@agent-native/core 0.18.1 → 0.19.1

package/dist/mcp/connect-store.js

@@ -0,0 +1,434 @@
+/**
+ * Framework-table store for the "connect external agents" feature.
+ *
+ * Two additive, dialect-agnostic tables back the browser **Connect** page and
+ * the OAuth-style **device-code flow** a CLI drives:
+ *
+ *   - `mcp_connect_tokens`  — one row per minted MCP token. We never store the
+ *     token value (it's a signed JWT); only its `jti` so revocation is a
+ *     SQL lookup. Revoking sets `revoked_at`; the row is never deleted.
+ *   - `mcp_device_codes`    — short-lived (10 min) device/user code pairs for
+ *     the OAuth 2.0 device-authorization-style CLI flow. Single-use
+ *     (`consumed_at`), rate-limited at creation.
+ *
+ * Mirrors `application-state/store.ts`: lazy `ensureTable()`, `getDbExec()`,
+ * `isPostgres()` dialect branching for upserts, `isConnectionError()` swallow
+ * so a transient Neon WS drop never 500s. `CREATE TABLE IF NOT EXISTS` only —
+ * strictly additive, never DROP / ALTER (shared prod DB rule).
+ */
+import { getDbExec, isConnectionError, intType, } from "../db/client.js";
+import { randomBytes, randomUUID } from "node:crypto";
+let _initPromise;
+/**
+ * Scope claim that marks a connect-minted token (vs. an ordinary A2A
+ * delegation JWT). Only tokens carrying this scope go through the revoke
+ * lookup in `verifyAuth` — defined here so both `connect-route.ts` and
+ * `build-server.ts` import it from the leaf store without a cycle.
+ */
+export const MCP_CONNECT_SCOPE = "mcp-connect";
+/** Device codes are valid for 10 minutes. */
+export const DEVICE_CODE_TTL_MS = 10 * 60_000;
+/** Default minted-token lifetime. Configurable per-request 1–365 days. */
+export const DEFAULT_TOKEN_TTL_DAYS = 90;
+export const MIN_TOKEN_TTL_DAYS = 1;
+export const MAX_TOKEN_TTL_DAYS = 365;
+/**
+ * Rate limit for `device/start`: at most this many device codes may be created
+ * within `DEVICE_START_WINDOW_MS`. Unauthenticated endpoint — keep it tight so
+ * a hostile client can't flood the table or brute-force user codes.
+ */
+export const DEVICE_START_MAX = 20;
+export const DEVICE_START_WINDOW_MS = 60_000;
+async function ensureTable() {
+    if (!_initPromise) {
+        _initPromise = (async () => {
+            const client = getDbExec();
+            // Additive only. Never DROP / ALTER — this DB is shared across every
+            // deploy context (preview/branch/prod) for hosted templates.
+            await client.execute(`
+        CREATE TABLE IF NOT EXISTS mcp_connect_tokens (
+          id TEXT PRIMARY KEY,
+          jti TEXT UNIQUE NOT NULL,
+          owner_email TEXT NOT NULL,
+          org_id TEXT,
+          label TEXT,
+          created_at ${intType()},
+          last_used_at ${intType()},
+          revoked_at ${intType()}
+        )
+      `);
+            await client.execute(`
+        CREATE TABLE IF NOT EXISTS mcp_device_codes (
+          device_code TEXT PRIMARY KEY,
+          user_code TEXT NOT NULL,
+          owner_email TEXT,
+          org_id TEXT,
+          status TEXT NOT NULL DEFAULT 'pending',
+          token_jti TEXT,
+          created_at ${intType()},
+          expires_at ${intType()},
+          consumed_at ${intType()}
+        )
+      `);
+        })().catch((err) => {
+            // Don't cache a rejected init. A transient DB blip should let the next
+            // connect/mint/revoke call retry rather than wedging the process.
+            _initPromise = undefined;
+            throw err;
+        });
+    }
+    return _initPromise;
+}
+/**
+ * Persist a record of a minted token. The token value itself (a signed JWT)
+ * is NEVER stored — only its `jti`, so revocation is a cheap SQL lookup.
+ */
+export async function recordMintedToken(params) {
+    await ensureTable();
+    const client = getDbExec();
+    const id = randomUUID();
+    await client.execute({
+        sql: `INSERT INTO mcp_connect_tokens (id, jti, owner_email, org_id, label, created_at, last_used_at, revoked_at) VALUES (?, ?, ?, ?, ?, ?, ?, ?)`,
+        args: [
+            id,
+            params.jti,
+            params.ownerEmail,
+            params.orgId ?? null,
+            params.label ?? null,
+            Date.now(),
+            null,
+            null,
+        ],
+    });
+    return id;
+}
+/**
+ * Returns true when the given `jti` corresponds to a token that has been
+ * revoked. Fails OPEN on a store/DB error: a transient Neon WS drop must not
+ * lock every connected agent out. Signature verification is unaffected — this
+ * is only the post-verify revoke check (see `verifyAuth` in build-server.ts).
+ */
+export async function isJtiRevoked(jti) {
+    try {
+        await ensureTable();
+        const client = getDbExec();
+        const { rows } = await client.execute({
+            sql: `SELECT revoked_at FROM mcp_connect_tokens WHERE jti = ?`,
+            args: [jti],
+        });
+        if (rows.length === 0)
+            return false;
+        const revokedAt = rows[0].revoked_at ?? rows[0].revokedAt;
+        return revokedAt != null;
+    }
+    catch (err) {
+        // Fail open: a DB blip must not turn every minted token into a 401.
+        // (Signature checks already passed; this only gates explicit revokes.)
+        if (isConnectionError(err))
+            return false;
+        return false;
+    }
+}
+export async function listTokens(ownerEmail) {
+    try {
+        await ensureTable();
+        const client = getDbExec();
+        const { rows } = await client.execute({
+            sql: `SELECT id, jti, owner_email, org_id, label, created_at, last_used_at, revoked_at FROM mcp_connect_tokens WHERE owner_email = ? ORDER BY created_at DESC`,
+            args: [ownerEmail],
+        });
+        return rows.map((r) => ({
+            id: r.id,
+            jti: r.jti,
+            ownerEmail: (r.owner_email ?? r.ownerEmail),
+            orgId: (r.org_id ?? r.orgId ?? null),
+            label: (r.label ?? null),
+            createdAt: numOrNull(r.created_at ?? r.createdAt),
+            lastUsedAt: numOrNull(r.last_used_at ?? r.lastUsedAt),
+            revokedAt: numOrNull(r.revoked_at ?? r.revokedAt),
+        }));
+    }
+    catch (err) {
+        if (isConnectionError(err))
+            return [];
+        throw err;
+    }
+}
+/**
+ * Revoke a token, but ONLY if it is owned by `ownerEmail` (the caller). The
+ * `owner_email = ?` predicate is the access scope — a caller can never revoke
+ * another user's token. Idempotent: re-revoking keeps the first timestamp.
+ * Returns true when a row was actually transitioned to revoked.
