mcp-use 1.6.3-canary.0 → 1.7.0-canary.1

package/dist/chunk-R5DJJ4IV.js

@@ -0,0 +1,942 @@
+import {
+  __name
+} from "./chunk-3GQAWCBQ.js";
+
+// src/server/oauth/providers/supabase.ts
+import {
+  jwtVerify,
+  createRemoteJWKSet,
+  decodeProtectedHeader,
+  decodeJwt
+} from "jose";
+var SupabaseOAuthProvider = class {
+  static {
+    __name(this, "SupabaseOAuthProvider");
+  }
+  config;
+  supabaseUrl;
+  supabaseAuthUrl;
+  issuer;
+  jwks = null;
+  constructor(config) {
+    this.config = config;
+    this.supabaseUrl = `https://${config.projectId}.supabase.co`;
+    this.supabaseAuthUrl = `${this.supabaseUrl}/auth/v1`;
+    this.issuer = `${this.supabaseUrl}/auth/v1`;
+  }
+  getJWKS() {
+    if (!this.jwks) {
+      this.jwks = createRemoteJWKSet(
+        new URL(`${this.issuer}/.well-known/jwks.json`)
+      );
+    }
+    return this.jwks;
+  }
+  async verifyToken(token) {
+    if (this.config.skipVerification) {
+      console.warn(
+        "[Supabase OAuth] \u26A0\uFE0F  SKIPPING VERIFICATION (DEVELOPMENT MODE)"
+      );
+      console.warn(
+        "[Supabase OAuth]     This is NOT secure! Only use for testing!"
+      );
+      const payload = decodeJwt(token);
+      return { payload, protectedHeader: decodeProtectedHeader(token) };
+    }
+    try {
+      const header = decodeProtectedHeader(token);
+      if (header.alg === "HS256") {
+        if (!this.config.jwtSecret) {
+          throw new Error(
+            "JWT Secret is required for HS256 tokens. Get it from: Supabase Dashboard \u2192 Project Settings \u2192 API \u2192 JWT Settings"
+          );
+        }
+        const secret = new TextEncoder().encode(this.config.jwtSecret);
+        const result = await jwtVerify(token, secret, {
+          issuer: this.issuer,
+          audience: "authenticated"
+        });
+        return result;
+      } else if (header.alg === "ES256") {
+        const result = await jwtVerify(token, this.getJWKS(), {
+          issuer: this.issuer,
+          audience: "authenticated"
+        });
+        return result;
+      } else {
+        throw new Error(`Unsupported algorithm: ${header.alg}`);
+      }
+    } catch (error) {
+      throw new Error(`Supabase JWT verification failed: ${error}`);
+    }
+  }
+  getUserInfo(payload) {
+    return {
+      userId: payload.sub || payload.user_id,
+      email: payload.email,
+      name: payload.user_metadata?.name || payload.user_metadata?.full_name,
+      username: payload.user_metadata?.username,
+      picture: payload.user_metadata?.avatar_url,
+      roles: payload.role ? [payload.role] : [],
+      permissions: payload.aal ? [`aal:${payload.aal}`] : [],
+      // Include Supabase-specific claims
+      aal: payload.aal,
+      // Authentication Assurance Level
+      amr: payload.amr,
+      // Authentication Methods References
+      session_id: payload.session_id
+    };
+  }
+  getIssuer() {
+    return this.issuer;
+  }
+  getAuthEndpoint() {
+    return `${this.supabaseAuthUrl}/authorize`;
+  }
+  getTokenEndpoint() {
+    return `${this.supabaseAuthUrl}/token`;
+  }
+  getScopesSupported() {
+    return [];
+  }
+  getGrantTypesSupported() {
+    return ["authorization_code", "refresh_token"];
+  }
+};
+
+// src/server/oauth/providers/auth0.ts
+import { jwtVerify as jwtVerify2, createRemoteJWKSet as createRemoteJWKSet2 } from "jose";
+var Auth0OAuthProvider = class {
+  static {
+    __name(this, "Auth0OAuthProvider");
+  }
+  config;
+  issuer;
+  jwks = null;
+  constructor(config) {
+    this.config = config;
+    this.issuer = `https://${config.domain}`;
+  }
+  getJWKS() {
+    if (!this.jwks) {
+      this.jwks = createRemoteJWKSet2(
+        new URL(`${this.issuer}/.well-known/jwks.json`)
+      );
+    }
+    return this.jwks;
+  }
+  async verifyToken(token) {
+    if (this.config.verifyJwt === false) {
+      console.warn("[Auth0 OAuth] \u26A0\uFE0F  JWT verification is disabled");
