@zuplo/runtime 6.70.9 → 6.70.12

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (7) hide show
  1. package/out/esm/{chunk-YYF572GK.js → chunk-PG5BJ2JU.js} +3 -3
  2. package/out/esm/index.js +1 -1
  3. package/out/esm/mcp-gateway/index.js +99 -73
  4. package/out/esm/mcp-gateway/index.js.map +1 -1
  5. package/package.json +1 -1
  6. /package/out/esm/{chunk-YYF572GK.js.LEGAL.txt → chunk-PG5BJ2JU.js.LEGAL.txt} +0 -0
  7. /package/out/esm/{chunk-YYF572GK.js.map → chunk-PG5BJ2JU.js.map} +0 -0
package/out/esm/mcp-gateway/index.js CHANGED
@@ -22,37 +22,37 @@
22
22
  * DEALINGS IN THE SOFTWARE.
23
23
  *--------------------------------------------------------------------------------------------*/
24
24
 
25
- import{$ as Zl,G as Hl,H as vi,I as xw,J as Gl,K as f,L as Bl,M as V,N as Y,O as Vl,P as Fl,Q as ue,R,S as I,T as fe,U as ne,V as bi,W as Ri,X as ee,Y as Ve,Z as P,_ as se,a as Ht,aa as Ii,ba as Kl,ca as Wl,da as u,ea as W,i as Nn,j as jl,p as wi,y as Ct}from"../chunk-YYF572GK.js";import{d as Si}from"../chunk-BHMDFTZV.js";import{a as L}from"../chunk-ZJ5LRHNO.js";import{U as ra,V as Tt,a as o,c as C,e as Ll}from"../chunk-FFHHHNST.js";var Kn=C(F=>{"use strict";Object.defineProperty(F,"__esModule",{value:!0});F.regexpCode=F.getEsmExportName=F.getProperty=F.safeStringify=F.stringify=F.strConcat=F.addCodeArg=F.str=F._=F.nil=F._Code=F.Name=F.IDENTIFIER=F._CodeOrName=void 0;var Fn=class{static{o(this,"_CodeOrName")}};F._CodeOrName=Fn;F.IDENTIFIER=/^[a-z$_][a-z$_0-9]*$/i;var _r=class extends Fn{static{o(this,"Name")}constructor(t){if(super(),!F.IDENTIFIER.test(t))throw new Error("CodeGen: name must be a valid identifier");this.str=t}toString(){return this.str}emptyStr(){return!1}get names(){return{[this.str]:1}}};F.Name=_r;var Je=class extends Fn{static{o(this,"_Code")}constructor(t){super(),this._items=typeof t=="string"?[t]:t}toString(){return this.str}emptyStr(){if(this._items.length>1)return!1;let t=this._items[0];return t===""||t==='""'}get str(){var t;return(t=this._str)!==null&&t!==void 0?t:this._str=this._items.reduce((r,n)=>`${r}${n}`,"")}get names(){var t;return(t=this._names)!==null&&t!==void 0?t:this._names=this._items.reduce((r,n)=>(n instanceof _r&&(r[n.str]=(r[n.str]||0)+1),r),{})}};F._Code=Je;F.nil=new Je("");function mp(e,...t){let r=[e[0]],n=0;for(;n<t.length;)oc(r,t[n]),r.push(e[++n]);return new Je(r)}o(mp,"_");F._=mp;var nc=new Je("+");function fp(e,...t){let r=[Zn(e[0])],n=0;for(;n<t.length;)r.push(nc),oc(r,t[n]),r.push(nc,Zn(e[++n]));return tv(r),new Je(r)}o(fp,"str");F.str=fp;function oc(e,t){t instanceof Je?e.push(...t._items):t instanceof _r?e.push(t):e.push(ov(t))}o(oc,"addCodeArg");F.addCodeArg=oc;function tv(e){let t=1;for(;t<e.length-1;){if(e[t]===nc){let r=rv(e[t-1],e[t+1]);if(r!==void 0){e.splice(t-1,3,r);continue}e[t++]="+"}t++}}o(tv,"optimize");function rv(e,t){if(t==='""')return e;if(e==='""')return t;if(typeof e=="string")return t instanceof _r||e[e.length-1]!=='"'?void 0:typeof t!="string"?`${e.slice(0,-1)}${t}"`:t[0]==='"'?e.slice(0,-1)+t.slice(1):void 0;if(typeof t=="string"&&t[0]==='"'&&!(e instanceof _r))return`"${e}${t.slice(1)}`}o(rv,"mergeExprItems");function nv(e,t){return t.emptyStr()?e:e.emptyStr()?t:fp`${e}${t}`}o(nv,"strConcat");F.strConcat=nv;function ov(e){return typeof e=="number"||typeof e=="boolean"||e===null?e:Zn(Array.isArray(e)?e.join(","):e)}o(ov,"interpolate");function av(e){return new Je(Zn(e))}o(av,"stringify");F.stringify=av;function Zn(e){return JSON.stringify(e).replace(/\u2028/g,"\\u2028").replace(/\u2029/g,"\\u2029")}o(Zn,"safeStringify");F.safeStringify=Zn;function sv(e){return typeof e=="string"&&F.IDENTIFIER.test(e)?new Je(`.${e}`):mp`[${e}]`}o(sv,"getProperty");F.getProperty=sv;function iv(e){if(typeof e=="string"&&F.IDENTIFIER.test(e))return new Je(`${e}`);throw new Error(`CodeGen: invalid export name: ${e}, use explicit $id name mapping`)}o(iv,"getEsmExportName");F.getEsmExportName=iv;function cv(e){return new Je(e.toString())}o(cv,"regexpCode");F.regexpCode=cv});var ic=C(Me=>{"use strict";Object.defineProperty(Me,"__esModule",{value:!0});Me.ValueScope=Me.ValueScopeName=Me.Scope=Me.varKinds=Me.UsedValueState=void 0;var ze=Kn(),ac=class extends Error{static{o(this,"ValueError")}constructor(t){super(`CodeGen: "code" for ${t} not defined`),this.value=t.value}},ya;(function(e){e[e.Started=0]="Started",e[e.Completed=1]="Completed"})(ya||(Me.UsedValueState=ya={}));Me.varKinds={const:new ze.Name("const"),let:new ze.Name("let"),var:new ze.Name("var")};var wa=class{static{o(this,"Scope")}constructor({prefixes:t,parent:r}={}){this._names={},this._prefixes=t,this._parent=r}toName(t){return t instanceof ze.Name?t:this.name(t)}name(t){return new ze.Name(this._newName(t))}_newName(t){let r=this._names[t]||this._nameGroup(t);return`${t}${r.index++}`}_nameGroup(t){var r,n;if(!((n=(r=this._parent)===null||r===void 0?void 0:r._prefixes)===null||n===void 0)&&n.has(t)||this._prefixes&&!this._prefixes.has(t))throw new Error(`CodeGen: prefix "${t}" is not allowed in this scope`);return this._names[t]={prefix:t,index:0}}};Me.Scope=wa;var Sa=class extends ze.Name{static{o(this,"ValueScopeName")}constructor(t,r){super(r),this.prefix=t}setValue(t,{property:r,itemIndex:n}){this.value=t,this.scopePath=(0,ze._)`.${new ze.Name(r)}[${n}]`}};Me.ValueScopeName=Sa;var uv=(0,ze._)`\n`,sc=class extends wa{static{o(this,"ValueScope")}constructor(t){super(t),this._values={},this._scope=t.scope,this.opts={...t,_n:t.lines?uv:ze.nil}}get(){return this._scope}name(t){return new Sa(t,this._newName(t))}value(t,r){var n;if(r.ref===void 0)throw new Error("CodeGen: ref must be passed in value");let a=this.toName(t),{prefix:s}=a,i=(n=r.key)!==null&&n!==void 0?n:r.ref,c=this._values[s];if(c){let l=c.get(i);if(l)return l}else c=this._values[s]=new Map;c.set(i,a);let d=this._scope[s]||(this._scope[s]=[]),p=d.length;return d[p]=r.ref,a.setValue(r,{property:s,itemIndex:p}),a}getValue(t,r){let n=this._values[t];if(n)return n.get(r)}scopeRefs(t,r=this._values){return this._reduceValues(r,n=>{if(n.scopePath===void 0)throw new Error(`CodeGen: name "${n}" has no value`);return(0,ze._)`${t}${n.scopePath}`})}scopeCode(t=this._values,r,n){return this._reduceValues(t,a=>{if(a.value===void 0)throw new Error(`CodeGen: name "${a}" has no value`);return a.value.code},r,n)}_reduceValues(t,r,n={},a){let s=ze.nil;for(let i in t){let c=t[i];if(!c)continue;let d=n[i]=n[i]||new Map;c.forEach(p=>{if(d.has(p))return;d.set(p,ya.Started);let l=r(p);if(l){let m=this.opts.es5?Me.varKinds.var:Me.varKinds.const;s=(0,ze._)`${s}${m} ${p} = ${l};${this.opts._n}`}else if(l=a?.(p))s=(0,ze._)`${s}${l}${this.opts._n}`;else throw new ac(p);d.set(p,ya.Completed)})}return s}};Me.ValueScope=sc});var D=C(q=>{"use strict";Object.defineProperty(q,"__esModule",{value:!0});q.or=q.and=q.not=q.CodeGen=q.operators=q.varKinds=q.ValueScopeName=q.ValueScope=q.Scope=q.Name=q.regexpCode=q.stringify=q.getProperty=q.nil=q.strConcat=q.str=q._=void 0;var G=Kn(),ot=ic(),Yt=Kn();Object.defineProperty(q,"_",{enumerable:!0,get:o(function(){return Yt._},"get")});Object.defineProperty(q,"str",{enumerable:!0,get:o(function(){return Yt.str},"get")});Object.defineProperty(q,"strConcat",{enumerable:!0,get:o(function(){return Yt.strConcat},"get")});Object.defineProperty(q,"nil",{enumerable:!0,get:o(function(){return Yt.nil},"get")});Object.defineProperty(q,"getProperty",{enumerable:!0,get:o(function(){return Yt.getProperty},"get")});Object.defineProperty(q,"stringify",{enumerable:!0,get:o(function(){return Yt.stringify},"get")});Object.defineProperty(q,"regexpCode",{enumerable:!0,get:o(function(){return Yt.regexpCode},"get")});Object.defineProperty(q,"Name",{enumerable:!0,get:o(function(){return Yt.Name},"get")});var Ia=ic();Object.defineProperty(q,"Scope",{enumerable:!0,get:o(function(){return Ia.Scope},"get")});Object.defineProperty(q,"ValueScope",{enumerable:!0,get:o(function(){return Ia.ValueScope},"get")});Object.defineProperty(q,"ValueScopeName",{enumerable:!0,get:o(function(){return Ia.ValueScopeName},"get")});Object.defineProperty(q,"varKinds",{enumerable:!0,get:o(function(){return Ia.varKinds},"get")});q.operators={GT:new G._Code(">"),GTE:new G._Code(">="),LT:new G._Code("<"),LTE:new G._Code("<="),EQ:new G._Code("==="),NEQ:new G._Code("!=="),NOT:new G._Code("!"),OR:new G._Code("||"),AND:new G._Code("&&"),ADD:new G._Code("+")};var xt=class{static{o(this,"Node")}optimizeNodes(){return this}optimizeNames(t,r){return this}},cc=class extends xt{static{o(this,"Def")}constructor(t,r,n){super(),this.varKind=t,this.name=r,this.rhs=n}render({es5:t,_n:r}){let n=t?ot.varKinds.var:this.varKind,a=this.rhs===void 0?"":` = ${this.rhs}`;return`${n} ${this.name}${a};`+r}optimizeNames(t,r){if(t[this.name.str])return this.rhs&&(this.rhs=Kr(this.rhs,t,r)),this}get names(){return this.rhs instanceof G._CodeOrName?this.rhs.names:{}}},va=class extends xt{static{o(this,"Assign")}constructor(t,r,n){super(),this.lhs=t,this.rhs=r,this.sideEffects=n}render({_n:t}){return`${this.lhs} = ${this.rhs};`+t}optimizeNames(t,r){if(!(this.lhs instanceof G.Name&&!t[this.lhs.str]&&!this.sideEffects))return this.rhs=Kr(this.rhs,t,r),this}get names(){let t=this.lhs instanceof G.Name?{}:{...this.lhs.names};return Ra(t,this.rhs)}},uc=class extends va{static{o(this,"AssignOp")}constructor(t,r,n,a){super(t,n,a),this.op=r}render({_n:t}){return`${this.lhs} ${this.op}= ${this.rhs};`+t}},dc=class extends xt{static{o(this,"Label")}constructor(t){super(),this.label=t,this.names={}}render({_n:t}){return`${this.label}:`+t}},lc=class extends xt{static{o(this,"Break")}constructor(t){super(),this.label=t,this.names={}}render({_n:t}){return`break${this.label?` ${this.label}`:""};`+t}},pc=class extends xt{static{o(this,"Throw")}constructor(t){super(),this.error=t}render({_n:t}){return`throw ${this.error};`+t}get names(){return this.error.names}},mc=class extends xt{static{o(this,"AnyCode")}constructor(t){super(),this.code=t}render({_n:t}){return`${this.code};`+t}optimizeNodes(){return`${this.code}`?this:void 0}optimizeNames(t,r){return this.code=Kr(this.code,t,r),this}get names(){return this.code instanceof G._CodeOrName?this.code.names:{}}},Wn=class extends xt{static{o(this,"ParentNode")}constructor(t=[]){super(),this.nodes=t}render(t){return this.nodes.reduce((r,n)=>r+n.render(t),"")}optimizeNodes(){let{nodes:t}=this,r=t.length;for(;r--;){let n=t[r].optimizeNodes();Array.isArray(n)?t.splice(r,1,...n):n?t[r]=n:t.splice(r,1)}return t.length>0?this:void 0}optimizeNames(t,r){let{nodes:n}=this,a=n.length;for(;a--;){let s=n[a];s.optimizeNames(t,r)||(dv(t,s.names),n.splice(a,1))}return n.length>0?this:void 0}get names(){return this.nodes.reduce((t,r)=>Sr(t,r.names),{})}},kt=class extends Wn{static{o(this,"BlockNode")}render(t){return"{"+t._n+super.render(t)+"}"+t._n}},fc=class extends Wn{static{o(this,"Root")}},Zr=class extends kt{static{o(this,"Else")}};Zr.kind="else";var yr=class e extends kt{static{o(this,"If")}constructor(t,r){super(r),this.condition=t}render(t){let r=`if(${this.condition})`+super.render(t);return this.else&&(r+="else "+this.else.render(t)),r}optimizeNodes(){super.optimizeNodes();let t=this.condition;if(t===!0)return this.nodes;let r=this.else;if(r){let n=r.optimizeNodes();r=this.else=Array.isArray(n)?new Zr(n):n}if(r)return t===!1?r instanceof e?r:r.nodes:this.nodes.length?this:new e(hp(t),r instanceof e?[r]:r.nodes);if(!(t===!1||!this.nodes.length))return this}optimizeNames(t,r){var n;if(this.else=(n=this.else)===null||n===void 0?void 0:n.optimizeNames(t,r),!!(super.optimizeNames(t,r)||this.else))return this.condition=Kr(this.condition,t,r),this}get names(){let t=super.names;return Ra(t,this.condition),this.else&&Sr(t,this.else.names),t}};yr.kind="if";var wr=class extends kt{static{o(this,"For")}};wr.kind="for";var hc=class extends wr{static{o(this,"ForLoop")}constructor(t){super(),this.iteration=t}render(t){return`for(${this.iteration})`+super.render(t)}optimizeNames(t,r){if(super.optimizeNames(t,r))return this.iteration=Kr(this.iteration,t,r),this}get names(){return Sr(super.names,this.iteration.names)}},gc=class extends wr{static{o(this,"ForRange")}constructor(t,r,n,a){super(),this.varKind=t,this.name=r,this.from=n,this.to=a}render(t){let r=t.es5?ot.varKinds.var:this.varKind,{name:n,from:a,to:s}=this;return`for(${r} ${n}=${a}; ${n}<${s}; ${n}++)`+super.render(t)}get names(){let t=Ra(super.names,this.from);return Ra(t,this.to)}},ba=class extends wr{static{o(this,"ForIter")}constructor(t,r,n,a){super(),this.loop=t,this.varKind=r,this.name=n,this.iterable=a}render(t){return`for(${this.varKind} ${this.name} ${this.loop} ${this.iterable})`+super.render(t)}optimizeNames(t,r){if(super.optimizeNames(t,r))return this.iterable=Kr(this.iterable,t,r),this}get names(){return Sr(super.names,this.iterable.names)}},Jn=class extends kt{static{o(this,"Func")}constructor(t,r,n){super(),this.name=t,this.args=r,this.async=n}render(t){return`${this.async?"async ":""}function ${this.name}(${this.args})`+super.render(t)}};Jn.kind="func";var Yn=class extends Wn{static{o(this,"Return")}render(t){return"return "+super.render(t)}};Yn.kind="return";var _c=class extends kt{static{o(this,"Try")}render(t){let r="try"+super.render(t);return this.catch&&(r+=this.catch.render(t)),this.finally&&(r+=this.finally.render(t)),r}optimizeNodes(){var t,r;return super.optimizeNodes(),(t=this.catch)===null||t===void 0||t.optimizeNodes(),(r=this.finally)===null||r===void 0||r.optimizeNodes(),this}optimizeNames(t,r){var n,a;return super.optimizeNames(t,r),(n=this.catch)===null||n===void 0||n.optimizeNames(t,r),(a=this.finally)===null||a===void 0||a.optimizeNames(t,r),this}get names(){let t=super.names;return this.catch&&Sr(t,this.catch.names),this.finally&&Sr(t,this.finally.names),t}},Xn=class extends kt{static{o(this,"Catch")}constructor(t){super(),this.error=t}render(t){return`catch(${this.error})`+super.render(t)}};Xn.kind="catch";var Qn=class extends kt{static{o(this,"Finally")}render(t){return"finally"+super.render(t)}};Qn.kind="finally";var yc=class{static{o(this,"CodeGen")}constructor(t,r={}){this._values={},this._blockStarts=[],this._constants={},this.opts={...r,_n:r.lines?`
26
- `:""},this._extScope=t,this._scope=new ot.Scope({parent:t}),this._nodes=[new fc]}toString(){return this._root.render(this.opts)}name(t){return this._scope.name(t)}scopeName(t){return this._extScope.name(t)}scopeValue(t,r){let n=this._extScope.value(t,r);return(this._values[n.prefix]||(this._values[n.prefix]=new Set)).add(n),n}getScopeValue(t,r){return this._extScope.getValue(t,r)}scopeRefs(t){return this._extScope.scopeRefs(t,this._values)}scopeCode(){return this._extScope.scopeCode(this._values)}_def(t,r,n,a){let s=this._scope.toName(r);return n!==void 0&&a&&(this._constants[s.str]=n),this._leafNode(new cc(t,s,n)),s}const(t,r,n){return this._def(ot.varKinds.const,t,r,n)}let(t,r,n){return this._def(ot.varKinds.let,t,r,n)}var(t,r,n){return this._def(ot.varKinds.var,t,r,n)}assign(t,r,n){return this._leafNode(new va(t,r,n))}add(t,r){return this._leafNode(new uc(t,q.operators.ADD,r))}code(t){return typeof t=="function"?t():t!==G.nil&&this._leafNode(new mc(t)),this}object(...t){let r=["{"];for(let[n,a]of t)r.length>1&&r.push(","),r.push(n),(n!==a||this.opts.es5)&&(r.push(":"),(0,G.addCodeArg)(r,a));return r.push("}"),new G._Code(r)}if(t,r,n){if(this._blockNode(new yr(t)),r&&n)this.code(r).else().code(n).endIf();else if(r)this.code(r).endIf();else if(n)throw new Error('CodeGen: "else" body without "then" body');return this}elseIf(t){return this._elseNode(new yr(t))}else(){return this._elseNode(new Zr)}endIf(){return this._endBlockNode(yr,Zr)}_for(t,r){return this._blockNode(t),r&&this.code(r).endFor(),this}for(t,r){return this._for(new hc(t),r)}forRange(t,r,n,a,s=this.opts.es5?ot.varKinds.var:ot.varKinds.let){let i=this._scope.toName(t);return this._for(new gc(s,i,r,n),()=>a(i))}forOf(t,r,n,a=ot.varKinds.const){let s=this._scope.toName(t);if(this.opts.es5){let i=r instanceof G.Name?r:this.var("_arr",r);return this.forRange("_i",0,(0,G._)`${i}.length`,c=>{this.var(s,(0,G._)`${i}[${c}]`),n(s)})}return this._for(new ba("of",a,s,r),()=>n(s))}forIn(t,r,n,a=this.opts.es5?ot.varKinds.var:ot.varKinds.const){if(this.opts.ownProperties)return this.forOf(t,(0,G._)`Object.keys(${r})`,n);let s=this._scope.toName(t);return this._for(new ba("in",a,s,r),()=>n(s))}endFor(){return this._endBlockNode(wr)}label(t){return this._leafNode(new dc(t))}break(t){return this._leafNode(new lc(t))}return(t){let r=new Yn;if(this._blockNode(r),this.code(t),r.nodes.length!==1)throw new Error('CodeGen: "return" should have one node');return this._endBlockNode(Yn)}try(t,r,n){if(!r&&!n)throw new Error('CodeGen: "try" without "catch" and "finally"');let a=new _c;if(this._blockNode(a),this.code(t),r){let s=this.name("e");this._currNode=a.catch=new Xn(s),r(s)}return n&&(this._currNode=a.finally=new Qn,this.code(n)),this._endBlockNode(Xn,Qn)}throw(t){return this._leafNode(new pc(t))}block(t,r){return this._blockStarts.push(this._nodes.length),t&&this.code(t).endBlock(r),this}endBlock(t){let r=this._blockStarts.pop();if(r===void 0)throw new Error("CodeGen: not in self-balancing block");let n=this._nodes.length-r;if(n<0||t!==void 0&&n!==t)throw new Error(`CodeGen: wrong number of nodes: ${n} vs ${t} expected`);return this._nodes.length=r,this}func(t,r=G.nil,n,a){return this._blockNode(new Jn(t,r,n)),a&&this.code(a).endFunc(),this}endFunc(){return this._endBlockNode(Jn)}optimize(t=1){for(;t-- >0;)this._root.optimizeNodes(),this._root.optimizeNames(this._root.names,this._constants)}_leafNode(t){return this._currNode.nodes.push(t),this}_blockNode(t){this._currNode.nodes.push(t),this._nodes.push(t)}_endBlockNode(t,r){let n=this._currNode;if(n instanceof t||r&&n instanceof r)return this._nodes.pop(),this;throw new Error(`CodeGen: not in block "${r?`${t.kind}/${r.kind}`:t.kind}"`)}_elseNode(t){let r=this._currNode;if(!(r instanceof yr))throw new Error('CodeGen: "else" without "if"');return this._currNode=r.else=t,this}get _root(){return this._nodes[0]}get _currNode(){let t=this._nodes;return t[t.length-1]}set _currNode(t){let r=this._nodes;r[r.length-1]=t}};q.CodeGen=yc;function Sr(e,t){for(let r in t)e[r]=(e[r]||0)+(t[r]||0);return e}o(Sr,"addNames");function Ra(e,t){return t instanceof G._CodeOrName?Sr(e,t.names):e}o(Ra,"addExprNames");function Kr(e,t,r){if(e instanceof G.Name)return n(e);if(!a(e))return e;return new G._Code(e._items.reduce((s,i)=>(i instanceof G.Name&&(i=n(i)),i instanceof G._Code?s.push(...i._items):s.push(i),s),[]));function n(s){let i=r[s.str];return i===void 0||t[s.str]!==1?s:(delete t[s.str],i)}function a(s){return s instanceof G._Code&&s._items.some(i=>i instanceof G.Name&&t[i.str]===1&&r[i.str]!==void 0)}}o(Kr,"optimizeExpr");function dv(e,t){for(let r in t)e[r]=(e[r]||0)-(t[r]||0)}o(dv,"subtractNames");function hp(e){return typeof e=="boolean"||typeof e=="number"||e===null?!e:(0,G._)`!${wc(e)}`}o(hp,"not");q.not=hp;var lv=gp(q.operators.AND);function pv(...e){return e.reduce(lv)}o(pv,"and");q.and=pv;var mv=gp(q.operators.OR);function fv(...e){return e.reduce(mv)}o(fv,"or");q.or=fv;function gp(e){return(t,r)=>t===G.nil?r:r===G.nil?t:(0,G._)`${wc(t)} ${e} ${wc(r)}`}o(gp,"mappend");function wc(e){return e instanceof G.Name?e:(0,G._)`(${e})`}o(wc,"par")});var Z=C(j=>{"use strict";Object.defineProperty(j,"__esModule",{value:!0});j.checkStrictMode=j.getErrorPath=j.Type=j.useFunc=j.setEvaluated=j.evaluatedPropsToName=j.mergeEvaluated=j.eachItem=j.unescapeJsonPointer=j.escapeJsonPointer=j.escapeFragment=j.unescapeFragment=j.schemaRefOrVal=j.schemaHasRulesButRef=j.schemaHasRules=j.checkUnknownRules=j.alwaysValidSchema=j.toHash=void 0;var X=D(),hv=Kn();function gv(e){let t={};for(let r of e)t[r]=!0;return t}o(gv,"toHash");j.toHash=gv;function _v(e,t){return typeof t=="boolean"?t:Object.keys(t).length===0?!0:(wp(e,t),!Sp(t,e.self.RULES.all))}o(_v,"alwaysValidSchema");j.alwaysValidSchema=_v;function wp(e,t=e.schema){let{opts:r,self:n}=e;if(!r.strictSchema||typeof t=="boolean")return;let a=n.RULES.keywords;for(let s in t)a[s]||Rp(e,`unknown keyword: "${s}"`)}o(wp,"checkUnknownRules");j.checkUnknownRules=wp;function Sp(e,t){if(typeof e=="boolean")return!e;for(let r in e)if(t[r])return!0;return!1}o(Sp,"schemaHasRules");j.schemaHasRules=Sp;function yv(e,t){if(typeof e=="boolean")return!e;for(let r in e)if(r!=="$ref"&&t.all[r])return!0;return!1}o(yv,"schemaHasRulesButRef");j.schemaHasRulesButRef=yv;function wv({topSchemaRef:e,schemaPath:t},r,n,a){if(!a){if(typeof r=="number"||typeof r=="boolean")return r;if(typeof r=="string")return(0,X._)`${r}`}return(0,X._)`${e}${t}${(0,X.getProperty)(n)}`}o(wv,"schemaRefOrVal");j.schemaRefOrVal=wv;function Sv(e){return vp(decodeURIComponent(e))}o(Sv,"unescapeFragment");j.unescapeFragment=Sv;function vv(e){return encodeURIComponent(vc(e))}o(vv,"escapeFragment");j.escapeFragment=vv;function vc(e){return typeof e=="number"?`${e}`:e.replace(/~/g,"~0").replace(/\//g,"~1")}o(vc,"escapeJsonPointer");j.escapeJsonPointer=vc;function vp(e){return e.replace(/~1/g,"/").replace(/~0/g,"~")}o(vp,"unescapeJsonPointer");j.unescapeJsonPointer=vp;function bv(e,t){if(Array.isArray(e))for(let r of e)t(r);else t(e)}o(bv,"eachItem");j.eachItem=bv;function _p({mergeNames:e,mergeToName:t,mergeValues:r,resultToName:n}){return(a,s,i,c)=>{let d=i===void 0?s:i instanceof X.Name?(s instanceof X.Name?e(a,s,i):t(a,s,i),i):s instanceof X.Name?(t(a,i,s),s):r(s,i);return c===X.Name&&!(d instanceof X.Name)?n(a,d):d}}o(_p,"makeMergeEvaluated");j.mergeEvaluated={props:_p({mergeNames:o((e,t,r)=>e.if((0,X._)`${r} !== true && ${t} !== undefined`,()=>{e.if((0,X._)`${t} === true`,()=>e.assign(r,!0),()=>e.assign(r,(0,X._)`${r} || {}`).code((0,X._)`Object.assign(${r}, ${t})`))}),"mergeNames"),mergeToName:o((e,t,r)=>e.if((0,X._)`${r} !== true`,()=>{t===!0?e.assign(r,!0):(e.assign(r,(0,X._)`${r} || {}`),bc(e,r,t))}),"mergeToName"),mergeValues:o((e,t)=>e===!0?!0:{...e,...t},"mergeValues"),resultToName:bp}),items:_p({mergeNames:o((e,t,r)=>e.if((0,X._)`${r} !== true && ${t} !== undefined`,()=>e.assign(r,(0,X._)`${t} === true ? true : ${r} > ${t} ? ${r} : ${t}`)),"mergeNames"),mergeToName:o((e,t,r)=>e.if((0,X._)`${r} !== true`,()=>e.assign(r,t===!0?!0:(0,X._)`${r} > ${t} ? ${r} : ${t}`)),"mergeToName"),mergeValues:o((e,t)=>e===!0?!0:Math.max(e,t),"mergeValues"),resultToName:o((e,t)=>e.var("items",t),"resultToName")})};function bp(e,t){if(t===!0)return e.var("props",!0);let r=e.var("props",(0,X._)`{}`);return t!==void 0&&bc(e,r,t),r}o(bp,"evaluatedPropsToName");j.evaluatedPropsToName=bp;function bc(e,t,r){Object.keys(r).forEach(n=>e.assign((0,X._)`${t}${(0,X.getProperty)(n)}`,!0))}o(bc,"setEvaluated");j.setEvaluated=bc;var yp={};function Rv(e,t){return e.scopeValue("func",{ref:t,code:yp[t.code]||(yp[t.code]=new hv._Code(t.code))})}o(Rv,"useFunc");j.useFunc=Rv;var Sc;(function(e){e[e.Num=0]="Num",e[e.Str=1]="Str"})(Sc||(j.Type=Sc={}));function Iv(e,t,r){if(e instanceof X.Name){let n=t===Sc.Num;return r?n?(0,X._)`"[" + ${e} + "]"`:(0,X._)`"['" + ${e} + "']"`:n?(0,X._)`"/" + ${e}`:(0,X._)`"/" + ${e}.replace(/~/g, "~0").replace(/\\//g, "~1")`}return r?(0,X.getProperty)(e).toString():"/"+vc(e)}o(Iv,"getErrorPath");j.getErrorPath=Iv;function Rp(e,t,r=e.opts.strictSchema){if(r){if(t=`strict mode: ${t}`,r===!0)throw new Error(t);e.self.logger.warn(t)}}o(Rp,"checkStrictMode");j.checkStrictMode=Rp});var Ot=C(Rc=>{"use strict";Object.defineProperty(Rc,"__esModule",{value:!0});var Ce=D(),Tv={data:new Ce.Name("data"),valCxt:new Ce.Name("valCxt"),instancePath:new Ce.Name("instancePath"),parentData:new Ce.Name("parentData"),parentDataProperty:new Ce.Name("parentDataProperty"),rootData:new Ce.Name("rootData"),dynamicAnchors:new Ce.Name("dynamicAnchors"),vErrors:new Ce.Name("vErrors"),errors:new Ce.Name("errors"),this:new Ce.Name("this"),self:new Ce.Name("self"),scope:new Ce.Name("scope"),json:new Ce.Name("json"),jsonPos:new Ce.Name("jsonPos"),jsonLen:new Ce.Name("jsonLen"),jsonPart:new Ce.Name("jsonPart")};Rc.default=Tv});var eo=C(Ee=>{"use strict";Object.defineProperty(Ee,"__esModule",{value:!0});Ee.extendErrors=Ee.resetErrorsCount=Ee.reportExtraError=Ee.reportError=Ee.keyword$DataError=Ee.keywordError=void 0;var B=D(),Ta=Z(),ke=Ot();Ee.keywordError={message:o(({keyword:e})=>(0,B.str)`must pass "${e}" keyword validation`,"message")};Ee.keyword$DataError={message:o(({keyword:e,schemaType:t})=>t?(0,B.str)`"${e}" keyword must be ${t} ($data)`:(0,B.str)`"${e}" keyword is invalid ($data)`,"message")};function Cv(e,t=Ee.keywordError,r,n){let{it:a}=e,{gen:s,compositeRule:i,allErrors:c}=a,d=Cp(e,t,r);n??(i||c)?Ip(s,d):Tp(a,(0,B._)`[${d}]`)}o(Cv,"reportError");Ee.reportError=Cv;function Ev(e,t=Ee.keywordError,r){let{it:n}=e,{gen:a,compositeRule:s,allErrors:i}=n,c=Cp(e,t,r);Ip(a,c),s||i||Tp(n,ke.default.vErrors)}o(Ev,"reportExtraError");Ee.reportExtraError=Ev;function Av(e,t){e.assign(ke.default.errors,t),e.if((0,B._)`${ke.default.vErrors} !== null`,()=>e.if(t,()=>e.assign((0,B._)`${ke.default.vErrors}.length`,t),()=>e.assign(ke.default.vErrors,null)))}o(Av,"resetErrorsCount");Ee.resetErrorsCount=Av;function Pv({gen:e,keyword:t,schemaValue:r,data:n,errsCount:a,it:s}){if(a===void 0)throw new Error("ajv implementation error");let i=e.name("err");e.forRange("i",a,ke.default.errors,c=>{e.const(i,(0,B._)`${ke.default.vErrors}[${c}]`),e.if((0,B._)`${i}.instancePath === undefined`,()=>e.assign((0,B._)`${i}.instancePath`,(0,B.strConcat)(ke.default.instancePath,s.errorPath))),e.assign((0,B._)`${i}.schemaPath`,(0,B.str)`${s.errSchemaPath}/${t}`),s.opts.verbose&&(e.assign((0,B._)`${i}.schema`,r),e.assign((0,B._)`${i}.data`,n))})}o(Pv,"extendErrors");Ee.extendErrors=Pv;function Ip(e,t){let r=e.const("err",t);e.if((0,B._)`${ke.default.vErrors} === null`,()=>e.assign(ke.default.vErrors,(0,B._)`[${r}]`),(0,B._)`${ke.default.vErrors}.push(${r})`),e.code((0,B._)`${ke.default.errors}++`)}o(Ip,"addError");function Tp(e,t){let{gen:r,validateName:n,schemaEnv:a}=e;a.$async?r.throw((0,B._)`new ${e.ValidationError}(${t})`):(r.assign((0,B._)`${n}.errors`,t),r.return(!1))}o(Tp,"returnErrors");var vr={keyword:new B.Name("keyword"),schemaPath:new B.Name("schemaPath"),params:new B.Name("params"),propertyName:new B.Name("propertyName"),message:new B.Name("message"),schema:new B.Name("schema"),parentSchema:new B.Name("parentSchema")};function Cp(e,t,r){let{createErrors:n}=e.it;return n===!1?(0,B._)`{}`:xv(e,t,r)}o(Cp,"errorObjectCode");function xv(e,t,r={}){let{gen:n,it:a}=e,s=[kv(a,r),Ov(e,r)];return Uv(e,t,s),n.object(...s)}o(xv,"errorObject");function kv({errorPath:e},{instancePath:t}){let r=t?(0,B.str)`${e}${(0,Ta.getErrorPath)(t,Ta.Type.Str)}`:e;return[ke.default.instancePath,(0,B.strConcat)(ke.default.instancePath,r)]}o(kv,"errorInstancePath");function Ov({keyword:e,it:{errSchemaPath:t}},{schemaPath:r,parentSchema:n}){let a=n?t:(0,B.str)`${t}/${e}`;return r&&(a=(0,B.str)`${a}${(0,Ta.getErrorPath)(r,Ta.Type.Str)}`),[vr.schemaPath,a]}o(Ov,"errorSchemaPath");function Uv(e,{params:t,message:r},n){let{keyword:a,data:s,schemaValue:i,it:c}=e,{opts:d,propertyName:p,topSchemaRef:l,schemaPath:m}=c;n.push([vr.keyword,a],[vr.params,typeof t=="function"?t(e):t||(0,B._)`{}`]),d.messages&&n.push([vr.message,typeof r=="function"?r(e):r]),d.verbose&&n.push([vr.schema,i],[vr.parentSchema,(0,B._)`${l}${m}`],[ke.default.data,s]),p&&n.push([vr.propertyName,p])}o(Uv,"extraErrorProps")});var Ap=C(Wr=>{"use strict";Object.defineProperty(Wr,"__esModule",{value:!0});Wr.boolOrEmptySchema=Wr.topBoolOrEmptySchema=void 0;var Nv=eo(),$v=D(),zv=Ot(),Mv={message:"boolean schema is false"};function Dv(e){let{gen:t,schema:r,validateName:n}=e;r===!1?Ep(e,!1):typeof r=="object"&&r.$async===!0?t.return(zv.default.data):(t.assign((0,$v._)`${n}.errors`,null),t.return(!0))}o(Dv,"topBoolOrEmptySchema");Wr.topBoolOrEmptySchema=Dv;function qv(e,t){let{gen:r,schema:n}=e;n===!1?(r.var(t,!1),Ep(e)):r.var(t,!0)}o(qv,"boolOrEmptySchema");Wr.boolOrEmptySchema=qv;function Ep(e,t){let{gen:r,data:n}=e,a={gen:r,keyword:"false schema",data:n,schema:!1,schemaCode:!1,schemaValue:!1,params:{},it:e};(0,Nv.reportError)(a,Mv,void 0,t)}o(Ep,"falseSchemaError")});var Ic=C(Jr=>{"use strict";Object.defineProperty(Jr,"__esModule",{value:!0});Jr.getRules=Jr.isJSONType=void 0;var Lv=["string","number","integer","boolean","null","object","array"],jv=new Set(Lv);function Hv(e){return typeof e=="string"&&jv.has(e)}o(Hv,"isJSONType");Jr.isJSONType=Hv;function Gv(){let e={number:{type:"number",rules:[]},string:{type:"string",rules:[]},array:{type:"array",rules:[]},object:{type:"object",rules:[]}};return{types:{...e,integer:!0,boolean:!0,null:!0},rules:[{rules:[]},e.number,e.string,e.array,e.object],post:{rules:[]},all:{},keywords:{}}}o(Gv,"getRules");Jr.getRules=Gv});var Tc=C(Xt=>{"use strict";Object.defineProperty(Xt,"__esModule",{value:!0});Xt.shouldUseRule=Xt.shouldUseGroup=Xt.schemaHasRulesForType=void 0;function Bv({schema:e,self:t},r){let n=t.RULES.types[r];return n&&n!==!0&&Pp(e,n)}o(Bv,"schemaHasRulesForType");Xt.schemaHasRulesForType=Bv;function Pp(e,t){return t.rules.some(r=>xp(e,r))}o(Pp,"shouldUseGroup");Xt.shouldUseGroup=Pp;function xp(e,t){var r;return e[t.keyword]!==void 0||((r=t.definition.implements)===null||r===void 0?void 0:r.some(n=>e[n]!==void 0))}o(xp,"shouldUseRule");Xt.shouldUseRule=xp});var to=C(Ae=>{"use strict";Object.defineProperty(Ae,"__esModule",{value:!0});Ae.reportTypeError=Ae.checkDataTypes=Ae.checkDataType=Ae.coerceAndCheckDataType=Ae.getJSONTypes=Ae.getSchemaTypes=Ae.DataType=void 0;var Vv=Ic(),Fv=Tc(),Zv=eo(),M=D(),kp=Z(),Yr;(function(e){e[e.Correct=0]="Correct",e[e.Wrong=1]="Wrong"})(Yr||(Ae.DataType=Yr={}));function Kv(e){let t=Op(e.type);if(t.includes("null")){if(e.nullable===!1)throw new Error("type: null contradicts nullable: false")}else{if(!t.length&&e.nullable!==void 0)throw new Error('"nullable" cannot be used without "type"');e.nullable===!0&&t.push("null")}return t}o(Kv,"getSchemaTypes");Ae.getSchemaTypes=Kv;function Op(e){let t=Array.isArray(e)?e:e?[e]:[];if(t.every(Vv.isJSONType))return t;throw new Error("type must be JSONType or JSONType[]: "+t.join(","))}o(Op,"getJSONTypes");Ae.getJSONTypes=Op;function Wv(e,t){let{gen:r,data:n,opts:a}=e,s=Jv(t,a.coerceTypes),i=t.length>0&&!(s.length===0&&t.length===1&&(0,Fv.schemaHasRulesForType)(e,t[0]));if(i){let c=Ec(t,n,a.strictNumbers,Yr.Wrong);r.if(c,()=>{s.length?Yv(e,t,s):Ac(e)})}return i}o(Wv,"coerceAndCheckDataType");Ae.coerceAndCheckDataType=Wv;var Up=new Set(["string","number","integer","boolean","null"]);function Jv(e,t){return t?e.filter(r=>Up.has(r)||t==="array"&&r==="array"):[]}o(Jv,"coerceToTypes");function Yv(e,t,r){let{gen:n,data:a,opts:s}=e,i=n.let("dataType",(0,M._)`typeof ${a}`),c=n.let("coerced",(0,M._)`undefined`);s.coerceTypes==="array"&&n.if((0,M._)`${i} == 'object' && Array.isArray(${a}) && ${a}.length == 1`,()=>n.assign(a,(0,M._)`${a}[0]`).assign(i,(0,M._)`typeof ${a}`).if(Ec(t,a,s.strictNumbers),()=>n.assign(c,a))),n.if((0,M._)`${c} !== undefined`);for(let p of r)(Up.has(p)||p==="array"&&s.coerceTypes==="array")&&d(p);n.else(),Ac(e),n.endIf(),n.if((0,M._)`${c} !== undefined`,()=>{n.assign(a,c),Xv(e,c)});function d(p){switch(p){case"string":n.elseIf((0,M._)`${i} == "number" || ${i} == "boolean"`).assign(c,(0,M._)`"" + ${a}`).elseIf((0,M._)`${a} === null`).assign(c,(0,M._)`""`);return;case"number":n.elseIf((0,M._)`${i} == "boolean" || ${a} === null
27
- || (${i} == "string" && ${a} && ${a} == +${a})`).assign(c,(0,M._)`+${a}`);return;case"integer":n.elseIf((0,M._)`${i} === "boolean" || ${a} === null
28
- || (${i} === "string" && ${a} && ${a} == +${a} && !(${a} % 1))`).assign(c,(0,M._)`+${a}`);return;case"boolean":n.elseIf((0,M._)`${a} === "false" || ${a} === 0 || ${a} === null`).assign(c,!1).elseIf((0,M._)`${a} === "true" || ${a} === 1`).assign(c,!0);return;case"null":n.elseIf((0,M._)`${a} === "" || ${a} === 0 || ${a} === false`),n.assign(c,null);return;case"array":n.elseIf((0,M._)`${i} === "string" || ${i} === "number"
29
- || ${i} === "boolean" || ${a} === null`).assign(c,(0,M._)`[${a}]`)}}o(d,"coerceSpecificType")}o(Yv,"coerceData");function Xv({gen:e,parentData:t,parentDataProperty:r},n){e.if((0,M._)`${t} !== undefined`,()=>e.assign((0,M._)`${t}[${r}]`,n))}o(Xv,"assignParentData");function Cc(e,t,r,n=Yr.Correct){let a=n===Yr.Correct?M.operators.EQ:M.operators.NEQ,s;switch(e){case"null":return(0,M._)`${t} ${a} null`;case"array":s=(0,M._)`Array.isArray(${t})`;break;case"object":s=(0,M._)`${t} && typeof ${t} == "object" && !Array.isArray(${t})`;break;case"integer":s=i((0,M._)`!(${t} % 1) && !isNaN(${t})`);break;case"number":s=i();break;default:return(0,M._)`typeof ${t} ${a} ${e}`}return n===Yr.Correct?s:(0,M.not)(s);function i(c=M.nil){return(0,M.and)((0,M._)`typeof ${t} == "number"`,c,r?(0,M._)`isFinite(${t})`:M.nil)}}o(Cc,"checkDataType");Ae.checkDataType=Cc;function Ec(e,t,r,n){if(e.length===1)return Cc(e[0],t,r,n);let a,s=(0,kp.toHash)(e);if(s.array&&s.object){let i=(0,M._)`typeof ${t} != "object"`;a=s.null?i:(0,M._)`!${t} || ${i}`,delete s.null,delete s.array,delete s.object}else a=M.nil;s.number&&delete s.integer;for(let i in s)a=(0,M.and)(a,Cc(i,t,r,n));return a}o(Ec,"checkDataTypes");Ae.checkDataTypes=Ec;var Qv={message:o(({schema:e})=>`must be ${e}`,"message"),params:o(({schema:e,schemaValue:t})=>typeof e=="string"?(0,M._)`{type: ${e}}`:(0,M._)`{type: ${t}}`,"params")};function Ac(e){let t=eb(e);(0,Zv.reportError)(t,Qv)}o(Ac,"reportTypeError");Ae.reportTypeError=Ac;function eb(e){let{gen:t,data:r,schema:n}=e,a=(0,kp.schemaRefOrVal)(e,n,"type");return{gen:t,keyword:"type",data:r,schema:n.type,schemaCode:a,schemaValue:a,parentSchema:n,params:{},it:e}}o(eb,"getTypeErrorContext")});var $p=C(Ca=>{"use strict";Object.defineProperty(Ca,"__esModule",{value:!0});Ca.assignDefaults=void 0;var Xr=D(),tb=Z();function rb(e,t){let{properties:r,items:n}=e.schema;if(t==="object"&&r)for(let a in r)Np(e,a,r[a].default);else t==="array"&&Array.isArray(n)&&n.forEach((a,s)=>Np(e,s,a.default))}o(rb,"assignDefaults");Ca.assignDefaults=rb;function Np(e,t,r){let{gen:n,compositeRule:a,data:s,opts:i}=e;if(r===void 0)return;let c=(0,Xr._)`${s}${(0,Xr.getProperty)(t)}`;if(a){(0,tb.checkStrictMode)(e,`default is ignored for: ${c}`);return}let d=(0,Xr._)`${c} === undefined`;i.useDefaults==="empty"&&(d=(0,Xr._)`${d} || ${c} === null || ${c} === ""`),n.if(d,(0,Xr._)`${c} = ${(0,Xr.stringify)(r)}`)}o(Np,"assignDefault")});var Ye=C(J=>{"use strict";Object.defineProperty(J,"__esModule",{value:!0});J.validateUnion=J.validateArray=J.usePattern=J.callValidateCode=J.schemaProperties=J.allSchemaProperties=J.noPropertyInData=J.propertyInData=J.isOwnProperty=J.hasPropFunc=J.reportMissingProp=J.checkMissingProp=J.checkReportMissingProp=void 0;var te=D(),Pc=Z(),Qt=Ot(),nb=Z();function ob(e,t){let{gen:r,data:n,it:a}=e;r.if(kc(r,n,t,a.opts.ownProperties),()=>{e.setParams({missingProperty:(0,te._)`${t}`},!0),e.error()})}o(ob,"checkReportMissingProp");J.checkReportMissingProp=ob;function ab({gen:e,data:t,it:{opts:r}},n,a){return(0,te.or)(...n.map(s=>(0,te.and)(kc(e,t,s,r.ownProperties),(0,te._)`${a} = ${s}`)))}o(ab,"checkMissingProp");J.checkMissingProp=ab;function sb(e,t){e.setParams({missingProperty:t},!0),e.error()}o(sb,"reportMissingProp");J.reportMissingProp=sb;function zp(e){return e.scopeValue("func",{ref:Object.prototype.hasOwnProperty,code:(0,te._)`Object.prototype.hasOwnProperty`})}o(zp,"hasPropFunc");J.hasPropFunc=zp;function xc(e,t,r){return(0,te._)`${zp(e)}.call(${t}, ${r})`}o(xc,"isOwnProperty");J.isOwnProperty=xc;function ib(e,t,r,n){let a=(0,te._)`${t}${(0,te.getProperty)(r)} !== undefined`;return n?(0,te._)`${a} && ${xc(e,t,r)}`:a}o(ib,"propertyInData");J.propertyInData=ib;function kc(e,t,r,n){let a=(0,te._)`${t}${(0,te.getProperty)(r)} === undefined`;return n?(0,te.or)(a,(0,te.not)(xc(e,t,r))):a}o(kc,"noPropertyInData");J.noPropertyInData=kc;function Mp(e){return e?Object.keys(e).filter(t=>t!=="__proto__"):[]}o(Mp,"allSchemaProperties");J.allSchemaProperties=Mp;function cb(e,t){return Mp(t).filter(r=>!(0,Pc.alwaysValidSchema)(e,t[r]))}o(cb,"schemaProperties");J.schemaProperties=cb;function ub({schemaCode:e,data:t,it:{gen:r,topSchemaRef:n,schemaPath:a,errorPath:s},it:i},c,d,p){let l=p?(0,te._)`${e}, ${t}, ${n}${a}`:t,m=[[Qt.default.instancePath,(0,te.strConcat)(Qt.default.instancePath,s)],[Qt.default.parentData,i.parentData],[Qt.default.parentDataProperty,i.parentDataProperty],[Qt.default.rootData,Qt.default.rootData]];i.opts.dynamicRef&&m.push([Qt.default.dynamicAnchors,Qt.default.dynamicAnchors]);let h=(0,te._)`${l}, ${r.object(...m)}`;return d!==te.nil?(0,te._)`${c}.call(${d}, ${h})`:(0,te._)`${c}(${h})`}o(ub,"callValidateCode");J.callValidateCode=ub;var db=(0,te._)`new RegExp`;function lb({gen:e,it:{opts:t}},r){let n=t.unicodeRegExp?"u":"",{regExp:a}=t.code,s=a(r,n);return e.scopeValue("pattern",{key:s.toString(),ref:s,code:(0,te._)`${a.code==="new RegExp"?db:(0,nb.useFunc)(e,a)}(${r}, ${n})`})}o(lb,"usePattern");J.usePattern=lb;function pb(e){let{gen:t,data:r,keyword:n,it:a}=e,s=t.name("valid");if(a.allErrors){let c=t.let("valid",!0);return i(()=>t.assign(c,!1)),c}return t.var(s,!0),i(()=>t.break()),s;function i(c){let d=t.const("len",(0,te._)`${r}.length`);t.forRange("i",0,d,p=>{e.subschema({keyword:n,dataProp:p,dataPropType:Pc.Type.Num},s),t.if((0,te.not)(s),c)})}o(i,"validateItems")}o(pb,"validateArray");J.validateArray=pb;function mb(e){let{gen:t,schema:r,keyword:n,it:a}=e;if(!Array.isArray(r))throw new Error("ajv implementation error");if(r.some(d=>(0,Pc.alwaysValidSchema)(a,d))&&!a.opts.unevaluated)return;let i=t.let("valid",!1),c=t.name("_valid");t.block(()=>r.forEach((d,p)=>{let l=e.subschema({keyword:n,schemaProp:p,compositeRule:!0},c);t.assign(i,(0,te._)`${i} || ${c}`),e.mergeValidEvaluated(l,c)||t.if((0,te.not)(i))})),e.result(i,()=>e.reset(),()=>e.error(!0))}o(mb,"validateUnion");J.validateUnion=mb});var Lp=C(ft=>{"use strict";Object.defineProperty(ft,"__esModule",{value:!0});ft.validateKeywordUsage=ft.validSchemaType=ft.funcKeywordCode=ft.macroKeywordCode=void 0;var Oe=D(),br=Ot(),fb=Ye(),hb=eo();function gb(e,t){let{gen:r,keyword:n,schema:a,parentSchema:s,it:i}=e,c=t.macro.call(i.self,a,s,i),d=qp(r,n,c);i.opts.validateSchema!==!1&&i.self.validateSchema(c,!0);let p=r.name("valid");e.subschema({schema:c,schemaPath:Oe.nil,errSchemaPath:`${i.errSchemaPath}/${n}`,topSchemaRef:d,compositeRule:!0},p),e.pass(p,()=>e.error(!0))}o(gb,"macroKeywordCode");ft.macroKeywordCode=gb;function _b(e,t){var r;let{gen:n,keyword:a,schema:s,parentSchema:i,$data:c,it:d}=e;wb(d,t);let p=!c&&t.compile?t.compile.call(d.self,s,i,d):t.validate,l=qp(n,a,p),m=n.let("valid");e.block$data(m,h),e.ok((r=t.valid)!==null&&r!==void 0?r:m);function h(){if(t.errors===!1)y(),t.modifying&&Dp(e),S(()=>e.error());else{let v=t.async?_():w();t.modifying&&Dp(e),S(()=>yb(e,v))}}o(h,"validateKeyword");function _(){let v=n.let("ruleErrs",null);return n.try(()=>y((0,Oe._)`await `),b=>n.assign(m,!1).if((0,Oe._)`${b} instanceof ${d.ValidationError}`,()=>n.assign(v,(0,Oe._)`${b}.errors`),()=>n.throw(b))),v}o(_,"validateAsync");function w(){let v=(0,Oe._)`${l}.errors`;return n.assign(v,null),y(Oe.nil),v}o(w,"validateSync");function y(v=t.async?(0,Oe._)`await `:Oe.nil){let b=d.opts.passContext?br.default.this:br.default.self,T=!("compile"in t&&!c||t.schema===!1);n.assign(m,(0,Oe._)`${v}${(0,fb.callValidateCode)(e,l,b,T)}`,t.modifying)}o(y,"assignValid");function S(v){var b;n.if((0,Oe.not)((b=t.valid)!==null&&b!==void 0?b:m),v)}o(S,"reportErrs")}o(_b,"funcKeywordCode");ft.funcKeywordCode=_b;function Dp(e){let{gen:t,data:r,it:n}=e;t.if(n.parentData,()=>t.assign(r,(0,Oe._)`${n.parentData}[${n.parentDataProperty}]`))}o(Dp,"modifyData");function yb(e,t){let{gen:r}=e;r.if((0,Oe._)`Array.isArray(${t})`,()=>{r.assign(br.default.vErrors,(0,Oe._)`${br.default.vErrors} === null ? ${t} : ${br.default.vErrors}.concat(${t})`).assign(br.default.errors,(0,Oe._)`${br.default.vErrors}.length`),(0,hb.extendErrors)(e)},()=>e.error())}o(yb,"addErrs");function wb({schemaEnv:e},t){if(t.async&&!e.$async)throw new Error("async keyword in sync schema")}o(wb,"checkAsyncKeyword");function qp(e,t,r){if(r===void 0)throw new Error(`keyword "${t}" failed to compile`);return e.scopeValue("keyword",typeof r=="function"?{ref:r}:{ref:r,code:(0,Oe.stringify)(r)})}o(qp,"useKeyword");function Sb(e,t,r=!1){return!t.length||t.some(n=>n==="array"?Array.isArray(e):n==="object"?e&&typeof e=="object"&&!Array.isArray(e):typeof e==n||r&&typeof e>"u")}o(Sb,"validSchemaType");ft.validSchemaType=Sb;function vb({schema:e,opts:t,self:r,errSchemaPath:n},a,s){if(Array.isArray(a.keyword)?!a.keyword.includes(s):a.keyword!==s)throw new Error("ajv implementation error");let i=a.dependencies;if(i?.some(c=>!Object.prototype.hasOwnProperty.call(e,c)))throw new Error(`parent schema must have dependencies of ${s}: ${i.join(",")}`);if(a.validateSchema&&!a.validateSchema(e[s])){let d=`keyword "${s}" value is invalid at path "${n}": `+r.errorsText(a.validateSchema.errors);if(t.validateSchema==="log")r.logger.error(d);else throw new Error(d)}}o(vb,"validateKeywordUsage");ft.validateKeywordUsage=vb});var Hp=C(er=>{"use strict";Object.defineProperty(er,"__esModule",{value:!0});er.extendSubschemaMode=er.extendSubschemaData=er.getSubschema=void 0;var ht=D(),jp=Z();function bb(e,{keyword:t,schemaProp:r,schema:n,schemaPath:a,errSchemaPath:s,topSchemaRef:i}){if(t!==void 0&&n!==void 0)throw new Error('both "keyword" and "schema" passed, only one allowed');if(t!==void 0){let c=e.schema[t];return r===void 0?{schema:c,schemaPath:(0,ht._)`${e.schemaPath}${(0,ht.getProperty)(t)}`,errSchemaPath:`${e.errSchemaPath}/${t}`}:{schema:c[r],schemaPath:(0,ht._)`${e.schemaPath}${(0,ht.getProperty)(t)}${(0,ht.getProperty)(r)}`,errSchemaPath:`${e.errSchemaPath}/${t}/${(0,jp.escapeFragment)(r)}`}}if(n!==void 0){if(a===void 0||s===void 0||i===void 0)throw new Error('"schemaPath", "errSchemaPath" and "topSchemaRef" are required with "schema"');return{schema:n,schemaPath:a,topSchemaRef:i,errSchemaPath:s}}throw new Error('either "keyword" or "schema" must be passed')}o(bb,"getSubschema");er.getSubschema=bb;function Rb(e,t,{dataProp:r,dataPropType:n,data:a,dataTypes:s,propertyName:i}){if(a!==void 0&&r!==void 0)throw new Error('both "data" and "dataProp" passed, only one allowed');let{gen:c}=t;if(r!==void 0){let{errorPath:p,dataPathArr:l,opts:m}=t,h=c.let("data",(0,ht._)`${t.data}${(0,ht.getProperty)(r)}`,!0);d(h),e.errorPath=(0,ht.str)`${p}${(0,jp.getErrorPath)(r,n,m.jsPropertySyntax)}`,e.parentDataProperty=(0,ht._)`${r}`,e.dataPathArr=[...l,e.parentDataProperty]}if(a!==void 0){let p=a instanceof ht.Name?a:c.let("data",a,!0);d(p),i!==void 0&&(e.propertyName=i)}s&&(e.dataTypes=s);function d(p){e.data=p,e.dataLevel=t.dataLevel+1,e.dataTypes=[],t.definedProperties=new Set,e.parentData=t.data,e.dataNames=[...t.dataNames,p]}o(d,"dataContextProps")}o(Rb,"extendSubschemaData");er.extendSubschemaData=Rb;function Ib(e,{jtdDiscriminator:t,jtdMetadata:r,compositeRule:n,createErrors:a,allErrors:s}){n!==void 0&&(e.compositeRule=n),a!==void 0&&(e.createErrors=a),s!==void 0&&(e.allErrors=s),e.jtdDiscriminator=t,e.jtdMetadata=r}o(Ib,"extendSubschemaMode");er.extendSubschemaMode=Ib});var Oc=C((pL,Gp)=>{"use strict";Gp.exports=o(function e(t,r){if(t===r)return!0;if(t&&r&&typeof t=="object"&&typeof r=="object"){if(t.constructor!==r.constructor)return!1;var n,a,s;if(Array.isArray(t)){if(n=t.length,n!=r.length)return!1;for(a=n;a--!==0;)if(!e(t[a],r[a]))return!1;return!0}if(t.constructor===RegExp)return t.source===r.source&&t.flags===r.flags;if(t.valueOf!==Object.prototype.valueOf)return t.valueOf()===r.valueOf();if(t.toString!==Object.prototype.toString)return t.toString()===r.toString();if(s=Object.keys(t),n=s.length,n!==Object.keys(r).length)return!1;for(a=n;a--!==0;)if(!Object.prototype.hasOwnProperty.call(r,s[a]))return!1;for(a=n;a--!==0;){var i=s[a];if(!e(t[i],r[i]))return!1}return!0}return t!==t&&r!==r},"equal")});var Vp=C((fL,Bp)=>{"use strict";var tr=Bp.exports=function(e,t,r){typeof t=="function"&&(r=t,t={}),r=t.cb||r;var n=typeof r=="function"?r:r.pre||function(){},a=r.post||function(){};Ea(t,n,a,e,"",e)};tr.keywords={additionalItems:!0,items:!0,contains:!0,additionalProperties:!0,propertyNames:!0,not:!0,if:!0,then:!0,else:!0};tr.arrayKeywords={items:!0,allOf:!0,anyOf:!0,oneOf:!0};tr.propsKeywords={$defs:!0,definitions:!0,properties:!0,patternProperties:!0,dependencies:!0};tr.skipKeywords={default:!0,enum:!0,const:!0,required:!0,maximum:!0,minimum:!0,exclusiveMaximum:!0,exclusiveMinimum:!0,multipleOf:!0,maxLength:!0,minLength:!0,pattern:!0,format:!0,maxItems:!0,minItems:!0,uniqueItems:!0,maxProperties:!0,minProperties:!0};function Ea(e,t,r,n,a,s,i,c,d,p){if(n&&typeof n=="object"&&!Array.isArray(n)){t(n,a,s,i,c,d,p);for(var l in n){var m=n[l];if(Array.isArray(m)){if(l in tr.arrayKeywords)for(var h=0;h<m.length;h++)Ea(e,t,r,m[h],a+"/"+l+"/"+h,s,a,l,n,h)}else if(l in tr.propsKeywords){if(m&&typeof m=="object")for(var _ in m)Ea(e,t,r,m[_],a+"/"+l+"/"+Tb(_),s,a,l,n,_)}else(l in tr.keywords||e.allKeys&&!(l in tr.skipKeywords))&&Ea(e,t,r,m,a+"/"+l,s,a,l,n)}r(n,a,s,i,c,d,p)}}o(Ea,"_traverse");function Tb(e){return e.replace(/~/g,"~0").replace(/\//g,"~1")}o(Tb,"escapeJsonPtr")});var ro=C(De=>{"use strict";Object.defineProperty(De,"__esModule",{value:!0});De.getSchemaRefs=De.resolveUrl=De.normalizeId=De._getFullPath=De.getFullPath=De.inlineRef=void 0;var Cb=Z(),Eb=Oc(),Ab=Vp(),Pb=new Set(["type","format","pattern","maxLength","minLength","maxProperties","minProperties","maxItems","minItems","maximum","minimum","uniqueItems","multipleOf","required","enum","const"]);function xb(e,t=!0){return typeof e=="boolean"?!0:t===!0?!Uc(e):t?Fp(e)<=t:!1}o(xb,"inlineRef");De.inlineRef=xb;var kb=new Set(["$ref","$recursiveRef","$recursiveAnchor","$dynamicRef","$dynamicAnchor"]);function Uc(e){for(let t in e){if(kb.has(t))return!0;let r=e[t];if(Array.isArray(r)&&r.some(Uc)||typeof r=="object"&&Uc(r))return!0}return!1}o(Uc,"hasRef");function Fp(e){let t=0;for(let r in e){if(r==="$ref")return 1/0;if(t++,!Pb.has(r)&&(typeof e[r]=="object"&&(0,Cb.eachItem)(e[r],n=>t+=Fp(n)),t===1/0))return 1/0}return t}o(Fp,"countKeys");function Zp(e,t="",r){r!==!1&&(t=Qr(t));let n=e.parse(t);return Kp(e,n)}o(Zp,"getFullPath");De.getFullPath=Zp;function Kp(e,t){return e.serialize(t).split("#")[0]+"#"}o(Kp,"_getFullPath");De._getFullPath=Kp;var Ob=/#\/?$/;function Qr(e){return e?e.replace(Ob,""):""}o(Qr,"normalizeId");De.normalizeId=Qr;function Ub(e,t,r){return r=Qr(r),e.resolve(t,r)}o(Ub,"resolveUrl");De.resolveUrl=Ub;var Nb=/^[a-z_][-a-z0-9._]*$/i;function $b(e,t){if(typeof e=="boolean")return{};let{schemaId:r,uriResolver:n}=this.opts,a=Qr(e[r]||t),s={"":a},i=Zp(n,a,!1),c={},d=new Set;return Ab(e,{allKeys:!0},(m,h,_,w)=>{if(w===void 0)return;let y=i+h,S=s[w];typeof m[r]=="string"&&(S=v.call(this,m[r])),b.call(this,m.$anchor),b.call(this,m.$dynamicAnchor),s[h]=S;function v(T){let U=this.opts.uriResolver.resolve;if(T=Qr(S?U(S,T):T),d.has(T))throw l(T);d.add(T);let $=this.refs[T];return typeof $=="string"&&($=this.refs[$]),typeof $=="object"?p(m,$.schema,T):T!==Qr(y)&&(T[0]==="#"?(p(m,c[T],T),c[T]=m):this.refs[T]=y),T}o(v,"addRef");function b(T){if(typeof T=="string"){if(!Nb.test(T))throw new Error(`invalid anchor "${T}"`);v.call(this,`#${T}`)}}o(b,"addAnchor")}),c;function p(m,h,_){if(h!==void 0&&!Eb(m,h))throw l(_)}o(p,"checkAmbiguosRef");function l(m){return new Error(`reference "${m}" resolves to more than one schema`)}o(l,"ambiguos")}o($b,"getSchemaRefs");De.getSchemaRefs=$b});var ao=C(rr=>{"use strict";Object.defineProperty(rr,"__esModule",{value:!0});rr.getData=rr.KeywordCxt=rr.validateFunctionCode=void 0;var Qp=Ap(),Wp=to(),$c=Tc(),Aa=to(),zb=$p(),oo=Lp(),Nc=Hp(),x=D(),N=Ot(),Mb=ro(),Ut=Z(),no=eo();function Db(e){if(rm(e)&&(nm(e),tm(e))){jb(e);return}em(e,()=>(0,Qp.topBoolOrEmptySchema)(e))}o(Db,"validateFunctionCode");rr.validateFunctionCode=Db;function em({gen:e,validateName:t,schema:r,schemaEnv:n,opts:a},s){a.code.es5?e.func(t,(0,x._)`${N.default.data}, ${N.default.valCxt}`,n.$async,()=>{e.code((0,x._)`"use strict"; ${Jp(r,a)}`),Lb(e,a),e.code(s)}):e.func(t,(0,x._)`${N.default.data}, ${qb(a)}`,n.$async,()=>e.code(Jp(r,a)).code(s))}o(em,"validateFunction");function qb(e){return(0,x._)`{${N.default.instancePath}="", ${N.default.parentData}, ${N.default.parentDataProperty}, ${N.default.rootData}=${N.default.data}${e.dynamicRef?(0,x._)`, ${N.default.dynamicAnchors}={}`:x.nil}}={}`}o(qb,"destructureValCxt");function Lb(e,t){e.if(N.default.valCxt,()=>{e.var(N.default.instancePath,(0,x._)`${N.default.valCxt}.${N.default.instancePath}`),e.var(N.default.parentData,(0,x._)`${N.default.valCxt}.${N.default.parentData}`),e.var(N.default.parentDataProperty,(0,x._)`${N.default.valCxt}.${N.default.parentDataProperty}`),e.var(N.default.rootData,(0,x._)`${N.default.valCxt}.${N.default.rootData}`),t.dynamicRef&&e.var(N.default.dynamicAnchors,(0,x._)`${N.default.valCxt}.${N.default.dynamicAnchors}`)},()=>{e.var(N.default.instancePath,(0,x._)`""`),e.var(N.default.parentData,(0,x._)`undefined`),e.var(N.default.parentDataProperty,(0,x._)`undefined`),e.var(N.default.rootData,N.default.data),t.dynamicRef&&e.var(N.default.dynamicAnchors,(0,x._)`{}`)})}o(Lb,"destructureValCxtES5");function jb(e){let{schema:t,opts:r,gen:n}=e;em(e,()=>{r.$comment&&t.$comment&&am(e),Fb(e),n.let(N.default.vErrors,null),n.let(N.default.errors,0),r.unevaluated&&Hb(e),om(e),Wb(e)})}o(jb,"topSchemaObjCode");function Hb(e){let{gen:t,validateName:r}=e;e.evaluated=t.const("evaluated",(0,x._)`${r}.evaluated`),t.if((0,x._)`${e.evaluated}.dynamicProps`,()=>t.assign((0,x._)`${e.evaluated}.props`,(0,x._)`undefined`)),t.if((0,x._)`${e.evaluated}.dynamicItems`,()=>t.assign((0,x._)`${e.evaluated}.items`,(0,x._)`undefined`))}o(Hb,"resetEvaluated");function Jp(e,t){let r=typeof e=="object"&&e[t.schemaId];return r&&(t.code.source||t.code.process)?(0,x._)`/*# sourceURL=${r} */`:x.nil}o(Jp,"funcSourceUrl");function Gb(e,t){if(rm(e)&&(nm(e),tm(e))){Bb(e,t);return}(0,Qp.boolOrEmptySchema)(e,t)}o(Gb,"subschemaCode");function tm({schema:e,self:t}){if(typeof e=="boolean")return!e;for(let r in e)if(t.RULES.all[r])return!0;return!1}o(tm,"schemaCxtHasRules");function rm(e){return typeof e.schema!="boolean"}o(rm,"isSchemaObj");function Bb(e,t){let{schema:r,gen:n,opts:a}=e;a.$comment&&r.$comment&&am(e),Zb(e),Kb(e);let s=n.const("_errs",N.default.errors);om(e,s),n.var(t,(0,x._)`${s} === ${N.default.errors}`)}o(Bb,"subSchemaObjCode");function nm(e){(0,Ut.checkUnknownRules)(e),Vb(e)}o(nm,"checkKeywords");function om(e,t){if(e.opts.jtd)return Yp(e,[],!1,t);let r=(0,Wp.getSchemaTypes)(e.schema),n=(0,Wp.coerceAndCheckDataType)(e,r);Yp(e,r,!n,t)}o(om,"typeAndKeywords");function Vb(e){let{schema:t,errSchemaPath:r,opts:n,self:a}=e;t.$ref&&n.ignoreKeywordsWithRef&&(0,Ut.schemaHasRulesButRef)(t,a.RULES)&&a.logger.warn(`$ref: keywords ignored in schema at path "${r}"`)}o(Vb,"checkRefsAndKeywords");function Fb(e){let{schema:t,opts:r}=e;t.default!==void 0&&r.useDefaults&&r.strictSchema&&(0,Ut.checkStrictMode)(e,"default is ignored in the schema root")}o(Fb,"checkNoDefault");function Zb(e){let t=e.schema[e.opts.schemaId];t&&(e.baseId=(0,Mb.resolveUrl)(e.opts.uriResolver,e.baseId,t))}o(Zb,"updateContext");function Kb(e){if(e.schema.$async&&!e.schemaEnv.$async)throw new Error("async schema in sync schema")}o(Kb,"checkAsyncSchema");function am({gen:e,schemaEnv:t,schema:r,errSchemaPath:n,opts:a}){let s=r.$comment;if(a.$comment===!0)e.code((0,x._)`${N.default.self}.logger.log(${s})`);else if(typeof a.$comment=="function"){let i=(0,x.str)`${n}/$comment`,c=e.scopeValue("root",{ref:t.root});e.code((0,x._)`${N.default.self}.opts.$comment(${s}, ${i}, ${c}.schema)`)}}o(am,"commentKeyword");function Wb(e){let{gen:t,schemaEnv:r,validateName:n,ValidationError:a,opts:s}=e;r.$async?t.if((0,x._)`${N.default.errors} === 0`,()=>t.return(N.default.data),()=>t.throw((0,x._)`new ${a}(${N.default.vErrors})`)):(t.assign((0,x._)`${n}.errors`,N.default.vErrors),s.unevaluated&&Jb(e),t.return((0,x._)`${N.default.errors} === 0`))}o(Wb,"returnResults");function Jb({gen:e,evaluated:t,props:r,items:n}){r instanceof x.Name&&e.assign((0,x._)`${t}.props`,r),n instanceof x.Name&&e.assign((0,x._)`${t}.items`,n)}o(Jb,"assignEvaluated");function Yp(e,t,r,n){let{gen:a,schema:s,data:i,allErrors:c,opts:d,self:p}=e,{RULES:l}=p;if(s.$ref&&(d.ignoreKeywordsWithRef||!(0,Ut.schemaHasRulesButRef)(s,l))){a.block(()=>im(e,"$ref",l.all.$ref.definition));return}d.jtd||Yb(e,t),a.block(()=>{for(let h of l.rules)m(h);m(l.post)});function m(h){(0,$c.shouldUseGroup)(s,h)&&(h.type?(a.if((0,Aa.checkDataType)(h.type,i,d.strictNumbers)),Xp(e,h),t.length===1&&t[0]===h.type&&r&&(a.else(),(0,Aa.reportTypeError)(e)),a.endIf()):Xp(e,h),c||a.if((0,x._)`${N.default.errors} === ${n||0}`))}o(m,"groupKeywords")}o(Yp,"schemaKeywords");function Xp(e,t){let{gen:r,schema:n,opts:{useDefaults:a}}=e;a&&(0,zb.assignDefaults)(e,t.type),r.block(()=>{for(let s of t.rules)(0,$c.shouldUseRule)(n,s)&&im(e,s.keyword,s.definition,t.type)})}o(Xp,"iterateKeywords");function Yb(e,t){e.schemaEnv.meta||!e.opts.strictTypes||(Xb(e,t),e.opts.allowUnionTypes||Qb(e,t),eR(e,e.dataTypes))}o(Yb,"checkStrictTypes");function Xb(e,t){if(t.length){if(!e.dataTypes.length){e.dataTypes=t;return}t.forEach(r=>{sm(e.dataTypes,r)||zc(e,`type "${r}" not allowed by context "${e.dataTypes.join(",")}"`)}),rR(e,t)}}o(Xb,"checkContextTypes");function Qb(e,t){t.length>1&&!(t.length===2&&t.includes("null"))&&zc(e,"use allowUnionTypes to allow union type keyword")}o(Qb,"checkMultipleTypes");function eR(e,t){let r=e.self.RULES.all;for(let n in r){let a=r[n];if(typeof a=="object"&&(0,$c.shouldUseRule)(e.schema,a)){let{type:s}=a.definition;s.length&&!s.some(i=>tR(t,i))&&zc(e,`missing type "${s.join(",")}" for keyword "${n}"`)}}}o(eR,"checkKeywordTypes");function tR(e,t){return e.includes(t)||t==="number"&&e.includes("integer")}o(tR,"hasApplicableType");function sm(e,t){return e.includes(t)||t==="integer"&&e.includes("number")}o(sm,"includesType");function rR(e,t){let r=[];for(let n of e.dataTypes)sm(t,n)?r.push(n):t.includes("integer")&&n==="number"&&r.push("integer");e.dataTypes=r}o(rR,"narrowSchemaTypes");function zc(e,t){let r=e.schemaEnv.baseId+e.errSchemaPath;t+=` at "${r}" (strictTypes)`,(0,Ut.checkStrictMode)(e,t,e.opts.strictTypes)}o(zc,"strictTypesError");var Pa=class{static{o(this,"KeywordCxt")}constructor(t,r,n){if((0,oo.validateKeywordUsage)(t,r,n),this.gen=t.gen,this.allErrors=t.allErrors,this.keyword=n,this.data=t.data,this.schema=t.schema[n],this.$data=r.$data&&t.opts.$data&&this.schema&&this.schema.$data,this.schemaValue=(0,Ut.schemaRefOrVal)(t,this.schema,n,this.$data),this.schemaType=r.schemaType,this.parentSchema=t.schema,this.params={},this.it=t,this.def=r,this.$data)this.schemaCode=t.gen.const("vSchema",cm(this.$data,t));else if(this.schemaCode=this.schemaValue,!(0,oo.validSchemaType)(this.schema,r.schemaType,r.allowUndefined))throw new Error(`${n} value must be ${JSON.stringify(r.schemaType)}`);("code"in r?r.trackErrors:r.errors!==!1)&&(this.errsCount=t.gen.const("_errs",N.default.errors))}result(t,r,n){this.failResult((0,x.not)(t),r,n)}failResult(t,r,n){this.gen.if(t),n?n():this.error(),r?(this.gen.else(),r(),this.allErrors&&this.gen.endIf()):this.allErrors?this.gen.endIf():this.gen.else()}pass(t,r){this.failResult((0,x.not)(t),void 0,r)}fail(t){if(t===void 0){this.error(),this.allErrors||this.gen.if(!1);return}this.gen.if(t),this.error(),this.allErrors?this.gen.endIf():this.gen.else()}fail$data(t){if(!this.$data)return this.fail(t);let{schemaCode:r}=this;this.fail((0,x._)`${r} !== undefined && (${(0,x.or)(this.invalid$data(),t)})`)}error(t,r,n){if(r){this.setParams(r),this._error(t,n),this.setParams({});return}this._error(t,n)}_error(t,r){(t?no.reportExtraError:no.reportError)(this,this.def.error,r)}$dataError(){(0,no.reportError)(this,this.def.$dataError||no.keyword$DataError)}reset(){if(this.errsCount===void 0)throw new Error('add "trackErrors" to keyword definition');(0,no.resetErrorsCount)(this.gen,this.errsCount)}ok(t){this.allErrors||this.gen.if(t)}setParams(t,r){r?Object.assign(this.params,t):this.params=t}block$data(t,r,n=x.nil){this.gen.block(()=>{this.check$data(t,n),r()})}check$data(t=x.nil,r=x.nil){if(!this.$data)return;let{gen:n,schemaCode:a,schemaType:s,def:i}=this;n.if((0,x.or)((0,x._)`${a} === undefined`,r)),t!==x.nil&&n.assign(t,!0),(s.length||i.validateSchema)&&(n.elseIf(this.invalid$data()),this.$dataError(),t!==x.nil&&n.assign(t,!1)),n.else()}invalid$data(){let{gen:t,schemaCode:r,schemaType:n,def:a,it:s}=this;return(0,x.or)(i(),c());function i(){if(n.length){if(!(r instanceof x.Name))throw new Error("ajv implementation error");let d=Array.isArray(n)?n:[n];return(0,x._)`${(0,Aa.checkDataTypes)(d,r,s.opts.strictNumbers,Aa.DataType.Wrong)}`}return x.nil}function c(){if(a.validateSchema){let d=t.scopeValue("validate$data",{ref:a.validateSchema});return(0,x._)`!${d}(${r})`}return x.nil}}subschema(t,r){let n=(0,Nc.getSubschema)(this.it,t);(0,Nc.extendSubschemaData)(n,this.it,t),(0,Nc.extendSubschemaMode)(n,t);let a={...this.it,...n,items:void 0,props:void 0};return Gb(a,r),a}mergeEvaluated(t,r){let{it:n,gen:a}=this;n.opts.unevaluated&&(n.props!==!0&&t.props!==void 0&&(n.props=Ut.mergeEvaluated.props(a,t.props,n.props,r)),n.items!==!0&&t.items!==void 0&&(n.items=Ut.mergeEvaluated.items(a,t.items,n.items,r)))}mergeValidEvaluated(t,r){let{it:n,gen:a}=this;if(n.opts.unevaluated&&(n.props!==!0||n.items!==!0))return a.if(r,()=>this.mergeEvaluated(t,x.Name)),!0}};rr.KeywordCxt=Pa;function im(e,t,r,n){let a=new Pa(e,r,t);"code"in r?r.code(a,n):a.$data&&r.validate?(0,oo.funcKeywordCode)(a,r):"macro"in r?(0,oo.macroKeywordCode)(a,r):(r.compile||r.validate)&&(0,oo.funcKeywordCode)(a,r)}o(im,"keywordCode");var nR=/^\/(?:[^~]|~0|~1)*$/,oR=/^([0-9]+)(#|\/(?:[^~]|~0|~1)*)?$/;function cm(e,{dataLevel:t,dataNames:r,dataPathArr:n}){let a,s;if(e==="")return N.default.rootData;if(e[0]==="/"){if(!nR.test(e))throw new Error(`Invalid JSON-pointer: ${e}`);a=e,s=N.default.rootData}else{let p=oR.exec(e);if(!p)throw new Error(`Invalid JSON-pointer: ${e}`);let l=+p[1];if(a=p[2],a==="#"){if(l>=t)throw new Error(d("property/index",l));return n[t-l]}if(l>t)throw new Error(d("data",l));if(s=r[t-l],!a)return s}let i=s,c=a.split("/");for(let p of c)p&&(s=(0,x._)`${s}${(0,x.getProperty)((0,Ut.unescapeJsonPointer)(p))}`,i=(0,x._)`${i} && ${s}`);return i;function d(p,l){return`Cannot access ${p} ${l} levels up, current level is ${t}`}}o(cm,"getData");rr.getData=cm});var xa=C(Dc=>{"use strict";Object.defineProperty(Dc,"__esModule",{value:!0});var Mc=class extends Error{static{o(this,"ValidationError")}constructor(t){super("validation failed"),this.errors=t,this.ajv=this.validation=!0}};Dc.default=Mc});var so=C(jc=>{"use strict";Object.defineProperty(jc,"__esModule",{value:!0});var qc=ro(),Lc=class extends Error{static{o(this,"MissingRefError")}constructor(t,r,n,a){super(a||`can't resolve reference ${n} from id ${r}`),this.missingRef=(0,qc.resolveUrl)(t,r,n),this.missingSchema=(0,qc.normalizeId)((0,qc.getFullPath)(t,this.missingRef))}};jc.default=Lc});var Oa=C(Xe=>{"use strict";Object.defineProperty(Xe,"__esModule",{value:!0});Xe.resolveSchema=Xe.getCompilingSchema=Xe.resolveRef=Xe.compileSchema=Xe.SchemaEnv=void 0;var at=D(),aR=xa(),Rr=Ot(),st=ro(),um=Z(),sR=ao(),en=class{static{o(this,"SchemaEnv")}constructor(t){var r;this.refs={},this.dynamicAnchors={};let n;typeof t.schema=="object"&&(n=t.schema),this.schema=t.schema,this.schemaId=t.schemaId,this.root=t.root||this,this.baseId=(r=t.baseId)!==null&&r!==void 0?r:(0,st.normalizeId)(n?.[t.schemaId||"$id"]),this.schemaPath=t.schemaPath,this.localRefs=t.localRefs,this.meta=t.meta,this.$async=n?.$async,this.refs={}}};Xe.SchemaEnv=en;function Gc(e){let t=dm.call(this,e);if(t)return t;let r=(0,st.getFullPath)(this.opts.uriResolver,e.root.baseId),{es5:n,lines:a}=this.opts.code,{ownProperties:s}=this.opts,i=new at.CodeGen(this.scope,{es5:n,lines:a,ownProperties:s}),c;e.$async&&(c=i.scopeValue("Error",{ref:aR.default,code:(0,at._)`require("ajv/dist/runtime/validation_error").default`}));let d=i.scopeName("validate");e.validateName=d;let p={gen:i,allErrors:this.opts.allErrors,data:Rr.default.data,parentData:Rr.default.parentData,parentDataProperty:Rr.default.parentDataProperty,dataNames:[Rr.default.data],dataPathArr:[at.nil],dataLevel:0,dataTypes:[],definedProperties:new Set,topSchemaRef:i.scopeValue("schema",this.opts.code.source===!0?{ref:e.schema,code:(0,at.stringify)(e.schema)}:{ref:e.schema}),validateName:d,ValidationError:c,schema:e.schema,schemaEnv:e,rootId:r,baseId:e.baseId||r,schemaPath:at.nil,errSchemaPath:e.schemaPath||(this.opts.jtd?"":"#"),errorPath:(0,at._)`""`,opts:this.opts,self:this},l;try{this._compilations.add(e),(0,sR.validateFunctionCode)(p),i.optimize(this.opts.code.optimize);let m=i.toString();l=`${i.scopeRefs(Rr.default.scope)}return ${m}`,this.opts.code.process&&(l=this.opts.code.process(l,e));let _=new Function(`${Rr.default.self}`,`${Rr.default.scope}`,l)(this,this.scope.get());if(this.scope.value(d,{ref:_}),_.errors=null,_.schema=e.schema,_.schemaEnv=e,e.$async&&(_.$async=!0),this.opts.code.source===!0&&(_.source={validateName:d,validateCode:m,scopeValues:i._values}),this.opts.unevaluated){let{props:w,items:y}=p;_.evaluated={props:w instanceof at.Name?void 0:w,items:y instanceof at.Name?void 0:y,dynamicProps:w instanceof at.Name,dynamicItems:y instanceof at.Name},_.source&&(_.source.evaluated=(0,at.stringify)(_.evaluated))}return e.validate=_,e}catch(m){throw delete e.validate,delete e.validateName,l&&this.logger.error("Error compiling schema, function code:",l),m}finally{this._compilations.delete(e)}}o(Gc,"compileSchema");Xe.compileSchema=Gc;function iR(e,t,r){var n;r=(0,st.resolveUrl)(this.opts.uriResolver,t,r);let a=e.refs[r];if(a)return a;let s=dR.call(this,e,r);if(s===void 0){let i=(n=e.localRefs)===null||n===void 0?void 0:n[r],{schemaId:c}=this.opts;i&&(s=new en({schema:i,schemaId:c,root:e,baseId:t}))}if(s!==void 0)return e.refs[r]=cR.call(this,s)}o(iR,"resolveRef");Xe.resolveRef=iR;function cR(e){return(0,st.inlineRef)(e.schema,this.opts.inlineRefs)?e.schema:e.validate?e:Gc.call(this,e)}o(cR,"inlineOrCompile");function dm(e){for(let t of this._compilations)if(uR(t,e))return t}o(dm,"getCompilingSchema");Xe.getCompilingSchema=dm;function uR(e,t){return e.schema===t.schema&&e.root===t.root&&e.baseId===t.baseId}o(uR,"sameSchemaEnv");function dR(e,t){let r;for(;typeof(r=this.refs[t])=="string";)t=r;return r||this.schemas[t]||ka.call(this,e,t)}o(dR,"resolve");function ka(e,t){let r=this.opts.uriResolver.parse(t),n=(0,st._getFullPath)(this.opts.uriResolver,r),a=(0,st.getFullPath)(this.opts.uriResolver,e.baseId,void 0);if(Object.keys(e.schema).length>0&&n===a)return Hc.call(this,r,e);let s=(0,st.normalizeId)(n),i=this.refs[s]||this.schemas[s];if(typeof i=="string"){let c=ka.call(this,e,i);return typeof c?.schema!="object"?void 0:Hc.call(this,r,c)}if(typeof i?.schema=="object"){if(i.validate||Gc.call(this,i),s===(0,st.normalizeId)(t)){let{schema:c}=i,{schemaId:d}=this.opts,p=c[d];return p&&(a=(0,st.resolveUrl)(this.opts.uriResolver,a,p)),new en({schema:c,schemaId:d,root:e,baseId:a})}return Hc.call(this,r,i)}}o(ka,"resolveSchema");Xe.resolveSchema=ka;var lR=new Set(["properties","patternProperties","enum","dependencies","definitions"]);function Hc(e,{baseId:t,schema:r,root:n}){var a;if(((a=e.fragment)===null||a===void 0?void 0:a[0])!=="/")return;for(let c of e.fragment.slice(1).split("/")){if(typeof r=="boolean")return;let d=r[(0,um.unescapeFragment)(c)];if(d===void 0)return;r=d;let p=typeof r=="object"&&r[this.opts.schemaId];!lR.has(c)&&p&&(t=(0,st.resolveUrl)(this.opts.uriResolver,t,p))}let s;if(typeof r!="boolean"&&r.$ref&&!(0,um.schemaHasRulesButRef)(r,this.RULES)){let c=(0,st.resolveUrl)(this.opts.uriResolver,t,r.$ref);s=ka.call(this,n,c)}let{schemaId:i}=this.opts;if(s=s||new en({schema:r,schemaId:i,root:n,baseId:t}),s.schema!==s.root.schema)return s}o(Hc,"getJsonPointer")});var lm=C((CL,pR)=>{pR.exports={$id:"https://raw.githubusercontent.com/ajv-validator/ajv/master/lib/refs/data.json#",description:"Meta-schema for $data reference (JSON AnySchema extension proposal)",type:"object",required:["$data"],properties:{$data:{type:"string",anyOf:[{format:"relative-json-pointer"},{format:"json-pointer"}]}},additionalProperties:!1}});var Vc=C((EL,hm)=>{"use strict";var mR=RegExp.prototype.test.bind(/^[\da-f]{8}-[\da-f]{4}-[\da-f]{4}-[\da-f]{4}-[\da-f]{12}$/iu),mm=RegExp.prototype.test.bind(/^(?:(?:25[0-5]|2[0-4]\d|1\d{2}|[1-9]\d|\d)\.){3}(?:25[0-5]|2[0-4]\d|1\d{2}|[1-9]\d|\d)$/u);function Bc(e){let t="",r=0,n=0;for(n=0;n<e.length;n++)if(r=e[n].charCodeAt(0),r!==48){if(!(r>=48&&r<=57||r>=65&&r<=70||r>=97&&r<=102))return"";t+=e[n];break}for(n+=1;n<e.length;n++){if(r=e[n].charCodeAt(0),!(r>=48&&r<=57||r>=65&&r<=70||r>=97&&r<=102))return"";t+=e[n]}return t}o(Bc,"stringArrayToHexStripped");var fR=RegExp.prototype.test.bind(/[^!"$&'()*+,\-.;=_`a-z{}~]/u);function pm(e){return e.length=0,!0}o(pm,"consumeIsZone");function hR(e,t,r){if(e.length){let n=Bc(e);if(n!=="")t.push(n);else return r.error=!0,!1;e.length=0}return!0}o(hR,"consumeHextets");function gR(e){let t=0,r={error:!1,address:"",zone:""},n=[],a=[],s=!1,i=!1,c=hR;for(let d=0;d<e.length;d++){let p=e[d];if(!(p==="["||p==="]"))if(p===":"){if(s===!0&&(i=!0),!c(a,n,r))break;if(++t>7){r.error=!0;break}d>0&&e[d-1]===":"&&(s=!0),n.push(":");continue}else if(p==="%"){if(!c(a,n,r))break;c=pm}else{a.push(p);continue}}return a.length&&(c===pm?r.zone=a.join(""):i?n.push(a.join("")):n.push(Bc(a))),r.address=n.join(""),r}o(gR,"getIPV6");function fm(e){if(_R(e,":")<2)return{host:e,isIPV6:!1};let t=gR(e);if(t.error)return{host:e,isIPV6:!1};{let r=t.address,n=t.address;return t.zone&&(r+="%"+t.zone,n+="%25"+t.zone),{host:r,isIPV6:!0,escapedHost:n}}}o(fm,"normalizeIPv6");function _R(e,t){let r=0;for(let n=0;n<e.length;n++)e[n]===t&&r++;return r}o(_R,"findToken");function yR(e){let t=e,r=[],n=-1,a=0;for(;a=t.length;){if(a===1){if(t===".")break;if(t==="/"){r.push("/");break}else{r.push(t);break}}else if(a===2){if(t[0]==="."){if(t[1]===".")break;if(t[1]==="/"){t=t.slice(2);continue}}else if(t[0]==="/"&&(t[1]==="."||t[1]==="/")){r.push("/");break}}else if(a===3&&t==="/.."){r.length!==0&&r.pop(),r.push("/");break}if(t[0]==="."){if(t[1]==="."){if(t[2]==="/"){t=t.slice(3);continue}}else if(t[1]==="/"){t=t.slice(2);continue}}else if(t[0]==="/"&&t[1]==="."){if(t[2]==="/"){t=t.slice(2);continue}else if(t[2]==="."&&t[3]==="/"){t=t.slice(3),r.length!==0&&r.pop();continue}}if((n=t.indexOf("/",1))===-1){r.push(t);break}else r.push(t.slice(0,n)),t=t.slice(n)}return r.join("")}o(yR,"removeDotSegments");function wR(e,t){let r=t!==!0?escape:unescape;return e.scheme!==void 0&&(e.scheme=r(e.scheme)),e.userinfo!==void 0&&(e.userinfo=r(e.userinfo)),e.host!==void 0&&(e.host=r(e.host)),e.path!==void 0&&(e.path=r(e.path)),e.query!==void 0&&(e.query=r(e.query)),e.fragment!==void 0&&(e.fragment=r(e.fragment)),e}o(wR,"normalizeComponentEncoding");function SR(e){let t=[];if(e.userinfo!==void 0&&(t.push(e.userinfo),t.push("@")),e.host!==void 0){let r=unescape(e.host);if(!mm(r)){let n=fm(r);n.isIPV6===!0?r=`[${n.escapedHost}]`:r=e.host}t.push(r)}return(typeof e.port=="number"||typeof e.port=="string")&&(t.push(":"),t.push(String(e.port))),t.length?t.join(""):void 0}o(SR,"recomposeAuthority");hm.exports={nonSimpleDomain:fR,recomposeAuthority:SR,normalizeComponentEncoding:wR,removeDotSegments:yR,isIPv4:mm,isUUID:mR,normalizeIPv6:fm,stringArrayToHexStripped:Bc}});var Sm=C((PL,wm)=>{"use strict";var{isUUID:vR}=Vc(),bR=/([\da-z][\d\-a-z]{0,31}):((?:[\w!$'()*+,\-.:;=@]|%[\da-f]{2})+)/iu,RR=["http","https","ws","wss","urn","urn:uuid"];function IR(e){return RR.indexOf(e)!==-1}o(IR,"isValidSchemeName");function Fc(e){return e.secure===!0?!0:e.secure===!1?!1:e.scheme?e.scheme.length===3&&(e.scheme[0]==="w"||e.scheme[0]==="W")&&(e.scheme[1]==="s"||e.scheme[1]==="S")&&(e.scheme[2]==="s"||e.scheme[2]==="S"):!1}o(Fc,"wsIsSecure");function gm(e){return e.host||(e.error=e.error||"HTTP URIs must have a host."),e}o(gm,"httpParse");function _m(e){let t=String(e.scheme).toLowerCase()==="https";return(e.port===(t?443:80)||e.port==="")&&(e.port=void 0),e.path||(e.path="/"),e}o(_m,"httpSerialize");function TR(e){return e.secure=Fc(e),e.resourceName=(e.path||"/")+(e.query?"?"+e.query:""),e.path=void 0,e.query=void 0,e}o(TR,"wsParse");function CR(e){if((e.port===(Fc(e)?443:80)||e.port==="")&&(e.port=void 0),typeof e.secure=="boolean"&&(e.scheme=e.secure?"wss":"ws",e.secure=void 0),e.resourceName){let[t,r]=e.resourceName.split("?");e.path=t&&t!=="/"?t:void 0,e.query=r,e.resourceName=void 0}return e.fragment=void 0,e}o(CR,"wsSerialize");function ER(e,t){if(!e.path)return e.error="URN can not be parsed",e;let r=e.path.match(bR);if(r){let n=t.scheme||e.scheme||"urn";e.nid=r[1].toLowerCase(),e.nss=r[2];let a=`${n}:${t.nid||e.nid}`,s=Zc(a);e.path=void 0,s&&(e=s.parse(e,t))}else e.error=e.error||"URN can not be parsed.";return e}o(ER,"urnParse");function AR(e,t){if(e.nid===void 0)throw new Error("URN without nid cannot be serialized");let r=t.scheme||e.scheme||"urn",n=e.nid.toLowerCase(),a=`${r}:${t.nid||n}`,s=Zc(a);s&&(e=s.serialize(e,t));let i=e,c=e.nss;return i.path=`${n||t.nid}:${c}`,t.skipEscape=!0,i}o(AR,"urnSerialize");function PR(e,t){let r=e;return r.uuid=r.nss,r.nss=void 0,!t.tolerant&&(!r.uuid||!vR(r.uuid))&&(r.error=r.error||"UUID is not valid."),r}o(PR,"urnuuidParse");function xR(e){let t=e;return t.nss=(e.uuid||"").toLowerCase(),t}o(xR,"urnuuidSerialize");var ym={scheme:"http",domainHost:!0,parse:gm,serialize:_m},kR={scheme:"https",domainHost:ym.domainHost,parse:gm,serialize:_m},Ua={scheme:"ws",domainHost:!0,parse:TR,serialize:CR},OR={scheme:"wss",domainHost:Ua.domainHost,parse:Ua.parse,serialize:Ua.serialize},UR={scheme:"urn",parse:ER,serialize:AR,skipNormalize:!0},NR={scheme:"urn:uuid",parse:PR,serialize:xR,skipNormalize:!0},Na={http:ym,https:kR,ws:Ua,wss:OR,urn:UR,"urn:uuid":NR};Object.setPrototypeOf(Na,null);function Zc(e){return e&&(Na[e]||Na[e.toLowerCase()])||void 0}o(Zc,"getSchemeHandler");wm.exports={wsIsSecure:Fc,SCHEMES:Na,isValidSchemeName:IR,getSchemeHandler:Zc}});var Rm=C((kL,za)=>{"use strict";var{normalizeIPv6:$R,removeDotSegments:io,recomposeAuthority:zR,normalizeComponentEncoding:$a,isIPv4:MR,nonSimpleDomain:DR}=Vc(),{SCHEMES:qR,getSchemeHandler:vm}=Sm();function LR(e,t){return typeof e=="string"?e=gt(Nt(e,t),t):typeof e=="object"&&(e=Nt(gt(e,t),t)),e}o(LR,"normalize");function jR(e,t,r){let n=r?Object.assign({scheme:"null"},r):{scheme:"null"},a=bm(Nt(e,n),Nt(t,n),n,!0);return n.skipEscape=!0,gt(a,n)}o(jR,"resolve");function bm(e,t,r,n){let a={};return n||(e=Nt(gt(e,r),r),t=Nt(gt(t,r),r)),r=r||{},!r.tolerant&&t.scheme?(a.scheme=t.scheme,a.userinfo=t.userinfo,a.host=t.host,a.port=t.port,a.path=io(t.path||""),a.query=t.query):(t.userinfo!==void 0||t.host!==void 0||t.port!==void 0?(a.userinfo=t.userinfo,a.host=t.host,a.port=t.port,a.path=io(t.path||""),a.query=t.query):(t.path?(t.path[0]==="/"?a.path=io(t.path):((e.userinfo!==void 0||e.host!==void 0||e.port!==void 0)&&!e.path?a.path="/"+t.path:e.path?a.path=e.path.slice(0,e.path.lastIndexOf("/")+1)+t.path:a.path=t.path,a.path=io(a.path)),a.query=t.query):(a.path=e.path,t.query!==void 0?a.query=t.query:a.query=e.query),a.userinfo=e.userinfo,a.host=e.host,a.port=e.port),a.scheme=e.scheme),a.fragment=t.fragment,a}o(bm,"resolveComponent");function HR(e,t,r){return typeof e=="string"?(e=unescape(e),e=gt($a(Nt(e,r),!0),{...r,skipEscape:!0})):typeof e=="object"&&(e=gt($a(e,!0),{...r,skipEscape:!0})),typeof t=="string"?(t=unescape(t),t=gt($a(Nt(t,r),!0),{...r,skipEscape:!0})):typeof t=="object"&&(t=gt($a(t,!0),{...r,skipEscape:!0})),e.toLowerCase()===t.toLowerCase()}o(HR,"equal");function gt(e,t){let r={host:e.host,scheme:e.scheme,userinfo:e.userinfo,port:e.port,path:e.path,query:e.query,nid:e.nid,nss:e.nss,uuid:e.uuid,fragment:e.fragment,reference:e.reference,resourceName:e.resourceName,secure:e.secure,error:""},n=Object.assign({},t),a=[],s=vm(n.scheme||r.scheme);s&&s.serialize&&s.serialize(r,n),r.path!==void 0&&(n.skipEscape?r.path=unescape(r.path):(r.path=escape(r.path),r.scheme!==void 0&&(r.path=r.path.split("%3A").join(":")))),n.reference!=="suffix"&&r.scheme&&a.push(r.scheme,":");let i=zR(r);if(i!==void 0&&(n.reference!=="suffix"&&a.push("//"),a.push(i),r.path&&r.path[0]!=="/"&&a.push("/")),r.path!==void 0){let c=r.path;!n.absolutePath&&(!s||!s.absolutePath)&&(c=io(c)),i===void 0&&c[0]==="/"&&c[1]==="/"&&(c="/%2F"+c.slice(2)),a.push(c)}return r.query!==void 0&&a.push("?",r.query),r.fragment!==void 0&&a.push("#",r.fragment),a.join("")}o(gt,"serialize");var GR=/^(?:([^#/:?]+):)?(?:\/\/((?:([^#/?@]*)@)?(\[[^#/?\]]+\]|[^#/:?]*)(?::(\d*))?))?([^#?]*)(?:\?([^#]*))?(?:#((?:.|[\n\r])*))?/u;function Nt(e,t){let r=Object.assign({},t),n={scheme:void 0,userinfo:void 0,host:"",port:void 0,path:"",query:void 0,fragment:void 0},a=!1;r.reference==="suffix"&&(r.scheme?e=r.scheme+":"+e:e="//"+e);let s=e.match(GR);if(s){if(n.scheme=s[1],n.userinfo=s[3],n.host=s[4],n.port=parseInt(s[5],10),n.path=s[6]||"",n.query=s[7],n.fragment=s[8],isNaN(n.port)&&(n.port=s[5]),n.host)if(MR(n.host)===!1){let d=$R(n.host);n.host=d.host.toLowerCase(),a=d.isIPV6}else a=!0;n.scheme===void 0&&n.userinfo===void 0&&n.host===void 0&&n.port===void 0&&n.query===void 0&&!n.path?n.reference="same-document":n.scheme===void 0?n.reference="relative":n.fragment===void 0?n.reference="absolute":n.reference="uri",r.reference&&r.reference!=="suffix"&&r.reference!==n.reference&&(n.error=n.error||"URI is not a "+r.reference+" reference.");let i=vm(r.scheme||n.scheme);if(!r.unicodeSupport&&(!i||!i.unicodeSupport)&&n.host&&(r.domainHost||i&&i.domainHost)&&a===!1&&DR(n.host))try{n.host=URL.domainToASCII(n.host.toLowerCase())}catch(c){n.error=n.error||"Host's domain name can not be converted to ASCII: "+c}(!i||i&&!i.skipNormalize)&&(e.indexOf("%")!==-1&&(n.scheme!==void 0&&(n.scheme=unescape(n.scheme)),n.host!==void 0&&(n.host=unescape(n.host))),n.path&&(n.path=escape(unescape(n.path))),n.fragment&&(n.fragment=encodeURI(decodeURIComponent(n.fragment)))),i&&i.parse&&i.parse(n,r)}else n.error=n.error||"URI can not be parsed.";return n}o(Nt,"parse");var Kc={SCHEMES:qR,normalize:LR,resolve:jR,resolveComponent:bm,equal:HR,serialize:gt,parse:Nt};za.exports=Kc;za.exports.default=Kc;za.exports.fastUri=Kc});var Tm=C(Wc=>{"use strict";Object.defineProperty(Wc,"__esModule",{value:!0});var Im=Rm();Im.code='require("ajv/dist/runtime/uri").default';Wc.default=Im});var Um=C(ve=>{"use strict";Object.defineProperty(ve,"__esModule",{value:!0});ve.CodeGen=ve.Name=ve.nil=ve.stringify=ve.str=ve._=ve.KeywordCxt=void 0;var BR=ao();Object.defineProperty(ve,"KeywordCxt",{enumerable:!0,get:o(function(){return BR.KeywordCxt},"get")});var tn=D();Object.defineProperty(ve,"_",{enumerable:!0,get:o(function(){return tn._},"get")});Object.defineProperty(ve,"str",{enumerable:!0,get:o(function(){return tn.str},"get")});Object.defineProperty(ve,"stringify",{enumerable:!0,get:o(function(){return tn.stringify},"get")});Object.defineProperty(ve,"nil",{enumerable:!0,get:o(function(){return tn.nil},"get")});Object.defineProperty(ve,"Name",{enumerable:!0,get:o(function(){return tn.Name},"get")});Object.defineProperty(ve,"CodeGen",{enumerable:!0,get:o(function(){return tn.CodeGen},"get")});var VR=xa(),xm=so(),FR=Ic(),co=Oa(),ZR=D(),uo=ro(),Ma=to(),Yc=Z(),Cm=lm(),KR=Tm(),km=o((e,t)=>new RegExp(e,t),"defaultRegExp");km.code="new RegExp";var WR=["removeAdditional","useDefaults","coerceTypes"],JR=new Set(["validate","serialize","parse","wrapper","root","schema","keyword","pattern","formats","validate$data","func","obj","Error"]),YR={errorDataPath:"",format:"`validateFormats: false` can be used instead.",nullable:'"nullable" keyword is supported by default.',jsonPointers:"Deprecated jsPropertySyntax can be used instead.",extendRefs:"Deprecated ignoreKeywordsWithRef can be used instead.",missingRefs:"Pass empty schema with $id that should be ignored to ajv.addSchema.",processCode:"Use option `code: {process: (code, schemaEnv: object) => string}`",sourceCode:"Use option `code: {source: true}`",strictDefaults:"It is default now, see option `strict`.",strictKeywords:"It is default now, see option `strict`.",uniqueItems:'"uniqueItems" keyword is always validated.',unknownFormats:"Disable strict mode or pass `true` to `ajv.addFormat` (or `formats` option).",cache:"Map is used as cache, schema object as key.",serialize:"Map is used as cache, schema object as key.",ajvErrors:"It is default now."},XR={ignoreKeywordsWithRef:"",jsPropertySyntax:"",unicode:'"minLength"/"maxLength" account for unicode characters by default.'},Em=200;function QR(e){var t,r,n,a,s,i,c,d,p,l,m,h,_,w,y,S,v,b,T,U,$,Be,It,gi,_i;let Un=e.strict,yi=(t=e.code)===null||t===void 0?void 0:t.optimize,Dl=yi===!0||yi===void 0?1:yi||0,ql=(n=(r=e.code)===null||r===void 0?void 0:r.regExp)!==null&&n!==void 0?n:km,Pw=(a=e.uriResolver)!==null&&a!==void 0?a:KR.default;return{strictSchema:(i=(s=e.strictSchema)!==null&&s!==void 0?s:Un)!==null&&i!==void 0?i:!0,strictNumbers:(d=(c=e.strictNumbers)!==null&&c!==void 0?c:Un)!==null&&d!==void 0?d:!0,strictTypes:(l=(p=e.strictTypes)!==null&&p!==void 0?p:Un)!==null&&l!==void 0?l:"log",strictTuples:(h=(m=e.strictTuples)!==null&&m!==void 0?m:Un)!==null&&h!==void 0?h:"log",strictRequired:(w=(_=e.strictRequired)!==null&&_!==void 0?_:Un)!==null&&w!==void 0?w:!1,code:e.code?{...e.code,optimize:Dl,regExp:ql}:{optimize:Dl,regExp:ql},loopRequired:(y=e.loopRequired)!==null&&y!==void 0?y:Em,loopEnum:(S=e.loopEnum)!==null&&S!==void 0?S:Em,meta:(v=e.meta)!==null&&v!==void 0?v:!0,messages:(b=e.messages)!==null&&b!==void 0?b:!0,inlineRefs:(T=e.inlineRefs)!==null&&T!==void 0?T:!0,schemaId:(U=e.schemaId)!==null&&U!==void 0?U:"$id",addUsedSchema:($=e.addUsedSchema)!==null&&$!==void 0?$:!0,validateSchema:(Be=e.validateSchema)!==null&&Be!==void 0?Be:!0,validateFormats:(It=e.validateFormats)!==null&&It!==void 0?It:!0,unicodeRegExp:(gi=e.unicodeRegExp)!==null&&gi!==void 0?gi:!0,int32range:(_i=e.int32range)!==null&&_i!==void 0?_i:!0,uriResolver:Pw}}o(QR,"requiredOptions");var lo=class{static{o(this,"Ajv")}constructor(t={}){this.schemas={},this.refs={},this.formats={},this._compilations=new Set,this._loading={},this._cache=new Map,t=this.opts={...t,...QR(t)};let{es5:r,lines:n}=this.opts.code;this.scope=new ZR.ValueScope({scope:{},prefixes:JR,es5:r,lines:n}),this.logger=aI(t.logger);let a=t.validateFormats;t.validateFormats=!1,this.RULES=(0,FR.getRules)(),Am.call(this,YR,t,"NOT SUPPORTED"),Am.call(this,XR,t,"DEPRECATED","warn"),this._metaOpts=nI.call(this),t.formats&&tI.call(this),this._addVocabularies(),this._addDefaultMetaSchema(),t.keywords&&rI.call(this,t.keywords),typeof t.meta=="object"&&this.addMetaSchema(t.meta),eI.call(this),t.validateFormats=a}_addVocabularies(){this.addKeyword("$async")}_addDefaultMetaSchema(){let{$data:t,meta:r,schemaId:n}=this.opts,a=Cm;n==="id"&&(a={...Cm},a.id=a.$id,delete a.$id),r&&t&&this.addMetaSchema(a,a[n],!1)}defaultMeta(){let{meta:t,schemaId:r}=this.opts;return this.opts.defaultMeta=typeof t=="object"?t[r]||t:void 0}validate(t,r){let n;if(typeof t=="string"){if(n=this.getSchema(t),!n)throw new Error(`no schema with key or ref "${t}"`)}else n=this.compile(t);let a=n(r);return"$async"in n||(this.errors=n.errors),a}compile(t,r){let n=this._addSchema(t,r);return n.validate||this._compileSchemaEnv(n)}compileAsync(t,r){if(typeof this.opts.loadSchema!="function")throw new Error("options.loadSchema should be a function");let{loadSchema:n}=this.opts;return a.call(this,t,r);async function a(l,m){await s.call(this,l.$schema);let h=this._addSchema(l,m);return h.validate||i.call(this,h)}async function s(l){l&&!this.getSchema(l)&&await a.call(this,{$ref:l},!0)}async function i(l){try{return this._compileSchemaEnv(l)}catch(m){if(!(m instanceof xm.default))throw m;return c.call(this,m),await d.call(this,m.missingSchema),i.call(this,l)}}function c({missingSchema:l,missingRef:m}){if(this.refs[l])throw new Error(`AnySchema ${l} is loaded but ${m} cannot be resolved`)}async function d(l){let m=await p.call(this,l);this.refs[l]||await s.call(this,m.$schema),this.refs[l]||this.addSchema(m,l,r)}async function p(l){let m=this._loading[l];if(m)return m;try{return await(this._loading[l]=n(l))}finally{delete this._loading[l]}}}addSchema(t,r,n,a=this.opts.validateSchema){if(Array.isArray(t)){for(let i of t)this.addSchema(i,void 0,n,a);return this}let s;if(typeof t=="object"){let{schemaId:i}=this.opts;if(s=t[i],s!==void 0&&typeof s!="string")throw new Error(`schema ${i} must be string`)}return r=(0,uo.normalizeId)(r||s),this._checkUnique(r),this.schemas[r]=this._addSchema(t,n,r,a,!0),this}addMetaSchema(t,r,n=this.opts.validateSchema){return this.addSchema(t,r,!0,n),this}validateSchema(t,r){if(typeof t=="boolean")return!0;let n;if(n=t.$schema,n!==void 0&&typeof n!="string")throw new Error("$schema must be a string");if(n=n||this.opts.defaultMeta||this.defaultMeta(),!n)return this.logger.warn("meta-schema not available"),this.errors=null,!0;let a=this.validate(n,t);if(!a&&r){let s="schema is invalid: "+this.errorsText();if(this.opts.validateSchema==="log")this.logger.error(s);else throw new Error(s)}return a}getSchema(t){let r;for(;typeof(r=Pm.call(this,t))=="string";)t=r;if(r===void 0){let{schemaId:n}=this.opts,a=new co.SchemaEnv({schema:{},schemaId:n});if(r=co.resolveSchema.call(this,a,t),!r)return;this.refs[t]=r}return r.validate||this._compileSchemaEnv(r)}removeSchema(t){if(t instanceof RegExp)return this._removeAllSchemas(this.schemas,t),this._removeAllSchemas(this.refs,t),this;switch(typeof t){case"undefined":return this._removeAllSchemas(this.schemas),this._removeAllSchemas(this.refs),this._cache.clear(),this;case"string":{let r=Pm.call(this,t);return typeof r=="object"&&this._cache.delete(r.schema),delete this.schemas[t],delete this.refs[t],this}case"object":{let r=t;this._cache.delete(r);let n=t[this.opts.schemaId];return n&&(n=(0,uo.normalizeId)(n),delete this.schemas[n],delete this.refs[n]),this}default:throw new Error("ajv.removeSchema: invalid parameter")}}addVocabulary(t){for(let r of t)this.addKeyword(r);return this}addKeyword(t,r){let n;if(typeof t=="string")n=t,typeof r=="object"&&(this.logger.warn("these parameters are deprecated, see docs for addKeyword"),r.keyword=n);else if(typeof t=="object"&&r===void 0){if(r=t,n=r.keyword,Array.isArray(n)&&!n.length)throw new Error("addKeywords: keyword must be string or non-empty array")}else throw new Error("invalid addKeywords parameters");if(iI.call(this,n,r),!r)return(0,Yc.eachItem)(n,s=>Jc.call(this,s)),this;uI.call(this,r);let a={...r,type:(0,Ma.getJSONTypes)(r.type),schemaType:(0,Ma.getJSONTypes)(r.schemaType)};return(0,Yc.eachItem)(n,a.type.length===0?s=>Jc.call(this,s,a):s=>a.type.forEach(i=>Jc.call(this,s,a,i))),this}getKeyword(t){let r=this.RULES.all[t];return typeof r=="object"?r.definition:!!r}removeKeyword(t){let{RULES:r}=this;delete r.keywords[t],delete r.all[t];for(let n of r.rules){let a=n.rules.findIndex(s=>s.keyword===t);a>=0&&n.rules.splice(a,1)}return this}addFormat(t,r){return typeof r=="string"&&(r=new RegExp(r)),this.formats[t]=r,this}errorsText(t=this.errors,{separator:r=", ",dataVar:n="data"}={}){return!t||t.length===0?"No errors":t.map(a=>`${n}${a.instancePath} ${a.message}`).reduce((a,s)=>a+r+s)}$dataMetaSchema(t,r){let n=this.RULES.all;t=JSON.parse(JSON.stringify(t));for(let a of r){let s=a.split("/").slice(1),i=t;for(let c of s)i=i[c];for(let c in n){let d=n[c];if(typeof d!="object")continue;let{$data:p}=d.definition,l=i[c];p&&l&&(i[c]=Om(l))}}return t}_removeAllSchemas(t,r){for(let n in t){let a=t[n];(!r||r.test(n))&&(typeof a=="string"?delete t[n]:a&&!a.meta&&(this._cache.delete(a.schema),delete t[n]))}}_addSchema(t,r,n,a=this.opts.validateSchema,s=this.opts.addUsedSchema){let i,{schemaId:c}=this.opts;if(typeof t=="object")i=t[c];else{if(this.opts.jtd)throw new Error("schema must be object");if(typeof t!="boolean")throw new Error("schema must be object or boolean")}let d=this._cache.get(t);if(d!==void 0)return d;n=(0,uo.normalizeId)(i||n);let p=uo.getSchemaRefs.call(this,t,n);return d=new co.SchemaEnv({schema:t,schemaId:c,meta:r,baseId:n,localRefs:p}),this._cache.set(d.schema,d),s&&!n.startsWith("#")&&(n&&this._checkUnique(n),this.refs[n]=d),a&&this.validateSchema(t,!0),d}_checkUnique(t){if(this.schemas[t]||this.refs[t])throw new Error(`schema with key or id "${t}" already exists`)}_compileSchemaEnv(t){if(t.meta?this._compileMetaSchema(t):co.compileSchema.call(this,t),!t.validate)throw new Error("ajv implementation error");return t.validate}_compileMetaSchema(t){let r=this.opts;this.opts=this._metaOpts;try{co.compileSchema.call(this,t)}finally{this.opts=r}}};lo.ValidationError=VR.default;lo.MissingRefError=xm.default;ve.default=lo;function Am(e,t,r,n="error"){for(let a in e){let s=a;s in t&&this.logger[n](`${r}: option ${a}. ${e[s]}`)}}o(Am,"checkOptions");function Pm(e){return e=(0,uo.normalizeId)(e),this.schemas[e]||this.refs[e]}o(Pm,"getSchEnv");function eI(){let e=this.opts.schemas;if(e)if(Array.isArray(e))this.addSchema(e);else for(let t in e)this.addSchema(e[t],t)}o(eI,"addInitialSchemas");function tI(){for(let e in this.opts.formats){let t=this.opts.formats[e];t&&this.addFormat(e,t)}}o(tI,"addInitialFormats");function rI(e){if(Array.isArray(e)){this.addVocabulary(e);return}this.logger.warn("keywords option as map is deprecated, pass array");for(let t in e){let r=e[t];r.keyword||(r.keyword=t),this.addKeyword(r)}}o(rI,"addInitialKeywords");function nI(){let e={...this.opts};for(let t of WR)delete e[t];return e}o(nI,"getMetaSchemaOptions");var oI={log(){},warn(){},error(){}};function aI(e){if(e===!1)return oI;if(e===void 0)return console;if(e.log&&e.warn&&e.error)return e;throw new Error("logger must implement log, warn and error methods")}o(aI,"getLogger");var sI=/^[a-z_$][a-z0-9_$:-]*$/i;function iI(e,t){let{RULES:r}=this;if((0,Yc.eachItem)(e,n=>{if(r.keywords[n])throw new Error(`Keyword ${n} is already defined`);if(!sI.test(n))throw new Error(`Keyword ${n} has invalid name`)}),!!t&&t.$data&&!("code"in t||"validate"in t))throw new Error('$data keyword must have "code" or "validate" function')}o(iI,"checkKeyword");function Jc(e,t,r){var n;let a=t?.post;if(r&&a)throw new Error('keyword with "post" flag cannot have "type"');let{RULES:s}=this,i=a?s.post:s.rules.find(({type:d})=>d===r);if(i||(i={type:r,rules:[]},s.rules.push(i)),s.keywords[e]=!0,!t)return;let c={keyword:e,definition:{...t,type:(0,Ma.getJSONTypes)(t.type),schemaType:(0,Ma.getJSONTypes)(t.schemaType)}};t.before?cI.call(this,i,c,t.before):i.rules.push(c),s.all[e]=c,(n=t.implements)===null||n===void 0||n.forEach(d=>this.addKeyword(d))}o(Jc,"addRule");function cI(e,t,r){let n=e.rules.findIndex(a=>a.keyword===r);n>=0?e.rules.splice(n,0,t):(e.rules.push(t),this.logger.warn(`rule ${r} is not defined`))}o(cI,"addBeforeRule");function uI(e){let{metaSchema:t}=e;t!==void 0&&(e.$data&&this.opts.$data&&(t=Om(t)),e.validateSchema=this.compile(t,!0))}o(uI,"keywordMetaschema");var dI={$ref:"https://raw.githubusercontent.com/ajv-validator/ajv/master/lib/refs/data.json#"};function Om(e){return{anyOf:[e,dI]}}o(Om,"schemaOrData")});var Nm=C(Xc=>{"use strict";Object.defineProperty(Xc,"__esModule",{value:!0});var lI={keyword:"id",code(){throw new Error('NOT SUPPORTED: keyword "id", use "$id" for schema ID')}};Xc.default=lI});var Dm=C(Ir=>{"use strict";Object.defineProperty(Ir,"__esModule",{value:!0});Ir.callRef=Ir.getValidate=void 0;var pI=so(),$m=Ye(),qe=D(),rn=Ot(),zm=Oa(),Da=Z(),mI={keyword:"$ref",schemaType:"string",code(e){let{gen:t,schema:r,it:n}=e,{baseId:a,schemaEnv:s,validateName:i,opts:c,self:d}=n,{root:p}=s;if((r==="#"||r==="#/")&&a===p.baseId)return m();let l=zm.resolveRef.call(d,p,a,r);if(l===void 0)throw new pI.default(n.opts.uriResolver,a,r);if(l instanceof zm.SchemaEnv)return h(l);return _(l);function m(){if(s===p)return qa(e,i,s,s.$async);let w=t.scopeValue("root",{ref:p});return qa(e,(0,qe._)`${w}.validate`,p,p.$async)}function h(w){let y=Mm(e,w);qa(e,y,w,w.$async)}function _(w){let y=t.scopeValue("schema",c.code.source===!0?{ref:w,code:(0,qe.stringify)(w)}:{ref:w}),S=t.name("valid"),v=e.subschema({schema:w,dataTypes:[],schemaPath:qe.nil,topSchemaRef:y,errSchemaPath:r},S);e.mergeEvaluated(v),e.ok(S)}}};function Mm(e,t){let{gen:r}=e;return t.validate?r.scopeValue("validate",{ref:t.validate}):(0,qe._)`${r.scopeValue("wrapper",{ref:t})}.validate`}o(Mm,"getValidate");Ir.getValidate=Mm;function qa(e,t,r,n){let{gen:a,it:s}=e,{allErrors:i,schemaEnv:c,opts:d}=s,p=d.passContext?rn.default.this:qe.nil;n?l():m();function l(){if(!c.$async)throw new Error("async schema referenced by sync schema");let w=a.let("valid");a.try(()=>{a.code((0,qe._)`await ${(0,$m.callValidateCode)(e,t,p)}`),_(t),i||a.assign(w,!0)},y=>{a.if((0,qe._)`!(${y} instanceof ${s.ValidationError})`,()=>a.throw(y)),h(y),i||a.assign(w,!1)}),e.ok(w)}o(l,"callAsyncRef");function m(){e.result((0,$m.callValidateCode)(e,t,p),()=>_(t),()=>h(t))}o(m,"callSyncRef");function h(w){let y=(0,qe._)`${w}.errors`;a.assign(rn.default.vErrors,(0,qe._)`${rn.default.vErrors} === null ? ${y} : ${rn.default.vErrors}.concat(${y})`),a.assign(rn.default.errors,(0,qe._)`${rn.default.vErrors}.length`)}o(h,"addErrorsFrom");function _(w){var y;if(!s.opts.unevaluated)return;let S=(y=r?.validate)===null||y===void 0?void 0:y.evaluated;if(s.props!==!0)if(S&&!S.dynamicProps)S.props!==void 0&&(s.props=Da.mergeEvaluated.props(a,S.props,s.props));else{let v=a.var("props",(0,qe._)`${w}.evaluated.props`);s.props=Da.mergeEvaluated.props(a,v,s.props,qe.Name)}if(s.items!==!0)if(S&&!S.dynamicItems)S.items!==void 0&&(s.items=Da.mergeEvaluated.items(a,S.items,s.items));else{let v=a.var("items",(0,qe._)`${w}.evaluated.items`);s.items=Da.mergeEvaluated.items(a,v,s.items,qe.Name)}}o(_,"addEvaluatedFrom")}o(qa,"callRef");Ir.callRef=qa;Ir.default=mI});var qm=C(Qc=>{"use strict";Object.defineProperty(Qc,"__esModule",{value:!0});var fI=Nm(),hI=Dm(),gI=["$schema","$id","$defs","$vocabulary",{keyword:"$comment"},"definitions",fI.default,hI.default];Qc.default=gI});var Lm=C(eu=>{"use strict";Object.defineProperty(eu,"__esModule",{value:!0});var La=D(),nr=La.operators,ja={maximum:{okStr:"<=",ok:nr.LTE,fail:nr.GT},minimum:{okStr:">=",ok:nr.GTE,fail:nr.LT},exclusiveMaximum:{okStr:"<",ok:nr.LT,fail:nr.GTE},exclusiveMinimum:{okStr:">",ok:nr.GT,fail:nr.LTE}},_I={message:o(({keyword:e,schemaCode:t})=>(0,La.str)`must be ${ja[e].okStr} ${t}`,"message"),params:o(({keyword:e,schemaCode:t})=>(0,La._)`{comparison: ${ja[e].okStr}, limit: ${t}}`,"params")},yI={keyword:Object.keys(ja),type:"number",schemaType:"number",$data:!0,error:_I,code(e){let{keyword:t,data:r,schemaCode:n}=e;e.fail$data((0,La._)`${r} ${ja[t].fail} ${n} || isNaN(${r})`)}};eu.default=yI});var jm=C(tu=>{"use strict";Object.defineProperty(tu,"__esModule",{value:!0});var po=D(),wI={message:o(({schemaCode:e})=>(0,po.str)`must be multiple of ${e}`,"message"),params:o(({schemaCode:e})=>(0,po._)`{multipleOf: ${e}}`,"params")},SI={keyword:"multipleOf",type:"number",schemaType:"number",$data:!0,error:wI,code(e){let{gen:t,data:r,schemaCode:n,it:a}=e,s=a.opts.multipleOfPrecision,i=t.let("res"),c=s?(0,po._)`Math.abs(Math.round(${i}) - ${i}) > 1e-${s}`:(0,po._)`${i} !== parseInt(${i})`;e.fail$data((0,po._)`(${n} === 0 || (${i} = ${r}/${n}, ${c}))`)}};tu.default=SI});var Gm=C(ru=>{"use strict";Object.defineProperty(ru,"__esModule",{value:!0});function Hm(e){let t=e.length,r=0,n=0,a;for(;n<t;)r++,a=e.charCodeAt(n++),a>=55296&&a<=56319&&n<t&&(a=e.charCodeAt(n),(a&64512)===56320&&n++);return r}o(Hm,"ucs2length");ru.default=Hm;Hm.code='require("ajv/dist/runtime/ucs2length").default'});var Bm=C(nu=>{"use strict";Object.defineProperty(nu,"__esModule",{value:!0});var Tr=D(),vI=Z(),bI=Gm(),RI={message({keyword:e,schemaCode:t}){let r=e==="maxLength"?"more":"fewer";return(0,Tr.str)`must NOT have ${r} than ${t} characters`},params:o(({schemaCode:e})=>(0,Tr._)`{limit: ${e}}`,"params")},II={keyword:["maxLength","minLength"],type:"string",schemaType:"number",$data:!0,error:RI,code(e){let{keyword:t,data:r,schemaCode:n,it:a}=e,s=t==="maxLength"?Tr.operators.GT:Tr.operators.LT,i=a.opts.unicode===!1?(0,Tr._)`${r}.length`:(0,Tr._)`${(0,vI.useFunc)(e.gen,bI.default)}(${r})`;e.fail$data((0,Tr._)`${i} ${s} ${n}`)}};nu.default=II});var Vm=C(ou=>{"use strict";Object.defineProperty(ou,"__esModule",{value:!0});var TI=Ye(),Ha=D(),CI={message:o(({schemaCode:e})=>(0,Ha.str)`must match pattern "${e}"`,"message"),params:o(({schemaCode:e})=>(0,Ha._)`{pattern: ${e}}`,"params")},EI={keyword:"pattern",type:"string",schemaType:"string",$data:!0,error:CI,code(e){let{data:t,$data:r,schema:n,schemaCode:a,it:s}=e,i=s.opts.unicodeRegExp?"u":"",c=r?(0,Ha._)`(new RegExp(${a}, ${i}))`:(0,TI.usePattern)(e,n);e.fail$data((0,Ha._)`!${c}.test(${t})`)}};ou.default=EI});var Fm=C(au=>{"use strict";Object.defineProperty(au,"__esModule",{value:!0});var mo=D(),AI={message({keyword:e,schemaCode:t}){let r=e==="maxProperties"?"more":"fewer";return(0,mo.str)`must NOT have ${r} than ${t} properties`},params:o(({schemaCode:e})=>(0,mo._)`{limit: ${e}}`,"params")},PI={keyword:["maxProperties","minProperties"],type:"object",schemaType:"number",$data:!0,error:AI,code(e){let{keyword:t,data:r,schemaCode:n}=e,a=t==="maxProperties"?mo.operators.GT:mo.operators.LT;e.fail$data((0,mo._)`Object.keys(${r}).length ${a} ${n}`)}};au.default=PI});var Zm=C(su=>{"use strict";Object.defineProperty(su,"__esModule",{value:!0});var fo=Ye(),ho=D(),xI=Z(),kI={message:o(({params:{missingProperty:e}})=>(0,ho.str)`must have required property '${e}'`,"message"),params:o(({params:{missingProperty:e}})=>(0,ho._)`{missingProperty: ${e}}`,"params")},OI={keyword:"required",type:"object",schemaType:"array",$data:!0,error:kI,code(e){let{gen:t,schema:r,schemaCode:n,data:a,$data:s,it:i}=e,{opts:c}=i;if(!s&&r.length===0)return;let d=r.length>=c.loopRequired;if(i.allErrors?p():l(),c.strictRequired){let _=e.parentSchema.properties,{definedProperties:w}=e.it;for(let y of r)if(_?.[y]===void 0&&!w.has(y)){let S=i.schemaEnv.baseId+i.errSchemaPath,v=`required property "${y}" is not defined at "${S}" (strictRequired)`;(0,xI.checkStrictMode)(i,v,i.opts.strictRequired)}}function p(){if(d||s)e.block$data(ho.nil,m);else for(let _ of r)(0,fo.checkReportMissingProp)(e,_)}o(p,"allErrorsMode");function l(){let _=t.let("missing");if(d||s){let w=t.let("valid",!0);e.block$data(w,()=>h(_,w)),e.ok(w)}else t.if((0,fo.checkMissingProp)(e,r,_)),(0,fo.reportMissingProp)(e,_),t.else()}o(l,"exitOnErrorMode");function m(){t.forOf("prop",n,_=>{e.setParams({missingProperty:_}),t.if((0,fo.noPropertyInData)(t,a,_,c.ownProperties),()=>e.error())})}o(m,"loopAllRequired");function h(_,w){e.setParams({missingProperty:_}),t.forOf(_,n,()=>{t.assign(w,(0,fo.propertyInData)(t,a,_,c.ownProperties)),t.if((0,ho.not)(w),()=>{e.error(),t.break()})},ho.nil)}o(h,"loopUntilMissing")}};su.default=OI});var Km=C(iu=>{"use strict";Object.defineProperty(iu,"__esModule",{value:!0});var go=D(),UI={message({keyword:e,schemaCode:t}){let r=e==="maxItems"?"more":"fewer";return(0,go.str)`must NOT have ${r} than ${t} items`},params:o(({schemaCode:e})=>(0,go._)`{limit: ${e}}`,"params")},NI={keyword:["maxItems","minItems"],type:"array",schemaType:"number",$data:!0,error:UI,code(e){let{keyword:t,data:r,schemaCode:n}=e,a=t==="maxItems"?go.operators.GT:go.operators.LT;e.fail$data((0,go._)`${r}.length ${a} ${n}`)}};iu.default=NI});var Ga=C(cu=>{"use strict";Object.defineProperty(cu,"__esModule",{value:!0});var Wm=Oc();Wm.code='require("ajv/dist/runtime/equal").default';cu.default=Wm});var Jm=C(du=>{"use strict";Object.defineProperty(du,"__esModule",{value:!0});var uu=to(),be=D(),$I=Z(),zI=Ga(),MI={message:o(({params:{i:e,j:t}})=>(0,be.str)`must NOT have duplicate items (items ## ${t} and ${e} are identical)`,"message"),params:o(({params:{i:e,j:t}})=>(0,be._)`{i: ${e}, j: ${t}}`,"params")},DI={keyword:"uniqueItems",type:"array",schemaType:"boolean",$data:!0,error:MI,code(e){let{gen:t,data:r,$data:n,schema:a,parentSchema:s,schemaCode:i,it:c}=e;if(!n&&!a)return;let d=t.let("valid"),p=s.items?(0,uu.getSchemaTypes)(s.items):[];e.block$data(d,l,(0,be._)`${i} === false`),e.ok(d);function l(){let w=t.let("i",(0,be._)`${r}.length`),y=t.let("j");e.setParams({i:w,j:y}),t.assign(d,!0),t.if((0,be._)`${w} > 1`,()=>(m()?h:_)(w,y))}o(l,"validateUniqueItems");function m(){return p.length>0&&!p.some(w=>w==="object"||w==="array")}o(m,"canOptimize");function h(w,y){let S=t.name("item"),v=(0,uu.checkDataTypes)(p,S,c.opts.strictNumbers,uu.DataType.Wrong),b=t.const("indices",(0,be._)`{}`);t.for((0,be._)`;${w}--;`,()=>{t.let(S,(0,be._)`${r}[${w}]`),t.if(v,(0,be._)`continue`),p.length>1&&t.if((0,be._)`typeof ${S} == "string"`,(0,be._)`${S} += "_"`),t.if((0,be._)`typeof ${b}[${S}] == "number"`,()=>{t.assign(y,(0,be._)`${b}[${S}]`),e.error(),t.assign(d,!1).break()}).code((0,be._)`${b}[${S}] = ${w}`)})}o(h,"loopN");function _(w,y){let S=(0,$I.useFunc)(t,zI.default),v=t.name("outer");t.label(v).for((0,be._)`;${w}--;`,()=>t.for((0,be._)`${y} = ${w}; ${y}--;`,()=>t.if((0,be._)`${S}(${r}[${w}], ${r}[${y}])`,()=>{e.error(),t.assign(d,!1).break(v)})))}o(_,"loopN2")}};du.default=DI});var Ym=C(pu=>{"use strict";Object.defineProperty(pu,"__esModule",{value:!0});var lu=D(),qI=Z(),LI=Ga(),jI={message:"must be equal to constant",params:o(({schemaCode:e})=>(0,lu._)`{allowedValue: ${e}}`,"params")},HI={keyword:"const",$data:!0,error:jI,code(e){let{gen:t,data:r,$data:n,schemaCode:a,schema:s}=e;n||s&&typeof s=="object"?e.fail$data((0,lu._)`!${(0,qI.useFunc)(t,LI.default)}(${r}, ${a})`):e.fail((0,lu._)`${s} !== ${r}`)}};pu.default=HI});var Xm=C(mu=>{"use strict";Object.defineProperty(mu,"__esModule",{value:!0});var _o=D(),GI=Z(),BI=Ga(),VI={message:"must be equal to one of the allowed values",params:o(({schemaCode:e})=>(0,_o._)`{allowedValues: ${e}}`,"params")},FI={keyword:"enum",schemaType:"array",$data:!0,error:VI,code(e){let{gen:t,data:r,$data:n,schema:a,schemaCode:s,it:i}=e;if(!n&&a.length===0)throw new Error("enum must have non-empty array");let c=a.length>=i.opts.loopEnum,d,p=o(()=>d??(d=(0,GI.useFunc)(t,BI.default)),"getEql"),l;if(c||n)l=t.let("valid"),e.block$data(l,m);else{if(!Array.isArray(a))throw new Error("ajv implementation error");let _=t.const("vSchema",s);l=(0,_o.or)(...a.map((w,y)=>h(_,y)))}e.pass(l);function m(){t.assign(l,!1),t.forOf("v",s,_=>t.if((0,_o._)`${p()}(${r}, ${_})`,()=>t.assign(l,!0).break()))}o(m,"loopEnum");function h(_,w){let y=a[w];return typeof y=="object"&&y!==null?(0,_o._)`${p()}(${r}, ${_}[${w}])`:(0,_o._)`${r} === ${y}`}o(h,"equalCode")}};mu.default=FI});var Qm=C(fu=>{"use strict";Object.defineProperty(fu,"__esModule",{value:!0});var ZI=Lm(),KI=jm(),WI=Bm(),JI=Vm(),YI=Fm(),XI=Zm(),QI=Km(),eT=Jm(),tT=Ym(),rT=Xm(),nT=[ZI.default,KI.default,WI.default,JI.default,YI.default,XI.default,QI.default,eT.default,{keyword:"type",schemaType:["string","array"]},{keyword:"nullable",schemaType:"boolean"},tT.default,rT.default];fu.default=nT});var gu=C(yo=>{"use strict";Object.defineProperty(yo,"__esModule",{value:!0});yo.validateAdditionalItems=void 0;var Cr=D(),hu=Z(),oT={message:o(({params:{len:e}})=>(0,Cr.str)`must NOT have more than ${e} items`,"message"),params:o(({params:{len:e}})=>(0,Cr._)`{limit: ${e}}`,"params")},aT={keyword:"additionalItems",type:"array",schemaType:["boolean","object"],before:"uniqueItems",error:oT,code(e){let{parentSchema:t,it:r}=e,{items:n}=t;if(!Array.isArray(n)){(0,hu.checkStrictMode)(r,'"additionalItems" is ignored when "items" is not an array of schemas');return}ef(e,n)}};function ef(e,t){let{gen:r,schema:n,data:a,keyword:s,it:i}=e;i.items=!0;let c=r.const("len",(0,Cr._)`${a}.length`);if(n===!1)e.setParams({len:t.length}),e.pass((0,Cr._)`${c} <= ${t.length}`);else if(typeof n=="object"&&!(0,hu.alwaysValidSchema)(i,n)){let p=r.var("valid",(0,Cr._)`${c} <= ${t.length}`);r.if((0,Cr.not)(p),()=>d(p)),e.ok(p)}function d(p){r.forRange("i",t.length,c,l=>{e.subschema({keyword:s,dataProp:l,dataPropType:hu.Type.Num},p),i.allErrors||r.if((0,Cr.not)(p),()=>r.break())})}o(d,"validateItems")}o(ef,"validateAdditionalItems");yo.validateAdditionalItems=ef;yo.default=aT});var _u=C(wo=>{"use strict";Object.defineProperty(wo,"__esModule",{value:!0});wo.validateTuple=void 0;var tf=D(),Ba=Z(),sT=Ye(),iT={keyword:"items",type:"array",schemaType:["object","array","boolean"],before:"uniqueItems",code(e){let{schema:t,it:r}=e;if(Array.isArray(t))return rf(e,"additionalItems",t);r.items=!0,!(0,Ba.alwaysValidSchema)(r,t)&&e.ok((0,sT.validateArray)(e))}};function rf(e,t,r=e.schema){let{gen:n,parentSchema:a,data:s,keyword:i,it:c}=e;l(a),c.opts.unevaluated&&r.length&&c.items!==!0&&(c.items=Ba.mergeEvaluated.items(n,r.length,c.items));let d=n.name("valid"),p=n.const("len",(0,tf._)`${s}.length`);r.forEach((m,h)=>{(0,Ba.alwaysValidSchema)(c,m)||(n.if((0,tf._)`${p} > ${h}`,()=>e.subschema({keyword:i,schemaProp:h,dataProp:h},d)),e.ok(d))});function l(m){let{opts:h,errSchemaPath:_}=c,w=r.length,y=w===m.minItems&&(w===m.maxItems||m[t]===!1);if(h.strictTuples&&!y){let S=`"${i}" is ${w}-tuple, but minItems or maxItems/${t} are not specified or different at path "${_}"`;(0,Ba.checkStrictMode)(c,S,h.strictTuples)}}o(l,"checkStrictTuple")}o(rf,"validateTuple");wo.validateTuple=rf;wo.default=iT});var nf=C(yu=>{"use strict";Object.defineProperty(yu,"__esModule",{value:!0});var cT=_u(),uT={keyword:"prefixItems",type:"array",schemaType:["array"],before:"uniqueItems",code:o(e=>(0,cT.validateTuple)(e,"items"),"code")};yu.default=uT});var af=C(wu=>{"use strict";Object.defineProperty(wu,"__esModule",{value:!0});var of=D(),dT=Z(),lT=Ye(),pT=gu(),mT={message:o(({params:{len:e}})=>(0,of.str)`must NOT have more than ${e} items`,"message"),params:o(({params:{len:e}})=>(0,of._)`{limit: ${e}}`,"params")},fT={keyword:"items",type:"array",schemaType:["object","boolean"],before:"uniqueItems",error:mT,code(e){let{schema:t,parentSchema:r,it:n}=e,{prefixItems:a}=r;n.items=!0,!(0,dT.alwaysValidSchema)(n,t)&&(a?(0,pT.validateAdditionalItems)(e,a):e.ok((0,lT.validateArray)(e)))}};wu.default=fT});var sf=C(Su=>{"use strict";Object.defineProperty(Su,"__esModule",{value:!0});var Qe=D(),Va=Z(),hT={message:o(({params:{min:e,max:t}})=>t===void 0?(0,Qe.str)`must contain at least ${e} valid item(s)`:(0,Qe.str)`must contain at least ${e} and no more than ${t} valid item(s)`,"message"),params:o(({params:{min:e,max:t}})=>t===void 0?(0,Qe._)`{minContains: ${e}}`:(0,Qe._)`{minContains: ${e}, maxContains: ${t}}`,"params")},gT={keyword:"contains",type:"array",schemaType:["object","boolean"],before:"uniqueItems",trackErrors:!0,error:hT,code(e){let{gen:t,schema:r,parentSchema:n,data:a,it:s}=e,i,c,{minContains:d,maxContains:p}=n;s.opts.next?(i=d===void 0?1:d,c=p):i=1;let l=t.const("len",(0,Qe._)`${a}.length`);if(e.setParams({min:i,max:c}),c===void 0&&i===0){(0,Va.checkStrictMode)(s,'"minContains" == 0 without "maxContains": "contains" keyword ignored');return}if(c!==void 0&&i>c){(0,Va.checkStrictMode)(s,'"minContains" > "maxContains" is always invalid'),e.fail();return}if((0,Va.alwaysValidSchema)(s,r)){let y=(0,Qe._)`${l} >= ${i}`;c!==void 0&&(y=(0,Qe._)`${y} && ${l} <= ${c}`),e.pass(y);return}s.items=!0;let m=t.name("valid");c===void 0&&i===1?_(m,()=>t.if(m,()=>t.break())):i===0?(t.let(m,!0),c!==void 0&&t.if((0,Qe._)`${a}.length > 0`,h)):(t.let(m,!1),h()),e.result(m,()=>e.reset());function h(){let y=t.name("_valid"),S=t.let("count",0);_(y,()=>t.if(y,()=>w(S)))}o(h,"validateItemsWithCount");function _(y,S){t.forRange("i",0,l,v=>{e.subschema({keyword:"contains",dataProp:v,dataPropType:Va.Type.Num,compositeRule:!0},y),S()})}o(_,"validateItems");function w(y){t.code((0,Qe._)`${y}++`),c===void 0?t.if((0,Qe._)`${y} >= ${i}`,()=>t.assign(m,!0).break()):(t.if((0,Qe._)`${y} > ${c}`,()=>t.assign(m,!1).break()),i===1?t.assign(m,!0):t.if((0,Qe._)`${y} >= ${i}`,()=>t.assign(m,!0)))}o(w,"checkLimits")}};Su.default=gT});var df=C(_t=>{"use strict";Object.defineProperty(_t,"__esModule",{value:!0});_t.validateSchemaDeps=_t.validatePropertyDeps=_t.error=void 0;var vu=D(),_T=Z(),So=Ye();_t.error={message:o(({params:{property:e,depsCount:t,deps:r}})=>{let n=t===1?"property":"properties";return(0,vu.str)`must have ${n} ${r} when property ${e} is present`},"message"),params:o(({params:{property:e,depsCount:t,deps:r,missingProperty:n}})=>(0,vu._)`{property: ${e},
25
+ import{$ as pe,H as Sp,I as Ds,J as Yw,K as wp,L as h,M as vp,N as K,O as ee,P as Rp,Q as bp,R as he,S as b,T as C,U as Se,V as se,W as Ms,X as qs,Y as ne,Z as Xe,_ as P,a as Wt,aa as Cp,b as _p,ba as $s,ca as Ip,da as Tp,ea as c,fa as Y,j as Vn,k as yp,q as zs,z as Ut}from"../chunk-PG5BJ2JU.js";import{d as Ns}from"../chunk-BHMDFTZV.js";import{a as H}from"../chunk-ZJ5LRHNO.js";import{U as _a,V as Ot,W as gp,a as o,c as T,e as fp}from"../chunk-FFHHHNST.js";var ao=T(W=>{"use strict";Object.defineProperty(W,"__esModule",{value:!0});W.regexpCode=W.getEsmExportName=W.getProperty=W.safeStringify=W.stringify=W.strConcat=W.addCodeArg=W.str=W._=W.nil=W._Code=W.Name=W.IDENTIFIER=W._CodeOrName=void 0;var no=class{static{o(this,"_CodeOrName")}};W._CodeOrName=no;W.IDENTIFIER=/^[a-z$_][a-z$_0-9]*$/i;var Rr=class extends no{static{o(this,"Name")}constructor(t){if(super(),!W.IDENTIFIER.test(t))throw new Error("CodeGen: name must be a valid identifier");this.str=t}toString(){return this.str}emptyStr(){return!1}get names(){return{[this.str]:1}}};W.Name=Rr;var rt=class extends no{static{o(this,"_Code")}constructor(t){super(),this._items=typeof t=="string"?[t]:t}toString(){return this.str}emptyStr(){if(this._items.length>1)return!1;let t=this._items[0];return t===""||t==='""'}get str(){var t;return(t=this._str)!==null&&t!==void 0?t:this._str=this._items.reduce((r,n)=>`${r}${n}`,"")}get names(){var t;return(t=this._names)!==null&&t!==void 0?t:this._names=this._items.reduce((r,n)=>(n instanceof Rr&&(r[n.str]=(r[n.str]||0)+1),r),{})}};W._Code=rt;W.nil=new rt("");function Bp(e,...t){let r=[e[0]],n=0;for(;n<t.length;)Sc(r,t[n]),r.push(e[++n]);return new rt(r)}o(Bp,"_");W._=Bp;var yc=new rt("+");function Vp(e,...t){let r=[oo(e[0])],n=0;for(;n<t.length;)r.push(yc),Sc(r,t[n]),r.push(yc,oo(e[++n]));return RR(r),new rt(r)}o(Vp,"str");W.str=Vp;function Sc(e,t){t instanceof rt?e.push(...t._items):t instanceof Rr?e.push(t):e.push(IR(t))}o(Sc,"addCodeArg");W.addCodeArg=Sc;function RR(e){let t=1;for(;t<e.length-1;){if(e[t]===yc){let r=bR(e[t-1],e[t+1]);if(r!==void 0){e.splice(t-1,3,r);continue}e[t++]="+"}t++}}o(RR,"optimize");function bR(e,t){if(t==='""')return e;if(e==='""')return t;if(typeof e=="string")return t instanceof Rr||e[e.length-1]!=='"'?void 0:typeof t!="string"?`${e.slice(0,-1)}${t}"`:t[0]==='"'?e.slice(0,-1)+t.slice(1):void 0;if(typeof t=="string"&&t[0]==='"'&&!(e instanceof Rr))return`"${e}${t.slice(1)}`}o(bR,"mergeExprItems");function CR(e,t){return t.emptyStr()?e:e.emptyStr()?t:Vp`${e}${t}`}o(CR,"strConcat");W.strConcat=CR;function IR(e){return typeof e=="number"||typeof e=="boolean"||e===null?e:oo(Array.isArray(e)?e.join(","):e)}o(IR,"interpolate");function TR(e){return new rt(oo(e))}o(TR,"stringify");W.stringify=TR;function oo(e){return JSON.stringify(e).replace(/\u2028/g,"\\u2028").replace(/\u2029/g,"\\u2029")}o(oo,"safeStringify");W.safeStringify=oo;function AR(e){return typeof e=="string"&&W.IDENTIFIER.test(e)?new rt(`.${e}`):Bp`[${e}]`}o(AR,"getProperty");W.getProperty=AR;function kR(e){if(typeof e=="string"&&W.IDENTIFIER.test(e))return new rt(`${e}`);throw new Error(`CodeGen: invalid export name: ${e}, use explicit $id name mapping`)}o(kR,"getEsmExportName");W.getEsmExportName=kR;function PR(e){return new rt(e.toString())}o(PR,"regexpCode");W.regexpCode=PR});var Rc=T(Ge=>{"use strict";Object.defineProperty(Ge,"__esModule",{value:!0});Ge.ValueScope=Ge.ValueScopeName=Ge.Scope=Ge.varKinds=Ge.UsedValueState=void 0;var He=ao(),wc=class extends Error{static{o(this,"ValueError")}constructor(t){super(`CodeGen: "code" for ${t} not defined`),this.value=t.value}},Ua;(function(e){e[e.Started=0]="Started",e[e.Completed=1]="Completed"})(Ua||(Ge.UsedValueState=Ua={}));Ge.varKinds={const:new He.Name("const"),let:new He.Name("let"),var:new He.Name("var")};var za=class{static{o(this,"Scope")}constructor({prefixes:t,parent:r}={}){this._names={},this._prefixes=t,this._parent=r}toName(t){return t instanceof He.Name?t:this.name(t)}name(t){return new He.Name(this._newName(t))}_newName(t){let r=this._names[t]||this._nameGroup(t);return`${t}${r.index++}`}_nameGroup(t){var r,n;if(!((n=(r=this._parent)===null||r===void 0?void 0:r._prefixes)===null||n===void 0)&&n.has(t)||this._prefixes&&!this._prefixes.has(t))throw new Error(`CodeGen: prefix "${t}" is not allowed in this scope`);return this._names[t]={prefix:t,index:0}}};Ge.Scope=za;var Na=class extends He.Name{static{o(this,"ValueScopeName")}constructor(t,r){super(r),this.prefix=t}setValue(t,{property:r,itemIndex:n}){this.value=t,this.scopePath=(0,He._)`.${new He.Name(r)}[${n}]`}};Ge.ValueScopeName=Na;var ER=(0,He._)`\n`,vc=class extends za{static{o(this,"ValueScope")}constructor(t){super(t),this._values={},this._scope=t.scope,this.opts={...t,_n:t.lines?ER:He.nil}}get(){return this._scope}name(t){return new Na(t,this._newName(t))}value(t,r){var n;if(r.ref===void 0)throw new Error("CodeGen: ref must be passed in value");let a=this.toName(t),{prefix:i}=a,s=(n=r.key)!==null&&n!==void 0?n:r.ref,u=this._values[i];if(u){let p=u.get(s);if(p)return p}else u=this._values[i]=new Map;u.set(s,a);let d=this._scope[i]||(this._scope[i]=[]),l=d.length;return d[l]=r.ref,a.setValue(r,{property:i,itemIndex:l}),a}getValue(t,r){let n=this._values[t];if(n)return n.get(r)}scopeRefs(t,r=this._values){return this._reduceValues(r,n=>{if(n.scopePath===void 0)throw new Error(`CodeGen: name "${n}" has no value`);return(0,He._)`${t}${n.scopePath}`})}scopeCode(t=this._values,r,n){return this._reduceValues(t,a=>{if(a.value===void 0)throw new Error(`CodeGen: name "${a}" has no value`);return a.value.code},r,n)}_reduceValues(t,r,n={},a){let i=He.nil;for(let s in t){let u=t[s];if(!u)continue;let d=n[s]=n[s]||new Map;u.forEach(l=>{if(d.has(l))return;d.set(l,Ua.Started);let p=r(l);if(p){let m=this.opts.es5?Ge.varKinds.var:Ge.varKinds.const;i=(0,He._)`${i}${m} ${l} = ${p};${this.opts._n}`}else if(p=a?.(l))i=(0,He._)`${i}${p}${this.opts._n}`;else throw new wc(l);d.set(l,Ua.Completed)})}return i}};Ge.ValueScope=vc});var L=T(j=>{"use strict";Object.defineProperty(j,"__esModule",{value:!0});j.or=j.and=j.not=j.CodeGen=j.operators=j.varKinds=j.ValueScopeName=j.ValueScope=j.Scope=j.Name=j.regexpCode=j.stringify=j.getProperty=j.nil=j.strConcat=j.str=j._=void 0;var B=ao(),dt=Rc(),or=ao();Object.defineProperty(j,"_",{enumerable:!0,get:o(function(){return or._},"get")});Object.defineProperty(j,"str",{enumerable:!0,get:o(function(){return or.str},"get")});Object.defineProperty(j,"strConcat",{enumerable:!0,get:o(function(){return or.strConcat},"get")});Object.defineProperty(j,"nil",{enumerable:!0,get:o(function(){return or.nil},"get")});Object.defineProperty(j,"getProperty",{enumerable:!0,get:o(function(){return or.getProperty},"get")});Object.defineProperty(j,"stringify",{enumerable:!0,get:o(function(){return or.stringify},"get")});Object.defineProperty(j,"regexpCode",{enumerable:!0,get:o(function(){return or.regexpCode},"get")});Object.defineProperty(j,"Name",{enumerable:!0,get:o(function(){return or.Name},"get")});var $a=Rc();Object.defineProperty(j,"Scope",{enumerable:!0,get:o(function(){return $a.Scope},"get")});Object.defineProperty(j,"ValueScope",{enumerable:!0,get:o(function(){return $a.ValueScope},"get")});Object.defineProperty(j,"ValueScopeName",{enumerable:!0,get:o(function(){return $a.ValueScopeName},"get")});Object.defineProperty(j,"varKinds",{enumerable:!0,get:o(function(){return $a.varKinds},"get")});j.operators={GT:new B._Code(">"),GTE:new B._Code(">="),LT:new B._Code("<"),LTE:new B._Code("<="),EQ:new B._Code("==="),NEQ:new B._Code("!=="),NOT:new B._Code("!"),OR:new B._Code("||"),AND:new B._Code("&&"),ADD:new B._Code("+")};var Mt=class{static{o(this,"Node")}optimizeNodes(){return this}optimizeNames(t,r){return this}},bc=class extends Mt{static{o(this,"Def")}constructor(t,r,n){super(),this.varKind=t,this.name=r,this.rhs=n}render({es5:t,_n:r}){let n=t?dt.varKinds.var:this.varKind,a=this.rhs===void 0?"":` = ${this.rhs}`;return`${n} ${this.name}${a};`+r}optimizeNames(t,r){if(t[this.name.str])return this.rhs&&(this.rhs=nn(this.rhs,t,r)),this}get names(){return this.rhs instanceof B._CodeOrName?this.rhs.names:{}}},Da=class extends Mt{static{o(this,"Assign")}constructor(t,r,n){super(),this.lhs=t,this.rhs=r,this.sideEffects=n}render({_n:t}){return`${this.lhs} = ${this.rhs};`+t}optimizeNames(t,r){if(!(this.lhs instanceof B.Name&&!t[this.lhs.str]&&!this.sideEffects))return this.rhs=nn(this.rhs,t,r),this}get names(){let t=this.lhs instanceof B.Name?{}:{...this.lhs.names};return qa(t,this.rhs)}},Cc=class extends Da{static{o(this,"AssignOp")}constructor(t,r,n,a){super(t,n,a),this.op=r}render({_n:t}){return`${this.lhs} ${this.op}= ${this.rhs};`+t}},Ic=class extends Mt{static{o(this,"Label")}constructor(t){super(),this.label=t,this.names={}}render({_n:t}){return`${this.label}:`+t}},Tc=class extends Mt{static{o(this,"Break")}constructor(t){super(),this.label=t,this.names={}}render({_n:t}){return`break${this.label?` ${this.label}`:""};`+t}},Ac=class extends Mt{static{o(this,"Throw")}constructor(t){super(),this.error=t}render({_n:t}){return`throw ${this.error};`+t}get names(){return this.error.names}},kc=class extends Mt{static{o(this,"AnyCode")}constructor(t){super(),this.code=t}render({_n:t}){return`${this.code};`+t}optimizeNodes(){return`${this.code}`?this:void 0}optimizeNames(t,r){return this.code=nn(this.code,t,r),this}get names(){return this.code instanceof B._CodeOrName?this.code.names:{}}},io=class extends Mt{static{o(this,"ParentNode")}constructor(t=[]){super(),this.nodes=t}render(t){return this.nodes.reduce((r,n)=>r+n.render(t),"")}optimizeNodes(){let{nodes:t}=this,r=t.length;for(;r--;){let n=t[r].optimizeNodes();Array.isArray(n)?t.splice(r,1,...n):n?t[r]=n:t.splice(r,1)}return t.length>0?this:void 0}optimizeNames(t,r){let{nodes:n}=this,a=n.length;for(;a--;){let i=n[a];i.optimizeNames(t,r)||(xR(t,i.names),n.splice(a,1))}return n.length>0?this:void 0}get names(){return this.nodes.reduce((t,r)=>Ir(t,r.names),{})}},qt=class extends io{static{o(this,"BlockNode")}render(t){return"{"+t._n+super.render(t)+"}"+t._n}},Pc=class extends io{static{o(this,"Root")}},rn=class extends qt{static{o(this,"Else")}};rn.kind="else";var br=class e extends qt{static{o(this,"If")}constructor(t,r){super(r),this.condition=t}render(t){let r=`if(${this.condition})`+super.render(t);return this.else&&(r+="else "+this.else.render(t)),r}optimizeNodes(){super.optimizeNodes();let t=this.condition;if(t===!0)return this.nodes;let r=this.else;if(r){let n=r.optimizeNodes();r=this.else=Array.isArray(n)?new rn(n):n}if(r)return t===!1?r instanceof e?r:r.nodes:this.nodes.length?this:new e(Fp(t),r instanceof e?[r]:r.nodes);if(!(t===!1||!this.nodes.length))return this}optimizeNames(t,r){var n;if(this.else=(n=this.else)===null||n===void 0?void 0:n.optimizeNames(t,r),!!(super.optimizeNames(t,r)||this.else))return this.condition=nn(this.condition,t,r),this}get names(){let t=super.names;return qa(t,this.condition),this.else&&Ir(t,this.else.names),t}};br.kind="if";var Cr=class extends qt{static{o(this,"For")}};Cr.kind="for";var Ec=class extends Cr{static{o(this,"ForLoop")}constructor(t){super(),this.iteration=t}render(t){return`for(${this.iteration})`+super.render(t)}optimizeNames(t,r){if(super.optimizeNames(t,r))return this.iteration=nn(this.iteration,t,r),this}get names(){return Ir(super.names,this.iteration.names)}},xc=class extends Cr{static{o(this,"ForRange")}constructor(t,r,n,a){super(),this.varKind=t,this.name=r,this.from=n,this.to=a}render(t){let r=t.es5?dt.varKinds.var:this.varKind,{name:n,from:a,to:i}=this;return`for(${r} ${n}=${a}; ${n}<${i}; ${n}++)`+super.render(t)}get names(){let t=qa(super.names,this.from);return qa(t,this.to)}},Ma=class extends Cr{static{o(this,"ForIter")}constructor(t,r,n,a){super(),this.loop=t,this.varKind=r,this.name=n,this.iterable=a}render(t){return`for(${this.varKind} ${this.name} ${this.loop} ${this.iterable})`+super.render(t)}optimizeNames(t,r){if(super.optimizeNames(t,r))return this.iterable=nn(this.iterable,t,r),this}get names(){return Ir(super.names,this.iterable.names)}},so=class extends qt{static{o(this,"Func")}constructor(t,r,n){super(),this.name=t,this.args=r,this.async=n}render(t){return`${this.async?"async ":""}function ${this.name}(${this.args})`+super.render(t)}};so.kind="func";var co=class extends io{static{o(this,"Return")}render(t){return"return "+super.render(t)}};co.kind="return";var Oc=class extends qt{static{o(this,"Try")}render(t){let r="try"+super.render(t);return this.catch&&(r+=this.catch.render(t)),this.finally&&(r+=this.finally.render(t)),r}optimizeNodes(){var t,r;return super.optimizeNodes(),(t=this.catch)===null||t===void 0||t.optimizeNodes(),(r=this.finally)===null||r===void 0||r.optimizeNodes(),this}optimizeNames(t,r){var n,a;return super.optimizeNames(t,r),(n=this.catch)===null||n===void 0||n.optimizeNames(t,r),(a=this.finally)===null||a===void 0||a.optimizeNames(t,r),this}get names(){let t=super.names;return this.catch&&Ir(t,this.catch.names),this.finally&&Ir(t,this.finally.names),t}},uo=class extends qt{static{o(this,"Catch")}constructor(t){super(),this.error=t}render(t){return`catch(${this.error})`+super.render(t)}};uo.kind="catch";var lo=class extends qt{static{o(this,"Finally")}render(t){return"finally"+super.render(t)}};lo.kind="finally";var Uc=class{static{o(this,"CodeGen")}constructor(t,r={}){this._values={},this._blockStarts=[],this._constants={},this.opts={...r,_n:r.lines?`
26
