dxcomplete 0.2.0 → 0.2.2

package/dist/http/service.js

@@ -1,725 +0,0 @@
-import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/streamableHttp.js";
-import { assertWorkspaceMembership, consumeOAuthAuthorizationRequest, createGoogleActor, createOAuthAuthorizationCode, createOAuthAuthorizationRequest, createWorkspaceServiceClient, ensureWorkspaceBootstrap, exchangeGoogleCodeForProfile, exchangeOAuthAuthorizationCode, exchangeOAuthRefreshToken, getOAuthClient, googleAuthorizationUrl, membershipRoles, registerOAuthClient, upsertWorkspaceMembership, verifyWorkspaceServiceClient, verifyMcpAccessToken } from "../runtime/auth.js";
-import { createMcpServer } from "../mcp/server.js";
-import { connectRuntime } from "../runtime/mongo.js";
-import { RUNTIME_ACTOR_ID } from "../runtime/records.js";
-const MCP_PATH = "/api/mcp";
-const GOOGLE_CALLBACK_PATH = "/api/auth/callback/google";
-const MCP_SCOPE = "mcp:tools";
-const AUTH_DIAGNOSTICS_COLLECTION = "auth_diagnostics";
-let runtimePromise;
-export async function closeDxcompleteServiceRuntime() {
-    if (runtimePromise) {
-        const runtime = await runtimePromise;
-        await runtime.close();
-    }
-    runtimePromise = undefined;
-}
-export async function closeDxcompleteHttpRuntime() {
-    await closeDxcompleteServiceRuntime();
-}
-export default async function handleDxcompleteServiceRequest(req, res) {
-    try {
-        setCorsHeaders(res);
-        if (req.method === "OPTIONS") {
-            res.writeHead(204).end();
-            return;
-        }
-        const runtime = await getRuntime();
-        const ownBaseUrl = getBaseUrl(req);
-        const requestUrl = new URL(req.url ?? "/", ownBaseUrl);
-        const path = normalizeServicePath(requestUrl.pathname);
-        if (path === "/api/dxcomplete/service/provision") {
-            await handleWorkspaceProvisioning(req, res, runtime);
-            return;
-        }
-        const workspaceConfig = await authenticateWorkspaceService(runtime, req);
-        const baseUrl = forwardedWorkspaceBaseUrl(req) ?? ownBaseUrl;
-        if (isProtectedResourceMetadataPath(path)) {
-            writeJson(res, 200, protectedResourceMetadata(baseUrl));
-            return;
-        }
-        if (isAuthorizationServerMetadataPath(path)) {
-            writeJson(res, 200, authorizationServerMetadata(baseUrl));
-            return;
-        }
-        if (path === "/api/dxcomplete/auth/register") {
-            await handleClientRegistration(req, res, runtime);
-            return;
-        }
-        if (path === "/api/dxcomplete/auth/authorize") {
-            await handleAuthorize(req, res, runtime, workspaceConfig, baseUrl, requestUrl);
-            return;
-        }
-        if (path === GOOGLE_CALLBACK_PATH) {
-            await handleGoogleCallback(res, runtime, workspaceConfig, baseUrl, requestUrl);
-            return;
-        }
-        if (path === "/api/dxcomplete/auth/token") {
-            await handleToken(req, res, runtime, baseUrl);
-            return;
-        }
-        if (path === MCP_PATH) {
-            await handleMcp(req, res, baseUrl, workspaceConfig);
-            return;
-        }
-        writeJson(res, 404, { error: "not_found" });
-    }
-    catch (error) {
-        const message = error instanceof Error ? error.message : String(error);
-        const responseError = responseErrorForMessage(message);
-        if (!res.headersSent) {
-            writeJson(res, responseError.status, {
-                error: responseError.error,
-                error_description: message
-            });
-        }
-        else {
-            res.end();
-        }
-    }
-}
-function responseErrorForMessage(message) {
-    if (message.includes("service client") || message.includes("service credentials") || message.includes("Provisioning")) {
-        return { status: 401, error: "unauthorized" };
-    }
-    if (message.includes("Workspace access denied")) {
-        return { status: 403, error: "access_denied" };
-    }
-    if (message.includes("OAuth client was not found")) {
-        return { status: 400, error: "invalid_client" };
-    }
-    if (message.includes("authorization request expired") ||
-        message.includes("Authorization code expired") ||
-        message.includes("Invalid PKCE verifier") ||
-        message.includes("Refresh token") ||
-        message.includes("Token expired")) {
-        return { status: 400, error: "invalid_grant" };
-    }
-    if (message.includes("redirect_uri") ||
-        message.includes("response_type") ||
-        message.includes("code_challenge") ||
-        message.includes("grant_type") ||
-        message.includes("OAuth resource")) {
-        return { status: 400, error: "invalid_request" };
-    }
-    return { status: 500, error: "server_error" };
-}
-async function authenticateWorkspaceService(runtime, req) {
-    const serviceClient = await verifyWorkspaceServiceClient(runtime.db, {
-        clientId: firstHeader(req.headers["x-dxc-service-client-id"]),
-        secret: firstHeader(req.headers["x-dxc-service-client-secret"]),
-        workspaceId: firstHeader(req.headers["x-dxc-workspace-id"])
-    });
-    const workspace = await runtime.db.collection("workspaces").findOne({ _id: serviceClient.workspaceId });
-    return {
-        workspaceId: serviceClient.workspaceId,
-        name: readRecordName(workspace) ??