+ */
+export async function revokeToken(ownerEmail, id) {
+    await ensureTable();
+    const client = getDbExec();
+    const result = await client.execute({
+        sql: `UPDATE mcp_connect_tokens SET revoked_at = ? WHERE id = ? AND owner_email = ? AND revoked_at IS NULL`,
+        args: [Date.now(), id, ownerEmail],
+    });
+    return result.rowsAffected > 0;
+}
+/**
+ * Best-effort: stamp `last_used_at` for a token. Swallows all errors — this is
+ * pure telemetry and must never affect the auth path.
+ */
+export async function touchTokenUsed(jti) {
+    try {
+        await ensureTable();
+        const client = getDbExec();
+        await client.execute({
+            sql: `UPDATE mcp_connect_tokens SET last_used_at = ? WHERE jti = ?`,
+            args: [Date.now(), jti],
+        });
+    }
+    catch {
+        // last_used_at is informational only — never throw from the hot path.
+    }
+}
+const USER_CODE_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"; // Crockford-ish base32, no 0/1/O/I
+/** Crypto-random short human-typable code, formatted `XXXX-XXXX`. */
+function generateUserCode() {
+    const bytes = randomBytes(8);
+    let out = "";
+    for (let i = 0; i < 8; i++) {
+        out += USER_CODE_ALPHABET[bytes[i] % USER_CODE_ALPHABET.length];
+        if (i === 3)
+            out += "-";
+    }
+    return out;
+}
+function generateDeviceCode() {
+    return randomBytes(32).toString("base64url");
+}
+/**
+ * Create a new device+user code pair. Rate-limited: at most
+ * `DEVICE_START_MAX` codes within `DEVICE_START_WINDOW_MS`. The window count
+ * is a coarse global cap (this endpoint is unauthenticated) — enough to stop
+ * table flooding / user-code brute force without per-IP plumbing.
+ *
+ * Throws `RATE_LIMITED` when the cap is exceeded so the route can map it to a
+ * 429.
+ */
+export async function createDeviceCode() {
+    await ensureTable();
+    const client = getDbExec();
+    const now = Date.now();
+    try {
+        const { rows } = await client.execute({
+            sql: `SELECT COUNT(*) AS n FROM mcp_device_codes WHERE created_at > ?`,
+            args: [now - DEVICE_START_WINDOW_MS],
+        });
+        const n = Number(rows[0]?.n ?? rows[0]?.["COUNT(*)"] ?? 0);
+        if (Number.isFinite(n) && n >= DEVICE_START_MAX) {
+            throw new Error("RATE_LIMITED");
+        }
+    }
+    catch (err) {
+        if (err?.message === "RATE_LIMITED")
+            throw err;
+        // A read failure here should not block legitimate device starts — the
+        // single-use + short-TTL design is the primary protection. Continue.
+    }
+    const deviceCode = generateDeviceCode();
+    const userCode = generateUserCode();
+    const expiresAt = now + DEVICE_CODE_TTL_MS;
+    await client.execute({
+        sql: `INSERT INTO mcp_device_codes (device_code, user_code, owner_email, org_id, status, token_jti, created_at, expires_at, consumed_at) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)`,
+        args: [
+            deviceCode,
+            userCode,
+            null,
+            null,
+            "pending",
+            null,
+            now,
+            expiresAt,
+            null,
+        ],
+    });
+    return {
+        deviceCode,
+        userCode,
+        ownerEmail: null,
+        orgId: null,
+        status: "pending",
+        tokenJti: null,
+        createdAt: now,
+        expiresAt,
+        consumedAt: null,
+    };
+}
+function mapDeviceRow(r) {
+    return {
+        deviceCode: (r.device_code ?? r.deviceCode),
+        userCode: (r.user_code ?? r.userCode),
+        ownerEmail: (r.owner_email ?? r.ownerEmail ?? null),
+        orgId: (r.org_id ?? r.orgId ?? null),
+        status: (r.status ?? "pending"),
+        tokenJti: (r.token_jti ?? r.tokenJti ?? null),
+        createdAt: numOrNull(r.created_at ?? r.createdAt),
+        expiresAt: numOrNull(r.expires_at ?? r.expiresAt),
+        consumedAt: numOrNull(r.consumed_at ?? r.consumedAt),
+    };
+}
+export async function getDeviceCode(deviceCode) {
+    try {
+        await ensureTable();
+        const client = getDbExec();
+        const { rows } = await client.execute({
+            sql: `SELECT * FROM mcp_device_codes WHERE device_code = ?`,
+            args: [deviceCode],
+        });
+        if (rows.length === 0)
+            return null;
+        return mapDeviceRow(rows[0]);
+    }
+    catch (err) {
+        if (isConnectionError(err))
+            return null;
+        throw err;
+    }
+}
+export async function getDeviceCodeByUserCode(userCode) {
+    try {
+        await ensureTable();
+        const client = getDbExec();
+        const { rows } = await client.execute({
+            sql: `SELECT * FROM mcp_device_codes WHERE user_code = ?`,
+            args: [userCode],
+        });
+        if (rows.length === 0)
+            return null;
+        return mapDeviceRow(rows[0]);
+    }
+    catch (err) {
+        if (isConnectionError(err))
+            return null;
+        throw err;
+    }
+}
+/**
+ * Bind the logged-in user (email + org) to a pending device code, identified
+ * by its human-typable `user_code`. Only transitions a non-expired, still
+ * `pending` row. Returns the bound row, or a string error code:
+ *   - `not_found`  — no such user_code
+ *   - `expired`    — past its TTL
+ *   - `already`    — already approved/consumed (not re-bindable)
+ */
+export async function approveDeviceCode(userCode, ownerEmail, orgId) {
+    await ensureTable();
+    const client = getDbExec();
+    const row = await getDeviceCodeByUserCode(userCode);
+    if (!row)
+        return "not_found";
+    if ((row.expiresAt ?? 0) < Date.now())
+        return "expired";
+    if (row.status !== "pending")
+        return "already";
+    const result = await client.execute({
+        sql: `UPDATE mcp_device_codes SET status = 'approved', owner_email = ?, org_id = ? WHERE user_code = ? AND status = 'pending'`,
+        args: [ownerEmail, orgId, userCode],
+    });
+    if (result.rowsAffected === 0) {
+        // Lost a race with another approve — re-read to report the real state.
+        const fresh = await getDeviceCodeByUserCode(userCode);
+        return fresh && fresh.status !== "pending" ? "already" : "not_found";
+    }
+    return {
+        ...row,
+        status: "approved",
+        ownerEmail,
+        orgId,
+    };
+}
+/**
+ * Atomically transition an approved device code to consumed and stamp the
+ * minted token's jti. Single-use: only succeeds when the row is currently
+ * `approved` (not already consumed). Returns the pre-consume row on success,
+ * or null when it could not be consumed (already consumed / not approved /
+ * gone). The caller mints the token only after this returns a row.
+ */
+export async function consumeDeviceCode(deviceCode, tokenJti) {
+    await ensureTable();
+    const client = getDbExec();
+    const row = await getDeviceCode(deviceCode);
+    if (!row)
+        return null;
+    if (row.status !== "approved")
+        return null;
+    const result = await client.execute({
+        sql: `UPDATE mcp_device_codes SET status = 'consumed', token_jti = ?, consumed_at = ? WHERE device_code = ? AND status = 'approved'`,
+        args: [tokenJti, Date.now(), deviceCode],
+    });
+    if (result.rowsAffected === 0)
+        return null; // lost the single-use race
+    return row;
+}
+/**
+ * Claim an approved device code for token minting without making it terminal.
