@zuplo/runtime 6.71.27 → 6.72.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/out/esm/{chunk-D3O7C43P.js → chunk-FAOWNDMK.js} +55 -55
- package/out/esm/{chunk-D3O7C43P.js.map → chunk-FAOWNDMK.js.map} +1 -1
- package/out/esm/index.js +1 -1
- package/out/esm/mcp-gateway/index.js +9 -9
- package/out/esm/mcp-gateway/index.js.map +1 -1
- package/out/types/mcp-gateway/index.d.ts +30 -0
- package/package.json +1 -1
- /package/out/esm/{chunk-D3O7C43P.js.LEGAL.txt → chunk-FAOWNDMK.js.LEGAL.txt} +0 -0
|
@@ -22,11 +22,11 @@
|
|
|
22
22
|
* DEALINGS IN THE SOFTWARE.
|
|
23
23
|
*--------------------------------------------------------------------------------------------*/
|
|
24
24
|
|
|
25
|
-
import{$ as d,$b as Tc,$c as qr,Ab as K,Ac as wo,Ad as v,Bb as eo,Bc as ee,Bd as F,Cb as to,Cc as L,Cd as le,Db as M,Dc as bo,Dd as T,Eb as ro,Ec as Ro,Ed as Qt,Fb as Le,Fc as I,Fd as qc,Gb as no,Gc as de,Gd as Mc,Hb as Ne,Hc as $e,Ib as g,Ic as J,Jb as Je,Jc as q,Kb as Ge,Kc as Io,Lb as _e,Lc as G,Mb as we,Mc as Co,Nb as Nt,Nc as Re,Ob as oo,Oc as Tr,P as $n,Pb as re,Pc as Kt,Q as p,Qb as io,Qc as Ur,R as Zn,Rb as ce,Rc as Wt,S as Ar,Sb as b,Sc as pt,T as se,Tb as Jt,Tc as Ze,U as Kn,Ub as N,Uc as So,V as _,Vb as be,Vc as ue,W as ye,Wb as Sc,Wc as Pr,X as Lt,Xb as vc,Xc as Er,Y as Wn,Yb as Ac,Yc as vo,Z as Vn,Zb as kc,Zc as Vt,_ as Yn,_b as xc,_c as Or,aa as Z,ac as Uc,ad as Ao,bc as Pc,bd as D,cc as Ec,cd as ko,dc as Oc,dd as xo,ec as ao,ed as Mr,fc as so,fd as To,ga as Xn,gc as co,gd as Uo,hc as Gt,hd as Dr,i as ae,ic as kr,id as Po,jc as Ft,jd as Pe,kc as $t,kd as Eo,lc as dt,ld as mt,mc as uo,md as Oo,nc as lo,nd as Yt,oc as po,od as ft,pc as ut,pd as qo,qc as mo,qd as Mo,r as Ue,rc as Fe,rd as Do,s as Jn,sc as fo,sd as jo,tc as xr,td as zo,u as Gn,uc as ho,ud as Ho,vc as lt,vd as Bo,wc as Zt,wd as Xt,xc as go,xd as Lo,y as Fn,yc as yo,yd as No,z as Bt,zb as Qn,zc as _o,zd as R}from"../chunk-D3O7C43P.js";import"../chunk-4MNJC7E2.js";import{a as C}from"../chunk-4QJJMELB.js";import{$ as Q,a as n,aa as h,ba as A,ca as Nn,da as Ht}from"../chunk-DSZS6PZJ.js";Z();function Dc(e){let t=$t.safeParse(e);return t.success?t.data.id:void 0}n(Dc,"parseJsonRpcRequestId");function Jo(e){if(e!==void 0)try{let t=JSON.parse(new TextDecoder().decode(e));return Dc(t)}catch{return}}n(Jo,"readJsonRpcRequestIdFromBody");function er(e){return uo.parse({jsonrpc:Ft,...e.id===void 0?{}:{id:e.id},error:{code:e.error.code,message:e.error.message,...e.error.data===void 0?{}:{data:e.error.data}}})}n(er,"jsonRpcErrorResponse");function Go(e){return new po([lo.parse({mode:"url",message:e.message,elicitationId:e.elicitationId,url:e.url})],e.message)}n(Go,"urlElicitationRequiredError");var rr=d.record(d.string(),d.unknown()),jc=d.record(d.string(),d.unknown()),Ie=d.array(d.string().min(1)).min(1).optional(),zc=d.object({name:d.string().min(1),description:d.string().min(1).optional(),annotations:jc.optional(),_meta:rr.optional(),roles:Ie,groups:Ie,public:d.boolean().optional()}).strict(),Hc=d.object({name:d.string().min(1),description:d.string().min(1).optional(),_meta:rr.optional(),roles:Ie,groups:Ie,public:d.boolean().optional()}).strict(),Bc=d.object({uri:d.string().min(1),name:d.string().min(1).optional(),description:d.string().min(1).optional(),mimeType:d.string().min(1).optional(),_meta:rr.optional(),roles:Ie,groups:Ie,public:d.boolean().optional()}).strict(),Lc=d.object({uriTemplate:d.string().min(1),name:d.string().min(1).optional(),description:d.string().min(1).optional(),mimeType:d.string().min(1).optional(),_meta:rr.optional(),roles:Ie,groups:Ie,public:d.boolean().optional()}).strict(),Nc=d.array(d.union([d.string(),zc])),Jc=d.array(d.union([d.string(),Hc])),Gc=d.array(d.union([d.string(),Bc])),Fc=d.array(d.union([d.string(),Lc])),$c=d.object({module:d.unknown(),export:d.string().min(1)}).strict(),Zc=d.object({mode:d.enum(["allPublic","rolesAndGroups","function"]).optional(),roleClaim:d.string().min(1).optional(),groupClaim:d.string().min(1).optional(),identifier:$c.optional()}).strict(),Kc=d.object({tools:Nc.optional(),prompts:Jc.optional(),resources:Gc.optional(),resourceTemplates:Fc.optional(),accessControl:Zc.optional()}).strict(),Ce=[{option:"tools",listMethod:"tools/list",resultProperty:"tools",itemProperty:"name",directMethods:[{method:"tools/call",paramProperty:"name"}]},{option:"prompts",listMethod:"prompts/list",resultProperty:"prompts",itemProperty:"name",directMethods:[{method:"prompts/get",paramProperty:"name"}]},{option:"resources",listMethod:"resources/list",resultProperty:"resources",itemProperty:"uri",directMethods:[{method:"resources/read",paramProperty:"uri"}]},{option:"resourceTemplates",listMethod:"resources/templates/list",resultProperty:"resourceTemplates",itemProperty:"uriTemplate",directMethods:[]}];function Wc(e,t){return eo(Kc,e,`MCP capability filter policy "${t}"`)}n(Wc,"parseMcpCapabilityFilterOptions");function z(e){return e!==null&&typeof e=="object"&&!Array.isArray(e)}n(z,"isRecord");function Vc(e,t){if(!z(e))return;let r=e[t];return typeof r=="string"?r:void 0}n(Vc,"readParamString");function zr(e){let t=e.id;return typeof t=="string"||typeof t=="number"||t===null?t:void 0}n(zr,"readRequestId");function Vo(e){return e===void 0?void 0:JSON.stringify(e)}n(Vo,"requestIdKey");function Fo(e){if(!Array.isArray(e))return;let t=e.filter(r=>typeof r=="string");return t.length>0?t:void 0}n(Fo,"asStringArray");function $o(e,t){if(!z(e))return[];let r=t in e?e[t]:t.split(".").reduce((o,i)=>z(o)?o[i]:void 0,e);return Array.isArray(r)?r.filter(o=>typeof o=="string"):typeof r=="string"?r.split(/\s+/).filter(o=>o.length>0):[]}n($o,"readClaimValues");function Hr(e,t){if(typeof e=="string")return{key:e,public:!1};if(!z(e))return;let r=e[t];if(typeof r=="string")return{key:r,roles:Fo(e.roles),groups:Fo(e.groups),public:e.public===!0}}n(Hr,"normalizeEntry");function Yc(e,t,r){if(e.public)return!0;let o=e.roles??[],i=e.groups??[];return o.length===0&&i.length===0?!1:o.some(a=>t.has(a))||i.some(a=>r.has(a))}n(Yc,"isCallerAllowed");function tr(e,t,r,o){if(e===void 0)return;let i=[];for(let a of e){let s=Hr(a,t);s!==void 0&&Yc(s,r,o)&&i.push(s.key)}return i}n(tr,"allowedKeys");var Yo=n((e,t,r)=>{let o=r.accessControl?.roleClaim??"roles",i=r.accessControl?.groupClaim??"groups",a=new Set($o(e.user?.data,o)),s=new Set($o(e.user?.data,i));return{tools:tr(r.tools,"name",a,s),prompts:tr(r.prompts,"name",a,s),resources:tr(r.resources,"uri",a,s),resourceTemplates:tr(r.resourceTemplates,"uriTemplate",a,s)}},"claimsCapabilityResolver");function Xc(e,t){let r=[];for(let o of Ce){let i=e[o.option];if(i!==void 0)for(let a of i){let s=Hr(a,o.itemProperty);if(s===void 0)continue;let c=(s.roles?.length??0)>0||(s.groups?.length??0)>0;s.public&&c?r.push(`${o.option} "${s.key}" (both)`):!s.public&&!c&&r.push(`${o.option} "${s.key}" (neither)`)}}if(r.length>0)throw new A(`MCP capability filter policy "${t}" - with accessControl.mode "rolesAndGroups", every capability must set roles/groups OR "public": true (not both, not neither): ${r.join(", ")}`)}n(Xc,"assertClassified");function Qc(e,t){let r=[];for(let o of Ce){let i=e[o.option];if(i!==void 0)for(let a of i){let s=Hr(a,o.itemProperty);s!==void 0&&((s.roles?.length??0)>0||(s.groups?.length??0)>0||s.public)&&r.push(`${o.option} "${s.key}"`)}}if(r.length>0)throw new A(`MCP capability filter policy "${t}" - accessControl.mode is "allPublic" (the default) but these capabilities set roles/groups/public; set accessControl.mode to "rolesAndGroups" or remove the markup: ${r.join(", ")}`)}n(Qc,"assertNoMarkup");function ed(e,t){let r=e.identifier;if(r===void 0)throw new A(`MCP capability filter policy "${t}" - accessControl.mode "function" requires accessControl.identifier`);if(r.module===null||typeof r.module!="object")throw new A(`MCP capability filter policy "${t}" - accessControl.identifier.module must reference a module, e.g. $import(./modules/mcp-access-control)`);if(!r.export)throw new A(`MCP capability filter policy "${t}" - accessControl.identifier.export must be specified`);let o=r.module[r.export];if(typeof o!="function")throw new A(`MCP capability filter policy "${t}" - accessControl.identifier must resolve to a valid function`);let i=o;return async(a,s,c)=>{let u=await i(a,s,c);if(u==null)throw new h(`MCP capability filter policy "${t}" - accessControl resolver returned no value; return an AllowedCapabilities object (use empty arrays to deny)`);if(typeof u!="object"||Array.isArray(u))throw new h(`MCP capability filter policy "${t}" - accessControl resolver must return an AllowedCapabilities object`);return u}}n(ed,"buildCustomResolver");function td(e,t){let r=e.accessControl,o=r?.mode??"allPublic";if(o==="function"){if(r===void 0)throw new A(`MCP capability filter policy "${t}" - accessControl.mode "function" requires accessControl.identifier`);return ed(r,t)}if(o==="rolesAndGroups")return Xc(e,t),Yo;Qc(e,t)}n(td,"buildCapabilityResolver");function rd(e){let t={};for(let r of Ce){let o=e[r.option];if(o===void 0)continue;let i=new Map;for(let a of o){let s=sd(a,r.itemProperty);s!==void 0&&i.set(s.key,s)}t[r.option]=i}return t}n(rd,"buildProjectionMaps");function Br(e){return Ce.find(t=>t.listMethod===e)}n(Br,"findListRule");function nd(e){return e.requests.some(t=>{if(!z(t))return!1;let r=Br(t.method);return r!==void 0&&e.projectionMaps[r.option]!==void 0})}n(nd,"shouldFilterListResponses");function od(e){return e.requests.some(t=>z(t)?Ce.some(r=>e.projectionMaps[r.option]===void 0?!1:r.listMethod===t.method||r.directMethods.some(o=>o.method===t.method)):!1)}n(od,"requestTouchesConfiguredCapability");function id(e){for(let t of Ce){let r=e.projectionMaps[t.option];if(r!==void 0)for(let o of t.directMethods){if(e.request.method!==o.method)continue;let i=Vc(e.request.params,o.paramProperty);if(i===void 0)continue;let a=e.allowedSets?.[t.option];if(!r.has(i)||a!==void 0&&!a.has(i))return{id:zr(e.request)}}}}n(id,"findDisallowedDirectAccess");function ad(e){return Response.json(er({id:e,error:{code:dt.MethodNotFound,message:"Method not found"}}))}n(ad,"methodNotFoundResponse");function sd(e,t){if(typeof e=="string")return{key:e,overlay:{}};if(!z(e))return;let r=e[t];if(typeof r!="string")return;let o={...e};return delete o.roles,delete o.groups,delete o.public,{key:r,overlay:o}}n(sd,"buildProjection");function Zo(e){let t=e.base[e.property],r=e.overlay[e.property];return z(r)?z(t)?{...t,...r}:r:t}n(Zo,"mergeRecordProperty");function cd(e,t){let r={...e,...t.overlay},o=Zo({base:e,overlay:t.overlay,property:"annotations"});o!==void 0&&(r.annotations=o);let i=Zo({base:e,overlay:t.overlay,property:"_meta"});return i!==void 0&&(r._meta=i),r}n(cd,"applyProjection");function Ko(e,t,r,o){if(!z(e))return e;let i=e.result;if(!z(i))return e;let a=i[t.resultProperty];return!Array.isArray(a)||!a.every(s=>z(s)&&typeof s[t.itemProperty]=="string")?e:{...e,result:{...i,[t.resultProperty]:a.flatMap(s=>{if(!z(s))return[];let c=s[t.itemProperty];if(typeof c!="string")return[];if(o!==void 0&&!o.has(c))return[];let u=r.get(c);return u===void 0?[]:[cd(s,u)]})}}}n(Ko,"filterAndProjectItems");function dd(e){let t=new Map;if(!Array.isArray(e))return t;for(let r of e){if(!z(r))continue;let o=Br(r.method),i=zr(r),a=Vo(i);o!==void 0&&a!==void 0&&t.set(a,o)}return t}n(dd,"buildListRulesByResponseId");function ud(e){if(Array.isArray(e.responseBody)){let o=dd(e.requestBody);return o.size===0?e.responseBody:e.responseBody.map(i=>{if(!z(i)||"error"in i)return i;let a=Vo(zr(i)),s=a===void 0?void 0:o.get(a),c=s===void 0?void 0:e.projectionMaps[s.option];return s===void 0||c===void 0?i:Ko(i,s,c,e.allowedSets?.[s.option])})}if(!z(e.requestBody)||!z(e.responseBody)||"error"in e.responseBody)return e.responseBody;let t=Br(e.requestBody.method),r=t===void 0?void 0:e.projectionMaps[t.option];return t===void 0||r===void 0?e.responseBody:Ko(e.responseBody,t,r,e.allowedSets?.[t.option])}n(ud,"filterJsonRpcResponse");async function Wo(e){return e.clone().json()}n(Wo,"readJson");function ld(e){return e.headers.get("content-type")?.includes("json")??!1}n(ld,"isJsonResponse");var jr=class extends Bt{static{n(this,"McpCapabilityFilterInboundPolicy")}static policyType="mcp-capability-filter";#e;#r;#n;#t;constructor(t,r){let o=Wc(t,r);super(o,r),this.#r=o,this.#n=r,this.#e=rd(o),this.#t=td(o,r)}async handler(t,r){let o;try{o=await Wo(t)}catch{return t}let i=Array.isArray(o)?o:[o],a=this.#t!==void 0&&od({requests:i,projectionMaps:this.#e})?await this.#o(t,r):void 0;for(let s of i){if(!z(s))continue;let c=id({request:s,projectionMaps:this.#e,allowedSets:a});if(c!==void 0)return ad(c.id)}return nd({requests:i,projectionMaps:this.#e})&&r.addResponseSendingHook(async s=>{if(!ld(s))return s;let c;try{c=await Wo(s)}catch{return s}let u=ud({requestBody:o,responseBody:c,projectionMaps:this.#e,allowedSets:a});if(u===c)return s;let l=new Headers(s.headers);return l.delete("content-length"),new Response(JSON.stringify(u),{status:s.status,statusText:s.statusText,headers:l})}),t}async#o(t,r){let o=this.#t;if(o===void 0)return{};let i;try{i=await o(t,r,this.#r)}catch(s){r.log.error(`MCP capability filter policy "${this.#n}" - access-control resolver threw; denying configured capabilities`,s);let c={};for(let u of Ce)this.#e[u.option]!==void 0&&(c[u.option]=new Set);return c}let a={};for(let s of Ce){let c=this.#e[s.option];if(c===void 0)continue;let u=i[s.option];if(u===void 0)continue;let l=new Set;if(Array.isArray(u))for(let m of u)typeof m=="string"&&c.has(m)&&l.add(m);a[s.option]=l}return a}};var Lr;Lr=globalThis.crypto;async function pd(e){return(await Lr).getRandomValues(new Uint8Array(e))}n(pd,"getRandomValues");async function md(e){let t="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._~",r=Math.pow(2,8)-Math.pow(2,8)%t.length,o="";for(;o.length<e;){let i=await pd(e-o.length);for(let a of i)a<r&&(o+=t[a%t.length])}return o}n(md,"random");async function fd(e){return await md(e)}n(fd,"generateVerifier");async function hd(e){let t=await(await Lr).subtle.digest("SHA-256",new TextEncoder().encode(e));return btoa(String.fromCharCode(...new Uint8Array(t))).replace(/\//g,"_").replace(/\+/g,"-").replace(/=/g,"")}n(hd,"generateChallenge");async function Nr(e){if(e||(e=43),e<43||e>128)throw`Expected a length between 43 and 128. Received ${e}.`;let t=await fd(e),r=await hd(t);return{code_verifier:t,code_challenge:r}}n(Nr,"pkceChallenge");Z();var H=Zn().superRefine((e,t)=>{if(!URL.canParse(e))return t.addIssue({code:Vn.custom,message:"URL must be parseable",fatal:!0}),$n}).refine(e=>{let t=new URL(e);return t.protocol!=="javascript:"&&t.protocol!=="data:"&&t.protocol!=="vbscript:"},{message:"URL cannot use javascript:, data:, or vbscript: scheme"}),nr=Lt({resource:p().url(),authorization_servers:_(H).optional(),jwks_uri:p().url().optional(),scopes_supported:_(p()).optional(),bearer_methods_supported:_(p()).optional(),resource_signing_alg_values_supported:_(p()).optional(),resource_name:p().optional(),resource_documentation:p().optional(),resource_policy_uri:p().url().optional(),resource_tos_uri:p().url().optional(),tls_client_certificate_bound_access_tokens:se().optional(),authorization_details_types_supported:_(p()).optional(),dpop_signing_alg_values_supported:_(p()).optional(),dpop_bound_access_tokens_required:se().optional()}),ht=Lt({issuer:p(),authorization_endpoint:H,token_endpoint:H,registration_endpoint:H.optional(),scopes_supported:_(p()).optional(),response_types_supported:_(p()),response_modes_supported:_(p()).optional(),grant_types_supported:_(p()).optional(),token_endpoint_auth_methods_supported:_(p()).optional(),token_endpoint_auth_signing_alg_values_supported:_(p()).optional(),service_documentation:H.optional(),revocation_endpoint:H.optional(),revocation_endpoint_auth_methods_supported:_(p()).optional(),revocation_endpoint_auth_signing_alg_values_supported:_(p()).optional(),introspection_endpoint:p().optional(),introspection_endpoint_auth_methods_supported:_(p()).optional(),introspection_endpoint_auth_signing_alg_values_supported:_(p()).optional(),code_challenge_methods_supported:_(p()).optional(),client_id_metadata_document_supported:se().optional()}),gd=Lt({issuer:p(),authorization_endpoint:H,token_endpoint:H,userinfo_endpoint:H.optional(),jwks_uri:H,registration_endpoint:H.optional(),scopes_supported:_(p()).optional(),response_types_supported:_(p()),response_modes_supported:_(p()).optional(),grant_types_supported:_(p()).optional(),acr_values_supported:_(p()).optional(),subject_types_supported:_(p()),id_token_signing_alg_values_supported:_(p()),id_token_encryption_alg_values_supported:_(p()).optional(),id_token_encryption_enc_values_supported:_(p()).optional(),userinfo_signing_alg_values_supported:_(p()).optional(),userinfo_encryption_alg_values_supported:_(p()).optional(),userinfo_encryption_enc_values_supported:_(p()).optional(),request_object_signing_alg_values_supported:_(p()).optional(),request_object_encryption_alg_values_supported:_(p()).optional(),request_object_encryption_enc_values_supported:_(p()).optional(),token_endpoint_auth_methods_supported:_(p()).optional(),token_endpoint_auth_signing_alg_values_supported:_(p()).optional(),display_values_supported:_(p()).optional(),claim_types_supported:_(p()).optional(),claims_supported:_(p()).optional(),service_documentation:p().optional(),claims_locales_supported:_(p()).optional(),ui_locales_supported:_(p()).optional(),claims_parameter_supported:se().optional(),request_parameter_supported:se().optional(),request_uri_parameter_supported:se().optional(),require_request_uri_registration:se().optional(),op_policy_uri:H.optional(),op_tos_uri:H.optional(),client_id_metadata_document_supported:se().optional()}),or=ye({...gd.shape,...ht.pick({code_challenge_methods_supported:!0}).shape}),Ke=ye({access_token:p(),id_token:p().optional(),token_type:p(),expires_in:Yn.number().optional(),scope:p().optional(),refresh_token:p().optional()}).strip(),Qo=ye({error:p(),error_description:p().optional(),error_uri:p().optional()}),Xo=H.optional().or(Wn("").transform(()=>{})),yd=ye({redirect_uris:_(H),token_endpoint_auth_method:p().optional(),grant_types:_(p()).optional(),response_types:_(p()).optional(),client_name:p().optional(),client_uri:H.optional(),logo_uri:Xo,scope:p().optional(),contacts:_(p()).optional(),tos_uri:Xo,policy_uri:p().optional(),jwks_uri:H.optional(),jwks:Kn().optional(),software_id:p().optional(),software_version:p().optional(),software_statement:p().optional()}).strip(),ir=ye({client_id:p(),client_secret:p().optional(),client_id_issued_at:Ar().optional(),client_secret_expires_at:Ar().optional()}).strip(),gt=yd.merge(ir),sg=ye({error:p(),error_description:p().optional()}).strip(),cg=ye({token:p(),token_type_hint:p().optional()}).strip();function ei(e){let t=typeof e=="string"?new URL(e):new URL(e.href);return t.hash="",t}n(ei,"resourceUrlFromServerUrl");function ti({requestedResource:e,configuredResource:t}){let r=typeof e=="string"?new URL(e):new URL(e.href),o=typeof t=="string"?new URL(t):new URL(t.href);if(r.origin!==o.origin||r.pathname.length<o.pathname.length)return!1;let i=r.pathname.endsWith("/")?r.pathname:r.pathname+"/",a=o.pathname.endsWith("/")?o.pathname:o.pathname+"/";return i.startsWith(a)}n(ti,"checkResourceAllowed");var k=class extends Error{static{n(this,"OAuthError")}constructor(t,r){super(t),this.errorUri=r,this.name=this.constructor.name}toResponseObject(){let t={error:this.errorCode,error_description:this.message};return this.errorUri&&(t.error_uri=this.errorUri),t}get errorCode(){return this.constructor.errorCode}},yt=class extends k{static{n(this,"InvalidRequestError")}};yt.errorCode="invalid_request";var Ee=class extends k{static{n(this,"InvalidClientError")}};Ee.errorCode="invalid_client";var Oe=class extends k{static{n(this,"InvalidGrantError")}};Oe.errorCode="invalid_grant";var qe=class extends k{static{n(this,"UnauthorizedClientError")}};qe.errorCode="unauthorized_client";var _t=class extends k{static{n(this,"UnsupportedGrantTypeError")}};_t.errorCode="unsupported_grant_type";var wt=class extends k{static{n(this,"InvalidScopeError")}};wt.errorCode="invalid_scope";var bt=class extends k{static{n(this,"AccessDeniedError")}};bt.errorCode="access_denied";var pe=class extends k{static{n(this,"ServerError")}};pe.errorCode="server_error";var Rt=class extends k{static{n(this,"TemporarilyUnavailableError")}};Rt.errorCode="temporarily_unavailable";var It=class extends k{static{n(this,"UnsupportedResponseTypeError")}};It.errorCode="unsupported_response_type";var Ct=class extends k{static{n(this,"UnsupportedTokenTypeError")}};Ct.errorCode="unsupported_token_type";var St=class extends k{static{n(this,"InvalidTokenError")}};St.errorCode="invalid_token";var vt=class extends k{static{n(this,"MethodNotAllowedError")}};vt.errorCode="method_not_allowed";var At=class extends k{static{n(this,"TooManyRequestsError")}};At.errorCode="too_many_requests";var Me=class extends k{static{n(this,"InvalidClientMetadataError")}};Me.errorCode="invalid_client_metadata";var kt=class extends k{static{n(this,"InsufficientScopeError")}};kt.errorCode="insufficient_scope";var xt=class extends k{static{n(this,"InvalidTargetError")}};xt.errorCode="invalid_target";var ri={[yt.errorCode]:yt,[Ee.errorCode]:Ee,[Oe.errorCode]:Oe,[qe.errorCode]:qe,[_t.errorCode]:_t,[wt.errorCode]:wt,[bt.errorCode]:bt,[pe.errorCode]:pe,[Rt.errorCode]:Rt,[It.errorCode]:It,[Ct.errorCode]:Ct,[St.errorCode]:St,[vt.errorCode]:vt,[At.errorCode]:At,[Me.errorCode]:Me,[kt.errorCode]:kt,[xt.errorCode]:xt};function _d(e){return["client_secret_basic","client_secret_post","none"].includes(e)}n(_d,"isClientAuthMethod");var Jr="code",Gr="S256";function wd(e,t){let r=e.client_secret!==void 0;return"token_endpoint_auth_method"in e&&e.token_endpoint_auth_method&&_d(e.token_endpoint_auth_method)&&(t.length===0||t.includes(e.token_endpoint_auth_method))?e.token_endpoint_auth_method:t.length===0?r?"client_secret_basic":"none":r&&t.includes("client_secret_basic")?"client_secret_basic":r&&t.includes("client_secret_post")?"client_secret_post":t.includes("none")?"none":r?"client_secret_post":"none"}n(wd,"selectClientAuthMethod");function bd(e,t,r,o){let{client_id:i,client_secret:a}=t;switch(e){case"client_secret_basic":Rd(i,a,r);return;case"client_secret_post":Id(i,a,o);return;case"none":Cd(i,o);return;default:throw new Error(`Unsupported client authentication method: ${e}`)}}n(bd,"applyClientAuthentication");function Rd(e,t,r){if(!t)throw new Error("client_secret_basic authentication requires a client_secret");let o=btoa(`${e}:${t}`);r.set("Authorization",`Basic ${o}`)}n(Rd,"applyBasicAuth");function Id(e,t,r){r.set("client_id",e),t&&r.set("client_secret",t)}n(Id,"applyPostAuth");function Cd(e,t){t.set("client_id",e)}n(Cd,"applyPublicAuth");async function oi(e){let t=e instanceof Response?e.status:void 0,r=e instanceof Response?await e.text():e;try{let o=Qo.parse(JSON.parse(r)),{error:i,error_description:a,error_uri:s}=o,c=ri[i]||pe;return new c(a||"",s)}catch(o){let i=`${t?`HTTP ${t}: `:""}Invalid OAuth error response: ${o}. Raw body: ${r}`;return new pe(i)}}n(oi,"parseErrorResponse");async function Zr(e,t){try{return await Fr(e,t)}catch(r){if(r instanceof Ee||r instanceof qe)return await e.invalidateCredentials?.("all"),await Fr(e,t);if(r instanceof Oe)return await e.invalidateCredentials?.("tokens"),await Fr(e,t);throw r}}n(Zr,"auth");async function Fr(e,{serverUrl:t,authorizationCode:r,scope:o,resourceMetadataUrl:i,fetchFn:a}){let s=await e.discoveryState?.(),c,u,l,m=i;if(!m&&s?.resourceMetadataUrl&&(m=new URL(s.resourceMetadataUrl)),s?.authorizationServerUrl){if(u=s.authorizationServerUrl,c=s.resourceMetadata,l=s.authorizationServerMetadata??await si(u,{fetchFn:a}),!c)try{c=await ai(t,{resourceMetadataUrl:m},a)}catch{}(l!==s.authorizationServerMetadata||c!==s.resourceMetadata)&&await e.saveDiscoveryState?.({authorizationServerUrl:String(u),resourceMetadataUrl:m?.toString(),resourceMetadata:c,authorizationServerMetadata:l})}else{let O=await Td(t,{resourceMetadataUrl:m,fetchFn:a});u=O.authorizationServerUrl,l=O.authorizationServerMetadata,c=O.resourceMetadata,await e.saveDiscoveryState?.({authorizationServerUrl:String(u),resourceMetadataUrl:m?.toString(),resourceMetadata:c,authorizationServerMetadata:l})}let w=await Sd(t,e,c),P=o||c?.scopes_supported?.join(" ")||e.clientMetadata.scope,y=await Promise.resolve(e.clientInformation());if(!y){if(r!==void 0)throw new Error("Existing OAuth client information is required when exchanging an authorization code");let O=l?.client_id_metadata_document_supported===!0,j=e.clientMetadataUrl;if(j&&!Kr(j))throw new Me(`clientMetadataUrl must be a valid HTTPS URL with a non-root pathname, got: ${j}`);if(O&&j)y={client_id:j},await e.saveClientInformation?.(y);else{if(!e.saveClientInformation)throw new Error("OAuth client information must be saveable for dynamic registration");let Ln=await qd(u,{metadata:l,clientMetadata:e.clientMetadata,scope:P,fetchFn:a});await e.saveClientInformation(Ln),y=Ln}}let E=!e.redirectUrl;if(r!==void 0||E){let O=await Od(e,u,{metadata:l,resource:w,authorizationCode:r,fetchFn:a});return await e.saveTokens(O),"AUTHORIZED"}let x=await e.tokens();if(x?.refresh_token)try{let O=await Ed(u,{metadata:l,clientInformation:y,refreshToken:x.refresh_token,resource:w,addClientAuthentication:e.addClientAuthentication,fetchFn:a});return await e.saveTokens(O),"AUTHORIZED"}catch(O){if(!(!(O instanceof k)||O instanceof pe))throw O}let B=e.state?await e.state():void 0,{authorizationUrl:Be,codeVerifier:X}=await Ud(u,{metadata:l,clientInformation:y,state:B,redirectUrl:e.redirectUrl,scope:P,resource:w});return await e.saveCodeVerifier(X),await e.redirectToAuthorization(Be),"REDIRECT"}n(Fr,"authInternal");function Kr(e){if(!e)return!1;try{let t=new URL(e);return t.protocol==="https:"&&t.pathname!=="/"}catch{return!1}}n(Kr,"isHttpsUrl");async function Sd(e,t,r){let o=ei(e);if(t.validateResourceURL)return await t.validateResourceURL(o,r?.resource);if(r){if(!ti({requestedResource:o,configuredResource:r.resource}))throw new Error(`Protected resource ${r.resource} does not match expected ${o} (or origin)`);return new URL(r.resource)}}n(Sd,"selectResourceURL");function ii(e){let t=e.headers.get("WWW-Authenticate");if(!t)return{};let[r,o]=t.split(" ");if(r.toLowerCase()!=="bearer"||!o)return{};let i=$r(e,"resource_metadata")||void 0,a;if(i)try{a=new URL(i)}catch{}let s=$r(e,"scope")||void 0,c=$r(e,"error")||void 0;return{resourceMetadataUrl:a,scope:s,error:c}}n(ii,"extractWWWAuthenticateParams");function $r(e,t){let r=e.headers.get("WWW-Authenticate");if(!r)return null;let o=new RegExp(`${t}=(?:"([^"]+)"|([^\\s,]+))`),i=r.match(o);return i?i[1]||i[2]:null}n($r,"extractFieldFromWwwAuth");async function ai(e,t,r=fetch){let o=await kd(e,"oauth-protected-resource",r,{protocolVersion:t?.protocolVersion,metadataUrl:t?.resourceMetadataUrl});if(!o||o.status===404)throw await o?.body?.cancel(),new Error("Resource server does not implement OAuth 2.0 Protected Resource Metadata.");if(!o.ok)throw await o.body?.cancel(),new Error(`HTTP ${o.status} trying to load well-known OAuth protected resource metadata.`);return nr.parse(await o.json())}n(ai,"discoverOAuthProtectedResourceMetadata");async function Wr(e,t,r=fetch){try{return await r(e,{headers:t})}catch(o){if(o instanceof TypeError)return t?Wr(e,void 0,r):void 0;throw o}}n(Wr,"fetchWithCorsRetry");function vd(e,t="",r={}){return t.endsWith("/")&&(t=t.slice(0,-1)),r.prependPathname?`${t}/.well-known/${e}`:`/.well-known/${e}${t}`}n(vd,"buildWellKnownPath");async function ni(e,t,r=fetch){return await Wr(e,{"MCP-Protocol-Version":t},r)}n(ni,"tryMetadataDiscovery");function Ad(e,t){return!e||e.status>=400&&e.status<500&&t!=="/"}n(Ad,"shouldAttemptFallback");async function kd(e,t,r,o){let i=new URL(e),a=o?.protocolVersion??kr,s;if(o?.metadataUrl)s=new URL(o.metadataUrl);else{let u=vd(t,i.pathname);s=new URL(u,o?.metadataServerUrl??i),s.search=i.search}let c=await ni(s,a,r);if(!o?.metadataUrl&&Ad(c,i.pathname)){let u=new URL(`/.well-known/${t}`,i);c=await ni(u,a,r)}return c}n(kd,"discoverMetadataWithFallback");function xd(e){let t=typeof e=="string"?new URL(e):e,r=t.pathname!=="/",o=[];if(!r)return o.push({url:new URL("/.well-known/oauth-authorization-server",t.origin),type:"oauth"}),o.push({url:new URL("/.well-known/openid-configuration",t.origin),type:"oidc"}),o;let i=t.pathname;return i.endsWith("/")&&(i=i.slice(0,-1)),o.push({url:new URL(`/.well-known/oauth-authorization-server${i}`,t.origin),type:"oauth"}),o.push({url:new URL(`/.well-known/openid-configuration${i}`,t.origin),type:"oidc"}),o.push({url:new URL(`${i}/.well-known/openid-configuration`,t.origin),type:"oidc"}),o}n(xd,"buildDiscoveryUrls");async function si(e,{fetchFn:t=fetch,protocolVersion:r=kr}={}){let o={"MCP-Protocol-Version":r,Accept:"application/json"},i=xd(e);for(let{url:a,type:s}of i){let c=await Wr(a,o,t);if(c){if(!c.ok){if(await c.body?.cancel(),c.status>=400&&c.status<500)continue;throw new Error(`HTTP ${c.status} trying to load ${s==="oauth"?"OAuth":"OpenID provider"} metadata from ${a}`)}return s==="oauth"?ht.parse(await c.json()):or.parse(await c.json())}}}n(si,"discoverAuthorizationServerMetadata");async function Td(e,t){let r,o;try{r=await ai(e,{resourceMetadataUrl:t?.resourceMetadataUrl},t?.fetchFn),r.authorization_servers&&r.authorization_servers.length>0&&(o=r.authorization_servers[0])}catch{}o||(o=String(new URL("/",e)));let i=await si(o,{fetchFn:t?.fetchFn});return{authorizationServerUrl:o,authorizationServerMetadata:i,resourceMetadata:r}}n(Td,"discoverOAuthServerInfo");async function Ud(e,{metadata:t,clientInformation:r,redirectUrl:o,scope:i,state:a,resource:s}){let c;if(t){if(c=new URL(t.authorization_endpoint),!t.response_types_supported.includes(Jr))throw new Error(`Incompatible auth server: does not support response type ${Jr}`);if(t.code_challenge_methods_supported&&!t.code_challenge_methods_supported.includes(Gr))throw new Error(`Incompatible auth server: does not support code challenge method ${Gr}`)}else c=new URL("/authorize",e);let u=await Nr(),l=u.code_verifier,m=u.code_challenge;return c.searchParams.set("response_type",Jr),c.searchParams.set("client_id",r.client_id),c.searchParams.set("code_challenge",m),c.searchParams.set("code_challenge_method",Gr),c.searchParams.set("redirect_uri",String(o)),a&&c.searchParams.set("state",a),i&&c.searchParams.set("scope",i),i?.includes("offline_access")&&c.searchParams.append("prompt","consent"),s&&c.searchParams.set("resource",s.href),{authorizationUrl:c,codeVerifier:l}}n(Ud,"startAuthorization");function Pd(e,t,r){return new URLSearchParams({grant_type:"authorization_code",code:e,code_verifier:t,redirect_uri:String(r)})}n(Pd,"prepareAuthorizationCodeRequest");async function ci(e,{metadata:t,tokenRequestParams:r,clientInformation:o,addClientAuthentication:i,resource:a,fetchFn:s}){let c=t?.token_endpoint?new URL(t.token_endpoint):new URL("/token",e),u=new Headers({"Content-Type":"application/x-www-form-urlencoded",Accept:"application/json"});if(a&&r.set("resource",a.href),i)await i(u,r,c,t);else if(o){let m=t?.token_endpoint_auth_methods_supported??[],w=wd(o,m);bd(w,o,u,r)}let l=await(s??fetch)(c,{method:"POST",headers:u,body:r});if(!l.ok)throw await oi(l);return Ke.parse(await l.json())}n(ci,"executeTokenRequest");async function Ed(e,{metadata:t,clientInformation:r,refreshToken:o,resource:i,addClientAuthentication:a,fetchFn:s}){let c=new URLSearchParams({grant_type:"refresh_token",refresh_token:o}),u=await ci(e,{metadata:t,tokenRequestParams:c,clientInformation:r,addClientAuthentication:a,resource:i,fetchFn:s});return{refresh_token:o,...u}}n(Ed,"refreshAuthorization");async function Od(e,t,{metadata:r,resource:o,authorizationCode:i,fetchFn:a}={}){let s=e.clientMetadata.scope,c;if(e.prepareTokenRequest&&(c=await e.prepareTokenRequest(s)),!c){if(!i)throw new Error("Either provider.prepareTokenRequest() or authorizationCode is required");if(!e.redirectUrl)throw new Error("redirectUrl is required for authorization_code flow");let l=await e.codeVerifier();c=Pd(i,l,e.redirectUrl)}let u=await e.clientInformation();return ci(t,{metadata:r,tokenRequestParams:c,clientInformation:u??void 0,addClientAuthentication:e.addClientAuthentication,resource:o,fetchFn:a})}n(Od,"fetchToken");async function qd(e,{metadata:t,clientMetadata:r,scope:o,fetchFn:i}){let a;if(t){if(!t.registration_endpoint)throw new Error("Incompatible auth server: does not support dynamic client registration");a=new URL(t.registration_endpoint)}else a=new URL("/register",e);let s=await(i??fetch)(a,{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify({...r,...o!==void 0?{scope:o}:{}})});if(!s.ok)throw await oi(s);return gt.parse(await s.json())}n(qd,"registerClient");var Vr="zuplo.com",Md=new Set(["co.jp","co.kr","co.nz","co.uk","com.au","com.br","com.cn","com.mx","com.sg","co.in"]),Dd=[".example.test",".example.com",".example.org",".invalid",".localhost",".test"];function di(e){return`https://www.google.com/s2/favicons?domain=${e}&sz=128`}n(di,"s2FaviconHref");function jd(e){return`https://t0.gstatic.com/faviconV2?client=SOCIAL&type=FAVICON&drop_404_icon=true&fallback_opts=TYPE,SIZE,URL&url=http://${e}&size=128`}n(jd,"strictFaviconHref");var ar=di(Vr);function Yr(e){let t=e.toLowerCase();return t===Vr||t==="zuplo.app"||t==="zuplo.dev"||t.endsWith(".zuplo.app")||t.endsWith(".zuplo.dev")?di(Vr):jd(e)}n(Yr,"resolveIconHref");function zd(e){try{return new URL(`http://${e}`).hostname}catch{return e}}n(zd,"hostnameFromHost");function Hd(e){return e==="localhost"||e.includes(":")||/^\d{1,3}(?:\.\d{1,3}){3}$/.test(e)}n(Hd,"isLocalOrAddressHost");function Bd(e){let t=zd(e).toLowerCase().replace(/\.$/,"");if(Hd(t)||Dd.some(a=>t===a.slice(1)||t.endsWith(a)))return t;let r=t.split(".").filter(Boolean);if(r.length<=2)return t;let o=r.slice(-2).join("."),i=Md.has(o)?3:2;return r.slice(-i).join(".")}n(Bd,"inferFaviconDomain");function Xr(e){return{src:Yr(Bd(e)),mimeType:"image/png",sizes:["128x128"]}}n(Xr,"resolveMcpFaviconIcon");function sr(e){try{return Xr(new URL(e).host)}catch{return}}n(sr,"resolveMcpFaviconIconFromUrl");function Se(e){let t=ee().connectionsById.get(e);if(!t)throw new A(`Unknown upstream server "${e}". Check the route's MCP upstream policy and ensure policies.json declares a matching upstream connection.`);return{displayName:t.displayName,description:t.description,serverInfo:t.serverInfo,transport:{baseUrl:t.mcpUrl,resourceMetadataUrl:t.protectedResourceMetadataUrl}}}n(Se,"getUpstreamServerConfig");function cr(e){let t=ee().connectionsById.get(e.upstreamServerId);if(!t||t.authProfileId!==e.authProfileId)throw new A(`Unknown auth profile "${String(e.authProfileId)}" for upstream server "${e.upstreamServerId}". Check the route's MCP upstream policy and ensure policies.json declares a matching auth mode for that upstream connection.`);return t.authConfig}n(cr,"getUpstreamAuthConfig");function We(e,t){let r=cr({upstreamServerId:e,authProfileId:t});if(r.mode!=="shared-oauth"&&r.mode!=="user-oauth")throw new A(`Upstream server "${e}" does not use upstream OAuth. Select authMode "shared-oauth" or "user-oauth" before starting an upstream OAuth connection flow.`);return r.oauth}n(We,"requireUpstreamOAuthConfig");function ui(e,t){let r=cr({upstreamServerId:e,authProfileId:t});if(r.mode!=="id-jag")throw new A(`Upstream server "${e}" does not use upstream ID-JAG. Select authMode "id-jag" before requesting an upstream XAA token exchange.`);return r.idJag}n(ui,"requireUpstreamIdJagConfig");function li(e,t){if(!t)return;if(t.aborted){e.abort(t.reason);return}let r=n(()=>e.abort(t.reason),"abort");return t.addEventListener("abort",r,{once:!0}),()=>t.removeEventListener("abort",r)}n(li,"mergeAbortSignals");async function Ld(e){try{await e.cancel()}catch{}}n(Ld,"cancelReader");async function dr(e,t){if(!e)return new Uint8Array;let r=e.getReader(),o=[],i=0,a=await r.read();for(;!a.done;){let u=a.value;if(i+=u.byteLength,i>t.maxBytes)throw await Ld(r),t.createLimitError();o.push(u),a=await r.read()}let s=new Uint8Array(i),c=0;for(let u of o)s.set(u,c),c+=u.byteLength;return s}n(dr,"readBoundedByteStream");var Nd=2,Jd=1024*1024,Gd=1e4,Fd=new Set([301,302,303,307,308]),$d=["authorization","proxy-authorization","cookie","cookie2"];function Qr(e){return typeof e=="string"?e:e instanceof URL?e.toString():e.url}n(Qr,"readRequestUrl");function Ve(e,t){return t?.method!==void 0?t.method.toUpperCase():e instanceof Request?e.method.toUpperCase():"GET"}n(Ve,"readRequestMethod");function Zd(e,t,r){let o=e.headers.get("content-length");if(!o)return;let i=Number.parseInt(o,10);if(Number.isFinite(i)&&i>t)throw new h({message:"Outbound response exceeded the maximum allowed size.",extensionMembers:{[g]:r}})}n(Zd,"assertContentLengthWithinLimit");async function Kd(e,t,r){return Zd(e,t,r),dr(e.body,{maxBytes:t,createLimitError:n(()=>new h({message:"Outbound response exceeded the maximum allowed size.",extensionMembers:{[g]:r}}),"createLimitError")})}n(Kd,"readBoundedResponseBody");function Wd(e,t){let r=new ArrayBuffer(t.byteLength);return new Uint8Array(r).set(t),new Response(r,{status:e.status,statusText:e.statusText,headers:e.headers})}n(Wd,"responseFromBufferedBody");function Vd(e,t){if(!Fd.has(e.status))return;let r=e.headers.get("location");if(r)return new URL(r,t).toString()}n(Vd,"resolveRedirectUrl");function pi(e,t){try{return t.validateUrl(e)}catch(r){throw new h({message:"Outbound URL was not allowed.",extensionMembers:{[g]:t.problemCode}},{cause:r})}}n(pi,"validateOutboundUrl");function Yd(e,t){throw e instanceof h&&Nt(e.extensionMembers?.[g])?e:new h({message:"Outbound fetch failed.",extensionMembers:{[g]:t}},{cause:e})}n(Yd,"normalizeFetchError");function Tt(e,t){if(e===void 0)return;let r={event:t.event,code:t.problemCode,method:t.method};if(t.host!==void 0&&(r.host=t.host),t.extra!==void 0)for(let[o,i]of Object.entries(t.extra))i!==void 0&&(r[o]=i);t.error!==void 0&&J(r,"error",t.error),e.log.warn(r,"Outbound HTTP exchange rejected")}n(Tt,"logOutboundFailure");async function Xd(e,t,r,o,i,a,s){let c=Ve(r,o);try{return await t(r,o)}catch(u){let l=u instanceof DOMException&&u.name==="AbortError";Tt(e,{event:l?"outbound_fetch_aborted":"outbound_fetch_failed",problemCode:i,method:c,host:q(a),error:u,extra:{abortReason:s()}}),Yd(u,i)}}n(Xd,"fetchWithNormalizedError");function Qd(e){if(e.redirects>=e.maxRedirects)throw new h({message:"Outbound redirects exceeded the maximum allowed depth.",extensionMembers:{[g]:e.problemCode}});if(e.method!=="GET"&&e.method!=="HEAD")throw new h({message:"Outbound redirect after a non-idempotent request was blocked.",extensionMembers:{[g]:e.problemCode}})}n(Qd,"assertRedirectAllowed");function eu(e,t){let r=new Headers(e);for(let o of $d)r.delete(o);for(let o of t)r.delete(o);return r}n(eu,"stripCrossOriginHeaders");function tu(e,t,r,o,i){let a={...e,method:t,redirect:"manual",signal:r};return o&&(a.headers=eu(e.headers,i)),a}n(tu,"buildRedirectInit");function ru(e,t,r){let o={...t,redirect:"manual",signal:r};return o.headers===void 0&&e instanceof Request&&(o.headers=e.headers),o}n(ru,"buildInitialRequestInit");function nu(e){let t=Ve(e.currentInput,e.currentInit);Qd({redirects:e.redirects,maxRedirects:e.maxRedirects,method:t,problemCode:e.problemCode});let r=pi(e.redirectUrl,{problemCode:e.problemCode,validateUrl:e.validateUrl}),o=new URL(e.currentUrl),i=r.origin!==o.origin,a=r.toString();return{currentInput:a,currentUrl:a,currentInit:tu(e.currentInit,t,e.signal,i,e.additionalCrossOriginStrippedHeaders),redirects:e.redirects+1}}n(nu,"followRedirect");async function en(e,t,r){let o=r.problemCode??"invalid_request",i=r.maxRedirects??Nd,a=r.maxResponseBytes??Jd,s=r.timeoutMs??Gd,c=r.fetchImpl??fetch,u=r.additionalCrossOriginStrippedHeaders??[],l=r.context,m=new AbortController,w=li(m,t.signal),P=!1,y=setTimeout(()=>{P=!0,m.abort()},s),E=e,x=ru(e,t,m.signal),B;try{B=pi(Qr(e),{problemCode:o,validateUrl:r.validateUrl}).toString()}catch(X){throw Tt(l,{event:"outbound_url_blocked",problemCode:o,method:Ve(e,t),host:q(Qr(e)),error:X}),clearTimeout(y),w?.(),X}let Be=0;try{for(;;){let X=await Xd(l,c,E,x,o,B,()=>P?`timeout_after_${s}ms`:void 0),O=Vd(X,B);if(O!==void 0)try{let j=nu({currentInput:E,currentInit:x,currentUrl:B,redirectUrl:O,redirects:Be,maxRedirects:i,problemCode:o,validateUrl:r.validateUrl,signal:m.signal,additionalCrossOriginStrippedHeaders:u});E=j.currentInput,x=j.currentInit,B=j.currentUrl,Be=j.redirects;continue}catch(j){throw Tt(l,{event:"outbound_redirect_blocked",problemCode:o,method:Ve(E,x),host:q(B),error:j,extra:{redirects:Be,maxRedirects:i,redirectTargetHost:q(O)}}),j}try{return Wd(X,await Kd(X,a,o))}catch(j){throw Tt(l,{event:"outbound_response_size_exceeded",problemCode:o,method:Ve(E,x),host:q(B),error:j,extra:{maxResponseBytes:a,status:X.status}}),j}}}finally{clearTimeout(y),w?.()}}n(en,"runSafeOutboundExchange");async function Ut(e,t,r){let o=await en(e,t,r);try{return{response:o,json:await o.clone().json()}}catch(i){throw Tt(r.context,{event:"outbound_json_parse_failed",problemCode:r.problemCode??"invalid_request",method:Ve(e,t),host:q(Qr(e)),error:i,extra:{status:o.status,contentType:o.headers.get("content-type")??void 0}}),new h({message:"Outbound JSON response could not be parsed.",extensionMembers:{[g]:r.problemCode??"invalid_request"}},{cause:i})}}n(Ut,"runSafeOutboundJsonExchange");function mi(e,t={},r={}){return en(e,t,{...r,validateUrl:mt})}n(mi,"fetchConfiguredOutbound");function fi(e,t={},r={}){return Ut(e,t,{...r,validateUrl:mt})}n(fi,"fetchConfiguredOutboundJson");function ur(e,t={},r={}){return Ut(e,t,{...r,validateUrl:Oo})}n(ur,"fetchIdentityProviderJson");function hi(e,t={},r={}){return Ut(e,t,{...r,validateUrl:Yt})}n(hi,"fetchCimdClientMetadataJson");function gi(e,t={},r={}){return Ut(e,t,{...r,validateUrl:ft})}n(gi,"fetchCimdClientJwksJson");Z();import{errors as Ii,jwtVerify as Ci,SignJWT as Si}from"jose";var $="zuplo-mcp-gateway",W=$,V="HS256";import{base64url as ou}from"jose";var iu=new TextEncoder,au="MCP gateway could not initialize secure key material.",su=32,yi=new Map,_i=new Map,cu;function du(){return cu??Nn.instance.authPrivateKey}n(du,"readAuthPrivateKey");function wi(e){return new Q(au,e===void 0?void 0:{cause:e})}n(wi,"createGeneratedKeyMaterialError");function bi(e,t){let r=ou.decode(t);if(r.byteLength!==su)throw new Error(`Generated deployment auth key ${e} is invalid.`);return r}n(bi,"decodeJwkKeyField");function uu(e){let t=du();if(!t)throw wi();try{let r=JSON.parse(t);if(r.kty!=="OKP"||r.crv!=="Ed25519"||typeof r.d!="string"||typeof r.x!="string")throw new Error("Generated deployment auth key is not an Ed25519 JWK.");let o=bi("d",r.d);bi("x",r.x);let i=iu.encode(`zuplo-mcp-gateway:${e}:Ed25519:`),a=new Uint8Array(i.byteLength+o.byteLength);return a.set(i),a.set(o,i.byteLength),a}catch(r){throw wi(r)}}n(uu,"decodeGeneratedKeyMaterial");function lu(e){let t=yi.get(e);return t||(t=uu(e),yi.set(e,t)),t}n(lu,"getMasterKeyMaterial");async function oe(e){let t=_i.get(e.purpose);if(t!==void 0)return t;let r=await e.derive(lu(e.keyMaterialPurpose));return _i.set(e.purpose,r),r}n(oe,"readCachedDerivedKey");var pu="SHA-256",mu=32,fu="zuplo-mcp-gateway:",hu=new TextEncoder,Ri=new WeakMap;async function ve(e,t){let r=Ri.get(e);r||(r=new Map,Ri.set(e,r));let o=r.get(t);if(o)return o;let i=await gu(e,t);return r.set(t,i),i}n(ve,"deriveGatewaySigningKey");async function gu(e,t){let r=F(e),o=await crypto.subtle.importKey("raw",r,{name:"HKDF"},!1,["deriveBits"]),i=hu.encode(`${fu}${t}`),a=await crypto.subtle.deriveBits({name:"HKDF",hash:pu,salt:new Uint8Array,info:F(i)},o,mu*8);return new Uint8Array(a)}n(gu,"hkdfExpand");var vi=900,yu=900,_u=ho.extend({id:zo}),wu=_u.extend({exp:d.number().int().positive(),iat:d.number().int().positive().optional()}),Ai=xr.extend({id:Ho,purpose:d.literal("browser_connect")}),bu=xr.extend({purpose:d.literal("browser_connect")}),Ru=Ai.extend({exp:d.number().int().positive(),iat:d.number().int().positive().optional()}),ki=vi*1e3;async function xi(){return oe({purpose:"oauth-state",keyMaterialPurpose:"oauth-state-signing",derive:n(e=>ve(e,"oauth-state"),"derive")})}n(xi,"getOAuthStateKey");async function Ti(){return oe({purpose:"browser-connect",keyMaterialPurpose:"oauth-state-signing",derive:n(e=>ve(e,"browser-connect"),"derive")})}n(Ti,"getBrowserConnectKey");async function Ui(e){let t=Math.floor(Date.now()/1e3)+vi;return new Si(e).setProtectedHeader({alg:V,typ:"JWT"}).setIssuer($).setAudience(W).setIssuedAt().setExpirationTime(t).sign(await xi())}n(Ui,"signOAuthState");async function lr(e){try{let{payload:t}=await Ci(e,await xi(),{algorithms:[V],issuer:$,audience:W});return wu.parse(t)}catch(t){throw t instanceof Ii.JWTExpired?new h({message:"OAuth state has expired",extensionMembers:{[g]:"oauth_state_expired"}},{cause:t}):new h({message:"OAuth state could not be verified",extensionMembers:{[g]:"oauth_state_invalid"}},{cause:t})}}n(lr,"verifyOAuthState");async function Pi(e){let t=Math.floor(Date.now()/1e3)+yu,r=bu.parse(e),o=Ai.parse({...r,id:No()});return new Si(o).setProtectedHeader({alg:V,typ:"JWT"}).setIssuer($).setAudience(W).setIssuedAt().setExpirationTime(t).sign(await Ti())}n(Pi,"signBrowserConnectTicket");async function Ei(e){try{let{payload:t}=await Ci(e,await Ti(),{algorithms:[V],issuer:$,audience:W});return Ru.parse(t)}catch(t){throw t instanceof Ii.JWTExpired?new h({message:"Browser connect ticket has expired",extensionMembers:{[g]:"oauth_state_expired"}},{cause:t}):new h({message:"Browser connect ticket could not be verified",extensionMembers:{[g]:"oauth_state_invalid"}},{cause:t})}}n(Ei,"verifyBrowserConnectTicket");async function Oi(e){if((await R().consumeBrowserConnectTicket({id:e.id,expiresAt:I(new Date(e.exp*1e3)),now:I(new Date)})).kind==="consumed")throw new h({message:"Browser connect ticket has already been used",extensionMembers:{[g]:"oauth_state_reused"}})}n(Oi,"consumeBrowserConnectTicket");function Iu(e,t,r=!1){return r?`${e} authorization must be renewed before this ${t} can be used.`:`${e} authorization is required before this ${t} can be used.`}n(Iu,"buildConnectRequiredMessage");async function Cu(e){let t=M(e.requestUrl,e.requestHeaders),r=new URL(e.path,t);return e.redirect&&r.searchParams.set("redirect","true"),r.searchParams.set("operationId",e.operationId),r.searchParams.set("browserTicket",await Pi({...lt(e),purpose:"browser_connect"})),r.toString()}n(Cu,"buildGatewayBrowserTicketUrl");function Su(e){return L().actionPath(`/auth/connections/${encodeURIComponent(e)}/connect`)}n(Su,"buildGatewayConnectPath");async function tn(e){return Cu({...e,path:Su(e.upstreamServerId),redirect:!0})}n(tn,"buildGatewayConnectUrl");async function pr(e){let t={requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders},owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,operationId:e.operationId,...e.returnTo===void 0?{}:{returnTo:e.returnTo}};return{state:e.requiresReconsent?"reconsent_required":"authenticating",upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,operationId:e.operationId,...e.connectionId?{connectionId:e.connectionId}:{},authUrl:await tn(t),message:Iu(e.upstreamDisplayName,e.subject,e.requiresReconsent),nextAction:"redirect"}}n(pr,"buildRedirectConnectRequiredResponse");function qi(e){return vu({...e,message:e.requiresReconsent?`An administrator must reconnect ${e.upstreamDisplayName} before this tool can be used.`:`An administrator must connect ${e.upstreamDisplayName} before this tool can be used.`})}n(qi,"buildAdminConnectRequiredResponse");function vu(e){return{state:"admin_connect_required",upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,operationId:e.operationId,...e.connectionId?{connectionId:e.connectionId}:{},message:e.message,nextAction:"admin_setup_required"}}n(vu,"buildAdminSetupRequiredResponse");var Mi=12;async function Di(e){let t=await crypto.subtle.digest("SHA-256",F(new TextEncoder().encode(e)));return Array.from(new Uint8Array(t)).map(r=>r.toString(16).padStart(2,"0")).join("")}n(Di,"sha256Hex");async function Ye(e){if(e)return(await Di(e)).slice(0,Mi)}n(Ye,"fingerprintSecret");async function Xe(e){let t=JSON.stringify([e.owner.mode,e.owner.mode==="user"?e.owner.subjectId:"",e.upstreamServerId,e.authProfileId]);return(await Di(t)).slice(0,Mi)}n(Xe,"fingerprintConnectionIdentity");function Pt(e){return e?e.status!=="active"?"inactive":e.encryptedAccessToken?e.expiresAt&&new Date(e.expiresAt).getTime()<=Date.now()?"expired":"usable":"no_access_token":"no_connection"}n(Pt,"describeAccessTokenState");Z();var ji=new Set(["client_id","code_challenge","code_challenge_method","display","login_hint","nonce","prompt","redirect_uri","response_mode","response_type","state"]);function Au(e,t){return e&&e.length>0?e.join(t):void 0}n(Au,"joinOAuthScopes");function ku(e){if(e?.authorization_endpoint===void 0)return e;let t=new URL(e.authorization_endpoint);for(let r of ji)t.searchParams.delete(r);return{...e,authorization_endpoint:t.toString()}}n(ku,"sanitizeAuthorizationServerMetadata");function zi(e){let t=ku(e.authorizationServerMetadata);return t===e.authorizationServerMetadata?e:{...e,authorizationServerMetadata:t}}n(zi,"sanitizeOAuthDiscoveryState");function Hi(e){let t=new URL(e);for(let r of ji){let o=t.searchParams.getAll(r);o.length<=1||(t.searchParams.delete(r),t.searchParams.set(r,o.at(-1)??""))}return t}n(Hi,"dedupeSingletonAuthorizationRequestParams");function mr(e){let t=new URL(e);return K(t)&&Qn(t.hostname)!=="localhost"&&(t.hostname="localhost"),t}n(mr,"normalizeLoopbackOAuthRedirectUri");function Bi(e){return Au(e.state?.resourceMetadata?.scopes_supported,e.delimiter)}n(Bi,"readProtectedResourceMetadataScope");function xu(e){return`Zuplo MCP Gateway - ${e}`}n(xu,"buildGatewayOAuthClientName");function Tu(e,t){return e&&e.length>0?e.join(t):void 0}n(Tu,"joinOAuthScopeList");function Uu(e){if(e.clientRegistration.mode!=="auto")return Tu(e.scopes,e.scopeDelimiter)}n(Uu,"readPublicClientMetadataScope");function rn(e){return new URL(L().actionPath(`/.well-known/oauth-client/${encodeURIComponent(e.upstreamServerId)}`),e.origin).toString()}n(rn,"buildOAuthClientMetadataDocumentUrl");function nn(e){let t=Se(e.upstreamServerId);return{client_name:xu(t.displayName),client_uri:new URL("/",e.origin).toString(),redirect_uris:[e.redirectUri],grant_types:["authorization_code","refresh_token"],response_types:["code"],application_type:"web",...e.scope===void 0?{}:{scope:e.scope},token_endpoint_auth_method:"none"}}n(nn,"buildGatewayOAuthClientMetadata");function Li(e,t,r){let o=We(t,r),i=Uu(o);return{client_id:rn({origin:e,upstreamServerId:t}),...nn({origin:e,upstreamServerId:t,redirectUri:mr(new URL(o.redirectPath,e)).toString(),scope:i})}}n(Li,"buildOAuthClientMetadataDocument");Z();import{base64url as Ae}from"jose";var Pu="SHA-256",Qe="AES-GCM",Eu=12,an="zuplo-secret",sn=1,Ni="generated:auth_private_key:token-encryption",Ou=d.object({version:d.literal(sn),keyId:d.literal(Ni),algorithm:d.literal(Qe),iv:d.string().min(1),ciphertext:d.string().min(1)}).strict();async function on(){return oe({purpose:"token-encryption",keyMaterialPurpose:"token-encryption",derive:n(async e=>{let t=await crypto.subtle.digest(Pu,F(e));return crypto.subtle.importKey("raw",t,{name:Qe},!1,["encrypt","decrypt"])},"derive")})}n(on,"getEncryptionKey");function Ji(e){return F(new TextEncoder().encode(`${an}:v${e.version}:${e.keyId}`))}n(Ji,"getAssociatedData");function qu(e){return`${an}:v${e.version}:${Ae.encode(new TextEncoder().encode(JSON.stringify(e)))}`}n(qu,"encodeEnvelope");function Mu(e){let t=`${an}:v${sn}:`;if(!e.startsWith(t))return;let r=e.slice(t.length),o=new TextDecoder().decode(Ae.decode(r));return Ou.parse(JSON.parse(o))}n(Mu,"decodeEnvelope");async function me(e){let t=await on(),r=crypto.getRandomValues(new Uint8Array(Eu)),o={version:sn,keyId:Ni},i=await crypto.subtle.encrypt({name:Qe,iv:r,additionalData:Ji(o)},t,new TextEncoder().encode(e));return qu({...o,algorithm:Qe,iv:Ae.encode(r),ciphertext:Ae.encode(new Uint8Array(i))})}n(me,"encryptSecret");async function ke(e){let t=Mu(e);if(t){let s=await on(),c=await crypto.subtle.decrypt({name:Qe,iv:F(Ae.decode(t.iv)),additionalData:Ji(t)},s,F(Ae.decode(t.ciphertext)));return new TextDecoder().decode(c)}let[r,o]=e.split(".");if(!r||!o)throw new Q("Encrypted payload is malformed");let i=await on(),a=await crypto.subtle.decrypt({name:Qe,iv:F(Ae.decode(r))},i,F(Ae.decode(o)));return new TextDecoder().decode(a)}n(ke,"decryptSecret");var Du=d.union([gt,ir]),ju=d.object({authorizationServerUrl:d.url(),resourceMetadataUrl:d.url().optional(),resourceMetadata:nr.optional(),authorizationServerMetadata:d.union([ht,or]).optional()}).passthrough(),zu="Bearer",Hu="__zuplo_refresh_only_upstream_access_token__";function Bu(e){return e?e.split(/[,\s]+/).filter(Boolean):[]}n(Bu,"splitScopes");function Lu(e){return Ne.parse(e)}n(Lu,"parsePkceCodeVerifier");function Nu(e){if(typeof e.expires_in=="number")return I(new Date(Date.now()+e.expires_in*1e3))}n(Nu,"readTokenExpiry");async function Ju(e){if(e!==void 0)return me(JSON.stringify(e))}n(Ju,"encryptJson");async function Gu(e,t){if(!e)return;let r=await ke(e);try{return t.parse(JSON.parse(r))}catch(o){throw new h({message:"Stored upstream OAuth JSON state is invalid.",extensionMembers:{[g]:"oauth_state_invalid"}},{cause:o})}}n(Gu,"decryptJson");function Fu(e,t){return"redirect_uris"in e?e.redirect_uris.includes(t):!0}n(Fu,"clientInformationAllowsRedirectUri");function $u(e){return e.clientMetadataUrl===void 0?"redirect_uris"in e.clientInformation:"redirect_uris"in e.clientInformation||e.clientInformation.client_id===e.clientMetadataUrl}n($u,"clientInformationMatchesCurrentClientMetadataUrl");function Zu(e){return e.clientMetadataUrl!==void 0&&!("redirect_uris"in e.clientInformation)&&e.clientInformation.client_id===e.clientMetadataUrl}n(Zu,"isUrlBasedClientInformation");function Ku(e,t){return t===void 0?e:{...e,scope:t}}n(Ku,"applyOAuthClientMetadataScope");function Wu(e,t){return Bi({state:e,delimiter:t})}n(Wu,"readResourceMetadataScope");function Vu(e,t){return e&&e.length>0?e.join(t):void 0}n(Vu,"joinOAuthScopeList");function Yu(e){let t;if(e.registration.tokenEndpointAuthMethod!=="none"&&(t=e.registration.clientSecret,!t))throw new A(`Manual OAuth registration for upstream "${e.upstreamServerId}" requires clientSecret. Set the env var that backs the client secret or use tokenEndpointAuthMethod "none".`);return gt.parse({...e.clientMetadata,client_id:e.registration.clientId,token_endpoint_auth_method:e.registration.tokenEndpointAuthMethod,...t===void 0?{}:{client_secret:t}})}n(Yu,"buildManualOAuthClientInformation");function Xu(e,t){let r=rn({origin:new URL(t).origin,upstreamServerId:e});return Kr(r)?r:void 0}n(Xu,"buildClientMetadataUrl");function Qu(e){for(let t of e)if(t!==void 0)return t}n(Qu,"firstDefined");function el(e){let t=We(e.target.upstreamServerId,e.target.authProfileId),r=Vu(t.scopes,t.scopeDelimiter),o=nn({origin:new URL(e.redirectUri).origin,upstreamServerId:e.target.upstreamServerId,redirectUri:e.redirectUri,scope:r});if(t.clientRegistration.mode==="manual")return{clientMetadata:o,configuredScope:r,scopeDelimiter:t.scopeDelimiter,configuredClientInformation:Yu({clientMetadata:o,registration:t.clientRegistration,upstreamServerId:e.target.upstreamServerId})};let i=Xu(e.target.upstreamServerId,e.redirectUri);return i===void 0?{clientMetadata:o,configuredScope:r,scopeDelimiter:t.scopeDelimiter}:{clientMetadata:o,configuredScope:r,scopeDelimiter:t.scopeDelimiter,clientMetadataUrl:i}}n(el,"buildInitialOAuthClientSetup");function tl(e,t){if(t===void 0)return Qu([e.pendingState?.encryptedClientInformation,e.connectionMetadata?.encryptedClientInformation,e.connection?.metadata?.encryptedClientInformation])}n(tl,"readEncryptedClientInformation");var De=class{static{n(this,"UpstreamOAuthProvider")}clientMetadataUrl;target;redirectUriValue;returnOrigin;clientMetadataValue;configuredScope;scopeDelimiter;configuredClientInformation;challengeScope;inferredScope;authorizationUrlValue;connection;pendingState;encryptedClientInformation;cachedClientInformation;clientInformationLoaded=!1;cachedDiscoveryState;discoveryStateLoaded=!1;cachedTokens;tokensLoaded=!1;connectionFingerprintValue;usedRefreshTokenFingerprintValue;constructor(t){let r=el({target:t.target,redirectUri:t.redirectUri});this.target=t.target,this.redirectUriValue=t.redirectUri,this.returnOrigin=t.returnOrigin,this.clientMetadataValue=r.clientMetadata,this.configuredScope=r.configuredScope,this.scopeDelimiter=r.scopeDelimiter,this.configuredClientInformation=r.configuredClientInformation,r.clientMetadataUrl!