@adcp/client 3.8.1 → 3.10.0

package/dist/lib/auth/oauth/MCPOAuthProvider.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"MCPOAuthProvider.d.ts","sourceRoot":"","sources":["../../../../src/lib/auth/oauth/MCPOAuthProvider.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,0CAA0C,CAAC;AACpF,OAAO,KAAK,EACV,mBAAmB,EACnB,sBAAsB,EACtB,0BAA0B,EAC1B,WAAW,EACX,gBAAgB,EAChB,mBAAmB,EACnB,kBAAkB,EAClB,WAAW,EACZ,MAAM,SAAS,CAAC;AAIjB;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,qBAAa,gBAAiB,YAAW,mBAAmB;IAC1D,OAAO,CAAC,KAAK,CAAc;IAC3B,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAqB;IAC9C,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAmB;IAC/C,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAsB;gBAE1C,MAAM,EAAE,mBAAmB;IAOvC;;OAEG;IACH,MAAM,CAAC,MAAM,CACX,KAAK,EAAE,WAAW,EAClB,WAAW,EAAE,gBAAgB,EAC7B,OAAO,CAAC,EAAE,kBAAkB,EAC5B,uBAAuB,CAAC,EAAE,OAAO,CAAC,mBAAmB,CAAC,GACrD,gBAAgB;IAoBnB,IAAI,WAAW,IAAI,MAAM,GAAG,GAAG,CAE9B;IAED,IAAI,cAAc,IAAI,mBAAmB,CAExC;IAED;;OAEG;IACG,KAAK,IAAI,OAAO,CAAC,MAAM,CAAC;IAI9B;;OAEG;IACG,iBAAiB,IAAI,OAAO,CAAC,sBAAsB,GAAG,SAAS,CAAC;IAOtE;;OAEG;IACG,qBAAqB,CAAC,UAAU,EAAE,0BAA0B,GAAG,OAAO,CAAC,IAAI,CAAC;IAKlF;;OAEG;IACG,MAAM,IAAI,OAAO,CAAC,WAAW,GAAG,SAAS,CAAC;IAOhD;;;OAGG;IACG,UAAU,CAAC,MAAM,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC;IAOpD;;OAEG;IACG,uBAAuB,CAAC,gBAAgB,EAAE,GAAG,GAAG,OAAO,CAAC,IAAI,CAAC;IAInE;;OAEG;IACG,gBAAgB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAK3D;;;;OAIG;IACG,YAAY,IAAI,OAAO,CAAC,MAAM,CAAC;IAUrC;;OAEG;IACG,qBAAqB,CAAC,KAAK,EAAE,KAAK,GAAG,QAAQ,GAAG,QAAQ,GAAG,UAAU,GAAG,OAAO,CAAC,IAAI,CAAC;IAwB3F;;OAEG;YACW,YAAY;IAM1B;;;OAGG;IACG,eAAe,IAAI,OAAO,CAAC,MAAM,CAAC;IAIxC;;OAEG;IACG,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC;IAI9B;;;OAGG;IACH,cAAc,IAAI,OAAO;IAgBzB;;;OAGG;IACH,eAAe,IAAI,OAAO;IAI1B;;OAEG;IACG,SAAS,IAAI,OAAO,CAAC,IAAI,CAAC;IAIhC;;;OAGG;IACH,QAAQ,IAAI,WAAW;IAIvB;;;OAGG;IACH,UAAU,IAAI,MAAM;CAGrB"}

package/dist/lib/auth/oauth/MCPOAuthProvider.js

@@ -0,0 +1,236 @@
+"use strict";
+/**
+ * MCP OAuth Provider
+ *
+ * Implements the MCP SDK's OAuthClientProvider interface
+ * using AgentConfig for token storage.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.MCPOAuthProvider = void 0;
+const types_1 = require("./types");
+const crypto_1 = require("crypto");
+/**
+ * MCP OAuth Client Provider
+ *
+ * This provider stores OAuth tokens directly in the AgentConfig,
+ * using the same structure as static auth tokens.