+ * If signing or token recording fails, callers release this back to approved
+ * so the CLI can retry the poll instead of being stuck at "consumed".
+ */
+export async function claimDeviceCodeForMint(deviceCode, tokenJti) {
+    await ensureTable();
+    const client = getDbExec();
+    const row = await getDeviceCode(deviceCode);
+    if (!row || row.status !== "approved")
+        return null;
+    const result = await client.execute({
+        sql: `UPDATE mcp_device_codes SET status = 'minting', token_jti = ?, consumed_at = ? WHERE device_code = ? AND status = 'approved'`,
+        args: [tokenJti, Date.now(), deviceCode],
+    });
+    if (result.rowsAffected === 0)
+        return null;
+    return row;
+}
+export async function finishDeviceCodeMint(deviceCode, tokenJti) {
+    await ensureTable();
+    const client = getDbExec();
+    const result = await client.execute({
+        sql: `UPDATE mcp_device_codes SET status = 'consumed' WHERE device_code = ? AND status = 'minting' AND token_jti = ?`,
+        args: [deviceCode, tokenJti],
+    });
+    return result.rowsAffected > 0;
+}
+export async function releaseDeviceCodeMint(deviceCode, tokenJti) {
+    try {
+        await ensureTable();
+        const client = getDbExec();
+        await client.execute({
+            sql: `UPDATE mcp_device_codes SET status = 'approved', token_jti = NULL, consumed_at = NULL WHERE device_code = ? AND status = 'minting' AND token_jti = ?`,
+            args: [deviceCode, tokenJti],
+        });
+    }
+    catch {
+        // The next poll will keep returning pending for a minting row until a
+        // later cleanup/retry path can observe or repair it. Do not throw here.
+    }
+}
+/**
+ * Best-effort: flip an expired, still-pending/approved row to `expired` so
+ * the poll endpoint can report a clean terminal state. Swallows errors.
+ */
+export async function expireDeviceCode(deviceCode) {
+    try {
+        await ensureTable();
+        const client = getDbExec();
+        await client.execute({
+            sql: `UPDATE mcp_device_codes SET status = 'expired' WHERE device_code = ? AND status IN ('pending','approved')`,
+            args: [deviceCode],
+        });
+    }
+    catch {
+        // The poll handler already treats past-TTL rows as expired regardless of
+        // whether this housekeeping write lands.
+    }
+}
+function numOrNull(v) {
+    if (v == null)
+        return null;
+    const n = Number(v);
+    return Number.isFinite(n) ? n : null;
+}
+//# sourceMappingURL=connect-store.js.map

package/dist/mcp/connect-store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"connect-store.js","sourceRoot":"","sources":["../../src/mcp/connect-store.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,OAAO,EACL,SAAS,EACT,iBAAiB,EAEjB,OAAO,GACR,MAAM,iBAAiB,CAAC;AACzB,OAAO,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAEtD,IAAI,YAAuC,CAAC;AAE5C;;;;;GAKG;AACH,MAAM,CAAC,MAAM,iBAAiB,GAAG,aAAa,CAAC;AAE/C,6CAA6C;AAC7C,MAAM,CAAC,MAAM,kBAAkB,GAAG,EAAE,GAAG,MAAM,CAAC;AAE9C,0EAA0E;AAC1E,MAAM,CAAC,MAAM,sBAAsB,GAAG,EAAE,CAAC;AACzC,MAAM,CAAC,MAAM,kBAAkB,GAAG,CAAC,CAAC;AACpC,MAAM,CAAC,MAAM,kBAAkB,GAAG,GAAG,CAAC;AAEtC;;;;GAIG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAG,EAAE,CAAC;AACnC,MAAM,CAAC,MAAM,sBAAsB,GAAG,MAAM,CAAC;AAE7C,KAAK,UAAU,WAAW;IACxB,IAAI,CAAC,YAAY,EAAE,CAAC;QAClB,YAAY,GAAG,CAAC,KAAK,IAAI,EAAE;YACzB,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;YAC3B,qEAAqE;YACrE,6DAA6D;YAC7D,MAAM,MAAM,CAAC,OAAO,CAAC;;;;;;;uBAOJ,OAAO,EAAE;yBACP,OAAO,EAAE;uBACX,OAAO,EAAE;;OAEzB,CAAC,CAAC;YACH,MAAM,MAAM,CAAC,OAAO,CAAC;;;;;;;;uBAQJ,OAAO,EAAE;uBACT,OAAO,EAAE;wBACR,OAAO,EAAE;;OAE1B,CAAC,CAAC;QACL,CAAC,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YACjB,uEAAuE;YACvE,kEAAkE;YAClE,YAAY,GAAG,SAAS,CAAC;YACzB,MAAM,GAAG,CAAC;QACZ,CAAC,CAAC,CAAC;IACL,CAAC;IACD,OAAO,YAAY,CAAC;AACtB,CAAC;AAiBD;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,MAKvC;IACC,MAAM,WAAW,EAAE,CAAC;IACpB,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;IAC3B,MAAM,EAAE,GAAG,UAAU,EAAE,CAAC;IACxB,MAAM,MAAM,CAAC,OAAO,CAAC;QACnB,GAAG,EAAE,4IAA4I;QACjJ,IAAI,EAAE;YACJ,EAAE;YACF,MAAM,CAAC,GAAG;YACV,MAAM,CAAC,UAAU;YACjB,MAAM,CAAC,KAAK,IAAI,IAAI;YACpB,MAAM,CAAC,KAAK,IAAI,IAAI;YACpB,IAAI,CAAC,GAAG,EAAE;YACV,IAAI;YACJ,IAAI;SACL;KACF,CAAC,CAAC;IACH,OAAO,EAAE,CAAC;AACZ,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,GAAW;IAC5C,IAAI,CAAC;QACH,MAAM,WAAW,EAAE,CAAC;QACpB,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAC3B,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,MAAM,CAAC,OAAO,CAAC;YACpC,GAAG,EAAE,yDAAyD;YAC9D,IAAI,EAAE,CAAC,GAAG,CAAC;SACZ,CAAC,CAAC;QACH,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,KAAK,CAAC;QACpC,MAAM,SAAS,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC,UAAU,IAAI,IAAI,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QAC1D,OAAO,SAAS,IAAI,IAAI,CAAC;IAC3B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,oEAAoE;QACpE,uEAAuE;QACvE,IAAI,iBAAiB,CAAC,GAAG,CAAC;YAAE,OAAO,KAAK,CAAC;QACzC,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,UAAU,CAC9B,UAAkB;IAElB,IAAI,CAAC;QACH,MAAM,WAAW,EAAE,CAAC;QACpB,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAC3B,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,MAAM,CAAC,OAAO,CAAC;YACpC,GAAG,EAAE,yJAAyJ;YAC9J,IAAI,EAAE,CAAC,UAAU,CAAC;SACnB,CAAC,CAAC;QACH,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,CAAC;YAC3B,EAAE,EAAE,CAAC,CAAC,EAAY;YAClB,GAAG,EAAE,CAAC,CAAC,GAAa;YACpB,UAAU,EAAE,CAAC,CAAC,CAAC,WAAW,IAAI,CAAC,CAAC,UAAU,CAAW;YACrD,KAAK,EAAE,CAAC,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,KAAK,IAAI,IAAI,CAAkB;YACrD,KAAK,EAAE,CAAC,CAAC,CAAC,KAAK,IAAI,IAAI,CAAkB;YACzC,SAAS,EAAE,SAAS,CAAC,CAAC,CAAC,UAAU,IAAI,CAAC,CAAC,SAAS,CAAC;YACjD,UAAU,EAAE,SAAS,CAAC,CAAC,CAAC,YAAY,IAAI,CAAC,CAAC,UAAU,CAAC;YACrD,SAAS,EAAE,SAAS,CAAC,CAAC,CAAC,UAAU,IAAI,CAAC,CAAC,SAAS,CAAC;SAClD,CAAC,CAAC,CAAC;IACN,