==void 0&&(this.clientMetadataUrl=r.clientMetadataUrl),this.connection=t.connection,this.pendingState=t.pendingState?{...t.pendingState}:void 0,this.encryptedClientInformation=tl(t,this.configuredClientInformation)}get authorizationUrl(){return this.authorizationUrlValue}get usedRefreshTokenFingerprint(){return this.usedRefreshTokenFingerprintValue}async connectionFingerprint(){return this.connectionFingerprintValue===void 0&&(this.connectionFingerprintValue=await Xe({owner:this.target.owner,upstreamServerId:this.target.upstreamServerId,authProfileId:this.target.authProfileId})),this.connectionFingerprintValue}get redirectUrl(){return this.redirectUriValue}get clientMetadata(){return Ku(this.clientMetadataValue,this.readEffectiveScope())}async state(){let t=await this.createPendingState();return Ui({id:t.id,...lt({owner:this.target.owner,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,operationId:t.operationId})})}async clientInformation(){return this.configuredClientInformation?this.configuredClientInformation:this.loadPersistedClientInformation()}async saveClientInformation(t){this.configuredClientInformation||(this.cachedClientInformation=t,this.clientInformationLoaded=!0,G()?.info({event:"upstream_oauth_client_registered",upstreamServerId:this.target.upstreamServerId,clientId:"client_id"in t?t.client_id:void 0,redirectUriCount:"redirect_uris"in t?t.redirect_uris.length:void 0},"Upstream OAuth client registered for the gateway"),!Zu({clientInformation:t,clientMetadataUrl:this.clientMetadataUrl})&&(this.encryptedClientInformation=await Ju(t),await this.syncPendingState(!1)))}async discoveryState(){return this.readCachedDiscoveryState()}applyChallengeScope(t){this.challengeScope=t}async saveDiscoveryState(t){let r=zi(ju.parse(t));this.cachedDiscoveryState=r,this.discoveryStateLoaded=!0,G()?.info({event:"upstream_oauth_discovery_resolved",upstreamServerId:this.target.upstreamServerId,authorizationServerHost:q(r.authorizationServerUrl),resourceMetadataHost:q(r.resourceMetadataUrl),resource:r.resourceMetadata?.resource,scopesSupportedCount:r.resourceMetadata?.scopes_supported?.length,hasResourceMetadata:r.resourceMetadata!==void 0},"Upstream OAuth discovery resolved authorization server and resource"),this.inferredScope=Wu(r,this.scopeDelimiter)}async tokens(){return this.loadStoredTokens()}async saveTokens(t){let r=Ke.parse(t),o=this.target.owner.mode==="user"?this.target.owner.subjectId:void 0,i=this.connection,a=!r.refresh_token&&!!i?.encryptedRefreshToken,s=r.refresh_token?await me(r.refresh_token):this.connection?.encryptedRefreshToken;this.cachedTokens=r.refresh_token||!this.connection?.encryptedRefreshToken?r:Ke.parse({...r,refresh_token:await ke(this.connection.encryptedRefreshToken)}),this.tokensLoaded=!0;let c={id:this.connection?.id??Xt(),ownerMode:this.target.owner.mode,subjectId:o,upstreamServerId:this.target.upstreamServerId,authProfileId:this.target.authProfileId,status:"active",encryptedAccessToken:await me(r.access_token),encryptedRefreshToken:s,scopes:Bu(r.scope??this.readEffectiveScope()),expiresAt:Nu(r),metadata:this.readStoredOAuthPersistence(this.target.owner.mode==="shared"?this.target.initiatedBySubjectId:void 0)};this.connection=await R().upsertUpstreamConnection(c),G()?.info({event:"upstream_oauth_tokens_persisted",upstreamServerId:this.target.upstreamServerId,authProfileId:this.target.authProfileId,ownerMode:this.target.owner.mode,connectionFingerprint:await this.connectionFingerprint(),connectionId:this.connection.id,hasRefreshToken:!!s,priorStatus:i?.status,priorUpdatedAt:i?.updatedAt,usedRefreshTokenFingerprint:this.usedRefreshTokenFingerprintValue,newRefreshTokenFingerprint:await Ye(r.refresh_token),reusedSnapshotRefreshToken:a,scopeCount:c.scopes.length,expiresAt:c.expiresAt},"Upstream OAuth tokens persisted; upstream connection is active")}async redirectToAuthorization(t){let r=Hi(t);this.authorizationUrlValue=r.toString()}async saveCodeVerifier(t){let r=await this.createPendingState();await this.persistPendingState({...r,codeVerifier:Lu(t)})}async codeVerifier(){if(!this.pendingState?.codeVerifier)throw new h({message:"OAuth code verifier is missing",extensionMembers:{[g]:"oauth_state_invalid"}});return this.pendingState.codeVerifier}async invalidateCredentials(t){let r=t==="all"||t==="client"||t==="tokens",o=t==="all"||t==="client",i=t==="all"||t==="discovery",a=t==="all"||t==="verifier";o&&(this.cachedClientInformation=void 0,this.clientInformationLoaded=!0,this.encryptedClientInformation=void 0),i&&(this.cachedDiscoveryState=void 0,this.discoveryStateLoaded=!0,this.challengeScope=void 0,this.inferredScope=void 0),r&&(this.cachedTokens=void 0,this.tokensLoaded=!0),await this.syncPendingState(a),await this.persistCredentialInvalidation(r)}async createPendingState(){if(this.pendingState)return this.pendingState;let t={id:Lo(),...lt({owner:this.target.owner,initiatedBySubjectId:this.target.initiatedBySubjectId,upstreamServerId:this.target.upstreamServerId,authProfileId:this.target.authProfileId,operationId:this.target.operationId,...this.target.returnTo===void 0?{}:{returnTo:this.target.returnTo}}),callbackPath:new URL(this.redirectUriValue).pathname,expiresAt:I(new Date(Date.now()+ki)),redirectUri:this.redirectUriValue,...this.returnOrigin===void 0?{}:{returnOrigin:this.returnOrigin},encryptedClientInformation:this.encryptedClientInformation,connectedBySubjectId:this.target.owner.mode==="shared"?this.target.initiatedBySubjectId:void 0};return await this.persistPendingState(t),t}async persistPendingState(t){await R().saveUpstreamOAuthState({record:t}),this.pendingState=t}async syncPendingState(t){this.pendingState&&await this.persistPendingState({...this.pendingState,codeVerifier:t?void 0:this.pendingState.codeVerifier,encryptedClientInformation:this.encryptedClientInformation})}async loadPersistedClientInformation(){if(this.clientInformationLoaded)return this.cachedClientInformation;let t;try{t=await Gu(this.encryptedClientInformation,Du)}catch{this.encryptedClientInformation=void 0,this.cachedClientInformation=void 0,this.clientInformationLoaded=!0,await this.syncPendingState(!1),await this.persistCredentialInvalidation(!1);return}if(t&&(!Fu(t,this.redirectUriValue)||!$u({clientInformation:t,clientMetadataUrl:this.clientMetadataUrl}))){this.encryptedClientInformation=void 0,this.cachedClientInformation=void 0,this.clientInformationLoaded=!0,await this.syncPendingState(!1),await this.persistCredentialInvalidation(!1);return}return t===void 0&&this.pendingState?.codeVerifier!==void 0&&this.clientMetadataUrl!==void 0&&(t=ir.parse({client_id:this.clientMetadataUrl})),this.cachedClientInformation=t,this.clientInformationLoaded=!0,this.cachedClientInformation}async readCachedDiscoveryState(){if(this.discoveryStateLoaded)return this.cachedDiscoveryState;this.discoveryStateLoaded=!0}readEffectiveScope(){return this.configuredScope??this.challengeScope??this.inferredScope}async loadStoredTokens(){if(this.tokensLoaded)return this.cachedTokens;if(this.tokensLoaded=!0,!this.connection||this.connection.status!=="active"){G()?.debug({event:"upstream_oauth_tokens_not_loaded",upstreamServerId:this.target.upstreamServerId,authProfileId:this.target.authProfileId,connectionFingerprint:await this.connectionFingerprint(),connectionId:this.connection?.id,status:this.connection?.status??"not_connected"},"Upstream OAuth tokens not loaded; connection is not active");return}let t=this.connection.encryptedAccessToken?await ke(this.connection.encryptedAccessToken):void 0,r=this.connection.encryptedRefreshToken?await ke(this.connection.encryptedRefreshToken):void 0;if(!t&&!r)return;let o=G();this.usedRefreshTokenFingerprintValue=o?await Ye(r):void 0,o?.debug({event:"upstream_oauth_tokens_loaded",upstreamServerId:this.target.upstreamServerId,authProfileId:this.target.authProfileId,connectionFingerprint:await this.connectionFingerprint(),connectionId:this.connection.id,hasAccessToken:!!t,hasRefreshToken:!!r,usedRefreshTokenFingerprint:this.usedRefreshTokenFingerprintValue,expiresAt:this.connection.expiresAt},"Upstream OAuth tokens loaded from stored connection");let i=Ke.parse({access_token:t??Hu,token_type:zu,refresh_token:r,scope:this.connection.scopes.length>0?this.connection.scopes.join(" "):void 0});return this.cachedTokens=i,i}async persistCredentialInvalidation(t){if(!this.connection)return;let r=this.connection.status,o=this.connection.updatedAt,i={id:this.connection.id,ownerMode:this.connection.ownerMode,subjectId:this.connection.subjectId,upstreamServerId:this.connection.upstreamServerId,authProfileId:this.connection.authProfileId,status:this.connection.status,encryptedAccessToken:this.connection.encryptedAccessToken,encryptedRefreshToken:this.connection.encryptedRefreshToken,scopes:[...this.connection.scopes],expiresAt:this.connection.expiresAt,metadata:this.connection.metadata?{...this.connection.metadata}:void 0};t&&(i.status="reconsent_required",i.encryptedAccessToken=void 0,i.encryptedRefreshToken=void 0,i.scopes=[],i.expiresAt=void 0),i.metadata=this.readStoredOAuthPersistence(this.connection.metadata?.connectedBySubjectId),this.connection=await R().upsertUpstreamConnection(i);let a=G();if(a){let s={event:"upstream_oauth_credentials_invalidated",upstreamServerId:this.target.upstreamServerId,authProfileId:this.target.authProfileId,connectionFingerprint:await this.connectionFingerprint(),connectionId:this.connection.id,clearedTokens:t,priorStatus:r,newStatus:this.connection.status,priorUpdatedAt:o,usedRefreshTokenFingerprint:this.usedRefreshTokenFingerprintValue};t?a.warn(s,"Upstream OAuth credentials invalidated; connection now requires reconsent"):a.debug(s,"Upstream OAuth credential metadata rewritten")}}readStoredOAuthPersistence(t){if(!(!this.encryptedClientInformation&&!t))return{encryptedClientInformation:this.encryptedClientInformation,connectedBySubjectId:t}}};var rl=3e4,nl=256*1024,ol=2,il="does not support dynamic client registration",al=["Resource server does not implement OAuth 2.0 Protected Resource Metadata","trying to load well-known OAuth protected resource metadata"],sl=["HTTP 403 Forbidden","Access Denied","permission to access"],cl=new Set(["access_denied","invalid_client","invalid_grant","invalid_request","invalid_scope","invalid_target","unauthorized_client","unsupported_grant_type"]);function dl(e){return e instanceof Error&&e.message.includes(il)}n(dl,"isDynamicClientRegistrationUnsupported");function ul(e){return e instanceof Error&&al.some(t=>e.message.includes(t))}n(ul,"isProtectedResourceMetadataUnavailable");function ll(e){return e instanceof Error&&sl.some(t=>e.message.includes(t))}n(ll,"isUpstreamProviderAccessDenied");function pl(e){return e instanceof k&&cl.has(e.errorCode)}n(pl,"isStoredConnectionReconsentError");function ml(e){if(e.error instanceof h&&e.error.extensionMembers?.[g]!==void 0)return e.error;if(dl(e.error))return new h({message:`The authorization server for ${e.upstreamServerId} does not advertise Client ID Metadata Document support and does not support Dynamic Client Registration. Register an OAuth client for the gateway manually before retrying.`,extensionMembers:{[g]:"upstream_client_registration_required"}},{cause:e.error});if(ul(e.error))return new h({message:`The upstream MCP server "${e.upstreamServerId}" does not publish OAuth protected resource metadata at "${e.resourceMetadataUrl}". Configure protectedResourceMetadataUrl to a working metadata document, use a provider-supported legacy client, or contact the provider to approve/allowlist this gateway OAuth client before retrying.`,extensionMembers:{[g]:"upstream_oauth_discovery_unavailable"}},{cause:e.error});if(ll(e.error))return new h({message:`The upstream provider denied access while connecting ${e.upstreamServerId}. Confirm the provider allows this gateway and its OAuth client, then retry.`,extensionMembers:{[g]:"upstream_provider_access_denied"}},{cause:e.error})}n(ml,"mapUpstreamOAuthSetupError");function fl(e){return typeof e=="string"||e instanceof URL?{url:new URL(e.toString())}:{method:e.method,url:new URL(e.url)}}n(fl,"readOAuthFetchRequest");function hl(e,t){return(e.headers.get("content-type")??"").includes("json")||t.trimStart().startsWith("{")||t.trimStart().startsWith("[")}n(hl,"responseLooksJson");function gl(e,t){let r=e.headers.get("content-type")??"",o=t.trimStart().toLowerCase();return r.includes("html")||o.startsWith("<!doctype html")||o.startsWith("<html")}n(gl,"responseLooksHtml");function yl(e){let t=e.response.statusText?` ${e.response.statusText}`:"",r=e.response.headers.get("content-type")??"text/html";throw new h({message:`The upstream provider returned ${e.response.status}${t} (${r}) from ${e.request.url.toString()} while connecting ${e.upstreamServerId}.`,extensionMembers:{[g]:e.response.status===403?"upstream_provider_access_denied":"upstream_token_exchange_failed",[_e]:e.response.status,[Je]:r,[we]:e.request.url.toString(),[Ge]:e.body}})}n(yl,"throwUpstreamHtmlError");function _l(e){try{let t=JSON.parse(e);if(typeof t!="object"||t===null)return{};let r=t;return{error:typeof r.error=="string"?r.error:void 0,errorDescription:typeof r.error_description=="string"?r.error_description:void 0}}catch{return{}}}n(_l,"readUpstreamOAuthErrorBody");function wl(e){let{error:t,errorDescription:r}=_l(e.body);e.log?.warn({event:"upstream_oauth_http_error",upstreamServerId:e.upstreamServerId,method:e.request.method??"GET",host:q(e.request.url),path:e.request.url.pathname,status:e.response.status,oauthError:t,oauthErrorDescription:r?.slice(0,256)},"Upstream OAuth HTTP request returned an error response")}n(wl,"logUpstreamOAuthHttpError");function Fi(e){return async(t,r)=>{let o=fl(t),i=G(),a=Date.now(),s=await mi(t,r,{maxRedirects:ol,maxResponseBytes:nl,problemCode:"upstream_token_exchange_failed",timeoutMs:rl}),c=await s.clone().text();if(i?.debug({event:"upstream_oauth_http_request",upstreamServerId:e,method:o.method??"GET",host:q(o.url),path:o.url.pathname,status:s.status,durationMs:Date.now()-a,responseChars:c.length},"Upstream OAuth HTTP request completed"),s.ok||wl({log:i,upstreamServerId:e,request:o,response:s,body:c}),!s.ok&&gl(s,c)&&yl({upstreamServerId:e,request:o,response:s,body:c}),!hl(s,c))return s;try{JSON.parse(c)}catch(u){throw new h({message:`Upstream OAuth fetch ${o.url.origin}${o.url.pathname} for ${e} returned invalid JSON.`,extensionMembers:{[g]:"upstream_token_exchange_failed"}},{cause:u})}return s}}n(Fi,"createUpstreamOAuthFetch");function $i(e){G()?.debug({event:e.phase==="authorize"?"upstream_oauth_authorize_started":"upstream_oauth_token_exchange_started",upstreamServerId:e.upstreamServerId,serverHost:q(e.serverUrl),resourceMetadataHost:q(e.resourceMetadataUrl),hasRequestedScope:e.requestedScope!==void 0},e.phase==="authorize"?"Upstream OAuth authorization flow started":"Upstream OAuth authorization-code exchange started")}n($i,"logUpstreamOAuthFlowStarted");function Zi(e){let t={event:"upstream_oauth_flow_failed",phase:e.phase,upstreamServerId:e.upstreamServerId},r=q(e.serverUrl);r!==void 0&&(t.serverHost=r);let o=e.error instanceof h?e.error.extensionMembers?.[g]:void 0;typeof o=="string"&&(t.code=o),J(t,"error",e.error),G()?.warn(t,"Upstream OAuth flow failed before a connection was established")}n(Zi,"logUpstreamOAuthFlowFailed");async function Ki(e,t){e.applyChallengeScope(t.requestedScope),$i({phase:"authorize",...t});try{let r={serverUrl:t.serverUrl,resourceMetadataUrl:new URL(t.resourceMetadataUrl),fetchFn:Fi(t.upstreamServerId)};return t.requestedScope!==void 0&&(r.scope=t.requestedScope),await Zr(e,r)}catch(r){Zi({phase:"authorize",upstreamServerId:t.upstreamServerId,serverUrl:t.serverUrl,error:r});let o=ml({upstreamServerId:t.upstreamServerId,resourceMetadataUrl:t.resourceMetadataUrl,error:r});throw o!==void 0?o:r}}n(Ki,"runUpstreamOAuth");async function bl(e,t){e.applyChallengeScope(t.requestedScope),$i({phase:"token_exchange",...t});let r={serverUrl:t.serverUrl,authorizationCode:t.authorizationCode,resourceMetadataUrl:new URL(t.resourceMetadataUrl),fetchFn:Fi(t.upstreamServerId)};t.requestedScope!==void 0&&(r.scope=t.requestedScope);try{return await Zr(e,r)}catch(o){throw Zi({phase:"token_exchange",upstreamServerId:t.upstreamServerId,serverUrl:t.serverUrl,error:o}),o}}n(bl,"exchangeUpstreamAuthorizationCode");async function Wi(e,t){let r=await Ki(e,t);if(r==="REDIRECT"&&e.authorizationUrl)return e.authorizationUrl;throw r==="AUTHORIZED"?new h({message:`OAuth connect flow reused existing credentials instead of producing a redirect for ${t.upstreamServerId}`,extensionMembers:{[g]:"upstream_token_exchange_failed"}}):new h({message:`Unexpected OAuth result for ${t.upstreamServerId}: ${r}`,extensionMembers:{[g]:"upstream_token_exchange_failed"}})}n(Wi,"requireUpstreamAuthorizationRedirect");async function Vi(e){let t=Pt(e.connection),r=!!e.forceRefresh,o=!r&&t==="usable",i=G(),a=i?await Xe({owner:e.target.owner,upstreamServerId:e.target.upstreamServerId,authProfileId:e.target.authProfileId}):void 0;if(i?.debug({event:"upstream_oauth_refresh_decision",upstreamServerId:e.target.upstreamServerId,authProfileId:e.target.authProfileId,ownerMode:e.target.owner.mode,connectionFingerprint:a,connectionId:e.connection?.id,accessTokenState:t,forceRefresh:r,willRefresh:!o,expiresAt:e.connection?.expiresAt,connectionUpdatedAt:e.connection?.updatedAt},o?"Reusing stored upstream access token":"Refreshing upstream credential"),o)return{kind:"authorized",credential:{type:"mcp_oauth_provider",provider:e.provider}};let s;try{s=await Ki(e.provider,{upstreamServerId:e.target.upstreamServerId,serverUrl:e.serverUrl,resourceMetadataUrl:e.resourceMetadataUrl,...e.requestedScope===void 0?{}:{requestedScope:e.requestedScope}})}catch(c){if(e.connection===void 0||!pl(c))throw c;return i?.warn({event:"upstream_oauth_connection_reconsent_required",upstreamServerId:e.target.upstreamServerId,authProfileId:e.target.authProfileId,oauthError:c.errorCode,connectionFingerprint:a,connectionId:e.connection.id,rejectedRefreshTokenFingerprint:e.provider.usedRefreshTokenFingerprint,connectionUpdatedAt:e.connection.updatedAt,connectionExpiresAt:e.connection.expiresAt},"Stored upstream OAuth connection was rejected by the upstream provider"),await e.provider.invalidateCredentials("all"),{kind:"connect_required",payload:await Gi({requestUrl:e.target.request.url,requestHeaders:e.target.request.headers,connection:e.connection,owner:e.target.owner,initiatedBySubjectId:e.target.initiatedBySubjectId,upstreamServerId:e.target.upstreamServerId,authProfileId:e.target.authProfileId,upstreamDisplayName:e.upstreamDisplayName,operationId:e.target.operationId,...e.target.returnTo===void 0?{}:{returnTo:e.target.returnTo}})}}if(s==="AUTHORIZED")return{kind:"authorized",credential:{type:"mcp_oauth_provider",provider:e.provider}};if(s!=="REDIRECT")throw new h({message:`Unexpected OAuth result for ${e.target.upstreamServerId}: ${s}`,extensionMembers:{[g]:"upstream_token_exchange_failed"}});if(!e.provider.authorizationUrl)throw new h({message:`OAuth connect-required flow did not produce a redirect for ${e.target.upstreamServerId}`,extensionMembers:{[g]:"upstream_token_exchange_failed"}});return{kind:"connect_required",payload:await Gi({requestUrl:e.target.request.url,requestHeaders:e.target.request.headers,connection:e.connection,owner:e.target.owner,initiatedBySubjectId:e.target.initiatedBySubjectId,upstreamServerId:e.target.upstreamServerId,authProfileId:e.target.authProfileId,upstreamDisplayName:e.upstreamDisplayName,operationId:e.target.operationId,...e.target.returnTo===void 0?{}:{returnTo:e.target.returnTo}})}}n(Vi,"authorizeUpstreamOAuthSession");async function Rl(e){let t=await lr(e.stateToken),r=await R().consumeUpstreamOAuthState({id:t.id,now:I(new Date)}),o=Il(r);return Cl({storedState:o,signedState:t,upstreamServerId:e.upstreamServerId,callbackPath:new URL(e.request.url).pathname}),Sl(o),o}n(Rl,"consumeStoredCallbackState");function Il(e){switch(e.kind){case"consumed":throw new h({message:"OAuth state has already been used",extensionMembers:{[g]:"oauth_state_reused"}});case"missing":throw new h({message:"OAuth state is missing or expired",extensionMembers:{[g]:"oauth_state_expired"}});case"available":return e.record}}n(Il,"readConsumedCallbackState");function Cl(e){if(![e.storedState.ownerMode===e.signedState.ownerMode,e.storedState.initiatedBySubjectId===e.signedState.initiatedBySubjectId,e.storedState.ownerSubjectId===e.signedState.ownerSubjectId,e.storedState.upstreamServerId===e.signedState.upstreamServerId,e.storedState.authProfileId===e.signedState.authProfileId,e.storedState.operationId===e.signedState.operationId,e.storedState.upstreamServerId===e.upstreamServerId,e.storedState.callbackPath===e.callbackPath].every(Boolean))throw new h({message:"OAuth callback did not match the initiating request",extensionMembers:{[g]:"oauth_callback_mismatch"}})}n(Cl,"assertStoredCallbackStateMatches");function Sl(e){if(new Date(e.expiresAt).getTime()<=Date.now())throw new h({message:"OAuth state has expired",extensionMembers:{[g]:"oauth_state_expired"}})}n(Sl,"assertStoredCallbackStateFresh");async function Gi(e){if(e.owner.mode==="shared"){let r={upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,upstreamDisplayName:e.upstreamDisplayName,operationId:e.operationId,requiresReconsent:!!e.connection};return e.connection!==void 0&&(r.connectionId=e.connection.id),qi(r)}let t={requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders},owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,upstreamDisplayName:e.upstreamDisplayName,operationId:e.operationId,subject:"tool",requiresReconsent:!!e.connection,...e.returnTo===void 0?{}:{returnTo:e.returnTo}};return e.connection!==void 0&&(t.connectionId=e.connection.id),pr(t)}n(Gi,"buildOAuthConnectRequiredResponse");async function Yi(e){let t=await Rl({request:e.request,upstreamServerId:e.upstreamServerId,stateToken:e.stateToken}),r=Zt(t),[o]=await R().batchGetUpstreamConnections([{owner:r,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId}]),i={target:{owner:r,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,operationId:t.operationId,...t.returnTo===void 0?{}:{returnTo:t.returnTo}},redirectUri:t.redirectUri,pendingState:t};o!==void 0&&(i.connection=o);let a=new De(i),s=await bl(a,{upstreamServerId:e.upstreamServerId,serverUrl:e.upstreamServerConfig.transport.baseUrl,authorizationCode:e.authorizationCode,resourceMetadataUrl:e.upstreamServerConfig.transport.resourceMetadataUrl});if(s==="AUTHORIZED")return t;throw s!=="REDIRECT"?new h({message:`Unexpected OAuth result for ${e.upstreamServerId}: ${s}`,extensionMembers:{[g]:"upstream_token_exchange_failed"}}):new h({message:`OAuth callback flow did not finish authorization for ${e.upstreamServerId}`,extensionMembers:{[g]:"upstream_token_exchange_failed"}})}n(Yi,"finishUpstreamOAuthCallback");Z();import{importPKCS8 as vl,SignJWT as Al}from"jose";var Qi=1e4,ea=64*1024,ta=2,kl=300,ne=d.string().min(1),xl=d.object({access_token:ne,issued_token_type:d.literal(Ur),token_type:d.string().optional(),expires_in:d.number().int().positive().optional(),scope:ne.optional()}).passthrough(),Tl=d.object({id_token:ne,token_type:ne.optional(),expires_in:d.number().int().positive().optional(),refresh_token:ne.optional(),scope:ne.optional()}).passthrough(),Ul=d.object({access_token:ne,token_type:ne,expires_in:d.number().int().positive().optional(),scope:ne.optional(),resource:ne.optional(),refresh_token:ne.optional()}).passthrough();function Xi(e){return encodeURIComponent(e).replace(/%20/g,"+")}n(Xi,"formEncodeClientCredential");function Pl(e){return e.replaceAll("\\n",`
|
|
26
|
-
`)}n(Pl,"normalizePem");async function El(e){let t=e.clientAuth.algorithm??"RS256",r=e.clientAuth.expiresInSeconds??kl,o=await vl(Pl(e.clientAuth.privateKeyPem),t),i={alg:t,typ:"JWT",...e.clientAuth.keyId===void 0?{}:{kid:e.clientAuth.keyId}};return new Al({jti:crypto.randomUUID()}).setProtectedHeader(i).setIssuer(e.clientAuth.clientId).setSubject(e.clientAuth.clientId).setAudience(e.clientAuth.audience??e.tokenUrl).setIssuedAt().setExpirationTime(`${r}s`).sign(o)}n(El,"createPrivateKeyJwtClientAssertion");async function Ol(e){switch(e.clientAuth.method){case"client_secret_post":e.form.set("client_id",e.clientAuth.clientId),e.form.set("client_secret",e.clientAuth.clientSecret);return;case"client_secret_basic":{let t=Xi(e.clientAuth.clientId),r=Xi(e.clientAuth.clientSecret);e.headers.authorization=`Basic ${btoa(`${t}:${r}`)}`;return}case"private_key_jwt":e.form.set("client_id",e.clientAuth.clientId),e.form.set("client_assertion_type",Wt),e.form.set("client_assertion",await El({clientAuth:e.clientAuth,tokenUrl:e.tokenUrl}));return}}n(Ol,"appendClientAuthentication");async function cn(e){let t={"Content-Type":"application/x-www-form-urlencoded"};return await Ol({form:e.form,headers:t,clientAuth:e.clientAuth,tokenUrl:e.tokenUrl}),{method:"POST",headers:t,body:e.form.toString()}}n(cn,"buildFormRequest");function ra(e){return(t,r)=>ur(t,r,{context:e,maxRedirects:ta,maxResponseBytes:ea,problemCode:"upstream_token_exchange_failed",timeoutMs:Qi})}n(ra,"defaultIdpFetchJson");function ql(e){return(t,r)=>fi(t,r,{context:e,maxRedirects:ta,maxResponseBytes:ea,problemCode:"upstream_token_exchange_failed",timeoutMs:Qi})}n(ql,"defaultResourceAsFetchJson");function fr(e){let t={[g]:e.code,[we]:e.tokenUrl};return e.response!==void 0&&(t[_e]=e.response.status),new h({message:e.message,extensionMembers:t},e.cause===void 0?void 0:{cause:e.cause})}n(fr,"runtimeError");function dn(e){if(!e.response.ok)throw fr({code:"upstream_token_exchange_failed",message:(()=>{switch(e.stage){case"idp_refresh_token":return"IdP refresh-token grant failed while renewing the upstream ID-JAG subject token.";case"idp_token_exchange":return"IdP token exchange failed while requesting an upstream ID-JAG.";case"resource_as_jwt_bearer":return"Upstream Resource AS rejected the ID-JAG JWT-bearer exchange."}})(),tokenUrl:e.tokenUrl,response:e.response})}n(dn,"assertTokenEndpointSucceeded");function Ml(e){let t=Tl.safeParse(e.json);if(!t.success)throw fr({code:"upstream_token_response_invalid",message:"IdP refresh-token grant returned an invalid subject-token response.",tokenUrl:e.tokenUrl,response:e.response,cause:t.error});let r={idToken:t.data.id_token};return t.data.expires_in!==void 0&&(r.expiresIn=t.data.expires_in),t.data.refresh_token!==void 0&&(r.refreshToken=t.data.refresh_token),t.data.scope!==void 0&&(r.scope=t.data.scope),r}n(Ml,"parseIdpRefreshTokenResponse");function Dl(e){let t=xl.safeParse(e.json);if(!t.success)throw fr({code:"upstream_token_response_invalid",message:"IdP token exchange returned an invalid ID-JAG response.",tokenUrl:e.tokenUrl,response:e.response,cause:t.error});let r={assertion:t.data.access_token};return t.data.expires_in!==void 0&&(r.expiresIn=t.data.expires_in),t.data.scope!==void 0&&(r.scope=t.data.scope),r}n(Dl,"parseIdJagTokenExchangeResponse");function jl(e){let t=Ul.safeParse(e.json);if(!t.success)throw fr({code:"upstream_token_response_invalid",message:"Upstream Resource AS returned an invalid JWT-bearer token response.",tokenUrl:e.tokenUrl,response:e.response,cause:t.error});let r={accessToken:t.data.access_token,tokenType:t.data.token_type};return t.data.expires_in!==void 0&&(r.expiresIn=t.data.expires_in),t.data.scope!==void 0&&(r.scope=t.data.scope),t.data.resource!==void 0&&(r.resource=t.data.resource),t.data.refresh_token!==void 0&&(r.refreshToken=t.data.refresh_token),r}n(jl,"parseAccessTokenResponse");async function na(e){let t=new URLSearchParams({grant_type:Kt,requested_token_type:Ur,subject_token:e.subjectToken,subject_token_type:e.subjectTokenType,audience:e.audience});e.resource!==void 0&&t.set("resource",e.resource),e.scope!==void 0&&t.set("scope",e.scope),e.authorizationDetails!==void 0&&t.set("authorization_details",JSON.stringify(e.authorizationDetails));let r=e.fetchJson??ra(e.context),{response:o,json:i}=await r(e.idp.tokenUrl,await cn({form:t,clientAuth:e.clientAuth,tokenUrl:e.idp.tokenUrl}));return dn({response:o,tokenUrl:e.idp.tokenUrl,stage:"idp_token_exchange"}),Dl({json:i,response:o,tokenUrl:e.idp.tokenUrl})}n(na,"requestIdJag");async function oa(e){let t=new URLSearchParams({grant_type:"refresh_token",refresh_token:e.refreshToken}),r=e.fetchJson??ra(e.context),{response:o,json:i}=await r(e.idp.tokenUrl,await cn({form:t,clientAuth:e.clientAuth,tokenUrl:e.idp.tokenUrl}));return dn({response:o,tokenUrl:e.idp.tokenUrl,stage:"idp_refresh_token"}),Ml({json:i,response:o,tokenUrl:e.idp.tokenUrl})}n(oa,"refreshIdpSubjectToken");async function ia(e){let t=new URLSearchParams({grant_type:Re,assertion:e.assertion});e.resource!==void 0&&t.set("resource",e.resource),e.scope!==void 0&&t.set("scope",e.scope);let r=e.fetchJson??ql(e.context),{response:o,json:i}=await r(e.resourceAs.tokenUrl,await cn({form:t,clientAuth:e.clientAuth,tokenUrl:e.resourceAs.tokenUrl}));return dn({response:o,tokenUrl:e.resourceAs.tokenUrl,stage:"resource_as_jwt_bearer"}),jl({json:i,response:o,tokenUrl:e.resourceAs.tokenUrl})}n(ia,"exchangeIdJagForAccessToken");function zl(e){return Pt(e)==="usable"}n(zl,"hasUsableAccessToken");function Hl(e){if(e.tokenType.toLowerCase()!=="bearer")throw new h({message:"Upstream Resource AS returned a token type the MCP gateway cannot send as a bearer token.",extensionMembers:{[g]:"upstream_token_response_invalid"}})}n(Hl,"assertBearerToken");function aa(e,t){if(t===Ze)return!1;let r=e?.metadata?.idpSubjectTokenExpiresAt;return r!==void 0&&new Date(r).getTime()<=Date.now()}n(aa,"hasExpiredSubjectToken");async function Bl(e){let t=await ke(e.encryptedSubjectToken);if(e.subjectTokenType!==Ze)return{connection:e.connection,subjectToken:t,subjectTokenType:e.subjectTokenType};let r=await oa({idp:e.idp,refreshToken:t,clientAuth:e.clientAuth,context:e.context});if(r.refreshToken===void 0)return{connection:e.connection,subjectToken:r.idToken,subjectTokenType:pt};let o=await R().upsertUpstreamConnection({id:e.connection.id,ownerMode:e.connection.ownerMode,subjectId:e.connection.subjectId,upstreamServerId:e.connection.upstreamServerId,authProfileId:e.connection.authProfileId,status:"active",encryptedAccessToken:e.connection.encryptedAccessToken,encryptedRefreshToken:e.connection.encryptedRefreshToken,scopes:e.connection.scopes,expiresAt:e.connection.expiresAt,metadata:{...e.connection.metadata??{},encryptedIdpSubjectToken:await me(r.refreshToken),idpSubjectTokenType:Ze,idpSubjectTokenExpiresAt:void 0}});return G()?.info({event:"upstream_id_jag_subject_token_rotated",upstreamServerId:e.connection.upstreamServerId,authProfileId:e.connection.authProfileId,connectionFingerprint:e.connectionFingerprint,connectionId:o.id,priorStatus:e.connection.status,priorUpdatedAt:e.connection.updatedAt,usedSubjectRefreshTokenFingerprint:await Ye(t),newSubjectRefreshTokenFingerprint:await Ye(r.refreshToken)},"Upstream ID-JAG IdP subject refresh token rotated and persisted"),{connection:o,subjectToken:r.idToken,subjectTokenType:pt}}n(Bl,"resolveIdJagSubjectToken");async function sa(e){let t="preloadedConnection"in e?e.preloadedConnection:(await R().batchGetUpstreamConnections([{owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId}]))[0],r=Pt(t),o=!!e.forceRefresh,i=!o&&r==="usable",a=G(),s=a?await Xe({owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId}):void 0;if(a?.debug({event:"upstream_id_jag_auth_decision",upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,ownerMode:e.owner.mode,connectionFingerprint:s,connectionId:t?.id,accessTokenState:r,forceRefresh:o,willMint:!i,expiresAt:t?.expiresAt,connectionUpdatedAt:t?.updatedAt},i?"Reusing stored upstream ID-JAG access token":"Minting upstream ID-JAG access token"),!e.forceRefresh&&zl(t))return{kind:"authorized",credential:{type:"bearer_token",token:await ke(t.encryptedAccessToken)}};let c=t?.metadata?.encryptedIdpSubjectToken,u=t?.metadata?.idpSubjectTokenType;if(t?.status!=="active"||c===void 0||u===void 0||aa(t,u))return a?.debug({event:"upstream_id_jag_connect_required",upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,connectionFingerprint:s,connectionId:t?.id,status:t?.status??"not_connected",hasSubjectToken:c!==void 0,subjectTokenType:u,subjectTokenExpired:u!==void 0&&aa(t,u)},"Upstream ID-JAG requires an admin subject-token binding"),{kind:"connect_required",payload:{state:"admin_connect_required",upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,operationId:e.operationId,message:`An IdP subject-token binding is required for ${e.upstreamDisplayName} before this tool can use XAA / ID-JAG.`,nextAction:"admin_setup_required"}};let l=Se(e.upstreamServerId),m=ui(e.upstreamServerId,e.authProfileId),w=m.resourceAs.resource??l.transport.baseUrl,P=e.requestedScope??(m.scopes.length===0?void 0:m.scopes.join(m.scopeDelimiter)),y=await Bl({connection:t,connectionFingerprint:s,encryptedSubjectToken:c,subjectTokenType:u,idp:{tokenUrl:m.idp.tokenUrl},clientAuth:m.idp.clientAuth,context:e.context}),E=await na({idp:{tokenUrl:m.idp.tokenUrl},subjectToken:y.subjectToken,subjectTokenType:y.subjectTokenType,audience:m.resourceAs.audience,resource:w,scope:P,clientAuth:m.idp.clientAuth,context:e.context}),x=E.scope??P,B=await ia({resourceAs:{tokenUrl:m.resourceAs.tokenUrl},assertion:E.assertion,resource:w,scope:x,clientAuth:m.resourceAs.clientAuth,context:e.context});if(Hl(B),t!==void 0){let X=(B.scope??x)?.split(/[,\s]+/).filter(Boolean)??[],O=B.expiresIn===void 0?void 0:I(new Date(Date.now()+B.expiresIn*1e3)),j=await R().upsertUpstreamConnection({id:y.connection.id,ownerMode:y.connection.ownerMode,subjectId:y.connection.subjectId,upstreamServerId:y.connection.upstreamServerId,authProfileId:y.connection.authProfileId,status:"active",encryptedAccessToken:await me(B.accessToken),encryptedRefreshToken:y.connection.encryptedRefreshToken,scopes:X,expiresAt:O,metadata:y.connection.metadata});a?.info({event:"upstream_id_jag_access_token_persisted",upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,connectionFingerprint:s,connectionId:j.id,priorStatus:y.connection.status,priorUpdatedAt:y.connection.updatedAt,scopeCount:X.length,expiresAt:O},"Upstream ID-JAG access token persisted; connection is active")}return{kind:"authorized",credential:{type:"bearer_token",token:B.accessToken}}}n(sa,"authorizeUpstreamIdJagRequest");function Ll(e){return mr(new URL(e.callbackPath,M(e.requestUrl,e.requestHeaders))).toString()}n(Ll,"buildGatewayOAuthRedirectUri");async function ca(e){let t=Se(e.upstreamServerId),r=We(e.upstreamServerId,e.authProfileId),o=Ll({callbackPath:r.redirectPath,requestUrl:e.request.url,requestHeaders:e.request.headers}),i="preloadedConnection"in e?e.preloadedConnection:(await R().batchGetUpstreamConnections([{owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId}]))[0];return{upstreamServerConfig:t,connection:i,providerInput:{target:{owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,operationId:e.operationId,returnTo:e.returnTo},redirectUri:o,returnOrigin:M(e.request.url,e.request.headers)}}}n(ca,"prepareUpstreamOAuthRequest");async function da(e){let t=await ca(e),r=new De({...t.providerInput,...t.connection?.metadata===void 0?{}:{connectionMetadata:t.connection.metadata}});return Wi(r,{upstreamServerId:e.upstreamServerId,serverUrl:t.upstreamServerConfig.transport.baseUrl,resourceMetadataUrl:t.upstreamServerConfig.transport.resourceMetadataUrl})}n(da,"startUpstreamConnect");async function ua(e){let t=await ca(e),r=new De({...t.providerInput,...t.connection===void 0?{}:{connection:t.connection}});return Vi({target:e,provider:r,connection:t.connection,forceRefresh:e.forceRefresh,requestedScope:e.requestedScope,upstreamDisplayName:t.upstreamServerConfig.displayName,serverUrl:t.upstreamServerConfig.transport.baseUrl,resourceMetadataUrl:t.upstreamServerConfig.transport.resourceMetadataUrl})}n(ua,"authorizeUpstreamRequest");async function et(e){let{routeAuth:t}=e;switch(t.authMode){case"shared-oauth":case"user-oauth":return ua({request:e.request,owner:t.owner,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,operationId:t.operationId,forceRefresh:e.forceRefresh,requestedScope:e.requestedScope,...e.preloadedConnection===void 0?{}:{preloadedConnection:e.preloadedConnection},returnTo:t.returnTo});case"id-jag":return sa({request:e.request,context:e.context,authMode:t.authMode,ownerMode:t.ownerMode,owner:t.owner,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,operationId:t.operationId,upstreamDisplayName:t.upstreamDisplayName,forceRefresh:e.forceRefresh,requestedScope:e.requestedScope,...e.preloadedConnection===void 0?{}:{preloadedConnection:e.preloadedConnection},returnTo:t.returnTo})}let r=t;throw new Q(`Unsupported upstream auth route context ${JSON.stringify(r)}.`)}n(et,"resolveUpstreamCredentialForRoute");async function la(e){if(e.connectRequest.authMode==="id-jag")throw new Q(`Upstream server ${e.connectRequest.upstreamServerId} uses XAA / ID-JAG and does not support browser OAuth connection flows.`);let t=await da({request:e.request,owner:e.connectRequest.owner,initiatedBySubjectId:e.connectRequest.initiatedBySubjectId,upstreamServerId:e.connectRequest.upstreamServerId,authProfileId:e.connectRequest.authProfileId,operationId:e.connectRequest.operationId,returnTo:e.connectRequest.returnTo});return{authProfileId:e.connectRequest.authProfileId,authUrl:t,initiatedBySubjectId:e.connectRequest.initiatedBySubjectId,owner:e.connectRequest.owner,upstreamDisplayName:e.connectRequest.upstreamDisplayName,operationId:e.connectRequest.operationId}}n(la,"startUpstreamConnectForRequest");async function pa(e){let r=(await lr(e.callbackRequest.state)).authProfileId;if(cr({upstreamServerId:e.callbackRequest.upstreamServerId,authProfileId:r}).mode==="id-jag")throw new Q(`Upstream server ${e.callbackRequest.upstreamServerId} uses XAA / ID-JAG and does not support OAuth callbacks.`);return Yi({request:e.request,upstreamServerId:e.callbackRequest.upstreamServerId,authorizationCode:e.callbackRequest.code,stateToken:e.callbackRequest.state,upstreamServerConfig:Se(e.callbackRequest.upstreamServerId)})}n(pa,"finishUpstreamCallbackForRequest");function Nl(e){return{upstreamServerId:e.connection.upstreamServerId,operationId:e.operationId,authProfileId:e.connection.authProfileId,upstreamDisplayName:e.connection.displayName,authMode:e.connection.authMode,ownerMode:e.connection.ownerMode}}n(Nl,"buildRouteAuthBaseFromConnection");function ma(e){return{upstreamServerId:e.connection.id,operationId:e.operationId,authProfileId:go(e.connection.id,e.connection.authMode),upstreamDisplayName:e.connection.displayName,authMode:e.connection.authMode,ownerMode:e.connection.ownerMode}}n(ma,"buildRouteAuthBaseFromPolicyOptions");function hr(e,t){let o=ee().byOperationId.get(t);if(!o)throw new A(`Unknown MCP route "${t}". Ensure routes.oas.json declares this operationId before starting an upstream connection flow.`);if(o.connection===void 0)throw new A(`MCP route "${t}" does not declare an MCP token exchange policy. Add one before starting an upstream connection flow.`);if(o.connection.upstreamServerId!==e)throw new A(`MCP route "${t}" does not bind upstream "${e}". Check the route's MCP upstream policies and bind the upstream before starting an upstream connection flow.`);return Nl({connection:o.connection,operationId:t})}n(hr,"resolveRouteAuthBase");function un(e,t){switch(e){case"user":return Fe(t);case"shared":return fo()}}n(un,"buildOwnerForSubject");function tt(e,t){switch(e.authMode){case"shared-oauth":return{...e,authMode:"shared-oauth",ownerMode:"shared",owner:un("shared",t),initiatedBySubjectId:t};case"user-oauth":return{...e,authMode:"user-oauth",ownerMode:"user",owner:un("user",t),initiatedBySubjectId:t};case"id-jag":return{...e,authMode:"id-jag",ownerMode:"user",owner:un("user",t),initiatedBySubjectId:t}}}n(tt,"resolveRouteAuthForSubject");var Jl=dt.InvalidRequest,Gl=new Set(["connection","keep-alive","proxy-authenticate","te","trailer","transfer-encoding","upgrade"]);function Fl(e,t){return{credentialType:e.type,forceRefresh:t}}n(Fl,"buildCredentialResolvedAttributes");function $l(e){switch(e){case"admin_connect_required":return"admin_connect_required";case"authenticating":return"connect_required"}}n($l,"connectRequiredReasonCode");function fa(e){v(e.context,{eventType:C.MCP_AUTH_UPSTREAM_CREDENTIAL_RESOLVED,outcome:"success",routeBinding:e.routeBinding,attributes:Fl(e.credential,e.forceRefresh===!0)})}n(fa,"emitCredentialResolvedAnalyticsEvent");function ha(e){let t={forceRefresh:e.forceRefresh===!0,nextAction:e.payload.nextAction,state:e.payload.state};if(v(e.context,{eventType:C.MCP_AUTH_UPSTREAM_CREDENTIAL_MISSING,outcome:"connect_required",routeBinding:e.routeBinding,reasonCode:"connect_required",reasonClass:"auth",attributes:t}),e.payload.state==="reconsent_required"){v(e.context,{eventType:C.MCP_AUTH_UPSTREAM_RECONSENT_REQUIRED,outcome:"connect_required",routeBinding:e.routeBinding,reasonCode:"reconsent_required",reasonClass:"auth",attributes:t});return}v(e.context,{eventType:C.MCP_AUTH_UPSTREAM_CONNECT_REQUIRED,outcome:"connect_required",routeBinding:e.routeBinding,reasonCode:$l(e.payload.state),reasonClass:"auth",attributes:t})}n(ha,"emitCredentialMissingAnalyticsEvents");function Zl(e){let t=e.route.raw();return Gt.parse(t?.operationId)}n(Zl,"readOperationId");async function Kl(e,t,r,o){let i=await et({request:e,context:o,routeAuth:t});if(i.kind==="connect_required")return ha({context:o,payload:i.payload,routeBinding:t}),o.log.info({event:"mcp_upstream_connect_required",upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId},"MCP upstream proxy: upstream connection required"),{kind:"connect_required",payload:i.payload};let a=i.credential;if(fa({context:o,credential:a,routeBinding:t}),a.type==="bearer_token")return{kind:"headers",headers:[["authorization",`Bearer ${a.token}`]]};let s=await a.provider.tokens();return s?{kind:"headers",headers:[["authorization",`${s.token_type??"Bearer"} ${s.access_token}`]]}:(o.log.warn({event:"mcp_upstream_no_tokens",upstreamServerId:t.upstreamServerId},"MCP upstream proxy: OAuth provider returned no tokens"),Response.json({error:"no_upstream_tokens"},{status:401}))}n(Kl,"buildCredentialHeaders");var Wl=new Set(["authorization","cookie","cookie2"]);function Vl(e){if(e!==void 0)try{let t=JSON.parse(new TextDecoder().decode(e));return t&&typeof t=="object"&&!Array.isArray(t)&&"method"in t&&typeof t.method=="string"?t.method:void 0}catch{return}}n(Vl,"readJsonRequestMethod");function Yl(e){let t=e.headers.get("content-type")??"";return/\bapplication\/(?:[\w.+-]+\+)?json\b/i.test(t)}n(Yl,"isJsonResponse");function ln(e){return e!==null&&typeof e=="object"&&!Array.isArray(e)}n(ln,"isRecord");function Xl(e){return Array.isArray(e)&&e.length>0}n(Xl,"hasIconList");function Ql(e){if(e.connection.serverInfo?.icons!==void 0&&e.connection.serverInfo.icons.length>0)return e.connection.serverInfo.icons;try{let t=sr(ao(e.context.route.handler));return t===void 0?void 0:[t]}catch{return}}n(Ql,"readFallbackServerIcons");function ep(e){if(!ln(e.body))return e.body;let t=e.body.result;if(!ln(t))return e.body;let r=t.serverInfo;return!ln(r)||Xl(r.icons)?e.body:{...e.body,result:{...t,serverInfo:{...r,icons:e.icons}}}}n(ep,"addMissingServerIcons");function tp(e,t){let r=new Headers(e.headers);for(let o of Wl)r.delete(o);for(let[o,i]of t)r.set(o,i);return new Gn(e,{headers:r})}n(tp,"applyUpstreamHeaders");function rp(e){let t=new Headers(e.headers);for(let r of Gl)t.delete(r);return t}n(rp,"buildProxyHeaders");async function np(e){if(!(e.method==="GET"||e.method==="HEAD"))return e.clone().arrayBuffer()}n(np,"readRetryBody");function ga(e,t){let r=t.authUrl===void 0?void 0:Go({message:t.message,elicitationId:["connect",t.operationId,t.upstreamServerId,t.authProfileId].join(":"),url:t.authUrl});return Response.json(er({id:Jo(e),error:{code:r?.code??Jl,message:t.message,data:{...r?.data??{},connectRequired:t}}}))}n(ga,"connectRequiredJsonRpcResponse");async function op(e){let{scope:t}=ii(e.upstreamResponse),r=await et({request:e.request,context:e.context,routeAuth:e.routeAuth,forceRefresh:!0,requestedScope:t});if(r.kind==="connect_required")return ha({context:e.context,payload:r.payload,routeBinding:e.routeAuth,forceRefresh:!0}),{kind:"connect_required",payload:r.payload};let o=new Headers(e.headers),i=r.credential;if(fa({context:e.context,credential:i,routeBinding:e.routeAuth,forceRefresh:!0}),i.type==="bearer_token")return o.set("authorization",`Bearer ${i.token}`),{kind:"headers",headers:o};let a=await i.provider.tokens();return a?(o.set("authorization",`${a.token_type??"Bearer"} ${a.access_token}`),{kind:"headers",headers:o}):(e.context.log.warn({event:"mcp_upstream_no_tokens_after_refresh",upstreamServerId:e.routeAuth.upstreamServerId},"MCP upstream proxy: OAuth provider returned no tokens after refresh"),{kind:"response",response:Response.json({error:"no_upstream_tokens"},{status:401})})}n(op,"applyRefreshedCredentialHeaders");function ip(e){e.context.addResponseSendingHook(async(t,r)=>{if(t.status!==401)return t;let o=await op({request:e.request,context:e.context,headers:rp(r),routeAuth:e.routeAuth,upstreamResponse:t});if(o.kind==="connect_required")return ga(e.requestBody,o.payload);if(o.kind==="response")return o.response;let i=so({handler:e.context.route.handler,request:r,body:e.requestBody,headers:o.headers});return Ht.fetch(i.url,i.init)})}n(ip,"installUpstreamAuthRetryHook");function ap(e){if(Vl(e.requestBody)!=="initialize")return;let t=Ql({connection:e.connection,context:e.context});t===void 0||t.length===0||e.context.addResponseSendingHook(async r=>{if(!Yl(r))return r;let o;try{o=await r.clone().json()}catch{return r}let i=ep({body:o,icons:t});if(i===o)return r;let a=new Headers(r.headers);return a.delete("content-length"),new Response(JSON.stringify(i),{status:r.status,statusText:r.statusText,headers:a})})}n(ap,"installInitializeIconHook");async function pn(e,t,r){let o=Zl(t),i=await np(e),a=ma({connection:r,operationId:o}),s=Pe(e.user,e.url,e.headers);t.log.setLogProperties?.({requestId:t.requestId}),Io(t,s);let c=tt(a,s.subjectId),u=await Kl(e,c,r,t);if(!(u instanceof Response)&&u.kind==="connect_required")return ga(i,u.payload);if(u instanceof Response)return u;let l=tp(e,u.headers);return ip({request:l,context:t,requestBody:i,routeAuth:c}),ap({context:t,requestBody:i,connection:r}),l}n(pn,"mcpTokenExchangePolicy");var mn=class extends Bt{static{n(this,"McpTokenExchangeInboundPolicy")}static policyType="mcp-token-exchange";constructor(t,r){let o=yo(t,r);super(o,r)}async handler(t,r){return pn(t,r,this.options)}};Z();var ya=Symbol("Html");function sp(e){return e.replaceAll("&","&").replaceAll("<","<").replaceAll(">",">").replaceAll('"',""").replaceAll("'","'")}n(sp,"escapeHtml");function cp(e){return e===null||typeof e!="object"?!1:e[ya]===!0}n(cp,"isHtml");function _a(e){return e==null||e===!1?"":Array.isArray(e)?e.map(_a).join(""):cp(e)?e.value:sp(String(e))}n(_a,"renderValue");function fe(e){return{[ya]:!0,value:e}}n(fe,"trustedHtml");var te=fe("");function S(e,...t){let r=e[0]??"";for(let o=0;o<t.length;o+=1)r+=_a(t[o]),r+=e[o+1]??"";return fe(r)}n(S,"html");function rt(e){return e.value}n(rt,"renderHtml");function wa(e){return S`<p class="card__description">${e.detail}</p>${e.guidance} ${e.technicalDetails} ${e.action}`}n(wa,"renderBrowserErrorPage");var nt=fe('*,:before,:after{box-sizing:border-box}:root{--bg:#f5f6f8;--surface:#fff;--surface-2:#f8fafc;--border:#e5e7eb;--border-strong:#d1d5db;--text:#0f172a;--text-2:#475569;--text-3:#64748b;--text-muted:#94a3b8;--accent:#0f172a;--accent-hover:#1e293b;--accent-text:#fff;--focus-ring:#0f172a29;--danger:#b91c1c;--danger-bg:#b91c1c0f;--danger-border:#b91c1c38;--warning:#92400e;--warning-bg:#fffbeb;--warning-border:#fde68a;--success:#15803d;--success-bg:#f0fdf4;--success-border:#bbf7d0;--radius-sm:4px;--radius:8px;--radius-lg:12px;--radius-pill:9999px;--shadow-sm:0 1px 2px #0f172a0d;--shadow:0 1px 2px #0f172a0a,0 6px 16px #0f172a0f;--font-sans:-apple-system,BlinkMacSystemFont,"Segoe UI",Inter,system-ui,sans-serif;--font-mono:ui-monospace,SFMono-Regular,"SF Mono",Menlo,Monaco,Consolas,monospace}@media (prefers-color-scheme:dark){:root{--bg:#0a0c10;--surface:#15171c;--surface-2:#1e2128;--border:#262932;--border-strong:#3a3e48;--text:#fafafa;--text-2:#cbd5e1;--text-3:#94a3b8;--text-muted:#71717a;--accent:#fafafa;--accent-hover:#e4e4e7;--accent-text:#0a0c10;--focus-ring:#fafafa2e;--danger:#f87171;--danger-bg:#f8717114;--danger-border:#f871714d;--warning:#fbbf24;--warning-bg:#fbbf2414;--warning-border:#fbbf2447;--success:#34d399;--success-bg:#34d39914;--success-border:#34d3994d;--shadow-sm:0 1px 2px #0006;--shadow:0 1px 2px #0006,0 8px 24px #0006}}html,body{margin:0;padding:0}body{font-family:var(--font-sans);background:var(--bg);color:var(--text);-webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale;flex-direction:column;justify-content:center;align-items:center;min-height:100dvh;padding:48px 20px;font-size:14px;line-height:1.5;display:flex}.card{background:var(--surface);border:1px solid var(--border);border-radius:var(--radius-lg);width:100%;max-width:480px;box-shadow:var(--shadow);overflow:hidden}.card__head{text-align:center;padding:32px 32px 24px}.card__icon{border-radius:var(--radius);background:var(--surface-2);object-fit:contain;border:1px solid var(--border);width:48px;height:48px;margin:0 auto 16px;display:block}.card__title{letter-spacing:-.01em;color:var(--text);margin:0;font-size:20px;font-weight:600;line-height:1.3}.card__subtitle{color:var(--text-2);margin:8px 0 0;font-size:14px;line-height:1.55}.card__subtitle strong{color:var(--text);font-weight:600}.card__description{color:var(--text-3);margin:12px 0 0;font-size:13px;line-height:1.55}.card__principal{color:var(--text-3);background:var(--surface-2);border-radius:var(--radius-pill);text-overflow:ellipsis;white-space:nowrap;align-items:center;gap:6px;max-width:100%;margin:16px 0 0;padding:4px 12px;font-size:12.5px;display:inline-flex;overflow:hidden}.card__body{flex-direction:column;gap:20px;padding:8px 32px 24px;display:flex}.card__head+.card__body{border-top:1px solid var(--border);padding-top:24px}.card__footer{border-top:1px solid var(--border);background:var(--surface-2);flex-wrap:wrap;justify-content:flex-end;align-items:center;gap:8px;padding:16px 24px;display:flex}.card__fineprint{color:var(--text-3);text-align:center;margin:0;font-size:12.5px;line-height:1.5}.card__fineprint strong{color:var(--text-2);font-weight:600}.section-label{text-transform:uppercase;letter-spacing:.07em;color:var(--text-3);align-items:baseline;gap:6px;margin:0;font-size:11px;font-weight:600;display:flex}.section-label__count{color:var(--text-3);letter-spacing:0;font-weight:500}.banner{border-radius:var(--radius);border:1px solid;align-items:flex-start;gap:10px;padding:12px 14px;font-size:13px;display:flex}.banner__icon{flex-shrink:0;justify-content:center;align-items:center;width:16px;height:16px;margin-top:1px;display:inline-flex}.banner__body{flex-direction:column;flex:1;gap:2px;min-width:0;display:flex}.banner__title{color:var(--text);margin:0;font-size:13px;font-weight:600}.banner__message{color:var(--text-2);margin:0;font-size:13px;line-height:1.5}.banner--warning{background:var(--warning-bg);border-color:var(--warning-border)}.banner--warning .banner__icon{color:var(--warning)}.banner--alert{background:var(--danger-bg);border-color:var(--danger-border)}.banner--alert .banner__icon,.banner--alert .banner__title{color:var(--danger)}.upstream-list{flex-direction:column;gap:8px;margin:0;padding:0;list-style:none;display:flex}.upstream-card{background:var(--surface);border:1px solid var(--border);border-radius:var(--radius);flex-direction:column;gap:10px;padding:14px;display:flex}.upstream-card--needs-action{border-color:var(--warning-border);background:var(--warning-bg)}.upstream-card__head{align-items:flex-start;gap:10px;display:flex}.icon-frame{border-radius:var(--radius-sm);border:1px solid var(--border);background:var(--surface-2);width:32px;height:32px;color:var(--text-3);flex-shrink:0;justify-content:center;align-items:center;display:inline-flex;overflow:hidden}.icon-frame img{object-fit:contain;max-width:100%;max-height:100%}.icon-frame--fallback svg{width:18px;height:18px}.inline-icon{object-fit:contain;vertical-align:-2px;border-radius:2px;width:14px;height:14px;margin-right:4px}.upstream-card__main{flex-direction:column;flex:1;gap:3px;min-width:0;display:flex}.upstream-card__title-row{justify-content:space-between;align-items:center;gap:10px;min-width:0;display:flex}.upstream-card__title{color:var(--text);letter-spacing:-.005em;text-overflow:ellipsis;white-space:nowrap;flex:1;min-width:0;margin:0;font-size:14px;font-weight:600;line-height:1.3;overflow:hidden}.upstream-card__meta{color:var(--text-3);flex-wrap:wrap;align-items:center;gap:6px;font-size:12px;display:flex}.upstream-card__host{font-family:var(--font-mono);background:var(--surface-2);color:var(--text-2);border-radius:var(--radius-sm);padding:1px 6px;font-size:11.5px}.upstream-card__sep{color:var(--border-strong)}.upstream-card__description{color:var(--text-2);margin:4px 0 0;font-size:12.5px;line-height:1.5}.status-badge{border-radius:var(--radius-pill);white-space:nowrap;border:1px solid #0000;flex-shrink:0;align-items:center;gap:6px;padding:2px 8px;font-size:11.5px;font-weight:600;display:inline-flex}.status-badge:before{content:"";background:currentColor;border-radius:50%;flex-shrink:0;width:5px;height:5px}.status-badge--success{background:var(--success-bg);color:var(--success);border-color:var(--success-border)}.status-badge--warning{background:var(--warning-bg);color:var(--warning);border-color:var(--warning-border)}.status-badge--neutral{background:var(--surface-2);color:var(--text-2);border-color:var(--border)}.upstream-card__capabilities,.upstream-card__scopes{border-top:1px solid var(--border);margin-top:2px;padding-top:10px}.upstream-card__capabilities--empty{color:var(--text-3);font-size:12px;font-style:italic}.capabilities-summary,.scopes-summary{cursor:pointer;user-select:none;color:var(--text-2);justify-content:space-between;align-items:center;gap:12px;padding:2px 0;font-size:12.5px;list-style:none;display:flex}.capabilities-summary::-webkit-details-marker,.scopes-summary::-webkit-details-marker{display:none}.capabilities-summary:hover,.scopes-summary:hover{color:var(--text)}.capabilities-summary:focus-visible,.scopes-summary:focus-visible{outline:2px solid var(--accent);outline-offset:2px;border-radius:var(--radius-sm)}.capabilities-summary__counts{flex-wrap:wrap;align-items:center;gap:12px;display:flex}.count-pill{color:var(--text-2);align-items:baseline;gap:4px;font-size:12.5px;display:inline-flex}.count-pill__num{font-variant-numeric:tabular-nums;color:var(--text);font-size:13px;font-weight:600}.count-pill--destructive .count-pill__num,.count-pill--destructive .count-pill__label{color:var(--danger)}.capabilities-summary__chevron{color:var(--text-3);flex-shrink:0;transition:transform .15s;display:inline-flex}details[open]>.capabilities-summary .capabilities-summary__chevron,details[open]>.scopes-summary .capabilities-summary__chevron{transform:rotate(180deg)}.capabilities-detail{margin-top:10px}.capability-section{margin-top:14px}.capability-section:first-child{margin-top:6px}.capability-section__title{text-transform:uppercase;letter-spacing:.07em;color:var(--text-3);margin:0 0 6px;font-size:11px;font-weight:600}.capability-list{flex-direction:column;gap:5px;margin:0;padding:0;font-size:12.5px;list-style:none;display:flex}.capability-row{flex-wrap:wrap;align-items:baseline;gap:6px;padding:2px 0;display:flex}.capability-row__name{font-weight:500;font-family:var(--font-mono);color:var(--text);font-size:12.5px}.capability-row__description{color:var(--text-3);flex-basis:100%;font-size:12px;line-height:1.45}.capability-row__description code{font-family:var(--font-mono);background:var(--surface-2);border-radius:var(--radius-sm);color:var(--text-2);padding:1px 4px}.capability-row--more{color:var(--text-3);font-size:12px;font-style:italic}.scopes-list{flex-wrap:wrap;gap:4px;margin-top:8px;display:flex}.scope-chip{font-family:var(--font-mono);background:var(--surface-2);color:var(--text-2);border-radius:var(--radius-sm);border:1px solid var(--border);padding:2px 7px;font-size:11.5px}.badge{border-radius:var(--radius-sm);letter-spacing:.04em;text-transform:uppercase;align-items:center;padding:1px 5px;font-size:10px;font-weight:600;display:inline-flex}.badge--destructive{background:var(--danger-bg);color:var(--danger)}.badge--muted{background:var(--surface-2);color:var(--text-3)}.badge-row{flex-wrap:wrap;gap:4px;display:inline-flex}.muted{color:var(--text-3)}.button{font:inherit;border-radius:var(--radius);cursor:pointer;white-space:nowrap;border:1px solid #0000;justify-content:center;align-items:center;gap:6px;min-height:40px;padding:8px 16px;font-size:14px;font-weight:500;text-decoration:none;transition:background .12s,border-color .12s,color .12s,box-shadow .12s,transform 40ms;display:inline-flex}.button:active{transform:translateY(1px)}.button:focus-visible{box-shadow:0 0 0 3px var(--focus-ring);outline:0}.button--small{padding:5px 10px;font-size:12.5px}.button--primary{background:var(--accent);color:var(--accent-text);border-color:var(--accent)}.button--primary:hover:not(:disabled):not([aria-disabled=true]){background:var(--accent-hover);border-color:var(--accent-hover)}.button:disabled,.button[aria-disabled=true]{cursor:not-allowed;opacity:.55}.button:disabled:hover,.button[aria-disabled=true]:hover{background:var(--accent);border-color:var(--accent)}.button--secondary{background:var(--surface);color:var(--text);border-color:var(--border-strong)}.button--secondary:hover{background:var(--surface-2);border-color:var(--border-strong)}.button--block{width:100%}.reconnect-action{align-items:center;margin-right:auto;display:inline-flex;position:relative}.reconnect-button{gap:7px}.tooltip{width:16px;height:16px;color:var(--accent);background:color-mix(in srgb,var(--accent)8%,transparent);cursor:help;border:1.5px solid;border-radius:50%;justify-content:center;align-items:center;font-size:10.5px;font-weight:700;line-height:1;display:inline-flex;position:relative}.tooltip:after{content:attr(aria-label);z-index:10;border-radius:var(--radius-sm);background:var(--accent);width:280px;max-width:min(280px,100vw - 48px);color:var(--accent-text);box-shadow:var(--shadow);text-align:left;white-space:normal;opacity:0;pointer-events:none;padding:12px 14px;font-size:13px;font-weight:600;line-height:1.45;transition:opacity .12s;position:absolute;bottom:calc(100% + 12px);left:50%;transform:translate(-50%)}.tooltip:before{content:"";z-index:11;border-left:7px solid #0000;border-right:7px solid #0000;border-top:8px solid var(--accent);opacity:0;pointer-events:none;transition:opacity .12s;position:absolute;bottom:calc(100% + 5px);left:50%;transform:translate(-50%)}.tooltip:hover:after,.tooltip:hover:before,.tooltip:focus-visible:after,.tooltip:focus-visible:before{opacity:1}.form{flex-direction:column;gap:6px;display:flex}.form__label{color:var(--text);margin:8px 0 0;font-size:13px;font-weight:600;display:block}.form__label:first-child{margin-top:0}.form__input{box-sizing:border-box;border:1px solid var(--border-strong);border-radius:var(--radius);width:100%;font:inherit;background:var(--surface);color:var(--text);padding:9px 12px;font-size:14px;transition:border-color .12s,box-shadow .12s}.form__input:focus{border-color:var(--accent);box-shadow:0 0 0 3px var(--focus-ring);outline:0}.form__note{color:var(--text-3);margin:4px 0 0;font-size:12.5px;line-height:1.5}.form__submit{margin-top:8px}.empty{text-align:center;color:var(--text-3);border:1px dashed var(--border);border-radius:var(--radius);background:var(--surface);padding:24px 16px;font-size:13px}.actions{gap:8px;margin:0;display:flex}@media (width<=480px){body{padding:0}.card{box-shadow:none;border-left:0;border-right:0;border-radius:0;min-height:100dvh}.card__head{padding:24px 20px 16px}.card__body{padding:16px 20px}.card__footer{flex-direction:column-reverse;align-items:stretch;padding:14px 20px}.card__footer .button{width:100%}.reconnect-action{justify-content:center;width:100%;margin-right:0}.reconnect-action .button{flex:1}.tooltip:after{left:auto;right:0;transform:none}}@media (prefers-reduced-motion:reduce){*{transition:none!important}}');function ot(e){return S`<!doctype html><html lang="en"><head><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1" /><meta name="referrer" content="no-referrer" /><meta name="robots" content="noindex" /><title>${e.title}</title><link rel="icon" href="${e.iconHref}" /><style>