+      console.warn("[Auth0 OAuth]     Enable verifyJwt: true for production");
+      const parts = token.split(".");
+      if (parts.length !== 3) {
+        throw new Error("Invalid JWT format");
+      }
+      const payload = JSON.parse(
+        Buffer.from(parts[1], "base64url").toString("utf8")
+      );
+      return { payload };
+    }
+    try {
+      const result = await jwtVerify2(token, this.getJWKS(), {
+        issuer: this.issuer,
+        audience: this.config.audience
+      });
+      return result;
+    } catch (error) {
+      throw new Error(`Auth0 JWT verification failed: ${error}`);
+    }
+  }
+  getUserInfo(payload) {
+    return {
+      userId: payload.sub,
+      email: payload.email,
+      name: payload.name,
+      username: payload.username,
+      nickname: payload.nickname,
+      picture: payload.picture,
+      // Auth0 includes permissions directly in the token
+      permissions: payload.permissions || [],
+      // Auth0 can include roles (if configured)
+      roles: payload.roles || payload["https://your-app.com/roles"] || [],
+      // Include scope as well
+      scopes: payload.scope ? payload.scope.split(" ") : [],
+      // Additional Auth0-specific claims
+      email_verified: payload.email_verified,
+      updated_at: payload.updated_at
+    };
+  }
+  getIssuer() {
+    return this.issuer;
+  }
+  getAuthEndpoint() {
+    return `${this.issuer}/authorize`;
+  }
+  getTokenEndpoint() {
+    return `${this.issuer}/oauth/token`;
+  }
+  getScopesSupported() {
+    return ["openid", "profile", "email", "offline_access"];
+  }
+  getGrantTypesSupported() {
+    return ["authorization_code", "refresh_token"];
+  }
+};
+
+// src/server/oauth/providers/keycloak.ts
+import { jwtVerify as jwtVerify3, createRemoteJWKSet as createRemoteJWKSet3 } from "jose";
+var KeycloakOAuthProvider = class {
+  static {
+    __name(this, "KeycloakOAuthProvider");
+  }
+  config;
+  issuer;
+  jwks = null;
+  constructor(config) {
+    this.config = config;
+    const serverUrl = config.serverUrl.replace(/\/$/, "");
+    this.issuer = `${serverUrl}/realms/${config.realm}`;
+  }
+  getJWKS() {
+    if (!this.jwks) {
+      this.jwks = createRemoteJWKSet3(
+        new URL(`${this.issuer}/protocol/openid-connect/certs`)
+      );
+    }
+    return this.jwks;
+  }
+  async verifyToken(token) {
+    if (this.config.verifyJwt === false) {
+      console.warn("[Keycloak OAuth] \u26A0\uFE0F  JWT verification is disabled");
+      console.warn(
+        "[Keycloak OAuth]     Enable verifyJwt: true for production"
+      );
+      const parts = token.split(".");
+      if (parts.length !== 3) {
+        throw new Error("Invalid JWT format");
+      }
+      const payload = JSON.parse(
+        Buffer.from(parts[1], "base64url").toString("utf8")
+      );
+      return { payload };
+    }
+    try {
+      const result = await jwtVerify3(token, this.getJWKS(), {
+        issuer: this.issuer,
+        // Don't verify audience if not specified
+        ...this.config.clientId && { audience: this.config.clientId }
+      });
+      return result;
+    } catch (error) {
+      throw new Error(`Keycloak JWT verification failed: ${error}`);
+    }
+  }
+  getUserInfo(payload) {
+    const realmRoles = payload.realm_access?.roles || [];
+    const clientRoles = this.config.clientId && payload.resource_access?.[this.config.clientId]?.roles || [];
+    const allRoles = [...realmRoles, ...clientRoles];
+    const permissions = [];
+    if (payload.resource_access) {
+      Object.entries(payload.resource_access).forEach(
+        ([resource, access]) => {
+          if (access.roles) {
+            access.roles.forEach((role) => {
+              permissions.push(`${resource}:${role}`);
+            });
+          }
+        }
+      );
+    }
+    return {
+      userId: payload.sub,
+      email: payload.email,
