,durationMs:Date.now()-s},`MCP gateway: ${e} responded`),c}}n(bs,"wrapInternalHandler");function Cs(e,t,r){e.addPluginRoute({path:t.path,methods:t.methods,handler:r,processors:[xn],corsPolicy:t.corsPolicy??"none"})}n(Cs,"addInternalRoute");function Ss(e,t){let r=wf(t),o=Rf(r),i=r.connectionsById.size>0,a,s=n(()=>(a===void 0&&(a=bf(r)),a),"readSingletonOAuthConfig");if(o)for(let c of yf){let u=vf(c)?(p,f)=>Cf(r,p,f):s;Cs(e,c,bs(c.routeName,c.handler,u))}if(i)for(let c of _f)Cs(e,c,bs(c.routeName,c.handler))}n(Ss,"registerMcpGatewayInternalRoutes");var bn=class extends Sn{static{n(this,"McpGatewayPlugin")}registerRoutes(t){let r=t.parsedRouteData;r&&Ss(t.router,{routes:r.routes,policies:r.policies})}};var Sf=new TextDecoder;function If(e){if(e)try{return JSON.parse(Sf.decode(e))}catch{return}}n(If,"readBodyJson");function se(e){return e&&typeof e=="object"?e:void 0}n(se,"readRecord");function _t(e,t){let r=se(e)?.[t];return typeof r=="string"?r:void 
0}n(_t,"readStringProperty");function xs(e,t){let r=se(e)?.[t];return typeof r=="number"?r:void 0}n(xs,"readNumberProperty");function Is(e,t){return xs(e,"code")??(t.status>=400?t.status:void 0)}n(Is,"readErrorCode");function As(e){return Array.isArray(e)?e.map(As).find(t=>t?.method):se(e)}n(As,"readJsonRpcMessage");function Us(e){let t=As(If(e)),r=typeof t?.method=="string"?t.method:"",o=t?.params;switch(r){case"tools/list":return{mcpMethod:r,capabilityType:"tool"};case"tools/call":return{mcpMethod:r,capabilityType:"tool",capabilityName:_t(o,"name")};case"prompts/list":return{mcpMethod:r,capabilityType:"prompt"};case"prompts/get":return{mcpMethod:r,capabilityType:"prompt",capabilityName:_t(o,"name")};case"resources/list":case"resources/templates/list":return{mcpMethod:r,capabilityType:"resource"};case"resources/read":{let i=_t(o,"uri");return{mcpMethod:r,capabilityType:"resource",capabilityName:i,resourceUri:i}}default:return null}}n(Us,"buildBaseCapabilityInput");function ks(e){return e==="tools/list"||e==="prompts/list"||e==="resources/list"||e==="resources/templates/list"}n(ks,"isCapabilityListMethod");function xf(e,t,r){let a=se(r)?.[e==="resources/templates/list"?"resourceTemplates":t==="tool"?"tools":t==="prompt"?"prompts":"resources"];return Array.isArray(a)?a.length:void 0}n(xf,"readItemCount");async function Af(e){try{return await e.clone().json()}catch{return}}n(Af,"readResponseJson");function Ps(e){let t=Us(e);return!t||ks(t.mcpMethod)?null:{eventType:C.MCP_CAPABILITY_INVOKED,outcome:"success",...t}}n(Ps,"buildCapabilityInvokedAnalyticsInput");async function Ts(e,t){let r=Us(e);if(!r)return null;let o=se(await 
Af(t)),i=se(o?.error),a=se(i?.data),s=o?.result,c=r.mcpMethod==="tools/call"&&se(s)?.isError===!0;if(se(a?.connectRequired))return{eventType:C.MCP_CAPABILITY_CONNECT_REQUIRED,outcome:"connect_required",...r,httpStatusCode:t.status,reasonCode:"connect_required",reasonClass:"auth",errorType:"connect_required",errorCode:xs(i,"code"),mcpErrorType:_t(i,"message")};if(ks(r.mcpMethod)){let u=t.status>=400?void 0:xf(r.mcpMethod,r.capabilityType,s);return{eventType:C.MCP_CAPABILITY_LISTED,outcome:t.status>=400||i?"failure":"success",...r,httpStatusCode:t.status,...t.status>=400||i?{reasonCode:"upstream_capability_list_failed",reasonClass:"upstream",errorType:"capability_list_error",errorCode:Is(i,t)}:{},...u===void 0?{}:{attributes:{itemCount:u}}}}return t.status>=400||i?{eventType:C.MCP_CAPABILITY_FAILED,outcome:"failure",...r,httpStatusCode:t.status,reasonCode:"upstream_capability_invocation_failed",reasonClass:"upstream",errorType:"capability_error",errorCode:Is(i,t),mcpErrorType:_t(i,"message")}:{eventType:C.MCP_CAPABILITY_COMPLETED,outcome:c?"application_error":"success",...r,httpStatusCode:t.status,toolResultIsError:c,applicationError:c}}n(Ts,"buildCapabilityFinalAnalyticsInput");var Uf={Allow:"POST"};async function kf(e){try{return await e.clone().arrayBuffer()}catch{return}}n(kf,"readRequestBody");function Es(e){try{let t=Yn(e.route.path);return{virtualServerName:t.operationId,upstreamServerName:t.connection?.upstreamServerId,upstreamServerTitle:t.connection?.displayName,authProfileId:t.connection?.authProfileId,upstreamAuthMode:t.connection?.authMode}}catch{return{}}}n(Es,"readRouteAnalyticsFields");function Os(e){return co(e.user,e.url,e.headers)?.subjectId}n(Os,"readRequestSubjectId");function Pf(e){let t=Ps(e.requestBody);t&&x(e.context,{...t,...Es(e.context),httpMethod:e.request.method,subjectId:Os(e.request),transport:"http"})}n(Pf,"emitCapabilityInvokedAnalytics");async function Tf(e){let t=await 
Ts(e.requestBody,e.response);t&&x(e.context,{...t,...Es(e.context),httpMethod:e.request.method,subjectId:Os(e.request),transport:"http",latencyMs:Date.now()-e.startedAt})}n(Tf,"emitCapabilityFinalAnalytics");async function Ef(e,t){if(e.method==="GET")return ge.methodNotAllowed(e,t,{detail:"MCP Gateway routes support stateless Streamable HTTP requests over POST. Server-sent event GET streams are not supported."},Uf);let r=Date.now(),o=await kf(e);Pf({context:t,request:e,requestBody:o});let i=await On(e,t);return await Tf({context:t,request:e,requestBody:o,response:i,startedAt:r}),i}n(Ef,"McpProxyHandler");export{Fs as McpAuth0OAuthInboundPolicy,gr as McpCapabilityFilterInboundPolicy,qs as McpClerkOAuthInboundPolicy,Ms as McpCognitoOAuthInboundPolicy,Ds as McpEntraOAuthInboundPolicy,bn as McpGatewayPlugin,Hs as McpGoogleOAuthInboundPolicy,zs as McpKeycloakOAuthInboundPolicy,Ls as McpLogtoOAuthInboundPolicy,Bs as McpOAuthInboundPolicy,js as McpOktaOAuthInboundPolicy,Ns as McpOneLoginOAuthInboundPolicy,Gs as McpPingOAuthInboundPolicy,Ef as McpProxyHandler,Kr as McpTokenExchangeInboundPolicy,$s as McpWorkosOAuthInboundPolicy};
47
+ ></iframe>`}n(dl,"renderUpstreamHtml");var ji="application/json",ul="application/x-www-form-urlencoded";function Yt(e,t){return new h({message:e,extensionMembers:{[g]:"invalid_request"}},t===void 0?void 0:{cause:t})}n(Yt,"invalidRequestError");function ll(e){return(e??"").split(";")[0]?.trim().toLowerCase()??""}n(ll,"normalizeContentType");function pl(e,t){return e===t?!0:t===ji&&e.endsWith("+json")}n(pl,"contentTypeMatches");function ml(e,t){if(!t||t.length===0)return;let r=ll(e.headers.get("content-type"));if(!t.some(o=>pl(r,o)))throw Yt(`Request body must be ${t.join(" or ")}.`)}n(ml,"assertExpectedContentType");function fl(e,t,r){let o=e.headers.get("content-length");if(!o)return;let i=Number.parseInt(o,10);if(Number.isFinite(i)&&i>t)throw Yt(`${r} exceeded the maximum allowed size.`)}n(fl,"assertContentLengthWithinLimit");async function Ni(e,t){let r=t.label??"Request body";ml(e,t.expectedContentTypes),fl(e,t.maxBytes,r);let o=await Gt(e.body,{maxBytes:t.maxBytes,createLimitError:n(()=>Yt(`${r} exceeded the maximum allowed size.`),"createLimitError")});return new TextDecoder().decode(o)}n(Ni,"readBoundedTextBody");async function Gi(e,t){let r=await Ni(e,{...t,expectedContentTypes:[ji]});try{return JSON.parse(r)}catch(o){throw Yt("Request body must be valid JSON.",o)}}n(Gi,"readBoundedJsonBody");async function $i(e,t){let r=await Ni(e,{...t,expectedContentTypes:[ul]});return new URLSearchParams(r)}n($i,"readBoundedFormUrlEncodedBody");$();$();import{errors as Fi,jwtVerify as Zi,SignJWT as Ki}from"jose";var hl={invalid_request:400,invalid_client:401,invalid_grant:400,invalid_target:400,unsupported_grant_type:400,server_error:500,invalid_redirect_uri:400,invalid_client_metadata:400},m=class extends Error{static{n(this,"OAuthProtocolError")}errorCode;status;constructor(t,r,o=hl[t],i){super(r,i),this.name="OAuthProtocolError",this.errorCode=t,this.status=o}};var 
gl=5*60,yl=d.object({purpose:d.literal("gateway_browser_login"),transactionId:lr,stateId:pr,exp:d.number().int().positive(),iat:d.number().int().positive().optional()}),wl=d.object({purpose:d.literal("gateway_authorization_setup"),transactionId:lr,stateId:pr,exp:d.number().int().positive(),iat:d.number().int().positive().optional()});async function Ji(){return V({purpose:"browser-login",keyMaterialPurpose:"oauth-state-signing",derive:n(e=>me(e,"browser-login"),"derive")})}n(Ji,"getBrowserLoginKey");async function Wi(){return V({purpose:"authorization-csrf",keyMaterialPurpose:"oauth-state-signing",derive:n(e=>me(e,"authorization-csrf"),"derive")})}n(Wi,"getCsrfKey");function Vi(e){return{now:e.now??new Date,ttlSeconds:Yi()}}n(Vi,"readPendingTransactionDependencies");function Yi(){return D().browserLogin.stateTtlSeconds}n(Yi,"readBrowserLoginStateTtlSeconds");function _l(e){let t=M();return T(e)&&t.isActionPath(e.pathname,"/oauth/dev-login")}n(_l,"isLoopbackDevLoginUrl");function Rl(e){let t=D().browserLogin,r=M(),o=new URL(le("url")),i=new URL(r.actionPath("/oauth/callback"),Tt(e.requestUrl,e.requestHeaders));return _l(o)?(o.searchParams.set("redirect_uri",i.toString()),o.searchParams.set("state",e.state),o):(o.searchParams.set("response_type","code"),o.searchParams.set("client_id",le("clientId")),o.searchParams.set("redirect_uri",i.toString()),o.searchParams.set("scope",t.scope),o.searchParams.set("state",e.state),o.searchParams.set("nonce",e.nonce),t.audience&&o.searchParams.set("audience",t.audience),o)}n(Rl,"buildBrowserLoginUrl");function bl(e,t){return e.subjectId===t.subjectId}n(bl,"principalsMatch");function Xi(e){return{subjectId:e.subjectId,...e.roles===void 0?{}:{roles:e.roles}}}n(Xi,"toPendingPrincipal");function Qi(e){let 
t={id:e.id,currentStateHash:e.currentStateHash,clientId:e.transaction.clientId,redirectUri:e.transaction.redirectUri,resource:e.transaction.resource,operationId:e.transaction.operationId,scope:e.transaction.scope,codeChallenge:e.transaction.codeChallenge,codeChallengeMethod:e.transaction.codeChallengeMethod,createdAt:R(e.now),expiresAt:R(ne(e.now,e.ttlSeconds)),...e.transaction.clientState===void 0?{}:{clientState:e.transaction.clientState}};if(e.phase==="awaiting_login")return{...t,phase:"awaiting_login"};if(!e.principal)throw w("identity_context_missing","Authorization setup requires a principal.");return{...t,phase:"awaiting_setup",principal:Xi(e.principal)}}n(Qi,"createTransactionRecord");async function ea(e){let{id:t,...r}=e.record,o=await b().startAuthorization({...r,transactionId:t,...e.client===void 0?{}:{client:e.client}});switch(o.kind){case"started":return o.transaction;case"already_exists":throw w("oauth_state_reused","Authorization transaction state already exists.");case"invalid_client":throw new m("invalid_client","OAuth client is not registered.");case"redirect_uri_mismatch":throw new m("invalid_request","redirect_uri is not registered for the client.")}}n(ea,"startPendingTransaction");async function Cl(e){return new Ki({purpose:"gateway_browser_login",transactionId:e.transactionId,stateId:e.stateId}).setProtectedHeader({alg:N,typ:"JWT"}).setIssuer(L).setAudience(j).setIssuedAt().setExpirationTime(Math.floor(Date.now()/1e3)+e.ttlSeconds).sign(await Ji())}n(Cl,"signBrowserLoginState");async function ta(e){return new Ki({purpose:"gateway_authorization_setup",transactionId:e.transactionId,stateId:fr()}).setProtectedHeader({alg:N,typ:"JWT"}).setIssuer(L).setAudience(j).setIssuedAt().setExpirationTime(Math.floor(Date.now()/1e3)+e.ttlSeconds).sign(await Wi())}n(ta,"signCsrfToken");async function Wr(e){try{let{payload:t}=await Zi(e,await 
Ji(),{algorithms:[N],issuer:L,audience:j}),r=yl.parse(t);return{transactionId:r.transactionId,stateId:r.stateId}}catch(t){throw t instanceof Fi.JWTExpired?w("oauth_state_expired","Browser login state has expired.",t):w("oauth_state_invalid","Browser login state could not be verified.",t)}}n(Wr,"verifyBrowserLoginStateToken");async function Xt(e){try{let{payload:t}=await Zi(e,await Wi(),{algorithms:[N],issuer:L,audience:j});return{transactionId:wl.parse(t).transactionId}}catch(t){throw t instanceof Fi.JWTExpired?w("oauth_state_expired","Authorization setup state has expired.",t):w("oauth_state_invalid","Authorization setup state could not be verified.",t)}}n(Xt,"verifyCsrfToken");function Vr(e){return e==="consumed"||e==="consumed_already"||e==="stale_hash"?"oauth_state_reused":e==="expired"?"oauth_state_expired":"oauth_state_invalid"}n(Vr,"pendingStateErrorCode");function vl(e){return e.kind==="available"?{kind:"available",record:e.transaction}:e}n(vl,"toPendingAuthorizationGetResult");function Sl(e){return e.kind==="advanced"?{kind:"advanced",record:e.transaction}:e}n(Sl,"toPendingAuthorizationAdvanceResult");function Yr(e){return e==="principal_mismatch"?"oauth_callback_mismatch":Vr(e==="consumed_already"?"consumed_already":e)}n(Yr,"setupDecisionErrorCode");async function ra(e){let t=e.now??new Date,r=await Xt(e.csrfToken),o=await b().markAuthorizationSetupApproved({transactionId:r.transactionId,currentStateHash:await U(e.csrfToken),currentPrincipal:{subjectId:e.currentBrowserPrincipal.subjectId},now:R(t)});if(o.kind!=="marked")throw w(Yr(o.kind),"Authorization setup state is invalid, expired, or already used.");return na({kind:"available",record:o.transaction})}n(ra,"markSetupApproved");function na(e){if(e.kind!=="available")throw w(Vr(e.kind),"Authorization setup state is invalid, expired, or already used.");if(e.record.phase!=="awaiting_setup")throw w("oauth_state_invalid","Authorization setup state is not in the setup phase.");return 
