mcp-remote 0.1.18 → 0.1.20

package/dist/{chunk-OXNXVROF.js → chunk-EP7LWBXW.js}

@@ -10301,7 +10301,7 @@ var z = /* @__PURE__ */ Object.freeze({
   ZodError
 });
 
-// node_modules/.pnpm/@modelcontextprotocol+sdk@https+++pkg.pr.new+geelen+typescript-sdk+@modelcontextprotocol+sdk@877f4bf/node_modules/@modelcontextprotocol/sdk/dist/esm/types.js
+// node_modules/.pnpm/@modelcontextprotocol+sdk@1.17.4/node_modules/@modelcontextprotocol/sdk/dist/esm/types.js
 var LATEST_PROTOCOL_VERSION = "2025-06-18";
 var SUPPORTED_PROTOCOL_VERSIONS = [
   LATEST_PROTOCOL_VERSION,
@@ -10586,11 +10586,19 @@ var TextResourceContentsSchema = ResourceContentsSchema.extend({
    */
   text: z.string()
 });
+var Base64Schema = z.string().refine((val) => {
+  try {
+    atob(val);
+    return true;
+  } catch (_a) {
+    return false;
+  }
+}, { message: "Invalid Base64 string" });
 var BlobResourceContentsSchema = ResourceContentsSchema.extend({
   /**
    * A base64-encoded string representing the binary data of the item.
    */
-  blob: z.string().base64()
+  blob: Base64Schema
 });
 var ResourceSchema = BaseMetadataSchema.extend({
   /**
@@ -10753,7 +10761,7 @@ var ImageContentSchema = z.object({
   /**
    * The base64-encoded image data.
    */
-  data: z.string().base64(),
+  data: Base64Schema,
   /**
    * The MIME type of the image. Different providers may support different image types.
    */
@@ -10769,7 +10777,7 @@ var AudioContentSchema = z.object({
   /**
    * The base64-encoded audio data.
    */
-  data: z.string().base64(),
+  data: Base64Schema,
   /**
    * The MIME type of the audio. Different providers may support different audio types.
    */
@@ -11096,7 +11104,7 @@ var ElicitResultSchema = ResultSchema.extend({
   /**
    * The user's response action.
    */
-  action: z.enum(["accept", "reject", "cancel"]),
+  action: z.enum(["accept", "decline", "cancel"]),
   /**
    * The collected user input content (only present if action is "accept").
    */
@@ -11244,7 +11252,7 @@ var McpError = class extends Error {
   }
 };
 
-// node_modules/.pnpm/@modelcontextprotocol+sdk@https+++pkg.pr.new+geelen+typescript-sdk+@modelcontextprotocol+sdk@877f4bf/node_modules/@modelcontextprotocol/sdk/dist/esm/shared/protocol.js
+// node_modules/.pnpm/@modelcontextprotocol+sdk@1.17.4/node_modules/@modelcontextprotocol/sdk/dist/esm/shared/protocol.js
 var DEFAULT_REQUEST_TIMEOUT_MSEC = 6e4;
 var Protocol = class {
   constructor(_options) {
@@ -11256,6 +11264,7 @@ var Protocol = class {
     this._responseHandlers = /* @__PURE__ */ new Map();
     this._progressHandlers = /* @__PURE__ */ new Map();
     this._timeoutInfo = /* @__PURE__ */ new Map();
+    this._pendingDebouncedNotifications = /* @__PURE__ */ new Set();
     this.setNotificationHandler(CancelledNotificationSchema, (notification) => {
       const controller = this._requestHandlerAbortControllers.get(notification.params.requestId);
       controller === null || controller === void 0 ? void 0 : controller.abort(notification.params.reason);
@@ -11337,6 +11346,7 @@ var Protocol = class {
     const responseHandlers = this._responseHandlers;
     this._responseHandlers = /* @__PURE__ */ new Map();
     this._progressHandlers.clear();
+    this._pendingDebouncedNotifications.clear();
     this._transport = void 0;
     (_a = this.onclose) === null || _a === void 0 ? void 0 : _a.call(this);
     const error = new McpError(ErrorCode.ConnectionClosed, "Connection closed");
@@ -11357,10 +11367,11 @@ var Protocol = class {
     Promise.resolve().then(() => handler(notification)).catch((error) => this._onerror(new Error(`Uncaught error in notification handler: ${error}`)));
   }
   _onrequest(request, extra) {
-    var _a, _b, _c, _d;
+    var _a, _b;
     const handler = (_a = this._requestHandlers.get(request.method)) !== null && _a !== void 0 ? _a : this.fallbackRequestHandler;
+    const capturedTransport = this._transport;
     if (handler === void 0) {
-      (_b = this._transport) === null || _b === void 0 ? void 0 : _b.send({
+      capturedTransport === null || capturedTransport === void 0 ? void 0 : capturedTransport.send({
         jsonrpc: "2.0",
         id: request.id,
         error: {
@@ -11374,8 +11385,8 @@ var Protocol = class {
     this._requestHandlerAbortControllers.set(request.id, abortController);
     const fullExtra = {
       signal: abortController.signal,
-      sessionId: (_c = this._transport) === null || _c === void 0 ? void 0 : _c.sessionId,
-      _meta: (_d = request.params) === null || _d === void 0 ? void 0 : _d._meta,
+      sessionId: capturedTransport === null || capturedTransport === void 0 ? void 0 : capturedTransport.sessionId,
+      _meta: (_b = request.params) === null || _b === void 0 ? void 0 : _b._meta,
       sendNotification: (notification) => this.notification(notification, { relatedRequestId: request.id }),
       sendRequest: (r, resultSchema, options) => this.request(r, resultSchema, { ...options, relatedRequestId: request.id }),
       authInfo: extra === null || extra === void 0 ? void 0 : extra.authInfo,
@@ -11383,26 +11394,25 @@ var Protocol = class {
       requestInfo: extra === null || extra === void 0 ? void 0 : extra.requestInfo
     };
     Promise.resolve().then(() => handler(request, fullExtra)).then((result) => {
-      var _a2;
       if (abortController.signal.aborted) {
         return;
       }
-      return (_a2 = this._transport) === null || _a2 === void 0 ? void 0 : _a2.send({
+      return capturedTransport === null || capturedTransport === void 0 ? void 0 : capturedTransport.send({
         result,
         jsonrpc: "2.0",
         id: request.id
       });
     }, (error) => {
-      var _a2, _b2;
+      var _a2;
       if (abortController.signal.aborted) {
         return;
       }
-      return (_a2 = this._transport) === null || _a2 === void 0 ? void 0 : _a2.send({
+      return capturedTransport === null || capturedTransport === void 0 ? void 0 : capturedTransport.send({
         jsonrpc: "2.0",
         id: request.id,
         error: {
           code: Number.isSafeInteger(error["code"]) ? error["code"] : ErrorCode.InternalError,
-          message: (_b2 = error.message) !== null && _b2 !== void 0 ? _b2 : "Internal error"
+          message: (_a2 = error.message) !== null && _a2 !== void 0 ? _a2 : "Internal error"
         }
       });
     }).catch((error) => this._onerror(new Error(`Failed to send response: ${error}`))).finally(() => {
@@ -11536,10 +11546,32 @@ var Protocol = class {
    * Emits a notification, which is a one-way message that does not expect a response.
    */
   async notification(notification, options) {
+    var _a, _b;
     if (!this._transport) {
       throw new Error("Not connected");
     }
     this.assertNotificationCapability(notification.method);
+    const debouncedMethods = (_b = (_a = this._options) === null || _a === void 0 ? void 0 : _a.debouncedNotificationMethods) !== null && _b !== void 0 ? _b : [];
+    const canDebounce = debouncedMethods.includes(notification.method) && !notification.params && !(options === null || options === void 0 ? void 0 : options.relatedRequestId);
+    if (canDebounce) {
+      if (this._pendingDebouncedNotifications.has(notification.method)) {
+        return;
+      }
+      this._pendingDebouncedNotifications.add(notification.method);
+      Promise.resolve().then(() => {
+        var _a2;
+        this._pendingDebouncedNotifications.delete(notification.method);
+        if (!this._transport) {
+          return;
+        }
+        const jsonrpcNotification2 = {
+          ...notification,
+          jsonrpc: "2.0"
+        };
+        (_a2 = this._transport) === null || _a2 === void 0 ? void 0 : _a2.send(jsonrpcNotification2, options).catch((error) => this._onerror(error));
+      });
+      return;
+    }
     const jsonrpcNotification = {
       ...notification,
       jsonrpc: "2.0"
@@ -11598,7 +11630,7 @@ function mergeCapabilities(base, additional) {
   }, { ...base });
 }
 
