mcp-proxy 6.4.2 → 6.4.4

package/dist/index.mjs

@@ -1,4 +1,4 @@
-import { C as NEVER, S as _coercedNumber, T as AuthenticationMiddleware, _ as looseObject, a as startHTTPServer, b as string, c as LATEST_PROTOCOL_VERSION, d as isJSONRPCResponse, f as ZodNumber, g as literal, h as boolean, i as Client, l as isInitializedNotification, m as array, n as serializeMessage, o as proxyServer, p as any, r as Server, s as JSONRPCMessageSchema, t as ReadBuffer, u as isJSONRPCRequest, v as number$1, w as InMemoryEventStore, x as url, y as object } from "./stdio-CvFTizsx.mjs";
+import { C as NEVER, S as _coercedNumber, T as AuthenticationMiddleware, _ as looseObject, a as startHTTPServer, b as string, c as LATEST_PROTOCOL_VERSION, d as isJSONRPCResultResponse, f as ZodNumber, g as literal, h as boolean, i as Client, l as isInitializedNotification, m as array, n as serializeMessage, o as proxyServer, p as any, r as Server, s as JSONRPCMessageSchema, t as ReadBuffer, u as isJSONRPCRequest, v as number$1, w as InMemoryEventStore, x as url, y as object } from "./stdio-BmURZCbz.mjs";
 import process from "node:process";
 
 //#region node_modules/.pnpm/zod@3.25.76/node_modules/zod/v4/classic/compat.js
@@ -354,7 +354,7 @@ function getBaseURL() {
 }
 
 //#endregion
-//#region node_modules/.pnpm/@modelcontextprotocol+sdk@1.24.3_zod@3.25.76/node_modules/@modelcontextprotocol/sdk/dist/esm/shared/transport.js
+//#region node_modules/.pnpm/@modelcontextprotocol+sdk@1.27.1_zod@3.25.76/node_modules/@modelcontextprotocol/sdk/dist/esm/shared/transport.js
 /**
 * Normalizes HeadersInit to a plain Record<string, string> for manipulation.
 * Handles Headers objects, arrays of tuples, and plain objects.
@@ -379,7 +379,7 @@ function createFetchWithInit(baseFetch = fetch, baseInit) {
 		return baseFetch(url$1, {
 			...baseInit,
 			...init,
-			headers: (init === null || init === void 0 ? void 0 : init.headers) ? {
+			headers: init?.headers ? {
 				...normalizeHeaders(baseInit.headers),
 				...normalizeHeaders(init.headers)
 			} : baseInit.headers
@@ -388,7 +388,7 @@ function createFetchWithInit(baseFetch = fetch, baseInit) {
 }
 
 //#endregion
-//#region node_modules/.pnpm/pkce-challenge@5.0.0/node_modules/pkce-challenge/dist/index.node.js
+//#region node_modules/.pnpm/pkce-challenge@5.0.1/node_modules/pkce-challenge/dist/index.node.js
 let crypto;
 crypto = globalThis.crypto?.webcrypto ?? globalThis.crypto ?? import("node:crypto").then((m) => m.webcrypto);
 /**
@@ -405,11 +405,11 @@ async function getRandomValues(size) {
 */
 async function random(size) {
 	const mask = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._~";
+	const evenDistCutoff = Math.pow(2, 8) - Math.pow(2, 8) % 66;
 	let result = "";
-	const randomUints = await getRandomValues(size);
-	for (let i = 0; i < size; i++) {
-		const randomIndex = randomUints[i] % 66;
-		result += mask[randomIndex];
+	while (result.length < size) {
+		const randomBytes = await getRandomValues(size - result.length);
+		for (const randomByte of randomBytes) if (randomByte < evenDistCutoff) result += mask[randomByte % 66];
 	}
 	return result;
 }
@@ -443,7 +443,7 @@ async function pkceChallenge(length) {
 }
 
 //#endregion
-//#region node_modules/.pnpm/@modelcontextprotocol+sdk@1.24.3_zod@3.25.76/node_modules/@modelcontextprotocol/sdk/dist/esm/shared/auth.js
+//#region node_modules/.pnpm/@modelcontextprotocol+sdk@1.27.1_zod@3.25.76/node_modules/@modelcontextprotocol/sdk/dist/esm/shared/auth.js
 /**
 * Reusable URL validation that disallows javascript: scheme
 */
@@ -627,7 +627,7 @@ const OAuthTokenRevocationRequestSchema = object({
 }).strip();
 
 //#endregion
-//#region node_modules/.pnpm/@modelcontextprotocol+sdk@1.24.3_zod@3.25.76/node_modules/@modelcontextprotocol/sdk/dist/esm/shared/auth-utils.js
+//#region node_modules/.pnpm/@modelcontextprotocol+sdk@1.27.1_zod@3.25.76/node_modules/@modelcontextprotocol/sdk/dist/esm/shared/auth-utils.js
 /**
 * Utilities for handling OAuth resource URIs.
 */
@@ -661,7 +661,7 @@ function checkResourceAllowed({ requestedResource, configuredResource }) {
 }
 
 //#endregion
-//#region node_modules/.pnpm/@modelcontextprotocol+sdk@1.24.3_zod@3.25.76/node_modules/@modelcontextprotocol/sdk/dist/esm/server/auth/errors.js
+//#region node_modules/.pnpm/@modelcontextprotocol+sdk@1.27.1_zod@3.25.76/node_modules/@modelcontextprotocol/sdk/dist/esm/server/auth/errors.js
 /**
 * Base class for all OAuth errors
 */
@@ -812,10 +812,10 @@ const OAUTH_ERRORS = {
 };
 
 //#endregion
-//#region node_modules/.pnpm/@modelcontextprotocol+sdk@1.24.3_zod@3.25.76/node_modules/@modelcontextprotocol/sdk/dist/esm/client/auth.js
+//#region node_modules/.pnpm/@modelcontextprotocol+sdk@1.27.1_zod@3.25.76/node_modules/@modelcontextprotocol/sdk/dist/esm/client/auth.js
 var UnauthorizedError = class extends Error {
 	constructor(message) {
-		super(message !== null && message !== void 0 ? message : "Unauthorized");
+		super(message ?? "Unauthorized");
 	}
 };
 function isClientAuthMethod(method) {
@@ -926,44 +926,64 @@ async function parseErrorResponse(input) {
 * instead of linking together the other lower-level functions in this module.