+ `:""},this._extScope=t,this._scope=new dt.Scope({parent:t}),this._nodes=[new Pc]}toString(){return this._root.render(this.opts)}name(t){return this._scope.name(t)}scopeName(t){return this._extScope.name(t)}scopeValue(t,r){let n=this._extScope.value(t,r);return(this._values[n.prefix]||(this._values[n.prefix]=new Set)).add(n),n}getScopeValue(t,r){return this._extScope.getValue(t,r)}scopeRefs(t){return this._extScope.scopeRefs(t,this._values)}scopeCode(){return this._extScope.scopeCode(this._values)}_def(t,r,n,a){let i=this._scope.toName(r);return n!==void 0&&a&&(this._constants[i.str]=n),this._leafNode(new bc(t,i,n)),i}const(t,r,n){return this._def(dt.varKinds.const,t,r,n)}let(t,r,n){return this._def(dt.varKinds.let,t,r,n)}var(t,r,n){return this._def(dt.varKinds.var,t,r,n)}assign(t,r,n){return this._leafNode(new Da(t,r,n))}add(t,r){return this._leafNode(new Cc(t,j.operators.ADD,r))}code(t){return typeof t=="function"?t():t!==B.nil&&this._leafNode(new kc(t)),this}object(...t){let r=["{"];for(let[n,a]of t)r.length>1&&r.push(","),r.push(n),(n!==a||this.opts.es5)&&(r.push(":"),(0,B.addCodeArg)(r,a));return r.push("}"),new B._Code(r)}if(t,r,n){if(this._blockNode(new br(t)),r&&n)this.code(r).else().code(n).endIf();else if(r)this.code(r).endIf();else if(n)throw new Error('CodeGen: "else" body without "then" body');return this}elseIf(t){return this._elseNode(new br(t))}else(){return this._elseNode(new rn)}endIf(){return this._endBlockNode(br,rn)}_for(t,r){return this._blockNode(t),r&&this.code(r).endFor(),this}for(t,r){return this._for(new Ec(t),r)}forRange(t,r,n,a,i=this.opts.es5?dt.varKinds.var:dt.varKinds.let){let s=this._scope.toName(t);return this._for(new xc(i,s,r,n),()=>a(s))}forOf(t,r,n,a=dt.varKinds.const){let i=this._scope.toName(t);if(this.opts.es5){let s=r instanceof B.Name?r:this.var("_arr",r);return this.forRange("_i",0,(0,B._)`${s}.length`,u=>{this.var(i,(0,B._)`${s}[${u}]`),n(i)})}return this._for(new Ma("of",a,i,r),()=>n(i))}forIn(t,r,n,a=this.opts.es5?dt.varKinds.var:dt.varKinds.const){if(this.opts.ownProperties)return this.forOf(t,(0,B._)`Object.keys(${r})`,n);let i=this._scope.toName(t);return this._for(new Ma("in",a,i,r),()=>n(i))}endFor(){return this._endBlockNode(Cr)}label(t){return this._leafNode(new Ic(t))}break(t){return this._leafNode(new Tc(t))}return(t){let r=new co;if(this._blockNode(r),this.code(t),r.nodes.length!==1)throw new Error('CodeGen: "return" should have one node');return this._endBlockNode(co)}try(t,r,n){if(!r&&!n)throw new Error('CodeGen: "try" without "catch" and "finally"');let a=new Oc;if(this._blockNode(a),this.code(t),r){let i=this.name("e");this._currNode=a.catch=new uo(i),r(i)}return n&&(this._currNode=a.finally=new lo,this.code(n)),this._endBlockNode(uo,lo)}throw(t){return this._leafNode(new Ac(t))}block(t,r){return this._blockStarts.push(this._nodes.length),t&&this.code(t).endBlock(r),this}endBlock(t){let r=this._blockStarts.pop();if(r===void 0)throw new Error("CodeGen: not in self-balancing block");let n=this._nodes.length-r;if(n<0||t!==void 0&&n!==t)throw new Error(`CodeGen: wrong number of nodes: ${n} vs ${t} expected`);return this._nodes.length=r,this}func(t,r=B.nil,n,a){return this._blockNode(new so(t,r,n)),a&&this.code(a).endFunc(),this}endFunc(){return this._endBlockNode(so)}optimize(t=1){for(;t-- >0;)this._root.optimizeNodes(),this._root.optimizeNames(this._root.names,this._constants)}_leafNode(t){return this._currNode.nodes.push(t),this}_blockNode(t){this._currNode.nodes.push(t),this._nodes.push(t)}_endBlockNode(t,r){let n=this._currNode;if(n instanceof t||r&&n instanceof r)return this._nodes.pop(),this;throw new Error(`CodeGen: not in block "${r?`${t.kind}/${r.kind}`:t.kind}"`)}_elseNode(t){let r=this._currNode;if(!(r instanceof br))throw new Error('CodeGen: "else" without "if"');return this._currNode=r.else=t,this}get _root(){return this._nodes[0]}get _currNode(){let t=this._nodes;return t[t.length-1]}set _currNode(t){let r=this._nodes;r[r.length-1]=t}};j.CodeGen=Uc;function Ir(e,t){for(let r in t)e[r]=(e[r]||0)+(t[r]||0);return e}o(Ir,"addNames");function qa(e,t){return t instanceof B._CodeOrName?Ir(e,t.names):e}o(qa,"addExprNames");function nn(e,t,r){if(e instanceof B.Name)return n(e);if(!a(e))return e;return new B._Code(e._items.reduce((i,s)=>(s instanceof B.Name&&(s=n(s)),s instanceof B._Code?i.push(...s._items):i.push(s),i),[]));function n(i){let s=r[i.str];return s===void 0||t[i.str]!==1?i:(delete t[i.str],s)}function a(i){return i instanceof B._Code&&i._items.some(s=>s instanceof B.Name&&t[s.str]===1&&r[s.str]!==void 0)}}o(nn,"optimizeExpr");function xR(e,t){for(let r in t)e[r]=(e[r]||0)-(t[r]||0)}o(xR,"subtractNames");function Fp(e){return typeof e=="boolean"||typeof e=="number"||e===null?!e:(0,B._)`!${zc(e)}`}o(Fp,"not");j.not=Fp;var OR=Zp(j.operators.AND);function UR(...e){return e.reduce(OR)}o(UR,"and");j.and=UR;var zR=Zp(j.operators.OR);function NR(...e){return e.reduce(zR)}o(NR,"or");j.or=NR;function Zp(e){return(t,r)=>t===B.nil?r:r===B.nil?t:(0,B._)`${zc(t)} ${e} ${zc(r)}`}o(Zp,"mappend");function zc(e){return e instanceof B.Name?e:(0,B._)`(${e})`}o(zc,"par")});var J=T(G=>{"use strict";Object.defineProperty(G,"__esModule",{value:!0});G.checkStrictMode=G.getErrorPath=G.Type=G.useFunc=G.setEvaluated=G.evaluatedPropsToName=G.mergeEvaluated=G.eachItem=G.unescapeJsonPointer=G.escapeJsonPointer=G.escapeFragment=G.unescapeFragment=G.schemaRefOrVal=G.schemaHasRulesButRef=G.schemaHasRules=G.checkUnknownRules=G.alwaysValidSchema=G.toHash=void 0;var te=L(),DR=ao();function MR(e){let t={};for(let r of e)t[r]=!0;return t}o(MR,"toHash");G.toHash=MR;function qR(e,t){return typeof t=="boolean"?t:Object.keys(t).length===0?!0:(Jp(e,t),!Yp(t,e.self.RULES.all))}o(qR,"alwaysValidSchema");G.alwaysValidSchema=qR;function Jp(e,t=e.schema){let{opts:r,self:n}=e;if(!r.strictSchema||typeof t=="boolean")return;let a=n.RULES.keywords;for(let i in t)a[i]||em(e,`unknown keyword: "${i}"`)}o(Jp,"checkUnknownRules");G.checkUnknownRules=Jp;function Yp(e,t){if(typeof e=="boolean")return!e;for(let r in e)if(t[r])return!0;return!1}o(Yp,"schemaHasRules");G.schemaHasRules=Yp;function $R(e,t){if(typeof e=="boolean")return!e;for(let r in e)if(r!=="$ref"&&t.all[r])return!0;return!1}o($R,"schemaHasRulesButRef");G.schemaHasRulesButRef=$R;function LR({topSchemaRef:e,schemaPath:t},r,n,a){if(!a){if(typeof r=="number"||typeof r=="boolean")return r;if(typeof r=="string")return(0,te._)`${r}`}return(0,te._)`${e}${t}${(0,te.getProperty)(n)}`}o(LR,"schemaRefOrVal");G.schemaRefOrVal=LR;function jR(e){return Xp(decodeURIComponent(e))}o(jR,"unescapeFragment");G.unescapeFragment=jR;function HR(e){return encodeURIComponent(Dc(e))}o(HR,"escapeFragment");G.escapeFragment=HR;function Dc(e){return typeof e=="number"?`${e}`:e.replace(/~/g,"~0").replace(/\//g,"~1")}o(Dc,"escapeJsonPointer");G.escapeJsonPointer=Dc;function Xp(e){return e.replace(/~1/g,"/").replace(/~0/g,"~")}o(Xp,"unescapeJsonPointer");G.unescapeJsonPointer=Xp;function GR(e,t){if(Array.isArray(e))for(let r of e)t(r);else t(e)}o(GR,"eachItem");G.eachItem=GR;function Kp({mergeNames:e,mergeToName:t,mergeValues:r,resultToName:n}){return(a,i,s,u)=>{let d=s===void 0?i:s instanceof te.Name?(i instanceof te.Name?e(a,i,s):t(a,i,s),s):i instanceof te.Name?(t(a,s,i),i):r(i,s);return u===te.Name&&!(d instanceof te.Name)?n(a,d):d}}o(Kp,"makeMergeEvaluated");G.mergeEvaluated={props:Kp({mergeNames:o((e,t,r)=>e.if((0,te._)`${r} !== true && ${t} !== undefined`,()=>{e.if((0,te._)`${t} === true`,()=>e.assign(r,!0),()=>e.assign(r,(0,te._)`${r} || {}`).code((0,te._)`Object.assign(${r}, ${t})`))}),"mergeNames"),mergeToName:o((e,t,r)=>e.if((0,te._)`${r} !== true`,()=>{t===!0?e.assign(r,!0):(e.assign(r,(0,te._)`${r} || {}`),Mc(e,r,t))}),"mergeToName"),mergeValues:o((e,t)=>e===!0?!0:{...e,...t},"mergeValues"),resultToName:Qp}),items:Kp({mergeNames:o((e,t,r)=>e.if((0,te._)`${r} !== true && ${t} !== undefined`,()=>e.assign(r,(0,te._)`${t} === true ? true : ${r} > ${t} ? ${r} : ${t}`)),"mergeNames"),mergeToName:o((e,t,r)=>e.if((0,te._)`${r} !== true`,()=>e.assign(r,t===!0?!0:(0,te._)`${r} > ${t} ? ${r} : ${t}`)),"mergeToName"),mergeValues:o((e,t)=>e===!0?!0:Math.max(e,t),"mergeValues"),resultToName:o((e,t)=>e.var("items",t),"resultToName")})};function Qp(e,t){if(t===!0)return e.var("props",!0);let r=e.var("props",(0,te._)`{}`);return t!==void 0&&Mc(e,r,t),r}o(Qp,"evaluatedPropsToName");G.evaluatedPropsToName=Qp;function Mc(e,t,r){Object.keys(r).forEach(n=>e.assign((0,te._)`${t}${(0,te.getProperty)(n)}`,!0))}o(Mc,"setEvaluated");G.setEvaluated=Mc;var Wp={};function BR(e,t){return e.scopeValue("func",{ref:t,code:Wp[t.code]||(Wp[t.code]=new DR._Code(t.code))})}o(BR,"useFunc");G.useFunc=BR;var Nc;(function(e){e[e.Num=0]="Num",e[e.Str=1]="Str"})(Nc||(G.Type=Nc={}));function VR(e,t,r){if(e instanceof te.Name){let n=t===Nc.Num;return r?n?(0,te._)`"[" + ${e} + "]"`:(0,te._)`"['" + ${e} + "']"`:n?(0,te._)`"/" + ${e}`:(0,te._)`"/" + ${e}.replace(/~/g, "~0").replace(/\\//g, "~1")`}return r?(0,te.getProperty)(e).toString():"/"+Dc(e)}o(VR,"getErrorPath");G.getErrorPath=VR;function em(e,t,r=e.opts.strictSchema){if(r){if(t=`strict mode: ${t}`,r===!0)throw new Error(t);e.self.logger.warn(t)}}o(em,"checkStrictMode");G.checkStrictMode=em});var $t=T(qc=>{"use strict";Object.defineProperty(qc,"__esModule",{value:!0});var Ue=L(),FR={data:new Ue.Name("data"),valCxt:new Ue.Name("valCxt"),instancePath:new Ue.Name("instancePath"),parentData:new Ue.Name("parentData"),parentDataProperty:new Ue.Name("parentDataProperty"),rootData:new Ue.Name("rootData"),dynamicAnchors:new Ue.Name("dynamicAnchors"),vErrors:new Ue.Name("vErrors"),errors:new Ue.Name("errors"),this:new Ue.Name("this"),self:new Ue.Name("self"),scope:new Ue.Name("scope"),json:new Ue.Name("json"),jsonPos:new Ue.Name("jsonPos"),jsonLen:new Ue.Name("jsonLen"),jsonPart:new Ue.Name("jsonPart")};qc.default=FR});var po=T(ze=>{"use strict";Object.defineProperty(ze,"__esModule",{value:!0});ze.extendErrors=ze.resetErrorsCount=ze.reportExtraError=ze.reportError=ze.keyword$DataError=ze.keywordError=void 0;var Z=L(),La=J(),qe=$t();ze.keywordError={message:o(({keyword:e})=>(0,Z.str)`must pass "${e}" keyword validation`,"message")};ze.keyword$DataError={message:o(({keyword:e,schemaType:t})=>t?(0,Z.str)`"${e}" keyword must be ${t} ($data)`:(0,Z.str)`"${e}" keyword is invalid ($data)`,"message")};function ZR(e,t=ze.keywordError,r,n){let{it:a}=e,{gen:i,compositeRule:s,allErrors:u}=a,d=nm(e,t,r);n??(s||u)?tm(i,d):rm(a,(0,Z._)`[${d}]`)}o(ZR,"reportError");ze.reportError=ZR;function KR(e,t=ze.keywordError,r){let{it:n}=e,{gen:a,compositeRule:i,allErrors:s}=n,u=nm(e,t,r);tm(a,u),i||s||rm(n,qe.default.vErrors)}o(KR,"reportExtraError");ze.reportExtraError=KR;function WR(e,t){e.assign(qe.default.errors,t),e.if((0,Z._)`${qe.default.vErrors} !== null`,()=>e.if(t,()=>e.assign((0,Z._)`${qe.default.vErrors}.length`,t),()=>e.assign(qe.default.vErrors,null)))}o(WR,"resetErrorsCount");ze.resetErrorsCount=WR;function JR({gen:e,keyword:t,schemaValue:r,data:n,errsCount:a,it:i}){if(a===void 0)throw new Error("ajv implementation error");let s=e.name("err");e.forRange("i",a,qe.default.errors,u=>{e.const(s,(0,Z._)`${qe.default.vErrors}[${u}]`),e.if((0,Z._)`${s}.instancePath === undefined`,()=>e.assign((0,Z._)`${s}.instancePath`,(0,Z.strConcat)(qe.default.instancePath,i.errorPath))),e.assign((0,Z._)`${s}.schemaPath`,(0,Z.str)`${i.errSchemaPath}/${t}`),i.opts.verbose&&(e.assign((0,Z._)`${s}.schema`,r),e.assign((0,Z._)`${s}.data`,n))})}o(JR,"extendErrors");ze.extendErrors=JR;function tm(e,t){let r=e.const("err",t);e.if((0,Z._)`${qe.default.vErrors} === null`,()=>e.assign(qe.default.vErrors,(0,Z._)`[${r}]`),(0,Z._)`${qe.default.vErrors}.push(${r})`),e.code((0,Z._)`${qe.default.errors}++`)}o(tm,"addError");function rm(e,t){let{gen:r,validateName:n,schemaEnv:a}=e;a.$async?r.throw((0,Z._)`new ${e.ValidationError}(${t})`):(r.assign((0,Z._)`${n}.errors`,t),r.return(!1))}o(rm,"returnErrors");var Tr={keyword:new Z.Name("keyword"),schemaPath:new Z.Name("schemaPath"),params:new Z.Name("params"),propertyName:new Z.Name("propertyName"),message:new Z.Name("message"),schema:new Z.Name("schema"),parentSchema:new Z.Name("parentSchema")};function nm(e,t,r){let{createErrors:n}=e.it;return n===!1?(0,Z._)`{}`:YR(e,t,r)}o(nm,"errorObjectCode");function YR(e,t,r={}){let{gen:n,it:a}=e,i=[XR(a,r),QR(e,r)];return eb(e,t,i),n.object(...i)}o(YR,"errorObject");function XR({errorPath:e},{instancePath:t}){let r=t?(0,Z.str)`${e}${(0,La.getErrorPath)(t,La.Type.Str)}`:e;return[qe.default.instancePath,(0,Z.strConcat)(qe.default.instancePath,r)]}o(XR,"errorInstancePath");function QR({keyword:e,it:{errSchemaPath:t}},{schemaPath:r,parentSchema:n}){let a=n?t:(0,Z.str)`${t}/${e}`;return r&&(a=(0,Z.str)`${a}${(0,La.getErrorPath)(r,La.Type.Str)}`),[Tr.schemaPath,a]}o(QR,"errorSchemaPath");function eb(e,{params:t,message:r},n){let{keyword:a,data:i,schemaValue:s,it:u}=e,{opts:d,propertyName:l,topSchemaRef:p,schemaPath:m}=u;n.push([Tr.keyword,a],[Tr.params,typeof t=="function"?t(e):t||(0,Z._)`{}`]),d.messages&&n.push([Tr.message,typeof r=="function"?r(e):r]),d.verbose&&n.push([Tr.schema,s],[Tr.parentSchema,(0,Z._)`${p}${m}`],[qe.default.data,i]),l&&n.push([Tr.propertyName,l])}o(eb,"extraErrorProps")});var am=T(on=>{"use strict";Object.defineProperty(on,"__esModule",{value:!0});on.boolOrEmptySchema=on.topBoolOrEmptySchema=void 0;var tb=po(),rb=L(),nb=$t(),ob={message:"boolean schema is false"};function ab(e){let{gen:t,schema:r,validateName:n}=e;r===!1?om(e,!1):typeof r=="object"&&r.$async===!0?t.return(nb.default.data):(t.assign((0,rb._)`${n}.errors`,null),t.return(!0))}o(ab,"topBoolOrEmptySchema");on.topBoolOrEmptySchema=ab;function ib(e,t){let{gen:r,schema:n}=e;n===!1?(r.var(t,!1),om(e)):r.var(t,!0)}o(ib,"boolOrEmptySchema");on.boolOrEmptySchema=ib;function om(e,t){let{gen:r,data:n}=e,a={gen:r,keyword:"false schema",data:n,schema:!1,schemaCode:!1,schemaValue:!1,params:{},it:e};(0,tb.reportError)(a,ob,void 0,t)}o(om,"falseSchemaError")});var $c=T(an=>{"use strict";Object.defineProperty(an,"__esModule",{value:!0});an.getRules=an.isJSONType=void 0;var sb=["string","number","integer","boolean","null","object","array"],cb=new Set(sb);function ub(e){return typeof e=="string"&&cb.has(e)}o(ub,"isJSONType");an.isJSONType=ub;function db(){let e={number:{type:"number",rules:[]},string:{type:"string",rules:[]},array:{type:"array",rules:[]},object:{type:"object",rules:[]}};return{types:{...e,integer:!0,boolean:!0,null:!0},rules:[{rules:[]},e.number,e.string,e.array,e.object],post:{rules:[]},all:{},keywords:{}}}o(db,"getRules");an.getRules=db});var Lc=T(ar=>{"use strict";Object.defineProperty(ar,"__esModule",{value:!0});ar.shouldUseRule=ar.shouldUseGroup=ar.schemaHasRulesForType=void 0;function lb({schema:e,self:t},r){let n=t.RULES.types[r];return n&&n!==!0&&im(e,n)}o(lb,"schemaHasRulesForType");ar.schemaHasRulesForType=lb;function im(e,t){return t.rules.some(r=>sm(e,r))}o(im,"shouldUseGroup");ar.shouldUseGroup=im;function sm(e,t){var r;return e[t.keyword]!==void 0||((r=t.definition.implements)===null||r===void 0?void 0:r.some(n=>e[n]!==void 0))}o(sm,"shouldUseRule");ar.shouldUseRule=sm});var mo=T(Ne=>{"use strict";Object.defineProperty(Ne,"__esModule",{value:!0});Ne.reportTypeError=Ne.checkDataTypes=Ne.checkDataType=Ne.coerceAndCheckDataType=Ne.getJSONTypes=Ne.getSchemaTypes=Ne.DataType=void 0;var pb=$c(),mb=Lc(),hb=po(),$=L(),cm=J(),sn;(function(e){e[e.Correct=0]="Correct",e[e.Wrong=1]="Wrong"})(sn||(Ne.DataType=sn={}));function fb(e){let t=um(e.type);if(t.includes("null")){if(e.nullable===!1)throw new Error("type: null contradicts nullable: false")}else{if(!t.length&&e.nullable!==void 0)throw new Error('"nullable" cannot be used without "type"');e.nullable===!0&&t.push("null")}return t}o(fb,"getSchemaTypes");Ne.getSchemaTypes=fb;function um(e){let t=Array.isArray(e)?e:e?[e]:[];if(t.every(pb.isJSONType))return t;throw new Error("type must be JSONType or JSONType[]: "+t.join(","))}o(um,"getJSONTypes");Ne.getJSONTypes=um;function gb(e,t){let{gen:r,data:n,opts:a}=e,i=_b(t,a.coerceTypes),s=t.length>0&&!(i.length===0&&t.length===1&&(0,mb.schemaHasRulesForType)(e,t[0]));if(s){let u=Hc(t,n,a.strictNumbers,sn.Wrong);r.if(u,()=>{i.length?yb(e,t,i):Gc(e)})}return s}o(gb,"coerceAndCheckDataType");Ne.coerceAndCheckDataType=gb;var dm=new Set(["string","number","integer","boolean","null"]);function _b(e,t){return t?e.filter(r=>dm.has(r)||t==="array"&&r==="array"):[]}o(_b,"coerceToTypes");function yb(e,t,r){let{gen:n,data:a,opts:i}=e,s=n.let("dataType",(0,$._)`typeof ${a}`),u=n.let("coerced",(0,$._)`undefined`);i.coerceTypes==="array"&&n.if((0,$._)`${s} == 'object' && Array.isArray(${a}) && ${a}.length == 1`,()=>n.assign(a,(0,$._)`${a}[0]`).assign(s,(0,$._)`typeof ${a}`).if(Hc(t,a,i.strictNumbers),()=>n.assign(u,a))),n.if((0,$._)`${u} !== undefined`);for(let l of r)(dm.has(l)||l==="array"&&i.coerceTypes==="array")&&d(l);n.else(),Gc(e),n.endIf(),n.if((0,$._)`${u} !== undefined`,()=>{n.assign(a,u),Sb(e,u)});function d(l){switch(l){case"string":n.elseIf((0,$._)`${s} == "number" || ${s} == "boolean"`).assign(u,(0,$._)`"" + ${a}`).elseIf((0,$._)`${a} === null`).assign(u,(0,$._)`""`);return;case"number":n.elseIf((0,$._)`${s} == "boolean" || ${a} === null
27
+ || (${s} == "string" && ${a} && ${a} == +${a})`).assign(u,(0,$._)`+${a}`);return;case"integer":n.elseIf((0,$._)`${s} === "boolean" || ${a} === null
28
+ || (${s} === "string" && ${a} && ${a} == +${a} && !(${a} % 1))`).assign(u,(0,$._)`+${a}`);return;case"boolean":n.elseIf((0,$._)`${a} === "false" || ${a} === 0 || ${a} === null`).assign(u,!1).elseIf((0,$._)`${a} === "true" || ${a} === 1`).assign(u,!0);return;case"null":n.elseIf((0,$._)`${a} === "" || ${a} === 0 || ${a} === false`),n.assign(u,null);return;case"array":n.elseIf((0,$._)`${s} === "string" || ${s} === "number"
29
+ || ${s} === "boolean" || ${a} === null`).assign(u,(0,$._)`[${a}]`)}}o(d,"coerceSpecificType")}o(yb,"coerceData");function Sb({gen:e,parentData:t,parentDataProperty:r},n){e.if((0,$._)`${t} !== undefined`,()=>e.assign((0,$._)`${t}[${r}]`,n))}o(Sb,"assignParentData");function jc(e,t,r,n=sn.Correct){let a=n===sn.Correct?$.operators.EQ:$.operators.NEQ,i;switch(e){case"null":return(0,$._)`${t} ${a} null`;case"array":i=(0,$._)`Array.isArray(${t})`;break;case"object":i=(0,$._)`${t} && typeof ${t} == "object" && !Array.isArray(${t})`;break;case"integer":i=s((0,$._)`!(${t} % 1) && !isNaN(${t})`);break;case"number":i=s();break;default:return(0,$._)`typeof ${t} ${a} ${e}`}return n===sn.Correct?i:(0,$.not)(i);function s(u=$.nil){return(0,$.and)((0,$._)`typeof ${t} == "number"`,u,r?(0,$._)`isFinite(${t})`:$.nil)}}o(jc,"checkDataType");Ne.checkDataType=jc;function Hc(e,t,r,n){if(e.length===1)return jc(e[0],t,r,n);let a,i=(0,cm.toHash)(e);if(i.array&&i.object){let s=(0,$._)`typeof ${t} != "object"`;a=i.null?s:(0,$._)`!${t} || ${s}`,delete i.null,delete i.array,delete i.object}else a=$.nil;i.number&&delete i.integer;for(let s in i)a=(0,$.and)(a,jc(s,t,r,n));return a}o(Hc,"checkDataTypes");Ne.checkDataTypes=Hc;var wb={message:o(({schema:e})=>`must be ${e}`,"message"),params:o(({schema:e,schemaValue:t})=>typeof e=="string"?(0,$._)`{type: ${e}}`:(0,$._)`{type: ${t}}`,"params")};function Gc(e){let t=vb(e);(0,hb.reportError)(t,wb)}o(Gc,"reportTypeError");Ne.reportTypeError=Gc;function vb(e){let{gen:t,data:r,schema:n}=e,a=(0,cm.schemaRefOrVal)(e,n,"type");return{gen:t,keyword:"type",data:r,schema:n.type,schemaCode:a,schemaValue:a,parentSchema:n,params:{},it:e}}o(vb,"getTypeErrorContext")});var pm=T(ja=>{"use strict";Object.defineProperty(ja,"__esModule",{value:!0});ja.assignDefaults=void 0;var cn=L(),Rb=J();function bb(e,t){let{properties:r,items:n}=e.schema;if(t==="object"&&r)for(let a in r)lm(e,a,r[a].default);else t==="array"&&Array.isArray(n)&&n.forEach((a,i)=>lm(e,i,a.default))}o(bb,"assignDefaults");ja.assignDefaults=bb;function lm(e,t,r){let{gen:n,compositeRule:a,data:i,opts:s}=e;if(r===void 0)return;let u=(0,cn._)`${i}${(0,cn.getProperty)(t)}`;if(a){(0,Rb.checkStrictMode)(e,`default is ignored for: ${u}`);return}let d=(0,cn._)`${u} === undefined`;s.useDefaults==="empty"&&(d=(0,cn._)`${d} || ${u} === null || ${u} === ""`),n.if(d,(0,cn._)`${u} = ${(0,cn.stringify)(r)}`)}o(lm,"assignDefault")});var nt=T(Q=>{"use strict";Object.defineProperty(Q,"__esModule",{value:!0});Q.validateUnion=Q.validateArray=Q.usePattern=Q.callValidateCode=Q.schemaProperties=Q.allSchemaProperties=Q.noPropertyInData=Q.propertyInData=Q.isOwnProperty=Q.hasPropFunc=Q.reportMissingProp=Q.checkMissingProp=Q.checkReportMissingProp=void 0;var oe=L(),Bc=J(),ir=$t(),Cb=J();function Ib(e,t){let{gen:r,data:n,it:a}=e;r.if(Fc(r,n,t,a.opts.ownProperties),()=>{e.setParams({missingProperty:(0,oe._)`${t}`},!0),e.error()})}o(Ib,"checkReportMissingProp");Q.checkReportMissingProp=Ib;function Tb({gen:e,data:t,it:{opts:r}},n,a){return(0,oe.or)(...n.map(i=>(0,oe.and)(Fc(e,t,i,r.ownProperties),(0,oe._)`${a} = ${i}`)))}o(Tb,"checkMissingProp");Q.checkMissingProp=Tb;function Ab(e,t){e.setParams({missingProperty:t},!0),e.error()}o(Ab,"reportMissingProp");Q.reportMissingProp=Ab;function mm(e){return e.scopeValue("func",{ref:Object.prototype.hasOwnProperty,code:(0,oe._)`Object.prototype.hasOwnProperty`})}o(mm,"hasPropFunc");Q.hasPropFunc=mm;function Vc(e,t,r){return(0,oe._)`${mm(e)}.call(${t}, ${r})`}o(Vc,"isOwnProperty");Q.isOwnProperty=Vc;function kb(e,t,r,n){let a=(0,oe._)`${t}${(0,oe.getProperty)(r)} !== undefined`;return n?(0,oe._)`${a} && ${Vc(e,t,r)}`:a}o(kb,"propertyInData");Q.propertyInData=kb;function Fc(e,t,r,n){let a=(0,oe._)`${t}${(0,oe.getProperty)(r)} === undefined`;return n?(0,oe.or)(a,(0,oe.not)(Vc(e,t,r))):a}o(Fc,"noPropertyInData");Q.noPropertyInData=Fc;function hm(e){return e?Object.keys(e).filter(t=>t!=="__proto__"):[]}o(hm,"allSchemaProperties");Q.allSchemaProperties=hm;function Pb(e,t){return hm(t).filter(r=>!(0,Bc.alwaysValidSchema)(e,t[r]))}o(Pb,"schemaProperties");Q.schemaProperties=Pb;function Eb({schemaCode:e,data:t,it:{gen:r,topSchemaRef:n,schemaPath:a,errorPath:i},it:s},u,d,l){let p=l?(0,oe._)`${e}, ${t}, ${n}${a}`:t,m=[[ir.default.instancePath,(0,oe.strConcat)(ir.default.instancePath,i)],[ir.default.parentData,s.parentData],[ir.default.parentDataProperty,s.parentDataProperty],[ir.default.rootData,ir.default.rootData]];s.opts.dynamicRef&&m.push([ir.default.dynamicAnchors,ir.default.dynamicAnchors]);let f=(0,oe._)`${p}, ${r.object(...m)}`;return d!==oe.nil?(0,oe._)`${u}.call(${d}, ${f})`:(0,oe._)`${u}(${f})`}o(Eb,"callValidateCode");Q.callValidateCode=Eb;var xb=(0,oe._)`new RegExp`;function Ob({gen:e,it:{opts:t}},r){let n=t.unicodeRegExp?"u":"",{regExp:a}=t.code,i=a(r,n);return e.scopeValue("pattern",{key:i.toString(),ref:i,code:(0,oe._)`${a.code==="new RegExp"?xb:(0,Cb.useFunc)(e,a)}(${r}, ${n})`})}o(Ob,"usePattern");Q.usePattern=Ob;function Ub(e){let{gen:t,data:r,keyword:n,it:a}=e,i=t.name("valid");if(a.allErrors){let u=t.let("valid",!0);return s(()=>t.assign(u,!1)),u}return t.var(i,!0),s(()=>t.break()),i;function s(u){let d=t.const("len",(0,oe._)`${r}.length`);t.forRange("i",0,d,l=>{e.subschema({keyword:n,dataProp:l,dataPropType:Bc.Type.Num},i),t.if((0,oe.not)(i),u)})}o(s,"validateItems")}o(Ub,"validateArray");Q.validateArray=Ub;function zb(e){let{gen:t,schema:r,keyword:n,it:a}=e;if(!Array.isArray(r))throw new Error("ajv implementation error");if(r.some(d=>(0,Bc.alwaysValidSchema)(a,d))&&!a.opts.unevaluated)return;let s=t.let("valid",!1),u=t.name("_valid");t.block(()=>r.forEach((d,l)=>{let p=e.subschema({keyword:n,schemaProp:l,compositeRule:!0},u);t.assign(s,(0,oe._)`${s} || ${u}`),e.mergeValidEvaluated(p,u)||t.if((0,oe.not)(s))})),e.result(s,()=>e.reset(),()=>e.error(!0))}o(zb,"validateUnion");Q.validateUnion=zb});var _m=T(wt=>{"use strict";Object.defineProperty(wt,"__esModule",{value:!0});wt.validateKeywordUsage=wt.validSchemaType=wt.funcKeywordCode=wt.macroKeywordCode=void 0;var $e=L(),Ar=$t(),Nb=nt(),Db=po();function Mb(e,t){let{gen:r,keyword:n,schema:a,parentSchema:i,it:s}=e,u=t.macro.call(s.self,a,i,s),d=gm(r,n,u);s.opts.validateSchema!==!1&&s.self.validateSchema(u,!0);let l=r.name("valid");e.subschema({schema:u,schemaPath:$e.nil,errSchemaPath:`${s.errSchemaPath}/${n}`,topSchemaRef:d,compositeRule:!0},l),e.pass(l,()=>e.error(!0))}o(Mb,"macroKeywordCode");wt.macroKeywordCode=Mb;function qb(e,t){var r;let{gen:n,keyword:a,schema:i,parentSchema:s,$data:u,it:d}=e;Lb(d,t);let l=!u&&t.compile?t.compile.call(d.self,i,s,d):t.validate,p=gm(n,a,l),m=n.let("valid");e.block$data(m,f),e.ok((r=t.valid)!==null&&r!==void 0?r:m);function f(){if(t.errors===!1)y(),t.modifying&&fm(e),w(()=>e.error());else{let v=t.async?_():S();t.modifying&&fm(e),w(()=>$b(e,v))}}o(f,"validateKeyword");function _(){let v=n.let("ruleErrs",null);return n.try(()=>y((0,$e._)`await `),R=>n.assign(m,!1).if((0,$e._)`${R} instanceof ${d.ValidationError}`,()=>n.assign(v,(0,$e._)`${R}.errors`),()=>n.throw(R))),v}o(_,"validateAsync");function S(){let v=(0,$e._)`${p}.errors`;return n.assign(v,null),y($e.nil),v}o(S,"validateSync");function y(v=t.async?(0,$e._)`await `:$e.nil){let R=d.opts.passContext?Ar.default.this:Ar.default.self,I=!("compile"in t&&!u||t.schema===!1);n.assign(m,(0,$e._)`${v}${(0,Nb.callValidateCode)(e,p,R,I)}`,t.modifying)}o(y,"assignValid");function w(v){var R;n.if((0,$e.not)((R=t.valid)!==null&&R!==void 0?R:m),v)}o(w,"reportErrs")}o(qb,"funcKeywordCode");wt.funcKeywordCode=qb;function fm(e){let{gen:t,data:r,it:n}=e;t.if(n.parentData,()=>t.assign(r,(0,$e._)`${n.parentData}[${n.parentDataProperty}]`))}o(fm,"modifyData");function $b(e,t){let{gen:r}=e;r.if((0,$e._)`Array.isArray(${t})`,()=>{r.assign(Ar.default.vErrors,(0,$e._)`${Ar.default.vErrors} === null ? ${t} : ${Ar.default.vErrors}.concat(${t})`).assign(Ar.default.errors,(0,$e._)`${Ar.default.vErrors}.length`),(0,Db.extendErrors)(e)},()=>e.error())}o($b,"addErrs");function Lb({schemaEnv:e},t){if(t.async&&!e.$async)throw new Error("async keyword in sync schema")}o(Lb,"checkAsyncKeyword");function gm(e,t,r){if(r===void 0)throw new Error(`keyword "${t}" failed to compile`);return e.scopeValue("keyword",typeof r=="function"?{ref:r}:{ref:r,code:(0,$e.stringify)(r)})}o(gm,"useKeyword");function jb(e,t,r=!1){return!t.length||t.some(n=>n==="array"?Array.isArray(e):n==="object"?e&&typeof e=="object"&&!Array.isArray(e):typeof e==n||r&&typeof e>"u")}o(jb,"validSchemaType");wt.validSchemaType=jb;function Hb({schema:e,opts:t,self:r,errSchemaPath:n},a,i){if(Array.isArray(a.keyword)?!a.keyword.includes(i):a.keyword!==i)throw new Error("ajv implementation error");let s=a.dependencies;if(s?.some(u=>!Object.prototype.hasOwnProperty.call(e,u)))throw new Error(`parent schema must have dependencies of ${i}: ${s.join(",")}`);if(a.validateSchema&&!a.validateSchema(e[i])){let d=`keyword "${i}" value is invalid at path "${n}": `+r.errorsText(a.validateSchema.errors);if(t.validateSchema==="log")r.logger.error(d);else throw new Error(d)}}o(Hb,"validateKeywordUsage");wt.validateKeywordUsage=Hb});var Sm=T(sr=>{"use strict";Object.defineProperty(sr,"__esModule",{value:!0});sr.extendSubschemaMode=sr.extendSubschemaData=sr.getSubschema=void 0;var vt=L(),ym=J();function Gb(e,{keyword:t,schemaProp:r,schema:n,schemaPath:a,errSchemaPath:i,topSchemaRef:s}){if(t!==void 0&&n!==void 0)throw new Error('both "keyword" and "schema" passed, only one allowed');if(t!==void 0){let u=e.schema[t];return r===void 0?{schema:u,schemaPath:(0,vt._)`${e.schemaPath}${(0,vt.getProperty)(t)}`,errSchemaPath:`${e.errSchemaPath}/${t}`}:{schema:u[r],schemaPath:(0,vt._)`${e.schemaPath}${(0,vt.getProperty)(t)}${(0,vt.getProperty)(r)}`,errSchemaPath:`${e.errSchemaPath}/${t}/${(0,ym.escapeFragment)(r)}`}}if(n!==void 0){if(a===void 0||i===void 0||s===void 0)throw new Error('"schemaPath", "errSchemaPath" and "topSchemaRef" are required with "schema"');return{schema:n,schemaPath:a,topSchemaRef:s,errSchemaPath:i}}throw new Error('either "keyword" or "schema" must be passed')}o(Gb,"getSubschema");sr.getSubschema=Gb;function Bb(e,t,{dataProp:r,dataPropType:n,data:a,dataTypes:i,propertyName:s}){if(a!==void 0&&r!==void 0)throw new Error('both "data" and "dataProp" passed, only one allowed');let{gen:u}=t;if(r!==void 0){let{errorPath:l,dataPathArr:p,opts:m}=t,f=u.let("data",(0,vt._)`${t.data}${(0,vt.getProperty)(r)}`,!0);d(f),e.errorPath=(0,vt.str)`${l}${(0,ym.getErrorPath)(r,n,m.jsPropertySyntax)}`,e.parentDataProperty=(0,vt._)`${r}`,e.dataPathArr=[...p,e.parentDataProperty]}if(a!==void 0){let l=a instanceof vt.Name?a:u.let("data",a,!0);d(l),s!==void 0&&(e.propertyName=s)}i&&(e.dataTypes=i);function d(l){e.data=l,e.dataLevel=t.dataLevel+1,e.dataTypes=[],t.definedProperties=new Set,e.parentData=t.data,e.dataNames=[...t.dataNames,l]}o(d,"dataContextProps")}o(Bb,"extendSubschemaData");sr.extendSubschemaData=Bb;function Vb(e,{jtdDiscriminator:t,jtdMetadata:r,compositeRule:n,createErrors:a,allErrors:i}){n!==void 0&&(e.compositeRule=n),a!==void 0&&(e.createErrors=a),i!==void 0&&(e.allErrors=i),e.jtdDiscriminator=t,e.jtdMetadata=r}o(Vb,"extendSubschemaMode");sr.extendSubschemaMode=Vb});var Zc=T((w1,wm)=>{"use strict";wm.exports=o(function e(t,r){if(t===r)return!0;if(t&&r&&typeof t=="object"&&typeof r=="object"){if(t.constructor!==r.constructor)return!1;var n,a,i;if(Array.isArray(t)){if(n=t.length,n!=r.length)return!1;for(a=n;a--!==0;)if(!e(t[a],r[a]))return!1;return!0}if(t.constructor===RegExp)return t.source===r.source&&t.flags===r.flags;if(t.valueOf!==Object.prototype.valueOf)return t.valueOf()===r.valueOf();if(t.toString!==Object.prototype.toString)return t.toString()===r.toString();if(i=Object.keys(t),n=i.length,n!==Object.keys(r).length)return!1;for(a=n;a--!==0;)if(!Object.prototype.hasOwnProperty.call(r,i[a]))return!1;for(a=n;a--!==0;){var s=i[a];if(!e(t[s],r[s]))return!1}return!0}return t!==t&&r!==r},"equal")});var Rm=T((R1,vm)=>{"use strict";var cr=vm.exports=function(e,t,r){typeof t=="function"&&(r=t,t={}),r=t.cb||r;var n=typeof r=="function"?r:r.pre||function(){},a=r.post||function(){};Ha(t,n,a,e,"",e)};cr.keywords={additionalItems:!0,items:!0,contains:!0,additionalProperties:!0,propertyNames:!0,not:!0,if:!0,then:!0,else:!0};cr.arrayKeywords={items:!0,allOf:!0,anyOf:!0,oneOf:!0};cr.propsKeywords={$defs:!0,definitions:!0,properties:!0,patternProperties:!0,dependencies:!0};cr.skipKeywords={default:!0,enum:!0,const:!0,required:!0,maximum:!0,minimum:!0,exclusiveMaximum:!0,exclusiveMinimum:!0,multipleOf:!0,maxLength:!0,minLength:!0,pattern:!0,format:!0,maxItems:!0,minItems:!0,uniqueItems:!0,maxProperties:!0,minProperties:!0};function Ha(e,t,r,n,a,i,s,u,d,l){if(n&&typeof n=="object"&&!Array.isArray(n)){t(n,a,i,s,u,d,l);for(var p in n){var m=n[p];if(Array.isArray(m)){if(p in cr.arrayKeywords)for(var f=0;f<m.length;f++)Ha(e,t,r,m[f],a+"/"+p+"/"+f,i,a,p,n,f)}else if(p in cr.propsKeywords){if(m&&typeof m=="object")for(var _ in m)Ha(e,t,r,m[_],a+"/"+p+"/"+Fb(_),i,a,p,n,_)}else(p in cr.keywords||e.allKeys&&!(p in cr.skipKeywords))&&Ha(e,t,r,m,a+"/"+p,i,a,p,n)}r(n,a,i,s,u,d,l)}}o(Ha,"_traverse");function Fb(e){return e.replace(/~/g,"~0").replace(/\//g,"~1")}o(Fb,"escapeJsonPtr")});var ho=T(Be=>{"use strict";Object.defineProperty(Be,"__esModule",{value:!0});Be.getSchemaRefs=Be.resolveUrl=Be.normalizeId=Be._getFullPath=Be.getFullPath=Be.inlineRef=void 0;var Zb=J(),Kb=Zc(),Wb=Rm(),Jb=new Set(["type","format","pattern","maxLength","minLength","maxProperties","minProperties","maxItems","minItems","maximum","minimum","uniqueItems","multipleOf","required","enum","const"]);function Yb(e,t=!0){return typeof e=="boolean"?!0:t===!0?!Kc(e):t?bm(e)<=t:!1}o(Yb,"inlineRef");Be.inlineRef=Yb;var Xb=new Set(["$ref","$recursiveRef","$recursiveAnchor","$dynamicRef","$dynamicAnchor"]);function Kc(e){for(let t in e){if(Xb.has(t))return!0;let r=e[t];if(Array.isArray(r)&&r.some(Kc)||typeof r=="object"&&Kc(r))return!0}return!1}o(Kc,"hasRef");function bm(e){let t=0;for(let r in e){if(r==="$ref")return 1/0;if(t++,!Jb.has(r)&&(typeof e[r]=="object"&&(0,Zb.eachItem)(e[r],n=>t+=bm(n)),t===1/0))return 1/0}return t}o(bm,"countKeys");function Cm(e,t="",r){r!==!1&&(t=un(t));let n=e.parse(t);return Im(e,n)}o(Cm,"getFullPath");Be.getFullPath=Cm;function Im(e,t){return e.serialize(t).split("#")[0]+"#"}o(Im,"_getFullPath");Be._getFullPath=Im;var Qb=/#\/?$/;function un(e){return e?e.replace(Qb,""):""}o(un,"normalizeId");Be.normalizeId=un;function eC(e,t,r){return r=un(r),e.resolve(t,r)}o(eC,"resolveUrl");Be.resolveUrl=eC;var tC=/^[a-z_][-a-z0-9._]*$/i;function rC(e,t){if(typeof e=="boolean")return{};let{schemaId:r,uriResolver:n}=this.opts,a=un(e[r]||t),i={"":a},s=Cm(n,a,!1),u={},d=new Set;return Wb(e,{allKeys:!0},(m,f,_,S)=>{if(S===void 0)return;let y=s+f,w=i[S];typeof m[r]=="string"&&(w=v.call(this,m[r])),R.call(this,m.$anchor),R.call(this,m.$dynamicAnchor),i[f]=w;function v(I){let N=this.opts.uriResolver.resolve;if(I=un(w?N(w,I):I),d.has(I))throw p(I);d.add(I);let M=this.refs[I];return typeof M=="string"&&(M=this.refs[M]),typeof M=="object"?l(m,M.schema,I):I!==un(y)&&(I[0]==="#"?(l(m,u[I],I),u[I]=m):this.refs[I]=y),I}o(v,"addRef");function R(I){if(typeof I=="string"){if(!tC.test(I))throw new Error(`invalid anchor "${I}"`);v.call(this,`#${I}`)}}o(R,"addAnchor")}),u;function l(m,f,_){if(f!==void 0&&!Kb(m,f))throw p(_)}o(l,"checkAmbiguosRef");function p(m){return new Error(`reference "${m}" resolves to more than one schema`)}o(p,"ambiguos")}o(rC,"getSchemaRefs");Be.getSchemaRefs=rC});var _o=T(ur=>{"use strict";Object.defineProperty(ur,"__esModule",{value:!0});ur.getData=ur.KeywordCxt=ur.validateFunctionCode=void 0;var Em=am(),Tm=mo(),Jc=Lc(),Ga=mo(),nC=pm(),go=_m(),Wc=Sm(),E=L(),D=$t(),oC=ho(),Lt=J(),fo=po();function aC(e){if(Um(e)&&(zm(e),Om(e))){cC(e);return}xm(e,()=>(0,Em.topBoolOrEmptySchema)(e))}o(aC,"validateFunctionCode");ur.validateFunctionCode=aC;function xm({gen:e,validateName:t,schema:r,schemaEnv:n,opts:a},i){a.code.es5?e.func(t,(0,E._)`${D.default.data}, ${D.default.valCxt}`,n.$async,()=>{e.code((0,E._)`"use strict"; ${Am(r,a)}`),sC(e,a),e.code(i)}):e.func(t,(0,E._)`${D.default.data}, ${iC(a)}`,n.$async,()=>e.code(Am(r,a)).code(i))}o(xm,"validateFunction");function iC(e){return(0,E._)`{${D.default.instancePath}="", ${D.default.parentData}, ${D.default.parentDataProperty}, ${D.default.rootData}=${D.default.data}${e.dynamicRef?(0,E._)`, ${D.default.dynamicAnchors}={}`:E.nil}}={}`}o(iC,"destructureValCxt");function sC(e,t){e.if(D.default.valCxt,()=>{e.var(D.default.instancePath,(0,E._)`${D.default.valCxt}.${D.default.instancePath}`),e.var(D.default.parentData,(0,E._)`${D.default.valCxt}.${D.default.parentData}`),e.var(D.default.parentDataProperty,(0,E._)`${D.default.valCxt}.${D.default.parentDataProperty}`),e.var(D.default.rootData,(0,E._)`${D.default.valCxt}.${D.default.rootData}`),t.dynamicRef&&e.var(D.default.dynamicAnchors,(0,E._)`${D.default.valCxt}.${D.default.dynamicAnchors}`)},()=>{e.var(D.default.instancePath,(0,E._)`""`),e.var(D.default.parentData,(0,E._)`undefined`),e.var(D.default.parentDataProperty,(0,E._)`undefined`),e.var(D.default.rootData,D.default.data),t.dynamicRef&&e.var(D.default.dynamicAnchors,(0,E._)`{}`)})}o(sC,"destructureValCxtES5");function cC(e){let{schema:t,opts:r,gen:n}=e;xm(e,()=>{r.$comment&&t.$comment&&Dm(e),mC(e),n.let(D.default.vErrors,null),n.let(D.default.errors,0),r.unevaluated&&uC(e),Nm(e),gC(e)})}o(cC,"topSchemaObjCode");function uC(e){let{gen:t,validateName:r}=e;e.evaluated=t.const("evaluated",(0,E._)`${r}.evaluated`),t.if((0,E._)`${e.evaluated}.dynamicProps`,()=>t.assign((0,E._)`${e.evaluated}.props`,(0,E._)`undefined`)),t.if((0,E._)`${e.evaluated}.dynamicItems`,()=>t.assign((0,E._)`${e.evaluated}.items`,(0,E._)`undefined`))}o(uC,"resetEvaluated");function Am(e,t){let r=typeof e=="object"&&e[t.schemaId];return r&&(t.code.source||t.code.process)?(0,E._)`/*# sourceURL=${r} */`:E.nil}o(Am,"funcSourceUrl");function dC(e,t){if(Um(e)&&(zm(e),Om(e))){lC(e,t);return}(0,Em.boolOrEmptySchema)(e,t)}o(dC,"subschemaCode");function Om({schema:e,self:t}){if(typeof e=="boolean")return!e;for(let r in e)if(t.RULES.all[r])return!0;return!1}o(Om,"schemaCxtHasRules");function Um(e){return typeof e.schema!="boolean"}o(Um,"isSchemaObj");function lC(e,t){let{schema:r,gen:n,opts:a}=e;a.$comment&&r.$comment&&Dm(e),hC(e),fC(e);let i=n.const("_errs",D.default.errors);Nm(e,i),n.var(t,(0,E._)`${i} === ${D.default.errors}`)}o(lC,"subSchemaObjCode");function zm(e){(0,Lt.checkUnknownRules)(e),pC(e)}o(zm,"checkKeywords");function Nm(e,t){if(e.opts.jtd)return km(e,[],!1,t);let r=(0,Tm.getSchemaTypes)(e.schema),n=(0,Tm.coerceAndCheckDataType)(e,r);km(e,r,!n,t)}o(Nm,"typeAndKeywords");function pC(e){let{schema:t,errSchemaPath:r,opts:n,self:a}=e;t.$ref&&n.ignoreKeywordsWithRef&&(0,Lt.schemaHasRulesButRef)(t,a.RULES)&&a.logger.warn(`$ref: keywords ignored in schema at path "${r}"`)}o(pC,"checkRefsAndKeywords");function mC(e){let{schema:t,opts:r}=e;t.default!==void 0&&r.useDefaults&&r.strictSchema&&(0,Lt.checkStrictMode)(e,"default is ignored in the schema root")}o(mC,"checkNoDefault");function hC(e){let t=e.schema[e.opts.schemaId];t&&(e.baseId=(0,oC.resolveUrl)(e.opts.uriResolver,e.baseId,t))}o(hC,"updateContext");function fC(e){if(e.schema.$async&&!e.schemaEnv.$async)throw new Error("async schema in sync schema")}o(fC,"checkAsyncSchema");function Dm({gen:e,schemaEnv:t,schema:r,errSchemaPath:n,opts:a}){let i=r.$comment;if(a.$comment===!0)e.code((0,E._)`${D.default.self}.logger.log(${i})`);else if(typeof a.$comment=="function"){let s=(0,E.str)`${n}/$comment`,u=e.scopeValue("root",{ref:t.root});e.code((0,E._)`${D.default.self}.opts.$comment(${i}, ${s}, ${u}.schema)`)}}o(Dm,"commentKeyword");function gC(e){let{gen:t,schemaEnv:r,validateName:n,ValidationError:a,opts:i}=e;r.$async?t.if((0,E._)`${D.default.errors} === 0`,()=>t.return(D.default.data),()=>t.throw((0,E._)`new ${a}(${D.default.vErrors})`)):(t.assign((0,E._)`${n}.errors`,D.default.vErrors),i.unevaluated&&_C(e),t.return((0,E._)`${D.default.errors} === 0`))}o(gC,"returnResults");function _C({gen:e,evaluated:t,props:r,items:n}){r instanceof E.Name&&e.assign((0,E._)`${t}.props`,r),n instanceof E.Name&&e.assign((0,E._)`${t}.items`,n)}o(_C,"assignEvaluated");function km(e,t,r,n){let{gen:a,schema:i,data:s,allErrors:u,opts:d,self:l}=e,{RULES:p}=l;if(i.$ref&&(d.ignoreKeywordsWithRef||!(0,Lt.schemaHasRulesButRef)(i,p))){a.block(()=>qm(e,"$ref",p.all.$ref.definition));return}d.jtd||yC(e,t),a.block(()=>{for(let f of p.rules)m(f);m(p.post)});function m(f){(0,Jc.shouldUseGroup)(i,f)&&(f.type?(a.if((0,Ga.checkDataType)(f.type,s,d.strictNumbers)),Pm(e,f),t.length===1&&t[0]===f.type&&r&&(a.else(),(0,Ga.reportTypeError)(e)),a.endIf()):Pm(e,f),u||a.if((0,E._)`${D.default.errors} === ${n||0}`))}o(m,"groupKeywords")}o(km,"schemaKeywords");function Pm(e,t){let{gen:r,schema:n,opts:{useDefaults:a}}=e;a&&(0,nC.assignDefaults)(e,t.type),r.block(()=>{for(let i of t.rules)(0,Jc.shouldUseRule)(n,i)&&qm(e,i.keyword,i.definition,t.type)})}o(Pm,"iterateKeywords");function yC(e,t){e.schemaEnv.meta||!e.opts.strictTypes||(SC(e,t),e.opts.allowUnionTypes||wC(e,t),vC(e,e.dataTypes))}o(yC,"checkStrictTypes");function SC(e,t){if(t.length){if(!e.dataTypes.length){e.dataTypes=t;return}t.forEach(r=>{Mm(e.dataTypes,r)||Yc(e,`type "${r}" not allowed by context "${e.dataTypes.join(",")}"`)}),bC(e,t)}}o(SC,"checkContextTypes");function wC(e,t){t.length>1&&!(t.length===2&&t.includes("null"))&&Yc(e,"use allowUnionTypes to allow union type keyword")}o(wC,"checkMultipleTypes");function vC(e,t){let r=e.self.RULES.all;for(let n in r){let a=r[n];if(typeof a=="object"&&(0,Jc.shouldUseRule)(e.schema,a)){let{type:i}=a.definition;i.length&&!i.some(s=>RC(t,s))&&Yc(e,`missing type "${i.join(",")}" for keyword "${n}"`)}}}o(vC,"checkKeywordTypes");function RC(e,t){return e.includes(t)||t==="number"&&e.includes("integer")}o(RC,"hasApplicableType");function Mm(e,t){return e.includes(t)||t==="integer"&&e.includes("number")}o(Mm,"includesType");function bC(e,t){let r=[];for(let n of e.dataTypes)Mm(t,n)?r.push(n):t.includes("integer")&&n==="number"&&r.push("integer");e.dataTypes=r}o(bC,"narrowSchemaTypes");function Yc(e,t){let r=e.schemaEnv.baseId+e.errSchemaPath;t+=` at "${r}" (strictTypes)`,(0,Lt.checkStrictMode)(e,t,e.opts.strictTypes)}o(Yc,"strictTypesError");var Ba=class{static{o(this,"KeywordCxt")}constructor(t,r,n){if((0,go.validateKeywordUsage)(t,r,n),this.gen=t.gen,this.allErrors=t.allErrors,this.keyword=n,this.data=t.data,this.schema=t.schema[n],this.$data=r.$data&&t.opts.$data&&this.schema&&this.schema.$data,this.schemaValue=(0,Lt.schemaRefOrVal)(t,this.schema,n,this.$data),this.schemaType=r.schemaType,this.parentSchema=t.schema,this.params={},this.it=t,this.def=r,this.$data)this.schemaCode=t.gen.const("vSchema",$m(this.$data,t));else if(this.schemaCode=this.schemaValue,!(0,go.validSchemaType)(this.schema,r.schemaType,r.allowUndefined))throw new Error(`${n} value must be ${JSON.stringify(r.schemaType)}`);("code"in r?r.trackErrors:r.errors!==!1)&&(this.errsCount=t.gen.const("_errs",D.default.errors))}result(t,r,n){this.failResult((0,E.not)(t),r,n)}failResult(t,r,n){this.gen.if(t),n?n():this.error(),r?(this.gen.else(),r(),this.allErrors&&this.gen.endIf()):this.allErrors?this.gen.endIf():this.gen.else()}pass(t,r){this.failResult((0,E.not)(t),void 0,r)}fail(t){if(t===void 0){this.error(),this.allErrors||this.gen.if(!1);return}this.gen.if(t),this.error(),this.allErrors?this.gen.endIf():this.gen.else()}fail$data(t){if(!this.$data)return this.fail(t);let{schemaCode:r}=this;this.fail((0,E._)`${r} !== undefined && (${(0,E.or)(this.invalid$data(),t)})`)}error(t,r,n){if(r){this.setParams(r),this._error(t,n),this.setParams({});return}this._error(t,n)}_error(t,r){(t?fo.reportExtraError:fo.reportError)(this,this.def.error,r)}$dataError(){(0,fo.reportError)(this,this.def.$dataError||fo.keyword$DataError)}reset(){if(this.errsCount===void 0)throw new Error('add "trackErrors" to keyword definition');(0,fo.resetErrorsCount)(this.gen,this.errsCount)}ok(t){this.allErrors||this.gen.if(t)}setParams(t,r){r?Object.assign(this.params,t):this.params=t}block$data(t,r,n=E.nil){this.gen.block(()=>{this.check$data(t,n),r()})}check$data(t=E.nil,r=E.nil){if(!this.$data)return;let{gen:n,schemaCode:a,schemaType:i,def:s}=this;n.if((0,E.or)((0,E._)`${a} === undefined`,r)),t!==E.nil&&n.assign(t,!0),(i.length||s.validateSchema)&&(n.elseIf(this.invalid$data()),this.$dataError(),t!==E.nil&&n.assign(t,!1)),n.else()}invalid$data(){let{gen:t,schemaCode:r,schemaType:n,def:a,it:i}=this;return(0,E.or)(s(),u());function s(){if(n.length){if(!(r instanceof E.Name))throw new Error("ajv implementation error");let d=Array.isArray(n)?n:[n];return(0,E._)`${(0,Ga.checkDataTypes)(d,r,i.opts.strictNumbers,Ga.DataType.Wrong)}`}return E.nil}function u(){if(a.validateSchema){let d=t.scopeValue("validate$data",{ref:a.validateSchema});return(0,E._)`!${d}(${r})`}return E.nil}}subschema(t,r){let n=(0,Wc.getSubschema)(this.it,t);(0,Wc.extendSubschemaData)(n,this.it,t),(0,Wc.extendSubschemaMode)(n,t);let a={...this.it,...n,items:void 0,props:void 0};return dC(a,r),a}mergeEvaluated(t,r){let{it:n,gen:a}=this;n.opts.unevaluated&&(n.props!==!0&&t.props!==void 0&&(n.props=Lt.mergeEvaluated.props(a,t.props,n.props,r)),n.items!==!0&&t.items!==void 0&&(n.items=Lt.mergeEvaluated.items(a,t.items,n.items,r)))}mergeValidEvaluated(t,r){let{it:n,gen:a}=this;if(n.opts.unevaluated&&(n.props!==!0||n.items!==!0))return a.if(r,()=>this.mergeEvaluated(t,E.Name)),!0}};ur.KeywordCxt=Ba;function qm(e,t,r,n){let a=new Ba(e,r,t);"code"in r?r.code(a,n):a.$data&&r.validate?(0,go.funcKeywordCode)(a,r):"macro"in r?(0,go.macroKeywordCode)(a,r):(r.compile||r.validate)&&(0,go.funcKeywordCode)(a,r)}o(qm,"keywordCode");var CC=/^\/(?:[^~]|~0|~1)*$/,IC=/^([0-9]+)(#|\/(?:[^~]|~0|~1)*)?$/;function $m(e,{dataLevel:t,dataNames:r,dataPathArr:n}){let a,i;if(e==="")return D.default.rootData;if(e[0]==="/"){if(!CC.test(e))throw new Error(`Invalid JSON-pointer: ${e}`);a=e,i=D.default.rootData}else{let l=IC.exec(e);if(!l)throw new Error(`Invalid JSON-pointer: ${e}`);let p=+l[1];if(a=l[2],a==="#"){if(p>=t)throw new Error(d("property/index",p));return n[t-p]}if(p>t)throw new Error(d("data",p));if(i=r[t-p],!a)return i}let s=i,u=a.split("/");for(let l of u)l&&(i=(0,E._)`${i}${(0,E.getProperty)((0,Lt.unescapeJsonPointer)(l))}`,s=(0,E._)`${s} && ${i}`);return s;function d(l,p){return`Cannot access ${l} ${p} levels up, current level is ${t}`}}o($m,"getData");ur.getData=$m});var Va=T(Qc=>{"use strict";Object.defineProperty(Qc,"__esModule",{value:!0});var Xc=class extends Error{static{o(this,"ValidationError")}constructor(t){super("validation failed"),this.errors=t,this.ajv=this.validation=!0}};Qc.default=Xc});var yo=T(ru=>{"use strict";Object.defineProperty(ru,"__esModule",{value:!0});var eu=ho(),tu=class extends Error{static{o(this,"MissingRefError")}constructor(t,r,n,a){super(a||`can't resolve reference ${n} from id ${r}`),this.missingRef=(0,eu.resolveUrl)(t,r,n),this.missingSchema=(0,eu.normalizeId)((0,eu.getFullPath)(t,this.missingRef))}};ru.default=tu});var Za=T(ot=>{"use strict";Object.defineProperty(ot,"__esModule",{value:!0});ot.resolveSchema=ot.getCompilingSchema=ot.resolveRef=ot.compileSchema=ot.SchemaEnv=void 0;var lt=L(),TC=Va(),kr=$t(),pt=ho(),Lm=J(),AC=_o(),dn=class{static{o(this,"SchemaEnv")}constructor(t){var r;this.refs={},this.dynamicAnchors={};let n;typeof t.schema=="object"&&(n=t.schema),this.schema=t.schema,this.schemaId=t.schemaId,this.root=t.root||this,this.baseId=(r=t.baseId)!==null&&r!==void 0?r:(0,pt.normalizeId)(n?.[t.schemaId||"$id"]),this.schemaPath=t.schemaPath,this.localRefs=t.localRefs,this.meta=t.meta,this.$async=n?.$async,this.refs={}}};ot.SchemaEnv=dn;function ou(e){let t=jm.call(this,e);if(t)return t;let r=(0,pt.getFullPath)(this.opts.uriResolver,e.root.baseId),{es5:n,lines:a}=this.opts.code,{ownProperties:i}=this.opts,s=new lt.CodeGen(this.scope,{es5:n,lines:a,ownProperties:i}),u;e.$async&&(u=s.scopeValue("Error",{ref:TC.default,code:(0,lt._)`require("ajv/dist/runtime/validation_error").default`}));let d=s.scopeName("validate");e.validateName=d;let l={gen:s,allErrors:this.opts.allErrors,data:kr.default.data,parentData:kr.default.parentData,parentDataProperty:kr.default.parentDataProperty,dataNames:[kr.default.data],dataPathArr:[lt.nil],dataLevel:0,dataTypes:[],definedProperties:new Set,topSchemaRef:s.scopeValue("schema",this.opts.code.source===!0?{ref:e.schema,code:(0,lt.stringify)(e.schema)}:{ref:e.schema}),validateName:d,ValidationError:u,schema:e.schema,schemaEnv:e,rootId:r,baseId:e.baseId||r,schemaPath:lt.nil,errSchemaPath:e.schemaPath||(this.opts.jtd?"":"#"),errorPath:(0,lt._)`""`,opts:this.opts,self:this},p;try{this._compilations.add(e),(0,AC.validateFunctionCode)(l),s.optimize(this.opts.code.optimize);let m=s.toString();p=`${s.scopeRefs(kr.default.scope)}return ${m}`,this.opts.code.process&&(p=this.opts.code.process(p,e));let _=new Function(`${kr.default.self}`,`${kr.default.scope}`,p)(this,this.scope.get());if(this.scope.value(d,{ref:_}),_.errors=null,_.schema=e.schema,_.schemaEnv=e,e.$async&&(_.$async=!0),this.opts.code.source===!0&&(_.source={validateName:d,validateCode:m,scopeValues:s._values}),this.opts.unevaluated){let{props:S,items:y}=l;_.evaluated={props:S instanceof lt.Name?void 0:S,items:y instanceof lt.Name?void 0:y,dynamicProps:S instanceof lt.Name,dynamicItems:y instanceof lt.Name},_.source&&(_.source.evaluated=(0,lt.stringify)(_.evaluated))}return e.validate=_,e}catch(m){throw delete e.validate,delete e.validateName,p&&this.logger.error("Error compiling schema, function code:",p),m}finally{this._compilations.delete(e)}}o(ou,"compileSchema");ot.compileSchema=ou;function kC(e,t,r){var n;r=(0,pt.resolveUrl)(this.opts.uriResolver,t,r);let a=e.refs[r];if(a)return a;let i=xC.call(this,e,r);if(i===void 0){let s=(n=e.localRefs)===null||n===void 0?void 0:n[r],{schemaId:u}=this.opts;s&&(i=new dn({schema:s,schemaId:u,root:e,baseId:t}))}if(i!==void 0)return e.refs[r]=PC.call(this,i)}o(kC,"resolveRef");ot.resolveRef=kC;function PC(e){return(0,pt.inlineRef)(e.schema,this.opts.inlineRefs)?e.schema:e.validate?e:ou.call(this,e)}o(PC,"inlineOrCompile");function jm(e){for(let t of this._compilations)if(EC(t,e))return t}o(jm,"getCompilingSchema");ot.getCompilingSchema=jm;function EC(e,t){return e.schema===t.schema&&e.root===t.root&&e.baseId===t.baseId}o(EC,"sameSchemaEnv");function xC(e,t){let r;for(;typeof(r=this.refs[t])=="string";)t=r;return r||this.schemas[t]||Fa.call(this,e,t)}o(xC,"resolve");function Fa(e,t){let r=this.opts.uriResolver.parse(t),n=(0,pt._getFullPath)(this.opts.uriResolver,r),a=(0,pt.getFullPath)(this.opts.uriResolver,e.baseId,void 0);if(Object.keys(e.schema).length>0&&n===a)return nu.call(this,r,e);let i=(0,pt.normalizeId)(n),s=this.refs[i]||this.schemas[i];if(typeof s=="string"){let u=Fa.call(this,e,s);return typeof u?.schema!="object"?void 0:nu.call(this,r,u)}if(typeof s?.schema=="object"){if(s.validate||ou.call(this,s),i===(0,pt.normalizeId)(t)){let{schema:u}=s,{schemaId:d}=this.opts,l=u[d];return l&&(a=(0,pt.resolveUrl)(this.opts.uriResolver,a,l)),new dn({schema:u,schemaId:d,root:e,baseId:a})}return nu.call(this,r,s)}}o(Fa,"resolveSchema");ot.resolveSchema=Fa;var OC=new Set(["properties","patternProperties","enum","dependencies","definitions"]);function nu(e,{baseId:t,schema:r,root:n}){var a;if(((a=e.fragment)===null||a===void 0?void 0:a[0])!=="/")return;for(let u of e.fragment.slice(1).split("/")){if(typeof r=="boolean")return;let d=r[(0,Lm.unescapeFragment)(u)];if(d===void 0)return;r=d;let l=typeof r=="object"&&r[this.opts.schemaId];!OC.has(u)&&l&&(t=(0,pt.resolveUrl)(this.opts.uriResolver,t,l))}let i;if(typeof r!="boolean"&&r.$ref&&!(0,Lm.schemaHasRulesButRef)(r,this.RULES)){let u=(0,pt.resolveUrl)(this.opts.uriResolver,t,r.$ref);i=Fa.call(this,n,u)}let{schemaId:s}=this.opts;if(i=i||new dn({schema:r,schemaId:s,root:n,baseId:t}),i.schema!==i.root.schema)return i}o(nu,"getJsonPointer")});var Hm=T((z1,UC)=>{UC.exports={$id:"https://raw.githubusercontent.com/ajv-validator/ajv/master/lib/refs/data.json#",description:"Meta-schema for $data reference (JSON AnySchema extension proposal)",type:"object",required:["$data"],properties:{$data:{type:"string",anyOf:[{format:"relative-json-pointer"},{format:"json-pointer"}]}},additionalProperties:!1}});var iu=T((N1,Fm)=>{"use strict";var zC=RegExp.prototype.test.bind(/^[\da-f]{8}-[\da-f]{4}-[\da-f]{4}-[\da-f]{4}-[\da-f]{12}$/iu),Bm=RegExp.prototype.test.bind(/^(?:(?:25[0-5]|2[0-4]\d|1\d{2}|[1-9]\d|\d)\.){3}(?:25[0-5]|2[0-4]\d|1\d{2}|[1-9]\d|\d)$/u);function au(e){let t="",r=0,n=0;for(n=0;n<e.length;n++)if(r=e[n].charCodeAt(0),r!==48){if(!(r>=48&&r<=57||r>=65&&r<=70||r>=97&&r<=102))return"";t+=e[n];break}for(n+=1;n<e.length;n++){if(r=e[n].charCodeAt(0),!(r>=48&&r<=57||r>=65&&r<=70||r>=97&&r<=102))return"";t+=e[n]}return t}o(au,"stringArrayToHexStripped");var NC=RegExp.prototype.test.bind(/[^!"$&'()*+,\-.;=_`a-z{}~]/u);function Gm(e){return e.length=0,!0}o(Gm,"consumeIsZone");function DC(e,t,r){if(e.length){let n=au(e);if(n!=="")t.push(n);else return r.error=!0,!1;e.length=0}return!0}o(DC,"consumeHextets");function MC(e){let t=0,r={error:!1,address:"",zone:""},n=[],a=[],i=!1,s=!1,u=DC;for(let d=0;d<e.length;d++){let l=e[d];if(!(l==="["||l==="]"))if(l===":"){if(i===!0&&(s=!0),!u(a,n,r))break;if(++t>7){r.error=!0;break}d>0&&e[d-1]===":"&&(i=!0),n.push(":");continue}else if(l==="%"){if(!u(a,n,r))break;u=Gm}else{a.push(l);continue}}return a.length&&(u===Gm?r.zone=a.join(""):s?n.push(a.join("")):n.push(au(a))),r.address=n.join(""),r}o(MC,"getIPV6");function Vm(e){if(qC(e,":")<2)return{host:e,isIPV6:!1};let t=MC(e);if(t.error)return{host:e,isIPV6:!1};{let r=t.address,n=t.address;return t.zone&&(r+="%"+t.zone,n+="%25"+t.zone),{host:r,isIPV6:!0,escapedHost:n}}}o(Vm,"normalizeIPv6");function qC(e,t){let r=0;for(let n=0;n<e.length;n++)e[n]===t&&r++;return r}o(qC,"findToken");function $C(e){let t=e,r=[],n=-1,a=0;for(;a=t.length;){if(a===1){if(t===".")break;if(t==="/"){r.push("/");break}else{r.push(t);break}}else if(a===2){if(t[0]==="."){if(t[1]===".")break;if(t[1]==="/"){t=t.slice(2);continue}}else if(t[0]==="/"&&(t[1]==="."||t[1]==="/")){r.push("/");break}}else if(a===3&&t==="/.."){r.length!==0&&r.pop(),r.push("/");break}if(t[0]==="."){if(t[1]==="."){if(t[2]==="/"){t=t.slice(3);continue}}else if(t[1]==="/"){t=t.slice(2);continue}}else if(t[0]==="/"&&t[1]==="."){if(t[2]==="/"){t=t.slice(2);continue}else if(t[2]==="."&&t[3]==="/"){t=t.slice(3),r.length!==0&&r.pop();continue}}if((n=t.indexOf("/",1))===-1){r.push(t);break}else r.push(t.slice(0,n)),t=t.slice(n)}return r.join("")}o($C,"removeDotSegments");function LC(e,t){let r=t!==!0?escape:unescape;return e.scheme!==void 0&&(e.scheme=r(e.scheme)),e.userinfo!==void 0&&(e.userinfo=r(e.userinfo)),e.host!==void 0&&(e.host=r(e.host)),e.path!==void 0&&(e.path=r(e.path)),e.query!==void 0&&(e.query=r(e.query)),e.fragment!==void 0&&(e.fragment=r(e.fragment)),e}o(LC,"normalizeComponentEncoding");function jC(e){let t=[];if(e.userinfo!==void 0&&(t.push(e.userinfo),t.push("@")),e.host!==void 0){let r=unescape(e.host);if(!Bm(r)){let n=Vm(r);n.isIPV6===!0?r=`[${n.escapedHost}]`:r=e.host}t.push(r)}return(typeof e.port=="number"||typeof e.port=="string")&&(t.push(":"),t.push(String(e.port))),t.length?t.join(""):void 0}o(jC,"recomposeAuthority");Fm.exports={nonSimpleDomain:NC,recomposeAuthority:jC,normalizeComponentEncoding:LC,removeDotSegments:$C,isIPv4:Bm,isUUID:zC,normalizeIPv6:Vm,stringArrayToHexStripped:au}});var Ym=T((M1,Jm)=>{"use strict";var{isUUID:HC}=iu(),GC=/([\da-z][\d\-a-z]{0,31}):((?:[\w!$'()*+,\-.:;=@]|%[\da-f]{2})+)/iu,BC=["http","https","ws","wss","urn","urn:uuid"];function VC(e){return BC.indexOf(e)!==-1}o(VC,"isValidSchemeName");function su(e){return e.secure===!0?!0:e.secure===!1?!1:e.scheme?e.scheme.length===3&&(e.scheme[0]==="w"||e.scheme[0]==="W")&&(e.scheme[1]==="s"||e.scheme[1]==="S")&&(e.scheme[2]==="s"||e.scheme[2]==="S"):!1}o(su,"wsIsSecure");function Zm(e){return e.host||(e.error=e.error||"HTTP URIs must have a host."),e}o(Zm,"httpParse");function Km(e){let t=String(e.scheme).toLowerCase()==="https";return(e.port===(t?443:80)||e.port==="")&&(e.port=void 0),e.path||(e.path="/"),e}o(Km,"httpSerialize");function FC(e){return e.secure=su(e),e.resourceName=(e.path||"/")+(e.query?"?"+e.query:""),e.path=void 0,e.query=void 0,e}o(FC,"wsParse");function ZC(e){if((e.port===(su(e)?443:80)||e.port==="")&&(e.port=void 0),typeof e.secure=="boolean"&&(e.scheme=e.secure?"wss":"ws",e.secure=void 0),e.resourceName){let[t,r]=e.resourceName.split("?");e.path=t&&t!=="/"?t:void 0,e.query=r,e.resourceName=void 0}return e.fragment=void 0,e}o(ZC,"wsSerialize");function KC(e,t){if(!e.path)return e.error="URN can not be parsed",e;let r=e.path.match(GC);if(r){let n=t.scheme||e.scheme||"urn";e.nid=r[1].toLowerCase(),e.nss=r[2];let a=`${n}:${t.nid||e.nid}`,i=cu(a);e.path=void 0,i&&(e=i.parse(e,t))}else e.error=e.error||"URN can not be parsed.";return e}o(KC,"urnParse");function WC(e,t){if(e.nid===void 0)throw new Error("URN without nid cannot be serialized");let r=t.scheme||e.scheme||"urn",n=e.nid.toLowerCase(),a=`${r}:${t.nid||n}`,i=cu(a);i&&(e=i.serialize(e,t));let s=e,u=e.nss;return s.path=`${n||t.nid}:${u}`,t.skipEscape=!0,s}o(WC,"urnSerialize");function JC(e,t){let r=e;return r.uuid=r.nss,r.nss=void 0,!t.tolerant&&(!r.uuid||!HC(r.uuid))&&(r.error=r.error||"UUID is not valid."),r}o(JC,"urnuuidParse");function YC(e){let t=e;return t.nss=(e.uuid||"").toLowerCase(),t}o(YC,"urnuuidSerialize");var Wm={scheme:"http",domainHost:!0,parse:Zm,serialize:Km},XC={scheme:"https",domainHost:Wm.domainHost,parse:Zm,serialize:Km},Ka={scheme:"ws",domainHost:!0,parse:FC,serialize:ZC},QC={scheme:"wss",domainHost:Ka.domainHost,parse:Ka.parse,serialize:Ka.serialize},eI={scheme:"urn",parse:KC,serialize:WC,skipNormalize:!0},tI={scheme:"urn:uuid",parse:JC,serialize:YC,skipNormalize:!0},Wa={http:Wm,https:XC,ws:Ka,wss:QC,urn:eI,"urn:uuid":tI};Object.setPrototypeOf(Wa,null);function cu(e){return e&&(Wa[e]||Wa[e.toLowerCase()])||void 0}o(cu,"getSchemeHandler");Jm.exports={wsIsSecure:su,SCHEMES:Wa,isValidSchemeName:VC,getSchemeHandler:cu}});var eh=T(($1,Ya)=>{"use strict";var{normalizeIPv6:rI,removeDotSegments:So,recomposeAuthority:nI,normalizeComponentEncoding:Ja,isIPv4:oI,nonSimpleDomain:aI}=iu(),{SCHEMES:iI,getSchemeHandler:Xm}=Ym();function sI(e,t){return typeof e=="string"?e=Rt(jt(e,t),t):typeof e=="object"&&(e=jt(Rt(e,t),t)),e}o(sI,"normalize");function cI(e,t,r){let n=r?Object.assign({scheme:"null"},r):{scheme:"null"},a=Qm(jt(e,n),jt(t,n),n,!0);return n.skipEscape=!0,Rt(a,n)}o(cI,"resolve");function Qm(e,t,r,n){let a={};return n||(e=jt(Rt(e,r),r),t=jt(Rt(t,r),r)),r=r||{},!r.tolerant&&t.scheme?(a.scheme=t.scheme,a.userinfo=t.userinfo,a.host=t.host,a.port=t.port,a.path=So(t.path||""),a.query=t.query):(t.userinfo!==void 0||t.host!==void 0||t.port!==void 0?(a.userinfo=t.userinfo,a.host=t.host,a.port=t.port,a.path=So(t.path||""),a.query=t.query):(t.path?(t.path[0]==="/"?a.path=So(t.path):((e.userinfo!==void 0||e.host!==void 0||e.port!==void 0)&&!e.path?a.path="/"+t.path:e.path?a.path=e.path.slice(0,e.path.lastIndexOf("/")+1)+t.path:a.path=t.path,a.path=So(a.path)),a.query=t.query):(a.path=e.path,t.query!==void 0?a.query=t.query:a.query=e.query),a.userinfo=e.userinfo,a.host=e.host,a.port=e.port),a.scheme=e.scheme),a.fragment=t.fragment,a}o(Qm,"resolveComponent");function uI(e,t,r){return typeof e=="string"?(e=unescape(e),e=Rt(Ja(jt(e,r),!0),{...r,skipEscape:!0})):typeof e=="object"&&(e=Rt(Ja(e,!0),{...r,skipEscape:!0})),typeof t=="string"?(t=unescape(t),t=Rt(Ja(jt(t,r),!0),{...r,skipEscape:!0})):typeof t=="object"&&(t=Rt(Ja(t,!0),{...r,skipEscape:!0})),e.toLowerCase()===t.toLowerCase()}o(uI,"equal");function Rt(e,t){let r={host:e.host,scheme:e.scheme,userinfo:e.userinfo,port:e.port,path:e.path,query:e.query,nid:e.nid,nss:e.nss,uuid:e.uuid,fragment:e.fragment,reference:e.reference,resourceName:e.resourceName,secure:e.secure,error:""},n=Object.assign({},t),a=[],i=Xm(n.scheme||r.scheme);i&&i.serialize&&i.serialize(r,n),r.path!==void 0&&(n.skipEscape?r.path=unescape(r.path):(r.path=escape(r.path),r.scheme!==void 0&&(r.path=r.path.split("%3A").join(":")))),n.reference!=="suffix"&&r.scheme&&a.push(r.scheme,":");let s=nI(r);if(s!==void 0&&(n.reference!=="suffix"&&a.push("//"),a.push(s),r.path&&r.path[0]!=="/"&&a.push("/")),r.path!==void 0){let u=r.path;!n.absolutePath&&(!i||!i.absolutePath)&&(u=So(u)),s===void 0&&u[0]==="/"&&u[1]==="/"&&(u="/%2F"+u.slice(2)),a.push(u)}return r.query!==void 0&&a.push("?",r.query),r.fragment!==void 0&&a.push("#",r.fragment),a.join("")}o(Rt,"serialize");var dI=/^(?:([^#/:?]+):)?(?:\/\/((?:([^#/?@]*)@)?(\[[^#/?\]]+\]|[^#/:?]*)(?::(\d*))?))?([^#?]*)(?:\?([^#]*))?(?:#((?:.|[\n\r])*))?/u;function jt(e,t){let r=Object.assign({},t),n={scheme:void 0,userinfo:void 0,host:"",port:void 0,path:"",query:void 0,fragment:void 0},a=!1;r.reference==="suffix"&&(r.scheme?e=r.scheme+":"+e:e="//"+e);let i=e.match(dI);if(i){if(n.scheme=i[1],n.userinfo=i[3],n.host=i[4],n.port=parseInt(i[5],10),n.path=i[6]||"",n.query=i[7],n.fragment=i[8],isNaN(n.port)&&(n.port=i[5]),n.host)if(oI(n.host)===!1){let d=rI(n.host);n.host=d.host.toLowerCase(),a=d.isIPV6}else a=!0;n.scheme===void 0&&n.userinfo===void 0&&n.host===void 0&&n.port===void 0&&n.query===void 0&&!n.path?n.reference="same-document":n.scheme===void 0?n.reference="relative":n.fragment===void 0?n.reference="absolute":n.reference="uri",r.reference&&r.reference!=="suffix"&&r.reference!==n.reference&&(n.error=n.error||"URI is not a "+r.reference+" reference.");let s=Xm(r.scheme||n.scheme);if(!r.unicodeSupport&&(!s||!s.unicodeSupport)&&n.host&&(r.domainHost||s&&s.domainHost)&&a===!1&&aI(n.host))try{n.host=URL.domainToASCII(n.host.toLowerCase())}catch(u){n.error=n.error||"Host's domain name can not be converted to ASCII: "+u}(!s||s&&!s.skipNormalize)&&(e.indexOf("%")!==-1&&(n.scheme!==void 0&&(n.scheme=unescape(n.scheme)),n.host!==void 0&&(n.host=unescape(n.host))),n.path&&(n.path=escape(unescape(n.path))),n.fragment&&(n.fragment=encodeURI(decodeURIComponent(n.fragment)))),s&&s.parse&&s.parse(n,r)}else n.error=n.error||"URI can not be parsed.";return n}o(jt,"parse");var uu={SCHEMES:iI,normalize:sI,resolve:cI,resolveComponent:Qm,equal:uI,serialize:Rt,parse:jt};Ya.exports=uu;Ya.exports.default=uu;Ya.exports.fastUri=uu});var rh=T(du=>{"use strict";Object.defineProperty(du,"__esModule",{value:!0});var th=eh();th.code='require("ajv/dist/runtime/uri").default';du.default=th});var dh=T(Ie=>{"use strict";Object.defineProperty(Ie,"__esModule",{value:!0});Ie.CodeGen=Ie.Name=Ie.nil=Ie.stringify=Ie.str=Ie._=Ie.KeywordCxt=void 0;var lI=_o();Object.defineProperty(Ie,"KeywordCxt",{enumerable:!0,get:o(function(){return lI.KeywordCxt},"get")});var ln=L();Object.defineProperty(Ie,"_",{enumerable:!0,get:o(function(){return ln._},"get")});Object.defineProperty(Ie,"str",{enumerable:!0,get:o(function(){return ln.str},"get")});Object.defineProperty(Ie,"stringify",{enumerable:!0,get:o(function(){return ln.stringify},"get")});Object.defineProperty(Ie,"nil",{enumerable:!0,get:o(function(){return ln.nil},"get")});Object.defineProperty(Ie,"Name",{enumerable:!0,get:o(function(){return ln.Name},"get")});Object.defineProperty(Ie,"CodeGen",{enumerable:!0,get:o(function(){return ln.CodeGen},"get")});var pI=Va(),sh=yo(),mI=$c(),wo=Za(),hI=L(),vo=ho(),Xa=mo(),pu=J(),nh=Hm(),fI=rh(),ch=o((e,t)=>new RegExp(e,t),"defaultRegExp");ch.code="new RegExp";var gI=["removeAdditional","useDefaults","coerceTypes"],_I=new Set(["validate","serialize","parse","wrapper","root","schema","keyword","pattern","formats","validate$data","func","obj","Error"]),yI={errorDataPath:"",format:"`validateFormats: false` can be used instead.",nullable:'"nullable" keyword is supported by default.',jsonPointers:"Deprecated jsPropertySyntax can be used instead.",extendRefs:"Deprecated ignoreKeywordsWithRef can be used instead.",missingRefs:"Pass empty schema with $id that should be ignored to ajv.addSchema.",processCode:"Use option `code: {process: (code, schemaEnv: object) => string}`",sourceCode:"Use option `code: {source: true}`",strictDefaults:"It is default now, see option `strict`.",strictKeywords:"It is default now, see option `strict`.",uniqueItems:'"uniqueItems" keyword is always validated.',unknownFormats:"Disable strict mode or pass `true` to `ajv.addFormat` (or `formats` option).",cache:"Map is used as cache, schema object as key.",serialize:"Map is used as cache, schema object as key.",ajvErrors:"It is default now."},SI={ignoreKeywordsWithRef:"",jsPropertySyntax:"",unicode:'"minLength"/"maxLength" account for unicode characters by default.'},oh=200;function wI(e){var t,r,n,a,i,s,u,d,l,p,m,f,_,S,y,w,v,R,I,N,M,Ye,xt,xs,Os;let Bn=e.strict,Us=(t=e.code)===null||t===void 0?void 0:t.optimize,mp=Us===!0||Us===void 0?1:Us||0,hp=(n=(r=e.code)===null||r===void 0?void 0:r.regExp)!==null&&n!==void 0?n:ch,Jw=(a=e.uriResolver)!==null&&a!==void 0?a:fI.default;return{strictSchema:(s=(i=e.strictSchema)!==null&&i!==void 0?i:Bn)!==null&&s!==void 0?s:!0,strictNumbers:(d=(u=e.strictNumbers)!==null&&u!==void 0?u:Bn)!==null&&d!==void 0?d:!0,strictTypes:(p=(l=e.strictTypes)!==null&&l!==void 0?l:Bn)!==null&&p!==void 0?p:"log",strictTuples:(f=(m=e.strictTuples)!==null&&m!==void 0?m:Bn)!==null&&f!==void 0?f:"log",strictRequired:(S=(_=e.strictRequired)!==null&&_!==void 0?_:Bn)!==null&&S!==void 0?S:!1,code:e.code?{...e.code,optimize:mp,regExp:hp}:{optimize:mp,regExp:hp},loopRequired:(y=e.loopRequired)!==null&&y!==void 0?y:oh,loopEnum:(w=e.loopEnum)!==null&&w!==void 0?w:oh,meta:(v=e.meta)!==null&&v!==void 0?v:!0,messages:(R=e.messages)!==null&&R!==void 0?R:!0,inlineRefs:(I=e.inlineRefs)!==null&&I!==void 0?I:!0,schemaId:(N=e.schemaId)!==null&&N!==void 0?N:"$id",addUsedSchema:(M=e.addUsedSchema)!==null&&M!==void 0?M:!0,validateSchema:(Ye=e.validateSchema)!==null&&Ye!==void 0?Ye:!0,validateFormats:(xt=e.validateFormats)!==null&&xt!==void 0?xt:!0,unicodeRegExp:(xs=e.unicodeRegExp)!==null&&xs!==void 0?xs:!0,int32range:(Os=e.int32range)!==null&&Os!==void 0?Os:!0,uriResolver:Jw}}o(wI,"requiredOptions");var Ro=class{static{o(this,"Ajv")}constructor(t={}){this.schemas={},this.refs={},this.formats={},this._compilations=new Set,this._loading={},this._cache=new Map,t=this.opts={...t,...wI(t)};let{es5:r,lines:n}=this.opts.code;this.scope=new hI.ValueScope({scope:{},prefixes:_I,es5:r,lines:n}),this.logger=TI(t.logger);let a=t.validateFormats;t.validateFormats=!1,this.RULES=(0,mI.getRules)(),ah.call(this,yI,t,"NOT SUPPORTED"),ah.call(this,SI,t,"DEPRECATED","warn"),this._metaOpts=CI.call(this),t.formats&&RI.call(this),this._addVocabularies(),this._addDefaultMetaSchema(),t.keywords&&bI.call(this,t.keywords),typeof t.meta=="object"&&this.addMetaSchema(t.meta),vI.call(this),t.validateFormats=a}_addVocabularies(){this.addKeyword("$async")}_addDefaultMetaSchema(){let{$data:t,meta:r,schemaId:n}=this.opts,a=nh;n==="id"&&(a={...nh},a.id=a.$id,delete a.$id),r&&t&&this.addMetaSchema(a,a[n],!1)}defaultMeta(){let{meta:t,schemaId:r}=this.opts;return this.opts.defaultMeta=typeof t=="object"?t[r]||t:void 0}validate(t,r){let n;if(typeof t=="string"){if(n=this.getSchema(t),!n)throw new Error(`no schema with key or ref "${t}"`)}else n=this.compile(t);let a=n(r);return"$async"in n||(this.errors=n.errors),a}compile(t,r){let n=this._addSchema(t,r);return n.validate||this._compileSchemaEnv(n)}compileAsync(t,r){if(typeof this.opts.loadSchema!="function")throw new Error("options.loadSchema should be a function");let{loadSchema:n}=this.opts;return a.call(this,t,r);async function a(p,m){await i.call(this,p.$schema);let f=this._addSchema(p,m);return f.validate||s.call(this,f)}async function i(p){p&&!this.getSchema(p)&&await a.call(this,{$ref:p},!0)}async function s(p){try{return this._compileSchemaEnv(p)}catch(m){if(!(m instanceof sh.default))throw m;return u.call(this,m),await d.call(this,m.missingSchema),s.call(this,p)}}function u({missingSchema:p,missingRef:m}){if(this.refs[p])throw new Error(`AnySchema ${p} is loaded but ${m} cannot be resolved`)}async function d(p){let m=await l.call(this,p);this.refs[p]||await i.call(this,m.$schema),this.refs[p]||this.addSchema(m,p,r)}async function l(p){let m=this._loading[p];if(m)return m;try{return await(this._loading[p]=n(p))}finally{delete this._loading[p]}}}addSchema(t,r,n,a=this.opts.validateSchema){if(Array.isArray(t)){for(let s of t)this.addSchema(s,void 0,n,a);return this}let i;if(typeof t=="object"){let{schemaId:s}=this.opts;if(i=t[s],i!==void 0&&typeof i!="string")throw new Error(`schema ${s} must be string`)}return r=(0,vo.normalizeId)(r||i),this._checkUnique(r),this.schemas[r]=this._addSchema(t,n,r,a,!0),this}addMetaSchema(t,r,n=this.opts.validateSchema){return this.addSchema(t,r,!0,n),this}validateSchema(t,r){if(typeof t=="boolean")return!0;let n;if(n=t.$schema,n!==void 0&&typeof n!="string")throw new Error("$schema must be a string");if(n=n||this.opts.defaultMeta||this.defaultMeta(),!n)return this.logger.warn("meta-schema not available"),this.errors=null,!0;let a=this.validate(n,t);if(!a&&r){let i="schema is invalid: "+this.errorsText();if(this.opts.validateSchema==="log")this.logger.error(i);else throw new Error(i)}return a}getSchema(t){let r;for(;typeof(r=ih.call(this,t))=="string";)t=r;if(r===void 0){let{schemaId:n}=this.opts,a=new wo.SchemaEnv({schema:{},schemaId:n});if(r=wo.resolveSchema.call(this,a,t),!r)return;this.refs[t]=r}return r.validate||this._compileSchemaEnv(r)}removeSchema(t){if(t instanceof RegExp)return this._removeAllSchemas(this.schemas,t),this._removeAllSchemas(this.refs,t),this;switch(typeof t){case"undefined":return this._removeAllSchemas(this.schemas),this._removeAllSchemas(this.refs),this._cache.clear(),this;case"string":{let r=ih.call(this,t);return typeof r=="object"&&this._cache.delete(r.schema),delete this.schemas[t],delete this.refs[t],this}case"object":{let r=t;this._cache.delete(r);let n=t[this.opts.schemaId];return n&&(n=(0,vo.normalizeId)(n),delete this.schemas[n],delete this.refs[n]),this}default:throw new Error("ajv.removeSchema: invalid parameter")}}addVocabulary(t){for(let r of t)this.addKeyword(r);return this}addKeyword(t,r){let n;if(typeof t=="string")n=t,typeof r=="object"&&(this.logger.warn("these parameters are deprecated, see docs for addKeyword"),r.keyword=n);else if(typeof t=="object"&&r===void 0){if(r=t,n=r.keyword,Array.isArray(n)&&!n.length)throw new Error("addKeywords: keyword must be string or non-empty array")}else throw new Error("invalid addKeywords parameters");if(kI.call(this,n,r),!r)return(0,pu.eachItem)(n,i=>lu.call(this,i)),this;EI.call(this,r);let a={...r,type:(0,Xa.getJSONTypes)(r.type),schemaType:(0,Xa.getJSONTypes)(r.schemaType)};return(0,pu.eachItem)(n,a.type.length===0?i=>lu.call(this,i,a):i=>a.type.forEach(s=>lu.call(this,i,a,s))),this}getKeyword(t){let r=this.RULES.all[t];return typeof r=="object"?r.definition:!!r}removeKeyword(t){let{RULES:r}=this;delete r.keywords[t],delete r.all[t];for(let n of r.rules){let a=n.rules.findIndex(i=>i.keyword===t);a>=0&&n.rules.splice(a,1)}return this}addFormat(t,r){return typeof r=="string"&&(r=new RegExp(r)),this.formats[t]=r,this}errorsText(t=this.errors,{separator:r=", ",dataVar:n="data"}={}){return!t||t.length===0?"No errors":t.map(a=>`${n}${a.instancePath} ${a.message}`).reduce((a,i)=>a+r+i)}$dataMetaSchema(t,r){let n=this.RULES.all;t=JSON.parse(JSON.stringify(t));for(let a of r){let i=a.split("/").slice(1),s=t;for(let u of i)s=s[u];for(let u in n){let d=n[u];if(typeof d!="object")continue;let{$data:l}=d.definition,p=s[u];l&&p&&(s[u]=uh(p))}}return t}_removeAllSchemas(t,r){for(let n in t){let a=t[n];(!r||r.test(n))&&(typeof a=="string"?delete t[n]:a&&!a.meta&&(this._cache.delete(a.schema),delete t[n]))}}_addSchema(t,r,n,a=this.opts.validateSchema,i=this.opts.addUsedSchema){let s,{schemaId:u}=this.opts;if(typeof t=="object")s=t[u];else{if(this.opts.jtd)throw new Error("schema must be object");if(typeof t!="boolean")throw new Error("schema must be object or boolean")}let d=this._cache.get(t);if(d!==void 0)return d;n=(0,vo.normalizeId)(s||n);let l=vo.getSchemaRefs.call(this,t,n);return d=new wo.SchemaEnv({schema:t,schemaId:u,meta:r,baseId:n,localRefs:l}),this._cache.set(d.schema,d),i&&!n.startsWith("#")&&(n&&this._checkUnique(n),this.refs[n]=d),a&&this.validateSchema(t,!0),d}_checkUnique(t){if(this.schemas[t]||this.refs[t])throw new Error(`schema with key or id "${t}" already exists`)}_compileSchemaEnv(t){if(t.meta?this._compileMetaSchema(t):wo.compileSchema.call(this,t),!t.validate)throw new Error("ajv implementation error");return t.validate}_compileMetaSchema(t){let r=this.opts;this.opts=this._metaOpts;try{wo.compileSchema.call(this,t)}finally{this.opts=r}}};Ro.ValidationError=pI.default;Ro.MissingRefError=sh.default;Ie.default=Ro;function ah(e,t,r,n="error"){for(let a in e){let i=a;i in t&&this.logger[n](`${r}: option ${a}. ${e[i]}`)}}o(ah,"checkOptions");function ih(e){return e=(0,vo.normalizeId)(e),this.schemas[e]||this.refs[e]}o(ih,"getSchEnv");function vI(){let e=this.opts.schemas;if(e)if(Array.isArray(e))this.addSchema(e);else for(let t in e)this.addSchema(e[t],t)}o(vI,"addInitialSchemas");function RI(){for(let e in this.opts.formats){let t=this.opts.formats[e];t&&this.addFormat(e,t)}}o(RI,"addInitialFormats");function bI(e){if(Array.isArray(e)){this.addVocabulary(e);return}this.logger.warn("keywords option as map is deprecated, pass array");for(let t in e){let r=e[t];r.keyword||(r.keyword=t),this.addKeyword(r)}}o(bI,"addInitialKeywords");function CI(){let e={...this.opts};for(let t of gI)delete e[t];return e}o(CI,"getMetaSchemaOptions");var II={log(){},warn(){},error(){}};function TI(e){if(e===!1)return II;if(e===void 0)return console;if(e.log&&e.warn&&e.error)return e;throw new Error("logger must implement log, warn and error methods")}o(TI,"getLogger");var AI=/^[a-z_$][a-z0-9_$:-]*$/i;function kI(e,t){let{RULES:r}=this;if((0,pu.eachItem)(e,n=>{if(r.keywords[n])throw new Error(`Keyword ${n} is already defined`);if(!AI.test(n))throw new Error(`Keyword ${n} has invalid name`)}),!!t&&t.$data&&!("code"in t||"validate"in t))throw new Error('$data keyword must have "code" or "validate" function')}o(kI,"checkKeyword");function lu(e,t,r){var n;let a=t?.post;if(r&&a)throw new Error('keyword with "post" flag cannot have "type"');let{RULES:i}=this,s=a?i.post:i.rules.find(({type:d})=>d===r);if(s||(s={type:r,rules:[]},i.rules.push(s)),i.keywords[e]=!0,!t)return;let u={keyword:e,definition:{...t,type:(0,Xa.getJSONTypes)(t.type),schemaType:(0,Xa.getJSONTypes)(t.schemaType)}};t.before?PI.call(this,s,u,t.before):s.rules.push(u),i.all[e]=u,(n=t.implements)===null||n===void 0||n.forEach(d=>this.addKeyword(d))}o(lu,"addRule");function PI(e,t,r){let n=e.rules.findIndex(a=>a.keyword===r);n>=0?e.rules.splice(n,0,t):(e.rules.push(t),this.logger.warn(`rule ${r} is not defined`))}o(PI,"addBeforeRule");function EI(e){let{metaSchema:t}=e;t!==void 0&&(e.$data&&this.opts.$data&&(t=uh(t)),e.validateSchema=this.compile(t,!0))}o(EI,"keywordMetaschema");var xI={$ref:"https://raw.githubusercontent.com/ajv-validator/ajv/master/lib/refs/data.json#"};function uh(e){return{anyOf:[e,xI]}}o(uh,"schemaOrData")});var lh=T(mu=>{"use strict";Object.defineProperty(mu,"__esModule",{value:!0});var OI={keyword:"id",code(){throw new Error('NOT SUPPORTED: keyword "id", use "$id" for schema ID')}};mu.default=OI});var fh=T(Pr=>{"use strict";Object.defineProperty(Pr,"__esModule",{value:!0});Pr.callRef=Pr.getValidate=void 0;var UI=yo(),ph=nt(),Ve=L(),pn=$t(),mh=Za(),Qa=J(),zI={keyword:"$ref",schemaType:"string",code(e){let{gen:t,schema:r,it:n}=e,{baseId:a,schemaEnv:i,validateName:s,opts:u,self:d}=n,{root:l}=i;if((r==="#"||r==="#/")&&a===l.baseId)return m();let p=mh.resolveRef.call(d,l,a,r);if(p===void 0)throw new UI.default(n.opts.uriResolver,a,r);if(p instanceof mh.SchemaEnv)return f(p);return _(p);function m(){if(i===l)return ei(e,s,i,i.$async);let S=t.scopeValue("root",{ref:l});return ei(e,(0,Ve._)`${S}.validate`,l,l.$async)}function f(S){let y=hh(e,S);ei(e,y,S,S.$async)}function _(S){let y=t.scopeValue("schema",u.code.source===!0?{ref:S,code:(0,Ve.stringify)(S)}:{ref:S}),w=t.name("valid"),v=e.subschema({schema:S,dataTypes:[],schemaPath:Ve.nil,topSchemaRef:y,errSchemaPath:r},w);e.mergeEvaluated(v),e.ok(w)}}};function hh(e,t){let{gen:r}=e;return t.validate?r.scopeValue("validate",{ref:t.validate}):(0,Ve._)`${r.scopeValue("wrapper",{ref:t})}.validate`}o(hh,"getValidate");Pr.getValidate=hh;function ei(e,t,r,n){let{gen:a,it:i}=e,{allErrors:s,schemaEnv:u,opts:d}=i,l=d.passContext?pn.default.this:Ve.nil;n?p():m();function p(){if(!u.$async)throw new Error("async schema referenced by sync schema");let S=a.let("valid");a.try(()=>{a.code((0,Ve._)`await ${(0,ph.callValidateCode)(e,t,l)}`),_(t),s||a.assign(S,!0)},y=>{a.if((0,Ve._)`!(${y} instanceof ${i.ValidationError})`,()=>a.throw(y)),f(y),s||a.assign(S,!1)}),e.ok(S)}o(p,"callAsyncRef");function m(){e.result((0,ph.callValidateCode)(e,t,l),()=>_(t),()=>f(t))}o(m,"callSyncRef");function f(S){let y=(0,Ve._)`${S}.errors`;a.assign(pn.default.vErrors,(0,Ve._)`${pn.default.vErrors} === null ? ${y} : ${pn.default.vErrors}.concat(${y})`),a.assign(pn.default.errors,(0,Ve._)`${pn.default.vErrors}.length`)}o(f,"addErrorsFrom");function _(S){var y;if(!i.opts.unevaluated)return;let w=(y=r?.validate)===null||y===void 0?void 0:y.evaluated;if(i.props!==!0)if(w&&!w.dynamicProps)w.props!==void 0&&(i.props=Qa.mergeEvaluated.props(a,w.props,i.props));else{let v=a.var("props",(0,Ve._)`${S}.evaluated.props`);i.props=Qa.mergeEvaluated.props(a,v,i.props,Ve.Name)}if(i.items!==!0)if(w&&!w.dynamicItems)w.items!==void 0&&(i.items=Qa.mergeEvaluated.items(a,w.items,i.items));else{let v=a.var("items",(0,Ve._)`${S}.evaluated.items`);i.items=Qa.mergeEvaluated.items(a,v,i.items,Ve.Name)}}o(_,"addEvaluatedFrom")}o(ei,"callRef");Pr.callRef=ei;Pr.default=zI});var gh=T(hu=>{"use strict";Object.defineProperty(hu,"__esModule",{value:!0});var NI=lh(),DI=fh(),MI=["$schema","$id","$defs","$vocabulary",{keyword:"$comment"},"definitions",NI.default,DI.default];hu.default=MI});var _h=T(fu=>{"use strict";Object.defineProperty(fu,"__esModule",{value:!0});var ti=L(),dr=ti.operators,ri={maximum:{okStr:"<=",ok:dr.LTE,fail:dr.GT},minimum:{okStr:">=",ok:dr.GTE,fail:dr.LT},exclusiveMaximum:{okStr:"<",ok:dr.LT,fail:dr.GTE},exclusiveMinimum:{okStr:">",ok:dr.GT,fail:dr.LTE}},qI={message:o(({keyword:e,schemaCode:t})=>(0,ti.str)`must be ${ri[e].okStr} ${t}`,"message"),params:o(({keyword:e,schemaCode:t})=>(0,ti._)`{comparison: ${ri[e].okStr}, limit: ${t}}`,"params")},$I={keyword:Object.keys(ri),type:"number",schemaType:"number",$data:!0,error:qI,code(e){let{keyword:t,data:r,schemaCode:n}=e;e.fail$data((0,ti._)`${r} ${ri[t].fail} ${n} || isNaN(${r})`)}};fu.default=$I});var yh=T(gu=>{"use strict";Object.defineProperty(gu,"__esModule",{value:!0});var bo=L(),LI={message:o(({schemaCode:e})=>(0,bo.str)`must be multiple of ${e}`,"message"),params:o(({schemaCode:e})=>(0,bo._)`{multipleOf: ${e}}`,"params")},jI={keyword:"multipleOf",type:"number",schemaType:"number",$data:!0,error:LI,code(e){let{gen:t,data:r,schemaCode:n,it:a}=e,i=a.opts.multipleOfPrecision,s=t.let("res"),u=i?(0,bo._)`Math.abs(Math.round(${s}) - ${s}) > 1e-${i}`:(0,bo._)`${s} !== parseInt(${s})`;e.fail$data((0,bo._)`(${n} === 0 || (${s} = ${r}/${n}, ${u}))`)}};gu.default=jI});var wh=T(_u=>{"use strict";Object.defineProperty(_u,"__esModule",{value:!0});function Sh(e){let t=e.length,r=0,n=0,a;for(;n<t;)r++,a=e.charCodeAt(n++),a>=55296&&a<=56319&&n<t&&(a=e.charCodeAt(n),(a&64512)===56320&&n++);return r}o(Sh,"ucs2length");_u.default=Sh;Sh.code='require("ajv/dist/runtime/ucs2length").default'});var vh=T(yu=>{"use strict";Object.defineProperty(yu,"__esModule",{value:!0});var Er=L(),HI=J(),GI=wh(),BI={message({keyword:e,schemaCode:t}){let r=e==="maxLength"?"more":"fewer";return(0,Er.str)`must NOT have ${r} than ${t} characters`},params:o(({schemaCode:e})=>(0,Er._)`{limit: ${e}}`,"params")},VI={keyword:["maxLength","minLength"],type:"string",schemaType:"number",$data:!0,error:BI,code(e){let{keyword:t,data:r,schemaCode:n,it:a}=e,i=t==="maxLength"?Er.operators.GT:Er.operators.LT,s=a.opts.unicode===!1?(0,Er._)`${r}.length`:(0,Er._)`${(0,HI.useFunc)(e.gen,GI.default)}(${r})`;e.fail$data((0,Er._)`${s} ${i} ${n}`)}};yu.default=VI});var Rh=T(Su=>{"use strict";Object.defineProperty(Su,"__esModule",{value:!0});var FI=nt(),ni=L(),ZI={message:o(({schemaCode:e})=>(0,ni.str)`must match pattern "${e}"`,"message"),params:o(({schemaCode:e})=>(0,ni._)`{pattern: ${e}}`,"params")},KI={keyword:"pattern",type:"string",schemaType:"string",$data:!0,error:ZI,code(e){let{data:t,$data:r,schema:n,schemaCode:a,it:i}=e,s=i.opts.unicodeRegExp?"u":"",u=r?(0,ni._)`(new RegExp(${a}, ${s}))`:(0,FI.usePattern)(e,n);e.fail$data((0,ni._)`!${u}.test(${t})`)}};Su.default=KI});var bh=T(wu=>{"use strict";Object.defineProperty(wu,"__esModule",{value:!0});var Co=L(),WI={message({keyword:e,schemaCode:t}){let r=e==="maxProperties"?"more":"fewer";return(0,Co.str)`must NOT have ${r} than ${t} properties`},params:o(({schemaCode:e})=>(0,Co._)`{limit: ${e}}`,"params")},JI={keyword:["maxProperties","minProperties"],type:"object",schemaType:"number",$data:!0,error:WI,code(e){let{keyword:t,data:r,schemaCode:n}=e,a=t==="maxProperties"?Co.operators.GT:Co.operators.LT;e.fail$data((0,Co._)`Object.keys(${r}).length ${a} ${n}`)}};wu.default=JI});var Ch=T(vu=>{"use strict";Object.defineProperty(vu,"__esModule",{value:!0});var Io=nt(),To=L(),YI=J(),XI={message:o(({params:{missingProperty:e}})=>(0,To.str)`must have required property '${e}'`,"message"),params:o(({params:{missingProperty:e}})=>(0,To._)`{missingProperty: ${e}}`,"params")},QI={keyword:"required",type:"object",schemaType:"array",$data:!0,error:XI,code(e){let{gen:t,schema:r,schemaCode:n,data:a,$data:i,it:s}=e,{opts:u}=s;if(!i&&r.length===0)return;let d=r.length>=u.loopRequired;if(s.allErrors?l():p(),u.strictRequired){let _=e.parentSchema.properties,{definedProperties:S}=e.it;for(let y of r)if(_?.[y]===void 0&&!S.has(y)){let w=s.schemaEnv.baseId+s.errSchemaPath,v=`required property "${y}" is not defined at "${w}" (strictRequired)`;(0,YI.checkStrictMode)(s,v,s.opts.strictRequired)}}function l(){if(d||i)e.block$data(To.nil,m);else for(let _ of r)(0,Io.checkReportMissingProp)(e,_)}o(l,"allErrorsMode");function p(){let _=t.let("missing");if(d||i){let S=t.let("valid",!0);e.block$data(S,()=>f(_,S)),e.ok(S)}else t.if((0,Io.checkMissingProp)(e,r,_)),(0,Io.reportMissingProp)(e,_),t.else()}o(p,"exitOnErrorMode");function m(){t.forOf("prop",n,_=>{e.setParams({missingProperty:_}),t.if((0,Io.noPropertyInData)(t,a,_,u.ownProperties),()=>e.error())})}o(m,"loopAllRequired");function f(_,S){e.setParams({missingProperty:_}),t.forOf(_,n,()=>{t.assign(S,(0,Io.propertyInData)(t,a,_,u.ownProperties)),t.if((0,To.not)(S),()=>{e.error(),t.break()})},To.nil)}o(f,"loopUntilMissing")}};vu.default=QI});var Ih=T(Ru=>{"use strict";Object.defineProperty(Ru,"__esModule",{value:!0});var Ao=L(),eT={message({keyword:e,schemaCode:t}){let r=e==="maxItems"?"more":"fewer";return(0,Ao.str)`must NOT have ${r} than ${t} items`},params:o(({schemaCode:e})=>(0,Ao._)`{limit: ${e}}`,"params")},tT={keyword:["maxItems","minItems"],type:"array",schemaType:"number",$data:!0,error:eT,code(e){let{keyword:t,data:r,schemaCode:n}=e,a=t==="maxItems"?Ao.operators.GT:Ao.operators.LT;e.fail$data((0,Ao._)`${r}.length ${a} ${n}`)}};Ru.default=tT});var oi=T(bu=>{"use strict";Object.defineProperty(bu,"__esModule",{value:!0});var Th=Zc();Th.code='require("ajv/dist/runtime/equal").default';bu.default=Th});var Ah=T(Iu=>{"use strict";Object.defineProperty(Iu,"__esModule",{value:!0});var Cu=mo(),Te=L(),rT=J(),nT=oi(),oT={message:o(({params:{i:e,j:t}})=>(0,Te.str)`must NOT have duplicate items (items ## ${t} and ${e} are identical)`,"message"),params:o(({params:{i:e,j:t}})=>(0,Te._)`{i: ${e}, j: ${t}}`,"params")},aT={keyword:"uniqueItems",type:"array",schemaType:"boolean",$data:!0,error:oT,code(e){let{gen:t,data:r,$data:n,schema:a,parentSchema:i,schemaCode:s,it:u}=e;if(!n&&!a)return;let d=t.let("valid"),l=i.items?(0,Cu.getSchemaTypes)(i.items):[];e.block$data(d,p,(0,Te._)`${s} === false`),e.ok(d);function p(){let S=t.let("i",(0,Te._)`${r}.length`),y=t.let("j");e.setParams({i:S,j:y}),t.assign(d,!0),t.if((0,Te._)`${S} > 1`,()=>(m()?f:_)(S,y))}o(p,"validateUniqueItems");function m(){return l.length>0&&!l.some(S=>S==="object"||S==="array")}o(m,"canOptimize");function f(S,y){let w=t.name("item"),v=(0,Cu.checkDataTypes)(l,w,u.opts.strictNumbers,Cu.DataType.Wrong),R=t.const("indices",(0,Te._)`{}`);t.for((0,Te._)`;${S}--;`,()=>{t.let(w,(0,Te._)`${r}[${S}]`),t.if(v,(0,Te._)`continue`),l.length>1&&t.if((0,Te._)`typeof ${w} == "string"`,(0,Te._)`${w} += "_"`),t.if((0,Te._)`typeof ${R}[${w}] == "number"`,()=>{t.assign(y,(0,Te._)`${R}[${w}]`),e.error(),t.assign(d,!1).break()}).code((0,Te._)`${R}[${w}] = ${S}`)})}o(f,"loopN");function _(S,y){let w=(0,rT.useFunc)(t,nT.default),v=t.name("outer");t.label(v).for((0,Te._)`;${S}--;`,()=>t.for((0,Te._)`${y} = ${S}; ${y}--;`,()=>t.if((0,Te._)`${w}(${r}[${S}], ${r}[${y}])`,()=>{e.error(),t.assign(d,!1).break(v)})))}o(_,"loopN2")}};Iu.default=aT});var kh=T(Au=>{"use strict";Object.defineProperty(Au,"__esModule",{value:!0});var Tu=L(),iT=J(),sT=oi(),cT={message:"must be equal to constant",params:o(({schemaCode:e})=>(0,Tu._)`{allowedValue: ${e}}`,"params")},uT={keyword:"const",$data:!0,error:cT,code(e){let{gen:t,data:r,$data:n,schemaCode:a,schema:i}=e;n||i&&typeof i=="object"?e.fail$data((0,Tu._)`!${(0,iT.useFunc)(t,sT.default)}(${r}, ${a})`):e.fail((0,Tu._)`${i} !== ${r}`)}};Au.default=uT});var Ph=T(ku=>{"use strict";Object.defineProperty(ku,"__esModule",{value:!0});var ko=L(),dT=J(),lT=oi(),pT={message:"must be equal to one of the allowed values",params:o(({schemaCode:e})=>(0,ko._)`{allowedValues: ${e}}`,"params")},mT={keyword:"enum",schemaType:"array",$data:!0,error:pT,code(e){let{gen:t,data:r,$data:n,schema:a,schemaCode:i,it:s}=e;if(!n&&a.length===0)throw new Error("enum must have non-empty array");let u=a.length>=s.opts.loopEnum,d,l=o(()=>d??(d=(0,dT.useFunc)(t,lT.default)),"getEql"),p;if(u||n)p=t.let("valid"),e.block$data(p,m);else{if(!Array.isArray(a))throw new Error("ajv implementation error");let _=t.const("vSchema",i);p=(0,ko.or)(...a.map((S,y)=>f(_,y)))}e.pass(p);function m(){t.assign(p,!1),t.forOf("v",i,_=>t.if((0,ko._)`${l()}(${r}, ${_})`,()=>t.assign(p,!0).break()))}o(m,"loopEnum");function f(_,S){let y=a[S];return typeof y=="object"&&y!==null?(0,ko._)`${l()}(${r}, ${_}[${S}])`:(0,ko._)`${r} === ${y}`}o(f,"equalCode")}};ku.default=mT});var Eh=T(Pu=>{"use strict";Object.defineProperty(Pu,"__esModule",{value:!0});var hT=_h(),fT=yh(),gT=vh(),_T=Rh(),yT=bh(),ST=Ch(),wT=Ih(),vT=Ah(),RT=kh(),bT=Ph(),CT=[hT.default,fT.default,gT.default,_T.default,yT.default,ST.default,wT.default,vT.default,{keyword:"type",schemaType:["string","array"]},{keyword:"nullable",schemaType:"boolean"},RT.default,bT.default];Pu.default=CT});var xu=T(Po=>{"use strict";Object.defineProperty(Po,"__esModule",{value:!0});Po.validateAdditionalItems=void 0;var xr=L(),Eu=J(),IT={message:o(({params:{len:e}})=>(0,xr.str)`must NOT have more than ${e} items`,"message"),params:o(({params:{len:e}})=>(0,xr._)`{limit: ${e}}`,"params")},TT={keyword:"additionalItems",type:"array",schemaType:["boolean","object"],before:"uniqueItems",error:IT,code(e){let{parentSchema:t,it:r}=e,{items:n}=t;if(!Array.isArray(n)){(0,Eu.checkStrictMode)(r,'"additionalItems" is ignored when "items" is not an array of schemas');return}xh(e,n)}};function xh(e,t){let{gen:r,schema:n,data:a,keyword:i,it:s}=e;s.items=!0;let u=r.const("len",(0,xr._)`${a}.length`);if(n===!1)e.setParams({len:t.length}),e.pass((0,xr._)`${u} <= ${t.length}`);else if(typeof n=="object"&&!(0,Eu.alwaysValidSchema)(s,n)){let l=r.var("valid",(0,xr._)`${u} <= ${t.length}`);r.if((0,xr.not)(l),()=>d(l)),e.ok(l)}function d(l){r.forRange("i",t.length,u,p=>{e.subschema({keyword:i,dataProp:p,dataPropType:Eu.Type.Num},l),s.allErrors||r.if((0,xr.not)(l),()=>r.break())})}o(d,"validateItems")}o(xh,"validateAdditionalItems");Po.validateAdditionalItems=xh;Po.default=TT});var Ou=T(Eo=>{"use strict";Object.defineProperty(Eo,"__esModule",{value:!0});Eo.validateTuple=void 0;var Oh=L(),ai=J(),AT=nt(),kT={keyword:"items",type:"array",schemaType:["object","array","boolean"],before:"uniqueItems",code(e){let{schema:t,it:r}=e;if(Array.isArray(t))return Uh(e,"additionalItems",t);r.items=!0,!(0,ai.alwaysValidSchema)(r,t)&&e.ok((0,AT.validateArray)(e))}};function Uh(e,t,r=e.schema){let{gen:n,parentSchema:a,data:i,keyword:s,it:u}=e;p(a),u.opts.unevaluated&&r.length&&u.items!==!0&&(u.items=ai.mergeEvaluated.items(n,r.length,u.items));let d=n.name("valid"),l=n.const("len",(0,Oh._)`${i}.length`);r.forEach((m,f)=>{(0,ai.alwaysValidSchema)(u,m)||(n.if((0,Oh._)`${l} > ${f}`,()=>e.subschema({keyword:s,schemaProp:f,dataProp:f},d)),e.ok(d))});function p(m){let{opts:f,errSchemaPath:_}=u,S=r.length,y=S===m.minItems&&(S===m.maxItems||m[t]===!1);if(f.strictTuples&&!y){let w=`"${s}" is ${S}-tuple, but minItems or maxItems/${t} are not specified or different at path "${_}"`;(0,ai.checkStrictMode)(u,w,f.strictTuples)}}o(p,"checkStrictTuple")}o(Uh,"validateTuple");Eo.validateTuple=Uh;Eo.default=kT});var zh=T(Uu=>{"use strict";Object.defineProperty(Uu,"__esModule",{value:!0});var PT=Ou(),ET={keyword:"prefixItems",type:"array",schemaType:["array"],before:"uniqueItems",code:o(e=>(0,PT.validateTuple)(e,"items"),"code")};Uu.default=ET});var Dh=T(zu=>{"use strict";Object.defineProperty(zu,"__esModule",{value:!0});var Nh=L(),xT=J(),OT=nt(),UT=xu(),zT={message:o(({params:{len:e}})=>(0,Nh.str)`must NOT have more than ${e} items`,"message"),params:o(({params:{len:e}})=>(0,Nh._)`{limit: ${e}}`,"params")},NT={keyword:"items",type:"array",schemaType:["object","boolean"],before:"uniqueItems",error:zT,code(e){let{schema:t,parentSchema:r,it:n}=e,{prefixItems:a}=r;n.items=!0,!(0,xT.alwaysValidSchema)(n,t)&&(a?(0,UT.validateAdditionalItems)(e,a):e.ok((0,OT.validateArray)(e)))}};zu.default=NT});var Mh=T(Nu=>{"use strict";Object.defineProperty(Nu,"__esModule",{value:!0});var at=L(),ii=J(),DT={message:o(({params:{min:e,max:t}})=>t===void 0?(0,at.str)`must contain at least ${e} valid item(s)`:(0,at.str)`must contain at least ${e} and no more than ${t} valid item(s)`,"message"),params:o(({params:{min:e,max:t}})=>t===void 0?(0,at._)`{minContains: ${e}}`:(0,at._)`{minContains: ${e}, maxContains: ${t}}`,"params")},MT={keyword:"contains",type:"array",schemaType:["object","boolean"],before:"uniqueItems",trackErrors:!0,error:DT,code(e){let{gen:t,schema:r,parentSchema:n,data:a,it:i}=e,s,u,{minContains:d,maxContains:l}=n;i.opts.next?(s=d===void 0?1:d,u=l):s=1;let p=t.const("len",(0,at._)`${a}.length`);if(e.setParams({min:s,max:u}),u===void 0&&s===0){(0,ii.checkStrictMode)(i,'"minContains" == 0 without "maxContains": "contains" keyword ignored');return}if(u!==void 0&&s>u){(0,ii.checkStrictMode)(i,'"minContains" > "maxContains" is always invalid'),e.fail();return}if((0,ii.alwaysValidSchema)(i,r)){let y=(0,at._)`${p} >= ${s}`;u!==void 0&&(y=(0,at._)`${y} && ${p} <= ${u}`),e.pass(y);return}i.items=!0;let m=t.name("valid");u===void 0&&s===1?_(m,()=>t.if(m,()=>t.break())):s===0?(t.let(m,!0),u!==void 0&&t.if((0,at._)`${a}.length > 0`,f)):(t.let(m,!1),f()),e.result(m,()=>e.reset());function f(){let y=t.name("_valid"),w=t.let("count",0);_(y,()=>t.if(y,()=>S(w)))}o(f,"validateItemsWithCount");function _(y,w){t.forRange("i",0,p,v=>{e.subschema({keyword:"contains",dataProp:v,dataPropType:ii.Type.Num,compositeRule:!0},y),w()})}o(_,"validateItems");function S(y){t.code((0,at._)`${y}++`),u===void 0?t.if((0,at._)`${y} >= ${s}`,()=>t.assign(m,!0).break()):(t.if((0,at._)`${y} > ${u}`,()=>t.assign(m,!1).break()),s===1?t.assign(m,!0):t.if((0,at._)`${y} >= ${s}`,()=>t.assign(m,!0)))}o(S,"checkLimits")}};Nu.default=MT});var Lh=T(bt=>{"use strict";Object.defineProperty(bt,"__esModule",{value:!0});bt.validateSchemaDeps=bt.validatePropertyDeps=bt.error=void 0;var Du=L(),qT=J(),xo=nt();bt.error={message:o(({params:{property:e,depsCount:t,deps:r}})=>{let n=t===1?"property":"properties";return(0,Du.str)`must have ${n} ${r} when property ${e} is present`},"message"),params:o(({params:{property:e,depsCount:t,deps:r,missingProperty:n}})=>(0,Du._)`{property: ${e},
30
30
  missingProperty: ${n},
31
31
  depsCount: ${t},
32
- deps: ${r}}`,"params")};var yT={keyword:"dependencies",type:"object",schemaType:"object",error:_t.error,code(e){let[t,r]=wT(e);cf(e,t),uf(e,r)}};function wT({schema:e}){let t={},r={};for(let n in e){if(n==="__proto__")continue;let a=Array.isArray(e[n])?t:r;a[n]=e[n]}return[t,r]}o(wT,"splitDependencies");function cf(e,t=e.schema){let{gen:r,data:n,it:a}=e;if(Object.keys(t).length===0)return;let s=r.let("missing");for(let i in t){let c=t[i];if(c.length===0)continue;let d=(0,So.propertyInData)(r,n,i,a.opts.ownProperties);e.setParams({property:i,depsCount:c.length,deps:c.join(", ")}),a.allErrors?r.if(d,()=>{for(let p of c)(0,So.checkReportMissingProp)(e,p)}):(r.if((0,vu._)`${d} && (${(0,So.checkMissingProp)(e,c,s)})`),(0,So.reportMissingProp)(e,s),r.else())}}o(cf,"validatePropertyDeps");_t.validatePropertyDeps=cf;function uf(e,t=e.schema){let{gen:r,data:n,keyword:a,it:s}=e,i=r.name("valid");for(let c in t)(0,_T.alwaysValidSchema)(s,t[c])||(r.if((0,So.propertyInData)(r,n,c,s.opts.ownProperties),()=>{let d=e.subschema({keyword:a,schemaProp:c},i);e.mergeValidEvaluated(d,i)},()=>r.var(i,!0)),e.ok(i))}o(uf,"validateSchemaDeps");_t.validateSchemaDeps=uf;_t.default=yT});var pf=C(bu=>{"use strict";Object.defineProperty(bu,"__esModule",{value:!0});var lf=D(),ST=Z(),vT={message:"property name must be valid",params:o(({params:e})=>(0,lf._)`{propertyName: ${e.propertyName}}`,"params")},bT={keyword:"propertyNames",type:"object",schemaType:["object","boolean"],error:vT,code(e){let{gen:t,schema:r,data:n,it:a}=e;if((0,ST.alwaysValidSchema)(a,r))return;let s=t.name("valid");t.forIn("key",n,i=>{e.setParams({propertyName:i}),e.subschema({keyword:"propertyNames",data:i,dataTypes:["string"],propertyName:i,compositeRule:!0},s),t.if((0,lf.not)(s),()=>{e.error(!0),a.allErrors||t.break()})}),e.ok(s)}};bu.default=bT});var Iu=C(Ru=>{"use strict";Object.defineProperty(Ru,"__esModule",{value:!0});var Fa=Ye(),it=D(),RT=Ot(),Za=Z(),IT={message:"must NOT have additional properties",params:o(({params:e})=>(0,it._)`{additionalProperty: ${e.additionalProperty}}`,"params")},TT={keyword:"additionalProperties",type:["object"],schemaType:["boolean","object"],allowUndefined:!0,trackErrors:!0,error:IT,code(e){let{gen:t,schema:r,parentSchema:n,data:a,errsCount:s,it:i}=e;if(!s)throw new Error("ajv implementation error");let{allErrors:c,opts:d}=i;if(i.props=!0,d.removeAdditional!=="all"&&(0,Za.alwaysValidSchema)(i,r))return;let p=(0,Fa.allSchemaProperties)(n.properties),l=(0,Fa.allSchemaProperties)(n.patternProperties);m(),e.ok((0,it._)`${s} === ${RT.default.errors}`);function m(){t.forIn("key",a,S=>{!p.length&&!l.length?w(S):t.if(h(S),()=>w(S))})}o(m,"checkAdditionalProperties");function h(S){let v;if(p.length>8){let b=(0,Za.schemaRefOrVal)(i,n.properties,"properties");v=(0,Fa.isOwnProperty)(t,b,S)}else p.length?v=(0,it.or)(...p.map(b=>(0,it._)`${S} === ${b}`)):v=it.nil;return l.length&&(v=(0,it.or)(v,...l.map(b=>(0,it._)`${(0,Fa.usePattern)(e,b)}.test(${S})`))),(0,it.not)(v)}o(h,"isAdditional");function _(S){t.code((0,it._)`delete ${a}[${S}]`)}o(_,"deleteAdditional");function w(S){if(d.removeAdditional==="all"||d.removeAdditional&&r===!1){_(S);return}if(r===!1){e.setParams({additionalProperty:S}),e.error(),c||t.break();return}if(typeof r=="object"&&!(0,Za.alwaysValidSchema)(i,r)){let v=t.name("valid");d.removeAdditional==="failing"?(y(S,v,!1),t.if((0,it.not)(v),()=>{e.reset(),_(S)})):(y(S,v),c||t.if((0,it.not)(v),()=>t.break()))}}o(w,"additionalPropertyCode");function y(S,v,b){let T={keyword:"additionalProperties",dataProp:S,dataPropType:Za.Type.Str};b===!1&&Object.assign(T,{compositeRule:!0,createErrors:!1,allErrors:!1}),e.subschema(T,v)}o(y,"applyAdditionalSchema")}};Ru.default=TT});var hf=C(Cu=>{"use strict";Object.defineProperty(Cu,"__esModule",{value:!0});var CT=ao(),mf=Ye(),Tu=Z(),ff=Iu(),ET={keyword:"properties",type:"object",schemaType:"object",code(e){let{gen:t,schema:r,parentSchema:n,data:a,it:s}=e;s.opts.removeAdditional==="all"&&n.additionalProperties===void 0&&ff.default.code(new CT.KeywordCxt(s,ff.default,"additionalProperties"));let i=(0,mf.allSchemaProperties)(r);for(let m of i)s.definedProperties.add(m);s.opts.unevaluated&&i.length&&s.props!==!0&&(s.props=Tu.mergeEvaluated.props(t,(0,Tu.toHash)(i),s.props));let c=i.filter(m=>!(0,Tu.alwaysValidSchema)(s,r[m]));if(c.length===0)return;let d=t.name("valid");for(let m of c)p(m)?l(m):(t.if((0,mf.propertyInData)(t,a,m,s.opts.ownProperties)),l(m),s.allErrors||t.else().var(d,!0),t.endIf()),e.it.definedProperties.add(m),e.ok(d);function p(m){return s.opts.useDefaults&&!s.compositeRule&&r[m].default!==void 0}o(p,"hasDefault");function l(m){e.subschema({keyword:"properties",schemaProp:m,dataProp:m},d)}o(l,"applyPropertySchema")}};Cu.default=ET});var wf=C(Eu=>{"use strict";Object.defineProperty(Eu,"__esModule",{value:!0});var gf=Ye(),Ka=D(),_f=Z(),yf=Z(),AT={keyword:"patternProperties",type:"object",schemaType:"object",code(e){let{gen:t,schema:r,data:n,parentSchema:a,it:s}=e,{opts:i}=s,c=(0,gf.allSchemaProperties)(r),d=c.filter(y=>(0,_f.alwaysValidSchema)(s,r[y]));if(c.length===0||d.length===c.length&&(!s.opts.unevaluated||s.props===!0))return;let p=i.strictSchema&&!i.allowMatchingProperties&&a.properties,l=t.name("valid");s.props!==!0&&!(s.props instanceof Ka.Name)&&(s.props=(0,yf.evaluatedPropsToName)(t,s.props));let{props:m}=s;h();function h(){for(let y of c)p&&_(y),s.allErrors?w(y):(t.var(l,!0),w(y),t.if(l))}o(h,"validatePatternProperties");function _(y){for(let S in p)new RegExp(y).test(S)&&(0,_f.checkStrictMode)(s,`property ${S} matches pattern ${y} (use allowMatchingProperties)`)}o(_,"checkMatchingProperties");function w(y){t.forIn("key",n,S=>{t.if((0,Ka._)`${(0,gf.usePattern)(e,y)}.test(${S})`,()=>{let v=d.includes(y);v||e.subschema({keyword:"patternProperties",schemaProp:y,dataProp:S,dataPropType:yf.Type.Str},l),s.opts.unevaluated&&m!==!0?t.assign((0,Ka._)`${m}[${S}]`,!0):!v&&!s.allErrors&&t.if((0,Ka.not)(l),()=>t.break())})})}o(w,"validateProperties")}};Eu.default=AT});var Sf=C(Au=>{"use strict";Object.defineProperty(Au,"__esModule",{value:!0});var PT=Z(),xT={keyword:"not",schemaType:["object","boolean"],trackErrors:!0,code(e){let{gen:t,schema:r,it:n}=e;if((0,PT.alwaysValidSchema)(n,r)){e.fail();return}let a=t.name("valid");e.subschema({keyword:"not",compositeRule:!0,createErrors:!1,allErrors:!1},a),e.failResult(a,()=>e.reset(),()=>e.error())},error:{message:"must NOT be valid"}};Au.default=xT});var vf=C(Pu=>{"use strict";Object.defineProperty(Pu,"__esModule",{value:!0});var kT=Ye(),OT={keyword:"anyOf",schemaType:"array",trackErrors:!0,code:kT.validateUnion,error:{message:"must match a schema in anyOf"}};Pu.default=OT});var bf=C(xu=>{"use strict";Object.defineProperty(xu,"__esModule",{value:!0});var Wa=D(),UT=Z(),NT={message:"must match exactly one schema in oneOf",params:o(({params:e})=>(0,Wa._)`{passingSchemas: ${e.passing}}`,"params")},$T={keyword:"oneOf",schemaType:"array",trackErrors:!0,error:NT,code(e){let{gen:t,schema:r,parentSchema:n,it:a}=e;if(!Array.isArray(r))throw new Error("ajv implementation error");if(a.opts.discriminator&&n.discriminator)return;let s=r,i=t.let("valid",!1),c=t.let("passing",null),d=t.name("_valid");e.setParams({passing:c}),t.block(p),e.result(i,()=>e.reset(),()=>e.error(!0));function p(){s.forEach((l,m)=>{let h;(0,UT.alwaysValidSchema)(a,l)?t.var(d,!0):h=e.subschema({keyword:"oneOf",schemaProp:m,compositeRule:!0},d),m>0&&t.if((0,Wa._)`${d} && ${i}`).assign(i,!1).assign(c,(0,Wa._)`[${c}, ${m}]`).else(),t.if(d,()=>{t.assign(i,!0),t.assign(c,m),h&&e.mergeEvaluated(h,Wa.Name)})})}o(p,"validateOneOf")}};xu.default=$T});var Rf=C(ku=>{"use strict";Object.defineProperty(ku,"__esModule",{value:!0});var zT=Z(),MT={keyword:"allOf",schemaType:"array",code(e){let{gen:t,schema:r,it:n}=e;if(!Array.isArray(r))throw new Error("ajv implementation error");let a=t.name("valid");r.forEach((s,i)=>{if((0,zT.alwaysValidSchema)(n,s))return;let c=e.subschema({keyword:"allOf",schemaProp:i},a);e.ok(a),e.mergeEvaluated(c)})}};ku.default=MT});var Cf=C(Ou=>{"use strict";Object.defineProperty(Ou,"__esModule",{value:!0});var Ja=D(),Tf=Z(),DT={message:o(({params:e})=>(0,Ja.str)`must match "${e.ifClause}" schema`,"message"),params:o(({params:e})=>(0,Ja._)`{failingKeyword: ${e.ifClause}}`,"params")},qT={keyword:"if",schemaType:["object","boolean"],trackErrors:!0,error:DT,code(e){let{gen:t,parentSchema:r,it:n}=e;r.then===void 0&&r.else===void 0&&(0,Tf.checkStrictMode)(n,'"if" without "then" and "else" is ignored');let a=If(n,"then"),s=If(n,"else");if(!a&&!s)return;let i=t.let("valid",!0),c=t.name("_valid");if(d(),e.reset(),a&&s){let l=t.let("ifClause");e.setParams({ifClause:l}),t.if(c,p("then",l),p("else",l))}else a?t.if(c,p("then")):t.if((0,Ja.not)(c),p("else"));e.pass(i,()=>e.error(!0));function d(){let l=e.subschema({keyword:"if",compositeRule:!0,createErrors:!1,allErrors:!1},c);e.mergeEvaluated(l)}o(d,"validateIf");function p(l,m){return()=>{let h=e.subschema({keyword:l},c);t.assign(i,c),e.mergeValidEvaluated(h,i),m?t.assign(m,(0,Ja._)`${l}`):e.setParams({ifClause:l})}}o(p,"validateClause")}};function If(e,t){let r=e.schema[t];return r!==void 0&&!(0,Tf.alwaysValidSchema)(e,r)}o(If,"hasSchema");Ou.default=qT});var Ef=C(Uu=>{"use strict";Object.defineProperty(Uu,"__esModule",{value:!0});var LT=Z(),jT={keyword:["then","else"],schemaType:["object","boolean"],code({keyword:e,parentSchema:t,it:r}){t.if===void 0&&(0,LT.checkStrictMode)(r,`"${e}" without "if" is ignored`)}};Uu.default=jT});var Af=C(Nu=>{"use strict";Object.defineProperty(Nu,"__esModule",{value:!0});var HT=gu(),GT=nf(),BT=_u(),VT=af(),FT=sf(),ZT=df(),KT=pf(),WT=Iu(),JT=hf(),YT=wf(),XT=Sf(),QT=vf(),eC=bf(),tC=Rf(),rC=Cf(),nC=Ef();function oC(e=!1){let t=[XT.default,QT.default,eC.default,tC.default,rC.default,nC.default,KT.default,WT.default,ZT.default,JT.default,YT.default];return e?t.push(GT.default,VT.default):t.push(HT.default,BT.default),t.push(FT.default),t}o(oC,"getApplicator");Nu.default=oC});var Pf=C($u=>{"use strict";Object.defineProperty($u,"__esModule",{value:!0});var de=D(),aC={message:o(({schemaCode:e})=>(0,de.str)`must match format "${e}"`,"message"),params:o(({schemaCode:e})=>(0,de._)`{format: ${e}}`,"params")},sC={keyword:"format",type:["number","string"],schemaType:"string",$data:!0,error:aC,code(e,t){let{gen:r,data:n,$data:a,schema:s,schemaCode:i,it:c}=e,{opts:d,errSchemaPath:p,schemaEnv:l,self:m}=c;if(!d.validateFormats)return;a?h():_();function h(){let w=r.scopeValue("formats",{ref:m.formats,code:d.code.formats}),y=r.const("fDef",(0,de._)`${w}[${i}]`),S=r.let("fType"),v=r.let("format");r.if((0,de._)`typeof ${y} == "object" && !(${y} instanceof RegExp)`,()=>r.assign(S,(0,de._)`${y}.type || "string"`).assign(v,(0,de._)`${y}.validate`),()=>r.assign(S,(0,de._)`"string"`).assign(v,y)),e.fail$data((0,de.or)(b(),T()));function b(){return d.strictSchema===!1?de.nil:(0,de._)`${i} && !${v}`}o(b,"unknownFmt");function T(){let U=l.$async?(0,de._)`(${y}.async ? await ${v}(${n}) : ${v}(${n}))`:(0,de._)`${v}(${n})`,$=(0,de._)`(typeof ${v} == "function" ? ${U} : ${v}.test(${n}))`;return(0,de._)`${v} && ${v} !== true && ${S} === ${t} && !${$}`}o(T,"invalidFmt")}o(h,"validate$DataFormat");function _(){let w=m.formats[s];if(!w){b();return}if(w===!0)return;let[y,S,v]=T(w);y===t&&e.pass(U());function b(){if(d.strictSchema===!1){m.logger.warn($());return}throw new Error($());function $(){return`unknown format "${s}" ignored in schema at path "${p}"`}}o(b,"unknownFormat");function T($){let Be=$ instanceof RegExp?(0,de.regexpCode)($):d.code.formats?(0,de._)`${d.code.formats}${(0,de.getProperty)(s)}`:void 0,It=r.scopeValue("formats",{key:s,ref:$,code:Be});return typeof $=="object"&&!($ instanceof RegExp)?[$.type||"string",$.validate,(0,de._)`${It}.validate`]:["string",$,It]}o(T,"getFormat");function U(){if(typeof w=="object"&&!(w instanceof RegExp)&&w.async){if(!l.$async)throw new Error("async format in sync schema");return(0,de._)`await ${v}(${n})`}return typeof S=="function"?(0,de._)`${v}(${n})`:(0,de._)`${v}.test(${n})`}o(U,"validCondition")}o(_,"validateFormat")}};$u.default=sC});var xf=C(zu=>{"use strict";Object.defineProperty(zu,"__esModule",{value:!0});var iC=Pf(),cC=[iC.default];zu.default=cC});var kf=C(nn=>{"use strict";Object.defineProperty(nn,"__esModule",{value:!0});nn.contentVocabulary=nn.metadataVocabulary=void 0;nn.metadataVocabulary=["title","description","default","deprecated","readOnly","writeOnly","examples"];nn.contentVocabulary=["contentMediaType","contentEncoding","contentSchema"]});var Uf=C(Mu=>{"use strict";Object.defineProperty(Mu,"__esModule",{value:!0});var uC=qm(),dC=Qm(),lC=Af(),pC=xf(),Of=kf(),mC=[uC.default,dC.default,(0,lC.default)(),pC.default,Of.metadataVocabulary,Of.contentVocabulary];Mu.default=mC});var $f=C(Ya=>{"use strict";Object.defineProperty(Ya,"__esModule",{value:!0});Ya.DiscrError=void 0;var Nf;(function(e){e.Tag="tag",e.Mapping="mapping"})(Nf||(Ya.DiscrError=Nf={}))});var Mf=C(qu=>{"use strict";Object.defineProperty(qu,"__esModule",{value:!0});var on=D(),Du=$f(),zf=Oa(),fC=so(),hC=Z(),gC={message:o(({params:{discrError:e,tagName:t}})=>e===Du.DiscrError.Tag?`tag "${t}" must be string`:`value of tag "${t}" must be in oneOf`,"message"),params:o(({params:{discrError:e,tag:t,tagName:r}})=>(0,on._)`{error: ${e}, tag: ${r}, tagValue: ${t}}`,"params")},_C={keyword:"discriminator",type:"object",schemaType:"object",error:gC,code(e){let{gen:t,data:r,schema:n,parentSchema:a,it:s}=e,{oneOf:i}=a;if(!s.opts.discriminator)throw new Error("discriminator: requires discriminator option");let c=n.propertyName;if(typeof c!="string")throw new Error("discriminator: requires propertyName");if(n.mapping)throw new Error("discriminator: mapping is not supported");if(!i)throw new Error("discriminator: requires oneOf keyword");let d=t.let("valid",!1),p=t.const("tag",(0,on._)`${r}${(0,on.getProperty)(c)}`);t.if((0,on._)`typeof ${p} == "string"`,()=>l(),()=>e.error(!1,{discrError:Du.DiscrError.Tag,tag:p,tagName:c})),e.ok(d);function l(){let _=h();t.if(!1);for(let w in _)t.elseIf((0,on._)`${p} === ${w}`),t.assign(d,m(_[w]));t.else(),e.error(!1,{discrError:Du.DiscrError.Mapping,tag:p,tagName:c}),t.endIf()}o(l,"validateMapping");function m(_){let w=t.name("valid"),y=e.subschema({keyword:"oneOf",schemaProp:_},w);return e.mergeEvaluated(y,on.Name),w}o(m,"applyTagSchema");function h(){var _;let w={},y=v(a),S=!0;for(let U=0;U<i.length;U++){let $=i[U];if($?.$ref&&!(0,hC.schemaHasRulesButRef)($,s.self.RULES)){let It=$.$ref;if($=zf.resolveRef.call(s.self,s.schemaEnv.root,s.baseId,It),$ instanceof zf.SchemaEnv&&($=$.schema),$===void 0)throw new fC.default(s.opts.uriResolver,s.baseId,It)}let Be=(_=$?.properties)===null||_===void 0?void 0:_[c];if(typeof Be!="object")throw new Error(`discriminator: oneOf subschemas (or referenced schemas) must have "properties/${c}"`);S=S&&(y||v($)),b(Be,U)}if(!S)throw new Error(`discriminator: "${c}" must be required`);return w;function v({required:U}){return Array.isArray(U)&&U.includes(c)}function b(U,$){if(U.const)T(U.const,$);else if(U.enum)for(let Be of U.enum)T(Be,$);else throw new Error(`discriminator: "properties/${c}" must have "const" or "enum"`)}function T(U,$){if(typeof U!="string"||U in w)throw new Error(`discriminator: "${c}" values must be unique strings`);w[U]=$}}o(h,"getMapping")}};qu.default=_C});var Df=C((K1,yC)=>{yC.exports={$schema:"http://json-schema.org/draft-07/schema#",$id:"http://json-schema.org/draft-07/schema#",title:"Core schema meta-schema",definitions:{schemaArray:{type:"array",minItems:1,items:{$ref:"#"}},nonNegativeInteger:{type:"integer",minimum:0},nonNegativeIntegerDefault0:{allOf:[{$ref:"#/definitions/nonNegativeInteger"},{default:0}]},simpleTypes:{enum:["array","boolean","integer","null","number","object","string"]},stringArray:{type:"array",items:{type:"string"},uniqueItems:!0,default:[]}},type:["object","boolean"],properties:{$id:{type:"string",format:"uri-reference"},$schema:{type:"string",format:"uri"},$ref:{type:"string",format:"uri-reference"},$comment:{type:"string"},title:{type:"string"},description:{type:"string"},default:!0,readOnly:{type:"boolean",default:!1},examples:{type:"array",items:!0},multipleOf:{type:"number",exclusiveMinimum:0},maximum:{type:"number"},exclusiveMaximum:{type:"number"},minimum:{type:"number"},exclusiveMinimum:{type:"number"},maxLength:{$ref:"#/definitions/nonNegativeInteger"},minLength:{$ref:"#/definitions/nonNegativeIntegerDefault0"},pattern:{type:"string",format:"regex"},additionalItems:{$ref:"#"},items:{anyOf:[{$ref:"#"},{$ref:"#/definitions/schemaArray"}],default:!0},maxItems:{$ref:"#/definitions/nonNegativeInteger"},minItems:{$ref:"#/definitions/nonNegativeIntegerDefault0"},uniqueItems:{type:"boolean",default:!1},contains:{$ref:"#"},maxProperties:{$ref:"#/definitions/nonNegativeInteger"},minProperties:{$ref:"#/definitions/nonNegativeIntegerDefault0"},required:{$ref:"#/definitions/stringArray"},additionalProperties:{$ref:"#"},definitions:{type:"object",additionalProperties:{$ref:"#"},default:{}},properties:{type:"object",additionalProperties:{$ref:"#"},default:{}},patternProperties:{type:"object",additionalProperties:{$ref:"#"},propertyNames:{format:"regex"},default:{}},dependencies:{type:"object",additionalProperties:{anyOf:[{$ref:"#"},{$ref:"#/definitions/stringArray"}]}},propertyNames:{$ref:"#"},const:!0,enum:{type:"array",items:!0,minItems:1,uniqueItems:!0},type:{anyOf:[{$ref:"#/definitions/simpleTypes"},{type:"array",items:{$ref:"#/definitions/simpleTypes"},minItems:1,uniqueItems:!0}]},format:{type:"string"},contentMediaType:{type:"string"},contentEncoding:{type:"string"},if:{$ref:"#"},then:{$ref:"#"},else:{$ref:"#"},allOf:{$ref:"#/definitions/schemaArray"},anyOf:{$ref:"#/definitions/schemaArray"},oneOf:{$ref:"#/definitions/schemaArray"},not:{$ref:"#"}},default:!0}});var ju=C((re,Lu)=>{"use strict";Object.defineProperty(re,"__esModule",{value:!0});re.MissingRefError=re.ValidationError=re.CodeGen=re.Name=re.nil=re.stringify=re.str=re._=re.KeywordCxt=re.Ajv=void 0;var wC=Um(),SC=Uf(),vC=Mf(),qf=Df(),bC=["/properties"],Xa="http://json-schema.org/draft-07/schema",an=class extends wC.default{static{o(this,"Ajv")}_addVocabularies(){super._addVocabularies(),SC.default.forEach(t=>this.addVocabulary(t)),this.opts.discriminator&&this.addKeyword(vC.default)}_addDefaultMetaSchema(){if(super._addDefaultMetaSchema(),!this.opts.meta)return;let t=this.opts.$data?this.$dataMetaSchema(qf,bC):qf;this.addMetaSchema(t,Xa,!1),this.refs["http://json-schema.org/schema"]=Xa}defaultMeta(){return this.opts.defaultMeta=super.defaultMeta()||(this.getSchema(Xa)?Xa:void 0)}};re.Ajv=an;Lu.exports=re=an;Lu.exports.Ajv=an;Object.defineProperty(re,"__esModule",{value:!0});re.default=an;var RC=ao();Object.defineProperty(re,"KeywordCxt",{enumerable:!0,get:o(function(){return RC.KeywordCxt},"get")});var sn=D();Object.defineProperty(re,"_",{enumerable:!0,get:o(function(){return sn._},"get")});Object.defineProperty(re,"str",{enumerable:!0,get:o(function(){return sn.str},"get")});Object.defineProperty(re,"stringify",{enumerable:!0,get:o(function(){return sn.stringify},"get")});Object.defineProperty(re,"nil",{enumerable:!0,get:o(function(){return sn.nil},"get")});Object.defineProperty(re,"Name",{enumerable:!0,get:o(function(){return sn.Name},"get")});Object.defineProperty(re,"CodeGen",{enumerable:!0,get:o(function(){return sn.CodeGen},"get")});var IC=xa();Object.defineProperty(re,"ValidationError",{enumerable:!0,get:o(function(){return IC.default},"get")});var TC=so();Object.defineProperty(re,"MissingRefError",{enumerable:!0,get:o(function(){return TC.default},"get")})});var Zf=C(wt=>{"use strict";Object.defineProperty(wt,"__esModule",{value:!0});wt.formatNames=wt.fastFormats=wt.fullFormats=void 0;function yt(e,t){return{validate:e,compare:t}}o(yt,"fmtDef");wt.fullFormats={date:yt(Gf,Vu),time:yt(Gu(!0),Fu),"date-time":yt(Lf(!0),Vf),"iso-time":yt(Gu(),Bf),"iso-date-time":yt(Lf(),Ff),duration:/^P(?!$)((\d+Y)?(\d+M)?(\d+D)?(T(?=\d)(\d+H)?(\d+M)?(\d+S)?)?|(\d+W)?)$/,uri:kC,"uri-reference":/^(?:[a-z][a-z0-9+\-.]*:)?(?:\/?\/(?:(?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9a-f]{2})*@)?(?:\[(?:(?:(?:(?:[0-9a-f]{1,4}:){6}|::(?:[0-9a-f]{1,4}:){5}|(?:[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){4}|(?:(?:[0-9a-f]{1,4}:){0,1}[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){3}|(?:(?:[0-9a-f]{1,4}:){0,2}[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){2}|(?:(?:[0-9a-f]{1,4}:){0,3}[0-9a-f]{1,4})?::[0-9a-f]{1,4}:|(?:(?:[0-9a-f]{1,4}:){0,4}[0-9a-f]{1,4})?::)(?:[0-9a-f]{1,4}:[0-9a-f]{1,4}|(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?))|(?:(?:[0-9a-f]{1,4}:){0,5}[0-9a-f]{1,4})?::[0-9a-f]{1,4}|(?:(?:[0-9a-f]{1,4}:){0,6}[0-9a-f]{1,4})?::)|[Vv][0-9a-f]+\.[a-z0-9\-._~!$&'()*+,;=:]+)\]|(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?)|(?:[a-z0-9\-._~!$&'"()*+,;=]|%[0-9a-f]{2})*)(?::\d*)?(?:\/(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})*)*|\/(?:(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})+(?:\/(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})*)*)?|(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})+(?:\/(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})*)*)?(?:\?(?:[a-z0-9\-._~!$&'"()*+,;=:@/?]|%[0-9a-f]{2})*)?(?:#(?:[a-z0-9\-._~!$&'"()*+,;=:@/?]|%[0-9a-f]{2})*)?$/i,"uri-template":/^(?:(?:[^\x00-\x20"'<>%\\^`{|}]|%[0-9a-f]{2})|\{[+#./;?&=,!@|]?(?:[a-z0-9_]|%[0-9a-f]{2})+(?::[1-9][0-9]{0,3}|\*)?(?:,(?:[a-z0-9_]|%[0-9a-f]{2})+(?::[1-9][0-9]{0,3}|\*)?)*\})*$/i,url:/^(?:https?|ftp):\/\/(?:\S+(?::\S*)?@)?(?:(?!(?:10|127)(?:\.\d{1,3}){3})(?!(?:169\.254|192\.168)(?:\.\d{1,3}){2})(?!172\.(?:1[6-9]|2\d|3[0-1])(?:\.\d{1,3}){2})(?:[1-9]\d?|1\d\d|2[01]\d|22[0-3])(?:\.(?:1?\d{1,2}|2[0-4]\d|25[0-5])){2}(?:\.(?:[1-9]\d?|1\d\d|2[0-4]\d|25[0-4]))|(?:(?:[a-z0-9\u{00a1}-\u{ffff}]+-)*[a-z0-9\u{00a1}-\u{ffff}]+)(?:\.(?:[a-z0-9\u{00a1}-\u{ffff}]+-)*[a-z0-9\u{00a1}-\u{ffff}]+)*(?:\.(?:[a-z\u{00a1}-\u{ffff}]{2,})))(?::\d{2,5})?(?:\/[^\s]*)?$/iu,email:/^[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*@(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$/i,hostname:/^(?=.{1,253}\.?$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[-0-9a-z]{0,61}[0-9a-z])?)*\.?$/i,ipv4:/^(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.){3}(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)$/,ipv6:/^((([0-9a-f]{1,4}:){7}([0-9a-f]{1,4}|:))|(([0-9a-f]{1,4}:){6}(:[0-9a-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9a-f]{1,4}:){5}(((:[0-9a-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9a-f]{1,4}:){4}(((:[0-9a-f]{1,4}){1,3})|((:[0-9a-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){3}(((:[0-9a-f]{1,4}){1,4})|((:[0-9a-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){2}(((:[0-9a-f]{1,4}){1,5})|((:[0-9a-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){1}(((:[0-9a-f]{1,4}){1,6})|((:[0-9a-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9a-f]{1,4}){1,7})|((:[0-9a-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))$/i,regex:DC,uuid:/^(?:urn:uuid:)?[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$/i,"json-pointer":/^(?:\/(?:[^~/]|~0|~1)*)*$/,"json-pointer-uri-fragment":/^#(?:\/(?:[a-z0-9_\-.!$&'()*+,;:=@]|%[0-9a-f]{2}|~0|~1)*)*$/i,"relative-json-pointer":/^(?:0|[1-9][0-9]*)(?:#|(?:\/(?:[^~/]|~0|~1)*)*)$/,byte:OC,int32:{type:"number",validate:$C},int64:{type:"number",validate:zC},float:{type:"number",validate:Hf},double:{type:"number",validate:Hf},password:!0,binary:!0};wt.fastFormats={...wt.fullFormats,date:yt(/^\d\d\d\d-[0-1]\d-[0-3]\d$/,Vu),time:yt(/^(?:[0-2]\d:[0-5]\d:[0-5]\d|23:59:60)(?:\.\d+)?(?:z|[+-]\d\d(?::?\d\d)?)$/i,Fu),"date-time":yt(/^\d\d\d\d-[0-1]\d-[0-3]\dt(?:[0-2]\d:[0-5]\d:[0-5]\d|23:59:60)(?:\.\d+)?(?:z|[+-]\d\d(?::?\d\d)?)$/i,Vf),"iso-time":yt(/^(?:[0-2]\d:[0-5]\d:[0-5]\d|23:59:60)(?:\.\d+)?(?:z|[+-]\d\d(?::?\d\d)?)?$/i,Bf),"iso-date-time":yt(/^\d\d\d\d-[0-1]\d-[0-3]\d[t\s](?:[0-2]\d:[0-5]\d:[0-5]\d|23:59:60)(?:\.\d+)?(?:z|[+-]\d\d(?::?\d\d)?)?$/i,Ff),uri:/^(?:[a-z][a-z0-9+\-.]*:)(?:\/?\/)?[^\s]*$/i,"uri-reference":/^(?:(?:[a-z][a-z0-9+\-.]*:)?\/?\/)?(?:[^\\\s#][^\s#]*)?(?:#[^\\\s]*)?$/i,email:/^[a-z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$/i};wt.formatNames=Object.keys(wt.fullFormats);function CC(e){return e%4===0&&(e%100!==0||e%400===0)}o(CC,"isLeapYear");var EC=/^(\d\d\d\d)-(\d\d)-(\d\d)$/,AC=[0,31,28,31,30,31,30,31,31,30,31,30,31];function Gf(e){let t=EC.exec(e);if(!t)return!1;let r=+t[1],n=+t[2],a=+t[3];return n>=1&&n<=12&&a>=1&&a<=(n===2&&CC(r)?29:AC[n])}o(Gf,"date");function Vu(e,t){if(e&&t)return e>t?1:e<t?-1:0}o(Vu,"compareDate");var Hu=/^(\d\d):(\d\d):(\d\d(?:\.\d+)?)(z|([+-])(\d\d)(?::?(\d\d))?)?$/i;function Gu(e){return o(function(r){let n=Hu.exec(r);if(!n)return!1;let a=+n[1],s=+n[2],i=+n[3],c=n[4],d=n[5]==="-"?-1:1,p=+(n[6]||0),l=+(n[7]||0);if(p>23||l>59||e&&!c)return!1;if(a<=23&&s<=59&&i<60)return!0;let m=s-l*d,h=a-p*d-(m<0?1:0);return(h===23||h===-1)&&(m===59||m===-1)&&i<61},"time")}o(Gu,"getTime");function Fu(e,t){if(!(e&&t))return;let r=new Date("2020-01-01T"+e).valueOf(),n=new Date("2020-01-01T"+t).valueOf();if(r&&n)return r-n}o(Fu,"compareTime");function Bf(e,t){if(!(e&&t))return;let r=Hu.exec(e),n=Hu.exec(t);if(r&&n)return e=r[1]+r[2]+r[3],t=n[1]+n[2]+n[3],e>t?1:e<t?-1:0}o(Bf,"compareIsoTime");var Bu=/t|\s/i;function Lf(e){let t=Gu(e);return o(function(n){let a=n.split(Bu);return a.length===2&&Gf(a[0])&&t(a[1])},"date_time")}o(Lf,"getDateTime");function Vf(e,t){if(!(e&&t))return;let r=new Date(e).valueOf(),n=new Date(t).valueOf();if(r&&n)return r-n}o(Vf,"compareDateTime");function Ff(e,t){if(!(e&&t))return;let[r,n]=e.split(Bu),[a,s]=t.split(Bu),i=Vu(r,a);if(i!==void 0)return i||Fu(n,s)}o(Ff,"compareIsoDateTime");var PC=/\/|:/,xC=/^(?:[a-z][a-z0-9+\-.]*:)(?:\/?\/(?:(?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9a-f]{2})*@)?(?:\[(?:(?:(?:(?:[0-9a-f]{1,4}:){6}|::(?:[0-9a-f]{1,4}:){5}|(?:[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){4}|(?:(?:[0-9a-f]{1,4}:){0,1}[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){3}|(?:(?:[0-9a-f]{1,4}:){0,2}[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){2}|(?:(?:[0-9a-f]{1,4}:){0,3}[0-9a-f]{1,4})?::[0-9a-f]{1,4}:|(?:(?:[0-9a-f]{1,4}:){0,4}[0-9a-f]{1,4})?::)(?:[0-9a-f]{1,4}:[0-9a-f]{1,4}|(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?))|(?:(?:[0-9a-f]{1,4}:){0,5}[0-9a-f]{1,4})?::[0-9a-f]{1,4}|(?:(?:[0-9a-f]{1,4}:){0,6}[0-9a-f]{1,4})?::)|[Vv][0-9a-f]+\.[a-z0-9\-._~!$&'()*+,;=:]+)\]|(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?)|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9a-f]{2})*)(?::\d*)?(?:\/(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})*)*|\/(?:(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})+(?:\/(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})*)*)?|(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})+(?:\/(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})*)*)(?:\?(?:[a-z0-9\-._~!$&'()*+,;=:@/?]|%[0-9a-f]{2})*)?(?:#(?:[a-z0-9\-._~!$&'()*+,;=:@/?]|%[0-9a-f]{2})*)?$/i;function kC(e){return PC.test(e)&&xC.test(e)}o(kC,"uri");var jf=/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/gm;function OC(e){return jf.lastIndex=0,jf.test(e)}o(OC,"byte");var UC=-(2**31),NC=2**31-1;function $C(e){return Number.isInteger(e)&&e<=NC&&e>=UC}o($C,"validateInt32");function zC(e){return Number.isInteger(e)}o(zC,"validateInt64");function Hf(){return!0}o(Hf,"validateNumber");var MC=/[^\\]\\Z/;function DC(e){if(MC.test(e))return!1;try{return new RegExp(e),!0}catch{return!1}}o(DC,"regex")});var Kf=C(cn=>{"use strict";Object.defineProperty(cn,"__esModule",{value:!0});cn.formatLimitDefinition=void 0;var qC=ju(),ct=D(),or=ct.operators,Qa={formatMaximum:{okStr:"<=",ok:or.LTE,fail:or.GT},formatMinimum:{okStr:">=",ok:or.GTE,fail:or.LT},formatExclusiveMaximum:{okStr:"<",ok:or.LT,fail:or.GTE},formatExclusiveMinimum:{okStr:">",ok:or.GT,fail:or.LTE}},LC={message:o(({keyword:e,schemaCode:t})=>(0,ct.str)`should be ${Qa[e].okStr} ${t}`,"message"),params:o(({keyword:e,schemaCode:t})=>(0,ct._)`{comparison: ${Qa[e].okStr}, limit: ${t}}`,"params")};cn.formatLimitDefinition={keyword:Object.keys(Qa),type:"string",schemaType:"string",$data:!0,error:LC,code(e){let{gen:t,data:r,schemaCode:n,keyword:a,it:s}=e,{opts:i,self:c}=s;if(!i.validateFormats)return;let d=new qC.KeywordCxt(s,c.RULES.all.format.definition,"format");d.$data?p():l();function p(){let h=t.scopeValue("formats",{ref:c.formats,code:i.code.formats}),_=t.const("fmt",(0,ct._)`${h}[${d.schemaCode}]`);e.fail$data((0,ct.or)((0,ct._)`typeof ${_} != "object"`,(0,ct._)`${_} instanceof RegExp`,(0,ct._)`typeof ${_}.compare != "function"`,m(_)))}o(p,"validate$DataFormat");function l(){let h=d.schema,_=c.formats[h];if(!_||_===!0)return;if(typeof _!="object"||_ instanceof RegExp||typeof _.compare!="function")throw new Error(`"${a}": format "${h}" does not define "compare" function`);let w=t.scopeValue("formats",{key:h,ref:_,code:i.code.formats?(0,ct._)`${i.code.formats}${(0,ct.getProperty)(h)}`:void 0});e.fail$data(m(w))}o(l,"validateFormat");function m(h){return(0,ct._)`${h}.compare(${r}, ${n}) ${Qa[a].fail} 0`}o(m,"compareCode")},dependencies:["format"]};var jC=o(e=>(e.addKeyword(cn.formatLimitDefinition),e),"formatLimitPlugin");cn.default=jC});var Xf=C((vo,Yf)=>{"use strict";Object.defineProperty(vo,"__esModule",{value:!0});var un=Zf(),HC=Kf(),Zu=D(),Wf=new Zu.Name("fullFormats"),GC=new Zu.Name("fastFormats"),Ku=o((e,t={keywords:!0})=>{if(Array.isArray(t))return Jf(e,t,un.fullFormats,Wf),e;let[r,n]=t.mode==="fast"?[un.fastFormats,GC]:[un.fullFormats,Wf],a=t.formats||un.formatNames;return Jf(e,a,r,n),t.keywords&&(0,HC.default)(e),e},"formatsPlugin");Ku.get=(e,t="full")=>{let n=(t==="fast"?un.fastFormats:un.fullFormats)[e];if(!n)throw new Error(`Unknown format "${e}"`);return n};function Jf(e,t,r,n){var a,s;(a=(s=e.opts.code).formats)!==null&&a!==void 0||(s.formats=(0,Zu._)`require("ajv-formats/dist/formats").${n}`);for(let i of t)e.addFormat(i,r[i])}o(Jf,"addFormats");Yf.exports=vo=Ku;Object.defineProperty(vo,"__esModule",{value:!0});vo.default=Ku});xw();function Gt(e){return!!e._zod}o(Gt,"isZ4Schema");function xe(e,t){return Gt(e)?vi(e,t):e.safeParse(t)}o(xe,"safeParse");function jr(e){if(!e)return;let t;if(Gt(e)?t=e._zod?.def?.shape:t=e.shape,!!t){if(typeof t=="function")try{return t()}catch{return}return t}}o(jr,"getObjectShape");function Jl(e){if(Gt(e)){let s=e._zod?.def;if(s){if(s.value!==void 0)return s.value;if(Array.isArray(s.values)&&s.values.length>0)return s.values[0]}}let r=e._def;if(r){if(r.value!==void 0)return r.value;if(Array.isArray(r.values)&&r.values.length>0)return r.values[0]}let n=e.value;if(n!==void 0)return n}o(Jl,"getLiteralValue");W();var Vt="2025-11-25",Yl="2025-03-26",Ft=[Vt,"2025-06-18","2025-03-26","2024-11-05","2024-10-07"],Zt="io.modelcontextprotocol/related-task",oa="2.0",he=Zl(e=>e!==null&&(typeof e=="object"||typeof e=="function")),Xl=ne([f(),V().int()]),Ql=f(),p$=fe({ttl:V().optional(),pollInterval:V().optional()}),Uw=I({ttl:V().optional()}),Nw=I({taskId:f()}),Ti=fe({progressToken:Xl.optional(),[Zt]:Nw.optional()}),Fe=I({_meta:Ti.optional()}),$n=Fe.extend({task:Uw.optional()}),ep=o(e=>$n.safeParse(e).success,"isTaskAugmentedRequestParams"),ye=I({method:f(),params:Fe.loose().optional()}),Ke=I({_meta:Ti.optional()}),We=I({method:f(),params:Ke.loose().optional()}),we=fe({_meta:Ti.optional()}),aa=ne([f(),V().int()]),tp=I({jsonrpc:P(oa),id:aa,...ye.shape}).strict(),mt=o(e=>tp.safeParse(e).success,"isJSONRPCRequest"),rp=I({jsonrpc:P(oa),...We.shape}).strict(),np=o(e=>rp.safeParse(e).success,"isJSONRPCNotification"),Ci=I({jsonrpc:P(oa),id:aa,result:we}).strict(),nt=o(e=>Ci.safeParse(e).success,"isJSONRPCResultResponse");var A;(function(e){e[e.ConnectionClosed=-32e3]="ConnectionClosed",e[e.RequestTimeout=-32001]="RequestTimeout",e[e.ParseError=-32700]="ParseError",e[e.InvalidRequest=-32600]="InvalidRequest",e[e.MethodNotFound=-32601]="MethodNotFound",e[e.InvalidParams=-32602]="InvalidParams",e[e.InternalError=-32603]="InternalError",e[e.UrlElicitationRequired=-32042]="UrlElicitationRequired"})(A||(A={}));var Ei=I({jsonrpc:P(oa),id:aa.optional(),error:I({code:V().int(),message:f(),data:ue().optional()})}).strict();var Gr=o(e=>Ei.safeParse(e).success,"isJSONRPCErrorResponse");var hr=ne([tp,rp,Ci,Ei]),m$=ne([Ci,Ei]),Et=we.strict(),$w=Ke.extend({requestId:aa.optional(),reason:f().optional()}),sa=We.extend({method:P("notifications/cancelled"),params:$w}),zw=I({src:f(),mimeType:f().optional(),sizes:R(f()).optional(),theme:Ve(["light","dark"]).optional()}),zn=I({icons:R(zw).optional()}),Hr=I({name:f(),title:f().optional()}),Br=Hr.extend({...Hr.shape,...zn.shape,version:f(),websiteUrl:f().optional(),description:f().optional()}),Mw=Ri(I({applyDefaults:Y().optional()}),ee(f(),ue())),Dw=Ii(e=>e&&typeof e=="object"&&!Array.isArray(e)&&Object.keys(e).length===0?