mcp-use 1.34.0 → 1.34.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (37) hide show
  1. package/dist/.tsbuildinfo +1 -1
  2. package/dist/{chunk-3UOADQDZ.js → chunk-2EBW4344.js} +40 -4
  3. package/dist/{chunk-U6UCVQKQ.js → chunk-D7SEH5RU.js} +4 -4
  4. package/dist/{chunk-3N6PYMAD.js → chunk-LPVVF6US.js} +2 -2
  5. package/dist/{chunk-AOZBHAT7.js → chunk-LZOTKOYW.js} +1 -1
  6. package/dist/{chunk-VWJXSLCF.js → chunk-N3DGPXFX.js} +38 -2
  7. package/dist/{chunk-EIYWOJYK.js → chunk-NXLY2JS7.js} +1 -1
  8. package/dist/{chunk-WEMFZYUR.js → chunk-PSOT2YDT.js} +1 -1
  9. package/dist/{chunk-2J3FVMZ5.js → chunk-TAPTQKI4.js} +1 -1
  10. package/dist/{chunk-7MKAP6XK.js → chunk-VYDFQS24.js} +1 -1
  11. package/dist/{chunk-XS2ZMBOG.js → chunk-XIAP7CEH.js} +1 -1
  12. package/dist/{chunk-BOFDVMBT.js → chunk-YQIRNTLE.js} +2 -2
  13. package/dist/{chunk-4KP3757O.js → chunk-YZ22J43K.js} +1 -1
  14. package/dist/{client-O5HMGXF3.js → client-AGYZM4PU.js} +4 -4
  15. package/dist/index.cjs +39 -3
  16. package/dist/index.js +7 -7
  17. package/dist/src/agents/index.cjs +1 -1
  18. package/dist/src/agents/index.js +4 -4
  19. package/dist/src/auth/browser-provider.d.ts +16 -0
  20. package/dist/src/auth/browser-provider.d.ts.map +1 -1
  21. package/dist/src/auth/index.cjs +38 -2
  22. package/dist/src/auth/index.js +1 -1
  23. package/dist/src/browser-agent.cjs +1 -1
  24. package/dist/src/browser-agent.js +2 -2
  25. package/dist/src/browser.cjs +39 -3
  26. package/dist/src/browser.js +4 -4
  27. package/dist/src/client.cjs +1 -1
  28. package/dist/src/client.js +4 -4
  29. package/dist/src/react/index.cjs +39 -3
  30. package/dist/src/react/index.js +4 -4
  31. package/dist/src/server/index.cjs +1 -1
  32. package/dist/src/server/index.js +7 -7
  33. package/dist/src/version.d.ts +1 -1
  34. package/dist/{stdio-QIYDKXTT.js → stdio-ECCMBHYL.js} +3 -3
  35. package/dist/{stdio-NRH7PMXI.js → stdio-VYJBFXTQ.js} +2 -2
  36. package/dist/{tool-execution-helpers-GEQBGCKR.js → tool-execution-helpers-J4XLCZBU.js} +2 -2
  37. package/package.json +3 -3
@@ -3,11 +3,11 @@ import {
3
3
  HttpConnector,
4
4
  normalizeClientInfo,
5
5
  resolveCallbacks
6
- } from "./chunk-BOFDVMBT.js";
6
+ } from "./chunk-YQIRNTLE.js";
7
7
  import {
8
8
  Tel,
9
9
  getPackageVersion
10
- } from "./chunk-XS2ZMBOG.js";
10
+ } from "./chunk-XIAP7CEH.js";
11
11
  import {
12
12
  logger
13
13
  } from "./chunk-QWQYAQCK.js";
@@ -523,6 +523,41 @@ var BrowserOAuthClientProvider = class {
523
523
  getKey(keySuffix) {
524
524
  return this.session.getKey(keySuffix);
525
525
  }
526
+ /**
527
+ * Re-anchor an SDK-derived OAuth discovery URL from the MCP connection
528
+ * (proxy) origin onto the actual MCP server.
529
+ *
530
+ * When MCP traffic is tunneled through a gateway/inspector proxy, the SDK
531
+ * transport derives `/.well-known/*` URLs from the URL it connected to (the
532
+ * proxy) whenever no `resource_metadata` hint is available — the SSE
533
+ * transport's EventSource cannot read `WWW-Authenticate`, and token refresh
534
+ * runs without a 401 response at hand. The proxy origin serves no OAuth
535
+ * metadata, so discovery would fail and the server would be misclassified
536
+ * as "does not support OAuth". Rewriting reproduces what a direct
537
+ * connection would have requested: the same well-known document, anchored
538
+ * on the server origin, with the RFC 8414 §3.1 / RFC 9728 §3.1 path
539
+ * insertion using the server's path instead of the proxy's.
