@zuplo/runtime 6.70.62 → 6.70.66
- package/out/esm/chunk-C2TBCXWG.js +26 -0
- package/out/esm/chunk-C2TBCXWG.js.map +1 -0
- package/out/esm/chunk-WDGKR433.js +370 -0
- package/out/esm/chunk-WDGKR433.js.map +1 -0
- package/out/esm/index.js +1 -1
- package/out/esm/mcp-gateway/index.js +13 -12
- package/out/esm/mcp-gateway/index.js.map +1 -1
- package/out/esm/mocks/index.js +1 -1
- package/out/types/index.d.ts +256 -1
- package/out/types/mcp-gateway/index.d.ts +403 -35
- package/out/types/mocks/index.d.ts +1 -0
- package/package.json +1 -1
- package/out/esm/chunk-HYUYKNAF.js +0 -370
- package/out/esm/chunk-HYUYKNAF.js.map +0 -1
- package/out/esm/chunk-LGEY3NNC.js +0 -26
- package/out/esm/chunk-LGEY3NNC.js.map +0 -1
- /package/out/esm/{chunk-HYUYKNAF.js.LEGAL.txt → chunk-WDGKR433.js.LEGAL.txt} +0 -0
|
@@ -22,28 +22,29 @@
|
|
|
22
22
|
* DEALINGS IN THE SOFTWARE.
|
|
23
23
|
*--------------------------------------------------------------------------------------------*/
|
|
24
24
|
|
|
25
|
-
import{$b as Ye,Ab as Ds,Ac as H,Bb as Hs,Bc as ao,Cb as zs,Cc as so,Db as Ls,Dc as hr,Eb as Bs,Ec as co,Fb as js,Fc as uo,G as Un,Gb as Ns,Gc as gr,H as l,Hb as Gs,Hc as _e,I as kn,Ib as $s,Ic as lo,J as cr,Jb as Fs,Jc as po,K as te,Kb as Bn,Kc as mo,L as Pn,Lb as jn,Lc as fo,M as y,Mb as Nn,Mc as ho,N as ue,Nb as xt,Nc as go,O as vt,Ob as dr,Oc as yo,P as Tn,Pb as At,Pc as b,Q as En,Qb as Ut,Qc as x,R as On,Rb as We,Rc as pe,S as d,Sb as Gn,Sc as U,T as $,Tb as $n,Tc as wo,Ub as Fn,Uc as Zs,Vb as Ve,Vc as Ks,Wb as Zn,Xb as kt,Yb as Kn,Z as Mn,Zb as ur,_b as Jn,a as bt,ac as Pt,bc as Wn,cc as Vn,dc as Yn,ec as Xn,fc as J,gb as we,gc as M,hb as T,hc as Qn,i as ye,ib as qn,ic as eo,j as In,jb as Dn,jc as R,kb as k,kc as ne,l as xn,lb as Hn,lc as Tt,mb as g,mc as B,nb as ke,nc as Z,ob as Pe,oc as to,p as An,pb as Te,pc as ro,qb as Ee,qc as Et,r as Ct,rb as St,rc as no,sb as zn,sc as oe,tb as F,tc as lr,ub as Ln,uc as pr,vb as re,vc as oo,wb as w,wc as Ot,xb as It,xc as mr,yb as D,yc as fr,zb as le,zc as io}from"../chunk-HYUYKNAF.js";import{d as sr}from"../chunk-JRXZBVXH.js";import{a as C}from"../chunk-LGEY3NNC.js";import{$ as de,a as n,aa as h,ba as q,ca as Sn,da as Rt}from"../chunk-ZIKV2LUM.js";$();function Js(e){let t=Ut.safeParse(e);return t.success?t.data.id:void 0}n(Js,"parseJsonRpcRequestId");function _o(e){if(e!==void 0)try{let t=JSON.parse(new TextDecoder().decode(e));return Js(t)}catch{return}}n(_o,"readJsonRpcRequestIdFromBody");function Mt(e){return Gn.parse({jsonrpc:At,...e.id===void 0?{}:{id:e.id},error:{code:e.error.code,message:e.error.message,...e.error.data===void 0?{}:{data:e.error.data}}})}n(Mt,"jsonRpcErrorResponse");function Ro(e){return new Fn([$n.parse({mode:"url",message:e.message,elicitationId:e.elicitationId,url:e.url})],e.message)}n(Ro,"urlElicitationRequiredError");var 
qt=d.record(d.string(),d.unknown()),Ws=d.record(d.string(),d.unknown()),Vs=d.object({name:d.string().min(1),description:d.string().min(1).optional(),annotations:Ws.optional(),_meta:qt.optional()}).strict(),Ys=d.object({name:d.string().min(1),description:d.string().min(1).optional(),_meta:qt.optional()}).strict(),Xs=d.object({uri:d.string().min(1),name:d.string().min(1).optional(),description:d.string().min(1).optional(),mimeType:d.string().min(1).optional(),_meta:qt.optional()}).strict(),Qs=d.object({uriTemplate:d.string().min(1),name:d.string().min(1).optional(),description:d.string().min(1).optional(),mimeType:d.string().min(1).optional(),_meta:qt.optional()}).strict(),ec=d.array(d.union([d.string(),Vs])),tc=d.array(d.union([d.string(),Ys])),rc=d.array(d.union([d.string(),Xs])),nc=d.array(d.union([d.string(),Qs])),oc=d.object({tools:ec.optional(),prompts:tc.optional(),resources:rc.optional(),resourceTemplates:nc.optional()}).strict(),wr=[{option:"tools",listMethod:"tools/list",resultProperty:"tools",itemProperty:"name",directMethods:[{method:"tools/call",paramProperty:"name"}]},{option:"prompts",listMethod:"prompts/list",resultProperty:"prompts",itemProperty:"name",directMethods:[{method:"prompts/get",paramProperty:"name"}]},{option:"resources",listMethod:"resources/list",resultProperty:"resources",itemProperty:"uri",directMethods:[{method:"resources/read",paramProperty:"uri"}]},{option:"resourceTemplates",listMethod:"resources/templates/list",resultProperty:"resourceTemplates",itemProperty:"uriTemplate",directMethods:[]}];function ic(e,t){return qn(oc,e,`MCP capability filter policy "${t}"`)}n(ic,"parseMcpCapabilityFilterOptions");function z(e){return e!==null&&typeof e=="object"&&!Array.isArray(e)}n(z,"isRecord");function ac(e,t){if(!z(e))return;let r=e[t];return typeof r=="string"?r:void 0}n(ac,"readParamString");function _r(e){let t=e.id;return typeof t=="string"||typeof t=="number"||t===null?t:void 0}n(_r,"readRequestId");function So(e){return e===void 
0?void 0:JSON.stringify(e)}n(So,"requestIdKey");function sc(e){let t={};for(let r of wr){let o=e[r.option];if(o===void 0)continue;let i=new Map;for(let a of o){let s=lc(a,r.itemProperty);s!==void 0&&i.set(s.key,s)}t[r.option]=i}return t}n(sc,"buildProjectionMaps");function Rr(e){return wr.find(t=>t.listMethod===e)}n(Rr,"findListRule");function cc(e){return e.requests.some(t=>{if(!z(t))return!1;let r=Rr(t.method);return r!==void 0&&e.projectionMaps[r.option]!==void 0})}n(cc,"shouldFilterListResponses");function dc(e){for(let t of wr){let r=e.projectionMaps[t.option];if(r!==void 0)for(let o of t.directMethods){if(e.request.method!==o.method)continue;let i=ac(e.request.params,o.paramProperty);if(i!==void 0&&!r.has(i))return{id:_r(e.request)}}}}n(dc,"findDisallowedDirectAccess");function uc(e){return Response.json(Mt({id:e,error:{code:We.MethodNotFound,message:"Method not found"}}))}n(uc,"methodNotFoundResponse");function lc(e,t){if(typeof e=="string")return{key:e,overlay:{}};if(!z(e))return;let r=e[t];if(typeof r=="string")return{key:r,overlay:e}}n(lc,"buildProjection");function bo(e){let t=e.base[e.property],r=e.overlay[e.property];return z(r)?z(t)?{...t,...r}:r:t}n(bo,"mergeRecordProperty");function pc(e,t){let r={...e,...t.overlay},o=bo({base:e,overlay:t.overlay,property:"annotations"});o!==void 0&&(r.annotations=o);let i=bo({base:e,overlay:t.overlay,property:"_meta"});return i!==void 0&&(r._meta=i),r}n(pc,"applyProjection");function Co(e,t,r){if(!z(e))return e;let o=e.result;if(!z(o))return e;let i=o[t.resultProperty];return!Array.isArray(i)||!i.every(a=>z(a)&&typeof a[t.itemProperty]=="string")?e:{...e,result:{...o,[t.resultProperty]:i.flatMap(a=>{if(!z(a))return[];let s=a[t.itemProperty];if(typeof s!="string")return[];let c=r.get(s);return c===void 0?[]:[pc(a,c)]})}}}n(Co,"filterAndProjectItems");function mc(e){let t=new Map;if(!Array.isArray(e))return t;for(let r of e){if(!z(r))continue;let o=Rr(r.method),i=_r(r),a=So(i);o!==void 0&&a!==void 
0&&t.set(a,o)}return t}n(mc,"buildListRulesByResponseId");function fc(e){if(Array.isArray(e.responseBody)){let o=mc(e.requestBody);return o.size===0?e.responseBody:e.responseBody.map(i=>{if(!z(i)||"error"in i)return i;let a=So(_r(i)),s=a===void 0?void 0:o.get(a),c=s===void 0?void 0:e.projectionMaps[s.option];return s===void 0||c===void 0?i:Co(i,s,c)})}if(!z(e.requestBody)||!z(e.responseBody)||"error"in e.responseBody)return e.responseBody;let t=Rr(e.requestBody.method),r=t===void 0?void 0:e.projectionMaps[t.option];return t===void 0||r===void 0?e.responseBody:Co(e.responseBody,t,r)}n(fc,"filterJsonRpcResponse");async function vo(e){return e.clone().json()}n(vo,"readJson");function hc(e){return e.headers.get("content-type")?.includes("json")??!1}n(hc,"isJsonResponse");var yr=class extends Ct{static{n(this,"McpCapabilityFilterInboundPolicy")}#e;constructor(t,r){let o=ic(t,r);super(o,r),this.#e=sc(o)}async handler(t,r){bt("policy.inbound.mcp-capability-filter");let o;try{o=await vo(t)}catch{return t}let i=Array.isArray(o)?o:[o];for(let a of i){if(!z(a))continue;let s=dc({request:a,projectionMaps:this.#e});if(s!==void 0)return uc(s.id)}return cc({requests:i,projectionMaps:this.#e})&&r.addResponseSendingHook(async a=>{if(!hc(a))return a;let s;try{s=await vo(a)}catch{return a}let c=fc({requestBody:o,responseBody:s,projectionMaps:this.#e});if(c===s)return a;let u=new Headers(a.headers);return u.delete("content-length"),new Response(JSON.stringify(c),{status:a.status,statusText:a.statusText,headers:u})}),t}};var br;br=globalThis.crypto;async function gc(e){return(await br).getRandomValues(new Uint8Array(e))}n(gc,"getRandomValues");async function yc(e){let t="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._~",r=Math.pow(2,8)-Math.pow(2,8)%t.length,o="";for(;o.length<e;){let i=await gc(e-o.length);for(let a of i)a<r&&(o+=t[a%t.length])}return o}n(yc,"random");async function wc(e){return await yc(e)}n(wc,"generateVerifier");async function _c(e){let 
t=await(await br).subtle.digest("SHA-256",new TextEncoder().encode(e));return btoa(String.fromCharCode(...new Uint8Array(t))).replace(/\//g,"_").replace(/\+/g,"-").replace(/=/g,"")}n(_c,"generateChallenge");async function Cr(e){if(e||(e=43),e<43||e>128)throw`Expected a length between 43 and 128. Received ${e}.`;let t=await wc(e),r=await _c(t);return{code_verifier:t,code_challenge:r}}n(Cr,"pkceChallenge");$();var E=kn().superRefine((e,t)=>{if(!URL.canParse(e))return t.addIssue({code:En.custom,message:"URL must be parseable",fatal:!0}),Un}).refine(e=>{let t=new URL(e);return t.protocol!=="javascript:"&&t.protocol!=="data:"&&t.protocol!=="vbscript:"},{message:"URL cannot use javascript:, data:, or vbscript: scheme"}),Dt=vt({resource:l().url(),authorization_servers:y(E).optional(),jwks_uri:l().url().optional(),scopes_supported:y(l()).optional(),bearer_methods_supported:y(l()).optional(),resource_signing_alg_values_supported:y(l()).optional(),resource_name:l().optional(),resource_documentation:l().optional(),resource_policy_uri:l().url().optional(),resource_tos_uri:l().url().optional(),tls_client_certificate_bound_access_tokens:te().optional(),authorization_details_types_supported:y(l()).optional(),dpop_signing_alg_values_supported:y(l()).optional(),dpop_bound_access_tokens_required:te().optional()}),Xe=vt({issuer:l(),authorization_endpoint:E,token_endpoint:E,registration_endpoint:E.optional(),scopes_supported:y(l()).optional(),response_types_supported:y(l()),response_modes_supported:y(l()).optional(),grant_types_supported:y(l()).optional(),token_endpoint_auth_methods_supported:y(l()).optional(),token_endpoint_auth_signing_alg_values_supported:y(l()).optional(),service_documentation:E.optional(),revocation_endpoint:E.optional(),revocation_endpoint_auth_methods_supported:y(l()).optional(),revocation_endpoint_auth_signing_alg_values_supported:y(l()).optional(),introspection_endpoint:l().optional(),introspection_endpoint_auth_methods_supported:y(l()).optional(),introspectio
n_endpoint_auth_signing_alg_values_supported:y(l()).optional(),code_challenge_methods_supported:y(l()).optional(),client_id_metadata_document_supported:te().optional()}),Rc=vt({issuer:l(),authorization_endpoint:E,token_endpoint:E,userinfo_endpoint:E.optional(),jwks_uri:E,registration_endpoint:E.optional(),scopes_supported:y(l()).optional(),response_types_supported:y(l()),response_modes_supported:y(l()).optional(),grant_types_supported:y(l()).optional(),acr_values_supported:y(l()).optional(),subject_types_supported:y(l()),id_token_signing_alg_values_supported:y(l()),id_token_encryption_alg_values_supported:y(l()).optional(),id_token_encryption_enc_values_supported:y(l()).optional(),userinfo_signing_alg_values_supported:y(l()).optional(),userinfo_encryption_alg_values_supported:y(l()).optional(),userinfo_encryption_enc_values_supported:y(l()).optional(),request_object_signing_alg_values_supported:y(l()).optional(),request_object_encryption_alg_values_supported:y(l()).optional(),request_object_encryption_enc_values_supported:y(l()).optional(),token_endpoint_auth_methods_supported:y(l()).optional(),token_endpoint_auth_signing_alg_values_supported:y(l()).optional(),display_values_supported:y(l()).optional(),claim_types_supported:y(l()).optional(),claims_supported:y(l()).optional(),service_documentation:l().optional(),claims_locales_supported:y(l()).optional(),ui_locales_supported:y(l()).optional(),claims_parameter_supported:te().optional(),request_parameter_supported:te().optional(),request_uri_parameter_supported:te().optional(),require_request_uri_registration:te().optional(),op_policy_uri:E.optional(),op_tos_uri:E.optional(),client_id_metadata_document_supported:te().optional()}),Ht=ue({...Rc.shape,...Xe.pick({code_challenge_methods_supported:!0}).shape}),Oe=ue({access_token:l(),id_token:l().optional(),token_type:l(),expires_in:On.number().optional(),scope:l().optional(),refresh_token:l().optional()}).strip(),xo=ue({error:l(),error_description:l().optional(),error_uri
:l().optional()}),Io=E.optional().or(Tn("").transform(()=>{})),bc=ue({redirect_uris:y(E),token_endpoint_auth_method:l().optional(),grant_types:y(l()).optional(),response_types:y(l()).optional(),client_name:l().optional(),client_uri:E.optional(),logo_uri:Io,scope:l().optional(),contacts:y(l()).optional(),tos_uri:Io,policy_uri:l().optional(),jwks_uri:E.optional(),jwks:Pn().optional(),software_id:l().optional(),software_version:l().optional(),software_statement:l().optional()}).strip(),zt=ue({client_id:l(),client_secret:l().optional(),client_id_issued_at:cr().optional(),client_secret_expires_at:cr().optional()}).strip(),Qe=bc.merge(zt),Vf=ue({error:l(),error_description:l().optional()}).strip(),Yf=ue({token:l(),token_type_hint:l().optional()}).strip();function Ao(e){let t=typeof e=="string"?new URL(e):new URL(e.href);return t.hash="",t}n(Ao,"resourceUrlFromServerUrl");function Uo({requestedResource:e,configuredResource:t}){let r=typeof e=="string"?new URL(e):new URL(e.href),o=typeof t=="string"?new URL(t):new URL(t.href);if(r.origin!==o.origin||r.pathname.length<o.pathname.length)return!1;let i=r.pathname.endsWith("/")?r.pathname:r.pathname+"/",a=o.pathname.endsWith("/")?o.pathname:o.pathname+"/";return i.startsWith(a)}n(Uo,"checkResourceAllowed");var A=class extends Error{static{n(this,"OAuthError")}constructor(t,r){super(t),this.errorUri=r,this.name=this.constructor.name}toResponseObject(){let t={error:this.errorCode,error_description:this.message};return this.errorUri&&(t.error_uri=this.errorUri),t}get errorCode(){return this.constructor.errorCode}},et=class extends A{static{n(this,"InvalidRequestError")}};et.errorCode="invalid_request";var Re=class extends A{static{n(this,"InvalidClientError")}};Re.errorCode="invalid_client";var be=class extends A{static{n(this,"InvalidGrantError")}};be.errorCode="invalid_grant";var Ce=class extends A{static{n(this,"UnauthorizedClientError")}};Ce.errorCode="unauthorized_client";var tt=class extends 
A{static{n(this,"UnsupportedGrantTypeError")}};tt.errorCode="unsupported_grant_type";var rt=class extends A{static{n(this,"InvalidScopeError")}};rt.errorCode="invalid_scope";var nt=class extends A{static{n(this,"AccessDeniedError")}};nt.errorCode="access_denied";var ie=class extends A{static{n(this,"ServerError")}};ie.errorCode="server_error";var ot=class extends A{static{n(this,"TemporarilyUnavailableError")}};ot.errorCode="temporarily_unavailable";var it=class extends A{static{n(this,"UnsupportedResponseTypeError")}};it.errorCode="unsupported_response_type";var at=class extends A{static{n(this,"UnsupportedTokenTypeError")}};at.errorCode="unsupported_token_type";var st=class extends A{static{n(this,"InvalidTokenError")}};st.errorCode="invalid_token";var ct=class extends A{static{n(this,"MethodNotAllowedError")}};ct.errorCode="method_not_allowed";var dt=class extends A{static{n(this,"TooManyRequestsError")}};dt.errorCode="too_many_requests";var ve=class extends A{static{n(this,"InvalidClientMetadataError")}};ve.errorCode="invalid_client_metadata";var ut=class extends A{static{n(this,"InsufficientScopeError")}};ut.errorCode="insufficient_scope";var lt=class extends A{static{n(this,"InvalidTargetError")}};lt.errorCode="invalid_target";var ko={[et.errorCode]:et,[Re.errorCode]:Re,[be.errorCode]:be,[Ce.errorCode]:Ce,[tt.errorCode]:tt,[rt.errorCode]:rt,[nt.errorCode]:nt,[ie.errorCode]:ie,[ot.errorCode]:ot,[it.errorCode]:it,[at.errorCode]:at,[st.errorCode]:st,[ct.errorCode]:ct,[dt.errorCode]:dt,[ve.errorCode]:ve,[ut.errorCode]:ut,[lt.errorCode]:lt};function Cc(e){return["client_secret_basic","client_secret_post","none"].includes(e)}n(Cc,"isClientAuthMethod");var vr="code",Sr="S256";function vc(e,t){let r=e.client_secret!==void 0;return"token_endpoint_auth_method"in 
e&&e.token_endpoint_auth_method&&Cc(e.token_endpoint_auth_method)&&(t.length===0||t.includes(e.token_endpoint_auth_method))?e.token_endpoint_auth_method:t.length===0?r?"client_secret_basic":"none":r&&t.includes("client_secret_basic")?"client_secret_basic":r&&t.includes("client_secret_post")?"client_secret_post":t.includes("none")?"none":r?"client_secret_post":"none"}n(vc,"selectClientAuthMethod");function Sc(e,t,r,o){let{client_id:i,client_secret:a}=t;switch(e){case"client_secret_basic":Ic(i,a,r);return;case"client_secret_post":xc(i,a,o);return;case"none":Ac(i,o);return;default:throw new Error(`Unsupported client authentication method: ${e}`)}}n(Sc,"applyClientAuthentication");function Ic(e,t,r){if(!t)throw new Error("client_secret_basic authentication requires a client_secret");let o=btoa(`${e}:${t}`);r.set("Authorization",`Basic ${o}`)}n(Ic,"applyBasicAuth");function xc(e,t,r){r.set("client_id",e),t&&r.set("client_secret",t)}n(xc,"applyPostAuth");function Ac(e,t){t.set("client_id",e)}n(Ac,"applyPublicAuth");async function To(e){let t=e instanceof Response?e.status:void 0,r=e instanceof Response?await e.text():e;try{let o=xo.parse(JSON.parse(r)),{error:i,error_description:a,error_uri:s}=o,c=ko[i]||ie;return new c(a||"",s)}catch(o){let i=`${t?`HTTP ${t}: `:""}Invalid OAuth error response: ${o}. 
Raw body: ${r}`;return new ie(i)}}n(To,"parseErrorResponse");async function Ar(e,t){try{return await Ir(e,t)}catch(r){if(r instanceof Re||r instanceof Ce)return await e.invalidateCredentials?.("all"),await Ir(e,t);if(r instanceof be)return await e.invalidateCredentials?.("tokens"),await Ir(e,t);throw r}}n(Ar,"auth");async function Ir(e,{serverUrl:t,authorizationCode:r,scope:o,resourceMetadataUrl:i,fetchFn:a}){let s=await e.discoveryState?.(),c,u,p,f=i;if(!f&&s?.resourceMetadataUrl&&(f=new URL(s.resourceMetadataUrl)),s?.authorizationServerUrl){if(u=s.authorizationServerUrl,c=s.resourceMetadata,p=s.authorizationServerMetadata??await Mo(u,{fetchFn:a}),!c)try{c=await Oo(t,{resourceMetadataUrl:f},a)}catch{}(p!==s.authorizationServerMetadata||c!==s.resourceMetadata)&&await e.saveDiscoveryState?.({authorizationServerUrl:String(u),resourceMetadataUrl:f?.toString(),resourceMetadata:c,authorizationServerMetadata:p})}else{let P=await Oc(t,{resourceMetadataUrl:f,fetchFn:a});u=P.authorizationServerUrl,p=P.authorizationServerMetadata,c=P.resourceMetadata,await e.saveDiscoveryState?.({authorizationServerUrl:String(u),resourceMetadataUrl:f?.toString(),resourceMetadata:c,authorizationServerMetadata:p})}let _=await Uc(t,e,c),S=o||c?.scopes_supported?.join(" ")||e.clientMetadata.scope,I=await Promise.resolve(e.clientInformation());if(!I){if(r!==void 0)throw new Error("Existing OAuth client information is required when exchanging an authorization code");let P=p?.client_id_metadata_document_supported===!0,O=e.clientMetadataUrl;if(O&&!Ur(O))throw new ve(`clientMetadataUrl must be a valid HTTPS URL with a non-root pathname, got: ${O}`);if(P&&O)I={client_id:O},await e.saveClientInformation?.(I);else{if(!e.saveClientInformation)throw new Error("OAuth client information must be saveable for dynamic registration");let vn=await zc(u,{metadata:p,clientMetadata:e.clientMetadata,scope:S,fetchFn:a});await e.saveClientInformation(vn),I=vn}}let G=!e.redirectUrl;if(r!==void 0||G){let P=await 
Hc(e,u,{metadata:p,resource:_,authorizationCode:r,fetchFn:a});return await e.saveTokens(P),"AUTHORIZED"}let K=await e.tokens();if(K?.refresh_token)try{let P=await Dc(u,{metadata:p,clientInformation:I,refreshToken:K.refresh_token,resource:_,addClientAuthentication:e.addClientAuthentication,fetchFn:a});return await e.saveTokens(P),"AUTHORIZED"}catch(P){if(!(!(P instanceof A)||P instanceof ie))throw P}let Q=e.state?await e.state():void 0,{authorizationUrl:Je,codeVerifier:ee}=await Mc(u,{metadata:p,clientInformation:I,state:Q,redirectUrl:e.redirectUrl,scope:S,resource:_});return await e.saveCodeVerifier(ee),await e.redirectToAuthorization(Je),"REDIRECT"}n(Ir,"authInternal");function Ur(e){if(!e)return!1;try{let t=new URL(e);return t.protocol==="https:"&&t.pathname!=="/"}catch{return!1}}n(Ur,"isHttpsUrl");async function Uc(e,t,r){let o=Ao(e);if(t.validateResourceURL)return await t.validateResourceURL(o,r?.resource);if(r){if(!Uo({requestedResource:o,configuredResource:r.resource}))throw new Error(`Protected resource ${r.resource} does not match expected ${o} (or origin)`);return new URL(r.resource)}}n(Uc,"selectResourceURL");function Eo(e){let t=e.headers.get("WWW-Authenticate");if(!t)return{};let[r,o]=t.split(" ");if(r.toLowerCase()!=="bearer"||!o)return{};let i=xr(e,"resource_metadata")||void 0,a;if(i)try{a=new URL(i)}catch{}let s=xr(e,"scope")||void 0,c=xr(e,"error")||void 0;return{resourceMetadataUrl:a,scope:s,error:c}}n(Eo,"extractWWWAuthenticateParams");function xr(e,t){let r=e.headers.get("WWW-Authenticate");if(!r)return null;let o=new RegExp(`${t}=(?:"([^"]+)"|([^\\s,]+))`),i=r.match(o);return i?i[1]||i[2]:null}n(xr,"extractFieldFromWwwAuth");async function Oo(e,t,r=fetch){let o=await Tc(e,"oauth-protected-resource",r,{protocolVersion:t?.protocolVersion,metadataUrl:t?.resourceMetadataUrl});if(!o||o.status===404)throw await o?.body?.cancel(),new Error("Resource server does not implement OAuth 2.0 Protected Resource Metadata.");if(!o.ok)throw await 
o.body?.cancel(),new Error(`HTTP ${o.status} trying to load well-known OAuth protected resource metadata.`);return Dt.parse(await o.json())}n(Oo,"discoverOAuthProtectedResourceMetadata");async function kr(e,t,r=fetch){try{return await r(e,{headers:t})}catch(o){if(o instanceof TypeError)return t?kr(e,void 0,r):void 0;throw o}}n(kr,"fetchWithCorsRetry");function kc(e,t="",r={}){return t.endsWith("/")&&(t=t.slice(0,-1)),r.prependPathname?`${t}/.well-known/${e}`:`/.well-known/${e}${t}`}n(kc,"buildWellKnownPath");async function Po(e,t,r=fetch){return await kr(e,{"MCP-Protocol-Version":t},r)}n(Po,"tryMetadataDiscovery");function Pc(e,t){return!e||e.status>=400&&e.status<500&&t!=="/"}n(Pc,"shouldAttemptFallback");async function Tc(e,t,r,o){let i=new URL(e),a=o?.protocolVersion??dr,s;if(o?.metadataUrl)s=new URL(o.metadataUrl);else{let u=kc(t,i.pathname);s=new URL(u,o?.metadataServerUrl??i),s.search=i.search}let c=await Po(s,a,r);if(!o?.metadataUrl&&Pc(c,i.pathname)){let u=new URL(`/.well-known/${t}`,i);c=await Po(u,a,r)}return c}n(Tc,"discoverMetadataWithFallback");function Ec(e){let t=typeof e=="string"?new URL(e):e,r=t.pathname!=="/",o=[];if(!r)return o.push({url:new URL("/.well-known/oauth-authorization-server",t.origin),type:"oauth"}),o.push({url:new URL("/.well-known/openid-configuration",t.origin),type:"oidc"}),o;let i=t.pathname;return i.endsWith("/")&&(i=i.slice(0,-1)),o.push({url:new URL(`/.well-known/oauth-authorization-server${i}`,t.origin),type:"oauth"}),o.push({url:new URL(`/.well-known/openid-configuration${i}`,t.origin),type:"oidc"}),o.push({url:new URL(`${i}/.well-known/openid-configuration`,t.origin),type:"oidc"}),o}n(Ec,"buildDiscoveryUrls");async function Mo(e,{fetchFn:t=fetch,protocolVersion:r=dr}={}){let o={"MCP-Protocol-Version":r,Accept:"application/json"},i=Ec(e);for(let{url:a,type:s}of i){let c=await kr(a,o,t);if(c){if(!c.ok){if(await c.body?.cancel(),c.status>=400&&c.status<500)continue;throw new Error(`HTTP ${c.status} trying to load 
${s==="oauth"?"OAuth":"OpenID provider"} metadata from ${a}`)}return s==="oauth"?Xe.parse(await c.json()):Ht.parse(await c.json())}}}n(Mo,"discoverAuthorizationServerMetadata");async function Oc(e,t){let r,o;try{r=await Oo(e,{resourceMetadataUrl:t?.resourceMetadataUrl},t?.fetchFn),r.authorization_servers&&r.authorization_servers.length>0&&(o=r.authorization_servers[0])}catch{}o||(o=String(new URL("/",e)));let i=await Mo(o,{fetchFn:t?.fetchFn});return{authorizationServerUrl:o,authorizationServerMetadata:i,resourceMetadata:r}}n(Oc,"discoverOAuthServerInfo");async function Mc(e,{metadata:t,clientInformation:r,redirectUrl:o,scope:i,state:a,resource:s}){let c;if(t){if(c=new URL(t.authorization_endpoint),!t.response_types_supported.includes(vr))throw new Error(`Incompatible auth server: does not support response type ${vr}`);if(t.code_challenge_methods_supported&&!t.code_challenge_methods_supported.includes(Sr))throw new Error(`Incompatible auth server: does not support code challenge method ${Sr}`)}else c=new URL("/authorize",e);let u=await Cr(),p=u.code_verifier,f=u.code_challenge;return c.searchParams.set("response_type",vr),c.searchParams.set("client_id",r.client_id),c.searchParams.set("code_challenge",f),c.searchParams.set("code_challenge_method",Sr),c.searchParams.set("redirect_uri",String(o)),a&&c.searchParams.set("state",a),i&&c.searchParams.set("scope",i),i?.includes("offline_access")&&c.searchParams.append("prompt","consent"),s&&c.searchParams.set("resource",s.href),{authorizationUrl:c,codeVerifier:p}}n(Mc,"startAuthorization");function qc(e,t,r){return new URLSearchParams({grant_type:"authorization_code",code:e,code_verifier:t,redirect_uri:String(r)})}n(qc,"prepareAuthorizationCodeRequest");async function qo(e,{metadata:t,tokenRequestParams:r,clientInformation:o,addClientAuthentication:i,resource:a,fetchFn:s}){let c=t?.token_endpoint?new URL(t.token_endpoint):new URL("/token",e),u=new 
Headers({"Content-Type":"application/x-www-form-urlencoded",Accept:"application/json"});if(a&&r.set("resource",a.href),i)await i(u,r,c,t);else if(o){let f=t?.token_endpoint_auth_methods_supported??[],_=vc(o,f);Sc(_,o,u,r)}let p=await(s??fetch)(c,{method:"POST",headers:u,body:r});if(!p.ok)throw await To(p);return Oe.parse(await p.json())}n(qo,"executeTokenRequest");async function Dc(e,{metadata:t,clientInformation:r,refreshToken:o,resource:i,addClientAuthentication:a,fetchFn:s}){let c=new URLSearchParams({grant_type:"refresh_token",refresh_token:o}),u=await qo(e,{metadata:t,tokenRequestParams:c,clientInformation:r,addClientAuthentication:a,resource:i,fetchFn:s});return{refresh_token:o,...u}}n(Dc,"refreshAuthorization");async function Hc(e,t,{metadata:r,resource:o,authorizationCode:i,fetchFn:a}={}){let s=e.clientMetadata.scope,c;if(e.prepareTokenRequest&&(c=await e.prepareTokenRequest(s)),!c){if(!i)throw new Error("Either provider.prepareTokenRequest() or authorizationCode is required");if(!e.redirectUrl)throw new Error("redirectUrl is required for authorization_code flow");let p=await e.codeVerifier();c=qc(i,p,e.redirectUrl)}let u=await e.clientInformation();return qo(t,{metadata:r,tokenRequestParams:c,clientInformation:u??void 0,addClientAuthentication:e.addClientAuthentication,resource:o,fetchFn:a})}n(Hc,"fetchToken");async function zc(e,{metadata:t,clientMetadata:r,scope:o,fetchFn:i}){let a;if(t){if(!t.registration_endpoint)throw new Error("Incompatible auth server: does not support dynamic client registration");a=new URL(t.registration_endpoint)}else a=new URL("/register",e);let s=await(i??fetch)(a,{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify({...r,...o!==void 0?{scope:o}:{}})});if(!s.ok)throw await To(s);return Qe.parse(await s.json())}n(zc,"registerClient");var Pr="zuplo.com",Lc=new 
Set(["co.jp","co.kr","co.nz","co.uk","com.au","com.br","com.cn","com.mx","com.sg","co.in"]),Bc=[".example.test",".example.com",".example.org",".invalid",".localhost",".test"];function Do(e){return`https://www.google.com/s2/favicons?domain=${e}&sz=128`}n(Do,"s2FaviconHref");function jc(e){return`https://t0.gstatic.com/faviconV2?client=SOCIAL&type=FAVICON&drop_404_icon=true&fallback_opts=TYPE,SIZE,URL&url=http://${e}&size=128`}n(jc,"strictFaviconHref");var Lt=Do(Pr);function Tr(e){let t=e.toLowerCase();return t===Pr||t==="zuplo.app"||t==="zuplo.dev"||t.endsWith(".zuplo.app")||t.endsWith(".zuplo.dev")?Do(Pr):jc(e)}n(Tr,"resolveIconHref");function Nc(e){try{return new URL(`http://${e}`).hostname}catch{return e}}n(Nc,"hostnameFromHost");function Gc(e){return e==="localhost"||e.includes(":")||/^\d{1,3}(?:\.\d{1,3}){3}$/.test(e)}n(Gc,"isLocalOrAddressHost");function $c(e){let t=Nc(e).toLowerCase().replace(/\.$/,"");if(Gc(t)||Bc.some(a=>t===a.slice(1)||t.endsWith(a)))return t;let r=t.split(".").filter(Boolean);if(r.length<=2)return t;let o=r.slice(-2).join("."),i=Lc.has(o)?3:2;return r.slice(-i).join(".")}n($c,"inferFaviconDomain");function Er(e){return{src:Tr($c(e)),mimeType:"image/png",sizes:["128x128"]}}n(Er,"resolveMcpFaviconIcon");function Bt(e){try{return Er(new URL(e).host)}catch{return}}n(Bt,"resolveMcpFaviconIconFromUrl");function Me(e){let t=J().connectionsById.get(e);if(!t)throw new q(`Unknown upstream server "${e}". 
Check the route's MCP upstream policy and ensure policies.json declares a matching upstream connection.`);return{displayName:t.displayName,...t.description===void 0?{}:{description:t.description},...t.serverInfo===void 0?{}:{serverInfo:t.serverInfo},transport:{baseUrl:t.mcpUrl,resourceMetadataUrl:t.protectedResourceMetadataUrl}}}n(Me,"getUpstreamServerConfig");function Fc(e){let t=J().connectionsById.get(e.upstreamServerId);if(!t||t.authProfileId!==e.authProfileId)throw new q(`Unknown auth profile "${String(e.authProfileId)}" for upstream server "${e.upstreamServerId}". Check the route's MCP upstream policy and ensure policies.json declares a matching auth mode for that upstream connection.`);return t.authProfileId}n(Fc,"resolveUpstreamAuthProfileId");function Or(e){Fc(e);let t=J().connectionsById.get(e.upstreamServerId);if(!t)throw new q(`Auth profile could not be resolved for upstream server "${e.upstreamServerId}". Check the route's MCP upstream policy and ensure policies.json declares the upstream connection before this handler runs.`);return t.authConfig}n(Or,"getUpstreamAuthConfig");function qe(e,t){return Or({upstreamServerId:e,authProfileId:t})}n(qe,"requireUpstreamOAuthConfig");function W(e){return new h({message:e,extensionMembers:{[g]:"invalid_request"}})}n(W,"invalidOutboundUrl");function Zc(){let e=sr.__TEST_ONLY_MCP_GATEWAY_ALLOW_HTTP_LOOPBACK_IDP??globalThis.process?.env?.__TEST_ONLY_MCP_GATEWAY_ALLOW_HTTP_LOOPBACK_IDP;return typeof e=="string"&&e==="1"}n(Zc,"isTestOnlyAllowHttpLoopbackIdpEnabled");function Kc(){let e=sr.__TEST_ONLY_MCP_GATEWAY_ALLOW_HTTP_LOOPBACK_CIMD??globalThis.process?.env?.__TEST_ONLY_MCP_GATEWAY_ALLOW_HTTP_LOOPBACK_CIMD;return typeof e=="string"&&e==="1"}n(Kc,"isTestOnlyAllowHttpLoopbackCimdEnabled");var Jc=new Set(["undefined","null","nan"]);function qr(e,t){if(!e.hostname)throw W(`Outbound URL has an empty hostname (got ${JSON.stringify(t)}). This typically indicates an unset $env(...) 
reference or a JS template literal coercing \`undefined\` into a URL. Check the policy options or runtime config that produced this URL.`);if(Jc.has(e.hostname.toLowerCase()))throw W(`Outbound URL hostname is ${JSON.stringify(e.hostname)} (from ${JSON.stringify(t)}). This almost always means an environment variable referenced by $env(...) is unset and a JS value was string-coerced into a URL. Set the missing env var or fix the policy option that produced this URL.`)}n(qr,"assertSafeOutboundHostname");var Wc=new Set(["localhost","169.254.169.254","metadata.google.internal","metadata"]),Vc=[{first:0},{first:10},{first:127},{first:169,secondMin:254,secondMax:254},{first:172,secondMin:16,secondMax:31},{first:192,secondMin:168,secondMax:168},{first:100,secondMin:64,secondMax:127},{first:224,firstMax:239},{first:240,firstMax:255}];function Ho(e){if(!/^\d+\.\d+\.\d+\.\d+$/.test(e))return;let t=e.split(".").map(r=>Number(r));if(!(t.length!==4||t.some(r=>Number.isNaN(r)||r<0||r>255)))return t}n(Ho,"parseIpv4Octets");function Yc([e,t],r){let o=r.firstMax??r.first;return e<r.first||e>o?!1:r.secondMin===void 0||r.secondMax===void 0?!0:t>=r.secondMin&&t<=r.secondMax}n(Yc,"ipv4RangeMatches");function zo(e){let t=Ho(e);return t!==void 0&&Vc.some(r=>Yc(t,r))}n(zo,"isPrivateIpv4");function Mr(e){if(!e||e.length>4)return;let t=Number.parseInt(e,16);return Number.isNaN(t)||t<0||t>65535?void 0:t}n(Mr,"parseIpv6Word");function Xc(e,t){return[e>>8&255,e&255,t>>8&255,t&255].join(".")}n(Xc,"formatIpv4FromWords");function Qc(e){let t=e.slice(7),r=Ho(t);if(r!==void 0)return r.join(".");let[o,i,a]=t.split(":"),s=Mr(o),c=Mr(i);return a===void 0&&s!==void 0&&c!==void 0?Xc(s,c):void 0}n(Qc,"parseIpv6MappedIpv4");function ed(e){return Mr(e.split(":").find(Boolean))}n(ed,"readFirstIpv6Hextet");function td(e){let t=we(e);if(!t.includes(":"))return!1;if(t==="::"||t==="::1")return!0;if(t.startsWith("::ffff:")){let o=Qc(t);return o===void 0||zo(o)}let r=ed(t);return r===void 
0?!1:(r&65024)===64512||(r&65472)===65152}n(td,"isPrivateIpv6");function Dr(e){let t=we(e);return Wc.has(t)||t.endsWith(".internal")||zo(t)||td(t)}n(Dr,"isBlockedOutboundHostname");function jt(e){let t=new URL(e);if(t.protocol!=="https:"&&t.protocol!=="http:")throw W(`Unsupported outbound protocol: ${t.protocol}`);qr(t,e);let r=T(t);if(t.protocol==="http:"&&!r)throw W("Configured outbound HTTP URLs must target loopback hosts.");let o=we(t.hostname);if(!r&&Dr(o))throw W(`Blocked outbound host: ${o}`);return t}n(jt,"validateConfiguredOutboundUrl");function Lo(e){let t=new URL(e),r=T(t),o=r&&Zc();if(t.protocol!=="https:"&&!o)throw W("Identity provider URLs must use https.");if(t.username||t.password||t.search||t.hash)throw W("Identity provider URLs must not include credentials, query params, or fragments.");qr(t,e);let i=we(t.hostname);if(!r&&Dr(i))throw W(`Blocked identity provider host: ${i}`);return t}n(Lo,"validateIdentityProviderUrl");function Bo(e,t){let r=new URL(e),o=r.protocol==="http:"&&T(r)&&Kc();if(r.protocol!=="https:"&&!o||r.pathname==="/"||r.username||r.password||r.hash)throw W(`CIMD ${t} must be an HTTPS URL with a path and no credentials or fragment.`);if(qr(r,e),!o&&Dr(r.hostname))throw W(`CIMD ${t} points at a blocked host.`);return r}n(Bo,"validateCimdUrl");function Nt(e){return Bo(e,"client_id")}n(Nt,"validateCimdClientMetadataUrl");function Se(e){return Bo(e,"jwks_uri")}n(Se,"validateCimdClientJwksUrl");function jo(e,t){if(!t)return;if(t.aborted){e.abort(t.reason);return}let r=n(()=>e.abort(t.reason),"abort");return t.addEventListener("abort",r,{once:!0}),()=>t.removeEventListener("abort",r)}n(jo,"mergeAbortSignals");async function rd(e){try{await e.cancel()}catch{}}n(rd,"cancelReader");async function Gt(e,t){if(!e)return new Uint8Array;let r=e.getReader(),o=[],i=0,a=await r.read();for(;!a.done;){let u=a.value;if(i+=u.byteLength,i>t.maxBytes)throw await rd(r),t.createLimitError();o.push(u),a=await r.read()}let s=new Uint8Array(i),c=0;for(let u of 
o)s.set(u,c),c+=u.byteLength;return s}n(Gt,"readBoundedByteStream");var nd=2,od=1024*1024,id=1e4,ad=new Set([301,302,303,307,308]),sd=["authorization","proxy-authorization","cookie","cookie2"];function Hr(e){return typeof e=="string"?e:e instanceof URL?e.toString():e.url}n(Hr,"readRequestUrl");function De(e,t){return t?.method!==void 0?t.method.toUpperCase():e instanceof Request?e.method.toUpperCase():"GET"}n(De,"readRequestMethod");function cd(e,t,r){let o=e.headers.get("content-length");if(!o)return;let i=Number.parseInt(o,10);if(Number.isFinite(i)&&i>t)throw new h({message:"Outbound response exceeded the maximum allowed size.",extensionMembers:{[g]:r}})}n(cd,"assertContentLengthWithinLimit");async function dd(e,t,r){return cd(e,t,r),Gt(e.body,{maxBytes:t,createLimitError:n(()=>new h({message:"Outbound response exceeded the maximum allowed size.",extensionMembers:{[g]:r}}),"createLimitError")})}n(dd,"readBoundedResponseBody");function ud(e,t){let r=new ArrayBuffer(t.byteLength);return new Uint8Array(r).set(t),new Response(r,{status:e.status,statusText:e.statusText,headers:e.headers})}n(ud,"responseFromBufferedBody");function ld(e,t){if(!ad.has(e.status))return;let r=e.headers.get("location");if(r)return new URL(r,t).toString()}n(ld,"resolveRedirectUrl");function No(e,t){try{return t.validateUrl(e)}catch(r){throw new h({message:"Outbound URL was not allowed.",extensionMembers:{[g]:t.problemCode}},{cause:r})}}n(No,"validateOutboundUrl");function pd(e,t){throw e instanceof h&&St(e.extensionMembers?.[g])?e:new h({message:"Outbound fetch failed.",extensionMembers:{[g]:t}},{cause:e})}n(pd,"normalizeFetchError");function pt(e,t){if(e===void 0)return;let r={event:t.event,code:t.problemCode,method:t.method};if(t.host!==void 0&&(r.host=t.host),t.extra!==void 0)for(let[o,i]of Object.entries(t.extra))i!==void 0&&(r[o]=i);t.error!==void 0&&B(r,"error",t.error),e.log.warn(r,"Outbound HTTP exchange rejected")}n(pt,"logOutboundFailure");async function md(e,t,r,o,i,a,s){let 
c=De(r,o);try{return await t(r,o)}catch(u){let p=u instanceof DOMException&&u.name==="AbortError";pt(e,{event:p?"outbound_fetch_aborted":"outbound_fetch_failed",problemCode:i,method:c,host:Z(a),error:u,extra:{abortReason:s()}}),pd(u,i)}}n(md,"fetchWithNormalizedError");function fd(e){if(e.redirects>=e.maxRedirects)throw new h({message:"Outbound redirects exceeded the maximum allowed depth.",extensionMembers:{[g]:e.problemCode}});if(e.method!=="GET"&&e.method!=="HEAD")throw new h({message:"Outbound redirect after a non-idempotent request was blocked.",extensionMembers:{[g]:e.problemCode}})}n(fd,"assertRedirectAllowed");function hd(e,t){let r=new Headers(e);for(let o of sd)r.delete(o);for(let o of t)r.delete(o);return r}n(hd,"stripCrossOriginHeaders");function gd(e,t,r,o,i){let a={...e,method:t,redirect:"manual",signal:r};return o&&(a.headers=hd(e.headers,i)),a}n(gd,"buildRedirectInit");function yd(e,t,r){let o={...t,redirect:"manual",signal:r};return o.headers===void 0&&e instanceof Request&&(o.headers=e.headers),o}n(yd,"buildInitialRequestInit");function wd(e){let t=De(e.currentInput,e.currentInit);fd({redirects:e.redirects,maxRedirects:e.maxRedirects,method:t,problemCode:e.problemCode});let r=No(e.redirectUrl,{problemCode:e.problemCode,validateUrl:e.validateUrl}),o=new URL(e.currentUrl),i=r.origin!==o.origin,a=r.toString();return{currentInput:a,currentUrl:a,currentInit:gd(e.currentInit,t,e.signal,i,e.additionalCrossOriginStrippedHeaders),redirects:e.redirects+1}}n(wd,"followRedirect");async function zr(e,t,r){let o=r.problemCode??"invalid_request",i=r.maxRedirects??nd,a=r.maxResponseBytes??od,s=r.timeoutMs??id,c=r.fetchImpl??fetch,u=r.additionalCrossOriginStrippedHeaders??[],p=r.context,f=new AbortController,_=jo(f,t.signal),S=!1,I=setTimeout(()=>{S=!0,f.abort()},s),G=e,K=yd(e,t,f.signal),Q;try{Q=No(Hr(e),{problemCode:o,validateUrl:r.validateUrl}).toString()}catch(ee){throw 
pt(p,{event:"outbound_url_blocked",problemCode:o,method:De(e,t),host:Z(Hr(e)),error:ee}),clearTimeout(I),_?.(),ee}let Je=0;try{for(;;){let ee=await md(p,c,G,K,o,Q,()=>S?`timeout_after_${s}ms`:void 0),P=ld(ee,Q);if(P!==void 0)try{let O=wd({currentInput:G,currentInit:K,currentUrl:Q,redirectUrl:P,redirects:Je,maxRedirects:i,problemCode:o,validateUrl:r.validateUrl,signal:f.signal,additionalCrossOriginStrippedHeaders:u});G=O.currentInput,K=O.currentInit,Q=O.currentUrl,Je=O.redirects;continue}catch(O){throw pt(p,{event:"outbound_redirect_blocked",problemCode:o,method:De(G,K),host:Z(Q),error:O,extra:{redirects:Je,maxRedirects:i,redirectTargetHost:Z(P)}}),O}try{return ud(ee,await dd(ee,a,o))}catch(O){throw pt(p,{event:"outbound_response_size_exceeded",problemCode:o,method:De(G,K),host:Z(Q),error:O,extra:{maxResponseBytes:a,status:ee.status}}),O}}}finally{clearTimeout(I),_?.()}}n(zr,"runSafeOutboundExchange");async function $t(e,t,r){let o=await zr(e,t,r);try{return{response:o,json:await o.clone().json()}}catch(i){throw pt(r.context,{event:"outbound_json_parse_failed",problemCode:r.problemCode??"invalid_request",method:De(e,t),host:Z(Hr(e)),error:i,extra:{status:o.status,contentType:o.headers.get("content-type")??void 0}}),new h({message:"Outbound JSON response could not be parsed.",extensionMembers:{[g]:r.problemCode??"invalid_request"}},{cause:i})}}n($t,"runSafeOutboundJsonExchange");function Go(e,t={},r={}){return zr(e,t,{...r,validateUrl:jt})}n(Go,"fetchConfiguredOutbound");function $o(e,t={},r={}){return $t(e,t,{...r,validateUrl:Lo})}n($o,"fetchIdentityProviderJson");function Fo(e,t={},r={}){return $t(e,t,{...r,validateUrl:Nt})}n(Fo,"fetchCimdClientMetadataJson");function Zo(e,t={},r={}){return $t(e,t,{...r,validateUrl:Se})}n(Zo,"fetchCimdClientJwksJson");$();import{errors as Qo,jwtVerify as ei,SignJWT as ti}from"jose";var L="zuplo-mcp-gateway",j=L,N="HS256";import{base64url as _d}from"jose";var Rd=new TextEncoder,bd="MCP gateway could not initialize secure key 
material.",Cd=32,Ko=new Map,Jo=new Map,vd;function Sd(){return vd??Sn.instance.authPrivateKey}n(Sd,"readAuthPrivateKey");function Wo(e){return new de(bd,e===void 0?void 0:{cause:e})}n(Wo,"createGeneratedKeyMaterialError");function Vo(e,t){let r=_d.decode(t);if(r.byteLength!==Cd)throw new Error(`Generated deployment auth key ${e} is invalid.`);return r}n(Vo,"decodeJwkKeyField");function Id(e){let t=Sd();if(!t)throw Wo();try{let r=JSON.parse(t);if(r.kty!=="OKP"||r.crv!=="Ed25519"||typeof r.d!="string"||typeof r.x!="string")throw new Error("Generated deployment auth key is not an Ed25519 JWK.");let o=Vo("d",r.d);Vo("x",r.x);let i=Rd.encode(`zuplo-mcp-gateway:${e}:Ed25519:`),a=new Uint8Array(i.byteLength+o.byteLength);return a.set(i),a.set(o,i.byteLength),a}catch(r){throw Wo(r)}}n(Id,"decodeGeneratedKeyMaterial");function xd(e){let t=Ko.get(e);return t||(t=Id(e),Ko.set(e,t)),t}n(xd,"getMasterKeyMaterial");async function V(e){let t=Jo.get(e.purpose);if(t!==void 0)return t;let r=await e.derive(xd(e.keyMaterialPurpose));return Jo.set(e.purpose,r),r}n(V,"readCachedDerivedKey");var Ad="SHA-256";var Ud="zuplo-mcp-gateway:",kd=new TextEncoder,Yo=new WeakMap;async function me(e,t){let r=Yo.get(e);r||(r=new Map,Yo.set(e,r));let o=r.get(t);if(o)return o;let i=await Pd(e,t);return r.set(t,i),i}n(me,"deriveGatewaySigningKey");async function Pd(e,t){let r=Xo(e),o=await crypto.subtle.importKey("raw",r,{name:"HKDF"},!1,["deriveBits"]),i=kd.encode(`${Ud}${t}`),a=await crypto.subtle.deriveBits({name:"HKDF",hash:Ad,salt:new Uint8Array,info:Xo(i)},o,32*8);return new Uint8Array(a)}n(Pd,"hkdfExpand");function Xo(e){let t=new ArrayBuffer(e.byteLength);return new Uint8Array(t).set(e),t}n(Xo,"copyToArrayBuffer");var 
ri=15*60,Td=15*60,Ed=Jn.extend({id:po}),Od=Ed.extend({exp:d.number().int().positive(),iat:d.number().int().positive().optional()}),ni=ur.extend({id:mo,purpose:d.literal("browser_connect")}),Md=ur.extend({purpose:d.literal("browser_connect")}),qd=ni.extend({exp:d.number().int().positive(),iat:d.number().int().positive().optional()}),oi=ri*1e3;async function ii(){return V({purpose:"oauth-state",keyMaterialPurpose:"oauth-state-signing",derive:n(e=>me(e,"oauth-state"),"derive")})}n(ii,"getOAuthStateKey");async function ai(){return V({purpose:"browser-connect",keyMaterialPurpose:"oauth-state-signing",derive:n(e=>me(e,"browser-connect"),"derive")})}n(ai,"getBrowserConnectKey");async function si(e){let t=Math.floor(Date.now()/1e3)+ri;return new ti(e).setProtectedHeader({alg:N,typ:"JWT"}).setIssuer(L).setAudience(j).setIssuedAt().setExpirationTime(t).sign(await ii())}n(si,"signOAuthState");async function Ft(e){try{let{payload:t}=await ei(e,await ii(),{algorithms:[N],issuer:L,audience:j});return Od.parse(t)}catch(t){throw t instanceof Qo.JWTExpired?new h({message:"OAuth state has expired",extensionMembers:{[g]:"oauth_state_expired"}},{cause:t}):new h({message:"OAuth state could not be verified",extensionMembers:{[g]:"oauth_state_invalid"}},{cause:t})}}n(Ft,"verifyOAuthState");async function ci(e){let t=Math.floor(Date.now()/1e3)+Td,r=Md.parse(e),o=ni.parse({...r,id:yo()});return new ti(o).setProtectedHeader({alg:N,typ:"JWT"}).setIssuer(L).setAudience(j).setIssuedAt().setExpirationTime(t).sign(await ai())}n(ci,"signBrowserConnectTicket");async function di(e){try{let{payload:t}=await ei(e,await ai(),{algorithms:[N],issuer:L,audience:j});return qd.parse(t)}catch(t){throw t instanceof Qo.JWTExpired?new h({message:"Browser connect ticket has expired",extensionMembers:{[g]:"oauth_state_expired"}},{cause:t}):new h({message:"Browser connect ticket could not be verified",extensionMembers:{[g]:"oauth_state_invalid"}},{cause:t})}}n(di,"verifyBrowserConnectTicket");async function 
ui(e){if((await b().consumeBrowserConnectTicket({id:e.id,expiresAt:R(new Date(e.exp*1e3)),now:R(new Date)})).kind==="consumed")throw new h({message:"Browser connect ticket has already been used",extensionMembers:{[g]:"oauth_state_reused"}})}n(ui,"consumeBrowserConnectTicket");function Dd(e,t,r=!1){return r?`${e} authorization must be renewed before this ${t} can be used.`:`${e} authorization is required before this ${t} can be used.`}n(Dd,"buildConnectRequiredMessage");async function Hd(e){let t=k(e.requestUrl,e.requestHeaders),r=new URL(e.path,t);return e.redirect&&r.searchParams.set("redirect","true"),r.searchParams.set("operationId",e.operationId),r.searchParams.set("browserTicket",await ci({...Ye(e),purpose:"browser_connect"})),r.toString()}n(Hd,"buildGatewayBrowserTicketUrl");function zd(e){return M().actionPath(`/auth/connections/${encodeURIComponent(e)}/connect`)}n(zd,"buildGatewayConnectPath");async function Lr(e){return Hd({...e,path:zd(e.upstreamServerId),redirect:!0})}n(Lr,"buildGatewayConnectUrl");async function Zt(e){let t={requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders},owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,operationId:e.operationId,...e.returnTo===void 0?{}:{returnTo:e.returnTo}};return{state:e.requiresReconsent?"reconsent_required":"authenticating",upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,operationId:e.operationId,...e.connectionId?{connectionId:e.connectionId}:{},authUrl:await Lr(t),message:Dd(e.upstreamDisplayName,e.subject,e.requiresReconsent),nextAction:"redirect"}}n(Zt,"buildRedirectConnectRequiredResponse");function li(e){return Ld({...e,message:e.requiresReconsent?`An administrator must reconnect ${e.upstreamDisplayName} before this tool can be used.`:`An administrator must connect ${e.upstreamDisplayName} before this tool can be used.`})}n(li,"buildAdminConnectRequiredResponse");function 
Ld(e){return{state:"admin_connect_required",upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,operationId:e.operationId,...e.connectionId?{connectionId:e.connectionId}:{},message:e.message,nextAction:"admin_setup_required"}}n(Ld,"buildAdminSetupRequiredResponse");$();var pi=new Set(["client_id","code_challenge","code_challenge_method","display","login_hint","nonce","prompt","redirect_uri","response_mode","response_type","state"]);function Bd(e,t){return e&&e.length>0?e.join(t):void 0}n(Bd,"joinOAuthScopes");function jd(e){if(e?.authorization_endpoint===void 0)return e;let t=new URL(e.authorization_endpoint);for(let r of pi)t.searchParams.delete(r);return{...e,authorization_endpoint:t.toString()}}n(jd,"sanitizeAuthorizationServerMetadata");function Br(e){let t=jd(e.authorizationServerMetadata);return t===e.authorizationServerMetadata?e:{...e,authorizationServerMetadata:t}}n(Br,"sanitizeOAuthDiscoveryState");function mi(e){let t=new URL(e);for(let r of pi){let o=t.searchParams.getAll(r);o.length<=1||(t.searchParams.delete(r),t.searchParams.set(r,o.at(-1)??""))}return t}n(mi,"normalizeDuplicateSingletonAuthorizationRequestParams");function Kt(e){let t=new URL(e);return T(t)&&we(t.hostname)!=="localhost"&&(t.hostname="localhost"),t}n(Kt,"normalizeLoopbackOAuthRedirectUri");function fi(e){return Bd(e.state?.resourceMetadata?.scopes_supported,e.delimiter)}n(fi,"readProtectedResourceMetadataScope");function Nd(e){return`Zuplo MCP Gateway - ${e}`}n(Nd,"buildGatewayOAuthClientName");function Gd(e,t){return e&&e.length>0?e.join(t):void 0}n(Gd,"joinOAuthScopeList");function jr(e){return new URL(M().actionPath(`/.well-known/oauth-client/${encodeURIComponent(e.upstreamServerId)}`),e.origin).toString()}n(jr,"buildOAuthClientMetadataDocumentUrl");function Nr(e){let t=Me(e.upstreamServerId);return{client_name:Nd(t.displayName),client_uri:new 
URL("/",e.origin).toString(),redirect_uris:[e.redirectUri],grant_types:["authorization_code","refresh_token"],response_types:["code"],application_type:"web",...e.scope===void 0?{}:{scope:e.scope},token_endpoint_auth_method:"none"}}n(Nr,"buildGatewayOAuthClientMetadata");function hi(e,t,r){let o=qe(t,r),i=Gd(o.scopes,o.scopeDelimiter);return{client_id:jr({origin:e,upstreamServerId:t}),...Nr({origin:e,upstreamServerId:t,redirectUri:Kt(new URL(o.redirectPath,e)).toString(),scope:i})}}n(hi,"buildOAuthClientMetadataDocument");$();import{base64url as fe}from"jose";var $d="SHA-256",ze="AES-GCM",Fd=12,$r="zuplo-secret",Fr=1,gi="generated:auth_private_key:token-encryption",Zd=d.object({version:d.literal(Fr),keyId:d.literal(gi),algorithm:d.literal(ze),iv:d.string().min(1),ciphertext:d.string().min(1)}).strict();function He(e){let t=new ArrayBuffer(e.byteLength);return new Uint8Array(t).set(e),t}n(He,"copyToArrayBuffer");async function Gr(){return V({purpose:"token-encryption",keyMaterialPurpose:"token-encryption",derive:n(async e=>{let t=await crypto.subtle.digest($d,He(e));return crypto.subtle.importKey("raw",t,{name:ze},!1,["encrypt","decrypt"])},"derive")})}n(Gr,"getEncryptionKey");function yi(e){return He(new TextEncoder().encode(`${$r}:v${e.version}:${e.keyId}`))}n(yi,"getAssociatedData");function Kd(e){return`${$r}:v${e.version}:${fe.encode(new TextEncoder().encode(JSON.stringify(e)))}`}n(Kd,"encodeEnvelope");function Jd(e){let t=`${$r}:v${Fr}:`;if(!e.startsWith(t))return;let r=e.slice(t.length),o=new TextDecoder().decode(fe.decode(r));return Zd.parse(JSON.parse(o))}n(Jd,"decodeEnvelope");async function Jt(e){let t=await Gr(),r=crypto.getRandomValues(new Uint8Array(Fd)),o={version:Fr,keyId:gi},i=await crypto.subtle.encrypt({name:ze,iv:r,additionalData:yi(o)},t,new TextEncoder().encode(e));return Kd({...o,algorithm:ze,iv:fe.encode(r),ciphertext:fe.encode(new Uint8Array(i))})}n(Jt,"encryptSecret");async function mt(e){let t=Jd(e);if(t){let s=await Gr(),c=await 
crypto.subtle.decrypt({name:ze,iv:He(fe.decode(t.iv)),additionalData:yi(t)},s,He(fe.decode(t.ciphertext)));return new TextDecoder().decode(c)}let[r,o]=e.split(".");if(!r||!o)throw new de("Encrypted payload is malformed");let i=await Gr(),a=await crypto.subtle.decrypt({name:ze,iv:He(fe.decode(r))},i,He(fe.decode(o)));return new TextDecoder().decode(a)}n(mt,"decryptSecret");var Wd=d.union([Qe,zt]),wi=d.object({authorizationServerUrl:d.url(),resourceMetadataUrl:d.url().optional(),resourceMetadata:Dt.optional(),authorizationServerMetadata:d.union([Xe,Ht]).optional()}).passthrough(),Vd="Bearer",Yd="__zuplo_refresh_only_upstream_access_token__";function Xd(e){return e?e.split(/[,\s]+/).filter(Boolean):[]}n(Xd,"splitScopes");function Qd(e){return Et.parse(e)}n(Qd,"parsePkceCodeVerifier");function eu(e){if(typeof e.expires_in=="number")return R(new Date(Date.now()+e.expires_in*1e3))}n(eu,"readTokenExpiry");async function _i(e){if(e!==void 0)return Jt(JSON.stringify(e))}n(_i,"encryptJson");async function Ri(e,t){if(!e)return;let r=await mt(e);try{return t.parse(JSON.parse(r))}catch(o){throw new h({message:"Stored upstream OAuth JSON state is invalid.",extensionMembers:{[g]:"oauth_state_invalid"}},{cause:o})}}n(Ri,"decryptJson");function tu(e){if(e===void 0)return;e=Br(e);let t={authorizationServerUrl:e.authorizationServerUrl};return e.resourceMetadataUrl!==void 0&&(t.resourceMetadataUrl=e.resourceMetadataUrl),e.resourceMetadata!==void 0&&(t.resourceMetadata=e.resourceMetadata),e.authorizationServerMetadata!==void 0&&(t.authorizationServerMetadata=e.authorizationServerMetadata),t}n(tu,"toOAuthDiscoveryState");function ru(e,t){return"redirect_uris"in e?e.redirect_uris.includes(t):!0}n(ru,"clientInformationAllowsRedirectUri");function nu(e){return e.clientMetadataUrl===void 0?"redirect_uris"in e.clientInformation:"redirect_uris"in e.clientInformation||e.clientInformation.client_id===e.clientMetadataUrl}n(nu,"clientInformationMatchesCurrentClientMetadataUrl");function 
ou(e){return e.clientMetadataUrl!==void 0&&!("redirect_uris"in e.clientInformation)&&e.clientInformation.client_id===e.clientMetadataUrl}n(ou,"isUrlBasedClientInformation");function iu(e,t){return t===void 0?e:{...e,scope:t}}n(iu,"applyOAuthClientMetadataScope");function bi(e,t){return fi({state:e,delimiter:t})}n(bi,"readResourceMetadataScope");function au(e,t){return e&&e.length>0?e.join(t):void 0}n(au,"joinOAuthScopeList");function su(e){let t;if(e.registration.tokenEndpointAuthMethod!=="none"&&(t=e.registration.clientSecret,!t))throw new q(`Manual OAuth registration for upstream "${e.upstreamServerId}" requires clientSecret. Set the env var that backs the client secret or use tokenEndpointAuthMethod "none".`);return Qe.parse({...e.clientMetadata,client_id:e.registration.clientId,token_endpoint_auth_method:e.registration.tokenEndpointAuthMethod,...t===void 0?{}:{client_secret:t}})}n(su,"buildManualOAuthClientInformation");function cu(e,t){let r=jr({origin:new URL(t).origin,upstreamServerId:e});return Ur(r)?r:void 0}n(cu,"buildClientMetadataUrl");function Ci(e){for(let t of e)if(t!==void 0)return t}n(Ci,"firstDefined");function du(e){let t=qe(e.target.upstreamServerId,e.target.authProfileId),r=au(t.scopes,t.scopeDelimiter),o=Nr({origin:new URL(e.redirectUri).origin,upstreamServerId:e.target.upstreamServerId,redirectUri:e.redirectUri,scope:r});if(t.clientRegistration.mode==="manual")return{clientMetadata:o,configuredScope:r,scopeDelimiter:t.scopeDelimiter,configuredClientInformation:su({clientMetadata:o,registration:t.clientRegistration,upstreamServerId:e.target.upstreamServerId})};let i=cu(e.target.upstreamServerId,e.redirectUri);return i===void 0?{clientMetadata:o,configuredScope:r,scopeDelimiter:t.scopeDelimiter}:{clientMetadata:o,configuredScope:r,scopeDelimiter:t.scopeDelimiter,clientMetadataUrl:i}}n(du,"buildInitialOAuthClientSetup");function uu(e,t){if(t===void 0)return 
Ci([e.pendingState?.encryptedClientInformation,e.connectionMetadata?.encryptedClientInformation,e.connection?.metadata?.encryptedClientInformation])}n(uu,"readEncryptedClientInformation");function lu(e){return Ci([e.pendingState?.encryptedDiscoveryState,e.connectionMetadata?.encryptedDiscoveryState,e.connection?.metadata?.encryptedDiscoveryState])}n(lu,"readEncryptedDiscoveryState");var Ie=class{static{n(this,"UpstreamOAuthProvider")}clientMetadataUrl;target;redirectUriValue;returnOrigin;clientMetadataValue;configuredScope;scopeDelimiter;configuredClientInformation;challengeScope;inferredScope;authorizationUrlValue;connection;pendingState;encryptedClientInformation;encryptedDiscoveryState;cachedClientInformation;clientInformationLoaded=!1;cachedDiscoveryState;discoveryStateLoaded=!1;cachedTokens;tokensLoaded=!1;constructor(t){let r=du({target:t.target,redirectUri:t.redirectUri});this.target=t.target,this.redirectUriValue=t.redirectUri,this.returnOrigin=t.returnOrigin,this.clientMetadataValue=r.clientMetadata,this.configuredScope=r.configuredScope,this.scopeDelimiter=r.scopeDelimiter,this.configuredClientInformation=r.configuredClientInformation,r.clientMetadataUrl!==void 0&&(this.clientMetadataUrl=r.clientMetadataUrl),this.connection=t.connection,this.pendingState=t.pendingState?{...t.pendingState}:void 0,this.encryptedClientInformation=uu(t,this.configuredClientInformation),this.encryptedDiscoveryState=lu(t)}get authorizationUrl(){return this.authorizationUrlValue}get redirectUrl(){return this.redirectUriValue}get clientMetadata(){return iu(this.clientMetadataValue,this.readEffectiveScope())}async state(){let t=await this.createPendingState();return si({id:t.id,...Ye({owner:this.target.owner,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,operationId:t.operationId})})}async clientInformation(){return 
this.configuredClientInformation?this.configuredClientInformation:this.loadPersistedClientInformation()}async saveClientInformation(t){this.configuredClientInformation||(this.cachedClientInformation=t,this.clientInformationLoaded=!0,!ou({clientInformation:t,clientMetadataUrl:this.clientMetadataUrl})&&(this.encryptedClientInformation=await _i(t),await this.syncPendingState(!1)))}async discoveryState(){return this.loadPersistedDiscoveryState()}applyChallengeScope(t){this.challengeScope=t}async saveDiscoveryState(t){let r=Br(wi.parse(t));this.cachedDiscoveryState=r,this.discoveryStateLoaded=!0,this.inferredScope=bi(r,this.scopeDelimiter),this.encryptedDiscoveryState=await _i(r),await this.syncPendingState(!1)}async tokens(){return this.loadStoredTokens()}async saveTokens(t){let r=Oe.parse(t),o=this.target.owner.mode==="user"?this.target.owner.subjectId:void 0,i=r.refresh_token?await Jt(r.refresh_token):this.connection?.encryptedRefreshToken;this.cachedTokens=r.refresh_token||!this.connection?.encryptedRefreshToken?r:Oe.parse({...r,refresh_token:await mt(this.connection.encryptedRefreshToken)}),this.tokensLoaded=!0;let a={id:this.connection?.id??ho(),ownerMode:this.target.owner.mode,subjectId:o,upstreamServerId:this.target.upstreamServerId,authProfileId:this.target.authProfileId,status:"active",encryptedAccessToken:await Jt(r.access_token),encryptedRefreshToken:i,scopes:Xd(r.scope??this.readEffectiveScope()),expiresAt:eu(r),metadata:this.readStoredOAuthPersistence(this.target.owner.mode==="shared"?this.target.initiatedBySubjectId:void 0)};this.connection=await b().upsertUpstreamConnection(a)}async redirectToAuthorization(t){let r=mi(t);this.authorizationUrlValue=r.toString()}async saveCodeVerifier(t){let r=await this.createPendingState();await this.persistPendingState({...r,codeVerifier:Qd(t)})}async codeVerifier(){if(!this.pendingState?.codeVerifier)throw new h({message:"OAuth code verifier is missing",extensionMembers:{[g]:"oauth_state_invalid"}});return 