-            firstHeader(req.headers["x-dxc-workspace-name"]) ??
-            serviceClient.workspaceId,
-        bootstrapMembers: []
-    };
-}
-async function handleWorkspaceProvisioning(req, res, runtime) {
-    if (req.method !== "POST") {
-        writeJson(res, 405, { error: "method_not_allowed" });
-        return;
-    }
-    const expectedSecret = runtime.config.serviceProvisioningSecret;
-    const suppliedSecret = readProvisioningSecret(req);
-    if (!expectedSecret || !suppliedSecret || suppliedSecret !== expectedSecret) {
-        writeJson(res, 401, { error: "unauthorized", error_description: "Provisioning authorization failed." });
-        return;
-    }
-    const body = await readJsonBody(req);
-    const workspaceId = readRequiredBodyString(body, "workspaceId");
-    const name = readRequiredBodyString(body, "name");
-    const ownerEmail = readRequiredBodyString(body, "ownerEmail");
-    const serviceClientName = readRequiredBodyString(body, "serviceClientName");
-    const mode = readOptionalWorkspaceMode(body.mode);
-    await ensureWorkspaceBootstrap(runtime.db, {
-        workspaceId,
-        name,
-        ...(mode ? { mode } : {}),
-        bootstrapMembers: [{ email: ownerEmail, roles: ["owner"] }]
-    }, RUNTIME_ACTOR_ID);
-    const membership = await upsertWorkspaceMembership(runtime.db, {
-        workspaceId,
-        email: ownerEmail,
-        roles: ["owner"],
-        actorId: RUNTIME_ACTOR_ID
-    });
-    const { record: serviceClient, secret } = await createWorkspaceServiceClient(runtime.db, {
-        workspaceId,
-        name: serviceClientName,
-        actorId: RUNTIME_ACTOR_ID
-    });
-    const workspace = await runtime.db.collection("workspaces").findOne({ _id: workspaceId });
-    writeJson(res, 201, {
-        workspace,
-        ownerMembership: {
-            _id: membership._id,
-            workspaceId: membership.workspaceId,
-            email: membership.email,
-            roles: membershipRoles(membership)
-        },
-        serviceClient: {
-            clientId: serviceClient.clientId,
-            name: serviceClient.name,
-            workspaceId: serviceClient.workspaceId,
-            secret
-        }
-    });
-}
-function readRecordName(workspace) {
-    if (!workspace) {
-        return undefined;
-    }
-    if (typeof workspace.fields.name === "string" && workspace.fields.name.trim()) {
-        return workspace.fields.name.trim();
-    }
-    return workspace.title;
-}
-function readProvisioningSecret(req) {
-    const authorization = firstHeader(req.headers.authorization);
-    const bearerMatch = authorization?.match(/^Bearer\s+(.+)$/i);
-    return bearerMatch?.[1]?.trim() || firstHeader(req.headers["x-dxc-provisioning-secret"])?.trim();
-}
-function readRequiredBodyString(body, key) {
-    const value = body[key];
-    if (typeof value !== "string" || !value.trim()) {
-        throw new Error(`${key} is required.`);
-    }
-    return value.trim();
-}
-function readOptionalWorkspaceMode(value) {
-    if (value === undefined) {
-        return undefined;
-    }
-    if (value === "transformation" || value === "greenfield" || value === "limited-disclosure") {
-        return value;
-    }
-    throw new Error("mode must be transformation, greenfield, or limited-disclosure when provided.");
-}
-function forwardedWorkspaceBaseUrl(req) {
-    const value = firstHeader(req.headers["x-dxc-forwarded-base-url"]);
-    if (!value) {
-        return undefined;
-    }
-    return new URL(value).origin;
-}
-async function handleMcp(req, res, baseUrl, workspaceConfig) {
-    const resource = mcpResourceUrl(baseUrl);
-    const token = readBearerToken(req);
-    if (!token) {
-        await drainRequestBody(req);
-        writeOAuthChallenge(res, baseUrl);
-        return;
-    }
-    const runtime = await getRuntime();
-    let tokenRecord;
-    let membership;
-    try {
-        tokenRecord = await verifyMcpAccessToken(runtime.db, {
-            token,
-            workspaceId: workspaceConfig.workspaceId,
-            resource
-        });
-        membership = await assertWorkspaceMembership(runtime.db, workspaceConfig.workspaceId, tokenRecord.actor);
-    }
-    catch (error) {