|
|
25
|
+
import{$ as d,$b as Pc,$c as qr,Ab as K,Ac as wo,Ad as v,Bb as eo,Bc as ee,Bd as F,Cb as to,Cc as L,Cd as le,Db as M,Dc as bo,Dd as T,Eb as ro,Ec as Ro,Ed as Qt,Fb as Le,Fc as I,Fd as Dc,Gb as no,Gc as de,Gd as jc,Hb as Ne,Hc as $e,Ib as g,Ic as G,Jb as Je,Jc as q,Kb as Ge,Kc as Io,Lb as _e,Lc as N,Mb as we,Mc as Co,Nb as Nt,Nc as Re,Ob as oo,Oc as Tr,P as $n,Pb as re,Pc as Kt,Q as p,Qb as io,Qc as Ur,R as Zn,Rb as ce,Rc as Wt,S as Ar,Sb as b,Sc as pt,T as se,Tb as Jt,Tc as Ze,U as Kn,Ub as J,Uc as So,V as _,Vb as be,Vc as ue,W as ye,Wb as Ac,Wc as Pr,X as Lt,Xb as kc,Xc as Er,Y as Wn,Yb as xc,Yc as vo,Z as Vn,Zb as Tc,Zc as Vt,_ as Yn,_b as Uc,_c as Or,aa as Z,ac as Ec,ad as Ao,bc as Oc,bd as D,cc as qc,cd as ko,dc as Mc,dd as xo,ec as ao,ed as Mr,fc as so,fd as To,ga as Xn,gc as co,gd as Uo,hc as Gt,hd as Dr,i as ae,ic as kr,id as Po,jc as Ft,jd as Pe,kc as $t,kd as Eo,lc as dt,ld as mt,mc as uo,md as Oo,nc as lo,nd as Yt,oc as po,od as ft,pc as ut,pd as qo,qc as mo,qd as Mo,r as Ue,rc as Fe,rd as Do,s as Jn,sc as fo,sd as jo,tc as xr,td as zo,u as Gn,uc as ho,ud as Ho,vc as lt,vd as Bo,wc as Zt,wd as Xt,xc as go,xd as Lo,y as Fn,yc as yo,yd as No,z as Bt,zb as Qn,zc as _o,zd as R}from"../chunk-FAOWNDMK.js";import"../chunk-4MNJC7E2.js";import{a as C}from"../chunk-4QJJMELB.js";import{$ as Q,a as n,aa as h,ba as A,ca as Nn,da as Ht}from"../chunk-DSZS6PZJ.js";Z();function zc(e){let t=$t.safeParse(e);return t.success?t.data.id:void 0}n(zc,"parseJsonRpcRequestId");function Jo(e){if(e!==void 0)try{let t=JSON.parse(new TextDecoder().decode(e));return zc(t)}catch{return}}n(Jo,"readJsonRpcRequestIdFromBody");function er(e){return uo.parse({jsonrpc:Ft,...e.id===void 0?{}:{id:e.id},error:{code:e.error.code,message:e.error.message,...e.error.data===void 0?{}:{data:e.error.data}}})}n(er,"jsonRpcErrorResponse");function Go(e){return new po([lo.parse({mode:"url",message:e.message,elicitationId:e.elicitationId,url:e.url})],e.message)}n(Go,"urlElicitationRequiredError");var rr=d.record(d.string(),d.unknown()),Hc=d.record(d.string(),d.unknown()),Ie=d.array(d.string().min(1)).min(1).optional(),Bc=d.object({name:d.string().min(1),description:d.string().min(1).optional(),annotations:Hc.optional(),_meta:rr.optional(),roles:Ie,groups:Ie,public:d.boolean().optional()}).strict(),Lc=d.object({name:d.string().min(1),description:d.string().min(1).optional(),_meta:rr.optional(),roles:Ie,groups:Ie,public:d.boolean().optional()}).strict(),Nc=d.object({uri:d.string().min(1),name:d.string().min(1).optional(),description:d.string().min(1).optional(),mimeType:d.string().min(1).optional(),_meta:rr.optional(),roles:Ie,groups:Ie,public:d.boolean().optional()}).strict(),Jc=d.object({uriTemplate:d.string().min(1),name:d.string().min(1).optional(),description:d.string().min(1).optional(),mimeType:d.string().min(1).optional(),_meta:rr.optional(),roles:Ie,groups:Ie,public:d.boolean().optional()}).strict(),Gc=d.array(d.union([d.string(),Bc])),Fc=d.array(d.union([d.string(),Lc])),$c=d.array(d.union([d.string(),Nc])),Zc=d.array(d.union([d.string(),Jc])),Kc=d.object({module:d.unknown(),export:d.string().min(1)}).strict(),Wc=d.object({mode:d.enum(["allPublic","rolesAndGroups","function"]).optional(),roleClaim:d.string().min(1).optional(),groupClaim:d.string().min(1).optional(),identifier:Kc.optional()}).strict(),Vc=d.object({tools:Gc.optional(),prompts:Fc.optional(),resources:$c.optional(),resourceTemplates:Zc.optional(),accessControl:Wc.optional()}).strict(),Ce=[{option:"tools",listMethod:"tools/list",resultProperty:"tools",itemProperty:"name",directMethods:[{method:"tools/call",paramProperty:"name"}]},{option:"prompts",listMethod:"prompts/list",resultProperty:"prompts",itemProperty:"name",directMethods:[{method:"prompts/get",paramProperty:"name"}]},{option:"resources",listMethod:"resources/list",resultProperty:"resources",itemProperty:"uri",directMethods:[{method:"resources/read",paramProperty:"uri"}]},{option:"resourceTemplates",listMethod:"resources/templates/list",resultProperty:"resourceTemplates",itemProperty:"uriTemplate",directMethods:[]}];function Yc(e,t){return eo(Vc,e,`MCP capability filter policy "${t}"`)}n(Yc,"parseMcpCapabilityFilterOptions");function z(e){return e!==null&&typeof e=="object"&&!Array.isArray(e)}n(z,"isRecord");function Xc(e,t){if(!z(e))return;let r=e[t];return typeof r=="string"?r:void 0}n(Xc,"readParamString");function zr(e){let t=e.id;return typeof t=="string"||typeof t=="number"||t===null?t:void 0}n(zr,"readRequestId");function Vo(e){return e===void 0?void 0:JSON.stringify(e)}n(Vo,"requestIdKey");function Fo(e){if(!Array.isArray(e))return;let t=e.filter(r=>typeof r=="string");return t.length>0?t:void 0}n(Fo,"asStringArray");function $o(e,t){if(!z(e))return[];let r=t in e?e[t]:t.split(".").reduce((o,i)=>z(o)?o[i]:void 0,e);return Array.isArray(r)?r.filter(o=>typeof o=="string"):typeof r=="string"?r.split(/\s+/).filter(o=>o.length>0):[]}n($o,"readClaimValues");function Hr(e,t){if(typeof e=="string")return{key:e,public:!1};if(!z(e))return;let r=e[t];if(typeof r=="string")return{key:r,roles:Fo(e.roles),groups:Fo(e.groups),public:e.public===!0}}n(Hr,"normalizeEntry");function Qc(e,t,r){if(e.public)return!0;let o=e.roles??[],i=e.groups??[];return o.length===0&&i.length===0?!1:o.some(a=>t.has(a))||i.some(a=>r.has(a))}n(Qc,"isCallerAllowed");function tr(e,t,r,o){if(e===void 0)return;let i=[];for(let a of e){let s=Hr(a,t);s!==void 0&&Qc(s,r,o)&&i.push(s.key)}return i}n(tr,"allowedKeys");var Yo=n((e,t,r)=>{let o=r.accessControl?.roleClaim??"roles",i=r.accessControl?.groupClaim??"groups",a=new Set($o(e.user?.data,o)),s=new Set($o(e.user?.data,i));return{tools:tr(r.tools,"name",a,s),prompts:tr(r.prompts,"name",a,s),resources:tr(r.resources,"uri",a,s),resourceTemplates:tr(r.resourceTemplates,"uriTemplate",a,s)}},"claimsCapabilityResolver");function ed(e,t){let r=[];for(let o of Ce){let i=e[o.option];if(i!==void 0)for(let a of i){let s=Hr(a,o.itemProperty);if(s===void 0)continue;let c=(s.roles?.length??0)>0||(s.groups?.length??0)>0;s.public&&c?r.push(`${o.option} "${s.key}" (both)`):!s.public&&!c&&r.push(`${o.option} "${s.key}" (neither)`)}}if(r.length>0)throw new A(`MCP capability filter policy "${t}" - with accessControl.mode "rolesAndGroups", every capability must set roles/groups OR "public": true (not both, not neither): ${r.join(", ")}`)}n(ed,"assertClassified");function td(e,t){let r=[];for(let o of Ce){let i=e[o.option];if(i!==void 0)for(let a of i){let s=Hr(a,o.itemProperty);s!==void 0&&((s.roles?.length??0)>0||(s.groups?.length??0)>0||s.public)&&r.push(`${o.option} "${s.key}"`)}}if(r.length>0)throw new A(`MCP capability filter policy "${t}" - accessControl.mode is "allPublic" (the default) but these capabilities set roles/groups/public; set accessControl.mode to "rolesAndGroups" or remove the markup: ${r.join(", ")}`)}n(td,"assertNoMarkup");function rd(e,t){let r=e.identifier;if(r===void 0)throw new A(`MCP capability filter policy "${t}" - accessControl.mode "function" requires accessControl.identifier`);if(r.module===null||typeof r.module!="object")throw new A(`MCP capability filter policy "${t}" - accessControl.identifier.module must reference a module, e.g. $import(./modules/mcp-access-control)`);if(!r.export)throw new A(`MCP capability filter policy "${t}" - accessControl.identifier.export must be specified`);let o=r.module[r.export];if(typeof o!="function")throw new A(`MCP capability filter policy "${t}" - accessControl.identifier must resolve to a valid function`);let i=o;return async(a,s,c)=>{let u=await i(a,s,c);if(u==null)throw new h(`MCP capability filter policy "${t}" - accessControl resolver returned no value; return an AllowedCapabilities object (use empty arrays to deny)`);if(typeof u!="object"||Array.isArray(u))throw new h(`MCP capability filter policy "${t}" - accessControl resolver must return an AllowedCapabilities object`);return u}}n(rd,"buildCustomResolver");function nd(e,t){let r=e.accessControl,o=r?.mode??"allPublic";if(o==="function"){if(r===void 0)throw new A(`MCP capability filter policy "${t}" - accessControl.mode "function" requires accessControl.identifier`);return rd(r,t)}if(o==="rolesAndGroups")return ed(e,t),Yo;td(e,t)}n(nd,"buildCapabilityResolver");function od(e){let t={};for(let r of Ce){let o=e[r.option];if(o===void 0)continue;let i=new Map;for(let a of o){let s=dd(a,r.itemProperty);s!==void 0&&i.set(s.key,s)}t[r.option]=i}return t}n(od,"buildProjectionMaps");function Br(e){return Ce.find(t=>t.listMethod===e)}n(Br,"findListRule");function id(e){return e.requests.some(t=>{if(!z(t))return!1;let r=Br(t.method);return r!==void 0&&e.projectionMaps[r.option]!==void 0})}n(id,"shouldFilterListResponses");function ad(e){return e.requests.some(t=>z(t)?Ce.some(r=>e.projectionMaps[r.option]===void 0?!1:r.listMethod===t.method||r.directMethods.some(o=>o.method===t.method)):!1)}n(ad,"requestTouchesConfiguredCapability");function sd(e){for(let t of Ce){let r=e.projectionMaps[t.option];if(r!==void 0)for(let o of t.directMethods){if(e.request.method!==o.method)continue;let i=Xc(e.request.params,o.paramProperty);if(i===void 0)continue;let a=e.allowedSets?.[t.option];if(!r.has(i)||a!==void 0&&!a.has(i))return{id:zr(e.request)}}}}n(sd,"findDisallowedDirectAccess");function cd(e){return Response.json(er({id:e,error:{code:dt.MethodNotFound,message:"Method not found"}}))}n(cd,"methodNotFoundResponse");function dd(e,t){if(typeof e=="string")return{key:e,overlay:{}};if(!z(e))return;let r=e[t];if(typeof r!="string")return;let o={...e};return delete o.roles,delete o.groups,delete o.public,{key:r,overlay:o}}n(dd,"buildProjection");function Zo(e){let t=e.base[e.property],r=e.overlay[e.property];return z(r)?z(t)?{...t,...r}:r:t}n(Zo,"mergeRecordProperty");function ud(e,t){let r={...e,...t.overlay},o=Zo({base:e,overlay:t.overlay,property:"annotations"});o!==void 0&&(r.annotations=o);let i=Zo({base:e,overlay:t.overlay,property:"_meta"});return i!==void 0&&(r._meta=i),r}n(ud,"applyProjection");function Ko(e,t,r,o){if(!z(e))return e;let i=e.result;if(!z(i))return e;let a=i[t.resultProperty];return!Array.isArray(a)||!a.every(s=>z(s)&&typeof s[t.itemProperty]=="string")?e:{...e,result:{...i,[t.resultProperty]:a.flatMap(s=>{if(!z(s))return[];let c=s[t.itemProperty];if(typeof c!="string")return[];if(o!==void 0&&!o.has(c))return[];let u=r.get(c);return u===void 0?[]:[ud(s,u)]})}}}n(Ko,"filterAndProjectItems");function ld(e){let t=new Map;if(!Array.isArray(e))return t;for(let r of e){if(!z(r))continue;let o=Br(r.method),i=zr(r),a=Vo(i);o!==void 0&&a!==void 0&&t.set(a,o)}return t}n(ld,"buildListRulesByResponseId");function pd(e){if(Array.isArray(e.responseBody)){let o=ld(e.requestBody);return o.size===0?e.responseBody:e.responseBody.map(i=>{if(!z(i)||"error"in i)return i;let a=Vo(zr(i)),s=a===void 0?void 0:o.get(a),c=s===void 0?void 0:e.projectionMaps[s.option];return s===void 0||c===void 0?i:Ko(i,s,c,e.allowedSets?.[s.option])})}if(!z(e.requestBody)||!z(e.responseBody)||"error"in e.responseBody)return e.responseBody;let t=Br(e.requestBody.method),r=t===void 0?void 0:e.projectionMaps[t.option];return t===void 0||r===void 0?e.responseBody:Ko(e.responseBody,t,r,e.allowedSets?.[t.option])}n(pd,"filterJsonRpcResponse");async function Wo(e){return e.clone().json()}n(Wo,"readJson");function md(e){return e.headers.get("content-type")?.includes("json")??!1}n(md,"isJsonResponse");var jr=class extends Bt{static{n(this,"McpCapabilityFilterInboundPolicy")}static policyType="mcp-capability-filter";#e;#r;#n;#t;constructor(t,r){let o=Yc(t,r);super(o,r),this.#r=o,this.#n=r,this.#e=od(o),this.#t=nd(o,r)}async handler(t,r){let o;try{o=await Wo(t)}catch{return t}let i=Array.isArray(o)?o:[o],a=this.#t!==void 0&&ad({requests:i,projectionMaps:this.#e})?await this.#o(t,r):void 0;for(let s of i){if(!z(s))continue;let c=sd({request:s,projectionMaps:this.#e,allowedSets:a});if(c!==void 0)return cd(c.id)}return id({requests:i,projectionMaps:this.#e})&&r.addResponseSendingHook(async s=>{if(!md(s))return s;let c;try{c=await Wo(s)}catch{return s}let u=pd({requestBody:o,responseBody:c,projectionMaps:this.#e,allowedSets:a});if(u===c)return s;let l=new Headers(s.headers);return l.delete("content-length"),new Response(JSON.stringify(u),{status:s.status,statusText:s.statusText,headers:l})}),t}async#o(t,r){let o=this.#t;if(o===void 0)return{};let i;try{i=await o(t,r,this.#r)}catch(s){r.log.error(`MCP capability filter policy "${this.#n}" - access-control resolver threw; denying configured capabilities`,s);let c={};for(let u of Ce)this.#e[u.option]!==void 0&&(c[u.option]=new Set);return c}let a={};for(let s of Ce){let c=this.#e[s.option];if(c===void 0)continue;let u=i[s.option];if(u===void 0)continue;let l=new Set;if(Array.isArray(u))for(let m of u)typeof m=="string"&&c.has(m)&&l.add(m);a[s.option]=l}return a}};var Lr;Lr=globalThis.crypto;async function fd(e){return(await Lr).getRandomValues(new Uint8Array(e))}n(fd,"getRandomValues");async function hd(e){let t="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._~",r=Math.pow(2,8)-Math.pow(2,8)%t.length,o="";for(;o.length<e;){let i=await fd(e-o.length);for(let a of i)a<r&&(o+=t[a%t.length])}return o}n(hd,"random");async function gd(e){return await hd(e)}n(gd,"generateVerifier");async function yd(e){let t=await(await Lr).subtle.digest("SHA-256",new TextEncoder().encode(e));return btoa(String.fromCharCode(...new Uint8Array(t))).replace(/\//g,"_").replace(/\+/g,"-").replace(/=/g,"")}n(yd,"generateChallenge");async function Nr(e){if(e||(e=43),e<43||e>128)throw`Expected a length between 43 and 128. Received ${e}.`;let t=await gd(e),r=await yd(t);return{code_verifier:t,code_challenge:r}}n(Nr,"pkceChallenge");Z();var H=Zn().superRefine((e,t)=>{if(!URL.canParse(e))return t.addIssue({code:Vn.custom,message:"URL must be parseable",fatal:!0}),$n}).refine(e=>{let t=new URL(e);return t.protocol!=="javascript:"&&t.protocol!=="data:"&&t.protocol!=="vbscript:"},{message:"URL cannot use javascript:, data:, or vbscript: scheme"}),nr=Lt({resource:p().url(),authorization_servers:_(H).optional(),jwks_uri:p().url().optional(),scopes_supported:_(p()).optional(),bearer_methods_supported:_(p()).optional(),resource_signing_alg_values_supported:_(p()).optional(),resource_name:p().optional(),resource_documentation:p().optional(),resource_policy_uri:p().url().optional(),resource_tos_uri:p().url().optional(),tls_client_certificate_bound_access_tokens:se().optional(),authorization_details_types_supported:_(p()).optional(),dpop_signing_alg_values_supported:_(p()).optional(),dpop_bound_access_tokens_required:se().optional()}),ht=Lt({issuer:p(),authorization_endpoint:H,token_endpoint:H,registration_endpoint:H.optional(),scopes_supported:_(p()).optional(),response_types_supported:_(p()),response_modes_supported:_(p()).optional(),grant_types_supported:_(p()).optional(),token_endpoint_auth_methods_supported:_(p()).optional(),token_endpoint_auth_signing_alg_values_supported:_(p()).optional(),service_documentation:H.optional(),revocation_endpoint:H.optional(),revocation_endpoint_auth_methods_supported:_(p()).optional(),revocation_endpoint_auth_signing_alg_values_supported:_(p()).optional(),introspection_endpoint:p().optional(),introspection_endpoint_auth_methods_supported:_(p()).optional(),introspection_endpoint_auth_signing_alg_values_supported:_(p()).optional(),code_challenge_methods_supported:_(p()).optional(),client_id_metadata_document_supported:se().optional()}),_d=Lt({issuer:p(),authorization_endpoint:H,token_endpoint:H,userinfo_endpoint:H.optional(),jwks_uri:H,registration_endpoint:H.optional(),scopes_supported:_(p()).optional(),response_types_supported:_(p()),response_modes_supported:_(p()).optional(),grant_types_supported:_(p()).optional(),acr_values_supported:_(p()).optional(),subject_types_supported:_(p()),id_token_signing_alg_values_supported:_(p()),id_token_encryption_alg_values_supported:_(p()).optional(),id_token_encryption_enc_values_supported:_(p()).optional(),userinfo_signing_alg_values_supported:_(p()).optional(),userinfo_encryption_alg_values_supported:_(p()).optional(),userinfo_encryption_enc_values_supported:_(p()).optional(),request_object_signing_alg_values_supported:_(p()).optional(),request_object_encryption_alg_values_supported:_(p()).optional(),request_object_encryption_enc_values_supported:_(p()).optional(),token_endpoint_auth_methods_supported:_(p()).optional(),token_endpoint_auth_signing_alg_values_supported:_(p()).optional(),display_values_supported:_(p()).optional(),claim_types_supported:_(p()).optional(),claims_supported:_(p()).optional(),service_documentation:p().optional(),claims_locales_supported:_(p()).optional(),ui_locales_supported:_(p()).optional(),claims_parameter_supported:se().optional(),request_parameter_supported:se().optional(),request_uri_parameter_supported:se().optional(),require_request_uri_registration:se().optional(),op_policy_uri:H.optional(),op_tos_uri:H.optional(),client_id_metadata_document_supported:se().optional()}),or=ye({..._d.shape,...ht.pick({code_challenge_methods_supported:!0}).shape}),Ke=ye({access_token:p(),id_token:p().optional(),token_type:p(),expires_in:Yn.number().optional(),scope:p().optional(),refresh_token:p().optional()}).strip(),Qo=ye({error:p(),error_description:p().optional(),error_uri:p().optional()}),Xo=H.optional().or(Wn("").transform(()=>{})),wd=ye({redirect_uris:_(H),token_endpoint_auth_method:p().optional(),grant_types:_(p()).optional(),response_types:_(p()).optional(),client_name:p().optional(),client_uri:H.optional(),logo_uri:Xo,scope:p().optional(),contacts:_(p()).optional(),tos_uri:Xo,policy_uri:p().optional(),jwks_uri:H.optional(),jwks:Kn().optional(),software_id:p().optional(),software_version:p().optional(),software_statement:p().optional()}).strip(),ir=ye({client_id:p(),client_secret:p().optional(),client_id_issued_at:Ar().optional(),client_secret_expires_at:Ar().optional()}).strip(),gt=wd.merge(ir),cg=ye({error:p(),error_description:p().optional()}).strip(),dg=ye({token:p(),token_type_hint:p().optional()}).strip();function ei(e){let t=typeof e=="string"?new URL(e):new URL(e.href);return t.hash="",t}n(ei,"resourceUrlFromServerUrl");function ti({requestedResource:e,configuredResource:t}){let r=typeof e=="string"?new URL(e):new URL(e.href),o=typeof t=="string"?new URL(t):new URL(t.href);if(r.origin!==o.origin||r.pathname.length<o.pathname.length)return!1;let i=r.pathname.endsWith("/")?r.pathname:r.pathname+"/",a=o.pathname.endsWith("/")?o.pathname:o.pathname+"/";return i.startsWith(a)}n(ti,"checkResourceAllowed");var k=class extends Error{static{n(this,"OAuthError")}constructor(t,r){super(t),this.errorUri=r,this.name=this.constructor.name}toResponseObject(){let t={error:this.errorCode,error_description:this.message};return this.errorUri&&(t.error_uri=this.errorUri),t}get errorCode(){return this.constructor.errorCode}},yt=class extends k{static{n(this,"InvalidRequestError")}};yt.errorCode="invalid_request";var Ee=class extends k{static{n(this,"InvalidClientError")}};Ee.errorCode="invalid_client";var Oe=class extends k{static{n(this,"InvalidGrantError")}};Oe.errorCode="invalid_grant";var qe=class extends k{static{n(this,"UnauthorizedClientError")}};qe.errorCode="unauthorized_client";var _t=class extends k{static{n(this,"UnsupportedGrantTypeError")}};_t.errorCode="unsupported_grant_type";var wt=class extends k{static{n(this,"InvalidScopeError")}};wt.errorCode="invalid_scope";var bt=class extends k{static{n(this,"AccessDeniedError")}};bt.errorCode="access_denied";var pe=class extends k{static{n(this,"ServerError")}};pe.errorCode="server_error";var Rt=class extends k{static{n(this,"TemporarilyUnavailableError")}};Rt.errorCode="temporarily_unavailable";var It=class extends k{static{n(this,"UnsupportedResponseTypeError")}};It.errorCode="unsupported_response_type";var Ct=class extends k{static{n(this,"UnsupportedTokenTypeError")}};Ct.errorCode="unsupported_token_type";var St=class extends k{static{n(this,"InvalidTokenError")}};St.errorCode="invalid_token";var vt=class extends k{static{n(this,"MethodNotAllowedError")}};vt.errorCode="method_not_allowed";var At=class extends k{static{n(this,"TooManyRequestsError")}};At.errorCode="too_many_requests";var Me=class extends k{static{n(this,"InvalidClientMetadataError")}};Me.errorCode="invalid_client_metadata";var kt=class extends k{static{n(this,"InsufficientScopeError")}};kt.errorCode="insufficient_scope";var xt=class extends k{static{n(this,"InvalidTargetError")}};xt.errorCode="invalid_target";var ri={[yt.errorCode]:yt,[Ee.errorCode]:Ee,[Oe.errorCode]:Oe,[qe.errorCode]:qe,[_t.errorCode]:_t,[wt.errorCode]:wt,[bt.errorCode]:bt,[pe.errorCode]:pe,[Rt.errorCode]:Rt,[It.errorCode]:It,[Ct.errorCode]:Ct,[St.errorCode]:St,[vt.errorCode]:vt,[At.errorCode]:At,[Me.errorCode]:Me,[kt.errorCode]:kt,[xt.errorCode]:xt};function bd(e){return["client_secret_basic","client_secret_post","none"].includes(e)}n(bd,"isClientAuthMethod");var Jr="code",Gr="S256";function Rd(e,t){let r=e.client_secret!==void 0;return"token_endpoint_auth_method"in e&&e.token_endpoint_auth_method&&bd(e.token_endpoint_auth_method)&&(t.length===0||t.includes(e.token_endpoint_auth_method))?e.token_endpoint_auth_method:t.length===0?r?"client_secret_basic":"none":r&&t.includes("client_secret_basic")?"client_secret_basic":r&&t.includes("client_secret_post")?"client_secret_post":t.includes("none")?"none":r?"client_secret_post":"none"}n(Rd,"selectClientAuthMethod");function Id(e,t,r,o){let{client_id:i,client_secret:a}=t;switch(e){case"client_secret_basic":Cd(i,a,r);return;case"client_secret_post":Sd(i,a,o);return;case"none":vd(i,o);return;default:throw new Error(`Unsupported client authentication method: ${e}`)}}n(Id,"applyClientAuthentication");function Cd(e,t,r){if(!t)throw new Error("client_secret_basic authentication requires a client_secret");let o=btoa(`${e}:${t}`);r.set("Authorization",`Basic ${o}`)}n(Cd,"applyBasicAuth");function Sd(e,t,r){r.set("client_id",e),t&&r.set("client_secret",t)}n(Sd,"applyPostAuth");function vd(e,t){t.set("client_id",e)}n(vd,"applyPublicAuth");async function oi(e){let t=e instanceof Response?e.status:void 0,r=e instanceof Response?await e.text():e;try{let o=Qo.parse(JSON.parse(r)),{error:i,error_description:a,error_uri:s}=o,c=ri[i]||pe;return new c(a||"",s)}catch(o){let i=`${t?`HTTP ${t}: `:""}Invalid OAuth error response: ${o}. Raw body: ${r}`;return new pe(i)}}n(oi,"parseErrorResponse");async function Zr(e,t){try{return await Fr(e,t)}catch(r){if(r instanceof Ee||r instanceof qe)return await e.invalidateCredentials?.("all"),await Fr(e,t);if(r instanceof Oe)return await e.invalidateCredentials?.("tokens"),await Fr(e,t);throw r}}n(Zr,"auth");async function Fr(e,{serverUrl:t,authorizationCode:r,scope:o,resourceMetadataUrl:i,fetchFn:a}){let s=await e.discoveryState?.(),c,u,l,m=i;if(!m&&s?.resourceMetadataUrl&&(m=new URL(s.resourceMetadataUrl)),s?.authorizationServerUrl){if(u=s.authorizationServerUrl,c=s.resourceMetadata,l=s.authorizationServerMetadata??await si(u,{fetchFn:a}),!c)try{c=await ai(t,{resourceMetadataUrl:m},a)}catch{}(l!==s.authorizationServerMetadata||c!==s.resourceMetadata)&&await e.saveDiscoveryState?.({authorizationServerUrl:String(u),resourceMetadataUrl:m?.toString(),resourceMetadata:c,authorizationServerMetadata:l})}else{let O=await Pd(t,{resourceMetadataUrl:m,fetchFn:a});u=O.authorizationServerUrl,l=O.authorizationServerMetadata,c=O.resourceMetadata,await e.saveDiscoveryState?.({authorizationServerUrl:String(u),resourceMetadataUrl:m?.toString(),resourceMetadata:c,authorizationServerMetadata:l})}let w=await Ad(t,e,c),P=o||c?.scopes_supported?.join(" ")||e.clientMetadata.scope,y=await Promise.resolve(e.clientInformation());if(!y){if(r!==void 0)throw new Error("Existing OAuth client information is required when exchanging an authorization code");let O=l?.client_id_metadata_document_supported===!0,j=e.clientMetadataUrl;if(j&&!Kr(j))throw new Me(`clientMetadataUrl must be a valid HTTPS URL with a non-root pathname, got: ${j}`);if(O&&j)y={client_id:j},await e.saveClientInformation?.(y);else{if(!e.saveClientInformation)throw new Error("OAuth client information must be saveable for dynamic registration");let Ln=await Dd(u,{metadata:l,clientMetadata:e.clientMetadata,scope:P,fetchFn:a});await e.saveClientInformation(Ln),y=Ln}}let E=!e.redirectUrl;if(r!==void 0||E){let O=await Md(e,u,{metadata:l,resource:w,authorizationCode:r,fetchFn:a});return await e.saveTokens(O),"AUTHORIZED"}let x=await e.tokens();if(x?.refresh_token)try{let O=await qd(u,{metadata:l,clientInformation:y,refreshToken:x.refresh_token,resource:w,addClientAuthentication:e.addClientAuthentication,fetchFn:a});return await e.saveTokens(O),"AUTHORIZED"}catch(O){if(!(!(O instanceof k)||O instanceof pe))throw O}let B=e.state?await e.state():void 0,{authorizationUrl:Be,codeVerifier:X}=await Ed(u,{metadata:l,clientInformation:y,state:B,redirectUrl:e.redirectUrl,scope:P,resource:w});return await e.saveCodeVerifier(X),await e.redirectToAuthorization(Be),"REDIRECT"}n(Fr,"authInternal");function Kr(e){if(!e)return!1;try{let t=new URL(e);return t.protocol==="https:"&&t.pathname!=="/"}catch{return!1}}n(Kr,"isHttpsUrl");async function Ad(e,t,r){let o=ei(e);if(t.validateResourceURL)return await t.validateResourceURL(o,r?.resource);if(r){if(!ti({requestedResource:o,configuredResource:r.resource}))throw new Error(`Protected resource ${r.resource} does not match expected ${o} (or origin)`);return new URL(r.resource)}}n(Ad,"selectResourceURL");function ii(e){let t=e.headers.get("WWW-Authenticate");if(!t)return{};let[r,o]=t.split(" ");if(r.toLowerCase()!=="bearer"||!o)return{};let i=$r(e,"resource_metadata")||void 0,a;if(i)try{a=new URL(i)}catch{}let s=$r(e,"scope")||void 0,c=$r(e,"error")||void 0;return{resourceMetadataUrl:a,scope:s,error:c}}n(ii,"extractWWWAuthenticateParams");function $r(e,t){let r=e.headers.get("WWW-Authenticate");if(!r)return null;let o=new RegExp(`${t}=(?:"([^"]+)"|([^\\s,]+))`),i=r.match(o);return i?i[1]||i[2]:null}n($r,"extractFieldFromWwwAuth");async function ai(e,t,r=fetch){let o=await Td(e,"oauth-protected-resource",r,{protocolVersion:t?.protocolVersion,metadataUrl:t?.resourceMetadataUrl});if(!o||o.status===404)throw await o?.body?.cancel(),new Error("Resource server does not implement OAuth 2.0 Protected Resource Metadata.");if(!o.ok)throw await o.body?.cancel(),new Error(`HTTP ${o.status} trying to load well-known OAuth protected resource metadata.`);return nr.parse(await o.json())}n(ai,"discoverOAuthProtectedResourceMetadata");async function Wr(e,t,r=fetch){try{return await r(e,{headers:t})}catch(o){if(o instanceof TypeError)return t?Wr(e,void 0,r):void 0;throw o}}n(Wr,"fetchWithCorsRetry");function kd(e,t="",r={}){return t.endsWith("/")&&(t=t.slice(0,-1)),r.prependPathname?`${t}/.well-known/${e}`:`/.well-known/${e}${t}`}n(kd,"buildWellKnownPath");async function ni(e,t,r=fetch){return await Wr(e,{"MCP-Protocol-Version":t},r)}n(ni,"tryMetadataDiscovery");function xd(e,t){return!e||e.status>=400&&e.status<500&&t!=="/"}n(xd,"shouldAttemptFallback");async function Td(e,t,r,o){let i=new URL(e),a=o?.protocolVersion??kr,s;if(o?.metadataUrl)s=new URL(o.metadataUrl);else{let u=kd(t,i.pathname);s=new URL(u,o?.metadataServerUrl??i),s.search=i.search}let c=await ni(s,a,r);if(!o?.metadataUrl&&xd(c,i.pathname)){let u=new URL(`/.well-known/${t}`,i);c=await ni(u,a,r)}return c}n(Td,"discoverMetadataWithFallback");function Ud(e){let t=typeof e=="string"?new URL(e):e,r=t.pathname!=="/",o=[];if(!r)return o.push({url:new URL("/.well-known/oauth-authorization-server",t.origin),type:"oauth"}),o.push({url:new URL("/.well-known/openid-configuration",t.origin),type:"oidc"}),o;let i=t.pathname;return i.endsWith("/")&&(i=i.slice(0,-1)),o.push({url:new URL(`/.well-known/oauth-authorization-server${i}`,t.origin),type:"oauth"}),o.push({url:new URL(`/.well-known/openid-configuration${i}`,t.origin),type:"oidc"}),o.push({url:new URL(`${i}/.well-known/openid-configuration`,t.origin),type:"oidc"}),o}n(Ud,"buildDiscoveryUrls");async function si(e,{fetchFn:t=fetch,protocolVersion:r=kr}={}){let o={"MCP-Protocol-Version":r,Accept:"application/json"},i=Ud(e);for(let{url:a,type:s}of i){let c=await Wr(a,o,t);if(c){if(!c.ok){if(await c.body?.cancel(),c.status>=400&&c.status<500)continue;throw new Error(`HTTP ${c.status} trying to load ${s==="oauth"?"OAuth":"OpenID provider"} metadata from ${a}`)}return s==="oauth"?ht.parse(await c.json()):or.parse(await c.json())}}}n(si,"discoverAuthorizationServerMetadata");async function Pd(e,t){let r,o;try{r=await ai(e,{resourceMetadataUrl:t?.resourceMetadataUrl},t?.fetchFn),r.authorization_servers&&r.authorization_servers.length>0&&(o=r.authorization_servers[0])}catch{}o||(o=String(new URL("/",e)));let i=await si(o,{fetchFn:t?.fetchFn});return{authorizationServerUrl:o,authorizationServerMetadata:i,resourceMetadata:r}}n(Pd,"discoverOAuthServerInfo");async function Ed(e,{metadata:t,clientInformation:r,redirectUrl:o,scope:i,state:a,resource:s}){let c;if(t){if(c=new URL(t.authorization_endpoint),!t.response_types_supported.includes(Jr))throw new Error(`Incompatible auth server: does not support response type ${Jr}`);if(t.code_challenge_methods_supported&&!t.code_challenge_methods_supported.includes(Gr))throw new Error(`Incompatible auth server: does not support code challenge method ${Gr}`)}else c=new URL("/authorize",e);let u=await Nr(),l=u.code_verifier,m=u.code_challenge;return c.searchParams.set("response_type",Jr),c.searchParams.set("client_id",r.client_id),c.searchParams.set("code_challenge",m),c.searchParams.set("code_challenge_method",Gr),c.searchParams.set("redirect_uri",String(o)),a&&c.searchParams.set("state",a),i&&c.searchParams.set("scope",i),i?.includes("offline_access")&&c.searchParams.append("prompt","consent"),s&&c.searchParams.set("resource",s.href),{authorizationUrl:c,codeVerifier:l}}n(Ed,"startAuthorization");function Od(e,t,r){return new URLSearchParams({grant_type:"authorization_code",code:e,code_verifier:t,redirect_uri:String(r)})}n(Od,"prepareAuthorizationCodeRequest");async function ci(e,{metadata:t,tokenRequestParams:r,clientInformation:o,addClientAuthentication:i,resource:a,fetchFn:s}){let c=t?.token_endpoint?new URL(t.token_endpoint):new URL("/token",e),u=new Headers({"Content-Type":"application/x-www-form-urlencoded",Accept:"application/json"});if(a&&r.set("resource",a.href),i)await i(u,r,c,t);else if(o){let m=t?.token_endpoint_auth_methods_supported??[],w=Rd(o,m);Id(w,o,u,r)}let l=await(s??fetch)(c,{method:"POST",headers:u,body:r});if(!l.ok)throw await oi(l);return Ke.parse(await l.json())}n(ci,"executeTokenRequest");async function qd(e,{metadata:t,clientInformation:r,refreshToken:o,resource:i,addClientAuthentication:a,fetchFn:s}){let c=new URLSearchParams({grant_type:"refresh_token",refresh_token:o}),u=await ci(e,{metadata:t,tokenRequestParams:c,clientInformation:r,addClientAuthentication:a,resource:i,fetchFn:s});return{refresh_token:o,...u}}n(qd,"refreshAuthorization");async function Md(e,t,{metadata:r,resource:o,authorizationCode:i,fetchFn:a}={}){let s=e.clientMetadata.scope,c;if(e.prepareTokenRequest&&(c=await e.prepareTokenRequest(s)),!c){if(!i)throw new Error("Either provider.prepareTokenRequest() or authorizationCode is required");if(!e.redirectUrl)throw new Error("redirectUrl is required for authorization_code flow");let l=await e.codeVerifier();c=Od(i,l,e.redirectUrl)}let u=await e.clientInformation();return ci(t,{metadata:r,tokenRequestParams:c,clientInformation:u??void 0,addClientAuthentication:e.addClientAuthentication,resource:o,fetchFn:a})}n(Md,"fetchToken");async function Dd(e,{metadata:t,clientMetadata:r,scope:o,fetchFn:i}){let a;if(t){if(!t.registration_endpoint)throw new Error("Incompatible auth server: does not support dynamic client registration");a=new URL(t.registration_endpoint)}else a=new URL("/register",e);let s=await(i??fetch)(a,{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify({...r,...o!==void 0?{scope:o}:{}})});if(!s.ok)throw await oi(s);return gt.parse(await s.json())}n(Dd,"registerClient");var Vr="zuplo.com",jd=new Set(["co.jp","co.kr","co.nz","co.uk","com.au","com.br","com.cn","com.mx","com.sg","co.in"]),zd=[".example.test",".example.com",".example.org",".invalid",".localhost",".test"];function di(e){return`https://www.google.com/s2/favicons?domain=${e}&sz=128`}n(di,"s2FaviconHref");function Hd(e){return`https://t0.gstatic.com/faviconV2?client=SOCIAL&type=FAVICON&drop_404_icon=true&fallback_opts=TYPE,SIZE,URL&url=http://${e}&size=128`}n(Hd,"strictFaviconHref");var ar=di(Vr);function Yr(e){let t=e.toLowerCase();return t===Vr||t==="zuplo.app"||t==="zuplo.dev"||t.endsWith(".zuplo.app")||t.endsWith(".zuplo.dev")?di(Vr):Hd(e)}n(Yr,"resolveIconHref");function Bd(e){try{return new URL(`http://${e}`).hostname}catch{return e}}n(Bd,"hostnameFromHost");function Ld(e){return e==="localhost"||e.includes(":")||/^\d{1,3}(?:\.\d{1,3}){3}$/.test(e)}n(Ld,"isLocalOrAddressHost");function Nd(e){let t=Bd(e).toLowerCase().replace(/\.$/,"");if(Ld(t)||zd.some(a=>t===a.slice(1)||t.endsWith(a)))return t;let r=t.split(".").filter(Boolean);if(r.length<=2)return t;let o=r.slice(-2).join("."),i=jd.has(o)?3:2;return r.slice(-i).join(".")}n(Nd,"inferFaviconDomain");function Xr(e){return{src:Yr(Nd(e)),mimeType:"image/png",sizes:["128x128"]}}n(Xr,"resolveMcpFaviconIcon");function sr(e){try{return Xr(new URL(e).host)}catch{return}}n(sr,"resolveMcpFaviconIconFromUrl");function Se(e){let t=ee().connectionsById.get(e);if(!t)throw new A(`Unknown upstream server "${e}". Check the route's MCP upstream policy and ensure policies.json declares a matching upstream connection.`);return{displayName:t.displayName,description:t.description,serverInfo:t.serverInfo,transport:{baseUrl:t.mcpUrl,resourceMetadataUrl:t.protectedResourceMetadataUrl}}}n(Se,"getUpstreamServerConfig");function cr(e){let t=ee().connectionsById.get(e.upstreamServerId);if(!t||t.authProfileId!==e.authProfileId)throw new A(`Unknown auth profile "${String(e.authProfileId)}" for upstream server "${e.upstreamServerId}". Check the route's MCP upstream policy and ensure policies.json declares a matching auth mode for that upstream connection.`);return t.authConfig}n(cr,"getUpstreamAuthConfig");function We(e,t){let r=cr({upstreamServerId:e,authProfileId:t});if(r.mode!=="shared-oauth"&&r.mode!=="user-oauth")throw new A(`Upstream server "${e}" does not use upstream OAuth. Select authMode "shared-oauth" or "user-oauth" before starting an upstream OAuth connection flow.`);return r.oauth}n(We,"requireUpstreamOAuthConfig");function ui(e,t){let r=cr({upstreamServerId:e,authProfileId:t});if(r.mode!=="id-jag")throw new A(`Upstream server "${e}" does not use upstream ID-JAG. Select authMode "id-jag" before requesting an upstream XAA token exchange.`);return r.idJag}n(ui,"requireUpstreamIdJagConfig");function li(e,t){if(!t)return;if(t.aborted){e.abort(t.reason);return}let r=n(()=>e.abort(t.reason),"abort");return t.addEventListener("abort",r,{once:!0}),()=>t.removeEventListener("abort",r)}n(li,"mergeAbortSignals");async function Jd(e){try{await e.cancel()}catch{}}n(Jd,"cancelReader");async function dr(e,t){if(!e)return new Uint8Array;let r=e.getReader(),o=[],i=0,a=await r.read();for(;!a.done;){let u=a.value;if(i+=u.byteLength,i>t.maxBytes)throw await Jd(r),t.createLimitError();o.push(u),a=await r.read()}let s=new Uint8Array(i),c=0;for(let u of o)s.set(u,c),c+=u.byteLength;return s}n(dr,"readBoundedByteStream");var Gd=2,Fd=1024*1024,$d=1e4,Zd=new Set([301,302,303,307,308]),Kd=["authorization","proxy-authorization","cookie","cookie2"];function Qr(e){return typeof e=="string"?e:e instanceof URL?e.toString():e.url}n(Qr,"readRequestUrl");function Ve(e,t){return t?.method!==void 0?t.method.toUpperCase():e instanceof Request?e.method.toUpperCase():"GET"}n(Ve,"readRequestMethod");function Wd(e,t,r){let o=e.headers.get("content-length");if(!o)return;let i=Number.parseInt(o,10);if(Number.isFinite(i)&&i>t)throw new h({message:"Outbound response exceeded the maximum allowed size.",extensionMembers:{[g]:r}})}n(Wd,"assertContentLengthWithinLimit");async function Vd(e,t,r){return Wd(e,t,r),dr(e.body,{maxBytes:t,createLimitError:n(()=>new h({message:"Outbound response exceeded the maximum allowed size.",extensionMembers:{[g]:r}}),"createLimitError")})}n(Vd,"readBoundedResponseBody");function Yd(e,t){let r=new ArrayBuffer(t.byteLength);return new Uint8Array(r).set(t),new Response(r,{status:e.status,statusText:e.statusText,headers:e.headers})}n(Yd,"responseFromBufferedBody");function Xd(e,t){if(!Zd.has(e.status))return;let r=e.headers.get("location");if(r)return new URL(r,t).toString()}n(Xd,"resolveRedirectUrl");function pi(e,t){try{return t.validateUrl(e)}catch(r){throw new h({message:"Outbound URL was not allowed.",extensionMembers:{[g]:t.problemCode}},{cause:r})}}n(pi,"validateOutboundUrl");function Qd(e,t){throw e instanceof h&&Nt(e.extensionMembers?.[g])?e:new h({message:"Outbound fetch failed.",extensionMembers:{[g]:t}},{cause:e})}n(Qd,"normalizeFetchError");function Tt(e,t){if(e===void 0)return;let r={event:t.event,code:t.problemCode,method:t.method};if(t.host!==void 0&&(r.host=t.host),t.extra!==void 0)for(let[o,i]of Object.entries(t.extra))i!==void 0&&(r[o]=i);t.error!==void 0&&G(r,"error",t.error),e.log.warn(r,"Outbound HTTP exchange rejected")}n(Tt,"logOutboundFailure");async function eu(e,t,r,o,i,a,s){let c=Ve(r,o);try{return await t(r,o)}catch(u){let l=u instanceof DOMException&&u.name==="AbortError";Tt(e,{event:l?"outbound_fetch_aborted":"outbound_fetch_failed",problemCode:i,method:c,host:q(a),error:u,extra:{abortReason:s()}}),Qd(u,i)}}n(eu,"fetchWithNormalizedError");function tu(e){if(e.redirects>=e.maxRedirects)throw new h({message:"Outbound redirects exceeded the maximum allowed depth.",extensionMembers:{[g]:e.problemCode}});if(e.method!=="GET"&&e.method!=="HEAD")throw new h({message:"Outbound redirect after a non-idempotent request was blocked.",extensionMembers:{[g]:e.problemCode}})}n(tu,"assertRedirectAllowed");function ru(e,t){let r=new Headers(e);for(let o of Kd)r.delete(o);for(let o of t)r.delete(o);return r}n(ru,"stripCrossOriginHeaders");function nu(e,t,r,o,i){let a={...e,method:t,redirect:"manual",signal:r};return o&&(a.headers=ru(e.headers,i)),a}n(nu,"buildRedirectInit");function ou(e,t,r){let o={...t,redirect:"manual",signal:r};return o.headers===void 0&&e instanceof Request&&(o.headers=e.headers),o}n(ou,"buildInitialRequestInit");function iu(e){let t=Ve(e.currentInput,e.currentInit);tu({redirects:e.redirects,maxRedirects:e.maxRedirects,method:t,problemCode:e.problemCode});let r=pi(e.redirectUrl,{problemCode:e.problemCode,validateUrl:e.validateUrl}),o=new URL(e.currentUrl),i=r.origin!==o.origin,a=r.toString();return{currentInput:a,currentUrl:a,currentInit:nu(e.currentInit,t,e.signal,i,e.additionalCrossOriginStrippedHeaders),redirects:e.redirects+1}}n(iu,"followRedirect");async function en(e,t,r){let o=r.problemCode??"invalid_request",i=r.maxRedirects??Gd,a=r.maxResponseBytes??Fd,s=r.timeoutMs??$d,c=r.fetchImpl??fetch,u=r.additionalCrossOriginStrippedHeaders??[],l=r.context,m=new AbortController,w=li(m,t.signal),P=!1,y=setTimeout(()=>{P=!0,m.abort()},s),E=e,x=ou(e,t,m.signal),B;try{B=pi(Qr(e),{problemCode:o,validateUrl:r.validateUrl}).toString()}catch(X){throw Tt(l,{event:"outbound_url_blocked",problemCode:o,method:Ve(e,t),host:q(Qr(e)),error:X}),clearTimeout(y),w?.(),X}let Be=0;try{for(;;){let X=await eu(l,c,E,x,o,B,()=>P?`timeout_after_${s}ms`:void 0),O=Xd(X,B);if(O!==void 0)try{let j=iu({currentInput:E,currentInit:x,currentUrl:B,redirectUrl:O,redirects:Be,maxRedirects:i,problemCode:o,validateUrl:r.validateUrl,signal:m.signal,additionalCrossOriginStrippedHeaders:u});E=j.currentInput,x=j.currentInit,B=j.currentUrl,Be=j.redirects;continue}catch(j){throw Tt(l,{event:"outbound_redirect_blocked",problemCode:o,method:Ve(E,x),host:q(B),error:j,extra:{redirects:Be,maxRedirects:i,redirectTargetHost:q(O)}}),j}try{return Yd(X,await Vd(X,a,o))}catch(j){throw Tt(l,{event:"outbound_response_size_exceeded",problemCode:o,method:Ve(E,x),host:q(B),error:j,extra:{maxResponseBytes:a,status:X.status}}),j}}}finally{clearTimeout(y),w?.()}}n(en,"runSafeOutboundExchange");async function Ut(e,t,r){let o=await en(e,t,r);try{return{response:o,json:await o.clone().json()}}catch(i){throw Tt(r.context,{event:"outbound_json_parse_failed",problemCode:r.problemCode??"invalid_request",method:Ve(e,t),host:q(Qr(e)),error:i,extra:{status:o.status,contentType:o.headers.get("content-type")??void 0}}),new h({message:"Outbound JSON response could not be parsed.",extensionMembers:{[g]:r.problemCode??"invalid_request"}},{cause:i})}}n(Ut,"runSafeOutboundJsonExchange");function mi(e,t={},r={}){return en(e,t,{...r,validateUrl:mt})}n(mi,"fetchConfiguredOutbound");function fi(e,t={},r={}){return Ut(e,t,{...r,validateUrl:mt})}n(fi,"fetchConfiguredOutboundJson");function ur(e,t={},r={}){return Ut(e,t,{...r,validateUrl:Oo})}n(ur,"fetchIdentityProviderJson");function hi(e,t={},r={}){return Ut(e,t,{...r,validateUrl:Yt})}n(hi,"fetchCimdClientMetadataJson");function gi(e,t={},r={}){return Ut(e,t,{...r,validateUrl:ft})}n(gi,"fetchCimdClientJwksJson");Z();import{errors as Ii,jwtVerify as Ci,SignJWT as Si}from"jose";var $="zuplo-mcp-gateway",W=$,V="HS256";import{base64url as au}from"jose";var su=new TextEncoder,cu="MCP gateway could not initialize secure key material.",du=32,yi=new Map,_i=new Map,uu;function lu(){return uu??Nn.instance.authPrivateKey}n(lu,"readAuthPrivateKey");function wi(e){return new Q(cu,e===void 0?void 0:{cause:e})}n(wi,"createGeneratedKeyMaterialError");function bi(e,t){let r=au.decode(t);if(r.byteLength!==du)throw new Error(`Generated deployment auth key ${e} is invalid.`);return r}n(bi,"decodeJwkKeyField");function pu(e){let t=lu();if(!t)throw wi();try{let r=JSON.parse(t);if(r.kty!=="OKP"||r.crv!=="Ed25519"||typeof r.d!="string"||typeof r.x!="string")throw new Error("Generated deployment auth key is not an Ed25519 JWK.");let o=bi("d",r.d);bi("x",r.x);let i=su.encode(`zuplo-mcp-gateway:${e}:Ed25519:`),a=new Uint8Array(i.byteLength+o.byteLength);return a.set(i),a.set(o,i.byteLength),a}catch(r){throw wi(r)}}n(pu,"decodeGeneratedKeyMaterial");function mu(e){let t=yi.get(e);return t||(t=pu(e),yi.set(e,t)),t}n(mu,"getMasterKeyMaterial");async function oe(e){let t=_i.get(e.purpose);if(t!==void 0)return t;let r=await e.derive(mu(e.keyMaterialPurpose));return _i.set(e.purpose,r),r}n(oe,"readCachedDerivedKey");var fu="SHA-256",hu=32,gu="zuplo-mcp-gateway:",yu=new TextEncoder,Ri=new WeakMap;async function ve(e,t){let r=Ri.get(e);r||(r=new Map,Ri.set(e,r));let o=r.get(t);if(o)return o;let i=await _u(e,t);return r.set(t,i),i}n(ve,"deriveGatewaySigningKey");async function _u(e,t){let r=F(e),o=await crypto.subtle.importKey("raw",r,{name:"HKDF"},!1,["deriveBits"]),i=yu.encode(`${gu}${t}`),a=await crypto.subtle.deriveBits({name:"HKDF",hash:fu,salt:new Uint8Array,info:F(i)},o,hu*8);return new Uint8Array(a)}n(_u,"hkdfExpand");var vi=900,wu=900,bu=ho.extend({id:zo}),Ru=bu.extend({exp:d.number().int().positive(),iat:d.number().int().positive().optional()}),Ai=xr.extend({id:Ho,purpose:d.literal("browser_connect")}),Iu=xr.extend({purpose:d.literal("browser_connect")}),Cu=Ai.extend({exp:d.number().int().positive(),iat:d.number().int().positive().optional()}),ki=vi*1e3;async function xi(){return oe({purpose:"oauth-state",keyMaterialPurpose:"oauth-state-signing",derive:n(e=>ve(e,"oauth-state"),"derive")})}n(xi,"getOAuthStateKey");async function Ti(){return oe({purpose:"browser-connect",keyMaterialPurpose:"oauth-state-signing",derive:n(e=>ve(e,"browser-connect"),"derive")})}n(Ti,"getBrowserConnectKey");async function Ui(e){let t=Math.floor(Date.now()/1e3)+vi;return new Si(e).setProtectedHeader({alg:V,typ:"JWT"}).setIssuer($).setAudience(W).setIssuedAt().setExpirationTime(t).sign(await xi())}n(Ui,"signOAuthState");async function lr(e){try{let{payload:t}=await Ci(e,await xi(),{algorithms:[V],issuer:$,audience:W});return Ru.parse(t)}catch(t){throw t instanceof Ii.JWTExpired?new h({message:"OAuth state has expired",extensionMembers:{[g]:"oauth_state_expired"}},{cause:t}):new h({message:"OAuth state could not be verified",extensionMembers:{[g]:"oauth_state_invalid"}},{cause:t})}}n(lr,"verifyOAuthState");async function Pi(e){let t=Math.floor(Date.now()/1e3)+wu,r=Iu.parse(e),o=Ai.parse({...r,id:No()});return new Si(o).setProtectedHeader({alg:V,typ:"JWT"}).setIssuer($).setAudience(W).setIssuedAt().setExpirationTime(t).sign(await Ti())}n(Pi,"signBrowserConnectTicket");async function Ei(e){try{let{payload:t}=await Ci(e,await Ti(),{algorithms:[V],issuer:$,audience:W});return Cu.parse(t)}catch(t){throw t instanceof Ii.JWTExpired?new h({message:"Browser connect ticket has expired",extensionMembers:{[g]:"oauth_state_expired"}},{cause:t}):new h({message:"Browser connect ticket could not be verified",extensionMembers:{[g]:"oauth_state_invalid"}},{cause:t})}}n(Ei,"verifyBrowserConnectTicket");async function Oi(e){if((await R().consumeBrowserConnectTicket({id:e.id,expiresAt:I(new Date(e.exp*1e3)),now:I(new Date)})).kind==="consumed")throw new h({message:"Browser connect ticket has already been used",extensionMembers:{[g]:"oauth_state_reused"}})}n(Oi,"consumeBrowserConnectTicket");function Su(e,t,r=!1){return r?`${e} authorization must be renewed before this ${t} can be used.`:`${e} authorization is required before this ${t} can be used.`}n(Su,"buildConnectRequiredMessage");async function vu(e){let t=M(e.requestUrl,e.requestHeaders),r=new URL(e.path,t);return e.redirect&&r.searchParams.set("redirect","true"),r.searchParams.set("operationId",e.operationId),r.searchParams.set("browserTicket",await Pi({...lt(e),purpose:"browser_connect"})),r.toString()}n(vu,"buildGatewayBrowserTicketUrl");function Au(e){return L().actionPath(`/auth/connections/${encodeURIComponent(e)}/connect`)}n(Au,"buildGatewayConnectPath");async function tn(e){return vu({...e,path:Au(e.upstreamServerId),redirect:!0})}n(tn,"buildGatewayConnectUrl");async function pr(e){let t={requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders},owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,operationId:e.operationId,...e.returnTo===void 0?{}:{returnTo:e.returnTo}};return{state:e.requiresReconsent?"reconsent_required":"authenticating",upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,operationId:e.operationId,...e.connectionId?{connectionId:e.connectionId}:{},authUrl:await tn(t),message:Su(e.upstreamDisplayName,e.subject,e.requiresReconsent),nextAction:"redirect"}}n(pr,"buildRedirectConnectRequiredResponse");function qi(e){return ku({...e,message:e.requiresReconsent?`An administrator must reconnect ${e.upstreamDisplayName} before this tool can be used.`:`An administrator must connect ${e.upstreamDisplayName} before this tool can be used.`})}n(qi,"buildAdminConnectRequiredResponse");function ku(e){return{state:"admin_connect_required",upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,operationId:e.operationId,...e.connectionId?{connectionId:e.connectionId}:{},message:e.message,nextAction:"admin_setup_required"}}n(ku,"buildAdminSetupRequiredResponse");var Mi=12;async function Di(e){let t=await crypto.subtle.digest("SHA-256",F(new TextEncoder().encode(e)));return Array.from(new Uint8Array(t)).map(r=>r.toString(16).padStart(2,"0")).join("")}n(Di,"sha256Hex");async function Ye(e){if(e)return(await Di(e)).slice(0,Mi)}n(Ye,"fingerprintSecret");async function Xe(e){let t=JSON.stringify([e.owner.mode,e.owner.mode==="user"?e.owner.subjectId:"",e.upstreamServerId,e.authProfileId]);return(await Di(t)).slice(0,Mi)}n(Xe,"fingerprintConnectionIdentity");function Pt(e){return e?e.status!=="active"?"inactive":e.encryptedAccessToken?e.expiresAt&&new Date(e.expiresAt).getTime()<=Date.now()?"expired":"usable":"no_access_token":"no_connection"}n(Pt,"describeAccessTokenState");Z();var ji=new Set(["client_id","code_challenge","code_challenge_method","display","login_hint","nonce","prompt","redirect_uri","response_mode","response_type","state"]);function xu(e,t){return e&&e.length>0?e.join(t):void 0}n(xu,"joinOAuthScopes");function Tu(e){if(e?.authorization_endpoint===void 0)return e;let t=new URL(e.authorization_endpoint);for(let r of ji)t.searchParams.delete(r);return{...e,authorization_endpoint:t.toString()}}n(Tu,"sanitizeAuthorizationServerMetadata");function zi(e){let t=Tu(e.authorizationServerMetadata);return t===e.authorizationServerMetadata?e:{...e,authorizationServerMetadata:t}}n(zi,"sanitizeOAuthDiscoveryState");function Hi(e){let t=new URL(e);for(let r of ji){let o=t.searchParams.getAll(r);o.length<=1||(t.searchParams.delete(r),t.searchParams.set(r,o.at(-1)??""))}return t}n(Hi,"dedupeSingletonAuthorizationRequestParams");function mr(e){let t=new URL(e);return K(t)&&Qn(t.hostname)!=="localhost"&&(t.hostname="localhost"),t}n(mr,"normalizeLoopbackOAuthRedirectUri");function Bi(e){return xu(e.state?.resourceMetadata?.scopes_supported,e.delimiter)}n(Bi,"readProtectedResourceMetadataScope");function Uu(e){return`Zuplo MCP Gateway - ${e}`}n(Uu,"buildGatewayOAuthClientName");function Pu(e,t){return e&&e.length>0?e.join(t):void 0}n(Pu,"joinOAuthScopeList");function Eu(e){if(e.clientRegistration.mode!=="auto")return Pu(e.scopes,e.scopeDelimiter)}n(Eu,"readPublicClientMetadataScope");function rn(e){return new URL(L().actionPath(`/.well-known/oauth-client/${encodeURIComponent(e.upstreamServerId)}`),e.origin).toString()}n(rn,"buildOAuthClientMetadataDocumentUrl");function nn(e){let t=Se(e.upstreamServerId);return{client_name:Uu(t.displayName),client_uri:new URL("/",e.origin).toString(),redirect_uris:[e.redirectUri],grant_types:["authorization_code","refresh_token"],response_types:["code"],application_type:"web",...e.scope===void 0?{}:{scope:e.scope},token_endpoint_auth_method:"none"}}n(nn,"buildGatewayOAuthClientMetadata");function Li(e,t,r){let o=We(t,r),i=Eu(o);return{client_id:rn({origin:e,upstreamServerId:t}),...nn({origin:e,upstreamServerId:t,redirectUri:mr(new URL(o.redirectPath,e)).toString(),scope:i})}}n(Li,"buildOAuthClientMetadataDocument");Z();import{base64url as Ae}from"jose";var Ou="SHA-256",Qe="AES-GCM",qu=12,an="zuplo-secret",sn=1,Ni="generated:auth_private_key:token-encryption",Mu=d.object({version:d.literal(sn),keyId:d.literal(Ni),algorithm:d.literal(Qe),iv:d.string().min(1),ciphertext:d.string().min(1)}).strict();async function on(){return oe({purpose:"token-encryption",keyMaterialPurpose:"token-encryption",derive:n(async e=>{let t=await crypto.subtle.digest(Ou,F(e));return crypto.subtle.importKey("raw",t,{name:Qe},!1,["encrypt","decrypt"])},"derive")})}n(on,"getEncryptionKey");function Ji(e){return F(new TextEncoder().encode(`${an}:v${e.version}:${e.keyId}`))}n(Ji,"getAssociatedData");function Du(e){return`${an}:v${e.version}:${Ae.encode(new TextEncoder().encode(JSON.stringify(e)))}`}n(Du,"encodeEnvelope");function ju(e){let t=`${an}:v${sn}:`;if(!e.startsWith(t))return;let r=e.slice(t.length),o=new TextDecoder().decode(Ae.decode(r));return Mu.parse(JSON.parse(o))}n(ju,"decodeEnvelope");async function me(e){let t=await on(),r=crypto.getRandomValues(new Uint8Array(qu)),o={version:sn,keyId:Ni},i=await crypto.subtle.encrypt({name:Qe,iv:r,additionalData:Ji(o)},t,new TextEncoder().encode(e));return Du({...o,algorithm:Qe,iv:Ae.encode(r),ciphertext:Ae.encode(new Uint8Array(i))})}n(me,"encryptSecret");async function ke(e){let t=ju(e);if(t){let s=await on(),c=await crypto.subtle.decrypt({name:Qe,iv:F(Ae.decode(t.iv)),additionalData:Ji(t)},s,F(Ae.decode(t.ciphertext)));return new TextDecoder().decode(c)}let[r,o]=e.split(".");if(!r||!o)throw new Q("Encrypted payload is malformed");let i=await on(),a=await crypto.subtle.decrypt({name:Qe,iv:F(Ae.decode(r))},i,F(Ae.decode(o)));return new TextDecoder().decode(a)}n(ke,"decryptSecret");var zu=d.union([gt,ir]),Hu=d.object({authorizationServerUrl:d.url(),resourceMetadataUrl:d.url().optional(),resourceMetadata:nr.optional(),authorizationServerMetadata:d.union([ht,or]).optional()}).passthrough(),Bu="Bearer",Lu="__zuplo_refresh_only_upstream_access_token__";function Gi(e){return e?e.split(/[,\s]+/).filter(Boolean):[]}n(Gi,"splitScopes");function Nu(e){return Ne.parse(e)}n(Nu,"parsePkceCodeVerifier");function Ju(e){if(typeof e.expires_in=="number")return I(new Date(Date.now()+e.expires_in*1e3))}n(Ju,"readTokenExpiry");async function Gu(e){if(e!