-// node_modules/.pnpm/@modelcontextprotocol+sdk@https+++pkg.pr.new+geelen+typescript-sdk+@modelcontextprotocol+sdk@877f4bf/node_modules/@modelcontextprotocol/sdk/dist/esm/client/index.js
+// node_modules/.pnpm/@modelcontextprotocol+sdk@1.17.4/node_modules/@modelcontextprotocol/sdk/dist/esm/client/index.js
 var import_ajv = __toESM(require_ajv(), 1);
 var Client = class extends Protocol {
   /**
@@ -11840,7 +11872,7 @@ var Client = class extends Protocol {
 };
 
 // package.json
-var version = "0.1.18";
+var version = "0.1.20";
 
 // node_modules/.pnpm/pkce-challenge@5.0.0/node_modules/pkce-challenge/dist/index.node.js
 var crypto;
@@ -11881,10 +11913,23 @@ async function pkceChallenge(length) {
   };
 }
 
-// node_modules/.pnpm/@modelcontextprotocol+sdk@https+++pkg.pr.new+geelen+typescript-sdk+@modelcontextprotocol+sdk@877f4bf/node_modules/@modelcontextprotocol/sdk/dist/esm/shared/auth.js
+// node_modules/.pnpm/@modelcontextprotocol+sdk@1.17.4/node_modules/@modelcontextprotocol/sdk/dist/esm/shared/auth.js
+var SafeUrlSchema = z.string().url().superRefine((val, ctx) => {
+  if (!URL.canParse(val)) {
+    ctx.addIssue({
+      code: z.ZodIssueCode.custom,
+      message: "URL must be parseable",
+      fatal: true
+    });
+    return z.NEVER;
+  }
+}).refine((url) => {
+  const u = new URL(url);
+  return u.protocol !== "javascript:" && u.protocol !== "data:" && u.protocol !== "vbscript:";
+}, { message: "URL cannot use javascript:, data:, or vbscript: scheme" });
 var OAuthProtectedResourceMetadataSchema = z.object({
   resource: z.string().url(),
-  authorization_servers: z.array(z.string().url()).optional(),
+  authorization_servers: z.array(SafeUrlSchema).optional(),
   jwks_uri: z.string().url().optional(),
   scopes_supported: z.array(z.string()).optional(),
   bearer_methods_supported: z.array(z.string()).optional(),
@@ -11900,17 +11945,17 @@ var OAuthProtectedResourceMetadataSchema = z.object({
 }).passthrough();
 var OAuthMetadataSchema = z.object({
   issuer: z.string(),
-  authorization_endpoint: z.string(),
-  token_endpoint: z.string(),
-  registration_endpoint: z.string().optional(),
+  authorization_endpoint: SafeUrlSchema,
+  token_endpoint: SafeUrlSchema,
+  registration_endpoint: SafeUrlSchema.optional(),
   scopes_supported: z.array(z.string()).optional(),
   response_types_supported: z.array(z.string()),
   response_modes_supported: z.array(z.string()).optional(),
   grant_types_supported: z.array(z.string()).optional(),
   token_endpoint_auth_methods_supported: z.array(z.string()).optional(),
   token_endpoint_auth_signing_alg_values_supported: z.array(z.string()).optional(),
-  service_documentation: z.string().optional(),
-  revocation_endpoint: z.string().optional(),
+  service_documentation: SafeUrlSchema.optional(),
+  revocation_endpoint: SafeUrlSchema.optional(),
   revocation_endpoint_auth_methods_supported: z.array(z.string()).optional(),
   revocation_endpoint_auth_signing_alg_values_supported: z.array(z.string()).optional(),
   introspection_endpoint: z.string().optional(),
@@ -11918,8 +11963,50 @@ var OAuthMetadataSchema = z.object({
   introspection_endpoint_auth_signing_alg_values_supported: z.array(z.string()).optional(),
   code_challenge_methods_supported: z.array(z.string()).optional()
 }).passthrough();
+var OpenIdProviderMetadataSchema = z.object({
+  issuer: z.string(),
+  authorization_endpoint: SafeUrlSchema,
+  token_endpoint: SafeUrlSchema,
+  userinfo_endpoint: SafeUrlSchema.optional(),
+  jwks_uri: SafeUrlSchema,
+  registration_endpoint: SafeUrlSchema.optional(),
+  scopes_supported: z.array(z.string()).optional(),
+  response_types_supported: z.array(z.string()),
+  response_modes_supported: z.array(z.string()).optional(),
+  grant_types_supported: z.array(z.string()).optional(),
+  acr_values_supported: z.array(z.string()).optional(),
+  subject_types_supported: z.array(z.string()),
+  id_token_signing_alg_values_supported: z.array(z.string()),
+  id_token_encryption_alg_values_supported: z.array(z.string()).optional(),
+  id_token_encryption_enc_values_supported: z.array(z.string()).optional(),
+  userinfo_signing_alg_values_supported: z.array(z.string()).optional(),
+  userinfo_encryption_alg_values_supported: z.array(z.string()).optional(),
+  userinfo_encryption_enc_values_supported: z.array(z.string()).optional(),
+  request_object_signing_alg_values_supported: z.array(z.string()).optional(),
+  request_object_encryption_alg_values_supported: z.array(z.string()).optional(),
+  request_object_encryption_enc_values_supported: z.array(z.string()).optional(),
+  token_endpoint_auth_methods_supported: z.array(z.string()).optional(),
+  token_endpoint_auth_signing_alg_values_supported: z.array(z.string()).optional(),
+  display_values_supported: z.array(z.string()).optional(),
+  claim_types_supported: z.array(z.string()).optional(),
+  claims_supported: z.array(z.string()).optional(),
+  service_documentation: z.string().optional(),
+  claims_locales_supported: z.array(z.string()).optional(),
+  ui_locales_supported: z.array(z.string()).optional(),
+  claims_parameter_supported: z.boolean().optional(),
+  request_parameter_supported: z.boolean().optional(),
+  request_uri_parameter_supported: z.boolean().optional(),
+  require_request_uri_registration: z.boolean().optional(),
+  op_policy_uri: SafeUrlSchema.optional(),
+  op_tos_uri: SafeUrlSchema.optional()
+}).passthrough();
+var OpenIdProviderDiscoveryMetadataSchema = OpenIdProviderMetadataSchema.merge(OAuthMetadataSchema.pick({
+  code_challenge_methods_supported: true
+}));
 var OAuthTokensSchema = z.object({
   access_token: z.string(),
+  id_token: z.string().optional(),
+  // Optional for OAuth 2.1, but necessary in OpenID Connect
   token_type: z.string(),
   expires_in: z.number().optional(),
   scope: z.string().optional(),
@@ -11931,18 +12018,18 @@ var OAuthErrorResponseSchema = z.object({
   error_uri: z.string().optional()
 });
 var OAuthClientMetadataSchema = z.object({
-  redirect_uris: z.array(z.string()).refine((uris) => uris.every((uri) => URL.canParse(uri)), { message: "redirect_uris must contain valid URLs" }),
+  redirect_uris: z.array(SafeUrlSchema),
   token_endpoint_auth_method: z.string().optional(),
   grant_types: z.array(z.string()).optional(),
   response_types: z.array(z.string()).optional(),
   client_name: z.string().optional(),
-  client_uri: z.string().optional(),
-  logo_uri: z.string().optional(),
+  client_uri: SafeUrlSchema.optional(),
+  logo_uri: SafeUrlSchema.optional(),
   scope: z.string().optional(),
   contacts: z.array(z.string()).optional(),
-  tos_uri: z.string().optional(),
+  tos_uri: SafeUrlSchema.optional(),
   policy_uri: z.string().optional(),
-  jwks_uri: z.string().optional(),
+  jwks_uri: SafeUrlSchema.optional(),
   jwks: z.any().optional(),
   software_id: z.string().optional(),
   software_version: z.string().optional(),
@@ -11964,7 +12051,7 @@ var OAuthTokenRevocationRequestSchema = z.object({
   token_type_hint: z.string().optional()
 }).strip();
 