 */
 async function auth(provider, options) {
-	var _a, _b;
 	try {
 		return await authInternal(provider, options);
 	} catch (error) {
 		if (error instanceof InvalidClientError || error instanceof UnauthorizedClientError) {
-			await ((_a = provider.invalidateCredentials) === null || _a === void 0 ? void 0 : _a.call(provider, "all"));
+			await provider.invalidateCredentials?.("all");
 			return await authInternal(provider, options);
 		} else if (error instanceof InvalidGrantError) {
-			await ((_b = provider.invalidateCredentials) === null || _b === void 0 ? void 0 : _b.call(provider, "tokens"));
+			await provider.invalidateCredentials?.("tokens");
 			return await authInternal(provider, options);
 		}
 		throw error;
 	}
 }
 async function authInternal(provider, { serverUrl, authorizationCode, scope, resourceMetadataUrl, fetchFn }) {
-	var _a, _b;
+	const cachedState = await provider.discoveryState?.();
 	let resourceMetadata;
 	let authorizationServerUrl;
-	try {
-		resourceMetadata = await discoverOAuthProtectedResourceMetadata(serverUrl, { resourceMetadataUrl }, fetchFn);
-		if (resourceMetadata.authorization_servers && resourceMetadata.authorization_servers.length > 0) authorizationServerUrl = resourceMetadata.authorization_servers[0];
-	} catch (_c) {}
-	/**
-	* If we don't get a valid authorization server metadata from protected resource metadata,
-	* fallback to the legacy MCP spec's implementation (version 2025-03-26): MCP server base URL acts as the Authorization server.
-	*/
-	if (!authorizationServerUrl) authorizationServerUrl = new URL("/", serverUrl);
+	let metadata;
+	let effectiveResourceMetadataUrl = resourceMetadataUrl;
+	if (!effectiveResourceMetadataUrl && cachedState?.resourceMetadataUrl) effectiveResourceMetadataUrl = new URL(cachedState.resourceMetadataUrl);
+	if (cachedState?.authorizationServerUrl) {
+		authorizationServerUrl = cachedState.authorizationServerUrl;
+		resourceMetadata = cachedState.resourceMetadata;
+		metadata = cachedState.authorizationServerMetadata ?? await discoverAuthorizationServerMetadata(authorizationServerUrl, { fetchFn });
+		if (!resourceMetadata) try {
+			resourceMetadata = await discoverOAuthProtectedResourceMetadata(serverUrl, { resourceMetadataUrl: effectiveResourceMetadataUrl }, fetchFn);
+		} catch {}
+		if (metadata !== cachedState.authorizationServerMetadata || resourceMetadata !== cachedState.resourceMetadata) await provider.saveDiscoveryState?.({
+			authorizationServerUrl: String(authorizationServerUrl),
+			resourceMetadataUrl: effectiveResourceMetadataUrl?.toString(),
+			resourceMetadata,
+			authorizationServerMetadata: metadata
+		});
+	} else {
+		const serverInfo = await discoverOAuthServerInfo(serverUrl, {
+			resourceMetadataUrl: effectiveResourceMetadataUrl,
+			fetchFn
+		});
+		authorizationServerUrl = serverInfo.authorizationServerUrl;
+		metadata = serverInfo.authorizationServerMetadata;
+		resourceMetadata = serverInfo.resourceMetadata;
+		await provider.saveDiscoveryState?.({
+			authorizationServerUrl: String(authorizationServerUrl),
+			resourceMetadataUrl: effectiveResourceMetadataUrl?.toString(),
+			resourceMetadata,
+			authorizationServerMetadata: metadata
+		});
+	}
 	const resource = await selectResourceURL(serverUrl, provider, resourceMetadata);
-	const metadata = await discoverAuthorizationServerMetadata(authorizationServerUrl, { fetchFn });
 	let clientInformation = await Promise.resolve(provider.clientInformation());
 	if (!clientInformation) {
 		if (authorizationCode !== void 0) throw new Error("Existing OAuth client information is required when exchanging an authorization code");
-		const supportsUrlBasedClientId = (metadata === null || metadata === void 0 ? void 0 : metadata.client_id_metadata_document_supported) === true;
+		const supportsUrlBasedClientId = metadata?.client_id_metadata_document_supported === true;
 		const clientMetadataUrl = provider.clientMetadataUrl;
 		if (clientMetadataUrl && !isHttpsUrl(clientMetadataUrl)) throw new InvalidClientMetadataError(`clientMetadataUrl must be a valid HTTPS URL with a non-root pathname, got: ${clientMetadataUrl}`);
 		if (supportsUrlBasedClientId && clientMetadataUrl) {
 			clientInformation = { client_id: clientMetadataUrl };
-			await ((_a = provider.saveClientInformation) === null || _a === void 0 ? void 0 : _a.call(provider, clientInformation));
+			await provider.saveClientInformation?.(clientInformation);
 		} else {
 			if (!provider.saveClientInformation) throw new Error("OAuth client information must be saveable for dynamic registration");
 			const fullInformation = await registerClient(authorizationServerUrl, {
@@ -987,7 +1007,7 @@ async function authInternal(provider, { serverUrl, authorizationCode, scope, res
 		return "AUTHORIZED";
 	}
 	const tokens = await provider.tokens();
-	if (tokens === null || tokens === void 0 ? void 0 : tokens.refresh_token) try {
+	if (tokens?.refresh_token) try {
 		const newTokens = await refreshAuthorization(authorizationServerUrl, {
 			metadata,
 			clientInformation,
@@ -1007,7 +1027,7 @@ async function authInternal(provider, { serverUrl, authorizationCode, scope, res
 		clientInformation,
 		state,
 		redirectUrl: provider.redirectUrl,
-		scope: scope || ((_b = resourceMetadata === null || resourceMetadata === void 0 ? void 0 : resourceMetadata.scopes_supported) === null || _b === void 0 ? void 0 : _b.join(" ")) || provider.clientMetadata.scope,
+		scope: scope || resourceMetadata?.scopes_supported?.join(" ") || provider.clientMetadata.scope,
 		resource
 	});
 	await provider.saveCodeVerifier(codeVerifier);
@@ -1023,13 +1043,13 @@ function isHttpsUrl(value) {
 	try {
 		const url$1 = new URL(value);
 		return url$1.protocol === "https:" && url$1.pathname !== "/";
-	} catch (_a) {
+	} catch {
 		return false;
 	}
 }
 async function selectResourceURL(serverUrl, provider, resourceMetadata) {
 	const defaultResource = resourceUrlFromServerUrl(serverUrl);
-	if (provider.validateResourceURL) return await provider.validateResourceURL(defaultResource, resourceMetadata === null || resourceMetadata === void 0 ? void 0 : resourceMetadata.resource);
+	if (provider.validateResourceURL) return await provider.validateResourceURL(defaultResource, resourceMetadata?.resource);
 	if (!resourceMetadata) return;
 	if (!checkResourceAllowed({
 		requestedResource: defaultResource,
@@ -1049,7 +1069,7 @@ function extractWWWAuthenticateParams(res) {
 	let resourceMetadataUrl;
 	if (resourceMetadataMatch) try {
 		resourceMetadataUrl = new URL(resourceMetadataMatch);
-	} catch (_a) {}
+	} catch {}
 	const scope = extractFieldFromWwwAuth(res, "scope") || void 0;
 	const error = extractFieldFromWwwAuth(res, "error") || void 0;
 	return {
@@ -1080,17 +1100,16 @@ function extractFieldFromWwwAuth(response, fieldName) {
 * return `undefined`. Any other errors will be thrown as exceptions.