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,iBAAiB,CAAC,GAAG,CAAC;YAAE,OAAO,EAAE,CAAC;QACtC,MAAM,GAAG,CAAC;IACZ,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,UAAkB,EAClB,EAAU;IAEV,MAAM,WAAW,EAAE,CAAC;IACpB,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;IAC3B,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,OAAO,CAAC;QAClC,GAAG,EAAE,sGAAsG;QAC3G,IAAI,EAAE,CAAC,IAAI,CAAC,GAAG,EAAE,EAAE,EAAE,EAAE,UAAU,CAAC;KACnC,CAAC,CAAC;IACH,OAAO,MAAM,CAAC,YAAY,GAAG,CAAC,CAAC;AACjC,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,GAAW;IAC9C,IAAI,CAAC;QACH,MAAM,WAAW,EAAE,CAAC;QACpB,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAC3B,MAAM,MAAM,CAAC,OAAO,CAAC;YACnB,GAAG,EAAE,8DAA8D;YACnE,IAAI,EAAE,CAAC,IAAI,CAAC,GAAG,EAAE,EAAE,GAAG,CAAC;SACxB,CAAC,CAAC;IACL,CAAC;IAAC,MAAM,CAAC;QACP,sEAAsE;IACxE,CAAC;AACH,CAAC;AAkBD,MAAM,kBAAkB,GAAG,kCAAkC,CAAC,CAAC,mCAAmC;AAElG,qEAAqE;AACrE,SAAS,gBAAgB;IACvB,MAAM,KAAK,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC;IAC7B,IAAI,GAAG,GAAG,EAAE,CAAC;IACb,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QAC3B,GAAG,IAAI,kBAAkB,CAAC,KAAK,CAAC,CAAC,CAAC,GAAG,kBAAkB,CAAC,MAAM,CAAC,CAAC;QAChE,IAAI,CAAC,KAAK,CAAC;YAAE,GAAG,IAAI,GAAG,CAAC;IAC1B,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,kBAAkB;IACzB,OAAO,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AAC/C,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB;IACpC,MAAM,WAAW,EAAE,CAAC;IACpB,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;IAE3B,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,IAAI,CAAC;QACH,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,MAAM,CAAC,OAAO,CAAC;YACpC,GAAG,EAAE,iEAAiE;YACtE,IAAI,EAAE,CAAC,GAAG,GAAG,sBAAsB,CAAC;SACrC,CAAC,CAAC;QACH,MAAM,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC;QAC3D,IAAI,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,gBAAgB,EAAE,CAAC;YAChD,MAAM,IAAI,KAAK,CAAC,cAAc,CAAC,CAAC;QAClC,CAAC;IACH,CAAC;IAAC,OAAO,GAAQ,EAAE,CAAC;QAClB,IAAI,GAAG,EAAE,OAAO,KAAK,cAAc;YAAE,MAAM,GAAG,CAAC;QAC/C,sEAAsE;QACtE,qEAAqE;IACvE,CAAC;IAED,MAAM,UAAU,GAAG,kBAAkB,EAAE,CAAC;IACxC,MAAM,QAAQ,GAAG,gBAAgB,EAAE,CAAC;IACpC,MAAM,SAAS,GAAG,GAAG,GAAG,kBAAkB,CAAC;IAC3C,MAAM,MAAM,CAAC,OAAO,CAAC;QACnB,GAAG,EAAE,uKAAuK;QAC5K,IAAI,EAAE;YACJ,UAAU;YACV,QAAQ;YACR,IAAI;YACJ,IAAI;YACJ,SAAS;YACT,IAAI;YACJ,GAAG;YACH,SAAS;YACT,IAAI;SACL;KACF,CAAC,CAAC;IACH,OAAO;QACL,UAAU;QACV,QAAQ;QACR,UAAU,EAAE,IAAI;QAChB,KAAK,EAAE,IAAI;QACX,MAAM,EAAE,SAAS;QACjB,QAAQ,EAAE,IAAI;QACd,SAAS,EAAE,GAAG;QACd,SAAS;QACT,UAAU,EAAE,IAAI;KACjB,CAAC;AACJ,CAAC;AAED,SAAS,YAAY,CAAC,CAAM;IAC1B,OAAO;QACL,UAAU,EAAE,CAAC,CAAC,CAAC,WAAW,IAAI,CAAC,CAAC,UAAU,CAAW;QACrD,QAAQ,EAAE,CAAC,CAAC,CAAC,SAAS,IAAI,CAAC,CAAC,QAAQ,CAAW;QAC/C,UAAU,EAAE,CAAC,CAAC,CAAC,WAAW,IAAI,CAAC,CAAC,UAAU,IAAI,IAAI,CAAkB;QACpE,KAAK,EAAE,CAAC,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,KAAK,IAAI,IAAI,CAAkB;QACrD,MAAM,EAAE,CAAC,CAAC,CAAC,MAAM,IAAI,SAAS,CAA4B;QAC1D,QAAQ,EAAE,CAAC,CAAC,CAAC,SAAS,IAAI,CAAC,CAAC,QAAQ,IAAI,IAAI,CAAkB;QAC9D,SAAS,EAAE,SAAS,CAAC,CAAC,CAAC,UAAU,IAAI,CAAC,CAAC,SAAS,CAAC;QACjD,SAAS,EAAE,SAAS,CAAC,CAAC,CAAC,UAAU,IAAI,CAAC,CAAC,SAAS,CAAC;QACjD,UAAU,EAAE,SAAS,CAAC,CAAC,CAAC,WAAW,IAAI,CAAC,CAAC,UAAU,CAAC;KACrD,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,UAAkB;IAElB,IAAI,CAAC;QACH,MAAM,WAAW,EAAE,CAAC;QACpB,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAC3B,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,MAAM,CAAC,OAAO,CAAC;YACpC,GAAG,EAAE,sDAAsD;YAC3D,IAAI,EAAE,CAAC,UAAU,CAAC;SACnB,CAAC,CAAC;QACH,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;QACnC,OAAO,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;IAC/B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,iBAAiB,CAAC,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC;QACxC,MAAM,GAAG,CAAC;IACZ,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,QAAgB;IAEhB,IAAI,CAAC;QACH,MAAM,WAAW,EAAE,CAAC;QACpB,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAC3B,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,MAAM,CAAC,OAAO,CAAC;YACpC,GAAG,EAAE,oDAAoD;YACzD,IAAI,EAAE,CAAC,QAAQ,CAAC;SACjB,CAAC,CAAC;QACH,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;QACnC,OAAO,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;IAC/B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,iBAAiB,CAAC,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC;QACxC,MAAM,GAAG,CAAC;IACZ,CAAC;AACH,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,QAAgB,EAChB,UAAkB,EAClB,KAAoB;IAEpB,MAAM,WAAW,EAAE,CAAC;IACpB,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;IAC3B,MAAM,GAAG,GAAG,MAAM,uBAAuB,CAAC,QAAQ,CAAC,CAAC;IACpD,IAAI,CAAC,GAAG;QAAE,OAAO,WAAW,CAAC;IAC7B,IAAI,CAAC,GAAG,CAAC,SAAS,IAAI,CAAC,CAAC,GAAG,IAAI,CAAC,GAAG,EAAE;QAAE,OAAO,SAAS,CAAC;IACxD,IAAI,GAAG,CAAC,MAAM,KAAK,SAAS;QAAE,OAAO,SAAS,CAAC;IAE/C,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,OAAO,CAAC;QAClC,GAAG,EAAE,yHAAyH;QAC9H,IAAI,EAAE,CAAC,UAAU,EAAE,KAAK,EAAE,QAAQ,CAAC;KACpC,CAAC,CAAC;IACH,IAAI,MAAM,CAAC,YAAY,KAAK,CAAC,EAAE,CAAC;QAC9B,uEAAuE;QACvE,MAAM,KAAK,GAAG,MAAM,uBAAuB,CAAC,QAAQ,CAAC,CAAC;QACtD,OAAO,KAAK,IAAI,KAAK,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,WAAW,CAAC;IACvE,CAAC;IACD,OAAO;QACL,GAAG,GAAG;QACN,MAAM,EAAE,UAAU;QAClB,UAAU;QACV,KAAK;KACN,CAAC;AACJ,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,UAAkB,EAClB,QAAgB;IAEhB,MAAM,WAAW,EAAE,CAAC;IACpB,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;IAC3B,MAAM,GAAG,GAAG,MAAM,aAAa,CAAC,UAAU,CAAC,CAAC;IAC5C,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IACtB,IAAI,GAAG,CAAC,MAAM,KAAK,UAAU;QAAE,OAAO,IAAI,CAAC;IAC3C,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,OAAO,CAAC;QAClC,GAAG,EAAE,+HAA+H;QACpI,IAAI,EAAE,CAAC,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,EAAE,UAAU,CAAC;KACzC,CAAC,CAAC;IACH,IAAI,MAAM,CAAC,YAAY,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC,CAAC,2BAA2B;IACvE,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAC1C,UAAkB