+ *
+ * @example
+ * ```typescript
+ * const agent: AgentConfig = {
+ *   id: 'my-agent',
+ *   name: 'My Agent',
+ *   agent_uri: 'https://agent.example.com/mcp',
+ *   protocol: 'mcp',
+ *   // OAuth tokens stored here after auth flow
+ *   oauth_tokens: { access_token: '...', refresh_token: '...' }
+ * };
+ *
+ * const provider = new MCPOAuthProvider({
+ *   agent,
+ *   flowHandler: new CLIFlowHandler(),
+ *   storage: myConfigStorage  // Optional: persists tokens
+ * });
+ *
+ * const transport = new StreamableHTTPClientTransport(url, {
+ *   authProvider: provider
+ * });
+ * ```
+ */
+class MCPOAuthProvider {
+    agent;
+    storage;
+    flowHandler;
+    _clientMetadata;
+    constructor(config) {
+        this.agent = config.agent;
+        this.storage = config.storage;
+        this.flowHandler = config.flowHandler;
+        this._clientMetadata = config.clientMetadata;
+    }
+    /**
+     * Create a provider for CLI usage
+     */
+    static forCLI(agent, flowHandler, storage, clientMetadataOverrides) {
+        // Build complete client metadata with required fields
+        const clientMetadata = {
+            ...types_1.DEFAULT_CLIENT_METADATA,
+            redirect_uris: [flowHandler.getRedirectUrl().toString()],
+            ...clientMetadataOverrides,
+        };
+        return new MCPOAuthProvider({
+            agent,
+            flowHandler,
+            storage,
+            clientMetadata,
+        });
+    }
+    // ========================================
+    // OAuthClientProvider interface
+    // ========================================
+    get redirectUrl() {
+        return this.flowHandler.getRedirectUrl();
+    }
+    get clientMetadata() {
+        return this._clientMetadata;
+    }
+    /**
+     * Generate OAuth state parameter
+     */
+    async state() {
+        return (0, crypto_1.randomBytes)(32).toString('base64url');
+    }
+    /**
+     * Load client information from agent config
+     */
+    async clientInformation() {
+        if (this.agent.oauth_client) {
+            return (0, types_1.toMCPClientInfo)(this.agent.oauth_client);
+        }
+        return undefined;
+    }
+    /**
+     * Save client information after dynamic registration
+     */
+    async saveClientInformation(clientInfo) {
+        this.agent.oauth_client = (0, types_1.fromMCPClientInfo)(clientInfo);
+        await this.persistAgent();
+    }
+    /**
+     * Load existing tokens from agent config
+     */
+    async tokens() {
+        if (this.agent.oauth_tokens) {
+            return (0, types_1.toMCPTokens)(this.agent.oauth_tokens);
+        }
+        return undefined;
+    }
+    /**
+     * Save tokens after authorization
+     * Also cleans up the temporary code verifier
+     */
+    async saveTokens(tokens) {
+        this.agent.oauth_tokens = (0, types_1.fromMCPTokens)(tokens);
+        // Clean up temporary code verifier after successful token exchange
+        delete this.agent.oauth_code_verifier;
+        await this.persistAgent();
+    }
+    /**
+     * Redirect user to authorization URL
+     */
+    async redirectToAuthorization(authorizationUrl) {
+        await this.flowHandler.redirectToAuthorization(authorizationUrl);
+    }
+    /**
+     * Save PKCE code verifier
+     */
+    async saveCodeVerifier(codeVerifier) {
+        this.agent.oauth_code_verifier = codeVerifier;
+        await this.persistAgent();
+    }
+    /**
+     * Load PKCE code verifier
+     * The MCP SDK calls saveCodeVerifier() before authorization and
+     * retrieves it here during token exchange.