 */
 async function discoverOAuthProtectedResourceMetadata(serverUrl, opts, fetchFn = fetch) {
-	var _a, _b;
 	const response = await discoverMetadataWithFallback(serverUrl, "oauth-protected-resource", fetchFn, {
-		protocolVersion: opts === null || opts === void 0 ? void 0 : opts.protocolVersion,
-		metadataUrl: opts === null || opts === void 0 ? void 0 : opts.resourceMetadataUrl
+		protocolVersion: opts?.protocolVersion,
+		metadataUrl: opts?.resourceMetadataUrl
 	});
 	if (!response || response.status === 404) {
-		await ((_a = response === null || response === void 0 ? void 0 : response.body) === null || _a === void 0 ? void 0 : _a.cancel());
+		await response?.body?.cancel();
 		throw new Error(`Resource server does not implement OAuth 2.0 Protected Resource Metadata.`);
 	}
 	if (!response.ok) {
-		await ((_b = response.body) === null || _b === void 0 ? void 0 : _b.cancel());
+		await response.body?.cancel();
 		throw new Error(`HTTP ${response.status} trying to load well-known OAuth protected resource metadata.`);
 	}
 	return OAuthProtectedResourceMetadataSchema.parse(await response.json());
@@ -1130,18 +1149,17 @@ function shouldAttemptFallback(response, pathname) {
 * Generic function for discovering OAuth metadata with fallback support
 */
 async function discoverMetadataWithFallback(serverUrl, wellKnownType, fetchFn, opts) {
-	var _a, _b;
 	const issuer = new URL(serverUrl);
-	const protocolVersion = (_a = opts === null || opts === void 0 ? void 0 : opts.protocolVersion) !== null && _a !== void 0 ? _a : LATEST_PROTOCOL_VERSION;
+	const protocolVersion = opts?.protocolVersion ?? LATEST_PROTOCOL_VERSION;
 	let url$1;
-	if (opts === null || opts === void 0 ? void 0 : opts.metadataUrl) url$1 = new URL(opts.metadataUrl);
+	if (opts?.metadataUrl) url$1 = new URL(opts.metadataUrl);
 	else {
 		const wellKnownPath = buildWellKnownPath(wellKnownType, issuer.pathname);
-		url$1 = new URL(wellKnownPath, (_b = opts === null || opts === void 0 ? void 0 : opts.metadataServerUrl) !== null && _b !== void 0 ? _b : issuer);
+		url$1 = new URL(wellKnownPath, opts?.metadataServerUrl ?? issuer);
 		url$1.search = issuer.search;
 	}
 	let response = await tryMetadataDiscovery(url$1, protocolVersion, fetchFn);
-	if (!(opts === null || opts === void 0 ? void 0 : opts.metadataUrl) && shouldAttemptFallback(response, issuer.pathname)) response = await tryMetadataDiscovery(new URL(`/.well-known/${wellKnownType}`, issuer), protocolVersion, fetchFn);
+	if (!opts?.metadataUrl && shouldAttemptFallback(response, issuer.pathname)) response = await tryMetadataDiscovery(new URL(`/.well-known/${wellKnownType}`, issuer), protocolVersion, fetchFn);
 	return response;
 }
 /**
@@ -1198,7 +1216,6 @@ function buildDiscoveryUrls(authorizationServerUrl) {
 * @returns Promise resolving to authorization server metadata, or undefined if discovery fails
 */
 async function discoverAuthorizationServerMetadata(authorizationServerUrl, { fetchFn = fetch, protocolVersion = LATEST_PROTOCOL_VERSION } = {}) {
-	var _a;
 	const headers = {
 		"MCP-Protocol-Version": protocolVersion,
 		Accept: "application/json"
@@ -1213,7 +1230,7 @@ async function discoverAuthorizationServerMetadata(authorizationServerUrl, { fet
 		*/
 		continue;
 		if (!response.ok) {
-			await ((_a = response.body) === null || _a === void 0 ? void 0 : _a.cancel());
+			await response.body?.cancel();
 			if (response.status >= 400 && response.status < 500) continue;
 			throw new Error(`HTTP ${response.status} trying to load ${type === "oauth" ? "OAuth" : "OpenID provider"} metadata from ${endpointUrl}`);
 		}
@@ -1222,6 +1239,41 @@ async function discoverAuthorizationServerMetadata(authorizationServerUrl, { fet
 	}
 }
 /**
+* Discovers the authorization server for an MCP server following
+* {@link https://datatracker.ietf.org/doc/html/rfc9728 | RFC 9728} (OAuth 2.0 Protected
+* Resource Metadata), with fallback to treating the server URL as the
+* authorization server.
