@agent-native/core 0.18.0 → 0.19.0

package/dist/mcp/connect-store.js

@@ -0,0 +1,434 @@
+/**
+ * Framework-table store for the "connect external agents" feature.
+ *
+ * Two additive, dialect-agnostic tables back the browser **Connect** page and
+ * the OAuth-style **device-code flow** a CLI drives:
+ *
+ *   - `mcp_connect_tokens`  — one row per minted MCP token. We never store the
+ *     token value (it's a signed JWT); only its `jti` so revocation is a
+ *     SQL lookup. Revoking sets `revoked_at`; the row is never deleted.
+ *   - `mcp_device_codes`    — short-lived (10 min) device/user code pairs for
+ *     the OAuth 2.0 device-authorization-style CLI flow. Single-use
+ *     (`consumed_at`), rate-limited at creation.
+ *
+ * Mirrors `application-state/store.ts`: lazy `ensureTable()`, `getDbExec()`,
+ * `isPostgres()` dialect branching for upserts, `isConnectionError()` swallow
+ * so a transient Neon WS drop never 500s. `CREATE TABLE IF NOT EXISTS` only —
+ * strictly additive, never DROP / ALTER (shared prod DB rule).
+ */
+import { getDbExec, isConnectionError, intType, } from "../db/client.js";
+import { randomBytes, randomUUID } from "node:crypto";
+let _initPromise;
+/**
+ * Scope claim that marks a connect-minted token (vs. an ordinary A2A
+ * delegation JWT). Only tokens carrying this scope go through the revoke
+ * lookup in `verifyAuth` — defined here so both `connect-route.ts` and
+ * `build-server.ts` import it from the leaf store without a cycle.
+ */
+export const MCP_CONNECT_SCOPE = "mcp-connect";
+/** Device codes are valid for 10 minutes. */
+export const DEVICE_CODE_TTL_MS = 10 * 60_000;
+/** Default minted-token lifetime. Configurable per-request 1–365 days. */
+export const DEFAULT_TOKEN_TTL_DAYS = 90;
+export const MIN_TOKEN_TTL_DAYS = 1;
+export const MAX_TOKEN_TTL_DAYS = 365;
+/**
+ * Rate limit for `device/start`: at most this many device codes may be created
+ * within `DEVICE_START_WINDOW_MS`. Unauthenticated endpoint — keep it tight so
+ * a hostile client can't flood the table or brute-force user codes.
+ */
+export const DEVICE_START_MAX = 20;
+export const DEVICE_START_WINDOW_MS = 60_000;
+async function ensureTable() {
+    if (!_initPromise) {
+        _initPromise = (async () => {
+            const client = getDbExec();
+            // Additive only. Never DROP / ALTER — this DB is shared across every
+            // deploy context (preview/branch/prod) for hosted templates.
+            await client.execute(`
+        CREATE TABLE IF NOT EXISTS mcp_connect_tokens (
+          id TEXT PRIMARY KEY,
+          jti TEXT UNIQUE NOT NULL,
+          owner_email TEXT NOT NULL,
+          org_id TEXT,
+          label TEXT,
+          created_at ${intType()},
+          last_used_at ${intType()},
+          revoked_at ${intType()}
+        )
+      `);
+            await client.execute(`
+        CREATE TABLE IF NOT EXISTS mcp_device_codes (
+          device_code TEXT PRIMARY KEY,
+          user_code TEXT NOT NULL,
+          owner_email TEXT,
+          org_id TEXT,
+          status TEXT NOT NULL DEFAULT 'pending',
+          token_jti TEXT,
+          created_at ${intType()},
+          expires_at ${intType()},
+          consumed_at ${intType()}
+        )
+      `);
+        })().catch((err) => {
+            // Don't cache a rejected init. A transient DB blip should let the next
+            // connect/mint/revoke call retry rather than wedging the process.
+            _initPromise = undefined;
+            throw err;
+        });
+    }
+    return _initPromise;
+}
+/**
+ * Persist a record of a minted token. The token value itself (a signed JWT)
+ * is NEVER stored — only its `jti`, so revocation is a cheap SQL lookup.
+ */
+export async function recordMintedToken(params) {
+    await ensureTable();
+    const client = getDbExec();
+    const id = randomUUID();
+    await client.execute({
+        sql: `INSERT INTO mcp_connect_tokens (id, jti, owner_email, org_id, label, created_at, last_used_at, revoked_at) VALUES (?, ?, ?, ?, ?, ?, ?, ?)`,
+        args: [
+            id,
+            params.jti,
+            params.ownerEmail,
+            params.orgId ?? null,
+            params.label ?? null,
+            Date.now(),
+            null,
+            null,
+        ],
+    });
+    return id;
+}
+/**
+ * Returns true when the given `jti` corresponds to a token that has been
+ * revoked. Fails OPEN on a store/DB error: a transient Neon WS drop must not
+ * lock every connected agent out. Signature verification is unaffected — this
+ * is only the post-verify revoke check (see `verifyAuth` in build-server.ts).
+ */
+export async function isJtiRevoked(jti) {
+    try {
+        await ensureTable();
+        const client = getDbExec();
+        const { rows } = await client.execute({
+            sql: `SELECT revoked_at FROM mcp_connect_tokens WHERE jti = ?`,
+            args: [jti],
+        });
+        if (rows.length === 0)
+            return false;
+        const revokedAt = rows[0].revoked_at ?? rows[0].revokedAt;
+        return revokedAt != null;
+    }
+    catch (err) {
+        // Fail open: a DB blip must not turn every minted token into a 401.
+        // (Signature checks already passed; this only gates explicit revokes.)
+        if (isConnectionError(err))
+            return false;
+        return false;
+    }
+}
+export async function listTokens(ownerEmail) {
+    try {
+        await ensureTable();
+        const client = getDbExec();
+        const { rows } = await client.execute({
+            sql: `SELECT id, jti, owner_email, org_id, label, created_at, last_used_at, revoked_at FROM mcp_connect_tokens WHERE owner_email = ? ORDER BY created_at DESC`,
+            args: [ownerEmail],
+        });
+        return rows.map((r) => ({
+            id: r.id,
+            jti: r.jti,
+            ownerEmail: (r.owner_email ?? r.ownerEmail),
+            orgId: (r.org_id ?? r.orgId ?? null),
+            label: (r.label ?? null),
+            createdAt: numOrNull(r.created_at ?? r.createdAt),
+            lastUsedAt: numOrNull(r.last_used_at ?? r.lastUsedAt),
+            revokedAt: numOrNull(r.revoked_at ?? r.revokedAt),
+        }));
+    }
+    catch (err) {
+        if (isConnectionError(err))
+            return [];
+        throw err;
+    }
+}
+/**
+ * Revoke a token, but ONLY if it is owned by `ownerEmail` (the caller). The
+ * `owner_email = ?` predicate is the access scope — a caller can never revoke
+ * another user's token. Idempotent: re-revoking keeps the first timestamp.
+ * Returns true when a row was actually transitioned to revoked.
+ */
+export async function revokeToken(ownerEmail, id) {
+    await ensureTable();
+    const client = getDbExec();
+    const result = await client.execute({
+        sql: `UPDATE mcp_connect_tokens SET revoked_at = ? WHERE id = ? AND owner_email = ? AND revoked_at IS NULL`,
+        args: [Date.now(), id, ownerEmail],
+    });
+    return result.rowsAffected > 0;
+}
+/**
+ * Best-effort: stamp `last_used_at` for a token. Swallows all errors — this is
+ * pure telemetry and must never affect the auth path.
+ */
+export async function touchTokenUsed(jti) {
+    try {
+        await ensureTable();
+        const client = getDbExec();
+        await client.execute({
+            sql: `UPDATE mcp_connect_tokens SET last_used_at = ? WHERE jti = ?`,
+            args: [Date.now(), jti],
+        });
+    }
+    catch {
+        // last_used_at is informational only — never throw from the hot path.
+    }
+}
+const USER_CODE_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"; // Crockford-ish base32, no 0/1/O/I
+/** Crypto-random short human-typable code, formatted `XXXX-XXXX`. */
+function generateUserCode() {
+    const bytes = randomBytes(8);
+    let out = "";
+    for (let i = 0; i < 8; i++) {
+        out += USER_CODE_ALPHABET[bytes[i] % USER_CODE_ALPHABET.length];
+        if (i === 3)
+            out += "-";
+    }
+    return out;
+}
+function generateDeviceCode() {
+    return randomBytes(32).toString("base64url");
+}
+/**
+ * Create a new device+user code pair. Rate-limited: at most
+ * `DEVICE_START_MAX` codes within `DEVICE_START_WINDOW_MS`. The window count
+ * is a coarse global cap (this endpoint is unauthenticated) — enough to stop
+ * table flooding / user-code brute force without per-IP plumbing.
+ *
+ * Throws `RATE_LIMITED` when the cap is exceeded so the route can map it to a
+ * 429.
+ */
+export async function createDeviceCode() {
+    await ensureTable();
+    const client = getDbExec();
+    const now = Date.now();
+    try {
+        const { rows } = await client.execute({
+            sql: `SELECT COUNT(*) AS n FROM mcp_device_codes WHERE created_at > ?`,
+            args: [now - DEVICE_START_WINDOW_MS],
+        });
+        const n = Number(rows[0]?.n ?? rows[0]?.["COUNT(*)"] ?? 0);
+        if (Number.isFinite(n) && n >= DEVICE_START_MAX) {
+            throw new Error("RATE_LIMITED");
+        }
+    }
+    catch (err) {
+        if (err?.message === "RATE_LIMITED")
+            throw err;
+        // A read failure here should not block legitimate device starts — the
+        // single-use + short-TTL design is the primary protection. Continue.