540
+ */
541
+ reanchorWellKnownUrl(url) {
542
+ if (!this.connectionUrl) return url;
543
+ try {
544
+ const requested = new URL(url);
545
+ const connection = new URL(this.connectionUrl);
546
+ if (requested.origin !== connection.origin) return url;
547
+ if (!requested.pathname.startsWith("/.well-known/")) return url;
548
+ const target = new URL(this.serverUrl);
549
+ const rest = requested.pathname.slice("/.well-known/".length);
550
+ const [doc, ...suffixParts] = rest.split("/");
551
+ if (!doc) return url;
552
+ const suffix = suffixParts.length ? `/${suffixParts.join("/")}` : "";
553
+ const connectionPath = connection.pathname.replace(/\/+$/, "");
554
+ const targetPath = target.pathname.replace(/\/+$/, "");
555
+ const newSuffix = suffix && suffix === connectionPath ? targetPath : suffix;
556
+ return `${target.origin}/.well-known/${doc}${newSuffix}${requested.search}`;
557
+ } catch {
558
+ return url;
559
+ }
560
+ }
526
561
  /**
527
562
  * Returns a `fetch` function, scoped to this provider, that routes OAuth
528
563
  * requests (`.well-known` metadata, token, register, authorize) through the
@@ -552,7 +587,8 @@ var BrowserOAuthClientProvider = class {
552
587
  const connectionUrl = this.connectionUrl;
553
588
  const serverUrl = this.serverUrl;
554
589
  return async (input, init) => {
555
- const url = typeof input === "string" ? input : input instanceof URL ? input.toString() : input.url;
590
+ const requestedUrl = typeof input === "string" ? input : input instanceof URL ? input.toString() : input.url;
591
+ const url = this.reanchorWellKnownUrl(requestedUrl);
556
592
  const isOAuthRequest = url.includes("/.well-known/") || url.match(/\/(register|token|authorize)$/);
557
593
  if (!isOAuthRequest) {
558
594
  return await base(input, init);
@@ -622,7 +658,7 @@ var BrowserOAuthClientProvider = class {
622
658
  "[OAuth Proxy] Request failed, falling back to direct fetch:",
623
659
  error
624
660
  );
625
- return await base(input, init);
661
+ return url !== requestedUrl ? await base(url, init) : await base(input, init);
626
662
  }
627
663
  };
628
664
  }
@@ -3,17 +3,17 @@ import {
3
3
  } from "./chunk-GKPKUKD6.js";
4
4
  import {
5
5
  CodeModeConnector
6
- } from "./chunk-2J3FVMZ5.js";
6
+ } from "./chunk-TAPTQKI4.js";
7
7
  import {
8
8
  BaseConnector
9
- } from "./chunk-4KP3757O.js";
9
+ } from "./chunk-YZ22J43K.js";
10
10
  import {
11
11
  JSONSchemaToZod
12
12
  } from "./chunk-LG5NSHEL.js";
13
13
  import {
14
14
  Tel,
15
15
  getPackageVersion
16
- } from "./chunk-WEMFZYUR.js";
16
+ } from "./chunk-PSOT2YDT.js";
17
17
  import {
18
18
  logger
19
19
  } from "./chunk-QWQYAQCK.js";
@@ -2356,7 +2356,7 @@ var MCPClient = class _MCPClient extends BaseMCPClient {
2356
2356
  clientInfo: serverConfig.clientInfo ?? this.config.clientInfo
2357
2357
  };
2358
2358
  if ("command" in merged && "args" in merged) {
2359
- const { StdioConnector } = await import("./stdio-QIYDKXTT.js");
2359
+ const { StdioConnector } = await import("./stdio-ECCMBHYL.js");
2360
2360
  const stdioConfig = merged;
2361
2361
  return new StdioConnector({
2362
2362
  command: stdioConfig.command,
@@ -1,6 +1,6 @@
1
1
  import {
2
2
  CODE_MODE_AGENT_PROMPT
3
- } from "./chunk-2J3FVMZ5.js";
3
+ } from "./chunk-TAPTQKI4.js";
4
4
  import {
5
5
  LangChainAdapter
6
6
  } from "./chunk-27JERD25.js";
@@ -8,7 +8,7 @@ import {
8
8
  Telemetry,
9
9
  extractModelInfo,
10
10
  getPackageVersion
11
- } from "./chunk-WEMFZYUR.js";
11
+ } from "./chunk-PSOT2YDT.js";
12
12
  import {
13
13
  logger
14
14
  } from "./chunk-QWQYAQCK.js";
@@ -3,7 +3,7 @@ import {
3
3
  } from "./chunk-GKPKUKD6.js";
4
4
  import {
5
5
  BaseConnector
6
- } from "./chunk-4KP3757O.js";
6
+ } from "./chunk-YZ22J43K.js";
7
7
  import {
8
8
  logger
9
9
  } from "./chunk-QWQYAQCK.js";
@@ -95,6 +95,41 @@ var BrowserOAuthClientProvider = class {
95
95
  getKey(keySuffix) {
96
96
  return this.session.getKey(keySuffix);
97
97
  }
98
+ /**
99
+ * Re-anchor an SDK-derived OAuth discovery URL from the MCP connection
100
+ * (proxy) origin onto the actual MCP server.
101
+ *
102
+ * When MCP traffic is tunneled through a gateway/inspector proxy, the SDK
103
+ * transport derives `/.well-known/*` URLs from the URL it connected to (the
104
+ * proxy) whenever no `resource_metadata` hint is available — the SSE
105
+ * transport's EventSource cannot read `WWW-Authenticate`, and token refresh
106
+ * runs without a 401 response at hand. The proxy origin serves no OAuth
107
+ * metadata, so discovery would fail and the server would be misclassified
108
+ * as "does not support OAuth". Rewriting reproduces what a direct
109
+ * connection would have requested: the same well-known document, anchored
110
+ * on the server origin, with the RFC 8414 §3.1 / RFC 9728 §3.1 path
111
+ * insertion using the server's path instead of the proxy's.