-// node_modules/.pnpm/@modelcontextprotocol+sdk@https+++pkg.pr.new+geelen+typescript-sdk+@modelcontextprotocol+sdk@877f4bf/node_modules/@modelcontextprotocol/sdk/dist/esm/shared/auth-utils.js
+// node_modules/.pnpm/@modelcontextprotocol+sdk@1.17.4/node_modules/@modelcontextprotocol/sdk/dist/esm/shared/auth-utils.js
 function resourceUrlFromServerUrl(url) {
   const resourceURL = typeof url === "string" ? new URL(url) : new URL(url.href);
   resourceURL.hash = "";
@@ -11984,7 +12071,7 @@ function checkResourceAllowed({ requestedResource, configuredResource }) {
   return requestedPath.startsWith(configuredPath);
 }
 
-// node_modules/.pnpm/@modelcontextprotocol+sdk@https+++pkg.pr.new+geelen+typescript-sdk+@modelcontextprotocol+sdk@877f4bf/node_modules/@modelcontextprotocol/sdk/dist/esm/server/auth/errors.js
+// node_modules/.pnpm/@modelcontextprotocol+sdk@1.17.4/node_modules/@modelcontextprotocol/sdk/dist/esm/server/auth/errors.js
 var OAuthError = class extends Error {
   constructor(message, errorUri) {
     super(message);
@@ -12075,12 +12162,60 @@ var OAUTH_ERRORS = {
   [InsufficientScopeError.errorCode]: InsufficientScopeError
 };
 