e.record}n(na,"requireAwaitingSetup");function Il(e){if(!bl(e.currentBrowserPrincipal,e.transaction.principal))throw w("oauth_callback_mismatch","Authorization setup state does not match the current browser session.")}n(Il,"requireCurrentPrincipalMatches");async function oa(e){let t=e.now??new Date,r=Yi(),o=mr(),i=fr(),a=await Cl({transactionId:o,stateId:i,ttlSeconds:r}),s=Qi({id:o,transaction:e.transaction,currentStateHash:await U(a),phase:"awaiting_login",now:t,ttlSeconds:r});if(s.phase!=="awaiting_login")throw w("oauth_state_invalid","Authorization transaction did not start in login phase.");let c=await ea({record:s,client:e.transaction.client});if(c.phase!=="awaiting_login")throw w("oauth_state_invalid","Authorization transaction did not start in login phase.");return{transaction:c,browserLoginStateToken:a,browserLoginUrl:Rl({state:a,nonce:i,requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders}})}}n(oa,"startAwaitingLogin");async function ia(e){let{now:t,ttlSeconds:r}=Vi(e),o=mr(),i=await ta({transactionId:o,ttlSeconds:r}),a=Qi({id:o,transaction:e.transaction,currentStateHash:await U(i),phase:"awaiting_setup",principal:e.principal,now:t,ttlSeconds:r});if(a.phase!=="awaiting_setup")throw w("oauth_state_invalid","Authorization transaction did not start in setup phase.");let s=await ea({record:a,client:e.transaction.client});if(s.phase!=="awaiting_setup")throw w("oauth_state_invalid","Authorization transaction did not start in setup phase.");return{transaction:s,csrfToken:i}}n(ia,"startAwaitingSetup");async function aa(e){let{now:t,ttlSeconds:r}=Vi(e),o=await Wr(e.browserLoginStateToken),i=await ta({transactionId:o.transactionId,ttlSeconds:r}),a=Sl(await b().advancePendingAuthorization({transactionId:o.transactionId,expectedPhase:"awaiting_login",currentStateHash:await U(e.browserLoginStateToken),nextStateHash:await U(i),nextPhase:"awaiting_setup",principal:Xi(e.principal),now:R(t)}));if(a.kind!=="advanced")throw 
w(Vr(a.kind),"Browser login state is invalid, expired, or already used.");if(a.record.phase!=="awaiting_setup")throw w("oauth_state_invalid","Browser login did not advance to setup.");return{transaction:a.record,csrfToken:i}}n(aa,"completeLogin");async function sa(e){let t=await Xr(e);return Il({transaction:t,currentBrowserPrincipal:e.currentBrowserPrincipal}),t}n(sa,"getSetup");async function Xr(e){let t=e.now??new Date,r=await Xt(e.csrfToken);return na(vl(await b().readPendingAuthorization({transactionId:r.transactionId,currentStateHash:await U(e.csrfToken),now:R(t)})))}n(Xr,"getSetupTransaction");async function xl(e){let t=await Xt(e.csrfToken),r=pe(),o=R(ne(e.now,gl)),i=await b().decideAuthorizationSetup({decision:"approve",transactionId:t.transactionId,currentStateHash:await U(e.csrfToken),currentPrincipal:{subjectId:e.currentBrowserPrincipal.subjectId},authorizationCodeHash:await U(r),authorizationCodeExpiresAt:o,grantId:io(),now:R(e.now)});if(i.kind!=="approved")throw w(i.kind==="cancelled"?"oauth_state_invalid":Yr(i.kind),"Authorization setup state is invalid, expired, or already used.");let a=new URL(i.transaction.redirectUri);return a.searchParams.set("code",r),i.transaction.clientState&&a.searchParams.set("state",i.transaction.clientState),a}n(xl,"createAuthorizationCodeRedirectWithDecision");async function Al(e){let t=await Xt(e.csrfToken),r=await b().decideAuthorizationSetup({decision:"cancel",transactionId:t.transactionId,currentStateHash:await U(e.csrfToken),currentPrincipal:{subjectId:e.currentBrowserPrincipal.subjectId},now:R(e.now)});if(r.kind!=="cancelled")throw w(r.kind==="approved"?"oauth_state_invalid":Yr(r.kind),"Authorization setup state is invalid, expired, or already used.");return Ul({redirectUri:r.transaction.redirectUri,clientState:r.transaction.clientState})}n(Al,"createCancelRedirectWithDecision");function Ul(e){let t=new URL(e.redirectUri);return t.searchParams.set("error","access_denied"),t.searchParams.set("error_description","The 
user cancelled the MCP authorization request."),e.clientState!==void 0&&t.searchParams.set("state",e.clientState),t}n(Ul,"buildClientCancelRedirect");async function ca(e){let t=e.now??new Date;return xl({csrfToken:e.csrfToken,currentBrowserPrincipal:e.currentBrowserPrincipal,now:t})}n(ca,"approve");async function da(e){let t=e.now??new Date;return Al({csrfToken:e.csrfToken,currentBrowserPrincipal:e.currentBrowserPrincipal,now:t})}n(da,"cancel");$();import{createRemoteJWKSet as kl,errors as Fe,jwtVerify as ua,SignJWT as Pl}from"jose";var tn="zuplo_mcp_session",Tl=d.object({purpose:d.literal("gateway_browser_session"),sub:Ve,browserLoginOrigin:d.string().min(1),roles:d.array(d.string().min(1)).optional(),exp:d.number().int().positive(),iat:d.number().int().positive().optional()}),El=d.object({id_token:d.string().min(1),token_type:d.string().min(1).optional(),expires_in:d.number().optional(),access_token:d.string().min(1).optional(),refresh_token:d.string().min(1).optional(),scope:d.string().min(1).optional()}),Ol=d.object({error:d.string().min(1).optional(),error_description:d.string().min(1).optional(),error_uri:d.string().min(1).optional()}),Ml=d.object({sub:Ve,nonce:d.string().min(1)}).catchall(d.unknown()),Qr;function ql(e){let t=new Map;if(!e)return t;for(let r of e.split(";")){let o=r.indexOf("=");if(o<0)continue;let i=r.slice(0,o).trim(),a=r.slice(o+1).trim();if(i)try{t.set(i,decodeURIComponent(a))}catch{t.set(i,a)}}return t}n(ql,"parseCookieHeader");async function la(){return V({purpose:"browser-session",keyMaterialPurpose:"oauth-state-signing",derive:n(e=>me(e,"browser-session"),"derive")})}n(la,"getBrowserSessionKey");function en(e,t){let r=new URL(k(e,t)),o=[`${tn}=`,"Path=/","HttpOnly","SameSite=Lax","Max-Age=0"];return r.protocol==="https:"&&o.push("Secure"),o.join("; ")}n(en,"buildBrowserSessionEvictionCookie");function Dl(e){let t=new 
URL(k(e.requestUrl,e.requestHeaders)),r=[`${tn}=${encodeURIComponent(e.value)}`,"Path=/","HttpOnly","SameSite=Lax",`Max-Age=${e.ttlSeconds}`];return t.protocol==="https:"&&r.push("Secure"),r.join("; ")}n(Dl,"serializeSessionCookie");function pa(){return new URL(le("url")).origin}n(pa,"readBrowserLoginOrigin");function Hl(e){let t=Ol.safeParse(e);if(!t.success)return{};let r={};return t.data.error!==void 0&&(r.idpError=t.data.error),t.data.error_description!==void 0&&(r.idpErrorDescription=t.data.error_description.slice(0,256)),t.data.error_uri!==void 0&&(r.idpErrorUri=t.data.error_uri.slice(0,256)),r}n(Hl,"readIdpErrorFields");function zl(e){return e instanceof Fe.JWTExpired?"expired":e instanceof Fe.JWTClaimValidationFailed?"claim":e instanceof Fe.JWSSignatureVerificationFailed?"signature":e instanceof Fe.JWKSNoMatchingKey?"jwks_no_match":e instanceof Fe.JWTInvalid?"invalid":e instanceof d.ZodError?"schema":"other"}n(zl,"readJwtFailureKind");function Ll(e){return e instanceof Error&&"cause"in e?e.cause:e}n(Ll,"readErrorCause");function Bl(e){if(e!==null&&typeof e=="object"&&"extensionMembers"in e)return e.extensionMembers?.gatewayCode}n(Bl,"readRuntimeGatewayCode");function jl(){if(!Qr){let e=D();Qr=kl(new URL(e.oidc.jwksUrl),{timeoutDuration:e.browserLogin.remoteTimeoutMs})}return Qr}n(jl,"readFederatedJwks");function ma(e){if(!e.user)throw w("authentication_required","The browser login callback did not include an authenticated Zuplo principal.");return _e(e.user,e.url)}n(ma,"resolveCurrentRequestPrincipal");async function Qt(e,t={}){let r=ql(e.headers.get("cookie")).get(tn);if(!r)return{};try{let{payload:o}=await ua(r,await la(),{algorithms:[N],issuer:L,audience:j}),i=Tl.parse(o);if(i.browserLoginOrigin!==pa())return{evictCookie:en(e.url,e.headers)};let a={subjectId:i.sub};return i.roles&&i.roles.length>0&&(a.roles=i.roles),{principal:a}}catch(o){return o instanceof 
Fe.JWTExpired?{evictCookie:en(e.url,e.headers)}:(t.context?.log.warn({event:"browser_session_verification_failed",errorName:o instanceof Error?o.name:"unknown",errorMessage:o instanceof Error?o.message:"verification failed"},"Browser session JWT verification failed"),{evictCookie:en(e.url,e.headers)})}}n(Qt,"readBrowserSession");async function er(e){let t=D().browserLogin.sessionTtlSeconds,r={purpose:"gateway_browser_session",sub:e.principal.subjectId,browserLoginOrigin:pa()};e.principal.roles&&(r.roles=e.principal.roles);let o=await new Pl(r).setProtectedHeader({alg:N,typ:"JWT"}).setIssuer(L).setAudience(j).setIssuedAt().setExpirationTime(Math.floor(Date.now()/1e3)+t).sign(await la());return Dl({value:o,requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders},ttlSeconds:t})}n(er,"createBrowserSessionCookie");async function Nl(e){let t=D(),r=le("tokenUrl"),o=le("clientId"),i=le("clientSecret"),a=new URL(M().actionPath("/oauth/callback"),Tt(e.requestUrl,e.requestHeaders)).toString(),s=new URLSearchParams({grant_type:"authorization_code",code:e.code,redirect_uri:a,client_id:o,client_secret:i});try{let{response:c,json:u}=await $o(r,{method:"POST",headers:{accept:"application/json","content-type":"application/x-www-form-urlencoded"},body:s},{maxResponseBytes:32768,problemCode:"browser_login_verification_failed",timeoutMs:t.browserLogin.remoteTimeoutMs,...e.context===void 0?{}:{context:e.context}});if(!c.ok){let S=Hl(u);throw e.context?.log.warn({event:"federated_token_exchange_failed",code:"provider_access_denied",idpHost:Z(r),idpStatus:c.status,...S},"Federated browser login token exchange returned non-2xx from the identity provider"),w({code:"provider_access_denied",privateDetail:"Federated browser login token exchange failed.",cause:new Error(`IdP token exchange failed (status=${c.status}${S.idpError?` idp_error=${S.idpError}`:""}${S.idpErrorDescription?` idp_error_description=${S.idpErrorDescription}`:""})`)})}let 
p=El.parse(u),f;try{({payload:f}=await ua(p.id_token,jl(),{issuer:t.oidc.issuer,audience:o}))}catch(S){let I={};throw B(I,"error",S),e.context?.log.warn({event:"federated_id_token_verification_failed",code:"browser_login_verification_failed",failureKind:zl(S),idpHost:Z(r),expectedIssuer:t.oidc.issuer,...I},"Federated id_token failed jose verification"),S}if(f.nonce!==e.nonce)throw e.context?.log.warn({event:"federated_nonce_mismatch",code:"oauth_callback_mismatch",idpHost:Z(r),nonceMissingFromIdToken:f.nonce===void 0},"Federated id_token nonce did not match the signed gateway state"),w("oauth_callback_mismatch","Federated browser login nonce did not match the signed gateway state.");let _=Ml.parse(f);return _e({sub:_.sub,data:_},e.requestUrl)}catch(c){let u=re(c)??Bl(c);throw u!==void 0&&u!=="browser_login_verification_failed"?c:w("browser_login_verification_failed","Federated browser login callback could not be verified.",Ll(c))}}n(Nl,"exchangeFederatedAuthorizationCode");async function fa(e){let t={};e.context!==void 0&&(t.context=e.context);let r=await Qt(e.request,t);if(r.principal)return r.principal;let o=typeof e.request.query.code=="string"?e.request.query.code:void 0;if(!o)throw w("oauth_callback_mismatch","Federated browser login callback is missing an authorization code.");return Nl({code:o,nonce:e.stateId,requestUrl:e.request.url,requestHeaders:e.request.headers,...e.context===void 0?{}:{context:e.context}})}n(fa,"resolveBrowserLoginCallbackPrincipal");$();var Gl="chatgpt.com",$l="ChatGPT CIMD client metadata could not be used by this gateway. 