+*
+* This function combines two discovery steps into one call:
+* 1. Probes `/.well-known/oauth-protected-resource` on the MCP server to find the
+*    authorization server URL (RFC 9728).
+* 2. Fetches authorization server metadata from that URL (RFC 8414 / OpenID Connect Discovery).
+*
+* Use this when you need the authorization server metadata for operations outside the
+* {@linkcode auth} orchestrator, such as token refresh or token revocation.
+*
+* @param serverUrl - The MCP resource server URL
+* @param opts - Optional configuration
+* @param opts.resourceMetadataUrl - Override URL for the protected resource metadata endpoint
+* @param opts.fetchFn - Custom fetch function for HTTP requests
+* @returns Authorization server URL, metadata, and resource metadata (if available)
+*/
+async function discoverOAuthServerInfo(serverUrl, opts) {
+	let resourceMetadata;
+	let authorizationServerUrl;
+	try {
+		resourceMetadata = await discoverOAuthProtectedResourceMetadata(serverUrl, { resourceMetadataUrl: opts?.resourceMetadataUrl }, opts?.fetchFn);
+		if (resourceMetadata.authorization_servers && resourceMetadata.authorization_servers.length > 0) authorizationServerUrl = resourceMetadata.authorization_servers[0];
+	} catch {}
+	if (!authorizationServerUrl) authorizationServerUrl = String(new URL("/", serverUrl));
+	const authorizationServerMetadata = await discoverAuthorizationServerMetadata(authorizationServerUrl, { fetchFn: opts?.fetchFn });
+	return {
+		authorizationServerUrl,
+		authorizationServerMetadata,
+		resourceMetadata
+	};
+}
+/**
 * Begins the authorization flow with the given server, by generating a PKCE challenge and constructing the authorization URL.
 */
 async function startAuthorization(authorizationServerUrl, { metadata, clientInformation, redirectUrl, scope, state, resource }) {
@@ -1241,7 +1293,7 @@ async function startAuthorization(authorizationServerUrl, { metadata, clientInfo
 	authorizationUrl.searchParams.set("redirect_uri", String(redirectUrl));
 	if (state) authorizationUrl.searchParams.set("state", state);
 	if (scope) authorizationUrl.searchParams.set("scope", scope);
-	if (scope === null || scope === void 0 ? void 0 : scope.includes("offline_access")) authorizationUrl.searchParams.append("prompt", "consent");
+	if (scope?.includes("offline_access")) authorizationUrl.searchParams.append("prompt", "consent");
 	if (resource) authorizationUrl.searchParams.set("resource", resource.href);
 	return {
 		authorizationUrl,
@@ -1272,16 +1324,15 @@ function prepareAuthorizationCodeRequest(authorizationCode, codeVerifier, redire
 * Used by exchangeAuthorization, refreshAuthorization, and fetchToken.
 */
 async function executeTokenRequest(authorizationServerUrl, { metadata, tokenRequestParams, clientInformation, addClientAuthentication, resource, fetchFn }) {
-	var _a;
-	const tokenUrl = (metadata === null || metadata === void 0 ? void 0 : metadata.token_endpoint) ? new URL(metadata.token_endpoint) : new URL("/token", authorizationServerUrl);
+	const tokenUrl = metadata?.token_endpoint ? new URL(metadata.token_endpoint) : new URL("/token", authorizationServerUrl);
 	const headers = new Headers({
 		"Content-Type": "application/x-www-form-urlencoded",
 		Accept: "application/json"
 	});
 	if (resource) tokenRequestParams.set("resource", resource.href);
 	if (addClientAuthentication) await addClientAuthentication(headers, tokenRequestParams, tokenUrl, metadata);
-	else if (clientInformation) applyClientAuthentication(selectClientAuthMethod(clientInformation, (_a = metadata === null || metadata === void 0 ? void 0 : metadata.token_endpoint_auth_methods_supported) !== null && _a !== void 0 ? _a : []), clientInformation, headers, tokenRequestParams);
-	const response = await (fetchFn !== null && fetchFn !== void 0 ? fetchFn : fetch)(tokenUrl, {
+	else if (clientInformation) applyClientAuthentication(selectClientAuthMethod(clientInformation, metadata?.token_endpoint_auth_methods_supported ?? []), clientInformation, headers, tokenRequestParams);
+	const response = await (fetchFn ?? fetch)(tokenUrl, {
 		method: "POST",
 		headers,
 		body: tokenRequestParams
@@ -1356,7 +1407,7 @@ async function fetchToken(provider, authorizationServerUrl, { metadata, resource
 	return executeTokenRequest(authorizationServerUrl, {
 		metadata,
 		tokenRequestParams,
-		clientInformation: clientInformation !== null && clientInformation !== void 0 ? clientInformation : void 0,
+		clientInformation: clientInformation ?? void 0,
 		addClientAuthentication: provider.addClientAuthentication,
 		resource,
 		fetchFn
@@ -1371,7 +1422,7 @@ async function registerClient(authorizationServerUrl, { metadata, clientMetadata
 		if (!metadata.registration_endpoint) throw new Error("Incompatible auth server: does not support dynamic client registration");
 		registrationUrl = new URL(metadata.registration_endpoint);
 	} else registrationUrl = new URL("/register", authorizationServerUrl);
-	const response = await (fetchFn !== null && fetchFn !== void 0 ? fetchFn : fetch)(registrationUrl, {
+	const response = await (fetchFn ?? fetch)(registrationUrl, {
 		method: "POST",
 		headers: { "Content-Type": "application/json" },
 		body: JSON.stringify(clientMetadata)
@@ -1381,7 +1432,7 @@ async function registerClient(authorizationServerUrl, { metadata, clientMetadata
 }
 
 //#endregion