-// node_modules/.pnpm/@modelcontextprotocol+sdk@https+++pkg.pr.new+geelen+typescript-sdk+@modelcontextprotocol+sdk@877f4bf/node_modules/@modelcontextprotocol/sdk/dist/esm/client/auth.js
+// node_modules/.pnpm/@modelcontextprotocol+sdk@1.17.4/node_modules/@modelcontextprotocol/sdk/dist/esm/client/auth.js
 var UnauthorizedError = class extends Error {
   constructor(message) {
     super(message !== null && message !== void 0 ? message : "Unauthorized");
   }
 };
+function selectClientAuthMethod(clientInformation, supportedMethods) {
+  const hasClientSecret = clientInformation.client_secret !== void 0;
+  if (supportedMethods.length === 0) {
+    return hasClientSecret ? "client_secret_post" : "none";
+  }
+  if (hasClientSecret && supportedMethods.includes("client_secret_basic")) {
+    return "client_secret_basic";
+  }
+  if (hasClientSecret && supportedMethods.includes("client_secret_post")) {
+    return "client_secret_post";
+  }
+  if (supportedMethods.includes("none")) {
+    return "none";
+  }
+  return hasClientSecret ? "client_secret_post" : "none";
+}
+function applyClientAuthentication(method, clientInformation, headers, params) {
+  const { client_id, client_secret } = clientInformation;
+  switch (method) {
+    case "client_secret_basic":
+      applyBasicAuth(client_id, client_secret, headers);
+      return;
+    case "client_secret_post":
+      applyPostAuth(client_id, client_secret, params);
+      return;
+    case "none":
+      applyPublicAuth(client_id, params);
+      return;
+    default:
+      throw new Error(`Unsupported client authentication method: ${method}`);
+  }
+}
+function applyBasicAuth(clientId, clientSecret, headers) {
+  if (!clientSecret) {
+    throw new Error("client_secret_basic authentication requires a client_secret");
+  }
+  const credentials = btoa(`${clientId}:${clientSecret}`);
+  headers.set("Authorization", `Basic ${credentials}`);
+}
+function applyPostAuth(clientId, clientSecret, params) {
+  params.set("client_id", clientId);
+  if (clientSecret) {
+    params.set("client_secret", clientSecret);
+  }
+}
+function applyPublicAuth(clientId, params) {
+  params.set("client_id", clientId);
+}
 async function parseErrorResponse(input) {
   const statusCode = input instanceof Response ? input.status : void 0;
   const body = input instanceof Response ? await input.text() : input;
@@ -12109,18 +12244,23 @@ async function auth(provider, options) {
     throw error;
   }
 }
-async function authInternal(provider, { serverUrl, authorizationCode, scope, resourceMetadataUrl }) {
+async function authInternal(provider, { serverUrl, authorizationCode, scope, resourceMetadataUrl, fetchFn }) {
   let resourceMetadata;
-  let authorizationServerUrl = serverUrl;
+  let authorizationServerUrl;
   try {
-    resourceMetadata = await discoverOAuthProtectedResourceMetadata(serverUrl, { resourceMetadataUrl });
+    resourceMetadata = await discoverOAuthProtectedResourceMetadata(serverUrl, { resourceMetadataUrl }, fetchFn);
     if (resourceMetadata.authorization_servers && resourceMetadata.authorization_servers.length > 0) {
       authorizationServerUrl = resourceMetadata.authorization_servers[0];
     }
   } catch (_a) {
   }
+  if (!authorizationServerUrl) {
+    authorizationServerUrl = serverUrl;
+  }
   const resource = await selectResourceURL(serverUrl, provider, resourceMetadata);
-  const metadata = await discoverOAuthMetadata(authorizationServerUrl);
+  const metadata = await discoverAuthorizationServerMetadata(authorizationServerUrl, {
+    fetchFn
+  });
   let clientInformation = await Promise.resolve(provider.clientInformation());
   if (!clientInformation) {
     if (authorizationCode !== void 0) {
@@ -12131,7 +12271,8 @@ async function authInternal(provider, { serverUrl, authorizationCode, scope, res
     }
     const fullInformation = await registerClient(authorizationServerUrl, {
       metadata,
-      clientMetadata: provider.clientMetadata
+      clientMetadata: provider.clientMetadata,
+      fetchFn
     });
     await provider.saveClientInformation(fullInformation);
     clientInformation = fullInformation;
@@ -12144,7 +12285,9 @@ async function authInternal(provider, { serverUrl, authorizationCode, scope, res
       authorizationCode,
       codeVerifier: codeVerifier2,
       redirectUri: provider.redirectUrl,
-      resource
+      resource,
+      addClientAuthentication: provider.addClientAuthentication,
+      fetchFn
     });
     await provider.saveTokens(tokens2);
     return "AUTHORIZED";
@@ -12156,7 +12299,9 @@ async function authInternal(provider, { serverUrl, authorizationCode, scope, res
         metadata,
         clientInformation,
         refreshToken: tokens.refresh_token,
-        resource
+        resource,
+        addClientAuthentication: provider.addClientAuthentication,
+        fetchFn
       });
       await provider.saveTokens(newTokens);
       return "AUTHORIZED";
@@ -12213,29 +12358,12 @@ function extractResourceMetadataUrl(res) {
     return void 0;
   }
 }
-async function discoverOAuthProtectedResourceMetadata(serverUrl, opts) {
-  var _a;
-  let url;
-  if (opts === null || opts === void 0 ? void 0 : opts.resourceMetadataUrl) {
-    url = new URL(opts === null || opts === void 0 ? void 0 : opts.resourceMetadataUrl);
-  } else {
-    url = new URL("/.well-known/oauth-protected-resource", serverUrl);
-  }
-  let response;
-  try {
-    response = await fetch(url, {
-      headers: {
-        "MCP-Protocol-Version": (_a = opts === null || opts === void 0 ? void 0 : opts.protocolVersion) !== null && _a !== void 0 ? _a : LATEST_PROTOCOL_VERSION
-      }
-    });
-  } catch (error) {
-    if (error instanceof TypeError) {
-      response = await fetch(url);
-    } else {
-      throw error;
-    }
-  }
-  if (response.status === 404) {
+async function discoverOAuthProtectedResourceMetadata(serverUrl, opts, fetchFn = fetch) {
+  const response = await discoverMetadataWithFallback(serverUrl, "oauth-protected-resource", fetchFn, {
+    protocolVersion: opts === null || opts === void 0 ? void 0 : opts.protocolVersion,
+    metadataUrl: opts === null || opts === void 0 ? void 0 : opts.resourceMetadataUrl
+  });
+  if (!response || response.status === 404) {
     throw new Error(`Resource server does not implement OAuth 2.0 Protected Resource Metadata.`);
   }
   if (!response.ok) {
@@ -12243,13 +12371,13 @@ async function discoverOAuthProtectedResourceMetadata(serverUrl, opts) {
   }
   return OAuthProtectedResourceMetadataSchema.parse(await response.json());
 }
-async function fetchWithCorsRetry(url, headers) {
+async function fetchWithCorsRetry(url, headers, fetchFn = fetch) {
   try {
-    return await fetch(url, { headers });
+    return await fetchFn(url, { headers });
   } catch (error) {
     if (error instanceof TypeError) {
       if (headers) {
-        return fetchWithCorsRetry(url);
+        return fetchWithCorsRetry(url, void 0, fetchFn);
       } else {
         return void 0;
       }
@@ -12257,40 +12385,103 @@ async function fetchWithCorsRetry(url, headers) {
     throw error;
   }
 }
-function buildWellKnownPath(pathname) {
-  let wellKnownPath = `/.well-known/oauth-authorization-server${pathname}`;
+function buildWellKnownPath(wellKnownPrefix, pathname = "", options = {}) {
   if (pathname.endsWith("/")) {
-    wellKnownPath = wellKnownPath.slice(0, -1);
+    pathname = pathname.slice(0, -1);
   }
-  return wellKnownPath;
+  return options.prependPathname ? `${pathname}/.well-known/${wellKnownPrefix}` : `/.well-known/${wellKnownPrefix}${pathname}`;
 }
-async function tryMetadataDiscovery(url, protocolVersion) {
+async function tryMetadataDiscovery(url, protocolVersion, fetchFn = fetch) {
   const headers = {
     "MCP-Protocol-Version": protocolVersion
   };
-  return await fetchWithCorsRetry(url, headers);
+  return await fetchWithCorsRetry(url, headers, fetchFn);
 }
 function shouldAttemptFallback(response, pathname) {
-  return !response || response.status === 404 && pathname !== "/";
+  return !response || response.status >= 400 && response.status < 500 && pathname !== "/";
 }
-async function discoverOAuthMetadata(authorizationServerUrl, opts) {
-  var _a;
-  const issuer = new URL(authorizationServerUrl);
+async function discoverMetadataWithFallback(serverUrl, wellKnownType, fetchFn, opts) {
+  var _a, _b;
+  const issuer = new URL(serverUrl);
   const protocolVersion = (_a = opts === null || opts === void 0 ? void 0 : opts.protocolVersion) !== null && _a !== void 0 ? _a : LATEST_PROTOCOL_VERSION;
-  const wellKnownPath = buildWellKnownPath(issuer.pathname);
-  const pathAwareUrl = new URL(wellKnownPath, issuer);
-  let response = await tryMetadataDiscovery(pathAwareUrl, protocolVersion);
-  if (shouldAttemptFallback(response, issuer.pathname)) {
-    const rootUrl = new URL("/.well-known/oauth-authorization-server", issuer);
-    response = await tryMetadataDiscovery(rootUrl, protocolVersion);
+  let url;
+  if (opts === null || opts === void 0 ? void 0 : opts.metadataUrl) {
+    url = new URL(opts.metadataUrl);
+  } else {
+    const wellKnownPath = buildWellKnownPath(wellKnownType, issuer.pathname);
+    url = new URL(wellKnownPath, (_b = opts === null || opts === void 0 ? void 0 : opts.metadataServerUrl) !== null && _b !== void 0 ? _b : issuer);
