toolcraft 0.0.22 → 0.0.24

package/node_modules/tiny-mcp-client/dist/internal.js

@@ -1,15 +1,18 @@
 import { spawn } from "node:child_process";
 import { PassThrough } from "node:stream";
-import { createOAuthClientProvider, OAuthError, } from "../../mcp-oauth/dist/index.js";
+import { createOAuthClientProvider, OAuthError, } from "mcp-oauth";
 import { OAuthMetadataDiscovery, parseBearerWwwAuthenticateHeader, } from "./oauth-discovery.js";
 export { OAuthMetadataDiscovery, discoverOAuthMetadata, parseBearerWwwAuthenticateHeader, resolveAuthorizationServerMetadataUrl, resolveProtectedResourceMetadataUrl, } from "./oauth-discovery.js";
-export { createAuthStoreSessionStore, createDefaultOAuthClientProvider, } from "../../mcp-oauth/dist/index.js";
+export { createAuthStoreSessionStore, createDefaultOAuthClientProvider, } from "mcp-oauth";
 const MCP_PROTOCOL_VERSION = "2025-03-26";
 export class McpClient {
     currentState = "disconnected";
     currentServerCapabilities = null;
+    currentClientCapabilities = null;
     currentServerInfo = null;
     currentInstructions;
+    subscribedResourceUris = new Set();
+    activeProgressTokens = new Map();
     options;
     transport = null;
     messageLayer = null;
@@ -20,7 +23,9 @@ export class McpClient {
         return this.currentState;
     }
     get serverCapabilities() {
-        return this.currentServerCapabilities;
+        return this.currentServerCapabilities === null
+            ? null
+            : structuredClone(this.currentServerCapabilities);
     }
     get serverInfo() {
         return this.currentServerInfo;
@@ -44,22 +49,23 @@ export class McpClient {
         if (this.currentState !== "disconnected" && this.currentState !== "closed") {
             throw new Error("MCP client is already connected");
         }
+        this.currentServerCapabilities = null;
+        this.currentClientCapabilities = null;
+        this.currentServerInfo = null;
+        this.currentInstructions = undefined;
+        this.subscribedResourceUris.clear();
+        this.activeProgressTokens.clear();
         const transportClosedReason = transport.closed
             .then((closedEvent) => closedEvent.reason)
             .catch((error) => error instanceof Error ? error : new Error(String(error)));
-        const messageLayer = new JsonRpcMessageLayer(transport.readable, transport.writable, 30_000, transportClosedReason);
+        const messageLayer = new JsonRpcMessageLayer(transport.readable, transport.writable, this.options.requestTimeoutMs, transportClosedReason);
         const { onSamplingRequest, onRootsList, onToolsChanged, onResourcesChanged, onResourceUpdated, onPromptsChanged, onLog, onProgress, } = this.options;
         messageLayer.onRequest("ping", () => ({}));
         if (onSamplingRequest !== undefined) {
             messageLayer.onRequest("sampling/createMessage", (params) => onSamplingRequest(params));
         }
-        if (onRootsList !== undefined) {
-            messageLayer.onRequest("roots/list", async () => ({
-                roots: await onRootsList(),
-            }));
-        }
         messageLayer.onNotification("notifications/tools/list_changed", async () => {
-            if (onToolsChanged === undefined) {
+            if (onToolsChanged === undefined || this.currentServerCapabilities?.tools?.listChanged !== true) {
                 return;
             }
             await onToolsChanged();
@@ -78,7 +84,7 @@ export class McpClient {
                 return;
             }
             const { uri } = params;
-            if (typeof uri !== "string") {
+            if (typeof uri !== "string" || !this.subscribedResourceUris.has(uri)) {
                 return;
             }
             await onResourceUpdated(uri);
@@ -113,7 +119,9 @@ export class McpClient {
                 return;
             }
             const { progressToken, progress } = params;
-            if (!isRequestId(progressToken) || typeof progress !== "number") {
+            if (!isRequestId(progressToken) ||
+                typeof progress !== "number" ||
+                !this.activeProgressTokens.has(progressToken)) {
                 return;
             }
             const progressParams = {
@@ -138,6 +146,8 @@ export class McpClient {
         this.transport = transport;
         this.messageLayer = messageLayer;
         this.currentState = "initializing";
+        this.subscribedResourceUris.clear();
+        this.activeProgressTokens.clear();
         transport.closed
             .then((closedEvent) => {
             if (this.transport !== transport) {
@@ -169,20 +179,43 @@ export class McpClient {