In ChatGPT advanced OAuth settings, change Registration method to Dynamic Client Registration (DCR), keep the discovered Registration URL, and retry connecting.",rn="dcr:pkjwt:";function ha(e){if(Fl(e.clientId))return $l}n(ha,"readCimdInvalidClientCompatibilityMessage");function Fl(e){try{let t=new URL(e);return t.protocol==="https:"&&t.hostname===Gl&&t.pathname.startsWith("/oauth/")&&t.pathname.endsWith("/client.json")}catch{return!1}}n(Fl,"isChatGptCimdClientId");function ga(e){return`${rn}${e.clientId}:${Zl(e.jwksUri)}`}n(ga,"createPrivateKeyJwtDcrCompatibilityClientId");function ya(e){if(!tr(e))return;let t=e.slice(rn.length),r=t.indexOf(":");if(r===-1)return;let o=Kl(t.slice(r+1));if(o!==void 0){try{Se(o)}catch{return}return o}}n(ya,"readPrivateKeyJwtDcrCompatibilityJwksUri");function tr(e){return e.startsWith(rn)}n(tr,"isPrivateKeyJwtDcrCompatibilityClientId");function Zl(e){let t=new TextEncoder().encode(e),r="";for(let o of t)r+=String.fromCharCode(o);return btoa(r).replaceAll("+","-").replaceAll("/","_").replace(/=+$/,"")}n(Zl,"encodeBase64Url");function Kl(e){let t=e.replaceAll("-","+").replaceAll("_","/"),r=t.padEnd(t.length+(4-t.length%4)%4,"="),o;try{o=atob(r)}catch{return}let i=new Uint8Array(o.length);for(let a=0;a<o.length;a+=1)i[a]=o.charCodeAt(a);return new TextDecoder().decode(i)}n(Kl,"decodeBase64Url");var Jl=new Set(["about","blob","data","file","ftp","ftps","javascript","mailto","urn","ws","wss"]);function Wl(e){return e.protocol.replace(/:$/u,"").toLowerCase()}n(Wl,"readScheme");function Vl(e){return e.protocol==="https:"}n(Vl,"isSpecCompliantRedirectUri");function Yl(e){let t=Wl(e);return t.length>0&&t!=="http"&&t!=="https"&&!Jl.has(t)}n(Yl,"isNativeAppCustomSchemeRedirectUri");var 
_a=[{id:"oauth.redirect_uri.https",mode:"strict",accepts:n(e=>Vl(e),"accepts")},{id:"oauth.redirect_uri.loopback_http",mode:"native_app",accepts:n(e=>T(e),"accepts"),matches:n((e,t)=>T(e)&&T(t)&&e.pathname===t.pathname&&e.search===t.search,"matches")},{id:"oauth.redirect_uri.custom_scheme",mode:"native_app",accepts:n(e=>Yl(e),"accepts")}];function Ra(e){let t=_a.find(r=>r.accepts(e.url));return t===void 0?{kind:"rejected"}:{kind:"allowed",ruleId:t.id,mode:t.mode}}n(Ra,"evaluateBuiltInRedirectUriCompatibility");function wa(e){try{return new URL(e)}catch{return}}n(wa,"parseUrl");function ba(e){if(e.registeredRedirectUri===e.requestedRedirectUri)return!0;let t=wa(e.registeredRedirectUri),r=wa(e.requestedRedirectUri);return t===void 0||r===void 0?!1:_a.some(o=>o.matches?.(t,r))}n(ba,"redirectUriMatchesBuiltInCompatibility");var Xl=1e4,Ql=5*1024,ep=0,tp=90*24*60*60,nn=["authorization_code","refresh_token"],on=["code"],rp=d.object({client_name:d.string().min(1).optional(),redirect_uris:d.array(d.string().min(1)).min(1),grant_types:d.array(d.enum(nn)).min(1).max(2).optional(),response_types:d.array(d.enum(on)).min(1).max(1).optional(),scope:d.literal(H).optional(),token_endpoint_auth_method:oo.optional(),jwks_uri:d.string().min(1).optional()});function np(e){try{let t=new URL(e);return(t.protocol==="https:"||t.protocol==="http:"&&T(t))&&t.pathname!=="/"}catch{return!1}}n(np,"isCimdClientIdCandidate");function Ca(e,t){throw new m("invalid_client",ha({clientId:e})??"OAuth client is not registered.",void 0,t===void 0?void 0:{cause:t})}n(Ca,"invalidCimdClientError");function Ze(e,t="invalid_request"){if(op(e))throw new m(t,"redirect_uris must not include raw whitespace or control characters.");let r;try{r=new URL(e)}catch{throw new m(t,"redirect_uris must be absolute URIs.")}if(r.hash||r.username||r.password)throw new m(t,"redirect_uris must not include credentials or fragments.");if(Ra({url:r}).kind==="rejected")throw new m(t,"redirect_uris must use HTTPS, loopback HTTP, or 
a native-app private-use URI scheme.")}n(Ze,"assertValidRedirectUri");function op(e){for(let t=0;t<e.length;t+=1){let r=e.charCodeAt(t);if(r<=32||r>=127&&r<=159)return!0}return!1}n(op,"hasForbiddenRawRedirectUriCharacter");async function ip(e){let{response:t,json:r}=await Fo(e.initialUrl,{headers:{accept:"application/json"}},{maxRedirects:ep,maxResponseBytes:Ql,timeoutMs:Xl});if(!t.ok)throw w("invalid_request","CIMD metadata could not be fetched.");let o=Ot(r);for(let i of o.redirect_uris)Ze(i,"invalid_request");if(o.jwks_uri!==void 0&&Se(o.jwks_uri),o.client_id!==e.clientId)throw w("invalid_request","Fetched CIMD client_id must exactly match the requested client_id.");return o}n(ip,"fetchCimdMetadata");async function ap(e){let t=Nt(e),r=await ip({clientId:e,initialUrl:t});return{kind:"cimd",clientId:e,metadata:r}}n(ap,"resolveCimdClient");async function rr(e,t){let r=oe.parse(e);if(np(r)){D().gateway.downstreamCimdEnabled||Ca(r);try{return await ap(r)}catch(i){Ca(r,i)}}let o=await b().readClient({clientId:r});if(o.kind==="found"){let i=o.client,a=ya(i.clientId),s=a===void 0?i.tokenEndpointAuthMethod:"private_key_jwt",c=i.jwksUri??a;if(s==="private_key_jwt"&&c===void 0)throw new m("invalid_client","Dynamic private_key_jwt client is missing JWKS metadata. Re-run client registration before authorization.");let u=Ot({client_id:i.clientId,client_name:i.clientName,redirect_uris:i.redirectUris,token_endpoint_auth_method:s,...c===void 0?{}:{jwks_uri:c}}),p={kind:"dcr",clientId:r,metadata:u};return i.hashedClientSecret&&(p.hashedClientSecret=i.hashedClientSecret),p}throw new m("invalid_client",r.startsWith("dcr:")?"Dynamic client is not registered. 
Re-run client registration before authorization.":"OAuth client is not registered.")}n(rr,"resolveClient");function va(e,t){if(!e.metadata.redirect_uris.some(r=>ba({registeredRedirectUri:r,requestedRedirectUri:t})))throw w("invalid_request","redirect_uri is not registered for the client.")}n(va,"assertRedirectRegistered");function sp(e){let t=Sa(e.grant_types),r=e.response_types??[...on];if(!cp(t))throw new m("invalid_client_metadata","grant_types must be a subset of authorization_code and refresh_token.");if(!dp(r))throw new m("invalid_client_metadata","response_types must be code.");if(!up(e.scope))throw new m("invalid_client_metadata",`Only the ${H} scope is supported.`)}n(sp,"assertSupportedDcrRequest");function Sa(e){return e===void 0?[...nn]:Array.from(new Set(e))}n(Sa,"normalizeGrantTypes");function cp(e){return e.length===0?!1:e.every(t=>nn.includes(t))}n(cp,"isSupportedGrantTypes");function dp(e){return e.length===on.length&&e[0]==="code"}n(dp,"isSupportedResponseTypes");function up(e){return e===void 0||e===H}n(up,"isSupportedDcrScope");function lp(e){try{Se(e)}catch(t){throw new m("invalid_client_metadata","jwks_uri must be an HTTPS URL with a path, no credentials or fragment, and must not point at a blocked host.",void 0,{cause:t})}}n(lp,"assertValidDcrJwksUri");function pp(e){return e.tokenEndpointAuthMethod==="private_key_jwt"&&e.jwksUri!==void 0?oe.parse(ga({clientId:crypto.randomUUID(),jwksUri:e.jwksUri})):oe.parse(`dcr:${crypto.randomUUID()}`)}n(pp,"createDcrClientId");function ft(e){if(e===void 0||e===H)return H;throw new m("invalid_request",`Only the ${H} scope is supported.`)}n(ft,"assertSupportedOAuthScope");function Ke(e,t,r){let o;try{o=new URL(t)}catch{throw new m("invalid_target","resource must be an absolute URI.")}if(o.hash)throw new m("invalid_target","resource must not include a fragment.");if(o.protocol!=="https:"&&!T(o))throw new m("invalid_target","resource must use HTTPS except loopback HTTP resources in local development.");let 
i=k(e,r),a=eo(),s=a?[...a.byOperationId.values()].find(c=>new URL(c.routePath,i).toString()===t):void 0;if(!s)throw new m("invalid_target","resource must match a published MCP route.");return s}n(Ke,"resolveResource");async function Ia(e){let t;try{t=rp.parse(e)}catch(I){if(I instanceof d.ZodError){let G=I.issues.some(K=>K.path[0]==="redirect_uris");throw new m(G?"invalid_redirect_uri":"invalid_client_metadata",I.issues[0]?.message??"Client metadata is invalid.",void 0,{cause:I})}throw I}sp(t);for(let I of t.redirect_uris)Ze(I,"invalid_redirect_uri");if(t.token_endpoint_auth_method==="private_key_jwt"&&t.jwks_uri===void 0)throw new m("invalid_client_metadata","jwks_uri is required for private_key_jwt clients.");t.jwks_uri!==void 0&&lp(t.jwks_uri);let r=new Date,o=t.token_endpoint_auth_method??"none",i=o==="private_key_jwt"?"none":o,a=pp({tokenEndpointAuthMethod:o,jwksUri:t.jwks_uri}),s=Ot({client_id:a,client_name:t.client_name??"Dynamically registered MCP client",redirect_uris:t.redirect_uris,token_endpoint_auth_method:o,...t.jwks_uri===void 0?{}:{jwks_uri:t.jwks_uri}}),c=ne(r,tp),u=Math.floor(r.getTime()/1e3),p=Math.floor(c.getTime()/1e3),f={client_id:s.client_id,client_name:s.client_name,redirect_uris:s.redirect_uris,grant_types:Sa(t.grant_types),response_types:["code"],scope:H,token_endpoint_auth_method:s.token_endpoint_auth_method,client_id_issued_at:u,...s.jwks_uri===void 0?{}:{jwks_uri:s.jwks_uri}},_={clientId:s.client_id,clientName:s.client_name,redirectUris:s.redirect_uris,tokenEndpointAuthMethod:i,createdAt:R(r),clientExpiresAt:R(c)};if(o==="client_secret_basic"||o==="client_secret_post"){let I=pe();_.hashedClientSecret=await U(I),_.clientSecretExpiresAt=R(c),f.client_secret=I,f.client_secret_expires_at=p,f.client_secret_issued_at=u}if((await b().registerClient(_)).kind==="already_exists")throw w("invalid_request","OAuth client is already registered.");return f}n(Ia,"registerDownstreamClient");function nr(e){return v`<img class="card__icon" 
src="${e.iconHref}" alt="" width="48" height="48" referrerpolicy="no-referrer" onerror=" this.onerror = null; this.src = '${e.fallbackIconHref}'; " />`}n(nr,"renderShellIcon");function xa(e){return v`<form class="actions" method="post" action="${e.setupAction}" ${e.submitOnceAttrs}><input type="hidden" name="state" value="${e.state}" /><button class="button button--secondary" type="submit" name="decision" value="cancel" formnovalidate >Cancel</button><button class="button button--primary" type="submit" name="decision" value="approve" ${e.authorizeAttrs} >Authorize</button></form>`}n(xa,"renderActions");var s_=ae('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="16" height="16" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><circle cx="8" cy="8" r="6.5"/><line x1="8" y1="4.6" x2="8" y2="8.4"/><circle cx="8" cy="11" r=".7" fill="currentColor" stroke="none"/></svg>');var c_=ae('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="14" height="14" fill="none" stroke="currentColor" stroke-width="1.8" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M4 6.5l4 4 4-4"/></svg>'),d_=ae('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.6" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><rect x="3" y="4" width="18" height="7" rx="1.5"/><rect x="3" y="13" width="18" height="7" rx="1.5"/><circle cx="7" cy="7.5" r=".75" fill="currentColor" stroke="none"/><circle cx="7" cy="16.5" r=".75" fill="currentColor" stroke="none"/></svg>');var u_=ae('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="16" height="16" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M7.13 2.46 1.39 12.5a1 1 0 0 0 .87 1.5h11.48a1 1 0 0 0 .87-1.5L8.87 2.46a1 1 0 0 0-1.74 0Z"/><line x1="8" y1="6" x2="8" 
y2="9.4"/><circle cx="8" cy="11.4" r=".7" fill="currentColor" stroke="none"/></svg>');var mp="data:,",Aa=v`data-submit-once="true" onsubmit="if (this.dataset.submitted === 'true') return false; this.dataset.submitted = 'true'; setTimeout(() => this.querySelectorAll('button').forEach((button) => { button.disabled = true; }), 0);"`,Ua=v`data-activate-once="true" onclick="if (this.dataset.activated === 'true') return false; this.dataset.activated = 'true'; this.setAttribute('aria-disabled', 'true'); this.style.pointerEvents = 'none';"`;function fp(e,t,r){if(e)try{let o=new URL(t).origin,i=new URL(e,o);return i.origin!==o||!i.pathname.startsWith(r.actionPath("/auth/connections/"))?void 0:i.toString()}catch{return}}n(fp,"safeGatewayConnectHref");function hp(e){return e.some(r=>r.ownerMode==="user"&&r.status!=="active")?"setup":"grant"}n(hp,"deriveMode");function gp(e){return xa({state:e.state,setupAction:e.gateway.actionPath("/oauth/setup"),submitOnceAttrs:Aa,authorizeAttrs:Y})}n(gp,"renderActions");function an(e,t,r,o){for(let i of e){if(i.ownerMode!=="user"||i.status!==r)continue;let a=fp(i.connectUrl,t,o);if(a)return a}}n(an,"firstUserConnectHref");function yp(e){let t=e.connectHref?v`<a class="button button--primary" href="${e.connectHref}" ${Ua}>Connect</a>`:v`<button class="button button--primary" type="button" disabled aria-disabled="true">Connect</button>`;return v`<form class="actions" method="post" action="${e.gateway.actionPath("/oauth/setup")}" ${Aa}><input type="hidden" name="state" value="${e.state}" /><button class="button button--secondary" type="submit" name="decision" value="cancel" formnovalidate>Cancel</button>${t}</form>`}n(yp,"renderSetupActions");function wp(e){return e?v`<span class="reconnect-action"><a class="button button--secondary reconnect-button" href="${e}" ${Ua}>Re-connect<span class="tooltip" tabindex="0" aria-label="Reset or change how the gateway connects to the upstream service, including changing 