this.pendingState.codeVerifier}async invalidateCredentials(t){let r=t==="all"||t==="client"||t==="tokens",o=t==="all"||t==="client",i=t==="all"||t==="discovery",a=t==="all"||t==="verifier";o&&(this.cachedClientInformation=void 0,this.clientInformationLoaded=!0,this.encryptedClientInformation=void 0),i&&(this.cachedDiscoveryState=void 0,this.discoveryStateLoaded=!0,this.encryptedDiscoveryState=void 0,this.challengeScope=void 0,this.inferredScope=void 0),r&&(this.cachedTokens=void 0,this.tokensLoaded=!0),await this.syncPendingState(a),await this.persistCredentialInvalidation(r)}async createPendingState(){if(this.pendingState)return this.pendingState;let t={id:go(),...Ye({owner:this.target.owner,initiatedBySubjectId:this.target.initiatedBySubjectId,upstreamServerId:this.target.upstreamServerId,authProfileId:this.target.authProfileId,operationId:this.target.operationId,...this.target.returnTo===void 0?{}:{returnTo:this.target.returnTo}}),callbackPath:new URL(this.redirectUriValue).pathname,expiresAt:R(new Date(Date.now()+oi)),redirectUri:this.redirectUriValue,...this.returnOrigin===void 0?{}:{returnOrigin:this.returnOrigin},encryptedClientInformation:this.encryptedClientInformation,encryptedDiscoveryState:this.encryptedDiscoveryState,connectedBySubjectId:this.target.owner.mode==="shared"?this.target.initiatedBySubjectId:void 0};return await this.persistPendingState(t),t}async persistPendingState(t){await b().saveUpstreamOAuthState({record:t}),this.pendingState=t}async syncPendingState(t){this.pendingState&&await this.persistPendingState({...this.pendingState,codeVerifier:t?void 0:this.pendingState.codeVerifier,encryptedClientInformation:this.encryptedClientInformation,encryptedDiscoveryState:this.encryptedDiscoveryState})}async loadPersistedClientInformation(){if(this.clientInformationLoaded)return this.cachedClientInformation;let t;try{t=await Ri(this.encryptedClientInformation,Wd)}catch{this.encryptedClientInformation=void 0,this.cachedClientInformation=void 
0,this.clientInformationLoaded=!0,await this.syncPendingState(!1),await this.persistCredentialInvalidation(!1);return}if(t&&(!ru(t,this.redirectUriValue)||!nu({clientInformation:t,clientMetadataUrl:this.clientMetadataUrl}))){this.encryptedClientInformation=void 0,this.cachedClientInformation=void 0,this.clientInformationLoaded=!0,await this.syncPendingState(!1),await this.persistCredentialInvalidation(!1);return}return t===void 0&&this.pendingState?.codeVerifier!==void 0&&this.clientMetadataUrl!==void 0&&(t=zt.parse({client_id:this.clientMetadataUrl})),this.cachedClientInformation=t,this.clientInformationLoaded=!0,this.cachedClientInformation}async loadPersistedDiscoveryState(){if(this.discoveryStateLoaded)return this.cachedDiscoveryState;try{this.cachedDiscoveryState=tu(await Ri(this.encryptedDiscoveryState,wi))}catch{this.encryptedDiscoveryState=void 0,this.cachedDiscoveryState=void 0,await this.syncPendingState(!1),await this.persistCredentialInvalidation(!1)}return this.discoveryStateLoaded=!0,this.inferredScope=bi(this.cachedDiscoveryState,this.scopeDelimiter),this.cachedDiscoveryState}readEffectiveScope(){return this.configuredScope??this.challengeScope??this.inferredScope}async loadStoredTokens(){if(this.tokensLoaded)return this.cachedTokens;if(this.tokensLoaded=!0,!this.connection||this.connection.status!=="active")return;let t=this.connection.encryptedAccessToken?await mt(this.connection.encryptedAccessToken):void 0,r=this.connection.encryptedRefreshToken?await mt(this.connection.encryptedRefreshToken):void 0;if(!t&&!r)return;let o=Oe.parse({access_token:t??Yd,token_type:Vd,refresh_token:r,scope:this.connection.scopes.length>0?this.connection.scopes.join(" "):void 0});return this.cachedTokens=o,o}async persistCredentialInvalidation(t){if(!this.connection)return;let 
r={id:this.connection.id,ownerMode:this.connection.ownerMode,subjectId:this.connection.subjectId,upstreamServerId:this.connection.upstreamServerId,authProfileId:this.connection.authProfileId,status:this.connection.status,encryptedAccessToken:this.connection.encryptedAccessToken,encryptedRefreshToken:this.connection.encryptedRefreshToken,scopes:[...this.connection.scopes],expiresAt:this.connection.expiresAt,metadata:this.connection.metadata?{...this.connection.metadata}:void 0};t&&(r.status="reconsent_required",r.encryptedAccessToken=void 0,r.encryptedRefreshToken=void 0,r.scopes=[],r.expiresAt=void 0),r.metadata=this.readStoredOAuthPersistence(this.connection.metadata?.connectedBySubjectId),this.connection=await b().upsertUpstreamConnection(r)}readStoredOAuthPersistence(t){if(!(!this.encryptedClientInformation&&!this.encryptedDiscoveryState&&!t))return{encryptedClientInformation:this.encryptedClientInformation,encryptedDiscoveryState:this.encryptedDiscoveryState,connectedBySubjectId:t}}};var pu=3e4,mu=256*1024,fu=2;function hu(e){return!e||e.status!=="active"||!e.encryptedAccessToken?!1:e.expiresAt?new Date(e.expiresAt).getTime()>Date.now():!0}n(hu,"hasUsableAccessToken");var gu="does not support dynamic client registration",yu=["Resource server does not implement OAuth 2.0 Protected Resource Metadata","trying to load well-known OAuth protected resource metadata"],wu=["HTTP 403 Forbidden","Access Denied","permission to access"];function _u(e){return e instanceof Error&&e.message.includes(gu)}n(_u,"isDynamicClientRegistrationUnsupported");function Ru(e){return e instanceof Error&&yu.some(t=>e.message.includes(t))}n(Ru,"isProtectedResourceMetadataUnavailable");function bu(e){return e instanceof Error&&wu.some(t=>e.message.includes(t))}n(bu,"isUpstreamProviderAccessDenied");function Cu(e){if(e.error instanceof h&&e.error.extensionMembers?.[g]!==void 0)return e.error;if(_u(e.error))return new h({message:`The authorization server for ${e.upstreamServerId} does not 
advertise Client ID Metadata Document support and does not support Dynamic Client Registration. Register an OAuth client for the gateway manually before retrying.`,extensionMembers:{[g]:"upstream_client_registration_required"}},{cause:e.error});if(Ru(e.error))return new h({message:`The upstream MCP server "${e.upstreamServerId}" does not publish OAuth protected resource metadata at "${e.resourceMetadataUrl}". Configure protectedResourceMetadataUrl to a working metadata document, use a provider-supported legacy client, or contact the provider to approve/allowlist this gateway OAuth client before retrying.`,extensionMembers:{[g]:"upstream_oauth_discovery_unavailable"}},{cause:e.error});if(bu(e.error))return new h({message:`The upstream provider denied access while connecting ${e.upstreamServerId}. Confirm the provider allows this gateway and its OAuth client, then retry.`,extensionMembers:{[g]:"upstream_provider_access_denied"}},{cause:e.error})}n(Cu,"mapUpstreamOAuthSetupError");function vu(e){return typeof e=="string"||e instanceof URL?{url:new URL(e.toString())}:{method:e.method,url:new URL(e.url)}}n(vu,"readOAuthFetchRequest");function Su(e,t){return(e.headers.get("content-type")??"").includes("json")||t.trimStart().startsWith("{")||t.trimStart().startsWith("[")}n(Su,"responseLooksJson");function Iu(e,t){let r=e.headers.get("content-type")??"",o=t.trimStart().toLowerCase();return r.includes("html")||o.startsWith("<!doctype html")||o.startsWith("<html")}n(Iu,"responseLooksHtml");function xu(e){let t=e.response.statusText?` ${e.response.statusText}`:"",r=e.response.headers.get("content-type")??"text/html";throw new h({message:`The upstream provider returned ${e.response.status}${t} (${r}) from ${e.request.url.toString()} while connecting 
${e.upstreamServerId}.`,extensionMembers:{[g]:e.response.status===403?"upstream_provider_access_denied":"upstream_token_exchange_failed",[Te]:e.response.status,[ke]:r,[Ee]:e.request.url.toString(),[Pe]:e.body}})}n(xu,"throwUpstreamHtmlError");function vi(e){return async(t,r)=>{let o=vu(t),i=await Go(t,r,{maxRedirects:fu,maxResponseBytes:mu,problemCode:"upstream_token_exchange_failed",timeoutMs:pu}),a=await i.clone().text();if(!i.ok&&Iu(i,a)&&xu({upstreamServerId:e,request:o,response:i,body:a}),!Su(i,a))return i;try{JSON.parse(a)}catch(s){throw new h({message:`Upstream OAuth fetch ${o.url.origin}${o.url.pathname} for ${e} returned invalid JSON.`,extensionMembers:{[g]:"upstream_token_exchange_failed"}},{cause:s})}return i}}n(vi,"createUpstreamOAuthFetch");async function Si(e,t){e.applyChallengeScope(t.requestedScope);try{let r={serverUrl:t.serverUrl,resourceMetadataUrl:new URL(t.resourceMetadataUrl),fetchFn:vi(t.upstreamServerId)};return t.requestedScope!==void 0&&(r.scope=t.requestedScope),await Ar(e,r)}catch(r){let o=Cu({upstreamServerId:t.upstreamServerId,resourceMetadataUrl:t.resourceMetadataUrl,error:r});throw o!==void 0?o:r}}n(Si,"runUpstreamOAuth");async function Au(e,t){e.applyChallengeScope(t.requestedScope);let r={serverUrl:t.serverUrl,authorizationCode:t.authorizationCode,resourceMetadataUrl:new URL(t.resourceMetadataUrl),fetchFn:vi(t.upstreamServerId)};return t.requestedScope!==void 0&&(r.scope=t.requestedScope),Ar(e,r)}n(Au,"exchangeUpstreamAuthorizationCode");async function Ii(e,t){let r=await Si(e,t);if(r==="REDIRECT"&&e.authorizationUrl)return e.authorizationUrl;throw r==="AUTHORIZED"?new h({message:`OAuth connect flow reused existing credentials instead of producing a redirect for ${t.upstreamServerId}`,extensionMembers:{[g]:"upstream_token_exchange_failed"}}):new h({message:`Unexpected OAuth result for ${t.upstreamServerId}: ${r}`,extensionMembers:{[g]:"upstream_token_exchange_failed"}})}n(Ii,"requireUpstreamAuthorizationRedirect");async function 
xi(e){if(!e.forceRefresh&&hu(e.connection))return{kind:"authorized",credential:{type:"mcp_oauth_provider",provider:e.provider}};let t=await Si(e.provider,{upstreamServerId:e.target.upstreamServerId,serverUrl:e.serverUrl,resourceMetadataUrl:e.resourceMetadataUrl,...e.requestedScope===void 0?{}:{requestedScope:e.requestedScope}});if(t==="AUTHORIZED")return{kind:"authorized",credential:{type:"mcp_oauth_provider",provider:e.provider}};if(t!=="REDIRECT")throw new h({message:`Unexpected OAuth result for ${e.target.upstreamServerId}: ${t}`,extensionMembers:{[g]:"upstream_token_exchange_failed"}});if(!e.provider.authorizationUrl)throw new h({message:`OAuth connect-required flow did not produce a redirect for ${e.target.upstreamServerId}`,extensionMembers:{[g]:"upstream_token_exchange_failed"}});return{kind:"connect_required",payload:await Eu({requestUrl:e.target.request.url,requestHeaders:e.target.request.headers,connection:e.connection,owner:e.target.owner,initiatedBySubjectId:e.target.initiatedBySubjectId,upstreamServerId:e.target.upstreamServerId,authProfileId:e.target.authProfileId,upstreamDisplayName:e.upstreamDisplayName,operationId:e.target.operationId,...e.target.returnTo===void 0?{}:{returnTo:e.target.returnTo}})}}n(xi,"authorizeUpstreamOAuthSession");async function Uu(e){let t=await Ft(e.stateToken),r=await b().consumeUpstreamOAuthState({id:t.id,now:R(new Date)}),o=ku(r);return Pu({storedState:o,signedState:t,upstreamServerId:e.upstreamServerId,callbackPath:new URL(e.request.url).pathname}),Tu(o),o}n(Uu,"consumeStoredCallbackState");function ku(e){switch(e.kind){case"consumed":throw new h({message:"OAuth state has already been used",extensionMembers:{[g]:"oauth_state_reused"}});case"missing":throw new h({message:"OAuth state is missing or expired",extensionMembers:{[g]:"oauth_state_expired"}});case"available":return e.record}}n(ku,"readConsumedCallbackState");function 
Pu(e){if(![e.storedState.ownerMode===e.signedState.ownerMode,e.storedState.initiatedBySubjectId===e.signedState.initiatedBySubjectId,e.storedState.ownerSubjectId===e.signedState.ownerSubjectId,e.storedState.upstreamServerId===e.signedState.upstreamServerId,e.storedState.authProfileId===e.signedState.authProfileId,e.storedState.operationId===e.signedState.operationId,e.storedState.upstreamServerId===e.upstreamServerId,e.storedState.callbackPath===e.callbackPath].every(Boolean))throw new h({message:"OAuth callback did not match the initiating request",extensionMembers:{[g]:"oauth_callback_mismatch"}})}n(Pu,"assertStoredCallbackStateMatches");function Tu(e){if(new Date(e.expiresAt).getTime()<=Date.now())throw new h({message:"OAuth state has expired",extensionMembers:{[g]:"oauth_state_expired"}})}n(Tu,"assertStoredCallbackStateFresh");async function Eu(e){if(e.owner.mode==="shared"){let r={upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,upstreamDisplayName:e.upstreamDisplayName,operationId:e.operationId,requiresReconsent:!!e.connection};return e.connection!==void 0&&(r.connectionId=e.connection.id),li(r)}let t={requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders},owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,upstreamDisplayName:e.upstreamDisplayName,operationId:e.operationId,subject:"tool",requiresReconsent:!!e.connection,...e.returnTo===void 0?{}:{returnTo:e.returnTo}};return e.connection!==void 0&&(t.connectionId=e.connection.id),Zt(t)}n(Eu,"buildOAuthConnectRequiredResponse");async function Ai(e){let t=await Uu({request:e.request,upstreamServerId:e.upstreamServerId,stateToken:e.stateToken}),r=Pt(t),[o]=await 
b().batchGetUpstreamConnections([{owner:r,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId}]),i={target:{owner:r,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,operationId:t.operationId,...t.returnTo===void 0?{}:{returnTo:t.returnTo}},redirectUri:t.redirectUri,pendingState:t};o!==void 0&&(i.connection=o);let a=new Ie(i),s=await Au(a,{upstreamServerId:e.upstreamServerId,serverUrl:e.upstreamServerConfig.transport.baseUrl,authorizationCode:e.authorizationCode,resourceMetadataUrl:e.upstreamServerConfig.transport.resourceMetadataUrl});if(s==="AUTHORIZED")return t;throw s!=="REDIRECT"?new h({message:`Unexpected OAuth result for ${e.upstreamServerId}: ${s}`,extensionMembers:{[g]:"upstream_token_exchange_failed"}}):new h({message:`OAuth callback flow did not finish authorization for ${e.upstreamServerId}`,extensionMembers:{[g]:"upstream_token_exchange_failed"}})}n(Ai,"finishUpstreamOAuthCallback");function Ou(e){return Kt(new URL(e.callbackPath,k(e.requestUrl,e.requestHeaders))).toString()}n(Ou,"buildGatewayOAuthRedirectUri");async function Ui(e){let t=Me(e.upstreamServerId),r=qe(e.upstreamServerId,e.authProfileId),o=Ou({callbackPath:r.redirectPath,requestUrl:e.request.url,requestHeaders:e.request.headers}),i="preloadedConnection"in e?e.preloadedConnection:(await b().batchGetUpstreamConnections([{owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId}]))[0];return{upstreamServerConfig:t,connection:i,providerInput:{target:{owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,operationId:e.operationId,...e.returnTo===void 0?{}:{returnTo:e.returnTo}},redirectUri:o,returnOrigin:k(e.request.url,e.request.headers)}}}n(Ui,"prepareUpstreamOAuthRequest");async function ki(e){let t=await Ui(e),r=new Ie({...t.providerInput,...t.connection?.metadata===void 0?{}:{connectionMetadata:t.connection.metadata}});return 
Ii(r,{upstreamServerId:e.upstreamServerId,serverUrl:t.upstreamServerConfig.transport.baseUrl,resourceMetadataUrl:t.upstreamServerConfig.transport.resourceMetadataUrl})}n(ki,"startUpstreamConnect");async function Pi(e){let t=await Ui(e),r=new Ie({...t.providerInput,...t.connection===void 0?{}:{connection:t.connection}});return xi({target:e,provider:r,connection:t.connection,forceRefresh:e.forceRefresh,...e.requestedScope===void 0?{}:{requestedScope:e.requestedScope},upstreamDisplayName:t.upstreamServerConfig.displayName,serverUrl:t.upstreamServerConfig.transport.baseUrl,resourceMetadataUrl:t.upstreamServerConfig.transport.resourceMetadataUrl})}n(Pi,"authorizeUpstreamRequest");async function Le(e){let{routeAuth:t}=e;return Pi({request:e.request,owner:t.owner,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,operationId:t.operationId,forceRefresh:e.forceRefresh,...e.requestedScope===void 0?{}:{requestedScope:e.requestedScope},...e.preloadedConnection===void 0?{}:{preloadedConnection:e.preloadedConnection},...t.returnTo===void 0?{}:{returnTo:t.returnTo}})}n(Le,"resolveUpstreamCredentialForRoute");async function Ti(e){let t={request:e.request,owner:e.connectRequest.owner,initiatedBySubjectId:e.connectRequest.initiatedBySubjectId,upstreamServerId:e.connectRequest.upstreamServerId,authProfileId:e.connectRequest.authProfileId,operationId:e.connectRequest.operationId,...e.connectRequest.returnTo===void 0?{}:{returnTo:e.connectRequest.returnTo}},r=await ki(t);return{authProfileId:e.connectRequest.authProfileId,authUrl:r,initiatedBySubjectId:e.connectRequest.initiatedBySubjectId,owner:e.connectRequest.owner,upstreamDisplayName:e.connectRequest.upstreamDisplayName,operationId:e.connectRequest.operationId}}n(Ti,"startUpstreamConnectForRequest");async function Ei(e){let r=(await Ft(e.callbackRequest.state)).authProfileId;return 
Or({upstreamServerId:e.callbackRequest.upstreamServerId,authProfileId:r}),Ai({request:e.request,upstreamServerId:e.callbackRequest.upstreamServerId,authorizationCode:e.callbackRequest.code,stateToken:e.callbackRequest.state,upstreamServerConfig:Me(e.callbackRequest.upstreamServerId)})}n(Ei,"finishUpstreamCallbackForRequest");function Mu(e){return{upstreamServerId:e.connection.upstreamServerId,operationId:e.operationId,authProfileId:e.connection.authProfileId,upstreamDisplayName:e.connection.displayName,authMode:e.connection.authMode,ownerMode:e.connection.ownerMode}}n(Mu,"buildRouteAuthBaseFromConnection");function Mi(e){return{upstreamServerId:e.connection.id,operationId:e.operationId,authProfileId:Wn(e.connection.id,e.connection.authMode),upstreamDisplayName:e.connection.displayName,authMode:e.connection.authMode,ownerMode:e.connection.ownerMode}}n(Mi,"buildRouteAuthBaseFromPolicyOptions");function Wt(e,t){let o=J().byOperationId.get(t);if(!o)throw new q(`Unknown MCP route "${t}". Ensure routes.oas.json declares this operationId before starting an upstream connection flow.`);if(o.connection===void 0)throw new q(`MCP route "${t}" does not declare an MCP token exchange policy. Add one before starting an upstream connection flow.`);if(o.connection.upstreamServerId!==e)throw new q(`MCP route "${t}" does not bind upstream "${e}". 
Check the route's MCP upstream policies and bind the upstream before starting an upstream connection flow.`);return Mu({connection:o.connection,operationId:t})}n(Wt,"resolveRouteAuthBase");function Oi(e,t){switch(e){case"user":return kt(t);case"shared":return Kn()}}n(Oi,"buildOwnerForSubject");function Be(e,t){switch(e.ownerMode){case"shared":return{...e,ownerMode:"shared",owner:Oi(e.ownerMode,t),initiatedBySubjectId:t};case"user":return{...e,ownerMode:"user",owner:Oi(e.ownerMode,t),initiatedBySubjectId:t}}}n(Be,"resolveRouteAuthForSubject");var qu=We.InvalidRequest,Du=new Set(["connection","keep-alive","proxy-authenticate","te","trailer","transfer-encoding","upgrade"]);function Hu(e,t){return{credentialType:e.type,forceRefresh:t}}n(Hu,"buildCredentialResolvedAttributes");function zu(e){switch(e){case"admin_connect_required":return"admin_connect_required";case"authenticating":return"connect_required"}}n(zu,"connectRequiredReasonCode");function qi(e){x(e.context,{eventType:C.MCP_AUTH_UPSTREAM_CREDENTIAL_RESOLVED,outcome:"success",routeBinding:e.routeBinding,attributes:Hu(e.credential,e.forceRefresh===!0)})}n(qi,"emitCredentialResolvedAnalyticsEvent");function Di(e){let t={forceRefresh:e.forceRefresh===!0,nextAction:e.payload.nextAction,state:e.payload.state};if(x(e.context,{eventType:C.MCP_AUTH_UPSTREAM_CREDENTIAL_MISSING,outcome:"connect_required",routeBinding:e.routeBinding,reasonCode:"connect_required",reasonClass:"auth",attributes:t}),e.payload.state==="reconsent_required"){x(e.context,{eventType:C.MCP_AUTH_UPSTREAM_RECONSENT_REQUIRED,outcome:"connect_required",routeBinding:e.routeBinding,reasonCode:"reconsent_required",reasonClass:"auth",attributes:t});return}x(e.context,{eventType:C.MCP_AUTH_UPSTREAM_CONNECT_REQUIRED,outcome:"connect_required",routeBinding:e.routeBinding,reasonCode:zu(e.payload.state),reasonClass:"auth",attributes:t})}n(Di,"emitCredentialMissingAnalyticsEvents");function Lu(e){let t=e.route.raw();return 
xt.parse(t?.operationId)}n(Lu,"readOperationId");async function Bu(e,t,r,o){let i=await Le({request:e,routeAuth:t});if(i.kind==="connect_required")return Di({context:o,payload:i.payload,routeBinding:t}),o.log.info({event:"mcp_upstream_connect_required",upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId},"MCP upstream proxy: upstream connection required"),{kind:"connect_required",payload:i.payload};let a=i.credential;qi({context:o,credential:a,routeBinding:t});let s=await a.provider.tokens();return s?{kind:"headers",headers:[["authorization",`${s.token_type??"Bearer"} ${s.access_token}`]]}:(o.log.warn({event:"mcp_upstream_no_tokens",upstreamServerId:t.upstreamServerId},"MCP upstream proxy: OAuth provider returned no tokens"),Response.json({error:"no_upstream_tokens"},{status:401}))}n(Bu,"buildCredentialHeaders");var ju=new Set(["authorization","cookie","cookie2"]);function Nu(e){if(e!==void 0)try{let t=JSON.parse(new TextDecoder().decode(e));return t&&typeof t=="object"&&!Array.isArray(t)&&"method"in t&&typeof t.method=="string"?t.method:void 0}catch{return}}n(Nu,"readJsonRequestMethod");function Gu(e){let t=e.headers.get("content-type")??"";return/\bapplication\/(?:[\w.+-]+\+)?json\b/i.test(t)}n(Gu,"isJsonResponse");function Zr(e){return e!==null&&typeof e=="object"&&!Array.isArray(e)}n(Zr,"isRecord");function $u(e){return Array.isArray(e)&&e.length>0}n($u,"hasIconList");function Fu(e){if(e.connection.serverInfo?.icons!==void 0&&e.connection.serverInfo.icons.length>0)return e.connection.serverInfo.icons;try{let t=Bt(Bn(e.context.route.handler));return t===void 0?void 0:[t]}catch{return}}n(Fu,"readFallbackServerIcons");function Zu(e){if(!Zr(e.body))return e.body;let t=e.body.result;if(!Zr(t))return e.body;let r=t.serverInfo;return!Zr(r)||$u(r.icons)?e.body:{...e.body,result:{...t,serverInfo:{...r,icons:e.icons}}}}n(Zu,"addMissingServerIcons");function Ku(e,t){let r=new Headers(e.headers);for(let o of ju)r.delete(o);for(let[o,i]of t)r.set(o,i);return 
new xn(e,{headers:r})}n(Ku,"applyUpstreamHeaders");function Ju(e){let t=new Headers(e.headers);for(let r of Du)t.delete(r);return t}n(Ju,"buildProxyHeaders");async function Wu(e){if(!(e.method==="GET"||e.method==="HEAD"))return e.clone().arrayBuffer()}n(Wu,"readRetryBody");function Hi(e,t){let r=t.authUrl===void 0?void 0:Ro({message:t.message,elicitationId:["connect",t.operationId,t.upstreamServerId,t.authProfileId].join(":"),url:t.authUrl});return Response.json(Mt({id:_o(e),error:{code:r?.code??qu,message:t.message,data:{...r?.data??{},connectRequired:t}}}))}n(Hi,"connectRequiredJsonRpcResponse");async function Vu(e){let{scope:t}=Eo(e.upstreamResponse),r=await Le({request:e.request,routeAuth:e.routeAuth,forceRefresh:!0,...t===void 0?{}:{requestedScope:t}});if(r.kind==="connect_required")return Di({context:e.context,payload:r.payload,routeBinding:e.routeAuth,forceRefresh:!0}),{kind:"connect_required",payload:r.payload};let o=new Headers(e.headers),i=r.credential;qi({context:e.context,credential:i,routeBinding:e.routeAuth,forceRefresh:!0});let a=await i.provider.tokens();return a?(o.set("authorization",`${a.token_type??"Bearer"} ${a.access_token}`),{kind:"headers",headers:o}):(e.context.log.warn({event:"mcp_upstream_no_tokens_after_refresh",upstreamServerId:e.routeAuth.upstreamServerId},"MCP upstream proxy: OAuth provider returned no tokens after refresh"),{kind:"response",response:Response.json({error:"no_upstream_tokens"},{status:401})})}n(Vu,"applyRefreshedCredentialHeaders");function Yu(e){e.context.addResponseSendingHook(async(t,r)=>{if(t.status!==401)return t;let o=await Vu({request:e.request,context:e.context,headers:Ju(r),routeAuth:e.routeAuth,upstreamResponse:t});if(o.kind==="connect_required")return Hi(e.requestBody,o.payload);if(o.kind==="response")return o.response;let i=jn({handler:e.context.route.handler,request:r,body:e.requestBody,headers:o.headers});return Rt.fetch(i.url,i.init)})}n(Yu,"installUpstreamAuthRetryHook");function 
Xu(e){if(Nu(e.requestBody)!=="initialize")return;let t=Fu({connection:e.connection,context:e.context});t===void 0||t.length===0||e.context.addResponseSendingHook(async r=>{if(!Gu(r))return r;let o;try{o=await r.clone().json()}catch{return r}let i=Zu({body:o,icons:t});if(i===o)return r;let a=new Headers(r.headers);return a.delete("content-length"),new Response(JSON.stringify(i),{status:r.status,statusText:r.statusText,headers:a})})}n(Xu,"installInitializeIconHook");async function Kr(e,t,r){let o=Lu(t),i=await Wu(e),a=Mi({connection:r,operationId:o}),s=_e(e.user,e.url,e.headers);to(t,s);let c=Be(a,s.subjectId),u=await Bu(e,c,r,t);if(!(u instanceof Response)&&u.kind==="connect_required")return Hi(i,u.payload);if(u instanceof Response)return u;let p=Ku(e,u.headers);return Yu({request:p,context:t,requestBody:i,routeAuth:c}),Xu({context:t,requestBody:i,connection:r}),p}n(Kr,"mcpTokenExchangePolicy");var Jr=class extends Ct{static{n(this,"McpTokenExchangeInboundPolicy")}constructor(t,r){let o=Vn(t,r);super(o,r)}async handler(t,r){return bt("policy.inbound.mcp-token-exchange"),Kr(t,r,this.options)}};$();var zi=Symbol("Html");function Qu(e){return e.replaceAll("&","&").replaceAll("<","<").replaceAll(">",">").replaceAll('"',""").replaceAll("'","'")}n(Qu,"escapeHtml");function el(e){return e===null||typeof e!="object"?!1:e[zi]===!0}n(el,"isHtml");function Li(e){return e==null||e===!1?"":Array.isArray(e)?e.map(Li).join(""):el(e)?e.value:Qu(String(e))}n(Li,"renderValue");function ae(e){return{[zi]:!0,value:e}}n(ae,"trustedHtml");var Y=ae("");function v(e,...t){let r=e[0]??"";for(let o=0;o<t.length;o+=1)r+=Li(t[o]),r+=e[o+1]??"";return ae(r)}n(v,"html");function je(e){return e.value}n(je,"renderHtml");function Bi(e){return v`<p class="card__description">${e.detail}</p>${e.guidance} ${e.technicalDetails} ${e.action}`}n(Bi,"renderBrowserErrorPage");var 
Ne=ae('*,:before,:after{box-sizing:border-box}:root{--bg:#f5f6f8;--surface:#fff;--surface-2:#f8fafc;--border:#e5e7eb;--border-strong:#d1d5db;--text:#0f172a;--text-2:#475569;--text-3:#64748b;--text-muted:#94a3b8;--accent:#0f172a;--accent-hover:#1e293b;--accent-text:#fff;--focus-ring:#0f172a29;--danger:#b91c1c;--danger-bg:#b91c1c0f;--danger-border:#b91c1c38;--warning:#92400e;--warning-bg:#fffbeb;--warning-border:#fde68a;--success:#15803d;--success-bg:#f0fdf4;--success-border:#bbf7d0;--radius-sm:4px;--radius:8px;--radius-lg:12px;--radius-pill:9999px;--shadow-sm:0 1px 2px #0f172a0d;--shadow:0 1px 2px #0f172a0a,0 6px 16px #0f172a0f;--font-sans:-apple-system,BlinkMacSystemFont,"Segoe UI",Inter,system-ui,sans-serif;--font-mono:ui-monospace,SFMono-Regular,"SF Mono",Menlo,Monaco,Consolas,monospace}@media (prefers-color-scheme:dark){:root{--bg:#0a0c10;--surface:#15171c;--surface-2:#1e2128;--border:#262932;--border-strong:#3a3e48;--text:#fafafa;--text-2:#cbd5e1;--text-3:#94a3b8;--text-muted:#71717a;--accent:#fafafa;--accent-hover:#e4e4e7;--accent-text:#0a0c10;--focus-ring:#fafafa2e;--danger:#f87171;--danger-bg:#f8717114;--danger-border:#f871714d;--warning:#fbbf24;--warning-bg:#fbbf2414;--warning-border:#fbbf2447;--success:#34d399;--success-bg:#34d39914;--success-border:#34d3994d;--shadow-sm:0 1px 2px #0006;--shadow:0 1px 2px #0006,0 8px 24px #0006}}html,body{margin:0;padding:0}body{font-family:var(--font-sans);background:var(--bg);color:var(--text);-webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale;flex-direction:column;justify-content:center;align-items:center;min-height:100dvh;padding:48px 20px;font-size:14px;line-height:1.5;display:flex}.card{background:var(--surface);border:1px solid var(--border);border-radius:var(--radius-lg);width:100%;max-width:480px;box-shadow:var(--shadow);overflow:hidden}.card__head{text-align:center;padding:32px 32px 24px}.card__icon{border-radius:var(--radius);background:var(--surface-2);object-fit:contain;border:1px solid 
var(--border);width:48px;height:48px;margin:0 auto 16px;display:block}.card__title{letter-spacing:-.01em;color:var(--text);margin:0;font-size:20px;font-weight:600;line-height:1.3}.card__subtitle{color:var(--text-2);margin:8px 0 0;font-size:14px;line-height:1.55}.card__subtitle strong{color:var(--text);font-weight:600}.card__description{color:var(--text-3);margin:12px 0 0;font-size:13px;line-height:1.55}.card__principal{color:var(--text-3);background:var(--surface-2);border-radius:var(--radius-pill);text-overflow:ellipsis;white-space:nowrap;align-items:center;gap:6px;max-width:100%;margin:16px 0 0;padding:4px 12px;font-size:12.5px;display:inline-flex;overflow:hidden}.card__body{flex-direction:column;gap:20px;padding:8px 32px 24px;display:flex}.card__head+.card__body{border-top:1px solid var(--border);padding-top:24px}.card__footer{border-top:1px solid var(--border);background:var(--surface-2);flex-wrap:wrap;justify-content:flex-end;align-items:center;gap:8px;padding:16px 24px;display:flex}.card__fineprint{color:var(--text-3);text-align:center;margin:0;font-size:12.5px;line-height:1.5}.card__fineprint strong{color:var(--text-2);font-weight:600}.section-label{text-transform:uppercase;letter-spacing:.07em;color:var(--text-3);align-items:baseline;gap:6px;margin:0;font-size:11px;font-weight:600;display:flex}.section-label__count{color:var(--text-3);letter-spacing:0;font-weight:500}.banner{border-radius:var(--radius);border:1px solid;align-items:flex-start;gap:10px;padding:12px 14px;font-size:13px;display:flex}.banner__icon{flex-shrink:0;justify-content:center;align-items:center;width:16px;height:16px;margin-top:1px;display:inline-flex}.banner__body{flex-direction:column;flex:1;gap:2px;min-width:0;display:flex}.banner__title{color:var(--text);margin:0;font-size:13px;font-weight:600}.banner__message{color:var(--text-2);margin:0;font-size:13px;line-height:1.5}.banner--warning{background:var(--warning-bg);border-color:var(--warning-border)}.banner--warning 
.banner__icon{color:var(--warning)}.banner--alert{background:var(--danger-bg);border-color:var(--danger-border)}.banner--alert .banner__icon,.banner--alert .banner__title{color:var(--danger)}.upstream-list{flex-direction:column;gap:8px;margin:0;padding:0;list-style:none;display:flex}.upstream-card{background:var(--surface);border:1px solid var(--border);border-radius:var(--radius);flex-direction:column;gap:10px;padding:14px;display:flex}.upstream-card--needs-action{border-color:var(--warning-border);background:var(--warning-bg)}.upstream-card__head{align-items:flex-start;gap:10px;display:flex}.icon-frame{border-radius:var(--radius-sm);border:1px solid var(--border);background:var(--surface-2);width:32px;height:32px;color:var(--text-3);flex-shrink:0;justify-content:center;align-items:center;display:inline-flex;overflow:hidden}.icon-frame img{object-fit:contain;max-width:100%;max-height:100%}.icon-frame--fallback svg{width:18px;height:18px}.inline-icon{object-fit:contain;vertical-align:-2px;border-radius:2px;width:14px;height:14px;margin-right:4px}.upstream-card__main{flex-direction:column;flex:1;gap:3px;min-width:0;display:flex}.upstream-card__title-row{justify-content:space-between;align-items:center;gap:10px;min-width:0;display:flex}.upstream-card__title{color:var(--text);letter-spacing:-.005em;text-overflow:ellipsis;white-space:nowrap;flex:1;min-width:0;margin:0;font-size:14px;font-weight:600;line-height:1.3;overflow:hidden}.upstream-card__meta{color:var(--text-3);flex-wrap:wrap;align-items:center;gap:6px;font-size:12px;display:flex}.upstream-card__host{font-family:var(--font-mono);background:var(--surface-2);color:var(--text-2);border-radius:var(--radius-sm);padding:1px 6px;font-size:11.5px}.upstream-card__sep{color:var(--border-strong)}.upstream-card__description{color:var(--text-2);margin:4px 0 0;font-size:12.5px;line-height:1.5}.status-badge{border-radius:var(--radius-pill);white-space:nowrap;border:1px solid 
#0000;flex-shrink:0;align-items:center;gap:6px;padding:2px 8px;font-size:11.5px;font-weight:600;display:inline-flex}.status-badge:before{content:"";background:currentColor;border-radius:50%;flex-shrink:0;width:5px;height:5px}.status-badge--success{background:var(--success-bg);color:var(--success);border-color:var(--success-border)}.status-badge--warning{background:var(--warning-bg);color:var(--warning);border-color:var(--warning-border)}.status-badge--neutral{background:var(--surface-2);color:var(--text-2);border-color:var(--border)}.upstream-card__capabilities,.upstream-card__scopes{border-top:1px solid var(--border);margin-top:2px;padding-top:10px}.upstream-card__capabilities--empty{color:var(--text-3);font-size:12px;font-style:italic}.capabilities-summary,.scopes-summary{cursor:pointer;user-select:none;color:var(--text-2);justify-content:space-between;align-items:center;gap:12px;padding:2px 0;font-size:12.5px;list-style:none;display:flex}.capabilities-summary::-webkit-details-marker,.scopes-summary::-webkit-details-marker{display:none}.capabilities-summary:hover,.scopes-summary:hover{color:var(--text)}.capabilities-summary:focus-visible,.scopes-summary:focus-visible{outline:2px solid var(--accent);outline-offset:2px;border-radius:var(--radius-sm)}.capabilities-summary__counts{flex-wrap:wrap;align-items:center;gap:12px;display:flex}.count-pill{color:var(--text-2);align-items:baseline;gap:4px;font-size:12.5px;display:inline-flex}.count-pill__num{font-variant-numeric:tabular-nums;color:var(--text);font-size:13px;font-weight:600}.count-pill--destructive .count-pill__num,.count-pill--destructive .count-pill__label{color:var(--danger)}.capabilities-summary__chevron{color:var(--text-3);flex-shrink:0;transition:transform .15s;display:inline-flex}details[open]>.capabilities-summary .capabilities-summary__chevron,details[open]>.scopes-summary 
.capabilities-summary__chevron{transform:rotate(180deg)}.capabilities-detail{margin-top:10px}.capability-section{margin-top:14px}.capability-section:first-child{margin-top:6px}.capability-section__title{text-transform:uppercase;letter-spacing:.07em;color:var(--text-3);margin:0 0 6px;font-size:11px;font-weight:600}.capability-list{flex-direction:column;gap:5px;margin:0;padding:0;font-size:12.5px;list-style:none;display:flex}.capability-row{flex-wrap:wrap;align-items:baseline;gap:6px;padding:2px 0;display:flex}.capability-row__name{font-weight:500;font-family:var(--font-mono);color:var(--text);font-size:12.5px}.capability-row__description{color:var(--text-3);flex-basis:100%;font-size:12px;line-height:1.45}.capability-row__description code{font-family:var(--font-mono);background:var(--surface-2);border-radius:var(--radius-sm);color:var(--text-2);padding:1px 4px}.capability-row--more{color:var(--text-3);font-size:12px;font-style:italic}.scopes-list{flex-wrap:wrap;gap:4px;margin-top:8px;display:flex}.scope-chip{font-family:var(--font-mono);background:var(--surface-2);color:var(--text-2);border-radius:var(--radius-sm);border:1px solid var(--border);padding:2px 7px;font-size:11.5px}.badge{border-radius:var(--radius-sm);letter-spacing:.04em;text-transform:uppercase;align-items:center;padding:1px 5px;font-size:10px;font-weight:600;display:inline-flex}.badge--destructive{background:var(--danger-bg);color:var(--danger)}.badge--muted{background:var(--surface-2);color:var(--text-3)}.badge-row{flex-wrap:wrap;gap:4px;display:inline-flex}.muted{color:var(--text-3)}.button{font:inherit;border-radius:var(--radius);cursor:pointer;white-space:nowrap;border:1px solid #0000;justify-content:center;align-items:center;gap:6px;min-height:40px;padding:8px 16px;font-size:14px;font-weight:500;text-decoration:none;transition:background .12s,border-color .12s,color .12s,box-shadow .12s,transform 40ms;display:inline-flex}.button:active{transform:translateY(1px)}.button:focus-visible{box-shadow:0 
0 0 3px var(--focus-ring);outline:0}.button--small{padding:5px 10px;font-size:12.5px}.button--primary{background:var(--accent);color:var(--accent-text);border-color:var(--accent)}.button--primary:hover:not(:disabled):not([aria-disabled=true]){background:var(--accent-hover);border-color:var(--accent-hover)}.button:disabled,.button[aria-disabled=true]{cursor:not-allowed;opacity:.55}.button:disabled:hover,.button[aria-disabled=true]:hover{background:var(--accent);border-color:var(--accent)}.button--secondary{background:var(--surface);color:var(--text);border-color:var(--border-strong)}.button--secondary:hover{background:var(--surface-2);border-color:var(--border-strong)}.button--block{width:100%}.reconnect-action{align-items:center;margin-right:auto;display:inline-flex;position:relative}.reconnect-button{gap:7px}.tooltip{width:16px;height:16px;color:var(--accent);background:color-mix(in srgb,var(--accent)8%,transparent);cursor:help;border:1.5px solid;border-radius:50%;justify-content:center;align-items:center;font-size:10.5px;font-weight:700;line-height:1;display:inline-flex;position:relative}.tooltip:after{content:attr(aria-label);z-index:10;border-radius:var(--radius-sm);background:var(--accent);width:280px;max-width:min(280px,100vw - 48px);color:var(--accent-text);box-shadow:var(--shadow);text-align:left;white-space:normal;opacity:0;pointer-events:none;padding:12px 14px;font-size:13px;font-weight:600;line-height:1.45;transition:opacity .12s;position:absolute;bottom:calc(100% + 12px);left:50%;transform:translate(-50%)}.tooltip:before{content:"";z-index:11;border-left:7px solid #0000;border-right:7px solid #0000;border-top:8px solid var(--accent);opacity:0;pointer-events:none;transition:opacity .12s;position:absolute;bottom:calc(100% + 
5px);left:50%;transform:translate(-50%)}.tooltip:hover:after,.tooltip:hover:before,.tooltip:focus-visible:after,.tooltip:focus-visible:before{opacity:1}.form{flex-direction:column;gap:6px;display:flex}.form__label{color:var(--text);margin:8px 0 0;font-size:13px;font-weight:600;display:block}.form__label:first-child{margin-top:0}.form__input{box-sizing:border-box;border:1px solid var(--border-strong);border-radius:var(--radius);width:100%;font:inherit;background:var(--surface);color:var(--text);padding:9px 12px;font-size:14px;transition:border-color .12s,box-shadow .12s}.form__input:focus{border-color:var(--accent);box-shadow:0 0 0 3px var(--focus-ring);outline:0}.form__note{color:var(--text-3);margin:4px 0 0;font-size:12.5px;line-height:1.5}.form__submit{margin-top:8px}.empty{text-align:center;color:var(--text-3);border:1px dashed var(--border);border-radius:var(--radius);background:var(--surface);padding:24px 16px;font-size:13px}.actions{gap:8px;margin:0;display:flex}@media (width<=480px){body{padding:0}.card{box-shadow:none;border-left:0;border-right:0;border-radius:0;min-height:100dvh}.card__head{padding:24px 20px 16px}.card__body{padding:16px 20px}.card__footer{flex-direction:column-reverse;align-items:stretch;padding:14px 20px}.card__footer .button{width:100%}.reconnect-action{justify-content:center;width:100%;margin-right:0}.reconnect-action .button{flex:1}.tooltip:after{left:auto;right:0;transform:none}}@media (prefers-reduced-motion:reduce){*{transition:none!important}}');function Ge(e){return v`<!doctype html><html lang="en"><head><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1" /><meta name="referrer" content="no-referrer" /><meta name="robots" content="noindex" /><title>${e.title}</title><link rel="icon" href="${e.iconHref}" /><style>
|
|
25
|
+
import{$b as nt,$c as To,Ab as lc,Ac as se,Bb as pc,Bc as br,Cb as mc,Cc as Ir,Db as fc,Dc as ho,Eb as hc,Ec as Jt,Fb as gc,Fc as Cr,G as Dn,Gb as yc,Gc as Sr,H as l,Hb as _c,Hc as go,I as zn,Ib as wc,Ic as P,J as gr,Jb as Rc,Jc as yo,K as oe,Kb as Wn,Kc as _o,L as jn,Lb as Vn,Lc as vr,M as _,Mb as Yn,Mc as wo,N as fe,Nb as Dt,Nc as Ro,O as Ot,Ob as yr,Oc as Ar,P as Hn,Pb as zt,Pc as bo,Q as Bn,Qb as jt,Qc as Ae,R as Ln,Rb as tt,Rc as Io,S as d,Sb as Xn,Sc as it,T as N,Tb as Qn,Tc as Co,Ub as eo,Uc as Gt,Vb as rt,Vc as at,Wb as to,Wc as So,Xb as ze,Xc as vo,Yb as ro,Yc as Ao,Z as Nn,Zb as _r,Zc as xo,_b as no,_c as ko,a as Pt,ac as Ht,ad as Uo,bc as oo,bd as Ft,cc as io,cd as Po,dc as ao,dd as Eo,ec as so,ed as b,fc as V,fd as v,gb as Jn,gc as z,gd as ce,hb as J,hc as co,hd as A,i as ve,ib as Gn,ic as uo,id as Oo,j as On,jb as Fn,jc as I,jd as bc,kb as U,kc as ae,kd as Ic,l as qn,lb as $n,lc as je,mb as g,mc as G,nb as Me,nc as Q,ob as De,oc as lo,p as Mn,pb as he,pc as po,qb as ge,qc as _e,r as Et,rb as qt,rc as wr,sb as Zn,sc as Bt,tb as X,tc as Rr,ub as Kn,uc as Lt,vb as ie,vc as ot,wb as w,wc as He,xb as Mt,xc as mo,yb as H,yc as Nt,zb as ye,zc as fo}from"../chunk-WDGKR433.js";import"../chunk-JRXZBVXH.js";import{a as C}from"../chunk-C2TBCXWG.js";import{$ as W,a as n,aa as f,ba as j,ca as En,da as Ut}from"../chunk-ZIKV2LUM.js";N();function Cc(e){let t=jt.safeParse(e);return t.success?t.data.id:void 0}n(Cc,"parseJsonRpcRequestId");function qo(e){if(e!==void 0)try{let t=JSON.parse(new TextDecoder().decode(e));return Cc(t)}catch{return}}n(qo,"readJsonRpcRequestIdFromBody");function $t(e){return Xn.parse({jsonrpc:zt,...e.id===void 0?{}:{id:e.id},error:{code:e.error.code,message:e.error.message,...e.error.data===void 0?{}:{data:e.error.data}}})}n($t,"jsonRpcErrorResponse");function Mo(e){return new eo([Qn.parse({mode:"url",message:e.message,elicitationId:e.elicitationId,url:e.url})],e.message)}n(Mo,"urlElicitationRequiredError");var 
Zt=d.record(d.string(),d.unknown()),Sc=d.record(d.string(),d.unknown()),vc=d.object({name:d.string().min(1),description:d.string().min(1).optional(),annotations:Sc.optional(),_meta:Zt.optional()}).strict(),Ac=d.object({name:d.string().min(1),description:d.string().min(1).optional(),_meta:Zt.optional()}).strict(),xc=d.object({uri:d.string().min(1),name:d.string().min(1).optional(),description:d.string().min(1).optional(),mimeType:d.string().min(1).optional(),_meta:Zt.optional()}).strict(),kc=d.object({uriTemplate:d.string().min(1),name:d.string().min(1).optional(),description:d.string().min(1).optional(),mimeType:d.string().min(1).optional(),_meta:Zt.optional()}).strict(),Tc=d.array(d.union([d.string(),vc])),Uc=d.array(d.union([d.string(),Ac])),Pc=d.array(d.union([d.string(),xc])),Ec=d.array(d.union([d.string(),kc])),Oc=d.object({tools:Tc.optional(),prompts:Uc.optional(),resources:Pc.optional(),resourceTemplates:Ec.optional()}).strict(),kr=[{option:"tools",listMethod:"tools/list",resultProperty:"tools",itemProperty:"name",directMethods:[{method:"tools/call",paramProperty:"name"}]},{option:"prompts",listMethod:"prompts/list",resultProperty:"prompts",itemProperty:"name",directMethods:[{method:"prompts/get",paramProperty:"name"}]},{option:"resources",listMethod:"resources/list",resultProperty:"resources",itemProperty:"uri",directMethods:[{method:"resources/read",paramProperty:"uri"}]},{option:"resourceTemplates",listMethod:"resources/templates/list",resultProperty:"resourceTemplates",itemProperty:"uriTemplate",directMethods:[]}];function qc(e,t){return Gn(Oc,e,`MCP capability filter policy "${t}"`)}n(qc,"parseMcpCapabilityFilterOptions");function B(e){return e!==null&&typeof e=="object"&&!Array.isArray(e)}n(B,"isRecord");function Mc(e,t){if(!B(e))return;let r=e[t];return typeof r=="string"?r:void 0}n(Mc,"readParamString");function Tr(e){let t=e.id;return typeof t=="string"||typeof t=="number"||t===null?t:void 0}n(Tr,"readRequestId");function Ho(e){return e===void 
0?void 0:JSON.stringify(e)}n(Ho,"requestIdKey");function Dc(e){let t={};for(let r of kr){let o=e[r.option];if(o===void 0)continue;let i=new Map;for(let a of o){let c=Bc(a,r.itemProperty);c!==void 0&&i.set(c.key,c)}t[r.option]=i}return t}n(Dc,"buildProjectionMaps");function Ur(e){return kr.find(t=>t.listMethod===e)}n(Ur,"findListRule");function zc(e){return e.requests.some(t=>{if(!B(t))return!1;let r=Ur(t.method);return r!==void 0&&e.projectionMaps[r.option]!==void 0})}n(zc,"shouldFilterListResponses");function jc(e){for(let t of kr){let r=e.projectionMaps[t.option];if(r!==void 0)for(let o of t.directMethods){if(e.request.method!==o.method)continue;let i=Mc(e.request.params,o.paramProperty);if(i!==void 0&&!r.has(i))return{id:Tr(e.request)}}}}n(jc,"findDisallowedDirectAccess");function Hc(e){return Response.json($t({id:e,error:{code:tt.MethodNotFound,message:"Method not found"}}))}n(Hc,"methodNotFoundResponse");function Bc(e,t){if(typeof e=="string")return{key:e,overlay:{}};if(!B(e))return;let r=e[t];if(typeof r=="string")return{key:r,overlay:e}}n(Bc,"buildProjection");function Do(e){let t=e.base[e.property],r=e.overlay[e.property];return B(r)?B(t)?{...t,...r}:r:t}n(Do,"mergeRecordProperty");function Lc(e,t){let r={...e,...t.overlay},o=Do({base:e,overlay:t.overlay,property:"annotations"});o!==void 0&&(r.annotations=o);let i=Do({base:e,overlay:t.overlay,property:"_meta"});return i!==void 0&&(r._meta=i),r}n(Lc,"applyProjection");function zo(e,t,r){if(!B(e))return e;let o=e.result;if(!B(o))return e;let i=o[t.resultProperty];return!Array.isArray(i)||!i.every(a=>B(a)&&typeof a[t.itemProperty]=="string")?e:{...e,result:{...o,[t.resultProperty]:i.flatMap(a=>{if(!B(a))return[];let c=a[t.itemProperty];if(typeof c!="string")return[];let s=r.get(c);return s===void 0?[]:[Lc(a,s)]})}}}n(zo,"filterAndProjectItems");function Nc(e){let t=new Map;if(!Array.isArray(e))return t;for(let r of e){if(!B(r))continue;let o=Ur(r.method),i=Tr(r),a=Ho(i);o!==void 0&&a!==void 
0&&t.set(a,o)}return t}n(Nc,"buildListRulesByResponseId");function Jc(e){if(Array.isArray(e.responseBody)){let o=Nc(e.requestBody);return o.size===0?e.responseBody:e.responseBody.map(i=>{if(!B(i)||"error"in i)return i;let a=Ho(Tr(i)),c=a===void 0?void 0:o.get(a),s=c===void 0?void 0:e.projectionMaps[c.option];return c===void 0||s===void 0?i:zo(i,c,s)})}if(!B(e.requestBody)||!B(e.responseBody)||"error"in e.responseBody)return e.responseBody;let t=Ur(e.requestBody.method),r=t===void 0?void 0:e.projectionMaps[t.option];return t===void 0||r===void 0?e.responseBody:zo(e.responseBody,t,r)}n(Jc,"filterJsonRpcResponse");async function jo(e){return e.clone().json()}n(jo,"readJson");function Gc(e){return e.headers.get("content-type")?.includes("json")??!1}n(Gc,"isJsonResponse");var xr=class extends Et{static{n(this,"McpCapabilityFilterInboundPolicy")}#e;constructor(t,r){let o=qc(t,r);super(o,r),this.#e=Dc(o)}async handler(t,r){Pt("policy.inbound.mcp-capability-filter");let o;try{o=await jo(t)}catch{return t}let i=Array.isArray(o)?o:[o];for(let a of i){if(!B(a))continue;let c=jc({request:a,projectionMaps:this.#e});if(c!==void 0)return Hc(c.id)}return zc({requests:i,projectionMaps:this.#e})&&r.addResponseSendingHook(async a=>{if(!Gc(a))return a;let c;try{c=await jo(a)}catch{return a}let s=Jc({requestBody:o,responseBody:c,projectionMaps:this.#e});if(s===c)return a;let u=new Headers(a.headers);return u.delete("content-length"),new Response(JSON.stringify(s),{status:a.status,statusText:a.statusText,headers:u})}),t}};var Pr;Pr=globalThis.crypto;async function Fc(e){return(await Pr).getRandomValues(new Uint8Array(e))}n(Fc,"getRandomValues");async function $c(e){let t="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._~",r=Math.pow(2,8)-Math.pow(2,8)%t.length,o="";for(;o.length<e;){let i=await Fc(e-o.length);for(let a of i)a<r&&(o+=t[a%t.length])}return o}n($c,"random");async function Zc(e){return await $c(e)}n(Zc,"generateVerifier");async function Kc(e){let 
t=await(await Pr).subtle.digest("SHA-256",new TextEncoder().encode(e));return btoa(String.fromCharCode(...new Uint8Array(t))).replace(/\//g,"_").replace(/\+/g,"-").replace(/=/g,"")}n(Kc,"generateChallenge");async function Er(e){if(e||(e=43),e<43||e>128)throw`Expected a length between 43 and 128. Received ${e}.`;let t=await Zc(e),r=await Kc(t);return{code_verifier:t,code_challenge:r}}n(Er,"pkceChallenge");N();var M=zn().superRefine((e,t)=>{if(!URL.canParse(e))return t.addIssue({code:Bn.custom,message:"URL must be parseable",fatal:!0}),Dn}).refine(e=>{let t=new URL(e);return t.protocol!=="javascript:"&&t.protocol!=="data:"&&t.protocol!=="vbscript:"},{message:"URL cannot use javascript:, data:, or vbscript: scheme"}),Kt=Ot({resource:l().url(),authorization_servers:_(M).optional(),jwks_uri:l().url().optional(),scopes_supported:_(l()).optional(),bearer_methods_supported:_(l()).optional(),resource_signing_alg_values_supported:_(l()).optional(),resource_name:l().optional(),resource_documentation:l().optional(),resource_policy_uri:l().url().optional(),resource_tos_uri:l().url().optional(),tls_client_certificate_bound_access_tokens:oe().optional(),authorization_details_types_supported:_(l()).optional(),dpop_signing_alg_values_supported:_(l()).optional(),dpop_bound_access_tokens_required:oe().optional()}),st=Ot({issuer:l(),authorization_endpoint:M,token_endpoint:M,registration_endpoint:M.optional(),scopes_supported:_(l()).optional(),response_types_supported:_(l()),response_modes_supported:_(l()).optional(),grant_types_supported:_(l()).optional(),token_endpoint_auth_methods_supported:_(l()).optional(),token_endpoint_auth_signing_alg_values_supported:_(l()).optional(),service_documentation:M.optional(),revocation_endpoint:M.optional(),revocation_endpoint_auth_methods_supported:_(l()).optional(),revocation_endpoint_auth_signing_alg_values_supported:_(l()).optional(),introspection_endpoint:l().optional(),introspection_endpoint_auth_methods_supported:_(l()).optional(),introspectio
n_endpoint_auth_signing_alg_values_supported:_(l()).optional(),code_challenge_methods_supported:_(l()).optional(),client_id_metadata_document_supported:oe().optional()}),Wc=Ot({issuer:l(),authorization_endpoint:M,token_endpoint:M,userinfo_endpoint:M.optional(),jwks_uri:M,registration_endpoint:M.optional(),scopes_supported:_(l()).optional(),response_types_supported:_(l()),response_modes_supported:_(l()).optional(),grant_types_supported:_(l()).optional(),acr_values_supported:_(l()).optional(),subject_types_supported:_(l()),id_token_signing_alg_values_supported:_(l()),id_token_encryption_alg_values_supported:_(l()).optional(),id_token_encryption_enc_values_supported:_(l()).optional(),userinfo_signing_alg_values_supported:_(l()).optional(),userinfo_encryption_alg_values_supported:_(l()).optional(),userinfo_encryption_enc_values_supported:_(l()).optional(),request_object_signing_alg_values_supported:_(l()).optional(),request_object_encryption_alg_values_supported:_(l()).optional(),request_object_encryption_enc_values_supported:_(l()).optional(),token_endpoint_auth_methods_supported:_(l()).optional(),token_endpoint_auth_signing_alg_values_supported:_(l()).optional(),display_values_supported:_(l()).optional(),claim_types_supported:_(l()).optional(),claims_supported:_(l()).optional(),service_documentation:l().optional(),claims_locales_supported:_(l()).optional(),ui_locales_supported:_(l()).optional(),claims_parameter_supported:oe().optional(),request_parameter_supported:oe().optional(),request_uri_parameter_supported:oe().optional(),require_request_uri_registration:oe().optional(),op_policy_uri:M.optional(),op_tos_uri:M.optional(),client_id_metadata_document_supported:oe().optional()}),Wt=fe({...Wc.shape,...st.pick({code_challenge_methods_supported:!0}).shape}),Be=fe({access_token:l(),id_token:l().optional(),token_type:l(),expires_in:Ln.number().optional(),scope:l().optional(),refresh_token:l().optional()}).strip(),Lo=fe({error:l(),error_description:l().optional(),error_uri
:l().optional()}),Bo=M.optional().or(Hn("").transform(()=>{})),Vc=fe({redirect_uris:_(M),token_endpoint_auth_method:l().optional(),grant_types:_(l()).optional(),response_types:_(l()).optional(),client_name:l().optional(),client_uri:M.optional(),logo_uri:Bo,scope:l().optional(),contacts:_(l()).optional(),tos_uri:Bo,policy_uri:l().optional(),jwks_uri:M.optional(),jwks:jn().optional(),software_id:l().optional(),software_version:l().optional(),software_statement:l().optional()}).strip(),Vt=fe({client_id:l(),client_secret:l().optional(),client_id_issued_at:gr().optional(),client_secret_expires_at:gr().optional()}).strip(),ct=Vc.merge(Vt),Th=fe({error:l(),error_description:l().optional()}).strip(),Uh=fe({token:l(),token_type_hint:l().optional()}).strip();function No(e){let t=typeof e=="string"?new URL(e):new URL(e.href);return t.hash="",t}n(No,"resourceUrlFromServerUrl");function Jo({requestedResource:e,configuredResource:t}){let r=typeof e=="string"?new URL(e):new URL(e.href),o=typeof t=="string"?new URL(t):new URL(t.href);if(r.origin!==o.origin||r.pathname.length<o.pathname.length)return!1;let i=r.pathname.endsWith("/")?r.pathname:r.pathname+"/",a=o.pathname.endsWith("/")?o.pathname:o.pathname+"/";return i.startsWith(a)}n(Jo,"checkResourceAllowed");var x=class extends Error{static{n(this,"OAuthError")}constructor(t,r){super(t),this.errorUri=r,this.name=this.constructor.name}toResponseObject(){let t={error:this.errorCode,error_description:this.message};return this.errorUri&&(t.error_uri=this.errorUri),t}get errorCode(){return this.constructor.errorCode}},dt=class extends x{static{n(this,"InvalidRequestError")}};dt.errorCode="invalid_request";var xe=class extends x{static{n(this,"InvalidClientError")}};xe.errorCode="invalid_client";var ke=class extends x{static{n(this,"InvalidGrantError")}};ke.errorCode="invalid_grant";var Te=class extends x{static{n(this,"UnauthorizedClientError")}};Te.errorCode="unauthorized_client";var ut=class extends 
x{static{n(this,"UnsupportedGrantTypeError")}};ut.errorCode="unsupported_grant_type";var lt=class extends x{static{n(this,"InvalidScopeError")}};lt.errorCode="invalid_scope";var pt=class extends x{static{n(this,"AccessDeniedError")}};pt.errorCode="access_denied";var de=class extends x{static{n(this,"ServerError")}};de.errorCode="server_error";var mt=class extends x{static{n(this,"TemporarilyUnavailableError")}};mt.errorCode="temporarily_unavailable";var ft=class extends x{static{n(this,"UnsupportedResponseTypeError")}};ft.errorCode="unsupported_response_type";var ht=class extends x{static{n(this,"UnsupportedTokenTypeError")}};ht.errorCode="unsupported_token_type";var gt=class extends x{static{n(this,"InvalidTokenError")}};gt.errorCode="invalid_token";var yt=class extends x{static{n(this,"MethodNotAllowedError")}};yt.errorCode="method_not_allowed";var _t=class extends x{static{n(this,"TooManyRequestsError")}};_t.errorCode="too_many_requests";var Ue=class extends x{static{n(this,"InvalidClientMetadataError")}};Ue.errorCode="invalid_client_metadata";var wt=class extends x{static{n(this,"InsufficientScopeError")}};wt.errorCode="insufficient_scope";var Rt=class extends x{static{n(this,"InvalidTargetError")}};Rt.errorCode="invalid_target";var Go={[dt.errorCode]:dt,[xe.errorCode]:xe,[ke.errorCode]:ke,[Te.errorCode]:Te,[ut.errorCode]:ut,[lt.errorCode]:lt,[pt.errorCode]:pt,[de.errorCode]:de,[mt.errorCode]:mt,[ft.errorCode]:ft,[ht.errorCode]:ht,[gt.errorCode]:gt,[yt.errorCode]:yt,[_t.errorCode]:_t,[Ue.errorCode]:Ue,[wt.errorCode]:wt,[Rt.errorCode]:Rt};function Yc(e){return["client_secret_basic","client_secret_post","none"].includes(e)}n(Yc,"isClientAuthMethod");var Or="code",qr="S256";function Xc(e,t){let r=e.client_secret!==void 0;return"token_endpoint_auth_method"in 
e&&e.token_endpoint_auth_method&&Yc(e.token_endpoint_auth_method)&&(t.length===0||t.includes(e.token_endpoint_auth_method))?e.token_endpoint_auth_method:t.length===0?r?"client_secret_basic":"none":r&&t.includes("client_secret_basic")?"client_secret_basic":r&&t.includes("client_secret_post")?"client_secret_post":t.includes("none")?"none":r?"client_secret_post":"none"}n(Xc,"selectClientAuthMethod");function Qc(e,t,r,o){let{client_id:i,client_secret:a}=t;switch(e){case"client_secret_basic":ed(i,a,r);return;case"client_secret_post":td(i,a,o);return;case"none":rd(i,o);return;default:throw new Error(`Unsupported client authentication method: ${e}`)}}n(Qc,"applyClientAuthentication");function ed(e,t,r){if(!t)throw new Error("client_secret_basic authentication requires a client_secret");let o=btoa(`${e}:${t}`);r.set("Authorization",`Basic ${o}`)}n(ed,"applyBasicAuth");function td(e,t,r){r.set("client_id",e),t&&r.set("client_secret",t)}n(td,"applyPostAuth");function rd(e,t){t.set("client_id",e)}n(rd,"applyPublicAuth");async function $o(e){let t=e instanceof Response?e.status:void 0,r=e instanceof Response?await e.text():e;try{let o=Lo.parse(JSON.parse(r)),{error:i,error_description:a,error_uri:c}=o,s=Go[i]||de;return new s(a||"",c)}catch(o){let i=`${t?`HTTP ${t}: `:""}Invalid OAuth error response: ${o}. 