112
+ */
113
+ reanchorWellKnownUrl(url) {
114
+ if (!this.connectionUrl) return url;
115
+ try {
116
+ const requested = new URL(url);
117
+ const connection = new URL(this.connectionUrl);
118
+ if (requested.origin !== connection.origin) return url;
119
+ if (!requested.pathname.startsWith("/.well-known/")) return url;
120
+ const target = new URL(this.serverUrl);
121
+ const rest = requested.pathname.slice("/.well-known/".length);
122
+ const [doc, ...suffixParts] = rest.split("/");
123
+ if (!doc) return url;
124
+ const suffix = suffixParts.length ? `/${suffixParts.join("/")}` : "";
125
+ const connectionPath = connection.pathname.replace(/\/+$/, "");
126
+ const targetPath = target.pathname.replace(/\/+$/, "");
127
+ const newSuffix = suffix && suffix === connectionPath ? targetPath : suffix;
128
+ return `${target.origin}/.well-known/${doc}${newSuffix}${requested.search}`;
129
+ } catch {
130
+ return url;
131
+ }
132
+ }
98
133
  /**
99
134
  * Returns a `fetch` function, scoped to this provider, that routes OAuth
100
135
  * requests (`.well-known` metadata, token, register, authorize) through the
@@ -124,7 +159,8 @@ var BrowserOAuthClientProvider = class {
124
159
  const connectionUrl = this.connectionUrl;
125
160
  const serverUrl = this.serverUrl;
126
161
  return async (input, init) => {
127
- const url = typeof input === "string" ? input : input instanceof URL ? input.toString() : input.url;
162
+ const requestedUrl = typeof input === "string" ? input : input instanceof URL ? input.toString() : input.url;
163
+ const url = this.reanchorWellKnownUrl(requestedUrl);
128
164
  const isOAuthRequest = url.includes("/.well-known/") || url.match(/\/(register|token|authorize)$/);
129
165
  if (!isOAuthRequest) {
130
166
  return await base(input, init);
@@ -194,7 +230,7 @@ var BrowserOAuthClientProvider = class {
194
230
  "[OAuth Proxy] Request failed, falling back to direct fetch:",
195
231
  error
196
232
  );
197
- return await base(input, init);
233
+ return url !== requestedUrl ? await base(url, init) : await base(input, init);
198
234
  }
199
235
  };
200
236
  }
@@ -6,7 +6,7 @@ import {
6
6
  } from "./chunk-KUEVOU4M.js";
7
7
  import {
8
8
  Telemetry
9
- } from "./chunk-WEMFZYUR.js";
9
+ } from "./chunk-PSOT2YDT.js";
10
10
  import {
11
11
  generateUUID
12
12
  } from "./chunk-MTHLLDCX.js";
@@ -13,7 +13,7 @@ import {
13
13
  } from "./chunk-3GQAWCBQ.js";
14
14
 
15
15
  // src/version.ts
16
- var VERSION = "1.34.0";
16
+ var VERSION = "1.34.1";
17
17
  function getPackageVersion() {
18
18
  return VERSION;
19
19
  }
@@ -1,6 +1,6 @@
1
1
  import {
2
2
  BaseConnector
3
- } from "./chunk-4KP3757O.js";
3
+ } from "./chunk-YZ22J43K.js";
4
4
  import {
5
5
  __name
6
6
  } from "./chunk-3GQAWCBQ.js";
@@ -1,6 +1,6 @@
1
1
  import {
2
2
  Telemetry
3
- } from "./chunk-XS2ZMBOG.js";
3
+ } from "./chunk-XIAP7CEH.js";
4
4
  import {
5
5
  logger
6
6
  } from "./chunk-QWQYAQCK.js";
@@ -6,7 +6,7 @@ import {
6
6
  } from "./chunk-3GQAWCBQ.js";
7
7
 
8
8
  // src/version.ts
9
- var VERSION = "1.34.0";
9
+ var VERSION = "1.34.1";
10
10
  function getPackageVersion() {
11
11
  return VERSION;
12
12
  }
@@ -1,11 +1,11 @@
1
1
  import {
2
2
  BaseConnector,
3
3
  ConnectionManager
4
- } from "./chunk-7MKAP6XK.js";
4
+ } from "./chunk-VYDFQS24.js";
5
5
  import {
6
6
  Tel,
7
7
  getPackageVersion
8
- } from "./chunk-XS2ZMBOG.js";
8
+ } from "./chunk-XIAP7CEH.js";
9
9
  import {
10
10
  logger
11
11
  } from "./chunk-QWQYAQCK.js";
@@ -1,6 +1,6 @@
1
1
  import {
2
2
  Telemetry
3
- } from "./chunk-WEMFZYUR.js";
3
+ } from "./chunk-PSOT2YDT.js";
4
4
  import {
5
5
  logger
6
6
  } from "./chunk-QWQYAQCK.js";
@@ -7,15 +7,15 @@ import {
7
7
  createConnectorFromConfig,
8
8
  normalizeClientInfo,
9
9
  resolveCallbacks
10
- } from "./chunk-BOFDVMBT.js";
10
+ } from "./chunk-YQIRNTLE.js";
11
11
  import "./chunk-URE3PRDB.js";
12
12
  import {
13
13
  BaseConnector
14
- } from "./chunk-7MKAP6XK.js";
14
+ } from "./chunk-VYDFQS24.js";
15
15
  import {
16
16
  Tel,
17
17
  getPackageVersion
18
- } from "./chunk-XS2ZMBOG.js";
18
+ } from "./chunk-XIAP7CEH.js";
19
19
  import {
20
20
  logger
21
21
  } from "./chunk-QWQYAQCK.js";
@@ -1107,7 +1107,7 @@ var MCPClient = class _MCPClient extends BaseMCPClient {
1107
1107
  clientInfo: serverConfig.clientInfo ?? this.config.clientInfo
1108
1108
  };
1109
1109
  if ("command" in merged && "args" in merged) {
1110
- const { StdioConnector } = await import("./stdio-NRH7PMXI.js");
1110
+ const { StdioConnector } = await import("./stdio-VYJBFXTQ.js");
1111
1111
  const stdioConfig = merged;
1112
1112
  return new StdioConnector({
1113
1113
  command: stdioConfig.command,
package/dist/index.cjs CHANGED
@@ -1170,7 +1170,7 @@ var VERSION;
1170
1170
  var init_version = __esm({
1171
1171
  "src/version.ts"() {
1172
1172
  "use strict";
1173
- VERSION = "1.34.0";
1173
+ VERSION = "1.34.1";
1174
1174
  __name(getPackageVersion, "getPackageVersion");
1175
1175
  }
1176
1176
  });
@@ -10102,6 +10102,41 @@ var BrowserOAuthClientProvider = class {
10102
10102
  getKey(keySuffix) {
10103
10103
  return this.session.getKey(keySuffix);
10104
10104
  }
10105
+ /**
10106
+ * Re-anchor an SDK-derived OAuth discovery URL from the MCP connection
10107
+ * (proxy) origin onto the actual MCP server.