-//#region node_modules/.pnpm/@modelcontextprotocol+sdk@1.24.3_zod@3.25.76/node_modules/@modelcontextprotocol/sdk/dist/esm/client/sse.js
+//#region node_modules/.pnpm/@modelcontextprotocol+sdk@1.27.1_zod@3.25.76/node_modules/@modelcontextprotocol/sdk/dist/esm/client/sse.js
 var SseError = class extends Error {
 	constructor(code, message, event) {
 		super(`SSE error: ${message}`);
@@ -1399,14 +1450,13 @@ var SSEClientTransport = class {
 		this._url = url$1;
 		this._resourceMetadataUrl = void 0;
 		this._scope = void 0;
-		this._eventSourceInit = opts === null || opts === void 0 ? void 0 : opts.eventSourceInit;
-		this._requestInit = opts === null || opts === void 0 ? void 0 : opts.requestInit;
-		this._authProvider = opts === null || opts === void 0 ? void 0 : opts.authProvider;
-		this._fetch = opts === null || opts === void 0 ? void 0 : opts.fetch;
-		this._fetchWithInit = createFetchWithInit(opts === null || opts === void 0 ? void 0 : opts.fetch, opts === null || opts === void 0 ? void 0 : opts.requestInit);
+		this._eventSourceInit = opts?.eventSourceInit;
+		this._requestInit = opts?.requestInit;
+		this._authProvider = opts?.authProvider;
+		this._fetch = opts?.fetch;
+		this._fetchWithInit = createFetchWithInit(opts?.fetch, opts?.requestInit);
 	}
 	async _authThenStart() {
-		var _a;
 		if (!this._authProvider) throw new UnauthorizedError("No auth provider");
 		let result;
 		try {
@@ -1417,29 +1467,27 @@ var SSEClientTransport = class {
 				fetchFn: this._fetchWithInit
 			});
 		} catch (error) {
-			(_a = this.onerror) === null || _a === void 0 || _a.call(this, error);
+			this.onerror?.(error);
 			throw error;
 		}
 		if (result !== "AUTHORIZED") throw new UnauthorizedError();
 		return await this._startOrAuth();
 	}
 	async _commonHeaders() {
-		var _a;
 		const headers = {};
 		if (this._authProvider) {
 			const tokens = await this._authProvider.tokens();
 			if (tokens) headers["Authorization"] = `Bearer ${tokens.access_token}`;
 		}
 		if (this._protocolVersion) headers["mcp-protocol-version"] = this._protocolVersion;
-		const extraHeaders = normalizeHeaders((_a = this._requestInit) === null || _a === void 0 ? void 0 : _a.headers);
+		const extraHeaders = normalizeHeaders(this._requestInit?.headers);
 		return new Headers({
 			...headers,
 			...extraHeaders
 		});
 	}
 	_startOrAuth() {
-		var _a, _b, _c;
-		const fetchImpl = (_c = (_b = (_a = this === null || this === void 0 ? void 0 : this._eventSourceInit) === null || _a === void 0 ? void 0 : _a.fetch) !== null && _b !== void 0 ? _b : this._fetch) !== null && _c !== void 0 ? _c : fetch;
+		const fetchImpl = this?._eventSourceInit?.fetch ?? this._fetch ?? fetch;
 		return new Promise((resolve, reject) => {
 			this._eventSource = new EventSource(this._url.href, {
 				...this._eventSourceInit,
@@ -1460,41 +1508,38 @@ var SSEClientTransport = class {
 			});
 			this._abortController = new AbortController();
 			this._eventSource.onerror = (event) => {
-				var _a$1;
 				if (event.code === 401 && this._authProvider) {
 					this._authThenStart().then(resolve, reject);
 					return;
 				}
 				const error = new SseError(event.code, event.message, event);
 				reject(error);
-				(_a$1 = this.onerror) === null || _a$1 === void 0 || _a$1.call(this, error);
+				this.onerror?.(error);
 			};
 			this._eventSource.onopen = () => {};
 			this._eventSource.addEventListener("endpoint", (event) => {
-				var _a$1;
 				const messageEvent = event;
 				try {
 					this._endpoint = new URL(messageEvent.data, this._url);
 					if (this._endpoint.origin !== this._url.origin) throw new Error(`Endpoint origin does not match connection origin: ${this._endpoint.origin}`);
 				} catch (error) {
 					reject(error);
-					(_a$1 = this.onerror) === null || _a$1 === void 0 || _a$1.call(this, error);
+					this.onerror?.(error);
 					this.close();
 					return;
 				}
 				resolve();
 			});
 			this._eventSource.onmessage = (event) => {
-				var _a$1, _b$1;
 				const messageEvent = event;
 				let message;
 				try {
 					message = JSONRPCMessageSchema.parse(JSON.parse(messageEvent.data));
 				} catch (error) {
-					(_a$1 = this.onerror) === null || _a$1 === void 0 || _a$1.call(this, error);
+					this.onerror?.(error);
 					return;
 				}
-				(_b$1 = this.onmessage) === null || _b$1 === void 0 || _b$1.call(this, message);
+				this.onmessage?.(message);
 			};
 		});
 	}
@@ -1516,13 +1561,11 @@ var SSEClientTransport = class {
 		}) !== "AUTHORIZED") throw new UnauthorizedError("Failed to authorize");
 	}
 	async close() {
-		var _a, _b, _c;
-		(_a = this._abortController) === null || _a === void 0 || _a.abort();
-		(_b = this._eventSource) === null || _b === void 0 || _b.close();
-		(_c = this.onclose) === null || _c === void 0 || _c.call(this);
+		this._abortController?.abort();
+		this._eventSource?.close();
+		this.onclose?.();
 	}
 	async send(message) {
-		var _a, _b, _c, _d;
 		if (!this._endpoint) throw new Error("Not connected");
 		try {
 			const headers = await this._commonHeaders();
@@ -1532,9 +1575,9 @@ var SSEClientTransport = class {
 				method: "POST",
 				headers,
 				body: JSON.stringify(message),
-				signal: (_a = this._abortController) === null || _a === void 0 ? void 0 : _a.signal
+				signal: this._abortController?.signal
 			};
-			const response = await ((_b = this._fetch) !== null && _b !== void 0 ? _b : fetch)(this._endpoint, init);