Raw body: ${r}`;return new de(i)}}n($o,"parseErrorResponse");async function zr(e,t){try{return await Mr(e,t)}catch(r){if(r instanceof xe||r instanceof Te)return await e.invalidateCredentials?.("all"),await Mr(e,t);if(r instanceof ke)return await e.invalidateCredentials?.("tokens"),await Mr(e,t);throw r}}n(zr,"auth");async function Mr(e,{serverUrl:t,authorizationCode:r,scope:o,resourceMetadataUrl:i,fetchFn:a}){let c=await e.discoveryState?.(),s,u,p,h=i;if(!h&&c?.resourceMetadataUrl&&(h=new URL(c.resourceMetadataUrl)),c?.authorizationServerUrl){if(u=c.authorizationServerUrl,s=c.resourceMetadata,p=c.authorizationServerMetadata??await Wo(u,{fetchFn:a}),!s)try{s=await Ko(t,{resourceMetadataUrl:h},a)}catch{}(p!==c.authorizationServerMetadata||s!==c.resourceMetadata)&&await e.saveDiscoveryState?.({authorizationServerUrl:String(u),resourceMetadataUrl:h?.toString(),resourceMetadata:s,authorizationServerMetadata:p})}else{let q=await cd(t,{resourceMetadataUrl:h,fetchFn:a});u=q.authorizationServerUrl,p=q.authorizationServerMetadata,s=q.resourceMetadata,await e.saveDiscoveryState?.({authorizationServerUrl:String(u),resourceMetadataUrl:h?.toString(),resourceMetadata:s,authorizationServerMetadata:p})}let y=await nd(t,e,s),T=o||s?.scopes_supported?.join(" ")||e.clientMetadata.scope,R=await Promise.resolve(e.clientInformation());if(!R){if(r!==void 0)throw new Error("Existing OAuth client information is required when exchanging an authorization code");let q=p?.client_id_metadata_document_supported===!0,D=e.clientMetadataUrl;if(D&&!jr(D))throw new Ue(`clientMetadataUrl must be a valid HTTPS URL with a non-root pathname, got: ${D}`);if(q&&D)R={client_id:D},await e.saveClientInformation?.(R);else{if(!e.saveClientInformation)throw new Error("OAuth client information must be saveable for dynamic registration");let Pn=await md(u,{metadata:p,clientMetadata:e.clientMetadata,scope:T,fetchFn:a});await e.saveClientInformation(Pn),R=Pn}}let O=!e.redirectUrl;if(r!==void 0||O){let q=await 
pd(e,u,{metadata:p,resource:y,authorizationCode:r,fetchFn:a});return await e.saveTokens(q),"AUTHORIZED"}let E=await e.tokens();if(E?.refresh_token)try{let q=await ld(u,{metadata:p,clientInformation:R,refreshToken:E.refresh_token,resource:y,addClientAuthentication:e.addClientAuthentication,fetchFn:a});return await e.saveTokens(q),"AUTHORIZED"}catch(q){if(!(!(q instanceof x)||q instanceof de))throw q}let re=e.state?await e.state():void 0,{authorizationUrl:et,codeVerifier:ne}=await dd(u,{metadata:p,clientInformation:R,state:re,redirectUrl:e.redirectUrl,scope:T,resource:y});return await e.saveCodeVerifier(ne),await e.redirectToAuthorization(et),"REDIRECT"}n(Mr,"authInternal");function jr(e){if(!e)return!1;try{let t=new URL(e);return t.protocol==="https:"&&t.pathname!=="/"}catch{return!1}}n(jr,"isHttpsUrl");async function nd(e,t,r){let o=No(e);if(t.validateResourceURL)return await t.validateResourceURL(o,r?.resource);if(r){if(!Jo({requestedResource:o,configuredResource:r.resource}))throw new Error(`Protected resource ${r.resource} does not match expected ${o} (or origin)`);return new URL(r.resource)}}n(nd,"selectResourceURL");function Zo(e){let t=e.headers.get("WWW-Authenticate");if(!t)return{};let[r,o]=t.split(" ");if(r.toLowerCase()!=="bearer"||!o)return{};let i=Dr(e,"resource_metadata")||void 0,a;if(i)try{a=new URL(i)}catch{}let c=Dr(e,"scope")||void 0,s=Dr(e,"error")||void 0;return{resourceMetadataUrl:a,scope:c,error:s}}n(Zo,"extractWWWAuthenticateParams");function Dr(e,t){let r=e.headers.get("WWW-Authenticate");if(!r)return null;let o=new RegExp(`${t}=(?:"([^"]+)"|([^\\s,]+))`),i=r.match(o);return i?i[1]||i[2]:null}n(Dr,"extractFieldFromWwwAuth");async function Ko(e,t,r=fetch){let o=await ad(e,"oauth-protected-resource",r,{protocolVersion:t?.protocolVersion,metadataUrl:t?.resourceMetadataUrl});if(!o||o.status===404)throw await o?.body?.cancel(),new Error("Resource server does not implement OAuth 2.0 Protected Resource Metadata.");if(!o.ok)throw await 
o.body?.cancel(),new Error(`HTTP ${o.status} trying to load well-known OAuth protected resource metadata.`);return Kt.parse(await o.json())}n(Ko,"discoverOAuthProtectedResourceMetadata");async function Hr(e,t,r=fetch){try{return await r(e,{headers:t})}catch(o){if(o instanceof TypeError)return t?Hr(e,void 0,r):void 0;throw o}}n(Hr,"fetchWithCorsRetry");function od(e,t="",r={}){return t.endsWith("/")&&(t=t.slice(0,-1)),r.prependPathname?`${t}/.well-known/${e}`:`/.well-known/${e}${t}`}n(od,"buildWellKnownPath");async function Fo(e,t,r=fetch){return await Hr(e,{"MCP-Protocol-Version":t},r)}n(Fo,"tryMetadataDiscovery");function id(e,t){return!e||e.status>=400&&e.status<500&&t!=="/"}n(id,"shouldAttemptFallback");async function ad(e,t,r,o){let i=new URL(e),a=o?.protocolVersion??yr,c;if(o?.metadataUrl)c=new URL(o.metadataUrl);else{let u=od(t,i.pathname);c=new URL(u,o?.metadataServerUrl??i),c.search=i.search}let s=await Fo(c,a,r);if(!o?.metadataUrl&&id(s,i.pathname)){let u=new URL(`/.well-known/${t}`,i);s=await Fo(u,a,r)}return s}n(ad,"discoverMetadataWithFallback");function sd(e){let t=typeof e=="string"?new URL(e):e,r=t.pathname!=="/",o=[];if(!r)return o.push({url:new URL("/.well-known/oauth-authorization-server",t.origin),type:"oauth"}),o.push({url:new URL("/.well-known/openid-configuration",t.origin),type:"oidc"}),o;let i=t.pathname;return i.endsWith("/")&&(i=i.slice(0,-1)),o.push({url:new URL(`/.well-known/oauth-authorization-server${i}`,t.origin),type:"oauth"}),o.push({url:new URL(`/.well-known/openid-configuration${i}`,t.origin),type:"oidc"}),o.push({url:new URL(`${i}/.well-known/openid-configuration`,t.origin),type:"oidc"}),o}n(sd,"buildDiscoveryUrls");async function Wo(e,{fetchFn:t=fetch,protocolVersion:r=yr}={}){let o={"MCP-Protocol-Version":r,Accept:"application/json"},i=sd(e);for(let{url:a,type:c}of i){let s=await Hr(a,o,t);if(s){if(!s.ok){if(await s.body?.cancel(),s.status>=400&&s.status<500)continue;throw new Error(`HTTP ${s.status} trying to load 
${c==="oauth"?"OAuth":"OpenID provider"} metadata from ${a}`)}return c==="oauth"?st.parse(await s.json()):Wt.parse(await s.json())}}}n(Wo,"discoverAuthorizationServerMetadata");async function cd(e,t){let r,o;try{r=await Ko(e,{resourceMetadataUrl:t?.resourceMetadataUrl},t?.fetchFn),r.authorization_servers&&r.authorization_servers.length>0&&(o=r.authorization_servers[0])}catch{}o||(o=String(new URL("/",e)));let i=await Wo(o,{fetchFn:t?.fetchFn});return{authorizationServerUrl:o,authorizationServerMetadata:i,resourceMetadata:r}}n(cd,"discoverOAuthServerInfo");async function dd(e,{metadata:t,clientInformation:r,redirectUrl:o,scope:i,state:a,resource:c}){let s;if(t){if(s=new URL(t.authorization_endpoint),!t.response_types_supported.includes(Or))throw new Error(`Incompatible auth server: does not support response type ${Or}`);if(t.code_challenge_methods_supported&&!t.code_challenge_methods_supported.includes(qr))throw new Error(`Incompatible auth server: does not support code challenge method ${qr}`)}else s=new URL("/authorize",e);let u=await Er(),p=u.code_verifier,h=u.code_challenge;return s.searchParams.set("response_type",Or),s.searchParams.set("client_id",r.client_id),s.searchParams.set("code_challenge",h),s.searchParams.set("code_challenge_method",qr),s.searchParams.set("redirect_uri",String(o)),a&&s.searchParams.set("state",a),i&&s.searchParams.set("scope",i),i?.includes("offline_access")&&s.searchParams.append("prompt","consent"),c&&s.searchParams.set("resource",c.href),{authorizationUrl:s,codeVerifier:p}}n(dd,"startAuthorization");function ud(e,t,r){return new URLSearchParams({grant_type:"authorization_code",code:e,code_verifier:t,redirect_uri:String(r)})}n(ud,"prepareAuthorizationCodeRequest");async function Vo(e,{metadata:t,tokenRequestParams:r,clientInformation:o,addClientAuthentication:i,resource:a,fetchFn:c}){let s=t?.token_endpoint?new URL(t.token_endpoint):new URL("/token",e),u=new 
Headers({"Content-Type":"application/x-www-form-urlencoded",Accept:"application/json"});if(a&&r.set("resource",a.href),i)await i(u,r,s,t);else if(o){let h=t?.token_endpoint_auth_methods_supported??[],y=Xc(o,h);Qc(y,o,u,r)}let p=await(c??fetch)(s,{method:"POST",headers:u,body:r});if(!p.ok)throw await $o(p);return Be.parse(await p.json())}n(Vo,"executeTokenRequest");async function ld(e,{metadata:t,clientInformation:r,refreshToken:o,resource:i,addClientAuthentication:a,fetchFn:c}){let s=new URLSearchParams({grant_type:"refresh_token",refresh_token:o}),u=await Vo(e,{metadata:t,tokenRequestParams:s,clientInformation:r,addClientAuthentication:a,resource:i,fetchFn:c});return{refresh_token:o,...u}}n(ld,"refreshAuthorization");async function pd(e,t,{metadata:r,resource:o,authorizationCode:i,fetchFn:a}={}){let c=e.clientMetadata.scope,s;if(e.prepareTokenRequest&&(s=await e.prepareTokenRequest(c)),!s){if(!i)throw new Error("Either provider.prepareTokenRequest() or authorizationCode is required");if(!e.redirectUrl)throw new Error("redirectUrl is required for authorization_code flow");let p=await e.codeVerifier();s=ud(i,p,e.redirectUrl)}let u=await e.clientInformation();return Vo(t,{metadata:r,tokenRequestParams:s,clientInformation:u??void 0,addClientAuthentication:e.addClientAuthentication,resource:o,fetchFn:a})}n(pd,"fetchToken");async function md(e,{metadata:t,clientMetadata:r,scope:o,fetchFn:i}){let a;if(t){if(!t.registration_endpoint)throw new Error("Incompatible auth server: does not support dynamic client registration");a=new URL(t.registration_endpoint)}else a=new URL("/register",e);let c=await(i??fetch)(a,{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify({...r,...o!==void 0?{scope:o}:{}})});if(!c.ok)throw await $o(c);return ct.parse(await c.json())}n(md,"registerClient");var Br="zuplo.com",fd=new 
Set(["co.jp","co.kr","co.nz","co.uk","com.au","com.br","com.cn","com.mx","com.sg","co.in"]),hd=[".example.test",".example.com",".example.org",".invalid",".localhost",".test"];function Yo(e){return`https://www.google.com/s2/favicons?domain=${e}&sz=128`}n(Yo,"s2FaviconHref");function gd(e){return`https://t0.gstatic.com/faviconV2?client=SOCIAL&type=FAVICON&drop_404_icon=true&fallback_opts=TYPE,SIZE,URL&url=http://${e}&size=128`}n(gd,"strictFaviconHref");var Yt=Yo(Br);function Lr(e){let t=e.toLowerCase();return t===Br||t==="zuplo.app"||t==="zuplo.dev"||t.endsWith(".zuplo.app")||t.endsWith(".zuplo.dev")?Yo(Br):gd(e)}n(Lr,"resolveIconHref");function yd(e){try{return new URL(`http://${e}`).hostname}catch{return e}}n(yd,"hostnameFromHost");function _d(e){return e==="localhost"||e.includes(":")||/^\d{1,3}(?:\.\d{1,3}){3}$/.test(e)}n(_d,"isLocalOrAddressHost");function wd(e){let t=yd(e).toLowerCase().replace(/\.$/,"");if(_d(t)||hd.some(a=>t===a.slice(1)||t.endsWith(a)))return t;let r=t.split(".").filter(Boolean);if(r.length<=2)return t;let o=r.slice(-2).join("."),i=fd.has(o)?3:2;return r.slice(-i).join(".")}n(wd,"inferFaviconDomain");function Nr(e){return{src:Lr(wd(e)),mimeType:"image/png",sizes:["128x128"]}}n(Nr,"resolveMcpFaviconIcon");function Xt(e){try{return Nr(new URL(e).host)}catch{return}}n(Xt,"resolveMcpFaviconIconFromUrl");function we(e){let t=V().connectionsById.get(e);if(!t)throw new j(`Unknown upstream server "${e}". Check the route's MCP upstream policy and ensure policies.json declares a matching upstream connection.`);return{displayName:t.displayName,description:t.description,serverInfo:t.serverInfo,transport:{baseUrl:t.mcpUrl,resourceMetadataUrl:t.protectedResourceMetadataUrl}}}n(we,"getUpstreamServerConfig");function Qt(e){let t=V().connectionsById.get(e.upstreamServerId);if(!t||t.authProfileId!==e.authProfileId)throw new j(`Unknown auth profile "${String(e.authProfileId)}" for upstream server "${e.upstreamServerId}". 
Check the route's MCP upstream policy and ensure policies.json declares a matching auth mode for that upstream connection.`);return t.authConfig}n(Qt,"getUpstreamAuthConfig");function Le(e,t){let r=Qt({upstreamServerId:e,authProfileId:t});if(r.mode!=="shared-oauth"&&r.mode!=="user-oauth")throw new j(`Upstream server "${e}" does not use upstream OAuth. Select authMode "shared-oauth" or "user-oauth" before starting an upstream OAuth connection flow.`);return r.oauth}n(Le,"requireUpstreamOAuthConfig");function Xo(e,t){let r=Qt({upstreamServerId:e,authProfileId:t});if(r.mode!=="id-jag")throw new j(`Upstream server "${e}" does not use upstream ID-JAG. Select authMode "id-jag" before requesting an upstream XAA token exchange.`);return r.idJag}n(Xo,"requireUpstreamIdJagConfig");function Qo(e,t){if(!t)return;if(t.aborted){e.abort(t.reason);return}let r=n(()=>e.abort(t.reason),"abort");return t.addEventListener("abort",r,{once:!0}),()=>t.removeEventListener("abort",r)}n(Qo,"mergeAbortSignals");async function Rd(e){try{await e.cancel()}catch{}}n(Rd,"cancelReader");async function er(e,t){if(!e)return new Uint8Array;let r=e.getReader(),o=[],i=0,a=await r.read();for(;!a.done;){let u=a.value;if(i+=u.byteLength,i>t.maxBytes)throw await Rd(r),t.createLimitError();o.push(u),a=await r.read()}let c=new Uint8Array(i),s=0;for(let u of o)c.set(u,s),s+=u.byteLength;return c}n(er,"readBoundedByteStream");var bd=2,Id=1024*1024,Cd=1e4,Sd=new Set([301,302,303,307,308]),vd=["authorization","proxy-authorization","cookie","cookie2"];function Jr(e){return typeof e=="string"?e:e instanceof URL?e.toString():e.url}n(Jr,"readRequestUrl");function Ne(e,t){return t?.method!==void 0?t.method.toUpperCase():e instanceof Request?e.method.toUpperCase():"GET"}n(Ne,"readRequestMethod");function Ad(e,t,r){let o=e.headers.get("content-length");if(!o)return;let i=Number.parseInt(o,10);if(Number.isFinite(i)&&i>t)throw new f({message:"Outbound response exceeded the maximum allowed 
size.",extensionMembers:{[g]:r}})}n(Ad,"assertContentLengthWithinLimit");async function xd(e,t,r){return Ad(e,t,r),er(e.body,{maxBytes:t,createLimitError:n(()=>new f({message:"Outbound response exceeded the maximum allowed size.",extensionMembers:{[g]:r}}),"createLimitError")})}n(xd,"readBoundedResponseBody");function kd(e,t){let r=new ArrayBuffer(t.byteLength);return new Uint8Array(r).set(t),new Response(r,{status:e.status,statusText:e.statusText,headers:e.headers})}n(kd,"responseFromBufferedBody");function Td(e,t){if(!Sd.has(e.status))return;let r=e.headers.get("location");if(r)return new URL(r,t).toString()}n(Td,"resolveRedirectUrl");function ei(e,t){try{return t.validateUrl(e)}catch(r){throw new f({message:"Outbound URL was not allowed.",extensionMembers:{[g]:t.problemCode}},{cause:r})}}n(ei,"validateOutboundUrl");function Ud(e,t){throw e instanceof f&&qt(e.extensionMembers?.[g])?e:new f({message:"Outbound fetch failed.",extensionMembers:{[g]:t}},{cause:e})}n(Ud,"normalizeFetchError");function bt(e,t){if(e===void 0)return;let r={event:t.event,code:t.problemCode,method:t.method};if(t.host!==void 0&&(r.host=t.host),t.extra!==void 0)for(let[o,i]of Object.entries(t.extra))i!==void 0&&(r[o]=i);t.error!==void 0&&G(r,"error",t.error),e.log.warn(r,"Outbound HTTP exchange rejected")}n(bt,"logOutboundFailure");async function Pd(e,t,r,o,i,a,c){let s=Ne(r,o);try{return await t(r,o)}catch(u){let p=u instanceof DOMException&&u.name==="AbortError";bt(e,{event:p?"outbound_fetch_aborted":"outbound_fetch_failed",problemCode:i,method:s,host:Q(a),error:u,extra:{abortReason:c()}}),Ud(u,i)}}n(Pd,"fetchWithNormalizedError");function Ed(e){if(e.redirects>=e.maxRedirects)throw new f({message:"Outbound redirects exceeded the maximum allowed depth.",extensionMembers:{[g]:e.problemCode}});if(e.method!=="GET"&&e.method!=="HEAD")throw new f({message:"Outbound redirect after a non-idempotent request was blocked.",extensionMembers:{[g]:e.problemCode}})}n(Ed,"assertRedirectAllowed");function 
Od(e,t){let r=new Headers(e);for(let o of vd)r.delete(o);for(let o of t)r.delete(o);return r}n(Od,"stripCrossOriginHeaders");function qd(e,t,r,o,i){let a={...e,method:t,redirect:"manual",signal:r};return o&&(a.headers=Od(e.headers,i)),a}n(qd,"buildRedirectInit");function Md(e,t,r){let o={...t,redirect:"manual",signal:r};return o.headers===void 0&&e instanceof Request&&(o.headers=e.headers),o}n(Md,"buildInitialRequestInit");function Dd(e){let t=Ne(e.currentInput,e.currentInit);Ed({redirects:e.redirects,maxRedirects:e.maxRedirects,method:t,problemCode:e.problemCode});let r=ei(e.redirectUrl,{problemCode:e.problemCode,validateUrl:e.validateUrl}),o=new URL(e.currentUrl),i=r.origin!==o.origin,a=r.toString();return{currentInput:a,currentUrl:a,currentInit:qd(e.currentInit,t,e.signal,i,e.additionalCrossOriginStrippedHeaders),redirects:e.redirects+1}}n(Dd,"followRedirect");async function Gr(e,t,r){let o=r.problemCode??"invalid_request",i=r.maxRedirects??bd,a=r.maxResponseBytes??Id,c=r.timeoutMs??Cd,s=r.fetchImpl??fetch,u=r.additionalCrossOriginStrippedHeaders??[],p=r.context,h=new AbortController,y=Qo(h,t.signal),T=!1,R=setTimeout(()=>{T=!0,h.abort()},c),O=e,E=Md(e,t,h.signal),re;try{re=ei(Jr(e),{problemCode:o,validateUrl:r.validateUrl}).toString()}catch(ne){throw bt(p,{event:"outbound_url_blocked",problemCode:o,method:Ne(e,t),host:Q(Jr(e)),error:ne}),clearTimeout(R),y?.(),ne}let et=0;try{for(;;){let ne=await Pd(p,s,O,E,o,re,()=>T?`timeout_after_${c}ms`:void 0),q=Td(ne,re);if(q!==void 0)try{let D=Dd({currentInput:O,currentInit:E,currentUrl:re,redirectUrl:q,redirects:et,maxRedirects:i,problemCode:o,validateUrl:r.validateUrl,signal:h.signal,additionalCrossOriginStrippedHeaders:u});O=D.currentInput,E=D.currentInit,re=D.currentUrl,et=D.redirects;continue}catch(D){throw bt(p,{event:"outbound_redirect_blocked",problemCode:o,method:Ne(O,E),host:Q(re),error:D,extra:{redirects:et,maxRedirects:i,redirectTargetHost:Q(q)}}),D}try{return kd(ne,await xd(ne,a,o))}catch(D){throw 
bt(p,{event:"outbound_response_size_exceeded",problemCode:o,method:Ne(O,E),host:Q(re),error:D,extra:{maxResponseBytes:a,status:ne.status}}),D}}}finally{clearTimeout(R),y?.()}}n(Gr,"runSafeOutboundExchange");async function It(e,t,r){let o=await Gr(e,t,r);try{return{response:o,json:await o.clone().json()}}catch(i){throw bt(r.context,{event:"outbound_json_parse_failed",problemCode:r.problemCode??"invalid_request",method:Ne(e,t),host:Q(Jr(e)),error:i,extra:{status:o.status,contentType:o.headers.get("content-type")??void 0}}),new f({message:"Outbound JSON response could not be parsed.",extensionMembers:{[g]:r.problemCode??"invalid_request"}},{cause:i})}}n(It,"runSafeOutboundJsonExchange");function ti(e,t={},r={}){return Gr(e,t,{...r,validateUrl:it})}n(ti,"fetchConfiguredOutbound");function ri(e,t={},r={}){return It(e,t,{...r,validateUrl:it})}n(ri,"fetchConfiguredOutboundJson");function tr(e,t={},r={}){return It(e,t,{...r,validateUrl:Co})}n(tr,"fetchIdentityProviderJson");function ni(e,t={},r={}){return It(e,t,{...r,validateUrl:Gt})}n(ni,"fetchCimdClientMetadataJson");function oi(e,t={},r={}){return It(e,t,{...r,validateUrl:at})}n(oi,"fetchCimdClientJwksJson");N();import{errors as li,jwtVerify as pi,SignJWT as mi}from"jose";var L="zuplo-mcp-gateway",F=L,$="HS256";import{base64url as zd}from"jose";var jd=new TextEncoder,Hd="MCP gateway could not initialize secure key material.",Bd=32,ii=new Map,ai=new Map,Ld;function Nd(){return Ld??En.instance.authPrivateKey}n(Nd,"readAuthPrivateKey");function si(e){return new W(Hd,e===void 0?void 0:{cause:e})}n(si,"createGeneratedKeyMaterialError");function ci(e,t){let r=zd.decode(t);if(r.byteLength!==Bd)throw new Error(`Generated deployment auth key ${e} is invalid.`);return r}n(ci,"decodeJwkKeyField");function Jd(e){let t=Nd();if(!t)throw si();try{let r=JSON.parse(t);if(r.kty!=="OKP"||r.crv!=="Ed25519"||typeof r.d!="string"||typeof r.x!="string")throw new Error("Generated deployment auth key is not an Ed25519 JWK.");let 
o=ci("d",r.d);ci("x",r.x);let i=jd.encode(`zuplo-mcp-gateway:${e}:Ed25519:`),a=new Uint8Array(i.byteLength+o.byteLength);return a.set(i),a.set(o,i.byteLength),a}catch(r){throw si(r)}}n(Jd,"decodeGeneratedKeyMaterial");function Gd(e){let t=ii.get(e);return t||(t=Jd(e),ii.set(e,t)),t}n(Gd,"getMasterKeyMaterial");async function ee(e){let t=ai.get(e.purpose);if(t!==void 0)return t;let r=await e.derive(Gd(e.keyMaterialPurpose));return ai.set(e.purpose,r),r}n(ee,"readCachedDerivedKey");var Fd="SHA-256";var $d="zuplo-mcp-gateway:",Zd=new TextEncoder,di=new WeakMap;async function Re(e,t){let r=di.get(e);r||(r=new Map,di.set(e,r));let o=r.get(t);if(o)return o;let i=await Kd(e,t);return r.set(t,i),i}n(Re,"deriveGatewaySigningKey");async function Kd(e,t){let r=ui(e),o=await crypto.subtle.importKey("raw",r,{name:"HKDF"},!1,["deriveBits"]),i=Zd.encode(`${$d}${t}`),a=await crypto.subtle.deriveBits({name:"HKDF",hash:Fd,salt:new Uint8Array,info:ui(i)},o,32*8);return new Uint8Array(a)}n(Kd,"hkdfExpand");function ui(e){let t=new ArrayBuffer(e.byteLength);return new Uint8Array(t).set(e),t}n(ui,"copyToArrayBuffer");var fi=15*60,Wd=15*60,Vd=no.extend({id:ko}),Yd=Vd.extend({exp:d.number().int().positive(),iat:d.number().int().positive().optional()}),hi=_r.extend({id:To,purpose:d.literal("browser_connect")}),Xd=_r.extend({purpose:d.literal("browser_connect")}),Qd=hi.extend({exp:d.number().int().positive(),iat:d.number().int().positive().optional()}),gi=fi*1e3;async function yi(){return ee({purpose:"oauth-state",keyMaterialPurpose:"oauth-state-signing",derive:n(e=>Re(e,"oauth-state"),"derive")})}n(yi,"getOAuthStateKey");async function _i(){return ee({purpose:"browser-connect",keyMaterialPurpose:"oauth-state-signing",derive:n(e=>Re(e,"browser-connect"),"derive")})}n(_i,"getBrowserConnectKey");async function wi(e){let t=Math.floor(Date.now()/1e3)+fi;return new mi(e).setProtectedHeader({alg:$,typ:"JWT"}).setIssuer(L).setAudience(F).setIssuedAt().setExpirationTime(t).sign(await 
yi())}n(wi,"signOAuthState");async function rr(e){try{let{payload:t}=await pi(e,await yi(),{algorithms:[$],issuer:L,audience:F});return Yd.parse(t)}catch(t){throw t instanceof li.JWTExpired?new f({message:"OAuth state has expired",extensionMembers:{[g]:"oauth_state_expired"}},{cause:t}):new f({message:"OAuth state could not be verified",extensionMembers:{[g]:"oauth_state_invalid"}},{cause:t})}}n(rr,"verifyOAuthState");async function Ri(e){let t=Math.floor(Date.now()/1e3)+Wd,r=Xd.parse(e),o=hi.parse({...r,id:Eo()});return new mi(o).setProtectedHeader({alg:$,typ:"JWT"}).setIssuer(L).setAudience(F).setIssuedAt().setExpirationTime(t).sign(await _i())}n(Ri,"signBrowserConnectTicket");async function bi(e){try{let{payload:t}=await pi(e,await _i(),{algorithms:[$],issuer:L,audience:F});return Qd.parse(t)}catch(t){throw t instanceof li.JWTExpired?new f({message:"Browser connect ticket has expired",extensionMembers:{[g]:"oauth_state_expired"}},{cause:t}):new f({message:"Browser connect ticket could not be verified",extensionMembers:{[g]:"oauth_state_invalid"}},{cause:t})}}n(bi,"verifyBrowserConnectTicket");async function Ii(e){if((await b().consumeBrowserConnectTicket({id:e.id,expiresAt:I(new Date(e.exp*1e3)),now:I(new Date)})).kind==="consumed")throw new f({message:"Browser connect ticket has already been used",extensionMembers:{[g]:"oauth_state_reused"}})}n(Ii,"consumeBrowserConnectTicket");function eu(e,t,r=!1){return r?`${e} authorization must be renewed before this ${t} can be used.`:`${e} authorization is required before this ${t} can be used.`}n(eu,"buildConnectRequiredMessage");async function tu(e){let t=U(e.requestUrl,e.requestHeaders),r=new URL(e.path,t);return e.redirect&&r.searchParams.set("redirect","true"),r.searchParams.set("operationId",e.operationId),r.searchParams.set("browserTicket",await Ri({...nt(e),purpose:"browser_connect"})),r.toString()}n(tu,"buildGatewayBrowserTicketUrl");function ru(e){return 
z().actionPath(`/auth/connections/${encodeURIComponent(e)}/connect`)}n(ru,"buildGatewayConnectPath");async function Fr(e){return tu({...e,path:ru(e.upstreamServerId),redirect:!0})}n(Fr,"buildGatewayConnectUrl");async function nr(e){let t={requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders},owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,operationId:e.operationId,...e.returnTo===void 0?{}:{returnTo:e.returnTo}};return{state:e.requiresReconsent?"reconsent_required":"authenticating",upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,operationId:e.operationId,...e.connectionId?{connectionId:e.connectionId}:{},authUrl:await Fr(t),message:eu(e.upstreamDisplayName,e.subject,e.requiresReconsent),nextAction:"redirect"}}n(nr,"buildRedirectConnectRequiredResponse");function Ci(e){return nu({...e,message:e.requiresReconsent?`An administrator must reconnect ${e.upstreamDisplayName} before this tool can be used.`:`An administrator must connect ${e.upstreamDisplayName} before this tool can be used.`})}n(Ci,"buildAdminConnectRequiredResponse");function nu(e){return{state:"admin_connect_required",upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,operationId:e.operationId,...e.connectionId?{connectionId:e.connectionId}:{},message:e.message,nextAction:"admin_setup_required"}}n(nu,"buildAdminSetupRequiredResponse");N();var Si=new Set(["client_id","code_challenge","code_challenge_method","display","login_hint","nonce","prompt","redirect_uri","response_mode","response_type","state"]);function ou(e,t){return e&&e.length>0?e.join(t):void 0}n(ou,"joinOAuthScopes");function iu(e){if(e?.authorization_endpoint===void 0)return e;let t=new URL(e.authorization_endpoint);for(let r of Si)t.searchParams.delete(r);return{...e,authorization_endpoint:t.toString()}}n(iu,"sanitizeAuthorizationServerMetadata");function $r(e){let 
t=iu(e.authorizationServerMetadata);return t===e.authorizationServerMetadata?e:{...e,authorizationServerMetadata:t}}n($r,"sanitizeOAuthDiscoveryState");function vi(e){let t=new URL(e);for(let r of Si){let o=t.searchParams.getAll(r);o.length<=1||(t.searchParams.delete(r),t.searchParams.set(r,o.at(-1)??""))}return t}n(vi,"normalizeDuplicateSingletonAuthorizationRequestParams");function or(e){let t=new URL(e);return J(t)&&Jn(t.hostname)!=="localhost"&&(t.hostname="localhost"),t}n(or,"normalizeLoopbackOAuthRedirectUri");function Ai(e){return ou(e.state?.resourceMetadata?.scopes_supported,e.delimiter)}n(Ai,"readProtectedResourceMetadataScope");function au(e){return`Zuplo MCP Gateway - ${e}`}n(au,"buildGatewayOAuthClientName");function su(e,t){return e&&e.length>0?e.join(t):void 0}n(su,"joinOAuthScopeList");function Zr(e){return new URL(z().actionPath(`/.well-known/oauth-client/${encodeURIComponent(e.upstreamServerId)}`),e.origin).toString()}n(Zr,"buildOAuthClientMetadataDocumentUrl");function Kr(e){let t=we(e.upstreamServerId);return{client_name:au(t.displayName),client_uri:new URL("/",e.origin).toString(),redirect_uris:[e.redirectUri],grant_types:["authorization_code","refresh_token"],response_types:["code"],application_type:"web",...e.scope===void 0?{}:{scope:e.scope},token_endpoint_auth_method:"none"}}n(Kr,"buildGatewayOAuthClientMetadata");function xi(e,t,r){let o=Le(t,r),i=su(o.scopes,o.scopeDelimiter);return{client_id:Zr({origin:e,upstreamServerId:t}),...Kr({origin:e,upstreamServerId:t,redirectUri:or(new URL(o.redirectPath,e)).toString(),scope:i})}}n(xi,"buildOAuthClientMetadataDocument");N();import{base64url as be}from"jose";var cu="SHA-256",Ge="AES-GCM",du=12,Vr="zuplo-secret",Yr=1,ki="generated:auth_private_key:token-encryption",uu=d.object({version:d.literal(Yr),keyId:d.literal(ki),algorithm:d.literal(Ge),iv:d.string().min(1),ciphertext:d.string().min(1)}).strict();function Je(e){let t=new ArrayBuffer(e.byteLength);return new 
Uint8Array(t).set(e),t}n(Je,"copyToArrayBuffer");async function Wr(){return ee({purpose:"token-encryption",keyMaterialPurpose:"token-encryption",derive:n(async e=>{let t=await crypto.subtle.digest(cu,Je(e));return crypto.subtle.importKey("raw",t,{name:Ge},!1,["encrypt","decrypt"])},"derive")})}n(Wr,"getEncryptionKey");function Ti(e){return Je(new TextEncoder().encode(`${Vr}:v${e.version}:${e.keyId}`))}n(Ti,"getAssociatedData");function lu(e){return`${Vr}:v${e.version}:${be.encode(new TextEncoder().encode(JSON.stringify(e)))}`}n(lu,"encodeEnvelope");function pu(e){let t=`${Vr}:v${Yr}:`;if(!e.startsWith(t))return;let r=e.slice(t.length),o=new TextDecoder().decode(be.decode(r));return uu.parse(JSON.parse(o))}n(pu,"decodeEnvelope");async function ue(e){let t=await Wr(),r=crypto.getRandomValues(new Uint8Array(du)),o={version:Yr,keyId:ki},i=await crypto.subtle.encrypt({name:Ge,iv:r,additionalData:Ti(o)},t,new TextEncoder().encode(e));return lu({...o,algorithm:Ge,iv:be.encode(r),ciphertext:be.encode(new Uint8Array(i))})}n(ue,"encryptSecret");async function Ie(e){let t=pu(e);if(t){let c=await Wr(),s=await crypto.subtle.decrypt({name:Ge,iv:Je(be.decode(t.iv)),additionalData:Ti(t)},c,Je(be.decode(t.ciphertext)));return new TextDecoder().decode(s)}let[r,o]=e.split(".");if(!r||!o)throw new W("Encrypted payload is malformed");let i=await Wr(),a=await crypto.subtle.decrypt({name:Ge,iv:Je(be.decode(r))},i,Je(be.decode(o)));return new TextDecoder().decode(a)}n(Ie,"decryptSecret");var mu=d.union([ct,Vt]),Ui=d.object({authorizationServerUrl:d.url(),resourceMetadataUrl:d.url().optional(),resourceMetadata:Kt.optional(),authorizationServerMetadata:d.union([st,Wt]).optional()}).passthrough(),fu="Bearer",hu="__zuplo_refresh_only_upstream_access_token__";function gu(e){return e?e.split(/[,\s]+/).filter(Boolean):[]}n(gu,"splitScopes");function yu(e){return Nt.parse(e)}n(yu,"parsePkceCodeVerifier");function _u(e){if(typeof e.expires_in=="number")return I(new 
Date(Date.now()+e.expires_in*1e3))}n(_u,"readTokenExpiry");async function Pi(e){if(e!==void 0)return ue(JSON.stringify(e))}n(Pi,"encryptJson");async function Ei(e,t){if(!e)return;let r=await Ie(e);try{return t.parse(JSON.parse(r))}catch(o){throw new f({message:"Stored upstream OAuth JSON state is invalid.",extensionMembers:{[g]:"oauth_state_invalid"}},{cause:o})}}n(Ei,"decryptJson");function wu(e){if(e===void 0)return;e=$r(e);let t={authorizationServerUrl:e.authorizationServerUrl};return e.resourceMetadataUrl!==void 0&&(t.resourceMetadataUrl=e.resourceMetadataUrl),e.resourceMetadata!==void 0&&(t.resourceMetadata=e.resourceMetadata),e.authorizationServerMetadata!==void 0&&(t.authorizationServerMetadata=e.authorizationServerMetadata),t}n(wu,"toOAuthDiscoveryState");function Ru(e,t){return"redirect_uris"in e?e.redirect_uris.includes(t):!0}n(Ru,"clientInformationAllowsRedirectUri");function bu(e){return e.clientMetadataUrl===void 0?"redirect_uris"in e.clientInformation:"redirect_uris"in e.clientInformation||e.clientInformation.client_id===e.clientMetadataUrl}n(bu,"clientInformationMatchesCurrentClientMetadataUrl");function Iu(e){return e.clientMetadataUrl!==void 0&&!("redirect_uris"in e.clientInformation)&&e.clientInformation.client_id===e.clientMetadataUrl}n(Iu,"isUrlBasedClientInformation");function Cu(e,t){return t===void 0?e:{...e,scope:t}}n(Cu,"applyOAuthClientMetadataScope");function Oi(e,t){return Ai({state:e,delimiter:t})}n(Oi,"readResourceMetadataScope");function Su(e,t){return e&&e.length>0?e.join(t):void 0}n(Su,"joinOAuthScopeList");function vu(e){let t;if(e.registration.tokenEndpointAuthMethod!=="none"&&(t=e.registration.clientSecret,!t))throw new j(`Manual OAuth registration for upstream "${e.upstreamServerId}" requires clientSecret. 