+     */
+    async codeVerifier() {
+        if (!this.agent.oauth_code_verifier) {
+            throw new Error('No PKCE code verifier found. The OAuth flow may have been interrupted or ' +
+                'the agent config was modified. Please try authenticating again.');
+        }
+        return this.agent.oauth_code_verifier;
+    }
+    /**
+     * Invalidate credentials when server indicates they're invalid
+     */
+    async invalidateCredentials(scope) {
+        switch (scope) {
+            case 'all':
+                delete this.agent.oauth_tokens;
+                delete this.agent.oauth_client;
+                delete this.agent.oauth_code_verifier;
+                break;
+            case 'tokens':
+                delete this.agent.oauth_tokens;
+                break;
+            case 'client':
+                delete this.agent.oauth_client;
+                break;
+            case 'verifier':
+                delete this.agent.oauth_code_verifier;
+                break;
+        }
+        await this.persistAgent();
+    }
+    // ========================================
+    // Additional methods
+    // ========================================
+    /**
+     * Persist agent config to storage if configured
+     */
+    async persistAgent() {
+        if (this.storage) {
+            await this.storage.saveAgent(this.agent);
+        }
+    }
+    /**
+     * Wait for the OAuth callback
+     * Call this after UnauthorizedError is thrown
+     */
+    async waitForCallback() {
+        return this.flowHandler.waitForCallback();
+    }
+    /**
+     * Clean up resources
+     */
+    async cleanup() {
+        await this.flowHandler.cleanup();
+    }
+    /**
+     * Check if we have valid, non-expired OAuth tokens
+     * @returns true if access_token exists and hasn't expired (with 5 minute buffer)
+     */
+    hasValidTokens() {
+        const tokens = this.agent.oauth_tokens;
+        if (!tokens?.access_token)
+            return false;
+        // Check expiration if available
+        if (tokens.expires_at) {
+            const expiresAt = new Date(tokens.expires_at);
+            // Consider expired if within 5 minutes of expiration
+            if (expiresAt.getTime() - Date.now() < 5 * 60 * 1000) {
+                return false;
+            }
+        }
+        return true;
+    }
+    /**
+     * Check if we have a refresh token available for token refresh
+     * @returns true if refresh_token is present
+     */
+    hasRefreshToken() {
+        return !!this.agent.oauth_tokens?.refresh_token;
+    }
+    /**
+     * Clear all OAuth data for this agent
+     */
+    async clearAuth() {
+        await this.invalidateCredentials('all');
+    }
+    /**
+     * Get the agent config this provider manages
+     * @returns The AgentConfig with OAuth tokens populated after successful auth
+     */
+    getAgent() {
+        return this.agent;
+    }
+    /**
+     * Get the agent identifier
+     * @returns The agent's unique ID
+     */
+    getAgentId() {
+        return this.agent.id;
+    }
+}
+exports.MCPOAuthProvider = MCPOAuthProvider;
+//# sourceMappingURL=MCPOAuthProvider.js.map

package/dist/lib/auth/oauth/MCPOAuthProvider.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"MCPOAuthProvider.js","sourceRoot":"","sources":["../../../../src/lib/auth/oauth/MCPOAuthProvider.