,EAClB,QAAgB;IAEhB,MAAM,WAAW,EAAE,CAAC;IACpB,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;IAC3B,MAAM,GAAG,GAAG,MAAM,aAAa,CAAC,UAAU,CAAC,CAAC;IAC5C,IAAI,CAAC,GAAG,IAAI,GAAG,CAAC,MAAM,KAAK,UAAU;QAAE,OAAO,IAAI,CAAC;IACnD,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,OAAO,CAAC;QAClC,GAAG,EAAE,8HAA8H;QACnI,IAAI,EAAE,CAAC,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,EAAE,UAAU,CAAC;KACzC,CAAC,CAAC;IACH,IAAI,MAAM,CAAC,YAAY,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAC3C,OAAO,GAAG,CAAC;AACb,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,UAAkB,EAClB,QAAgB;IAEhB,MAAM,WAAW,EAAE,CAAC;IACpB,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;IAC3B,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,OAAO,CAAC;QAClC,GAAG,EAAE,gHAAgH;QACrH,IAAI,EAAE,CAAC,UAAU,EAAE,QAAQ,CAAC;KAC7B,CAAC,CAAC;IACH,OAAO,MAAM,CAAC,YAAY,GAAG,CAAC,CAAC;AACjC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,qBAAqB,CACzC,UAAkB,EAClB,QAAgB;IAEhB,IAAI,CAAC;QACH,MAAM,WAAW,EAAE,CAAC;QACpB,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAC3B,MAAM,MAAM,CAAC,OAAO,CAAC;YACnB,GAAG,EAAE,sJAAsJ;YAC3J,IAAI,EAAE,CAAC,UAAU,EAAE,QAAQ,CAAC;SAC7B,CAAC,CAAC;IACL,CAAC;IAAC,MAAM,CAAC;QACP,sEAAsE;QACtE,wEAAwE;IAC1E,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,UAAkB;IACvD,IAAI,CAAC;QACH,MAAM,WAAW,EAAE,CAAC;QACpB,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAC3B,MAAM,MAAM,CAAC,OAAO,CAAC;YACnB,GAAG,EAAE,2GAA2G;YAChH,IAAI,EAAE,CAAC,UAAU,CAAC;SACnB,CAAC,CAAC;IACL,CAAC;IAAC,MAAM,CAAC;QACP,yEAAyE;QACzE,yCAAyC;IAC3C,CAAC;AACH,CAAC;AAED,SAAS,SAAS,CAAC,CAAU;IAC3B,IAAI,CAAC,IAAI,IAAI;QAAE,OAAO,IAAI,CAAC;IAC3B,MAAM,CAAC,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;IACpB,OAAO,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;AACvC,CAAC","sourcesContent":["/**\n * Framework-table store for the \"connect external agents\" feature.\n *\n * Two additive, dialect-agnostic tables back the browser **Connect** page and\n * the OAuth-style **device-code flow** a CLI drives:\n *\n *   - `mcp_connect_tokens`  — one row per minted MCP token. We never store the\n *     token value (it's a signed JWT); only its `jti` so revocation is a\n *     SQL lookup. Revoking sets `revoked_at`; the row is never deleted.\n *   - `mcp_device_codes`    — short-lived (10 min) device/user code pairs for\n *     the OAuth 2.0 device-authorization-style CLI flow. Single-use\n *     (`consumed_at`), rate-limited at creation.\n *\n * Mirrors `application-state/store.ts`: lazy `ensureTable()`, `getDbExec()`,\n * `isPostgres()` dialect branching for upserts, `isConnectionError()` swallow\n * so a transient Neon WS drop never 500s. `CREATE TABLE IF NOT EXISTS` only —\n * strictly additive, never DROP / ALTER (shared prod DB rule).\n */\n\nimport {\n  getDbExec,\n  isConnectionError,\n  isPostgres,\n  intType,\n} from \"../db/client.js\";\nimport { randomBytes, randomUUID } from \"node:crypto\";\n\nlet _initPromise: Promise<void> | undefined;\n\n/**\n * Scope claim that marks a connect-minted token (vs. an ordinary A2A\n * delegation JWT). Only tokens carrying this scope go through the revoke\n * lookup in `verifyAuth` — defined here so both `connect-route.ts` and\n * `build-server.ts` import it from the leaf store without a cycle.\n */\nexport const MCP_CONNECT_SCOPE = \"mcp-connect\";\n\n/** Device codes are valid for 10 minutes. */\nexport const DEVICE_CODE_TTL_MS = 10 * 60_000;\n\n/** Default minted-token lifetime. Configurable per-request 1–365 days. */\nexport const DEFAULT_TOKEN_TTL_DAYS = 90;\nexport const MIN_TOKEN_TTL_DAYS = 1;\nexport const MAX_TOKEN_TTL_DAYS = 365;\n\n/**\n * Rate limit for `device/start`: at most this many device codes may be created\n * within `DEVICE_START_WINDOW_MS`. Unauthenticated endpoint — keep it tight so\n * a hostile client can't flood the table or brute-force user codes.\n */\nexport const DEVICE_START_MAX = 20;\nexport const DEVICE_START_WINDOW_MS = 60_000;\n\nasync function ensureTable(): Promise<void> {\n  if (!_initPromise) {\n    _initPromise = (async () => {\n      const client = getDbExec();\n      // Additive only. Never DROP / ALTER — this DB is shared across every\n      // deploy context (preview/branch/prod) for hosted templates.\n      await client.execute(`\n        CREATE TABLE IF NOT EXISTS mcp_connect_tokens (\n          id TEXT PRIMARY KEY,\n          jti TEXT UNIQUE NOT NULL,\n          owner_email TEXT NOT NULL,\n          org_id TEXT,\n          label TEXT,\n          created_at ${intType()},\n          last_used_at ${intType()},\n          revoked_at ${intType()}\n        )\n      `);\n      await client.execute(`\n        CREATE TABLE IF NOT EXISTS mcp_device_codes (\n          device_code TEXT PRIMARY KEY,\n          user_code TEXT NOT NULL,\n          owner_email TEXT,\n          org_id TEXT,\n          status TEXT NOT NULL DEFAULT 'pending',\n          token_jti TEXT,\n          created_at ${intType()},\n          expires_at ${intType()},\n          consumed_at ${intType()}\n        )\n      `);\n    })().catch((err) => {\n      // Don't cache a rejected init. A transient DB blip should let the next\n      // connect/mint/revoke call retry rather than wedging the process.\n      _initPromise = undefined;\n      throw err;\n    });\n  }\n  return _initPromise;\n}\n\n// ---------------------------------------------------------------------------\n// Minted-token records\n// ---------------------------------------------------------------------------\n\nexport interface MintedTokenRow {\n  id: string;\n  jti: string;\n  ownerEmail: string;\n  orgId: string | null;\n  label: string | null;\n  createdAt: number | null;\n  lastUsedAt: number | null;\n  revokedAt: number | null;\n}\n\n/**\n * Persist a record of a minted token. The token value itself (a signed JWT)\n * is NEVER stored — only its `jti`, so revocation is a cheap SQL lookup.