+			const response = await (this._fetch ?? fetch)(this._endpoint, init);
 			if (!response.ok) {
 				const text = await response.text().catch(() => null);
 				if (response.status === 401 && this._authProvider) {
@@ -1551,9 +1594,9 @@ var SSEClientTransport = class {
 				}
 				throw new Error(`Error POSTing to endpoint (HTTP ${response.status}): ${text}`);
 			}
-			await ((_c = response.body) === null || _c === void 0 ? void 0 : _c.cancel());
+			await response.body?.cancel();
 		} catch (error) {
-			(_d = this.onerror) === null || _d === void 0 || _d.call(this, error);
+			this.onerror?.(error);
 			throw error;
 		}
 	}
@@ -1588,7 +1631,7 @@ var EventSourceParserStream = class extends TransformStream {
 };
 
 //#endregion
-//#region node_modules/.pnpm/@modelcontextprotocol+sdk@1.24.3_zod@3.25.76/node_modules/@modelcontextprotocol/sdk/dist/esm/client/streamableHttp.js
+//#region node_modules/.pnpm/@modelcontextprotocol+sdk@1.27.1_zod@3.25.76/node_modules/@modelcontextprotocol/sdk/dist/esm/client/streamableHttp.js
 const DEFAULT_STREAMABLE_HTTP_RECONNECTION_OPTIONS = {
 	initialReconnectionDelay: 1e3,
 	maxReconnectionDelay: 3e4,
@@ -1608,20 +1651,18 @@ var StreamableHTTPError = class extends Error {
 */
 var StreamableHTTPClientTransport = class {
 	constructor(url$1, opts) {
-		var _a;
 		this._hasCompletedAuthFlow = false;
 		this._url = url$1;
 		this._resourceMetadataUrl = void 0;
 		this._scope = void 0;
-		this._requestInit = opts === null || opts === void 0 ? void 0 : opts.requestInit;
-		this._authProvider = opts === null || opts === void 0 ? void 0 : opts.authProvider;
-		this._fetch = opts === null || opts === void 0 ? void 0 : opts.fetch;
-		this._fetchWithInit = createFetchWithInit(opts === null || opts === void 0 ? void 0 : opts.fetch, opts === null || opts === void 0 ? void 0 : opts.requestInit);
-		this._sessionId = opts === null || opts === void 0 ? void 0 : opts.sessionId;
-		this._reconnectionOptions = (_a = opts === null || opts === void 0 ? void 0 : opts.reconnectionOptions) !== null && _a !== void 0 ? _a : DEFAULT_STREAMABLE_HTTP_RECONNECTION_OPTIONS;
+		this._requestInit = opts?.requestInit;
+		this._authProvider = opts?.authProvider;
+		this._fetch = opts?.fetch;
+		this._fetchWithInit = createFetchWithInit(opts?.fetch, opts?.requestInit);
+		this._sessionId = opts?.sessionId;
+		this._reconnectionOptions = opts?.reconnectionOptions ?? DEFAULT_STREAMABLE_HTTP_RECONNECTION_OPTIONS;
 	}
 	async _authThenStart() {
-		var _a;
 		if (!this._authProvider) throw new UnauthorizedError("No auth provider");
 		let result;
 		try {
@@ -1632,14 +1673,13 @@ var StreamableHTTPClientTransport = class {
 				fetchFn: this._fetchWithInit
 			});
 		} catch (error) {
-			(_a = this.onerror) === null || _a === void 0 || _a.call(this, error);
+			this.onerror?.(error);
 			throw error;
 		}
 		if (result !== "AUTHORIZED") throw new UnauthorizedError();
 		return await this._startOrAuthSse({ resumptionToken: void 0 });
 	}
 	async _commonHeaders() {
-		var _a;
 		const headers = {};
 		if (this._authProvider) {
 			const tokens = await this._authProvider.tokens();
@@ -1647,33 +1687,32 @@ var StreamableHTTPClientTransport = class {
 		}
 		if (this._sessionId) headers["mcp-session-id"] = this._sessionId;
 		if (this._protocolVersion) headers["mcp-protocol-version"] = this._protocolVersion;
-		const extraHeaders = normalizeHeaders((_a = this._requestInit) === null || _a === void 0 ? void 0 : _a.headers);
+		const extraHeaders = normalizeHeaders(this._requestInit?.headers);
 		return new Headers({
 			...headers,
 			...extraHeaders
 		});
 	}
 	async _startOrAuthSse(options) {
-		var _a, _b, _c, _d;
 		const { resumptionToken } = options;
 		try {
 			const headers = await this._commonHeaders();
 			headers.set("Accept", "text/event-stream");
 			if (resumptionToken) headers.set("last-event-id", resumptionToken);
-			const response = await ((_a = this._fetch) !== null && _a !== void 0 ? _a : fetch)(this._url, {
+			const response = await (this._fetch ?? fetch)(this._url, {
 				method: "GET",
 				headers,
-				signal: (_b = this._abortController) === null || _b === void 0 ? void 0 : _b.signal
+				signal: this._abortController?.signal
 			});
 			if (!response.ok) {
-				await ((_c = response.body) === null || _c === void 0 ? void 0 : _c.cancel());
+				await response.body?.cancel();
 				if (response.status === 401 && this._authProvider) return await this._authThenStart();
 				if (response.status === 405) return;
 				throw new StreamableHTTPError(response.status, `Failed to open SSE stream: ${response.statusText}`);
 			}
 			this._handleSseStream(response.body, options, true);
 		} catch (error) {
-			(_d = this.onerror) === null || _d === void 0 || _d.call(this, error);
+			this.onerror?.(error);
 			throw error;
 		}
 	}
@@ -1697,17 +1736,15 @@ var StreamableHTTPClientTransport = class {
 	* @param attemptCount Current reconnection attempt count for this specific stream
 	*/
 	_scheduleReconnection(options, attemptCount = 0) {
-		var _a;
 		const maxRetries = this._reconnectionOptions.maxRetries;
 		if (attemptCount >= maxRetries) {
-			(_a = this.onerror) === null || _a === void 0 || _a.call(this, /* @__PURE__ */ new Error(`Maximum reconnection attempts (${maxRetries}) exceeded.`));