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;;AAaH,mCAAkH;AAClH,mCAAqC;AAErC;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,MAAa,gBAAgB;IACnB,KAAK,CAAc;IACV,OAAO,CAAsB;IAC7B,WAAW,CAAmB;IAC9B,eAAe,CAAsB;IAEtD,YAAY,MAA2B;QACrC,IAAI,CAAC,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC;QAC1B,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC;QAC9B,IAAI,CAAC,WAAW,GAAG,MAAM,CAAC,WAAW,CAAC;QACtC,IAAI,CAAC,eAAe,GAAG,MAAM,CAAC,cAAc,CAAC;IAC/C,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,MAAM,CACX,KAAkB,EAClB,WAA6B,EAC7B,OAA4B,EAC5B,uBAAsD;QAEtD,sDAAsD;QACtD,MAAM,cAAc,GAAwB;YAC1C,GAAG,+BAAuB;YAC1B,aAAa,EAAE,CAAC,WAAW,CAAC,cAAc,EAAE,CAAC,QAAQ,EAAE,CAAC;YACxD,GAAG,uBAAuB;SAC3B,CAAC;QAEF,OAAO,IAAI,gBAAgB,CAAC;YAC1B,KAAK;YACL,WAAW;YACX,OAAO;YACP,cAAc;SACf,CAAC,CAAC;IACL,CAAC;IAED,2CAA2C;IAC3C,gCAAgC;IAChC,2CAA2C;IAE3C,IAAI,WAAW;QACb,OAAO,IAAI,CAAC,WAAW,CAAC,cAAc,EAAE,CAAC;IAC3C,CAAC;IAED,IAAI,cAAc;QAChB,OAAO,IAAI,CAAC,eAAe,CAAC;IAC9B,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,KAAK;QACT,OAAO,IAAA,oBAAW,EAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IAC/C,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,iBAAiB;QACrB,IAAI,IAAI,CAAC,KAAK,CAAC,YAAY,EAAE,CAAC;YAC5B,OAAO,IAAA,uBAAe,EAAC,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC;QAClD,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,qBAAqB,CAAC,UAAsC;QAChE,IAAI,CAAC,KAAK,CAAC,YAAY,GAAG,IAAA,yBAAiB,EAAC,UAAU,CAAC,CAAC;QACxD,MAAM,IAAI,CAAC,YAAY,EAAE,CAAC;IAC5B,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,MAAM;QACV,IAAI,IAAI,CAAC,KAAK,CAAC,YAAY,EAAE,CAAC;YAC5B,OAAO,IAAA,mBAAW,EAAC,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC;QAC9C,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,UAAU,CAAC,MAAmB;QAClC,IAAI,CAAC,KAAK,CAAC,YAAY,GAAG,IAAA,qBAAa,EAAC,MAAM,CAAC,CAAC;QAChD,mEAAmE;QACnE,OAAO,IAAI,CAAC,KAAK,CAAC,mBAAmB,CAAC;QACtC,MAAM,IAAI,CAAC,YAAY,EAAE,CAAC;IAC5B,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,uBAAuB,CAAC,gBAAqB;QACjD,MAAM,IAAI,CAAC,WAAW,CAAC,uBAAuB,CAAC,gBAAgB,CAAC,CAAC;IACnE,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,gBAAgB,CAAC,YAAoB;QACzC,IAAI,CAAC,KAAK,CAAC,mBAAmB,GAAG,YAAY,CAAC;QAC9C,MAAM,IAAI,CAAC,YAAY,EAAE,CAAC;IAC5B,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,YAAY;QAChB,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,mBAAmB,EAAE,CAAC;YACpC,MAAM,IAAI,KAAK,CACb,2EAA2E;gBACzE,iEAAiE,CACpE,CAAC;QACJ,CAAC;QACD,OAAO,IAAI,CAAC,KAAK,CAAC,mBAAmB,CAAC;IACxC,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,qBAAqB,CAAC,KAA+C;QACzE,QAAQ,KAAK,EAAE,CAAC;YACd,KAAK,KAAK;gBACR,OAAO,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC;gBAC/B,OAAO,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC;gBAC/B,OAAO,IAAI,CAAC,KAAK,CAAC,mBAAmB,CAAC;gBACtC,MAAM;YACR,KAAK,QAAQ;gBACX,OAAO,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC;gBAC/B,MAAM;YACR,KAAK,QAAQ;gBACX,OAAO,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC;gBAC/B,MAAM;YACR,KAAK,UAAU;gBACb,OAAO,IAAI,CAAC,KAAK,CAAC,mBAAmB,CAAC;gBACtC,MAAM;QACV,CAAC;QACD,MAAM,IAAI,CAAC,YAAY,EAAE,CAAC;IAC5B,CAAC;IAED,2CAA2C;IAC3C,qBAAqB;IACrB,2CAA2C;IAE3C;;OAEG;IACK,KAAK,CAAC,YAAY;QACxB,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YACjB,MAAM,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC3C,CAAC;IACH,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,eAAe;QACnB,OAAO,IAAI,CAAC,WAAW,CAAC,eAAe,EAAE,CAAC;IAC5C,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,OAAO;QACX,MAAM,IAAI,CAAC,WAAW,CAAC,OAAO,EAAE,CAAC;IACnC,CAAC;IAED;;;OAGG;IACH,cAAc;QACZ,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC;QACvC,IAAI,CAAC,MAAM,EAAE,YAAY;YAAE,OAAO,KAAK,CAAC;QAExC,gCAAgC;QAChC,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;YACtB,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;YAC9C,qDAAqD;YACrD,IAAI,SAAS,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,EAAE,CAAC;gBACrD,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;;OAGG;IACH,eAAe;QACb,OAAO,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,YAAY,EAAE,aAAa,CAAC;IAClD,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,SAAS;QACb,MAAM,IAAI,CAAC,qBAAqB,CAAC,KAAK,CAAC,CAAC;IAC1C,CAAC;IAED;;;OAGG;IACH,QAAQ;QACN,OAAO,IAAI,CAAC,KAAK,CAAC;IACpB,CAAC;IAED;;;OAGG;IACH,UAAU;QACR,OAAO,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;IACvB,CAAC;CACF;AAlOD,4CAkOC"}

package/dist/lib/auth/oauth/discovery.d.ts

@@ -0,0 +1,96 @@
+/**
+ * OAuth Discovery utilities
+ *
+ * Functions to discover OAuth capabilities of MCP servers.