10108
+ *
10109
+ * When MCP traffic is tunneled through a gateway/inspector proxy, the SDK
10110
+ * transport derives `/.well-known/*` URLs from the URL it connected to (the
10111
+ * proxy) whenever no `resource_metadata` hint is available — the SSE
10112
+ * transport's EventSource cannot read `WWW-Authenticate`, and token refresh
10113
+ * runs without a 401 response at hand. The proxy origin serves no OAuth
10114
+ * metadata, so discovery would fail and the server would be misclassified
10115
+ * as "does not support OAuth". Rewriting reproduces what a direct
10116
+ * connection would have requested: the same well-known document, anchored
10117
+ * on the server origin, with the RFC 8414 §3.1 / RFC 9728 §3.1 path
10118
+ * insertion using the server's path instead of the proxy's.
10119
+ */
10120
+ reanchorWellKnownUrl(url) {
10121
+ if (!this.connectionUrl) return url;
10122
+ try {
10123
+ const requested = new URL(url);
10124
+ const connection = new URL(this.connectionUrl);
10125
+ if (requested.origin !== connection.origin) return url;
10126
+ if (!requested.pathname.startsWith("/.well-known/")) return url;
10127
+ const target = new URL(this.serverUrl);
10128
+ const rest = requested.pathname.slice("/.well-known/".length);
10129
+ const [doc, ...suffixParts] = rest.split("/");
10130
+ if (!doc) return url;
10131
+ const suffix = suffixParts.length ? `/${suffixParts.join("/")}` : "";
10132
+ const connectionPath = connection.pathname.replace(/\/+$/, "");
10133
+ const targetPath = target.pathname.replace(/\/+$/, "");
10134
+ const newSuffix = suffix && suffix === connectionPath ? targetPath : suffix;
10135
+ return `${target.origin}/.well-known/${doc}${newSuffix}${requested.search}`;
10136
+ } catch {
10137
+ return url;
10138
+ }
10139
+ }
10105
10140
  /**
10106
10141
  * Returns a `fetch` function, scoped to this provider, that routes OAuth
10107
10142
  * requests (`.well-known` metadata, token, register, authorize) through the
@@ -10131,7 +10166,8 @@ var BrowserOAuthClientProvider = class {
10131
10166
  const connectionUrl = this.connectionUrl;
10132
10167
  const serverUrl = this.serverUrl;
10133
10168
  return async (input, init) => {
10134
- const url = typeof input === "string" ? input : input instanceof URL ? input.toString() : input.url;
10169
+ const requestedUrl = typeof input === "string" ? input : input instanceof URL ? input.toString() : input.url;
10170
+ const url = this.reanchorWellKnownUrl(requestedUrl);
10135
10171
  const isOAuthRequest = url.includes("/.well-known/") || url.match(/\/(register|token|authorize)$/);
10136
10172
  if (!isOAuthRequest) {
10137
10173
  return await base(input, init);
@@ -10201,7 +10237,7 @@ var BrowserOAuthClientProvider = class {
10201
10237
  "[OAuth Proxy] Request failed, falling back to direct fetch:",
10202
10238
  error
10203
10239
  );
10204
- return await base(input, init);
10240
+ return url !== requestedUrl ? await base(url, init) : await base(input, init);
10205
10241
  }
10206
10242
  };
10207
10243
  }
package/dist/index.js CHANGED
@@ -5,7 +5,7 @@ import {
5
5
  } from "./chunk-OWF2HVMR.js";
6
6
  import {
7
7
  StdioConnector
8
- } from "./chunk-AOZBHAT7.js";
8
+ } from "./chunk-LZOTKOYW.js";
9
9
  import {
10
10
  clearRpcLogs,
11
11
  getAllRpcLogs,
@@ -32,7 +32,7 @@ import {
32
32
  reject,
33
33
  resolveCallbacks,
34
34
  validate
35
- } from "./chunk-U6UCVQKQ.js";
35
+ } from "./chunk-D7SEH5RU.js";
36
36
  import "./chunk-GKPKUKD6.js";
37
37
  import "./chunk-GXNAXUDI.js";
38
38
  import {
@@ -50,12 +50,12 @@ import {
50
50
  getSupportedProviders,
51
51
  isValidLLMString,
52
52
  parseLLMString
53
- } from "./chunk-3N6PYMAD.js";
53
+ } from "./chunk-LPVVF6US.js";
54
54
  import "./chunk-N27VLLMA.js";
55
- import "./chunk-2J3FVMZ5.js";
55
+ import "./chunk-TAPTQKI4.js";
56
56
  import {
57
57
  BaseConnector
58
- } from "./chunk-4KP3757O.js";
58
+ } from "./chunk-YZ22J43K.js";
59
59
  import {
60
60
  BaseAdapter
61
61
  } from "./chunk-27JERD25.js";