+			this.onerror?.(/* @__PURE__ */ new Error(`Maximum reconnection attempts (${maxRetries}) exceeded.`));
 			return;
 		}
 		const delay = this._getNextReconnectionDelay(attemptCount);
 		this._reconnectionTimeout = setTimeout(() => {
 			this._startOrAuthSse(options).catch((error) => {
-				var _a$1;
-				(_a$1 = this.onerror) === null || _a$1 === void 0 || _a$1.call(this, /* @__PURE__ */ new Error(`Failed to reconnect SSE stream: ${error instanceof Error ? error.message : String(error)}`));
+				this.onerror?.(/* @__PURE__ */ new Error(`Failed to reconnect SSE stream: ${error instanceof Error ? error.message : String(error)}`));
 				this._scheduleReconnection(options, attemptCount + 1);
 			});
 		}, delay);
@@ -1719,7 +1756,6 @@ var StreamableHTTPClientTransport = class {
 		let hasPrimingEvent = false;
 		let receivedResponse = false;
 		const processStream = async () => {
-			var _a, _b, _c, _d;
 			try {
 				const reader = stream.pipeThrough(new TextDecoderStream()).pipeThrough(new EventSourceParserStream({ onRetry: (retryMs) => {
 					this._serverRetryMs = retryMs;
@@ -1730,18 +1766,18 @@ var StreamableHTTPClientTransport = class {
 					if (event.id) {
 						lastEventId = event.id;
 						hasPrimingEvent = true;
-						onresumptiontoken === null || onresumptiontoken === void 0 || onresumptiontoken(event.id);
+						onresumptiontoken?.(event.id);
 					}
 					if (!event.data) continue;
 					if (!event.event || event.event === "message") try {
 						const message = JSONRPCMessageSchema.parse(JSON.parse(event.data));
-						if (isJSONRPCResponse(message)) {
+						if (isJSONRPCResultResponse(message)) {
 							receivedResponse = true;
 							if (replayMessageId !== void 0) message.id = replayMessageId;
 						}
-						(_a = this.onmessage) === null || _a === void 0 || _a.call(this, message);
+						this.onmessage?.(message);
 					} catch (error) {
-						(_b = this.onerror) === null || _b === void 0 || _b.call(this, error);
+						this.onerror?.(error);
 					}
 				}
 				if ((isReconnectable || hasPrimingEvent) && !receivedResponse && this._abortController && !this._abortController.signal.aborted) this._scheduleReconnection({
@@ -1750,7 +1786,7 @@ var StreamableHTTPClientTransport = class {
 					replayMessageId
 				}, 0);
 			} catch (error) {
-				(_c = this.onerror) === null || _c === void 0 || _c.call(this, /* @__PURE__ */ new Error(`SSE stream disconnected: ${error}`));
+				this.onerror?.(/* @__PURE__ */ new Error(`SSE stream disconnected: ${error}`));
 				if ((isReconnectable || hasPrimingEvent) && !receivedResponse && this._abortController && !this._abortController.signal.aborted) try {
 					this._scheduleReconnection({
 						resumptionToken: lastEventId,
@@ -1758,7 +1794,7 @@ var StreamableHTTPClientTransport = class {
 						replayMessageId
 					}, 0);
 				} catch (error$1) {
-					(_d = this.onerror) === null || _d === void 0 || _d.call(this, /* @__PURE__ */ new Error(`Failed to reconnect: ${error$1 instanceof Error ? error$1.message : String(error$1)}`));
+					this.onerror?.(/* @__PURE__ */ new Error(`Failed to reconnect: ${error$1 instanceof Error ? error$1.message : String(error$1)}`));
 				}
 			}
 		};
@@ -1782,26 +1818,21 @@ var StreamableHTTPClientTransport = class {
 		}) !== "AUTHORIZED") throw new UnauthorizedError("Failed to authorize");
 	}
 	async close() {
-		var _a, _b;
 		if (this._reconnectionTimeout) {
 			clearTimeout(this._reconnectionTimeout);
 			this._reconnectionTimeout = void 0;
 		}
-		(_a = this._abortController) === null || _a === void 0 || _a.abort();
-		(_b = this.onclose) === null || _b === void 0 || _b.call(this);
+		this._abortController?.abort();
+		this.onclose?.();
 	}
 	async send(message, options) {
-		var _a, _b, _c, _d, _e, _f, _g;
 		try {
 			const { resumptionToken, onresumptiontoken } = options || {};
 			if (resumptionToken) {
 				this._startOrAuthSse({
 					resumptionToken,
 					replayMessageId: isJSONRPCRequest(message) ? message.id : void 0
-				}).catch((err) => {
-					var _a$1;
-					return (_a$1 = this.onerror) === null || _a$1 === void 0 ? void 0 : _a$1.call(this, err);
-				});
+				}).catch((err) => this.onerror?.(err));
 				return;
 			}
 			const headers = await this._commonHeaders();
@@ -1812,9 +1843,9 @@ var StreamableHTTPClientTransport = class {
 				method: "POST",
 				headers,
 				body: JSON.stringify(message),
-				signal: (_a = this._abortController) === null || _a === void 0 ? void 0 : _a.signal
+				signal: this._abortController?.signal
 			};
-			const response = await ((_b = this._fetch) !== null && _b !== void 0 ? _b : fetch)(this._url, init);
+			const response = await (this._fetch ?? fetch)(this._url, init);
 			const sessionId = response.headers.get("mcp-session-id");
 			if (sessionId) this._sessionId = sessionId;
 			if (!response.ok) {
@@ -1840,7 +1871,7 @@ var StreamableHTTPClientTransport = class {
 						if (this._lastUpscopingHeader === wwwAuthHeader) throw new StreamableHTTPError(403, "Server returned 403 after trying upscoping");
 						if (scope) this._scope = scope;
 						if (resourceMetadataUrl) this._resourceMetadataUrl = resourceMetadataUrl;
-						this._lastUpscopingHeader = wwwAuthHeader !== null && wwwAuthHeader !== void 0 ? wwwAuthHeader : void 0;
+						this._lastUpscopingHeader = wwwAuthHeader ?? void 0;
 						if (await auth(this._authProvider, {
 							serverUrl: this._url,