{form:{}}:e,Ri(I({form:Mw.optional(),url:he.optional()}),ee(f(),ue()).optional())),qw=fe({list:he.optional(),cancel:he.optional(),requests:fe({sampling:fe({createMessage:he.optional()}).optional(),elicitation:fe({create:he.optional()}).optional()}).optional()}),Lw=fe({list:he.optional(),cancel:he.optional(),requests:fe({tools:fe({call:he.optional()}).optional()}).optional()}),jw=I({experimental:ee(f(),he).optional(),sampling:I({context:he.optional(),tools:he.optional()}).optional(),elicitation:Dw.optional(),roots:I({listChanged:Y().optional()}).optional(),tasks:qw.optional(),extensions:ee(f(),he).optional()}),Hw=Fe.extend({protocolVersion:f(),capabilities:jw,clientInfo:Br}),ia=ye.extend({method:P("initialize"),params:Hw}),Ai=o(e=>ia.safeParse(e).success,"isInitializeRequest"),Gw=I({experimental:ee(f(),he).optional(),logging:he.optional(),completions:he.optional(),prompts:I({listChanged:Y().optional()}).optional(),resources:I({subscribe:Y().optional(),listChanged:Y().optional()}).optional(),tools:I({listChanged:Y().optional()}).optional(),tasks:Lw.optional(),extensions:ee(f(),he).optional()}),Pi=we.extend({protocolVersion:f(),capabilities:Gw,serverInfo:Br,instructions:f().optional()}),ca=We.extend({method:P("notifications/initialized"),params:Ke.optional()}),op=o(e=>ca.safeParse(e).success,"isInitializedNotification"),ua=ye.extend({method:P("ping"),params:Fe.optional()}),Bw=I({progress:V(),total:se(V()),message:se(f())}),Vw=I({...Ke.shape,...Bw.shape,progressToken:Xl}),da=We.extend({method:P("notifications/progress"),params:Vw}),Fw=Fe.extend({cursor:Ql.optional()}),Mn=ye.extend({params:Fw.optional()}),Dn=we.extend({nextCursor:Ql.optional()}),Zw=Ve(["working","input_required","completed","failed","cancelled"]),qn=I({taskId:f(),status:Zw,ttl:ne([V(),Vl()]),createdAt:f(),lastUpdatedAt:f(),pollInterval:se(V()),statusMessage:se(f())}),At=we.extend({task:qn}),Kw=Ke.merge(qn),Ln=We.extend({method:P("notifications/tasks/status"),params:Kw}),la=ye.extend({method:P("tasks/get"),params:Fe.extend({taskId:f()})}),pa=we.merge(qn),ma=ye.extend({method:P("tasks/result"),params:Fe.extend({taskId:f()})}),f$=we.loose(),fa=Mn.extend({method:P("tasks/list")}),ha=Dn.extend({tasks:R(qn)}),ga=ye.extend({method:P("tasks/cancel"),params:Fe.extend({taskId:f()})}),ap=we.merge(qn),sp=I({uri:f(),mimeType:se(f()),_meta:ee(f(),ue()).optional()}),ip=sp.extend({text:f()}),xi=f().refine(e=>{try{return atob(e),!0}catch{return!1}},{message:"Invalid Base64 string"}),cp=sp.extend({blob:xi}),jn=Ve(["user","assistant"]),Vr=I({audience:R(jn).optional(),priority:V().min(0).max(1).optional(),lastModified:Gl.datetime({offset:!0}).optional()}),up=I({...Hr.shape,...zn.shape,uri:f(),description:se(f()),mimeType:se(f()),size:se(V()),annotations:Vr.optional(),_meta:se(fe({}))}),Ww=I({...Hr.shape,...zn.shape,uriTemplate:f(),description:se(f()),mimeType:se(f()),annotations:Vr.optional(),_meta:se(fe({}))}),ki=Mn.extend({method:P("resources/list")}),Oi=Dn.extend({resources:R(up)}),Jw=Mn.extend({method:P("resources/templates/list")}),Ui=Dn.extend({resourceTemplates:R(Ww)}),Ni=Fe.extend({uri:f()}),Yw=Ni,$i=ye.extend({method:P("resources/read"),params:Yw}),zi=we.extend({contents:R(ne([ip,cp]))}),Mi=We.extend({method:P("notifications/resources/list_changed"),params:Ke.optional()}),Xw=Ni,Qw=ye.extend({method:P("resources/subscribe"),params:Xw}),eS=Ni,tS=ye.extend({method:P("resources/unsubscribe"),params:eS}),rS=Ke.extend({uri:f()}),nS=We.extend({method:P("notifications/resources/updated"),params:rS}),oS=I({name:f(),description:se(f()),required:se(Y())}),aS=I({...Hr.shape,...zn.shape,description:se(f()),arguments:se(R(oS)),_meta:se(fe({}))}),Di=Mn.extend({method:P("prompts/list")}),qi=Dn.extend({prompts:R(aS)}),sS=Fe.extend({name:f(),arguments:ee(f(),f()).optional()}),Li=ye.extend({method:P("prompts/get"),params:sS}),ji=I({type:P("text"),text:f(),annotations:Vr.optional(),_meta:ee(f(),ue()).optional()}),Hi=I({type:P("image"),data:xi,mimeType:f(),annotations:Vr.optional(),_meta:ee(f(),ue()).optional()}),Gi=I({type:P("audio"),data:xi,mimeType:f(),annotations:Vr.optional(),_meta:ee(f(),ue()).optional()}),iS=I({type:P("tool_use"),name:f(),id:f(),input:ee(f(),ue()),_meta:ee(f(),ue()).optional()}),cS=I({type:P("resource"),resource:ne([ip,cp]),annotations:Vr.optional(),_meta:ee(f(),ue()).optional()}),uS=up.extend({type:P("resource_link")}),Bi=ne([ji,Hi,Gi,uS,cS]),dS=I({role:jn,content:Bi}),Vi=we.extend({description:f().optional(),messages:R(dS)}),Fi=We.extend({method:P("notifications/prompts/list_changed"),params:Ke.optional()}),lS=I({title:f().optional(),readOnlyHint:Y().optional(),destructiveHint:Y().optional(),idempotentHint:Y().optional(),openWorldHint:Y().optional()}),pS=I({taskSupport:Ve(["required","optional","forbidden"]).optional()}),dp=I({...Hr.shape,...zn.shape,description:f().optional(),inputSchema:I({type:P("object"),properties:ee(f(),he).optional(),required:R(f()).optional()}).catchall(ue()),outputSchema:I({type:P("object"),properties:ee(f(),he).optional(),required:R(f()).optional()}).catchall(ue()).optional(),annotations:lS.optional(),execution:pS.optional(),_meta:ee(f(),ue()).optional()}),Zi=Mn.extend({method:P("tools/list")}),Ki=Dn.extend({tools:R(dp)}),Kt=we.extend({content:R(Bi).default([]),structuredContent:ee(f(),ue()).optional(),isError:Y().optional()}),h$=Kt.or(we.extend({toolResult:ue()})),mS=$n.extend({name:f(),arguments:ee(f(),ue()).optional()}),Hn=ye.extend({method:P("tools/call"),params:mS}),Wi=We.extend({method:P("notifications/tools/list_changed"),params:Ke.optional()}),lp=I({autoRefresh:Y().default(!0),debounceMs:V().int().nonnegative().default(300)}),Gn=Ve(["debug","info","notice","warning","error","critical","alert","emergency"]),fS=Fe.extend({level:Gn}),Ji=ye.extend({method:P("logging/setLevel"),params:fS}),hS=Ke.extend({level:Gn,logger:f().optional(),data:ue()}),gS=We.extend({method:P("notifications/message"),params:hS}),_S=I({name:f().optional()}),yS=I({hints:R(_S).optional(),costPriority:V().min(0).max(1).optional(),speedPriority:V().min(0).max(1).optional(),intelligencePriority:V().min(0).max(1).optional()}),wS=I({mode:Ve(["auto","required","none"]).optional()}),SS=I({type:P("tool_result"),toolUseId:f().describe("The unique identifier for the corresponding tool call."),content:R(Bi).default([]),structuredContent:I({}).loose().optional(),isError:Y().optional(),_meta:ee(f(),ue()).optional()}),vS=bi("type",[ji,Hi,Gi]),na=bi("type",[ji,Hi,Gi,iS,SS]),bS=I({role:jn,content:ne([na,R(na)]),_meta:ee(f(),ue()).optional()}),RS=$n.extend({messages:R(bS),modelPreferences:yS.optional(),systemPrompt:f().optional(),includeContext:Ve(["none","thisServer","allServers"]).optional(),temperature:V().optional(),maxTokens:V().int(),stopSequences:R(f()).optional(),metadata:he.optional(),tools:R(dp).optional(),toolChoice:wS.optional()}),Yi=ye.extend({method:P("sampling/createMessage"),params:RS}),gr=we.extend({model:f(),stopReason:se(Ve(["endTurn","stopSequence","maxTokens"]).or(f())),role:jn,content:vS}),Bn=we.extend({model:f(),stopReason:se(Ve(["endTurn","stopSequence","maxTokens","toolUse"]).or(f())),role:jn,content:ne([na,R(na)])}),IS=I({type:P("boolean"),title:f().optional(),description:f().optional(),default:Y().optional()}),TS=I({type:P("string"),title:f().optional(),description:f().optional(),minLength:V().optional(),maxLength:V().optional(),format:Ve(["email","uri","date","date-time"]).optional(),default:f().optional()}),CS=I({type:Ve(["number","integer"]),title:f().optional(),description:f().optional(),minimum:V().optional(),maximum:V().optional(),default:V().optional()}),ES=I({type:P("string"),title:f().optional(),description:f().optional(),enum:R(f()),default:f().optional()}),AS=I({type:P("string"),title:f().optional(),description:f().optional(),oneOf:R(I({const:f(),title:f()})),default:f().optional()}),PS=I({type:P("string"),title:f().optional(),description:f().optional(),enum:R(f()),enumNames:R(f()).optional(),default:f().optional()}),xS=ne([ES,AS]),kS=I({type:P("array"),title:f().optional(),description:f().optional(),minItems:V().optional(),maxItems:V().optional(),items:I({type:P("string"),enum:R(f())}),default:R(f()).optional()}),OS=I({type:P("array"),title:f().optional(),description:f().optional(),minItems:V().optional(),maxItems:V().optional(),items:I({anyOf:R(I({const:f(),title:f()}))}),default:R(f()).optional()}),US=ne([kS,OS]),NS=ne([PS,xS,US]),$S=ne([NS,IS,TS,CS]),zS=$n.extend({mode:P("form").optional(),message:f(),requestedSchema:I({type:P("object"),properties:ee(f(),$S),required:R(f()).optional()})}),MS=$n.extend({mode:P("url"),message:f(),elicitationId:f(),url:f().url()}),DS=ne([zS,MS]),Xi=ye.extend({method:P("elicitation/create"),params:DS}),qS=Ke.extend({elicitationId:f()}),LS=We.extend({method:P("notifications/elicitation/complete"),params:qS}),Wt=we.extend({action:Ve(["accept","decline","cancel"]),content:Ii(e=>e===null?void 0:e,ee(f(),ne([f(),V(),Y(),R(f())])).optional())}),jS=I({type:P("ref/resource"),uri:f()});var HS=I({type:P("ref/prompt"),name:f()}),GS=Fe.extend({ref:ne([HS,jS]),argument:I({name:f(),value:f()}),context:I({arguments:ee(f(),f()).optional()}).optional()}),BS=ye.extend({method:P("completion/complete"),params:GS});var Qi=we.extend({completion:fe({values:R(f()).max(100),total:se(V().int()),hasMore:se(Y())})}),VS=I({uri:f().startsWith("file://"),name:f().optional(),_meta:ee(f(),ue()).optional()}),FS=ye.extend({method:P("roots/list"),params:Fe.optional()}),ec=we.extend({roots:R(VS)}),ZS=We.extend({method:P("notifications/roots/list_changed"),params:Ke.optional()}),g$=ne([ua,ia,BS,Ji,Li,Di,ki,Jw,$i,Qw,tS,Hn,Zi,la,ma,fa,ga]),_$=ne([sa,da,ca,ZS,Ln]),y$=ne([Et,gr,Bn,Wt,ec,pa,ha,At]),w$=ne([ua,Yi,Xi,FS,la,ma,fa,ga]),S$=ne([sa,da,gS,nS,Mi,Wi,Fi,Ln,LS]),v$=ne([Et,Pi,Qi,Vi,qi,Oi,Ui,zi,Kt,Ki,pa,ha,At]),E=class e extends Error{static{o(this,"McpError")}constructor(t,r,n){super(`MCP error ${t}: ${r}`),this.code=t,this.data=n,this.name="McpError"}static fromError(t,r,n){if(t===A.UrlElicitationRequired&&n){let a=n;if(a.elicitations)return new Bt(a.elicitations,r)}return new e(t,r,n)}},Bt=class extends E{static{o(this,"UrlElicitationRequiredError")}constructor(t,r=`URL elicitation${t.length>1?"s":""} required`){super(A.UrlElicitationRequired,r,{elicitations:t})}get elicitations(){return this.data?.elicitations??[]}};function Jt(e){return e==="completed"||e==="failed"||e==="cancelled"}o(Jt,"isTerminal");var KS=Symbol("Let zodToJsonSchema decide on which parser to use");var yz=new Set("ABCDEFGHIJKLMNOPQRSTUVXYZabcdefghijklmnopqrstuvxyz0123456789");function tc(e){let r=jr(e)?.method;if(!r)throw new Error("Schema is missing a method literal");let n=Jl(r);if(typeof n!="string")throw new Error("Schema method literal must be a string");return n}o(tc,"getMethodLiteral");function rc(e,t){let r=xe(e,t);if(!r.success)throw r.error;return r.data}o(rc,"parseWithCompat");var ev=6e4,Fr=class{static{o(this,"Protocol")}constructor(t){this._options=t,this._requestMessageId=0,this._requestHandlers=new Map,this._requestHandlerAbortControllers=new Map,this._notificationHandlers=new Map,this._responseHandlers=new Map,this._progressHandlers=new Map,this._timeoutInfo=new Map,this._pendingDebouncedNotifications=new Set,this._taskProgressTokens=new Map,this._requestResolvers=new Map,this.setNotificationHandler(sa,r=>{this._oncancel(r)}),this.setNotificationHandler(da,r=>{this._onprogress(r)}),this.setRequestHandler(ua,r=>({})),this._taskStore=t?.taskStore,this._taskMessageQueue=t?.taskMessageQueue,this._taskStore&&(this.setRequestHandler(la,async(r,n)=>{let a=await this._taskStore.getTask(r.params.taskId,n.sessionId);if(!a)throw new E(A.InvalidParams,"Failed to retrieve task: Task not found");return{...a}}),this.setRequestHandler(ma,async(r,n)=>{let a=o(async()=>{let s=r.params.taskId;if(this._taskMessageQueue){let c;for(;c=await this._taskMessageQueue.dequeue(s,n.sessionId);){if(c.type==="response"||c.type==="error"){let d=c.message,p=d.id,l=this._requestResolvers.get(p);if(l)if(this._requestResolvers.delete(p),c.type==="response")l(d);else{let m=d,h=new E(m.error.code,m.error.message,m.error.data);l(h)}else{let m=c.type==="response"?"Response":"Error";this._onerror(new Error(`${m} handler missing for request ${p}`))}continue}await this._transport?.send(c.message,{relatedRequestId:n.requestId})}}let i=await this._taskStore.getTask(s,n.sessionId);if(!i)throw new E(A.InvalidParams,`Task not found: ${s}`);if(!Jt(i.status))return await this._waitForTaskUpdate(s,n.signal),await a();if(Jt(i.status)){let c=await this._taskStore.getTaskResult(s,n.sessionId);return this._clearTaskQueue(s),{...c,_meta:{...c._meta,[Zt]:{taskId:s}}}}return await a()},"handleTaskResult");return await a()}),this.setRequestHandler(fa,async(r,n)=>{try{let{tasks:a,nextCursor:s}=await this._taskStore.listTasks(r.params?.cursor,n.sessionId);return{tasks:a,nextCursor:s,_meta:{}}}catch(a){throw new E(A.InvalidParams,`Failed to list tasks: ${a instanceof Error?a.message:String(a)}`)}}),this.setRequestHandler(ga,async(r,n)=>{try{let a=await this._taskStore.getTask(r.params.taskId,n.sessionId);if(!a)throw new E(A.InvalidParams,`Task not found: ${r.params.taskId}`);if(Jt(a.status))throw new E(A.InvalidParams,`Cannot cancel task in terminal status: ${a.status}`);await this._taskStore.updateTaskStatus(r.params.taskId,"cancelled","Client cancelled task execution.",n.sessionId),this._clearTaskQueue(r.params.taskId);let s=await this._taskStore.getTask(r.params.taskId,n.sessionId);if(!s)throw new E(A.InvalidParams,`Task not found after cancellation: ${r.params.taskId}`);return{_meta:{},...s}}catch(a){throw a instanceof E?a:new E(A.InvalidRequest,`Failed to cancel task: ${a instanceof Error?a.message:String(a)}`)}}))}async _oncancel(t){if(!t.params.requestId)return;this._requestHandlerAbortControllers.get(t.params.requestId)?.abort(t.params.reason)}_setupTimeout(t,r,n,a,s=!1){this._timeoutInfo.set(t,{timeoutId:setTimeout(a,r),startTime:Date.now(),timeout:r,maxTotalTimeout:n,resetTimeoutOnProgress:s,onTimeout:a})}_resetTimeout(t){let r=this._timeoutInfo.get(t);if(!r)return!1;let n=Date.now()-r.startTime;if(r.maxTotalTimeout&&n>=r.maxTotalTimeout)throw this._timeoutInfo.delete(t),E.fromError(A.RequestTimeout,"Maximum total timeout exceeded",{maxTotalTimeout:r.maxTotalTimeout,totalElapsed:n});return clearTimeout(r.timeoutId),r.timeoutId=setTimeout(r.onTimeout,r.timeout),!0}_cleanupTimeout(t){let r=this._timeoutInfo.get(t);r&&(clearTimeout(r.timeoutId),this._timeoutInfo.delete(t))}async connect(t){if(this._transport)throw new Error("Already connected to a transport. Call close() before connecting to a new transport, or use a separate Protocol instance per connection.");this._transport=t;let r=this.transport?.onclose;this._transport.onclose=()=>{r?.(),this._onclose()};let n=this.transport?.onerror;this._transport.onerror=s=>{n?.(s),this._onerror(s)};let a=this._transport?.onmessage;this._transport.onmessage=(s,i)=>{a?.(s,i),nt(s)||Gr(s)?this._onresponse(s):mt(s)?this._onrequest(s,i):np(s)?this._onnotification(s):this._onerror(new Error(`Unknown message type: ${JSON.stringify(s)}`))},await this._transport.start()}_onclose(){let t=this._responseHandlers;this._responseHandlers=new Map,this._progressHandlers.clear(),this._taskProgressTokens.clear(),this._pendingDebouncedNotifications.clear();for(let n of this._timeoutInfo.values())clearTimeout(n.timeoutId);this._timeoutInfo.clear();for(let n of this._requestHandlerAbortControllers.values())n.abort();this._requestHandlerAbortControllers.clear();let r=E.fromError(A.ConnectionClosed,"Connection closed");this._transport=void 0,this.onclose?.();for(let n of t.values())n(r)}_onerror(t){this.onerror?.(t)}_onnotification(t){let r=this._notificationHandlers.get(t.method)??this.fallbackNotificationHandler;r!==void 0&&Promise.resolve().then(()=>r(t)).catch(n=>this._onerror(new Error(`Uncaught error in notification handler: ${n}`)))}_onrequest(t,r){let n=this._requestHandlers.get(t.method)??this.fallbackRequestHandler,a=this._transport,s=t.params?._meta?.[Zt]?.taskId;if(n===void 0){let l={jsonrpc:"2.0",id:t.id,error:{code:A.MethodNotFound,message:"Method not found"}};s&&this._taskMessageQueue?this._enqueueTaskMessage(s,{type:"error",message:l,timestamp:Date.now()},a?.sessionId).catch(m=>this._onerror(new Error(`Failed to enqueue error response: ${m}`))):a?.send(l).catch(m=>this._onerror(new Error(`Failed to send an error response: ${m}`)));return}let i=new AbortController;this._requestHandlerAbortControllers.set(t.id,i);let c=ep(t.params)?t.params.task:void 0,d=this._taskStore?this.requestTaskStore(t,a?.sessionId):void 0,p={signal:i.signal,sessionId:a?.sessionId,_meta:t.params?._meta,sendNotification:o(async l=>{if(i.signal.aborted)return;let m={relatedRequestId:t.id};s&&(m.relatedTask={taskId:s}),await this.notification(l,m)},"sendNotification"),sendRequest:o(async(l,m,h)=>{if(i.signal.aborted)throw new E(A.ConnectionClosed,"Request was cancelled");let _={...h,relatedRequestId:t.id};s&&!_.relatedTask&&(_.relatedTask={taskId:s});let w=_.relatedTask?.taskId??s;return w&&d&&await d.updateTaskStatus(w,"input_required"),await this.request(l,m,_)},"sendRequest"),authInfo:r?.authInfo,requestId:t.id,requestInfo:r?.requestInfo,taskId:s,taskStore:d,taskRequestedTtl:c?.ttl,closeSSEStream:r?.closeSSEStream,closeStandaloneSSEStream:r?.closeStandaloneSSEStream};Promise.resolve().then(()=>{c&&this.assertTaskHandlerCapability(t.method)}).then(()=>n(t,p)).then(async l=>{if(i.signal.aborted)return;let m={result:l,jsonrpc:"2.0",id:t.id};s&&this._taskMessageQueue?await this._enqueueTaskMessage(s,{type:"response",message:m,timestamp:Date.now()},a?.sessionId):await a?.send(m)},async l=>{if(i.signal.aborted)return;let m={jsonrpc:"2.0",id:t.id,error:{code:Number.isSafeInteger(l.code)?l.code:A.InternalError,message:l.message??"Internal error",...l.data!==void 0&&{data:l.data}}};s&&this._taskMessageQueue?await this._enqueueTaskMessage(s,{type:"error",message:m,timestamp:Date.now()},a?.sessionId):await a?.send(m)}).catch(l=>this._onerror(new Error(`Failed to send response: ${l}`))).finally(()=>{this._requestHandlerAbortControllers.get(t.id)===i&&this._requestHandlerAbortControllers.delete(t.id)})}_onprogress(t){let{progressToken:r,...n}=t.params,a=Number(r),s=this._progressHandlers.get(a);if(!s){this._onerror(new Error(`Received a progress notification for an unknown token: ${JSON.stringify(t)}`));return}let i=this._responseHandlers.get(a),c=this._timeoutInfo.get(a);if(c&&i&&c.resetTimeoutOnProgress)try{this._resetTimeout(a)}catch(d){this._responseHandlers.delete(a),this._progressHandlers.delete(a),this._cleanupTimeout(a),i(d);return}s(n)}_onresponse(t){let r=Number(t.id),n=this._requestResolvers.get(r);if(n){if(this._requestResolvers.delete(r),nt(t))n(t);else{let i=new E(t.error.code,t.error.message,t.error.data);n(i)}return}let a=this._responseHandlers.get(r);if(a===void 0){this._onerror(new Error(`Received a response for an unknown message ID: ${JSON.stringify(t)}`));return}this._responseHandlers.delete(r),this._cleanupTimeout(r);let s=!1;if(nt(t)&&t.result&&typeof t.result=="object"){let i=t.result;if(i.task&&typeof i.task=="object"){let c=i.task;typeof c.taskId=="string"&&(s=!0,this._taskProgressTokens.set(c.taskId,r))}}if(s||this._progressHandlers.delete(r),nt(t))a(t);else{let i=E.fromError(t.error.code,t.error.message,t.error.data);a(i)}}get transport(){return this._transport}async close(){await this._transport?.close()}async*requestStream(t,r,n){let{task:a}=n??{};if(!a){try{yield{type:"result",result:await this.request(t,r,n)}}catch(i){yield{type:"error",error:i instanceof E?i:new E(A.InternalError,String(i))}}return}let s;try{let i=await this.request(t,At,n);if(i.task)s=i.task.taskId,yield{type:"taskCreated",task:i.task};else throw new E(A.InternalError,"Task creation did not return a task");for(;;){let c=await this.getTask({taskId:s},n);if(yield{type:"taskStatus",task:c},Jt(c.status)){c.status==="completed"?yield{type:"result",result:await this.getTaskResult({taskId:s},r,n)}:c.status==="failed"?yield{type:"error",error:new E(A.InternalError,`Task ${s} failed`)}:c.status==="cancelled"&&(yield{type:"error",error:new E(A.InternalError,`Task ${s} was cancelled`)});return}if(c.status==="input_required"){yield{type:"result",result:await this.getTaskResult({taskId:s},r,n)};return}let d=c.pollInterval??this._options?.defaultTaskPollInterval??1e3;await new Promise(p=>setTimeout(p,d)),n?.signal?.throwIfAborted()}}catch(i){yield{type:"error",error:i instanceof E?i:new E(A.InternalError,String(i))}}}request(t,r,n){let{relatedRequestId:a,resumptionToken:s,onresumptiontoken:i,task:c,relatedTask:d}=n??{};return new Promise((p,l)=>{let m=o(b=>{l(b)},"earlyReject");if(!this._transport){m(new Error("Not connected"));return}if(this._options?.enforceStrictCapabilities===!0)try{this.assertCapabilityForMethod(t.method),c&&this.assertTaskCapability(t.method)}catch(b){m(b);return}n?.signal?.throwIfAborted();let h=this._requestMessageId++,_={...t,jsonrpc:"2.0",id:h};n?.onprogress&&(this._progressHandlers.set(h,n.onprogress),_.params={...t.params,_meta:{...t.params?._meta||{},progressToken:h}}),c&&(_.params={..._.params,task:c}),d&&(_.params={..._.params,_meta:{..._.params?._meta||{},[Zt]:d}});let w=o(b=>{this._responseHandlers.delete(h),this._progressHandlers.delete(h),this._cleanupTimeout(h),this._transport?.send({jsonrpc:"2.0",method:"notifications/cancelled",params:{requestId:h,reason:String(b)}},{relatedRequestId:a,resumptionToken:s,onresumptiontoken:i}).catch(U=>this._onerror(new Error(`Failed to send cancellation: ${U}`)));let T=b instanceof E?b:new E(A.RequestTimeout,String(b));l(T)},"cancel");this._responseHandlers.set(h,b=>{if(!n?.signal?.aborted){if(b instanceof Error)return l(b);try{let T=xe(r,b.result);T.success?p(T.data):l(T.error)}catch(T){l(T)}}}),n?.signal?.addEventListener("abort",()=>{w(n?.signal?.reason)});let y=n?.timeout??ev,S=o(()=>w(E.fromError(A.RequestTimeout,"Request timed out",{timeout:y})),"timeoutHandler");this._setupTimeout(h,y,n?.maxTotalTimeout,S,n?.resetTimeoutOnProgress??!1);let v=d?.taskId;if(v){let b=o(T=>{let U=this._responseHandlers.get(h);U?U(T):this._onerror(new Error(`Response handler missing for side-channeled request ${h}`))},"responseResolver");this._requestResolvers.set(h,b),this._enqueueTaskMessage(v,{type:"request",message:_,timestamp:Date.now()}).catch(T=>{this._cleanupTimeout(h),l(T)})}else this._transport.send(_,{relatedRequestId:a,resumptionToken:s,onresumptiontoken:i}).catch(b=>{this._cleanupTimeout(h),l(b)})})}async getTask(t,r){return this.request({method:"tasks/get",params:t},pa,r)}async getTaskResult(t,r,n){return this.request({method:"tasks/result",params:t},r,n)}async listTasks(t,r){return this.request({method:"tasks/list",params:t},ha,r)}async cancelTask(t,r){return this.request({method:"tasks/cancel",params:t},ap,r)}async notification(t,r){if(!this._transport)throw new Error("Not connected");this.assertNotificationCapability(t.method);let n=r?.relatedTask?.taskId;if(n){let c={...t,jsonrpc:"2.0",params:{...t.params,_meta:{...t.params?._meta||{},[Zt]:r.relatedTask}}};await this._enqueueTaskMessage(n,{type:"notification",message:c,timestamp:Date.now()});return}if((this._options?.debouncedNotificationMethods??[]).includes(t.method)&&!t.params&&!r?.relatedRequestId&&!r?.relatedTask){if(this._pendingDebouncedNotifications.has(t.method))return;this._pendingDebouncedNotifications.add(t.method),Promise.resolve().then(()=>{if(this._pendingDebouncedNotifications.delete(t.method),!this._transport)return;let c={...t,jsonrpc:"2.0"};r?.relatedTask&&(c={...c,params:{...c.params,_meta:{...c.params?._meta||{},[Zt]:r.relatedTask}}}),this._transport?.send(c,r).catch(d=>this._onerror(d))});return}let i={...t,jsonrpc:"2.0"};r?.relatedTask&&(i={...i,params:{...i.params,_meta:{...i.params?._meta||{},[Zt]:r.relatedTask}}}),await this._transport.send(i,r)}setRequestHandler(t,r){let n=tc(t);this.assertRequestHandlerCapability(n),this._requestHandlers.set(n,(a,s)=>{let i=rc(t,a);return Promise.resolve(r(i,s))})}removeRequestHandler(t){this._requestHandlers.delete(t)}assertCanSetRequestHandler(t){if(this._requestHandlers.has(t))throw new Error(`A request handler for ${t} already exists, which would be overridden`)}setNotificationHandler(t,r){let n=tc(t);this._notificationHandlers.set(n,a=>{let s=rc(t,a);return Promise.resolve(r(s))})}removeNotificationHandler(t){this._notificationHandlers.delete(t)}_cleanupTaskProgressHandler(t){let r=this._taskProgressTokens.get(t);r!==void 0&&(this._progressHandlers.delete(r),this._taskProgressTokens.delete(t))}async _enqueueTaskMessage(t,r,n){if(!this._taskStore||!this._taskMessageQueue)throw new Error("Cannot enqueue task message: taskStore and taskMessageQueue are not configured");let a=this._options?.maxTaskQueueSize;await this._taskMessageQueue.enqueue(t,r,n,a)}async _clearTaskQueue(t,r){if(this._taskMessageQueue){let n=await this._taskMessageQueue.dequeueAll(t,r);for(let a of n)if(a.type==="request"&&mt(a.message)){let s=a.message.id,i=this._requestResolvers.get(s);i?(i(new E(A.InternalError,"Task cancelled or completed")),this._requestResolvers.delete(s)):this._onerror(new Error(`Resolver missing for request ${s} during task ${t} cleanup`))}}}async _waitForTaskUpdate(t,r){let n=this._options?.defaultTaskPollInterval??1e3;try{let a=await this._taskStore?.getTask(t);a?.pollInterval&&(n=a.pollInterval)}catch{}return new Promise((a,s)=>{if(r.aborted){s(new E(A.InvalidRequest,"Request cancelled"));return}let i=setTimeout(a,n);r.addEventListener("abort",()=>{clearTimeout(i),s(new E(A.InvalidRequest,"Request cancelled"))},{once:!0})})}requestTaskStore(t,r){let n=this._taskStore;if(!n)throw new Error("No task store configured");return{createTask:o(async a=>{if(!t)throw new Error("No request provided");return await n.createTask(a,t.id,{method:t.method,params:t.params},r)},"createTask"),getTask:o(async a=>{let s=await n.getTask(a,r);if(!s)throw new E(A.InvalidParams,"Failed to retrieve task: Task not found");return s},"getTask"),storeTaskResult:o(async(a,s,i)=>{await n.storeTaskResult(a,s,i,r);let c=await n.getTask(a,r);if(c){let d=Ln.parse({method:"notifications/tasks/status",params:c});await this.notification(d),Jt(c.status)&&this._cleanupTaskProgressHandler(a)}},"storeTaskResult"),getTaskResult:o(a=>n.getTaskResult(a,r),"getTaskResult"),updateTaskStatus:o(async(a,s,i)=>{let c=await n.getTask(a,r);if(!c)throw new E(A.InvalidParams,`Task "${a}" not found - it may have been cleaned up`);if(Jt(c.status))throw new E(A.InvalidParams,`Cannot update task "${a}" from terminal status "${c.status}" to "${s}". Terminal states (completed, failed, cancelled) cannot transition to other states.`);await n.updateTaskStatus(a,s,i,r);let d=await n.getTask(a,r);if(d){let p=Ln.parse({method:"notifications/tasks/status",params:d});await this.notification(p),Jt(d.status)&&this._cleanupTaskProgressHandler(a)}},"updateTaskStatus"),listTasks:o(a=>n.listTasks(a,r),"listTasks")}}};function pp(e){return e!==null&&typeof e=="object"&&!Array.isArray(e)}o(pp,"isPlainObject");function _a(e,t){let r={...e};for(let n in t){let a=n,s=t[a];if(s===void 0)continue;let i=r[a];pp(i)&&pp(s)?r[a]={...i,...s}:r[a]=s}return r}o(_a,"mergeCapabilities");var Qf=Ll(ju(),1),eh=Ll(Xf(),1);function BC(){let e=new Qf.default({strict:!1,validateFormats:!0,validateSchema:!1,allErrors:!0});return(0,eh.default)(e),e}o(BC,"createDefaultAjvInstance");var dn=class{static{o(this,"AjvJsonSchemaValidator")}constructor(t){this._ajv=t??BC()}getValidator(t){let r="$id"in t&&typeof t.$id=="string"?this._ajv.getSchema(t.$id)??this._ajv.compile(t):this._ajv.compile(t);return n=>r(n)?{valid:!0,data:n,errorMessage:void 0}:{valid:!1,data:void 0,errorMessage:this._ajv.errorsText(r.errors)}}};var es=class{static{o(this,"ExperimentalServerTasks")}constructor(t){this._server=t}requestStream(t,r,n){return this._server.requestStream(t,r,n)}createMessageStream(t,r){let n=this._server.getClientCapabilities();if((t.tools||t.toolChoice)&&!n?.sampling?.tools)throw new Error("Client does not support sampling tools capability.");if(t.messages.length>0){let a=t.messages[t.messages.length-1],s=Array.isArray(a.content)?a.content:[a.content],i=s.some(l=>l.type==="tool_result"),c=t.messages.length>1?t.messages[t.messages.length-2]:void 0,d=c?Array.isArray(c.content)?c.content:[c.content]:[],p=d.some(l=>l.type==="tool_use");if(i){if(s.some(l=>l.type!=="tool_result"))throw new Error("The last message must contain only tool_result content if any is present");if(!p)throw new Error("tool_result blocks are not matching any tool_use from the previous message")}if(p){let l=new Set(d.filter(h=>h.type==="tool_use").map(h=>h.id)),m=new Set(s.filter(h=>h.type==="tool_result").map(h=>h.toolUseId));if(l.size!==m.size||![...l].every(h=>m.has(h)))throw new Error("ids of tool_result blocks and tool_use blocks from previous message do not match")}}return this.requestStream({method:"sampling/createMessage",params:t},gr,r)}elicitInputStream(t,r){let n=this._server.getClientCapabilities(),a=t.mode??"form";switch(a){case"url":{if(!n?.elicitation?.url)throw new Error("Client does not support url elicitation.");break}case"form":{if(!n?.elicitation?.form)throw new Error("Client does not support form elicitation.");break}}let s=a==="form"&&t.mode===void 0?{...t,mode:"form"}:t;return this.requestStream({method:"elicitation/create",params:s},Wt,r)}async getTask(t,r){return this._server.getTask({taskId:t},r)}async getTaskResult(t,r,n){return this._server.getTaskResult({taskId:t},r,n)}async listTasks(t,r){return this._server.listTasks(t?{cursor:t}:void 0,r)}async cancelTask(t,r){return this._server.cancelTask({taskId:t},r)}};function ts(e,t,r){if(!e)throw new Error(`${r} does not support task creation (required for ${t})`);switch(t){case"tools/call":if(!e.tools?.call)throw new Error(`${r} does not support task creation for tools/call (required for ${t})`);break;default:break}}o(ts,"assertToolsCallTaskCapability");function rs(e,t,r){if(!e)throw new Error(`${r} does not support task creation (required for ${t})`);switch(t){case"sampling/createMessage":if(!e.sampling?.createMessage)throw new Error(`${r} does not support task creation for sampling/createMessage (required for ${t})`);break;case"elicitation/create":if(!e.elicitation?.create)throw new Error(`${r} does not support task creation for elicitation/create (required for ${t})`);break;default:break}}o(rs,"assertClientRequestTaskCapability");var ns=class extends Fr{static{o(this,"Server")}constructor(t,r){super(r),this._serverInfo=t,this._loggingLevels=new Map,this.LOG_LEVEL_SEVERITY=new Map(Gn.options.map((n,a)=>[n,a])),this.isMessageIgnored=(n,a)=>{let s=this._loggingLevels.get(a);return s?this.LOG_LEVEL_SEVERITY.get(n)<this.LOG_LEVEL_SEVERITY.get(s):!1},this._capabilities=r?.capabilities??{},this._instructions=r?.instructions,this._jsonSchemaValidator=r?.jsonSchemaValidator??new dn,this.setRequestHandler(ia,n=>this._oninitialize(n)),this.setNotificationHandler(ca,()=>this.oninitialized?.()),this._capabilities.logging&&this.setRequestHandler(Ji,async(n,a)=>{let s=a.sessionId||a.requestInfo?.headers["mcp-session-id"]||void 0,{level:i}=n.params,c=Gn.safeParse(i);return c.success&&this._loggingLevels.set(s,c.data),{}})}get experimental(){return this._experimental||(this._experimental={tasks:new es(this)}),this._experimental}registerCapabilities(t){if(this.transport)throw new Error("Cannot register capabilities after connecting to transport");this._capabilities=_a(this._capabilities,t)}setRequestHandler(t,r){let a=jr(t)?.method;if(!a)throw new Error("Schema is missing a method literal");let s;if(Gt(a)){let c=a;s=c._zod?.def?.value??c.value}else{let c=a;s=c._def?.value??c.value}if(typeof s!="string")throw new Error("Schema method literal must be a string");if(s==="tools/call"){let c=o(async(d,p)=>{let l=xe(Hn,d);if(!l.success){let w=l.error instanceof Error?l.error.message:String(l.error);throw new E(A.InvalidParams,`Invalid tools/call request: ${w}`)}let{params:m}=l.data,h=await Promise.resolve(r(d,p));if(m.task){let w=xe(At,h);if(!w.success){let y=w.error instanceof Error?w.error.message:String(w.error);throw new E(A.InvalidParams,`Invalid task creation result: ${y}`)}return w.data}let _=xe(Kt,h);if(!_.success){let w=_.error instanceof Error?_.error.message:String(_.error);throw new E(A.InvalidParams,`Invalid tools/call result: ${w}`)}return _.data},"wrappedHandler");return super.setRequestHandler(t,c)}return super.setRequestHandler(t,r)}assertCapabilityForMethod(t){switch(t){case"sampling/createMessage":if(!this._clientCapabilities?.sampling)throw new Error(`Client does not support sampling (required for ${t})`);break;case"elicitation/create":if(!this._clientCapabilities?.elicitation)throw new Error(`Client does not support elicitation (required for ${t})`);break;case"roots/list":if(!this._clientCapabilities?.roots)throw new Error(`Client does not support listing roots (required for ${t})`);break;case"ping":break}}assertNotificationCapability(t){switch(t){case"notifications/message":if(!this._capabilities.logging)throw new Error(`Server does not support logging (required for ${t})`);break;case"notifications/resources/updated":case"notifications/resources/list_changed":if(!this._capabilities.resources)throw new Error(`Server does not support notifying about resources (required for ${t})`);break;case"notifications/tools/list_changed":if(!this._capabilities.tools)throw new Error(`Server does not support notifying of tool list changes (required for ${t})`);break;case"notifications/prompts/list_changed":if(!this._capabilities.prompts)throw new Error(`Server does not support notifying of prompt list changes (required for ${t})`);break;case"notifications/elicitation/complete":if(!this._clientCapabilities?.elicitation?.url)throw new Error(`Client does not support URL elicitation (required for ${t})`);break;case"notifications/cancelled":break;case"notifications/progress":break}}assertRequestHandlerCapability(t){if(this._capabilities)switch(t){case"completion/complete":if(!this._capabilities.completions)throw new Error(`Server does not support completions (required for ${t})`);break;case"logging/setLevel":if(!this._capabilities.logging)throw new Error(`Server does not support logging (required for ${t})`);break;case"prompts/get":case"prompts/list":if(!this._capabilities.prompts)throw new Error(`Server does not support prompts (required for ${t})`);break;case"resources/list":case"resources/templates/list":case"resources/read":if(!this._capabilities.resources)throw new Error(`Server does not support resources (required for ${t})`);break;case"tools/call":case"tools/list":if(!this._capabilities.tools)throw new Error(`Server does not support tools (required for ${t})`);break;case"tasks/get":case"tasks/list":case"tasks/result":case"tasks/cancel":if(!this._capabilities.tasks)throw new Error(`Server does not support tasks capability (required for ${t})`);break;case"ping":case"initialize":break}}assertTaskCapability(t){rs(this._clientCapabilities?.tasks?.requests,t,"Client")}assertTaskHandlerCapability(t){this._capabilities&&ts(this._capabilities.tasks?.requests,t,"Server")}async _oninitialize(t){let r=t.params.protocolVersion;return this._clientCapabilities=t.params.capabilities,this._clientVersion=t.params.clientInfo,{protocolVersion:Ft.includes(r)?r:Vt,capabilities:this.getCapabilities(),serverInfo:this._serverInfo,...this._instructions&&{instructions:this._instructions}}}getClientCapabilities(){return this._clientCapabilities}getClientVersion(){return this._clientVersion}getCapabilities(){return this._capabilities}async ping(){return this.request({method:"ping"},Et)}async createMessage(t,r){if((t.tools||t.toolChoice)&&!this._clientCapabilities?.sampling?.tools)throw new Error("Client does not support sampling tools capability.");if(t.messages.length>0){let n=t.messages[t.messages.length-1],a=Array.isArray(n.content)?n.content:[n.content],s=a.some(p=>p.type==="tool_result"),i=t.messages.length>1?t.messages[t.messages.length-2]:void 0,c=i?Array.isArray(i.content)?i.content:[i.content]:[],d=c.some(p=>p.type==="tool_use");if(s){if(a.some(p=>p.type!=="tool_result"))throw new Error("The last message must contain only tool_result content if any is present");if(!d)throw new Error("tool_result blocks are not matching any tool_use from the previous message")}if(d){let p=new Set(c.filter(m=>m.type==="tool_use").map(m=>m.id)),l=new Set(a.filter(m=>m.type==="tool_result").map(m=>m.toolUseId));if(p.size!==l.size||![...p].every(m=>l.has(m)))throw new Error("ids of tool_result blocks and tool_use blocks from previous message do not match")}}return t.tools?this.request({method:"sampling/createMessage",params:t},Bn,r):this.request({method:"sampling/createMessage",params:t},gr,r)}async elicitInput(t,r){switch(t.mode??"form"){case"url":{if(!this._clientCapabilities?.elicitation?.url)throw new Error("Client does not support url elicitation.");let a=t;return this.request({method:"elicitation/create",params:a},Wt,r)}case"form":{if(!this._clientCapabilities?.elicitation?.form)throw new Error("Client does not support form elicitation.");let a=t.mode==="form"?t:{...t,mode:"form"},s=await this.request({method:"elicitation/create",params:a},Wt,r);if(s.action==="accept"&&s.content&&a.requestedSchema)try{let c=this._jsonSchemaValidator.getValidator(a.requestedSchema)(s.content);if(!c.valid)throw new E(A.InvalidParams,`Elicitation response content does not match requested schema: ${c.errorMessage}`)}catch(i){throw i instanceof E?i:new E(A.InternalError,`Error validating elicitation response: ${i instanceof Error?i.message:String(i)}`)}return s}}}createElicitationCompletionNotifier(t,r){if(!this._clientCapabilities?.elicitation?.url)throw new Error("Client does not support URL elicitation (required for notifications/elicitation/complete)");return()=>this.notification({method:"notifications/elicitation/complete",params:{elicitationId:t}},r)}async listRoots(t,r){return this.request({method:"roots/list",params:t},ec,r)}async sendLoggingMessage(t,r){if(this._capabilities.logging&&!this.isMessageIgnored(t.level,r))return this.notification({method:"notifications/message",params:t})}async sendResourceUpdated(t){return this.notification({method:"notifications/resources/updated",params:t})}async sendResourceListChanged(){return this.notification({method:"notifications/resources/list_changed"})}async sendToolListChanged(){return this.notification({method:"notifications/tools/list_changed"})}async sendPromptListChanged(){return this.notification({method:"notifications/prompts/list_changed"})}};var os=class{static{o(this,"WebStandardStreamableHTTPServerTransport")}constructor(t={}){this._started=!1,this._hasHandledRequest=!1,this._streamMapping=new Map,this._requestToStreamMapping=new Map,this._requestResponseMap=new Map,this._initialized=!1,this._enableJsonResponse=!1,this._standaloneSseStreamId="_GET_stream",this.sessionIdGenerator=t.sessionIdGenerator,this._enableJsonResponse=t.enableJsonResponse??!1,this._eventStore=t.eventStore,this._onsessioninitialized=t.onsessioninitialized,this._onsessionclosed=t.onsessionclosed,this._allowedHosts=t.allowedHosts,this._allowedOrigins=t.allowedOrigins,this._enableDnsRebindingProtection=t.enableDnsRebindingProtection??!1,this._retryInterval=t.retryInterval}async start(){if(this._started)throw new Error("Transport already started");this._started=!0}createJsonErrorResponse(t,r,n,a){let s={code:r,message:n};return a?.data!==void 0&&(s.data=a.data),new Response(JSON.stringify({jsonrpc:"2.0",error:s,id:null}),{status:t,headers:{"Content-Type":"application/json",...a?.headers}})}validateRequestHeaders(t){if(this._enableDnsRebindingProtection){if(this._allowedHosts&&this._allowedHosts.length>0){let r=t.headers.get("host");if(!r||!this._allowedHosts.includes(r)){let n=`Invalid Host header: ${r}`;return this.onerror?.(new Error(n)),this.createJsonErrorResponse(403,-32e3,n)}}if(this._allowedOrigins&&this._allowedOrigins.length>0){let r=t.headers.get("origin");if(r&&!this._allowedOrigins.includes(r)){let n=`Invalid Origin header: ${r}`;return this.onerror?.(new Error(n)),this.createJsonErrorResponse(403,-32e3,n)}}}}async handleRequest(t,r){if(!this.sessionIdGenerator&&this._hasHandledRequest)throw new Error("Stateless transport cannot be reused across requests. Create a new transport per request.");this._hasHandledRequest=!0;let n=this.validateRequestHeaders(t);if(n)return n;switch(t.method){case"POST":return this.handlePostRequest(t,r);case"GET":return this.handleGetRequest(t);case"DELETE":return this.handleDeleteRequest(t);default:return this.handleUnsupportedRequest()}}async writePrimingEvent(t,r,n,a){if(!this._eventStore||a<"2025-11-25")return;let s=await this._eventStore.storeEvent(n,{}),i=`id: ${s}
32
+ deps: ${r}}`,"params")};var $T={keyword:"dependencies",type:"object",schemaType:"object",error:bt.error,code(e){let[t,r]=LT(e);qh(e,t),$h(e,r)}};function LT({schema:e}){let t={},r={};for(let n in e){if(n==="__proto__")continue;let a=Array.isArray(e[n])?t:r;a[n]=e[n]}return[t,r]}o(LT,"splitDependencies");function qh(e,t=e.schema){let{gen:r,data:n,it:a}=e;if(Object.keys(t).length===0)return;let i=r.let("missing");for(let s in t){let u=t[s];if(u.length===0)continue;let d=(0,xo.propertyInData)(r,n,s,a.opts.ownProperties);e.setParams({property:s,depsCount:u.length,deps:u.join(", ")}),a.allErrors?r.if(d,()=>{for(let l of u)(0,xo.checkReportMissingProp)(e,l)}):(r.if((0,Du._)`${d} && (${(0,xo.checkMissingProp)(e,u,i)})`),(0,xo.reportMissingProp)(e,i),r.else())}}o(qh,"validatePropertyDeps");bt.validatePropertyDeps=qh;function $h(e,t=e.schema){let{gen:r,data:n,keyword:a,it:i}=e,s=r.name("valid");for(let u in t)(0,qT.alwaysValidSchema)(i,t[u])||(r.if((0,xo.propertyInData)(r,n,u,i.opts.ownProperties),()=>{let d=e.subschema({keyword:a,schemaProp:u},s);e.mergeValidEvaluated(d,s)},()=>r.var(s,!0)),e.ok(s))}o($h,"validateSchemaDeps");bt.validateSchemaDeps=$h;bt.default=$T});var Hh=T(Mu=>{"use strict";Object.defineProperty(Mu,"__esModule",{value:!0});var jh=L(),jT=J(),HT={message:"property name must be valid",params:o(({params:e})=>(0,jh._)`{propertyName: ${e.propertyName}}`,"params")},GT={keyword:"propertyNames",type:"object",schemaType:["object","boolean"],error:HT,code(e){let{gen:t,schema:r,data:n,it:a}=e;if((0,jT.alwaysValidSchema)(a,r))return;let i=t.name("valid");t.forIn("key",n,s=>{e.setParams({propertyName:s}),e.subschema({keyword:"propertyNames",data:s,dataTypes:["string"],propertyName:s,compositeRule:!0},i),t.if((0,jh.not)(i),()=>{e.error(!0),a.allErrors||t.break()})}),e.ok(i)}};Mu.default=GT});var $u=T(qu=>{"use strict";Object.defineProperty(qu,"__esModule",{value:!0});var si=nt(),mt=L(),BT=$t(),ci=J(),VT={message:"must NOT have additional properties",params:o(({params:e})=>(0,mt._)`{additionalProperty: ${e.additionalProperty}}`,"params")},FT={keyword:"additionalProperties",type:["object"],schemaType:["boolean","object"],allowUndefined:!0,trackErrors:!0,error:VT,code(e){let{gen:t,schema:r,parentSchema:n,data:a,errsCount:i,it:s}=e;if(!i)throw new Error("ajv implementation error");let{allErrors:u,opts:d}=s;if(s.props=!0,d.removeAdditional!=="all"&&(0,ci.alwaysValidSchema)(s,r))return;let l=(0,si.allSchemaProperties)(n.properties),p=(0,si.allSchemaProperties)(n.patternProperties);m(),e.ok((0,mt._)`${i} === ${BT.default.errors}`);function m(){t.forIn("key",a,w=>{!l.length&&!p.length?S(w):t.if(f(w),()=>S(w))})}o(m,"checkAdditionalProperties");function f(w){let v;if(l.length>8){let R=(0,ci.schemaRefOrVal)(s,n.properties,"properties");v=(0,si.isOwnProperty)(t,R,w)}else l.length?v=(0,mt.or)(...l.map(R=>(0,mt._)`${w} === ${R}`)):v=mt.nil;return p.length&&(v=(0,mt.or)(v,...p.map(R=>(0,mt._)`${(0,si.usePattern)(e,R)}.test(${w})`))),(0,mt.not)(v)}o(f,"isAdditional");function _(w){t.code((0,mt._)`delete ${a}[${w}]`)}o(_,"deleteAdditional");function S(w){if(d.removeAdditional==="all"||d.removeAdditional&&r===!1){_(w);return}if(r===!1){e.setParams({additionalProperty:w}),e.error(),u||t.break();return}if(typeof r=="object"&&!(0,ci.alwaysValidSchema)(s,r)){let v=t.name("valid");d.removeAdditional==="failing"?(y(w,v,!1),t.if((0,mt.not)(v),()=>{e.reset(),_(w)})):(y(w,v),u||t.if((0,mt.not)(v),()=>t.break()))}}o(S,"additionalPropertyCode");function y(w,v,R){let I={keyword:"additionalProperties",dataProp:w,dataPropType:ci.Type.Str};R===!1&&Object.assign(I,{compositeRule:!0,createErrors:!1,allErrors:!1}),e.subschema(I,v)}o(y,"applyAdditionalSchema")}};qu.default=FT});var Vh=T(ju=>{"use strict";Object.defineProperty(ju,"__esModule",{value:!0});var ZT=_o(),Gh=nt(),Lu=J(),Bh=$u(),KT={keyword:"properties",type:"object",schemaType:"object",code(e){let{gen:t,schema:r,parentSchema:n,data:a,it:i}=e;i.opts.removeAdditional==="all"&&n.additionalProperties===void 0&&Bh.default.code(new ZT.KeywordCxt(i,Bh.default,"additionalProperties"));let s=(0,Gh.allSchemaProperties)(r);for(let m of s)i.definedProperties.add(m);i.opts.unevaluated&&s.length&&i.props!==!0&&(i.props=Lu.mergeEvaluated.props(t,(0,Lu.toHash)(s),i.props));let u=s.filter(m=>!(0,Lu.alwaysValidSchema)(i,r[m]));if(u.length===0)return;let d=t.name("valid");for(let m of u)l(m)?p(m):(t.if((0,Gh.propertyInData)(t,a,m,i.opts.ownProperties)),p(m),i.allErrors||t.else().var(d,!0),t.endIf()),e.it.definedProperties.add(m),e.ok(d);function l(m){return i.opts.useDefaults&&!i.compositeRule&&r[m].default!==void 0}o(l,"hasDefault");function p(m){e.subschema({keyword:"properties",schemaProp:m,dataProp:m},d)}o(p,"applyPropertySchema")}};ju.default=KT});var Wh=T(Hu=>{"use strict";Object.defineProperty(Hu,"__esModule",{value:!0});var Fh=nt(),ui=L(),Zh=J(),Kh=J(),WT={keyword:"patternProperties",type:"object",schemaType:"object",code(e){let{gen:t,schema:r,data:n,parentSchema:a,it:i}=e,{opts:s}=i,u=(0,Fh.allSchemaProperties)(r),d=u.filter(y=>(0,Zh.alwaysValidSchema)(i,r[y]));if(u.length===0||d.length===u.length&&(!i.opts.unevaluated||i.props===!0))return;let l=s.strictSchema&&!s.allowMatchingProperties&&a.properties,p=t.name("valid");i.props!==!0&&!(i.props instanceof ui.Name)&&(i.props=(0,Kh.evaluatedPropsToName)(t,i.props));let{props:m}=i;f();function f(){for(let y of u)l&&_(y),i.allErrors?S(y):(t.var(p,!0),S(y),t.if(p))}o(f,"validatePatternProperties");function _(y){for(let w in l)new RegExp(y).test(w)&&(0,Zh.checkStrictMode)(i,`property ${w} matches pattern ${y} (use allowMatchingProperties)`)}o(_,"checkMatchingProperties");function S(y){t.forIn("key",n,w=>{t.if((0,ui._)`${(0,Fh.usePattern)(e,y)}.test(${w})`,()=>{let v=d.includes(y);v||e.subschema({keyword:"patternProperties",schemaProp:y,dataProp:w,dataPropType:Kh.Type.Str},p),i.opts.unevaluated&&m!==!0?t.assign((0,ui._)`${m}[${w}]`,!0):!v&&!i.allErrors&&t.if((0,ui.not)(p),()=>t.break())})})}o(S,"validateProperties")}};Hu.default=WT});var Jh=T(Gu=>{"use strict";Object.defineProperty(Gu,"__esModule",{value:!0});var JT=J(),YT={keyword:"not",schemaType:["object","boolean"],trackErrors:!0,code(e){let{gen:t,schema:r,it:n}=e;if((0,JT.alwaysValidSchema)(n,r)){e.fail();return}let a=t.name("valid");e.subschema({keyword:"not",compositeRule:!0,createErrors:!1,allErrors:!1},a),e.failResult(a,()=>e.reset(),()=>e.error())},error:{message:"must NOT be valid"}};Gu.default=YT});var Yh=T(Bu=>{"use strict";Object.defineProperty(Bu,"__esModule",{value:!0});var XT=nt(),QT={keyword:"anyOf",schemaType:"array",trackErrors:!0,code:XT.validateUnion,error:{message:"must match a schema in anyOf"}};Bu.default=QT});var Xh=T(Vu=>{"use strict";Object.defineProperty(Vu,"__esModule",{value:!0});var di=L(),eA=J(),tA={message:"must match exactly one schema in oneOf",params:o(({params:e})=>(0,di._)`{passingSchemas: ${e.passing}}`,"params")},rA={keyword:"oneOf",schemaType:"array",trackErrors:!0,error:tA,code(e){let{gen:t,schema:r,parentSchema:n,it:a}=e;if(!Array.isArray(r))throw new Error("ajv implementation error");if(a.opts.discriminator&&n.discriminator)return;let i=r,s=t.let("valid",!1),u=t.let("passing",null),d=t.name("_valid");e.setParams({passing:u}),t.block(l),e.result(s,()=>e.reset(),()=>e.error(!0));function l(){i.forEach((p,m)=>{let f;(0,eA.alwaysValidSchema)(a,p)?t.var(d,!0):f=e.subschema({keyword:"oneOf",schemaProp:m,compositeRule:!0},d),m>0&&t.if((0,di._)`${d} && ${s}`).assign(s,!1).assign(u,(0,di._)`[${u}, ${m}]`).else(),t.if(d,()=>{t.assign(s,!0),t.assign(u,m),f&&e.mergeEvaluated(f,di.Name)})})}o(l,"validateOneOf")}};Vu.default=rA});var Qh=T(Fu=>{"use strict";Object.defineProperty(Fu,"__esModule",{value:!0});var nA=J(),oA={keyword:"allOf",schemaType:"array",code(e){let{gen:t,schema:r,it:n}=e;if(!Array.isArray(r))throw new Error("ajv implementation error");let a=t.name("valid");r.forEach((i,s)=>{if((0,nA.alwaysValidSchema)(n,i))return;let u=e.subschema({keyword:"allOf",schemaProp:s},a);e.ok(a),e.mergeEvaluated(u)})}};Fu.default=oA});var rf=T(Zu=>{"use strict";Object.defineProperty(Zu,"__esModule",{value:!0});var li=L(),tf=J(),aA={message:o(({params:e})=>(0,li.str)`must match "${e.ifClause}" schema`,"message"),params:o(({params:e})=>(0,li._)`{failingKeyword: ${e.ifClause}}`,"params")},iA={keyword:"if",schemaType:["object","boolean"],trackErrors:!0,error:aA,code(e){let{gen:t,parentSchema:r,it:n}=e;r.then===void 0&&r.else===void 0&&(0,tf.checkStrictMode)(n,'"if" without "then" and "else" is ignored');let a=ef(n,"then"),i=ef(n,"else");if(!a&&!i)return;let s=t.let("valid",!0),u=t.name("_valid");if(d(),e.reset(),a&&i){let p=t.let("ifClause");e.setParams({ifClause:p}),t.if(u,l("then",p),l("else",p))}else a?t.if(u,l("then")):t.if((0,li.not)(u),l("else"));e.pass(s,()=>e.error(!0));function d(){let p=e.subschema({keyword:"if",compositeRule:!0,createErrors:!1,allErrors:!1},u);e.mergeEvaluated(p)}o(d,"validateIf");function l(p,m){return()=>{let f=e.subschema({keyword:p},u);t.assign(s,u),e.mergeValidEvaluated(f,s),m?t.assign(m,(0,li._)`${p}`):e.setParams({ifClause:p})}}o(l,"validateClause")}};function ef(e,t){let r=e.schema[t];return r!==void 0&&!(0,tf.alwaysValidSchema)(e,r)}o(ef,"hasSchema");Zu.default=iA});var nf=T(Ku=>{"use strict";Object.defineProperty(Ku,"__esModule",{value:!0});var sA=J(),cA={keyword:["then","else"],schemaType:["object","boolean"],code({keyword:e,parentSchema:t,it:r}){t.if===void 0&&(0,sA.checkStrictMode)(r,`"${e}" without "if" is ignored`)}};Ku.default=cA});var of=T(Wu=>{"use strict";Object.defineProperty(Wu,"__esModule",{value:!0});var uA=xu(),dA=zh(),lA=Ou(),pA=Dh(),mA=Mh(),hA=Lh(),fA=Hh(),gA=$u(),_A=Vh(),yA=Wh(),SA=Jh(),wA=Yh(),vA=Xh(),RA=Qh(),bA=rf(),CA=nf();function IA(e=!1){let t=[SA.default,wA.default,vA.default,RA.default,bA.default,CA.default,fA.default,gA.default,hA.default,_A.default,yA.default];return e?t.push(dA.default,pA.default):t.push(uA.default,lA.default),t.push(mA.default),t}o(IA,"getApplicator");Wu.default=IA});var af=T(Ju=>{"use strict";Object.defineProperty(Ju,"__esModule",{value:!0});var fe=L(),TA={message:o(({schemaCode:e})=>(0,fe.str)`must match format "${e}"`,"message"),params:o(({schemaCode:e})=>(0,fe._)`{format: ${e}}`,"params")},AA={keyword:"format",type:["number","string"],schemaType:"string",$data:!0,error:TA,code(e,t){let{gen:r,data:n,$data:a,schema:i,schemaCode:s,it:u}=e,{opts:d,errSchemaPath:l,schemaEnv:p,self:m}=u;if(!d.validateFormats)return;a?f():_();function f(){let S=r.scopeValue("formats",{ref:m.formats,code:d.code.formats}),y=r.const("fDef",(0,fe._)`${S}[${s}]`),w=r.let("fType"),v=r.let("format");r.if((0,fe._)`typeof ${y} == "object" && !(${y} instanceof RegExp)`,()=>r.assign(w,(0,fe._)`${y}.type || "string"`).assign(v,(0,fe._)`${y}.validate`),()=>r.assign(w,(0,fe._)`"string"`).assign(v,y)),e.fail$data((0,fe.or)(R(),I()));function R(){return d.strictSchema===!1?fe.nil:(0,fe._)`${s} && !${v}`}o(R,"unknownFmt");function I(){let N=p.$async?(0,fe._)`(${y}.async ? await ${v}(${n}) : ${v}(${n}))`:(0,fe._)`${v}(${n})`,M=(0,fe._)`(typeof ${v} == "function" ? ${N} : ${v}.test(${n}))`;return(0,fe._)`${v} && ${v} !== true && ${w} === ${t} && !${M}`}o(I,"invalidFmt")}o(f,"validate$DataFormat");function _(){let S=m.formats[i];if(!S){R();return}if(S===!0)return;let[y,w,v]=I(S);y===t&&e.pass(N());function R(){if(d.strictSchema===!1){m.logger.warn(M());return}throw new Error(M());function M(){return`unknown format "${i}" ignored in schema at path "${l}"`}}o(R,"unknownFormat");function I(M){let Ye=M instanceof RegExp?(0,fe.regexpCode)(M):d.code.formats?(0,fe._)`${d.code.formats}${(0,fe.getProperty)(i)}`:void 0,xt=r.scopeValue("formats",{key:i,ref:M,code:Ye});return typeof M=="object"&&!(M instanceof RegExp)?[M.type||"string",M.validate,(0,fe._)`${xt}.validate`]:["string",M,xt]}o(I,"getFormat");function N(){if(typeof S=="object"&&!(S instanceof RegExp)&&S.async){if(!p.$async)throw new Error("async format in sync schema");return(0,fe._)`await ${v}(${n})`}return typeof w=="function"?(0,fe._)`${v}(${n})`:(0,fe._)`${v}.test(${n})`}o(N,"validCondition")}o(_,"validateFormat")}};Ju.default=AA});var sf=T(Yu=>{"use strict";Object.defineProperty(Yu,"__esModule",{value:!0});var kA=af(),PA=[kA.default];Yu.default=PA});var cf=T(mn=>{"use strict";Object.defineProperty(mn,"__esModule",{value:!0});mn.contentVocabulary=mn.metadataVocabulary=void 0;mn.metadataVocabulary=["title","description","default","deprecated","readOnly","writeOnly","examples"];mn.contentVocabulary=["contentMediaType","contentEncoding","contentSchema"]});var df=T(Xu=>{"use strict";Object.defineProperty(Xu,"__esModule",{value:!0});var EA=gh(),xA=Eh(),OA=of(),UA=sf(),uf=cf(),zA=[EA.default,xA.default,(0,OA.default)(),UA.default,uf.metadataVocabulary,uf.contentVocabulary];Xu.default=zA});var pf=T(pi=>{"use strict";Object.defineProperty(pi,"__esModule",{value:!0});pi.DiscrError=void 0;var lf;(function(e){e.Tag="tag",e.Mapping="mapping"})(lf||(pi.DiscrError=lf={}))});var hf=T(ed=>{"use strict";Object.defineProperty(ed,"__esModule",{value:!0});var hn=L(),Qu=pf(),mf=Za(),NA=yo(),DA=J(),MA={message:o(({params:{discrError:e,tagName:t}})=>e===Qu.DiscrError.Tag?`tag "${t}" must be string`:`value of tag "${t}" must be in oneOf`,"message"),params:o(({params:{discrError:e,tag:t,tagName:r}})=>(0,hn._)`{error: ${e}, tag: ${r}, tagValue: ${t}}`,"params")},qA={keyword:"discriminator",type:"object",schemaType:"object",error:MA,code(e){let{gen:t,data:r,schema:n,parentSchema:a,it:i}=e,{oneOf:s}=a;if(!i.opts.discriminator)throw new Error("discriminator: requires discriminator option");let u=n.propertyName;if(typeof u!="string")throw new Error("discriminator: requires propertyName");if(n.mapping)throw new Error("discriminator: mapping is not supported");if(!s)throw new Error("discriminator: requires oneOf keyword");let d=t.let("valid",!1),l=t.const("tag",(0,hn._)`${r}${(0,hn.getProperty)(u)}`);t.if((0,hn._)`typeof ${l} == "string"`,()=>p(),()=>e.error(!1,{discrError:Qu.DiscrError.Tag,tag:l,tagName:u})),e.ok(d);function p(){let _=f();t.if(!1);for(let S in _)t.elseIf((0,hn._)`${l} === ${S}`),t.assign(d,m(_[S]));t.else(),e.error(!1,{discrError:Qu.DiscrError.Mapping,tag:l,tagName:u}),t.endIf()}o(p,"validateMapping");function m(_){let S=t.name("valid"),y=e.subschema({keyword:"oneOf",schemaProp:_},S);return e.mergeEvaluated(y,hn.Name),S}o(m,"applyTagSchema");function f(){var _;let S={},y=v(a),w=!0;for(let N=0;N<s.length;N++){let M=s[N];if(M?.$ref&&!(0,DA.schemaHasRulesButRef)(M,i.self.RULES)){let xt=M.$ref;if(M=mf.resolveRef.call(i.self,i.schemaEnv.root,i.baseId,xt),M instanceof mf.SchemaEnv&&(M=M.schema),M===void 0)throw new NA.default(i.opts.uriResolver,i.baseId,xt)}let Ye=(_=M?.properties)===null||_===void 0?void 0:_[u];if(typeof Ye!="object")throw new Error(`discriminator: oneOf subschemas (or referenced schemas) must have "properties/${u}"`);w=w&&(y||v(M)),R(Ye,N)}if(!w)throw new Error(`discriminator: "${u}" must be required`);return S;function v({required:N}){return Array.isArray(N)&&N.includes(u)}function R(N,M){if(N.const)I(N.const,M);else if(N.enum)for(let Ye of N.enum)I(Ye,M);else throw new Error(`discriminator: "properties/${u}" must have "const" or "enum"`)}function I(N,M){if(typeof N!="string"||N in S)throw new Error(`discriminator: "${u}" values must be unique strings`);S[N]=M}}o(f,"getMapping")}};ed.default=qA});var ff=T((rG,$A)=>{$A.exports={$schema:"http://json-schema.org/draft-07/schema#",$id:"http://json-schema.org/draft-07/schema#",title:"Core schema meta-schema",definitions:{schemaArray:{type:"array",minItems:1,items:{$ref:"#"}},nonNegativeInteger:{type:"integer",minimum:0},nonNegativeIntegerDefault0:{allOf:[{$ref:"#/definitions/nonNegativeInteger"},{default:0}]},simpleTypes:{enum:["array","boolean","integer","null","number","object","string"]},stringArray:{type:"array",items:{type:"string"},uniqueItems:!0,default:[]}},type:["object","boolean"],properties:{$id:{type:"string",format:"uri-reference"},$schema:{type:"string",format:"uri"},$ref:{type:"string",format:"uri-reference"},$comment:{type:"string"},title:{type:"string"},description:{type:"string"},default:!0,readOnly:{type:"boolean",default:!1},examples:{type:"array",items:!0},multipleOf:{type:"number",exclusiveMinimum:0},maximum:{type:"number"},exclusiveMaximum:{type:"number"},minimum:{type:"number"},exclusiveMinimum:{type:"number"},maxLength:{$ref:"#/definitions/nonNegativeInteger"},minLength:{$ref:"#/definitions/nonNegativeIntegerDefault0"},pattern:{type:"string",format:"regex"},additionalItems:{$ref:"#"},items:{anyOf:[{$ref:"#"},{$ref:"#/definitions/schemaArray"}],default:!0},maxItems:{$ref:"#/definitions/nonNegativeInteger"},minItems:{$ref:"#/definitions/nonNegativeIntegerDefault0"},uniqueItems:{type:"boolean",default:!1},contains:{$ref:"#"},maxProperties:{$ref:"#/definitions/nonNegativeInteger"},minProperties:{$ref:"#/definitions/nonNegativeIntegerDefault0"},required:{$ref:"#/definitions/stringArray"},additionalProperties:{$ref:"#"},definitions:{type:"object",additionalProperties:{$ref:"#"},default:{}},properties:{type:"object",additionalProperties:{$ref:"#"},default:{}},patternProperties:{type:"object",additionalProperties:{$ref:"#"},propertyNames:{format:"regex"},default:{}},dependencies:{type:"object",additionalProperties:{anyOf:[{$ref:"#"},{$ref:"#/definitions/stringArray"}]}},propertyNames:{$ref:"#"},const:!0,enum:{type:"array",items:!0,minItems:1,uniqueItems:!0},type:{anyOf:[{$ref:"#/definitions/simpleTypes"},{type:"array",items:{$ref:"#/definitions/simpleTypes"},minItems:1,uniqueItems:!0}]},format:{type:"string"},contentMediaType:{type:"string"},contentEncoding:{type:"string"},if:{$ref:"#"},then:{$ref:"#"},else:{$ref:"#"},allOf:{$ref:"#/definitions/schemaArray"},anyOf:{$ref:"#/definitions/schemaArray"},oneOf:{$ref:"#/definitions/schemaArray"},not:{$ref:"#"}},default:!0}});var rd=T((ae,td)=>{"use strict";Object.defineProperty(ae,"__esModule",{value:!0});ae.MissingRefError=ae.ValidationError=ae.CodeGen=ae.Name=ae.nil=ae.stringify=ae.str=ae._=ae.KeywordCxt=ae.Ajv=void 0;var LA=dh(),jA=df(),HA=hf(),gf=ff(),GA=["/properties"],mi="http://json-schema.org/draft-07/schema",fn=class extends LA.default{static{o(this,"Ajv")}_addVocabularies(){super._addVocabularies(),jA.default.forEach(t=>this.addVocabulary(t)),this.opts.discriminator&&this.addKeyword(HA.default)}_addDefaultMetaSchema(){if(super._addDefaultMetaSchema(),!this.opts.meta)return;let t=this.opts.$data?this.$dataMetaSchema(gf,GA):gf;this.addMetaSchema(t,mi,!1),this.refs["http://json-schema.org/schema"]=mi}defaultMeta(){return this.opts.defaultMeta=super.defaultMeta()||(this.getSchema(mi)?mi:void 0)}};ae.Ajv=fn;td.exports=ae=fn;td.exports.Ajv=fn;Object.defineProperty(ae,"__esModule",{value:!0});ae.default=fn;var BA=_o();Object.defineProperty(ae,"KeywordCxt",{enumerable:!0,get:o(function(){return BA.KeywordCxt},"get")});var gn=L();Object.defineProperty(ae,"_",{enumerable:!0,get:o(function(){return gn._},"get")});Object.defineProperty(ae,"str",{enumerable:!0,get:o(function(){return gn.str},"get")});Object.defineProperty(ae,"stringify",{enumerable:!0,get:o(function(){return gn.stringify},"get")});Object.defineProperty(ae,"nil",{enumerable:!0,get:o(function(){return gn.nil},"get")});Object.defineProperty(ae,"Name",{enumerable:!0,get:o(function(){return gn.Name},"get")});Object.defineProperty(ae,"CodeGen",{enumerable:!0,get:o(function(){return gn.CodeGen},"get")});var VA=Va();Object.defineProperty(ae,"ValidationError",{enumerable:!0,get:o(function(){return VA.default},"get")});var FA=yo();Object.defineProperty(ae,"MissingRefError",{enumerable:!0,get:o(function(){return FA.default},"get")})});var Cf=T(It=>{"use strict";Object.defineProperty(It,"__esModule",{value:!0});It.formatNames=It.fastFormats=It.fullFormats=void 0;function Ct(e,t){return{validate:e,compare:t}}o(Ct,"fmtDef");It.fullFormats={date:Ct(wf,id),time:Ct(od(!0),sd),"date-time":Ct(_f(!0),Rf),"iso-time":Ct(od(),vf),"iso-date-time":Ct(_f(),bf),duration:/^P(?!$)((\d+Y)?(\d+M)?(\d+D)?(T(?=\d)(\d+H)?(\d+M)?(\d+S)?)?|(\d+W)?)$/,uri:XA,"uri-reference":/^(?:[a-z][a-z0-9+\-.]*:)?(?:\/?\/(?:(?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9a-f]{2})*@)?(?:\[(?:(?:(?:(?:[0-9a-f]{1,4}:){6}|::(?:[0-9a-f]{1,4}:){5}|(?:[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){4}|(?:(?:[0-9a-f]{1,4}:){0,1}[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){3}|(?:(?:[0-9a-f]{1,4}:){0,2}[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){2}|(?:(?:[0-9a-f]{1,4}:){0,3}[0-9a-f]{1,4})?::[0-9a-f]{1,4}:|(?:(?:[0-9a-f]{1,4}:){0,4}[0-9a-f]{1,4})?::)(?:[0-9a-f]{1,4}:[0-9a-f]{1,4}|(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?))|(?:(?:[0-9a-f]{1,4}:){0,5}[0-9a-f]{1,4})?::[0-9a-f]{1,4}|(?:(?:[0-9a-f]{1,4}:){0,6}[0-9a-f]{1,4})?::)|[Vv][0-9a-f]+\.[a-z0-9\-._~!$&'()*+,;=:]+)\]|(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?)|(?:[a-z0-9\-._~!$&'"()*+,;=]|%[0-9a-f]{2})*)(?::\d*)?(?:\/(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})*)*|\/(?:(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})+(?:\/(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})*)*)?|(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})+(?:\/(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})*)*)?(?:\?(?:[a-z0-9\-._~!$&'"()*+,;=:@/?]|%[0-9a-f]{2})*)?(?:#(?:[a-z0-9\-._~!$&'"()*+,;=:@/?]|%[0-9a-f]{2})*)?$/i,"uri-template":/^(?:(?:[^\x00-\x20"'<>%\\^`{|}]|%[0-9a-f]{2})|\{[+#./;?&=,!@|]?(?:[a-z0-9_]|%[0-9a-f]{2})+(?::[1-9][0-9]{0,3}|\*)?(?:,(?:[a-z0-9_]|%[0-9a-f]{2})+(?::[1-9][0-9]{0,3}|\*)?)*\})*$/i,url:/^(?:https?|ftp):\/\/(?:\S+(?::\S*)?@)?(?:(?!(?:10|127)(?:\.\d{1,3}){3})(?!(?:169\.254|192\.168)(?:\.\d{1,3}){2})(?!172\.(?:1[6-9]|2\d|3[0-1])(?:\.\d{1,3}){2})(?:[1-9]\d?|1\d\d|2[01]\d|22[0-3])(?:\.(?:1?\d{1,2}|2[0-4]\d|25[0-5])){2}(?:\.(?:[1-9]\d?|1\d\d|2[0-4]\d|25[0-4]))|(?:(?:[a-z0-9\u{00a1}-\u{ffff}]+-)*[a-z0-9\u{00a1}-\u{ffff}]+)(?:\.(?:[a-z0-9\u{00a1}-\u{ffff}]+-)*[a-z0-9\u{00a1}-\u{ffff}]+)*(?:\.(?:[a-z\u{00a1}-\u{ffff}]{2,})))(?::\d{2,5})?(?:\/[^\s]*)?$/iu,email:/^[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*@(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$/i,hostname:/^(?=.{1,253}\.?$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[-0-9a-z]{0,61}[0-9a-z])?)*\.?$/i,ipv4:/^(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.){3}(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)$/,ipv6:/^((([0-9a-f]{1,4}:){7}([0-9a-f]{1,4}|:))|(([0-9a-f]{1,4}:){6}(:[0-9a-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9a-f]{1,4}:){5}(((:[0-9a-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9a-f]{1,4}:){4}(((:[0-9a-f]{1,4}){1,3})|((:[0-9a-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){3}(((:[0-9a-f]{1,4}){1,4})|((:[0-9a-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){2}(((:[0-9a-f]{1,4}){1,5})|((:[0-9a-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){1}(((:[0-9a-f]{1,4}){1,6})|((:[0-9a-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9a-f]{1,4}){1,7})|((:[0-9a-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))$/i,regex:ak,uuid:/^(?:urn:uuid:)?[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$/i,"json-pointer":/^(?:\/(?:[^~/]|~0|~1)*)*$/,"json-pointer-uri-fragment":/^#(?:\/(?:[a-z0-9_\-.!$&'()*+,;:=@]|%[0-9a-f]{2}|~0|~1)*)*$/i,"relative-json-pointer":/^(?:0|[1-9][0-9]*)(?:#|(?:\/(?:[^~/]|~0|~1)*)*)$/,byte:QA,int32:{type:"number",validate:rk},int64:{type:"number",validate:nk},float:{type:"number",validate:Sf},double:{type:"number",validate:Sf},password:!0,binary:!0};It.fastFormats={...It.fullFormats,date:Ct(/^\d\d\d\d-[0-1]\d-[0-3]\d$/,id),time:Ct(/^(?:[0-2]\d:[0-5]\d:[0-5]\d|23:59:60)(?:\.\d+)?(?:z|[+-]\d\d(?::?\d\d)?)$/i,sd),"date-time":Ct(/^\d\d\d\d-[0-1]\d-[0-3]\dt(?:[0-2]\d:[0-5]\d:[0-5]\d|23:59:60)(?:\.\d+)?(?:z|[+-]\d\d(?::?\d\d)?)$/i,Rf),"iso-time":Ct(/^(?:[0-2]\d:[0-5]\d:[0-5]\d|23:59:60)(?:\.\d+)?(?:z|[+-]\d\d(?::?\d\d)?)?$/i,vf),"iso-date-time":Ct(/^\d\d\d\d-[0-1]\d-[0-3]\d[t\s](?:[0-2]\d:[0-5]\d:[0-5]\d|23:59:60)(?:\.\d+)?(?:z|[+-]\d\d(?::?\d\d)?)?$/i,bf),uri:/^(?:[a-z][a-z0-9+\-.]*:)(?:\/?\/)?[^\s]*$/i,"uri-reference":/^(?:(?:[a-z][a-z0-9+\-.]*:)?\/?\/)?(?:[^\\\s#][^\s#]*)?(?:#[^\\\s]*)?$/i,email:/^[a-z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$/i};It.formatNames=Object.keys(It.fullFormats);function ZA(e){return e%4===0&&(e%100!==0||e%400===0)}o(ZA,"isLeapYear");var KA=/^(\d\d\d\d)-(\d\d)-(\d\d)$/,WA=[0,31,28,31,30,31,30,31,31,30,31,30,31];function wf(e){let t=KA.exec(e);if(!t)return!1;let r=+t[1],n=+t[2],a=+t[3];return n>=1&&n<=12&&a>=1&&a<=(n===2&&ZA(r)?29:WA[n])}o(wf,"date");function id(e,t){if(e&&t)return e>t?1:e<t?-1:0}o(id,"compareDate");var nd=/^(\d\d):(\d\d):(\d\d(?:\.\d+)?)(z|([+-])(\d\d)(?::?(\d\d))?)?$/i;function od(e){return o(function(r){let n=nd.exec(r);if(!n)return!1;let a=+n[1],i=+n[2],s=+n[3],u=n[4],d=n[5]==="-"?-1:1,l=+(n[6]||0),p=+(n[7]||0);if(l>23||p>59||e&&!u)return!1;if(a<=23&&i<=59&&s<60)return!0;let m=i-p*d,f=a-l*d-(m<0?1:0);return(f===23||f===-1)&&(m===59||m===-1)&&s<61},"time")}o(od,"getTime");function sd(e,t){if(!(e&&t))return;let r=new Date("2020-01-01T"+e).valueOf(),n=new Date("2020-01-01T"+t).valueOf();if(r&&n)return r-n}o(sd,"compareTime");function vf(e,t){if(!(e&&t))return;let r=nd.exec(e),n=nd.exec(t);if(r&&n)return e=r[1]+r[2]+r[3],t=n[1]+n[2]+n[3],e>t?1:e<t?-1:0}o(vf,"compareIsoTime");var ad=/t|\s/i;function _f(e){let t=od(e);return o(function(n){let a=n.split(ad);return a.length===2&&wf(a[0])&&t(a[1])},"date_time")}o(_f,"getDateTime");function Rf(e,t){if(!(e&&t))return;let r=new Date(e).valueOf(),n=new Date(t).valueOf();if(r&&n)return r-n}o(Rf,"compareDateTime");function bf(e,t){if(!(e&&t))return;let[r,n]=e.split(ad),[a,i]=t.split(ad),s=id(r,a);if(s!==void 0)return s||sd(n,i)}o(bf,"compareIsoDateTime");var JA=/\/|:/,YA=/^(?:[a-z][a-z0-9+\-.]*:)(?:\/?\/(?:(?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9a-f]{2})*@)?(?:\[(?:(?:(?:(?:[0-9a-f]{1,4}:){6}|::(?:[0-9a-f]{1,4}:){5}|(?:[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){4}|(?:(?:[0-9a-f]{1,4}:){0,1}[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){3}|(?:(?:[0-9a-f]{1,4}:){0,2}[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){2}|(?:(?:[0-9a-f]{1,4}:){0,3}[0-9a-f]{1,4})?::[0-9a-f]{1,4}:|(?:(?:[0-9a-f]{1,4}:){0,4}[0-9a-f]{1,4})?::)(?:[0-9a-f]{1,4}:[0-9a-f]{1,4}|(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?))|(?:(?:[0-9a-f]{1,4}:){0,5}[0-9a-f]{1,4})?::[0-9a-f]{1,4}|(?:(?:[0-9a-f]{1,4}:){0,6}[0-9a-f]{1,4})?::)|[Vv][0-9a-f]+\.[a-z0-9\-._~!$&'()*+,;=:]+)\]|(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?)|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9a-f]{2})*)(?::\d*)?(?:\/(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})*)*|\/(?:(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})+(?:\/(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})*)*)?|(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})+(?:\/(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})*)*)(?:\?(?:[a-z0-9\-._~!$&'()*+,;=:@/?]|%[0-9a-f]{2})*)?(?:#(?:[a-z0-9\-._~!$&'()*+,;=:@/?]|%[0-9a-f]{2})*)?$/i;function XA(e){return JA.test(e)&&YA.test(e)}o(XA,"uri");var yf=/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/gm;function QA(e){return yf.lastIndex=0,yf.test(e)}o(QA,"byte");var ek=-(2**31),tk=2**31-1;function rk(e){return Number.isInteger(e)&&e<=tk&&e>=ek}o(rk,"validateInt32");function nk(e){return Number.isInteger(e)}o(nk,"validateInt64");function Sf(){return!0}o(Sf,"validateNumber");var ok=/[^\\]\\Z/;function ak(e){if(ok.test(e))return!1;try{return new RegExp(e),!0}catch{return!1}}o(ak,"regex")});var If=T(_n=>{"use strict";Object.defineProperty(_n,"__esModule",{value:!0});_n.formatLimitDefinition=void 0;var ik=rd(),ht=L(),lr=ht.operators,hi={formatMaximum:{okStr:"<=",ok:lr.LTE,fail:lr.GT},formatMinimum:{okStr:">=",ok:lr.GTE,fail:lr.LT},formatExclusiveMaximum:{okStr:"<",ok:lr.LT,fail:lr.GTE},formatExclusiveMinimum:{okStr:">",ok:lr.GT,fail:lr.LTE}},sk={message:o(({keyword:e,schemaCode:t})=>(0,ht.str)`should be ${hi[e].okStr} ${t}`,"message"),params:o(({keyword:e,schemaCode:t})=>(0,ht._)`{comparison: ${hi[e].okStr}, limit: ${t}}`,"params")};_n.formatLimitDefinition={keyword:Object.keys(hi),type:"string",schemaType:"string",$data:!0,error:sk,code(e){let{gen:t,data:r,schemaCode:n,keyword:a,it:i}=e,{opts:s,self:u}=i;if(!s.validateFormats)return;let d=new ik.KeywordCxt(i,u.RULES.all.format.definition,"format");d.$data?l():p();function l(){let f=t.scopeValue("formats",{ref:u.formats,code:s.code.formats}),_=t.const("fmt",(0,ht._)`${f}[${d.schemaCode}]`);e.fail$data((0,ht.or)((0,ht._)`typeof ${_} != "object"`,(0,ht._)`${_} instanceof RegExp`,(0,ht._)`typeof ${_}.compare != "function"`,m(_)))}o(l,"validate$DataFormat");function p(){let f=d.schema,_=u.formats[f];if(!_||_===!0)return;if(typeof _!="object"||_ instanceof RegExp||typeof _.compare!="function")throw new Error(`"${a}": format "${f}" does not define "compare" function`);let S=t.scopeValue("formats",{key:f,ref:_,code:s.code.formats?(0,ht._)`${s.code.formats}${(0,ht.getProperty)(f)}`:void 0});e.fail$data(m(S))}o(p,"validateFormat");function m(f){return(0,ht._)`${f}.compare(${r}, ${n}) ${hi[a].fail} 0`}o(m,"compareCode")},dependencies:["format"]};var ck=o(e=>(e.addKeyword(_n.formatLimitDefinition),e),"formatLimitPlugin");_n.default=ck});var Pf=T((Oo,kf)=>{"use strict";Object.defineProperty(Oo,"__esModule",{value:!0});var yn=Cf(),uk=If(),cd=L(),Tf=new cd.Name("fullFormats"),dk=new cd.Name("fastFormats"),ud=o((e,t={keywords:!0})=>{if(Array.isArray(t))return Af(e,t,yn.fullFormats,Tf),e;let[r,n]=t.mode==="fast"?[yn.fastFormats,dk]:[yn.fullFormats,Tf],a=t.formats||yn.formatNames;return Af(e,a,r,n),t.keywords&&(0,uk.default)(e),e},"formatsPlugin");ud.get=(e,t="full")=>{let n=(t==="fast"?yn.fastFormats:yn.fullFormats)[e];if(!n)throw new Error(`Unknown format "${e}"`);return n};function Af(e,t,r,n){var a,i;(a=(i=e.opts.code).formats)!==null&&a!==void 0||(i.formats=(0,cd._)`require("ajv-formats/dist/formats").${n}`);for(let s of t)e.addFormat(s,r[s])}o(Af,"addFormats");kf.exports=Oo=ud;Object.defineProperty(Oo,"__esModule",{value:!0});Oo.default=ud});Yw();function Jt(e){return!!e._zod}o(Jt,"isZ4Schema");function Me(e,t){return Jt(e)?Ds(e,t):e.safeParse(t)}o(Me,"safeParse");function Jr(e){if(!e)return;let t;if(Jt(e)?t=e._zod?.def?.shape:t=e.shape,!!t){if(typeof t=="function")try{return t()}catch{return}return t}}o(Jr,"getObjectShape");function Ap(e){if(Jt(e)){let i=e._zod?.def;if(i){if(i.value!==void 0)return i.value;if(Array.isArray(i.values)&&i.values.length>0)return i.values[0]}}let r=e._def;if(r){if(r.value!==void 0)return r.value;if(Array.isArray(r.values)&&r.values.length>0)return r.values[0]}let n=e.value;if(n!==void 0)return n}o(Ap,"getLiteralValue");Y();var Xt="2025-11-25",kp="2025-03-26",Qt=[Xt,"2025-06-18","2025-03-26","2024-11-05","2024-10-07"],er="io.modelcontextprotocol/related-task",Sa="2.0",we=Cp(e=>e!==null&&(typeof e=="object"||typeof e=="function")),Pp=se([h(),K().int()]),Ep=h(),wM=Se({ttl:K().optional(),pollInterval:K().optional()}),ev=C({ttl:K().optional()}),tv=C({taskId:h()}),Ls=Se({progressToken:Pp.optional(),[er]:tv.optional()}),Qe=C({_meta:Ls.optional()}),Fn=Qe.extend({task:ev.optional()}),xp=o(e=>Fn.safeParse(e).success,"isTaskAugmentedRequestParams"),Re=C({method:h(),params:Qe.loose().optional()}),et=C({_meta:Ls.optional()}),tt=C({method:h(),params:et.loose().optional()}),be=Se({_meta:Ls.optional()}),wa=se([h(),K().int()]),Op=C({jsonrpc:P(Sa),id:wa,...Re.shape}).strict(),St=o(e=>Op.safeParse(e).success,"isJSONRPCRequest"),Up=C({jsonrpc:P(Sa),...tt.shape}).strict(),zp=o(e=>Up.safeParse(e).success,"isJSONRPCNotification"),js=C({jsonrpc:P(Sa),id:wa,result:be}).strict(),ut=o(e=>js.safeParse(e).success,"isJSONRPCResultResponse");var k;(function(e){e[e.ConnectionClosed=-32e3]="ConnectionClosed",e[e.RequestTimeout=-32001]="RequestTimeout",e[e.ParseError=-32700]="ParseError",e[e.InvalidRequest=-32600]="InvalidRequest",e[e.MethodNotFound=-32601]="MethodNotFound",e[e.InvalidParams=-32602]="InvalidParams",e[e.InternalError=-32603]="InternalError",e[e.UrlElicitationRequired=-32042]="UrlElicitationRequired"})(k||(k={}));var Hs=C({jsonrpc:P(Sa),id:wa.optional(),error:C({code:K().int(),message:h(),data:he().optional()})}).strict();var Xr=o(e=>Hs.safeParse(e).success,"isJSONRPCErrorResponse");var wr=se([Op,Up,js,Hs]),vM=se([js,Hs]),zt=be.strict(),rv=et.extend({requestId:wa.optional(),reason:h().optional()}),va=tt.extend({method:P("notifications/cancelled"),params:rv}),nv=C({src:h(),mimeType:h().optional(),sizes:b(h()).optional(),theme:Xe(["light","dark"]).optional()}),Zn=C({icons:b(nv).optional()}),Yr=C({name:h(),title:h().optional()}),Qr=Yr.extend({...Yr.shape,...Zn.shape,version:h(),websiteUrl:h().optional(),description:h().optional()}),ov=qs(C({applyDefaults:ee().optional()}),ne(h(),he())),av=$s(e=>e&&typeof e=="object"&&!Array.isArray(e)&&Object.keys(e).length===0?{form:{}}:e,qs(C({form:ov.optional(),url:we.optional()}),ne(h(),he()).optional())),iv=Se({list:we.optional(),cancel:we.optional(),requests:Se({sampling:Se({createMessage:we.optional()}).optional(),elicitation:Se({create:we.optional()}).optional()}).optional()}),sv=Se({list:we.optional(),cancel:we.optional(),requests:Se({tools:Se({call:we.optional()}).optional()}).optional()}),cv=C({experimental:ne(h(),we).optional(),sampling:C({context:we.optional(),tools:we.optional()}).optional(),elicitation:av.optional(),roots:C({listChanged:ee().optional()}).optional(),tasks:iv.optional(),extensions:ne(h(),we).optional()}),uv=Qe.extend({protocolVersion:h(),capabilities:cv,clientInfo:Qr}),Ra=Re.extend({method:P("initialize"),params:uv}),Gs=o(e=>Ra.safeParse(e).success,"isInitializeRequest"),dv=C({experimental:ne(h(),we).optional(),logging:we.optional(),completions:we.optional(),prompts:C({listChanged:ee().optional()}).optional(),resources:C({subscribe:ee().optional(),listChanged:ee().optional()}).optional(),tools:C({listChanged:ee().optional()}).optional(),tasks:sv.optional(),extensions:ne(h(),we).optional()}),Bs=be.extend({protocolVersion:h(),capabilities:dv,serverInfo:Qr,instructions:h().optional()}),ba=tt.extend({method:P("notifications/initialized"),params:et.optional()}),Np=o(e=>ba.safeParse(e).success,"isInitializedNotification"),Ca=Re.extend({method:P("ping"),params:Qe.optional()}),lv=C({progress:K(),total:pe(K()),message:pe(h())}),pv=C({...et.shape,...lv.shape,progressToken:Pp}),Ia=tt.extend({method:P("notifications/progress"),params:pv}),mv=Qe.extend({cursor:Ep.optional()}),Kn=Re.extend({params:mv.optional()}),Wn=be.extend({nextCursor:Ep.optional()}),hv=Xe(["working","input_required","completed","failed","cancelled"]),Jn=C({taskId:h(),status:hv,ttl:se([K(),Rp()]),createdAt:h(),lastUpdatedAt:h(),pollInterval:pe(K()),statusMessage:pe(h())}),Nt=be.extend({task:Jn}),fv=et.merge(Jn),Yn=tt.extend({method:P("notifications/tasks/status"),params:fv}),Ta=Re.extend({method:P("tasks/get"),params:Qe.extend({taskId:h()})}),Aa=be.merge(Jn),ka=Re.extend({method:P("tasks/result"),params:Qe.extend({taskId:h()})}),RM=be.loose(),Pa=Kn.extend({method:P("tasks/list")}),Ea=Wn.extend({tasks:b(Jn)}),xa=Re.extend({method:P("tasks/cancel"),params:Qe.extend({taskId:h()})}),Dp=be.merge(Jn),Mp=C({uri:h(),mimeType:pe(h()),_meta:ne(h(),he()).optional()}),qp=Mp.extend({text:h()}),Vs=h().refine(e=>{try{return atob(e),!0}catch{return!1}},{message:"Invalid Base64 string"}),$p=Mp.extend({blob:Vs}),Xn=Xe(["user","assistant"]),en=C({audience:b(Xn).optional(),priority:K().min(0).max(1).optional(),lastModified:wp.datetime({offset:!0}).optional()}),Lp=C({...Yr.shape,...Zn.shape,uri:h(),description:pe(h()),mimeType:pe(h()),size:pe(K()),annotations:en.optional(),_meta:pe(Se({}))}),gv=C({...Yr.shape,...Zn.shape,uriTemplate:h(),description:pe(h()),mimeType:pe(h()),annotations:en.optional(),_meta:pe(Se({}))}),Fs=Kn.extend({method:P("resources/list")}),Zs=Wn.extend({resources:b(Lp)}),_v=Kn.extend({method:P("resources/templates/list")}),Ks=Wn.extend({resourceTemplates:b(gv)}),Ws=Qe.extend({uri:h()}),yv=Ws,Js=Re.extend({method:P("resources/read"),params:yv}),Ys=be.extend({contents:b(se([qp,$p]))}),Xs=tt.extend({method:P("notifications/resources/list_changed"),params:et.optional()}),Sv=Ws,wv=Re.extend({method:P("resources/subscribe"),params:Sv}),vv=Ws,Rv=Re.extend({method:P("resources/unsubscribe"),params:vv}),bv=et.extend({uri:h()}),Cv=tt.extend({method:P("notifications/resources/updated"),params:bv}),Iv=C({name:h(),description:pe(h()),required:pe(ee())}),Tv=C({...Yr.shape,...Zn.shape,description:pe(h()),arguments:pe(b(Iv)),_meta:pe(Se({}))}),Qs=Kn.extend({method:P("prompts/list")}),ec=Wn.extend({prompts:b(Tv)}),Av=Qe.extend({name:h(),arguments:ne(h(),h()).optional()}),tc=Re.extend({method:P("prompts/get"),params:Av}),rc=C({type:P("text"),text:h(),annotations:en.optional(),_meta:ne(h(),he()).optional()}),nc=C({type:P("image"),data:Vs,mimeType:h(),annotations:en.optional(),_meta:ne(h(),he()).optional()}),oc=C({type:P("audio"),data:Vs,mimeType:h(),annotations:en.optional(),_meta:ne(h(),he()).optional()}),kv=C({type:P("tool_use"),name:h(),id:h(),input:ne(h(),he()),_meta:ne(h(),he()).optional()}),Pv=C({type:P("resource"),resource:se([qp,$p]),annotations:en.optional(),_meta:ne(h(),he()).optional()}),Ev=Lp.extend({type:P("resource_link")}),ac=se([rc,nc,oc,Ev,Pv]),xv=C({role:Xn,content:ac}),ic=be.extend({description:h().optional(),messages:b(xv)}),sc=tt.extend({method:P("notifications/prompts/list_changed"),params:et.optional()}),Ov=C({title:h().optional(),readOnlyHint:ee().optional(),destructiveHint:ee().optional(),idempotentHint:ee().optional(),openWorldHint:ee().optional()}),Uv=C({taskSupport:Xe(["required","optional","forbidden"]).optional()}),jp=C({...Yr.shape,...Zn.shape,description:h().optional(),inputSchema:C({type:P("object"),properties:ne(h(),we).optional(),required:b(h()).optional()}).catchall(he()),outputSchema:C({type:P("object"),properties:ne(h(),we).optional(),required:b(h()).optional()}).catchall(he()).optional(),annotations:Ov.optional(),execution:Uv.optional(),_meta:ne(h(),he()).optional()}),cc=Kn.extend({method:P("tools/list")}),uc=Wn.extend({tools:b(jp)}),tr=be.extend({content:b(ac).default([]),structuredContent:ne(h(),he()).optional(),isError:ee().optional()}),bM=tr.or(be.extend({toolResult:he()})),zv=Fn.extend({name:h(),arguments:ne(h(),he()).optional()}),Qn=Re.extend({method:P("tools/call"),params:zv}),dc=tt.extend({method:P("notifications/tools/list_changed"),params:et.optional()}),Hp=C({autoRefresh:ee().default(!0),debounceMs:K().int().nonnegative().default(300)}),eo=Xe(["debug","info","notice","warning","error","critical","alert","emergency"]),Nv=Qe.extend({level:eo}),lc=Re.extend({method:P("logging/setLevel"),params:Nv}),Dv=et.extend({level:eo,logger:h().optional(),data:he()}),Mv=tt.extend({method:P("notifications/message"),params:Dv}),qv=C({name:h().optional()}),$v=C({hints:b(qv).optional(),costPriority:K().min(0).max(1).optional(),speedPriority:K().min(0).max(1).optional(),intelligencePriority:K().min(0).max(1).optional()}),Lv=C({mode:Xe(["auto","required","none"]).optional()}),jv=C({type:P("tool_result"),toolUseId:h().describe("The unique identifier for the corresponding tool call."),content:b(ac).default([]),structuredContent:C({}).loose().optional(),isError:ee().optional(),_meta:ne(h(),he()).optional()}),Hv=Ms("type",[rc,nc,oc]),ya=Ms("type",[rc,nc,oc,kv,jv]),Gv=C({role:Xn,content:se([ya,b(ya)]),_meta:ne(h(),he()).optional()}),Bv=Fn.extend({messages:b(Gv),modelPreferences:$v.optional(),systemPrompt:h().optional(),includeContext:Xe(["none","thisServer","allServers"]).optional(),temperature:K().optional(),maxTokens:K().int(),stopSequences:b(h()).optional(),metadata:we.optional(),tools:b(jp).optional(),toolChoice:Lv.optional()}),pc=Re.extend({method:P("sampling/createMessage"),params:Bv}),vr=be.extend({model:h(),stopReason:pe(Xe(["endTurn","stopSequence","maxTokens"]).or(h())),role:Xn,content:Hv}),to=be.extend({model:h(),stopReason:pe(Xe(["endTurn","stopSequence","maxTokens","toolUse"]).or(h())),role:Xn,content:se([ya,b(ya)])}),Vv=C({type:P("boolean"),title:h().optional(),description:h().optional(),default:ee().optional()}),Fv=C({type:P("string"),title:h().optional(),description:h().optional(),minLength:K().optional(),maxLength:K().optional(),format:Xe(["email","uri","date","date-time"]).optional(),default:h().optional()}),Zv=C({type:Xe(["number","integer"]),title:h().optional(),description:h().optional(),minimum:K().optional(),maximum:K().optional(),default:K().optional()}),Kv=C({type:P("string"),title:h().optional(),description:h().optional(),enum:b(h()),default:h().optional()}),Wv=C({type:P("string"),title:h().optional(),description:h().optional(),oneOf:b(C({const:h(),title:h()})),default:h().optional()}),Jv=C({type:P("string"),title:h().optional(),description:h().optional(),enum:b(h()),enumNames:b(h()).optional(),default:h().optional()}),Yv=se([Kv,Wv]),Xv=C({type:P("array"),title:h().optional(),description:h().optional(),minItems:K().optional(),maxItems:K().optional(),items:C({type:P("string"),enum:b(h())}),default:b(h()).optional()}),Qv=C({type:P("array"),title:h().optional(),description:h().optional(),minItems:K().optional(),maxItems:K().optional(),items:C({anyOf:b(C({const:h(),title:h()}))}),default:b(h()).optional()}),eR=se([Xv,Qv]),tR=se([Jv,Yv,eR]),rR=se([tR,Vv,Fv,Zv]),nR=Fn.extend({mode:P("form").optional(),message:h(),requestedSchema:C({type:P("object"),properties:ne(h(),rR),required:b(h()).optional()})}),oR=Fn.extend({mode:P("url"),message:h(),elicitationId:h(),url:h().url()}),aR=se([nR,oR]),mc=Re.extend({method:P("elicitation/create"),params:aR}),iR=et.extend({elicitationId:h()}),sR=tt.extend({method:P("notifications/elicitation/complete"),params:iR}),rr=be.extend({action:Xe(["accept","decline","cancel"]),content:$s(e=>e===null?void 0:e,ne(h(),se([h(),K(),ee(),b(h())])).optional())}),cR=C({type:P("ref/resource"),uri:h()});var uR=C({type:P("ref/prompt"),name:h()}),dR=Qe.extend({ref:se([uR,cR]),argument:C({name:h(),value:h()}),context:C({arguments:ne(h(),h()).optional()}).optional()}),lR=Re.extend({method:P("completion/complete"),params:dR});var hc=be.extend({completion:Se({values:b(h()).max(100),total:pe(K().int()),hasMore:pe(ee())})}),pR=C({uri:h().startsWith("file://"),name:h().optional(),_meta:ne(h(),he()).optional()}),mR=Re.extend({method:P("roots/list"),params:Qe.optional()}),fc=be.extend({roots:b(pR)}),hR=tt.extend({method:P("notifications/roots/list_changed"),params:et.optional()}),CM=se([Ca,Ra,lR,lc,tc,Qs,Fs,_v,Js,wv,Rv,Qn,cc,Ta,ka,Pa,xa]),IM=se([va,Ia,ba,hR,Yn]),TM=se([zt,vr,to,rr,fc,Aa,Ea,Nt]),AM=se([Ca,pc,mc,mR,Ta,ka,Pa,xa]),kM=se([va,Ia,Mv,Cv,Xs,dc,sc,Yn,sR]),PM=se([zt,Bs,hc,ic,ec,Zs,Ks,Ys,tr,uc,Aa,Ea,Nt]),A=class e extends Error{static{o(this,"McpError")}constructor(t,r,n){super(`MCP error ${t}: ${r}`),this.code=t,this.data=n,this.name="McpError"}static fromError(t,r,n){if(t===k.UrlElicitationRequired&&n){let a=n;if(a.elicitations)return new Yt(a.elicitations,r)}return new e(t,r,n)}},Yt=class extends A{static{o(this,"UrlElicitationRequiredError")}constructor(t,r=`URL elicitation${t.length>1?"s":""} required`){super(k.UrlElicitationRequired,r,{elicitations:t})}get elicitations(){return this.data?.elicitations??[]}};function nr(e){return e==="completed"||e==="failed"||e==="cancelled"}o(nr,"isTerminal");var fR=Symbol("Let zodToJsonSchema decide on which parser to use");var Tq=new Set("ABCDEFGHIJKLMNOPQRSTUVXYZabcdefghijklmnopqrstuvxyz0123456789");function gc(e){let r=Jr(e)?.method;if(!r)throw new Error("Schema is missing a method literal");let n=Ap(r);if(typeof n!="string")throw new Error("Schema method literal must be a string");return n}o(gc,"getMethodLiteral");function _c(e,t){let r=Me(e,t);if(!r.success)throw r.error;return r.data}o(_c,"parseWithCompat");var vR=6e4,tn=class{static{o(this,"Protocol")}constructor(t){this._options=t,this._requestMessageId=0,this._requestHandlers=new Map,this._requestHandlerAbortControllers=new Map,this._notificationHandlers=new Map,this._responseHandlers=new Map,this._progressHandlers=new Map,this._timeoutInfo=new Map,this._pendingDebouncedNotifications=new Set,this._taskProgressTokens=new Map,this._requestResolvers=new Map,this.setNotificationHandler(va,r=>{this._oncancel(r)}),this.setNotificationHandler(Ia,r=>{this._onprogress(r)}),this.setRequestHandler(Ca,r=>({})),this._taskStore=t?.taskStore,this._taskMessageQueue=t?.taskMessageQueue,this._taskStore&&(this.setRequestHandler(Ta,async(r,n)=>{let a=await this._taskStore.getTask(r.params.taskId,n.sessionId);if(!a)throw new A(k.InvalidParams,"Failed to retrieve task: Task not found");return{...a}}),this.setRequestHandler(ka,async(r,n)=>{let a=o(async()=>{let i=r.params.taskId;if(this._taskMessageQueue){let u;for(;u=await this._taskMessageQueue.dequeue(i,n.sessionId);){if(u.type==="response"||u.type==="error"){let d=u.message,l=d.id,p=this._requestResolvers.get(l);if(p)if(this._requestResolvers.delete(l),u.type==="response")p(d);else{let m=d,f=new A(m.error.code,m.error.message,m.error.data);p(f)}else{let m=u.type==="response"?"Response":"Error";this._onerror(new Error(`${m} handler missing for request ${l}`))}continue}await this._transport?.send(u.message,{relatedRequestId:n.requestId})}}let s=await this._taskStore.getTask(i,n.sessionId);if(!s)throw new A(k.InvalidParams,`Task not found: ${i}`);if(!nr(s.status))return await this._waitForTaskUpdate(i,n.signal),await a();if(nr(s.status)){let u=await this._taskStore.getTaskResult(i,n.sessionId);return this._clearTaskQueue(i),{...u,_meta:{...u._meta,[er]:{taskId:i}}}}return await a()},"handleTaskResult");return await a()}),this.setRequestHandler(Pa,async(r,n)=>{try{let{tasks:a,nextCursor:i}=await this._taskStore.listTasks(r.params?.cursor,n.sessionId);return{tasks:a,nextCursor:i,_meta:{}}}catch(a){throw new A(k.InvalidParams,`Failed to list tasks: ${a instanceof Error?a.message:String(a)}`)}}),this.setRequestHandler(xa,async(r,n)=>{try{let a=await this._taskStore.getTask(r.params.taskId,n.sessionId);if(!a)throw new A(k.InvalidParams,`Task not found: ${r.params.taskId}`);if(nr(a.status))throw new A(k.InvalidParams,`Cannot cancel task in terminal status: ${a.status}`);await this._taskStore.updateTaskStatus(r.params.taskId,"cancelled","Client cancelled task execution.",n.sessionId),this._clearTaskQueue(r.params.taskId);let i=await this._taskStore.getTask(r.params.taskId,n.sessionId);if(!i)throw new A(k.InvalidParams,`Task not found after cancellation: ${r.params.taskId}`);return{_meta:{},...i}}catch(a){throw a instanceof A?a:new A(k.InvalidRequest,`Failed to cancel task: ${a instanceof Error?a.message:String(a)}`)}}))}async _oncancel(t){if(!t.params.requestId)return;this._requestHandlerAbortControllers.get(t.params.requestId)?.abort(t.params.reason)}_setupTimeout(t,r,n,a,i=!1){this._timeoutInfo.set(t,{timeoutId:setTimeout(a,r),startTime:Date.now(),timeout:r,maxTotalTimeout:n,resetTimeoutOnProgress:i,onTimeout:a})}_resetTimeout(t){let r=this._timeoutInfo.get(t);if(!r)return!1;let n=Date.now()-r.startTime;if(r.maxTotalTimeout&&n>=r.maxTotalTimeout)throw this._timeoutInfo.delete(t),A.fromError(k.RequestTimeout,"Maximum total timeout exceeded",{maxTotalTimeout:r.maxTotalTimeout,totalElapsed:n});return clearTimeout(r.timeoutId),r.timeoutId=setTimeout(r.onTimeout,r.timeout),!0}_cleanupTimeout(t){let r=this._timeoutInfo.get(t);r&&(clearTimeout(r.timeoutId),this._timeoutInfo.delete(t))}async connect(t){if(this._transport)throw new Error("Already connected to a transport. Call close() before connecting to a new transport, or use a separate Protocol instance per connection.");this._transport=t;let r=this.transport?.onclose;this._transport.onclose=()=>{r?.(),this._onclose()};let n=this.transport?.onerror;this._transport.onerror=i=>{n?.(i),this._onerror(i)};let a=this._transport?.onmessage;this._transport.onmessage=(i,s)=>{a?.(i,s),ut(i)||Xr(i)?this._onresponse(i):St(i)?this._onrequest(i,s):zp(i)?this._onnotification(i):this._onerror(new Error(`Unknown message type: ${JSON.stringify(i)}`))},await this._transport.start()}_onclose(){let t=this._responseHandlers;this._responseHandlers=new Map,this._progressHandlers.clear(),this._taskProgressTokens.clear(),this._pendingDebouncedNotifications.clear();for(let n of this._timeoutInfo.values())clearTimeout(n.timeoutId);this._timeoutInfo.clear();for(let n of this._requestHandlerAbortControllers.values())n.abort();this._requestHandlerAbortControllers.clear();let r=A.fromError(k.ConnectionClosed,"Connection closed");this._transport=void 0,this.onclose?.();for(let n of t.values())n(r)}_onerror(t){this.onerror?.(t)}_onnotification(t){let r=this._notificationHandlers.get(t.method)??this.fallbackNotificationHandler;r!==void 0&&Promise.resolve().then(()=>r(t)).catch(n=>this._onerror(new Error(`Uncaught error in notification handler: ${n}`)))}_onrequest(t,r){let n=this._requestHandlers.get(t.method)??this.fallbackRequestHandler,a=this._transport,i=t.params?._meta?.[er]?.taskId;if(n===void 0){let p={jsonrpc:"2.0",id:t.id,error:{code:k.MethodNotFound,message:"Method not found"}};i&&this._taskMessageQueue?this._enqueueTaskMessage(i,{type:"error",message:p,timestamp:Date.now()},a?.sessionId).catch(m=>this._onerror(new Error(`Failed to enqueue error response: ${m}`))):a?.send(p).catch(m=>this._onerror(new Error(`Failed to send an error response: ${m}`)));return}let s=new AbortController;this._requestHandlerAbortControllers.set(t.id,s);let u=xp(t.params)?t.params.task:void 0,d=this._taskStore?this.requestTaskStore(t,a?.sessionId):void 0,l={signal:s.signal,sessionId:a?.sessionId,_meta:t.params?._meta,sendNotification:o(async p=>{if(s.signal.aborted)return;let m={relatedRequestId:t.id};i&&(m.relatedTask={taskId:i}),await this.notification(p,m)},"sendNotification"),sendRequest:o(async(p,m,f)=>{if(s.signal.aborted)throw new A(k.ConnectionClosed,"Request was cancelled");let _={...f,relatedRequestId:t.id};i&&!_.relatedTask&&(_.relatedTask={taskId:i});let S=_.relatedTask?.taskId??i;return S&&d&&await d.updateTaskStatus(S,"input_required"),await this.request(p,m,_)},"sendRequest"),authInfo:r?.authInfo,requestId:t.id,requestInfo:r?.requestInfo,taskId:i,taskStore:d,taskRequestedTtl:u?.ttl,closeSSEStream:r?.closeSSEStream,closeStandaloneSSEStream:r?.closeStandaloneSSEStream};Promise.resolve().then(()=>{u&&this.assertTaskHandlerCapability(t.method)}).then(()=>n(t,l)).then(async p=>{if(s.signal.aborted)return;let m={result:p,jsonrpc:"2.0",id:t.id};i&&this._taskMessageQueue?await this._enqueueTaskMessage(i,{type:"response",message:m,timestamp:Date.now()},a?.sessionId):await a?.send(m)},async p=>{if(s.signal.aborted)return;let m={jsonrpc:"2.0",id:t.id,error:{code:Number.isSafeInteger(p.code)?p.code:k.InternalError,message:p.message??"Internal error",...p.data!==void 0&&{data:p.data}}};i&&this._taskMessageQueue?await this._enqueueTaskMessage(i,{type:"error",message:m,timestamp:Date.now()},a?.sessionId):await a?.send(m)}).catch(p=>this._onerror(new Error(`Failed to send response: ${p}`))).finally(()=>{this._requestHandlerAbortControllers.get(t.id)===s&&this._requestHandlerAbortControllers.delete(t.id)})}_onprogress(t){let{progressToken:r,...n}=t.params,a=Number(r),i=this._progressHandlers.get(a);if(!i){this._onerror(new Error(`Received a progress notification for an unknown token: ${JSON.stringify(t)}`));return}let s=this._responseHandlers.get(a),u=this._timeoutInfo.get(a);if(u&&s&&u.resetTimeoutOnProgress)try{this._resetTimeout(a)}catch(d){this._responseHandlers.delete(a),this._progressHandlers.delete(a),this._cleanupTimeout(a),s(d);return}i(n)}_onresponse(t){let r=Number(t.id),n=this._requestResolvers.get(r);if(n){if(this._requestResolvers.delete(r),ut(t))n(t);else{let s=new A(t.error.code,t.error.message,t.error.data);n(s)}return}let a=this._responseHandlers.get(r);if(a===void 0){this._onerror(new Error(`Received a response for an unknown message ID: ${JSON.stringify(t)}`));return}this._responseHandlers.delete(r),this._cleanupTimeout(r);let i=!1;if(ut(t)&&t.result&&typeof t.result=="object"){let s=t.result;if(s.task&&typeof s.task=="object"){let u=s.task;typeof u.taskId=="string"&&(i=!0,this._taskProgressTokens.set(u.taskId,r))}}if(i||this._progressHandlers.delete(r),ut(t))a(t);else{let s=A.fromError(t.error.code,t.error.message,t.error.data);a(s)}}get transport(){return this._transport}async close(){await this._transport?.close()}async*requestStream(t,r,n){let{task:a}=n??{};if(!a){try{yield{type:"result",result:await this.request(t,r,n)}}catch(s){yield{type:"error",error:s instanceof A?s:new A(k.InternalError,String(s))}}return}let i;try{let s=await this.request(t,Nt,n);if(s.task)i=s.task.taskId,yield{type:"taskCreated",task:s.task};else throw new A(k.InternalError,"Task creation did not return a task");for(;;){let u=await this.getTask({taskId:i},n);if(yield{type:"taskStatus",task:u},nr(u.status)){u.status==="completed"?yield{type:"result",result:await this.getTaskResult({taskId:i},r,n)}:u.status==="failed"?yield{type:"error",error:new A(k.InternalError,`Task ${i} failed`)}:u.status==="cancelled"&&(yield{type:"error",error:new A(k.InternalError,`Task ${i} was cancelled`)});return}if(u.status==="input_required"){yield{type:"result",result:await this.getTaskResult({taskId:i},r,n)};return}let d=u.pollInterval??this._options?.defaultTaskPollInterval??1e3;await new Promise(l=>setTimeout(l,d)),n?.signal?.throwIfAborted()}}catch(s){yield{type:"error",error:s instanceof A?s:new A(k.InternalError,String(s))}}}request(t,r,n){let{relatedRequestId:a,resumptionToken:i,onresumptiontoken:s,task:u,relatedTask:d}=n??{};return new Promise((l,p)=>{let m=o(R=>{p(R)},"earlyReject");if(!this._transport){m(new Error("Not connected"));return}if(this._options?.enforceStrictCapabilities===!0)try{this.assertCapabilityForMethod(t.method),u&&this.assertTaskCapability(t.method)}catch(R){m(R);return}n?.signal?.throwIfAborted();let f=this._requestMessageId++,_={...t,jsonrpc:"2.0",id:f};n?.onprogress&&(this._progressHandlers.set(f,n.onprogress),_.params={...t.params,_meta:{...t.params?._meta||{},progressToken:f}}),u&&(_.params={..._.params,task:u}),d&&(_.params={..._.params,_meta:{..._.params?._meta||{},[er]:d}});let S=o(R=>{this._responseHandlers.delete(f),this._progressHandlers.delete(f),this._cleanupTimeout(f),this._transport?.send({jsonrpc:"2.0",method:"notifications/cancelled",params:{requestId:f,reason:String(R)}},{relatedRequestId:a,resumptionToken:i,onresumptiontoken:s}).catch(N=>this._onerror(new Error(`Failed to send cancellation: ${N}`)));let I=R instanceof A?R:new A(k.RequestTimeout,String(R));p(I)},"cancel");this._responseHandlers.set(f,R=>{if(!n?.signal?.aborted){if(R instanceof Error)return p(R);try{let I=Me(r,R.result);I.success?l(I.data):p(I.error)}catch(I){p(I)}}}),n?.signal?.addEventListener("abort",()=>{S(n?.signal?.reason)});let y=n?.timeout??vR,w=o(()=>S(A.fromError(k.RequestTimeout,"Request timed out",{timeout:y})),"timeoutHandler");this._setupTimeout(f,y,n?.maxTotalTimeout,w,n?.resetTimeoutOnProgress??!1);let v=d?.taskId;if(v){let R=o(I=>{let N=this._responseHandlers.get(f);N?N(I):this._onerror(new Error(`Response handler missing for side-channeled request ${f}`))},"responseResolver");this._requestResolvers.set(f,R),this._enqueueTaskMessage(v,{type:"request",message:_,timestamp:Date.now()}).catch(I=>{this._cleanupTimeout(f),p(I)})}else this._transport.send(_,{relatedRequestId:a,resumptionToken:i,onresumptiontoken:s}).catch(R=>{this._cleanupTimeout(f),p(R)})})}async getTask(t,r){return this.request({method:"tasks/get",params:t},Aa,r)}async getTaskResult(t,r,n){return this.request({method:"tasks/result",params:t},r,n)}async listTasks(t,r){return this.request({method:"tasks/list",params:t},Ea,r)}async cancelTask(t,r){return this.request({method:"tasks/cancel",params:t},Dp,r)}async notification(t,r){if(!this._transport)throw new Error("Not connected");this.assertNotificationCapability(t.method);let n=r?.relatedTask?.taskId;if(n){let u={...t,jsonrpc:"2.0",params:{...t.params,_meta:{...t.params?._meta||{},[er]:r.relatedTask}}};await this._enqueueTaskMessage(n,{type:"notification",message:u,timestamp:Date.now()});return}if((this._options?.debouncedNotificationMethods??[]).includes(t.method)&&!t.params&&!r?.relatedRequestId&&!r?.relatedTask){if(this._pendingDebouncedNotifications.has(t.method))return;this._pendingDebouncedNotifications.add(t.method),Promise.resolve().then(()=>{if(this._pendingDebouncedNotifications.delete(t.method),!this._transport)return;let u={...t,jsonrpc:"2.0"};r?.relatedTask&&(u={...u,params:{...u.params,_meta:{...u.params?._meta||{},[er]:r.relatedTask}}}),this._transport?.send(u,r).catch(d=>this._onerror(d))});return}let s={...t,jsonrpc:"2.0"};r?.relatedTask&&(s={...s,params:{...s.params,_meta:{...s.params?._meta||{},[er]:r.relatedTask}}}),await this._transport.send(s,r)}setRequestHandler(t,r){let n=gc(t);this.assertRequestHandlerCapability(n),this._requestHandlers.set(n,(a,i)=>{let s=_c(t,a);return Promise.resolve(r(s,i))})}removeRequestHandler(t){this._requestHandlers.delete(t)}assertCanSetRequestHandler(t){if(this._requestHandlers.has(t))throw new Error(`A request handler for ${t} already exists, which would be overridden`)}setNotificationHandler(t,r){let n=gc(t);this._notificationHandlers.set(n,a=>{let i=_c(t,a);return Promise.resolve(r(i))})}removeNotificationHandler(t){this._notificationHandlers.delete(t)}_cleanupTaskProgressHandler(t){let r=this._taskProgressTokens.get(t);r!==void 0&&(this._progressHandlers.delete(r),this._taskProgressTokens.delete(t))}async _enqueueTaskMessage(t,r,n){if(!this._taskStore||!this._taskMessageQueue)throw new Error("Cannot enqueue task message: taskStore and taskMessageQueue are not configured");let a=this._options?.maxTaskQueueSize;await this._taskMessageQueue.enqueue(t,r,n,a)}async _clearTaskQueue(t,r){if(this._taskMessageQueue){let n=await this._taskMessageQueue.dequeueAll(t,r);for(let a of n)if(a.type==="request"&&St(a.message)){let i=a.message.id,s=this._requestResolvers.get(i);s?(s(new A(k.InternalError,"Task cancelled or completed")),this._requestResolvers.delete(i)):this._onerror(new Error(`Resolver missing for request ${i} during task ${t} cleanup`))}}}async _waitForTaskUpdate(t,r){let n=this._options?.defaultTaskPollInterval??1e3;try{let a=await this._taskStore?.getTask(t);a?.pollInterval&&(n=a.pollInterval)}catch{}return new Promise((a,i)=>{if(r.aborted){i(new A(k.InvalidRequest,"Request cancelled"));return}let s=setTimeout(a,n);r.addEventListener("abort",()=>{clearTimeout(s),i(new A(k.InvalidRequest,"Request cancelled"))},{once:!0})})}requestTaskStore(t,r){let n=this._taskStore;if(!n)throw new Error("No task store configured");return{createTask:o(async a=>{if(!t)throw new Error("No request provided");return await n.createTask(a,t.id,{method:t.method,params:t.params},r)},"createTask"),getTask:o(async a=>{let i=await n.getTask(a,r);if(!i)throw new A(k.InvalidParams,"Failed to retrieve task: Task not found");return i},"getTask"),storeTaskResult:o(async(a,i,s)=>{await n.storeTaskResult(a,i,s,r);let u=await n.getTask(a,r);if(u){let d=Yn.parse({method:"notifications/tasks/status",params:u});await this.notification(d),nr(u.status)&&this._cleanupTaskProgressHandler(a)}},"storeTaskResult"),getTaskResult:o(a=>n.getTaskResult(a,r),"getTaskResult"),updateTaskStatus:o(async(a,i,s)=>{let u=await n.getTask(a,r);if(!u)throw new A(k.InvalidParams,`Task "${a}" not found - it may have been cleaned up`);if(nr(u.status))throw new A(k.InvalidParams,`Cannot update task "${a}" from terminal status "${u.status}" to "${i}". Terminal states (completed, failed, cancelled) cannot transition to other states.`);await n.updateTaskStatus(a,i,s,r);let d=await n.getTask(a,r);if(d){let l=Yn.parse({method:"notifications/tasks/status",params:d});await this.notification(l),nr(d.status)&&this._cleanupTaskProgressHandler(a)}},"updateTaskStatus"),listTasks:o(a=>n.listTasks(a,r),"listTasks")}}};function Gp(e){return e!==null&&typeof e=="object"&&!Array.isArray(e)}o(Gp,"isPlainObject");function Oa(e,t){let r={...e};for(let n in t){let a=n,i=t[a];if(i===void 0)continue;let s=r[a];Gp(s)&&Gp(i)?r[a]={...s,...i}:r[a]=i}return r}o(Oa,"mergeCapabilities");var Ef=fp(rd(),1),xf=fp(Pf(),1);function lk(){let e=new Ef.default({strict:!1,validateFormats:!0,validateSchema:!1,allErrors:!0});return(0,xf.default)(e),e}o(lk,"createDefaultAjvInstance");var Sn=class{static{o(this,"AjvJsonSchemaValidator")}constructor(t){this._ajv=t??lk()}getValidator(t){let r="$id"in t&&typeof t.$id=="string"?this._ajv.getSchema(t.$id)??this._ajv.compile(t):this._ajv.compile(t);return n=>r(n)?{valid:!0,data:n,errorMessage:void 0}:{valid:!1,data:void 0,errorMessage:this._ajv.errorsText(r.errors)}}};var fi=class{static{o(this,"ExperimentalServerTasks")}constructor(t){this._server=t}requestStream(t,r,n){return this._server.requestStream(t,r,n)}createMessageStream(t,r){let n=this._server.getClientCapabilities();if((t.tools||t.toolChoice)&&!n?.sampling?.tools)throw new Error("Client does not support sampling tools capability.");if(t.messages.length>0){let a=t.messages[t.messages.length-1],i=Array.isArray(a.content)?a.content:[a.content],s=i.some(p=>p.type==="tool_result"),u=t.messages.length>1?t.messages[t.messages.length-2]:void 0,d=u?Array.isArray(u.content)?u.content:[u.content]:[],l=d.some(p=>p.type==="tool_use");if(s){if(i.some(p=>p.type!=="tool_result"))throw new Error("The last message must contain only tool_result content if any is present");if(!l)throw new Error("tool_result blocks are not matching any tool_use from the previous message")}if(l){let p=new Set(d.filter(f=>f.type==="tool_use").map(f=>f.id)),m=new Set(i.filter(f=>f.type==="tool_result").map(f=>f.toolUseId));if(p.size!==m.size||![...p].every(f=>m.has(f)))throw new Error("ids of tool_result blocks and tool_use blocks from previous message do not match")}}return this.requestStream({method:"sampling/createMessage",params:t},vr,r)}elicitInputStream(t,r){let n=this._server.getClientCapabilities(),a=t.mode??"form";switch(a){case"url":{if(!n?.elicitation?.url)throw new Error("Client does not support url elicitation.");break}case"form":{if(!n?.elicitation?.form)throw new Error("Client does not support form elicitation.");break}}let i=a==="form"&&t.mode===void 0?{...t,mode:"form"}:t;return this.requestStream({method:"elicitation/create",params:i},rr,r)}async getTask(t,r){return this._server.getTask({taskId:t},r)}async getTaskResult(t,r,n){return this._server.getTaskResult({taskId:t},r,n)}async listTasks(t,r){return this._server.listTasks(t?{cursor:t}:void 0,r)}async cancelTask(t,r){return this._server.cancelTask({taskId:t},r)}};function gi(e,t,r){if(!e)throw new Error(`${r} does not support task creation (required for ${t})`);switch(t){case"tools/call":if(!e.tools?.call)throw new Error(`${r} does not support task creation for tools/call (required for ${t})`);break;default:break}}o(gi,"assertToolsCallTaskCapability");function _i(e,t,r){if(!e)throw new Error(`${r} does not support task creation (required for ${t})`);switch(t){case"sampling/createMessage":if(!e.sampling?.createMessage)throw new Error(`${r} does not support task creation for sampling/createMessage (required for ${t})`);break;case"elicitation/create":if(!e.elicitation?.create)throw new Error(`${r} does not support task creation for elicitation/create (required for ${t})`);break;default:break}}o(_i,"assertClientRequestTaskCapability");var yi=class extends tn{static{o(this,"Server")}constructor(t,r){super(r),this._serverInfo=t,this._loggingLevels=new Map,this.LOG_LEVEL_SEVERITY=new Map(eo.options.map((n,a)=>[n,a])),this.isMessageIgnored=(n,a)=>{let i=this._loggingLevels.get(a);return i?this.LOG_LEVEL_SEVERITY.get(n)<this.LOG_LEVEL_SEVERITY.get(i):!1},this._capabilities=r?.capabilities??{},this._instructions=r?.instructions,this._jsonSchemaValidator=r?.jsonSchemaValidator??new Sn,this.setRequestHandler(Ra,n=>this._oninitialize(n)),this.setNotificationHandler(ba,()=>this.oninitialized?.()),this._capabilities.logging&&this.setRequestHandler(lc,async(n,a)=>{let i=a.sessionId||a.requestInfo?.headers["mcp-session-id"]||void 0,{level:s}=n.params,u=eo.safeParse(s);return u.success&&this._loggingLevels.set(i,u.data),{}})}get experimental(){return this._experimental||(this._experimental={tasks:new fi(this)}),this._experimental}registerCapabilities(t){if(this.transport)throw new Error("Cannot register capabilities after connecting to transport");this._capabilities=Oa(this._capabilities,t)}setRequestHandler(t,r){let a=Jr(t)?.method;if(!a)throw new Error("Schema is missing a method literal");let i;if(Jt(a)){let u=a;i=u._zod?.def?.value??u.value}else{let u=a;i=u._def?.value??u.value}if(typeof i!="string")throw new Error("Schema method literal must be a string");if(i==="tools/call"){let u=o(async(d,l)=>{let p=Me(Qn,d);if(!p.success){let S=p.error instanceof Error?p.error.message:String(p.error);throw new A(k.InvalidParams,`Invalid tools/call request: ${S}`)}let{params:m}=p.data,f=await Promise.resolve(r(d,l));if(m.task){let S=Me(Nt,f);if(!S.success){let y=S.error instanceof Error?S.error.message:String(S.error);throw new A(k.InvalidParams,`Invalid task creation result: ${y}`)}return S.data}let _=Me(tr,f);if(!_.success){let S=_.error instanceof Error?_.error.message:String(_.error);throw new A(k.InvalidParams,`Invalid tools/call result: ${S}`)}return _.data},"wrappedHandler");return super.setRequestHandler(t,u)}return super.setRequestHandler(t,r)}assertCapabilityForMethod(t){switch(t){case"sampling/createMessage":if(!this._clientCapabilities?.sampling)throw new Error(`Client does not support sampling (required for ${t})`);break;case"elicitation/create":if(!this._clientCapabilities?.elicitation)throw new Error(`Client does not support elicitation (required for ${t})`);break;case"roots/list":if(!this._clientCapabilities?.roots)throw new Error(`Client does not support listing roots (required for ${t})`);break;case"ping":break}}assertNotificationCapability(t){switch(t){case"notifications/message":if(!this._capabilities.logging)throw new Error(`Server does not support logging (required for ${t})`);break;case"notifications/resources/updated":case"notifications/resources/list_changed":if(!this._capabilities.resources)throw new Error(`Server does not support notifying about resources (required for ${t})`);break;case"notifications/tools/list_changed":if(!this._capabilities.tools)throw new Error(`Server does not support notifying of tool list changes (required for ${t})`);break;case"notifications/prompts/list_changed":if(!this._capabilities.prompts)throw new Error(`Server does not support notifying of prompt list changes (required for ${t})`);break;case"notifications/elicitation/complete":if(!this._clientCapabilities?.elicitation?.url)throw new Error(`Client does not support URL elicitation (required for ${t})`);break;case"notifications/cancelled":break;case"notifications/progress":break}}assertRequestHandlerCapability(t){if(this._capabilities)switch(t){case"completion/complete":if(!this._capabilities.completions)throw new Error(`Server does not support completions (required for ${t})`);break;case"logging/setLevel":if(!this._capabilities.logging)throw new Error(`Server does not support logging (required for ${t})`);break;case"prompts/get":case"prompts/list":if(!this._capabilities.prompts)throw new Error(`Server does not support prompts (required for ${t})`);break;case"resources/list":case"resources/templates/list":case"resources/read":if(!this._capabilities.resources)throw new Error(`Server does not support resources (required for ${t})`);break;case"tools/call":case"tools/list":if(!this._capabilities.tools)throw new Error(`Server does not support tools (required for ${t})`);break;case"tasks/get":case"tasks/list":case"tasks/result":case"tasks/cancel":if(!this._capabilities.tasks)throw new Error(`Server does not support tasks capability (required for ${t})`);break;case"ping":case"initialize":break}}assertTaskCapability(t){_i(this._clientCapabilities?.tasks?.requests,t,"Client")}assertTaskHandlerCapability(t){this._capabilities&&gi(this._capabilities.tasks?.requests,t,"Server")}async _oninitialize(t){let r=t.params.protocolVersion;return this._clientCapabilities=t.params.capabilities,this._clientVersion=t.params.clientInfo,{protocolVersion:Qt.includes(r)?r:Xt,capabilities:this.getCapabilities(),serverInfo:this._serverInfo,...this._instructions&&{instructions:this._instructions}}}getClientCapabilities(){return this._clientCapabilities}getClientVersion(){return this._clientVersion}getCapabilities(){return this._capabilities}async ping(){return this.request({method:"ping"},zt)}async createMessage(t,r){if((t.tools||t.toolChoice)&&!this._clientCapabilities?.sampling?.tools)throw new Error("Client does not support sampling tools capability.");if(t.messages.length>0){let n=t.messages[t.messages.length-1],a=Array.isArray(n.content)?n.content:[n.content],i=a.some(l=>l.type==="tool_result"),s=t.messages.length>1?t.messages[t.messages.length-2]:void 0,u=s?Array.isArray(s.content)?s.content:[s.content]:[],d=u.some(l=>l.type==="tool_use");if(i){if(a.some(l=>l.type!=="tool_result"))throw new Error("The last message must contain only tool_result content if any is present");if(!d)throw new Error("tool_result blocks are not matching any tool_use from the previous message")}if(d){let l=new Set(u.filter(m=>m.type==="tool_use").map(m=>m.id)),p=new Set(a.filter(m=>m.type==="tool_result").map(m=>m.toolUseId));if(l.size!==p.size||![...l].every(m=>p.has(m)))throw new Error("ids of tool_result blocks and tool_use blocks from previous message do not match")}}return t.tools?this.request({method:"sampling/createMessage",params:t},to,r):this.request({method:"sampling/createMessage",params:t},vr,r)}async elicitInput(t,r){switch(t.mode??"form"){case"url":{if(!this._clientCapabilities?.elicitation?.url)throw new Error("Client does not support url elicitation.");let a=t;return this.request({method:"elicitation/create",params:a},rr,r)}case"form":{if(!this._clientCapabilities?.elicitation?.form)throw new Error("Client does not support form elicitation.");let a=t.mode==="form"?t:{...t,mode:"form"},i=await this.request({method:"elicitation/create",params:a},rr,r);if(i.action==="accept"&&i.content&&a.requestedSchema)try{let u=this._jsonSchemaValidator.getValidator(a.requestedSchema)(i.content);if(!u.valid)throw new A(k.InvalidParams,`Elicitation response content does not match requested schema: ${u.errorMessage}`)}catch(s){throw s instanceof A?s:new A(k.InternalError,`Error validating elicitation response: ${s instanceof Error?s.message:String(s)}`)}return i}}}createElicitationCompletionNotifier(t,r){if(!this._clientCapabilities?.elicitation?.url)throw new Error("Client does not support URL elicitation (required for notifications/elicitation/complete)");return()=>this.notification({method:"notifications/elicitation/complete",params:{elicitationId:t}},r)}async listRoots(t,r){return this.request({method:"roots/list",params:t},fc,r)}async sendLoggingMessage(t,r){if(this._capabilities.logging&&!this.isMessageIgnored(t.level,r))return this.notification({method:"notifications/message",params:t})}async sendResourceUpdated(t){return this.notification({method:"notifications/resources/updated",params:t})}async sendResourceListChanged(){return this.notification({method:"notifications/resources/list_changed"})}async sendToolListChanged(){return this.notification({method:"notifications/tools/list_changed"})}async sendPromptListChanged(){return this.notification({method:"notifications/prompts/list_changed"})}};var Si=class{static{o(this,"WebStandardStreamableHTTPServerTransport")}constructor(t={}){this._started=!1,this._hasHandledRequest=!1,this._streamMapping=new Map,this._requestToStreamMapping=new Map,this._requestResponseMap=new Map,this._initialized=!1,this._enableJsonResponse=!1,this._standaloneSseStreamId="_GET_stream",this.sessionIdGenerator=t.sessionIdGenerator,this._enableJsonResponse=t.enableJsonResponse??!1,this._eventStore=t.eventStore,this._onsessioninitialized=t.onsessioninitialized,this._onsessionclosed=t.onsessionclosed,this._allowedHosts=t.allowedHosts,this._allowedOrigins=t.allowedOrigins,this._enableDnsRebindingProtection=t.enableDnsRebindingProtection??!1,this._retryInterval=t.retryInterval}async start(){if(this._started)throw new Error("Transport already started");this._started=!0}createJsonErrorResponse(t,r,n,a){let i={code:r,message:n};return a?.data!==void 0&&(i.data=a.data),new Response(JSON.stringify({jsonrpc:"2.0",error:i,id:null}),{status:t,headers:{"Content-Type":"application/json",...a?.headers}})}validateRequestHeaders(t){if(this._enableDnsRebindingProtection){if(this._allowedHosts&&this._allowedHosts.length>0){let r=t.headers.get("host");if(!r||!this._allowedHosts.includes(r)){let n=`Invalid Host header: ${r}`;return this.onerror?.(new Error(n)),this.createJsonErrorResponse(403,-32e3,n)}}if(this._allowedOrigins&&this._allowedOrigins.length>0){let r=t.headers.get("origin");if(r&&!this._allowedOrigins.includes(r)){let n=`Invalid Origin header: ${r}`;return this.onerror?.(new Error(n)),this.createJsonErrorResponse(403,-32e3,n)}}}}async handleRequest(t,r){if(!this.sessionIdGenerator&&this._hasHandledRequest)throw new Error("Stateless transport cannot be reused across requests. Create a new transport per request.");this._hasHandledRequest=!0;let n=this.validateRequestHeaders(t);if(n)return n;switch(t.method){case"POST":return this.handlePostRequest(t,r);case"GET":return this.handleGetRequest(t);case"DELETE":return this.handleDeleteRequest(t);default:return this.handleUnsupportedRequest()}}async writePrimingEvent(t,r,n,a){if(!this._eventStore||a<"2025-11-25")return;let i=await this._eventStore.storeEvent(n,{}),s=`id: ${i}
33
33
  data:
34
34
 
35
- `;this._retryInterval!==void 0&&(i=`id: ${s}
35
+ `;this._retryInterval!==void 0&&(s=`id: ${i}
36
36
  retry: ${this._retryInterval}
37
37
  data:
38
38
 
39
- `),t.enqueue(r.encode(i))}async handleGetRequest(t){if(!t.headers.get("accept")?.includes("text/event-stream"))return this.onerror?.(new Error("Not Acceptable: Client must accept text/event-stream")),this.createJsonErrorResponse(406,-32e3,"Not Acceptable: Client must accept text/event-stream");let n=this.validateSession(t);if(n)return n;let a=this.validateProtocolVersion(t);if(a)return a;if(this._eventStore){let p=t.headers.get("last-event-id");if(p)return this.replayEvents(p)}if(this._streamMapping.get(this._standaloneSseStreamId)!==void 0)return this.onerror?.(new Error("Conflict: Only one SSE stream is allowed per session")),this.createJsonErrorResponse(409,-32e3,"Conflict: Only one SSE stream is allowed per session");let s=new TextEncoder,i,c=new ReadableStream({start:o(p=>{i=p},"start"),cancel:o(()=>{this._streamMapping.delete(this._standaloneSseStreamId)},"cancel")}),d={"Content-Type":"text/event-stream","Cache-Control":"no-cache, no-transform",Connection:"keep-alive"};return this.sessionId!==void 0&&(d["mcp-session-id"]=this.sessionId),this._streamMapping.set(this._standaloneSseStreamId,{controller:i,encoder:s,cleanup:o(()=>{this._streamMapping.delete(this._standaloneSseStreamId);try{i.close()}catch{}},"cleanup")}),new Response(c,{headers:d})}async replayEvents(t){if(!this._eventStore)return this.onerror?.(new Error("Event store not configured")),this.createJsonErrorResponse(400,-32e3,"Event store not configured");try{let r;if(this._eventStore.getStreamIdForEventId){if(r=await this._eventStore.getStreamIdForEventId(t),!r)return this.onerror?.(new Error("Invalid event ID format")),this.createJsonErrorResponse(400,-32e3,"Invalid event ID format");if(this._streamMapping.get(r)!==void 0)return this.onerror?.(new Error("Conflict: Stream already has an active connection")),this.createJsonErrorResponse(409,-32e3,"Conflict: Stream already has an active connection")}let n={"Content-Type":"text/event-stream","Cache-Control":"no-cache, no-transform",Connection:"keep-alive"};this.sessionId!==void 0&&(n["mcp-session-id"]=this.sessionId);let a=new TextEncoder,s,i=new ReadableStream({start:o(d=>{s=d},"start"),cancel:o(()=>{},"cancel")}),c=await this._eventStore.replayEventsAfter(t,{send:o(async(d,p)=>{if(!this.writeSSEEvent(s,a,p,d)){this.onerror?.(new Error("Failed replay events"));try{s.close()}catch{}}},"send")});return this._streamMapping.set(c,{controller:s,encoder:a,cleanup:o(()=>{this._streamMapping.delete(c);try{s.close()}catch{}},"cleanup")}),new Response(i,{headers:n})}catch(r){return this.onerror?.(r),this.createJsonErrorResponse(500,-32e3,"Error replaying events")}}writeSSEEvent(t,r,n,a){try{let s=`event: message
40
- `;return a&&(s+=`id: ${a}
41
- `),s+=`data: ${JSON.stringify(n)}
39
+ `),t.enqueue(r.encode(s))}async handleGetRequest(t){if(!t.headers.get("accept")?.includes("text/event-stream"))return this.onerror?.(new Error("Not Acceptable: Client must accept text/event-stream")),this.createJsonErrorResponse(406,-32e3,"Not Acceptable: Client must accept text/event-stream");let n=this.validateSession(t);if(n)return n;let a=this.validateProtocolVersion(t);if(a)return a;if(this._eventStore){let l=t.headers.get("last-event-id");if(l)return this.replayEvents(l)}if(this._streamMapping.get(this._standaloneSseStreamId)!==void 0)return this.onerror?.(new Error("Conflict: Only one SSE stream is allowed per session")),this.createJsonErrorResponse(409,-32e3,"Conflict: Only one SSE stream is allowed per session");let i=new TextEncoder,s,u=new ReadableStream({start:o(l=>{s=l},"start"),cancel:o(()=>{this._streamMapping.delete(this._standaloneSseStreamId)},"cancel")}),d={"Content-Type":"text/event-stream","Cache-Control":"no-cache, no-transform",Connection:"keep-alive"};return this.sessionId!==void 0&&(d["mcp-session-id"]=this.sessionId),this._streamMapping.set(this._standaloneSseStreamId,{controller:s,encoder:i,cleanup:o(()=>{this._streamMapping.delete(this._standaloneSseStreamId);try{s.close()}catch{}},"cleanup")}),new Response(u,{headers:d})}async replayEvents(t){if(!this._eventStore)return this.onerror?.(new Error("Event store not configured")),this.createJsonErrorResponse(400,-32e3,"Event store not configured");try{let r;if(this._eventStore.getStreamIdForEventId){if(r=await this._eventStore.getStreamIdForEventId(t),!r)return this.onerror?.(new Error("Invalid event ID format")),this.createJsonErrorResponse(400,-32e3,"Invalid event ID format");if(this._streamMapping.get(r)!==void 0)return this.onerror?.(new Error("Conflict: Stream already has an active connection")),this.createJsonErrorResponse(409,-32e3,"Conflict: Stream already has an active connection")}let n={"Content-Type":"text/event-stream","Cache-Control":"no-cache, no-transform",Connection:"keep-alive"};this.sessionId!==void 0&&(n["mcp-session-id"]=this.sessionId);let a=new TextEncoder,i,s=new ReadableStream({start:o(d=>{i=d},"start"),cancel:o(()=>{},"cancel")}),u=await this._eventStore.replayEventsAfter(t,{send:o(async(d,l)=>{if(!this.writeSSEEvent(i,a,l,d)){this.onerror?.(new Error("Failed replay events"));try{i.close()}catch{}}},"send")});return this._streamMapping.set(u,{controller:i,encoder:a,cleanup:o(()=>{this._streamMapping.delete(u);try{i.close()}catch{}},"cleanup")}),new Response(s,{headers:n})}catch(r){return this.onerror?.(r),this.createJsonErrorResponse(500,-32e3,"Error replaying events")}}writeSSEEvent(t,r,n,a){try{let i=`event: message
40
+ `;return a&&(i+=`id: ${a}
41
+ `),i+=`data: ${JSON.stringify(n)}
42
42
 
43