+    }
+    const deviceCode = generateDeviceCode();
+    const userCode = generateUserCode();
+    const expiresAt = now + DEVICE_CODE_TTL_MS;
+    await client.execute({
+        sql: `INSERT INTO mcp_device_codes (device_code, user_code, owner_email, org_id, status, token_jti, created_at, expires_at, consumed_at) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)`,
+        args: [
+            deviceCode,
+            userCode,
+            null,
+            null,
+            "pending",
+            null,
+            now,
+            expiresAt,
+            null,
+        ],
+    });
+    return {
+        deviceCode,
+        userCode,
+        ownerEmail: null,
+        orgId: null,
+        status: "pending",
+        tokenJti: null,
+        createdAt: now,
+        expiresAt,
+        consumedAt: null,
+    };
+}
+function mapDeviceRow(r) {
+    return {
+        deviceCode: (r.device_code ?? r.deviceCode),
+        userCode: (r.user_code ?? r.userCode),
+        ownerEmail: (r.owner_email ?? r.ownerEmail ?? null),
+        orgId: (r.org_id ?? r.orgId ?? null),
+        status: (r.status ?? "pending"),
+        tokenJti: (r.token_jti ?? r.tokenJti ?? null),
+        createdAt: numOrNull(r.created_at ?? r.createdAt),
+        expiresAt: numOrNull(r.expires_at ?? r.expiresAt),
+        consumedAt: numOrNull(r.consumed_at ?? r.consumedAt),
+    };
+}
+export async function getDeviceCode(deviceCode) {
+    try {
+        await ensureTable();
+        const client = getDbExec();
+        const { rows } = await client.execute({
+            sql: `SELECT * FROM mcp_device_codes WHERE device_code = ?`,
+            args: [deviceCode],
+        });
+        if (rows.length === 0)
+            return null;
+        return mapDeviceRow(rows[0]);
+    }
+    catch (err) {
+        if (isConnectionError(err))
+            return null;
+        throw err;
+    }
+}
+export async function getDeviceCodeByUserCode(userCode) {
+    try {
+        await ensureTable();
+        const client = getDbExec();
+        const { rows } = await client.execute({
+            sql: `SELECT * FROM mcp_device_codes WHERE user_code = ?`,
+            args: [userCode],
+        });
+        if (rows.length === 0)
+            return null;
+        return mapDeviceRow(rows[0]);
+    }
+    catch (err) {
+        if (isConnectionError(err))
+            return null;
+        throw err;
+    }
+}
+/**
+ * Bind the logged-in user (email + org) to a pending device code, identified
+ * by its human-typable `user_code`. Only transitions a non-expired, still
+ * `pending` row. Returns the bound row, or a string error code:
+ *   - `not_found`  — no such user_code
+ *   - `expired`    — past its TTL
+ *   - `already`    — already approved/consumed (not re-bindable)
+ */
+export async function approveDeviceCode(userCode, ownerEmail, orgId) {
+    await ensureTable();
+    const client = getDbExec();
+    const row = await getDeviceCodeByUserCode(userCode);
+    if (!row)
+        return "not_found";
+    if ((row.expiresAt ?? 0) < Date.now())
+        return "expired";
+    if (row.status !== "pending")
+        return "already";
+    const result = await client.execute({
+        sql: `UPDATE mcp_device_codes SET status = 'approved', owner_email = ?, org_id = ? WHERE user_code = ? AND status = 'pending'`,
+        args: [ownerEmail, orgId, userCode],
+    });
+    if (result.rowsAffected === 0) {
+        // Lost a race with another approve — re-read to report the real state.
+        const fresh = await getDeviceCodeByUserCode(userCode);
+        return fresh && fresh.status !== "pending" ? "already" : "not_found";
+    }
+    return {
+        ...row,
+        status: "approved",
+        ownerEmail,
+        orgId,
+    };
+}
+/**
+ * Atomically transition an approved device code to consumed and stamp the
+ * minted token's jti. Single-use: only succeeds when the row is currently
+ * `approved` (not already consumed). Returns the pre-consume row on success,
+ * or null when it could not be consumed (already consumed / not approved /
+ * gone). The caller mints the token only after this returns a row.
+ */
+export async function consumeDeviceCode(deviceCode, tokenJti) {
+    await ensureTable();
+    const client = getDbExec();
+    const row = await getDeviceCode(deviceCode);
+    if (!row)
+        return null;
+    if (row.status !== "approved")
+        return null;
+    const result = await client.execute({
+        sql: `UPDATE mcp_device_codes SET status = 'consumed', token_jti = ?, consumed_at = ? WHERE device_code = ? AND status = 'approved'`,
+        args: [tokenJti, Date.now(), deviceCode],
+    });
+    if (result.rowsAffected === 0)
+        return null; // lost the single-use race
+    return row;
+}
+/**
+ * Claim an approved device code for token minting without making it terminal.
+ * If signing or token recording fails, callers release this back to approved
+ * so the CLI can retry the poll instead of being stuck at "consumed".
+ */
+export async function claimDeviceCodeForMint(deviceCode, tokenJti) {
+    await ensureTable();
+    const client = getDbExec();
+    const row = await getDeviceCode(deviceCode);
+    if (!row || row.status !== "approved")
+        return null;
+    const result = await client.execute({
+        sql: `UPDATE mcp_device_codes SET status = 'minting', token_jti = ?, consumed_at = ? WHERE device_code = ? AND status = 'approved'`,
+        args: [tokenJti, Date.now(), deviceCode],
+    });
+    if (result.rowsAffected === 0)
+        return null;
+    return row;
+}
+export async function finishDeviceCodeMint(deviceCode, tokenJti) {
+    await ensureTable();
+    const client = getDbExec();
+    const result = await client.execute({
+        sql: `UPDATE mcp_device_codes SET status = 'consumed' WHERE device_code = ? AND status = 'minting' AND token_jti = ?`,
+        args: [deviceCode, tokenJti],
+    });
+    return result.rowsAffected > 0;
+}
+export async function releaseDeviceCodeMint(deviceCode, tokenJti) {
+    try {
+        await ensureTable();
+        const client = getDbExec();
+        await client.execute({
+            sql: `UPDATE mcp_device_codes SET status = 'approved', token_jti = NULL, consumed_at = NULL WHERE device_code = ? AND status = 'minting' AND token_jti = ?`,
+            args: [deviceCode, tokenJti],
+        });
+    }
+    catch {
+        // The next poll will keep returning pending for a minting row until a
+        // later cleanup/retry path can observe or repair it. Do not throw here.
+    }
+}
+/**
+ * Best-effort: flip an expired, still-pending/approved row to `expired` so
+ * the poll endpoint can report a clean terminal state. Swallows errors.
+ */
+export async function expireDeviceCode(deviceCode) {
+    try {
+        await ensureTable();
+        const client = getDbExec();
+        await client.execute({
+            sql: `UPDATE mcp_device_codes SET status = 'expired' WHERE device_code = ? AND status IN ('pending','approved')`,
+            args: [deviceCode],
+        });
+    }
+    catch {
+        // The poll handler already treats past-TTL rows as expired regardless of
+        // whether this housekeeping write lands.
+    }
+}
+function numOrNull(v) {
+    if (v == null)
+        return null;
+    const n = Number(v);
+    return Number.isFinite(n) ? n : null;
+}
+//# sourceMappingURL=connect-store.js.map

package/dist/mcp/connect-store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"connect-store.js","sourceRoot":"","sources":["../../src/mcp/connect-store.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,OAAO,EACL,SAAS,EACT,iBAAiB,EAEjB,OAAO,GACR,MAAM,iBAAiB,CAAC;AACzB,OAAO,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAEtD,IAAI,YAAuC,CAAC;AAE5C;;;;;GAKG;AACH,MAAM,CAAC,MAAM,iBAAiB,GAAG,aAAa,CAAC;AAE/C,6CAA6C;AAC7C,MAAM,CAAC,MAAM,kBAAkB,GAAG,EAAE,GAAG,MAAM,CAAC;AAE9C,0EAA0E;AAC1E,MAAM,CAAC,MAAM,sBAAsB,GAAG,EAAE,CAAC;AACzC,MAAM,CAAC,MAAM,kBAAkB,GAAG,CAAC,CAAC;AACpC,MAAM,CAAC,MAAM,kBAAkB,GAAG,GAAG,CAAC;AAEtC;;;;GAIG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAG,EAAE,CAAC;AACnC,MAAM,CAAC,MAAM,sBAAsB,GAAG,MAAM,CAAC;AAE7C,KAAK,UAAU,WAAW;IACxB,IAAI,CAAC,YAAY,EAAE,CAAC;QAClB,YAAY,GAAG,CAAC,KAAK,IAAI,EAAE;YACzB,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;YAC3B,qEAAqE;YACrE,6DAA6D;YAC7D,MAAM,MAAM,CAAC,OAAO,CAAC;;;;;;;uBAOJ,OAAO,EAAE;yBACP,OAAO,EAAE;uBACX,OAAO,EAAE;;OAEzB,CAAC,CAAC;YACH,MAAM,MAAM,CAAC,OAAO,CAAC;;;;;;;;uBAQJ,OAAO,EAAE;uBACT,OAAO,EAAE;wBACR,OAAO,EAAE;;OAE1B,CAAC,CAAC;QACL,CAAC,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YACjB,uEAAuE;YACvE,kEAAkE;YAClE,YAAY,GAAG,SAAS,CAAC;YACzB,MAAM,GAAG,CAAC;QACZ,CAAC,CAAC,CAAC;IACL,CAAC;IACD,OAAO,YAAY,CAAC;AACtB,CAAC;AAiBD;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,MAKvC;IACC,MAAM,WAAW,EAAE,CAAC;IACpB,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;IAC3B,MAAM,EAAE,GAAG,UAAU,EAAE,CAAC;IACxB,MAAM,MAAM,CAAC,OAAO,CAAC;QACnB,GAAG,EAAE,4IAA4I;QACjJ,IAAI,EAAE;YACJ,EAAE;YACF,MAAM,CAAC,GAAG;YACV,MAAM,CAAC,UAAU;YACjB,MAAM,CAAC,KAAK,IAAI,IAAI;YACpB,MAAM,CAAC,KAAK,IAAI,IAAI;YACpB,IAAI,CAAC,GAAG,EAAE;YACV,IAAI;YACJ,IAAI;SACL;KACF,CAAC,CAAC;IACH,OAAO,EAAE,CAAC;AACZ,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,GAAW;IAC5C,IAAI,CAAC;QACH,MAAM,WAAW,EAAE,CAAC;QACpB,