==void 0)return me(JSON.stringify(e))}n(Gu,"encryptJson");async function Fu(e,t){if(!e)return;let r=await ke(e);try{return t.parse(JSON.parse(r))}catch(o){throw new h({message:"Stored upstream OAuth JSON state is invalid.",extensionMembers:{[g]:"oauth_state_invalid"}},{cause:o})}}n(Fu,"decryptJson");function $u(e,t){return"redirect_uris"in e?e.redirect_uris.includes(t):!0}n($u,"clientInformationAllowsRedirectUri");function Zu(e){return e.clientMetadataUrl===void 0?"redirect_uris"in e.clientInformation:"redirect_uris"in e.clientInformation||e.clientInformation.client_id===e.clientMetadataUrl}n(Zu,"clientInformationMatchesCurrentClientMetadataUrl");function Ku(e){return e.clientMetadataUrl!==void 0&&!("redirect_uris"in e.clientInformation)&&e.clientInformation.client_id===e.clientMetadataUrl}n(Ku,"isUrlBasedClientInformation");function Wu(e,t){return t===void 0?e:{...e,scope:t}}n(Wu,"applyOAuthClientMetadataScope");function Vu(e,t){return Bi({state:e,delimiter:t})}n(Vu,"readResourceMetadataScope");function Yu(e,t){return e&&e.length>0?e.join(t):void 0}n(Yu,"joinOAuthScopeList");function Xu(e){let t;if(e.registration.tokenEndpointAuthMethod!=="none"&&(t=e.registration.clientSecret,!t))throw new A(`Manual OAuth registration for upstream "${e.upstreamServerId}" requires clientSecret. Set the env var that backs the client secret or use tokenEndpointAuthMethod "none".`);return gt.parse({...e.clientMetadata,client_id:e.registration.clientId,token_endpoint_auth_method:e.registration.tokenEndpointAuthMethod,...t===void 0?{}:{client_secret:t}})}n(Xu,"buildManualOAuthClientInformation");function Qu(e,t){let r=rn({origin:new URL(t).origin,upstreamServerId:e});return Kr(r)?r:void 0}n(Qu,"buildClientMetadataUrl");function el(e){for(let t of e)if(t!==void 0)return t}n(el,"firstDefined");function tl(e){let t=We(e.target.upstreamServerId,e.target.authProfileId),r=Yu(t.scopes,t.scopeDelimiter),o=nn({origin:new URL(e.redirectUri).origin,upstreamServerId:e.target.upstreamServerId,redirectUri:e.redirectUri,scope:r});if(t.clientRegistration.mode==="manual")return{clientMetadata:o,configuredScope:r,scopeDelimiter:t.scopeDelimiter,promptOverride:t.prompt,configuredClientInformation:Xu({clientMetadata:o,registration:t.clientRegistration,upstreamServerId:e.target.upstreamServerId})};let i=Qu(e.target.upstreamServerId,e.redirectUri);return i===void 0?{clientMetadata:o,configuredScope:r,scopeDelimiter:t.scopeDelimiter,promptOverride:t.prompt}:{clientMetadata:o,configuredScope:r,scopeDelimiter:t.scopeDelimiter,promptOverride:t.prompt,clientMetadataUrl:i}}n(tl,"buildInitialOAuthClientSetup");function rl(e,t){if(t===void 0)return el([e.pendingState?.encryptedClientInformation,e.connectionMetadata?.encryptedClientInformation,e.connection?.metadata?.encryptedClientInformation])}n(rl,"readEncryptedClientInformation");var De=class{static{n(this,"UpstreamOAuthProvider")}clientMetadataUrl;target;redirectUriValue;returnOrigin;clientMetadataValue;configuredScope;scopeDelimiter;promptOverride;configuredClientInformation;challengeScope;inferredScope;authorizationUrlValue;connection;pendingState;encryptedClientInformation;cachedClientInformation;clientInformationLoaded=!1;cachedDiscoveryState;discoveryStateLoaded=!1;cachedTokens;tokensLoaded=!1;connectionFingerprintValue;usedRefreshTokenFingerprintValue;constructor(t){let r=tl({target:t.target,redirectUri:t.redirectUri});this.target=t.target,this.redirectUriValue=t.redirectUri,this.returnOrigin=t.returnOrigin,this.clientMetadataValue=r.clientMetadata,this.configuredScope=r.configuredScope,this.scopeDelimiter=r.scopeDelimiter,this.promptOverride=r.promptOverride,this.configuredClientInformation=r.configuredClientInformation,r.clientMetadataUrl!==void 0&&(this.clientMetadataUrl=r.clientMetadataUrl),this.connection=t.connection,this.pendingState=t.pendingState?{...t.pendingState}:void 0,this.encryptedClientInformation=rl(t,this.configuredClientInformation)}get authorizationUrl(){return this.authorizationUrlValue}get configuredAuthorizationScope(){return this.configuredScope}get usedRefreshTokenFingerprint(){return this.usedRefreshTokenFingerprintValue}async connectionFingerprint(){return this.connectionFingerprintValue===void 0&&(this.connectionFingerprintValue=await Xe({owner:this.target.owner,upstreamServerId:this.target.upstreamServerId,authProfileId:this.target.authProfileId})),this.connectionFingerprintValue}get redirectUrl(){return this.redirectUriValue}get clientMetadata(){return Wu(this.clientMetadataValue,this.readEffectiveScope())}async state(){let t=await this.createPendingState();return Ui({id:t.id,...lt({owner:this.target.owner,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,operationId:t.operationId})})}async clientInformation(){return this.configuredClientInformation?this.configuredClientInformation:this.loadPersistedClientInformation()}async saveClientInformation(t){this.configuredClientInformation||(this.cachedClientInformation=t,this.clientInformationLoaded=!0,N()?.info({event:"upstream_oauth_client_registered",upstreamServerId:this.target.upstreamServerId,clientId:"client_id"in t?t.client_id:void 0,redirectUriCount:"redirect_uris"in t?t.redirect_uris.length:void 0},"Upstream OAuth client registered for the gateway"),!Ku({clientInformation:t,clientMetadataUrl:this.clientMetadataUrl})&&(this.encryptedClientInformation=await Gu(t),await this.syncPendingState(!1)))}async discoveryState(){return this.readCachedDiscoveryState()}applyChallengeScope(t){this.challengeScope=t}async saveDiscoveryState(t){let r=zi(Hu.parse(t));this.cachedDiscoveryState=r,this.discoveryStateLoaded=!0,N()?.info({event:"upstream_oauth_discovery_resolved",upstreamServerId:this.target.upstreamServerId,authorizationServerHost:q(r.authorizationServerUrl),resourceMetadataHost:q(r.resourceMetadataUrl),resource:r.resourceMetadata?.resource,scopesSupportedCount:r.resourceMetadata?.scopes_supported?.length,hasResourceMetadata:r.resourceMetadata!==void 0},"Upstream OAuth discovery resolved authorization server and resource"),this.inferredScope=Vu(r,this.scopeDelimiter);let o=r.resourceMetadata?.scopes_supported;if(this.configuredScope!==void 0&&o!==void 0){let i=Gi(this.configuredScope).filter(a=>!o.includes(a));i.length>0&&N()?.debug({event:"upstream_oauth_configured_scopes_not_advertised",upstreamServerId:this.target.upstreamServerId,authProfileId:this.target.authProfileId,unadvertisedScopes:i,scopesSupported:o},"Configured upstream OAuth scopes include values the resource metadata does not advertise")}}async tokens(){return this.loadStoredTokens()}async saveTokens(t){let r=Ke.parse(t),o=this.target.owner.mode==="user"?this.target.owner.subjectId:void 0,i=this.connection,a=!r.refresh_token&&!!i?.encryptedRefreshToken,s=r.refresh_token?await me(r.refresh_token):this.connection?.encryptedRefreshToken;this.cachedTokens=r.refresh_token||!this.connection?.encryptedRefreshToken?r:Ke.parse({...r,refresh_token:await ke(this.connection.encryptedRefreshToken)}),this.tokensLoaded=!0;let c={id:this.connection?.id??Xt(),ownerMode:this.target.owner.mode,subjectId:o,upstreamServerId:this.target.upstreamServerId,authProfileId:this.target.authProfileId,status:"active",encryptedAccessToken:await me(r.access_token),encryptedRefreshToken:s,scopes:Gi(r.scope??this.readEffectiveScope()),expiresAt:Ju(r),metadata:this.readStoredOAuthPersistence(this.target.owner.mode==="shared"?this.target.initiatedBySubjectId:void 0)};this.connection=await R().upsertUpstreamConnection(c),N()?.info({event:"upstream_oauth_tokens_persisted",upstreamServerId:this.target.upstreamServerId,authProfileId:this.target.authProfileId,ownerMode:this.target.owner.mode,connectionFingerprint:await this.connectionFingerprint(),connectionId:this.connection.id,hasRefreshToken:!!s,priorStatus:i?.status,priorUpdatedAt:i?.updatedAt,usedRefreshTokenFingerprint:this.usedRefreshTokenFingerprintValue,newRefreshTokenFingerprint:await Ye(r.refresh_token),reusedSnapshotRefreshToken:a,scopeCount:c.scopes.length,expiresAt:c.expiresAt},"Upstream OAuth tokens persisted; upstream connection is active")}async redirectToAuthorization(t){let r=Hi(t);this.promptOverride===!1?r.searchParams.delete("prompt"):this.promptOverride!==void 0&&r.searchParams.set("prompt",this.promptOverride),this.authorizationUrlValue=r.toString()}async saveCodeVerifier(t){let r=await this.createPendingState();await this.persistPendingState({...r,codeVerifier:Nu(t)})}async codeVerifier(){if(!this.pendingState?.codeVerifier)throw new h({message:"OAuth code verifier is missing",extensionMembers:{[g]:"oauth_state_invalid"}});return this.pendingState.codeVerifier}async invalidateCredentials(t){let r=t==="all"||t==="client"||t==="tokens",o=t==="all"||t==="client",i=t==="all"||t==="discovery",a=t==="all"||t==="verifier";o&&(this.cachedClientInformation=void 0,this.clientInformationLoaded=!0,this.encryptedClientInformation=void 0),i&&(this.cachedDiscoveryState=void 0,this.discoveryStateLoaded=!0,this.challengeScope=void 0,this.inferredScope=void 0),r&&(this.cachedTokens=void 0,this.tokensLoaded=!0),await this.syncPendingState(a),await this.persistCredentialInvalidation(r)}async createPendingState(){if(this.pendingState)return this.pendingState;let t={id:Lo(),...lt({owner:this.target.owner,initiatedBySubjectId:this.target.initiatedBySubjectId,upstreamServerId:this.target.upstreamServerId,authProfileId:this.target.authProfileId,operationId:this.target.operationId,...this.target.returnTo===void 0?{}:{returnTo:this.target.returnTo}}),callbackPath:new URL(this.redirectUriValue).pathname,expiresAt:I(new Date(Date.now()+ki)),redirectUri:this.redirectUriValue,...this.returnOrigin===void 0?{}:{returnOrigin:this.returnOrigin},encryptedClientInformation:this.encryptedClientInformation,connectedBySubjectId:this.target.owner.mode==="shared"?this.target.initiatedBySubjectId:void 0};return await this.persistPendingState(t),t}async persistPendingState(t){await R().saveUpstreamOAuthState({record:t}),this.pendingState=t}async syncPendingState(t){this.pendingState&&await this.persistPendingState({...this.pendingState,codeVerifier:t?void 0:this.pendingState.codeVerifier,encryptedClientInformation:this.encryptedClientInformation})}async loadPersistedClientInformation(){if(this.clientInformationLoaded)return this.cachedClientInformation;let t;try{t=await Fu(this.encryptedClientInformation,zu)}catch{this.encryptedClientInformation=void 0,this.cachedClientInformation=void 0,this.clientInformationLoaded=!0,await this.syncPendingState(!1),await this.persistCredentialInvalidation(!1);return}if(t&&(!$u(t,this.redirectUriValue)||!Zu({clientInformation:t,clientMetadataUrl:this.clientMetadataUrl}))){this.encryptedClientInformation=void 0,this.cachedClientInformation=void 0,this.clientInformationLoaded=!0,await this.syncPendingState(!1),await this.persistCredentialInvalidation(!1);return}return t===void 0&&this.pendingState?.codeVerifier!==void 0&&this.clientMetadataUrl!==void 0&&(t=ir.parse({client_id:this.clientMetadataUrl})),this.cachedClientInformation=t,this.clientInformationLoaded=!0,this.cachedClientInformation}async readCachedDiscoveryState(){if(this.discoveryStateLoaded)return this.cachedDiscoveryState;this.discoveryStateLoaded=!0}readEffectiveScope(){return this.configuredScope??this.challengeScope??this.inferredScope}async loadStoredTokens(){if(this.tokensLoaded)return this.cachedTokens;if(this.tokensLoaded=!0,!this.connection||this.connection.status!=="active"){N()?.debug({event:"upstream_oauth_tokens_not_loaded",upstreamServerId:this.target.upstreamServerId,authProfileId:this.target.authProfileId,connectionFingerprint:await this.connectionFingerprint(),connectionId:this.connection?.id,status:this.connection?.status??"not_connected"},"Upstream OAuth tokens not loaded; connection is not active");return}let t=this.connection.encryptedAccessToken?await ke(this.connection.encryptedAccessToken):void 0,r=this.connection.encryptedRefreshToken?await ke(this.connection.encryptedRefreshToken):void 0;if(!t&&!r)return;let o=N();this.usedRefreshTokenFingerprintValue=o?await Ye(r):void 0,o?.debug({event:"upstream_oauth_tokens_loaded",upstreamServerId:this.target.upstreamServerId,authProfileId:this.target.authProfileId,connectionFingerprint:await this.connectionFingerprint(),connectionId:this.connection.id,hasAccessToken:!!t,hasRefreshToken:!!r,usedRefreshTokenFingerprint:this.usedRefreshTokenFingerprintValue,expiresAt:this.connection.expiresAt},"Upstream OAuth tokens loaded from stored connection");let i=Ke.parse({access_token:t??Lu,token_type:Bu,refresh_token:r,scope:this.connection.scopes.length>0?this.connection.scopes.join(" "):void 0});return this.cachedTokens=i,i}async persistCredentialInvalidation(t){if(!this.connection)return;let r=this.connection.status,o=this.connection.updatedAt,i={id:this.connection.id,ownerMode:this.connection.ownerMode,subjectId:this.connection.subjectId,upstreamServerId:this.connection.upstreamServerId,authProfileId:this.connection.authProfileId,status:this.connection.status,encryptedAccessToken:this.connection.encryptedAccessToken,encryptedRefreshToken:this.connection.encryptedRefreshToken,scopes:[...this.connection.scopes],expiresAt:this.connection.expiresAt,metadata:this.connection.metadata?{...this.connection.metadata}:void 0};t&&(i.status="reconsent_required",i.encryptedAccessToken=void 0,i.encryptedRefreshToken=void 0,i.scopes=[],i.expiresAt=void 0),i.metadata=this.readStoredOAuthPersistence(this.connection.metadata?.connectedBySubjectId),this.connection=await R().upsertUpstreamConnection(i);let a=N();if(a){let s={event:"upstream_oauth_credentials_invalidated",upstreamServerId:this.target.upstreamServerId,authProfileId:this.target.authProfileId,connectionFingerprint:await this.connectionFingerprint(),connectionId:this.connection.id,clearedTokens:t,priorStatus:r,newStatus:this.connection.status,priorUpdatedAt:o,usedRefreshTokenFingerprint:this.usedRefreshTokenFingerprintValue};t?a.warn(s,"Upstream OAuth credentials invalidated; connection now requires reconsent"):a.debug(s,"Upstream OAuth credential metadata rewritten")}}readStoredOAuthPersistence(t){if(!(!this.encryptedClientInformation&&!t))return{encryptedClientInformation:this.encryptedClientInformation,connectedBySubjectId:t}}};var nl=3e4,ol=256*1024,il=2,al="does not support dynamic client registration",sl=["Resource server does not implement OAuth 2.0 Protected Resource Metadata","trying to load well-known OAuth protected resource metadata"],cl=["HTTP 403 Forbidden","Access Denied","permission to access"],dl=new Set(["access_denied","invalid_client","invalid_grant","invalid_request","invalid_scope","invalid_target","unauthorized_client","unsupported_grant_type"]);function ul(e){return e instanceof Error&&e.message.includes(al)}n(ul,"isDynamicClientRegistrationUnsupported");function ll(e){return e instanceof Error&&sl.some(t=>e.message.includes(t))}n(ll,"isProtectedResourceMetadataUnavailable");function pl(e){return e instanceof Error&&cl.some(t=>e.message.includes(t))}n(pl,"isUpstreamProviderAccessDenied");function ml(e){return e instanceof k&&dl.has(e.errorCode)}n(ml,"isStoredConnectionReconsentError");function fl(e){if(e.error instanceof h&&e.error.extensionMembers?.[g]!==void 0)return e.error;if(ul(e.error))return new h({message:`The authorization server for ${e.upstreamServerId} does not advertise Client ID Metadata Document support and does not support Dynamic Client Registration. Register an OAuth client for the gateway manually before retrying.`,extensionMembers:{[g]:"upstream_client_registration_required"}},{cause:e.error});if(ll(e.error))return new h({message:`The upstream MCP server "${e.upstreamServerId}" does not publish OAuth protected resource metadata at "${e.resourceMetadataUrl}". Configure protectedResourceMetadataUrl to a working metadata document, use a provider-supported legacy client, or contact the provider to approve/allowlist this gateway OAuth client before retrying.`,extensionMembers:{[g]:"upstream_oauth_discovery_unavailable"}},{cause:e.error});if(pl(e.error))return new h({message:`The upstream provider denied access while connecting ${e.upstreamServerId}. Confirm the provider allows this gateway and its OAuth client, then retry.`,extensionMembers:{[g]:"upstream_provider_access_denied"}},{cause:e.error})}n(fl,"mapUpstreamOAuthSetupError");function hl(e){return typeof e=="string"||e instanceof URL?{url:new URL(e.toString())}:{method:e.method,url:new URL(e.url)}}n(hl,"readOAuthFetchRequest");function gl(e,t){return(e.headers.get("content-type")??"").includes("json")||t.trimStart().startsWith("{")||t.trimStart().startsWith("[")}n(gl,"responseLooksJson");function yl(e,t){let r=e.headers.get("content-type")??"",o=t.trimStart().toLowerCase();return r.includes("html")||o.startsWith("<!doctype html")||o.startsWith("<html")}n(yl,"responseLooksHtml");function _l(e){let t=e.response.statusText?` ${e.response.statusText}`:"",r=e.response.headers.get("content-type")??"text/html";throw new h({message:`The upstream provider returned ${e.response.status}${t} (${r}) from ${e.request.url.toString()} while connecting ${e.upstreamServerId}.`,extensionMembers:{[g]:e.response.status===403?"upstream_provider_access_denied":"upstream_token_exchange_failed",[_e]:e.response.status,[Je]:r,[we]:e.request.url.toString(),[Ge]:e.body}})}n(_l,"throwUpstreamHtmlError");function wl(e){try{let t=JSON.parse(e);if(typeof t!="object"||t===null)return{};let r=t;return{error:typeof r.error=="string"?r.error:void 0,errorDescription:typeof r.error_description=="string"?r.error_description:void 0}}catch{return{}}}n(wl,"readUpstreamOAuthErrorBody");function bl(e){let{error:t,errorDescription:r}=wl(e.body);e.log?.warn({event:"upstream_oauth_http_error",upstreamServerId:e.upstreamServerId,method:e.request.method??"GET",host:q(e.request.url),path:e.request.url.pathname,status:e.response.status,oauthError:t,oauthErrorDescription:r?.slice(0,256)},"Upstream OAuth HTTP request returned an error response")}n(bl,"logUpstreamOAuthHttpError");function $i(e){return async(t,r)=>{let o=hl(t),i=N(),a=Date.now(),s=await mi(t,r,{maxRedirects:il,maxResponseBytes:ol,problemCode:"upstream_token_exchange_failed",timeoutMs:nl}),c=await s.clone().text();if(i?.debug({event:"upstream_oauth_http_request",upstreamServerId:e,method:o.method??"GET",host:q(o.url),path:o.url.pathname,status:s.status,durationMs:Date.now()-a,responseChars:c.length},"Upstream OAuth HTTP request completed"),s.ok||bl({log:i,upstreamServerId:e,request:o,response:s,body:c}),!s.ok&&yl(s,c)&&_l({upstreamServerId:e,request:o,response:s,body:c}),!gl(s,c))return s;try{JSON.parse(c)}catch(u){throw new h({message:`Upstream OAuth fetch ${o.url.origin}${o.url.pathname} for ${e} returned invalid JSON.`,extensionMembers:{[g]:"upstream_token_exchange_failed"}},{cause:u})}return s}}n($i,"createUpstreamOAuthFetch");function Zi(e){N()?.debug({event:e.phase==="authorize"?"upstream_oauth_authorize_started":"upstream_oauth_token_exchange_started",upstreamServerId:e.upstreamServerId,serverHost:q(e.serverUrl),resourceMetadataHost:q(e.resourceMetadataUrl),hasRequestedScope:e.requestedScope!==void 0},e.phase==="authorize"?"Upstream OAuth authorization flow started":"Upstream OAuth authorization-code exchange started")}n(Zi,"logUpstreamOAuthFlowStarted");function Ki(e){let t={event:"upstream_oauth_flow_failed",phase:e.phase,upstreamServerId:e.upstreamServerId},r=q(e.serverUrl);r!==void 0&&(t.serverHost=r);let o=e.error instanceof h?e.error.extensionMembers?.[g]:void 0;typeof o=="string"&&(t.code=o),G(t,"error",e.error),N()?.warn(t,"Upstream OAuth flow failed before a connection was established")}n(Ki,"logUpstreamOAuthFlowFailed");function Wi(e,t){return e.configuredAuthorizationScope??t.requestedScope}n(Wi,"readAuthorizationRequestScope");async function Vi(e,t){e.applyChallengeScope(t.requestedScope),Zi({phase:"authorize",...t});try{let r={serverUrl:t.serverUrl,resourceMetadataUrl:new URL(t.resourceMetadataUrl),fetchFn:$i(t.upstreamServerId)},o=Wi(e,t);return o!==void 0&&(r.scope=o),await Zr(e,r)}catch(r){Ki({phase:"authorize",upstreamServerId:t.upstreamServerId,serverUrl:t.serverUrl,error:r});let o=fl({upstreamServerId:t.upstreamServerId,resourceMetadataUrl:t.resourceMetadataUrl,error:r});throw o!==void 0?o:r}}n(Vi,"runUpstreamOAuth");async function Rl(e,t){e.applyChallengeScope(t.requestedScope),Zi({phase:"token_exchange",...t});let r={serverUrl:t.serverUrl,authorizationCode:t.authorizationCode,resourceMetadataUrl:new URL(t.resourceMetadataUrl),fetchFn:$i(t.upstreamServerId)},o=Wi(e,t);o!==void 0&&(r.scope=o);try{return await Zr(e,r)}catch(i){throw Ki({phase:"token_exchange",upstreamServerId:t.upstreamServerId,serverUrl:t.serverUrl,error:i}),i}}n(Rl,"exchangeUpstreamAuthorizationCode");async function Yi(e,t){let r=await Vi(e,t);if(r==="REDIRECT"&&e.authorizationUrl)return e.authorizationUrl;throw r==="AUTHORIZED"?new h({message:`OAuth connect flow reused existing credentials instead of producing a redirect for ${t.upstreamServerId}`,extensionMembers:{[g]:"upstream_token_exchange_failed"}}):new h({message:`Unexpected OAuth result for ${t.upstreamServerId}: ${r}`,extensionMembers:{[g]:"upstream_token_exchange_failed"}})}n(Yi,"requireUpstreamAuthorizationRedirect");async function Xi(e){let t=Pt(e.connection),r=!!e.forceRefresh,o=!r&&t==="usable",i=N(),a=i?await Xe({owner:e.target.owner,upstreamServerId:e.target.upstreamServerId,authProfileId:e.target.authProfileId}):void 0;if(i?.debug({event:"upstream_oauth_refresh_decision",upstreamServerId:e.target.upstreamServerId,authProfileId:e.target.authProfileId,ownerMode:e.target.owner.mode,connectionFingerprint:a,connectionId:e.connection?.id,accessTokenState:t,forceRefresh:r,willRefresh:!o,expiresAt:e.connection?.expiresAt,connectionUpdatedAt:e.connection?.updatedAt},o?"Reusing stored upstream access token":"Refreshing upstream credential"),o)return{kind:"authorized",credential:{type:"mcp_oauth_provider",provider:e.provider}};let s;try{s=await Vi(e.provider,{upstreamServerId:e.target.upstreamServerId,serverUrl:e.serverUrl,resourceMetadataUrl:e.resourceMetadataUrl,...e.requestedScope===void 0?{}:{requestedScope:e.requestedScope}})}catch(c){if(e.connection===void 0||!ml(c))throw c;return i?.warn({event:"upstream_oauth_connection_reconsent_required",upstreamServerId:e.target.upstreamServerId,authProfileId:e.target.authProfileId,oauthError:c.errorCode,connectionFingerprint:a,connectionId:e.connection.id,rejectedRefreshTokenFingerprint:e.provider.usedRefreshTokenFingerprint,connectionUpdatedAt:e.connection.updatedAt,connectionExpiresAt:e.connection.expiresAt},"Stored upstream OAuth connection was rejected by the upstream provider"),await e.provider.invalidateCredentials("all"),{kind:"connect_required",payload:await Fi({requestUrl:e.target.request.url,requestHeaders:e.target.request.headers,connection:e.connection,owner:e.target.owner,initiatedBySubjectId:e.target.initiatedBySubjectId,upstreamServerId:e.target.upstreamServerId,authProfileId:e.target.authProfileId,upstreamDisplayName:e.upstreamDisplayName,operationId:e.target.operationId,...e.target.returnTo===void 0?{}:{returnTo:e.target.returnTo}})}}if(s==="AUTHORIZED")return{kind:"authorized",credential:{type:"mcp_oauth_provider",provider:e.provider}};if(s!=="REDIRECT")throw new h({message:`Unexpected OAuth result for ${e.target.upstreamServerId}: ${s}`,extensionMembers:{[g]:"upstream_token_exchange_failed"}});if(!e.provider.authorizationUrl)throw new h({message:`OAuth connect-required flow did not produce a redirect for ${e.target.upstreamServerId}`,extensionMembers:{[g]:"upstream_token_exchange_failed"}});return{kind:"connect_required",payload:await Fi({requestUrl:e.target.request.url,requestHeaders:e.target.request.headers,connection:e.connection,owner:e.target.owner,initiatedBySubjectId:e.target.initiatedBySubjectId,upstreamServerId:e.target.upstreamServerId,authProfileId:e.target.authProfileId,upstreamDisplayName:e.upstreamDisplayName,operationId:e.target.operationId,...e.target.returnTo===void 0?{}:{returnTo:e.target.returnTo}})}}n(Xi,"authorizeUpstreamOAuthSession");async function Il(e){let t=await lr(e.stateToken),r=await R().consumeUpstreamOAuthState({id:t.id,now:I(new Date)}),o=Cl(r);return Sl({storedState:o,signedState:t,upstreamServerId:e.upstreamServerId,callbackPath:new URL(e.request.url).pathname}),vl(o),o}n(Il,"consumeStoredCallbackState");function Cl(e){switch(e.kind){case"consumed":throw new h({message:"OAuth state has already been used",extensionMembers:{[g]:"oauth_state_reused"}});case"missing":throw new h({message:"OAuth state is missing or expired",extensionMembers:{[g]:"oauth_state_expired"}});case"available":return e.record}}n(Cl,"readConsumedCallbackState");function Sl(e){if(![e.storedState.ownerMode===e.signedState.ownerMode,e.storedState.initiatedBySubjectId===e.signedState.initiatedBySubjectId,e.storedState.ownerSubjectId===e.signedState.ownerSubjectId,e.storedState.upstreamServerId===e.signedState.upstreamServerId,e.storedState.authProfileId===e.signedState.authProfileId,e.storedState.operationId===e.signedState.operationId,e.storedState.upstreamServerId===e.upstreamServerId,e.storedState.callbackPath===e.callbackPath].every(Boolean))throw new h({message:"OAuth callback did not match the initiating request",extensionMembers:{[g]:"oauth_callback_mismatch"}})}n(Sl,"assertStoredCallbackStateMatches");function vl(e){if(new Date(e.expiresAt).getTime()<=Date.now())throw new h({message:"OAuth state has expired",extensionMembers:{[g]:"oauth_state_expired"}})}n(vl,"assertStoredCallbackStateFresh");async function Fi(e){if(e.owner.mode==="shared"){let r={upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,upstreamDisplayName:e.upstreamDisplayName,operationId:e.operationId,requiresReconsent:!!e.connection};return e.connection!==void 0&&(r.connectionId=e.connection.id),qi(r)}let t={requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders},owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,upstreamDisplayName:e.upstreamDisplayName,operationId:e.operationId,subject:"tool",requiresReconsent:!!e.connection,...e.returnTo===void 0?{}:{returnTo:e.returnTo}};return e.connection!==void 0&&(t.connectionId=e.connection.id),pr(t)}n(Fi,"buildOAuthConnectRequiredResponse");async function Qi(e){let t=await Il({request:e.request,upstreamServerId:e.upstreamServerId,stateToken:e.stateToken}),r=Zt(t),[o]=await R().batchGetUpstreamConnections([{owner:r,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId}]),i={target:{owner:r,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,operationId:t.operationId,...t.returnTo===void 0?{}:{returnTo:t.returnTo}},redirectUri:t.redirectUri,pendingState:t};o!==void 0&&(i.connection=o);let a=new De(i),s=await Rl(a,{upstreamServerId:e.upstreamServerId,serverUrl:e.upstreamServerConfig.transport.baseUrl,authorizationCode:e.authorizationCode,resourceMetadataUrl:e.upstreamServerConfig.transport.resourceMetadataUrl});if(s==="AUTHORIZED")return t;throw s!=="REDIRECT"?new h({message:`Unexpected OAuth result for ${e.upstreamServerId}: ${s}`,extensionMembers:{[g]:"upstream_token_exchange_failed"}}):new h({message:`OAuth callback flow did not finish authorization for ${e.upstreamServerId}`,extensionMembers:{[g]:"upstream_token_exchange_failed"}})}n(Qi,"finishUpstreamOAuthCallback");Z();import{importPKCS8 as Al,SignJWT as kl}from"jose";var ta=1e4,ra=64*1024,na=2,xl=300,ne=d.string().min(1),Tl=d.object({access_token:ne,issued_token_type:d.literal(Ur),token_type:d.string().optional(),expires_in:d.number().int().positive().optional(),scope:ne.optional()}).passthrough(),Ul=d.object({id_token:ne,token_type:ne.optional(),expires_in:d.number().int().positive().optional(),refresh_token:ne.optional(),scope:ne.optional()}).passthrough(),Pl=d.object({access_token:ne,token_type:ne,expires_in:d.number().int().positive().optional(),scope:ne.optional(),resource:ne.optional(),refresh_token:ne.optional()}).passthrough();function ea(e){return encodeURIComponent(e).replace(/%20/g,"+")}n(ea,"formEncodeClientCredential");function El(e){return e.replaceAll("\\n",`
|
|
26
|
+
`)}n(El,"normalizePem");async function Ol(e){let t=e.clientAuth.algorithm??"RS256",r=e.clientAuth.expiresInSeconds??xl,o=await Al(El(e.clientAuth.privateKeyPem),t),i={alg:t,typ:"JWT",...e.clientAuth.keyId===void 0?{}:{kid:e.clientAuth.keyId}};return new kl({jti:crypto.randomUUID()}).setProtectedHeader(i).setIssuer(e.clientAuth.clientId).setSubject(e.clientAuth.clientId).setAudience(e.clientAuth.audience??e.tokenUrl).setIssuedAt().setExpirationTime(`${r}s`).sign(o)}n(Ol,"createPrivateKeyJwtClientAssertion");async function ql(e){switch(e.clientAuth.method){case"client_secret_post":e.form.set("client_id",e.clientAuth.clientId),e.form.set("client_secret",e.clientAuth.clientSecret);return;case"client_secret_basic":{let t=ea(e.clientAuth.clientId),r=ea(e.clientAuth.clientSecret);e.headers.authorization=`Basic ${btoa(`${t}:${r}`)}`;return}case"private_key_jwt":e.form.set("client_id",e.clientAuth.clientId),e.form.set("client_assertion_type",Wt),e.form.set("client_assertion",await Ol({clientAuth:e.clientAuth,tokenUrl:e.tokenUrl}));return}}n(ql,"appendClientAuthentication");async function cn(e){let t={"Content-Type":"application/x-www-form-urlencoded"};return await ql({form:e.form,headers:t,clientAuth:e.clientAuth,tokenUrl:e.tokenUrl}),{method:"POST",headers:t,body:e.form.toString()}}n(cn,"buildFormRequest");function oa(e){return(t,r)=>ur(t,r,{context:e,maxRedirects:na,maxResponseBytes:ra,problemCode:"upstream_token_exchange_failed",timeoutMs:ta})}n(oa,"defaultIdpFetchJson");function Ml(e){return(t,r)=>fi(t,r,{context:e,maxRedirects:na,maxResponseBytes:ra,problemCode:"upstream_token_exchange_failed",timeoutMs:ta})}n(Ml,"defaultResourceAsFetchJson");function fr(e){let t={[g]:e.code,[we]:e.tokenUrl};return e.response!==void 0&&(t[_e]=e.response.status),new h({message:e.message,extensionMembers:t},e.cause===void 0?void 0:{cause:e.cause})}n(fr,"runtimeError");function dn(e){if(!e.response.ok)throw fr({code:"upstream_token_exchange_failed",message:(()=>{switch(e.stage){case"idp_refresh_token":return"IdP refresh-token grant failed while renewing the upstream ID-JAG subject token.";case"idp_token_exchange":return"IdP token exchange failed while requesting an upstream ID-JAG.";case"resource_as_jwt_bearer":return"Upstream Resource AS rejected the ID-JAG JWT-bearer exchange."}})(),tokenUrl:e.tokenUrl,response:e.response})}n(dn,"assertTokenEndpointSucceeded");function Dl(e){let t=Ul.safeParse(e.json);if(!t.success)throw fr({code:"upstream_token_response_invalid",message:"IdP refresh-token grant returned an invalid subject-token response.",tokenUrl:e.tokenUrl,response:e.response,cause:t.error});let r={idToken:t.data.id_token};return t.data.expires_in!==void 0&&(r.expiresIn=t.data.expires_in),t.data.refresh_token!==void 0&&(r.refreshToken=t.data.refresh_token),t.data.scope!==void 0&&(r.scope=t.data.scope),r}n(Dl,"parseIdpRefreshTokenResponse");function jl(e){let t=Tl.safeParse(e.json);if(!t.success)throw fr({code:"upstream_token_response_invalid",message:"IdP token exchange returned an invalid ID-JAG response.",tokenUrl:e.tokenUrl,response:e.response,cause:t.error});let r={assertion:t.data.access_token};return t.data.expires_in!==void 0&&(r.expiresIn=t.data.expires_in),t.data.scope!==void 0&&(r.scope=t.data.scope),r}n(jl,"parseIdJagTokenExchangeResponse");function zl(e){let t=Pl.safeParse(e.json);if(!t.success)throw fr({code:"upstream_token_response_invalid",message:"Upstream Resource AS returned an invalid JWT-bearer token response.",tokenUrl:e.tokenUrl,response:e.response,cause:t.error});let r={accessToken:t.data.access_token,tokenType:t.data.token_type};return t.data.expires_in!==void 0&&(r.expiresIn=t.data.expires_in),t.data.scope!==void 0&&(r.scope=t.data.scope),t.data.resource!==void 0&&(r.resource=t.data.resource),t.data.refresh_token!==void 0&&(r.refreshToken=t.data.refresh_token),r}n(zl,"parseAccessTokenResponse");async function ia(e){let t=new URLSearchParams({grant_type:Kt,requested_token_type:Ur,subject_token:e.subjectToken,subject_token_type:e.subjectTokenType,audience:e.audience});e.resource!==void 0&&t.set("resource",e.resource),e.scope!==void 0&&t.set("scope",e.scope),e.authorizationDetails!==void 0&&t.set("authorization_details",JSON.stringify(e.authorizationDetails));let r=e.fetchJson??oa(e.context),{response:o,json:i}=await r(e.idp.tokenUrl,await cn({form:t,clientAuth:e.clientAuth,tokenUrl:e.idp.tokenUrl}));return dn({response:o,tokenUrl:e.idp.tokenUrl,stage:"idp_token_exchange"}),jl({json:i,response:o,tokenUrl:e.idp.tokenUrl})}n(ia,"requestIdJag");async function aa(e){let t=new URLSearchParams({grant_type:"refresh_token",refresh_token:e.refreshToken}),r=e.fetchJson??oa(e.context),{response:o,json:i}=await r(e.idp.tokenUrl,await cn({form:t,clientAuth:e.clientAuth,tokenUrl:e.idp.tokenUrl}));return dn({response:o,tokenUrl:e.idp.tokenUrl,stage:"idp_refresh_token"}),Dl({json:i,response:o,tokenUrl:e.idp.tokenUrl})}n(aa,"refreshIdpSubjectToken");async function sa(e){let t=new URLSearchParams({grant_type:Re,assertion:e.assertion});e.resource!==void 0&&t.set("resource",e.resource),e.scope!==void 0&&t.set("scope",e.scope);let r=e.fetchJson??Ml(e.context),{response:o,json:i}=await r(e.resourceAs.tokenUrl,await cn({form:t,clientAuth:e.clientAuth,tokenUrl:e.resourceAs.tokenUrl}));return dn({response:o,tokenUrl:e.resourceAs.tokenUrl,stage:"resource_as_jwt_bearer"}),zl({json:i,response:o,tokenUrl:e.resourceAs.tokenUrl})}n(sa,"exchangeIdJagForAccessToken");function Hl(e){return Pt(e)==="usable"}n(Hl,"hasUsableAccessToken");function Bl(e){if(e.tokenType.toLowerCase()!=="bearer")throw new h({message:"Upstream Resource AS returned a token type the MCP gateway cannot send as a bearer token.",extensionMembers:{[g]:"upstream_token_response_invalid"}})}n(Bl,"assertBearerToken");function ca(e,t){if(t===Ze)return!1;let r=e?.metadata?.idpSubjectTokenExpiresAt;return r!==void 0&&new Date(r).getTime()<=Date.now()}n(ca,"hasExpiredSubjectToken");async function Ll(e){let t=await ke(e.encryptedSubjectToken);if(e.subjectTokenType!==Ze)return{connection:e.connection,subjectToken:t,subjectTokenType:e.subjectTokenType};let r=await aa({idp:e.idp,refreshToken:t,clientAuth:e.clientAuth,context:e.context});if(r.refreshToken===void 0)return{connection:e.connection,subjectToken:r.idToken,subjectTokenType:pt};let o=await R().upsertUpstreamConnection({id:e.connection.id,ownerMode:e.connection.ownerMode,subjectId:e.connection.subjectId,upstreamServerId:e.connection.upstreamServerId,authProfileId:e.connection.authProfileId,status:"active",encryptedAccessToken:e.connection.encryptedAccessToken,encryptedRefreshToken:e.connection.encryptedRefreshToken,scopes:e.connection.scopes,expiresAt:e.connection.expiresAt,metadata:{...e.connection.metadata??{},encryptedIdpSubjectToken:await me(r.refreshToken),idpSubjectTokenType:Ze,idpSubjectTokenExpiresAt:void 0}});return N()?.info({event:"upstream_id_jag_subject_token_rotated",upstreamServerId:e.connection.upstreamServerId,authProfileId:e.connection.authProfileId,connectionFingerprint:e.connectionFingerprint,connectionId:o.id,priorStatus:e.connection.status,priorUpdatedAt:e.connection.updatedAt,usedSubjectRefreshTokenFingerprint:await Ye(t),newSubjectRefreshTokenFingerprint:await Ye(r.refreshToken)},"Upstream ID-JAG IdP subject refresh token rotated and persisted"),{connection:o,subjectToken:r.idToken,subjectTokenType:pt}}n(Ll,"resolveIdJagSubjectToken");async function da(e){let t="preloadedConnection"in e?e.preloadedConnection:(await R().batchGetUpstreamConnections([{owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId}]))[0],r=Pt(t),o=!!e.forceRefresh,i=!o&&r==="usable",a=N(),s=a?await Xe({owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId}):void 0;if(a?.debug({event:"upstream_id_jag_auth_decision",upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,ownerMode:e.owner.mode,connectionFingerprint:s,connectionId:t?.id,accessTokenState:r,forceRefresh:o,willMint:!i,expiresAt:t?.expiresAt,connectionUpdatedAt:t?.updatedAt},i?"Reusing stored upstream ID-JAG access token":"Minting upstream ID-JAG access token"),!e.forceRefresh&&Hl(t))return{kind:"authorized",credential:{type:"bearer_token",token:await ke(t.encryptedAccessToken)}};let c=t?.metadata?.encryptedIdpSubjectToken,u=t?.metadata?.idpSubjectTokenType;if(t?.status!=="active"||c===void 0||u===void 0||ca(t,u))return a?.debug({event:"upstream_id_jag_connect_required",upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,connectionFingerprint:s,connectionId:t?.id,status:t?.status??"not_connected",hasSubjectToken:c!==void 0,subjectTokenType:u,subjectTokenExpired:u!==void 0&&ca(t,u)},"Upstream ID-JAG requires an admin subject-token binding"),{kind:"connect_required",payload:{state:"admin_connect_required",upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,operationId:e.operationId,message:`An IdP subject-token binding is required for ${e.upstreamDisplayName} before this tool can use XAA / ID-JAG.`,nextAction:"admin_setup_required"}};let l=Se(e.upstreamServerId),m=ui(e.upstreamServerId,e.authProfileId),w=m.resourceAs.resource??l.transport.baseUrl,P=e.requestedScope??(m.scopes.length===0?void 0:m.scopes.join(m.scopeDelimiter)),y=await Ll({connection:t,connectionFingerprint:s,encryptedSubjectToken:c,subjectTokenType:u,idp:{tokenUrl:m.idp.tokenUrl},clientAuth:m.idp.clientAuth,context:e.context}),E=await ia({idp:{tokenUrl:m.idp.tokenUrl},subjectToken:y.subjectToken,subjectTokenType:y.subjectTokenType,audience:m.resourceAs.audience,resource:w,scope:P,clientAuth:m.idp.clientAuth,context:e.context}),x=E.scope??P,B=await sa({resourceAs:{tokenUrl:m.resourceAs.tokenUrl},assertion:E.assertion,resource:w,scope:x,clientAuth:m.resourceAs.clientAuth,context:e.context});if(Bl(B),t!==void 0){let X=(B.scope??x)?.split(/[,\s]+/).filter(Boolean)??[],O=B.expiresIn===void 0?void 0:I(new Date(Date.now()+B.expiresIn*1e3)),j=await R().upsertUpstreamConnection({id:y.connection.id,ownerMode:y.connection.ownerMode,subjectId:y.connection.subjectId,upstreamServerId:y.connection.upstreamServerId,authProfileId:y.connection.authProfileId,status:"active",encryptedAccessToken:await me(B.accessToken),encryptedRefreshToken:y.connection.encryptedRefreshToken,scopes:X,expiresAt:O,metadata:y.connection.metadata});a?.info({event:"upstream_id_jag_access_token_persisted",upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,connectionFingerprint:s,connectionId:j.id,priorStatus:y.connection.status,priorUpdatedAt:y.connection.updatedAt,scopeCount:X.length,expiresAt:O},"Upstream ID-JAG access token persisted; connection is active")}return{kind:"authorized",credential:{type:"bearer_token",token:B.accessToken}}}n(da,"authorizeUpstreamIdJagRequest");function Nl(e){return mr(new URL(e.callbackPath,M(e.requestUrl,e.requestHeaders))).toString()}n(Nl,"buildGatewayOAuthRedirectUri");async function ua(e){let t=Se(e.upstreamServerId),r=We(e.upstreamServerId,e.authProfileId),o=Nl({callbackPath:r.redirectPath,requestUrl:e.request.url,requestHeaders:e.request.headers}),i="preloadedConnection"in e?e.preloadedConnection:(await R().batchGetUpstreamConnections([{owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId}]))[0];return{upstreamServerConfig:t,connection:i,providerInput:{target:{owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,operationId:e.operationId,returnTo:e.returnTo},redirectUri:o,returnOrigin:M(e.request.url,e.request.headers)}}}n(ua,"prepareUpstreamOAuthRequest");async function la(e){let t=await ua(e),r=new De({...t.providerInput,...t.connection?.metadata===void 0?{}:{connectionMetadata:t.connection.metadata}});return Yi(r,{upstreamServerId:e.upstreamServerId,serverUrl:t.upstreamServerConfig.transport.baseUrl,resourceMetadataUrl:t.upstreamServerConfig.transport.resourceMetadataUrl})}n(la,"startUpstreamConnect");async function pa(e){let t=await ua(e),r=new De({...t.providerInput,...t.connection===void 0?{}:{connection:t.connection}});return Xi({target:e,provider:r,connection:t.connection,forceRefresh:e.forceRefresh,requestedScope:e.requestedScope,upstreamDisplayName:t.upstreamServerConfig.displayName,serverUrl:t.upstreamServerConfig.transport.baseUrl,resourceMetadataUrl:t.upstreamServerConfig.transport.resourceMetadataUrl})}n(pa,"authorizeUpstreamRequest");async function et(e){let{routeAuth:t}=e;switch(t.authMode){case"shared-oauth":case"user-oauth":return pa({request:e.request,owner:t.owner,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,operationId:t.operationId,forceRefresh:e.forceRefresh,requestedScope:e.requestedScope,...e.preloadedConnection===void 0?{}:{preloadedConnection:e.preloadedConnection},returnTo:t.returnTo});case"id-jag":return da({request:e.request,context:e.context,authMode:t.authMode,ownerMode:t.ownerMode,owner:t.owner,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,operationId:t.operationId,upstreamDisplayName:t.upstreamDisplayName,forceRefresh:e.forceRefresh,requestedScope:e.requestedScope,...e.preloadedConnection===void 0?{}:{preloadedConnection:e.preloadedConnection},returnTo:t.returnTo})}let r=t;throw new Q(`Unsupported upstream auth route context ${JSON.stringify(r)}.`)}n(et,"resolveUpstreamCredentialForRoute");async function ma(e){if(e.connectRequest.authMode==="id-jag")throw new Q(`Upstream server ${e.connectRequest.upstreamServerId} uses XAA / ID-JAG and does not support browser OAuth connection flows.`);let t=await la({request:e.request,owner:e.connectRequest.owner,initiatedBySubjectId:e.connectRequest.initiatedBySubjectId,upstreamServerId:e.connectRequest.upstreamServerId,authProfileId:e.connectRequest.authProfileId,operationId:e.connectRequest.operationId,returnTo:e.connectRequest.returnTo});return{authProfileId:e.connectRequest.authProfileId,authUrl:t,initiatedBySubjectId:e.connectRequest.initiatedBySubjectId,owner:e.connectRequest.owner,upstreamDisplayName:e.connectRequest.upstreamDisplayName,operationId:e.connectRequest.operationId}}n(ma,"startUpstreamConnectForRequest");async function fa(e){let r=(await lr(e.callbackRequest.state)).authProfileId;if(cr({upstreamServerId:e.callbackRequest.upstreamServerId,authProfileId:r}).mode==="id-jag")throw new Q(`Upstream server ${e.callbackRequest.upstreamServerId} uses XAA / ID-JAG and does not support OAuth callbacks.`);return Qi({request:e.request,upstreamServerId:e.callbackRequest.upstreamServerId,authorizationCode:e.callbackRequest.code,stateToken:e.callbackRequest.state,upstreamServerConfig:Se(e.callbackRequest.upstreamServerId)})}n(fa,"finishUpstreamCallbackForRequest");function Jl(e){return{upstreamServerId:e.connection.upstreamServerId,operationId:e.operationId,authProfileId:e.connection.authProfileId,upstreamDisplayName:e.connection.displayName,authMode:e.connection.authMode,ownerMode:e.connection.ownerMode}}n(Jl,"buildRouteAuthBaseFromConnection");function ha(e){return{upstreamServerId:e.connection.id,operationId:e.operationId,authProfileId:go(e.connection.id,e.connection.authMode),upstreamDisplayName:e.connection.displayName,authMode:e.connection.authMode,ownerMode:e.connection.ownerMode}}n(ha,"buildRouteAuthBaseFromPolicyOptions");function hr(e,t){let o=ee().byOperationId.get(t);if(!o)throw new A(`Unknown MCP route "${t}". Ensure routes.oas.json declares this operationId before starting an upstream connection flow.`);if(o.connection===void 0)throw new A(`MCP route "${t}" does not declare an MCP token exchange policy. Add one before starting an upstream connection flow.`);if(o.connection.upstreamServerId!==e)throw new A(`MCP route "${t}" does not bind upstream "${e}". Check the route's MCP upstream policies and bind the upstream before starting an upstream connection flow.`);return Jl({connection:o.connection,operationId:t})}n(hr,"resolveRouteAuthBase");function un(e,t){switch(e){case"user":return Fe(t);case"shared":return fo()}}n(un,"buildOwnerForSubject");function tt(e,t){switch(e.authMode){case"shared-oauth":return{...e,authMode:"shared-oauth",ownerMode:"shared",owner:un("shared",t),initiatedBySubjectId:t};case"user-oauth":return{...e,authMode:"user-oauth",ownerMode:"user",owner:un("user",t),initiatedBySubjectId:t};case"id-jag":return{...e,authMode:"id-jag",ownerMode:"user",owner:un("user",t),initiatedBySubjectId:t}}}n(tt,"resolveRouteAuthForSubject");var Gl=dt.InvalidRequest,Fl=new Set(["connection","keep-alive","proxy-authenticate","te","trailer","transfer-encoding","upgrade"]);function $l(e,t){return{credentialType:e.type,forceRefresh:t}}n($l,"buildCredentialResolvedAttributes");function Zl(e){switch(e){case"admin_connect_required":return"admin_connect_required";case"authenticating":return"connect_required"}}n(Zl,"connectRequiredReasonCode");function ga(e){v(e.context,{eventType:C.MCP_AUTH_UPSTREAM_CREDENTIAL_RESOLVED,outcome:"success",routeBinding:e.routeBinding,attributes:$l(e.credential,e.forceRefresh===!0)})}n(ga,"emitCredentialResolvedAnalyticsEvent");function ya(e){let t={forceRefresh:e.forceRefresh===!0,nextAction:e.payload.nextAction,state:e.payload.state};if(v(e.context,{eventType:C.MCP_AUTH_UPSTREAM_CREDENTIAL_MISSING,outcome:"connect_required",routeBinding:e.routeBinding,reasonCode:"connect_required",reasonClass:"auth",attributes:t}),e.payload.state==="reconsent_required"){v(e.context,{eventType:C.MCP_AUTH_UPSTREAM_RECONSENT_REQUIRED,outcome:"connect_required",routeBinding:e.routeBinding,reasonCode:"reconsent_required",reasonClass:"auth",attributes:t});return}v(e.context,{eventType:C.MCP_AUTH_UPSTREAM_CONNECT_REQUIRED,outcome:"connect_required",routeBinding:e.routeBinding,reasonCode:Zl(e.payload.state),reasonClass:"auth",attributes:t})}n(ya,"emitCredentialMissingAnalyticsEvents");function Kl(e){let t=e.route.raw();return Gt.parse(t?.operationId)}n(Kl,"readOperationId");async function Wl(e,t,r,o){let i=await et({request:e,context:o,routeAuth:t});if(i.kind==="connect_required")return ya({context:o,payload:i.payload,routeBinding:t}),o.log.info({event:"mcp_upstream_connect_required",upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId},"MCP upstream proxy: upstream connection required"),{kind:"connect_required",payload:i.payload};let a=i.credential;if(ga({context:o,credential:a,routeBinding:t}),a.type==="bearer_token")return{kind:"headers",headers:[["authorization",`Bearer ${a.token}`]]};let s=await a.provider.tokens();return s?{kind:"headers",headers:[["authorization",`${s.token_type??"Bearer"} ${s.access_token}`]]}:(o.log.warn({event:"mcp_upstream_no_tokens",upstreamServerId:t.upstreamServerId},"MCP upstream proxy: OAuth provider returned no tokens"),Response.json({error:"no_upstream_tokens"},{status:401}))}n(Wl,"buildCredentialHeaders");var Vl=new Set(["authorization","cookie","cookie2"]);function Yl(e){if(e!==void 0)try{let t=JSON.parse(new TextDecoder().decode(e));return t&&typeof t=="object"&&!Array.isArray(t)&&"method"in t&&typeof t.method=="string"?t.method:void 0}catch{return}}n(Yl,"readJsonRequestMethod");function Xl(e){let t=e.headers.get("content-type")??"";return/\bapplication\/(?:[\w.+-]+\+)?json\b/i.test(t)}n(Xl,"isJsonResponse");function ln(e){return e!==null&&typeof e=="object"&&!Array.isArray(e)}n(ln,"isRecord");function Ql(e){return Array.isArray(e)&&e.length>0}n(Ql,"hasIconList");function ep(e){if(e.connection.serverInfo?.icons!==void 0&&e.connection.serverInfo.icons.length>0)return e.connection.serverInfo.icons;try{let t=sr(ao(e.context.route.handler));return t===void 0?void 0:[t]}catch{return}}n(ep,"readFallbackServerIcons");function tp(e){if(!ln(e.body))return e.body;let t=e.body.result;if(!ln(t))return e.body;let r=t.serverInfo;return!ln(r)||Ql(r.icons)?e.body:{...e.body,result:{...t,serverInfo:{...r,icons:e.icons}}}}n(tp,"addMissingServerIcons");function rp(e,t){let r=new Headers(e.headers);for(let o of Vl)r.delete(o);for(let[o,i]of t)r.set(o,i);return new Gn(e,{headers:r})}n(rp,"applyUpstreamHeaders");function np(e){let t=new Headers(e.headers);for(let r of Fl)t.delete(r);return t}n(np,"buildProxyHeaders");async function op(e){if(!(e.method==="GET"||e.method==="HEAD"))return e.clone().arrayBuffer()}n(op,"readRetryBody");function _a(e,t){let r=t.authUrl===void 0?void 0:Go({message:t.message,elicitationId:["connect",t.operationId,t.upstreamServerId,t.authProfileId].join(":"),url:t.authUrl});return Response.json(er({id:Jo(e),error:{code:r?.code??Gl,message:t.message,data:{...r?.data??{},connectRequired:t}}}))}n(_a,"connectRequiredJsonRpcResponse");async function ip(e){let{scope:t}=ii(e.upstreamResponse),r=await et({request:e.request,context:e.context,routeAuth:e.routeAuth,forceRefresh:!0,requestedScope:t});if(r.kind==="connect_required")return ya({context:e.context,payload:r.payload,routeBinding:e.routeAuth,forceRefresh:!0}),{kind:"connect_required",payload:r.payload};let o=new Headers(e.headers),i=r.credential;if(ga({context:e.context,credential:i,routeBinding:e.routeAuth,forceRefresh:!0}),i.type==="bearer_token")return o.set("authorization",`Bearer ${i.token}`),{kind:"headers",headers:o};let a=await i.provider.tokens();return a?(o.set("authorization",`${a.token_type??"Bearer"} ${a.access_token}`),{kind:"headers",headers:o}):(e.context.log.warn({event:"mcp_upstream_no_tokens_after_refresh",upstreamServerId:e.routeAuth.upstreamServerId},"MCP upstream proxy: OAuth provider returned no tokens after refresh"),{kind:"response",response:Response.json({error:"no_upstream_tokens"},{status:401})})}n(ip,"applyRefreshedCredentialHeaders");function ap(e){e.context.addResponseSendingHook(async(t,r)=>{if(t.status!==401)return t;let o=await ip({request:e.request,context:e.context,headers:np(r),routeAuth:e.routeAuth,upstreamResponse:t});if(o.kind==="connect_required")return _a(e.requestBody,o.payload);if(o.kind==="response")return o.response;let i=so({handler:e.context.route.handler,request:r,body:e.requestBody,headers:o.headers});return Ht.fetch(i.url,i.init)})}n(ap,"installUpstreamAuthRetryHook");function sp(e){if(Yl(e.requestBody)!=="initialize")return;let t=ep({connection:e.connection,context:e.context});t===void 0||t.length===0||e.context.addResponseSendingHook(async r=>{if(!Xl(r))return r;let o;try{o=await r.clone().json()}catch{return r}let i=tp({body:o,icons:t});if(i===o)return r;let a=new Headers(r.headers);return a.delete("content-length"),new Response(JSON.stringify(i),{status:r.status,statusText:r.statusText,headers:a})})}n(sp,"installInitializeIconHook");async function pn(e,t,r){let o=Kl(t),i=await op(e),a=ha({connection:r,operationId:o}),s=Pe(e.user,e.url,e.headers);t.log.setLogProperties?.({requestId:t.requestId}),Io(t,s);let c=tt(a,s.subjectId),u=await Wl(e,c,r,t);if(!(u instanceof Response)&&u.kind==="connect_required")return _a(i,u.payload);if(u instanceof Response)return u;let l=rp(e,u.headers);return ap({request:l,context:t,requestBody:i,routeAuth:c}),sp({context:t,requestBody:i,connection:r}),l}n(pn,"mcpTokenExchangePolicy");var mn=class extends Bt{static{n(this,"McpTokenExchangeInboundPolicy")}static policyType="mcp-token-exchange";constructor(t,r){let o=yo(t,r);super(o,r)}async handler(t,r){return pn(t,r,this.options)}};Z();var wa=Symbol("Html");function cp(e){return e.replaceAll("&","&").replaceAll("<","<").replaceAll(">",">").replaceAll('"',""").replaceAll("'","'")}n(cp,"escapeHtml");function dp(e){return e===null||typeof e!