- `,t.enqueue(r.encode(s)),!0}catch(s){return this.onerror?.(s),!1}}handleUnsupportedRequest(){return this.onerror?.(new Error("Method not allowed.")),new Response(JSON.stringify({jsonrpc:"2.0",error:{code:-32e3,message:"Method not allowed."},id:null}),{status:405,headers:{Allow:"GET, POST, DELETE","Content-Type":"application/json"}})}async handlePostRequest(t,r){try{let n=t.headers.get("accept");if(!n?.includes("application/json")||!n.includes("text/event-stream"))return this.onerror?.(new Error("Not Acceptable: Client must accept both application/json and text/event-stream")),this.createJsonErrorResponse(406,-32e3,"Not Acceptable: Client must accept both application/json and text/event-stream");let a=t.headers.get("content-type");if(!a||!a.includes("application/json"))return this.onerror?.(new Error("Unsupported Media Type: Content-Type must be application/json")),this.createJsonErrorResponse(415,-32e3,"Unsupported Media Type: Content-Type must be application/json");let s={headers:Object.fromEntries(t.headers.entries()),url:new URL(t.url)},i;if(r?.parsedBody!==void 0)i=r.parsedBody;else try{i=await t.json()}catch{return this.onerror?.(new Error("Parse error: Invalid JSON")),this.createJsonErrorResponse(400,-32700,"Parse error: Invalid JSON")}let c;try{Array.isArray(i)?c=i.map(v=>hr.parse(v)):c=[hr.parse(i)]}catch{return this.onerror?.(new Error("Parse error: Invalid JSON-RPC message")),this.createJsonErrorResponse(400,-32700,"Parse error: Invalid JSON-RPC message")}let d=c.some(Ai);if(d){if(this._initialized&&this.sessionId!==void 0)return this.onerror?.(new Error("Invalid Request: Server already initialized")),this.createJsonErrorResponse(400,-32600,"Invalid Request: Server already initialized");if(c.length>1)return this.onerror?.(new Error("Invalid Request: Only one initialization request is allowed")),this.createJsonErrorResponse(400,-32600,"Invalid Request: Only one initialization request is allowed");this.sessionId=this.sessionIdGenerator?.(),this._initialized=!0,this.sessionId&&this._onsessioninitialized&&await Promise.resolve(this._onsessioninitialized(this.sessionId))}if(!d){let v=this.validateSession(t);if(v)return v;let b=this.validateProtocolVersion(t);if(b)return b}if(!c.some(mt)){for(let v of c)this.onmessage?.(v,{authInfo:r?.authInfo,requestInfo:s});return new Response(null,{status:202})}let l=crypto.randomUUID(),m=c.find(v=>Ai(v)),h=m?m.params.protocolVersion:t.headers.get("mcp-protocol-version")??Yl;if(this._enableJsonResponse)return new Promise(v=>{this._streamMapping.set(l,{resolveJson:v,cleanup:o(()=>{this._streamMapping.delete(l)},"cleanup")});for(let b of c)mt(b)&&this._requestToStreamMapping.set(b.id,l);for(let b of c)this.onmessage?.(b,{authInfo:r?.authInfo,requestInfo:s})});let _=new TextEncoder,w,y=new ReadableStream({start:o(v=>{w=v},"start"),cancel:o(()=>{this._streamMapping.delete(l)},"cancel")}),S={"Content-Type":"text/event-stream","Cache-Control":"no-cache",Connection:"keep-alive"};this.sessionId!==void 0&&(S["mcp-session-id"]=this.sessionId);for(let v of c)mt(v)&&(this._streamMapping.set(l,{controller:w,encoder:_,cleanup:o(()=>{this._streamMapping.delete(l);try{w.close()}catch{}},"cleanup")}),this._requestToStreamMapping.set(v.id,l));await this.writePrimingEvent(w,_,l,h);for(let v of c){let b,T;mt(v)&&this._eventStore&&h>="2025-11-25"&&(b=o(()=>{this.closeSSEStream(v.id)},"closeSSEStream"),T=o(()=>{this.closeStandaloneSSEStream()},"closeStandaloneSSEStream")),this.onmessage?.(v,{authInfo:r?.authInfo,requestInfo:s,closeSSEStream:b,closeStandaloneSSEStream:T})}return new Response(y,{status:200,headers:S})}catch(n){return this.onerror?.(n),this.createJsonErrorResponse(400,-32700,"Parse error",{data:String(n)})}}async handleDeleteRequest(t){let r=this.validateSession(t);if(r)return r;let n=this.validateProtocolVersion(t);return n||(await Promise.resolve(this._onsessionclosed?.(this.sessionId)),await this.close(),new Response(null,{status:200}))}validateSession(t){if(this.sessionIdGenerator===void 0)return;if(!this._initialized)return this.onerror?.(new Error("Bad Request: Server not initialized")),this.createJsonErrorResponse(400,-32e3,"Bad Request: Server not initialized");let r=t.headers.get("mcp-session-id");if(!r)return this.onerror?.(new Error("Bad Request: Mcp-Session-Id header is required")),this.createJsonErrorResponse(400,-32e3,"Bad Request: Mcp-Session-Id header is required");if(r!==this.sessionId)return this.onerror?.(new Error("Session not found")),this.createJsonErrorResponse(404,-32001,"Session not found")}validateProtocolVersion(t){let r=t.headers.get("mcp-protocol-version");if(r!==null&&!Ft.includes(r))return this.onerror?.(new Error(`Bad Request: Unsupported protocol version: ${r} (supported versions: ${Ft.join(", ")})`)),this.createJsonErrorResponse(400,-32e3,`Bad Request: Unsupported protocol version: ${r} (supported versions: ${Ft.join(", ")})`)}async close(){this._streamMapping.forEach(({cleanup:t})=>{t()}),this._streamMapping.clear(),this._requestResponseMap.clear(),this.onclose?.()}closeSSEStream(t){let r=this._requestToStreamMapping.get(t);if(!r)return;let n=this._streamMapping.get(r);n&&n.cleanup()}closeStandaloneSSEStream(){let t=this._streamMapping.get(this._standaloneSseStreamId);t&&t.cleanup()}async send(t,r){let n=r?.relatedRequestId;if((nt(t)||Gr(t))&&(n=t.id),n===void 0){if(nt(t)||Gr(t))throw new Error("Cannot send a response on a standalone SSE stream unless resuming a previous client request");let i;this._eventStore&&(i=await this._eventStore.storeEvent(this._standaloneSseStreamId,t));let c=this._streamMapping.get(this._standaloneSseStreamId);if(c===void 0)return;c.controller&&c.encoder&&this.writeSSEEvent(c.controller,c.encoder,t,i);return}let a=this._requestToStreamMapping.get(n);if(!a)throw new Error(`No connection established for request ID: ${String(n)}`);let s=this._streamMapping.get(a);if(!this._enableJsonResponse&&s?.controller&&s?.encoder){let i;this._eventStore&&(i=await this._eventStore.storeEvent(a,t)),this.writeSSEEvent(s.controller,s.encoder,t,i)}if(nt(t)||Gr(t)){this._requestResponseMap.set(n,t);let i=Array.from(this._requestToStreamMapping.entries()).filter(([d,p])=>p===a).map(([d])=>d);if(i.every(d=>this._requestResponseMap.has(d))){if(!s)throw new Error(`No connection established for request ID: ${String(n)}`);if(this._enableJsonResponse&&s.resolveJson){let d={"Content-Type":"application/json"};this.sessionId!==void 0&&(d["mcp-session-id"]=this.sessionId);let p=i.map(l=>this._requestResponseMap.get(l));p.length===1?s.resolveJson(new Response(JSON.stringify(p[0]),{status:200,headers:d})):s.resolveJson(new Response(JSON.stringify(p),{status:200,headers:d}))}else s.cleanup();for(let d of i)this._requestResponseMap.delete(d),this._requestToStreamMapping.delete(d)}}}};function Wu(e){return e.length>512?`${e.slice(0,512)}\u2026`:e}o(Wu,"truncate");function th(e){return"cause"in e?e.cause:void 0}o(th,"readCause");function Re(e,t,r){if(!(r instanceof Error)){r!=null&&(e[`${t}Message`]=Wu(String(r)));return}e[`${t}Name`]=r.name,e[`${t}Message`]=Wu(r.message);let n=th(r);for(let a=1;a<=4&&n instanceof Error;a+=1){let s=a===1?"cause":`cause${a}`;e[`${s}Name`]=n.name,e[`${s}Message`]=Wu(n.message),n=th(n)}}o(Re,"addErrorLogFields");function et(e){if(e!==void 0)try{return typeof e=="string"?new URL(e).host:e.host}catch{return}}o(et,"safeHost");function rh(e,t){let r=Object.entries(t).filter(n=>n[1]!==void 0);r.length!==0&&e.log.setLogProperties?.(Object.fromEntries(r))}o(rh,"setLogProperties");function Ju(e,t){rh(e,{tenantId:t.tenantId,subjectId:t.subjectId})}o(Ju,"applyGatewayPrincipalLogProperties");function nh(e,t){rh(e,{upstreamServerId:t.upstreamServerId,virtualServerId:t.virtualServerId})}o(nh,"applyGatewayRouteLogProperties");var ln={runtime:{invalid_request:{code:"invalid_request",seam:"runtime",status:400,title:"Bad Request",publicDetail:"The request did not match the route contract.",oauthError:"invalid_request"},forbidden:{code:"forbidden",seam:"runtime",status:403,title:"Forbidden",publicDetail:"The request is not allowed.",oauthError:"invalid_request"},not_found:{code:"not_found",seam:"runtime",status:404,title:"Not Found",publicDetail:"The requested resource was not found.",oauthError:"invalid_request"},internal_server_error:{code:"internal_server_error",seam:"runtime",status:500,title:"Internal Server Error",publicDetail:"The gateway failed to process the request.",oauthError:"server_error"}},config:{virtual_server_not_enabled:{code:"virtual_server_not_enabled",seam:"config",status:404,title:"Not Found",publicDetail:"The requested virtual server is not enabled."},unknown_upstream_server:{code:"unknown_upstream_server",seam:"config",status:400,title:"Bad Request",publicDetail:"The requested upstream server is not configured.",oauthError:"invalid_request"},unknown_virtual_server:{code:"unknown_virtual_server",seam:"config",status:400,title:"Bad Request",publicDetail:"The requested virtual server is not configured.",oauthError:"invalid_target"},unknown_auth_profile:{code:"unknown_auth_profile",seam:"config",status:400,title:"Bad Request",publicDetail:"The requested upstream auth profile is not configured.",oauthError:"invalid_request"},virtual_server_upstream_mismatch:{code:"virtual_server_upstream_mismatch",seam:"config",status:400,title:"Bad Request",publicDetail:"The requested virtual server does not belong to the selected upstream server.",oauthError:"invalid_request"}},downstream_auth:{authentication_required:{code:"authentication_required",seam:"downstream_auth",status:401,title:"Unauthorized",publicDetail:"Authentication is required to access this route.",oauthError:"invalid_client"},identity_context_missing:{code:"identity_context_missing",seam:"downstream_auth",status:403,title:"Forbidden",publicDetail:"Authenticated requests must include a gateway principal subject.",oauthError:"invalid_request"}},downstream_oauth:{browser_login_verification_failed:{code:"browser_login_verification_failed",seam:"downstream_oauth",status:400,title:"Connection failed",publicDetail:"The gateway could not verify the browser login response. Retry the login flow.",callbackFailure:!0,oauthError:"invalid_request"}},upstream_auth:{provider_access_denied:{code:"provider_access_denied",seam:"upstream_auth",status:400,title:"Connection failed",publicDetail:"The upstream authorization request was denied. Start the connection flow again.",callbackFailure:!0,oauthError:"invalid_request"},oauth_state_invalid:{code:"oauth_state_invalid",seam:"upstream_auth",status:400,title:"Connection failed",publicDetail:"The upstream connection request could not be verified. Start the connection flow again.",callbackFailure:!0,oauthError:"invalid_request"},oauth_state_expired:{code:"oauth_state_expired",seam:"upstream_auth",status:400,title:"Connection failed",publicDetail:"The upstream connection request expired. Start the connection flow again.",callbackFailure:!0,oauthError:"invalid_request"},oauth_state_reused:{code:"oauth_state_reused",seam:"upstream_auth",status:400,title:"Connection failed",publicDetail:"This upstream connection request was already used. Start the connection flow again.",callbackFailure:!0,oauthError:"invalid_request"},oauth_callback_mismatch:{code:"oauth_callback_mismatch",seam:"upstream_auth",status:400,title:"Connection failed",publicDetail:"The upstream callback did not match the initiating connection request.",callbackFailure:!0,oauthError:"invalid_request"},upstream_token_exchange_failed:{code:"upstream_token_exchange_failed",seam:"upstream_auth",status:400,title:"Connection failed",publicDetail:"The gateway could not complete the upstream token exchange. Retry the connection flow.",callbackFailure:!0,oauthError:"invalid_request"},upstream_client_registration_required:{code:"upstream_client_registration_required",seam:"upstream_auth",status:400,title:"Upstream OAuth client registration required",publicDetail:"The upstream authorization server supports neither gateway-hosted Client ID Metadata Documents nor Dynamic Client Registration. Register an upstream OAuth client manually before retrying.",oauthError:"invalid_request"},upstream_token_response_invalid:{code:"upstream_token_response_invalid",seam:"upstream_auth",status:400,title:"Connection failed",publicDetail:"The upstream token response was invalid. Retry the connection flow.",callbackFailure:!0,oauthError:"invalid_request"}},upstream_mcp:{upstream_capability_invocation_failed:{code:"upstream_capability_invocation_failed",seam:"upstream_mcp",status:502,title:"Bad Gateway",publicDetail:"The upstream capability invocation failed. Retry later or reconnect the upstream if the issue persists."},upstream_import_failed:{code:"upstream_import_failed",seam:"upstream_mcp",status:502,title:"Bad Gateway",publicDetail:"The upstream capability import failed. Retry later or reconnect the upstream if the issue persists."}}},oh={...ln.runtime,...ln.config,...ln.downstream_auth,...ln.downstream_oauth,...ln.upstream_auth,...ln.upstream_mcp};function Yu(e){return typeof e=="string"&&Object.hasOwn(oh,e)}o(Yu,"isGatewayProblemCode");function as(e){return Yu(e)&&Le(e).callbackFailure===!0}o(as,"isGatewayCallbackFailureCode");function Le(e){return oh[e]}o(Le,"readGatewayProblemDefinition");var ah="gatewayCode";function sh(e){let t=Le(e);return{title:t.title,body:t.publicDetail}}o(sh,"readGatewayCallbackFailureContent");function ae(e){if(!(e instanceof ra))return;let t=e.extensionMembers?.[ah];return Yu(t)?t:void 0}o(ae,"readGatewayProblemCode");function g(e,t,r){let n=typeof e=="string"?{code:e,...t===void 0?{}:{publicDetail:t,privateDetail:t},...r===void 0?{}:{cause:r}}:e,a=Le(n.code),s=n.privateDetail??(ss(n.code)?n.publicDetail??a.publicDetail:a.publicDetail),i=FC(n);return new ra({message:s,extensionMembers:{[ah]:n.code}},i===void 0?void 0:{cause:i})}o(g,"createGatewayRuntimeError");async function je(e,t,r){let n=Le(r.code),a=ZC(r.code,r.detail),s=ss(r.code)?r.title??n.title:n.title,c={problem:{...Nn.getProblemFromStatus(n.status,{detail:a,instance:r.instance,type:r.type}),...r.extensions??{},status:n.status,title:s,detail:a,code:r.code}};return r.headers!==void 0&&(c.additionalHeaders=r.headers),Nn.format(c,e,t)}o(je,"gatewayProblemResponse");function ss(e){return Le(e).status<500}o(ss,"canExposeGatewayProblemDetail");function FC(e){return!e.privateDetail||ss(e.code)?e.cause:e.cause===void 0?new Error(e.privateDetail):new Error(e.privateDetail,{cause:e.cause})}o(FC,"readRuntimeErrorCause");function ZC(e,t){let r=Le(e);return ss(e)&&t||r.publicDetail}o(ZC,"readSafeGatewayProblemDetail");W();var KC=["tenant_shared_oauth","user_oauth","static_secret","user_static_secret","tenant_static_secret"],WC=["none","client_secret_basic","client_secret_post"],ut=u.string().min(1).brand(),ge=u.string().min(1).brand(),dt=u.string().min(1).brand(),St=u.string().min(1).brand(),is=u.enum(KC),Xu=u.enum(WC),cs=u.string().trim().min(1).regex(/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/,"must be a valid HTTP header name"),Qu=u.object({name:cs,value:u.string().min(1).optional(),required:u.boolean().default(!0)}).strict();var ed=new Map;function us(e){ed.set(e.policyType,e)}o(us,"registerMcpAuthorizationPolicy");function td(e){if(e!==void 0)return ed.get(e)}o(td,"getMcpAuthorizationPolicy");function ds(e){return td(e)!==void 0}o(ds,"isRegisteredMcpAuthorizationPolicyType");function rd(){return[...ed.keys()]}o(rd,"listMcpAuthorizationPolicyTypes");W();var uh=ut,JC=u.object({mode:u.literal("auto")}).strict(),YC=u.object({mode:u.literal("manual"),clientId:u.string().trim().min(1),clientSecret:u.string().min(1).optional(),tokenEndpointAuthMethod:Xu.default("client_secret_basic")}).strict().superRefine((e,t)=>{e.tokenEndpointAuthMethod!=="none"&&!e.clientSecret&&t.addIssue({code:u.ZodIssueCode.custom,message:`${e.tokenEndpointAuthMethod} requires clientSecret`,path:["clientSecret"]})}),dh=u.discriminatedUnion("mode",[JC,YC]),XC=dh.default({mode:"auto"}),nd=u.object({scopes:u.array(u.string().min(1)).default([]),scopeDelimiter:u.string().min(1).default(" "),clientRegistration:XC}).strict(),ih=nd.extend({redirectPath:u.string().startsWith("/auth/connections/")}).strict(),lh=new Set(["connection","content-length","cookie","host","proxy-authenticate","proxy-authorization","sec-websocket-key","set-cookie","te","trailer","transfer-encoding","upgrade"]),QC=new Set([...lh,"accept","authorization","content-type","mcp-protocol-version","mcp-session-id","proxy-connection"]),eE=u.object({kind:u.literal("bearer_token"),token:u.string().min(1)}).strict(),tE=u.object({kind:u.literal("headers"),headers:u.array(u.object({name:cs,value:u.string().min(1)}).strict()).min(1)}).strict().superRefine((e,t)=>{let r=new Set;for(let[n,a]of e.headers.entries()){let s=a.name.toLowerCase();lh.has(s)&&t.addIssue({code:u.ZodIssueCode.custom,message:`Header ${a.name} is not allowed for static secret injection`,path:["headers",n,"name"]}),r.has(s)&&t.addIssue({code:u.ZodIssueCode.custom,message:`Duplicate static secret header ${a.name}`,path:["headers",n,"name"]}),r.add(s)}}),od=u.discriminatedUnion("kind",[eE,tE]),rE=u.object({kind:u.literal("basic_auth_app_password"),usernameLabel:u.string().min(1).default("Username"),passwordLabel:u.string().min(1).default("App password")}).strict(),nE=u.object({kind:u.literal("bearer_token"),label:u.string().min(1).default("API key"),capture:u.enum(["browser_login"]).optional()}).strict(),ad=u.discriminatedUnion("kind",[rE,nE]),sd=u.object({kind:u.literal("bearer_token"),label:u.string().min(1).default("API key")}).strict(),oE=u.discriminatedUnion("mode",[u.object({mode:u.literal("tenant_shared_oauth"),oauth:ih}).strict(),u.object({mode:u.literal("user_oauth"),oauth:ih}).strict(),u.object({mode:u.literal("static_secret"),secret:od}).strict(),u.object({mode:u.literal("user_static_secret"),secret:ad}).strict(),u.object({mode:u.literal("tenant_static_secret"),secret:sd}).strict()]),aE=u.object({baseUrl:u.url(),resourceMetadataUrl:u.url(),requestHeaders:u.array(Qu).default([])}).strict().superRefine((e,t)=>{let r=new Set;for(let[n,a]of e.requestHeaders.entries()){let s=a.name.toLowerCase();QC.has(s)&&t.addIssue({code:u.ZodIssueCode.custom,message:`Header ${a.name} is not allowed for native MCP transport request headers`,path:["requestHeaders",n,"name"]}),r.has(s)&&t.addIssue({code:u.ZodIssueCode.custom,message:`Duplicate native MCP transport request header ${a.name}`,path:["requestHeaders",n,"name"]}),r.add(s)}}),Wj=u.object({displayName:u.string().min(1),description:u.string().min(1).optional(),serverInfo:Br.optional(),authProfiles:u.record(dt,oE),transport:aE}).strict().superRefine((e,t)=>{Object.keys(e.authProfiles).length===0&&t.addIssue({code:u.ZodIssueCode.custom,message:"authProfiles must contain at least one profile",path:["authProfiles"]})}),sE=u.object({tenant_shared_oauth:nd.optional(),user_oauth:nd.optional(),static_secret:u.object({secret:od}).strict().optional(),user_static_secret:u.object({secret:ad}).strict().optional(),tenant_static_secret:u.object({secret:sd}).strict().optional()}).strict().superRefine((e,t)=>{Object.values(e).every(r=>r===void 0)&&t.addIssue({code:u.ZodIssueCode.custom,message:"authProfiles must contain at least one upstream auth profile"})}),ch=u.object({id:uh,displayName:u.string().min(1),description:u.string().min(1).optional(),serverInfo:Br.optional(),mcpUrl:u.url(),protectedResourceMetadataUrl:u.url(),requestHeaders:u.array(Qu).default([]),authProfiles:sE}).strict(),iE=u.object({name:cs,value:u.string().min(1).optional(),required:u.boolean().default(!0)}).strict(),ls={id:uh.optional(),displayName:u.string().min(1),summary:u.string().min(1).optional(),serverInfo:Br.optional(),mcpUrl:u.url(),protectedResourceMetadataUrl:u.url().optional(),requestHeaders:u.array(iE).default([])},cE=u.discriminatedUnion("authMode",[u.object({...ls,authMode:u.enum(["tenant_shared_oauth","user_oauth"]),scopes:u.array(u.string().min(1)).default([]),scopeDelimiter:u.string().min(1).default(" "),clientRegistration:dh.optional(),clientId:u.string().trim().min(1).optional(),clientSecret:u.string().min(1).optional(),tokenEndpointAuthMethod:Xu.optional()}).strict(),u.object({...ls,authMode:u.literal("static_secret"),secret:od}).strict(),u.object({...ls,authMode:u.literal("user_static_secret"),secret:ad}).strict(),u.object({...ls,authMode:u.literal("tenant_static_secret"),secret:sd}).strict()]);function ph(e){throw g("internal_server_error",e)}o(ph,"throwGatewayConfigError");function uE(e){let t="mcp-upstream-";return e.startsWith(t)||ph(`Upstream policy ${e} must use the ${t}{upstream-id} naming convention when id is omitted.`),ut.parse(e.slice(t.length))}o(uE,"inferUpstreamConnectionIdFromPolicyName");function dE(e){let t=new URL(e),r=t.pathname==="/"?"":t.pathname;return`${t.origin}/.well-known/oauth-protected-resource${r}`}o(dE,"buildDefaultProtectedResourceMetadataUrl");function pn(e,t){return dt.parse(`${e}:${t}`)}o(pn,"buildUpstreamAuthProfileId");function ps(e,t){let r=ch.safeParse(e);if(r.success)return r.data;let n=cE.parse(e),a=n.id??(t===void 0?void 0:uE(t));a===void 0&&ph("Upstream policy options must include id when policy name is unavailable.");let s=n.requestHeaders.map(c=>({name:c.name,value:c.value,required:c.required})),i=(()=>{switch(n.authMode){case"tenant_shared_oauth":case"user_oauth":{let c=n.clientRegistration??(n.clientId===void 0?{mode:"auto"}:{mode:"manual",clientId:n.clientId,...n.clientSecret===void 0?{}:{clientSecret:n.clientSecret},...n.tokenEndpointAuthMethod===void 0?{}:{tokenEndpointAuthMethod:n.tokenEndpointAuthMethod}});return{[n.authMode]:{scopes:n.scopes,scopeDelimiter:n.scopeDelimiter,clientRegistration:c}}}case"static_secret":case"user_static_secret":case"tenant_static_secret":return{[n.authMode]:{secret:n.secret}}}})();return ch.parse({id:a,displayName:n.displayName,...n.summary===void 0?{}:{description:n.summary},...n.serverInfo===void 0?{}:{serverInfo:n.serverInfo},mcpUrl:n.mcpUrl,protectedResourceMetadataUrl:n.protectedResourceMetadataUrl??dE(n.mcpUrl),requestHeaders:s,authProfiles:i})}o(ps,"parseUpstreamConnectionPolicyOptions");function mh(e){return e.mode==="tenant_shared_oauth"||e.mode==="user_oauth"}o(mh,"isUpstreamOAuthAuthConfig");W();var lE=u.looseObject({name:u.string().min(1),version:u.string().min(1).optional()}),pE=u.looseObject({}),mE=u.looseObject({name:St,namespace:St.optional(),upstreamPolicy:u.string().min(1).optional(),enabled:u.boolean().optional(),inputSchema:pE}),fE=u.looseObject({name:St,namespace:St.optional(),upstreamPolicy:u.string().min(1).optional(),enabled:u.boolean().optional()}),hE=u.looseObject({name:St,uri:u.string().min(1),upstreamPolicy:u.string().min(1).optional(),upstreamUri:u.string().min(1).optional(),enabled:u.boolean().optional()}),gE=u.enum(["openapi","upstream_mcp"]),_E=u.object({catalogSource:gE.default("openapi"),serverInfo:lE.optional(),tools:u.array(mE).default([]),prompts:u.array(fE).default([]),resources:u.array(hE).default([])}).strict();function fh(e){return _E.parse(e??{})}o(fh,"parseVirtualServerRouteOptions");function ms(e){let{enabled:t,upstreamName:r,upstreamPolicyName:n,...a}=e;return a}o(ms,"toMcpTool");function fs(e){let{enabled:t,upstreamName:r,upstreamPolicyName:n,...a}=e;return a}o(fs,"toMcpPrompt");function hs(e){let{enabled:t,upstreamPolicyName:r,upstreamUri:n,...a}=e;return a}o(hs,"toMcpResource");var yE="mcp-upstream-connection-inbound",hh="/mcp/";function Pe(e){throw new Tt(e)}o(Pe,"throwRegistryError");function gh(e){return e.policyType===yE}o(gh,"isUpstreamConnectionPolicy");function wE(e){return ds(e.policyType)}o(wE,"isMcpOAuthInboundPolicy");function SE(e){e.startsWith(hh)||Pe(`MCP virtual server route ${e} must use a /mcp/{virtualServerId} path.`);let t=e.slice(hh.length);return(!t||t.includes("/"))&&Pe(`MCP virtual server route ${e} must use exactly one /mcp/{virtualServerId} path segment.`),ge.parse(t)}o(SE,"readVirtualServerIdFromPath");function vE(e){let t=Object.keys(e.connection.authProfiles);t.length!==1&&Pe(`Upstream policy ${e.policyName} must declare exactly one auth mode; found ${t.length}.`);let r=t[0];return r===void 0&&Pe(`Upstream policy ${e.policyName} does not declare an auth mode.`),is.parse(r)}o(vE,"readSingleAuthMode");function bE(e){let t=e.connection.authProfiles[e.authMode];t||Pe(`Upstream connection ${e.connection.id} does not declare auth mode ${e.authMode}.`);let r=`/auth/connections/${encodeURIComponent(e.connection.id)}/callback`;switch(e.authMode){case"tenant_shared_oauth":case"user_oauth":{let n=t;return{mode:e.authMode,oauth:{scopes:n.scopes,scopeDelimiter:n.scopeDelimiter,redirectPath:r,clientRegistration:n.clientRegistration}}}case"static_secret":return{mode:"static_secret",secret:t.secret};case"user_static_secret":return{mode:"user_static_secret",secret:t.secret};case"tenant_static_secret":return{mode:"tenant_static_secret",secret:t.secret}}}o(bE,"buildResolvedAuthConfig");function RE(e){let t=vE({policyName:e.policyName,connection:e.connection}),r=pn(e.connection.id,t),n=bE({connection:e.connection,authMode:t,authProfileId:r}),a={displayName:e.connection.displayName,...e.connection.description===void 0?{}:{description:e.connection.description},...e.connection.serverInfo===void 0?{}:{serverInfo:e.connection.serverInfo},authProfiles:{[r]:n},transport:{baseUrl:e.connection.mcpUrl,resourceMetadataUrl:e.connection.protectedResourceMetadataUrl,requestHeaders:e.connection.requestHeaders}};return{policyName:e.policyName,upstreamServerId:e.connection.id,config:a,authMode:t,authProfileId:r,authConfig:n}}o(RE,"buildRegisteredConnection");function IE(e){let t=new Map;for(let r of e)t.has(r.name)&&Pe(`Duplicate policy name ${r.name} in policies.json.`),t.set(r.name,{name:r.name,policyType:r.policyType,handler:{options:r.handler.options}});return t}o(IE,"buildPolicyMap");function TE(e){let t=new Map,r=new Set;for(let n of e.values()){if(!gh(n))continue;let a=ps(n.handler.options,n.name);r.has(a.id)&&Pe(`Duplicate upstream MCP connection id ${a.id} in policies.json.`),r.add(a.id);let s=RE({policyName:n.name,connection:a});t.set(n.name,s)}return t}o(TE,"buildConnectionsByPolicyName");function CE(e){if(typeof e.raw!="function")return;let t=e.raw();if(!(!t||typeof t.operationId!="string"||t.operationId===""))return t.operationId}o(CE,"readOperationId");function _h(e){let t=e.namespace===void 0?e.name:`${e.namespace}.${e.name}`;try{return St.parse(t)}catch{Pe(`MCP virtual server route ${e.routePath} declares invalid published capability name ${t}.`)}}o(_h,"buildPublishedCapabilityName");function cd(e){if(e.authoredPolicyName!==void 0)return e.connections.find(r=>r.policyName===e.authoredPolicyName)||Pe(`MCP virtual server route ${e.routePath} declares capability ${e.capabilityName} for upstream policy ${e.authoredPolicyName}, but that policy is not bound to the route.`),e.authoredPolicyName;if(e.connections.length===1)return e.connections[0]?.policyName;Pe(`MCP virtual server route ${e.routePath} declares aggregate capability ${e.capabilityName} without upstreamPolicy.`)}o(cd,"readCapabilityUpstreamPolicy");function id(e){e.seen.has(e.key)&&Pe(`MCP virtual server route ${e.routePath} declares duplicate ${e.kind} ${e.key}.`),e.seen.add(e.key)}o(id,"assertUniqueCatalogKey");function EE(e){let{namespace:t,upstreamPolicy:r,...n}=e.tool,a=_h({name:e.tool.name,namespace:e.tool.namespace,routePath:e.routePath});return{...n,name:a,upstreamName:e.tool.name,upstreamPolicyName:cd({authoredPolicyName:r,capabilityName:a,connections:e.connections,routePath:e.routePath})}}o(EE,"normalizeCatalogTool");function AE(e){let{namespace:t,upstreamPolicy:r,...n}=e.prompt,a=_h({name:e.prompt.name,namespace:e.prompt.namespace,routePath:e.routePath});return{...n,name:a,upstreamName:e.prompt.name,upstreamPolicyName:cd({authoredPolicyName:r,capabilityName:a,connections:e.connections,routePath:e.routePath})}}o(AE,"normalizeCatalogPrompt");function PE(e){let{upstreamPolicy:t,...r}=e.resource;return{...r,upstreamUri:e.resource.upstreamUri??e.resource.uri,upstreamPolicyName:cd({authoredPolicyName:t,capabilityName:e.resource.uri,connections:e.connections,routePath:e.routePath})}}o(PE,"normalizeCatalogResource");function xE(e){let t=e.catalog.catalogSource,r=e.catalog.tools.map(d=>EE({tool:d,connections:e.connections,routePath:e.routePath})),n=e.catalog.prompts.map(d=>AE({prompt:d,connections:e.connections,routePath:e.routePath})),a=e.catalog.resources.map(d=>PE({resource:d,connections:e.connections,routePath:e.routePath})),s=new Set;for(let d of r)id({kind:"tool",key:d.name,routePath:e.routePath,seen:s});let i=new Set;for(let d of n)id({kind:"prompt",key:d.name,routePath:e.routePath,seen:i});let c=new Set;for(let d of a)id({kind:"resource",key:String(d.uri),routePath:e.routePath,seen:c});return{catalogSource:t,...e.catalog.serverInfo===void 0?{}:{serverInfo:e.catalog.serverInfo},tools:r,prompts:n,resources:a}}o(xE,"normalizeVirtualServerCatalog");function kE(e){let t=new Map,r=new Set;for(let n of e.routes){let a=n.policies?.inbound??[];if(a.length===0)continue;let s=a[0],i=s===void 0?void 0:e.policyByName.get(s);if(!i||!wE(i))continue;let c=CE(n);c||Pe(`MCP virtual server route ${n.path} must declare an operationId in routes.oas.json.`),r.has(c)&&Pe(`Duplicate MCP virtual server operationId ${c} across routes.`),r.add(c);let d=SE(n.path);t.has(d)&&Pe(`Duplicate MCP virtual server id ${d} across routes.`);let p=[];for(let h of a.slice(1)){let _=e.policyByName.get(h);if(!_||!gh(_))continue;let w=e.connectionsByPolicyName.get(h);w||Pe(`Upstream connection policy ${h} referenced by route ${n.path} could not be resolved.`),p.push(w)}let l=fh(n.handler.options),m=xE({catalog:l,connections:p,routePath:n.path});m.catalogSource==="upstream_mcp"&&p.length!==1&&Pe(`MCP virtual server route ${n.path} uses upstream MCP catalog mode but declares ${p.length} upstream bindings; upstream MCP catalog mode requires exactly one upstream binding.`),t.set(d,{virtualServerId:d,operationId:c,routePath:n.path,handlerExport:n.handler.export,serverInfo:m.serverInfo,catalog:m,connections:p})}return t}o(kE,"buildVirtualServers");function yh(e){let t=IE(e.policies),r=TE(t),n=kE({routes:e.routes,policyByName:t,connectionsByPolicyName:r}),a=new Map;for(let s of r.values())a.set(s.upstreamServerId,s);return{byVirtualServerId:n,connectionsById:a}}o(yh,"buildGatewayConnectionRegistry");var gs;function wh(e){gs=e}o(wh,"setGatewayConnectionRegistry");function tt(){if(!gs)throw g("internal_server_error","MCP gateway connection registry has not been initialized. Ensure routes.oas.json declares at least one MCP virtual server route and policies.json registers an `mcp-oauth-inbound` (or wrapper) policy.");return gs}o(tt,"getGatewayConnectionRegistry");function Sh(e){let t=tt().byVirtualServerId.get(e);if(!t)throw g("unknown_virtual_server",`Unknown MCP virtual server: ${e}`);return t}o(Sh,"getRegisteredVirtualServer");function bo(e){let t=tt().byVirtualServerId.get(e);if(!t)throw g("unknown_virtual_server",`Unknown virtual server: ${e}`);return t}o(bo,"requireRegisteredVirtualServer");function vh(){return gs}o(vh,"tryGetGatewayConnectionRegistry");var bh=new Ct("gateway-route");function Rh(e,t){bh.set(e,t)}o(Rh,"setGatewayRouteContext");function Ro(e){return bh.get(e)}o(Ro,"readGatewayRouteContext");function mn(e){let t=Ro(e);if(!t)throw g("internal_server_error","Gateway route context has not been set");return t}o(mn,"requireGatewayRouteContext");var Er="2025-06-18";var OE=new Set(["localhost","::1"]);function rt(e){return e.replace(/^\[(.*)\]$/,"$1").replace(/\.+$/,"").toLowerCase()}o(rt,"normalizeHostname");function Ue(e){let t=rt(e.hostname);return e.protocol==="http:"&&(OE.has(t)||/^127(?:\.\d{1,3}){3}$/.test(t))}o(Ue,"isLoopbackHttpUrl");function Q(e){return new URL(e).origin}o(Q,"readGatewayRequestOrigin");import{metrics as UE,context as _s,propagation as Th,SpanKind as Ch,SpanStatusCode as ud,trace as Io}from"@opentelemetry/api";var NE="mcp-gateway",$E="mcp-gateway",zE=Er,ME="2.0",Eh=Io.getTracer(NE),dd=UE.getMeter($E),DE=dd.createHistogram("mcp.client.operation.duration",{description:"The duration of the MCP request or notification as observed on the sender.",unit:"s"}),qE=dd.createHistogram("mcp.server.operation.duration",{description:"MCP request or notification duration as observed on the receiver.",unit:"s"}),LE=dd.createHistogram("mcp.client.session.duration",{description:"The duration of the MCP session as observed on the MCP client.",unit:"s"}),jE=["traceparent","tracestate","baggage"];function ld(){return performance.now()/1e3}o(ld,"nowSeconds");function Ah(e,t){t(Math.max(ld()-e,0))}o(Ah,"recordDurationSeconds");function Ih(e){return e===void 0?void 0:String(e)}o(Ih,"stringifyAttribute");function Ie(e,t,r){r!==void 0&&(e[t]=r)}o(Ie,"assignAttribute");function HE(e){if(e.capabilityType==="tool"||e.capabilityType==="prompt")return e.capabilityName}o(HE,"readTargetName");function Ph(e){let t=HE({kind:"client",...e});return t?`${e.methodName} ${t}`:e.methodName}o(Ph,"buildMcpOperationSpanName");function pd(e){let t={"mcp.method.name":e.methodName};return Ie(t,"jsonrpc.protocol.version",e.jsonRpcProtocolVersion??ME),Ie(t,"jsonrpc.request.id",Ih(e.jsonRpcRequestId)),Ie(t,"mcp.protocol.version",e.mcpProtocolVersion??zE),Ie(t,"mcp.session.id",e.mcpSessionId),Ie(t,"mcp.resource.uri",e.resourceUri),Ie(t,"rpc.response.status_code",Ih(e.rpcResponseStatusCode)),Ie(t,"error.type",e.errorType),e.capabilityType==="tool"&&(Ie(t,"gen_ai.operation.name","execute_tool"),Ie(t,"gen_ai.tool.name",e.capabilityName)),e.capabilityType==="prompt"&&Ie(t,"gen_ai.prompt.name",e.capabilityName),Ie(t,"network.protocol.name",e.networkProtocolName?.toLowerCase()),Ie(t,"network.protocol.version",e.networkProtocolVersion),Ie(t,"network.transport",e.networkTransport),Ie(t,"server.address",e.serverAddress),Ie(t,"server.port",e.serverPort),Ie(t,"client.address",e.clientAddress),Ie(t,"client.port",e.clientPort),t}o(pd,"buildMcpOperationAttributes");function GE(e){let t=pd({methodName:"initialize",...e});return delete t["mcp.method.name"],t}o(GE,"buildMcpSessionAttributes");function xh(e,t,r){e.setAttribute("error.type",r),e.setStatus({code:ud.ERROR}),t instanceof Error&&e.recordException(t)}o(xh,"setSpanError");function kh(e){let t=e?.code;return typeof t=="string"||typeof t=="number"?String(t):e instanceof Error?e.name:"_OTHER"}o(kh,"readErrorType");function BE(e){let t=e&&typeof e=="object"?e._meta:void 0;return!t||typeof t!="object"?_s.active():Th.extract(_s.active(),t,{get(r,n){let a=r[n];return typeof a=="string"?a:void 0},keys(r){return Object.keys(r)}})}o(BE,"readServerParentContext");function VE(e){let t=Io.getSpanContext(_s.active()),r=Io.getSpanContext(e);if(!(!t||!Io.isSpanContextValid(t))&&!(r&&Io.isSpanContextValid(r)&&t.traceId===r.traceId&&t.spanId===r.spanId))return[{context:t}]}o(VE,"readAmbientSpanLink");function Oh(e){return e&&typeof e=="object"&&e.isError===!0?"tool_error":void 0}o(Oh,"readResultErrorType");async function Ar(e,t){let r=ld(),n=pd({kind:"client",networkProtocolName:"http",networkTransport:"tcp",...e});return Eh.startActiveSpan(Ph(e),{kind:Ch.CLIENT,attributes:n},async a=>{try{let s=await t(),i=Oh(s);return i&&(a.setAttribute("error.type",i),a.setStatus({code:ud.ERROR}),n["error.type"]=i),s}catch(s){let i=e.errorType??kh(s);throw n["error.type"]=i,xh(a,s,i),s}finally{Ah(r,s=>{DE.record(s,n)}),a.end()}})}o(Ar,"runMcpClientOperation");async function Pr(e,t){let r=ld(),n=BE(e.params),a=pd({kind:"server",networkProtocolName:"http",networkTransport:"tcp",...e}),s=VE(n);return Eh.startActiveSpan(Ph(e),{kind:Ch.SERVER,attributes:a,...s?{links:s}:{}},n,async i=>{try{let c=await t(),d=Oh(c);return d&&(i.setAttribute("error.type",d),i.setStatus({code:ud.ERROR}),a["error.type"]=d),c}catch(c){let d=e.errorType??kh(c);throw a["error.type"]=d,xh(i,c,d),c}finally{Ah(r,c=>{qE.record(c,a)}),i.end()}})}o(Pr,"runMcpServerOperation");function Uh(e){let t={...e??{},_meta:{...e?._meta&&typeof e._meta=="object"?e._meta:{}}};return Th.inject(_s.active(),t._meta,{set(r,n,a){jE.includes(n)&&(r[n]=a)}}),t}o(Uh,"injectMcpTraceContextIntoParams");function Nh(e,t){let r=GE({kind:"client",networkProtocolName:"http",networkTransport:"tcp",...e});LE.record(Math.max(t,0),r)}o(Nh,"recordMcpClientSessionDuration");var md=new Ct("route-upstream-bindings");function FE(e){let t=md.get(e);if(t)return t;let r={bindings:[]};return md.set(e,r),r}o(FE,"readOrCreateRouteUpstreamBindingRegistry");function $h(e){return`${e.upstreamServerId}:${e.authProfileId}`}o($h,"buildRouteBindingDuplicateKey");function fd(e,t){let r=FE(e),n=$h(t);if(r.bindings.find(s=>$h(s)===n)!==void 0)throw g("internal_server_error",`Route declares duplicate upstream binding ${t.upstreamServerId} + ${t.authProfileId}.`);r.bindings.push(t)}o(fd,"appendResolvedUpstreamBindingContext");function zh(e){return md.get(e)?.bindings??[]}o(zh,"readResolvedUpstreamBindingContexts");W();function lt(e){return Q(e)}o(lt,"readGatewayOAuthIssuer");W();var fn=u.string().trim().min(1),To={accessTokenTtlSeconds:900,refreshTokenTtlSeconds:2592e3,cimdEnabled:!0},ZE=u.object({issuer:u.url(),jwksUrl:u.url(),audience:fn}),KE=u.object({url:u.url(),tokenUrl:u.url().optional(),clientId:fn.optional(),clientSecret:fn.optional(),scope:fn.default("openid profile email"),audience:fn.optional(),remoteTimeoutMs:u.coerce.number().int().positive().default(1e4),stateTtlSeconds:u.coerce.number().int().positive().default(900),sessionTtlSeconds:u.coerce.number().int().positive().default(28800)}).strict(),WE=u.object({accessTokenTtlSeconds:u.coerce.number().int().positive().default(To.accessTokenTtlSeconds),refreshTokenTtlSeconds:u.coerce.number().int().positive().default(To.refreshTokenTtlSeconds),cimdEnabled:u.boolean().default(To.cimdEnabled)}).strict().default(To),JE=u.object({oidc:ZE,browserLogin:KE,gateway:WE.optional().default(To),devTenantId:fn.optional()}).strict();function Mh(e){return YE(e.browserLogin.url)?"local_dev":"federated_oidc"}o(Mh,"readBrowserLoginKind");function YE(e){let t;try{t=new URL(e)}catch{return!1}return Ue(t)&&t.pathname==="/oauth/dev-login"}o(YE,"isLoopbackDevLoginUrl");function ys(e){return JE.parse(e)}o(ys,"parseMcpOAuthRuntimeConfig");var hd;function Dh(e){hd=e}o(Dh,"setGatewayOAuthConfig");function _e(){if(!hd)throw g("internal_server_error","MCP gateway OAuth config has not been initialized. An `mcp-oauth-inbound` policy (or a provider-specific wrapper such as `mcp-auth0-oauth-inbound`) must be registered in policies.json so the gateway can derive its OAuth runtime configuration from policy options.");return hd}o(_e,"getGatewayOAuthConfig");W();var XE=43,QE=128,eA=/^[A-Za-z0-9._~-]+$/,gd="S256",hn=u.literal(gd),ws=u.string().min(XE).max(QE).regex(eA);W();W();var Ne=u.string().datetime({offset:!0}).brand();function K(e){return Ne.parse(e.toISOString())}o(K,"toIsoTimestamp");function ar(e,t){return new Date(e.getTime()+t*1e3)}o(ar,"addSeconds");var Ss=["none","client_secret_post","client_secret_basic"],tA=[...Ss,"private_key_jwt"],rA=["awaiting_login","awaiting_setup"],nA=u.string().min(1).brand(),oA=u.string().min(1).brand(),Ze=u.string().min(1).brand(),$t=u.uuid().brand(),sr=u.uuid().brand(),vs=u.uuid().brand(),Co=u.enum(Ss),aA=u.enum(tA),_d=u.enum(rA),qh=u.object({client_id:Ze,client_name:u.string().min(1),redirect_uris:u.array(u.string().min(1)).min(1),token_endpoint_auth_method:aA.default("none")}),Lh=u.object({clientId:Ze,clientName:u.string().min(1),redirectUris:u.array(u.string().min(1)),tokenEndpointAuthMethod:Co,hashedClientSecret:u.string().optional(),clientSecretExpiresAt:Ne.optional(),clientExpiresAt:Ne,revokedAt:Ne.optional(),createdAt:Ne}),yd=u.object({clientId:Ze,resource:u.string(),virtualServerId:ge,tenantId:nA,subjectId:oA,scope:u.string(),roles:u.array(u.string()),createdAt:Ne,expiresAt:Ne}),jh=yd.extend({id:sr,redirectUri:u.string(),clientState:u.string().optional(),codeChallenge:u.string(),codeChallengeMethod:hn}),Hh=yd.extend({id:$t,currentRefreshTokenHash:u.string().optional(),previousRefreshTokenHash:u.string().optional(),revokedAt:Ne.optional(),revokedReason:u.string().optional()}),Gh=yd.extend({tokenHash:u.string(),grantId:$t,revokedAt:Ne.optional()});function wd(){return sr.parse(crypto.randomUUID())}o(wd,"createDownstreamAuthorizationTransactionId");function Sd(){return vs.parse(crypto.randomUUID())}o(Sd,"createDownstreamBrowserLoginStateId");function Bh(){return $t.parse(crypto.randomUUID())}o(Bh,"createDownstreamGrantId");var oe="mcp:tools";function Rs(e,t){if(e===t)return!0;let r=new URL(e),n=new URL(t);return Ue(r)&&Ue(n)&&rt(r.hostname)===rt(n.hostname)&&r.pathname===n.pathname&&r.search===n.search}o(Rs,"redirectUriMatchesRegistration");function Vh(e){return Ue(e)&&e.pathname==="/oauth/dev-login"}o(Vh,"isLoopbackDevLoginUrl");function bs(e,t){return new URL(e,lt(t)).toString()}o(bs,"buildGatewayOAuthUrl");function vd(e){return new URL(`/mcp/${encodeURIComponent(e.virtualServerId)}`,Q(e.requestUrl)).toString()}o(vd,"buildScopedAuthorizationServerIssuer");function sA(e){return new URL(`/oauth/authorize/mcp/${encodeURIComponent(e.virtualServerId)}`,Q(e.requestUrl)).toString()}o(sA,"buildScopedAuthorizationEndpoint");function bd(e){let t=_e();return{issuer:lt(e),authorization_endpoint:bs("/oauth/authorize",e),token_endpoint:bs("/oauth/token",e),registration_endpoint:bs("/oauth/register",e),revocation_endpoint:bs("/oauth/revoke",e),response_types_supported:["code"],response_modes_supported:["query"],grant_types_supported:["authorization_code","refresh_token"],scopes_supported:[oe],code_challenge_methods_supported:[gd],token_endpoint_auth_methods_supported:Ss,revocation_endpoint_auth_methods_supported:["client_secret_basic","client_secret_post","none"],client_id_metadata_document_supported:t.gateway.cimdEnabled,"x-zuplo-browser-login-kind":Mh(t)}}o(bd,"buildAuthorizationServerMetadata");function Fh(e){let t=vd(e);return{...bd(e.requestUrl),issuer:t,authorization_endpoint:sA(e)}}o(Fh,"buildScopedAuthorizationServerMetadata");async function Zh(e,t){try{let r=ge.parse(e.params.virtualServerId),n=bo(r);return Response.json(iA(n.virtualServerId,e.url))}catch(r){let n=ae(r);return je(e,t,{code:n==="unknown_virtual_server"?n:"not_found",detail:(r instanceof Error?r.message:void 0)??"The requested protected resource metadata document was not found."})}}o(Zh,"protectedResourceMetadataHandler");function iA(e,t){return{resource:Eo(e,t),resource_name:e,authorization_servers:[vd({virtualServerId:e,requestUrl:t})],bearer_methods_supported:["header"],scopes_supported:[oe],mcp_protocol_version:Er}}o(iA,"buildProtectedResourceMetadataResponseBody");function Eo(e,t){return new URL(`/mcp/${encodeURIComponent(e)}`,Q(t)).toString()}o(Eo,"buildCanonicalMcpResourceForVirtualServer");function Kh(e,t){return new URL(`/.well-known/oauth-protected-resource/mcp/${encodeURIComponent(e)}`,Q(t)).toString()}o(Kh,"buildProtectedResourceMetadataUrlForVirtualServer");var cA=u.record(u.string(),u.unknown()),Wh=u.string().min(1),uA=u.union([Wh.transform(e=>[e]),u.array(Wh)]),$e=u.string().min(1).brand(),le=u.string().min(1).brand(),dA=["zuploSubjectId","zuplo_subject_id","gatewaySubjectId","gateway_subject_id","subjectId","subject_id","https://zuplo.com/subject_id"],lA=["https://zuplo.com/roles","roles","role","permissions","groups"],pA=$e.parse("zuplo-poc"),Jh=new Ct("gateway-principal");function mA(e){let t=cA.safeParse(e);return t.success?t.data:{}}o(mA,"toClaimRecord");function fA(e){return e.issues[0]?.message??"Gateway principal is invalid"}o(fA,"readValidationFailureDetail");function hA(e,t,r){for(let s of dA){let i=le.safeParse(t[s]);if(i.success)return i.data}let n=le.safeParse(e?.sub);if(!n.success)throw g("identity_context_missing",fA(n.error));let a=typeof t.iss=="string"?t.iss:void 0;return!a||a===lt(r)?n.data:le.parse(`${a}|${n.data}`)}o(hA,"readNormalizedSubjectId");function gA(e){let t=new Set;for(let r of lA){let n=uA.safeParse(e[r]);if(n.success)for(let a of n.data)t.add(a)}return t.size>0?[...t]:void 0}o(gA,"readRoles");function gn(e,t){let r=mA(e?.data),n={subjectId:hA(e,r,t),tenantId:pA},a=gA(r);return a&&(n.roles=a),n}o(gn,"parseGatewayPrincipal");function Yh(e){let t=Id(e);if(!t)throw g("identity_context_missing","Gateway principal has not been hydrated");return t}o(Yh,"requireGatewayPrincipal");function Xh(e,t){Jh.set(e,t)}o(Xh,"setGatewayPrincipal");function Id(e){return Jh.get(e)}o(Id,"readGatewayPrincipal");function _n(e){let r=['realm="OAuth"',`resource_metadata="${Rd(Kh(e.virtualServerId,e.requestUrl))}"`];return e.error!==void 0&&r.push(`error="${e.error}"`),e.errorDescription!==void 0&&r.push(`error_description="${Rd(e.errorDescription)}"`),e.scope!==void 0&&r.push(`scope="${Rd(e.scope)}"`),`Bearer ${r.join(", ")}`}o(_n,"buildGatewayBearerChallenge");function Rd(e){let t="";for(let r=0;r<e.length;r+=1){let n=e.charCodeAt(r);n<=31||n===127||(t+=e[r])}return t.replaceAll("\\","\\\\").replaceAll('"','\\"')}o(Rd,"sanitizeQuotedHeaderParameter");var _A=2,Qh=4,yA=24,wA=16,eg=512,SA=/(token|secret|authorization|password|cookie|credential|client[_-]?secret|code[_-]?verifier|(^|[_-])(code|state|verifier)($|[_-]))/i,vA=/("(?:access_token|refresh_token|id_token|client_secret|authorization|password|cookie|code|state|code_verifier)"\s*:\s*")([^"]*)(")/gi,bA=/\b(access[_-]?token|refresh[_-]?token|id[_-]?token|client[_-]?secret|password|cookie|code|state|code[_-]?verifier)(\s*[:=]\s*)(?:"[^"]*"|'[^']*'|[^\s,;&]+)/gi,RA=/\b(authorization)(\s*[:=]\s*)(?:"[^"]*"|'[^']*'|(?:Bearer|Basic)\s+[^\s,;]+|[^\s,;]+)/gi,IA=/\bBearer\s+[A-Za-z0-9._~+/=-]+/gi,TA=/\bBasic\s+[A-Za-z0-9+/=-]+/gi;function tg(e){let t=e.route;return t&&typeof t=="object"?t:void 0}o(tg,"readRoute");function CA(e){let t=tg(e)?.path;return typeof t=="string"&&t.length>0?t:void 0}o(CA,"readRoutePath");function EA(e){let t=tg(e)?.raw;if(typeof t!="function")return;let r=t();if(!r||typeof r!="object")return;let n=r.operationId;return typeof n=="string"&&n.length>0?n:void 0}o(EA,"readRouteOperationId");function AA(e){if(!(e===void 0||!Number.isFinite(e)||e<100))return`${Math.trunc(e/100)}xx`}o(AA,"deriveStatusClass");function PA(e,t){if(!(!e&&!t))return e==="user"?t==="user_oauth"?"upstream_user_attributed":"gateway_user_attributed_only":e==="tenant_shared"?"tenant_shared_upstream_identity":e==="none"?"machine_identity":"unknown"}o(PA,"deriveOriginAttributionMode");function xA(e){if(!e)return;let t=e.toLowerCase();return t.includes("desktop")||t.includes("claude")||t.includes("chatgpt")?"desktop":t.includes("vscode")||t.includes("cursor")||t.includes("zed")||t.includes("jetbrains")||t.includes("ide")?"ide":t.includes("extension")?"extension":t.includes("agent")||t.includes("bot")||t.includes("worker")||t.includes("service")?"service":"unknown"}o(xA,"deriveClientKind");function kA(e,t){return t==="success"?"none":e===L.MCP_GATEWAY_REQUEST_RECEIVED||e===L.MCP_GATEWAY_REQUEST_REJECTED||e===L.MCP_GATEWAY_CLIENT_UNSUPPORTED_BEHAVIOR?"ingress":e.startsWith("mcp_gateway_auth_")||e.startsWith("mcp_gateway_oauth_")?"auth":e===L.MCP_GATEWAY_INITIALIZE_NEGOTIATED?"routing":e===L.MCP_GATEWAY_POLICY_DECISION?"policy":e===L.MCP_GATEWAY_GUARDRAIL_DECISION?"guardrail":e===L.MCP_GATEWAY_RATE_LIMIT_DECISION?"policy":e.startsWith("mcp_gateway_upstream_")||e.startsWith("mcp_gateway_capability_")||e.startsWith("mcp_gateway_catalog_")?"upstream":e===L.MCP_GATEWAY_REQUEST_COMPLETED?"egress":"none"}o(kA,"deriveFailureStage");function OA(e,t){return t==="success"?"none":t==="application_error"?"mcp_application":e.startsWith("mcp_gateway_auth_")||e.startsWith("mcp_gateway_oauth_")?"auth":e===L.MCP_GATEWAY_POLICY_DECISION||e===L.MCP_GATEWAY_GUARDRAIL_DECISION||e===L.MCP_GATEWAY_RATE_LIMIT_DECISION?"policy":e.startsWith("mcp_gateway_upstream_")||e===L.MCP_GATEWAY_CAPABILITY_FAILED||e===L.MCP_GATEWAY_CAPABILITY_CONNECT_REQUIRED?"upstream":e===L.MCP_GATEWAY_REQUEST_REJECTED||e===L.MCP_GATEWAY_CLIENT_UNSUPPORTED_BEHAVIOR?"client":"gateway"}o(OA,"deriveFailureOrigin");function UA(e,t){return t==="success"?"none":e.startsWith("mcp_gateway_auth_")||e.startsWith("mcp_gateway_oauth_")?"auth":e===L.MCP_GATEWAY_POLICY_DECISION?"policy":e===L.MCP_GATEWAY_GUARDRAIL_DECISION?"guardrail":e===L.MCP_GATEWAY_RATE_LIMIT_DECISION?"rate_limit":e.startsWith("mcp_gateway_upstream_")?"upstream":e===L.MCP_GATEWAY_CLIENT_UNSUPPORTED_BEHAVIOR||e===L.MCP_GATEWAY_REQUEST_REJECTED?"protocol":"none"}o(UA,"deriveReasonClass");function NA(e){return e.length<=eg?e:`${e.slice(0,eg)}...`}o(NA,"truncateAnalyticsString");function $A(e){return NA(e.replace(vA,"$1[REDACTED]$3").replace(RA,"$1$2[REDACTED]").replace(bA,"$1$2[REDACTED]").replace(IA,"Bearer [REDACTED]").replace(TA,"Basic [REDACTED]"))}o($A,"redactAnalyticsString");function rg(e,t){if(e!==void 0){if(e===null||typeof e=="boolean")return e;if(typeof e=="string")return $A(e);if(typeof e=="number")return Number.isFinite(e)?e:void 0;if(Array.isArray(e))return t>=Qh?"[DEPTH_LIMIT]":e.slice(0,wA).map(r=>rg(r,t+1)).filter(r=>r!==void 0);if(typeof e=="object")return e instanceof Date?e.toISOString():t>=Qh?"[DEPTH_LIMIT]":ng(e,t+1)}}o(rg,"sanitizeAnalyticsValue");function ng(e,t=0){if(!e)return;let r={};for(let[n,a]of Object.entries(e).slice(0,yA)){if(SA.test(n)){r[n]="[REDACTED]";continue}let s=rg(a,t);s!==void 0&&(r[n]=s)}return Object.keys(r).length===0?void 0:r}o(ng,"sanitizeMcpGatewayAnalyticsAttributes");function O(e){return e===void 0?null:e}o(O,"nullable");function zA(e){let t=e.environment;return t&&typeof t=="object"&&typeof t.name=="string"?t.name:null}o(zA,"readEnvironment");function MA(e){let t=e.requestId;return typeof t=="string"&&t.length>0?t:null}o(MA,"readRequestId");function DA(e){if(e===void 0)return null;try{return JSON.stringify(e)}catch{return null}}o(DA,"attributesToJsonString");function qA(e,t){let r=Id(e),n=Ro(e),a=ng(t.attributes),s=MA(e),i=t.ownerMode??t.routeBinding?.ownerMode??null,c=t.upstreamAuthMode??t.routeBinding?.authMode??null,d=t.virtualServerName??t.routeBinding?.virtualServerId??n?.virtualServerId??null,p=t.upstreamServerName??t.routeBinding?.upstreamServerId??n?.upstreamServerId??null,l=t.upstreamServerTitle??t.routeBinding?.upstreamDisplayName??null,m=t.authProfileId??t.routeBinding?.authProfileId??n?.authProfileId??null,h=t.clientKind??xA(t.clientName)??null,_=PA(i??void 0,c??void 0)??null,w=AA(t.httpStatusCode)??null,y=t.reasonClass??UA(t.eventType,t.outcome),S=t.failureOrigin??OA(t.eventType,t.outcome),v=t.failureStage??kA(t.eventType,t.outcome);return{schemaVersion:_A,outcome:t.outcome,tenantId:O(r?.tenantId),subjectId:O(r?.subjectId),environment:zA(e),traceId:t.traceId??s,spanId:O(t.spanId),parentEventId:O(t.parentEventId),mcpSessionId:O(t.mcpSessionId),routeSurface:O(t.routeSurface),routePath:CA(e)??null,operationId:EA(e)??null,virtualServerName:d,virtualServerTitle:O(t.virtualServerTitle),upstreamServerName:p,upstreamServerTitle:l,upstreamBindingId:O(t.upstreamBindingId),clientName:O(t.clientName),clientTitle:O(t.clientTitle),clientVersion:O(t.clientVersion),clientKind:h,authProfileId:m,upstreamAuthMode:c,ownerMode:i,authMethod:O(t.authMethod),originAttributionMode:_,httpMethod:O(t.httpMethod),httpStatusCode:O(t.httpStatusCode),statusClass:w,mcpMethod:O(t.mcpMethod),mcpProtocolVersion:O(t.mcpProtocolVersion),mcpStatus:O(t.mcpStatus),mcpErrorType:O(t.mcpErrorType),applicationError:O(t.applicationError),applicationErrorCode:O(t.applicationErrorCode),toolResultIsError:O(t.toolResultIsError),capabilityType:O(t.capabilityType),capabilityName:O(t.capabilityName),capabilityTitle:O(t.capabilityTitle),upstreamCapabilityName:O(t.upstreamCapabilityName),upstreamCapabilityTitle:O(t.upstreamCapabilityTitle),capabilitySchemaHash:O(t.capabilitySchemaHash),policyId:O(t.policyId),policyAction:O(t.policyAction),guardrailType:O(t.guardrailType),guardrailDirection:O(t.guardrailDirection),guardrailFindingCount:O(t.guardrailFindingCount),redactionCount:O(t.redactionCount),requestMutated:O(t.requestMutated),responseMutated:O(t.responseMutated),latencyMs:O(t.latencyMs),gatewayLatencyMs:O(t.gatewayLatencyMs),upstreamLatencyMs:O(t.upstreamLatencyMs),authLatencyMs:O(t.authLatencyMs),policyLatencyMs:O(t.policyLatencyMs),requestBytes:O(t.requestBytes),responseBytes:O(t.responseBytes),estimatedInputTokens:O(t.estimatedInputTokens),estimatedOutputTokens:O(t.estimatedOutputTokens),estimatedContextTokens:O(t.estimatedContextTokens),contextPressureBucket:O(t.contextPressureBucket),responseMimeTypes:O(t.responseMimeTypes),base64Suspected:O(t.base64Suspected),truncated:O(t.truncated),isLargePayloadRequest:O(t.isLargePayloadRequest),isLargePayloadResponse:O(t.isLargePayloadResponse),payloadCaptureMode:O(t.payloadCaptureMode),reasonCode:O(t.reasonCode),reasonClass:y,errorType:t.errorType??t.reasonCode??null,failureOrigin:S,failureStage:v,customMetadataJson:O(t.customMetadataJson),attributesJson:DA(a)}}o(qA,"buildMcpGatewayAnalyticsMetadata");function He(e,t){try{e.analyticsContext.addAnalyticsEvent(t.value??1,t.eventType,qA(e,t),t.unit)}catch(r){e.log?.warn?.({event:"mcp_gateway_analytics_emit_failed",errorName:r instanceof Error?r.name:"unknown"})}}o(He,"emitMcpGatewayAnalyticsEvent");function Ge(e){let t=tt().connectionsById.get(e);if(!t)throw g("unknown_upstream_server",`Unknown upstream server: ${e}`);return t.config}o(Ge,"getUpstreamServerConfig");function LA(e){let t=tt().connectionsById.get(e.upstreamServerId);if(!t||t.authProfileId!==e.authProfileId)throw g("unknown_auth_profile",`Unknown auth profile ${String(e.authProfileId)} for upstream server ${e.upstreamServerId}.`);return t.authProfileId}o(LA,"resolveUpstreamAuthProfileId");function ir(e){LA(e);let t=tt().connectionsById.get(e.upstreamServerId);if(!t)throw g("unknown_auth_profile",`Auth profile could not be resolved for upstream server ${e.upstreamServerId}.`);return t.authConfig}o(ir,"getUpstreamAuthConfig");function xr(e,t){let r=ir({upstreamServerId:e,authProfileId:t});if(!mh(r))throw g("invalid_request",`Upstream server ${e} does not use upstream OAuth.`);return r.oauth}o(xr,"requireUpstreamOAuthConfig");var jA={tenant_shared_oauth:{authMode:"tenant_shared_oauth",ownerMode:"tenant_shared",connectSupport:"oauth_authorization",connectUnsupportedDetail:void 0,callbackSupport:"authorization_code",credentialAcquisition:"oauth_connection"},user_oauth:{authMode:"user_oauth",ownerMode:"user",connectSupport:"oauth_authorization",connectUnsupportedDetail:void 0,callbackSupport:"authorization_code",credentialAcquisition:"oauth_connection"},static_secret:{authMode:"static_secret",ownerMode:"none",connectSupport:"none",connectUnsupportedDetail:"Static-secret upstreams do not support browser connection flows.",callbackSupport:"none",credentialAcquisition:"configured_static_secret"},tenant_static_secret:{authMode:"tenant_static_secret",ownerMode:"tenant_shared",connectSupport:"none",connectUnsupportedDetail:"Tenant static-secret upstreams do not support browser connection flows.",callbackSupport:"none",credentialAcquisition:"tenant_static_secret_connection"},user_static_secret:{authMode:"user_static_secret",ownerMode:"user",connectSupport:"user_static_secret_capture",connectUnsupportedDetail:void 0,callbackSupport:"none",credentialAcquisition:"user_static_secret_connection"}};function vt(e){return jA[e]}o(vt,"describeUpstreamAuthMode");function Td(e){return vt(e).ownerMode}o(Td,"resolveOwnerModeForUpstreamAuthMode");W();var Cd=u.string().trim().min(1),HA=u.object({TOKEN_ENCRYPTION_KEY:Cd,OAUTH_STATE_SIGNING_KEY:Cd,TEST_ONLY_DO_NOT_USE_DB_CONNECTION_STRING:Cd.optional()}),GA=["TOKEN_ENCRYPTION_KEY","OAUTH_STATE_SIGNING_KEY","TEST_ONLY_DO_NOT_USE_DB_CONNECTION_STRING"];function BA(e){let t=Si[e];return typeof t=="string"?t:void 0}o(BA,"readEnvValue");function VA(){let e={};for(let t of GA){let r=BA(t);r!==void 0&&(e[t]=r)}return e}o(VA,"readRawEnv");var Ed;function FA(e){return e.issues.map(t=>`- ${t.path.length>0?t.path.map(String).join("."):"environment"}: ${t.message}`)}o(FA,"formatZodIssues");function ZA(e){return new Tt(["Invalid MCP gateway environment configuration.","Validation failed for these environment variables:",...FA(e)].join(`
44
- `),{cause:e})}o(ZA,"createEnvValidationError");function KA(e){let t=HA.safeParse(e);if(!t.success)throw ZA(t.error);return t.data}o(KA,"parseGatewayEnv");function WA(){return Ed||(Ed=KA(VA())),Ed}o(WA,"readEnv");function Is(){return WA()}o(Is,"getEnv");W();W();function JA(e){if(e instanceof Date)return e;let t=new Date(e);if(Number.isNaN(t.getTime()))throw new Error("Expected a valid timestamp",{cause:new Error(`received: ${String(e)}`)});return t}o(JA,"parseDate");function cr(e,t){if(typeof e!="string")return e;try{return JSON.parse(e)}catch(r){throw new Error(`Persisted ${t} must be valid JSON`,{cause:r})}}o(cr,"parseJsonValue");function Ad(e,t){return u.array(u.string()).parse(cr(e,t))}o(Ad,"parseStringArray");var ie=u.union([u.date(),u.string()]).transform(e=>JA(e));var YA=u.object({current_state_hash:u.string(),phase:_d,consumed_at:ie.nullable(),expires_at:ie}),XA=u.object({id:$t,revoked_at:ie.nullable().optional(),expires_at:ie,matched:u.enum(["current","previous"])}),QA=u.object({id:$t,matched:u.literal("current")}),eP=u.object({client_id:Ze,client_name:u.string(),redirect_uris:u.unknown(),token_endpoint_auth_method:Co,hashed_client_secret:u.string().nullable(),client_secret_expires_at:ie.nullable(),client_expires_at:ie,revoked_at:ie.nullable(),created_at:ie}).transform(e=>{let t={clientId:e.client_id,clientName:e.client_name,redirectUris:Ad(e.redirect_uris,"redirect_uris"),tokenEndpointAuthMethod:e.token_endpoint_auth_method,createdAt:K(e.created_at),clientExpiresAt:K(e.client_expires_at)};return e.hashed_client_secret&&(t.hashedClientSecret=e.hashed_client_secret),e.client_secret_expires_at&&(t.clientSecretExpiresAt=K(e.client_secret_expires_at)),e.revoked_at&&(t.revokedAt=K(e.revoked_at)),Lh.parse(t)}),Pd=u.object({id:sr,current_state_hash:u.string(),phase:_d,principal_subject_id:le.nullable(),principal_tenant_id:$e.nullable(),principal_roles:u.unknown().nullable(),client_id:Ze,redirect_uri:u.string(),resource:u.string(),virtual_server_id:ge,client_state:u.string().nullable(),scope:u.string(),code_challenge:u.string(),code_challenge_method:hn,created_at:ie,expires_at:ie,consumed_at:ie.nullable()}).transform(e=>{let t={id:e.id,currentStateHash:e.current_state_hash,clientId:e.client_id,redirectUri:e.redirect_uri,resource:e.resource,virtualServerId:e.virtual_server_id,scope:e.scope,codeChallenge:e.code_challenge,codeChallengeMethod:e.code_challenge_method,createdAt:K(e.created_at),expiresAt:K(e.expires_at)};if(e.client_state&&(t.clientState=e.client_state),e.consumed_at&&(t.consumedAt=K(e.consumed_at)),e.phase==="awaiting_login")return{...t,phase:"awaiting_login"};if(!e.principal_subject_id||!e.principal_tenant_id)throw new Error("Awaiting-setup pending authorization row is missing principal.");return{...t,phase:"awaiting_setup",principal:{subjectId:e.principal_subject_id,tenantId:e.principal_tenant_id,...e.principal_roles===null?{}:{roles:u.array(u.string()).parse(cr(e.principal_roles,"principal_roles"))}}}}),tP=u.object({id:sr});function ag(e){return{clientId:e.client_id,resource:e.resource,virtualServerId:e.virtual_server_id,tenantId:e.tenant_id,subjectId:e.subject_id,scope:e.scope,roles:Ad(e.roles,"roles"),createdAt:K(e.created_at),expiresAt:K(e.expires_at)}}o(ag,"downstreamGrantAccessFields");var og=u.object({id:$t,client_id:Ze,resource:u.string(),virtual_server_id:ge,tenant_id:$e,subject_id:le,scope:u.string(),roles:u.unknown(),current_refresh_token_hash:u.string().nullable(),previous_refresh_token_hash:u.string().nullable(),created_at:ie,expires_at:ie,revoked_at:ie.nullable(),revoked_reason:u.string().nullable()}).transform(e=>{let t={id:e.id,...ag(e)};return e.current_refresh_token_hash&&(t.currentRefreshTokenHash=e.current_refresh_token_hash),e.previous_refresh_token_hash&&(t.previousRefreshTokenHash=e.previous_refresh_token_hash),e.revoked_at&&(t.revokedAt=K(e.revoked_at)),e.revoked_reason&&(t.revokedReason=e.revoked_reason),Hh.parse(t)}),rP=u.object({token_hash:u.string(),grant_id:$t,client_id:Ze,resource:u.string(),virtual_server_id:ge,tenant_id:$e,subject_id:le,scope:u.string(),roles:u.unknown(),created_at:ie,expires_at:ie,revoked_at:ie.nullable()}).transform(e=>{let t={tokenHash:e.token_hash,grantId:e.grant_id,...ag(e)};return e.revoked_at&&(t.revokedAt=K(e.revoked_at)),Gh.parse(t)});function sg(e){return[e.clientId,e.redirectUri,e.resource,e.virtualServerId,e.tenantId,e.subjectId,e.scope,JSON.stringify(e.roles),e.codeChallenge,e.codeChallengeMethod,new Date(e.createdAt),new Date(e.expiresAt)]}o(sg,"authorizationTransactionValues");function nP(e,t){let r=jh.parse(t);return e.query(`INSERT INTO downstream_oauth_authorization_transactions (
43
+ `,t.enqueue(r.encode(i)),!0}catch(i){return this.onerror?.(i),!1}}handleUnsupportedRequest(){return this.onerror?.(new Error("Method not allowed.")),new Response(JSON.stringify({jsonrpc:"2.0",error:{code:-32e3,message:"Method not allowed."},id:null}),{status:405,headers:{Allow:"GET, POST, DELETE","Content-Type":"application/json"}})}async handlePostRequest(t,r){try{let n=t.headers.get("accept");if(!n?.includes("application/json")||!n.includes("text/event-stream"))return this.onerror?.(new Error("Not Acceptable: Client must accept both application/json and text/event-stream")),this.createJsonErrorResponse(406,-32e3,"Not Acceptable: Client must accept both application/json and text/event-stream");let a=t.headers.get("content-type");if(!a||!a.includes("application/json"))return this.onerror?.(new Error("Unsupported Media Type: Content-Type must be application/json")),this.createJsonErrorResponse(415,-32e3,"Unsupported Media Type: Content-Type must be application/json");let i={headers:Object.fromEntries(t.headers.entries()),url:new URL(t.url)},s;if(r?.parsedBody!==void 0)s=r.parsedBody;else try{s=await t.json()}catch{return this.onerror?.(new Error("Parse error: Invalid JSON")),this.createJsonErrorResponse(400,-32700,"Parse error: Invalid JSON")}let u;try{Array.isArray(s)?u=s.map(v=>wr.parse(v)):u=[wr.parse(s)]}catch{return this.onerror?.(new Error("Parse error: Invalid JSON-RPC message")),this.createJsonErrorResponse(400,-32700,"Parse error: Invalid JSON-RPC message")}let d=u.some(Gs);if(d){if(this._initialized&&this.sessionId!==void 0)return this.onerror?.(new Error("Invalid Request: Server already initialized")),this.createJsonErrorResponse(400,-32600,"Invalid Request: Server already initialized");if(u.length>1)return this.onerror?.(new Error("Invalid Request: Only one initialization request is allowed")),this.createJsonErrorResponse(400,-32600,"Invalid Request: Only one initialization request is allowed");this.sessionId=this.sessionIdGenerator?.(),this._initialized=!0,this.sessionId&&this._onsessioninitialized&&await Promise.resolve(this._onsessioninitialized(this.sessionId))}if(!d){let v=this.validateSession(t);if(v)return v;let R=this.validateProtocolVersion(t);if(R)return R}if(!u.some(St)){for(let v of u)this.onmessage?.(v,{authInfo:r?.authInfo,requestInfo:i});return new Response(null,{status:202})}let p=crypto.randomUUID(),m=u.find(v=>Gs(v)),f=m?m.params.protocolVersion:t.headers.get("mcp-protocol-version")??kp;if(this._enableJsonResponse)return new Promise(v=>{this._streamMapping.set(p,{resolveJson:v,cleanup:o(()=>{this._streamMapping.delete(p)},"cleanup")});for(let R of u)St(R)&&this._requestToStreamMapping.set(R.id,p);for(let R of u)this.onmessage?.(R,{authInfo:r?.authInfo,requestInfo:i})});let _=new TextEncoder,S,y=new ReadableStream({start:o(v=>{S=v},"start"),cancel:o(()=>{this._streamMapping.delete(p)},"cancel")}),w={"Content-Type":"text/event-stream","Cache-Control":"no-cache",Connection:"keep-alive"};this.sessionId!==void 0&&(w["mcp-session-id"]=this.sessionId);for(let v of u)St(v)&&(this._streamMapping.set(p,{controller:S,encoder:_,cleanup:o(()=>{this._streamMapping.delete(p);try{S.close()}catch{}},"cleanup")}),this._requestToStreamMapping.set(v.id,p));await this.writePrimingEvent(S,_,p,f);for(let v of u){let R,I;St(v)&&this._eventStore&&f>="2025-11-25"&&(R=o(()=>{this.closeSSEStream(v.id)},"closeSSEStream"),I=o(()=>{this.closeStandaloneSSEStream()},"closeStandaloneSSEStream")),this.onmessage?.(v,{authInfo:r?.authInfo,requestInfo:i,closeSSEStream:R,closeStandaloneSSEStream:I})}return new Response(y,{status:200,headers:w})}catch(n){return this.onerror?.(n),this.createJsonErrorResponse(400,-32700,"Parse error",{data:String(n)})}}async handleDeleteRequest(t){let r=this.validateSession(t);if(r)return r;let n=this.validateProtocolVersion(t);return n||(await Promise.resolve(this._onsessionclosed?.(this.sessionId)),await this.close(),new Response(null,{status:200}))}validateSession(t){if(this.sessionIdGenerator===void 0)return;if(!this._initialized)return this.onerror?.(new Error("Bad Request: Server not initialized")),this.createJsonErrorResponse(400,-32e3,"Bad Request: Server not initialized");let r=t.headers.get("mcp-session-id");if(!r)return this.onerror?.(new Error("Bad Request: Mcp-Session-Id header is required")),this.createJsonErrorResponse(400,-32e3,"Bad Request: Mcp-Session-Id header is required");if(r!==this.sessionId)return this.onerror?.(new Error("Session not found")),this.createJsonErrorResponse(404,-32001,"Session not found")}validateProtocolVersion(t){let r=t.headers.get("mcp-protocol-version");if(r!==null&&!Qt.includes(r))return this.onerror?.(new Error(`Bad Request: Unsupported protocol version: ${r} (supported versions: ${Qt.join(", ")})`)),this.createJsonErrorResponse(400,-32e3,`Bad Request: Unsupported protocol version: ${r} (supported versions: ${Qt.join(", ")})`)}async close(){this._streamMapping.forEach(({cleanup:t})=>{t()}),this._streamMapping.clear(),this._requestResponseMap.clear(),this.onclose?.()}closeSSEStream(t){let r=this._requestToStreamMapping.get(t);if(!r)return;let n=this._streamMapping.get(r);n&&n.cleanup()}closeStandaloneSSEStream(){let t=this._streamMapping.get(this._standaloneSseStreamId);t&&t.cleanup()}async send(t,r){let n=r?.relatedRequestId;if((ut(t)||Xr(t))&&(n=t.id),n===void 0){if(ut(t)||Xr(t))throw new Error("Cannot send a response on a standalone SSE stream unless resuming a previous client request");let s;this._eventStore&&(s=await this._eventStore.storeEvent(this._standaloneSseStreamId,t));let u=this._streamMapping.get(this._standaloneSseStreamId);if(u===void 0)return;u.controller&&u.encoder&&this.writeSSEEvent(u.controller,u.encoder,t,s);return}let a=this._requestToStreamMapping.get(n);if(!a)throw new Error(`No connection established for request ID: ${String(n)}`);let i=this._streamMapping.get(a);if(!this._enableJsonResponse&&i?.controller&&i?.encoder){let s;this._eventStore&&(s=await this._eventStore.storeEvent(a,t)),this.writeSSEEvent(i.controller,i.encoder,t,s)}if(ut(t)||Xr(t)){this._requestResponseMap.set(n,t);let s=Array.from(this._requestToStreamMapping.entries()).filter(([d,l])=>l===a).map(([d])=>d);if(s.every(d=>this._requestResponseMap.has(d))){if(!i)throw new Error(`No connection established for request ID: ${String(n)}`);if(this._enableJsonResponse&&i.resolveJson){let d={"Content-Type":"application/json"};this.sessionId!==void 0&&(d["mcp-session-id"]=this.sessionId);let l=s.map(p=>this._requestResponseMap.get(p));l.length===1?i.resolveJson(new Response(JSON.stringify(l[0]),{status:200,headers:d})):i.resolveJson(new Response(JSON.stringify(l),{status:200,headers:d}))}else i.cleanup();for(let d of s)this._requestResponseMap.delete(d),this._requestToStreamMapping.delete(d)}}}};function dd(e){return e.length>512?`${e.slice(0,512)}\u2026`:e}o(dd,"truncate");function Of(e){return"cause"in e?e.cause:void 0}o(Of,"readCause");function Ae(e,t,r){if(!(r instanceof Error)){r!=null&&(e[`${t}Message`]=dd(String(r)));return}e[`${t}Name`]=r.name,e[`${t}Message`]=dd(r.message);let n=Of(r);for(let a=1;a<=4&&n instanceof Error;a+=1){let i=a===1?"cause":`cause${a}`;e[`${i}Name`]=n.name,e[`${i}Message`]=dd(n.message),n=Of(n)}}o(Ae,"addErrorLogFields");function it(e){if(e!==void 0)try{return typeof e=="string"?new URL(e).host:e.host}catch{return}}o(it,"safeHost");function Uf(e,t){let r=Object.entries(t).filter(n=>n[1]!==void 0);r.length!==0&&e.log.setLogProperties?.(Object.fromEntries(r))}o(Uf,"setLogProperties");function ld(e,t){Uf(e,{tenantId:t.tenantId,subjectId:t.subjectId})}o(ld,"applyGatewayPrincipalLogProperties");function zf(e,t){Uf(e,{upstreamServerId:t.upstreamServerId,virtualServerId:t.virtualServerId})}o(zf,"applyGatewayRouteLogProperties");var wn={runtime:{invalid_request:{code:"invalid_request",seam:"runtime",status:400,title:"Bad Request",publicDetail:"The request did not match the route contract.",oauthError:"invalid_request"},forbidden:{code:"forbidden",seam:"runtime",status:403,title:"Forbidden",publicDetail:"The request is not allowed.",oauthError:"invalid_request"},not_found:{code:"not_found",seam:"runtime",status:404,title:"Not Found",publicDetail:"The requested resource was not found.",oauthError:"invalid_request"},internal_server_error:{code:"internal_server_error",seam:"runtime",status:500,title:"Internal Server Error",publicDetail:"The gateway failed to process the request.",oauthError:"server_error"}},config:{virtual_server_not_enabled:{code:"virtual_server_not_enabled",seam:"config",status:404,title:"Not Found",publicDetail:"The requested virtual server is not enabled."},unknown_upstream_server:{code:"unknown_upstream_server",seam:"config",status:400,title:"Bad Request",publicDetail:"The requested upstream server is not configured.",oauthError:"invalid_request"},unknown_virtual_server:{code:"unknown_virtual_server",seam:"config",status:400,title:"Bad Request",publicDetail:"The requested virtual server is not configured.",oauthError:"invalid_target"},unknown_auth_profile:{code:"unknown_auth_profile",seam:"config",status:400,title:"Bad Request",publicDetail:"The requested upstream auth profile is not configured.",oauthError:"invalid_request"},virtual_server_upstream_mismatch:{code:"virtual_server_upstream_mismatch",seam:"config",status:400,title:"Bad Request",publicDetail:"The requested virtual server does not belong to the selected upstream server.",oauthError:"invalid_request"}},downstream_auth:{authentication_required:{code:"authentication_required",seam:"downstream_auth",status:401,title:"Unauthorized",publicDetail:"Authentication is required to access this route.",oauthError:"invalid_client"},identity_context_missing:{code:"identity_context_missing",seam:"downstream_auth",status:403,title:"Forbidden",publicDetail:"Authenticated requests must include a gateway principal subject.",oauthError:"invalid_request"}},downstream_oauth:{browser_login_verification_failed:{code:"browser_login_verification_failed",seam:"downstream_oauth",status:400,title:"Connection failed",publicDetail:"The gateway could not verify the browser login response. Retry the login flow.",callbackFailure:!0,oauthError:"invalid_request"}},upstream_auth:{provider_access_denied:{code:"provider_access_denied",seam:"upstream_auth",status:400,title:"Connection failed",publicDetail:"The upstream authorization request was denied. Start the connection flow again.",callbackFailure:!0,oauthError:"invalid_request"},oauth_state_invalid:{code:"oauth_state_invalid",seam:"upstream_auth",status:400,title:"Connection failed",publicDetail:"The upstream connection request could not be verified. Start the connection flow again.",callbackFailure:!0,oauthError:"invalid_request"},oauth_state_expired:{code:"oauth_state_expired",seam:"upstream_auth",status:400,title:"Connection failed",publicDetail:"The upstream connection request expired. Start the connection flow again.",callbackFailure:!0,oauthError:"invalid_request"},oauth_state_reused:{code:"oauth_state_reused",seam:"upstream_auth",status:400,title:"Connection failed",publicDetail:"This upstream connection request was already used. Start the connection flow again.",callbackFailure:!0,oauthError:"invalid_request"},oauth_callback_mismatch:{code:"oauth_callback_mismatch",seam:"upstream_auth",status:400,title:"Connection failed",publicDetail:"The upstream callback did not match the initiating connection request.",callbackFailure:!0,oauthError:"invalid_request"},upstream_token_exchange_failed:{code:"upstream_token_exchange_failed",seam:"upstream_auth",status:400,title:"Connection failed",publicDetail:"The gateway could not complete the upstream token exchange. Retry the connection flow.",callbackFailure:!0,oauthError:"invalid_request"},upstream_client_registration_required:{code:"upstream_client_registration_required",seam:"upstream_auth",status:400,title:"Upstream OAuth client registration required",publicDetail:"The upstream authorization server supports neither gateway-hosted Client ID Metadata Documents nor Dynamic Client Registration. Register an upstream OAuth client manually before retrying.",oauthError:"invalid_request"},upstream_token_response_invalid:{code:"upstream_token_response_invalid",seam:"upstream_auth",status:400,title:"Connection failed",publicDetail:"The upstream token response was invalid. Retry the connection flow.",callbackFailure:!0,oauthError:"invalid_request"}},upstream_mcp:{upstream_capability_invocation_failed:{code:"upstream_capability_invocation_failed",seam:"upstream_mcp",status:502,title:"Bad Gateway",publicDetail:"The upstream capability invocation failed. Retry later or reconnect the upstream if the issue persists."},upstream_import_failed:{code:"upstream_import_failed",seam:"upstream_mcp",status:502,title:"Bad Gateway",publicDetail:"The upstream capability import failed. Retry later or reconnect the upstream if the issue persists."}}},Nf={...wn.runtime,...wn.config,...wn.downstream_auth,...wn.downstream_oauth,...wn.upstream_auth,...wn.upstream_mcp};function Uo(e){return typeof e=="string"&&Object.hasOwn(Nf,e)}o(Uo,"isGatewayProblemCode");function wi(e){return Uo(e)&&Fe(e).callbackFailure===!0}o(wi,"isGatewayCallbackFailureCode");function Fe(e){return Nf[e]}o(Fe,"readGatewayProblemDefinition");function pd(e){switch(e){case 400:return"invalid_request";case 401:return"authentication_required";case 403:return"forbidden";case 404:return"not_found";default:return"internal_server_error"}}o(pd,"readDefaultGatewayProblemCodeForStatus");var Df="gatewayCode";function Mf(e){let t=Fe(e);return{title:t.title,body:t.publicDetail}}o(Mf,"readGatewayCallbackFailureContent");function de(e){if(!(e instanceof _a))return;let t=e.extensionMembers?.[Df];return Uo(t)?t:void 0}o(de,"readGatewayProblemCode");function g(e,t,r){let n=typeof e=="string"?{code:e,...t===void 0?{}:{publicDetail:t,privateDetail:t},...r===void 0?{}:{cause:r}}:e,a=Fe(n.code),i=n.privateDetail??(vi(n.code)?n.publicDetail??a.publicDetail:a.publicDetail),s=mk(n);return new _a({message:i,extensionMembers:{[Df]:n.code}},s===void 0?void 0:{cause:s})}o(g,"createGatewayRuntimeError");async function Ze(e,t,r){let n=Fe(r.code),a=hk(r.code,r.detail),i=vi(r.code)?r.title??n.title:n.title,u={problem:{...Vn.getProblemFromStatus(n.status,{detail:a,instance:r.instance,type:r.type}),...r.extensions??{},status:n.status,title:i,detail:a,code:r.code}};return r.headers!==void 0&&(u.additionalHeaders=r.headers),Vn.format(u,e,t)}o(Ze,"gatewayProblemResponse");function vi(e){return Fe(e).status<500}o(vi,"canExposeGatewayProblemDetail");function mk(e){return!e.privateDetail||vi(e.code)?e.cause:e.cause===void 0?new Error(e.privateDetail):new Error(e.privateDetail,{cause:e.cause})}o(mk,"readRuntimeErrorCause");function hk(e,t){let r=Fe(e);return vi(e)&&t||r.publicDetail}o(hk,"readSafeGatewayProblemDetail");Y();var fk=["tenant_shared_oauth","user_oauth","static_secret","user_static_secret","tenant_static_secret"],gk=["none","client_secret_basic","client_secret_post"],ke=c.string().min(1).brand(),me=c.string().min(1).brand(),Pe=c.string().min(1).brand(),Tt=c.string().min(1).brand(),Ri=c.enum(fk),md=c.enum(gk),bi=c.string().trim().min(1).regex(/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/,"must be a valid HTTP header name"),hd=c.object({name:bi,value:c.string().min(1).optional(),required:c.boolean().default(!0)}).strict();var fd=new Map;function Ci(e){fd.set(e.policyType,e)}o(Ci,"registerMcpAuthorizationPolicy");function gd(e){if(e!==void 0)return fd.get(e)}o(gd,"getMcpAuthorizationPolicy");function Ii(e){return gd(e)!==void 0}o(Ii,"isRegisteredMcpAuthorizationPolicyType");function _d(){return[...fd.keys()]}o(_d,"listMcpAuthorizationPolicyTypes");Y();var Lf=ke,_k=c.object({mode:c.literal("auto")}).strict(),yk=c.object({mode:c.literal("manual"),clientId:c.string().trim().min(1),clientSecret:c.string().min(1).optional(),tokenEndpointAuthMethod:md.default("client_secret_basic")}).strict().superRefine((e,t)=>{e.tokenEndpointAuthMethod!=="none"&&!e.clientSecret&&t.addIssue({code:c.ZodIssueCode.custom,message:`${e.tokenEndpointAuthMethod} requires clientSecret`,path:["clientSecret"]})}),jf=c.discriminatedUnion("mode",[_k,yk]),Sk=jf.default({mode:"auto"}),yd=c.object({scopes:c.array(c.string().min(1)).default([]),scopeDelimiter:c.string().min(1).default(" "),clientRegistration:Sk}).strict(),qf=yd.extend({redirectPath:c.string().startsWith("/auth/connections/")}).strict(),Hf=new Set(["connection","content-length","cookie","host","proxy-authenticate","proxy-authorization","sec-websocket-key","set-cookie","te","trailer","transfer-encoding","upgrade"]),wk=new Set([...Hf,"accept","authorization","content-type","mcp-protocol-version","mcp-session-id","proxy-connection"]),vk=c.object({kind:c.literal("bearer_token"),token:c.string().min(1)}).strict(),Rk=c.object({kind:c.literal("headers"),headers:c.array(c.object({name:bi,value:c.string().min(1)}).strict()).min(1)}).strict().superRefine((e,t)=>{let r=new Set;for(let[n,a]of e.headers.entries()){let i=a.name.toLowerCase();Hf.has(i)&&t.addIssue({code:c.ZodIssueCode.custom,message:`Header ${a.name} is not allowed for static secret injection`,path:["headers",n,"name"]}),r.has(i)&&t.addIssue({code:c.ZodIssueCode.custom,message:`Duplicate static secret header ${a.name}`,path:["headers",n,"name"]}),r.add(i)}}),Sd=c.discriminatedUnion("kind",[vk,Rk]),bk=c.object({kind:c.literal("basic_auth_app_password"),usernameLabel:c.string().min(1).default("Username"),passwordLabel:c.string().min(1).default("App password")}).strict(),Ck=c.object({kind:c.literal("bearer_token"),label:c.string().min(1).default("API key"),capture:c.enum(["browser_login"]).optional()}).strict(),wd=c.discriminatedUnion("kind",[bk,Ck]),vd=c.object({kind:c.literal("bearer_token"),label:c.string().min(1).default("API key")}).strict(),Ik=c.discriminatedUnion("mode",[c.object({mode:c.literal("tenant_shared_oauth"),oauth:qf}).strict(),c.object({mode:c.literal("user_oauth"),oauth:qf}).strict(),c.object({mode:c.literal("static_secret"),secret:Sd}).strict(),c.object({mode:c.literal("user_static_secret"),secret:wd}).strict(),c.object({mode:c.literal("tenant_static_secret"),secret:vd}).strict()]),Tk=c.object({baseUrl:c.url(),resourceMetadataUrl:c.url(),requestHeaders:c.array(hd).default([])}).strict().superRefine((e,t)=>{let r=new Set;for(let[n,a]of e.requestHeaders.entries()){let i=a.name.toLowerCase();wk.has(i)&&t.addIssue({code:c.ZodIssueCode.custom,message:`Header ${a.name} is not allowed for native MCP transport request headers`,path:["requestHeaders",n,"name"]}),r.has(i)&&t.addIssue({code:c.ZodIssueCode.custom,message:`Duplicate native MCP transport request header ${a.name}`,path:["requestHeaders",n,"name"]}),r.add(i)}}),rB=c.object({displayName:c.string().min(1),description:c.string().min(1).optional(),serverInfo:Qr.optional(),authProfiles:c.record(Pe,Ik),transport:Tk}).strict().superRefine((e,t)=>{Object.keys(e.authProfiles).length===0&&t.addIssue({code:c.ZodIssueCode.custom,message:"authProfiles must contain at least one profile",path:["authProfiles"]})}),Ak=c.object({tenant_shared_oauth:yd.optional(),user_oauth:yd.optional(),static_secret:c.object({secret:Sd}).strict().optional(),user_static_secret:c.object({secret:wd}).strict().optional(),tenant_static_secret:c.object({secret:vd}).strict().optional()}).strict().superRefine((e,t)=>{Object.values(e).every(r=>r===void 0)&&t.addIssue({code:c.ZodIssueCode.custom,message:"authProfiles must contain at least one upstream auth profile"})}),$f=c.object({id:Lf,displayName:c.string().min(1),description:c.string().min(1).optional(),serverInfo:Qr.optional(),mcpUrl:c.url(),protectedResourceMetadataUrl:c.url(),requestHeaders:c.array(hd).default([]),authProfiles:Ak}).strict(),kk=c.object({name:bi,value:c.string().min(1).optional(),required:c.boolean().default(!0)}).strict(),Ti={id:Lf.optional(),displayName:c.string().min(1),summary:c.string().min(1).optional(),serverInfo:Qr.optional(),mcpUrl:c.url(),protectedResourceMetadataUrl:c.url().optional(),requestHeaders:c.array(kk).default([])},Pk=c.discriminatedUnion("authMode",[c.object({...Ti,authMode:c.enum(["tenant_shared_oauth","user_oauth"]),scopes:c.array(c.string().min(1)).default([]),scopeDelimiter:c.string().min(1).default(" "),clientRegistration:jf.optional(),clientId:c.string().trim().min(1).optional(),clientSecret:c.string().min(1).optional(),tokenEndpointAuthMethod:md.optional()}).strict(),c.object({...Ti,authMode:c.literal("static_secret"),secret:Sd}).strict(),c.object({...Ti,authMode:c.literal("user_static_secret"),secret:wd}).strict(),c.object({...Ti,authMode:c.literal("tenant_static_secret"),secret:vd}).strict()]);function Gf(e){throw g("internal_server_error",e)}o(Gf,"throwGatewayConfigError");function Ek(e){let t="mcp-upstream-";return e.startsWith(t)||Gf(`Upstream policy ${e} must use the ${t}{upstream-id} naming convention when id is omitted.`),ke.parse(e.slice(t.length))}o(Ek,"inferUpstreamConnectionIdFromPolicyName");function xk(e){let t=new URL(e),r=t.pathname==="/"?"":t.pathname;return`${t.origin}/.well-known/oauth-protected-resource${r}`}o(xk,"buildDefaultProtectedResourceMetadataUrl");function vn(e,t){return Pe.parse(`${e}:${t}`)}o(vn,"buildUpstreamAuthProfileId");function Ai(e,t){let r=$f.safeParse(e);if(r.success)return r.data;let n=Pk.parse(e),a=n.id??(t===void 0?void 0:Ek(t));a===void 0&&Gf("Upstream policy options must include id when policy name is unavailable.");let i=n.requestHeaders.map(u=>({name:u.name,value:u.value,required:u.required})),s=(()=>{switch(n.authMode){case"tenant_shared_oauth":case"user_oauth":{let u=n.clientRegistration??(n.clientId===void 0?{mode:"auto"}:{mode:"manual",clientId:n.clientId,...n.clientSecret===void 0?{}:{clientSecret:n.clientSecret},...n.tokenEndpointAuthMethod===void 0?{}:{tokenEndpointAuthMethod:n.tokenEndpointAuthMethod}});return{[n.authMode]:{scopes:n.scopes,scopeDelimiter:n.scopeDelimiter,clientRegistration:u}}}case"static_secret":case"user_static_secret":case"tenant_static_secret":return{[n.authMode]:{secret:n.secret}}}})();return $f.parse({id:a,displayName:n.displayName,...n.summary===void 0?{}:{description:n.summary},...n.serverInfo===void 0?{}:{serverInfo:n.serverInfo},mcpUrl:n.mcpUrl,protectedResourceMetadataUrl:n.protectedResourceMetadataUrl??xk(n.mcpUrl),requestHeaders:i,authProfiles:s})}o(Ai,"parseUpstreamConnectionPolicyOptions");function Bf(e){return e.mode==="tenant_shared_oauth"||e.mode==="user_oauth"}o(Bf,"isUpstreamOAuthAuthConfig");Y();var Ok=c.looseObject({name:c.string().min(1),version:c.string().min(1).optional()}),Uk=c.looseObject({}),zk=c.looseObject({name:Tt,namespace:Tt.optional(),upstreamPolicy:c.string().min(1).optional(),enabled:c.boolean().optional(),inputSchema:Uk}),Nk=c.looseObject({name:Tt,namespace:Tt.optional(),upstreamPolicy:c.string().min(1).optional(),enabled:c.boolean().optional()}),Dk=c.looseObject({name:Tt,uri:c.string().min(1),upstreamPolicy:c.string().min(1).optional(),upstreamUri:c.string().min(1).optional(),enabled:c.boolean().optional()}),Mk=c.enum(["openapi","upstream_mcp"]),qk=c.object({catalogSource:Mk.default("openapi"),serverInfo:Ok.optional(),tools:c.array(zk).default([]),prompts:c.array(Nk).default([]),resources:c.array(Dk).default([])}).strict();function Vf(e){return qk.parse(e??{})}o(Vf,"parseVirtualServerRouteOptions");function ki(e){let{enabled:t,upstreamName:r,upstreamPolicyName:n,...a}=e;return a}o(ki,"toMcpTool");function Pi(e){let{enabled:t,upstreamName:r,upstreamPolicyName:n,...a}=e;return a}o(Pi,"toMcpPrompt");function Ei(e){let{enabled:t,upstreamPolicyName:r,upstreamUri:n,...a}=e;return a}o(Ei,"toMcpResource");var $k="mcp-upstream-connection-inbound",Ff="/mcp/";function De(e){throw new Ot(e)}o(De,"throwRegistryError");function Zf(e){return e.policyType===$k}o(Zf,"isUpstreamConnectionPolicy");function Lk(e){return Ii(e.policyType)}o(Lk,"isMcpOAuthInboundPolicy");function jk(e){e.startsWith(Ff)||De(`MCP virtual server route ${e} must use a /mcp/{virtualServerId} path.`);let t=e.slice(Ff.length);return(!t||t.includes("/"))&&De(`MCP virtual server route ${e} must use exactly one /mcp/{virtualServerId} path segment.`),me.parse(t)}o(jk,"readVirtualServerIdFromPath");function Hk(e){let t=Object.keys(e.connection.authProfiles);t.length!==1&&De(`Upstream policy ${e.policyName} must declare exactly one auth mode; found ${t.length}.`);let r=t[0];return r===void 0&&De(`Upstream policy ${e.policyName} does not declare an auth mode.`),Ri.parse(r)}o(Hk,"readSingleAuthMode");function Gk(e){let t=e.connection.authProfiles[e.authMode];t||De(`Upstream connection ${e.connection.id} does not declare auth mode ${e.authMode}.`);let r=`/auth/connections/${encodeURIComponent(e.connection.id)}/callback`;switch(e.authMode){case"tenant_shared_oauth":case"user_oauth":{let n=t;return{mode:e.authMode,oauth:{scopes:n.scopes,scopeDelimiter:n.scopeDelimiter,redirectPath:r,clientRegistration:n.clientRegistration}}}case"static_secret":return{mode:"static_secret",secret:t.secret};case"user_static_secret":return{mode:"user_static_secret",secret:t.secret};case"tenant_static_secret":return{mode:"tenant_static_secret",secret:t.secret}}}o(Gk,"buildResolvedAuthConfig");function Bk(e){let t=Hk({policyName:e.policyName,connection:e.connection}),r=vn(e.connection.id,t),n=Gk({connection:e.connection,authMode:t,authProfileId:r}),a={displayName:e.connection.displayName,...e.connection.description===void 0?{}:{description:e.connection.description},...e.connection.serverInfo===void 0?{}:{serverInfo:e.connection.serverInfo},authProfiles:{[r]:n},transport:{baseUrl:e.connection.mcpUrl,resourceMetadataUrl:e.connection.protectedResourceMetadataUrl,requestHeaders:e.connection.requestHeaders}};return{policyName:e.policyName,upstreamServerId:e.connection.id,config:a,authMode:t,authProfileId:r,authConfig:n}}o(Bk,"buildRegisteredConnection");function Vk(e){let t=new Map;for(let r of e)t.has(r.name)&&De(`Duplicate policy name ${r.name} in policies.json.`),t.set(r.name,{name:r.name,policyType:r.policyType,handler:{options:r.handler.options}});return t}o(Vk,"buildPolicyMap");function Fk(e){let t=new Map,r=new Set;for(let n of e.values()){if(!Zf(n))continue;let a=Ai(n.handler.options,n.name);r.has(a.id)&&De(`Duplicate upstream MCP connection id ${a.id} in policies.json.`),r.add(a.id);let i=Bk({policyName:n.name,connection:a});t.set(n.name,i)}return t}o(Fk,"buildConnectionsByPolicyName");function Zk(e){if(typeof e.raw!="function")return;let t=e.raw();if(!(!t||typeof t.operationId!="string"||t.operationId===""))return t.operationId}o(Zk,"readOperationId");function Kf(e){let t=e.namespace===void 0?e.name:`${e.namespace}.${e.name}`;try{return Tt.parse(t)}catch{De(`MCP virtual server route ${e.routePath} declares invalid published capability name ${t}.`)}}o(Kf,"buildPublishedCapabilityName");function bd(e){if(e.authoredPolicyName!==void 0)return e.connections.find(r=>r.policyName===e.authoredPolicyName)||De(`MCP virtual server route ${e.routePath} declares capability ${e.capabilityName} for upstream policy ${e.authoredPolicyName}, but that policy is not bound to the route.`),e.authoredPolicyName;if(e.connections.length===1)return e.connections[0]?.policyName;De(`MCP virtual server route ${e.routePath} declares aggregate capability ${e.capabilityName} without upstreamPolicy.`)}o(bd,"readCapabilityUpstreamPolicy");function Rd(e){e.seen.has(e.key)&&De(`MCP virtual server route ${e.routePath} declares duplicate ${e.kind} ${e.key}.`),e.seen.add(e.key)}o(Rd,"assertUniqueCatalogKey");function Kk(e){let{namespace:t,upstreamPolicy:r,...n}=e.tool,a=Kf({name:e.tool.name,namespace:e.tool.namespace,routePath:e.routePath});return{...n,name:a,upstreamName:e.tool.name,upstreamPolicyName:bd({authoredPolicyName:r,capabilityName:a,connections:e.connections,routePath:e.routePath})}}o(Kk,"normalizeCatalogTool");function Wk(e){let{namespace:t,upstreamPolicy:r,...n}=e.prompt,a=Kf({name:e.prompt.name,namespace:e.prompt.namespace,routePath:e.routePath});return{...n,name:a,upstreamName:e.prompt.name,upstreamPolicyName:bd({authoredPolicyName:r,capabilityName:a,connections:e.connections,routePath:e.routePath})}}o(Wk,"normalizeCatalogPrompt");function Jk(e){let{upstreamPolicy:t,...r}=e.resource;return{...r,upstreamUri:e.resource.upstreamUri??e.resource.uri,upstreamPolicyName:bd({authoredPolicyName:t,capabilityName:e.resource.uri,connections:e.connections,routePath:e.routePath})}}o(Jk,"normalizeCatalogResource");function Yk(e){let t=e.catalog.catalogSource,r=e.catalog.tools.map(d=>Kk({tool:d,connections:e.connections,routePath:e.routePath})),n=e.catalog.prompts.map(d=>Wk({prompt:d,connections:e.connections,routePath:e.routePath})),a=e.catalog.resources.map(d=>Jk({resource:d,connections:e.connections,routePath:e.routePath})),i=new Set;for(let d of r)Rd({kind:"tool",key:d.name,routePath:e.routePath,seen:i});let s=new Set;for(let d of n)Rd({kind:"prompt",key:d.name,routePath:e.routePath,seen:s});let u=new Set;for(let d of a)Rd({kind:"resource",key:String(d.uri),routePath:e.routePath,seen:u});return{catalogSource:t,...e.catalog.serverInfo===void 0?{}:{serverInfo:e.catalog.serverInfo},tools:r,prompts:n,resources:a}}o(Yk,"normalizeVirtualServerCatalog");function Xk(e){let t=new Map,r=new Set;for(let n of e.routes){let a=n.policies?.inbound??[];if(a.length===0)continue;let i=a[0],s=i===void 0?void 0:e.policyByName.get(i);if(!s||!Lk(s))continue;let u=Zk(n);u||De(`MCP virtual server route ${n.path} must declare an operationId in routes.oas.json.`),r.has(u)&&De(`Duplicate MCP virtual server operationId ${u} across routes.`),r.add(u);let d=jk(n.path);t.has(d)&&De(`Duplicate MCP virtual server id ${d} across routes.`);let l=[];for(let f of a.slice(1)){let _=e.policyByName.get(f);if(!_||!Zf(_))continue;let S=e.connectionsByPolicyName.get(f);S||De(`Upstream connection policy ${f} referenced by route ${n.path} could not be resolved.`),l.push(S)}let p=Vf(n.handler.options),m=Yk({catalog:p,connections:l,routePath:n.path});m.catalogSource==="upstream_mcp"&&l.length!==1&&De(`MCP virtual server route ${n.path} uses upstream MCP catalog mode but declares ${l.length} upstream bindings; upstream MCP catalog mode requires exactly one upstream binding.`),t.set(d,{virtualServerId:d,operationId:u,routePath:n.path,handlerExport:n.handler.export,serverInfo:m.serverInfo,catalog:m,connections:l})}return t}o(Xk,"buildVirtualServers");function Wf(e){let t=Vk(e.policies),r=Fk(t),n=Xk({routes:e.routes,policyByName:t,connectionsByPolicyName:r}),a=new Map;for(let i of r.values())a.set(i.upstreamServerId,i);return{byVirtualServerId:n,connectionsById:a}}o(Wf,"buildGatewayConnectionRegistry");var xi;function Jf(e){xi=e}o(Jf,"setGatewayConnectionRegistry");function st(){if(!xi)throw g("internal_server_error","MCP gateway connection registry has not been initialized. Ensure routes.oas.json declares at least one MCP virtual server route and policies.json registers an `mcp-oauth-inbound` (or wrapper) policy.");return xi}o(st,"getGatewayConnectionRegistry");function Yf(e){let t=st().byVirtualServerId.get(e);if(!t)throw g("unknown_virtual_server",`Unknown MCP virtual server: ${e}`);return t}o(Yf,"getRegisteredVirtualServer");function zo(e){let t=st().byVirtualServerId.get(e);if(!t)throw g("unknown_virtual_server",`Unknown virtual server: ${e}`);return t}o(zo,"requireRegisteredVirtualServer");function Xf(){return xi}o(Xf,"tryGetGatewayConnectionRegistry");var Qf=new Ut("gateway-route");function eg(e,t){Qf.set(e,t)}o(eg,"setGatewayRouteContext");function No(e){return Qf.get(e)}o(No,"readGatewayRouteContext");function Rn(e){let t=No(e);if(!t)throw g("internal_server_error","Gateway route context has not been set");return t}o(Rn,"requireGatewayRouteContext");var Or="2025-06-18";var Qk=new Set(["localhost","::1"]);function ct(e){return e.replace(/^\[(.*)\]$/,"$1").replace(/\.+$/,"").toLowerCase()}o(ct,"normalizeHostname");function Le(e){let t=ct(e.hostname);return e.protocol==="http:"&&(Qk.has(t)||/^127(?:\.\d{1,3}){3}$/.test(t))}o(Le,"isLoopbackHttpUrl");function re(e){return new URL(e).origin}o(re,"readGatewayRequestOrigin");import{metrics as eP,context as Oi,propagation as rg,SpanKind as ng,SpanStatusCode as Cd,trace as Do}from"@opentelemetry/api";var tP="mcp-gateway",rP="mcp-gateway",nP=Or,oP="2.0",og=Do.getTracer(tP),Id=eP.getMeter(rP),aP=Id.createHistogram("mcp.client.operation.duration",{description:"The duration of the MCP request or notification as observed on the sender.",unit:"s"}),iP=Id.createHistogram("mcp.server.operation.duration",{description:"MCP request or notification duration as observed on the receiver.",unit:"s"}),sP=Id.createHistogram("mcp.client.session.duration",{description:"The duration of the MCP session as observed on the MCP client.",unit:"s"}),cP=["traceparent","tracestate","baggage"];function Td(){return performance.now()/1e3}o(Td,"nowSeconds");function ag(e,t){t(Math.max(Td()-e,0))}o(ag,"recordDurationSeconds");function tg(e){return e===void 0?void 0:String(e)}o(tg,"stringifyAttribute");function Ee(e,t,r){r!==void 0&&(e[t]=r)}o(Ee,"assignAttribute");function uP(e){if(e.capabilityType==="tool"||e.capabilityType==="prompt")return e.capabilityName}o(uP,"readTargetName");function ig(e){let t=uP({kind:"client",...e});return t?`${e.methodName} ${t}`:e.methodName}o(ig,"buildMcpOperationSpanName");function Ad(e){let t={"mcp.method.name":e.methodName};return Ee(t,"jsonrpc.protocol.version",e.jsonRpcProtocolVersion??oP),Ee(t,"jsonrpc.request.id",tg(e.jsonRpcRequestId)),Ee(t,"mcp.protocol.version",e.mcpProtocolVersion??nP),Ee(t,"mcp.session.id",e.mcpSessionId),Ee(t,"mcp.resource.uri",e.resourceUri),Ee(t,"rpc.response.status_code",tg(e.rpcResponseStatusCode)),Ee(t,"error.type",e.errorType),e.capabilityType==="tool"&&(Ee(t,"gen_ai.operation.name","execute_tool"),Ee(t,"gen_ai.tool.name",e.capabilityName)),e.capabilityType==="prompt"&&Ee(t,"gen_ai.prompt.name",e.capabilityName),Ee(t,"network.protocol.name",e.networkProtocolName?.toLowerCase()),Ee(t,"network.protocol.version",e.networkProtocolVersion),Ee(t,"network.transport",e.networkTransport),Ee(t,"server.address",e.serverAddress),Ee(t,"server.port",e.serverPort),Ee(t,"client.address",e.clientAddress),Ee(t,"client.port",e.clientPort),t}o(Ad,"buildMcpOperationAttributes");function dP(e){let t=Ad({methodName:"initialize",...e});return delete t["mcp.method.name"],t}o(dP,"buildMcpSessionAttributes");function sg(e,t,r){e.setAttribute("error.type",r),e.setStatus({code:Cd.ERROR}),t instanceof Error&&e.recordException(t)}o(sg,"setSpanError");function cg(e){let t=e?.code;return typeof t=="string"||typeof t=="number"?String(t):e instanceof Error?e.name:"_OTHER"}o(cg,"readErrorType");function lP(e){let t=e&&typeof e=="object"?e._meta:void 0;return!t||typeof t!="object"?Oi.active():rg.extract(Oi.active(),t,{get(r,n){let a=r[n];return typeof a=="string"?a:void 0},keys(r){return Object.keys(r)}})}o(lP,"readServerParentContext");function pP(e){let t=Do.getSpanContext(Oi.active()),r=Do.getSpanContext(e);if(!(!t||!Do.isSpanContextValid(t))&&!(r&&Do.isSpanContextValid(r)&&t.traceId===r.traceId&&t.spanId===r.spanId))return[{context:t}]}o(pP,"readAmbientSpanLink");function ug(e){return e&&typeof e=="object"&&e.isError===!0?"tool_error":void 0}o(ug,"readResultErrorType");async function Ur(e,t){let r=Td(),n=Ad({kind:"client",networkProtocolName:"http",networkTransport:"tcp",...e});return og.startActiveSpan(ig(e),{kind:ng.CLIENT,attributes:n},async a=>{try{let i=await t(),s=ug(i);return s&&(a.setAttribute("error.type",s),a.setStatus({code:Cd.ERROR}),n["error.type"]=s),i}catch(i){let s=e.errorType??cg(i);throw n["error.type"]=s,sg(a,i,s),i}finally{ag(r,i=>{aP.record(i,n)}),a.end()}})}o(Ur,"runMcpClientOperation");async function zr(e,t){let r=Td(),n=lP(e.params),a=Ad({kind:"server",networkProtocolName:"http",networkTransport:"tcp",...e}),i=pP(n);return og.startActiveSpan(ig(e),{kind:ng.SERVER,attributes:a,...i?{links:i}:{}},n,async s=>{try{let u=await t(),d=ug(u);return d&&(s.setAttribute("error.type",d),s.setStatus({code:Cd.ERROR}),a["error.type"]=d),u}catch(u){let d=e.errorType??cg(u);throw a["error.type"]=d,sg(s,u,d),u}finally{ag(r,u=>{iP.record(u,a)}),s.end()}})}o(zr,"runMcpServerOperation");function dg(e){let t={...e??{},_meta:{...e?._meta&&typeof e._meta=="object"?e._meta:{}}};return rg.inject(Oi.active(),t._meta,{set(r,n,a){cP.includes(n)&&(r[n]=a)}}),t}o(dg,"injectMcpTraceContextIntoParams");function lg(e,t){let r=dP({kind:"client",networkProtocolName:"http",networkTransport:"tcp",...e});sP.record(Math.max(t,0),r)}o(lg,"recordMcpClientSessionDuration");var kd=new Ut("route-upstream-bindings");function mP(e){let t=kd.get(e);if(t)return t;let r={bindings:[]};return kd.set(e,r),r}o(mP,"readOrCreateRouteUpstreamBindingRegistry");function pg(e){return`${e.upstreamServerId}:${e.authProfileId}`}o(pg,"buildRouteBindingDuplicateKey");function Pd(e,t){let r=mP(e),n=pg(t);if(r.bindings.find(i=>pg(i)===n)!==void 0)throw g("internal_server_error",`Route declares duplicate upstream binding ${t.upstreamServerId} + ${t.authProfileId}.`);r.bindings.push(t)}o(Pd,"appendResolvedUpstreamBindingContext");function mg(e){return kd.get(e)?.bindings??[]}o(mg,"readResolvedUpstreamBindingContexts");Y();var V=c.string().datetime({offset:!0}).brand();function O(e){return V.parse(e.toISOString())}o(O,"toIsoTimestamp");function ft(e,t){return new Date(e.getTime()+t*1e3)}o(ft,"addSeconds");Y();var bn=c.string().trim().min(1),Mo={accessTokenTtlSeconds:900,refreshTokenTtlSeconds:2592e3,cimdEnabled:!0},hP=c.object({issuer:c.url(),jwksUrl:c.url(),audience:bn}),fP=c.object({url:c.url(),tokenUrl:c.url().optional(),clientId:bn.optional(),clientSecret:bn.optional(),scope:bn.default("openid profile email"),audience:bn.optional(),remoteTimeoutMs:c.coerce.number().int().positive().default(1e4),stateTtlSeconds:c.coerce.number().int().positive().default(900),sessionTtlSeconds:c.coerce.number().int().positive().default(28800)}).strict(),gP=c.object({accessTokenTtlSeconds:c.coerce.number().int().positive().default(Mo.accessTokenTtlSeconds),refreshTokenTtlSeconds:c.coerce.number().int().positive().default(Mo.refreshTokenTtlSeconds),cimdEnabled:c.boolean().default(Mo.cimdEnabled)}).strict().default(Mo),_P=c.object({oidc:hP,browserLogin:fP,gateway:gP.optional().default(Mo),devTenantId:bn.optional()}).strict();function hg(e){return yP(e.browserLogin.url)?"local_dev":"federated_oidc"}o(hg,"readBrowserLoginKind");function yP(e){let t;try{t=new URL(e)}catch{return!1}return Le(t)&&t.pathname==="/oauth/dev-login"}o(yP,"isLoopbackDevLoginUrl");function Ui(e){return _P.parse(e)}o(Ui,"parseMcpOAuthRuntimeConfig");var Ed;function fg(e){Ed=e}o(fg,"setGatewayOAuthConfig");function ve(){if(!Ed)throw g("internal_server_error","MCP gateway OAuth config has not been initialized. An `mcp-oauth-inbound` policy (or a provider-specific wrapper such as `mcp-auth0-oauth-inbound`) must be registered in policies.json so the gateway can derive its OAuth runtime configuration from policy options.");return Ed}o(ve,"getGatewayOAuthConfig");function gt(e){return re(e)}o(gt,"readGatewayOAuthIssuer");Y();var SP=43,wP=128,vP=/^[A-Za-z0-9._~-]+$/,xd="S256",Cn=c.literal(xd),zi=c.string().min(SP).max(wP).regex(vP);Y();var Ni=["none","client_secret_post","client_secret_basic"],RP=[...Ni,"private_key_jwt"],bP=["awaiting_login","awaiting_setup"],CP=c.string().min(1).brand(),IP=c.string().min(1).brand(),le=c.string().min(1).brand(),_t=c.uuid().brand(),je=c.uuid().brand(),Di=c.uuid().brand(),qo=c.enum(Ni),TP=c.enum(RP),Od=c.enum(bP),gg=c.object({client_id:le,client_name:c.string().min(1),redirect_uris:c.array(c.string().min(1)).min(1),token_endpoint_auth_method:TP.default("none")}),$o=c.object({clientId:le,clientName:c.string().min(1),redirectUris:c.array(c.string().min(1)),tokenEndpointAuthMethod:qo,hashedClientSecret:c.string().optional(),clientSecretExpiresAt:V.optional(),clientExpiresAt:V,revokedAt:V.optional(),createdAt:V}),Ud=c.object({clientId:le,resource:c.string(),virtualServerId:me,tenantId:CP,subjectId:IP,scope:c.string(),roles:c.array(c.string()),createdAt:V,expiresAt:V}),_g=Ud.extend({id:je,redirectUri:c.string(),clientState:c.string().optional(),codeChallenge:c.string(),codeChallengeMethod:Cn}),Lo=Ud.extend({id:_t,currentRefreshTokenHash:c.string().optional(),previousRefreshTokenHash:c.string().optional(),revokedAt:V.optional(),revokedReason:c.string().optional()}),In=Ud.extend({tokenHash:c.string(),grantId:_t,revokedAt:V.optional()});function zd(){return je.parse(crypto.randomUUID())}o(zd,"createDownstreamAuthorizationTransactionId");function Nd(){return Di.parse(crypto.randomUUID())}o(Nd,"createDownstreamBrowserLoginStateId");function Dd(){return _t.parse(crypto.randomUUID())}o(Dd,"createDownstreamGrantId");var ce="mcp:tools";function qi(e,t){if(e===t)return!0;let r=new URL(e),n=new URL(t);return Le(r)&&Le(n)&&ct(r.hostname)===ct(n.hostname)&&r.pathname===n.pathname&&r.search===n.search}o(qi,"redirectUriMatchesRegistration");function yg(e){return Le(e)&&e.pathname==="/oauth/dev-login"}o(yg,"isLoopbackDevLoginUrl");function Mi(e,t){return new URL(e,gt(t)).toString()}o(Mi,"buildGatewayOAuthUrl");function Md(e){return new URL(`/mcp/${encodeURIComponent(e.virtualServerId)}`,re(e.requestUrl)).toString()}o(Md,"buildScopedAuthorizationServerIssuer");function AP(e){return new URL(`/oauth/authorize/mcp/${encodeURIComponent(e.virtualServerId)}`,re(e.requestUrl)).toString()}o(AP,"buildScopedAuthorizationEndpoint");function qd(e){let t=ve();return{issuer:gt(e),authorization_endpoint:Mi("/oauth/authorize",e),token_endpoint:Mi("/oauth/token",e),registration_endpoint:Mi("/oauth/register",e),revocation_endpoint:Mi("/oauth/revoke",e),response_types_supported:["code"],response_modes_supported:["query"],grant_types_supported:["authorization_code","refresh_token"],scopes_supported:[ce],code_challenge_methods_supported:[xd],token_endpoint_auth_methods_supported:Ni,revocation_endpoint_auth_methods_supported:["client_secret_basic","client_secret_post","none"],client_id_metadata_document_supported:t.gateway.cimdEnabled,"x-zuplo-browser-login-kind":hg(t)}}o(qd,"buildAuthorizationServerMetadata");function Sg(e){let t=Md(e);return{...qd(e.requestUrl),issuer:t,authorization_endpoint:AP(e)}}o(Sg,"buildScopedAuthorizationServerMetadata");async function wg(e,t){try{let r=me.parse(e.params.virtualServerId),n=zo(r);return Response.json(kP(n.virtualServerId,e.url))}catch(r){let n=de(r);return Ze(e,t,{code:n==="unknown_virtual_server"?n:"not_found",detail:(r instanceof Error?r.message:void 0)??"The requested protected resource metadata document was not found."})}}o(wg,"protectedResourceMetadataHandler");function kP(e,t){return{resource:Nr(e,t),resource_name:e,authorization_servers:[Md({virtualServerId:e,requestUrl:t})],bearer_methods_supported:["header"],scopes_supported:[ce],mcp_protocol_version:Or}}o(kP,"buildProtectedResourceMetadataResponseBody");function Nr(e,t){return new URL(`/mcp/${encodeURIComponent(e)}`,re(t)).toString()}o(Nr,"buildCanonicalMcpResourceForVirtualServer");function vg(e,t){return new URL(`/.well-known/oauth-protected-resource/mcp/${encodeURIComponent(e)}`,re(t)).toString()}o(vg,"buildProtectedResourceMetadataUrlForVirtualServer");import{base64url as $d}from"jose";var PP="sha256:",EP=32;function Rg(e){let t=new ArrayBuffer(e.byteLength);return new Uint8Array(t).set(e),t}o(Rg,"copyToArrayBuffer");function xP(e,t){if(e.length!==t.length)return!1;let r=0;for(let n=0;n<e.length;n++)r|=e.charCodeAt(n)^t.charCodeAt(n);return r===0}o(xP,"constantTimeEqual");function Ke(){let e=crypto.getRandomValues(new Uint8Array(EP));return $d.encode(e)}o(Ke,"createOpaqueToken");async function F(e){let t=await crypto.subtle.digest("SHA-256",Rg(new TextEncoder().encode(e)));return`${PP}${$d.encode(new Uint8Array(t))}`}o(F,"hashOpaqueValue");async function bg(e){let t=await F(e.value);return xP(t,e.expectedHash)}o(bg,"verifyOpaqueValue");async function Ld(e){let t=await crypto.subtle.digest("SHA-256",Rg(new TextEncoder().encode(e)));return $d.encode(new Uint8Array(t))}o(Ld,"calculatePkceS256Challenge");Y();var OP=c.record(c.string(),c.unknown()),Cg=c.string().min(1),UP=c.union([Cg.transform(e=>[e]),c.array(Cg)]),ue=c.string().min(1).brand(),X=c.string().min(1).brand(),zP=["zuploSubjectId","zuplo_subject_id","gatewaySubjectId","gateway_subject_id","subjectId","subject_id","https://zuplo.com/subject_id"],NP=["https://zuplo.com/roles","roles","role","permissions","groups"],DP=ue.parse("zuplo-poc"),Ig=new Ut("gateway-principal");function MP(e){let t=OP.safeParse(e);return t.success?t.data:{}}o(MP,"toClaimRecord");function qP(e){return e.issues[0]?.message??"Gateway principal is invalid"}o(qP,"readValidationFailureDetail");function $P(e,t,r){for(let i of zP){let s=X.safeParse(t[i]);if(s.success)return s.data}let n=X.safeParse(e?.sub);if(!n.success)throw g("identity_context_missing",qP(n.error));let a=typeof t.iss=="string"?t.iss:void 0;return!a||a===gt(r)?n.data:X.parse(`${a}|${n.data}`)}o($P,"readNormalizedSubjectId");function LP(e){let t=new Set;for(let r of NP){let n=UP.safeParse(e[r]);if(n.success)for(let a of n.data)t.add(a)}return t.size>0?[...t]:void 0}o(LP,"readRoles");function Tn(e,t){let r=MP(e?.data),n={subjectId:$P(e,r,t),tenantId:DP},a=LP(r);return a&&(n.roles=a),n}o(Tn,"parseGatewayPrincipal");function Tg(e){let t=Hd(e);if(!t)throw g("identity_context_missing","Gateway principal has not been hydrated");return t}o(Tg,"requireGatewayPrincipal");function Ag(e,t){Ig.set(e,t)}o(Ag,"setGatewayPrincipal");function Hd(e){return Ig.get(e)}o(Hd,"readGatewayPrincipal");function An(e){let r=['realm="OAuth"',`resource_metadata="${jd(vg(e.virtualServerId,e.requestUrl))}"`];return e.error!==void 0&&r.push(`error="${e.error}"`),e.errorDescription!==void 0&&r.push(`error_description="${jd(e.errorDescription)}"`),e.scope!==void 0&&r.push(`scope="${jd(e.scope)}"`),`Bearer ${r.join(", ")}`}o(An,"buildGatewayBearerChallenge");function jd(e){let t="";for(let r=0;r<e.length;r+=1){let n=e.charCodeAt(r);n<=31||n===127||(t+=e[r])}return t.replaceAll("\\","\\\\").replaceAll('"','\\"')}o(jd,"sanitizeQuotedHeaderParameter");Y();var Gd=c.string().trim().min(1),jP=c.object({TOKEN_ENCRYPTION_KEY:Gd,OAUTH_STATE_SIGNING_KEY:Gd,TEST_ONLY_DO_NOT_USE_DB_CONNECTION_STRING:Gd.optional()}),HP=["TOKEN_ENCRYPTION_KEY","OAUTH_STATE_SIGNING_KEY","TEST_ONLY_DO_NOT_USE_DB_CONNECTION_STRING"];function GP(e){let t=Ns[e];return typeof t=="string"?t:void 0}o(GP,"readEnvValue");function BP(){let e={};for(let t of HP){let r=GP(t);r!==void 0&&(e[t]=r)}return e}o(BP,"readRawEnv");var Bd;function VP(e){return e.issues.map(t=>`- ${t.path.length>0?t.path.map(String).join("."):"environment"}: ${t.message}`)}o(VP,"formatZodIssues");function FP(e){return new Ot(["Invalid MCP gateway environment configuration.","Validation failed for these environment variables:",...VP(e)].join(`
44
+ `),{cause:e})}o(FP,"createEnvValidationError");function ZP(e){let t=jP.safeParse(e);if(!t.success)throw FP(t.error);return t.data}o(ZP,"parseGatewayEnv");function KP(){return Bd||(Bd=ZP(BP())),Bd}o(KP,"readEnv");function $i(){return KP()}o($i,"getEnv");Y();Y();function WP(e){if(e instanceof Date)return e;let t=new Date(e);if(Number.isNaN(t.getTime()))throw new Error("Expected a valid timestamp",{cause:new Error(`received: ${String(e)}`)});return t}o(WP,"parseDate");function pr(e,t){if(typeof e!="string")return e;try{return JSON.parse(e)}catch(r){throw new Error(`Persisted ${t} must be valid JSON`,{cause:r})}}o(pr,"parseJsonValue");function Vd(e,t){return c.array(c.string()).parse(pr(e,t))}o(Vd,"parseStringArray");var ie=c.union([c.date(),c.string()]).transform(e=>WP(e));var JP=c.object({current_state_hash:c.string(),phase:Od,consumed_at:ie.nullable(),expires_at:ie}),YP=c.object({id:_t,revoked_at:ie.nullable().optional(),expires_at:ie,matched:c.enum(["current","previous"])}),XP=c.object({id:_t,matched:c.literal("current")}),QP=c.object({client_id:le,client_name:c.string(),redirect_uris:c.unknown(),token_endpoint_auth_method:qo,hashed_client_secret:c.string().nullable(),client_secret_expires_at:ie.nullable(),client_expires_at:ie,revoked_at:ie.nullable(),created_at:ie}).transform(e=>{let t={clientId:e.client_id,clientName:e.client_name,redirectUris:Vd(e.redirect_uris,"redirect_uris"),tokenEndpointAuthMethod:e.token_endpoint_auth_method,createdAt:O(e.created_at),clientExpiresAt:O(e.client_expires_at)};return e.hashed_client_secret&&(t.hashedClientSecret=e.hashed_client_secret),e.client_secret_expires_at&&(t.clientSecretExpiresAt=O(e.client_secret_expires_at)),e.revoked_at&&(t.revokedAt=O(e.revoked_at)),$o.parse(t)}),Fd=c.object({id:je,current_state_hash:c.string(),phase:Od,principal_subject_id:X.nullable(),principal_tenant_id:ue.nullable(),principal_roles:c.unknown().nullable(),client_id:le,redirect_uri:c.string(),resource:c.string(),virtual_server_id:me,client_state:c.string().nullable(),scope:c.string(),code_challenge:c.string(),code_challenge_method:Cn,created_at:ie,expires_at:ie,consumed_at:ie.nullable()}).transform(e=>{let t={id:e.id,currentStateHash:e.current_state_hash,clientId:e.client_id,redirectUri:e.redirect_uri,resource:e.resource,virtualServerId:e.virtual_server_id,scope:e.scope,codeChallenge:e.code_challenge,codeChallengeMethod:e.code_challenge_method,createdAt:O(e.created_at),expiresAt:O(e.expires_at)};if(e.client_state&&(t.clientState=e.client_state),e.consumed_at&&(t.consumedAt=O(e.consumed_at)),e.phase==="awaiting_login")return{...t,phase:"awaiting_login"};if(!e.principal_subject_id||!e.principal_tenant_id)throw new Error("Awaiting-setup pending authorization row is missing principal.");return{...t,phase:"awaiting_setup",principal:{subjectId:e.principal_subject_id,tenantId:e.principal_tenant_id,...e.principal_roles===null?{}:{roles:c.array(c.string()).parse(pr(e.principal_roles,"principal_roles"))}}}}),eE=c.object({id:je});function Pg(e){return{clientId:e.client_id,resource:e.resource,virtualServerId:e.virtual_server_id,tenantId:e.tenant_id,subjectId:e.subject_id,scope:e.scope,roles:Vd(e.roles,"roles"),createdAt:O(e.created_at),expiresAt:O(e.expires_at)}}o(Pg,"downstreamGrantAccessFields");var kg=c.object({id:_t,client_id:le,resource:c.string(),virtual_server_id:me,tenant_id:ue,subject_id:X,scope:c.string(),roles:c.unknown(),current_refresh_token_hash:c.string().nullable(),previous_refresh_token_hash:c.string().nullable(),created_at:ie,expires_at:ie,revoked_at:ie.nullable(),revoked_reason:c.string().nullable()}).transform(e=>{let t={id:e.id,...Pg(e)};return e.current_refresh_token_hash&&(t.currentRefreshTokenHash=e.current_refresh_token_hash),e.previous_refresh_token_hash&&(t.previousRefreshTokenHash=e.previous_refresh_token_hash),e.revoked_at&&(t.revokedAt=O(e.revoked_at)),e.revoked_reason&&(t.revokedReason=e.revoked_reason),Lo.parse(t)}),tE=c.object({token_hash:c.string(),grant_id:_t,client_id:le,resource:c.string(),virtual_server_id:me,tenant_id:ue,subject_id:X,scope:c.string(),roles:c.unknown(),created_at:ie,expires_at:ie,revoked_at:ie.nullable()}).transform(e=>{let t={tokenHash:e.token_hash,grantId:e.grant_id,...Pg(e)};return e.revoked_at&&(t.revokedAt=O(e.revoked_at)),In.parse(t)});function Eg(e){return[e.clientId,e.redirectUri,e.resource,e.virtualServerId,e.tenantId,e.subjectId,e.scope,JSON.stringify(e.roles),e.codeChallenge,e.codeChallengeMethod,new Date(e.createdAt),new Date(e.expiresAt)]}o(Eg,"authorizationTransactionValues");function rE(e,t){let r=_g.parse(t);return e.query(`INSERT INTO downstream_oauth_authorization_transactions (
45
45
  id, client_id, redirect_uri, resource, virtual_server_id, tenant_id,
46
46
  subject_id, scope, roles, code_challenge, code_challenge_method,
47
47
  created_at, expires_at
48
- ) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9::jsonb, $10, $11, $12, $13)`,[r.id,...sg(r)])}o(nP,"insertAuthorizationTransaction");function oP(e,t){return e.query(`INSERT INTO downstream_oauth_authorization_codes (
48
+ ) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9::jsonb, $10, $11, $12, $13)`,[r.id,...Eg(r)])}o(rE,"insertAuthorizationTransaction");function nE(e,t){return e.query(`INSERT INTO downstream_oauth_authorization_codes (
49
49
  code_hash, transaction_id, grant_id, client_id, redirect_uri, resource,
50
50
  virtual_server_id, tenant_id, subject_id, scope, roles,
51
51
  code_challenge, code_challenge_method, created_at, expires_at
52
- ) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11::jsonb, $12, $13, $14, $15)`,[t.codeHash,t.id,t.grantId,...sg(t)])}o(oP,"insertAuthorizationCode");function aP(e,t){return e&&!e.revokedAt?new Date(e.expiresAt).getTime()<=t.getTime()?{kind:"expired"}:void 0:{kind:"revoked"}}o(aP,"accessTokenGrantValidationFailure");var Ts=class{constructor(t){this.db=t}static{o(this,"PostgresDownstreamOAuthRepository")}async readPendingAuthorizationStatus(t){return u.array(YA).parse(await this.db.query(`SELECT current_state_hash, phase, consumed_at, expires_at
52
+ ) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11::jsonb, $12, $13, $14, $15)`,[t.codeHash,t.id,t.grantId,...Eg(t)])}o(nE,"insertAuthorizationCode");function oE(e,t){return e&&!e.revokedAt?new Date(e.expiresAt).getTime()<=t.getTime()?{kind:"expired"}:void 0:{kind:"revoked"}}o(oE,"accessTokenGrantValidationFailure");var Li=class{constructor(t){this.db=t}static{o(this,"PostgresDownstreamOAuthRepository")}async readPendingAuthorizationStatus(t){return c.array(JP).parse(await this.db.query(`SELECT current_state_hash, phase, consumed_at, expires_at
53
53
  FROM downstream_oauth_pending_authorization_transactions
54
54
  WHERE id = $1
55
- LIMIT 1`,[t]))[0]}async readPendingAuthorizationAdvanceFailure(t){let r=await this.readPendingAuthorizationStatus(t.id);return r?r.consumed_at?{kind:"consumed"}:new Date(r.expires_at).getTime()<=t.now.getTime()?{kind:"expired"}:r.current_state_hash!==t.currentStateHash?{kind:"stale_hash"}:r.phase!==t.expectedPhase?{kind:"wrong_phase",current:r.phase}:{kind:"stale_hash"}:{kind:"missing"}}async readPendingAuthorizationConsumeFailure(t){let r=await this.readPendingAuthorizationStatus(t.id);return r?r.consumed_at?{kind:"consumed_already"}:new Date(r.expires_at).getTime()<=t.now.getTime()?{kind:"expired"}:r.current_state_hash!==t.currentStateHash?{kind:"stale_hash"}:{kind:"stale_hash"}:{kind:"missing"}}async getDcrClient(t){return u.array(eP).parse(await this.db.query(`SELECT
55
+ LIMIT 1`,[t]))[0]}async readPendingAuthorizationAdvanceFailure(t){let r=await this.readPendingAuthorizationStatus(t.id);return r?r.consumed_at?{kind:"consumed"}:new Date(r.expires_at).getTime()<=t.now.getTime()?{kind:"expired"}:r.current_state_hash!==t.currentStateHash?{kind:"stale_hash"}:r.phase!==t.expectedPhase?{kind:"wrong_phase",current:r.phase}:{kind:"stale_hash"}:{kind:"missing"}}async readPendingAuthorizationConsumeFailure(t){let r=await this.readPendingAuthorizationStatus(t.id);return r?r.consumed_at?{kind:"consumed_already"}:new Date(r.expires_at).getTime()<=t.now.getTime()?{kind:"expired"}:r.current_state_hash!==t.currentStateHash?{kind:"stale_hash"}:{kind:"stale_hash"}:{kind:"missing"}}async getDcrClient(t){return c.array(QP).parse(await this.db.query(`SELECT
56
56
  client_id,
57
57
  client_name,
58
58
  redirect_uris,
@@ -76,14 +76,14 @@ data:
76
76
  client_expires_at,
77
77
  revoked_at,
78
78
  created_at
79
- ) VALUES ($1, $2, $3::jsonb, $4, $5, $6, $7, $8, $9)`,[t.clientId,t.clientName,JSON.stringify(t.redirectUris),t.tokenEndpointAuthMethod,t.hashedClientSecret??null,t.clientSecretExpiresAt?new Date(t.clientSecretExpiresAt):null,new Date(t.clientExpiresAt),t.revokedAt?new Date(t.revokedAt):null,new Date(t.createdAt)])}async savePendingAuthorizationTransaction(t){return u.array(tP).parse(await this.db.query(`INSERT INTO downstream_oauth_pending_authorization_transactions (
79
+ ) VALUES ($1, $2, $3::jsonb, $4, $5, $6, $7, $8, $9)`,[t.clientId,t.clientName,JSON.stringify(t.redirectUris),t.tokenEndpointAuthMethod,t.hashedClientSecret??null,t.clientSecretExpiresAt?new Date(t.clientSecretExpiresAt):null,new Date(t.clientExpiresAt),t.revokedAt?new Date(t.revokedAt):null,new Date(t.createdAt)])}async savePendingAuthorizationTransaction(t){return c.array(eE).parse(await this.db.query(`INSERT INTO downstream_oauth_pending_authorization_transactions (
80
80
  id, current_state_hash, phase, principal_subject_id,
81
81
  principal_tenant_id, principal_roles, client_id, redirect_uri,
82
82
  resource, virtual_server_id, client_state, scope, code_challenge,
83
83
  code_challenge_method, created_at, expires_at, consumed_at
84
84
  ) VALUES ($1, $2, $3, $4, $5, $6::jsonb, $7, $8, $9, $10, $11, $12, $13, $14, $15, $16, $17)
85
85
  ON CONFLICT (id) DO NOTHING
86
- RETURNING id`,[t.id,t.currentStateHash,t.phase,t.phase==="awaiting_setup"?t.principal.subjectId:null,t.phase==="awaiting_setup"?t.principal.tenantId:null,t.phase==="awaiting_setup"&&t.principal.roles!==void 0?JSON.stringify(t.principal.roles):null,t.clientId,t.redirectUri,t.resource,t.virtualServerId,t.clientState??null,t.scope,t.codeChallenge,t.codeChallengeMethod,new Date(t.createdAt),new Date(t.expiresAt),t.consumedAt?new Date(t.consumedAt):null])).length>0?{kind:"saved"}:{kind:"already_exists"}}async advancePendingAuthorizationTransaction(t){let n=u.array(Pd).parse(await this.db.query(`UPDATE downstream_oauth_pending_authorization_transactions
86
+ RETURNING id`,[t.id,t.currentStateHash,t.phase,t.phase==="awaiting_setup"?t.principal.subjectId:null,t.phase==="awaiting_setup"?t.principal.tenantId:null,t.phase==="awaiting_setup"&&t.principal.roles!==void 0?JSON.stringify(t.principal.roles):null,t.clientId,t.redirectUri,t.resource,t.virtualServerId,t.clientState??null,t.scope,t.codeChallenge,t.codeChallengeMethod,new Date(t.createdAt),new Date(t.expiresAt),t.consumedAt?new Date(t.consumedAt):null])).length>0?{kind:"saved"}:{kind:"already_exists"}}async advancePendingAuthorizationTransaction(t){let n=c.array(Fd).parse(await this.db.query(`UPDATE downstream_oauth_pending_authorization_transactions
87
87
  SET current_state_hash = $4,
88
88
  phase = $5,
89
89
  principal_subject_id = $6,
@@ -94,19 +94,19 @@ data:
94
94
  AND phase = $3
95
95
  AND consumed_at IS NULL
96
96
  AND expires_at > $9
97
- RETURNING *`,[t.id,t.currentStateHash,t.expectedPhase,t.nextStateHash,t.nextPhase,t.principal.subjectId,t.principal.tenantId,t.principal.roles===void 0?null:JSON.stringify(t.principal.roles),t.now]))[0];return n?{kind:"advanced",record:n}:this.readPendingAuthorizationAdvanceFailure(t)}async getPendingAuthorizationTransaction(t){let n=u.array(Pd).parse(await this.db.query(`SELECT *
97
+ RETURNING *`,[t.id,t.currentStateHash,t.expectedPhase,t.nextStateHash,t.nextPhase,t.principal.subjectId,t.principal.tenantId,t.principal.roles===void 0?null:JSON.stringify(t.principal.roles),t.now]))[0];return n?{kind:"advanced",record:n}:this.readPendingAuthorizationAdvanceFailure(t)}async getPendingAuthorizationTransaction(t){let n=c.array(Fd).parse(await this.db.query(`SELECT *
98
98
  FROM downstream_oauth_pending_authorization_transactions
99
99
  WHERE id = $1
100
- LIMIT 1`,[t.id]))[0];return n?n.consumedAt?{kind:"consumed"}:new Date(n.expiresAt).getTime()<=t.now.getTime()?{kind:"expired"}:n.currentStateHash!==t.currentStateHash?{kind:"stale_hash"}:{kind:"available",record:n}:{kind:"missing"}}async consumePendingAuthorizationTransaction(t){let n=u.array(Pd).parse(await this.db.query(`UPDATE downstream_oauth_pending_authorization_transactions
100
+ LIMIT 1`,[t.id]))[0];return n?n.consumedAt?{kind:"consumed"}:new Date(n.expiresAt).getTime()<=t.now.getTime()?{kind:"expired"}:n.currentStateHash!==t.currentStateHash?{kind:"stale_hash"}:{kind:"available",record:n}:{kind:"missing"}}async consumePendingAuthorizationTransaction(t){let n=c.array(Fd).parse(await this.db.query(`UPDATE downstream_oauth_pending_authorization_transactions
101
101
  SET consumed_at = $3
102
102
  WHERE id = $1
103
103
  AND current_state_hash = $2
104
104
  AND consumed_at IS NULL
105
105
  AND expires_at > $3
106
- RETURNING *`,[t.id,t.currentStateHash,t.now]))[0];return n?{kind:"consumed",record:n}:this.readPendingAuthorizationConsumeFailure(t)}async issueAuthorizationCode(t){await this.db.transaction(r=>[nP(r,t),oP(r,t)])}async exchangeAuthorizationCode(t){let n=u.array(u.object({redirect_uri:u.string()})).parse(await this.db.query(`SELECT redirect_uri
106
+ RETURNING *`,[t.id,t.currentStateHash,t.now]))[0];return n?{kind:"consumed",record:n}:this.readPendingAuthorizationConsumeFailure(t)}async issueAuthorizationCode(t){await this.db.transaction(r=>[rE(r,t),nE(r,t)])}async exchangeAuthorizationCode(t){let n=c.array(c.object({redirect_uri:c.string()})).parse(await this.db.query(`SELECT redirect_uri
107
107
  FROM downstream_oauth_authorization_codes
108
108
  WHERE code_hash = $1
109
- LIMIT 1`,[t.codeHash]))[0]?.redirect_uri,a=n!==void 0&&Rs(n,t.redirectUri)?n:t.redirectUri,i=u.array(u.record(u.string(),u.unknown())).parse(await this.db.query(`WITH candidate AS (
109
+ LIMIT 1`,[t.codeHash]))[0]?.redirect_uri,a=n!==void 0&&qi(n,t.redirectUri)?n:t.redirectUri,s=c.array(c.record(c.string(),c.unknown())).parse(await this.db.query(`WITH candidate AS (
110
110
  SELECT *
111
111
  FROM downstream_oauth_authorization_codes
112
112
  WHERE code_hash = $1
@@ -212,18 +212,18 @@ data:
212
212
  END AS kind,
213
213
  inserted_grant.*
214
214
  FROM (SELECT 1) AS marker
215
- LEFT JOIN inserted_grant ON TRUE`,[t.codeHash,t.clientId,a,t.resource,t.codeChallenge,t.currentRefreshTokenHash,t.accessTokenHash,t.now,new Date(t.grantExpiresAt),new Date(t.accessTokenExpiresAt)]))[0],c=u.enum(["exchanged","consumed","missing","expired","resource_mismatch","binding_mismatch"]).parse(i?.kind??"missing");return c!=="exchanged"?{kind:c}:{kind:"exchanged",grant:og.parse(i)}}async getGrant(t){return u.array(og).parse(await this.db.query(`SELECT *
215