scopes.">?</span></a></span>`:Y}n(wp,"renderReconnectAction");function _p(e){try{let t=new URL(e);return t.protocol==="https:"||t.protocol==="http:"?!0:t.protocol==="data:"&&/^data:image\/(?:png|jpe?g|webp|svg\+xml);/i.test(e)}catch{return!1}}n(_p,"isRenderableIconHref");function ka(e){return e?.find(t=>_p(t.src))?.src}n(ka,"readIconHref");function Rp(e){return ka(e.serverIcons)??(e.transportHost===void 0?void 0:Er(e.transportHost).src)}n(Rp,"readUpstreamIconHref");function bp(e){let t=ka(e.routeIcons);if(t!==void 0)return t;for(let r of e.upstreams){let o=Rp(r);if(o!==void 0)return o}}n(bp,"readHeaderIconHref");function Cp(e){return v`<p class="card__subtitle">Authorize '<strong>${e.clientDisplayName}</strong>' to access '<strong>${e.routeDisplayName}</strong>' on your behalf?</p>`}n(Cp,"renderBody");function sn(e){let t=hp(e.upstreams),r=an(e.upstreams,e.gatewayOrigin,"not_connected",e.gateway),o=an(e.upstreams,e.gatewayOrigin,"reconsent_required",e.gateway),i=an(e.upstreams,e.gatewayOrigin,"active",e.gateway),a=t==="setup"?r??o:void 0,s=bp({routeIcons:e.routeIcons,upstreams:e.upstreams}),c=t==="setup"?v`<footer class="card__footer">${yp({state:e.state,connectHref:a,gateway:e.gateway})}</footer>`:v`<footer class="card__footer">${wp(i)}${gp({state:e.state,gateway:e.gateway})}</footer>`;return je(Ge({title:`Authorize access \xB7 ${e.routeDisplayName}`,iconHref:s??mp,styles:Ne,headerIcon:s===void 0?Y:nr({iconHref:s,fallbackIconHref:Lt}),heading:"Authorize access",subhead:Y,body:Cp({routeDisplayName:e.routeDisplayName,clientDisplayName:e.clientDisplayName}),footer:c}))}n(sn,"renderConsentPage");var vp=1e4,Pa="mcp-session-id",Sp;function Ma(){return{tools:[],prompts:[],resources:[]}}n(Ma,"emptyCapabilities");function Ip(){return new Headers({accept:"application/json, text/event-stream","content-type":"application/json","mcp-protocol-version":hr})}n(Ip,"buildReadinessHeaders");async function Ta(e){let t=await e.provider.tokens();if(!t)return;let r=Ip();return 
r.set("authorization",`${t.token_type??"Bearer"} ${t.access_token}`),r}n(Ta,"buildAsyncCredentialHeaders");function Ea(e){return new Request(e.upstreamUrl,{method:"POST",headers:e.headers,body:JSON.stringify(Ut.parse({jsonrpc:At,id:1,method:"initialize",params:{protocolVersion:hr,capabilities:{},clientInfo:{name:"zuplo-mcp-gateway-readiness",version:"0.0.0"}}}))})}n(Ea,"buildInitializePreflight");async function cn(e){jt(e.url);let t=new AbortController,r=setTimeout(()=>t.abort(),vp);try{let o=new Request(e,{redirect:"manual",signal:t.signal});return await Rt.fetch(o)}finally{clearTimeout(r)}}n(cn,"runPreflight");function dn(e){e.body?.cancel().catch(()=>{})}n(dn,"releasePreflightBody");async function xp(e){let t=e.response.headers.get(Pa);if(!t)return;let r=new Headers(e.headers);r.set(Pa,t),r.delete("content-type");try{let o=await cn(new Request(e.upstreamUrl,{method:"DELETE",headers:r}));dn(o)}catch{}}n(xp,"terminatePreflightSession");async function qa(e){let{response:t}=e;return dn(t),t.status>=200&&t.status<300?(await xp(e),{kind:"ready",upstreamStatus:t.status,capabilities:Ma()}):t.status===401||t.status===403?{kind:"upstream_auth_rejected",status:t.status,message:"Upstream MCP server rejected the configured credential."}:{kind:"upstream_unavailable",status:t.status,message:"Upstream MCP server did not accept the readiness preflight."}}n(qa,"classifyResponse");function Oa(e){let t={status:e.state==="reconsent_required"?"reconsent_required":"not_connected",connected:!1};return e.nextAction==="admin_setup_required"?{kind:"admin_setup_required",payload:e,connectionStatus:t}:{kind:"connect_required",payload:e,connectionStatus:t}}n(Oa,"connectRequiredResult");async function Ap(e){try{return qa({response:await cn(e.request),upstreamUrl:e.upstreamUrl,headers:e.headers})}catch(t){return{kind:"upstream_unavailable",message:t instanceof Error?t.message:"Upstream MCP server readiness preflight failed."}}}n(Ap,"classifyPreflight");async function Up(e){let 
t=e.route.connection;if(t===void 0)return{kind:"ready",upstreamStatus:204,capabilities:Ma()};let r=Wt(t.upstreamServerId,e.route.operationId),o=Be(r,e.subjectId),i=e.returnTo===void 0?o:{...o,returnTo:e.returnTo},a=new Request(e.requestUrl,{...e.requestHeaders===void 0?{}:{headers:e.requestHeaders}}),s=await Le({request:a,routeAuth:i,preloadedConnection:e.preloadedConnection});if(s.kind==="connect_required")return Oa(s.payload);let c=await Ta(s.credential);if(c===void 0)return{kind:"upstream_auth_rejected",status:401,message:"Upstream credential did not produce tokens."};let u=Ea({upstreamUrl:t.mcpUrl,headers:c}),p;try{p=await cn(u)}catch(S){return{kind:"upstream_unavailable",message:S instanceof Error?S.message:"Upstream MCP server readiness preflight failed."}}if(p.status!==401)return qa({response:p,upstreamUrl:t.mcpUrl,headers:c});dn(p);let f=await Le({request:a,routeAuth:i,forceRefresh:!0,preloadedConnection:e.preloadedConnection});if(f.kind==="connect_required")return Oa(f.payload);let _=await Ta(f.credential);return _===void 0?{kind:"upstream_auth_rejected",status:401,message:"Upstream credential did not produce tokens after refresh."}:Ap({request:Ea({upstreamUrl:t.mcpUrl,headers:_}),upstreamUrl:t.mcpUrl,headers:_})}n(Up,"checkUpstreamRouteReadinessImpl");function Da(e){return(Sp??Up)(e)}n(Da,"checkUpstreamRouteReadiness");function kp(e){try{return new URL(e).host}catch{return}}n(kp,"safeUrlHost");function Pp(e){return e.scopes}n(Pp,"readOAuthScopes");function Ha(e){return e!==void 0&&e.length>0}n(Ha,"hasItems");function Tp(e){let t=e.serverInfo?.icons;if(Ha(t))return t;let r=Bt(e.mcpUrl);return r===void 0?void 0:[r]}n(Tp,"readServerIcons");async function Ep(e){if(!(e.returnTo===void 0||!e.isUserOwned))return Lr({requestUrl:e.requestUrl,...e.requestHeaders===void 
0?{}:{requestHeaders:e.requestHeaders},owner:e.userOwner,initiatedBySubjectId:e.transaction.principal.subjectId,upstreamServerId:e.registeredConnection.upstreamServerId,authProfileId:e.registeredConnection.authProfileId,operationId:e.route.operationId,returnTo:e.returnTo})}n(Ep,"readConnectUrl");function xe(e,t){return t===void 0?{}:{[e]:t}}n(xe,"optionalRequirementField");function Op(e){return e.readiness!==void 0?e.readiness:e.isUserOwned?fo(e.connection):{connected:!0,status:"active"}}n(Op,"readSetupConnectionStatus");function Mp(e){let t=Pp(e);return Ha(t)?t:void 0}n(Mp,"readScopesRequested");function qp(e){return e.isUserOwned&&"updatedAt"in e.connectionStatus&&e.connectionStatus.updatedAt!==void 0?e.connectionStatus.updatedAt:void 0}n(qp,"readUpdatedAt");function Dp(){return{tools:[],prompts:[],resources:[]}}n(Dp,"readRouteCapabilities");async function Hp(e){let{authConfig:t,authMode:r,description:o,displayName:i,mcpUrl:a,ownerMode:s,upstreamServerId:c,authProfileId:u}=e.registeredConnection,p=s==="user",f=Op({connection:e.connection,isUserOwned:p,readiness:e.readiness}),_=e.readiness?.connectUrl??await Ep({...e,connected:f.connected,isUserOwned:p});return{upstreamServerId:c,authProfileId:u,authMode:r,ownerMode:s,upstreamDisplayName:i,status:f.status,connected:f.connected,capabilities:Dp(),...xe("description",o),...xe("transportHost",kp(a)),...xe("scopesRequested",Mp(t)),...xe("serverIcons",Tp(e.registeredConnection)),...xe("connectUrl",_),...xe("updatedAt",qp({connectionStatus:f,isUserOwned:p})),...xe("expiresAt",e.readiness?.expiresAt??e.connection?.expiresAt)}}n(Hp,"buildSetupRequirement");function za(e){let t=J().byOperationId.get(e);if(!t)throw w("unknown_mcp_route",`Unknown MCP route: ${e}`);return t}n(za,"requireRoute");async function un(e){let t=za(e.transaction.operationId),r=kt(e.transaction.principal.subjectId),o=[],i=new Map,a=t.connection;if(a===void 
0)return[];a.ownerMode==="user"&&(i.set(a,o.length),o.push({owner:r,upstreamServerId:a.upstreamServerId,authProfileId:a.authProfileId}));let s=await b().batchGetUpstreamConnections(o),c=[],u=a.ownerMode==="user",p=i.get(a),f=await Da({requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders},route:t,subjectId:e.transaction.principal.subjectId,preloadedConnection:u&&p!==void 0?s[p]:void 0,...e.returnTo===void 0?{}:{returnTo:e.returnTo}}),_=(()=>{if("connectionStatus"in f&&f.connectionStatus)return f.connectionStatus})(),S=(f.kind==="connect_required"||f.kind==="admin_setup_required")&&f.payload.authUrl!==void 0?f.payload.authUrl:void 0;return c.push(await Hp({connection:u&&p!==void 0?s[p]:void 0,registeredConnection:a,route:t,requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders},returnTo:e.returnTo,transaction:e.transaction,userOwner:r,readiness:_===void 0?void 0:{..._,...S===void 0?{}:{connectUrl:S}}})),c}n(un,"requirementsForSetup");function zp(e){return e.route.connection?.displayName??e.route.operationId}n(zp,"readRouteDisplayName");async function ln(e){let t=za(e.transaction.operationId),r=zp({route:t}),o=await b().readClient({clientId:e.transaction.clientId}),i=o.kind==="found"?o.client:void 0,a={gatewayOrigin:k(e.requestUrl,e.requestHeaders),routeDisplayName:r,clientDisplayName:i?.clientName??String(e.transaction.clientId),principalLabel:e.transaction.principal.subjectId},s=t.connection?.description;return s!==void 0&&(a.routeDescription=s),a}n(ln,"consentContext");function pn(e){return e.some(t=>t.ownerMode==="user"&&t.status!=="active")}n(pn,"hasUnresolvedUserUpstream");var Lp=["mcp_user"],Bp="dev-browser-user",jp=["resource is required for /oauth/authorize.","MCP clients should start at the MCP server URL and follow its WWW-Authenticate resource_metadata link.","If your client reached this endpoint directly, use /oauth/authorize/{routePath} where {routePath} is the published MCP route path 
without a leading slash and each segment is URL-encoded as needed, for example /oauth/authorize/mcp/linear, or add resource={protected resource URI from protected-resource metadata}."].join(" "),Np=d.object({response_type:d.literal("code"),client_id:d.string().min(1),redirect_uri:d.string().min(1),resource:d.url(),code_challenge:d.string().min(43),code_challenge_method:ro,state:d.string().min(1).optional(),scope:d.literal(H).default(H)}),Gp=d.enum(["continue","approve","cancel"]).default("continue"),$p=d.object({state:d.string().min(1),decision:Gp}),he=class extends Error{static{n(this,"DownstreamAuthorizeRedirectError")}redirectUri;clientState;errorCode;errorDescription;constructor(t){super(t.errorDescription?`${t.errorCode}: ${t.errorDescription}`:t.errorCode,t.cause===void 0?void 0:{cause:t.cause}),this.name="DownstreamAuthorizeRedirectError",this.redirectUri=t.redirectUri,this.clientState=t.clientState,this.errorCode=t.errorCode,this.errorDescription=t.errorDescription}};function La(e){return typeof e=="string"&&e.length>0?e:void 0}n(La,"readQueryString");function Fp(e,t){let r=La(e.query.resource);if(t===void 0){if(r!==void 0)return r;throw new m("invalid_target",jp)}let o=uo(t,e.url,e.headers);if(r===void 0||r===o)return o;throw new m("invalid_target","resource must match the scoped OAuth authorization endpoint resource.")}n(Fp,"requireAuthorizeResource");async function Zp(e,t){let r={};t!==void 0&&(r.context=t);let o=await Qt(e,r);if(o.principal)return{principal:o.principal};if(!e.user)return o.evictCookie===void 0?{}:{setCookie:o.evictCookie};let i=ma(e);return{principal:i,setCookie:await er({principal:i,requestUrl:e.url,requestHeaders:e.headers})}}n(Zp,"resolveBrowserPrincipal");async function Kp(e,t){let r={};t!==void 0&&(r.context=t);let o=await Qt(e,r);if(!o.principal)throw w("authentication_required","Authorization setup requires a current browser session.");return o.principal}n(Kp,"requireSetupPrincipal");function 