Set the env var that backs the client secret or use tokenEndpointAuthMethod "none".`);return ct.parse({...e.clientMetadata,client_id:e.registration.clientId,token_endpoint_auth_method:e.registration.tokenEndpointAuthMethod,...t===void 0?{}:{client_secret:t}})}n(vu,"buildManualOAuthClientInformation");function Au(e,t){let r=Zr({origin:new URL(t).origin,upstreamServerId:e});return jr(r)?r:void 0}n(Au,"buildClientMetadataUrl");function qi(e){for(let t of e)if(t!==void 0)return t}n(qi,"firstDefined");function xu(e){let t=Le(e.target.upstreamServerId,e.target.authProfileId),r=Su(t.scopes,t.scopeDelimiter),o=Kr({origin:new URL(e.redirectUri).origin,upstreamServerId:e.target.upstreamServerId,redirectUri:e.redirectUri,scope:r});if(t.clientRegistration.mode==="manual")return{clientMetadata:o,configuredScope:r,scopeDelimiter:t.scopeDelimiter,configuredClientInformation:vu({clientMetadata:o,registration:t.clientRegistration,upstreamServerId:e.target.upstreamServerId})};let i=Au(e.target.upstreamServerId,e.redirectUri);return i===void 0?{clientMetadata:o,configuredScope:r,scopeDelimiter:t.scopeDelimiter}:{clientMetadata:o,configuredScope:r,scopeDelimiter:t.scopeDelimiter,clientMetadataUrl:i}}n(xu,"buildInitialOAuthClientSetup");function ku(e,t){if(t===void 0)return qi([e.pendingState?.encryptedClientInformation,e.connectionMetadata?.encryptedClientInformation,e.connection?.metadata?.encryptedClientInformation])}n(ku,"readEncryptedClientInformation");function Tu(e){return qi([e.pendingState?.encryptedDiscoveryState,e.connectionMetadata?.encryptedDiscoveryState,e.connection?.metadata?.encryptedDiscoveryState])}n(Tu,"readEncryptedDiscoveryState");var 
Pe=class{static{n(this,"UpstreamOAuthProvider")}clientMetadataUrl;target;redirectUriValue;returnOrigin;clientMetadataValue;configuredScope;scopeDelimiter;configuredClientInformation;challengeScope;inferredScope;authorizationUrlValue;connection;pendingState;encryptedClientInformation;encryptedDiscoveryState;cachedClientInformation;clientInformationLoaded=!1;cachedDiscoveryState;discoveryStateLoaded=!1;cachedTokens;tokensLoaded=!1;constructor(t){let r=xu({target:t.target,redirectUri:t.redirectUri});this.target=t.target,this.redirectUriValue=t.redirectUri,this.returnOrigin=t.returnOrigin,this.clientMetadataValue=r.clientMetadata,this.configuredScope=r.configuredScope,this.scopeDelimiter=r.scopeDelimiter,this.configuredClientInformation=r.configuredClientInformation,r.clientMetadataUrl!==void 0&&(this.clientMetadataUrl=r.clientMetadataUrl),this.connection=t.connection,this.pendingState=t.pendingState?{...t.pendingState}:void 0,this.encryptedClientInformation=ku(t,this.configuredClientInformation),this.encryptedDiscoveryState=Tu(t)}get authorizationUrl(){return this.authorizationUrlValue}get redirectUrl(){return this.redirectUriValue}get clientMetadata(){return Cu(this.clientMetadataValue,this.readEffectiveScope())}async state(){let t=await this.createPendingState();return wi({id:t.id,...nt({owner:this.target.owner,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,operationId:t.operationId})})}async clientInformation(){return this.configuredClientInformation?this.configuredClientInformation:this.loadPersistedClientInformation()}async saveClientInformation(t){this.configuredClientInformation||(this.cachedClientInformation=t,this.clientInformationLoaded=!0,!Iu({clientInformation:t,clientMetadataUrl:this.clientMetadataUrl})&&(this.encryptedClientInformation=await Pi(t),await this.syncPendingState(!1)))}async discoveryState(){return 
this.loadPersistedDiscoveryState()}applyChallengeScope(t){this.challengeScope=t}async saveDiscoveryState(t){let r=$r(Ui.parse(t));this.cachedDiscoveryState=r,this.discoveryStateLoaded=!0,this.inferredScope=Oi(r,this.scopeDelimiter),this.encryptedDiscoveryState=await Pi(r),await this.syncPendingState(!1)}async tokens(){return this.loadStoredTokens()}async saveTokens(t){let r=Be.parse(t),o=this.target.owner.mode==="user"?this.target.owner.subjectId:void 0,i=r.refresh_token?await ue(r.refresh_token):this.connection?.encryptedRefreshToken;this.cachedTokens=r.refresh_token||!this.connection?.encryptedRefreshToken?r:Be.parse({...r,refresh_token:await Ie(this.connection.encryptedRefreshToken)}),this.tokensLoaded=!0;let a={id:this.connection?.id??Ft(),ownerMode:this.target.owner.mode,subjectId:o,upstreamServerId:this.target.upstreamServerId,authProfileId:this.target.authProfileId,status:"active",encryptedAccessToken:await ue(r.access_token),encryptedRefreshToken:i,scopes:gu(r.scope??this.readEffectiveScope()),expiresAt:_u(r),metadata:this.readStoredOAuthPersistence(this.target.owner.mode==="shared"?this.target.initiatedBySubjectId:void 0)};this.connection=await b().upsertUpstreamConnection(a)}async redirectToAuthorization(t){let r=vi(t);this.authorizationUrlValue=r.toString()}async saveCodeVerifier(t){let r=await this.createPendingState();await this.persistPendingState({...r,codeVerifier:yu(t)})}async codeVerifier(){if(!this.pendingState?.codeVerifier)throw new f({message:"OAuth code verifier is missing",extensionMembers:{[g]:"oauth_state_invalid"}});return this.pendingState.codeVerifier}async invalidateCredentials(t){let r=t==="all"||t==="client"||t==="tokens",o=t==="all"||t==="client",i=t==="all"||t==="discovery",a=t==="all"||t==="verifier";o&&(this.cachedClientInformation=void 0,this.clientInformationLoaded=!0,this.encryptedClientInformation=void 0),i&&(this.cachedDiscoveryState=void 0,this.discoveryStateLoaded=!0,this.encryptedDiscoveryState=void 
0,this.challengeScope=void 0,this.inferredScope=void 0),r&&(this.cachedTokens=void 0,this.tokensLoaded=!0),await this.syncPendingState(a),await this.persistCredentialInvalidation(r)}async createPendingState(){if(this.pendingState)return this.pendingState;let t={id:Po(),...nt({owner:this.target.owner,initiatedBySubjectId:this.target.initiatedBySubjectId,upstreamServerId:this.target.upstreamServerId,authProfileId:this.target.authProfileId,operationId:this.target.operationId,...this.target.returnTo===void 0?{}:{returnTo:this.target.returnTo}}),callbackPath:new URL(this.redirectUriValue).pathname,expiresAt:I(new Date(Date.now()+gi)),redirectUri:this.redirectUriValue,...this.returnOrigin===void 0?{}:{returnOrigin:this.returnOrigin},encryptedClientInformation:this.encryptedClientInformation,encryptedDiscoveryState:this.encryptedDiscoveryState,connectedBySubjectId:this.target.owner.mode==="shared"?this.target.initiatedBySubjectId:void 0};return await this.persistPendingState(t),t}async persistPendingState(t){await b().saveUpstreamOAuthState({record:t}),this.pendingState=t}async syncPendingState(t){this.pendingState&&await this.persistPendingState({...this.pendingState,codeVerifier:t?void 0:this.pendingState.codeVerifier,encryptedClientInformation:this.encryptedClientInformation,encryptedDiscoveryState:this.encryptedDiscoveryState})}async loadPersistedClientInformation(){if(this.clientInformationLoaded)return this.cachedClientInformation;let t;try{t=await Ei(this.encryptedClientInformation,mu)}catch{this.encryptedClientInformation=void 0,this.cachedClientInformation=void 0,this.clientInformationLoaded=!0,await this.syncPendingState(!1),await this.persistCredentialInvalidation(!1);return}if(t&&(!Ru(t,this.redirectUriValue)||!bu({clientInformation:t,clientMetadataUrl:this.clientMetadataUrl}))){this.encryptedClientInformation=void 0,this.cachedClientInformation=void 0,this.clientInformationLoaded=!0,await this.syncPendingState(!1),await 
this.persistCredentialInvalidation(!1);return}return t===void 0&&this.pendingState?.codeVerifier!==void 0&&this.clientMetadataUrl!==void 0&&(t=Vt.parse({client_id:this.clientMetadataUrl})),this.cachedClientInformation=t,this.clientInformationLoaded=!0,this.cachedClientInformation}async loadPersistedDiscoveryState(){if(this.discoveryStateLoaded)return this.cachedDiscoveryState;try{this.cachedDiscoveryState=wu(await Ei(this.encryptedDiscoveryState,Ui))}catch{this.encryptedDiscoveryState=void 0,this.cachedDiscoveryState=void 0,await this.syncPendingState(!1),await this.persistCredentialInvalidation(!1)}return this.discoveryStateLoaded=!0,this.inferredScope=Oi(this.cachedDiscoveryState,this.scopeDelimiter),this.cachedDiscoveryState}readEffectiveScope(){return this.configuredScope??this.challengeScope??this.inferredScope}async loadStoredTokens(){if(this.tokensLoaded)return this.cachedTokens;if(this.tokensLoaded=!0,!this.connection||this.connection.status!=="active")return;let t=this.connection.encryptedAccessToken?await Ie(this.connection.encryptedAccessToken):void 0,r=this.connection.encryptedRefreshToken?await Ie(this.connection.encryptedRefreshToken):void 0;if(!t&&!r)return;let o=Be.parse({access_token:t??hu,token_type:fu,refresh_token:r,scope:this.connection.scopes.length>0?this.connection.scopes.join(" "):void 0});return this.cachedTokens=o,o}async persistCredentialInvalidation(t){if(!this.connection)return;let r={id:this.connection.id,ownerMode:this.connection.ownerMode,subjectId:this.connection.subjectId,upstreamServerId:this.connection.upstreamServerId,authProfileId:this.connection.authProfileId,status:this.connection.status,encryptedAccessToken:this.connection.encryptedAccessToken,encryptedRefreshToken:this.connection.encryptedRefreshToken,scopes:[...this.connection.scopes],expiresAt:this.connection.expiresAt,metadata:this.connection.metadata?{...this.connection.metadata}:void 0};t&&(r.status="reconsent_required",r.encryptedAccessToken=void 
0,r.encryptedRefreshToken=void 0,r.scopes=[],r.expiresAt=void 0),r.metadata=this.readStoredOAuthPersistence(this.connection.metadata?.connectedBySubjectId),this.connection=await b().upsertUpstreamConnection(r)}readStoredOAuthPersistence(t){if(!(!this.encryptedClientInformation&&!this.encryptedDiscoveryState&&!t))return{encryptedClientInformation:this.encryptedClientInformation,encryptedDiscoveryState:this.encryptedDiscoveryState,connectedBySubjectId:t}}};var Uu=3e4,Pu=256*1024,Eu=2;function Ou(e){return!e||e.status!=="active"||!e.encryptedAccessToken?!1:e.expiresAt?new Date(e.expiresAt).getTime()>Date.now():!0}n(Ou,"hasUsableAccessToken");var qu="does not support dynamic client registration",Mu=["Resource server does not implement OAuth 2.0 Protected Resource Metadata","trying to load well-known OAuth protected resource metadata"],Du=["HTTP 403 Forbidden","Access Denied","permission to access"];function zu(e){return e instanceof Error&&e.message.includes(qu)}n(zu,"isDynamicClientRegistrationUnsupported");function ju(e){return e instanceof Error&&Mu.some(t=>e.message.includes(t))}n(ju,"isProtectedResourceMetadataUnavailable");function Hu(e){return e instanceof Error&&Du.some(t=>e.message.includes(t))}n(Hu,"isUpstreamProviderAccessDenied");function Bu(e){if(e.error instanceof f&&e.error.extensionMembers?.[g]!==void 0)return e.error;if(zu(e.error))return new f({message:`The authorization server for ${e.upstreamServerId} does not advertise Client ID Metadata Document support and does not support Dynamic Client Registration. Register an OAuth client for the gateway manually before retrying.`,extensionMembers:{[g]:"upstream_client_registration_required"}},{cause:e.error});if(ju(e.error))return new f({message:`The upstream MCP server "${e.upstreamServerId}" does not publish OAuth protected resource metadata at "${e.resourceMetadataUrl}". 
Configure protectedResourceMetadataUrl to a working metadata document, use a provider-supported legacy client, or contact the provider to approve/allowlist this gateway OAuth client before retrying.`,extensionMembers:{[g]:"upstream_oauth_discovery_unavailable"}},{cause:e.error});if(Hu(e.error))return new f({message:`The upstream provider denied access while connecting ${e.upstreamServerId}. Confirm the provider allows this gateway and its OAuth client, then retry.`,extensionMembers:{[g]:"upstream_provider_access_denied"}},{cause:e.error})}n(Bu,"mapUpstreamOAuthSetupError");function Lu(e){return typeof e=="string"||e instanceof URL?{url:new URL(e.toString())}:{method:e.method,url:new URL(e.url)}}n(Lu,"readOAuthFetchRequest");function Nu(e,t){return(e.headers.get("content-type")??"").includes("json")||t.trimStart().startsWith("{")||t.trimStart().startsWith("[")}n(Nu,"responseLooksJson");function Ju(e,t){let r=e.headers.get("content-type")??"",o=t.trimStart().toLowerCase();return r.includes("html")||o.startsWith("<!doctype html")||o.startsWith("<html")}n(Ju,"responseLooksHtml");function Gu(e){let t=e.response.statusText?` ${e.response.statusText}`:"",r=e.response.headers.get("content-type")??"text/html";throw new f({message:`The upstream provider returned ${e.response.status}${t} (${r}) from ${e.request.url.toString()} while connecting ${e.upstreamServerId}.`,extensionMembers:{[g]:e.response.status===403?"upstream_provider_access_denied":"upstream_token_exchange_failed",[he]:e.response.status,[Me]:r,[ge]:e.request.url.toString(),[De]:e.body}})}n(Gu,"throwUpstreamHtmlError");function Mi(e){return async(t,r)=>{let o=Lu(t),i=await ti(t,r,{maxRedirects:Eu,maxResponseBytes:Pu,problemCode:"upstream_token_exchange_failed",timeoutMs:Uu}),a=await i.clone().text();if(!i.ok&&Ju(i,a)&&Gu({upstreamServerId:e,request:o,response:i,body:a}),!Nu(i,a))return i;try{JSON.parse(a)}catch(c){throw new f({message:`Upstream OAuth fetch ${o.url.origin}${o.url.pathname} for ${e} returned 
invalid JSON.`,extensionMembers:{[g]:"upstream_token_exchange_failed"}},{cause:c})}return i}}n(Mi,"createUpstreamOAuthFetch");async function Di(e,t){e.applyChallengeScope(t.requestedScope);try{let r={serverUrl:t.serverUrl,resourceMetadataUrl:new URL(t.resourceMetadataUrl),fetchFn:Mi(t.upstreamServerId)};return t.requestedScope!==void 0&&(r.scope=t.requestedScope),await zr(e,r)}catch(r){let o=Bu({upstreamServerId:t.upstreamServerId,resourceMetadataUrl:t.resourceMetadataUrl,error:r});throw o!==void 0?o:r}}n(Di,"runUpstreamOAuth");async function Fu(e,t){e.applyChallengeScope(t.requestedScope);let r={serverUrl:t.serverUrl,authorizationCode:t.authorizationCode,resourceMetadataUrl:new URL(t.resourceMetadataUrl),fetchFn:Mi(t.upstreamServerId)};return t.requestedScope!==void 0&&(r.scope=t.requestedScope),zr(e,r)}n(Fu,"exchangeUpstreamAuthorizationCode");async function zi(e,t){let r=await Di(e,t);if(r==="REDIRECT"&&e.authorizationUrl)return e.authorizationUrl;throw r==="AUTHORIZED"?new f({message:`OAuth connect flow reused existing credentials instead of producing a redirect for ${t.upstreamServerId}`,extensionMembers:{[g]:"upstream_token_exchange_failed"}}):new f({message:`Unexpected OAuth result for ${t.upstreamServerId}: ${r}`,extensionMembers:{[g]:"upstream_token_exchange_failed"}})}n(zi,"requireUpstreamAuthorizationRedirect");async function ji(e){if(!e.forceRefresh&&Ou(e.connection))return{kind:"authorized",credential:{type:"mcp_oauth_provider",provider:e.provider}};let t=await Di(e.provider,{upstreamServerId:e.target.upstreamServerId,serverUrl:e.serverUrl,resourceMetadataUrl:e.resourceMetadataUrl,...e.requestedScope===void 0?{}:{requestedScope:e.requestedScope}});if(t==="AUTHORIZED")return{kind:"authorized",credential:{type:"mcp_oauth_provider",provider:e.provider}};if(t!=="REDIRECT")throw new f({message:`Unexpected OAuth result for ${e.target.upstreamServerId}: ${t}`,extensionMembers:{[g]:"upstream_token_exchange_failed"}});if(!e.provider.authorizationUrl)throw new 
f({message:`OAuth connect-required flow did not produce a redirect for ${e.target.upstreamServerId}`,extensionMembers:{[g]:"upstream_token_exchange_failed"}});return{kind:"connect_required",payload:await Vu({requestUrl:e.target.request.url,requestHeaders:e.target.request.headers,connection:e.connection,owner:e.target.owner,initiatedBySubjectId:e.target.initiatedBySubjectId,upstreamServerId:e.target.upstreamServerId,authProfileId:e.target.authProfileId,upstreamDisplayName:e.upstreamDisplayName,operationId:e.target.operationId,...e.target.returnTo===void 0?{}:{returnTo:e.target.returnTo}})}}n(ji,"authorizeUpstreamOAuthSession");async function $u(e){let t=await rr(e.stateToken),r=await b().consumeUpstreamOAuthState({id:t.id,now:I(new Date)}),o=Zu(r);return Ku({storedState:o,signedState:t,upstreamServerId:e.upstreamServerId,callbackPath:new URL(e.request.url).pathname}),Wu(o),o}n($u,"consumeStoredCallbackState");function Zu(e){switch(e.kind){case"consumed":throw new f({message:"OAuth state has already been used",extensionMembers:{[g]:"oauth_state_reused"}});case"missing":throw new f({message:"OAuth state is missing or expired",extensionMembers:{[g]:"oauth_state_expired"}});case"available":return e.record}}n(Zu,"readConsumedCallbackState");function Ku(e){if(![e.storedState.ownerMode===e.signedState.ownerMode,e.storedState.initiatedBySubjectId===e.signedState.initiatedBySubjectId,e.storedState.ownerSubjectId===e.signedState.ownerSubjectId,e.storedState.upstreamServerId===e.signedState.upstreamServerId,e.storedState.authProfileId===e.signedState.authProfileId,e.storedState.operationId===e.signedState.operationId,e.storedState.upstreamServerId===e.upstreamServerId,e.storedState.callbackPath===e.callbackPath].every(Boolean))throw new f({message:"OAuth callback did not match the initiating request",extensionMembers:{[g]:"oauth_callback_mismatch"}})}n(Ku,"assertStoredCallbackStateMatches");function Wu(e){if(new Date(e.expiresAt).getTime()<=Date.now())throw new 
f({message:"OAuth state has expired",extensionMembers:{[g]:"oauth_state_expired"}})}n(Wu,"assertStoredCallbackStateFresh");async function Vu(e){if(e.owner.mode==="shared"){let r={upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,upstreamDisplayName:e.upstreamDisplayName,operationId:e.operationId,requiresReconsent:!!e.connection};return e.connection!==void 0&&(r.connectionId=e.connection.id),Ci(r)}let t={requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders},owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,upstreamDisplayName:e.upstreamDisplayName,operationId:e.operationId,subject:"tool",requiresReconsent:!!e.connection,...e.returnTo===void 0?{}:{returnTo:e.returnTo}};return e.connection!==void 0&&(t.connectionId=e.connection.id),nr(t)}n(Vu,"buildOAuthConnectRequiredResponse");async function Hi(e){let t=await $u({request:e.request,upstreamServerId:e.upstreamServerId,stateToken:e.stateToken}),r=Ht(t),[o]=await b().batchGetUpstreamConnections([{owner:r,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId}]),i={target:{owner:r,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,operationId:t.operationId,...t.returnTo===void 0?{}:{returnTo:t.returnTo}},redirectUri:t.redirectUri,pendingState:t};o!==void 0&&(i.connection=o);let a=new Pe(i),c=await Fu(a,{upstreamServerId:e.upstreamServerId,serverUrl:e.upstreamServerConfig.transport.baseUrl,authorizationCode:e.authorizationCode,resourceMetadataUrl:e.upstreamServerConfig.transport.resourceMetadataUrl});if(c==="AUTHORIZED")return t;throw c!=="REDIRECT"?new f({message:`Unexpected OAuth result for ${e.upstreamServerId}: ${c}`,extensionMembers:{[g]:"upstream_token_exchange_failed"}}):new f({message:`OAuth callback flow did not finish authorization for 
${e.upstreamServerId}`,extensionMembers:{[g]:"upstream_token_exchange_failed"}})}n(Hi,"finishUpstreamOAuthCallback");N();import{importPKCS8 as Yu,SignJWT as Xu}from"jose";var Li=1e4,Ni=64*1024,Ji=2,Qu=300,Z=d.string().min(1),el=d.object({access_token:Z,issued_token_type:Z,token_type:Z,expires_in:d.number().int().positive().optional(),scope:Z.optional()}).passthrough(),tl=d.object({id_token:Z,token_type:Z.optional(),expires_in:d.number().int().positive().optional(),refresh_token:Z.optional(),scope:Z.optional()}).passthrough(),rl=d.object({access_token:Z,token_type:Z,expires_in:d.number().int().positive().optional(),scope:Z.optional(),resource:Z.optional(),refresh_token:Z.optional()}).passthrough();function Bi(e){return encodeURIComponent(e).replace(/%20/g,"+")}n(Bi,"formEncodeClientCredential");function nl(e){return e.replaceAll("\\n",`
|
|
26
|
+
`)}n(nl,"normalizePem");async function ol(e){let t=e.clientAuth.algorithm??"RS256",r=e.clientAuth.expiresInSeconds??Qu,o=await Yu(nl(e.clientAuth.privateKeyPem),t),i={alg:t,typ:"JWT",...e.clientAuth.keyId===void 0?{}:{kid:e.clientAuth.keyId}};return new Xu({jti:crypto.randomUUID()}).setProtectedHeader(i).setIssuer(e.clientAuth.clientId).setSubject(e.clientAuth.clientId).setAudience(e.clientAuth.audience??e.tokenUrl).setIssuedAt().setExpirationTime(`${r}s`).sign(o)}n(ol,"createPrivateKeyJwtClientAssertion");async function il(e){switch(e.clientAuth.method){case"client_secret_post":e.form.set("client_id",e.clientAuth.clientId),e.form.set("client_secret",e.clientAuth.clientSecret);return;case"client_secret_basic":{let t=Bi(e.clientAuth.clientId),r=Bi(e.clientAuth.clientSecret);e.headers.authorization=`Basic ${btoa(`${t}:${r}`)}`;return}case"private_key_jwt":e.form.set("client_id",e.clientAuth.clientId),e.form.set("client_assertion_type",Lt),e.form.set("client_assertion",await ol({clientAuth:e.clientAuth,tokenUrl:e.tokenUrl}));return}}n(il,"appendClientAuthentication");async function Xr(e){let t={"Content-Type":"application/x-www-form-urlencoded"};return await il({form:e.form,headers:t,clientAuth:e.clientAuth,tokenUrl:e.tokenUrl}),{method:"POST",headers:t,body:e.form.toString()}}n(Xr,"buildFormRequest");function Gi(e){return(t,r)=>tr(t,r,{context:e,maxRedirects:Ji,maxResponseBytes:Ni,problemCode:"upstream_token_exchange_failed",timeoutMs:Li})}n(Gi,"defaultIdpFetchJson");function al(e){return(t,r)=>ri(t,r,{context:e,maxRedirects:Ji,maxResponseBytes:Ni,problemCode:"upstream_token_exchange_failed",timeoutMs:Li})}n(al,"defaultResourceAsFetchJson");function Ct(e){let t={[g]:e.code,[ge]:e.tokenUrl};return e.response!==void 0&&(t[he]=e.response.status),new f({message:e.message,extensionMembers:t},e.cause===void 0?void 0:{cause:e.cause})}n(Ct,"runtimeError");function Qr(e){if(!e.response.ok)throw 
Ct({code:"upstream_token_exchange_failed",message:(()=>{switch(e.stage){case"idp_refresh_token":return"IdP refresh-token grant failed while renewing the upstream ID-JAG subject token.";case"idp_token_exchange":return"IdP token exchange failed while requesting an upstream ID-JAG.";case"resource_as_jwt_bearer":return"Upstream Resource AS rejected the ID-JAG JWT-bearer exchange."}})(),tokenUrl:e.tokenUrl,response:e.response})}n(Qr,"assertTokenEndpointSucceeded");function sl(e){let t=tl.safeParse(e.json);if(!t.success)throw Ct({code:"upstream_token_response_invalid",message:"IdP refresh-token grant returned an invalid subject-token response.",tokenUrl:e.tokenUrl,response:e.response,cause:t.error});let r={idToken:t.data.id_token};return t.data.expires_in!==void 0&&(r.expiresIn=t.data.expires_in),t.data.refresh_token!==void 0&&(r.refreshToken=t.data.refresh_token),t.data.scope!==void 0&&(r.scope=t.data.scope),r}n(sl,"parseIdpRefreshTokenResponse");function cl(e){let t=el.safeParse(e.json);if(!t.success)throw Ct({code:"upstream_token_response_invalid",message:"IdP token exchange returned an invalid ID-JAG response.",tokenUrl:e.tokenUrl,response:e.response,cause:t.error});if(t.data.issued_token_type!==Rr||t.data.token_type.toLowerCase()!=="n_a")throw Ct({code:"upstream_token_response_invalid",message:"IdP token exchange response did not contain an ID-JAG assertion.",tokenUrl:e.tokenUrl,response:e.response});let r={assertion:t.data.access_token};return t.data.expires_in!==void 0&&(r.expiresIn=t.data.expires_in),t.data.scope!==void 0&&(r.scope=t.data.scope),r}n(cl,"parseIdJagTokenExchangeResponse");function dl(e){let t=rl.safeParse(e.json);if(!t.success)throw Ct({code:"upstream_token_response_invalid",message:"Upstream Resource AS returned an invalid JWT-bearer token response.",tokenUrl:e.tokenUrl,response:e.response,cause:t.error});let r={accessToken:t.data.access_token,tokenType:t.data.token_type};return t.data.expires_in!==void 
0&&(r.expiresIn=t.data.expires_in),t.data.scope!==void 0&&(r.scope=t.data.scope),t.data.resource!==void 0&&(r.resource=t.data.resource),t.data.refresh_token!==void 0&&(r.refreshToken=t.data.refresh_token),r}n(dl,"parseAccessTokenResponse");async function Fi(e){let t=new URLSearchParams({grant_type:Bt,requested_token_type:Rr,subject_token:e.subjectToken,subject_token_type:e.subjectTokenType,audience:e.audience});e.resource!==void 0&&t.set("resource",e.resource),e.scope!==void 0&&t.set("scope",e.scope),e.authorizationDetails!==void 0&&t.set("authorization_details",JSON.stringify(e.authorizationDetails));let r=e.fetchJson??Gi(e.context),{response:o,json:i}=await r(e.idp.tokenUrl,await Xr({form:t,clientAuth:e.clientAuth,tokenUrl:e.idp.tokenUrl}));return Qr({response:o,tokenUrl:e.idp.tokenUrl,stage:"idp_token_exchange"}),cl({json:i,response:o,tokenUrl:e.idp.tokenUrl})}n(Fi,"requestIdJag");async function $i(e){let t=new URLSearchParams({grant_type:"refresh_token",refresh_token:e.refreshToken}),r=e.fetchJson??Gi(e.context),{response:o,json:i}=await r(e.idp.tokenUrl,await Xr({form:t,clientAuth:e.clientAuth,tokenUrl:e.idp.tokenUrl}));return Qr({response:o,tokenUrl:e.idp.tokenUrl,stage:"idp_refresh_token"}),sl({json:i,response:o,tokenUrl:e.idp.tokenUrl})}n($i,"refreshIdpSubjectToken");async function Zi(e){let t=new URLSearchParams({grant_type:_e,assertion:e.assertion});e.resource!==void 0&&t.set("resource",e.resource),e.scope!==void 0&&t.set("scope",e.scope);let r=e.fetchJson??al(e.context),{response:o,json:i}=await r(e.resourceAs.tokenUrl,await Xr({form:t,clientAuth:e.clientAuth,tokenUrl:e.resourceAs.tokenUrl}));return Qr({response:o,tokenUrl:e.resourceAs.tokenUrl,stage:"resource_as_jwt_bearer"}),dl({json:i,response:o,tokenUrl:e.resourceAs.tokenUrl})}n(Zi,"exchangeIdJagForAccessToken");function ul(e){return!e||e.status!=="active"||!e.encryptedAccessToken?!1:e.expiresAt?new Date(e.expiresAt).getTime()>Date.now():!0}n(ul,"hasUsableAccessToken");function 
ll(e){if(e.tokenType.toLowerCase()!=="bearer")throw new f({message:"Upstream Resource AS returned a token type the MCP gateway cannot send as a bearer token.",extensionMembers:{[g]:"upstream_token_response_invalid"}})}n(ll,"assertBearerToken");function pl(e,t){if(t===He)return!1;let r=e?.metadata?.idpSubjectTokenExpiresAt;return r!==void 0&&new Date(r).getTime()<=Date.now()}n(pl,"hasExpiredSubjectToken");async function ml(e){let t=await Ie(e.encryptedSubjectToken);if(e.subjectTokenType!==He)return{connection:e.connection,subjectToken:t,subjectTokenType:e.subjectTokenType};let r=await $i({idp:e.idp,refreshToken:t,clientAuth:e.clientAuth,context:e.context});return r.refreshToken===void 0?{connection:e.connection,subjectToken:r.idToken,subjectTokenType:ot}:{connection:await b().upsertUpstreamConnection({id:e.connection.id,ownerMode:e.connection.ownerMode,subjectId:e.connection.subjectId,upstreamServerId:e.connection.upstreamServerId,authProfileId:e.connection.authProfileId,status:"active",encryptedAccessToken:e.connection.encryptedAccessToken,encryptedRefreshToken:e.connection.encryptedRefreshToken,scopes:e.connection.scopes,expiresAt:e.connection.expiresAt,metadata:{...e.connection.metadata??{},encryptedIdpSubjectToken:await ue(r.refreshToken),idpSubjectTokenType:He,idpSubjectTokenExpiresAt:void 0}}),subjectToken:r.idToken,subjectTokenType:ot}}n(ml,"resolveIdJagSubjectToken");async function Ki(e){let t="preloadedConnection"in e?e.preloadedConnection:(await b().batchGetUpstreamConnections([{owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId}]))[0];if(!e.forceRefresh&&ul(t))return{kind:"authorized",credential:{type:"bearer_token",token:await Ie(t.encryptedAccessToken)}};let r=t?.metadata?.encryptedIdpSubjectToken,o=t?.metadata?.idpSubjectTokenType;if(t?.status!=="active"||r===void 0||o===void 
0||pl(t,o))return{kind:"connect_required",payload:{state:"admin_connect_required",upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,operationId:e.operationId,message:`An IdP subject-token binding is required for ${e.upstreamDisplayName} before this tool can use XAA / ID-JAG.`,nextAction:"admin_setup_required"}};let i=we(e.upstreamServerId),a=Xo(e.upstreamServerId,e.authProfileId),c=a.resourceAs.resource??i.transport.baseUrl,s=e.requestedScope??(a.scopes.length===0?void 0:a.scopes.join(a.scopeDelimiter)),u=await ml({connection:t,encryptedSubjectToken:r,subjectTokenType:o,idp:{tokenUrl:a.idp.tokenUrl},clientAuth:a.idp.clientAuth,context:e.context}),p=await Fi({idp:{tokenUrl:a.idp.tokenUrl},subjectToken:u.subjectToken,subjectTokenType:u.subjectTokenType,audience:a.resourceAs.audience,resource:c,scope:s,clientAuth:a.idp.clientAuth,context:e.context}),h=p.scope??s,y=await Zi({resourceAs:{tokenUrl:a.resourceAs.tokenUrl},assertion:p.assertion,resource:c,scope:h,clientAuth:a.resourceAs.clientAuth,context:e.context});if(ll(y),t!==void 0){let T=y.scope??h;await b().upsertUpstreamConnection({id:u.connection.id,ownerMode:u.connection.ownerMode,subjectId:u.connection.subjectId,upstreamServerId:u.connection.upstreamServerId,authProfileId:u.connection.authProfileId,status:"active",encryptedAccessToken:await ue(y.accessToken),encryptedRefreshToken:u.connection.encryptedRefreshToken,scopes:T?.split(/[,\s]+/).filter(Boolean)??[],expiresAt:y.expiresIn===void 0?void 0:I(new Date(Date.now()+y.expiresIn*1e3)),metadata:u.connection.metadata})}return{kind:"authorized",credential:{type:"bearer_token",token:y.accessToken}}}n(Ki,"authorizeUpstreamIdJagRequest");function fl(e){return or(new URL(e.callbackPath,U(e.requestUrl,e.requestHeaders))).toString()}n(fl,"buildGatewayOAuthRedirectUri");async function Wi(e){let 
t=we(e.upstreamServerId),r=Le(e.upstreamServerId,e.authProfileId),o=fl({callbackPath:r.redirectPath,requestUrl:e.request.url,requestHeaders:e.request.headers}),i="preloadedConnection"in e?e.preloadedConnection:(await b().batchGetUpstreamConnections([{owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId}]))[0];return{upstreamServerConfig:t,connection:i,providerInput:{target:{owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,operationId:e.operationId,returnTo:e.returnTo},redirectUri:o,returnOrigin:U(e.request.url,e.request.headers)}}}n(Wi,"prepareUpstreamOAuthRequest");async function Vi(e){let t=await Wi(e),r=new Pe({...t.providerInput,...t.connection?.metadata===void 0?{}:{connectionMetadata:t.connection.metadata}});return zi(r,{upstreamServerId:e.upstreamServerId,serverUrl:t.upstreamServerConfig.transport.baseUrl,resourceMetadataUrl:t.upstreamServerConfig.transport.resourceMetadataUrl})}n(Vi,"startUpstreamConnect");async function Yi(e){let t=await Wi(e),r=new Pe({...t.providerInput,...t.connection===void 0?{}:{connection:t.connection}});return ji({target:e,provider:r,connection:t.connection,forceRefresh:e.forceRefresh,requestedScope:e.requestedScope,upstreamDisplayName:t.upstreamServerConfig.displayName,serverUrl:t.upstreamServerConfig.transport.baseUrl,resourceMetadataUrl:t.upstreamServerConfig.transport.resourceMetadataUrl})}n(Yi,"authorizeUpstreamRequest");async function Fe(e){let{routeAuth:t}=e;switch(t.authMode){case"shared-oauth":case"user-oauth":return Yi({request:e.request,owner:t.owner,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,operationId:t.operationId,forceRefresh:e.forceRefresh,requestedScope:e.requestedScope,...e.preloadedConnection===void 0?{}:{preloadedConnection:e.preloadedConnection},returnTo:t.returnTo});case"id-jag":return 
Ki({request:e.request,context:e.context,authMode:t.authMode,ownerMode:t.ownerMode,owner:t.owner,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,operationId:t.operationId,upstreamDisplayName:t.upstreamDisplayName,forceRefresh:e.forceRefresh,requestedScope:e.requestedScope,...e.preloadedConnection===void 0?{}:{preloadedConnection:e.preloadedConnection},returnTo:t.returnTo})}let r=t;throw new W(`Unsupported upstream auth route context ${JSON.stringify(r)}.`)}n(Fe,"resolveUpstreamCredentialForRoute");async function Xi(e){if(e.connectRequest.authMode==="id-jag")throw new W(`Upstream server ${e.connectRequest.upstreamServerId} uses XAA / ID-JAG and does not support browser OAuth connection flows.`);let t=await Vi({request:e.request,owner:e.connectRequest.owner,initiatedBySubjectId:e.connectRequest.initiatedBySubjectId,upstreamServerId:e.connectRequest.upstreamServerId,authProfileId:e.connectRequest.authProfileId,operationId:e.connectRequest.operationId,returnTo:e.connectRequest.returnTo});return{authProfileId:e.connectRequest.authProfileId,authUrl:t,initiatedBySubjectId:e.connectRequest.initiatedBySubjectId,owner:e.connectRequest.owner,upstreamDisplayName:e.connectRequest.upstreamDisplayName,operationId:e.connectRequest.operationId}}n(Xi,"startUpstreamConnectForRequest");async function Qi(e){let r=(await rr(e.callbackRequest.state)).authProfileId;if(Qt({upstreamServerId:e.callbackRequest.upstreamServerId,authProfileId:r}).mode==="id-jag")throw new W(`Upstream server ${e.callbackRequest.upstreamServerId} uses XAA / ID-JAG and does not support OAuth callbacks.`);return Hi({request:e.request,upstreamServerId:e.callbackRequest.upstreamServerId,authorizationCode:e.callbackRequest.code,stateToken:e.callbackRequest.state,upstreamServerConfig:we(e.callbackRequest.upstreamServerId)})}n(Qi,"finishUpstreamCallbackForRequest");function 
hl(e){return{upstreamServerId:e.connection.upstreamServerId,operationId:e.operationId,authProfileId:e.connection.authProfileId,upstreamDisplayName:e.connection.displayName,authMode:e.connection.authMode,ownerMode:e.connection.ownerMode}}n(hl,"buildRouteAuthBaseFromConnection");function ea(e){return{upstreamServerId:e.connection.id,operationId:e.operationId,authProfileId:oo(e.connection.id,e.connection.authMode),upstreamDisplayName:e.connection.displayName,authMode:e.connection.authMode,ownerMode:e.connection.ownerMode}}n(ea,"buildRouteAuthBaseFromPolicyOptions");function ir(e,t){let o=V().byOperationId.get(t);if(!o)throw new j(`Unknown MCP route "${t}". Ensure routes.oas.json declares this operationId before starting an upstream connection flow.`);if(o.connection===void 0)throw new j(`MCP route "${t}" does not declare an MCP token exchange policy. Add one before starting an upstream connection flow.`);if(o.connection.upstreamServerId!==e)throw new j(`MCP route "${t}" does not bind upstream "${e}". 
Check the route's MCP upstream policies and bind the upstream before starting an upstream connection flow.`);return hl({connection:o.connection,operationId:t})}n(ir,"resolveRouteAuthBase");function en(e,t){switch(e){case"user":return ze(t);case"shared":return ro()}}n(en,"buildOwnerForSubject");function $e(e,t){switch(e.authMode){case"shared-oauth":return{...e,authMode:"shared-oauth",ownerMode:"shared",owner:en("shared",t),initiatedBySubjectId:t};case"user-oauth":return{...e,authMode:"user-oauth",ownerMode:"user",owner:en("user",t),initiatedBySubjectId:t};case"id-jag":return{...e,authMode:"id-jag",ownerMode:"user",owner:en("user",t),initiatedBySubjectId:t}}}n($e,"resolveRouteAuthForSubject");var gl=tt.InvalidRequest,yl=new Set(["connection","keep-alive","proxy-authenticate","te","trailer","transfer-encoding","upgrade"]);function _l(e,t){return{credentialType:e.type,forceRefresh:t}}n(_l,"buildCredentialResolvedAttributes");function wl(e){switch(e){case"admin_connect_required":return"admin_connect_required";case"authenticating":return"connect_required"}}n(wl,"connectRequiredReasonCode");function ta(e){v(e.context,{eventType:C.MCP_AUTH_UPSTREAM_CREDENTIAL_RESOLVED,outcome:"success",routeBinding:e.routeBinding,attributes:_l(e.credential,e.forceRefresh===!0)})}n(ta,"emitCredentialResolvedAnalyticsEvent");function ra(e){let 
t={forceRefresh:e.forceRefresh===!0,nextAction:e.payload.nextAction,state:e.payload.state};if(v(e.context,{eventType:C.MCP_AUTH_UPSTREAM_CREDENTIAL_MISSING,outcome:"connect_required",routeBinding:e.routeBinding,reasonCode:"connect_required",reasonClass:"auth",attributes:t}),e.payload.state==="reconsent_required"){v(e.context,{eventType:C.MCP_AUTH_UPSTREAM_RECONSENT_REQUIRED,outcome:"connect_required",routeBinding:e.routeBinding,reasonCode:"reconsent_required",reasonClass:"auth",attributes:t});return}v(e.context,{eventType:C.MCP_AUTH_UPSTREAM_CONNECT_REQUIRED,outcome:"connect_required",routeBinding:e.routeBinding,reasonCode:wl(e.payload.state),reasonClass:"auth",attributes:t})}n(ra,"emitCredentialMissingAnalyticsEvents");function Rl(e){let t=e.route.raw();return Dt.parse(t?.operationId)}n(Rl,"readOperationId");async function bl(e,t,r,o){let i=await Fe({request:e,context:o,routeAuth:t});if(i.kind==="connect_required")return ra({context:o,payload:i.payload,routeBinding:t}),o.log.info({event:"mcp_upstream_connect_required",upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId},"MCP upstream proxy: upstream connection required"),{kind:"connect_required",payload:i.payload};let a=i.credential;if(ta({context:o,credential:a,routeBinding:t}),a.type==="bearer_token")return{kind:"headers",headers:[["authorization",`Bearer ${a.token}`]]};let c=await a.provider.tokens();return c?{kind:"headers",headers:[["authorization",`${c.token_type??"Bearer"} ${c.access_token}`]]}:(o.log.warn({event:"mcp_upstream_no_tokens",upstreamServerId:t.upstreamServerId},"MCP upstream proxy: OAuth provider returned no tokens"),Response.json({error:"no_upstream_tokens"},{status:401}))}n(bl,"buildCredentialHeaders");var Il=new Set(["authorization","cookie","cookie2"]);function Cl(e){if(e!==void 0)try{let t=JSON.parse(new TextDecoder().decode(e));return t&&typeof t=="object"&&!Array.isArray(t)&&"method"in t&&typeof t.method=="string"?t.method:void 
0}catch{return}}n(Cl,"readJsonRequestMethod");function Sl(e){let t=e.headers.get("content-type")??"";return/\bapplication\/(?:[\w.+-]+\+)?json\b/i.test(t)}n(Sl,"isJsonResponse");function tn(e){return e!==null&&typeof e=="object"&&!Array.isArray(e)}n(tn,"isRecord");function vl(e){return Array.isArray(e)&&e.length>0}n(vl,"hasIconList");function Al(e){if(e.connection.serverInfo?.icons!==void 0&&e.connection.serverInfo.icons.length>0)return e.connection.serverInfo.icons;try{let t=Xt(Wn(e.context.route.handler));return t===void 0?void 0:[t]}catch{return}}n(Al,"readFallbackServerIcons");function xl(e){if(!tn(e.body))return e.body;let t=e.body.result;if(!tn(t))return e.body;let r=t.serverInfo;return!tn(r)||vl(r.icons)?e.body:{...e.body,result:{...t,serverInfo:{...r,icons:e.icons}}}}n(xl,"addMissingServerIcons");function kl(e,t){let r=new Headers(e.headers);for(let o of Il)r.delete(o);for(let[o,i]of t)r.set(o,i);return new qn(e,{headers:r})}n(kl,"applyUpstreamHeaders");function Tl(e){let t=new Headers(e.headers);for(let r of yl)t.delete(r);return t}n(Tl,"buildProxyHeaders");async function Ul(e){if(!(e.method==="GET"||e.method==="HEAD"))return e.clone().arrayBuffer()}n(Ul,"readRetryBody");function na(e,t){let r=t.authUrl===void 0?void 0:Mo({message:t.message,elicitationId:["connect",t.operationId,t.upstreamServerId,t.authProfileId].join(":"),url:t.authUrl});return Response.json($t({id:qo(e),error:{code:r?.code??gl,message:t.message,data:{...r?.data??{},connectRequired:t}}}))}n(na,"connectRequiredJsonRpcResponse");async function Pl(e){let{scope:t}=Zo(e.upstreamResponse),r=await Fe({request:e.request,context:e.context,routeAuth:e.routeAuth,forceRefresh:!0,requestedScope:t});if(r.kind==="connect_required")return ra({context:e.context,payload:r.payload,routeBinding:e.routeAuth,forceRefresh:!0}),{kind:"connect_required",payload:r.payload};let o=new 
Headers(e.headers),i=r.credential;if(ta({context:e.context,credential:i,routeBinding:e.routeAuth,forceRefresh:!0}),i.type==="bearer_token")return o.set("authorization",`Bearer ${i.token}`),{kind:"headers",headers:o};let a=await i.provider.tokens();return a?(o.set("authorization",`${a.token_type??"Bearer"} ${a.access_token}`),{kind:"headers",headers:o}):(e.context.log.warn({event:"mcp_upstream_no_tokens_after_refresh",upstreamServerId:e.routeAuth.upstreamServerId},"MCP upstream proxy: OAuth provider returned no tokens after refresh"),{kind:"response",response:Response.json({error:"no_upstream_tokens"},{status:401})})}n(Pl,"applyRefreshedCredentialHeaders");function El(e){e.context.addResponseSendingHook(async(t,r)=>{if(t.status!==401)return t;let o=await Pl({request:e.request,context:e.context,headers:Tl(r),routeAuth:e.routeAuth,upstreamResponse:t});if(o.kind==="connect_required")return na(e.requestBody,o.payload);if(o.kind==="response")return o.response;let i=Vn({handler:e.context.route.handler,request:r,body:e.requestBody,headers:o.headers});return Ut.fetch(i.url,i.init)})}n(El,"installUpstreamAuthRetryHook");function Ol(e){if(Cl(e.requestBody)!=="initialize")return;let t=Al({connection:e.connection,context:e.context});t===void 0||t.length===0||e.context.addResponseSendingHook(async r=>{if(!Sl(r))return r;let o;try{o=await r.clone().json()}catch{return r}let i=xl({body:o,icons:t});if(i===o)return r;let a=new Headers(r.headers);return a.delete("content-length"),new Response(JSON.stringify(i),{status:r.status,statusText:r.statusText,headers:a})})}n(Ol,"installInitializeIconHook");async function rn(e,t,r){let o=Rl(t),i=await Ul(e),a=ea({connection:r,operationId:o}),c=Ae(e.user,e.url,e.headers);t.log.setLogProperties?.({requestId:t.requestId}),lo(t,c);let s=$e(a,c.subjectId),u=await bl(e,s,r,t);if(!(u instanceof Response)&&u.kind==="connect_required")return na(i,u.payload);if(u instanceof Response)return u;let p=kl(e,u.headers);return 
El({request:p,context:t,requestBody:i,routeAuth:s}),Ol({context:t,requestBody:i,connection:r}),p}n(rn,"mcpTokenExchangePolicy");var nn=class extends Et{static{n(this,"McpTokenExchangeInboundPolicy")}constructor(t,r){let o=io(t,r);super(o,r)}async handler(t,r){return Pt("policy.inbound.mcp-token-exchange"),rn(t,r,this.options)}};N();var oa=Symbol("Html");function ql(e){return e.replaceAll("&","&").replaceAll("<","<").replaceAll(">",">").replaceAll('"',""").replaceAll("'","'")}n(ql,"escapeHtml");function Ml(e){return e===null||typeof e!="object"?!1:e[oa]===!0}n(Ml,"isHtml");function ia(e){return e==null||e===!1?"":Array.isArray(e)?e.map(ia).join(""):Ml(e)?e.value:ql(String(e))}n(ia,"renderValue");function le(e){return{[oa]:!0,value:e}}n(le,"trustedHtml");var Y=le("");function S(e,...t){let r=e[0]??"";for(let o=0;o<t.length;o+=1)r+=ia(t[o]),r+=e[o+1]??"";return le(r)}n(S,"html");function Ze(e){return e.value}n(Ze,"renderHtml");function aa(e){return S`<p class="card__description">${e.detail}</p>${e.guidance} ${e.technicalDetails} ${e.action}`}n(aa,"renderBrowserErrorPage");var Ke=le('*,:before,:after{box-sizing:border-box}:root{--bg:#f5f6f8;--surface:#fff;--surface-2:#f8fafc;--border:#e5e7eb;--border-strong:#d1d5db;--text:#0f172a;--text-2:#475569;--text-3:#64748b;--text-muted:#94a3b8;--accent:#0f172a;--accent-hover:#1e293b;--accent-text:#fff;--focus-ring:#0f172a29;--danger:#b91c1c;--danger-bg:#b91c1c0f;--danger-border:#b91c1c38;--warning:#92400e;--warning-bg:#fffbeb;--warning-border:#fde68a;--success:#15803d;--success-bg:#f0fdf4;--success-border:#bbf7d0;--radius-sm:4px;--radius:8px;--radius-lg:12px;--radius-pill:9999px;--shadow-sm:0 1px 2px #0f172a0d;--shadow:0 1px 2px #0f172a0a,0 6px 16px #0f172a0f;--font-sans:-apple-system,BlinkMacSystemFont,"Segoe UI",Inter,system-ui,sans-serif;--font-mono:ui-monospace,SFMono-Regular,"SF Mono",Menlo,Monaco,Consolas,monospace}@media 
(prefers-color-scheme:dark){:root{--bg:#0a0c10;--surface:#15171c;--surface-2:#1e2128;--border:#262932;--border-strong:#3a3e48;--text:#fafafa;--text-2:#cbd5e1;--text-3:#94a3b8;--text-muted:#71717a;--accent:#fafafa;--accent-hover:#e4e4e7;--accent-text:#0a0c10;--focus-ring:#fafafa2e;--danger:#f87171;--danger-bg:#f8717114;--danger-border:#f871714d;--warning:#fbbf24;--warning-bg:#fbbf2414;--warning-border:#fbbf2447;--success:#34d399;--success-bg:#34d39914;--success-border:#34d3994d;--shadow-sm:0 1px 2px #0006;--shadow:0 1px 2px #0006,0 8px 24px #0006}}html,body{margin:0;padding:0}body{font-family:var(--font-sans);background:var(--bg);color:var(--text);-webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale;flex-direction:column;justify-content:center;align-items:center;min-height:100dvh;padding:48px 20px;font-size:14px;line-height:1.5;display:flex}.card{background:var(--surface);border:1px solid var(--border);border-radius:var(--radius-lg);width:100%;max-width:480px;box-shadow:var(--shadow);overflow:hidden}.card__head{text-align:center;padding:32px 32px 24px}.card__icon{border-radius:var(--radius);background:var(--surface-2);object-fit:contain;border:1px solid var(--border);width:48px;height:48px;margin:0 auto 16px;display:block}.card__title{letter-spacing:-.01em;color:var(--text);margin:0;font-size:20px;font-weight:600;line-height:1.3}.card__subtitle{color:var(--text-2);margin:8px 0 0;font-size:14px;line-height:1.55}.card__subtitle strong{color:var(--text);font-weight:600}.card__description{color:var(--text-3);margin:12px 0 0;font-size:13px;line-height:1.55}.card__principal{color:var(--text-3);background:var(--surface-2);border-radius:var(--radius-pill);text-overflow:ellipsis;white-space:nowrap;align-items:center;gap:6px;max-width:100%;margin:16px 0 0;padding:4px 12px;font-size:12.5px;display:inline-flex;overflow:hidden}.card__body{flex-direction:column;gap:20px;padding:8px 32px 24px;display:flex}.card__head+.card__body{border-top:1px solid 
var(--border);padding-top:24px}.card__footer{border-top:1px solid var(--border);background:var(--surface-2);flex-wrap:wrap;justify-content:flex-end;align-items:center;gap:8px;padding:16px 24px;display:flex}.card__fineprint{color:var(--text-3);text-align:center;margin:0;font-size:12.5px;line-height:1.5}.card__fineprint strong{color:var(--text-2);font-weight:600}.section-label{text-transform:uppercase;letter-spacing:.07em;color:var(--text-3);align-items:baseline;gap:6px;margin:0;font-size:11px;font-weight:600;display:flex}.section-label__count{color:var(--text-3);letter-spacing:0;font-weight:500}.banner{border-radius:var(--radius);border:1px solid;align-items:flex-start;gap:10px;padding:12px 14px;font-size:13px;display:flex}.banner__icon{flex-shrink:0;justify-content:center;align-items:center;width:16px;height:16px;margin-top:1px;display:inline-flex}.banner__body{flex-direction:column;flex:1;gap:2px;min-width:0;display:flex}.banner__title{color:var(--text);margin:0;font-size:13px;font-weight:600}.banner__message{color:var(--text-2);margin:0;font-size:13px;line-height:1.5}.banner--warning{background:var(--warning-bg);border-color:var(--warning-border)}.banner--warning .banner__icon{color:var(--warning)}.banner--alert{background:var(--danger-bg);border-color:var(--danger-border)}.banner--alert .banner__icon,.banner--alert .banner__title{color:var(--danger)}.upstream-list{flex-direction:column;gap:8px;margin:0;padding:0;list-style:none;display:flex}.upstream-card{background:var(--surface);border:1px solid var(--border);border-radius:var(--radius);flex-direction:column;gap:10px;padding:14px;display:flex}.upstream-card--needs-action{border-color:var(--warning-border);background:var(--warning-bg)}.upstream-card__head{align-items:flex-start;gap:10px;display:flex}.icon-frame{border-radius:var(--radius-sm);border:1px solid 
var(--border);background:var(--surface-2);width:32px;height:32px;color:var(--text-3);flex-shrink:0;justify-content:center;align-items:center;display:inline-flex;overflow:hidden}.icon-frame img{object-fit:contain;max-width:100%;max-height:100%}.icon-frame--fallback svg{width:18px;height:18px}.inline-icon{object-fit:contain;vertical-align:-2px;border-radius:2px;width:14px;height:14px;margin-right:4px}.upstream-card__main{flex-direction:column;flex:1;gap:3px;min-width:0;display:flex}.upstream-card__title-row{justify-content:space-between;align-items:center;gap:10px;min-width:0;display:flex}.upstream-card__title{color:var(--text);letter-spacing:-.005em;text-overflow:ellipsis;white-space:nowrap;flex:1;min-width:0;margin:0;font-size:14px;font-weight:600;line-height:1.3;overflow:hidden}.upstream-card__meta{color:var(--text-3);flex-wrap:wrap;align-items:center;gap:6px;font-size:12px;display:flex}.upstream-card__host{font-family:var(--font-mono);background:var(--surface-2);color:var(--text-2);border-radius:var(--radius-sm);padding:1px 6px;font-size:11.5px}.upstream-card__sep{color:var(--border-strong)}.upstream-card__description{color:var(--text-2);margin:4px 0 0;font-size:12.5px;line-height:1.5}.status-badge{border-radius:var(--radius-pill);white-space:nowrap;border:1px solid #0000;flex-shrink:0;align-items:center;gap:6px;padding:2px 8px;font-size:11.5px;font-weight:600;display:inline-flex}.status-badge:before{content:"";background:currentColor;border-radius:50%;flex-shrink:0;width:5px;height:5px}.status-badge--success{background:var(--success-bg);color:var(--success);border-color:var(--success-border)}.status-badge--warning{background:var(--warning-bg);color:var(--warning);border-color:var(--warning-border)}.status-badge--neutral{background:var(--surface-2);color:var(--text-2);border-color:var(--border)}.upstream-card__capabilities,.upstream-card__scopes{border-top:1px solid 
var(--border);margin-top:2px;padding-top:10px}.upstream-card__capabilities--empty{color:var(--text-3);font-size:12px;font-style:italic}.capabilities-summary,.scopes-summary{cursor:pointer;user-select:none;color:var(--text-2);justify-content:space-between;align-items:center;gap:12px;padding:2px 0;font-size:12.5px;list-style:none;display:flex}.capabilities-summary::-webkit-details-marker,.scopes-summary::-webkit-details-marker{display:none}.capabilities-summary:hover,.scopes-summary:hover{color:var(--text)}.capabilities-summary:focus-visible,.scopes-summary:focus-visible{outline:2px solid var(--accent);outline-offset:2px;border-radius:var(--radius-sm)}.capabilities-summary__counts{flex-wrap:wrap;align-items:center;gap:12px;display:flex}.count-pill{color:var(--text-2);align-items:baseline;gap:4px;font-size:12.5px;display:inline-flex}.count-pill__num{font-variant-numeric:tabular-nums;color:var(--text);font-size:13px;font-weight:600}.count-pill--destructive .count-pill__num,.count-pill--destructive .count-pill__label{color:var(--danger)}.capabilities-summary__chevron{color:var(--text-3);flex-shrink:0;transition:transform .15s;display:inline-flex}details[open]>.capabilities-summary .capabilities-summary__chevron,details[open]>.scopes-summary .capabilities-summary__chevron{transform:rotate(180deg)}.capabilities-detail{margin-top:10px}.capability-section{margin-top:14px}.capability-section:first-child{margin-top:6px}.capability-section__title{text-transform:uppercase;letter-spacing:.07em;color:var(--text-3);margin:0 0 6px;font-size:11px;font-weight:600}.capability-list{flex-direction:column;gap:5px;margin:0;padding:0;font-size:12.5px;list-style:none;display:flex}.capability-row{flex-wrap:wrap;align-items:baseline;gap:6px;padding:2px 0;display:flex}.capability-row__name{font-weight:500;font-family:var(--font-mono);color:var(--text);font-size:12.5px}.capability-row__description{color:var(--text-3);flex-basis:100%;font-size:12px;line-height:1.45}.capability-row__description 
code{font-family:var(--font-mono);background:var(--surface-2);border-radius:var(--radius-sm);color:var(--text-2);padding:1px 4px}.capability-row--more{color:var(--text-3);font-size:12px;font-style:italic}.scopes-list{flex-wrap:wrap;gap:4px;margin-top:8px;display:flex}.scope-chip{font-family:var(--font-mono);background:var(--surface-2);color:var(--text-2);border-radius:var(--radius-sm);border:1px solid var(--border);padding:2px 7px;font-size:11.5px}.badge{border-radius:var(--radius-sm);letter-spacing:.04em;text-transform:uppercase;align-items:center;padding:1px 5px;font-size:10px;font-weight:600;display:inline-flex}.badge--destructive{background:var(--danger-bg);color:var(--danger)}.badge--muted{background:var(--surface-2);color:var(--text-3)}.badge-row{flex-wrap:wrap;gap:4px;display:inline-flex}.muted{color:var(--text-3)}.button{font:inherit;border-radius:var(--radius);cursor:pointer;white-space:nowrap;border:1px solid #0000;justify-content:center;align-items:center;gap:6px;min-height:40px;padding:8px 16px;font-size:14px;font-weight:500;text-decoration:none;transition:background .12s,border-color .12s,color .12s,box-shadow .12s,transform 40ms;display:inline-flex}.button:active{transform:translateY(1px)}.button:focus-visible{box-shadow:0 0 0 3px var(--focus-ring);outline:0}.button--small{padding:5px 
10px;font-size:12.5px}.button--primary{background:var(--accent);color:var(--accent-text);border-color:var(--accent)}.button--primary:hover:not(:disabled):not([aria-disabled=true]){background:var(--accent-hover);border-color:var(--accent-hover)}.button:disabled,.button[aria-disabled=true]{cursor:not-allowed;opacity:.55}.button:disabled:hover,.button[aria-disabled=true]:hover{background:var(--accent);border-color:var(--accent)}.button--secondary{background:var(--surface);color:var(--text);border-color:var(--border-strong)}.button--secondary:hover{background:var(--surface-2);border-color:var(--border-strong)}.button--block{width:100%}.reconnect-action{align-items:center;margin-right:auto;display:inline-flex;position:relative}.reconnect-button{gap:7px}.tooltip{width:16px;height:16px;color:var(--accent);background:color-mix(in srgb,var(--accent)8%,transparent);cursor:help;border:1.5px solid;border-radius:50%;justify-content:center;align-items:center;font-size:10.5px;font-weight:700;line-height:1;display:inline-flex;position:relative}.tooltip:after{content:attr(aria-label);z-index:10;border-radius:var(--radius-sm);background:var(--accent);width:280px;max-width:min(280px,100vw - 48px);color:var(--accent-text);box-shadow:var(--shadow);text-align:left;white-space:normal;opacity:0;pointer-events:none;padding:12px 14px;font-size:13px;font-weight:600;line-height:1.45;transition:opacity .12s;position:absolute;bottom:calc(100% + 12px);left:50%;transform:translate(-50%)}.tooltip:before{content:"";z-index:11;border-left:7px solid #0000;border-right:7px solid #0000;border-top:8px solid var(--accent);opacity:0;pointer-events:none;transition:opacity .12s;position:absolute;bottom:calc(100% + 5px);left:50%;transform:translate(-50%)}.tooltip:hover:after,.tooltip:hover:before,.tooltip:focus-visible:after,.tooltip:focus-visible:before{opacity:1}.form{flex-direction:column;gap:6px;display:flex}.form__label{color:var(--text);margin:8px 0 
0;font-size:13px;font-weight:600;display:block}.form__label:first-child{margin-top:0}.form__input{box-sizing:border-box;border:1px solid var(--border-strong);border-radius:var(--radius);width:100%;font:inherit;background:var(--surface);color:var(--text);padding:9px 12px;font-size:14px;transition:border-color .12s,box-shadow .12s}.form__input:focus{border-color:var(--accent);box-shadow:0 0 0 3px var(--focus-ring);outline:0}.form__note{color:var(--text-3);margin:4px 0 0;font-size:12.5px;line-height:1.5}.form__submit{margin-top:8px}.empty{text-align:center;color:var(--text-3);border:1px dashed var(--border);border-radius:var(--radius);background:var(--surface);padding:24px 16px;font-size:13px}.actions{gap:8px;margin:0;display:flex}@media (width<=480px){body{padding:0}.card{box-shadow:none;border-left:0;border-right:0;border-radius:0;min-height:100dvh}.card__head{padding:24px 20px 16px}.card__body{padding:16px 20px}.card__footer{flex-direction:column-reverse;align-items:stretch;padding:14px 20px}.card__footer .button{width:100%}.reconnect-action{justify-content:center;width:100%;margin-right:0}.reconnect-action .button{flex:1}.tooltip:after{left:auto;right:0;transform:none}}@media (prefers-reduced-motion:reduce){*{transition:none!important}}');function We(e){return S`<!doctype html><html lang="en"><head><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1" /><meta name="referrer" content="no-referrer" /><meta name="robots" content="noindex" /><title>${e.title}</title><link rel="icon" href="${e.iconHref}" /><style>
|
|
26
27
|
${e.styles}
|
|
27
|
-
</style></head><body><main class="card"><header class="card__head">${e.headerIcon}<h1 class="card__title">${e.heading}</h1>${e.subhead}</header><div class="card__body">${e.body}</div>${e.footer}</main></body></html>`}n(
|
|
28
|
-
`);return
|
|
28
|
+
</style></head><body><main class="card"><header class="card__head">${e.headerIcon}<h1 class="card__title">${e.heading}</h1>${e.subhead}</header><div class="card__body">${e.body}</div>${e.footer}</main></body></html>`}n(We,"renderShell");var Dl="text/html; charset=utf-8";function Ve(e){try{return new URL(e).host}catch{return""}}n(Ve,"safeHostFromUrl");function te(e){let t=jl(e.kind??"authorization_failed"),r=zl(e);return new Response(Ze(We({title:e.title??t.title,iconHref:"",styles:Ke,headerIcon:Y,heading:e.title??t.title,subhead:"",body:aa({detail:e.detail,guidance:S`<p class="card__description">${t.guidance}</p>`,technicalDetails:Jl({diagnostic:r,upstreamHtml:e.upstreamHtml}),action:Ll(e.action)}),footer:""})),{status:e.status??400,headers:{"content-type":Dl,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"}})}n(te,"browserErrorPageResponse");function zl(e){let t=e.diagnostic?.code??e.code??"unknown";return{code:t,stage:e.diagnostic?.stage??Hl(t),timestamp:e.diagnostic?.timestamp??new Date().toISOString(),...e.requestId===void 0&&e.diagnostic?.requestId===void 0?{}:{requestId:e.diagnostic?.requestId??e.requestId},...e.diagnostic?.operationId===void 0?{}:{operationId:e.diagnostic.operationId},...e.diagnostic?.routePath===void 0?{}:{routePath:e.diagnostic.routePath},...e.diagnostic?.upstreamServerId===void 0?{}:{upstreamServerId:e.diagnostic.upstreamServerId},...e.diagnostic?.authProfileId===void 0?{}:{authProfileId:e.diagnostic.authProfileId},...e.diagnostic?.upstreamUrl===void 0?{}:{upstreamUrl:e.diagnostic.upstreamUrl},...e.diagnostic?.metadataUrl===void 0?{}:{metadataUrl:e.diagnostic.metadataUrl},...e.diagnostic?.httpStatus===void 0?{}:{httpStatus:e.diagnostic.httpStatus},...e.diagnostic?.contentType===void 0?{}:{contentType:e.diagnostic.contentType},...e.diagnostic?.providerError===void 0?{}:{providerError:e.diagnostic.providerError},...e.diagnostic?.providerErrorDescription===void 
0?{}:{providerErrorDescription:e.diagnostic.providerErrorDescription},suggestedFix:e.diagnostic?.suggestedFix??Bl(t),underlyingError:e.diagnostic?.underlyingError??e.developerDetail}}n(zl,"buildBrowserErrorDiagnostic");function jl(e){switch(e){case"session_expired":return{title:"Authorization expired",guidance:"Return to your MCP client and reconnect. Expired authorization requests cannot be resumed."};case"access_denied":return{title:"Authorization canceled",guidance:"Return to your MCP client to retry if you want to grant access."};case"configuration_error":return{title:"Configuration needs attention",guidance:"Contact your workspace admin with this error code. The gateway or upstream configuration must be fixed before retrying."};case"connection_failed":return{title:"Connection failed",guidance:"Return to your MCP client and reconnect this upstream. If this keeps happening, contact your gateway administrator with this error code."};case"invalid_request":return{title:"Authorization request invalid",guidance:"Return to your MCP client and try connecting again. If this keeps happening, the client request may need to be fixed."};case"admin_required":return{title:"Admin setup required",guidance:"Contact your workspace admin with this error code. This connection cannot be completed until setup is finished."};case"internal_error":return{title:"Gateway error",guidance:"Try again later from your MCP client. If this keeps happening, contact your gateway administrator with this error code."};case"authorization_failed":return{title:"Authorization failed",guidance:"Return to your MCP client and start authorization again. 