-        const message = error instanceof Error ? error.message : String(error);
-        await recordAuthDiagnostic(runtime.db, "mcp.token_rejected", req, {
-            workspaceId: workspaceConfig.workspaceId,
-            resource,
-            error: message,
-            status: message.includes("Workspace access denied") ? 403 : 401
-        });
-        if (message.includes("Workspace access denied")) {
-            await drainRequestBody(req);
-            writeJson(res, 403, { error: "access_denied", error_description: "Workspace access denied." });
-            return;
-        }
-        await drainRequestBody(req);
-        writeOAuthChallenge(res, baseUrl);
-        return;
-    }
-    const server = createMcpServer(runtime, {
-        actor: tokenRecord.actor,
-        recordActorId: tokenRecord.actor.actorId,
-        hostedWorkspace: {
-            workspaceId: workspaceConfig.workspaceId,
-            name: workspaceConfig.name
-        },
-        workspaceRoles: membershipRoles(membership),
-        hostedHttp: {
-            canonicalMcpPath: MCP_PATH,
-            canonicalMcpUrl: resource,
-            protectedResourceMetadataUrl: protectedResourceMetadataUrl(baseUrl),
-            googleCallbackUrl: googleCallbackUrl(baseUrl)
-        }
-    });
-    const transport = new StreamableHTTPServerTransport({
-        sessionIdGenerator: undefined,
-        enableJsonResponse: true
-    });
-    req.auth = {
-        token,
-        clientId: tokenRecord.clientId,
-        scopes: tokenRecord.scope.split(/\s+/).filter(Boolean),
-        expiresAt: Math.floor(new Date(tokenRecord.expiresAt).getTime() / 1000),
-        resource: new URL(resource),
-        extra: {
-            actor: tokenRecord.actor,
-            workspaceId: tokenRecord.workspaceId
-        }
-    };
-    await recordAuthDiagnostic(runtime.db, "mcp.token_accepted", req, {
-        clientId: tokenRecord.clientId,
-        workspaceId: tokenRecord.workspaceId,
-        resource: tokenRecord.resource,
-        actorEmail: tokenRecord.actor.email,
-        status: 200
-    });
-    ensureStreamableHttpAcceptHeader(req);
-    await server.connect(transport);
-    const parsedBody = req.method === "POST" ? await readJsonBody(req) : undefined;
-    try {
-        await transport.handleRequest(req, res, parsedBody);
-        await recordAuthDiagnostic(runtime.db, "mcp.transport_completed", req, {
-            clientId: tokenRecord.clientId,
-            workspaceId: tokenRecord.workspaceId,
-            resource: tokenRecord.resource,
-            actorEmail: tokenRecord.actor.email,
-            status: res.statusCode,
-            responseContentType: firstHeader(res.getHeader("content-type"))
-        });
-    }
-    catch (error) {
-        await recordAuthDiagnostic(runtime.db, "mcp.transport_failed", req, {
-            clientId: tokenRecord.clientId,
-            workspaceId: tokenRecord.workspaceId,
-            resource: tokenRecord.resource,
-            actorEmail: tokenRecord.actor.email,
-            error: error instanceof Error ? error.message : String(error),
-            status: res.statusCode
-        });
-        throw error;
-    }
-    res.on("close", () => {
-        void transport.close().catch(() => undefined);
-        void server.close().catch(() => undefined);
-    });
-}
-async function handleClientRegistration(req, res, runtime) {
-    if (req.method !== "POST") {
-        writeJson(res, 405, { error: "method_not_allowed" });
-        return;
-    }
-    const body = await readJsonBody(req);
-    const redirectUris = readStringArray(body.redirect_uris);
-    const client = await registerOAuthClient(runtime.db, {
-        clientName: typeof body.client_name === "string" ? body.client_name : undefined,
-        redirectUris,
-        grantTypes: readStringArray(body.grant_types, ["authorization_code", "refresh_token"]),
-        responseTypes: readStringArray(body.response_types, ["code"])
-    });
-    await recordAuthDiagnostic(runtime.db, "oauth.client_registered", req, {
-        clientId: client.clientId,
-        redirectUris: client.redirectUris,
-        status: 201
-    });
-    writeJson(res, 201, {
-        client_id: client.clientId,
