mcp-use 1.6.3-canary.0 → 1.7.0-canary.2

package/dist/src/server/index.cjs

@@ -6,6 +6,9 @@ var __getOwnPropNames = Object.getOwnPropertyNames;
 var __getProtoOf = Object.getPrototypeOf;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
 var __name = (target, value) => __defProp(target, "name", { value, configurable: true });
+var __esm = (fn, res) => function __init() {
+  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+};
 var __export = (target, all) => {
   for (var name in all)
     __defProp(target, name, { get: all[name], enumerable: true });
@@ -16,44 +19,1082 @@ var __copyProps = (to, from, except, desc) => {
       if (!__hasOwnProp.call(to, key) && key !== except)
         __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
   }
-  return to;
-};
-var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
-  // If the importer is in node compatibility mode or this is not an ESM
-  // file that has been converted to a CommonJS file using a Babel-
-  // compatible transform (i.e. "__esModule" has not been set), then set
-  // "default" to the CommonJS "module.exports" for node compatibility.
-  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
-  mod
-));
-var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/server/utils/runtime.ts
+function getEnv2(key) {
+  if (isDeno2) {
+    return globalThis.Deno.env.get(key);
+  }
+  return process.env[key];
+}
+function getCwd() {
+  if (isDeno2) {
+    return globalThis.Deno.cwd();
+  }
+  return process.cwd();
+}
+function generateUUID() {
+  return globalThis.crypto.randomUUID();
+}
+var isDeno2, fsHelpers, pathHelpers;
+var init_runtime = __esm({
+  "src/server/utils/runtime.ts"() {
+    "use strict";
+    isDeno2 = typeof globalThis.Deno !== "undefined";
+    __name(getEnv2, "getEnv");
+    __name(getCwd, "getCwd");
+    fsHelpers = {
+      async readFileSync(path, encoding = "utf8") {
+        if (isDeno2) {
+          return await globalThis.Deno.readTextFile(path);
+        }
+        const { readFileSync } = await import("fs");
+        const result = readFileSync(path, encoding);
+        return typeof result === "string" ? result : result.toString(encoding);
+      },
+      async readFile(path) {
+        if (isDeno2) {
+          const data = await globalThis.Deno.readFile(path);
+          return data.buffer;
+        }
+        const { readFileSync } = await import("fs");
+        const buffer = readFileSync(path);
+        return buffer.buffer.slice(
+          buffer.byteOffset,
+          buffer.byteOffset + buffer.byteLength
+        );
+      },
+      async existsSync(path) {
+        if (isDeno2) {
+          try {
+            await globalThis.Deno.stat(path);
+            return true;
+          } catch {
+            return false;
+          }
+        }
+        const { existsSync } = await import("fs");
+        return existsSync(path);
+      },
+      async readdirSync(path) {
+        if (isDeno2) {
+          const entries = [];
+          for await (const entry of globalThis.Deno.readDir(path)) {
+            entries.push(entry.name);
+          }
+          return entries;
+        }
+        const { readdirSync } = await import("fs");
+        return readdirSync(path);
+      }
+    };
+    pathHelpers = {
+      join(...paths) {
+        if (isDeno2) {
+          return paths.join("/").replace(/\/+/g, "/");
+        }
+        return paths.join("/").replace(/\/+/g, "/");
+      },
+      relative(from, to) {
+        const fromParts = from.split("/").filter((p) => p);
+        const toParts = to.split("/").filter((p) => p);
+        let i = 0;
+        while (i < fromParts.length && i < toParts.length && fromParts[i] === toParts[i]) {
+          i++;
+        }
+        const upCount = fromParts.length - i;
+        const relativeParts = [...Array(upCount).fill(".."), ...toParts.slice(i)];
+        return relativeParts.join("/");
+      }
+    };
+    __name(generateUUID, "generateUUID");
+  }
+});
+
+// src/server/oauth/providers/supabase.ts
+var import_jose, SupabaseOAuthProvider;
+var init_supabase = __esm({
+  "src/server/oauth/providers/supabase.ts"() {
+    "use strict";
+    import_jose = require("jose");
+    SupabaseOAuthProvider = class {
+      static {
+        __name(this, "SupabaseOAuthProvider");
+      }
+      config;
+      supabaseUrl;
+      supabaseAuthUrl;
+      issuer;
+      jwks = null;
+      constructor(config) {
+        this.config = config;
+        this.supabaseUrl = `https://${config.projectId}.supabase.co`;
+        this.supabaseAuthUrl = `${this.supabaseUrl}/auth/v1`;
+        this.issuer = `${this.supabaseUrl}/auth/v1`;
+      }
+      getJWKS() {
+        if (!this.jwks) {
+          this.jwks = (0, import_jose.createRemoteJWKSet)(
+            new URL(`${this.issuer}/.well-known/jwks.json`)
+          );
+        }
+        return this.jwks;
+      }
+      async verifyToken(token) {
+        if (this.config.skipVerification) {
+          console.warn(
+            "[Supabase OAuth] \u26A0\uFE0F  SKIPPING VERIFICATION (DEVELOPMENT MODE)"
+          );
+          console.warn(
+            "[Supabase OAuth]     This is NOT secure! Only use for testing!"
+          );
+          const payload = (0, import_jose.decodeJwt)(token);
+          return { payload, protectedHeader: (0, import_jose.decodeProtectedHeader)(token) };
+        }
+        try {
+          const header = (0, import_jose.decodeProtectedHeader)(token);
+          if (header.alg === "HS256") {
+            if (!this.config.jwtSecret) {
+              throw new Error(
+                "JWT Secret is required for HS256 tokens. Get it from: Supabase Dashboard \u2192 Project Settings \u2192 API \u2192 JWT Settings"
+              );
+            }
+            const secret = new TextEncoder().encode(this.config.jwtSecret);
+            const result = await (0, import_jose.jwtVerify)(token, secret, {
+              issuer: this.issuer,
+              audience: "authenticated"
+            });
+            return result;
+          } else if (header.alg === "ES256") {
+            const result = await (0, import_jose.jwtVerify)(token, this.getJWKS(), {
+              issuer: this.issuer,
+              audience: "authenticated"
+            });
+            return result;
+          } else {
+            throw new Error(`Unsupported algorithm: ${header.alg}`);
+          }
+        } catch (error2) {
+          throw new Error(`Supabase JWT verification failed: ${error2}`);
+        }
+      }
+      getUserInfo(payload) {
+        return {
+          userId: payload.sub || payload.user_id,
+          email: payload.email,
+          name: payload.user_metadata?.name || payload.user_metadata?.full_name,
+          username: payload.user_metadata?.username,
+          picture: payload.user_metadata?.avatar_url,
+          roles: payload.role ? [payload.role] : [],
+          permissions: payload.aal ? [`aal:${payload.aal}`] : [],
+          // Include Supabase-specific claims
+          aal: payload.aal,
+          // Authentication Assurance Level
+          amr: payload.amr,
+          // Authentication Methods References
+          session_id: payload.session_id
+        };
+      }
+      getIssuer() {
+        return this.issuer;
+      }
+      getAuthEndpoint() {
+        return `${this.supabaseAuthUrl}/authorize`;
+      }
+      getTokenEndpoint() {
+        return `${this.supabaseAuthUrl}/token`;
+      }
+      getScopesSupported() {
+        return [];
+      }
+      getGrantTypesSupported() {
+        return ["authorization_code", "refresh_token"];
+      }
+    };
+  }
+});
+
+// src/server/oauth/providers/auth0.ts
+var import_jose2, Auth0OAuthProvider;
+var init_auth0 = __esm({
+  "src/server/oauth/providers/auth0.ts"() {
+    "use strict";
+    import_jose2 = require("jose");
+    Auth0OAuthProvider = class {
+      static {
+        __name(this, "Auth0OAuthProvider");
+      }
+      config;
+      issuer;
+      jwks = null;
+      constructor(config) {
+        this.config = config;
+        this.issuer = `https://${config.domain}`;
+      }
+      getJWKS() {
+        if (!this.jwks) {
+          this.jwks = (0, import_jose2.createRemoteJWKSet)(
+            new URL(`${this.issuer}/.well-known/jwks.json`)
+          );
+        }
+        return this.jwks;
+      }
+      async verifyToken(token) {
+        if (this.config.verifyJwt === false) {
+          console.warn("[Auth0 OAuth] \u26A0\uFE0F  JWT verification is disabled");
+          console.warn("[Auth0 OAuth]     Enable verifyJwt: true for production");
+          const parts = token.split(".");
+          if (parts.length !== 3) {
+            throw new Error("Invalid JWT format");
+          }
+          const payload = JSON.parse(
+            Buffer.from(parts[1], "base64url").toString("utf8")
+          );
+          return { payload };
+        }
+        try {
+          const result = await (0, import_jose2.jwtVerify)(token, this.getJWKS(), {
+            issuer: this.issuer,
+            audience: this.config.audience
+          });
+          return result;
+        } catch (error2) {
+          throw new Error(`Auth0 JWT verification failed: ${error2}`);
+        }
+      }
+      getUserInfo(payload) {
+        return {
+          userId: payload.sub,
+          email: payload.email,
+          name: payload.name,
+          username: payload.username,
+          nickname: payload.nickname,
+          picture: payload.picture,
+          // Auth0 includes permissions directly in the token
+          permissions: payload.permissions || [],
+          // Auth0 can include roles (if configured)
+          roles: payload.roles || payload["https://your-app.com/roles"] || [],