="object"?!1:e[wa]===!0}n(dp,"isHtml");function ba(e){return e==null||e===!1?"":Array.isArray(e)?e.map(ba).join(""):dp(e)?e.value:cp(String(e))}n(ba,"renderValue");function fe(e){return{[wa]:!0,value:e}}n(fe,"trustedHtml");var te=fe("");function S(e,...t){let r=e[0]??"";for(let o=0;o<t.length;o+=1)r+=ba(t[o]),r+=e[o+1]??"";return fe(r)}n(S,"html");function rt(e){return e.value}n(rt,"renderHtml");function Ra(e){return S`<p class="card__description">${e.detail}</p>${e.guidance} ${e.technicalDetails} ${e.action}`}n(Ra,"renderBrowserErrorPage");var nt=fe('*,:before,:after{box-sizing:border-box}:root{--bg:#f5f6f8;--surface:#fff;--surface-2:#f8fafc;--border:#e5e7eb;--border-strong:#d1d5db;--text:#0f172a;--text-2:#475569;--text-3:#64748b;--text-muted:#94a3b8;--accent:#0f172a;--accent-hover:#1e293b;--accent-text:#fff;--focus-ring:#0f172a29;--danger:#b91c1c;--danger-bg:#b91c1c0f;--danger-border:#b91c1c38;--warning:#92400e;--warning-bg:#fffbeb;--warning-border:#fde68a;--success:#15803d;--success-bg:#f0fdf4;--success-border:#bbf7d0;--radius-sm:4px;--radius:8px;--radius-lg:12px;--radius-pill:9999px;--shadow-sm:0 1px 2px #0f172a0d;--shadow:0 1px 2px #0f172a0a,0 6px 16px #0f172a0f;--font-sans:-apple-system,BlinkMacSystemFont,"Segoe UI",Inter,system-ui,sans-serif;--font-mono:ui-monospace,SFMono-Regular,"SF Mono",Menlo,Monaco,Consolas,monospace}@media (prefers-color-scheme:dark){:root{--bg:#0a0c10;--surface:#15171c;--surface-2:#1e2128;--border:#262932;--border-strong:#3a3e48;--text:#fafafa;--text-2:#cbd5e1;--text-3:#94a3b8;--text-muted:#71717a;--accent:#fafafa;--accent-hover:#e4e4e7;--accent-text:#0a0c10;--focus-ring:#fafafa2e;--danger:#f87171;--danger-bg:#f8717114;--danger-border:#f871714d;--warning:#fbbf24;--warning-bg:#fbbf2414;--warning-border:#fbbf2447;--success:#34d399;--success-bg:#34d39914;--success-border:#34d3994d;--shadow-sm:0 1px 2px #0006;--shadow:0 1px 2px #0006,0 8px 24px #0006}}html,body{margin:0;padding:0}body{font-family:var(--font-sans);background:var(--bg);color:var(--text);-webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale;flex-direction:column;justify-content:center;align-items:center;min-height:100dvh;padding:48px 20px;font-size:14px;line-height:1.5;display:flex}.card{background:var(--surface);border:1px solid var(--border);border-radius:var(--radius-lg);width:100%;max-width:480px;box-shadow:var(--shadow);overflow:hidden}.card__head{text-align:center;padding:32px 32px 24px}.card__icon{border-radius:var(--radius);background:var(--surface-2);object-fit:contain;border:1px solid var(--border);width:48px;height:48px;margin:0 auto 16px;display:block}.card__title{letter-spacing:-.01em;color:var(--text);margin:0;font-size:20px;font-weight:600;line-height:1.3}.card__subtitle{color:var(--text-2);margin:8px 0 0;font-size:14px;line-height:1.55}.card__subtitle strong{color:var(--text);font-weight:600}.card__description{color:var(--text-3);margin:12px 0 0;font-size:13px;line-height:1.55}.card__principal{color:var(--text-3);background:var(--surface-2);border-radius:var(--radius-pill);text-overflow:ellipsis;white-space:nowrap;align-items:center;gap:6px;max-width:100%;margin:16px 0 0;padding:4px 12px;font-size:12.5px;display:inline-flex;overflow:hidden}.card__body{flex-direction:column;gap:20px;padding:8px 32px 24px;display:flex}.card__head+.card__body{border-top:1px solid var(--border);padding-top:24px}.card__footer{border-top:1px solid var(--border);background:var(--surface-2);flex-wrap:wrap;justify-content:flex-end;align-items:center;gap:8px;padding:16px 24px;display:flex}.card__fineprint{color:var(--text-3);text-align:center;margin:0;font-size:12.5px;line-height:1.5}.card__fineprint strong{color:var(--text-2);font-weight:600}.section-label{text-transform:uppercase;letter-spacing:.07em;color:var(--text-3);align-items:baseline;gap:6px;margin:0;font-size:11px;font-weight:600;display:flex}.section-label__count{color:var(--text-3);letter-spacing:0;font-weight:500}.banner{border-radius:var(--radius);border:1px solid;align-items:flex-start;gap:10px;padding:12px 14px;font-size:13px;display:flex}.banner__icon{flex-shrink:0;justify-content:center;align-items:center;width:16px;height:16px;margin-top:1px;display:inline-flex}.banner__body{flex-direction:column;flex:1;gap:2px;min-width:0;display:flex}.banner__title{color:var(--text);margin:0;font-size:13px;font-weight:600}.banner__message{color:var(--text-2);margin:0;font-size:13px;line-height:1.5}.banner--warning{background:var(--warning-bg);border-color:var(--warning-border)}.banner--warning .banner__icon{color:var(--warning)}.banner--alert{background:var(--danger-bg);border-color:var(--danger-border)}.banner--alert .banner__icon,.banner--alert .banner__title{color:var(--danger)}.upstream-list{flex-direction:column;gap:8px;margin:0;padding:0;list-style:none;display:flex}.upstream-card{background:var(--surface);border:1px solid var(--border);border-radius:var(--radius);flex-direction:column;gap:10px;padding:14px;display:flex}.upstream-card--needs-action{border-color:var(--warning-border);background:var(--warning-bg)}.upstream-card__head{align-items:flex-start;gap:10px;display:flex}.icon-frame{border-radius:var(--radius-sm);border:1px solid var(--border);background:var(--surface-2);width:32px;height:32px;color:var(--text-3);flex-shrink:0;justify-content:center;align-items:center;display:inline-flex;overflow:hidden}.icon-frame img{object-fit:contain;max-width:100%;max-height:100%}.icon-frame--fallback svg{width:18px;height:18px}.inline-icon{object-fit:contain;vertical-align:-2px;border-radius:2px;width:14px;height:14px;margin-right:4px}.upstream-card__main{flex-direction:column;flex:1;gap:3px;min-width:0;display:flex}.upstream-card__title-row{justify-content:space-between;align-items:center;gap:10px;min-width:0;display:flex}.upstream-card__title{color:var(--text);letter-spacing:-.005em;text-overflow:ellipsis;white-space:nowrap;flex:1;min-width:0;margin:0;font-size:14px;font-weight:600;line-height:1.3;overflow:hidden}.upstream-card__meta{color:var(--text-3);flex-wrap:wrap;align-items:center;gap:6px;font-size:12px;display:flex}.upstream-card__host{font-family:var(--font-mono);background:var(--surface-2);color:var(--text-2);border-radius:var(--radius-sm);padding:1px 6px;font-size:11.5px}.upstream-card__sep{color:var(--border-strong)}.upstream-card__description{color:var(--text-2);margin:4px 0 0;font-size:12.5px;line-height:1.5}.status-badge{border-radius:var(--radius-pill);white-space:nowrap;border:1px solid #0000;flex-shrink:0;align-items:center;gap:6px;padding:2px 8px;font-size:11.5px;font-weight:600;display:inline-flex}.status-badge:before{content:"";background:currentColor;border-radius:50%;flex-shrink:0;width:5px;height:5px}.status-badge--success{background:var(--success-bg);color:var(--success);border-color:var(--success-border)}.status-badge--warning{background:var(--warning-bg);color:var(--warning);border-color:var(--warning-border)}.status-badge--neutral{background:var(--surface-2);color:var(--text-2);border-color:var(--border)}.upstream-card__capabilities,.upstream-card__scopes{border-top:1px solid var(--border);margin-top:2px;padding-top:10px}.upstream-card__capabilities--empty{color:var(--text-3);font-size:12px;font-style:italic}.capabilities-summary,.scopes-summary{cursor:pointer;user-select:none;color:var(--text-2);justify-content:space-between;align-items:center;gap:12px;padding:2px 0;font-size:12.5px;list-style:none;display:flex}.capabilities-summary::-webkit-details-marker,.scopes-summary::-webkit-details-marker{display:none}.capabilities-summary:hover,.scopes-summary:hover{color:var(--text)}.capabilities-summary:focus-visible,.scopes-summary:focus-visible{outline:2px solid var(--accent);outline-offset:2px;border-radius:var(--radius-sm)}.capabilities-summary__counts{flex-wrap:wrap;align-items:center;gap:12px;display:flex}.count-pill{color:var(--text-2);align-items:baseline;gap:4px;font-size:12.5px;display:inline-flex}.count-pill__num{font-variant-numeric:tabular-nums;color:var(--text);font-size:13px;font-weight:600}.count-pill--destructive .count-pill__num,.count-pill--destructive .count-pill__label{color:var(--danger)}.capabilities-summary__chevron{color:var(--text-3);flex-shrink:0;transition:transform .15s;display:inline-flex}details[open]>.capabilities-summary .capabilities-summary__chevron,details[open]>.scopes-summary .capabilities-summary__chevron{transform:rotate(180deg)}.capabilities-detail{margin-top:10px}.capability-section{margin-top:14px}.capability-section:first-child{margin-top:6px}.capability-section__title{text-transform:uppercase;letter-spacing:.07em;color:var(--text-3);margin:0 0 6px;font-size:11px;font-weight:600}.capability-list{flex-direction:column;gap:5px;margin:0;padding:0;font-size:12.5px;list-style:none;display:flex}.capability-row{flex-wrap:wrap;align-items:baseline;gap:6px;padding:2px 0;display:flex}.capability-row__name{font-weight:500;font-family:var(--font-mono);color:var(--text);font-size:12.5px}.capability-row__description{color:var(--text-3);flex-basis:100%;font-size:12px;line-height:1.45}.capability-row__description code{font-family:var(--font-mono);background:var(--surface-2);border-radius:var(--radius-sm);color:var(--text-2);padding:1px 4px}.capability-row--more{color:var(--text-3);font-size:12px;font-style:italic}.scopes-list{flex-wrap:wrap;gap:4px;margin-top:8px;display:flex}.scope-chip{font-family:var(--font-mono);background:var(--surface-2);color:var(--text-2);border-radius:var(--radius-sm);border:1px solid var(--border);padding:2px 7px;font-size:11.5px}.badge{border-radius:var(--radius-sm);letter-spacing:.04em;text-transform:uppercase;align-items:center;padding:1px 5px;font-size:10px;font-weight:600;display:inline-flex}.badge--destructive{background:var(--danger-bg);color:var(--danger)}.badge--muted{background:var(--surface-2);color:var(--text-3)}.badge-row{flex-wrap:wrap;gap:4px;display:inline-flex}.muted{color:var(--text-3)}.button{font:inherit;border-radius:var(--radius);cursor:pointer;white-space:nowrap;border:1px solid #0000;justify-content:center;align-items:center;gap:6px;min-height:40px;padding:8px 16px;font-size:14px;font-weight:500;text-decoration:none;transition:background .12s,border-color .12s,color .12s,box-shadow .12s,transform 40ms;display:inline-flex}.button:active{transform:translateY(1px)}.button:focus-visible{box-shadow:0 0 0 3px var(--focus-ring);outline:0}.button--small{padding:5px 10px;font-size:12.5px}.button--primary{background:var(--accent);color:var(--accent-text);border-color:var(--accent)}.button--primary:hover:not(:disabled):not([aria-disabled=true]){background:var(--accent-hover);border-color:var(--accent-hover)}.button:disabled,.button[aria-disabled=true]{cursor:not-allowed;opacity:.55}.button:disabled:hover,.button[aria-disabled=true]:hover{background:var(--accent);border-color:var(--accent)}.button--secondary{background:var(--surface);color:var(--text);border-color:var(--border-strong)}.button--secondary:hover{background:var(--surface-2);border-color:var(--border-strong)}.button--block{width:100%}.reconnect-action{align-items:center;margin-right:auto;display:inline-flex;position:relative}.reconnect-button{gap:7px}.tooltip{width:16px;height:16px;color:var(--accent);background:color-mix(in srgb,var(--accent)8%,transparent);cursor:help;border:1.5px solid;border-radius:50%;justify-content:center;align-items:center;font-size:10.5px;font-weight:700;line-height:1;display:inline-flex;position:relative}.tooltip:after{content:attr(aria-label);z-index:10;border-radius:var(--radius-sm);background:var(--accent);width:280px;max-width:min(280px,100vw - 48px);color:var(--accent-text);box-shadow:var(--shadow);text-align:left;white-space:normal;opacity:0;pointer-events:none;padding:12px 14px;font-size:13px;font-weight:600;line-height:1.45;transition:opacity .12s;position:absolute;bottom:calc(100% + 12px);left:50%;transform:translate(-50%)}.tooltip:before{content:"";z-index:11;border-left:7px solid #0000;border-right:7px solid #0000;border-top:8px solid var(--accent);opacity:0;pointer-events:none;transition:opacity .12s;position:absolute;bottom:calc(100% + 5px);left:50%;transform:translate(-50%)}.tooltip:hover:after,.tooltip:hover:before,.tooltip:focus-visible:after,.tooltip:focus-visible:before{opacity:1}.form{flex-direction:column;gap:6px;display:flex}.form__label{color:var(--text);margin:8px 0 0;font-size:13px;font-weight:600;display:block}.form__label:first-child{margin-top:0}.form__input{box-sizing:border-box;border:1px solid var(--border-strong);border-radius:var(--radius);width:100%;font:inherit;background:var(--surface);color:var(--text);padding:9px 12px;font-size:14px;transition:border-color .12s,box-shadow .12s}.form__input:focus{border-color:var(--accent);box-shadow:0 0 0 3px var(--focus-ring);outline:0}.form__note{color:var(--text-3);margin:4px 0 0;font-size:12.5px;line-height:1.5}.form__submit{margin-top:8px}.empty{text-align:center;color:var(--text-3);border:1px dashed var(--border);border-radius:var(--radius);background:var(--surface);padding:24px 16px;font-size:13px}.actions{gap:8px;margin:0;display:flex}@media (width<=480px){body{padding:0}.card{box-shadow:none;border-left:0;border-right:0;border-radius:0;min-height:100dvh}.card__head{padding:24px 20px 16px}.card__body{padding:16px 20px}.card__footer{flex-direction:column-reverse;align-items:stretch;padding:14px 20px}.card__footer .button{width:100%}.reconnect-action{justify-content:center;width:100%;margin-right:0}.reconnect-action .button{flex:1}.tooltip:after{left:auto;right:0;transform:none}}@media (prefers-reduced-motion:reduce){*{transition:none!important}}');function ot(e){return S`<!doctype html><html lang="en"><head><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1" /><meta name="referrer" content="no-referrer" /><meta name="robots" content="noindex" /><title>${e.title}</title><link rel="icon" href="${e.iconHref}" /><style>
|
|
27
27
|
${e.styles}
|
|
28
|
-
</style></head><body><main class="card"><header class="card__head">${e.headerIcon}<h1 class="card__title">${e.heading}</h1>${e.subhead}</header><div class="card__body">${e.body}</div>${e.footer}</main></body></html>`}n(ot,"renderShell");var
|
|
29
|
-
`);return S`<pre class="banner__message" style="white-space: pre-wrap; overflow-wrap: anywhere; margin-top: 8px;"><code>${t}</code></pre>`}n(
|
|
28
|
+
</style></head><body><main class="card"><header class="card__head">${e.headerIcon}<h1 class="card__title">${e.heading}</h1>${e.subhead}</header><div class="card__body">${e.body}</div>${e.footer}</main></body></html>`}n(ot,"renderShell");var up="text/html; charset=utf-8";function it(e){try{return new URL(e).host}catch{return""}}n(it,"safeHostFromUrl");function ie(e){let t=pp(e.kind??"authorization_failed"),r=lp(e);return new Response(rt(ot({title:e.title??t.title,iconHref:"",styles:nt,headerIcon:te,heading:e.title??t.title,subhead:"",body:Ra({detail:e.detail,guidance:S`<p class="card__description">${t.guidance}</p>`,technicalDetails:yp({diagnostic:r,upstreamHtml:e.upstreamHtml}),action:hp(e.action)}),footer:""})),{status:e.status??400,headers:{"content-type":up,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"}})}n(ie,"browserErrorPageResponse");function lp(e){let t=e.diagnostic?.code??e.code??"unknown";return{code:t,stage:e.diagnostic?.stage??mp(t),timestamp:e.diagnostic?.timestamp??new Date().toISOString(),...e.requestId===void 0&&e.diagnostic?.requestId===void 0?{}:{requestId:e.diagnostic?.requestId??e.requestId},...e.diagnostic?.operationId===void 0?{}:{operationId:e.diagnostic.operationId},...e.diagnostic?.routePath===void 0?{}:{routePath:e.diagnostic.routePath},...e.diagnostic?.upstreamServerId===void 0?{}:{upstreamServerId:e.diagnostic.upstreamServerId},...e.diagnostic?.authProfileId===void 0?{}:{authProfileId:e.diagnostic.authProfileId},...e.diagnostic?.upstreamUrl===void 0?{}:{upstreamUrl:e.diagnostic.upstreamUrl},...e.diagnostic?.metadataUrl===void 0?{}:{metadataUrl:e.diagnostic.metadataUrl},...e.diagnostic?.httpStatus===void 0?{}:{httpStatus:e.diagnostic.httpStatus},...e.diagnostic?.contentType===void 0?{}:{contentType:e.diagnostic.contentType},...e.diagnostic?.providerError===void 0?{}:{providerError:e.diagnostic.providerError},...e.diagnostic?.providerErrorDescription===void 0?{}:{providerErrorDescription:e.diagnostic.providerErrorDescription},suggestedFix:e.diagnostic?.suggestedFix??fp(t),underlyingError:e.diagnostic?.underlyingError??e.developerDetail}}n(lp,"buildBrowserErrorDiagnostic");function pp(e){switch(e){case"session_expired":return{title:"Authorization expired",guidance:"Return to your MCP client and reconnect. Expired authorization requests cannot be resumed."};case"access_denied":return{title:"Authorization canceled",guidance:"Return to your MCP client to retry if you want to grant access."};case"configuration_error":return{title:"Configuration needs attention",guidance:"Contact your workspace admin with this error code. The gateway or upstream configuration must be fixed before retrying."};case"connection_failed":return{title:"Connection failed",guidance:"Return to your MCP client and reconnect this upstream. If this keeps happening, contact your gateway administrator with this error code."};case"invalid_request":return{title:"Authorization request invalid",guidance:"Return to your MCP client and try connecting again. If this keeps happening, the client request may need to be fixed."};case"admin_required":return{title:"Admin setup required",guidance:"Contact your workspace admin with this error code. This connection cannot be completed until setup is finished."};case"internal_error":return{title:"Gateway error",guidance:"Try again later from your MCP client. If this keeps happening, contact your gateway administrator with this error code."};case"authorization_failed":return{title:"Authorization failed",guidance:"Return to your MCP client and start authorization again. If this keeps happening, contact your gateway administrator with this error code."}}}n(pp,"readBrowserErrorPagePresentation");function mp(e){switch(e){case"upstream_oauth_discovery_unavailable":return"upstream_oauth_discovery";case"upstream_client_registration_required":return"upstream_oauth_client_registration";case"upstream_provider_access_denied":case"upstream_token_exchange_failed":case"upstream_token_response_invalid":return"upstream_token_exchange";case"provider_access_denied":return"upstream_oauth_callback";case"oauth_state_invalid":case"oauth_state_expired":case"oauth_state_reused":case"oauth_callback_mismatch":return"upstream_oauth_state";case"browser_login_verification_failed":return"downstream_browser_login";case"authentication_required":case"identity_context_missing":return"downstream_auth";case"mcp_route_not_enabled":case"unknown_upstream_server":case"unknown_mcp_route":case"unknown_auth_profile":case"mcp_route_upstream_mismatch":return"gateway_configuration";case"server_error":case"internal_server_error":return"gateway_internal";default:return"gateway_request"}}n(mp,"readBrowserErrorStage");function fp(e){switch(e){case"upstream_oauth_discovery_unavailable":return"Confirm the upstream MCP URL and OAuth protected resource metadata. If the provider requires approval, configure the provider app or contact the provider.";case"upstream_client_registration_required":return"Register an OAuth client with the upstream provider, then configure the gateway to use that client before retrying.";case"upstream_provider_access_denied":return"Confirm the provider allows this gateway, OAuth client, and upstream MCP URL, then retry the connection.";case"upstream_token_exchange_failed":return"Retry the connection. If it repeats, verify the upstream OAuth client, redirect URI, token endpoint, and provider allowlist.";case"upstream_token_response_invalid":return"Verify the upstream token endpoint returns a valid OAuth token response for this gateway client.";case"provider_access_denied":return"Start the connection again if access was denied by mistake. Otherwise, grant the requested upstream provider access.";case"oauth_state_invalid":case"oauth_state_expired":case"oauth_state_reused":case"oauth_callback_mismatch":return"Start a new connection from the MCP client. The previous browser authorization request cannot be resumed.";case"browser_login_verification_failed":return"Retry the browser login flow. If it repeats, verify the downstream login callback configuration.";case"mcp_route_not_enabled":case"unknown_upstream_server":case"unknown_mcp_route":case"unknown_auth_profile":case"mcp_route_upstream_mismatch":return"Check the MCP route, upstream server, and auth profile entries in the gateway configuration.";case"authentication_required":case"identity_context_missing":return"Verify the normal Zuplo auth policy runs before the MCP gateway policy and sets request.user.";case"server_error":case"internal_server_error":return"Retry later and check gateway logs with the request ID.";default:return"Check the gateway configuration and request details associated with this error code."}}n(fp,"readBrowserErrorSuggestedFix");function hp(e){return e===void 0?te:S`<a class="button button--primary button--block" href="${e.href}">${e.label}</a>`}n(hp,"renderAction");function gp(e){let t=[["Error code",e.code],["Stage",e.stage],["Request ID",e.requestId],["Time",e.timestamp],["Gateway route",e.routePath],["Operation ID",e.operationId],["Upstream",e.upstreamServerId],["Auth profile",e.authProfileId],["Upstream URL",e.upstreamUrl],["Metadata URL",e.metadataUrl],["HTTP status",e.httpStatus],["Content type",e.contentType],["Provider error",e.providerError],["Provider error description",e.providerErrorDescription],["Suggested fix",e.suggestedFix],["Underlying error",e.underlyingError]].filter(r=>r[1]!==void 0).map(([r,o])=>`${r}: ${o}`).join(`
|
|
29
|
+
`);return S`<pre class="banner__message" style="white-space: pre-wrap; overflow-wrap: anywhere; margin-top: 8px;"><code>${t}</code></pre>`}n(gp,"renderTechnicalPre");function gr(e){return e.value===void 0||e.value===""?te:S`<p class="banner__message"><strong>${e.label}:</strong> <code>${e.value}</code></p>`}n(gr,"renderOptionalTechnicalRow");function yp(e){return S`<section class="banner banner--warning" aria-label="Developer details">
|
|
30
30
|
<span class="banner__icon" aria-hidden="true">!</span>
|
|
31
31
|
<div class="banner__body">
|
|
32
32
|
<p class="banner__title">Developer details</p>
|
|
@@ -37,14 +37,14 @@ import{$ as d,$b as Tc,$c as qr,Ab as K,Ac as wo,Ad as v,Bb as eo,Bc as ee,Bd as
|
|
|
37
37
|
${gr({label:"Request ID",value:e.diagnostic.requestId})}
|
|
38
38
|
${gr({label:"Suggested fix",value:e.diagnostic.suggestedFix})}
|
|
39
39
|
${gr({label:"Reason",value:e.diagnostic.underlyingError})}
|
|
40
|
-
${
|
|
41
|
-
${
|
|
40
|
+
${gp(e.diagnostic)}
|
|
41
|
+
${_p(e.upstreamHtml)}
|
|
42
42
|
</div>
|
|
43
|
-
</section>`}n(
|
|
43
|
+
</section>`}n(yp,"renderTechnicalDetails");function _p(e){return e===void 0?te:S`<iframe
|
|
44
44
|
title="Upstream HTML error response"
|
|
45
45
|
sandbox
|
|
46
46
|
srcdoc="${e}"
|
|
47
47
|
style="border: 1px solid var(--warning-border); border-radius: var(--radius-sm); background: white; width: 100%; min-height: 220px; margin-top: 8px;"
|
|
48
|
-
></iframe>`}n(yp,"renderUpstreamHtml");var ba="application/json",_p="application/x-www-form-urlencoded";function yr(e,t){return new h({message:e,extensionMembers:{[g]:"invalid_request"}},t===void 0?void 0:{cause:t})}n(yr,"invalidRequestError");function wp(e){return(e??"").split(";")[0]?.trim().toLowerCase()??""}n(wp,"normalizeContentType");function bp(e,t){return e===t?!0:t===ba&&e.endsWith("+json")}n(bp,"contentTypeMatches");function Rp(e,t){if(!t||t.length===0)return;let r=wp(e.headers.get("content-type"));if(!t.some(o=>bp(r,o)))throw yr(`Request body must be ${t.join(" or ")}.`)}n(Rp,"assertExpectedContentType");function Ip(e,t,r){let o=e.headers.get("content-length");if(!o)return;let i=Number.parseInt(o,10);if(Number.isFinite(i)&&i>t)throw yr(`${r} exceeded the maximum allowed size.`)}n(Ip,"assertContentLengthWithinLimit");async function Ra(e,t){let r=t.label??"Request body";Rp(e,t.expectedContentTypes),Ip(e,t.maxBytes,r);let o=await dr(e.body,{maxBytes:t.maxBytes,createLimitError:n(()=>yr(`${r} exceeded the maximum allowed size.`),"createLimitError")});return new TextDecoder().decode(o)}n(Ra,"readBoundedTextBody");async function Ia(e,t){let r=await Ra(e,{...t,expectedContentTypes:[ba]});try{return JSON.parse(r)}catch(o){throw yr("Request body must be valid JSON.",o)}}n(Ia,"readBoundedJsonBody");async function Ca(e,t){let r=await Ra(e,{...t,expectedContentTypes:[_p]});return new URLSearchParams(r)}n(Ca,"readBoundedFormUrlEncodedBody");Z();Z();import{errors as va,jwtVerify as Aa,SignJWT as ka}from"jose";import{base64url as Cp}from"jose";var Sp="mcp-browser-login-pkce:",vp=new TextEncoder;async function Ap(e){return crypto.subtle.importKey("raw",F(e),{name:"HMAC",hash:"SHA-256"},!1,["sign"])}n(Ap,"importHmacKey");async function fn(e){let t=await Ap(e.signingKey),r=vp.encode(`${Sp}${e.stateId}`),o=await crypto.subtle.sign("HMAC",t,F(r));return Ne.parse(Cp.encode(new Uint8Array(o)))}n(fn,"deriveBrowserLoginPkceVerifier");async function Sa(e){let t=await fn(e),r=await Qt(t);return{codeVerifier:t,codeChallenge:r,codeChallengeMethod:Le}}n(Sa,"deriveBrowserLoginPkceParams");var kp={invalid_request:400,invalid_client:401,invalid_grant:400,invalid_target:400,unsupported_grant_type:400,server_error:500,invalid_redirect_uri:400,invalid_client_metadata:400},f=class extends Error{static{n(this,"OAuthProtocolError")}errorCode;status;constructor(t,r,o=kp[t],i){super(r,i),this.name="OAuthProtocolError",this.errorCode=t,this.status=o}};var xp=300,Tp=d.object({purpose:d.literal("gateway_browser_login"),transactionId:Pr,stateId:Er,exp:d.number().int().positive(),iat:d.number().int().positive().optional()}),Up=d.object({purpose:d.literal("gateway_authorization_setup"),transactionId:Pr,stateId:Er,exp:d.number().int().positive(),iat:d.number().int().positive().optional()});async function Et(){return oe({purpose:"browser-login",keyMaterialPurpose:"oauth-state-signing",derive:n(e=>ve(e,"browser-login"),"derive")})}n(Et,"getBrowserLoginKey");async function xa(){return oe({purpose:"authorization-csrf",keyMaterialPurpose:"oauth-state-signing",derive:n(e=>ve(e,"authorization-csrf"),"derive")})}n(xa,"getCsrfKey");function Ta(e){return{now:e.now??new Date,ttlSeconds:Ua()}}n(Ta,"readPendingTransactionDependencies");function Ua(){return N().browserLogin.stateTtlSeconds}n(Ua,"readBrowserLoginStateTtlSeconds");function Pp(e){let t=L();return K(e)&&t.isActionPath(e.pathname,"/oauth/dev-login")}n(Pp,"isLoopbackDevLoginUrl");async function Ep(e){let t=N().browserLogin,r=L(),o=new URL(be("url")),i=new URL(r.actionPath("/oauth/callback"),$e(e.requestUrl,e.requestHeaders));if(Pp(o))return o.searchParams.set("redirect_uri",i.toString()),o.searchParams.set("state",e.state),o;if(o.searchParams.set("response_type","code"),o.searchParams.set("client_id",be("clientId")),o.searchParams.set("redirect_uri",i.toString()),o.searchParams.set("scope",t.scope),o.searchParams.set("state",e.state),o.searchParams.set("nonce",e.nonce),t.audience&&o.searchParams.set("audience",t.audience),t.pkce===Le){let a=await Sa({stateId:e.stateId,signingKey:await Et()});o.searchParams.set("code_challenge",a.codeChallenge),o.searchParams.set("code_challenge_method",a.codeChallengeMethod)}return o}n(Ep,"buildBrowserLoginUrl");function Op(e,t){return e.subjectId===t.subjectId}n(Op,"principalsMatch");function Pa(e){return{subjectId:e.subjectId,...e.roles===void 0?{}:{roles:e.roles}}}n(Pa,"toPendingPrincipal");function Ea(e){let t={id:e.id,currentStateHash:e.currentStateHash,clientId:e.transaction.clientId,redirectUri:e.transaction.redirectUri,resource:e.transaction.resource,operationId:e.transaction.operationId,scope:e.transaction.scope,codeChallenge:e.transaction.codeChallenge,codeChallengeMethod:e.transaction.codeChallengeMethod,createdAt:I(e.now),expiresAt:I(de(e.now,e.ttlSeconds)),...e.transaction.clientState===void 0?{}:{clientState:e.transaction.clientState}};if(e.phase==="awaiting_login")return{...t,phase:"awaiting_login"};if(!e.principal)throw b("identity_context_missing","Authorization setup requires a principal.");return{...t,phase:"awaiting_setup",principal:Pa(e.principal)}}n(Ea,"createTransactionRecord");async function Oa(e){let{id:t,...r}=e.record,o=await R().startAuthorization({...r,transactionId:t,...e.client===void 0?{}:{client:e.client}});switch(o.kind){case"started":return o.transaction;case"already_exists":throw b("oauth_state_reused","Authorization transaction state already exists.");case"invalid_client":throw new f("invalid_client","OAuth client is not registered.");case"redirect_uri_mismatch":throw new f("invalid_request","redirect_uri is not registered for the client.")}}n(Oa,"startPendingTransaction");async function qp(e){return new ka({purpose:"gateway_browser_login",transactionId:e.transactionId,stateId:e.stateId}).setProtectedHeader({alg:V,typ:"JWT"}).setIssuer($).setAudience(W).setIssuedAt().setExpirationTime(Math.floor(Date.now()/1e3)+e.ttlSeconds).sign(await Et())}n(qp,"signBrowserLoginState");async function qa(e){return new ka({purpose:"gateway_authorization_setup",transactionId:e.transactionId,stateId:qr()}).setProtectedHeader({alg:V,typ:"JWT"}).setIssuer($).setAudience(W).setIssuedAt().setExpirationTime(Math.floor(Date.now()/1e3)+e.ttlSeconds).sign(await xa())}n(qa,"signCsrfToken");async function hn(e){try{let{payload:t}=await Aa(e,await Et(),{algorithms:[V],issuer:$,audience:W}),r=Tp.parse(t);return{transactionId:r.transactionId,stateId:r.stateId}}catch(t){throw t instanceof va.JWTExpired?b("oauth_state_expired","Browser login state has expired.",t):b("oauth_state_invalid","Browser login state could not be verified.",t)}}n(hn,"verifyBrowserLoginStateToken");async function _r(e){try{let{payload:t}=await Aa(e,await xa(),{algorithms:[V],issuer:$,audience:W});return{transactionId:Up.parse(t).transactionId}}catch(t){throw t instanceof va.JWTExpired?b("oauth_state_expired","Authorization setup state has expired.",t):b("oauth_state_invalid","Authorization setup state could not be verified.",t)}}n(_r,"verifyCsrfToken");function gn(e){return e==="consumed"||e==="consumed_already"||e==="stale_hash"?"oauth_state_reused":e==="expired"?"oauth_state_expired":"oauth_state_invalid"}n(gn,"pendingStateErrorCode");function Mp(e){return e.kind==="available"?{kind:"available",record:e.transaction}:e}n(Mp,"toPendingAuthorizationGetResult");function Dp(e){return e.kind==="advanced"?{kind:"advanced",record:e.transaction}:e}n(Dp,"toPendingAuthorizationAdvanceResult");function yn(e){return e==="principal_mismatch"?"oauth_callback_mismatch":gn(e==="consumed_already"?"consumed_already":e)}n(yn,"setupDecisionErrorCode");async function Ma(e){let t=e.now??new Date,r=await _r(e.csrfToken),o=await R().markAuthorizationSetupApproved({transactionId:r.transactionId,currentStateHash:await T(e.csrfToken),currentPrincipal:{subjectId:e.currentBrowserPrincipal.subjectId},now:I(t)});if(o.kind!=="marked")throw b(yn(o.kind),"Authorization setup state is invalid, expired, or already used.");return Da({kind:"available",record:o.transaction})}n(Ma,"markSetupApproved");function Da(e){if(e.kind!=="available")throw b(gn(e.kind),"Authorization setup state is invalid, expired, or already used.");if(e.record.phase!=="awaiting_setup")throw b("oauth_state_invalid","Authorization setup state is not in the setup phase.");return e.record}n(Da,"requireAwaitingSetup");function jp(e){if(!Op(e.currentBrowserPrincipal,e.transaction.principal))throw b("oauth_callback_mismatch","Authorization setup state does not match the current browser session.")}n(jp,"requireCurrentPrincipalMatches");async function ja(e){let t=e.now??new Date,r=Ua(),o=Or(),i=qr(),a=await qp({transactionId:o,stateId:i,ttlSeconds:r}),s=Ea({id:o,transaction:e.transaction,currentStateHash:await T(a),phase:"awaiting_login",now:t,ttlSeconds:r});if(s.phase!=="awaiting_login")throw b("oauth_state_invalid","Authorization transaction did not start in login phase.");let c=await Oa({record:s,client:e.transaction.client});if(c.phase!=="awaiting_login")throw b("oauth_state_invalid","Authorization transaction did not start in login phase.");let u=await Ep({state:a,nonce:i,stateId:i,requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders}});return{transaction:c,browserLoginStateToken:a,browserLoginUrl:u}}n(ja,"startAwaitingLogin");async function za(e){let{now:t,ttlSeconds:r}=Ta(e),o=Or(),i=await qa({transactionId:o,ttlSeconds:r}),a=Ea({id:o,transaction:e.transaction,currentStateHash:await T(i),phase:"awaiting_setup",principal:e.principal,now:t,ttlSeconds:r});if(a.phase!=="awaiting_setup")throw b("oauth_state_invalid","Authorization transaction did not start in setup phase.");let s=await Oa({record:a,client:e.transaction.client});if(s.phase!=="awaiting_setup")throw b("oauth_state_invalid","Authorization transaction did not start in setup phase.");return{transaction:s,csrfToken:i}}n(za,"startAwaitingSetup");async function Ha(e){let{now:t,ttlSeconds:r}=Ta(e),o=await hn(e.browserLoginStateToken),i=await qa({transactionId:o.transactionId,ttlSeconds:r}),a=Dp(await R().advancePendingAuthorization({transactionId:o.transactionId,expectedPhase:"awaiting_login",currentStateHash:await T(e.browserLoginStateToken),nextStateHash:await T(i),nextPhase:"awaiting_setup",principal:Pa(e.principal),now:I(t)}));if(a.kind!=="advanced")throw b(gn(a.kind),"Browser login state is invalid, expired, or already used.");if(a.record.phase!=="awaiting_setup")throw b("oauth_state_invalid","Browser login did not advance to setup.");return{transaction:a.record,csrfToken:i}}n(Ha,"completeLogin");async function Ba(e){let t=await _n(e);return jp({transaction:t,currentBrowserPrincipal:e.currentBrowserPrincipal}),t}n(Ba,"getSetup");async function _n(e){let t=e.now??new Date,r=await _r(e.csrfToken);return Da(Mp(await R().readPendingAuthorization({transactionId:r.transactionId,currentStateHash:await T(e.csrfToken),now:I(t)})))}n(_n,"getSetupTransaction");async function zp(e){let t=await _r(e.csrfToken),r=le(),o=I(de(e.now,xp)),i=await R().decideAuthorizationSetup({decision:"approve",transactionId:t.transactionId,currentStateHash:await T(e.csrfToken),currentPrincipal:{subjectId:e.currentBrowserPrincipal.subjectId},authorizationCodeHash:await T(r),authorizationCodeExpiresAt:o,grantId:Ao(),now:I(e.now)});if(i.kind!=="approved")throw b(i.kind==="cancelled"?"oauth_state_invalid":yn(i.kind),"Authorization setup state is invalid, expired, or already used.");let a=new URL(i.transaction.redirectUri);return a.searchParams.set("code",r),i.transaction.clientState&&a.searchParams.set("state",i.transaction.clientState),a}n(zp,"createAuthorizationCodeRedirectWithDecision");async function Hp(e){let t=await _r(e.csrfToken),r=await R().decideAuthorizationSetup({decision:"cancel",transactionId:t.transactionId,currentStateHash:await T(e.csrfToken),currentPrincipal:{subjectId:e.currentBrowserPrincipal.subjectId},now:I(e.now)});if(r.kind!=="cancelled")throw b(r.kind==="approved"?"oauth_state_invalid":yn(r.kind),"Authorization setup state is invalid, expired, or already used.");return Bp({redirectUri:r.transaction.redirectUri,clientState:r.transaction.clientState})}n(Hp,"createCancelRedirectWithDecision");function Bp(e){let t=new URL(e.redirectUri);return t.searchParams.set("error","access_denied"),t.searchParams.set("error_description","The user cancelled the MCP authorization request."),e.clientState!==void 0&&t.searchParams.set("state",e.clientState),t}n(Bp,"buildClientCancelRedirect");async function La(e){let t=e.now??new Date;return zp({csrfToken:e.csrfToken,currentBrowserPrincipal:e.currentBrowserPrincipal,now:t})}n(La,"approve");async function Na(e){let t=e.now??new Date;return Hp({csrfToken:e.csrfToken,currentBrowserPrincipal:e.currentBrowserPrincipal,now:t})}n(Na,"cancel");Z();import{createRemoteJWKSet as Lp,errors as at,jwtVerify as Ja,SignJWT as Np}from"jose";var Rn="zuplo_mcp_session",Jp=d.object({purpose:d.literal("gateway_browser_session"),sub:ut,browserLoginOrigin:d.string().min(1),roles:d.array(d.string().min(1)).optional(),exp:d.number().int().positive(),iat:d.number().int().positive().optional()}),Gp=d.object({id_token:d.string().min(1),token_type:d.string().min(1).optional(),expires_in:d.number().optional(),access_token:d.string().min(1).optional(),refresh_token:d.string().min(1).optional(),scope:d.string().min(1).optional()}),Fp=d.object({error:d.string().min(1).optional(),error_description:d.string().min(1).optional(),error_uri:d.string().min(1).optional()}),$p=d.object({sub:ut,nonce:d.string().min(1)}).catchall(d.unknown()),wn;function Zp(e){let t=new Map;if(!e)return t;for(let r of e.split(";")){let o=r.indexOf("=");if(o<0)continue;let i=r.slice(0,o).trim(),a=r.slice(o+1).trim();if(i)try{t.set(i,decodeURIComponent(a))}catch{t.set(i,a)}}return t}n(Zp,"parseCookieHeader");async function Ga(){return oe({purpose:"browser-session",keyMaterialPurpose:"oauth-state-signing",derive:n(e=>ve(e,"browser-session"),"derive")})}n(Ga,"getBrowserSessionKey");function bn(e,t){let r=new URL(M(e,t)),o=[`${Rn}=`,"Path=/","HttpOnly","SameSite=Lax","Max-Age=0"];return r.protocol==="https:"&&o.push("Secure"),o.join("; ")}n(bn,"buildBrowserSessionEvictionCookie");function Kp(e){let t=new URL(M(e.requestUrl,e.requestHeaders)),r=[`${Rn}=${encodeURIComponent(e.value)}`,"Path=/","HttpOnly","SameSite=Lax",`Max-Age=${e.ttlSeconds}`];return t.protocol==="https:"&&r.push("Secure"),r.join("; ")}n(Kp,"serializeSessionCookie");function Fa(){return new URL(be("url")).origin}n(Fa,"readBrowserLoginOrigin");function Wp(e){let t=Fp.safeParse(e);if(!t.success)return{};let r={};return t.data.error!==void 0&&(r.idpError=t.data.error),t.data.error_description!==void 0&&(r.idpErrorDescription=t.data.error_description.slice(0,256)),t.data.error_uri!==void 0&&(r.idpErrorUri=t.data.error_uri.slice(0,256)),r}n(Wp,"readIdpErrorFields");function Vp(e){return e instanceof at.JWTExpired?"expired":e instanceof at.JWTClaimValidationFailed?"claim":e instanceof at.JWSSignatureVerificationFailed?"signature":e instanceof at.JWKSNoMatchingKey?"jwks_no_match":e instanceof at.JWTInvalid?"invalid":e instanceof d.ZodError?"schema":"other"}n(Vp,"readJwtFailureKind");function Yp(e){return e instanceof Error&&"cause"in e?e.cause:e}n(Yp,"readErrorCause");function Xp(e){if(e!==null&&typeof e=="object"&&"extensionMembers"in e)return e.extensionMembers?.gatewayCode}n(Xp,"readRuntimeGatewayCode");function Qp(){if(!wn){let e=N();wn=Lp(new URL(e.oidc.jwksUrl),{timeoutDuration:e.browserLogin.remoteTimeoutMs})}return wn}n(Qp,"readFederatedJwks");function $a(e){if(!e.user)throw b("authentication_required","The browser login callback did not include an authenticated Zuplo principal.");return Pe(e.user,e.url)}n($a,"resolveCurrentRequestPrincipal");async function wr(e,t={}){let r=Zp(e.headers.get("cookie")).get(Rn);if(!r)return{};try{let{payload:o}=await Ja(r,await Ga(),{algorithms:[V],issuer:$,audience:W}),i=Jp.parse(o);if(i.browserLoginOrigin!==Fa())return{evictCookie:bn(e.url,e.headers)};let a={subjectId:i.sub};return i.roles&&i.roles.length>0&&(a.roles=i.roles),{principal:a}}catch(o){return o instanceof at.JWTExpired?{evictCookie:bn(e.url,e.headers)}:(t.context?.log.warn({event:"browser_session_verification_failed",errorName:o instanceof Error?o.name:"unknown",errorMessage:o instanceof Error?o.message:"verification failed"},"Browser session JWT verification failed"),{evictCookie:bn(e.url,e.headers)})}}n(wr,"readBrowserSession");async function br(e){let t=N().browserLogin.sessionTtlSeconds,r={purpose:"gateway_browser_session",sub:e.principal.subjectId,browserLoginOrigin:Fa()};e.principal.roles&&(r.roles=e.principal.roles);let o=await new Np(r).setProtectedHeader({alg:V,typ:"JWT"}).setIssuer($).setAudience(W).setIssuedAt().setExpirationTime(Math.floor(Date.now()/1e3)+t).sign(await Ga());return Kp({value:o,requestUrl:e.requestUrl,requestHeaders:e.requestHeaders,ttlSeconds:t})}n(br,"createBrowserSessionCookie");async function em(e){let t=N(),r=be("tokenUrl"),o=be("clientId"),i=be("clientSecret"),a=new URL(L().actionPath("/oauth/callback"),$e(e.requestUrl,e.requestHeaders)).toString(),s=new URLSearchParams({grant_type:"authorization_code",code:e.code,redirect_uri:a,client_id:o,client_secret:i});if(t.browserLogin.pkce===Le){let c=await fn({stateId:e.stateId,signingKey:await Et()});s.set("code_verifier",c)}try{let{response:c,json:u}=await ur(r,{method:"POST",headers:{accept:"application/json","content-type":"application/x-www-form-urlencoded"},body:s},{maxResponseBytes:32768,problemCode:"browser_login_verification_failed",timeoutMs:t.browserLogin.remoteTimeoutMs,context:e.context});if(!c.ok){let y=Wp(u);throw e.context?.log.warn({event:"federated_token_exchange_failed",code:"provider_access_denied",idpHost:q(r),idpStatus:c.status,...y},"Federated browser login token exchange returned non-2xx from the identity provider"),b({code:"provider_access_denied",privateDetail:"Federated browser login token exchange failed.",cause:new Error(`IdP token exchange failed (status=${c.status}${y.idpError?` idp_error=${y.idpError}`:""}${y.idpErrorDescription?` idp_error_description=${y.idpErrorDescription}`:""})`)})}let l=Gp.parse(u),m;try{({payload:m}=await Ja(l.id_token,Qp(),{issuer:t.oidc.issuer,audience:o}))}catch(y){let E={};throw J(E,"error",y),e.context?.log.warn({event:"federated_id_token_verification_failed",code:"browser_login_verification_failed",failureKind:Vp(y),idpHost:q(r),expectedIssuer:t.oidc.issuer,...E},"Federated id_token failed jose verification"),y}if(m.nonce!==e.nonce)throw e.context?.log.warn({event:"federated_nonce_mismatch",code:"oauth_callback_mismatch",idpHost:q(r),nonceMissingFromIdToken:m.nonce===void 0},"Federated id_token nonce did not match the signed gateway state"),b("oauth_callback_mismatch","Federated browser login nonce did not match the signed gateway state.");let w=$p.parse(m);return{principal:Pe({sub:w.sub,data:w},e.requestUrl),subjectToken:{token:l.id_token,tokenType:pt,expiresAt:typeof m.exp=="number"?I(new Date(m.exp*1e3)):void 0}}}catch(c){let u=ce(c)??Xp(c);throw u!==void 0&&u!=="browser_login_verification_failed"?c:b("browser_login_verification_failed","Federated browser login callback could not be verified.",Yp(c))}}n(em,"exchangeFederatedAuthorizationCode");async function Za(e){let t=typeof e.request.query.code=="string"?e.request.query.code:void 0;if(t)return em({code:t,nonce:e.stateId,stateId:e.stateId,requestUrl:e.request.url,requestHeaders:e.request.headers,context:e.context});let r=await wr(e.request,{context:e.context});if(r.principal)return{principal:r.principal};throw b("oauth_callback_mismatch","Federated browser login callback is missing an authorization code.")}n(Za,"resolveBrowserLoginCallbackIdentity");Z();var tm=new Set(["about","blob","data","file","ftp","ftps","javascript","mailto","urn","ws","wss"]);function rm(e){return e.protocol.replace(/:$/u,"").toLowerCase()}n(rm,"readScheme");function nm(e){return e.protocol==="https:"}n(nm,"isSpecCompliantRedirectUri");function om(e){let t=rm(e);return t.length>0&&t!=="http"&&t!=="https"&&!tm.has(t)}n(om,"isNativeAppCustomSchemeRedirectUri");var Wa=[{id:"oauth.redirect_uri.https",mode:"strict",accepts:n(e=>nm(e),"accepts")},{id:"oauth.redirect_uri.loopback_http",mode:"native_app",accepts:n(e=>K(e),"accepts"),matches:n((e,t)=>K(e)&&K(t)&&e.pathname===t.pathname&&e.search===t.search,"matches")},{id:"oauth.redirect_uri.custom_scheme",mode:"native_app",accepts:n(e=>om(e),"accepts")}];function Va(e){let t=Wa.find(r=>r.accepts(e.url));return t===void 0?{kind:"rejected"}:{kind:"allowed",ruleId:t.id,mode:t.mode}}n(Va,"evaluateBuiltInRedirectUriCompatibility");function Ka(e){try{return new URL(e)}catch{return}}n(Ka,"parseUrl");function Ya(e){if(e.registeredRedirectUri===e.requestedRedirectUri)return!0;let t=Ka(e.registeredRedirectUri),r=Ka(e.requestedRedirectUri);return t===void 0||r===void 0?!1:Wa.some(o=>o.matches?.(t,r))}n(Ya,"redirectUriMatchesBuiltInCompatibility");var im=1e4,am=5*1024,sm=0,cm=2160*60*60,Xa=["authorization_code","refresh_token",Kt,Re],dm=["authorization_code","refresh_token"],Qa=[Co],um=["code"],lm=d.object({client_name:d.string().min(1).optional(),redirect_uris:d.array(d.string().min(1)).min(1),grant_types:d.array(d.enum(Xa)).min(1).max(Xa.length).optional(),authorization_grant_profiles_supported:d.array(d.enum(Qa)).min(1).max(Qa.length).optional(),response_types:d.array(d.enum(um)).min(1).max(1).optional(),scope:d.literal(D).optional(),token_endpoint_auth_method:vo.optional(),jwks_uri:d.string().min(1).optional()});function pm(e){try{let t=new URL(e);return(t.protocol==="https:"||t.protocol==="http:"&&K(t))&&t.pathname!=="/"}catch{return!1}}n(pm,"isCimdClientIdCandidate");function es(e,t){throw new f("invalid_client",qo({clientId:e})??"OAuth client is not registered.",void 0,t===void 0?void 0:{cause:t})}n(es,"invalidCimdClientError");function st(e,t="invalid_request"){if(mm(e))throw new f(t,"redirect_uris must not include raw whitespace or control characters.");let r;try{r=new URL(e)}catch{throw new f(t,"redirect_uris must be absolute URIs.")}if(r.hash||r.username||r.password)throw new f(t,"redirect_uris must not include credentials or fragments.");if(Va({url:r}).kind==="rejected")throw new f(t,"redirect_uris must use HTTPS, loopback HTTP, or a native-app private-use URI scheme.")}n(st,"assertValidRedirectUri");function mm(e){for(let t=0;t<e.length;t+=1){let r=e.charCodeAt(t);if(r<=32||r>=127&&r<=159)return!0}return!1}n(mm,"hasForbiddenRawRedirectUriCharacter");async function fm(e){let{response:t,json:r}=await hi(e.initialUrl,{headers:{accept:"application/json"}},{maxRedirects:sm,maxResponseBytes:am,timeoutMs:im});if(!t.ok)throw b("invalid_request","CIMD metadata could not be fetched.");let o=Vt(r);for(let i of o.redirect_uris)st(i,"invalid_request");if(o.jwks_uri!==void 0&&ft(o.jwks_uri),o.client_id!==e.clientId)throw b("invalid_request","Fetched CIMD client_id must exactly match the requested client_id.");return o}n(fm,"fetchCimdMetadata");async function hm(e){let t=Yt(e),r=await fm({clientId:e,initialUrl:t});return{kind:"cimd",clientId:e,metadata:r}}n(hm,"resolveCimdClient");async function Rr(e,t){let r=ue.parse(e);if(pm(r)){N().gateway.downstreamCimdEnabled||es(r);try{return await hm(r)}catch(i){es(r,i)}}let o=await R().readClient({clientId:r});if(o.kind==="found"){let i=o.client,a=Do(i.clientId),s=a===void 0?i.tokenEndpointAuthMethod:"private_key_jwt",c=i.jwksUri??a;if(s==="private_key_jwt"&&c===void 0)throw new f("invalid_client","Dynamic private_key_jwt client is missing JWKS metadata. Re-run client registration before authorization.");let u=Vt({client_id:i.clientId,client_name:i.clientName,redirect_uris:i.redirectUris,token_endpoint_auth_method:s,...c===void 0?{}:{jwks_uri:c}}),l={kind:"dcr",clientId:r,metadata:u};return i.hashedClientSecret&&(l.hashedClientSecret=i.hashedClientSecret),l}throw new f("invalid_client",r.startsWith("dcr:")?"Dynamic client is not registered. Re-run client registration before authorization.":"OAuth client is not registered.")}n(Rr,"resolveClient");function ts(e,t){if(!e.metadata.redirect_uris.some(r=>Ya({registeredRedirectUri:r,requestedRedirectUri:t})))throw b("invalid_request","redirect_uri is not registered for the client.")}n(ts,"assertRedirectRegistered");function gm(e){return e===void 0?[...dm]:Array.from(new Set(e))}n(gm,"normalizeGrantTypes");function ym(e){try{ft(e)}catch(t){throw new f("invalid_client_metadata","jwks_uri must be an HTTPS URL with a path, no credentials or fragment, and must not point at a blocked host.",void 0,{cause:t})}}n(ym,"assertValidDcrJwksUri");function _m(e){return e.tokenEndpointAuthMethod==="private_key_jwt"&&e.jwksUri!==void 0?ue.parse(Mo({clientId:crypto.randomUUID(),jwksUri:e.jwksUri})):ue.parse(`dcr:${crypto.randomUUID()}`)}n(_m,"createDcrClientId");function ct(e){if(e===void 0||e===D)return D;throw new f("invalid_request",`Only the ${D} scope is supported.`)}n(ct,"assertSupportedOAuthScope");function je(e,t,r){let o;try{o=new URL(t)}catch{throw new f("invalid_target","resource must be an absolute URI.")}if(o.hash)throw new f("invalid_target","resource must not include a fragment.");if(o.protocol!=="https:"&&!K(o))throw new f("invalid_target","resource must use HTTPS except loopback HTTP resources in local development.");let i=M(e,r),a=Ro(),s=a?[...a.byOperationId.values()].find(c=>new URL(c.routePath,i).toString()===t):void 0;if(!s)throw new f("invalid_target","resource must match a published MCP route.");return s}n(je,"resolveResource");async function rs(e){let t;try{t=lm.parse(e)}catch(y){if(y instanceof d.ZodError){let E=y.issues.some(x=>x.path[0]==="redirect_uris");throw new f(E?"invalid_redirect_uri":"invalid_client_metadata",y.issues[0]?.message??"Client metadata is invalid.",void 0,{cause:y})}throw y}for(let y of t.redirect_uris)st(y,"invalid_redirect_uri");if(t.token_endpoint_auth_method==="private_key_jwt"&&t.jwks_uri===void 0)throw new f("invalid_client_metadata","jwks_uri is required for private_key_jwt clients.");t.jwks_uri!==void 0&&ym(t.jwks_uri);let r=new Date,o=t.token_endpoint_auth_method??"none",i=o==="private_key_jwt"?"none":o,a=_m({tokenEndpointAuthMethod:o,jwksUri:t.jwks_uri}),s=Vt({client_id:a,client_name:t.client_name??"Dynamically registered MCP client",redirect_uris:t.redirect_uris,token_endpoint_auth_method:o,...t.jwks_uri===void 0?{}:{jwks_uri:t.jwks_uri}}),c=de(r,cm),u=Math.floor(r.getTime()/1e3),l=Math.floor(c.getTime()/1e3),m={client_id:s.client_id,client_name:s.client_name,redirect_uris:s.redirect_uris,grant_types:gm(t.grant_types),authorization_grant_profiles_supported:t.authorization_grant_profiles_supported,response_types:["code"],scope:D,token_endpoint_auth_method:s.token_endpoint_auth_method,client_id_issued_at:u,jwks_uri:s.jwks_uri},w={clientId:s.client_id,clientName:s.client_name,redirectUris:s.redirect_uris,tokenEndpointAuthMethod:i,createdAt:I(r),clientExpiresAt:I(c)};if(o==="client_secret_basic"||o==="client_secret_post"){let y=le();w.hashedClientSecret=await T(y),w.clientSecretExpiresAt=I(c),m.client_secret=y,m.client_secret_expires_at=l,m.client_secret_issued_at=u}if((await R().registerClient(w)).kind==="already_exists")throw b("invalid_request","OAuth client is already registered.");return m}n(rs,"registerDownstreamClient");function wm(e){return e?.metadata?.idpSubjectTokenType!==Ze&&e?.metadata?.idpSubjectTokenExpiresAt!==void 0&&new Date(e.metadata.idpSubjectTokenExpiresAt).getTime()<=Date.now()?!1:e?.status==="active"&&e.metadata?.encryptedIdpSubjectToken!==void 0&&e.metadata.idpSubjectTokenType!==void 0}n(wm,"hasStoredIdJagSubjectTokenBinding");async function ns(e){let t=Fe(e.principal.subjectId);return(await R().batchGetUpstreamConnections([{owner:t,upstreamServerId:e.connection.upstreamServerId,authProfileId:e.connection.authProfileId}]))[0]}n(ns,"readIdJagSubjectConnection");async function In(e){let t=ee().byOperationId.get(e.operationId);if(t?.connection===void 0||t.connection.authMode!=="id-jag")return!1;let r=await ns({connection:t.connection,principal:e.principal});return!wm(r)}n(In,"requiresIdJagSubjectTokenBinding");async function os(e){if(e.subjectToken===void 0)return;let t=ee().byOperationId.get(e.transaction.operationId);if(t?.connection===void 0||t.connection.authMode!=="id-jag"||e.principal.subjectId!==e.transaction.principal.subjectId)return;let r=await ns({connection:t.connection,principal:e.principal});return R().upsertUpstreamConnection({id:r?.id??Xt(),ownerMode:"user",subjectId:e.transaction.principal.subjectId,upstreamServerId:t.connection.upstreamServerId,authProfileId:t.connection.authProfileId,status:"active",encryptedAccessToken:r?.encryptedAccessToken,encryptedRefreshToken:r?.encryptedRefreshToken,scopes:r?.scopes??[],expiresAt:r?.expiresAt,metadata:{...r?.metadata??{},encryptedIdpSubjectToken:await me(e.subjectToken.token),idpSubjectTokenType:e.subjectToken.tokenType,idpSubjectTokenExpiresAt:e.subjectToken.expiresAt}})}n(os,"bindIdJagSubjectTokenForAuthorizationTransaction");function Ir(e){return S`<img class="card__icon" src="${e.iconHref}" alt="" width="48" height="48" referrerpolicy="no-referrer" onerror=" this.onerror = null; this.src = '${e.fallbackIconHref}'; " />`}n(Ir,"renderShellIcon");function is(e){return S`<form class="actions" method="post" action="${e.setupAction}" ${e.submitOnceAttrs}><input type="hidden" name="state" value="${e.state}" /><button class="button button--secondary" type="submit" name="decision" value="cancel" formnovalidate >Cancel</button><button class="button button--primary" type="submit" name="decision" value="approve" ${e.authorizeAttrs} >Authorize</button></form>`}n(is,"renderActions");var as=fe('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="16" height="16" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><circle cx="8" cy="8" r="6.5"/><line x1="8" y1="4.6" x2="8" y2="8.4"/><circle cx="8" cy="11" r=".7" fill="currentColor" stroke="none"/></svg>');function ss(e){return S`<div class="banner banner--warning" role="status"><span class="banner__icon" aria-hidden="true">${e.icon}</span><div class="banner__body"><p class="banner__title">Setup required</p><p class="banner__message">${e.message}</p></div></div>`}n(ss,"renderBannerWarning");var uR=fe('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="14" height="14" fill="none" stroke="currentColor" stroke-width="1.8" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M4 6.5l4 4 4-4"/></svg>'),lR=fe('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.6" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><rect x="3" y="4" width="18" height="7" rx="1.5"/><rect x="3" y="13" width="18" height="7" rx="1.5"/><circle cx="7" cy="7.5" r=".75" fill="currentColor" stroke="none"/><circle cx="7" cy="16.5" r=".75" fill="currentColor" stroke="none"/></svg>');var pR=fe('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="16" height="16" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M7.13 2.46 1.39 12.5a1 1 0 0 0 .87 1.5h11.48a1 1 0 0 0 .87-1.5L8.87 2.46a1 1 0 0 0-1.74 0Z"/><line x1="8" y1="6" x2="8" y2="9.4"/><circle cx="8" cy="11.4" r=".7" fill="currentColor" stroke="none"/></svg>');var bm="data:,",cs=S`data-submit-once="true" onsubmit="if (this.dataset.submitted === 'true') return false; this.dataset.submitted = 'true'; setTimeout(() => this.querySelectorAll('button').forEach((button) => { button.disabled = true; }), 0);"`,ds=S`data-activate-once="true" onclick="if (this.dataset.activated === 'true') return false; this.dataset.activated = 'true'; this.setAttribute('aria-disabled', 'true'); this.style.pointerEvents = 'none';"`;function Rm(e,t,r){if(e)try{let o=new URL(t).origin,i=new URL(e,o);return i.origin!==o||!i.pathname.startsWith(r.actionPath("/auth/connections/"))?void 0:i.toString()}catch{return}}n(Rm,"safeGatewayConnectHref");function Im(e){return e.some(r=>r.ownerMode==="user"&&r.status!=="active")?"setup":"grant"}n(Im,"deriveMode");function Cm(e){return is({state:e.state,setupAction:e.gateway.actionPath("/oauth/setup"),submitOnceAttrs:cs,authorizeAttrs:te})}n(Cm,"renderActions");function Cn(e,t,r,o){for(let i of e){if(i.ownerMode!=="user"||i.status!==r)continue;let a=Rm(i.connectUrl,t,o);if(a)return a}}n(Cn,"firstUserConnectHref");function Sm(e){let t=e.connectHref===void 0?te:S`<a class="button button--primary" href="${e.connectHref}" ${ds}>Connect</a>`;return S`<form class="actions" method="post" action="${e.gateway.actionPath("/oauth/setup")}" ${cs}><input type="hidden" name="state" value="${e.state}" /><button class="button button--secondary" type="submit" name="decision" value="cancel" formnovalidate>Cancel</button>${t}</form>`}n(Sm,"renderSetupActions");function vm(e){return e?S`<span class="reconnect-action"><a class="button button--secondary reconnect-button" href="${e}" ${ds}>Re-connect<span class="tooltip" tabindex="0" aria-label="Reset or change how the gateway connects to the upstream service, including changing scopes.">?</span></a></span>`:te}n(vm,"renderReconnectAction");function Am(e){try{let t=new URL(e);return t.protocol==="https:"||t.protocol==="http:"?!0:t.protocol==="data:"&&/^data:image\/(?:png|jpe?g|webp|svg\+xml);/i.test(e)}catch{return!1}}n(Am,"isRenderableIconHref");function us(e){return e?.find(t=>Am(t.src))?.src}n(us,"readIconHref");function km(e){return us(e.serverIcons)??(e.transportHost===void 0?void 0:Xr(e.transportHost).src)}n(km,"readUpstreamIconHref");function xm(e){let t=us(e.routeIcons);if(t!==void 0)return t;for(let r of e.upstreams){let o=km(r);if(o!==void 0)return o}}n(xm,"readHeaderIconHref");function Tm(e){let t=e.setupMessage===void 0?te:ss({icon:as,message:e.setupMessage});return S`<p class="card__subtitle">Authorize '<strong>${e.clientDisplayName}</strong>' to access '<strong>${e.routeDisplayName}</strong>' on your behalf?</p>${t}`}n(Tm,"renderBody");function Sn(e){let t=Im(e.upstreams),r=Cn(e.upstreams,e.gatewayOrigin,"not_connected",e.gateway),o=Cn(e.upstreams,e.gatewayOrigin,"reconsent_required",e.gateway),i=Cn(e.upstreams,e.gatewayOrigin,"active",e.gateway),a=t==="setup"?r??o:void 0,s=t==="setup"?e.upstreams.find(l=>l.ownerMode==="user"&&l.status!=="active"&&l.connectUrl===void 0&&l.setupMessage!==void 0)?.setupMessage:void 0,c=xm({routeIcons:e.routeIcons,upstreams:e.upstreams}),u=t==="setup"?S`<footer class="card__footer">${Sm({state:e.state,connectHref:a,gateway:e.gateway})}</footer>`:S`<footer class="card__footer">${vm(i)}${Cm({state:e.state,gateway:e.gateway})}</footer>`;return rt(ot({title:`Authorize access \xB7 ${e.routeDisplayName}`,iconHref:c??bm,styles:nt,headerIcon:c===void 0?te:Ir({iconHref:c,fallbackIconHref:ar}),heading:"Authorize access",subhead:te,body:Tm({routeDisplayName:e.routeDisplayName,clientDisplayName:e.clientDisplayName,setupMessage:s}),footer:u}))}n(Sn,"renderConsentPage");var Um=1e4,ls="mcp-session-id",Pm;function gs(){return{tools:[],prompts:[],resources:[]}}n(gs,"emptyCapabilities");function ps(){return new Headers({accept:"application/json, text/event-stream","content-type":"application/json","mcp-protocol-version":Mr})}n(ps,"buildReadinessHeaders");async function ms(e){if(e.type==="bearer_token"){let o=ps();return o.set("authorization",`Bearer ${e.token}`),o}let t=await e.provider.tokens();if(!t)return;let r=ps();return r.set("authorization",`${t.token_type??"Bearer"} ${t.access_token}`),r}n(ms,"buildAsyncCredentialHeaders");function fs(e){return new Request(e.upstreamUrl,{method:"POST",headers:e.headers,body:JSON.stringify($t.parse({jsonrpc:Ft,id:1,method:"initialize",params:{protocolVersion:Mr,capabilities:{},clientInfo:{name:"zuplo-mcp-gateway-readiness",version:"0.0.0"}}}))})}n(fs,"buildInitializePreflight");async function vn(e){mt(e.url);let t=new AbortController,r=setTimeout(()=>t.abort(),Um);try{let o=new Request(e,{redirect:"manual",signal:t.signal});return await Ht.fetch(o)}finally{clearTimeout(r)}}n(vn,"runPreflight");function An(e){e.body?.cancel().catch(()=>{})}n(An,"releasePreflightBody");async function Em(e){let t=e.response.headers.get(ls);if(!t)return;let r=new Headers(e.headers);r.set(ls,t),r.delete("content-type");try{let o=await vn(new Request(e.upstreamUrl,{method:"DELETE",headers:r}));An(o)}catch{}}n(Em,"terminatePreflightSession");async function ys(e){let{response:t}=e;return An(t),t.status>=200&&t.status<300?(await Em(e),{kind:"ready",upstreamStatus:t.status,capabilities:gs()}):t.status===401||t.status===403?{kind:"upstream_auth_rejected",status:t.status,message:"Upstream MCP server rejected the configured credential."}:{kind:"upstream_unavailable",status:t.status,message:"Upstream MCP server did not accept the readiness preflight."}}n(ys,"classifyResponse");function hs(e){let t={status:e.state==="reconsent_required"?"reconsent_required":"not_connected",connected:!1};return e.nextAction==="admin_setup_required"?{kind:"admin_setup_required",payload:e,connectionStatus:t}:{kind:"connect_required",payload:e,connectionStatus:t}}n(hs,"connectRequiredResult");async function Om(e){try{return ys({response:await vn(e.request),upstreamUrl:e.upstreamUrl,headers:e.headers})}catch(t){return{kind:"upstream_unavailable",message:t instanceof Error?t.message:"Upstream MCP server readiness preflight failed."