@@ -67,7 +67,7 @@ import {
67
67
  onMcpAuthorization,
68
68
  probeAuthParams,
69
69
  runAuthPopup
70
- } from "./chunk-VWJXSLCF.js";
70
+ } from "./chunk-N3DGPXFX.js";
71
71
  import {
72
72
  sanitizeUrl
73
73
  } from "./chunk-HDFPTC56.js";
@@ -98,7 +98,7 @@ import {
98
98
  createServerRunEventData,
99
99
  getPackageVersion,
100
100
  setTelemetrySource
101
- } from "./chunk-WEMFZYUR.js";
101
+ } from "./chunk-PSOT2YDT.js";
102
102
  import {
103
103
  telFetch
104
104
  } from "./chunk-BXZHMYMM.js";
@@ -583,7 +583,7 @@ var VERSION;
583
583
  var init_version = __esm({
584
584
  "src/version.ts"() {
585
585
  "use strict";
586
- VERSION = "1.34.0";
586
+ VERSION = "1.34.1";
587
587
  __name(getPackageVersion, "getPackageVersion");
588
588
  }
589
589
  });
@@ -3,13 +3,13 @@ import {
3
3
  MCPAgent,
4
4
  PROMPTS,
5
5
  RemoteAgent
6
- } from "../../chunk-3N6PYMAD.js";
6
+ } from "../../chunk-LPVVF6US.js";
7
7
  import "../../chunk-N27VLLMA.js";
8
- import "../../chunk-2J3FVMZ5.js";
9
- import "../../chunk-4KP3757O.js";
8
+ import "../../chunk-TAPTQKI4.js";
9
+ import "../../chunk-YZ22J43K.js";
10
10
  import "../../chunk-27JERD25.js";
11
11
  import "../../chunk-LG5NSHEL.js";
12
- import "../../chunk-WEMFZYUR.js";
12
+ import "../../chunk-PSOT2YDT.js";
13
13
  import "../../chunk-BXZHMYMM.js";
14
14
  import "../../chunk-MTHLLDCX.js";
15
15
  import "../../chunk-QWQYAQCK.js";
@@ -54,6 +54,22 @@ export declare class BrowserOAuthClientProvider implements OAuthClientProvider {
54
54
  get callbackUrl(): string;
55
55
  get scope(): string | undefined;
56
56
  getKey(keySuffix: string): string;
57
+ /**
58
+ * Re-anchor an SDK-derived OAuth discovery URL from the MCP connection
59
+ * (proxy) origin onto the actual MCP server.
60
+ *
61
+ * When MCP traffic is tunneled through a gateway/inspector proxy, the SDK
62
+ * transport derives `/.well-known/*` URLs from the URL it connected to (the
63
+ * proxy) whenever no `resource_metadata` hint is available — the SSE
64
+ * transport's EventSource cannot read `WWW-Authenticate`, and token refresh
65
+ * runs without a 401 response at hand. The proxy origin serves no OAuth
66
+ * metadata, so discovery would fail and the server would be misclassified
67
+ * as "does not support OAuth". Rewriting reproduces what a direct
68
+ * connection would have requested: the same well-known document, anchored
69
+ * on the server origin, with the RFC 8414 §3.1 / RFC 9728 §3.1 path
70
+ * insertion using the server's path instead of the proxy's.
71
+ */
72
+ private reanchorWellKnownUrl;
57
73
  /**
58
74
  * Returns a `fetch` function, scoped to this provider, that routes OAuth
59
75
  * requests (`.well-known` metadata, token, register, authorize) through the
@@ -1 +1 @@
1
- {"version":3,"file":"browser-provider.d.ts","sourceRoot":"","sources":["../../../src/auth/browser-provider.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,0CAA0C,CAAC;AACpF,OAAO,KAAK,EACV,sBAAsB,EACtB,mBAAmB,EACnB,WAAW,EACZ,MAAM,0CAA0C,CAAC;AAkBlD,UAAU,mBAAmB;IAC3B,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,4EAA4E;IAC5E,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB;;;;;;;OAOG;IACH,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAC7B;;;;;OAKG;IACH,gBAAgB,CAAC,EAAE,sBAAsB,CAAC;IAC1C,wEAAwE;IACxE,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,aAAa,CAAC,EAAE,CACd,GAAG,EAAE,MAAM,EACX,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,UAAU,CAAC,MAAM,GAAG,IAAI,KAC7B,IAAI,CAAC;CACX;AAED;;GAEG;AACH,qBAAa,0BAA2B,YAAW,mBAAmB;IACpE,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,gBAAgB,CAAC,EAAE,sBAAsB,CAAC;IACnD,OAAO,CAAC,OAAO,CAAoB;IAGnC,OAAO,CAAC,eAAe,CAAC,CAAU;IAClC,OAAO,CAAC,eAAe,CAAC,CAAU;IAClC,OAAO,CAAC,aAAa,CAAC,CAAS;IAC/B,OAAO,CAAC,aAAa,CAAC,CAAS;IAC/B,OAAO,CAAC,kBAAkB,CAAU;IACpC,OAAO,CAAC,qBAAqB,CAAuB;IACpD,QAAQ,CAAC,aAAa,EAClB,CAAC,CACC,GAAG,EAAE,MAAM,EACX,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,UAAU,CAAC,MAAM,GAAG,IAAI,KAC7B,IAAI,CAAC,GACV,SAAS,CAAC;gBAEF,SAAS,EAAE,MAAM,EAAE,OAAO,GAAE,mBAAwB;IAkBhE,IAAI,gBAAgB,IAAI,MAAM,CAE7B;IAED,IAAI,aAAa,IAAI,MAAM,CAE1B;IAED,IAAI,UAAU,IAAI,MAAM,CAEvB;IAED,IAAI,SAAS,IAAI,MAAM,CAEtB;IAED,IAAI,OAAO,IAAI,MAAM,CAEpB;IAED,IAAI,WAAW,IAAI,MAAM,CAExB;IAED,IAAI,KAAK,IAAI,MAAM,GAAG,SAAS,CAE9B;IAED,MAAM,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM;IAIjC;;;;;;;;;;;;;;;;;;;OAmBG;IACH,aAAa,CAAC,SAAS,CAAC,EAAE,OAAO,KAAK,GAAG,OAAO,KAAK,GAAG,SAAS;IA6IjE,IAAI,WAAW,IAAI,MAAM,CAExB;IAED,IAAI,cAAc,IAAI,mBAAmB,CAExC;IAED,MAAM,IAAI,OAAO,CAAC,WAAW,GAAG,SAAS,CAAC;IAI1C,UAAU,CAAC,MAAM,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC;IAIxC,iBAAiB,IAAI,OAAO,CAAC,sBAAsB,GAAG,SAAS,CAAC;IAShE,qBAAqB,CACzB,iBAAiB,EAAE,sBAAsB,GACxC,OAAO,CAAC,IAAI,CAAC;IAOhB,YAAY,IAAI,OAAO,CAAC,MAAM,CAAC;IAI/B,gBAAgB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAIrD,qBAAqB,CACnB,KAAK,EAAE,KAAK,GAAG,QAAQ,GAAG,QAAQ,GAAG,UAAU,GAC9C,OAAO,CAAC,IAAI,CAAC;IAIhB;;;;OAIG;IACH,gBAAgB,IAAI,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAI1C;;;;OAIG;IACH,oBAAoB,IAAI,OAAO,CAAC;QAC9B,SAAS,EAAE,MAAM,CAAC;QAClB,aAAa,CAAC,EAAE,MAAM,CAAC;KACxB,GAAG,IAAI,CAAC;IAIT;;;;;OAKG;IACG,uBAAuB,CAAC,gBAAgB,EAAE,GAAG,GAAG,OAAO,CAAC,MAAM,CAAC;IAiBrE;;;OAGG;IACG,uBAAuB,CAAC,gBAAgB,EAAE,GAAG,GAAG,OAAO,CAAC,IAAI,CAAC;IAuDnE;;;;OAIG;IACH,OAAO,CAAC,2BAA2B;IAyBnC;;OAEG;IACH,uBAAuB,IAAI,MAAM,GAAG,IAAI;IAMxC,YAAY,IAAI,MAAM;CAqCvB"}
1
+ {"version":3,"file":"browser-provider.d.ts","sourceRoot":"","sources":["../../../src/auth/browser-provider.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,0CAA0C,CAAC;AACpF,OAAO,KAAK,EACV,sBAAsB,EACtB,mBAAmB,EACnB,WAAW,EACZ,MAAM,0CAA0C,CAAC;AAkBlD,UAAU,mBAAmB;IAC3B,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,4EAA4E;IAC5E,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB;;;;;;;OAOG;IACH,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAC7B;;;;;OAKG;IACH,gBAAgB,CAAC,EAAE,sBAAsB,CAAC;IAC1C,wEAAwE;IACxE,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,aAAa,CAAC,EAAE,CACd,GAAG,EAAE,MAAM,EACX,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,UAAU,CAAC,MAAM,GAAG,IAAI,KAC7B,IAAI,CAAC;CACX;AAED;;GAEG;AACH,qBAAa,0BAA2B,YAAW,mBAAmB;IACpE,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,gBAAgB,CAAC,EAAE,sBAAsB,CAAC;IACnD,OAAO,CAAC,OAAO,CAAoB;IAGnC,OAAO,CAAC,eAAe,CAAC,CAAU;IAClC,OAAO,CAAC,eAAe,CAAC,CAAU;IAClC,OAAO,CAAC,aAAa,CAAC,CAAS;IAC/B,OAAO,CAAC,aAAa,CAAC,CAAS;IAC/B,OAAO,CAAC,kBAAkB,CAAU;IACpC,OAAO,CAAC,qBAAqB,CAAuB;IACpD,QAAQ,CAAC,aAAa,EAClB,CAAC,CACC,GAAG,EAAE,MAAM,EACX,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,UAAU,CAAC,MAAM,GAAG,IAAI,KAC7B,IAAI,CAAC,GACV,SAAS,CAAC;gBAEF,SAAS,EAAE,MAAM,EAAE,OAAO,GAAE,mBAAwB;IAkBhE,IAAI,gBAAgB,IAAI,MAAM,CAE7B;IAED,IAAI,aAAa,IAAI,MAAM,CAE1B;IAED,IAAI,UAAU,IAAI,MAAM,CAEvB;IAED,IAAI,SAAS,IAAI,MAAM,CAEtB;IAED,IAAI,OAAO,IAAI,MAAM,CAEpB;IAED,IAAI,WAAW,IAAI,MAAM,CAExB;IAED,IAAI,KAAK,IAAI,MAAM,GAAG,SAAS,CAE9B;IAED,MAAM,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM;IAIjC;;;;;;;;;;;;;;OAcG;IACH,OAAO,CAAC,oBAAoB;IA2B5B;;;;;;;;;;;;;;;;;;;OAmBG;IACH,aAAa,CAAC,SAAS,CAAC,EAAE,OAAO,KAAK,GAAG,OAAO,KAAK,GAAG,SAAS;IAsJjE,IAAI,WAAW,IAAI,MAAM,CAExB;IAED,IAAI,cAAc,IAAI,mBAAmB,CAExC;IAED,MAAM,IAAI,OAAO,CAAC,WAAW,GAAG,SAAS,CAAC;IAI1C,UAAU,CAAC,MAAM,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC;IAIxC,iBAAiB,IAAI,OAAO,CAAC,sBAAsB,GAAG,SAAS,CAAC;IAShE,qBAAqB,CACzB,iBAAiB,EAAE,sBAAsB,GACxC,OAAO,CAAC,IAAI,CAAC;IAOhB,YAAY,IAAI,OAAO,CAAC,MAAM,CAAC;IAI/B,gBAAgB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAIrD,qBAAqB,CACnB,KAAK,EAAE,KAAK,GAAG,QAAQ,GAAG,QAAQ,GAAG,UAAU,GAC9C,OAAO,CAAC,IAAI,CAAC;IAIhB;;;;OAIG;IACH,gBAAgB,IAAI,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAI1C;;;;OAIG;IACH,oBAAoB,IAAI,OAAO,CAAC;QAC9B,SAAS,EAAE,MAAM,CAAC;QAClB,aAAa,CAAC,EAAE,MAAM,CAAC;KACxB,GAAG,IAAI,CAAC;IAIT;;;;;OAKG;IACG,uBAAuB,CAAC,gBAAgB,EAAE,GAAG,GAAG,OAAO,CAAC,MAAM,CAAC;IAiBrE;;;OAGG;IACG,uBAAuB,CAAC,gBAAgB,EAAE,GAAG,GAAG,OAAO,CAAC,IAAI,CAAC;IAuDnE;;;;OAIG;IACH,OAAO,CAAC,2BAA2B;IAyBnC;;OAEG;IACH,uBAAuB,IAAI,MAAM,GAAG,IAAI;IAMxC,YAAY,IAAI,MAAM;CAqCvB"}
