@agent-native/core 0.18.1 → 0.19.1

package/dist/mcp/connect-route.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"connect-route.js","sourceRoot":"","sources":["../../src/mcp/connect-route.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AAGH,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,IAAI,CAAC;AAC1C,OAAO,EAAE,QAAQ,EAAE,MAAM,yBAAyB,CAAC;AACnD,OAAO,EAAE,UAAU,EAAE,sBAAsB,EAAE,MAAM,mBAAmB,CAAC;AACvE,OAAO,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAC;AAChD,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AACjD,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EACL,iBAAiB,EACjB,UAAU,EACV,WAAW,EACX,gBAAgB,EAChB,aAAa,EACb,iBAAiB,EACjB,sBAAsB,EACtB,oBAAoB,EACpB,qBAAqB,EACrB,gBAAgB,EAChB,iBAAiB,EACjB,sBAAsB,EACtB,kBAAkB,EAClB,kBAAkB,EAClB,kBAAkB,GACnB,MAAM,oBAAoB,CAAC;AAE5B,gDAAgD;AAChD,MAAM,sBAAsB,GAAG,CAAC,CAAC;AAEjC,6DAA6D;AAC7D,MAAM,YAAY,GAAG,2BAA2B,CAAC;AASjD,SAAS,IAAI,CAAC,IAAa,EAAE,MAAM,GAAG,GAAG;IACvC,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE;QACxC,MAAM;QACN,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;KAChD,CAAC,CAAC;AACL,CAAC;AAED,SAAS,IAAI,CAAC,IAAY,EAAE,MAAM,GAAG,GAAG;IACtC,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE;QACxB,MAAM;QACN,OAAO,EAAE,EAAE,cAAc,EAAE,0BAA0B,EAAE;KACxD,CAAC,CAAC;AACL,CAAC;AAED;8EAC8E;AAC9E,SAAS,YAAY,CAAC,KAAc;IAClC,MAAM,cAAc,GAAG,SAAS,CAAC,KAAK,EAAE,mBAAmB,CAAC,CAAC;IAC7D,MAAM,IAAI,GAAG,SAAS,CAAC,KAAK,EAAE,kBAAkB,CAAC,IAAI,SAAS,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;IAC9E,MAAM,KAAK,GACT,cAAc,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE;QACrC,CAAC,IAAI,IAAI,gCAAgC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;IAC3E,OAAO,IAAI,CAAC,CAAC,CAAC,GAAG,KAAK,MAAM,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;AAC1C,CAAC;AAED,SAAS,iBAAiB,CAAC,GAAuB;IAChD,MAAM,OAAO,GAAG,CAAC,GAAG,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;IACnC,IAAI,CAAC,OAAO,IAAI,OAAO,KAAK,GAAG;QAAE,OAAO,EAAE,CAAC;IAC3C,MAAM,SAAS,GAAG,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,OAAO,EAAE,CAAC;IACpE,OAAO,SAAS,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;AACvC,CAAC;AAED,SAAS,kBAAkB;IACzB,OAAO,iBAAiB,CACtB,OAAO,CAAC,GAAG,CAAC,aAAa,IAAI,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAC5D,CAAC;AACJ,CAAC;AAED,SAAS,WAAW,CAAC,QAAgB,EAAE,IAAY;IACjD,IAAI,CAAC,QAAQ;QAAE,OAAO,IAAI,CAAC;IAC3B,IAAI,IAAI,KAAK,GAAG;QAAE,OAAO,QAAQ,CAAC;IAClC,OAAO,GAAG,QAAQ,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,IAAI,EAAE,EAAE,CAAC;AAClE,CAAC;AAED,SAAS,QAAQ,CAAC,MAAc,EAAE,OAA+B;IAC/D,IAAI,OAAO,CAAC,KAAK;QAAE,OAAO,OAAO,CAAC,KAAK,CAAC;IACxC,IAAI,CAAC;QACH,MAAM,CAAC,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC;QACnC,OAAO,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;IAC9B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,OAAO,CAAC,OAAO,IAAI,KAAK,CAAC;IAClC,CAAC;AACH,CAAC;AAED,SAAS,UAAU,CAAC,MAAc,EAAE,OAA+B;IACjE,OAAO,gBAAgB,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,CAAC;AACrD,CAAC;AAED,SAAS,UAAU,CAAC,CAAS;IAC3B,OAAO,CAAC;SACL,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC;SACtB,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC;SACrB,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC;SACrB,OAAO,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;AAC7B,CAAC;AAED;;;;GAIG;AACH,KAAK,UAAU,gBAAgB,CAC7B,KAAyB;IAEzB,IAAI,CAAC,KAAK;QAAE,OAAO,SAAS,CAAC;IAC7B,IAAI,CAAC;QACH,OAAO,CAAC,MAAM,YAAY,CAAC,KAAK,CAAC,CAAC,IAAI,SAAS,CAAC;IAClD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED,SAAS,YAAY,CAAC,KAAc;IAClC,MAAM,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC;IACxB,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC;QAAE,OAAO,sBAAsB,CAAC;IACvD,OAAO,IAAI,CAAC,GAAG,CACb,kBAAkB,EAClB,IAAI,CAAC,GAAG,CAAC,kBAAkB,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAC5C,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,KAAK,UAAU,gBAAgB,CAAC,MAK/B;IACC,MAAM,SAAS,GAAG,MAAM,gBAAgB,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACvD,MAAM,GAAG,GAAG,UAAU,EAAE,CAAC;IACzB,0EAA0E;IAC1E,2EAA2E;IAC3E,yEAAyE;IACzE,MAAM,KAAK,GAAG,MAAM,YAAY,CAAC,MAAM,CAAC,KAAK,EAAE,SAAS,EAAE,SAAS,EAAE;QACnE,kBAAkB,EAAE,IAAI;QACxB,SAAS,EAAE,GAAG,MAAM,CAAC,OAAO,GAAG;QAC/B,WAAW,EAAE,EAAE,GAAG,EAAE,KAAK,EAAE,iBAAiB,EAAE;KAC/C,CAAC,CAAC;IACH,MAAM,iBAAiB,CAAC;QACtB,GAAG;QACH,UAAU,EAAE,MAAM,CAAC,KAAK;QACxB,KAAK,EAAE,MAAM,CAAC,KAAK,IAAI,IAAI;QAC3B,KAAK,EAAE,MAAM,CAAC,KAAK;KACpB,CAAC,CAAC;IACH,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC;AACxB,CAAC;AAED,SAAS,gBAAgB,CACvB,MAAc,EACd,KAAa,EACb,OAA+B;IAE/B,MAAM,MAAM,GAAG,GAAG,MAAM,oBAAoB,CAAC;IAC7C,MAAM,IAAI,GAAG,UAAU,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACzC,OAAO;QACL,KAAK;QACL,MAAM;QACN,UAAU,EAAE,IAAI;QAChB,cAAc,EAAE;YACd,IAAI,EAAE,MAAe;YACrB,GAAG,EAAE,MAAM;YACX,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,KAAK,EAAE,EAAE;SAC9C;QACD,GAAG,EAAE,wBAAwB,MAAM,EAAE;KACtC,CAAC;AACJ,CAAC;AAED,8EAA8E;AAC9E,6CAA6C;AAC7C,8EAA8E;AAE9E,SAAS,iBAAiB,CAAC,MAM1B;IACC,MAAM,EAAE,MAAM,EAAE,eAAe,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,GAAG,MAAM,CAAC;IACrE,MAAM,UAAU,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC;IACtC,MAAM,SAAS,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC;IACpC,MAAM,OAAO,GAAG,UAAU,CAAC,OAAO,CAAC,CAAC;IACpC,MAAM,YAAY,GAChB,QAAQ,IAAI,YAAY,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IACtE,OAAO;;;;;iBAKQ,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;2EAyJmD,OAAO;;;;;;;;;;;;;;;;;;;;;kBAqBhE,OAAO;0GACiF,OAAO;6CACpE,SAAS,sBAAsB,UAAU;;8CAExC,YAAY,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ;;4CAE9B,YAAY;;;;;;gDAMR,YAAY,CAAC,CAAC,CAAC,kBAAkB,CAAC,CAAC,CAAC,yBAAyB;;;;;;;;;;;;;;;mEAe1C,sBAAsB;;;;;;;;;;;;;;;;;;;;eAoB1E,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC,eAAe,EAAE,4BAA4B,CAAC,CAAC;oBACrE,IAAI,CAAC,SAAS,CAAC,YAAY,IAAI,IAAI,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;QA4GhD,CAAC;AACT,CAAC;AAED,8EAA8E;AAC9E,2EAA2E;AAC3E,8EAA8E;AAE9E;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,KAAc,EACd,OAAe,EACf,UAAkC,EAAE;IAEpC,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;IAChC,MAAM,MAAM,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC;IACnC,MAAM,QAAQ,GAAG,kBAAkB,EAAE,CAAC;IACtC,MAAM,MAAM,GAAG,GAAG,MAAM,GAAG,QAAQ,EAAE,CAAC;IACtC,MAAM,GAAG,GAAG,CAAC,GAAG,GAAG,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CACzE,MAAM,EACN,EAAE,CACH,CAAC;IAEF,yEAAyE;IACzE,IAAI,GAAG,KAAK,EAAE,EAAE,CAAC;QACf,IAAI,MAAM,KAAK,KAAK,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;YAC1C,OAAO,IAAI,CAAC,EAAE,KAAK,EAAE,oBAAoB,EAAE,EAAE,GAAG,CAAC,CAAC;QACpD,CAAC;QACD,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,CAAC;QACxC,IAAI,CAAC,OAAO,EAAE,KAAK,EAAE,CAAC;YACpB,oEAAoE;YACpE,iEAAiE;YACjE,MAAM,SAAS,GAAG,sBAAsB,CAAC,KAAK,CAAC,CAAC;YAChD,IAAI,SAAS;gBAAE,OAAO,IAAI,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;YAC3C,8DAA8D;YAC9D,OAAO,IAAI,CACT,iBAAiB,CAAC;gBAChB,MAAM,EAAE,MAAM;gBACd,eAAe,EAAE,QAAQ;gBACzB,KAAK,EAAE,sBAAsB;gBAC7B,OAAO,EAAE,OAAO,CAAC,OAAO,IAAI,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAC;gBACrD,QAAQ,EAAE,IAAI;aACf,CAAC,CACH,CAAC;QACJ,CAAC;QACD,IAAI,QAAQ,GAAkB,IAAI,CAAC;QACnC,IAAI,CAAC;YACH,MAAM,CAAC,GAAG,IAAI,GAAG,CACf,KAAK,CAAC,IAAI,EAAE,GAAG,EAAE,GAAG,IAAI,KAAK,CAAC,IAAI,IAAI,GAAG,EACzC,mBAAmB,CACpB,CAAC;YACF,MAAM,GAAG,GAAG,CAAC,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;YAC5C,IAAI,GAAG,IAAI,YAAY,CAAC,IAAI,CAAC,GAAG,CAAC;gBAAE,QAAQ,GAAG,GAAG,CAAC;QACpD,CAAC;QAAC,MAAM,CAAC;YACP,QAAQ,GAAG,IAAI,CAAC;QAClB,CAAC;QACD,OAAO,IAAI,CACT,iBAAiB,CAAC;YAChB,MAAM,EAAE,MAAM;YACd,eAAe,EAAE,QAAQ;YACzB,KAAK,EAAE,OAAO,CAAC,KAAK;YACpB,OAAO,EAAE,OAAO,CAAC,OAAO,IAAI,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAC;YACrD,QAAQ;SACT,CAAC,CACH,CAAC;IACJ,CAAC;IAED,yEAAyE;IACzE,IAAI,GAAG,KAAK,QAAQ,EAAE,CAAC;QACrB,IAAI,MAAM,KAAK,MAAM;YAAE,OAAO,IAAI,CAAC,EAAE,KAAK,EAAE,oBAAoB,EAAE,EAAE,GAAG,CAAC,CAAC;QACzE,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,CAAC;QACxC,IAAI,CAAC,OAAO,EAAE,KAAK;YAAE,OAAO,IAAI,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,EAAE,GAAG,CAAC,CAAC;QACjE,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,EAAE,CAAC;YAC5B,OAAO,IAAI,CACT;gBACE,KAAK,EACH,mFAAmF;aACtF,EACD,GAAG,CACJ,CAAC;QACJ,CAAC;QACD,MAAM,IAAI,GAAG,CAAC,CAAC,MAAM,QAAQ,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAG5D,CAAC;QACF,MAAM,KAAK,GACT,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,IAAI,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE;YACjD,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;YACjC,CAAC,CAAC,IAAI,CAAC;QACX,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAC3C,IAAI,CAAC;YACH,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,gBAAgB,CAAC;gBACvC,KAAK,EAAE,OAAO,CAAC,KAAK;gBACpB,KAAK,EAAE,OAAO,CAAC,KAAK;gBACpB,KAAK;gBACL,OAAO;aACR,CAAC,CAAC;YACH,OAAO,IAAI,CAAC,gBAAgB,CAAC,MAAM,EAAE,KAAK,EAAE,OAAO,CAAC,CAAC,CAAC;QACxD,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC,EAAE,KAAK,EAAE,uBAAuB,EAAE,EAAE,GAAG,CAAC,CAAC;QACvD,CAAC;IACH,CAAC;IAED,yEAAyE;IACzE,IAAI,GAAG,KAAK,eAAe,EAAE,CAAC;QAC5B,IAAI,MAAM,KAAK,MAAM;YAAE,OAAO,IAAI,CAAC,EAAE,KAAK,EAAE,oBAAoB,EAAE,EAAE,GAAG,CAAC,CAAC;QACzE,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,gBAAgB,EAAE,CAAC;YACrC,MAAM,eAAe,GAAG,GAAG,MAAM,4BAA4B,CAAC;YAC9D,OAAO,IAAI,CAAC;gBACV,WAAW,EAAE,GAAG,CAAC,UAAU;gBAC3B,SAAS,EAAE,GAAG,CAAC,QAAQ;gBACvB,gBAAgB,EAAE,eAAe;gBACjC,yBAAyB,EAAE,GAAG,eAAe,cAAc,GAAG,CAAC,QAAQ,EAAE;gBACzE,QAAQ,EAAE,sBAAsB;gBAChC,UAAU,EAAE,IAAI,CAAC,KAAK,CAAC,kBAAkB,GAAG,IAAI,CAAC;aAClD,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,IAAI,GAAG,EAAE,OAAO,KAAK,cAAc,EAAE,CAAC;gBACpC,OAAO,IAAI,CAAC,EAAE,KAAK,EAAE,kCAAkC,EAAE,EAAE,GAAG,CAAC,CAAC;YAClE,CAAC;YACD,OAAO,IAAI,CAAC,EAAE,KAAK,EAAE,8BAA8B,EAAE,EAAE,GAAG,CAAC,CAAC;QAC9D,CAAC;IACH,CAAC;IAED,yEAAyE;IACzE,IAAI,GAAG,KAAK,mBAAmB,EAAE,CAAC;QAChC,IAAI,MAAM,KAAK,MAAM;YAAE,OAAO,IAAI,CAAC,EAAE,KAAK,EAAE,oBAAoB,EAAE,EAAE,GAAG,CAAC,CAAC;QACzE,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,CAAC;QACxC,IAAI,CAAC,OAAO,EAAE,KAAK;YAAE,OAAO,IAAI,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,EAAE,GAAG,CAAC,CAAC;QACjE,MAAM,IAAI,GAAG,CAAC,CAAC,MAAM,QAAQ,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAE5D,CAAC;QACF,MAAM,QAAQ,GACZ,OAAO,IAAI,CAAC,SAAS,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAClE,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;YACjC,OAAO,IAAI,CAAC,EAAE,KAAK,EAAE,oBAAoB,EAAE,EAAE,GAAG,CAAC,CAAC;QACpD,CAAC;QACD,MAAM,KAAK,GACT,OAAO,OAAO,CAAC,KAAK,KAAK,QAAQ,IAAI,OAAO,CAAC,KAAK,CAAC,IAAI,EAAE;YACvD,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,EAAE;YACtB,CAAC,CAAC,IAAI,CAAC;QACX,MAAM,MAAM,GAAG,MAAM,iBAAiB,CAAC,QAAQ,EAAE,OAAO,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;QACvE,IAAI,MAAM,KAAK,WAAW,EAAE,CAAC;YAC3B,OAAO,IAAI,CAAC,EAAE,KAAK,EAAE,sBAAsB,EAAE,EAAE,GAAG,CAAC,CAAC;QACtD,CAAC;QACD,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;YACzB,OAAO,IAAI,CAAC,EAAE,KAAK,EAAE,+BAA+B,EAAE,EAAE,GAAG,CAAC,CAAC;QAC/D,CAAC;QACD,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;YACzB,OAAO,IAAI,CAAC,EAAE,KAAK,EAAE,oCAAoC,EAAE,EAAE,GAAG,CAAC,CAAC;QACpE,CAAC;QACD,OAAO,IAAI,CAAC,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC,CAAC;IACtC,CAAC;IAED,yEAAyE;IACzE,IAAI,GAAG,KAAK,cAAc,EAAE,CAAC;QAC3B,IAAI,MAAM,KAAK,MAAM;YAAE,OAAO,IAAI,CAAC,EAAE,KAAK,EAAE,oBAAoB,EAAE,EAAE,GAAG,CAAC,CAAC;QACzE,MAAM,IAAI,GAAG,CAAC,CAAC,MAAM,QAAQ,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAE5D,CAAC;QACF,MAAM,UAAU,GACd,OAAO,IAAI,CAAC,WAAW,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,EAAE,CAAC;QAC/D,IAAI,CAAC,UAAU;YAAE,OAAO,IAAI,CAAC,EAAE,KAAK,EAAE,sBAAsB,EAAE,EAAE,GAAG,CAAC,CAAC;QACrE,MAAM,GAAG,GAAG,MAAM,aAAa,CAAC,UAAU,CAAC,CAAC;QAC5C,IAAI,CAAC,GAAG;YAAE,OAAO,IAAI,CAAC,EAAE,MAAM,EAAE,WAAW,EAAE,EAAE,GAAG,CAAC,CAAC;QACpD,IAAI,GAAG,CAAC,MAAM,KAAK,UAAU;YAAE,OAAO,IAAI,CAAC,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC,CAAC;QACnE,IACE,GAAG,CAAC,MAAM,KAAK,SAAS;YACxB,CAAC,GAAG,CAAC,SAAS,IAAI,IAAI,IAAI,GAAG,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,EACrD,CAAC;YACD,IAAI,GAAG,CAAC,MAAM,KAAK,SAAS;gBAAE,KAAK,gBAAgB,CAAC,UAAU,CAAC,CAAC;YAChE,OAAO,IAAI,CAAC,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC,CAAC;QACrC,CAAC;QACD,IACE,GAAG,CAAC,MAAM,KAAK,SAAS;YACxB,GAAG,CAAC,MAAM,KAAK,SAAS;YACxB,CAAC,GAAG,CAAC,UAAU,EACf,CAAC;YACD,OAAO,IAAI,CAAC,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC,CAAC;QACrC,CAAC;QACD,iEAAiE;QACjE,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,EAAE,CAAC;YAC5B,OAAO,IAAI,CAAC,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,2BAA2B,EAAE,EAAE,GAAG,CAAC,CAAC;QAC5E,CAAC;QACD,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,UAAU,EAAE,CAAC;YACzB,wEAAwE;YACxE,8DAA8D;YAC9D,MAAM,OAAO,GAAG,MAAM,sBAAsB,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC;YAC9D,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,MAAM,KAAK,GAAG,MAAM,aAAa,CAAC,UAAU,CAAC,CAAC;gBAC9C,IAAI,KAAK,EAAE,MAAM,KAAK,UAAU;oBAAE,OAAO,IAAI,CAAC,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC,CAAC;gBACtE,OAAO,IAAI,CAAC,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC,CAAC;YACrC,CAAC;YACD,IAAI,KAAa,CAAC;YAClB,IAAI,CAAC;gBACH,MAAM,SAAS,GAAG,MAAM,gBAAgB,CAAC,OAAO,CAAC,KAAK,IAAI,SAAS,CAAC,CAAC;gBACrE,KAAK,GAAG,MAAM,YAAY,CAAC,OAAO,CAAC,UAAW,EAAE,SAAS,EAAE,SAAS,EAAE;oBACpE,kBAAkB,EAAE,IAAI;oBACxB,SAAS,EAAE,GAAG,sBAAsB,GAAG;oBACvC,WAAW,EAAE,EAAE,GAAG,EAAE,KAAK,EAAE,iBAAiB,EAAE;iBAC/C,CAAC,CAAC;gBACH,MAAM,iBAAiB,CAAC;oBACtB,GAAG;oBACH,UAAU,EAAE,OAAO,CAAC,UAAW;oBAC/B,KAAK,EAAE,OAAO,CAAC,KAAK;oBACpB,KAAK,EAAE,mBAAmB;iBAC3B,CAAC,CAAC;gBACH,IAAI,CAAC,CAAC,MAAM,oBAAoB,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC,EAAE,CAAC;oBACnD,OAAO,IAAI,CAAC,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC,CAAC;gBACrC,CAAC;YACH,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,MAAM,qBAAqB,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC;gBAC7C,MAAM,GAAG,CAAC;YACZ,CAAC;YACD,OAAO,IAAI,CAAC;gBACV,MAAM,EAAE,UAAU;gBAClB,GAAG,gBAAgB,CAAC,MAAM,EAAE,KAAK,EAAE,OAAO,CAAC;aAC5C,CAAC,CAAC;QACL,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