\n */\nexport async function recordMintedToken(params: {\n  jti: string;\n  ownerEmail: string;\n  orgId?: string | null;\n  label?: string | null;\n}): Promise<string> {\n  await ensureTable();\n  const client = getDbExec();\n  const id = randomUUID();\n  await client.execute({\n    sql: `INSERT INTO mcp_connect_tokens (id, jti, owner_email, org_id, label, created_at, last_used_at, revoked_at) VALUES (?, ?, ?, ?, ?, ?, ?, ?)`,\n    args: [\n      id,\n      params.jti,\n      params.ownerEmail,\n      params.orgId ?? null,\n      params.label ?? null,\n      Date.now(),\n      null,\n      null,\n    ],\n  });\n  return id;\n}\n\n/**\n * Returns true when the given `jti` corresponds to a token that has been\n * revoked. Fails OPEN on a store/DB error: a transient Neon WS drop must not\n * lock every connected agent out. Signature verification is unaffected — this\n * is only the post-verify revoke check (see `verifyAuth` in build-server.ts).\n */\nexport async function isJtiRevoked(jti: string): Promise<boolean> {\n  try {\n    await ensureTable();\n    const client = getDbExec();\n    const { rows } = await client.execute({\n      sql: `SELECT revoked_at FROM mcp_connect_tokens WHERE jti = ?`,\n      args: [jti],\n    });\n    if (rows.length === 0) return false;\n    const revokedAt = rows[0].revoked_at ?? rows[0].revokedAt;\n    return revokedAt != null;\n  } catch (err) {\n    // Fail open: a DB blip must not turn every minted token into a 401.\n    // (Signature checks already passed; this only gates explicit revokes.)\n    if (isConnectionError(err)) return false;\n    return false;\n  }\n}\n\nexport async function listTokens(\n  ownerEmail: string,\n): Promise<MintedTokenRow[]> {\n  try {\n    await ensureTable();\n    const client = getDbExec();\n    const { rows } = await client.execute({\n      sql: `SELECT id, jti, owner_email, org_id, label, created_at, last_used_at, revoked_at FROM mcp_connect_tokens WHERE owner_email = ? ORDER BY created_at DESC`,\n      args: [ownerEmail],\n    });\n    return rows.map((r: any) => ({\n      id: r.id as string,\n      jti: r.jti as string,\n      ownerEmail: (r.owner_email ?? r.ownerEmail) as string,\n      orgId: (r.org_id ?? r.orgId ?? null) as string | null,\n      label: (r.label ?? null) as string | null,\n      createdAt: numOrNull(r.created_at ?? r.createdAt),\n      lastUsedAt: numOrNull(r.last_used_at ?? r.lastUsedAt),\n      revokedAt: numOrNull(r.revoked_at ?? r.revokedAt),\n    }));\n  } catch (err) {\n    if (isConnectionError(err)) return [];\n    throw err;\n  }\n}\n\n/**\n * Revoke a token, but ONLY if it is owned by `ownerEmail` (the caller). The\n * `owner_email = ?` predicate is the access scope — a caller can never revoke\n * another user's token. Idempotent: re-revoking keeps the first timestamp.\n * Returns true when a row was actually transitioned to revoked.\n */\nexport async function revokeToken(\n  ownerEmail: string,\n  id: string,\n): Promise<boolean> {\n  await ensureTable();\n  const client = getDbExec();\n  const result = await client.execute({\n    sql: `UPDATE mcp_connect_tokens SET revoked_at = ? WHERE id = ? AND owner_email = ? AND revoked_at IS NULL`,\n    args: [Date.now(), id, ownerEmail],\n  });\n  return result.rowsAffected > 0;\n}\n\n/**\n * Best-effort: stamp `last_used_at` for a token. Swallows all errors — this is\n * pure telemetry and must never affect the auth path.\n */\nexport async function touchTokenUsed(jti: string): Promise<void> {\n  try {\n    await ensureTable();\n    const client = getDbExec();\n    await client.execute({\n      sql: `UPDATE mcp_connect_tokens SET last_used_at = ? WHERE jti = ?`,\n      args: [Date.now(), jti],\n    });\n  } catch {\n    // last_used_at is informational only — never throw from the hot path.\n  }\n}\n\n// ---------------------------------------------------------------------------\n// Device-code flow (OAuth 2.0 device-authorization style)\n// ---------------------------------------------------------------------------\n\nexport interface DeviceCodeRow {\n  deviceCode: string;\n  userCode: string;\n  ownerEmail: string | null;\n  orgId: string | null;\n  status: \"pending\" | \"approved\" | \"minting\" | \"consumed\" | \"expired\";\n  tokenJti: string | null;\n  createdAt: number | null;\n  expiresAt: number | null;\n  consumedAt: number | null;\n}\n\nconst USER_CODE_ALPHABET = \"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567\"; // Crockford-ish base32, no 0/1/O/I\n\n/** Crypto-random short human-typable code, formatted `XXXX-XXXX`. */\nfunction generateUserCode(): string {\n  const bytes = randomBytes(8);\n  let out = \"\";\n  for (let i = 0; i < 8; i++) {\n    out += USER_CODE_ALPHABET[bytes[i] % USER_CODE_ALPHABET.length];\n    if (i === 3) out += \"-\";\n  }\n  return out;\n}\n\nfunction generateDeviceCode(): string {\n  return randomBytes(32).toString(\"base64url\");\n}\n\n/**\n * Create a new device+user code pair. Rate-limited: at most\n * `DEVICE_START_MAX` codes within `DEVICE_START_WINDOW_MS`. The window count\n * is a coarse global cap (this endpoint is unauthenticated) — enough to stop\n * table flooding / user-code brute force without per-IP plumbing.\n *\n * Throws `RATE_LIMITED` when the cap is exceeded so the route can map it to a\n * 429.\n */\nexport async function createDeviceCode(): Promise<DeviceCodeRow> {\n  await ensureTable();\n  const client = getDbExec();\n\n  const now = Date.now();\n  try {\n    const { rows } = await client.execute({\n      sql: `SELECT COUNT(*) AS n FROM mcp_device_codes WHERE created_at > ?`,\n      args: [now - DEVICE_START_WINDOW_MS],\n    });\n    const n = Number(rows[0]?.n ?? rows[0]?.[\"COUNT(*)\"] ?? 0);\n    if (Number.isFinite(n) && n >= DEVICE_START_MAX) {\n      throw new Error(\"RATE_LIMITED\");\n    }\n  } catch (err: any) {\n    if (err?.message === \"RATE_LIMITED\") throw err;\n    // A read failure here should not block legitimate device starts — the\n    // single-use + short-TTL design is the primary protection. Continue.