mcp-proxy 5.11.2 → 5.12.1

package/dist/index.js

@@ -1,6 +1,29 @@
-import { AuthenticationMiddleware, Client, InMemoryEventStore, JSONRPCMessageSchema, LATEST_PROTOCOL_VERSION, NEVER, ReadBuffer, Server, ZodIssueCode, anyType, arrayType, booleanType, isInitializedNotification, isJSONRPCRequest, isJSONRPCResponse, numberType, objectType, proxyServer, serializeMessage, startHTTPServer, stringType } from "./stdio-DQCs94rj.js";
+import { C as NEVER, S as _coercedNumber, T as AuthenticationMiddleware, _ as looseObject, a as startHTTPServer, b as string, c as LATEST_PROTOCOL_VERSION, d as isJSONRPCResponse, f as ZodNumber, g as literal, h as boolean, i as Client, l as isInitializedNotification, m as array, n as serializeMessage, o as proxyServer, p as any, r as Server, s as JSONRPCMessageSchema, t as ReadBuffer, u as isJSONRPCRequest, v as number$1, w as InMemoryEventStore, x as url, y as object } from "./stdio-BAyQuMKu.js";
 import process from "node:process";
 
+//#region node_modules/.pnpm/zod@3.25.76/node_modules/zod/v4/classic/compat.js
+/** @deprecated Use the raw string literal codes instead, e.g. "invalid_type". */
+const ZodIssueCode = {
+	invalid_type: "invalid_type",
+	too_big: "too_big",
+	too_small: "too_small",
+	invalid_format: "invalid_format",
+	not_multiple_of: "not_multiple_of",
+	unrecognized_keys: "unrecognized_keys",
+	invalid_union: "invalid_union",
+	invalid_key: "invalid_key",
+	invalid_element: "invalid_element",
+	invalid_value: "invalid_value",
+	custom: "custom"
+};
+
+//#endregion
+//#region node_modules/.pnpm/zod@3.25.76/node_modules/zod/v4/classic/coerce.js
+function number(params) {
+	return _coercedNumber(ZodNumber, params);
+}
+
+//#endregion
 //#region node_modules/.pnpm/eventsource-parser@3.0.6/node_modules/eventsource-parser/dist/index.js
 var ParseError = class extends Error {
 	constructor(message, options) {
@@ -28,8 +51,8 @@ function createParser(callbacks) {
 		}
 		const fieldSeparatorIndex = line.indexOf(":");
 		if (fieldSeparatorIndex !== -1) {
-			const field = line.slice(0, fieldSeparatorIndex), offset = line[fieldSeparatorIndex + 1] === " " ? 2 : 1, value = line.slice(fieldSeparatorIndex + offset);
-			processField(field, value, line);
+			const field = line.slice(0, fieldSeparatorIndex), offset = line[fieldSeparatorIndex + 1] === " " ? 2 : 1;
+			processField(field, line.slice(fieldSeparatorIndex + offset), line);
 			return;
 		}
 		processField(line, "", line);
@@ -163,7 +186,7 @@ var __typeError = (msg) => {
 	throw TypeError(msg);
 }, __accessCheck = (obj, member, msg) => member.has(obj) || __typeError("Cannot " + msg), __privateGet = (obj, member, getter) => (__accessCheck(obj, member, "read from private field"), getter ? getter.call(obj) : member.get(obj)), __privateAdd = (obj, member, value) => member.has(obj) ? __typeError("Cannot add the same private member more than once") : member instanceof WeakSet ? member.add(obj) : member.set(obj, value), __privateSet = (obj, member, value, setter) => (__accessCheck(obj, member, "write to private field"), member.set(obj, value), value), __privateMethod = (obj, member, method) => (__accessCheck(obj, member, "access private method"), method), _readyState, _url, _redirectUrl, _withCredentials, _fetch, _reconnectInterval, _reconnectTimer, _lastEventId, _controller, _parser, _onError, _onMessage, _onOpen, _EventSource_instances, connect_fn, _onFetchResponse, _onFetchError, getRequestOptions_fn, _onEvent, _onRetryChange, failConnection_fn, scheduleReconnect_fn, _reconnect;
 var EventSource = class extends EventTarget {
-	constructor(url, eventSourceInitDict) {
+	constructor(url$1, eventSourceInitDict) {
 		var _a, _b;
 		super(), __privateAdd(this, _EventSource_instances), this.CONNECTING = 0, this.OPEN = 1, this.CLOSED = 2, __privateAdd(this, _readyState), __privateAdd(this, _url), __privateAdd(this, _redirectUrl), __privateAdd(this, _withCredentials), __privateAdd(this, _fetch), __privateAdd(this, _reconnectInterval), __privateAdd(this, _reconnectTimer), __privateAdd(this, _lastEventId, null), __privateAdd(this, _controller), __privateAdd(this, _parser), __privateAdd(this, _onError, null), __privateAdd(this, _onMessage, null), __privateAdd(this, _onOpen, null), __privateAdd(this, _onFetchResponse, async (response) => {
 			var _a2;
@@ -210,8 +233,8 @@ var EventSource = class extends EventTarget {
 			__privateSet(this, _reconnectTimer, void 0), __privateGet(this, _readyState) === this.CONNECTING && __privateMethod(this, _EventSource_instances, connect_fn).call(this);
 		});
 		try {
-			if (url instanceof URL) __privateSet(this, _url, url);
-			else if (typeof url == "string") __privateSet(this, _url, new URL(url, getBaseURL()));
+			if (url$1 instanceof URL) __privateSet(this, _url, url$1);
+			else if (typeof url$1 == "string") __privateSet(this, _url, new URL(url$1, getBaseURL()));
 			else throw new Error("Invalid URL");
 		} catch {
 			throw syntaxError("An invalid or illegal string was specified");
@@ -330,6 +353,40 @@ function getBaseURL() {
 	return doc && typeof doc == "object" && "baseURI" in doc && typeof doc.baseURI == "string" ? doc.baseURI : void 0;
 }
 
+//#endregion
+//#region node_modules/.pnpm/@modelcontextprotocol+sdk@1.24.3_zod@3.25.76/node_modules/@modelcontextprotocol/sdk/dist/esm/shared/transport.js
+/**
+* Normalizes HeadersInit to a plain Record<string, string> for manipulation.
+* Handles Headers objects, arrays of tuples, and plain objects.
+*/
+function normalizeHeaders(headers) {
+	if (!headers) return {};
+	if (headers instanceof Headers) return Object.fromEntries(headers.entries());
+	if (Array.isArray(headers)) return Object.fromEntries(headers);
+	return { ...headers };
+}
+/**
+* Creates a fetch function that includes base RequestInit options.
+* This ensures requests inherit settings like credentials, mode, headers, etc. from the base init.
+*
+* @param baseFetch - The base fetch function to wrap (defaults to global fetch)
+* @param baseInit - The base RequestInit to merge with each request
+* @returns A wrapped fetch function that merges base options with call-specific options
+*/
+function createFetchWithInit(baseFetch = fetch, baseInit) {
+	if (!baseInit) return baseFetch;
+	return async (url$1, init) => {
+		return baseFetch(url$1, {
+			...baseInit,
+			...init,
+			headers: (init === null || init === void 0 ? void 0 : init.headers) ? {
+				...normalizeHeaders(baseInit.headers),
+				...normalizeHeaders(init.headers)
+			} : baseInit.headers
+		});
+	};
+}
+
 //#endregion
 //#region node_modules/.pnpm/pkce-challenge@5.0.0/node_modules/pkce-challenge/dist/index.node.js
 let crypto;
@@ -379,19 +436,18 @@ async function pkceChallenge(length) {
 	if (!length) length = 43;
 	if (length < 43 || length > 128) throw `Expected a length between 43 and 128. Received ${length}.`;
 	const verifier = await generateVerifier(length);
-	const challenge = await generateChallenge(verifier);
 	return {
 		code_verifier: verifier,
-		code_challenge: challenge
+		code_challenge: await generateChallenge(verifier)
 	};
 }
 
 //#endregion
-//#region node_modules/.pnpm/@modelcontextprotocol+sdk@1.18.1/node_modules/@modelcontextprotocol/sdk/dist/esm/shared/auth.js
+//#region node_modules/.pnpm/@modelcontextprotocol+sdk@1.24.3_zod@3.25.76/node_modules/@modelcontextprotocol/sdk/dist/esm/shared/auth.js
 /**
 * Reusable URL validation that disallows javascript: scheme
 */
-const SafeUrlSchema = stringType().url().superRefine((val, ctx) => {
+const SafeUrlSchema = url().superRefine((val, ctx) => {
 	if (!URL.canParse(val)) {
 		ctx.addIssue({
 			code: ZodIssueCode.custom,
@@ -400,147 +456,156 @@ const SafeUrlSchema = stringType().url().superRefine((val, ctx) => {
 		});
 		return NEVER;
 	}
-}).refine((url) => {
-	const u = new URL(url);
+}).refine((url$1) => {
+	const u = new URL(url$1);
 	return u.protocol !== "javascript:" && u.protocol !== "data:" && u.protocol !== "vbscript:";
 }, { message: "URL cannot use javascript:, data:, or vbscript: scheme" });
 /**
 * RFC 9728 OAuth Protected Resource Metadata
 */
-const OAuthProtectedResourceMetadataSchema = objectType({
-	resource: stringType().url(),
-	authorization_servers: arrayType(SafeUrlSchema).optional(),
-	jwks_uri: stringType().url().optional(),
-	scopes_supported: arrayType(stringType()).optional(),
-	bearer_methods_supported: arrayType(stringType()).optional(),
-	resource_signing_alg_values_supported: arrayType(stringType()).optional(),
-	resource_name: stringType().optional(),
-	resource_documentation: stringType().optional(),
-	resource_policy_uri: stringType().url().optional(),