                 ...(capabilities.roots ?? {}),
             };
         }
-        const initializeResult = (await messageLayer.sendRequest("initialize", {
-            protocolVersion: MCP_PROTOCOL_VERSION,
-            clientInfo: this.options.clientInfo,
-            capabilities,
-        }));
-        if (initializeResult.protocolVersion !== MCP_PROTOCOL_VERSION) {
-            throw new McpError(ERROR_INVALID_REQUEST, `Unsupported protocol version: ${initializeResult.protocolVersion}`);
-        }
-        this.currentServerCapabilities = initializeResult.capabilities;
-        this.currentServerInfo = initializeResult.serverInfo;
-        this.currentInstructions = initializeResult.instructions;
-        messageLayer.sendNotification("notifications/initialized");
-        this.currentState = "ready";
-        return initializeResult;
+        this.currentClientCapabilities = structuredClone(capabilities);
+        try {
+            const initializeResultValue = await messageLayer.sendRequest("initialize", {
+                protocolVersion: MCP_PROTOCOL_VERSION,
+                clientInfo: this.options.clientInfo,
+                capabilities,
+            });
+            if (!isInitializeResult(initializeResultValue)) {
+                throw new McpError(ERROR_INVALID_REQUEST, "Invalid initialize result");
+            }
+            const initializeResult = initializeResultValue;
+            if (initializeResult.protocolVersion !== MCP_PROTOCOL_VERSION) {
+                throw new McpError(ERROR_INVALID_REQUEST, `Unsupported protocol version: ${initializeResult.protocolVersion}`);
+            }
+            this.currentServerCapabilities = structuredClone(initializeResult.capabilities);
+            this.currentServerInfo = { ...initializeResult.serverInfo };
+            this.currentInstructions = initializeResult.instructions;
+            if (onRootsList !== undefined) {
+                messageLayer.onRequest("roots/list", async () => ({
+                    roots: await onRootsList(),
+                }));
+            }
+            messageLayer.sendNotification("notifications/initialized");
+            this.currentState = "ready";
+            return initializeResult;
+        }
+        catch (error) {
+            if (this.transport === transport) {
+                const reason = error instanceof Error ? error : new Error(String(error));
+                messageLayer.dispose(reason);
+                transport.dispose(reason);
+                this.messageLayer = null;
+                this.transport = null;
+                this.currentState = "disconnected";
+            }
+            throw error;
+        }
     }
     getServerCapabilitiesOrThrow() {
         if (this.currentServerCapabilities === null) {
@@ -197,7 +230,11 @@ export class McpClient {
             throw new Error("Server does not support tools");
         }
         const requestParams = params.cursor === undefined ? undefined : { cursor: params.cursor };
-        return (await messageLayer.sendRequest("tools/list", requestParams));
+        const result = await messageLayer.sendRequest("tools/list", requestParams);
+        if (!isToolsListResult(result)) {
+            throw new McpError(ERROR_INVALID_REQUEST, "Invalid tools/list result");
+        }
+        return result;
     }
     async callTool(params, options = {}) {
         const messageLayer = this.getMessageLayerOrThrow();
@@ -205,6 +242,9 @@ export class McpClient {
         if (serverCapabilities.tools === undefined) {
             throw new Error("Server does not support tools");
         }
+        if (options.signal?.aborted) {
+            throw options.signal.reason;
+        }
         const requestParams = options.progressToken === undefined
             ? params
             : {
@@ -213,37 +253,58 @@ export class McpClient {
                     progressToken: options.progressToken,
                 },
             };
-        let requestId;
-        const requestPromise = messageLayer.sendRequest("tools/call", requestParams, {
-            onRequestId: (nextRequestId) => {
-                requestId = nextRequestId;
-            },
-        });
-        if (options.signal === undefined) {
-            return await requestPromise;
-        }
-        const signal = options.signal;
-        let abortListener;
-        const abortPromise = new Promise((_, reject) => {
-            const rejectWithAbortReason = () => {
-                if (requestId !== undefined) {
-                    messageLayer.sendNotification("notifications/cancelled", { requestId });