+          // Include scope as well
+          scopes: payload.scope ? payload.scope.split(" ") : [],
+          // Additional Auth0-specific claims
+          email_verified: payload.email_verified,
+          updated_at: payload.updated_at
+        };
+      }
+      getIssuer() {
+        return this.issuer;
+      }
+      getAuthEndpoint() {
+        return `${this.issuer}/authorize`;
+      }
+      getTokenEndpoint() {
+        return `${this.issuer}/oauth/token`;
+      }
+      getScopesSupported() {
+        return ["openid", "profile", "email", "offline_access"];
+      }
+      getGrantTypesSupported() {
+        return ["authorization_code", "refresh_token"];
+      }
+    };
+  }
+});
+
+// src/server/oauth/providers/keycloak.ts
+var import_jose3, KeycloakOAuthProvider;
+var init_keycloak = __esm({
+  "src/server/oauth/providers/keycloak.ts"() {
+    "use strict";
+    import_jose3 = require("jose");
+    KeycloakOAuthProvider = class {
+      static {
+        __name(this, "KeycloakOAuthProvider");
+      }
+      config;
+      issuer;
+      jwks = null;
+      constructor(config) {
+        this.config = config;
+        const serverUrl = config.serverUrl.replace(/\/$/, "");
+        this.issuer = `${serverUrl}/realms/${config.realm}`;
+      }
+      getJWKS() {
+        if (!this.jwks) {
+          this.jwks = (0, import_jose3.createRemoteJWKSet)(
+            new URL(`${this.issuer}/protocol/openid-connect/certs`)
+          );
+        }
+        return this.jwks;
+      }
+      async verifyToken(token) {
+        if (this.config.verifyJwt === false) {
+          console.warn("[Keycloak OAuth] \u26A0\uFE0F  JWT verification is disabled");
+          console.warn(
+            "[Keycloak OAuth]     Enable verifyJwt: true for production"
+          );
+          const parts = token.split(".");
+          if (parts.length !== 3) {
+            throw new Error("Invalid JWT format");
+          }
+          const payload = JSON.parse(
+            Buffer.from(parts[1], "base64url").toString("utf8")
+          );
+          return { payload };
+        }
+        try {
+          const result = await (0, import_jose3.jwtVerify)(token, this.getJWKS(), {
+            issuer: this.issuer,
+            // Don't verify audience if not specified
+            ...this.config.clientId && { audience: this.config.clientId }
+          });
+          return result;
+        } catch (error2) {
+          throw new Error(`Keycloak JWT verification failed: ${error2}`);
+        }
+      }
+      getUserInfo(payload) {
+        const realmRoles = payload.realm_access?.roles || [];
+        const clientRoles = this.config.clientId && payload.resource_access?.[this.config.clientId]?.roles || [];
+        const allRoles = [...realmRoles, ...clientRoles];
+        const permissions = [];
+        if (payload.resource_access) {
+          Object.entries(payload.resource_access).forEach(
+            ([resource2, access]) => {
+              if (access.roles) {
+                access.roles.forEach((role) => {
+                  permissions.push(`${resource2}:${role}`);
+                });
+              }
+            }
+          );
+        }
+        return {
+          userId: payload.sub,
+          email: payload.email,
+          name: payload.name,
+          username: payload.preferred_username,
+          nickname: payload.preferred_username,
+          picture: payload.picture,
+          roles: allRoles,
+          permissions,
+          // Include scope as well
+          scopes: payload.scope ? payload.scope.split(" ") : [],
+          // Keycloak-specific claims
+          email_verified: payload.email_verified,
+          given_name: payload.given_name,
+          family_name: payload.family_name,
+          realm_access: payload.realm_access,
+          resource_access: payload.resource_access
+        };
+      }
+      getIssuer() {
+        return this.issuer;
+      }
+      getAuthEndpoint() {
+        return `${this.issuer}/protocol/openid-connect/auth`;
+      }
+      getTokenEndpoint() {
+        return `${this.issuer}/protocol/openid-connect/token`;
+      }
+      getScopesSupported() {
+        return ["openid", "profile", "email", "offline_access", "roles"];
+      }
+      getGrantTypesSupported() {
+        return ["authorization_code", "refresh_token", "client_credentials"];
+      }
+    };
+  }
+});
+
+// src/server/oauth/providers/workos.ts
+var import_jose4, WorkOSOAuthProvider;
+var init_workos = __esm({
+  "src/server/oauth/providers/workos.ts"() {
+    "use strict";
+    import_jose4 = require("jose");
+    WorkOSOAuthProvider = class {
+      static {
+        __name(this, "WorkOSOAuthProvider");
+      }
+      config;
+      issuer;
+      jwks = null;
+      constructor(config) {
+        this.config = config;
+        this.issuer = `https://${config.subdomain}.authkit.app`;
+      }
+      getJWKS() {
+        if (!this.jwks) {
+          this.jwks = (0, import_jose4.createRemoteJWKSet)(new URL(`${this.issuer}/oauth2/jwks`));
+        }
+        return this.jwks;
+      }
+      async verifyToken(token) {
+        if (this.config.verifyJwt === false) {
+          console.warn("[WorkOS OAuth] \u26A0\uFE0F  JWT verification is disabled");
+          console.warn("[WorkOS OAuth]     Enable verifyJwt: true for production");
+          const parts = token.split(".");
+          if (parts.length !== 3) {
+            throw new Error("Invalid JWT format");
+          }
+          const payload = (0, import_jose4.decodeJwt)(token);
+          return { payload };
+        }
+        try {
+          const result = await (0, import_jose4.jwtVerify)(token, this.getJWKS(), {
+            issuer: this.issuer
+          });
+          return result;
+        } catch (error2) {
+          throw new Error(`WorkOS JWT verification failed: ${error2}`);
+        }
+      }
+      getUserInfo(payload) {
+        return {
+          userId: payload.sub,
+          email: payload.email,
+          name: payload.name,
+          username: payload.preferred_username,
+          picture: payload.picture,
+          // WorkOS includes permissions and roles in token
+          permissions: payload.permissions || [],
+          roles: payload.roles || [],
+          // Include scope as well
+          scopes: payload.scope ? payload.scope.split(" ") : [],
+          // Additional WorkOS-specific claims
+          email_verified: payload.email_verified,
+          organization_id: payload.org_id,
+          sid: payload.sid
+          // Session ID
+        };
+      }
+      getIssuer() {
+        return this.issuer;
+      }
+      getAuthEndpoint() {
+        return `${this.issuer}/oauth2/authorize`;
+      }
+      getTokenEndpoint() {
+        return `${this.issuer}/oauth2/token`;
+      }
+      getScopesSupported() {
+        return ["email", "offline_access", "openid", "profile"];
+      }
+      getGrantTypesSupported() {
+        return ["authorization_code", "refresh_token"];
+      }
+      getMode() {
+        if (this.config.clientId) {
+          console.log("[WorkOS OAuth] Using proxy mode (pre-registered client)");
+          return "proxy";
+        }
+        console.log(
+          "[WorkOS OAuth] Using direct mode (Dynamic Client Registration)"
+        );
+        return "direct";
+      }
+      getRegistrationEndpoint() {
+        if (this.config.clientId) {
+          return void 0;
+        }
+        return `${this.issuer}/oauth2/register`;
+      }
+    };
+  }
+});
+
+// src/server/oauth/providers/custom.ts
+var CustomOAuthProvider;
+var init_custom = __esm({
+  "src/server/oauth/providers/custom.ts"() {
+    "use strict";
+    CustomOAuthProvider = class {
+      static {
+        __name(this, "CustomOAuthProvider");
+      }
+      config;
+      constructor(config) {
+        this.config = config;
+      }
+      async verifyToken(token) {
+        try {
+          const result = await this.config.verifyToken(token);
+          return { payload: result };
+        } catch (error2) {
+          throw new Error(`Custom OAuth verification failed: ${error2}`);
+        }
+      }
+      getUserInfo(payload) {
+        if (this.config.getUserInfo) {
+          return this.config.getUserInfo(payload);
+        }
+        return {
+          userId: payload.sub || payload.user_id || payload.id,
+          email: payload.email,
+          name: payload.name,
+          username: payload.username || payload.preferred_username,
+          nickname: payload.nickname,
+          picture: payload.picture || payload.avatar_url,
+          roles: payload.roles || [],
+          permissions: payload.permissions || [],
+          scopes: payload.scope ? payload.scope.split(" ") : []
+        };
+      }
+      getIssuer() {
+        return this.config.issuer;
+      }
+      getAuthEndpoint() {
+        return this.config.authEndpoint;
+      }
+      getTokenEndpoint() {
+        return this.config.tokenEndpoint;
+      }
+      getScopesSupported() {
+        return this.config.scopesSupported || ["openid", "profile", "email"];
+      }
+      getGrantTypesSupported() {
+        return this.config.grantTypesSupported || ["authorization_code", "refresh_token"];
+      }
+    };
+  }
+});
+
+// src/server/oauth/providers.ts
+function oauthSupabaseProvider(config = {}) {
+  const projectId = config.projectId ?? getEnv2("MCP_USE_OAUTH_SUPABASE_PROJECT_ID");
+  const jwtSecret = config.jwtSecret ?? getEnv2("MCP_USE_OAUTH_SUPABASE_JWT_SECRET");
+  if (!projectId) {
+    throw new Error(
+      "Supabase projectId is required. Set MCP_USE_OAUTH_SUPABASE_PROJECT_ID environment variable or pass projectId in config."