}}}n(Om,"classifyPreflight");async function qm(e){let t=e.route.connection;if(t===void 0)return{kind:"ready",upstreamStatus:204,capabilities:gs()};let r=hr(t.upstreamServerId,e.route.operationId),o=tt(r,e.subjectId),i=e.returnTo===void 0?o:{...o,returnTo:e.returnTo},a=new Request(e.requestUrl,{headers:e.requestHeaders}),s=await et({request:a,routeAuth:i,preloadedConnection:e.preloadedConnection});if(s.kind==="connect_required")return hs(s.payload);let c=await ms(s.credential);if(c===void 0)return{kind:"upstream_auth_rejected",status:401,message:"Upstream credential did not produce tokens."};let u=fs({upstreamUrl:t.mcpUrl,headers:c}),l;try{l=await vn(u)}catch(P){return{kind:"upstream_unavailable",message:P instanceof Error?P.message:"Upstream MCP server readiness preflight failed."}}if(l.status!==401)return ys({response:l,upstreamUrl:t.mcpUrl,headers:c});An(l);let m=await et({request:a,routeAuth:i,forceRefresh:!0,preloadedConnection:e.preloadedConnection});if(m.kind==="connect_required")return hs(m.payload);let w=await ms(m.credential);return w===void 0?{kind:"upstream_auth_rejected",status:401,message:"Upstream credential did not produce tokens after refresh."}:Om({request:fs({upstreamUrl:t.mcpUrl,headers:w}),upstreamUrl:t.mcpUrl,headers:w})}n(qm,"checkUpstreamRouteReadinessImpl");function _s(e){return(Pm??qm)(e)}n(_s,"checkUpstreamRouteReadiness");function Mm(e){try{return new URL(e).host}catch{return}}n(Mm,"safeUrlHost");function ws(e){return e!==void 0&&e.length>0}n(ws,"hasItems");function Dm(e){let t=e.serverInfo?.icons;if(ws(t))return t;let r=sr(e.mcpUrl);return r===void 0?void 0:[r]}n(Dm,"readServerIcons");async function jm(e){let{authConfig:t,authMode:r,description:o,displayName:i,mcpUrl:a,ownerMode:s,upstreamServerId:c,authProfileId:u}=e.registeredConnection,l=s==="user",m=l&&r!=="id-jag",w=e.readiness??(l?Bo(e.connection):{connected:!0,status:"active"}),P=m?e.readiness?.connectUrl??(e.returnTo!==void 0?await tn({requestUrl:e.requestUrl,requestHeaders:e.requestHeaders,owner:e.userOwner,initiatedBySubjectId:e.transaction.principal.subjectId,upstreamServerId:c,authProfileId:u,operationId:e.route.operationId,returnTo:e.returnTo}):void 0):void 0,y=t.mode==="id-jag"?t.idJag.scopes:t.oauth.scopes;return{upstreamServerId:c,authProfileId:u,authMode:r,ownerMode:s,upstreamDisplayName:i,description:o,transportHost:Mm(a),scopesRequested:ws(y)?y:void 0,serverIcons:Dm(e.registeredConnection),status:w.status,connected:w.connected,capabilities:{tools:[],prompts:[],resources:[]},connectUrl:P,setupMessage:e.setupMessage,updatedAt:l&&"updatedAt"in w&&w.updatedAt!==void 0?w.updatedAt:void 0,expiresAt:e.readiness?.expiresAt??e.connection?.expiresAt}}n(jm,"buildSetupRequirement");function bs(e){let t=ee().byOperationId.get(e);if(!t)throw b("unknown_mcp_route",`Unknown MCP route: ${e}`);return t}n(bs,"requireRoute");async function kn(e){let t=bs(e.transaction.operationId),r=Fe(e.transaction.principal.subjectId),o=t.connection;if(o===void 0)return[];let a=o.ownerMode==="user"?(await R().batchGetUpstreamConnections([{owner:r,upstreamServerId:o.upstreamServerId,authProfileId:o.authProfileId}]))[0]:void 0,s=await _s({requestUrl:e.requestUrl,requestHeaders:e.requestHeaders,route:t,subjectId:e.transaction.principal.subjectId,preloadedConnection:a,returnTo:e.returnTo}),c="connectionStatus"in s?s.connectionStatus:void 0,u=(s.kind==="connect_required"||s.kind==="admin_setup_required")&&s.payload.authUrl!==void 0?s.payload.authUrl:void 0,l=s.kind==="admin_setup_required"?s.payload.message:void 0;return[await jm({connection:a,registeredConnection:o,route:t,requestUrl:e.requestUrl,requestHeaders:e.requestHeaders,returnTo:e.returnTo,transaction:e.transaction,userOwner:r,setupMessage:l,readiness:c===void 0?void 0:{...c,connectUrl:u}})]}n(kn,"requirementsForSetup");async function xn(e){let t=bs(e.transaction.operationId),r=await R().readClient({clientId:e.transaction.clientId}),o=r.kind==="found"?r.client:void 0,i={gatewayOrigin:M(e.requestUrl,e.requestHeaders),routeDisplayName:t.connection?.displayName??t.operationId,clientDisplayName:o?.clientName??String(e.transaction.clientId),principalLabel:e.transaction.principal.subjectId},a=t.connection?.description;return a!==void 0&&(i.routeDescription=a),i}n(xn,"consentContext");function Tn(e){return e.some(t=>t.ownerMode==="user"&&t.status!=="active")}n(Tn,"hasUnresolvedUserUpstream");var zm=["mcp_user"],Hm="dev-browser-user",Bm=["resource is required for /oauth/authorize.","MCP clients should start at the MCP server URL and follow its WWW-Authenticate resource_metadata link.","If your client reached this endpoint directly, use /oauth/authorize/{routePath} where {routePath} is the published MCP route path without a leading slash and each segment is URL-encoded as needed, for example /oauth/authorize/mcp/linear, or add resource={protected resource URI from protected-resource metadata}."].join(" "),Lm=d.object({response_type:d.literal("code"),client_id:d.string().min(1),redirect_uri:d.string().min(1),resource:d.url(),code_challenge:d.string().min(43),code_challenge_method:no,state:d.string().min(1).optional(),scope:d.literal(D).default(D)}),Nm=d.enum(["continue","approve","cancel"]).default("continue"),Jm=d.object({state:d.string().min(1),decision:Nm}),xe=class extends Error{static{n(this,"DownstreamAuthorizeRedirectError")}redirectUri;clientState;errorCode;errorDescription;constructor(t){super(t.errorDescription?`${t.errorCode}: ${t.errorDescription}`:t.errorCode,t.cause===void 0?void 0:{cause:t.cause}),this.name="DownstreamAuthorizeRedirectError",this.redirectUri=t.redirectUri,this.clientState=t.clientState,this.errorCode=t.errorCode,this.errorDescription=t.errorDescription}};function Rs(e){return typeof e=="string"&&e.length>0?e:void 0}n(Rs,"readQueryString");function Gm(e,t){let r=Rs(e.query.resource);if(t===void 0){if(r!==void 0)return r;throw new f("invalid_target",Bm)}let o=Uo(t,e.url,e.headers);if(r===void 0||r===o)return o;throw new f("invalid_target","resource must match the scoped OAuth authorization endpoint resource.")}n(Gm,"requireAuthorizeResource");async function Fm(e,t){let r={};t!==void 0&&(r.context=t);let o=await wr(e,r);if(o.principal)return{principal:o.principal};if(!e.user)return o.evictCookie===void 0?{}:{setCookie:o.evictCookie};let i=$a(e);return{principal:i,setCookie:await br({principal:i,requestUrl:e.url,requestHeaders:e.headers})}}n(Fm,"resolveBrowserPrincipal");async function $m(e,t){let r={};t!==void 0&&(r.context=t);let o=await wr(e,r);if(!o.principal)throw b("authentication_required","Authorization setup requires a current browser session.");return o.principal}n($m,"requireSetupPrincipal");function Is(e){return`${L().actionPath("/oauth/setup")}?state=${encodeURIComponent(e)}`}n(Is,"buildSetupReturnTo");async function Cs(e){let t=await kn({transaction:e.transaction,requestUrl:e.requestUrl,requestHeaders:e.requestHeaders,returnTo:Is(e.csrfToken)}),r=await xn({transaction:e.transaction,requestUrl:e.requestUrl,requestHeaders:e.requestHeaders}),o={kind:"setup_page",html:Sn({state:e.csrfToken,operationId:e.transaction.operationId,gateway:L(),upstreams:t,...r})};return e.setCookie!==void 0&&(o.setCookie=e.setCookie),o}n(Cs,"renderSetup");function Zm(e){if(e===void 0)return;let t=e.metadata.token_endpoint_auth_method;return{clientId:e.clientId,clientName:e.metadata.client_name,tokenEndpointAuthMethod:t}}n(Zm,"toAuthorizationTransactionClient");async function Un(e,t={}){let r=Lm.parse({...e.query,resource:Gm(e,t.operationId),state:Rs(e.query.state)}),o=ct(r.scope);st(r.redirect_uri,"invalid_request");let i=new Date,a=ue.parse(r.client_id),s=await Rr(r.client_id,i);ts(s,r.redirect_uri);try{let c=je(e.url,r.resource,e.headers),u=Zm(s);t.context?.log.info({event:"oauth_authorize_request_parsed",clientId:a,operationId:c.operationId,scope:o,hasClientState:r.state!==void 0},"Downstream OAuth authorize: request parsed and client resolved"),t.context&&v(t.context,{eventType:C.MCP_OAUTH_AUTHORIZE_STARTED,outcome:"success",virtualServerName:c.operationId,attributes:{clientId:a,scope:o,responseType:r.response_type}});let l={clientId:s?.clientId??a,...u===void 0?{}:{client:u},redirectUri:r.redirect_uri,resource:r.resource,operationId:c.operationId,scope:o,codeChallenge:r.code_challenge,codeChallengeMethod:r.code_challenge_method,...r.state===void 0?{}:{clientState:r.state}},{principal:m,setCookie:w}=await Fm(e,t.context),P=m===void 0?!1:await In({operationId:c.operationId,principal:m});if(!m||P){let E=await ja({transaction:l,requestUrl:e.url,requestHeaders:e.headers,now:i});t.context?.log.info({event:"oauth_authorize_awaiting_login",clientId:a,operationId:c.operationId,reason:m?"id_jag_subject_binding_missing":"no_browser_session"},"Downstream OAuth authorize: redirecting to browser login");let x={kind:"redirect",location:E.browserLoginUrl};return w!==void 0&&(x.setCookie=w),x}let y=await za({transaction:l,principal:m,now:i});return t.context?.log.info({event:"oauth_authorize_awaiting_setup",clientId:a,operationId:c.operationId,subjectId:m.subjectId},"Downstream OAuth authorize: rendering consent/setup page"),t.context&&v(t.context,{eventType:C.MCP_OAUTH_AUTHORIZE_AWAITING_SETUP,outcome:"success",virtualServerName:c.operationId,attributes:{clientId:a,scope:o,responseType:r.response_type,subjectId:m.subjectId}}),Cs({transaction:y.transaction,csrfToken:y.csrfToken,requestUrl:e.url,requestHeaders:e.headers,setCookie:w})}catch(c){throw Km({redirectUri:r.redirect_uri,clientState:r.state,cause:c})}}n(Un,"authorizeDownstreamClient");function Km(e){if(e.cause instanceof xe)return e.cause;let t=Wm(e.cause);return t?new xe({redirectUri:e.redirectUri,clientState:e.clientState,errorCode:t.errorCode,errorDescription:t.errorDescription,cause:e.cause}):e.cause}n(Km,"toDownstreamAuthorizeRedirectError");function Wm(e){if(e instanceof f)return{errorCode:e.errorCode,errorDescription:e.message};if(e instanceof d.ZodError){let t=e.issues[0];return{errorCode:t?.path.includes("resource")?"invalid_target":"invalid_request",errorDescription:t?.message}}}n(Wm,"mapToOAuthRedirectError");async function Ss(e,t={}){let r=typeof e.query.error=="string"?e.query.error:void 0;if(r){let l=typeof e.query.error_description=="string"?e.query.error_description.slice(0,256):void 0,m=typeof e.query.error_uri=="string"?e.query.error_uri.slice(0,256):void 0;throw t.context?.log.warn({event:"browser_login_callback_idp_error",code:"provider_access_denied",idpError:r,...l===void 0?{}:{idpErrorDescription:l},...m===void 0?{}:{idpErrorUri:m}},"Identity provider redirected browser-login callback with an error"),b("provider_access_denied",l??"The delegated browser login was not completed.")}let o=typeof e.query.state=="string"?e.query.state:void 0;if(!o)throw t.context?.log.warn({event:"browser_login_callback_state_missing",code:"oauth_state_invalid"},"Browser login callback was invoked without a state parameter"),b("oauth_state_invalid","Browser login callback is missing state.");let i=await hn(o),a={request:e,stateId:i.stateId};t.context!==void 0&&(a.context=t.context);let s=await Za(a),c=await Ha({browserLoginStateToken:o,principal:s.principal});if(await os({transaction:c.transaction,principal:s.principal,subjectToken:s.subjectToken}),await In({operationId:c.transaction.operationId,principal:s.principal}))throw b("browser_login_verification_failed","The identity provider did not return the subject token required for XAA / ID-JAG.");let u=await Cs({transaction:c.transaction,csrfToken:c.csrfToken,requestUrl:e.url,requestHeaders:e.headers});return u.setCookie=await br({principal:s.principal,requestUrl:e.url,requestHeaders:e.headers}),u}n(Ss,"completeBrowserLoginCallback");async function vs(e){let t=N(),r=new URL(e.url);if(!K(r))throw b("forbidden","Local browser login is only available on loopback HTTP origins.");let o=typeof e.query.state=="string"?e.query.state:void 0;if(!o)throw b("oauth_state_invalid","Local browser login is missing state.");let i=L().actionPath("/oauth/callback"),a=new URL(typeof e.query.redirect_uri=="string"?e.query.redirect_uri:i,M(e.url)),s=new URL(M(e.url)).origin;if(a.origin!==s||a.pathname!==i)throw b("oauth_callback_mismatch",`Local browser login redirect_uri must target this gateway's ${i} route.`);a.searchParams.set("state",o);let c={subjectId:ut.parse(Hm),roles:zm};return{kind:"redirect",location:a,setCookie:await br({principal:c,requestUrl:e.url,requestHeaders:e.headers})}}n(vs,"completeLocalDevBrowserLogin");function Vm(e){let t=e.method==="POST"?e.body:e.query;return Jm.parse(t)}n(Vm,"readSetupContinueRequest");async function As(e){let{state:t,decision:r}=Vm({method:e.request.method,query:e.request.query,body:e.body}),o=new Date,i=await _n({csrfToken:t,now:o}),a=await $m(e.request,e.context);if(r==="cancel")return{kind:"redirect",location:await Na({csrfToken:t,currentBrowserPrincipal:a,now:o})};let s=await Ba({csrfToken:t,currentBrowserPrincipal:a,now:o}),c=await kn({transaction:s,requestUrl:e.request.url,requestHeaders:e.request.headers,returnTo:Is(t)});if(r==="approve"&&Tn(c)&&await Ma({csrfToken:t,currentBrowserPrincipal:a,now:o}),Tn(c)){let u=await xn({transaction:s,requestUrl:e.request.url,requestHeaders:e.request.headers});return{kind:"setup_page",html:Sn({state:t,operationId:s.operationId,gateway:L(),upstreams:c,...u})}}return{kind:"redirect",location:await La({csrfToken:t,currentBrowserPrincipal:a,now:o})}}n(As,"continueDownstreamAuthorizeSetup");Z();import{createLocalJWKSet as uf,decodeJwt as lf,errors as qt,jwtVerify as pf}from"jose";Z();import{createRemoteJWKSet as Ym,decodeJwt as Xm,decodeProtectedHeader as Qm,errors as Ot,jwtVerify as ef}from"jose";var Ps=30,U=d.string().min(1),tf=d.union([U,d.array(U).min(1)]),rf=d.union([U,d.array(U).min(1)]),nf=d.object({type:U,locations:d.array(U).optional(),actions:d.array(U).optional(),datatypes:d.array(U).optional(),identifier:U.optional(),privileges:d.array(U).optional()}).passthrough(),of=d.object({iss:d.url(),sub:U,aud:tf,client_id:U,resource:rf.optional(),scope:U.optional(),authorization_details:d.array(nf).optional(),jti:U,iat:d.number().int(),nbf:d.number().int().optional(),exp:d.number().int(),tenant:U.optional(),aud_tenant:U.optional(),aud_sub:U.optional(),sub_id:U.optional(),act:d.unknown().optional(),email:U.optional(),auth_time:d.number().int().optional(),acr:U.optional(),amr:d.array(U).optional(),cnf:d.unknown().optional()}).passthrough();function Y(e){throw new f("invalid_grant",e)}n(Y,"throwInvalidGrant");function af(e){return e instanceof Ot.JWTExpired?"expired":e instanceof Ot.JWTClaimValidationFailed?"claim":e instanceof Ot.JWSSignatureVerificationFailed?"signature":e instanceof Ot.JWKSNoMatchingKey?"jwks_no_match":e instanceof Ot.JWTInvalid?"invalid":e instanceof d.ZodError?"schema":"other"}n(af,"readJwtFailureKind");function sf(e){return Array.isArray(e.aud)?(e.aud.length!==1&&Y("ID-JAG audience must contain exactly one value."),e.aud[0]):e.aud}n(sf,"readSingleAudience");function ks(e){try{let t=of.parse(e);return sf(t),t}catch(t){if(t instanceof f)throw t;Y("ID-JAG claims are invalid.")}}n(ks,"parseIdJagClaims");function cf(e,t){e.idJag.enabled||Y("ID-JAG grant is not enabled.");let r=e.idJag.trustedIssuers.find(o=>o.issuer===t);return r===void 0&&Y("ID-JAG issuer is not trusted."),r}n(cf,"readTrustedIssuer");function df(e){let t=e.authorizationDetails;if(t===void 0)return;if(e.allowedTypes===void 0)return t;let r=new Set(e.allowedTypes);return t.filter(o=>r.has(o.type))}n(df,"readGrantedAuthorizationDetails");function xs(e){if(e.clientAuth.method==="none")throw new f("invalid_client","Client authentication failed.");e.claims.client_id!==e.authenticatedClientId&&Y("ID-JAG client_id must match the authenticated client."),e.trustedIssuer.expectedClientIds!==void 0&&!e.trustedIssuer.expectedClientIds.includes(e.claims.client_id)&&Y("ID-JAG client_id is not allowed for this issuer.")}n(xs,"assertClientBinding");function Ts(e){e.cnf!==void 0&&Y("ID-JAG cnf-bound assertions require DPoP support.")}n(Ts,"assertProofOfPossessionNotDeferred");function Us(e){let t=Math.floor(e.now.getTime()/1e3)+Ps;e.claims.iat>t&&Y("ID-JAG iat must not be in the future.")}n(Us,"assertIssuedAtNotInFuture");async function Es(e){let t;try{t=Qm(e.assertion)}catch{Y("ID-JAG assertion is malformed.")}t.typ!==Tr&&Y('ID-JAG header typ must be "oauth-id-jag+jwt".');let r;try{r=ks(Xm(e.assertion))}catch(c){if(c instanceof f)throw c;Y("ID-JAG assertion is malformed.")}let o=$e(e.requestUrl,e.requestHeaders),i=[o];e.requestedResource!==void 0&&e.requestedResource!==o&&i.push(e.requestedResource);let a=cf(e.config,r.iss);i.includes(r.iss)&&Y("ID-JAG issuer must be different from the gateway."),xs({claims:r,trustedIssuer:a,authenticatedClientId:e.authenticatedClientId,clientAuth:e.clientAuth}),Ts(r),Us({claims:r,now:e.now});let s;try{let c=Ym(new URL(a.jwksUrl)),{payload:u}=await ef(e.assertion,c,{issuer:a.issuer,audience:i,currentDate:e.now,clockTolerance:Ps,typ:Tr});s=ks(u)}catch(c){e.context?.log.warn({event:"oauth_id_jag_verification_failed",issuer:a.issuer,failureKind:af(c)},"OAuth ID-JAG assertion verification failed"),Y("ID-JAG assertion verification failed.")}return xs({claims:s,trustedIssuer:a,authenticatedClientId:e.authenticatedClientId,clientAuth:e.clientAuth}),Ts(s),Us({claims:s,now:e.now}),{claims:s,trustedIssuer:a,subjectId:Po({issuer:s.iss,subject:s.sub,gatewayIssuer:o,subjectMapping:a.subjectMapping,tenant:s.tenant}),grantedAuthorizationDetails:df({authorizationDetails:s.authorization_details,allowedTypes:e.config.idJag.enabled?e.config.idJag.authorizationDetailsTypesAllowed:void 0})}}n(Es,"verifyIdJagAssertion");var mf=new Set(["authorization_code","refresh_token",Re]),ff=1e4,hf=32*1024,gf=2,yf=3600,Pn=d.object({client_id:d.string().min(1).optional(),client_secret:d.string().min(1).optional(),client_assertion_type:d.string().min(1).optional(),client_assertion:d.string().min(1).optional()}),_f=d.discriminatedUnion("grant_type",[Pn.extend({grant_type:d.literal("authorization_code"),code:d.string().min(1),redirect_uri:d.string().min(1),code_verifier:Ne,resource:d.url().optional(),scope:d.literal(D).optional()}),Pn.extend({grant_type:d.literal("refresh_token"),refresh_token:d.string().min(1),resource:d.url().optional(),scope:d.literal(D).optional()}),Pn.extend({grant_type:d.literal(Re),assertion:d.string().min(1),resource:d.url().optional(),scope:d.literal(D).optional(),authorization_details:d.string().min(1).optional()})]);function wf(e){if(typeof e!="object"||e===null)return;let t=e.grant_type;if(t!==void 0&&(typeof t!="string"||!mf.has(t)))throw new f("unsupported_grant_type",`Grant type "${typeof t=="string"?t:""}" is not supported.`)}n(wf,"assertSupportedGrantType");var bf=d.object({token:d.string().min(1),client_id:d.string().min(1).optional(),token_type_hint:d.string().optional(),client_secret:d.string().min(1).optional(),client_assertion_type:d.string().min(1).optional(),client_assertion:d.string().min(1).optional()}),Rf=d.object({keys:d.array(d.record(d.string(),d.unknown())).min(1)}).passthrough();function qs(){return N().gateway.accessTokenTtlSeconds}n(qs,"readAccessTokenTtlSeconds");function If(){return N().gateway.refreshTokenTtlSeconds}n(If,"readRefreshTokenTtlSeconds");function Os(e,t){let r=qs(),o=Math.max(1,Math.floor((new Date(t).getTime()-e.getTime())/1e3)),i=Math.min(r,o);return{expiresAt:I(de(e,i)),expiresIn:i}}n(Os,"calculateAccessTokenExpiresAt");function Cf(e){let t=e.claimedResource===void 0?[]:Array.isArray(e.claimedResource)?e.claimedResource:[e.claimedResource];if(e.requestedResource!==void 0){if(t.length>0&&!t.includes(e.requestedResource))throw new f("invalid_target","Token request resource must match the ID-JAG resource.");return e.requestedResource}if(t.length===0)throw new f("invalid_target","resource is required for the ID-JAG JWT bearer grant.");if(t.length!==1)throw new f("invalid_target","ID-JAG resource arrays require a token request resource.");return t[0]}n(Cf,"readIdJagResource");function Sf(e){if(e.claimAuthorizationDetails===void 0)return;let t=(e.grantedAuthorizationDetails??[]).filter(r=>r.locations?.includes(e.resource)===!0);if(t.length===0)throw new f("invalid_grant","ID-JAG authorization_details must authorize the requested resource.");return t}n(Sf,"readIdJagGrantedAuthorizationDetails");function vf(e){if(e.claimScope?.split(/\s+/).includes(D)===!0||(e.grantedAuthorizationDetails?.length??0)>0)return D;if(e.claimScope===void 0)throw new f("invalid_grant",`ID-JAG must include ${D} scope or matching authorization_details.`);if(!e.claimScope.split(/\s+/).includes(D))throw new f("invalid_grant",`ID-JAG scope must include ${D}.`);return D}n(vf,"readIdJagGrantedScope");function Af(e){if(e!==void 0&&e.get("dpop")!==null)throw new f("invalid_request","DPoP proofs are not supported for the ID-JAG JWT bearer grant.")}n(Af,"assertNoDpopProofForIdJag");function Ms(e){if(!e?.startsWith("Basic "))return{};let t;try{t=atob(e.slice(6))}catch{throw new f("invalid_client","Malformed HTTP Basic client authentication.")}let r=t.indexOf(":");if(r<0)throw new f("invalid_client","Malformed HTTP Basic client authentication.");try{return{clientId:decodeURIComponent(t.slice(0,r)),clientSecret:decodeURIComponent(t.slice(r+1))}}catch{throw new f("invalid_client","Malformed HTTP Basic client authentication.")}}n(Ms,"readBasicClientSecret");function Ds(e){if(e.basicClientId!==void 0&&e.bodyClientId!==void 0&&e.basicClientId!==e.bodyClientId)throw new f("invalid_request","Authenticated client_id must match request client_id.");let t=e.basicClientId??e.bodyClientId;if(t!==void 0)return t;if(e.clientAssertion!==void 0){try{let r=lf(e.clientAssertion);if(typeof r.iss=="string"&&typeof r.sub=="string"&&r.iss===r.sub)return r.iss}catch{throw new f("invalid_client","Malformed private_key_jwt client assertion.")}throw new f("invalid_client","private_key_jwt client assertion must identify the client with matching iss and sub claims.")}throw new f("invalid_client","Client authentication or client_id is required.")}n(Ds,"resolveAuthenticatedClientId");function kf(e){if(e.basicClientSecret!==void 0&&e.bodyClientSecret!==void 0)throw new f("invalid_request","Use only one client authentication method per request.");return e.basicClientSecret!==void 0?{clientSecret:e.basicClientSecret,clientSecretSource:"basic"}:e.bodyClientSecret!==void 0?{clientSecret:e.bodyClientSecret,clientSecretSource:"post"}:{}}n(kf,"resolveClientSecretInput");function xf(e){return e.clientAssertion!==void 0||e.clientAssertionType!==void 0}n(xf,"hasClientAssertion");function Tf(e){if(e.requestUrl===void 0)throw new f("invalid_request","Request URL is required for private_key_jwt client authentication.");let t=new URL(L().actionPath(e.pathname),M(e.requestUrl,e.requestHeaders));return t.search="",t.hash="",t.toString()}n(Tf,"buildEndpointAudience");function Uf(e){return e instanceof qt.JWTExpired?"expired":e instanceof qt.JWTClaimValidationFailed?"claim":e instanceof qt.JWSSignatureVerificationFailed?"signature":e instanceof qt.JWKSNoMatchingKey?"jwks_no_match":e instanceof qt.JWTInvalid?"invalid":e instanceof d.ZodError?"schema":"other"}n(Uf,"readJwtFailureKind");async function Pf(e){let{response:t,json:r}=await gi(e.jwksUri,{headers:{accept:"application/json"}},{context:e.context,maxRedirects:gf,maxResponseBytes:hf,timeoutMs:ff});if(!t.ok)throw new f("invalid_client","Client JWKS could not be fetched.");return Rf.parse(r)}n(Pf,"fetchClientJwks");async function Ef(e){if(e.clientAssertionType!==Wt||e.clientAssertion===void 0)throw new f("invalid_request","private_key_jwt client authentication requires a JWT bearer client_assertion and client_assertion_type.");let t=ue.parse(e.clientId),r=await Rr(t,e.now);if(r.metadata.token_endpoint_auth_method!=="private_key_jwt")throw new f("invalid_client","Client is not registered for private_key_jwt authentication.");let o=r.metadata.jwks_uri;if(o===void 0)throw new f("invalid_client","Client JWKS URI is required for private_key_jwt authentication.");let i=Tf({requestUrl:e.requestUrl,requestHeaders:e.requestHeaders,pathname:e.endpointPathname});try{let a=await Pf({jwksUri:o,context:e.context}),{payload:s}=await pf(e.clientAssertion,uf(a),{issuer:t,subject:t,audience:i,currentDate:e.now}),c=Math.floor(e.now.getTime()/1e3)+yf;if(typeof s.exp!="number"||s.exp>c)throw new f("invalid_client","Client authentication failed.")}catch(a){throw e.context?.log.warn({event:"oauth_private_key_jwt_client_auth_failed",clientId:t,failureKind:Uf(a)},"OAuth private_key_jwt client authentication failed"),new f("invalid_client","Client authentication failed.")}return{method:"private_key_jwt",clientId:t}}n(Ef,"verifyPrivateKeyJwtClientAssertion");async function Of(e){let t=ue.parse(e.clientId);if(jo(t))throw new f("invalid_client","Client is registered for private_key_jwt authentication.");return e.clientSecret===void 0?{method:"none",clientId:t}:{method:e.clientSecretSource==="post"?"client_secret_post":"client_secret_basic",clientId:t,clientSecretHashInput:await T(e.clientSecret)}}n(Of,"buildRuntimeHttpClientAuth");async function js(e){if(xf({clientAssertion:e.clientAssertion,clientAssertionType:e.clientAssertionType})){if(e.basicClientSecret!==void 0||e.bodyClientSecret!==void 0)throw new f("invalid_request","Use only one client authentication method per request.");return Ef(e)}let t=kf({basicClientSecret:e.basicClientSecret,bodyClientSecret:e.bodyClientSecret});return Of({clientId:e.clientId,...t})}n(js,"resolveRuntimeHttpClientAuth");async function zs(e){wf(e.body);let t=_f.parse(e.body),r=Ms(e.authorizationHeader),o=Ds({basicClientId:r.clientId,bodyClientId:t.client_id,clientAssertion:t.client_assertion}),i=new Date,a=await js({clientId:o,basicClientSecret:r.clientSecret,bodyClientSecret:t.client_secret,clientAssertion:t.client_assertion,clientAssertionType:t.client_assertion_type,requestUrl:e.requestUrl,requestHeaders:e.requestHeaders,endpointPathname:"/oauth/token",now:i,context:e.context});return qf({parsed:t,clientId:o,clientAuth:a,now:i,requestUrl:e.requestUrl,requestHeaders:e.requestHeaders,context:e.context})}n(zs,"exchangeDownstreamToken");async function qf(e){if(e.parsed.grant_type==="authorization_code"){st(e.parsed.redirect_uri,"invalid_request"),ct(e.parsed.scope),e.parsed.resource!==void 0&&je(e.requestUrl??e.parsed.resource,e.parsed.resource,e.requestHeaders);let c=le(),u=le(),l=I(de(e.now,If())),m=Os(e.now,l),w=await R().exchangeAuthorizationCode({clientAuth:e.clientAuth,codeHash:await T(e.parsed.code),redirectUri:e.parsed.redirect_uri,resource:e.parsed.resource,codeChallenge:await Qt(e.parsed.code_verifier),currentRefreshTokenHash:await T(c),accessTokenHash:await T(u),grantExpiresAt:l,accessTokenExpiresAt:m.expiresAt,now:I(e.now)});if(w.kind==="invalid_client")throw new f("invalid_client","Client authentication failed.");if(w.kind==="resource_mismatch")throw new f("invalid_target","Token request resource must match the authorization code resource.");if(w.kind!=="exchanged")throw new f("invalid_grant","Authorization code is invalid, expired, already used, or failed binding validation.");return e.context&&v(e.context,{eventType:C.MCP_OAUTH_TOKEN_ISSUED,outcome:"success",attributes:{clientId:e.clientId,grantType:"authorization_code"}}),{access_token:u,token_type:"Bearer",expires_in:m.expiresIn,refresh_token:c,scope:w.grant.scope,resource:w.grant.resource}}if(e.parsed.grant_type===Re){ct(e.parsed.scope),Af(e.requestHeaders);let c=await Es({assertion:e.parsed.assertion,authenticatedClientId:e.clientId,clientAuth:e.clientAuth,requestUrl:e.requestUrl??e.parsed.resource??"",requestHeaders:e.requestHeaders,requestedResource:e.parsed.resource,now:e.now,context:e.context,config:N()}),u=Cf({claimedResource:c.claims.resource,requestedResource:e.parsed.resource}),l=je(e.requestUrl??u,u,e.requestHeaders),m=Sf({claimAuthorizationDetails:c.claims.authorization_details,grantedAuthorizationDetails:c.grantedAuthorizationDetails,resource:u}),w=vf({claimScope:c.claims.scope,grantedAuthorizationDetails:m}),P=le(),y=I(new Date(c.claims.exp*1e3)),E=Os(e.now,y),x=await R().issueAccessTokenForIdJag({clientAuth:e.clientAuth,accessTokenHash:await T(P),subjectId:c.subjectId,resource:u,operationId:l.operationId,scope:w,authorizationDetails:m,accessTokenExpiresAt:E.expiresAt,now:I(e.now),idJag:{issuer:c.claims.iss,jti:c.claims.jti,tenant:c.claims.tenant,expiresAt:y}});if(x.kind==="invalid_client")throw new f("invalid_client","Client authentication failed.");if(x.kind==="resource_mismatch")throw new f("invalid_target","Token request resource must match the ID-JAG resource.");return e.context&&v(e.context,{eventType:C.MCP_OAUTH_TOKEN_ISSUED,outcome:"success",attributes:{clientId:e.clientId,grantType:"jwt-bearer"}}),{access_token:P,token_type:"Bearer",expires_in:E.expiresIn,scope:x.grant.scope,resource:x.grant.resource,...m===void 0?{}:{authorization_details:m}}}ct(e.parsed.scope),e.parsed.resource!==void 0&&je(e.requestUrl??e.parsed.resource,e.parsed.resource,e.requestHeaders);let t=await T(e.parsed.refresh_token),r=e.parsed.refresh_token,o=le(),i=I(de(e.now,qs())),a=await R().refreshToken({clientAuth:e.clientAuth,currentRefreshTokenHash:t,nextRefreshTokenHash:t,accessTokenHash:await T(o),resource:e.parsed.resource,accessTokenExpiresAt:i,now:I(e.now)});if(a.kind==="invalid_client")throw new f("invalid_client","Client authentication failed.");if(a.kind==="resource_mismatch")throw new f("invalid_target","Token request resource must match the refresh token grant resource.");if(a.kind!=="rotated")throw new f("invalid_grant","Refresh token is invalid, expired, or revoked.");je(e.requestUrl??a.grant.resource,a.grant.resource,e.requestHeaders);let s=a.accessToken.expiresAt;return e.context&&v(e.context,{eventType:C.MCP_OAUTH_TOKEN_ISSUED,outcome:"success",attributes:{clientId:e.clientId,grantType:"refresh_token"}}),{access_token:o,token_type:"Bearer",expires_in:Math.max(1,Math.floor((new Date(s).getTime()-e.now.getTime())/1e3)),refresh_token:r,scope:a.grant.scope,resource:a.grant.resource}}n(qf,"exchangeDownstreamTokenWithRuntimeHttp");async function Hs(e){let t=bf.parse(e.body),r=Ms(e.authorizationHeader),o=Ds({basicClientId:r.clientId,bodyClientId:t.client_id,clientAssertion:t.client_assertion}),i=new Date;if((await R().revokeOAuthToken({clientAuth:await js({clientId:o,basicClientSecret:r.clientSecret,bodyClientSecret:t.client_secret,clientAssertion:t.client_assertion,clientAssertionType:t.client_assertion_type,requestUrl:e.requestUrl,requestHeaders:e.requestHeaders,endpointPathname:"/oauth/revoke",now:i,context:e.context}),tokenHash:await T(t.token),now:I(i)})).kind==="invalid_client")throw new f("invalid_client","Client authentication failed.");e.context?.log.info({event:"oauth_token_revoked",clientId:o,...t.token_type_hint===void 0?{}:{tokenTypeHint:t.token_type_hint}},"OAuth token revocation request processed"),e.context&&v(e.context,{eventType:C.MCP_OAUTH_TOKEN_REVOKED,outcome:"success",attributes:{clientId:o,...t.token_type_hint===void 0?{}:{tokenTypeHint:t.token_type_hint}}})}n(Hs,"revokeDownstreamToken");var Mf=64*1024,Df=16*1024,jf="text/html; charset=utf-8";function zf(e){let t={};for(let[r,o]of e.entries())t[r]=o;return t}n(zf,"formDataToObject");async function Hf(e){return Ia(e,{maxBytes:Mf,label:"Request body"})}n(Hf,"readJsonBody");async function On(e){return zf(await Ca(e,{maxBytes:Df,label:"Request body"}))}n(On,"readFormBody");async function Ls(e,t,r){let o=ce(r),i=r instanceof d.ZodError?Te(r):void 0,a={code:o??(r instanceof d.ZodError?"invalid_request":"internal_server_error")};return i!==void 0&&(a.detail=i),Jt(e,t,a)}n(Ls,"handleProblem");function Ns(e){return e?.requestId}n(Ns,"readBrowserRequestId");function Js(e){if(!(e instanceof h))return;let t=e.extensionMembers?.[Ge];return typeof t=="string"?t:void 0}n(Js,"readUpstreamHtmlError");function Bs(e,t){let r=e.extensionMembers?.[t];return typeof r=="string"?r:void 0}n(Bs,"readRuntimeErrorExtensionString");function Bf(e,t){let r=e.extensionMembers?.[t];return typeof r=="number"?r:void 0}n(Bf,"readRuntimeErrorExtensionNumber");function Lf(e){try{return new URL(e.url).pathname}catch{return}}n(Lf,"readBrowserRequestPath");function ze(e){let t={code:e.code,requestId:e.requestId,routePath:Lf(e.request),underlyingError:e.underlyingError};return e.error instanceof h&&(t.httpStatus=Bf(e.error,_e),t.contentType=Bs(e.error,Je),t.upstreamUrl=Bs(e.error,we)),t}n(ze,"buildBrowserErrorDiagnostic");function Mt(e){let t=new Headers(e.headers);t.set("cache-control","no-store"),t.set("pragma","no-cache");let r={error:e.error};return e.errorDescription!==void 0&&(r.error_description=e.errorDescription),Response.json(r,{status:e.status??400,headers:t})}n(Mt,"oauthErrorResponse");function Nf(e,t){return e.errorCode!=="invalid_client"?{}:t.includeInvalidClientChallenge===!1?{}:{"WWW-Authenticate":'Basic realm="OAuth"'}}n(Nf,"readOAuthProtocolHeaders");function Jf(e,t){let r=re("internal_server_error");return Mt({error:e.errorCode,errorDescription:e.errorCode==="server_error"?r.publicDetail:e.message,status:e.status,headers:Nf(e,t)})}n(Jf,"oauthProtocolErrorResponse");function En(e){return e.issues[0]?.path.includes("resource")===!0?"invalid_target":"invalid_request"}n(En,"readZodOAuthErrorCode");function Gf(e){let t={error:En(e)},r=Te(e);return r!==void 0&&(t.errorDescription=r),Mt(t)}n(Gf,"oauthZodErrorResponse");function Ff(e){let t=ce(e);if(t===void 0)return;let r=re(t);if(r.oauthError===void 0)return;let o={error:r.oauthError,status:Zf(r.oauthError)};return r.oauthError==="server_error"?o.errorDescription=r.publicDetail:e instanceof Error?o.errorDescription=e.message:o.errorDescription=r.publicDetail,Mt(o)}n(Ff,"oauthGatewayProblemResponse");function $f(){let t={error:"server_error",status:500,errorDescription:re("internal_server_error").publicDetail};return Mt(t)}n($f,"oauthFallbackErrorResponse");function Zf(e){switch(e){case"invalid_client":return 401;case"server_error":return 500;default:return 400}}n(Zf,"readOAuthStatus");function qn(e,t={}){return e instanceof xe?$s(e):e instanceof f?Jf(e,t):e instanceof d.ZodError?Gf(e):Ff(e)??$f()}n(qn,"oauthProblemResponse");function Mn(e,t,r){let o=it(e.url),i=Ns(t);if(r instanceof xe)return $s(r);if(r instanceof f){let c=re("internal_server_error");return ie({host:o,kind:Kf(r.errorCode),title:"Authorization failed",detail:r.errorCode==="server_error"?c.publicDetail:r.message,developerDetail:r.errorCode==="server_error"?c.publicDetail:r.message,code:r.errorCode,diagnostic:ze({request:e,requestId:i,code:r.errorCode,underlyingError:r.errorCode==="server_error"?c.publicDetail:r.message,error:r}),requestId:i,status:r.status})}if(r instanceof d.ZodError)return ie({host:o,kind:"invalid_request",detail:Te(r)??"The authorization request was invalid.",developerDetail:Te(r)??"The authorization request was invalid.",code:En(r),diagnostic:ze({request:e,requestId:i,code:En(r),underlyingError:Te(r)??"The authorization request was invalid.",error:r}),requestId:i});let a=ce(r);if(a!==void 0){let c=re(a);return ie({host:o,kind:Fs(a),detail:c.publicDetail,developerDetail:c.status>=500||!(r instanceof Error)?c.publicDetail:r.message,code:a,diagnostic:ze({request:e,requestId:i,code:a,underlyingError:c.status>=500||!(r instanceof Error)?c.publicDetail:r.message,error:r}),requestId:i,upstreamHtml:Js(r),status:c.status})}let s=re("internal_server_error");return ie({host:o,kind:"internal_error",detail:s.publicDetail,developerDetail:s.publicDetail,code:"server_error",diagnostic:ze({request:e,requestId:i,code:"server_error",underlyingError:s.publicDetail,error:r}),requestId:i,status:s.status})}n(Mn,"browserOAuthProblemResponse");function Gs(e,t,r){let o=it(e.url),i=Ns(t),a=ce(r);if(a!==void 0){let c=re(a);return ie({host:o,kind:Fs(a),detail:c.publicDetail,developerDetail:c.status>=500||!(r instanceof Error)?c.publicDetail:r.message,code:a,diagnostic:ze({request:e,requestId:i,code:a,underlyingError:c.status>=500||!(r instanceof Error)?c.publicDetail:r.message,error:r}),requestId:i,upstreamHtml:Js(r),status:c.status})}if(r instanceof d.ZodError)return ie({host:o,kind:"invalid_request",detail:Te(r)??"The authorization request was invalid.",developerDetail:Te(r)??"The authorization request was invalid.",code:"invalid_request",diagnostic:ze({request:e,requestId:i,code:"invalid_request",underlyingError:Te(r)??"The authorization request was invalid.",error:r}),requestId:i});let s=re("internal_server_error");return ie({host:o,kind:"internal_error",detail:s.publicDetail,developerDetail:s.publicDetail,code:"internal_server_error",diagnostic:ze({request:e,requestId:i,code:"internal_server_error",underlyingError:s.publicDetail,error:r}),requestId:i,status:s.status})}n(Gs,"browserGatewayProblemResponse");function Kf(e){return e==="server_error"?"internal_error":"invalid_request"}n(Kf,"readOAuthBrowserErrorKind");function Fs(e){if(re(e).status>=500)return"internal_error";switch(e){case"mcp_route_not_enabled":case"unknown_upstream_server":case"unknown_mcp_route":case"unknown_auth_profile":case"mcp_route_upstream_mismatch":return"configuration_error";case"provider_access_denied":return"access_denied";case"oauth_state_invalid":case"oauth_state_expired":case"oauth_state_reused":case"oauth_callback_mismatch":return"session_expired";case"upstream_oauth_discovery_unavailable":case"upstream_provider_access_denied":case"upstream_client_registration_required":return"admin_required";case"browser_login_verification_failed":case"upstream_token_exchange_failed":case"upstream_token_response_invalid":return"connection_failed";case"invalid_request":case"authentication_required":case"forbidden":case"not_found":case"too_many_requests":case"identity_context_missing":return"invalid_request";case"upstream_capability_invocation_failed":case"upstream_capability_unavailable":case"upstream_import_failed":return"connection_failed";case"internal_server_error":return"internal_error"}return"authorization_failed"}n(Fs,"readGatewayBrowserErrorKind");function he(e,t,r){let o={event:t},i=!1;if(r instanceof f)o.oauthError=r.errorCode,o.status=r.status,J(o,"error",r);else if(r instanceof xe)o.oauthError=r.errorCode,J(o,"error",r);else if(r instanceof d.ZodError){o.code="invalid_request",J(o,"error",r);let a=r.issues[0];a&&(o.zodPath=a.path.join("."))}else{let a=ce(r);if(a!==void 0){let s=re(a);o.code=a,o.status=s.status,s.oauthError!==void 0&&(o.oauthError=s.oauthError),i=s.status>=500||s.oauthError==="server_error",J(o,"error",r)}else i=!0,J(o,"error",r)}if(i){let a=r instanceof Error?r:new Error("Non-Error thrown from OAuth handler",{cause:r});e.log.error(o,a.message)}else e.log.warn(o,"OAuth handler rejected the request")}n(he,"logUnexpectedOAuthHandlerError");function $s(e){let t;try{t=new URL(e.redirectUri)}catch{return Mt({error:e.errorCode,...e.errorDescription===void 0?{}:{errorDescription:e.errorDescription}})}t.searchParams.set("error",e.errorCode),e.errorDescription!==void 0&&t.searchParams.set("error_description",e.errorDescription),e.clientState!==void 0&&t.searchParams.set("state",e.clientState);let r=new Headers({location:t.toString(),"cache-control":"no-store"});return new Response(null,{status:302,headers:r})}n($s,"downstreamAuthorizeRedirectErrorResponse");function Te(e){let t=e.issues[0];if(!t)return;let r=t.path.join(".");return r?`${r}: ${t.message}`:t.message}n(Te,"formatZodErrorDetail");function Wf(e,t){let r={event:"browser_login_callback_failed",code:ce(t)??"invalid_request"};J(r,"error",t),e.log.warn(r,"Browser login callback failed; client received a connection-failure page")}n(Wf,"logBrowserLoginCallbackFailure");function Zs(e){e.location.hash||(e.location.hash="#");let t=new Headers({location:e.location.toString(),"cache-control":"no-store"});return e.setCookie&&t.append("set-cookie",e.setCookie),new Response(null,{status:302,headers:t})}n(Zs,"redirectResultResponse");function Cr(e){if(e.kind==="setup_page"){let t=new Headers({"content-type":jf,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"});return e.setCookie&&t.append("set-cookie",e.setCookie),new Response(e.html,{status:200,headers:t})}return Zs(e)}n(Cr,"authorizeResultResponse");async function Ks(e,t){try{return Response.json(ko(e.url,e.headers))}catch(r){return he(t,"oauth_authorization_server_metadata_failed",r),Ls(e,t,r)}}n(Ks,"authorizationServerMetadataHandler");async function Ws(e,t){try{let r=Dr(e.params.routePath);return Response.json(xo({operationId:r.operationId,requestUrl:e.url,requestHeaders:e.headers}))}catch(r){return he(t,"oauth_authorization_server_metadata_failed",r),Ls(e,t,r)}}n(Ws,"scopedAuthorizationServerMetadataHandler");async function Vs(e,t){try{let r=await rs(await Hf(e)),o=r.client_id,i=r.client_name,a=r.redirect_uris.length,s=r.token_endpoint_auth_method;return t.log.info({event:"oauth_dcr_client_registered",clientId:o,clientName:i,redirectUriCount:a,tokenEndpointAuthMethod:s},"OAuth Dynamic Client Registration completed"),v(t,{eventType:C.MCP_OAUTH_CLIENT_REGISTERED,outcome:"success",clientName:i,attributes:{clientId:o,redirectUriCount:a,tokenEndpointAuthMethod:s}}),Response.json(r,{status:201,headers:{"cache-control":"no-store"}})}catch(r){return he(t,"oauth_register_failed",r),qn(r)}}n(Vs,"registerHandler");async function Ys(e,t){try{return Cr(await Un(e,{context:t}))}catch(r){return he(t,"oauth_authorize_failed",r),Mn(e,t,r)}}n(Ys,"authorizeHandler");async function Xs(e,t){try{let r=Dr(e.params.routePath);return Cr(await Un(e,{operationId:r.operationId,context:t}))}catch(r){return he(t,"oauth_authorize_scoped_failed",r),Mn(e,t,r)}}n(Xs,"scopedAuthorizeHandler");async function Qs(e,t){try{let r=await Ss(e,{context:t});return t.log.info({event:"browser_login_callback_completed",resultKind:r.kind},"Browser login callback completed; consent setup rendered"),Cr(r)}catch(r){return Wf(t,r),Gs(e,t,r)}}n(Qs,"callbackHandler");async function ec(e,t){try{return Zs(await vs(e))}catch(r){return he(t,"oauth_dev_login_failed",r),Mn(e,t,r)}}n(ec,"devLoginHandler");async function tc(e,t){try{if(!["GET","POST"].includes(e.method))return new Response(null,{status:405,headers:{allow:"GET, POST"}});let r=await As({request:e,body:e.method==="POST"?await On(e):void 0,context:t});return Cr(r)}catch(r){return he(t,"oauth_setup_failed",r),Gs(e,t,r)}}n(tc,"setupHandler");async function rc(e,t){try{return Response.json(await zs({body:await On(e),authorizationHeader:e.headers.get("authorization"),requestUrl:e.url,requestHeaders:e.headers,context:t}),{headers:{"cache-control":"no-store",pragma:"no-cache"}})}catch(r){return he(t,"oauth_token_failed",r),qn(r)}}n(rc,"tokenHandler");async function nc(e,t){try{return await Hs({body:await On(e),authorizationHeader:e.headers.get("authorization"),requestUrl:e.url,requestHeaders:e.headers,context:t}),new Response(null,{status:200,headers:{"cache-control":"no-store"}})}catch(r){return he(t,"oauth_revoke_failed",r),qn(r)}}n(nc,"revokeHandler");function oc(e){return S`<p data-gateway-error-code="${e.code}">${e.body}</p>`}n(oc,"renderBrowserResult");var Vf="text/html; charset=utf-8",Yf="none";function Xf(e){let t=Yr(e.host);return ot({title:e.title,iconHref:t,styles:nt,headerIcon:Ir({iconHref:t,fallbackIconHref:ar}),heading:e.title,subhead:"",body:oc({body:e.body,code:e.code??Yf}),footer:""})}n(Xf,"browserResultHtml");function Qf(e,t=200){return new Response(rt(e),{status:t,headers:{"content-type":Vf,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"}})}n(Qf,"browserResultResponse");function ic(e){return Qf(Xf(e))}n(ic,"browserConnectionSuccessResponse");function Sr(e,t,r={}){let o=io(t);return ie({host:e,kind:eh(t),detail:o.body,developerDetail:r.developerDetail,code:t,diagnostic:r.diagnostic,upstreamHtml:r.upstreamHtml})}n(Sr,"browserConnectionFailureResponse");function eh(e){switch(e){case"provider_access_denied":return"access_denied";case"oauth_state_invalid":case"oauth_state_expired":case"oauth_state_reused":case"oauth_callback_mismatch":return"session_expired";case"browser_login_verification_failed":case"upstream_token_exchange_failed":case"upstream_token_response_invalid":return"connection_failed";case"upstream_oauth_discovery_unavailable":case"upstream_provider_access_denied":case"upstream_client_registration_required":return"admin_required"}}n(eh,"readCallbackFailureBrowserErrorKind");var th={connect:"Connect",callback_authorization_code:"Callback",callback_provider_error:"Callback",callback_invalid:"Callback",client_metadata:"Client metadata"},ac=Symbol("upstream-request");function Dt(e,t){Object.defineProperty(e,ac,{configurable:!0,value:t})}n(Dt,"setUpstreamRequestContext");function rh(e){let t=e[ac];if(!t)throw new Q("Upstream request context has not been set");return t}n(rh,"readUpstreamRequestContext");function nh(e,t){return t.some(r=>r===e)}n(nh,"requestContextMatchesKind");function oh(e){return typeof e=="string"?[e]:e}n(oh,"toExpectedKinds");function jt(e,t){let r=rh(e),o=oh(t);if(!nh(r.kind,o)){let i=th[o[0]];throw new Q(`${i} request context has not been set`)}return r}n(jt,"requireUpstreamRequestContext");function He(e){if(typeof e=="string"&&e.length!==0)return e}n(He,"readOptionalQueryString");function ih(e,t){let r=e.params[t];if(typeof r!="string"||r.length===0)throw new Q(`Validated path parameter ${t} is missing`);return ah(r,t)}n(ih,"requirePathString");function ah(e,t){try{return decodeURIComponent(e)}catch(r){throw new h({message:`Path parameter "${t}" must be valid URL encoding.`,extensionMembers:{[g]:"invalid_request"}},{cause:r})}}n(ah,"decodePathString");function sh(e){let t=He(e);return t?Gt.parse(t):void 0}n(sh,"readOptionalOperationId");function ch(e){let t=ee().connectionsById.get(e);if(t!==void 0)return t.authProfileId;throw new h({message:`No upstream connection is registered for ${e}.`,extensionMembers:{[g]:"unknown_upstream_server"}})}n(ch,"readRegisteredAuthProfileId");function dh(e){let t=sh(e);if(!t)throw new h({message:"operationId query parameter is required.",extensionMembers:{[g]:"invalid_request"}});return t}n(dh,"readRequiredOperationId");async function uh(e,t){let r=hr(t,dh(e.query.operationId));if(r.authMode==="id-jag")throw new h({message:"This upstream uses XAA / ID-JAG and does not support browser OAuth connection flows.",extensionMembers:{[g]:"invalid_request"}});let o=e.query.redirect==="true",i=He(e.query.browserTicket);if(e.user){if(i)throw new h({message:"Use either an authenticated gateway request or a browser connect ticket, not both.",extensionMembers:{[g]:"invalid_request"}});let c=Pe(e.user,e.url),u={kind:"connect",...tt(r,c.subjectId),redirect:o},l=mo(He(e.query.returnTo));return l!==void 0&&(u.returnTo=l),u}if(!i)throw new h({message:"Authentication is required to start the upstream connection flow.",extensionMembers:{[g]:"authentication_required"}});let a=await Ei(i);if(a.ownerMode!==r.ownerMode||a.upstreamServerId!==r.upstreamServerId||a.authProfileId!==r.authProfileId||a.operationId!==r.operationId)throw new h({message:"Browser connect ticket did not match the requested upstream flow",extensionMembers:{[g]:"oauth_callback_mismatch"}});await Oi(a);let s=Zt(a);switch(r.authMode){case"shared-oauth":{if(s.mode!=="shared")throw new h({message:"Browser connect ticket did not match the requested upstream flow",extensionMembers:{[g]:"oauth_callback_mismatch"}});let c={kind:"connect",...r,authMode:"shared-oauth",ownerMode:"shared",owner:s,initiatedBySubjectId:a.initiatedBySubjectId,redirect:o};return a.returnTo!==void 0&&(c.returnTo=a.returnTo),c}case"user-oauth":{if(s.mode!=="user")throw new h({message:"Browser connect ticket did not match the requested upstream flow",extensionMembers:{[g]:"oauth_callback_mismatch"}});let c={kind:"connect",...r,authMode:"user-oauth",ownerMode:"user",owner:s,initiatedBySubjectId:a.initiatedBySubjectId,redirect:o};return a.returnTo!==void 0&&(c.returnTo=a.returnTo),c}}}n(uh,"resolveConnectContext");async function lh(e,t,r){let o=co.parse(ih(e,"connection"));switch(r){case"connect":Dt(e,await uh(e,o));return;case"callback":{let i=He(e.query.error);if(i){let c={kind:"callback_provider_error",upstreamServerId:o,error:i},u=He(e.query.error_description);u!==void 0&&(c.errorDescription=u),Dt(e,c);return}let a=He(e.query.code),s=He(e.query.state);if(a&&s){Dt(e,{kind:"callback_authorization_code",upstreamServerId:o,code:a,state:s});return}Dt(e,{kind:"callback_invalid",upstreamServerId:o});return}case"client_metadata":Dt(e,{kind:"client_metadata",upstreamServerId:o,authProfileId:ch(o)});return}}n(lh,"resolveUpstreamRequestInbound");async function ph(e,t,r){try{await lh(e,t,r);return}catch(o){let i=o instanceof h?o.extensionMembers?.[g]:void 0,a=o instanceof Error?o.message:void 0;switch(i){case"invalid_request":case"unknown_upstream_server":case"oauth_callback_mismatch":return Ue.badRequest(e,t,{code:i,detail:a});case"authentication_required":return Ue.unauthorized(e,t,{code:i,detail:a});default:throw o}}}n(ph,"applyUpstreamRequestContext");function vr(e,t){return n(async(o,i)=>{let a=await ph(o,i,e);return a||t(o,i)},"wrapped")}n(vr,"withUpstreamRequestContext");var mh=["callback_authorization_code","callback_provider_error","callback_invalid"];function Dn(e){try{return new URL(e.url).pathname}catch{return}}n(Dn,"readBrowserRequestPath");function fh(e){return"cause"in e?e.cause:void 0}n(fh,"readErrorCause");function hh(e){return e.stack?.split(`
|
|
49
|
-