,uBAAuB,EAAE,EAAE,GAAG,CAAC,CAAC;QACxE,CAAC;IACH,CAAC;IAED,yEAAyE;IACzE,IAAI,GAAG,KAAK,SAAS,EAAE,CAAC;QACtB,IAAI,MAAM,KAAK,KAAK;YAAE,OAAO,IAAI,CAAC,EAAE,KAAK,EAAE,oBAAoB,EAAE,EAAE,GAAG,CAAC,CAAC;QACxE,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,CAAC;QACxC,IAAI,CAAC,OAAO,EAAE,KAAK;YAAE,OAAO,IAAI,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,EAAE,GAAG,CAAC,CAAC;QACjE,MAAM,IAAI,GAAG,MAAM,UAAU,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;QAC7C,OAAO,IAAI,CAAC;YACV,MAAM,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;gBACvB,EAAE,EAAE,CAAC,CAAC,EAAE;gBACR,KAAK,EAAE,CAAC,CAAC,KAAK;gBACd,SAAS,EAAE,CAAC,CAAC,SAAS;gBACtB,UAAU,EAAE,CAAC,CAAC,UAAU;gBACxB,SAAS,EAAE,CAAC,CAAC,SAAS;aACvB,CAAC,CAAC;SACJ,CAAC,CAAC;IACL,CAAC;IAED,yEAAyE;IACzE,IAAI,GAAG,KAAK,gBAAgB,EAAE,CAAC;QAC7B,IAAI,MAAM,KAAK,MAAM;YAAE,OAAO,IAAI,CAAC,EAAE,KAAK,EAAE,oBAAoB,EAAE,EAAE,GAAG,CAAC,CAAC;QACzE,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,CAAC;QACxC,IAAI,CAAC,OAAO,EAAE,KAAK;YAAE,OAAO,IAAI,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,EAAE,GAAG,CAAC,CAAC;QACjE,MAAM,IAAI,GAAG,CAAC,CAAC,MAAM,QAAQ,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAE5D,CAAC;QACF,MAAM,EAAE,GAAG,OAAO,IAAI,CAAC,EAAE,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACtD,IAAI,CAAC,EAAE;YAAE,OAAO,IAAI,CAAC,EAAE,KAAK,EAAE,aAAa,EAAE,EAAE,GAAG,CAAC,CAAC;QACpD,MAAM,OAAO,GAAG,MAAM,WAAW,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;QACrD,OAAO,IAAI,CAAC,EAAE,EAAE,EAAE,OAAO,EAAE,CAAC,CAAC;IAC/B,CAAC;IAED,OAAO,IAAI,CAAC,EAAE,KAAK,EAAE,WAAW,EAAE,EAAE,GAAG,CAAC,CAAC;AAC3C,CAAC","sourcesContent":["/**\n * `/_agent-native/mcp/connect` — frictionless external-agent connection.\n *\n * A logged-in user on a deployed agent-native app (e.g. mail.agent-native.com)\n * mints a per-user, scoped, revocable MCP bearer token WITHOUT ever copying a\n * shared deployment secret. Two surfaces:\n *\n *   1. Browser  — `GET /connect` renders a minimal in-app page (same inline\n *      HTML approach as the auth pages). The Authorize button POSTs to\n *      `/connect/token`, then shows the ready-to-paste `.mcp.json` entry, the\n *      `agent-native connect <origin>` one-liner, and the user's existing\n *      tokens with Revoke buttons.\n *   2. CLI      — an OAuth-2.0-device-authorization-style flow:\n *        POST /connect/device/start      (unauth)  → device_code + user_code\n *        GET  /connect?user_code=…       (browser) → user signs in & approves\n *        POST /connect/device/authorize  (session) → binds user to the code\n *        POST /connect/device/poll       (unauth)  → mints + returns the token\n *\n * The minted token reuses the existing A2A signer (`signA2AToken`) — no new\n * crypto. We only add a random `jti` + `scope: \"mcp-connect\"` claim so it can\n * be revoked. `verifyAuth` already verifies A2A_SECRET JWTs and extracts\n * `sub`/`org_domain`, so a minted token works against `/_agent-native/mcp`\n * with no verify changes for the happy path (the revoke check is the only\n * addition there).\n *\n * Node-only (crypto + the A2A signer), bundled alongside the other framework\n * routes. Dialect-agnostic SQL lives in `connect-store.ts`.\n */\n\nimport type { H3Event } from \"h3\";\nimport { getMethod, getHeader } from \"h3\";\nimport { readBody } from \"../server/h3-helpers.js\";\nimport { getSession, getConfiguredLoginHtml } from \"../server/auth.js\";\nimport { signA2AToken } from \"../a2a/client.js\";\nimport { getOrgDomain } from \"../org/context.js\";\nimport { randomUUID } from \"node:crypto\";\nimport {\n  recordMintedToken,\n  listTokens,\n  revokeToken,\n  createDeviceCode,\n  getDeviceCode,\n  approveDeviceCode,\n  claimDeviceCodeForMint,\n  finishDeviceCodeMint,\n  releaseDeviceCodeMint,\n  expireDeviceCode,\n  MCP_CONNECT_SCOPE,\n  DEFAULT_TOKEN_TTL_DAYS,\n  MIN_TOKEN_TTL_DAYS,\n  MAX_TOKEN_TTL_DAYS,\n  DEVICE_CODE_TTL_MS,\n} from \"./connect-store.js\";\n\n/** Device-flow poll interval hint (seconds). */\nconst DEVICE_POLL_INTERVAL_S = 3;\n\n// Human-typable user code: 8 base32 chars, dashed XXXX-XXXX.\nconst USER_CODE_RE = /^[A-Z2-7]{4}-[A-Z2-7]{4}$/;\n\nexport interface McpConnectRouteOptions {\n  /** App id (directory under apps/, e.g. `mail`). Used for the server name. */\n  appId?: string;\n  /** Human app name shown on the connect page. */\n  appName?: string;\n}\n\nfunction json(body: unknown, status = 200): Response {\n  return new Response(JSON.stringify(body), {\n    status,\n    headers: { \"Content-Type\": \"application/json\" },\n  });\n}\n\nfunction html(body: string, status = 200): Response {\n  return new Response(body, {\n    status,\n    headers: { \"Content-Type\": \"text/html; charset=utf-8\" },\n  });\n}\n\n/** Derive the running app's origin from request headers (same logic mountMCP\n *  uses) — `https` in prod / for non-loopback hosts, `http` for localhost. */\nfunction deriveOrigin(event: H3Event): string {\n  const forwardedProto = getHeader(event, \"x-forwarded-proto\");\n  const host = getHeader(event, \"x-forwarded-host\") || getHeader(event, \"host\");\n  const proto =\n    forwardedProto?.split(\",\")[0]?.trim() ||\n    (host && /^(localhost|127\\.0\\.0\\.1)(:|$)/.test(host) ? \"http\" : \"https\");\n  return host ? `${proto}://${host}` : \"\";\n}\n\nfunction normalizeBasePath(raw: string | undefined): string {\n  const trimmed = (raw ?? \"\").trim();\n  if (!trimmed || trimmed === \"/\") return \"\";\n  const withSlash = trimmed.startsWith(\"/\") ? trimmed : `/${trimmed}`;\n  return withSlash.replace(/\\/+$/, \"\");\n}\n\nfunction configuredBasePath(): string {\n  return normalizeBasePath(\n    process.env.APP_BASE_PATH || process.env.VITE_APP_BASE_PATH,\n  );\n}\n\nfunction joinAppPath(basePath: string, path: string): string {\n  if (!basePath) return path;\n  if (path === \"/\") return basePath;\n  return `${basePath}${path.startsWith(\"/\") ? path : `/${path}`}`;\n}\n\nfunction appLabel(origin: string, options: McpConnectRouteOptions): string {\n  if (options.appId) return options.appId;\n  try {\n    const h = new URL(origin).hostname;\n    return h.split(\".\")[0] || h;\n  } catch {\n    return options.appName || \"app\";\n  }\n}\n\nfunction serverName(origin: string, options: McpConnectRouteOptions): string {\n  return `agent-native-${appLabel(origin, options)}`;\n}\n\nfunction escapeHtml(s: string): string {\n  return s\n    .replace(/&/g, \"&amp;\")\n    .replace(/</g, \"&lt;\")\n    .replace(/>/g, \"&gt;\")\n    .replace(/\"/g, \"&quot;\");\n}\n\n/**\n * Resolve the org domain for a session. Used as the JWT `org_domain` claim so\n * the receiving MCP endpoint can map it back to an org id (same as A2A). Best\n * effort — a missing org just yields a user-scoped (no-org) token.