+    );
+  }
+  return new SupabaseOAuthProvider({
+    provider: "supabase",
+    projectId,
+    jwtSecret,
+    skipVerification: config.skipVerification
+  });
+}
+function oauthAuth0Provider(config = {}) {
+  const domain = config.domain ?? getEnv2("MCP_USE_OAUTH_AUTH0_DOMAIN");
+  const audience = config.audience ?? getEnv2("MCP_USE_OAUTH_AUTH0_AUDIENCE");
+  if (!domain) {
+    throw new Error(
+      "Auth0 domain is required. Set MCP_USE_OAUTH_AUTH0_DOMAIN environment variable or pass domain in config."
+    );
+  }
+  if (!audience) {
+    throw new Error(
+      "Auth0 audience is required. Set MCP_USE_OAUTH_AUTH0_AUDIENCE environment variable or pass audience in config."
+    );
+  }
+  return new Auth0OAuthProvider({
+    provider: "auth0",
+    domain,
+    audience,
+    verifyJwt: config.verifyJwt
+  });
+}
+function oauthKeycloakProvider(config = {}) {
+  const serverUrl = config.serverUrl ?? getEnv2("MCP_USE_OAUTH_KEYCLOAK_SERVER_URL");
+  const realm = config.realm ?? getEnv2("MCP_USE_OAUTH_KEYCLOAK_REALM");
+  const clientId = config.clientId ?? getEnv2("MCP_USE_OAUTH_KEYCLOAK_CLIENT_ID");
+  if (!serverUrl) {
+    throw new Error(
+      "Keycloak serverUrl is required. Set MCP_USE_OAUTH_KEYCLOAK_SERVER_URL environment variable or pass serverUrl in config."
+    );
+  }
+  if (!realm) {
+    throw new Error(
+      "Keycloak realm is required. Set MCP_USE_OAUTH_KEYCLOAK_REALM environment variable or pass realm in config."
+    );
+  }
+  return new KeycloakOAuthProvider({
+    provider: "keycloak",
+    serverUrl,
+    realm,
+    clientId,
+    verifyJwt: config.verifyJwt
+  });
+}
+function oauthWorkOSProvider(config = {}) {
+  const subdomain = config.subdomain ?? getEnv2("MCP_USE_OAUTH_WORKOS_SUBDOMAIN");
+  const clientId = config.clientId ?? getEnv2("MCP_USE_OAUTH_WORKOS_CLIENT_ID");
+  const apiKey = config.apiKey ?? getEnv2("MCP_USE_OAUTH_WORKOS_API_KEY");
+  if (!subdomain) {
+    throw new Error(
+      "WorkOS subdomain is required. Set MCP_USE_OAUTH_WORKOS_SUBDOMAIN environment variable or pass subdomain in config."
+    );
+  }
+  if (clientId) {
+    console.log("[WorkOS OAuth] Using pre-registered OAuth client mode");
+    console.log(`[WorkOS OAuth]   - Client ID: ${clientId}`);
+    console.log(
+      "[WorkOS OAuth]   - Make sure this client exists in WorkOS Dashboard"
+    );
+    console.log(
+      "[WorkOS OAuth]   - Configure redirect URIs to match your MCP client"
+    );
+  } else {
+    console.log("[WorkOS OAuth] Using Dynamic Client Registration (DCR) mode");
+    console.log(
+      "[WorkOS OAuth]   - MCP clients will register themselves automatically"
+    );
+    console.log(
+      "[WorkOS OAuth]   - Make sure DCR is enabled in WorkOS Dashboard"
+    );
+  }
+  return new WorkOSOAuthProvider({
+    provider: "workos",
+    subdomain,
+    clientId,
+    apiKey,
+    verifyJwt: config.verifyJwt
+  });
+}
+function oauthCustomProvider(config) {
+  return new CustomOAuthProvider({
+    provider: "custom",
+    ...config
+  });
+}
+var init_providers = __esm({
+  "src/server/oauth/providers.ts"() {
+    "use strict";
+    init_supabase();
+    init_auth0();
+    init_keycloak();
+    init_workos();
+    init_custom();
+    init_runtime();
+    __name(oauthSupabaseProvider, "oauthSupabaseProvider");
+    __name(oauthAuth0Provider, "oauthAuth0Provider");
+    __name(oauthKeycloakProvider, "oauthKeycloakProvider");
+    __name(oauthWorkOSProvider, "oauthWorkOSProvider");
+    __name(oauthCustomProvider, "oauthCustomProvider");
+  }
+});
+
+// src/server/oauth/middleware.ts
+function createBearerAuthMiddleware(provider, baseUrl) {
+  return async (c, next) => {
+    const authHeader = c.req.header("Authorization");
+    const getWWWAuthenticateHeader = /* @__PURE__ */ __name(() => {
+      const base = baseUrl || new URL(c.req.url).origin;
+      const parts = [
+        'Bearer error="unauthorized"',
+        'error_description="Authorization needed"'
+      ];
+      parts.push(
+        `resource_metadata="${base}/.well-known/oauth-protected-resource"`
+      );
+      return parts.join(", ");
+    }, "getWWWAuthenticateHeader");
+    if (!authHeader) {
+      c.header("WWW-Authenticate", getWWWAuthenticateHeader());
+      return c.json({ error: "Missing Authorization header" }, 401);
+    }
+    const [type, token] = authHeader.split(" ");
+    if (type.toLowerCase() !== "bearer" || !token) {
+      c.header("WWW-Authenticate", getWWWAuthenticateHeader());
+      return c.json(
+        {
+          error: 'Invalid Authorization header format, expected "Bearer TOKEN"'
+        },
+        401
+      );
+    }
+    try {
+      const result = await provider.verifyToken(token);
+      const payload = result.payload;
+      const user = provider.getUserInfo(payload);
+      const authInfo = {
+        user,
+        payload,
+        accessToken: token,
+        // Extract scopes from scope claim (OAuth standard)
+        scopes: payload.scope ? payload.scope.split(" ") : [],
+        // Extract permissions (Auth0 style, or custom)
+        permissions: payload.permissions || []
+      };
+      c.set("auth", authInfo);
+      c.auth = authInfo;
+      c.set("user", user);
+      c.set("payload", payload);
+      c.set("accessToken", token);
+      await next();
+    } catch (error2) {
+      c.header("WWW-Authenticate", getWWWAuthenticateHeader());
+      return c.json({ error: `Invalid token: ${error2}` }, 401);
+    }
+  };
+}
+var init_middleware = __esm({
+  "src/server/oauth/middleware.ts"() {
+    "use strict";
+    __name(createBearerAuthMiddleware, "createBearerAuthMiddleware");
+  }
+});
+
+// src/server/oauth/routes.ts
+function setupOAuthRoutes(app, provider, baseUrl) {
+  const mode = provider.getMode?.() || "proxy";
+  app.use(
+    "/.well-known/*",
+    (0, import_cors.cors)({
+      origin: "*",
+      // Allow all origins for metadata discovery
+      allowMethods: ["GET", "OPTIONS"],
+      allowHeaders: ["Content-Type", "Authorization"],
+      exposeHeaders: ["Content-Type"],
+      maxAge: 86400
+      // Cache preflight for 24 hours
+    })
+  );
+  if (mode === "proxy") {
+    app.use(
+      "/authorize",
+      (0, import_cors.cors)({
+        origin: "*",
+        allowMethods: ["GET", "POST", "OPTIONS"],
+        allowHeaders: ["Content-Type", "Authorization"],
+        maxAge: 86400
+      })
+    );
+    app.use(
+      "/token",
+      (0, import_cors.cors)({
+        origin: "*",
+        allowMethods: ["POST", "OPTIONS"],
+        allowHeaders: ["Content-Type", "Authorization"],
+        maxAge: 86400
+      })
+    );
+  }
+  if (mode === "proxy") {
+    const handleAuthorize = /* @__PURE__ */ __name(async (c) => {
+      const params = c.req.method === "POST" ? await c.req.parseBody() : c.req.query();
+      const clientId = params.client_id;
+      const redirectUri = params.redirect_uri;
+      const responseType = params.response_type;
+      const codeChallenge = params.code_challenge;
+      const codeChallengeMethod = params.code_challenge_method;
+      const state = params.state;
+      const scope = params.scope;
+      const audience = params.audience;
+      if (!clientId || !redirectUri || !responseType || !codeChallenge) {
+        return c.json(
+          {
+            error: "invalid_request",
+            error_description: "Missing required parameters"
+          },
+          400
+        );
+      }
+      const authUrl = new URL(provider.getAuthEndpoint());
+      authUrl.searchParams.set("client_id", clientId);
+      authUrl.searchParams.set("redirect_uri", redirectUri);
+      authUrl.searchParams.set("response_type", responseType);
+      authUrl.searchParams.set("code_challenge", codeChallenge);
+      authUrl.searchParams.set(
+        "code_challenge_method",
+        codeChallengeMethod || "S256"
+      );
+      if (state) authUrl.searchParams.set("state", state);
+      if (scope) authUrl.searchParams.set("scope", scope);
+      if (audience) authUrl.searchParams.set("audience", audience);
+      return c.redirect(authUrl.toString(), 302);
+    }, "handleAuthorize");
+    app.get("/authorize", handleAuthorize);
+    app.post("/authorize", handleAuthorize);
+    app.post("/token", async (c) => {
+      try {
+        const body = await c.req.parseBody();
+        const response = await fetch(provider.getTokenEndpoint(), {
+          method: "POST",
+          headers: {
+            "Content-Type": "application/x-www-form-urlencoded"
+          },
+          body: new URLSearchParams(body).toString()
+        });
+        const data = await response.json();
+        if (!response.ok) {
+          return c.json(data, response.status);
+        }
+        return c.json(data);
+      } catch (error2) {
+        return c.json(
+          {
+            error: "server_error",
+            error_description: `Token exchange failed: ${error2}`
+          },
+          500
+        );
+      }
+    });
+  }
+  const handleAuthorizationServerMetadata = /* @__PURE__ */ __name(async (c) => {
+    const requestPath = new URL(c.req.url).pathname;
+    console.log(`[OAuth] Metadata request: ${requestPath} (mode: ${mode})`);
+    if (mode === "direct") {
+      try {
+        const metadataUrl = `${provider.getIssuer()}/.well-known/oauth-authorization-server`;
+        console.log(`[OAuth] Fetching metadata from provider: ${metadataUrl}`);
+        const response = await fetch(metadataUrl);
+        if (!response.ok) {
+          console.error(
+            `[OAuth] Failed to fetch provider metadata: ${response.status}`
