mcp-proxy/dist/index.mjs.map

A TypeScript SSE proxy for MCP servers that use stdio transport.

{"version":3,"file":"index.mjs","names":["core._coercedNumber","schemas.ZodNumber","url","url","z\n    .url","z.NEVER","url","z.looseObject","z.string","z.array","z.boolean","z.object","z\n    .object","z.coerce.number","z.literal","z.any","z.number","url","tokens","url","url","_a","_b","url","_a","error","transport: SSEClientTransport | StreamableHTTPClientTransport","url"],"sources":["../node_modules/.pnpm/zod@3.25.76/node_modules/zod/v4/classic/compat.js","../node_modules/.pnpm/zod@3.25.76/node_modules/zod/v4/classic/coerce.js","../node_modules/.pnpm/eventsource-parser@3.0.6/node_modules/eventsource-parser/dist/index.js","../node_modules/.pnpm/eventsource@3.0.7/node_modules/eventsource/dist/index.js","../node_modules/.pnpm/@modelcontextprotocol+sdk@1.24.3_zod@3.25.76/node_modules/@modelcontextprotocol/sdk/dist/esm/shared/transport.js","../node_modules/.pnpm/pkce-challenge@5.0.0/node_modules/pkce-challenge/dist/index.node.js","../node_modules/.pnpm/@modelcontextprotocol+sdk@1.24.3_zod@3.25.76/node_modules/@modelcontextprotocol/sdk/dist/esm/shared/auth.js","../node_modules/.pnpm/@modelcontextprotocol+sdk@1.24.3_zod@3.25.76/node_modules/@modelcontextprotocol/sdk/dist/esm/shared/auth-utils.js","../node_modules/.pnpm/@modelcontextprotocol+sdk@1.24.3_zod@3.25.76/node_modules/@modelcontextprotocol/sdk/dist/esm/server/auth/errors.js","../node_modules/.pnpm/@modelcontextprotocol+sdk@1.24.3_zod@3.25.76/node_modules/@modelcontextprotocol/sdk/dist/esm/client/auth.js","../node_modules/.pnpm/@modelcontextprotocol+sdk@1.24.3_zod@3.25.76/node_modules/@modelcontextprotocol/sdk/dist/esm/client/sse.js","../node_modules/.pnpm/eventsource-parser@3.0.6/node_modules/eventsource-parser/dist/stream.js","../node_modules/.pnpm/@modelcontextprotocol+sdk@1.24.3_zod@3.25.76/node_modules/@modelcontextprotocol/sdk/dist/esm/client/streamableHttp.js","../node_modules/.pnpm/@modelcontextprotocol+sdk@1.24.3_zod@3.25.76/node_modules/@modelcontextprotocol/sdk/dist/esm/server/stdio.js","../src/startStdioServer.ts","../src/tapTransport.ts"],"sourcesContent":["// Zod 3 compat layer\nimport * as core from \"../core/index.js\";\n/** @deprecated Use the raw string literal codes instead, e.g. \"invalid_type\". */\nexport const ZodIssueCode = {\n    invalid_type: \"invalid_type\",\n    too_big: \"too_big\",\n    too_small: \"too_small\",\n    invalid_format: \"invalid_format\",\n    not_multiple_of: \"not_multiple_of\",\n    unrecognized_keys: \"unrecognized_keys\",\n    invalid_union: \"invalid_union\",\n    invalid_key: \"invalid_key\",\n    invalid_element: \"invalid_element\",\n    invalid_value: \"invalid_value\",\n    custom: \"custom\",\n};\nexport { $brand, config } from \"../core/index.js\";\n/** @deprecated Use `z.config(params)` instead. */\nexport function setErrorMap(map) {\n    core.config({\n        customError: map,\n    });\n}\n/** @deprecated Use `z.config()` instead. */\nexport function getErrorMap() {\n    return core.config().customError;\n}\n","import * as core from \"../core/index.js\";\nimport * as schemas from \"./schemas.js\";\nexport function string(params) {\n    return core._coercedString(schemas.ZodString, params);\n}\nexport function number(params) {\n    return core._coercedNumber(schemas.ZodNumber, params);\n}\nexport function boolean(params) {\n    return core._coercedBoolean(schemas.ZodBoolean, params);\n}\nexport function bigint(params) {\n    return core._coercedBigint(schemas.ZodBigInt, params);\n}\nexport function date(params) {\n    return core._coercedDate(schemas.ZodDate, params);\n}\n","class ParseError extends Error {\n  constructor(message, options) {\n    super(message), this.name = \"ParseError\", this.type = options.type, this.field = options.field, this.value = options.value, this.line = options.line;\n  }\n}\nfunction noop(_arg) {\n}\nfunction createParser(callbacks) {\n  if (typeof callbacks == \"function\")\n    throw new TypeError(\n      \"`callbacks` must be an object, got a function instead. Did you mean `{onEvent: fn}`?\"\n    );\n  const { onEvent = noop, onError = noop, onRetry = noop, onComment } = callbacks;\n  let incompleteLine = \"\", isFirstChunk = !0, id, data = \"\", eventType = \"\";\n  function feed(newChunk) {\n    const chunk = isFirstChunk ? newChunk.replace(/^\\xEF\\xBB\\xBF/, \"\") : newChunk, [complete, incomplete] = splitLines(`${incompleteLine}${chunk}`);\n    for (const line of complete)\n      parseLine(line);\n    incompleteLine = incomplete, isFirstChunk = !1;\n  }\n  function parseLine(line) {\n    if (line === \"\") {\n      dispatchEvent();\n      return;\n    }\n    if (line.startsWith(\":\")) {\n      onComment && onComment(line.slice(line.startsWith(\": \") ? 2 : 1));\n      return;\n    }\n    const fieldSeparatorIndex = line.indexOf(\":\");\n    if (fieldSeparatorIndex !== -1) {\n      const field = line.slice(0, fieldSeparatorIndex), offset = line[fieldSeparatorIndex + 1] === \" \" ? 2 : 1, value = line.slice(fieldSeparatorIndex + offset);\n      processField(field, value, line);\n      return;\n    }\n    processField(line, \"\", line);\n  }\n  function processField(field, value, line) {\n    switch (field) {\n      case \"event\":\n        eventType = value;\n        break;\n      case \"data\":\n        data = `${data}${value}\n`;\n        break;\n      case \"id\":\n        id = value.includes(\"\\0\") ? void 0 : value;\n        break;\n      case \"retry\":\n        /^\\d+$/.test(value) ? onRetry(parseInt(value, 10)) : onError(\n          new ParseError(`Invalid \\`retry\\` value: \"${value}\"`, {\n            type: \"invalid-retry\",\n            value,\n            line\n          })\n        );\n        break;\n      default:\n        onError(\n          new ParseError(\n            `Unknown field \"${field.length > 20 ? `${field.slice(0, 20)}\\u2026` : field}\"`,\n            { type: \"unknown-field\", field, value, line }\n          )\n        );\n        break;\n    }\n  }\n  function dispatchEvent() {\n    data.length > 0 && onEvent({\n      id,\n      event: eventType || void 0,\n      // If the data buffer's last character is a U+000A LINE FEED (LF) character,\n      // then remove the last character from the data buffer.