+ * MCP servers expose OAuth metadata at /.well-known/oauth-authorization-server
+ */
+/**
+ * OAuth Authorization Server Metadata
+ * @see https://datatracker.ietf.org/doc/html/rfc8414
+ */
+export interface OAuthMetadata {
+    /** URL of the authorization endpoint */
+    authorization_endpoint: string;
+    /** URL of the token endpoint */
+    token_endpoint: string;
+    /** URL of the dynamic client registration endpoint (optional) */
+    registration_endpoint?: string;
+    /** Issuer identifier */
+    issuer?: string;
+    /** PKCE code challenge methods supported */
+    code_challenge_methods_supported?: string[];
+    /** Response types supported */
+    response_types_supported?: string[];
+    /** Grant types supported */
+    grant_types_supported?: string[];
+    /** Token endpoint auth methods supported */
+    token_endpoint_auth_methods_supported?: string[];
+    /** Scopes supported */
+    scopes_supported?: string[];
+}
+/**
+ * Options for OAuth discovery
+ */
+export interface DiscoveryOptions {
+    /** Timeout in milliseconds (default: 5000) */
+    timeout?: number;
+    /** Custom fetch function (for testing or custom HTTP handling) */
+    fetch?: typeof fetch;
+}
+/**
+ * Discover OAuth metadata from an MCP server
+ *
+ * Fetches the OAuth Authorization Server Metadata from the well-known endpoint.
+ * Returns null if the server doesn't support OAuth or the metadata isn't available.
+ *
+ * @param agentUrl - The MCP server URL
+ * @param options - Discovery options
+ * @returns OAuth metadata or null if not available
+ *
+ * @example
+ * ```typescript
+ * const metadata = await discoverOAuthMetadata('https://agent.example.com/mcp');
+ * if (metadata) {
+ *   console.log('Authorization URL:', metadata.authorization_endpoint);
+ *   console.log('Supports dynamic registration:', !!metadata.registration_endpoint);
+ * }
+ * ```
+ */
+export declare function discoverOAuthMetadata(agentUrl: string, options?: DiscoveryOptions): Promise<OAuthMetadata | null>;
+/**
+ * Check if an MCP server supports OAuth authentication
+ *
+ * This is a simple boolean check - use discoverOAuthMetadata() if you need
+ * the actual endpoints.
+ *
+ * @param agentUrl - The MCP server URL
+ * @param options - Discovery options
+ * @returns true if the server supports OAuth
+ *
+ * @example
+ * ```typescript
+ * if (await supportsOAuth('https://agent.example.com/mcp')) {
+ *   console.log('Agent requires OAuth authentication');
+ * }
+ * ```
+ */
+export declare function supportsOAuth(agentUrl: string, options?: DiscoveryOptions): Promise<boolean>;
+/**
+ * Check if an MCP server supports dynamic client registration
+ *
+ * Servers that support dynamic registration allow clients to register
+ * automatically without pre-configured credentials.
+ *
+ * @param agentUrl - The MCP server URL
+ * @param options - Discovery options
+ * @returns true if the server supports dynamic client registration
+ *
+ * @example
+ * ```typescript
+ * if (await supportsDynamicRegistration('https://agent.example.com/mcp')) {
+ *   console.log('Agent supports automatic client registration');
+ * }
+ * ```
+ */
+export declare function supportsDynamicRegistration(agentUrl: string, options?: DiscoveryOptions): Promise<boolean>;
+//# sourceMappingURL=discovery.d.ts.map

package/dist/lib/auth/oauth/discovery.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"discovery.d.ts","sourceRoot":"","sources":["../../../../src/lib/auth/oauth/discovery.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH;;;GAGG;AACH,MAAM,WAAW,aAAa;IAC5B,wCAAwC;IACxC,sBAAsB,EAAE,MAAM,CAAC;IAC/B,gCAAgC;IAChC,cAAc,EAAE,MAAM,CAAC;IACvB,iEAAiE;IACjE,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,wBAAwB;IACxB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,4CAA4C;IAC5C,gCAAgC,CAAC,EAAE,MAAM,EAAE,CAAC;IAC5C,+BAA+B;IAC/B,wBAAwB,CAAC,EAAE,MAAM,EAAE,CAAC;IACpC,4BAA4B;IAC5B,qBAAqB,CAAC,EAAE,MAAM,EAAE,CAAC;IACjC,4CAA4C;IAC5C,qCAAqC,CAAC,EAAE,MAAM,EAAE,CAAC;IACjD,uBAAuB;IACvB,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;CAC7B;AAED;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,8CAA8C;IAC9C,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,kEAAkE;IAClE,KAAK,CAAC,EAAE,OAAO,KAAK,CAAC;CACtB;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAsB,qBAAqB,CACzC,QAAQ,EAAE,MAAM,EAChB,OAAO,GAAE,gBAAqB,GAC7B,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC,CAmC/B;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAsB,aAAa,CAAC,QAAQ,EAAE,MAAM,EAAE,OAAO,GAAE,gBAAqB,GAAG,OAAO,CAAC,OAAO,CAAC,CAGtG;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAsB,2BAA2B,CAAC,QAAQ,EAAE,MAAM,EAAE,OAAO,GAAE,gBAAqB,GAAG,OAAO,CAAC,OAAO,CAAC,CAGpH"}

package/dist/lib/auth/oauth/discovery.js

@@ -0,0 +1,104 @@
+"use strict";
+/**
+ * OAuth Discovery utilities
+ *
+ * Functions to discover OAuth capabilities of MCP servers.