@@ -444,6 +444,41 @@ var BrowserOAuthClientProvider = class {
444
444
  getKey(keySuffix) {
445
445
  return this.session.getKey(keySuffix);
446
446
  }
447
+ /**
448
+ * Re-anchor an SDK-derived OAuth discovery URL from the MCP connection
449
+ * (proxy) origin onto the actual MCP server.
450
+ *
451
+ * When MCP traffic is tunneled through a gateway/inspector proxy, the SDK
452
+ * transport derives `/.well-known/*` URLs from the URL it connected to (the
453
+ * proxy) whenever no `resource_metadata` hint is available — the SSE
454
+ * transport's EventSource cannot read `WWW-Authenticate`, and token refresh
455
+ * runs without a 401 response at hand. The proxy origin serves no OAuth
456
+ * metadata, so discovery would fail and the server would be misclassified
457
+ * as "does not support OAuth". Rewriting reproduces what a direct
458
+ * connection would have requested: the same well-known document, anchored
459
+ * on the server origin, with the RFC 8414 §3.1 / RFC 9728 §3.1 path
460
+ * insertion using the server's path instead of the proxy's.
461
+ */
462
+ reanchorWellKnownUrl(url) {
463
+ if (!this.connectionUrl) return url;
464
+ try {
465
+ const requested = new URL(url);
466
+ const connection = new URL(this.connectionUrl);
467
+ if (requested.origin !== connection.origin) return url;
468
+ if (!requested.pathname.startsWith("/.well-known/")) return url;
469
+ const target = new URL(this.serverUrl);
470
+ const rest = requested.pathname.slice("/.well-known/".length);
471
+ const [doc, ...suffixParts] = rest.split("/");
472
+ if (!doc) return url;
473
+ const suffix = suffixParts.length ? `/${suffixParts.join("/")}` : "";
474
+ const connectionPath = connection.pathname.replace(/\/+$/, "");
475
+ const targetPath = target.pathname.replace(/\/+$/, "");
476
+ const newSuffix = suffix && suffix === connectionPath ? targetPath : suffix;
477
+ return `${target.origin}/.well-known/${doc}${newSuffix}${requested.search}`;
478
+ } catch {
479
+ return url;
480
+ }
481
+ }
447
482
  /**
448
483
  * Returns a `fetch` function, scoped to this provider, that routes OAuth
449
484
  * requests (`.well-known` metadata, token, register, authorize) through the
@@ -473,7 +508,8 @@ var BrowserOAuthClientProvider = class {
473
508
  const connectionUrl = this.connectionUrl;
474
509
  const serverUrl = this.serverUrl;
475
510
  return async (input, init) => {
476
- const url = typeof input === "string" ? input : input instanceof URL ? input.toString() : input.url;
511
+ const requestedUrl = typeof input === "string" ? input : input instanceof URL ? input.toString() : input.url;
512
+ const url = this.reanchorWellKnownUrl(requestedUrl);
477
513
  const isOAuthRequest = url.includes("/.well-known/") || url.match(/\/(register|token|authorize)$/);
478
514
  if (!isOAuthRequest) {
479
515
  return await base(input, init);
@@ -543,7 +579,7 @@ var BrowserOAuthClientProvider = class {
543
579
  "[OAuth Proxy] Request failed, falling back to direct fetch:",
544
580
  error
545
581
  );
546
- return await base(input, init);
582
+ return url !== requestedUrl ? await base(url, init) : await base(input, init);
547
583
  }
548
584
  };
549
585
  }
@@ -5,7 +5,7 @@ import {
5
5
  onMcpAuthorization,
6
6
  probeAuthParams,
7
7
  runAuthPopup
8
- } from "../../chunk-VWJXSLCF.js";
8
+ } from "../../chunk-N3DGPXFX.js";
9
9
  import "../../chunk-HDFPTC56.js";
10
10
  import "../../chunk-3GQAWCBQ.js";
11
11
  export {
@@ -1170,7 +1170,7 @@ var VERSION;
1170
1170
  var init_version = __esm({
1171
1171
  "src/version.ts"() {
1172
1172
  "use strict";
1173
- VERSION = "1.34.0";
1173
+ VERSION = "1.34.1";
1174
1174
  __name(getPackageVersion, "getPackageVersion");
1175
1175
  }
1176
1176
  });
@@ -7,7 +7,7 @@ import {
7
7
  Telemetry,
8
8
  extractModelInfo,
9
9
  getPackageVersion
10
- } from "../chunk-XS2ZMBOG.js";
10
+ } from "../chunk-XIAP7CEH.js";
11
11
  import {
12
12
  logger
13
13
  } from "../chunk-QWQYAQCK.js";