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAC3B,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,MAAM,CAAC,OAAO,CAAC;YACpC,GAAG,EAAE,yDAAyD;YAC9D,IAAI,EAAE,CAAC,GAAG,CAAC;SACZ,CAAC,CAAC;QACH,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,KAAK,CAAC;QACpC,MAAM,SAAS,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC,UAAU,IAAI,IAAI,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QAC1D,OAAO,SAAS,IAAI,IAAI,CAAC;IAC3B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,oEAAoE;QACpE,uEAAuE;QACvE,IAAI,iBAAiB,CAAC,GAAG,CAAC;YAAE,OAAO,KAAK,CAAC;QACzC,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,UAAU,CAC9B,UAAkB;IAElB,IAAI,CAAC;QACH,MAAM,WAAW,EAAE,CAAC;QACpB,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAC3B,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,MAAM,CAAC,OAAO,CAAC;YACpC,GAAG,EAAE,yJAAyJ;YAC9J,IAAI,EAAE,CAAC,UAAU,CAAC;SACnB,CAAC,CAAC;QACH,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,CAAC;YAC3B,EAAE,EAAE,CAAC,CAAC,EAAY;YAClB,GAAG,EAAE,CAAC,CAAC,GAAa;YACpB,UAAU,EAAE,CAAC,CAAC,CAAC,WAAW,IAAI,CAAC,CAAC,UAAU,CAAW;YACrD,KAAK,EAAE,CAAC,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,KAAK,IAAI,IAAI,CAAkB;YACrD,KAAK,EAAE,CAAC,CAAC,CAAC,KAAK,IAAI,IAAI,CAAkB;YACzC,SAAS,EAAE,SAAS,CAAC,CAAC,CAAC,UAAU,IAAI,CAAC,CAAC,SAAS,CAAC;YACjD,UAAU,EAAE,SAAS,CAAC,CAAC,CAAC,YAAY,IAAI,CAAC,CAAC,UAAU,CAAC;YACrD,SAAS,EAAE,SAAS,CAAC,CAAC,CAAC,UAAU,IAAI,CAAC,CAAC,SAAS,CAAC;SAClD,CAAC,CAAC,CAAC;IACN,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,iBAAiB,CAAC,GAAG,CAAC;YAAE,OAAO,EAAE,CAAC;QACtC,MAAM,GAAG,CAAC;IACZ,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,UAAkB,EAClB,EAAU;IAEV,MAAM,WAAW,EAAE,CAAC;IACpB,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;IAC3B,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,OAAO,CAAC;QAClC,GAAG,EAAE,sGAAsG;QAC3G,IAAI,EAAE,CAAC,IAAI,CAAC,GAAG,EAAE,EAAE,EAAE,EAAE,UAAU,CAAC;KACnC,CAAC,CAAC;IACH,OAAO,MAAM,CAAC,YAAY,GAAG,CAAC,CAAC;AACjC,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,GAAW;IAC9C,IAAI,CAAC;QACH,MAAM,WAAW,EAAE,CAAC;QACpB,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAC3B,MAAM,MAAM,CAAC,OAAO,CAAC;YACnB,GAAG,EAAE,8DAA8D;YACnE,IAAI,EAAE,CAAC,IAAI,CAAC,GAAG,EAAE,EAAE,GAAG,CAAC;SACxB,CAAC,CAAC;IACL,CAAC;IAAC,MAAM,CAAC;QACP,sEAAsE;IACxE,CAAC;AACH,CAAC;AAkBD,MAAM,kBAAkB,GAAG,kCAAkC,CAAC,CAAC,mCAAmC;AAElG,qEAAqE;AACrE,SAAS,gBAAgB;IACvB,MAAM,KAAK,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC;IAC7B,IAAI,GAAG,GAAG,EAAE,CAAC;IACb,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QAC3B,GAAG,IAAI,kBAAkB,CAAC,KAAK,CAAC,CAAC,CAAC,GAAG,kBAAkB,CAAC,MAAM,CAAC,CAAC;QAChE,IAAI,CAAC,KAAK,CAAC;YAAE,GAAG,IAAI,GAAG,CAAC;IAC1B,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,kBAAkB;IACzB,OAAO,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AAC/C,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB;IACpC,MAAM,WAAW,EAAE,CAAC;IACpB,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;IAE3B,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,IAAI,CAAC;QACH,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,MAAM,CAAC,OAAO,CAAC;YACpC,GAAG,EAAE,iEAAiE;YACtE,IAAI,EAAE,CAAC,GAAG,GAAG,sBAAsB,CAAC;SACrC,CAAC,CAAC;QACH,MAAM,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC;QAC3D,IAAI,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,gBAAgB,EAAE,CAAC;YAChD,MAAM,IAAI,KAAK,CAAC,cAAc,CAAC,CAAC;QAClC,CAAC;IACH,CAAC;IAAC,OAAO,GAAQ,EAAE,CAAC;QAClB,IAAI,GAAG,EAAE,OAAO,KAAK,cAAc;YAAE,MAAM,GAAG,CAAC;QAC/C,sEAAsE;QACtE,qEAAqE;IACvE,CAAC;IAED,MAAM,UAAU,GAAG,kBAAkB,EAAE,CAAC;IACxC,MAAM,QAAQ,GAAG,gBAAgB,EAAE,CAAC;IACpC,MAAM,SAAS,GAAG,GAAG,GAAG,kBAAkB,CAAC;IAC3C,MAAM,MAAM,CAAC,OAAO,CAAC;QACnB,GAAG,EAAE,uKAAuK;QAC5K,IAAI,EAAE;YACJ,UAAU;YACV,QAAQ;YACR,IAAI;YACJ,IAAI;YACJ,SAAS;YACT,IAAI;YACJ,GAAG;YACH,SAAS;YACT,IAAI;SACL;KACF,CAAC,CAAC;IACH,OAAO;QACL,UAAU;QACV,QAAQ;QACR,UAAU,EAAE,IAAI;QAChB,KAAK,EAAE,IAAI;QACX,MAAM,EAAE,SAAS;QACjB,QAAQ,EAAE,IAAI;QACd,SAAS,EAAE,GAAG;QACd,SAAS;QACT,UAAU,EAAE,IAAI;KACjB,CAAC;AACJ,CAAC;AAED,SAAS,YAAY,CAAC,CAAM;IAC1B,OAAO;QACL,UAAU,EAAE,CAAC,CAAC,CAAC,WAAW,IAAI,CAAC,CAAC,UAAU,CAAW;QACrD,QAAQ,EAAE,CAAC,CAAC,CAAC,SAAS,IAAI,CAAC,CAAC,QAAQ,CAAW;QAC/C,UAAU,EAAE,CAAC,CAAC,CAAC,WAAW,IAAI,CAAC,CAAC,UAAU,IAAI,IAAI,CAAkB;QACpE,KAAK,EAAE,CAAC,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,KAAK,IAAI,IAAI,CAAkB;QACrD,MAAM,EAAE,CAAC,CAAC,CAAC,MAAM,IAAI,SAAS,CAA4B;QAC1D,QAAQ,EAAE,CAAC,CAAC,CAAC,SAAS,IAAI,CAAC,CAAC,QAAQ,IAAI,IAAI,CAAkB;QAC9D,SAAS,EAAE,SAAS,CAAC,CAAC,CAAC,UAAU,IAAI,CAAC,CAAC,SAAS,CAAC;QACjD,SAAS,EAAE,SAAS,CAAC,CAAC,CAAC,UAAU,IAAI,CAAC,CAAC,SAAS,CAAC;QACjD,UAAU,EAAE,SAAS,CAAC,CAAC,CAAC,WAAW,IAAI,CAAC,CAAC,UAAU,CAAC;KACrD,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,UAAkB;IAElB,IAAI,CAAC;QACH,MAAM,WAAW,EAAE,CAAC;QACpB,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAC3B,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,MAAM,CAAC,OAAO,CAAC;YACpC,GAAG,EAAE,sDAAsD;YAC3D,IAAI,EAAE,CAAC,UAAU,CAAC;SACnB,CAAC,CAAC;QACH,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;QACnC,OAAO,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;IAC/B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,iBAAiB,CAAC,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC;QACxC,MAAM,GAAG,CAAC;IACZ,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,QAAgB;IAEhB,IAAI,CAAC;QACH,MAAM,WAAW,EAAE,CAAC;QACpB,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAC3B,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,MAAM,CAAC,OAAO,CAAC;YACpC,GAAG,EAAE,oDAAoD;YACzD,IAAI,EAAE,CAAC,QAAQ,CAAC;SACjB,CAAC,CAAC;QACH,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;QACnC,OAAO,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;IAC/B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,iBAAiB,CAAC,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC;QACxC,MAAM,GAAG,CAAC;IACZ,CAAC;AACH,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,QAAgB,EAChB,UAAkB,EAClB,KAAoB;IAEpB,MAAM,WAAW,EAAE,CAAC;IACpB,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;IAC3B,MAAM,GAAG,GAAG,MAAM,uBAAuB,CAAC,QAAQ,CAAC,CAAC;IACpD,IAAI,CAAC,GAAG;QAAE,OAAO,WAAW,CAAC;IAC7B,IAAI,CAAC,GAAG,CAAC,SAAS,IAAI,CAAC,CAAC,GAAG,IAAI,CAAC,GAAG,EAAE;QAAE,OAAO,SAAS,CAAC;IACxD,IAAI,GAAG,CAAC,MAAM,KAAK,SAAS;QAAE,OAAO,SAAS,CAAC;IAE/C,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,OAAO,CAAC;QAClC,GAAG,EAAE,yHAAyH;QAC9H,IAAI,EAAE,CAAC,UAAU,EAAE,KAAK,EAAE,QAAQ,CAAC;KACpC,CAAC,CAAC;IACH,IAAI,MAAM,CAAC,YAAY,KAAK,CAAC,EAAE,CAAC;QAC9B,uEAAuE;QACvE,MAAM,KAAK,GAAG,MAAM,uBAAuB,CAAC,QAAQ,CAAC,CAAC;QACtD,OAAO,KAAK,IAAI,KAAK,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,WAAW,CAAC;IACvE,CAAC;IACD,OAAO;QACL,GAAG,GAAG;QACN,MAAM,EAAE,UAAU;QAClB,UAAU;QACV,KAAK;KACN,CAAC;AACJ,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,UAAkB,EAClB,QAAgB;IAEhB,MAAM,WAAW,EAAE,CAAC;IACpB,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;IAC3B,MAAM,GAAG,GAAG,MAAM,aAAa,CAAC,UAAU,CAAC,CAAC;IAC5C,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IACtB,IAAI,GAAG,CAAC,MAAM,KAAK,UAAU;QAAE,OAAO,IAAI,CAAC;IAC3C,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,OAAO,CAAC;QAClC,GAAG,EAAE,+HAA+H;QACpI,IAAI,EAAE,CAAC,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,EAAE,UAAU,CAAC;KACzC,CAAC,CAAC;IACH,IAAI,MAAM,CAAC,YAAY,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC,CAAC,2BAA2B;IACvE,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAC1C,UAAkB,EAClB,QAAgB;IAEhB,MAAM,WAAW,EAAE,CAAC;IACpB,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;IAC3B,MAAM,GAAG,GAAG,MAAM,aAAa,CAAC,UAAU,CAAC,CAAC;IAC5C,IAAI,CAAC,GAAG,IAAI,GAAG,CAAC,MAAM,KAAK,UAAU;QAAE,OAAO,IAAI,CAAC;IACnD,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,OAAO,CAAC;QAClC,GAAG,EAAE,8HAA8H;QACnI,IAAI,EAAE,CAAC,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,EAAE,UAAU,CAAC;KACzC,CAAC,CAAC;IACH,IAAI,MAAM,CAAC,YAAY,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAC3C,OAAO,GAAG,CAAC;AACb,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,UAAkB,EAClB,QAAgB;IAEhB,MAAM,WAAW,EAAE,CAAC;IACpB,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;IAC3B,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,OAAO,CAAC;QAClC,GAAG,EAAE,gHAAgH;QACrH,IAAI,EAAE,CAAC,UAAU,EAAE,QAAQ,CAAC;KAC7B,CAAC,CAAC;IACH,OAAO,MAAM,CAAC,YAAY,GAAG,CAAC,CAAC;AACjC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,qBAAqB,CACzC,UAAkB,EAClB,QAAgB;IAEhB,IAAI,CAAC;QACH,MAAM,WAAW,EAAE,CAAC;QACpB,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAC3B,MAAM,MAAM,CAAC,OAAO,CAAC;YACnB,GAAG,EAAE,sJAAsJ;YAC3J,IAAI,EAAE,CAAC,UAAU,EAAE,QAAQ,CAAC;SAC7B,CAAC,CAAC;IACL,CAAC;IAAC,MAAM,CAAC;QACP,sEAAsE;QACtE,wEAAwE;IAC1E,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,UAAkB;IACvD,IAAI,CAAC;QACH,MAAM,WAAW,EAAE,CAAC;QACpB,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAC3B,MAAM,MAAM,CAAC,OAAO,CAAC;YACnB,GAAG,EAAE,2GAA2G;YAChH,IAAI,EAAE,CAAC,UAAU,CAAC;SACnB,CAAC,CAAC;IACL,CAAC;IAAC,MAAM,CAAC;QACP,yEAAyE;QACzE,yCAAyC;IAC3C,CAAC;AACH,CAAC;AAED,SAAS,SAAS,CAAC,CAAU;IAC3B,IAAI,CAAC,IAAI,IAAI;QAAE,OAAO,IAAI,CAAC;IAC3B,MAAM,CAAC,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;IACpB,OAAO,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;AACvC,CAAC","sourcesContent":["/**\n * Framework-table store for the \"connect external agents\" feature.