-        client_id_issued_at: Math.floor(new Date(client.createdAt).getTime() / 1000),
-        redirect_uris: client.redirectUris,
-        grant_types: client.grantTypes,
-        response_types: client.responseTypes,
-        token_endpoint_auth_method: "none"
-    });
-}
-async function handleAuthorize(req, res, runtime, workspaceConfig, baseUrl, requestUrl) {
-    if (req.method !== "GET") {
-        writeJson(res, 405, { error: "method_not_allowed" });
-        return;
-    }
-    const clientId = requiredParam(requestUrl, "client_id");
-    const redirectUri = requiredParam(requestUrl, "redirect_uri");
-    const responseType = requiredParam(requestUrl, "response_type");
-    const codeChallenge = requiredParam(requestUrl, "code_challenge");
-    const codeChallengeMethod = requiredParam(requestUrl, "code_challenge_method");
-    const resource = requestUrl.searchParams.get("resource") || mcpResourceUrl(baseUrl);
-    if (responseType !== "code") {
-        throw new Error("Only authorization code response_type is supported.");
-    }
-    if (codeChallengeMethod !== "S256") {
-        throw new Error("Only S256 PKCE is supported.");
-    }
-    const client = await getOAuthClient(runtime.db, clientId);
-    if (!client) {
-        throw new Error("OAuth client was not found.");
-    }
-    if (!client.redirectUris.includes(redirectUri)) {
-        throw new Error("redirect_uri was not registered for this OAuth client.");
-    }
-    if (resource !== mcpResourceUrl(baseUrl)) {
-        throw new Error("OAuth resource must match this MCP endpoint.");
-    }
-    const authRequest = await createOAuthAuthorizationRequest(runtime.db, {
-        clientId,
-        redirectUri,
-        codeChallenge,
-        codeChallengeMethod: "S256",
-        state: requestUrl.searchParams.get("state") ?? undefined,
-        scope: requestUrl.searchParams.get("scope") || MCP_SCOPE,
-        resource,
-        workspaceId: workspaceConfig.workspaceId
-    });
-    const googleRedirectUri = googleCallbackUrl(baseUrl);
-    await recordAuthDiagnostic(runtime.db, "oauth.authorize_redirect", req, {
-        clientId,
-        workspaceId: workspaceConfig.workspaceId,
-        resource,
-        redirectUri,
-        googleRedirectUri,
-        status: 302
-    });
-    redirect(res, googleAuthorizationUrl(runtime.config, {
-        redirectUri: googleRedirectUri,
-        state: authRequest._id
-    }));
-}
-async function handleGoogleCallback(res, runtime, workspaceConfig, baseUrl, requestUrl) {
-    const state = requiredParam(requestUrl, "state");
-    const googleCode = requiredParam(requestUrl, "code");
-    const authRequest = await consumeOAuthAuthorizationRequest(runtime.db, state);
-    const profile = await exchangeGoogleCodeForProfile(runtime.config, {
-        code: googleCode,
-        redirectUri: googleCallbackUrl(baseUrl)
-    });
-    const actor = createGoogleActor(profile);
-    await assertWorkspaceMembership(runtime.db, workspaceConfig.workspaceId, actor);
-    const code = await createOAuthAuthorizationCode(runtime.db, authRequest, actor);
-    await recordAuthDiagnostic(runtime.db, "oauth.callback_authorized", undefined, {
-        clientId: authRequest.clientId,
-        workspaceId: workspaceConfig.workspaceId,
-        resource: authRequest.resource,
-        redirectUri: authRequest.redirectUri,
-        actorEmail: actor.email,
-        status: 302
-    });
-    const callback = new URL(authRequest.redirectUri);
-    callback.searchParams.set("code", code);
-    if (authRequest.state) {
-        callback.searchParams.set("state", authRequest.state);
-    }
-    redirect(res, callback.href);
-}
-async function handleToken(req, res, runtime, baseUrl) {
-    if (req.method !== "POST") {
-        writeJson(res, 405, { error: "method_not_allowed" });
-        return;
-    }
-    const body = await readFormBody(req);
-    const grantType = requiredFormValue(body, "grant_type");
-    const clientId = readClientId(req, body);
-    const client = await getOAuthClient(runtime.db, clientId);
-    const resource = body.get("resource") || mcpResourceUrl(baseUrl);
-    if (!client) {
-        throw new Error("OAuth client was not found.");