+        if (options.progressToken !== undefined) {
+            this.activeProgressTokens.set(options.progressToken, (this.activeProgressTokens.get(options.progressToken) ?? 0) + 1);
+        }
+        try {
+            let requestId;
+            const requestPromise = messageLayer.sendRequest("tools/call", requestParams, {
+                onRequestId: (nextRequestId) => {
+                    requestId = nextRequestId;
+                },
+            }).then((result) => {
+                if (!isCallToolResult(result)) {
+                    throw new McpError(ERROR_INVALID_REQUEST, "Invalid tool result");
+                }
+                return result;
+            });
+            if (options.signal === undefined) {
+                return await requestPromise;
+            }
+            const signal = options.signal;
+            let abortListener;
+            const abortPromise = new Promise((_, reject) => {
+                const rejectWithAbortReason = () => {
+                    if (requestId !== undefined) {
+                        messageLayer.sendNotification("notifications/cancelled", { requestId });
+                    }
+                    reject(signal.reason);
+                };
+                abortListener = rejectWithAbortReason;
+                signal.addEventListener("abort", abortListener, { once: true });
+                if (signal.aborted) {
+                    signal.removeEventListener("abort", abortListener);
+                    rejectWithAbortReason();
+                }
+            });
+            try {
+                return (await Promise.race([requestPromise, abortPromise]));
+            }
+            finally {
+                if (abortListener !== undefined) {
+                    signal.removeEventListener("abort", abortListener);
                 }
-                reject(signal.reason);
-            };
-            abortListener = rejectWithAbortReason;
-            signal.addEventListener("abort", abortListener, { once: true });
-            if (signal.aborted) {
-                signal.removeEventListener("abort", abortListener);
-                rejectWithAbortReason();
             }
-        });
-        try {
-            return (await Promise.race([requestPromise, abortPromise]));
         }
         finally {
-            if (abortListener !== undefined) {
-                signal.removeEventListener("abort", abortListener);
+            if (options.progressToken !== undefined) {
+                const activeCount = this.activeProgressTokens.get(options.progressToken);
+                if (activeCount === 1) {
+                    this.activeProgressTokens.delete(options.progressToken);
+                }
+                else if (activeCount !== undefined) {
+                    this.activeProgressTokens.set(options.progressToken, activeCount - 1);
+                }
             }
         }
     }
@@ -280,6 +341,7 @@ export class McpClient {
             throw new Error("Server does not support resource subscriptions");
         }
         await messageLayer.sendRequest("resources/subscribe", { uri });
+        this.subscribedResourceUris.add(uri);
     }
     async unsubscribe(uri) {
         const messageLayer = this.getMessageLayerOrThrow();
@@ -288,6 +350,7 @@ export class McpClient {
             throw new Error("Server does not support resource subscriptions");
         }
         await messageLayer.sendRequest("resources/unsubscribe", { uri });
+        this.subscribedResourceUris.delete(uri);
     }
     async listPrompts(params = {}) {
         const messageLayer = this.getMessageLayerOrThrow();
@@ -332,6 +395,9 @@ export class McpClient {
     }
     async sendRootsChanged() {
         const messageLayer = this.getMessageLayerOrThrow();
+        if (this.currentClientCapabilities?.roots?.listChanged !== true) {
+            throw new Error("Client did not advertise roots list changes");
+        }
         messageLayer.sendNotification("notifications/roots/list_changed");
     }
     async ping() {
@@ -347,6 +413,12 @@ export class McpClient {
         this.transport?.dispose(closeError);
         this.messageLayer = null;
         this.transport = null;
+        this.currentServerCapabilities = null;
+        this.currentClientCapabilities = null;
+        this.currentServerInfo = null;
+        this.currentInstructions = undefined;
+        this.subscribedResourceUris.clear();
+        this.activeProgressTokens.clear();
         this.currentState = "closed";
     }
 }
@@ -1543,16 +1615,29 @@ export class HttpTransport {
         this.disposed = true;
         this.abortInFlightFetches();