Ba(e){return`${M().actionPath("/oauth/setup")}?state=${encodeURIComponent(e)}`}n(Ba,"buildSetupReturnTo");async function ja(e){let t=await un({transaction:e.transaction,requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders},returnTo:Ba(e.csrfToken)}),r=await ln({transaction:e.transaction,requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders}}),o={kind:"setup_page",html:sn({state:e.csrfToken,operationId:e.transaction.operationId,gateway:M(),upstreams:t,...r})};return e.setCookie!==void 0&&(o.setCookie=e.setCookie),o}n(ja,"renderSetup");function Jp(e){if(e===void 0)return;let t=e.metadata.token_endpoint_auth_method;return{clientId:e.clientId,clientName:e.metadata.client_name,tokenEndpointAuthMethod:t}}n(Jp,"toAuthorizationTransactionClient");async function mn(e,t={}){let r=Np.parse({...e.query,resource:Fp(e,t.operationId),state:La(e.query.state)}),o=ft(r.scope);Ze(r.redirect_uri,"invalid_request");let i=new Date,a=oe.parse(r.client_id),s=await rr(r.client_id,i);va(s,r.redirect_uri);try{let c=Ke(e.url,r.resource,e.headers),u=Jp(s);t.context?.log.info({event:"oauth_authorize_request_parsed",clientId:a,operationId:c.operationId,scope:o,hasClientState:r.state!==void 0},"Downstream OAuth authorize: request parsed and client resolved"),t.context&&x(t.context,{eventType:C.MCP_OAUTH_AUTHORIZE_STARTED,outcome:"success",virtualServerName:c.operationId,attributes:{clientId:a,scope:o,responseType:r.response_type}});let p={clientId:s?.clientId??a,...u===void 0?{}:{client:u},redirectUri:r.redirect_uri,resource:r.resource,operationId:c.operationId,scope:o,codeChallenge:r.code_challenge,codeChallengeMethod:r.code_challenge_method,...r.state===void 0?{}:{clientState:r.state}},{principal:f,setCookie:_}=await Zp(e,t.context);if(!f){let I=await 
oa({transaction:p,requestUrl:e.url,requestHeaders:e.headers,now:i});t.context?.log.info({event:"oauth_authorize_awaiting_login",clientId:a,operationId:c.operationId},"Downstream OAuth authorize: redirecting to browser login (no session)");let G={kind:"redirect",location:I.browserLoginUrl};return _!==void 0&&(G.setCookie=_),G}let S=await ia({transaction:p,principal:f,now:i});return t.context?.log.info({event:"oauth_authorize_awaiting_setup",clientId:a,operationId:c.operationId,subjectId:f.subjectId},"Downstream OAuth authorize: rendering consent/setup page"),t.context&&x(t.context,{eventType:C.MCP_OAUTH_AUTHORIZE_AWAITING_SETUP,outcome:"success",virtualServerName:c.operationId,attributes:{clientId:a,scope:o,responseType:r.response_type,subjectId:f.subjectId}}),ja({transaction:S.transaction,csrfToken:S.csrfToken,requestUrl:e.url,requestHeaders:e.headers,setCookie:_})}catch(c){throw Wp({redirectUri:r.redirect_uri,clientState:r.state,cause:c})}}n(mn,"authorizeDownstreamClient");function Wp(e){if(e.cause instanceof he)return e.cause;let t=Vp(e.cause);return t?new he({redirectUri:e.redirectUri,clientState:e.clientState,errorCode:t.errorCode,errorDescription:t.errorDescription,cause:e.cause}):e.cause}n(Wp,"toDownstreamAuthorizeRedirectError");function Vp(e){if(e instanceof m)return{errorCode:e.errorCode,errorDescription:e.message};if(e instanceof d.ZodError){let t=e.issues[0];return{errorCode:t?.path.includes("resource")?"invalid_target":"invalid_request",errorDescription:t?.message}}}n(Vp,"mapToOAuthRedirectError");async function Na(e,t={}){let r=typeof e.query.error=="string"?e.query.error:void 0;if(r){let p=typeof e.query.error_description=="string"?e.query.error_description.slice(0,256):void 0,f=typeof e.query.error_uri=="string"?e.query.error_uri.slice(0,256):void 0;throw t.context?.log.warn({event:"browser_login_callback_idp_error",code:"provider_access_denied",idpError:r,...p===void 0?{}:{idpErrorDescription:p},...f===void 0?{}:{idpErrorUri:f}},"Identity provider 
redirected browser-login callback with an error"),w("provider_access_denied",p??"The delegated browser login was not completed.")}let o=typeof e.query.state=="string"?e.query.state:void 0;if(!o)throw t.context?.log.warn({event:"browser_login_callback_state_missing",code:"oauth_state_invalid"},"Browser login callback was invoked without a state parameter"),w("oauth_state_invalid","Browser login callback is missing state.");let i=await Wr(o),a={request:e,stateId:i.stateId};t.context!==void 0&&(a.context=t.context);let s=await fa(a),c=await aa({browserLoginStateToken:o,principal:s}),u=await ja({transaction:c.transaction,csrfToken:c.csrfToken,requestUrl:e.url,requestHeaders:e.headers});return u.setCookie=await er({principal:s,requestUrl:e.url,requestHeaders:e.headers}),u}n(Na,"completeBrowserLoginCallback");async function Ga(e){let t=D(),r=new URL(e.url);if(!T(r))throw w("forbidden","Local browser login is only available on loopback HTTP origins.");let o=typeof e.query.state=="string"?e.query.state:void 0;if(!o)throw w("oauth_state_invalid","Local browser login is missing state.");let i=M().actionPath("/oauth/callback"),a=new URL(typeof e.query.redirect_uri=="string"?e.query.redirect_uri:i,k(e.url)),s=new URL(k(e.url)).origin;if(a.origin!==s||a.pathname!==i)throw w("oauth_callback_mismatch",`Local browser login redirect_uri must target this gateway's ${i} route.`);a.searchParams.set("state",o);let c={subjectId:Ve.parse(Bp),roles:Lp};return{kind:"redirect",location:a,setCookie:await er({principal:c,requestUrl:e.url,requestHeaders:e.headers})}}n(Ga,"completeLocalDevBrowserLogin");function Yp(e){let t=e.method==="POST"?e.body:e.query;return $p.parse(t)}n(Yp,"readSetupContinueRequest");async function $a(e){let{state:t,decision:r}=Yp({method:e.request.method,query:e.request.query,body:e.body}),o=new Date,i=await Xr({csrfToken:t,now:o}),a=await Kp(e.request,e.context);if(r==="cancel")return{kind:"redirect",location:await da({csrfToken:t,currentBrowserPrincipal:a,now:o})};let 
s=await sa({csrfToken:t,currentBrowserPrincipal:a,now:o}),c=await un({transaction:s,requestUrl:e.request.url,requestHeaders:e.request.headers,returnTo:Ba(t)});if(r==="approve"&&pn(c)&&await ra({csrfToken:t,currentBrowserPrincipal:a,now:o}),pn(c)){let u=await ln({transaction:s,requestUrl:e.request.url,requestHeaders:e.request.headers});return{kind:"setup_page",html:sn({state:t,operationId:s.operationId,gateway:M(),upstreams:c,...u})}}return{kind:"redirect",location:await ca({csrfToken:t,currentBrowserPrincipal:a,now:o})}}n($a,"continueDownstreamAuthorizeSetup");$();import{createLocalJWKSet as Xp,decodeJwt as Qp,errors as ht,jwtVerify as em}from"jose";var tm=new Set(["authorization_code","refresh_token"]),rm="urn:ietf:params:oauth:client-assertion-type:jwt-bearer",nm=1e4,om=32*1024,im=2,Fa=d.object({client_id:d.string().min(1).optional(),client_secret:d.string().min(1).optional(),client_assertion_type:d.string().min(1).optional(),client_assertion:d.string().min(1).optional()}),am=d.discriminatedUnion("grant_type",[Fa.extend({grant_type:d.literal("authorization_code"),code:d.string().min(1),redirect_uri:d.string().min(1),code_verifier:Et,resource:d.url().optional(),scope:d.literal(H).optional()}),Fa.extend({grant_type:d.literal("refresh_token"),refresh_token:d.string().min(1),resource:d.url().optional(),scope:d.literal(H).optional()})]);function sm(e){if(typeof e!="object"||e===null)return;let t=e.grant_type;if(t!==void 0&&(typeof t!="string"||!tm.has(t)))throw new m("unsupported_grant_type",`Grant type "${typeof t=="string"?t:""}" is not supported.`)}n(sm,"assertSupportedGrantType");var cm=d.object({token:d.string().min(1),client_id:d.string().min(1).optional(),token_type_hint:d.string().optional(),client_secret:d.string().min(1).optional(),client_assertion_type:d.string().min(1).optional(),client_assertion:d.string().min(1).optional()}),dm=d.object({keys:d.array(d.record(d.string(),d.unknown())).min(1)}).passthrough();function Za(){return 
D().gateway.accessTokenTtlSeconds}n(Za,"readAccessTokenTtlSeconds");function um(){return D().gateway.refreshTokenTtlSeconds}n(um,"readRefreshTokenTtlSeconds");function lm(e,t){let r=Za(),o=Math.max(1,Math.floor((new Date(t).getTime()-e.getTime())/1e3)),i=Math.min(r,o);return{expiresAt:R(ne(e,i)),expiresIn:i}}n(lm,"calculateAccessTokenExpiresAt");function Ka(e){if(!e?.startsWith("Basic "))return{};let t;try{t=atob(e.slice(6))}catch{throw new m("invalid_client","Malformed HTTP Basic client authentication.")}let r=t.indexOf(":");if(r<0)throw new m("invalid_client","Malformed HTTP Basic client authentication.");try{return{clientId:decodeURIComponent(t.slice(0,r)),clientSecret:decodeURIComponent(t.slice(r+1))}}catch{throw new m("invalid_client","Malformed HTTP Basic client authentication.")}}n(Ka,"readBasicClientSecret");function Ja(e){if(e.basicClientId!==void 0&&e.bodyClientId!==void 0&&e.basicClientId!==e.bodyClientId)throw new m("invalid_request","Authenticated client_id must match request client_id.");let t=e.basicClientId??e.bodyClientId;if(t!==void 0)return t;if(e.clientAssertion!==void 0){try{let r=Qp(e.clientAssertion);if(typeof r.iss=="string"&&typeof r.sub=="string"&&r.iss===r.sub)return r.iss}catch{throw new m("invalid_client","Malformed private_key_jwt client assertion.")}throw new m("invalid_client","private_key_jwt client assertion must identify the client with matching iss and sub claims.")}throw new m("invalid_client","Client authentication or client_id is required.")}n(Ja,"resolveAuthenticatedClientId");function pm(e){if(e.basicClientSecret!==void 0&&e.bodyClientSecret!==void 0)throw new m("invalid_request","Use only one client authentication method per request.");return e.basicClientSecret!==void 0?{clientSecret:e.basicClientSecret,clientSecretSource:"basic"}:e.bodyClientSecret!==void 0?{clientSecret:e.bodyClientSecret,clientSecretSource:"post"}:{}}n(pm,"resolveClientSecretInput");function mm(e){return e.clientAssertion!==void 
0||e.clientAssertionType!==void 0}n(mm,"hasClientAssertion");function fm(e){if(e.requestUrl===void 0)throw new m("invalid_request","Request URL is required for private_key_jwt client authentication.");let t=new URL(M().actionPath(e.pathname),k(e.requestUrl,e.requestHeaders));return t.search="",t.hash="",t.toString()}n(fm,"buildEndpointAudience");function hm(e){return e instanceof ht.JWTExpired?"expired":e instanceof ht.JWTClaimValidationFailed?"claim":e instanceof ht.JWSSignatureVerificationFailed?"signature":e instanceof ht.JWKSNoMatchingKey?"jwks_no_match":e instanceof ht.JWTInvalid?"invalid":e instanceof d.ZodError?"schema":"other"}n(hm,"readJwtFailureKind");async function gm(e){let{response:t,json:r}=await Zo(e.jwksUri,{headers:{accept:"application/json"}},{context:e.context,maxRedirects:im,maxResponseBytes:om,timeoutMs:nm});if(!t.ok)throw new m("invalid_client","Client JWKS could not be fetched.");return dm.parse(r)}n(gm,"fetchClientJwks");async function ym(e){if(e.clientAssertionType!==rm||e.clientAssertion===void 0)throw new m("invalid_request","private_key_jwt client authentication requires a JWT bearer client_assertion and client_assertion_type.");let t=oe.parse(e.clientId),r=await rr(t,e.now);if(r.metadata.token_endpoint_auth_method!=="private_key_jwt")throw new m("invalid_client","Client is not registered for private_key_jwt authentication.");let o=r.metadata.jwks_uri;if(o===void 0)throw new m("invalid_client","Client JWKS URI is required for private_key_jwt authentication.");let i=fm({requestUrl:e.requestUrl,requestHeaders:e.requestHeaders,pathname:e.endpointPathname});try{let a=await gm({jwksUri:o,context:e.context});await em(e.clientAssertion,Xp(a),{issuer:t,subject:t,audience:i,currentDate:e.now})}catch(a){throw e.context?.log.warn({event:"oauth_private_key_jwt_client_auth_failed",clientId:t,failureKind:hm(a)},"OAuth private_key_jwt client authentication failed"),new m("invalid_client","Client authentication failed.")}return 
tr(t)?{method:"none",clientId:t}:{method:"private_key_jwt",clientId:t}}n(ym,"verifyPrivateKeyJwtClientAssertion");async function wm(e){let t=oe.parse(e.clientId);if(tr(t))throw new m("invalid_client","Client is registered for private_key_jwt authentication.");return e.clientSecret===void 0?{method:"none",clientId:t}:{method:e.clientSecretSource==="post"?"client_secret_post":"client_secret_basic",clientId:t,clientSecretHashInput:await U(e.clientSecret)}}n(wm,"buildRuntimeHttpClientAuth");async function Wa(e){if(mm({clientAssertion:e.clientAssertion,clientAssertionType:e.clientAssertionType})){if(e.basicClientSecret!==void 0||e.bodyClientSecret!==void 0)throw new m("invalid_request","Use only one client authentication method per request.");return ym(e)}let t=pm({basicClientSecret:e.basicClientSecret,bodyClientSecret:e.bodyClientSecret});return wm({clientId:e.clientId,...t})}n(Wa,"resolveRuntimeHttpClientAuth");async function Va(e){sm(e.body);let t=am.parse(e.body),r=Ka(e.authorizationHeader),o=Ja({basicClientId:r.clientId,bodyClientId:t.client_id,clientAssertion:t.client_assertion}),i=new Date,a=await Wa({clientId:o,basicClientSecret:r.clientSecret,bodyClientSecret:t.client_secret,clientAssertion:t.client_assertion,clientAssertionType:t.client_assertion_type,requestUrl:e.requestUrl,requestHeaders:e.requestHeaders,endpointPathname:"/oauth/token",now:i,context:e.context});return _m({parsed:t,clientId:o,clientAuth:a,now:i,requestUrl:e.requestUrl,requestHeaders:e.requestHeaders,context:e.context})}n(Va,"exchangeDownstreamToken");async function _m(e){if(e.parsed.grant_type==="authorization_code"){Ze(e.parsed.redirect_uri,"invalid_request"),ft(e.parsed.scope),e.parsed.resource!==void 0&&Ke(e.requestUrl??e.parsed.resource,e.parsed.resource,e.requestHeaders);let c=pe(),u=pe(),p=R(ne(e.now,um())),f=lm(e.now,p),_=await b().exchangeAuthorizationCode({clientAuth:e.clientAuth,codeHash:await U(e.parsed.code),redirectUri:e.parsed.redirect_uri,...e.parsed.resource===void 