-	resource_tos_uri: stringType().url().optional(),
-	tls_client_certificate_bound_access_tokens: booleanType().optional(),
-	authorization_details_types_supported: arrayType(stringType()).optional(),
-	dpop_signing_alg_values_supported: arrayType(stringType()).optional(),
-	dpop_bound_access_tokens_required: booleanType().optional()
-}).passthrough();
+const OAuthProtectedResourceMetadataSchema = looseObject({
+	resource: string().url(),
+	authorization_servers: array(SafeUrlSchema).optional(),
+	jwks_uri: string().url().optional(),
+	scopes_supported: array(string()).optional(),
+	bearer_methods_supported: array(string()).optional(),
+	resource_signing_alg_values_supported: array(string()).optional(),
+	resource_name: string().optional(),
+	resource_documentation: string().optional(),
+	resource_policy_uri: string().url().optional(),
+	resource_tos_uri: string().url().optional(),
+	tls_client_certificate_bound_access_tokens: boolean().optional(),
+	authorization_details_types_supported: array(string()).optional(),
+	dpop_signing_alg_values_supported: array(string()).optional(),
+	dpop_bound_access_tokens_required: boolean().optional()
+});
 /**
 * RFC 8414 OAuth 2.0 Authorization Server Metadata
 */
-const OAuthMetadataSchema = objectType({
-	issuer: stringType(),
+const OAuthMetadataSchema = looseObject({
+	issuer: string(),
 	authorization_endpoint: SafeUrlSchema,
 	token_endpoint: SafeUrlSchema,
 	registration_endpoint: SafeUrlSchema.optional(),
-	scopes_supported: arrayType(stringType()).optional(),
-	response_types_supported: arrayType(stringType()),
-	response_modes_supported: arrayType(stringType()).optional(),
-	grant_types_supported: arrayType(stringType()).optional(),
-	token_endpoint_auth_methods_supported: arrayType(stringType()).optional(),
-	token_endpoint_auth_signing_alg_values_supported: arrayType(stringType()).optional(),
+	scopes_supported: array(string()).optional(),
+	response_types_supported: array(string()),
+	response_modes_supported: array(string()).optional(),
+	grant_types_supported: array(string()).optional(),
+	token_endpoint_auth_methods_supported: array(string()).optional(),
+	token_endpoint_auth_signing_alg_values_supported: array(string()).optional(),
 	service_documentation: SafeUrlSchema.optional(),
 	revocation_endpoint: SafeUrlSchema.optional(),
-	revocation_endpoint_auth_methods_supported: arrayType(stringType()).optional(),
-	revocation_endpoint_auth_signing_alg_values_supported: arrayType(stringType()).optional(),
-	introspection_endpoint: stringType().optional(),
-	introspection_endpoint_auth_methods_supported: arrayType(stringType()).optional(),
-	introspection_endpoint_auth_signing_alg_values_supported: arrayType(stringType()).optional(),
-	code_challenge_methods_supported: arrayType(stringType()).optional()
-}).passthrough();
+	revocation_endpoint_auth_methods_supported: array(string()).optional(),
+	revocation_endpoint_auth_signing_alg_values_supported: array(string()).optional(),
+	introspection_endpoint: string().optional(),
+	introspection_endpoint_auth_methods_supported: array(string()).optional(),
+	introspection_endpoint_auth_signing_alg_values_supported: array(string()).optional(),
+	code_challenge_methods_supported: array(string()).optional(),
+	client_id_metadata_document_supported: boolean().optional()
+});
 /**
 * OpenID Connect Discovery 1.0 Provider Metadata
 * see: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
 */
-const OpenIdProviderMetadataSchema = objectType({
-	issuer: stringType(),
+const OpenIdProviderMetadataSchema = looseObject({
+	issuer: string(),
 	authorization_endpoint: SafeUrlSchema,
 	token_endpoint: SafeUrlSchema,
 	userinfo_endpoint: SafeUrlSchema.optional(),
 	jwks_uri: SafeUrlSchema,
 	registration_endpoint: SafeUrlSchema.optional(),
-	scopes_supported: arrayType(stringType()).optional(),
-	response_types_supported: arrayType(stringType()),
-	response_modes_supported: arrayType(stringType()).optional(),
-	grant_types_supported: arrayType(stringType()).optional(),
-	acr_values_supported: arrayType(stringType()).optional(),
-	subject_types_supported: arrayType(stringType()),
-	id_token_signing_alg_values_supported: arrayType(stringType()),
-	id_token_encryption_alg_values_supported: arrayType(stringType()).optional(),
-	id_token_encryption_enc_values_supported: arrayType(stringType()).optional(),
-	userinfo_signing_alg_values_supported: arrayType(stringType()).optional(),
-	userinfo_encryption_alg_values_supported: arrayType(stringType()).optional(),
-	userinfo_encryption_enc_values_supported: arrayType(stringType()).optional(),
-	request_object_signing_alg_values_supported: arrayType(stringType()).optional(),
-	request_object_encryption_alg_values_supported: arrayType(stringType()).optional(),
-	request_object_encryption_enc_values_supported: arrayType(stringType()).optional(),
-	token_endpoint_auth_methods_supported: arrayType(stringType()).optional(),
-	token_endpoint_auth_signing_alg_values_supported: arrayType(stringType()).optional(),
-	display_values_supported: arrayType(stringType()).optional(),
-	claim_types_supported: arrayType(stringType()).optional(),
-	claims_supported: arrayType(stringType()).optional(),
-	service_documentation: stringType().optional(),
-	claims_locales_supported: arrayType(stringType()).optional(),
-	ui_locales_supported: arrayType(stringType()).optional(),
-	claims_parameter_supported: booleanType().optional(),
-	request_parameter_supported: booleanType().optional(),
-	request_uri_parameter_supported: booleanType().optional(),
-	require_request_uri_registration: booleanType().optional(),
+	scopes_supported: array(string()).optional(),
+	response_types_supported: array(string()),
+	response_modes_supported: array(string()).optional(),
+	grant_types_supported: array(string()).optional(),
+	acr_values_supported: array(string()).optional(),
+	subject_types_supported: array(string()),
+	id_token_signing_alg_values_supported: array(string()),
+	id_token_encryption_alg_values_supported: array(string()).optional(),
+	id_token_encryption_enc_values_supported: array(string()).optional(),
+	userinfo_signing_alg_values_supported: array(string()).optional(),
+	userinfo_encryption_alg_values_supported: array(string()).optional(),
+	userinfo_encryption_enc_values_supported: array(string()).optional(),
+	request_object_signing_alg_values_supported: array(string()).optional(),
+	request_object_encryption_alg_values_supported: array(string()).optional(),
+	request_object_encryption_enc_values_supported: array(string()).optional(),
+	token_endpoint_auth_methods_supported: array(string()).optional(),
+	token_endpoint_auth_signing_alg_values_supported: array(string()).optional(),
+	display_values_supported: array(string()).optional(),
+	claim_types_supported: array(string()).optional(),
+	claims_supported: array(string()).optional(),
+	service_documentation: string().optional(),
+	claims_locales_supported: array(string()).optional(),
+	ui_locales_supported: array(string()).optional(),
+	claims_parameter_supported: boolean().optional(),
+	request_parameter_supported: boolean().optional(),
+	request_uri_parameter_supported: boolean().optional(),
+	require_request_uri_registration: boolean().optional(),
 	op_policy_uri: SafeUrlSchema.optional(),
-	op_tos_uri: SafeUrlSchema.optional()
-}).passthrough();
+	op_tos_uri: SafeUrlSchema.optional(),
+	client_id_metadata_document_supported: boolean().optional()
+});
 /**
 * OpenID Connect Discovery metadata that may include OAuth 2.0 fields
 * This schema represents the real-world scenario where OIDC providers
 * return a mix of OpenID Connect and OAuth 2.0 metadata fields
 */
-const OpenIdProviderDiscoveryMetadataSchema = OpenIdProviderMetadataSchema.merge(OAuthMetadataSchema.pick({ code_challenge_methods_supported: true }));
+const OpenIdProviderDiscoveryMetadataSchema = object({
+	...OpenIdProviderMetadataSchema.shape,
+	...OAuthMetadataSchema.pick({ code_challenge_methods_supported: true }).shape
+});
 /**
 * OAuth 2.1 token response
 */
-const OAuthTokensSchema = objectType({
-	access_token: stringType(),
-	id_token: stringType().optional(),
-	token_type: stringType(),
-	expires_in: numberType().optional(),
-	scope: stringType().optional(),
-	refresh_token: stringType().optional()
+const OAuthTokensSchema = object({
+	access_token: string(),
+	id_token: string().optional(),
+	token_type: string(),
+	expires_in: number().optional(),
+	scope: string().optional(),
+	refresh_token: string().optional()
 }).strip();
 /**
 * OAuth 2.1 error response
 */
-const OAuthErrorResponseSchema = objectType({
-	error: stringType(),
-	error_description: stringType().optional(),