+          );
+          return c.json(
+            {
+              error: "server_error",
+              error_description: `Failed to fetch provider metadata: ${response.status}`
+            },
+            500
+          );
+        }
+        const metadata = await response.json();
+        const hasRegisteredClient = provider.getRegistrationEndpoint && provider.config?.clientId;
+        if (hasRegisteredClient) {
+          console.log(
+            `[OAuth] Provider has pre-registered client - removing DCR endpoint`
+          );
+          delete metadata.registration_endpoint;
+        }
+        console.log(`[OAuth] Provider metadata retrieved successfully`);
+        console.log(`[OAuth]   - Issuer: ${metadata.issuer}`);
+        console.log(
+          `[OAuth]   - Registration endpoint: ${metadata.registration_endpoint || "not available (using pre-registered client)"}`
+        );
+        return c.json(metadata);
+      } catch (error2) {
+        console.error(`[OAuth] Error fetching provider metadata:`, error2);
+        return c.json(
+          {
+            error: "server_error",
+            error_description: `Failed to fetch provider metadata: ${error2}`
+          },
+          500
+        );
+      }
+    } else {
+      console.log(`[OAuth] Returning proxy mode metadata`);
+      return c.json({
+        issuer: provider.getIssuer(),
+        authorization_endpoint: `${baseUrl}/authorize`,
+        token_endpoint: `${baseUrl}/token`,
+        response_types_supported: ["code"],
+        grant_types_supported: provider.getGrantTypesSupported(),
+        code_challenge_methods_supported: ["S256"],
+        token_endpoint_auth_methods_supported: [
+          "client_secret_post",
+          "client_secret_basic",
+          "none"
+        ],
+        scopes_supported: provider.getScopesSupported()
+      });
+    }
+  }, "handleAuthorizationServerMetadata");
+  app.get(
+    "/.well-known/oauth-authorization-server",
+    handleAuthorizationServerMetadata
+  );
+  app.get(
+    "/.well-known/openid-configuration",
+    handleAuthorizationServerMetadata
+  );
+  app.get("/.well-known/oauth-protected-resource", (c) => {
+    console.log(`[OAuth] Protected resource metadata request (mode: ${mode})`);
+    console.log(`[OAuth]   - Resource: ${baseUrl}`);
+    console.log(`[OAuth]   - Authorization server: ${provider.getIssuer()}`);
+    return c.json({
+      resource: baseUrl,
+      authorization_servers: [provider.getIssuer()],
+      bearer_methods_supported: ["header"],
+      resource_documentation: mode === "direct" ? "This resource uses direct OAuth flow. Clients communicate directly with the authorization server." : void 0
+    });
+  });
+  app.get("/.well-known/oauth-protected-resource/mcp", (c) => {
+    return c.json({
+      resource: `${baseUrl}/mcp`,
+      authorization_servers: [provider.getIssuer()],
+      bearer_methods_supported: ["header"]
+    });
+  });
+}
+var import_cors;
+var init_routes = __esm({
+  "src/server/oauth/routes.ts"() {
+    "use strict";
+    import_cors = require("hono/cors");
+    __name(setupOAuthRoutes, "setupOAuthRoutes");
+  }
+});
+
+// src/server/oauth/utils.ts
+function getAuth(context) {
+  return context.get("auth");
+}
+function hasScope(context, needed) {
+  const { scopes, permissions } = getAuth(context);
+  const requiredScopes = Array.isArray(needed) ? needed : [needed];
+  return requiredScopes.every(
+    (scope) => scopes.includes(scope) || permissions.includes(scope)
+  );
+}
+function hasAnyScope(context, needed) {
+  const { scopes, permissions } = getAuth(context);
+  return needed.some(
+    (scope) => scopes.includes(scope) || permissions.includes(scope)
+  );
+}
+function requireScope(needed) {
+  return async (c, next) => {
+    if (!hasScope(c, needed)) {
+      const { scopes, permissions } = getAuth(c);
+      const requiredScopes = Array.isArray(needed) ? needed : [needed];
+      return c.json(
+        {
+          error: "insufficient_scope",
+          required: requiredScopes,
+          granted_scopes: scopes,
+          granted_permissions: permissions,
+          message: `Missing required scope(s): ${requiredScopes.join(", ")}`
+        },
+        403
+      );
+    }
+    await next();
+  };
+}
+function requireAnyScope(needed) {
+  return async (c, next) => {
+    if (!hasAnyScope(c, needed)) {
+      const { scopes, permissions } = getAuth(c);
+      return c.json(
+        {
+          error: "insufficient_scope",
+          required_any: needed,
+          granted_scopes: scopes,
+          granted_permissions: permissions,
+          message: `Missing at least one required scope from: ${needed.join(", ")}`
+        },
+        403
+      );
+    }
+    await next();
+  };
+}
+var init_utils = __esm({
+  "src/server/oauth/utils.ts"() {
+    "use strict";
+    __name(getAuth, "getAuth");
+    __name(hasScope, "hasScope");
+    __name(hasAnyScope, "hasAnyScope");
+    __name(requireScope, "requireScope");
+    __name(requireAnyScope, "requireAnyScope");
+  }
+});
+
+// src/server/oauth/index.ts
+var oauth_exports = {};
+__export(oauth_exports, {
+  createBearerAuthMiddleware: () => createBearerAuthMiddleware,
+  getAuth: () => getAuth,
+  hasAnyScope: () => hasAnyScope,
+  hasScope: () => hasScope,
+  oauthAuth0Provider: () => oauthAuth0Provider,
+  oauthCustomProvider: () => oauthCustomProvider,
+  oauthKeycloakProvider: () => oauthKeycloakProvider,
+  oauthSupabaseProvider: () => oauthSupabaseProvider,
+  oauthWorkOSProvider: () => oauthWorkOSProvider,
+  requireAnyScope: () => requireAnyScope,
+  requireScope: () => requireScope,
+  setupOAuthRoutes: () => setupOAuthRoutes
+});
+var init_oauth = __esm({
+  "src/server/oauth/index.ts"() {
+    "use strict";
+    init_providers();
+    init_middleware();
+    init_routes();
+    init_utils();
+  }
+});
 
 // src/server/index.ts
 var server_exports = {};
 __export(server_exports, {
   adaptConnectMiddleware: () => adaptConnectMiddleware,
   adaptMiddleware: () => adaptMiddleware,
+  array: () => array,
   buildWidgetUrl: () => buildWidgetUrl,
   createExternalUrlResource: () => createExternalUrlResource,
   createMCPServer: () => createMCPServer,
   createRawHtmlResource: () => createRawHtmlResource,
   createRemoteDomResource: () => createRemoteDomResource,
   createUIResourceFromDefinition: () => createUIResourceFromDefinition,
-  isExpressMiddleware: () => isExpressMiddleware
+  error: () => error,
+  getAuth: () => getAuth,
+  getRequestContext: () => getRequestContext,
+  hasAnyScope: () => hasAnyScope,
+  hasRequestContext: () => hasRequestContext,
+  hasScope: () => hasScope,
+  image: () => image,
+  isExpressMiddleware: () => isExpressMiddleware,
+  oauthAuth0Provider: () => oauthAuth0Provider,
+  oauthCustomProvider: () => oauthCustomProvider,
+  oauthKeycloakProvider: () => oauthKeycloakProvider,
+  oauthSupabaseProvider: () => oauthSupabaseProvider,
+  oauthWorkOSProvider: () => oauthWorkOSProvider,
+  object: () => object,
+  requireAnyScope: () => requireAnyScope,
+  requireScope: () => requireScope,
+  resource: () => resource,
+  runWithContext: () => runWithContext,
+  text: () => text,
+  widget: () => widget
 });
 module.exports = __toCommonJS(server_exports);
 
 // src/server/mcp-server.ts
 var import_mcp = require("@modelcontextprotocol/sdk/server/mcp.js");
-var import_hono = require("hono");
-var import_cors = require("hono/cors");
 var import_zod = require("zod");
+var import_hono = require("hono");
+var import_cors2 = require("hono/cors");
+
+// src/server/context-storage.ts
+var import_node_async_hooks = require("async_hooks");
+var requestContextStorage = new import_node_async_hooks.AsyncLocalStorage();
+async function runWithContext(context, fn) {
+  return requestContextStorage.run(context, fn);
+}
+__name(runWithContext, "runWithContext");
+function getRequestContext() {
+  return requestContextStorage.getStore();
+}
+__name(getRequestContext, "getRequestContext");
+function hasRequestContext() {
+  return requestContextStorage.getStore() !== void 0;
+}
+__name(hasRequestContext, "hasRequestContext");
 
 // src/server/adapters/mcp-ui-adapter.ts
 var import_server = require("@mcp-ui/server");
-function buildWidgetUrl(widget, props, config) {
+function buildWidgetUrl(widget2, props, config) {
   const url = new URL(
-    `/mcp-use/widgets/${widget}`,
+    `/mcp-use/widgets/${widget2}`,
     `${config.baseUrl}:${config.port}`
   );
   if (props && Object.keys(props).length > 0) {
@@ -93,17 +1134,17 @@ function createRemoteDomResource(uri, script, framework = "react", encoding = "t
 }
 __name(createRemoteDomResource, "createRemoteDomResource");
 function createAppsSdkResource(uri, htmlTemplate, metadata) {
-  const resource = {
+  const resource2 = {
     uri,
     mimeType: "text/html+skybridge",
     text: htmlTemplate
   };
   if (metadata && Object.keys(metadata).length > 0) {
-    resource._meta = metadata;
+    resource2._meta = metadata;
   }
   return {
     type: "resource",
-    resource
+    resource: resource2
   };
 }
 __name(createAppsSdkResource, "createAppsSdkResource");
@@ -199,11 +1240,10 @@ async function adaptConnectMiddleware(connectMiddleware, middlewarePath) {
     const httpMocks = await import("node-mocks-http");
     createRequest = httpMocks.createRequest;
     createResponse = httpMocks.createResponse;
-  } catch (error) {
-    console.error(
-      "[WIDGETS] node-mocks-http not available. Install connect and node-mocks-http for Vite middleware support."