\n      data: data.endsWith(`\n`) ? data.slice(0, -1) : data\n    }), id = void 0, data = \"\", eventType = \"\";\n  }\n  function reset(options = {}) {\n    incompleteLine && options.consume && parseLine(incompleteLine), isFirstChunk = !0, id = void 0, data = \"\", eventType = \"\", incompleteLine = \"\";\n  }\n  return { feed, reset };\n}\nfunction splitLines(chunk) {\n  const lines = [];\n  let incompleteLine = \"\", searchIndex = 0;\n  for (; searchIndex < chunk.length; ) {\n    const crIndex = chunk.indexOf(\"\\r\", searchIndex), lfIndex = chunk.indexOf(`\n`, searchIndex);\n    let lineEnd = -1;\n    if (crIndex !== -1 && lfIndex !== -1 ? lineEnd = Math.min(crIndex, lfIndex) : crIndex !== -1 ? crIndex === chunk.length - 1 ? lineEnd = -1 : lineEnd = crIndex : lfIndex !== -1 && (lineEnd = lfIndex), lineEnd === -1) {\n      incompleteLine = chunk.slice(searchIndex);\n      break;\n    } else {\n      const line = chunk.slice(searchIndex, lineEnd);\n      lines.push(line), searchIndex = lineEnd + 1, chunk[searchIndex - 1] === \"\\r\" && chunk[searchIndex] === `\n` && searchIndex++;\n    }\n  }\n  return [lines, incompleteLine];\n}\nexport {\n  ParseError,\n  createParser\n};\n//# sourceMappingURL=index.js.map\n","import { createParser } from \"eventsource-parser\";\nclass ErrorEvent extends Event {\n  /**\n   * Constructs a new `ErrorEvent` instance. This is typically not called directly,\n   * but rather emitted by the `EventSource` object when an error occurs.\n   *\n   * @param type - The type of the event (should be \"error\")\n   * @param errorEventInitDict - Optional properties to include in the error event\n   */\n  constructor(type, errorEventInitDict) {\n    var _a, _b;\n    super(type), this.code = (_a = errorEventInitDict == null ? void 0 : errorEventInitDict.code) != null ? _a : void 0, this.message = (_b = errorEventInitDict == null ? void 0 : errorEventInitDict.message) != null ? _b : void 0;\n  }\n  /**\n   * Node.js \"hides\" the `message` and `code` properties of the `ErrorEvent` instance,\n   * when it is `console.log`'ed. This makes it harder to debug errors. To ease debugging,\n   * we explicitly include the properties in the `inspect` method.\n   *\n   * This is automatically called by Node.js when you `console.log` an instance of this class.\n   *\n   * @param _depth - The current depth\n   * @param options - The options passed to `util.inspect`\n   * @param inspect - The inspect function to use (prevents having to import it from `util`)\n   * @returns A string representation of the error\n   */\n  [Symbol.for(\"nodejs.util.inspect.custom\")](_depth, options, inspect) {\n    return inspect(inspectableError(this), options);\n  }\n  /**\n   * Deno \"hides\" the `message` and `code` properties of the `ErrorEvent` instance,\n   * when it is `console.log`'ed. This makes it harder to debug errors. To ease debugging,\n   * we explicitly include the properties in the `inspect` method.\n   *\n   * This is automatically called by Deno when you `console.log` an instance of this class.\n   *\n   * @param inspect - The inspect function to use (prevents having to import it from `util`)\n   * @param options - The options passed to `Deno.inspect`\n   * @returns A string representation of the error\n   */\n  [Symbol.for(\"Deno.customInspect\")](inspect, options) {\n    return inspect(inspectableError(this), options);\n  }\n}\nfunction syntaxError(message) {\n  const DomException = globalThis.DOMException;\n  return typeof DomException == \"function\" ? new DomException(message, \"SyntaxError\") : new SyntaxError(message);\n}\nfunction flattenError(err) {\n  return err instanceof Error ? \"errors\" in err && Array.isArray(err.errors) ? err.errors.map(flattenError).join(\", \") : \"cause\" in err && err.cause instanceof Error ? `${err}: ${flattenError(err.cause)}` : err.message : `${err}`;\n}\nfunction inspectableError(err) {\n  return {\n    type: err.type,\n    message: err.message,\n    code: err.code,\n    defaultPrevented: err.defaultPrevented,\n    cancelable: err.cancelable,\n    timeStamp: err.timeStamp\n  };\n}\nvar __typeError = (msg) => {\n  throw TypeError(msg);\n}, __accessCheck = (obj, member, msg) => member.has(obj) || __typeError(\"Cannot \" + msg), __privateGet = (obj, member, getter) => (__accessCheck(obj, member, \"read from private field\"), getter ? getter.call(obj) : member.get(obj)), __privateAdd = (obj, member, value) => member.has(obj) ? __typeError(\"Cannot add the same private member more than once\") : member instanceof WeakSet ? member.add(obj) : member.set(obj, value), __privateSet = (obj, member, value, setter) => (__accessCheck(obj, member, \"write to private field\"), member.set(obj, value), value), __privateMethod = (obj, member, method) => (__accessCheck(obj, member, \"access private method\"), method), _readyState, _url, _redirectUrl, _withCredentials, _fetch, _reconnectInterval, _reconnectTimer, _lastEventId, _controller, _parser, _onError, _onMessage, _onOpen, _EventSource_instances, connect_fn, _onFetchResponse, _onFetchError, getRequestOptions_fn, _onEvent, _onRetryChange, failConnection_fn, scheduleReconnect_fn, _reconnect;\nclass EventSource extends EventTarget {\n  constructor(url, eventSourceInitDict) {\n    var _a, _b;\n    super(), __privateAdd(this, _EventSource_instances), this.CONNECTING = 0, this.OPEN = 1, this.CLOSED = 2, __privateAdd(this, _readyState), __privateAdd(this, _url), __privateAdd(this, _redirectUrl), __privateAdd(this, _withCredentials), __privateAdd(this, _fetch), __privateAdd(this, _reconnectInterval), __privateAdd(this, _reconnectTimer), __privateAdd(this, _lastEventId, null), __privateAdd(this, _controller), __privateAdd(this, _parser), __privateAdd(this, _onError, null), __privateAdd(this, _onMessage, null), __privateAdd(this, _onOpen, null), __privateAdd(this, _onFetchResponse, async (response) => {\n      var _a2;\n      __privateGet(this, _parser).reset();\n      const { body, redirected, status, headers } = response;\n      if (status === 204) {\n        __privateMethod(this, _EventSource_instances, failConnection_fn).call(this, \"Server sent HTTP 204, not reconnecting\", 204), this.close();\n        return;\n      }\n      if (redirected ? __privateSet(this, _redirectUrl, new URL(response.url)) : __privateSet(this, _redirectUrl, void 0), status !