-	error_uri: stringType().optional()
+const OAuthErrorResponseSchema = object({
+	error: string(),
+	error_description: string().optional(),
+	error_uri: string().optional()
 });
 /**
+* Optional version of SafeUrlSchema that allows empty string for retrocompatibility on tos_uri and logo_uri
+*/
+const OptionalSafeUrlSchema = SafeUrlSchema.optional().or(literal("").transform(() => void 0));
+/**
 * RFC 7591 OAuth 2.0 Dynamic Client Registration metadata
 */
-const OAuthClientMetadataSchema = objectType({
-	redirect_uris: arrayType(SafeUrlSchema),
-	token_endpoint_auth_method: stringType().optional(),
-	grant_types: arrayType(stringType()).optional(),
-	response_types: arrayType(stringType()).optional(),
-	client_name: stringType().optional(),
+const OAuthClientMetadataSchema = object({
+	redirect_uris: array(SafeUrlSchema),
+	token_endpoint_auth_method: string().optional(),
+	grant_types: array(string()).optional(),
+	response_types: array(string()).optional(),
+	client_name: string().optional(),
 	client_uri: SafeUrlSchema.optional(),
-	logo_uri: SafeUrlSchema.optional(),
-	scope: stringType().optional(),
-	contacts: arrayType(stringType()).optional(),
-	tos_uri: SafeUrlSchema.optional(),
-	policy_uri: stringType().optional(),
+	logo_uri: OptionalSafeUrlSchema,
+	scope: string().optional(),
+	contacts: array(string()).optional(),
+	tos_uri: OptionalSafeUrlSchema,
+	policy_uri: string().optional(),
 	jwks_uri: SafeUrlSchema.optional(),
-	jwks: anyType().optional(),
-	software_id: stringType().optional(),
-	software_version: stringType().optional(),
-	software_statement: stringType().optional()
+	jwks: any().optional(),
+	software_id: string().optional(),
+	software_version: string().optional(),
+	software_statement: string().optional()
 }).strip();
 /**
 * RFC 7591 OAuth 2.0 Dynamic Client Registration client information
 */
-const OAuthClientInformationSchema = objectType({
-	client_id: stringType(),
-	client_secret: stringType().optional(),
-	client_id_issued_at: numberType().optional(),
-	client_secret_expires_at: numberType().optional()
+const OAuthClientInformationSchema = object({
+	client_id: string(),
+	client_secret: string().optional(),
+	client_id_issued_at: number$1().optional(),
+	client_secret_expires_at: number$1().optional()
 }).strip();
 /**
 * RFC 7591 OAuth 2.0 Dynamic Client Registration full response (client information plus metadata)
@@ -549,20 +614,20 @@ const OAuthClientInformationFullSchema = OAuthClientMetadataSchema.merge(OAuthCl
 /**
 * RFC 7591 OAuth 2.0 Dynamic Client Registration error response
 */
-const OAuthClientRegistrationErrorSchema = objectType({
-	error: stringType(),
-	error_description: stringType().optional()
+const OAuthClientRegistrationErrorSchema = object({
+	error: string(),
+	error_description: string().optional()
 }).strip();
 /**
 * RFC 7009 OAuth 2.0 Token Revocation request
 */
-const OAuthTokenRevocationRequestSchema = objectType({
-	token: stringType(),
-	token_type_hint: stringType().optional()
+const OAuthTokenRevocationRequestSchema = object({
+	token: string(),
+	token_type_hint: string().optional()
 }).strip();
 
 //#endregion
-//#region node_modules/.pnpm/@modelcontextprotocol+sdk@1.18.1/node_modules/@modelcontextprotocol/sdk/dist/esm/shared/auth-utils.js
+//#region node_modules/.pnpm/@modelcontextprotocol+sdk@1.24.3_zod@3.25.76/node_modules/@modelcontextprotocol/sdk/dist/esm/shared/auth-utils.js
 /**
 * Utilities for handling OAuth resource URIs.
 */
@@ -571,8 +636,8 @@ const OAuthTokenRevocationRequestSchema = objectType({
 * RFC 8707 section 2 states that resource URIs "MUST NOT include a fragment component".
 * Keeps everything else unchanged (scheme, domain, port, path, query).
 */
-function resourceUrlFromServerUrl(url) {
-	const resourceURL = typeof url === "string" ? new URL(url) : new URL(url.href);
+function resourceUrlFromServerUrl(url$1) {
+	const resourceURL = typeof url$1 === "string" ? new URL(url$1) : new URL(url$1.href);
 	resourceURL.hash = "";
 	return resourceURL;
 }
@@ -596,7 +661,7 @@ function checkResourceAllowed({ requestedResource, configuredResource }) {
 }
 
 //#endregion
-//#region node_modules/.pnpm/@modelcontextprotocol+sdk@1.18.1/node_modules/@modelcontextprotocol/sdk/dist/esm/server/auth/errors.js
+//#region node_modules/.pnpm/@modelcontextprotocol+sdk@1.24.3_zod@3.25.76/node_modules/@modelcontextprotocol/sdk/dist/esm/server/auth/errors.js
 /**
 * Base class for all OAuth errors
 */
@@ -718,6 +783,12 @@ InvalidClientMetadataError.errorCode = "invalid_client_metadata";
 var InsufficientScopeError = class extends OAuthError {};
 InsufficientScopeError.errorCode = "insufficient_scope";
 /**
+* Invalid target error - The requested resource is invalid, missing, unknown, or malformed.
+* (Custom error for resource indicators - RFC 8707)
+*/
+var InvalidTargetError = class extends OAuthError {};
+InvalidTargetError.errorCode = "invalid_target";
+/**
 * A full list of all OAuthErrors, enabling parsing from error responses
 */
 const OAUTH_ERRORS = {
@@ -736,16 +807,26 @@ const OAUTH_ERRORS = {
 	[MethodNotAllowedError.errorCode]: MethodNotAllowedError,
 	[TooManyRequestsError.errorCode]: TooManyRequestsError,
 	[InvalidClientMetadataError.errorCode]: InvalidClientMetadataError,
-	[InsufficientScopeError.errorCode]: InsufficientScopeError
+	[InsufficientScopeError.errorCode]: InsufficientScopeError,
+	[InvalidTargetError.errorCode]: InvalidTargetError
 };
 
 //#endregion
-//#region node_modules/.pnpm/@modelcontextprotocol+sdk@1.18.1/node_modules/@modelcontextprotocol/sdk/dist/esm/client/auth.js
+//#region node_modules/.pnpm/@modelcontextprotocol+sdk@1.24.3_zod@3.25.76/node_modules/@modelcontextprotocol/sdk/dist/esm/client/auth.js
 var UnauthorizedError = class extends Error {
 	constructor(message) {
 		super(message !== null && message !== void 0 ? message : "Unauthorized");
 	}
 };
+function isClientAuthMethod(method) {
+	return [
+		"client_secret_basic",
+		"client_secret_post",
+		"none"
+	].includes(method);
+}
+const AUTHORIZATION_CODE_RESPONSE_TYPE = "code";
+const AUTHORIZATION_CODE_CHALLENGE_METHOD = "S256";
 /**
 * Determines the best client authentication method to use based on server support and client configuration.
 *
@@ -761,6 +842,7 @@ var UnauthorizedError = class extends Error {
 function selectClientAuthMethod(clientInformation, supportedMethods) {
 	const hasClientSecret = clientInformation.client_secret !== void 0;
 	if (supportedMethods.length === 0) return hasClientSecret ? "client_secret_post" : "none";
+	if ("token_endpoint_auth_method" in clientInformation && clientInformation.token_endpoint_auth_method && isClientAuthMethod(clientInformation.token_endpoint_auth_method) && supportedMethods.includes(clientInformation.token_endpoint_auth_method)) return clientInformation.token_endpoint_auth_method;
 	if (hasClientSecret && supportedMethods.includes("client_secret_basic")) return "client_secret_basic";
 	if (hasClientSecret && supportedMethods.includes("client_secret_post")) return "client_secret_post";
 	if (supportedMethods.includes("none")) return "none";
@@ -834,8 +916,7 @@ async function parseErrorResponse(input) {
 		const { error, error_description, error_uri } = OAuthErrorResponseSchema.parse(JSON.parse(body));
 		return new (OAUTH_ERRORS[error] || ServerError)(error_description || "", error_uri);
 	} catch (error) {
-		const errorMessage = `${statusCode ? `HTTP ${statusCode}: ` : ""}Invalid OAuth error response: ${error}. Raw body: ${body}`;
-		return new ServerError(errorMessage);
+		return new ServerError(`${statusCode ? `HTTP ${statusCode}: ` : ""}Invalid OAuth error response: ${error}. Raw body: ${body}`);
 	}
 }
 /**
@@ -860,41 +941,46 @@ async function auth(provider, options) {
 	}
 }
 async function authInternal(provider, { serverUrl, authorizationCode, scope, resourceMetadataUrl, fetchFn }) {
+	var _a, _b;
 	let resourceMetadata;
 	let authorizationServerUrl;
 	try {
 		resourceMetadata = await discoverOAuthProtectedResourceMetadata(serverUrl, { resourceMetadataUrl }, fetchFn);
 		if (resourceMetadata.authorization_servers && resourceMetadata.authorization_servers.length > 0) authorizationServerUrl = resourceMetadata.authorization_servers[0];
-	} catch (_a) {}
+	} catch (_c) {}
 	/**
 	* If we don't get a valid authorization server metadata from protected resource metadata,
-	* fallback to the legacy MCP spec's implementation (version 2025-03-26): MCP server acts as the Authorization server.
+	* fallback to the legacy MCP spec's implementation (version 2025-03-26): MCP server base URL acts as the Authorization server.