         this.cancelOpenSseReaders();
-        this.terminateSession();
         if (!this.writeStream.destroyed && !this.writeStream.writableEnded) {
             this.writeStream.end();
         }
         if (!this.readStream.destroyed && !this.readStream.writableEnded) {
             this.readStream.end();
         }
+        void this.closeWithSessionTermination(reason);
+    }
+    async closeWithSessionTermination(reason) {
+        let closeReason = reason;
+        if (this.sessionId !== undefined) {
+            const sessionId = this.sessionId;
+            this.sessionId = undefined;
+            try {
+                await this.sendSessionTerminationRequest(sessionId);
+            }
+            catch (error) {
+                closeReason = error instanceof Error ? error : new Error(String(error));
+            }
+        }
         const resolveClosed = this.resolveClosed;
         this.resolveClosed = undefined;
-        resolveClosed?.({ reason });
+        resolveClosed?.({ reason: closeReason });
     }
     abortInFlightFetches() {
         for (const abortController of this.inFlightFetchAbortControllers) {
@@ -1598,7 +1683,9 @@ export class HttpTransport {
             await this.throwForPostHttpError(response);
             this.captureSessionId(response);
             this.maybeOpenGetSseStream();
-            await this.forwardResponseMessages(response);
+            void this.forwardResponseMessages(response).catch((error) => {
+                this.dispose(error instanceof Error ? error : new Error(String(error)));
+            });
         }
     }
     async createPostHeaders() {
@@ -1607,6 +1694,7 @@ export class HttpTransport {
         headers.set("Content-Type", "application/json");
         if (this.sessionId !== undefined) {
             headers.set("Mcp-Session-Id", this.sessionId);
+            headers.set("MCP-Protocol-Version", MCP_PROTOCOL_VERSION);
         }
         return this.authorizeRequestHeaders(headers);
     }
@@ -1615,6 +1703,7 @@ export class HttpTransport {
         headers.set("Accept", "text/event-stream");
         if (this.sessionId !== undefined) {
             headers.set("Mcp-Session-Id", this.sessionId);
+            headers.set("MCP-Protocol-Version", MCP_PROTOCOL_VERSION);
         }
         if (this.lastEventId !== undefined) {
             headers.set("Last-Event-ID", this.lastEventId);
@@ -1624,6 +1713,7 @@ export class HttpTransport {
     async createDeleteHeaders(sessionId) {
         const headers = new Headers(this.headers);
         headers.set("Mcp-Session-Id", sessionId);
+        headers.set("MCP-Protocol-Version", MCP_PROTOCOL_VERSION);
         return this.authorizeRequestHeaders(headers);
     }
     async authorizeRequestHeaders(headers) {
@@ -1639,6 +1729,9 @@ export class HttpTransport {
         if (sessionId === null || sessionId.length === 0) {
             return;
         }
+        if (this.sessionId !== undefined && this.sessionId !== sessionId) {
+            throw new Error("HTTP transport response changed active session ID");
+        }
         this.sessionId = sessionId;
     }
     maybeOpenGetSseStream() {
@@ -1653,22 +1746,20 @@ export class HttpTransport {
             this.dispose(error instanceof Error ? error : new Error(String(error)));
         });
     }
-    terminateSession() {
-        if (this.sessionId === undefined) {
-            return;
-        }
-        const sessionId = this.sessionId;
-        this.sessionId = undefined;
-        this.sendSessionTerminationRequest(sessionId).catch(() => undefined);
-    }
     async sendSessionTerminationRequest(sessionId) {
         const response = await this.fetchImpl(this.url, {
             method: "DELETE",
             headers: await this.createDeleteHeaders(sessionId),
         });
-        if (response.status === 405) {
+        if (response.status === 405 || response.ok) {
             return;
         }
+        const responseBody = (await response.text()).trim();
+        const statusDescriptor = `${response.status} ${response.statusText}`.trim();
+        const message = responseBody.length === 0
+            ? `HTTP transport DELETE failed (${statusDescriptor})`
+            : `HTTP transport DELETE failed (${statusDescriptor}): ${responseBody}`;
+        throw new Error(message);
     }
     async consumeGetSseStream() {
         const response = await this.fetchWithOAuthRetry({
@@ -1678,6 +1769,18 @@ export class HttpTransport {
         if (response.status === 405) {
             throw new HttpTransportGetSseNotSupportedError();
         }
+        if (response.status === 404) {
+            this.sessionId = undefined;