`).slice(1,4).map(t=>t.trim()).join(" | ")}n(hh,"readFirstStackFrame");function sc(e,t,r){r instanceof Error&&(e[`${t}Name`]=r.name,e[`${t}Message`]=r.message,e[`${t}StackFrame`]=hh(r))}n(sc,"addErrorAttributes");function jn(e){if(!(e instanceof h))return;let t=e.extensionMembers?.[g];return Nt(t)?t:void 0}n(jn,"readRuntimeGatewayCode");function cc(e,t){let r=e.extensionMembers?.[t];return typeof r=="string"?r:void 0}n(cc,"readRuntimeErrorExtensionString");function gh(e,t){let r=e.extensionMembers?.[t];return typeof r=="number"?r:void 0}n(gh,"readRuntimeErrorExtensionNumber");function yh(e,t,r,o){switch(r.kind){case"callback_provider_error":return t.log.warn({event:"upstream_oauth_provider_error",code:"provider_access_denied",upstreamServerId:r.upstreamServerId,providerError:r.error,...r.errorDescription===void 0?{}:{providerErrorDescription:r.errorDescription.slice(0,256)}},"Upstream identity provider returned an error to the OAuth callback"),v(t,{eventType:C.MCP_AUTH_UPSTREAM_TOKEN_EXCHANGE_FAILED,outcome:"failure",upstreamServerName:r.upstreamServerId,reasonCode:"provider_access_denied",reasonClass:"auth",attributes:{error:r.error,errorDescription:r.errorDescription}}),Sr(o,"provider_access_denied",{developerDetail:r.errorDescription??r.error,diagnostic:{code:"provider_access_denied",requestId:t.requestId,routePath:Dn(e),upstreamServerId:r.upstreamServerId,providerError:r.error,providerErrorDescription:r.errorDescription,underlyingError:r.errorDescription??r.error}});case"callback_invalid":return t.log.warn({event:"upstream_oauth_callback_invalid",code:"oauth_state_invalid",upstreamServerId:r.upstreamServerId},"Upstream OAuth callback request missing required code/state parameters"),Sr(o,"oauth_state_invalid",{diagnostic:{code:"oauth_state_invalid",requestId:t.requestId,routePath:Dn(e),upstreamServerId:r.upstreamServerId}});case"callback_authorization_code":return r}}n(yh,"requireAuthorizationCallbackRequest");function _h(e,t){v(e,{eventType:C.MCP_AUTH_UPSTREAM_CALLBACK_RECEIVED,outcome:"success",upstreamServerName:t.upstreamServerId})}n(_h,"emitCallbackReceivedAnalyticsEvent");function wh(e,t){v(e,{eventType:C.MCP_AUTH_UPSTREAM_TOKEN_EXCHANGE_SUCCEEDED,outcome:"success",upstreamServerName:t.upstreamServerId,virtualServerName:t.operationId})}n(wh,"emitTokenExchangeSucceededAnalyticsEvent");function bh(e,t){if(t.returnTo){let r=t.returnOrigin??e.url;return Response.redirect(new URL(t.returnTo,r).toString(),302)}return ic({host:it(e.url),title:"Connection complete",body:"The upstream authorization flow completed successfully. You can return to your MCP client."})}n(bh,"buildSuccessfulCallbackResponse");function Rh(e){let t={detail:e instanceof Error?e.message:void 0};return sc(t,"error",e),e instanceof Error&&sc(t,"cause",fh(e)),t}n(Rh,"buildTokenExchangeFailureAttributes");function Ih(e){v(e.context,{eventType:C.MCP_AUTH_UPSTREAM_TOKEN_EXCHANGE_FAILED,outcome:"failure",upstreamServerName:e.callbackRequest.upstreamServerId,reasonCode:jn(e.error)??"token_exchange_failed",reasonClass:"auth",errorType:e.error instanceof Error?e.error.name:"unknown",attributes:Rh(e.error)})}n(Ih,"emitTokenExchangeFailedAnalyticsEvent");function Ch(e){let t=e.error,r=jn(t),o=oo(r)?r:"upstream_token_exchange_failed",i={code:o,requestId:e.context.requestId,routePath:Dn(e.request),upstreamServerId:e.callbackRequest.upstreamServerId,underlyingError:t instanceof Error?t.message:void 0,...t instanceof h?{httpStatus:gh(t,_e),contentType:cc(t,Je),upstreamUrl:cc(t,we)}:{}};return Sr(e.host,o,{developerDetail:t instanceof Error?t.message:void 0,diagnostic:i,upstreamHtml:Sh(t)})}n(Ch,"tokenExchangeFailureResponse");function Sh(e){if(!(e instanceof h))return;let t=e.extensionMembers?.[Ge];return typeof t=="string"?t:void 0}n(Sh,"readUpstreamHtmlError");async function zn(e,t){let r=jt(e,mh),o=it(e.url),i=yh(e,t,r,o);if(i instanceof Response)return i;_h(t,i);try{let a=await pa({request:e,callbackRequest:i});return wh(t,a),t.log.info({event:"upstream_oauth_token_exchange_succeeded",upstreamServerId:a.upstreamServerId,operationId:a.operationId,authProfileId:a.authProfileId,ownerMode:a.ownerMode},"Upstream OAuth token exchange completed; user connection established"),bh(e,a)}catch(a){let s={event:"upstream_oauth_token_exchange_failed",code:jn(a)??"upstream_token_exchange_failed",upstreamServerId:i.upstreamServerId};return J(s,"error",a),t.log.warn(s,"Upstream OAuth token exchange failed; user shown connection-failure page"),Ih({context:t,callbackRequest:i,error:a}),Ch({request:e,context:t,host:o,callbackRequest:i,error:a})}}n(zn,"callbackHandler");function vh(e){return(e instanceof Error?e.message:void 0)??"The requested upstream client metadata document was not found."}n(vh,"clientMetadataProblemDetail");async function dc(e,t){let r=jt(e,"connect"),o=await la({request:e,connectRequest:r});if(v(t,{eventType:C.MCP_AUTH_UPSTREAM_CONNECT_STARTED,outcome:"success",upstreamServerName:r.upstreamServerId,virtualServerName:o.operationId,upstreamServerTitle:o.upstreamDisplayName}),t.log.info({event:"upstream_connect_started",upstreamServerId:r.upstreamServerId,authProfileId:o.authProfileId,operationId:o.operationId,ownerMode:r.ownerMode,redirect:r.redirect,hasReturnTo:r.returnTo!==void 0},"Upstream OAuth connect flow started"),r.redirect)return Response.redirect(o.authUrl,302);let i=await pr({requestUrl:e.url,requestHeaders:e.headers,owner:o.owner,initiatedBySubjectId:o.initiatedBySubjectId,upstreamServerId:r.upstreamServerId,authProfileId:o.authProfileId,upstreamDisplayName:o.upstreamDisplayName,operationId:o.operationId,subject:"MCP route",...r.returnTo===void 0?{}:{returnTo:r.returnTo}});return Response.json(i,{status:428})}n(dc,"connectHandler");async function uc(e,t){let r=jt(e,"client_metadata");try{let o=M(e.url,e.headers),i=Li(o,r.upstreamServerId,r.authProfileId);return Response.json(i)}catch(o){if(!(o instanceof A))throw o;let i=o instanceof Error?o.message:String(o);return t.log.warn({event:"oauth_client_metadata_request_failed",upstreamServerId:r.upstreamServerId,authProfileId:r.authProfileId,errorMessage:i},"Failed to serve OAuth client metadata document for upstream connection"),Ue.notFound(e,t,{code:"not_found",detail:vh(o)})}}n(uc,"oauthClientMetadataHandler");function Ah(e,t){return e.mount==="root"?e.path:t.actionPath(e.path)}n(Ah,"resolveInternalRoutePath");var kh={"access-control-allow-origin":"*","access-control-allow-methods":"GET, OPTIONS","access-control-allow-headers":"content-type, authorization","access-control-max-age":"86400"};function xh(){return new Response(null,{status:204,headers:kh})}n(xh,"buildWellKnownPreflightResponse");function Th(e){let t=new Headers(e.headers);return t.set("access-control-allow-origin","*"),new Response(e.body,{status:e.status,statusText:e.statusText,headers:t})}n(Th,"withWellKnownCorsHeaders");function Hn(e){return async(t,r)=>t.method==="OPTIONS"?xh():Th(await e(t,r))}n(Hn,"wrapWellKnownHandler");var mc=[{routeName:"oauth_as_metadata",mount:"root",path:"/.well-known/oauth-authorization-server",methods:["GET","OPTIONS"],handler:Hn(Ks),corsPolicy:"anything-goes"},{routeName:"oauth_as_metadata_scoped",mount:"root",path:"/.well-known/oauth-authorization-server/:routePath*",methods:["GET","OPTIONS"],handler:Hn(Ws),corsPolicy:"anything-goes"},{routeName:"oauth_protected_resource_metadata",mount:"root",path:"/.well-known/oauth-protected-resource/:routePath*",methods:["GET","OPTIONS"],handler:Hn(To),corsPolicy:"anything-goes"},{routeName:"oauth_register",mount:"action",path:"/oauth/register",methods:["POST"],handler:Vs},{routeName:"oauth_authorize",mount:"action",path:"/oauth/authorize",methods:["GET"],handler:Ys},{routeName:"oauth_authorize_scoped",mount:"action",path:"/oauth/authorize/:routePath*",methods:["GET"],handler:Xs},{routeName:"oauth_callback",mount:"action",path:"/oauth/callback",methods:["GET"],handler:Qs},{routeName:"oauth_dev_login",mount:"action",path:"/oauth/dev-login",methods:["GET"],handler:ec},{routeName:"oauth_setup",mount:"action",path:"/oauth/setup",methods:["GET","POST"],handler:tc},{routeName:"oauth_token",mount:"action",path:"/oauth/token",methods:["POST"],handler:rc},{routeName:"oauth_revoke",mount:"action",path:"/oauth/revoke",methods:["POST"],handler:nc},{routeName:"upstream_client_metadata",mount:"action",path:"/.well-known/oauth-client/:connection",methods:["GET"],handler:vr("client_metadata",uc)},{routeName:"upstream_connect",mount:"action",path:"/auth/connections/:connection/connect",methods:["GET"],handler:vr("connect",dc)},{routeName:"upstream_callback",mount:"action",path:"/auth/connections/:connection/callback",methods:["GET"],handler:vr("callback",zn)}],Uh=mc.filter(e=>!e.routeName.startsWith("upstream_")),Ph=mc.filter(e=>e.routeName.startsWith("upstream_"));function Eh(e){let t=_o({routes:e.routes,policies:e.policies,gateway:e.gateway});return wo(t),t}n(Eh,"initializeMcpGatewayConnectionRegistry");function Oh(e){return[...e.byOperationId.values()].some(t=>t.downstreamOAuth!==void 0)}n(Oh,"hasDownstreamOAuthRoutes");function qh(e){return[...e.byOperationId.values()].some(t=>t.downstreamOAuth?.config.idJag.enabled===!0)}n(qh,"hasIdJagDownstreamOAuth");function Mh(e){let t=new Map;for(let o of e.byOperationId.values())o.downstreamOAuth&&t.set(o.downstreamOAuth.policyName,o.downstreamOAuth.config);if(t.size===1)return[...t.values()][0];let r=[...t.keys()].map(o=>`"${o}"`).join(", ");throw new A(`MCP gateway found multiple attached OAuth policies: ${r}. Multiple downstream MCP OAuth configs in one gateway are not supported yet; use one MCP OAuth policy across MCP routes or split these routes into separate gateways.`)}n(Mh,"readSingletonDownstreamOAuthConfig");function Dh(e,t,r){let o=String(t.params.routePath??""),i=e.byRoutePath.get(So(o));if(i===void 0)return;let a=i?.downstreamOAuth?.config;return a===void 0?Jt(t,r,{code:"not_found",detail:"The requested MCP route does not expose downstream OAuth."}):a}n(Dh,"readScopedDownstreamOAuthConfig");function jh(e){return e.path==="/.well-known/oauth-authorization-server/:routePath*"||e.path==="/.well-known/oauth-protected-resource/:routePath*"||e.path==="/oauth/authorize/:routePath*"}n(jh,"routeUsesScopedOAuthConfig");function lc(e,t,r){return async(o,i)=>{if(i.log.setLogProperties?.({requestId:i.requestId}),r){let u=await r(o,i);if(u instanceof Response)return u;u&&to(i,u)}let a=o.method==="OPTIONS",s=Date.now();a||i.log.info({event:`${e}_received`,method:o.method},`MCP gateway: ${e} received`);let c=await t(o,i);return a||i.log.info({event:`${e}_responded`,status:c.status,durationMs:Date.now()-s},`MCP gateway: ${e} responded`),c}}n(lc,"wrapInternalHandler");function pc(e,t,r,o){e.addPluginRoute({path:Ah(t,r),methods:t.methods,handler:o,processors:[Fn],corsPolicy:t.corsPolicy??"none"})}n(pc,"addInternalRoute");function fc(e,t){let r=Eh(t),o=Oh(r),i=r.connectionsById.size>0,a,s=n(()=>(a===void 0&&(a=Mh(r)),a),"readSingletonOAuthConfig");if(o){ae("plugin.mcp-gateway.downstream-oauth"),qh(r)&&ae("plugin.mcp-gateway.downstream-oauth.id-jag");for(let c of Uh){let u=jh(c)?(l,m)=>Dh(r,l,m):s;pc(e,c,r.gateway,lc(c.routeName,c.handler,u))}}if(i){ae("plugin.mcp-gateway.upstream-auth");for(let c of r.connectionsById.values())ae(`plugin.mcp-gateway.upstream-auth.${c.authMode}`);for(let c of Ph)pc(e,c,r.gateway,lc(c.routeName,c.handler))}}n(fc,"registerMcpGatewayInternalRoutes");var Bn=class extends Jn{static{n(this,"McpGatewayPlugin")}#e;constructor(t={}){super(),ae("plugin.mcp-gateway"),this.#e=ro(t)}registerRoutes(t){let r=t.parsedRouteData;r&&fc(t.router,{routes:r.routes,policies:r.policies,gateway:this.#e})}};var zh=new TextDecoder;function Hh(e){if(e)try{return JSON.parse(zh.decode(e))}catch{return}}n(Hh,"readBodyJson");function ge(e){return e&&typeof e=="object"?e:void 0}n(ge,"readRecord");function zt(e,t){let r=ge(e)?.[t];return typeof r=="string"?r:void 0}n(zt,"readStringProperty");function gc(e,t){let r=ge(e)?.[t];return typeof r=="number"?r:void 0}n(gc,"readNumberProperty");function hc(e,t){return gc(e,"code")??(t.status>=400?t.status:void 0)}n(hc,"readErrorCode");function yc(e){return Array.isArray(e)?e.map(yc).find(t=>t?.method):ge(e)}n(yc,"readJsonRpcMessage");function _c(e){let t=yc(Hh(e)),r=typeof t?.method=="string"?t.method:"",o=t?.params;switch(r){case"tools/list":return{mcpMethod:r,capabilityType:"tool"};case"tools/call":return{mcpMethod:r,capabilityType:"tool",capabilityName:zt(o,"name")};case"prompts/list":return{mcpMethod:r,capabilityType:"prompt"};case"prompts/get":return{mcpMethod:r,capabilityType:"prompt",capabilityName:zt(o,"name")};case"resources/list":case"resources/templates/list":return{mcpMethod:r,capabilityType:"resource"};case"resources/read":{let i=zt(o,"uri");return{mcpMethod:r,capabilityType:"resource",capabilityName:i,resourceUri:i}}default:return null}}n(_c,"buildBaseCapabilityInput");function wc(e){return e==="tools/list"||e==="prompts/list"||e==="resources/list"||e==="resources/templates/list"}n(wc,"isCapabilityListMethod");function Bh(e,t,r){let a=ge(r)?.[e==="resources/templates/list"?"resourceTemplates":t==="tool"?"tools":t==="prompt"?"prompts":"resources"];return Array.isArray(a)?a.length:void 0}n(Bh,"readItemCount");async function Lh(e){try{return await e.clone().json()}catch{return}}n(Lh,"readResponseJson");function bc(e){let t=_c(e);return!t||wc(t.mcpMethod)?null:{eventType:C.MCP_CAPABILITY_INVOKED,outcome:"success",...t}}n(bc,"buildCapabilityInvokedAnalyticsInput");async function Rc(e,t){let r=_c(e);if(!r)return null;let o=ge(await Lh(t)),i=ge(o?.error),a=ge(i?.data),s=o?.result,c=r.mcpMethod==="tools/call"&&ge(s)?.isError===!0;if(ge(a?.connectRequired))return{eventType:C.MCP_CAPABILITY_CONNECT_REQUIRED,outcome:"connect_required",...r,httpStatusCode:t.status,reasonCode:"connect_required",reasonClass:"auth",errorType:"connect_required",errorCode:gc(i,"code"),mcpErrorType:zt(i,"message")};if(wc(r.mcpMethod)){let u=t.status>=400?void 0:Bh(r.mcpMethod,r.capabilityType,s);return{eventType:C.MCP_CAPABILITY_LISTED,outcome:t.status>=400||i?"failure":"success",...r,httpStatusCode:t.status,...t.status>=400||i?{reasonCode:"upstream_capability_list_failed",reasonClass:"upstream",errorType:"capability_list_error",errorCode:hc(i,t)}:{},...u===void 0?{}:{attributes:{itemCount:u}}}}return t.status>=400||i?{eventType:C.MCP_CAPABILITY_FAILED,outcome:"failure",...r,httpStatusCode:t.status,reasonCode:"upstream_capability_invocation_failed",reasonClass:"upstream",errorType:"capability_error",errorCode:hc(i,t),mcpErrorType:zt(i,"message")}:{eventType:C.MCP_CAPABILITY_COMPLETED,outcome:c?"application_error":"success",...r,httpStatusCode:t.status,toolResultIsError:c,applicationError:c}}n(Rc,"buildCapabilityFinalAnalyticsInput");var Nh={Allow:"POST"};async function Jh(e){try{return await e.clone().arrayBuffer()}catch{return}}n(Jh,"readRequestBody");function Ic(e){try{let t=bo(e.route.path);return{virtualServerName:t.operationId,upstreamServerName:t.connection?.upstreamServerId,upstreamServerTitle:t.connection?.displayName,authProfileId:t.connection?.authProfileId,upstreamAuthMode:t.connection?.authMode}}catch{return{}}}n(Ic,"readRouteAnalyticsFields");function Cc(e){return Eo(e.user,e.url,e.headers)?.subjectId}n(Cc,"readRequestSubjectId");function Gh(e){let t=bc(e.requestBody);t&&v(e.context,{...t,...Ic(e.context),httpMethod:e.request.method,subjectId:Cc(e.request),transport:"http"})}n(Gh,"emitCapabilityInvokedAnalytics");async function Fh(e){let t=await Rc(e.requestBody,e.response);t&&v(e.context,{...t,...Ic(e.context),httpMethod:e.request.method,subjectId:Cc(e.request),transport:"http",latencyMs:Date.now()-e.startedAt})}n(Fh,"emitCapabilityFinalAnalytics");async function $h(e,t){if(ae("handler.mcp-gateway-proxy"),e.method==="GET")return Ue.methodNotAllowed(e,t,{detail:"MCP Gateway routes support stateless Streamable HTTP requests over POST. Server-sent event GET streams are not supported."},Nh);let r=Date.now(),o=await Jh(e);Gh({context:t,request:e,requestBody:o});let i=await Xn(e,t);return await Fh({context:t,request:e,requestBody:o,response:i,startedAt:r}),i}n($h,"McpProxyHandler");export{qc as McpAuth0OAuthInboundPolicy,jr as McpCapabilityFilterInboundPolicy,Sc as McpClerkOAuthInboundPolicy,vc as McpCognitoOAuthInboundPolicy,Ac as McpEntraOAuthInboundPolicy,Bn as McpGatewayPlugin,kc as McpGoogleOAuthInboundPolicy,xc as McpKeycloakOAuthInboundPolicy,Tc as McpLogtoOAuthInboundPolicy,Mc as McpOAuthInboundPolicy,Uc as McpOktaOAuthInboundPolicy,Pc as McpOneLoginOAuthInboundPolicy,Ec as McpPingOAuthInboundPolicy,$h as McpProxyHandler,mn as McpTokenExchangeInboundPolicy,Oc as McpWorkosOAuthInboundPolicy,Yo as claimsCapabilityResolver};
|
|
48
|
+
></iframe>`}n(_p,"renderUpstreamHtml");var Ia="application/json",wp="application/x-www-form-urlencoded";function yr(e,t){return new h({message:e,extensionMembers:{[g]:"invalid_request"}},t===void 0?void 0:{cause:t})}n(yr,"invalidRequestError");function bp(e){return(e??"").split(";")[0]?.trim().toLowerCase()??""}n(bp,"normalizeContentType");function Rp(e,t){return e===t?!0:t===Ia&&e.endsWith("+json")}n(Rp,"contentTypeMatches");function Ip(e,t){if(!t||t.length===0)return;let r=bp(e.headers.get("content-type"));if(!t.some(o=>Rp(r,o)))throw yr(`Request body must be ${t.join(" or ")}.`)}n(Ip,"assertExpectedContentType");function Cp(e,t,r){let o=e.headers.get("content-length");if(!o)return;let i=Number.parseInt(o,10);if(Number.isFinite(i)&&i>t)throw yr(`${r} exceeded the maximum allowed size.`)}n(Cp,"assertContentLengthWithinLimit");async function Ca(e,t){let r=t.label??"Request body";Ip(e,t.expectedContentTypes),Cp(e,t.maxBytes,r);let o=await dr(e.body,{maxBytes:t.maxBytes,createLimitError:n(()=>yr(`${r} exceeded the maximum allowed size.`),"createLimitError")});return new TextDecoder().decode(o)}n(Ca,"readBoundedTextBody");async function Sa(e,t){let r=await Ca(e,{...t,expectedContentTypes:[Ia]});try{return JSON.parse(r)}catch(o){throw yr("Request body must be valid JSON.",o)}}n(Sa,"readBoundedJsonBody");async function va(e,t){let r=await Ca(e,{...t,expectedContentTypes:[wp]});return new URLSearchParams(r)}n(va,"readBoundedFormUrlEncodedBody");Z();Z();import{errors as ka,jwtVerify as xa,SignJWT as Ta}from"jose";import{base64url as Sp}from"jose";var vp="mcp-browser-login-pkce:",Ap=new TextEncoder;async function kp(e){return crypto.subtle.importKey("raw",F(e),{name:"HMAC",hash:"SHA-256"},!1,["sign"])}n(kp,"importHmacKey");async function fn(e){let t=await kp(e.signingKey),r=Ap.encode(`${vp}${e.stateId}`),o=await crypto.subtle.sign("HMAC",t,F(r));return Ne.parse(Sp.encode(new Uint8Array(o)))}n(fn,"deriveBrowserLoginPkceVerifier");async function Aa(e){let t=await fn(e),r=await Qt(t);return{codeVerifier:t,codeChallenge:r,codeChallengeMethod:Le}}n(Aa,"deriveBrowserLoginPkceParams");var xp={invalid_request:400,invalid_client:401,invalid_grant:400,invalid_target:400,unsupported_grant_type:400,server_error:500,invalid_redirect_uri:400,invalid_client_metadata:400},f=class extends Error{static{n(this,"OAuthProtocolError")}errorCode;status;constructor(t,r,o=xp[t],i){super(r,i),this.name="OAuthProtocolError",this.errorCode=t,this.status=o}};var Tp=300,Up=d.object({purpose:d.literal("gateway_browser_login"),transactionId:Pr,stateId:Er,exp:d.number().int().positive(),iat:d.number().int().positive().optional()}),Pp=d.object({purpose:d.literal("gateway_authorization_setup"),transactionId:Pr,stateId:Er,exp:d.number().int().positive(),iat:d.number().int().positive().optional()});async function Et(){return oe({purpose:"browser-login",keyMaterialPurpose:"oauth-state-signing",derive:n(e=>ve(e,"browser-login"),"derive")})}n(Et,"getBrowserLoginKey");async function Ua(){return oe({purpose:"authorization-csrf",keyMaterialPurpose:"oauth-state-signing",derive:n(e=>ve(e,"authorization-csrf"),"derive")})}n(Ua,"getCsrfKey");function Pa(e){return{now:e.now??new Date,ttlSeconds:Ea()}}n(Pa,"readPendingTransactionDependencies");function Ea(){return J().browserLogin.stateTtlSeconds}n(Ea,"readBrowserLoginStateTtlSeconds");function Ep(e){let t=L();return K(e)&&t.isActionPath(e.pathname,"/oauth/dev-login")}n(Ep,"isLoopbackDevLoginUrl");async function Op(e){let t=J().browserLogin,r=L(),o=new URL(be("url")),i=new URL(r.actionPath("/oauth/callback"),$e(e.requestUrl,e.requestHeaders));if(Ep(o))return o.searchParams.set("redirect_uri",i.toString()),o.searchParams.set("state",e.state),o;if(o.searchParams.set("response_type","code"),o.searchParams.set("client_id",be("clientId")),o.searchParams.set("redirect_uri",i.toString()),o.searchParams.set("scope",t.scope),o.searchParams.set("state",e.state),o.searchParams.set("nonce",e.nonce),t.audience&&o.searchParams.set("audience",t.audience),t.pkce===Le){let a=await Aa({stateId:e.stateId,signingKey:await Et()});o.searchParams.set("code_challenge",a.codeChallenge),o.searchParams.set("code_challenge_method",a.codeChallengeMethod)}return o}n(Op,"buildBrowserLoginUrl");function qp(e,t){return e.subjectId===t.subjectId}n(qp,"principalsMatch");function Oa(e){return{subjectId:e.subjectId,...e.roles===void 0?{}:{roles:e.roles}}}n(Oa,"toPendingPrincipal");function qa(e){let t={id:e.id,currentStateHash:e.currentStateHash,clientId:e.transaction.clientId,redirectUri:e.transaction.redirectUri,resource:e.transaction.resource,operationId:e.transaction.operationId,scope:e.transaction.scope,codeChallenge:e.transaction.codeChallenge,codeChallengeMethod:e.transaction.codeChallengeMethod,createdAt:I(e.now),expiresAt:I(de(e.now,e.ttlSeconds)),...e.transaction.clientState===void 0?{}:{clientState:e.transaction.clientState}};if(e.phase==="awaiting_login")return{...t,phase:"awaiting_login"};if(!e.principal)throw b("identity_context_missing","Authorization setup requires a principal.");return{...t,phase:"awaiting_setup",principal:Oa(e.principal)}}n(qa,"createTransactionRecord");async function Ma(e){let{id:t,...r}=e.record,o=await R().startAuthorization({...r,transactionId:t,...e.client===void 0?{}:{client:e.client}});switch(o.kind){case"started":return o.transaction;case"already_exists":throw b("oauth_state_reused","Authorization transaction state already exists.");case"invalid_client":throw new f("invalid_client","OAuth client is not registered.");case"redirect_uri_mismatch":throw new f("invalid_request","redirect_uri is not registered for the client.")}}n(Ma,"startPendingTransaction");async function Mp(e){return new Ta({purpose:"gateway_browser_login",transactionId:e.transactionId,stateId:e.stateId}).setProtectedHeader({alg:V,typ:"JWT"}).setIssuer($).setAudience(W).setIssuedAt().setExpirationTime(Math.floor(Date.now()/1e3)+e.ttlSeconds).sign(await Et())}n(Mp,"signBrowserLoginState");async function Da(e){return new Ta({purpose:"gateway_authorization_setup",transactionId:e.transactionId,stateId:qr()}).setProtectedHeader({alg:V,typ:"JWT"}).setIssuer($).setAudience(W).setIssuedAt().setExpirationTime(Math.floor(Date.now()/1e3)+e.ttlSeconds).sign(await Ua())}n(Da,"signCsrfToken");async function hn(e){try{let{payload:t}=await xa(e,await Et(),{algorithms:[V],issuer:$,audience:W}),r=Up.parse(t);return{transactionId:r.transactionId,stateId:r.stateId}}catch(t){throw t instanceof ka.JWTExpired?b("oauth_state_expired","Browser login state has expired.",t):b("oauth_state_invalid","Browser login state could not be verified.",t)}}n(hn,"verifyBrowserLoginStateToken");async function _r(e){try{let{payload:t}=await xa(e,await Ua(),{algorithms:[V],issuer:$,audience:W});return{transactionId:Pp.parse(t).transactionId}}catch(t){throw t instanceof ka.JWTExpired?b("oauth_state_expired","Authorization setup state has expired.",t):b("oauth_state_invalid","Authorization setup state could not be verified.",t)}}n(_r,"verifyCsrfToken");function gn(e){return e==="consumed"||e==="consumed_already"||e==="stale_hash"?"oauth_state_reused":e==="expired"?"oauth_state_expired":"oauth_state_invalid"}n(gn,"pendingStateErrorCode");function Dp(e){return e.kind==="available"?{kind:"available",record:e.transaction}:e}n(Dp,"toPendingAuthorizationGetResult");function jp(e){return e.kind==="advanced"?{kind:"advanced",record:e.transaction}:e}n(jp,"toPendingAuthorizationAdvanceResult");function yn(e){return e==="principal_mismatch"?"oauth_callback_mismatch":gn(e==="consumed_already"?"consumed_already":e)}n(yn,"setupDecisionErrorCode");async function ja(e){let t=e.now??new Date,r=await _r(e.csrfToken),o=await R().markAuthorizationSetupApproved({transactionId:r.transactionId,currentStateHash:await T(e.csrfToken),currentPrincipal:{subjectId:e.currentBrowserPrincipal.subjectId},now:I(t)});if(o.kind!=="marked")throw b(yn(o.kind),"Authorization setup state is invalid, expired, or already used.");return za({kind:"available",record:o.transaction})}n(ja,"markSetupApproved");function za(e){if(e.kind!=="available")throw b(gn(e.kind),"Authorization setup state is invalid, expired, or already used.");if(e.record.phase!=="awaiting_setup")throw b("oauth_state_invalid","Authorization setup state is not in the setup phase.");return e.record}n(za,"requireAwaitingSetup");function zp(e){if(!qp(e.currentBrowserPrincipal,e.transaction.principal))throw b("oauth_callback_mismatch","Authorization setup state does not match the current browser session.")}n(zp,"requireCurrentPrincipalMatches");async function Ha(e){let t=e.now??new Date,r=Ea(),o=Or(),i=qr(),a=await Mp({transactionId:o,stateId:i,ttlSeconds:r}),s=qa({id:o,transaction:e.transaction,currentStateHash:await T(a),phase:"awaiting_login",now:t,ttlSeconds:r});if(s.phase!=="awaiting_login")throw b("oauth_state_invalid","Authorization transaction did not start in login phase.");let c=await Ma({record:s,client:e.transaction.client});if(c.phase!=="awaiting_login")throw b("oauth_state_invalid","Authorization transaction did not start in login phase.");let u=await Op({state:a,nonce:i,stateId:i,requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders}});return{transaction:c,browserLoginStateToken:a,browserLoginUrl:u}}n(Ha,"startAwaitingLogin");async function Ba(e){let{now:t,ttlSeconds:r}=Pa(e),o=Or(),i=await Da({transactionId:o,ttlSeconds:r}),a=qa({id:o,transaction:e.transaction,currentStateHash:await T(i),phase:"awaiting_setup",principal:e.principal,now:t,ttlSeconds:r});if(a.phase!=="awaiting_setup")throw b("oauth_state_invalid","Authorization transaction did not start in setup phase.");let s=await Ma({record:a,client:e.transaction.client});if(s.phase!=="awaiting_setup")throw b("oauth_state_invalid","Authorization transaction did not start in setup phase.");return{transaction:s,csrfToken:i}}n(Ba,"startAwaitingSetup");async function La(e){let{now:t,ttlSeconds:r}=Pa(e),o=await hn(e.browserLoginStateToken),i=await Da({transactionId:o.transactionId,ttlSeconds:r}),a=jp(await R().advancePendingAuthorization({transactionId:o.transactionId,expectedPhase:"awaiting_login",currentStateHash:await T(e.browserLoginStateToken),nextStateHash:await T(i),nextPhase:"awaiting_setup",principal:Oa(e.principal),now:I(t)}));if(a.kind!=="advanced")throw b(gn(a.kind),"Browser login state is invalid, expired, or already used.");if(a.record.phase!=="awaiting_setup")throw b("oauth_state_invalid","Browser login did not advance to setup.");return{transaction:a.record,csrfToken:i}}n(La,"completeLogin");async function Na(e){let t=await _n(e);return zp({transaction:t,currentBrowserPrincipal:e.currentBrowserPrincipal}),t}n(Na,"getSetup");async function _n(e){let t=e.now??new Date,r=await _r(e.csrfToken);return za(Dp(await R().readPendingAuthorization({transactionId:r.transactionId,currentStateHash:await T(e.csrfToken),now:I(t)})))}n(_n,"getSetupTransaction");async function Hp(e){let t=await _r(e.csrfToken),r=le(),o=I(de(e.now,Tp)),i=await R().decideAuthorizationSetup({decision:"approve",transactionId:t.transactionId,currentStateHash:await T(e.csrfToken),currentPrincipal:{subjectId:e.currentBrowserPrincipal.subjectId},authorizationCodeHash:await T(r),authorizationCodeExpiresAt:o,grantId:Ao(),now:I(e.now)});if(i.kind!=="approved")throw b(i.kind==="cancelled"?"oauth_state_invalid":yn(i.kind),"Authorization setup state is invalid, expired, or already used.");let a=new URL(i.transaction.redirectUri);return a.searchParams.set("code",r),i.transaction.clientState&&a.searchParams.set("state",i.transaction.clientState),a}n(Hp,"createAuthorizationCodeRedirectWithDecision");async function Bp(e){let t=await _r(e.csrfToken),r=await R().decideAuthorizationSetup({decision:"cancel",transactionId:t.transactionId,currentStateHash:await T(e.csrfToken),currentPrincipal:{subjectId:e.currentBrowserPrincipal.subjectId},now:I(e.now)});if(r.kind!=="cancelled")throw b(r.kind==="approved"?"oauth_state_invalid":yn(r.kind),"Authorization setup state is invalid, expired, or already used.");return Lp({redirectUri:r.transaction.redirectUri,clientState:r.transaction.clientState})}n(Bp,"createCancelRedirectWithDecision");function Lp(e){let t=new URL(e.redirectUri);return t.searchParams.set("error","access_denied"),t.searchParams.set("error_description","The user cancelled the MCP authorization request."),e.clientState!==void 0&&t.searchParams.set("state",e.clientState),t}n(Lp,"buildClientCancelRedirect");async function Ja(e){let t=e.now??new Date;return Hp({csrfToken:e.csrfToken,currentBrowserPrincipal:e.currentBrowserPrincipal,now:t})}n(Ja,"approve");async function Ga(e){let t=e.now??new Date;return Bp({csrfToken:e.csrfToken,currentBrowserPrincipal:e.currentBrowserPrincipal,now:t})}n(Ga,"cancel");Z();import{createRemoteJWKSet as Np,errors as at,jwtVerify as Fa,SignJWT as Jp}from"jose";var Rn="zuplo_mcp_session",Gp=d.object({purpose:d.literal("gateway_browser_session"),sub:ut,browserLoginOrigin:d.string().min(1),roles:d.array(d.string().min(1)).optional(),exp:d.number().int().positive(),iat:d.number().int().positive().optional()}),Fp=d.object({id_token:d.string().min(1),token_type:d.string().min(1).optional(),expires_in:d.number().optional(),access_token:d.string().min(1).optional(),refresh_token:d.string().min(1).optional(),scope:d.string().min(1).optional()}),$p=d.object({error:d.string().min(1).optional(),error_description:d.string().min(1).optional(),error_uri:d.string().min(1).optional()}),Zp=d.object({sub:ut,nonce:d.string().min(1)}).catchall(d.unknown()),wn;function Kp(e){let t=new Map;if(!e)return t;for(let r of e.split(";")){let o=r.indexOf("=");if(o<0)continue;let i=r.slice(0,o).trim(),a=r.slice(o+1).trim();if(i)try{t.set(i,decodeURIComponent(a))}catch{t.set(i,a)}}return t}n(Kp,"parseCookieHeader");async function $a(){return oe({purpose:"browser-session",keyMaterialPurpose:"oauth-state-signing",derive:n(e=>ve(e,"browser-session"),"derive")})}n($a,"getBrowserSessionKey");function bn(e,t){let r=new URL(M(e,t)),o=[`${Rn}=`,"Path=/","HttpOnly","SameSite=Lax","Max-Age=0"];return r.protocol==="https:"&&o.push("Secure"),o.join("; ")}n(bn,"buildBrowserSessionEvictionCookie");function Wp(e){let t=new URL(M(e.requestUrl,e.requestHeaders)),r=[`${Rn}=${encodeURIComponent(e.value)}`,"Path=/","HttpOnly","SameSite=Lax",`Max-Age=${e.ttlSeconds}`];return t.protocol==="https:"&&r.push("Secure"),r.join("; ")}n(Wp,"serializeSessionCookie");function Za(){return new URL(be("url")).origin}n(Za,"readBrowserLoginOrigin");function Vp(e){let t=$p.safeParse(e);if(!t.success)return{};let r={};return t.data.error!==void 0&&(r.idpError=t.data.error),t.data.error_description!==void 0&&(r.idpErrorDescription=t.data.error_description.slice(0,256)),t.data.error_uri!==void 0&&(r.idpErrorUri=t.data.error_uri.slice(0,256)),r}n(Vp,"readIdpErrorFields");function Yp(e){return e instanceof at.JWTExpired?"expired":e instanceof at.JWTClaimValidationFailed?"claim":e instanceof at.JWSSignatureVerificationFailed?"signature":e instanceof at.JWKSNoMatchingKey?"jwks_no_match":e instanceof at.JWTInvalid?"invalid":e instanceof d.ZodError?"schema":"other"}n(Yp,"readJwtFailureKind");function Xp(e){return e instanceof Error&&"cause"in e?e.cause:e}n(Xp,"readErrorCause");function Qp(e){if(e!==null&&typeof e=="object"&&"extensionMembers"in e)return e.extensionMembers?.gatewayCode}n(Qp,"readRuntimeGatewayCode");function em(){if(!wn){let e=J();wn=Np(new URL(e.oidc.jwksUrl),{timeoutDuration:e.browserLogin.remoteTimeoutMs})}return wn}n(em,"readFederatedJwks");function Ka(e){if(!e.user)throw b("authentication_required","The browser login callback did not include an authenticated Zuplo principal.");return Pe(e.user,e.url)}n(Ka,"resolveCurrentRequestPrincipal");async function wr(e,t={}){let r=Kp(e.headers.get("cookie")).get(Rn);if(!r)return{};try{let{payload:o}=await Fa(r,await $a(),{algorithms:[V],issuer:$,audience:W}),i=Gp.parse(o);if(i.browserLoginOrigin!==Za())return{evictCookie:bn(e.url,e.headers)};let a={subjectId:i.sub};return i.roles&&i.roles.length>0&&(a.roles=i.roles),{principal:a}}catch(o){return o instanceof at.JWTExpired?{evictCookie:bn(e.url,e.headers)}:(t.context?.log.warn({event:"browser_session_verification_failed",errorName:o instanceof Error?o.name:"unknown",errorMessage:o instanceof Error?o.message:"verification failed"},"Browser session JWT verification failed"),{evictCookie:bn(e.url,e.headers)})}}n(wr,"readBrowserSession");async function br(e){let t=J().browserLogin.sessionTtlSeconds,r={purpose:"gateway_browser_session",sub:e.principal.subjectId,browserLoginOrigin:Za()};e.principal.roles&&(r.roles=e.principal.roles);let o=await new Jp(r).setProtectedHeader({alg:V,typ:"JWT"}).setIssuer($).setAudience(W).setIssuedAt().setExpirationTime(Math.floor(Date.now()/1e3)+t).sign(await $a());return Wp({value:o,requestUrl:e.requestUrl,requestHeaders:e.requestHeaders,ttlSeconds:t})}n(br,"createBrowserSessionCookie");async function tm(e){let t=J(),r=be("tokenUrl"),o=be("clientId"),i=be("clientSecret"),a=new URL(L().actionPath("/oauth/callback"),$e(e.requestUrl,e.requestHeaders)).toString(),s=new URLSearchParams({grant_type:"authorization_code",code:e.code,redirect_uri:a,client_id:o,client_secret:i});if(t.browserLogin.pkce===Le){let c=await fn({stateId:e.stateId,signingKey:await Et()});s.set("code_verifier",c)}try{let{response:c,json:u}=await ur(r,{method:"POST",headers:{accept:"application/json","content-type":"application/x-www-form-urlencoded"},body:s},{maxResponseBytes:32768,problemCode:"browser_login_verification_failed",timeoutMs:t.browserLogin.remoteTimeoutMs,context:e.context});if(!c.ok){let y=Vp(u);throw e.context?.log.warn({event:"federated_token_exchange_failed",code:"provider_access_denied",idpHost:q(r),idpStatus:c.status,...y},"Federated browser login token exchange returned non-2xx from the identity provider"),b({code:"provider_access_denied",privateDetail:"Federated browser login token exchange failed.",cause:new Error(`IdP token exchange failed (status=${c.status}${y.idpError?` idp_error=${y.idpError}`:""}${y.idpErrorDescription?` idp_error_description=${y.idpErrorDescription}`:""})`)})}let l=Fp.parse(u),m;try{({payload:m}=await Fa(l.id_token,em(),{issuer:t.oidc.issuer,audience:o}))}catch(y){let E={};throw G(E,"error",y),e.context?.log.warn({event:"federated_id_token_verification_failed",code:"browser_login_verification_failed",failureKind:Yp(y),idpHost:q(r),expectedIssuer:t.oidc.issuer,...E},"Federated id_token failed jose verification"),y}if(m.nonce!==e.nonce)throw e.context?.log.warn({event:"federated_nonce_mismatch",code:"oauth_callback_mismatch",idpHost:q(r),nonceMissingFromIdToken:m.nonce===void 0},"Federated id_token nonce did not match the signed gateway state"),b("oauth_callback_mismatch","Federated browser login nonce did not match the signed gateway state.");let w=Zp.parse(m);return{principal:Pe({sub:w.sub,data:w},e.requestUrl),subjectToken:{token:l.id_token,tokenType:pt,expiresAt:typeof m.exp=="number"?I(new Date(m.exp*1e3)):void 0}}}catch(c){let u=ce(c)??Qp(c);throw u!==void 0&&u!=="browser_login_verification_failed"?c:b("browser_login_verification_failed","Federated browser login callback could not be verified.",Xp(c))}}n(tm,"exchangeFederatedAuthorizationCode");async function Wa(e){let t=typeof e.request.query.code=="string"?e.request.query.code:void 0;if(t)return tm({code:t,nonce:e.stateId,stateId:e.stateId,requestUrl:e.request.url,requestHeaders:e.request.headers,context:e.context});let r=await wr(e.request,{context:e.context});if(r.principal)return{principal:r.principal};throw b("oauth_callback_mismatch","Federated browser login callback is missing an authorization code.")}n(Wa,"resolveBrowserLoginCallbackIdentity");Z();var rm=new Set(["about","blob","data","file","ftp","ftps","javascript","mailto","urn","ws","wss"]);function nm(e){return e.protocol.replace(/:$/u,"").toLowerCase()}n(nm,"readScheme");function om(e){return e.protocol==="https:"}n(om,"isSpecCompliantRedirectUri");function im(e){let t=nm(e);return t.length>0&&t!=="http"&&t!=="https"&&!rm.has(t)}n(im,"isNativeAppCustomSchemeRedirectUri");var Ya=[{id:"oauth.redirect_uri.https",mode:"strict",accepts:n(e=>om(e),"accepts")},{id:"oauth.redirect_uri.loopback_http",mode:"native_app",accepts:n(e=>K(e),"accepts"),matches:n((e,t)=>K(e)&&K(t)&&e.pathname===t.pathname&&e.search===t.search,"matches")},{id:"oauth.redirect_uri.custom_scheme",mode:"native_app",accepts:n(e=>im(e),"accepts")}];function Xa(e){let t=Ya.find(r=>r.accepts(e.url));return t===void 0?{kind:"rejected"}:{kind:"allowed",ruleId:t.id,mode:t.mode}}n(Xa,"evaluateBuiltInRedirectUriCompatibility");function Va(e){try{return new URL(e)}catch{return}}n(Va,"parseUrl");function Qa(e){if(e.registeredRedirectUri===e.requestedRedirectUri)return!0;let t=Va(e.registeredRedirectUri),r=Va(e.requestedRedirectUri);return t===void 0||r===void 0?!1:Ya.some(o=>o.matches?.(t,r))}n(Qa,"redirectUriMatchesBuiltInCompatibility");var am=1e4,sm=5*1024,cm=0,dm=2160*60*60,es=["authorization_code","refresh_token",Kt,Re],um=["authorization_code","refresh_token"],ts=[Co],lm=["code"],pm=d.object({client_name:d.string().min(1).optional(),redirect_uris:d.array(d.string().min(1)).min(1),grant_types:d.array(d.enum(es)).min(1).max(es.length).optional(),authorization_grant_profiles_supported:d.array(d.enum(ts)).min(1).max(ts.length).optional(),response_types:d.array(d.enum(lm)).min(1).max(1).optional(),scope:d.literal(D).optional(),token_endpoint_auth_method:vo.optional(),jwks_uri:d.string().min(1).optional()});function mm(e){try{let t=new URL(e);return(t.protocol==="https:"||t.protocol==="http:"&&K(t))&&t.pathname!=="/"}catch{return!1}}n(mm,"isCimdClientIdCandidate");function rs(e,t){throw new f("invalid_client",qo({clientId:e})??"OAuth client is not registered.",void 0,t===void 0?void 0:{cause:t})}n(rs,"invalidCimdClientError");function st(e,t="invalid_request"){if(fm(e))throw new f(t,"redirect_uris must not include raw whitespace or control characters.");let r;try{r=new URL(e)}catch{throw new f(t,"redirect_uris must be absolute URIs.")}if(r.hash||r.username||r.password)throw new f(t,"redirect_uris must not include credentials or fragments.");if(Xa({url:r}).kind==="rejected")throw new f(t,"redirect_uris must use HTTPS, loopback HTTP, or a native-app private-use URI scheme.")}n(st,"assertValidRedirectUri");function fm(e){for(let t=0;t<e.length;t+=1){let r=e.charCodeAt(t);if(r<=32||r>=127&&r<=159)return!0}return!1}n(fm,"hasForbiddenRawRedirectUriCharacter");async function hm(e){let{response:t,json:r}=await hi(e.initialUrl,{headers:{accept:"application/json"}},{maxRedirects:cm,maxResponseBytes:sm,timeoutMs:am});if(!t.ok)throw b("invalid_request","CIMD metadata could not be fetched.");let o=Vt(r);for(let i of o.redirect_uris)st(i,"invalid_request");if(o.jwks_uri!==void 0&&ft(o.jwks_uri),o.client_id!==e.clientId)throw b("invalid_request","Fetched CIMD client_id must exactly match the requested client_id.");return o}n(hm,"fetchCimdMetadata");async function gm(e){let t=Yt(e),r=await hm({clientId:e,initialUrl:t});return{kind:"cimd",clientId:e,metadata:r}}n(gm,"resolveCimdClient");async function Rr(e,t){let r=ue.parse(e);if(mm(r)){J().gateway.downstreamCimdEnabled||rs(r);try{return await gm(r)}catch(i){rs(r,i)}}let o=await R().readClient({clientId:r});if(o.kind==="found"){let i=o.client,a=Do(i.clientId),s=a===void 0?i.tokenEndpointAuthMethod:"private_key_jwt",c=i.jwksUri??a;if(s==="private_key_jwt"&&c===void 0)throw new f("invalid_client","Dynamic private_key_jwt client is missing JWKS metadata. Re-run client registration before authorization.");let u=Vt({client_id:i.clientId,client_name:i.clientName,redirect_uris:i.redirectUris,token_endpoint_auth_method:s,...c===void 0?{}:{jwks_uri:c}}),l={kind:"dcr",clientId:r,metadata:u};return i.hashedClientSecret&&(l.hashedClientSecret=i.hashedClientSecret),l}throw new f("invalid_client",r.startsWith("dcr:")?"Dynamic client is not registered. Re-run client registration before authorization.":"OAuth client is not registered.")}n(Rr,"resolveClient");function ns(e,t){if(!e.metadata.redirect_uris.some(r=>Qa({registeredRedirectUri:r,requestedRedirectUri:t})))throw b("invalid_request","redirect_uri is not registered for the client.")}n(ns,"assertRedirectRegistered");function ym(e){return e===void 0?[...um]:Array.from(new Set(e))}n(ym,"normalizeGrantTypes");function _m(e){try{ft(e)}catch(t){throw new f("invalid_client_metadata","jwks_uri must be an HTTPS URL with a path, no credentials or fragment, and must not point at a blocked host.",void 0,{cause:t})}}n(_m,"assertValidDcrJwksUri");function wm(e){return e.tokenEndpointAuthMethod==="private_key_jwt"&&e.jwksUri!==void 0?ue.parse(Mo({clientId:crypto.randomUUID(),jwksUri:e.jwksUri})):ue.parse(`dcr:${crypto.randomUUID()}`)}n(wm,"createDcrClientId");function ct(e){if(e===void 0||e===D)return D;throw new f("invalid_request",`Only the ${D} scope is supported.`)}n(ct,"assertSupportedOAuthScope");function je(e,t,r){let o;try{o=new URL(t)}catch{throw new f("invalid_target","resource must be an absolute URI.")}if(o.hash)throw new f("invalid_target","resource must not include a fragment.");if(o.protocol!=="https:"&&!K(o))throw new f("invalid_target","resource must use HTTPS except loopback HTTP resources in local development.");let i=M(e,r),a=Ro(),s=a?[...a.byOperationId.values()].find(c=>new URL(c.routePath,i).toString()===t):void 0;if(!s)throw new f("invalid_target","resource must match a published MCP route.");return s}n(je,"resolveResource");async function os(e){let t;try{t=pm.parse(e)}catch(y){if(y instanceof d.ZodError){let E=y.issues.some(x=>x.path[0]==="redirect_uris");throw new f(E?"invalid_redirect_uri":"invalid_client_metadata",y.issues[0]?.message??"Client metadata is invalid.",void 0,{cause:y})}throw y}for(let y of t.redirect_uris)st(y,"invalid_redirect_uri");if(t.token_endpoint_auth_method==="private_key_jwt"&&t.jwks_uri===void 0)throw new f("invalid_client_metadata","jwks_uri is required for private_key_jwt clients.");t.jwks_uri!==void 0&&_m(t.jwks_uri);let r=new Date,o=t.token_endpoint_auth_method??"none",i=o==="private_key_jwt"?"none":o,a=wm({tokenEndpointAuthMethod:o,jwksUri:t.jwks_uri}),s=Vt({client_id:a,client_name:t.client_name??"Dynamically registered MCP client",redirect_uris:t.redirect_uris,token_endpoint_auth_method:o,...t.jwks_uri===void 0?{}:{jwks_uri:t.jwks_uri}}),c=de(r,dm),u=Math.floor(r.getTime()/1e3),l=Math.floor(c.getTime()/1e3),m={client_id:s.client_id,client_name:s.client_name,redirect_uris:s.redirect_uris,grant_types:ym(t.grant_types),authorization_grant_profiles_supported:t.authorization_grant_profiles_supported,response_types:["code"],scope:D,token_endpoint_auth_method:s.token_endpoint_auth_method,client_id_issued_at:u,jwks_uri:s.jwks_uri},w={clientId:s.client_id,clientName:s.client_name,redirectUris:s.redirect_uris,tokenEndpointAuthMethod:i,createdAt:I(r),clientExpiresAt:I(c)};if(o==="client_secret_basic"||o==="client_secret_post"){let y=le();w.hashedClientSecret=await T(y),w.clientSecretExpiresAt=I(c),m.client_secret=y,m.client_secret_expires_at=l,m.client_secret_issued_at=u}if((await R().registerClient(w)).kind==="already_exists")throw b("invalid_request","OAuth client is already registered.");return m}n(os,"registerDownstreamClient");function bm(e){return e?.metadata?.idpSubjectTokenType!==Ze&&e?.metadata?.idpSubjectTokenExpiresAt!==void 0&&new Date(e.metadata.idpSubjectTokenExpiresAt).getTime()<=Date.now()?!1:e?.status==="active"&&e.metadata?.encryptedIdpSubjectToken!==void 0&&e.metadata.idpSubjectTokenType!==void 0}n(bm,"hasStoredIdJagSubjectTokenBinding");async function is(e){let t=Fe(e.principal.subjectId);return(await R().batchGetUpstreamConnections([{owner:t,upstreamServerId:e.connection.upstreamServerId,authProfileId:e.connection.authProfileId}]))[0]}n(is,"readIdJagSubjectConnection");async function In(e){let t=ee().byOperationId.get(e.operationId);if(t?.connection===void 0||t.connection.authMode!=="id-jag")return!1;let r=await is({connection:t.connection,principal:e.principal});return!bm(r)}n(In,"requiresIdJagSubjectTokenBinding");async function as(e){if(e.subjectToken===void 0)return;let t=ee().byOperationId.get(e.transaction.operationId);if(t?.connection===void 0||t.connection.authMode!=="id-jag"||e.principal.subjectId!==e.transaction.principal.subjectId)return;let r=await is({connection:t.connection,principal:e.principal});return R().upsertUpstreamConnection({id:r?.id??Xt(),ownerMode:"user",subjectId:e.transaction.principal.subjectId,upstreamServerId:t.connection.upstreamServerId,authProfileId:t.connection.authProfileId,status:"active",encryptedAccessToken:r?.encryptedAccessToken,encryptedRefreshToken:r?.encryptedRefreshToken,scopes:r?.scopes??[],expiresAt:r?.expiresAt,metadata:{...r?.metadata??{},encryptedIdpSubjectToken:await me(e.subjectToken.token),idpSubjectTokenType:e.subjectToken.tokenType,idpSubjectTokenExpiresAt:e.subjectToken.expiresAt}})}n(as,"bindIdJagSubjectTokenForAuthorizationTransaction");function Ir(e){return S`<img class="card__icon" src="${e.iconHref}" alt="" width="48" height="48" referrerpolicy="no-referrer" onerror=" this.onerror = null; this.src = '${e.fallbackIconHref}'; " />`}n(Ir,"renderShellIcon");function ss(e){return S`<form class="actions" method="post" action="${e.setupAction}" ${e.submitOnceAttrs}><input type="hidden" name="state" value="${e.state}" /><button class="button button--secondary" type="submit" name="decision" value="cancel" formnovalidate >Cancel</button><button class="button button--primary" type="submit" name="decision" value="approve" ${e.authorizeAttrs} >Authorize</button></form>`}n(ss,"renderActions");var cs=fe('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="16" height="16" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><circle cx="8" cy="8" r="6.5"/><line x1="8" y1="4.6" x2="8" y2="8.4"/><circle cx="8" cy="11" r=".7" fill="currentColor" stroke="none"/></svg>');function ds(e){return S`<div class="banner banner--warning" role="status"><span class="banner__icon" aria-hidden="true">${e.icon}</span><div class="banner__body"><p class="banner__title">Setup required</p><p class="banner__message">${e.message}</p></div></div>`}n(ds,"renderBannerWarning");var lR=fe('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="14" height="14" fill="none" stroke="currentColor" stroke-width="1.8" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M4 6.5l4 4 4-4"/></svg>'),pR=fe('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.6" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><rect x="3" y="4" width="18" height="7" rx="1.5"/><rect x="3" y="13" width="18" height="7" rx="1.5"/><circle cx="7" cy="7.5" r=".75" fill="currentColor" stroke="none"/><circle cx="7" cy="16.5" r=".75" fill="currentColor" stroke="none"/></svg>');var mR=fe('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="16" height="16" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M7.13 2.46 1.39 12.5a1 1 0 0 0 .87 1.5h11.48a1 1 0 0 0 .87-1.5L8.87 2.46a1 1 0 0 0-1.74 0Z"/><line x1="8" y1="6" x2="8" y2="9.4"/><circle cx="8" cy="11.4" r=".7" fill="currentColor" stroke="none"/></svg>');var Rm="data:,",us=S`data-submit-once="true" onsubmit="if (this.dataset.submitted === 'true') return false; this.dataset.submitted = 'true'; setTimeout(() => this.querySelectorAll('button').forEach((button) => { button.disabled = true; }), 0);"`,ls=S`data-activate-once="true" onclick="if (this.dataset.activated === 'true') return false; this.dataset.activated = 'true'; this.setAttribute('aria-disabled', 'true'); this.style.pointerEvents = 'none';"`;function Im(e,t,r){if(e)try{let o=new URL(t).origin,i=new URL(e,o);return i.origin!==o||!i.pathname.startsWith(r.actionPath("/auth/connections/"))?void 0:i.toString()}catch{return}}n(Im,"safeGatewayConnectHref");function Cm(e){return e.some(r=>r.ownerMode==="user"&&r.status!=="active")?"setup":"grant"}n(Cm,"deriveMode");function Sm(e){return ss({state:e.state,setupAction:e.gateway.actionPath("/oauth/setup"),submitOnceAttrs:us,authorizeAttrs:te})}n(Sm,"renderActions");function Cn(e,t,r,o){for(let i of e){if(i.ownerMode!=="user"||i.status!==r)continue;let a=Im(i.connectUrl,t,o);if(a)return a}}n(Cn,"firstUserConnectHref");function vm(e){let t=e.connectHref===void 0?te:S`<a class="button button--primary" href="${e.connectHref}" ${ls}>Connect</a>`;return S`<form class="actions" method="post" action="${e.gateway.actionPath("/oauth/setup")}" ${us}><input type="hidden" name="state" value="${e.state}" /><button class="button button--secondary" type="submit" name="decision" value="cancel" formnovalidate>Cancel</button>${t}</form>`}n(vm,"renderSetupActions");function Am(e){return e?S`<span class="reconnect-action"><a class="button button--secondary reconnect-button" href="${e}" ${ls}>Re-connect<span class="tooltip" tabindex="0" aria-label="Reset or change how the gateway connects to the upstream service, including changing scopes.">?</span></a></span>`:te}n(Am,"renderReconnectAction");function km(e){try{let t=new URL(e);return t.protocol==="https:"||t.protocol==="http:"?!0:t.protocol==="data:"&&/^data:image\/(?:png|jpe?g|webp|svg\+xml);/i.test(e)}catch{return!1}}n(km,"isRenderableIconHref");function ps(e){return e?.find(t=>km(t.src))?.src}n(ps,"readIconHref");function xm(e){return ps(e.serverIcons)??(e.transportHost===void 0?void 0:Xr(e.transportHost).src)}n(xm,"readUpstreamIconHref");function Tm(e){let t=ps(e.routeIcons);if(t!==void 0)return t;for(let r of e.upstreams){let o=xm(r);if(o!==void 0)return o}}n(Tm,"readHeaderIconHref");function Um(e){let t=e.setupMessage===void 0?te:ds({icon:cs,message:e.setupMessage});return S`<p class="card__subtitle">Authorize '<strong>${e.clientDisplayName}</strong>' to access '<strong>${e.routeDisplayName}</strong>' on your behalf?</p>${t}`}n(Um,"renderBody");function Sn(e){let t=Cm(e.upstreams),r=Cn(e.upstreams,e.gatewayOrigin,"not_connected",e.gateway),o=Cn(e.upstreams,e.gatewayOrigin,"reconsent_required",e.gateway),i=Cn(e.upstreams,e.gatewayOrigin,"active",e.gateway),a=t==="setup"?r??o:void 0,s=t==="setup"?e.upstreams.find(l=>l.ownerMode==="user"&&l.status!=="active"&&l.connectUrl===void 0&&l.setupMessage!==void 0)?.setupMessage:void 0,c=Tm({routeIcons:e.routeIcons,upstreams:e.upstreams}),u=t==="setup"?S`<footer class="card__footer">${vm({state:e.state,connectHref:a,gateway:e.gateway})}</footer>`:S`<footer class="card__footer">${Am(i)}${Sm({state:e.state,gateway:e.gateway})}</footer>`;return rt(ot({title:`Authorize access \xB7 ${e.routeDisplayName}`,iconHref:c??Rm,styles:nt,headerIcon:c===void 0?te:Ir({iconHref:c,fallbackIconHref:ar}),heading:"Authorize access",subhead:te,body:Um({routeDisplayName:e.routeDisplayName,clientDisplayName:e.clientDisplayName,setupMessage:s}),footer:u}))}n(Sn,"renderConsentPage");var Pm=1e4,ms="mcp-session-id",Em;function _s(){return{tools:[],prompts:[],resources:[]}}n(_s,"emptyCapabilities");function fs(){return new Headers({accept:"application/json, text/event-stream","content-type":"application/json","mcp-protocol-version":Mr})}n(fs,"buildReadinessHeaders");async function hs(e){if(e.type==="bearer_token"){let o=fs();return o.set("authorization",`Bearer ${e.token}`),o}let t=await e.provider.tokens();if(!t)return;let r=fs();return r.set("authorization",`${t.token_type??"Bearer"} ${t.access_token}`),r}n(hs,"buildAsyncCredentialHeaders");function gs(e){return new Request(e.upstreamUrl,{method:"POST",headers:e.headers,body:JSON.stringify($t.parse({jsonrpc:Ft,id:1,method:"initialize",params:{protocolVersion:Mr,capabilities:{},clientInfo:{name:"zuplo-mcp-gateway-readiness",version:"0.0.0"}}}))})}n(gs,"buildInitializePreflight");async function vn(e){mt(e.url);let t=new AbortController,r=setTimeout(()=>t.abort(),Pm);try{let o=new Request(e,{redirect:"manual",signal:t.signal});return await Ht.fetch(o)}finally{clearTimeout(r)}}n(vn,"runPreflight");function An(e){e.body?.cancel().catch(()=>{})}n(An,"releasePreflightBody");async function Om(e){let t=e.response.headers.get(ms);if(!t)return;let r=new Headers(e.headers);r.set(ms,t),r.delete("content-type");try{let o=await vn(new Request(e.upstreamUrl,{method:"DELETE",headers:r}));An(o)}catch{}}n(Om,"terminatePreflightSession");async function ws(e){let{response:t}=e;return An(t),t.status>=200&&t.status<300?(await Om(e),{kind:"ready",upstreamStatus:t.status,capabilities:_s()}):t.status===401||t.status===403?{kind:"upstream_auth_rejected",status:t.status,message:"Upstream MCP server rejected the configured credential."}:{kind:"upstream_unavailable",status:t.status,message:"Upstream MCP server did not accept the readiness preflight."}}n(ws,"classifyResponse");function ys(e){let t={status:e.state==="reconsent_required"?"reconsent_required":"not_connected",connected:!1};return e.nextAction==="admin_setup_required"?{kind:"admin_setup_required",payload:e,connectionStatus:t}:{kind:"connect_required",payload:e,connectionStatus:t}}n(ys,"connectRequiredResult");async function qm(e){try{return ws({response:await vn(e.request),upstreamUrl:e.upstreamUrl,headers:e.headers})}catch(t){return{kind:"upstream_unavailable",message:t instanceof Error?t.message:"Upstream MCP server readiness preflight failed."}}}n(qm,"classifyPreflight");async function Mm(e){let t=e.route.connection;if(t===void 0)return{kind:"ready",upstreamStatus:204,capabilities:_s()};let r=hr(t.upstreamServerId,e.route.operationId),o=tt(r,e.subjectId),i=e.returnTo===void 0?o:{...o,returnTo:e.returnTo},a=new Request(e.requestUrl,{headers:e.requestHeaders}),s=await et({request:a,routeAuth:i,preloadedConnection:e.preloadedConnection});if(s.kind==="connect_required")return ys(s.payload);let c=await hs(s.credential);if(c===void 0)return{kind:"upstream_auth_rejected",status:401,message:"Upstream credential did not produce tokens."};let u=gs({upstreamUrl:t.mcpUrl,headers:c}),l;try{l=await vn(u)}catch(P){return{kind:"upstream_unavailable",message:P instanceof Error?P.message:"Upstream MCP server readiness preflight failed."}}if(l.status!==401)return ws({response:l,upstreamUrl:t.mcpUrl,headers:c});An(l);let m=await et({request:a,routeAuth:i,forceRefresh:!0,preloadedConnection:e.preloadedConnection});if(m.kind==="connect_required")return ys(m.payload);let w=await hs(m.credential);return w===void 0?{kind:"upstream_auth_rejected",status:401,message:"Upstream credential did not produce tokens after refresh."}:qm({request:gs({upstreamUrl:t.mcpUrl,headers:w}),upstreamUrl:t.mcpUrl,headers:w})}n(Mm,"checkUpstreamRouteReadinessImpl");function bs(e){return(Em??Mm)(e)}n(bs,"checkUpstreamRouteReadiness");function Dm(e){try{return new URL(e).host}catch{return}}n(Dm,"safeUrlHost");function Rs(e){return e!==void 0&&e.length>0}n(Rs,"hasItems");function jm(e){let t=e.serverInfo?.icons;if(Rs(t))return t;let r=sr(e.mcpUrl);return r===void 0?void 0:[r]}n(jm,"readServerIcons");async function zm(e){let{authConfig:t,authMode:r,description:o,displayName:i,mcpUrl:a,ownerMode:s,upstreamServerId:c,authProfileId:u}=e.registeredConnection,l=s==="user",m=l&&r!=="id-jag",w=e.readiness??(l?Bo(e.connection):{connected:!0,status:"active"}),P=m?e.readiness?.connectUrl??(e.returnTo!==void 0?await tn({requestUrl:e.requestUrl,requestHeaders:e.requestHeaders,owner:e.userOwner,initiatedBySubjectId:e.transaction.principal.subjectId,upstreamServerId:c,authProfileId:u,operationId:e.route.operationId,returnTo:e.returnTo}):void 0):void 0,y=t.mode==="id-jag"?t.idJag.scopes:t.oauth.scopes;return{upstreamServerId:c,authProfileId:u,authMode:r,ownerMode:s,upstreamDisplayName:i,description:o,transportHost:Dm(a),scopesRequested:Rs(y)?y:void 0,serverIcons:jm(e.registeredConnection),status:w.status,connected:w.connected,capabilities:{tools:[],prompts:[],resources:[]},connectUrl:P,setupMessage:e.setupMessage,updatedAt:l&&"updatedAt"in w&&w.updatedAt!==void 0?w.updatedAt:void 0,expiresAt:e.readiness?.expiresAt??e.connection?.expiresAt}}n(zm,"buildSetupRequirement");function Is(e){let t=ee().byOperationId.get(e);if(!t)throw b("unknown_mcp_route",`Unknown MCP route: ${e}`);return t}n(Is,"requireRoute");async function kn(e){let t=Is(e.transaction.operationId),r=Fe(e.transaction.principal.subjectId),o=t.connection;if(o===void 0)return[];let a=o.ownerMode==="user"?(await R().batchGetUpstreamConnections([{owner:r,upstreamServerId:o.upstreamServerId,authProfileId:o.authProfileId}]))[0]:void 0,s=await bs({requestUrl:e.requestUrl,requestHeaders:e.requestHeaders,route:t,subjectId:e.transaction.principal.subjectId,preloadedConnection:a,returnTo:e.returnTo}),c="connectionStatus"in s?s.connectionStatus:void 0,u=(s.kind==="connect_required"||s.kind==="admin_setup_required")&&s.payload.authUrl!==void 0?s.payload.authUrl:void 0,l=s.kind==="admin_setup_required"?s.payload.message:void 0;return[await zm({connection:a,registeredConnection:o,route:t,requestUrl:e.requestUrl,requestHeaders:e.requestHeaders,returnTo:e.returnTo,transaction:e.transaction,userOwner:r,setupMessage:l,readiness:c===void 0?void 0:{...c,connectUrl:u}})]}n(kn,"requirementsForSetup");async function xn(e){let t=Is(e.transaction.operationId),r=await R().readClient({clientId:e.transaction.clientId}),o=r.kind==="found"?r.client:void 0,i={gatewayOrigin:M(e.requestUrl,e.requestHeaders),routeDisplayName:t.connection?.displayName??t.operationId,clientDisplayName:o?.clientName??String(e.transaction.clientId),principalLabel:e.transaction.principal.subjectId},a=t.connection?.description;return a!==void 0&&(i.routeDescription=a),i}n(xn,"consentContext");function Tn(e){return e.some(t=>t.ownerMode==="user"&&t.status!=="active")}n(Tn,"hasUnresolvedUserUpstream");var Hm=["mcp_user"],Bm="dev-browser-user",Lm=["resource is required for /oauth/authorize.","MCP clients should start at the MCP server URL and follow its WWW-Authenticate resource_metadata link.","If your client reached this endpoint directly, use /oauth/authorize/{routePath} where {routePath} is the published MCP route path without a leading slash and each segment is URL-encoded as needed, for example /oauth/authorize/mcp/linear, or add resource={protected resource URI from protected-resource metadata}."].join(" "),Nm=d.object({response_type:d.literal("code"),client_id:d.string().min(1),redirect_uri:d.string().min(1),resource:d.url(),code_challenge:d.string().min(43),code_challenge_method:no,state:d.string().min(1).optional(),scope:d.literal(D).default(D)}),Jm=d.enum(["continue","approve","cancel"]).default("continue"),Gm=d.object({state:d.string().min(1),decision:Jm}),xe=class extends Error{static{n(this,"DownstreamAuthorizeRedirectError")}redirectUri;clientState;errorCode;errorDescription;constructor(t){super(t.errorDescription?`${t.errorCode}: ${t.errorDescription}`:t.errorCode,t.cause===void 0?void 0:{cause:t.cause}),this.name="DownstreamAuthorizeRedirectError",this.redirectUri=t.redirectUri,this.clientState=t.clientState,this.errorCode=t.errorCode,this.errorDescription=t.errorDescription}};function Cs(e){return typeof e=="string"&&e.length>0?e:void 0}n(Cs,"readQueryString");function Fm(e,t){let r=Cs(e.query.resource);if(t===void 0){if(r!==void 0)return r;throw new f("invalid_target",Lm)}let o=Uo(t,e.url,e.headers);if(r===void 0||r===o)return o;throw new f("invalid_target","resource must match the scoped OAuth authorization endpoint resource.")}n(Fm,"requireAuthorizeResource");async function $m(e,t){let r={};t!==void 0&&(r.context=t);let o=await wr(e,r);if(o.principal)return{principal:o.principal};if(!e.user)return o.evictCookie===void 0?{}:{setCookie:o.evictCookie};let i=Ka(e);return{principal:i,setCookie:await br({principal:i,requestUrl:e.url,requestHeaders:e.headers})}}n($m,"resolveBrowserPrincipal");async function Zm(e,t){let r={};t!==void 0&&(r.context=t);let o=await wr(e,r);if(!o.principal)throw b("authentication_required","Authorization setup requires a current browser session.");return o.principal}n(Zm,"requireSetupPrincipal");function Ss(e){return`${L().actionPath("/oauth/setup")}?state=${encodeURIComponent(e)}`}n(Ss,"buildSetupReturnTo");async function vs(e){let t=await kn({transaction:e.transaction,requestUrl:e.requestUrl,requestHeaders:e.requestHeaders,returnTo:Ss(e.csrfToken)}),r=await xn({transaction:e.transaction,requestUrl:e.requestUrl,requestHeaders:e.requestHeaders}),o={kind:"setup_page",html:Sn({state:e.csrfToken,operationId:e.transaction.operationId,gateway:L(),upstreams:t,...r})};return e.setCookie!==void 0&&(o.setCookie=e.setCookie),o}n(vs,"renderSetup");function Km(e){if(e===void 0)return;let t=e.metadata.token_endpoint_auth_method;return{clientId:e.clientId,clientName:e.metadata.client_name,tokenEndpointAuthMethod:t}}n(Km,"toAuthorizationTransactionClient");async function Un(e,t={}){let r=Nm.parse({...e.query,resource:Fm(e,t.operationId),state:Cs(e.query.state)}),o=ct(r.scope);st(r.redirect_uri,"invalid_request");let i=new Date,a=ue.parse(r.client_id),s=await Rr(r.client_id,i);ns(s,r.redirect_uri);try{let c=je(e.url,r.resource,e.headers),u=Km(s);t.context?.log.info({event:"oauth_authorize_request_parsed",clientId:a,operationId:c.operationId,scope:o,hasClientState:r.state!==void 0},"Downstream OAuth authorize: request parsed and client resolved"),t.context&&v(t.context,{eventType:C.MCP_OAUTH_AUTHORIZE_STARTED,outcome:"success",virtualServerName:c.operationId,attributes:{clientId:a,scope:o,responseType:r.response_type}});let l={clientId:s?.clientId??a,...u===void 0?{}:{client:u},redirectUri:r.redirect_uri,resource:r.resource,operationId:c.operationId,scope:o,codeChallenge:r.code_challenge,codeChallengeMethod:r.code_challenge_method,...r.state===void 0?{}:{clientState:r.state}},{principal:m,setCookie:w}=await $m(e,t.context),P=m===void 0?!1:await In({operationId:c.operationId,principal:m});if(!m||P){let E=await Ha({transaction:l,requestUrl:e.url,requestHeaders:e.headers,now:i});t.context?.log.info({event:"oauth_authorize_awaiting_login",clientId:a,operationId:c.operationId,reason:m?"id_jag_subject_binding_missing":"no_browser_session"},"Downstream OAuth authorize: redirecting to browser login");let x={kind:"redirect",location:E.browserLoginUrl};return w!==void 0&&(x.setCookie=w),x}let y=await Ba({transaction:l,principal:m,now:i});return t.context?.log.info({event:"oauth_authorize_awaiting_setup",clientId:a,operationId:c.operationId,subjectId:m.subjectId},"Downstream OAuth authorize: rendering consent/setup page"),t.context&&v(t.context,{eventType:C.MCP_OAUTH_AUTHORIZE_AWAITING_SETUP,outcome:"success",virtualServerName:c.operationId,attributes:{clientId:a,scope:o,responseType:r.response_type,subjectId:m.subjectId}}),vs({transaction:y.transaction,csrfToken:y.csrfToken,requestUrl:e.url,requestHeaders:e.headers,setCookie:w})}catch(c){throw Wm({redirectUri:r.redirect_uri,clientState:r.state,cause:c})}}n(Un,"authorizeDownstreamClient");function Wm(e){if(e.cause instanceof xe)return e.cause;let t=Vm(e.cause);return t?new xe({redirectUri:e.redirectUri,clientState:e.clientState,errorCode:t.errorCode,errorDescription:t.errorDescription,cause:e.cause}):e.cause}n(Wm,"toDownstreamAuthorizeRedirectError");function Vm(e){if(e instanceof f)return{errorCode:e.errorCode,errorDescription:e.message};if(e instanceof d.ZodError){let t=e.issues[0];return{errorCode:t?.path.includes("resource")?"invalid_target":"invalid_request",errorDescription:t?.message}}}n(Vm,"mapToOAuthRedirectError");async function As(e,t={}){let r=typeof e.query.error=="string"?e.query.error:void 0;if(r){let l=typeof e.query.error_description=="string"?e.query.error_description.slice(0,256):void 0,m=typeof e.query.error_uri=="string"?e.query.error_uri.slice(0,256):void 0;throw t.context?.log.warn({event:"browser_login_callback_idp_error",code:"provider_access_denied",idpError:r,...l===void 0?