== 200) {\n        __privateMethod(this, _EventSource_instances, failConnection_fn).call(this, `Non-200 status code (${status})`, status);\n        return;\n      }\n      if (!(headers.get(\"content-type\") || \"\").startsWith(\"text/event-stream\")) {\n        __privateMethod(this, _EventSource_instances, failConnection_fn).call(this, 'Invalid content type, expected \"text/event-stream\"', status);\n        return;\n      }\n      if (__privateGet(this, _readyState) === this.CLOSED)\n        return;\n      __privateSet(this, _readyState, this.OPEN);\n      const openEvent = new Event(\"open\");\n      if ((_a2 = __privateGet(this, _onOpen)) == null || _a2.call(this, openEvent), this.dispatchEvent(openEvent), typeof body != \"object\" || !body || !(\"getReader\" in body)) {\n        __privateMethod(this, _EventSource_instances, failConnection_fn).call(this, \"Invalid response body, expected a web ReadableStream\", status), this.close();\n        return;\n      }\n      const decoder = new TextDecoder(), reader = body.getReader();\n      let open = !0;\n      do {\n        const { done, value } = await reader.read();\n        value && __privateGet(this, _parser).feed(decoder.decode(value, { stream: !done })), done && (open = !1, __privateGet(this, _parser).reset(), __privateMethod(this, _EventSource_instances, scheduleReconnect_fn).call(this));\n      } while (open);\n    }), __privateAdd(this, _onFetchError, (err) => {\n      __privateSet(this, _controller, void 0), !(err.name === \"AbortError\" || err.type === \"aborted\") && __privateMethod(this, _EventSource_instances, scheduleReconnect_fn).call(this, flattenError(err));\n    }), __privateAdd(this, _onEvent, (event) => {\n      typeof event.id == \"string\" && __privateSet(this, _lastEventId, event.id);\n      const messageEvent = new MessageEvent(event.event || \"message\", {\n        data: event.data,\n        origin: __privateGet(this, _redirectUrl) ? __privateGet(this, _redirectUrl).origin : __privateGet(this, _url).origin,\n        lastEventId: event.id || \"\"\n      });\n      __privateGet(this, _onMessage) && (!event.event || event.event === \"message\") && __privateGet(this, _onMessage).call(this, messageEvent), this.dispatchEvent(messageEvent);\n    }), __privateAdd(this, _onRetryChange, (value) => {\n      __privateSet(this, _reconnectInterval, value);\n    }), __privateAdd(this, _reconnect, () => {\n      __privateSet(this, _reconnectTimer, void 0), __privateGet(this, _readyState) === this.CONNECTING && __privateMethod(this, _EventSource_instances, connect_fn).call(this);\n    });\n    try {\n      if (url instanceof URL)\n        __privateSet(this, _url, url);\n      else if (typeof url == \"string\")\n        __privateSet(this, _url, new URL(url, getBaseURL()));\n      else\n        throw new Error(\"Invalid URL\");\n    } catch {\n      throw syntaxError(\"An invalid or illegal string was specified\");\n    }\n    __privateSet(this, _parser, createParser({\n      onEvent: __privateGet(this, _onEvent),\n      onRetry: __privateGet(this, _onRetryChange)\n    })), __privateSet(this, _readyState, this.CONNECTING), __privateSet(this, _reconnectInterval, 3e3), __privateSet(this, _fetch, (_a = eventSourceInitDict == null ? void 0 : eventSourceInitDict.fetch) != null ? _a : globalThis.fetch), __privateSet(this, _withCredentials, (_b = eventSourceInitDict == null ? void 0 : eventSourceInitDict.withCredentials) != null ? _b : !1), __privateMethod(this, _EventSource_instances, connect_fn).call(this);\n  }\n  /**\n   * Returns the state of this EventSource object's connection. It can have the values described below.\n   *\n   * [MDN Reference](https://developer.mozilla.org/docs/Web/API/EventSource/readyState)\n   *\n   * Note: typed as `number` instead of `0 | 1 | 2` for compatibility with the `EventSource` interface,\n   * defined in the TypeScript `dom` library.\n   *\n   * @public\n   */\n  get readyState() {\n    return __privateGet(this, _readyState);\n  }\n  /**\n   * Returns the URL providing the event stream.\n   *\n   * [MDN Reference](https://developer.mozilla.org/docs/Web/API/EventSource/url)\n   *\n   * @public\n   */\n  get url() {\n    return __privateGet(this, _url).href;\n  }\n  /**\n   * Returns true if the credentials mode for connection requests to the URL providing the event stream is set to \"include\", and false otherwise.\n   *\n   * [MDN Reference](https://developer.mozilla.org/docs/Web/API/EventSource/withCredentials)\n   */\n  get withCredentials() {\n    return __privateGet(this, _withCredentials);\n  }\n  /** [MDN Reference](https://developer.mozilla.org/docs/Web/API/EventSource/error_event) */\n  get onerror() {\n    return __privateGet(this, _onError);\n  }\n  set onerror(value) {\n    __privateSet(this, _onError, value);\n  }\n  /** [MDN Reference](https://developer.mozilla.org/docs/Web/API/EventSource/message_event) */\n  get onmessage() {\n    return __privateGet(this, _onMessage);\n  }\n  set onmessage(value) {\n    __privateSet(this, _onMessage, value);\n  }\n  /** [MDN Reference](https://developer.mozilla.org/docs/Web/API/EventSource/open_event) */\n  get onopen() {\n    return __privateGet(this, _onOpen);\n  }\n  set onopen(value) {\n    __privateSet(this, _onOpen, value);\n  }\n  addEventListener(type, listener, options) {\n    const listen = listener;\n    super.addEventListener(type, listen, options);\n  }\n  removeEventListener(type, listener, options) {\n    const listen = listener;\n    super.removeEventListener(type, listen, options);\n  }\n  /**\n   * Aborts any instances of the fetch algorithm started for this EventSource object, and sets the readyState attribute to CLOSED.\n   *\n   * [MDN Reference](https://developer.mozilla.org/docs/Web/API/EventSource/close)\n   *\n   * @public\n   */\n  close() {\n    __privateGet(this, _reconnectTimer) && clearTimeout(__privateGet(this, _reconnectTimer)), __privateGet(this, _readyState) !