0?{}:{resource:e.parsed.resource},codeChallenge:await wo(e.parsed.code_verifier),currentRefreshTokenHash:await U(c),accessTokenHash:await U(u),grantExpiresAt:p,accessTokenExpiresAt:f.expiresAt,now:R(e.now)});if(_.kind==="invalid_client")throw new m("invalid_client","Client authentication failed.");if(_.kind==="resource_mismatch")throw new m("invalid_target","Token request resource must match the authorization code resource.");if(_.kind!=="exchanged")throw new m("invalid_grant","Authorization code is invalid, expired, already used, or failed binding validation.");return e.context&&x(e.context,{eventType:C.MCP_OAUTH_TOKEN_ISSUED,outcome:"success",attributes:{clientId:e.clientId,grantType:"authorization_code"}}),{access_token:u,token_type:"Bearer",expires_in:f.expiresIn,refresh_token:c,scope:_.grant.scope,resource:_.grant.resource}}ft(e.parsed.scope),e.parsed.resource!==void 0&&Ke(e.requestUrl??e.parsed.resource,e.parsed.resource,e.requestHeaders);let t=await U(e.parsed.refresh_token),r=e.parsed.refresh_token,o=pe(),i=R(ne(e.now,Za())),a=await b().refreshToken({clientAuth:e.clientAuth,currentRefreshTokenHash:t,nextRefreshTokenHash:t,accessTokenHash:await U(o),...e.parsed.resource===void 0?{}:{resource:e.parsed.resource},accessTokenExpiresAt:i,now:R(e.now)});if(a.kind==="invalid_client")throw new m("invalid_client","Client authentication failed.");if(a.kind==="resource_mismatch")throw new m("invalid_target","Token request resource must match the refresh token grant resource.");if(a.kind!=="rotated")throw new m("invalid_grant","Refresh token is invalid, expired, or revoked.");Ke(e.requestUrl??a.grant.resource,a.grant.resource,e.requestHeaders);let s=a.accessToken.expiresAt;return e.context&&x(e.context,{eventType:C.MCP_OAUTH_TOKEN_ISSUED,outcome:"success",attributes:{clientId:e.clientId,grantType:"refresh_token"}}),{access_token:o,token_type:"Bearer",expires_in:Math.max(1,Math.floor((new 
Date(s).getTime()-e.now.getTime())/1e3)),refresh_token:r,scope:a.grant.scope,resource:a.grant.resource}}n(_m,"exchangeDownstreamTokenWithRuntimeHttp");async function Ya(e){let t=cm.parse(e.body),r=Ka(e.authorizationHeader),o=Ja({basicClientId:r.clientId,bodyClientId:t.client_id,clientAssertion:t.client_assertion}),i=new Date;if((await b().revokeOAuthToken({clientAuth:await Wa({clientId:o,basicClientSecret:r.clientSecret,bodyClientSecret:t.client_secret,clientAssertion:t.client_assertion,clientAssertionType:t.client_assertion_type,requestUrl:e.requestUrl,requestHeaders:e.requestHeaders,endpointPathname:"/oauth/revoke",now:i,context:e.context}),tokenHash:await U(t.token),now:R(i)})).kind==="invalid_client")throw new m("invalid_client","Client authentication failed.");e.context?.log.info({event:"oauth_token_revoked",clientId:o,...t.token_type_hint===void 0?{}:{tokenTypeHint:t.token_type_hint}},"OAuth token revocation request processed"),e.context&&x(e.context,{eventType:C.MCP_OAUTH_TOKEN_REVOKED,outcome:"success",attributes:{clientId:o,...t.token_type_hint===void 0?{}:{tokenTypeHint:t.token_type_hint}}})}n(Ya,"revokeDownstreamToken");var Rm=64*1024,bm=16*1024,Cm="text/html; charset=utf-8";function vm(e){let t={};for(let[r,o]of e.entries())t[r]=o;return t}n(vm,"formDataToObject");async function Sm(e){return Gi(e,{maxBytes:Rm,label:"Request body"})}n(Sm,"readJsonBody");async function hn(e){return vm(await $i(e,{maxBytes:bm,label:"Request body"}))}n(hn,"readFormBody");async function Qa(e,t,r){let o=re(r),i=r instanceof d.ZodError?ge(r):void 0,a={code:o??(r instanceof d.ZodError?"invalid_request":"internal_server_error")};return i!==void 0&&(a.detail=i),It(e,t,a)}n(Qa,"handleProblem");function es(e){return e?.requestId}n(es,"readBrowserRequestId");function ts(e){if(!(e instanceof h))return;let t=e.extensionMembers?.[Pe];return typeof t=="string"?t:void 0}n(ts,"readUpstreamHtmlError");function Xa(e,t){let r=e.extensionMembers?.[t];return typeof r=="string"?r:void 
0}n(Xa,"readRuntimeErrorExtensionString");function Im(e,t){let r=e.extensionMembers?.[t];return typeof r=="number"?r:void 0}n(Im,"readRuntimeErrorExtensionNumber");function xm(e){try{return new URL(e.url).pathname}catch{return}}n(xm,"readBrowserRequestPath");function Ae(e){let t={code:e.code,requestId:e.requestId,routePath:xm(e.request),underlyingError:e.underlyingError};return e.error instanceof h&&(t.httpStatus=Im(e.error,Te),t.contentType=Xa(e.error,ke),t.upstreamUrl=Xa(e.error,Ee)),t}n(Ae,"buildBrowserErrorDiagnostic");function gt(e){let t=new Headers(e.headers);t.set("cache-control","no-store"),t.set("pragma","no-cache");let r={error:e.error};return e.errorDescription!==void 0&&(r.error_description=e.errorDescription),Response.json(r,{status:e.status??400,headers:t})}n(gt,"oauthErrorResponse");function Am(e,t){return e.errorCode!=="invalid_client"?{}:t.includeInvalidClientChallenge===!1?{}:{"WWW-Authenticate":'Basic realm="OAuth"'}}n(Am,"readOAuthProtocolHeaders");function Um(e,t){let r=F("internal_server_error");return gt({error:e.errorCode,errorDescription:e.errorCode==="server_error"?r.publicDetail:e.message,status:e.status,headers:Am(e,t)})}n(Um,"oauthProtocolErrorResponse");function fn(e){return e.issues[0]?.path.includes("resource")===!0?"invalid_target":"invalid_request"}n(fn,"readZodOAuthErrorCode");function km(e){let t={error:fn(e)},r=ge(e);return r!==void 0&&(t.errorDescription=r),gt(t)}n(km,"oauthZodErrorResponse");function Pm(e){let t=re(e);if(t===void 0)return;let r=F(t);if(r.oauthError===void 0)return;let o={error:r.oauthError,status:Em(r.oauthError)};return r.oauthError==="server_error"?o.errorDescription=r.publicDetail:e instanceof Error?o.errorDescription=e.message:o.errorDescription=r.publicDetail,gt(o)}n(Pm,"oauthGatewayProblemResponse");function Tm(){let t={error:"server_error",status:500,errorDescription:F("internal_server_error").publicDetail};return gt(t)}n(Tm,"oauthFallbackErrorResponse");function 
Em(e){switch(e){case"invalid_client":return 401;case"server_error":return 500;default:return 400}}n(Em,"readOAuthStatus");function gn(e,t={}){return e instanceof he?os(e):e instanceof m?Um(e,t):e instanceof d.ZodError?km(e):Pm(e)??Tm()}n(gn,"oauthProblemResponse");function yn(e,t,r){let o=$e(e.url),i=es(t);if(r instanceof he)return os(r);if(r instanceof m){let c=F("internal_server_error");return X({host:o,kind:Om(r.errorCode),title:"Authorization failed",detail:r.errorCode==="server_error"?c.publicDetail:r.message,developerDetail:r.errorCode==="server_error"?c.publicDetail:r.message,code:r.errorCode,diagnostic:Ae({request:e,requestId:i,code:r.errorCode,underlyingError:r.errorCode==="server_error"?c.publicDetail:r.message,error:r}),requestId:i,status:r.status})}if(r instanceof d.ZodError)return X({host:o,kind:"invalid_request",detail:ge(r)??"The authorization request was invalid.",developerDetail:ge(r)??"The authorization request was invalid.",code:fn(r),diagnostic:Ae({request:e,requestId:i,code:fn(r),underlyingError:ge(r)??"The authorization request was invalid.",error:r}),requestId:i});let a=re(r);if(a!==void 0){let c=F(a);return X({host:o,kind:ns(a),detail:c.publicDetail,developerDetail:c.status>=500||!(r instanceof Error)?c.publicDetail:r.message,code:a,diagnostic:Ae({request:e,requestId:i,code:a,underlyingError:c.status>=500||!(r instanceof Error)?c.publicDetail:r.message,error:r}),requestId:i,upstreamHtml:ts(r),status:c.status})}let s=F("internal_server_error");return X({host:o,kind:"internal_error",detail:s.publicDetail,developerDetail:s.publicDetail,code:"server_error",diagnostic:Ae({request:e,requestId:i,code:"server_error",underlyingError:s.publicDetail,error:r}),requestId:i,status:s.status})}n(yn,"browserOAuthProblemResponse");function rs(e,t,r){let o=$e(e.url),i=es(t),a=re(r);if(a!==void 0){let c=F(a);return X({host:o,kind:ns(a),detail:c.publicDetail,developerDetail:c.status>=500||!(r instanceof 
Error)?c.publicDetail:r.message,code:a,diagnostic:Ae({request:e,requestId:i,code:a,underlyingError:c.status>=500||!(r instanceof Error)?c.publicDetail:r.message,error:r}),requestId:i,upstreamHtml:ts(r),status:c.status})}if(r instanceof d.ZodError)return X({host:o,kind:"invalid_request",detail:ge(r)??"The authorization request was invalid.",developerDetail:ge(r)??"The authorization request was invalid.",code:"invalid_request",diagnostic:Ae({request:e,requestId:i,code:"invalid_request",underlyingError:ge(r)??"The authorization request was invalid.",error:r}),requestId:i});let s=F("internal_server_error");return X({host:o,kind:"internal_error",detail:s.publicDetail,developerDetail:s.publicDetail,code:"internal_server_error",diagnostic:Ae({request:e,requestId:i,code:"internal_server_error",underlyingError:s.publicDetail,error:r}),requestId:i,status:s.status})}n(rs,"browserGatewayProblemResponse");function Om(e){return e==="server_error"?"internal_error":"invalid_request"}n(Om,"readOAuthBrowserErrorKind");function 
ns(e){if(F(e).status>=500)return"internal_error";switch(e){case"mcp_route_not_enabled":case"unknown_upstream_server":case"unknown_mcp_route":case"unknown_auth_profile":case"mcp_route_upstream_mismatch":return"configuration_error";case"provider_access_denied":return"access_denied";case"oauth_state_invalid":case"oauth_state_expired":case"oauth_state_reused":case"oauth_callback_mismatch":return"session_expired";case"upstream_oauth_discovery_unavailable":case"upstream_provider_access_denied":case"upstream_client_registration_required":return"admin_required";case"browser_login_verification_failed":case"upstream_token_exchange_failed":case"upstream_token_response_invalid":return"connection_failed";case"invalid_request":case"authentication_required":case"forbidden":case"not_found":case"too_many_requests":case"identity_context_missing":return"invalid_request";case"upstream_capability_invocation_failed":case"upstream_capability_unavailable":case"upstream_import_failed":return"connection_failed";case"internal_server_error":return"internal_error"}return"authorization_failed"}n(ns,"readGatewayBrowserErrorKind");function se(e,t,r){let o={event:t},i=!1;if(r instanceof m)o.oauthError=r.errorCode,o.status=r.status,B(o,"error",r);else if(r instanceof he)o.oauthError=r.errorCode,B(o,"error",r);else if(r instanceof d.ZodError){o.code="invalid_request",B(o,"error",r);let a=r.issues[0];a&&(o.zodPath=a.path.join("."))}else{let a=re(r);if(a!==void 0){let s=F(a);o.code=a,o.status=s.status,s.oauthError!==void 0&&(o.oauthError=s.oauthError),i=s.status>=500||s.oauthError==="server_error",B(o,"error",r)}else i=!0,B(o,"error",r)}if(i){let a=r instanceof Error?r:new Error("Non-Error thrown from OAuth handler",{cause:r});e.log.error(o,a.message)}else e.log.warn(o,"OAuth handler rejected the request")}n(se,"logUnexpectedOAuthHandlerError");function os(e){let t;try{t=new URL(e.redirectUri)}catch{return gt({error:e.errorCode,...e.errorDescription===void 
0?{}:{errorDescription:e.errorDescription}})}t.searchParams.set("error",e.errorCode),e.errorDescription!==void 0&&t.searchParams.set("error_description",e.errorDescription),e.clientState!==void 0&&t.searchParams.set("state",e.clientState);let r=new Headers({location:t.toString(),"cache-control":"no-store"});return new Response(null,{status:302,headers:r})}n(os,"downstreamAuthorizeRedirectErrorResponse");function ge(e){let t=e.issues[0];if(!t)return;let r=t.path.join(".");return r?`${r}: ${t.message}`:t.message}n(ge,"formatZodErrorDetail");function Mm(e,t){let r={event:"browser_login_callback_failed",code:re(t)??"invalid_request"};B(r,"error",t),e.log.warn(r,"Browser login callback failed; client received a connection-failure page")}n(Mm,"logBrowserLoginCallbackFailure");function is(e){e.location.hash||(e.location.hash="#");let t=new Headers({location:e.location.toString(),"cache-control":"no-store"});return e.setCookie&&t.append("set-cookie",e.setCookie),new Response(null,{status:302,headers:t})}n(is,"redirectResultResponse");function or(e){if(e.kind==="setup_page"){let t=new Headers({"content-type":Cm,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"});return e.setCookie&&t.append("set-cookie",e.setCookie),new Response(e.html,{status:200,headers:t})}return is(e)}n(or,"authorizeResultResponse");async function as(e,t){try{return Response.json(ao(e.url,e.headers))}catch(r){return se(t,"oauth_authorization_server_metadata_failed",r),Qa(e,t,r)}}n(as,"authorizationServerMetadataHandler");async function ss(e,t){try{let r=gr(e.params.routePath);return Response.json(so({operationId:r.operationId,requestUrl:e.url,requestHeaders:e.headers}))}catch(r){return se(t,"oauth_authorization_server_metadata_failed",r),Qa(e,t,r)}}n(ss,"scopedAuthorizationServerMetadataHandler");async function cs(e,t){try{let r=await Ia(await Sm(e)),o=r,i=typeof o.client_id=="string"?o.client_id:void 0,a=typeof o.client_name=="string"?o.client_name:void 