+            throw new Error("HTTP transport session expired (GET 404 response)");
+        }
+        if (!response.ok) {
+            const responseBody = (await response.text()).trim();
+            const statusDescriptor = `${response.status} ${response.statusText}`.trim();
+            const message = responseBody.length === 0
+                ? `HTTP transport GET failed (${statusDescriptor})`
+                : `HTTP transport GET failed (${statusDescriptor}): ${responseBody}`;
+            throw new Error(message);
+        }
         const contentType = response.headers.get("Content-Type");
         if (contentType === null) {
             return;
@@ -1688,7 +1791,9 @@ export class HttpTransport {
             if (!this.disposed && this.sessionId !== undefined && this.lastEventId !== undefined) {
                 this.maybeOpenGetSseStream();
             }
+            return;
         }
+        return;
     }
     async throwForPostHttpError(response) {
         if (response.status < 400) {
@@ -1744,7 +1849,9 @@ export class HttpTransport {
         }
         if (normalizedContentType.includes("application/json")) {
             await this.forwardJsonResponseMessage(response);
+            return;
         }
+        throw new Error("HTTP transport POST returned an unsupported response content type");
     }
     async forwardSseResponseMessages(response) {
         if (response.body === null) {
@@ -1866,8 +1973,12 @@ function normalizeLine(line) {
 }
 export async function* readLines(stream) {
     let buffer = "";
+    const decoder = new TextDecoder();
     for await (const chunk of stream) {
-        buffer += chunkToString(chunk);
+        buffer +=
+            chunk instanceof Uint8Array
+                ? decoder.decode(chunk, { stream: true })
+                : decoder.decode() + String(chunk);
         while (true) {
             const newlineIndex = buffer.indexOf("\n");
             if (newlineIndex === -1) {
@@ -1878,6 +1989,7 @@ export async function* readLines(stream) {
             yield normalizeLine(line);
         }
     }
+    buffer += decoder.decode();
     if (buffer.length > 0) {
         yield normalizeLine(buffer);
     }
@@ -2253,6 +2365,64 @@ export class JsonRpcMessageLayer {
 function isObjectRecord(value) {
     return typeof value === "object" && value !== null && !Array.isArray(value);
 }
+function isInitializeResult(value) {
+    if (!isObjectRecord(value) || typeof value.protocolVersion !== "string") {
+        return false;
+    }
+    if (!isServerCapabilities(value.capabilities)) {
+        return false;
+    }
+    if (!isObjectRecord(value.serverInfo)
+        || typeof value.serverInfo.name !== "string"
+        || value.serverInfo.name.length === 0
+        || typeof value.serverInfo.version !== "string"
+        || value.serverInfo.version.length === 0) {
+        return false;
+    }
+    return value.instructions === undefined || typeof value.instructions === "string";
+}
+function isServerCapabilities(value) {
+    if (!isObjectRecord(value)) {
+        return false;
+    }
+    for (const capability of ["prompts", "resources", "tools", "logging", "completions", "experimental"]) {
+        if (value[capability] !== undefined && !isObjectRecord(value[capability])) {
+            return false;
+        }
+    }
+    return true;
+}
+function isCallToolResult(value) {
+    if (!isObjectRecord(value) || !Array.isArray(value.content)) {
+        return false;
+    }
+    if (value.isError !== undefined && typeof value.isError !== "boolean") {
+        return false;
+    }
+    return value.content.every(isContentItem);
+}
+function isToolsListResult(value) {
+    return isObjectRecord(value)
+        && Array.isArray(value.tools)
+        && (value.nextCursor === undefined || typeof value.nextCursor === "string");
+}
+function isContentItem(value) {
+    if (!isObjectRecord(value)) {
+        return false;
+    }
+    if (value.type === "text") {
+        return typeof value.text === "string";
+    }
+    if (value.type === "image" || value.type === "audio") {
+        return typeof value.data === "string" && typeof value.mimeType === "string";
+    }
+    if (value.type !== "resource" || !isObjectRecord(value.resource)) {
+        return false;
+    }
+    return typeof value.resource.uri === "string"
+        && (value.resource.mimeType === undefined || typeof value.resource.mimeType === "string")
+        && (typeof value.resource.text === "string" || typeof value.resource.blob === "string");
+}
 function hasOwn(value, property) {
     return Object.prototype.hasOwnProperty.call(value, property);
 }