-    }
-    if (resource !== mcpResourceUrl(baseUrl)) {
-        throw new Error("OAuth resource must match this MCP endpoint.");
-    }
-    if (grantType === "authorization_code") {
-        const redirectUri = requiredFormValue(body, "redirect_uri");
-        const tokenPair = await exchangeOAuthAuthorizationCode(runtime.db, {
-            code: requiredFormValue(body, "code"),
-            clientId,
-            redirectUri,
-            codeVerifier: requiredFormValue(body, "code_verifier"),
-            resource
-        });
-        await recordAuthDiagnostic(runtime.db, "oauth.token_issued", req, {
-            clientId,
-            resource,
-            redirectUri,
-            grantType,
-            status: 200
-        });
-        writeTokenResponse(res, tokenPair);
-        return;
-    }
-    if (grantType === "refresh_token") {
-        const tokenPair = await exchangeOAuthRefreshToken(runtime.db, {
-            refreshToken: requiredFormValue(body, "refresh_token"),
-            clientId,
-            resource
-        });
-        await recordAuthDiagnostic(runtime.db, "oauth.token_refreshed", req, {
-            clientId,
-            resource,
-            grantType,
-            status: 200
-        });
-        writeTokenResponse(res, tokenPair);
-        return;
-    }
-    writeJson(res, 400, { error: "unsupported_grant_type" });
-}
-function protectedResourceMetadata(baseUrl) {
-    return {
-        resource: mcpResourceUrl(baseUrl),
-        authorization_servers: [baseUrl],
-        scopes_supported: [MCP_SCOPE],
-        resource_name: "DX Complete"
-    };
-}
-function authorizationServerMetadata(baseUrl) {
-    return {
-        issuer: baseUrl,
-        authorization_endpoint: `${baseUrl}/api/dxcomplete/auth/authorize`,
-        token_endpoint: `${baseUrl}/api/dxcomplete/auth/token`,
-        registration_endpoint: `${baseUrl}/api/dxcomplete/auth/register`,
-        response_types_supported: ["code"],
-        code_challenge_methods_supported: ["S256"],
-        token_endpoint_auth_methods_supported: ["none"],
-        grant_types_supported: ["authorization_code", "refresh_token"],
-        scopes_supported: [MCP_SCOPE]
-    };
-}
-function writeTokenResponse(res, tokenPair) {
-    res.setHeader("cache-control", "no-store");
-    res.setHeader("pragma", "no-cache");
-    writeJson(res, 200, {
-        access_token: tokenPair.accessToken,
-        refresh_token: tokenPair.refreshToken,
-        token_type: "Bearer",
-        expires_in: tokenPair.expiresIn,
-        scope: tokenPair.scope
-    });
-}
-function writeOAuthChallenge(res, baseUrl) {
-    res.setHeader("www-authenticate", `Bearer resource_metadata="${protectedResourceMetadataUrl(baseUrl)}", scope="${MCP_SCOPE}"`);
-    writeJson(res, 401, { error: "unauthorized" });
-}
-function ensureStreamableHttpAcceptHeader(req) {
-    const accept = firstHeader(req.headers.accept)?.toLowerCase() ?? "";
-    if (req.method === "POST" && (!accept.includes("application/json") || !accept.includes("text/event-stream"))) {
-        setIncomingHeader(req, "accept", "application/json, text/event-stream");
-    }
-    if (req.method === "GET" && !accept.includes("text/event-stream")) {
-        setIncomingHeader(req, "accept", "text/event-stream");
-    }
-}
-function setIncomingHeader(req, key, value) {
-    const lowerKey = key.toLowerCase();
-    req.headers[lowerKey] = value;
-    const rawIndex = req.rawHeaders.findIndex((entry) => entry.toLowerCase() === lowerKey);
-    if (rawIndex >= 0) {
-        req.rawHeaders[rawIndex + 1] = value;
-        return;
-    }
-    req.rawHeaders.push(key, value);
-}
-async function recordAuthDiagnostic(db, event, req, fields) {
-    try {
-        await db.collection(AUTH_DIAGNOSTICS_COLLECTION).insertOne({
-            event,
-            createdAt: new Date().toISOString(),
-            method: req?.method,
-            path: req ? normalizePath(new URL(req.url ?? "/", "http://localhost").pathname) : undefined,
-            headers: req ? diagnosticHeaders(req) : undefined,
-            ...sanitizeDiagnosticFields(fields)
-        });
-    }
-    catch {
-        // Diagnostics must never affect the OAuth or MCP response path.