+    url.search = issuer.search;
   }
-  if (!response || response.status === 404) {
-    return void 0;
+  let response = await tryMetadataDiscovery(url, protocolVersion, fetchFn);
+  if (!(opts === null || opts === void 0 ? void 0 : opts.metadataUrl) && shouldAttemptFallback(response, issuer.pathname)) {
+    const rootUrl = new URL(`/.well-known/${wellKnownType}`, issuer);
+    response = await tryMetadataDiscovery(rootUrl, protocolVersion, fetchFn);
   }
-  if (!response.ok) {
-    throw new Error(`HTTP ${response.status} trying to load well-known OAuth metadata`);
+  return response;
+}
+function buildDiscoveryUrls(authorizationServerUrl) {
+  const url = typeof authorizationServerUrl === "string" ? new URL(authorizationServerUrl) : authorizationServerUrl;
+  const hasPath = url.pathname !== "/";
+  const urlsToTry = [];
+  if (!hasPath) {
+    urlsToTry.push({
+      url: new URL("/.well-known/oauth-authorization-server", url.origin),
+      type: "oauth"
+    });
+    urlsToTry.push({
+      url: new URL(`/.well-known/openid-configuration`, url.origin),
+      type: "oidc"
+    });
+    return urlsToTry;
   }
-  return OAuthMetadataSchema.parse(await response.json());
+  let pathname = url.pathname;
+  if (pathname.endsWith("/")) {
+    pathname = pathname.slice(0, -1);
+  }
+  urlsToTry.push({
+    url: new URL(`/.well-known/oauth-authorization-server${pathname}`, url.origin),
+    type: "oauth"
+  });
+  urlsToTry.push({
+    url: new URL("/.well-known/oauth-authorization-server", url.origin),
+    type: "oauth"
+  });
+  urlsToTry.push({
+    url: new URL(`/.well-known/openid-configuration${pathname}`, url.origin),
+    type: "oidc"
+  });
+  urlsToTry.push({
+    url: new URL(`${pathname}/.well-known/openid-configuration`, url.origin),
+    type: "oidc"
+  });
+  return urlsToTry;
+}
+async function discoverAuthorizationServerMetadata(authorizationServerUrl, { fetchFn = fetch, protocolVersion = LATEST_PROTOCOL_VERSION } = {}) {
+  var _a;
+  const headers = { "MCP-Protocol-Version": protocolVersion };
+  const urlsToTry = buildDiscoveryUrls(authorizationServerUrl);
+  for (const { url: endpointUrl, type } of urlsToTry) {
+    const response = await fetchWithCorsRetry(endpointUrl, headers, fetchFn);
+    if (!response) {
+      continue;
+    }
+    if (!response.ok) {
+      if (response.status >= 400 && response.status < 500) {
+        continue;
+      }
+      throw new Error(`HTTP ${response.status} trying to load ${type === "oauth" ? "OAuth" : "OpenID provider"} metadata from ${endpointUrl}`);
+    }
+    if (type === "oauth") {
+      return OAuthMetadataSchema.parse(await response.json());
+    } else {
+      const metadata = OpenIdProviderDiscoveryMetadataSchema.parse(await response.json());
+      if (!((_a = metadata.code_challenge_methods_supported) === null || _a === void 0 ? void 0 : _a.includes("S256"))) {
+        throw new Error(`Incompatible OIDC provider at ${endpointUrl}: does not support S256 code challenge method required by MCP specification`);
+      }
+      return metadata;
+    }
+  }
+  return void 0;
 }
 async function startAuthorization(authorizationServerUrl, { metadata, clientInformation, redirectUrl, scope, state, resource }) {
   const responseType = "code";
@@ -12321,40 +12512,44 @@ async function startAuthorization(authorizationServerUrl, { metadata, clientInfo
   if (scope) {
     authorizationUrl.searchParams.set("scope", scope);
   }
+  if (scope === null || scope === void 0 ? void 0 : scope.includes("offline_access")) {
+    authorizationUrl.searchParams.append("prompt", "consent");
+  }
   if (resource) {
     authorizationUrl.searchParams.set("resource", resource.href);
   }
   return { authorizationUrl, codeVerifier };
 }
-async function exchangeAuthorization(authorizationServerUrl, { metadata, clientInformation, authorizationCode, codeVerifier, redirectUri, resource }) {
+async function exchangeAuthorization(authorizationServerUrl, { metadata, clientInformation, authorizationCode, codeVerifier, redirectUri, resource, addClientAuthentication, fetchFn }) {
+  var _a;
   const grantType = "authorization_code";
-  let tokenUrl;
-  if (metadata) {
-    tokenUrl = new URL(metadata.token_endpoint);
-    if (metadata.grant_types_supported && !metadata.grant_types_supported.includes(grantType)) {
-      throw new Error(`Incompatible auth server: does not support grant type ${grantType}`);
-    }
-  } else {
-    tokenUrl = new URL("/token", authorizationServerUrl);
+  const tokenUrl = (metadata === null || metadata === void 0 ? void 0 : metadata.token_endpoint) ? new URL(metadata.token_endpoint) : new URL("/token", authorizationServerUrl);
+  if ((metadata === null || metadata === void 0 ? void 0 : metadata.grant_types_supported) && !metadata.grant_types_supported.includes(grantType)) {
+    throw new Error(`Incompatible auth server: does not support grant type ${grantType}`);
   }
+  const headers = new Headers({
+    "Content-Type": "application/x-www-form-urlencoded",
+    "Accept": "application/json"
+  });
   const params = new URLSearchParams({
     grant_type: grantType,
-    client_id: clientInformation.client_id,
     code: authorizationCode,
     code_verifier: codeVerifier,
     redirect_uri: String(redirectUri)
   });
-  if (clientInformation.client_secret) {
-    params.set("client_secret", clientInformation.client_secret);
+  if (addClientAuthentication) {
+    addClientAuthentication(headers, params, authorizationServerUrl, metadata);
+  } else {
+    const supportedMethods = (_a = metadata === null || metadata === void 0 ? void 0 : metadata.token_endpoint_auth_methods_supported) !== null && _a !== void 0 ? _a : [];
+    const authMethod = selectClientAuthMethod(clientInformation, supportedMethods);
+    applyClientAuthentication(authMethod, clientInformation, headers, params);
   }
   if (resource) {
     params.set("resource", resource.href);
   }
-  const response = await fetch(tokenUrl, {
+  const response = await (fetchFn !== null && fetchFn !== void 0 ? fetchFn : fetch)(tokenUrl, {
     method: "POST",
-    headers: {
-      "Content-Type": "application/x-www-form-urlencoded"
-    },
+    headers,
     body: params
   });
   if (!response.ok) {
@@ -12362,7 +12557,8 @@ async function exchangeAuthorization(authorizationServerUrl, { metadata, clientI
   }
   return OAuthTokensSchema.parse(await response.json());
 }
-async function refreshAuthorization(authorizationServerUrl, { metadata, clientInformation, refreshToken, resource }) {
+async function refreshAuthorization(authorizationServerUrl, { metadata, clientInformation, refreshToken, resource, addClientAuthentication, fetchFn }) {
+  var _a;
   const grantType = "refresh_token";
   let tokenUrl;
   if (metadata) {
@@ -12373,22 +12569,26 @@ async function refreshAuthorization(authorizationServerUrl, { metadata, clientIn
   } else {
     tokenUrl = new URL("/token", authorizationServerUrl);
   }
+  const headers = new Headers({
+    "Content-Type": "application/x-www-form-urlencoded"
+  });
   const params = new URLSearchParams({
     grant_type: grantType,
-    client_id: clientInformation.client_id,
     refresh_token: refreshToken
   });
-  if (clientInformation.client_secret) {
-    params.set("client_secret", clientInformation.client_secret);
+  if (addClientAuthentication) {
+    addClientAuthentication(headers, params, authorizationServerUrl, metadata);
+  } else {
+    const supportedMethods = (_a = metadata === null || metadata === void 0 ? void 0 : metadata.token_endpoint_auth_methods_supported) !== null && _a !== void 0 ? _a : [];
+    const authMethod = selectClientAuthMethod(clientInformation, supportedMethods);
+    applyClientAuthentication(authMethod, clientInformation, headers, params);
   }
   if (resource) {
     params.set("resource", resource.href);
   }
-  const response = await fetch(tokenUrl, {
+  const response = await (fetchFn !== null && fetchFn !== void 0 ? fetchFn : fetch)(tokenUrl, {
     method: "POST",
-    headers: {
-      "Content-Type": "application/x-www-form-urlencoded"
-    },
+    headers,
     body: params
   });
   if (!response.ok) {
@@ -12396,7 +12596,7 @@ async function refreshAuthorization(authorizationServerUrl, { metadata, clientIn
   }
   return OAuthTokensSchema.parse({ refresh_token: refreshToken, ...await response.json() });
 }
-async function registerClient(authorizationServerUrl, { metadata, clientMetadata }) {
+async function registerClient(authorizationServerUrl, { metadata, clientMetadata, fetchFn }) {
   let registrationUrl;
   if (metadata) {
     if (!metadata.registration_endpoint) {
@@ -12406,7 +12606,7 @@ async function registerClient(authorizationServerUrl, { metadata, clientMetadata
   } else {
     registrationUrl = new URL("/register", authorizationServerUrl);
   }
-  const response = await fetch(registrationUrl, {
+  const response = await (fetchFn !== null && fetchFn !== void 0 ? fetchFn : fetch)(registrationUrl, {
     method: "POST",
     headers: {
       "Content-Type": "application/json"
@@ -12819,7 +13019,7 @@ function getBaseURL() {
   return doc && typeof doc == "object" && "baseURI" in doc && typeof doc.baseURI == "string" ? doc.baseURI : void 0;
 }
 