+ LEFT JOIN inserted_grant ON TRUE`,[t.codeHash,t.clientId,a,t.resource,t.codeChallenge,t.currentRefreshTokenHash,t.accessTokenHash,t.now,new Date(t.grantExpiresAt),new Date(t.accessTokenExpiresAt)]))[0],u=c.enum(["exchanged","consumed","missing","expired","resource_mismatch","binding_mismatch"]).parse(s?.kind??"missing");return u!=="exchanged"?{kind:u}:{kind:"exchanged",grant:kg.parse(s)}}async getGrant(t){return c.array(kg).parse(await this.db.query(`SELECT *
216
216
  FROM downstream_oauth_grants
217
217
  WHERE id = $1
218
218
  LIMIT 1`,[t]))[0]}async saveAccessToken(t){await this.db.query(`INSERT INTO downstream_oauth_access_tokens (
219
219
  token_hash, grant_id, client_id, resource, virtual_server_id, tenant_id,
220
220
  subject_id, scope, roles, created_at, expires_at, revoked_at
221
- ) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9::jsonb, $10, $11, $12)`,[t.tokenHash,t.grantId,t.clientId,t.resource,t.virtualServerId,t.tenantId,t.subjectId,t.scope,JSON.stringify(t.roles),new Date(t.createdAt),new Date(t.expiresAt),t.revokedAt?new Date(t.revokedAt):null])}async validateAccessToken(t){let n=u.array(rP).parse(await this.db.query(`SELECT access_tokens.*
221
+ ) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9::jsonb, $10, $11, $12)`,[t.tokenHash,t.grantId,t.clientId,t.resource,t.virtualServerId,t.tenantId,t.subjectId,t.scope,JSON.stringify(t.roles),new Date(t.createdAt),new Date(t.expiresAt),t.revokedAt?new Date(t.revokedAt):null])}async validateAccessToken(t){let n=c.array(tE).parse(await this.db.query(`SELECT access_tokens.*
222
222
  FROM downstream_oauth_access_tokens AS access_tokens
223
223
  JOIN downstream_oauth_grants AS grants
224
224
  ON grants.id = access_tokens.grant_id
225
225
  WHERE access_tokens.token_hash = $1
226
- LIMIT 1`,[t.tokenHash]))[0];if(!n)return{kind:"missing"};if(n.revokedAt)return{kind:"revoked"};if(new Date(n.expiresAt).getTime()<=t.now.getTime())return{kind:"expired"};let a=await this.getGrant(n.grantId),s=aP(a,t.now);return s||{kind:"valid",record:n}}async rotateRefreshToken(t){let r=await this.rotateCurrentRefreshToken(t);if(!r)return this.resolveUnrotatedRefreshToken(t);let n=await this.getGrant(r.id);return n?{kind:"rotated",grant:n,matched:r.matched}:{kind:"missing"}}async rotateCurrentRefreshToken(t){return u.array(QA).parse(await this.db.query(`WITH candidate AS (
226
+ LIMIT 1`,[t.tokenHash]))[0];if(!n)return{kind:"missing"};if(n.revokedAt)return{kind:"revoked"};if(new Date(n.expiresAt).getTime()<=t.now.getTime())return{kind:"expired"};let a=await this.getGrant(n.grantId),i=oE(a,t.now);return i||{kind:"valid",record:n}}async rotateRefreshToken(t){let r=await this.rotateCurrentRefreshToken(t);if(!r)return this.resolveUnrotatedRefreshToken(t);let n=await this.getGrant(r.id);return n?{kind:"rotated",grant:n,matched:r.matched}:{kind:"missing"}}async rotateCurrentRefreshToken(t){return c.array(XP).parse(await this.db.query(`WITH candidate AS (
227
227
  SELECT id,
228
228
  'current' AS matched
229
229
  FROM downstream_oauth_grants
@@ -245,7 +245,7 @@ data:
245
245
  AND grants.expires_at > $4
246
246
  AND ($5::text IS NULL OR grants.resource = $5)
247
247
  AND grants.current_refresh_token_hash = $1
248
- RETURNING grants.*, candidate.matched`,[t.currentTokenHash,t.nextTokenHash,t.clientId,t.now,t.resource??null]))[0]}async resolveUnrotatedRefreshToken(t){let r=await this.findRefreshTokenGrantStatus(t,!0),n=await this.refreshTokenGrantFailure(t,r);if(n)return n;if(r)return{kind:"missing"};let a=await this.findRefreshTokenGrantStatus(t,!1),s=await this.refreshTokenGrantFailure(t,a);return s||(a&&t.resource!==void 0?{kind:"resource_mismatch"}:{kind:"missing"})}async findRefreshTokenGrantStatus(t,r){let n=r?"AND ($3::text IS NULL OR resource = $3)":"",a=r?[t.clientId,t.currentTokenHash,t.resource??null]:[t.clientId,t.currentTokenHash];return u.array(XA).parse(await this.db.query(`SELECT id,
248
+ RETURNING grants.*, candidate.matched`,[t.currentTokenHash,t.nextTokenHash,t.clientId,t.now,t.resource??null]))[0]}async resolveUnrotatedRefreshToken(t){let r=await this.findRefreshTokenGrantStatus(t,!0),n=await this.refreshTokenGrantFailure(t,r);if(n)return n;if(r)return{kind:"missing"};let a=await this.findRefreshTokenGrantStatus(t,!1),i=await this.refreshTokenGrantFailure(t,a);return i||(a&&t.resource!==void 0?{kind:"resource_mismatch"}:{kind:"missing"})}async findRefreshTokenGrantStatus(t,r){let n=r?"AND ($3::text IS NULL OR resource = $3)":"",a=r?[t.clientId,t.currentTokenHash,t.resource??null]:[t.clientId,t.currentTokenHash];return c.array(YP).parse(await this.db.query(`SELECT id,
249
249
  revoked_at,
250
250
  expires_at,
251
251
  CASE
@@ -259,22 +259,22 @@ data:
259
259
  current_refresh_token_hash = $2
260
260
  OR previous_refresh_token_hash = $2
261
261
  )
262
- LIMIT 1`,a))[0]}async refreshTokenGrantFailure(t,r){if(r){if(r.revoked_at)return{kind:"revoked"};if(r.expires_at.getTime()<=t.now.getTime())return{kind:"expired"};if(r.matched==="previous")return await this.revokeGrant({grantId:r.id,now:t.now,reason:"refresh_token_replay"}),{kind:"revoked"}}}async revokeOAuthToken(t){let n=u.array(u.object({token_hash:u.string(),client_id:Ze})).parse(await this.db.query(`SELECT token_hash, client_id
262
+ LIMIT 1`,a))[0]}async refreshTokenGrantFailure(t,r){if(r){if(r.revoked_at)return{kind:"revoked"};if(r.expires_at.getTime()<=t.now.getTime())return{kind:"expired"};if(r.matched==="previous")return await this.revokeGrant({grantId:r.id,now:t.now,reason:"refresh_token_replay"}),{kind:"revoked"}}}async revokeOAuthToken(t){let n=c.array(c.object({token_hash:c.string(),client_id:le})).parse(await this.db.query(`SELECT token_hash, client_id
263
263
  FROM downstream_oauth_access_tokens
264
264
  WHERE token_hash = $1
265
265
  LIMIT 1`,[t.tokenHash]))[0];if(n)return n.client_id!==t.clientId?{kind:"client_mismatch"}:(await this.db.query(`UPDATE downstream_oauth_access_tokens
266
266
  SET revoked_at = $2
267
- WHERE token_hash = $1 AND revoked_at IS NULL`,[t.tokenHash,t.now]),{kind:"revoked_access_token"});let s=u.array(u.object({id:$t,client_id:Ze})).parse(await this.db.query(`SELECT id, client_id
267
+ WHERE token_hash = $1 AND revoked_at IS NULL`,[t.tokenHash,t.now]),{kind:"revoked_access_token"});let i=c.array(c.object({id:_t,client_id:le})).parse(await this.db.query(`SELECT id, client_id
268
268
  FROM downstream_oauth_grants
269
269
  WHERE current_refresh_token_hash = $1
270
270
  OR previous_refresh_token_hash = $1
271
271
  ORDER BY created_at DESC
272
- LIMIT 1`,[t.tokenHash]))[0];return s?this.revokeRefreshTokenGrantForOAuthToken(t,s):{kind:"missing"}}async revokeRefreshTokenGrantForOAuthToken(t,r){return r.client_id!==t.clientId?{kind:"client_mismatch"}:this.revokeGrantForOAuthToken(t,r.id)}async revokeGrantForOAuthToken(t,r){return await this.revokeGrant({grantId:r,now:t.now,reason:"token_revocation"}),{kind:"revoked_grant"}}async revokeGrant(t){await this.db.transaction(r=>[r.query(`UPDATE downstream_oauth_grants
272
+ LIMIT 1`,[t.tokenHash]))[0];return i?this.revokeRefreshTokenGrantForOAuthToken(t,i):{kind:"missing"}}async revokeRefreshTokenGrantForOAuthToken(t,r){return r.client_id!==t.clientId?{kind:"client_mismatch"}:this.revokeGrantForOAuthToken(t,r.id)}async revokeGrantForOAuthToken(t,r){return await this.revokeGrant({grantId:r,now:t.now,reason:"token_revocation"}),{kind:"revoked_grant"}}async revokeGrant(t){await this.db.transaction(r=>[r.query(`UPDATE downstream_oauth_grants
273
273
  SET revoked_at = $2,
274
274
  revoked_reason = $3
275
275
  WHERE id = $1 AND revoked_at IS NULL`,[t.grantId,t.now,t.reason]),r.query(`UPDATE downstream_oauth_access_tokens
276
276
  SET revoked_at = $2
277
- WHERE grant_id = $1 AND revoked_at IS NULL`,[t.grantId,t.now])])}};var Cs=class{constructor(t,r){this.raw=t;this.singleShotExecutor=r}static{o(this,"HttpPgQuery")}[Symbol.toStringTag]="HttpPgQuery";then(t,r){return this.singleShotExecutor(this.raw).then(t,r)}catch(t){return this.singleShotExecutor(this.raw).catch(t)}finally(t){return this.singleShotExecutor(this.raw).finally(t)}};function sP(e){return e instanceof Cs}o(sP,"isHttpPgQuery");function iP(e){let t;try{t=new URL(e)}catch(n){throw new Error("Database connection string is not a valid URL. Expected: postgresql://user:password@host.tld/dbname",{cause:n})}if(t.protocol!=="postgresql:"&&t.protocol!=="postgres:")throw g("internal_server_error",`Database connection string must use postgres:// or postgresql:// (got ${t.protocol})`);if(!t.hostname)throw g("internal_server_error","Database connection string is missing the host.");let r=t.hostname.replace(/^[^.]+\./,"api.");return{host:t.hostname,fetchEndpoint:`https://${r}/sql`}}o(iP,"parseConnectionString");function cP(e){return typeof e=="object"&&e!==null&&typeof e.message=="string"?e.message??"Unknown postgres error":"Unknown postgres error"}o(cP,"readErrorMessage");function uP(e){return typeof e=="object"&&e!==null&&Array.isArray(e.rows)}o(uP,"isSingleResponse");function dP(e){return typeof e=="object"&&e!==null&&Array.isArray(e.results)}o(dP,"isBatchResponse");function ig(e,t={}){let{fetchEndpoint:r}=iP(e),n=t.fetchFn??fetch;async function a(d){let p=await s({query:d.query,params:d.params});if(!uP(p))throw g("internal_server_error","Unexpected postgres response shape: missing `rows`.");return p.rows}o(a,"runSingle");async function s(d){let p=await n(r,{method:"POST",headers:{"content-type":"application/json","Neon-Connection-String":e,"Neon-Raw-Text-Output":"true"},body:JSON.stringify(d)});if(!p.ok){let l;try{l=await p.json()}catch{l=void 0}let m=new Error(cP(l));throw g({code:"internal_server_error",privateDetail:`Postgres HTTP request failed (status ${p.status})`,cause:m})}return p.json()}o(s,"runRequest");function i(){return{query(d,p){return new Cs({query:d,params:p??[]},a)}}}o(i,"buildQueryDatabase");let c=i();return{query:c.query,async transaction(d){let l=d(c).map((h,_)=>{if(!sP(h))throw new Error(`transaction callback returned an unexpected query operation at index ${_}. Each statement must be a direct \`db.query(...)\` call (do not \`await\` inside the callback).`);return h.raw}),m=await s({queries:l.map(h=>({query:h.query,params:h.params}))});if(!dP(m))throw new Error("Unexpected postgres response shape: missing `results` for transaction.");return m.results.map(h=>h.rows)}}}o(ig,"createHttpPostgresGatewayDatabase");var lP=`
277
+ WHERE grant_id = $1 AND revoked_at IS NULL`,[t.grantId,t.now])])}};var ji=class{constructor(t,r){this.raw=t;this.singleShotExecutor=r}static{o(this,"HttpPgQuery")}[Symbol.toStringTag]="HttpPgQuery";then(t,r){return this.singleShotExecutor(this.raw).then(t,r)}catch(t){return this.singleShotExecutor(this.raw).catch(t)}finally(t){return this.singleShotExecutor(this.raw).finally(t)}};function aE(e){return e instanceof ji}o(aE,"isHttpPgQuery");function iE(e){let t;try{t=new URL(e)}catch(n){throw new Error("Database connection string is not a valid URL. Expected: postgresql://user:password@host.tld/dbname",{cause:n})}if(t.protocol!=="postgresql:"&&t.protocol!=="postgres:")throw g("internal_server_error",`Database connection string must use postgres:// or postgresql:// (got ${t.protocol})`);if(!t.hostname)throw g("internal_server_error","Database connection string is missing the host.");let r=t.hostname.replace(/^[^.]+\./,"api.");return{host:t.hostname,fetchEndpoint:`https://${r}/sql`}}o(iE,"parseConnectionString");function sE(e){return typeof e=="object"&&e!==null&&typeof e.message=="string"?e.message??"Unknown postgres error":"Unknown postgres error"}o(sE,"readErrorMessage");function cE(e){return typeof e=="object"&&e!==null&&Array.isArray(e.rows)}o(cE,"isSingleResponse");function uE(e){return typeof e=="object"&&e!==null&&Array.isArray(e.results)}o(uE,"isBatchResponse");function xg(e,t={}){let{fetchEndpoint:r}=iE(e),n=t.fetchFn??fetch;async function a(d){let l=await i({query:d.query,params:d.params});if(!cE(l))throw g("internal_server_error","Unexpected postgres response shape: missing `rows`.");return l.rows}o(a,"runSingle");async function i(d){let l=await n(r,{method:"POST",headers:{"content-type":"application/json","Neon-Connection-String":e,"Neon-Raw-Text-Output":"true"},body:JSON.stringify(d)});if(!l.ok){let p;try{p=await l.json()}catch{p=void 0}let m=new Error(sE(p));throw g({code:"internal_server_error",privateDetail:`Postgres HTTP request failed (status ${l.status})`,cause:m})}return l.json()}o(i,"runRequest");function s(){return{query(d,l){return new ji({query:d,params:l??[]},a)}}}o(s,"buildQueryDatabase");let u=s();return{query:u.query,async transaction(d){let p=d(u).map((f,_)=>{if(!aE(f))throw new Error(`transaction callback returned an unexpected query operation at index ${_}. Each statement must be a direct \`db.query(...)\` call (do not \`await\` inside the callback).`);return f.raw}),m=await i({queries:p.map(f=>({query:f.query,params:f.params}))});if(!uE(m))throw new Error("Unexpected postgres response shape: missing `results` for transaction.");return m.results.map(f=>f.rows)}}}o(xg,"createHttpPostgresGatewayDatabase");var dE=`
278
278
  DO $$
279
279
  BEGIN
280
280
  IF to_regclass('public.downstream_oauth_pending_authorization_transactions') IS NULL THEN
@@ -427,11 +427,11 @@ BEGIN
427
427
  EXECUTE $check$ALTER TABLE public.downstream_oauth_pending_authorization_transactions ADD CONSTRAINT downstream_oauth_pending_authorization_code_challenge_method_check CHECK ("downstream_oauth_pending_authorization_transactions"."code_challenge_method" = 'S256')$check$;
428
428
  END IF;
429
429
  END $$;
430
- `,pP=`
430
+ `,lE=`
431
431
  DROP INDEX IF EXISTS public.downstream_oauth_cimd_metadata_cache_expiry_idx;
432
- `,mP=`
432
+ `,pE=`
433
433
  DROP TABLE IF EXISTS public.downstream_oauth_cimd_metadata_cache;
434
- `,fP=`
434
+ `,mE=`
435
435
  DO $$
436
436
  BEGIN
437
437
  IF to_regclass('public.upstream_connections') IS NULL THEN
@@ -449,9 +449,27 @@ BEGIN
449
449
  EXECUTE $check$ALTER TABLE public.upstream_connections ADD CONSTRAINT upstream_connections_owner_shape_check CHECK (("upstream_connections"."owner_mode" = 'user' AND "upstream_connections"."tenant_id" IS NOT NULL AND "upstream_connections"."user_id" IS NOT NULL)
450
450
  OR ("upstream_connections"."owner_mode" = 'tenant_shared' AND "upstream_connections"."tenant_id" IS NOT NULL AND "upstream_connections"."user_id" IS NULL))$check$;
451
451
  END $$;
452
- `,hP=[lP,pP,mP,fP].join(`
452
+ `,hE=[dE,lE,pE,mE].join(`
453
453
  --> statement-breakpoint
454
- `),cg=[{tag:"0000_messy_makkari",sql:`CREATE TABLE "browser_connect_ticket_consumptions" (
454
+ `),fE=`
455
+ DO $$
456
+ BEGIN
457
+ IF to_regclass('public.upstream_connections') IS NULL THEN
458
+ RETURN;
459
+ END IF;
460
+
461
+ IF EXISTS (
462
+ SELECT 1
463
+ FROM information_schema.columns
464
+ WHERE table_schema = 'public'
465
+ AND table_name = 'upstream_connections'
466
+ AND column_name = 'id'
467
+ AND data_type = 'uuid'
468
+ ) THEN
469
+ EXECUTE 'ALTER TABLE public.upstream_connections ALTER COLUMN id TYPE text USING id::text';
470
+ END IF;
471
+ END $$;
472
+ `,Og=[{tag:"0000_messy_makkari",sql:`CREATE TABLE "browser_connect_ticket_consumptions" (
455
473
  "id" uuid PRIMARY KEY NOT NULL,
456
474
  "consumed_at" timestamp with time zone NOT NULL,
457
475
  "expires_at" timestamp with time zone NOT NULL
@@ -584,7 +602,7 @@ CREATE TABLE "downstream_oauth_pending_authorization_transactions" (
584
602
  );
585
603
  --> statement-breakpoint
586
604
  CREATE TABLE "upstream_connections" (
587
- "id" uuid PRIMARY KEY NOT NULL,
605
+ "id" text PRIMARY KEY NOT NULL,
588
606
  "tenant_id" text,
589
607
  "owner_mode" text NOT NULL,
590
608
  "user_id" text,
@@ -636,44 +654,52 @@ CREATE INDEX "downstream_oauth_grants_expiry_idx" ON "downstream_oauth_grants" U
636
654
  CREATE INDEX "downstream_oauth_pending_authorization_expiry_idx" ON "downstream_oauth_pending_authorization_transactions" USING btree ("expires_at");--> statement-breakpoint
637
655
  CREATE INDEX "upstream_oauth_state_consumptions_expiry_idx" ON "upstream_oauth_state_consumptions" USING btree ("expires_at");--> statement-breakpoint
638
656
  CREATE INDEX "upstream_oauth_states_expiry_idx" ON "upstream_oauth_states" USING btree ("expires_at");
639
- `},{tag:"0001_self_heal_pending_authorization",sql:hP}];var Po="_runtime_applied_migrations",gP=`
640
- CREATE TABLE IF NOT EXISTS ${Po} (
657
+ `},{tag:"0001_self_heal_pending_authorization",sql:hE},{tag:"0002_upstream_connection_id_text",sql:fE}];var Ho="_runtime_applied_migrations",gE=`
658
+ CREATE TABLE IF NOT EXISTS ${Ho} (
641
659
  tag text PRIMARY KEY NOT NULL,
642
660
  applied_at timestamp with time zone NOT NULL DEFAULT now()
643
661
  )
644
- `,Ao;async function _P(e){if(Ao)return Ao;Ao=(async()=>{await e.query(gP),await e.query(`INSERT INTO ${Po} (tag)
662
+ `,jo;async function _E(e){if(jo)return jo;jo=(async()=>{await e.query(gE),await e.query(`INSERT INTO ${Ho} (tag)
645
663
  SELECT '0000_messy_makkari'
646
664
  WHERE to_regclass('public.audit_events') IS NOT NULL
647
665
  AND NOT EXISTS (
648
- SELECT 1 FROM ${Po}
666
+ SELECT 1 FROM ${Ho}
649
667
  WHERE tag = '0000_messy_makkari'
650
668
  )
651
- ON CONFLICT (tag) DO NOTHING`);let t=await e.query(`SELECT tag FROM ${Po}`),r=new Set(t.map(n=>n.tag));for(let n of cg){if(r.has(n.tag))continue;let a=n.sql.split(/-->\s*statement-breakpoint/g).map(s=>s.trim()).filter(s=>s.length>0);for(let s of a)await e.query(s);await e.query(`INSERT INTO ${Po} (tag) VALUES ($1)`,[n.tag])}})();try{await Ao}catch(t){throw Ao=void 0,t}}o(_P,"ensureGatewayMigrationsApplied");function ug(e){let t=o(()=>_P(e),"ensureReady");return{query:o((n,a)=>(async()=>(await t(),e.query(n,a)))(),"query"),async transaction(n){return await t(),e.transaction(n)}}}o(ug,"createMigrationGatedDatabase");W();W();var yP=["user","tenant_shared"],yn=u.enum(yP);function ur(e,t){if(!e)throw g("forbidden","User-owned upstream connections require an authenticated tenant.");return{mode:"user",tenantId:e,subjectId:t}}o(ur,"buildUserUpstreamConnectionOwner");function Es(e){if(!e)throw g("forbidden","Tenant-shared upstream connections require an authenticated tenant.");return{mode:"tenant_shared",tenantId:e}}o(Es,"buildTenantSharedUpstreamConnectionOwner");W();W();function As(e){if(e===void 0||e.length===0)return;if(!e.startsWith("/")||e.startsWith("//"))throw g("invalid_request","returnTo must be a same-origin relative path.");let t=new URL(e,"https://gateway.local");if(t.origin!=="https://gateway.local"||t.username||t.password||t.hash||t.pathname.startsWith("//"))throw g("invalid_request","returnTo must be a same-origin relative path without credentials or fragments.");return`${t.pathname}${t.search}`}o(As,"parseSafeRelativeReturnTo");var dg=u.object({tenantId:$e.optional(),ownerMode:yn,initiatedBySubjectId:le,ownerSubjectId:le.optional(),upstreamServerId:ut,authProfileId:dt,virtualServerId:ge,returnTo:u.string().min(1).transform(e=>As(e)).optional()});function lg(e,t){e.ownerMode==="user"&&!e.ownerSubjectId&&t.addIssue({code:u.ZodIssueCode.custom,message:"User-owned state requires ownerSubjectId",path:["ownerSubjectId"]}),e.ownerMode==="user"&&!e.tenantId&&t.addIssue({code:u.ZodIssueCode.custom,message:"User-owned state requires tenantId",path:["tenantId"]}),e.ownerMode==="tenant_shared"&&(e.tenantId||t.addIssue({code:u.ZodIssueCode.custom,message:"Tenant-shared state requires tenantId",path:["tenantId"]}),e.ownerSubjectId&&t.addIssue({code:u.ZodIssueCode.custom,message:"Tenant-shared state must not include ownerSubjectId",path:["ownerSubjectId"]}))}o(lg,"validateUpstreamOwnerState");var wn=dg.superRefine(lg),pg=dg.omit({returnTo:!0}).superRefine(lg);function xo(e){return wn.parse({tenantId:e.owner.tenantId,ownerMode:e.owner.mode,initiatedBySubjectId:e.initiatedBySubjectId,ownerSubjectId:e.owner.mode==="user"?e.owner.subjectId:void 0,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,virtualServerId:e.virtualServerId,returnTo:e.returnTo})}o(xo,"buildUpstreamOwnerState");function Sn(e){if(e.ownerMode==="tenant_shared")return Es(e.tenantId);if(!e.ownerSubjectId)throw g("oauth_state_invalid","User-owned upstream state is missing the owner subject.");if(!e.tenantId)throw g("oauth_state_invalid","User-owned upstream state is missing the tenant.");return ur(e.tenantId,e.ownerSubjectId)}o(Sn,"resolveUpstreamConnectionOwnerFromState");var wP=["active","not_connected","reconsent_required"],SP=["basic_auth_app_password","bearer_token"],mg=u.uuid().brand(),Ps=u.uuid().brand(),xd=u.uuid().brand(),kd=u.enum(wP),vP=u.enum(SP),fg=u.object({encryptedClientInformation:u.string().optional(),encryptedDiscoveryState:u.string().optional(),connectedBySubjectId:le.optional()}),Od=fg.extend({encryptedStaticSecret:u.string().optional(),staticSecretKind:vP.optional(),staticSecretLabel:u.string().min(1).optional(),staticSecretUsername:u.string().min(1).optional()}),bP=u.object({id:mg,tenantId:$e.optional(),subjectId:le.optional(),ownerMode:yn,upstreamServerId:ut,authProfileId:dt,status:kd,encryptedAccessToken:u.string().optional(),encryptedRefreshToken:u.string().optional(),scopes:u.array(u.string()),expiresAt:Ne.optional(),metadata:Od.optional(),createdAt:Ne,updatedAt:Ne});function RP(e,t){e.ownerMode==="user"&&!e.subjectId&&t.addIssue({code:u.ZodIssueCode.custom,message:"User-owned upstream connections require subjectId",path:["subjectId"]}),e.ownerMode==="tenant_shared"&&!e.tenantId&&t.addIssue({code:u.ZodIssueCode.custom,message:"Tenant-shared upstream connections require tenantId",path:["tenantId"]})}o(RP,"validateUpstreamConnectionOwnerShape");var hg=bP.superRefine(RP),gg=wn.extend({id:Ps,callbackPath:u.string().min(1),expiresAt:Ne,codeVerifier:u.string().optional(),redirectUri:u.url(),returnOrigin:u.url().optional()}).extend(fg.shape);function _g(e){let t=e?.status??"not_connected",r={connected:t==="active",status:t};return e?.updatedAt!==void 0&&(r.updatedAt=e.updatedAt),r}o(_g,"readUpstreamConnectionStatus");function xs(){return mg.parse(crypto.randomUUID())}o(xs,"createUpstreamConnectionId");function yg(){return Ps.parse(crypto.randomUUID())}o(yg,"createOAuthStateId");function wg(){return xd.parse(crypto.randomUUID())}o(wg,"createBrowserConnectTicketId");var IP=u.unknown().transform(e=>cr(e,"upstream connection scopes")).pipe(u.array(u.string())),TP=u.unknown().transform(e=>{if(e!=null)return cr(e,"upstream connection metadata")}).transform(e=>{if(!e||typeof e!="object"||Array.isArray(e))return;let t=Od.safeParse(e);if(t.success)return Object.values(t.data).some(r=>r!==void 0)?t.data:void 0}),Sg=u.object({id:u.uuid(),tenant_id:$e.nullable(),owner_mode:yn,user_id:le.nullable(),upstream_server_id:ut,auth_profile_id:dt,status:kd,encrypted_access_token:u.string().nullable(),encrypted_refresh_token:u.string().nullable(),scopes:IP,expires_at:ie.nullable(),metadata:TP,created_at:ie,updated_at:ie}).transform(e=>hg.parse({id:e.id,tenantId:e.tenant_id??void 0,ownerMode:e.owner_mode,subjectId:e.user_id??void 0,upstreamServerId:e.upstream_server_id,authProfileId:e.auth_profile_id,status:e.status,encryptedAccessToken:e.encrypted_access_token??void 0,encryptedRefreshToken:e.encrypted_refresh_token??void 0,scopes:e.scopes,expiresAt:e.expires_at?K(e.expires_at):void 0,metadata:e.metadata,createdAt:K(e.created_at),updatedAt:K(e.updated_at)}));function CP(e){let t=e.firstParam??1,r=`$${t}`,n=`$${t+1}`,a=`$${t+2}`;switch(e.owner.mode){case"user":return{whereClause:`owner_mode = ${r}
652
- AND tenant_id IS NOT DISTINCT FROM ${n}
653
- AND user_id = ${a}
654
- AND upstream_server_id = $${t+3}
655
- AND auth_profile_id = $${t+4}`,params:[e.owner.mode,e.owner.tenantId??null,e.owner.subjectId,e.upstreamServerId,e.authProfileId]};case"tenant_shared":return{whereClause:`owner_mode = ${r}
656
- AND tenant_id = ${n}
657
- AND user_id IS NULL
658
- AND upstream_server_id = ${a}
659
- AND auth_profile_id = $${t+3}`,params:[e.owner.mode,e.owner.tenantId,e.upstreamServerId,e.authProfileId]}}}o(CP,"buildOwnerLookup");function EP(e){if(!e)return null;let t={};for(let[r,n]of Object.entries(e))typeof n=="string"&&(t[r]=n);return Object.keys(t).length>0?JSON.stringify(t):null}o(EP,"metadataToDatabaseValue");function AP(e){if(!e)throw g("internal_server_error","Failed to persist upstream connection");return e}o(AP,"requirePersistedUpstreamConnection");var ks=class{constructor(t){this.db=t}static{o(this,"PostgresUpstreamConnectionRepository")}async get(t,r,n){let a=CP({owner:t,upstreamServerId:r,authProfileId:n});return u.array(Sg).parse(await this.db.query(`SELECT
660
- id,
661
- tenant_id,
669
+ ON CONFLICT (tag) DO NOTHING`);let t=await e.query(`SELECT tag FROM ${Ho}`),r=new Set(t.map(n=>n.tag));for(let n of Og){if(r.has(n.tag))continue;let a=n.sql.split(/-->\s*statement-breakpoint/g).map(i=>i.trim()).filter(i=>i.length>0);for(let i of a)await e.query(i);await e.query(`INSERT INTO ${Ho} (tag) VALUES ($1)`,[n.tag])}})();try{await jo}catch(t){throw jo=void 0,t}}o(_E,"ensureGatewayMigrationsApplied");function Ug(e){let t=o(()=>_E(e),"ensureReady");return{query:o((n,a)=>(async()=>(await t(),e.query(n,a)))(),"query"),async transaction(n){return await t(),e.transaction(n)}}}o(Ug,"createMigrationGatedDatabase");Y();Y();var yE=["user","tenant_shared"],Ht=c.enum(yE);function mr(e,t){if(!e)throw g("forbidden","User-owned upstream connections require an authenticated tenant.");return{mode:"user",tenantId:e,subjectId:t}}o(mr,"buildUserUpstreamConnectionOwner");function Hi(e){if(!e)throw g("forbidden","Tenant-shared upstream connections require an authenticated tenant.");return{mode:"tenant_shared",tenantId:e}}o(Hi,"buildTenantSharedUpstreamConnectionOwner");Y();Y();function Gi(e){if(e===void 0||e.length===0)return;if(!e.startsWith("/")||e.startsWith("//"))throw g("invalid_request","returnTo must be a same-origin relative path.");let t=new URL(e,"https://gateway.local");if(t.origin!=="https://gateway.local"||t.username||t.password||t.hash||t.pathname.startsWith("//"))throw g("invalid_request","returnTo must be a same-origin relative path without credentials or fragments.");return`${t.pathname}${t.search}`}o(Gi,"parseSafeRelativeReturnTo");var zg=c.object({tenantId:ue.optional(),ownerMode:Ht,initiatedBySubjectId:X,ownerSubjectId:X.optional(),upstreamServerId:ke,authProfileId:Pe,virtualServerId:me,returnTo:c.string().min(1).transform(e=>Gi(e)).optional()});function Ng(e,t){e.ownerMode==="user"&&!e.ownerSubjectId&&t.addIssue({code:c.ZodIssueCode.custom,message:"User-owned state requires ownerSubjectId",path:["ownerSubjectId"]}),e.ownerMode==="user"&&!e.tenantId&&t.addIssue({code:c.ZodIssueCode.custom,message:"User-owned state requires tenantId",path:["tenantId"]}),e.ownerMode==="tenant_shared"&&(e.tenantId||t.addIssue({code:c.ZodIssueCode.custom,message:"Tenant-shared state requires tenantId",path:["tenantId"]}),e.ownerSubjectId&&t.addIssue({code:c.ZodIssueCode.custom,message:"Tenant-shared state must not include ownerSubjectId",path:["ownerSubjectId"]}))}o(Ng,"validateUpstreamOwnerState");var kn=zg.superRefine(Ng),Dg=zg.omit({returnTo:!0}).superRefine(Ng);function Go(e){return kn.parse({tenantId:e.owner.tenantId,ownerMode:e.owner.mode,initiatedBySubjectId:e.initiatedBySubjectId,ownerSubjectId:e.owner.mode==="user"?e.owner.subjectId:void 0,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,virtualServerId:e.virtualServerId,returnTo:e.returnTo})}o(Go,"buildUpstreamOwnerState");function Pn(e){if(e.ownerMode==="tenant_shared")return Hi(e.tenantId);if(!e.ownerSubjectId)throw g("oauth_state_invalid","User-owned upstream state is missing the owner subject.");if(!e.tenantId)throw g("oauth_state_invalid","User-owned upstream state is missing the tenant.");return mr(e.tenantId,e.ownerSubjectId)}o(Pn,"resolveUpstreamConnectionOwnerFromState");var SE=["active","not_connected","reconsent_required"],wE=["basic_auth_app_password","bearer_token"],Mg=c.string().trim().min(1).brand(),En=c.uuid().brand(),Bo=c.uuid().brand(),xn=c.enum(SE),vE=c.enum(wE),qg=c.object({encryptedClientInformation:c.string().optional(),encryptedDiscoveryState:c.string().optional(),connectedBySubjectId:X.optional()}),Zd=qg.extend({encryptedStaticSecret:c.string().optional(),staticSecretKind:vE.optional(),staticSecretLabel:c.string().min(1).optional(),staticSecretUsername:c.string().min(1).optional()}).strict(),RE=c.object({id:Mg,tenantId:ue.optional(),subjectId:X.optional(),ownerMode:Ht,upstreamServerId:ke,authProfileId:Pe,status:xn,encryptedAccessToken:c.string().min(1).optional(),encryptedRefreshToken:c.string().min(1).optional(),scopes:c.array(c.string()),expiresAt:V.optional(),metadata:Zd.optional(),createdAt:V,updatedAt:V});function Kd(e,t){e.ownerMode==="user"&&(e.tenantId||t.addIssue({code:c.ZodIssueCode.custom,message:"User-owned upstream connections require tenantId",path:["tenantId"]}),e.subjectId||t.addIssue({code:c.ZodIssueCode.custom,message:"User-owned upstream connections require subjectId",path:["subjectId"]})),e.ownerMode==="tenant_shared"&&(e.tenantId||t.addIssue({code:c.ZodIssueCode.custom,message:"Tenant-shared upstream connections require tenantId",path:["tenantId"]}),e.subjectId!==void 0&&t.addIssue({code:c.ZodIssueCode.custom,message:"Tenant-shared upstream connections must not include subjectId",path:["subjectId"]}))}o(Kd,"validateUpstreamConnectionOwnerShape");var Gt=RE.superRefine(Kd);function Dr(e){return JSON.stringify([e.owner.mode,e.owner.tenantId,e.owner.mode==="user"?e.owner.subjectId:"",e.upstreamServerId,e.authProfileId])}o(Dr,"readUpstreamConnectionLookupKey");var Vo=kn.extend({id:En,callbackPath:c.string().min(1),expiresAt:V,codeVerifier:c.string().optional(),redirectUri:c.url(),returnOrigin:c.url().optional()}).extend(qg.shape);function $g(e){let t=e?.status??"not_connected",r={connected:t==="active",status:t};return e?.updatedAt!==void 0&&(r.updatedAt=e.updatedAt),r}o($g,"readUpstreamConnectionStatus");function Bi(){return Mg.parse(`mcpgw2uc_${crypto.randomUUID()}`)}o(Bi,"createUpstreamConnectionId");function Lg(){return En.parse(crypto.randomUUID())}o(Lg,"createOAuthStateId");function jg(){return Bo.parse(crypto.randomUUID())}o(jg,"createBrowserConnectTicketId");var Hg=c.unknown().transform(e=>pr(e,"upstream connection scopes")).pipe(c.array(c.string())),Gg=c.unknown().transform(e=>{if(e!=null)return pr(e,"upstream connection metadata")}).transform(e=>{if(!e||typeof e!="object"||Array.isArray(e))return;let t=Zd.safeParse(e);if(t.success)return Object.values(t.data).some(r=>r!==void 0)?t.data:void 0}),bE=c.object({id:c.string().min(1),tenant_id:ue.nullable(),owner_mode:Ht,user_id:X.nullable(),upstream_server_id:ke,auth_profile_id:Pe,status:xn,encrypted_access_token:c.string().nullable(),encrypted_refresh_token:c.string().nullable(),scopes:Hg,expires_at:ie.nullable(),metadata:Gg,created_at:ie,updated_at:ie}).transform(e=>Gt.parse({id:e.id,tenantId:e.tenant_id??void 0,ownerMode:e.owner_mode,subjectId:e.user_id??void 0,upstreamServerId:e.upstream_server_id,authProfileId:e.auth_profile_id,status:e.status,encryptedAccessToken:e.encrypted_access_token??void 0,encryptedRefreshToken:e.encrypted_refresh_token??void 0,scopes:e.scopes,expiresAt:e.expires_at?O(e.expires_at):void 0,metadata:e.metadata,createdAt:O(e.created_at),updatedAt:O(e.updated_at)})),CE=c.object({requested_ordinal:c.number(),id:c.string().min(1).nullable(),tenant_id:ue.nullable(),owner_mode:Ht.nullable(),user_id:X.nullable(),upstream_server_id:ke.nullable(),auth_profile_id:Pe.nullable(),status:xn.nullable(),encrypted_access_token:c.string().nullable(),encrypted_refresh_token:c.string().nullable(),scopes:Hg.nullable(),expires_at:ie.nullable(),metadata:Gg,created_at:ie.nullable(),updated_at:ie.nullable()}).transform(e=>{if(e.id!==null)return Gt.parse({id:e.id,tenantId:e.tenant_id??void 0,ownerMode:e.owner_mode,subjectId:e.user_id??void 0,upstreamServerId:e.upstream_server_id,authProfileId:e.auth_profile_id,status:e.status,encryptedAccessToken:e.encrypted_access_token??void 0,encryptedRefreshToken:e.encrypted_refresh_token??void 0,scopes:e.scopes??[],expiresAt:e.expires_at?O(e.expires_at):void 0,metadata:e.metadata,createdAt:O(e.created_at),updatedAt:O(e.updated_at)})});function IE(e){let t=[],r=e.map((n,a)=>{let i=t.length+1;return t.push(a,n.owner.mode,n.owner.tenantId,n.owner.mode==="user"?n.owner.subjectId:null,n.upstreamServerId,n.authProfileId),`($${i}::integer, $${i+1}, $${i+2}, $${i+3}, $${i+4}, $${i+5})`});return{params:t,sql:`WITH requested(
670
+ requested_ordinal,
662
671
  owner_mode,
672
+ tenant_id,
663
673
  user_id,
664
674
  upstream_server_id,
665
- auth_profile_id,
666
- status,
667
- encrypted_access_token,
668
- encrypted_refresh_token,
669
- scopes,
670
- expires_at,
671
- metadata,
672
- created_at,
673
- updated_at
674
- FROM upstream_connections
675
- WHERE ${a.whereClause}
676
- LIMIT 1`,a.params))[0]}async upsert(t){let r=new Date,n=u.array(Sg).parse(await this.db.query(`INSERT INTO upstream_connections (
675
+ auth_profile_id
676
+ ) AS (
677
+ VALUES ${r.join(", ")}
678
+ )
679
+ SELECT
680
+ requested.requested_ordinal,
681
+ upstream_connections.id,
682
+ upstream_connections.tenant_id,
683
+ upstream_connections.owner_mode,
684
+ upstream_connections.user_id,
685
+ upstream_connections.upstream_server_id,
686
+ upstream_connections.auth_profile_id,
687
+ upstream_connections.status,
688
+ upstream_connections.encrypted_access_token,
689
+ upstream_connections.encrypted_refresh_token,
690
+ upstream_connections.scopes,
691
+ upstream_connections.expires_at,
692
+ upstream_connections.metadata,
693
+ upstream_connections.created_at,
694
+ upstream_connections.updated_at
695
+ FROM requested
696
+ LEFT JOIN upstream_connections
697
+ ON upstream_connections.owner_mode = requested.owner_mode
698
+ AND upstream_connections.tenant_id IS NOT DISTINCT FROM requested.tenant_id
699
+ AND upstream_connections.user_id IS NOT DISTINCT FROM requested.user_id
700
+ AND upstream_connections.upstream_server_id = requested.upstream_server_id
701
+ AND upstream_connections.auth_profile_id = requested.auth_profile_id
702
+ ORDER BY requested.requested_ordinal`}}o(IE,"buildBatchGetQuery");function TE(e){if(!e)return null;let t={};for(let[r,n]of Object.entries(e))typeof n=="string"&&(t[r]=n);return Object.keys(t).length>0?JSON.stringify(t):null}o(TE,"metadataToDatabaseValue");function AE(e){if(!e)throw g("internal_server_error","Failed to persist upstream connection");return e}o(AE,"requirePersistedUpstreamConnection");var Vi=class{constructor(t){this.db=t}static{o(this,"PostgresUpstreamConnectionRepository")}async batchGet(t){if(t.length===0)return[];let r=IE(t);return c.array(CE).parse(await this.db.query(r.sql,r.params))}async upsert(t){let r=new Date,n=c.array(bE).parse(await this.db.query(`INSERT INTO upstream_connections (
677
703
  id,
678
704
  tenant_id,
679
705
  owner_mode,
@@ -727,7 +753,7 @@ CREATE INDEX "upstream_oauth_states_expiry_idx" ON "upstream_oauth_states" USING
727
753
  expires_at,
728
754
  metadata,
729
755
  created_at,
730
- updated_at`,[t.id,t.tenantId??null,t.ownerMode,t.subjectId??null,t.upstreamServerId,t.authProfileId,t.status,t.encryptedAccessToken??null,t.encryptedRefreshToken??null,JSON.stringify(t.scopes),t.expiresAt?new Date(t.expiresAt):null,EP(t.metadata),r]));return AP(n[0])}};W();var PP=60*60*24*1e3,xP=u.object({kind:u.enum(["available","consumed","missing"]),record:u.unknown().nullable()}),kP=u.object({inserted:u.preprocess(e=>{if(typeof e!="string")return e;switch(e.toLowerCase()){case"true":case"t":case"1":return!0;case"false":case"f":case"0":return!1;default:return e}},u.boolean())});function vg(e,t){let r=e[0];if(!r)throw g("internal_server_error",`Postgres ${t} query returned no result row`);return r}o(vg,"requireSingleRow");function OP(e){return gg.parse(cr(e,"upstream OAuth state record"))}o(OP,"parseStoredOAuthStateRecord");var Os=class{constructor(t){this.db=t}static{o(this,"PostgresOAuthStateStore")}async save(t){let r=new Date;await this.db.query(`INSERT INTO upstream_oauth_states (
756
+ updated_at`,[t.id,t.tenantId??null,t.ownerMode,t.subjectId??null,t.upstreamServerId,t.authProfileId,t.status,t.encryptedAccessToken??null,t.encryptedRefreshToken??null,JSON.stringify(t.scopes),t.expiresAt?new Date(t.expiresAt):null,TE(t.metadata),r]));return AE(n[0])}};Y();var kE=60*60*24*1e3,PE=c.object({kind:c.enum(["available","consumed","missing"]),record:c.unknown().nullable()}),EE=c.object({inserted:c.preprocess(e=>{if(typeof e!="string")return e;switch(e.toLowerCase()){case"true":case"t":case"1":return!0;case"false":case"f":case"0":return!1;default:return e}},c.boolean())});function Bg(e,t){let r=e[0];if(!r)throw g("internal_server_error",`Postgres ${t} query returned no result row`);return r}o(Bg,"requireSingleRow");function xE(e){return Vo.parse(pr(e,"upstream OAuth state record"))}o(xE,"parseStoredOAuthStateRecord");var Fi=class{constructor(t){this.db=t}static{o(this,"PostgresOAuthStateStore")}async save(t){let r=new Date;await this.db.query(`INSERT INTO upstream_oauth_states (
731
757
  id,
732
758
  record,
733
759
  expires_at,
@@ -737,7 +763,7 @@ CREATE INDEX "upstream_oauth_states_expiry_idx" ON "upstream_oauth_states" USING
737
763
  ON CONFLICT (id) DO UPDATE
738
764
  SET record = EXCLUDED.record,
739
765
  expires_at = EXCLUDED.expires_at,
740
- updated_at = EXCLUDED.updated_at`,[t.id,JSON.stringify(t),new Date(t.expiresAt),r])}async consumeForCallback(t){let r=new Date,n=new Date(r.getTime()+PP),a=vg(u.array(xP).parse(await this.db.query(`WITH expired_state_cleanup AS (
766
+ updated_at = EXCLUDED.updated_at`,[t.id,JSON.stringify(t),new Date(t.expiresAt),r])}async consumeForCallback(t){let r=new Date,n=new Date(r.getTime()+kE),a=Bg(c.array(PE).parse(await this.db.query(`WITH expired_state_cleanup AS (
741
767
  DELETE FROM upstream_oauth_states
742
768
  WHERE id = $1
743
769
  AND expires_at <= $2
@@ -788,7 +814,7 @@ CREATE INDEX "upstream_oauth_states_expiry_idx" ON "upstream_oauth_states" USING
788
814
  WHEN EXISTS (SELECT 1 FROM candidate) THEN 'consumed'
789
815
  ELSE 'missing'
790
816
  END AS kind,
791
- (SELECT record FROM deleted_state LIMIT 1) AS record`,[t,r,n])),"OAuth state consume");if(a.kind==="available"){if(a.record===null)throw g("internal_server_error","Consumed OAuth state row did not include a record");return{kind:"available",record:OP(a.record)}}return{kind:a.kind}}},Us=class{constructor(t){this.db=t}static{o(this,"PostgresBrowserConnectTicketStore")}async consume(t,r){let n=new Date;return vg(u.array(kP).parse(await this.db.query(`WITH expired_consumption_cleanup AS (
817
+ (SELECT record FROM deleted_state LIMIT 1) AS record`,[t,r,n])),"OAuth state consume");if(a.kind==="available"){if(a.record===null)throw g("internal_server_error","Consumed OAuth state row did not include a record");return{kind:"available",record:xE(a.record)}}return{kind:a.kind}}},Zi=class{constructor(t){this.db=t}static{o(this,"PostgresBrowserConnectTicketStore")}async consume(t,r){let n=new Date;return Bg(c.array(EE).parse(await this.db.query(`WITH expired_consumption_cleanup AS (
792
818
  DELETE FROM browser_connect_ticket_consumptions
793
819
  WHERE id = $1
794
820
  AND expires_at <= $2
@@ -806,11 +832,11 @@ CREATE INDEX "upstream_oauth_states_expiry_idx" ON "upstream_oauth_states" USING
806
832
  ON CONFLICT (id) DO NOTHING
807
833
  RETURNING id
808
834
  )
809
- SELECT EXISTS (SELECT 1 FROM inserted_consumption) AS inserted`,[t,n,r])),"browser connect ticket consume").inserted?{kind:"available"}:{kind:"consumed"}}};var UP="__zuploMcpGatewayStorageBackend";function NP(e){return{upstreamConnectionRepository:new ks(e),downstreamOAuthRepository:new Ts(e),oauthStateStore:new Os(e),browserConnectTicketStore:new Us(e)}}o(NP,"createPostgresStorageBackend");var Ud;function $P(){let e=Is().TEST_ONLY_DO_NOT_USE_DB_CONNECTION_STRING;if(!e)throw g("internal_server_error","TEST_ONLY_DO_NOT_USE_DB_CONNECTION_STRING is required for the MCP gateway HTTP postgres backend.");return e}o($P,"requireDatabaseUrl");function zP(){let e=ig($P()),t=ug(e);return NP(t)}o(zP,"buildProductionStorageBackend");function H(){let e=globalThis[UP];return e||(Ud||(Ud=zP()),Ud)}o(H,"getStorage");W();import{errors as Ag,jwtVerify as Pg,SignJWT as xg}from"jose";import{base64url as MP}from"jose";var DP=new TextEncoder,Nd=32;function bg(e,t={}){let r=[qP(e),DP.encode(e)],n;for(let a of r)if(a){if(a.byteLength>=Nd){n=a;break}(n===void 0||a.byteLength>n.byteLength)&&(n=a)}if(n===void 0||n.byteLength<Nd){let a=t.name??"secret key material",s=n?.byteLength??0;throw new Error(`${a} must decode to at least ${Nd} bytes (got ${s}). Generate a high-entropy value with for example: openssl rand -base64 32 | tr '+/' '-_' | tr -d '='.`)}return n}o(bg,"decodeConfiguredSecretKeyMaterial");function qP(e){try{return MP.decode(e)}catch{return}}o(qP,"tryDecodeBase64Url");var Rg=new Map,Ig=new Map;function LP(e){let t=Rg.get(e);return t||(t=bg(Is()[e],{name:e}),Rg.set(e,t)),t}o(LP,"getMasterKeyMaterial");async function bt(e){let t=Ig.get(e.purpose);if(t!==void 0)return t;let r=await e.derive(LP(e.envVar));return Ig.set(e.purpose,r),r}o(bt,"readCachedDerivedKey");var jP="SHA-256";var HP="zuplo-mcp-gateway:",GP=new TextEncoder,Tg=new WeakMap;async function dr(e,t){let r=Tg.get(e);r||(r=new Map,Tg.set(e,r));let n=r.get(t);if(n)return n;let a=await BP(e,t);return r.set(t,a),a}o(dr,"deriveGatewaySigningKey");async function BP(e,t){let r=Cg(e),n=await crypto.subtle.importKey("raw",r,{name:"HKDF"},!1,["deriveBits"]),a=GP.encode(`${HP}${t}`),s=await crypto.subtle.deriveBits({name:"HKDF",hash:jP,salt:new Uint8Array,info:Cg(a)},n,32*8);return new Uint8Array(s)}o(BP,"hkdfExpand");function Cg(e){let t=new ArrayBuffer(e.byteLength);return new Uint8Array(t).set(e),t}o(Cg,"copyToArrayBuffer");var Ns="HS256",kg=15*60,VP=15*60,$s="zuplo-mcp-gateway",zs="zuplo-mcp-gateway",FP=pg.extend({id:Ps}),ZP=FP.extend({exp:u.number().int().positive(),iat:u.number().int().positive().optional()}),Og=wn.extend({id:xd,purpose:u.literal("browser_connect")}),KP=wn.extend({purpose:u.literal("browser_connect")}),WP=Og.extend({exp:u.number().int().positive(),iat:u.number().int().positive().optional()}),Ug=kg*1e3;async function Ng(){return bt({purpose:"oauth-state",envVar:"OAUTH_STATE_SIGNING_KEY",derive:o(e=>dr(e,"oauth-state"),"derive")})}o(Ng,"getOAuthStateKey");async function $g(){return bt({purpose:"browser-connect",envVar:"OAUTH_STATE_SIGNING_KEY",derive:o(e=>dr(e,"browser-connect"),"derive")})}o($g,"getBrowserConnectKey");async function zg(e){let t=Math.floor(Date.now()/1e3)+kg;return new xg(e).setProtectedHeader({alg:Ns,typ:"JWT"}).setIssuer($s).setAudience(zs).setIssuedAt().setExpirationTime(t).sign(await Ng())}o(zg,"signOAuthState");async function Ms(e){try{let{payload:t}=await Pg(e,await Ng(),{algorithms:[Ns],issuer:$s,audience:zs});return ZP.parse(t)}catch(t){throw t instanceof Ag.JWTExpired?g("oauth_state_expired","OAuth state has expired",t):g("oauth_state_invalid","OAuth state could not be verified",t)}}o(Ms,"verifyOAuthState");async function Mg(e){let t=Math.floor(Date.now()/1e3)+VP,r=KP.parse(e),n=Og.parse({...r,id:wg()});return new xg(n).setProtectedHeader({alg:Ns,typ:"JWT"}).setIssuer($s).setAudience(zs).setIssuedAt().setExpirationTime(t).sign(await $g())}o(Mg,"signBrowserConnectTicket");async function Ds(e){try{let{payload:t}=await Pg(e,await $g(),{algorithms:[Ns],issuer:$s,audience:zs});return WP.parse(t)}catch(t){throw t instanceof Ag.JWTExpired?g("oauth_state_expired","Browser connect ticket has expired",t):g("oauth_state_invalid","Browser connect ticket could not be verified",t)}}o(Ds,"verifyBrowserConnectTicket");async function qs(e){if((await H().browserConnectTicketStore.consume(e.id,new Date(e.exp*1e3))).kind==="consumed")throw g("oauth_state_reused","Browser connect ticket has already been used")}o(qs,"consumeBrowserConnectTicket");function JP(e,t,r=!1){return r?`${e} authorization must be renewed before this ${t} can be used.`:`${e} authorization is required before this ${t} can be used.`}o(JP,"buildConnectRequiredMessage");async function Dg(e){let t=Q(e.requestUrl),r=new URL(e.path,t);return e.redirect&&r.searchParams.set("redirect","true"),r.searchParams.set("virtualServerId",e.virtualServerId),r.searchParams.set("browserTicket",await Mg({...xo(e),purpose:"browser_connect"})),r.toString()}o(Dg,"buildGatewayBrowserTicketUrl");function YP(e){return`/auth/connections/${encodeURIComponent(e)}/connect`}o(YP,"buildGatewayConnectPath");async function $d(e){return Dg({...e,path:YP(e.upstreamServerId),redirect:!0})}o($d,"buildGatewayConnectUrl");async function qg(e){return Dg({...e,path:`/auth/connections/${encodeURIComponent(e.upstreamServerId)}/app-password`})}o(qg,"buildGatewayAppPasswordCaptureUrl");async function vn(e){let t={requestUrl:e.requestUrl,owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,virtualServerId:e.virtualServerId,...e.returnTo===void 0?{}:{returnTo:e.returnTo}};return{state:e.requiresReconsent?"reconsent_required":"authenticating",upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,virtualServerId:e.virtualServerId,...e.connectionId?{connectionId:e.connectionId}:{},authUrl:await $d(t),message:JP(e.upstreamDisplayName,e.subject,e.requiresReconsent),nextAction:"redirect"}}o(vn,"buildRedirectConnectRequiredResponse");function Lg(e){return jg({...e,message:e.requiresReconsent?`An administrator must reconnect ${e.upstreamDisplayName} before this tool can be used.`:`An administrator must connect ${e.upstreamDisplayName} before this tool can be used.`})}o(Lg,"buildAdminConnectRequiredResponse");function jg(e){return{state:"admin_connect_required",upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,virtualServerId:e.virtualServerId,...e.connectionId?{connectionId:e.connectionId}:{},message:e.message,nextAction:"admin_setup_required"}}o(jg,"buildAdminSetupRequiredResponse");function Hg(e){return jg({...e,message:e.requiresReconsent?`An administrator must replace the ${e.upstreamDisplayName} static credential before this tool can be used.`:`An administrator must configure the ${e.upstreamDisplayName} static credential before this tool can be used.`})}o(Hg,"buildAdminStaticSecretRequiredResponse");W();import{base64url as lr}from"jose";var XP="SHA-256",Rn="AES-GCM",QP=12,Md="zuplo-secret",Dd=1,Gg="env:TOKEN_ENCRYPTION_KEY",ex=u.object({version:u.literal(Dd),keyId:u.literal(Gg),algorithm:u.literal(Rn),iv:u.string().min(1),ciphertext:u.string().min(1)}).strict();function bn(e){let t=new ArrayBuffer(e.byteLength);return new Uint8Array(t).set(e),t}o(bn,"copyToArrayBuffer");async function zd(){return bt({purpose:"token-encryption",envVar:"TOKEN_ENCRYPTION_KEY",derive:o(async e=>{let t=await crypto.subtle.digest(XP,bn(e));return crypto.subtle.importKey("raw",t,{name:Rn},!1,["encrypt","decrypt"])},"derive")})}o(zd,"getEncryptionKey");function Bg(e){return bn(new TextEncoder().encode(`${Md}:v${e.version}:${e.keyId}`))}o(Bg,"getAssociatedData");function tx(e){return`${Md}:v${e.version}:${lr.encode(new TextEncoder().encode(JSON.stringify(e)))}`}o(tx,"encodeEnvelope");function rx(e){let t=`${Md}:v${Dd}:`;if(!e.startsWith(t))return;let r=e.slice(t.length),n=new TextDecoder().decode(lr.decode(r));return ex.parse(JSON.parse(n))}o(rx,"decodeEnvelope");async function kr(e){let t=await zd(),r=crypto.getRandomValues(new Uint8Array(QP)),n={version:Dd,keyId:Gg},a=await crypto.subtle.encrypt({name:Rn,iv:r,additionalData:Bg(n)},t,new TextEncoder().encode(e));return tx({...n,algorithm:Rn,iv:lr.encode(r),ciphertext:lr.encode(new Uint8Array(a))})}o(kr,"encryptSecret");async function zt(e){let t=rx(e);if(t){let i=await zd(),c=await crypto.subtle.decrypt({name:Rn,iv:bn(lr.decode(t.iv)),additionalData:Bg(t)},i,bn(lr.decode(t.ciphertext)));return new TextDecoder().decode(c)}let[r,n]=e.split(".");if(!r||!n)throw g("internal_server_error","Encrypted payload is malformed");let a=await zd(),s=await crypto.subtle.decrypt({name:Rn,iv:bn(lr.decode(r))},a,bn(lr.decode(n)));return new TextDecoder().decode(s)}o(zt,"decryptSecret");function nx(e,t){let r=ir({upstreamServerId:e,authProfileId:t});if(r.mode!=="tenant_static_secret")throw g("invalid_request",`Upstream server ${e} does not use tenant static credentials.`);return r.secret}o(nx,"requireTenantStaticSecretConfig");function Vg(e){return e?.status==="active"&&e.metadata?.staticSecretKind==="bearer_token"&&!!e.metadata.encryptedStaticSecret}o(Vg,"hasUsableTenantStaticSecret");async function ox(e){if(!Vg(e.connection))throw g("internal_server_error","Stored tenant static credential is incomplete.");return{type:"bearer_token",token:await zt(e.connection.metadata.encryptedStaticSecret)}}o(ox,"resolveTenantStaticSecretCredential");async function Fg(e){let t=Ge(e.upstreamServerId);nx(e.upstreamServerId,e.authProfileId);let r=await H().upstreamConnectionRepository.get(e.owner,e.upstreamServerId,e.authProfileId);if(Vg(r))return{kind:"authorized",credential:await ox({connection:r})};let n={upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,upstreamDisplayName:t.displayName,virtualServerId:e.virtualServerId,requiresReconsent:!!r};return r!==void 0&&(n.connectionId=r.id),{kind:"connect_required",payload:Hg(n)}}o(Fg,"resolveTenantStaticSecretCredentialForRequest");W();async function qd(e){let t=H().upstreamConnectionRepository,r=await t.get(e.owner,e.upstreamServerId,e.authProfileId);return t.upsert({id:r?.id??xs(),tenantId:e.owner.tenantId,ownerMode:e.owner.mode,subjectId:e.owner.mode==="user"?e.owner.subjectId:void 0,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,status:"active",encryptedAccessToken:void 0,encryptedRefreshToken:void 0,scopes:[],expiresAt:void 0,metadata:e.metadata})}o(qd,"upsertStaticSecretConnection");var ax=u.string().trim().min(1).max(320),sx=u.string().min(1).max(4096),ix=u.string().trim().min(1).max(4096);function Ld(e,t){let r=ir({upstreamServerId:e,authProfileId:t});if(r.mode!=="user_static_secret")throw g("invalid_request",`Upstream server ${e} does not use user static credentials.`);return r.secret}o(Ld,"requireUserStaticSecretConfig");function cx(e){let t=new TextEncoder().encode(e),r="";for(let n of t)r+=String.fromCharCode(n);return btoa(r)}o(cx,"encodeBase64Utf8");function ux(e){return`Basic ${cx(`${e.username}:${e.appPassword}`)}`}o(ux,"buildBasicAuthHeader");function Zg(e){return e?.status==="active"&&!!e.metadata?.encryptedStaticSecret}o(Zg,"hasEncryptedUserStaticSecret");async function dx(e){if(!Zg(e.connection))throw g("internal_server_error","Stored user static credential is incomplete.");if(e.connection.metadata.staticSecretKind==="bearer_token")return{type:"bearer_token",token:await zt(e.connection.metadata.encryptedStaticSecret)};if(e.connection.metadata.staticSecretKind==="basic_auth_app_password"&&e.connection.metadata.staticSecretUsername)return{type:"headers",headers:{Authorization:ux({username:e.connection.metadata.staticSecretUsername,appPassword:await zt(e.connection.metadata.encryptedStaticSecret)})}};throw g("internal_server_error","Stored user static credential kind is unsupported.")}o(dx,"resolveUserStaticSecretCredential");async function Kg(e){if(Ld(e.upstreamServerId,e.authProfileId).kind!=="basic_auth_app_password")throw g("invalid_request","This upstream does not use username and app-password credentials.");if(e.owner.mode!=="user")throw g("invalid_request","User static credentials must be stored under a user-owned connection.");let r=ax.parse(e.username),n=sx.parse(e.appPassword);return qd({owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,metadata:{connectedBySubjectId:e.initiatedBySubjectId,encryptedStaticSecret:await kr(n),staticSecretKind:"basic_auth_app_password",staticSecretUsername:r}})}o(Kg,"saveUserStaticSecretCredential");async function Ls(e){let t=Ld(e.upstreamServerId,e.authProfileId);if(t.kind!=="bearer_token")throw g("invalid_request","This upstream does not use bearer token credentials.");if(e.owner.mode!=="user")throw g("invalid_request","User static credentials must be stored under a user-owned connection.");let r=ix.parse(e.token);return qd({owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,metadata:{connectedBySubjectId:e.initiatedBySubjectId,encryptedStaticSecret:await kr(r),staticSecretKind:t.kind,staticSecretLabel:t.label}})}o(Ls,"saveUserStaticBearerTokenCredential");function jd(e,t){return Ld(e,t)}o(jd,"readUserStaticSecretCaptureConfig");async function Wg(e){let t=Ge(e.upstreamServerId);if(e.owner.mode!=="user")throw g("internal_server_error","User static credential flow resolved a non-user owner.");let r=await H().upstreamConnectionRepository.get(e.owner,e.upstreamServerId,e.authProfileId);if(Zg(r))return{kind:"authorized",credential:await dx({connection:r})};let n={requestUrl:e.request.url,owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,upstreamDisplayName:t.displayName,virtualServerId:e.virtualServerId,subject:"tool",requiresReconsent:!!r};return r!==void 0&&(n.connectionId=r.id),{kind:"connect_required",payload:await vn(n)}}o(Wg,"resolveUserStaticSecretCredentialForRequest");function Jg(e){if(e.owner.mode!=="user")throw g("invalid_request","User static credential capture requires a user-owned connection.");return qg({requestUrl:e.request.url,owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,virtualServerId:e.virtualServerId,...e.returnTo===void 0?{}:{returnTo:e.returnTo}})}o(Jg,"buildUserStaticSecretConnectUrl");var Hd;Hd=globalThis.crypto;async function lx(e){return(await Hd).getRandomValues(new Uint8Array(e))}o(lx,"getRandomValues");async function px(e){let t="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._~",r=Math.pow(2,8)-Math.pow(2,8)%t.length,n="";for(;n.length<e;){let a=await lx(e-n.length);for(let s of a)s<r&&(n+=t[s%t.length])}return n}o(px,"random");async function mx(e){return await px(e)}o(mx,"generateVerifier");async function fx(e){let t=await(await Hd).subtle.digest("SHA-256",new TextEncoder().encode(e));return btoa(String.fromCharCode(...new Uint8Array(t))).replace(/\//g,"_").replace(/\+/g,"-").replace(/=/g,"")}o(fx,"generateChallenge");async function Gd(e){if(e||(e=43),e<43||e>128)throw`Expected a length between 43 and 128. Received ${e}.`;let t=await mx(e),r=await fx(t);return{code_verifier:t,code_challenge:r}}o(Gd,"pkceChallenge");W();var Te=Bl().superRefine((e,t)=>{if(!URL.canParse(e))return t.addIssue({code:Kl.custom,message:"URL must be parseable",fatal:!0}),Hl}).refine(e=>{let t=new URL(e);return t.protocol!=="javascript:"&&t.protocol!=="data:"&&t.protocol!=="vbscript:"},{message:"URL cannot use javascript:, data:, or vbscript: scheme"}),js=fe({resource:f().url(),authorization_servers:R(Te).optional(),jwks_uri:f().url().optional(),scopes_supported:R(f()).optional(),bearer_methods_supported:R(f()).optional(),resource_signing_alg_values_supported:R(f()).optional(),resource_name:f().optional(),resource_documentation:f().optional(),resource_policy_uri:f().url().optional(),resource_tos_uri:f().url().optional(),tls_client_certificate_bound_access_tokens:Y().optional(),authorization_details_types_supported:R(f()).optional(),dpop_signing_alg_values_supported:R(f()).optional(),dpop_bound_access_tokens_required:Y().optional()}),ko=fe({issuer:f(),authorization_endpoint:Te,token_endpoint:Te,registration_endpoint:Te.optional(),scopes_supported:R(f()).optional(),response_types_supported:R(f()),response_modes_supported:R(f()).optional(),grant_types_supported:R(f()).optional(),token_endpoint_auth_methods_supported:R(f()).optional(),token_endpoint_auth_signing_alg_values_supported:R(f()).optional(),service_documentation:Te.optional(),revocation_endpoint:Te.optional(),revocation_endpoint_auth_methods_supported:R(f()).optional(),revocation_endpoint_auth_signing_alg_values_supported:R(f()).optional(),introspection_endpoint:f().optional(),introspection_endpoint_auth_methods_supported:R(f()).optional(),introspection_endpoint_auth_signing_alg_values_supported:R(f()).optional(),code_challenge_methods_supported:R(f()).optional(),client_id_metadata_document_supported:Y().optional()}),hx=fe({issuer:f(),authorization_endpoint:Te,token_endpoint:Te,userinfo_endpoint:Te.optional(),jwks_uri:Te,registration_endpoint:Te.optional(),scopes_supported:R(f()).optional(),response_types_supported:R(f()),response_modes_supported:R(f()).optional(),grant_types_supported:R(f()).optional(),acr_values_supported:R(f()).optional(),subject_types_supported:R(f()),id_token_signing_alg_values_supported:R(f()),id_token_encryption_alg_values_supported:R(f()).optional(),id_token_encryption_enc_values_supported:R(f()).optional(),userinfo_signing_alg_values_supported:R(f()).optional(),userinfo_encryption_alg_values_supported:R(f()).optional(),userinfo_encryption_enc_values_supported:R(f()).optional(),request_object_signing_alg_values_supported:R(f()).optional(),request_object_encryption_alg_values_supported:R(f()).optional(),request_object_encryption_enc_values_supported:R(f()).optional(),token_endpoint_auth_methods_supported:R(f()).optional(),token_endpoint_auth_signing_alg_values_supported:R(f()).optional(),display_values_supported:R(f()).optional(),claim_types_supported:R(f()).optional(),claims_supported:R(f()).optional(),service_documentation:f().optional(),claims_locales_supported:R(f()).optional(),ui_locales_supported:R(f()).optional(),claims_parameter_supported:Y().optional(),request_parameter_supported:Y().optional(),request_uri_parameter_supported:Y().optional(),require_request_uri_registration:Y().optional(),op_policy_uri:Te.optional(),op_tos_uri:Te.optional(),client_id_metadata_document_supported:Y().optional()}),Hs=I({...hx.shape,...ko.pick({code_challenge_methods_supported:!0}).shape}),Oo=I({access_token:f(),id_token:f().optional(),token_type:f(),expires_in:Wl.number().optional(),scope:f().optional(),refresh_token:f().optional()}).strip(),Xg=I({error:f(),error_description:f().optional(),error_uri:f().optional()}),Yg=Te.optional().or(P("").transform(()=>{})),gx=I({redirect_uris:R(Te),token_endpoint_auth_method:f().optional(),grant_types:R(f()).optional(),response_types:R(f()).optional(),client_name:f().optional(),client_uri:Te.optional(),logo_uri:Yg,scope:f().optional(),contacts:R(f()).optional(),tos_uri:Yg,policy_uri:f().optional(),jwks_uri:Te.optional(),jwks:Fl().optional(),software_id:f().optional(),software_version:f().optional(),software_statement:f().optional()}).strip(),Bd=I({client_id:f(),client_secret:f().optional(),client_id_issued_at:V().optional(),client_secret_expires_at:V().optional()}).strip(),Uo=gx.merge(Bd),V2=I({error:f(),error_description:f().optional()}).strip(),F2=I({token:f(),token_type_hint:f().optional()}).strip();function Qg(e){let t=typeof e=="string"?new URL(e):new URL(e.href);return t.hash="",t}o(Qg,"resourceUrlFromServerUrl");function e_({requestedResource:e,configuredResource:t}){let r=typeof e=="string"?new URL(e):new URL(e.href),n=typeof t=="string"?new URL(t):new URL(t.href);if(r.origin!==n.origin||r.pathname.length<n.pathname.length)return!1;let a=r.pathname.endsWith("/")?r.pathname:r.pathname+"/",s=n.pathname.endsWith("/")?n.pathname:n.pathname+"/";return a.startsWith(s)}o(e_,"checkResourceAllowed");var pe=class extends Error{static{o(this,"OAuthError")}constructor(t,r){super(t),this.errorUri=r,this.name=this.constructor.name}toResponseObject(){let t={error:this.errorCode,error_description:this.message};return this.errorUri&&(t.error_uri=this.errorUri),t}get errorCode(){return this.constructor.errorCode}},No=class extends pe{static{o(this,"InvalidRequestError")}};No.errorCode="invalid_request";var Or=class extends pe{static{o(this,"InvalidClientError")}};Or.errorCode="invalid_client";var Ur=class extends pe{static{o(this,"InvalidGrantError")}};Ur.errorCode="invalid_grant";var Nr=class extends pe{static{o(this,"UnauthorizedClientError")}};Nr.errorCode="unauthorized_client";var $o=class extends pe{static{o(this,"UnsupportedGrantTypeError")}};$o.errorCode="unsupported_grant_type";var zo=class extends pe{static{o(this,"InvalidScopeError")}};zo.errorCode="invalid_scope";var Mo=class extends pe{static{o(this,"AccessDeniedError")}};Mo.errorCode="access_denied";var Mt=class extends pe{static{o(this,"ServerError")}};Mt.errorCode="server_error";var Do=class extends pe{static{o(this,"TemporarilyUnavailableError")}};Do.errorCode="temporarily_unavailable";var qo=class extends pe{static{o(this,"UnsupportedResponseTypeError")}};qo.errorCode="unsupported_response_type";var Lo=class extends pe{static{o(this,"UnsupportedTokenTypeError")}};Lo.errorCode="unsupported_token_type";var jo=class extends pe{static{o(this,"InvalidTokenError")}};jo.errorCode="invalid_token";var Ho=class extends pe{static{o(this,"MethodNotAllowedError")}};Ho.errorCode="method_not_allowed";var Go=class extends pe{static{o(this,"TooManyRequestsError")}};Go.errorCode="too_many_requests";var $r=class extends pe{static{o(this,"InvalidClientMetadataError")}};$r.errorCode="invalid_client_metadata";var Bo=class extends pe{static{o(this,"InsufficientScopeError")}};Bo.errorCode="insufficient_scope";var Vo=class extends pe{static{o(this,"InvalidTargetError")}};Vo.errorCode="invalid_target";var t_={[No.errorCode]:No,[Or.errorCode]:Or,[Ur.errorCode]:Ur,[Nr.errorCode]:Nr,[$o.errorCode]:$o,[zo.errorCode]:zo,[Mo.errorCode]:Mo,[Mt.errorCode]:Mt,[Do.errorCode]:Do,[qo.errorCode]:qo,[Lo.errorCode]:Lo,[jo.errorCode]:jo,[Ho.errorCode]:Ho,[Go.errorCode]:Go,[$r.errorCode]:$r,[Bo.errorCode]:Bo,[Vo.errorCode]:Vo};var Dt=class extends Error{static{o(this,"UnauthorizedError")}constructor(t){super(t??"Unauthorized")}};function _x(e){return["client_secret_basic","client_secret_post","none"].includes(e)}o(_x,"isClientAuthMethod");var Vd="code",Fd="S256";function yx(e,t){let r=e.client_secret!==void 0;return"token_endpoint_auth_method"in e&&e.token_endpoint_auth_method&&_x(e.token_endpoint_auth_method)&&(t.length===0||t.includes(e.token_endpoint_auth_method))?e.token_endpoint_auth_method:t.length===0?r?"client_secret_basic":"none":r&&t.includes("client_secret_basic")?"client_secret_basic":r&&t.includes("client_secret_post")?"client_secret_post":t.includes("none")?"none":r?"client_secret_post":"none"}o(yx,"selectClientAuthMethod");function wx(e,t,r,n){let{client_id:a,client_secret:s}=t;switch(e){case"client_secret_basic":Sx(a,s,r);return;case"client_secret_post":vx(a,s,n);return;case"none":bx(a,n);return;default:throw new Error(`Unsupported client authentication method: ${e}`)}}o(wx,"applyClientAuthentication");function Sx(e,t,r){if(!t)throw new Error("client_secret_basic authentication requires a client_secret");let n=btoa(`${e}:${t}`);r.set("Authorization",`Basic ${n}`)}o(Sx,"applyBasicAuth");function vx(e,t,r){r.set("client_id",e),t&&r.set("client_secret",t)}o(vx,"applyPostAuth");function bx(e,t){t.set("client_id",e)}o(bx,"applyPublicAuth");async function n_(e){let t=e instanceof Response?e.status:void 0,r=e instanceof Response?await e.text():e;try{let n=Xg.parse(JSON.parse(r)),{error:a,error_description:s,error_uri:i}=n,c=t_[a]||Mt;return new c(s||"",i)}catch(n){let a=`${t?`HTTP ${t}: `:""}Invalid OAuth error response: ${n}. Raw body: ${r}`;return new Mt(a)}}o(n_,"parseErrorResponse");async function pr(e,t){try{return await Zd(e,t)}catch(r){if(r instanceof Or||r instanceof Nr)return await e.invalidateCredentials?.("all"),await Zd(e,t);if(r instanceof Ur)return await e.invalidateCredentials?.("tokens"),await Zd(e,t);throw r}}o(pr,"auth");async function Zd(e,{serverUrl:t,authorizationCode:r,scope:n,resourceMetadataUrl:a,fetchFn:s}){let i=await e.discoveryState?.(),c,d,p,l=a;if(!l&&i?.resourceMetadataUrl&&(l=new URL(i.resourceMetadataUrl)),i?.authorizationServerUrl){if(d=i.authorizationServerUrl,c=i.resourceMetadata,p=i.authorizationServerMetadata??await a_(d,{fetchFn:s}),!c)try{c=await o_(t,{resourceMetadataUrl:l},s)}catch{}(p!==i.authorizationServerMetadata||c!==i.resourceMetadata)&&await e.saveDiscoveryState?.({authorizationServerUrl:String(d),resourceMetadataUrl:l?.toString(),resourceMetadata:c,authorizationServerMetadata:p})}else{let T=await Ax(t,{resourceMetadataUrl:l,fetchFn:s});d=T.authorizationServerUrl,p=T.authorizationServerMetadata,c=T.resourceMetadata,await e.saveDiscoveryState?.({authorizationServerUrl:String(d),resourceMetadataUrl:l?.toString(),resourceMetadata:c,authorizationServerMetadata:p})}let m=await Rx(t,e,c),h=n||c?.scopes_supported?.join(" ")||e.clientMetadata.scope,_=await Promise.resolve(e.clientInformation());if(!_){if(r!==void 0)throw new Error("Existing OAuth client information is required when exchanging an authorization code");let T=p?.client_id_metadata_document_supported===!0,U=e.clientMetadataUrl;if(U&&!Wd(U))throw new $r(`clientMetadataUrl must be a valid HTTPS URL with a non-root pathname, got: ${U}`);if(T&&U)_={client_id:U},await e.saveClientInformation?.(_);else{if(!e.saveClientInformation)throw new Error("OAuth client information must be saveable for dynamic registration");let Be=await Ux(d,{metadata:p,clientMetadata:e.clientMetadata,scope:h,fetchFn:s});await e.saveClientInformation(Be),_=Be}}let w=!e.redirectUrl;if(r!==void 0||w){let T=await Ox(e,d,{metadata:p,resource:m,authorizationCode:r,fetchFn:s});return await e.saveTokens(T),"AUTHORIZED"}let y=await e.tokens();if(y?.refresh_token)try{let T=await kx(d,{metadata:p,clientInformation:_,refreshToken:y.refresh_token,resource:m,addClientAuthentication:e.addClientAuthentication,fetchFn:s});return await e.saveTokens(T),"AUTHORIZED"}catch(T){if(!(!(T instanceof pe)||T instanceof Mt))throw T}let S=e.state?await e.state():void 0,{authorizationUrl:v,codeVerifier:b}=await Px(d,{metadata:p,clientInformation:_,state:S,redirectUrl:e.redirectUrl,scope:h,resource:m});return await e.saveCodeVerifier(b),await e.redirectToAuthorization(v),"REDIRECT"}o(Zd,"authInternal");function Wd(e){if(!e)return!1;try{let t=new URL(e);return t.protocol==="https:"&&t.pathname!=="/"}catch{return!1}}o(Wd,"isHttpsUrl");async function Rx(e,t,r){let n=Qg(e);if(t.validateResourceURL)return await t.validateResourceURL(n,r?.resource);if(r){if(!e_({requestedResource:n,configuredResource:r.resource}))throw new Error(`Protected resource ${r.resource} does not match expected ${n} (or origin)`);return new URL(r.resource)}}o(Rx,"selectResourceURL");function Jd(e){let t=e.headers.get("WWW-Authenticate");if(!t)return{};let[r,n]=t.split(" ");if(r.toLowerCase()!=="bearer"||!n)return{};let a=Kd(e,"resource_metadata")||void 0,s;if(a)try{s=new URL(a)}catch{}let i=Kd(e,"scope")||void 0,c=Kd(e,"error")||void 0;return{resourceMetadataUrl:s,scope:i,error:c}}o(Jd,"extractWWWAuthenticateParams");function Kd(e,t){let r=e.headers.get("WWW-Authenticate");if(!r)return null;let n=new RegExp(`${t}=(?:"([^"]+)"|([^\\s,]+))`),a=r.match(n);return a?a[1]||a[2]:null}o(Kd,"extractFieldFromWwwAuth");async function o_(e,t,r=fetch){let n=await Cx(e,"oauth-protected-resource",r,{protocolVersion:t?.protocolVersion,metadataUrl:t?.resourceMetadataUrl});if(!n||n.status===404)throw await n?.body?.cancel(),new Error("Resource server does not implement OAuth 2.0 Protected Resource Metadata.");if(!n.ok)throw await n.body?.cancel(),new Error(`HTTP ${n.status} trying to load well-known OAuth protected resource metadata.`);return js.parse(await n.json())}o(o_,"discoverOAuthProtectedResourceMetadata");async function Yd(e,t,r=fetch){try{return await r(e,{headers:t})}catch(n){if(n instanceof TypeError)return t?Yd(e,void 0,r):void 0;throw n}}o(Yd,"fetchWithCorsRetry");function Ix(e,t="",r={}){return t.endsWith("/")&&(t=t.slice(0,-1)),r.prependPathname?`${t}/.well-known/${e}`:`/.well-known/${e}${t}`}o(Ix,"buildWellKnownPath");async function r_(e,t,r=fetch){return await Yd(e,{"MCP-Protocol-Version":t},r)}o(r_,"tryMetadataDiscovery");function Tx(e,t){return!e||e.status>=400&&e.status<500&&t!=="/"}o(Tx,"shouldAttemptFallback");async function Cx(e,t,r,n){let a=new URL(e),s=n?.protocolVersion??Vt,i;if(n?.metadataUrl)i=new URL(n.metadataUrl);else{let d=Ix(t,a.pathname);i=new URL(d,n?.metadataServerUrl??a),i.search=a.search}let c=await r_(i,s,r);if(!n?.metadataUrl&&Tx(c,a.pathname)){let d=new URL(`/.well-known/${t}`,a);c=await r_(d,s,r)}return c}o(Cx,"discoverMetadataWithFallback");function Ex(e){let t=typeof e=="string"?new URL(e):e,r=t.pathname!=="/",n=[];if(!r)return n.push({url:new URL("/.well-known/oauth-authorization-server",t.origin),type:"oauth"}),n.push({url:new URL("/.well-known/openid-configuration",t.origin),type:"oidc"}),n;let a=t.pathname;return a.endsWith("/")&&(a=a.slice(0,-1)),n.push({url:new URL(`/.well-known/oauth-authorization-server${a}`,t.origin),type:"oauth"}),n.push({url:new URL(`/.well-known/openid-configuration${a}`,t.origin),type:"oidc"}),n.push({url:new URL(`${a}/.well-known/openid-configuration`,t.origin),type:"oidc"}),n}o(Ex,"buildDiscoveryUrls");async function a_(e,{fetchFn:t=fetch,protocolVersion:r=Vt}={}){let n={"MCP-Protocol-Version":r,Accept:"application/json"},a=Ex(e);for(let{url:s,type:i}of a){let c=await Yd(s,n,t);if(c){if(!c.ok){if(await c.body?.cancel(),c.status>=400&&c.status<500)continue;throw new Error(`HTTP ${c.status} trying to load ${i==="oauth"?"OAuth":"OpenID provider"} metadata from ${s}`)}return i==="oauth"?ko.parse(await c.json()):Hs.parse(await c.json())}}}o(a_,"discoverAuthorizationServerMetadata");async function Ax(e,t){let r,n;try{r=await o_(e,{resourceMetadataUrl:t?.resourceMetadataUrl},t?.fetchFn),r.authorization_servers&&r.authorization_servers.length>0&&(n=r.authorization_servers[0])}catch{}n||(n=String(new URL("/",e)));let a=await a_(n,{fetchFn:t?.fetchFn});return{authorizationServerUrl:n,authorizationServerMetadata:a,resourceMetadata:r}}o(Ax,"discoverOAuthServerInfo");async function Px(e,{metadata:t,clientInformation:r,redirectUrl:n,scope:a,state:s,resource:i}){let c;if(t){if(c=new URL(t.authorization_endpoint),!t.response_types_supported.includes(Vd))throw new Error(`Incompatible auth server: does not support response type ${Vd}`);if(t.code_challenge_methods_supported&&!t.code_challenge_methods_supported.includes(Fd))throw new Error(`Incompatible auth server: does not support code challenge method ${Fd}`)}else c=new URL("/authorize",e);let d=await Gd(),p=d.code_verifier,l=d.code_challenge;return c.searchParams.set("response_type",Vd),c.searchParams.set("client_id",r.client_id),c.searchParams.set("code_challenge",l),c.searchParams.set("code_challenge_method",Fd),c.searchParams.set("redirect_uri",String(n)),s&&c.searchParams.set("state",s),a&&c.searchParams.set("scope",a),a?.includes("offline_access")&&c.searchParams.append("prompt","consent"),i&&c.searchParams.set("resource",i.href),{authorizationUrl:c,codeVerifier:p}}o(Px,"startAuthorization");function xx(e,t,r){return new URLSearchParams({grant_type:"authorization_code",code:e,code_verifier:t,redirect_uri:String(r)})}o(xx,"prepareAuthorizationCodeRequest");async function s_(e,{metadata:t,tokenRequestParams:r,clientInformation:n,addClientAuthentication:a,resource:s,fetchFn:i}){let c=t?.token_endpoint?new URL(t.token_endpoint):new URL("/token",e),d=new Headers({"Content-Type":"application/x-www-form-urlencoded",Accept:"application/json"});if(s&&r.set("resource",s.href),a)await a(d,r,c,t);else if(n){let l=t?.token_endpoint_auth_methods_supported??[],m=yx(n,l);wx(m,n,d,r)}let p=await(i??fetch)(c,{method:"POST",headers:d,body:r});if(!p.ok)throw await n_(p);return Oo.parse(await p.json())}o(s_,"executeTokenRequest");async function kx(e,{metadata:t,clientInformation:r,refreshToken:n,resource:a,addClientAuthentication:s,fetchFn:i}){let c=new URLSearchParams({grant_type:"refresh_token",refresh_token:n}),d=await s_(e,{metadata:t,tokenRequestParams:c,clientInformation:r,addClientAuthentication:s,resource:a,fetchFn:i});return{refresh_token:n,...d}}o(kx,"refreshAuthorization");async function Ox(e,t,{metadata:r,resource:n,authorizationCode:a,fetchFn:s}={}){let i=e.clientMetadata.scope,c;if(e.prepareTokenRequest&&(c=await e.prepareTokenRequest(i)),!c){if(!a)throw new Error("Either provider.prepareTokenRequest() or authorizationCode is required");if(!e.redirectUrl)throw new Error("redirectUrl is required for authorization_code flow");let p=await e.codeVerifier();c=xx(a,p,e.redirectUrl)}let d=await e.clientInformation();return s_(t,{metadata:r,tokenRequestParams:c,clientInformation:d??void 0,addClientAuthentication:e.addClientAuthentication,resource:n,fetchFn:s})}o(Ox,"fetchToken");async function Ux(e,{metadata:t,clientMetadata:r,scope:n,fetchFn:a}){let s;if(t){if(!t.registration_endpoint)throw new Error("Incompatible auth server: does not support dynamic client registration");s=new URL(t.registration_endpoint)}else s=new URL("/register",e);let i=await(a??fetch)(s,{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify({...r,...n!==void 0?{scope:n}:{}})});if(!i.ok)throw await n_(i);return Uo.parse(await i.json())}o(Ux,"registerClient");var Nx=new Set(["localhost","169.254.169.254","metadata.google.internal","metadata"]),$x=[{first:0},{first:10},{first:127},{first:169,secondMin:254,secondMax:254},{first:172,secondMin:16,secondMax:31},{first:192,secondMin:168,secondMax:168},{first:100,secondMin:64,secondMax:127},{first:224,firstMax:239},{first:240,firstMax:255}];function i_(e){if(!/^\d+\.\d+\.\d+\.\d+$/.test(e))return;let t=e.split(".").map(r=>Number(r));if(!(t.length!==4||t.some(r=>Number.isNaN(r)||r<0||r>255)))return t}o(i_,"parseIpv4Octets");function zx([e,t],r){let n=r.firstMax??r.first;return e<r.first||e>n?!1:r.secondMin===void 0||r.secondMax===void 0?!0:t>=r.secondMin&&t<=r.secondMax}o(zx,"ipv4RangeMatches");function c_(e){let t=i_(e);return t!==void 0&&$x.some(r=>zx(t,r))}o(c_,"isPrivateIpv4");function Xd(e){if(!e||e.length>4)return;let t=Number.parseInt(e,16);return Number.isNaN(t)||t<0||t>65535?void 0:t}o(Xd,"parseIpv6Word");function Mx(e,t){return[e>>8&255,e&255,t>>8&255,t&255].join(".")}o(Mx,"formatIpv4FromWords");function Dx(e){let t=e.slice(7),r=i_(t);if(r!==void 0)return r.join(".");let[n,a,s]=t.split(":"),i=Xd(n),c=Xd(a);return s===void 0&&i!==void 0&&c!==void 0?Mx(i,c):void 0}o(Dx,"parseIpv6MappedIpv4");function qx(e){return Xd(e.split(":").find(Boolean))}o(qx,"readFirstIpv6Hextet");function Lx(e){let t=rt(e);if(!t.includes(":"))return!1;if(t==="::"||t==="::1")return!0;if(t.startsWith("::ffff:")){let n=Dx(t);return n===void 0||c_(n)}let r=qx(t);return r===void 0?!1:(r&65024)===64512||(r&65472)===65152}o(Lx,"isPrivateIpv6");function Qd(e){let t=rt(e);return Nx.has(t)||t.endsWith(".internal")||c_(t)||Lx(t)}o(Qd,"isBlockedOutboundHostname");function u_(e){let t=new URL(e);if(t.protocol!=="https:"&&t.protocol!=="http:")throw g("invalid_request",`Unsupported outbound protocol: ${t.protocol}`);let r=Ue(t);if(t.protocol==="http:"&&!r)throw g("invalid_request","Configured outbound HTTP URLs must target loopback hosts.");let n=rt(t.hostname);if(!r&&Qd(n))throw g("invalid_request",`Blocked outbound host: ${n}`);return t}o(u_,"validateConfiguredOutboundUrl");function d_(e){let t=new URL(e);if(t.protocol!=="https:")throw g("invalid_request","Identity provider URLs must use https.");if(t.username||t.password||t.search||t.hash)throw g("invalid_request","Identity provider URLs must not include credentials, query params, or fragments.");let r=rt(t.hostname);if(Qd(r))throw g("invalid_request",`Blocked identity provider host: ${r}`);return t}o(d_,"validateIdentityProviderUrl");function Gs(e){let t=new URL(e);if(t.protocol!=="https:"||t.pathname==="/"||t.username||t.password||t.search||t.hash)throw g("invalid_request","CIMD client_id must be an HTTPS URL with a path and no credentials, query, or fragment.");if(Qd(t.hostname))throw g("invalid_request","CIMD client_id points at a blocked host.");return t}o(Gs,"validateCimdClientMetadataUrl");function l_(e,t){if(!t)return;if(t.aborted){e.abort(t.reason);return}let r=o(()=>e.abort(t.reason),"abort");return t.addEventListener("abort",r,{once:!0}),()=>t.removeEventListener("abort",r)}o(l_,"mergeAbortSignals");async function jx(e){try{await e.cancel()}catch{}}o(jx,"cancelReader");async function Bs(e,t){if(!e)return new Uint8Array;let r=e.getReader(),n=[],a=0,s=await r.read();for(;!s.done;){let d=s.value;if(a+=d.byteLength,a>t.maxBytes)throw await jx(r),t.createLimitError();n.push(d),s=await r.read()}let i=new Uint8Array(a),c=0;for(let d of n)i.set(d,c),c+=d.byteLength;return i}o(Bs,"readBoundedByteStream");var Hx=2,Gx=1024*1024,Bx=1e4,Vx=new Set([301,302,303,307,308]),Fx=["authorization","proxy-authorization","cookie","cookie2"];function el(e){return typeof e=="string"?e:e instanceof URL?e.toString():e.url}o(el,"readRequestUrl");function In(e,t){return t?.method!==void 0?t.method.toUpperCase():e instanceof Request?e.method.toUpperCase():"GET"}o(In,"readRequestMethod");function Zx(e,t,r){let n=e.headers.get("content-length");if(!n)return;let a=Number.parseInt(n,10);if(Number.isFinite(a)&&a>t)throw g(r,"Outbound response exceeded the maximum allowed size.")}o(Zx,"assertContentLengthWithinLimit");async function Kx(e,t,r){return Zx(e,t,r),Bs(e.body,{maxBytes:t,createLimitError:o(()=>g(r,"Outbound response exceeded the maximum allowed size."),"createLimitError")})}o(Kx,"readBoundedResponseBody");function Wx(e,t){let r=new ArrayBuffer(t.byteLength);return new Uint8Array(r).set(t),new Response(r,{status:e.status,statusText:e.statusText,headers:e.headers})}o(Wx,"responseFromBufferedBody");function Jx(e,t){if(!Vx.has(e.status))return;let r=e.headers.get("location");if(r)return new URL(r,t).toString()}o(Jx,"resolveRedirectUrl");function p_(e,t){try{return t.validateUrl(e)}catch(r){throw g(t.problemCode,"Outbound URL was not allowed.",r)}}o(p_,"validateOutboundUrl");function Yx(e,t){throw ae(e)!==void 0?e:g(t,"Outbound fetch failed.",e)}o(Yx,"normalizeFetchError");function Fo(e,t){if(e===void 0)return;let r={event:t.event,code:t.problemCode,method:t.method};if(t.host!==void 0&&(r.host=t.host),t.extra!==void 0)for(let[n,a]of Object.entries(t.extra))a!==void 0&&(r[n]=a);t.error!==void 0&&Re(r,"error",t.error),e.log.warn(r,"Outbound HTTP exchange rejected")}o(Fo,"logOutboundFailure");async function Xx(e,t,r,n,a,s,i){let c=In(r,n);try{return await t(r,n)}catch(d){let p=d instanceof DOMException&&d.name==="AbortError";Fo(e,{event:p?"outbound_fetch_aborted":"outbound_fetch_failed",problemCode:a,method:c,host:et(s),error:d,extra:{abortReason:i()}}),Yx(d,a)}}o(Xx,"fetchWithNormalizedError");function Qx(e){if(e.redirects>=e.maxRedirects)throw g(e.problemCode,"Outbound redirects exceeded the maximum allowed depth.");if(e.method!=="GET"&&e.method!=="HEAD")throw g(e.problemCode,"Outbound redirect after a non-idempotent request was blocked.")}o(Qx,"assertRedirectAllowed");function ek(e,t){let r=new Headers(e);for(let n of Fx)r.delete(n);for(let n of t)r.delete(n);return r}o(ek,"stripCrossOriginHeaders");function tk(e,t,r,n,a){let s={...e,method:t,redirect:"manual",signal:r};return n&&(s.headers=ek(e.headers,a)),s}o(tk,"buildRedirectInit");function rk(e,t,r){let n={...t,redirect:"manual",signal:r};return n.headers===void 0&&e instanceof Request&&(n.headers=e.headers),n}o(rk,"buildInitialRequestInit");function nk(e){let t=In(e.currentInput,e.currentInit);Qx({redirects:e.redirects,maxRedirects:e.maxRedirects,method:t,problemCode:e.problemCode});let r=p_(e.redirectUrl,{problemCode:e.problemCode,validateUrl:e.validateUrl}),n=new URL(e.currentUrl),a=r.origin!==n.origin,s=r.toString();return{currentInput:s,currentUrl:s,currentInit:tk(e.currentInit,t,e.signal,a,e.additionalCrossOriginStrippedHeaders),redirects:e.redirects+1}}o(nk,"followRedirect");async function tl(e,t,r){let n=r.problemCode??"invalid_request",a=r.maxRedirects??Hx,s=r.maxResponseBytes??Gx,i=r.timeoutMs??Bx,c=r.fetchImpl??fetch,d=r.additionalCrossOriginStrippedHeaders??[],p=r.context,l=new AbortController,m=l_(l,t.signal),h=!1,_=setTimeout(()=>{h=!0,l.abort()},i),w=e,y=rk(e,t,l.signal),S;try{S=p_(el(e),{problemCode:n,validateUrl:r.validateUrl}).toString()}catch(b){throw Fo(p,{event:"outbound_url_blocked",problemCode:n,method:In(e,t),host:et(el(e)),error:b}),clearTimeout(_),m?.(),b}let v=0;try{for(;;){let b=await Xx(p,c,w,y,n,S,()=>h?`timeout_after_${i}ms`:void 0),T=Jx(b,S);if(T!==void 0)try{let U=nk({currentInput:w,currentInit:y,currentUrl:S,redirectUrl:T,redirects:v,maxRedirects:a,problemCode:n,validateUrl:r.validateUrl,signal:l.signal,additionalCrossOriginStrippedHeaders:d});w=U.currentInput,y=U.currentInit,S=U.currentUrl,v=U.redirects;continue}catch(U){throw Fo(p,{event:"outbound_redirect_blocked",problemCode:n,method:In(w,y),host:et(S),error:U,extra:{redirects:v,maxRedirects:a,redirectTargetHost:et(T)}}),U}try{return Wx(b,await Kx(b,s,n))}catch(U){throw Fo(p,{event:"outbound_response_size_exceeded",problemCode:n,method:In(w,y),host:et(S),error:U,extra:{maxResponseBytes:s,status:b.status}}),U}}}finally{clearTimeout(_),m?.()}}o(tl,"runSafeOutboundExchange");async function rl(e,t,r){let n=await tl(e,t,r);try{return{response:n,json:await n.clone().json()}}catch(a){throw Fo(r.context,{event:"outbound_json_parse_failed",problemCode:r.problemCode??"invalid_request",method:In(e,t),host:et(el(e)),error:a,extra:{status:n.status,contentType:n.headers.get("content-type")??void 0}}),g(r.problemCode??"invalid_request","Outbound JSON response could not be parsed.",a)}}o(rl,"runSafeOutboundJsonExchange");function Vs(e,t={},r={}){return tl(e,t,{...r,validateUrl:u_})}o(Vs,"fetchConfiguredOutbound");function m_(e,t={},r={}){return rl(e,t,{...r,validateUrl:d_})}o(m_,"fetchIdentityProviderJson");function f_(e,t={},r={}){return rl(e,t,{...r,validateUrl:Gs})}o(f_,"fetchCimdClientMetadataJson");W();function nl(e){return`Zuplo MCP Gateway - ${e}`}o(nl,"buildGatewayOAuthClientName");function h_(e,t){let r=new URL(e,Q(t));return Ue(r)&&rt(r.hostname)!=="localhost"&&(r.hostname="localhost"),r.toString()}o(h_,"buildGatewayOAuthRedirectUri");function ol(e){let t=new URL(`/.well-known/oauth-client/${encodeURIComponent(e.upstreamServerId)}`,e.origin);return t.searchParams.set("authProfileId",e.authProfileId),t.toString()}o(ol,"buildOAuthClientMetadataDocumentUrl");function g_(e){return Q(e)}o(g_,"requireOAuthClientMetadataOrigin");function __(e,t,r){let n=Ge(t),a=xr(t,r);return{client_id:ol({origin:e,upstreamServerId:t,authProfileId:r}),client_name:nl(n.displayName),client_uri:new URL("/",e).toString(),redirect_uris:[new URL(a.redirectPath,e).toString()],grant_types:["authorization_code","refresh_token"],response_types:["code"],application_type:"web",token_endpoint_auth_method:"none"}}o(__,"buildOAuthClientMetadataDocument");var ok=u.union([Uo,Bd]),ak=u.object({authorizationServerUrl:u.url(),resourceMetadataUrl:u.url().optional(),resourceMetadata:js.optional(),authorizationServerMetadata:u.union([ko,Hs]).optional()}).passthrough(),sk="Bearer";function ik(e){return e?e.split(/[,\s]+/).filter(Boolean):[]}o(ik,"splitScopes");function ck(e){return ws.parse(e)}o(ck,"parsePkceCodeVerifier");function uk(e){if(typeof e.expires_in=="number")return K(new Date(Date.now()+e.expires_in*1e3))}o(uk,"readTokenExpiry");async function y_(e){if(e!==void 0)return kr(JSON.stringify(e))}o(y_,"encryptJson");async function w_(e,t){if(!e)return;let r=await zt(e);try{return t.parse(JSON.parse(r))}catch(n){throw g("oauth_state_invalid","Stored upstream OAuth JSON state is invalid.",n)}}o(w_,"decryptJson");function dk(e){if(e===void 0)return;let t={authorizationServerUrl:e.authorizationServerUrl};return e.resourceMetadataUrl!==void 0&&(t.resourceMetadataUrl=e.resourceMetadataUrl),e.resourceMetadata!==void 0&&(t.resourceMetadata=e.resourceMetadata),e.authorizationServerMetadata!==void 0&&(t.authorizationServerMetadata=e.authorizationServerMetadata),t}o(dk,"toOAuthDiscoveryState");function lk(e,t){return"redirect_uris"in e?e.redirect_uris.includes(t):!0}o(lk,"clientInformationAllowsRedirectUri");function pk(e,t,r){let n=Ge(e),a=xr(e,t),s;return a.scopes.length>0&&(s=a.scopes.join(a.scopeDelimiter)),{client_name:nl(n.displayName),client_uri:new URL("/",new URL(r).origin).toString(),redirect_uris:[r],grant_types:["authorization_code","refresh_token"],response_types:["code"],application_type:"web",scope:s,token_endpoint_auth_method:"none"}}o(pk,"buildOAuthClientMetadata");function mk(e){let t;if(e.registration.tokenEndpointAuthMethod!=="none"&&(t=e.registration.clientSecret,!t))throw g("internal_server_error",`Manual OAuth registration for ${e.upstreamServerId} requires clientSecret.`);return Uo.parse({...e.clientMetadata,client_id:e.registration.clientId,token_endpoint_auth_method:e.registration.tokenEndpointAuthMethod,...t===void 0?{}:{client_secret:t}})}o(mk,"buildManualOAuthClientInformation");function fk(e,t,r){let n=ol({origin:new URL(r).origin,upstreamServerId:e,authProfileId:t});return Wd(n)?n:void 0}o(fk,"buildClientMetadataUrl");function S_(e){for(let t of e)if(t!==void 0)return t}o(S_,"firstDefined");function hk(e){let t=xr(e.target.upstreamServerId,e.target.authProfileId),r=pk(e.target.upstreamServerId,e.target.authProfileId,e.redirectUri);if(t.clientRegistration.mode==="manual")return{clientMetadata:r,configuredClientInformation:mk({clientMetadata:r,registration:t.clientRegistration,upstreamServerId:e.target.upstreamServerId})};let n=fk(e.target.upstreamServerId,e.target.authProfileId,e.redirectUri);return n===void 0?{clientMetadata:r}:{clientMetadata:r,clientMetadataUrl:n}}o(hk,"buildInitialOAuthClientSetup");function gk(e,t){if(t===void 0)return S_([e.pendingState?.encryptedClientInformation,e.connectionMetadata?.encryptedClientInformation,e.connection?.metadata?.encryptedClientInformation])}o(gk,"readEncryptedClientInformation");function _k(e){return S_([e.pendingState?.encryptedDiscoveryState,e.connectionMetadata?.encryptedDiscoveryState,e.connection?.metadata?.encryptedDiscoveryState])}o(_k,"readEncryptedDiscoveryState");var zr=class{static{o(this,"UpstreamOAuthProvider")}clientMetadataUrl;target;redirectUriValue;returnOrigin;clientMetadataValue;configuredClientInformation;authorizationUrlValue;connection;pendingState;encryptedClientInformation;encryptedDiscoveryState;cachedClientInformation;clientInformationLoaded=!1;cachedDiscoveryState;discoveryStateLoaded=!1;cachedTokens;tokensLoaded=!1;constructor(t){let r=hk({target:t.target,redirectUri:t.redirectUri});this.target=t.target,this.redirectUriValue=t.redirectUri,this.returnOrigin=t.returnOrigin,this.clientMetadataValue=r.clientMetadata,this.configuredClientInformation=r.configuredClientInformation,r.clientMetadataUrl!==void 0&&(this.clientMetadataUrl=r.clientMetadataUrl),this.connection=t.connection,this.pendingState=t.pendingState?{...t.pendingState}:void 0,this.encryptedClientInformation=gk(t,this.configuredClientInformation),this.encryptedDiscoveryState=_k(t)}get authorizationUrl(){return this.authorizationUrlValue}get redirectUrl(){return this.redirectUriValue}get clientMetadata(){return this.clientMetadataValue}async state(){let t=await this.createPendingState();return zg({id:t.id,...xo({owner:this.target.owner,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,virtualServerId:t.virtualServerId})})}async clientInformation(){return this.configuredClientInformation?this.configuredClientInformation:this.loadPersistedClientInformation()}async saveClientInformation(t){this.configuredClientInformation||(this.cachedClientInformation=t,this.clientInformationLoaded=!0,this.encryptedClientInformation=await y_(t),await this.syncPendingState(!1))}async discoveryState(){return this.loadPersistedDiscoveryState()}async saveDiscoveryState(t){this.cachedDiscoveryState=t,this.discoveryStateLoaded=!0,this.encryptedDiscoveryState=await y_(t),await this.syncPendingState(!1)}async tokens(){return this.loadStoredTokens()}async saveTokens(t){let r=Oo.parse(t),n=this.target.owner.mode==="user"?this.target.owner.subjectId:void 0;this.cachedTokens=r,this.tokensLoaded=!0;let a={id:this.connection?.id??xs(),tenantId:this.target.owner.tenantId,ownerMode:this.target.owner.mode,subjectId:n,upstreamServerId:this.target.upstreamServerId,authProfileId:this.target.authProfileId,status:"active",encryptedAccessToken:await kr(r.access_token),encryptedRefreshToken:r.refresh_token?await kr(r.refresh_token):void 0,scopes:ik(r.scope??this.clientMetadataValue.scope),expiresAt:uk(r),metadata:this.readStoredOAuthPersistence(this.target.owner.mode==="tenant_shared"?this.target.initiatedBySubjectId:void 0)};this.connection=await H().upstreamConnectionRepository.upsert(a)}async redirectToAuthorization(t){this.authorizationUrlValue=t.toString()}async saveCodeVerifier(t){let r=await this.createPendingState();await this.persistPendingState({...r,codeVerifier:ck(t)})}async codeVerifier(){if(!this.pendingState?.codeVerifier)throw g("oauth_state_invalid","OAuth code verifier is missing");return this.pendingState.codeVerifier}async invalidateCredentials(t){let r=t==="all"||t==="client"||t==="tokens",n=t==="all"||t==="client",a=t==="all"||t==="discovery",s=t==="all"||t==="verifier";n&&(this.cachedClientInformation=void 0,this.clientInformationLoaded=!0,this.encryptedClientInformation=void 0),a&&(this.cachedDiscoveryState=void 0,this.discoveryStateLoaded=!0,this.encryptedDiscoveryState=void 0),r&&(this.cachedTokens=void 0,this.tokensLoaded=!0),await this.syncPendingState(s),await this.persistCredentialInvalidation(r)}async createPendingState(){if(this.pendingState)return this.pendingState;let t={id:yg(),...xo({owner:this.target.owner,initiatedBySubjectId:this.target.initiatedBySubjectId,upstreamServerId:this.target.upstreamServerId,authProfileId:this.target.authProfileId,virtualServerId:this.target.virtualServerId,...this.target.returnTo===void 0?{}:{returnTo:this.target.returnTo}}),callbackPath:new URL(this.redirectUriValue).pathname,expiresAt:K(new Date(Date.now()+Ug)),redirectUri:this.redirectUriValue,...this.returnOrigin===void 0?{}:{returnOrigin:this.returnOrigin},encryptedClientInformation:this.encryptedClientInformation,encryptedDiscoveryState:this.encryptedDiscoveryState,connectedBySubjectId:this.target.owner.mode==="tenant_shared"?this.target.initiatedBySubjectId:void 0};return await this.persistPendingState(t),t}async persistPendingState(t){await H().oauthStateStore.save(t),this.pendingState=t}async syncPendingState(t){this.pendingState&&await this.persistPendingState({...this.pendingState,codeVerifier:t?void 0:this.pendingState.codeVerifier,encryptedClientInformation:this.encryptedClientInformation,encryptedDiscoveryState:this.encryptedDiscoveryState})}async loadPersistedClientInformation(){if(this.clientInformationLoaded)return this.cachedClientInformation;let t;try{t=await w_(this.encryptedClientInformation,ok)}catch{this.encryptedClientInformation=void 0,this.cachedClientInformation=void 0,this.clientInformationLoaded=!0,await this.syncPendingState(!1),await this.persistCredentialInvalidation(!1);return}if(t&&!lk(t,this.redirectUriValue)){this.encryptedClientInformation=void 0,this.cachedClientInformation=void 0,this.clientInformationLoaded=!0,await this.syncPendingState(!1);return}return this.cachedClientInformation=t,this.clientInformationLoaded=!0,this.cachedClientInformation}async loadPersistedDiscoveryState(){if(this.discoveryStateLoaded)return this.cachedDiscoveryState;try{this.cachedDiscoveryState=dk(await w_(this.encryptedDiscoveryState,ak))}catch{this.encryptedDiscoveryState=void 0,this.cachedDiscoveryState=void 0,await this.syncPendingState(!1),await this.persistCredentialInvalidation(!1)}return this.discoveryStateLoaded=!0,this.cachedDiscoveryState}async loadStoredTokens(){if(this.tokensLoaded)return this.cachedTokens;if(this.tokensLoaded=!0,!this.connection?.encryptedAccessToken||this.connection.status!=="active")return;let t=Oo.parse({access_token:await zt(this.connection.encryptedAccessToken),token_type:sk,refresh_token:this.connection.encryptedRefreshToken?await zt(this.connection.encryptedRefreshToken):void 0,scope:this.connection.scopes.length>0?this.connection.scopes.join(" "):void 0});return this.cachedTokens=t,t}async persistCredentialInvalidation(t){if(!this.connection)return;let r={id:this.connection.id,tenantId:this.connection.tenantId,ownerMode:this.connection.ownerMode,subjectId:this.connection.subjectId,upstreamServerId:this.connection.upstreamServerId,authProfileId:this.connection.authProfileId,status:this.connection.status,encryptedAccessToken:this.connection.encryptedAccessToken,encryptedRefreshToken:this.connection.encryptedRefreshToken,scopes:[...this.connection.scopes],expiresAt:this.connection.expiresAt,metadata:this.connection.metadata?{...this.connection.metadata}:void 0};t&&(r.status="reconsent_required",r.encryptedAccessToken=void 0,r.encryptedRefreshToken=void 0,r.scopes=[],r.expiresAt=void 0),r.metadata=this.readStoredOAuthPersistence(this.connection.metadata?.connectedBySubjectId),this.connection=await H().upstreamConnectionRepository.upsert(r)}readStoredOAuthPersistence(t){if(!(!this.encryptedClientInformation&&!this.encryptedDiscoveryState&&!t))return{encryptedClientInformation:this.encryptedClientInformation,encryptedDiscoveryState:this.encryptedDiscoveryState,connectedBySubjectId:t}}};var yk=1e4,wk=256*1024,Sk=2;function vk(e){return!e||e.status!=="active"||!e.encryptedAccessToken?!1:e.expiresAt?new Date(e.expiresAt).getTime()>Date.now():!0}o(vk,"hasUsableAccessToken");var bk="does not support dynamic client registration";function Rk(e){return e instanceof Error&&e.message.includes(bk)}o(Rk,"isDynamicClientRegistrationUnsupported");function Ik(e){return typeof e=="string"||e instanceof URL?{url:new URL(e.toString())}:{method:e.method,url:new URL(e.url)}}o(Ik,"readOAuthFetchRequest");function Tk(e,t){return(e.headers.get("content-type")??"").includes("json")||t.trimStart().startsWith("{")||t.trimStart().startsWith("[")}o(Tk,"responseLooksJson");function v_(e){return async(t,r)=>{let n=Ik(t),a=await Vs(t,r,{maxRedirects:Sk,maxResponseBytes:wk,problemCode:"upstream_token_exchange_failed",timeoutMs:yk}),s=await a.clone().text();if(!Tk(a,s))return a;try{JSON.parse(s)}catch(i){throw g("upstream_token_exchange_failed",`Upstream OAuth fetch ${n.url.origin}${n.url.pathname} for ${e} returned invalid JSON.`,i)}return a}}o(v_,"createUpstreamOAuthFetch");async function b_(e,t){try{return await pr(e,{serverUrl:t.serverUrl,resourceMetadataUrl:new URL(t.resourceMetadataUrl),fetchFn:v_(t.upstreamServerId)})}catch(r){throw Rk(r)?g("upstream_client_registration_required",`The authorization server for ${t.upstreamServerId} does not advertise Client ID Metadata Document support and does not support Dynamic Client Registration. Register a client for the gateway manually before retrying.`,r):r}}o(b_,"runUpstreamOAuth");async function Ck(e,t){return pr(e,{serverUrl:t.serverUrl,authorizationCode:t.authorizationCode,resourceMetadataUrl:new URL(t.resourceMetadataUrl),fetchFn:v_(t.upstreamServerId)})}o(Ck,"exchangeUpstreamAuthorizationCode");async function R_(e,t){let r=await b_(e,t);if(r==="REDIRECT"&&e.authorizationUrl)return e.authorizationUrl;throw r==="AUTHORIZED"?g("upstream_token_exchange_failed",`OAuth connect flow reused existing credentials instead of producing a redirect for ${t.upstreamServerId}`):g("upstream_token_exchange_failed",`Unexpected OAuth result for ${t.upstreamServerId}: ${r}`)}o(R_,"requireUpstreamAuthorizationRedirect");async function I_(e){if(vk(e.connection))return{kind:"authorized",credential:{type:"mcp_oauth_provider",provider:e.provider}};let t=await b_(e.provider,{upstreamServerId:e.target.upstreamServerId,serverUrl:e.serverUrl,resourceMetadataUrl:e.resourceMetadataUrl});if(t==="AUTHORIZED")return{kind:"authorized",credential:{type:"mcp_oauth_provider",provider:e.provider}};if(t!=="REDIRECT")throw g("upstream_token_exchange_failed",`Unexpected OAuth result for ${e.target.upstreamServerId}: ${t}`);if(!e.provider.authorizationUrl)throw g("upstream_token_exchange_failed",`OAuth connect-required flow did not produce a redirect for ${e.target.upstreamServerId}`);return{kind:"connect_required",payload:await kk({requestUrl:e.target.request.url,connection:e.connection,owner:e.target.owner,initiatedBySubjectId:e.target.initiatedBySubjectId,upstreamServerId:e.target.upstreamServerId,authProfileId:e.target.authProfileId,upstreamDisplayName:e.upstreamDisplayName,virtualServerId:e.target.virtualServerId,...e.target.returnTo===void 0?{}:{returnTo:e.target.returnTo}})}}o(I_,"authorizeUpstreamOAuthSession");async function Ek(e){let t=await Ms(e.stateToken),r=await H().oauthStateStore.consumeForCallback(t.id),n=Ak(r);return Pk({storedState:n,signedState:t,upstreamServerId:e.upstreamServerId,callbackPath:new URL(e.request.url).pathname}),xk(n),n}o(Ek,"consumeStoredCallbackState");function Ak(e){switch(e.kind){case"consumed":throw g("oauth_state_reused","OAuth state has already been used");case"missing":throw g("oauth_state_expired","OAuth state is missing or expired");case"available":return e.record}}o(Ak,"readConsumedCallbackState");function Pk(e){if(![e.storedState.tenantId===e.signedState.tenantId,e.storedState.ownerMode===e.signedState.ownerMode,e.storedState.initiatedBySubjectId===e.signedState.initiatedBySubjectId,e.storedState.ownerSubjectId===e.signedState.ownerSubjectId,e.storedState.upstreamServerId===e.signedState.upstreamServerId,e.storedState.authProfileId===e.signedState.authProfileId,e.storedState.virtualServerId===e.signedState.virtualServerId,e.storedState.upstreamServerId===e.upstreamServerId,e.storedState.callbackPath===e.callbackPath].every(Boolean))throw g("oauth_callback_mismatch","OAuth callback did not match the initiating request")}o(Pk,"assertStoredCallbackStateMatches");function xk(e){if(new Date(e.expiresAt).getTime()<=Date.now())throw g("oauth_state_expired","OAuth state has expired")}o(xk,"assertStoredCallbackStateFresh");async function kk(e){if(e.owner.mode==="tenant_shared"){let r={upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,upstreamDisplayName:e.upstreamDisplayName,virtualServerId:e.virtualServerId,requiresReconsent:!!e.connection};return e.connection!==void 0&&(r.connectionId=e.connection.id),Lg(r)}let t={requestUrl:e.requestUrl,owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,upstreamDisplayName:e.upstreamDisplayName,virtualServerId:e.virtualServerId,subject:"tool",requiresReconsent:!!e.connection,...e.returnTo===void 0?{}:{returnTo:e.returnTo}};return e.connection!==void 0&&(t.connectionId=e.connection.id),vn(t)}o(kk,"buildOAuthConnectRequiredResponse");async function T_(e){let t=await Ek({request:e.request,upstreamServerId:e.upstreamServerId,stateToken:e.stateToken}),r=Sn(t),n=await H().upstreamConnectionRepository.get(r,t.upstreamServerId,t.authProfileId),a={target:{owner:r,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,virtualServerId:t.virtualServerId,...t.returnTo===void 0?{}:{returnTo:t.returnTo}},redirectUri:t.redirectUri,pendingState:t};n!==void 0&&(a.connection=n);let s=new zr(a),i=await Ck(s,{upstreamServerId:e.upstreamServerId,serverUrl:e.upstreamServerConfig.transport.baseUrl,authorizationCode:e.authorizationCode,resourceMetadataUrl:e.upstreamServerConfig.transport.resourceMetadataUrl});if(i==="AUTHORIZED")return t;throw i!=="REDIRECT"?g("upstream_token_exchange_failed",`Unexpected OAuth result for ${e.upstreamServerId}: ${i}`):g("upstream_token_exchange_failed",`OAuth callback flow did not finish authorization for ${e.upstreamServerId}`)}o(T_,"finishUpstreamOAuthCallback");async function C_(e){let t=Ge(e.upstreamServerId),r=xr(e.upstreamServerId,e.authProfileId),n=h_(r.redirectPath,e.request.url),a=await H().upstreamConnectionRepository.get(e.owner,e.upstreamServerId,e.authProfileId);return{upstreamServerConfig:t,connection:a,providerInput:{target:{owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,virtualServerId:e.virtualServerId,...e.returnTo===void 0?{}:{returnTo:e.returnTo}},redirectUri:n,returnOrigin:Q(e.request.url)}}}o(C_,"prepareUpstreamOAuthRequest");async function E_(e){let t=await C_(e),r=new zr({...t.providerInput,...t.connection?.metadata===void 0?{}:{connectionMetadata:t.connection.metadata}});return R_(r,{upstreamServerId:e.upstreamServerId,serverUrl:t.upstreamServerConfig.transport.baseUrl,resourceMetadataUrl:t.upstreamServerConfig.transport.resourceMetadataUrl})}o(E_,"startUpstreamConnect");async function A_(e){let t=await C_(e),r=new zr({...t.providerInput,...t.connection===void 0?{}:{connection:t.connection}});return I_({target:e,provider:r,connection:t.connection,upstreamDisplayName:t.upstreamServerConfig.displayName,serverUrl:t.upstreamServerConfig.transport.baseUrl,resourceMetadataUrl:t.upstreamServerConfig.transport.resourceMetadataUrl})}o(A_,"authorizeUpstreamRequest");function Ok(e,t){switch(e.kind){case"bearer_token":{if(!e.token)throw g("internal_server_error",`Static bearer token is not configured for upstream ${t}.`);return{type:"bearer_token",token:e.token}}case"headers":{let r={};for(let n of e.headers){if(!n.value)throw g("internal_server_error",`Static header ${n.name} is not configured for upstream ${t}.`);r[n.name]=n.value}return{type:"headers",headers:r}}}}o(Ok,"resolveStaticSecretCredential");async function P_(e){let{routeAuth:t}=e;switch(t.authMode){case"tenant_shared_oauth":case"user_oauth":return A_({request:e.request,owner:t.owner,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,virtualServerId:t.virtualServerId});case"tenant_static_secret":return Fg({owner:t.owner,initiatedBySubjectId:t.initiatedBySubjectId,authProfileId:t.authProfileId,upstreamServerId:t.upstreamServerId,virtualServerId:t.virtualServerId});case"static_secret":{let n=ir({upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId});if(n.mode!=="static_secret")throw g("internal_server_error",`Resolved static-secret credential context loaded ${n.mode} config.`);return{kind:"authorized",credential:Ok(n.secret,t.upstreamServerId)}}case"user_static_secret":return Wg({request:e.request,owner:t.owner,initiatedBySubjectId:t.initiatedBySubjectId,authProfileId:t.authProfileId,upstreamServerId:t.upstreamServerId,virtualServerId:t.virtualServerId})}throw g("internal_server_error",`Unsupported upstream auth route context ${JSON.stringify(t)}.`)}o(P_,"resolveUpstreamCredentialForRoute");async function x_(e){let t=ur(e.principal.tenantId,e.principal.subjectId),r=tt().byVirtualServerId.get(e.virtualServerId);if(r)for(let n of r.connections)n.authConfig.mode!=="user_static_secret"||n.authConfig.secret.kind!=="bearer_token"||n.authConfig.secret.capture!=="browser_login"||await Ls({owner:t,initiatedBySubjectId:e.principal.subjectId,upstreamServerId:n.upstreamServerId,authProfileId:n.authProfileId,token:e.apiKey})}o(x_,"saveBrowserLoginApiKeyCredentialsForVirtualServer");async function k_(e){let t,r={request:e.request,owner:e.connectRequest.owner,initiatedBySubjectId:e.connectRequest.initiatedBySubjectId,upstreamServerId:e.connectRequest.upstreamServerId,authProfileId:e.connectRequest.authProfileId,virtualServerId:e.connectRequest.virtualServerId,...e.connectRequest.returnTo===void 0?{}:{returnTo:e.connectRequest.returnTo}},n=vt(e.connectRequest.authMode);switch(n.connectSupport){case"oauth_authorization":t=await E_(r);break;case"user_static_secret_capture":t=await Jg(r);break;case"none":throw g("invalid_request",n.connectUnsupportedDetail??`Upstream server ${e.connectRequest.upstreamServerId} does not support browser connection flows.`)}return{authProfileId:e.connectRequest.authProfileId,authUrl:t,initiatedBySubjectId:e.connectRequest.initiatedBySubjectId,owner:e.connectRequest.owner,upstreamDisplayName:e.connectRequest.upstreamDisplayName,virtualServerId:e.connectRequest.virtualServerId}}o(k_,"startUpstreamConnectForRequest");async function O_(e){let r=(await Ms(e.callbackRequest.state)).authProfileId,n=ir({upstreamServerId:e.callbackRequest.upstreamServerId,authProfileId:r});if(vt(n.mode).callbackSupport!=="authorization_code")throw g("invalid_request",`Upstream server ${e.callbackRequest.upstreamServerId} does not support OAuth callbacks.`);return T_({request:e.request,upstreamServerId:e.callbackRequest.upstreamServerId,authorizationCode:e.callbackRequest.code,stateToken:e.callbackRequest.state,upstreamServerConfig:Ge(e.callbackRequest.upstreamServerId)})}o(O_,"finishUpstreamCallbackForRequest");var Fs=class{static{o(this,"ExperimentalClientTasks")}constructor(t){this._client=t}async*callToolStream(t,r=Kt,n){let a=this._client,s={...n,task:n?.task??(a.isToolTask(t.name)?{}:void 0)},i=a.requestStream({method:"tools/call",params:t},r,s),c=a.getToolOutputValidator(t.name);for await(let d of i){if(d.type==="result"&&c){let p=d.result;if(!p.structuredContent&&!p.isError){yield{type:"error",error:new E(A.InvalidRequest,`Tool ${t.name} has an output schema but did not return structured content`)};return}if(p.structuredContent)try{let l=c(p.structuredContent);if(!l.valid){yield{type:"error",error:new E(A.InvalidParams,`Structured content does not match the tool's output schema: ${l.errorMessage}`)};return}}catch(l){if(l instanceof E){yield{type:"error",error:l};return}yield{type:"error",error:new E(A.InvalidParams,`Failed to validate structured content: ${l instanceof Error?l.message:String(l)}`)};return}}yield d}}async getTask(t,r){return this._client.getTask({taskId:t},r)}async getTaskResult(t,r,n){return this._client.getTaskResult({taskId:t},r,n)}async listTasks(t,r){return this._client.listTasks(t?{cursor:t}:void 0,r)}async cancelTask(t,r){return this._client.cancelTask({taskId:t},r)}requestStream(t,r,n){return this._client.requestStream(t,r,n)}};function Zs(e,t){if(!(!e||t===null||typeof t!="object")){if(e.type==="object"&&e.properties&&typeof e.properties=="object"){let r=t,n=e.properties;for(let a of Object.keys(n)){let s=n[a];r[a]===void 0&&Object.prototype.hasOwnProperty.call(s,"default")&&(r[a]=s.default),r[a]!==void 0&&Zs(s,r[a])}}if(Array.isArray(e.anyOf))for(let r of e.anyOf)typeof r!="boolean"&&Zs(r,t);if(Array.isArray(e.oneOf))for(let r of e.oneOf)typeof r!="boolean"&&Zs(r,t)}}o(Zs,"applyElicitationDefaults");function Uk(e){if(!e)return{supportsFormMode:!1,supportsUrlMode:!1};let t=e.form!==void 0,r=e.url!==void 0;return{supportsFormMode:t||!t&&!r,supportsUrlMode:r}}o(Uk,"getSupportedElicitationModes");var Ks=class extends Fr{static{o(this,"Client")}constructor(t,r){super(r),this._clientInfo=t,this._cachedToolOutputValidators=new Map,this._cachedKnownTaskTools=new Set,this._cachedRequiredTaskTools=new Set,this._listChangedDebounceTimers=new Map,this._capabilities=r?.capabilities??{},this._jsonSchemaValidator=r?.jsonSchemaValidator??new dn,r?.listChanged&&(this._pendingListChangedConfig=r.listChanged)}_setupListChangedHandlers(t){t.tools&&this._serverCapabilities?.tools?.listChanged&&this._setupListChangedHandler("tools",Wi,t.tools,async()=>(await this.listTools()).tools),t.prompts&&this._serverCapabilities?.prompts?.listChanged&&this._setupListChangedHandler("prompts",Fi,t.prompts,async()=>(await this.listPrompts()).prompts),t.resources&&this._serverCapabilities?.resources?.listChanged&&this._setupListChangedHandler("resources",Mi,t.resources,async()=>(await this.listResources()).resources)}get experimental(){return this._experimental||(this._experimental={tasks:new Fs(this)}),this._experimental}registerCapabilities(t){if(this.transport)throw new Error("Cannot register capabilities after connecting to transport");this._capabilities=_a(this._capabilities,t)}setRequestHandler(t,r){let a=jr(t)?.method;if(!a)throw new Error("Schema is missing a method literal");let s;if(Gt(a)){let c=a;s=c._zod?.def?.value??c.value}else{let c=a;s=c._def?.value??c.value}if(typeof s!="string")throw new Error("Schema method literal must be a string");let i=s;if(i==="elicitation/create"){let c=o(async(d,p)=>{let l=xe(Xi,d);if(!l.success){let b=l.error instanceof Error?l.error.message:String(l.error);throw new E(A.InvalidParams,`Invalid elicitation request: ${b}`)}let{params:m}=l.data;m.mode=m.mode??"form";let{supportsFormMode:h,supportsUrlMode:_}=Uk(this._capabilities.elicitation);if(m.mode==="form"&&!h)throw new E(A.InvalidParams,"Client does not support form-mode elicitation requests");if(m.mode==="url"&&!_)throw new E(A.InvalidParams,"Client does not support URL-mode elicitation requests");let w=await Promise.resolve(r(d,p));if(m.task){let b=xe(At,w);if(!b.success){let T=b.error instanceof Error?b.error.message:String(b.error);throw new E(A.InvalidParams,`Invalid task creation result: ${T}`)}return b.data}let y=xe(Wt,w);if(!y.success){let b=y.error instanceof Error?y.error.message:String(y.error);throw new E(A.InvalidParams,`Invalid elicitation result: ${b}`)}let S=y.data,v=m.mode==="form"?m.requestedSchema:void 0;if(m.mode==="form"&&S.action==="accept"&&S.content&&v&&this._capabilities.elicitation?.form?.applyDefaults)try{Zs(v,S.content)}catch{}return S},"wrappedHandler");return super.setRequestHandler(t,c)}if(i==="sampling/createMessage"){let c=o(async(d,p)=>{let l=xe(Yi,d);if(!l.success){let S=l.error instanceof Error?l.error.message:String(l.error);throw new E(A.InvalidParams,`Invalid sampling request: ${S}`)}let{params:m}=l.data,h=await Promise.resolve(r(d,p));if(m.task){let S=xe(At,h);if(!S.success){let v=S.error instanceof Error?S.error.message:String(S.error);throw new E(A.InvalidParams,`Invalid task creation result: ${v}`)}return S.data}let w=m.tools||m.toolChoice?Bn:gr,y=xe(w,h);if(!y.success){let S=y.error instanceof Error?y.error.message:String(y.error);throw new E(A.InvalidParams,`Invalid sampling result: ${S}`)}return y.data},"wrappedHandler");return super.setRequestHandler(t,c)}return super.setRequestHandler(t,r)}assertCapability(t,r){if(!this._serverCapabilities?.[t])throw new Error(`Server does not support ${t} (required for ${r})`)}async connect(t,r){if(await super.connect(t),t.sessionId===void 0)try{let n=await this.request({method:"initialize",params:{protocolVersion:Vt,capabilities:this._capabilities,clientInfo:this._clientInfo}},Pi,r);if(n===void 0)throw new Error(`Server sent invalid initialize result: ${n}`);if(!Ft.includes(n.protocolVersion))throw new Error(`Server's protocol version is not supported: ${n.protocolVersion}`);this._serverCapabilities=n.capabilities,this._serverVersion=n.serverInfo,t.setProtocolVersion&&t.setProtocolVersion(n.protocolVersion),this._instructions=n.instructions,await this.notification({method:"notifications/initialized"}),this._pendingListChangedConfig&&(this._setupListChangedHandlers(this._pendingListChangedConfig),this._pendingListChangedConfig=void 0)}catch(n){throw this.close(),n}}getServerCapabilities(){return this._serverCapabilities}getServerVersion(){return this._serverVersion}getInstructions(){return this._instructions}assertCapabilityForMethod(t){switch(t){case"logging/setLevel":if(!this._serverCapabilities?.logging)throw new Error(`Server does not support logging (required for ${t})`);break;case"prompts/get":case"prompts/list":if(!this._serverCapabilities?.prompts)throw new Error(`Server does not support prompts (required for ${t})`);break;case"resources/list":case"resources/templates/list":case"resources/read":case"resources/subscribe":case"resources/unsubscribe":if(!this._serverCapabilities?.resources)throw new Error(`Server does not support resources (required for ${t})`);if(t==="resources/subscribe"&&!this._serverCapabilities.resources.subscribe)throw new Error(`Server does not support resource subscriptions (required for ${t})`);break;case"tools/call":case"tools/list":if(!this._serverCapabilities?.tools)throw new Error(`Server does not support tools (required for ${t})`);break;case"completion/complete":if(!this._serverCapabilities?.completions)throw new Error(`Server does not support completions (required for ${t})`);break;case"initialize":break;case"ping":break}}assertNotificationCapability(t){switch(t){case"notifications/roots/list_changed":if(!this._capabilities.roots?.listChanged)throw new Error(`Client does not support roots list changed notifications (required for ${t})`);break;case"notifications/initialized":break;case"notifications/cancelled":break;case"notifications/progress":break}}assertRequestHandlerCapability(t){if(this._capabilities)switch(t){case"sampling/createMessage":if(!this._capabilities.sampling)throw new Error(`Client does not support sampling capability (required for ${t})`);break;case"elicitation/create":if(!this._capabilities.elicitation)throw new Error(`Client does not support elicitation capability (required for ${t})`);break;case"roots/list":if(!this._capabilities.roots)throw new Error(`Client does not support roots capability (required for ${t})`);break;case"tasks/get":case"tasks/list":case"tasks/result":case"tasks/cancel":if(!this._capabilities.tasks)throw new Error(`Client does not support tasks capability (required for ${t})`);break;case"ping":break}}assertTaskCapability(t){ts(this._serverCapabilities?.tasks?.requests,t,"Server")}assertTaskHandlerCapability(t){this._capabilities&&rs(this._capabilities.tasks?.requests,t,"Client")}async ping(t){return this.request({method:"ping"},Et,t)}async complete(t,r){return this.request({method:"completion/complete",params:t},Qi,r)}async setLoggingLevel(t,r){return this.request({method:"logging/setLevel",params:{level:t}},Et,r)}async getPrompt(t,r){return this.request({method:"prompts/get",params:t},Vi,r)}async listPrompts(t,r){return this.request({method:"prompts/list",params:t},qi,r)}async listResources(t,r){return this.request({method:"resources/list",params:t},Oi,r)}async listResourceTemplates(t,r){return this.request({method:"resources/templates/list",params:t},Ui,r)}async readResource(t,r){return this.request({method:"resources/read",params:t},zi,r)}async subscribeResource(t,r){return this.request({method:"resources/subscribe",params:t},Et,r)}async unsubscribeResource(t,r){return this.request({method:"resources/unsubscribe",params:t},Et,r)}async callTool(t,r=Kt,n){if(this.isToolTaskRequired(t.name))throw new E(A.InvalidRequest,`Tool "${t.name}" requires task-based execution. Use client.experimental.tasks.callToolStream() instead.`);let a=await this.request({method:"tools/call",params:t},r,n),s=this.getToolOutputValidator(t.name);if(s){if(!a.structuredContent&&!a.isError)throw new E(A.InvalidRequest,`Tool ${t.name} has an output schema but did not return structured content`);if(a.structuredContent)try{let i=s(a.structuredContent);if(!i.valid)throw new E(A.InvalidParams,`Structured content does not match the tool's output schema: ${i.errorMessage}`)}catch(i){throw i instanceof E?i:new E(A.InvalidParams,`Failed to validate structured content: ${i instanceof Error?i.message:String(i)}`)}}return a}isToolTask(t){return this._serverCapabilities?.tasks?.requests?.tools?.call?this._cachedKnownTaskTools.has(t):!1}isToolTaskRequired(t){return this._cachedRequiredTaskTools.has(t)}cacheToolMetadata(t){this._cachedToolOutputValidators.clear(),this._cachedKnownTaskTools.clear(),this._cachedRequiredTaskTools.clear();for(let r of t){if(r.outputSchema){let a=this._jsonSchemaValidator.getValidator(r.outputSchema);this._cachedToolOutputValidators.set(r.name,a)}let n=r.execution?.taskSupport;(n==="required"||n==="optional")&&this._cachedKnownTaskTools.add(r.name),n==="required"&&this._cachedRequiredTaskTools.add(r.name)}}getToolOutputValidator(t){return this._cachedToolOutputValidators.get(t)}async listTools(t,r){let n=await this.request({method:"tools/list",params:t},Ki,r);return this.cacheToolMetadata(n.tools),n}_setupListChangedHandler(t,r,n,a){let s=lp.safeParse(n);if(!s.success)throw new Error(`Invalid ${t} listChanged options: ${s.error.message}`);if(typeof n.onChanged!="function")throw new Error(`Invalid ${t} listChanged options: onChanged must be a function`);let{autoRefresh:i,debounceMs:c}=s.data,{onChanged:d}=n,p=o(async()=>{if(!i){d(null,null);return}try{let m=await a();d(null,m)}catch(m){let h=m instanceof Error?m:new Error(String(m));d(h,null)}},"refresh"),l=o(()=>{if(c){let m=this._listChangedDebounceTimers.get(t);m&&clearTimeout(m);let h=setTimeout(p,c);this._listChangedDebounceTimers.set(t,h)}else p()},"handler");this.setNotificationHandler(r,l)}async sendRootsListChanged(){return this.notification({method:"notifications/roots/list_changed"})}};function Ws(e){return e?e instanceof Headers?Object.fromEntries(e.entries()):Array.isArray(e)?Object.fromEntries(e):{...e}:{}}o(Ws,"normalizeHeaders");function U_(e=fetch,t){return t?async(r,n)=>{let a={...t,...n,headers:n?.headers?{...Ws(t.headers),...Ws(n.headers)}:t.headers};return e(r,a)}:e}o(U_,"createFetchWithInit");var Js=class extends Error{static{o(this,"ParseError")}constructor(t,r){super(t),this.name="ParseError",this.type=r.type,this.field=r.field,this.value=r.value,this.line=r.line}};function al(e){}o(al,"noop");function N_(e){if(typeof e=="function")throw new TypeError("`callbacks` must be an object, got a function instead. Did you mean `{onEvent: fn}`?");let{onEvent:t=al,onError:r=al,onRetry:n=al,onComment:a}=e,s="",i=!0,c,d="",p="";function l(y){let S=i?y.replace(/^\xEF\xBB\xBF/,""):y,[v,b]=Nk(`${s}${S}`);for(let T of v)m(T);s=b,i=!1}o(l,"feed");function m(y){if(y===""){_();return}if(y.startsWith(":")){a&&a(y.slice(y.startsWith(": ")?2:1));return}let S=y.indexOf(":");if(S!==-1){let v=y.slice(0,S),b=y[S+1]===" "?2:1,T=y.slice(S+b);h(v,T,y);return}h(y,"",y)}o(m,"parseLine");function h(y,S,v){switch(y){case"event":p=S;break;case"data":d=`${d}${S}
810
- `;break;case"id":c=S.includes("\0")?void 0:S;break;case"retry":/^\d+$/.test(S)?n(parseInt(S,10)):r(new Js(`Invalid \`retry\` value: "${S}"`,{type:"invalid-retry",value:S,line:v}));break;default:r(new Js(`Unknown field "${y.length>20?`${y.slice(0,20)}\u2026`:y}"`,{type:"unknown-field",field:y,value:S,line:v}));break}}o(h,"processField");function _(){d.length>0&&t({id:c,event:p||void 0,data:d.endsWith(`
811
- `)?d.slice(0,-1):d}),c=void 0,d="",p=""}o(_,"dispatchEvent");function w(y={}){s&&y.consume&&m(s),i=!0,c=void 0,d="",p="",s=""}return o(w,"reset"),{feed:l,reset:w}}o(N_,"createParser");function Nk(e){let t=[],r="",n=0;for(;n<e.length;){let a=e.indexOf("\r",n),s=e.indexOf(`
812
- `,n),i=-1;if(a!==-1&&s!==-1?i=Math.min(a,s):a!==-1?a===e.length-1?i=-1:i=a:s!==-1&&(i=s),i===-1){r=e.slice(n);break}else{let c=e.slice(n,i);t.push(c),n=i+1,e[n-1]==="\r"&&e[n]===`
813