 	*/
-	if (!authorizationServerUrl) authorizationServerUrl = serverUrl;
+	if (!authorizationServerUrl) authorizationServerUrl = new URL("/", serverUrl);
 	const resource = await selectResourceURL(serverUrl, provider, resourceMetadata);
 	const metadata = await discoverAuthorizationServerMetadata(authorizationServerUrl, { fetchFn });
 	let clientInformation = await Promise.resolve(provider.clientInformation());
 	if (!clientInformation) {
 		if (authorizationCode !== void 0) throw new Error("Existing OAuth client information is required when exchanging an authorization code");
-		if (!provider.saveClientInformation) throw new Error("OAuth client information must be saveable for dynamic registration");
-		const fullInformation = await registerClient(authorizationServerUrl, {
-			metadata,
-			clientMetadata: provider.clientMetadata,
-			fetchFn
-		});
-		await provider.saveClientInformation(fullInformation);
-		clientInformation = fullInformation;
+		const supportsUrlBasedClientId = (metadata === null || metadata === void 0 ? void 0 : metadata.client_id_metadata_document_supported) === true;
+		const clientMetadataUrl = provider.clientMetadataUrl;
+		if (clientMetadataUrl && !isHttpsUrl(clientMetadataUrl)) throw new InvalidClientMetadataError(`clientMetadataUrl must be a valid HTTPS URL with a non-root pathname, got: ${clientMetadataUrl}`);
+		if (supportsUrlBasedClientId && clientMetadataUrl) {
+			clientInformation = { client_id: clientMetadataUrl };
+			await ((_a = provider.saveClientInformation) === null || _a === void 0 ? void 0 : _a.call(provider, clientInformation));
+		} else {
+			if (!provider.saveClientInformation) throw new Error("OAuth client information must be saveable for dynamic registration");
+			const fullInformation = await registerClient(authorizationServerUrl, {
+				metadata,
+				clientMetadata: provider.clientMetadata,
+				fetchFn
+			});
+			await provider.saveClientInformation(fullInformation);
+			clientInformation = fullInformation;
+		}
 	}
-	if (authorizationCode !== void 0) {
-		const codeVerifier$1 = await provider.codeVerifier();
-		const tokens$1 = await exchangeAuthorization(authorizationServerUrl, {
+	const nonInteractiveFlow = !provider.redirectUrl;
+	if (authorizationCode !== void 0 || nonInteractiveFlow) {
+		const tokens$1 = await fetchToken(provider, authorizationServerUrl, {
 			metadata,
-			clientInformation,
-			authorizationCode,
-			codeVerifier: codeVerifier$1,
-			redirectUri: provider.redirectUrl,
 			resource,
-			addClientAuthentication: provider.addClientAuthentication,
+			authorizationCode,
 			fetchFn
 		});
 		await provider.saveTokens(tokens$1);
@@ -921,13 +1007,26 @@ async function authInternal(provider, { serverUrl, authorizationCode, scope, res
 		clientInformation,
 		state,
 		redirectUrl: provider.redirectUrl,
-		scope: scope || provider.clientMetadata.scope,
+		scope: scope || ((_b = resourceMetadata === null || resourceMetadata === void 0 ? void 0 : resourceMetadata.scopes_supported) === null || _b === void 0 ? void 0 : _b.join(" ")) || provider.clientMetadata.scope,
 		resource
 	});
 	await provider.saveCodeVerifier(codeVerifier);
 	await provider.redirectToAuthorization(authorizationUrl);
 	return "REDIRECT";
 }
+/**
+* SEP-991: URL-based Client IDs
+* Validate that the client_id is a valid URL with https scheme
+*/
+function isHttpsUrl(value) {
+	if (!value) return false;
+	try {
+		const url$1 = new URL(value);
+		return url$1.protocol === "https:" && url$1.pathname !== "/";
+	} catch (_a) {
+		return false;
+	}
+}
 async function selectResourceURL(serverUrl, provider, resourceMetadata) {
 	const defaultResource = resourceUrlFromServerUrl(serverUrl);
 	if (provider.validateResourceURL) return await provider.validateResourceURL(defaultResource, resourceMetadata === null || resourceMetadata === void 0 ? void 0 : resourceMetadata.resource);
@@ -939,20 +1038,40 @@ async function selectResourceURL(serverUrl, provider, resourceMetadata) {
 	return new URL(resourceMetadata.resource);
 }
 /**
-* Extract resource_metadata from response header.
+* Extract resource_metadata, scope, and error from WWW-Authenticate header.
 */
-function extractResourceMetadataUrl(res) {
+function extractWWWAuthenticateParams(res) {
 	const authenticateHeader = res.headers.get("WWW-Authenticate");
-	if (!authenticateHeader) return;
+	if (!authenticateHeader) return {};
 	const [type, scheme] = authenticateHeader.split(" ");
-	if (type.toLowerCase() !== "bearer" || !scheme) return;
-	const match = /resource_metadata="([^"]*)"/.exec(authenticateHeader);
-	if (!match) return;
-	try {
-		return new URL(match[1]);
-	} catch (_a) {
-		return;
-	}
+	if (type.toLowerCase() !== "bearer" || !scheme) return {};
+	const resourceMetadataMatch = extractFieldFromWwwAuth(res, "resource_metadata") || void 0;
+	let resourceMetadataUrl;
+	if (resourceMetadataMatch) try {
+		resourceMetadataUrl = new URL(resourceMetadataMatch);
+	} catch (_a) {}
+	const scope = extractFieldFromWwwAuth(res, "scope") || void 0;
+	const error = extractFieldFromWwwAuth(res, "error") || void 0;
+	return {
+		resourceMetadataUrl,
+		scope,
+		error
+	};
+}
+/**
+* Extracts a specific field's value from the WWW-Authenticate header string.
+*
+* @param response The HTTP response object containing the headers.
+* @param fieldName The name of the field to extract (e.g., "realm", "nonce").
+* @returns The field value
+*/
+function extractFieldFromWwwAuth(response, fieldName) {
+	const wwwAuthHeader = response.headers.get("WWW-Authenticate");
+	if (!wwwAuthHeader) return null;
+	const pattern = /* @__PURE__ */ new RegExp(`${fieldName}=(?:"([^"]+)"|([^\\s,]+))`);
+	const match = wwwAuthHeader.match(pattern);
+	if (match) return match[1] || match[2];
+	return null;
 }
 /**
 * Looks up RFC 9728 OAuth 2.0 Protected Resource Metadata.
@@ -961,22 +1080,29 @@ function extractResourceMetadataUrl(res) {
 * return `undefined`. Any other errors will be thrown as exceptions.
 */
 async function discoverOAuthProtectedResourceMetadata(serverUrl, opts, fetchFn = fetch) {
+	var _a, _b;
 	const response = await discoverMetadataWithFallback(serverUrl, "oauth-protected-resource", fetchFn, {
 		protocolVersion: opts === null || opts === void 0 ? void 0 : opts.protocolVersion,
 		metadataUrl: opts === null || opts === void 0 ? void 0 : opts.resourceMetadataUrl
 	});
-	if (!response || response.status === 404) throw new Error(`Resource server does not implement OAuth 2.0 Protected Resource Metadata.`);
-	if (!response.ok) throw new Error(`HTTP ${response.status} trying to load well-known OAuth protected resource metadata.`);
+	if (!response || response.status === 404) {
+		await ((_a = response === null || response === void 0 ? void 0 : response.body) === null || _a === void 0 ? void 0 : _a.cancel());
+		throw new Error(`Resource server does not implement OAuth 2.0 Protected Resource Metadata.`);
+	}
+	if (!response.ok) {
+		await ((_b = response.body) === null || _b === void 0 ? void 0 : _b.cancel());
+		throw new Error(`HTTP ${response.status} trying to load well-known OAuth protected resource metadata.`);
+	}
 	return OAuthProtectedResourceMetadataSchema.parse(await response.json());
 }
 /**
 * Helper function to handle fetch with CORS retry logic
 */
-async function fetchWithCorsRetry(url, headers, fetchFn = fetch) {
+async function fetchWithCorsRetry(url$1, headers, fetchFn = fetch) {
 	try {
-		return await fetchFn(url, { headers });
+		return await fetchFn(url$1, { headers });
 	} catch (error) {
-		if (error instanceof TypeError) if (headers) return fetchWithCorsRetry(url, void 0, fetchFn);
+		if (error instanceof TypeError) if (headers) return fetchWithCorsRetry(url$1, void 0, fetchFn);
 		else return;
 		throw error;
 	}
@@ -991,8 +1117,8 @@ function buildWellKnownPath(wellKnownPrefix, pathname = "", options = {}) {
 /**
 * Tries to discover OAuth metadata at a specific URL
 */
-async function tryMetadataDiscovery(url, protocolVersion, fetchFn = fetch) {
-	return await fetchWithCorsRetry(url, { "MCP-Protocol-Version": protocolVersion }, fetchFn);
+async function tryMetadataDiscovery(url$1, protocolVersion, fetchFn = fetch) {
+	return await fetchWithCorsRetry(url$1, { "MCP-Protocol-Version": protocolVersion }, fetchFn);
 }
 /**
 * Determines if fallback to root discovery should be attempted
@@ -1007,58 +1133,50 @@ async function discoverMetadataWithFallback(serverUrl, wellKnownType, fetchFn, o
 	var _a, _b;
 	const issuer = new URL(serverUrl);
 	const protocolVersion = (_a = opts === null || opts === void 0 ? void 0 : opts.protocolVersion) !== null && _a !== void 0 ? _a : LATEST_PROTOCOL_VERSION;
-	let url;
-	if (opts === null || opts === void 0 ? void 0 : opts.metadataUrl) url = new URL(opts.metadataUrl);
+	let url$1;
+	if (opts === null || opts === void 0 ? void 0 : opts.metadataUrl) url$1 = new URL(opts.metadataUrl);
 	else {
 		const wellKnownPath = buildWellKnownPath(wellKnownType, issuer.pathname);
-		url = new URL(wellKnownPath, (_b = opts === null || opts === void 0 ? void 0 : opts.metadataServerUrl) !== null && _b !== void 0 ? _b : issuer);
-		url.search = issuer.search;
-	}
-	let response = await tryMetadataDiscovery(url, protocolVersion, fetchFn);
-	if (!(opts === null || opts === void 0 ? void 0 : opts.metadataUrl) && shouldAttemptFallback(response, issuer.pathname)) {
-		const rootUrl = new URL(`/.well-known/${wellKnownType}`, issuer);
-		response = await tryMetadataDiscovery(rootUrl, protocolVersion, fetchFn);
+		url$1 = new URL(wellKnownPath, (_b = opts === null || opts === void 0 ? void 0 : opts.metadataServerUrl) !== null && _b !== void 0 ? _b : issuer);
+		url$1.search = issuer.search;
 	}
+	let response = await tryMetadataDiscovery(url$1, protocolVersion, fetchFn);
+	if (!(opts === null || opts === void 0 ? void 0 : opts.metadataUrl) && shouldAttemptFallback(response, issuer.pathname)) response = await tryMetadataDiscovery(new URL(`/.well-known/${wellKnownType}`, issuer), protocolVersion, fetchFn);
 	return response;
 }
 /**
 * Builds a list of discovery URLs to try for authorization server metadata.