-// node_modules/.pnpm/@modelcontextprotocol+sdk@https+++pkg.pr.new+geelen+typescript-sdk+@modelcontextprotocol+sdk@877f4bf/node_modules/@modelcontextprotocol/sdk/dist/esm/client/sse.js
+// node_modules/.pnpm/@modelcontextprotocol+sdk@1.17.4/node_modules/@modelcontextprotocol/sdk/dist/esm/client/sse.js
 var SseError = class extends Error {
   constructor(code, message, event) {
     super(`SSE error: ${message}`);
@@ -12834,6 +13034,7 @@ var SSEClientTransport = class {
     this._eventSourceInit = opts === null || opts === void 0 ? void 0 : opts.eventSourceInit;
     this._requestInit = opts === null || opts === void 0 ? void 0 : opts.requestInit;
     this._authProvider = opts === null || opts === void 0 ? void 0 : opts.authProvider;
+    this._fetch = opts === null || opts === void 0 ? void 0 : opts.fetch;
   }
   async _authThenStart() {
     var _a;
@@ -12842,7 +13043,7 @@ var SSEClientTransport = class {
     }
     let result;
     try {
-      result = await auth(this._authProvider, { serverUrl: this._url, resourceMetadataUrl: this._resourceMetadataUrl });
+      result = await auth(this._authProvider, { serverUrl: this._url, resourceMetadataUrl: this._resourceMetadataUrl, fetchFn: this._fetch });
     } catch (error) {
       (_a = this.onerror) === null || _a === void 0 ? void 0 : _a.call(this, error);
       throw error;
@@ -12854,9 +13055,7 @@ var SSEClientTransport = class {
   }
   async _commonHeaders() {
     var _a;
-    const headers = {
-      ...(_a = this._requestInit) === null || _a === void 0 ? void 0 : _a.headers
-    };
+    const headers = {};
     if (this._authProvider) {
       const tokens = await this._authProvider.tokens();
       if (tokens) {
@@ -12866,22 +13065,20 @@ var SSEClientTransport = class {
     if (this._protocolVersion) {
       headers["mcp-protocol-version"] = this._protocolVersion;
     }
-    return headers;
+    return new Headers({ ...headers, ...(_a = this._requestInit) === null || _a === void 0 ? void 0 : _a.headers });
   }
   _startOrAuth() {
-    var _a;
-    const fetchImpl = ((_a = this === null || this === void 0 ? void 0 : this._eventSourceInit) === null || _a === void 0 ? void 0 : _a.fetch) || fetch;
+    var _a, _b, _c;
+    const fetchImpl = (_c = (_b = (_a = this === null || this === void 0 ? void 0 : this._eventSourceInit) === null || _a === void 0 ? void 0 : _a.fetch) !== null && _b !== void 0 ? _b : this._fetch) !== null && _c !== void 0 ? _c : fetch;
     return new Promise((resolve, reject) => {
       this._eventSource = new EventSource(this._url.href, {
         ...this._eventSourceInit,
         fetch: async (url, init) => {
           const headers = await this._commonHeaders();
+          headers.set("Accept", "text/event-stream");
           const response = await fetchImpl(url, {
             ...init,
-            headers: new Headers({
-              ...headers,
-              Accept: "text/event-stream"
-            })
+            headers
           });
           if (response.status === 401 && response.headers.has("www-authenticate")) {
             this._resourceMetadataUrl = extractResourceMetadataUrl(response);
@@ -12919,7 +13116,7 @@ var SSEClientTransport = class {
         resolve();
       });
       this._eventSource.onmessage = (event) => {
-        var _a2, _b;
+        var _a2, _b2;
         const messageEvent = event;
         let message;
         try {
@@ -12928,7 +13125,7 @@ var SSEClientTransport = class {
           (_a2 = this.onerror) === null || _a2 === void 0 ? void 0 : _a2.call(this, error);
           return;
         }
-        (_b = this.onmessage) === null || _b === void 0 ? void 0 : _b.call(this, message);
+        (_b2 = this.onmessage) === null || _b2 === void 0 ? void 0 : _b2.call(this, message);
       };
     });
   }
@@ -12945,7 +13142,7 @@ var SSEClientTransport = class {
     if (!this._authProvider) {
       throw new UnauthorizedError("No auth provider");
     }
-    const result = await auth(this._authProvider, { serverUrl: this._url, authorizationCode, resourceMetadataUrl: this._resourceMetadataUrl });
+    const result = await auth(this._authProvider, { serverUrl: this._url, authorizationCode, resourceMetadataUrl: this._resourceMetadataUrl, fetchFn: this._fetch });
     if (result !== "AUTHORIZED") {
       throw new UnauthorizedError("Failed to authorize");
     }
@@ -12957,13 +13154,12 @@ var SSEClientTransport = class {
     (_c = this.onclose) === null || _c === void 0 ? void 0 : _c.call(this);
   }
   async send(message) {
-    var _a, _b;
+    var _a, _b, _c;
     if (!this._endpoint) {
       throw new Error("Not connected");
     }
     try {
-      const commonHeaders = await this._commonHeaders();
-      const headers = new Headers(commonHeaders);
+      const headers = await this._commonHeaders();
       headers.set("content-type", "application/json");
       const init = {
         ...this._requestInit,
@@ -12972,11 +13168,11 @@ var SSEClientTransport = class {
         body: JSON.stringify(message),
         signal: (_a = this._abortController) === null || _a === void 0 ? void 0 : _a.signal
       };
-      const response = await fetch(this._endpoint, init);
+      const response = await ((_b = this._fetch) !== null && _b !== void 0 ? _b : fetch)(this._endpoint, init);
       if (!response.ok) {
         if (response.status === 401 && this._authProvider) {
           this._resourceMetadataUrl = extractResourceMetadataUrl(response);
-          const result = await auth(this._authProvider, { serverUrl: this._url, resourceMetadataUrl: this._resourceMetadataUrl });
+          const result = await auth(this._authProvider, { serverUrl: this._url, resourceMetadataUrl: this._resourceMetadataUrl, fetchFn: this._fetch });
           if (result !== "AUTHORIZED") {
             throw new UnauthorizedError();
           }
@@ -12986,7 +13182,7 @@ var SSEClientTransport = class {
         throw new Error(`Error POSTing to endpoint (HTTP ${response.status}): ${text}`);
       }
     } catch (error) {
-      (_b = this.onerror) === null || _b === void 0 ? void 0 : _b.call(this, error);
+      (_c = this.onerror) === null || _c === void 0 ? void 0 : _c.call(this, error);
       throw error;
     }
   }
@@ -13019,7 +13215,7 @@ var EventSourceParserStream = class extends TransformStream {
   }
 };
 