 							resourceMetadataUrl: this._resourceMetadataUrl,
@@ -1855,27 +1886,24 @@ var StreamableHTTPClientTransport = class {
 			this._hasCompletedAuthFlow = false;
 			this._lastUpscopingHeader = void 0;
 			if (response.status === 202) {
-				await ((_c = response.body) === null || _c === void 0 ? void 0 : _c.cancel());
-				if (isInitializedNotification(message)) this._startOrAuthSse({ resumptionToken: void 0 }).catch((err) => {
-					var _a$1;
-					return (_a$1 = this.onerror) === null || _a$1 === void 0 ? void 0 : _a$1.call(this, err);
-				});
+				await response.body?.cancel();
+				if (isInitializedNotification(message)) this._startOrAuthSse({ resumptionToken: void 0 }).catch((err) => this.onerror?.(err));
 				return;
 			}
 			const hasRequests = (Array.isArray(message) ? message : [message]).filter((msg) => "method" in msg && "id" in msg && msg.id !== void 0).length > 0;
 			const contentType = response.headers.get("content-type");
-			if (hasRequests) if (contentType === null || contentType === void 0 ? void 0 : contentType.includes("text/event-stream")) this._handleSseStream(response.body, { onresumptiontoken }, false);
-			else if (contentType === null || contentType === void 0 ? void 0 : contentType.includes("application/json")) {
+			if (hasRequests) if (contentType?.includes("text/event-stream")) this._handleSseStream(response.body, { onresumptiontoken }, false);
+			else if (contentType?.includes("application/json")) {
 				const data = await response.json();
 				const responseMessages = Array.isArray(data) ? data.map((msg) => JSONRPCMessageSchema.parse(msg)) : [JSONRPCMessageSchema.parse(data)];
-				for (const msg of responseMessages) (_d = this.onmessage) === null || _d === void 0 || _d.call(this, msg);
+				for (const msg of responseMessages) this.onmessage?.(msg);
 			} else {
-				await ((_e = response.body) === null || _e === void 0 ? void 0 : _e.cancel());
+				await response.body?.cancel();
 				throw new StreamableHTTPError(-1, `Unexpected content type: ${contentType}`);
 			}
-			else await ((_f = response.body) === null || _f === void 0 ? void 0 : _f.cancel());
+			else await response.body?.cancel();
 		} catch (error) {
-			(_g = this.onerror) === null || _g === void 0 || _g.call(this, error);
+			this.onerror?.(error);
 			throw error;
 		}
 	}
@@ -1894,7 +1922,6 @@ var StreamableHTTPClientTransport = class {
 	* the server does not allow clients to terminate sessions.
 	*/
 	async terminateSession() {
-		var _a, _b, _c, _d;
 		if (!this._sessionId) return;
 		try {
 			const headers = await this._commonHeaders();
@@ -1902,14 +1929,14 @@ var StreamableHTTPClientTransport = class {
 				...this._requestInit,
 				method: "DELETE",
 				headers,
-				signal: (_a = this._abortController) === null || _a === void 0 ? void 0 : _a.signal
+				signal: this._abortController?.signal
 			};
-			const response = await ((_b = this._fetch) !== null && _b !== void 0 ? _b : fetch)(this._url, init);
-			await ((_c = response.body) === null || _c === void 0 ? void 0 : _c.cancel());
+			const response = await (this._fetch ?? fetch)(this._url, init);
+			await response.body?.cancel();
 			if (!response.ok && response.status !== 405) throw new StreamableHTTPError(response.status, `Failed to terminate session: ${response.statusText}`);
 			this._sessionId = void 0;
 		} catch (error) {
-			(_d = this.onerror) === null || _d === void 0 || _d.call(this, error);
+			this.onerror?.(error);
 			throw error;
 		}
 	}
@@ -1929,13 +1956,13 @@ var StreamableHTTPClientTransport = class {
 	async resumeStream(lastEventId, options) {
 		await this._startOrAuthSse({
 			resumptionToken: lastEventId,
-			onresumptiontoken: options === null || options === void 0 ? void 0 : options.onresumptiontoken
+			onresumptiontoken: options?.onresumptiontoken
 		});
 	}
 };
 
 //#endregion
-//#region node_modules/.pnpm/@modelcontextprotocol+sdk@1.24.3_zod@3.25.76/node_modules/@modelcontextprotocol/sdk/dist/esm/server/stdio.js
+//#region node_modules/.pnpm/@modelcontextprotocol+sdk@1.27.1_zod@3.25.76/node_modules/@modelcontextprotocol/sdk/dist/esm/server/stdio.js
 /**
 * Server transport for stdio: this communicates with an MCP client by reading from the current process' stdin and writing to stdout.
 *
@@ -1952,8 +1979,7 @@ var StdioServerTransport = class {
 			this.processReadBuffer();
 		};
 		this._onerror = (error) => {
-			var _a;
-			(_a = this.onerror) === null || _a === void 0 || _a.call(this, error);
+			this.onerror?.(error);
 		};
 	}
 	/**
@@ -1966,22 +1992,20 @@ var StdioServerTransport = class {
 		this._stdin.on("error", this._onerror);
 	}
 	processReadBuffer() {
-		var _a, _b;
 		while (true) try {
 			const message = this._readBuffer.readMessage();
 			if (message === null) break;
-			(_a = this.onmessage) === null || _a === void 0 || _a.call(this, message);
+			this.onmessage?.(message);
 		} catch (error) {
-			(_b = this.onerror) === null || _b === void 0 || _b.call(this, error);
+			this.onerror?.(error);
 		}
 	}
 	async close() {
-		var _a;
 		this._stdin.off("data", this._ondata);
 		this._stdin.off("error", this._onerror);
 		if (this._stdin.listenerCount("data") === 0) this._stdin.pause();
 		this._readBuffer.clear();
-		(_a = this.onclose) === null || _a === void 0 || _a.call(this);
+		this.onclose?.();
 	}
 	send(message) {
 		return new Promise((resolve) => {