== this.CLOSED && (__privateGet(this, _controller) && __privateGet(this, _controller).abort(), __privateSet(this, _readyState, this.CLOSED), __privateSet(this, _controller, void 0));\n  }\n}\n_readyState = /* @__PURE__ */ new WeakMap(), _url = /* @__PURE__ */ new WeakMap(), _redirectUrl = /* @__PURE__ */ new WeakMap(), _withCredentials = /* @__PURE__ */ new WeakMap(), _fetch = /* @__PURE__ */ new WeakMap(), _reconnectInterval = /* @__PURE__ */ new WeakMap(), _reconnectTimer = /* @__PURE__ */ new WeakMap(), _lastEventId = /* @__PURE__ */ new WeakMap(), _controller = /* @__PURE__ */ new WeakMap(), _parser = /* @__PURE__ */ new WeakMap(), _onError = /* @__PURE__ */ new WeakMap(), _onMessage = /* @__PURE__ */ new WeakMap(), _onOpen = /* @__PURE__ */ new WeakMap(), _EventSource_instances = /* @__PURE__ */ new WeakSet(), /**\n* Connect to the given URL and start receiving events\n*\n* @internal\n*/\nconnect_fn = function() {\n  __privateSet(this, _readyState, this.CONNECTING), __privateSet(this, _controller, new AbortController()), __privateGet(this, _fetch)(__privateGet(this, _url), __privateMethod(this, _EventSource_instances, getRequestOptions_fn).call(this)).then(__privateGet(this, _onFetchResponse)).catch(__privateGet(this, _onFetchError));\n}, _onFetchResponse = /* @__PURE__ */ new WeakMap(), _onFetchError = /* @__PURE__ */ new WeakMap(), /**\n* Get request options for the `fetch()` request\n*\n* @returns The request options\n* @internal\n*/\ngetRequestOptions_fn = function() {\n  var _a;\n  const init = {\n    // [spec] Let `corsAttributeState` be `Anonymous`…\n    // [spec] …will have their mode set to \"cors\"…\n    mode: \"cors\",\n    redirect: \"follow\",\n    headers: { Accept: \"text/event-stream\", ...__privateGet(this, _lastEventId) ? { \"Last-Event-ID\": __privateGet(this, _lastEventId) } : void 0 },\n    cache: \"no-store\",\n    signal: (_a = __privateGet(this, _controller)) == null ? void 0 : _a.signal\n  };\n  return \"window\" in globalThis && (init.credentials = this.withCredentials ? \"include\" : \"same-origin\"), init;\n}, _onEvent = /* @__PURE__ */ new WeakMap(), _onRetryChange = /* @__PURE__ */ new WeakMap(), /**\n* Handles the process referred to in the EventSource specification as \"failing a connection\".\n*\n* @param error - The error causing the connection to fail\n* @param code - The HTTP status code, if available\n* @internal\n*/\nfailConnection_fn = function(message, code) {\n  var _a;\n  __privateGet(this, _readyState) !== this.CLOSED && __privateSet(this, _readyState, this.CLOSED);\n  const errorEvent = new ErrorEvent(\"error\", { code, message });\n  (_a = __privateGet(this, _onError)) == null || _a.call(this, errorEvent), this.dispatchEvent(errorEvent);\n}, /**\n* Schedules a reconnection attempt against the EventSource endpoint.\n*\n* @param message - The error causing the connection to fail\n* @param code - The HTTP status code, if available\n* @internal\n*/\nscheduleReconnect_fn = function(message, code) {\n  var _a;\n  if (__privateGet(this, _readyState) === this.CLOSED)\n    return;\n  __privateSet(this, _readyState, this.CONNECTING);\n  const errorEvent = new ErrorEvent(\"error\", { code, message });\n  (_a = __privateGet(this, _onError)) == null || _a.call(this, errorEvent), this.dispatchEvent(errorEvent), __privateSet(this, _reconnectTimer, setTimeout(__privateGet(this, _reconnect), __privateGet(this, _reconnectInterval)));\n}, _reconnect = /* @__PURE__ */ new WeakMap(), /**\n* ReadyState representing an EventSource currently trying to connect\n*\n* @public\n*/\nEventSource.CONNECTING = 0, /**\n* ReadyState representing an EventSource connection that is open (eg connected)\n*\n* @public\n*/\nEventSource.OPEN = 1, /**\n* ReadyState representing an EventSource connection that is closed (eg disconnected)\n*\n* @public\n*/\nEventSource.CLOSED = 2;\nfunction getBaseURL() {\n  const doc = \"document\" in globalThis ? globalThis.document : void 0;\n  return doc && typeof doc == \"object\" && \"baseURI\" in doc && typeof doc.baseURI == \"string\" ? doc.baseURI : void 0;\n}\nexport {\n  ErrorEvent,\n  EventSource\n};\n//# sourceMappingURL=index.js.map\n","/**\n * Normalizes HeadersInit to a plain Record<string, string> for manipulation.\n * Handles Headers objects, arrays of tuples, and plain objects.\n */\nexport function normalizeHeaders(headers) {\n    if (!headers)\n        return {};\n    if (headers instanceof Headers) {\n        return Object.fromEntries(headers.entries());\n    }\n    if (Array.isArray(headers)) {\n        return Object.fromEntries(headers);\n    }\n    return { ...headers };\n}\n/**\n * Creates a fetch function that includes base RequestInit options.\n * This ensures requests inherit settings like credentials, mode, headers, etc. from the base init.\n *\n * @param baseFetch - The base fetch function to wrap (defaults to global fetch)\n * @param baseInit - The base RequestInit to merge with each request\n * @returns A wrapped fetch function that merges base options with call-specific options\n */\nexport function createFetchWithInit(baseFetch = fetch, baseInit) {\n    if (!baseInit) {\n        return baseFetch;\n    }\n    // Return a wrapped fetch that merges base RequestInit with call-specific init\n    return async (url, init) => {\n        const mergedInit = {\n            ...baseInit,\n            ...init,\n            // Headers need special handling - merge instead of replace\n            headers: (init === null || init === void 0 ? void 0 : init.headers) ? { ...normalizeHeaders(baseInit.headers), ...normalizeHeaders(init.headers) } : baseInit.headers\n        };\n        return baseFetch(url, mergedInit);\n    };\n}\n//# sourceMappingURL=transport.js.map","let crypto;\ncrypto =\n    globalThis.crypto?.webcrypto ?? // Node.js [18-16] REPL\n        globalThis.crypto ?? // Node.js >18\n        import(\"node:crypto\").then(m => m.webcrypto); // Node.js <18 Non-REPL\n/**\n * Creates an array of length `size` of random bytes\n * @param size\n * @returns Array of random ints (0 to 255)\n */\nasync function getRandomValues(size) {\n    return (await crypto).getRandomValues(new Uint8Array(size));\n}\n/** Generate cryptographically strong random string\n * @param size The desired length of the string\n * @returns The random string\n */\nasync function random(size) {\n    const mask = \"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._~\";\n    let result = \"\";\n    const