+  } catch (error2) {
+    throw new Error(
+      "\u274C Widget middleware dependencies not installed!\n\nTo use Connect middleware adapters with MCP widgets, you need to install:\n\n  npm install node-mocks-http\n  # or\n  pnpm add node-mocks-http\n\nThis dependency is automatically included in projects created with 'create-mcp-use-app'."
     );
-    throw error;
   }
   let normalizedPath = middlewarePath;
   if (normalizedPath.endsWith("*")) {
@@ -416,7 +1456,7 @@ async function requestLogger(c, next) {
       } else {
         console.log("\x1B[33mResponse Body:\x1B[0m (no body)");
       }
-    } catch (error) {
+    } catch (error2) {
       console.log("\x1B[33mResponse Body:\x1B[0m (unable to read)");
     }
     console.log("\x1B[36m" + "=".repeat(80) + "\x1B[0m\n");
@@ -425,90 +1465,8 @@ async function requestLogger(c, next) {
 __name(requestLogger, "requestLogger");
 
 // src/server/mcp-server.ts
-function generateUUID() {
-  return globalThis.crypto.randomUUID();
-}
-__name(generateUUID, "generateUUID");
+init_runtime();
 var TMP_MCP_USE_DIR = ".mcp-use";
-var isDeno2 = typeof globalThis.Deno !== "undefined";
-function getEnv2(key) {
-  if (isDeno2) {
-    return globalThis.Deno.env.get(key);
-  }
-  return process.env[key];
-}
-__name(getEnv2, "getEnv");
-function getCwd() {
-  if (isDeno2) {
-    return globalThis.Deno.cwd();
-  }
-  return process.cwd();
-}
-__name(getCwd, "getCwd");
-var fsHelpers = {
-  async readFileSync(path, encoding = "utf8") {
-    if (isDeno2) {
-      return await globalThis.Deno.readTextFile(path);
-    }
-    const { readFileSync } = await import("fs");
-    const result = readFileSync(path, encoding);
-    return typeof result === "string" ? result : result.toString(encoding);
-  },
-  async readFile(path) {
-    if (isDeno2) {
-      const data = await globalThis.Deno.readFile(path);
-      return data.buffer;
-    }
-    const { readFileSync } = await import("fs");
-    const buffer = readFileSync(path);
-    return buffer.buffer.slice(
-      buffer.byteOffset,
-      buffer.byteOffset + buffer.byteLength
-    );
-  },
-  async existsSync(path) {
-    if (isDeno2) {
-      try {
-        await globalThis.Deno.stat(path);
-        return true;
-      } catch {
-        return false;
-      }
-    }
-    const { existsSync } = await import("fs");
-    return existsSync(path);
-  },
-  async readdirSync(path) {
-    if (isDeno2) {
-      const entries = [];
-      for await (const entry of globalThis.Deno.readDir(path)) {
-        entries.push(entry.name);
-      }
-      return entries;
-    }
-    const { readdirSync } = await import("fs");
-    return readdirSync(path);
-  }
-};
-var pathHelpers = {
-  join(...paths) {
-    if (isDeno2) {
-      return paths.join("/").replace(/\/+/g, "/");
-    }
-    return paths.join("/").replace(/\/+/g, "/");
-  },
-  relative(from, to) {
-    const fromParts = from.split("/").filter((p) => p);
-    const toParts = to.split("/").filter((p) => p);
-    let i = 0;
-    while (i < fromParts.length && i < toParts.length && fromParts[i] === toParts[i]) {
-      i++;
-    }
-    const upCount = fromParts.length - i;
-    const relativeParts = [...Array(upCount).fill(".."), ...toParts.slice(i)];
-    return relativeParts.join("/");
-  }
-};
 var McpServer = class {
   static {
     __name(this, "McpServer");
@@ -527,6 +1485,13 @@ var McpServer = class {
   buildId;
   sessions = /* @__PURE__ */ new Map();
   idleCleanupInterval;
+  oauthProvider;
+  // OAuthProvider from oauth/index.js
+  oauthMiddleware;
+  // Bearer auth middleware
+  oauthConfig;
+  // Store OAuth config for lazy initialization
+  oauthSetupComplete = false;
   /**
    * Creates a new MCP server instance with Hono integration
    *
@@ -548,7 +1513,7 @@ var McpServer = class {
     this.app = new import_hono.Hono();
     this.app.use(
       "*",
-      (0, import_cors.cors)({
+      (0, import_cors2.cors)({
         origin: "*",
         allowMethods: ["GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"],
         allowHeaders: [
@@ -565,6 +1530,9 @@ var McpServer = class {
       })
     );
     this.app.use("*", requestLogger);
+    if (config.oauth) {
+      this.oauthConfig = config.oauth;
+    }
     return new Proxy(this, {
       get(target, prop) {
         if (prop === "use") {
@@ -645,6 +1613,42 @@ var McpServer = class {
     console.log("[CSP] Parsed CSP URLs:", urls);
     return urls;
   }
+  /**
+   * Setup OAuth authentication
+   *
+   * Initializes OAuth provider, creates bearer auth middleware,
+   * sets up OAuth routes, and applies auth to /mcp endpoints.
+   *
+   * @private
+   */
+  async setupOAuth(oauthProvider) {
+    if (this.oauthSetupComplete) {
+      return;
+    }
+    const { setupOAuthRoutes: setupOAuthRoutes2, createBearerAuthMiddleware: createBearerAuthMiddleware2 } = await Promise.resolve().then(() => (init_oauth(), oauth_exports));
+    this.oauthProvider = oauthProvider;
+    console.log(`[OAuth] OAuth provider initialized`);
+    const baseUrl = this.getServerBaseUrl();
+    this.oauthMiddleware = createBearerAuthMiddleware2(
+      this.oauthProvider,
+      baseUrl
+    );
+    setupOAuthRoutes2(this.app, this.oauthProvider, baseUrl);
+    const mode = this.oauthProvider.getMode?.() || "proxy";
+    if (mode === "direct") {
+      console.log(
+        "[OAuth] Direct mode: Clients will authenticate with provider directly"
+      );
+      console.log("[OAuth] Metadata endpoints: /.well-known/*");
+    } else {
+      console.log(
+        "[OAuth] Proxy mode: Routes at /authorize, /token, /.well-known/*"
+      );
+    }
+    this.app.use("/mcp/*", this.oauthMiddleware);
+    console.log("[OAuth] Bearer authentication enabled on /mcp routes");
+    this.oauthSetupComplete = true;
+  }
   /**
    * Define a static resource that can be accessed by clients
    *
@@ -771,46 +1775,22 @@ var McpServer = class {
     this.registeredResources.push(resourceTemplateDefinition.name);
     return this;
   }
-  /**
-   * Define a tool that can be called by clients
-   *
-   * Registers a tool with the MCP server that clients can invoke with parameters.
-   * Tools are functions that perform actions, computations, or operations and
-   * return results. They accept structured input parameters and return structured output.
-   *
-   * Supports Apps SDK metadata for ChatGPT integration via the _meta field.