package/node_modules/tiny-mcp-client/dist/oauth-discovery.d.ts

@@ -1,4 +1,4 @@
-import type { OAuthAuthorizationServerMetadata, OAuthDiscoveryResult, OAuthMetadataFetch, OAuthProtectedResourceMetadata, OAuthUnauthorizedChallenge } from "../../mcp-oauth/dist/index.js";
+import type { OAuthAuthorizationServerMetadata, OAuthDiscoveryResult, OAuthMetadataFetch, OAuthProtectedResourceMetadata, OAuthUnauthorizedChallenge } from "mcp-oauth";
 export type { OAuthAuthorizationServerMetadata, OAuthDiscoveryResult, OAuthMetadataFetch, OAuthProtectedResourceMetadata, OAuthUnauthorizedChallenge, };
 export interface OAuthDiscoveryCache {
     get(resourceUrl: string): OAuthDiscoveryResult | null | undefined | Promise<OAuthDiscoveryResult | null | undefined>;

package/node_modules/tiny-mcp-client/dist/oauth-discovery.js

@@ -1,4 +1,4 @@
-import { canonicalizeResourceIndicator } from "../../mcp-oauth/dist/index.js";
+import { canonicalizeResourceIndicator } from "mcp-oauth";
 function defaultOAuthMetadataFetch(input, init) {
     return fetch(input, init);
 }
@@ -129,16 +129,13 @@ export class OAuthMetadataDiscovery {
         const cacheKey = canonicalizeResourceIndicator(resourceUrl);
         const resourceMetadataLocation = resolveProtectedResourceMetadataUrl(cacheKey, resourceMetadataUrl);
         const memoryCachedResult = this.memoryCache.get(cacheKey);
-        if (memoryCachedResult !== undefined &&
-            (resourceMetadataUrl === undefined
-                || memoryCachedResult.resourceMetadataUrl === resourceMetadataLocation)) {
+        if (memoryCachedResult !== undefined && resourceMetadataUrl === undefined) {
             return memoryCachedResult;
         }
         const sharedCachedResult = await this.cache?.get(cacheKey);
         if (sharedCachedResult !== null &&
             sharedCachedResult !== undefined &&
-            (resourceMetadataUrl === undefined
-                || sharedCachedResult.resourceMetadataUrl === resourceMetadataLocation)) {
+            resourceMetadataUrl === undefined) {
             this.memoryCache.set(cacheKey, sharedCachedResult);
             return sharedCachedResult;
         }
@@ -340,7 +337,7 @@ export function parseBearerWwwAuthenticateHeader(headerValue) {
             break;
         }
         index = skipOptionalWhitespace(headerValue, scheme.nextIndex);
-        const params = {};
+        const params = Object.create(null);
         if (index < headerValue.length && headerValue[index] !== ",") {
             const token68 = readToken68(headerValue, index);
             if (token68 !== null) {