0,s=Array.isArray(o.redirect_uris)?o.redirect_uris.length:void 0,c=typeof o.token_endpoint_auth_method=="string"?o.token_endpoint_auth_method:void 0;return t.log.info({event:"oauth_dcr_client_registered",clientId:i,clientName:a,redirectUriCount:s,tokenEndpointAuthMethod:c},"OAuth Dynamic Client Registration completed"),x(t,{eventType:C.MCP_OAUTH_CLIENT_REGISTERED,outcome:"success",clientName:a,attributes:{clientId:i,redirectUriCount:s,tokenEndpointAuthMethod:c}}),Response.json(r,{status:201,headers:{"cache-control":"no-store"}})}catch(r){return se(t,"oauth_register_failed",r),gn(r)}}n(cs,"registerHandler");async function ds(e,t){try{return or(await mn(e,{context:t}))}catch(r){return se(t,"oauth_authorize_failed",r),yn(e,t,r)}}n(ds,"authorizeHandler");async function us(e,t){try{let r=gr(e.params.routePath);return or(await mn(e,{operationId:r.operationId,context:t}))}catch(r){return se(t,"oauth_authorize_scoped_failed",r),yn(e,t,r)}}n(us,"scopedAuthorizeHandler");async function ls(e,t){try{let r=await Na(e,{context:t});return t.log.info({event:"browser_login_callback_completed",resultKind:r.kind},"Browser login callback completed; consent setup rendered"),or(r)}catch(r){return Mm(t,r),rs(e,t,r)}}n(ls,"callbackHandler");async function ps(e,t){try{return is(await Ga(e))}catch(r){return se(t,"oauth_dev_login_failed",r),yn(e,t,r)}}n(ps,"devLoginHandler");async function ms(e,t){try{if(!["GET","POST"].includes(e.method))return new Response(null,{status:405,headers:{allow:"GET, POST"}});let r=await $a({request:e,body:e.method==="POST"?await hn(e):void 0,context:t});return or(r)}catch(r){return se(t,"oauth_setup_failed",r),rs(e,t,r)}}n(ms,"setupHandler");async function fs(e,t){try{return Response.json(await Va({body:await hn(e),authorizationHeader:e.headers.get("authorization"),requestUrl:e.url,requestHeaders:e.headers,context:t}),{headers:{"cache-control":"no-store",pragma:"no-cache"}})}catch(r){return se(t,"oauth_token_failed",r),gn(r)}}n(fs,"tokenHandler");async function 
hs(e,t){try{return await Ya({body:await hn(e),authorizationHeader:e.headers.get("authorization"),requestUrl:e.url,requestHeaders:e.headers,context:t}),new Response(null,{status:200,headers:{"cache-control":"no-store"}})}catch(r){return se(t,"oauth_revoke_failed",r),gn(r)}}n(hs,"revokeHandler");function gs(e){return v`<p data-gateway-error-code="${e.code}">${e.body}</p>`}n(gs,"renderBrowserResult");var qm="text/html; charset=utf-8",Dm="none";function Hm(e){let t=Tr(e.host);return Ge({title:e.title,iconHref:t,styles:Ne,headerIcon:nr({iconHref:t,fallbackIconHref:Lt}),heading:e.title,subhead:"",body:gs({body:e.body,code:e.code??Dm}),footer:""})}n(Hm,"browserResultHtml");function zm(e,t=200){return new Response(je(e),{status:t,headers:{"content-type":qm,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"}})}n(zm,"browserResultResponse");function ys(e){return zm(Hm(e))}n(ys,"browserConnectionSuccessResponse");function ir(e,t,r={}){let o=Ln(t);return X({host:e,kind:Lm(t),detail:o.body,developerDetail:r.developerDetail,code:t,diagnostic:r.diagnostic,upstreamHtml:r.upstreamHtml})}n(ir,"browserConnectionFailureResponse");function Lm(e){switch(e){case"provider_access_denied":return"access_denied";case"oauth_state_invalid":case"oauth_state_expired":case"oauth_state_reused":case"oauth_callback_mismatch":return"session_expired";case"browser_login_verification_failed":case"upstream_token_exchange_failed":case"upstream_token_response_invalid":return"connection_failed";case"upstream_oauth_discovery_unavailable":case"upstream_provider_access_denied":case"upstream_client_registration_required":return"admin_required"}}n(Lm,"readCallbackFailureBrowserErrorKind");var Bm={connect:"Connect",callback_authorization_code:"Callback",callback_provider_error:"Callback",callback_invalid:"Callback",client_metadata:"Client metadata"},ws=Symbol("upstream-request");function 
yt(e,t){Object.defineProperty(e,ws,{configurable:!0,value:t})}n(yt,"setUpstreamRequestContext");function jm(e){let t=e[ws];if(!t)throw new de("Upstream request context has not been set");return t}n(jm,"readUpstreamRequestContext");function Nm(e,t){return t.some(r=>r===e)}n(Nm,"requestContextMatchesKind");function Gm(e){return typeof e=="string"?[e]:e}n(Gm,"toExpectedKinds");function wt(e,t){let r=jm(e),o=Gm(t);if(!Nm(r.kind,o)){let i=Bm[o[0]];throw new de(`${i} request context has not been set`)}return r}n(wt,"requireUpstreamRequestContext");function Ue(e){if(typeof e=="string"&&e.length!==0)return e}n(Ue,"readOptionalQueryString");function $m(e,t){let r=e.params[t];if(typeof r!="string"||r.length===0)throw new de(`Validated path parameter ${t} is missing`);return Fm(r,t)}n($m,"requirePathString");function Fm(e,t){try{return decodeURIComponent(e)}catch(r){throw new h({message:`Path parameter "${t}" must be valid URL encoding.`,extensionMembers:{[g]:"invalid_request"}},{cause:r})}}n(Fm,"decodePathString");function Zm(e){let t=Ue(e);return t?xt.parse(t):void 0}n(Zm,"readOptionalOperationId");function Km(e){let t=J().connectionsById.get(e);if(t!==void 0)return t.authProfileId;throw new h({message:`No upstream connection is registered for ${e}.`,extensionMembers:{[g]:"unknown_upstream_server"}})}n(Km,"readRegisteredAuthProfileId");function Jm(e){let t=Zm(e);if(!t)throw new h({message:"operationId query parameter is required.",extensionMembers:{[g]:"invalid_request"}});return t}n(Jm,"readRequiredOperationId");function Wm(e){let t=Zn(Ue(e));return t===void 0?{}:{returnTo:t}}n(Wm,"readOptionalReturnTo");function Vm(e){let t=Ue(e.query.error_description);return t===void 0?{}:{errorDescription:t}}n(Vm,"readOptionalProviderErrorDescription");function Ym(e,t,r,o){return{kind:"connect",...Be(e,t.subjectId),...o===void 0?{}:{returnTo:o},redirect:r}}n(Ym,"buildConnectContextForUser");function Xm(e,t,r){let o=Pt(t);if(o.mode!==e.ownerMode)throw new h({message:"Browser connect 
ticket did not match the requested upstream flow",extensionMembers:{[g]:"oauth_callback_mismatch"}});return{kind:"connect",...e,...t.returnTo===void 0?{}:{returnTo:t.returnTo},owner:o,initiatedBySubjectId:t.initiatedBySubjectId,redirect:r}}n(Xm,"buildConnectContextForTicket");async function Qm(e,t){let r=Wt(t,Jm(e.query.operationId)),o=e.query.redirect==="true",i=Ue(e.query.browserTicket);if(e.user){if(i)throw new h({message:"Use either an authenticated gateway request or a browser connect ticket, not both.",extensionMembers:{[g]:"invalid_request"}});let s=_e(e.user,e.url);return Ym(r,s,o,Wm(e.query.returnTo).returnTo)}if(!i)throw new h({message:"Authentication is required to start the upstream connection flow.",extensionMembers:{[g]:"authentication_required"}});let a=await di(i);if(a.ownerMode!==r.ownerMode||a.upstreamServerId!==r.upstreamServerId||a.authProfileId!==r.authProfileId||a.operationId!==r.operationId)throw new h({message:"Browser connect ticket did not match the requested upstream flow",extensionMembers:{[g]:"oauth_callback_mismatch"}});return await ui(a),Xm(r,a,o)}n(Qm,"resolveConnectContext");async function ef(e,t,r){let o=Nn.parse($m(e,"connection"));switch(r){case"connect":yt(e,await Qm(e,o));return;case"callback":{let i=Ue(e.query.error);if(i){yt(e,{kind:"callback_provider_error",upstreamServerId:o,error:i,...Vm(e)});return}let a=Ue(e.query.code),s=Ue(e.query.state);if(a&&s){yt(e,{kind:"callback_authorization_code",upstreamServerId:o,code:a,state:s});return}yt(e,{kind:"callback_invalid",upstreamServerId:o});return}case"client_metadata":yt(e,{kind:"client_metadata",upstreamServerId:o,authProfileId:Km(o)});return}}n(ef,"resolveUpstreamRequestInbound");async function tf(e,t,r){try{await ef(e,t,r);return}catch(o){let i=o instanceof h?o.extensionMembers?.[g]:void 0,a=o instanceof Error?o.message:void 0;switch(i){case"invalid_request":case"unknown_upstream_server":case"oauth_callback_mismatch":return 
ye.badRequest(e,t,{code:i,detail:a});case"authentication_required":return ye.unauthorized(e,t,{code:i,detail:a});default:throw o}}}n(tf,"applyUpstreamRequestContext");function ar(e,t){return n(async(o,i)=>{let a=await tf(o,i,e);return a||t(o,i)},"wrapped")}n(ar,"withUpstreamRequestContext");var rf=["callback_authorization_code","callback_provider_error","callback_invalid"];function wn(e){try{return new URL(e.url).pathname}catch{return}}n(wn,"readBrowserRequestPath");function nf(e){return"cause"in e?e.cause:void 0}n(nf,"readErrorCause");function of(e){return e.stack?.split(`
48
+ `).slice(1,4).map(t=>t.trim()).join(" | ")}n(of,"readFirstStackFrame");function _s(e,t,r){r instanceof Error&&(e[`${t}Name`]=r.name,e[`${t}Message`]=r.message,e[`${t}StackFrame`]=of(r))}n(_s,"addErrorAttributes");function _n(e){if(!(e instanceof h))return;let t=e.extensionMembers?.[g];return St(t)?t:void 0}n(_n,"readRuntimeGatewayCode");function Rs(e,t){let r=e.extensionMembers?.[t];return typeof r=="string"?r:void 0}n(Rs,"readRuntimeErrorExtensionString");function af(e,t){let r=e.extensionMembers?.[t];return typeof r=="number"?r:void 0}n(af,"readRuntimeErrorExtensionNumber");function sf(e,t,r,o){switch(r.kind){case"callback_provider_error":return t.log.warn({event:"upstream_oauth_provider_error",code:"provider_access_denied",upstreamServerId:r.upstreamServerId,providerError:r.error,...r.errorDescription===void 0?{}:{providerErrorDescription:r.errorDescription.slice(0,256)}},"Upstream identity provider returned an error to the OAuth callback"),x(t,{eventType:C.MCP_AUTH_UPSTREAM_TOKEN_EXCHANGE_FAILED,outcome:"failure",upstreamServerName:r.upstreamServerId,reasonCode:"provider_access_denied",reasonClass:"auth",attributes:{error:r.error,errorDescription:r.errorDescription}}),ir(o,"provider_access_denied",{developerDetail:r.errorDescription??r.error,diagnostic:{code:"provider_access_denied",requestId:t.requestId,routePath:wn(e),upstreamServerId:r.upstreamServerId,providerError:r.error,providerErrorDescription:r.errorDescription,underlyingError:r.errorDescription??r.error}});case"callback_invalid":return t.log.warn({event:"upstream_oauth_callback_invalid",code:"oauth_state_invalid",upstreamServerId:r.upstreamServerId},"Upstream OAuth callback request missing required code/state parameters"),ir(o,"oauth_state_invalid",{diagnostic:{code:"oauth_state_invalid",requestId:t.requestId,routePath:wn(e),upstreamServerId:r.upstreamServerId}});case"callback_authorization_code":return r}}n(sf,"requireAuthorizationCallbackRequest");function 
cf(e,t){x(e,{eventType:C.MCP_AUTH_UPSTREAM_CALLBACK_RECEIVED,outcome:"success",upstreamServerName:t.upstreamServerId})}n(cf,"emitCallbackReceivedAnalyticsEvent");function df(e,t){x(e,{eventType:C.MCP_AUTH_UPSTREAM_TOKEN_EXCHANGE_SUCCEEDED,outcome:"success",upstreamServerName:t.upstreamServerId,virtualServerName:t.operationId})}n(df,"emitTokenExchangeSucceededAnalyticsEvent");function uf(e,t){if(t.returnTo){let r=t.returnOrigin??e.url;return Response.redirect(new URL(t.returnTo,r).toString(),302)}return ys({host:$e(e.url),title:"Connection complete",body:"The upstream authorization flow completed successfully. You can return to your MCP client."})}n(uf,"buildSuccessfulCallbackResponse");function lf(e){let t={detail:e instanceof Error?e.message:void 0};return _s(t,"error",e),e instanceof Error&&_s(t,"cause",nf(e)),t}n(lf,"buildTokenExchangeFailureAttributes");function pf(e){x(e.context,{eventType:C.MCP_AUTH_UPSTREAM_TOKEN_EXCHANGE_FAILED,outcome:"failure",upstreamServerName:e.callbackRequest.upstreamServerId,reasonCode:_n(e.error)??"token_exchange_failed",reasonClass:"auth",errorType:e.error instanceof Error?e.error.name:"unknown",attributes:lf(e.error)})}n(pf,"emitTokenExchangeFailedAnalyticsEvent");function mf(e){let t=e.error,r=_n(t),o=zn(r)?r:"upstream_token_exchange_failed",i={code:o,requestId:e.context.requestId,routePath:wn(e.request),upstreamServerId:e.callbackRequest.upstreamServerId,underlyingError:t instanceof Error?t.message:void 0,...t instanceof h?{httpStatus:af(t,Te),contentType:Rs(t,ke),upstreamUrl:Rs(t,Ee)}:{}};return ir(e.host,o,{developerDetail:t instanceof Error?t.message:void 0,diagnostic:i,upstreamHtml:ff(t)})}n(mf,"tokenExchangeFailureResponse");function ff(e){if(!(e instanceof h))return;let t=e.extensionMembers?.[Pe];return typeof t=="string"?t:void 0}n(ff,"readUpstreamHtmlError");async function Rn(e,t){let r=wt(e,rf),o=$e(e.url),i=sf(e,t,r,o);if(i instanceof Response)return i;cf(t,i);try{let a=await Ei({request:e,callbackRequest:i});return 