\n */\nasync function resolveOrgDomain(\n  orgId: string | undefined,\n): Promise<string | undefined> {\n  if (!orgId) return undefined;\n  try {\n    return (await getOrgDomain(orgId)) ?? undefined;\n  } catch {\n    return undefined;\n  }\n}\n\nfunction clampTtlDays(input: unknown): number {\n  const n = Number(input);\n  if (!Number.isFinite(n)) return DEFAULT_TOKEN_TTL_DAYS;\n  return Math.min(\n    MAX_TOKEN_TTL_DAYS,\n    Math.max(MIN_TOKEN_TTL_DAYS, Math.floor(n)),\n  );\n}\n\n/**\n * Mint a connect-scoped JWT and record it. The JWT is signed by the existing\n * A2A signer (HS256 over A2A_SECRET); we add a random `jti` and\n * `scope: \"mcp-connect\"` so the token is individually revocable. The token\n * value is returned to the caller exactly once and never persisted.\n */\nasync function mintConnectToken(params: {\n  email: string;\n  orgId: string | undefined;\n  label: string | null;\n  ttlDays: number;\n}): Promise<{ token: string; jti: string }> {\n  const orgDomain = await resolveOrgDomain(params.orgId);\n  const jti = randomUUID();\n  // signA2AToken signs { sub: email, org_domain? } over A2A_SECRET (global)\n  // or the org secret. We extend its claims via the standard jose builder by\n  // re-using the same signer with extra claims threaded through `options`.\n  const token = await signA2AToken(params.email, orgDomain, undefined, {\n    preferGlobalSecret: true,\n    expiresIn: `${params.ttlDays}d`,\n    extraClaims: { jti, scope: MCP_CONNECT_SCOPE },\n  });\n  await recordMintedToken({\n    jti,\n    ownerEmail: params.email,\n    orgId: params.orgId ?? null,\n    label: params.label,\n  });\n  return { token, jti };\n}\n\nfunction mcpResultPayload(\n  appUrl: string,\n  token: string,\n  options: McpConnectRouteOptions,\n) {\n  const mcpUrl = `${appUrl}/_agent-native/mcp`;\n  const name = serverName(appUrl, options);\n  return {\n    token,\n    mcpUrl,\n    serverName: name,\n    mcpServerEntry: {\n      type: \"http\" as const,\n      url: mcpUrl,\n      headers: { Authorization: `Bearer ${token}` },\n    },\n    cli: `agent-native connect ${appUrl}`,\n  };\n}\n\n// ---------------------------------------------------------------------------\n// Connect page (server-rendered HTML string)\n// ---------------------------------------------------------------------------\n\nfunction renderConnectPage(params: {\n  origin: string;\n  connectBasePath: string;\n  email: string;\n  appName: string;\n  userCode: string | null;\n}): string {\n  const { origin, connectBasePath, email, appName, userCode } = params;\n  const safeOrigin = escapeHtml(origin);\n  const safeEmail = escapeHtml(email);\n  const safeApp = escapeHtml(appName);\n  const safeUserCode =\n    userCode && USER_CODE_RE.test(userCode) ? escapeHtml(userCode) : \"\";\n  return `<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n<meta charset=\"UTF-8\">\n<meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">\n<title>Connect ${safeApp}</title>\n<style>\n  *, *::before, *::after { box-sizing: border-box; margin: 0; padding: 0; }\n  :root {\n    color-scheme: dark;\n    --bg: #08080a; --panel: #131316; --panel-2: #0d0d10;\n    --border: rgba(255,255,255,0.08); --border-strong: rgba(255,255,255,0.14);\n    --text: #fafafa; --muted: #a1a1aa; --subtle: #71717a;\n    --accent: #fafafa; --accent-fg: #09090b;\n    --ring: rgba(250,250,250,0.55);\n    --error: #fca5a5; --error-bg: rgba(127,29,29,0.18);\n    --ok: #86efac; --ok-bg: rgba(20,83,45,0.2);\n  }\n  html, body { -webkit-font-smoothing: antialiased; }\n  body {\n    font-family: -apple-system, BlinkMacSystemFont, \"Segoe UI\", sans-serif;\n    background:\n      radial-gradient(900px 540px at 50% -14%, rgba(255,255,255,0.05), transparent 60%),\n      linear-gradient(180deg, #121215 0%, var(--bg) 56%);\n    color: var(--text); display: flex; align-items: center;\n    justify-content: center; min-height: 100vh; padding: 1.5rem 1rem;\n  }\n  .card {\n    width: 100%; max-width: 420px;\n    background: var(--panel); border: 1px solid var(--border);\n    border-radius: 18px; box-shadow: 0 1px 0 rgba(255,255,255,0.04) inset,\n      0 30px 90px rgba(0,0,0,0.5);\n    padding: 2.25rem 2rem 1.75rem;\n  }\n  /* App-to-app glyph */\n  .glyph {\n    display: flex; align-items: center; justify-content: center;\n    gap: 0; margin: 0 auto 1.5rem; width: fit-content;\n  }\n  .glyph .tile {\n    width: 52px; height: 52px; border-radius: 14px;\n    display: flex; align-items: center; justify-content: center;\n    background: var(--panel-2); border: 1px solid var(--border-strong);\n    color: var(--text); flex-shrink: 0;\n  }\n  .glyph .tile svg { display: block; }\n  .glyph .conn {\n    width: 38px; height: 2px; flex-shrink: 0;\n    background-image: radial-gradient(circle, var(--subtle) 1px, transparent 1.4px);\n    background-size: 7px 2px; background-repeat: repeat-x;\n    background-position: center;\n  }\n  .eyebrow {\n    text-align: center; font-size: 0.72rem; font-weight: 600;\n    letter-spacing: 0.08em; text-transform: uppercase;\n    color: var(--subtle); margin-bottom: 0.5rem;\n  }\n  h1 {\n    text-align: center; font-size: 1.4rem; font-weight: 680;\n    line-height: 1.25; margin-bottom: 0.55rem;\n    letter-spacing: -0.01em;\n  }\n  .sub {\n    text-align: center; color: var(--muted); font-size: 0.9rem;\n    line-height: 1.5; margin: 0 auto 0.85rem; max-width: 34ch;\n  }\n  .identity {\n    text-align: center; color: var(--subtle); font-size: 0.78rem;\n    margin-bottom: 1.5rem;\n  }\n  .identity strong { color: var(--muted); font-weight: 600; }\n  .code-callout {\n    border: 1px solid var(--border-strong); border-radius: 12px;\n    padding: 0.85rem 1rem; margin-bottom: 1.25rem;\n    background: var(--panel-2); text-align: center;\n  }\n  .code-callout .label { font-size: 0.68rem; color: var(--subtle);\n    text-transform: uppercase; letter-spacing: 0.08em; margin-bottom: 0.4rem; }\n  .code-callout .value { font-size: 1.6rem; font-weight: 700;\n    font-family: ui-monospace, SFMono-Regular, Menlo, monospace;\n    letter-spacing: 0.14em; color: var(--text); }\n  button {\n    cursor: pointer; font: inherit; font-weight: 600; border: none;\n    border-radius: 10px; padding: 0.8rem 1.1rem;\n  }\n  button:focus-visible { outline: 2px solid var(--ring); outline-offset: 2px; }\n  .primary {\n    background: var(--accent); color: var(--accent-fg); width: 100%;\n    font-size: 0.95rem;\n  }\n  .primary:hover:not(:disabled) { background: #e4e4e7; }\n  .primary:disabled { opacity: 0.55; cursor: default; }\n  .ghost {\n    background: transparent; color: var(--muted);\n    border: 1px solid var(--border-strong); padding: 0.35rem 0.7rem;\n    font-size: 0.78rem; font-weight: 500; border-radius: 8px;\n  }\n  .ghost:hover:not(:disabled) { color: var(--text); border-color: var(--subtle); }\n  pre {\n    background: var(--panel-2); border: 1px solid var(--border); border-radius: 10px;\n    padding: 0.9rem; font-size: 0.78rem; line-height: 1.5; overflow-x: auto;\n    font-family: ui-monospace, SFMono-Regular, Menlo, monospace;\n    color: #d4d4d8; margin: 0.5rem 0 1rem;\n  }\n  /* Advanced disclosure */\n  .advanced { margin: 0 0 1rem; }\n  .advanced > summary {\n    list-style: none; cursor: pointer; user-select: none;\n    display: flex; align-items: center; justify-content: center; gap: 0.35rem;\n    color: var(--subtle); font-size: 0.8rem; font-weight: 500;\n    padding: 0.5rem 0; text-align: center;\n  }\n  .advanced > summary::-webkit-details-marker { display: none; }\n  .advanced > summary:hover { color: var(--muted); }\n  .advanced > summary:focus-visible { outline: 2px solid var(--ring);\n    outline-offset: 2px; border-radius: 6px; }\n  .advanced > summary .chev {\n    width: 14px; height: 14px; transition: transform 0.15s ease;\n  }\n  .advanced[open] > summary .chev { transform: rotate(180deg); }\n  .advanced-body {\n    padding: 0.85rem 0.1rem 0.25rem;\n  }\n  .field { margin-bottom: 0.9rem; }\n  .field:last-child { margin-bottom: 0; }\n  .field label { display: block; font-size: 0.78rem; color: var(--muted);\n    margin-bottom: 0.35rem; }\n  .field input {\n    width: 100%; padding: 0.6rem 0.7rem; font: inherit; color: var(--text);\n    background: var(--panel-2); border: 1px solid var(--border-strong);\n    border-radius: 8px;\n  }\n  .field input:focus-visible {\n    outline: none; border-color: var(--ring);\n    box-shadow: 0 0 0 3px rgba(250,250,250,0.12);\n  }\n  .inline { display: flex; gap: 0.5rem; }\n  .inline input { flex: 1; }\n  .tokens { margin-top: 1.5rem; border-top: 1px solid var(--border);\n    padding-top: 1.25rem; }\n  .tokens h2 { font-size: 0.78rem; font-weight: 600; color: var(--muted);\n    text-transform: uppercase; letter-spacing: 0.06em; margin-bottom: 0.6rem; }\n  .tok { display: flex; align-items: center; justify-content: space-between;\n    gap: 0.75rem; padding: 0.6rem 0; border-bottom: 1px solid var(--border);\n    font-size: 0.83rem; }\n  .tok:last-child { border-bottom: none; }\n  .tok .meta { color: var(--subtle); font-size: 0.74rem; margin-top: 0.1rem; }\n  .tok.revoked { opacity: 0.45; }\n  .msg { font-size: 0.83rem; padding: 0.6rem 0.8rem; border-radius: 8px;\n    margin-bottom: 1rem; display: none; }\n  .msg.err { display: block; color: var(--error); background: var(--error-bg); }\n  .msg.ok { display: block; color: var(--ok); background: var(--ok-bg); }\n  .hidden { display: none !important; }\n</style>\n</head>\n<body>\n<div class=\"card\">\n  <!-- \"Connect an external agent\" — kept as an accessible label / consent eyebrow -->\n  <div class=\"glyph\" role=\"img\" aria-label=\"Connect an external agent to ${safeApp}\">\n    <span class=\"tile\" aria-hidden=\"true\">\n      <svg width=\"22\" height=\"22\" viewBox=\"0 0 24 24\" fill=\"none\">\n        <rect x=\"3\" y=\"3\" width=\"8\" height=\"8\" rx=\"2.2\" fill=\"currentColor\"/>\n        <rect x=\"13\" y=\"3\" width=\"8\" height=\"8\" rx=\"2.2\" fill=\"currentColor\" opacity=\"0.55\"/>\n        <rect x=\"3\" y=\"13\" width=\"8\" height=\"8\" rx=\"2.2\" fill=\"currentColor\" opacity=\"0.55\"/>\n        <rect x=\"13\" y=\"13\" width=\"8\" height=\"8\" rx=\"2.2\" fill=\"currentColor\"/>\n      </svg>\n    </span>\n    <span class=\"conn\" aria-hidden=\"true\"></span>\n    <span class=\"tile\" aria-hidden=\"true\">\n      <svg width=\"22\" height=\"22\" viewBox=\"0 0 24 24\" fill=\"none\"\n        stroke=\"currentColor\" stroke-width=\"2\" stroke-linecap=\"round\"\n        stroke-linejoin=\"round\">\n        <path d=\"M9 8 L5 12 L9 16\"/>\n        <path d=\"M15 8 L19 12 L15 16\"/>\n      </svg>\n    </span>\n  </div>\n\n  <div class=\"eyebrow\">Connect an external agent</div>\n  <h1>Authorize ${safeApp}?</h1>\n  <p class=\"sub\">Mint a personal token so a coding agent (Claude Code, Codex, Cowork) can act as you on ${safeApp}.</p>\n  <p class=\"identity\">Signed in as <strong>${safeEmail}</strong> &middot; ${safeOrigin}</p>\n\n  <div id=\"codeCallout\" class=\"code-callout ${safeUserCode ? \"\" : \"hidden\"}\">\n    <div class=\"label\">Authorizing device code</div>\n    <div class=\"value\" id=\"userCodeValue\">${safeUserCode}</div>\n  </div>\n\n  <div id=\"msg\" class=\"msg\"></div>\n\n  <div id=\"mintForm\">\n    <button id=\"authorizeBtn\" class=\"primary\">${safeUserCode ? \"Authorize device\" : \"Create connection token\"}</button>\n    <details class=\"advanced\">\n      <summary>\n        Advanced options\n        <svg class=\"chev\" viewBox=\"0 0 24 24\" fill=\"none\" stroke=\"currentColor\"\n          stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\"\n          aria-hidden=\"true\"><path d=\"M6 9l6 6 6-6\"/></svg>\n      </summary>\n      <div class=\"advanced-body\">\n        <div class=\"field\">\n          <label for=\"label\">Label (optional)</label>\n          <input id=\"label\" type=\"text\" placeholder=\"e.g. Claude Code on my laptop\" maxlength=\"120\" />\n        </div>\n        <div class=\"field\">\n          <label for=\"ttl\">Expires in (days, 1–365)</label>\n          <input id=\"ttl\" type=\"number\" min=\"1\" max=\"365\" value=\"${DEFAULT_TOKEN_TTL_DAYS}\" />\n        </div>\n      </div>\n    </details>\n  </div>\n\n  <div id=\"result\" class=\"hidden\">\n    <p class=\"sub\" id=\"resultMsg\">Token created. Paste this into your agent's MCP config:</p>\n    <pre id=\"mcpJson\"></pre>\n    <p class=\"sub\">Or from a terminal:</p>\n    <pre id=\"cliLine\"></pre>\n  </div>\n\n  <div class=\"tokens\">\n    <h2>Your connections</h2>\n    <div id=\"tokenList\"><div class=\"meta\">Loading…</div></div>\n  </div>\n</div>\n<script>\n(function () {\n  var BASE = ${JSON.stringify(joinAppPath(connectBasePath, \"/_agent-native/mcp/connect\"))};\n  var USER_CODE = ${JSON.stringify(safeUserCode || null)};\n  var msgEl = document.getElementById(\"msg\");\n  function showMsg(text, kind) {\n    msgEl.textContent = text;\n    msgEl.className = \"msg \" + (kind || \"err\");\n  }\n  function clearMsg() { msgEl.className = \"msg\"; msgEl.textContent = \"\"; }\n\n  function renderResult(data) {\n    document.getElementById(\"mintForm\").classList.add(\"hidden\");\n    var entry = {};\n    entry[data.serverName] = data.mcpServerEntry;\n    document.getElementById(\"mcpJson\").textContent =\n      JSON.stringify({ mcpServers: entry }, null, 2);\n    document.getElementById(\"cliLine\").textContent = data.cli;\n    document.getElementById(\"result\").classList.remove(\"hidden\");\n  }\n\n  async function postJson(path, body) {\n    var res = await fetch(BASE + path, {\n      method: \"POST\",\n      headers: { \"Content-Type\": \"application/json\" },\n      credentials: \"same-origin\",\n      body: JSON.stringify(body || {})\n    });\n    var data = null;\n    try { data = await res.json(); } catch (e) {}\n    return { ok: res.ok, status: res.status, data: data };\n  }\n\n  async function loadTokens() {\n    var listEl = document.getElementById(\"tokenList\");\n    try {\n      var res = await fetch(BASE + \"/tokens\", { credentials: \"same-origin\" });\n      if (!res.ok) { listEl.innerHTML = '<div class=\"meta\">Could not load.</div>'; return; }\n      var data = await res.json();\n      var tokens = (data && data.tokens) || [];\n      if (!tokens.length) { listEl.innerHTML = '<div class=\"meta\">No connections yet.