-   *
-   * @param toolDefinition - Configuration object containing tool metadata and handler function
-   * @param toolDefinition.name - Unique identifier for the tool
-   * @param toolDefinition.description - Human-readable description of what the tool does
-   * @param toolDefinition.inputs - Array of input parameter definitions with types and validation
-   * @param toolDefinition.cb - Async callback function that executes the tool logic with provided parameters
-   * @param toolDefinition._meta - Optional metadata for the tool (e.g. Apps SDK metadata)
-   * @returns The server instance for method chaining
-   *
-   * @example
-   * ```typescript
-   * server.tool({
-   *   name: 'calculate',
-   *   description: 'Performs mathematical calculations',
-   *   inputs: [
-   *     { name: 'expression', type: 'string', required: true },
-   *     { name: 'precision', type: 'number', required: false }
-   *   ],
-   *   cb: async ({ expression, precision = 2 }) => {
-   *     const result = eval(expression)
-   *     return { result: Number(result.toFixed(precision)) }
-   *   },
-   *   _meta: {
-   *     'openai/outputTemplate': 'ui://widgets/calculator',
-   *     'openai/toolInvocation/invoking': 'Calculating...',
-   *     'openai/toolInvocation/invoked': 'Calculation complete'
-   *   }
-   * })
-   * ```
-   */
-  tool(toolDefinition) {
-    const inputSchema = this.createParamsSchema(toolDefinition.inputs || []);
+  // Implementation
+  tool(toolDefinition, callback) {
+    const actualCallback = callback || toolDefinition.cb;
+    if (!actualCallback) {
+      throw new Error(
+        `Tool '${toolDefinition.name}' must have either a cb property or a callback parameter`
+      );
+    }
+    let inputSchema;
+    if (toolDefinition.schema) {
+      inputSchema = this.convertZodSchemaToParams(toolDefinition.schema);
+    } else if (toolDefinition.inputs && toolDefinition.inputs.length > 0) {
+      inputSchema = this.createParamsSchema(toolDefinition.inputs);
+    } else {
+      inputSchema = {};
+    }
     this.server.registerTool(
       toolDefinition.name,
       {
@@ -821,101 +1801,95 @@ var McpServer = class {
         _meta: toolDefinition._meta
       },
       async (params, extra) => {
+        let requestContext = getRequestContext();
+        if (!requestContext) {
+          for (const [, session] of this.sessions.entries()) {
+            if (session.context) {
+              requestContext = session.context;
+              break;
+            }
+          }
+        }
         const progressToken = extra?._meta?.progressToken;
-        const context = {
-          /**
-           * Request sampling from the client's LLM with automatic progress notifications.
-           *
-           * Progress notifications are sent every 5 seconds (configurable) while waiting
-           * for the sampling response. This prevents client-side timeouts when
-           * resetTimeoutOnProgress is enabled.
-           *
-           * @param params - Sampling parameters (messages, model preferences, etc.)
-           * @param options - Optional configuration
-           * @param options.timeout - Timeout in milliseconds (default: no timeout / Infinity)
-           * @param options.progressIntervalMs - Interval between progress notifications (default: 5000ms)
-           * @param options.onProgress - Optional callback called each time progress is reported
-           * @returns The sampling result from the client's LLM
-           */
-          sample: /* @__PURE__ */ __name(async (sampleParams, options) => {
-            const {
-              timeout,
-              progressIntervalMs = 5e3,
-              onProgress
-            } = options ?? {};
-            let progressCount = 0;
-            let completed = false;
-            let progressInterval = null;
-            if (progressToken && extra?.sendNotification) {
-              progressInterval = setInterval(async () => {
-                if (completed) return;
-                progressCount++;
-                const progressData = {
-                  progress: progressCount,
-                  total: void 0,
-                  message: `Waiting for LLM response... (${progressCount * Math.round(progressIntervalMs / 1e3)}s elapsed)`
-                };
-                if (onProgress) {
-                  try {
-                    onProgress(progressData);
-                  } catch {
-                  }
-                }
+        const enhancedContext = requestContext ? Object.create(requestContext) : {};
+        enhancedContext.sample = async (sampleParams, options) => {
+          const {
+            timeout,
+            progressIntervalMs = 5e3,
+            onProgress
+          } = options ?? {};
+          let progressCount = 0;
+          let completed = false;
+          let progressInterval = null;
+          if (progressToken && extra?.sendNotification) {
+            progressInterval = setInterval(async () => {
+              if (completed) return;
+              progressCount++;
+              const progressData = {
+                progress: progressCount,
+                total: void 0,
+                message: `Waiting for LLM response... (${progressCount * Math.round(progressIntervalMs / 1e3)}s elapsed)`
+              };
+              if (onProgress) {
                 try {
-                  await extra.sendNotification({
-                    method: "notifications/progress",
-                    params: {
-                      progressToken,
-                      progress: progressData.progress,
-                      total: progressData.total,
-                      message: progressData.message
-                    }
-                  });
+                  onProgress(progressData);
                 } catch {
                 }
-              }, progressIntervalMs);
-            }
-            try {
-              const samplePromise = this.createMessage(sampleParams);
-              if (timeout && timeout !== Infinity) {
-                const timeoutPromise = new Promise((_, reject) => {
-                  setTimeout(
-                    () => reject(
-                      new Error(`Sampling timed out after ${timeout}ms`)
-                    ),
-                    timeout
-                  );
-                });
-                return await Promise.race([samplePromise, timeoutPromise]);
               }
-              return await samplePromise;
-            } finally {
-              completed = true;
-              if (progressInterval) {
-                clearInterval(progressInterval);
+              try {
+                await extra.sendNotification({
+                  method: "notifications/progress",
+                  params: {
+                    progressToken,
+                    progress: progressData.progress,
+                    total: progressData.total,
+                    message: progressData.message
+                  }
+                });
+              } catch {
               }
+            }, progressIntervalMs);
+          }
+          try {
+            const samplePromise = this.createMessage(sampleParams);
+            if (timeout && timeout !== Infinity) {
+              const timeoutPromise = new Promise((_, reject) => {
+                setTimeout(
+                  () => reject(new Error(`Sampling timed out after ${timeout}ms`)),
+                  timeout
+                );
+              });
+              return await Promise.race([samplePromise, timeoutPromise]);
             }
-          }, "sample"),
-          /**
-           * Send a progress notification to the client.
-           * Only works if the client requested progress updates for this tool call.
-           */
-          reportProgress: progressToken && extra?.sendNotification ? async (progress, total, message) => {
-            await extra.sendNotification({
-              method: "notifications/progress",
-              params: {
-                progressToken,
-                progress,
-                total,
-                message
-              }
-            });
-          } : void 0
+            return await samplePromise;
+          } finally {
+            completed = true;
+            if (progressInterval) {
+              clearInterval(progressInterval);
+            }
+          }
         };
-        if (toolDefinition.cb.length >= 2) {
-          return await toolDefinition.cb(params, context);
+        enhancedContext.reportProgress = progressToken && extra?.sendNotification ? async (progress, total, message) => {
+          await extra.sendNotification({
+            method: "notifications/progress",
+            params: {
+              progressToken,
+              progress,
+              total,
+              message
+            }
+          });
+        } : void 0;
+        const executeCallback = /* @__PURE__ */ __name(async () => {
+          if (actualCallback.length >= 2) {
+            return await actualCallback(params, enhancedContext);
+          }
+          return await actualCallback(params);
+        }, "executeCallback");
+        if (requestContext) {
+          return await runWithContext(requestContext, executeCallback);
         }
-        return await toolDefinition.cb(params);
+        return await executeCallback();
       }
     );
     this.registeredTools.push(toolDefinition.name);
@@ -963,6 +1937,7 @@ var McpServer = class {
         title: promptDefinition.title,
         description: promptDefinition.description ?? "",
         argsSchema
+        // Type assertion for Zod v4 compatibility
       },
       async (params) => {
         return await promptDefinition.cb(params);
@@ -1266,35 +2241,6 @@ var McpServer = class {
     }
     return `ui://widget/${parts.join("-")}${extension}`;
   }
-  /**
-   * Build a complete URL for a widget including query parameters
-   *
-   * Constructs the full URL to access a widget's iframe, encoding any provided
-   * parameters as query string parameters. Complex objects are JSON-stringified
-   * for transmission.
-   *
-   * @private
-   * @param widget - Widget name/identifier
-   * @param params - Parameters to encode in the URL
-   * @returns Complete URL with encoded parameters
-   */
-  buildWidgetUrl(widget, params) {
-    const baseUrl = `http://${this.serverHost}:${this.serverPort}/mcp-use/widgets/${widget}`;
-    if (Object.keys(params).length === 0) {
-      return baseUrl;
-    }
-    const queryParams = new URLSearchParams();
-    for (const [key, value] of Object.entries(params)) {
-      if (value !== void 0 && value !== null) {
-        if (typeof value === "object") {
-          queryParams.append(key, JSON.stringify(value));
-        } else {
-          queryParams.append(key, String(value));
-        }
-      }
-    }
-    return `${baseUrl}?${queryParams.toString()}`;
-  }
   /**
    * Convert widget props definition to tool input schema
    *
@@ -1403,7 +2349,7 @@ var McpServer = class {
     const srcDir = pathHelpers.join(getCwd(), resourcesDir);
     try {
       await fs.access(srcDir);
-    } catch (error) {
+    } catch (error2) {
       console.log(
         `[WIDGETS] No ${resourcesDir}/ directory found - skipping widget serving`
       );
@@ -1437,7 +2383,7 @@ var McpServer = class {
           }
         }
       }
-    } catch (error) {
+    } catch (error2) {
       console.log(`[WIDGETS] No widgets found in ${resourcesDir}/ directory`);
       return;
     }
@@ -1462,14 +2408,10 @@ var McpServer = class {
         'return import("@tailwindcss/vite")'
       )();
       tailwindcss = tailwindModule.default;
-    } catch (error) {
-      console.error(
-        "[WIDGETS] Dev dependencies not available. Install vite, @vitejs/plugin-react, and @tailwindcss/vite for widget development."
-      );
-      console.error(
-        "[WIDGETS] For production, use 'mcp-use build' to pre-build widgets."
+    } catch (error2) {
+      throw new Error(
+        "\u274C Widget dependencies not installed!\n\nTo use MCP widgets with resources folder, you need to install the required dependencies:\n\n  npm install vite @vitejs/plugin-react @tailwindcss/vite\n  # or\n  pnpm add vite @vitejs/plugin-react @tailwindcss/vite\n\nThese dependencies are automatically included in projects created with 'create-mcp-use-app'.\nFor production, pre-build your widgets using 'mcp-use build'."