- `&&n++}}return[t,r]}o(Nk,"splitLines");var Ys=class extends TransformStream{static{o(this,"EventSourceParserStream")}constructor({onError:t,onRetry:r,onComment:n}={}){let a;super({start(s){a=N_({onEvent:o(i=>{s.enqueue(i)},"onEvent"),onError(i){t==="terminate"?s.error(i):typeof t=="function"&&t(i)},onRetry:r,onComment:n})},transform(s){a.feed(s)}})}};var $k={initialReconnectionDelay:1e3,maxReconnectionDelay:3e4,reconnectionDelayGrowFactor:1.5,maxRetries:2},mr=class extends Error{static{o(this,"StreamableHTTPError")}constructor(t,r){super(`Streamable HTTP error: ${r}`),this.code=t}},Xs=class{static{o(this,"StreamableHTTPClientTransport")}constructor(t,r){this._hasCompletedAuthFlow=!1,this._url=t,this._resourceMetadataUrl=void 0,this._scope=void 0,this._requestInit=r?.requestInit,this._authProvider=r?.authProvider,this._fetch=r?.fetch,this._fetchWithInit=U_(r?.fetch,r?.requestInit),this._sessionId=r?.sessionId,this._reconnectionOptions=r?.reconnectionOptions??$k}async _authThenStart(){if(!this._authProvider)throw new Dt("No auth provider");let t;try{t=await pr(this._authProvider,{serverUrl:this._url,resourceMetadataUrl:this._resourceMetadataUrl,scope:this._scope,fetchFn:this._fetchWithInit})}catch(r){throw this.onerror?.(r),r}if(t!=="AUTHORIZED")throw new Dt;return await this._startOrAuthSse({resumptionToken:void 0})}async _commonHeaders(){let t={};if(this._authProvider){let n=await this._authProvider.tokens();n&&(t.Authorization=`Bearer ${n.access_token}`)}this._sessionId&&(t["mcp-session-id"]=this._sessionId),this._protocolVersion&&(t["mcp-protocol-version"]=this._protocolVersion);let r=Ws(this._requestInit?.headers);return new Headers({...t,...r})}async _startOrAuthSse(t){let{resumptionToken:r}=t;try{let n=await this._commonHeaders();n.set("Accept","text/event-stream"),r&&n.set("last-event-id",r);let a=await(this._fetch??fetch)(this._url,{method:"GET",headers:n,signal:this._abortController?.signal});if(!a.ok){if(await a.body?.cancel(),a.status===401&&this._authProvider)return await this._authThenStart();if(a.status===405)return;throw new mr(a.status,`Failed to open SSE stream: ${a.statusText}`)}this._handleSseStream(a.body,t,!0)}catch(n){throw this.onerror?.(n),n}}_getNextReconnectionDelay(t){if(this._serverRetryMs!==void 0)return this._serverRetryMs;let r=this._reconnectionOptions.initialReconnectionDelay,n=this._reconnectionOptions.reconnectionDelayGrowFactor,a=this._reconnectionOptions.maxReconnectionDelay;return Math.min(r*Math.pow(n,t),a)}_scheduleReconnection(t,r=0){let n=this._reconnectionOptions.maxRetries;if(r>=n){this.onerror?.(new Error(`Maximum reconnection attempts (${n}) exceeded.`));return}let a=this._getNextReconnectionDelay(r);this._reconnectionTimeout=setTimeout(()=>{this._startOrAuthSse(t).catch(s=>{this.onerror?.(new Error(`Failed to reconnect SSE stream: ${s instanceof Error?s.message:String(s)}`)),this._scheduleReconnection(t,r+1)})},a)}_handleSseStream(t,r,n){if(!t)return;let{onresumptiontoken:a,replayMessageId:s}=r,i,c=!1,d=!1;o(async()=>{try{let l=t.pipeThrough(new TextDecoderStream).pipeThrough(new Ys({onRetry:o(_=>{this._serverRetryMs=_},"onRetry")})).getReader();for(;;){let{value:_,done:w}=await l.read();if(w)break;if(_.id&&(i=_.id,c=!0,a?.(_.id)),!!_.data&&(!_.event||_.event==="message"))try{let y=hr.parse(JSON.parse(_.data));nt(y)&&(d=!0,s!==void 0&&(y.id=s)),this.onmessage?.(y)}catch(y){this.onerror?.(y)}}(n||c)&&!d&&this._abortController&&!this._abortController.signal.aborted&&this._scheduleReconnection({resumptionToken:i,onresumptiontoken:a,replayMessageId:s},0)}catch(l){if(this.onerror?.(new Error(`SSE stream disconnected: ${l}`)),(n||c)&&!d&&this._abortController&&!this._abortController.signal.aborted)try{this._scheduleReconnection({resumptionToken:i,onresumptiontoken:a,replayMessageId:s},0)}catch(_){this.onerror?.(new Error(`Failed to reconnect: ${_ instanceof Error?_.message:String(_)}`))}}},"processStream")()}async start(){if(this._abortController)throw new Error("StreamableHTTPClientTransport already started! If using Client class, note that connect() calls start() automatically.");this._abortController=new AbortController}async finishAuth(t){if(!this._authProvider)throw new Dt("No auth provider");if(await pr(this._authProvider,{serverUrl:this._url,authorizationCode:t,resourceMetadataUrl:this._resourceMetadataUrl,scope:this._scope,fetchFn:this._fetchWithInit})!=="AUTHORIZED")throw new Dt("Failed to authorize")}async close(){this._reconnectionTimeout&&(clearTimeout(this._reconnectionTimeout),this._reconnectionTimeout=void 0),this._abortController?.abort(),this.onclose?.()}async send(t,r){try{let{resumptionToken:n,onresumptiontoken:a}=r||{};if(n){this._startOrAuthSse({resumptionToken:n,replayMessageId:mt(t)?t.id:void 0}).catch(h=>this.onerror?.(h));return}let s=await this._commonHeaders();s.set("content-type","application/json"),s.set("accept","application/json, text/event-stream");let i={...this._requestInit,method:"POST",headers:s,body:JSON.stringify(t),signal:this._abortController?.signal},c=await(this._fetch??fetch)(this._url,i),d=c.headers.get("mcp-session-id");if(d&&(this._sessionId=d),!c.ok){let h=await c.text().catch(()=>null);if(c.status===401&&this._authProvider){if(this._hasCompletedAuthFlow)throw new mr(401,"Server returned 401 after successful authentication");let{resourceMetadataUrl:_,scope:w}=Jd(c);if(this._resourceMetadataUrl=_,this._scope=w,await pr(this._authProvider,{serverUrl:this._url,resourceMetadataUrl:this._resourceMetadataUrl,scope:this._scope,fetchFn:this._fetchWithInit})!=="AUTHORIZED")throw new Dt;return this._hasCompletedAuthFlow=!0,this.send(t)}if(c.status===403&&this._authProvider){let{resourceMetadataUrl:_,scope:w,error:y}=Jd(c);if(y==="insufficient_scope"){let S=c.headers.get("WWW-Authenticate");if(this._lastUpscopingHeader===S)throw new mr(403,"Server returned 403 after trying upscoping");if(w&&(this._scope=w),_&&(this._resourceMetadataUrl=_),this._lastUpscopingHeader=S??void 0,await pr(this._authProvider,{serverUrl:this._url,resourceMetadataUrl:this._resourceMetadataUrl,scope:this._scope,fetchFn:this._fetch})!=="AUTHORIZED")throw new Dt;return this.send(t)}}throw new mr(c.status,`Error POSTing to endpoint: ${h}`)}if(this._hasCompletedAuthFlow=!1,this._lastUpscopingHeader=void 0,c.status===202){await c.body?.cancel(),op(t)&&this._startOrAuthSse({resumptionToken:void 0}).catch(h=>this.onerror?.(h));return}let l=(Array.isArray(t)?t:[t]).filter(h=>"method"in h&&"id"in h&&h.id!==void 0).length>0,m=c.headers.get("content-type");if(l)if(m?.includes("text/event-stream"))this._handleSseStream(c.body,{onresumptiontoken:a},!1);else if(m?.includes("application/json")){let h=await c.json(),_=Array.isArray(h)?h.map(w=>hr.parse(w)):[hr.parse(h)];for(let w of _)this.onmessage?.(w)}else throw await c.body?.cancel(),new mr(-1,`Unexpected content type: ${m}`);else await c.body?.cancel()}catch(n){throw this.onerror?.(n),n}}get sessionId(){return this._sessionId}async terminateSession(){if(this._sessionId)try{let t=await this._commonHeaders(),r={...this._requestInit,method:"DELETE",headers:t,signal:this._abortController?.signal},n=await(this._fetch??fetch)(this._url,r);if(await n.body?.cancel(),!n.ok&&n.status!==405)throw new mr(n.status,`Failed to terminate session: ${n.statusText}`);this._sessionId=void 0}catch(t){throw this.onerror?.(t),t}}setProtocolVersion(t){this._protocolVersion=t}get protocolVersion(){return this._protocolVersion}async resumeStream(t,r){await this._startOrAuthSse({resumptionToken:t,onresumptiontoken:r?.onresumptiontoken})}};function $_(e=[]){let t={};for(let r of e){if(!r.value){if(r.required)throw g("internal_server_error",`Native MCP transport header ${r.name} is required but has no value configured.`);continue}t[r.name]=r.value}return t}o($_,"resolveNativeMcpRequestHeaders");var zk={name:"zuplo-mcp-gateway",version:"0.1.0"},Mk=5,Dk=500,D_=3e4,qk=2*1024*1024,Lk=2;function z_(){return performance.now()/1e3}o(z_,"nowSeconds");function jk(e){if(e.port)return Number(e.port);if(e.protocol==="https:")return 443;if(e.protocol==="http:")return 80}o(jk,"readServerPort");function Hk(e,t){return{mcpSessionId:t,serverAddress:e.hostname,serverPort:jk(e)}}o(Hk,"buildNativeMcpOperationContext");function Tn(e){return Uh(e)}o(Tn,"withTraceMeta");function sl(e){if(e>Dk)throw g("upstream_import_failed","Upstream import exceeded the maximum allowed capability count.")}o(sl,"assertImportedCapabilityBudget");function M_(e){return Object.keys(e).length===0?{}:{requestInit:{headers:e}}}o(M_,"buildRequestInit");function Gk(e){return(t,r)=>Vs(t,r,{additionalCrossOriginStrippedHeaders:e,maxRedirects:Lk,maxResponseBytes:qk,problemCode:"upstream_capability_invocation_failed",timeoutMs:D_})}o(Gk,"createNativeMcpFetch");function Bk(e){return new Promise((t,r)=>{let n=setTimeout(()=>{r(g("upstream_capability_invocation_failed","Upstream MCP request exceeded the maximum allowed time."))},D_);e.then(a=>{clearTimeout(n),t(a)},a=>{clearTimeout(n),r(a)})})}o(Bk,"withNativeMcpRequestTimeout");function Vk(e,t=[]){let r=$_(t),n=e?.type==="headers"?Object.keys(e.headers):[],a=[...Object.keys(r),...n],s={fetch:Gk(a)};if(!e)return{...s,...M_(r)};switch(e.type){case"mcp_oauth_provider":return{authProvider:e.provider,...s,...M_(r)};case"bearer_token":return{...s,requestInit:{headers:{...r,Authorization:`Bearer ${e.token}`}}};case"headers":return{...s,requestInit:{headers:{...r,...e.headers}}}}}o(Vk,"buildNativeMcpTransportOptions");async function Cn(e,t,r){let{transport:n}=Ge(e),a=new URL(n.baseUrl),s=new Xs(a,Vk(r,n.requestHeaders)),i=new Ks(zk,{capabilities:{}});return Bk((async()=>{let c=z_();await i.connect(s);let d=s.sessionId,p=Hk(a,d);try{return await t(i,p)}finally{if(s.sessionId)try{await s.terminateSession()}catch{}await i.close(),d&&Nh(p,z_()-c)}})())}o(Cn,"withNativeMcpClient");async function Fk(e,t,r){let n=[],a,s=0;do{if(s>=Mk)throw g("upstream_capability_invocation_failed",`${e} pagination exceeded the maximum allowed page count.`);let i=await t(a);s+=1,n.push(...r(i)),a=i.nextCursor}while(a);return n}o(Fk,"collectPaginatedSdkItems");async function il(e){return e.enabled?Fk(e.label,e.fetchPage,e.readItems):[]}o(il,"listNativeMcpCapabilityItems");async function q_(e){return Cn(e.upstreamServerId,async(t,r)=>{let n=t.getServerCapabilities(),a=await Ar({methodName:"tools/list",...r},()=>il({enabled:!!n?.tools,label:"Tool list",fetchPage:o(s=>t.listTools(Tn(s?{cursor:s}:void 0)),"fetchPage"),readItems:o(s=>s.tools,"readItems")}));return sl(a.length),{tools:a}},e.credential)}o(q_,"listNativeMcpTools");async function L_(e){return Cn(e.upstreamServerId,async(t,r)=>{let n=t.getServerCapabilities(),a=await Ar({methodName:"prompts/list",...r},()=>il({enabled:!!n?.prompts,label:"Prompt list",fetchPage:o(s=>t.listPrompts(Tn(s?{cursor:s}:void 0)),"fetchPage"),readItems:o(s=>s.prompts,"readItems")}));return sl(a.length),{prompts:a}},e.credential)}o(L_,"listNativeMcpPrompts");async function j_(e){return Cn(e.upstreamServerId,async(t,r)=>{let n=t.getServerCapabilities(),a=await Ar({methodName:"resources/list",...r},()=>il({enabled:!!n?.resources,label:"Resource list",fetchPage:o(s=>t.listResources(Tn(s?{cursor:s}:void 0)),"fetchPage"),readItems:o(s=>s.resources,"readItems")}));return sl(a.length),{resources:a}},e.credential)}o(j_,"listNativeMcpResources");async function H_(e){return Cn(e.upstreamServerId,(t,r)=>Ar({methodName:"tools/call",capabilityType:"tool",capabilityName:e.params.name,...r},async()=>await t.callTool(Tn(e.params))),e.credential)}o(H_,"callNativeMcpTool");async function G_(e){return Cn(e.upstreamServerId,(t,r)=>Ar({methodName:"prompts/get",capabilityType:"prompt",capabilityName:e.params.name,...r},()=>t.getPrompt(Tn(e.params))),e.credential)}o(G_,"getNativeMcpPrompt");async function B_(e){return Cn(e.upstreamServerId,(t,r)=>Ar({methodName:"resources/read",capabilityType:"resource",resourceUri:e.params.uri,...r},()=>t.readResource(Tn(e.params))),e.credential)}o(B_,"readNativeMcpResource");var Zo=class extends E{static{o(this,"ConnectRequiredMcpError")}constructor(t){super(A.InvalidRequest,t.message),this.name="ConnectRequiredMcpError"}};function Zk(e){return{content:[{type:"text",text:e}],isError:!0}}o(Zk,"buildToolErrorResult");function Kk(e){return e.authUrl?new Bt([{mode:"url",elicitationId:crypto.randomUUID(),message:e.message,url:e.authUrl}],e.message):new Zo(e)}o(Kk,"toConnectRequiredError");function Wk(e){return{credentialType:e.type,...e.type==="headers"?{headerNames:Object.keys(e.headers).sort()}:{}}}o(Wk,"buildCredentialResolvedAttributes");function Jk(e){He(e.context,{eventType:L.MCP_GATEWAY_AUTH_UPSTREAM_CREDENTIAL_RESOLVED,outcome:"success",routeBinding:e.routeBinding,attributes:Wk(e.credential)})}o(Jk,"emitCredentialResolvedAnalyticsEvent");function Yk(e){He(e.context,{eventType:L.MCP_GATEWAY_AUTH_UPSTREAM_CREDENTIAL_MISSING,outcome:"connect_required",routeBinding:e.routeBinding,reasonCode:"connect_required",reasonClass:"auth",attributes:{nextAction:e.payload.nextAction,state:e.payload.state}})}o(Yk,"emitCredentialMissingAnalyticsEvent");function Xk(e){let t=new Map;return r=>{let n=`${r.upstreamServerId}:${r.authProfileId}:${r.ownerMode}`,a=t.get(n);if(a)return a;let s=(async()=>{let i=await P_({request:e.request,routeAuth:r});if(i.kind==="connect_required")throw Yk({context:e.context,payload:i.payload,routeBinding:r}),Kk(i.payload);return Jk({context:e.context,credential:i.credential,routeBinding:r}),i.credential})();return t.set(n,s),s}}o(Xk,"createCredentialResolver");var V_=500;function Qk(e){return e.length<=V_?e:`${e.slice(0,V_)}...`}o(Qk,"truncateAnalyticsDetail");function eO(e){He(e.context,{eventType:L.MCP_GATEWAY_CAPABILITY_COMPLETED,outcome:e.result.isError===!0?"application_error":"success",routeBinding:e.routeBinding,mcpMethod:"tools/call",capabilityName:e.toolName,capabilityType:"tool",toolResultIsError:e.result.isError===!0,applicationError:e.result.isError===!0})}o(eO,"emitToolInvocationCompletedAnalyticsEvent");function tO(e){return e instanceof Bt||e instanceof Zo?{eventType:L.MCP_GATEWAY_CAPABILITY_CONNECT_REQUIRED,outcome:"connect_required",reasonCode:"connect_required",reasonClass:"auth",errorType:"connect_required"}:e instanceof E&&e.code===A.InvalidParams?{eventType:L.MCP_GATEWAY_CAPABILITY_FAILED,outcome:"failure",reasonCode:"invalid_tool_arguments",reasonClass:"client",errorType:"tool_error",mcpErrorType:"InvalidParams"}:{eventType:L.MCP_GATEWAY_CAPABILITY_FAILED,outcome:"failure",reasonCode:"upstream_capability_invocation_failed",reasonClass:"upstream",errorType:"tool_error"}}o(tO,"classifyToolInvocationFailure");function rO(e){let t=e.error instanceof Error?e.error.message:String(e.error),r=tO(e.error);He(e.context,{eventType:r.eventType,outcome:r.outcome,routeBinding:e.routeBinding,mcpMethod:"tools/call",capabilityName:e.toolName,capabilityType:"tool",reasonCode:r.reasonCode,reasonClass:r.reasonClass,errorType:r.errorType,mcpErrorType:r.mcpErrorType,attributes:{detail:Qk(t)}})}o(rO,"emitToolInvocationFailedAnalyticsEvent");var nO=256*1024;function oO(e){if(e.arguments===void 0)return;let t;try{t=new TextEncoder().encode(JSON.stringify(e.arguments)).length}catch{throw new E(A.InvalidParams,"Tool arguments must be JSON-serializable.")}if(t>nO)throw new E(A.InvalidParams,"Tool arguments exceed the maximum allowed size.")}o(oO,"assertToolArgumentsWithinLimit");function cl(e){if(e.routeBindings.length===1)return e.routeBindings[0];let t=e.routeBindings.filter(r=>r.connectionPolicyName===e.upstreamPolicyName);if(t.length!==1)throw new E(A.InvalidRequest,`Published item ${e.capabilityName} on virtual server ${e.virtualServerId} is claimed by ${t.length} upstream bindings.`);return t[0]}o(cl,"findBindingForPublishedCapability");function En(e){let t=e.routeBindings[0];if(e.routeBindings.length!==1||t===void 0)throw new E(A.InternalError,`Upstream MCP catalog mode for virtual server ${e.publishedVirtualServer.virtualServerId} requires exactly one upstream binding.`);return t}o(En,"requireSingleTransparentBinding");function aO(e){if(e.publishedVirtualServer.catalog.catalogSource==="upstream_mcp")return{binding:En(e),upstreamName:e.toolName};let t=e.publishedVirtualServer.catalog.tools.find(r=>r.name===e.toolName&&r.enabled!==!1);if(!t)throw new E(A.MethodNotFound,`Tool ${e.toolName} is not available on virtual server ${e.publishedVirtualServer.virtualServerId}.`);return{binding:cl({capabilityName:String(t.name),routeBindings:e.routeBindings,upstreamPolicyName:t.upstreamPolicyName,virtualServerId:e.publishedVirtualServer.virtualServerId}),upstreamName:t.upstreamName}}o(aO,"resolvePublishedToolRoute");function sO(e){if(e.publishedVirtualServer.catalog.catalogSource==="upstream_mcp")return{binding:En(e),upstreamName:e.promptName};let t=e.publishedVirtualServer.catalog.prompts.find(r=>r.name===e.promptName&&r.enabled!==!1);if(!t)throw new E(A.MethodNotFound,`Prompt ${e.promptName} is not available on virtual server ${e.publishedVirtualServer.virtualServerId}.`);return{binding:cl({capabilityName:String(t.name),routeBindings:e.routeBindings,upstreamPolicyName:t.upstreamPolicyName,virtualServerId:e.publishedVirtualServer.virtualServerId}),upstreamName:t.upstreamName}}o(sO,"resolvePublishedPromptRoute");function iO(e){if(e.publishedVirtualServer.catalog.catalogSource==="upstream_mcp")return{binding:En(e),upstreamUri:e.resourceUri};let t=e.publishedVirtualServer.catalog.resources.find(r=>r.uri===e.resourceUri&&r.enabled!==!1);if(!t)throw new E(A.MethodNotFound,`Resource ${e.resourceUri} is not available on virtual server ${e.publishedVirtualServer.virtualServerId}.`);return{binding:cl({capabilityName:String(t.name),routeBindings:e.routeBindings,upstreamPolicyName:t.upstreamPolicyName,virtualServerId:e.publishedVirtualServer.virtualServerId}),upstreamUri:t.upstreamUri}}o(iO,"resolvePublishedResourceRoute");function F_(e){let t=Xk({context:e.context,request:e.request});return{async listTools(){if(e.publishedVirtualServer.catalog.catalogSource==="openapi")return{tools:e.publishedVirtualServer.catalog.tools.filter(n=>n.enabled!==!1).map(ms)};let r=En(e);return q_({upstreamServerId:r.upstreamServerId,credential:await t(r)})},async callTool(r){let n=aO({publishedVirtualServer:e.publishedVirtualServer,routeBindings:e.routeBindings,toolName:r.name});try{oO(r);let a=await t(n.binding),s=await H_({upstreamServerId:n.binding.upstreamServerId,params:{...r,name:n.upstreamName},credential:a});return eO({context:e.context,routeBinding:n.binding,toolName:r.name,result:s}),e.context.log.debug({event:"upstream_tool_invocation_succeeded",toolName:r.name,upstreamName:n.upstreamName,upstreamServerId:n.binding.upstreamServerId,authProfileId:n.binding.authProfileId,isError:s.isError===!0},"Upstream tool invocation completed"),s}catch(a){if(rO({context:e.context,routeBinding:n.binding,toolName:r.name,error:a}),a instanceof Bt||a instanceof Zo)throw e.context.log.info({event:"upstream_tool_invocation_connect_required",toolName:r.name,upstreamServerId:n.binding.upstreamServerId,authProfileId:n.binding.authProfileId,ownerMode:n.binding.ownerMode,hasAuthUrl:a instanceof Bt},"Upstream tool invocation requires user to complete a connect flow"),a;let s={event:"upstream_tool_invocation_failed",code:"upstream_capability_invocation_failed",toolName:r.name,upstreamName:n.upstreamName,upstreamServerId:n.binding.upstreamServerId,authProfileId:n.binding.authProfileId};return a instanceof E&&(s.mcpErrorCode=a.code),a instanceof Error?(s.errorName=a.name,s.errorMessage=a.message,a.cause instanceof Error&&(s.causeName=a.cause.name,s.causeMessage=a.cause.message)):s.errorMessage=String(a),e.context.log.warn(s,"Upstream tool invocation failed; returning generic gateway error to MCP client"),Zk(Le("upstream_capability_invocation_failed").publicDetail)}},async listPrompts(){if(e.publishedVirtualServer.catalog.catalogSource==="openapi")return{prompts:e.publishedVirtualServer.catalog.prompts.filter(n=>n.enabled!==!1).map(fs)};let r=En(e);return L_({upstreamServerId:r.upstreamServerId,credential:await t(r)})},async getPrompt(r){let n=sO({publishedVirtualServer:e.publishedVirtualServer,routeBindings:e.routeBindings,promptName:r.name});return G_({upstreamServerId:n.binding.upstreamServerId,params:{...r,name:n.upstreamName},credential:await t(n.binding)})},async listResources(){if(e.publishedVirtualServer.catalog.catalogSource==="openapi")return{resources:e.publishedVirtualServer.catalog.resources.filter(n=>n.enabled!==!1).map(hs)};let r=En(e);return j_({upstreamServerId:r.upstreamServerId,credential:await t(r)})},async readResource(r){let n=iO({publishedVirtualServer:e.publishedVirtualServer,routeBindings:e.routeBindings,resourceUri:r.uri});return B_({upstreamServerId:n.binding.upstreamServerId,params:{...r,uri:n.upstreamUri},credential:await t(n.binding)})}}}o(F_,"createCapabilityDispatcher");var cO="0.1.0",K_="POST",uO="POST, OPTIONS";function ul(e){return Response.json({jsonrpc:"2.0",id:null,error:{code:-32e3,message:e}},{status:405,headers:{Allow:K_}})}o(ul,"jsonRpcMethodNotAllowedResponse");function dO(e){let t={Allow:K_},r=e.headers.get("origin"),n=e.headers.get("access-control-request-method");if(r&&n){t["Access-Control-Allow-Methods"]=uO;let a=e.headers.get("access-control-request-headers");a&&(t["Access-Control-Allow-Headers"]=a)}return new Response(null,{status:204,headers:t})}o(dO,"buildOptionsResponse");function An(e){let t=e&&typeof e=="object"?e.id:void 0;return typeof t=="string"||typeof t=="number"?t:void 0}o(An,"readJsonRpcRequestId");function dl(e){return e&&typeof e=="object"?e.params:void 0}o(dl,"readMcpRequestParams");function Z_(e,t){return e.headers.get(t)??void 0}o(Z_,"readMcpHeader");function lO(e){return{mcpProtocolVersion:Z_(e,"mcp-protocol-version")??Er,mcpSessionId:Z_(e,"mcp-session-id")}}o(lO,"buildServerTelemetryBase");function pO(e){if(e.headers.has("mcp-protocol-version"))return e;let t=new Headers(e.headers);return t.set("mcp-protocol-version",Er),new Response(e.body,{status:e.status,statusText:e.statusText,headers:t})}o(pO,"ensureProtocolVersionHeader");async function ll(e,t){if(e.method==="OPTIONS")return dO(e);if(e.method==="GET")return ul("Standalone SSE GET is not supported by this stateless virtual MCP server. Use POST streamable HTTP for MCP requests.");if(e.method==="DELETE")return ul("Session termination via DELETE is not supported because this virtual MCP server is stateless.");if(e.method!=="POST")return ul("Only POST is supported by this virtual MCP server.");let r=mn(t),n=Sh(r.virtualServerId),a=zh(t);if(n.catalog.catalogSource==="upstream_mcp"&&a.length!==1)throw t.log.error({event:"virtual_server_binding_count_invalid",code:"internal_server_error",virtualServerId:r.virtualServerId,bindingCount:a.length,catalogSource:n.catalog.catalogSource},"MCP virtual server route requires exactly one upstream binding"),g("internal_server_error",`MCP virtual server route requires exactly one upstream binding; found ${a.length}.`);let s=lO(e),i=F_({context:t,publishedVirtualServer:n,request:e,routeBindings:a}),c=Q(e.url),d=new os({enableDnsRebindingProtection:!0,allowedOrigins:[c]}),p=new ns(n.catalog.serverInfo??{name:r.virtualServerId,version:cO},{capabilities:{prompts:{},resources:{},tools:{}}});p.setRequestHandler(Zi,async m=>Pr({methodName:"tools/list",params:dl(m),jsonRpcRequestId:An(m),...s},()=>i.listTools())),p.setRequestHandler(Hn,async m=>Pr({methodName:"tools/call",capabilityType:"tool",capabilityName:m.params.name,params:m.params,jsonRpcRequestId:An(m),...s},()=>i.callTool(m.params))),p.setRequestHandler(Di,async m=>Pr({methodName:"prompts/list",params:dl(m),jsonRpcRequestId:An(m),...s},()=>i.listPrompts())),p.setRequestHandler(Li,async m=>Pr({methodName:"prompts/get",capabilityType:"prompt",capabilityName:m.params.name,params:m.params,jsonRpcRequestId:An(m),...s},()=>i.getPrompt(m.params))),p.setRequestHandler(ki,async m=>Pr({methodName:"resources/list",params:dl(m),jsonRpcRequestId:An(m),...s},()=>i.listResources())),p.setRequestHandler($i,async m=>Pr({methodName:"resources/read",capabilityType:"resource",resourceUri:m.params.uri,params:m.params,jsonRpcRequestId:An(m),...s},()=>i.readResource(m.params))),await p.connect(d);let l=await d.handleRequest(e);return pO(l)}o(ll,"virtualServerHandler");async function mO(e,t){return Ht("handler.mcp-virtual-server"),ll(e,t)}o(mO,"McpVirtualServerHandler");import{base64url as pl}from"jose";var fO="sha256:",hO=32;function W_(e){let t=new ArrayBuffer(e.byteLength);return new Uint8Array(t).set(e),t}o(W_,"copyToArrayBuffer");function gO(e,t){if(e.length!==t.length)return!1;let r=0;for(let n=0;n<e.length;n++)r|=e.charCodeAt(n)^t.charCodeAt(n);return r===0}o(gO,"constantTimeEqual");function qt(){let e=crypto.getRandomValues(new Uint8Array(hO));return pl.encode(e)}o(qt,"createOpaqueToken");async function ce(e){let t=await crypto.subtle.digest("SHA-256",W_(new TextEncoder().encode(e)));return`${fO}${pl.encode(new Uint8Array(t))}`}o(ce,"hashOpaqueValue");async function J_(e){let t=await ce(e.value);return gO(t,e.expectedHash)}o(J_,"verifyOpaqueValue");async function Y_(e){let t=await crypto.subtle.digest("SHA-256",W_(new TextEncoder().encode(e)));return pl.encode(new Uint8Array(t))}o(Y_,"calculatePkceS256Challenge");function _O(e){let t=e.headers.get("authorization"),[r,n]=t?.split(/\s+/,2)??[];if(!(r?.toLowerCase()!=="bearer"||!n))return n}o(_O,"readBearerToken");function yO(e,t,r){return je(e,t,{code:"authentication_required",detail:"Gateway access token is required.",headers:{"WWW-Authenticate":r}})}o(yO,"gatewayAuthenticationRequiredResponse");async function wO(e,t,r){let n=await H().downstreamOAuthRepository.validateAccessToken({tokenHash:await ce(e),now:new Date});if(n.kind!=="valid")throw t.log.warn({event:"gateway_access_token_validate_failed",code:"authentication_required",validationKind:n.kind,virtualServerId:r},"Gateway access token validation failed"),g("authentication_required","Gateway access token is expired, revoked, or invalid.");return n.record}o(wO,"validateGatewayAccessToken");function SO(e,t){if(e.accessToken.resource!==e.resource||e.accessToken.virtualServerId!==e.virtualServerId)throw t.log.warn({event:"gateway_access_token_resource_mismatch",code:"authentication_required",expectedResource:e.resource,tokenResource:e.accessToken.resource,expectedVirtualServerId:e.virtualServerId,tokenVirtualServerId:e.accessToken.virtualServerId,clientId:e.accessToken.clientId},"Gateway access token resource does not match the requested MCP resource"),g("authentication_required","Gateway access token was not issued for this MCP resource.")}o(SO,"assertAccessTokenResource");function vO(e,t,r){return je(e,t,{code:"forbidden",detail:"Gateway access token is missing the required MCP scope.",headers:{"WWW-Authenticate":_n({virtualServerId:r,requestUrl:e.url,error:"insufficient_scope",errorDescription:`The access token is missing the ${oe} scope required by this MCP resource.`,scope:oe})}})}o(vO,"insufficientScopeResponse");function bO(e){return{subjectId:e.subjectId,tenantId:e.tenantId,roles:e.roles}}o(bO,"principalFromAccessToken");function RO(e){let t=ae(e.error),r={event:"gateway_access_token_rejected",code:t??"authentication_required",virtualServerId:e.virtualServerId};return e.error instanceof Error?(r.errorName=e.error.name,r.errorMessage=e.error.message):e.error!==void 0&&e.error!==null&&(r.errorMessage=String(e.error)),e.context.log.warn(r,"Gateway access token rejected; MCP request denied"),je(e.request,e.context,{code:t??"authentication_required",detail:e.error instanceof Error?e.error.message:"Gateway access token could not be verified.",headers:{"WWW-Authenticate":_n({virtualServerId:e.virtualServerId,requestUrl:e.request.url,error:"invalid_token",errorDescription:"The access token is expired, malformed, or invalid."})}})}o(RO,"gatewayTokenRejectedResponse");async function ml(e,t){let r=mn(t),n=Eo(r.virtualServerId,e.url),a=_O(e),s=_n({virtualServerId:r.virtualServerId,requestUrl:e.url});if(!a)return t.log.debug({event:"gateway_access_token_missing",code:"authentication_required",virtualServerId:r.virtualServerId,hasAuthorizationHeader:e.headers.get("authorization")!==null},"MCP request did not include a gateway access token"),yO(e,t,s);try{let i=await wO(a,t,r.virtualServerId);if(SO({accessToken:i,resource:n,virtualServerId:r.virtualServerId},t),i.scope!==oe)return t.log.warn({event:"gateway_access_token_insufficient_scope",code:"forbidden",tokenScope:i.scope,requiredScope:oe,virtualServerId:r.virtualServerId,clientId:i.clientId},"Gateway access token does not have the required MCP scope"),vO(e,t,r.virtualServerId);let c=bO(i);return Xh(t,c),Ju(t,c),e}catch(i){return RO({request:e,context:t,error:i,virtualServerId:r.virtualServerId})}}o(ml,"gatewayTokenInbound");var Pn={OAUTH_PROTECTED_RESOURCE_METADATA:"oauth_metadata",VIRTUAL_MCP_SERVER:"gateway",OTHER:"other"},IO="oauth-protected-resource-metadata",TO="/.well-known/oauth-protected-resource/";function CO(e){let r=(typeof e.route.raw=="function"?e.route.raw():void 0)?.operationId;return typeof r=="string"?r:void 0}o(CO,"readRouteOperationId");function EO(e){return e.hasGatewayRouteContext?Pn.VIRTUAL_MCP_SERVER:e.routeOperationId===IO||e.routeOperationId===void 0&&e.routePath.startsWith(TO)?Pn.OAUTH_PROTECTED_RESOURCE_METADATA:Pn.OTHER}o(EO,"classifyAnalyticsRouteSurface");function AO(e){let t=e.route.path;return{routePath:t,routeSurface:EO({routePath:t,routeOperationId:CO(e),hasGatewayRouteContext:Ro(e)!==void 0})}}o(AO,"readAnalyticsRequestContext");function PO(e){return e.response.status===405&&e.response.headers.has("allow")&&e.routeSurface===Pn.VIRTUAL_MCP_SERVER}o(PO,"isIntentionalMethodRejection");function xO(e){return PO(e)||e.response.status===401&&e.routeSurface===Pn.OAUTH_PROTECTED_RESOURCE_METADATA?"success":e.response.status>=400?"failure":"success"}o(xO,"classifyRequestCompletedOutcome");async function fl(e,t){let r=Date.now(),n=AO(t);return t.addResponseSendingFinalHook(a=>{let s=xO({response:a,routeSurface:n.routeSurface});He(t,{eventType:L.MCP_GATEWAY_REQUEST_COMPLETED,outcome:s,routeSurface:n.routeSurface,httpStatusCode:a.status,httpMethod:e.method,latencyMs:Date.now()-r})}),e}o(fl,"analyticsContextInbound");function kO(e){return e instanceof Response}o(kO,"isResponse");var X_="/mcp/";function OO(e){let t=e.route.path;if(!t.startsWith(X_))throw g("internal_server_error",`Route ${t} is bound to mcp-oauth-inbound but does not match the /mcp/{virtualServerId} convention.`);let r=t.slice(X_.length);if(!r||r.includes("/"))throw g("internal_server_error",`Route ${t} is bound to mcp-oauth-inbound but must use exactly one /mcp/{virtualServerId} segment.`);return r}o(OO,"readVirtualServerIdFromRoute");async function Ko(e,t){let n={virtualServerId:ge.parse(OO(t))};Rh(t,n),nh(t,n);let a=await fl(e,t);return kO(a)?a:ml(a,t)}o(Ko,"mcpOAuthInboundPolicy");var UO=o(async(e,t,r,n)=>(Ht("policy.inbound.mcp-auth0-oauth"),Ko(e,t)),"McpAuth0OAuthInboundPolicy");function NO(e){let t=`https://${e.auth0Domain}/`,r=`https://${e.auth0Domain}/.well-known/jwks.json`,n=`https://${e.auth0Domain}/authorize`,a=`https://${e.auth0Domain}/oauth/token`;return ys({oidc:{issuer:t,jwksUrl:r,audience:e.audience},browserLogin:{url:n,tokenUrl:a,clientId:e.clientId,clientSecret:e.clientSecret,scope:e.scope??"openid profile email",audience:e.audience,...e.browserLoginOverrides??{}},gateway:e.gateway,devTenantId:e.devTenantId})}o(NO,"buildAuth0McpOAuthRuntimeConfig");var $O={policyType:"mcp-auth0-oauth-inbound",displayName:"MCP OAuth (Auth0)",getConfig(e){return NO(e)}};us($O);var zO=o(async(e,t,r,n)=>(Ht("policy.inbound.mcp-oauth"),Ko(e,t)),"McpOAuthInboundPolicy"),MO={policyType:"mcp-oauth-inbound",displayName:"MCP OAuth",getConfig(e){return ys(e)}};us(MO);function DO(e){let t=vt(e.connection.authMode);return{upstreamServerId:e.connection.upstreamServerId,virtualServerId:e.virtualServerId,authProfileId:e.connection.authProfileId,upstreamDisplayName:e.connection.config.displayName,authMode:e.connection.authMode,ownerMode:t.ownerMode}}o(DO,"buildRouteAuthBaseFromConnection");function ey(e){if(!e.connection.authProfiles[e.authMode])throw g("internal_server_error",`Upstream connection ${e.connection.id} does not declare auth mode ${e.authMode}.`);let r=vt(e.authMode);return{upstreamServerId:e.connection.id,virtualServerId:e.virtualServerId,authProfileId:pn(e.connection.id,e.authMode),upstreamDisplayName:e.connection.displayName,authMode:e.authMode,ownerMode:r.ownerMode}}o(ey,"buildRouteAuthBaseFromPolicyOptions");function ty(e,t){let n=tt().byVirtualServerId.get(t);if(!n)throw g("unknown_virtual_server",`Unknown virtual server: ${t}`);let a=n.connections.find(s=>s.upstreamServerId===e);if(!a)throw g("virtual_server_upstream_mismatch",`Virtual server ${t} does not bind upstream ${e}.`);return DO({connection:a,virtualServerId:t})}o(ty,"resolveRouteAuthBase");function Q_(e,t){switch(e){case"user":return ur(t.tenantId,t.subjectId);case"tenant_shared":return Es(t.tenantId)}}o(Q_,"buildOwnerForPrincipal");function Qs(e,t){switch(e.ownerMode){case"tenant_shared":return{...e,owner:Q_(e.ownerMode,t),initiatedBySubjectId:t.subjectId};case"user":return{...e,owner:Q_(e.ownerMode,t),initiatedBySubjectId:t.subjectId};case"none":return e}}o(Qs,"resolveRouteAuthForPrincipal");function qO(e){let t=Object.keys(e.connection.authProfiles);if(t.length!==1)throw g("internal_server_error",`Upstream policy ${e.policyName} must declare exactly one auth mode; found ${t.length}.`);let r=t[0];if(r===void 0)throw g("internal_server_error",`Upstream policy ${e.policyName} does not declare an auth mode.`);return is.parse(r)}o(qO,"readSingleAuthMode");function ry(e){return St.parse(e)}o(ry,"buildToolNamePrefixFromConnectionId");async function hl(e,t,r,n){let a=ps(r,n),s=qO({policyName:n,connection:a}),i=mn(t),c=ey({connection:a,virtualServerId:i.virtualServerId,authMode:s});if(c.ownerMode==="none")return fd(t,{...c,connectionPolicyName:n,toolNamePrefix:ry(a.id)}),e;let d=Yh(t);return d.tenantId?(fd(t,{...Qs(c,d),connectionPolicyName:n,toolNamePrefix:ry(a.id)}),e):je(e,t,{code:"forbidden",detail:"Upstream credentials for this virtual server require an authenticated tenant.",headers:{"WWW-Authenticate":_n({virtualServerId:i.virtualServerId,requestUrl:e.url,error:"insufficient_scope",errorDescription:"The access token is missing tenant context required by this virtual server.",scope:oe})}})}o(hl,"mcpUpstreamConnectionPolicy");var LO=o(async(e,t,r,n)=>(Ht("policy.inbound.mcp-upstream-connection"),hl(e,t,r,n)),"McpUpstreamConnectionInboundPolicy");W();W();var ny="application/json",jO="application/x-www-form-urlencoded";function HO(e){return(e??"").split(";")[0]?.trim().toLowerCase()??""}o(HO,"normalizeContentType");function GO(e,t){return e===t?!0:t===ny&&e.endsWith("+json")}o(GO,"contentTypeMatches");function BO(e,t){if(!t||t.length===0)return;let r=HO(e.headers.get("content-type"));if(!t.some(n=>GO(r,n)))throw g("invalid_request",`Request body must be ${t.join(" or ")}.`)}o(BO,"assertExpectedContentType");function VO(e,t,r){let n=e.headers.get("content-length");if(!n)return;let a=Number.parseInt(n,10);if(Number.isFinite(a)&&a>t)throw g("invalid_request",`${r} exceeded the maximum allowed size.`)}o(VO,"assertContentLengthWithinLimit");async function oy(e,t){let r=t.label??"Request body";BO(e,t.expectedContentTypes),VO(e,t.maxBytes,r);let n=await Bs(e.body,{maxBytes:t.maxBytes,createLimitError:o(()=>g("invalid_request",`${r} exceeded the maximum allowed size.`),"createLimitError")});return new TextDecoder().decode(n)}o(oy,"readBoundedTextBody");async function ay(e,t){let r=await oy(e,{...t,expectedContentTypes:[ny]});try{return JSON.parse(r)}catch(n){throw g("invalid_request","Request body must be valid JSON.",n)}}o(ay,"readBoundedJsonBody");async function ei(e,t){let r=await oy(e,{...t,expectedContentTypes:[jO]});return new URLSearchParams(r)}o(ei,"readBoundedFormUrlEncodedBody");var sy=Symbol("Html");function FO(e){return e.replaceAll("&","&amp;").replaceAll("<","&lt;").replaceAll(">","&gt;").replaceAll('"',"&quot;").replaceAll("'","&#39;")}o(FO,"escapeHtml");function ZO(e){return e===null||typeof e!="object"?!1:e[sy]===!0}o(ZO,"isHtml");function iy(e){return e==null||e===!1?"":Array.isArray(e)?e.map(iy).join(""):ZO(e)?e.value:FO(String(e))}o(iy,"renderValue");function pt(e){return{[sy]:!0,value:e}}o(pt,"trustedHtml");var me=pt("");function k(e,...t){let r=e[0]??"";for(let n=0;n<t.length;n+=1)r+=iy(t[n]),r+=e[n+1]??"";return pt(r)}o(k,"html");function Lt(e){return e.value}o(Lt,"renderHtml");var KO="text/html; charset=utf-8";function cy(e,t=200){return new Response(Lt(e),{status:t,headers:{"content-type":KO,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"}})}o(cy,"apiKeyLoginHtmlResponse");function gl(e=401){return cy(k`<!doctype html><html><head><title>Login failed</title></head><body><main><h1>Login failed</h1><p>The API key could not be verified. Start the authorization flow again.</p></main></body></html>`,e)}o(gl,"apiKeyLoginFailureResponse");function uy(e){return cy(k`<!doctype html><html><head><title>API key login</title></head><body><main><h1>API key login</h1><form method="post" action="/oauth/api-key-login" autocomplete="off"><input type="hidden" name="state" value="${e}"><label for="apiKey">API key</label><input id="apiKey" name="apiKey" type="password" required autocomplete="off"><button type="submit">Continue</button></form></main></body></html>`)}o(uy,"renderApiKeyLoginForm");W();W();import{errors as Sy,jwtVerify as vy,SignJWT as by}from"jose";W();import{errors as a0,jwtVerify as s0,SignJWT as i0}from"jose";function fr(e){let t=_e().browserLogin[e];if(typeof t=="string"&&t.length>0)return t;throw g("internal_server_error",`browserLogin.${e} is required for federated browser login. Set it on the mcp-oauth-inbound policy options.`)}o(fr,"requireBrowserLoginField");function ti(e){if(!e.tenantId)throw g("identity_context_missing","Gateway OAuth browser login requires a tenant-scoped principal.");return{...e,tenantId:e.tenantId}}o(ti,"requireTenantScopedBrowserPrincipal");W();import{createRemoteJWKSet as WO,errors as Wo,jwtVerify as JO}from"jose";var YO=u.object({id_token:u.string().min(1),token_type:u.string().min(1).optional(),expires_in:u.number().optional(),access_token:u.string().min(1).optional(),refresh_token:u.string().min(1).optional(),scope:u.string().min(1).optional()}),XO=u.object({error:u.string().min(1).optional(),error_description:u.string().min(1).optional(),error_uri:u.string().min(1).optional()});function QO(e){let t=XO.safeParse(e);if(!t.success)return{};let r={};return t.data.error!==void 0&&(r.idpError=t.data.error),t.data.error_description!==void 0&&(r.idpErrorDescription=t.data.error_description.slice(0,256)),t.data.error_uri!==void 0&&(r.idpErrorUri=t.data.error_uri.slice(0,256)),r}o(QO,"readIdpErrorFields");function e0(e){return e instanceof Wo.JWTExpired?"expired":e instanceof Wo.JWTClaimValidationFailed?"claim":e instanceof Wo.JWSSignatureVerificationFailed?"signature":e instanceof Wo.JWKSNoMatchingKey?"jwks_no_match":e instanceof Wo.JWTInvalid?"invalid":e instanceof u.ZodError?"schema":"other"}o(e0,"readJwtFailureKind");var t0=u.object({sub:le,nonce:u.string().min(1)}).catchall(u.unknown()),_l;function r0(e){return e instanceof Error&&"cause"in e?e.cause:e}o(r0,"readErrorCause");function n0(e){if(e!==null&&typeof e=="object"&&"extensionMembers"in e)return e.extensionMembers?.gatewayCode}o(n0,"readRuntimeGatewayCode");function o0(){if(!_l){let e=_e();_l=WO(new URL(e.oidc.jwksUrl),{timeoutDuration:e.browserLogin.remoteTimeoutMs})}return _l}o(o0,"readFederatedJwks");async function dy(e){let t=_e(),r=fr("tokenUrl"),n=fr("clientId"),a=fr("clientSecret"),s=new URL("/oauth/callback",lt(e.requestUrl)).toString(),i=new URLSearchParams({grant_type:"authorization_code",code:e.code,redirect_uri:s,client_id:n,client_secret:a});try{let{response:c,json:d}=await m_(r,{method:"POST",headers:{accept:"application/json","content-type":"application/x-www-form-urlencoded"},body:i},{maxResponseBytes:32768,problemCode:"browser_login_verification_failed",timeoutMs:t.browserLogin.remoteTimeoutMs,...e.context===void 0?{}:{context:e.context}});if(!c.ok){let h=QO(d);throw e.context?.log.warn({event:"federated_token_exchange_failed",code:"provider_access_denied",idpHost:et(r),idpStatus:c.status,...h},"Federated browser login token exchange returned non-2xx from the identity provider"),g({code:"provider_access_denied",privateDetail:"Federated browser login token exchange failed.",cause:new Error(`IdP token exchange failed (status=${c.status}${h.idpError?` idp_error=${h.idpError}`:""}${h.idpErrorDescription?` idp_error_description=${h.idpErrorDescription}`:""})`)})}let p=YO.parse(d),l;try{({payload:l}=await JO(p.id_token,o0(),{issuer:t.oidc.issuer,audience:n}))}catch(h){let _={};throw Re(_,"error",h),e.context?.log.warn({event:"federated_id_token_verification_failed",code:"browser_login_verification_failed",failureKind:e0(h),idpHost:et(r),expectedIssuer:t.oidc.issuer,..._},"Federated id_token failed jose verification"),h}if(l.nonce!==e.nonce)throw e.context?.log.warn({event:"federated_nonce_mismatch",code:"oauth_callback_mismatch",idpHost:et(r),nonceMissingFromIdToken:l.nonce===void 0},"Federated id_token nonce did not match the signed gateway state"),g("oauth_callback_mismatch","Federated browser login nonce did not match the signed gateway state.");let m=t0.parse(l);return ti(gn({sub:m.sub,data:m},e.requestUrl))}catch(c){let d=ae(c)??n0(c);throw d!==void 0&&d!=="browser_login_verification_failed"?c:g("browser_login_verification_failed","Federated browser login callback could not be verified.",r0(c))}}o(dy,"exchangeFederatedAuthorizationCode");var wl="zuplo_mcp_session",ly="HS256",py="zuplo-mcp-gateway",my="zuplo-mcp-gateway",c0=u.object({purpose:u.literal("gateway_browser_session"),sub:le,tenantId:$e,browserLoginOrigin:u.string().min(1),roles:u.array(u.string().min(1)).optional(),exp:u.number().int().positive(),iat:u.number().int().positive().optional()});function u0(e){let t=new Map;if(!e)return t;for(let r of e.split(";")){let n=r.indexOf("=");if(n<0)continue;let a=r.slice(0,n).trim(),s=r.slice(n+1).trim();if(a)try{t.set(a,decodeURIComponent(s))}catch{t.set(a,s)}}return t}o(u0,"parseCookieHeader");async function fy(){return bt({purpose:"browser-session",envVar:"OAUTH_STATE_SIGNING_KEY",derive:o(e=>dr(e,"browser-session"),"derive")})}o(fy,"getBrowserSessionKey");function yl(e){let t=new URL(Q(e)),r=[`${wl}=`,"Path=/","HttpOnly","SameSite=Lax","Max-Age=0"];return t.protocol==="https:"&&r.push("Secure"),r.join("; ")}o(yl,"buildBrowserSessionEvictionCookie");function d0(e){let t=new URL(Q(e.requestUrl)),r=[`${wl}=${encodeURIComponent(e.value)}`,"Path=/","HttpOnly","SameSite=Lax",`Max-Age=${e.ttlSeconds}`];return t.protocol==="https:"&&r.push("Secure"),r.join("; ")}o(d0,"serializeSessionCookie");function hy(e={}){return new URL(fr("url")).origin}o(hy,"readBrowserLoginOrigin");function Sl(){return _e().browserLogin.stateTtlSeconds}o(Sl,"readBrowserLoginStateTtlSeconds");function gy(e){if(!e.user)throw g("authentication_required","The browser login callback did not include an authenticated Zuplo principal.");return ti(gn(e.user,e.url))}o(gy,"resolveCurrentRequestPrincipal");async function ri(e,t={}){let r=u0(e.headers.get("cookie")).get(wl);if(!r)return{};try{let{payload:n}=await s0(r,await fy(),{algorithms:[ly],issuer:py,audience:my}),a=c0.parse(n);if(a.browserLoginOrigin!==hy(t))return{evictCookie:yl(e.url)};let s={subjectId:a.sub,tenantId:a.tenantId};return a.roles&&a.roles.length>0&&(s.roles=a.roles),{principal:s}}catch(n){return n instanceof a0.JWTExpired?{evictCookie:yl(e.url)}:(t.context?.log.warn({event:"browser_session_verification_failed",errorName:n instanceof Error?n.name:"unknown",errorMessage:n instanceof Error?n.message:"verification failed"},"Browser session JWT verification failed"),{evictCookie:yl(e.url)})}}o(ri,"readBrowserSession");async function Jo(e){let t=_e().browserLogin.sessionTtlSeconds,r={purpose:"gateway_browser_session",sub:e.principal.subjectId,tenantId:e.principal.tenantId,browserLoginOrigin:hy({virtualServerId:e.virtualServerId})};e.principal.roles&&(r.roles=e.principal.roles);let n=await new i0(r).setProtectedHeader({alg:ly,typ:"JWT"}).setIssuer(py).setAudience(my).setIssuedAt().setExpirationTime(Math.floor(Date.now()/1e3)+t).sign(await fy());return d0({value:n,requestUrl:e.requestUrl,ttlSeconds:t})}o(Jo,"createBrowserSessionCookie");async function _y(e){throw g("forbidden","API-key browser login is not supported in this gateway.")}o(_y,"resolveApiKeyBrowserLoginPrincipal");async function yy(e){let t={};e.context!==void 0&&(t.context=e.context);let r=await ri(e.request,t);if(r.principal)return r.principal;let n=typeof e.request.query.code=="string"?e.request.query.code:void 0;if(!n)throw g("oauth_callback_mismatch","Federated browser login callback is missing an authorization code.");return dy({code:n,nonce:e.stateId,requestUrl:e.request.url,...e.context===void 0?{}:{context:e.context}})}o(yy,"resolveBrowserLoginCallbackPrincipal");function wy(e){let t=_e().browserLogin,r=new URL(fr("url")),n=new URL("/oauth/callback",lt(e.requestUrl));return Vh(r)?(r.searchParams.set("redirect_uri",n.toString()),r.searchParams.set("state",e.state),r):(r.searchParams.set("response_type","code"),r.searchParams.set("client_id",fr("clientId")),r.searchParams.set("redirect_uri",n.toString()),r.searchParams.set("scope",t.scope),r.searchParams.set("state",e.state),r.searchParams.set("nonce",e.nonce),t.audience&&r.searchParams.set("audience",t.audience),r)}o(wy,"buildBrowserLoginUrl");var l0=5*60,p0=["mcp_user"],ni="HS256",oi="zuplo-mcp-gateway",ai="zuplo-mcp-gateway",m0=u.object({purpose:u.literal("gateway_browser_login"),transactionId:sr,stateId:vs,exp:u.number().int().positive(),iat:u.number().int().positive().optional()}),f0=u.object({purpose:u.literal("gateway_authorization_setup"),transactionId:sr,stateId:vs,exp:u.number().int().positive(),iat:u.number().int().positive().optional()});async function Ry(){return bt({purpose:"browser-login",envVar:"OAUTH_STATE_SIGNING_KEY",derive:o(e=>dr(e,"browser-login"),"derive")})}o(Ry,"getBrowserLoginKey");async function Iy(){return bt({purpose:"authorization-csrf",envVar:"OAUTH_STATE_SIGNING_KEY",derive:o(e=>dr(e,"authorization-csrf"),"derive")})}o(Iy,"getCsrfKey");function h0(e){return[...new Set([...p0,...e.roles??[]])]}o(h0,"buildRoles");function Ty(e){return{repository:e.repository??H().downstreamOAuthRepository,now:e.now??new Date,ttlSeconds:Sl()}}o(Ty,"readPendingTransactionDependencies");function g0(e,t){return e.subjectId===t.subjectId&&e.tenantId===t.tenantId}o(g0,"principalsMatch");function Cy(e){return{subjectId:e.subjectId,tenantId:e.tenantId,...e.roles===void 0?{}:{roles:e.roles}}}o(Cy,"toPendingPrincipal");function Ey(e){let t={id:e.id,currentStateHash:e.currentStateHash,clientId:e.transaction.clientId,redirectUri:e.transaction.redirectUri,resource:e.transaction.resource,virtualServerId:e.transaction.virtualServerId,scope:e.transaction.scope,codeChallenge:e.transaction.codeChallenge,codeChallengeMethod:e.transaction.codeChallengeMethod,createdAt:K(e.now),expiresAt:K(ar(e.now,e.ttlSeconds)),...e.transaction.clientState===void 0?{}:{clientState:e.transaction.clientState}};if(e.phase==="awaiting_login")return{...t,phase:"awaiting_login"};if(!e.principal)throw g("identity_context_missing","Authorization setup requires a principal.");return{...t,phase:"awaiting_setup",principal:Cy(e.principal)}}o(Ey,"createTransactionRecord");async function Ay(e){if((await e.repository.savePendingAuthorizationTransaction(e.record)).kind==="already_exists")throw g("oauth_state_reused","Authorization transaction state already exists.")}o(Ay,"savePendingTransaction");async function _0(e){return new by({purpose:"gateway_browser_login",transactionId:e.transactionId,stateId:e.stateId}).setProtectedHeader({alg:ni,typ:"JWT"}).setIssuer(oi).setAudience(ai).setIssuedAt().setExpirationTime(Math.floor(Date.now()/1e3)+e.ttlSeconds).sign(await Ry())}o(_0,"signBrowserLoginState");async function Py(e){return new by({purpose:"gateway_authorization_setup",transactionId:e.transactionId,stateId:Sd()}).setProtectedHeader({alg:ni,typ:"JWT"}).setIssuer(oi).setAudience(ai).setIssuedAt().setExpirationTime(Math.floor(Date.now()/1e3)+e.ttlSeconds).sign(await Iy())}o(Py,"signCsrfToken");async function si(e){try{let{payload:t}=await vy(e,await Ry(),{algorithms:[ni],issuer:oi,audience:ai}),r=m0.parse(t);return{transactionId:r.transactionId,stateId:r.stateId}}catch(t){throw t instanceof Sy.JWTExpired?g("oauth_state_expired","Browser login state has expired.",t):g("oauth_state_invalid","Browser login state could not be verified.",t)}}o(si,"verifyBrowserLoginStateToken");async function y0(e){try{let{payload:t}=await vy(e,await Iy(),{algorithms:[ni],issuer:oi,audience:ai});return{transactionId:f0.parse(t).transactionId}}catch(t){throw t instanceof Sy.JWTExpired?g("oauth_state_expired","Authorization setup state has expired.",t):g("oauth_state_invalid","Authorization setup state could not be verified.",t)}}o(y0,"verifyCsrfToken");function ii(e){return e==="consumed"||e==="consumed_already"||e==="stale_hash"?"oauth_state_reused":e==="expired"?"oauth_state_expired":"oauth_state_invalid"}o(ii,"pendingStateErrorCode");function w0(e){if(e.kind!=="available")throw g(ii(e.kind),"Authorization setup state is invalid, expired, or already used.");if(e.record.phase!=="awaiting_setup")throw g("oauth_state_invalid","Authorization setup state is not in the setup phase.");return e.record}o(w0,"requireAwaitingSetup");function S0(e){if(e.kind!=="available")throw g(ii(e.kind),"Browser login state is invalid, expired, or already used.");if(e.record.phase!=="awaiting_login")throw g("oauth_state_invalid","Browser login state is not in the login phase.");return e.record}o(S0,"requireAwaitingLogin");function v0(e){if(!g0(e.currentBrowserPrincipal,e.transaction.principal))throw g("oauth_callback_mismatch","Authorization setup state does not match the current browser session.")}o(v0,"requireCurrentPrincipalMatches");async function xy(e){let t=e.repository??H().downstreamOAuthRepository,r=e.now??new Date,n=Sl(),a=wd(),s=Sd(),i=await _0({transactionId:a,stateId:s,ttlSeconds:n}),c=Ey({id:a,transaction:e.transaction,currentStateHash:await ce(i),phase:"awaiting_login",now:r,ttlSeconds:n});if(c.phase!=="awaiting_login")throw g("oauth_state_invalid","Authorization transaction did not start in login phase.");return await Ay({repository:t,record:c}),{transaction:c,browserLoginStateToken:i,browserLoginUrl:wy({state:i,nonce:s,virtualServerId:c.virtualServerId,requestUrl:e.requestUrl})}}o(xy,"startAwaitingLogin");async function ky(e){let{repository:t,now:r,ttlSeconds:n}=Ty(e),a=wd(),s=await Py({transactionId:a,ttlSeconds:n}),i=Ey({id:a,transaction:e.transaction,currentStateHash:await ce(s),phase:"awaiting_setup",principal:e.principal,now:r,ttlSeconds:n});if(i.phase!=="awaiting_setup")throw g("oauth_state_invalid","Authorization transaction did not start in setup phase.");return await Ay({repository:t,record:i}),{transaction:i,csrfToken:s}}o(ky,"startAwaitingSetup");async function vl(e){let{repository:t,now:r,ttlSeconds:n}=Ty(e),a=await si(e.browserLoginStateToken),s=await Py({transactionId:a.transactionId,ttlSeconds:n}),i=await t.advancePendingAuthorizationTransaction({id:a.transactionId,expectedPhase:"awaiting_login",currentStateHash:await ce(e.browserLoginStateToken),nextStateHash:await ce(s),nextPhase:"awaiting_setup",principal:Cy(e.principal),now:r});if(i.kind!=="advanced")throw g(ii(i.kind),"Browser login state is invalid, expired, or already used.");if(i.record.phase!=="awaiting_setup")throw g("oauth_state_invalid","Browser login did not advance to setup.");return{transaction:i.record,csrfToken:s}}o(vl,"completeLogin");async function Oy(e){let t=e.repository??H().downstreamOAuthRepository,r=e.now??new Date,n=await si(e.browserLoginStateToken);return S0(await t.getPendingAuthorizationTransaction({id:n.transactionId,currentStateHash:await ce(e.browserLoginStateToken),now:r}))}o(Oy,"getAwaitingLogin");async function bl(e){let t=await Rl(e);return v0({transaction:t,currentBrowserPrincipal:e.currentBrowserPrincipal}),t}o(bl,"getSetup");async function Rl(e){let t=e.repository??H().downstreamOAuthRepository,r=e.now??new Date,n=await y0(e.csrfToken);return w0(await t.getPendingAuthorizationTransaction({id:n.transactionId,currentStateHash:await ce(e.csrfToken),now:r}))}o(Rl,"getSetupTransaction");async function b0(e){let t=qt(),r=await ce(t),n=Bh(),a=K(ar(e.now,l0)),s={id:e.transaction.id,clientId:e.transaction.clientId,redirectUri:e.transaction.redirectUri,resource:e.transaction.resource,virtualServerId:e.transaction.virtualServerId,tenantId:e.transaction.principal.tenantId,subjectId:e.transaction.principal.subjectId,scope:e.transaction.scope,roles:h0(e.transaction.principal),codeChallenge:e.transaction.codeChallenge,codeChallengeMethod:e.transaction.codeChallengeMethod,createdAt:K(e.now),expiresAt:a};await e.repository.issueAuthorizationCode({...s,codeHash:r,grantId:n});let i=new URL(e.transaction.redirectUri);return i.searchParams.set("code",t),e.transaction.clientState&&i.searchParams.set("state",e.transaction.clientState),i}o(b0,"createAuthorizationCodeRedirect");function R0(e){let t=new URL(e.redirectUri);return t.searchParams.set("error","access_denied"),t.searchParams.set("error_description","The user cancelled the MCP authorization request."),e.clientState!==void 0&&t.searchParams.set("state",e.clientState),t}o(R0,"buildClientCancelRedirect");async function I0(e){let t=await bl(e),r=await e.repository.consumePendingAuthorizationTransaction({id:t.id,currentStateHash:await ce(e.csrfToken),now:e.now});if(r.kind!=="consumed")throw g(ii(r.kind),"Authorization setup state is invalid, expired, or already used.");if(r.record.phase!=="awaiting_setup")throw g("oauth_state_invalid","Authorization setup state is not in the setup phase.");return r.record}o(I0,"consumeSetup");async function Uy(e){let t=e.repository??H().downstreamOAuthRepository,r=e.now??new Date;return{repository:t,now:r,transaction:await I0({csrfToken:e.csrfToken,currentBrowserPrincipal:e.currentBrowserPrincipal,now:r,repository:t})}}o(Uy,"consumeSetupForDecision");async function Ny(e){let{repository:t,now:r,transaction:n}=await Uy(e);return b0({repository:t,transaction:n,now:r})}o(Ny,"approve");async function $y(e){let{transaction:t}=await Uy(e);return R0({redirectUri:t.redirectUri,clientState:t.clientState})}o($y,"cancel");W();var T0={invalid_request:400,invalid_client:401,invalid_grant:400,invalid_target:400,unsupported_grant_type:400,server_error:500,invalid_redirect_uri:400,invalid_client_metadata:400},z=class extends Error{static{o(this,"OAuthProtocolError")}errorCode;status;constructor(t,r,n=T0[t],a){super(r,a),this.name="OAuthProtocolError",this.errorCode=t,this.status=n}};var C0=1e4,E0=5*1024,A0=2,P0=90*24*60*60,Il=["authorization_code","refresh_token"],Tl=["code"],x0=u.object({client_name:u.string().min(1).optional(),redirect_uris:u.array(u.string().min(1)).min(1),grant_types:u.array(u.enum(Il)).min(1).max(2).optional(),response_types:u.array(u.enum(Tl)).min(1).max(1).optional(),scope:u.literal(oe).optional(),token_endpoint_auth_method:Co.default("client_secret_basic")});function k0(e){try{let t=new URL(e);return t.protocol==="https:"&&t.pathname!=="/"}catch{return!1}}o(k0,"isCimdClientIdCandidate");function Yo(e,t="invalid_request"){if(O0(e))throw new z(t,"redirect_uris must not include raw whitespace or control characters.");let r;try{r=new URL(e)}catch{throw new z(t,"redirect_uris must be absolute URIs.")}if(r.hash||r.username||r.password)throw new z(t,"redirect_uris must not include credentials or fragments.");if(!(r.protocol==="https:"||Ue(r)))throw new z(t,"redirect_uris must use HTTPS except loopback HTTP redirects for local clients.")}o(Yo,"assertValidRedirectUri");function O0(e){for(let t=0;t<e.length;t+=1){let r=e.charCodeAt(t);if(r<=32||r>=127&&r<=159)return!0}return!1}o(O0,"hasForbiddenRawRedirectUriCharacter");async function U0(e){let{response:t,json:r}=await f_(e.initialUrl,{headers:{accept:"application/json"}},{maxRedirects:A0,maxResponseBytes:E0,timeoutMs:C0});if(!t.ok)throw g("invalid_request","CIMD metadata could not be fetched.");let n=qh.parse(r);if(n.client_id!==e.clientId)throw g("invalid_request","Fetched CIMD client_id must exactly match the requested client_id.");if(n.token_endpoint_auth_method!=="none")throw g("invalid_request","CIMD clients must use token_endpoint_auth_method none until private_key_jwt is implemented.");return n}o(U0,"fetchCimdMetadata");async function N0(e){let t=Gs(e),r=await U0({clientId:e,initialUrl:t});return{kind:"cimd",clientId:e,metadata:r}}o(N0,"resolveCimdClient");async function Xo(e,t,r){let n=Ze.parse(t),a=await e.getDcrClient(n);if(a){let s={kind:"dcr",clientId:n,metadata:{client_id:a.clientId,client_name:a.clientName,redirect_uris:a.redirectUris,token_endpoint_auth_method:a.tokenEndpointAuthMethod}};return a.hashedClientSecret&&(s.hashedClientSecret=a.hashedClientSecret),s}if(!_e().gateway.cimdEnabled||!k0(n))throw new z("invalid_client",n.startsWith("dcr:")?"Dynamic client is not registered. Re-run client registration before authorization.":"OAuth client is not registered.");try{return await N0(n)}catch{throw new z("invalid_client","OAuth client is not registered.")}}o(Xo,"resolveClient");function ci(e,t){if(!e.metadata.redirect_uris.some(r=>Rs(r,t)))throw g("invalid_request","redirect_uri is not registered for the client.")}o(ci,"assertRedirectRegistered");function $0(e){let t=zy(e.grant_types),r=e.response_types??[...Tl];if(!z0(t))throw new z("invalid_client_metadata","grant_types must be a subset of authorization_code and refresh_token.");if(!M0(r))throw new z("invalid_client_metadata","response_types must be code.");if(!D0(e.scope))throw new z("invalid_client_metadata",`Only the ${oe} scope is supported.`)}o($0,"assertSupportedDcrRequest");function zy(e){return e===void 0?[...Il]:Array.from(new Set(e))}o(zy,"normalizeGrantTypes");function z0(e){return e.length===0?!1:e.every(t=>Il.includes(t))}o(z0,"isSupportedGrantTypes");function M0(e){return e.length===Tl.length&&e[0]==="code"}o(M0,"isSupportedResponseTypes");function D0(e){return e===void 0||e===oe}o(D0,"isSupportedDcrScope");function Qo(e){if(e===void 0||e===oe)return oe;throw new z("invalid_request",`Only the ${oe} scope is supported.`)}o(Qo,"assertSupportedOAuthScope");function xn(e,t){let r;try{r=new URL(t)}catch{throw new z("invalid_target","resource must be an absolute URI.")}if(r.hash)throw new z("invalid_target","resource must not include a fragment.");if(r.protocol!=="https:"&&!Ue(r))throw new z("invalid_target","resource must use HTTPS except loopback HTTP resources in local development.");let n=Q(e),a=vh(),s=a?[...a.byVirtualServerId.values()].find(i=>new URL(i.routePath,n).toString()===t):void 0;if(!s)throw new z("invalid_target","resource must match a published virtual MCP server.");return s}o(xn,"resolveResource");async function My(e,t={}){let n=(q0(t)?{repository:t}:t).repository??H().downstreamOAuthRepository,a;try{a=x0.parse(e)}catch(h){if(h instanceof u.ZodError){let _=h.issues.some(w=>w.path[0]==="redirect_uris");throw new z(_?"invalid_redirect_uri":"invalid_client_metadata",h.issues[0]?.message??"Client metadata is invalid.",void 0,{cause:h})}throw h}$0(a);for(let h of a.redirect_uris)Yo(h,"invalid_redirect_uri");let s=new Date,i=Ze.parse(`dcr:${crypto.randomUUID()}`),c=ar(s,P0),d=Math.floor(s.getTime()/1e3),p=Math.floor(c.getTime()/1e3),l={client_id:i,client_name:a.client_name??"Dynamically registered MCP client",redirect_uris:a.redirect_uris,grant_types:zy(a.grant_types),response_types:["code"],scope:oe,token_endpoint_auth_method:a.token_endpoint_auth_method,client_id_issued_at:d},m={clientId:i,clientName:String(l.client_name),redirectUris:a.redirect_uris,tokenEndpointAuthMethod:a.token_endpoint_auth_method,createdAt:K(s),clientExpiresAt:K(c)};if(a.token_endpoint_auth_method!=="none"){let h=qt();m.hashedClientSecret=await ce(h),m.clientSecretExpiresAt=K(c),l.client_secret=h,l.client_secret_expires_at=p,l.client_secret_issued_at=d}return await n.saveDcrClient(m),l}o(My,"registerDownstreamClient");function q0(e){return typeof e.getDcrClient=="function"}o(q0,"isOAuthRepository");var L0=8;function El(e){let t=e.trim();try{let r=new URL(t);if(r.protocol==="https:")return r.toString()}catch{}if(/^data:image\/(?:png|jpe?g|webp);/i.test(t))return t}o(El,"safeIconSrc");function j0(e,t){if(e)try{let r=new URL(t).origin,n=new URL(e,r);return n.origin!==r||!n.pathname.startsWith("/auth/connections/")?void 0:n.toString()}catch{return}}o(j0,"safeGatewayConnectHref");function H0(e){if(e==="any")return Number.POSITIVE_INFINITY;let t=/^(\d+)x(\d+)$/.exec(e);return t?Math.max(Number(t[1]),Number(t[2])):0}o(H0,"parseIconSize");function G0(e,t){let r=e.filter(a=>a.theme===t);if(r.length>0)return r;let n=e.filter(a=>a.theme===void 0);return n.length>0?n:e}o(G0,"selectIconCandidates");function B0(e){return El(e.src)?e.sizes&&e.sizes.length>0?Math.max(...e.sizes.map(H0)):0:-1}o(B0,"readIconScore");function Ly(e,t){if(!e||e.length===0)return;let r=G0(e,t),n,a=-1;for(let s of r){let i=B0(s);i>a&&(n=s,a=i)}return n}o(Ly,"pickIcon");var V0='<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.6" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><rect x="3" y="4" width="18" height="7" rx="1.5"/><rect x="3" y="13" width="18" height="7" rx="1.5"/><circle cx="7" cy="7.5" r=".75" fill="currentColor" stroke="none"/><circle cx="7" cy="16.5" r=".75" fill="currentColor" stroke="none"/></svg>',Dy=pt(V0),F0=pt('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="16" height="16" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M7.13 2.46 1.39 12.5a1 1 0 0 0 .87 1.5h11.48a1 1 0 0 0 .87-1.5L8.87 2.46a1 1 0 0 0-1.74 0Z"/><line x1="8" y1="6" x2="8" y2="9.4"/><circle cx="8" cy="11.4" r=".7" fill="currentColor" stroke="none"/></svg>'),Z0=pt('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="16" height="16" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><circle cx="8" cy="8" r="6.5"/><line x1="8" y1="4.6" x2="8" y2="8.4"/><circle cx="8" cy="11" r=".7" fill="currentColor" stroke="none"/></svg>'),jy=pt('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="14" height="14" fill="none" stroke="currentColor" stroke-width="1.8" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M4 6.5l4 4 4-4"/></svg>'),qy=pt('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="14" height="14" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M8 1.5 2.5 3.5v4.2c0 3.4 2.4 5.6 5.5 6.8 3.1-1.2 5.5-3.4 5.5-6.8V3.5L8 1.5Z"/><path d="m5.8 8.2 1.6 1.6 3-3"/></svg>');function K0(e,t){let r=Ly(e,"light");if(!r)return k`<span class="icon-frame icon-frame--fallback" aria-hidden="true">${Dy}</span>`;let n=El(r.src);return n?k`<span class="icon-frame"><img src="${n}" alt="${t}" loading="lazy" decoding="async"></span>`:k`<span class="icon-frame icon-frame--fallback" aria-hidden="true">${Dy}</span>`}o(K0,"renderIconFrame");function di(e,t){let r=Ly(e,"light");if(!r)return me;let n=El(r.src);return n?k`<img class="inline-icon" src="${n}" alt="${t}" loading="lazy" decoding="async">`:me}o(di,"renderInlineIcon");function W0(e){switch(e){case"user":return"your account";case"tenant_shared":return"shared by your team";case"none":return"gateway-managed"}}o(W0,"ownerModeLabel");function J0(e){return e.endsWith("_oauth")||e==="oauth"?"OAuth":e.includes("static_secret")?"static credential":e.replaceAll("_"," ")}o(J0,"authModeLabel");function Y0(e){switch(e){case"active":return k`<span class="status-badge status-badge--success">Connected</span>`;case"not_connected":return k`<span class="status-badge status-badge--neutral">Not connected</span>`;case"reconsent_required":return k`<span class="status-badge status-badge--warning">Reconnect required</span>`}}o(Y0,"statusBadge");function X0(e){if(!e)return me;let t=[];return e.destructiveHint&&t.push(k`<span class="badge badge--destructive" title="This tool may modify or delete data on your behalf.">destructive</span>`),e.readOnlyHint&&t.push(k`<span class="badge badge--muted" title="This tool only reads data and does not modify state.">read-only</span>`),e.openWorldHint&&t.push(k`<span class="badge badge--muted" title="This tool can access arbitrary URIs supplied at call time.">open-world</span>`),t.length>0?k`<span class="badge-row">${t}</span>`:me}o(X0,"annotationBadges");function Hy(e){let t=0,r=0;for(let n of e.tools)n.annotations?.destructiveHint===!0&&(t+=1),n.annotations?.readOnlyHint===!0&&(r+=1);return{tools:e.tools.length,prompts:e.prompts.length,resources:e.resources.length,destructiveTools:t,readOnlyTools:r}}o(Hy,"summarizeCapabilities");function Q0(e){let t=e.annotations?.title??e.title??e.name,r=e.description?k`<span class="capability-row__description">${e.description}</span>`:me;return k`<li class="capability-row">${di(e.icons,t)}<span class="capability-row__name">${t}</span>${X0(e.annotations)}${r}</li>`}o(Q0,"renderToolRow");function eU(e){let t=e.title??e.name,r=e.description?k`<span class="capability-row__description">${e.description}</span>`:me;return k`<li class="capability-row">${di(e.icons,t)}<span class="capability-row__name">${t}</span>${r}</li>`}o(eU,"renderPromptRow");function tU(e){let t=e.title??e.name,r=e.mimeType===void 0?me:k` · ${e.mimeType}`,n=e.description===void 0?me:k` — ${e.description}`,a=k`<span class="capability-row__description"><code>${e.uri}</code>${r}${n}</span>`;return k`<li class="capability-row">${di(e.icons,t)}<span class="capability-row__name">${t}</span>${a}</li>`}o(tU,"renderResourceRow");function Cl(e,t,r,n){if(t===0)return me;let a=r.slice(0,L0),s=t-a.length,i=s>0?k`<li class="capability-row capability-row--more">+ ${s} more</li>`:me;return k`<section class="capability-section"><h4 class="capability-section__title">${e} <span class="muted">(${t})</span></h4><ul class="capability-list">${a.map(n)}${i}</ul></section>`}o(Cl,"renderCapabilitySection");function ui(e,t,r=!1){return r?k`<span class="count-pill count-pill--destructive"><span class="count-pill__num">${t}</span><span class="count-pill__label">${e}</span></span>`:k`<span class="count-pill"><span class="count-pill__num">${t}</span><span class="count-pill__label">${e}</span></span>`}o(ui,"countPill");function rU(e){let t=Hy(e);if(t.tools+t.prompts+t.resources===0)return k`<div class="upstream-card__capabilities upstream-card__capabilities--empty">No tools, prompts, or resources advertised.</div>`;let n=[];t.tools>0&&n.push(ui(t.tools===1?"tool":"tools",t.tools)),t.prompts>0&&n.push(ui(t.prompts===1?"prompt":"prompts",t.prompts)),t.resources>0&&n.push(ui(t.resources===1?"resource":"resources",t.resources)),t.destructiveTools>0&&n.push(ui("destructive",t.destructiveTools,!0));let a=[Cl("Tools",t.tools,e.tools,Q0),Cl("Prompts",t.prompts,e.prompts,eU),Cl("Resources",t.resources,e.resources,tU)];return k`<details class="upstream-card__capabilities"><summary class="capabilities-summary"><span class="capabilities-summary__counts">${n}</span><span class="capabilities-summary__chevron" aria-hidden="true">${jy}</span></summary><div class="capabilities-detail">${a}</div></details>`}o(rU,"renderUpstreamCapabilities");function nU(e){if(!e||e.length===0)return me;let t=e.map(n=>k`<code class="scope-chip">${n}</code>`),r=e.length===1?"scope":"scopes";return k`<details class="upstream-card__scopes"><summary class="scopes-summary"><span>Requested ${r} <span class="muted">(${e.length})</span></span><span class="capabilities-summary__chevron" aria-hidden="true">${jy}</span></summary><div class="scopes-list">${t}</div></details>`}o(nU,"renderUpstreamScopes");function oU(e,t){if(e.ownerMode!=="user")return me;let r=j0(e.connectUrl,t);if(!r)return me;let n=e.status==="active"?"Redo auth":e.status==="reconsent_required"?"Reconnect":"Connect",a=e.status==="active"?"Reconnect this upstream account or approve updated scopes.":void 0;return k`<a class="button button--secondary button--small" href="${r}"${a===void 0?me:k` title="${a}"`}>${n}</a>`}o(oU,"renderActionButton");function aU(e,t){let r=oU(e,t);return Lt(r)!==""?r:Y0(e.status)}o(aU,"renderUpstreamControl");function sU(e,t){let n=e.ownerMode==="user"&&e.status!=="active"?pt('<article class="upstream-card upstream-card--needs-action">'):pt('<article class="upstream-card">'),a=e.description?k`<p class="upstream-card__description">${e.description}</p>`:me,s=e.transportHost?k`<code class="upstream-card__host">${e.transportHost}</code><span class="upstream-card__sep" aria-hidden="true">·</span>`:me,i=k`<div class="upstream-card__head">${K0(e.serverIcons,e.upstreamDisplayName)}<div class="upstream-card__main"><div class="upstream-card__title-row"><h3 class="upstream-card__title">${e.upstreamDisplayName}</h3>${aU(e,t)}</div><div class="upstream-card__meta">${s}<span>${J0(e.authMode)}</span><span class="upstream-card__sep" aria-hidden="true">·</span><span>${W0(e.ownerMode)}</span></div>${a}</div></div>`,c=rU(e.capabilities),d=nU(e.scopesRequested);return k`${n}${i}${c}${d}</article>`}o(sU,"renderUpstreamCard");function iU(e){return e.reduce((t,r)=>{let n=Hy(r.capabilities);return t.tools+=n.tools,t.prompts+=n.prompts,t.resources+=n.resources,t.destructiveTools+=n.destructiveTools,t.readOnlyTools+=n.readOnlyTools,t},{tools:0,prompts:0,resources:0,destructiveTools:0,readOnlyTools:0})}o(iU,"aggregateCapabilities");function cU(e){return e.some(r=>r.ownerMode==="user"&&r.status!=="active")?"setup":"grant"}o(cU,"deriveMode");function uU(e){if(e.mode==="setup"){let n=e.upstreams.filter(c=>c.ownerMode==="user"&&c.status!=="active"),a=n.length>0&&n.every(c=>c.status==="reconsent_required"),s=n.length===1?"the service":`the ${n.length} services`,i=a?k`Re-authorize ${s} below to refresh access. Authorization will continue automatically once each is ready.`:k`Connect ${s} below before continuing. Authorization will continue automatically once each is ready.`;return k`<div class="banner banner--warning" role="status"><span class="banner__icon" aria-hidden="true">${F0}</span><div class="banner__body"><p class="banner__title">Setup required</p><p class="banner__message">${i}</p></div></div>`}let t=iU(e.upstreams);if(t.destructiveTools===0)return me;let r=t.destructiveTools===1?"tool can":"tools can";return k`<div class="banner banner--alert" role="alert"><span class="banner__icon" aria-hidden="true">${Z0}</span><div class="banner__body"><p class="banner__title">${t.destructiveTools} ${r} modify or delete data</p><p class="banner__message">Review the destructive tools below before authorizing <strong>${e.clientDisplayName}</strong>.</p></div></div>`}o(uU,"renderBanner");function dU(e){return e.mode==="grant"?k`<form class="actions" method="post" action="/oauth/setup"><input type="hidden" name="state" value="${e.state}"><button class="button button--secondary" type="submit" name="decision" value="cancel" formnovalidate>Cancel</button><button class="button button--primary" type="submit" name="decision" value="approve">Authorize</button></form>`:k`<form class="actions" method="post" action="/oauth/setup"><input type="hidden" name="state" value="${e.state}"><input type="hidden" name="decision" value="continue"><button class="button button--primary" type="submit">Check again</button></form>`}o(dU,"renderActions");var lU=`
835
+ SELECT EXISTS (SELECT 1 FROM inserted_consumption) AS inserted`,[t,n,r])),"browser connect ticket consume").inserted?{kind:"available"}:{kind:"consumed"}}};var OE={invalid_request:400,invalid_client:401,invalid_grant:400,invalid_target:400,unsupported_grant_type:400,server_error:500,invalid_redirect_uri:400,invalid_client_metadata:400},U=class extends Error{static{o(this,"OAuthProtocolError")}errorCode;status;constructor(t,r,n=OE[t],a){super(r,a),this.name="OAuthProtocolError",this.errorCode=t,this.status=n}};Y();var Jd=c.discriminatedUnion("mode",[c.object({mode:c.literal("user"),tenantId:ue,subjectId:X}).strict(),c.object({mode:c.literal("tenant_shared"),tenantId:ue}).strict()]),Fg=c.object({owner:Jd,upstreamServerId:ke,authProfileId:Pe}).strict(),Zg=c.object({items:c.array(Fg).min(1).max(100)}).strict(),Yd=c.object({items:c.array(c.object({key:c.object({ownerMode:Ht,tenantId:ue,subjectId:X.optional(),upstreamServerId:ke,authProfileId:Pe}).strict(),connection:Gt.strict().optional()}).strict())}).strict(),Kg=Gt.omit({createdAt:!0,updatedAt:!0}).strict().superRefine(Kd),Wg=Gt.strict(),Jg=c.object({owner:Jd,upstreamServerId:ke,authProfileId:Pe}).strict(),Yg=c.object({owner:Jd,upstreamServerId:ke,authProfileId:Pe,connection:Gt.strict().optional(),connectionStatus:c.object({connected:c.boolean(),status:xn,updatedAt:Gt.shape.updatedAt.optional()}).strict()}).strict(),UE=c.enum(["none","client_secret_basic","client_secret_post"]),Mr=c.object({clientId:le,clientName:c.string().min(1),tokenEndpointAuthMethod:UE}).strict(),Xd=c.discriminatedUnion("method",[c.object({method:c.literal("none"),clientId:le}).strict(),c.object({method:c.enum(["client_secret_basic","client_secret_post"]),clientId:le,clientSecretHashInput:c.string().min(1)}).strict()]),Qd=c.object({id:je,currentStateHash:c.string().min(1),clientId:le,redirectUri:c.string().min(1),resource:c.string().min(1),virtualServerId:me,clientState:c.string().optional(),scope:c.string(),codeChallenge:c.string().min(1),codeChallengeMethod:c.literal("S256"),createdAt:V,expiresAt:V,consumedAt:V.optional()}).strict(),Vg=Qd.omit({id:!0,consumedAt:!0}).extend({transactionId:je,client:Mr.optional()}).strict(),el=c.object({tenantId:ue,subjectId:X,roles:c.array(c.string()).optional()}).strict(),zE=Qd.extend({phase:c.literal("awaiting_login")}).strict(),Wd=Qd.extend({phase:c.literal("awaiting_setup"),principal:el}).strict(),NE=c.discriminatedUnion("phase",[zE,Wd]),tl=c.object({transaction:NE,client:Mr}).strict(),Xg=$o.omit({revokedAt:!0}).strict(),Qg=c.discriminatedUnion("kind",[c.object({kind:c.literal("registered"),client:Mr}).strict(),c.object({kind:c.literal("already_exists")}).strict()]),e_=c.object({clientId:le}).strict(),t_=c.discriminatedUnion("kind",[c.object({kind:c.literal("found"),client:$o.strict()}).strict(),c.object({kind:c.literal("missing")}).strict()]),r_=c.discriminatedUnion("phase",[Vg.extend({phase:c.literal("awaiting_login")}).strict(),Vg.extend({phase:c.literal("awaiting_setup"),principal:el}).strict()]),n_=c.discriminatedUnion("kind",[tl.extend({kind:c.literal("started")}).strict(),c.object({kind:c.literal("invalid_client")}).strict(),c.object({kind:c.literal("redirect_uri_mismatch")}).strict(),c.object({kind:c.literal("already_exists")}).strict()]),o_=c.object({transactionId:je,currentStateHash:c.string().min(1),now:V}).strict(),a_=c.discriminatedUnion("kind",[tl.extend({kind:c.literal("available")}).strict(),c.object({kind:c.literal("stale_hash")}).strict(),c.object({kind:c.literal("consumed")}).strict(),c.object({kind:c.literal("expired")}).strict(),c.object({kind:c.literal("missing")}).strict()]),i_=c.object({transactionId:je,expectedPhase:c.literal("awaiting_login"),currentStateHash:c.string().min(1),nextStateHash:c.string().min(1),nextPhase:c.literal("awaiting_setup"),principal:el,now:V}).strict(),s_=c.discriminatedUnion("kind",[tl.extend({kind:c.literal("advanced")}).strict(),c.object({kind:c.literal("wrong_phase"),current:c.enum(["awaiting_login","awaiting_setup"])}).strict(),c.object({kind:c.literal("stale_hash")}).strict(),c.object({kind:c.literal("consumed")}).strict(),c.object({kind:c.literal("expired")}).strict(),c.object({kind:c.literal("missing")}).strict()]),c_=c.discriminatedUnion("decision",[c.object({decision:c.literal("approve"),transactionId:je,currentStateHash:c.string().min(1),currentPrincipal:c.object({tenantId:ue,subjectId:X}).strict(),authorizationCodeHash:c.string().min(1),authorizationCodeExpiresAt:V,grantId:_t,now:V}).strict(),c.object({decision:c.literal("cancel"),transactionId:je,currentStateHash:c.string().min(1),currentPrincipal:c.object({tenantId:ue,subjectId:X}).strict(),now:V}).strict()]),u_=c.discriminatedUnion("kind",[c.object({kind:c.literal("approved"),transaction:Wd,client:Mr}).strict(),c.object({kind:c.literal("cancelled"),transaction:Wd,client:Mr}).strict(),c.object({kind:c.literal("principal_mismatch")}).strict(),c.object({kind:c.literal("stale_hash")}).strict(),c.object({kind:c.literal("consumed_already")}).strict(),c.object({kind:c.literal("expired")}).strict(),c.object({kind:c.literal("missing")}).strict()]),d_=c.object({clientAuth:Xd,codeHash:c.string().min(1),redirectUri:c.string().min(1),resource:c.string().min(1).optional(),codeChallenge:c.string().min(1),currentRefreshTokenHash:c.string().min(1),accessTokenHash:c.string().min(1),grantExpiresAt:V,accessTokenExpiresAt:V,now:V}).strict(),l_=c.discriminatedUnion("kind",[c.object({kind:c.literal("exchanged"),client:Mr,grant:Lo.strict()}).strict(),c.object({kind:c.literal("invalid_client")}).strict(),c.object({kind:c.literal("consumed")}).strict(),c.object({kind:c.literal("missing")}).strict(),c.object({kind:c.literal("expired")}).strict(),c.object({kind:c.literal("resource_mismatch")}).strict(),c.object({kind:c.literal("binding_mismatch")}).strict()]),p_=c.object({clientAuth:Xd,currentRefreshTokenHash:c.string().min(1),nextRefreshTokenHash:c.string().min(1),accessTokenHash:c.string().min(1),resource:c.string().min(1).optional(),accessTokenExpiresAt:V,now:V}).strict(),m_=c.discriminatedUnion("kind",[c.object({kind:c.literal("rotated"),client:Mr,grant:Lo.strict(),accessToken:In.strict(),matched:c.literal("current")}).strict(),c.object({kind:c.literal("invalid_client")}).strict(),c.object({kind:c.literal("missing")}).strict(),c.object({kind:c.literal("expired")}).strict(),c.object({kind:c.literal("resource_mismatch")}).strict(),c.object({kind:c.literal("revoked")}).strict()]),h_=c.object({clientAuth:Xd,tokenHash:c.string().min(1),now:V}).strict(),f_=c.discriminatedUnion("kind",[c.object({kind:c.literal("revoked_access_token")}).strict(),c.object({kind:c.literal("revoked_grant")}).strict(),c.object({kind:c.literal("client_mismatch")}).strict(),c.object({kind:c.literal("missing")}).strict(),c.object({kind:c.literal("invalid_client")}).strict()]),g_=c.object({tokenHash:c.string().min(1),now:V}).strict(),__=c.discriminatedUnion("kind",[c.object({kind:c.literal("valid"),record:In.strict()}).strict(),c.object({kind:c.literal("missing")}).strict(),c.object({kind:c.literal("expired")}).strict(),c.object({kind:c.literal("revoked")}).strict()]),y_=c.object({accessTokenHash:c.string().min(1),resource:c.string().min(1),virtualServerId:me,upstreamConnectionKeys:c.array(Fg).max(100),now:V}).strict(),S_=c.discriminatedUnion("kind",[c.object({kind:c.literal("authorized"),principal:c.object({tenantId:ue,subjectId:X,roles:c.array(c.string())}).strict(),accessToken:In.strict(),upstreamConnections:Yd.shape.items}).strict(),c.object({kind:c.literal("missing")}).strict(),c.object({kind:c.literal("expired")}).strict(),c.object({kind:c.literal("revoked")}).strict(),c.object({kind:c.literal("resource_mismatch")}).strict(),c.object({kind:c.literal("principal_mismatch")}).strict()]),w_=c.object({record:Vo}).strict(),v_=c.object({kind:c.literal("saved")}).strict(),R_=c.object({id:En,now:V}).strict(),b_=c.discriminatedUnion("kind",[c.object({kind:c.literal("available"),record:Vo}).strict(),c.object({kind:c.literal("consumed")}).strict(),c.object({kind:c.literal("missing")}).strict()]),C_=c.object({id:Bo,expiresAt:V,now:V}).strict(),I_=c.discriminatedUnion("kind",[c.object({kind:c.literal("available")}).strict(),c.object({kind:c.literal("consumed")}).strict()]);var T_=100;function A_(e){return e!==null&&typeof e=="object"}o(A_,"isProblemDetailsShape");var DE="/zups/v2/mcp/storage";function xe(e){return`${DE}/${e}`}o(xe,"buildStoragePath");function ME(){return xe("upstream-connections/batch-get")}o(ME,"buildBatchGetUpstreamConnectionsPath");function qE(){return xe("upstream-connections/upsert")}o(qE,"buildUpsertUpstreamConnectionPath");function $E(){return xe("authorization/read-setup")}o($E,"buildReadAuthorizationSetupPath");function LE(){return xe("oauth/register-client")}o(LE,"buildRegisterClientPath");function jE(){return xe("oauth/read-client")}o(jE,"buildReadClientPath");function HE(){return xe("authorization/start")}o(HE,"buildStartAuthorizationPath");function GE(){return xe("authorization/read-pending")}o(GE,"buildReadPendingAuthorizationPath");function BE(){return xe("authorization/advance-pending")}o(BE,"buildAdvancePendingAuthorizationPath");function VE(){return xe("authorization/decide-setup")}o(VE,"buildDecideAuthorizationSetupPath");function FE(){return xe("token/exchange-authorization-code")}o(FE,"buildExchangeAuthorizationCodePath");function ZE(){return xe("token/refresh")}o(ZE,"buildRefreshTokenPath");function KE(){return xe("token/revoke")}o(KE,"buildRevokeOAuthTokenPath");function WE(){return xe("token/validate-access-token")}o(WE,"buildValidateAccessTokenPath");function JE(){return xe("mcp/authorize-and-load-connections")}o(JE,"buildAuthorizeAndLoadConnectionsPath");function YE(){return xe("upstream-oauth-state/save")}o(YE,"buildSaveUpstreamOAuthStatePath");function XE(){return xe("upstream-oauth-state/consume")}o(XE,"buildConsumeUpstreamOAuthStatePath");function QE(){return xe("browser-connect-ticket/consume")}o(QE,"buildConsumeBrowserConnectTicketPath");function ex(e,t){return e.ownerMode===t.owner.mode&&e.tenantId===t.owner.tenantId&&(e.subjectId??"")===(t.owner.mode==="user"?t.owner.subjectId:"")&&e.upstreamServerId===t.upstreamServerId&&e.authProfileId===t.authProfileId}o(ex,"responseKeyMatchesLookup");function tx(e,t){return e.owner.mode===t.owner.mode&&e.owner.tenantId===t.owner.tenantId&&(e.owner.mode==="user"?e.owner.subjectId:"")===(t.owner.mode==="user"?t.owner.subjectId:"")&&e.upstreamServerId===t.upstreamServerId&&e.authProfileId===t.authProfileId}o(tx,"authorizationSetupMatchesLookup");function E_(e,t){return e.ownerMode===t.owner.mode&&e.tenantId===t.owner.tenantId&&(e.subjectId??"")===(t.owner.mode==="user"?t.owner.subjectId:"")&&e.upstreamServerId===t.upstreamServerId&&e.authProfileId===t.authProfileId}o(E_,"connectionMatchesLookup");function rx(e,t){return e.ownerMode===t.ownerMode&&(e.tenantId??"")===(t.tenantId??"")&&(e.subjectId??"")===(t.subjectId??"")&&e.upstreamServerId===t.upstreamServerId&&e.authProfileId===t.authProfileId&&e.status===t.status&&(e.encryptedAccessToken??"")===(t.encryptedAccessToken??"")&&(e.encryptedRefreshToken??"")===(t.encryptedRefreshToken??"")&&nl(e.scopes,t.scopes)&&rl(e.expiresAt,t.expiresAt)&&ox(e.metadata,t.metadata)}o(rx,"connectionMatchesUpsertRecord");function rl(e,t){return e===void 0||t===void 0?e===t:Date.parse(e)===Date.parse(t)}o(rl,"optionalTimestampInstantsMatch");function nx(e,t){return Date.parse(e)<=Date.parse(t)}o(nx,"timestampInstantIsAtOrBefore");function nl(e,t){return e.length===t.length&&e.every((r,n)=>r===t[n])}o(nl,"stringArraysMatch");function ox(e,t){let r=k_(e),n=k_(t),a=Object.fromEntries(n);return r.length===n.length&&r.every(([i,s])=>a[i]===s)}o(ox,"metadataMatches");function k_(e){return Object.entries(e??{}).filter(t=>t[1]!==void 0)}o(k_,"definedMetadataEntries");function ge(e,t){throw g({code:"internal_server_error",privateDetail:e,cause:t})}o(ge,"throwInvalidStorageResponse");async function ax(e,t){try{let r=await e.json();return r&&typeof r=="object"&&!Array.isArray(r)&&delete r.$schema,t.parse(r)}catch(r){ge("Gateway Service storage response did not match the runtime storage contract.",r)}}o(ax,"parseRuntimeHttpStorageResponse");function x_(e,t){e.length!==t.length&&ge("Gateway Service storage response item count did not match the request.");for(let[r,n]of e.entries()){let a=t[r];ex(n.key,a)||ge("Gateway Service storage response key did not match the request."),n.connection!==void 0&&!E_(n.connection,a)&&ge("Gateway Service storage response connection did not match the response key.")}}o(x_,"validateUpstreamConnectionItemsMatchLookups");function ix(e,t){tx(e,t)||ge("Gateway Service storage response authorization setup did not match the request."),e.connection!==void 0&&!E_(e.connection,t)&&ge("Gateway Service storage response authorization setup connection did not match the request.");let r=e.connection?.status==="active",n=e.connection?.status??"not_connected",a=e.connection?.updatedAt;(e.connectionStatus.connected!==r||e.connectionStatus.status!==n||!rl(e.connectionStatus.updatedAt,a))&&ge("Gateway Service storage response authorization setup status did not match the connection.")}o(ix,"validateAuthorizationSetupResponseMatchesLookup");function sx(e,t){e.kind==="registered"&&(e.client.clientId!==t.clientId||e.client.clientName!==t.clientName||e.client.tokenEndpointAuthMethod!==t.tokenEndpointAuthMethod)&&ge("Gateway Service storage response registered client did not match the request.")}o(sx,"validateRegisterClientResponseMatchesRequest");function cx(e,t){e.kind==="found"&&e.client.clientId!==t.clientId&&ge("Gateway Service storage response client did not match the request.")}o(cx,"validateReadClientResponseMatchesRequest");function ux(e,t){e.kind==="started"&&((e.transaction.id!==t.transactionId||e.transaction.currentStateHash!==t.currentStateHash||e.transaction.phase!==t.phase||e.transaction.clientId!==t.clientId||e.transaction.redirectUri!==t.redirectUri||e.transaction.resource!==t.resource||e.transaction.virtualServerId!==t.virtualServerId||(e.transaction.clientState??"")!==(t.clientState??"")||e.transaction.scope!==t.scope||e.transaction.codeChallenge!==t.codeChallenge||e.transaction.codeChallengeMethod!==t.codeChallengeMethod)&&ge("Gateway Service storage response started authorization did not match the request."),t.phase==="awaiting_setup"&&(e.transaction.phase!=="awaiting_setup"||e.transaction.principal.tenantId!==t.principal.tenantId||e.transaction.principal.subjectId!==t.principal.subjectId)&&ge("Gateway Service storage response started authorization principal did not match the request."))}o(ux,"validateStartAuthorizationResponseMatchesRequest");function P_(e,t){e.kind!=="available"&&e.kind!=="advanced"||((e.transaction.id!==t.transactionId||e.transaction.currentStateHash!==("nextStateHash"in t?t.nextStateHash:t.currentStateHash))&&ge("Gateway Service storage response pending authorization did not match the request."),"nextPhase"in t&&(e.transaction.phase!==t.nextPhase||e.transaction.phase!=="awaiting_setup"||e.transaction.principal.tenantId!==t.principal.tenantId||e.transaction.principal.subjectId!==t.principal.subjectId)&&ge("Gateway Service storage response advanced authorization did not match the request."))}o(P_,"validatePendingAuthorizationResponseMatchesRequest");function dx(e,t){e.kind!=="approved"&&e.kind!=="cancelled"||(e.transaction.id!==t.transactionId||e.transaction.currentStateHash!==t.currentStateHash||e.transaction.principal.tenantId!==t.currentPrincipal.tenantId||e.transaction.principal.subjectId!==t.currentPrincipal.subjectId)&&ge("Gateway Service storage response authorization setup transaction did not match the request.")}o(dx,"validateAuthorizationSetupDecisionResponseMatchesRequest");function lx(e,t){e.kind==="exchanged"&&(e.client.clientId!==t.clientAuth.clientId||e.client.tokenEndpointAuthMethod!==t.clientAuth.method||e.grant.clientId!==t.clientAuth.clientId||e.grant.currentRefreshTokenHash!==t.currentRefreshTokenHash||!rl(e.grant.expiresAt,t.grantExpiresAt)||t.resource!==void 0&&e.grant.resource!==t.resource)&&ge("Gateway Service storage response authorization-code exchange did not match the request.")}o(lx,"validateExchangeAuthorizationCodeResponseMatchesRequest");function px(e,t){e.kind==="rotated"&&((e.client.clientId!==t.clientAuth.clientId||e.client.tokenEndpointAuthMethod!==t.clientAuth.method||e.grant.clientId!==t.clientAuth.clientId||e.grant.currentRefreshTokenHash!==t.nextRefreshTokenHash||e.grant.previousRefreshTokenHash!==t.currentRefreshTokenHash||t.resource!==void 0&&e.grant.resource!==t.resource)&&ge("Gateway Service storage response token refresh grant did not match the request."),(e.accessToken.tokenHash!==t.accessTokenHash||e.accessToken.grantId!==e.grant.id||!nx(e.accessToken.expiresAt,t.accessTokenExpiresAt)||!fx(e.accessToken,e.grant))&&ge("Gateway Service storage response token refresh access token did not match the request."))}o(px,"validateRefreshTokenResponseMatchesRequest");function mx(e,t){e.kind==="valid"&&e.record.tokenHash!==t.tokenHash&&ge("Gateway Service storage response access token did not match the request.")}o(mx,"validateAccessTokenValidationResponseMatchesRequest");function hx(e,t){e.kind==="authorized"&&((e.accessToken.tokenHash!==t.accessTokenHash||e.accessToken.resource!==t.resource||e.accessToken.virtualServerId!==t.virtualServerId||e.principal.tenantId!==e.accessToken.tenantId||e.principal.subjectId!==e.accessToken.subjectId||!nl(e.principal.roles,e.accessToken.roles))&&ge("Gateway Service storage response MCP authorization did not match the request."),x_(e.upstreamConnections,t.upstreamConnectionKeys))}o(hx,"validateAuthorizeAndLoadConnectionsResponseMatchesRequest");function fx(e,t){return e.clientId===t.clientId&&e.resource===t.resource&&e.virtualServerId===t.virtualServerId&&e.tenantId===t.tenantId&&e.subjectId===t.subjectId&&e.scope===t.scope&&nl(e.roles,t.roles)}o(fx,"accessTokenMatchesGrant");async function gx(e){try{return await e.clone().json()}catch{return}}o(gx,"readProblemDetails");async function _x(e){let t=await gx(e),r=A_(t)&&typeof t.status=="number"?t.status:e.status,n=A_(t)&&Uo(t.code)?t.code:pd(r);throw g({code:n,privateDetail:`Gateway Service storage request failed with HTTP ${r}.`})}o(_x,"throwRuntimeHttpStorageError");var Ki=class{static{o(this,"RuntimeHttpStorageClient")}#t;#r;constructor(t){this.#t=t.baseUrl??gp.instance.zuploEdgeApiUrl,this.#r=t.fetch??fetch}async#e(t){let r=t.requestSchema.parse(t.input),n=new URL(t.path,this.#t),a=new Headers({"Content-Type":"application/json"});_p(a);let i=await this.#r(n,{method:"POST",headers:a,body:JSON.stringify(r)});return i.ok||await _x(i),{request:r,response:await ax(i,t.responseSchema)}}async batchGetUpstreamConnections(t){if(t.length===0)return[];let r=[],n=new Map,a=t.map(s=>{let u=Dr(s),d=n.get(u);if(d!==void 0)return d;let l=r.length;return r.push(s),n.set(u,l),l}),i=[];for(let s=0;s<r.length;s+=T_){let u=r.slice(s,s+T_);i.push(...await this.#n(u))}return a.map(s=>i[s])}async upsertUpstreamConnection(t){let{request:r,response:n}=await this.#e({input:t,path:qE(),requestSchema:Kg,responseSchema:Wg});return rx(n,r)||ge("Gateway Service storage response connection did not match the request."),n}async readAuthorizationSetup(t){let{request:r,response:n}=await this.#e({input:t,path:$E(),requestSchema:Jg,responseSchema:Yg});return ix(n,r),n}async registerClient(t){let{request:r,response:n}=await this.#e({input:t,path:LE(),requestSchema:Xg,responseSchema:Qg});return sx(n,r),n}async readClient(t){let{request:r,response:n}=await this.#e({input:t,path:jE(),requestSchema:e_,responseSchema:t_});return cx(n,r),n}async startAuthorization(t){let{request:r,response:n}=await this.#e({input:t,path:HE(),requestSchema:r_,responseSchema:n_});return ux(n,r),n}async readPendingAuthorization(t){let{request:r,response:n}=await this.#e({input:t,path:GE(),requestSchema:o_,responseSchema:a_});return P_(n,r),n}async advancePendingAuthorization(t){let{request:r,response:n}=await this.#e({input:t,path:BE(),requestSchema:i_,responseSchema:s_});return P_(n,r),n}async decideAuthorizationSetup(t){let{request:r,response:n}=await this.#e({input:t,path:VE(),requestSchema:c_,responseSchema:u_});return dx(n,r),n}async saveUpstreamOAuthState(t){let{response:r}=await this.#e({input:t,path:YE(),requestSchema:w_,responseSchema:v_});return r}async consumeUpstreamOAuthState(t){let{request:r,response:n}=await this.#e({input:t,path:XE(),requestSchema:R_,responseSchema:b_});return n.kind==="available"&&n.record.id!==r.id&&ge("Gateway Service storage response upstream OAuth state did not match the request."),n}async consumeBrowserConnectTicket(t){let{response:r}=await this.#e({input:t,path:QE(),requestSchema:C_,responseSchema:I_});return r}async exchangeAuthorizationCode(t){let{request:r,response:n}=await this.#e({input:t,path:FE(),requestSchema:d_,responseSchema:l_});return lx(n,r),n}async refreshToken(t){let{request:r,response:n}=await this.#e({input:t,path:ZE(),requestSchema:p_,responseSchema:m_});return px(n,r),n}async revokeOAuthToken(t){let{response:r}=await this.#e({input:t,path:KE(),requestSchema:h_,responseSchema:f_});return r}async validateAccessToken(t){let{request:r,response:n}=await this.#e({input:t,path:WE(),requestSchema:g_,responseSchema:__});return mx(n,r),n}async authorizeAndLoadConnections(t){let{request:r,response:n}=await this.#e({input:t,path:JE(),requestSchema:y_,responseSchema:S_});return hx(n,r),n}async#n(t){let r={items:[...t]},{response:n}=await this.#e({input:r,path:ME(),requestSchema:Zg,responseSchema:Yd});return x_(n.items,t),n.items.map(a=>a.connection)}};var ol=class{constructor(t){this.client=t}static{o(this,"RuntimeHttpUpstreamConnectionRepository")}batchGet(t){return this.client.batchGetUpstreamConnections(t)}upsert(t){return this.client.upsertUpstreamConnection(t)}},al=class{constructor(t){this.client=t}static{o(this,"RuntimeHttpDownstreamOAuthRepository")}#t=new Map;#r=new Map;async getDcrClient(t){let r=this.#t.get(t);if(r&&r.redirectUris.length>0)return r;let n=await this.client.readClient({clientId:t});if(n.kind!=="missing")return this.#t.set(t,n.client),n.client}async saveDcrClient(t){if((await this.client.registerClient(t)).kind==="already_exists")throw g("invalid_request","OAuth client is already registered.");this.#t.set(t.clientId,t)}async savePendingAuthorizationTransaction(t,r){let{id:n,...a}=t,i=await this.client.startAuthorization({...a,transactionId:n,...r?.client===void 0?{}:{client:r.client}});switch(i.kind){case"started":return this.#e(i.client),{kind:"saved"};case"already_exists":return{kind:"already_exists"};case"invalid_client":throw new U("invalid_client","OAuth client is not registered.");case"redirect_uri_mismatch":throw new U("invalid_request","redirect_uri is not registered for the client.")}}async advancePendingAuthorizationTransaction(t){let r=await this.client.advancePendingAuthorization({transactionId:t.id,expectedPhase:t.expectedPhase,currentStateHash:t.currentStateHash,nextStateHash:t.nextStateHash,nextPhase:t.nextPhase,principal:t.principal,now:O(t.now)});return r.kind==="advanced"?(this.#e(r.client),{kind:"advanced",record:r.transaction}):r}async getPendingAuthorizationTransaction(t){let r=await this.client.readPendingAuthorization({transactionId:t.id,currentStateHash:t.currentStateHash,now:O(t.now)});return r.kind==="available"?(this.#e(r.client),{kind:"available",record:r.transaction}):r}async consumePendingAuthorizationTransaction(t){let r=await this.getPendingAuthorizationTransaction(t);return r.kind!=="available"?r.kind==="consumed"?{kind:"consumed_already"}:r:r.record.phase!=="awaiting_setup"?{kind:"missing"}:(this.#r.set(r.record.id,{currentStateHash:t.currentStateHash,now:t.now,transaction:r.record}),{kind:"consumed",record:r.record})}async issueAuthorizationCode(t){let r=this.#r.get(t.id);if(!r)throw g("internal_server_error","Authorization code issuance requires a pending setup decision.");let n=await this.decideAuthorizationSetup({decision:"approve",transactionId:t.id,currentStateHash:r.currentStateHash,currentPrincipal:{tenantId:r.transaction.principal.tenantId,subjectId:r.transaction.principal.subjectId},authorizationCodeHash:t.codeHash,authorizationCodeExpiresAt:t.expiresAt,grantId:t.grantId,now:O(r.now)});if(this.#r.delete(t.id),n.kind!=="approved")throw g("oauth_state_invalid","Authorization setup state is invalid, expired, or already used.")}async exchangeAuthorizationCode(t){let r=await this.exchangeAuthorizationCodeWithClientAuth({clientAuth:{method:"none",clientId:t.clientId},codeHash:t.codeHash,redirectUri:t.redirectUri,...t.resource===void 0?{}:{resource:t.resource},codeChallenge:t.codeChallenge,currentRefreshTokenHash:t.currentRefreshTokenHash,accessTokenHash:t.accessTokenHash,grantExpiresAt:t.grantExpiresAt,accessTokenExpiresAt:t.accessTokenExpiresAt,now:O(t.now)});return r.kind==="invalid_client"?{kind:"missing"}:r.kind==="exchanged"?{kind:"exchanged",grant:r.grant}:r}async saveAccessToken(t){throw g("internal_server_error","Runtime HTTP access-token save is covered by token exchange/refresh operations.")}async validateAccessToken(t){return this.client.validateAccessToken({tokenHash:t.tokenHash,now:O(t.now)})}async rotateRefreshToken(t){throw g("internal_server_error","Runtime HTTP refresh-token rotation is covered by the token refresh operation.")}async revokeOAuthToken(t){let r=await this.revokeOAuthTokenWithClientAuth({clientAuth:{method:"none",clientId:t.clientId},tokenHash:t.tokenHash,now:O(t.now)});return r.kind==="invalid_client"?{kind:"missing"}:r}async revokeGrant(t){throw g("internal_server_error","Runtime HTTP grant revocation is not exposed as a standalone storage operation.")}decideAuthorizationSetup(t){return this.client.decideAuthorizationSetup(t)}exchangeAuthorizationCodeWithClientAuth(t){return this.client.exchangeAuthorizationCode(t)}refreshTokenWithClientAuth(t){return this.client.refreshToken(t)}revokeOAuthTokenWithClientAuth(t){return this.client.revokeOAuthToken(t)}authorizeAndLoadConnections(t){return this.client.authorizeAndLoadConnections(t)}#e(t){this.#t.has(t.clientId)||this.#t.set(t.clientId,{clientId:t.clientId,clientName:t.clientName,redirectUris:[],tokenEndpointAuthMethod:t.tokenEndpointAuthMethod,clientExpiresAt:O(new Date(864e10)),createdAt:O(new Date(0))})}},il=class{constructor(t){this.client=t}static{o(this,"RuntimeHttpOAuthStateStore")}async save(t){await this.client.saveUpstreamOAuthState({record:t})}consumeForCallback(t){return this.client.consumeUpstreamOAuthState({id:t,now:O(new Date)})}},sl=class{constructor(t){this.client=t}static{o(this,"RuntimeHttpBrowserConnectTicketStore")}consume(t,r){return this.client.consumeBrowserConnectTicket({id:t,expiresAt:O(r),now:O(new Date)})}};function O_(e={}){let t=new Ki(e);return{upstreamConnectionRepository:new ol(t),downstreamOAuthRepository:new al(t),oauthStateStore:new il(t),browserConnectTicketStore:new sl(t)}}o(O_,"createRuntimeHttpStorageBackend");var yx="__zuploMcpGatewayStorageBackend",cl;function Sx(e){return{upstreamConnectionRepository:new Vi(e),downstreamOAuthRepository:new Li(e),oauthStateStore:new Fi(e),browserConnectTicketStore:new Zi(e)}}o(Sx,"createPostgresStorageBackend");function wx(e){let t=xg(e),r=Ug(t);return Sx(r)}o(wx,"buildPostgresStorageBackend");function vx(){let e=$i().TEST_ONLY_DO_NOT_USE_DB_CONNECTION_STRING;return e?wx(e):O_()}o(vx,"buildProductionStorageBackend");function q(){let e=globalThis[yx];return e||(cl||(cl=vx()),cl)}o(q,"getStorage");function ul(e){let t=e.headers.get("authorization"),[r,n]=t?.split(/\s+/,2)??[];if(!(r?.toLowerCase()!=="bearer"||!n))return n}o(ul,"readBearerToken");function Rx(e,t,r){return Ze(e,t,{code:"authentication_required",detail:"Gateway access token is required.",headers:{"WWW-Authenticate":r}})}o(Rx,"gatewayAuthenticationRequiredResponse");async function bx(e,t,r){let n=await q().downstreamOAuthRepository.validateAccessToken({tokenHash:await F(e),now:new Date});if(n.kind!=="valid")throw t.log.warn({event:"gateway_access_token_validate_failed",code:"authentication_required",validationKind:n.kind,virtualServerId:r},"Gateway access token validation failed"),g("authentication_required","Gateway access token is expired, revoked, or invalid.");return n.record}o(bx,"validateGatewayAccessToken");function Cx(e,t){if(e.accessToken.resource!==e.resource||e.accessToken.virtualServerId!==e.virtualServerId)throw t.log.warn({event:"gateway_access_token_resource_mismatch",code:"authentication_required",expectedResource:e.resource,tokenResource:e.accessToken.resource,expectedVirtualServerId:e.virtualServerId,tokenVirtualServerId:e.accessToken.virtualServerId,clientId:e.accessToken.clientId},"Gateway access token resource does not match the requested MCP resource"),g("authentication_required","Gateway access token was not issued for this MCP resource.")}o(Cx,"assertAccessTokenResource");function Ix(e,t,r){return Ze(e,t,{code:"forbidden",detail:"Gateway access token is missing the required MCP scope.",headers:{"WWW-Authenticate":An({virtualServerId:r,requestUrl:e.url,error:"insufficient_scope",errorDescription:`The access token is missing the ${ce} scope required by this MCP resource.`,scope:ce})}})}o(Ix,"insufficientScopeResponse");function Tx(e){return{subjectId:e.subjectId,tenantId:e.tenantId,roles:e.roles}}o(Tx,"principalFromAccessToken");function Ax(e){let t=de(e.error),r={event:"gateway_access_token_rejected",code:t??"authentication_required",virtualServerId:e.virtualServerId};return e.error instanceof Error?(r.errorName=e.error.name,r.errorMessage=e.error.message):e.error!==void 0&&e.error!==null&&(r.errorMessage=String(e.error)),e.context.log.warn(r,"Gateway access token rejected; MCP request denied"),Ze(e.request,e.context,{code:t??"authentication_required",detail:e.error instanceof Error?e.error.message:"Gateway access token could not be verified.",headers:{"WWW-Authenticate":An({virtualServerId:e.virtualServerId,requestUrl:e.request.url,error:"invalid_token",errorDescription:"The access token is expired, malformed, or invalid."})}})}o(Ax,"gatewayTokenRejectedResponse");async function dl(e,t){let r=Rn(t),n=Nr(r.virtualServerId,e.url),a=ul(e),i=An({virtualServerId:r.virtualServerId,requestUrl:e.url});if(!a)return t.log.debug({event:"gateway_access_token_missing",code:"authentication_required",virtualServerId:r.virtualServerId,hasAuthorizationHeader:e.headers.get("authorization")!==null},"MCP request did not include a gateway access token"),Rx(e,t,i);try{let s=await bx(a,t,r.virtualServerId);if(Cx({accessToken:s,resource:n,virtualServerId:r.virtualServerId},t),s.scope!==ce)return t.log.warn({event:"gateway_access_token_insufficient_scope",code:"forbidden",tokenScope:s.scope,requiredScope:ce,virtualServerId:r.virtualServerId,clientId:s.clientId},"Gateway access token does not have the required MCP scope"),Ix(e,t,r.virtualServerId);let u=Tx(s);return Ag(t,u),ld(t,u),e}catch(s){return Ax({request:e,context:t,error:s,virtualServerId:r.virtualServerId})}}o(dl,"gatewayTokenInbound");var kx=2,U_=4,Px=24,Ex=16,z_=512,xx=/(token|secret|authorization|password|cookie|credential|client[_-]?secret|code[_-]?verifier|(^|[_-])(code|state|verifier)($|[_-]))/i,Ox=/("(?:access_token|refresh_token|id_token|client_secret|authorization|password|cookie|code|state|code_verifier)"\s*:\s*")([^"]*)(")/gi,Ux=/\b(access[_-]?token|refresh[_-]?token|id[_-]?token|client[_-]?secret|password|cookie|code|state|code[_-]?verifier)(\s*[:=]\s*)(?:"[^"]*"|'[^']*'|[^\s,;&]+)/gi,zx=/\b(authorization)(\s*[:=]\s*)(?:"[^"]*"|'[^']*'|(?:Bearer|Basic)\s+[^\s,;]+|[^\s,;]+)/gi,Nx=/\bBearer\s+[A-Za-z0-9._~+/=-]+/gi,Dx=/\bBasic\s+[A-Za-z0-9+/=-]+/gi;function N_(e){let t=e.route;return t&&typeof t=="object"?t:void 0}o(N_,"readRoute");function Mx(e){let t=N_(e)?.path;return typeof t=="string"&&t.length>0?t:void 0}o(Mx,"readRoutePath");function qx(e){let t=N_(e)?.raw;if(typeof t!="function")return;let r=t();if(!r||typeof r!="object")return;let n=r.operationId;return typeof n=="string"&&n.length>0?n:void 0}o(qx,"readRouteOperationId");function $x(e){if(!(e===void 0||!Number.isFinite(e)||e<100))return`${Math.trunc(e/100)}xx`}o($x,"deriveStatusClass");function Lx(e,t){if(!(!e&&!t))return e==="user"?t==="user_oauth"?"upstream_user_attributed":"gateway_user_attributed_only":e==="tenant_shared"?"tenant_shared_upstream_identity":e==="none"?"machine_identity":"unknown"}o(Lx,"deriveOriginAttributionMode");function jx(e){if(!e)return;let t=e.toLowerCase();return t.includes("desktop")||t.includes("claude")||t.includes("chatgpt")?"desktop":t.includes("vscode")||t.includes("cursor")||t.includes("zed")||t.includes("jetbrains")||t.includes("ide")?"ide":t.includes("extension")?"extension":t.includes("agent")||t.includes("bot")||t.includes("worker")||t.includes("service")?"service":"unknown"}o(jx,"deriveClientKind");function Hx(e,t){return t==="success"?"none":e===H.MCP_GATEWAY_REQUEST_RECEIVED||e===H.MCP_GATEWAY_REQUEST_REJECTED||e===H.MCP_GATEWAY_CLIENT_UNSUPPORTED_BEHAVIOR?"ingress":e.startsWith("mcp_gateway_auth_")||e.startsWith("mcp_gateway_oauth_")?"auth":e===H.MCP_GATEWAY_INITIALIZE_NEGOTIATED?"routing":e===H.MCP_GATEWAY_POLICY_DECISION?"policy":e===H.MCP_GATEWAY_GUARDRAIL_DECISION?"guardrail":e===H.MCP_GATEWAY_RATE_LIMIT_DECISION?"policy":e.startsWith("mcp_gateway_upstream_")||e.startsWith("mcp_gateway_capability_")||e.startsWith("mcp_gateway_catalog_")?"upstream":e===H.MCP_GATEWAY_REQUEST_COMPLETED?"egress":"none"}o(Hx,"deriveFailureStage");function Gx(e,t){return t==="success"?"none":t==="application_error"?"mcp_application":e.startsWith("mcp_gateway_auth_")||e.startsWith("mcp_gateway_oauth_")?"auth":e===H.MCP_GATEWAY_POLICY_DECISION||e===H.MCP_GATEWAY_GUARDRAIL_DECISION||e===H.MCP_GATEWAY_RATE_LIMIT_DECISION?"policy":e.startsWith("mcp_gateway_upstream_")||e===H.MCP_GATEWAY_CAPABILITY_FAILED||e===H.MCP_GATEWAY_CAPABILITY_CONNECT_REQUIRED?"upstream":e===H.MCP_GATEWAY_REQUEST_REJECTED||e===H.MCP_GATEWAY_CLIENT_UNSUPPORTED_BEHAVIOR?"client":"gateway"}o(Gx,"deriveFailureOrigin");function Bx(e,t){return t==="success"?"none":e.startsWith("mcp_gateway_auth_")||e.startsWith("mcp_gateway_oauth_")?"auth":e===H.MCP_GATEWAY_POLICY_DECISION?"policy":e===H.MCP_GATEWAY_GUARDRAIL_DECISION?"guardrail":e===H.MCP_GATEWAY_RATE_LIMIT_DECISION?"rate_limit":e.startsWith("mcp_gateway_upstream_")?"upstream":e===H.MCP_GATEWAY_CLIENT_UNSUPPORTED_BEHAVIOR||e===H.MCP_GATEWAY_REQUEST_REJECTED?"protocol":"none"}o(Bx,"deriveReasonClass");function Vx(e){return e.length<=z_?e:`${e.slice(0,z_)}...`}o(Vx,"truncateAnalyticsString");function Fx(e){return Vx(e.replace(Ox,"$1[REDACTED]$3").replace(zx,"$1$2[REDACTED]").replace(Ux,"$1$2[REDACTED]").replace(Nx,"Bearer [REDACTED]").replace(Dx,"Basic [REDACTED]"))}o(Fx,"redactAnalyticsString");function D_(e,t){if(e!==void 0){if(e===null||typeof e=="boolean")return e;if(typeof e=="string")return Fx(e);if(typeof e=="number")return Number.isFinite(e)?e:void 0;if(Array.isArray(e))return t>=U_?"[DEPTH_LIMIT]":e.slice(0,Ex).map(r=>D_(r,t+1)).filter(r=>r!==void 0);if(typeof e=="object")return e instanceof Date?e.toISOString():t>=U_?"[DEPTH_LIMIT]":M_(e,t+1)}}o(D_,"sanitizeAnalyticsValue");function M_(e,t=0){if(!e)return;let r={};for(let[n,a]of Object.entries(e).slice(0,Px)){if(xx.test(n)){r[n]="[REDACTED]";continue}let i=D_(a,t);i!==void 0&&(r[n]=i)}return Object.keys(r).length===0?void 0:r}o(M_,"sanitizeMcpGatewayAnalyticsAttributes");function z(e){return e===void 0?null:e}o(z,"nullable");function Zx(e){let t=e.environment;return t&&typeof t=="object"&&typeof t.name=="string"?t.name:null}o(Zx,"readEnvironment");function Kx(e){let t=e.requestId;return typeof t=="string"&&t.length>0?t:null}o(Kx,"readRequestId");function Wx(e){if(e===void 0)return null;try{return JSON.stringify(e)}catch{return null}}o(Wx,"attributesToJsonString");function Jx(e,t){let r=Hd(e),n=No(e),a=M_(t.attributes),i=Kx(e),s=t.ownerMode??t.routeBinding?.ownerMode??null,u=t.upstreamAuthMode??t.routeBinding?.authMode??null,d=t.virtualServerName??t.routeBinding?.virtualServerId??n?.virtualServerId??null,l=t.upstreamServerName??t.routeBinding?.upstreamServerId??n?.upstreamServerId??null,p=t.upstreamServerTitle??t.routeBinding?.upstreamDisplayName??null,m=t.authProfileId??t.routeBinding?.authProfileId??n?.authProfileId??null,f=t.clientKind??jx(t.clientName)??null,_=Lx(s??void 0,u??void 0)??null,S=$x(t.httpStatusCode)??null,y=t.reasonClass??Bx(t.eventType,t.outcome),w=t.failureOrigin??Gx(t.eventType,t.outcome),v=t.failureStage??Hx(t.eventType,t.outcome);return{schemaVersion:kx,outcome:t.outcome,tenantId:z(r?.tenantId),subjectId:z(r?.subjectId),environment:Zx(e),traceId:t.traceId??i,spanId:z(t.spanId),parentEventId:z(t.parentEventId),mcpSessionId:z(t.mcpSessionId),routeSurface:z(t.routeSurface),routePath:Mx(e)??null,operationId:qx(e)??null,virtualServerName:d,virtualServerTitle:z(t.virtualServerTitle),upstreamServerName:l,upstreamServerTitle:p,upstreamBindingId:z(t.upstreamBindingId),clientName:z(t.clientName),clientTitle:z(t.clientTitle),clientVersion:z(t.clientVersion),clientKind:f,authProfileId:m,upstreamAuthMode:u,ownerMode:s,authMethod:z(t.authMethod),originAttributionMode:_,httpMethod:z(t.httpMethod),httpStatusCode:z(t.httpStatusCode),statusClass:S,mcpMethod:z(t.mcpMethod),mcpProtocolVersion:z(t.mcpProtocolVersion),mcpStatus:z(t.mcpStatus),mcpErrorType:z(t.mcpErrorType),applicationError:z(t.applicationError),applicationErrorCode:z(t.applicationErrorCode),toolResultIsError:z(t.toolResultIsError),capabilityType:z(t.capabilityType),capabilityName:z(t.capabilityName),capabilityTitle:z(t.capabilityTitle),upstreamCapabilityName:z(t.upstreamCapabilityName),upstreamCapabilityTitle:z(t.upstreamCapabilityTitle),capabilitySchemaHash:z(t.capabilitySchemaHash),policyId:z(t.policyId),policyAction:z(t.policyAction),guardrailType:z(t.guardrailType),guardrailDirection:z(t.guardrailDirection),guardrailFindingCount:z(t.guardrailFindingCount),redactionCount:z(t.redactionCount),requestMutated:z(t.requestMutated),responseMutated:z(t.responseMutated),latencyMs:z(t.latencyMs),gatewayLatencyMs:z(t.gatewayLatencyMs),upstreamLatencyMs:z(t.upstreamLatencyMs),authLatencyMs:z(t.authLatencyMs),policyLatencyMs:z(t.policyLatencyMs),requestBytes:z(t.requestBytes),responseBytes:z(t.responseBytes),estimatedInputTokens:z(t.estimatedInputTokens),estimatedOutputTokens:z(t.estimatedOutputTokens),estimatedContextTokens:z(t.estimatedContextTokens),contextPressureBucket:z(t.contextPressureBucket),responseMimeTypes:z(t.responseMimeTypes),base64Suspected:z(t.base64Suspected),truncated:z(t.truncated),isLargePayloadRequest:z(t.isLargePayloadRequest),isLargePayloadResponse:z(t.isLargePayloadResponse),payloadCaptureMode:z(t.payloadCaptureMode),reasonCode:z(t.reasonCode),reasonClass:y,errorType:t.errorType??t.reasonCode??null,failureOrigin:w,failureStage:v,customMetadataJson:z(t.customMetadataJson),attributesJson:Wx(a)}}o(Jx,"buildMcpGatewayAnalyticsMetadata");function We(e,t){try{e.analyticsContext.addAnalyticsEvent(t.value??1,t.eventType,Jx(e,t),t.unit)}catch(r){e.log?.warn?.({event:"mcp_gateway_analytics_emit_failed",errorName:r instanceof Error?r.name:"unknown"})}}o(We,"emitMcpGatewayAnalyticsEvent");function Je(e){let t=st().connectionsById.get(e);if(!t)throw g("unknown_upstream_server",`Unknown upstream server: ${e}`);return t.config}o(Je,"getUpstreamServerConfig");function Yx(e){let t=st().connectionsById.get(e.upstreamServerId);if(!t||t.authProfileId!==e.authProfileId)throw g("unknown_auth_profile",`Unknown auth profile ${String(e.authProfileId)} for upstream server ${e.upstreamServerId}.`);return t.authProfileId}o(Yx,"resolveUpstreamAuthProfileId");function hr(e){Yx(e);let t=st().connectionsById.get(e.upstreamServerId);if(!t)throw g("unknown_auth_profile",`Auth profile could not be resolved for upstream server ${e.upstreamServerId}.`);return t.authConfig}o(hr,"getUpstreamAuthConfig");function qr(e,t){let r=hr({upstreamServerId:e,authProfileId:t});if(!Bf(r))throw g("invalid_request",`Upstream server ${e} does not use upstream OAuth.`);return r.oauth}o(qr,"requireUpstreamOAuthConfig");var Xx={tenant_shared_oauth:{authMode:"tenant_shared_oauth",ownerMode:"tenant_shared",connectSupport:"oauth_authorization",connectUnsupportedDetail:void 0,callbackSupport:"authorization_code",credentialAcquisition:"oauth_connection"},user_oauth:{authMode:"user_oauth",ownerMode:"user",connectSupport:"oauth_authorization",connectUnsupportedDetail:void 0,callbackSupport:"authorization_code",credentialAcquisition:"oauth_connection"},static_secret:{authMode:"static_secret",ownerMode:"none",connectSupport:"none",connectUnsupportedDetail:"Static-secret upstreams do not support browser connection flows.",callbackSupport:"none",credentialAcquisition:"configured_static_secret"},tenant_static_secret:{authMode:"tenant_static_secret",ownerMode:"tenant_shared",connectSupport:"none",connectUnsupportedDetail:"Tenant static-secret upstreams do not support browser connection flows.",callbackSupport:"none",credentialAcquisition:"tenant_static_secret_connection"},user_static_secret:{authMode:"user_static_secret",ownerMode:"user",connectSupport:"user_static_secret_capture",connectUnsupportedDetail:void 0,callbackSupport:"none",credentialAcquisition:"user_static_secret_connection"}};function At(e){return Xx[e]}o(At,"describeUpstreamAuthMode");function Wi(e){return At(e).ownerMode}o(Wi,"resolveOwnerModeForUpstreamAuthMode");Y();import{errors as B_,jwtVerify as V_,SignJWT as F_}from"jose";import{base64url as Qx}from"jose";var eO=new TextEncoder,ll=32;function q_(e,t={}){let r=[tO(e),eO.encode(e)],n;for(let a of r)if(a){if(a.byteLength>=ll){n=a;break}(n===void 0||a.byteLength>n.byteLength)&&(n=a)}if(n===void 0||n.byteLength<ll){let a=t.name??"secret key material",i=n?.byteLength??0;throw new Error(`${a} must decode to at least ${ll} bytes (got ${i}). Generate a high-entropy value with for example: openssl rand -base64 32 | tr '+/' '-_' | tr -d '='.`)}return n}o(q_,"decodeConfiguredSecretKeyMaterial");function tO(e){try{return Qx.decode(e)}catch{return}}o(tO,"tryDecodeBase64Url");var $_=new Map,L_=new Map;function rO(e){let t=$_.get(e);return t||(t=q_($i()[e],{name:e}),$_.set(e,t)),t}o(rO,"getMasterKeyMaterial");async function kt(e){let t=L_.get(e.purpose);if(t!==void 0)return t;let r=await e.derive(rO(e.envVar));return L_.set(e.purpose,r),r}o(kt,"readCachedDerivedKey");var nO="SHA-256";var oO="zuplo-mcp-gateway:",aO=new TextEncoder,j_=new WeakMap;async function fr(e,t){let r=j_.get(e);r||(r=new Map,j_.set(e,r));let n=r.get(t);if(n)return n;let a=await iO(e,t);return r.set(t,a),a}o(fr,"deriveGatewaySigningKey");async function iO(e,t){let r=H_(e),n=await crypto.subtle.importKey("raw",r,{name:"HKDF"},!1,["deriveBits"]),a=aO.encode(`${oO}${t}`),i=await crypto.subtle.deriveBits({name:"HKDF",hash:nO,salt:new Uint8Array,info:H_(a)},n,32*8);return new Uint8Array(i)}o(iO,"hkdfExpand");function H_(e){let t=new ArrayBuffer(e.byteLength);return new Uint8Array(t).set(e),t}o(H_,"copyToArrayBuffer");var Ji="HS256",Z_=15*60,sO=15*60,Yi="zuplo-mcp-gateway",Xi="zuplo-mcp-gateway",cO=Dg.extend({id:En}),uO=cO.extend({exp:c.number().int().positive(),iat:c.number().int().positive().optional()}),K_=kn.extend({id:Bo,purpose:c.literal("browser_connect")}),dO=kn.extend({purpose:c.literal("browser_connect")}),lO=K_.extend({exp:c.number().int().positive(),iat:c.number().int().positive().optional()}),W_=Z_*1e3;async function J_(){return kt({purpose:"oauth-state",envVar:"OAUTH_STATE_SIGNING_KEY",derive:o(e=>fr(e,"oauth-state"),"derive")})}o(J_,"getOAuthStateKey");async function Y_(){return kt({purpose:"browser-connect",envVar:"OAUTH_STATE_SIGNING_KEY",derive:o(e=>fr(e,"browser-connect"),"derive")})}o(Y_,"getBrowserConnectKey");async function X_(e){let t=Math.floor(Date.now()/1e3)+Z_;return new F_(e).setProtectedHeader({alg:Ji,typ:"JWT"}).setIssuer(Yi).setAudience(Xi).setIssuedAt().setExpirationTime(t).sign(await J_())}o(X_,"signOAuthState");async function Qi(e){try{let{payload:t}=await V_(e,await J_(),{algorithms:[Ji],issuer:Yi,audience:Xi});return uO.parse(t)}catch(t){throw t instanceof B_.JWTExpired?g("oauth_state_expired","OAuth state has expired",t):g("oauth_state_invalid","OAuth state could not be verified",t)}}o(Qi,"verifyOAuthState");async function Q_(e){let t=Math.floor(Date.now()/1e3)+sO,r=dO.parse(e),n=K_.parse({...r,id:jg()});return new F_(n).setProtectedHeader({alg:Ji,typ:"JWT"}).setIssuer(Yi).setAudience(Xi).setIssuedAt().setExpirationTime(t).sign(await Y_())}o(Q_,"signBrowserConnectTicket");async function es(e){try{let{payload:t}=await V_(e,await Y_(),{algorithms:[Ji],issuer:Yi,audience:Xi});return lO.parse(t)}catch(t){throw t instanceof B_.JWTExpired?g("oauth_state_expired","Browser connect ticket has expired",t):g("oauth_state_invalid","Browser connect ticket could not be verified",t)}}o(es,"verifyBrowserConnectTicket");async function ts(e){if((await q().browserConnectTicketStore.consume(e.id,new Date(e.exp*1e3))).kind==="consumed")throw g("oauth_state_reused","Browser connect ticket has already been used")}o(ts,"consumeBrowserConnectTicket");function pO(e,t,r=!1){return r?`${e} authorization must be renewed before this ${t} can be used.`:`${e} authorization is required before this ${t} can be used.`}o(pO,"buildConnectRequiredMessage");async function ey(e){let t=re(e.requestUrl),r=new URL(e.path,t);return e.redirect&&r.searchParams.set("redirect","true"),r.searchParams.set("virtualServerId",e.virtualServerId),r.searchParams.set("browserTicket",await Q_({...Go(e),purpose:"browser_connect"})),r.toString()}o(ey,"buildGatewayBrowserTicketUrl");function mO(e){return`/auth/connections/${encodeURIComponent(e)}/connect`}o(mO,"buildGatewayConnectPath");async function pl(e){return ey({...e,path:mO(e.upstreamServerId),redirect:!0})}o(pl,"buildGatewayConnectUrl");async function ty(e){return ey({...e,path:`/auth/connections/${encodeURIComponent(e.upstreamServerId)}/app-password`})}o(ty,"buildGatewayAppPasswordCaptureUrl");async function On(e){let t={requestUrl:e.requestUrl,owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,virtualServerId:e.virtualServerId,...e.returnTo===void 0?{}:{returnTo:e.returnTo}};return{state:e.requiresReconsent?"reconsent_required":"authenticating",upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,virtualServerId:e.virtualServerId,...e.connectionId?{connectionId:e.connectionId}:{},authUrl:await pl(t),message:pO(e.upstreamDisplayName,e.subject,e.requiresReconsent),nextAction:"redirect"}}o(On,"buildRedirectConnectRequiredResponse");function ry(e){return ny({...e,message:e.requiresReconsent?`An administrator must reconnect ${e.upstreamDisplayName} before this tool can be used.`:`An administrator must connect ${e.upstreamDisplayName} before this tool can be used.`})}o(ry,"buildAdminConnectRequiredResponse");function ny(e){return{state:"admin_connect_required",upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,virtualServerId:e.virtualServerId,...e.connectionId?{connectionId:e.connectionId}:{},message:e.message,nextAction:"admin_setup_required"}}o(ny,"buildAdminSetupRequiredResponse");function oy(e){return ny({...e,message:e.requiresReconsent?`An administrator must replace the ${e.upstreamDisplayName} static credential before this tool can be used.`:`An administrator must configure the ${e.upstreamDisplayName} static credential before this tool can be used.`})}o(oy,"buildAdminStaticSecretRequiredResponse");Y();import{base64url as gr}from"jose";var hO="SHA-256",zn="AES-GCM",fO=12,hl="zuplo-secret",fl=1,ay="env:TOKEN_ENCRYPTION_KEY",gO=c.object({version:c.literal(fl),keyId:c.literal(ay),algorithm:c.literal(zn),iv:c.string().min(1),ciphertext:c.string().min(1)}).strict();function Un(e){let t=new ArrayBuffer(e.byteLength);return new Uint8Array(t).set(e),t}o(Un,"copyToArrayBuffer");async function ml(){return kt({purpose:"token-encryption",envVar:"TOKEN_ENCRYPTION_KEY",derive:o(async e=>{let t=await crypto.subtle.digest(hO,Un(e));return crypto.subtle.importKey("raw",t,{name:zn},!1,["encrypt","decrypt"])},"derive")})}o(ml,"getEncryptionKey");function iy(e){return Un(new TextEncoder().encode(`${hl}:v${e.version}:${e.keyId}`))}o(iy,"getAssociatedData");function _O(e){return`${hl}:v${e.version}:${gr.encode(new TextEncoder().encode(JSON.stringify(e)))}`}o(_O,"encodeEnvelope");function yO(e){let t=`${hl}:v${fl}:`;if(!e.startsWith(t))return;let r=e.slice(t.length),n=new TextDecoder().decode(gr.decode(r));return gO.parse(JSON.parse(n))}o(yO,"decodeEnvelope");async function $r(e){let t=await ml(),r=crypto.getRandomValues(new Uint8Array(fO)),n={version:fl,keyId:ay},a=await crypto.subtle.encrypt({name:zn,iv:r,additionalData:iy(n)},t,new TextEncoder().encode(e));return _O({...n,algorithm:zn,iv:gr.encode(r),ciphertext:gr.encode(new Uint8Array(a))})}o($r,"encryptSecret");async function Bt(e){let t=yO(e);if(t){let s=await ml(),u=await crypto.subtle.decrypt({name:zn,iv:Un(gr.decode(t.iv)),additionalData:iy(t)},s,Un(gr.decode(t.ciphertext)));return new TextDecoder().decode(u)}let[r,n]=e.split(".");if(!r||!n)throw g("internal_server_error","Encrypted payload is malformed");let a=await ml(),i=await crypto.subtle.decrypt({name:zn,iv:Un(gr.decode(r))},a,Un(gr.decode(n)));return new TextDecoder().decode(i)}o(Bt,"decryptSecret");function SO(e,t){let r=hr({upstreamServerId:e,authProfileId:t});if(r.mode!=="tenant_static_secret")throw g("invalid_request",`Upstream server ${e} does not use tenant static credentials.`);return r.secret}o(SO,"requireTenantStaticSecretConfig");function sy(e){return e?.status==="active"&&e.metadata?.staticSecretKind==="bearer_token"&&!!e.metadata.encryptedStaticSecret}o(sy,"hasUsableTenantStaticSecret");async function wO(e){if(!sy(e.connection))throw g("internal_server_error","Stored tenant static credential is incomplete.");return{type:"bearer_token",token:await Bt(e.connection.metadata.encryptedStaticSecret)}}o(wO,"resolveTenantStaticSecretCredential");async function cy(e){let t=Je(e.upstreamServerId);SO(e.upstreamServerId,e.authProfileId);let r="preloadedConnection"in e?e.preloadedConnection:(await q().upstreamConnectionRepository.batchGet([{owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId}]))[0];if(sy(r))return{kind:"authorized",credential:await wO({connection:r})};let n={upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,upstreamDisplayName:t.displayName,virtualServerId:e.virtualServerId,requiresReconsent:!!r};return r!==void 0&&(n.connectionId=r.id),{kind:"connect_required",payload:oy(n)}}o(cy,"resolveTenantStaticSecretCredentialForRequest");Y();async function gl(e){return q().upstreamConnectionRepository.upsert({id:Bi(),tenantId:e.owner.tenantId,ownerMode:e.owner.mode,subjectId:e.owner.mode==="user"?e.owner.subjectId:void 0,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,status:"active",encryptedAccessToken:void 0,encryptedRefreshToken:void 0,scopes:[],expiresAt:void 0,metadata:e.metadata})}o(gl,"upsertStaticSecretConnection");var vO=c.string().trim().min(1).max(320),RO=c.string().min(1).max(4096),bO=c.string().trim().min(1).max(4096);function _l(e,t){let r=hr({upstreamServerId:e,authProfileId:t});if(r.mode!=="user_static_secret")throw g("invalid_request",`Upstream server ${e} does not use user static credentials.`);return r.secret}o(_l,"requireUserStaticSecretConfig");function CO(e){let t=new TextEncoder().encode(e),r="";for(let n of t)r+=String.fromCharCode(n);return btoa(r)}o(CO,"encodeBase64Utf8");function IO(e){return`Basic ${CO(`${e.username}:${e.appPassword}`)}`}o(IO,"buildBasicAuthHeader");function uy(e){return e?.status==="active"&&!!e.metadata?.encryptedStaticSecret}o(uy,"hasEncryptedUserStaticSecret");async function TO(e){if(!uy(e.connection))throw g("internal_server_error","Stored user static credential is incomplete.");if(e.connection.metadata.staticSecretKind==="bearer_token")return{type:"bearer_token",token:await Bt(e.connection.metadata.encryptedStaticSecret)};if(e.connection.metadata.staticSecretKind==="basic_auth_app_password"&&e.connection.metadata.staticSecretUsername)return{type:"headers",headers:{Authorization:IO({username:e.connection.metadata.staticSecretUsername,appPassword:await Bt(e.connection.metadata.encryptedStaticSecret)})}};throw g("internal_server_error","Stored user static credential kind is unsupported.")}o(TO,"resolveUserStaticSecretCredential");async function dy(e){if(_l(e.upstreamServerId,e.authProfileId).kind!=="basic_auth_app_password")throw g("invalid_request","This upstream does not use username and app-password credentials.");if(e.owner.mode!