</div>'; return; }\n      listEl.innerHTML = \"\";\n      tokens.forEach(function (t) {\n        var div = document.createElement(\"div\");\n        div.className = \"tok\" + (t.revokedAt ? \" revoked\" : \"\");\n        var when = t.createdAt ? new Date(t.createdAt).toLocaleString() : \"\";\n        var used = t.lastUsedAt ? \" · last used \" + new Date(t.lastUsedAt).toLocaleString() : \"\";\n        var left = document.createElement(\"div\");\n        var label = document.createElement(\"div\");\n        label.textContent = t.label || \"(unlabeled)\";\n        var meta = document.createElement(\"div\");\n        meta.className = \"meta\";\n        meta.textContent = (t.revokedAt ? \"Revoked · \" : \"Created \") + when + used;\n        left.appendChild(label); left.appendChild(meta);\n        div.appendChild(left);\n        if (!t.revokedAt) {\n          var btn = document.createElement(\"button\");\n          btn.className = \"ghost\";\n          btn.textContent = \"Revoke\";\n          btn.onclick = async function () {\n            btn.disabled = true;\n            var r = await postJson(\"/tokens/revoke\", { id: t.id });\n            if (r.ok) { loadTokens(); }\n            else { btn.disabled = false; showMsg(\"Could not revoke token.\"); }\n          };\n          div.appendChild(btn);\n        }\n        listEl.appendChild(div);\n      });\n    } catch (e) {\n      listEl.innerHTML = '<div class=\"meta\">Could not load.</div>';\n    }\n  }\n\n  document.getElementById(\"authorizeBtn\").onclick = async function () {\n    var btn = this;\n    btn.disabled = true;\n    clearMsg();\n    var label = document.getElementById(\"label\").value || undefined;\n    var ttlDays = parseInt(document.getElementById(\"ttl\").value, 10) || undefined;\n    try {\n      if (USER_CODE) {\n        var a = await postJson(\"/device/authorize\", { user_code: USER_CODE });\n        if (!a.ok) {\n          btn.disabled = false;\n          showMsg((a.data && a.data.error) || \"Could not authorize this device code.\");\n          return;\n        }\n        showMsg(\"Device authorized. You can return to your terminal — it will connect automatically.\", \"ok\");\n        btn.classList.add(\"hidden\");\n        document.getElementById(\"mintForm\").classList.add(\"hidden\");\n      } else {\n        var m = await postJson(\"/token\", { label: label, ttlDays: ttlDays });\n        if (!m.ok) {\n          btn.disabled = false;\n          showMsg((m.data && m.data.error) || \"Could not create token.\");\n          return;\n        }\n        renderResult(m.data);\n      }\n      loadTokens();\n    } catch (e) {\n      btn.disabled = false;\n      showMsg(\"Network error. Please try again.\");\n    }\n  };\n\n  loadTokens();\n})();\n</script>\n</body>\n</html>`;\n}\n\n// ---------------------------------------------------------------------------\n// Handler — single entry point; core-routes-plugin dispatches the subpath.\n// ---------------------------------------------------------------------------\n\n/**\n * Handle a `/_agent-native/mcp/connect[...]` request. `subpath` is the part\n * after `/connect` (empty string = the page itself, otherwise e.g.\n * `/token`, `/device/start`). The core-routes-plugin computes it from the\n * stripped event path so this module stays mount-agnostic.\n */\nexport async function handleMcpConnect(\n  event: H3Event,\n  subpath: string,\n  options: McpConnectRouteOptions = {},\n): Promise<Response> {\n  const method = getMethod(event);\n  const origin = deriveOrigin(event);\n  const basePath = configuredBasePath();\n  const appUrl = `${origin}${basePath}`;\n  const sub = (\"/\" + subpath.replace(/^\\/+/, \"\").replace(/\\/+$/, \"\")).replace(\n    /^\\/$/,\n    \"\",\n  );\n\n  // ---- The connect page (GET) ------------------------------------------\n  if (sub === \"\") {\n    if (method !== \"GET\" && method !== \"HEAD\") {\n      return json({ error: \"Method not allowed\" }, 405);\n    }\n    const session = await getSession(event);\n    if (!session?.email) {\n      // Serve the SAME login form the guard would, at this same URL — the\n      // login form reloads window.location so we re-enter here authed.\n      const loginHtml = getConfiguredLoginHtml(event);\n      if (loginHtml) return html(loginHtml, 200);\n      // Fully-open app (no auth guard): nothing to scope a mint to.\n      return html(\n        renderConnectPage({\n          origin: appUrl,\n          connectBasePath: basePath,\n          email: \"(no auth configured)\",\n          appName: options.appName || appLabel(appUrl, options),\n          userCode: null,\n        }),\n      );\n    }\n    let userCode: string | null = null;\n    try {\n      const u = new URL(\n        event.node?.req?.url ?? event.path ?? \"/\",\n        \"http://an.invalid\",\n      );\n      const raw = u.searchParams.get(\"user_code\");\n      if (raw && USER_CODE_RE.test(raw)) userCode = raw;\n    } catch {\n      userCode = null;\n    }\n    return html(\n      renderConnectPage({\n        origin: appUrl,\n        connectBasePath: basePath,\n        email: session.email,\n        appName: options.appName || appLabel(appUrl, options),\n        userCode,\n      }),\n    );\n  }\n\n  // ---- POST /token  (session-required) ---------------------------------\n  if (sub === \"/token\") {\n    if (method !== \"POST\") return json({ error: \"Method not allowed\" }, 405);\n    const session = await getSession(event);\n    if (!session?.email) return json({ error: \"Unauthorized\" }, 401);\n    if (!process.env.A2A_SECRET) {\n      return json(\n        {\n          error:\n            \"This deployment has no A2A_SECRET configured, so connect tokens cannot be minted.\",\n        },\n        503,\n      );\n    }\n    const body = ((await readBody(event).catch(() => ({}))) ?? {}) as {\n      label?: unknown;\n      ttlDays?: unknown;\n    };\n    const label =\n      typeof body.label === \"string\" && body.label.trim()\n        ? body.label.trim().slice(0, 120)\n        : null;\n    const ttlDays = clampTtlDays(body.ttlDays);\n    try {\n      const { token } = await mintConnectToken({\n        email: session.email,\n        orgId: session.orgId,\n        label,\n        ttlDays,\n      });\n      return json(mcpResultPayload(appUrl, token, options));\n    } catch {\n      return json({ error: \"Failed to mint token.\" }, 500);\n    }\n  }\n\n  // ---- POST /device/start  (UNAUTH) ------------------------------------\n  if (sub === \"/device/start\") {\n    if (method !== \"POST\") return json({ error: \"Method not allowed\" }, 405);\n    try {\n      const row = await createDeviceCode();\n      const verificationUri = `${appUrl}/_agent-native/mcp/connect`;\n      return json({\n        device_code: row.deviceCode,\n        user_code: row.userCode,\n        verification_uri: verificationUri,\n        verification_uri_complete: `${verificationUri}?user_code=${row.userCode}`,\n        interval: DEVICE_POLL_INTERVAL_S,\n        expires_in: Math.floor(DEVICE_CODE_TTL_MS / 1000),\n      });\n    } catch (err: any) {\n      if (err?.message === \"RATE_LIMITED\") {\n        return json({ error: \"Rate limited. Try again shortly.