       );
-      return;
     }
     const widgets = entries.map((entry) => {
       return {
@@ -1478,8 +2420,8 @@ var McpServer = class {
         entry: entry.path
       };
     });
-    for (const widget of widgets) {
-      const widgetTempDir = pathHelpers.join(tempDir, widget.name);
+    for (const widget2 of widgets) {
+      const widgetTempDir = pathHelpers.join(tempDir, widget2.name);
       await fs.mkdir(widgetTempDir, { recursive: true });
       const resourcesPath = pathHelpers.join(getCwd(), resourcesDir);
       const relativeResourcesPath = pathHelpers.relative(widgetTempDir, resourcesPath).replace(/\\/g, "/");
@@ -1496,7 +2438,7 @@ var McpServer = class {
       const entryContent = `import React from 'react'
 import { createRoot } from 'react-dom/client'
 import './styles.css'
-import Component from '${widget.entry}'
+import Component from '${widget2.entry}'
 
 const container = document.getElementById('widget-root')
 if (container && Component) {
@@ -1509,11 +2451,11 @@ if (container && Component) {
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width,initial-scale=1" />
-    <title>${widget.name} Widget</title>
+    <title>${widget2.name} Widget</title>
   </head>
   <body>
     <div id="widget-root"></div>
-    <script type="module" src="${baseRoute}/${widget.name}/entry.tsx"></script>
+    <script type="module" src="${baseRoute}/${widget2.name}/entry.tsx"></script>
   </body>
 </html>`;
       await fs.writeFile(
@@ -1603,8 +2545,8 @@ if (container && Component) {
       const widgetMatch = pathname.replace(baseRoute, "").match(/^\/([^/]+)/);
       if (widgetMatch) {
         const widgetName = widgetMatch[1];
-        const widget = widgets.find((w) => w.name === widgetName);
-        if (widget) {
+        const widget2 = widgets.find((w) => w.name === widgetName);
+        if (widget2) {
           const relativePath = pathname.replace(baseRoute, "");
           if (relativePath === `/${widgetName}` || relativePath === `/${widgetName}/`) {
             const newUrl = new URL(c.req.url);
@@ -1655,42 +2597,42 @@ if (container && Component) {
       const message = isAsset ? "Widget asset not found" : "Widget not found";
       return c.text(message, 404);
     });
-    widgets.forEach((widget) => {
+    widgets.forEach((widget2) => {
       console.log(
-        `[WIDGET] ${widget.name} mounted at ${baseRoute}/${widget.name}`
+        `[WIDGET] ${widget2.name} mounted at ${baseRoute}/${widget2.name}`
       );
     });
-    for (const widget of widgets) {
+    for (const widget2 of widgets) {
       const type = "appsSdk";
       let metadata = {};
       let props = {};
-      let description = widget.description;
+      let description = widget2.description;
       try {
-        const mod = await viteServer.ssrLoadModule(widget.entry);
+        const mod = await viteServer.ssrLoadModule(widget2.entry);
         if (mod.widgetMetadata) {
           metadata = mod.widgetMetadata;
-          description = metadata.description || widget.description;
+          description = metadata.description || widget2.description;
           if (metadata.inputs) {
             try {
               props = metadata.inputs.shape || {};
-            } catch (error) {
+            } catch (error2) {
               console.warn(
-                `[WIDGET] Failed to extract props schema for ${widget.name}:`,
-                error
+                `[WIDGET] Failed to extract props schema for ${widget2.name}:`,
+                error2
               );
             }
           }
         }
-      } catch (error) {
+      } catch (error2) {
         console.warn(
-          `[WIDGET] Failed to load metadata for ${widget.name}:`,
-          error
+          `[WIDGET] Failed to load metadata for ${widget2.name}:`,
+          error2
         );
       }
       let html = "";
       try {
         html = await fsHelpers.readFileSync(
-          pathHelpers.join(tempDir, widget.name, "index.html"),
+          pathHelpers.join(tempDir, widget2.name, "index.html"),
           "utf8"
         );
         const mcpUrl = this.getServerBaseUrl();
@@ -1728,25 +2670,25 @@ if (container && Component) {
         html = html.replace(
           /<head[^>]*>/i,
           `<head>
-    <script>window.__getFile = (filename) => { return "${baseUrl}/mcp-use/widgets/${widget.name}/"+filename }; window.__mcpPublicUrl = "${baseUrl}/mcp-use/public";</script>`
+    <script>window.__getFile = (filename) => { return "${baseUrl}/mcp-use/widgets/${widget2.name}/"+filename }; window.__mcpPublicUrl = "${baseUrl}/mcp-use/public";</script>`
         );
-      } catch (error) {
+      } catch (error2) {
         console.error(
-          `Failed to read html template for widget ${widget.name}`,
-          error
+          `Failed to read html template for widget ${widget2.name}`,
+          error2
         );
       }
       const mcp_connect_domain = this.getServerBaseUrl() ? new URL(this.getServerBaseUrl() || "").origin : null;
       this.uiResource({
-        name: widget.name,
-        title: metadata.title || widget.name,
+        name: widget2.name,
+        title: metadata.title || widget2.name,
         description,
         type,
         props,
         _meta: {
           "mcp-use/widget": {
-            name: widget.name,
-            title: metadata.title || widget.name,
+            name: widget2.name,
+            title: metadata.title || widget2.name,
             description,
             type,
             props,
@@ -1758,8 +2700,8 @@ if (container && Component) {
         htmlTemplate: html,
         appsSdkMetadata: {
           "openai/widgetDescription": description,
-          "openai/toolInvocation/invoking": `Loading ${widget.name}...`,
-          "openai/toolInvocation/invoked": `${widget.name} ready`,
+          "openai/toolInvocation/invoking": `Loading ${widget2.name}...`,
+          "openai/toolInvocation/invoked": `${widget2.name} ready`,
           "openai/widgetAccessible": true,
           "openai/resultCanProduceWidget": true,
           ...metadata.appsSdkMetadata || {},
@@ -1832,10 +2774,10 @@ if (container && Component) {
       } else {
         console.log("[WIDGETS] No widgets found in manifest");
       }
-    } catch (error) {
+    } catch (error2) {
       console.log(
         "[WIDGETS] Could not read manifest file, falling back to directory listing:",
-        error
+        error2
       );
       try {
         const allEntries = await fsHelpers.readdirSync(widgetsDir);
@@ -1900,10 +2842,10 @@ if (container && Component) {
     <script>window.__getFile = (filename) => { return "${baseUrl}/mcp-use/widgets/${widgetName}/"+filename }; window.__mcpPublicUrl = "${baseUrl}/mcp-use/public";</script>`
           );
         }
-      } catch (error) {
+      } catch (error2) {
         console.error(
           `[WIDGET] Failed to read ${widgetName}/index.html:`,
-          error
+          error2
         );
         continue;
       }
@@ -2030,7 +2972,7 @@ if (container && Component) {
       if (closeOldSessionId && this.sessions.has(closeOldSessionId)) {
         try {
           this.sessions.get(closeOldSessionId).transport.close();
-        } catch (error) {
+        } catch (error2) {
         }
         this.sessions.delete(closeOldSessionId);
       }
@@ -2161,7 +3103,7 @@ if (container && Component) {
           if (now - session.lastAccessedAt > idleTimeoutMs) {
             try {
               session.transport.close();
-            } catch (error) {
+            } catch (error2) {
             }
             this.sessions.delete(sessionId);
           }
@@ -2317,19 +3259,23 @@ if (container && Component) {
           }
         }
         if (sessionId && this.sessions.has(sessionId)) {
-          this.sessions.get(sessionId).lastAccessedAt = Date.now();
+          const session = this.sessions.get(sessionId);
+          session.lastAccessedAt = Date.now();
+          session.context = c;
         }
         if (expressRes._closeHandler) {
           c.req.raw.signal?.addEventListener("abort", () => {
             transport.close();
           });
         }
-        await this.waitForRequestComplete(
-          transport,
-          expressReq,
-          expressRes,
-          expressReq.body
-        );
+        await runWithContext(c, async () => {
+          await this.waitForRequestComplete(
+            transport,
+            expressReq,
+            expressRes,
+            expressReq.body
+          );
+        });
         const response = getResponse();
         if (response) {
           return response;
@@ -2573,6 +3519,9 @@ if (container && Component) {
     if (hostEnv) {
       this.serverHost = hostEnv;
     }
+    if (this.oauthConfig && !this.oauthSetupComplete) {
+      await this.setupOAuth(this.oauthConfig);
+    }
     await this.mountWidgets({
       baseRoute: "/mcp-use/widgets",
       resourcesDir: "resources"
@@ -2681,6 +3630,9 @@ if (container && Component) {
    * ```
    */
   async getHandler(options) {
+    if (this.oauthConfig && !this.oauthSetupComplete) {
+      await this.setupOAuth(this.oauthConfig);
+    }
     console.log("[MCP] Mounting widgets");
     await this.mountWidgets({
       baseRoute: "/mcp-use/widgets",
@@ -2784,10 +3736,10 @@ if (container && Component) {
     for (const [sessionId, session] of this.sessions.entries()) {
       try {
         await session.transport.send(notification);
-      } catch (error) {
+      } catch (error2) {
         console.warn(
           `[MCP] Failed to send notification to session ${sessionId}:`,
-          error
+          error2
         );
       }
     }
@@ -2832,10 +3784,10 @@ if (container && Component) {
     try {
       await session.transport.send(notification);
       return true;
-    } catch (error) {
+    } catch (error2) {
       console.warn(
         `[MCP] Failed to send notification to session ${sessionId}:`,
-        error
+        error2
       );
       return false;
     }
@@ -2903,10 +3855,10 @@ if (container && Component) {
         return response.roots;
       }
       return [];
-    } catch (error) {
+    } catch (error2) {
       console.warn(
         `[MCP] Failed to list roots from session ${sessionId}:`,
-        error
+        error2
       );
       return null;
     }
@@ -2984,14 +3936,14 @@ if (container && Component) {
    */
   setupWidgetRoutes() {
     this.app.get("/mcp-use/widgets/:widget/assets/*", async (c) => {
-      const widget = c.req.param("widget");
+      const widget2 = c.req.param("widget");
       const assetFile = c.req.path.split("/assets/")[1];
       const assetPath = pathHelpers.join(
         getCwd(),
         "dist",
         "resources",
         "widgets",
-        widget,
+        widget2,
         "assets",
         assetFile
       );
@@ -3020,10 +3972,10 @@ if (container && Component) {
       );
       try {
         const widgets = await fsHelpers.readdirSync(widgetsDir);
-        for (const widget of widgets) {
+        for (const widget2 of widgets) {
           const assetPath = pathHelpers.join(
             widgetsDir,
-            widget,
+            widget2,
             "assets",
             assetFile
           );
@@ -3043,13 +3995,13 @@ if (container && Component) {
       }
     });
     this.app.get("/mcp-use/widgets/:widget", async (c) => {
-      const widget = c.req.param("widget");
+      const widget2 = c.req.param("widget");
       const filePath = pathHelpers.join(
         getCwd(),
         "dist",
         "resources",
         "widgets",
-        widget,
+        widget2,
         "index.html"
       );
       try {
@@ -3066,7 +4018,7 @@ if (container && Component) {
         html = html.replace(
           /<head[^>]*>/i,
           `<head>
-    <script>window.__getFile = (filename) => { return "${baseUrl}/mcp-use/widgets/${widget}/"+filename }</script>`
+    <script>window.__getFile = (filename) => { return "${baseUrl}/mcp-use/widgets/${widget2}/"+filename }</script>`
         );
         return c.html(html);
       } catch {
@@ -3093,28 +4045,21 @@ if (container && Component) {
     });
   }
   /**
-   * Create input schema for resource templates
-   *
-   * Parses a URI template string to extract parameter names and generates a Zod
-   * validation schema for those parameters. Used internally for validating resource
-   * template parameters before processing requests.