+      name: payload.name,
+      username: payload.preferred_username,
+      nickname: payload.preferred_username,
+      picture: payload.picture,
+      roles: allRoles,
+      permissions,
+      // Include scope as well
+      scopes: payload.scope ? payload.scope.split(" ") : [],
+      // Keycloak-specific claims
+      email_verified: payload.email_verified,
+      given_name: payload.given_name,
+      family_name: payload.family_name,
+      realm_access: payload.realm_access,
+      resource_access: payload.resource_access
+    };
+  }
+  getIssuer() {
+    return this.issuer;
+  }
+  getAuthEndpoint() {
+    return `${this.issuer}/protocol/openid-connect/auth`;
+  }
+  getTokenEndpoint() {
+    return `${this.issuer}/protocol/openid-connect/token`;
+  }
+  getScopesSupported() {
+    return ["openid", "profile", "email", "offline_access", "roles"];
+  }
+  getGrantTypesSupported() {
+    return ["authorization_code", "refresh_token", "client_credentials"];
+  }
+};
+
+// src/server/oauth/providers/workos.ts
+import { jwtVerify as jwtVerify4, createRemoteJWKSet as createRemoteJWKSet4, decodeJwt as decodeJwt2 } from "jose";
+var WorkOSOAuthProvider = class {
+  static {
+    __name(this, "WorkOSOAuthProvider");
+  }
+  config;
+  issuer;
+  jwks = null;
+  constructor(config) {
+    this.config = config;
+    this.issuer = `https://${config.subdomain}.authkit.app`;
+  }
+  getJWKS() {
+    if (!this.jwks) {
+      this.jwks = createRemoteJWKSet4(new URL(`${this.issuer}/oauth2/jwks`));
+    }
+    return this.jwks;
+  }
+  async verifyToken(token) {
+    if (this.config.verifyJwt === false) {
+      console.warn("[WorkOS OAuth] \u26A0\uFE0F  JWT verification is disabled");
+      console.warn("[WorkOS OAuth]     Enable verifyJwt: true for production");
+      const parts = token.split(".");
+      if (parts.length !== 3) {
+        throw new Error("Invalid JWT format");
+      }
+      const payload = decodeJwt2(token);
+      return { payload };
+    }
+    try {
+      const result = await jwtVerify4(token, this.getJWKS(), {
+        issuer: this.issuer
+      });
+      return result;
+    } catch (error) {
+      throw new Error(`WorkOS JWT verification failed: ${error}`);
+    }
+  }
+  getUserInfo(payload) {
+    return {
+      userId: payload.sub,
+      email: payload.email,
+      name: payload.name,
+      username: payload.preferred_username,
+      picture: payload.picture,
+      // WorkOS includes permissions and roles in token
+      permissions: payload.permissions || [],
+      roles: payload.roles || [],
+      // Include scope as well
+      scopes: payload.scope ? payload.scope.split(" ") : [],
+      // Additional WorkOS-specific claims
+      email_verified: payload.email_verified,
+      organization_id: payload.org_id,
+      sid: payload.sid
+      // Session ID
+    };
+  }
+  getIssuer() {
+    return this.issuer;
+  }
+  getAuthEndpoint() {
+    return `${this.issuer}/oauth2/authorize`;
+  }
+  getTokenEndpoint() {
+    return `${this.issuer}/oauth2/token`;
+  }
+  getScopesSupported() {
+    return ["email", "offline_access", "openid", "profile"];
+  }
+  getGrantTypesSupported() {
+    return ["authorization_code", "refresh_token"];
+  }
+  getMode() {
+    if (this.config.clientId) {
+      console.log("[WorkOS OAuth] Using proxy mode (pre-registered client)");
+      return "proxy";
+    }
+    console.log(
+      "[WorkOS OAuth] Using direct mode (Dynamic Client Registration)"
+    );
+    return "direct";
+  }
+  getRegistrationEndpoint() {
+    if (this.config.clientId) {
+      return void 0;
+    }
+    return `${this.issuer}/oauth2/register`;
+  }
+};
+
+// src/server/oauth/providers/custom.ts
+var CustomOAuthProvider = class {
+  static {
+    __name(this, "CustomOAuthProvider");
+  }
+  config;
+  constructor(config) {
+    this.config = config;
+  }
+  async verifyToken(token) {
+    try {