 * URLs are returned in priority order:
 * 1. OAuth metadata at the given URL
-* 2. OAuth metadata at root (if URL has path)
-* 3. OIDC metadata endpoints
+* 2. OIDC metadata endpoints at the given URL
 */
 function buildDiscoveryUrls(authorizationServerUrl) {
-	const url = typeof authorizationServerUrl === "string" ? new URL(authorizationServerUrl) : authorizationServerUrl;
-	const hasPath = url.pathname !== "/";
+	const url$1 = typeof authorizationServerUrl === "string" ? new URL(authorizationServerUrl) : authorizationServerUrl;
+	const hasPath = url$1.pathname !== "/";
 	const urlsToTry = [];
 	if (!hasPath) {
 		urlsToTry.push({
-			url: new URL("/.well-known/oauth-authorization-server", url.origin),
+			url: new URL("/.well-known/oauth-authorization-server", url$1.origin),
 			type: "oauth"
 		});
 		urlsToTry.push({
-			url: new URL(`/.well-known/openid-configuration`, url.origin),
+			url: new URL(`/.well-known/openid-configuration`, url$1.origin),
 			type: "oidc"
 		});
 		return urlsToTry;
 	}
-	let pathname = url.pathname;
+	let pathname = url$1.pathname;
 	if (pathname.endsWith("/")) pathname = pathname.slice(0, -1);
 	urlsToTry.push({
-		url: new URL(`/.well-known/oauth-authorization-server${pathname}`, url.origin),
-		type: "oauth"
-	});
-	urlsToTry.push({
-		url: new URL("/.well-known/oauth-authorization-server", url.origin),
+		url: new URL(`/.well-known/oauth-authorization-server${pathname}`, url$1.origin),
 		type: "oauth"
 	});
 	urlsToTry.push({
-		url: new URL(`/.well-known/openid-configuration${pathname}`, url.origin),
+		url: new URL(`/.well-known/openid-configuration${pathname}`, url$1.origin),
 		type: "oidc"
 	});
 	urlsToTry.push({
-		url: new URL(`${pathname}/.well-known/openid-configuration`, url.origin),
+		url: new URL(`${pathname}/.well-known/openid-configuration`, url$1.origin),
 		type: "oidc"
 	});
 	return urlsToTry;
@@ -1081,7 +1199,10 @@ function buildDiscoveryUrls(authorizationServerUrl) {
 */
 async function discoverAuthorizationServerMetadata(authorizationServerUrl, { fetchFn = fetch, protocolVersion = LATEST_PROTOCOL_VERSION } = {}) {
 	var _a;
-	const headers = { "MCP-Protocol-Version": protocolVersion };
+	const headers = {
+		"MCP-Protocol-Version": protocolVersion,
+		Accept: "application/json"
+	};
 	const urlsToTry = buildDiscoveryUrls(authorizationServerUrl);
 	for (const { url: endpointUrl, type } of urlsToTry) {
 		const response = await fetchWithCorsRetry(endpointUrl, headers, fetchFn);
@@ -1092,36 +1213,31 @@ async function discoverAuthorizationServerMetadata(authorizationServerUrl, { fet
 		*/
 		continue;
 		if (!response.ok) {
+			await ((_a = response.body) === null || _a === void 0 ? void 0 : _a.cancel());
 			if (response.status >= 400 && response.status < 500) continue;
 			throw new Error(`HTTP ${response.status} trying to load ${type === "oauth" ? "OAuth" : "OpenID provider"} metadata from ${endpointUrl}`);
 		}
 		if (type === "oauth") return OAuthMetadataSchema.parse(await response.json());
-		else {
-			const metadata = OpenIdProviderDiscoveryMetadataSchema.parse(await response.json());
-			if (!((_a = metadata.code_challenge_methods_supported) === null || _a === void 0 ? void 0 : _a.includes("S256"))) throw new Error(`Incompatible OIDC provider at ${endpointUrl}: does not support S256 code challenge method required by MCP specification`);
-			return metadata;
-		}
+		else return OpenIdProviderDiscoveryMetadataSchema.parse(await response.json());
 	}
 }
 /**
 * Begins the authorization flow with the given server, by generating a PKCE challenge and constructing the authorization URL.
 */
 async function startAuthorization(authorizationServerUrl, { metadata, clientInformation, redirectUrl, scope, state, resource }) {
-	const responseType = "code";
-	const codeChallengeMethod = "S256";
 	let authorizationUrl;
 	if (metadata) {
 		authorizationUrl = new URL(metadata.authorization_endpoint);
-		if (!metadata.response_types_supported.includes(responseType)) throw new Error(`Incompatible auth server: does not support response type ${responseType}`);
-		if (!metadata.code_challenge_methods_supported || !metadata.code_challenge_methods_supported.includes(codeChallengeMethod)) throw new Error(`Incompatible auth server: does not support code challenge method ${codeChallengeMethod}`);
+		if (!metadata.response_types_supported.includes(AUTHORIZATION_CODE_RESPONSE_TYPE)) throw new Error(`Incompatible auth server: does not support response type ${AUTHORIZATION_CODE_RESPONSE_TYPE}`);
+		if (metadata.code_challenge_methods_supported && !metadata.code_challenge_methods_supported.includes(AUTHORIZATION_CODE_CHALLENGE_METHOD)) throw new Error(`Incompatible auth server: does not support code challenge method ${AUTHORIZATION_CODE_CHALLENGE_METHOD}`);
 	} else authorizationUrl = new URL("/authorize", authorizationServerUrl);
 	const challenge = await pkceChallenge();
 	const codeVerifier = challenge.code_verifier;
 	const codeChallenge = challenge.code_challenge;
-	authorizationUrl.searchParams.set("response_type", responseType);
+	authorizationUrl.searchParams.set("response_type", AUTHORIZATION_CODE_RESPONSE_TYPE);
 	authorizationUrl.searchParams.set("client_id", clientInformation.client_id);
 	authorizationUrl.searchParams.set("code_challenge", codeChallenge);
-	authorizationUrl.searchParams.set("code_challenge_method", codeChallengeMethod);
+	authorizationUrl.searchParams.set("code_challenge_method", AUTHORIZATION_CODE_CHALLENGE_METHOD);
 	authorizationUrl.searchParams.set("redirect_uri", String(redirectUrl));
 	if (state) authorizationUrl.searchParams.set("state", state);
 	if (scope) authorizationUrl.searchParams.set("scope", scope);
@@ -1133,43 +1249,42 @@ async function startAuthorization(authorizationServerUrl, { metadata, clientInfo
 	};
 }
 /**
-* Exchanges an authorization code for an access token with the given server.
+* Prepares token request parameters for an authorization code exchange.
 *
-* Supports multiple client authentication methods as specified in OAuth 2.1:
-* - Automatically selects the best authentication method based on server support
-* - Falls back to appropriate defaults when server metadata is unavailable
+* This is the default implementation used by fetchToken when the provider
+* doesn't implement prepareTokenRequest.
 *
-* @param authorizationServerUrl - The authorization server's base URL
-* @param options - Configuration object containing client info, auth code, etc.
-* @returns Promise resolving to OAuth tokens
-* @throws {Error} When token exchange fails or authentication is invalid
+* @param authorizationCode - The authorization code received from the authorization endpoint
+* @param codeVerifier - The PKCE code verifier
+* @param redirectUri - The redirect URI used in the authorization request
+* @returns URLSearchParams for the authorization_code grant
 */
-async function exchangeAuthorization(authorizationServerUrl, { metadata, clientInformation, authorizationCode, codeVerifier, redirectUri, resource, addClientAuthentication, fetchFn }) {
+function prepareAuthorizationCodeRequest(authorizationCode, codeVerifier, redirectUri) {
+	return new URLSearchParams({
+		grant_type: "authorization_code",
+		code: authorizationCode,
+		code_verifier: codeVerifier,
+		redirect_uri: String(redirectUri)
+	});
+}
+/**
+* Internal helper to execute a token request with the given parameters.
+* Used by exchangeAuthorization, refreshAuthorization, and fetchToken.