@@ -1671,7 +1671,7 @@ var MCPAgent = class {
1671
1671
  logger.debug(
1672
1672
  `Creating MCPClient with ${Object.keys(this.mcpServersConfig).length} server(s)...`
1673
1673
  );
1674
- const { MCPClient } = await import("../client-O5HMGXF3.js");
1674
+ const { MCPClient } = await import("../client-AGYZM4PU.js");
1675
1675
  this.client = new MCPClient({ mcpServers: this.mcpServersConfig });
1676
1676
  logger.debug("\u2705 MCPClient created successfully");
1677
1677
  }
@@ -783,7 +783,7 @@ var ClientRemoveServerEvent = class extends BaseTelemetryEvent {
783
783
  };
784
784
 
785
785
  // src/version.ts
786
- var VERSION = "1.34.0";
786
+ var VERSION = "1.34.1";
787
787
  function getPackageVersion() {
788
788
  return VERSION;
789
789
  }
@@ -3512,6 +3512,41 @@ var BrowserOAuthClientProvider = class {
3512
3512
  getKey(keySuffix) {
3513
3513
  return this.session.getKey(keySuffix);
3514
3514
  }
3515
+ /**
3516
+ * Re-anchor an SDK-derived OAuth discovery URL from the MCP connection
3517
+ * (proxy) origin onto the actual MCP server.
3518
+ *
3519
+ * When MCP traffic is tunneled through a gateway/inspector proxy, the SDK
3520
+ * transport derives `/.well-known/*` URLs from the URL it connected to (the
3521
+ * proxy) whenever no `resource_metadata` hint is available — the SSE
3522
+ * transport's EventSource cannot read `WWW-Authenticate`, and token refresh
3523
+ * runs without a 401 response at hand. The proxy origin serves no OAuth
3524
+ * metadata, so discovery would fail and the server would be misclassified
3525
+ * as "does not support OAuth". Rewriting reproduces what a direct
3526
+ * connection would have requested: the same well-known document, anchored
3527
+ * on the server origin, with the RFC 8414 §3.1 / RFC 9728 §3.1 path
3528
+ * insertion using the server's path instead of the proxy's.
3529
+ */
3530
+ reanchorWellKnownUrl(url) {
3531
+ if (!this.connectionUrl) return url;
3532
+ try {
3533
+ const requested = new URL(url);
3534
+ const connection = new URL(this.connectionUrl);
3535
+ if (requested.origin !== connection.origin) return url;
3536
+ if (!requested.pathname.startsWith("/.well-known/")) return url;
3537
+ const target = new URL(this.serverUrl);
3538
+ const rest = requested.pathname.slice("/.well-known/".length);
3539
+ const [doc, ...suffixParts] = rest.split("/");
3540
+ if (!doc) return url;
3541
+ const suffix = suffixParts.length ? `/${suffixParts.join("/")}` : "";
3542
+ const connectionPath = connection.pathname.replace(/\/+$/, "");
3543
+ const targetPath = target.pathname.replace(/\/+$/, "");
3544
+ const newSuffix = suffix && suffix === connectionPath ? targetPath : suffix;
3545
+ return `${target.origin}/.well-known/${doc}${newSuffix}${requested.search}`;
3546
+ } catch {
3547
+ return url;
3548
+ }
3549
+ }
3515
3550
  /**
3516
3551
  * Returns a `fetch` function, scoped to this provider, that routes OAuth
3517
3552
  * requests (`.well-known` metadata, token, register, authorize) through the
@@ -3541,7 +3576,8 @@ var BrowserOAuthClientProvider = class {
3541
3576
  const connectionUrl = this.connectionUrl;
3542
3577
  const serverUrl = this.serverUrl;
3543
3578
  return async (input, init) => {
3544
- const url = typeof input === "string" ? input : input instanceof URL ? input.toString() : input.url;
3579
+ const requestedUrl = typeof input === "string" ? input : input instanceof URL ? input.toString() : input.url;
3580
+ const url = this.reanchorWellKnownUrl(requestedUrl);
3545
3581
  const isOAuthRequest = url.includes("/.well-known/") || url.match(/\/(register|token|authorize)$/);
3546
3582
  if (!isOAuthRequest) {
3547
3583
  return await base(input, init);
@@ -3611,7 +3647,7 @@ var BrowserOAuthClientProvider = class {
3611
3647
  "[OAuth Proxy] Request failed, falling back to direct fetch:",
3612
3648
  error
3613
3649
  );
3614
- return await base(input, init);
3650
+ return url !== requestedUrl ? await base(url, init) : await base(input, init);
3615
3651
  }
3616
3652
  };
3617
3653
  }