-// node_modules/.pnpm/@modelcontextprotocol+sdk@https+++pkg.pr.new+geelen+typescript-sdk+@modelcontextprotocol+sdk@877f4bf/node_modules/@modelcontextprotocol/sdk/dist/esm/client/streamableHttp.js
+// node_modules/.pnpm/@modelcontextprotocol+sdk@1.17.4/node_modules/@modelcontextprotocol/sdk/dist/esm/client/streamableHttp.js
 var DEFAULT_STREAMABLE_HTTP_RECONNECTION_OPTIONS = {
   initialReconnectionDelay: 1e3,
   maxReconnectionDelay: 3e4,
@@ -13039,6 +13235,7 @@ var StreamableHTTPClientTransport = class {
     this._resourceMetadataUrl = void 0;
     this._requestInit = opts === null || opts === void 0 ? void 0 : opts.requestInit;
     this._authProvider = opts === null || opts === void 0 ? void 0 : opts.authProvider;
+    this._fetch = opts === null || opts === void 0 ? void 0 : opts.fetch;
     this._sessionId = opts === null || opts === void 0 ? void 0 : opts.sessionId;
     this._reconnectionOptions = (_a = opts === null || opts === void 0 ? void 0 : opts.reconnectionOptions) !== null && _a !== void 0 ? _a : DEFAULT_STREAMABLE_HTTP_RECONNECTION_OPTIONS;
   }
@@ -13049,7 +13246,7 @@ var StreamableHTTPClientTransport = class {
     }
     let result;
     try {
-      result = await auth(this._authProvider, { serverUrl: this._url, resourceMetadataUrl: this._resourceMetadataUrl });
+      result = await auth(this._authProvider, { serverUrl: this._url, resourceMetadataUrl: this._resourceMetadataUrl, fetchFn: this._fetch });
     } catch (error) {
       (_a = this.onerror) === null || _a === void 0 ? void 0 : _a.call(this, error);
       throw error;
@@ -13081,7 +13278,7 @@ var StreamableHTTPClientTransport = class {
     });
   }
   async _startOrAuthSse(options) {
-    var _a, _b;
+    var _a, _b, _c;
     const { resumptionToken } = options;
     try {
       const headers = await this._commonHeaders();
@@ -13089,10 +13286,10 @@ var StreamableHTTPClientTransport = class {
       if (resumptionToken) {
         headers.set("last-event-id", resumptionToken);
       }
-      const response = await fetch(this._url, {
+      const response = await ((_a = this._fetch) !== null && _a !== void 0 ? _a : fetch)(this._url, {
         method: "GET",
         headers,
-        signal: (_a = this._abortController) === null || _a === void 0 ? void 0 : _a.signal
+        signal: (_b = this._abortController) === null || _b === void 0 ? void 0 : _b.signal
       });
       if (!response.ok) {
         if (response.status === 401 && this._authProvider) {
@@ -13103,9 +13300,9 @@ var StreamableHTTPClientTransport = class {
         }
         throw new StreamableHTTPError(response.status, `Failed to open SSE stream: ${response.statusText}`);
       }
-      this._handleSseStream(response.body, options);
+      this._handleSseStream(response.body, options, true);
     } catch (error) {
-      (_b = this.onerror) === null || _b === void 0 ? void 0 : _b.call(this, error);
+      (_c = this.onerror) === null || _c === void 0 ? void 0 : _c.call(this, error);
       throw error;
     }
   }
@@ -13154,7 +13351,7 @@ var StreamableHTTPClientTransport = class {
       });
     }, delay);
   }
-  _handleSseStream(stream, options) {
+  _handleSseStream(stream, options, isReconnectable) {
     if (!stream) {
       return;
     }
@@ -13187,17 +13384,15 @@ var StreamableHTTPClientTransport = class {
         }
       } catch (error) {
         (_c = this.onerror) === null || _c === void 0 ? void 0 : _c.call(this, new Error(`SSE stream disconnected: ${error}`));
-        if (this._abortController && !this._abortController.signal.aborted) {
-          if (lastEventId !== void 0) {
-            try {
-              this._scheduleReconnection({
-                resumptionToken: lastEventId,
-                onresumptiontoken,
-                replayMessageId
-              }, 0);
-            } catch (error2) {
-              (_d = this.onerror) === null || _d === void 0 ? void 0 : _d.call(this, new Error(`Failed to reconnect: ${error2 instanceof Error ? error2.message : String(error2)}`));
-            }
+        if (isReconnectable && this._abortController && !this._abortController.signal.aborted) {
+          try {
+            this._scheduleReconnection({
+              resumptionToken: lastEventId,
+              onresumptiontoken,
+              replayMessageId
+            }, 0);
+          } catch (error2) {
+            (_d = this.onerror) === null || _d === void 0 ? void 0 : _d.call(this, new Error(`Failed to reconnect: ${error2 instanceof Error ? error2.message : String(error2)}`));
           }
         }
       }
@@ -13217,7 +13412,7 @@ var StreamableHTTPClientTransport = class {
     if (!this._authProvider) {
       throw new UnauthorizedError("No auth provider");
     }
-    const result = await auth(this._authProvider, { serverUrl: this._url, authorizationCode, resourceMetadataUrl: this._resourceMetadataUrl });
+    const result = await auth(this._authProvider, { serverUrl: this._url, authorizationCode, resourceMetadataUrl: this._resourceMetadataUrl, fetchFn: this._fetch });
     if (result !== "AUTHORIZED") {
       throw new UnauthorizedError("Failed to authorize");
     }
@@ -13228,7 +13423,7 @@ var StreamableHTTPClientTransport = class {
     (_b = this.onclose) === null || _b === void 0 ? void 0 : _b.call(this);
   }
   async send(message, options) {
-    var _a, _b, _c;
+    var _a, _b, _c, _d;
     try {
       const { resumptionToken, onresumptiontoken } = options || {};
       if (resumptionToken) {
@@ -13248,7 +13443,7 @@ var StreamableHTTPClientTransport = class {
         body: JSON.stringify(message),
         signal: (_a = this._abortController) === null || _a === void 0 ? void 0 : _a.signal
       };
-      const response = await fetch(this._url, init);
+      const response = await ((_b = this._fetch) !== null && _b !== void 0 ? _b : fetch)(this._url, init);
       const sessionId = response.headers.get("mcp-session-id");
       if (sessionId) {
         this._sessionId = sessionId;
@@ -13256,7 +13451,7 @@ var StreamableHTTPClientTransport = class {
       if (!response.ok) {
         if (response.status === 401 && this._authProvider) {
           this._resourceMetadataUrl = extractResourceMetadataUrl(response);
-          const result = await auth(this._authProvider, { serverUrl: this._url, resourceMetadataUrl: this._resourceMetadataUrl });
+          const result = await auth(this._authProvider, { serverUrl: this._url, resourceMetadataUrl: this._resourceMetadataUrl, fetchFn: this._fetch });
           if (result !== "AUTHORIZED") {
             throw new UnauthorizedError();
           }
@@ -13279,19 +13474,19 @@ var StreamableHTTPClientTransport = class {
       const contentType = response.headers.get("content-type");
       if (hasRequests) {
         if (contentType === null || contentType === void 0 ? void 0 : contentType.includes("text/event-stream")) {
-          this._handleSseStream(response.body, { onresumptiontoken });
+          this._handleSseStream(response.body, { onresumptiontoken }, false);
         } else if (contentType === null || contentType === void 0 ? void 0 : contentType.includes("application/json")) {
           const data = await response.json();
           const responseMessages = Array.isArray(data) ? data.map((msg) => JSONRPCMessageSchema.parse(msg)) : [JSONRPCMessageSchema.parse(data)];
           for (const msg of responseMessages) {
-            (_b = this.onmessage) === null || _b === void 0 ? void 0 : _b.call(this, msg);
+            (_c = this.onmessage) === null || _c === void 0 ? void 0 : _c.call(this, msg);
           }
         } else {
           throw new StreamableHTTPError(-1, `Unexpected content type: ${contentType}`);
         }
       }
     } catch (error) {
-      (_c = this.onerror) === null || _c === void 0 ? void 0 : _c.call(this, error);
+      (_d = this.onerror) === null || _d === void 0 ? void 0 : _d.call(this, error);
       throw error;
     }
   }
@@ -13310,7 +13505,7 @@ var StreamableHTTPClientTransport = class {
    * the server does not allow clients to terminate sessions.
    */
   async terminateSession() {
-    var _a, _b;
+    var _a, _b, _c;
     if (!this._sessionId) {
       return;
     }
@@ -13322,13 +13517,13 @@ var StreamableHTTPClientTransport = class {
         headers,
         signal: (_a = this._abortController) === null || _a === void 0 ? void 0 : _a.signal
       };
-      const response = await fetch(this._url, init);
+      const response = await ((_b = this._fetch) !== null && _b !== void 0 ? _b : fetch)(this._url, init);
       if (!response.ok && response.status !== 405) {
         throw new StreamableHTTPError(response.status, `Failed to terminate session: ${response.statusText}`);
       }
       this._sessionId = void 0;
     } catch (error) {
-      (_b = this.onerror) === null || _b === void 0 ? void 0 : _b.call(this, error);
+      (_c = this.onerror) === null || _c === void 0 ? void 0 : _c.call(this, error);
       throw error;
     }
   }
@@ -13949,6 +14144,7 @@ var NodeOAuthClientProvider = class {
     this.staticOAuthClientMetadata = options.staticOAuthClientMetadata;
     this.staticOAuthClientInfo = options.staticOAuthClientInfo;
     this.authorizeResource = options.authorizeResource;
+    this._scopes = options.scopes || "openid email profile";
     this._state = randomUUID();
   }
   serverUrlHash;
@@ -13960,6 +14156,7 @@ var NodeOAuthClientProvider = class {
   staticOAuthClientMetadata;
   staticOAuthClientInfo;
   authorizeResource;
+  _scopes;
   _state;
   get redirectUrl() {
     return `http://${this.options.host}:${this.options.callbackPort}${this.callbackPath}`;
@@ -13974,6 +14171,7 @@ var NodeOAuthClientProvider = class {
       client_uri: this.clientUri,
       software_id: this.softwareId,
       software_version: this.softwareVersion,
+      scope: this._scopes,
       ...this.staticOAuthClientMetadata
     };
   }
@@ -13995,16 +14193,41 @@ var NodeOAuthClientProvider = class {
       "client_info.json",
       OAuthClientInformationFullSchema
     );
+    if (clientInfo) {
+      const scopesData = await readJsonFile(this.serverUrlHash, "scopes.json", {
+        parseAsync: async (data) => data
+      });
+      if (scopesData?.scopes) {
+        this._scopes = scopesData.scopes;
+        if (DEBUG) debugLog("Loaded stored scopes from registration", { scopes: this._scopes });
+      }
+    }
     if (DEBUG) debugLog("Client info result:", clientInfo ? "Found" : "Not found");
     return clientInfo;
   }
+  /**
+   * Extracts scopes from OAuth registration response
+   * @param clientInfo The client registration response
+   * @returns The extracted scopes as a space-separated string
+   */
+  extractScopesFromRegistration(clientInfo) {
+    if (clientInfo.scope) return clientInfo.scope;
+    if (clientInfo.default_scope) return clientInfo.default_scope;
+    if (Array.isArray(clientInfo.scopes)) return clientInfo.scopes.join(" ");
+    if (Array.isArray(clientInfo.default_scopes)) return clientInfo.default_scopes.join(" ");
+    return "openid email profile";
+  }
   /**
    * Saves client information
    * @param clientInformation The client information to save
    */
   async saveClientInformation(clientInformation) {
     if (DEBUG) debugLog("Saving client info", { client_id: clientInformation.client_id });
+    const scopes = this.extractScopesFromRegistration(clientInformation);
+    if (DEBUG) debugLog("Extracted scopes from registration response", { scopes });
+    this._scopes = scopes;
     await writeJsonFile(this.serverUrlHash, "client_info.json", clientInformation);
+    await writeJsonFile(this.serverUrlHash, "scopes.json", { scopes });
   }
   /**
    * Gets the OAuth tokens if they exist
@@ -14071,6 +14294,10 @@ var NodeOAuthClientProvider = class {
     if (this.authorizeResource) {
       authorizationUrl.searchParams.set("resource", this.authorizeResource);
     }
+    if (this._scopes) {
+      authorizationUrl.searchParams.set("scope", this._scopes);
+      if (DEBUG) debugLog("Added scope parameter to authorization URL", { scopes: this._scopes });
+    }
     log(`
 Please authorize this client by visiting:
 ${authorizationUrl.toString()}
@@ -14113,12 +14340,14 @@ ${authorizationUrl.toString()}
         await Promise.all([
           deleteConfigFile(this.serverUrlHash, "client_info.json"),
           deleteConfigFile(this.serverUrlHash, "tokens.json"),
-          deleteConfigFile(this.serverUrlHash, "code_verifier.txt")
+          deleteConfigFile(this.serverUrlHash, "code_verifier.txt"),
+          deleteConfigFile(this.serverUrlHash, "scopes.json")
         ]);
         if (DEBUG) debugLog("All credentials invalidated");
         break;
       case "client":
-        await deleteConfigFile(this.serverUrlHash, "client_info.json");
+        await Promise.all([deleteConfigFile(this.serverUrlHash, "client_info.json"), deleteConfigFile(this.serverUrlHash, "scopes.json")]);
+        this._scopes = this.options.scopes || "openid email profile";
         if (DEBUG) debugLog("Client information invalidated");
         break;
       case "tokens":