+*/
+async function executeTokenRequest(authorizationServerUrl, { metadata, tokenRequestParams, clientInformation, addClientAuthentication, resource, fetchFn }) {
 	var _a;
-	const grantType = "authorization_code";
 	const tokenUrl = (metadata === null || metadata === void 0 ? void 0 : metadata.token_endpoint) ? new URL(metadata.token_endpoint) : new URL("/token", authorizationServerUrl);
-	if ((metadata === null || metadata === void 0 ? void 0 : metadata.grant_types_supported) && !metadata.grant_types_supported.includes(grantType)) throw new Error(`Incompatible auth server: does not support grant type ${grantType}`);
 	const headers = new Headers({
 		"Content-Type": "application/x-www-form-urlencoded",
-		"Accept": "application/json"
+		Accept: "application/json"
 	});
-	const params = new URLSearchParams({
-		grant_type: grantType,
-		code: authorizationCode,
-		code_verifier: codeVerifier,
-		redirect_uri: String(redirectUri)
-	});
-	if (addClientAuthentication) addClientAuthentication(headers, params, authorizationServerUrl, metadata);
-	else {
-		const supportedMethods = (_a = metadata === null || metadata === void 0 ? void 0 : metadata.token_endpoint_auth_methods_supported) !== null && _a !== void 0 ? _a : [];
-		const authMethod = selectClientAuthMethod(clientInformation, supportedMethods);
-		applyClientAuthentication(authMethod, clientInformation, headers, params);
-	}
-	if (resource) params.set("resource", resource.href);
+	if (resource) tokenRequestParams.set("resource", resource.href);
+	if (addClientAuthentication) await addClientAuthentication(headers, tokenRequestParams, tokenUrl, metadata);
+	else if (clientInformation) applyClientAuthentication(selectClientAuthMethod(clientInformation, (_a = metadata === null || metadata === void 0 ? void 0 : metadata.token_endpoint_auth_methods_supported) !== null && _a !== void 0 ? _a : []), clientInformation, headers, tokenRequestParams);
 	const response = await (fetchFn !== null && fetchFn !== void 0 ? fetchFn : fetch)(tokenUrl, {
 		method: "POST",
 		headers,
-		body: params
+		body: tokenRequestParams
 	});
 	if (!response.ok) throw await parseErrorResponse(response);
 	return OAuthTokensSchema.parse(await response.json());
@@ -1187,34 +1302,64 @@ async function exchangeAuthorization(authorizationServerUrl, { metadata, clientI
 * @throws {Error} When token refresh fails or authentication is invalid
 */
 async function refreshAuthorization(authorizationServerUrl, { metadata, clientInformation, refreshToken, resource, addClientAuthentication, fetchFn }) {
-	var _a;
-	const grantType = "refresh_token";
-	let tokenUrl;
-	if (metadata) {
-		tokenUrl = new URL(metadata.token_endpoint);
-		if (metadata.grant_types_supported && !metadata.grant_types_supported.includes(grantType)) throw new Error(`Incompatible auth server: does not support grant type ${grantType}`);
-	} else tokenUrl = new URL("/token", authorizationServerUrl);
-	const headers = new Headers({ "Content-Type": "application/x-www-form-urlencoded" });
-	const params = new URLSearchParams({
-		grant_type: grantType,
-		refresh_token: refreshToken
-	});
-	if (addClientAuthentication) addClientAuthentication(headers, params, authorizationServerUrl, metadata);
-	else {
-		const supportedMethods = (_a = metadata === null || metadata === void 0 ? void 0 : metadata.token_endpoint_auth_methods_supported) !== null && _a !== void 0 ? _a : [];
-		const authMethod = selectClientAuthMethod(clientInformation, supportedMethods);
-		applyClientAuthentication(authMethod, clientInformation, headers, params);
-	}
-	if (resource) params.set("resource", resource.href);
-	const response = await (fetchFn !== null && fetchFn !== void 0 ? fetchFn : fetch)(tokenUrl, {
-		method: "POST",
-		headers,
-		body: params
-	});
-	if (!response.ok) throw await parseErrorResponse(response);
-	return OAuthTokensSchema.parse({
+	return {
 		refresh_token: refreshToken,
-		...await response.json()
+		...await executeTokenRequest(authorizationServerUrl, {
+			metadata,
+			tokenRequestParams: new URLSearchParams({
+				grant_type: "refresh_token",
+				refresh_token: refreshToken
+			}),
+			clientInformation,
+			addClientAuthentication,
+			resource,
+			fetchFn
+		})
+	};
+}
+/**
+* Unified token fetching that works with any grant type via provider.prepareTokenRequest().
+*
+* This function provides a single entry point for obtaining tokens regardless of the
+* OAuth grant type. The provider's prepareTokenRequest() method determines which grant
+* to use and supplies the grant-specific parameters.
+*
+* @param provider - OAuth client provider that implements prepareTokenRequest()
+* @param authorizationServerUrl - The authorization server's base URL
+* @param options - Configuration for the token request
+* @returns Promise resolving to OAuth tokens
+* @throws {Error} When provider doesn't implement prepareTokenRequest or token fetch fails
+*
+* @example
+* // Provider for client_credentials:
+* class MyProvider implements OAuthClientProvider {
+*   prepareTokenRequest(scope) {
+*     const params = new URLSearchParams({ grant_type: 'client_credentials' });
+*     if (scope) params.set('scope', scope);
+*     return params;
+*   }
+*   // ... other methods
+* }
+*
+* const tokens = await fetchToken(provider, authServerUrl, { metadata });
+*/
+async function fetchToken(provider, authorizationServerUrl, { metadata, resource, authorizationCode, fetchFn } = {}) {
+	const scope = provider.clientMetadata.scope;
+	let tokenRequestParams;
+	if (provider.prepareTokenRequest) tokenRequestParams = await provider.prepareTokenRequest(scope);
+	if (!tokenRequestParams) {
+		if (!authorizationCode) throw new Error("Either provider.prepareTokenRequest() or authorizationCode is required");
+		if (!provider.redirectUrl) throw new Error("redirectUrl is required for authorization_code flow");
+		tokenRequestParams = prepareAuthorizationCodeRequest(authorizationCode, await provider.codeVerifier(), provider.redirectUrl);
+	}
+	const clientInformation = await provider.clientInformation();
+	return executeTokenRequest(authorizationServerUrl, {
+		metadata,
+		tokenRequestParams,
+		clientInformation: clientInformation !== null && clientInformation !== void 0 ? clientInformation : void 0,
+		addClientAuthentication: provider.addClientAuthentication,
+		resource,
+		fetchFn
 	});
 }
 /**
@@ -1236,7 +1381,7 @@ async function registerClient(authorizationServerUrl, { metadata, clientMetadata
 }
 
 //#endregion
-//#region node_modules/.pnpm/@modelcontextprotocol+sdk@1.18.1/node_modules/@modelcontextprotocol/sdk/dist/esm/client/sse.js
+//#region node_modules/.pnpm/@modelcontextprotocol+sdk@1.24.3_zod@3.25.76/node_modules/@modelcontextprotocol/sdk/dist/esm/client/sse.js
 var SseError = class extends Error {
 	constructor(code, message, event) {
 		super(`SSE error: ${message}`);
@@ -1247,15 +1392,18 @@ var SseError = class extends Error {
 /**
 * Client transport for SSE: this will connect to a server using Server-Sent Events for receiving
 * messages and make separate POST requests for sending messages.
+* @deprecated SSEClientTransport is deprecated. Prefer to use StreamableHTTPClientTransport where possible instead. Note that because some servers are still using SSE, clients may need to support both transports during the migration period.