=="user")throw g("invalid_request","User static credentials must be stored under a user-owned connection.");let r=vO.parse(e.username),n=RO.parse(e.appPassword);return gl({owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,metadata:{connectedBySubjectId:e.initiatedBySubjectId,encryptedStaticSecret:await $r(n),staticSecretKind:"basic_auth_app_password",staticSecretUsername:r}})}o(dy,"saveUserStaticSecretCredential");async function rs(e){let t=_l(e.upstreamServerId,e.authProfileId);if(t.kind!=="bearer_token")throw g("invalid_request","This upstream does not use bearer token credentials.");if(e.owner.mode!=="user")throw g("invalid_request","User static credentials must be stored under a user-owned connection.");let r=bO.parse(e.token);return gl({owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,metadata:{connectedBySubjectId:e.initiatedBySubjectId,encryptedStaticSecret:await $r(r),staticSecretKind:t.kind,staticSecretLabel:t.label}})}o(rs,"saveUserStaticBearerTokenCredential");function yl(e,t){return _l(e,t)}o(yl,"readUserStaticSecretCaptureConfig");async function ly(e){let t=Je(e.upstreamServerId);if(e.owner.mode!=="user")throw g("internal_server_error","User static credential flow resolved a non-user owner.");let r="preloadedConnection"in e?e.preloadedConnection:(await q().upstreamConnectionRepository.batchGet([{owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId}]))[0];if(uy(r))return{kind:"authorized",credential:await TO({connection:r})};let n={requestUrl:e.request.url,owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,upstreamDisplayName:t.displayName,virtualServerId:e.virtualServerId,subject:"tool",requiresReconsent:!!r};return r!==void 0&&(n.connectionId=r.id),{kind:"connect_required",payload:await On(n)}}o(ly,"resolveUserStaticSecretCredentialForRequest");function py(e){if(e.owner.mode!=="user")throw g("invalid_request","User static credential capture requires a user-owned connection.");return ty({requestUrl:e.request.url,owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,virtualServerId:e.virtualServerId,...e.returnTo===void 0?{}:{returnTo:e.returnTo}})}o(py,"buildUserStaticSecretConnectUrl");var Sl;Sl=globalThis.crypto;async function AO(e){return(await Sl).getRandomValues(new Uint8Array(e))}o(AO,"getRandomValues");async function kO(e){let t="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._~",r=Math.pow(2,8)-Math.pow(2,8)%t.length,n="";for(;n.length<e;){let a=await AO(e-n.length);for(let i of a)i<r&&(n+=t[i%t.length])}return n}o(kO,"random");async function PO(e){return await kO(e)}o(PO,"generateVerifier");async function EO(e){let t=await(await Sl).subtle.digest("SHA-256",new TextEncoder().encode(e));return btoa(String.fromCharCode(...new Uint8Array(t))).replace(/\//g,"_").replace(/\+/g,"-").replace(/=/g,"")}o(EO,"generateChallenge");async function wl(e){if(e||(e=43),e<43||e>128)throw`Expected a length between 43 and 128. Received ${e}.`;let t=await PO(e),r=await EO(t);return{code_verifier:t,code_challenge:r}}o(wl,"pkceChallenge");Y();var Oe=vp().superRefine((e,t)=>{if(!URL.canParse(e))return t.addIssue({code:Ip.custom,message:"URL must be parseable",fatal:!0}),Sp}).refine(e=>{let t=new URL(e);return t.protocol!=="javascript:"&&t.protocol!=="data:"&&t.protocol!=="vbscript:"},{message:"URL cannot use javascript:, data:, or vbscript: scheme"}),ns=Se({resource:h().url(),authorization_servers:b(Oe).optional(),jwks_uri:h().url().optional(),scopes_supported:b(h()).optional(),bearer_methods_supported:b(h()).optional(),resource_signing_alg_values_supported:b(h()).optional(),resource_name:h().optional(),resource_documentation:h().optional(),resource_policy_uri:h().url().optional(),resource_tos_uri:h().url().optional(),tls_client_certificate_bound_access_tokens:ee().optional(),authorization_details_types_supported:b(h()).optional(),dpop_signing_alg_values_supported:b(h()).optional(),dpop_bound_access_tokens_required:ee().optional()}),Fo=Se({issuer:h(),authorization_endpoint:Oe,token_endpoint:Oe,registration_endpoint:Oe.optional(),scopes_supported:b(h()).optional(),response_types_supported:b(h()),response_modes_supported:b(h()).optional(),grant_types_supported:b(h()).optional(),token_endpoint_auth_methods_supported:b(h()).optional(),token_endpoint_auth_signing_alg_values_supported:b(h()).optional(),service_documentation:Oe.optional(),revocation_endpoint:Oe.optional(),revocation_endpoint_auth_methods_supported:b(h()).optional(),revocation_endpoint_auth_signing_alg_values_supported:b(h()).optional(),introspection_endpoint:h().optional(),introspection_endpoint_auth_methods_supported:b(h()).optional(),introspection_endpoint_auth_signing_alg_values_supported:b(h()).optional(),code_challenge_methods_supported:b(h()).optional(),client_id_metadata_document_supported:ee().optional()}),xO=Se({issuer:h(),authorization_endpoint:Oe,token_endpoint:Oe,userinfo_endpoint:Oe.optional(),jwks_uri:Oe,registration_endpoint:Oe.optional(),scopes_supported:b(h()).optional(),response_types_supported:b(h()),response_modes_supported:b(h()).optional(),grant_types_supported:b(h()).optional(),acr_values_supported:b(h()).optional(),subject_types_supported:b(h()),id_token_signing_alg_values_supported:b(h()),id_token_encryption_alg_values_supported:b(h()).optional(),id_token_encryption_enc_values_supported:b(h()).optional(),userinfo_signing_alg_values_supported:b(h()).optional(),userinfo_encryption_alg_values_supported:b(h()).optional(),userinfo_encryption_enc_values_supported:b(h()).optional(),request_object_signing_alg_values_supported:b(h()).optional(),request_object_encryption_alg_values_supported:b(h()).optional(),request_object_encryption_enc_values_supported:b(h()).optional(),token_endpoint_auth_methods_supported:b(h()).optional(),token_endpoint_auth_signing_alg_values_supported:b(h()).optional(),display_values_supported:b(h()).optional(),claim_types_supported:b(h()).optional(),claims_supported:b(h()).optional(),service_documentation:h().optional(),claims_locales_supported:b(h()).optional(),ui_locales_supported:b(h()).optional(),claims_parameter_supported:ee().optional(),request_parameter_supported:ee().optional(),request_uri_parameter_supported:ee().optional(),require_request_uri_registration:ee().optional(),op_policy_uri:Oe.optional(),op_tos_uri:Oe.optional(),client_id_metadata_document_supported:ee().optional()}),os=C({...xO.shape,...Fo.pick({code_challenge_methods_supported:!0}).shape}),Zo=C({access_token:h(),id_token:h().optional(),token_type:h(),expires_in:Tp.number().optional(),scope:h().optional(),refresh_token:h().optional()}).strip(),hy=C({error:h(),error_description:h().optional(),error_uri:h().optional()}),my=Oe.optional().or(P("").transform(()=>{})),OO=C({redirect_uris:b(Oe),token_endpoint_auth_method:h().optional(),grant_types:b(h()).optional(),response_types:b(h()).optional(),client_name:h().optional(),client_uri:Oe.optional(),logo_uri:my,scope:h().optional(),contacts:b(h()).optional(),tos_uri:my,policy_uri:h().optional(),jwks_uri:Oe.optional(),jwks:bp().optional(),software_id:h().optional(),software_version:h().optional(),software_statement:h().optional()}).strip(),vl=C({client_id:h(),client_secret:h().optional(),client_id_issued_at:K().optional(),client_secret_expires_at:K().optional()}).strip(),Ko=OO.merge(vl),N4=C({error:h(),error_description:h().optional()}).strip(),D4=C({token:h(),token_type_hint:h().optional()}).strip();function fy(e){let t=typeof e=="string"?new URL(e):new URL(e.href);return t.hash="",t}o(fy,"resourceUrlFromServerUrl");function gy({requestedResource:e,configuredResource:t}){let r=typeof e=="string"?new URL(e):new URL(e.href),n=typeof t=="string"?new URL(t):new URL(t.href);if(r.origin!==n.origin||r.pathname.length<n.pathname.length)return!1;let a=r.pathname.endsWith("/")?r.pathname:r.pathname+"/",i=n.pathname.endsWith("/")?n.pathname:n.pathname+"/";return a.startsWith(i)}o(gy,"checkResourceAllowed");var _e=class extends Error{static{o(this,"OAuthError")}constructor(t,r){super(t),this.errorUri=r,this.name=this.constructor.name}toResponseObject(){let t={error:this.errorCode,error_description:this.message};return this.errorUri&&(t.error_uri=this.errorUri),t}get errorCode(){return this.constructor.errorCode}},Wo=class extends _e{static{o(this,"InvalidRequestError")}};Wo.errorCode="invalid_request";var Lr=class extends _e{static{o(this,"InvalidClientError")}};Lr.errorCode="invalid_client";var jr=class extends _e{static{o(this,"InvalidGrantError")}};jr.errorCode="invalid_grant";var Hr=class extends _e{static{o(this,"UnauthorizedClientError")}};Hr.errorCode="unauthorized_client";var Jo=class extends _e{static{o(this,"UnsupportedGrantTypeError")}};Jo.errorCode="unsupported_grant_type";var Yo=class extends _e{static{o(this,"InvalidScopeError")}};Yo.errorCode="invalid_scope";var Xo=class extends _e{static{o(this,"AccessDeniedError")}};Xo.errorCode="access_denied";var Vt=class extends _e{static{o(this,"ServerError")}};Vt.errorCode="server_error";var Qo=class extends _e{static{o(this,"TemporarilyUnavailableError")}};Qo.errorCode="temporarily_unavailable";var ea=class extends _e{static{o(this,"UnsupportedResponseTypeError")}};ea.errorCode="unsupported_response_type";var ta=class extends _e{static{o(this,"UnsupportedTokenTypeError")}};ta.errorCode="unsupported_token_type";var ra=class extends _e{static{o(this,"InvalidTokenError")}};ra.errorCode="invalid_token";var na=class extends _e{static{o(this,"MethodNotAllowedError")}};na.errorCode="method_not_allowed";var oa=class extends _e{static{o(this,"TooManyRequestsError")}};oa.errorCode="too_many_requests";var Gr=class extends _e{static{o(this,"InvalidClientMetadataError")}};Gr.errorCode="invalid_client_metadata";var aa=class extends _e{static{o(this,"InsufficientScopeError")}};aa.errorCode="insufficient_scope";var ia=class extends _e{static{o(this,"InvalidTargetError")}};ia.errorCode="invalid_target";var _y={[Wo.errorCode]:Wo,[Lr.errorCode]:Lr,[jr.errorCode]:jr,[Hr.errorCode]:Hr,[Jo.errorCode]:Jo,[Yo.errorCode]:Yo,[Xo.errorCode]:Xo,[Vt.errorCode]:Vt,[Qo.errorCode]:Qo,[ea.errorCode]:ea,[ta.errorCode]:ta,[ra.errorCode]:ra,[na.errorCode]:na,[oa.errorCode]:oa,[Gr.errorCode]:Gr,[aa.errorCode]:aa,[ia.errorCode]:ia};var Ft=class extends Error{static{o(this,"UnauthorizedError")}constructor(t){super(t??"Unauthorized")}};function UO(e){return["client_secret_basic","client_secret_post","none"].includes(e)}o(UO,"isClientAuthMethod");var Rl="code",bl="S256";function zO(e,t){let r=e.client_secret!==void 0;return"token_endpoint_auth_method"in e&&e.token_endpoint_auth_method&&UO(e.token_endpoint_auth_method)&&(t.length===0||t.includes(e.token_endpoint_auth_method))?e.token_endpoint_auth_method:t.length===0?r?"client_secret_basic":"none":r&&t.includes("client_secret_basic")?"client_secret_basic":r&&t.includes("client_secret_post")?"client_secret_post":t.includes("none")?"none":r?"client_secret_post":"none"}o(zO,"selectClientAuthMethod");function NO(e,t,r,n){let{client_id:a,client_secret:i}=t;switch(e){case"client_secret_basic":DO(a,i,r);return;case"client_secret_post":MO(a,i,n);return;case"none":qO(a,n);return;default:throw new Error(`Unsupported client authentication method: ${e}`)}}o(NO,"applyClientAuthentication");function DO(e,t,r){if(!t)throw new Error("client_secret_basic authentication requires a client_secret");let n=btoa(`${e}:${t}`);r.set("Authorization",`Basic ${n}`)}o(DO,"applyBasicAuth");function MO(e,t,r){r.set("client_id",e),t&&r.set("client_secret",t)}o(MO,"applyPostAuth");function qO(e,t){t.set("client_id",e)}o(qO,"applyPublicAuth");async function Sy(e){let t=e instanceof Response?e.status:void 0,r=e instanceof Response?await e.text():e;try{let n=hy.parse(JSON.parse(r)),{error:a,error_description:i,error_uri:s}=n,u=_y[a]||Vt;return new u(i||"",s)}catch(n){let a=`${t?`HTTP ${t}: `:""}Invalid OAuth error response: ${n}. Raw body: ${r}`;return new Vt(a)}}o(Sy,"parseErrorResponse");async function _r(e,t){try{return await Cl(e,t)}catch(r){if(r instanceof Lr||r instanceof Hr)return await e.invalidateCredentials?.("all"),await Cl(e,t);if(r instanceof jr)return await e.invalidateCredentials?.("tokens"),await Cl(e,t);throw r}}o(_r,"auth");async function Cl(e,{serverUrl:t,authorizationCode:r,scope:n,resourceMetadataUrl:a,fetchFn:i}){let s=await e.discoveryState?.(),u,d,l,p=a;if(!p&&s?.resourceMetadataUrl&&(p=new URL(s.resourceMetadataUrl)),s?.authorizationServerUrl){if(d=s.authorizationServerUrl,u=s.resourceMetadata,l=s.authorizationServerMetadata??await vy(d,{fetchFn:i}),!u)try{u=await wy(t,{resourceMetadataUrl:p},i)}catch{}(l!==s.authorizationServerMetadata||u!==s.resourceMetadata)&&await e.saveDiscoveryState?.({authorizationServerUrl:String(d),resourceMetadataUrl:p?.toString(),resourceMetadata:u,authorizationServerMetadata:l})}else{let I=await BO(t,{resourceMetadataUrl:p,fetchFn:i});d=I.authorizationServerUrl,l=I.authorizationServerMetadata,u=I.resourceMetadata,await e.saveDiscoveryState?.({authorizationServerUrl:String(d),resourceMetadataUrl:p?.toString(),resourceMetadata:u,authorizationServerMetadata:l})}let m=await $O(t,e,u),f=n||u?.scopes_supported?.join(" ")||e.clientMetadata.scope,_=await Promise.resolve(e.clientInformation());if(!_){if(r!==void 0)throw new Error("Existing OAuth client information is required when exchanging an authorization code");let I=l?.client_id_metadata_document_supported===!0,N=e.clientMetadataUrl;if(N&&!Tl(N))throw new Gr(`clientMetadataUrl must be a valid HTTPS URL with a non-root pathname, got: ${N}`);if(I&&N)_={client_id:N},await e.saveClientInformation?.(_);else{if(!e.saveClientInformation)throw new Error("OAuth client information must be saveable for dynamic registration");let Ye=await WO(d,{metadata:l,clientMetadata:e.clientMetadata,scope:f,fetchFn:i});await e.saveClientInformation(Ye),_=Ye}}let S=!e.redirectUrl;if(r!==void 0||S){let I=await KO(e,d,{metadata:l,resource:m,authorizationCode:r,fetchFn:i});return await e.saveTokens(I),"AUTHORIZED"}let y=await e.tokens();if(y?.refresh_token)try{let I=await ZO(d,{metadata:l,clientInformation:_,refreshToken:y.refresh_token,resource:m,addClientAuthentication:e.addClientAuthentication,fetchFn:i});return await e.saveTokens(I),"AUTHORIZED"}catch(I){if(!(!(I instanceof _e)||I instanceof Vt))throw I}let w=e.state?await e.state():void 0,{authorizationUrl:v,codeVerifier:R}=await VO(d,{metadata:l,clientInformation:_,state:w,redirectUrl:e.redirectUrl,scope:f,resource:m});return await e.saveCodeVerifier(R),await e.redirectToAuthorization(v),"REDIRECT"}o(Cl,"authInternal");function Tl(e){if(!e)return!1;try{let t=new URL(e);return t.protocol==="https:"&&t.pathname!=="/"}catch{return!1}}o(Tl,"isHttpsUrl");async function $O(e,t,r){let n=fy(e);if(t.validateResourceURL)return await t.validateResourceURL(n,r?.resource);if(r){if(!gy({requestedResource:n,configuredResource:r.resource}))throw new Error(`Protected resource ${r.resource} does not match expected ${n} (or origin)`);return new URL(r.resource)}}o($O,"selectResourceURL");function Al(e){let t=e.headers.get("WWW-Authenticate");if(!t)return{};let[r,n]=t.split(" ");if(r.toLowerCase()!=="bearer"||!n)return{};let a=Il(e,"resource_metadata")||void 0,i;if(a)try{i=new URL(a)}catch{}let s=Il(e,"scope")||void 0,u=Il(e,"error")||void 0;return{resourceMetadataUrl:i,scope:s,error:u}}o(Al,"extractWWWAuthenticateParams");function Il(e,t){let r=e.headers.get("WWW-Authenticate");if(!r)return null;let n=new RegExp(`${t}=(?:"([^"]+)"|([^\\s,]+))`),a=r.match(n);return a?a[1]||a[2]:null}o(Il,"extractFieldFromWwwAuth");async function wy(e,t,r=fetch){let n=await HO(e,"oauth-protected-resource",r,{protocolVersion:t?.protocolVersion,metadataUrl:t?.resourceMetadataUrl});if(!n||n.status===404)throw await n?.body?.cancel(),new Error("Resource server does not implement OAuth 2.0 Protected Resource Metadata.");if(!n.ok)throw await n.body?.cancel(),new Error(`HTTP ${n.status} trying to load well-known OAuth protected resource metadata.`);return ns.parse(await n.json())}o(wy,"discoverOAuthProtectedResourceMetadata");async function kl(e,t,r=fetch){try{return await r(e,{headers:t})}catch(n){if(n instanceof TypeError)return t?kl(e,void 0,r):void 0;throw n}}o(kl,"fetchWithCorsRetry");function LO(e,t="",r={}){return t.endsWith("/")&&(t=t.slice(0,-1)),r.prependPathname?`${t}/.well-known/${e}`:`/.well-known/${e}${t}`}o(LO,"buildWellKnownPath");async function yy(e,t,r=fetch){return await kl(e,{"MCP-Protocol-Version":t},r)}o(yy,"tryMetadataDiscovery");function jO(e,t){return!e||e.status>=400&&e.status<500&&t!=="/"}o(jO,"shouldAttemptFallback");async function HO(e,t,r,n){let a=new URL(e),i=n?.protocolVersion??Xt,s;if(n?.metadataUrl)s=new URL(n.metadataUrl);else{let d=LO(t,a.pathname);s=new URL(d,n?.metadataServerUrl??a),s.search=a.search}let u=await yy(s,i,r);if(!n?.metadataUrl&&jO(u,a.pathname)){let d=new URL(`/.well-known/${t}`,a);u=await yy(d,i,r)}return u}o(HO,"discoverMetadataWithFallback");function GO(e){let t=typeof e=="string"?new URL(e):e,r=t.pathname!=="/",n=[];if(!r)return n.push({url:new URL("/.well-known/oauth-authorization-server",t.origin),type:"oauth"}),n.push({url:new URL("/.well-known/openid-configuration",t.origin),type:"oidc"}),n;let a=t.pathname;return a.endsWith("/")&&(a=a.slice(0,-1)),n.push({url:new URL(`/.well-known/oauth-authorization-server${a}`,t.origin),type:"oauth"}),n.push({url:new URL(`/.well-known/openid-configuration${a}`,t.origin),type:"oidc"}),n.push({url:new URL(`${a}/.well-known/openid-configuration`,t.origin),type:"oidc"}),n}o(GO,"buildDiscoveryUrls");async function vy(e,{fetchFn:t=fetch,protocolVersion:r=Xt}={}){let n={"MCP-Protocol-Version":r,Accept:"application/json"},a=GO(e);for(let{url:i,type:s}of a){let u=await kl(i,n,t);if(u){if(!u.ok){if(await u.body?.cancel(),u.status>=400&&u.status<500)continue;throw new Error(`HTTP ${u.status} trying to load ${s==="oauth"?"OAuth":"OpenID provider"} metadata from ${i}`)}return s==="oauth"?Fo.parse(await u.json()):os.parse(await u.json())}}}o(vy,"discoverAuthorizationServerMetadata");async function BO(e,t){let r,n;try{r=await wy(e,{resourceMetadataUrl:t?.resourceMetadataUrl},t?.fetchFn),r.authorization_servers&&r.authorization_servers.length>0&&(n=r.authorization_servers[0])}catch{}n||(n=String(new URL("/",e)));let a=await vy(n,{fetchFn:t?.fetchFn});return{authorizationServerUrl:n,authorizationServerMetadata:a,resourceMetadata:r}}o(BO,"discoverOAuthServerInfo");async function VO(e,{metadata:t,clientInformation:r,redirectUrl:n,scope:a,state:i,resource:s}){let u;if(t){if(u=new URL(t.authorization_endpoint),!t.response_types_supported.includes(Rl))throw new Error(`Incompatible auth server: does not support response type ${Rl}`);if(t.code_challenge_methods_supported&&!t.code_challenge_methods_supported.includes(bl))throw new Error(`Incompatible auth server: does not support code challenge method ${bl}`)}else u=new URL("/authorize",e);let d=await wl(),l=d.code_verifier,p=d.code_challenge;return u.searchParams.set("response_type",Rl),u.searchParams.set("client_id",r.client_id),u.searchParams.set("code_challenge",p),u.searchParams.set("code_challenge_method",bl),u.searchParams.set("redirect_uri",String(n)),i&&u.searchParams.set("state",i),a&&u.searchParams.set("scope",a),a?.includes("offline_access")&&u.searchParams.append("prompt","consent"),s&&u.searchParams.set("resource",s.href),{authorizationUrl:u,codeVerifier:l}}o(VO,"startAuthorization");function FO(e,t,r){return new URLSearchParams({grant_type:"authorization_code",code:e,code_verifier:t,redirect_uri:String(r)})}o(FO,"prepareAuthorizationCodeRequest");async function Ry(e,{metadata:t,tokenRequestParams:r,clientInformation:n,addClientAuthentication:a,resource:i,fetchFn:s}){let u=t?.token_endpoint?new URL(t.token_endpoint):new URL("/token",e),d=new Headers({"Content-Type":"application/x-www-form-urlencoded",Accept:"application/json"});if(i&&r.set("resource",i.href),a)await a(d,r,u,t);else if(n){let p=t?.token_endpoint_auth_methods_supported??[],m=zO(n,p);NO(m,n,d,r)}let l=await(s??fetch)(u,{method:"POST",headers:d,body:r});if(!l.ok)throw await Sy(l);return Zo.parse(await l.json())}o(Ry,"executeTokenRequest");async function ZO(e,{metadata:t,clientInformation:r,refreshToken:n,resource:a,addClientAuthentication:i,fetchFn:s}){let u=new URLSearchParams({grant_type:"refresh_token",refresh_token:n}),d=await Ry(e,{metadata:t,tokenRequestParams:u,clientInformation:r,addClientAuthentication:i,resource:a,fetchFn:s});return{refresh_token:n,...d}}o(ZO,"refreshAuthorization");async function KO(e,t,{metadata:r,resource:n,authorizationCode:a,fetchFn:i}={}){let s=e.clientMetadata.scope,u;if(e.prepareTokenRequest&&(u=await e.prepareTokenRequest(s)),!u){if(!a)throw new Error("Either provider.prepareTokenRequest() or authorizationCode is required");if(!e.redirectUrl)throw new Error("redirectUrl is required for authorization_code flow");let l=await e.codeVerifier();u=FO(a,l,e.redirectUrl)}let d=await e.clientInformation();return Ry(t,{metadata:r,tokenRequestParams:u,clientInformation:d??void 0,addClientAuthentication:e.addClientAuthentication,resource:n,fetchFn:i})}o(KO,"fetchToken");async function WO(e,{metadata:t,clientMetadata:r,scope:n,fetchFn:a}){let i;if(t){if(!t.registration_endpoint)throw new Error("Incompatible auth server: does not support dynamic client registration");i=new URL(t.registration_endpoint)}else i=new URL("/register",e);let s=await(a??fetch)(i,{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify({...r,...n!==void 0?{scope:n}:{}})});if(!s.ok)throw await Sy(s);return Ko.parse(await s.json())}o(WO,"registerClient");var JO=new Set(["localhost","169.254.169.254","metadata.google.internal","metadata"]),YO=[{first:0},{first:10},{first:127},{first:169,secondMin:254,secondMax:254},{first:172,secondMin:16,secondMax:31},{first:192,secondMin:168,secondMax:168},{first:100,secondMin:64,secondMax:127},{first:224,firstMax:239},{first:240,firstMax:255}];function by(e){if(!/^\d+\.\d+\.\d+\.\d+$/.test(e))return;let t=e.split(".").map(r=>Number(r));if(!(t.length!==4||t.some(r=>Number.isNaN(r)||r<0||r>255)))return t}o(by,"parseIpv4Octets");function XO([e,t],r){let n=r.firstMax??r.first;return e<r.first||e>n?!1:r.secondMin===void 0||r.secondMax===void 0?!0:t>=r.secondMin&&t<=r.secondMax}o(XO,"ipv4RangeMatches");function Cy(e){let t=by(e);return t!==void 0&&YO.some(r=>XO(t,r))}o(Cy,"isPrivateIpv4");function Pl(e){if(!e||e.length>4)return;let t=Number.parseInt(e,16);return Number.isNaN(t)||t<0||t>65535?void 0:t}o(Pl,"parseIpv6Word");function QO(e,t){return[e>>8&255,e&255,t>>8&255,t&255].join(".")}o(QO,"formatIpv4FromWords");function eU(e){let t=e.slice(7),r=by(t);if(r!==void 0)return r.join(".");let[n,a,i]=t.split(":"),s=Pl(n),u=Pl(a);return i===void 0&&s!==void 0&&u!==void 0?QO(s,u):void 0}o(eU,"parseIpv6MappedIpv4");function tU(e){return Pl(e.split(":").find(Boolean))}o(tU,"readFirstIpv6Hextet");function rU(e){let t=ct(e);if(!t.includes(":"))return!1;if(t==="::"||t==="::1")return!0;if(t.startsWith("::ffff:")){let n=eU(t);return n===void 0||Cy(n)}let r=tU(t);return r===void 0?!1:(r&65024)===64512||(r&65472)===65152}o(rU,"isPrivateIpv6");function El(e){let t=ct(e);return JO.has(t)||t.endsWith(".internal")||Cy(t)||rU(t)}o(El,"isBlockedOutboundHostname");function Iy(e){let t=new URL(e);if(t.protocol!=="https:"&&t.protocol!=="http:")throw g("invalid_request",`Unsupported outbound protocol: ${t.protocol}`);let r=Le(t);if(t.protocol==="http:"&&!r)throw g("invalid_request","Configured outbound HTTP URLs must target loopback hosts.");let n=ct(t.hostname);if(!r&&El(n))throw g("invalid_request",`Blocked outbound host: ${n}`);return t}o(Iy,"validateConfiguredOutboundUrl");function Ty(e){let t=new URL(e);if(t.protocol!=="https:")throw g("invalid_request","Identity provider URLs must use https.");if(t.username||t.password||t.search||t.hash)throw g("invalid_request","Identity provider URLs must not include credentials, query params, or fragments.");let r=ct(t.hostname);if(El(r))throw g("invalid_request",`Blocked identity provider host: ${r}`);return t}o(Ty,"validateIdentityProviderUrl");function as(e){let t=new URL(e);if(t.protocol!=="https:"||t.pathname==="/"||t.username||t.password||t.search||t.hash)throw g("invalid_request","CIMD client_id must be an HTTPS URL with a path and no credentials, query, or fragment.");if(El(t.hostname))throw g("invalid_request","CIMD client_id points at a blocked host.");return t}o(as,"validateCimdClientMetadataUrl");function Ay(e,t){if(!t)return;if(t.aborted){e.abort(t.reason);return}let r=o(()=>e.abort(t.reason),"abort");return t.addEventListener("abort",r,{once:!0}),()=>t.removeEventListener("abort",r)}o(Ay,"mergeAbortSignals");async function nU(e){try{await e.cancel()}catch{}}o(nU,"cancelReader");async function is(e,t){if(!e)return new Uint8Array;let r=e.getReader(),n=[],a=0,i=await r.read();for(;!i.done;){let d=i.value;if(a+=d.byteLength,a>t.maxBytes)throw await nU(r),t.createLimitError();n.push(d),i=await r.read()}let s=new Uint8Array(a),u=0;for(let d of n)s.set(d,u),u+=d.byteLength;return s}o(is,"readBoundedByteStream");var oU=2,aU=1024*1024,iU=1e4,sU=new Set([301,302,303,307,308]),cU=["authorization","proxy-authorization","cookie","cookie2"];function xl(e){return typeof e=="string"?e:e instanceof URL?e.toString():e.url}o(xl,"readRequestUrl");function Nn(e,t){return t?.method!==void 0?t.method.toUpperCase():e instanceof Request?e.method.toUpperCase():"GET"}o(Nn,"readRequestMethod");function uU(e,t,r){let n=e.headers.get("content-length");if(!n)return;let a=Number.parseInt(n,10);if(Number.isFinite(a)&&a>t)throw g(r,"Outbound response exceeded the maximum allowed size.")}o(uU,"assertContentLengthWithinLimit");async function dU(e,t,r){return uU(e,t,r),is(e.body,{maxBytes:t,createLimitError:o(()=>g(r,"Outbound response exceeded the maximum allowed size."),"createLimitError")})}o(dU,"readBoundedResponseBody");function lU(e,t){let r=new ArrayBuffer(t.byteLength);return new Uint8Array(r).set(t),new Response(r,{status:e.status,statusText:e.statusText,headers:e.headers})}o(lU,"responseFromBufferedBody");function pU(e,t){if(!sU.has(e.status))return;let r=e.headers.get("location");if(r)return new URL(r,t).toString()}o(pU,"resolveRedirectUrl");function ky(e,t){try{return t.validateUrl(e)}catch(r){throw g(t.problemCode,"Outbound URL was not allowed.",r)}}o(ky,"validateOutboundUrl");function mU(e,t){throw de(e)!==void 0?e:g(t,"Outbound fetch failed.",e)}o(mU,"normalizeFetchError");function sa(e,t){if(e===void 0)return;let r={event:t.event,code:t.problemCode,method:t.method};if(t.host!==void 0&&(r.host=t.host),t.extra!==void 0)for(let[n,a]of Object.entries(t.extra))a!==void 0&&(r[n]=a);t.error!==void 0&&Ae(r,"error",t.error),e.log.warn(r,"Outbound HTTP exchange rejected")}o(sa,"logOutboundFailure");async function hU(e,t,r,n,a,i,s){let u=Nn(r,n);try{return await t(r,n)}catch(d){let l=d instanceof DOMException&&d.name==="AbortError";sa(e,{event:l?"outbound_fetch_aborted":"outbound_fetch_failed",problemCode:a,method:u,host:it(i),error:d,extra:{abortReason:s()}}),mU(d,a)}}o(hU,"fetchWithNormalizedError");function fU(e){if(e.redirects>=e.maxRedirects)throw g(e.problemCode,"Outbound redirects exceeded the maximum allowed depth.");if(e.method!=="GET"&&e.method!=="HEAD")throw g(e.problemCode,"Outbound redirect after a non-idempotent request was blocked.")}o(fU,"assertRedirectAllowed");function gU(e,t){let r=new Headers(e);for(let n of cU)r.delete(n);for(let n of t)r.delete(n);return r}o(gU,"stripCrossOriginHeaders");function _U(e,t,r,n,a){let i={...e,method:t,redirect:"manual",signal:r};return n&&(i.headers=gU(e.headers,a)),i}o(_U,"buildRedirectInit");function yU(e,t,r){let n={...t,redirect:"manual",signal:r};return n.headers===void 0&&e instanceof Request&&(n.headers=e.headers),n}o(yU,"buildInitialRequestInit");function SU(e){let t=Nn(e.currentInput,e.currentInit);fU({redirects:e.redirects,maxRedirects:e.maxRedirects,method:t,problemCode:e.problemCode});let r=ky(e.redirectUrl,{problemCode:e.problemCode,validateUrl:e.validateUrl}),n=new URL(e.currentUrl),a=r.origin!==n.origin,i=r.toString();return{currentInput:i,currentUrl:i,currentInit:_U(e.currentInit,t,e.signal,a,e.additionalCrossOriginStrippedHeaders),redirects:e.redirects+1}}o(SU,"followRedirect");async function Ol(e,t,r){let n=r.problemCode??"invalid_request",a=r.maxRedirects??oU,i=r.maxResponseBytes??aU,s=r.timeoutMs??iU,u=r.fetchImpl??fetch,d=r.additionalCrossOriginStrippedHeaders??[],l=r.context,p=new AbortController,m=Ay(p,t.signal),f=!1,_=setTimeout(()=>{f=!0,p.abort()},s),S=e,y=yU(e,t,p.signal),w;try{w=ky(xl(e),{problemCode:n,validateUrl:r.validateUrl}).toString()}catch(R){throw sa(l,{event:"outbound_url_blocked",problemCode:n,method:Nn(e,t),host:it(xl(e)),error:R}),clearTimeout(_),m?.(),R}let v=0;try{for(;;){let R=await hU(l,u,S,y,n,w,()=>f?`timeout_after_${s}ms`:void 0),I=pU(R,w);if(I!==void 0)try{let N=SU({currentInput:S,currentInit:y,currentUrl:w,redirectUrl:I,redirects:v,maxRedirects:a,problemCode:n,validateUrl:r.validateUrl,signal:p.signal,additionalCrossOriginStrippedHeaders:d});S=N.currentInput,y=N.currentInit,w=N.currentUrl,v=N.redirects;continue}catch(N){throw sa(l,{event:"outbound_redirect_blocked",problemCode:n,method:Nn(S,y),host:it(w),error:N,extra:{redirects:v,maxRedirects:a,redirectTargetHost:it(I)}}),N}try{return lU(R,await dU(R,i,n))}catch(N){throw sa(l,{event:"outbound_response_size_exceeded",problemCode:n,method:Nn(S,y),host:it(w),error:N,extra:{maxResponseBytes:i,status:R.status}}),N}}}finally{clearTimeout(_),m?.()}}o(Ol,"runSafeOutboundExchange");async function Ul(e,t,r){let n=await Ol(e,t,r);try{return{response:n,json:await n.clone().json()}}catch(a){throw sa(r.context,{event:"outbound_json_parse_failed",problemCode:r.problemCode??"invalid_request",method:Nn(e,t),host:it(xl(e)),error:a,extra:{status:n.status,contentType:n.headers.get("content-type")??void 0}}),g(r.problemCode??"invalid_request","Outbound JSON response could not be parsed.",a)}}o(Ul,"runSafeOutboundJsonExchange");function ss(e,t={},r={}){return Ol(e,t,{...r,validateUrl:Iy})}o(ss,"fetchConfiguredOutbound");function Py(e,t={},r={}){return Ul(e,t,{...r,validateUrl:Ty})}o(Py,"fetchIdentityProviderJson");function Ey(e,t={},r={}){return Ul(e,t,{...r,validateUrl:as})}o(Ey,"fetchCimdClientMetadataJson");Y();function zl(e){return`Zuplo MCP Gateway - ${e}`}o(zl,"buildGatewayOAuthClientName");function xy(e,t){let r=new URL(e,re(t));return Le(r)&&ct(r.hostname)!=="localhost"&&(r.hostname="localhost"),r.toString()}o(xy,"buildGatewayOAuthRedirectUri");function Nl(e){let t=new URL(`/.well-known/oauth-client/${encodeURIComponent(e.upstreamServerId)}`,e.origin);return t.searchParams.set("authProfileId",e.authProfileId),t.toString()}o(Nl,"buildOAuthClientMetadataDocumentUrl");function Oy(e){return re(e)}o(Oy,"requireOAuthClientMetadataOrigin");function Uy(e,t,r){let n=Je(t),a=qr(t,r);return{client_id:Nl({origin:e,upstreamServerId:t,authProfileId:r}),client_name:zl(n.displayName),client_uri:new URL("/",e).toString(),redirect_uris:[new URL(a.redirectPath,e).toString()],grant_types:["authorization_code","refresh_token"],response_types:["code"],application_type:"web",token_endpoint_auth_method:"none"}}o(Uy,"buildOAuthClientMetadataDocument");var wU=c.union([Ko,vl]),vU=c.object({authorizationServerUrl:c.url(),resourceMetadataUrl:c.url().optional(),resourceMetadata:ns.optional(),authorizationServerMetadata:c.union([Fo,os]).optional()}).passthrough(),RU="Bearer";function bU(e){return e?e.split(/[,\s]+/).filter(Boolean):[]}o(bU,"splitScopes");function CU(e){return zi.parse(e)}o(CU,"parsePkceCodeVerifier");function IU(e){if(typeof e.expires_in=="number")return O(new Date(Date.now()+e.expires_in*1e3))}o(IU,"readTokenExpiry");async function zy(e){if(e!==void 0)return $r(JSON.stringify(e))}o(zy,"encryptJson");async function Ny(e,t){if(!e)return;let r=await Bt(e);try{return t.parse(JSON.parse(r))}catch(n){throw g("oauth_state_invalid","Stored upstream OAuth JSON state is invalid.",n)}}o(Ny,"decryptJson");function TU(e){if(e===void 0)return;let t={authorizationServerUrl:e.authorizationServerUrl};return e.resourceMetadataUrl!==void 0&&(t.resourceMetadataUrl=e.resourceMetadataUrl),e.resourceMetadata!==void 0&&(t.resourceMetadata=e.resourceMetadata),e.authorizationServerMetadata!==void 0&&(t.authorizationServerMetadata=e.authorizationServerMetadata),t}o(TU,"toOAuthDiscoveryState");function AU(e,t){return"redirect_uris"in e?e.redirect_uris.includes(t):!0}o(AU,"clientInformationAllowsRedirectUri");function kU(e,t,r){let n=Je(e),a=qr(e,t),i;return a.scopes.length>0&&(i=a.scopes.join(a.scopeDelimiter)),{client_name:zl(n.displayName),client_uri:new URL("/",new URL(r).origin).toString(),redirect_uris:[r],grant_types:["authorization_code","refresh_token"],response_types:["code"],application_type:"web",scope:i,token_endpoint_auth_method:"none"}}o(kU,"buildOAuthClientMetadata");function PU(e){let t;if(e.registration.tokenEndpointAuthMethod!=="none"&&(t=e.registration.clientSecret,!t))throw g("internal_server_error",`Manual OAuth registration for ${e.upstreamServerId} requires clientSecret.`);return Ko.parse({...e.clientMetadata,client_id:e.registration.clientId,token_endpoint_auth_method:e.registration.tokenEndpointAuthMethod,...t===void 0?{}:{client_secret:t}})}o(PU,"buildManualOAuthClientInformation");function EU(e,t,r){let n=Nl({origin:new URL(r).origin,upstreamServerId:e,authProfileId:t});return Tl(n)?n:void 0}o(EU,"buildClientMetadataUrl");function Dy(e){for(let t of e)if(t!==void 0)return t}o(Dy,"firstDefined");function xU(e){let t=qr(e.target.upstreamServerId,e.target.authProfileId),r=kU(e.target.upstreamServerId,e.target.authProfileId,e.redirectUri);if(t.clientRegistration.mode==="manual")return{clientMetadata:r,configuredClientInformation:PU({clientMetadata:r,registration:t.clientRegistration,upstreamServerId:e.target.upstreamServerId})};let n=EU(e.target.upstreamServerId,e.target.authProfileId,e.redirectUri);return n===void 0?{clientMetadata:r}:{clientMetadata:r,clientMetadataUrl:n}}o(xU,"buildInitialOAuthClientSetup");function OU(e,t){if(t===void 0)return Dy([e.pendingState?.encryptedClientInformation,e.connectionMetadata?.encryptedClientInformation,e.connection?.metadata?.encryptedClientInformation])}o(OU,"readEncryptedClientInformation");function UU(e){return Dy([e.pendingState?.encryptedDiscoveryState,e.connectionMetadata?.encryptedDiscoveryState,e.connection?.metadata?.encryptedDiscoveryState])}o(UU,"readEncryptedDiscoveryState");var Br=class{static{o(this,"UpstreamOAuthProvider")}clientMetadataUrl;target;redirectUriValue;returnOrigin;clientMetadataValue;configuredClientInformation;authorizationUrlValue;connection;pendingState;encryptedClientInformation;encryptedDiscoveryState;cachedClientInformation;clientInformationLoaded=!1;cachedDiscoveryState;discoveryStateLoaded=!1;cachedTokens;tokensLoaded=!1;constructor(t){let r=xU({target:t.target,redirectUri:t.redirectUri});this.target=t.target,this.redirectUriValue=t.redirectUri,this.returnOrigin=t.returnOrigin,this.clientMetadataValue=r.clientMetadata,this.configuredClientInformation=r.configuredClientInformation,r.clientMetadataUrl!==void 0&&(this.clientMetadataUrl=r.clientMetadataUrl),this.connection=t.connection,this.pendingState=t.pendingState?{...t.pendingState}:void 0,this.encryptedClientInformation=OU(t,this.configuredClientInformation),this.encryptedDiscoveryState=UU(t)}get authorizationUrl(){return this.authorizationUrlValue}get redirectUrl(){return this.redirectUriValue}get clientMetadata(){return this.clientMetadataValue}async state(){let t=await this.createPendingState();return X_({id:t.id,...Go({owner:this.target.owner,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,virtualServerId:t.virtualServerId})})}async clientInformation(){return this.configuredClientInformation?this.configuredClientInformation:this.loadPersistedClientInformation()}async saveClientInformation(t){this.configuredClientInformation||(this.cachedClientInformation=t,this.clientInformationLoaded=!0,this.encryptedClientInformation=await zy(t),await this.syncPendingState(!1))}async discoveryState(){return this.loadPersistedDiscoveryState()}async saveDiscoveryState(t){this.cachedDiscoveryState=t,this.discoveryStateLoaded=!0,this.encryptedDiscoveryState=await zy(t),await this.syncPendingState(!1)}async tokens(){return this.loadStoredTokens()}async saveTokens(t){let r=Zo.parse(t),n=this.target.owner.mode==="user"?this.target.owner.subjectId:void 0;this.cachedTokens=r,this.tokensLoaded=!0;let a={id:this.connection?.id??Bi(),tenantId:this.target.owner.tenantId,ownerMode:this.target.owner.mode,subjectId:n,upstreamServerId:this.target.upstreamServerId,authProfileId:this.target.authProfileId,status:"active",encryptedAccessToken:await $r(r.access_token),encryptedRefreshToken:r.refresh_token?await $r(r.refresh_token):void 0,scopes:bU(r.scope??this.clientMetadataValue.scope),expiresAt:IU(r),metadata:this.readStoredOAuthPersistence(this.target.owner.mode==="tenant_shared"?this.target.initiatedBySubjectId:void 0)};this.connection=await q().upstreamConnectionRepository.upsert(a)}async redirectToAuthorization(t){this.authorizationUrlValue=t.toString()}async saveCodeVerifier(t){let r=await this.createPendingState();await this.persistPendingState({...r,codeVerifier:CU(t)})}async codeVerifier(){if(!this.pendingState?.codeVerifier)throw g("oauth_state_invalid","OAuth code verifier is missing");return this.pendingState.codeVerifier}async invalidateCredentials(t){let r=t==="all"||t==="client"||t==="tokens",n=t==="all"||t==="client",a=t==="all"||t==="discovery",i=t==="all"||t==="verifier";n&&(this.cachedClientInformation=void 0,this.clientInformationLoaded=!0,this.encryptedClientInformation=void 0),a&&(this.cachedDiscoveryState=void 0,this.discoveryStateLoaded=!0,this.encryptedDiscoveryState=void 0),r&&(this.cachedTokens=void 0,this.tokensLoaded=!0),await this.syncPendingState(i),await this.persistCredentialInvalidation(r)}async createPendingState(){if(this.pendingState)return this.pendingState;let t={id:Lg(),...Go({owner:this.target.owner,initiatedBySubjectId:this.target.initiatedBySubjectId,upstreamServerId:this.target.upstreamServerId,authProfileId:this.target.authProfileId,virtualServerId:this.target.virtualServerId,...this.target.returnTo===void 0?{}:{returnTo:this.target.returnTo}}),callbackPath:new URL(this.redirectUriValue).pathname,expiresAt:O(new Date(Date.now()+W_)),redirectUri:this.redirectUriValue,...this.returnOrigin===void 0?{}:{returnOrigin:this.returnOrigin},encryptedClientInformation:this.encryptedClientInformation,encryptedDiscoveryState:this.encryptedDiscoveryState,connectedBySubjectId:this.target.owner.mode==="tenant_shared"?this.target.initiatedBySubjectId:void 0};return await this.persistPendingState(t),t}async persistPendingState(t){await q().oauthStateStore.save(t),this.pendingState=t}async syncPendingState(t){this.pendingState&&await this.persistPendingState({...this.pendingState,codeVerifier:t?void 0:this.pendingState.codeVerifier,encryptedClientInformation:this.encryptedClientInformation,encryptedDiscoveryState:this.encryptedDiscoveryState})}async loadPersistedClientInformation(){if(this.clientInformationLoaded)return this.cachedClientInformation;let t;try{t=await Ny(this.encryptedClientInformation,wU)}catch{this.encryptedClientInformation=void 0,this.cachedClientInformation=void 0,this.clientInformationLoaded=!0,await this.syncPendingState(!1),await this.persistCredentialInvalidation(!1);return}if(t&&!AU(t,this.redirectUriValue)){this.encryptedClientInformation=void 0,this.cachedClientInformation=void 0,this.clientInformationLoaded=!0,await this.syncPendingState(!1);return}return this.cachedClientInformation=t,this.clientInformationLoaded=!0,this.cachedClientInformation}async loadPersistedDiscoveryState(){if(this.discoveryStateLoaded)return this.cachedDiscoveryState;try{this.cachedDiscoveryState=TU(await Ny(this.encryptedDiscoveryState,vU))}catch{this.encryptedDiscoveryState=void 0,this.cachedDiscoveryState=void 0,await this.syncPendingState(!1),await this.persistCredentialInvalidation(!1)}return this.discoveryStateLoaded=!0,this.cachedDiscoveryState}async loadStoredTokens(){if(this.tokensLoaded)return this.cachedTokens;if(this.tokensLoaded=!0,!this.connection?.encryptedAccessToken||this.connection.status!=="active")return;let t=Zo.parse({access_token:await Bt(this.connection.encryptedAccessToken),token_type:RU,refresh_token:this.connection.encryptedRefreshToken?await Bt(this.connection.encryptedRefreshToken):void 0,scope:this.connection.scopes.length>0?this.connection.scopes.join(" "):void 0});return this.cachedTokens=t,t}async persistCredentialInvalidation(t){if(!this.connection)return;let r={id:this.connection.id,tenantId:this.connection.tenantId,ownerMode:this.connection.ownerMode,subjectId:this.connection.subjectId,upstreamServerId:this.connection.upstreamServerId,authProfileId:this.connection.authProfileId,status:this.connection.status,encryptedAccessToken:this.connection.encryptedAccessToken,encryptedRefreshToken:this.connection.encryptedRefreshToken,scopes:[...this.connection.scopes],expiresAt:this.connection.expiresAt,metadata:this.connection.metadata?{...this.connection.metadata}:void 0};t&&(r.status="reconsent_required",r.encryptedAccessToken=void 0,r.encryptedRefreshToken=void 0,r.scopes=[],r.expiresAt=void 0),r.metadata=this.readStoredOAuthPersistence(this.connection.metadata?.connectedBySubjectId),this.connection=await q().upstreamConnectionRepository.upsert(r)}readStoredOAuthPersistence(t){if(!(!this.encryptedClientInformation&&!this.encryptedDiscoveryState&&!t))return{encryptedClientInformation:this.encryptedClientInformation,encryptedDiscoveryState:this.encryptedDiscoveryState,connectedBySubjectId:t}}};var zU=1e4,NU=256*1024,DU=2;function MU(e){return!e||e.status!=="active"||!e.encryptedAccessToken?!1:e.expiresAt?new Date(e.expiresAt).getTime()>Date.now():!0}o(MU,"hasUsableAccessToken");var qU="does not support dynamic client registration";function $U(e){return e instanceof Error&&e.message.includes(qU)}o($U,"isDynamicClientRegistrationUnsupported");function LU(e){return typeof e=="string"||e instanceof URL?{url:new URL(e.toString())}:{method:e.method,url:new URL(e.url)}}o(LU,"readOAuthFetchRequest");function jU(e,t){return(e.headers.get("content-type")??"").includes("json")||t.trimStart().startsWith("{")||t.trimStart().startsWith("[")}o(jU,"responseLooksJson");function My(e){return async(t,r)=>{let n=LU(t),a=await ss(t,r,{maxRedirects:DU,maxResponseBytes:NU,problemCode:"upstream_token_exchange_failed",timeoutMs:zU}),i=await a.clone().text();if(!jU(a,i))return a;try{JSON.parse(i)}catch(s){throw g("upstream_token_exchange_failed",`Upstream OAuth fetch ${n.url.origin}${n.url.pathname} for ${e} returned invalid JSON.`,s)}return a}}o(My,"createUpstreamOAuthFetch");async function qy(e,t){try{return await _r(e,{serverUrl:t.serverUrl,resourceMetadataUrl:new URL(t.resourceMetadataUrl),fetchFn:My(t.upstreamServerId)})}catch(r){throw $U(r)?g("upstream_client_registration_required",`The authorization server for ${t.upstreamServerId} does not advertise Client ID Metadata Document support and does not support Dynamic Client Registration. Register a client for the gateway manually before retrying.`,r):r}}o(qy,"runUpstreamOAuth");async function HU(e,t){return _r(e,{serverUrl:t.serverUrl,authorizationCode:t.authorizationCode,resourceMetadataUrl:new URL(t.resourceMetadataUrl),fetchFn:My(t.upstreamServerId)})}o(HU,"exchangeUpstreamAuthorizationCode");async function $y(e,t){let r=await qy(e,t);if(r==="REDIRECT"&&e.authorizationUrl)return e.authorizationUrl;throw r==="AUTHORIZED"?g("upstream_token_exchange_failed",`OAuth connect flow reused existing credentials instead of producing a redirect for ${t.upstreamServerId}`):g("upstream_token_exchange_failed",`Unexpected OAuth result for ${t.upstreamServerId}: ${r}`)}o($y,"requireUpstreamAuthorizationRedirect");async function Ly(e){if(MU(e.connection))return{kind:"authorized",credential:{type:"mcp_oauth_provider",provider:e.provider}};let t=await qy(e.provider,{upstreamServerId:e.target.upstreamServerId,serverUrl:e.serverUrl,resourceMetadataUrl:e.resourceMetadataUrl});if(t==="AUTHORIZED")return{kind:"authorized",credential:{type:"mcp_oauth_provider",provider:e.provider}};if(t!=="REDIRECT")throw g("upstream_token_exchange_failed",`Unexpected OAuth result for ${e.target.upstreamServerId}: ${t}`);if(!e.provider.authorizationUrl)throw g("upstream_token_exchange_failed",`OAuth connect-required flow did not produce a redirect for ${e.target.upstreamServerId}`);return{kind:"connect_required",payload:await ZU({requestUrl:e.target.request.url,connection:e.connection,owner:e.target.owner,initiatedBySubjectId:e.target.initiatedBySubjectId,upstreamServerId:e.target.upstreamServerId,authProfileId:e.target.authProfileId,upstreamDisplayName:e.upstreamDisplayName,virtualServerId:e.target.virtualServerId,...e.target.returnTo===void 0?{}:{returnTo:e.target.returnTo}})}}o(Ly,"authorizeUpstreamOAuthSession");async function GU(e){let t=await Qi(e.stateToken),r=await q().oauthStateStore.consumeForCallback(t.id),n=BU(r);return VU({storedState:n,signedState:t,upstreamServerId:e.upstreamServerId,callbackPath:new URL(e.request.url).pathname}),FU(n),n}o(GU,"consumeStoredCallbackState");function BU(e){switch(e.kind){case"consumed":throw g("oauth_state_reused","OAuth state has already been used");case"missing":throw g("oauth_state_expired","OAuth state is missing or expired");case"available":return e.record}}o(BU,"readConsumedCallbackState");function VU(e){if(![e.storedState.tenantId===e.signedState.tenantId,e.storedState.ownerMode===e.signedState.ownerMode,e.storedState.initiatedBySubjectId===e.signedState.initiatedBySubjectId,e.storedState.ownerSubjectId===e.signedState.ownerSubjectId,e.storedState.upstreamServerId===e.signedState.upstreamServerId,e.storedState.authProfileId===e.signedState.authProfileId,e.storedState.virtualServerId===e.signedState.virtualServerId,e.storedState.upstreamServerId===e.upstreamServerId,e.storedState.callbackPath===e.callbackPath].every(Boolean))throw g("oauth_callback_mismatch","OAuth callback did not match the initiating request")}o(VU,"assertStoredCallbackStateMatches");function FU(e){if(new Date(e.expiresAt).getTime()<=Date.now())throw g("oauth_state_expired","OAuth state has expired")}o(FU,"assertStoredCallbackStateFresh");async function ZU(e){if(e.owner.mode==="tenant_shared"){let r={upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,upstreamDisplayName:e.upstreamDisplayName,virtualServerId:e.virtualServerId,requiresReconsent:!!e.connection};return e.connection!==void 0&&(r.connectionId=e.connection.id),ry(r)}let t={requestUrl:e.requestUrl,owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,upstreamDisplayName:e.upstreamDisplayName,virtualServerId:e.virtualServerId,subject:"tool",requiresReconsent:!!e.connection,...e.returnTo===void 0?{}:{returnTo:e.returnTo}};return e.connection!==void 0&&(t.connectionId=e.connection.id),On(t)}o(ZU,"buildOAuthConnectRequiredResponse");async function jy(e){let t=await GU({request:e.request,upstreamServerId:e.upstreamServerId,stateToken:e.stateToken}),r=Pn(t),[n]=await q().upstreamConnectionRepository.batchGet([{owner:r,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId}]),a={target:{owner:r,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,virtualServerId:t.virtualServerId,...t.returnTo===void 0?{}:{returnTo:t.returnTo}},redirectUri:t.redirectUri,pendingState:t};n!==void 0&&(a.connection=n);let i=new Br(a),s=await HU(i,{upstreamServerId:e.upstreamServerId,serverUrl:e.upstreamServerConfig.transport.baseUrl,authorizationCode:e.authorizationCode,resourceMetadataUrl:e.upstreamServerConfig.transport.resourceMetadataUrl});if(s==="AUTHORIZED")return t;throw s!=="REDIRECT"?g("upstream_token_exchange_failed",`Unexpected OAuth result for ${e.upstreamServerId}: ${s}`):g("upstream_token_exchange_failed",`OAuth callback flow did not finish authorization for ${e.upstreamServerId}`)}o(jy,"finishUpstreamOAuthCallback");async function Hy(e){let t=Je(e.upstreamServerId),r=qr(e.upstreamServerId,e.authProfileId),n=xy(r.redirectPath,e.request.url),a="preloadedConnection"in e?e.preloadedConnection:(await q().upstreamConnectionRepository.batchGet([{owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId}]))[0];return{upstreamServerConfig:t,connection:a,providerInput:{target:{owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,virtualServerId:e.virtualServerId,...e.returnTo===void 0?{}:{returnTo:e.returnTo}},redirectUri:n,returnOrigin:re(e.request.url)}}}o(Hy,"prepareUpstreamOAuthRequest");async function Gy(e){let t=await Hy(e),r=new Br({...t.providerInput,...t.connection?.metadata===void 0?{}:{connectionMetadata:t.connection.metadata}});return $y(r,{upstreamServerId:e.upstreamServerId,serverUrl:t.upstreamServerConfig.transport.baseUrl,resourceMetadataUrl:t.upstreamServerConfig.transport.resourceMetadataUrl})}o(Gy,"startUpstreamConnect");async function By(e){let t=await Hy(e),r=new Br({...t.providerInput,...t.connection===void 0?{}:{connection:t.connection}});return Ly({target:e,provider:r,connection:t.connection,upstreamDisplayName:t.upstreamServerConfig.displayName,serverUrl:t.upstreamServerConfig.transport.baseUrl,resourceMetadataUrl:t.upstreamServerConfig.transport.resourceMetadataUrl})}o(By,"authorizeUpstreamRequest");function KU(e,t){switch(e.kind){case"bearer_token":{if(!e.token)throw g("internal_server_error",`Static bearer token is not configured for upstream ${t}.`);return{type:"bearer_token",token:e.token}}case"headers":{let r={};for(let n of e.headers){if(!n.value)throw g("internal_server_error",`Static header ${n.name} is not configured for upstream ${t}.`);r[n.name]=n.value}return{type:"headers",headers:r}}}}o(KU,"resolveStaticSecretCredential");async function Vy(e){let{routeAuth:t}=e;switch(t.authMode){case"tenant_shared_oauth":case"user_oauth":return By({request:e.request,owner:t.owner,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,virtualServerId:t.virtualServerId,..."preloadedConnection"in e?{preloadedConnection:e.preloadedConnection}:{}});case"tenant_static_secret":return cy({owner:t.owner,initiatedBySubjectId:t.initiatedBySubjectId,authProfileId:t.authProfileId,upstreamServerId:t.upstreamServerId,virtualServerId:t.virtualServerId,..."preloadedConnection"in e?{preloadedConnection:e.preloadedConnection}:{}});case"static_secret":{let n=hr({upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId});if(n.mode!=="static_secret")throw g("internal_server_error",`Resolved static-secret credential context loaded ${n.mode} config.`);return{kind:"authorized",credential:KU(n.secret,t.upstreamServerId)}}case"user_static_secret":return ly({request:e.request,owner:t.owner,initiatedBySubjectId:t.initiatedBySubjectId,authProfileId:t.authProfileId,upstreamServerId:t.upstreamServerId,virtualServerId:t.virtualServerId,..."preloadedConnection"in e?{preloadedConnection:e.preloadedConnection}:{}})}throw g("internal_server_error",`Unsupported upstream auth route context ${JSON.stringify(t)}.`)}o(Vy,"resolveUpstreamCredentialForRoute");async function Fy(e){let t=mr(e.principal.tenantId,e.principal.subjectId),r=st().byVirtualServerId.get(e.virtualServerId);if(r)for(let n of r.connections)n.authConfig.mode!=="user_static_secret"||n.authConfig.secret.kind!=="bearer_token"||n.authConfig.secret.capture!=="browser_login"||await rs({owner:t,initiatedBySubjectId:e.principal.subjectId,upstreamServerId:n.upstreamServerId,authProfileId:n.authProfileId,token:e.apiKey})}o(Fy,"saveBrowserLoginApiKeyCredentialsForVirtualServer");async function Zy(e){let t,r={request:e.request,owner:e.connectRequest.owner,initiatedBySubjectId:e.connectRequest.initiatedBySubjectId,upstreamServerId:e.connectRequest.upstreamServerId,authProfileId:e.connectRequest.authProfileId,virtualServerId:e.connectRequest.virtualServerId,...e.connectRequest.returnTo===void 0?{}:{returnTo:e.connectRequest.returnTo}},n=At(e.connectRequest.authMode);switch(n.connectSupport){case"oauth_authorization":t=await Gy(r);break;case"user_static_secret_capture":t=await py(r);break;case"none":throw g("invalid_request",n.connectUnsupportedDetail??`Upstream server ${e.connectRequest.upstreamServerId} does not support browser connection flows.`)}return{authProfileId:e.connectRequest.authProfileId,authUrl:t,initiatedBySubjectId:e.connectRequest.initiatedBySubjectId,owner:e.connectRequest.owner,upstreamDisplayName:e.connectRequest.upstreamDisplayName,virtualServerId:e.connectRequest.virtualServerId}}o(Zy,"startUpstreamConnectForRequest");async function Ky(e){let r=(await Qi(e.callbackRequest.state)).authProfileId,n=hr({upstreamServerId:e.callbackRequest.upstreamServerId,authProfileId:r});if(At(n.mode).callbackSupport!=="authorization_code")throw g("invalid_request",`Upstream server ${e.callbackRequest.upstreamServerId} does not support OAuth callbacks.`);return jy({request:e.request,upstreamServerId:e.callbackRequest.upstreamServerId,authorizationCode:e.callbackRequest.code,stateToken:e.callbackRequest.state,upstreamServerConfig:Je(e.callbackRequest.upstreamServerId)})}o(Ky,"finishUpstreamCallbackForRequest");var cs=class{static{o(this,"ExperimentalClientTasks")}constructor(t){this._client=t}async*callToolStream(t,r=tr,n){let a=this._client,i={...n,task:n?.task??(a.isToolTask(t.name)?{}:void 0)},s=a.requestStream({method:"tools/call",params:t},r,i),u=a.getToolOutputValidator(t.name);for await(let d of s){if(d.type==="result"&&u){let l=d.result;if(!l.structuredContent&&!l.isError){yield{type:"error",error:new A(k.InvalidRequest,`Tool ${t.name} has an output schema but did not return structured content`)};return}if(l.structuredContent)try{let p=u(l.structuredContent);if(!p.valid){yield{type:"error",error:new A(k.InvalidParams,`Structured content does not match the tool's output schema: ${p.errorMessage}`)};return}}catch(p){if(p instanceof A){yield{type:"error",error:p};return}yield{type:"error",error:new A(k.InvalidParams,`Failed to validate structured content: ${p instanceof Error?p.message:String(p)}`)};return}}yield d}}async getTask(t,r){return this._client.getTask({taskId:t},r)}async getTaskResult(t,r,n){return this._client.getTaskResult({taskId:t},r,n)}async listTasks(t,r){return this._client.listTasks(t?{cursor:t}:void 0,r)}async cancelTask(t,r){return this._client.cancelTask({taskId:t},r)}requestStream(t,r,n){return this._client.requestStream(t,r,n)}};function us(e,t){if(!(!e||t===null||typeof t!="object")){if(e.type==="object"&&e.properties&&typeof e.properties=="object"){let r=t,n=e.properties;for(let a of Object.keys(n)){let i=n[a];r[a]===void 0&&Object.prototype.hasOwnProperty.call(i,"default")&&(r[a]=i.default),r[a]!==void 0&&us(i,r[a])}}if(Array.isArray(e.anyOf))for(let r of e.anyOf)typeof r!="boolean"&&us(r,t);if(Array.isArray(e.oneOf))for(let r of e.oneOf)typeof r!="boolean"&&us(r,t)}}o(us,"applyElicitationDefaults");function WU(e){if(!e)return{supportsFormMode:!1,supportsUrlMode:!1};let t=e.form!==void 0,r=e.url!==void 0;return{supportsFormMode:t||!t&&!r,supportsUrlMode:r}}o(WU,"getSupportedElicitationModes");var ds=class extends tn{static{o(this,"Client")}constructor(t,r){super(r),this._clientInfo=t,this._cachedToolOutputValidators=new Map,this._cachedKnownTaskTools=new Set,this._cachedRequiredTaskTools=new Set,this._listChangedDebounceTimers=new Map,this._capabilities=r?.capabilities??{},this._jsonSchemaValidator=r?.jsonSchemaValidator??new Sn,r?.listChanged&&(this._pendingListChangedConfig=r.listChanged)}_setupListChangedHandlers(t){t.tools&&this._serverCapabilities?.tools?.listChanged&&this._setupListChangedHandler("tools",dc,t.tools,async()=>(await this.listTools()).tools),t.prompts&&this._serverCapabilities?.prompts?.listChanged&&this._setupListChangedHandler("prompts",sc,t.prompts,async()=>(await this.listPrompts()).prompts),t.resources&&this._serverCapabilities?.resources?.listChanged&&this._setupListChangedHandler("resources",Xs,t.resources,async()=>(await this.listResources()).resources)}get experimental(){return this._experimental||(this._experimental={tasks:new cs(this)}),this._experimental}registerCapabilities(t){if(this.transport)throw new Error("Cannot register capabilities after connecting to transport");this._capabilities=Oa(this._capabilities,t)}setRequestHandler(t,r){let a=Jr(t)?.method;if(!a)throw new Error("Schema is missing a method literal");let i;if(Jt(a)){let u=a;i=u._zod?.def?.value??u.value}else{let u=a;i=u._def?.value??u.value}if(typeof i!="string")throw new Error("Schema method literal must be a string");let s=i;if(s==="elicitation/create"){let u=o(async(d,l)=>{let p=Me(mc,d);if(!p.success){let R=p.error instanceof Error?p.error.message:String(p.error);throw new A(k.InvalidParams,`Invalid elicitation request: ${R}`)}let{params:m}=p.data;m.mode=m.mode??"form";let{supportsFormMode:f,supportsUrlMode:_}=WU(this._capabilities.elicitation);if(m.mode==="form"&&!f)throw new A(k.InvalidParams,"Client does not support form-mode elicitation requests");if(m.mode==="url"&&!_)throw new A(k.InvalidParams,"Client does not support URL-mode elicitation requests");let S=await Promise.resolve(r(d,l));if(m.task){let R=Me(Nt,S);if(!R.success){let I=R.error instanceof Error?R.error.message:String(R.error);throw new A(k.InvalidParams,`Invalid task creation result: ${I}`)}return R.data}let y=Me(rr,S);if(!y.success){let R=y.error instanceof Error?y.error.message:String(y.error);throw new A(k.InvalidParams,`Invalid elicitation result: ${R}`)}let w=y.data,v=m.mode==="form"?m.requestedSchema:void 0;if(m.mode==="form"&&w.action==="accept"&&w.content&&v&&this._capabilities.elicitation?.form?.applyDefaults)try{us(v,w.content)}catch{}return w},"wrappedHandler");return super.setRequestHandler(t,u)}if(s==="sampling/createMessage"){let u=o(async(d,l)=>{let p=Me(pc,d);if(!p.success){let w=p.error instanceof Error?p.error.message:String(p.error);throw new A(k.InvalidParams,`Invalid sampling request: ${w}`)}let{params:m}=p.data,f=await Promise.resolve(r(d,l));if(m.task){let w=Me(Nt,f);if(!w.success){let v=w.error instanceof Error?w.error.message:String(w.error);throw new A(k.InvalidParams,`Invalid task creation result: ${v}`)}return w.data}let S=m.tools||m.toolChoice?to:vr,y=Me(S,f);if(!y.success){let w=y.error instanceof Error?y.error.message:String(y.error);throw new A(k.InvalidParams,`Invalid sampling result: ${w}`)}return y.data},"wrappedHandler");return super.setRequestHandler(t,u)}return super.setRequestHandler(t,r)}assertCapability(t,r){if(!this._serverCapabilities?.[t])throw new Error(`Server does not support ${t} (required for ${r})`)}async connect(t,r){if(await super.connect(t),t.sessionId===void 0)try{let n=await this.request({method:"initialize",params:{protocolVersion:Xt,capabilities:this._capabilities,clientInfo:this._clientInfo}},Bs,r);if(n===void 0)throw new Error(`Server sent invalid initialize result: ${n}`);if(!Qt.includes(n.protocolVersion))throw new Error(`Server's protocol version is not supported: ${n.protocolVersion}`);this._serverCapabilities=n.capabilities,this._serverVersion=n.serverInfo,t.setProtocolVersion&&t.setProtocolVersion(n.protocolVersion),this._instructions=n.instructions,await this.notification({method:"notifications/initialized"}),this._pendingListChangedConfig&&(this._setupListChangedHandlers(this._pendingListChangedConfig),this._pendingListChangedConfig=void 0)}catch(n){throw this.close(),n}}getServerCapabilities(){return this._serverCapabilities}getServerVersion(){return this._serverVersion}getInstructions(){return this._instructions}assertCapabilityForMethod(t){switch(t){case"logging/setLevel":if(!this._serverCapabilities?.logging)throw new Error(`Server does not support logging (required for ${t})`);break;case"prompts/get":case"prompts/list":if(!this._serverCapabilities?.prompts)throw new Error(`Server does not support prompts (required for ${t})`);break;case"resources/list":case"resources/templates/list":case"resources/read":case"resources/subscribe":case"resources/unsubscribe":if(!this._serverCapabilities?.resources)throw new Error(`Server does not support resources (required for ${t})`);if(t==="resources/subscribe"&&!this._serverCapabilities.resources.subscribe)throw new Error(`Server does not support resource subscriptions (required for ${t})`);break;case"tools/call":case"tools/list":if(!this._serverCapabilities?.tools)throw new Error(`Server does not support tools (required for ${t})`);break;case"completion/complete":if(!this._serverCapabilities?.completions)throw new Error(`Server does not support completions (required for ${t})`);break;case"initialize":break;case"ping":break}}assertNotificationCapability(t){switch(t){case"notifications/roots/list_changed":if(!this._capabilities.roots?.listChanged)throw new Error(`Client does not support roots list changed notifications (required for ${t})`);break;case"notifications/initialized":break;case"notifications/cancelled":break;case"notifications/progress":break}}assertRequestHandlerCapability(t){if(this._capabilities)switch(t){case"sampling/createMessage":if(!this._capabilities.sampling)throw new Error(`Client does not support sampling capability (required for ${t})`);break;case"elicitation/create":if(!this._capabilities.elicitation)throw new Error(`Client does not support elicitation capability (required for ${t})`);break;case"roots/list":if(!this._capabilities.roots)throw new Error(`Client does not support roots capability (required for ${t})`);break;case"tasks/get":case"tasks/list":case"tasks/result":case"tasks/cancel":if(!this._capabilities.tasks)throw new Error(`Client does not support tasks capability (required for ${t})`);break;case"ping":break}}assertTaskCapability(t){gi(this._serverCapabilities?.tasks?.requests,t,"Server")}assertTaskHandlerCapability(t){this._capabilities&&_i(this._capabilities.tasks?.requests,t,"Client")}async ping(t){return this.request({method:"ping"},zt,t)}async complete(t,r){return this.request({method:"completion/complete",params:t},hc,r)}async setLoggingLevel(t,r){return this.request({method:"logging/setLevel",params:{level:t}},zt,r)}async getPrompt(t,r){return this.request({method:"prompts/get",params:t},ic,r)}async listPrompts(t,r){return this.request({method:"prompts/list",params:t},ec,r)}async listResources(t,r){return this.request({method:"resources/list",params:t},Zs,r)}async listResourceTemplates(t,r){return this.request({method:"resources/templates/list",params:t},Ks,r)}async readResource(t,r){return this.request({method:"resources/read",params:t},Ys,r)}async subscribeResource(t,r){return this.request({method:"resources/subscribe",params:t},zt,r)}async unsubscribeResource(t,r){return this.request({method:"resources/unsubscribe",params:t},zt,r)}async callTool(t,r=tr,n){if(this.isToolTaskRequired(t.name))throw new A(k.InvalidRequest,`Tool "${t.name}" requires task-based execution. Use client.experimental.tasks.callToolStream() instead.`);let a=await this.request({method:"tools/call",params:t},r,n),i=this.getToolOutputValidator(t.name);if(i){if(!a.structuredContent&&!a.isError)throw new A(k.InvalidRequest,`Tool ${t.name} has an output schema but did not return structured content`);if(a.structuredContent)try{let s=i(a.structuredContent);if(!s.valid)throw new A(k.InvalidParams,`Structured content does not match the tool's output schema: ${s.errorMessage}`)}catch(s){throw s instanceof A?s:new A(k.InvalidParams,`Failed to validate structured content: ${s instanceof Error?s.message:String(s)}`)}}return a}isToolTask(t){return this._serverCapabilities?.tasks?.requests?.tools?.call?this._cachedKnownTaskTools.has(t):!1}isToolTaskRequired(t){return this._cachedRequiredTaskTools.has(t)}cacheToolMetadata(t){this._cachedToolOutputValidators.clear(),this._cachedKnownTaskTools.clear(),this._cachedRequiredTaskTools.clear();for(let r of t){if(r.outputSchema){let a=this._jsonSchemaValidator.getValidator(r.outputSchema);this._cachedToolOutputValidators.set(r.name,a)}let n=r.execution?.taskSupport;(n==="required"||n==="optional")&&this._cachedKnownTaskTools.add(r.name),n==="required"&&this._cachedRequiredTaskTools.add(r.name)}}getToolOutputValidator(t){return this._cachedToolOutputValidators.get(t)}async listTools(t,r){let n=await this.request({method:"tools/list",params:t},uc,r);return this.cacheToolMetadata(n.tools),n}_setupListChangedHandler(t,r,n,a){let i=Hp.safeParse(n);if(!i.success)throw new Error(`Invalid ${t} listChanged options: ${i.error.message}`);if(typeof n.onChanged!="function")throw new Error(`Invalid ${t} listChanged options: onChanged must be a function`);let{autoRefresh:s,debounceMs:u}=i.data,{onChanged:d}=n,l=o(async()=>{if(!s){d(null,null);return}try{let m=await a();d(null,m)}catch(m){let f=m instanceof Error?m:new Error(String(m));d(f,null)}},"refresh"),p=o(()=>{if(u){let m=this._listChangedDebounceTimers.get(t);m&&clearTimeout(m);let f=setTimeout(l,u);this._listChangedDebounceTimers.set(t,f)}else l()},"handler");this.setNotificationHandler(r,p)}async sendRootsListChanged(){return this.notification({method:"notifications/roots/list_changed"})}};function ls(e){return e?e instanceof Headers?Object.fromEntries(e.entries()):Array.isArray(e)?Object.fromEntries(e):{...e}:{}}o(ls,"normalizeHeaders");function Wy(e=fetch,t){return t?async(r,n)=>{let a={...t,...n,headers:n?.headers?{...ls(t.headers),...ls(n.headers)}:t.headers};return e(r,a)}:e}o(Wy,"createFetchWithInit");var ps=class extends Error{static{o(this,"ParseError")}constructor(t,r){super(t),this.name="ParseError",this.type=r.type,this.field=r.field,this.value=r.value,this.line=r.line}};function Dl(e){}o(Dl,"noop");function Jy(e){if(typeof e=="function")throw new TypeError("`callbacks` must be an object, got a function instead. Did you mean `{onEvent: fn}`?");let{onEvent:t=Dl,onError:r=Dl,onRetry:n=Dl,onComment:a}=e,i="",s=!0,u,d="",l="";function p(y){let w=s?y.replace(/^\xEF\xBB\xBF/,""):y,[v,R]=JU(`${i}${w}`);for(let I of v)m(I);i=R,s=!1}o(p,"feed");function m(y){if(y===""){_();return}if(y.startsWith(":")){a&&a(y.slice(y.startsWith(": ")?2:1));return}let w=y.indexOf(":");if(w!==-1){let v=y.slice(0,w),R=y[w+1]===" "?2:1,I=y.slice(w+R);f(v,I,y);return}f(y,"",y)}o(m,"parseLine");function f(y,w,v){switch(y){case"event":l=w;break;case"data":d=`${d}${w}
836
+ `;break;case"id":u=w.includes("\0")?void 0:w;break;case"retry":/^\d+$/.test(w)?n(parseInt(w,10)):r(new ps(`Invalid \`retry\` value: "${w}"`,{type:"invalid-retry",value:w,line:v}));break;default:r(new ps(`Unknown field "${y.length>20?`${y.slice(0,20)}\u2026`:y}"`,{type:"unknown-field",field:y,value:w,line:v}));break}}o(f,"processField");function _(){d.length>0&&t({id:u,event:l||void 0,data:d.endsWith(`
837
+ `)?d.slice(0,-1):d}),u=void 0,d="",l=""}o(_,"dispatchEvent");function S(y={}){i&&y.consume&&m(i),s=!0,u=void 0,d="",l="",i=""}return o(S,"reset"),{feed:p,reset:S}}o(Jy,"createParser");function JU(e){let t=[],r="",n=0;for(;n<e.length;){let a=e.indexOf("\r",n),i=e.indexOf(`
838
+ `,n),s=-1;if(a!==-1&&i!==-1?s=Math.min(a,i):a!==-1?a===e.length-1?s=-1:s=a:i!==-1&&(s=i),s===-1){r=e.slice(n);break}else{let u=e.slice(n,s);t.push(u),n=s+1,e[n-1]==="\r"&&e[n]===`
839
+ `&&n++}}return[t,r]}o(JU,"splitLines");var ms=class extends TransformStream{static{o(this,"EventSourceParserStream")}constructor({onError:t,onRetry:r,onComment:n}={}){let a;super({start(i){a=Jy({onEvent:o(s=>{i.enqueue(s)},"onEvent"),onError(s){t==="terminate"?i.error(s):typeof t=="function"&&t(s)},onRetry:r,onComment:n})},transform(i){a.feed(i)}})}};var YU={initialReconnectionDelay:1e3,maxReconnectionDelay:3e4,reconnectionDelayGrowFactor:1.5,maxRetries:2},yr=class extends Error{static{o(this,"StreamableHTTPError")}constructor(t,r){super(`Streamable HTTP error: ${r}`),this.code=t}},hs=class{static{o(this,"StreamableHTTPClientTransport")}constructor(t,r){this._hasCompletedAuthFlow=!1,this._url=t,this._resourceMetadataUrl=void 0,this._scope=void 0,this._requestInit=r?.requestInit,this._authProvider=r?.authProvider,this._fetch=r?.fetch,this._fetchWithInit=Wy(r?.fetch,r?.requestInit),this._sessionId=r?.sessionId,this._reconnectionOptions=r?.reconnectionOptions??YU}async _authThenStart(){if(!this._authProvider)throw new Ft("No auth provider");let t;try{t=await _r(this._authProvider,{serverUrl:this._url,resourceMetadataUrl:this._resourceMetadataUrl,scope:this._scope,fetchFn:this._fetchWithInit})}catch(r){throw this.onerror?.(r),r}if(t!=="AUTHORIZED")throw new Ft;return await this._startOrAuthSse({resumptionToken:void 0})}async _commonHeaders(){let t={};if(this._authProvider){let n=await this._authProvider.tokens();n&&(t.Authorization=`Bearer ${n.access_token}`)}this._sessionId&&(t["mcp-session-id"]=this._sessionId),this._protocolVersion&&(t["mcp-protocol-version"]=this._protocolVersion);let r=ls(this._requestInit?.headers);return new Headers({...t,...r})}async _startOrAuthSse(t){let{resumptionToken:r}=t;try{let n=await this._commonHeaders();n.set("Accept","text/event-stream"),r&&n.set("last-event-id",r);let a=await(this._fetch??fetch)(this._url,{method:"GET",headers:n,signal:this._abortController?.signal});if(!a.ok){if(await a.body?.cancel(),a.status===401&&this._authProvider)return await this._authThenStart();if(a.status===405)return;throw new yr(a.status,`Failed to open SSE stream: ${a.statusText}`)}this._handleSseStream(a.body,t,!0)}catch(n){throw this.onerror?.(n),n}}_getNextReconnectionDelay(t){if(this._serverRetryMs!==void 0)return this._serverRetryMs;let r=this._reconnectionOptions.initialReconnectionDelay,n=this._reconnectionOptions.reconnectionDelayGrowFactor,a=this._reconnectionOptions.maxReconnectionDelay;return Math.min(r*Math.pow(n,t),a)}_scheduleReconnection(t,r=0){let n=this._reconnectionOptions.maxRetries;if(r>=n){this.onerror?.(new Error(`Maximum reconnection attempts (${n}) exceeded.`));return}let a=this._getNextReconnectionDelay(r);this._reconnectionTimeout=setTimeout(()=>{this._startOrAuthSse(t).catch(i=>{this.onerror?.(new Error(`Failed to reconnect SSE stream: ${i instanceof Error?i.message:String(i)}`)),this._scheduleReconnection(t,r+1)})},a)}_handleSseStream(t,r,n){if(!t)return;let{onresumptiontoken:a,replayMessageId:i}=r,s,u=!1,d=!1;o(async()=>{try{let p=t.pipeThrough(new TextDecoderStream).pipeThrough(new ms({onRetry:o(_=>{this._serverRetryMs=_},"onRetry")})).getReader();for(;;){let{value:_,done:S}=await p.read();if(S)break;if(_.id&&(s=_.id,u=!0,a?.(_.id)),!!_.data&&(!_.event||_.event==="message"))try{let y=wr.parse(JSON.parse(_.data));ut(y)&&(d=!0,i!==void 0&&(y.id=i)),this.onmessage?.(y)}catch(y){this.onerror?.(y)}}(n||u)&&!d&&this._abortController&&!this._abortController.signal.aborted&&this._scheduleReconnection({resumptionToken:s,onresumptiontoken:a,replayMessageId:i},0)}catch(p){if(this.onerror?.(new Error(`SSE stream disconnected: ${p}`)),(n||u)&&!d&&this._abortController&&!this._abortController.signal.aborted)try{this._scheduleReconnection({resumptionToken:s,onresumptiontoken:a,replayMessageId:i},0)}catch(_){this.onerror?.(new Error(`Failed to reconnect: ${_ instanceof Error?_.message:String(_)}`))}}},"processStream")()}async start(){if(this._abortController)throw new Error("StreamableHTTPClientTransport already started! If using Client class, note that connect() calls start() automatically.");this._abortController=new AbortController}async finishAuth(t){if(!this._authProvider)throw new Ft("No auth provider");if(await _r(this._authProvider,{serverUrl:this._url,authorizationCode:t,resourceMetadataUrl:this._resourceMetadataUrl,scope:this._scope,fetchFn:this._fetchWithInit})!=="AUTHORIZED")throw new Ft("Failed to authorize")}async close(){this._reconnectionTimeout&&(clearTimeout(this._reconnectionTimeout),this._reconnectionTimeout=void 0),this._abortController?.abort(),this.onclose?.()}async send(t,r){try{let{resumptionToken:n,onresumptiontoken:a}=r||{};if(n){this._startOrAuthSse({resumptionToken:n,replayMessageId:St(t)?t.id:void 0}).catch(f=>this.onerror?.(f));return}let i=await this._commonHeaders();i.set("content-type","application/json"),i.set("accept","application/json, text/event-stream");let s={...this._requestInit,method:"POST",headers:i,body:JSON.stringify(t),signal:this._abortController?.signal},u=await(this._fetch??fetch)(this._url,s),d=u.headers.get("mcp-session-id");if(d&&(this._sessionId=d),!u.ok){let f=await u.text().catch(()=>null);if(u.status===401&&this._authProvider){if(this._hasCompletedAuthFlow)throw new yr(401,"Server returned 401 after successful authentication");let{resourceMetadataUrl:_,scope:S}=Al(u);if(this._resourceMetadataUrl=_,this._scope=S,await _r(this._authProvider,{serverUrl:this._url,resourceMetadataUrl:this._resourceMetadataUrl,scope:this._scope,fetchFn:this._fetchWithInit})!=="AUTHORIZED")throw new Ft;return this._hasCompletedAuthFlow=!0,this.send(t)}if(u.status===403&&this._authProvider){let{resourceMetadataUrl:_,scope:S,error:y}=Al(u);if(y==="insufficient_scope"){let w=u.headers.get("WWW-Authenticate");if(this._lastUpscopingHeader===w)throw new yr(403,"Server returned 403 after trying upscoping");if(S&&(this._scope=S),_&&(this._resourceMetadataUrl=_),this._lastUpscopingHeader=w??void 0,await _r(this._authProvider,{serverUrl:this._url,resourceMetadataUrl:this._resourceMetadataUrl,scope:this._scope,fetchFn:this._fetch})!=="AUTHORIZED")throw new Ft;return this.send(t)}}throw new yr(u.status,`Error POSTing to endpoint: ${f}`)}if(this._hasCompletedAuthFlow=!1,this._lastUpscopingHeader=void 0,u.status===202){await u.body?.cancel(),Np(t)&&this._startOrAuthSse({resumptionToken:void 0}).catch(f=>this.onerror?.(f));return}let p=(Array.isArray(t)?t:[t]).filter(f=>"method"in f&&"id"in f&&f.id!==void 0).length>0,m=u.headers.get("content-type");if(p)if(m?.includes("text/event-stream"))this._handleSseStream(u.body,{onresumptiontoken:a},!1);else if(m?.includes("application/json")){let f=await u.json(),_=Array.isArray(f)?f.map(S=>wr.parse(S)):[wr.parse(f)];for(let S of _)this.onmessage?.(S)}else throw await u.body?.cancel(),new yr(-1,`Unexpected content type: ${m}`);else await u.body?.cancel()}catch(n){throw this.onerror?.(n),n}}get sessionId(){return this._sessionId}async terminateSession(){if(this._sessionId)try{let t=await this._commonHeaders(),r={...this._requestInit,method:"DELETE",headers:t,signal:this._abortController?.signal},n=await(this._fetch??fetch)(this._url,r);if(await n.body?.cancel(),!n.ok&&n.status!==405)throw new yr(n.status,`Failed to terminate session: ${n.statusText}`);this._sessionId=void 0}catch(t){throw this.onerror?.(t),t}}setProtocolVersion(t){this._protocolVersion=t}get protocolVersion(){return this._protocolVersion}async resumeStream(t,r){await this._startOrAuthSse({resumptionToken:t,onresumptiontoken:r?.onresumptiontoken})}};function Yy(e=[]){let t={};for(let r of e){if(!r.value){if(r.required)throw g("internal_server_error",`Native MCP transport header ${r.name} is required but has no value configured.`);continue}t[r.name]=r.value}return t}o(Yy,"resolveNativeMcpRequestHeaders");var XU={name:"zuplo-mcp-gateway",version:"0.1.0"},QU=5,e0=500,eS=3e4,t0=2*1024*1024,r0=2;function Xy(){return performance.now()/1e3}o(Xy,"nowSeconds");function n0(e){if(e.port)return Number(e.port);if(e.protocol==="https:")return 443;if(e.protocol==="http:")return 80}o(n0,"readServerPort");function o0(e,t){return{mcpSessionId:t,serverAddress:e.hostname,serverPort:n0(e)}}o(o0,"buildNativeMcpOperationContext");function Dn(e){return dg(e)}o(Dn,"withTraceMeta");function Ml(e){if(e>e0)throw g("upstream_import_failed","Upstream import exceeded the maximum allowed capability count.")}o(Ml,"assertImportedCapabilityBudget");function Qy(e){return Object.keys(e).length===0?{}:{requestInit:{headers:e}}}o(Qy,"buildRequestInit");function a0(e){return(t,r)=>ss(t,r,{additionalCrossOriginStrippedHeaders:e,maxRedirects:r0,maxResponseBytes:t0,problemCode:"upstream_capability_invocation_failed",timeoutMs:eS})}o(a0,"createNativeMcpFetch");function i0(e){return new Promise((t,r)=>{let n=setTimeout(()=>{r(g("upstream_capability_invocation_failed","Upstream MCP request exceeded the maximum allowed time."))},eS);e.then(a=>{clearTimeout(n),t(a)},a=>{clearTimeout(n),r(a)})})}o(i0,"withNativeMcpRequestTimeout");function s0(e,t=[]){let r=Yy(t),n=e?.type==="headers"?Object.keys(e.headers):[],a=[...Object.keys(r),...n],i={fetch:a0(a)};if(!e)return{...i,...Qy(r)};switch(e.type){case"mcp_oauth_provider":return{authProvider:e.provider,...i,...Qy(r)};case"bearer_token":return{...i,requestInit:{headers:{...r,Authorization:`Bearer ${e.token}`}}};case"headers":return{...i,requestInit:{headers:{...r,...e.headers}}}}}o(s0,"buildNativeMcpTransportOptions");async function Mn(e,t,r){let{transport:n}=Je(e),a=new URL(n.baseUrl),i=new hs(a,s0(r,n.requestHeaders)),s=new ds(XU,{capabilities:{}});return i0((async()=>{let u=Xy();await s.connect(i);let d=i.sessionId,l=o0(a,d);try{return await t(s,l)}finally{if(i.sessionId)try{await i.terminateSession()}catch{}await s.close(),d&&lg(l,Xy()-u)}})())}o(Mn,"withNativeMcpClient");async function c0(e,t,r){let n=[],a,i=0;do{if(i>=QU)throw g("upstream_capability_invocation_failed",`${e} pagination exceeded the maximum allowed page count.`);let s=await t(a);i+=1,n.push(...r(s)),a=s.nextCursor}while(a);return n}o(c0,"collectPaginatedSdkItems");async function ql(e){return e.enabled?c0(e.label,e.fetchPage,e.readItems):[]}o(ql,"listNativeMcpCapabilityItems");async function tS(e){return Mn(e.upstreamServerId,async(t,r)=>{let n=t.getServerCapabilities(),a=await Ur({methodName:"tools/list",...r},()=>ql({enabled:!!n?.tools,label:"Tool list",fetchPage:o(i=>t.listTools(Dn(i?{cursor:i}:void 0)),"fetchPage"),readItems:o(i=>i.tools,"readItems")}));return Ml(a.length),{tools:a}},e.credential)}o(tS,"listNativeMcpTools");async function rS(e){return Mn(e.upstreamServerId,async(t,r)=>{let n=t.getServerCapabilities(),a=await Ur({methodName:"prompts/list",...r},()=>ql({enabled:!!n?.prompts,label:"Prompt list",fetchPage:o(i=>t.listPrompts(Dn(i?{cursor:i}:void 0)),"fetchPage"),readItems:o(i=>i.prompts,"readItems")}));return Ml(a.length),{prompts:a}},e.credential)}o(rS,"listNativeMcpPrompts");async function nS(e){return Mn(e.upstreamServerId,async(t,r)=>{let n=t.getServerCapabilities(),a=await Ur({methodName:"resources/list",...r},()=>ql({enabled:!!n?.resources,label:"Resource list",fetchPage:o(i=>t.listResources(Dn(i?{cursor:i}:void 0)),"fetchPage"),readItems:o(i=>i.resources,"readItems")}));return Ml(a.length),{resources:a}},e.credential)}o(nS,"listNativeMcpResources");async function oS(e){return Mn(e.upstreamServerId,(t,r)=>Ur({methodName:"tools/call",capabilityType:"tool",capabilityName:e.params.name,...r},async()=>await t.callTool(Dn(e.params))),e.credential)}o(oS,"callNativeMcpTool");async function aS(e){return Mn(e.upstreamServerId,(t,r)=>Ur({methodName:"prompts/get",capabilityType:"prompt",capabilityName:e.params.name,...r},()=>t.getPrompt(Dn(e.params))),e.credential)}o(aS,"getNativeMcpPrompt");async function iS(e){return Mn(e.upstreamServerId,(t,r)=>Ur({methodName:"resources/read",capabilityType:"resource",resourceUri:e.params.uri,...r},()=>t.readResource(Dn(e.params))),e.credential)}o(iS,"readNativeMcpResource");var ca=class extends A{static{o(this,"ConnectRequiredMcpError")}constructor(t){super(k.InvalidRequest,t.message),this.name="ConnectRequiredMcpError"}};function u0(e){return{content:[{type:"text",text:e}],isError:!0}}o(u0,"buildToolErrorResult");function d0(e){return e.authUrl?new Yt([{mode:"url",elicitationId:crypto.randomUUID(),message:e.message,url:e.authUrl}],e.message):new ca(e)}o(d0,"toConnectRequiredError");function l0(e){return{credentialType:e.type,...e.type==="headers"?{headerNames:Object.keys(e.headers).sort()}:{}}}o(l0,"buildCredentialResolvedAttributes");function p0(e){We(e.context,{eventType:H.MCP_GATEWAY_AUTH_UPSTREAM_CREDENTIAL_RESOLVED,outcome:"success",routeBinding:e.routeBinding,attributes:l0(e.credential)})}o(p0,"emitCredentialResolvedAnalyticsEvent");function m0(e){We(e.context,{eventType:H.MCP_GATEWAY_AUTH_UPSTREAM_CREDENTIAL_MISSING,outcome:"connect_required",routeBinding:e.routeBinding,reasonCode:"connect_required",reasonClass:"auth",attributes:{nextAction:e.payload.nextAction,state:e.payload.state}})}o(m0,"emitCredentialMissingAnalyticsEvent");function h0(e){return e.ownerMode==="none"?JSON.stringify(["none",e.upstreamServerId,e.authProfileId]):Dr({owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId})}o(h0,"readRouteBindingCredentialCacheKey");function f0(e){return typeof e.authorizeAndLoadConnections=="function"}o(f0,"isRuntimeHttpCompositeAuthorizationRepository");function cS(e){if(e.ownerMode!=="none")return{owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId}}o(cS,"readOwnedRouteBindingLookup");async function g0(e){let t=q().downstreamOAuthRepository;if(!f0(t))return new Map;let r=ul(e.request);if(!r)return new Map;let n=new Map;for(let u of e.routeBindings){let d=cS(u);d!==void 0&&n.set(Dr(d),d)}if(n.size===0)return new Map;let a=[...n.values()],i=await t.authorizeAndLoadConnections({accessTokenHash:await F(r),resource:Nr(e.virtualServerId,e.request.url),virtualServerId:e.virtualServerId,upstreamConnectionKeys:a,now:O(new Date)});if(i.kind!=="authorized")return new Map;let s=new Map;return i.upstreamConnections.forEach((u,d)=>{let l=a[d];l!==void 0&&s.set(Dr(l),u.connection)}),s}o(g0,"preloadCompositeAuthorizedConnections");function _0(e){let t=new Map;return r=>{let n=h0(r),a=t.get(n);if(a)return a;let i=(async()=>{let s=await e.preloadedConnections,u=cS(r),d=u===void 0?void 0:Dr(u),l=await Vy({request:e.request,routeAuth:r,...d!==void 0&&s.has(d)?{preloadedConnection:s.get(d)}:{}});if(l.kind==="connect_required")throw m0({context:e.context,payload:l.payload,routeBinding:r}),d0(l.payload);return p0({context:e.context,credential:l.credential,routeBinding:r}),l.credential})();return t.set(n,i),i}}o(_0,"createCredentialResolver");var sS=500;function y0(e){return e.length<=sS?e:`${e.slice(0,sS)}...`}o(y0,"truncateAnalyticsDetail");function S0(e){We(e.context,{eventType:H.MCP_GATEWAY_CAPABILITY_COMPLETED,outcome:e.result.isError===!0?"application_error":"success",routeBinding:e.routeBinding,mcpMethod:"tools/call",capabilityName:e.toolName,capabilityType:"tool",toolResultIsError:e.result.isError===!0,applicationError:e.result.isError===!0})}o(S0,"emitToolInvocationCompletedAnalyticsEvent");function w0(e){return e instanceof Yt||e instanceof ca?{eventType:H.MCP_GATEWAY_CAPABILITY_CONNECT_REQUIRED,outcome:"connect_required",reasonCode:"connect_required",reasonClass:"auth",errorType:"connect_required"}:e instanceof A&&e.code===k.InvalidParams?{eventType:H.MCP_GATEWAY_CAPABILITY_FAILED,outcome:"failure",reasonCode:"invalid_tool_arguments",reasonClass:"client",errorType:"tool_error",mcpErrorType:"InvalidParams"}:{eventType:H.MCP_GATEWAY_CAPABILITY_FAILED,outcome:"failure",reasonCode:"upstream_capability_invocation_failed",reasonClass:"upstream",errorType:"tool_error"}}o(w0,"classifyToolInvocationFailure");function v0(e){let t=e.error instanceof Error?e.error.message:String(e.error),r=w0(e.error);We(e.context,{eventType:r.eventType,outcome:r.outcome,routeBinding:e.routeBinding,mcpMethod:"tools/call",capabilityName:e.toolName,capabilityType:"tool",reasonCode:r.reasonCode,reasonClass:r.reasonClass,errorType:r.errorType,mcpErrorType:r.mcpErrorType,attributes:{detail:y0(t)}})}o(v0,"emitToolInvocationFailedAnalyticsEvent");var R0=256*1024;function b0(e){if(e.arguments===void 0)return;let t;try{t=new TextEncoder().encode(JSON.stringify(e.arguments)).length}catch{throw new A(k.InvalidParams,"Tool arguments must be JSON-serializable.")}if(t>R0)throw new A(k.InvalidParams,"Tool arguments exceed the maximum allowed size.")}o(b0,"assertToolArgumentsWithinLimit");function $l(e){if(e.routeBindings.length===1)return e.routeBindings[0];let t=e.routeBindings.filter(r=>r.connectionPolicyName===e.upstreamPolicyName);if(t.length!==1)throw new A(k.InvalidRequest,`Published item ${e.capabilityName} on virtual server ${e.virtualServerId} is claimed by ${t.length} upstream bindings.`);return t[0]}o($l,"findBindingForPublishedCapability");function qn(e){let t=e.routeBindings[0];if(e.routeBindings.length!==1||t===void 0)throw new A(k.InternalError,`Upstream MCP catalog mode for virtual server ${e.publishedVirtualServer.virtualServerId} requires exactly one upstream binding.`);return t}o(qn,"requireSingleTransparentBinding");function C0(e){if(e.publishedVirtualServer.catalog.catalogSource==="upstream_mcp")return{binding:qn(e),upstreamName:e.toolName};let t=e.publishedVirtualServer.catalog.tools.find(r=>r.name===e.toolName&&r.enabled!==!1);if(!t)throw new A(k.MethodNotFound,`Tool ${e.toolName} is not available on virtual server ${e.publishedVirtualServer.virtualServerId}.`);return{binding:$l({capabilityName:String(t.name),routeBindings:e.routeBindings,upstreamPolicyName:t.upstreamPolicyName,virtualServerId:e.publishedVirtualServer.virtualServerId}),upstreamName:t.upstreamName}}o(C0,"resolvePublishedToolRoute");function I0(e){if(e.publishedVirtualServer.catalog.catalogSource==="upstream_mcp")return{binding:qn(e),upstreamName:e.promptName};let t=e.publishedVirtualServer.catalog.prompts.find(r=>r.name===e.promptName&&r.enabled!==!1);if(!t)throw new A(k.MethodNotFound,`Prompt ${e.promptName} is not available on virtual server ${e.publishedVirtualServer.virtualServerId}.`);return{binding:$l({capabilityName:String(t.name),routeBindings:e.routeBindings,upstreamPolicyName:t.upstreamPolicyName,virtualServerId:e.publishedVirtualServer.virtualServerId}),upstreamName:t.upstreamName}}o(I0,"resolvePublishedPromptRoute");function T0(e){if(e.publishedVirtualServer.catalog.catalogSource==="upstream_mcp")return{binding:qn(e),upstreamUri:e.resourceUri};let t=e.publishedVirtualServer.catalog.resources.find(r=>r.uri===e.resourceUri&&r.enabled!==!1);if(!t)throw new A(k.MethodNotFound,`Resource ${e.resourceUri} is not available on virtual server ${e.publishedVirtualServer.virtualServerId}.`);return{binding:$l({capabilityName:String(t.name),routeBindings:e.routeBindings,upstreamPolicyName:t.upstreamPolicyName,virtualServerId:e.publishedVirtualServer.virtualServerId}),upstreamUri:t.upstreamUri}}o(T0,"resolvePublishedResourceRoute");function uS(e){let t=g0({request:e.request,routeBindings:e.routeBindings,virtualServerId:e.publishedVirtualServer.virtualServerId}),r=_0({context:e.context,preloadedConnections:t,request:e.request});return{async listTools(){if(e.publishedVirtualServer.catalog.catalogSource==="openapi")return{tools:e.publishedVirtualServer.catalog.tools.filter(a=>a.enabled!==!1).map(ki)};let n=qn(e);return tS({upstreamServerId:n.upstreamServerId,credential:await r(n)})},async callTool(n){let a=C0({publishedVirtualServer:e.publishedVirtualServer,routeBindings:e.routeBindings,toolName:n.name});try{b0(n);let i=await r(a.binding),s=await oS({upstreamServerId:a.binding.upstreamServerId,params:{...n,name:a.upstreamName},credential:i});return S0({context:e.context,routeBinding:a.binding,toolName:n.name,result:s}),e.context.log.debug({event:"upstream_tool_invocation_succeeded",toolName:n.name,upstreamName:a.upstreamName,upstreamServerId:a.binding.upstreamServerId,authProfileId:a.binding.authProfileId,isError:s.isError===!0},"Upstream tool invocation completed"),s}catch(i){if(v0({context:e.context,routeBinding:a.binding,toolName:n.name,error:i}),i instanceof Yt||i instanceof ca)throw e.context.log.info({event:"upstream_tool_invocation_connect_required",toolName:n.name,upstreamServerId:a.binding.upstreamServerId,authProfileId:a.binding.authProfileId,ownerMode:a.binding.ownerMode,hasAuthUrl:i instanceof Yt},"Upstream tool invocation requires user to complete a connect flow"),i;let s={event:"upstream_tool_invocation_failed",code:"upstream_capability_invocation_failed",toolName:n.name,upstreamName:a.upstreamName,upstreamServerId:a.binding.upstreamServerId,authProfileId:a.binding.authProfileId};return i instanceof A&&(s.mcpErrorCode=i.code),i instanceof Error?(s.errorName=i.name,s.errorMessage=i.message,i.cause instanceof Error&&(s.causeName=i.cause.name,s.causeMessage=i.cause.message)):s.errorMessage=String(i),e.context.log.warn(s,"Upstream tool invocation failed; returning generic gateway error to MCP client"),u0(Fe("upstream_capability_invocation_failed").publicDetail)}},async listPrompts(){if(e.publishedVirtualServer.catalog.catalogSource==="openapi")return{prompts:e.publishedVirtualServer.catalog.prompts.filter(a=>a.enabled!==!1).map(Pi)};let n=qn(e);return rS({upstreamServerId:n.upstreamServerId,credential:await r(n)})},async getPrompt(n){let a=I0({publishedVirtualServer:e.publishedVirtualServer,routeBindings:e.routeBindings,promptName:n.name});return aS({upstreamServerId:a.binding.upstreamServerId,params:{...n,name:a.upstreamName},credential:await r(a.binding)})},async listResources(){if(e.publishedVirtualServer.catalog.catalogSource==="openapi")return{resources:e.publishedVirtualServer.catalog.resources.filter(a=>a.enabled!==!1).map(Ei)};let n=qn(e);return nS({upstreamServerId:n.upstreamServerId,credential:await r(n)})},async readResource(n){let a=T0({publishedVirtualServer:e.publishedVirtualServer,routeBindings:e.routeBindings,resourceUri:n.uri});return iS({upstreamServerId:a.binding.upstreamServerId,params:{...n,uri:a.upstreamUri},credential:await r(a.binding)})}}}o(uS,"createCapabilityDispatcher");var A0="0.1.0",lS="POST",k0="POST, OPTIONS";function Ll(e){return Response.json({jsonrpc:"2.0",id:null,error:{code:-32e3,message:e}},{status:405,headers:{Allow:lS}})}o(Ll,"jsonRpcMethodNotAllowedResponse");function P0(e){let t={Allow:lS},r=e.headers.get("origin"),n=e.headers.get("access-control-request-method");if(r&&n){t["Access-Control-Allow-Methods"]=k0;let a=e.headers.get("access-control-request-headers");a&&(t["Access-Control-Allow-Headers"]=a)}return new Response(null,{status:204,headers:t})}o(P0,"buildOptionsResponse");function $n(e){let t=e&&typeof e=="object"?e.id:void 0;return typeof t=="string"||typeof t=="number"?t:void 0}o($n,"readJsonRpcRequestId");function jl(e){return e&&typeof e=="object"?e.params:void 0}o(jl,"readMcpRequestParams");function dS(e,t){return e.headers.get(t)??void 0}o(dS,"readMcpHeader");function E0(e){return{mcpProtocolVersion:dS(e,"mcp-protocol-version")??Or,mcpSessionId:dS(e,"mcp-session-id")}}o(E0,"buildServerTelemetryBase");function x0(e){if(e.headers.has("mcp-protocol-version"))return e;let t=new Headers(e.headers);return t.set("mcp-protocol-version",Or),new Response(e.body,{status:e.status,statusText:e.statusText,headers:t})}o(x0,"ensureProtocolVersionHeader");async function Hl(e,t){if(e.method==="OPTIONS")return P0(e);if(e.method==="GET")return Ll("Standalone SSE GET is not supported by this stateless virtual MCP server. Use POST streamable HTTP for MCP requests.");if(e.method==="DELETE")return Ll("Session termination via DELETE is not supported because this virtual MCP server is stateless.");if(e.method!=="POST")return Ll("Only POST is supported by this virtual MCP server.");let r=Rn(t),n=Yf(r.virtualServerId),a=mg(t);if(n.catalog.catalogSource==="upstream_mcp"&&a.length!==1)throw t.log.error({event:"virtual_server_binding_count_invalid",code:"internal_server_error",virtualServerId:r.virtualServerId,bindingCount:a.length,catalogSource:n.catalog.catalogSource},"MCP virtual server route requires exactly one upstream binding"),g("internal_server_error",`MCP virtual server route requires exactly one upstream binding; found ${a.length}.`);let i=E0(e),s=uS({context:t,publishedVirtualServer:n,request:e,routeBindings:a}),u=re(e.url),d=new Si({enableDnsRebindingProtection:!0,allowedOrigins:[u]}),l=new yi(n.catalog.serverInfo??{name:r.virtualServerId,version:A0},{capabilities:{prompts:{},resources:{},tools:{}}});l.setRequestHandler(cc,async m=>zr({methodName:"tools/list",params:jl(m),jsonRpcRequestId:$n(m),...i},()=>s.listTools())),l.setRequestHandler(Qn,async m=>zr({methodName:"tools/call",capabilityType:"tool",capabilityName:m.params.name,params:m.params,jsonRpcRequestId:$n(m),...i},()=>s.callTool(m.params))),l.setRequestHandler(Qs,async m=>zr({methodName:"prompts/list",params:jl(m),jsonRpcRequestId:$n(m),...i},()=>s.listPrompts())),l.setRequestHandler(tc,async m=>zr({methodName:"prompts/get",capabilityType:"prompt",capabilityName:m.params.name,params:m.params,jsonRpcRequestId:$n(m),...i},()=>s.getPrompt(m.params))),l.setRequestHandler(Fs,async m=>zr({methodName:"resources/list",params:jl(m),jsonRpcRequestId:$n(m),...i},()=>s.listResources())),l.setRequestHandler(Js,async m=>zr({methodName:"resources/read",capabilityType:"resource",resourceUri:m.params.uri,params:m.params,jsonRpcRequestId:$n(m),...i},()=>s.readResource(m.params))),await l.connect(d);let p=await d.handleRequest(e);return x0(p)}o(Hl,"virtualServerHandler");async function O0(e,t){return Wt("handler.mcp-virtual-server"),Hl(e,t)}o(O0,"McpVirtualServerHandler");var Ln={OAUTH_PROTECTED_RESOURCE_METADATA:"oauth_metadata",VIRTUAL_MCP_SERVER:"gateway",OTHER:"other"},U0="oauth-protected-resource-metadata",z0="/.well-known/oauth-protected-resource/";function N0(e){let r=(typeof e.route.raw=="function"?e.route.raw():void 0)?.operationId;return typeof r=="string"?r:void 0}o(N0,"readRouteOperationId");function D0(e){return e.hasGatewayRouteContext?Ln.VIRTUAL_MCP_SERVER:e.routeOperationId===U0||e.routeOperationId===void 0&&e.routePath.startsWith(z0)?Ln.OAUTH_PROTECTED_RESOURCE_METADATA:Ln.OTHER}o(D0,"classifyAnalyticsRouteSurface");function M0(e){let t=e.route.path;return{routePath:t,routeSurface:D0({routePath:t,routeOperationId:N0(e),hasGatewayRouteContext:No(e)!==void 0})}}o(M0,"readAnalyticsRequestContext");function q0(e){return e.response.status===405&&e.response.headers.has("allow")&&e.routeSurface===Ln.VIRTUAL_MCP_SERVER}o(q0,"isIntentionalMethodRejection");function $0(e){return q0(e)||e.response.status===401&&e.routeSurface===Ln.OAUTH_PROTECTED_RESOURCE_METADATA?"success":e.response.status>=400?"failure":"success"}o($0,"classifyRequestCompletedOutcome");async function Gl(e,t){let r=Date.now(),n=M0(t);return t.addResponseSendingFinalHook(a=>{let i=$0({response:a,routeSurface:n.routeSurface});We(t,{eventType:H.MCP_GATEWAY_REQUEST_COMPLETED,outcome:i,routeSurface:n.routeSurface,httpStatusCode:a.status,httpMethod:e.method,latencyMs:Date.now()-r})}),e}o(Gl,"analyticsContextInbound");function L0(e){return e instanceof Response}o(L0,"isResponse");var pS="/mcp/";function j0(e){let t=e.route.path;if(!t.startsWith(pS))throw g("internal_server_error",`Route ${t} is bound to mcp-oauth-inbound but does not match the /mcp/{virtualServerId} convention.`);let r=t.slice(pS.length);if(!r||r.includes("/"))throw g("internal_server_error",`Route ${t} is bound to mcp-oauth-inbound but must use exactly one /mcp/{virtualServerId} segment.`);return r}o(j0,"readVirtualServerIdFromRoute");async function ua(e,t){let n={virtualServerId:me.parse(j0(t))};eg(t,n),zf(t,n);let a=await Gl(e,t);return L0(a)?a:dl(a,t)}o(ua,"mcpOAuthInboundPolicy");var H0=o(async(e,t,r,n)=>(Wt("policy.inbound.mcp-auth0-oauth"),ua(e,t)),"McpAuth0OAuthInboundPolicy");function G0(e){let t=`https://${e.auth0Domain}/`,r=`https://${e.auth0Domain}/.well-known/jwks.json`,n=`https://${e.auth0Domain}/authorize`,a=`https://${e.auth0Domain}/oauth/token`;return Ui({oidc:{issuer:t,jwksUrl:r,audience:e.audience},browserLogin:{url:n,tokenUrl:a,clientId:e.clientId,clientSecret:e.clientSecret,scope:e.scope??"openid profile email",audience:e.audience,...e.browserLoginOverrides??{}},gateway:e.gateway,devTenantId:e.devTenantId})}o(G0,"buildAuth0McpOAuthRuntimeConfig");var B0={policyType:"mcp-auth0-oauth-inbound",displayName:"MCP OAuth (Auth0)",getConfig(e){return G0(e)}};Ci(B0);var V0=o(async(e,t,r,n)=>(Wt("policy.inbound.mcp-oauth"),ua(e,t)),"McpOAuthInboundPolicy"),F0={policyType:"mcp-oauth-inbound",displayName:"MCP OAuth",getConfig(e){return Ui(e)}};Ci(F0);function Z0(e){let t=At(e.connection.authMode);return{upstreamServerId:e.connection.upstreamServerId,virtualServerId:e.virtualServerId,authProfileId:e.connection.authProfileId,upstreamDisplayName:e.connection.config.displayName,authMode:e.connection.authMode,ownerMode:t.ownerMode}}o(Z0,"buildRouteAuthBaseFromConnection");function hS(e){if(!e.connection.authProfiles[e.authMode])throw g("internal_server_error",`Upstream connection ${e.connection.id} does not declare auth mode ${e.authMode}.`);let r=At(e.authMode);return{upstreamServerId:e.connection.id,virtualServerId:e.virtualServerId,authProfileId:vn(e.connection.id,e.authMode),upstreamDisplayName:e.connection.displayName,authMode:e.authMode,ownerMode:r.ownerMode}}o(hS,"buildRouteAuthBaseFromPolicyOptions");function fS(e,t){let n=st().byVirtualServerId.get(t);if(!n)throw g("unknown_virtual_server",`Unknown virtual server: ${t}`);let a=n.connections.find(i=>i.upstreamServerId===e);if(!a)throw g("virtual_server_upstream_mismatch",`Virtual server ${t} does not bind upstream ${e}.`);return Z0({connection:a,virtualServerId:t})}o(fS,"resolveRouteAuthBase");function mS(e,t){switch(e){case"user":return mr(t.tenantId,t.subjectId);case"tenant_shared":return Hi(t.tenantId)}}o(mS,"buildOwnerForPrincipal");function fs(e,t){switch(e.ownerMode){case"tenant_shared":return{...e,owner:mS(e.ownerMode,t),initiatedBySubjectId:t.subjectId};case"user":return{...e,owner:mS(e.ownerMode,t),initiatedBySubjectId:t.subjectId};case"none":return e}}o(fs,"resolveRouteAuthForPrincipal");function K0(e){let t=Object.keys(e.connection.authProfiles);if(t.length!==1)throw g("internal_server_error",`Upstream policy ${e.policyName} must declare exactly one auth mode; found ${t.length}.`);let r=t[0];if(r===void 0)throw g("internal_server_error",`Upstream policy ${e.policyName} does not declare an auth mode.`);return Ri.parse(r)}o(K0,"readSingleAuthMode");function gS(e){return Tt.parse(e)}o(gS,"buildToolNamePrefixFromConnectionId");async function Bl(e,t,r,n){let a=Ai(r,n),i=K0({policyName:n,connection:a}),s=Rn(t),u=hS({connection:a,virtualServerId:s.virtualServerId,authMode:i});if(u.ownerMode==="none")return Pd(t,{...u,connectionPolicyName:n,toolNamePrefix:gS(a.id)}),e;let d=Tg(t);return d.tenantId?(Pd(t,{...fs(u,d),connectionPolicyName:n,toolNamePrefix:gS(a.id)}),e):Ze(e,t,{code:"forbidden",detail:"Upstream credentials for this virtual server require an authenticated tenant.",headers:{"WWW-Authenticate":An({virtualServerId:s.virtualServerId,requestUrl:e.url,error:"insufficient_scope",errorDescription:"The access token is missing tenant context required by this virtual server.",scope:ce})}})}o(Bl,"mcpUpstreamConnectionPolicy");var W0=o(async(e,t,r,n)=>(Wt("policy.inbound.mcp-upstream-connection"),Bl(e,t,r,n)),"McpUpstreamConnectionInboundPolicy");Y();Y();var _S="application/json",J0="application/x-www-form-urlencoded";function Y0(e){return(e??"").split(";")[0]?.trim().toLowerCase()??""}o(Y0,"normalizeContentType");function X0(e,t){return e===t?!0:t===_S&&e.endsWith("+json")}o(X0,"contentTypeMatches");function Q0(e,t){if(!t||t.length===0)return;let r=Y0(e.headers.get("content-type"));if(!t.some(n=>X0(r,n)))throw g("invalid_request",`Request body must be ${t.join(" or ")}.`)}o(Q0,"assertExpectedContentType");function ez(e,t,r){let n=e.headers.get("content-length");if(!n)return;let a=Number.parseInt(n,10);if(Number.isFinite(a)&&a>t)throw g("invalid_request",`${r} exceeded the maximum allowed size.`)}o(ez,"assertContentLengthWithinLimit");async function yS(e,t){let r=t.label??"Request body";Q0(e,t.expectedContentTypes),ez(e,t.maxBytes,r);let n=await is(e.body,{maxBytes:t.maxBytes,createLimitError:o(()=>g("invalid_request",`${r} exceeded the maximum allowed size.`),"createLimitError")});return new TextDecoder().decode(n)}o(yS,"readBoundedTextBody");async function SS(e,t){let r=await yS(e,{...t,expectedContentTypes:[_S]});try{return JSON.parse(r)}catch(n){throw g("invalid_request","Request body must be valid JSON.",n)}}o(SS,"readBoundedJsonBody");async function gs(e,t){let r=await yS(e,{...t,expectedContentTypes:[J0]});return new URLSearchParams(r)}o(gs,"readBoundedFormUrlEncodedBody");var wS=Symbol("Html");function tz(e){return e.replaceAll("&","&amp;").replaceAll("<","&lt;").replaceAll(">","&gt;").replaceAll('"',"&quot;").replaceAll("'","&#39;")}o(tz,"escapeHtml");function rz(e){return e===null||typeof e!="object"?!1:e[wS]===!0}o(rz,"isHtml");function vS(e){return e==null||e===!1?"":Array.isArray(e)?e.map(vS).join(""):rz(e)?e.value:tz(String(e))}o(vS,"renderValue");function yt(e){return{[wS]:!0,value:e}}o(yt,"trustedHtml");var ye=yt("");function x(e,...t){let r=e[0]??"";for(let n=0;n<t.length;n+=1)r+=vS(t[n]),r+=e[n+1]??"";return yt(r)}o(x,"html");function Zt(e){return e.value}o(Zt,"renderHtml");var nz="text/html; charset=utf-8";function RS(e,t=200){return new Response(Zt(e),{status:t,headers:{"content-type":nz,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"}})}o(RS,"apiKeyLoginHtmlResponse");function Vl(e=401){return RS(x`<!doctype html><html><head><title>Login failed</title></head><body><main><h1>Login failed</h1><p>The API key could not be verified. Start the authorization flow again.</p></main></body></html>`,e)}o(Vl,"apiKeyLoginFailureResponse");function bS(e){return RS(x`<!doctype html><html><head><title>API key login</title></head><body><main><h1>API key login</h1><form method="post" action="/oauth/api-key-login" autocomplete="off"><input type="hidden" name="state" value="${e}"><label for="apiKey">API key</label><input id="apiKey" name="apiKey" type="password" required autocomplete="off"><button type="submit">Continue</button></form></main></body></html>`)}o(bS,"renderApiKeyLoginForm");Y();Y();import{errors as zS,jwtVerify as NS,SignJWT as DS}from"jose";Y();import{errors as hz,jwtVerify as fz,SignJWT as gz}from"jose";function Sr(e){let t=ve().browserLogin[e];if(typeof t=="string"&&t.length>0)return t;throw g("internal_server_error",`browserLogin.${e} is required for federated browser login. Set it on the mcp-oauth-inbound policy options.`)}o(Sr,"requireBrowserLoginField");function _s(e){if(!e.tenantId)throw g("identity_context_missing","Gateway OAuth browser login requires a tenant-scoped principal.");return{...e,tenantId:e.tenantId}}o(_s,"requireTenantScopedBrowserPrincipal");Y();import{createRemoteJWKSet as oz,errors as da,jwtVerify as az}from"jose";var iz=c.object({id_token:c.string().min(1),token_type:c.string().min(1).optional(),expires_in:c.number().optional(),access_token:c.string().min(1).optional(),refresh_token:c.string().min(1).optional(),scope:c.string().min(1).optional()}),sz=c.object({error:c.string().min(1).optional(),error_description:c.string().min(1).optional(),error_uri:c.string().min(1).optional()});function cz(e){let t=sz.safeParse(e);if(!t.success)return{};let r={};return t.data.error!==void 0&&(r.idpError=t.data.error),t.data.error_description!==void 0&&(r.idpErrorDescription=t.data.error_description.slice(0,256)),t.data.error_uri!==void 0&&(r.idpErrorUri=t.data.error_uri.slice(0,256)),r}o(cz,"readIdpErrorFields");function uz(e){return e instanceof da.JWTExpired?"expired":e instanceof da.JWTClaimValidationFailed?"claim":e instanceof da.JWSSignatureVerificationFailed?"signature":e instanceof da.JWKSNoMatchingKey?"jwks_no_match":e instanceof da.JWTInvalid?"invalid":e instanceof c.ZodError?"schema":"other"}o(uz,"readJwtFailureKind");var dz=c.object({sub:X,nonce:c.string().min(1)}).catchall(c.unknown()),Fl;function lz(e){return e instanceof Error&&"cause"in e?e.cause:e}o(lz,"readErrorCause");function pz(e){if(e!==null&&typeof e=="object"&&"extensionMembers"in e)return e.extensionMembers?.gatewayCode}o(pz,"readRuntimeGatewayCode");function mz(){if(!Fl){let e=ve();Fl=oz(new URL(e.oidc.jwksUrl),{timeoutDuration:e.browserLogin.remoteTimeoutMs})}return Fl}o(mz,"readFederatedJwks");async function CS(e){let t=ve(),r=Sr("tokenUrl"),n=Sr("clientId"),a=Sr("clientSecret"),i=new URL("/oauth/callback",gt(e.requestUrl)).toString(),s=new URLSearchParams({grant_type:"authorization_code",code:e.code,redirect_uri:i,client_id:n,client_secret:a});try{let{response:u,json:d}=await Py(r,{method:"POST",headers:{accept:"application/json","content-type":"application/x-www-form-urlencoded"},body:s},{maxResponseBytes:32768,problemCode:"browser_login_verification_failed",timeoutMs:t.browserLogin.remoteTimeoutMs,...e.context===void 0?{}:{context:e.context}});if(!u.ok){let f=cz(d);throw e.context?.log.warn({event:"federated_token_exchange_failed",code:"provider_access_denied",idpHost:it(r),idpStatus:u.status,...f},"Federated browser login token exchange returned non-2xx from the identity provider"),g({code:"provider_access_denied",privateDetail:"Federated browser login token exchange failed.",cause:new Error(`IdP token exchange failed (status=${u.status}${f.idpError?` idp_error=${f.idpError}`:""}${f.idpErrorDescription?` idp_error_description=${f.idpErrorDescription}`:""})`)})}let l=iz.parse(d),p;try{({payload:p}=await az(l.id_token,mz(),{issuer:t.oidc.issuer,audience:n}))}catch(f){let _={};throw Ae(_,"error",f),e.context?.log.warn({event:"federated_id_token_verification_failed",code:"browser_login_verification_failed",failureKind:uz(f),idpHost:it(r),expectedIssuer:t.oidc.issuer,..._},"Federated id_token failed jose verification"),f}if(p.nonce!==e.nonce)throw e.context?.log.warn({event:"federated_nonce_mismatch",code:"oauth_callback_mismatch",idpHost:it(r),nonceMissingFromIdToken:p.nonce===void 0},"Federated id_token nonce did not match the signed gateway state"),g("oauth_callback_mismatch","Federated browser login nonce did not match the signed gateway state.");let m=dz.parse(p);return _s(Tn({sub:m.sub,data:m},e.requestUrl))}catch(u){let d=de(u)??pz(u);throw d!==void 0&&d!=="browser_login_verification_failed"?u:g("browser_login_verification_failed","Federated browser login callback could not be verified.",lz(u))}}o(CS,"exchangeFederatedAuthorizationCode");var Kl="zuplo_mcp_session",IS="HS256",TS="zuplo-mcp-gateway",AS="zuplo-mcp-gateway",_z=c.object({purpose:c.literal("gateway_browser_session"),sub:X,tenantId:ue,browserLoginOrigin:c.string().min(1),roles:c.array(c.string().min(1)).optional(),exp:c.number().int().positive(),iat:c.number().int().positive().optional()});function yz(e){let t=new Map;if(!e)return t;for(let r of e.split(";")){let n=r.indexOf("=");if(n<0)continue;let a=r.slice(0,n).trim(),i=r.slice(n+1).trim();if(a)try{t.set(a,decodeURIComponent(i))}catch{t.set(a,i)}}return t}o(yz,"parseCookieHeader");async function kS(){return kt({purpose:"browser-session",envVar:"OAUTH_STATE_SIGNING_KEY",derive:o(e=>fr(e,"browser-session"),"derive")})}o(kS,"getBrowserSessionKey");function Zl(e){let t=new URL(re(e)),r=[`${Kl}=`,"Path=/","HttpOnly","SameSite=Lax","Max-Age=0"];return t.protocol==="https:"&&r.push("Secure"),r.join("; ")}o(Zl,"buildBrowserSessionEvictionCookie");function Sz(e){let t=new URL(re(e.requestUrl)),r=[`${Kl}=${encodeURIComponent(e.value)}`,"Path=/","HttpOnly","SameSite=Lax",`Max-Age=${e.ttlSeconds}`];return t.protocol==="https:"&&r.push("Secure"),r.join("; ")}o(Sz,"serializeSessionCookie");function PS(e={}){return new URL(Sr("url")).origin}o(PS,"readBrowserLoginOrigin");function Wl(){return ve().browserLogin.stateTtlSeconds}o(Wl,"readBrowserLoginStateTtlSeconds");function ES(e){if(!e.user)throw g("authentication_required","The browser login callback did not include an authenticated Zuplo principal.");return _s(Tn(e.user,e.url))}o(ES,"resolveCurrentRequestPrincipal");async function ys(e,t={}){let r=yz(e.headers.get("cookie")).get(Kl);if(!r)return{};try{let{payload:n}=await fz(r,await kS(),{algorithms:[IS],issuer:TS,audience:AS}),a=_z.parse(n);if(a.browserLoginOrigin!==PS(t))return{evictCookie:Zl(e.url)};let i={subjectId:a.sub,tenantId:a.tenantId};return a.roles&&a.roles.length>0&&(i.roles=a.roles),{principal:i}}catch(n){return n instanceof hz.JWTExpired?{evictCookie:Zl(e.url)}:(t.context?.log.warn({event:"browser_session_verification_failed",errorName:n instanceof Error?n.name:"unknown",errorMessage:n instanceof Error?n.message:"verification failed"},"Browser session JWT verification failed"),{evictCookie:Zl(e.url)})}}o(ys,"readBrowserSession");async function la(e){let t=ve().browserLogin.sessionTtlSeconds,r={purpose:"gateway_browser_session",sub:e.principal.subjectId,tenantId:e.principal.tenantId,browserLoginOrigin:PS({virtualServerId:e.virtualServerId})};e.principal.roles&&(r.roles=e.principal.roles);let n=await new gz(r).setProtectedHeader({alg:IS,typ:"JWT"}).setIssuer(TS).setAudience(AS).setIssuedAt().setExpirationTime(Math.floor(Date.now()/1e3)+t).sign(await kS());return Sz({value:n,requestUrl:e.requestUrl,ttlSeconds:t})}o(la,"createBrowserSessionCookie");async function xS(e){throw g("forbidden","API-key browser login is not supported in this gateway.")}o(xS,"resolveApiKeyBrowserLoginPrincipal");async function OS(e){let t={};e.context!==void 0&&(t.context=e.context);let r=await ys(e.request,t);if(r.principal)return r.principal;let n=typeof e.request.query.code=="string"?e.request.query.code:void 0;if(!n)throw g("oauth_callback_mismatch","Federated browser login callback is missing an authorization code.");return CS({code:n,nonce:e.stateId,requestUrl:e.request.url,...e.context===void 0?{}:{context:e.context}})}o(OS,"resolveBrowserLoginCallbackPrincipal");function US(e){let t=ve().browserLogin,r=new URL(Sr("url")),n=new URL("/oauth/callback",gt(e.requestUrl));return yg(r)?(r.searchParams.set("redirect_uri",n.toString()),r.searchParams.set("state",e.state),r):(r.searchParams.set("response_type","code"),r.searchParams.set("client_id",Sr("clientId")),r.searchParams.set("redirect_uri",n.toString()),r.searchParams.set("scope",t.scope),r.searchParams.set("state",e.state),r.searchParams.set("nonce",e.nonce),t.audience&&r.searchParams.set("audience",t.audience),r)}o(US,"buildBrowserLoginUrl");var MS=5*60,wz=["mcp_user"],Ss="HS256",ws="zuplo-mcp-gateway",vs="zuplo-mcp-gateway",vz=c.object({purpose:c.literal("gateway_browser_login"),transactionId:je,stateId:Di,exp:c.number().int().positive(),iat:c.number().int().positive().optional()}),Rz=c.object({purpose:c.literal("gateway_authorization_setup"),transactionId:je,stateId:Di,exp:c.number().int().positive(),iat:c.number().int().positive().optional()});async function qS(){return kt({purpose:"browser-login",envVar:"OAUTH_STATE_SIGNING_KEY",derive:o(e=>fr(e,"browser-login"),"derive")})}o(qS,"getBrowserLoginKey");async function $S(){return kt({purpose:"authorization-csrf",envVar:"OAUTH_STATE_SIGNING_KEY",derive:o(e=>fr(e,"authorization-csrf"),"derive")})}o($S,"getCsrfKey");function bz(e){return[...new Set([...wz,...e.roles??[]])]}o(bz,"buildRoles");function LS(e){return{repository:e.repository??q().downstreamOAuthRepository,now:e.now??new Date,ttlSeconds:Wl()}}o(LS,"readPendingTransactionDependencies");function Cz(e,t){return e.subjectId===t.subjectId&&e.tenantId===t.tenantId}o(Cz,"principalsMatch");function jS(e){return{subjectId:e.subjectId,tenantId:e.tenantId,...e.roles===void 0?{}:{roles:e.roles}}}o(jS,"toPendingPrincipal");function HS(e){let t={id:e.id,currentStateHash:e.currentStateHash,clientId:e.transaction.clientId,redirectUri:e.transaction.redirectUri,resource:e.transaction.resource,virtualServerId:e.transaction.virtualServerId,scope:e.transaction.scope,codeChallenge:e.transaction.codeChallenge,codeChallengeMethod:e.transaction.codeChallengeMethod,createdAt:O(e.now),expiresAt:O(ft(e.now,e.ttlSeconds)),...e.transaction.clientState===void 0?{}:{clientState:e.transaction.clientState}};if(e.phase==="awaiting_login")return{...t,phase:"awaiting_login"};if(!e.principal)throw g("identity_context_missing","Authorization setup requires a principal.");return{...t,phase:"awaiting_setup",principal:jS(e.principal)}}o(HS,"createTransactionRecord");async function GS(e){if((await e.repository.savePendingAuthorizationTransaction(e.record,e.client===void 0?void 0:{client:e.client})).kind==="already_exists")throw g("oauth_state_reused","Authorization transaction state already exists.")}o(GS,"savePendingTransaction");async function Iz(e){return new DS({purpose:"gateway_browser_login",transactionId:e.transactionId,stateId:e.stateId}).setProtectedHeader({alg:Ss,typ:"JWT"}).setIssuer(ws).setAudience(vs).setIssuedAt().setExpirationTime(Math.floor(Date.now()/1e3)+e.ttlSeconds).sign(await qS())}o(Iz,"signBrowserLoginState");async function BS(e){return new DS({purpose:"gateway_authorization_setup",transactionId:e.transactionId,stateId:Nd()}).setProtectedHeader({alg:Ss,typ:"JWT"}).setIssuer(ws).setAudience(vs).setIssuedAt().setExpirationTime(Math.floor(Date.now()/1e3)+e.ttlSeconds).sign(await $S())}o(BS,"signCsrfToken");async function Rs(e){try{let{payload:t}=await NS(e,await qS(),{algorithms:[Ss],issuer:ws,audience:vs}),r=vz.parse(t);return{transactionId:r.transactionId,stateId:r.stateId}}catch(t){throw t instanceof zS.JWTExpired?g("oauth_state_expired","Browser login state has expired.",t):g("oauth_state_invalid","Browser login state could not be verified.",t)}}o(Rs,"verifyBrowserLoginStateToken");async function Tz(e){try{let{payload:t}=await NS(e,await $S(),{algorithms:[Ss],issuer:ws,audience:vs});return{transactionId:Rz.parse(t).transactionId}}catch(t){throw t instanceof zS.JWTExpired?g("oauth_state_expired","Authorization setup state has expired.",t):g("oauth_state_invalid","Authorization setup state could not be verified.",t)}}o(Tz,"verifyCsrfToken");function pa(e){return e==="consumed"||e==="consumed_already"||e==="stale_hash"?"oauth_state_reused":e==="expired"?"oauth_state_expired":"oauth_state_invalid"}o(pa,"pendingStateErrorCode");function VS(e){return e==="principal_mismatch"?"oauth_callback_mismatch":pa(e==="consumed_already"?"consumed_already":e)}o(VS,"setupDecisionErrorCode");function Az(e){if(e.kind!=="available")throw g(pa(e.kind),"Authorization setup state is invalid, expired, or already used.");if(e.record.phase!=="awaiting_setup")throw g("oauth_state_invalid","Authorization setup state is not in the setup phase.");return e.record}o(Az,"requireAwaitingSetup");function kz(e){if(e.kind!=="available")throw g(pa(e.kind),"Browser login state is invalid, expired, or already used.");if(e.record.phase!=="awaiting_login")throw g("oauth_state_invalid","Browser login state is not in the login phase.");return e.record}o(kz,"requireAwaitingLogin");function Pz(e){if(!Cz(e.currentBrowserPrincipal,e.transaction.principal))throw g("oauth_callback_mismatch","Authorization setup state does not match the current browser session.")}o(Pz,"requireCurrentPrincipalMatches");function FS(e){return typeof e.decideAuthorizationSetup=="function"}o(FS,"hasRuntimeHttpAuthorizationDecision");async function ZS(e){let t=e.repository??q().downstreamOAuthRepository,r=e.now??new Date,n=Wl(),a=zd(),i=Nd(),s=await Iz({transactionId:a,stateId:i,ttlSeconds:n}),u=HS({id:a,transaction:e.transaction,currentStateHash:await F(s),phase:"awaiting_login",now:r,ttlSeconds:n});if(u.phase!=="awaiting_login")throw g("oauth_state_invalid","Authorization transaction did not start in login phase.");return await GS({repository:t,record:u,client:e.transaction.client}),{transaction:u,browserLoginStateToken:s,browserLoginUrl:US({state:s,nonce:i,virtualServerId:u.virtualServerId,requestUrl:e.requestUrl})}}o(ZS,"startAwaitingLogin");async function KS(e){let{repository:t,now:r,ttlSeconds:n}=LS(e),a=zd(),i=await BS({transactionId:a,ttlSeconds:n}),s=HS({id:a,transaction:e.transaction,currentStateHash:await F(i),phase:"awaiting_setup",principal:e.principal,now:r,ttlSeconds:n});if(s.phase!=="awaiting_setup")throw g("oauth_state_invalid","Authorization transaction did not start in setup phase.");return await GS({repository:t,record:s,client:e.transaction.client}),{transaction:s,csrfToken:i}}o(KS,"startAwaitingSetup");async function Jl(e){let{repository:t,now:r,ttlSeconds:n}=LS(e),a=await Rs(e.browserLoginStateToken),i=await BS({transactionId:a.transactionId,ttlSeconds:n}),s=await t.advancePendingAuthorizationTransaction({id:a.transactionId,expectedPhase:"awaiting_login",currentStateHash:await F(e.browserLoginStateToken),nextStateHash:await F(i),nextPhase:"awaiting_setup",principal:jS(e.principal),now:r});if(s.kind!=="advanced")throw g(pa(s.kind),"Browser login state is invalid, expired, or already used.");if(s.record.phase!=="awaiting_setup")throw g("oauth_state_invalid","Browser login did not advance to setup.");return{transaction:s.record,csrfToken:i}}o(Jl,"completeLogin");async function WS(e){let t=e.repository??q().downstreamOAuthRepository,r=e.now??new Date,n=await Rs(e.browserLoginStateToken);return kz(await t.getPendingAuthorizationTransaction({id:n.transactionId,currentStateHash:await F(e.browserLoginStateToken),now:r}))}o(WS,"getAwaitingLogin");async function ma(e){let t=await Yl(e);return Pz({transaction:t,currentBrowserPrincipal:e.currentBrowserPrincipal}),t}o(ma,"getSetup");async function Yl(e){let t=e.repository??q().downstreamOAuthRepository,r=e.now??new Date,n=await Tz(e.csrfToken);return Az(await t.getPendingAuthorizationTransaction({id:n.transactionId,currentStateHash:await F(e.csrfToken),now:r}))}o(Yl,"getSetupTransaction");async function Ez(e){let t=Ke(),r=await F(t),n=Dd(),a=O(ft(e.now,MS)),i={id:e.transaction.id,clientId:e.transaction.clientId,redirectUri:e.transaction.redirectUri,resource:e.transaction.resource,virtualServerId:e.transaction.virtualServerId,tenantId:e.transaction.principal.tenantId,subjectId:e.transaction.principal.subjectId,scope:e.transaction.scope,roles:bz(e.transaction.principal),codeChallenge:e.transaction.codeChallenge,codeChallengeMethod:e.transaction.codeChallengeMethod,createdAt:O(e.now),expiresAt:a};await e.repository.issueAuthorizationCode({...i,codeHash:r,grantId:n});let s=new URL(e.transaction.redirectUri);return s.searchParams.set("code",t),e.transaction.clientState&&s.searchParams.set("state",e.transaction.clientState),s}o(Ez,"createAuthorizationCodeRedirect");async function xz(e){let t=await ma({csrfToken:e.csrfToken,currentBrowserPrincipal:e.currentBrowserPrincipal,now:e.now,repository:e.repository}),r=Ke(),n=O(ft(e.now,MS)),a=await e.repository.decideAuthorizationSetup({decision:"approve",transactionId:t.id,currentStateHash:await F(e.csrfToken),currentPrincipal:{tenantId:e.currentBrowserPrincipal.tenantId,subjectId:e.currentBrowserPrincipal.subjectId},authorizationCodeHash:await F(r),authorizationCodeExpiresAt:n,grantId:Dd(),now:O(e.now)});if(a.kind!=="approved")throw g(a.kind==="cancelled"?"oauth_state_invalid":VS(a.kind),"Authorization setup state is invalid, expired, or already used.");let i=new URL(a.transaction.redirectUri);return i.searchParams.set("code",r),a.transaction.clientState&&i.searchParams.set("state",a.transaction.clientState),i}o(xz,"createAuthorizationCodeRedirectWithDecision");async function Oz(e){let t=await ma({csrfToken:e.csrfToken,currentBrowserPrincipal:e.currentBrowserPrincipal,now:e.now,repository:e.repository}),r=await e.repository.decideAuthorizationSetup({decision:"cancel",transactionId:t.id,currentStateHash:await F(e.csrfToken),currentPrincipal:{tenantId:e.currentBrowserPrincipal.tenantId,subjectId:e.currentBrowserPrincipal.subjectId},now:O(e.now)});if(r.kind!=="cancelled")throw g(r.kind==="approved"?"oauth_state_invalid":VS(r.kind),"Authorization setup state is invalid, expired, or already used.");return JS({redirectUri:r.transaction.redirectUri,clientState:r.transaction.clientState})}o(Oz,"createCancelRedirectWithDecision");function JS(e){let t=new URL(e.redirectUri);return t.searchParams.set("error","access_denied"),t.searchParams.set("error_description","The user cancelled the MCP authorization request."),e.clientState!==void 0&&t.searchParams.set("state",e.clientState),t}o(JS,"buildClientCancelRedirect");async function Uz(e){let t=await ma(e),r=await e.repository.consumePendingAuthorizationTransaction({id:t.id,currentStateHash:await F(e.csrfToken),now:e.now});if(r.kind!=="consumed")throw g(pa(r.kind),"Authorization setup state is invalid, expired, or already used.");if(r.record.phase!=="awaiting_setup")throw g("oauth_state_invalid","Authorization setup state is not in the setup phase.");return r.record}o(Uz,"consumeSetup");async function YS(e){let t=e.repository??q().downstreamOAuthRepository,r=e.now??new Date;return{repository:t,now:r,transaction:await Uz({csrfToken:e.csrfToken,currentBrowserPrincipal:e.currentBrowserPrincipal,now:r,repository:t})}}o(YS,"consumeSetupForDecision");async function XS(e){let t=e.repository??q().downstreamOAuthRepository,r=e.now??new Date;if(FS(t))return xz({csrfToken:e.csrfToken,currentBrowserPrincipal:e.currentBrowserPrincipal,now:r,repository:t});let n=await YS(e);return Ez({repository:n.repository,transaction:n.transaction,now:n.now})}o(XS,"approve");async function QS(e){let t=e.repository??q().downstreamOAuthRepository,r=e.now??new Date;if(FS(t))return Oz({csrfToken:e.csrfToken,currentBrowserPrincipal:e.currentBrowserPrincipal,now:r,repository:t});let{transaction:n}=await YS(e);return JS({redirectUri:n.redirectUri,clientState:n.clientState})}o(QS,"cancel");Y();var zz=1e4,Nz=5*1024,Dz=2,Mz=90*24*60*60,Xl=["authorization_code","refresh_token"],Ql=["code"],qz=c.object({client_name:c.string().min(1).optional(),redirect_uris:c.array(c.string().min(1)).min(1),grant_types:c.array(c.enum(Xl)).min(1).max(2).optional(),response_types:c.array(c.enum(Ql)).min(1).max(1).optional(),scope:c.literal(ce).optional(),token_endpoint_auth_method:qo.default("client_secret_basic")});function $z(e){try{let t=new URL(e);return t.protocol==="https:"&&t.pathname!=="/"}catch{return!1}}o($z,"isCimdClientIdCandidate");function jn(e,t="invalid_request"){if(Lz(e))throw new U(t,"redirect_uris must not include raw whitespace or control characters.");let r;try{r=new URL(e)}catch{throw new U(t,"redirect_uris must be absolute URIs.")}if(r.hash||r.username||r.password)throw new U(t,"redirect_uris must not include credentials or fragments.");if(!(r.protocol==="https:"||Le(r)))throw new U(t,"redirect_uris must use HTTPS except loopback HTTP redirects for local clients.")}o(jn,"assertValidRedirectUri");function Lz(e){for(let t=0;t<e.length;t+=1){let r=e.charCodeAt(t);if(r<=32||r>=127&&r<=159)return!0}return!1}o(Lz,"hasForbiddenRawRedirectUriCharacter");async function jz(e){let{response:t,json:r}=await Ey(e.initialUrl,{headers:{accept:"application/json"}},{maxRedirects:Dz,maxResponseBytes:Nz,timeoutMs:zz});if(!t.ok)throw g("invalid_request","CIMD metadata could not be fetched.");let n=gg.parse(r);if(n.client_id!==e.clientId)throw g("invalid_request","Fetched CIMD client_id must exactly match the requested client_id.");if(n.token_endpoint_auth_method!=="none")throw g("invalid_request","CIMD clients must use token_endpoint_auth_method none until private_key_jwt is implemented.");return n}o(jz,"fetchCimdMetadata");async function Hz(e){let t=as(e),r=await jz({clientId:e,initialUrl:t});return{kind:"cimd",clientId:e,metadata:r}}o(Hz,"resolveCimdClient");async function ha(e,t,r){let n=le.parse(t);if($z(n)){if(!ve().gateway.cimdEnabled)throw new U("invalid_client","OAuth client is not registered.");try{return await Hz(n)}catch{throw new U("invalid_client","OAuth client is not registered.")}}let a=await e.getDcrClient(n);if(a){let i={kind:"dcr",clientId:n,metadata:{client_id:a.clientId,client_name:a.clientName,redirect_uris:a.redirectUris,token_endpoint_auth_method:a.tokenEndpointAuthMethod}};return a.hashedClientSecret&&(i.hashedClientSecret=a.hashedClientSecret),i}throw new U("invalid_client",n.startsWith("dcr:")?"Dynamic client is not registered. Re-run client registration before authorization.":"OAuth client is not registered.")}o(ha,"resolveClient");function bs(e,t){if(!e.metadata.redirect_uris.some(r=>qi(r,t)))throw g("invalid_request","redirect_uri is not registered for the client.")}o(bs,"assertRedirectRegistered");function Gz(e){let t=ew(e.grant_types),r=e.response_types??[...Ql];if(!Bz(t))throw new U("invalid_client_metadata","grant_types must be a subset of authorization_code and refresh_token.");if(!Vz(r))throw new U("invalid_client_metadata","response_types must be code.");if(!Fz(e.scope))throw new U("invalid_client_metadata",`Only the ${ce} scope is supported.`)}o(Gz,"assertSupportedDcrRequest");function ew(e){return e===void 0?[...Xl]:Array.from(new Set(e))}o(ew,"normalizeGrantTypes");function Bz(e){return e.length===0?!1:e.every(t=>Xl.includes(t))}o(Bz,"isSupportedGrantTypes");function Vz(e){return e.length===Ql.length&&e[0]==="code"}o(Vz,"isSupportedResponseTypes");function Fz(e){return e===void 0||e===ce}o(Fz,"isSupportedDcrScope");function Vr(e){if(e===void 0||e===ce)return ce;throw new U("invalid_request",`Only the ${ce} scope is supported.`)}o(Vr,"assertSupportedOAuthScope");function Pt(e,t){let r;try{r=new URL(t)}catch{throw new U("invalid_target","resource must be an absolute URI.")}if(r.hash)throw new U("invalid_target","resource must not include a fragment.");if(r.protocol!=="https:"&&!Le(r))throw new U("invalid_target","resource must use HTTPS except loopback HTTP resources in local development.");let n=re(e),a=Xf(),i=a?[...a.byVirtualServerId.values()].find(s=>new URL(s.routePath,n).toString()===t):void 0;if(!i)throw new U("invalid_target","resource must match a published virtual MCP server.");return i}o(Pt,"resolveResource");async function tw(e,t={}){let r=Zz(t)?{repository:t}:t,n;try{n=qz.parse(e)}catch(f){if(f instanceof c.ZodError){let _=f.issues.some(S=>S.path[0]==="redirect_uris");throw new U(_?"invalid_redirect_uri":"invalid_client_metadata",f.issues[0]?.message??"Client metadata is invalid.",void 0,{cause:f})}throw f}Gz(n);for(let f of n.redirect_uris)jn(f,"invalid_redirect_uri");let a=r.repository??q().downstreamOAuthRepository,i=new Date,s=le.parse(`dcr:${crypto.randomUUID()}`),u=ft(i,Mz),d=Math.floor(i.getTime()/1e3),l=Math.floor(u.getTime()/1e3),p={client_id:s,client_name:n.client_name??"Dynamically registered MCP client",redirect_uris:n.redirect_uris,grant_types:ew(n.grant_types),response_types:["code"],scope:ce,token_endpoint_auth_method:n.token_endpoint_auth_method,client_id_issued_at:d},m={clientId:s,clientName:String(p.client_name),redirectUris:n.redirect_uris,tokenEndpointAuthMethod:n.token_endpoint_auth_method,createdAt:O(i),clientExpiresAt:O(u)};if(n.token_endpoint_auth_method!=="none"){let f=Ke();m.hashedClientSecret=await F(f),m.clientSecretExpiresAt=O(u),p.client_secret=f,p.client_secret_expires_at=l,p.client_secret_issued_at=d}return await a.saveDcrClient(m),p}o(tw,"registerDownstreamClient");function Zz(e){return typeof e.getDcrClient=="function"}o(Zz,"isOAuthRepository");var Kz=8;function tp(e){let t=e.trim();try{let r=new URL(t);if(r.protocol==="https:")return r.toString()}catch{}if(/^data:image\/(?:png|jpe?g|webp);/i.test(t))return t}o(tp,"safeIconSrc");function Wz(e,t){if(e)try{let r=new URL(t).origin,n=new URL(e,r);return n.origin!==r||!n.pathname.startsWith("/auth/connections/")?void 0:n.toString()}catch{return}}o(Wz,"safeGatewayConnectHref");function Jz(e){if(e==="any")return Number.POSITIVE_INFINITY;let t=/^(\d+)x(\d+)$/.exec(e);return t?Math.max(Number(t[1]),Number(t[2])):0}o(Jz,"parseIconSize");function Yz(e,t){let r=e.filter(a=>a.theme===t);if(r.length>0)return r;let n=e.filter(a=>a.theme===void 0);return n.length>0?n:e}o(Yz,"selectIconCandidates");function Xz(e){return tp(e.src)?e.sizes&&e.sizes.length>0?Math.max(...e.sizes.map(Jz)):0:-1}o(Xz,"readIconScore");function ow(e,t){if(!e||e.length===0)return;let r=Yz(e,t),n,a=-1;for(let i of r){let s=Xz(i);s>a&&(n=i,a=s)}return n}o(ow,"pickIcon");var Qz='<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.6" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><rect x="3" y="4" width="18" height="7" rx="1.5"/><rect x="3" y="13" width="18" height="7" rx="1.5"/><circle cx="7" cy="7.5" r=".75" fill="currentColor" stroke="none"/><circle cx="7" cy="16.5" r=".75" fill="currentColor" stroke="none"/></svg>',rw=yt(Qz),eN=yt('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="16" height="16" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M7.13 2.46 1.39 12.5a1 1 0 0 0 .87 1.5h11.48a1 1 0 0 0 .87-1.5L8.87 2.46a1 1 0 0 0-1.74 0Z"/><line x1="8" y1="6" x2="8" y2="9.4"/><circle cx="8" cy="11.4" r=".7" fill="currentColor" stroke="none"/></svg>'),tN=yt('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="16" height="16" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><circle cx="8" cy="8" r="6.5"/><line x1="8" y1="4.6" x2="8" y2="8.4"/><circle cx="8" cy="11" r=".7" fill="currentColor" stroke="none"/></svg>'),aw=yt('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="14" height="14" fill="none" stroke="currentColor" stroke-width="1.8" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M4 6.5l4 4 4-4"/></svg>'),nw=yt('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="14" height="14" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M8 1.5 2.5 3.5v4.2c0 3.4 2.4 5.6 5.5 6.8 3.1-1.2 5.5-3.4 5.5-6.8V3.5L8 1.5Z"/><path d="m5.8 8.2 1.6 1.6 3-3"/></svg>');function rN(e,t){let r=ow(e,"light");if(!r)return x`<span class="icon-frame icon-frame--fallback" aria-hidden="true">${rw}</span>`;let n=tp(r.src);return n?x`<span class="icon-frame"><img src="${n}" alt="${t}" loading="lazy" decoding="async"></span>`:x`<span class="icon-frame icon-frame--fallback" aria-hidden="true">${rw}</span>`}o(rN,"renderIconFrame");function Is(e,t){let r=ow(e,"light");if(!r)return ye;let n=tp(r.src);return n?x`<img class="inline-icon" src="${n}" alt="${t}" loading="lazy" decoding="async">`:ye}o(Is,"renderInlineIcon");function nN(e){switch(e){case"user":return"your account";case"tenant_shared":return"shared by your team";case"none":return"gateway-managed"}}o(nN,"ownerModeLabel");function oN(e){return e.endsWith("_oauth")||e==="oauth"?"OAuth":e.includes("static_secret")?"static credential":e.replaceAll("_"," ")}o(oN,"authModeLabel");function aN(e){switch(e){case"active":return x`<span class="status-badge status-badge--success">Connected</span>`;case"not_connected":return x`<span class="status-badge status-badge--neutral">Not connected</span>`;case"reconsent_required":return x`<span class="status-badge status-badge--warning">Reconnect required</span>`}}o(aN,"statusBadge");function iN(e){if(!e)return ye;let t=[];return e.destructiveHint&&t.push(x`<span class="badge badge--destructive" title="This tool may modify or delete data on your behalf.">destructive</span>`),e.readOnlyHint&&t.push(x`<span class="badge badge--muted" title="This tool only reads data and does not modify state.">read-only</span>`),e.openWorldHint&&t.push(x`<span class="badge badge--muted" title="This tool can access arbitrary URIs supplied at call time.">open-world</span>`),t.length>0?x`<span class="badge-row">${t}</span>`:ye}o(iN,"annotationBadges");function iw(e){let t=0,r=0;for(let n of e.tools)n.annotations?.destructiveHint===!0&&(t+=1),n.annotations?.readOnlyHint===!0&&(r+=1);return{tools:e.tools.length,prompts:e.prompts.length,resources:e.resources.length,destructiveTools:t,readOnlyTools:r}}o(iw,"summarizeCapabilities");function sN(e){let t=e.annotations?.title??e.title??e.name,r=e.description?x`<span class="capability-row__description">${e.description}</span>`:ye;return x`<li class="capability-row">${Is(e.icons,t)}<span class="capability-row__name">${t}</span>${iN(e.annotations)}${r}</li>`}o(sN,"renderToolRow");function cN(e){let t=e.title??e.name,r=e.description?x`<span class="capability-row__description">${e.description}</span>`:ye;return x`<li class="capability-row">${Is(e.icons,t)}<span class="capability-row__name">${t}</span>${r}</li>`}o(cN,"renderPromptRow");function uN(e){let t=e.title??e.name,r=e.mimeType===void 0?ye:x` · ${e.mimeType}`,n=e.description===void 0?ye:x` — ${e.description}`,a=x`<span class="capability-row__description"><code>${e.uri}</code>${r}${n}</span>`;return x`<li class="capability-row">${Is(e.icons,t)}<span class="capability-row__name">${t}</span>${a}</li>`}o(uN,"renderResourceRow");function ep(e,t,r,n){if(t===0)return ye;let a=r.slice(0,Kz),i=t-a.length,s=i>0?x`<li class="capability-row capability-row--more">+ ${i} more</li>`:ye;return x`<section class="capability-section"><h4 class="capability-section__title">${e} <span class="muted">(${t})</span></h4><ul class="capability-list">${a.map(n)}${s}</ul></section>`}o(ep,"renderCapabilitySection");function Cs(e,t,r=!1){return r?x`<span class="count-pill count-pill--destructive"><span class="count-pill__num">${t}</span><span class="count-pill__label">${e}</span></span>`:x`<span class="count-pill"><span class="count-pill__num">${t}</span><span class="count-pill__label">${e}</span></span>`}o(Cs,"countPill");function dN(e){let t=iw(e);if(t.tools+t.prompts+t.resources===0)return x`<div class="upstream-card__capabilities upstream-card__capabilities--empty">No tools, prompts, or resources advertised.</div>`;let n=[];t.tools>0&&n.push(Cs(t.tools===1?"tool":"tools",t.tools)),t.prompts>0&&n.push(Cs(t.prompts===1?"prompt":"prompts",t.prompts)),t.resources>0&&n.push(Cs(t.resources===1?"resource":"resources",t.resources)),t.destructiveTools>0&&n.push(Cs("destructive",t.destructiveTools,!0));let a=[ep("Tools",t.tools,e.tools,sN),ep("Prompts",t.prompts,e.prompts,cN),ep("Resources",t.resources,e.resources,uN)];return x`<details class="upstream-card__capabilities"><summary class="capabilities-summary"><span class="capabilities-summary__counts">${n}</span><span class="capabilities-summary__chevron" aria-hidden="true">${aw}</span></summary><div class="capabilities-detail">${a}</div></details>`}o(dN,"renderUpstreamCapabilities");function lN(e){if(!e||e.length===0)return ye;let t=e.map(n=>x`<code class="scope-chip">${n}</code>`),r=e.length===1?"scope":"scopes";return x`<details class="upstream-card__scopes"><summary class="scopes-summary"><span>Requested ${r} <span class="muted">(${e.length})</span></span><span class="capabilities-summary__chevron" aria-hidden="true">${aw}</span></summary><div class="scopes-list">${t}</div></details>`}o(lN,"renderUpstreamScopes");function pN(e,t){if(e.ownerMode!=="user")return ye;let r=Wz(e.connectUrl,t);if(!r)return ye;let n=e.status==="active"?"Redo auth":e.status==="reconsent_required"?"Reconnect":"Connect",a=e.status==="active"?"Reconnect this upstream account or approve updated scopes.":void 0;return x`<a class="button button--secondary button--small" href="${r}"${a===void 0?ye:x` title="${a}"`}>${n}</a>`}o(pN,"renderActionButton");function mN(e,t){let r=pN(e,t);return Zt(r)!==""?r:aN(e.status)}o(mN,"renderUpstreamControl");function hN(e,t){let n=e.ownerMode==="user"&&e.status!=="active"?yt('<article class="upstream-card upstream-card--needs-action">'):yt('<article class="upstream-card">'),a=e.description?x`<p class="upstream-card__description">${e.description}</p>`:ye,i=e.transportHost?x`<code class="upstream-card__host">${e.transportHost}</code><span class="upstream-card__sep" aria-hidden="true">·</span>`:ye,s=x`<div class="upstream-card__head">${rN(e.serverIcons,e.upstreamDisplayName)}<div class="upstream-card__main"><div class="upstream-card__title-row"><h3 class="upstream-card__title">${e.upstreamDisplayName}</h3>${mN(e,t)}</div><div class="upstream-card__meta">${i}<span>${oN(e.authMode)}</span><span class="upstream-card__sep" aria-hidden="true">·</span><span>${nN(e.ownerMode)}</span></div>${a}</div></div>`,u=dN(e.capabilities),d=lN(e.scopesRequested);return x`${n}${s}${u}${d}</article>`}o(hN,"renderUpstreamCard");function fN(e){return e.reduce((t,r)=>{let n=iw(r.capabilities);return t.tools+=n.tools,t.prompts+=n.prompts,t.resources+=n.resources,t.destructiveTools+=n.destructiveTools,t.readOnlyTools+=n.readOnlyTools,t},{tools:0,prompts:0,resources:0,destructiveTools:0,readOnlyTools:0})}o(fN,"aggregateCapabilities");function gN(e){return e.some(r=>r.ownerMode==="user"&&r.status!=="active")?"setup":"grant"}o(gN,"deriveMode");function _N(e){if(e.mode==="setup"){let n=e.upstreams.filter(u=>u.ownerMode==="user"&&u.status!=="active"),a=n.length>0&&n.every(u=>u.status==="reconsent_required"),i=n.length===1?"the service":`the ${n.length} services`,s=a?x`Re-authorize ${i} below to refresh access. Authorization will continue automatically once each is ready.`:x`Connect ${i} below before continuing. Authorization will continue automatically once each is ready.`;return x`<div class="banner banner--warning" role="status"><span class="banner__icon" aria-hidden="true">${eN}</span><div class="banner__body"><p class="banner__title">Setup required</p><p class="banner__message">${s}</p></div></div>`}let t=fN(e.upstreams);if(t.destructiveTools===0)return ye;let r=t.destructiveTools===1?"tool can":"tools can";return x`<div class="banner banner--alert" role="alert"><span class="banner__icon" aria-hidden="true">${tN}</span><div class="banner__body"><p class="banner__title">${t.destructiveTools} ${r} modify or delete data</p><p class="banner__message">Review the destructive tools below before authorizing <strong>${e.clientDisplayName}</strong>.</p></div></div>`}o(_N,"renderBanner");function yN(e){return e.mode==="grant"?x`<form class="actions" method="post" action="/oauth/setup"><input type="hidden" name="state" value="${e.state}"><button class="button button--secondary" type="submit" name="decision" value="cancel" formnovalidate>Cancel</button><button class="button button--primary" type="submit" name="decision" value="approve">Authorize</button></form>`:x`<form class="actions" method="post" action="/oauth/setup"><input type="hidden" name="state" value="${e.state}"><input type="hidden" name="decision" value="continue"><button class="button button--primary" type="submit">Check again</button></form>`}o(yN,"renderActions");var SN=`