randomUints = await getRandomValues(size);\n    for (let i = 0; i < size; i++) {\n        // cap the value of the randomIndex to mask.length - 1\n        const randomIndex = randomUints[i] % mask.length;\n        result += mask[randomIndex];\n    }\n    return result;\n}\n/** Generate a PKCE challenge verifier\n * @param length Length of the verifier\n * @returns A random verifier `length` characters long\n */\nasync function generateVerifier(length) {\n    return await random(length);\n}\n/** Generate a PKCE code challenge from a code verifier\n * @param code_verifier\n * @returns The base64 url encoded code challenge\n */\nexport async function generateChallenge(code_verifier) {\n    const buffer = await (await crypto).subtle.digest(\"SHA-256\", new TextEncoder().encode(code_verifier));\n    // Generate base64url string\n    // btoa is deprecated in Node.js but is used here for web browser compatibility\n    // (which has no good replacement yet, see also https://github.com/whatwg/html/issues/6811)\n    return btoa(String.fromCharCode(...new Uint8Array(buffer)))\n        .replace(/\\//g, '_')\n        .replace(/\\+/g, '-')\n        .replace(/=/g, '');\n}\n/** Generate a PKCE challenge pair\n * @param length Length of the verifer (between 43-128). Defaults to 43.\n * @returns PKCE challenge pair\n */\nexport default async function pkceChallenge(length) {\n    if (!length)\n        length = 43;\n    if (length < 43 || length > 128) {\n        throw `Expected a length between 43 and 128. Received ${length}.`;\n    }\n    const verifier = await generateVerifier(length);\n    const challenge = await generateChallenge(verifier);\n    return {\n        code_verifier: verifier,\n        code_challenge: challenge,\n    };\n}\n/** Verify that a code_verifier produces the expected code challenge\n * @param code_verifier\n * @param expectedChallenge The code challenge to verify\n * @returns True if challenges are equal. False otherwise.\n */\nexport async function verifyChallenge(code_verifier, expectedChallenge) {\n    const actualChallenge = await generateChallenge(code_verifier);\n    return actualChallenge === expectedChallenge;\n}\n","import * as z from 'zod/v4';\n/**\n * Reusable URL validation that disallows javascript: scheme\n */\nexport const SafeUrlSchema = z\n    .url()\n    .superRefine((val, ctx) => {\n    if (!URL.canParse(val)) {\n        ctx.addIssue({\n            code: z.ZodIssueCode.custom,\n            message: 'URL must be parseable',\n            fatal: true\n        });\n        return z.NEVER;\n    }\n})\n    .refine(url => {\n    const u = new URL(url);\n    return u.protocol !== 'javascript:' && u.protocol !== 'data:' && u.protocol !== 'vbscript:';\n}, { message: 'URL cannot use javascript:, data:, or vbscript: scheme' });\n/**\n * RFC 9728 OAuth Protected Resource Metadata\n */\nexport const OAuthProtectedResourceMetadataSchema = z.looseObject({\n    resource: z.string().url(),\n    authorization_servers: z.array(SafeUrlSchema).optional(),\n    jwks_uri: z.string().url().optional(),\n    scopes_supported: z.array(z.string()).optional(),\n    bearer_methods_supported: z.array(z.string()).optional(),\n    resource_signing_alg_values_supported: z.array(z.string()).optional(),\n    resource_name: z.string().optional(),\n    resource_documentation: z.string().optional(),\n    resource_policy_uri: z.string().url().optional(),\n    resource_tos_uri: z.string().url().optional(),\n    tls_client_certificate_bound_access_tokens: z.boolean().optional(),\n    authorization_details_types_supported: z.array(z.string()).optional(),\n    dpop_signing_alg_values_supported: z.array(z.string()).optional(),\n    dpop_bound_access_tokens_required: z.boolean().optional()\n});\n/**\n * RFC 8414 OAuth 2.0 Authorization Server Metadata\n */\nexport const OAuthMetadataSchema = z.looseObject({\n    issuer: z.string(),\n    authorization_endpoint: SafeUrlSchema,\n    token_endpoint: SafeUrlSchema,\n    registration_endpoint: SafeUrlSchema.optional(),\n    scopes_supported: z.array(z.string()).optional(),\n    response_types_supported: z.array(z.string()),\n    response_modes_supported: z.array(z.string()).optional(),\n    grant_types_supported: z.array(z.string()).optional(),\n    token_endpoint_auth_methods_supported: z.array(z.string()).optional(),\n    token_endpoint_auth_signing_alg_values_supported: z.array(z.string()).optional(),\n    service_documentation: SafeUrlSchema.optional(),\n    revocation_endpoint: SafeUrlSchema.optional(),\n    revocation_endpoint_auth_methods_supported: z.array(z.string()).optional(),\n    revocation_endpoint_auth_signing_alg_values_supported: z.array(z.string()).optional(),\n    introspection_endpoint: z.string().optional(),\n    introspection_endpoint_auth_methods_supported: z.array(z.string()).optional(),\n    introspection_endpoint_auth_signing_alg_values_supported: z.array(z.string()).optional(),\n    code_challenge_methods_supported: z.array(z.string()).optional(),\n    client_id_metadata_document_supported: z.boolean().optional()\n});\n/**\n * OpenID Connect Discovery 1.0 Provider Metadata\n * see: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata\n */\nexport const OpenIdProviderMetadataSchema = z.looseObject({\n    issuer: z.string(),\n    authorization_endpoint: SafeUrlSchema,\n    token_endpoint: SafeUrlSchema,\n    userinfo_endpoint: SafeUrlSchema.optional(),\n    jwks_uri: SafeUrlSchema,\n    registration_endpoint: SafeUrlSchema.optional(),\n    scopes_supported: z.array(z.string()).optional(),\n    response_types_supported: z.array(z.string()),\n    response_modes_supported: z.array(z.string()).optional(),\n    grant_types_supported: z.array(z.string()).optional(),\n    acr_values_supported: z.array(z.string()).optional(),\n    subject_types_supported: z.array(z.string()),\n    id_token_signing_alg_values_supported: z.array(z.string()),\n    id_token_encryption_alg_values_supported: z.array(z.string()).optional(),\n    id_token_encryption_enc_values_supported: z.array(z.string()).optional(),\n    userinfo_signing_alg_values_supported: z.array(z.string()).optional(),\n    userinfo_encryption_alg_values_supported: z.array(z.string()).optional(),\n    userinfo_encryption_enc_values_supported: z.array(z.string()).optional(),\n    request_object_signing_alg_values_supported: z.array(z.string()).optional(),\n    request_object_encryption_alg_values_supported: z.array(z.string()).optional(),\n    request_object_encryption_enc_values_supported: z.array(z.string()).optional(),\n    token_endpoint_auth_methods_supported: z.array(z.string()).optional(),\n    token_endpoint_auth_signing_alg_values_supported: z.array(z.string()).optional(),\n    display_values_supported: z.array(z.string()).optional(),\n    claim_types_supported: z.array(z.string()).optional(),\n    claims_supported: z.array(z.string()).optional(),\n    service_documentation: z.string().optional(),\n    claims_locales_supported: z.array(z.string()).optional(),\n    ui_locales_supported: z.array(z.string()).optional(),\n    claims_parameter_supported: z.boolean().optional(),\n    request_parameter_supported: z.boolean().optional(),\n    request_uri_parameter_supported: z.boolean().optional(),\n    require_request_uri_registration: z.boolean().optional(),\n    op_policy_uri: SafeUrlSchema.optional(),\n    op_tos_uri: SafeUrlSchema.optional(),\n    client_id_metadata_document_supported: z.boolean().optional()\n});\n/**\n * OpenID Connect Discovery metadata that may include OAuth 2.0 fields\n * This schema represents the real-world scenario where OIDC providers\n * return a mix of OpenID Connect and OAuth 2.0 metadata fields\n */\nexport const OpenIdProviderDiscoveryMetadataSchema = z.object({\n    ...OpenIdProviderMetadataSchema.shape,\n    ...OAuthMetadataSchema.pick({\n        code_challenge_methods_supported: true\n    }).shape\n});\n/**\n * OAuth 2.1 token response\n */\nexport const OAuthTokensSchema = z\n    .object({\n    access_token: z.string(),\n    id_token: z.string().optional(), // Optional for OAuth 2.1, but necessary in OpenID Connect\n    token_type: z.string(),\n    expires_in: z.coerce.number().optional(),\n    scope: z.string().optional(),\n    refresh_token: z.string().optional()\n})\n    .strip();\n/**\n * OAuth 2.1 error response\n */\nexport const OAuthErrorResponseSchema = z.object({\n    error: z.string(),\n    error_description: z.string().optional(),\n    error_uri: z.string().optional()\n});\n/**\n * Optional version of SafeUrlSchema that allows empty string for retrocompatibility on tos_uri and logo_uri\n */\nexport const OptionalSafeUrlSchema = SafeUrlSchema.optional().or(z.literal('').transform(() => undefined));\n/**\n * RFC 7591 OAuth 2.0 Dynamic Client Registration metadata\n */\nexport const OAuthClientMetadataSchema = z\n    .object({\n    redirect_uris: z.array(SafeUrlSchema),\n    token_endpoint_auth_method: z.string().optional(),\n    grant_types: z.array(z.string()).optional(),\n    response_types: z.array(z.string()).optional(),\n    client_name: z.string().optional(),\n    client_uri: SafeUrlSchema.optional(),\n    logo_uri: OptionalSafeUrlSchema,\n    scope: z.string().optional(),\n    contacts: z.array(z.string()).optional(),\n    tos_uri: OptionalSafeUrlSchema,\n    policy_uri: z.string().optional(),\n    jwks_uri: SafeUrlSchema.optional(),\n    jwks: z.any().optional(),\n    software_id: z.string().optional(),\n    software_version: z.string().optional(),\n    software_statement: z.string().optional()\n})\n    .strip();\n/**\n * RFC 7591 OAuth 2.0 Dynamic Client Registration client information\n */\nexport const OAuthClientInformationSchema = z\n    .object({\n    client_id: z.string(),\n    client_secret: z.string().optional(),\n    client_id_issued_at: z.number().optional(),\n    client_secret_expires_at: z.number().optional()\n})\n    .strip();\n/**\n * RFC 7591 OAuth 2.0 Dynamic Client Registration full response (client information plus metadata)\n */\nexport const OAuthClientInformationFullSchema = OAuthClientMetadataSchema.merge(OAuthClientInformationSchema);\n/**\n * RFC 7591 OAuth 2.0 Dynamic Client Registration error response\n */\nexport const OAuthClientRegistrationErrorSchema = z\n    .object({\n    error: z.string(),\n    error_description: z.string().optional()\n})\n    .strip();\n/**\n * RFC 7009 OAuth 2.0 Token Revocation request\n */\nexport const OAuthTokenRevocationRequestSchema = z\n    .object({\n    token: z.string(),\n    token_type_hint: z.string().optional()\n})\n    .strip();\n//# sourceMappingURL=auth.js.map","/**\n * Utilities for handling OAuth resource URIs.\n */\n/**\n * Converts a server URL to a resource URL by removing the fragment.\n * RFC 8707 section 2 states that resource URIs \"MUST NOT include a fragment component\".\n * Keeps everything else unchanged (scheme, domain, port, path, query).\n */\nexport function resourceUrlFromServerUrl(url) {\n    const resourceURL = typeof url === 'string' ? new URL(url) : new URL(url.href);\n    resourceURL.hash = ''; // Remove fragment\n    return resourceURL;\n}\n/**\n * Checks if a requested resource URL matches a configured resource URL.\n * A requested resource matches if it has the same scheme, domain, port,\n * and its path starts with the configured resource's path.\n *\n * @param requestedResource The resource URL being requested\n * @param configuredResource The resource URL that has been configured\n * @returns true if the requested resource matches the configured resource, false otherwise\n */\nexport function checkResourceAllowed({ requestedResource, configuredResource }) {\n    const requested = typeof requestedResource === 'string' ? new URL(requestedResource) : new URL(requestedResource.href);\n    const configured = typeof configuredResource === 'string' ? new URL(configuredResource) : new URL(configuredResource.href);\n    // Compare the origin (scheme, domain, and port)\n    if (requested.origin !