\n *\n * Two additive, dialect-agnostic tables back the browser **Connect** page and\n * the OAuth-style **device-code flow** a CLI drives:\n *\n *   - `mcp_connect_tokens`  — one row per minted MCP token. We never store the\n *     token value (it's a signed JWT); only its `jti` so revocation is a\n *     SQL lookup. Revoking sets `revoked_at`; the row is never deleted.\n *   - `mcp_device_codes`    — short-lived (10 min) device/user code pairs for\n *     the OAuth 2.0 device-authorization-style CLI flow. Single-use\n *     (`consumed_at`), rate-limited at creation.\n *\n * Mirrors `application-state/store.ts`: lazy `ensureTable()`, `getDbExec()`,\n * `isPostgres()` dialect branching for upserts, `isConnectionError()` swallow\n * so a transient Neon WS drop never 500s. `CREATE TABLE IF NOT EXISTS` only —\n * strictly additive, never DROP / ALTER (shared prod DB rule).\n */\n\nimport {\n  getDbExec,\n  isConnectionError,\n  isPostgres,\n  intType,\n} from \"../db/client.js\";\nimport { randomBytes, randomUUID } from \"node:crypto\";\n\nlet _initPromise: Promise<void> | undefined;\n\n/**\n * Scope claim that marks a connect-minted token (vs. an ordinary A2A\n * delegation JWT). Only tokens carrying this scope go through the revoke\n * lookup in `verifyAuth` — defined here so both `connect-route.ts` and\n * `build-server.ts` import it from the leaf store without a cycle.\n */\nexport const MCP_CONNECT_SCOPE = \"mcp-connect\";\n\n/** Device codes are valid for 10 minutes. */\nexport const DEVICE_CODE_TTL_MS = 10 * 60_000;\n\n/** Default minted-token lifetime. Configurable per-request 1–365 days. */\nexport const DEFAULT_TOKEN_TTL_DAYS = 90;\nexport const MIN_TOKEN_TTL_DAYS = 1;\nexport const MAX_TOKEN_TTL_DAYS = 365;\n\n/**\n * Rate limit for `device/start`: at most this many device codes may be created\n * within `DEVICE_START_WINDOW_MS`. Unauthenticated endpoint — keep it tight so\n * a hostile client can't flood the table or brute-force user codes.\n */\nexport const DEVICE_START_MAX = 20;\nexport const DEVICE_START_WINDOW_MS = 60_000;\n\nasync function ensureTable(): Promise<void> {\n  if (!_initPromise) {\n    _initPromise = (async () => {\n      const client = getDbExec();\n      // Additive only. Never DROP / ALTER — this DB is shared across every\n      // deploy context (preview/branch/prod) for hosted templates.\n      await client.execute(`\n        CREATE TABLE IF NOT EXISTS mcp_connect_tokens (\n          id TEXT PRIMARY KEY,\n          jti TEXT UNIQUE NOT NULL,\n          owner_email TEXT NOT NULL,\n          org_id TEXT,\n          label TEXT,\n          created_at ${intType()},\n          last_used_at ${intType()},\n          revoked_at ${intType()}\n        )\n      `);\n      await client.execute(`\n        CREATE TABLE IF NOT EXISTS mcp_device_codes (\n          device_code TEXT PRIMARY KEY,\n          user_code TEXT NOT NULL,\n          owner_email TEXT,\n          org_id TEXT,\n          status TEXT NOT NULL DEFAULT 'pending',\n          token_jti TEXT,\n          created_at ${intType()},\n          expires_at ${intType()},\n          consumed_at ${intType()}\n        )\n      `);\n    })().catch((err) => {\n      // Don't cache a rejected init. A transient DB blip should let the next\n      // connect/mint/revoke call retry rather than wedging the process.\n      _initPromise = undefined;\n      throw err;\n    });\n  }\n  return _initPromise;\n}\n\n// ---------------------------------------------------------------------------\n// Minted-token records\n// ---------------------------------------------------------------------------\n\nexport interface MintedTokenRow {\n  id: string;\n  jti: string;\n  ownerEmail: string;\n  orgId: string | null;\n  label: string | null;\n  createdAt: number | null;\n  lastUsedAt: number | null;\n  revokedAt: number | null;\n}\n\n/**\n * Persist a record of a minted token. The token value itself (a signed JWT)\n * is NEVER stored — only its `jti`, so revocation is a cheap SQL lookup.\n */\nexport async function recordMintedToken(params: {\n  jti: string;\n  ownerEmail: string;\n  orgId?: string | null;\n  label?: string | null;\n}): Promise<string> {\n  await ensureTable();\n  const client = getDbExec();\n  const id = randomUUID();\n  await client.execute({\n    sql: `INSERT INTO mcp_connect_tokens (id, jti, owner_email, org_id, label, created_at, last_used_at, revoked_at) VALUES (?, ?, ?, ?, ?, ?, ?, ?)`,\n    args: [\n      id,\n      params.jti,\n      params.ownerEmail,\n      params.orgId ?? null,\n      params.label ?? null,\n      Date.now(),\n      null,\n      null,\n    ],\n  });\n  return id;\n}\n\n/**\n * Returns true when the given `jti` corresponds to a token that has been\n * revoked. Fails OPEN on a store/DB error: a transient Neon WS drop must not\n * lock every connected agent out. Signature verification is unaffected — this\n * is only the post-verify revoke check (see `verifyAuth` in build-server.ts).\n */\nexport async function isJtiRevoked(jti: string): Promise<boolean> {\n  try {\n    await ensureTable();\n    const client = getDbExec();\n    const { rows } = await client.execute({\n      sql: `SELECT revoked_at FROM mcp_connect_tokens WHERE jti = ?`,\n      args: [jti],\n    });\n    if (rows.length === 0) return false;\n    const revokedAt = rows[0].revoked_at ?? rows[0].revokedAt;\n    return revokedAt != null;\n  } catch (err) {\n    // Fail open: a DB blip must not turn every minted token into a 401.\n    // (Signature checks already passed; this only gates explicit revokes.)\n    if (isConnectionError(err)) return false;\n    return false;\n  }\n}\n\nexport async function listTokens(\n  ownerEmail: string,\n): Promise<MintedTokenRow[]> {\n  try {\n    await ensureTable();\n    const client = getDbExec();\n    const { rows } = await client.execute({\n      sql: `SELECT id, jti, owner_email, org_id, label, created_at, last_used_at, revoked_at FROM mcp_connect_tokens WHERE owner_email = ? ORDER BY created_at DESC`,\n      args: [ownerEmail],\n    });\n    return rows.map((r: any) => ({\n      id: r.id as string,\n      jti: r.jti as string,\n      ownerEmail: (r.owner_email ?? r.ownerEmail) as string,\n      orgId: (r.org_id ?? r.orgId ?? null) as string | null,\n      label: (r.label ?? null) as string | null,\n      createdAt: numOrNull(r.created_at ?? r.createdAt),\n      lastUsedAt: numOrNull(r.last_used_at ?? r.lastUsedAt),\n      revokedAt: numOrNull(r.revoked_at ?? r.revokedAt),\n    }));\n  } catch (err) {\n    if (isConnectionError(err)) return [];\n    throw err;\n  }\n}\n\n/**\n * Revoke a token, but ONLY if it is owned by `ownerEmail` (the caller). The\n * `owner_email = ?` predicate is the access scope — a caller can never revoke\n * another user's token. Idempotent: re-revoking keeps the first timestamp.\n * Returns true when a row was actually transitioned to revoked.\n */\nexport async function revokeToken(\n  ownerEmail: string,\n  id: string,\n): Promise<boolean> {\n  await ensureTable();\n  const client = getDbExec();\n  const result = await client.execute({\n    sql: `UPDATE mcp_connect_tokens SET revoked_at = ? WHERE id = ? AND owner_email = ? AND revoked_at IS NULL`,\n    args: [Date.now(), id, ownerEmail],\n  });\n  return result.rowsAffected > 0;\n}\n\n/**\n * Best-effort: stamp `last_used_at` for a token. Swallows all errors — this is\n * pure telemetry and must never affect the auth path.\n */\nexport async function touchTokenUsed(jti: string): Promise<void> {\n  try {\n    await ensureTable();\n    const client = getDbExec();\n    await client.execute({\n      sql: `UPDATE mcp_connect_tokens SET last_used_at = ? WHERE jti = ?`,\n      args: [Date.now(), jti],\n    });\n  } catch {\n    // last_used_at is informational only — never throw from the hot path.\n  }\n}\n\n// ---------------------------------------------------------------------------\n// Device-code flow (OAuth 2.0 device-authorization style)\n// ---------------------------------------------------------------------------\n\nexport interface DeviceCodeRow {\n  deviceCode: string;\n  userCode: string;\n  ownerEmail: string | null;\n  orgId: string | null;\n  status: \"pending\" | \"approved\" | \"minting\" | \"consumed\" | \"expired\";\n  tokenJti: string | null;\n  createdAt: number | null;\n  expiresAt: number | null;\n  consumedAt: number | null;\n}\n\nconst USER_CODE_ALPHABET = \"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567\"; // Crockford-ish base32, no 0/1/O/I\n\n/** Crypto-random short human-typable code, formatted `XXXX-XXXX`. */\nfunction generateUserCode(): string {\n  const bytes = randomBytes(8);\n  let out = \"\";\n  for (let i = 0; i < 8; i++) {\n    out += USER_CODE_ALPHABET[bytes[i] % USER_CODE_ALPHABET.length];\n    if (i === 3) out += \"-\";\n  }\n  return out;\n}\n\nfunction generateDeviceCode(): string {\n  return randomBytes(32).toString(\"base64url\");\n}\n\n/**\n * Create a new device+user code pair. Rate-limited: at most\n * `DEVICE_START_MAX` codes within `DEVICE_START_WINDOW_MS`. The window count\n * is a coarse global cap (this endpoint is unauthenticated) — enough to stop\n * table flooding / user-code brute force without per-IP plumbing.\n *\n * Throws `RATE_LIMITED` when the cap is exceeded so the route can map it to a\n * 429.