+      const result = await this.config.verifyToken(token);
+      return { payload: result };
+    } catch (error) {
+      throw new Error(`Custom OAuth verification failed: ${error}`);
+    }
+  }
+  getUserInfo(payload) {
+    if (this.config.getUserInfo) {
+      return this.config.getUserInfo(payload);
+    }
+    return {
+      userId: payload.sub || payload.user_id || payload.id,
+      email: payload.email,
+      name: payload.name,
+      username: payload.username || payload.preferred_username,
+      nickname: payload.nickname,
+      picture: payload.picture || payload.avatar_url,
+      roles: payload.roles || [],
+      permissions: payload.permissions || [],
+      scopes: payload.scope ? payload.scope.split(" ") : []
+    };
+  }
+  getIssuer() {
+    return this.config.issuer;
+  }
+  getAuthEndpoint() {
+    return this.config.authEndpoint;
+  }
+  getTokenEndpoint() {
+    return this.config.tokenEndpoint;
+  }
+  getScopesSupported() {
+    return this.config.scopesSupported || ["openid", "profile", "email"];
+  }
+  getGrantTypesSupported() {
+    return this.config.grantTypesSupported || ["authorization_code", "refresh_token"];
+  }
+};
+
+// src/server/utils/runtime.ts
+var isDeno = typeof globalThis.Deno !== "undefined";
+function getEnv(key) {
+  if (isDeno) {
+    return globalThis.Deno.env.get(key);
+  }
+  return process.env[key];
+}
+__name(getEnv, "getEnv");
+function getCwd() {
+  if (isDeno) {
+    return globalThis.Deno.cwd();
+  }
+  return process.cwd();
+}
+__name(getCwd, "getCwd");
+var fsHelpers = {
+  async readFileSync(path, encoding = "utf8") {
+    if (isDeno) {
+      return await globalThis.Deno.readTextFile(path);
+    }
+    const { readFileSync } = await import("fs");
+    const result = readFileSync(path, encoding);
+    return typeof result === "string" ? result : result.toString(encoding);
+  },
+  async readFile(path) {
+    if (isDeno) {
+      const data = await globalThis.Deno.readFile(path);
+      return data.buffer;
+    }
+    const { readFileSync } = await import("fs");
+    const buffer = readFileSync(path);
+    return buffer.buffer.slice(
+      buffer.byteOffset,
+      buffer.byteOffset + buffer.byteLength
+    );
+  },
+  async existsSync(path) {
+    if (isDeno) {
+      try {
+        await globalThis.Deno.stat(path);
+        return true;
+      } catch {
+        return false;
+      }
+    }
+    const { existsSync } = await import("fs");
+    return existsSync(path);
+  },
+  async readdirSync(path) {
+    if (isDeno) {
+      const entries = [];
+      for await (const entry of globalThis.Deno.readDir(path)) {
+        entries.push(entry.name);
+      }
+      return entries;
+    }
+    const { readdirSync } = await import("fs");
+    return readdirSync(path);
+  }
+};
+var pathHelpers = {
+  join(...paths) {
+    if (isDeno) {
+      return paths.join("/").replace(/\/+/g, "/");
+    }
+    return paths.join("/").replace(/\/+/g, "/");
+  },
+  relative(from, to) {
+    const fromParts = from.split("/").filter((p) => p);
+    const toParts = to.split("/").filter((p) => p);
+    let i = 0;
+    while (i < fromParts.length && i < toParts.length && fromParts[i] === toParts[i]) {
+      i++;
+    }
+    const upCount = fromParts.length - i;
+    const relativeParts = [...Array(upCount).fill(".."), ...toParts.slice(i)];
+    return relativeParts.join("/");
+  }
+};
+function generateUUID() {
+  return globalThis.crypto.randomUUID();
+}
+__name(generateUUID, "generateUUID");
+
+// src/server/oauth/providers.ts
+function oauthSupabaseProvider(config = {}) {
+  const projectId = config.projectId ?? getEnv("MCP_USE_OAUTH_SUPABASE_PROJECT_ID");
+  const jwtSecret = config.jwtSecret ?? getEnv("MCP_USE_OAUTH_SUPABASE_JWT_SECRET");
+  if (!projectId) {
+    throw new Error(
+      "Supabase projectId is required. Set MCP_USE_OAUTH_SUPABASE_PROJECT_ID environment variable or pass projectId in config."