df(t,a),t.log.info({event:"upstream_oauth_token_exchange_succeeded",upstreamServerId:a.upstreamServerId,operationId:a.operationId,authProfileId:a.authProfileId,ownerMode:a.ownerMode},"Upstream OAuth token exchange completed; user connection established"),uf(e,a)}catch(a){let s={event:"upstream_oauth_token_exchange_failed",code:_n(a)??"upstream_token_exchange_failed",upstreamServerId:i.upstreamServerId};return B(s,"error",a),t.log.warn(s,"Upstream OAuth token exchange failed; user shown connection-failure page"),pf({context:t,callbackRequest:i,error:a}),mf({request:e,context:t,host:o,callbackRequest:i,error:a})}}n(Rn,"callbackHandler");function hf(e){return(e instanceof Error?e.message:void 0)??"The requested upstream client metadata document was not found."}n(hf,"clientMetadataProblemDetail");async function bs(e,t){let r=wt(e,"connect"),o=await Ti({request:e,connectRequest:r});if(x(t,{eventType:C.MCP_AUTH_UPSTREAM_CONNECT_STARTED,outcome:"success",upstreamServerName:r.upstreamServerId,virtualServerName:o.operationId,upstreamServerTitle:o.upstreamDisplayName}),t.log.info({event:"upstream_connect_started",upstreamServerId:r.upstreamServerId,authProfileId:o.authProfileId,operationId:o.operationId,ownerMode:r.ownerMode,redirect:r.redirect,hasReturnTo:r.returnTo!==void 0},"Upstream OAuth connect flow started"),r.redirect)return Response.redirect(o.authUrl,302);let i=await Zt({requestUrl:e.url,requestHeaders:e.headers,owner:o.owner,initiatedBySubjectId:o.initiatedBySubjectId,upstreamServerId:r.upstreamServerId,authProfileId:o.authProfileId,upstreamDisplayName:o.upstreamDisplayName,operationId:o.operationId,subject:"MCP route",...r.returnTo===void 0?{}:{returnTo:r.returnTo}});return Response.json(i,{status:428})}n(bs,"connectHandler");async function Cs(e,t){let r=wt(e,"client_metadata");try{let o=k(e.url,e.headers),i=hi(o,r.upstreamServerId,r.authProfileId);return Response.json(i)}catch(o){if(!(o instanceof q))throw o;let i=o instanceof Error?o.message:String(o);return 
t.log.warn({event:"oauth_client_metadata_request_failed",upstreamServerId:r.upstreamServerId,authProfileId:r.authProfileId,errorMessage:i},"Failed to serve OAuth client metadata document for upstream connection"),ye.notFound(e,t,{code:"not_found",detail:hf(o)})}}n(Cs,"oauthClientMetadataHandler");function gf(e,t){return e.mount==="root"?e.path:t.actionPath(e.path)}n(gf,"resolveInternalRoutePath");var yf={"access-control-allow-origin":"*","access-control-allow-methods":"GET, OPTIONS","access-control-allow-headers":"content-type, authorization","access-control-max-age":"86400"};function wf(){return new Response(null,{status:204,headers:yf})}n(wf,"buildWellKnownPreflightResponse");function _f(e){let t=new Headers(e.headers);return t.set("access-control-allow-origin","*"),new Response(e.body,{status:e.status,statusText:e.statusText,headers:t})}n(_f,"withWellKnownCorsHeaders");function bn(e){return async(t,r)=>t.method==="OPTIONS"?wf():_f(await e(t,r))}n(bn,"wrapWellKnownHandler");var Is=[{routeName:"oauth_as_metadata",mount:"root",path:"/.well-known/oauth-authorization-server",methods:["GET","OPTIONS"],handler:bn(as),corsPolicy:"anything-goes"},{routeName:"oauth_as_metadata_scoped",mount:"root",path:"/.well-known/oauth-authorization-server/:routePath*",methods:["GET","OPTIONS"],handler:bn(ss),corsPolicy:"anything-goes"},{routeName:"oauth_protected_resource_metadata",mount:"root",path:"/.well-known/oauth-protected-resource/:routePath*",methods:["GET","OPTIONS"],handler:bn(co),corsPolicy:"anything-goes"},{routeName:"oauth_register",mount:"action",path:"/oauth/register",methods:["POST"],handler:cs},{routeName:"oauth_authorize",mount:"action",path:"/oauth/authorize",methods:["GET"],handler:ds},{routeName:"oauth_authorize_scoped",mount:"action",path:"/oauth/authorize/:routePath*",methods:["GET"],handler:us},{routeName:"oauth_callback",mount:"action",path:"/oauth/callback",methods:["GET"],handler:ls},{routeName:"oauth_dev_login",mount:"action",path:"/oauth/dev-login",methods:
["GET"],handler:ps},{routeName:"oauth_setup",mount:"action",path:"/oauth/setup",methods:["GET","POST"],handler:ms},{routeName:"oauth_token",mount:"action",path:"/oauth/token",methods:["POST"],handler:fs},{routeName:"oauth_revoke",mount:"action",path:"/oauth/revoke",methods:["POST"],handler:hs},{routeName:"upstream_client_metadata",mount:"action",path:"/.well-known/oauth-client/:connection",methods:["GET"],handler:ar("client_metadata",Cs)},{routeName:"upstream_connect",mount:"action",path:"/auth/connections/:connection/connect",methods:["GET"],handler:ar("connect",bs)},{routeName:"upstream_callback",mount:"action",path:"/auth/connections/:connection/callback",methods:["GET"],handler:ar("callback",Rn)}],Rf=Is.filter(e=>!e.routeName.startsWith("upstream_")),bf=Is.filter(e=>e.routeName.startsWith("upstream_"));function Cf(e){let t=Yn({routes:e.routes,policies:e.policies,gateway:e.gateway});return Xn(t),t}n(Cf,"initializeMcpGatewayConnectionRegistry");function vf(e){return[...e.byOperationId.values()].some(t=>t.downstreamOAuth!==void 0)}n(vf,"hasDownstreamOAuthRoutes");function Sf(e){let t=new Map;for(let o of e.byOperationId.values())o.downstreamOAuth&&t.set(o.downstreamOAuth.policyName,o.downstreamOAuth.config);if(t.size===1)return[...t.values()][0];let r=[...t.keys()].map(o=>`"${o}"`).join(", ");throw new q(`MCP gateway found multiple attached OAuth policies: ${r}. 
Multiple downstream MCP OAuth configs in one gateway are not supported yet; use one MCP OAuth policy across MCP routes or split these routes into separate gateways.`)}n(Sf,"readSingletonDownstreamOAuthConfig");function If(e,t,r){let o=String(t.params.routePath??""),i=e.byRoutePath.get(no(o));if(i===void 0)return;let a=i?.downstreamOAuth?.config;return a===void 0?It(t,r,{code:"not_found",detail:"The requested MCP route does not expose downstream OAuth."}):a}n(If,"readScopedDownstreamOAuthConfig");function xf(e){return e.path==="/.well-known/oauth-authorization-server/:routePath*"||e.path==="/.well-known/oauth-protected-resource/:routePath*"||e.path==="/oauth/authorize/:routePath*"}n(xf,"routeUsesScopedOAuthConfig");function vs(e,t,r){return async(o,i)=>{if(r){let u=await r(o,i);if(u instanceof Response)return u;u&&Dn(i,u)}let a=o.method==="OPTIONS",s=Date.now();a||i.log.info({event:`${e}_received`,method:o.method},`MCP gateway: ${e} received`);let c=await t(o,i);return a||i.log.info({event:`${e}_responded`,status:c.status,durationMs:Date.now()-s},`MCP gateway: ${e} responded`),c}}n(vs,"wrapInternalHandler");function Ss(e,t,r,o){e.addPluginRoute({path:gf(t,r),methods:t.methods,handler:o,processors:[An],corsPolicy:t.corsPolicy??"none"})}n(Ss,"addInternalRoute");function xs(e,t){let r=Cf(t),o=vf(r),i=r.connectionsById.size>0,a,s=n(()=>(a===void 0&&(a=Sf(r)),a),"readSingletonOAuthConfig");if(o)for(let c of Rf){let u=xf(c)?(p,f)=>If(r,p,f):s;Ss(e,c,r.gateway,vs(c.routeName,c.handler,u))}if(i)for(let c of bf)Ss(e,c,r.gateway,vs(c.routeName,c.handler))}n(xs,"registerMcpGatewayInternalRoutes");var Cn=class extends In{static{n(this,"McpGatewayPlugin")}#e;constructor(t={}){super(),this.#e=Hn(t)}registerRoutes(t){let r=t.parsedRouteData;r&&xs(t.router,{routes:r.routes,policies:r.policies,gateway:this.#e})}};var Af=new TextDecoder;function Uf(e){if(e)try{return JSON.parse(Af.decode(e))}catch{return}}n(Uf,"readBodyJson");function ce(e){return e&&typeof e=="object"?e:void 
0}n(ce,"readRecord");function _t(e,t){let r=ce(e)?.[t];return typeof r=="string"?r:void 0}n(_t,"readStringProperty");function Us(e,t){let r=ce(e)?.[t];return typeof r=="number"?r:void 0}n(Us,"readNumberProperty");function As(e,t){return Us(e,"code")??(t.status>=400?t.status:void 0)}n(As,"readErrorCode");function ks(e){return Array.isArray(e)?e.map(ks).find(t=>t?.method):ce(e)}n(ks,"readJsonRpcMessage");function Ps(e){let t=ks(Uf(e)),r=typeof t?.method=="string"?t.method:"",o=t?.params;switch(r){case"tools/list":return{mcpMethod:r,capabilityType:"tool"};case"tools/call":return{mcpMethod:r,capabilityType:"tool",capabilityName:_t(o,"name")};case"prompts/list":return{mcpMethod:r,capabilityType:"prompt"};case"prompts/get":return{mcpMethod:r,capabilityType:"prompt",capabilityName:_t(o,"name")};case"resources/list":case"resources/templates/list":return{mcpMethod:r,capabilityType:"resource"};case"resources/read":{let i=_t(o,"uri");return{mcpMethod:r,capabilityType:"resource",capabilityName:i,resourceUri:i}}default:return null}}n(Ps,"buildBaseCapabilityInput");function Ts(e){return e==="tools/list"||e==="prompts/list"||e==="resources/list"||e==="resources/templates/list"}n(Ts,"isCapabilityListMethod");function kf(e,t,r){let a=ce(r)?.[e==="resources/templates/list"?"resourceTemplates":t==="tool"?"tools":t==="prompt"?"prompts":"resources"];return Array.isArray(a)?a.length:void 0}n(kf,"readItemCount");async function Pf(e){try{return await e.clone().json()}catch{return}}n(Pf,"readResponseJson");function Es(e){let t=Ps(e);return!t||Ts(t.mcpMethod)?null:{eventType:C.MCP_CAPABILITY_INVOKED,outcome:"success",...t}}n(Es,"buildCapabilityInvokedAnalyticsInput");async function Os(e,t){let r=Ps(e);if(!r)return null;let o=ce(await 
Pf(t)),i=ce(o?.error),a=ce(i?.data),s=o?.result,c=r.mcpMethod==="tools/call"&&ce(s)?.isError===!0;if(ce(a?.connectRequired))return{eventType:C.MCP_CAPABILITY_CONNECT_REQUIRED,outcome:"connect_required",...r,httpStatusCode:t.status,reasonCode:"connect_required",reasonClass:"auth",errorType:"connect_required",errorCode:Us(i,"code"),mcpErrorType:_t(i,"message")};if(Ts(r.mcpMethod)){let u=t.status>=400?void 0:kf(r.mcpMethod,r.capabilityType,s);return{eventType:C.MCP_CAPABILITY_LISTED,outcome:t.status>=400||i?"failure":"success",...r,httpStatusCode:t.status,...t.status>=400||i?{reasonCode:"upstream_capability_list_failed",reasonClass:"upstream",errorType:"capability_list_error",errorCode:As(i,t)}:{},...u===void 0?{}:{attributes:{itemCount:u}}}}return t.status>=400||i?{eventType:C.MCP_CAPABILITY_FAILED,outcome:"failure",...r,httpStatusCode:t.status,reasonCode:"upstream_capability_invocation_failed",reasonClass:"upstream",errorType:"capability_error",errorCode:As(i,t),mcpErrorType:_t(i,"message")}:{eventType:C.MCP_CAPABILITY_COMPLETED,outcome:c?"application_error":"success",...r,httpStatusCode:t.status,toolResultIsError:c,applicationError:c}}n(Os,"buildCapabilityFinalAnalyticsInput");var Tf={Allow:"POST"};async function Ef(e){try{return await e.clone().arrayBuffer()}catch{return}}n(Ef,"readRequestBody");function Ms(e){try{let t=Qn(e.route.path);return{virtualServerName:t.operationId,upstreamServerName:t.connection?.upstreamServerId,upstreamServerTitle:t.connection?.displayName,authProfileId:t.connection?.authProfileId,upstreamAuthMode:t.connection?.authMode}}catch{return{}}}n(Ms,"readRouteAnalyticsFields");function qs(e){return lo(e.user,e.url,e.headers)?.subjectId}n(qs,"readRequestSubjectId");function Of(e){let t=Es(e.requestBody);t&&x(e.context,{...t,...Ms(e.context),httpMethod:e.request.method,subjectId:qs(e.request),transport:"http"})}n(Of,"emitCapabilityInvokedAnalytics");async function Mf(e){let t=await 
Os(e.requestBody,e.response);t&&x(e.context,{...t,...Ms(e.context),httpMethod:e.request.method,subjectId:qs(e.request),transport:"http",latencyMs:Date.now()-e.startedAt})}n(Mf,"emitCapabilityFinalAnalytics");async function qf(e,t){if(e.method==="GET")return ye.methodNotAllowed(e,t,{detail:"MCP Gateway routes support stateless Streamable HTTP requests over POST. Server-sent event GET streams are not supported."},Tf);let r=Date.now(),o=await Ef(e);Of({context:t,request:e,requestBody:o});let i=await Mn(e,t);return await Mf({context:t,request:e,requestBody:o,response:i,startedAt:r}),i}n(qf,"McpProxyHandler");export{Zs as McpAuth0OAuthInboundPolicy,yr as McpCapabilityFilterInboundPolicy,Ds as McpClerkOAuthInboundPolicy,Hs as McpCognitoOAuthInboundPolicy,zs as McpEntraOAuthInboundPolicy,Cn as McpGatewayPlugin,Ls as McpGoogleOAuthInboundPolicy,Bs as McpKeycloakOAuthInboundPolicy,js as McpLogtoOAuthInboundPolicy,Ks as McpOAuthInboundPolicy,Ns as McpOktaOAuthInboundPolicy,Gs as McpOneLoginOAuthInboundPolicy,$s as McpPingOAuthInboundPolicy,qf as McpProxyHandler,Jr as McpTokenExchangeInboundPolicy,Fs as McpWorkosOAuthInboundPolicy};
49
49
  //# sourceMappingURL=index.js.map