== configured.origin) {\n        return false;\n    }\n    // Handle cases like requested=/foo and configured=/foo/\n    if (requested.pathname.length < configured.pathname.length) {\n        return false;\n    }\n    // Check if the requested path starts with the configured path\n    // Ensure both paths end with / for proper comparison\n    // This ensures that if we have paths like \"/api\" and \"/api/users\",\n    // we properly detect that \"/api/users\" is a subpath of \"/api\"\n    // By adding a trailing slash if missing, we avoid false positives\n    // where paths like \"/api123\" would incorrectly match \"/api\"\n    const requestedPath = requested.pathname.endsWith('/') ? requested.pathname : requested.pathname + '/';\n    const configuredPath = configured.pathname.endsWith('/') ? configured.pathname : configured.pathname + '/';\n    return requestedPath.startsWith(configuredPath);\n}\n//# sourceMappingURL=auth-utils.js.map","/**\n * Base class for all OAuth errors\n */\nexport class OAuthError extends Error {\n    constructor(message, errorUri) {\n        super(message);\n        this.errorUri = errorUri;\n        this.name = this.constructor.name;\n    }\n    /**\n     * Converts the error to a standard OAuth error response object\n     */\n    toResponseObject() {\n        const response = {\n            error: this.errorCode,\n            error_description: this.message\n        };\n        if (this.errorUri) {\n            response.error_uri = this.errorUri;\n        }\n        return response;\n    }\n    get errorCode() {\n        return this.constructor.errorCode;\n    }\n}\n/**\n * Invalid request error - The request is missing a required parameter,\n * includes an invalid parameter value, includes a parameter more than once,\n * or is otherwise malformed.\n */\nexport class InvalidRequestError extends OAuthError {\n}\nInvalidRequestError.errorCode = 'invalid_request';\n/**\n * Invalid client error - Client authentication failed (e.g., unknown client, no client\n * authentication included, or unsupported authentication method).\n */\nexport class InvalidClientError extends OAuthError {\n}\nInvalidClientError.errorCode = 'invalid_client';\n/**\n * Invalid grant error - The provided authorization grant or refresh token is\n * invalid, expired, revoked, does not match the redirection URI used in the\n * authorization request, or was issued to another client.\n */\nexport class InvalidGrantError extends OAuthError {\n}\nInvalidGrantError.errorCode = 'invalid_grant';\n/**\n * Unauthorized client error - The authenticated client is not authorized to use\n * this authorization grant type.\n */\nexport class UnauthorizedClientError extends OAuthError {\n}\nUnauthorizedClientError.errorCode = 'unauthorized_client';\n/**\n * Unsupported grant type error - The authorization grant type is not supported\n * by the authorization server.\n */\nexport class UnsupportedGrantTypeError extends OAuthError {\n}\nUnsupportedGrantTypeError.errorCode = 'unsupported_grant_type';\n/**\n * Invalid scope error - The requested scope is invalid, unknown, malformed, or\n * exceeds the scope granted by the resource owner.\n */\nexport class InvalidScopeError extends OAuthError {\n}\nInvalidScopeError.errorCode = 'invalid_scope';\n/**\n * Access denied error - The resource owner or authorization server denied the request.\n */\nexport class AccessDeniedError extends OAuthError {\n}\nAccessDeniedError.errorCode = 'access_denied';\n/**\n * Server error - The authorization server encountered an unexpected condition\n * that prevented it from fulfilling the request.\n */\nexport class ServerError extends OAuthError {\n}\nServerError.errorCode = 'server_error';\n/**\n * Temporarily unavailable error - The authorization server is currently unable to\n * handle the request due to a temporary overloading or maintenance of the server.\n */\nexport class TemporarilyUnavailableError extends OAuthError {\n}\nTemporarilyUnavailableError.errorCode = 'temporarily_unavailable';\n/**\n * Unsupported response type error - The authorization server does not support\n * obtaining an authorization code using this method.\n */\nexport class UnsupportedResponseTypeError extends OAuthError {\n}\nUnsupportedResponseTypeError.errorCode = 'unsupported_response_type';\n/**\n * Unsupported token type error - The authorization server does not support\n * the requested token type.\n */\nexport class UnsupportedTokenTypeError extends OAuthError {\n}\nUnsupportedTokenTypeError.errorCode = 'unsupported_token_type';\n/**\n * Invalid token error - The access token provided is expired, revoked, malformed,\n * or invalid for other reasons.\n */\nexport class InvalidTokenError extends OAuthError {\n}\nInvalidTokenError.errorCode = 'invalid_token';\n/**\n * Method not allowed error - The HTTP method used is not allowed for this endpoint.\n * (Custom, non-standard error)\n */\nexport class MethodNotAllowedError extends OAuthError {\n}\nMethodNotAllowedError.errorCode = 'method_not_allowed';\n/**\n * Too many requests error - Rate limit exceeded.\n * (Custom, non-standard error based on RFC 6585)\n */\nexport class TooManyRequestsError extends OAuthError {\n}\nTooManyRequestsError.errorCode = 'too_many_requests';\n/**\n * Invalid client metadata error - The client metadata is invalid.\n * (Custom error for dynamic client registration - RFC 7591)\n */\nexport class InvalidClientMetadataError extends OAuthError {\n}\nInvalidClientMetadataError.errorCode = 'invalid_client_metadata';\n/**\n * Insufficient scope error - The request requires higher privileges than provided by the access token.\n */\nexport class InsufficientScopeError extends OAuthError {\n}\nInsufficientScopeError.errorCode = 'insufficient_scope';\n/**\n * Invalid target error - The requested resource is invalid, missing, unknown, or malformed.\n * (Custom error for resource indicators - RFC 8707)\n */\nexport class InvalidTargetError extends OAuthError {\n}\nInvalidTargetError.errorCode = 'invalid_target';\n/**\n * A utility class for defining one-off error codes\n */\nexport class CustomOAuthError extends OAuthError {\n    constructor(customErrorCode, message, errorUri) {\n        super(message, errorUri);\n        this.customErrorCode = customErrorCode;\n    }\n    get errorCode() {\n        return this.customErrorCode;\n    }\n}\n/**\n * A full list of all OAuthErrors, enabling parsing from error responses\n */\nexport const OAUTH_ERRORS = {\n    [InvalidRequestError.errorCode]: InvalidRequestError,\n    [InvalidClientError.errorCode]: InvalidClientError,\n    [InvalidGrantError.errorCode]: InvalidGrantError,\n    [UnauthorizedClientError.errorCode]: UnauthorizedClientError,\n    [UnsupportedGrantTypeError.errorCode]: UnsupportedGrantTypeError,\n    [InvalidScopeError.errorCode]: InvalidScopeError,\n    [AccessDeniedError.errorCode]: AccessDeniedError,\n    [ServerError.errorCode]: ServerError,\n    [TemporarilyUnavailableError.errorCode]: TemporarilyUnavailableError,\n    [UnsupportedResponseTypeError.errorCode]: UnsupportedResponseTypeError,\n    [UnsupportedTokenTypeError.errorCode]: UnsupportedTokenTypeError,\n    [InvalidTokenError.errorCode]: InvalidTokenError,\n    [MethodNotAllowedError.errorCode]: MethodNotAllowedError,\n    [TooManyRequestsError.errorCode]: TooManyRequestsError,\n    [InvalidClientMetadataError.errorCode]: InvalidClientMetadataError,\n    [InsufficientScopeError.errorCode]: InsufficientScopeError,\n    [InvalidTargetError.errorCode]: InvalidTargetError\n};\n//# sourceMappingURL=errors.js.map","import pkceChallenge from 'pkce-challenge';\nimport { LATEST_PROTOCOL_VERSION } from '../types.js';\nimport { OAuthErrorResponseSchema, OpenIdProviderDiscoveryMetadataSchema } from '../shared/auth.js';\nimport { OAuthClientInformationFullSchema, OAuthMetadataSchema, OAuthProtectedResourceMetadataSchema, OAuthTokensSchema } from '../shared/auth.js';\nimport { checkResourceAllowed, resourceUrlFromServerUrl } from '../shared/auth-utils.js';\nimport { InvalidClientError, InvalidClientMetadataError, InvalidGrantError, OAUTH_ERRORS, OAuthError, ServerError, UnauthorizedClientError } from '../server/auth/errors.js';\nexport class UnauthorizedError extends Error {\n    constructor(message) {\n        super(message !== null && message !== void 0 ? message : 'Unauthorized');\n    }\n}\nfunction isClientAuthMethod(method) {\n    return ['client_secret_basic', 'client_secret_post', 'none'].includes(method);\n}\nconst AUTHORIZATION_CODE_RESPONSE_TYPE = 'code';\nconst AUTHORIZATION_CODE_CHALLENGE_METHOD = 'S256';\n/**\n * Determines the best client authentication method to use based on server support and client configuration.\n *\n * Priority order (highest to lowest):\n * 1. client_secret_basic (if client secret is available)\n * 2. client_secret_post (if client secret is available)\n * 3. none (for public clients)\n *\n * @param clientInformation - OAuth client information containing credentials\n * @param supportedMethods - Authentication methods supported by the authorization server\n * @returns The selected authentication method\n */\nexport function selectClientAuthMethod(clientInformation, supportedMethods) {\n    const hasClientSecret = clientInformation.client_secret !== undefined;\n    // If server doesn't specify supported methods, use RFC 6749 defaults\n    if (supportedMethods.length === 0) {\n        return hasClientSecret ? 'client_secret_post' : 'none';\n    }\n    // Prefer the method returned by the server during client registration if valid and supported\n    if ('token_endpoint_auth_method' in clientInformation &&\n        clientInformation.token_endpoint_auth_method &&\n        isClientAuthMethod(clientInformation.token_endpoint_auth_method) &&\n        supportedMethods.includes(clientInformation.token_endpoint_auth_method)) {\n        return clientInformation.token_endpoint_auth_method;\n    }\n    // Try methods in priority order (most secure first)\n    if (hasClientSecret && supportedMethods.includes('client_secret_basic')) {\n        return 'client_secret_basic';\n    }\n    if (hasClientSecret && supportedMethods.includes('client_secret_post')) {\n        return 'client_secret_post';\n    }\n    if (supportedMethods.includes('none')) {\n        return 'none';\n    }\n    // Fallback: use what we have\n    return hasClientSecret ? 'client_secret_post' : 'none';\n}\n/**\n * Applies client authentication to the request based on the specified method.\n *\n * Implements OAuth 2.1 client authentication methods:\n * - client_secret_basic: HTTP Basic authentication (RFC 6749 Section 2.3.1)\n * - client_secret_post: Credentials in request body (RFC 6749 Section 2.3.1)\n * - none: Public client authentication (RFC 6749 Section 2.1)\n *\n * @param method - The authentication method to use\n * @param clientInformation - OAuth client information containing credentials\n * @param headers - HTTP headers object to modify\n * @param params - URL search parameters to modify\n * @throws {Error} When required credentials are missing\n */\nfunction applyClientAuthentication(method, clientInformation, headers, params) {\n    const { client_id, client_secret } = clientInformation;\n    switch (method) {\n        case 'client_secret_basic':\n            applyBasicAuth(client_id, client_secret, headers);\n            return;\n        case 'client_secret_post':\n            applyPostAuth(client_id, client_secret, params);\n            return;\n        case 'none':\n            applyPublicAuth(client_id, params);\n            return;\n        default:\n            throw new Error(`Unsupported client authentication method: ${method}`);\n    }\n}\n/**\n * Applies HTTP Basic authentication (RFC 6749 Section 2.3.1)\n */\nfunction applyBasicAuth(clientId, clientSecret, headers) {\n    if (!clientSecret) {\n        throw new Error('client_secret_basic authentication requires a client_secret');\n    }\n    const credentials = btoa(`${clientId}:${clientSecret}`);\n    headers.set('Authorization', `Basic ${credentials}`);\n}\n/**\n * Applies POST body authentication (RFC 6749 Section 2.3.1)\n */\nfunction applyPostAuth(clientId, clientSecret, params) {\n    params.set('client_id', clientId);\n    if (clientSecret) {\n        params.set('client_secret', clientSecret);\n    }\n}\n/**\n * Applies public client authentication (RFC 6749 Section 2.1)\n */\nfunction applyPublicAuth(clientId, params) {\n    params.set('client_id', clientId);\n}\n/**\n * Parses an OAuth error response from a string or Response object.\n *\n * If the input is a standard OAuth2.0 error response, it will be parsed according to the spec\n * and an instance of the appropriate OAuthError subclass will be returned.\n * If parsing fails, it falls back to a generic ServerError that includes\n * the response status (if available) and original content.\n *\n * @param input - A Response object or string containing the error response\n * @returns A Promise that resolves to an OAuthError instance\n */\nexport async function parseErrorResponse(input) {\n