+    );
+  }
+  return new SupabaseOAuthProvider({
+    provider: "supabase",
+    projectId,
+    jwtSecret,
+    skipVerification: config.skipVerification
+  });
+}
+__name(oauthSupabaseProvider, "oauthSupabaseProvider");
+function oauthAuth0Provider(config = {}) {
+  const domain = config.domain ?? getEnv("MCP_USE_OAUTH_AUTH0_DOMAIN");
+  const audience = config.audience ?? getEnv("MCP_USE_OAUTH_AUTH0_AUDIENCE");
+  if (!domain) {
+    throw new Error(
+      "Auth0 domain is required. Set MCP_USE_OAUTH_AUTH0_DOMAIN environment variable or pass domain in config."
+    );
+  }
+  if (!audience) {
+    throw new Error(
+      "Auth0 audience is required. Set MCP_USE_OAUTH_AUTH0_AUDIENCE environment variable or pass audience in config."
+    );
+  }
+  return new Auth0OAuthProvider({
+    provider: "auth0",
+    domain,
+    audience,
+    verifyJwt: config.verifyJwt
+  });
+}
+__name(oauthAuth0Provider, "oauthAuth0Provider");
+function oauthKeycloakProvider(config = {}) {
+  const serverUrl = config.serverUrl ?? getEnv("MCP_USE_OAUTH_KEYCLOAK_SERVER_URL");
+  const realm = config.realm ?? getEnv("MCP_USE_OAUTH_KEYCLOAK_REALM");
+  const clientId = config.clientId ?? getEnv("MCP_USE_OAUTH_KEYCLOAK_CLIENT_ID");
+  if (!serverUrl) {
+    throw new Error(
+      "Keycloak serverUrl is required. Set MCP_USE_OAUTH_KEYCLOAK_SERVER_URL environment variable or pass serverUrl in config."
+    );
+  }
+  if (!realm) {
+    throw new Error(
+      "Keycloak realm is required. Set MCP_USE_OAUTH_KEYCLOAK_REALM environment variable or pass realm in config."
+    );
+  }
+  return new KeycloakOAuthProvider({
+    provider: "keycloak",
+    serverUrl,
+    realm,
+    clientId,
+    verifyJwt: config.verifyJwt
+  });
+}
+__name(oauthKeycloakProvider, "oauthKeycloakProvider");
+function oauthWorkOSProvider(config = {}) {
+  const subdomain = config.subdomain ?? getEnv("MCP_USE_OAUTH_WORKOS_SUBDOMAIN");
+  const clientId = config.clientId ?? getEnv("MCP_USE_OAUTH_WORKOS_CLIENT_ID");
+  const apiKey = config.apiKey ?? getEnv("MCP_USE_OAUTH_WORKOS_API_KEY");
+  if (!subdomain) {
+    throw new Error(
+      "WorkOS subdomain is required. Set MCP_USE_OAUTH_WORKOS_SUBDOMAIN environment variable or pass subdomain in config."