\n  }\n\n  const deviceCode = generateDeviceCode();\n  const userCode = generateUserCode();\n  const expiresAt = now + DEVICE_CODE_TTL_MS;\n  await client.execute({\n    sql: `INSERT INTO mcp_device_codes (device_code, user_code, owner_email, org_id, status, token_jti, created_at, expires_at, consumed_at) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)`,\n    args: [\n      deviceCode,\n      userCode,\n      null,\n      null,\n      \"pending\",\n      null,\n      now,\n      expiresAt,\n      null,\n    ],\n  });\n  return {\n    deviceCode,\n    userCode,\n    ownerEmail: null,\n    orgId: null,\n    status: \"pending\",\n    tokenJti: null,\n    createdAt: now,\n    expiresAt,\n    consumedAt: null,\n  };\n}\n\nfunction mapDeviceRow(r: any): DeviceCodeRow {\n  return {\n    deviceCode: (r.device_code ?? r.deviceCode) as string,\n    userCode: (r.user_code ?? r.userCode) as string,\n    ownerEmail: (r.owner_email ?? r.ownerEmail ?? null) as string | null,\n    orgId: (r.org_id ?? r.orgId ?? null) as string | null,\n    status: (r.status ?? \"pending\") as DeviceCodeRow[\"status\"],\n    tokenJti: (r.token_jti ?? r.tokenJti ?? null) as string | null,\n    createdAt: numOrNull(r.created_at ?? r.createdAt),\n    expiresAt: numOrNull(r.expires_at ?? r.expiresAt),\n    consumedAt: numOrNull(r.consumed_at ?? r.consumedAt),\n  };\n}\n\nexport async function getDeviceCode(\n  deviceCode: string,\n): Promise<DeviceCodeRow | null> {\n  try {\n    await ensureTable();\n    const client = getDbExec();\n    const { rows } = await client.execute({\n      sql: `SELECT * FROM mcp_device_codes WHERE device_code = ?`,\n      args: [deviceCode],\n    });\n    if (rows.length === 0) return null;\n    return mapDeviceRow(rows[0]);\n  } catch (err) {\n    if (isConnectionError(err)) return null;\n    throw err;\n  }\n}\n\nexport async function getDeviceCodeByUserCode(\n  userCode: string,\n): Promise<DeviceCodeRow | null> {\n  try {\n    await ensureTable();\n    const client = getDbExec();\n    const { rows } = await client.execute({\n      sql: `SELECT * FROM mcp_device_codes WHERE user_code = ?`,\n      args: [userCode],\n    });\n    if (rows.length === 0) return null;\n    return mapDeviceRow(rows[0]);\n  } catch (err) {\n    if (isConnectionError(err)) return null;\n    throw err;\n  }\n}\n\n/**\n * Bind the logged-in user (email + org) to a pending device code, identified\n * by its human-typable `user_code`. Only transitions a non-expired, still\n * `pending` row. Returns the bound row, or a string error code:\n *   - `not_found`  — no such user_code\n *   - `expired`    — past its TTL\n *   - `already`    — already approved/consumed (not re-bindable)\n */\nexport async function approveDeviceCode(\n  userCode: string,\n  ownerEmail: string,\n  orgId: string | null,\n): Promise<DeviceCodeRow | \"not_found\" | \"expired\" | \"already\"> {\n  await ensureTable();\n  const client = getDbExec();\n  const row = await getDeviceCodeByUserCode(userCode);\n  if (!row) return \"not_found\";\n  if ((row.expiresAt ?? 0) < Date.now()) return \"expired\";\n  if (row.status !== \"pending\") return \"already\";\n\n  const result = await client.execute({\n    sql: `UPDATE mcp_device_codes SET status = 'approved', owner_email = ?, org_id = ? WHERE user_code = ? AND status = 'pending'`,\n    args: [ownerEmail, orgId, userCode],\n  });\n  if (result.rowsAffected === 0) {\n    // Lost a race with another approve — re-read to report the real state.\n    const fresh = await getDeviceCodeByUserCode(userCode);\n    return fresh && fresh.status !== \"pending\" ? \"already\" : \"not_found\";\n  }\n  return {\n    ...row,\n    status: \"approved\",\n    ownerEmail,\n    orgId,\n  };\n}\n\n/**\n * Atomically transition an approved device code to consumed and stamp the\n * minted token's jti. Single-use: only succeeds when the row is currently\n * `approved` (not already consumed). Returns the pre-consume row on success,\n * or null when it could not be consumed (already consumed / not approved /\n * gone). The caller mints the token only after this returns a row.\n */\nexport async function consumeDeviceCode(\n  deviceCode: string,\n  tokenJti: string,\n): Promise<DeviceCodeRow | null> {\n  await ensureTable();\n  const client = getDbExec();\n  const row = await getDeviceCode(deviceCode);\n  if (!row) return null;\n  if (row.status !== \"approved\") return null;\n  const result = await client.execute({\n    sql: `UPDATE mcp_device_codes SET status = 'consumed', token_jti = ?, consumed_at = ? WHERE device_code = ? AND status = 'approved'`,\n    args: [tokenJti, Date.now(), deviceCode],\n  });\n  if (result.rowsAffected === 0) return null; // lost the single-use race\n  return row;\n}\n\n/**\n * Claim an approved device code for token minting without making it terminal.\n * If signing or token recording fails, callers release this back to approved\n * so the CLI can retry the poll instead of being stuck at \"consumed\".\n */\nexport async function claimDeviceCodeForMint(\n  deviceCode: string,\n  tokenJti: string,\n): Promise<DeviceCodeRow | null> {\n  await ensureTable();\n  const client = getDbExec();\n  const row = await getDeviceCode(deviceCode);\n  if (!row || row.status !== \"approved\") return null;\n  const result = await client.execute({\n    sql: `UPDATE mcp_device_codes SET status = 'minting', token_jti = ?, consumed_at = ? WHERE device_code = ? AND status = 'approved'`,\n    args: [tokenJti, Date.now(), deviceCode],\n  });\n  if (result.rowsAffected === 0) return null;\n  return row;\n}\n\nexport async function finishDeviceCodeMint(\n  deviceCode: string,\n  tokenJti: string,\n): Promise<boolean> {\n  await ensureTable();\n  const client = getDbExec();\n  const result = await client.execute({\n    sql: `UPDATE mcp_device_codes SET status = 'consumed' WHERE device_code = ? AND status = 'minting' AND token_jti = ?