\" }, 429);\n      }\n      return json({ error: \"Could not start device flow.\" }, 500);\n    }\n  }\n\n  // ---- POST /device/authorize  (session-required) ----------------------\n  if (sub === \"/device/authorize\") {\n    if (method !== \"POST\") return json({ error: \"Method not allowed\" }, 405);\n    const session = await getSession(event);\n    if (!session?.email) return json({ error: \"Unauthorized\" }, 401);\n    const body = ((await readBody(event).catch(() => ({}))) ?? {}) as {\n      user_code?: unknown;\n    };\n    const userCode =\n      typeof body.user_code === \"string\" ? body.user_code.trim() : \"\";\n    if (!USER_CODE_RE.test(userCode)) {\n      return json({ error: \"Invalid user code.\" }, 400);\n    }\n    const orgId =\n      typeof session.orgId === \"string\" && session.orgId.trim()\n        ? session.orgId.trim()\n        : null;\n    const result = await approveDeviceCode(userCode, session.email, orgId);\n    if (result === \"not_found\") {\n      return json({ error: \"Unknown device code.\" }, 404);\n    }\n    if (result === \"expired\") {\n      return json({ error: \"This device code has expired.\" }, 410);\n    }\n    if (result === \"already\") {\n      return json({ error: \"This device code was already used.\" }, 409);\n    }\n    return json({ status: \"approved\" });\n  }\n\n  // ---- POST /device/poll  (UNAUTH) -------------------------------------\n  if (sub === \"/device/poll\") {\n    if (method !== \"POST\") return json({ error: \"Method not allowed\" }, 405);\n    const body = ((await readBody(event).catch(() => ({}))) ?? {}) as {\n      device_code?: unknown;\n    };\n    const deviceCode =\n      typeof body.device_code === \"string\" ? body.device_code : \"\";\n    if (!deviceCode) return json({ error: \"device_code required\" }, 400);\n    const row = await getDeviceCode(deviceCode);\n    if (!row) return json({ status: \"not_found\" }, 404);\n    if (row.status === \"consumed\") return json({ status: \"consumed\" });\n    if (\n      row.status === \"expired\" ||\n      (row.expiresAt != null && row.expiresAt < Date.now())\n    ) {\n      if (row.status !== \"expired\") void expireDeviceCode(deviceCode);\n      return json({ status: \"expired\" });\n    }\n    if (\n      row.status === \"pending\" ||\n      row.status === \"minting\" ||\n      !row.ownerEmail\n    ) {\n      return json({ status: \"pending\" });\n    }\n    // status === \"approved\" && ownerEmail bound → mint exactly once.\n    if (!process.env.A2A_SECRET) {\n      return json({ status: \"error\", error: \"A2A_SECRET not configured\" }, 503);\n    }\n    try {\n      const jti = randomUUID();\n      // Claim a retryable minting state first. If signing or recording fails,\n      // release the row back to approved so the CLI can poll again.\n      const claimed = await claimDeviceCodeForMint(deviceCode, jti);\n      if (!claimed) {\n        const fresh = await getDeviceCode(deviceCode);\n        if (fresh?.status === \"consumed\") return json({ status: \"consumed\" });\n        return json({ status: \"pending\" });\n      }\n      let token: string;\n      try {\n        const orgDomain = await resolveOrgDomain(claimed.orgId ?? undefined);\n        token = await signA2AToken(claimed.ownerEmail!, orgDomain, undefined, {\n          preferGlobalSecret: true,\n          expiresIn: `${DEFAULT_TOKEN_TTL_DAYS}d`,\n          extraClaims: { jti, scope: MCP_CONNECT_SCOPE },\n        });\n        await recordMintedToken({\n          jti,\n          ownerEmail: claimed.ownerEmail!,\n          orgId: claimed.orgId,\n          label: \"Device connection\",\n        });\n        if (!(await finishDeviceCodeMint(deviceCode, jti))) {\n          return json({ status: \"pending\" });\n        }\n      } catch (err) {\n        await releaseDeviceCodeMint(deviceCode, jti);\n        throw err;\n      }\n      return json({\n        status: \"approved\",\n        ...mcpResultPayload(appUrl, token, options),\n      });\n    } catch {\n      return json({ status: \"error\", error: \"Failed to mint token.\" }, 500);\n    }\n  }\n\n  // ---- GET /tokens  (session-required) ---------------------------------\n  if (sub === \"/tokens\") {\n    if (method !== \"GET\") return json({ error: \"Method not allowed\" }, 405);\n    const session = await getSession(event);\n    if (!session?.email) return json({ error: \"Unauthorized\" }, 401);\n    const rows = await listTokens(session.email);\n    return json({\n      tokens: rows.map((r) => ({\n        id: r.id,\n        label: r.label,\n        createdAt: r.createdAt,\n        lastUsedAt: r.lastUsedAt,\n        revokedAt: r.revokedAt,\n      })),\n    });\n  }\n\n  // ---- POST /tokens/revoke  (session-required) -------------------------\n  if (sub === \"/tokens/revoke\") {\n    if (method !== \"POST\") return json({ error: \"Method not allowed\" }, 405);\n    const session = await getSession(event);\n    if (!session?.email) return json({ error: \"Unauthorized\" }, 401);\n    const body = ((await readBody(event).catch(() => ({}))) ?? {}) as {\n      id?: unknown;\n    };\n    const id = typeof body.id === \"string\" ? body.id : \"\";\n    if (!id) return json({ error: \"id required\" }, 400);\n    const revoked = await revokeToken(session.email, id);\n    return json({ ok: revoked });\n  }\n\n  return json({ error: \"Not found\" }, 404);\n}\n"]}

package/dist/mcp/connect-store.d.ts

@@ -0,0 +1,132 @@
+/**
+ * Framework-table store for the "connect external agents" feature.
+ *
+ * Two additive, dialect-agnostic tables back the browser **Connect** page and
+ * the OAuth-style **device-code flow** a CLI drives:
+ *
+ *   - `mcp_connect_tokens`  — one row per minted MCP token. We never store the
+ *     token value (it's a signed JWT); only its `jti` so revocation is a
+ *     SQL lookup. Revoking sets `revoked_at`; the row is never deleted.
+ *   - `mcp_device_codes`    — short-lived (10 min) device/user code pairs for
+ *     the OAuth 2.0 device-authorization-style CLI flow. Single-use
+ *     (`consumed_at`), rate-limited at creation.
+ *
+ * Mirrors `application-state/store.ts`: lazy `ensureTable()`, `getDbExec()`,
+ * `isPostgres()` dialect branching for upserts, `isConnectionError()` swallow
+ * so a transient Neon WS drop never 500s. `CREATE TABLE IF NOT EXISTS` only —
+ * strictly additive, never DROP / ALTER (shared prod DB rule).
+ */
+/**
+ * Scope claim that marks a connect-minted token (vs. an ordinary A2A
+ * delegation JWT). Only tokens carrying this scope go through the revoke
+ * lookup in `verifyAuth` — defined here so both `connect-route.ts` and
+ * `build-server.ts` import it from the leaf store without a cycle.