\n */\nexport async function createDeviceCode(): Promise<DeviceCodeRow> {\n  await ensureTable();\n  const client = getDbExec();\n\n  const now = Date.now();\n  try {\n    const { rows } = await client.execute({\n      sql: `SELECT COUNT(*) AS n FROM mcp_device_codes WHERE created_at > ?`,\n      args: [now - DEVICE_START_WINDOW_MS],\n    });\n    const n = Number(rows[0]?.n ?? rows[0]?.[\"COUNT(*)\"] ?? 0);\n    if (Number.isFinite(n) && n >= DEVICE_START_MAX) {\n      throw new Error(\"RATE_LIMITED\");\n    }\n  } catch (err: any) {\n    if (err?.message === \"RATE_LIMITED\") throw err;\n    // A read failure here should not block legitimate device starts — the\n    // single-use + short-TTL design is the primary protection. Continue.\n  }\n\n  const deviceCode = generateDeviceCode();\n  const userCode = generateUserCode();\n  const expiresAt = now + DEVICE_CODE_TTL_MS;\n  await client.execute({\n    sql: `INSERT INTO mcp_device_codes (device_code, user_code, owner_email, org_id, status, token_jti, created_at, expires_at, consumed_at) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)`,\n    args: [\n      deviceCode,\n      userCode,\n      null,\n      null,\n      \"pending\",\n      null,\n      now,\n      expiresAt,\n      null,\n    ],\n  });\n  return {\n    deviceCode,\n    userCode,\n    ownerEmail: null,\n    orgId: null,\n    status: \"pending\",\n    tokenJti: null,\n    createdAt: now,\n    expiresAt,\n    consumedAt: null,\n  };\n}\n\nfunction mapDeviceRow(r: any): DeviceCodeRow {\n  return {\n    deviceCode: (r.device_code ?? r.deviceCode) as string,\n    userCode: (r.user_code ?? r.userCode) as string,\n    ownerEmail: (r.owner_email ?? r.ownerEmail ?? null) as string | null,\n    orgId: (r.org_id ?? r.orgId ?? null) as string | null,\n    status: (r.status ?? \"pending\") as DeviceCodeRow[\"status\"],\n    tokenJti: (r.token_jti ?? r.tokenJti ?? null) as string | null,\n    createdAt: numOrNull(r.created_at ?? r.createdAt),\n    expiresAt: numOrNull(r.expires_at ?? r.expiresAt),\n    consumedAt: numOrNull(r.consumed_at ?? r.consumedAt),\n  };\n}\n\nexport async function getDeviceCode(\n  deviceCode: string,\n): Promise<DeviceCodeRow | null> {\n  try {\n    await ensureTable();\n    const client = getDbExec();\n    const { rows } = await client.execute({\n      sql: `SELECT * FROM mcp_device_codes WHERE device_code = ?`,\n      args: [deviceCode],\n    });\n    if (rows.length === 0) return null;\n    return mapDeviceRow(rows[0]);\n  } catch (err) {\n    if (isConnectionError(err)) return null;\n    throw err;\n  }\n}\n\nexport async function getDeviceCodeByUserCode(\n  userCode: string,\n): Promise<DeviceCodeRow | null> {\n  try {\n    await ensureTable();\n    const client = getDbExec();\n    const { rows } = await client.execute({\n      sql: `SELECT * FROM mcp_device_codes WHERE user_code = ?`,\n      args: [userCode],\n    });\n    if (rows.length === 0) return null;\n    return mapDeviceRow(rows[0]);\n  } catch (err) {\n    if (isConnectionError(err)) return null;\n    throw err;\n  }\n}\n\n/**\n * Bind the logged-in user (email + org) to a pending device code, identified\n * by its human-typable `user_code`. Only transitions a non-expired, still\n * `pending` row. Returns the bound row, or a string error code:\n *   - `not_found`  — no such user_code\n *   - `expired`    — past its TTL\n *   - `already`    — already approved/consumed (not re-bindable)\n */\nexport async function approveDeviceCode(\n  userCode: string,\n  ownerEmail: string,\n  orgId: string | null,\n): Promise<DeviceCodeRow | \"not_found\" | \"expired\" | \"already\"> {\n  await ensureTable();\n  const client = getDbExec();\n  const row = await getDeviceCodeByUserCode(userCode);\n  if (!row) return \"not_found\";\n  if ((row.expiresAt ?? 0) < Date.now()) return \"expired\";\n  if (row.status !== \"pending\") return \"already\";\n\n  const result = await client.execute({\n    sql: `UPDATE mcp_device_codes SET status = 'approved', owner_email = ?, org_id = ? WHERE user_code = ? AND status = 'pending'`,\n    args: [ownerEmail, orgId, userCode],\n  });\n  if (result.rowsAffected === 0) {\n    // Lost a race with another approve — re-read to report the real state.\n    const fresh = await getDeviceCodeByUserCode(userCode);\n    return fresh && fresh.status !== \"pending\" ? \"already\" : \"not_found\";\n  }\n  return {\n    ...row,\n    status: \"approved\",\n    ownerEmail,\n    orgId,\n  };\n}\n\n/**\n * Atomically transition an approved device code to consumed and stamp the\n * minted token's jti. Single-use: only succeeds when the row is currently\n * `approved` (not already consumed). Returns the pre-consume row on success,\n * or null when it could not be consumed (already consumed / not approved /\n * gone). The caller mints the token only after this returns a row.\n */\nexport async function consumeDeviceCode(\n  deviceCode: string,\n  tokenJti: string,\n): Promise<DeviceCodeRow | null> {\n  await ensureTable();\n  const client = getDbExec();\n  const row = await getDeviceCode(deviceCode);\n  if (!row) return null;\n  if (row.status !== \"approved\") return null;\n  const result = await client.execute({\n    sql: `UPDATE mcp_device_codes SET status = 'consumed', token_jti = ?, consumed_at = ? WHERE device_code = ? AND status = 'approved'`,\n    args: [tokenJti, Date.now(), deviceCode],\n  });\n  if (result.rowsAffected === 0) return null; // lost the single-use race\n  return row;\n}\n\n/**\n * Claim an approved device code for token minting without making it terminal.\n * If signing or token recording fails, callers release this back to approved\n * so the CLI can retry the poll instead of being stuck at \"consumed\".\n */\nexport async function claimDeviceCodeForMint(\n  deviceCode: string,\n  tokenJti: string,\n): Promise<DeviceCodeRow | null> {\n  await ensureTable();\n  const client = getDbExec();\n  const row = await getDeviceCode(deviceCode);\n  if (!row || row.status !== \"approved\") return null;\n  const result = await client.execute({\n    sql: `UPDATE mcp_device_codes SET status = 'minting', token_jti = ?, consumed_at = ? WHERE device_code = ? AND status = 'approved'`,\n    args: [tokenJti, Date.now(), deviceCode],\n  });\n  if (result.rowsAffected === 0) return null;\n  return row;\n}\n\nexport async function finishDeviceCodeMint(\n  deviceCode: string,\n  tokenJti: string,\n): Promise<boolean> {\n  await ensureTable();\n  const client = getDbExec();\n  const result = await client.execute({\n    sql: `UPDATE mcp_device_codes SET status = 'consumed' WHERE device_code = ? AND status = 'minting' AND token_jti = ?`,\n    args: [deviceCode, tokenJti],\n  });\n  return result.rowsAffected > 0;\n}\n\nexport async function releaseDeviceCodeMint(\n  deviceCode: string,\n  tokenJti: string,\n): Promise<void> {\n  try {\n    await ensureTable();\n    const client = getDbExec();\n    await client.execute({\n      sql: `UPDATE mcp_device_codes SET status = 'approved', token_jti = NULL, consumed_at = NULL WHERE device_code = ? AND status = 'minting' AND token_jti = ?`,\n      args: [deviceCode, tokenJti],\n    });\n  } catch {\n    // The next poll will keep returning pending for a minting row until a\n    // later cleanup/retry path can observe or repair it. Do not throw here.\n  }\n}\n\n/**\n * Best-effort: flip an expired, still-pending/approved row to `expired` so\n * the poll endpoint can report a clean terminal state. Swallows errors.\n */\nexport async function expireDeviceCode(deviceCode: string): Promise<void> {\n  try {\n    await ensureTable();\n    const client = getDbExec();\n    await client.execute({\n      sql: `UPDATE mcp_device_codes SET status = 'expired' WHERE device_code = ? AND status IN ('pending','approved')`,\n      args: [deviceCode],\n    });\n  } catch {\n    // The poll handler already treats past-TTL rows as expired regardless of\n    // whether this housekeeping write lands.\n  }\n}\n\nfunction numOrNull(v: unknown): number | null {\n  if (v == null) return null;\n  const n = Number(v);\n  return Number.isFinite(n) ? n : null;\n}\n"]}

package/dist/mcp/server.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../../src/mcp/server.ts"],"names":[],"mappings":"AAQA,OAAO,EACL,yBAAyB,EACzB,UAAU,EACV,eAAe,EACf,sBAAsB,EACtB,kBAAkB,EAClB,KAAK,SAAS,EACd,KAAK,iBAAiB,EACtB,KAAK,cAAc,EACpB,MAAM,mBAAmB,CAAC;AAK3B,OAAO,EACL,yBAAyB,EACzB,UAAU,EACV,eAAe,EACf,sBAAsB,EACtB,kBAAkB,GACnB,CAAC;AACF,YAAY,EAAE,SAAS,EAAE,iBAAiB,EAAE,cAAc,EAAE,CAAC;AAM7D;;;;;;;;;;GAUG;AACH,wBAAgB,QAAQ,CACtB,QAAQ,EAAE,GAAG,EACb,MAAM,EAAE,SAAS,EACjB,WAAW,SAAmB,GAC7B,IAAI,CAkGN"}
+{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../../src/mcp/server.ts"],"names":[],"mappings":"AAQA,OAAO,EACL,yBAAyB,EACzB,UAAU,EACV,eAAe,EACf,sBAAsB,EACtB,kBAAkB,EAClB,KAAK,SAAS,EACd,KAAK,iBAAiB,EACtB,KAAK,cAAc,EACpB,MAAM,mBAAmB,CAAC;AAK3B,OAAO,EACL,yBAAyB,EACzB,UAAU,EACV,eAAe,EACf,sBAAsB,EACtB,kBAAkB,GACnB,CAAC;AACF,YAAY,EAAE,SAAS,EAAE,iBAAiB,EAAE,cAAc,EAAE,CAAC;AAM7D;;;;;;;;;;GAUG;AACH,wBAAgB,QAAQ,CACtB,QAAQ,EAAE,GAAG,EACb,MAAM,EAAE,SAAS,EACjB,WAAW,SAAmB,GAC7B,IAAI,CAwHN"}

package/dist/mcp/server.js

@@ -31,10 +31,14 @@ export function mountMCP(nitroApp, config, routePrefix = "/_agent-native") {
             return;
         }
         const method = getMethod(event);
-        // Auth check — also extracts the caller's identity from the JWT so
-        // downstream tools run inside `runWithRequestContext`.