+ * MCP servers expose OAuth metadata at /.well-known/oauth-authorization-server
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.discoverOAuthMetadata = discoverOAuthMetadata;
+exports.supportsOAuth = supportsOAuth;
+exports.supportsDynamicRegistration = supportsDynamicRegistration;
+/**
+ * Discover OAuth metadata from an MCP server
+ *
+ * Fetches the OAuth Authorization Server Metadata from the well-known endpoint.
+ * Returns null if the server doesn't support OAuth or the metadata isn't available.
+ *
+ * @param agentUrl - The MCP server URL
+ * @param options - Discovery options
+ * @returns OAuth metadata or null if not available
+ *
+ * @example
+ * ```typescript
+ * const metadata = await discoverOAuthMetadata('https://agent.example.com/mcp');
+ * if (metadata) {
+ *   console.log('Authorization URL:', metadata.authorization_endpoint);
+ *   console.log('Supports dynamic registration:', !!metadata.registration_endpoint);
+ * }
+ * ```
+ */
+async function discoverOAuthMetadata(agentUrl, options = {}) {
+    const { timeout = 5000, fetch: customFetch = fetch } = options;
+    try {
+        const baseUrl = new URL(agentUrl);
+        const metadataUrl = new URL('/.well-known/oauth-authorization-server', baseUrl.origin);
+        const controller = new AbortController();
+        const timeoutId = setTimeout(() => controller.abort(), timeout);
+        try {
+            const response = await customFetch(metadataUrl.toString(), {
+                headers: { Accept: 'application/json' },
+                signal: controller.signal,
+            });
+            if (!response.ok) {
+                return null;
+            }
+            const metadata = (await response.json());
+            // Validate required fields
+            if (!metadata.authorization_endpoint || !metadata.token_endpoint) {
+                return null;
+            }
+            return metadata;
+        }
+        finally {
+            clearTimeout(timeoutId);
+        }
+    }
+    catch {
+        // Network error, timeout, or invalid URL - agent doesn't support OAuth
+        return null;
+    }
+}
+/**
+ * Check if an MCP server supports OAuth authentication
+ *
+ * This is a simple boolean check - use discoverOAuthMetadata() if you need
+ * the actual endpoints.
+ *
+ * @param agentUrl - The MCP server URL
+ * @param options - Discovery options
+ * @returns true if the server supports OAuth
+ *
+ * @example
+ * ```typescript
+ * if (await supportsOAuth('https://agent.example.com/mcp')) {
+ *   console.log('Agent requires OAuth authentication');
+ * }
+ * ```
+ */
+async function supportsOAuth(agentUrl, options = {}) {
+    const metadata = await discoverOAuthMetadata(agentUrl, options);
+    return metadata !== null;
+}
+/**
+ * Check if an MCP server supports dynamic client registration
+ *
+ * Servers that support dynamic registration allow clients to register
+ * automatically without pre-configured credentials.