+    );
+  }
+  if (clientId) {
+    console.log("[WorkOS OAuth] Using pre-registered OAuth client mode");
+    console.log(`[WorkOS OAuth]   - Client ID: ${clientId}`);
+    console.log(
+      "[WorkOS OAuth]   - Make sure this client exists in WorkOS Dashboard"
+    );
+    console.log(
+      "[WorkOS OAuth]   - Configure redirect URIs to match your MCP client"
+    );
+  } else {
+    console.log("[WorkOS OAuth] Using Dynamic Client Registration (DCR) mode");
+    console.log(
+      "[WorkOS OAuth]   - MCP clients will register themselves automatically"
+    );
+    console.log(
+      "[WorkOS OAuth]   - Make sure DCR is enabled in WorkOS Dashboard"
+    );
+  }
+  return new WorkOSOAuthProvider({
+    provider: "workos",
+    subdomain,
+    clientId,
+    apiKey,
+    verifyJwt: config.verifyJwt
+  });
+}
+__name(oauthWorkOSProvider, "oauthWorkOSProvider");
+function oauthCustomProvider(config) {
+  return new CustomOAuthProvider({
+    provider: "custom",
+    ...config
+  });
+}
+__name(oauthCustomProvider, "oauthCustomProvider");
+
+// src/server/oauth/middleware.ts
+function createBearerAuthMiddleware(provider, baseUrl) {
+  return async (c, next) => {
+    const authHeader = c.req.header("Authorization");
+    const getWWWAuthenticateHeader = /* @__PURE__ */ __name(() => {
+      const base = baseUrl || new URL(c.req.url).origin;
+      const parts = [
+        'Bearer error="unauthorized"',
+        'error_description="Authorization needed"'
+      ];
+      parts.push(
+        `resource_metadata="${base}/.well-known/oauth-protected-resource"`
+      );
+      return parts.join(", ");
+    }, "getWWWAuthenticateHeader");
+    if (!authHeader) {
+      c.header("WWW-Authenticate", getWWWAuthenticateHeader());
+      return c.json({ error: "Missing Authorization header" }, 401);
+    }
+    const [type, token] = authHeader.split(" ");
+    if (type.toLowerCase() !== "bearer" || !token) {
+      c.header("WWW-Authenticate", getWWWAuthenticateHeader());
+      return c.json(
+        {
+          error: 'Invalid Authorization header format, expected "Bearer TOKEN"'
+        },
+        401
+      );
+    }
+    try {
+      const result = await provider.verifyToken(token);
+      const payload = result.payload;
+      const user = provider.getUserInfo(payload);
+      const authInfo = {
+        user,
+        payload,
+        accessToken: token,
+        // Extract scopes from scope claim (OAuth standard)
+        scopes: payload.scope ? payload.scope.split(" ") : [],
+        // Extract permissions (Auth0 style, or custom)
+        permissions: payload.permissions || []
+      };
+      c.set("auth", authInfo);
+      c.auth = authInfo;
+      c.set("user", user);
+      c.set("payload", payload);
+      c.set("accessToken", token);
+      await next();
+    } catch (error) {
+      c.header("WWW-Authenticate", getWWWAuthenticateHeader());
+      return c.json({ error: `Invalid token: ${error}` }, 401);
+    }
+  };
+}
+__name(createBearerAuthMiddleware, "createBearerAuthMiddleware");
+
+// src/server/oauth/routes.ts
+import { cors } from "hono/cors";
+function setupOAuthRoutes(app, provider, baseUrl) {
+  const mode = provider.getMode?.() || "proxy";
+  app.use(
+    "/.well-known/*",
+    cors({
+      origin: "*",
+      // Allow all origins for metadata discovery
+      allowMethods: ["GET", "OPTIONS"],
+      allowHeaders: ["Content-Type", "Authorization"],
+      exposeHeaders: ["Content-Type"],
+      maxAge: 86400
+      // Cache preflight for 24 hours
+    })
+  );
+  if (mode === "proxy") {
+    app.use(
+      "/authorize",
+      cors({
+        origin: "*",
+        allowMethods: ["GET", "POST", "OPTIONS"],
+        allowHeaders: ["Content-Type", "Authorization"],
+        maxAge: 86400
+      })
+    );
+    app.use(
+      "/token",
+      cors({
+        origin: "*",
+        allowMethods: ["POST", "OPTIONS"],
+        allowHeaders: ["Content-Type", "Authorization"],
+        maxAge: 86400
+      })
+    );
+  }
+  if (mode === "proxy") {