package/dist/client.js

@@ -11,7 +11,7 @@ import {
   parseCommandLineArgs,
   setupSignalHandlers,
   version
-} from "./chunk-OXNXVROF.js";
+} from "./chunk-EP7LWBXW.js";
 
 // src/client.ts
 import { EventEmitter } from "events";

package/dist/proxy.js

@@ -9,15 +9,15 @@ import {
   mcpProxy,
   parseCommandLineArgs,
   setupSignalHandlers
-} from "./chunk-OXNXVROF.js";
+} from "./chunk-EP7LWBXW.js";
 
 // src/proxy.ts
 import { EventEmitter } from "events";
 
-// node_modules/.pnpm/@modelcontextprotocol+sdk@https+++pkg.pr.new+geelen+typescript-sdk+@modelcontextprotocol+sdk@877f4bf/node_modules/@modelcontextprotocol/sdk/dist/esm/server/stdio.js
+// node_modules/.pnpm/@modelcontextprotocol+sdk@1.17.4/node_modules/@modelcontextprotocol/sdk/dist/esm/server/stdio.js
 import process2 from "node:process";
 
-// node_modules/.pnpm/@modelcontextprotocol+sdk@https+++pkg.pr.new+geelen+typescript-sdk+@modelcontextprotocol+sdk@877f4bf/node_modules/@modelcontextprotocol/sdk/dist/esm/shared/stdio.js
+// node_modules/.pnpm/@modelcontextprotocol+sdk@1.17.4/node_modules/@modelcontextprotocol/sdk/dist/esm/shared/stdio.js
 var ReadBuffer = class {
   append(chunk) {
     this._buffer = this._buffer ? Buffer.concat([this._buffer, chunk]) : chunk;
@@ -45,7 +45,7 @@ function serializeMessage(message) {
   return JSON.stringify(message) + "\n";
 }
 
-// node_modules/.pnpm/@modelcontextprotocol+sdk@https+++pkg.pr.new+geelen+typescript-sdk+@modelcontextprotocol+sdk@877f4bf/node_modules/@modelcontextprotocol/sdk/dist/esm/server/stdio.js
+// node_modules/.pnpm/@modelcontextprotocol+sdk@1.17.4/node_modules/@modelcontextprotocol/sdk/dist/esm/server/stdio.js
 var StdioServerTransport = class {
   constructor(_stdin = process2.stdin, _stdout = process2.stdout) {
     this._stdin = _stdin;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mcp-remote",
-  "version": "0.1.18",
+  "version": "0.1.20",
   "description": "Remote proxy for Model Context Protocol, allowing local-only clients to connect to remote servers using oAuth",
   "keywords": [
     "mcp",
@@ -36,7 +36,7 @@
     "strict-url-sanitise": "^0.0.1"
   },
   "devDependencies": {
-    "@modelcontextprotocol/sdk": "https://pkg.pr.new/geelen/typescript-sdk/@modelcontextprotocol/sdk@877f4bf",
+    "@modelcontextprotocol/sdk": "^1.17.3",
     "@types/express": "^5.0.0",
     "@types/node": "^22.13.10",
     "prettier": "^3.5.3",