+ */
+export declare const MCP_CONNECT_SCOPE = "mcp-connect";
+/** Device codes are valid for 10 minutes. */
+export declare const DEVICE_CODE_TTL_MS: number;
+/** Default minted-token lifetime. Configurable per-request 1–365 days. */
+export declare const DEFAULT_TOKEN_TTL_DAYS = 90;
+export declare const MIN_TOKEN_TTL_DAYS = 1;
+export declare const MAX_TOKEN_TTL_DAYS = 365;
+/**
+ * Rate limit for `device/start`: at most this many device codes may be created
+ * within `DEVICE_START_WINDOW_MS`. Unauthenticated endpoint — keep it tight so
+ * a hostile client can't flood the table or brute-force user codes.
+ */
+export declare const DEVICE_START_MAX = 20;
+export declare const DEVICE_START_WINDOW_MS = 60000;
+export interface MintedTokenRow {
+    id: string;
+    jti: string;
+    ownerEmail: string;
+    orgId: string | null;
+    label: string | null;
+    createdAt: number | null;
+    lastUsedAt: number | null;
+    revokedAt: number | null;
+}
+/**
+ * Persist a record of a minted token. The token value itself (a signed JWT)
+ * is NEVER stored — only its `jti`, so revocation is a cheap SQL lookup.
+ */
+export declare function recordMintedToken(params: {
+    jti: string;
+    ownerEmail: string;
+    orgId?: string | null;
+    label?: string | null;
+}): Promise<string>;
+/**
+ * Returns true when the given `jti` corresponds to a token that has been
+ * revoked. Fails OPEN on a store/DB error: a transient Neon WS drop must not
+ * lock every connected agent out. Signature verification is unaffected — this
+ * is only the post-verify revoke check (see `verifyAuth` in build-server.ts).
+ */
+export declare function isJtiRevoked(jti: string): Promise<boolean>;
+export declare function listTokens(ownerEmail: string): Promise<MintedTokenRow[]>;
+/**
+ * Revoke a token, but ONLY if it is owned by `ownerEmail` (the caller). The
+ * `owner_email = ?` predicate is the access scope — a caller can never revoke
+ * another user's token. Idempotent: re-revoking keeps the first timestamp.
+ * Returns true when a row was actually transitioned to revoked.
+ */
+export declare function revokeToken(ownerEmail: string, id: string): Promise<boolean>;
+/**
+ * Best-effort: stamp `last_used_at` for a token. Swallows all errors — this is
+ * pure telemetry and must never affect the auth path.
+ */
+export declare function touchTokenUsed(jti: string): Promise<void>;
+export interface DeviceCodeRow {
+    deviceCode: string;
+    userCode: string;
+    ownerEmail: string | null;
+    orgId: string | null;
+    status: "pending" | "approved" | "minting" | "consumed" | "expired";
+    tokenJti: string | null;
+    createdAt: number | null;
+    expiresAt: number | null;
+    consumedAt: number | null;
+}
+/**
+ * Create a new device+user code pair. Rate-limited: at most
+ * `DEVICE_START_MAX` codes within `DEVICE_START_WINDOW_MS`. The window count
+ * is a coarse global cap (this endpoint is unauthenticated) — enough to stop
+ * table flooding / user-code brute force without per-IP plumbing.
+ *
+ * Throws `RATE_LIMITED` when the cap is exceeded so the route can map it to a
+ * 429.
+ */
+export declare function createDeviceCode(): Promise<DeviceCodeRow>;
+export declare function getDeviceCode(deviceCode: string): Promise<DeviceCodeRow | null>;
+export declare function getDeviceCodeByUserCode(userCode: string): Promise<DeviceCodeRow | null>;
+/**
+ * Bind the logged-in user (email + org) to a pending device code, identified
+ * by its human-typable `user_code`. Only transitions a non-expired, still
+ * `pending` row. Returns the bound row, or a string error code:
+ *   - `not_found`  — no such user_code
+ *   - `expired`    — past its TTL
+ *   - `already`    — already approved/consumed (not re-bindable)
+ */
+export declare function approveDeviceCode(userCode: string, ownerEmail: string, orgId: string | null): Promise<DeviceCodeRow | "not_found" | "expired" | "already">;
+/**
+ * Atomically transition an approved device code to consumed and stamp the
+ * minted token's jti. Single-use: only succeeds when the row is currently
+ * `approved` (not already consumed). Returns the pre-consume row on success,
+ * or null when it could not be consumed (already consumed / not approved /
+ * gone). The caller mints the token only after this returns a row.
+ */
+export declare function consumeDeviceCode(deviceCode: string, tokenJti: string): Promise<DeviceCodeRow | null>;
+/**
+ * Claim an approved device code for token minting without making it terminal.
+ * If signing or token recording fails, callers release this back to approved
+ * so the CLI can retry the poll instead of being stuck at "consumed".
+ */
+export declare function claimDeviceCodeForMint(deviceCode: string, tokenJti: string): Promise<DeviceCodeRow | null>;
+export declare function finishDeviceCodeMint(deviceCode: string, tokenJti: string): Promise<boolean>;
+export declare function releaseDeviceCodeMint(deviceCode: string, tokenJti: string): Promise<void>;
+/**
+ * Best-effort: flip an expired, still-pending/approved row to `expired` so
+ * the poll endpoint can report a clean terminal state. Swallows errors.
+ */
+export declare function expireDeviceCode(deviceCode: string): Promise<void>;
+//# sourceMappingURL=connect-store.d.ts.map

package/dist/mcp/connect-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"connect-store.d.ts","sourceRoot":"","sources":["../../src/mcp/connect-store.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAYH;;;;;GAKG;AACH,eAAO,MAAM,iBAAiB,gBAAgB,CAAC;AAE/C,6CAA6C;AAC7C,eAAO,MAAM,kBAAkB,QAAc,CAAC;AAE9C,0EAA0E;AAC1E,eAAO,MAAM,sBAAsB,KAAK,CAAC;AACzC,eAAO,MAAM,kBAAkB,IAAI,CAAC;AACpC,eAAO,MAAM,kBAAkB,MAAM,CAAC;AAEtC;;;;GAIG;AACH,eAAO,MAAM,gBAAgB,KAAK,CAAC;AACnC,eAAO,MAAM,sBAAsB,QAAS,CAAC;AA+C7C,MAAM,WAAW,cAAc;IAC7B,EAAE,EAAE,MAAM,CAAC;IACX,GAAG,EAAE,MAAM,CAAC;IACZ,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;CAC1B;AAED;;;GAGG;AACH,wBAAsB,iBAAiB,CAAC,MAAM,EAAE;IAC9C,GAAG,EAAE,MAAM,CAAC;IACZ,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CACvB,GAAG,OAAO,CAAC,MAAM,CAAC,CAkBlB;AAED;;;;;GAKG;AACH,wBAAsB,YAAY,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAiBhE;AAED,wBAAsB,UAAU,CAC9B,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,cAAc,EAAE,CAAC,CAsB3B;AAED;;;;;GAKG;AACH,wBAAsB,WAAW,CAC/B,UAAU,EAAE,MAAM,EAClB,EAAE,EAAE,MAAM,GACT,OAAO,CAAC,OAAO,CAAC,CAQlB;AAED;;;GAGG;AACH,wBAAsB,cAAc,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAW/D;AAMD,MAAM,WAAW,aAAa;IAC5B,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,MAAM,EAAE,SAAS,GAAG,UAAU,GAAG,SAAS,GAAG,UAAU,GAAG,SAAS,CAAC;IACpE,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;CAC3B;AAmBD;;;;;;;;GAQG;AACH,wBAAsB,gBAAgB,IAAI,OAAO,CAAC,aAAa,CAAC,CAgD/D;AAgBD,wBAAsB,aAAa,CACjC,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC,CAc/B;AAED,wBAAsB,uBAAuB,CAC3C,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC,CAc/B;AAED;;;;;;;GAOG;AACH,wBAAsB,iBAAiB,CACrC,QAAQ,EAAE,MAAM,EAChB,UAAU,EAAE,MAAM,EAClB,KAAK,EAAE,MAAM,GAAG,IAAI,GACnB,OAAO,CAAC,aAAa,GAAG,WAAW,GAAG,SAAS,GAAG,SAAS,CAAC,CAuB9D;AAED;;;;;;GAMG;AACH,wBAAsB,iBAAiB,CACrC,UAAU,EAAE,MAAM,EAClB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC,CAY/B;AAED;;;;GAIG;AACH,wBAAsB,sBAAsB,CAC1C,UAAU,EAAE,MAAM,EAClB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC,CAW/B;AAED,wBAAsB,oBAAoB,CACxC,UAAU,EAAE,MAAM,EAClB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,OAAO,CAAC,CAQlB;AAED,wBAAsB,qBAAqB,CACzC,UAAU,EAAE,MAAM,EAClB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,IAAI,CAAC,CAYf;AAED;;;GAGG;AACH,wBAAsB,gBAAgB,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAYxE"}