package/node_modules/tiny-mcp-client/package.json

@@ -1,11 +1,12 @@
 {
   "name": "tiny-mcp-client",
   "version": "0.1.0",
+  "private": true,
   "type": "module",
   "main": "./dist/index.js",
   "types": "./dist/index.d.ts",
   "scripts": {
-    "build": "tsc"
+    "build": "node ../../scripts/guard-package-dist.mjs && tsc"
   },
   "repository": {
     "type": "git",

package/node_modules/tiny-mcp-client/src/http-oauth.integration.test.ts

@@ -4,7 +4,7 @@ import {
   OAuthError,
   type OAuthSessionStore,
   type StoredOAuthSession,
-} from "../../mcp-oauth/dist/index.js";
+} from "mcp-oauth";
 import { nodeFetch } from "tiny-http-mcp-server/testing";
 import {
   createMcpOAuthTestServer,

package/node_modules/tiny-mcp-client/src/http-oauth.test.ts

@@ -427,6 +427,45 @@ describe("discoverOAuthMetadata", () => {
       hintedAuthorizationServerMetadataUrl,
     ]);
   });
+
+  it("refetches an explicitly repeated resource_metadata hint", async () => {
+    const resourceUrl = "https://resource.example.com/tenant/mcp";
+    const resourceMetadataUrl =
+      "https://resource.example.com/.well-known/oauth-protected-resource/tenant/mcp";
+    const firstIssuer = "https://auth.example.com/issuer-a";
+    const secondIssuer = "https://auth.example.com/issuer-b";
+    let rotated = false;
+    const fetchMock = vi.fn(async (input: string | URL): Promise<Response> => {
+      const url = input.toString();
+      if (url === resourceMetadataUrl) {
+        return jsonResponse({
+          resource: resourceUrl,
+          authorization_servers: [rotated ? secondIssuer : firstIssuer],
+        });
+      }
+      const issuer = url.includes("issuer-a") ? firstIssuer : secondIssuer;
+      return jsonResponse({
+        issuer,
+        authorization_endpoint: `${issuer}/authorize`,
+        token_endpoint: `${issuer}/token`,
+        response_types_supported: ["code"],
+        code_challenge_methods_supported: ["S256"],
+      });
+    });
+    const discoveryClient = new OAuthMetadataDiscovery({ fetch: fetchMock });
+
+    expect((await discoveryClient.discover(resourceUrl)).authorizationServer).toBe(firstIssuer);
+    rotated = true;
+    expect(
+      (await discoveryClient.discover(resourceUrl, { resourceMetadataUrl })).authorizationServer
+    ).toBe(secondIssuer);
+    expect(fetchMock.mock.calls.map(([input]) => input.toString())).toEqual([
+      resourceMetadataUrl,
+      "https://auth.example.com/.well-known/oauth-authorization-server/issuer-a",
+      resourceMetadataUrl,
+      "https://auth.example.com/.well-known/oauth-authorization-server/issuer-b",
+    ]);
+  });
 });
 
 describe("parseBearerWwwAuthenticateHeader", () => {
@@ -464,6 +503,13 @@ describe("parseBearerWwwAuthenticateHeader", () => {
         'Digest abc123==, Bearer abc123==, Bearer realm="mcp", resource_metadata="https://resource.example.com/.well-known/oauth-protected-resource/mcp"',
     });
   });
+
+  it("preserves a __proto__ auth parameter as parsed data", () => {
+    const challenge = parseBearerWwwAuthenticateHeader('Bearer __proto__="visible"');
+
+    expect(Object.hasOwn(challenge!.params, "__proto__")).toBe(true);
+    expect(challenge?.params.__proto__).toBe("visible");
+  });
 });
 
 describe("resolveAuthorizationServerMetadataUrl", () => {