+        // Auth check — extracts the caller's identity from the JWT (`sub`),
+        // or, on the static-token / dev-open path, from the forwarded
+        // `X-Agent-Native-Owner-Email` hint the stdio proxy sends (the
+        // `agent-native mcp install` flow). Without this the install flow
+        // would run every tool unscoped (userEmail === undefined).
         const authHeader = getRequestHeader(event, "authorization");
-        const authResult = await verifyAuth(authHeader);
+        const ownerEmailHeader = getRequestHeader(event, "x-agent-native-owner-email");
+        const authResult = await verifyAuth(authHeader, ownerEmailHeader);
         if (!authResult.authed) {
             setResponseStatus(event, 401);
             return { error: "Unauthorized" };
@@ -84,7 +88,22 @@ export function mountMCP(nitroApp, config, routePrefix = "/_agent-native") {
             setResponseStatus(event, 501);
             return { error: "MCP requires Node runtime" };
         }
-        await transport.handleRequest(nodeReq, nodeRes, body);
+        try {
+            await transport.handleRequest(nodeReq, nodeRes, body);
+        }
+        catch (err) {
+            // The SDK transport writes directly to the Node response. If the
+            // socket is already closed/ended (client disconnected, or the host
+            // stream layer also flushed), Node throws ERR_STREAM_WRITE_AFTER_END
+            // *after* the MCP payload was already delivered correctly. Swallow
+            // that benign post-flush write so an external agent disconnecting
+            // mid-stream can never take down the server process; rethrow
+            // anything else.
+            if (err?.code !== "ERR_STREAM_WRITE_AFTER_END")
+                throw err;
+            if (process.env.DEBUG)
+                console.log("[mcp] ignored post-flush ERR_STREAM_WRITE_AFTER_END (client disconnected)");
+        }
         // Prevent H3 from double-writing the response
         event._handled = true;
     }));

package/dist/mcp/server.js.map

@@ -1 +1 @@
-{"version":3,"file":"server.js","sourceRoot":"","sources":["../../src/mcp/server.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,wCAAwC,CAAC;AAClE,OAAO,EACL,kBAAkB,EAClB,iBAAiB,EACjB,SAAS,EACT,gBAAgB,GACjB,MAAM,IAAI,CAAC;AACZ,OAAO,EAAE,QAAQ,EAAE,MAAM,yBAAyB,CAAC;AACnD,OAAO,EACL,yBAAyB,EACzB,UAAU,EACV,eAAe,EACf,sBAAsB,EACtB,kBAAkB,GAInB,MAAM,mBAAmB,CAAC;AAE3B,6EAA6E;AAC7E,4EAA4E;AAC5E,yDAAyD;AACzD,OAAO,EACL,yBAAyB,EACzB,UAAU,EACV,eAAe,EACf,sBAAsB,EACtB,kBAAkB,GACnB,CAAC;AAGF,8EAA8E;AAC9E,+DAA+D;AAC/D,8EAA8E;AAE9E;;;;;;;;;;GAUG;AACH,MAAM,UAAU,QAAQ,CACtB,QAAa,EACb,MAAiB,EACjB,WAAW,GAAG,gBAAgB;IAE9B,QAAQ,CAAC,QAAQ,CAAC,CAAC,GAAG,CACpB,GAAG,WAAW,MAAM,EACpB,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QACjC,MAAM,QAAQ,GAAG,KAAK,CAAC,GAAG,EAAE,QAAQ,IAAI,GAAG,CAAC;QAC5C,MAAM,OAAO,GAAG,QAAQ,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;QACjE,IAAI,OAAO,EAAE,CAAC;YACZ,kEAAkE;YAClE,qEAAqE;YACrE,WAAW;YACX,OAAO;QACT,CAAC;QAED,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;QAEhC,mEAAmE;QACnE,uDAAuD;QACvD,MAAM,UAAU,GAAG,gBAAgB,CAAC,KAAK,EAAE,eAAe,CAAC,CAAC;QAC5D,MAAM,UAAU,GAAG,MAAM,UAAU,CAAC,UAAU,CAAC,CAAC;QAChD,IAAI,CAAC,UAAU,CAAC,MAAM,EAAE,CAAC;YACvB,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC;QACnC,CAAC;QAED,0CAA0C;QAC1C,IAAI,MAAM,KAAK,QAAQ,EAAE,CAAC;YACxB,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,IAAI,MAAM,KAAK,KAAK,EAAE,CAAC;YACrB,+DAA+D;YAC/D,iEAAiE;QACnE,CAAC;QAED,IAAI,MAAM,KAAK,MAAM,IAAI,MAAM,KAAK,KAAK,EAAE,CAAC;YAC1C,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QAED,uCAAuC;QACvC,MAAM,IAAI,GAAG,MAAM,KAAK,MAAM,CAAC,CAAC,CAAC,MAAM,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QAEnE,kDAAkD;QAClD,MAAM,EAAE,6BAA6B,EAAE,GACrC,MAAM,MAAM,CAAC,oDAAoD,CAAC,CAAC;QACrE,MAAM,SAAS,GAAG,IAAI,6BAA6B,CAAC;YAClD,kBAAkB,EAAE,SAAS,EAAE,YAAY;SAC5C,CAAC,CAAC;QACH,gEAAgE;QAChE,oEAAoE;QACpE,MAAM,cAAc,GAAG,gBAAgB,CAAC,KAAK,EAAE,mBAAmB,CAAC,CAAC;QACpE,MAAM,IAAI,GAAG,gBAAgB,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QAC7C,MAAM,KAAK,GACT,cAAc,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE;YACrC,CAAC,IAAI,IAAI,gCAAgC,CAAC,IAAI,CAAC,IAAI,CAAC;gBAClD,CAAC,CAAC,MAAM;gBACR,CAAC,CAAC,OAAO,CAAC,CAAC;QACf,MAAM,MAAM,GAAG,IAAI,CAAC,CAAC,CAAC,GAAG,KAAK,MAAM,IAAI,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;QACvD,MAAM,YAAY,GAAG,gBAAgB,CACnC,KAAK,EACL,4BAA4B,CAC7B,EAAE,WAAW,EAAE,CAAC;QACjB,MAAM,MAAM,GACV,YAAY,KAAK,SAAS;YAC1B,YAAY,KAAK,UAAU;YAC3B,YAAY,KAAK,SAAS;YACxB,CAAC,CAAE,YAAyC;YAC5C,CAAC,CAAC,SAAS,CAAC;QAEhB,MAAM,MAAM,GAAG,MAAM,yBAAyB,CAC5C,MAAM,EACN,UAAU,CAAC,QAAQ,EACnB,EAAE,MAAM,EAAE,MAAM,EAAE,CACnB,CAAC;QACF,MAAM,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QAEhC,uEAAuE;QACvE,uEAAuE;QACvE,MAAM,OAAO,GACV,KAAa,CAAC,IAAI,EAAE,GAAG,IAAK,KAAa,CAAC,GAAG,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,CAAC;QACrE,MAAM,OAAO,GACV,KAAa,CAAC,IAAI,EAAE,GAAG,IAAK,KAAa,CAAC,GAAG,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,CAAC;QACrE,IAAI,CAAC,OAAO,IAAI,CAAC,OAAO,EAAE,CAAC;YACzB,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,2BAA2B,EAAE,CAAC;QAChD,CAAC;QACD,MAAM,SAAS,CAAC,aAAa,CAAC,OAAO,EAAE,OAAO,EAAE,IAAI,CAAC,CAAC;QAEtD,8CAA8C;QAC7C,KAAa,CAAC,QAAQ,GAAG,IAAI,CAAC;IACjC,CAAC,CAAC,CACH,CAAC;IAEF,IAAI,OAAO,CAAC,GAAG,CAAC,KAAK;QACnB,OAAO,CAAC,GAAG,CACT,+BAA+B,WAAW,SAAS,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,MAAM,SAAS,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,EAAE,GAAG,CACvI,CAAC;AACN,CAAC","sourcesContent":["import { getH3App } from \"../server/framework-request-handler.js\";\nimport {\n  defineEventHandler,\n  setResponseStatus,\n  getMethod,\n  getRequestHeader,\n} from \"h3\";\nimport { readBody } from \"../server/h3-helpers.js\";\nimport {\n  createMCPServerForRequest,\n  verifyAuth,\n  getAccessTokens,\n  resolveOrgIdFromDomain,\n  buildLinkArtifacts,\n  type MCPConfig,\n  type MCPCallerIdentity,\n  type MCPRequestMeta,\n} from \"./build-server.js\";\n\n// Re-export the shared MCP server builder + types so the stdio transport and\n// any (future) external importer of `@agent-native/core/mcp` keep resolving\n// against `./server.js` exactly as before this refactor.\nexport {\n  createMCPServerForRequest,\n  verifyAuth,\n  getAccessTokens,\n  resolveOrgIdFromDomain,\n  buildLinkArtifacts,\n};\nexport type { MCPConfig, MCPCallerIdentity, MCPRequestMeta };\n\n// ---------------------------------------------------------------------------\n// mountMCP — register MCP Streamable HTTP endpoint on H3/Nitro\n// ---------------------------------------------------------------------------\n\n/**\n * Mount an MCP remote server on an H3/Nitro app.\n *\n * Endpoint: `{routePrefix}/mcp` (default `/_agent-native/mcp`)\n *\n * Uses stateless Streamable HTTP transport — no in-memory sessions,\n * compatible with serverless deployments.\n *\n * Auth: Bearer token matching ACCESS_TOKEN/ACCESS_TOKENS or JWT via A2A_SECRET.\n * No auth required when neither is configured (dev mode).\n */\nexport function mountMCP(\n  nitroApp: any,\n  config: MCPConfig,\n  routePrefix = \"/_agent-native\",\n): void {\n  getH3App(nitroApp).use(\n    `${routePrefix}/mcp`,\n    defineEventHandler(async (event) => {\n      const pathname = event.url?.pathname || \"/\";\n      const subpath = pathname.replace(/^\\/+/, \"\").replace(/\\/+$/, \"\");\n      if (subpath) {\n        // Let management/status routes mounted under /_agent-native/mcp/*\n        // handle their own requests instead of treating them as MCP protocol\n        // traffic.\n        return;\n      }\n\n      const method = getMethod(event);\n\n      // Auth check — also extracts the caller's identity from the JWT so\n      // downstream tools run inside `runWithRequestContext`.