If this keeps happening, contact your gateway administrator with this error code."}}}n(jl,"readBrowserErrorPagePresentation");function Hl(e){switch(e){case"upstream_oauth_discovery_unavailable":return"upstream_oauth_discovery";case"upstream_client_registration_required":return"upstream_oauth_client_registration";case"upstream_provider_access_denied":case"upstream_token_exchange_failed":case"upstream_token_response_invalid":return"upstream_token_exchange";case"provider_access_denied":return"upstream_oauth_callback";case"oauth_state_invalid":case"oauth_state_expired":case"oauth_state_reused":case"oauth_callback_mismatch":return"upstream_oauth_state";case"browser_login_verification_failed":return"downstream_browser_login";case"authentication_required":case"identity_context_missing":return"downstream_auth";case"mcp_route_not_enabled":case"unknown_upstream_server":case"unknown_mcp_route":case"unknown_auth_profile":case"mcp_route_upstream_mismatch":return"gateway_configuration";case"server_error":case"internal_server_error":return"gateway_internal";default:return"gateway_request"}}n(Hl,"readBrowserErrorStage");function Bl(e){switch(e){case"upstream_oauth_discovery_unavailable":return"Confirm the upstream MCP URL and OAuth protected resource metadata. If the provider requires approval, configure the provider app or contact the provider.";case"upstream_client_registration_required":return"Register an OAuth client with the upstream provider, then configure the gateway to use that client before retrying.";case"upstream_provider_access_denied":return"Confirm the provider allows this gateway, OAuth client, and upstream MCP URL, then retry the connection.";case"upstream_token_exchange_failed":return"Retry the connection. 
If it repeats, verify the upstream OAuth client, redirect URI, token endpoint, and provider allowlist.";case"upstream_token_response_invalid":return"Verify the upstream token endpoint returns a valid OAuth token response for this gateway client.";case"provider_access_denied":return"Start the connection again if access was denied by mistake. Otherwise, grant the requested upstream provider access.";case"oauth_state_invalid":case"oauth_state_expired":case"oauth_state_reused":case"oauth_callback_mismatch":return"Start a new connection from the MCP client. The previous browser authorization request cannot be resumed.";case"browser_login_verification_failed":return"Retry the browser login flow. If it repeats, verify the downstream login callback configuration.";case"mcp_route_not_enabled":case"unknown_upstream_server":case"unknown_mcp_route":case"unknown_auth_profile":case"mcp_route_upstream_mismatch":return"Check the MCP route, upstream server, and auth profile entries in the gateway configuration.";case"authentication_required":case"identity_context_missing":return"Verify the normal Zuplo auth policy runs before the MCP gateway policy and sets request.user.";case"server_error":case"internal_server_error":return"Retry later and check gateway logs with the request ID.";default:return"Check the gateway configuration and request details associated with this error code."}}n(Bl,"readBrowserErrorSuggestedFix");function Ll(e){return e===void 0?Y:S`<a class="button button--primary button--block" href="${e.href}">${e.label}</a>`}n(Ll,"renderAction");function Nl(e){let t=[["Error code",e.code],["Stage",e.stage],["Request ID",e.requestId],["Time",e.timestamp],["Gateway route",e.routePath],["Operation ID",e.operationId],["Upstream",e.upstreamServerId],["Auth profile",e.authProfileId],["Upstream URL",e.upstreamUrl],["Metadata URL",e.metadataUrl],["HTTP status",e.httpStatus],["Content type",e.contentType],["Provider error",e.providerError],["Provider error 
description",e.providerErrorDescription],["Suggested fix",e.suggestedFix],["Underlying error",e.underlyingError]].filter(r=>r[1]!==void 0).map(([r,o])=>`${r}: ${o}`).join(`
|
|
29
|
+
`);return S`<pre class="banner__message" style="white-space: pre-wrap; overflow-wrap: anywhere; margin-top: 8px;"><code>${t}</code></pre>`}n(Nl,"renderTechnicalPre");function ar(e){return e.value===void 0||e.value===""?Y:S`<p class="banner__message"><strong>${e.label}:</strong> <code>${e.value}</code></p>`}n(ar,"renderOptionalTechnicalRow");function Jl(e){return S`<section class="banner banner--warning" aria-label="Developer details">
|
|
29
30
|
<span class="banner__icon" aria-hidden="true">!</span>
|
|
30
31
|
<div class="banner__body">
|
|
31
32
|
<p class="banner__title">Developer details</p>
|
|
32
33
|
<p class="banner__message" data-gateway-error-code="${e.diagnostic.code}">
|
|
33
34
|
<strong>Error code:</strong> <code>${e.diagnostic.code}</code>
|
|
34
35
|
</p>
|
|
35
|
-
${
|
|
36
|
-
${
|
|
37
|
-
${
|
|
38
|
-
${
|
|
39
|
-
${
|
|
40
|
-
${
|
|
36
|
+
${ar({label:"Stage",value:e.diagnostic.stage})}
|
|
37
|
+
${ar({label:"Request ID",value:e.diagnostic.requestId})}
|
|
38
|
+
${ar({label:"Suggested fix",value:e.diagnostic.suggestedFix})}
|
|
39
|
+
${ar({label:"Reason",value:e.diagnostic.underlyingError})}
|
|
40
|
+
${Nl(e.diagnostic)}
|
|
41
|
+
${Gl(e.upstreamHtml)}
|
|
41
42
|
</div>
|
|
42
|
-
</section>`}n(
|
|
43
|
+
</section>`}n(Jl,"renderTechnicalDetails");function Gl(e){return e===void 0?Y:S`<iframe
|
|
43
44
|
title="Upstream HTML error response"
|
|
44
45
|
sandbox
|
|
45
46
|
srcdoc="${e}"
|
|
46
47
|
style="border: 1px solid var(--warning-border); border-radius: var(--radius-sm); background: white; width: 100%; min-height: 220px; margin-top: 8px;"
|
|
47
|
-
></iframe>`}n(dl,"renderUpstreamHtml");var ji="application/json",ul="application/x-www-form-urlencoded";function Yt(e,t){return new h({message:e,extensionMembers:{[g]:"invalid_request"}},t===void 0?void 0:{cause:t})}n(Yt,"invalidRequestError");function ll(e){return(e??"").split(";")[0]?.trim().toLowerCase()??""}n(ll,"normalizeContentType");function pl(e,t){return e===t?!0:t===ji&&e.endsWith("+json")}n(pl,"contentTypeMatches");function ml(e,t){if(!t||t.length===0)return;let r=ll(e.headers.get("content-type"));if(!t.some(o=>pl(r,o)))throw Yt(`Request body must be ${t.join(" or ")}.`)}n(ml,"assertExpectedContentType");function fl(e,t,r){let o=e.headers.get("content-length");if(!o)return;let i=Number.parseInt(o,10);if(Number.isFinite(i)&&i>t)throw Yt(`${r} exceeded the maximum allowed size.`)}n(fl,"assertContentLengthWithinLimit");async function Ni(e,t){let r=t.label??"Request body";ml(e,t.expectedContentTypes),fl(e,t.maxBytes,r);let o=await Gt(e.body,{maxBytes:t.maxBytes,createLimitError:n(()=>Yt(`${r} exceeded the maximum allowed size.`),"createLimitError")});return new TextDecoder().decode(o)}n(Ni,"readBoundedTextBody");async function Gi(e,t){let r=await Ni(e,{...t,expectedContentTypes:[ji]});try{return JSON.parse(r)}catch(o){throw Yt("Request body must be valid JSON.",o)}}n(Gi,"readBoundedJsonBody");async function $i(e,t){let r=await Ni(e,{...t,expectedContentTypes:[ul]});return new URLSearchParams(r)}n($i,"readBoundedFormUrlEncodedBody");$();$();import{errors as Fi,jwtVerify as Zi,SignJWT as Ki}from"jose";var hl={invalid_request:400,invalid_client:401,invalid_grant:400,invalid_target:400,unsupported_grant_type:400,server_error:500,invalid_redirect_uri:400,invalid_client_metadata:400},m=class extends Error{static{n(this,"OAuthProtocolError")}errorCode;status;constructor(t,r,o=hl[t],i){super(r,i),this.name="OAuthProtocolError",this.errorCode=t,this.status=o}};var 
gl=5*60,yl=d.object({purpose:d.literal("gateway_browser_login"),transactionId:lr,stateId:pr,exp:d.number().int().positive(),iat:d.number().int().positive().optional()}),wl=d.object({purpose:d.literal("gateway_authorization_setup"),transactionId:lr,stateId:pr,exp:d.number().int().positive(),iat:d.number().int().positive().optional()});async function Ji(){return V({purpose:"browser-login",keyMaterialPurpose:"oauth-state-signing",derive:n(e=>me(e,"browser-login"),"derive")})}n(Ji,"getBrowserLoginKey");async function Wi(){return V({purpose:"authorization-csrf",keyMaterialPurpose:"oauth-state-signing",derive:n(e=>me(e,"authorization-csrf"),"derive")})}n(Wi,"getCsrfKey");function Vi(e){return{now:e.now??new Date,ttlSeconds:Yi()}}n(Vi,"readPendingTransactionDependencies");function Yi(){return D().browserLogin.stateTtlSeconds}n(Yi,"readBrowserLoginStateTtlSeconds");function _l(e){let t=M();return T(e)&&t.isActionPath(e.pathname,"/oauth/dev-login")}n(_l,"isLoopbackDevLoginUrl");function Rl(e){let t=D().browserLogin,r=M(),o=new URL(le("url")),i=new URL(r.actionPath("/oauth/callback"),Tt(e.requestUrl,e.requestHeaders));return _l(o)?(o.searchParams.set("redirect_uri",i.toString()),o.searchParams.set("state",e.state),o):(o.searchParams.set("response_type","code"),o.searchParams.set("client_id",le("clientId")),o.searchParams.set("redirect_uri",i.toString()),o.searchParams.set("scope",t.scope),o.searchParams.set("state",e.state),o.searchParams.set("nonce",e.nonce),t.audience&&o.searchParams.set("audience",t.audience),o)}n(Rl,"buildBrowserLoginUrl");function bl(e,t){return e.subjectId===t.subjectId}n(bl,"principalsMatch");function Xi(e){return{subjectId:e.subjectId,...e.roles===void 0?{}:{roles:e.roles}}}n(Xi,"toPendingPrincipal");function Qi(e){let 
t={id:e.id,currentStateHash:e.currentStateHash,clientId:e.transaction.clientId,redirectUri:e.transaction.redirectUri,resource:e.transaction.resource,operationId:e.transaction.operationId,scope:e.transaction.scope,codeChallenge:e.transaction.codeChallenge,codeChallengeMethod:e.transaction.codeChallengeMethod,createdAt:R(e.now),expiresAt:R(ne(e.now,e.ttlSeconds)),...e.transaction.clientState===void 0?{}:{clientState:e.transaction.clientState}};if(e.phase==="awaiting_login")return{...t,phase:"awaiting_login"};if(!e.principal)throw w("identity_context_missing","Authorization setup requires a principal.");return{...t,phase:"awaiting_setup",principal:Xi(e.principal)}}n(Qi,"createTransactionRecord");async function ea(e){let{id:t,...r}=e.record,o=await b().startAuthorization({...r,transactionId:t,...e.client===void 0?{}:{client:e.client}});switch(o.kind){case"started":return o.transaction;case"already_exists":throw w("oauth_state_reused","Authorization transaction state already exists.");case"invalid_client":throw new m("invalid_client","OAuth client is not registered.");case"redirect_uri_mismatch":throw new m("invalid_request","redirect_uri is not registered for the client.")}}n(ea,"startPendingTransaction");async function Cl(e){return new Ki({purpose:"gateway_browser_login",transactionId:e.transactionId,stateId:e.stateId}).setProtectedHeader({alg:N,typ:"JWT"}).setIssuer(L).setAudience(j).setIssuedAt().setExpirationTime(Math.floor(Date.now()/1e3)+e.ttlSeconds).sign(await Ji())}n(Cl,"signBrowserLoginState");async function ta(e){return new Ki({purpose:"gateway_authorization_setup",transactionId:e.transactionId,stateId:fr()}).setProtectedHeader({alg:N,typ:"JWT"}).setIssuer(L).setAudience(j).setIssuedAt().setExpirationTime(Math.floor(Date.now()/1e3)+e.ttlSeconds).sign(await Wi())}n(ta,"signCsrfToken");async function Wr(e){try{let{payload:t}=await Zi(e,await 
Ji(),{algorithms:[N],issuer:L,audience:j}),r=yl.parse(t);return{transactionId:r.transactionId,stateId:r.stateId}}catch(t){throw t instanceof Fi.JWTExpired?w("oauth_state_expired","Browser login state has expired.",t):w("oauth_state_invalid","Browser login state could not be verified.",t)}}n(Wr,"verifyBrowserLoginStateToken");async function Xt(e){try{let{payload:t}=await Zi(e,await Wi(),{algorithms:[N],issuer:L,audience:j});return{transactionId:wl.parse(t).transactionId}}catch(t){throw t instanceof Fi.JWTExpired?w("oauth_state_expired","Authorization setup state has expired.",t):w("oauth_state_invalid","Authorization setup state could not be verified.",t)}}n(Xt,"verifyCsrfToken");function Vr(e){return e==="consumed"||e==="consumed_already"||e==="stale_hash"?"oauth_state_reused":e==="expired"?"oauth_state_expired":"oauth_state_invalid"}n(Vr,"pendingStateErrorCode");function vl(e){return e.kind==="available"?{kind:"available",record:e.transaction}:e}n(vl,"toPendingAuthorizationGetResult");function Sl(e){return e.kind==="advanced"?{kind:"advanced",record:e.transaction}:e}n(Sl,"toPendingAuthorizationAdvanceResult");function Yr(e){return e==="principal_mismatch"?"oauth_callback_mismatch":Vr(e==="consumed_already"?"consumed_already":e)}n(Yr,"setupDecisionErrorCode");async function ra(e){let t=e.now??new Date,r=await Xt(e.csrfToken),o=await b().markAuthorizationSetupApproved({transactionId:r.transactionId,currentStateHash:await U(e.csrfToken),currentPrincipal:{subjectId:e.currentBrowserPrincipal.subjectId},now:R(t)});if(o.kind!=="marked")throw w(Yr(o.kind),"Authorization setup state is invalid, expired, or already used.");return na({kind:"available",record:o.transaction})}n(ra,"markSetupApproved");function na(e){if(e.kind!=="available")throw w(Vr(e.kind),"Authorization setup state is invalid, expired, or already used.");if(e.record.phase!=="awaiting_setup")throw w("oauth_state_invalid","Authorization setup state is not in the setup phase.");return 
e.record}n(na,"requireAwaitingSetup");function Il(e){if(!bl(e.currentBrowserPrincipal,e.transaction.principal))throw w("oauth_callback_mismatch","Authorization setup state does not match the current browser session.")}n(Il,"requireCurrentPrincipalMatches");async function oa(e){let t=e.now??new Date,r=Yi(),o=mr(),i=fr(),a=await Cl({transactionId:o,stateId:i,ttlSeconds:r}),s=Qi({id:o,transaction:e.transaction,currentStateHash:await U(a),phase:"awaiting_login",now:t,ttlSeconds:r});if(s.phase!=="awaiting_login")throw w("oauth_state_invalid","Authorization transaction did not start in login phase.");let c=await ea({record:s,client:e.transaction.client});if(c.phase!=="awaiting_login")throw w("oauth_state_invalid","Authorization transaction did not start in login phase.");return{transaction:c,browserLoginStateToken:a,browserLoginUrl:Rl({state:a,nonce:i,requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders}})}}n(oa,"startAwaitingLogin");async function ia(e){let{now:t,ttlSeconds:r}=Vi(e),o=mr(),i=await ta({transactionId:o,ttlSeconds:r}),a=Qi({id:o,transaction:e.transaction,currentStateHash:await U(i),phase:"awaiting_setup",principal:e.principal,now:t,ttlSeconds:r});if(a.phase!=="awaiting_setup")throw w("oauth_state_invalid","Authorization transaction did not start in setup phase.");let s=await ea({record:a,client:e.transaction.client});if(s.phase!=="awaiting_setup")throw w("oauth_state_invalid","Authorization transaction did not start in setup phase.");return{transaction:s,csrfToken:i}}n(ia,"startAwaitingSetup");async function aa(e){let{now:t,ttlSeconds:r}=Vi(e),o=await Wr(e.browserLoginStateToken),i=await ta({transactionId:o.transactionId,ttlSeconds:r}),a=Sl(await b().advancePendingAuthorization({transactionId:o.transactionId,expectedPhase:"awaiting_login",currentStateHash:await U(e.browserLoginStateToken),nextStateHash:await U(i),nextPhase:"awaiting_setup",principal:Xi(e.principal),now:R(t)}));if(a.kind!=="advanced")throw 
w(Vr(a.kind),"Browser login state is invalid, expired, or already used.");if(a.record.phase!=="awaiting_setup")throw w("oauth_state_invalid","Browser login did not advance to setup.");return{transaction:a.record,csrfToken:i}}n(aa,"completeLogin");async function sa(e){let t=await Xr(e);return Il({transaction:t,currentBrowserPrincipal:e.currentBrowserPrincipal}),t}n(sa,"getSetup");async function Xr(e){let t=e.now??new Date,r=await Xt(e.csrfToken);return na(vl(await b().readPendingAuthorization({transactionId:r.transactionId,currentStateHash:await U(e.csrfToken),now:R(t)})))}n(Xr,"getSetupTransaction");async function xl(e){let t=await Xt(e.csrfToken),r=pe(),o=R(ne(e.now,gl)),i=await b().decideAuthorizationSetup({decision:"approve",transactionId:t.transactionId,currentStateHash:await U(e.csrfToken),currentPrincipal:{subjectId:e.currentBrowserPrincipal.subjectId},authorizationCodeHash:await U(r),authorizationCodeExpiresAt:o,grantId:io(),now:R(e.now)});if(i.kind!=="approved")throw w(i.kind==="cancelled"?"oauth_state_invalid":Yr(i.kind),"Authorization setup state is invalid, expired, or already used.");let a=new URL(i.transaction.redirectUri);return a.searchParams.set("code",r),i.transaction.clientState&&a.searchParams.set("state",i.transaction.clientState),a}n(xl,"createAuthorizationCodeRedirectWithDecision");async function Al(e){let t=await Xt(e.csrfToken),r=await b().decideAuthorizationSetup({decision:"cancel",transactionId:t.transactionId,currentStateHash:await U(e.csrfToken),currentPrincipal:{subjectId:e.currentBrowserPrincipal.subjectId},now:R(e.now)});if(r.kind!=="cancelled")throw w(r.kind==="approved"?"oauth_state_invalid":Yr(r.kind),"Authorization setup state is invalid, expired, or already used.");return Ul({redirectUri:r.transaction.redirectUri,clientState:r.transaction.clientState})}n(Al,"createCancelRedirectWithDecision");function Ul(e){let t=new URL(e.redirectUri);return t.searchParams.set("error","access_denied"),t.searchParams.set("error_description","The 
user cancelled the MCP authorization request."),e.clientState!==void 0&&t.searchParams.set("state",e.clientState),t}n(Ul,"buildClientCancelRedirect");async function ca(e){let t=e.now??new Date;return xl({csrfToken:e.csrfToken,currentBrowserPrincipal:e.currentBrowserPrincipal,now:t})}n(ca,"approve");async function da(e){let t=e.now??new Date;return Al({csrfToken:e.csrfToken,currentBrowserPrincipal:e.currentBrowserPrincipal,now:t})}n(da,"cancel");$();import{createRemoteJWKSet as kl,errors as Fe,jwtVerify as ua,SignJWT as Pl}from"jose";var tn="zuplo_mcp_session",Tl=d.object({purpose:d.literal("gateway_browser_session"),sub:Ve,browserLoginOrigin:d.string().min(1),roles:d.array(d.string().min(1)).optional(),exp:d.number().int().positive(),iat:d.number().int().positive().optional()}),El=d.object({id_token:d.string().min(1),token_type:d.string().min(1).optional(),expires_in:d.number().optional(),access_token:d.string().min(1).optional(),refresh_token:d.string().min(1).optional(),scope:d.string().min(1).optional()}),Ol=d.object({error:d.string().min(1).optional(),error_description:d.string().min(1).optional(),error_uri:d.string().min(1).optional()}),Ml=d.object({sub:Ve,nonce:d.string().min(1)}).catchall(d.unknown()),Qr;function ql(e){let t=new Map;if(!e)return t;for(let r of e.split(";")){let o=r.indexOf("=");if(o<0)continue;let i=r.slice(0,o).trim(),a=r.slice(o+1).trim();if(i)try{t.set(i,decodeURIComponent(a))}catch{t.set(i,a)}}return t}n(ql,"parseCookieHeader");async function la(){return V({purpose:"browser-session",keyMaterialPurpose:"oauth-state-signing",derive:n(e=>me(e,"browser-session"),"derive")})}n(la,"getBrowserSessionKey");function en(e,t){let r=new URL(k(e,t)),o=[`${tn}=`,"Path=/","HttpOnly","SameSite=Lax","Max-Age=0"];return r.protocol==="https:"&&o.push("Secure"),o.join("; ")}n(en,"buildBrowserSessionEvictionCookie");function Dl(e){let t=new 
URL(k(e.requestUrl,e.requestHeaders)),r=[`${tn}=${encodeURIComponent(e.value)}`,"Path=/","HttpOnly","SameSite=Lax",`Max-Age=${e.ttlSeconds}`];return t.protocol==="https:"&&r.push("Secure"),r.join("; ")}n(Dl,"serializeSessionCookie");function pa(){return new URL(le("url")).origin}n(pa,"readBrowserLoginOrigin");function Hl(e){let t=Ol.safeParse(e);if(!t.success)return{};let r={};return t.data.error!==void 0&&(r.idpError=t.data.error),t.data.error_description!==void 0&&(r.idpErrorDescription=t.data.error_description.slice(0,256)),t.data.error_uri!==void 0&&(r.idpErrorUri=t.data.error_uri.slice(0,256)),r}n(Hl,"readIdpErrorFields");function zl(e){return e instanceof Fe.JWTExpired?"expired":e instanceof Fe.JWTClaimValidationFailed?"claim":e instanceof Fe.JWSSignatureVerificationFailed?"signature":e instanceof Fe.JWKSNoMatchingKey?"jwks_no_match":e instanceof Fe.JWTInvalid?"invalid":e instanceof d.ZodError?"schema":"other"}n(zl,"readJwtFailureKind");function Ll(e){return e instanceof Error&&"cause"in e?e.cause:e}n(Ll,"readErrorCause");function Bl(e){if(e!==null&&typeof e=="object"&&"extensionMembers"in e)return e.extensionMembers?.gatewayCode}n(Bl,"readRuntimeGatewayCode");function jl(){if(!Qr){let e=D();Qr=kl(new URL(e.oidc.jwksUrl),{timeoutDuration:e.browserLogin.remoteTimeoutMs})}return Qr}n(jl,"readFederatedJwks");function ma(e){if(!e.user)throw w("authentication_required","The browser login callback did not include an authenticated Zuplo principal.");return _e(e.user,e.url)}n(ma,"resolveCurrentRequestPrincipal");async function Qt(e,t={}){let r=ql(e.headers.get("cookie")).get(tn);if(!r)return{};try{let{payload:o}=await ua(r,await la(),{algorithms:[N],issuer:L,audience:j}),i=Tl.parse(o);if(i.browserLoginOrigin!==pa())return{evictCookie:en(e.url,e.headers)};let a={subjectId:i.sub};return i.roles&&i.roles.length>0&&(a.roles=i.roles),{principal:a}}catch(o){return o instanceof 
Fe.JWTExpired?{evictCookie:en(e.url,e.headers)}:(t.context?.log.warn({event:"browser_session_verification_failed",errorName:o instanceof Error?o.name:"unknown",errorMessage:o instanceof Error?o.message:"verification failed"},"Browser session JWT verification failed"),{evictCookie:en(e.url,e.headers)})}}n(Qt,"readBrowserSession");async function er(e){let t=D().browserLogin.sessionTtlSeconds,r={purpose:"gateway_browser_session",sub:e.principal.subjectId,browserLoginOrigin:pa()};e.principal.roles&&(r.roles=e.principal.roles);let o=await new Pl(r).setProtectedHeader({alg:N,typ:"JWT"}).setIssuer(L).setAudience(j).setIssuedAt().setExpirationTime(Math.floor(Date.now()/1e3)+t).sign(await la());return Dl({value:o,requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders},ttlSeconds:t})}n(er,"createBrowserSessionCookie");async function Nl(e){let t=D(),r=le("tokenUrl"),o=le("clientId"),i=le("clientSecret"),a=new URL(M().actionPath("/oauth/callback"),Tt(e.requestUrl,e.requestHeaders)).toString(),s=new URLSearchParams({grant_type:"authorization_code",code:e.code,redirect_uri:a,client_id:o,client_secret:i});try{let{response:c,json:u}=await $o(r,{method:"POST",headers:{accept:"application/json","content-type":"application/x-www-form-urlencoded"},body:s},{maxResponseBytes:32768,problemCode:"browser_login_verification_failed",timeoutMs:t.browserLogin.remoteTimeoutMs,...e.context===void 0?{}:{context:e.context}});if(!c.ok){let S=Hl(u);throw e.context?.log.warn({event:"federated_token_exchange_failed",code:"provider_access_denied",idpHost:Z(r),idpStatus:c.status,...S},"Federated browser login token exchange returned non-2xx from the identity provider"),w({code:"provider_access_denied",privateDetail:"Federated browser login token exchange failed.",cause:new Error(`IdP token exchange failed (status=${c.status}${S.idpError?` idp_error=${S.idpError}`:""}${S.idpErrorDescription?` idp_error_description=${S.idpErrorDescription}`:""})`)})}let 
p=El.parse(u),f;try{({payload:f}=await ua(p.id_token,jl(),{issuer:t.oidc.issuer,audience:o}))}catch(S){let I={};throw B(I,"error",S),e.context?.log.warn({event:"federated_id_token_verification_failed",code:"browser_login_verification_failed",failureKind:zl(S),idpHost:Z(r),expectedIssuer:t.oidc.issuer,...I},"Federated id_token failed jose verification"),S}if(f.nonce!==e.nonce)throw e.context?.log.warn({event:"federated_nonce_mismatch",code:"oauth_callback_mismatch",idpHost:Z(r),nonceMissingFromIdToken:f.nonce===void 0},"Federated id_token nonce did not match the signed gateway state"),w("oauth_callback_mismatch","Federated browser login nonce did not match the signed gateway state.");let _=Ml.parse(f);return _e({sub:_.sub,data:_},e.requestUrl)}catch(c){let u=re(c)??Bl(c);throw u!==void 0&&u!=="browser_login_verification_failed"?c:w("browser_login_verification_failed","Federated browser login callback could not be verified.",Ll(c))}}n(Nl,"exchangeFederatedAuthorizationCode");async function fa(e){let t={};e.context!==void 0&&(t.context=e.context);let r=await Qt(e.request,t);if(r.principal)return r.principal;let o=typeof e.request.query.code=="string"?e.request.query.code:void 0;if(!o)throw w("oauth_callback_mismatch","Federated browser login callback is missing an authorization code.");return Nl({code:o,nonce:e.stateId,requestUrl:e.request.url,requestHeaders:e.request.headers,...e.context===void 0?{}:{context:e.context}})}n(fa,"resolveBrowserLoginCallbackPrincipal");$();var Gl="chatgpt.com",$l="ChatGPT CIMD client metadata could not be used by this gateway. 
In ChatGPT advanced OAuth settings, change Registration method to Dynamic Client Registration (DCR), keep the discovered Registration URL, and retry connecting.",rn="dcr:pkjwt:";function ha(e){if(Fl(e.clientId))return $l}n(ha,"readCimdInvalidClientCompatibilityMessage");function Fl(e){try{let t=new URL(e);return t.protocol==="https:"&&t.hostname===Gl&&t.pathname.startsWith("/oauth/")&&t.pathname.endsWith("/client.json")}catch{return!1}}n(Fl,"isChatGptCimdClientId");function ga(e){return`${rn}${e.clientId}:${Zl(e.jwksUri)}`}n(ga,"createPrivateKeyJwtDcrCompatibilityClientId");function ya(e){if(!tr(e))return;let t=e.slice(rn.length),r=t.indexOf(":");if(r===-1)return;let o=Kl(t.slice(r+1));if(o!==void 0){try{Se(o)}catch{return}return o}}n(ya,"readPrivateKeyJwtDcrCompatibilityJwksUri");function tr(e){return e.startsWith(rn)}n(tr,"isPrivateKeyJwtDcrCompatibilityClientId");function Zl(e){let t=new TextEncoder().encode(e),r="";for(let o of t)r+=String.fromCharCode(o);return btoa(r).replaceAll("+","-").replaceAll("/","_").replace(/=+$/,"")}n(Zl,"encodeBase64Url");function Kl(e){let t=e.replaceAll("-","+").replaceAll("_","/"),r=t.padEnd(t.length+(4-t.length%4)%4,"="),o;try{o=atob(r)}catch{return}let i=new Uint8Array(o.length);for(let a=0;a<o.length;a+=1)i[a]=o.charCodeAt(a);return new TextDecoder().decode(i)}n(Kl,"decodeBase64Url");var Jl=new Set(["about","blob","data","file","ftp","ftps","javascript","mailto","urn","ws","wss"]);function Wl(e){return e.protocol.replace(/:$/u,"").toLowerCase()}n(Wl,"readScheme");function Vl(e){return e.protocol==="https:"}n(Vl,"isSpecCompliantRedirectUri");function Yl(e){let t=Wl(e);return t.length>0&&t!=="http"&&t!=="https"&&!Jl.has(t)}n(Yl,"isNativeAppCustomSchemeRedirectUri");var 
_a=[{id:"oauth.redirect_uri.https",mode:"strict",accepts:n(e=>Vl(e),"accepts")},{id:"oauth.redirect_uri.loopback_http",mode:"native_app",accepts:n(e=>T(e),"accepts"),matches:n((e,t)=>T(e)&&T(t)&&e.pathname===t.pathname&&e.search===t.search,"matches")},{id:"oauth.redirect_uri.custom_scheme",mode:"native_app",accepts:n(e=>Yl(e),"accepts")}];function Ra(e){let t=_a.find(r=>r.accepts(e.url));return t===void 0?{kind:"rejected"}:{kind:"allowed",ruleId:t.id,mode:t.mode}}n(Ra,"evaluateBuiltInRedirectUriCompatibility");function wa(e){try{return new URL(e)}catch{return}}n(wa,"parseUrl");function ba(e){if(e.registeredRedirectUri===e.requestedRedirectUri)return!0;let t=wa(e.registeredRedirectUri),r=wa(e.requestedRedirectUri);return t===void 0||r===void 0?!1:_a.some(o=>o.matches?.(t,r))}n(ba,"redirectUriMatchesBuiltInCompatibility");var Xl=1e4,Ql=5*1024,ep=0,tp=90*24*60*60,nn=["authorization_code","refresh_token"],on=["code"],rp=d.object({client_name:d.string().min(1).optional(),redirect_uris:d.array(d.string().min(1)).min(1),grant_types:d.array(d.enum(nn)).min(1).max(2).optional(),response_types:d.array(d.enum(on)).min(1).max(1).optional(),scope:d.literal(H).optional(),token_endpoint_auth_method:oo.optional(),jwks_uri:d.string().min(1).optional()});function np(e){try{let t=new URL(e);return(t.protocol==="https:"||t.protocol==="http:"&&T(t))&&t.pathname!=="/"}catch{return!1}}n(np,"isCimdClientIdCandidate");function Ca(e,t){throw new m("invalid_client",ha({clientId:e})??"OAuth client is not registered.",void 0,t===void 0?void 0:{cause:t})}n(Ca,"invalidCimdClientError");function Ze(e,t="invalid_request"){if(op(e))throw new m(t,"redirect_uris must not include raw whitespace or control characters.");let r;try{r=new URL(e)}catch{throw new m(t,"redirect_uris must be absolute URIs.")}if(r.hash||r.username||r.password)throw new m(t,"redirect_uris must not include credentials or fragments.");if(Ra({url:r}).kind==="rejected")throw new m(t,"redirect_uris must use HTTPS, loopback HTTP, or 
a native-app private-use URI scheme.")}n(Ze,"assertValidRedirectUri");function op(e){for(let t=0;t<e.length;t+=1){let r=e.charCodeAt(t);if(r<=32||r>=127&&r<=159)return!0}return!1}n(op,"hasForbiddenRawRedirectUriCharacter");async function ip(e){let{response:t,json:r}=await Fo(e.initialUrl,{headers:{accept:"application/json"}},{maxRedirects:ep,maxResponseBytes:Ql,timeoutMs:Xl});if(!t.ok)throw w("invalid_request","CIMD metadata could not be fetched.");let o=Ot(r);for(let i of o.redirect_uris)Ze(i,"invalid_request");if(o.jwks_uri!==void 0&&Se(o.jwks_uri),o.client_id!==e.clientId)throw w("invalid_request","Fetched CIMD client_id must exactly match the requested client_id.");return o}n(ip,"fetchCimdMetadata");async function ap(e){let t=Nt(e),r=await ip({clientId:e,initialUrl:t});return{kind:"cimd",clientId:e,metadata:r}}n(ap,"resolveCimdClient");async function rr(e,t){let r=oe.parse(e);if(np(r)){D().gateway.downstreamCimdEnabled||Ca(r);try{return await ap(r)}catch(i){Ca(r,i)}}let o=await b().readClient({clientId:r});if(o.kind==="found"){let i=o.client,a=ya(i.clientId),s=a===void 0?i.tokenEndpointAuthMethod:"private_key_jwt",c=i.jwksUri??a;if(s==="private_key_jwt"&&c===void 0)throw new m("invalid_client","Dynamic private_key_jwt client is missing JWKS metadata. Re-run client registration before authorization.");let u=Ot({client_id:i.clientId,client_name:i.clientName,redirect_uris:i.redirectUris,token_endpoint_auth_method:s,...c===void 0?{}:{jwks_uri:c}}),p={kind:"dcr",clientId:r,metadata:u};return i.hashedClientSecret&&(p.hashedClientSecret=i.hashedClientSecret),p}throw new m("invalid_client",r.startsWith("dcr:")?"Dynamic client is not registered. 
Re-run client registration before authorization.":"OAuth client is not registered.")}n(rr,"resolveClient");function va(e,t){if(!e.metadata.redirect_uris.some(r=>ba({registeredRedirectUri:r,requestedRedirectUri:t})))throw w("invalid_request","redirect_uri is not registered for the client.")}n(va,"assertRedirectRegistered");function sp(e){let t=Sa(e.grant_types),r=e.response_types??[...on];if(!cp(t))throw new m("invalid_client_metadata","grant_types must be a subset of authorization_code and refresh_token.");if(!dp(r))throw new m("invalid_client_metadata","response_types must be code.");if(!up(e.scope))throw new m("invalid_client_metadata",`Only the ${H} scope is supported.`)}n(sp,"assertSupportedDcrRequest");function Sa(e){return e===void 0?[...nn]:Array.from(new Set(e))}n(Sa,"normalizeGrantTypes");function cp(e){return e.length===0?!1:e.every(t=>nn.includes(t))}n(cp,"isSupportedGrantTypes");function dp(e){return e.length===on.length&&e[0]==="code"}n(dp,"isSupportedResponseTypes");function up(e){return e===void 0||e===H}n(up,"isSupportedDcrScope");function lp(e){try{Se(e)}catch(t){throw new m("invalid_client_metadata","jwks_uri must be an HTTPS URL with a path, no credentials or fragment, and must not point at a blocked host.",void 0,{cause:t})}}n(lp,"assertValidDcrJwksUri");function pp(e){return e.tokenEndpointAuthMethod==="private_key_jwt"&&e.jwksUri!==void 0?oe.parse(ga({clientId:crypto.randomUUID(),jwksUri:e.jwksUri})):oe.parse(`dcr:${crypto.randomUUID()}`)}n(pp,"createDcrClientId");function ft(e){if(e===void 0||e===H)return H;throw new m("invalid_request",`Only the ${H} scope is supported.`)}n(ft,"assertSupportedOAuthScope");function Ke(e,t,r){let o;try{o=new URL(t)}catch{throw new m("invalid_target","resource must be an absolute URI.")}if(o.hash)throw new m("invalid_target","resource must not include a fragment.");if(o.protocol!=="https:"&&!T(o))throw new m("invalid_target","resource must use HTTPS except loopback HTTP resources in local development.");let 
i=k(e,r),a=eo(),s=a?[...a.byOperationId.values()].find(c=>new URL(c.routePath,i).toString()===t):void 0;if(!s)throw new m("invalid_target","resource must match a published MCP route.");return s}n(Ke,"resolveResource");async function Ia(e){let t;try{t=rp.parse(e)}catch(I){if(I instanceof d.ZodError){let G=I.issues.some(K=>K.path[0]==="redirect_uris");throw new m(G?"invalid_redirect_uri":"invalid_client_metadata",I.issues[0]?.message??"Client metadata is invalid.",void 0,{cause:I})}throw I}sp(t);for(let I of t.redirect_uris)Ze(I,"invalid_redirect_uri");if(t.token_endpoint_auth_method==="private_key_jwt"&&t.jwks_uri===void 0)throw new m("invalid_client_metadata","jwks_uri is required for private_key_jwt clients.");t.jwks_uri!==void 0&&lp(t.jwks_uri);let r=new Date,o=t.token_endpoint_auth_method??"none",i=o==="private_key_jwt"?"none":o,a=pp({tokenEndpointAuthMethod:o,jwksUri:t.jwks_uri}),s=Ot({client_id:a,client_name:t.client_name??"Dynamically registered MCP client",redirect_uris:t.redirect_uris,token_endpoint_auth_method:o,...t.jwks_uri===void 0?{}:{jwks_uri:t.jwks_uri}}),c=ne(r,tp),u=Math.floor(r.getTime()/1e3),p=Math.floor(c.getTime()/1e3),f={client_id:s.client_id,client_name:s.client_name,redirect_uris:s.redirect_uris,grant_types:Sa(t.grant_types),response_types:["code"],scope:H,token_endpoint_auth_method:s.token_endpoint_auth_method,client_id_issued_at:u,...s.jwks_uri===void 0?{}:{jwks_uri:s.jwks_uri}},_={clientId:s.client_id,clientName:s.client_name,redirectUris:s.redirect_uris,tokenEndpointAuthMethod:i,createdAt:R(r),clientExpiresAt:R(c)};if(o==="client_secret_basic"||o==="client_secret_post"){let I=pe();_.hashedClientSecret=await U(I),_.clientSecretExpiresAt=R(c),f.client_secret=I,f.client_secret_expires_at=p,f.client_secret_issued_at=u}if((await b().registerClient(_)).kind==="already_exists")throw w("invalid_request","OAuth client is already registered.");return f}n(Ia,"registerDownstreamClient");function nr(e){return v`<img class="card__icon" 
src="${e.iconHref}" alt="" width="48" height="48" referrerpolicy="no-referrer" onerror=" this.onerror = null; this.src = '${e.fallbackIconHref}'; " />`}n(nr,"renderShellIcon");function xa(e){return v`<form class="actions" method="post" action="${e.setupAction}" ${e.submitOnceAttrs}><input type="hidden" name="state" value="${e.state}" /><button class="button button--secondary" type="submit" name="decision" value="cancel" formnovalidate >Cancel</button><button class="button button--primary" type="submit" name="decision" value="approve" ${e.authorizeAttrs} >Authorize</button></form>`}n(xa,"renderActions");var s_=ae('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="16" height="16" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><circle cx="8" cy="8" r="6.5"/><line x1="8" y1="4.6" x2="8" y2="8.4"/><circle cx="8" cy="11" r=".7" fill="currentColor" stroke="none"/></svg>');var c_=ae('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="14" height="14" fill="none" stroke="currentColor" stroke-width="1.8" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M4 6.5l4 4 4-4"/></svg>'),d_=ae('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.6" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><rect x="3" y="4" width="18" height="7" rx="1.5"/><rect x="3" y="13" width="18" height="7" rx="1.5"/><circle cx="7" cy="7.5" r=".75" fill="currentColor" stroke="none"/><circle cx="7" cy="16.5" r=".75" fill="currentColor" stroke="none"/></svg>');var u_=ae('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="16" height="16" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M7.13 2.46 1.39 12.5a1 1 0 0 0 .87 1.5h11.48a1 1 0 0 0 .87-1.5L8.87 2.46a1 1 0 0 0-1.74 0Z"/><line x1="8" y1="6" x2="8" 
y2="9.4"/><circle cx="8" cy="11.4" r=".7" fill="currentColor" stroke="none"/></svg>');var mp="data:,",Aa=v`data-submit-once="true" onsubmit="if (this.dataset.submitted === 'true') return false; this.dataset.submitted = 'true'; setTimeout(() => this.querySelectorAll('button').forEach((button) => { button.disabled = true; }), 0);"`,Ua=v`data-activate-once="true" onclick="if (this.dataset.activated === 'true') return false; this.dataset.activated = 'true'; this.setAttribute('aria-disabled', 'true'); this.style.pointerEvents = 'none';"`;function fp(e,t,r){if(e)try{let o=new URL(t).origin,i=new URL(e,o);return i.origin!==o||!i.pathname.startsWith(r.actionPath("/auth/connections/"))?void 0:i.toString()}catch{return}}n(fp,"safeGatewayConnectHref");function hp(e){return e.some(r=>r.ownerMode==="user"&&r.status!=="active")?"setup":"grant"}n(hp,"deriveMode");function gp(e){return xa({state:e.state,setupAction:e.gateway.actionPath("/oauth/setup"),submitOnceAttrs:Aa,authorizeAttrs:Y})}n(gp,"renderActions");function an(e,t,r,o){for(let i of e){if(i.ownerMode!=="user"||i.status!==r)continue;let a=fp(i.connectUrl,t,o);if(a)return a}}n(an,"firstUserConnectHref");function yp(e){let t=e.connectHref?v`<a class="button button--primary" href="${e.connectHref}" ${Ua}>Connect</a>`:v`<button class="button button--primary" type="button" disabled aria-disabled="true">Connect</button>`;return v`<form class="actions" method="post" action="${e.gateway.actionPath("/oauth/setup")}" ${Aa}><input type="hidden" name="state" value="${e.state}" /><button class="button button--secondary" type="submit" name="decision" value="cancel" formnovalidate>Cancel</button>${t}</form>`}n(yp,"renderSetupActions");function wp(e){return e?v`<span class="reconnect-action"><a class="button button--secondary reconnect-button" href="${e}" ${Ua}>Re-connect<span class="tooltip" tabindex="0" aria-label="Reset or change how the gateway connects to the upstream service, including changing 
scopes.">?</span></a></span>`:Y}n(wp,"renderReconnectAction");function _p(e){try{let t=new URL(e);return t.protocol==="https:"||t.protocol==="http:"?!0:t.protocol==="data:"&&/^data:image\/(?:png|jpe?g|webp|svg\+xml);/i.test(e)}catch{return!1}}n(_p,"isRenderableIconHref");function ka(e){return e?.find(t=>_p(t.src))?.src}n(ka,"readIconHref");function Rp(e){return ka(e.serverIcons)??(e.transportHost===void 0?void 0:Er(e.transportHost).src)}n(Rp,"readUpstreamIconHref");function bp(e){let t=ka(e.routeIcons);if(t!==void 0)return t;for(let r of e.upstreams){let o=Rp(r);if(o!==void 0)return o}}n(bp,"readHeaderIconHref");function Cp(e){return v`<p class="card__subtitle">Authorize '<strong>${e.clientDisplayName}</strong>' to access '<strong>${e.routeDisplayName}</strong>' on your behalf?</p>`}n(Cp,"renderBody");function sn(e){let t=hp(e.upstreams),r=an(e.upstreams,e.gatewayOrigin,"not_connected",e.gateway),o=an(e.upstreams,e.gatewayOrigin,"reconsent_required",e.gateway),i=an(e.upstreams,e.gatewayOrigin,"active",e.gateway),a=t==="setup"?r??o:void 0,s=bp({routeIcons:e.routeIcons,upstreams:e.upstreams}),c=t==="setup"?v`<footer class="card__footer">${yp({state:e.state,connectHref:a,gateway:e.gateway})}</footer>`:v`<footer class="card__footer">${wp(i)}${gp({state:e.state,gateway:e.gateway})}</footer>`;return je(Ge({title:`Authorize access \xB7 ${e.routeDisplayName}`,iconHref:s??mp,styles:Ne,headerIcon:s===void 0?Y:nr({iconHref:s,fallbackIconHref:Lt}),heading:"Authorize access",subhead:Y,body:Cp({routeDisplayName:e.routeDisplayName,clientDisplayName:e.clientDisplayName}),footer:c}))}n(sn,"renderConsentPage");var vp=1e4,Pa="mcp-session-id",Sp;function Ma(){return{tools:[],prompts:[],resources:[]}}n(Ma,"emptyCapabilities");function Ip(){return new Headers({accept:"application/json, text/event-stream","content-type":"application/json","mcp-protocol-version":hr})}n(Ip,"buildReadinessHeaders");async function Ta(e){let t=await e.provider.tokens();if(!t)return;let r=Ip();return 
r.set("authorization",`${t.token_type??"Bearer"} ${t.access_token}`),r}n(Ta,"buildAsyncCredentialHeaders");function Ea(e){return new Request(e.upstreamUrl,{method:"POST",headers:e.headers,body:JSON.stringify(Ut.parse({jsonrpc:At,id:1,method:"initialize",params:{protocolVersion:hr,capabilities:{},clientInfo:{name:"zuplo-mcp-gateway-readiness",version:"0.0.0"}}}))})}n(Ea,"buildInitializePreflight");async function cn(e){jt(e.url);let t=new AbortController,r=setTimeout(()=>t.abort(),vp);try{let o=new Request(e,{redirect:"manual",signal:t.signal});return await Rt.fetch(o)}finally{clearTimeout(r)}}n(cn,"runPreflight");function dn(e){e.body?.cancel().catch(()=>{})}n(dn,"releasePreflightBody");async function xp(e){let t=e.response.headers.get(Pa);if(!t)return;let r=new Headers(e.headers);r.set(Pa,t),r.delete("content-type");try{let o=await cn(new Request(e.upstreamUrl,{method:"DELETE",headers:r}));dn(o)}catch{}}n(xp,"terminatePreflightSession");async function qa(e){let{response:t}=e;return dn(t),t.status>=200&&t.status<300?(await xp(e),{kind:"ready",upstreamStatus:t.status,capabilities:Ma()}):t.status===401||t.status===403?{kind:"upstream_auth_rejected",status:t.status,message:"Upstream MCP server rejected the configured credential."}:{kind:"upstream_unavailable",status:t.status,message:"Upstream MCP server did not accept the readiness preflight."}}n(qa,"classifyResponse");function Oa(e){let t={status:e.state==="reconsent_required"?"reconsent_required":"not_connected",connected:!1};return e.nextAction==="admin_setup_required"?{kind:"admin_setup_required",payload:e,connectionStatus:t}:{kind:"connect_required",payload:e,connectionStatus:t}}n(Oa,"connectRequiredResult");async function Ap(e){try{return qa({response:await cn(e.request),upstreamUrl:e.upstreamUrl,headers:e.headers})}catch(t){return{kind:"upstream_unavailable",message:t instanceof Error?t.message:"Upstream MCP server readiness preflight failed."}}}n(Ap,"classifyPreflight");async function Up(e){let 
t=e.route.connection;if(t===void 0)return{kind:"ready",upstreamStatus:204,capabilities:Ma()};let r=Wt(t.upstreamServerId,e.route.operationId),o=Be(r,e.subjectId),i=e.returnTo===void 0?o:{...o,returnTo:e.returnTo},a=new Request(e.requestUrl,{...e.requestHeaders===void 0?{}:{headers:e.requestHeaders}}),s=await Le({request:a,routeAuth:i,preloadedConnection:e.preloadedConnection});if(s.kind==="connect_required")return Oa(s.payload);let c=await Ta(s.credential);if(c===void 0)return{kind:"upstream_auth_rejected",status:401,message:"Upstream credential did not produce tokens."};let u=Ea({upstreamUrl:t.mcpUrl,headers:c}),p;try{p=await cn(u)}catch(S){return{kind:"upstream_unavailable",message:S instanceof Error?S.message:"Upstream MCP server readiness preflight failed."}}if(p.status!==401)return qa({response:p,upstreamUrl:t.mcpUrl,headers:c});dn(p);let f=await Le({request:a,routeAuth:i,forceRefresh:!0,preloadedConnection:e.preloadedConnection});if(f.kind==="connect_required")return Oa(f.payload);let _=await Ta(f.credential);return _===void 0?{kind:"upstream_auth_rejected",status:401,message:"Upstream credential did not produce tokens after refresh."}:Ap({request:Ea({upstreamUrl:t.mcpUrl,headers:_}),upstreamUrl:t.mcpUrl,headers:_})}n(Up,"checkUpstreamRouteReadinessImpl");function Da(e){return(Sp??Up)(e)}n(Da,"checkUpstreamRouteReadiness");function kp(e){try{return new URL(e).host}catch{return}}n(kp,"safeUrlHost");function Pp(e){return e.scopes}n(Pp,"readOAuthScopes");function Ha(e){return e!==void 0&&e.length>0}n(Ha,"hasItems");function Tp(e){let t=e.serverInfo?.icons;if(Ha(t))return t;let r=Bt(e.mcpUrl);return r===void 0?void 0:[r]}n(Tp,"readServerIcons");async function Ep(e){if(!(e.returnTo===void 0||!e.isUserOwned))return Lr({requestUrl:e.requestUrl,...e.requestHeaders===void 
0?{}:{requestHeaders:e.requestHeaders},owner:e.userOwner,initiatedBySubjectId:e.transaction.principal.subjectId,upstreamServerId:e.registeredConnection.upstreamServerId,authProfileId:e.registeredConnection.authProfileId,operationId:e.route.operationId,returnTo:e.returnTo})}n(Ep,"readConnectUrl");function xe(e,t){return t===void 0?{}:{[e]:t}}n(xe,"optionalRequirementField");function Op(e){return e.readiness!==void 0?e.readiness:e.isUserOwned?fo(e.connection):{connected:!0,status:"active"}}n(Op,"readSetupConnectionStatus");function Mp(e){let t=Pp(e);return Ha(t)?t:void 0}n(Mp,"readScopesRequested");function qp(e){return e.isUserOwned&&"updatedAt"in e.connectionStatus&&e.connectionStatus.updatedAt!==void 0?e.connectionStatus.updatedAt:void 0}n(qp,"readUpdatedAt");function Dp(){return{tools:[],prompts:[],resources:[]}}n(Dp,"readRouteCapabilities");async function Hp(e){let{authConfig:t,authMode:r,description:o,displayName:i,mcpUrl:a,ownerMode:s,upstreamServerId:c,authProfileId:u}=e.registeredConnection,p=s==="user",f=Op({connection:e.connection,isUserOwned:p,readiness:e.readiness}),_=e.readiness?.connectUrl??await Ep({...e,connected:f.connected,isUserOwned:p});return{upstreamServerId:c,authProfileId:u,authMode:r,ownerMode:s,upstreamDisplayName:i,status:f.status,connected:f.connected,capabilities:Dp(),...xe("description",o),...xe("transportHost",kp(a)),...xe("scopesRequested",Mp(t)),...xe("serverIcons",Tp(e.registeredConnection)),...xe("connectUrl",_),...xe("updatedAt",qp({connectionStatus:f,isUserOwned:p})),...xe("expiresAt",e.readiness?.expiresAt??e.connection?.expiresAt)}}n(Hp,"buildSetupRequirement");function za(e){let t=J().byOperationId.get(e);if(!t)throw w("unknown_mcp_route",`Unknown MCP route: ${e}`);return t}n(za,"requireRoute");async function un(e){let t=za(e.transaction.operationId),r=kt(e.transaction.principal.subjectId),o=[],i=new Map,a=t.connection;if(a===void 
0)return[];a.ownerMode==="user"&&(i.set(a,o.length),o.push({owner:r,upstreamServerId:a.upstreamServerId,authProfileId:a.authProfileId}));let s=await b().batchGetUpstreamConnections(o),c=[],u=a.ownerMode==="user",p=i.get(a),f=await Da({requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders},route:t,subjectId:e.transaction.principal.subjectId,preloadedConnection:u&&p!==void 0?s[p]:void 0,...e.returnTo===void 0?{}:{returnTo:e.returnTo}}),_=(()=>{if("connectionStatus"in f&&f.connectionStatus)return f.connectionStatus})(),S=(f.kind==="connect_required"||f.kind==="admin_setup_required")&&f.payload.authUrl!==void 0?f.payload.authUrl:void 0;return c.push(await Hp({connection:u&&p!==void 0?s[p]:void 0,registeredConnection:a,route:t,requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders},returnTo:e.returnTo,transaction:e.transaction,userOwner:r,readiness:_===void 0?void 0:{..._,...S===void 0?{}:{connectUrl:S}}})),c}n(un,"requirementsForSetup");function zp(e){return e.route.connection?.displayName??e.route.operationId}n(zp,"readRouteDisplayName");async function ln(e){let t=za(e.transaction.operationId),r=zp({route:t}),o=await b().readClient({clientId:e.transaction.clientId}),i=o.kind==="found"?o.client:void 0,a={gatewayOrigin:k(e.requestUrl,e.requestHeaders),routeDisplayName:r,clientDisplayName:i?.clientName??String(e.transaction.clientId),principalLabel:e.transaction.principal.subjectId},s=t.connection?.description;return s!==void 0&&(a.routeDescription=s),a}n(ln,"consentContext");function pn(e){return e.some(t=>t.ownerMode==="user"&&t.status!=="active")}n(pn,"hasUnresolvedUserUpstream");var Lp=["mcp_user"],Bp="dev-browser-user",jp=["resource is required for /oauth/authorize.","MCP clients should start at the MCP server URL and follow its WWW-Authenticate resource_metadata link.","If your client reached this endpoint directly, use /oauth/authorize/{routePath} where {routePath} is the published MCP route path 