+ *
+ * @param agentUrl - The MCP server URL
+ * @param options - Discovery options
+ * @returns true if the server supports dynamic client registration
+ *
+ * @example
+ * ```typescript
+ * if (await supportsDynamicRegistration('https://agent.example.com/mcp')) {
+ *   console.log('Agent supports automatic client registration');
+ * }
+ * ```
+ */
+async function supportsDynamicRegistration(agentUrl, options = {}) {
+    const metadata = await discoverOAuthMetadata(agentUrl, options);
+    return metadata?.registration_endpoint !== undefined;
+}
+//# sourceMappingURL=discovery.js.map

package/dist/lib/auth/oauth/discovery.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"discovery.js","sourceRoot":"","sources":["../../../../src/lib/auth/oauth/discovery.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;AAwDH,sDAsCC;AAmBD,sCAGC;AAmBD,kEAGC;AArGD;;;;;;;;;;;;;;;;;;GAkBG;AACI,KAAK,UAAU,qBAAqB,CACzC,QAAgB,EAChB,UAA4B,EAAE;IAE9B,MAAM,EAAE,OAAO,GAAG,IAAI,EAAE,KAAK,EAAE,WAAW,GAAG,KAAK,EAAE,GAAG,OAAO,CAAC;IAE/D,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,CAAC;QAClC,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,yCAAyC,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC;QAEvF,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;QACzC,MAAM,SAAS,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,OAAO,CAAC,CAAC;QAEhE,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,WAAW,CAAC,WAAW,CAAC,QAAQ,EAAE,EAAE;gBACzD,OAAO,EAAE,EAAE,MAAM,EAAE,kBAAkB,EAAE;gBACvC,MAAM,EAAE,UAAU,CAAC,MAAM;aAC1B,CAAC,CAAC;YAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBACjB,OAAO,IAAI,CAAC;YACd,CAAC;YAED,MAAM,QAAQ,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAkB,CAAC;YAE1D,2BAA2B;YAC3B,IAAI,CAAC,QAAQ,CAAC,sBAAsB,IAAI,CAAC,QAAQ,CAAC,cAAc,EAAE,CAAC;gBACjE,OAAO,IAAI,CAAC;YACd,CAAC;YAED,OAAO,QAAQ,CAAC;QAClB,CAAC;gBAAS,CAAC;YACT,YAAY,CAAC,SAAS,CAAC,CAAC;QAC1B,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,uEAAuE;QACvE,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;;;GAgBG;AACI,KAAK,UAAU,aAAa,CAAC,QAAgB,EAAE,UAA4B,EAAE;IAClF,MAAM,QAAQ,GAAG,MAAM,qBAAqB,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IAChE,OAAO,QAAQ,KAAK,IAAI,CAAC;AAC3B,CAAC;AAED;;;;;;;;;;;;;;;;GAgBG;AACI,KAAK,UAAU,2BAA2B,CAAC,QAAgB,EAAE,UAA4B,EAAE;IAChG,MAAM,QAAQ,GAAG,MAAM,qBAAqB,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IAChE,OAAO,QAAQ,EAAE,qBAAqB,KAAK,SAAS,CAAC;AACvD,CAAC"}

package/dist/lib/auth/oauth/index.d.ts

@@ -0,0 +1,105 @@
+/**
+ * OAuth module for MCP authentication
+ *
+ * OAuth tokens are stored directly in AgentConfig, same as static auth tokens.
+ *
+ * @example
+ * ```typescript
+ * import { MCPOAuthProvider, CLIFlowHandler } from '@adcp/client';
+ *
+ * // Agent config - tokens will be stored here
+ * const agent: AgentConfig = {
+ *   id: 'my-agent',
+ *   name: 'My Agent',
+ *   agent_uri: 'https://agent.example.com/mcp',
+ *   protocol: 'mcp',
+ *   // After OAuth flow completes:
+ *   // oauth_tokens: { access_token: '...', refresh_token: '...' }
+ * };
+ *
+ * // Create provider with CLI flow handler
+ * const provider = new MCPOAuthProvider({
+ *   agent,
+ *   flowHandler: new CLIFlowHandler(),
+ *   storage: myConfigStorage  // Optional: persists tokens to file/db
+ * });
+ *
+ * // Use with MCP transport
+ * const transport = new StreamableHTTPClientTransport(url, {
+ *   authProvider: provider
+ * });
+ * ```
+ */
+export type { OAuthFlowHandler, OAuthProviderConfig, OAuthConfigStorage, OAuthClientInformation, OAuthClientInformationFull, OAuthClientMetadata, OAuthTokens, AgentConfig, AgentOAuthTokens, AgentOAuthClient, } from './types';
+export { DEFAULT_CLIENT_METADATA, OAuthError, OAuthCancelledError, OAuthTimeoutError, toMCPTokens, fromMCPTokens, toMCPClientInfo, fromMCPClientInfo, } from './types';
+export { CLIFlowHandler, type CLIFlowHandlerConfig } from './CLIFlowHandler';
+export { MCPOAuthProvider } from './MCPOAuthProvider';