+   * Convert a Zod object schema to the internal Record<string, z.ZodSchema> format
    *
-   * @param uriTemplate - URI template string with parameter placeholders (e.g., "/users/{id}/posts/{postId}")
-   * @returns Object mapping parameter names to Zod string schemas
-   *
-   * @example
-   * ```typescript
-   * const schema = this.createInputSchema("/users/{id}/posts/{postId}")
-   * // Returns: { id: z.string(), postId: z.string() }
-   * ```
+   * @param zodSchema - Zod object schema to convert
+   * @returns Object mapping parameter names to Zod validation schemas
    */
-  createInputSchema(uriTemplate) {
-    const params = this.extractTemplateParams(uriTemplate);
-    const schema = {};
-    params.forEach((param) => {
-      schema[param] = import_zod.z.string();
-    });
-    return schema;
+  convertZodSchemaToParams(zodSchema) {
+    if (!(zodSchema instanceof import_zod.z.ZodObject)) {
+      throw new Error("schema must be a Zod object schema (z.object({...}))");
+    }
+    const shape = zodSchema.shape;
+    const params = {};
+    for (const [key, value] of Object.entries(shape)) {
+      params[key] = value;
+    }
+    return params;
   }
   /**
    * Create input schema for tools
@@ -3168,75 +4113,6 @@ if (container && Component) {
     });
     return schema;
   }
-  /**
-   * Create arguments schema for prompts
-   *
-   * Converts prompt argument definitions into Zod validation schemas for runtime validation.
-   * Supports common data types (string, number, boolean, object, array) and optional
-   * parameters. Used internally when registering prompt templates with the MCP server.
-   *
-   * @param inputs - Array of argument definitions with name, type, and optional flag
-   * @returns Object mapping argument names to Zod validation schemas
-   *
-   * @example
-   * ```typescript
-   * const schema = this.createPromptArgsSchema([
-   *   { name: 'topic', type: 'string', required: true },
-   *   { name: 'style', type: 'string', required: false }
-   * ])
-   * // Returns: { topic: z.string(), style: z.string().optional() }
-   * ```
-   */
-  createPromptArgsSchema(inputs) {
-    const schema = {};
-    inputs.forEach((input) => {
-      let zodType;
-      switch (input.type) {
-        case "string":
-          zodType = import_zod.z.string();
-          break;
-        case "number":
-          zodType = import_zod.z.number();
-          break;
-        case "boolean":
-          zodType = import_zod.z.boolean();
-          break;
-        case "object":
-          zodType = import_zod.z.object({});
-          break;
-        case "array":
-          zodType = import_zod.z.array(import_zod.z.any());
-          break;
-        default:
-          zodType = import_zod.z.any();
-      }
-      if (!input.required) {
-        zodType = zodType.optional();
-      }
-      schema[input.name] = zodType;
-    });
-    return schema;
-  }
-  /**
-   * Extract parameter names from URI template
-   *
-   * Parses a URI template string to extract parameter names enclosed in curly braces.
-   * Used internally to identify dynamic parameters in resource templates and generate
-   * appropriate validation schemas.
-   *
-   * @param uriTemplate - URI template string with parameter placeholders (e.g., "/users/{id}/posts/{postId}")
-   * @returns Array of parameter names found in the template
-   *
-   * @example
-   * ```typescript
-   * const params = this.extractTemplateParams("/users/{id}/posts/{postId}")
-   * // Returns: ["id", "postId"]
-   * ```
-   */
-  extractTemplateParams(uriTemplate) {
-    const matches = uriTemplate.match(/\{([^}]+)\}/g);
-    return matches ? matches.map((match) => match.slice(1, -1)) : [];
-  }
   /**
    * Parse parameter values from a URI based on a template
    *
@@ -3279,8 +4155,127 @@ function createMCPServer(name, config = {}) {
     host: config.host,
     baseUrl: config.baseUrl,
     allowedOrigins: config.allowedOrigins,
-    sessionIdleTimeoutMs: config.sessionIdleTimeoutMs
+    sessionIdleTimeoutMs: config.sessionIdleTimeoutMs,
+    autoCreateSessionOnInvalidId: config.autoCreateSessionOnInvalidId,
+    oauth: config.oauth
   });
   return instance;
 }
 __name(createMCPServer, "createMCPServer");
+
+// src/server/utils/response-helpers.ts
+function text(content) {
+  return {
+    content: [
+      {
+        type: "text",
+        text: content
+      }
+    ]
+  };
+}
+__name(text, "text");
+function image(data, mimeType = "image/png") {
+  return {
+    content: [
+      {
+        type: "image",
+        data,
+        mimeType
+      }
+    ]
+  };
+}
+__name(image, "image");
+function resource(uri, mimeType, text2) {
+  const resourceContent = {
+    type: "resource",
+    resource: {
+      uri,
+      ...mimeType && { mimeType },
+      ...text2 && { text: text2 }
+    }
+  };
+  return {
+    content: [resourceContent]
+  };
+}
+__name(resource, "resource");
+function error(message) {
+  return {
+    isError: true,
+    content: [
+      {
+        type: "text",
+        text: message
+      }
+    ]
+  };
+}
+__name(error, "error");
+function object(data) {
+  return Array.isArray(data) ? array(data) : {
+    content: [
+      {
+        type: "text",
+        text: JSON.stringify(data, null, 2)
+      }
+    ],
+    structuredContent: data
+  };
+}
+__name(object, "object");
+function array(data) {
+  return {
+    content: [
+      {
+        type: "text",
+        text: JSON.stringify(data, null, 2)
+      }
+    ],
+    structuredContent: { data }
+  };
+}
+__name(array, "array");
+function widget(config) {
+  const {
+    name,
+    data,
+    message,
+    invoking,
+    invoked,
+    widgetAccessible = true,
+    resultCanProduceWidget = true,
+    buildId
+  } = config;
+  const randomId = Math.random().toString(36).substring(2, 15);
+  const buildIdPart = buildId ? `-${buildId}` : "";
+  const uniqueUri = `ui://widget/${name}${buildIdPart}-${randomId}.html`;
+  const metadata = {
+    "openai/outputTemplate": uniqueUri,
+    "openai/widgetAccessible": widgetAccessible,
+    "openai/resultCanProduceWidget": resultCanProduceWidget
+  };
+  if (invoking) {
+    metadata["openai/toolInvocation/invoking"] = invoking;
+  }
+  if (invoked) {
+    metadata["openai/toolInvocation/invoked"] = invoked;
+  }
+  const displayMessage = message || `Displaying ${name}`;
+  return {
+    _meta: metadata,
+    content: [
+      {
+        type: "text",
+        text: displayMessage
+      }
+    ],
+    // structuredContent will be injected as window.openai.toolOutput by Apps SDK
+    structuredContent: data
+  };
+}
+__name(widget, "widget");
+
+// src/server/index.ts
+init_oauth();