 */
 var SSEClientTransport = class {
-	constructor(url, opts) {
-		this._url = url;
+	constructor(url$1, opts) {
+		this._url = url$1;
 		this._resourceMetadataUrl = void 0;
+		this._scope = void 0;
 		this._eventSourceInit = opts === null || opts === void 0 ? void 0 : opts.eventSourceInit;
 		this._requestInit = opts === null || opts === void 0 ? void 0 : opts.requestInit;
 		this._authProvider = opts === null || opts === void 0 ? void 0 : opts.authProvider;
 		this._fetch = opts === null || opts === void 0 ? void 0 : opts.fetch;
+		this._fetchWithInit = createFetchWithInit(opts === null || opts === void 0 ? void 0 : opts.fetch, opts === null || opts === void 0 ? void 0 : opts.requestInit);
 	}
 	async _authThenStart() {
 		var _a;
@@ -1265,7 +1413,8 @@ var SSEClientTransport = class {
 			result = await auth(this._authProvider, {
 				serverUrl: this._url,
 				resourceMetadataUrl: this._resourceMetadataUrl,
-				fetchFn: this._fetch
+				scope: this._scope,
+				fetchFn: this._fetchWithInit
 			});
 		} catch (error) {
 			(_a = this.onerror) === null || _a === void 0 || _a.call(this, error);
@@ -1282,9 +1431,10 @@ var SSEClientTransport = class {
 			if (tokens) headers["Authorization"] = `Bearer ${tokens.access_token}`;
 		}
 		if (this._protocolVersion) headers["mcp-protocol-version"] = this._protocolVersion;
+		const extraHeaders = normalizeHeaders((_a = this._requestInit) === null || _a === void 0 ? void 0 : _a.headers);
 		return new Headers({
 			...headers,
-			...(_a = this._requestInit) === null || _a === void 0 ? void 0 : _a.headers
+			...extraHeaders
 		});
 	}
 	_startOrAuth() {
@@ -1293,14 +1443,18 @@ var SSEClientTransport = class {
 		return new Promise((resolve, reject) => {
 			this._eventSource = new EventSource(this._url.href, {
 				...this._eventSourceInit,
-				fetch: async (url, init) => {
+				fetch: async (url$1, init) => {
 					const headers = await this._commonHeaders();
 					headers.set("Accept", "text/event-stream");
-					const response = await fetchImpl(url, {
+					const response = await fetchImpl(url$1, {
 						...init,
 						headers
 					});
-					if (response.status === 401 && response.headers.has("www-authenticate")) this._resourceMetadataUrl = extractResourceMetadataUrl(response);
+					if (response.status === 401 && response.headers.has("www-authenticate")) {
+						const { resourceMetadataUrl, scope } = extractWWWAuthenticateParams(response);
+						this._resourceMetadataUrl = resourceMetadataUrl;
+						this._scope = scope;
+					}
 					return response;
 				}
 			});
@@ -1357,7 +1511,8 @@ var SSEClientTransport = class {
 			serverUrl: this._url,
 			authorizationCode,
 			resourceMetadataUrl: this._resourceMetadataUrl,
-			fetchFn: this._fetch
+			scope: this._scope,
+			fetchFn: this._fetchWithInit
 		}) !== "AUTHORIZED") throw new UnauthorizedError("Failed to authorize");
 	}
 	async close() {
@@ -1367,7 +1522,7 @@ var SSEClientTransport = class {
 		(_c = this.onclose) === null || _c === void 0 || _c.call(this);
 	}
 	async send(message) {
-		var _a, _b, _c;
+		var _a, _b, _c, _d;
 		if (!this._endpoint) throw new Error("Not connected");
 		try {
 			const headers = await this._commonHeaders();
@@ -1381,20 +1536,24 @@ var SSEClientTransport = class {
 			};
 			const response = await ((_b = this._fetch) !== null && _b !== void 0 ? _b : fetch)(this._endpoint, init);
 			if (!response.ok) {
+				const text = await response.text().catch(() => null);
 				if (response.status === 401 && this._authProvider) {
-					this._resourceMetadataUrl = extractResourceMetadataUrl(response);
+					const { resourceMetadataUrl, scope } = extractWWWAuthenticateParams(response);
+					this._resourceMetadataUrl = resourceMetadataUrl;
+					this._scope = scope;
 					if (await auth(this._authProvider, {
 						serverUrl: this._url,
 						resourceMetadataUrl: this._resourceMetadataUrl,
-						fetchFn: this._fetch
+						scope: this._scope,
+						fetchFn: this._fetchWithInit
 					}) !== "AUTHORIZED") throw new UnauthorizedError();
 					return this.send(message);
 				}
-				const text = await response.text().catch(() => null);
 				throw new Error(`Error POSTing to endpoint (HTTP ${response.status}): ${text}`);
 			}
+			await ((_c = response.body) === null || _c === void 0 ? void 0 : _c.cancel());
 		} catch (error) {
-			(_c = this.onerror) === null || _c === void 0 || _c.call(this, error);
+			(_d = this.onerror) === null || _d === void 0 || _d.call(this, error);
 			throw error;
 		}
 	}
@@ -1429,7 +1588,7 @@ var EventSourceParserStream = class extends TransformStream {
 };
 
 //#endregion
-//#region node_modules/.pnpm/@modelcontextprotocol+sdk@1.18.1/node_modules/@modelcontextprotocol/sdk/dist/esm/client/streamableHttp.js
+//#region node_modules/.pnpm/@modelcontextprotocol+sdk@1.24.3_zod@3.25.76/node_modules/@modelcontextprotocol/sdk/dist/esm/client/streamableHttp.js
 const DEFAULT_STREAMABLE_HTTP_RECONNECTION_OPTIONS = {
 	initialReconnectionDelay: 1e3,
 	maxReconnectionDelay: 3e4,
@@ -1448,13 +1607,16 @@ var StreamableHTTPError = class extends Error {
 * for receiving messages.
 */
 var StreamableHTTPClientTransport = class {
-	constructor(url, opts) {
+	constructor(url$1, opts) {
 		var _a;
-		this._url = url;
+		this._hasCompletedAuthFlow = false;
+		this._url = url$1;
 		this._resourceMetadataUrl = void 0;
+		this._scope = void 0;
 		this._requestInit = opts === null || opts === void 0 ? void 0 : opts.requestInit;
 		this._authProvider = opts === null || opts === void 0 ? void 0 : opts.authProvider;
 		this._fetch = opts === null || opts === void 0 ? void 0 : opts.fetch;
+		this._fetchWithInit = createFetchWithInit(opts === null || opts === void 0 ? void 0 : opts.fetch, opts === null || opts === void 0 ? void 0 : opts.requestInit);
 		this._sessionId = opts === null || opts === void 0 ? void 0 : opts.sessionId;
 		this._reconnectionOptions = (_a = opts === null || opts === void 0 ? void 0 : opts.reconnectionOptions) !== null && _a !== void 0 ? _a : DEFAULT_STREAMABLE_HTTP_RECONNECTION_OPTIONS;
 	}
@@ -1466,7 +1628,8 @@ var StreamableHTTPClientTransport = class {
 			result = await auth(this._authProvider, {
 				serverUrl: this._url,
 				resourceMetadataUrl: this._resourceMetadataUrl,
-				fetchFn: this._fetch
+				scope: this._scope,
+				fetchFn: this._fetchWithInit
 			});
 		} catch (error) {
 			(_a = this.onerror) === null || _a === void 0 || _a.call(this, error);
@@ -1484,14 +1647,14 @@ var StreamableHTTPClientTransport = class {
 		}
 		if (this._sessionId) headers["mcp-session-id"] = this._sessionId;
 		if (this._protocolVersion) headers["mcp-protocol-version"] = this._protocolVersion;
-		const extraHeaders = this._normalizeHeaders((_a = this._requestInit) === null || _a === void 0 ? void 0 : _a.headers);
+		const extraHeaders = normalizeHeaders((_a = this._requestInit) === null || _a === void 0 ? void 0 : _a.headers);
 		return new Headers({
 			...headers,
 			...extraHeaders
 		});
 	}
 	async _startOrAuthSse(options) {
-		var _a, _b, _c;
+		var _a, _b, _c, _d;
 		const { resumptionToken } = options;
 		try {
 			const headers = await this._commonHeaders();
@@ -1503,13 +1666,14 @@ var StreamableHTTPClientTransport = class {
 				signal: (_b = this._abortController) === null || _b === void 0 ? void 0 : _b.signal
 			});
 			if (!response.ok) {
+				await ((_c = response.body) === null || _c === void 0 ? void 0 : _c.cancel());
 				if (response.status === 401 && this._authProvider) return await this._authThenStart();
 				if (response.status === 405) return;
 				throw new StreamableHTTPError(response.status, `Failed to open SSE stream: ${response.statusText}`);
 			}
 			this._handleSseStream(response.body, options, true);
 		} catch (error) {
-			(_c = this.onerror) === null || _c === void 0 || _c.call(this, error);
+			(_d = this.onerror) === null || _d === void 0 || _d.call(this, error);
 			throw error;
 		}
 	}
@@ -1520,19 +1684,14 @@ var StreamableHTTPClientTransport = class {
 	* @returns Time to wait in milliseconds before next reconnection attempt
 	*/
 	_getNextReconnectionDelay(attempt) {
+		if (this._serverRetryMs !== void 0) return this._serverRetryMs;
 		const initialDelay = this._reconnectionOptions.initialReconnectionDelay;
 		const growFactor = this._reconnectionOptions.reconnectionDelayGrowFactor;
 		const maxDelay = this._reconnectionOptions.maxReconnectionDelay;
 		return Math.min(initialDelay * Math.pow(growFactor, attempt), maxDelay);
 	}
-	_normalizeHeaders(headers) {
-		if (!headers) return {};
-		if (headers instanceof Headers) return Object.fromEntries(headers.entries());
-		if (Array.isArray(headers)) return Object.fromEntries(headers);
-		return { ...headers };
-	}
 	/**
-	* Schedule a reconnection attempt with exponential backoff
+	* Schedule a reconnection attempt using server-provided retry interval or backoff
 	*
 	* @param lastEventId The ID of the last received event for resumability
 	* @param attemptCount Current reconnection attempt count for this specific stream
@@ -1540,12 +1699,12 @@ var StreamableHTTPClientTransport = class {
 	_scheduleReconnection(options, attemptCount = 0) {
 		var _a;
 		const maxRetries = this._reconnectionOptions.maxRetries;
-		if (maxRetries > 0 && attemptCount >= maxRetries) {
+		if (attemptCount >= maxRetries) {
 			(_a = this.onerror) === null || _a === void 0 || _a.call(this, /* @__PURE__ */ new Error(`Maximum reconnection attempts (${maxRetries}) exceeded.`));
 			return;
 		}
 		const delay = this._getNextReconnectionDelay(attemptCount);
-		setTimeout(() => {
+		this._reconnectionTimeout = setTimeout(() => {
 			this._startOrAuthSse(options).catch((error) => {
 				var _a$1;
 				(_a$1 = this.onerror) === null || _a$1 === void 0 || _a$1.call(this, /* @__PURE__ */ new Error(`Failed to reconnect SSE stream: ${error instanceof Error ? error.message : String(error)}`));
@@ -1557,28 +1716,42 @@ var StreamableHTTPClientTransport = class {
 		if (!stream) return;