+    const handleAuthorize = /* @__PURE__ */ __name(async (c) => {
+      const params = c.req.method === "POST" ? await c.req.parseBody() : c.req.query();
+      const clientId = params.client_id;
+      const redirectUri = params.redirect_uri;
+      const responseType = params.response_type;
+      const codeChallenge = params.code_challenge;
+      const codeChallengeMethod = params.code_challenge_method;
+      const state = params.state;
+      const scope = params.scope;
+      const audience = params.audience;
+      if (!clientId || !redirectUri || !responseType || !codeChallenge) {
+        return c.json(
+          {
+            error: "invalid_request",
+            error_description: "Missing required parameters"
+          },
+          400
+        );
+      }
+      const authUrl = new URL(provider.getAuthEndpoint());
+      authUrl.searchParams.set("client_id", clientId);
+      authUrl.searchParams.set("redirect_uri", redirectUri);
+      authUrl.searchParams.set("response_type", responseType);
+      authUrl.searchParams.set("code_challenge", codeChallenge);
+      authUrl.searchParams.set(
+        "code_challenge_method",
+        codeChallengeMethod || "S256"
+      );
+      if (state) authUrl.searchParams.set("state", state);
+      if (scope) authUrl.searchParams.set("scope", scope);
+      if (audience) authUrl.searchParams.set("audience", audience);
+      return c.redirect(authUrl.toString(), 302);
+    }, "handleAuthorize");
+    app.get("/authorize", handleAuthorize);
+    app.post("/authorize", handleAuthorize);
+    app.post("/token", async (c) => {
+      try {
+        const body = await c.req.parseBody();
+        const response = await fetch(provider.getTokenEndpoint(), {
+          method: "POST",
+          headers: {
+            "Content-Type": "application/x-www-form-urlencoded"
+          },
+          body: new URLSearchParams(body).toString()
+        });
+        const data = await response.json();
+        if (!response.ok) {
+          return c.json(data, response.status);
+        }
+        return c.json(data);
+      } catch (error) {
+        return c.json(
+          {
+            error: "server_error",
+            error_description: `Token exchange failed: ${error}`
+          },
+          500
+        );
+      }
+    });
+  }
+  const handleAuthorizationServerMetadata = /* @__PURE__ */ __name(async (c) => {
+    const requestPath = new URL(c.req.url).pathname;
+    console.log(`[OAuth] Metadata request: ${requestPath} (mode: ${mode})`);
+    if (mode === "direct") {
+      try {
+        const metadataUrl = `${provider.getIssuer()}/.well-known/oauth-authorization-server`;
+        console.log(`[OAuth] Fetching metadata from provider: ${metadataUrl}`);
+        const response = await fetch(metadataUrl);
+        if (!response.ok) {
+          console.error(
+            `[OAuth] Failed to fetch provider metadata: ${response.status}`
+          );
+          return c.json(
+            {
+              error: "server_error",
+              error_description: `Failed to fetch provider metadata: ${response.status}`
+            },
+            500
+          );
+        }
+        const metadata = await response.json();
+        const hasRegisteredClient = provider.getRegistrationEndpoint && provider.config?.clientId;
+        if (hasRegisteredClient) {
+          console.log(
+            `[OAuth] Provider has pre-registered client - removing DCR endpoint`
+          );
+          delete metadata.registration_endpoint;
+        }
+        console.log(`[OAuth] Provider metadata retrieved successfully`);
+        console.log(`[OAuth]   - Issuer: ${metadata.issuer}`);
+        console.log(
+          `[OAuth]   - Registration endpoint: ${metadata.registration_endpoint || "not available (using pre-registered client)"}`
+        );
+        return c.json(metadata);
+      } catch (error) {
+        console.error(`[OAuth] Error fetching provider metadata:`, error);
+        return c.json(
+          {
+            error: "server_error",