814
840
  *,*::before,*::after{box-sizing:border-box}
815
841
  :root{
816
842
  --bg:#ffffff;
@@ -1242,8 +1268,8 @@ details[open] > .scopes-summary .capabilities-summary__chevron{transform:rotate(
1242
1268
  @media (prefers-reduced-motion: reduce){
1243
1269
  *{transition:none!important}
1244
1270
  }
1245
- `,pU=pt(lU);function Al(e){let t=cU(e.upstreams),r=[...e.upstreams].sort((m,h)=>{let _=o(y=>y.ownerMode!=="user"?2:y.status==="active"?1:0,"blockedRank"),w=_(m)-_(h);return w!==0?w:m.upstreamDisplayName.localeCompare(h.upstreamDisplayName)}),n=e.principalLabel?k`<span class="principal" title="Signed in as ${e.principalLabel}">${e.principalLabel}</span>`:me,a=e.virtualServerDescription?k`<p class="hero__description">${e.virtualServerDescription}</p>`:me,s=di(e.virtualServerIcons,e.virtualServerDisplayName),i=uU({mode:t,upstreams:r,clientDisplayName:e.clientDisplayName}),c=r.length===0?k`<div class="empty">This virtual server does not declare any upstream services.</div>`:k`<ul class="upstream-list">${r.map(m=>k`<li>${sU(m,e.gatewayOrigin)}</li>`)}</ul>`,d=dU({mode:t,state:e.state}),p=t==="grant"?k`<p class="fineprint"><span class="fineprint__icon" aria-hidden="true">${qy}</span><span><strong>${e.clientDisplayName}</strong> will receive a token scoped to <strong>${e.virtualServerDisplayName}</strong>. You can revoke access at any time.</span></p>`:k`<p class="fineprint"><span class="fineprint__icon" aria-hidden="true">${qy}</span><span>Authorization continues automatically once every required service is connected.</span></p>`,l=r.length>0?k`<span class="section-label__count">(${r.length})</span>`:me;return Lt(k`<!doctype html><html lang="en"><head><meta charset="utf-8"><title>Authorize MCP access · ${e.virtualServerDisplayName}</title><meta name="viewport" content="width=device-width, initial-scale=1"><meta name="referrer" content="no-referrer"><meta name="robots" content="noindex"><style>${pU}</style></head><body><header class="topbar"><div class="topbar__inner"><div class="brand"><span class="brand__mark" aria-hidden="true">Z</span><span class="brand__name">Zuplo MCP Gateway</span></div>${n}</div></header><main class="shell-main"><div class="static-top"><div class="static-top__inner"><section class="hero"><h1 class="hero__title">Authorize access</h1><p class="hero__connection"><span class="hero__client">${e.clientDisplayName}</span><span class="hero__arrow" aria-label="will access">→</span><span class="hero__server">${s}${e.virtualServerDisplayName}</span></p>${a}</section>${i}</div></div><section class="upstream-region" aria-labelledby="upstreams-heading"><div class="upstream-region__head"><h2 id="upstreams-heading" class="section-label">Upstream services${l}</h2></div><div class="upstream-region__scroll"><div class="upstream-region__scroll-inner">${c}</div></div></section></main><div class="action-bar" role="region" aria-label="Authorization decision"><div class="action-bar__inner">${p}${d}</div></div></body></html>`)}o(Al,"renderConsentPage");function mU(e){try{return new URL(e).host}catch{return}}o(mU,"safeUrlHost");function fU(e){if(e.mode==="user_oauth"||e.mode==="tenant_shared_oauth")return e.oauth.scopes}o(fU,"readOAuthScopes");function Pl(e){return e!==void 0&&e.length>0}o(Pl,"hasItems");async function hU(e){return H().upstreamConnectionRepository.get(e.userOwner,e.registeredConnection.upstreamServerId,e.registeredConnection.authProfileId)}o(hU,"readUserConnection");function gU(e){let t=e.registeredConnection.config.serverInfo?.icons;if(Pl(t))return t;let r=e.virtualServer.serverInfo?.icons;return e.virtualServer.connections.length===1&&Pl(r)?r:void 0}o(gU,"readServerIcons");async function _U(e){if(!(e.returnTo===void 0||!e.isUserOwned))return $d({requestUrl:e.requestUrl,owner:e.userOwner,initiatedBySubjectId:e.transaction.principal.subjectId,upstreamServerId:e.registeredConnection.upstreamServerId,authProfileId:e.registeredConnection.authProfileId,virtualServerId:e.virtualServer.virtualServerId,returnTo:e.returnTo})}o(_U,"readConnectUrl");function Mr(e,t){return t===void 0?{}:{[e]:t}}o(Mr,"optionalRequirementField");function yU(e){return e.isUserOwned?_g(e.connection):{connected:!0,status:"active"}}o(yU,"readSetupConnectionStatus");function wU(e){let t=fU(e);return Pl(t)?t:void 0}o(wU,"readScopesRequested");function SU(e){return e.isUserOwned&&"updatedAt"in e.connectionStatus&&e.connectionStatus.updatedAt!==void 0?e.connectionStatus.updatedAt:void 0}o(SU,"readUpdatedAt");function vU(e){if(e.virtualServer.catalog.catalogSource!=="openapi")return{tools:[],prompts:[],resources:[]};let t=o(r=>r.upstreamPolicyName===e.registeredConnection.policyName,"ownsCapability");return{tools:e.virtualServer.catalog.tools.filter(r=>r.enabled!==!1&&t(r)).map(ms),prompts:e.virtualServer.catalog.prompts.filter(r=>r.enabled!==!1&&t(r)).map(fs),resources:e.virtualServer.catalog.resources.filter(r=>r.enabled!==!1&&t(r)).map(hs)}}o(vU,"readVirtualServerCapabilities");async function bU(e){let{authConfig:t,authMode:r,config:n,upstreamServerId:a,authProfileId:s}=e.registeredConnection,i=Td(r),c=i==="user",d=yU({connection:e.connection,isUserOwned:c}),p=await _U({...e,connected:d.connected,isUserOwned:c});return{upstreamServerId:a,authProfileId:s,authMode:r,ownerMode:i,upstreamDisplayName:n.displayName,status:d.status,connected:d.connected,capabilities:vU({registeredConnection:e.registeredConnection,virtualServer:e.virtualServer}),...Mr("description",n.description),...Mr("transportHost",mU(n.transport.baseUrl)),...Mr("scopesRequested",wU(t)),...Mr("serverIcons",gU({registeredConnection:e.registeredConnection,virtualServer:e.virtualServer})),...Mr("connectUrl",p),...Mr("updatedAt",SU({connectionStatus:d,isUserOwned:c})),...Mr("expiresAt",e.connection?.expiresAt)}}o(bU,"buildSetupRequirement");function Gy(e){let t=tt().byVirtualServerId.get(e);if(!t)throw g("unknown_virtual_server",`Unknown virtual server: ${e}`);return t}o(Gy,"requireVirtualServer");async function xl(e){let t=Gy(e.transaction.virtualServerId),r=ur(e.transaction.principal.tenantId,e.transaction.principal.subjectId),n=[];for(let a of t.connections){let s=Td(a.authMode)==="user";n.push(await bU({connection:s?await hU({registeredConnection:a,userOwner:r}):void 0,registeredConnection:a,virtualServer:t,requestUrl:e.requestUrl,returnTo:e.returnTo,transaction:e.transaction,userOwner:r}))}return n}o(xl,"requirementsForSetup");function RU(e){return e.virtualServer.serverInfo?.title??e.virtualServer.serverInfo?.name??e.virtualServer.virtualServerId}o(RU,"readVirtualServerDisplayName");async function kl(e){let t=e.repository??H().downstreamOAuthRepository,r=Gy(e.transaction.virtualServerId),n=RU({virtualServer:r}),a=await t.getDcrClient(e.transaction.clientId),s={gatewayOrigin:Q(e.requestUrl),virtualServerDisplayName:n,clientDisplayName:a?.clientName??String(e.transaction.clientId),principalLabel:`${e.transaction.principal.subjectId} \xB7 ${e.transaction.principal.tenantId}`},i=r.serverInfo?.title;return i!==void 0&&i!==n&&(s.virtualServerDescription=i),s}o(kl,"consentContext");function By(e){return e.some(t=>t.ownerMode==="user"&&t.status!=="active")}o(By,"hasUnresolvedUserUpstream");var IU=["mcp_user"],TU="dev-browser-user",CU=["resource is required for /oauth/authorize.","MCP clients should start at the MCP server URL and follow its WWW-Authenticate resource_metadata link.","If your client reached this endpoint directly, use /oauth/authorize/mcp/{virtualServerId} or add resource={protected resource URI from protected-resource metadata}."].join(" "),EU=u.object({response_type:u.literal("code"),client_id:u.string().min(1),redirect_uri:u.string().min(1),resource:u.url(),code_challenge:u.string().min(43),code_challenge_method:hn,state:u.string().min(1).optional(),scope:u.literal(oe).default(oe)}),AU=u.enum(["continue","approve","cancel"]).default("continue"),PU=u.object({state:u.string().min(1),decision:AU}),xU=u.object({state:u.string().min(1),apiKey:u.string().min(1)}),Dr=class extends Error{static{o(this,"DownstreamAuthorizeRedirectError")}redirectUri;clientState;errorCode;errorDescription;constructor(t){super(t.errorDescription?`${t.errorCode}: ${t.errorDescription}`:t.errorCode,t.cause===void 0?void 0:{cause:t.cause}),this.name="DownstreamAuthorizeRedirectError",this.redirectUri=t.redirectUri,this.clientState=t.clientState,this.errorCode=t.errorCode,this.errorDescription=t.errorDescription}};function Vy(e){return typeof e=="string"&&e.length>0?e:void 0}o(Vy,"readQueryString");function kU(e,t){let r=Vy(e.query.resource);if(t===void 0){if(r!==void 0)return r;throw new z("invalid_target",CU)}let n=Eo(t,e.url);if(r===void 0||r===n)return n;throw new z("invalid_target","resource must match the scoped OAuth authorization endpoint resource.")}o(kU,"requireAuthorizeResource");async function OU(e,t,r){let n={virtualServerId:t};r!==void 0&&(n.context=r);let a=await ri(e,n);if(a.principal)return{principal:a.principal};if(!e.user)return a.evictCookie===void 0?{}:{setCookie:a.evictCookie};let s=gy(e);return{principal:s,setCookie:await Jo({principal:s,requestUrl:e.url,virtualServerId:t})}}o(OU,"resolveBrowserPrincipal");async function UU(e,t,r){let n={virtualServerId:t};r!==void 0&&(n.context=r);let a=await ri(e,n);if(!a.principal)throw g("authentication_required","Authorization setup requires a current browser session.");return a.principal}o(UU,"requireSetupPrincipal");async function Fy(e){let t=await xl({transaction:e.transaction,requestUrl:e.requestUrl,returnTo:`/oauth/setup?state=${encodeURIComponent(e.csrfToken)}`}),r=await kl({transaction:e.transaction,requestUrl:e.requestUrl,...e.repository===void 0?{}:{repository:e.repository}}),n={kind:"setup_page",html:Al({state:e.csrfToken,virtualServerId:e.transaction.virtualServerId,upstreams:t,...r})};return e.setCookie!==void 0&&(n.setCookie=e.setCookie),n}o(Fy,"renderSetup");async function Ol(e,t={}){let r=EU.parse({...e.query,resource:kU(e,t.virtualServerId),state:Vy(e.query.state)}),n=Qo(r.scope);Yo(r.redirect_uri);let a=H().downstreamOAuthRepository,s=new Date,i=await Xo(a,r.client_id,s);ci(i,r.redirect_uri);try{let c=xn(e.url,r.resource);t.context?.log.info({event:"oauth_authorize_request_parsed",clientId:i.clientId,virtualServerId:c.virtualServerId,scope:n,hasClientState:r.state!==void 0},"Downstream OAuth authorize: request parsed and client resolved");let d={clientId:i.clientId,redirectUri:r.redirect_uri,resource:r.resource,virtualServerId:c.virtualServerId,scope:n,codeChallenge:r.code_challenge,codeChallengeMethod:r.code_challenge_method,...r.state===void 0?{}:{clientState:r.state}},{principal:p,setCookie:l}=await OU(e,c.virtualServerId,t.context);if(!p){let h=await xy({transaction:d,requestUrl:e.url,now:s,repository:a});t.context?.log.info({event:"oauth_authorize_awaiting_login",clientId:i.clientId,virtualServerId:c.virtualServerId},"Downstream OAuth authorize: redirecting to browser login (no session)");let _={kind:"redirect",location:h.browserLoginUrl};return l!==void 0&&(_.setCookie=l),_}let m=await ky({transaction:d,principal:p,now:s,repository:a});return t.context?.log.info({event:"oauth_authorize_awaiting_setup",clientId:i.clientId,virtualServerId:c.virtualServerId,tenantId:p.tenantId,subjectId:p.subjectId},"Downstream OAuth authorize: rendering consent/setup page"),Fy({transaction:m.transaction,csrfToken:m.csrfToken,requestUrl:e.url,repository:a,setCookie:l})}catch(c){throw NU({redirectUri:r.redirect_uri,clientState:r.state,cause:c})}}o(Ol,"authorizeDownstreamClient");function NU(e){if(e.cause instanceof Dr)return e.cause;let t=$U(e.cause);return t?new Dr({redirectUri:e.redirectUri,clientState:e.clientState,errorCode:t.errorCode,errorDescription:t.errorDescription,cause:e.cause}):e.cause}o(NU,"toDownstreamAuthorizeRedirectError");function $U(e){if(e instanceof z)return{errorCode:e.errorCode,errorDescription:e.message};if(e instanceof u.ZodError){let t=e.issues[0];return{errorCode:t?.path.includes("resource")?"invalid_target":"invalid_request",errorDescription:t?.message}}}o($U,"mapToOAuthRedirectError");async function Zy(e,t={}){let r=typeof e.query.error=="string"?e.query.error:void 0;if(r){let l=typeof e.query.error_description=="string"?e.query.error_description.slice(0,256):void 0,m=typeof e.query.error_uri=="string"?e.query.error_uri.slice(0,256):void 0;throw t.context?.log.warn({event:"browser_login_callback_idp_error",code:"provider_access_denied",idpError:r,...l===void 0?{}:{idpErrorDescription:l},...m===void 0?{}:{idpErrorUri:m}},"Identity provider redirected browser-login callback with an error"),g("provider_access_denied",l??"The delegated browser login was not completed.")}let n=typeof e.query.state=="string"?e.query.state:void 0;if(!n)throw t.context?.log.warn({event:"browser_login_callback_state_missing",code:"oauth_state_invalid"},"Browser login callback was invoked without a state parameter"),g("oauth_state_invalid","Browser login callback is missing state.");let a=await si(n),s={request:e,stateId:a.stateId};t.context!==void 0&&(s.context=t.context);let i=await yy(s),c=H().downstreamOAuthRepository,d=await vl({browserLoginStateToken:n,principal:i,repository:c}),p=await Fy({transaction:d.transaction,csrfToken:d.csrfToken,requestUrl:e.url,repository:c});return p.setCookie=await Jo({principal:i,requestUrl:e.url,virtualServerId:d.transaction.virtualServerId}),p}o(Zy,"completeBrowserLoginCallback");async function Ky(e){let t=_e();if(!t.devTenantId)throw g("authentication_required","Local browser login requires the `devTenantId` policy option on mcp-oauth-inbound.");let r=new URL(e.url);if(!Ue(r))throw g("forbidden","Local browser login is only available on loopback HTTP origins.");let n=typeof e.query.state=="string"?e.query.state:void 0;if(!n)throw g("oauth_state_invalid","Local browser login is missing state.");let a=new URL(typeof e.query.redirect_uri=="string"?e.query.redirect_uri:"/oauth/callback",Q(e.url)),s=new URL(Q(e.url)).origin;if(a.origin!==s||a.pathname!=="/oauth/callback")throw g("oauth_callback_mismatch","Local browser login redirect_uri must target this gateway's /oauth/callback route.");a.searchParams.set("state",n);let i={subjectId:le.parse(TU),tenantId:$e.parse(t.devTenantId),roles:IU};return{kind:"redirect",location:a,setCookie:await Jo({principal:i,requestUrl:e.url})}}o(Ky,"completeLocalDevBrowserLogin");async function Wy(e){let t=xU.parse(e.body),r=H().downstreamOAuthRepository,n=await Oy({browserLoginStateToken:t.state,repository:r}),a=await _y({apiKey:t.apiKey,virtualServerId:n.virtualServerId}),s=await vl({browserLoginStateToken:t.state,principal:a,repository:r});await x_({apiKey:t.apiKey,principal:a,virtualServerId:s.transaction.virtualServerId});let i=new URL("/oauth/setup",lt(e.request.url));return i.searchParams.set("state",s.csrfToken),{kind:"redirect",location:i,setCookie:await Jo({principal:a,requestUrl:e.request.url,virtualServerId:s.transaction.virtualServerId})}}o(Wy,"completeApiKeyBrowserLogin");function zU(e){let t=e.method==="POST"?e.body:e.query;return PU.parse(t)}o(zU,"readSetupContinueRequest");async function Jy(e){let{state:t,decision:r}=zU({method:e.request.method,query:e.request.query,body:e.body}),n=H().downstreamOAuthRepository,a=new Date,s=await Rl({csrfToken:t,now:a,repository:n}),i=await UU(e.request,s.virtualServerId,e.context);if(r==="cancel")return{kind:"redirect",location:await $y({csrfToken:t,currentBrowserPrincipal:i,now:a,repository:n})};let c=await bl({csrfToken:t,currentBrowserPrincipal:i,now:a,repository:n}),d=await xl({transaction:c,requestUrl:e.request.url,returnTo:`/oauth/setup?state=${encodeURIComponent(t)}`});if(r==="continue"||By(d)){let p=await kl({repository:n,transaction:c,requestUrl:e.request.url});return{kind:"setup_page",html:Al({state:t,virtualServerId:c.virtualServerId,upstreams:d,...p})}}return{kind:"redirect",location:await Ny({csrfToken:t,currentBrowserPrincipal:i,now:a,repository:n})}}o(Jy,"continueDownstreamAuthorizeSetup");W();var MU=new Set(["authorization_code","refresh_token"]),DU=u.discriminatedUnion("grant_type",[u.object({grant_type:u.literal("authorization_code"),code:u.string().min(1),redirect_uri:u.string().min(1),client_id:u.string().min(1).optional(),code_verifier:ws,resource:u.url().optional(),scope:u.literal(oe).optional(),client_secret:u.string().min(1).optional()}),u.object({grant_type:u.literal("refresh_token"),refresh_token:u.string().min(1),client_id:u.string().min(1).optional(),resource:u.url().optional(),scope:u.literal(oe).optional(),client_secret:u.string().min(1).optional()})]);function qU(e){if(typeof e!="object"||e===null)return;let t=e.grant_type;if(t!==void 0&&(typeof t!="string"||!MU.has(t)))throw new z("unsupported_grant_type",`Grant type "${typeof t=="string"?t:""}" is not supported.`)}o(qU,"assertSupportedGrantType");var LU=u.object({token:u.string().min(1),client_id:u.string().min(1).optional(),token_type_hint:u.string().optional(),client_secret:u.string().min(1).optional()});function jU(){return _e().gateway.accessTokenTtlSeconds}o(jU,"readAccessTokenTtlSeconds");function HU(){return _e().gateway.refreshTokenTtlSeconds}o(HU,"readRefreshTokenTtlSeconds");async function Yy(e){if(!e.client.hashedClientSecret||!e.clientSecret||e.clientSecretSource!==e.requiredSource)throw new z("invalid_client",e.missingMessage);if(!await J_({value:e.clientSecret,expectedHash:e.client.hashedClientSecret}))throw new z("invalid_client","Client authentication failed.")}o(Yy,"requireClientSecretAuthentication");async function Xy(e){switch(e.client.metadata.token_endpoint_auth_method){case"none":if(e.clientSecret)throw new z("invalid_request","Public clients must not authenticate with client_secret.");return;case"client_secret_basic":await Yy({...e,requiredSource:"basic",missingMessage:"Client authentication with HTTP Basic is required."});return;case"client_secret_post":await Yy({...e,requiredSource:"post",missingMessage:"Client authentication with client_secret_post is required."});return;case"private_key_jwt":throw new z("invalid_client","private_key_jwt client authentication is not supported.")}}o(Xy,"requireClientAuthentication");function Qy(e,t){let r=jU(),n=Math.max(1,Math.floor((new Date(t).getTime()-e.getTime())/1e3)),a=Math.min(r,n);return{expiresAt:K(ar(e,a)),expiresIn:a}}o(Qy,"calculateAccessTokenExpiresAt");async function GU(e){let t=qt(),r=await ce(t),n=Qy(e.now,e.grant.expiresAt);return await e.repository.saveAccessToken({tokenHash:r,grantId:e.grant.id,clientId:e.grant.clientId,resource:e.grant.resource,virtualServerId:e.grant.virtualServerId,tenantId:e.grant.tenantId,subjectId:e.grant.subjectId,scope:e.grant.scope,roles:e.grant.roles,createdAt:K(e.now),expiresAt:n.expiresAt}),{accessToken:t,expiresIn:n.expiresIn}}o(GU,"issueOpaqueAccessToken");function ew(e){if(!e?.startsWith("Basic "))return{};let t;try{t=atob(e.slice(6))}catch{throw new z("invalid_client","Malformed HTTP Basic client authentication.")}let r=t.indexOf(":");if(r<0)throw new z("invalid_client","Malformed HTTP Basic client authentication.");try{return{clientId:decodeURIComponent(t.slice(0,r)),clientSecret:decodeURIComponent(t.slice(r+1))}}catch{throw new z("invalid_client","Malformed HTTP Basic client authentication.")}}o(ew,"readBasicClientSecret");function tw(e){if(e.basicClientId!==void 0&&e.bodyClientId!==void 0&&e.basicClientId!==e.bodyClientId)throw new z("invalid_request","Authenticated client_id must match request client_id.");let t=e.basicClientId??e.bodyClientId;if(t===void 0)throw new z("invalid_client","Client authentication or client_id is required.");return t}o(tw,"resolveAuthenticatedClientId");function rw(e){if(e.basicClientSecret!==void 0&&e.bodyClientSecret!==void 0)throw new z("invalid_request","Use only one client authentication method per request.");return e.basicClientSecret!==void 0?{clientSecret:e.basicClientSecret,clientSecretSource:"basic"}:e.bodyClientSecret!==void 0?{clientSecret:e.bodyClientSecret,clientSecretSource:"post"}:{}}o(rw,"resolveClientSecretInput");async function nw(e){qU(e.body);let t=DU.parse(e.body),r=ew(e.authorizationHeader),n=tw({basicClientId:r.clientId,bodyClientId:t.client_id}),a=H().downstreamOAuthRepository,s=new Date,i=await Xo(a,n,s),c=rw({basicClientSecret:r.clientSecret,bodyClientSecret:t.client_secret});if(await Xy({client:i,...c}),t.grant_type==="authorization_code"){Yo(t.redirect_uri),ci(i,t.redirect_uri),Qo(t.scope),t.resource!==void 0&&xn(e.requestUrl??t.resource,t.resource);let w=qt(),y=qt(),S=K(ar(s,HU())),v=Qy(s,S),b=await a.exchangeAuthorizationCode({codeHash:await ce(t.code),clientId:i.clientId,redirectUri:t.redirect_uri,...t.resource===void 0?{}:{resource:t.resource},codeChallenge:await Y_(t.code_verifier),currentRefreshTokenHash:await ce(w),accessTokenHash:await ce(y),now:s,grantExpiresAt:S,accessTokenExpiresAt:v.expiresAt});if(b.kind==="resource_mismatch")throw new z("invalid_target","Token request resource must match the authorization code resource.");if(b.kind!=="exchanged")throw new z("invalid_grant","Authorization code is invalid, expired, already used, or failed binding validation.");return e.context?.log.info({event:"oauth_token_issued",grantType:"authorization_code",clientId:i.clientId,scope:b.grant.scope,resource:b.grant.resource,expiresInSeconds:v.expiresIn},"OAuth access token issued (authorization_code grant)"),{access_token:y,token_type:"Bearer",expires_in:v.expiresIn,refresh_token:w,scope:b.grant.scope,resource:b.grant.resource}}Qo(t.scope);let d=await ce(t.refresh_token);t.resource!==void 0&&xn(e.requestUrl??t.resource,t.resource);let p=qt(),l=await ce(p),m=await a.rotateRefreshToken({currentTokenHash:d,nextTokenHash:l,clientId:i.clientId,...t.resource===void 0?{}:{resource:t.resource},now:s});if(m.kind==="resource_mismatch")throw new z("invalid_target","Token request resource must match the refresh token grant resource.");if(m.kind!=="rotated")throw new z("invalid_grant","Refresh token is invalid, expired, or revoked.");let h=m.grant;if(h.revokedAt||h.clientId!==i.clientId)throw new z("invalid_grant","Refresh token grant is invalid or revoked.");xn(e.requestUrl??h.resource,h.resource);let _=await GU({repository:a,grant:h,now:s});return e.context?.log.info({event:"oauth_token_refresh_rotated",grantType:"refresh_token",clientId:i.clientId,scope:h.scope,resource:h.resource,expiresInSeconds:_.expiresIn},"OAuth refresh token rotated and access token issued"),{access_token:_.accessToken,token_type:"Bearer",expires_in:_.expiresIn,refresh_token:p,scope:h.scope,resource:h.resource}}o(nw,"exchangeDownstreamToken");async function ow(e){let t=LU.parse(e.body),r=ew(e.authorizationHeader),n=tw({basicClientId:r.clientId,bodyClientId:t.client_id}),a=H().downstreamOAuthRepository,s=await Xo(a,n,new Date),i=rw({basicClientSecret:r.clientSecret,bodyClientSecret:t.client_secret});await Xy({client:s,...i});let c=await ce(t.token);await a.revokeOAuthToken({tokenHash:c,clientId:s.clientId,now:new Date}),e.context?.log.info({event:"oauth_token_revoked",clientId:s.clientId,...t.token_type_hint===void 0?{}:{tokenTypeHint:t.token_type_hint}},"OAuth token revocation request processed")}o(ow,"revokeDownstreamToken");var BU=64*1024,VU=16*1024,FU="text/html; charset=utf-8";function ZU(e){let t={};for(let[r,n]of e.entries())t[r]=n;return t}o(ZU,"formDataToObject");async function KU(e){return ay(e,{maxBytes:BU,label:"Request body"})}o(KU,"readJsonBody");async function li(e){return ZU(await ei(e,{maxBytes:VU,label:"Request body"}))}o(li,"readFormBody");async function pi(e,t,r){let n=ae(r),a=r instanceof u.ZodError?aw(r):r instanceof Error?r.message:void 0,s={code:n??"invalid_request"};return a!==void 0&&(s.detail=a),je(e,t,s)}o(pi,"handleProblem");function ea(e){let t=new Headers(e.headers);t.set("cache-control","no-store"),t.set("pragma","no-cache");let r={error:e.error};return e.errorDescription!==void 0&&(r.error_description=e.errorDescription),Response.json(r,{status:e.status??400,headers:t})}o(ea,"oauthErrorResponse");function WU(e,t){return e.errorCode!=="invalid_client"?{}:t.includeInvalidClientChallenge===!1?{}:{"WWW-Authenticate":'Basic realm="OAuth"'}}o(WU,"readOAuthProtocolHeaders");function JU(e,t){let r=Le("internal_server_error");return ea({error:e.errorCode,errorDescription:e.errorCode==="server_error"?r.publicDetail:e.message,status:e.status,headers:WU(e,t)})}o(JU,"oauthProtocolErrorResponse");function YU(e){return e.issues[0]?.path.includes("resource")===!0?"invalid_target":"invalid_request"}o(YU,"readZodOAuthErrorCode");function XU(e){let t={error:YU(e)},r=aw(e);return r!==void 0&&(t.errorDescription=r),ea(t)}o(XU,"oauthZodErrorResponse");function QU(e){let t=ae(e);if(t===void 0)return;let r=Le(t);if(r.oauthError===void 0)return;let n={error:r.oauthError,status:tN(r.oauthError)};return r.oauthError==="server_error"?n.errorDescription=r.publicDetail:e instanceof Error?n.errorDescription=e.message:n.errorDescription=r.publicDetail,ea(n)}o(QU,"oauthGatewayProblemResponse");function eN(){let t={error:"server_error",status:500,errorDescription:Le("internal_server_error").publicDetail};return ea(t)}o(eN,"oauthFallbackErrorResponse");function tN(e){switch(e){case"invalid_client":return 401;case"server_error":return 500;default:return 400}}o(tN,"readOAuthStatus");function kn(e,t={}){return e instanceof Dr?rN(e):e instanceof z?JU(e,t):e instanceof u.ZodError?XU(e):QU(e)??eN()}o(kn,"oauthProblemResponse");function Rt(e,t,r){let n={event:t},a=!1;if(r instanceof z)n.oauthError=r.errorCode,n.status=r.status,Re(n,"error",r);else if(r instanceof Dr)n.oauthError=r.errorCode,Re(n,"error",r);else if(r instanceof u.ZodError){n.code="invalid_request",Re(n,"error",r);let s=r.issues[0];s&&(n.zodPath=s.path.join("."))}else{let s=ae(r);if(s!==void 0){let i=Le(s);n.code=s,n.status=i.status,i.oauthError!==void 0&&(n.oauthError=i.oauthError),a=i.status>=500||i.oauthError==="server_error",Re(n,"error",r)}else a=!0,Re(n,"error",r)}if(a){let s=r instanceof Error?r:new Error("Non-Error thrown from OAuth handler",{cause:r});e.log.error(n,s.message)}else e.log.warn(n,"OAuth handler rejected the request")}o(Rt,"logUnexpectedOAuthHandlerError");function rN(e){let t;try{t=new URL(e.redirectUri)}catch{return ea({error:e.errorCode,...e.errorDescription===void 0?{}:{errorDescription:e.errorDescription}})}t.searchParams.set("error",e.errorCode),e.errorDescription!==void 0&&t.searchParams.set("error_description",e.errorDescription),e.clientState!==void 0&&t.searchParams.set("state",e.clientState);let r=new Headers({location:t.toString(),"cache-control":"no-store"});return new Response(null,{status:302,headers:r})}o(rN,"downstreamAuthorizeRedirectErrorResponse");function aw(e){let t=e.issues[0];if(!t)return;let r=t.path.join(".");return r?`${r}: ${t.message}`:t.message}o(aw,"formatZodErrorDetail");function nN(e,t){let r={event:"browser_login_callback_failed",code:ae(t)??"invalid_request"};Re(r,"error",t),e.log.warn(r,"Browser login callback failed; client received a connection-failure page")}o(nN,"logBrowserLoginCallbackFailure");function Ul(e){e.location.hash||(e.location.hash="#");let t=new Headers({location:e.location.toString(),"cache-control":"no-store"});return e.setCookie&&t.append("set-cookie",e.setCookie),new Response(null,{status:302,headers:t})}o(Ul,"redirectResultResponse");function mi(e){if(e.kind==="setup_page"){let t=new Headers({"content-type":FU,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"});return e.setCookie&&t.append("set-cookie",e.setCookie),new Response(e.html,{status:200,headers:t})}return Ul(e)}o(mi,"authorizeResultResponse");async function sw(e,t){try{return Response.json(bd(e.url))}catch(r){return Rt(t,"oauth_authorization_server_metadata_failed",r),pi(e,t,r)}}o(sw,"authorizationServerMetadataHandler");async function iw(e,t){try{let r=ge.parse(e.params.virtualServerId),n=bo(r);return Response.json(Fh({virtualServerId:n.virtualServerId,requestUrl:e.url}))}catch(r){return Rt(t,"oauth_authorization_server_metadata_failed",r),pi(e,t,r)}}o(iw,"scopedAuthorizationServerMetadataHandler");async function cw(e,t){try{let r=await My(await KU(e)),n=r;return t.log.info({event:"oauth_dcr_client_registered",clientId:typeof n.client_id=="string"?n.client_id:void 0,clientName:typeof n.client_name=="string"?n.client_name:void 0,redirectUriCount:Array.isArray(n.redirect_uris)?n.redirect_uris.length:void 0,tokenEndpointAuthMethod:typeof n.token_endpoint_auth_method=="string"?n.token_endpoint_auth_method:void 0},"OAuth Dynamic Client Registration completed"),Response.json(r,{status:201,headers:{"cache-control":"no-store"}})}catch(r){return Rt(t,"oauth_register_failed",r),kn(r)}}o(cw,"registerHandler");async function uw(e,t){try{return mi(await Ol(e,{context:t}))}catch(r){return Rt(t,"oauth_authorize_failed",r),kn(r,{includeInvalidClientChallenge:!1})}}o(uw,"authorizeHandler");async function dw(e,t){try{let r=ge.parse(e.params.virtualServerId),n=bo(r);return mi(await Ol(e,{virtualServerId:n.virtualServerId,context:t}))}catch(r){return Rt(t,"oauth_authorize_scoped_failed",r),kn(r,{includeInvalidClientChallenge:!1})}}o(dw,"scopedAuthorizeHandler");async function lw(e,t){try{let r=await Zy(e,{context:t});return t.log.info({event:"browser_login_callback_completed",resultKind:r.kind},"Browser login callback completed; consent setup rendered"),mi(r)}catch(r){return nN(t,r),pi(e,t,r)}}o(lw,"callbackHandler");async function pw(e,t){try{return Ul(await Ky(e))}catch(r){return Rt(t,"oauth_dev_login_failed",r),kn(r)}}o(pw,"devLoginHandler");async function mw(e,t){try{if(e.method==="GET"){let r=typeof e.query.state=="string"?e.query.state:void 0;return r?uy(r):gl(400)}return e.method!=="POST"?new Response(null,{status:405,headers:{allow:"GET, POST"}}):Ul(await Wy({request:e,body:await li(e)}))}catch(r){return Rt(t,"oauth_api_key_login_failed",r),gl()}}o(mw,"apiKeyLoginHandler");async function fw(e,t){try{if(!["GET","POST"].includes(e.method))return new Response(null,{status:405,headers:{allow:"GET, POST"}});let r=await Jy({request:e,body:e.method==="POST"?await li(e):void 0,context:t});return mi(r)}catch(r){return Rt(t,"oauth_setup_failed",r),pi(e,t,r)}}o(fw,"setupHandler");async function hw(e,t){try{return Response.json(await nw({body:await li(e),authorizationHeader:e.headers.get("authorization"),requestUrl:e.url,context:t}),{headers:{"cache-control":"no-store",pragma:"no-cache"}})}catch(r){return Rt(t,"oauth_token_failed",r),kn(r)}}o(hw,"tokenHandler");async function gw(e,t){try{return await ow({body:await li(e),authorizationHeader:e.headers.get("authorization"),context:t}),new Response(null,{status:200,headers:{"cache-control":"no-store"}})}catch(r){return Rt(t,"oauth_revoke_failed",r),kn(r)}}o(gw,"revokeHandler");var oN={connect:"Connect",app_password:"App password",callback_authorization_code:"Callback",callback_provider_error:"Callback",callback_invalid:"Callback",client_metadata:"Client metadata"},_w=new Ct("upstream-request");function aN(e){let t=_w.get(e);if(!t)throw g("internal_server_error","Upstream request context has not been set");return t}o(aN,"readUpstreamRequestContext");function sN(e,t){return t.some(r=>r===e)}o(sN,"requestContextMatchesKind");function iN(e){return typeof e=="string"?[e]:e}o(iN,"toExpectedKinds");function qr(e,t){_w.set(e,t)}o(qr,"setUpstreamRequestContext");function Lr(e,t){let r=aN(e),n=iN(t);if(!sN(r.kind,n)){let a=oN[n[0]];throw g("internal_server_error",`${a} request context has not been set`)}return r}o(Lr,"requireUpstreamRequestContext");var cN="text/html; charset=utf-8",uN="none";function yw(e){return k`<!doctype html><html><head><title>${e.title}</title><meta name="viewport" content="width=device-width, initial-scale=1"></head><body data-gateway-error-code="${e.code??uN}"><main><h1>${e.title}</h1><p>${e.body}</p></main></body></html>`}o(yw,"browserResultHtml");function ww(e,t=200){return new Response(Lt(e),{status:t,headers:{"content-type":cN,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"}})}o(ww,"browserResultResponse");function fi(e){return ww(yw(e))}o(fi,"browserConnectionSuccessResponse");function On(e){let t=sh(e);return ww(yw({title:t.title,body:t.body,code:e}),400)}o(On,"browserConnectionFailureResponse");var dN="text/html; charset=utf-8",lN=16*1024;function pN(e,t=200){return new Response(Lt(e),{status:t,headers:{"content-type":dN,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"}})}o(pN,"htmlResponse");function mN(e,t){return Response.redirect(new URL(t,e).toString(),302)}o(mN,"safeRedirect");function fN(e){if(!e)throw g("oauth_state_invalid","App password capture requires a signed browser ticket.");return e}o(fN,"requireBrowserTicket");function hN(e,t){return[e.ownerMode!=="user"||e.upstreamServerId!==t.upstreamServerId||t.virtualServerId!==void 0&&e.virtualServerId!==t.virtualServerId].every(n=>!n)}o(hN,"appPasswordTicketMatchesTarget");async function Sw(e){let t=fN(e.browserTicket),r=await Ds(t);if(!hN(r,e))throw g("oauth_callback_mismatch","App password capture ticket did not match the requested upstream flow.");return{upstreamServerId:e.upstreamServerId,authProfileId:r.authProfileId,virtualServerId:r.virtualServerId,browserTicket:t,ticket:r}}o(Sw,"readAppPasswordTarget");function gN(e){let t=jd(e.upstreamServerId,e.authProfileId),r=`/auth/connections/${encodeURIComponent(e.upstreamServerId)}/app-password`,n=t.kind==="basic_auth_app_password"?k`<label for="username">${t.usernameLabel}</label><input id="username" name="username" required autocomplete="username"><label for="appPassword">${t.passwordLabel}</label><input id="appPassword" name="appPassword" type="password" required autocomplete="current-password">`:k`<label for="token">${t.label}</label><input id="token" name="token" type="password" required autocomplete="off">`;return pN(k`<!doctype html><html><head><title>Connect upstream</title><meta name="viewport" content="width=device-width, initial-scale=1"><style>body{font-family:system-ui,-apple-system,BlinkMacSystemFont,"Segoe UI",sans-serif;margin:0;padding:32px;background:#f8fafc;color:#0f172a}main{max-width:440px;margin:0 auto;background:white;border:1px solid #dbe3ee;border-radius:8px;padding:24px;box-shadow:0 1px 2px rgba(15,23,42,.06)}label{display:block;font-size:14px;font-weight:600;margin:16px 0 6px}input{box-sizing:border-box;width:100%;border:1px solid #b8c3d4;border-radius:6px;padding:10px 12px;font:inherit}button{margin-top:20px;border:0;border-radius:6px;background:#0f172a;color:white;padding:10px 14px;font:inherit;font-weight:600;cursor:pointer}p{color:#475569;line-height:1.5}</style></head><body><main><h1>Connect upstream</h1><p>Enter the per-user credential for this approved upstream. The gateway stores it encrypted and keeps it out of MCP client configuration.</p><form method="post" action="${r}" autocomplete="off"><input type="hidden" name="browserTicket" value="${e.browserTicket}">${n}<button type="submit">Connect</button></form></main></body></html>`)}o(gN,"renderCaptureForm");function hi(e,t){let r=e.get(t);if(typeof r!="string"||r.length===0)throw g("invalid_request",`Missing form field: ${t}`);return r}o(hi,"readRequiredFormValue");function _N(e){return{upstreamServerId:e.upstreamServerId,...e.virtualServerId===void 0?{}:{virtualServerId:e.virtualServerId},...e.browserTicket===void 0?{}:{browserTicket:e.browserTicket}}}o(_N,"readCaptureFormTargetInput");async function yN(e){return gN(await Sw(_N(e)))}o(yN,"handleCaptureFormRequest");async function wN(e){let t=await ei(e.request,{maxBytes:lN,label:"App password request body"});return{form:t,target:await Sw({upstreamServerId:e.upstreamServerId,browserTicket:hi(t,"browserTicket")})}}o(wN,"readSubmittedAppPasswordTarget");async function SN(e){let t=Sn(e.target.ticket);if(await qs(e.target.ticket),jd(e.target.upstreamServerId,e.target.authProfileId).kind==="bearer_token"){await Ls({owner:t,initiatedBySubjectId:e.target.ticket.initiatedBySubjectId,upstreamServerId:e.target.upstreamServerId,authProfileId:e.target.authProfileId,token:hi(e.form,"token")});return}await Kg({owner:t,initiatedBySubjectId:e.target.ticket.initiatedBySubjectId,upstreamServerId:e.target.upstreamServerId,authProfileId:e.target.authProfileId,username:hi(e.form,"username"),appPassword:hi(e.form,"appPassword")})}o(SN,"saveSubmittedAppPasswordCredential");function vN(e,t){return t.ticket.returnTo?mN(e,t.ticket.returnTo):fi({title:"Connection complete",body:"The upstream credential was saved. Return to your MCP client and retry the request."})}o(vN,"appPasswordSuccessResponse");async function bN(e){let t=await wN({request:e.request,upstreamServerId:e.appPasswordRequest.upstreamServerId});return await SN(t),vN(e.request.url,t.target)}o(bN,"handleAppPasswordSubmission");function RN(){return new Response(null,{status:405,headers:{Allow:"GET, POST"}})}o(RN,"methodNotAllowedResponse");function IN(e){let t=ae(e);return On(as(t)?t:"oauth_state_invalid")}o(IN,"appPasswordFailureResponse");async function TN(e){switch(e.request.method){case"GET":return yN(e.appPasswordRequest);case"POST":return bN(e);default:return RN()}}o(TN,"handleAppPasswordMethod");async function Nl(e,t){let r=Lr(t,"app_password");try{return await TN({request:e,appPasswordRequest:r})}catch(n){return IN(n)}}o(Nl,"appPasswordHandler");var CN=["callback_authorization_code","callback_provider_error","callback_invalid"];function EN(e){return"cause"in e?e.cause:void 0}o(EN,"readErrorCause");function AN(e){return e.stack?.split(`
1246
- `).slice(1,4).map(t=>t.trim()).join(" | ")}o(AN,"readFirstStackFrame");function vw(e,t,r){r instanceof Error&&(e[`${t}Name`]=r.name,e[`${t}Message`]=r.message,e[`${t}StackFrame`]=AN(r))}o(vw,"addErrorAttributes");function PN(e,t){switch(t.kind){case"callback_provider_error":return e.log.warn({event:"upstream_oauth_provider_error",code:"provider_access_denied",upstreamServerId:t.upstreamServerId,providerError:t.error,...t.errorDescription===void 0?{}:{providerErrorDescription:t.errorDescription.slice(0,256)}},"Upstream identity provider returned an error to the OAuth callback"),He(e,{eventType:L.MCP_GATEWAY_AUTH_UPSTREAM_TOKEN_EXCHANGE_FAILED,outcome:"failure",upstreamServerName:t.upstreamServerId,reasonCode:"provider_access_denied",reasonClass:"auth",attributes:{error:t.error,errorDescription:t.errorDescription}}),On("provider_access_denied");case"callback_invalid":return e.log.warn({event:"upstream_oauth_callback_invalid",code:"oauth_state_invalid",upstreamServerId:t.upstreamServerId},"Upstream OAuth callback request missing required code/state parameters"),On("oauth_state_invalid");case"callback_authorization_code":return t}}o(PN,"requireAuthorizationCallbackRequest");function xN(e,t){He(e,{eventType:L.MCP_GATEWAY_AUTH_UPSTREAM_CALLBACK_RECEIVED,outcome:"success",upstreamServerName:t.upstreamServerId})}o(xN,"emitCallbackReceivedAnalyticsEvent");function kN(e,t){He(e,{eventType:L.MCP_GATEWAY_AUTH_UPSTREAM_TOKEN_EXCHANGE_SUCCEEDED,outcome:"success",upstreamServerName:t.upstreamServerId,virtualServerName:t.virtualServerId})}o(kN,"emitTokenExchangeSucceededAnalyticsEvent");function ON(e,t){if(t.returnTo){let r=t.returnOrigin??e.url;return Response.redirect(new URL(t.returnTo,r).toString(),302)}return fi({title:"Connection complete",body:"The upstream authorization flow completed successfully. You can return to your MCP client."})}o(ON,"buildSuccessfulCallbackResponse");function UN(e){let t={detail:e instanceof Error?e.message:void 0};return vw(t,"error",e),e instanceof Error&&vw(t,"cause",EN(e)),t}o(UN,"buildTokenExchangeFailureAttributes");function NN(e){He(e.context,{eventType:L.MCP_GATEWAY_AUTH_UPSTREAM_TOKEN_EXCHANGE_FAILED,outcome:"failure",upstreamServerName:e.callbackRequest.upstreamServerId,reasonCode:ae(e.error)??"token_exchange_failed",reasonClass:"auth",errorType:e.error instanceof Error?e.error.name:"unknown",attributes:UN(e.error)})}o(NN,"emitTokenExchangeFailedAnalyticsEvent");function $N(e){let t=ae(e);return On(as(t)?t:"upstream_token_exchange_failed")}o($N,"tokenExchangeFailureResponse");async function $l(e,t){let r=Lr(t,CN),n=PN(t,r);if(n instanceof Response)return n;xN(t,n);try{let a=await O_({request:e,callbackRequest:n});return kN(t,a),t.log.info({event:"upstream_oauth_token_exchange_succeeded",upstreamServerId:a.upstreamServerId,virtualServerId:a.virtualServerId,authProfileId:a.authProfileId,ownerMode:a.ownerMode},"Upstream OAuth token exchange completed; user connection established"),ON(e,a)}catch(a){let s={event:"upstream_oauth_token_exchange_failed",code:ae(a)??"upstream_token_exchange_failed",upstreamServerId:n.upstreamServerId};return Re(s,"error",a),t.log.warn(s,"Upstream OAuth token exchange failed; user shown connection-failure page"),NN({context:t,callbackRequest:n,error:a}),$N(a)}}o($l,"callbackHandler");function zN(e){let t=ae(e);return t==="unknown_upstream_server"?t:"not_found"}o(zN,"clientMetadataProblemCode");function MN(e){return(e instanceof Error?e.message:void 0)??"The requested upstream client metadata document was not found."}o(MN,"clientMetadataProblemDetail");async function bw(e,t){let r=Lr(t,"connect"),n=await k_({request:e,connectRequest:r});if(He(t,{eventType:L.MCP_GATEWAY_AUTH_UPSTREAM_CONNECT_STARTED,outcome:"success",upstreamServerName:r.upstreamServerId,virtualServerName:n.virtualServerId,upstreamServerTitle:n.upstreamDisplayName}),t.log.info({event:"upstream_connect_started",upstreamServerId:r.upstreamServerId,authProfileId:n.authProfileId,virtualServerId:n.virtualServerId,ownerMode:r.ownerMode,redirect:r.redirect,hasReturnTo:r.returnTo!==void 0},"Upstream OAuth connect flow started"),r.redirect)return Response.redirect(n.authUrl,302);let a=await vn({requestUrl:e.url,owner:n.owner,initiatedBySubjectId:n.initiatedBySubjectId,upstreamServerId:r.upstreamServerId,authProfileId:n.authProfileId,upstreamDisplayName:n.upstreamDisplayName,virtualServerId:n.virtualServerId,subject:"virtual server",...r.returnTo===void 0?{}:{returnTo:r.returnTo}});return Response.json(a,{status:428})}o(bw,"connectHandler");async function Rw(e,t){let r=Lr(t,"client_metadata");try{let n=g_(e.url),a=__(n,r.upstreamServerId,r.authProfileId);return Response.json(a)}catch(n){let a=zN(n),s=n instanceof Error?n.message:String(n);return t.log.warn({event:"oauth_client_metadata_request_failed",code:a,upstreamServerId:r.upstreamServerId,authProfileId:r.authProfileId,errorMessage:s},"Failed to serve OAuth client metadata document for upstream connection"),je(e,t,{code:a,detail:MN(n)})}}o(Rw,"oauthClientMetadataHandler");function jt(e){if(typeof e=="string"&&e.length!==0)return e}o(jt,"readOptionalQueryString");function DN(e,t){let r=e.params[t];if(typeof r!="string"||r.length===0)throw g("internal_server_error",`Validated path parameter ${t} is missing`);return r}o(DN,"requirePathString");function Iw(e){let t=jt(e);return t?ge.parse(t):void 0}o(Iw,"readOptionalVirtualServerId");function qN(e,t){let r=jt(e);return r?dt.parse(r):pn(t,"user_oauth")}o(qN,"readOptionalAuthProfileId");function LN(e){let t=Iw(e);if(!t)throw g("invalid_request","virtualServerId query parameter is required.");return t}o(LN,"readRequiredVirtualServerId");function jN(e){let t=jt(e.query.browserTicket);return t===void 0?{}:{browserTicket:t}}o(jN,"readOptionalBrowserTicket");function HN(e){let t=As(jt(e));return t===void 0?{}:{returnTo:t}}o(HN,"readOptionalReturnTo");function GN(e){let t=Iw(e.query.virtualServerId);return t===void 0?{}:{virtualServerId:t}}o(GN,"readOptionalVirtualServerIdContext");function BN(e){let t=jt(e.query.error_description);return t===void 0?{}:{errorDescription:t}}o(BN,"readOptionalProviderErrorDescription");function VN(e){let t=vt(e.authMode);if(t.connectSupport!=="none")return e;throw g("invalid_request",t.connectUnsupportedDetail??"This upstream does not support browser connection flows.")}o(VN,"requireConnectableRouteAuth");function FN(e,t,r,n){let a=Qs(e,t);if(a.ownerMode==="none"||a.authMode==="tenant_static_secret")throw g("invalid_request","Static-secret upstreams do not support browser connection flows.");return{kind:"connect",...a,...n===void 0?{}:{returnTo:n},redirect:r}}o(FN,"buildConnectContextForPrincipal");function ZN(e,t,r){let n=Sn(t),a=vt(e.authMode);if(n.mode!==a.ownerMode)throw g("oauth_callback_mismatch","Browser connect ticket did not match the requested upstream flow");return{kind:"connect",...e,...t.returnTo===void 0?{}:{returnTo:t.returnTo},owner:n,initiatedBySubjectId:t.initiatedBySubjectId,redirect:r}}o(ZN,"buildConnectContextForTicket");async function KN(e,t){let r=VN(ty(t,LN(e.query.virtualServerId))),n=e.query.redirect==="true",a=jt(e.query.browserTicket);if(e.user){if(a)throw g("invalid_request","Use either an authenticated gateway request or a browser connect ticket, not both.");let i=gn(e.user,e.url);return FN(r,i,n,HN(e.query.returnTo).returnTo)}if(!a)throw g("authentication_required","Authentication is required to start the upstream connection flow.");let s=await Ds(a);if(s.ownerMode!==r.ownerMode||s.upstreamServerId!==r.upstreamServerId||s.authProfileId!==r.authProfileId||s.virtualServerId!==r.virtualServerId)throw g("oauth_callback_mismatch","Browser connect ticket did not match the requested upstream flow");return await qs(s),ZN(r,s,n)}o(KN,"resolveConnectContext");async function WN(e,t,r){let n=ut.parse(DN(e,"connection"));switch(r){case"connect":qr(t,await KN(e,n));return;case"app_password":qr(t,{kind:"app_password",upstreamServerId:n,...GN(e),...jN(e)});return;case"callback":{let a=jt(e.query.error);if(a){qr(t,{kind:"callback_provider_error",upstreamServerId:n,error:a,...BN(e)});return}let s=jt(e.query.code),i=jt(e.query.state);if(s&&i){qr(t,{kind:"callback_authorization_code",upstreamServerId:n,code:s,state:i});return}qr(t,{kind:"callback_invalid",upstreamServerId:n});return}case"client_metadata":qr(t,{kind:"client_metadata",upstreamServerId:n,authProfileId:qN(e.query.authProfileId,n)});return}}o(WN,"resolveUpstreamRequestInbound");async function JN(e,t,r){try{await WN(e,t,r);return}catch(n){let a=ae(n);if(!a)throw n;let s=n instanceof Error?n.message:void 0;return je(e,t,{code:a,...s===void 0?{}:{detail:s}})}}o(JN,"applyUpstreamRequestContext");function ta(e,t){return o(async(n,a)=>{let s=await JN(n,a,e);return s||t(n,a)},"wrapped")}o(ta,"withUpstreamRequestContext");var YN={"access-control-allow-origin":"*","access-control-allow-methods":"GET, OPTIONS","access-control-allow-headers":"content-type, authorization","access-control-max-age":"86400"};function XN(){return new Response(null,{status:204,headers:YN})}o(XN,"buildWellKnownPreflightResponse");function QN(e){let t=new Headers(e.headers);return t.set("access-control-allow-origin","*"),new Response(e.body,{status:e.status,statusText:e.statusText,headers:t})}o(QN,"withWellKnownCorsHeaders");function zl(e){return async(t,r)=>t.method==="OPTIONS"?XN():QN(await e(t,r))}o(zl,"wrapWellKnownHandler");var e$=[{routeName:"oauth_as_metadata",path:"/.well-known/oauth-authorization-server",methods:["GET","OPTIONS"],handler:zl(sw)},{routeName:"oauth_as_metadata_scoped",path:"/.well-known/oauth-authorization-server/mcp/:virtualServerId",methods:["GET","OPTIONS"],handler:zl(iw)},{routeName:"oauth_protected_resource_metadata",path:"/.well-known/oauth-protected-resource/mcp/:virtualServerId",methods:["GET","OPTIONS"],handler:zl(Zh)},{routeName:"oauth_register",path:"/oauth/register",methods:["POST"],handler:cw},{routeName:"oauth_authorize",path:"/oauth/authorize",methods:["GET"],handler:uw},{routeName:"oauth_authorize_scoped",path:"/oauth/authorize/mcp/:virtualServerId",methods:["GET"],handler:dw},{routeName:"oauth_callback",path:"/oauth/callback",methods:["GET"],handler:lw},{routeName:"oauth_dev_login",path:"/oauth/dev-login",methods:["GET"],handler:pw},{routeName:"oauth_api_key_login",path:"/oauth/api-key-login",methods:["GET","POST"],handler:mw},{routeName:"oauth_setup",path:"/oauth/setup",methods:["GET","POST"],handler:fw},{routeName:"oauth_token",path:"/oauth/token",methods:["POST"],handler:hw},{routeName:"oauth_revoke",path:"/oauth/revoke",methods:["POST"],handler:gw},{routeName:"upstream_client_metadata",path:"/.well-known/oauth-client/:connection",methods:["GET"],handler:ta("client_metadata",Rw)},{routeName:"upstream_connect",path:"/auth/connections/:connection/connect",methods:["GET"],handler:ta("connect",bw)},{routeName:"upstream_callback",path:"/auth/connections/:connection/callback",methods:["GET"],handler:ta("callback",$l)},{routeName:"upstream_app_password",path:"/auth/connections/:connection/app-password",methods:["GET","POST"],handler:ta("app_password",Nl)}];function Tw(e){if(e)return e.find(t=>ds(t.policyType))}o(Tw,"findMcpOAuthPolicy");function Cw(e){return Tw(e)!==void 0}o(Cw,"shouldRegisterMcpGatewayInternalRoutes");function t$(e){let t=td(e.policyType);if(!t){let r=rd();throw new Tt(`MCP gateway: unknown MCP authorization policy type '${String(e.policyType)}'. Registered policy types: ${r.length>0?r.join(", "):"<none>"}.`)}try{return t.getConfig(e.handler.options)}catch(r){throw r instanceof u.ZodError?new Tt(r$(e.name??e.policyType,r),{cause:r}):r}}o(t$,"resolveOAuthConfigFromPolicy");function r$(e,t){let r=t.issues.map(n=>` - ${n.path.length>0?n.path.join("."):"<root>"}: ${n.message}`).join(`
1271
+ `,wN=yt(SN);function rp(e){let t=gN(e.upstreams),r=[...e.upstreams].sort((m,f)=>{let _=o(y=>y.ownerMode!=="user"?2:y.status==="active"?1:0,"blockedRank"),S=_(m)-_(f);return S!==0?S:m.upstreamDisplayName.localeCompare(f.upstreamDisplayName)}),n=e.principalLabel?x`<span class="principal" title="Signed in as ${e.principalLabel}">${e.principalLabel}</span>`:ye,a=e.virtualServerDescription?x`<p class="hero__description">${e.virtualServerDescription}</p>`:ye,i=Is(e.virtualServerIcons,e.virtualServerDisplayName),s=_N({mode:t,upstreams:r,clientDisplayName:e.clientDisplayName}),u=r.length===0?x`<div class="empty">This virtual server does not declare any upstream services.</div>`:x`<ul class="upstream-list">${r.map(m=>x`<li>${hN(m,e.gatewayOrigin)}</li>`)}</ul>`,d=yN({mode:t,state:e.state}),l=t==="grant"?x`<p class="fineprint"><span class="fineprint__icon" aria-hidden="true">${nw}</span><span><strong>${e.clientDisplayName}</strong> will receive a token scoped to <strong>${e.virtualServerDisplayName}</strong>. You can revoke access at any time.</span></p>`:x`<p class="fineprint"><span class="fineprint__icon" aria-hidden="true">${nw}</span><span>Authorization continues automatically once every required service is connected.</span></p>`,p=r.length>0?x`<span class="section-label__count">(${r.length})</span>`:ye;return Zt(x`<!doctype html><html lang="en"><head><meta charset="utf-8"><title>Authorize MCP access · ${e.virtualServerDisplayName}</title><meta name="viewport" content="width=device-width, initial-scale=1"><meta name="referrer" content="no-referrer"><meta name="robots" content="noindex"><style>${wN}</style></head><body><header class="topbar"><div class="topbar__inner"><div class="brand"><span class="brand__mark" aria-hidden="true">Z</span><span class="brand__name">Zuplo MCP Gateway</span></div>${n}</div></header><main class="shell-main"><div class="static-top"><div class="static-top__inner"><section class="hero"><h1 class="hero__title">Authorize access</h1><p class="hero__connection"><span class="hero__client">${e.clientDisplayName}</span><span class="hero__arrow" aria-label="will access">→</span><span class="hero__server">${i}${e.virtualServerDisplayName}</span></p>${a}</section>${s}</div></div><section class="upstream-region" aria-labelledby="upstreams-heading"><div class="upstream-region__head"><h2 id="upstreams-heading" class="section-label">Upstream services${p}</h2></div><div class="upstream-region__scroll"><div class="upstream-region__scroll-inner">${u}</div></div></section></main><div class="action-bar" role="region" aria-label="Authorization decision"><div class="action-bar__inner">${l}${d}</div></div></body></html>`)}o(rp,"renderConsentPage");function vN(e){try{return new URL(e).host}catch{return}}o(vN,"safeUrlHost");function RN(e){if(e.mode==="user_oauth"||e.mode==="tenant_shared_oauth")return e.oauth.scopes}o(RN,"readOAuthScopes");function np(e){return e!==void 0&&e.length>0}o(np,"hasItems");function bN(e){let t=e.registeredConnection.config.serverInfo?.icons;if(np(t))return t;let r=e.virtualServer.serverInfo?.icons;return e.virtualServer.connections.length===1&&np(r)?r:void 0}o(bN,"readServerIcons");async function CN(e){if(!(e.returnTo===void 0||!e.isUserOwned))return pl({requestUrl:e.requestUrl,owner:e.userOwner,initiatedBySubjectId:e.transaction.principal.subjectId,upstreamServerId:e.registeredConnection.upstreamServerId,authProfileId:e.registeredConnection.authProfileId,virtualServerId:e.virtualServer.virtualServerId,returnTo:e.returnTo})}o(CN,"readConnectUrl");function Fr(e,t){return t===void 0?{}:{[e]:t}}o(Fr,"optionalRequirementField");function IN(e){return e.isUserOwned?$g(e.connection):{connected:!0,status:"active"}}o(IN,"readSetupConnectionStatus");function TN(e){let t=RN(e);return np(t)?t:void 0}o(TN,"readScopesRequested");function AN(e){return e.isUserOwned&&"updatedAt"in e.connectionStatus&&e.connectionStatus.updatedAt!==void 0?e.connectionStatus.updatedAt:void 0}o(AN,"readUpdatedAt");function kN(e){if(e.virtualServer.catalog.catalogSource!=="openapi")return{tools:[],prompts:[],resources:[]};let t=o(r=>r.upstreamPolicyName===e.registeredConnection.policyName,"ownsCapability");return{tools:e.virtualServer.catalog.tools.filter(r=>r.enabled!==!1&&t(r)).map(ki),prompts:e.virtualServer.catalog.prompts.filter(r=>r.enabled!==!1&&t(r)).map(Pi),resources:e.virtualServer.catalog.resources.filter(r=>r.enabled!==!1&&t(r)).map(Ei)}}o(kN,"readVirtualServerCapabilities");async function PN(e){let{authConfig:t,authMode:r,config:n,upstreamServerId:a,authProfileId:i}=e.registeredConnection,s=Wi(r),u=s==="user",d=IN({connection:e.connection,isUserOwned:u}),l=await CN({...e,connected:d.connected,isUserOwned:u});return{upstreamServerId:a,authProfileId:i,authMode:r,ownerMode:s,upstreamDisplayName:n.displayName,status:d.status,connected:d.connected,capabilities:kN({registeredConnection:e.registeredConnection,virtualServer:e.virtualServer}),...Fr("description",n.description),...Fr("transportHost",vN(n.transport.baseUrl)),...Fr("scopesRequested",TN(t)),...Fr("serverIcons",bN({registeredConnection:e.registeredConnection,virtualServer:e.virtualServer})),...Fr("connectUrl",l),...Fr("updatedAt",AN({connectionStatus:d,isUserOwned:u})),...Fr("expiresAt",e.connection?.expiresAt)}}o(PN,"buildSetupRequirement");function sw(e){let t=st().byVirtualServerId.get(e);if(!t)throw g("unknown_virtual_server",`Unknown virtual server: ${e}`);return t}o(sw,"requireVirtualServer");async function op(e){let t=sw(e.transaction.virtualServerId),r=mr(e.transaction.principal.tenantId,e.transaction.principal.subjectId),n=[],a=new Map;for(let u of t.connections)Wi(u.authMode)==="user"&&(a.set(u,n.length),n.push({owner:r,upstreamServerId:u.upstreamServerId,authProfileId:u.authProfileId}));let i=await q().upstreamConnectionRepository.batchGet(n),s=[];for(let u of t.connections){let d=Wi(u.authMode)==="user",l=a.get(u);s.push(await PN({connection:d&&l!==void 0?i[l]:void 0,registeredConnection:u,virtualServer:t,requestUrl:e.requestUrl,returnTo:e.returnTo,transaction:e.transaction,userOwner:r}))}return s}o(op,"requirementsForSetup");function EN(e){return e.virtualServer.serverInfo?.title??e.virtualServer.serverInfo?.name??e.virtualServer.virtualServerId}o(EN,"readVirtualServerDisplayName");async function ap(e){let t=e.repository??q().downstreamOAuthRepository,r=sw(e.transaction.virtualServerId),n=EN({virtualServer:r}),a=await t.getDcrClient(e.transaction.clientId),i={gatewayOrigin:re(e.requestUrl),virtualServerDisplayName:n,clientDisplayName:a?.clientName??String(e.transaction.clientId),principalLabel:`${e.transaction.principal.subjectId} \xB7 ${e.transaction.principal.tenantId}`},s=r.serverInfo?.title;return s!==void 0&&s!==n&&(i.virtualServerDescription=s),i}o(ap,"consentContext");function cw(e){return e.some(t=>t.ownerMode==="user"&&t.status!=="active")}o(cw,"hasUnresolvedUserUpstream");var xN=["mcp_user"],ON="dev-browser-user",UN=["resource is required for /oauth/authorize.","MCP clients should start at the MCP server URL and follow its WWW-Authenticate resource_metadata link.","If your client reached this endpoint directly, use /oauth/authorize/mcp/{virtualServerId} or add resource={protected resource URI from protected-resource metadata}."].join(" "),zN=c.object({response_type:c.literal("code"),client_id:c.string().min(1),redirect_uri:c.string().min(1),resource:c.url(),code_challenge:c.string().min(43),code_challenge_method:Cn,state:c.string().min(1).optional(),scope:c.literal(ce).default(ce)}),NN=c.enum(["continue","approve","cancel"]).default("continue"),DN=c.object({state:c.string().min(1),decision:NN}),MN=c.object({state:c.string().min(1),apiKey:c.string().min(1)}),Zr=class extends Error{static{o(this,"DownstreamAuthorizeRedirectError")}redirectUri;clientState;errorCode;errorDescription;constructor(t){super(t.errorDescription?`${t.errorCode}: ${t.errorDescription}`:t.errorCode,t.cause===void 0?void 0:{cause:t.cause}),this.name="DownstreamAuthorizeRedirectError",this.redirectUri=t.redirectUri,this.clientState=t.clientState,this.errorCode=t.errorCode,this.errorDescription=t.errorDescription}};function uw(e){return typeof e=="string"&&e.length>0?e:void 0}o(uw,"readQueryString");function qN(e,t){let r=uw(e.query.resource);if(t===void 0){if(r!==void 0)return r;throw new U("invalid_target",UN)}let n=Nr(t,e.url);if(r===void 0||r===n)return n;throw new U("invalid_target","resource must match the scoped OAuth authorization endpoint resource.")}o(qN,"requireAuthorizeResource");async function $N(e,t,r){let n={virtualServerId:t};r!==void 0&&(n.context=r);let a=await ys(e,n);if(a.principal)return{principal:a.principal};if(!e.user)return a.evictCookie===void 0?{}:{setCookie:a.evictCookie};let i=ES(e);return{principal:i,setCookie:await la({principal:i,requestUrl:e.url,virtualServerId:t})}}o($N,"resolveBrowserPrincipal");async function LN(e,t,r){let n={virtualServerId:t};r!==void 0&&(n.context=r);let a=await ys(e,n);if(!a.principal)throw g("authentication_required","Authorization setup requires a current browser session.");return a.principal}o(LN,"requireSetupPrincipal");async function dw(e){let t=await op({transaction:e.transaction,requestUrl:e.requestUrl,returnTo:`/oauth/setup?state=${encodeURIComponent(e.csrfToken)}`}),r=await ap({transaction:e.transaction,requestUrl:e.requestUrl,...e.repository===void 0?{}:{repository:e.repository}}),n={kind:"setup_page",html:rp({state:e.csrfToken,virtualServerId:e.transaction.virtualServerId,upstreams:t,...r})};return e.setCookie!==void 0&&(n.setCookie=e.setCookie),n}o(dw,"renderSetup");function jN(e){return typeof e.decideAuthorizationSetup=="function"}o(jN,"usesRuntimeHttpAuthorizationOperations");function HN(e){if(e===void 0)return;let t=e.metadata.token_endpoint_auth_method;if(t==="private_key_jwt")throw new U("invalid_client","OAuth client authentication method is not supported.");return{clientId:e.clientId,clientName:e.metadata.client_name,tokenEndpointAuthMethod:t}}o(HN,"toAuthorizationTransactionClient");async function ip(e,t={}){let r=zN.parse({...e.query,resource:qN(e,t.virtualServerId),state:uw(e.query.state)}),n=Vr(r.scope);jn(r.redirect_uri);let a=q().downstreamOAuthRepository,i=new Date,s=le.parse(r.client_id),u=jN(a)&&s.startsWith("dcr:")?void 0:await ha(a,r.client_id,i);u!==void 0&&bs(u,r.redirect_uri);let d=u===void 0,l=d?Pt(e.url,r.resource):void 0;try{let p=l??Pt(e.url,r.resource),m=HN(u);t.context?.log.info({event:"oauth_authorize_request_parsed",clientId:s,virtualServerId:p.virtualServerId,scope:n,hasClientState:r.state!==void 0},"Downstream OAuth authorize: request parsed and client resolved");let f={clientId:u?.clientId??s,...m===void 0?{}:{client:m},redirectUri:r.redirect_uri,resource:r.resource,virtualServerId:p.virtualServerId,scope:n,codeChallenge:r.code_challenge,codeChallengeMethod:r.code_challenge_method,...r.state===void 0?{}:{clientState:r.state}},{principal:_,setCookie:S}=await $N(e,p.virtualServerId,t.context);if(!_){let w=await ZS({transaction:f,requestUrl:e.url,now:i,repository:a});t.context?.log.info({event:"oauth_authorize_awaiting_login",clientId:s,virtualServerId:p.virtualServerId},"Downstream OAuth authorize: redirecting to browser login (no session)");let v={kind:"redirect",location:w.browserLoginUrl};return S!==void 0&&(v.setCookie=S),v}let y=await KS({transaction:f,principal:_,now:i,repository:a});return t.context?.log.info({event:"oauth_authorize_awaiting_setup",clientId:s,virtualServerId:p.virtualServerId,tenantId:_.tenantId,subjectId:_.subjectId},"Downstream OAuth authorize: rendering consent/setup page"),dw({transaction:y.transaction,csrfToken:y.csrfToken,requestUrl:e.url,repository:a,setCookie:S})}catch(p){throw d?p:GN({redirectUri:r.redirect_uri,clientState:r.state,cause:p})}}o(ip,"authorizeDownstreamClient");function GN(e){if(e.cause instanceof Zr)return e.cause;let t=BN(e.cause);return t?new Zr({redirectUri:e.redirectUri,clientState:e.clientState,errorCode:t.errorCode,errorDescription:t.errorDescription,cause:e.cause}):e.cause}o(GN,"toDownstreamAuthorizeRedirectError");function BN(e){if(e instanceof U)return{errorCode:e.errorCode,errorDescription:e.message};if(e instanceof c.ZodError){let t=e.issues[0];return{errorCode:t?.path.includes("resource")?"invalid_target":"invalid_request",errorDescription:t?.message}}}o(BN,"mapToOAuthRedirectError");async function lw(e,t={}){let r=typeof e.query.error=="string"?e.query.error:void 0;if(r){let p=typeof e.query.error_description=="string"?e.query.error_description.slice(0,256):void 0,m=typeof e.query.error_uri=="string"?e.query.error_uri.slice(0,256):void 0;throw t.context?.log.warn({event:"browser_login_callback_idp_error",code:"provider_access_denied",idpError:r,...p===void 0?{}:{idpErrorDescription:p},...m===void 0?{}:{idpErrorUri:m}},"Identity provider redirected browser-login callback with an error"),g("provider_access_denied",p??"The delegated browser login was not completed.")}let n=typeof e.query.state=="string"?e.query.state:void 0;if(!n)throw t.context?.log.warn({event:"browser_login_callback_state_missing",code:"oauth_state_invalid"},"Browser login callback was invoked without a state parameter"),g("oauth_state_invalid","Browser login callback is missing state.");let a=await Rs(n),i={request:e,stateId:a.stateId};t.context!==void 0&&(i.context=t.context);let s=await OS(i),u=q().downstreamOAuthRepository,d=await Jl({browserLoginStateToken:n,principal:s,repository:u}),l=await dw({transaction:d.transaction,csrfToken:d.csrfToken,requestUrl:e.url,repository:u});return l.setCookie=await la({principal:s,requestUrl:e.url,virtualServerId:d.transaction.virtualServerId}),l}o(lw,"completeBrowserLoginCallback");async function pw(e){let t=ve();if(!t.devTenantId)throw g("authentication_required","Local browser login requires the `devTenantId` policy option on mcp-oauth-inbound.");let r=new URL(e.url);if(!Le(r))throw g("forbidden","Local browser login is only available on loopback HTTP origins.");let n=typeof e.query.state=="string"?e.query.state:void 0;if(!n)throw g("oauth_state_invalid","Local browser login is missing state.");let a=new URL(typeof e.query.redirect_uri=="string"?e.query.redirect_uri:"/oauth/callback",re(e.url)),i=new URL(re(e.url)).origin;if(a.origin!==i||a.pathname!=="/oauth/callback")throw g("oauth_callback_mismatch","Local browser login redirect_uri must target this gateway's /oauth/callback route.");a.searchParams.set("state",n);let s={subjectId:X.parse(ON),tenantId:ue.parse(t.devTenantId),roles:xN};return{kind:"redirect",location:a,setCookie:await la({principal:s,requestUrl:e.url})}}o(pw,"completeLocalDevBrowserLogin");async function mw(e){let t=MN.parse(e.body),r=q().downstreamOAuthRepository,n=await WS({browserLoginStateToken:t.state,repository:r}),a=await xS({apiKey:t.apiKey,virtualServerId:n.virtualServerId}),i=await Jl({browserLoginStateToken:t.state,principal:a,repository:r});await Fy({apiKey:t.apiKey,principal:a,virtualServerId:i.transaction.virtualServerId});let s=new URL("/oauth/setup",gt(e.request.url));return s.searchParams.set("state",i.csrfToken),{kind:"redirect",location:s,setCookie:await la({principal:a,requestUrl:e.request.url,virtualServerId:i.transaction.virtualServerId})}}o(mw,"completeApiKeyBrowserLogin");function VN(e){let t=e.method==="POST"?e.body:e.query;return DN.parse(t)}o(VN,"readSetupContinueRequest");async function hw(e){let{state:t,decision:r}=VN({method:e.request.method,query:e.request.query,body:e.body}),n=q().downstreamOAuthRepository,a=new Date,i=await Yl({csrfToken:t,now:a,repository:n}),s=await LN(e.request,i.virtualServerId,e.context);if(r==="cancel")return{kind:"redirect",location:await QS({csrfToken:t,currentBrowserPrincipal:s,now:a,repository:n})};let u=await ma({csrfToken:t,currentBrowserPrincipal:s,now:a,repository:n}),d=await op({transaction:u,requestUrl:e.request.url,returnTo:`/oauth/setup?state=${encodeURIComponent(t)}`});if(r==="continue"||cw(d)){let l=await ap({repository:n,transaction:u,requestUrl:e.request.url});return{kind:"setup_page",html:rp({state:t,virtualServerId:u.virtualServerId,upstreams:d,...l})}}return{kind:"redirect",location:await XS({csrfToken:t,currentBrowserPrincipal:s,now:a,repository:n})}}o(hw,"continueDownstreamAuthorizeSetup");Y();var FN=new Set(["authorization_code","refresh_token"]),ZN=c.discriminatedUnion("grant_type",[c.object({grant_type:c.literal("authorization_code"),code:c.string().min(1),redirect_uri:c.string().min(1),client_id:c.string().min(1).optional(),code_verifier:zi,resource:c.url().optional(),scope:c.literal(ce).optional(),client_secret:c.string().min(1).optional()}),c.object({grant_type:c.literal("refresh_token"),refresh_token:c.string().min(1),client_id:c.string().min(1).optional(),resource:c.url().optional(),scope:c.literal(ce).optional(),client_secret:c.string().min(1).optional()})]);function KN(e){if(typeof e!="object"||e===null)return;let t=e.grant_type;if(t!==void 0&&(typeof t!="string"||!FN.has(t)))throw new U("unsupported_grant_type",`Grant type "${typeof t=="string"?t:""}" is not supported.`)}o(KN,"assertSupportedGrantType");var WN=c.object({token:c.string().min(1),client_id:c.string().min(1).optional(),token_type_hint:c.string().optional(),client_secret:c.string().min(1).optional()});function gw(){return ve().gateway.accessTokenTtlSeconds}o(gw,"readAccessTokenTtlSeconds");function _w(){return ve().gateway.refreshTokenTtlSeconds}o(_w,"readRefreshTokenTtlSeconds");async function fw(e){if(!e.client.hashedClientSecret||!e.clientSecret||e.clientSecretSource!==e.requiredSource)throw new U("invalid_client",e.missingMessage);if(!await bg({value:e.clientSecret,expectedHash:e.client.hashedClientSecret}))throw new U("invalid_client","Client authentication failed.")}o(fw,"requireClientSecretAuthentication");async function yw(e){switch(e.client.metadata.token_endpoint_auth_method){case"none":if(e.clientSecret)throw new U("invalid_request","Public clients must not authenticate with client_secret.");return;case"client_secret_basic":await fw({...e,requiredSource:"basic",missingMessage:"Client authentication with HTTP Basic is required."});return;case"client_secret_post":await fw({...e,requiredSource:"post",missingMessage:"Client authentication with client_secret_post is required."});return;case"private_key_jwt":throw new U("invalid_client","private_key_jwt client authentication is not supported.")}}o(yw,"requireClientAuthentication");function sp(e,t){let r=gw(),n=Math.max(1,Math.floor((new Date(t).getTime()-e.getTime())/1e3)),a=Math.min(r,n);return{expiresAt:O(ft(e,a)),expiresIn:a}}o(sp,"calculateAccessTokenExpiresAt");async function JN(e){let t=Ke(),r=await F(t),n=sp(e.now,e.grant.expiresAt);return await e.repository.saveAccessToken({tokenHash:r,grantId:e.grant.id,clientId:e.grant.clientId,resource:e.grant.resource,virtualServerId:e.grant.virtualServerId,tenantId:e.grant.tenantId,subjectId:e.grant.subjectId,scope:e.grant.scope,roles:e.grant.roles,createdAt:O(e.now),expiresAt:n.expiresAt}),{accessToken:t,expiresIn:n.expiresIn}}o(JN,"issueOpaqueAccessToken");function Sw(e){if(!e?.startsWith("Basic "))return{};let t;try{t=atob(e.slice(6))}catch{throw new U("invalid_client","Malformed HTTP Basic client authentication.")}let r=t.indexOf(":");if(r<0)throw new U("invalid_client","Malformed HTTP Basic client authentication.");try{return{clientId:decodeURIComponent(t.slice(0,r)),clientSecret:decodeURIComponent(t.slice(r+1))}}catch{throw new U("invalid_client","Malformed HTTP Basic client authentication.")}}o(Sw,"readBasicClientSecret");function ww(e){if(e.basicClientId!==void 0&&e.bodyClientId!==void 0&&e.basicClientId!==e.bodyClientId)throw new U("invalid_request","Authenticated client_id must match request client_id.");let t=e.basicClientId??e.bodyClientId;if(t===void 0)throw new U("invalid_client","Client authentication or client_id is required.");return t}o(ww,"resolveAuthenticatedClientId");function vw(e){if(e.basicClientSecret!==void 0&&e.bodyClientSecret!==void 0)throw new U("invalid_request","Use only one client authentication method per request.");return e.basicClientSecret!==void 0?{clientSecret:e.basicClientSecret,clientSecretSource:"basic"}:e.bodyClientSecret!==void 0?{clientSecret:e.bodyClientSecret,clientSecretSource:"post"}:{}}o(vw,"resolveClientSecretInput");function Rw(e){return typeof e.exchangeAuthorizationCodeWithClientAuth=="function"&&typeof e.refreshTokenWithClientAuth=="function"&&typeof e.revokeOAuthTokenWithClientAuth=="function"}o(Rw,"usesRuntimeHttpTokenOperations");async function bw(e){let t=le.parse(e.clientId);return e.clientSecret===void 0?{method:"none",clientId:t}:{method:e.clientSecretSource==="post"?"client_secret_post":"client_secret_basic",clientId:t,clientSecretHashInput:await F(e.clientSecret)}}o(bw,"buildRuntimeHttpClientAuth");async function Cw(e){KN(e.body);let t=ZN.parse(e.body),r=Sw(e.authorizationHeader),n=ww({basicClientId:r.clientId,bodyClientId:t.client_id}),a=q().downstreamOAuthRepository,i=new Date,s=vw({basicClientSecret:r.clientSecret,bodyClientSecret:t.client_secret});if(Rw(a))return YN({parsed:t,clientId:n,clientSecretInput:s,now:i,repository:a,requestUrl:e.requestUrl});let u=await ha(a,n,i);if(await yw({client:u,...s}),t.grant_type==="authorization_code"){jn(t.redirect_uri),bs(u,t.redirect_uri),Vr(t.scope),t.resource!==void 0&&Pt(e.requestUrl??t.resource,t.resource);let S=Ke(),y=Ke(),w=O(ft(i,_w())),v=sp(i,w),R=await a.exchangeAuthorizationCode({codeHash:await F(t.code),clientId:u.clientId,redirectUri:t.redirect_uri,...t.resource===void 0?{}:{resource:t.resource},codeChallenge:await Ld(t.code_verifier),currentRefreshTokenHash:await F(S),accessTokenHash:await F(y),now:i,grantExpiresAt:w,accessTokenExpiresAt:v.expiresAt});if(R.kind==="resource_mismatch")throw new U("invalid_target","Token request resource must match the authorization code resource.");if(R.kind!=="exchanged")throw new U("invalid_grant","Authorization code is invalid, expired, already used, or failed binding validation.");return e.context?.log.info({event:"oauth_token_issued",grantType:"authorization_code",clientId:u.clientId,scope:R.grant.scope,resource:R.grant.resource,expiresInSeconds:v.expiresIn},"OAuth access token issued (authorization_code grant)"),{access_token:y,token_type:"Bearer",expires_in:v.expiresIn,refresh_token:S,scope:R.grant.scope,resource:R.grant.resource}}Vr(t.scope);let d=await F(t.refresh_token);t.resource!==void 0&&Pt(e.requestUrl??t.resource,t.resource);let l=Ke(),p=await F(l),m=await a.rotateRefreshToken({currentTokenHash:d,nextTokenHash:p,clientId:u.clientId,...t.resource===void 0?{}:{resource:t.resource},now:i});if(m.kind==="resource_mismatch")throw new U("invalid_target","Token request resource must match the refresh token grant resource.");if(m.kind!=="rotated")throw new U("invalid_grant","Refresh token is invalid, expired, or revoked.");let f=m.grant;if(f.revokedAt||f.clientId!==u.clientId)throw new U("invalid_grant","Refresh token grant is invalid or revoked.");Pt(e.requestUrl??f.resource,f.resource);let _=await JN({repository:a,grant:f,now:i});return e.context?.log.info({event:"oauth_token_refresh_rotated",grantType:"refresh_token",clientId:u.clientId,scope:f.scope,resource:f.resource,expiresInSeconds:_.expiresIn},"OAuth refresh token rotated and access token issued"),{access_token:_.accessToken,token_type:"Bearer",expires_in:_.expiresIn,refresh_token:l,scope:f.scope,resource:f.resource}}o(Cw,"exchangeDownstreamToken");async function YN(e){let t=await bw({clientId:e.clientId,...e.clientSecretInput});if(e.parsed.grant_type==="authorization_code"){jn(e.parsed.redirect_uri),Vr(e.parsed.scope),e.parsed.resource!==void 0&&Pt(e.requestUrl??e.parsed.resource,e.parsed.resource);let u=Ke(),d=Ke(),l=O(ft(e.now,_w())),p=sp(e.now,l),m=await e.repository.exchangeAuthorizationCodeWithClientAuth({clientAuth:t,codeHash:await F(e.parsed.code),redirectUri:e.parsed.redirect_uri,...e.parsed.resource===void 0?{}:{resource:e.parsed.resource},codeChallenge:await Ld(e.parsed.code_verifier),currentRefreshTokenHash:await F(u),accessTokenHash:await F(d),grantExpiresAt:l,accessTokenExpiresAt:p.expiresAt,now:O(e.now)});if(m.kind==="invalid_client")throw new U("invalid_client","Client authentication failed.");if(m.kind==="resource_mismatch")throw new U("invalid_target","Token request resource must match the authorization code resource.");if(m.kind!=="exchanged")throw new U("invalid_grant","Authorization code is invalid, expired, already used, or failed binding validation.");return{access_token:d,token_type:"Bearer",expires_in:p.expiresIn,refresh_token:u,scope:m.grant.scope,resource:m.grant.resource}}Vr(e.parsed.scope),e.parsed.resource!==void 0&&Pt(e.requestUrl??e.parsed.resource,e.parsed.resource);let r=Ke(),n=Ke(),a=O(ft(e.now,gw())),i=await e.repository.refreshTokenWithClientAuth({clientAuth:t,currentRefreshTokenHash:await F(e.parsed.refresh_token),nextRefreshTokenHash:await F(r),accessTokenHash:await F(n),...e.parsed.resource===void 0?{}:{resource:e.parsed.resource},accessTokenExpiresAt:a,now:O(e.now)});if(i.kind==="invalid_client")throw new U("invalid_client","Client authentication failed.");if(i.kind==="resource_mismatch")throw new U("invalid_target","Token request resource must match the refresh token grant resource.");if(i.kind!=="rotated")throw new U("invalid_grant","Refresh token is invalid, expired, or revoked.");Pt(e.requestUrl??i.grant.resource,i.grant.resource);let s=i.accessToken.expiresAt;return{access_token:n,token_type:"Bearer",expires_in:Math.max(1,Math.floor((new Date(s).getTime()-e.now.getTime())/1e3)),refresh_token:r,scope:i.grant.scope,resource:i.grant.resource}}o(YN,"exchangeDownstreamTokenWithRuntimeHttp");async function Iw(e){let t=WN.parse(e.body),r=Sw(e.authorizationHeader),n=ww({basicClientId:r.clientId,bodyClientId:t.client_id}),a=q().downstreamOAuthRepository,i=vw({basicClientSecret:r.clientSecret,bodyClientSecret:t.client_secret});if(Rw(a)){let d=new Date;if((await a.revokeOAuthTokenWithClientAuth({clientAuth:await bw({clientId:n,...i}),tokenHash:await F(t.token),now:O(d)})).kind==="invalid_client")throw new U("invalid_client","Client authentication failed.");return}let s=await ha(a,n,new Date);await yw({client:s,...i});let u=await F(t.token);await a.revokeOAuthToken({tokenHash:u,clientId:s.clientId,now:new Date}),e.context?.log.info({event:"oauth_token_revoked",clientId:s.clientId,...t.token_type_hint===void 0?{}:{tokenTypeHint:t.token_type_hint}},"OAuth token revocation request processed")}o(Iw,"revokeDownstreamToken");var XN=64*1024,QN=16*1024,eD="text/html; charset=utf-8";function tD(e){let t={};for(let[r,n]of e.entries())t[r]=n;return t}o(tD,"formDataToObject");async function rD(e){return SS(e,{maxBytes:XN,label:"Request body"})}o(rD,"readJsonBody");async function Ts(e){return tD(await gs(e,{maxBytes:QN,label:"Request body"}))}o(Ts,"readFormBody");async function As(e,t,r){let n=de(r),a=r instanceof c.ZodError?Tw(r):r instanceof Error?r.message:void 0,i={code:n??"invalid_request"};return a!==void 0&&(i.detail=a),Ze(e,t,i)}o(As,"handleProblem");function fa(e){let t=new Headers(e.headers);t.set("cache-control","no-store"),t.set("pragma","no-cache");let r={error:e.error};return e.errorDescription!==void 0&&(r.error_description=e.errorDescription),Response.json(r,{status:e.status??400,headers:t})}o(fa,"oauthErrorResponse");function nD(e,t){return e.errorCode!=="invalid_client"?{}:t.includeInvalidClientChallenge===!1?{}:{"WWW-Authenticate":'Basic realm="OAuth"'}}o(nD,"readOAuthProtocolHeaders");function oD(e,t){let r=Fe("internal_server_error");return fa({error:e.errorCode,errorDescription:e.errorCode==="server_error"?r.publicDetail:e.message,status:e.status,headers:nD(e,t)})}o(oD,"oauthProtocolErrorResponse");function aD(e){return e.issues[0]?.path.includes("resource")===!0?"invalid_target":"invalid_request"}o(aD,"readZodOAuthErrorCode");function iD(e){let t={error:aD(e)},r=Tw(e);return r!==void 0&&(t.errorDescription=r),fa(t)}o(iD,"oauthZodErrorResponse");function sD(e){let t=de(e);if(t===void 0)return;let r=Fe(t);if(r.oauthError===void 0)return;let n={error:r.oauthError,status:uD(r.oauthError)};return r.oauthError==="server_error"?n.errorDescription=r.publicDetail:e instanceof Error?n.errorDescription=e.message:n.errorDescription=r.publicDetail,fa(n)}o(sD,"oauthGatewayProblemResponse");function cD(){let t={error:"server_error",status:500,errorDescription:Fe("internal_server_error").publicDetail};return fa(t)}o(cD,"oauthFallbackErrorResponse");function uD(e){switch(e){case"invalid_client":return 401;case"server_error":return 500;default:return 400}}o(uD,"readOAuthStatus");function Hn(e,t={}){return e instanceof Zr?dD(e):e instanceof U?oD(e,t):e instanceof c.ZodError?iD(e):sD(e)??cD()}o(Hn,"oauthProblemResponse");function Et(e,t,r){let n={event:t},a=!1;if(r instanceof U)n.oauthError=r.errorCode,n.status=r.status,Ae(n,"error",r);else if(r instanceof Zr)n.oauthError=r.errorCode,Ae(n,"error",r);else if(r instanceof c.ZodError){n.code="invalid_request",Ae(n,"error",r);let i=r.issues[0];i&&(n.zodPath=i.path.join("."))}else{let i=de(r);if(i!==void 0){let s=Fe(i);n.code=i,n.status=s.status,s.oauthError!==void 0&&(n.oauthError=s.oauthError),a=s.status>=500||s.oauthError==="server_error",Ae(n,"error",r)}else a=!0,Ae(n,"error",r)}if(a){let i=r instanceof Error?r:new Error("Non-Error thrown from OAuth handler",{cause:r});e.log.error(n,i.message)}else e.log.warn(n,"OAuth handler rejected the request")}o(Et,"logUnexpectedOAuthHandlerError");function dD(e){let t;try{t=new URL(e.redirectUri)}catch{return fa({error:e.errorCode,...e.errorDescription===void 0?{}:{errorDescription:e.errorDescription}})}t.searchParams.set("error",e.errorCode),e.errorDescription!==void 0&&t.searchParams.set("error_description",e.errorDescription),e.clientState!==void 0&&t.searchParams.set("state",e.clientState);let r=new Headers({location:t.toString(),"cache-control":"no-store"});return new Response(null,{status:302,headers:r})}o(dD,"downstreamAuthorizeRedirectErrorResponse");function Tw(e){let t=e.issues[0];if(!t)return;let r=t.path.join(".");return r?`${r}: ${t.message}`:t.message}o(Tw,"formatZodErrorDetail");function lD(e,t){let r={event:"browser_login_callback_failed",code:de(t)??"invalid_request"};Ae(r,"error",t),e.log.warn(r,"Browser login callback failed; client received a connection-failure page")}o(lD,"logBrowserLoginCallbackFailure");function cp(e){e.location.hash||(e.location.hash="#");let t=new Headers({location:e.location.toString(),"cache-control":"no-store"});return e.setCookie&&t.append("set-cookie",e.setCookie),new Response(null,{status:302,headers:t})}o(cp,"redirectResultResponse");function ks(e){if(e.kind==="setup_page"){let t=new Headers({"content-type":eD,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"});return e.setCookie&&t.append("set-cookie",e.setCookie),new Response(e.html,{status:200,headers:t})}return cp(e)}o(ks,"authorizeResultResponse");async function Aw(e,t){try{return Response.json(qd(e.url))}catch(r){return Et(t,"oauth_authorization_server_metadata_failed",r),As(e,t,r)}}o(Aw,"authorizationServerMetadataHandler");async function kw(e,t){try{let r=me.parse(e.params.virtualServerId),n=zo(r);return Response.json(Sg({virtualServerId:n.virtualServerId,requestUrl:e.url}))}catch(r){return Et(t,"oauth_authorization_server_metadata_failed",r),As(e,t,r)}}o(kw,"scopedAuthorizationServerMetadataHandler");async function Pw(e,t){try{let r=await tw(await rD(e)),n=r;return t.log.info({event:"oauth_dcr_client_registered",clientId:typeof n.client_id=="string"?n.client_id:void 0,clientName:typeof n.client_name=="string"?n.client_name:void 0,redirectUriCount:Array.isArray(n.redirect_uris)?n.redirect_uris.length:void 0,tokenEndpointAuthMethod:typeof n.token_endpoint_auth_method=="string"?n.token_endpoint_auth_method:void 0},"OAuth Dynamic Client Registration completed"),Response.json(r,{status:201,headers:{"cache-control":"no-store"}})}catch(r){return Et(t,"oauth_register_failed",r),Hn(r)}}o(Pw,"registerHandler");async function Ew(e,t){try{return ks(await ip(e,{context:t}))}catch(r){return Et(t,"oauth_authorize_failed",r),Hn(r,{includeInvalidClientChallenge:!1})}}o(Ew,"authorizeHandler");async function xw(e,t){try{let r=me.parse(e.params.virtualServerId),n=zo(r);return ks(await ip(e,{virtualServerId:n.virtualServerId,context:t}))}catch(r){return Et(t,"oauth_authorize_scoped_failed",r),Hn(r,{includeInvalidClientChallenge:!1})}}o(xw,"scopedAuthorizeHandler");async function Ow(e,t){try{let r=await lw(e,{context:t});return t.log.info({event:"browser_login_callback_completed",resultKind:r.kind},"Browser login callback completed; consent setup rendered"),ks(r)}catch(r){return lD(t,r),As(e,t,r)}}o(Ow,"callbackHandler");async function Uw(e,t){try{return cp(await pw(e))}catch(r){return Et(t,"oauth_dev_login_failed",r),Hn(r)}}o(Uw,"devLoginHandler");async function zw(e,t){try{if(e.method==="GET"){let r=typeof e.query.state=="string"?e.query.state:void 0;return r?bS(r):Vl(400)}return e.method!=="POST"?new Response(null,{status:405,headers:{allow:"GET, POST"}}):cp(await mw({request:e,body:await Ts(e)}))}catch(r){return Et(t,"oauth_api_key_login_failed",r),Vl()}}o(zw,"apiKeyLoginHandler");async function Nw(e,t){try{if(!["GET","POST"].includes(e.method))return new Response(null,{status:405,headers:{allow:"GET, POST"}});let r=await hw({request:e,body:e.method==="POST"?await Ts(e):void 0,context:t});return ks(r)}catch(r){return Et(t,"oauth_setup_failed",r),As(e,t,r)}}o(Nw,"setupHandler");async function Dw(e,t){try{return Response.json(await Cw({body:await Ts(e),authorizationHeader:e.headers.get("authorization"),requestUrl:e.url,context:t}),{headers:{"cache-control":"no-store",pragma:"no-cache"}})}catch(r){return Et(t,"oauth_token_failed",r),Hn(r)}}o(Dw,"tokenHandler");async function Mw(e,t){try{return await Iw({body:await Ts(e),authorizationHeader:e.headers.get("authorization"),context:t}),new Response(null,{status:200,headers:{"cache-control":"no-store"}})}catch(r){return Et(t,"oauth_revoke_failed",r),Hn(r)}}o(Mw,"revokeHandler");var pD={connect:"Connect",app_password:"App password",callback_authorization_code:"Callback",callback_provider_error:"Callback",callback_invalid:"Callback",client_metadata:"Client metadata"},qw=new Ut("upstream-request");function mD(e){let t=qw.get(e);if(!t)throw g("internal_server_error","Upstream request context has not been set");return t}o(mD,"readUpstreamRequestContext");function hD(e,t){return t.some(r=>r===e)}o(hD,"requestContextMatchesKind");function fD(e){return typeof e=="string"?[e]:e}o(fD,"toExpectedKinds");function Kr(e,t){qw.set(e,t)}o(Kr,"setUpstreamRequestContext");function Wr(e,t){let r=mD(e),n=fD(t);if(!hD(r.kind,n)){let a=pD[n[0]];throw g("internal_server_error",`${a} request context has not been set`)}return r}o(Wr,"requireUpstreamRequestContext");var gD="text/html; charset=utf-8",_D="none";function $w(e){return x`<!doctype html><html><head><title>${e.title}</title><meta name="viewport" content="width=device-width, initial-scale=1"></head><body data-gateway-error-code="${e.code??_D}"><main><h1>${e.title}</h1><p>${e.body}</p></main></body></html>`}o($w,"browserResultHtml");function Lw(e,t=200){return new Response(Zt(e),{status:t,headers:{"content-type":gD,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"}})}o(Lw,"browserResultResponse");function Ps(e){return Lw($w(e))}o(Ps,"browserConnectionSuccessResponse");function Gn(e){let t=Mf(e);return Lw($w({title:t.title,body:t.body,code:e}),400)}o(Gn,"browserConnectionFailureResponse");var yD="text/html; charset=utf-8",SD=16*1024;function wD(e,t=200){return new Response(Zt(e),{status:t,headers:{"content-type":yD,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"}})}o(wD,"htmlResponse");function vD(e,t){return Response.redirect(new URL(t,e).toString(),302)}o(vD,"safeRedirect");function RD(e){if(!e)throw g("oauth_state_invalid","App password capture requires a signed browser ticket.");return e}o(RD,"requireBrowserTicket");function bD(e,t){return[e.ownerMode!=="user"||e.upstreamServerId!==t.upstreamServerId||t.virtualServerId!==void 0&&e.virtualServerId!==t.virtualServerId].every(n=>!n)}o(bD,"appPasswordTicketMatchesTarget");async function jw(e){let t=RD(e.browserTicket),r=await es(t);if(!bD(r,e))throw g("oauth_callback_mismatch","App password capture ticket did not match the requested upstream flow.");return{upstreamServerId:e.upstreamServerId,authProfileId:r.authProfileId,virtualServerId:r.virtualServerId,browserTicket:t,ticket:r}}o(jw,"readAppPasswordTarget");function CD(e){let t=yl(e.upstreamServerId,e.authProfileId),r=`/auth/connections/${encodeURIComponent(e.upstreamServerId)}/app-password`,n=t.kind==="basic_auth_app_password"?x`<label for="username">${t.usernameLabel}</label><input id="username" name="username" required autocomplete="username"><label for="appPassword">${t.passwordLabel}</label><input id="appPassword" name="appPassword" type="password" required autocomplete="current-password">`:x`<label for="token">${t.label}</label><input id="token" name="token" type="password" required autocomplete="off">`;return wD(x`<!doctype html><html><head><title>Connect upstream</title><meta name="viewport" content="width=device-width, initial-scale=1"><style>body{font-family:system-ui,-apple-system,BlinkMacSystemFont,"Segoe UI",sans-serif;margin:0;padding:32px;background:#f8fafc;color:#0f172a}main{max-width:440px;margin:0 auto;background:white;border:1px solid #dbe3ee;border-radius:8px;padding:24px;box-shadow:0 1px 2px rgba(15,23,42,.06)}label{display:block;font-size:14px;font-weight:600;margin:16px 0 6px}input{box-sizing:border-box;width:100%;border:1px solid #b8c3d4;border-radius:6px;padding:10px 12px;font:inherit}button{margin-top:20px;border:0;border-radius:6px;background:#0f172a;color:white;padding:10px 14px;font:inherit;font-weight:600;cursor:pointer}p{color:#475569;line-height:1.5}</style></head><body><main><h1>Connect upstream</h1><p>Enter the per-user credential for this approved upstream. The gateway stores it encrypted and keeps it out of MCP client configuration.</p><form method="post" action="${r}" autocomplete="off"><input type="hidden" name="browserTicket" value="${e.browserTicket}">${n}<button type="submit">Connect</button></form></main></body></html>`)}o(CD,"renderCaptureForm");function Es(e,t){let r=e.get(t);if(typeof r!="string"||r.length===0)throw g("invalid_request",`Missing form field: ${t}`);return r}o(Es,"readRequiredFormValue");function ID(e){return{upstreamServerId:e.upstreamServerId,...e.virtualServerId===void 0?{}:{virtualServerId:e.virtualServerId},...e.browserTicket===void 0?{}:{browserTicket:e.browserTicket}}}o(ID,"readCaptureFormTargetInput");async function TD(e){return CD(await jw(ID(e)))}o(TD,"handleCaptureFormRequest");async function AD(e){let t=await gs(e.request,{maxBytes:SD,label:"App password request body"});return{form:t,target:await jw({upstreamServerId:e.upstreamServerId,browserTicket:Es(t,"browserTicket")})}}o(AD,"readSubmittedAppPasswordTarget");async function kD(e){let t=Pn(e.target.ticket);if(await ts(e.target.ticket),yl(e.target.upstreamServerId,e.target.authProfileId).kind==="bearer_token"){await rs({owner:t,initiatedBySubjectId:e.target.ticket.initiatedBySubjectId,upstreamServerId:e.target.upstreamServerId,authProfileId:e.target.authProfileId,token:Es(e.form,"token")});return}await dy({owner:t,initiatedBySubjectId:e.target.ticket.initiatedBySubjectId,upstreamServerId:e.target.upstreamServerId,authProfileId:e.target.authProfileId,username:Es(e.form,"username"),appPassword:Es(e.form,"appPassword")})}o(kD,"saveSubmittedAppPasswordCredential");function PD(e,t){return t.ticket.returnTo?vD(e,t.ticket.returnTo):Ps({title:"Connection complete",body:"The upstream credential was saved. Return to your MCP client and retry the request."})}o(PD,"appPasswordSuccessResponse");async function ED(e){let t=await AD({request:e.request,upstreamServerId:e.appPasswordRequest.upstreamServerId});return await kD(t),PD(e.request.url,t.target)}o(ED,"handleAppPasswordSubmission");function xD(){return new Response(null,{status:405,headers:{Allow:"GET, POST"}})}o(xD,"methodNotAllowedResponse");function OD(e){let t=de(e);return Gn(wi(t)?t:"oauth_state_invalid")}o(OD,"appPasswordFailureResponse");async function UD(e){switch(e.request.method){case"GET":return TD(e.appPasswordRequest);case"POST":return ED(e);default:return xD()}}o(UD,"handleAppPasswordMethod");async function up(e,t){let r=Wr(t,"app_password");try{return await UD({request:e,appPasswordRequest:r})}catch(n){return OD(n)}}o(up,"appPasswordHandler");var zD=["callback_authorization_code","callback_provider_error","callback_invalid"];function ND(e){return"cause"in e?e.cause:void 0}o(ND,"readErrorCause");function DD(e){return e.stack?.split(`
1272
+ `).slice(1,4).map(t=>t.trim()).join(" | ")}o(DD,"readFirstStackFrame");function Hw(e,t,r){r instanceof Error&&(e[`${t}Name`]=r.name,e[`${t}Message`]=r.message,e[`${t}StackFrame`]=DD(r))}o(Hw,"addErrorAttributes");function MD(e,t){switch(t.kind){case"callback_provider_error":return e.log.warn({event:"upstream_oauth_provider_error",code:"provider_access_denied",upstreamServerId:t.upstreamServerId,providerError:t.error,...t.errorDescription===void 0?{}:{providerErrorDescription:t.errorDescription.slice(0,256)}},"Upstream identity provider returned an error to the OAuth callback"),We(e,{eventType:H.MCP_GATEWAY_AUTH_UPSTREAM_TOKEN_EXCHANGE_FAILED,outcome:"failure",upstreamServerName:t.upstreamServerId,reasonCode:"provider_access_denied",reasonClass:"auth",attributes:{error:t.error,errorDescription:t.errorDescription}}),Gn("provider_access_denied");case"callback_invalid":return e.log.warn({event:"upstream_oauth_callback_invalid",code:"oauth_state_invalid",upstreamServerId:t.upstreamServerId},"Upstream OAuth callback request missing required code/state parameters"),Gn("oauth_state_invalid");case"callback_authorization_code":return t}}o(MD,"requireAuthorizationCallbackRequest");function qD(e,t){We(e,{eventType:H.MCP_GATEWAY_AUTH_UPSTREAM_CALLBACK_RECEIVED,outcome:"success",upstreamServerName:t.upstreamServerId})}o(qD,"emitCallbackReceivedAnalyticsEvent");function $D(e,t){We(e,{eventType:H.MCP_GATEWAY_AUTH_UPSTREAM_TOKEN_EXCHANGE_SUCCEEDED,outcome:"success",upstreamServerName:t.upstreamServerId,virtualServerName:t.virtualServerId})}o($D,"emitTokenExchangeSucceededAnalyticsEvent");function LD(e,t){if(t.returnTo){let r=t.returnOrigin??e.url;return Response.redirect(new URL(t.returnTo,r).toString(),302)}return Ps({title:"Connection complete",body:"The upstream authorization flow completed successfully. You can return to your MCP client."})}o(LD,"buildSuccessfulCallbackResponse");function jD(e){let t={detail:e instanceof Error?e.message:void 0};return Hw(t,"error",e),e instanceof Error&&Hw(t,"cause",ND(e)),t}o(jD,"buildTokenExchangeFailureAttributes");function HD(e){We(e.context,{eventType:H.MCP_GATEWAY_AUTH_UPSTREAM_TOKEN_EXCHANGE_FAILED,outcome:"failure",upstreamServerName:e.callbackRequest.upstreamServerId,reasonCode:de(e.error)??"token_exchange_failed",reasonClass:"auth",errorType:e.error instanceof Error?e.error.name:"unknown",attributes:jD(e.error)})}o(HD,"emitTokenExchangeFailedAnalyticsEvent");function GD(e){let t=de(e);return Gn(wi(t)?t:"upstream_token_exchange_failed")}o(GD,"tokenExchangeFailureResponse");async function dp(e,t){let r=Wr(t,zD),n=MD(t,r);if(n instanceof Response)return n;qD(t,n);try{let a=await Ky({request:e,callbackRequest:n});return $D(t,a),t.log.info({event:"upstream_oauth_token_exchange_succeeded",upstreamServerId:a.upstreamServerId,virtualServerId:a.virtualServerId,authProfileId:a.authProfileId,ownerMode:a.ownerMode},"Upstream OAuth token exchange completed; user connection established"),LD(e,a)}catch(a){let i={event:"upstream_oauth_token_exchange_failed",code:de(a)??"upstream_token_exchange_failed",upstreamServerId:n.upstreamServerId};return Ae(i,"error",a),t.log.warn(i,"Upstream OAuth token exchange failed; user shown connection-failure page"),HD({context:t,callbackRequest:n,error:a}),GD(a)}}o(dp,"callbackHandler");function BD(e){let t=de(e);return t==="unknown_upstream_server"?t:"not_found"}o(BD,"clientMetadataProblemCode");function VD(e){return(e instanceof Error?e.message:void 0)??"The requested upstream client metadata document was not found."}o(VD,"clientMetadataProblemDetail");async function Gw(e,t){let r=Wr(t,"connect"),n=await Zy({request:e,connectRequest:r});if(We(t,{eventType:H.MCP_GATEWAY_AUTH_UPSTREAM_CONNECT_STARTED,outcome:"success",upstreamServerName:r.upstreamServerId,virtualServerName:n.virtualServerId,upstreamServerTitle:n.upstreamDisplayName}),t.log.info({event:"upstream_connect_started",upstreamServerId:r.upstreamServerId,authProfileId:n.authProfileId,virtualServerId:n.virtualServerId,ownerMode:r.ownerMode,redirect:r.redirect,hasReturnTo:r.returnTo!==void 0},"Upstream OAuth connect flow started"),r.redirect)return Response.redirect(n.authUrl,302);let a=await On({requestUrl:e.url,owner:n.owner,initiatedBySubjectId:n.initiatedBySubjectId,upstreamServerId:r.upstreamServerId,authProfileId:n.authProfileId,upstreamDisplayName:n.upstreamDisplayName,virtualServerId:n.virtualServerId,subject:"virtual server",...r.returnTo===void 0?{}:{returnTo:r.returnTo}});return Response.json(a,{status:428})}o(Gw,"connectHandler");async function Bw(e,t){let r=Wr(t,"client_metadata");try{let n=Oy(e.url),a=Uy(n,r.upstreamServerId,r.authProfileId);return Response.json(a)}catch(n){let a=BD(n),i=n instanceof Error?n.message:String(n);return t.log.warn({event:"oauth_client_metadata_request_failed",code:a,upstreamServerId:r.upstreamServerId,authProfileId:r.authProfileId,errorMessage:i},"Failed to serve OAuth client metadata document for upstream connection"),Ze(e,t,{code:a,detail:VD(n)})}}o(Bw,"oauthClientMetadataHandler");function Kt(e){if(typeof e=="string"&&e.length!==0)return e}o(Kt,"readOptionalQueryString");function FD(e,t){let r=e.params[t];if(typeof r!="string"||r.length===0)throw g("internal_server_error",`Validated path parameter ${t} is missing`);return r}o(FD,"requirePathString");function Vw(e){let t=Kt(e);return t?me.parse(t):void 0}o(Vw,"readOptionalVirtualServerId");function ZD(e,t){let r=Kt(e);return r?Pe.parse(r):vn(t,"user_oauth")}o(ZD,"readOptionalAuthProfileId");function KD(e){let t=Vw(e);if(!t)throw g("invalid_request","virtualServerId query parameter is required.");return t}o(KD,"readRequiredVirtualServerId");function WD(e){let t=Kt(e.query.browserTicket);return t===void 0?{}:{browserTicket:t}}o(WD,"readOptionalBrowserTicket");function JD(e){let t=Gi(Kt(e));return t===void 0?{}:{returnTo:t}}o(JD,"readOptionalReturnTo");function YD(e){let t=Vw(e.query.virtualServerId);return t===void 0?{}:{virtualServerId:t}}o(YD,"readOptionalVirtualServerIdContext");function XD(e){let t=Kt(e.query.error_description);return t===void 0?{}:{errorDescription:t}}o(XD,"readOptionalProviderErrorDescription");function QD(e){let t=At(e.authMode);if(t.connectSupport!=="none")return e;throw g("invalid_request",t.connectUnsupportedDetail??"This upstream does not support browser connection flows.")}o(QD,"requireConnectableRouteAuth");function eM(e,t,r,n){let a=fs(e,t);if(a.ownerMode==="none"||a.authMode==="tenant_static_secret")throw g("invalid_request","Static-secret upstreams do not support browser connection flows.");return{kind:"connect",...a,...n===void 0?{}:{returnTo:n},redirect:r}}o(eM,"buildConnectContextForPrincipal");function tM(e,t,r){let n=Pn(t),a=At(e.authMode);if(n.mode!==a.ownerMode)throw g("oauth_callback_mismatch","Browser connect ticket did not match the requested upstream flow");return{kind:"connect",...e,...t.returnTo===void 0?{}:{returnTo:t.returnTo},owner:n,initiatedBySubjectId:t.initiatedBySubjectId,redirect:r}}o(tM,"buildConnectContextForTicket");async function rM(e,t){let r=QD(fS(t,KD(e.query.virtualServerId))),n=e.query.redirect==="true",a=Kt(e.query.browserTicket);if(e.user){if(a)throw g("invalid_request","Use either an authenticated gateway request or a browser connect ticket, not both.");let s=Tn(e.user,e.url);return eM(r,s,n,JD(e.query.returnTo).returnTo)}if(!a)throw g("authentication_required","Authentication is required to start the upstream connection flow.");let i=await es(a);if(i.ownerMode!==r.ownerMode||i.upstreamServerId!==r.upstreamServerId||i.authProfileId!==r.authProfileId||i.virtualServerId!==r.virtualServerId)throw g("oauth_callback_mismatch","Browser connect ticket did not match the requested upstream flow");return await ts(i),tM(r,i,n)}o(rM,"resolveConnectContext");async function nM(e,t,r){let n=ke.parse(FD(e,"connection"));switch(r){case"connect":Kr(t,await rM(e,n));return;case"app_password":Kr(t,{kind:"app_password",upstreamServerId:n,...YD(e),...WD(e)});return;case"callback":{let a=Kt(e.query.error);if(a){Kr(t,{kind:"callback_provider_error",upstreamServerId:n,error:a,...XD(e)});return}let i=Kt(e.query.code),s=Kt(e.query.state);if(i&&s){Kr(t,{kind:"callback_authorization_code",upstreamServerId:n,code:i,state:s});return}Kr(t,{kind:"callback_invalid",upstreamServerId:n});return}case"client_metadata":Kr(t,{kind:"client_metadata",upstreamServerId:n,authProfileId:ZD(e.query.authProfileId,n)});return}}o(nM,"resolveUpstreamRequestInbound");async function oM(e,t,r){try{await nM(e,t,r);return}catch(n){let a=de(n);if(!a)throw n;let i=n instanceof Error?n.message:void 0;return Ze(e,t,{code:a,...i===void 0?{}:{detail:i}})}}o(oM,"applyUpstreamRequestContext");function ga(e,t){return o(async(n,a)=>{let i=await oM(n,a,e);return i||t(n,a)},"wrapped")}o(ga,"withUpstreamRequestContext");var aM={"access-control-allow-origin":"*","access-control-allow-methods":"GET, OPTIONS","access-control-allow-headers":"content-type, authorization","access-control-max-age":"86400"};function iM(){return new Response(null,{status:204,headers:aM})}o(iM,"buildWellKnownPreflightResponse");function sM(e){let t=new Headers(e.headers);return t.set("access-control-allow-origin","*"),new Response(e.body,{status:e.status,statusText:e.statusText,headers:t})}o(sM,"withWellKnownCorsHeaders");function lp(e){return async(t,r)=>t.method==="OPTIONS"?iM():sM(await e(t,r))}o(lp,"wrapWellKnownHandler");var cM=[{routeName:"oauth_as_metadata",path:"/.well-known/oauth-authorization-server",methods:["GET","OPTIONS"],handler:lp(Aw)},{routeName:"oauth_as_metadata_scoped",path:"/.well-known/oauth-authorization-server/mcp/:virtualServerId",methods:["GET","OPTIONS"],handler:lp(kw)},{routeName:"oauth_protected_resource_metadata",path:"/.well-known/oauth-protected-resource/mcp/:virtualServerId",methods:["GET","OPTIONS"],handler:lp(wg)},{routeName:"oauth_register",path:"/oauth/register",methods:["POST"],handler:Pw},{routeName:"oauth_authorize",path:"/oauth/authorize",methods:["GET"],handler:Ew},{routeName:"oauth_authorize_scoped",path:"/oauth/authorize/mcp/:virtualServerId",methods:["GET"],handler:xw},{routeName:"oauth_callback",path:"/oauth/callback",methods:["GET"],handler:Ow},{routeName:"oauth_dev_login",path:"/oauth/dev-login",methods:["GET"],handler:Uw},{routeName:"oauth_api_key_login",path:"/oauth/api-key-login",methods:["GET","POST"],handler:zw},{routeName:"oauth_setup",path:"/oauth/setup",methods:["GET","POST"],handler:Nw},{routeName:"oauth_token",path:"/oauth/token",methods:["POST"],handler:Dw},{routeName:"oauth_revoke",path:"/oauth/revoke",methods:["POST"],handler:Mw},{routeName:"upstream_client_metadata",path:"/.well-known/oauth-client/:connection",methods:["GET"],handler:ga("client_metadata",Bw)},{routeName:"upstream_connect",path:"/auth/connections/:connection/connect",methods:["GET"],handler:ga("connect",Gw)},{routeName:"upstream_callback",path:"/auth/connections/:connection/callback",methods:["GET"],handler:ga("callback",dp)},{routeName:"upstream_app_password",path:"/auth/connections/:connection/app-password",methods:["GET","POST"],handler:ga("app_password",up)}];function Fw(e){if(e)return e.find(t=>Ii(t.policyType))}o(Fw,"findMcpOAuthPolicy");function Zw(e){return Fw(e)!==void 0}o(Zw,"shouldRegisterMcpGatewayInternalRoutes");function uM(e){let t=gd(e.policyType);if(!t){let r=_d();throw new Ot(`MCP gateway: unknown MCP authorization policy type '${String(e.policyType)}'. Registered policy types: ${r.length>0?r.join(", "):"<none>"}.`)}try{return t.getConfig(e.handler.options)}catch(r){throw r instanceof c.ZodError?new Ot(dM(e.name??e.policyType,r),{cause:r}):r}}o(uM,"resolveOAuthConfigFromPolicy");function dM(e,t){let r=t.issues.map(n=>` - ${n.path.length>0?n.path.join("."):"<root>"}: ${n.message}`).join(`
1247
1273
  `);return`MCP OAuth policy "${e}" is misconfigured. Missing/invalid options:
1248
- ${r}`}o(r$,"formatPolicyConfigError");function Ew(e){let t=Tw(e.policies);if(!t){let r=rd(),n=r.length>0?`Add one of [${r.map(a=>`\`${a}\``).join(", ")}] and reference it on your MCP routes.`:"Register an MCP authorization policy descriptor and reference it on your MCP routes.";throw new Tt(`MCP gateway: could not find an MCP authorization policy in policies.json. ${n}`)}Dh(t$(t)),wh(yh({routes:e.routes,policies:e.policies}))}o(Ew,"initializeMcpGatewayState");function n$(e,t){return async(r,n)=>{let a=n,s=r.method==="OPTIONS",i=Date.now();s||a.log.info({event:`${e}_received`,method:r.method},`MCP gateway: ${e} received`);try{let c=await t(r,n);return s||a.log.info({event:`${e}_responded`,status:c.status,durationMs:Date.now()-i},`MCP gateway: ${e} responded`),c}catch(c){let d={event:`${e}_threw`,durationMs:Date.now()-i};throw Re(d,"err",c),a.log.error(d,`MCP gateway: ${e} threw`),c}}}o(n$,"wrapInternalHandler");function Aw(e){for(let t of e$){let r=n$(t.routeName,t.handler),n=o((a,s)=>r(a,s),"handler");e.addPluginRoute({path:t.path,methods:t.methods,handler:n,processors:[wi],corsPolicy:"none"})}}o(Aw,"registerMcpGatewayInternalRoutes");var Ml=class extends jl{static{o(this,"McpGatewayPlugin")}registerRoutes(t){let r=t.parsedRouteData;r&&Cw(r.policies)&&(Ew({routes:r.routes,policies:r.policies}),Aw(t.router))}};export{UO as McpAuth0OAuthInboundPolicy,Ml as McpGatewayPlugin,zO as McpOAuthInboundPolicy,LO as McpUpstreamConnectionInboundPolicy,mO as McpVirtualServerHandler};
1274
+ ${r}`}o(dM,"formatPolicyConfigError");function Kw(e){let t=Fw(e.policies);if(!t){let r=_d(),n=r.length>0?`Add one of [${r.map(a=>`\`${a}\``).join(", ")}] and reference it on your MCP routes.`:"Register an MCP authorization policy descriptor and reference it on your MCP routes.";throw new Ot(`MCP gateway: could not find an MCP authorization policy in policies.json. ${n}`)}fg(uM(t)),Jf(Wf({routes:e.routes,policies:e.policies}))}o(Kw,"initializeMcpGatewayState");function lM(e,t){return async(r,n)=>{let a=n,i=r.method==="OPTIONS",s=Date.now();i||a.log.info({event:`${e}_received`,method:r.method},`MCP gateway: ${e} received`);try{let u=await t(r,n);return i||a.log.info({event:`${e}_responded`,status:u.status,durationMs:Date.now()-s},`MCP gateway: ${e} responded`),u}catch(u){let d={event:`${e}_threw`,durationMs:Date.now()-s};throw Ae(d,"err",u),a.log.error(d,`MCP gateway: ${e} threw`),u}}}o(lM,"wrapInternalHandler");function Ww(e){for(let t of cM){let r=lM(t.routeName,t.handler),n=o((a,i)=>r(a,i),"handler");e.addPluginRoute({path:t.path,methods:t.methods,handler:n,processors:[zs],corsPolicy:"none"})}}o(Ww,"registerMcpGatewayInternalRoutes");var pp=class extends yp{static{o(this,"McpGatewayPlugin")}registerRoutes(t){let r=t.parsedRouteData;r&&Zw(r.policies)&&(Kw({routes:r.routes,policies:r.policies}),Ww(t.router))}};export{H0 as McpAuth0OAuthInboundPolicy,pp as McpGatewayPlugin,V0 as McpOAuthInboundPolicy,W0 as McpUpstreamConnectionInboundPolicy,O0 as McpVirtualServerHandler};
1249
1275
  //# sourceMappingURL=index.js.map