without a leading slash and each segment is URL-encoded as needed, for example /oauth/authorize/mcp/linear, or add resource={protected resource URI from protected-resource metadata}."].join(" "),Np=d.object({response_type:d.literal("code"),client_id:d.string().min(1),redirect_uri:d.string().min(1),resource:d.url(),code_challenge:d.string().min(43),code_challenge_method:ro,state:d.string().min(1).optional(),scope:d.literal(H).default(H)}),Gp=d.enum(["continue","approve","cancel"]).default("continue"),$p=d.object({state:d.string().min(1),decision:Gp}),he=class extends Error{static{n(this,"DownstreamAuthorizeRedirectError")}redirectUri;clientState;errorCode;errorDescription;constructor(t){super(t.errorDescription?`${t.errorCode}: ${t.errorDescription}`:t.errorCode,t.cause===void 0?void 0:{cause:t.cause}),this.name="DownstreamAuthorizeRedirectError",this.redirectUri=t.redirectUri,this.clientState=t.clientState,this.errorCode=t.errorCode,this.errorDescription=t.errorDescription}};function La(e){return typeof e=="string"&&e.length>0?e:void 0}n(La,"readQueryString");function Fp(e,t){let r=La(e.query.resource);if(t===void 0){if(r!==void 0)return r;throw new m("invalid_target",jp)}let o=uo(t,e.url,e.headers);if(r===void 0||r===o)return o;throw new m("invalid_target","resource must match the scoped OAuth authorization endpoint resource.")}n(Fp,"requireAuthorizeResource");async function Zp(e,t){let r={};t!==void 0&&(r.context=t);let o=await Qt(e,r);if(o.principal)return{principal:o.principal};if(!e.user)return o.evictCookie===void 0?{}:{setCookie:o.evictCookie};let i=ma(e);return{principal:i,setCookie:await er({principal:i,requestUrl:e.url,requestHeaders:e.headers})}}n(Zp,"resolveBrowserPrincipal");async function Kp(e,t){let r={};t!==void 0&&(r.context=t);let o=await Qt(e,r);if(!o.principal)throw w("authentication_required","Authorization setup requires a current browser session.");return o.principal}n(Kp,"requireSetupPrincipal");function 
Ba(e){return`${M().actionPath("/oauth/setup")}?state=${encodeURIComponent(e)}`}n(Ba,"buildSetupReturnTo");async function ja(e){let t=await un({transaction:e.transaction,requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders},returnTo:Ba(e.csrfToken)}),r=await ln({transaction:e.transaction,requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders}}),o={kind:"setup_page",html:sn({state:e.csrfToken,operationId:e.transaction.operationId,gateway:M(),upstreams:t,...r})};return e.setCookie!==void 0&&(o.setCookie=e.setCookie),o}n(ja,"renderSetup");function Jp(e){if(e===void 0)return;let t=e.metadata.token_endpoint_auth_method;return{clientId:e.clientId,clientName:e.metadata.client_name,tokenEndpointAuthMethod:t}}n(Jp,"toAuthorizationTransactionClient");async function mn(e,t={}){let r=Np.parse({...e.query,resource:Fp(e,t.operationId),state:La(e.query.state)}),o=ft(r.scope);Ze(r.redirect_uri,"invalid_request");let i=new Date,a=oe.parse(r.client_id),s=await rr(r.client_id,i);va(s,r.redirect_uri);try{let c=Ke(e.url,r.resource,e.headers),u=Jp(s);t.context?.log.info({event:"oauth_authorize_request_parsed",clientId:a,operationId:c.operationId,scope:o,hasClientState:r.state!==void 0},"Downstream OAuth authorize: request parsed and client resolved"),t.context&&x(t.context,{eventType:C.MCP_OAUTH_AUTHORIZE_STARTED,outcome:"success",virtualServerName:c.operationId,attributes:{clientId:a,scope:o,responseType:r.response_type}});let p={clientId:s?.clientId??a,...u===void 0?{}:{client:u},redirectUri:r.redirect_uri,resource:r.resource,operationId:c.operationId,scope:o,codeChallenge:r.code_challenge,codeChallengeMethod:r.code_challenge_method,...r.state===void 0?{}:{clientState:r.state}},{principal:f,setCookie:_}=await Zp(e,t.context);if(!f){let I=await 
oa({transaction:p,requestUrl:e.url,requestHeaders:e.headers,now:i});t.context?.log.info({event:"oauth_authorize_awaiting_login",clientId:a,operationId:c.operationId},"Downstream OAuth authorize: redirecting to browser login (no session)");let G={kind:"redirect",location:I.browserLoginUrl};return _!==void 0&&(G.setCookie=_),G}let S=await ia({transaction:p,principal:f,now:i});return t.context?.log.info({event:"oauth_authorize_awaiting_setup",clientId:a,operationId:c.operationId,subjectId:f.subjectId},"Downstream OAuth authorize: rendering consent/setup page"),t.context&&x(t.context,{eventType:C.MCP_OAUTH_AUTHORIZE_AWAITING_SETUP,outcome:"success",virtualServerName:c.operationId,attributes:{clientId:a,scope:o,responseType:r.response_type,subjectId:f.subjectId}}),ja({transaction:S.transaction,csrfToken:S.csrfToken,requestUrl:e.url,requestHeaders:e.headers,setCookie:_})}catch(c){throw Wp({redirectUri:r.redirect_uri,clientState:r.state,cause:c})}}n(mn,"authorizeDownstreamClient");function Wp(e){if(e.cause instanceof he)return e.cause;let t=Vp(e.cause);return t?new he({redirectUri:e.redirectUri,clientState:e.clientState,errorCode:t.errorCode,errorDescription:t.errorDescription,cause:e.cause}):e.cause}n(Wp,"toDownstreamAuthorizeRedirectError");function Vp(e){if(e instanceof m)return{errorCode:e.errorCode,errorDescription:e.message};if(e instanceof d.ZodError){let t=e.issues[0];return{errorCode:t?.path.includes("resource")?"invalid_target":"invalid_request",errorDescription:t?.message}}}n(Vp,"mapToOAuthRedirectError");async function Na(e,t={}){let r=typeof e.query.error=="string"?e.query.error:void 0;if(r){let p=typeof e.query.error_description=="string"?e.query.error_description.slice(0,256):void 0,f=typeof e.query.error_uri=="string"?e.query.error_uri.slice(0,256):void 0;throw t.context?.log.warn({event:"browser_login_callback_idp_error",code:"provider_access_denied",idpError:r,...p===void 0?{}:{idpErrorDescription:p},...f===void 0?{}:{idpErrorUri:f}},"Identity provider 
redirected browser-login callback with an error"),w("provider_access_denied",p??"The delegated browser login was not completed.")}let o=typeof e.query.state=="string"?e.query.state:void 0;if(!o)throw t.context?.log.warn({event:"browser_login_callback_state_missing",code:"oauth_state_invalid"},"Browser login callback was invoked without a state parameter"),w("oauth_state_invalid","Browser login callback is missing state.");let i=await Wr(o),a={request:e,stateId:i.stateId};t.context!==void 0&&(a.context=t.context);let s=await fa(a),c=await aa({browserLoginStateToken:o,principal:s}),u=await ja({transaction:c.transaction,csrfToken:c.csrfToken,requestUrl:e.url,requestHeaders:e.headers});return u.setCookie=await er({principal:s,requestUrl:e.url,requestHeaders:e.headers}),u}n(Na,"completeBrowserLoginCallback");async function Ga(e){let t=D(),r=new URL(e.url);if(!T(r))throw w("forbidden","Local browser login is only available on loopback HTTP origins.");let o=typeof e.query.state=="string"?e.query.state:void 0;if(!o)throw w("oauth_state_invalid","Local browser login is missing state.");let i=M().actionPath("/oauth/callback"),a=new URL(typeof e.query.redirect_uri=="string"?e.query.redirect_uri:i,k(e.url)),s=new URL(k(e.url)).origin;if(a.origin!==s||a.pathname!==i)throw w("oauth_callback_mismatch",`Local browser login redirect_uri must target this gateway's ${i} route.`);a.searchParams.set("state",o);let c={subjectId:Ve.parse(Bp),roles:Lp};return{kind:"redirect",location:a,setCookie:await er({principal:c,requestUrl:e.url,requestHeaders:e.headers})}}n(Ga,"completeLocalDevBrowserLogin");function Yp(e){let t=e.method==="POST"?e.body:e.query;return $p.parse(t)}n(Yp,"readSetupContinueRequest");async function $a(e){let{state:t,decision:r}=Yp({method:e.request.method,query:e.request.query,body:e.body}),o=new Date,i=await Xr({csrfToken:t,now:o}),a=await Kp(e.request,e.context);if(r==="cancel")return{kind:"redirect",location:await da({csrfToken:t,currentBrowserPrincipal:a,now:o})};let 
s=await sa({csrfToken:t,currentBrowserPrincipal:a,now:o}),c=await un({transaction:s,requestUrl:e.request.url,requestHeaders:e.request.headers,returnTo:Ba(t)});if(r==="approve"&&pn(c)&&await ra({csrfToken:t,currentBrowserPrincipal:a,now:o}),pn(c)){let u=await ln({transaction:s,requestUrl:e.request.url,requestHeaders:e.request.headers});return{kind:"setup_page",html:sn({state:t,operationId:s.operationId,gateway:M(),upstreams:c,...u})}}return{kind:"redirect",location:await ca({csrfToken:t,currentBrowserPrincipal:a,now:o})}}n($a,"continueDownstreamAuthorizeSetup");$();import{createLocalJWKSet as Xp,decodeJwt as Qp,errors as ht,jwtVerify as em}from"jose";var tm=new Set(["authorization_code","refresh_token"]),rm="urn:ietf:params:oauth:client-assertion-type:jwt-bearer",nm=1e4,om=32*1024,im=2,Fa=d.object({client_id:d.string().min(1).optional(),client_secret:d.string().min(1).optional(),client_assertion_type:d.string().min(1).optional(),client_assertion:d.string().min(1).optional()}),am=d.discriminatedUnion("grant_type",[Fa.extend({grant_type:d.literal("authorization_code"),code:d.string().min(1),redirect_uri:d.string().min(1),code_verifier:Et,resource:d.url().optional(),scope:d.literal(H).optional()}),Fa.extend({grant_type:d.literal("refresh_token"),refresh_token:d.string().min(1),resource:d.url().optional(),scope:d.literal(H).optional()})]);function sm(e){if(typeof e!="object"||e===null)return;let t=e.grant_type;if(t!==void 0&&(typeof t!="string"||!tm.has(t)))throw new m("unsupported_grant_type",`Grant type "${typeof t=="string"?t:""}" is not supported.`)}n(sm,"assertSupportedGrantType");var cm=d.object({token:d.string().min(1),client_id:d.string().min(1).optional(),token_type_hint:d.string().optional(),client_secret:d.string().min(1).optional(),client_assertion_type:d.string().min(1).optional(),client_assertion:d.string().min(1).optional()}),dm=d.object({keys:d.array(d.record(d.string(),d.unknown())).min(1)}).passthrough();function Za(){return 
D().gateway.accessTokenTtlSeconds}n(Za,"readAccessTokenTtlSeconds");function um(){return D().gateway.refreshTokenTtlSeconds}n(um,"readRefreshTokenTtlSeconds");function lm(e,t){let r=Za(),o=Math.max(1,Math.floor((new Date(t).getTime()-e.getTime())/1e3)),i=Math.min(r,o);return{expiresAt:R(ne(e,i)),expiresIn:i}}n(lm,"calculateAccessTokenExpiresAt");function Ka(e){if(!e?.startsWith("Basic "))return{};let t;try{t=atob(e.slice(6))}catch{throw new m("invalid_client","Malformed HTTP Basic client authentication.")}let r=t.indexOf(":");if(r<0)throw new m("invalid_client","Malformed HTTP Basic client authentication.");try{return{clientId:decodeURIComponent(t.slice(0,r)),clientSecret:decodeURIComponent(t.slice(r+1))}}catch{throw new m("invalid_client","Malformed HTTP Basic client authentication.")}}n(Ka,"readBasicClientSecret");function Ja(e){if(e.basicClientId!==void 0&&e.bodyClientId!==void 0&&e.basicClientId!==e.bodyClientId)throw new m("invalid_request","Authenticated client_id must match request client_id.");let t=e.basicClientId??e.bodyClientId;if(t!==void 0)return t;if(e.clientAssertion!==void 0){try{let r=Qp(e.clientAssertion);if(typeof r.iss=="string"&&typeof r.sub=="string"&&r.iss===r.sub)return r.iss}catch{throw new m("invalid_client","Malformed private_key_jwt client assertion.")}throw new m("invalid_client","private_key_jwt client assertion must identify the client with matching iss and sub claims.")}throw new m("invalid_client","Client authentication or client_id is required.")}n(Ja,"resolveAuthenticatedClientId");function pm(e){if(e.basicClientSecret!==void 0&&e.bodyClientSecret!==void 0)throw new m("invalid_request","Use only one client authentication method per request.");return e.basicClientSecret!==void 0?{clientSecret:e.basicClientSecret,clientSecretSource:"basic"}:e.bodyClientSecret!==void 0?{clientSecret:e.bodyClientSecret,clientSecretSource:"post"}:{}}n(pm,"resolveClientSecretInput");function mm(e){return e.clientAssertion!==void 
0||e.clientAssertionType!==void 0}n(mm,"hasClientAssertion");function fm(e){if(e.requestUrl===void 0)throw new m("invalid_request","Request URL is required for private_key_jwt client authentication.");let t=new URL(M().actionPath(e.pathname),k(e.requestUrl,e.requestHeaders));return t.search="",t.hash="",t.toString()}n(fm,"buildEndpointAudience");function hm(e){return e instanceof ht.JWTExpired?"expired":e instanceof ht.JWTClaimValidationFailed?"claim":e instanceof ht.JWSSignatureVerificationFailed?"signature":e instanceof ht.JWKSNoMatchingKey?"jwks_no_match":e instanceof ht.JWTInvalid?"invalid":e instanceof d.ZodError?"schema":"other"}n(hm,"readJwtFailureKind");async function gm(e){let{response:t,json:r}=await Zo(e.jwksUri,{headers:{accept:"application/json"}},{context:e.context,maxRedirects:im,maxResponseBytes:om,timeoutMs:nm});if(!t.ok)throw new m("invalid_client","Client JWKS could not be fetched.");return dm.parse(r)}n(gm,"fetchClientJwks");async function ym(e){if(e.clientAssertionType!==rm||e.clientAssertion===void 0)throw new m("invalid_request","private_key_jwt client authentication requires a JWT bearer client_assertion and client_assertion_type.");let t=oe.parse(e.clientId),r=await rr(t,e.now);if(r.metadata.token_endpoint_auth_method!=="private_key_jwt")throw new m("invalid_client","Client is not registered for private_key_jwt authentication.");let o=r.metadata.jwks_uri;if(o===void 0)throw new m("invalid_client","Client JWKS URI is required for private_key_jwt authentication.");let i=fm({requestUrl:e.requestUrl,requestHeaders:e.requestHeaders,pathname:e.endpointPathname});try{let a=await gm({jwksUri:o,context:e.context});await em(e.clientAssertion,Xp(a),{issuer:t,subject:t,audience:i,currentDate:e.now})}catch(a){throw e.context?.log.warn({event:"oauth_private_key_jwt_client_auth_failed",clientId:t,failureKind:hm(a)},"OAuth private_key_jwt client authentication failed"),new m("invalid_client","Client authentication failed.")}return 
tr(t)?{method:"none",clientId:t}:{method:"private_key_jwt",clientId:t}}n(ym,"verifyPrivateKeyJwtClientAssertion");async function wm(e){let t=oe.parse(e.clientId);if(tr(t))throw new m("invalid_client","Client is registered for private_key_jwt authentication.");return e.clientSecret===void 0?{method:"none",clientId:t}:{method:e.clientSecretSource==="post"?"client_secret_post":"client_secret_basic",clientId:t,clientSecretHashInput:await U(e.clientSecret)}}n(wm,"buildRuntimeHttpClientAuth");async function Wa(e){if(mm({clientAssertion:e.clientAssertion,clientAssertionType:e.clientAssertionType})){if(e.basicClientSecret!==void 0||e.bodyClientSecret!==void 0)throw new m("invalid_request","Use only one client authentication method per request.");return ym(e)}let t=pm({basicClientSecret:e.basicClientSecret,bodyClientSecret:e.bodyClientSecret});return wm({clientId:e.clientId,...t})}n(Wa,"resolveRuntimeHttpClientAuth");async function Va(e){sm(e.body);let t=am.parse(e.body),r=Ka(e.authorizationHeader),o=Ja({basicClientId:r.clientId,bodyClientId:t.client_id,clientAssertion:t.client_assertion}),i=new Date,a=await Wa({clientId:o,basicClientSecret:r.clientSecret,bodyClientSecret:t.client_secret,clientAssertion:t.client_assertion,clientAssertionType:t.client_assertion_type,requestUrl:e.requestUrl,requestHeaders:e.requestHeaders,endpointPathname:"/oauth/token",now:i,context:e.context});return _m({parsed:t,clientId:o,clientAuth:a,now:i,requestUrl:e.requestUrl,requestHeaders:e.requestHeaders,context:e.context})}n(Va,"exchangeDownstreamToken");async function _m(e){if(e.parsed.grant_type==="authorization_code"){Ze(e.parsed.redirect_uri,"invalid_request"),ft(e.parsed.scope),e.parsed.resource!==void 0&&Ke(e.requestUrl??e.parsed.resource,e.parsed.resource,e.requestHeaders);let c=pe(),u=pe(),p=R(ne(e.now,um())),f=lm(e.now,p),_=await b().exchangeAuthorizationCode({clientAuth:e.clientAuth,codeHash:await U(e.parsed.code),redirectUri:e.parsed.redirect_uri,...e.parsed.resource===void 
0?{}:{resource:e.parsed.resource},codeChallenge:await wo(e.parsed.code_verifier),currentRefreshTokenHash:await U(c),accessTokenHash:await U(u),grantExpiresAt:p,accessTokenExpiresAt:f.expiresAt,now:R(e.now)});if(_.kind==="invalid_client")throw new m("invalid_client","Client authentication failed.");if(_.kind==="resource_mismatch")throw new m("invalid_target","Token request resource must match the authorization code resource.");if(_.kind!=="exchanged")throw new m("invalid_grant","Authorization code is invalid, expired, already used, or failed binding validation.");return e.context&&x(e.context,{eventType:C.MCP_OAUTH_TOKEN_ISSUED,outcome:"success",attributes:{clientId:e.clientId,grantType:"authorization_code"}}),{access_token:u,token_type:"Bearer",expires_in:f.expiresIn,refresh_token:c,scope:_.grant.scope,resource:_.grant.resource}}ft(e.parsed.scope),e.parsed.resource!==void 0&&Ke(e.requestUrl??e.parsed.resource,e.parsed.resource,e.requestHeaders);let t=await U(e.parsed.refresh_token),r=e.parsed.refresh_token,o=pe(),i=R(ne(e.now,Za())),a=await b().refreshToken({clientAuth:e.clientAuth,currentRefreshTokenHash:t,nextRefreshTokenHash:t,accessTokenHash:await U(o),...e.parsed.resource===void 0?{}:{resource:e.parsed.resource},accessTokenExpiresAt:i,now:R(e.now)});if(a.kind==="invalid_client")throw new m("invalid_client","Client authentication failed.");if(a.kind==="resource_mismatch")throw new m("invalid_target","Token request resource must match the refresh token grant resource.");if(a.kind!=="rotated")throw new m("invalid_grant","Refresh token is invalid, expired, or revoked.");Ke(e.requestUrl??a.grant.resource,a.grant.resource,e.requestHeaders);let s=a.accessToken.expiresAt;return e.context&&x(e.context,{eventType:C.MCP_OAUTH_TOKEN_ISSUED,outcome:"success",attributes:{clientId:e.clientId,grantType:"refresh_token"}}),{access_token:o,token_type:"Bearer",expires_in:Math.max(1,Math.floor((new 
Date(s).getTime()-e.now.getTime())/1e3)),refresh_token:r,scope:a.grant.scope,resource:a.grant.resource}}n(_m,"exchangeDownstreamTokenWithRuntimeHttp");async function Ya(e){let t=cm.parse(e.body),r=Ka(e.authorizationHeader),o=Ja({basicClientId:r.clientId,bodyClientId:t.client_id,clientAssertion:t.client_assertion}),i=new Date;if((await b().revokeOAuthToken({clientAuth:await Wa({clientId:o,basicClientSecret:r.clientSecret,bodyClientSecret:t.client_secret,clientAssertion:t.client_assertion,clientAssertionType:t.client_assertion_type,requestUrl:e.requestUrl,requestHeaders:e.requestHeaders,endpointPathname:"/oauth/revoke",now:i,context:e.context}),tokenHash:await U(t.token),now:R(i)})).kind==="invalid_client")throw new m("invalid_client","Client authentication failed.");e.context?.log.info({event:"oauth_token_revoked",clientId:o,...t.token_type_hint===void 0?{}:{tokenTypeHint:t.token_type_hint}},"OAuth token revocation request processed"),e.context&&x(e.context,{eventType:C.MCP_OAUTH_TOKEN_REVOKED,outcome:"success",attributes:{clientId:o,...t.token_type_hint===void 0?{}:{tokenTypeHint:t.token_type_hint}}})}n(Ya,"revokeDownstreamToken");var Rm=64*1024,bm=16*1024,Cm="text/html; charset=utf-8";function vm(e){let t={};for(let[r,o]of e.entries())t[r]=o;return t}n(vm,"formDataToObject");async function Sm(e){return Gi(e,{maxBytes:Rm,label:"Request body"})}n(Sm,"readJsonBody");async function hn(e){return vm(await $i(e,{maxBytes:bm,label:"Request body"}))}n(hn,"readFormBody");async function Qa(e,t,r){let o=re(r),i=r instanceof d.ZodError?ge(r):void 0,a={code:o??(r instanceof d.ZodError?"invalid_request":"internal_server_error")};return i!==void 0&&(a.detail=i),It(e,t,a)}n(Qa,"handleProblem");function es(e){return e?.requestId}n(es,"readBrowserRequestId");function ts(e){if(!(e instanceof h))return;let t=e.extensionMembers?.[Pe];return typeof t=="string"?t:void 0}n(ts,"readUpstreamHtmlError");function Xa(e,t){let r=e.extensionMembers?.[t];return typeof r=="string"?r:void 
0}n(Xa,"readRuntimeErrorExtensionString");function Im(e,t){let r=e.extensionMembers?.[t];return typeof r=="number"?r:void 0}n(Im,"readRuntimeErrorExtensionNumber");function xm(e){try{return new URL(e.url).pathname}catch{return}}n(xm,"readBrowserRequestPath");function Ae(e){let t={code:e.code,requestId:e.requestId,routePath:xm(e.request),underlyingError:e.underlyingError};return e.error instanceof h&&(t.httpStatus=Im(e.error,Te),t.contentType=Xa(e.error,ke),t.upstreamUrl=Xa(e.error,Ee)),t}n(Ae,"buildBrowserErrorDiagnostic");function gt(e){let t=new Headers(e.headers);t.set("cache-control","no-store"),t.set("pragma","no-cache");let r={error:e.error};return e.errorDescription!==void 0&&(r.error_description=e.errorDescription),Response.json(r,{status:e.status??400,headers:t})}n(gt,"oauthErrorResponse");function Am(e,t){return e.errorCode!=="invalid_client"?{}:t.includeInvalidClientChallenge===!1?{}:{"WWW-Authenticate":'Basic realm="OAuth"'}}n(Am,"readOAuthProtocolHeaders");function Um(e,t){let r=F("internal_server_error");return gt({error:e.errorCode,errorDescription:e.errorCode==="server_error"?r.publicDetail:e.message,status:e.status,headers:Am(e,t)})}n(Um,"oauthProtocolErrorResponse");function fn(e){return e.issues[0]?.path.includes("resource")===!0?"invalid_target":"invalid_request"}n(fn,"readZodOAuthErrorCode");function km(e){let t={error:fn(e)},r=ge(e);return r!==void 0&&(t.errorDescription=r),gt(t)}n(km,"oauthZodErrorResponse");function Pm(e){let t=re(e);if(t===void 0)return;let r=F(t);if(r.oauthError===void 0)return;let o={error:r.oauthError,status:Em(r.oauthError)};return r.oauthError==="server_error"?o.errorDescription=r.publicDetail:e instanceof Error?o.errorDescription=e.message:o.errorDescription=r.publicDetail,gt(o)}n(Pm,"oauthGatewayProblemResponse");function Tm(){let t={error:"server_error",status:500,errorDescription:F("internal_server_error").publicDetail};return gt(t)}n(Tm,"oauthFallbackErrorResponse");function 
Em(e){switch(e){case"invalid_client":return 401;case"server_error":return 500;default:return 400}}n(Em,"readOAuthStatus");function gn(e,t={}){return e instanceof he?os(e):e instanceof m?Um(e,t):e instanceof d.ZodError?km(e):Pm(e)??Tm()}n(gn,"oauthProblemResponse");function yn(e,t,r){let o=$e(e.url),i=es(t);if(r instanceof he)return os(r);if(r instanceof m){let c=F("internal_server_error");return X({host:o,kind:Om(r.errorCode),title:"Authorization failed",detail:r.errorCode==="server_error"?c.publicDetail:r.message,developerDetail:r.errorCode==="server_error"?c.publicDetail:r.message,code:r.errorCode,diagnostic:Ae({request:e,requestId:i,code:r.errorCode,underlyingError:r.errorCode==="server_error"?c.publicDetail:r.message,error:r}),requestId:i,status:r.status})}if(r instanceof d.ZodError)return X({host:o,kind:"invalid_request",detail:ge(r)??"The authorization request was invalid.",developerDetail:ge(r)??"The authorization request was invalid.",code:fn(r),diagnostic:Ae({request:e,requestId:i,code:fn(r),underlyingError:ge(r)??"The authorization request was invalid.",error:r}),requestId:i});let a=re(r);if(a!==void 0){let c=F(a);return X({host:o,kind:ns(a),detail:c.publicDetail,developerDetail:c.status>=500||!(r instanceof Error)?c.publicDetail:r.message,code:a,diagnostic:Ae({request:e,requestId:i,code:a,underlyingError:c.status>=500||!(r instanceof Error)?c.publicDetail:r.message,error:r}),requestId:i,upstreamHtml:ts(r),status:c.status})}let s=F("internal_server_error");return X({host:o,kind:"internal_error",detail:s.publicDetail,developerDetail:s.publicDetail,code:"server_error",diagnostic:Ae({request:e,requestId:i,code:"server_error",underlyingError:s.publicDetail,error:r}),requestId:i,status:s.status})}n(yn,"browserOAuthProblemResponse");function rs(e,t,r){let o=$e(e.url),i=es(t),a=re(r);if(a!==void 0){let c=F(a);return X({host:o,kind:ns(a),detail:c.publicDetail,developerDetail:c.status>=500||!(r instanceof 
Error)?c.publicDetail:r.message,code:a,diagnostic:Ae({request:e,requestId:i,code:a,underlyingError:c.status>=500||!(r instanceof Error)?c.publicDetail:r.message,error:r}),requestId:i,upstreamHtml:ts(r),status:c.status})}if(r instanceof d.ZodError)return X({host:o,kind:"invalid_request",detail:ge(r)??"The authorization request was invalid.",developerDetail:ge(r)??"The authorization request was invalid.",code:"invalid_request",diagnostic:Ae({request:e,requestId:i,code:"invalid_request",underlyingError:ge(r)??"The authorization request was invalid.",error:r}),requestId:i});let s=F("internal_server_error");return X({host:o,kind:"internal_error",detail:s.publicDetail,developerDetail:s.publicDetail,code:"internal_server_error",diagnostic:Ae({request:e,requestId:i,code:"internal_server_error",underlyingError:s.publicDetail,error:r}),requestId:i,status:s.status})}n(rs,"browserGatewayProblemResponse");function Om(e){return e==="server_error"?"internal_error":"invalid_request"}n(Om,"readOAuthBrowserErrorKind");function 
ns(e){if(F(e).status>=500)return"internal_error";switch(e){case"mcp_route_not_enabled":case"unknown_upstream_server":case"unknown_mcp_route":case"unknown_auth_profile":case"mcp_route_upstream_mismatch":return"configuration_error";case"provider_access_denied":return"access_denied";case"oauth_state_invalid":case"oauth_state_expired":case"oauth_state_reused":case"oauth_callback_mismatch":return"session_expired";case"upstream_oauth_discovery_unavailable":case"upstream_provider_access_denied":case"upstream_client_registration_required":return"admin_required";case"browser_login_verification_failed":case"upstream_token_exchange_failed":case"upstream_token_response_invalid":return"connection_failed";case"invalid_request":case"authentication_required":case"forbidden":case"not_found":case"too_many_requests":case"identity_context_missing":return"invalid_request";case"upstream_capability_invocation_failed":case"upstream_capability_unavailable":case"upstream_import_failed":return"connection_failed";case"internal_server_error":return"internal_error"}return"authorization_failed"}n(ns,"readGatewayBrowserErrorKind");function se(e,t,r){let o={event:t},i=!1;if(r instanceof m)o.oauthError=r.errorCode,o.status=r.status,B(o,"error",r);else if(r instanceof he)o.oauthError=r.errorCode,B(o,"error",r);else if(r instanceof d.ZodError){o.code="invalid_request",B(o,"error",r);let a=r.issues[0];a&&(o.zodPath=a.path.join("."))}else{let a=re(r);if(a!==void 0){let s=F(a);o.code=a,o.status=s.status,s.oauthError!==void 0&&(o.oauthError=s.oauthError),i=s.status>=500||s.oauthError==="server_error",B(o,"error",r)}else i=!0,B(o,"error",r)}if(i){let a=r instanceof Error?r:new Error("Non-Error thrown from OAuth handler",{cause:r});e.log.error(o,a.message)}else e.log.warn(o,"OAuth handler rejected the request")}n(se,"logUnexpectedOAuthHandlerError");function os(e){let t;try{t=new URL(e.redirectUri)}catch{return gt({error:e.errorCode,...e.errorDescription===void 
0?{}:{errorDescription:e.errorDescription}})}t.searchParams.set("error",e.errorCode),e.errorDescription!==void 0&&t.searchParams.set("error_description",e.errorDescription),e.clientState!==void 0&&t.searchParams.set("state",e.clientState);let r=new Headers({location:t.toString(),"cache-control":"no-store"});return new Response(null,{status:302,headers:r})}n(os,"downstreamAuthorizeRedirectErrorResponse");function ge(e){let t=e.issues[0];if(!t)return;let r=t.path.join(".");return r?`${r}: ${t.message}`:t.message}n(ge,"formatZodErrorDetail");function Mm(e,t){let r={event:"browser_login_callback_failed",code:re(t)??"invalid_request"};B(r,"error",t),e.log.warn(r,"Browser login callback failed; client received a connection-failure page")}n(Mm,"logBrowserLoginCallbackFailure");function is(e){e.location.hash||(e.location.hash="#");let t=new Headers({location:e.location.toString(),"cache-control":"no-store"});return e.setCookie&&t.append("set-cookie",e.setCookie),new Response(null,{status:302,headers:t})}n(is,"redirectResultResponse");function or(e){if(e.kind==="setup_page"){let t=new Headers({"content-type":Cm,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"});return e.setCookie&&t.append("set-cookie",e.setCookie),new Response(e.html,{status:200,headers:t})}return is(e)}n(or,"authorizeResultResponse");async function as(e,t){try{return Response.json(ao(e.url,e.headers))}catch(r){return se(t,"oauth_authorization_server_metadata_failed",r),Qa(e,t,r)}}n(as,"authorizationServerMetadataHandler");async function ss(e,t){try{let r=gr(e.params.routePath);return Response.json(so({operationId:r.operationId,requestUrl:e.url,requestHeaders:e.headers}))}catch(r){return se(t,"oauth_authorization_server_metadata_failed",r),Qa(e,t,r)}}n(ss,"scopedAuthorizationServerMetadataHandler");async function cs(e,t){try{let r=await Ia(await Sm(e)),o=r,i=typeof o.client_id=="string"?o.client_id:void 0,a=typeof o.client_name=="string"?o.client_name:void 
0,s=Array.isArray(o.redirect_uris)?o.redirect_uris.length:void 0,c=typeof o.token_endpoint_auth_method=="string"?o.token_endpoint_auth_method:void 0;return t.log.info({event:"oauth_dcr_client_registered",clientId:i,clientName:a,redirectUriCount:s,tokenEndpointAuthMethod:c},"OAuth Dynamic Client Registration completed"),x(t,{eventType:C.MCP_OAUTH_CLIENT_REGISTERED,outcome:"success",clientName:a,attributes:{clientId:i,redirectUriCount:s,tokenEndpointAuthMethod:c}}),Response.json(r,{status:201,headers:{"cache-control":"no-store"}})}catch(r){return se(t,"oauth_register_failed",r),gn(r)}}n(cs,"registerHandler");async function ds(e,t){try{return or(await mn(e,{context:t}))}catch(r){return se(t,"oauth_authorize_failed",r),yn(e,t,r)}}n(ds,"authorizeHandler");async function us(e,t){try{let r=gr(e.params.routePath);return or(await mn(e,{operationId:r.operationId,context:t}))}catch(r){return se(t,"oauth_authorize_scoped_failed",r),yn(e,t,r)}}n(us,"scopedAuthorizeHandler");async function ls(e,t){try{let r=await Na(e,{context:t});return t.log.info({event:"browser_login_callback_completed",resultKind:r.kind},"Browser login callback completed; consent setup rendered"),or(r)}catch(r){return Mm(t,r),rs(e,t,r)}}n(ls,"callbackHandler");async function ps(e,t){try{return is(await Ga(e))}catch(r){return se(t,"oauth_dev_login_failed",r),yn(e,t,r)}}n(ps,"devLoginHandler");async function ms(e,t){try{if(!["GET","POST"].includes(e.method))return new Response(null,{status:405,headers:{allow:"GET, POST"}});let r=await $a({request:e,body:e.method==="POST"?await hn(e):void 0,context:t});return or(r)}catch(r){return se(t,"oauth_setup_failed",r),rs(e,t,r)}}n(ms,"setupHandler");async function fs(e,t){try{return Response.json(await Va({body:await hn(e),authorizationHeader:e.headers.get("authorization"),requestUrl:e.url,requestHeaders:e.headers,context:t}),{headers:{"cache-control":"no-store",pragma:"no-cache"}})}catch(r){return se(t,"oauth_token_failed",r),gn(r)}}n(fs,"tokenHandler");async function 
hs(e,t){try{return await Ya({body:await hn(e),authorizationHeader:e.headers.get("authorization"),requestUrl:e.url,requestHeaders:e.headers,context:t}),new Response(null,{status:200,headers:{"cache-control":"no-store"}})}catch(r){return se(t,"oauth_revoke_failed",r),gn(r)}}n(hs,"revokeHandler");function gs(e){return v`<p data-gateway-error-code="${e.code}">${e.body}</p>`}n(gs,"renderBrowserResult");var qm="text/html; charset=utf-8",Dm="none";function Hm(e){let t=Tr(e.host);return Ge({title:e.title,iconHref:t,styles:Ne,headerIcon:nr({iconHref:t,fallbackIconHref:Lt}),heading:e.title,subhead:"",body:gs({body:e.body,code:e.code??Dm}),footer:""})}n(Hm,"browserResultHtml");function zm(e,t=200){return new Response(je(e),{status:t,headers:{"content-type":qm,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"}})}n(zm,"browserResultResponse");function ys(e){return zm(Hm(e))}n(ys,"browserConnectionSuccessResponse");function ir(e,t,r={}){let o=Ln(t);return X({host:e,kind:Lm(t),detail:o.body,developerDetail:r.developerDetail,code:t,diagnostic:r.diagnostic,upstreamHtml:r.upstreamHtml})}n(ir,"browserConnectionFailureResponse");function Lm(e){switch(e){case"provider_access_denied":return"access_denied";case"oauth_state_invalid":case"oauth_state_expired":case"oauth_state_reused":case"oauth_callback_mismatch":return"session_expired";case"browser_login_verification_failed":case"upstream_token_exchange_failed":case"upstream_token_response_invalid":return"connection_failed";case"upstream_oauth_discovery_unavailable":case"upstream_provider_access_denied":case"upstream_client_registration_required":return"admin_required"}}n(Lm,"readCallbackFailureBrowserErrorKind");var Bm={connect:"Connect",callback_authorization_code:"Callback",callback_provider_error:"Callback",callback_invalid:"Callback",client_metadata:"Client metadata"},ws=Symbol("upstream-request");function 
yt(e,t){Object.defineProperty(e,ws,{configurable:!0,value:t})}n(yt,"setUpstreamRequestContext");function jm(e){let t=e[ws];if(!t)throw new de("Upstream request context has not been set");return t}n(jm,"readUpstreamRequestContext");function Nm(e,t){return t.some(r=>r===e)}n(Nm,"requestContextMatchesKind");function Gm(e){return typeof e=="string"?[e]:e}n(Gm,"toExpectedKinds");function wt(e,t){let r=jm(e),o=Gm(t);if(!Nm(r.kind,o)){let i=Bm[o[0]];throw new de(`${i} request context has not been set`)}return r}n(wt,"requireUpstreamRequestContext");function Ue(e){if(typeof e=="string"&&e.length!==0)return e}n(Ue,"readOptionalQueryString");function $m(e,t){let r=e.params[t];if(typeof r!="string"||r.length===0)throw new de(`Validated path parameter ${t} is missing`);return Fm(r,t)}n($m,"requirePathString");function Fm(e,t){try{return decodeURIComponent(e)}catch(r){throw new h({message:`Path parameter "${t}" must be valid URL encoding.`,extensionMembers:{[g]:"invalid_request"}},{cause:r})}}n(Fm,"decodePathString");function Zm(e){let t=Ue(e);return t?xt.parse(t):void 0}n(Zm,"readOptionalOperationId");function Km(e){let t=J().connectionsById.get(e);if(t!==void 0)return t.authProfileId;throw new h({message:`No upstream connection is registered for ${e}.`,extensionMembers:{[g]:"unknown_upstream_server"}})}n(Km,"readRegisteredAuthProfileId");function Jm(e){let t=Zm(e);if(!t)throw new h({message:"operationId query parameter is required.",extensionMembers:{[g]:"invalid_request"}});return t}n(Jm,"readRequiredOperationId");function Wm(e){let t=Zn(Ue(e));return t===void 0?{}:{returnTo:t}}n(Wm,"readOptionalReturnTo");function Vm(e){let t=Ue(e.query.error_description);return t===void 0?{}:{errorDescription:t}}n(Vm,"readOptionalProviderErrorDescription");function Ym(e,t,r,o){return{kind:"connect",...Be(e,t.subjectId),...o===void 0?{}:{returnTo:o},redirect:r}}n(Ym,"buildConnectContextForUser");function Xm(e,t,r){let o=Pt(t);if(o.mode!==e.ownerMode)throw new h({message:"Browser connect 
ticket did not match the requested upstream flow",extensionMembers:{[g]:"oauth_callback_mismatch"}});return{kind:"connect",...e,...t.returnTo===void 0?{}:{returnTo:t.returnTo},owner:o,initiatedBySubjectId:t.initiatedBySubjectId,redirect:r}}n(Xm,"buildConnectContextForTicket");async function Qm(e,t){let r=Wt(t,Jm(e.query.operationId)),o=e.query.redirect==="true",i=Ue(e.query.browserTicket);if(e.user){if(i)throw new h({message:"Use either an authenticated gateway request or a browser connect ticket, not both.",extensionMembers:{[g]:"invalid_request"}});let s=_e(e.user,e.url);return Ym(r,s,o,Wm(e.query.returnTo).returnTo)}if(!i)throw new h({message:"Authentication is required to start the upstream connection flow.",extensionMembers:{[g]:"authentication_required"}});let a=await di(i);if(a.ownerMode!==r.ownerMode||a.upstreamServerId!==r.upstreamServerId||a.authProfileId!==r.authProfileId||a.operationId!==r.operationId)throw new h({message:"Browser connect ticket did not match the requested upstream flow",extensionMembers:{[g]:"oauth_callback_mismatch"}});return await ui(a),Xm(r,a,o)}n(Qm,"resolveConnectContext");async function ef(e,t,r){let o=Nn.parse($m(e,"connection"));switch(r){case"connect":yt(e,await Qm(e,o));return;case"callback":{let i=Ue(e.query.error);if(i){yt(e,{kind:"callback_provider_error",upstreamServerId:o,error:i,...Vm(e)});return}let a=Ue(e.query.code),s=Ue(e.query.state);if(a&&s){yt(e,{kind:"callback_authorization_code",upstreamServerId:o,code:a,state:s});return}yt(e,{kind:"callback_invalid",upstreamServerId:o});return}case"client_metadata":yt(e,{kind:"client_metadata",upstreamServerId:o,authProfileId:Km(o)});return}}n(ef,"resolveUpstreamRequestInbound");async function tf(e,t,r){try{await ef(e,t,r);return}catch(o){let i=o instanceof h?o.extensionMembers?.[g]:void 0,a=o instanceof Error?o.message:void 0;switch(i){case"invalid_request":case"unknown_upstream_server":case"oauth_callback_mismatch":return 
ye.badRequest(e,t,{code:i,detail:a});case"authentication_required":return ye.unauthorized(e,t,{code:i,detail:a});default:throw o}}}n(tf,"applyUpstreamRequestContext");function ar(e,t){return n(async(o,i)=>{let a=await tf(o,i,e);return a||t(o,i)},"wrapped")}n(ar,"withUpstreamRequestContext");var rf=["callback_authorization_code","callback_provider_error","callback_invalid"];function wn(e){try{return new URL(e.url).pathname}catch{return}}n(wn,"readBrowserRequestPath");function nf(e){return"cause"in e?e.cause:void 0}n(nf,"readErrorCause");function of(e){return e.stack?.split(`
|
|
48
|
-
`).slice(1,4).map(t=>t.trim()).join(" | ")}n(of,"readFirstStackFrame");function _s(e,t,r){r instanceof Error&&(e[`${t}Name`]=r.name,e[`${t}Message`]=r.message,e[`${t}StackFrame`]=of(r))}n(_s,"addErrorAttributes");function _n(e){if(!(e instanceof h))return;let t=e.extensionMembers?.[g];return St(t)?t:void 0}n(_n,"readRuntimeGatewayCode");function Rs(e,t){let r=e.extensionMembers?.[t];return typeof r=="string"?r:void 0}n(Rs,"readRuntimeErrorExtensionString");function af(e,t){let r=e.extensionMembers?.[t];return typeof r=="number"?r:void 0}n(af,"readRuntimeErrorExtensionNumber");function sf(e,t,r,o){switch(r.kind){case"callback_provider_error":return t.log.warn({event:"upstream_oauth_provider_error",code:"provider_access_denied",upstreamServerId:r.upstreamServerId,providerError:r.error,...r.errorDescription===void 0?{}:{providerErrorDescription:r.errorDescription.slice(0,256)}},"Upstream identity provider returned an error to the OAuth callback"),x(t,{eventType:C.MCP_AUTH_UPSTREAM_TOKEN_EXCHANGE_FAILED,outcome:"failure",upstreamServerName:r.upstreamServerId,reasonCode:"provider_access_denied",reasonClass:"auth",attributes:{error:r.error,errorDescription:r.errorDescription}}),ir(o,"provider_access_denied",{developerDetail:r.errorDescription??r.error,diagnostic:{code:"provider_access_denied",requestId:t.requestId,routePath:wn(e),upstreamServerId:r.upstreamServerId,providerError:r.error,providerErrorDescription:r.errorDescription,underlyingError:r.errorDescription??r.error}});case"callback_invalid":return t.log.warn({event:"upstream_oauth_callback_invalid",code:"oauth_state_invalid",upstreamServerId:r.upstreamServerId},"Upstream OAuth callback request missing required code/state parameters"),ir(o,"oauth_state_invalid",{diagnostic:{code:"oauth_state_invalid",requestId:t.requestId,routePath:wn(e),upstreamServerId:r.upstreamServerId}});case"callback_authorization_code":return r}}n(sf,"requireAuthorizationCallbackRequest");function 
cf(e,t){x(e,{eventType:C.MCP_AUTH_UPSTREAM_CALLBACK_RECEIVED,outcome:"success",upstreamServerName:t.upstreamServerId})}n(cf,"emitCallbackReceivedAnalyticsEvent");function df(e,t){x(e,{eventType:C.MCP_AUTH_UPSTREAM_TOKEN_EXCHANGE_SUCCEEDED,outcome:"success",upstreamServerName:t.upstreamServerId,virtualServerName:t.operationId})}n(df,"emitTokenExchangeSucceededAnalyticsEvent");function uf(e,t){if(t.returnTo){let r=t.returnOrigin??e.url;return Response.redirect(new URL(t.returnTo,r).toString(),302)}return ys({host:$e(e.url),title:"Connection complete",body:"The upstream authorization flow completed successfully. You can return to your MCP client."})}n(uf,"buildSuccessfulCallbackResponse");function lf(e){let t={detail:e instanceof Error?e.message:void 0};return _s(t,"error",e),e instanceof Error&&_s(t,"cause",nf(e)),t}n(lf,"buildTokenExchangeFailureAttributes");function pf(e){x(e.context,{eventType:C.MCP_AUTH_UPSTREAM_TOKEN_EXCHANGE_FAILED,outcome:"failure",upstreamServerName:e.callbackRequest.upstreamServerId,reasonCode:_n(e.error)??"token_exchange_failed",reasonClass:"auth",errorType:e.error instanceof Error?e.error.name:"unknown",attributes:lf(e.error)})}n(pf,"emitTokenExchangeFailedAnalyticsEvent");function mf(e){let t=e.error,r=_n(t),o=zn(r)?r:"upstream_token_exchange_failed",i={code:o,requestId:e.context.requestId,routePath:wn(e.request),upstreamServerId:e.callbackRequest.upstreamServerId,underlyingError:t instanceof Error?t.message:void 0,...t instanceof h?{httpStatus:af(t,Te),contentType:Rs(t,ke),upstreamUrl:Rs(t,Ee)}:{}};return ir(e.host,o,{developerDetail:t instanceof Error?t.message:void 0,diagnostic:i,upstreamHtml:ff(t)})}n(mf,"tokenExchangeFailureResponse");function ff(e){if(!(e instanceof h))return;let t=e.extensionMembers?.[Pe];return typeof t=="string"?t:void 0}n(ff,"readUpstreamHtmlError");async function Rn(e,t){let r=wt(e,rf),o=$e(e.url),i=sf(e,t,r,o);if(i instanceof Response)return i;cf(t,i);try{let a=await Ei({request:e,callbackRequest:i});return 
df(t,a),t.log.info({event:"upstream_oauth_token_exchange_succeeded",upstreamServerId:a.upstreamServerId,operationId:a.operationId,authProfileId:a.authProfileId,ownerMode:a.ownerMode},"Upstream OAuth token exchange completed; user connection established"),uf(e,a)}catch(a){let s={event:"upstream_oauth_token_exchange_failed",code:_n(a)??"upstream_token_exchange_failed",upstreamServerId:i.upstreamServerId};return B(s,"error",a),t.log.warn(s,"Upstream OAuth token exchange failed; user shown connection-failure page"),pf({context:t,callbackRequest:i,error:a}),mf({request:e,context:t,host:o,callbackRequest:i,error:a})}}n(Rn,"callbackHandler");function hf(e){return(e instanceof Error?e.message:void 0)??"The requested upstream client metadata document was not found."}n(hf,"clientMetadataProblemDetail");async function bs(e,t){let r=wt(e,"connect"),o=await Ti({request:e,connectRequest:r});if(x(t,{eventType:C.MCP_AUTH_UPSTREAM_CONNECT_STARTED,outcome:"success",upstreamServerName:r.upstreamServerId,virtualServerName:o.operationId,upstreamServerTitle:o.upstreamDisplayName}),t.log.info({event:"upstream_connect_started",upstreamServerId:r.upstreamServerId,authProfileId:o.authProfileId,operationId:o.operationId,ownerMode:r.ownerMode,redirect:r.redirect,hasReturnTo:r.returnTo!==void 0},"Upstream OAuth connect flow started"),r.redirect)return Response.redirect(o.authUrl,302);let i=await Zt({requestUrl:e.url,requestHeaders:e.headers,owner:o.owner,initiatedBySubjectId:o.initiatedBySubjectId,upstreamServerId:r.upstreamServerId,authProfileId:o.authProfileId,upstreamDisplayName:o.upstreamDisplayName,operationId:o.operationId,subject:"MCP route",...r.returnTo===void 0?{}:{returnTo:r.returnTo}});return Response.json(i,{status:428})}n(bs,"connectHandler");async function Cs(e,t){let r=wt(e,"client_metadata");try{let o=k(e.url,e.headers),i=hi(o,r.upstreamServerId,r.authProfileId);return Response.json(i)}catch(o){if(!(o instanceof q))throw o;let i=o instanceof Error?o.message:String(o);return 
t.log.warn({event:"oauth_client_metadata_request_failed",upstreamServerId:r.upstreamServerId,authProfileId:r.authProfileId,errorMessage:i},"Failed to serve OAuth client metadata document for upstream connection"),ye.notFound(e,t,{code:"not_found",detail:hf(o)})}}n(Cs,"oauthClientMetadataHandler");function gf(e,t){return e.mount==="root"?e.path:t.actionPath(e.path)}n(gf,"resolveInternalRoutePath");var yf={"access-control-allow-origin":"*","access-control-allow-methods":"GET, OPTIONS","access-control-allow-headers":"content-type, authorization","access-control-max-age":"86400"};function wf(){return new Response(null,{status:204,headers:yf})}n(wf,"buildWellKnownPreflightResponse");function _f(e){let t=new Headers(e.headers);return t.set("access-control-allow-origin","*"),new Response(e.body,{status:e.status,statusText:e.statusText,headers:t})}n(_f,"withWellKnownCorsHeaders");function bn(e){return async(t,r)=>t.method==="OPTIONS"?wf():_f(await e(t,r))}n(bn,"wrapWellKnownHandler");var Is=[{routeName:"oauth_as_metadata",mount:"root",path:"/.well-known/oauth-authorization-server",methods:["GET","OPTIONS"],handler:bn(as),corsPolicy:"anything-goes"},{routeName:"oauth_as_metadata_scoped",mount:"root",path:"/.well-known/oauth-authorization-server/:routePath*",methods:["GET","OPTIONS"],handler:bn(ss),corsPolicy:"anything-goes"},{routeName:"oauth_protected_resource_metadata",mount:"root",path:"/.well-known/oauth-protected-resource/:routePath*",methods:["GET","OPTIONS"],handler:bn(co),corsPolicy:"anything-goes"},{routeName:"oauth_register",mount:"action",path:"/oauth/register",methods:["POST"],handler:cs},{routeName:"oauth_authorize",mount:"action",path:"/oauth/authorize",methods:["GET"],handler:ds},{routeName:"oauth_authorize_scoped",mount:"action",path:"/oauth/authorize/:routePath*",methods:["GET"],handler:us},{routeName:"oauth_callback",mount:"action",path:"/oauth/callback",methods:["GET"],handler:ls},{routeName:"oauth_dev_login",mount:"action",path:"/oauth/dev-login",methods:
["GET"],handler:ps},{routeName:"oauth_setup",mount:"action",path:"/oauth/setup",methods:["GET","POST"],handler:ms},{routeName:"oauth_token",mount:"action",path:"/oauth/token",methods:["POST"],handler:fs},{routeName:"oauth_revoke",mount:"action",path:"/oauth/revoke",methods:["POST"],handler:hs},{routeName:"upstream_client_metadata",mount:"action",path:"/.well-known/oauth-client/:connection",methods:["GET"],handler:ar("client_metadata",Cs)},{routeName:"upstream_connect",mount:"action",path:"/auth/connections/:connection/connect",methods:["GET"],handler:ar("connect",bs)},{routeName:"upstream_callback",mount:"action",path:"/auth/connections/:connection/callback",methods:["GET"],handler:ar("callback",Rn)}],Rf=Is.filter(e=>!e.routeName.startsWith("upstream_")),bf=Is.filter(e=>e.routeName.startsWith("upstream_"));function Cf(e){let t=Yn({routes:e.routes,policies:e.policies,gateway:e.gateway});return Xn(t),t}n(Cf,"initializeMcpGatewayConnectionRegistry");function vf(e){return[...e.byOperationId.values()].some(t=>t.downstreamOAuth!==void 0)}n(vf,"hasDownstreamOAuthRoutes");function Sf(e){let t=new Map;for(let o of e.byOperationId.values())o.downstreamOAuth&&t.set(o.downstreamOAuth.policyName,o.downstreamOAuth.config);if(t.size===1)return[...t.values()][0];let r=[...t.keys()].map(o=>`"${o}"`).join(", ");throw new q(`MCP gateway found multiple attached OAuth policies: ${r}. 