+            error_description: `Failed to fetch provider metadata: ${error}`
+          },
+          500
+        );
+      }
+    } else {
+      console.log(`[OAuth] Returning proxy mode metadata`);
+      return c.json({
+        issuer: provider.getIssuer(),
+        authorization_endpoint: `${baseUrl}/authorize`,
+        token_endpoint: `${baseUrl}/token`,
+        response_types_supported: ["code"],
+        grant_types_supported: provider.getGrantTypesSupported(),
+        code_challenge_methods_supported: ["S256"],
+        token_endpoint_auth_methods_supported: [
+          "client_secret_post",
+          "client_secret_basic",
+          "none"
+        ],
+        scopes_supported: provider.getScopesSupported()
+      });
+    }
+  }, "handleAuthorizationServerMetadata");
+  app.get(
+    "/.well-known/oauth-authorization-server",
+    handleAuthorizationServerMetadata
+  );
+  app.get(
+    "/.well-known/openid-configuration",
+    handleAuthorizationServerMetadata
+  );
+  app.get("/.well-known/oauth-protected-resource", (c) => {
+    console.log(`[OAuth] Protected resource metadata request (mode: ${mode})`);
+    console.log(`[OAuth]   - Resource: ${baseUrl}`);
+    console.log(`[OAuth]   - Authorization server: ${provider.getIssuer()}`);
+    return c.json({
+      resource: baseUrl,
+      authorization_servers: [provider.getIssuer()],
+      bearer_methods_supported: ["header"],
+      resource_documentation: mode === "direct" ? "This resource uses direct OAuth flow. Clients communicate directly with the authorization server." : void 0
+    });
+  });
+  app.get("/.well-known/oauth-protected-resource/mcp", (c) => {
+    return c.json({
+      resource: `${baseUrl}/mcp`,
+      authorization_servers: [provider.getIssuer()],
+      bearer_methods_supported: ["header"]
+    });
+  });
+}
+__name(setupOAuthRoutes, "setupOAuthRoutes");
+
+// src/server/oauth/utils.ts
+function getAuth(context) {
+  return context.get("auth");
+}
+__name(getAuth, "getAuth");
+function hasScope(context, needed) {
+  const { scopes, permissions } = getAuth(context);
+  const requiredScopes = Array.isArray(needed) ? needed : [needed];
+  return requiredScopes.every(
+    (scope) => scopes.includes(scope) || permissions.includes(scope)
+  );
+}
+__name(hasScope, "hasScope");
+function hasAnyScope(context, needed) {
+  const { scopes, permissions } = getAuth(context);
+  return needed.some(
+    (scope) => scopes.includes(scope) || permissions.includes(scope)
+  );
+}
+__name(hasAnyScope, "hasAnyScope");
+function requireScope(needed) {
+  return async (c, next) => {
+    if (!hasScope(c, needed)) {
+      const { scopes, permissions } = getAuth(c);
+      const requiredScopes = Array.isArray(needed) ? needed : [needed];
+      return c.json(
+        {
+          error: "insufficient_scope",
+          required: requiredScopes,
+          granted_scopes: scopes,
+          granted_permissions: permissions,
+          message: `Missing required scope(s): ${requiredScopes.join(", ")}`
+        },
+        403
+      );
+    }
+    await next();
+  };
+}
+__name(requireScope, "requireScope");
+function requireAnyScope(needed) {
+  return async (c, next) => {
+    if (!hasAnyScope(c, needed)) {
+      const { scopes, permissions } = getAuth(c);
+      return c.json(
+        {
+          error: "insufficient_scope",
+          required_any: needed,
+          granted_scopes: scopes,
+          granted_permissions: permissions,
+          message: `Missing at least one required scope from: ${needed.join(", ")}`
+        },
+        403
+      );
+    }
+    await next();
+  };
+}
+__name(requireAnyScope, "requireAnyScope");
+
+export {
+  isDeno,
+  getEnv,
+  getCwd,
+  fsHelpers,
+  pathHelpers,
+  generateUUID,
+  oauthSupabaseProvider,
+  oauthAuth0Provider,
+  oauthKeycloakProvider,
+  oauthWorkOSProvider,
+  oauthCustomProvider,
+  createBearerAuthMiddleware,
+  setupOAuthRoutes,
+  getAuth,
+  hasScope,
+  hasAnyScope,
+  requireScope,
+  requireAnyScope
+};