{}:{idpErrorDescription:l},...m===void 0?{}:{idpErrorUri:m}},"Identity provider redirected browser-login callback with an error"),b("provider_access_denied",l??"The delegated browser login was not completed.")}let o=typeof e.query.state=="string"?e.query.state:void 0;if(!o)throw t.context?.log.warn({event:"browser_login_callback_state_missing",code:"oauth_state_invalid"},"Browser login callback was invoked without a state parameter"),b("oauth_state_invalid","Browser login callback is missing state.");let i=await hn(o),a={request:e,stateId:i.stateId};t.context!==void 0&&(a.context=t.context);let s=await Wa(a),c=await La({browserLoginStateToken:o,principal:s.principal});if(await as({transaction:c.transaction,principal:s.principal,subjectToken:s.subjectToken}),await In({operationId:c.transaction.operationId,principal:s.principal}))throw b("browser_login_verification_failed","The identity provider did not return the subject token required for XAA / ID-JAG.");let u=await vs({transaction:c.transaction,csrfToken:c.csrfToken,requestUrl:e.url,requestHeaders:e.headers});return u.setCookie=await br({principal:s.principal,requestUrl:e.url,requestHeaders:e.headers}),u}n(As,"completeBrowserLoginCallback");async function ks(e){let t=J(),r=new URL(e.url);if(!K(r))throw b("forbidden","Local browser login is only available on loopback HTTP origins.");let o=typeof e.query.state=="string"?e.query.state:void 0;if(!o)throw b("oauth_state_invalid","Local browser login is missing state.");let i=L().actionPath("/oauth/callback"),a=new URL(typeof e.query.redirect_uri=="string"?e.query.redirect_uri:i,M(e.url)),s=new URL(M(e.url)).origin;if(a.origin!==s||a.pathname!==i)throw b("oauth_callback_mismatch",`Local browser login redirect_uri must target this gateway's ${i} route.`);a.searchParams.set("state",o);let c={subjectId:ut.parse(Bm),roles:Hm};return{kind:"redirect",location:a,setCookie:await br({principal:c,requestUrl:e.url,requestHeaders:e.headers})}}n(ks,"completeLocalDevBrowserLogin");function Ym(e){let t=e.method==="POST"?e.body:e.query;return Gm.parse(t)}n(Ym,"readSetupContinueRequest");async function xs(e){let{state:t,decision:r}=Ym({method:e.request.method,query:e.request.query,body:e.body}),o=new Date,i=await _n({csrfToken:t,now:o}),a=await Zm(e.request,e.context);if(r==="cancel")return{kind:"redirect",location:await Ga({csrfToken:t,currentBrowserPrincipal:a,now:o})};let s=await Na({csrfToken:t,currentBrowserPrincipal:a,now:o}),c=await kn({transaction:s,requestUrl:e.request.url,requestHeaders:e.request.headers,returnTo:Ss(t)});if(r==="approve"&&Tn(c)&&await ja({csrfToken:t,currentBrowserPrincipal:a,now:o}),Tn(c)){let u=await xn({transaction:s,requestUrl:e.request.url,requestHeaders:e.request.headers});return{kind:"setup_page",html:Sn({state:t,operationId:s.operationId,gateway:L(),upstreams:c,...u})}}return{kind:"redirect",location:await Ja({csrfToken:t,currentBrowserPrincipal:a,now:o})}}n(xs,"continueDownstreamAuthorizeSetup");Z();import{createLocalJWKSet as lf,decodeJwt as pf,errors as qt,jwtVerify as mf}from"jose";Z();import{createRemoteJWKSet as Xm,decodeJwt as Qm,decodeProtectedHeader as ef,errors as Ot,jwtVerify as tf}from"jose";var Os=30,U=d.string().min(1),rf=d.union([U,d.array(U).min(1)]),nf=d.union([U,d.array(U).min(1)]),of=d.object({type:U,locations:d.array(U).optional(),actions:d.array(U).optional(),datatypes:d.array(U).optional(),identifier:U.optional(),privileges:d.array(U).optional()}).passthrough(),af=d.object({iss:d.url(),sub:U,aud:rf,client_id:U,resource:nf.optional(),scope:U.optional(),authorization_details:d.array(of).optional(),jti:U,iat:d.number().int(),nbf:d.number().int().optional(),exp:d.number().int(),tenant:U.optional(),aud_tenant:U.optional(),aud_sub:U.optional(),sub_id:U.optional(),act:d.unknown().optional(),email:U.optional(),auth_time:d.number().int().optional(),acr:U.optional(),amr:d.array(U).optional(),cnf:d.unknown().optional()}).passthrough();function Y(e){throw new f("invalid_grant",e)}n(Y,"throwInvalidGrant");function sf(e){return e instanceof Ot.JWTExpired?"expired":e instanceof Ot.JWTClaimValidationFailed?"claim":e instanceof Ot.JWSSignatureVerificationFailed?"signature":e instanceof Ot.JWKSNoMatchingKey?"jwks_no_match":e instanceof Ot.JWTInvalid?"invalid":e instanceof d.ZodError?"schema":"other"}n(sf,"readJwtFailureKind");function cf(e){return Array.isArray(e.aud)?(e.aud.length!==1&&Y("ID-JAG audience must contain exactly one value."),e.aud[0]):e.aud}n(cf,"readSingleAudience");function Ts(e){try{let t=af.parse(e);return cf(t),t}catch(t){if(t instanceof f)throw t;Y("ID-JAG claims are invalid.")}}n(Ts,"parseIdJagClaims");function df(e,t){e.idJag.enabled||Y("ID-JAG grant is not enabled.");let r=e.idJag.trustedIssuers.find(o=>o.issuer===t);return r===void 0&&Y("ID-JAG issuer is not trusted."),r}n(df,"readTrustedIssuer");function uf(e){let t=e.authorizationDetails;if(t===void 0)return;if(e.allowedTypes===void 0)return t;let r=new Set(e.allowedTypes);return t.filter(o=>r.has(o.type))}n(uf,"readGrantedAuthorizationDetails");function Us(e){if(e.clientAuth.method==="none")throw new f("invalid_client","Client authentication failed.");e.claims.client_id!==e.authenticatedClientId&&Y("ID-JAG client_id must match the authenticated client."),e.trustedIssuer.expectedClientIds!==void 0&&!e.trustedIssuer.expectedClientIds.includes(e.claims.client_id)&&Y("ID-JAG client_id is not allowed for this issuer.")}n(Us,"assertClientBinding");function Ps(e){e.cnf!==void 0&&Y("ID-JAG cnf-bound assertions require DPoP support.")}n(Ps,"assertProofOfPossessionNotDeferred");function Es(e){let t=Math.floor(e.now.getTime()/1e3)+Os;e.claims.iat>t&&Y("ID-JAG iat must not be in the future.")}n(Es,"assertIssuedAtNotInFuture");async function qs(e){let t;try{t=ef(e.assertion)}catch{Y("ID-JAG assertion is malformed.")}t.typ!==Tr&&Y('ID-JAG header typ must be "oauth-id-jag+jwt".');let r;try{r=Ts(Qm(e.assertion))}catch(c){if(c instanceof f)throw c;Y("ID-JAG assertion is malformed.")}let o=$e(e.requestUrl,e.requestHeaders),i=[o];e.requestedResource!==void 0&&e.requestedResource!==o&&i.push(e.requestedResource);let a=df(e.config,r.iss);i.includes(r.iss)&&Y("ID-JAG issuer must be different from the gateway."),Us({claims:r,trustedIssuer:a,authenticatedClientId:e.authenticatedClientId,clientAuth:e.clientAuth}),Ps(r),Es({claims:r,now:e.now});let s;try{let c=Xm(new URL(a.jwksUrl)),{payload:u}=await tf(e.assertion,c,{issuer:a.issuer,audience:i,currentDate:e.now,clockTolerance:Os,typ:Tr});s=Ts(u)}catch(c){e.context?.log.warn({event:"oauth_id_jag_verification_failed",issuer:a.issuer,failureKind:sf(c)},"OAuth ID-JAG assertion verification failed"),Y("ID-JAG assertion verification failed.")}return Us({claims:s,trustedIssuer:a,authenticatedClientId:e.authenticatedClientId,clientAuth:e.clientAuth}),Ps(s),Es({claims:s,now:e.now}),{claims:s,trustedIssuer:a,subjectId:Po({issuer:s.iss,subject:s.sub,gatewayIssuer:o,subjectMapping:a.subjectMapping,tenant:s.tenant}),grantedAuthorizationDetails:uf({authorizationDetails:s.authorization_details,allowedTypes:e.config.idJag.enabled?e.config.idJag.authorizationDetailsTypesAllowed:void 0})}}n(qs,"verifyIdJagAssertion");var ff=new Set(["authorization_code","refresh_token",Re]),hf=1e4,gf=32*1024,yf=2,_f=3600,Pn=d.object({client_id:d.string().min(1).optional(),client_secret:d.string().min(1).optional(),client_assertion_type:d.string().min(1).optional(),client_assertion:d.string().min(1).optional()}),wf=d.discriminatedUnion("grant_type",[Pn.extend({grant_type:d.literal("authorization_code"),code:d.string().min(1),redirect_uri:d.string().min(1),code_verifier:Ne,resource:d.url().optional(),scope:d.literal(D).optional()}),Pn.extend({grant_type:d.literal("refresh_token"),refresh_token:d.string().min(1),resource:d.url().optional(),scope:d.literal(D).optional()}),Pn.extend({grant_type:d.literal(Re),assertion:d.string().min(1),resource:d.url().optional(),scope:d.literal(D).optional(),authorization_details:d.string().min(1).optional()})]);function bf(e){if(typeof e!="object"||e===null)return;let t=e.grant_type;if(t!==void 0&&(typeof t!="string"||!ff.has(t)))throw new f("unsupported_grant_type",`Grant type "${typeof t=="string"?t:""}" is not supported.`)}n(bf,"assertSupportedGrantType");var Rf=d.object({token:d.string().min(1),client_id:d.string().min(1).optional(),token_type_hint:d.string().optional(),client_secret:d.string().min(1).optional(),client_assertion_type:d.string().min(1).optional(),client_assertion:d.string().min(1).optional()}),If=d.object({keys:d.array(d.record(d.string(),d.unknown())).min(1)}).passthrough();function Ds(){return J().gateway.accessTokenTtlSeconds}n(Ds,"readAccessTokenTtlSeconds");function Cf(){return J().gateway.refreshTokenTtlSeconds}n(Cf,"readRefreshTokenTtlSeconds");function Ms(e,t){let r=Ds(),o=Math.max(1,Math.floor((new Date(t).getTime()-e.getTime())/1e3)),i=Math.min(r,o);return{expiresAt:I(de(e,i)),expiresIn:i}}n(Ms,"calculateAccessTokenExpiresAt");function Sf(e){let t=e.claimedResource===void 0?[]:Array.isArray(e.claimedResource)?e.claimedResource:[e.claimedResource];if(e.requestedResource!==void 0){if(t.length>0&&!t.includes(e.requestedResource))throw new f("invalid_target","Token request resource must match the ID-JAG resource.");return e.requestedResource}if(t.length===0)throw new f("invalid_target","resource is required for the ID-JAG JWT bearer grant.");if(t.length!==1)throw new f("invalid_target","ID-JAG resource arrays require a token request resource.");return t[0]}n(Sf,"readIdJagResource");function vf(e){if(e.claimAuthorizationDetails===void 0)return;let t=(e.grantedAuthorizationDetails??[]).filter(r=>r.locations?.includes(e.resource)===!0);if(t.length===0)throw new f("invalid_grant","ID-JAG authorization_details must authorize the requested resource.");return t}n(vf,"readIdJagGrantedAuthorizationDetails");function Af(e){if(e.claimScope?.split(/\s+/).includes(D)===!0||(e.grantedAuthorizationDetails?.length??0)>0)return D;if(e.claimScope===void 0)throw new f("invalid_grant",`ID-JAG must include ${D} scope or matching authorization_details.`);if(!e.claimScope.split(/\s+/).includes(D))throw new f("invalid_grant",`ID-JAG scope must include ${D}.`);return D}n(Af,"readIdJagGrantedScope");function kf(e){if(e!==void 0&&e.get("dpop")!==null)throw new f("invalid_request","DPoP proofs are not supported for the ID-JAG JWT bearer grant.")}n(kf,"assertNoDpopProofForIdJag");function js(e){if(!e?.startsWith("Basic "))return{};let t;try{t=atob(e.slice(6))}catch{throw new f("invalid_client","Malformed HTTP Basic client authentication.")}let r=t.indexOf(":");if(r<0)throw new f("invalid_client","Malformed HTTP Basic client authentication.");try{return{clientId:decodeURIComponent(t.slice(0,r)),clientSecret:decodeURIComponent(t.slice(r+1))}}catch{throw new f("invalid_client","Malformed HTTP Basic client authentication.")}}n(js,"readBasicClientSecret");function zs(e){if(e.basicClientId!==void 0&&e.bodyClientId!==void 0&&e.basicClientId!==e.bodyClientId)throw new f("invalid_request","Authenticated client_id must match request client_id.");let t=e.basicClientId??e.bodyClientId;if(t!==void 0)return t;if(e.clientAssertion!==void 0){try{let r=pf(e.clientAssertion);if(typeof r.iss=="string"&&typeof r.sub=="string"&&r.iss===r.sub)return r.iss}catch{throw new f("invalid_client","Malformed private_key_jwt client assertion.")}throw new f("invalid_client","private_key_jwt client assertion must identify the client with matching iss and sub claims.")}throw new f("invalid_client","Client authentication or client_id is required.")}n(zs,"resolveAuthenticatedClientId");function xf(e){if(e.basicClientSecret!==void 0&&e.bodyClientSecret!==void 0)throw new f("invalid_request","Use only one client authentication method per request.");return e.basicClientSecret!==void 0?{clientSecret:e.basicClientSecret,clientSecretSource:"basic"}:e.bodyClientSecret!==void 0?{clientSecret:e.bodyClientSecret,clientSecretSource:"post"}:{}}n(xf,"resolveClientSecretInput");function Tf(e){return e.clientAssertion!==void 0||e.clientAssertionType!==void 0}n(Tf,"hasClientAssertion");function Uf(e){if(e.requestUrl===void 0)throw new f("invalid_request","Request URL is required for private_key_jwt client authentication.");let t=new URL(L().actionPath(e.pathname),M(e.requestUrl,e.requestHeaders));return t.search="",t.hash="",t.toString()}n(Uf,"buildEndpointAudience");function Pf(e){return e instanceof qt.JWTExpired?"expired":e instanceof qt.JWTClaimValidationFailed?"claim":e instanceof qt.JWSSignatureVerificationFailed?"signature":e instanceof qt.JWKSNoMatchingKey?"jwks_no_match":e instanceof qt.JWTInvalid?"invalid":e instanceof d.ZodError?"schema":"other"}n(Pf,"readJwtFailureKind");async function Ef(e){let{response:t,json:r}=await gi(e.jwksUri,{headers:{accept:"application/json"}},{context:e.context,maxRedirects:yf,maxResponseBytes:gf,timeoutMs:hf});if(!t.ok)throw new f("invalid_client","Client JWKS could not be fetched.");return If.parse(r)}n(Ef,"fetchClientJwks");async function Of(e){if(e.clientAssertionType!==Wt||e.clientAssertion===void 0)throw new f("invalid_request","private_key_jwt client authentication requires a JWT bearer client_assertion and client_assertion_type.");let t=ue.parse(e.clientId),r=await Rr(t,e.now);if(r.metadata.token_endpoint_auth_method!=="private_key_jwt")throw new f("invalid_client","Client is not registered for private_key_jwt authentication.");let o=r.metadata.jwks_uri;if(o===void 0)throw new f("invalid_client","Client JWKS URI is required for private_key_jwt authentication.");let i=Uf({requestUrl:e.requestUrl,requestHeaders:e.requestHeaders,pathname:e.endpointPathname});try{let a=await Ef({jwksUri:o,context:e.context}),{payload:s}=await mf(e.clientAssertion,lf(a),{issuer:t,subject:t,audience:i,currentDate:e.now}),c=Math.floor(e.now.getTime()/1e3)+_f;if(typeof s.exp!="number"||s.exp>c)throw new f("invalid_client","Client authentication failed.")}catch(a){throw e.context?.log.warn({event:"oauth_private_key_jwt_client_auth_failed",clientId:t,failureKind:Pf(a)},"OAuth private_key_jwt client authentication failed"),new f("invalid_client","Client authentication failed.")}return{method:"private_key_jwt",clientId:t}}n(Of,"verifyPrivateKeyJwtClientAssertion");async function qf(e){let t=ue.parse(e.clientId);if(jo(t))throw new f("invalid_client","Client is registered for private_key_jwt authentication.");return e.clientSecret===void 0?{method:"none",clientId:t}:{method:e.clientSecretSource==="post"?"client_secret_post":"client_secret_basic",clientId:t,clientSecretHashInput:await T(e.clientSecret)}}n(qf,"buildRuntimeHttpClientAuth");async function Hs(e){if(Tf({clientAssertion:e.clientAssertion,clientAssertionType:e.clientAssertionType})){if(e.basicClientSecret!==void 0||e.bodyClientSecret!==void 0)throw new f("invalid_request","Use only one client authentication method per request.");return Of(e)}let t=xf({basicClientSecret:e.basicClientSecret,bodyClientSecret:e.bodyClientSecret});return qf({clientId:e.clientId,...t})}n(Hs,"resolveRuntimeHttpClientAuth");async function Bs(e){bf(e.body);let t=wf.parse(e.body),r=js(e.authorizationHeader),o=zs({basicClientId:r.clientId,bodyClientId:t.client_id,clientAssertion:t.client_assertion}),i=new Date,a=await Hs({clientId:o,basicClientSecret:r.clientSecret,bodyClientSecret:t.client_secret,clientAssertion:t.client_assertion,clientAssertionType:t.client_assertion_type,requestUrl:e.requestUrl,requestHeaders:e.requestHeaders,endpointPathname:"/oauth/token",now:i,context:e.context});return Mf({parsed:t,clientId:o,clientAuth:a,now:i,requestUrl:e.requestUrl,requestHeaders:e.requestHeaders,context:e.context})}n(Bs,"exchangeDownstreamToken");async function Mf(e){if(e.parsed.grant_type==="authorization_code"){st(e.parsed.redirect_uri,"invalid_request"),ct(e.parsed.scope),e.parsed.resource!==void 0&&je(e.requestUrl??e.parsed.resource,e.parsed.resource,e.requestHeaders);let c=le(),u=le(),l=I(de(e.now,Cf())),m=Ms(e.now,l),w=await R().exchangeAuthorizationCode({clientAuth:e.clientAuth,codeHash:await T(e.parsed.code),redirectUri:e.parsed.redirect_uri,resource:e.parsed.resource,codeChallenge:await Qt(e.parsed.code_verifier),currentRefreshTokenHash:await T(c),accessTokenHash:await T(u),grantExpiresAt:l,accessTokenExpiresAt:m.expiresAt,now:I(e.now)});if(w.kind==="invalid_client")throw new f("invalid_client","Client authentication failed.");if(w.kind==="resource_mismatch")throw new f("invalid_target","Token request resource must match the authorization code resource.");if(w.kind!=="exchanged")throw new f("invalid_grant","Authorization code is invalid, expired, already used, or failed binding validation.");return e.context&&v(e.context,{eventType:C.MCP_OAUTH_TOKEN_ISSUED,outcome:"success",attributes:{clientId:e.clientId,grantType:"authorization_code"}}),{access_token:u,token_type:"Bearer",expires_in:m.expiresIn,refresh_token:c,scope:w.grant.scope,resource:w.grant.resource}}if(e.parsed.grant_type===Re){ct(e.parsed.scope),kf(e.requestHeaders);let c=await qs({assertion:e.parsed.assertion,authenticatedClientId:e.clientId,clientAuth:e.clientAuth,requestUrl:e.requestUrl??e.parsed.resource??"",requestHeaders:e.requestHeaders,requestedResource:e.parsed.resource,now:e.now,context:e.context,config:J()}),u=Sf({claimedResource:c.claims.resource,requestedResource:e.parsed.resource}),l=je(e.requestUrl??u,u,e.requestHeaders),m=vf({claimAuthorizationDetails:c.claims.authorization_details,grantedAuthorizationDetails:c.grantedAuthorizationDetails,resource:u}),w=Af({claimScope:c.claims.scope,grantedAuthorizationDetails:m}),P=le(),y=I(new Date(c.claims.exp*1e3)),E=Ms(e.now,y),x=await R().issueAccessTokenForIdJag({clientAuth:e.clientAuth,accessTokenHash:await T(P),subjectId:c.subjectId,resource:u,operationId:l.operationId,scope:w,authorizationDetails:m,accessTokenExpiresAt:E.expiresAt,now:I(e.now),idJag:{issuer:c.claims.iss,jti:c.claims.jti,tenant:c.claims.tenant,expiresAt:y}});if(x.kind==="invalid_client")throw new f("invalid_client","Client authentication failed.");if(x.kind==="resource_mismatch")throw new f("invalid_target","Token request resource must match the ID-JAG resource.");return e.context&&v(e.context,{eventType:C.MCP_OAUTH_TOKEN_ISSUED,outcome:"success",attributes:{clientId:e.clientId,grantType:"jwt-bearer"}}),{access_token:P,token_type:"Bearer",expires_in:E.expiresIn,scope:x.grant.scope,resource:x.grant.resource,...m===void 0?{}:{authorization_details:m}}}ct(e.parsed.scope),e.parsed.resource!==void 0&&je(e.requestUrl??e.parsed.resource,e.parsed.resource,e.requestHeaders);let t=await T(e.parsed.refresh_token),r=e.parsed.refresh_token,o=le(),i=I(de(e.now,Ds())),a=await R().refreshToken({clientAuth:e.clientAuth,currentRefreshTokenHash:t,nextRefreshTokenHash:t,accessTokenHash:await T(o),resource:e.parsed.resource,accessTokenExpiresAt:i,now:I(e.now)});if(a.kind==="invalid_client")throw new f("invalid_client","Client authentication failed.");if(a.kind==="resource_mismatch")throw new f("invalid_target","Token request resource must match the refresh token grant resource.");if(a.kind!=="rotated")throw new f("invalid_grant","Refresh token is invalid, expired, or revoked.");je(e.requestUrl??a.grant.resource,a.grant.resource,e.requestHeaders);let s=a.accessToken.expiresAt;return e.context&&v(e.context,{eventType:C.MCP_OAUTH_TOKEN_ISSUED,outcome:"success",attributes:{clientId:e.clientId,grantType:"refresh_token"}}),{access_token:o,token_type:"Bearer",expires_in:Math.max(1,Math.floor((new Date(s).getTime()-e.now.getTime())/1e3)),refresh_token:r,scope:a.grant.scope,resource:a.grant.resource}}n(Mf,"exchangeDownstreamTokenWithRuntimeHttp");async function Ls(e){let t=Rf.parse(e.body),r=js(e.authorizationHeader),o=zs({basicClientId:r.clientId,bodyClientId:t.client_id,clientAssertion:t.client_assertion}),i=new Date;if((await R().revokeOAuthToken({clientAuth:await Hs({clientId:o,basicClientSecret:r.clientSecret,bodyClientSecret:t.client_secret,clientAssertion:t.client_assertion,clientAssertionType:t.client_assertion_type,requestUrl:e.requestUrl,requestHeaders:e.requestHeaders,endpointPathname:"/oauth/revoke",now:i,context:e.context}),tokenHash:await T(t.token),now:I(i)})).kind==="invalid_client")throw new f("invalid_client","Client authentication failed.");e.context?.log.info({event:"oauth_token_revoked",clientId:o,...t.token_type_hint===void 0?{}:{tokenTypeHint:t.token_type_hint}},"OAuth token revocation request processed"),e.context&&v(e.context,{eventType:C.MCP_OAUTH_TOKEN_REVOKED,outcome:"success",attributes:{clientId:o,...t.token_type_hint===void 0?{}:{tokenTypeHint:t.token_type_hint}}})}n(Ls,"revokeDownstreamToken");var Df=64*1024,jf=16*1024,zf="text/html; charset=utf-8";function Hf(e){let t={};for(let[r,o]of e.entries())t[r]=o;return t}n(Hf,"formDataToObject");async function Bf(e){return Sa(e,{maxBytes:Df,label:"Request body"})}n(Bf,"readJsonBody");async function On(e){return Hf(await va(e,{maxBytes:jf,label:"Request body"}))}n(On,"readFormBody");async function Js(e,t,r){let o=ce(r),i=r instanceof d.ZodError?Te(r):void 0,a={code:o??(r instanceof d.ZodError?"invalid_request":"internal_server_error")};return i!==void 0&&(a.detail=i),Jt(e,t,a)}n(Js,"handleProblem");function Gs(e){return e?.requestId}n(Gs,"readBrowserRequestId");function Fs(e){if(!(e instanceof h))return;let t=e.extensionMembers?.[Ge];return typeof t=="string"?t:void 0}n(Fs,"readUpstreamHtmlError");function Ns(e,t){let r=e.extensionMembers?.[t];return typeof r=="string"?r:void 0}n(Ns,"readRuntimeErrorExtensionString");function Lf(e,t){let r=e.extensionMembers?.[t];return typeof r=="number"?r:void 0}n(Lf,"readRuntimeErrorExtensionNumber");function Nf(e){try{return new URL(e.url).pathname}catch{return}}n(Nf,"readBrowserRequestPath");function ze(e){let t={code:e.code,requestId:e.requestId,routePath:Nf(e.request),underlyingError:e.underlyingError};return e.error instanceof h&&(t.httpStatus=Lf(e.error,_e),t.contentType=Ns(e.error,Je),t.upstreamUrl=Ns(e.error,we)),t}n(ze,"buildBrowserErrorDiagnostic");function Mt(e){let t=new Headers(e.headers);t.set("cache-control","no-store"),t.set("pragma","no-cache");let r={error:e.error};return e.errorDescription!==void 0&&(r.error_description=e.errorDescription),Response.json(r,{status:e.status??400,headers:t})}n(Mt,"oauthErrorResponse");function Jf(e,t){return e.errorCode!=="invalid_client"?{}:t.includeInvalidClientChallenge===!1?{}:{"WWW-Authenticate":'Basic realm="OAuth"'}}n(Jf,"readOAuthProtocolHeaders");function Gf(e,t){let r=re("internal_server_error");return Mt({error:e.errorCode,errorDescription:e.errorCode==="server_error"?r.publicDetail:e.message,status:e.status,headers:Jf(e,t)})}n(Gf,"oauthProtocolErrorResponse");function En(e){return e.issues[0]?.path.includes("resource")===!0?"invalid_target":"invalid_request"}n(En,"readZodOAuthErrorCode");function Ff(e){let t={error:En(e)},r=Te(e);return r!==void 0&&(t.errorDescription=r),Mt(t)}n(Ff,"oauthZodErrorResponse");function $f(e){let t=ce(e);if(t===void 0)return;let r=re(t);if(r.oauthError===void 0)return;let o={error:r.oauthError,status:Kf(r.oauthError)};return r.oauthError==="server_error"?o.errorDescription=r.publicDetail:e instanceof Error?o.errorDescription=e.message:o.errorDescription=r.publicDetail,Mt(o)}n($f,"oauthGatewayProblemResponse");function Zf(){let t={error:"server_error",status:500,errorDescription:re("internal_server_error").publicDetail};return Mt(t)}n(Zf,"oauthFallbackErrorResponse");function Kf(e){switch(e){case"invalid_client":return 401;case"server_error":return 500;default:return 400}}n(Kf,"readOAuthStatus");function qn(e,t={}){return e instanceof xe?Ks(e):e instanceof f?Gf(e,t):e instanceof d.ZodError?Ff(e):$f(e)??Zf()}n(qn,"oauthProblemResponse");function Mn(e,t,r){let o=it(e.url),i=Gs(t);if(r instanceof xe)return Ks(r);if(r instanceof f){let c=re("internal_server_error");return ie({host:o,kind:Wf(r.errorCode),title:"Authorization failed",detail:r.errorCode==="server_error"?c.publicDetail:r.message,developerDetail:r.errorCode==="server_error"?c.publicDetail:r.message,code:r.errorCode,diagnostic:ze({request:e,requestId:i,code:r.errorCode,underlyingError:r.errorCode==="server_error"?c.publicDetail:r.message,error:r}),requestId:i,status:r.status})}if(r instanceof d.ZodError)return ie({host:o,kind:"invalid_request",detail:Te(r)??"The authorization request was invalid.",developerDetail:Te(r)??"The authorization request was invalid.",code:En(r),diagnostic:ze({request:e,requestId:i,code:En(r),underlyingError:Te(r)??"The authorization request was invalid.",error:r}),requestId:i});let a=ce(r);if(a!==void 0){let c=re(a);return ie({host:o,kind:Zs(a),detail:c.publicDetail,developerDetail:c.status>=500||!(r instanceof Error)?c.publicDetail:r.message,code:a,diagnostic:ze({request:e,requestId:i,code:a,underlyingError:c.status>=500||!(r instanceof Error)?c.publicDetail:r.message,error:r}),requestId:i,upstreamHtml:Fs(r),status:c.status})}let s=re("internal_server_error");return ie({host:o,kind:"internal_error",detail:s.publicDetail,developerDetail:s.publicDetail,code:"server_error",diagnostic:ze({request:e,requestId:i,code:"server_error",underlyingError:s.publicDetail,error:r}),requestId:i,status:s.status})}n(Mn,"browserOAuthProblemResponse");function $s(e,t,r){let o=it(e.url),i=Gs(t),a=ce(r);if(a!==void 0){let c=re(a);return ie({host:o,kind:Zs(a),detail:c.publicDetail,developerDetail:c.status>=500||!(r instanceof Error)?c.publicDetail:r.message,code:a,diagnostic:ze({request:e,requestId:i,code:a,underlyingError:c.status>=500||!(r instanceof Error)?c.publicDetail:r.message,error:r}),requestId:i,upstreamHtml:Fs(r),status:c.status})}if(r instanceof d.ZodError)return ie({host:o,kind:"invalid_request",detail:Te(r)??"The authorization request was invalid.",developerDetail:Te(r)??"The authorization request was invalid.",code:"invalid_request",diagnostic:ze({request:e,requestId:i,code:"invalid_request",underlyingError:Te(r)??"The authorization request was invalid.",error:r}),requestId:i});let s=re("internal_server_error");return ie({host:o,kind:"internal_error",detail:s.publicDetail,developerDetail:s.publicDetail,code:"internal_server_error",diagnostic:ze({request:e,requestId:i,code:"internal_server_error",underlyingError:s.publicDetail,error:r}),requestId:i,status:s.status})}n($s,"browserGatewayProblemResponse");function Wf(e){return e==="server_error"?"internal_error":"invalid_request"}n(Wf,"readOAuthBrowserErrorKind");function Zs(e){if(re(e).status>=500)return"internal_error";switch(e){case"mcp_route_not_enabled":case"unknown_upstream_server":case"unknown_mcp_route":case"unknown_auth_profile":case"mcp_route_upstream_mismatch":return"configuration_error";case"provider_access_denied":return"access_denied";case"oauth_state_invalid":case"oauth_state_expired":case"oauth_state_reused":case"oauth_callback_mismatch":return"session_expired";case"upstream_oauth_discovery_unavailable":case"upstream_provider_access_denied":case"upstream_client_registration_required":return"admin_required";case"browser_login_verification_failed":case"upstream_token_exchange_failed":case"upstream_token_response_invalid":return"connection_failed";case"invalid_request":case"authentication_required":case"forbidden":case"not_found":case"too_many_requests":case"identity_context_missing":return"invalid_request";case"upstream_capability_invocation_failed":case"upstream_capability_unavailable":case"upstream_import_failed":return"connection_failed";case"internal_server_error":return"internal_error"}return"authorization_failed"}n(Zs,"readGatewayBrowserErrorKind");function he(e,t,r){let o={event:t},i=!1;if(r instanceof f)o.oauthError=r.errorCode,o.status=r.status,G(o,"error",r);else if(r instanceof xe)o.oauthError=r.errorCode,G(o,"error",r);else if(r instanceof d.ZodError){o.code="invalid_request",G(o,"error",r);let a=r.issues[0];a&&(o.zodPath=a.path.join("."))}else{let a=ce(r);if(a!==void 0){let s=re(a);o.code=a,o.status=s.status,s.oauthError!==void 0&&(o.oauthError=s.oauthError),i=s.status>=500||s.oauthError==="server_error",G(o,"error",r)}else i=!0,G(o,"error",r)}if(i){let a=r instanceof Error?r:new Error("Non-Error thrown from OAuth handler",{cause:r});e.log.error(o,a.message)}else e.log.warn(o,"OAuth handler rejected the request")}n(he,"logUnexpectedOAuthHandlerError");function Ks(e){let t;try{t=new URL(e.redirectUri)}catch{return Mt({error:e.errorCode,...e.errorDescription===void 0?{}:{errorDescription:e.errorDescription}})}t.searchParams.set("error",e.errorCode),e.errorDescription!==void 0&&t.searchParams.set("error_description",e.errorDescription),e.clientState!==void 0&&t.searchParams.set("state",e.clientState);let r=new Headers({location:t.toString(),"cache-control":"no-store"});return new Response(null,{status:302,headers:r})}n(Ks,"downstreamAuthorizeRedirectErrorResponse");function Te(e){let t=e.issues[0];if(!t)return;let r=t.path.join(".");return r?`${r}: ${t.message}`:t.message}n(Te,"formatZodErrorDetail");function Vf(e,t){let r={event:"browser_login_callback_failed",code:ce(t)??"invalid_request"};G(r,"error",t),e.log.warn(r,"Browser login callback failed; client received a connection-failure page")}n(Vf,"logBrowserLoginCallbackFailure");function Ws(e){e.location.hash||(e.location.hash="#");let t=new Headers({location:e.location.toString(),"cache-control":"no-store"});return e.setCookie&&t.append("set-cookie",e.setCookie),new Response(null,{status:302,headers:t})}n(Ws,"redirectResultResponse");function Cr(e){if(e.kind==="setup_page"){let t=new Headers({"content-type":zf,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"});return e.setCookie&&t.append("set-cookie",e.setCookie),new Response(e.html,{status:200,headers:t})}return Ws(e)}n(Cr,"authorizeResultResponse");async function Vs(e,t){try{return Response.json(ko(e.url,e.headers))}catch(r){return he(t,"oauth_authorization_server_metadata_failed",r),Js(e,t,r)}}n(Vs,"authorizationServerMetadataHandler");async function Ys(e,t){try{let r=Dr(e.params.routePath);return Response.json(xo({operationId:r.operationId,requestUrl:e.url,requestHeaders:e.headers}))}catch(r){return he(t,"oauth_authorization_server_metadata_failed",r),Js(e,t,r)}}n(Ys,"scopedAuthorizationServerMetadataHandler");async function Xs(e,t){try{let r=await os(await Bf(e)),o=r.client_id,i=r.client_name,a=r.redirect_uris.length,s=r.token_endpoint_auth_method;return t.log.info({event:"oauth_dcr_client_registered",clientId:o,clientName:i,redirectUriCount:a,tokenEndpointAuthMethod:s},"OAuth Dynamic Client Registration completed"),v(t,{eventType:C.MCP_OAUTH_CLIENT_REGISTERED,outcome:"success",clientName:i,attributes:{clientId:o,redirectUriCount:a,tokenEndpointAuthMethod:s}}),Response.json(r,{status:201,headers:{"cache-control":"no-store"}})}catch(r){return he(t,"oauth_register_failed",r),qn(r)}}n(Xs,"registerHandler");async function Qs(e,t){try{return Cr(await Un(e,{context:t}))}catch(r){return he(t,"oauth_authorize_failed",r),Mn(e,t,r)}}n(Qs,"authorizeHandler");async function ec(e,t){try{let r=Dr(e.params.routePath);return Cr(await Un(e,{operationId:r.operationId,context:t}))}catch(r){return he(t,"oauth_authorize_scoped_failed",r),Mn(e,t,r)}}n(ec,"scopedAuthorizeHandler");async function tc(e,t){try{let r=await As(e,{context:t});return t.log.info({event:"browser_login_callback_completed",resultKind:r.kind},"Browser login callback completed; consent setup rendered"),Cr(r)}catch(r){return Vf(t,r),$s(e,t,r)}}n(tc,"callbackHandler");async function rc(e,t){try{return Ws(await ks(e))}catch(r){return he(t,"oauth_dev_login_failed",r),Mn(e,t,r)}}n(rc,"devLoginHandler");async function nc(e,t){try{if(!["GET","POST"].includes(e.method))return new Response(null,{status:405,headers:{allow:"GET, POST"}});let r=await xs({request:e,body:e.method==="POST"?await On(e):void 0,context:t});return Cr(r)}catch(r){return he(t,"oauth_setup_failed",r),$s(e,t,r)}}n(nc,"setupHandler");async function oc(e,t){try{return Response.json(await Bs({body:await On(e),authorizationHeader:e.headers.get("authorization"),requestUrl:e.url,requestHeaders:e.headers,context:t}),{headers:{"cache-control":"no-store",pragma:"no-cache"}})}catch(r){return he(t,"oauth_token_failed",r),qn(r)}}n(oc,"tokenHandler");async function ic(e,t){try{return await Ls({body:await On(e),authorizationHeader:e.headers.get("authorization"),requestUrl:e.url,requestHeaders:e.headers,context:t}),new Response(null,{status:200,headers:{"cache-control":"no-store"}})}catch(r){return he(t,"oauth_revoke_failed",r),qn(r)}}n(ic,"revokeHandler");function ac(e){return S`<p data-gateway-error-code="${e.code}">${e.body}</p>`}n(ac,"renderBrowserResult");var Yf="text/html; charset=utf-8",Xf="none";function Qf(e){let t=Yr(e.host);return ot({title:e.title,iconHref:t,styles:nt,headerIcon:Ir({iconHref:t,fallbackIconHref:ar}),heading:e.title,subhead:"",body:ac({body:e.body,code:e.code??Xf}),footer:""})}n(Qf,"browserResultHtml");function eh(e,t=200){return new Response(rt(e),{status:t,headers:{"content-type":Yf,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"}})}n(eh,"browserResultResponse");function sc(e){return eh(Qf(e))}n(sc,"browserConnectionSuccessResponse");function Sr(e,t,r={}){let o=io(t);return ie({host:e,kind:th(t),detail:o.body,developerDetail:r.developerDetail,code:t,diagnostic:r.diagnostic,upstreamHtml:r.upstreamHtml})}n(Sr,"browserConnectionFailureResponse");function th(e){switch(e){case"provider_access_denied":return"access_denied";case"oauth_state_invalid":case"oauth_state_expired":case"oauth_state_reused":case"oauth_callback_mismatch":return"session_expired";case"browser_login_verification_failed":case"upstream_token_exchange_failed":case"upstream_token_response_invalid":return"connection_failed";case"upstream_oauth_discovery_unavailable":case"upstream_provider_access_denied":case"upstream_client_registration_required":return"admin_required"}}n(th,"readCallbackFailureBrowserErrorKind");var rh={connect:"Connect",callback_authorization_code:"Callback",callback_provider_error:"Callback",callback_invalid:"Callback",client_metadata:"Client metadata"},cc=Symbol("upstream-request");function Dt(e,t){Object.defineProperty(e,cc,{configurable:!0,value:t})}n(Dt,"setUpstreamRequestContext");function nh(e){let t=e[cc];if(!t)throw new Q("Upstream request context has not been set");return t}n(nh,"readUpstreamRequestContext");function oh(e,t){return t.some(r=>r===e)}n(oh,"requestContextMatchesKind");function ih(e){return typeof e=="string"?[e]:e}n(ih,"toExpectedKinds");function jt(e,t){let r=nh(e),o=ih(t);if(!oh(r.kind,o)){let i=rh[o[0]];throw new Q(`${i} request context has not been set`)}return r}n(jt,"requireUpstreamRequestContext");function He(e){if(typeof e=="string"&&e.length!==0)return e}n(He,"readOptionalQueryString");function ah(e,t){let r=e.params[t];if(typeof r!="string"||r.length===0)throw new Q(`Validated path parameter ${t} is missing`);return sh(r,t)}n(ah,"requirePathString");function sh(e,t){try{return decodeURIComponent(e)}catch(r){throw new h({message:`Path parameter "${t}" must be valid URL encoding.`,extensionMembers:{[g]:"invalid_request"}},{cause:r})}}n(sh,"decodePathString");function ch(e){let t=He(e);return t?Gt.parse(t):void 0}n(ch,"readOptionalOperationId");function dh(e){let t=ee().connectionsById.get(e);if(t!==void 0)return t.authProfileId;throw new h({message:`No upstream connection is registered for ${e}.`,extensionMembers:{[g]:"unknown_upstream_server"}})}n(dh,"readRegisteredAuthProfileId");function uh(e){let t=ch(e);if(!t)throw new h({message:"operationId query parameter is required.",extensionMembers:{[g]:"invalid_request"}});return t}n(uh,"readRequiredOperationId");async function lh(e,t){let r=hr(t,uh(e.query.operationId));if(r.authMode==="id-jag")throw new h({message:"This upstream uses XAA / ID-JAG and does not support browser OAuth connection flows.",extensionMembers:{[g]:"invalid_request"}});let o=e.query.redirect==="true",i=He(e.query.browserTicket);if(e.user){if(i)throw new h({message:"Use either an authenticated gateway request or a browser connect ticket, not both.",extensionMembers:{[g]:"invalid_request"}});let c=Pe(e.user,e.url),u={kind:"connect",...tt(r,c.subjectId),redirect:o},l=mo(He(e.query.returnTo));return l!==void 0&&(u.returnTo=l),u}if(!i)throw new h({message:"Authentication is required to start the upstream connection flow.",extensionMembers:{[g]:"authentication_required"}});let a=await Ei(i);if(a.ownerMode!==r.ownerMode||a.upstreamServerId!==r.upstreamServerId||a.authProfileId!==r.authProfileId||a.operationId!==r.operationId)throw new h({message:"Browser connect ticket did not match the requested upstream flow",extensionMembers:{[g]:"oauth_callback_mismatch"}});await Oi(a);let s=Zt(a);switch(r.authMode){case"shared-oauth":{if(s.mode!=="shared")throw new h({message:"Browser connect ticket did not match the requested upstream flow",extensionMembers:{[g]:"oauth_callback_mismatch"}});let c={kind:"connect",...r,authMode:"shared-oauth",ownerMode:"shared",owner:s,initiatedBySubjectId:a.initiatedBySubjectId,redirect:o};return a.returnTo!==void 0&&(c.returnTo=a.returnTo),c}case"user-oauth":{if(s.mode!=="user")throw new h({message:"Browser connect ticket did not match the requested upstream flow",extensionMembers:{[g]:"oauth_callback_mismatch"}});let c={kind:"connect",...r,authMode:"user-oauth",ownerMode:"user",owner:s,initiatedBySubjectId:a.initiatedBySubjectId,redirect:o};return a.returnTo!==void 0&&(c.returnTo=a.returnTo),c}}}n(lh,"resolveConnectContext");async function ph(e,t,r){let o=co.parse(ah(e,"connection"));switch(r){case"connect":Dt(e,await lh(e,o));return;case"callback":{let i=He(e.query.error);if(i){let c={kind:"callback_provider_error",upstreamServerId:o,error:i},u=He(e.query.error_description);u!==void 0&&(c.errorDescription=u),Dt(e,c);return}let a=He(e.query.code),s=He(e.query.state);if(a&&s){Dt(e,{kind:"callback_authorization_code",upstreamServerId:o,code:a,state:s});return}Dt(e,{kind:"callback_invalid",upstreamServerId:o});return}case"client_metadata":Dt(e,{kind:"client_metadata",upstreamServerId:o,authProfileId:dh(o)});return}}n(ph,"resolveUpstreamRequestInbound");async function mh(e,t,r){try{await ph(e,t,r);return}catch(o){let i=o instanceof h?o.extensionMembers?.[g]:void 0,a=o instanceof Error?o.message:void 0;switch(i){case"invalid_request":case"unknown_upstream_server":case"oauth_callback_mismatch":return Ue.badRequest(e,t,{code:i,detail:a});case"authentication_required":return Ue.unauthorized(e,t,{code:i,detail:a});default:throw o}}}n(mh,"applyUpstreamRequestContext");function vr(e,t){return n(async(o,i)=>{let a=await mh(o,i,e);return a||t(o,i)},"wrapped")}n(vr,"withUpstreamRequestContext");var fh=["callback_authorization_code","callback_provider_error","callback_invalid"];function Dn(e){try{return new URL(e.url).pathname}catch{return}}n(Dn,"readBrowserRequestPath");function hh(e){return"cause"in e?e.cause:void 0}n(hh,"readErrorCause");function gh(e){return e.stack?.split(`
|
|
49
|
+
`).slice(1,4).map(t=>t.trim()).join(" | ")}n(gh,"readFirstStackFrame");function dc(e,t,r){r instanceof Error&&(e[`${t}Name`]=r.name,e[`${t}Message`]=r.message,e[`${t}StackFrame`]=gh(r))}n(dc,"addErrorAttributes");function jn(e){if(!(e instanceof h))return;let t=e.extensionMembers?.[g];return Nt(t)?t:void 0}n(jn,"readRuntimeGatewayCode");function uc(e,t){let r=e.extensionMembers?.[t];return typeof r=="string"?r:void 0}n(uc,"readRuntimeErrorExtensionString");function yh(e,t){let r=e.extensionMembers?.[t];return typeof r=="number"?r:void 0}n(yh,"readRuntimeErrorExtensionNumber");function _h(e,t,r,o){switch(r.kind){case"callback_provider_error":return t.log.warn({event:"upstream_oauth_provider_error",code:"provider_access_denied",upstreamServerId:r.upstreamServerId,providerError:r.error,...r.errorDescription===void 0?{}:{providerErrorDescription:r.errorDescription.slice(0,256)}},"Upstream identity provider returned an error to the OAuth callback"),v(t,{eventType:C.MCP_AUTH_UPSTREAM_TOKEN_EXCHANGE_FAILED,outcome:"failure",upstreamServerName:r.upstreamServerId,reasonCode:"provider_access_denied",reasonClass:"auth",attributes:{error:r.error,errorDescription:r.errorDescription}}),Sr(o,"provider_access_denied",{developerDetail:r.errorDescription??r.error,diagnostic:{code:"provider_access_denied",requestId:t.requestId,routePath:Dn(e),upstreamServerId:r.upstreamServerId,providerError:r.error,providerErrorDescription:r.errorDescription,underlyingError:r.errorDescription??r.error}});case"callback_invalid":return t.log.warn({event:"upstream_oauth_callback_invalid",code:"oauth_state_invalid",upstreamServerId:r.upstreamServerId},"Upstream OAuth callback request missing required code/state parameters"),Sr(o,"oauth_state_invalid",{diagnostic:{code:"oauth_state_invalid",requestId:t.requestId,routePath:Dn(e),upstreamServerId:r.upstreamServerId}});case"callback_authorization_code":return r}}n(_h,"requireAuthorizationCallbackRequest");function wh(e,t){v(e,{eventType:C.MCP_AUTH_UPSTREAM_CALLBACK_RECEIVED,outcome:"success",upstreamServerName:t.upstreamServerId})}n(wh,"emitCallbackReceivedAnalyticsEvent");function bh(e,t){v(e,{eventType:C.MCP_AUTH_UPSTREAM_TOKEN_EXCHANGE_SUCCEEDED,outcome:"success",upstreamServerName:t.upstreamServerId,virtualServerName:t.operationId})}n(bh,"emitTokenExchangeSucceededAnalyticsEvent");function Rh(e,t){if(t.returnTo){let r=t.returnOrigin??e.url;return Response.redirect(new URL(t.returnTo,r).toString(),302)}return sc({host:it(e.url),title:"Connection complete",body:"The upstream authorization flow completed successfully. You can return to your MCP client."})}n(Rh,"buildSuccessfulCallbackResponse");function Ih(e){let t={detail:e instanceof Error?e.message:void 0};return dc(t,"error",e),e instanceof Error&&dc(t,"cause",hh(e)),t}n(Ih,"buildTokenExchangeFailureAttributes");function Ch(e){v(e.context,{eventType:C.MCP_AUTH_UPSTREAM_TOKEN_EXCHANGE_FAILED,outcome:"failure",upstreamServerName:e.callbackRequest.upstreamServerId,reasonCode:jn(e.error)??"token_exchange_failed",reasonClass:"auth",errorType:e.error instanceof Error?e.error.name:"unknown",attributes:Ih(e.error)})}n(Ch,"emitTokenExchangeFailedAnalyticsEvent");function Sh(e){let t=e.error,r=jn(t),o=oo(r)?r:"upstream_token_exchange_failed",i={code:o,requestId:e.context.requestId,routePath:Dn(e.request),upstreamServerId:e.callbackRequest.upstreamServerId,underlyingError:t instanceof Error?t.message:void 0,...t instanceof h?{httpStatus:yh(t,_e),contentType:uc(t,Je),upstreamUrl:uc(t,we)}:{}};return Sr(e.host,o,{developerDetail:t instanceof Error?t.message:void 0,diagnostic:i,upstreamHtml:vh(t)})}n(Sh,"tokenExchangeFailureResponse");function vh(e){if(!(e instanceof h))return;let t=e.extensionMembers?.[Ge];return typeof t=="string"?t:void 0}n(vh,"readUpstreamHtmlError");async function zn(e,t){let r=jt(e,fh),o=it(e.url),i=_h(e,t,r,o);if(i instanceof Response)return i;wh(t,i);try{let a=await fa({request:e,callbackRequest:i});return bh(t,a),t.log.info({event:"upstream_oauth_token_exchange_succeeded",upstreamServerId:a.upstreamServerId,operationId:a.operationId,authProfileId:a.authProfileId,ownerMode:a.ownerMode},"Upstream OAuth token exchange completed; user connection established"),Rh(e,a)}catch(a){let s={event:"upstream_oauth_token_exchange_failed",code:jn(a)??"upstream_token_exchange_failed",upstreamServerId:i.upstreamServerId};return G(s,"error",a),t.log.warn(s,"Upstream OAuth token exchange failed; user shown connection-failure page"),Ch({context:t,callbackRequest:i,error:a}),Sh({request:e,context:t,host:o,callbackRequest:i,error:a})}}n(zn,"callbackHandler");function Ah(e){return(e instanceof Error?e.message:void 0)??"The requested upstream client metadata document was not found."}n(Ah,"clientMetadataProblemDetail");async function lc(e,t){let r=jt(e,"connect"),o=await ma({request:e,connectRequest:r});if(v(t,{eventType:C.MCP_AUTH_UPSTREAM_CONNECT_STARTED,outcome:"success",upstreamServerName:r.upstreamServerId,virtualServerName:o.operationId,upstreamServerTitle:o.upstreamDisplayName}),t.log.info({event:"upstream_connect_started",upstreamServerId:r.upstreamServerId,authProfileId:o.authProfileId,operationId:o.operationId,ownerMode:r.ownerMode,redirect:r.redirect,hasReturnTo:r.returnTo!==void 0},"Upstream OAuth connect flow started"),r.redirect)return Response.redirect(o.authUrl,302);let i=await pr({requestUrl:e.url,requestHeaders:e.headers,owner:o.owner,initiatedBySubjectId:o.initiatedBySubjectId,upstreamServerId:r.upstreamServerId,authProfileId:o.authProfileId,upstreamDisplayName:o.upstreamDisplayName,operationId:o.operationId,subject:"MCP route",...r.returnTo===void 0?{}:{returnTo:r.returnTo}});return Response.json(i,{status:428})}n(lc,"connectHandler");async function pc(e,t){let r=jt(e,"client_metadata");try{let o=M(e.url,e.headers),i=Li(o,r.upstreamServerId,r.authProfileId);return Response.json(i)}catch(o){if(!(o instanceof A))throw o;let i=o instanceof Error?o.message:String(o);return t.log.warn({event:"oauth_client_metadata_request_failed",upstreamServerId:r.upstreamServerId,authProfileId:r.authProfileId,errorMessage:i},"Failed to serve OAuth client metadata document for upstream connection"),Ue.notFound(e,t,{code:"not_found",detail:Ah(o)})}}n(pc,"oauthClientMetadataHandler");function kh(e,t){return e.mount==="root"?e.path:t.actionPath(e.path)}n(kh,"resolveInternalRoutePath");var xh={"access-control-allow-origin":"*","access-control-allow-methods":"GET, OPTIONS","access-control-allow-headers":"content-type, authorization","access-control-max-age":"86400"};function Th(){return new Response(null,{status:204,headers:xh})}n(Th,"buildWellKnownPreflightResponse");function Uh(e){let t=new Headers(e.headers);return t.set("access-control-allow-origin","*"),new Response(e.body,{status:e.status,statusText:e.statusText,headers:t})}n(Uh,"withWellKnownCorsHeaders");function Hn(e){return async(t,r)=>t.method==="OPTIONS"?Th():Uh(await e(t,r))}n(Hn,"wrapWellKnownHandler");var hc=[{routeName:"oauth_as_metadata",mount:"root",path:"/.well-known/oauth-authorization-server",methods:["GET","OPTIONS"],handler:Hn(Vs),corsPolicy:"anything-goes"},{routeName:"oauth_as_metadata_scoped",mount:"root",path:"/.well-known/oauth-authorization-server/:routePath*",methods:["GET","OPTIONS"],handler:Hn(Ys),corsPolicy:"anything-goes"},{routeName:"oauth_protected_resource_metadata",mount:"root",path:"/.well-known/oauth-protected-resource/:routePath*",methods:["GET","OPTIONS"],handler:Hn(To),corsPolicy:"anything-goes"},{routeName:"oauth_register",mount:"action",path:"/oauth/register",methods:["POST"],handler:Xs},{routeName:"oauth_authorize",mount:"action",path:"/oauth/authorize",methods:["GET"],handler:Qs},{routeName:"oauth_authorize_scoped",mount:"action",path:"/oauth/authorize/:routePath*",methods:["GET"],handler:ec},{routeName:"oauth_callback",mount:"action",path:"/oauth/callback",methods:["GET"],handler:tc},{routeName:"oauth_dev_login",mount:"action",path:"/oauth/dev-login",methods:["GET"],handler:rc},{routeName:"oauth_setup",mount:"action",path:"/oauth/setup",methods:["GET","POST"],handler:nc},{routeName:"oauth_token",mount:"action",path:"/oauth/token",methods:["POST"],handler:oc},{routeName:"oauth_revoke",mount:"action",path:"/oauth/revoke",methods:["POST"],handler:ic},{routeName:"upstream_client_metadata",mount:"action",path:"/.well-known/oauth-client/:connection",methods:["GET"],handler:vr("client_metadata",pc)},{routeName:"upstream_connect",mount:"action",path:"/auth/connections/:connection/connect",methods:["GET"],handler:vr("connect",lc)},{routeName:"upstream_callback",mount:"action",path:"/auth/connections/:connection/callback",methods:["GET"],handler:vr("callback",zn)}],Ph=hc.filter(e=>!e.routeName.startsWith("upstream_")),Eh=hc.filter(e=>e.routeName.startsWith("upstream_"));function Oh(e){let t=_o({routes:e.routes,policies:e.policies,gateway:e.gateway});return wo(t),t}n(Oh,"initializeMcpGatewayConnectionRegistry");function qh(e){return[...e.byOperationId.values()].some(t=>t.downstreamOAuth!==void 0)}n(qh,"hasDownstreamOAuthRoutes");function Mh(e){return[...e.byOperationId.values()].some(t=>t.downstreamOAuth?.config.idJag.enabled===!0)}n(Mh,"hasIdJagDownstreamOAuth");function Dh(e){let t=new Map;for(let o of e.byOperationId.values())o.downstreamOAuth&&t.set(o.downstreamOAuth.policyName,o.downstreamOAuth.config);if(t.size===1)return[...t.values()][0];let r=[...t.keys()].map(o=>`"${o}"`).join(", ");throw new A(`MCP gateway found multiple attached OAuth policies: ${r}. Multiple downstream MCP OAuth configs in one gateway are not supported yet; use one MCP OAuth policy across MCP routes or split these routes into separate gateways.`)}n(Dh,"readSingletonDownstreamOAuthConfig");function jh(e,t,r){let o=String(t.params.routePath??""),i=e.byRoutePath.get(So(o));if(i===void 0)return;let a=i?.downstreamOAuth?.config;return a===void 0?Jt(t,r,{code:"not_found",detail:"The requested MCP route does not expose downstream OAuth."}):a}n(jh,"readScopedDownstreamOAuthConfig");function zh(e){return e.path==="/.well-known/oauth-authorization-server/:routePath*"||e.path==="/.well-known/oauth-protected-resource/:routePath*"||e.path==="/oauth/authorize/:routePath*"}n(zh,"routeUsesScopedOAuthConfig");function mc(e,t,r){return async(o,i)=>{if(i.log.setLogProperties?.({requestId:i.requestId}),r){let u=await r(o,i);if(u instanceof Response)return u;u&&to(i,u)}let a=o.method==="OPTIONS",s=Date.now();a||i.log.info({event:`${e}_received`,method:o.method},`MCP gateway: ${e} received`);let c=await t(o,i);return a||i.log.info({event:`${e}_responded`,status:c.status,durationMs:Date.now()-s},`MCP gateway: ${e} responded`),c}}n(mc,"wrapInternalHandler");function fc(e,t,r,o){e.addPluginRoute({path:kh(t,r),methods:t.methods,handler:o,processors:[Fn],corsPolicy:t.corsPolicy??"none"})}n(fc,"addInternalRoute");function gc(e,t){let r=Oh(t),o=qh(r),i=r.connectionsById.size>0,a,s=n(()=>(a===void 0&&(a=Dh(r)),a),"readSingletonOAuthConfig");if(o){ae("plugin.mcp-gateway.downstream-oauth"),Mh(r)&&ae("plugin.mcp-gateway.downstream-oauth.id-jag");for(let c of Ph){let u=zh(c)?(l,m)=>jh(r,l,m):s;fc(e,c,r.gateway,mc(c.routeName,c.handler,u))}}if(i){ae("plugin.mcp-gateway.upstream-auth");for(let c of r.connectionsById.values())ae(`plugin.mcp-gateway.upstream-auth.${c.authMode}`);for(let c of Eh)fc(e,c,r.gateway,mc(c.routeName,c.handler))}}n(gc,"registerMcpGatewayInternalRoutes");var Bn=class extends Jn{static{n(this,"McpGatewayPlugin")}#e;constructor(t={}){super(),ae("plugin.mcp-gateway"),this.#e=ro(t)}registerRoutes(t){let r=t.parsedRouteData;r&&gc(t.router,{routes:r.routes,policies:r.policies,gateway:this.#e})}};var Hh=new TextDecoder;function Bh(e){if(e)try{return JSON.parse(Hh.decode(e))}catch{return}}n(Bh,"readBodyJson");function ge(e){return e&&typeof e=="object"?e:void 0}n(ge,"readRecord");function zt(e,t){let r=ge(e)?.[t];return typeof r=="string"?r:void 0}n(zt,"readStringProperty");function _c(e,t){let r=ge(e)?.[t];return typeof r=="number"?r:void 0}n(_c,"readNumberProperty");function yc(e,t){return _c(e,"code")??(t.status>=400?t.status:void 0)}n(yc,"readErrorCode");function wc(e){return Array.isArray(e)?e.map(wc).find(t=>t?.method):ge(e)}n(wc,"readJsonRpcMessage");function bc(e){let t=wc(Bh(e)),r=typeof t?.method=="string"?t.method:"",o=t?.params;switch(r){case"tools/list":return{mcpMethod:r,capabilityType:"tool"};case"tools/call":return{mcpMethod:r,capabilityType:"tool",capabilityName:zt(o,"name")};case"prompts/list":return{mcpMethod:r,capabilityType:"prompt"};case"prompts/get":return{mcpMethod:r,capabilityType:"prompt",capabilityName:zt(o,"name")};case"resources/list":case"resources/templates/list":return{mcpMethod:r,capabilityType:"resource"};case"resources/read":{let i=zt(o,"uri");return{mcpMethod:r,capabilityType:"resource",capabilityName:i,resourceUri:i}}default:return null}}n(bc,"buildBaseCapabilityInput");function Rc(e){return e==="tools/list"||e==="prompts/list"||e==="resources/list"||e==="resources/templates/list"}n(Rc,"isCapabilityListMethod");function Lh(e,t,r){let a=ge(r)?.[e==="resources/templates/list"?"resourceTemplates":t==="tool"?"tools":t==="prompt"?"prompts":"resources"];return Array.isArray(a)?a.length:void 0}n(Lh,"readItemCount");async function Nh(e){try{return await e.clone().json()}catch{return}}n(Nh,"readResponseJson");function Ic(e){let t=bc(e);return!t||Rc(t.mcpMethod)?null:{eventType:C.MCP_CAPABILITY_INVOKED,outcome:"success",...t}}n(Ic,"buildCapabilityInvokedAnalyticsInput");async function Cc(e,t){let r=bc(e);if(!r)return null;let o=ge(await Nh(t)),i=ge(o?.error),a=ge(i?.data),s=o?.result,c=r.mcpMethod==="tools/call"&&ge(s)?.isError===!0;if(ge(a?.connectRequired))return{eventType:C.MCP_CAPABILITY_CONNECT_REQUIRED,outcome:"connect_required",...r,httpStatusCode:t.status,reasonCode:"connect_required",reasonClass:"auth",errorType:"connect_required",errorCode:_c(i,"code"),mcpErrorType:zt(i,"message")};if(Rc(r.mcpMethod)){let u=t.status>=400?void 0:Lh(r.mcpMethod,r.capabilityType,s);return{eventType:C.MCP_CAPABILITY_LISTED,outcome:t.status>=400||i?"failure":"success",...r,httpStatusCode:t.status,...t.status>=400||i?{reasonCode:"upstream_capability_list_failed",reasonClass:"upstream",errorType:"capability_list_error",errorCode:yc(i,t)}:{},...u===void 0?{}:{attributes:{itemCount:u}}}}return t.status>=400||i?{eventType:C.MCP_CAPABILITY_FAILED,outcome:"failure",...r,httpStatusCode:t.status,reasonCode:"upstream_capability_invocation_failed",reasonClass:"upstream",errorType:"capability_error",errorCode:yc(i,t),mcpErrorType:zt(i,"message")}:{eventType:C.MCP_CAPABILITY_COMPLETED,outcome:c?"application_error":"success",...r,httpStatusCode:t.status,toolResultIsError:c,applicationError:c}}n(Cc,"buildCapabilityFinalAnalyticsInput");var Jh={Allow:"POST"};async function Gh(e){try{return await e.clone().arrayBuffer()}catch{return}}n(Gh,"readRequestBody");function Sc(e){try{let t=bo(e.route.path);return{virtualServerName:t.operationId,upstreamServerName:t.connection?.upstreamServerId,upstreamServerTitle:t.connection?.displayName,authProfileId:t.connection?.authProfileId,upstreamAuthMode:t.connection?.authMode}}catch{return{}}}n(Sc,"readRouteAnalyticsFields");function vc(e){return Eo(e.user,e.url,e.headers)?.subjectId}n(vc,"readRequestSubjectId");function Fh(e){let t=Ic(e.requestBody);t&&v(e.context,{...t,...Sc(e.context),httpMethod:e.request.method,subjectId:vc(e.request),transport:"http"})}n(Fh,"emitCapabilityInvokedAnalytics");async function $h(e){let t=await Cc(e.requestBody,e.response);t&&v(e.context,{...t,...Sc(e.context),httpMethod:e.request.method,subjectId:vc(e.request),transport:"http",latencyMs:Date.now()-e.startedAt})}n($h,"emitCapabilityFinalAnalytics");async function Zh(e,t){if(ae("handler.mcp-gateway-proxy"),e.method==="GET")return Ue.methodNotAllowed(e,t,{detail:"MCP Gateway routes support stateless Streamable HTTP requests over POST. Server-sent event GET streams are not supported."},Jh);let r=Date.now(),o=await Gh(e);Fh({context:t,request:e,requestBody:o});let i=await Xn(e,t);return await $h({context:t,request:e,requestBody:o,response:i,startedAt:r}),i}n(Zh,"McpProxyHandler");export{Dc as McpAuth0OAuthInboundPolicy,jr as McpCapabilityFilterInboundPolicy,Ac as McpClerkOAuthInboundPolicy,kc as McpCognitoOAuthInboundPolicy,xc as McpEntraOAuthInboundPolicy,Bn as McpGatewayPlugin,Tc as McpGoogleOAuthInboundPolicy,Uc as McpKeycloakOAuthInboundPolicy,Pc as McpLogtoOAuthInboundPolicy,jc as McpOAuthInboundPolicy,Ec as McpOktaOAuthInboundPolicy,Oc as McpOneLoginOAuthInboundPolicy,qc as McpPingOAuthInboundPolicy,Zh as McpProxyHandler,mn as McpTokenExchangeInboundPolicy,Mc as McpWorkosOAuthInboundPolicy,Yo as claimsCapabilityResolver};
|
|
50
50
|
//# sourceMappingURL=index.js.map
|