 		const { onresumptiontoken, replayMessageId } = options;
 		let lastEventId;
+		let hasPrimingEvent = false;
+		let receivedResponse = false;
 		const processStream = async () => {
 			var _a, _b, _c, _d;
 			try {
-				const reader = stream.pipeThrough(new TextDecoderStream()).pipeThrough(new EventSourceParserStream()).getReader();
+				const reader = stream.pipeThrough(new TextDecoderStream()).pipeThrough(new EventSourceParserStream({ onRetry: (retryMs) => {
+					this._serverRetryMs = retryMs;
+				} })).getReader();
 				while (true) {
 					const { value: event, done } = await reader.read();
 					if (done) break;
 					if (event.id) {
 						lastEventId = event.id;
+						hasPrimingEvent = true;
 						onresumptiontoken === null || onresumptiontoken === void 0 || onresumptiontoken(event.id);
 					}
+					if (!event.data) continue;
 					if (!event.event || event.event === "message") try {
 						const message = JSONRPCMessageSchema.parse(JSON.parse(event.data));
-						if (replayMessageId !== void 0 && isJSONRPCResponse(message)) message.id = replayMessageId;
+						if (isJSONRPCResponse(message)) {
+							receivedResponse = true;
+							if (replayMessageId !== void 0) message.id = replayMessageId;
+						}
 						(_a = this.onmessage) === null || _a === void 0 || _a.call(this, message);
 					} catch (error) {
 						(_b = this.onerror) === null || _b === void 0 || _b.call(this, error);
 					}
 				}
+				if ((isReconnectable || hasPrimingEvent) && !receivedResponse && this._abortController && !this._abortController.signal.aborted) this._scheduleReconnection({
+					resumptionToken: lastEventId,
+					onresumptiontoken,
+					replayMessageId
+				}, 0);
 			} catch (error) {
 				(_c = this.onerror) === null || _c === void 0 || _c.call(this, /* @__PURE__ */ new Error(`SSE stream disconnected: ${error}`));
-				if (isReconnectable && this._abortController && !this._abortController.signal.aborted) try {
+				if ((isReconnectable || hasPrimingEvent) && !receivedResponse && this._abortController && !this._abortController.signal.aborted) try {
 					this._scheduleReconnection({
 						resumptionToken: lastEventId,
 						onresumptiontoken,
@@ -1604,16 +1777,21 @@ var StreamableHTTPClientTransport = class {
 			serverUrl: this._url,
 			authorizationCode,
 			resourceMetadataUrl: this._resourceMetadataUrl,
-			fetchFn: this._fetch
+			scope: this._scope,
+			fetchFn: this._fetchWithInit
 		}) !== "AUTHORIZED") throw new UnauthorizedError("Failed to authorize");
 	}
 	async close() {
 		var _a, _b;
+		if (this._reconnectionTimeout) {
+			clearTimeout(this._reconnectionTimeout);
+			this._reconnectionTimeout = void 0;
+		}
 		(_a = this._abortController) === null || _a === void 0 || _a.abort();
 		(_b = this.onclose) === null || _b === void 0 || _b.call(this);
 	}
 	async send(message, options) {
-		var _a, _b, _c, _d;
+		var _a, _b, _c, _d, _e, _f, _g;
 		try {
 			const { resumptionToken, onresumptiontoken } = options || {};
 			if (resumptionToken) {
@@ -1640,19 +1818,44 @@ var StreamableHTTPClientTransport = class {
 			const sessionId = response.headers.get("mcp-session-id");
 			if (sessionId) this._sessionId = sessionId;
 			if (!response.ok) {
+				const text = await response.text().catch(() => null);
 				if (response.status === 401 && this._authProvider) {
-					this._resourceMetadataUrl = extractResourceMetadataUrl(response);
+					if (this._hasCompletedAuthFlow) throw new StreamableHTTPError(401, "Server returned 401 after successful authentication");
+					const { resourceMetadataUrl, scope } = extractWWWAuthenticateParams(response);
+					this._resourceMetadataUrl = resourceMetadataUrl;
+					this._scope = scope;
 					if (await auth(this._authProvider, {
 						serverUrl: this._url,
 						resourceMetadataUrl: this._resourceMetadataUrl,
-						fetchFn: this._fetch
+						scope: this._scope,
+						fetchFn: this._fetchWithInit
 					}) !== "AUTHORIZED") throw new UnauthorizedError();
+					this._hasCompletedAuthFlow = true;
 					return this.send(message);
 				}
-				const text = await response.text().catch(() => null);
-				throw new Error(`Error POSTing to endpoint (HTTP ${response.status}): ${text}`);
+				if (response.status === 403 && this._authProvider) {
+					const { resourceMetadataUrl, scope, error } = extractWWWAuthenticateParams(response);
+					if (error === "insufficient_scope") {
+						const wwwAuthHeader = response.headers.get("WWW-Authenticate");
+						if (this._lastUpscopingHeader === wwwAuthHeader) throw new StreamableHTTPError(403, "Server returned 403 after trying upscoping");
+						if (scope) this._scope = scope;
+						if (resourceMetadataUrl) this._resourceMetadataUrl = resourceMetadataUrl;
+						this._lastUpscopingHeader = wwwAuthHeader !== null && wwwAuthHeader !== void 0 ? wwwAuthHeader : void 0;
+						if (await auth(this._authProvider, {
+							serverUrl: this._url,
+							resourceMetadataUrl: this._resourceMetadataUrl,
+							scope: this._scope,
+							fetchFn: this._fetch
+						}) !== "AUTHORIZED") throw new UnauthorizedError();
+						return this.send(message);
+					}
+				}
+				throw new StreamableHTTPError(response.status, `Error POSTing to endpoint: ${text}`);
 			}
+			this._hasCompletedAuthFlow = false;
+			this._lastUpscopingHeader = void 0;
 			if (response.status === 202) {
+				await ((_c = response.body) === null || _c === void 0 ? void 0 : _c.cancel());
 				if (isInitializedNotification(message)) this._startOrAuthSse({ resumptionToken: void 0 }).catch((err) => {
 					var _a$1;
 					return (_a$1 = this.onerror) === null || _a$1 === void 0 ? void 0 : _a$1.call(this, err);
@@ -1665,10 +1868,14 @@ var StreamableHTTPClientTransport = class {
 			else if (contentType === null || contentType === void 0 ? void 0 : contentType.includes("application/json")) {
 				const data = await response.json();
 				const responseMessages = Array.isArray(data) ? data.map((msg) => JSONRPCMessageSchema.parse(msg)) : [JSONRPCMessageSchema.parse(data)];
-				for (const msg of responseMessages) (_c = this.onmessage) === null || _c === void 0 || _c.call(this, msg);
-			} else throw new StreamableHTTPError(-1, `Unexpected content type: ${contentType}`);
+				for (const msg of responseMessages) (_d = this.onmessage) === null || _d === void 0 || _d.call(this, msg);
+			} else {
+				await ((_e = response.body) === null || _e === void 0 ? void 0 : _e.cancel());
+				throw new StreamableHTTPError(-1, `Unexpected content type: ${contentType}`);
+			}
+			else await ((_f = response.body) === null || _f === void 0 ? void 0 : _f.cancel());
 		} catch (error) {
-			(_d = this.onerror) === null || _d === void 0 || _d.call(this, error);
+			(_g = this.onerror) === null || _g === void 0 || _g.call(this, error);
 			throw error;
 		}
 	}
@@ -1687,7 +1894,7 @@ var StreamableHTTPClientTransport = class {
 	* the server does not allow clients to terminate sessions.
 	*/
 	async terminateSession() {
-		var _a, _b, _c;
+		var _a, _b, _c, _d;
 		if (!this._sessionId) return;
 		try {
 			const headers = await this._commonHeaders();
@@ -1698,10 +1905,11 @@ var StreamableHTTPClientTransport = class {
 				signal: (_a = this._abortController) === null || _a === void 0 ? void 0 : _a.signal
 			};
 			const response = await ((_b = this._fetch) !== null && _b !== void 0 ? _b : fetch)(this._url, init);
+			await ((_c = response.body) === null || _c === void 0 ? void 0 : _c.cancel());
 			if (!response.ok && response.status !== 405) throw new StreamableHTTPError(response.status, `Failed to terminate session: ${response.statusText}`);
 			this._sessionId = void 0;
 		} catch (error) {
-			(_c = this.onerror) === null || _c === void 0 || _c.call(this, error);
+			(_d = this.onerror) === null || _d === void 0 || _d.call(this, error);
 			throw error;
 		}
 	}
@@ -1711,12 +1919,25 @@ var StreamableHTTPClientTransport = class {
 	get protocolVersion() {
 		return this._protocolVersion;
 	}
+	/**
+	* Resume an SSE stream from a previous event ID.
+	* Opens a GET SSE connection with Last-Event-ID header to replay missed events.
+	*
+	* @param lastEventId The event ID to resume from
+	* @param options Optional callback to receive new resumption tokens
+	*/
+	async resumeStream(lastEventId, options) {
+		await this._startOrAuthSse({
+			resumptionToken: lastEventId,
+			onresumptiontoken: options === null || options === void 0 ? void 0 : options.onresumptiontoken
+		});
+	}
 };
 
 //#endregion
-//#region node_modules/.pnpm/@modelcontextprotocol+sdk@1.18.1/node_modules/@modelcontextprotocol/sdk/dist/esm/server/stdio.js
+//#region node_modules/.pnpm/@modelcontextprotocol+sdk@1.24.3_zod@3.25.76/node_modules/@modelcontextprotocol/sdk/dist/esm/server/stdio.js
 /**
-* Server transport for stdio: this communicates with a MCP client by reading from the current process' stdin and writing to stdout.
+* Server transport for stdio: this communicates with an MCP client by reading from the current process' stdin and writing to stdout.
 *
 * This transport is only available in Node.js environments.
 */
@@ -1778,13 +1999,13 @@ let ServerType = /* @__PURE__ */ function(ServerType$1) {
 	ServerType$1["SSE"] = "SSE";
 	return ServerType$1;
 }({});
-const startStdioServer = async ({ initStdioServer, initStreamClient, serverType, transportOptions = {}, url }) => {
+const startStdioServer = async ({ initStdioServer, initStreamClient, serverType, transportOptions = {}, url: url$1 }) => {
 	let transport;
 	switch (serverType) {
 		case ServerType.SSE:
-			transport = new SSEClientTransport(new URL(url), transportOptions);
+			transport = new SSEClientTransport(new URL(url$1), transportOptions);
 			break;
-		default: transport = new StreamableHTTPClientTransport(new URL(url), transportOptions);
+		default: transport = new StreamableHTTPClientTransport(new URL(url$1), transportOptions);
 	}
 	const streamClient = initStreamClient ? await initStreamClient() : new Client({
 		name: "mcp-proxy",