+import { MCPOAuthProvider } from './MCPOAuthProvider';
+import type { OAuthClientMetadata, OAuthConfigStorage, AgentConfig } from './types';
+/**
+ * Create an OAuth provider for CLI usage
+ *
+ * @param agent Agent configuration (tokens stored here)
+ * @param options Optional configuration
+ * @returns Configured OAuth provider
+ *
+ * @example
+ * ```typescript
+ * const agent: AgentConfig = {
+ *   id: 'my-agent',
+ *   name: 'My Agent',
+ *   agent_uri: 'https://agent.example.com/mcp',
+ *   protocol: 'mcp'
+ * };
+ *
+ * const provider = createCLIOAuthProvider(agent);
+ *
+ * const transport = new StreamableHTTPClientTransport(url, {
+ *   authProvider: provider
+ * });
+ *
+ * try {
+ *   await client.connect(transport);
+ * } catch (error) {
+ *   if (error instanceof UnauthorizedError) {
+ *     const code = await provider.waitForCallback();
+ *     await transport.finishAuth(code);
+ *     await client.connect(transport);
+ *   }
+ * }
+ *
+ * // After successful auth, agent.oauth_tokens is populated
+ * console.log(agent.oauth_tokens);
+ * ```
+ */
+export declare function createCLIOAuthProvider(agent: AgentConfig, options?: {
+    /** Callback port (default: 8766) */
+    callbackPort?: number;
+    /** Auth timeout in ms (default: 300000 = 5 min) */
+    timeout?: number;
+    /** Custom client metadata overrides */
+    clientMetadata?: Partial<OAuthClientMetadata>;
+    /** Suppress console output */
+    quiet?: boolean;
+    /** Storage for persisting agent config */
+    storage?: OAuthConfigStorage;
+}): MCPOAuthProvider;
+/**
+ * Check if an error indicates OAuth is required
+ */
+export declare function isOAuthRequired(error: unknown): boolean;
+/**
+ * Check if an agent has valid OAuth tokens
+ */
+export declare function hasValidOAuthTokens(agent: AgentConfig): boolean;
+/**
+ * Clear OAuth tokens from an agent config
+ */
+export declare function clearOAuthTokens(agent: AgentConfig): void;
+/**
+ * Get the effective auth token for an agent
+ * Returns OAuth access_token if available, otherwise static auth_token
+ */
+export declare function getEffectiveAuthToken(agent: AgentConfig): string | undefined;
+export { discoverOAuthMetadata, supportsOAuth, supportsDynamicRegistration, type OAuthMetadata, type DiscoveryOptions, } from './discovery';
+//# sourceMappingURL=index.d.ts.map

package/dist/lib/auth/oauth/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/lib/auth/oauth/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+BG;AAGH,YAAY,EACV,gBAAgB,EAChB,mBAAmB,EACnB,kBAAkB,EAClB,sBAAsB,EACtB,0BAA0B,EAC1B,mBAAmB,EACnB,WAAW,EACX,WAAW,EACX,gBAAgB,EAChB,gBAAgB,GACjB,MAAM,SAAS,CAAC;AAEjB,OAAO,EACL,uBAAuB,EACvB,UAAU,EACV,mBAAmB,EACnB,iBAAiB,EACjB,WAAW,EACX,aAAa,EACb,eAAe,EACf,iBAAiB,GAClB,MAAM,SAAS,CAAC;AAGjB,OAAO,EAAE,cAAc,EAAE,KAAK,oBAAoB,EAAE,MAAM,kBAAkB,CAAC;AAG7E,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAMtD,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAEtD,OAAO,KAAK,EAAE,mBAAmB,EAAE,kBAAkB,EAAE,WAAW,EAAE,MAAM,SAAS,CAAC;AAGpF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAmCG;AACH,wBAAgB,sBAAsB,CACpC,KAAK,EAAE,WAAW,EAClB,OAAO,CAAC,EAAE;IACR,oCAAoC;IACpC,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,mDAAmD;IACnD,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,uCAAuC;IACvC,cAAc,CAAC,EAAE,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAC9C,8BAA8B;IAC9B,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,0CAA0C;IAC1C,OAAO,CAAC,EAAE,kBAAkB,CAAC;CAC9B,GACA,gBAAgB,CAqBlB;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CASvD;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,WAAW,GAAG,OAAO,CAa/D;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,WAAW,GAAG,IAAI,CAIzD;AAED;;;GAGG;AACH,wBAAgB,qBAAqB,CAAC,KAAK,EAAE,WAAW,GAAG,MAAM,GAAG,SAAS,CAO5E;AAGD,OAAO,EACL,qBAAqB,EACrB,aAAa,EACb,2BAA2B,EAC3B,KAAK,aAAa,EAClB,KAAK,gBAAgB,GACtB,MAAM,aAAa,CAAC"}