\n      const authHeader = getRequestHeader(event, \"authorization\");\n      const authResult = await verifyAuth(authHeader);\n      if (!authResult.authed) {\n        setResponseStatus(event, 401);\n        return { error: \"Unauthorized\" };\n      }\n\n      // Stateless mode: only POST is meaningful\n      if (method === \"DELETE\") {\n        setResponseStatus(event, 204);\n        return \"\";\n      }\n\n      if (method === \"GET\") {\n        // SSE stream endpoint — not used in stateless mode but the SDK\n        // handles it gracefully. Let it through for protocol compliance.\n      }\n\n      if (method !== \"POST\" && method !== \"GET\") {\n        setResponseStatus(event, 405);\n        return { error: \"Method not allowed\" };\n      }\n\n      // Read body for POST (GET has no body)\n      const body = method === \"POST\" ? await readBody(event) : undefined;\n\n      // Create per-request stateless transport + server\n      const { StreamableHTTPServerTransport } =\n        await import(\"@modelcontextprotocol/sdk/server/streamableHttp.js\");\n      const transport = new StreamableHTTPServerTransport({\n        sessionIdGenerator: undefined, // stateless\n      });\n      // Derive the running app's origin so relative deep links become\n      // absolute URLs the external agent can open (same approach as A2A).\n      const forwardedProto = getRequestHeader(event, \"x-forwarded-proto\");\n      const host = getRequestHeader(event, \"host\");\n      const proto =\n        forwardedProto?.split(\",\")[0]?.trim() ||\n        (host && /^(localhost|127\\.0\\.0\\.1)(:|$)/.test(host)\n          ? \"http\"\n          : \"https\");\n      const origin = host ? `${proto}://${host}` : undefined;\n      const targetHeader = getRequestHeader(\n        event,\n        \"x-agent-native-open-target\",\n      )?.toLowerCase();\n      const target =\n        targetHeader === \"desktop\" ||\n        targetHeader === \"terminal\" ||\n        targetHeader === \"browser\"\n          ? (targetHeader as MCPRequestMeta[\"target\"])\n          : undefined;\n\n      const server = await createMCPServerForRequest(\n        config,\n        authResult.identity,\n        { origin, target },\n      );\n      await server.connect(transport);\n\n      // Delegate to the transport — it writes directly to the Node response.\n      // MCP's HTTP transport requires Node streams; this route is Node-only.\n      const nodeReq =\n        (event as any).node?.req ?? (event as any).req?.runtime?.node?.req;\n      const nodeRes =\n        (event as any).node?.res ?? (event as any).req?.runtime?.node?.res;\n      if (!nodeReq || !nodeRes) {\n        setResponseStatus(event, 501);\n        return { error: \"MCP requires Node runtime\" };\n      }\n      await transport.handleRequest(nodeReq, nodeRes, body);\n\n      // Prevent H3 from double-writing the response\n      (event as any)._handled = true;\n    }),\n  );\n\n  if (process.env.DEBUG)\n    console.log(\n      `[mcp] Mounted MCP server at ${routePrefix}/mcp (${Object.keys(config.actions).length} tools${config.askAgent ? \" + ask-agent\" : \"\"})`,\n    );\n}\n"]}
+{"version":3,"file":"server.js","sourceRoot":"","sources":["../../src/mcp/server.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,wCAAwC,CAAC;AAClE,OAAO,EACL,kBAAkB,EAClB,iBAAiB,EACjB,SAAS,EACT,gBAAgB,GACjB,MAAM,IAAI,CAAC;AACZ,OAAO,EAAE,QAAQ,EAAE,MAAM,yBAAyB,CAAC;AACnD,OAAO,EACL,yBAAyB,EACzB,UAAU,EACV,eAAe,EACf,sBAAsB,EACtB,kBAAkB,GAInB,MAAM,mBAAmB,CAAC;AAE3B,6EAA6E;AAC7E,4EAA4E;AAC5E,yDAAyD;AACzD,OAAO,EACL,yBAAyB,EACzB,UAAU,EACV,eAAe,EACf,sBAAsB,EACtB,kBAAkB,GACnB,CAAC;AAGF,8EAA8E;AAC9E,+DAA+D;AAC/D,8EAA8E;AAE9E;;;;;;;;;;GAUG;AACH,MAAM,UAAU,QAAQ,CACtB,QAAa,EACb,MAAiB,EACjB,WAAW,GAAG,gBAAgB;IAE9B,QAAQ,CAAC,QAAQ,CAAC,CAAC,GAAG,CACpB,GAAG,WAAW,MAAM,EACpB,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QACjC,MAAM,QAAQ,GAAG,KAAK,CAAC,GAAG,EAAE,QAAQ,IAAI,GAAG,CAAC;QAC5C,MAAM,OAAO,GAAG,QAAQ,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;QACjE,IAAI,OAAO,EAAE,CAAC;YACZ,kEAAkE;YAClE,qEAAqE;YACrE,WAAW;YACX,OAAO;QACT,CAAC;QAED,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;QAEhC,oEAAoE;QACpE,8DAA8D;QAC9D,+DAA+D;QAC/D,kEAAkE;QAClE,2DAA2D;QAC3D,MAAM,UAAU,GAAG,gBAAgB,CAAC,KAAK,EAAE,eAAe,CAAC,CAAC;QAC5D,MAAM,gBAAgB,GAAG,gBAAgB,CACvC,KAAK,EACL,4BAA4B,CAC7B,CAAC;QACF,MAAM,UAAU,GAAG,MAAM,UAAU,CAAC,UAAU,EAAE,gBAAgB,CAAC,CAAC;QAClE,IAAI,CAAC,UAAU,CAAC,MAAM,EAAE,CAAC;YACvB,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC;QACnC,CAAC;QAED,0CAA0C;QAC1C,IAAI,MAAM,KAAK,QAAQ,EAAE,CAAC;YACxB,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,IAAI,MAAM,KAAK,KAAK,EAAE,CAAC;YACrB,+DAA+D;YAC/D,iEAAiE;QACnE,CAAC;QAED,IAAI,MAAM,KAAK,MAAM,IAAI,MAAM,KAAK,KAAK,EAAE,CAAC;YAC1C,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QAED,uCAAuC;QACvC,MAAM,IAAI,GAAG,MAAM,KAAK,MAAM,CAAC,CAAC,CAAC,MAAM,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QAEnE,kDAAkD;QAClD,MAAM,EAAE,6BAA6B,EAAE,GACrC,MAAM,MAAM,CAAC,oDAAoD,CAAC,CAAC;QACrE,MAAM,SAAS,GAAG,IAAI,6BAA6B,CAAC;YAClD,kBAAkB,EAAE,SAAS,EAAE,YAAY;SAC5C,CAAC,CAAC;QACH,gEAAgE;QAChE,oEAAoE;QACpE,MAAM,cAAc,GAAG,gBAAgB,CAAC,KAAK,EAAE,mBAAmB,CAAC,CAAC;QACpE,MAAM,IAAI,GAAG,gBAAgB,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QAC7C,MAAM,KAAK,GACT,cAAc,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE;YACrC,CAAC,IAAI,IAAI,gCAAgC,CAAC,IAAI,CAAC,IAAI,CAAC;gBAClD,CAAC,CAAC,MAAM;gBACR,CAAC,CAAC,OAAO,CAAC,CAAC;QACf,MAAM,MAAM,GAAG,IAAI,CAAC,CAAC,CAAC,GAAG,KAAK,MAAM,IAAI,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;QACvD,MAAM,YAAY,GAAG,gBAAgB,CACnC,KAAK,EACL,4BAA4B,CAC7B,EAAE,WAAW,EAAE,CAAC;QACjB,MAAM,MAAM,GACV,YAAY,KAAK,SAAS;YAC1B,YAAY,KAAK,UAAU;YAC3B,YAAY,KAAK,SAAS;YACxB,CAAC,CAAE,YAAyC;YAC5C,CAAC,CAAC,SAAS,CAAC;QAEhB,MAAM,MAAM,GAAG,MAAM,yBAAyB,CAC5C,MAAM,EACN,UAAU,CAAC,QAAQ,EACnB,EAAE,MAAM,EAAE,MAAM,EAAE,CACnB,CAAC;QACF,MAAM,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QAEhC,uEAAuE;QACvE,uEAAuE;QACvE,MAAM,OAAO,GACV,KAAa,CAAC,IAAI,EAAE,GAAG,IAAK,KAAa,CAAC,GAAG,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,CAAC;QACrE,MAAM,OAAO,GACV,KAAa,CAAC,IAAI,EAAE,GAAG,IAAK,KAAa,CAAC,GAAG,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,CAAC;QACrE,IAAI,CAAC,OAAO,IAAI,CAAC,OAAO,EAAE,CAAC;YACzB,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,2BAA2B,EAAE,CAAC;QAChD,CAAC;QACD,IAAI,CAAC;YACH,MAAM,SAAS,CAAC,aAAa,CAAC,OAAO,EAAE,OAAO,EAAE,IAAI,CAAC,CAAC;QACxD,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,iEAAiE;YACjE,mEAAmE;YACnE,qEAAqE;YACrE,mEAAmE;YACnE,kEAAkE;YAClE,6DAA6D;YAC7D,iBAAiB;YACjB,IAAI,GAAG,EAAE,IAAI,KAAK,4BAA4B;gBAAE,MAAM,GAAG,CAAC;YAC1D,IAAI,OAAO,CAAC,GAAG,CAAC,KAAK;gBACnB,OAAO,CAAC,GAAG,CACT,2EAA2E,CAC5E,CAAC;QACN,CAAC;QAED,8CAA8C;QAC7C,KAAa,CAAC,QAAQ,GAAG,IAAI,CAAC;IACjC,CAAC,CAAC,CACH,CAAC;IAEF,IAAI,OAAO,CAAC,GAAG,CAAC,KAAK;QACnB,OAAO,CAAC,GAAG,CACT,+BAA+B,WAAW,SAAS,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,MAAM,SAAS,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,EAAE,GAAG,CACvI,CAAC;AACN,CAAC","sourcesContent":["import { getH3App } from \"../server/framework-request-handler.js\";\nimport {\n  defineEventHandler,\n  setResponseStatus,\n  getMethod,\n  getRequestHeader,\n} from \"h3\";\nimport { readBody } from \"../server/h3-helpers.js\";\nimport {\n  createMCPServerForRequest,\n  verifyAuth,\n  getAccessTokens,\n  resolveOrgIdFromDomain,\n  buildLinkArtifacts,\n  type MCPConfig,\n  type MCPCallerIdentity,\n  type MCPRequestMeta,\n} from \"./build-server.js\";\n\n// Re-export the shared MCP server builder + types so the stdio transport and\n// any (future) external importer of `@agent-native/core/mcp` keep resolving\n// against `./server.js` exactly as before this refactor.