Multiple downstream MCP OAuth configs in one gateway are not supported yet; use one MCP OAuth policy across MCP routes or split these routes into separate gateways.`)}n(Sf,"readSingletonDownstreamOAuthConfig");function If(e,t,r){let o=String(t.params.routePath??""),i=e.byRoutePath.get(no(o));if(i===void 0)return;let a=i?.downstreamOAuth?.config;return a===void 0?It(t,r,{code:"not_found",detail:"The requested MCP route does not expose downstream OAuth."}):a}n(If,"readScopedDownstreamOAuthConfig");function xf(e){return e.path==="/.well-known/oauth-authorization-server/:routePath*"||e.path==="/.well-known/oauth-protected-resource/:routePath*"||e.path==="/oauth/authorize/:routePath*"}n(xf,"routeUsesScopedOAuthConfig");function vs(e,t,r){return async(o,i)=>{if(r){let u=await r(o,i);if(u instanceof Response)return u;u&&Dn(i,u)}let a=o.method==="OPTIONS",s=Date.now();a||i.log.info({event:`${e}_received`,method:o.method},`MCP gateway: ${e} received`);let c=await t(o,i);return a||i.log.info({event:`${e}_responded`,status:c.status,durationMs:Date.now()-s},`MCP gateway: ${e} responded`),c}}n(vs,"wrapInternalHandler");function Ss(e,t,r,o){e.addPluginRoute({path:gf(t,r),methods:t.methods,handler:o,processors:[An],corsPolicy:t.corsPolicy??"none"})}n(Ss,"addInternalRoute");function xs(e,t){let r=Cf(t),o=vf(r),i=r.connectionsById.size>0,a,s=n(()=>(a===void 0&&(a=Sf(r)),a),"readSingletonOAuthConfig");if(o)for(let c of Rf){let u=xf(c)?(p,f)=>If(r,p,f):s;Ss(e,c,r.gateway,vs(c.routeName,c.handler,u))}if(i)for(let c of bf)Ss(e,c,r.gateway,vs(c.routeName,c.handler))}n(xs,"registerMcpGatewayInternalRoutes");var Cn=class extends In{static{n(this,"McpGatewayPlugin")}#e;constructor(t={}){super(),this.#e=Hn(t)}registerRoutes(t){let r=t.parsedRouteData;r&&xs(t.router,{routes:r.routes,policies:r.policies,gateway:this.#e})}};var Af=new TextDecoder;function Uf(e){if(e)try{return JSON.parse(Af.decode(e))}catch{return}}n(Uf,"readBodyJson");function ce(e){return e&&typeof e=="object"?e:void 
0}n(ce,"readRecord");function _t(e,t){let r=ce(e)?.[t];return typeof r=="string"?r:void 0}n(_t,"readStringProperty");function Us(e,t){let r=ce(e)?.[t];return typeof r=="number"?r:void 0}n(Us,"readNumberProperty");function As(e,t){return Us(e,"code")??(t.status>=400?t.status:void 0)}n(As,"readErrorCode");function ks(e){return Array.isArray(e)?e.map(ks).find(t=>t?.method):ce(e)}n(ks,"readJsonRpcMessage");function Ps(e){let t=ks(Uf(e)),r=typeof t?.method=="string"?t.method:"",o=t?.params;switch(r){case"tools/list":return{mcpMethod:r,capabilityType:"tool"};case"tools/call":return{mcpMethod:r,capabilityType:"tool",capabilityName:_t(o,"name")};case"prompts/list":return{mcpMethod:r,capabilityType:"prompt"};case"prompts/get":return{mcpMethod:r,capabilityType:"prompt",capabilityName:_t(o,"name")};case"resources/list":case"resources/templates/list":return{mcpMethod:r,capabilityType:"resource"};case"resources/read":{let i=_t(o,"uri");return{mcpMethod:r,capabilityType:"resource",capabilityName:i,resourceUri:i}}default:return null}}n(Ps,"buildBaseCapabilityInput");function Ts(e){return e==="tools/list"||e==="prompts/list"||e==="resources/list"||e==="resources/templates/list"}n(Ts,"isCapabilityListMethod");function kf(e,t,r){let a=ce(r)?.[e==="resources/templates/list"?"resourceTemplates":t==="tool"?"tools":t==="prompt"?"prompts":"resources"];return Array.isArray(a)?a.length:void 0}n(kf,"readItemCount");async function Pf(e){try{return await e.clone().json()}catch{return}}n(Pf,"readResponseJson");function Es(e){let t=Ps(e);return!t||Ts(t.mcpMethod)?null:{eventType:C.MCP_CAPABILITY_INVOKED,outcome:"success",...t}}n(Es,"buildCapabilityInvokedAnalyticsInput");async function Os(e,t){let r=Ps(e);if(!r)return null;let o=ce(await 
Pf(t)),i=ce(o?.error),a=ce(i?.data),s=o?.result,c=r.mcpMethod==="tools/call"&&ce(s)?.isError===!0;if(ce(a?.connectRequired))return{eventType:C.MCP_CAPABILITY_CONNECT_REQUIRED,outcome:"connect_required",...r,httpStatusCode:t.status,reasonCode:"connect_required",reasonClass:"auth",errorType:"connect_required",errorCode:Us(i,"code"),mcpErrorType:_t(i,"message")};if(Ts(r.mcpMethod)){let u=t.status>=400?void 0:kf(r.mcpMethod,r.capabilityType,s);return{eventType:C.MCP_CAPABILITY_LISTED,outcome:t.status>=400||i?"failure":"success",...r,httpStatusCode:t.status,...t.status>=400||i?{reasonCode:"upstream_capability_list_failed",reasonClass:"upstream",errorType:"capability_list_error",errorCode:As(i,t)}:{},...u===void 0?{}:{attributes:{itemCount:u}}}}return t.status>=400||i?{eventType:C.MCP_CAPABILITY_FAILED,outcome:"failure",...r,httpStatusCode:t.status,reasonCode:"upstream_capability_invocation_failed",reasonClass:"upstream",errorType:"capability_error",errorCode:As(i,t),mcpErrorType:_t(i,"message")}:{eventType:C.MCP_CAPABILITY_COMPLETED,outcome:c?"application_error":"success",...r,httpStatusCode:t.status,toolResultIsError:c,applicationError:c}}n(Os,"buildCapabilityFinalAnalyticsInput");var Tf={Allow:"POST"};async function Ef(e){try{return await e.clone().arrayBuffer()}catch{return}}n(Ef,"readRequestBody");function Ms(e){try{let t=Qn(e.route.path);return{virtualServerName:t.operationId,upstreamServerName:t.connection?.upstreamServerId,upstreamServerTitle:t.connection?.displayName,authProfileId:t.connection?.authProfileId,upstreamAuthMode:t.connection?.authMode}}catch{return{}}}n(Ms,"readRouteAnalyticsFields");function qs(e){return lo(e.user,e.url,e.headers)?.subjectId}n(qs,"readRequestSubjectId");function Of(e){let t=Es(e.requestBody);t&&x(e.context,{...t,...Ms(e.context),httpMethod:e.request.method,subjectId:qs(e.request),transport:"http"})}n(Of,"emitCapabilityInvokedAnalytics");async function Mf(e){let t=await 
Os(e.requestBody,e.response);t&&x(e.context,{...t,...Ms(e.context),httpMethod:e.request.method,subjectId:qs(e.request),transport:"http",latencyMs:Date.now()-e.startedAt})}n(Mf,"emitCapabilityFinalAnalytics");async function qf(e,t){if(e.method==="GET")return ye.methodNotAllowed(e,t,{detail:"MCP Gateway routes support stateless Streamable HTTP requests over POST. Server-sent event GET streams are not supported."},Tf);let r=Date.now(),o=await Ef(e);Of({context:t,request:e,requestBody:o});let i=await Mn(e,t);return await Mf({context:t,request:e,requestBody:o,response:i,startedAt:r}),i}n(qf,"McpProxyHandler");export{Zs as McpAuth0OAuthInboundPolicy,yr as McpCapabilityFilterInboundPolicy,Ds as McpClerkOAuthInboundPolicy,Hs as McpCognitoOAuthInboundPolicy,zs as McpEntraOAuthInboundPolicy,Cn as McpGatewayPlugin,Ls as McpGoogleOAuthInboundPolicy,Bs as McpKeycloakOAuthInboundPolicy,js as McpLogtoOAuthInboundPolicy,Ks as McpOAuthInboundPolicy,Ns as McpOktaOAuthInboundPolicy,Gs as McpOneLoginOAuthInboundPolicy,$s as McpPingOAuthInboundPolicy,qf as McpProxyHandler,Jr as McpTokenExchangeInboundPolicy,Fs as McpWorkosOAuthInboundPolicy};
|
|
48
|
+
></iframe>`}n(Gl,"renderUpstreamHtml");var sa="application/json",Fl="application/x-www-form-urlencoded";function sr(e,t){return new f({message:e,extensionMembers:{[g]:"invalid_request"}},t===void 0?void 0:{cause:t})}n(sr,"invalidRequestError");function $l(e){return(e??"").split(";")[0]?.trim().toLowerCase()??""}n($l,"normalizeContentType");function Zl(e,t){return e===t?!0:t===sa&&e.endsWith("+json")}n(Zl,"contentTypeMatches");function Kl(e,t){if(!t||t.length===0)return;let r=$l(e.headers.get("content-type"));if(!t.some(o=>Zl(r,o)))throw sr(`Request body must be ${t.join(" or ")}.`)}n(Kl,"assertExpectedContentType");function Wl(e,t,r){let o=e.headers.get("content-length");if(!o)return;let i=Number.parseInt(o,10);if(Number.isFinite(i)&&i>t)throw sr(`${r} exceeded the maximum allowed size.`)}n(Wl,"assertContentLengthWithinLimit");async function ca(e,t){let r=t.label??"Request body";Kl(e,t.expectedContentTypes),Wl(e,t.maxBytes,r);let o=await er(e.body,{maxBytes:t.maxBytes,createLimitError:n(()=>sr(`${r} exceeded the maximum allowed size.`),"createLimitError")});return new TextDecoder().decode(o)}n(ca,"readBoundedTextBody");async function da(e,t){let r=await ca(e,{...t,expectedContentTypes:[sa]});try{return JSON.parse(r)}catch(o){throw sr("Request body must be valid JSON.",o)}}n(da,"readBoundedJsonBody");async function ua(e,t){let r=await ca(e,{...t,expectedContentTypes:[Fl]});return new URLSearchParams(r)}n(ua,"readBoundedFormUrlEncodedBody");N();N();import{errors as la,jwtVerify as pa,SignJWT as ma}from"jose";var Vl={invalid_request:400,invalid_client:401,invalid_grant:400,invalid_target:400,unsupported_grant_type:400,server_error:500,invalid_redirect_uri:400,invalid_client_metadata:400},m=class extends Error{static{n(this,"OAuthProtocolError")}errorCode;status;constructor(t,r,o=Vl[t],i){super(r,i),this.name="OAuthProtocolError",this.errorCode=t,this.status=o}};var 
Yl=5*60,Xl=d.object({purpose:d.literal("gateway_browser_login"),transactionId:br,stateId:Ir,exp:d.number().int().positive(),iat:d.number().int().positive().optional()}),Ql=d.object({purpose:d.literal("gateway_authorization_setup"),transactionId:br,stateId:Ir,exp:d.number().int().positive(),iat:d.number().int().positive().optional()});async function fa(){return ee({purpose:"browser-login",keyMaterialPurpose:"oauth-state-signing",derive:n(e=>Re(e,"browser-login"),"derive")})}n(fa,"getBrowserLoginKey");async function ha(){return ee({purpose:"authorization-csrf",keyMaterialPurpose:"oauth-state-signing",derive:n(e=>Re(e,"authorization-csrf"),"derive")})}n(ha,"getCsrfKey");function ga(e){return{now:e.now??new Date,ttlSeconds:ya()}}n(ga,"readPendingTransactionDependencies");function ya(){return H().browserLogin.stateTtlSeconds}n(ya,"readBrowserLoginStateTtlSeconds");function ep(e){let t=z();return J(e)&&t.isActionPath(e.pathname,"/oauth/dev-login")}n(ep,"isLoopbackDevLoginUrl");function tp(e){let t=H().browserLogin,r=z(),o=new URL(ye("url")),i=new URL(r.actionPath("/oauth/callback"),je(e.requestUrl,e.requestHeaders));return ep(o)?(o.searchParams.set("redirect_uri",i.toString()),o.searchParams.set("state",e.state),o):(o.searchParams.set("response_type","code"),o.searchParams.set("client_id",ye("clientId")),o.searchParams.set("redirect_uri",i.toString()),o.searchParams.set("scope",t.scope),o.searchParams.set("state",e.state),o.searchParams.set("nonce",e.nonce),t.audience&&o.searchParams.set("audience",t.audience),o)}n(tp,"buildBrowserLoginUrl");function rp(e,t){return e.subjectId===t.subjectId}n(rp,"principalsMatch");function _a(e){return{subjectId:e.subjectId,...e.roles===void 0?{}:{roles:e.roles}}}n(_a,"toPendingPrincipal");function wa(e){let 
t={id:e.id,currentStateHash:e.currentStateHash,clientId:e.transaction.clientId,redirectUri:e.transaction.redirectUri,resource:e.transaction.resource,operationId:e.transaction.operationId,scope:e.transaction.scope,codeChallenge:e.transaction.codeChallenge,codeChallengeMethod:e.transaction.codeChallengeMethod,createdAt:I(e.now),expiresAt:I(ae(e.now,e.ttlSeconds)),...e.transaction.clientState===void 0?{}:{clientState:e.transaction.clientState}};if(e.phase==="awaiting_login")return{...t,phase:"awaiting_login"};if(!e.principal)throw w("identity_context_missing","Authorization setup requires a principal.");return{...t,phase:"awaiting_setup",principal:_a(e.principal)}}n(wa,"createTransactionRecord");async function Ra(e){let{id:t,...r}=e.record,o=await b().startAuthorization({...r,transactionId:t,...e.client===void 0?{}:{client:e.client}});switch(o.kind){case"started":return o.transaction;case"already_exists":throw w("oauth_state_reused","Authorization transaction state already exists.");case"invalid_client":throw new m("invalid_client","OAuth client is not registered.");case"redirect_uri_mismatch":throw new m("invalid_request","redirect_uri is not registered for the client.")}}n(Ra,"startPendingTransaction");async function np(e){return new ma({purpose:"gateway_browser_login",transactionId:e.transactionId,stateId:e.stateId}).setProtectedHeader({alg:$,typ:"JWT"}).setIssuer(L).setAudience(F).setIssuedAt().setExpirationTime(Math.floor(Date.now()/1e3)+e.ttlSeconds).sign(await fa())}n(np,"signBrowserLoginState");async function ba(e){return new ma({purpose:"gateway_authorization_setup",transactionId:e.transactionId,stateId:Sr()}).setProtectedHeader({alg:$,typ:"JWT"}).setIssuer(L).setAudience(F).setIssuedAt().setExpirationTime(Math.floor(Date.now()/1e3)+e.ttlSeconds).sign(await ha())}n(ba,"signCsrfToken");async function on(e){try{let{payload:t}=await pa(e,await 
fa(),{algorithms:[$],issuer:L,audience:F}),r=Xl.parse(t);return{transactionId:r.transactionId,stateId:r.stateId}}catch(t){throw t instanceof la.JWTExpired?w("oauth_state_expired","Browser login state has expired.",t):w("oauth_state_invalid","Browser login state could not be verified.",t)}}n(on,"verifyBrowserLoginStateToken");async function cr(e){try{let{payload:t}=await pa(e,await ha(),{algorithms:[$],issuer:L,audience:F});return{transactionId:Ql.parse(t).transactionId}}catch(t){throw t instanceof la.JWTExpired?w("oauth_state_expired","Authorization setup state has expired.",t):w("oauth_state_invalid","Authorization setup state could not be verified.",t)}}n(cr,"verifyCsrfToken");function an(e){return e==="consumed"||e==="consumed_already"||e==="stale_hash"?"oauth_state_reused":e==="expired"?"oauth_state_expired":"oauth_state_invalid"}n(an,"pendingStateErrorCode");function op(e){return e.kind==="available"?{kind:"available",record:e.transaction}:e}n(op,"toPendingAuthorizationGetResult");function ip(e){return e.kind==="advanced"?{kind:"advanced",record:e.transaction}:e}n(ip,"toPendingAuthorizationAdvanceResult");function sn(e){return e==="principal_mismatch"?"oauth_callback_mismatch":an(e==="consumed_already"?"consumed_already":e)}n(sn,"setupDecisionErrorCode");async function Ia(e){let t=e.now??new Date,r=await cr(e.csrfToken),o=await b().markAuthorizationSetupApproved({transactionId:r.transactionId,currentStateHash:await A(e.csrfToken),currentPrincipal:{subjectId:e.currentBrowserPrincipal.subjectId},now:I(t)});if(o.kind!=="marked")throw w(sn(o.kind),"Authorization setup state is invalid, expired, or already used.");return Ca({kind:"available",record:o.transaction})}n(Ia,"markSetupApproved");function Ca(e){if(e.kind!=="available")throw w(an(e.kind),"Authorization setup state is invalid, expired, or already used.");if(e.record.phase!=="awaiting_setup")throw w("oauth_state_invalid","Authorization setup state is not in the setup phase.");return 
e.record}n(Ca,"requireAwaitingSetup");function ap(e){if(!rp(e.currentBrowserPrincipal,e.transaction.principal))throw w("oauth_callback_mismatch","Authorization setup state does not match the current browser session.")}n(ap,"requireCurrentPrincipalMatches");async function Sa(e){let t=e.now??new Date,r=ya(),o=Cr(),i=Sr(),a=await np({transactionId:o,stateId:i,ttlSeconds:r}),c=wa({id:o,transaction:e.transaction,currentStateHash:await A(a),phase:"awaiting_login",now:t,ttlSeconds:r});if(c.phase!=="awaiting_login")throw w("oauth_state_invalid","Authorization transaction did not start in login phase.");let s=await Ra({record:c,client:e.transaction.client});if(s.phase!=="awaiting_login")throw w("oauth_state_invalid","Authorization transaction did not start in login phase.");return{transaction:s,browserLoginStateToken:a,browserLoginUrl:tp({state:a,nonce:i,requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders}})}}n(Sa,"startAwaitingLogin");async function va(e){let{now:t,ttlSeconds:r}=ga(e),o=Cr(),i=await ba({transactionId:o,ttlSeconds:r}),a=wa({id:o,transaction:e.transaction,currentStateHash:await A(i),phase:"awaiting_setup",principal:e.principal,now:t,ttlSeconds:r});if(a.phase!=="awaiting_setup")throw w("oauth_state_invalid","Authorization transaction did not start in setup phase.");let c=await Ra({record:a,client:e.transaction.client});if(c.phase!=="awaiting_setup")throw w("oauth_state_invalid","Authorization transaction did not start in setup phase.");return{transaction:c,csrfToken:i}}n(va,"startAwaitingSetup");async function Aa(e){let{now:t,ttlSeconds:r}=ga(e),o=await on(e.browserLoginStateToken),i=await ba({transactionId:o.transactionId,ttlSeconds:r}),a=ip(await b().advancePendingAuthorization({transactionId:o.transactionId,expectedPhase:"awaiting_login",currentStateHash:await A(e.browserLoginStateToken),nextStateHash:await A(i),nextPhase:"awaiting_setup",principal:_a(e.principal),now:I(t)}));if(a.kind!=="advanced")throw 
w(an(a.kind),"Browser login state is invalid, expired, or already used.");if(a.record.phase!=="awaiting_setup")throw w("oauth_state_invalid","Browser login did not advance to setup.");return{transaction:a.record,csrfToken:i}}n(Aa,"completeLogin");async function xa(e){let t=await cn(e);return ap({transaction:t,currentBrowserPrincipal:e.currentBrowserPrincipal}),t}n(xa,"getSetup");async function cn(e){let t=e.now??new Date,r=await cr(e.csrfToken);return Ca(op(await b().readPendingAuthorization({transactionId:r.transactionId,currentStateHash:await A(e.csrfToken),now:I(t)})))}n(cn,"getSetupTransaction");async function sp(e){let t=await cr(e.csrfToken),r=ce(),o=I(ae(e.now,Yl)),i=await b().decideAuthorizationSetup({decision:"approve",transactionId:t.transactionId,currentStateHash:await A(e.csrfToken),currentPrincipal:{subjectId:e.currentBrowserPrincipal.subjectId},authorizationCodeHash:await A(r),authorizationCodeExpiresAt:o,grantId:go(),now:I(e.now)});if(i.kind!=="approved")throw w(i.kind==="cancelled"?"oauth_state_invalid":sn(i.kind),"Authorization setup state is invalid, expired, or already used.");let a=new URL(i.transaction.redirectUri);return a.searchParams.set("code",r),i.transaction.clientState&&a.searchParams.set("state",i.transaction.clientState),a}n(sp,"createAuthorizationCodeRedirectWithDecision");async function cp(e){let t=await cr(e.csrfToken),r=await b().decideAuthorizationSetup({decision:"cancel",transactionId:t.transactionId,currentStateHash:await A(e.csrfToken),currentPrincipal:{subjectId:e.currentBrowserPrincipal.subjectId},now:I(e.now)});if(r.kind!=="cancelled")throw w(r.kind==="approved"?"oauth_state_invalid":sn(r.kind),"Authorization setup state is invalid, expired, or already used.");return dp({redirectUri:r.transaction.redirectUri,clientState:r.transaction.clientState})}n(cp,"createCancelRedirectWithDecision");function dp(e){let t=new URL(e.redirectUri);return t.searchParams.set("error","access_denied"),t.searchParams.set("error_description","The 
user cancelled the MCP authorization request."),e.clientState!==void 0&&t.searchParams.set("state",e.clientState),t}n(dp,"buildClientCancelRedirect");async function ka(e){let t=e.now??new Date;return sp({csrfToken:e.csrfToken,currentBrowserPrincipal:e.currentBrowserPrincipal,now:t})}n(ka,"approve");async function Ta(e){let t=e.now??new Date;return cp({csrfToken:e.csrfToken,currentBrowserPrincipal:e.currentBrowserPrincipal,now:t})}n(Ta,"cancel");N();import{createRemoteJWKSet as up,errors as Ye,jwtVerify as Ua,SignJWT as lp}from"jose";var ln="zuplo_mcp_session",pp=d.object({purpose:d.literal("gateway_browser_session"),sub:rt,browserLoginOrigin:d.string().min(1),roles:d.array(d.string().min(1)).optional(),exp:d.number().int().positive(),iat:d.number().int().positive().optional()}),mp=d.object({id_token:d.string().min(1),token_type:d.string().min(1).optional(),expires_in:d.number().optional(),access_token:d.string().min(1).optional(),refresh_token:d.string().min(1).optional(),scope:d.string().min(1).optional()}),fp=d.object({error:d.string().min(1).optional(),error_description:d.string().min(1).optional(),error_uri:d.string().min(1).optional()}),hp=d.object({sub:rt,nonce:d.string().min(1)}).catchall(d.unknown()),dn;function gp(e){let t=new Map;if(!e)return t;for(let r of e.split(";")){let o=r.indexOf("=");if(o<0)continue;let i=r.slice(0,o).trim(),a=r.slice(o+1).trim();if(i)try{t.set(i,decodeURIComponent(a))}catch{t.set(i,a)}}return t}n(gp,"parseCookieHeader");async function Pa(){return ee({purpose:"browser-session",keyMaterialPurpose:"oauth-state-signing",derive:n(e=>Re(e,"browser-session"),"derive")})}n(Pa,"getBrowserSessionKey");function un(e,t){let r=new URL(U(e,t)),o=[`${ln}=`,"Path=/","HttpOnly","SameSite=Lax","Max-Age=0"];return r.protocol==="https:"&&o.push("Secure"),o.join("; ")}n(un,"buildBrowserSessionEvictionCookie");function yp(e){let t=new 
URL(U(e.requestUrl,e.requestHeaders)),r=[`${ln}=${encodeURIComponent(e.value)}`,"Path=/","HttpOnly","SameSite=Lax",`Max-Age=${e.ttlSeconds}`];return t.protocol==="https:"&&r.push("Secure"),r.join("; ")}n(yp,"serializeSessionCookie");function Ea(){return new URL(ye("url")).origin}n(Ea,"readBrowserLoginOrigin");function _p(e){let t=fp.safeParse(e);if(!t.success)return{};let r={};return t.data.error!==void 0&&(r.idpError=t.data.error),t.data.error_description!==void 0&&(r.idpErrorDescription=t.data.error_description.slice(0,256)),t.data.error_uri!==void 0&&(r.idpErrorUri=t.data.error_uri.slice(0,256)),r}n(_p,"readIdpErrorFields");function wp(e){return e instanceof Ye.JWTExpired?"expired":e instanceof Ye.JWTClaimValidationFailed?"claim":e instanceof Ye.JWSSignatureVerificationFailed?"signature":e instanceof Ye.JWKSNoMatchingKey?"jwks_no_match":e instanceof Ye.JWTInvalid?"invalid":e instanceof d.ZodError?"schema":"other"}n(wp,"readJwtFailureKind");function Rp(e){return e instanceof Error&&"cause"in e?e.cause:e}n(Rp,"readErrorCause");function bp(e){if(e!==null&&typeof e=="object"&&"extensionMembers"in e)return e.extensionMembers?.gatewayCode}n(bp,"readRuntimeGatewayCode");function Ip(){if(!dn){let e=H();dn=up(new URL(e.oidc.jwksUrl),{timeoutDuration:e.browserLogin.remoteTimeoutMs})}return dn}n(Ip,"readFederatedJwks");function Oa(e){if(!e.user)throw w("authentication_required","The browser login callback did not include an authenticated Zuplo principal.");return Ae(e.user,e.url)}n(Oa,"resolveCurrentRequestPrincipal");async function dr(e,t={}){let r=gp(e.headers.get("cookie")).get(ln);if(!r)return{};try{let{payload:o}=await Ua(r,await Pa(),{algorithms:[$],issuer:L,audience:F}),i=pp.parse(o);if(i.browserLoginOrigin!==Ea())return{evictCookie:un(e.url,e.headers)};let a={subjectId:i.sub};return i.roles&&i.roles.length>0&&(a.roles=i.roles),{principal:a}}catch(o){return o instanceof 
Ye.JWTExpired?{evictCookie:un(e.url,e.headers)}:(t.context?.log.warn({event:"browser_session_verification_failed",errorName:o instanceof Error?o.name:"unknown",errorMessage:o instanceof Error?o.message:"verification failed"},"Browser session JWT verification failed"),{evictCookie:un(e.url,e.headers)})}}n(dr,"readBrowserSession");async function ur(e){let t=H().browserLogin.sessionTtlSeconds,r={purpose:"gateway_browser_session",sub:e.principal.subjectId,browserLoginOrigin:Ea()};e.principal.roles&&(r.roles=e.principal.roles);let o=await new lp(r).setProtectedHeader({alg:$,typ:"JWT"}).setIssuer(L).setAudience(F).setIssuedAt().setExpirationTime(Math.floor(Date.now()/1e3)+t).sign(await Pa());return yp({value:o,requestUrl:e.requestUrl,requestHeaders:e.requestHeaders,ttlSeconds:t})}n(ur,"createBrowserSessionCookie");async function Cp(e){let t=H(),r=ye("tokenUrl"),o=ye("clientId"),i=ye("clientSecret"),a=new URL(z().actionPath("/oauth/callback"),je(e.requestUrl,e.requestHeaders)).toString(),c=new URLSearchParams({grant_type:"authorization_code",code:e.code,redirect_uri:a,client_id:o,client_secret:i});try{let{response:s,json:u}=await tr(r,{method:"POST",headers:{accept:"application/json","content-type":"application/x-www-form-urlencoded"},body:c},{maxResponseBytes:32768,problemCode:"browser_login_verification_failed",timeoutMs:t.browserLogin.remoteTimeoutMs,context:e.context});if(!s.ok){let R=_p(u);throw e.context?.log.warn({event:"federated_token_exchange_failed",code:"provider_access_denied",idpHost:Q(r),idpStatus:s.status,...R},"Federated browser login token exchange returned non-2xx from the identity provider"),w({code:"provider_access_denied",privateDetail:"Federated browser login token exchange failed.",cause:new Error(`IdP token exchange failed (status=${s.status}${R.idpError?` idp_error=${R.idpError}`:""}${R.idpErrorDescription?` idp_error_description=${R.idpErrorDescription}`:""})`)})}let p=mp.parse(u),h;try{({payload:h}=await 
Ua(p.id_token,Ip(),{issuer:t.oidc.issuer,audience:o}))}catch(R){let O={};throw G(O,"error",R),e.context?.log.warn({event:"federated_id_token_verification_failed",code:"browser_login_verification_failed",failureKind:wp(R),idpHost:Q(r),expectedIssuer:t.oidc.issuer,...O},"Federated id_token failed jose verification"),R}if(h.nonce!==e.nonce)throw e.context?.log.warn({event:"federated_nonce_mismatch",code:"oauth_callback_mismatch",idpHost:Q(r),nonceMissingFromIdToken:h.nonce===void 0},"Federated id_token nonce did not match the signed gateway state"),w("oauth_callback_mismatch","Federated browser login nonce did not match the signed gateway state.");let y=hp.parse(h);return{principal:Ae({sub:y.sub,data:y},e.requestUrl),subjectToken:{token:p.id_token,tokenType:ot,expiresAt:typeof h.exp=="number"?I(new Date(h.exp*1e3)):void 0}}}catch(s){let u=ie(s)??bp(s);throw u!==void 0&&u!=="browser_login_verification_failed"?s:w("browser_login_verification_failed","Federated browser login callback could not be verified.",Rp(s))}}n(Cp,"exchangeFederatedAuthorizationCode");async function qa(e){let t=typeof e.request.query.code=="string"?e.request.query.code:void 0;if(t)return Cp({code:t,nonce:e.stateId,requestUrl:e.request.url,requestHeaders:e.request.headers,context:e.context});let r=await dr(e.request,{context:e.context});if(r.principal)return{principal:r.principal};throw w("oauth_callback_mismatch","Federated browser login callback is missing an authorization code.")}n(qa,"resolveBrowserLoginCallbackIdentity");N();var Sp=new Set(["about","blob","data","file","ftp","ftps","javascript","mailto","urn","ws","wss"]);function vp(e){return e.protocol.replace(/:$/u,"").toLowerCase()}n(vp,"readScheme");function Ap(e){return e.protocol==="https:"}n(Ap,"isSpecCompliantRedirectUri");function xp(e){let t=vp(e);return t.length>0&&t!=="http"&&t!=="https"&&!Sp.has(t)}n(xp,"isNativeAppCustomSchemeRedirectUri");var 
Da=[{id:"oauth.redirect_uri.https",mode:"strict",accepts:n(e=>Ap(e),"accepts")},{id:"oauth.redirect_uri.loopback_http",mode:"native_app",accepts:n(e=>J(e),"accepts"),matches:n((e,t)=>J(e)&&J(t)&&e.pathname===t.pathname&&e.search===t.search,"matches")},{id:"oauth.redirect_uri.custom_scheme",mode:"native_app",accepts:n(e=>xp(e),"accepts")}];function za(e){let t=Da.find(r=>r.accepts(e.url));return t===void 0?{kind:"rejected"}:{kind:"allowed",ruleId:t.id,mode:t.mode}}n(za,"evaluateBuiltInRedirectUriCompatibility");function Ma(e){try{return new URL(e)}catch{return}}n(Ma,"parseUrl");function ja(e){if(e.registeredRedirectUri===e.requestedRedirectUri)return!0;let t=Ma(e.registeredRedirectUri),r=Ma(e.requestedRedirectUri);return t===void 0||r===void 0?!1:Da.some(o=>o.matches?.(t,r))}n(ja,"redirectUriMatchesBuiltInCompatibility");var kp=1e4,Tp=5*1024,Up=0,Pp=90*24*60*60,Ha=["authorization_code","refresh_token",Bt,_e],Ep=["authorization_code","refresh_token"],Ba=[po],Op=["code"],qp=d.object({client_name:d.string().min(1).optional(),redirect_uris:d.array(d.string().min(1)).min(1),grant_types:d.array(d.enum(Ha)).min(1).max(Ha.length).optional(),authorization_grant_profiles_supported:d.array(d.enum(Ba)).min(1).max(Ba.length).optional(),response_types:d.array(d.enum(Op)).min(1).max(1).optional(),scope:d.literal(P).optional(),token_endpoint_auth_method:ho.optional(),jwks_uri:d.string().min(1).optional()});function Mp(e){try{let t=new URL(e);return(t.protocol==="https:"||t.protocol==="http:"&&J(t))&&t.pathname!=="/"}catch{return!1}}n(Mp,"isCimdClientIdCandidate");function La(e,t){throw new m("invalid_client",So({clientId:e})??"OAuth client is not registered.",void 0,t===void 0?void 0:{cause:t})}n(La,"invalidCimdClientError");function Xe(e,t="invalid_request"){if(Dp(e))throw new m(t,"redirect_uris must not include raw whitespace or control characters.");let r;try{r=new URL(e)}catch{throw new m(t,"redirect_uris must be absolute URIs.")}if(r.hash||r.username||r.password)throw new 
m(t,"redirect_uris must not include credentials or fragments.");if(za({url:r}).kind==="rejected")throw new m(t,"redirect_uris must use HTTPS, loopback HTTP, or a native-app private-use URI scheme.")}n(Xe,"assertValidRedirectUri");function Dp(e){for(let t=0;t<e.length;t+=1){let r=e.charCodeAt(t);if(r<=32||r>=127&&r<=159)return!0}return!1}n(Dp,"hasForbiddenRawRedirectUriCharacter");async function zp(e){let{response:t,json:r}=await ni(e.initialUrl,{headers:{accept:"application/json"}},{maxRedirects:Up,maxResponseBytes:Tp,timeoutMs:kp});if(!t.ok)throw w("invalid_request","CIMD metadata could not be fetched.");let o=Jt(r);for(let i of o.redirect_uris)Xe(i,"invalid_request");if(o.jwks_uri!==void 0&&at(o.jwks_uri),o.client_id!==e.clientId)throw w("invalid_request","Fetched CIMD client_id must exactly match the requested client_id.");return o}n(zp,"fetchCimdMetadata");async function jp(e){let t=Gt(e),r=await zp({clientId:e,initialUrl:t});return{kind:"cimd",clientId:e,metadata:r}}n(jp,"resolveCimdClient");async function lr(e,t){let r=se.parse(e);if(Mp(r)){H().gateway.downstreamCimdEnabled||La(r);try{return await jp(r)}catch(i){La(r,i)}}let o=await b().readClient({clientId:r});if(o.kind==="found"){let i=o.client,a=Ao(i.clientId),c=a===void 0?i.tokenEndpointAuthMethod:"private_key_jwt",s=i.jwksUri??a;if(c==="private_key_jwt"&&s===void 0)throw new m("invalid_client","Dynamic private_key_jwt client is missing JWKS metadata. Re-run client registration before authorization.");let u=Jt({client_id:i.clientId,client_name:i.clientName,redirect_uris:i.redirectUris,token_endpoint_auth_method:c,...s===void 0?{}:{jwks_uri:s}}),p={kind:"dcr",clientId:r,metadata:u};return i.hashedClientSecret&&(p.hashedClientSecret=i.hashedClientSecret),p}throw new m("invalid_client",r.startsWith("dcr:")?"Dynamic client is not registered. 
Re-run client registration before authorization.":"OAuth client is not registered.")}n(lr,"resolveClient");function Na(e,t){if(!e.metadata.redirect_uris.some(r=>ja({registeredRedirectUri:r,requestedRedirectUri:t})))throw w("invalid_request","redirect_uri is not registered for the client.")}n(Na,"assertRedirectRegistered");function Hp(e){return e===void 0?[...Ep]:Array.from(new Set(e))}n(Hp,"normalizeGrantTypes");function Bp(e){try{at(e)}catch(t){throw new m("invalid_client_metadata","jwks_uri must be an HTTPS URL with a path, no credentials or fragment, and must not point at a blocked host.",void 0,{cause:t})}}n(Bp,"assertValidDcrJwksUri");function Lp(e){return e.tokenEndpointAuthMethod==="private_key_jwt"&&e.jwksUri!==void 0?se.parse(vo({clientId:crypto.randomUUID(),jwksUri:e.jwksUri})):se.parse(`dcr:${crypto.randomUUID()}`)}n(Lp,"createDcrClientId");function Qe(e){if(e===void 0||e===P)return P;throw new m("invalid_request",`Only the ${P} scope is supported.`)}n(Qe,"assertSupportedOAuthScope");function Ee(e,t,r){let o;try{o=new URL(t)}catch{throw new m("invalid_target","resource must be an absolute URI.")}if(o.hash)throw new m("invalid_target","resource must not include a fragment.");if(o.protocol!=="https:"&&!J(o))throw new m("invalid_target","resource must use HTTPS except loopback HTTP resources in local development.");let i=U(e,r),a=uo(),c=a?[...a.byOperationId.values()].find(s=>new URL(s.routePath,i).toString()===t):void 0;if(!c)throw new m("invalid_target","resource must match a published MCP route.");return c}n(Ee,"resolveResource");async function Ja(e){let t;try{t=qp.parse(e)}catch(R){if(R instanceof d.ZodError){let O=R.issues.some(E=>E.path[0]==="redirect_uris");throw new m(O?"invalid_redirect_uri":"invalid_client_metadata",R.issues[0]?.message??"Client metadata is invalid.",void 0,{cause:R})}throw R}for(let R of t.redirect_uris)Xe(R,"invalid_redirect_uri");if(t.token_endpoint_auth_method==="private_key_jwt"&&t.jwks_uri===void 0)throw new 
m("invalid_client_metadata","jwks_uri is required for private_key_jwt clients.");t.jwks_uri!==void 0&&Bp(t.jwks_uri);let r=new Date,o=t.token_endpoint_auth_method??"none",i=o==="private_key_jwt"?"none":o,a=Lp({tokenEndpointAuthMethod:o,jwksUri:t.jwks_uri}),c=Jt({client_id:a,client_name:t.client_name??"Dynamically registered MCP client",redirect_uris:t.redirect_uris,token_endpoint_auth_method:o,...t.jwks_uri===void 0?{}:{jwks_uri:t.jwks_uri}}),s=ae(r,Pp),u=Math.floor(r.getTime()/1e3),p=Math.floor(s.getTime()/1e3),h={client_id:c.client_id,client_name:c.client_name,redirect_uris:c.redirect_uris,grant_types:Hp(t.grant_types),authorization_grant_profiles_supported:t.authorization_grant_profiles_supported,response_types:["code"],scope:P,token_endpoint_auth_method:c.token_endpoint_auth_method,client_id_issued_at:u,jwks_uri:c.jwks_uri},y={clientId:c.client_id,clientName:c.client_name,redirectUris:c.redirect_uris,tokenEndpointAuthMethod:i,createdAt:I(r),clientExpiresAt:I(s)};if(o==="client_secret_basic"||o==="client_secret_post"){let R=ce();y.hashedClientSecret=await A(R),y.clientSecretExpiresAt=I(s),h.client_secret=R,h.client_secret_expires_at=p,h.client_secret_issued_at=u}if((await b().registerClient(y)).kind==="already_exists")throw w("invalid_request","OAuth client is already registered.");return h}n(Ja,"registerDownstreamClient");function Np(e){return e?.metadata?.idpSubjectTokenType!==He&&e?.metadata?.idpSubjectTokenExpiresAt!==void 0&&new Date(e.metadata.idpSubjectTokenExpiresAt).getTime()<=Date.now()?!1:e?.status==="active"&&e.metadata?.encryptedIdpSubjectToken!==void 0&&e.metadata.idpSubjectTokenType!==void 0}n(Np,"hasStoredIdJagSubjectTokenBinding");async function Ga(e){let t=ze(e.principal.subjectId);return(await b().batchGetUpstreamConnections([{owner:t,upstreamServerId:e.connection.upstreamServerId,authProfileId:e.connection.authProfileId}]))[0]}n(Ga,"readIdJagSubjectConnection");async function pn(e){let 
t=V().byOperationId.get(e.operationId);if(t?.connection===void 0||t.connection.authMode!=="id-jag")return!1;let r=await Ga({connection:t.connection,principal:e.principal});return!Np(r)}n(pn,"requiresIdJagSubjectTokenBinding");async function Fa(e){if(e.subjectToken===void 0)return;let t=V().byOperationId.get(e.transaction.operationId);if(t?.connection===void 0||t.connection.authMode!=="id-jag"||e.principal.subjectId!==e.transaction.principal.subjectId)return;let r=await Ga({connection:t.connection,principal:e.principal});return b().upsertUpstreamConnection({id:r?.id??Ft(),ownerMode:"user",subjectId:e.transaction.principal.subjectId,upstreamServerId:t.connection.upstreamServerId,authProfileId:t.connection.authProfileId,status:"active",encryptedAccessToken:r?.encryptedAccessToken,encryptedRefreshToken:r?.encryptedRefreshToken,scopes:r?.scopes??[],expiresAt:r?.expiresAt,metadata:{...r?.metadata??{},encryptedIdpSubjectToken:await ue(e.subjectToken.token),idpSubjectTokenType:e.subjectToken.tokenType,idpSubjectTokenExpiresAt:e.subjectToken.expiresAt}})}n(Fa,"bindIdJagSubjectTokenForAuthorizationTransaction");function pr(e){return S`<img class="card__icon" src="${e.iconHref}" alt="" width="48" height="48" referrerpolicy="no-referrer" onerror=" this.onerror = null; this.src = '${e.fallbackIconHref}'; " />`}n(pr,"renderShellIcon");function $a(e){return S`<form class="actions" method="post" action="${e.setupAction}" ${e.submitOnceAttrs}><input type="hidden" name="state" value="${e.state}" /><button class="button button--secondary" type="submit" name="decision" value="cancel" formnovalidate >Cancel</button><button class="button button--primary" type="submit" name="decision" value="approve" ${e.authorizeAttrs} >Authorize</button></form>`}n($a,"renderActions");var Za=le('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="16" height="16" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><circle 
cx="8" cy="8" r="6.5"/><line x1="8" y1="4.6" x2="8" y2="8.4"/><circle cx="8" cy="11" r=".7" fill="currentColor" stroke="none"/></svg>');function Ka(e){return S`<div class="banner banner--warning" role="status"><span class="banner__icon" aria-hidden="true">${e.icon}</span><div class="banner__body"><p class="banner__title">Setup required</p><p class="banner__message">${e.message}</p></div></div>`}n(Ka,"renderBannerWarning");var uR=le('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="14" height="14" fill="none" stroke="currentColor" stroke-width="1.8" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M4 6.5l4 4 4-4"/></svg>'),lR=le('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.6" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><rect x="3" y="4" width="18" height="7" rx="1.5"/><rect x="3" y="13" width="18" height="7" rx="1.5"/><circle cx="7" cy="7.5" r=".75" fill="currentColor" stroke="none"/><circle cx="7" cy="16.5" r=".75" fill="currentColor" stroke="none"/></svg>');var pR=le('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="16" height="16" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M7.13 2.46 1.39 12.5a1 1 0 0 0 .87 1.5h11.48a1 1 0 0 0 .87-1.5L8.87 2.46a1 1 0 0 0-1.74 0Z"/><line x1="8" y1="6" x2="8" y2="9.4"/><circle cx="8" cy="11.4" r=".7" fill="currentColor" stroke="none"/></svg>');var Jp="data:,",Wa=S`data-submit-once="true" onsubmit="if (this.dataset.submitted === 'true') return false; this.dataset.submitted = 'true'; setTimeout(() => this.querySelectorAll('button').forEach((button) => { button.disabled = true; }), 0);"`,Va=S`data-activate-once="true" onclick="if (this.dataset.activated === 'true') return false; this.dataset.activated = 'true'; this.setAttribute('aria-disabled', 'true'); this.style.pointerEvents = 'none';"`;function 
Gp(e,t,r){if(e)try{let o=new URL(t).origin,i=new URL(e,o);return i.origin!==o||!i.pathname.startsWith(r.actionPath("/auth/connections/"))?void 0:i.toString()}catch{return}}n(Gp,"safeGatewayConnectHref");function Fp(e){return e.some(r=>r.ownerMode==="user"&&r.status!=="active")?"setup":"grant"}n(Fp,"deriveMode");function $p(e){return $a({state:e.state,setupAction:e.gateway.actionPath("/oauth/setup"),submitOnceAttrs:Wa,authorizeAttrs:Y})}n($p,"renderActions");function mn(e,t,r,o){for(let i of e){if(i.ownerMode!=="user"||i.status!==r)continue;let a=Gp(i.connectUrl,t,o);if(a)return a}}n(mn,"firstUserConnectHref");function Zp(e){let t=e.connectHref===void 0?Y:S`<a class="button button--primary" href="${e.connectHref}" ${Va}>Connect</a>`;return S`<form class="actions" method="post" action="${e.gateway.actionPath("/oauth/setup")}" ${Wa}><input type="hidden" name="state" value="${e.state}" /><button class="button button--secondary" type="submit" name="decision" value="cancel" formnovalidate>Cancel</button>${t}</form>`}n(Zp,"renderSetupActions");function Kp(e){return e?S`<span class="reconnect-action"><a class="button button--secondary reconnect-button" href="${e}" ${Va}>Re-connect<span class="tooltip" tabindex="0" aria-label="Reset or change how the gateway connects to the upstream service, including changing scopes.">?</span></a></span>`:Y}n(Kp,"renderReconnectAction");function Wp(e){try{let t=new URL(e);return t.protocol==="https:"||t.protocol==="http:"?!0:t.protocol==="data:"&&/^data:image\/(?:png|jpe?g|webp|svg\+xml);/i.test(e)}catch{return!1}}n(Wp,"isRenderableIconHref");function Ya(e){return e?.find(t=>Wp(t.src))?.src}n(Ya,"readIconHref");function Vp(e){return Ya(e.serverIcons)??(e.transportHost===void 0?void 0:Nr(e.transportHost).src)}n(Vp,"readUpstreamIconHref");function Yp(e){let t=Ya(e.routeIcons);if(t!==void 0)return t;for(let r of e.upstreams){let o=Vp(r);if(o!==void 0)return o}}n(Yp,"readHeaderIconHref");function Xp(e){let t=e.setupMessage===void 
0?Y:Ka({icon:Za,message:e.setupMessage});return S`<p class="card__subtitle">Authorize '<strong>${e.clientDisplayName}</strong>' to access '<strong>${e.routeDisplayName}</strong>' on your behalf?</p>${t}`}n(Xp,"renderBody");function fn(e){let t=Fp(e.upstreams),r=mn(e.upstreams,e.gatewayOrigin,"not_connected",e.gateway),o=mn(e.upstreams,e.gatewayOrigin,"reconsent_required",e.gateway),i=mn(e.upstreams,e.gatewayOrigin,"active",e.gateway),a=t==="setup"?r??o:void 0,c=t==="setup"?e.upstreams.find(p=>p.ownerMode==="user"&&p.status!=="active"&&p.connectUrl===void 0&&p.setupMessage!==void 0)?.setupMessage:void 0,s=Yp({routeIcons:e.routeIcons,upstreams:e.upstreams}),u=t==="setup"?S`<footer class="card__footer">${Zp({state:e.state,connectHref:a,gateway:e.gateway})}</footer>`:S`<footer class="card__footer">${Kp(i)}${$p({state:e.state,gateway:e.gateway})}</footer>`;return Ze(We({title:`Authorize access \xB7 ${e.routeDisplayName}`,iconHref:s??Jp,styles:Ke,headerIcon:s===void 0?Y:pr({iconHref:s,fallbackIconHref:Yt}),heading:"Authorize access",subhead:Y,body:Xp({routeDisplayName:e.routeDisplayName,clientDisplayName:e.clientDisplayName,setupMessage:c}),footer:u}))}n(fn,"renderConsentPage");var Qp=1e4,Xa="mcp-session-id",em;function ns(){return{tools:[],prompts:[],resources:[]}}n(ns,"emptyCapabilities");function Qa(){return new Headers({accept:"application/json, text/event-stream","content-type":"application/json","mcp-protocol-version":vr})}n(Qa,"buildReadinessHeaders");async function es(e){if(e.type==="bearer_token"){let o=Qa();return o.set("authorization",`Bearer ${e.token}`),o}let t=await e.provider.tokens();if(!t)return;let r=Qa();return r.set("authorization",`${t.token_type??"Bearer"} ${t.access_token}`),r}n(es,"buildAsyncCredentialHeaders");function ts(e){return new 
Request(e.upstreamUrl,{method:"POST",headers:e.headers,body:JSON.stringify(jt.parse({jsonrpc:zt,id:1,method:"initialize",params:{protocolVersion:vr,capabilities:{},clientInfo:{name:"zuplo-mcp-gateway-readiness",version:"0.0.0"}}}))})}n(ts,"buildInitializePreflight");async function hn(e){it(e.url);let t=new AbortController,r=setTimeout(()=>t.abort(),Qp);try{let o=new Request(e,{redirect:"manual",signal:t.signal});return await Ut.fetch(o)}finally{clearTimeout(r)}}n(hn,"runPreflight");function gn(e){e.body?.cancel().catch(()=>{})}n(gn,"releasePreflightBody");async function tm(e){let t=e.response.headers.get(Xa);if(!t)return;let r=new Headers(e.headers);r.set(Xa,t),r.delete("content-type");try{let o=await hn(new Request(e.upstreamUrl,{method:"DELETE",headers:r}));gn(o)}catch{}}n(tm,"terminatePreflightSession");async function os(e){let{response:t}=e;return gn(t),t.status>=200&&t.status<300?(await tm(e),{kind:"ready",upstreamStatus:t.status,capabilities:ns()}):t.status===401||t.status===403?{kind:"upstream_auth_rejected",status:t.status,message:"Upstream MCP server rejected the configured credential."}:{kind:"upstream_unavailable",status:t.status,message:"Upstream MCP server did not accept the readiness preflight."}}n(os,"classifyResponse");function rs(e){let t={status:e.state==="reconsent_required"?"reconsent_required":"not_connected",connected:!1};return e.nextAction==="admin_setup_required"?{kind:"admin_setup_required",payload:e,connectionStatus:t}:{kind:"connect_required",payload:e,connectionStatus:t}}n(rs,"connectRequiredResult");async function rm(e){try{return os({response:await hn(e.request),upstreamUrl:e.upstreamUrl,headers:e.headers})}catch(t){return{kind:"upstream_unavailable",message:t instanceof Error?t.message:"Upstream MCP server readiness preflight failed."}}}n(rm,"classifyPreflight");async function nm(e){let t=e.route.connection;if(t===void 0)return{kind:"ready",upstreamStatus:204,capabilities:ns()};let 
r=ir(t.upstreamServerId,e.route.operationId),o=$e(r,e.subjectId),i=e.returnTo===void 0?o:{...o,returnTo:e.returnTo},a=new Request(e.requestUrl,{headers:e.requestHeaders}),c=await Fe({request:a,routeAuth:i,preloadedConnection:e.preloadedConnection});if(c.kind==="connect_required")return rs(c.payload);let s=await es(c.credential);if(s===void 0)return{kind:"upstream_auth_rejected",status:401,message:"Upstream credential did not produce tokens."};let u=ts({upstreamUrl:t.mcpUrl,headers:s}),p;try{p=await hn(u)}catch(T){return{kind:"upstream_unavailable",message:T instanceof Error?T.message:"Upstream MCP server readiness preflight failed."}}if(p.status!==401)return os({response:p,upstreamUrl:t.mcpUrl,headers:s});gn(p);let h=await Fe({request:a,routeAuth:i,forceRefresh:!0,preloadedConnection:e.preloadedConnection});if(h.kind==="connect_required")return rs(h.payload);let y=await es(h.credential);return y===void 0?{kind:"upstream_auth_rejected",status:401,message:"Upstream credential did not produce tokens after refresh."}:rm({request:ts({upstreamUrl:t.mcpUrl,headers:y}),upstreamUrl:t.mcpUrl,headers:y})}n(nm,"checkUpstreamRouteReadinessImpl");function is(e){return(em??nm)(e)}n(is,"checkUpstreamRouteReadiness");function om(e){try{return new URL(e).host}catch{return}}n(om,"safeUrlHost");function as(e){return e!==void 0&&e.length>0}n(as,"hasItems");function im(e){let t=e.serverInfo?.icons;if(as(t))return t;let r=Xt(e.mcpUrl);return r===void 0?void 0:[r]}n(im,"readServerIcons");async function am(e){let{authConfig:t,authMode:r,description:o,displayName:i,mcpUrl:a,ownerMode:c,upstreamServerId:s,authProfileId:u}=e.registeredConnection,p=c==="user",h=p&&r!=="id-jag",y=e.readiness??(p?Uo(e.connection):{connected:!0,status:"active"}),T=h?e.readiness?.connectUrl??(e.returnTo!==void 0?await 
Fr({requestUrl:e.requestUrl,requestHeaders:e.requestHeaders,owner:e.userOwner,initiatedBySubjectId:e.transaction.principal.subjectId,upstreamServerId:s,authProfileId:u,operationId:e.route.operationId,returnTo:e.returnTo}):void 0):void 0,R=t.mode==="id-jag"?t.idJag.scopes:t.oauth.scopes;return{upstreamServerId:s,authProfileId:u,authMode:r,ownerMode:c,upstreamDisplayName:i,description:o,transportHost:om(a),scopesRequested:as(R)?R:void 0,serverIcons:im(e.registeredConnection),status:y.status,connected:y.connected,capabilities:{tools:[],prompts:[],resources:[]},connectUrl:T,setupMessage:e.setupMessage,updatedAt:p&&"updatedAt"in y&&y.updatedAt!==void 0?y.updatedAt:void 0,expiresAt:e.readiness?.expiresAt??e.connection?.expiresAt}}n(am,"buildSetupRequirement");function ss(e){let t=V().byOperationId.get(e);if(!t)throw w("unknown_mcp_route",`Unknown MCP route: ${e}`);return t}n(ss,"requireRoute");async function yn(e){let t=ss(e.transaction.operationId),r=ze(e.transaction.principal.subjectId),o=t.connection;if(o===void 0)return[];let a=o.ownerMode==="user"?(await b().batchGetUpstreamConnections([{owner:r,upstreamServerId:o.upstreamServerId,authProfileId:o.authProfileId}]))[0]:void 0,c=await is({requestUrl:e.requestUrl,requestHeaders:e.requestHeaders,route:t,subjectId:e.transaction.principal.subjectId,preloadedConnection:a,returnTo:e.returnTo}),s="connectionStatus"in c?c.connectionStatus:void 0,u=(c.kind==="connect_required"||c.kind==="admin_setup_required")&&c.payload.authUrl!==void 0?c.payload.authUrl:void 0,p=c.kind==="admin_setup_required"?c.payload.message:void 0;return[await am({connection:a,registeredConnection:o,route:t,requestUrl:e.requestUrl,requestHeaders:e.requestHeaders,returnTo:e.returnTo,transaction:e.transaction,userOwner:r,setupMessage:p,readiness:s===void 0?void 0:{...s,connectUrl:u}})]}n(yn,"requirementsForSetup");async function _n(e){let t=ss(e.transaction.operationId),r=await 
b().readClient({clientId:e.transaction.clientId}),o=r.kind==="found"?r.client:void 0,i={gatewayOrigin:U(e.requestUrl,e.requestHeaders),routeDisplayName:t.connection?.displayName??t.operationId,clientDisplayName:o?.clientName??String(e.transaction.clientId),principalLabel:e.transaction.principal.subjectId},a=t.connection?.description;return a!==void 0&&(i.routeDescription=a),i}n(_n,"consentContext");function wn(e){return e.some(t=>t.ownerMode==="user"&&t.status!=="active")}n(wn,"hasUnresolvedUserUpstream");var sm=["mcp_user"],cm="dev-browser-user",dm=["resource is required for /oauth/authorize.","MCP clients should start at the MCP server URL and follow its WWW-Authenticate resource_metadata link.","If your client reached this endpoint directly, use /oauth/authorize/{routePath} where {routePath} is the published MCP route path without a leading slash and each segment is URL-encoded as needed, for example /oauth/authorize/mcp/linear, or add resource={protected resource URI from protected-resource metadata}."].join(" "),um=d.object({response_type:d.literal("code"),client_id:d.string().min(1),redirect_uri:d.string().min(1),resource:d.url(),code_challenge:d.string().min(43),code_challenge_method:mo,state:d.string().min(1).optional(),scope:d.literal(P).default(P)}),lm=d.enum(["continue","approve","cancel"]).default("continue"),pm=d.object({state:d.string().min(1),decision:lm}),Ce=class extends Error{static{n(this,"DownstreamAuthorizeRedirectError")}redirectUri;clientState;errorCode;errorDescription;constructor(t){super(t.errorDescription?`${t.errorCode}: ${t.errorDescription}`:t.errorCode,t.cause===void 0?void 0:{cause:t.cause}),this.name="DownstreamAuthorizeRedirectError",this.redirectUri=t.redirectUri,this.clientState=t.clientState,this.errorCode=t.errorCode,this.errorDescription=t.errorDescription}};function cs(e){return typeof e=="string"&&e.length>0?e:void 0}n(cs,"readQueryString");function mm(e,t){let r=cs(e.query.resource);if(t===void 0){if(r!==void 0)return 
r;throw new m("invalid_target",dm)}let o=Ro(t,e.url,e.headers);if(r===void 0||r===o)return o;throw new m("invalid_target","resource must match the scoped OAuth authorization endpoint resource.")}n(mm,"requireAuthorizeResource");async function fm(e,t){let r={};t!==void 0&&(r.context=t);let o=await dr(e,r);if(o.principal)return{principal:o.principal};if(!e.user)return o.evictCookie===void 0?{}:{setCookie:o.evictCookie};let i=Oa(e);return{principal:i,setCookie:await ur({principal:i,requestUrl:e.url,requestHeaders:e.headers})}}n(fm,"resolveBrowserPrincipal");async function hm(e,t){let r={};t!==void 0&&(r.context=t);let o=await dr(e,r);if(!o.principal)throw w("authentication_required","Authorization setup requires a current browser session.");return o.principal}n(hm,"requireSetupPrincipal");function ds(e){return`${z().actionPath("/oauth/setup")}?state=${encodeURIComponent(e)}`}n(ds,"buildSetupReturnTo");async function us(e){let t=await yn({transaction:e.transaction,requestUrl:e.requestUrl,requestHeaders:e.requestHeaders,returnTo:ds(e.csrfToken)}),r=await _n({transaction:e.transaction,requestUrl:e.requestUrl,requestHeaders:e.requestHeaders}),o={kind:"setup_page",html:fn({state:e.csrfToken,operationId:e.transaction.operationId,gateway:z(),upstreams:t,...r})};return e.setCookie!==void 0&&(o.setCookie=e.setCookie),o}n(us,"renderSetup");function gm(e){if(e===void 0)return;let t=e.metadata.token_endpoint_auth_method;return{clientId:e.clientId,clientName:e.metadata.client_name,tokenEndpointAuthMethod:t}}n(gm,"toAuthorizationTransactionClient");async function Rn(e,t={}){let r=um.parse({...e.query,resource:mm(e,t.operationId),state:cs(e.query.state)}),o=Qe(r.scope);Xe(r.redirect_uri,"invalid_request");let i=new Date,a=se.parse(r.client_id),c=await lr(r.client_id,i);Na(c,r.redirect_uri);try{let s=Ee(e.url,r.resource,e.headers),u=gm(c);t.context?.log.info({event:"oauth_authorize_request_parsed",clientId:a,operationId:s.operationId,scope:o,hasClientState:r.state!==void 
0},"Downstream OAuth authorize: request parsed and client resolved"),t.context&&v(t.context,{eventType:C.MCP_OAUTH_AUTHORIZE_STARTED,outcome:"success",virtualServerName:s.operationId,attributes:{clientId:a,scope:o,responseType:r.response_type}});let p={clientId:c?.clientId??a,...u===void 0?{}:{client:u},redirectUri:r.redirect_uri,resource:r.resource,operationId:s.operationId,scope:o,codeChallenge:r.code_challenge,codeChallengeMethod:r.code_challenge_method,...r.state===void 0?{}:{clientState:r.state}},{principal:h,setCookie:y}=await fm(e,t.context),T=h===void 0?!1:await pn({operationId:s.operationId,principal:h});if(!h||T){let O=await Sa({transaction:p,requestUrl:e.url,requestHeaders:e.headers,now:i});t.context?.log.info({event:"oauth_authorize_awaiting_login",clientId:a,operationId:s.operationId,reason:h?"id_jag_subject_binding_missing":"no_browser_session"},"Downstream OAuth authorize: redirecting to browser login");let E={kind:"redirect",location:O.browserLoginUrl};return y!==void 0&&(E.setCookie=y),E}let R=await va({transaction:p,principal:h,now:i});return t.context?.log.info({event:"oauth_authorize_awaiting_setup",clientId:a,operationId:s.operationId,subjectId:h.subjectId},"Downstream OAuth authorize: rendering consent/setup page"),t.context&&v(t.context,{eventType:C.MCP_OAUTH_AUTHORIZE_AWAITING_SETUP,outcome:"success",virtualServerName:s.operationId,attributes:{clientId:a,scope:o,responseType:r.response_type,subjectId:h.subjectId}}),us({transaction:R.transaction,csrfToken:R.csrfToken,requestUrl:e.url,requestHeaders:e.headers,setCookie:y})}catch(s){throw ym({redirectUri:r.redirect_uri,clientState:r.state,cause:s})}}n(Rn,"authorizeDownstreamClient");function ym(e){if(e.cause instanceof Ce)return e.cause;let t=_m(e.cause);return t?new Ce({redirectUri:e.redirectUri,clientState:e.clientState,errorCode:t.errorCode,errorDescription:t.errorDescription,cause:e.cause}):e.cause}n(ym,"toDownstreamAuthorizeRedirectError");function _m(e){if(e instanceof 
m)return{errorCode:e.errorCode,errorDescription:e.message};if(e instanceof d.ZodError){let t=e.issues[0];return{errorCode:t?.path.includes("resource")?"invalid_target":"invalid_request",errorDescription:t?.message}}}n(_m,"mapToOAuthRedirectError");async function ls(e,t={}){let r=typeof e.query.error=="string"?e.query.error:void 0;if(r){let p=typeof e.query.error_description=="string"?e.query.error_description.slice(0,256):void 0,h=typeof e.query.error_uri=="string"?e.query.error_uri.slice(0,256):void 0;throw t.context?.log.warn({event:"browser_login_callback_idp_error",code:"provider_access_denied",idpError:r,...p===void 0?{}:{idpErrorDescription:p},...h===void 0?{}:{idpErrorUri:h}},"Identity provider redirected browser-login callback with an error"),w("provider_access_denied",p??"The delegated browser login was not completed.")}let o=typeof e.query.state=="string"?e.query.state:void 0;if(!o)throw t.context?.log.warn({event:"browser_login_callback_state_missing",code:"oauth_state_invalid"},"Browser login callback was invoked without a state parameter"),w("oauth_state_invalid","Browser login callback is missing state.");let i=await on(o),a={request:e,stateId:i.stateId};t.context!==void 0&&(a.context=t.context);let c=await qa(a),s=await Aa({browserLoginStateToken:o,principal:c.principal});if(await Fa({transaction:s.transaction,principal:c.principal,subjectToken:c.subjectToken}),await pn({operationId:s.transaction.operationId,principal:c.principal}))throw w("browser_login_verification_failed","The identity provider did not return the subject token required for XAA / ID-JAG.");let u=await us({transaction:s.transaction,csrfToken:s.csrfToken,requestUrl:e.url,requestHeaders:e.headers});return u.setCookie=await ur({principal:c.principal,requestUrl:e.url,requestHeaders:e.headers}),u}n(ls,"completeBrowserLoginCallback");async function ps(e){let t=H(),r=new URL(e.url);if(!J(r))throw w("forbidden","Local browser login is only available on loopback HTTP origins.");let o=typeof 