-    }
-}
-function diagnosticHeaders(req) {
-    return {
-        accept: firstHeader(req.headers.accept),
-        contentType: firstHeader(req.headers["content-type"]),
-        mcpProtocolVersion: firstHeader(req.headers["mcp-protocol-version"]),
-        origin: firstHeader(req.headers.origin),
-        userAgent: firstHeader(req.headers["user-agent"])
-    };
-}
-function sanitizeDiagnosticFields(fields) {
-    const sanitized = {};
-    for (const [key, value] of Object.entries(fields)) {
-        if (value === undefined) {
-            continue;
-        }
-        if (key.toLowerCase().includes("token") || key.toLowerCase().includes("code")) {
-            continue;
-        }
-        sanitized[key] = typeof value === "string" ? truncateDiagnosticValue(value) : value;
-    }
-    return sanitized;
-}
-function truncateDiagnosticValue(value) {
-    return value.length > 500 ? `${value.slice(0, 500)}...` : value;
-}
-function setCorsHeaders(res) {
-    res.setHeader("access-control-allow-origin", "*");
-    res.setHeader("access-control-allow-headers", "authorization,content-type,mcp-protocol-version,mcp-session-id,last-event-id,x-dxc-service-client-id,x-dxc-service-client-secret,x-dxc-workspace-id,x-dxc-workspace-name,x-dxc-forwarded-base-url,x-dxc-provisioning-secret");
-    res.setHeader("access-control-allow-methods", "GET,POST,DELETE,OPTIONS");
-    res.setHeader("access-control-expose-headers", "mcp-session-id,www-authenticate");
-}
-function writeJson(res, status, value) {
-    const body = JSON.stringify(value);
-    if (!res.headersSent) {
-        res.writeHead(status, {
-            "content-type": "application/json",
-            "content-length": String(Buffer.byteLength(body))
-        });
-    }
-    res.end(body);
-}
-function redirect(res, location) {
-    res.writeHead(302, { location });
-    res.end();
-}
-async function getRuntime() {
-    runtimePromise ??= connectRuntime();
-    return runtimePromise;
-}
-function getBaseUrl(req) {
-    const forwardedProto = firstHeader(req.headers["x-forwarded-proto"]);
-    const forwardedHost = firstHeader(req.headers["x-forwarded-host"]);
-    const host = forwardedHost || firstHeader(req.headers.host);
-    const protocol = forwardedProto || "http";
-    if (!host) {
-        throw new Error("Host header is required.");
-    }
-    return `${protocol}://${host}`;
-}
-function firstHeader(value) {
-    return Array.isArray(value) ? value[0] : value;
-}
-function normalizePath(pathname) {
-    if (pathname === "/api/mcp" || pathname === "/api/dxcomplete" || pathname === "/api/dxcomplete/mcp") {
-        return MCP_PATH;
-    }
-    return pathname.endsWith("/") && pathname.length > 1 ? pathname.slice(0, -1) : pathname;
-}
-function normalizeServicePath(pathname) {
-    const path = pathname.endsWith("/") && pathname.length > 1 ? pathname.slice(0, -1) : pathname;
-    switch (path) {
-        case "/api/dxcomplete/service/mcp":
-            return MCP_PATH;
-        case "/api/dxcomplete/service/auth/register":
-            return "/api/dxcomplete/auth/register";
-        case "/api/dxcomplete/service/auth/authorize":
-            return "/api/dxcomplete/auth/authorize";
-        case "/api/dxcomplete/service/auth/google/callback":
-            return GOOGLE_CALLBACK_PATH;
-        case "/api/dxcomplete/service/auth/token":
-            return "/api/dxcomplete/auth/token";
-        default:
-            return path;
-    }
-}
-function isProtectedResourceMetadataPath(pathname) {