\nexport {\n  createMCPServerForRequest,\n  verifyAuth,\n  getAccessTokens,\n  resolveOrgIdFromDomain,\n  buildLinkArtifacts,\n};\nexport type { MCPConfig, MCPCallerIdentity, MCPRequestMeta };\n\n// ---------------------------------------------------------------------------\n// mountMCP — register MCP Streamable HTTP endpoint on H3/Nitro\n// ---------------------------------------------------------------------------\n\n/**\n * Mount an MCP remote server on an H3/Nitro app.\n *\n * Endpoint: `{routePrefix}/mcp` (default `/_agent-native/mcp`)\n *\n * Uses stateless Streamable HTTP transport — no in-memory sessions,\n * compatible with serverless deployments.\n *\n * Auth: Bearer token matching ACCESS_TOKEN/ACCESS_TOKENS or JWT via A2A_SECRET.\n * No auth required when neither is configured (dev mode).\n */\nexport function mountMCP(\n  nitroApp: any,\n  config: MCPConfig,\n  routePrefix = \"/_agent-native\",\n): void {\n  getH3App(nitroApp).use(\n    `${routePrefix}/mcp`,\n    defineEventHandler(async (event) => {\n      const pathname = event.url?.pathname || \"/\";\n      const subpath = pathname.replace(/^\\/+/, \"\").replace(/\\/+$/, \"\");\n      if (subpath) {\n        // Let management/status routes mounted under /_agent-native/mcp/*\n        // handle their own requests instead of treating them as MCP protocol\n        // traffic.\n        return;\n      }\n\n      const method = getMethod(event);\n\n      // Auth check — extracts the caller's identity from the JWT (`sub`),\n      // or, on the static-token / dev-open path, from the forwarded\n      // `X-Agent-Native-Owner-Email` hint the stdio proxy sends (the\n      // `agent-native mcp install` flow). Without this the install flow\n      // would run every tool unscoped (userEmail === undefined).\n      const authHeader = getRequestHeader(event, \"authorization\");\n      const ownerEmailHeader = getRequestHeader(\n        event,\n        \"x-agent-native-owner-email\",\n      );\n      const authResult = await verifyAuth(authHeader, ownerEmailHeader);\n      if (!authResult.authed) {\n        setResponseStatus(event, 401);\n        return { error: \"Unauthorized\" };\n      }\n\n      // Stateless mode: only POST is meaningful\n      if (method === \"DELETE\") {\n        setResponseStatus(event, 204);\n        return \"\";\n      }\n\n      if (method === \"GET\") {\n        // SSE stream endpoint — not used in stateless mode but the SDK\n        // handles it gracefully. Let it through for protocol compliance.\n      }\n\n      if (method !== \"POST\" && method !== \"GET\") {\n        setResponseStatus(event, 405);\n        return { error: \"Method not allowed\" };\n      }\n\n      // Read body for POST (GET has no body)\n      const body = method === \"POST\" ? await readBody(event) : undefined;\n\n      // Create per-request stateless transport + server\n      const { StreamableHTTPServerTransport } =\n        await import(\"@modelcontextprotocol/sdk/server/streamableHttp.js\");\n      const transport = new StreamableHTTPServerTransport({\n        sessionIdGenerator: undefined, // stateless\n      });\n      // Derive the running app's origin so relative deep links become\n      // absolute URLs the external agent can open (same approach as A2A).\n      const forwardedProto = getRequestHeader(event, \"x-forwarded-proto\");\n      const host = getRequestHeader(event, \"host\");\n      const proto =\n        forwardedProto?.split(\",\")[0]?.trim() ||\n        (host && /^(localhost|127\\.0\\.0\\.1)(:|$)/.test(host)\n          ? \"http\"\n          : \"https\");\n      const origin = host ? `${proto}://${host}` : undefined;\n      const targetHeader = getRequestHeader(\n        event,\n        \"x-agent-native-open-target\",\n      )?.toLowerCase();\n      const target =\n        targetHeader === \"desktop\" ||\n        targetHeader === \"terminal\" ||\n        targetHeader === \"browser\"\n          ? (targetHeader as MCPRequestMeta[\"target\"])\n          : undefined;\n\n      const server = await createMCPServerForRequest(\n        config,\n        authResult.identity,\n        { origin, target },\n      );\n      await server.connect(transport);\n\n      // Delegate to the transport — it writes directly to the Node response.\n      // MCP's HTTP transport requires Node streams; this route is Node-only.\n      const nodeReq =\n        (event as any).node?.req ?? (event as any).req?.runtime?.node?.req;\n      const nodeRes =\n        (event as any).node?.res ?? (event as any).req?.runtime?.node?.res;\n      if (!nodeReq || !nodeRes) {\n        setResponseStatus(event, 501);\n        return { error: \"MCP requires Node runtime\" };\n      }\n      try {\n        await transport.handleRequest(nodeReq, nodeRes, body);\n      } catch (err: any) {\n        // The SDK transport writes directly to the Node response. If the\n        // socket is already closed/ended (client disconnected, or the host\n        // stream layer also flushed), Node throws ERR_STREAM_WRITE_AFTER_END\n        // *after* the MCP payload was already delivered correctly. Swallow\n        // that benign post-flush write so an external agent disconnecting\n        // mid-stream can never take down the server process; rethrow\n        // anything else.\n        if (err?.code !== \"ERR_STREAM_WRITE_AFTER_END\") throw err;\n        if (process.env.DEBUG)\n          console.log(\n            \"[mcp] ignored post-flush ERR_STREAM_WRITE_AFTER_END (client disconnected)\",\n          );\n      }\n\n      // Prevent H3 from double-writing the response\n      (event as any)._handled = true;\n    }),\n  );\n\n  if (process.env.DEBUG)\n    console.log(\n      `[mcp] Mounted MCP server at ${routePrefix}/mcp (${Object.keys(config.actions).length} tools${config.askAgent ? \" + ask-agent\" : \"\"})`,\n    );\n}\n"]}

package/dist/mcp/stdio.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"stdio.d.ts","sourceRoot":"","sources":["../../src/mcp/stdio.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAIH,MAAM,WAAW,kBAAkB;IACjC,yEAAyE;IACzE,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,0EAA0E;IAC1E,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,qEAAqE;IACrE,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,qDAAqD;IACrD,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,qCAAqC;IACrC,GAAG,CAAC,EAAE,MAAM,CAAC,UAAU,CAAC;IACxB,sEAAsE;IACtE,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAoMD;;;GAGG;AACH,wBAAsB,WAAW,CAC/B,IAAI,GAAE,kBAAuB,GAC5B,OAAO,CAAC,IAAI,CAAC,CAef"}
+{"version":3,"file":"stdio.d.ts","sourceRoot":"","sources":["../../src/mcp/stdio.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAIH,MAAM,WAAW,kBAAkB;IACjC,yEAAyE;IACzE,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,0EAA0E;IAC1E,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,qEAAqE;IACrE,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,qDAAqD;IACrD,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,qCAAqC;IACrC,GAAG,CAAC,EAAE,MAAM,CAAC,UAAU,CAAC;IACxB,sEAAsE;IACtE,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAqMD;;;GAGG;AACH,wBAAsB,WAAW,CAC/B,IAAI,GAAE,kBAAuB,GAC5B,OAAO,CAAC,IAAI,CAAC,CAef"}

package/dist/mcp/stdio.js

@@ -166,6 +166,7 @@ async function runStandalone(opts) {
     log(`Standalone: discovered ${Object.keys(actions).length} action(s) in ${cwd}`);
     const server = await createMCPServerForRequest({
         name: appId.charAt(0).toUpperCase() + appId.slice(1),
+        appId,
         description: `Agent-native ${appId} app (standalone MCP)`,
         actions,
         // No askAgent in standalone — there is no running engine/runtime here.