e.query.state=="string"?e.query.state:void 0;if(!o)throw w("oauth_state_invalid","Local browser login is missing state.");let i=z().actionPath("/oauth/callback"),a=new URL(typeof e.query.redirect_uri=="string"?e.query.redirect_uri:i,U(e.url)),c=new URL(U(e.url)).origin;if(a.origin!==c||a.pathname!==i)throw w("oauth_callback_mismatch",`Local browser login redirect_uri must target this gateway's ${i} route.`);a.searchParams.set("state",o);let s={subjectId:rt.parse(cm),roles:sm};return{kind:"redirect",location:a,setCookie:await ur({principal:s,requestUrl:e.url,requestHeaders:e.headers})}}n(ps,"completeLocalDevBrowserLogin");function wm(e){let t=e.method==="POST"?e.body:e.query;return pm.parse(t)}n(wm,"readSetupContinueRequest");async function ms(e){let{state:t,decision:r}=wm({method:e.request.method,query:e.request.query,body:e.body}),o=new Date,i=await cn({csrfToken:t,now:o}),a=await hm(e.request,e.context);if(r==="cancel")return{kind:"redirect",location:await Ta({csrfToken:t,currentBrowserPrincipal:a,now:o})};let c=await xa({csrfToken:t,currentBrowserPrincipal:a,now:o}),s=await yn({transaction:c,requestUrl:e.request.url,requestHeaders:e.request.headers,returnTo:ds(t)});if(r==="approve"&&wn(s)&&await Ia({csrfToken:t,currentBrowserPrincipal:a,now:o}),wn(s)){let u=await _n({transaction:c,requestUrl:e.request.url,requestHeaders:e.request.headers});return{kind:"setup_page",html:fn({state:t,operationId:c.operationId,gateway:z(),upstreams:s,...u})}}return{kind:"redirect",location:await ka({csrfToken:t,currentBrowserPrincipal:a,now:o})}}n(ms,"continueDownstreamAuthorizeSetup");N();import{createLocalJWKSet as Em,decodeJwt as Om,errors as vt,jwtVerify as qm}from"jose";N();import{createRemoteJWKSet as Rm,decodeJwt as bm,decodeProtectedHeader as Im,errors as St,jwtVerify as Cm}from"jose";var 
_s=30,k=d.string().min(1),Sm=d.union([k,d.array(k).min(1)]),vm=d.union([k,d.array(k).min(1)]),Am=d.object({type:k,locations:d.array(k).optional(),actions:d.array(k).optional(),datatypes:d.array(k).optional(),identifier:k.optional(),privileges:d.array(k).optional()}).passthrough(),xm=d.object({iss:d.url(),sub:k,aud:Sm,client_id:k,resource:vm.optional(),scope:k.optional(),authorization_details:d.array(Am).optional(),jti:k,iat:d.number().int(),nbf:d.number().int().optional(),exp:d.number().int(),tenant:k.optional(),aud_tenant:k.optional(),aud_sub:k.optional(),sub_id:k.optional(),act:d.unknown().optional(),email:k.optional(),auth_time:d.number().int().optional(),acr:k.optional(),amr:d.array(k).optional(),cnf:d.unknown().optional()}).passthrough();function K(e){throw new m("invalid_grant",e)}n(K,"throwInvalidGrant");function km(e){return e instanceof St.JWTExpired?"expired":e instanceof St.JWTClaimValidationFailed?"claim":e instanceof St.JWSSignatureVerificationFailed?"signature":e instanceof St.JWKSNoMatchingKey?"jwks_no_match":e instanceof St.JWTInvalid?"invalid":e instanceof d.ZodError?"schema":"other"}n(km,"readJwtFailureKind");function Tm(e){return Array.isArray(e.aud)?(e.aud.length!==1&&K("ID-JAG audience must contain exactly one value."),e.aud[0]):e.aud}n(Tm,"readSingleAudience");function fs(e){try{let t=xm.parse(e);return Tm(t),t}catch(t){if(t instanceof m)throw t;K("ID-JAG claims are invalid.")}}n(fs,"parseIdJagClaims");function Um(e,t){e.idJag.enabled||K("ID-JAG grant is not enabled.");let r=e.idJag.trustedIssuers.find(o=>o.issuer===t);return r===void 0&&K("ID-JAG issuer is not trusted."),r}n(Um,"readTrustedIssuer");function Pm(e){let t=e.authorizationDetails;if(t===void 0)return;if(e.allowedTypes===void 0)return t;let r=new Set(e.allowedTypes);return t.filter(o=>r.has(o.type))}n(Pm,"readGrantedAuthorizationDetails");function hs(e){if(e.clientAuth.method==="none")throw new m("invalid_client","Client authentication 
failed.");e.claims.client_id!==e.authenticatedClientId&&K("ID-JAG client_id must match the authenticated client."),e.trustedIssuer.expectedClientIds!==void 0&&!e.trustedIssuer.expectedClientIds.includes(e.claims.client_id)&&K("ID-JAG client_id is not allowed for this issuer.")}n(hs,"assertClientBinding");function gs(e){e.cnf!==void 0&&K("ID-JAG cnf-bound assertions require DPoP support.")}n(gs,"assertProofOfPossessionNotDeferred");function ys(e){let t=Math.floor(e.now.getTime()/1e3)+_s;e.claims.iat>t&&K("ID-JAG iat must not be in the future.")}n(ys,"assertIssuedAtNotInFuture");async function ws(e){let t;try{t=Im(e.assertion)}catch{K("ID-JAG assertion is malformed.")}t.typ!==wr&&K('ID-JAG header typ must be "oauth-id-jag+jwt".');let r;try{r=fs(bm(e.assertion))}catch(s){if(s instanceof m)throw s;K("ID-JAG assertion is malformed.")}let o=je(e.requestUrl,e.requestHeaders),i=[o];e.requestedResource!==void 0&&e.requestedResource!==o&&i.push(e.requestedResource);let a=Um(e.config,r.iss);i.includes(r.iss)&&K("ID-JAG issuer must be different from the gateway."),hs({claims:r,trustedIssuer:a,authenticatedClientId:e.authenticatedClientId,clientAuth:e.clientAuth}),gs(r),ys({claims:r,now:e.now});let c;try{let s=Rm(new URL(a.jwksUrl)),{payload:u}=await Cm(e.assertion,s,{issuer:a.issuer,audience:i,currentDate:e.now,clockTolerance:_s,typ:wr});c=fs(u)}catch(s){e.context?.log.warn({event:"oauth_id_jag_verification_failed",issuer:a.issuer,failureKind:km(s)},"OAuth ID-JAG assertion verification failed"),K("ID-JAG assertion verification failed.")}return hs({claims:c,trustedIssuer:a,authenticatedClientId:e.authenticatedClientId,clientAuth:e.clientAuth}),gs(c),ys({claims:c,now:e.now}),{claims:c,trustedIssuer:a,subjectId:bo({issuer:c.iss,subject:c.sub,gatewayIssuer:o,subjectMapping:a.subjectMapping,tenant:c.tenant}),grantedAuthorizationDetails:Pm({authorizationDetails:c.authorization_details,allowedTypes:e.config.idJag.enabled?e.config.idJag.authorizationDetailsTypesAllowed:void 
0})}}n(ws,"verifyIdJagAssertion");var Mm=new Set(["authorization_code","refresh_token",_e]),Dm=1e4,zm=32*1024,jm=2,Hm=60*60,bn=d.object({client_id:d.string().min(1).optional(),client_secret:d.string().min(1).optional(),client_assertion_type:d.string().min(1).optional(),client_assertion:d.string().min(1).optional()}),Bm=d.discriminatedUnion("grant_type",[bn.extend({grant_type:d.literal("authorization_code"),code:d.string().min(1),redirect_uri:d.string().min(1),code_verifier:Nt,resource:d.url().optional(),scope:d.literal(P).optional()}),bn.extend({grant_type:d.literal("refresh_token"),refresh_token:d.string().min(1),resource:d.url().optional(),scope:d.literal(P).optional()}),bn.extend({grant_type:d.literal(_e),assertion:d.string().min(1),resource:d.url().optional(),scope:d.literal(P).optional(),authorization_details:d.string().min(1).optional()})]);function Lm(e){if(typeof e!="object"||e===null)return;let t=e.grant_type;if(t!==void 0&&(typeof t!="string"||!Mm.has(t)))throw new m("unsupported_grant_type",`Grant type "${typeof t=="string"?t:""}" is not supported.`)}n(Lm,"assertSupportedGrantType");var Nm=d.object({token:d.string().min(1),client_id:d.string().min(1).optional(),token_type_hint:d.string().optional(),client_secret:d.string().min(1).optional(),client_assertion_type:d.string().min(1).optional(),client_assertion:d.string().min(1).optional()}),Jm=d.object({keys:d.array(d.record(d.string(),d.unknown())).min(1)}).passthrough();function bs(){return H().gateway.accessTokenTtlSeconds}n(bs,"readAccessTokenTtlSeconds");function Gm(){return H().gateway.refreshTokenTtlSeconds}n(Gm,"readRefreshTokenTtlSeconds");function Rs(e,t){let r=bs(),o=Math.max(1,Math.floor((new Date(t).getTime()-e.getTime())/1e3)),i=Math.min(r,o);return{expiresAt:I(ae(e,i)),expiresIn:i}}n(Rs,"calculateAccessTokenExpiresAt");function Fm(e){let t=e.claimedResource===void 0?[]:Array.isArray(e.claimedResource)?e.claimedResource:[e.claimedResource];if(e.requestedResource!==void 
0){if(t.length>0&&!t.includes(e.requestedResource))throw new m("invalid_target","Token request resource must match the ID-JAG resource.");return e.requestedResource}if(t.length===0)throw new m("invalid_target","resource is required for the ID-JAG JWT bearer grant.");if(t.length!==1)throw new m("invalid_target","ID-JAG resource arrays require a token request resource.");return t[0]}n(Fm,"readIdJagResource");function $m(e){if(e.claimAuthorizationDetails===void 0)return;let t=(e.grantedAuthorizationDetails??[]).filter(r=>r.locations?.includes(e.resource)===!0);if(t.length===0)throw new m("invalid_grant","ID-JAG authorization_details must authorize the requested resource.");return t}n($m,"readIdJagGrantedAuthorizationDetails");function Zm(e){if(e.claimScope?.split(/\s+/).includes(P)===!0||(e.grantedAuthorizationDetails?.length??0)>0)return P;if(e.claimScope===void 0)throw new m("invalid_grant",`ID-JAG must include ${P} scope or matching authorization_details.`);if(!e.claimScope.split(/\s+/).includes(P))throw new m("invalid_grant",`ID-JAG scope must include ${P}.`);return P}n(Zm,"readIdJagGrantedScope");function Km(e){if(e!==void 0&&e.get("dpop")!==null)throw new m("invalid_request","DPoP proofs are not supported for the ID-JAG JWT bearer grant.")}n(Km,"assertNoDpopProofForIdJag");function Is(e){if(!e?.startsWith("Basic "))return{};let t;try{t=atob(e.slice(6))}catch{throw new m("invalid_client","Malformed HTTP Basic client authentication.")}let r=t.indexOf(":");if(r<0)throw new m("invalid_client","Malformed HTTP Basic client authentication.");try{return{clientId:decodeURIComponent(t.slice(0,r)),clientSecret:decodeURIComponent(t.slice(r+1))}}catch{throw new m("invalid_client","Malformed HTTP Basic client authentication.")}}n(Is,"readBasicClientSecret");function Cs(e){if(e.basicClientId!==void 0&&e.bodyClientId!==void 0&&e.basicClientId!==e.bodyClientId)throw new m("invalid_request","Authenticated client_id must match request client_id.");let 
t=e.basicClientId??e.bodyClientId;if(t!==void 0)return t;if(e.clientAssertion!==void 0){try{let r=Om(e.clientAssertion);if(typeof r.iss=="string"&&typeof r.sub=="string"&&r.iss===r.sub)return r.iss}catch{throw new m("invalid_client","Malformed private_key_jwt client assertion.")}throw new m("invalid_client","private_key_jwt client assertion must identify the client with matching iss and sub claims.")}throw new m("invalid_client","Client authentication or client_id is required.")}n(Cs,"resolveAuthenticatedClientId");function Wm(e){if(e.basicClientSecret!==void 0&&e.bodyClientSecret!==void 0)throw new m("invalid_request","Use only one client authentication method per request.");return e.basicClientSecret!==void 0?{clientSecret:e.basicClientSecret,clientSecretSource:"basic"}:e.bodyClientSecret!==void 0?{clientSecret:e.bodyClientSecret,clientSecretSource:"post"}:{}}n(Wm,"resolveClientSecretInput");function Vm(e){return e.clientAssertion!==void 0||e.clientAssertionType!==void 0}n(Vm,"hasClientAssertion");function Ym(e){if(e.requestUrl===void 0)throw new m("invalid_request","Request URL is required for private_key_jwt client authentication.");let t=new URL(z().actionPath(e.pathname),U(e.requestUrl,e.requestHeaders));return t.search="",t.hash="",t.toString()}n(Ym,"buildEndpointAudience");function Xm(e){return e instanceof vt.JWTExpired?"expired":e instanceof vt.JWTClaimValidationFailed?"claim":e instanceof vt.JWSSignatureVerificationFailed?"signature":e instanceof vt.JWKSNoMatchingKey?"jwks_no_match":e instanceof vt.JWTInvalid?"invalid":e instanceof d.ZodError?"schema":"other"}n(Xm,"readJwtFailureKind");async function Qm(e){let{response:t,json:r}=await oi(e.jwksUri,{headers:{accept:"application/json"}},{context:e.context,maxRedirects:jm,maxResponseBytes:zm,timeoutMs:Dm});if(!t.ok)throw new m("invalid_client","Client JWKS could not be fetched.");return Jm.parse(r)}n(Qm,"fetchClientJwks");async function ef(e){if(e.clientAssertionType!==Lt||e.clientAssertion===void 0)throw 
new m("invalid_request","private_key_jwt client authentication requires a JWT bearer client_assertion and client_assertion_type.");let t=se.parse(e.clientId),r=await lr(t,e.now);if(r.metadata.token_endpoint_auth_method!=="private_key_jwt")throw new m("invalid_client","Client is not registered for private_key_jwt authentication.");let o=r.metadata.jwks_uri;if(o===void 0)throw new m("invalid_client","Client JWKS URI is required for private_key_jwt authentication.");let i=Ym({requestUrl:e.requestUrl,requestHeaders:e.requestHeaders,pathname:e.endpointPathname});try{let a=await Qm({jwksUri:o,context:e.context}),{payload:c}=await qm(e.clientAssertion,Em(a),{issuer:t,subject:t,audience:i,currentDate:e.now}),s=Math.floor(e.now.getTime()/1e3)+Hm;if(typeof c.exp!="number"||c.exp>s)throw new m("invalid_client","Client authentication failed.")}catch(a){throw e.context?.log.warn({event:"oauth_private_key_jwt_client_auth_failed",clientId:t,failureKind:Xm(a)},"OAuth private_key_jwt client authentication failed"),new m("invalid_client","Client authentication failed.")}return{method:"private_key_jwt",clientId:t}}n(ef,"verifyPrivateKeyJwtClientAssertion");async function tf(e){let t=se.parse(e.clientId);if(xo(t))throw new m("invalid_client","Client is registered for private_key_jwt authentication.");return e.clientSecret===void 0?{method:"none",clientId:t}:{method:e.clientSecretSource==="post"?"client_secret_post":"client_secret_basic",clientId:t,clientSecretHashInput:await A(e.clientSecret)}}n(tf,"buildRuntimeHttpClientAuth");async function Ss(e){if(Vm({clientAssertion:e.clientAssertion,clientAssertionType:e.clientAssertionType})){if(e.basicClientSecret!==void 0||e.bodyClientSecret!==void 0)throw new m("invalid_request","Use only one client authentication method per request.");return ef(e)}let t=Wm({basicClientSecret:e.basicClientSecret,bodyClientSecret:e.bodyClientSecret});return tf({clientId:e.clientId,...t})}n(Ss,"resolveRuntimeHttpClientAuth");async function vs(e){Lm(e.body);let 
t=Bm.parse(e.body),r=Is(e.authorizationHeader),o=Cs({basicClientId:r.clientId,bodyClientId:t.client_id,clientAssertion:t.client_assertion}),i=new Date,a=await Ss({clientId:o,basicClientSecret:r.clientSecret,bodyClientSecret:t.client_secret,clientAssertion:t.client_assertion,clientAssertionType:t.client_assertion_type,requestUrl:e.requestUrl,requestHeaders:e.requestHeaders,endpointPathname:"/oauth/token",now:i,context:e.context});return rf({parsed:t,clientId:o,clientAuth:a,now:i,requestUrl:e.requestUrl,requestHeaders:e.requestHeaders,context:e.context})}n(vs,"exchangeDownstreamToken");async function rf(e){if(e.parsed.grant_type==="authorization_code"){Xe(e.parsed.redirect_uri,"invalid_request"),Qe(e.parsed.scope),e.parsed.resource!==void 0&&Ee(e.requestUrl??e.parsed.resource,e.parsed.resource,e.requestHeaders);let s=ce(),u=ce(),p=I(ae(e.now,Gm())),h=Rs(e.now,p),y=await b().exchangeAuthorizationCode({clientAuth:e.clientAuth,codeHash:await A(e.parsed.code),redirectUri:e.parsed.redirect_uri,resource:e.parsed.resource,codeChallenge:await Oo(e.parsed.code_verifier),currentRefreshTokenHash:await A(s),accessTokenHash:await A(u),grantExpiresAt:p,accessTokenExpiresAt:h.expiresAt,now:I(e.now)});if(y.kind==="invalid_client")throw new m("invalid_client","Client authentication failed.");if(y.kind==="resource_mismatch")throw new m("invalid_target","Token request resource must match the authorization code resource.");if(y.kind!=="exchanged")throw new m("invalid_grant","Authorization code is invalid, expired, already used, or failed binding validation.");return e.context&&v(e.context,{eventType:C.MCP_OAUTH_TOKEN_ISSUED,outcome:"success",attributes:{clientId:e.clientId,grantType:"authorization_code"}}),{access_token:u,token_type:"Bearer",expires_in:h.expiresIn,refresh_token:s,scope:y.grant.scope,resource:y.grant.resource}}if(e.parsed.grant_type===_e){Qe(e.parsed.scope),Km(e.requestHeaders);let s=await 
ws({assertion:e.parsed.assertion,authenticatedClientId:e.clientId,clientAuth:e.clientAuth,requestUrl:e.requestUrl??e.parsed.resource??"",requestHeaders:e.requestHeaders,requestedResource:e.parsed.resource,now:e.now,context:e.context,config:H()}),u=Fm({claimedResource:s.claims.resource,requestedResource:e.parsed.resource}),p=Ee(e.requestUrl??u,u,e.requestHeaders),h=$m({claimAuthorizationDetails:s.claims.authorization_details,grantedAuthorizationDetails:s.grantedAuthorizationDetails,resource:u}),y=Zm({claimScope:s.claims.scope,grantedAuthorizationDetails:h}),T=ce(),R=I(new Date(s.claims.exp*1e3)),O=Rs(e.now,R),E=await b().issueAccessTokenForIdJag({clientAuth:e.clientAuth,accessTokenHash:await A(T),subjectId:s.subjectId,resource:u,operationId:p.operationId,scope:y,authorizationDetails:h,accessTokenExpiresAt:O.expiresAt,now:I(e.now),idJag:{issuer:s.claims.iss,jti:s.claims.jti,tenant:s.claims.tenant,expiresAt:R}});if(E.kind==="invalid_client")throw new m("invalid_client","Client authentication failed.");if(E.kind==="resource_mismatch")throw new m("invalid_target","Token request resource must match the ID-JAG resource.");return e.context&&v(e.context,{eventType:C.MCP_OAUTH_TOKEN_ISSUED,outcome:"success",attributes:{clientId:e.clientId,grantType:"jwt-bearer"}}),{access_token:T,token_type:"Bearer",expires_in:O.expiresIn,scope:E.grant.scope,resource:E.grant.resource,...h===void 0?{}:{authorization_details:h}}}Qe(e.parsed.scope),e.parsed.resource!==void 0&&Ee(e.requestUrl??e.parsed.resource,e.parsed.resource,e.requestHeaders);let t=await A(e.parsed.refresh_token),r=e.parsed.refresh_token,o=ce(),i=I(ae(e.now,bs())),a=await b().refreshToken({clientAuth:e.clientAuth,currentRefreshTokenHash:t,nextRefreshTokenHash:t,accessTokenHash:await A(o),resource:e.parsed.resource,accessTokenExpiresAt:i,now:I(e.now)});if(a.kind==="invalid_client")throw new m("invalid_client","Client authentication failed.");if(a.kind==="resource_mismatch")throw new m("invalid_target","Token request resource 
must match the refresh token grant resource.");if(a.kind!=="rotated")throw new m("invalid_grant","Refresh token is invalid, expired, or revoked.");Ee(e.requestUrl??a.grant.resource,a.grant.resource,e.requestHeaders);let c=a.accessToken.expiresAt;return e.context&&v(e.context,{eventType:C.MCP_OAUTH_TOKEN_ISSUED,outcome:"success",attributes:{clientId:e.clientId,grantType:"refresh_token"}}),{access_token:o,token_type:"Bearer",expires_in:Math.max(1,Math.floor((new Date(c).getTime()-e.now.getTime())/1e3)),refresh_token:r,scope:a.grant.scope,resource:a.grant.resource}}n(rf,"exchangeDownstreamTokenWithRuntimeHttp");async function As(e){let t=Nm.parse(e.body),r=Is(e.authorizationHeader),o=Cs({basicClientId:r.clientId,bodyClientId:t.client_id,clientAssertion:t.client_assertion}),i=new Date;if((await b().revokeOAuthToken({clientAuth:await Ss({clientId:o,basicClientSecret:r.clientSecret,bodyClientSecret:t.client_secret,clientAssertion:t.client_assertion,clientAssertionType:t.client_assertion_type,requestUrl:e.requestUrl,requestHeaders:e.requestHeaders,endpointPathname:"/oauth/revoke",now:i,context:e.context}),tokenHash:await A(t.token),now:I(i)})).kind==="invalid_client")throw new m("invalid_client","Client authentication failed.");e.context?.log.info({event:"oauth_token_revoked",clientId:o,...t.token_type_hint===void 0?{}:{tokenTypeHint:t.token_type_hint}},"OAuth token revocation request processed"),e.context&&v(e.context,{eventType:C.MCP_OAUTH_TOKEN_REVOKED,outcome:"success",attributes:{clientId:o,...t.token_type_hint===void 0?{}:{tokenTypeHint:t.token_type_hint}}})}n(As,"revokeDownstreamToken");var nf=64*1024,of=16*1024,af="text/html; charset=utf-8";function sf(e){let t={};for(let[r,o]of e.entries())t[r]=o;return t}n(sf,"formDataToObject");async function cf(e){return da(e,{maxBytes:nf,label:"Request body"})}n(cf,"readJsonBody");async function Cn(e){return sf(await ua(e,{maxBytes:of,label:"Request body"}))}n(Cn,"readFormBody");async function ks(e,t,r){let o=ie(r),i=r 
instanceof d.ZodError?Se(r):void 0,a={code:o??(r instanceof d.ZodError?"invalid_request":"internal_server_error")};return i!==void 0&&(a.detail=i),Mt(e,t,a)}n(ks,"handleProblem");function Ts(e){return e?.requestId}n(Ts,"readBrowserRequestId");function Us(e){if(!(e instanceof f))return;let t=e.extensionMembers?.[De];return typeof t=="string"?t:void 0}n(Us,"readUpstreamHtmlError");function xs(e,t){let r=e.extensionMembers?.[t];return typeof r=="string"?r:void 0}n(xs,"readRuntimeErrorExtensionString");function df(e,t){let r=e.extensionMembers?.[t];return typeof r=="number"?r:void 0}n(df,"readRuntimeErrorExtensionNumber");function uf(e){try{return new URL(e.url).pathname}catch{return}}n(uf,"readBrowserRequestPath");function Oe(e){let t={code:e.code,requestId:e.requestId,routePath:uf(e.request),underlyingError:e.underlyingError};return e.error instanceof f&&(t.httpStatus=df(e.error,he),t.contentType=xs(e.error,Me),t.upstreamUrl=xs(e.error,ge)),t}n(Oe,"buildBrowserErrorDiagnostic");function At(e){let t=new Headers(e.headers);t.set("cache-control","no-store"),t.set("pragma","no-cache");let r={error:e.error};return e.errorDescription!==void 0&&(r.error_description=e.errorDescription),Response.json(r,{status:e.status??400,headers:t})}n(At,"oauthErrorResponse");function lf(e,t){return e.errorCode!=="invalid_client"?{}:t.includeInvalidClientChallenge===!1?{}:{"WWW-Authenticate":'Basic realm="OAuth"'}}n(lf,"readOAuthProtocolHeaders");function pf(e,t){let r=X("internal_server_error");return At({error:e.errorCode,errorDescription:e.errorCode==="server_error"?r.publicDetail:e.message,status:e.status,headers:lf(e,t)})}n(pf,"oauthProtocolErrorResponse");function In(e){return e.issues[0]?.path.includes("resource")===!0?"invalid_target":"invalid_request"}n(In,"readZodOAuthErrorCode");function mf(e){let t={error:In(e)},r=Se(e);return r!==void 0&&(t.errorDescription=r),At(t)}n(mf,"oauthZodErrorResponse");function ff(e){let t=ie(e);if(t===void 0)return;let r=X(t);if(r.oauthError===void 
0)return;let o={error:r.oauthError,status:gf(r.oauthError)};return r.oauthError==="server_error"?o.errorDescription=r.publicDetail:e instanceof Error?o.errorDescription=e.message:o.errorDescription=r.publicDetail,At(o)}n(ff,"oauthGatewayProblemResponse");function hf(){let t={error:"server_error",status:500,errorDescription:X("internal_server_error").publicDetail};return At(t)}n(hf,"oauthFallbackErrorResponse");function gf(e){switch(e){case"invalid_client":return 401;case"server_error":return 500;default:return 400}}n(gf,"readOAuthStatus");function Sn(e,t={}){return e instanceof Ce?Os(e):e instanceof m?pf(e,t):e instanceof d.ZodError?mf(e):ff(e)??hf()}n(Sn,"oauthProblemResponse");function vn(e,t,r){let o=Ve(e.url),i=Ts(t);if(r instanceof Ce)return Os(r);if(r instanceof m){let s=X("internal_server_error");return te({host:o,kind:yf(r.errorCode),title:"Authorization failed",detail:r.errorCode==="server_error"?s.publicDetail:r.message,developerDetail:r.errorCode==="server_error"?s.publicDetail:r.message,code:r.errorCode,diagnostic:Oe({request:e,requestId:i,code:r.errorCode,underlyingError:r.errorCode==="server_error"?s.publicDetail:r.message,error:r}),requestId:i,status:r.status})}if(r instanceof d.ZodError)return te({host:o,kind:"invalid_request",detail:Se(r)??"The authorization request was invalid.",developerDetail:Se(r)??"The authorization request was invalid.",code:In(r),diagnostic:Oe({request:e,requestId:i,code:In(r),underlyingError:Se(r)??"The authorization request was invalid.",error:r}),requestId:i});let a=ie(r);if(a!==void 0){let s=X(a);return te({host:o,kind:Es(a),detail:s.publicDetail,developerDetail:s.status>=500||!(r instanceof Error)?s.publicDetail:r.message,code:a,diagnostic:Oe({request:e,requestId:i,code:a,underlyingError:s.status>=500||!(r instanceof Error)?s.publicDetail:r.message,error:r}),requestId:i,upstreamHtml:Us(r),status:s.status})}let c=X("internal_server_error");return 
te({host:o,kind:"internal_error",detail:c.publicDetail,developerDetail:c.publicDetail,code:"server_error",diagnostic:Oe({request:e,requestId:i,code:"server_error",underlyingError:c.publicDetail,error:r}),requestId:i,status:c.status})}n(vn,"browserOAuthProblemResponse");function Ps(e,t,r){let o=Ve(e.url),i=Ts(t),a=ie(r);if(a!==void 0){let s=X(a);return te({host:o,kind:Es(a),detail:s.publicDetail,developerDetail:s.status>=500||!(r instanceof Error)?s.publicDetail:r.message,code:a,diagnostic:Oe({request:e,requestId:i,code:a,underlyingError:s.status>=500||!(r instanceof Error)?s.publicDetail:r.message,error:r}),requestId:i,upstreamHtml:Us(r),status:s.status})}if(r instanceof d.ZodError)return te({host:o,kind:"invalid_request",detail:Se(r)??"The authorization request was invalid.",developerDetail:Se(r)??"The authorization request was invalid.",code:"invalid_request",diagnostic:Oe({request:e,requestId:i,code:"invalid_request",underlyingError:Se(r)??"The authorization request was invalid.",error:r}),requestId:i});let c=X("internal_server_error");return te({host:o,kind:"internal_error",detail:c.publicDetail,developerDetail:c.publicDetail,code:"internal_server_error",diagnostic:Oe({request:e,requestId:i,code:"internal_server_error",underlyingError:c.publicDetail,error:r}),requestId:i,status:c.status})}n(Ps,"browserGatewayProblemResponse");function yf(e){return e==="server_error"?"internal_error":"invalid_request"}n(yf,"readOAuthBrowserErrorKind");function 
Es(e){if(X(e).status>=500)return"internal_error";switch(e){case"mcp_route_not_enabled":case"unknown_upstream_server":case"unknown_mcp_route":case"unknown_auth_profile":case"mcp_route_upstream_mismatch":return"configuration_error";case"provider_access_denied":return"access_denied";case"oauth_state_invalid":case"oauth_state_expired":case"oauth_state_reused":case"oauth_callback_mismatch":return"session_expired";case"upstream_oauth_discovery_unavailable":case"upstream_provider_access_denied":case"upstream_client_registration_required":return"admin_required";case"browser_login_verification_failed":case"upstream_token_exchange_failed":case"upstream_token_response_invalid":return"connection_failed";case"invalid_request":case"authentication_required":case"forbidden":case"not_found":case"too_many_requests":case"identity_context_missing":return"invalid_request";case"upstream_capability_invocation_failed":case"upstream_capability_unavailable":case"upstream_import_failed":return"connection_failed";case"internal_server_error":return"internal_error"}return"authorization_failed"}n(Es,"readGatewayBrowserErrorKind");function pe(e,t,r){let o={event:t},i=!1;if(r instanceof m)o.oauthError=r.errorCode,o.status=r.status,G(o,"error",r);else if(r instanceof Ce)o.oauthError=r.errorCode,G(o,"error",r);else if(r instanceof d.ZodError){o.code="invalid_request",G(o,"error",r);let a=r.issues[0];a&&(o.zodPath=a.path.join("."))}else{let a=ie(r);if(a!==void 0){let c=X(a);o.code=a,o.status=c.status,c.oauthError!==void 0&&(o.oauthError=c.oauthError),i=c.status>=500||c.oauthError==="server_error",G(o,"error",r)}else i=!0,G(o,"error",r)}if(i){let a=r instanceof Error?r:new Error("Non-Error thrown from OAuth handler",{cause:r});e.log.error(o,a.message)}else e.log.warn(o,"OAuth handler rejected the request")}n(pe,"logUnexpectedOAuthHandlerError");function Os(e){let t;try{t=new URL(e.redirectUri)}catch{return At({error:e.errorCode,...e.errorDescription===void 
0?{}:{errorDescription:e.errorDescription}})}t.searchParams.set("error",e.errorCode),e.errorDescription!==void 0&&t.searchParams.set("error_description",e.errorDescription),e.clientState!==void 0&&t.searchParams.set("state",e.clientState);let r=new Headers({location:t.toString(),"cache-control":"no-store"});return new Response(null,{status:302,headers:r})}n(Os,"downstreamAuthorizeRedirectErrorResponse");function Se(e){let t=e.issues[0];if(!t)return;let r=t.path.join(".");return r?`${r}: ${t.message}`:t.message}n(Se,"formatZodErrorDetail");function _f(e,t){let r={event:"browser_login_callback_failed",code:ie(t)??"invalid_request"};G(r,"error",t),e.log.warn(r,"Browser login callback failed; client received a connection-failure page")}n(_f,"logBrowserLoginCallbackFailure");function qs(e){e.location.hash||(e.location.hash="#");let t=new Headers({location:e.location.toString(),"cache-control":"no-store"});return e.setCookie&&t.append("set-cookie",e.setCookie),new Response(null,{status:302,headers:t})}n(qs,"redirectResultResponse");function mr(e){if(e.kind==="setup_page"){let t=new Headers({"content-type":af,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"});return e.setCookie&&t.append("set-cookie",e.setCookie),new Response(e.html,{status:200,headers:t})}return qs(e)}n(mr,"authorizeResultResponse");async function Ms(e,t){try{return Response.json(yo(e.url,e.headers))}catch(r){return pe(t,"oauth_authorization_server_metadata_failed",r),ks(e,t,r)}}n(Ms,"authorizationServerMetadataHandler");async function Ds(e,t){try{let r=Ar(e.params.routePath);return Response.json(_o({operationId:r.operationId,requestUrl:e.url,requestHeaders:e.headers}))}catch(r){return pe(t,"oauth_authorization_server_metadata_failed",r),ks(e,t,r)}}n(Ds,"scopedAuthorizationServerMetadataHandler");async function zs(e,t){try{let r=await Ja(await cf(e)),o=r.client_id,i=r.client_name,a=r.redirect_uris.length,c=r.token_endpoint_auth_method;return 
t.log.info({event:"oauth_dcr_client_registered",clientId:o,clientName:i,redirectUriCount:a,tokenEndpointAuthMethod:c},"OAuth Dynamic Client Registration completed"),v(t,{eventType:C.MCP_OAUTH_CLIENT_REGISTERED,outcome:"success",clientName:i,attributes:{clientId:o,redirectUriCount:a,tokenEndpointAuthMethod:c}}),Response.json(r,{status:201,headers:{"cache-control":"no-store"}})}catch(r){return pe(t,"oauth_register_failed",r),Sn(r)}}n(zs,"registerHandler");async function js(e,t){try{return mr(await Rn(e,{context:t}))}catch(r){return pe(t,"oauth_authorize_failed",r),vn(e,t,r)}}n(js,"authorizeHandler");async function Hs(e,t){try{let r=Ar(e.params.routePath);return mr(await Rn(e,{operationId:r.operationId,context:t}))}catch(r){return pe(t,"oauth_authorize_scoped_failed",r),vn(e,t,r)}}n(Hs,"scopedAuthorizeHandler");async function Bs(e,t){try{let r=await ls(e,{context:t});return t.log.info({event:"browser_login_callback_completed",resultKind:r.kind},"Browser login callback completed; consent setup rendered"),mr(r)}catch(r){return _f(t,r),Ps(e,t,r)}}n(Bs,"callbackHandler");async function Ls(e,t){try{return qs(await ps(e))}catch(r){return pe(t,"oauth_dev_login_failed",r),vn(e,t,r)}}n(Ls,"devLoginHandler");async function Ns(e,t){try{if(!["GET","POST"].includes(e.method))return new Response(null,{status:405,headers:{allow:"GET, POST"}});let r=await ms({request:e,body:e.method==="POST"?await Cn(e):void 0,context:t});return mr(r)}catch(r){return pe(t,"oauth_setup_failed",r),Ps(e,t,r)}}n(Ns,"setupHandler");async function Js(e,t){try{return Response.json(await vs({body:await Cn(e),authorizationHeader:e.headers.get("authorization"),requestUrl:e.url,requestHeaders:e.headers,context:t}),{headers:{"cache-control":"no-store",pragma:"no-cache"}})}catch(r){return pe(t,"oauth_token_failed",r),Sn(r)}}n(Js,"tokenHandler");async function Gs(e,t){try{return await As({body:await Cn(e),authorizationHeader:e.headers.get("authorization"),requestUrl:e.url,requestHeaders:e.headers,context:t}),new 
Response(null,{status:200,headers:{"cache-control":"no-store"}})}catch(r){return pe(t,"oauth_revoke_failed",r),Sn(r)}}n(Gs,"revokeHandler");function Fs(e){return S`<p data-gateway-error-code="${e.code}">${e.body}</p>`}n(Fs,"renderBrowserResult");var wf="text/html; charset=utf-8",Rf="none";function bf(e){let t=Lr(e.host);return We({title:e.title,iconHref:t,styles:Ke,headerIcon:pr({iconHref:t,fallbackIconHref:Yt}),heading:e.title,subhead:"",body:Fs({body:e.body,code:e.code??Rf}),footer:""})}n(bf,"browserResultHtml");function If(e,t=200){return new Response(Ze(e),{status:t,headers:{"content-type":wf,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"}})}n(If,"browserResultResponse");function $s(e){return If(bf(e))}n($s,"browserConnectionSuccessResponse");function fr(e,t,r={}){let o=Kn(t);return te({host:e,kind:Cf(t),detail:o.body,developerDetail:r.developerDetail,code:t,diagnostic:r.diagnostic,upstreamHtml:r.upstreamHtml})}n(fr,"browserConnectionFailureResponse");function Cf(e){switch(e){case"provider_access_denied":return"access_denied";case"oauth_state_invalid":case"oauth_state_expired":case"oauth_state_reused":case"oauth_callback_mismatch":return"session_expired";case"browser_login_verification_failed":case"upstream_token_exchange_failed":case"upstream_token_response_invalid":return"connection_failed";case"upstream_oauth_discovery_unavailable":case"upstream_provider_access_denied":case"upstream_client_registration_required":return"admin_required"}}n(Cf,"readCallbackFailureBrowserErrorKind");var Sf={connect:"Connect",callback_authorization_code:"Callback",callback_provider_error:"Callback",callback_invalid:"Callback",client_metadata:"Client metadata"},Zs=Symbol("upstream-request");function xt(e,t){Object.defineProperty(e,Zs,{configurable:!0,value:t})}n(xt,"setUpstreamRequestContext");function vf(e){let t=e[Zs];if(!t)throw new W("Upstream request context has not been set");return t}n(vf,"readUpstreamRequestContext");function 
Af(e,t){return t.some(r=>r===e)}n(Af,"requestContextMatchesKind");function xf(e){return typeof e=="string"?[e]:e}n(xf,"toExpectedKinds");function kt(e,t){let r=vf(e),o=xf(t);if(!Af(r.kind,o)){let i=Sf[o[0]];throw new W(`${i} request context has not been set`)}return r}n(kt,"requireUpstreamRequestContext");function qe(e){if(typeof e=="string"&&e.length!==0)return e}n(qe,"readOptionalQueryString");function kf(e,t){let r=e.params[t];if(typeof r!="string"||r.length===0)throw new W(`Validated path parameter ${t} is missing`);return Tf(r,t)}n(kf,"requirePathString");function Tf(e,t){try{return decodeURIComponent(e)}catch(r){throw new f({message:`Path parameter "${t}" must be valid URL encoding.`,extensionMembers:{[g]:"invalid_request"}},{cause:r})}}n(Tf,"decodePathString");function Uf(e){let t=qe(e);return t?Dt.parse(t):void 0}n(Uf,"readOptionalOperationId");function Pf(e){let t=V().connectionsById.get(e);if(t!==void 0)return t.authProfileId;throw new f({message:`No upstream connection is registered for ${e}.`,extensionMembers:{[g]:"unknown_upstream_server"}})}n(Pf,"readRegisteredAuthProfileId");function Ef(e){let t=Uf(e);if(!t)throw new f({message:"operationId query parameter is required.",extensionMembers:{[g]:"invalid_request"}});return t}n(Ef,"readRequiredOperationId");async function Of(e,t){let r=ir(t,Ef(e.query.operationId));if(r.authMode==="id-jag")throw new f({message:"This upstream uses XAA / ID-JAG and does not support browser OAuth connection flows.",extensionMembers:{[g]:"invalid_request"}});let o=e.query.redirect==="true",i=qe(e.query.browserTicket);if(e.user){if(i)throw new f({message:"Use either an authenticated gateway request or a browser connect ticket, not both.",extensionMembers:{[g]:"invalid_request"}});let s=Ae(e.user,e.url),u={kind:"connect",...$e(r,s.subjectId),redirect:o},p=to(qe(e.query.returnTo));return p!==void 0&&(u.returnTo=p),u}if(!i)throw new f({message:"Authentication is required to start the upstream connection 
flow.",extensionMembers:{[g]:"authentication_required"}});let a=await bi(i);if(a.ownerMode!==r.ownerMode||a.upstreamServerId!==r.upstreamServerId||a.authProfileId!==r.authProfileId||a.operationId!==r.operationId)throw new f({message:"Browser connect ticket did not match the requested upstream flow",extensionMembers:{[g]:"oauth_callback_mismatch"}});await Ii(a);let c=Ht(a);switch(r.authMode){case"shared-oauth":{if(c.mode!=="shared")throw new f({message:"Browser connect ticket did not match the requested upstream flow",extensionMembers:{[g]:"oauth_callback_mismatch"}});let s={kind:"connect",...r,authMode:"shared-oauth",ownerMode:"shared",owner:c,initiatedBySubjectId:a.initiatedBySubjectId,redirect:o};return a.returnTo!==void 0&&(s.returnTo=a.returnTo),s}case"user-oauth":{if(c.mode!=="user")throw new f({message:"Browser connect ticket did not match the requested upstream flow",extensionMembers:{[g]:"oauth_callback_mismatch"}});let s={kind:"connect",...r,authMode:"user-oauth",ownerMode:"user",owner:c,initiatedBySubjectId:a.initiatedBySubjectId,redirect:o};return a.returnTo!==void 0&&(s.returnTo=a.returnTo),s}}}n(Of,"resolveConnectContext");async function qf(e,t,r){let o=Yn.parse(kf(e,"connection"));switch(r){case"connect":xt(e,await Of(e,o));return;case"callback":{let i=qe(e.query.error);if(i){let s={kind:"callback_provider_error",upstreamServerId:o,error:i},u=qe(e.query.error_description);u!==void 0&&(s.errorDescription=u),xt(e,s);return}let a=qe(e.query.code),c=qe(e.query.state);if(a&&c){xt(e,{kind:"callback_authorization_code",upstreamServerId:o,code:a,state:c});return}xt(e,{kind:"callback_invalid",upstreamServerId:o});return}case"client_metadata":xt(e,{kind:"client_metadata",upstreamServerId:o,authProfileId:Pf(o)});return}}n(qf,"resolveUpstreamRequestInbound");async function Mf(e,t,r){try{await qf(e,t,r);return}catch(o){let i=o instanceof f?o.extensionMembers?.[g]:void 0,a=o instanceof Error?o.message:void 
0;switch(i){case"invalid_request":case"unknown_upstream_server":case"oauth_callback_mismatch":return ve.badRequest(e,t,{code:i,detail:a});case"authentication_required":return ve.unauthorized(e,t,{code:i,detail:a});default:throw o}}}n(Mf,"applyUpstreamRequestContext");function hr(e,t){return n(async(o,i)=>{let a=await Mf(o,i,e);return a||t(o,i)},"wrapped")}n(hr,"withUpstreamRequestContext");var Df=["callback_authorization_code","callback_provider_error","callback_invalid"];function An(e){try{return new URL(e.url).pathname}catch{return}}n(An,"readBrowserRequestPath");function zf(e){return"cause"in e?e.cause:void 0}n(zf,"readErrorCause");function jf(e){return e.stack?.split(`
|
|
49
|
+
`).slice(1,4).map(t=>t.trim()).join(" | ")}n(jf,"readFirstStackFrame");function Ks(e,t,r){r instanceof Error&&(e[`${t}Name`]=r.name,e[`${t}Message`]=r.message,e[`${t}StackFrame`]=jf(r))}n(Ks,"addErrorAttributes");function xn(e){if(!(e instanceof f))return;let t=e.extensionMembers?.[g];return qt(t)?t:void 0}n(xn,"readRuntimeGatewayCode");function Ws(e,t){let r=e.extensionMembers?.[t];return typeof r=="string"?r:void 0}n(Ws,"readRuntimeErrorExtensionString");function Hf(e,t){let r=e.extensionMembers?.[t];return typeof r=="number"?r:void 0}n(Hf,"readRuntimeErrorExtensionNumber");function Bf(e,t,r,o){switch(r.kind){case"callback_provider_error":return t.log.warn({event:"upstream_oauth_provider_error",code:"provider_access_denied",upstreamServerId:r.upstreamServerId,providerError:r.error,...r.errorDescription===void 0?{}:{providerErrorDescription:r.errorDescription.slice(0,256)}},"Upstream identity provider returned an error to the OAuth callback"),v(t,{eventType:C.MCP_AUTH_UPSTREAM_TOKEN_EXCHANGE_FAILED,outcome:"failure",upstreamServerName:r.upstreamServerId,reasonCode:"provider_access_denied",reasonClass:"auth",attributes:{error:r.error,errorDescription:r.errorDescription}}),fr(o,"provider_access_denied",{developerDetail:r.errorDescription??r.error,diagnostic:{code:"provider_access_denied",requestId:t.requestId,routePath:An(e),upstreamServerId:r.upstreamServerId,providerError:r.error,providerErrorDescription:r.errorDescription,underlyingError:r.errorDescription??r.error}});case"callback_invalid":return t.log.warn({event:"upstream_oauth_callback_invalid",code:"oauth_state_invalid",upstreamServerId:r.upstreamServerId},"Upstream OAuth callback request missing required code/state parameters"),fr(o,"oauth_state_invalid",{diagnostic:{code:"oauth_state_invalid",requestId:t.requestId,routePath:An(e),upstreamServerId:r.upstreamServerId}});case"callback_authorization_code":return r}}n(Bf,"requireAuthorizationCallbackRequest");function 
Lf(e,t){v(e,{eventType:C.MCP_AUTH_UPSTREAM_CALLBACK_RECEIVED,outcome:"success",upstreamServerName:t.upstreamServerId})}n(Lf,"emitCallbackReceivedAnalyticsEvent");function Nf(e,t){v(e,{eventType:C.MCP_AUTH_UPSTREAM_TOKEN_EXCHANGE_SUCCEEDED,outcome:"success",upstreamServerName:t.upstreamServerId,virtualServerName:t.operationId})}n(Nf,"emitTokenExchangeSucceededAnalyticsEvent");function Jf(e,t){if(t.returnTo){let r=t.returnOrigin??e.url;return Response.redirect(new URL(t.returnTo,r).toString(),302)}return $s({host:Ve(e.url),title:"Connection complete",body:"The upstream authorization flow completed successfully. You can return to your MCP client."})}n(Jf,"buildSuccessfulCallbackResponse");function Gf(e){let t={detail:e instanceof Error?e.message:void 0};return Ks(t,"error",e),e instanceof Error&&Ks(t,"cause",zf(e)),t}n(Gf,"buildTokenExchangeFailureAttributes");function Ff(e){v(e.context,{eventType:C.MCP_AUTH_UPSTREAM_TOKEN_EXCHANGE_FAILED,outcome:"failure",upstreamServerName:e.callbackRequest.upstreamServerId,reasonCode:xn(e.error)??"token_exchange_failed",reasonClass:"auth",errorType:e.error instanceof Error?e.error.name:"unknown",attributes:Gf(e.error)})}n(Ff,"emitTokenExchangeFailedAnalyticsEvent");function $f(e){let t=e.error,r=xn(t),o=Zn(r)?r:"upstream_token_exchange_failed",i={code:o,requestId:e.context.requestId,routePath:An(e.request),upstreamServerId:e.callbackRequest.upstreamServerId,underlyingError:t instanceof Error?t.message:void 0,...t instanceof f?{httpStatus:Hf(t,he),contentType:Ws(t,Me),upstreamUrl:Ws(t,ge)}:{}};return fr(e.host,o,{developerDetail:t instanceof Error?t.message:void 0,diagnostic:i,upstreamHtml:Zf(t)})}n($f,"tokenExchangeFailureResponse");function Zf(e){if(!(e instanceof f))return;let t=e.extensionMembers?.[De];return typeof t=="string"?t:void 0}n(Zf,"readUpstreamHtmlError");async function kn(e,t){let r=kt(e,Df),o=Ve(e.url),i=Bf(e,t,r,o);if(i instanceof Response)return i;Lf(t,i);try{let a=await Qi({request:e,callbackRequest:i});return 
Nf(t,a),t.log.info({event:"upstream_oauth_token_exchange_succeeded",upstreamServerId:a.upstreamServerId,operationId:a.operationId,authProfileId:a.authProfileId,ownerMode:a.ownerMode},"Upstream OAuth token exchange completed; user connection established"),Jf(e,a)}catch(a){let c={event:"upstream_oauth_token_exchange_failed",code:xn(a)??"upstream_token_exchange_failed",upstreamServerId:i.upstreamServerId};return G(c,"error",a),t.log.warn(c,"Upstream OAuth token exchange failed; user shown connection-failure page"),Ff({context:t,callbackRequest:i,error:a}),$f({request:e,context:t,host:o,callbackRequest:i,error:a})}}n(kn,"callbackHandler");function Kf(e){return(e instanceof Error?e.message:void 0)??"The requested upstream client metadata document was not found."}n(Kf,"clientMetadataProblemDetail");async function Vs(e,t){let r=kt(e,"connect"),o=await Xi({request:e,connectRequest:r});if(v(t,{eventType:C.MCP_AUTH_UPSTREAM_CONNECT_STARTED,outcome:"success",upstreamServerName:r.upstreamServerId,virtualServerName:o.operationId,upstreamServerTitle:o.upstreamDisplayName}),t.log.info({event:"upstream_connect_started",upstreamServerId:r.upstreamServerId,authProfileId:o.authProfileId,operationId:o.operationId,ownerMode:r.ownerMode,redirect:r.redirect,hasReturnTo:r.returnTo!==void 0},"Upstream OAuth connect flow started"),r.redirect)return Response.redirect(o.authUrl,302);let i=await nr({requestUrl:e.url,requestHeaders:e.headers,owner:o.owner,initiatedBySubjectId:o.initiatedBySubjectId,upstreamServerId:r.upstreamServerId,authProfileId:o.authProfileId,upstreamDisplayName:o.upstreamDisplayName,operationId:o.operationId,subject:"MCP route",...r.returnTo===void 0?{}:{returnTo:r.returnTo}});return Response.json(i,{status:428})}n(Vs,"connectHandler");async function Ys(e,t){let r=kt(e,"client_metadata");try{let o=U(e.url,e.headers),i=xi(o,r.upstreamServerId,r.authProfileId);return Response.json(i)}catch(o){if(!(o instanceof j))throw o;let i=o instanceof Error?o.message:String(o);return 
t.log.warn({event:"oauth_client_metadata_request_failed",upstreamServerId:r.upstreamServerId,authProfileId:r.authProfileId,errorMessage:i},"Failed to serve OAuth client metadata document for upstream connection"),ve.notFound(e,t,{code:"not_found",detail:Kf(o)})}}n(Ys,"oauthClientMetadataHandler");function Wf(e,t){return e.mount==="root"?e.path:t.actionPath(e.path)}n(Wf,"resolveInternalRoutePath");var Vf={"access-control-allow-origin":"*","access-control-allow-methods":"GET, OPTIONS","access-control-allow-headers":"content-type, authorization","access-control-max-age":"86400"};function Yf(){return new Response(null,{status:204,headers:Vf})}n(Yf,"buildWellKnownPreflightResponse");function Xf(e){let t=new Headers(e.headers);return t.set("access-control-allow-origin","*"),new Response(e.body,{status:e.status,statusText:e.statusText,headers:t})}n(Xf,"withWellKnownCorsHeaders");function Tn(e){return async(t,r)=>t.method==="OPTIONS"?Yf():Xf(await e(t,r))}n(Tn,"wrapWellKnownHandler");var ec=[{routeName:"oauth_as_metadata",mount:"root",path:"/.well-known/oauth-authorization-server",methods:["GET","OPTIONS"],handler:Tn(Ms),corsPolicy:"anything-goes"},{routeName:"oauth_as_metadata_scoped",mount:"root",path:"/.well-known/oauth-authorization-server/:routePath*",methods:["GET","OPTIONS"],handler:Tn(Ds),corsPolicy:"anything-goes"},{routeName:"oauth_protected_resource_metadata",mount:"root",path:"/.well-known/oauth-protected-resource/:routePath*",methods:["GET","OPTIONS"],handler:Tn(wo),corsPolicy:"anything-goes"},{routeName:"oauth_register",mount:"action",path:"/oauth/register",methods:["POST"],handler:zs},{routeName:"oauth_authorize",mount:"action",path:"/oauth/authorize",methods:["GET"],handler:js},{routeName:"oauth_authorize_scoped",mount:"action",path:"/oauth/authorize/:routePath*",methods:["GET"],handler:Hs},{routeName:"oauth_callback",mount:"action",path:"/oauth/callback",methods:["GET"],handler:Bs},{routeName:"oauth_dev_login",mount:"action",path:"/oauth/dev-login",methods:
["GET"],handler:Ls},{routeName:"oauth_setup",mount:"action",path:"/oauth/setup",methods:["GET","POST"],handler:Ns},{routeName:"oauth_token",mount:"action",path:"/oauth/token",methods:["POST"],handler:Js},{routeName:"oauth_revoke",mount:"action",path:"/oauth/revoke",methods:["POST"],handler:Gs},{routeName:"upstream_client_metadata",mount:"action",path:"/.well-known/oauth-client/:connection",methods:["GET"],handler:hr("client_metadata",Ys)},{routeName:"upstream_connect",mount:"action",path:"/auth/connections/:connection/connect",methods:["GET"],handler:hr("connect",Vs)},{routeName:"upstream_callback",mount:"action",path:"/auth/connections/:connection/callback",methods:["GET"],handler:hr("callback",kn)}],Qf=ec.filter(e=>!e.routeName.startsWith("upstream_")),eh=ec.filter(e=>e.routeName.startsWith("upstream_"));function th(e){let t=ao({routes:e.routes,policies:e.policies,gateway:e.gateway});return so(t),t}n(th,"initializeMcpGatewayConnectionRegistry");function rh(e){return[...e.byOperationId.values()].some(t=>t.downstreamOAuth!==void 0)}n(rh,"hasDownstreamOAuthRoutes");function nh(e){let t=new Map;for(let o of e.byOperationId.values())o.downstreamOAuth&&t.set(o.downstreamOAuth.policyName,o.downstreamOAuth.config);if(t.size===1)return[...t.values()][0];let r=[...t.keys()].map(o=>`"${o}"`).join(", ");throw new j(`MCP gateway found multiple attached OAuth policies: ${r}. 
Multiple downstream MCP OAuth configs in one gateway are not supported yet; use one MCP OAuth policy across MCP routes or split these routes into separate gateways.`)}n(nh,"readSingletonDownstreamOAuthConfig");function oh(e,t,r){let o=String(t.params.routePath??""),i=e.byRoutePath.get(fo(o));if(i===void 0)return;let a=i?.downstreamOAuth?.config;return a===void 0?Mt(t,r,{code:"not_found",detail:"The requested MCP route does not expose downstream OAuth."}):a}n(oh,"readScopedDownstreamOAuthConfig");function ih(e){return e.path==="/.well-known/oauth-authorization-server/:routePath*"||e.path==="/.well-known/oauth-protected-resource/:routePath*"||e.path==="/oauth/authorize/:routePath*"}n(ih,"routeUsesScopedOAuthConfig");function Xs(e,t,r){return async(o,i)=>{if(i.log.setLogProperties?.({requestId:i.requestId}),r){let u=await r(o,i);if(u instanceof Response)return u;u&&Fn(i,u)}let a=o.method==="OPTIONS",c=Date.now();a||i.log.info({event:`${e}_received`,method:o.method},`MCP gateway: ${e} received`);let s=await t(o,i);return a||i.log.info({event:`${e}_responded`,status:s.status,durationMs:Date.now()-c},`MCP gateway: ${e} responded`),s}}n(Xs,"wrapInternalHandler");function Qs(e,t,r,o){e.addPluginRoute({path:Wf(t,r),methods:t.methods,handler:o,processors:[Mn],corsPolicy:t.corsPolicy??"none"})}n(Qs,"addInternalRoute");function tc(e,t){let r=th(t),o=rh(r),i=r.connectionsById.size>0,a,c=n(()=>(a===void 0&&(a=nh(r)),a),"readSingletonOAuthConfig");if(o)for(let s of Qf){let u=ih(s)?(p,h)=>oh(r,p,h):c;Qs(e,s,r.gateway,Xs(s.routeName,s.handler,u))}if(i)for(let s of eh)Qs(e,s,r.gateway,Xs(s.routeName,s.handler))}n(tc,"registerMcpGatewayInternalRoutes");var Un=class extends On{static{n(this,"McpGatewayPlugin")}#e;constructor(t={}){super(),this.#e=$n(t)}registerRoutes(t){let r=t.parsedRouteData;r&&tc(t.router,{routes:r.routes,policies:r.policies,gateway:this.#e})}};var ah=new TextDecoder;function sh(e){if(e)try{return JSON.parse(ah.decode(e))}catch{return}}n(sh,"readBodyJson");function 
me(e){return e&&typeof e=="object"?e:void 0}n(me,"readRecord");function Tt(e,t){let r=me(e)?.[t];return typeof r=="string"?r:void 0}n(Tt,"readStringProperty");function nc(e,t){let r=me(e)?.[t];return typeof r=="number"?r:void 0}n(nc,"readNumberProperty");function rc(e,t){return nc(e,"code")??(t.status>=400?t.status:void 0)}n(rc,"readErrorCode");function oc(e){return Array.isArray(e)?e.map(oc).find(t=>t?.method):me(e)}n(oc,"readJsonRpcMessage");function ic(e){let t=oc(sh(e)),r=typeof t?.method=="string"?t.method:"",o=t?.params;switch(r){case"tools/list":return{mcpMethod:r,capabilityType:"tool"};case"tools/call":return{mcpMethod:r,capabilityType:"tool",capabilityName:Tt(o,"name")};case"prompts/list":return{mcpMethod:r,capabilityType:"prompt"};case"prompts/get":return{mcpMethod:r,capabilityType:"prompt",capabilityName:Tt(o,"name")};case"resources/list":case"resources/templates/list":return{mcpMethod:r,capabilityType:"resource"};case"resources/read":{let i=Tt(o,"uri");return{mcpMethod:r,capabilityType:"resource",capabilityName:i,resourceUri:i}}default:return null}}n(ic,"buildBaseCapabilityInput");function ac(e){return e==="tools/list"||e==="prompts/list"||e==="resources/list"||e==="resources/templates/list"}n(ac,"isCapabilityListMethod");function ch(e,t,r){let a=me(r)?.[e==="resources/templates/list"?"resourceTemplates":t==="tool"?"tools":t==="prompt"?"prompts":"resources"];return Array.isArray(a)?a.length:void 0}n(ch,"readItemCount");async function dh(e){try{return await e.clone().json()}catch{return}}n(dh,"readResponseJson");function sc(e){let t=ic(e);return!t||ac(t.mcpMethod)?null:{eventType:C.MCP_CAPABILITY_INVOKED,outcome:"success",...t}}n(sc,"buildCapabilityInvokedAnalyticsInput");async function cc(e,t){let r=ic(e);if(!r)return null;let o=me(await 
dh(t)),i=me(o?.error),a=me(i?.data),c=o?.result,s=r.mcpMethod==="tools/call"&&me(c)?.isError===!0;if(me(a?.connectRequired))return{eventType:C.MCP_CAPABILITY_CONNECT_REQUIRED,outcome:"connect_required",...r,httpStatusCode:t.status,reasonCode:"connect_required",reasonClass:"auth",errorType:"connect_required",errorCode:nc(i,"code"),mcpErrorType:Tt(i,"message")};if(ac(r.mcpMethod)){let u=t.status>=400?void 0:ch(r.mcpMethod,r.capabilityType,c);return{eventType:C.MCP_CAPABILITY_LISTED,outcome:t.status>=400||i?"failure":"success",...r,httpStatusCode:t.status,...t.status>=400||i?{reasonCode:"upstream_capability_list_failed",reasonClass:"upstream",errorType:"capability_list_error",errorCode:rc(i,t)}:{},...u===void 0?{}:{attributes:{itemCount:u}}}}return t.status>=400||i?{eventType:C.MCP_CAPABILITY_FAILED,outcome:"failure",...r,httpStatusCode:t.status,reasonCode:"upstream_capability_invocation_failed",reasonClass:"upstream",errorType:"capability_error",errorCode:rc(i,t),mcpErrorType:Tt(i,"message")}:{eventType:C.MCP_CAPABILITY_COMPLETED,outcome:s?"application_error":"success",...r,httpStatusCode:t.status,toolResultIsError:s,applicationError:s}}n(cc,"buildCapabilityFinalAnalyticsInput");var uh={Allow:"POST"};async function lh(e){try{return await e.clone().arrayBuffer()}catch{return}}n(lh,"readRequestBody");function dc(e){try{let t=co(e.route.path);return{virtualServerName:t.operationId,upstreamServerName:t.connection?.upstreamServerId,upstreamServerTitle:t.connection?.displayName,authProfileId:t.connection?.authProfileId,upstreamAuthMode:t.connection?.authMode}}catch{return{}}}n(dc,"readRouteAnalyticsFields");function uc(e){return Io(e.user,e.url,e.headers)?.subjectId}n(uc,"readRequestSubjectId");function ph(e){let t=sc(e.requestBody);t&&v(e.context,{...t,...dc(e.context),httpMethod:e.request.method,subjectId:uc(e.request),transport:"http"})}n(ph,"emitCapabilityInvokedAnalytics");async function mh(e){let t=await 
cc(e.requestBody,e.response);t&&v(e.context,{...t,...dc(e.context),httpMethod:e.request.method,subjectId:uc(e.request),transport:"http",latencyMs:Date.now()-e.startedAt})}n(mh,"emitCapabilityFinalAnalytics");async function fh(e,t){if(e.method==="GET")return ve.methodNotAllowed(e,t,{detail:"MCP Gateway routes support stateless Streamable HTTP requests over POST. Server-sent event GET streams are not supported."},uh);let r=Date.now(),o=await lh(e);ph({context:t,request:e,requestBody:o});let i=await Nn(e,t);return await mh({context:t,request:e,requestBody:o,response:i,startedAt:r}),i}n(fh,"McpProxyHandler");export{bc as McpAuth0OAuthInboundPolicy,xr as McpCapabilityFilterInboundPolicy,lc as McpClerkOAuthInboundPolicy,pc as McpCognitoOAuthInboundPolicy,mc as McpEntraOAuthInboundPolicy,Un as McpGatewayPlugin,fc as McpGoogleOAuthInboundPolicy,hc as McpKeycloakOAuthInboundPolicy,gc as McpLogtoOAuthInboundPolicy,Ic as McpOAuthInboundPolicy,yc as McpOktaOAuthInboundPolicy,_c as McpOneLoginOAuthInboundPolicy,wc as McpPingOAuthInboundPolicy,fh as McpProxyHandler,nn as McpTokenExchangeInboundPolicy,Rc as McpWorkosOAuthInboundPolicy};
|
|
49
50
|
//# sourceMappingURL=index.js.map
|