-    return (pathname === protectedResourceMetadataPath() ||
-        pathname === "/.well-known/oauth-protected-resource/api/dxcomplete/mcp" ||
-        pathname === `/api/dxcomplete${protectedResourceMetadataPath()}`);
-}
-function isAuthorizationServerMetadataPath(pathname) {
-    return pathname === "/.well-known/oauth-authorization-server" || pathname === "/api/dxcomplete/.well-known/oauth-authorization-server";
-}
-function protectedResourceMetadataPath() {
-    return `/.well-known/oauth-protected-resource${MCP_PATH}`;
-}
-function protectedResourceMetadataUrl(baseUrl) {
-    return `${baseUrl}${protectedResourceMetadataPath()}`;
-}
-function mcpResourceUrl(baseUrl) {
-    return `${baseUrl}${MCP_PATH}`;
-}
-function googleCallbackUrl(baseUrl) {
-    return `${baseUrl}${GOOGLE_CALLBACK_PATH}`;
-}
-function readBearerToken(req) {
-    const authorization = firstHeader(req.headers.authorization);
-    const match = authorization?.match(/^Bearer\s+(.+)$/i);
-    return match?.[1]?.trim();
-}
-async function readJsonBody(req) {
-    if (req.body && typeof req.body === "object" && !Buffer.isBuffer(req.body)) {
-        return req.body;
-    }
-    const text = typeof req.body === "string" ? req.body : await readRawBody(req);
-    return text.trim() ? JSON.parse(text) : {};
-}
-async function readFormBody(req) {
-    if (req.body && typeof req.body === "object" && !Buffer.isBuffer(req.body)) {
-        const params = new URLSearchParams();
-        for (const [key, value] of Object.entries(req.body)) {
-            if (typeof value === "string") {
-                params.set(key, value);
-            }
-        }
-        return params;
-    }
-    const text = typeof req.body === "string" ? req.body : await readRawBody(req);
-    return new URLSearchParams(text);
-}
-function readRawBody(req) {
-    return new Promise((resolve, reject) => {
-        let body = "";
-        req.setEncoding("utf8");
-        req.on("data", (chunk) => {
-            body += chunk;
-        });
-        req.on("end", () => resolve(body));
-        req.on("error", reject);
-    });
-}
-async function drainRequestBody(req) {
-    if (req.method !== "POST" || req.complete || req.destroyed) {
-        return;
-    }
-    await readRawBody(req).catch(() => undefined);
-}
-function readStringArray(value, fallback) {
-    if (value === undefined && fallback) {
-        return fallback;
-    }
-    if (!Array.isArray(value) || !value.every((entry) => typeof entry === "string" && entry.trim())) {
-        throw new Error("Expected a non-empty string array.");
-    }
-    return value.map((entry) => entry.trim());
-}
-function requiredParam(url, key) {
-    const value = url.searchParams.get(key)?.trim();
-    if (!value) {
-        throw new Error(`${key} is required.`);
-    }
-    return value;
-}
-function requiredFormValue(body, key) {
-    const value = body.get(key)?.trim();
-    if (!value) {
-        throw new Error(`${key} is required.`);
-    }
-    return value;
-}
-function readClientId(req, body) {
-    const bodyClientId = body.get("client_id")?.trim();
-    if (bodyClientId) {
-        return bodyClientId;
-    }
-    const authorization = firstHeader(req.headers.authorization);
-    const match = authorization?.match(/^Basic\s+(.+)$/i);
-    if (match?.[1]) {
-        const decoded = Buffer.from(match[1], "base64").toString("utf8");
-        const [clientId] = decoded.split(":");
-        if (clientId) {
-            return clientId;
-        }
-    }
-    throw new Error("client_id is required.");
-}