`,\n    args: [deviceCode, tokenJti],\n  });\n  return result.rowsAffected > 0;\n}\n\nexport async function releaseDeviceCodeMint(\n  deviceCode: string,\n  tokenJti: string,\n): Promise<void> {\n  try {\n    await ensureTable();\n    const client = getDbExec();\n    await client.execute({\n      sql: `UPDATE mcp_device_codes SET status = 'approved', token_jti = NULL, consumed_at = NULL WHERE device_code = ? AND status = 'minting' AND token_jti = ?`,\n      args: [deviceCode, tokenJti],\n    });\n  } catch {\n    // The next poll will keep returning pending for a minting row until a\n    // later cleanup/retry path can observe or repair it. Do not throw here.\n  }\n}\n\n/**\n * Best-effort: flip an expired, still-pending/approved row to `expired` so\n * the poll endpoint can report a clean terminal state. Swallows errors.\n */\nexport async function expireDeviceCode(deviceCode: string): Promise<void> {\n  try {\n    await ensureTable();\n    const client = getDbExec();\n    await client.execute({\n      sql: `UPDATE mcp_device_codes SET status = 'expired' WHERE device_code = ? AND status IN ('pending','approved')`,\n      args: [deviceCode],\n    });\n  } catch {\n    // The poll handler already treats past-TTL rows as expired regardless of\n    // whether this housekeeping write lands.\n  }\n}\n\nfunction numOrNull(v: unknown): number | null {\n  if (v == null) return null;\n  const n = Number(v);\n  return Number.isFinite(n) ? n : null;\n}\n"]}

package/dist/mcp/org-directory.d.ts

@@ -0,0 +1,83 @@
+/**
+ * Org-directory discovery for the generic cross-app MCP verbs
+ * (`list_apps` / `ask_app` in `builtin-tools.ts`).
+ *
+ * Phase 3b of cross-app auto-wiring. Today the cross-app verbs resolve sibling
+ * apps from *local workspace* info only (`workspace-resolve.ts`), so the mail
+ * agent can only reach the calendar agent in a local dev workspace. When the
+ * deployment runs against an org directory (Dispatch is also the identity hub
+ * for the org), this module discovers the org's *deployed* sibling apps so the
+ * same verbs work cross-app in production with ZERO manual setup.
+ *
+ * ## The directory request
+ *
+ *   GET  <directoryOrigin>/_agent-native/org/apps
+ *   Auth Authorization: Bearer <org A2A token>   (same signed token A2A peers
+ *        already mint — reuses `resolveA2ACallerAuth()`; the org A2A secret /
+ *        global `A2A_SECRET` is loaded exactly how outgoing A2A calls load it)
+ *   ⇒    { org, apps: [ { id, name, url, a2aUrl, capabilities? } ] }
+ *        (allow-listed first-party apps only, prod URLs — enforced by the
+ *         authority side, Phase 3a, on Dispatch)
+ *
+ * ## Resolution + safety model
+ *
+ *   - The directory origin is read from env: `AGENT_NATIVE_ORG_DIRECTORY_URL`
+ *     (dedicated) or `AGENT_NATIVE_IDENTITY_HUB_URL` (Dispatch is also the
+ *     identity hub). When *neither* is set the feature is simply inactive —
+ *     `fetchOrgApps()` returns `[]` and nothing changes anywhere (asserted by
+ *     a test). This makes the whole feature opt-in and back-compat.
+ *   - On ANY error (no env, unreachable, 401, non-2xx, bad JSON, no signed
+ *     token) `fetchOrgApps()` returns `[]` and NEVER throws — the cross-app
+ *     verbs degrade silently to their exact current local-only behavior.
+ *   - A short in-memory TTL cache (default 60s) keyed by directory origin and
+ *     caller identity/org scope so sibling app lists never cross tenants.
+ *     Empty authenticated results are cached too (with a shorter TTL) so a
+ *     transient failure doesn't hammer the directory on every call.
+ *   - No secrets are ever logged.
+ *
+ * Bundled alongside `mountMCP` (no Node-only top-level imports). The A2A
+ * caller-auth + a2a client are dynamically imported inside `fetchOrgApps()`.
+ */
+export interface OrgApp {
+    /** Canonical app id, e.g. `calendar`. */
+    id: string;
+    /** Human-readable name, e.g. `Calendar`. */
+    name: string;
+    /** Deployed app origin/URL, e.g. `https://calendar.acme.com`. */
+    url: string;
+    /**
+     * A2A endpoint to route `ask_app` to. The authority side returns this; we
+     * fall back to the app `url` (the A2A client appends `/_agent-native/a2a`).
+     */
+    a2aUrl: string;
+    /** Optional capability hints the authority side may include. */
+    capabilities?: string[];
+}
+/**
+ * Resolve the org-directory origin from env. Returns `null` when neither env
+ * var is set — the caller treats `null` as "feature inactive".
+ *
+ * `env` is injectable for tests; defaults to `process.env`.
+ */
+export declare function resolveOrgDirectoryOrigin(env?: NodeJS.ProcessEnv): string | null;
+/**
+ * Fetch the org's first-party sibling apps from the org directory.
+ *
+ * - Returns `[]` (never throws) on ANY failure or when the directory env is
+ *   unset — the cross-app verbs then keep their exact local-only behavior.
+ * - Short in-memory TTL cache so it isn't fetched on every tool call.
+ * - Strips the current app from the result (compared by id and by origin) so
+ *   `list_apps` / `ask_app` never offer to route to themselves.
+ *
+ * @param opts.selfId      Current app id (so it's stripped from the result).
+ * @param opts.selfOrigin  Current app origin (so it's stripped by origin too).
+ * @param opts.env         Injectable env (tests). Defaults to `process.env`.
+ */
+export declare function fetchOrgApps(opts?: {
+    selfId?: string;
+    selfOrigin?: string;
+    env?: NodeJS.ProcessEnv;
+}): Promise<OrgApp[]>;
+/** Test-only: clear the in-memory cache between cases. */
+export declare function _resetOrgDirectoryCache(): void;
+//# sourceMappingURL=org-directory.d.ts.map

package/dist/mcp/org-directory.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"org-directory.d.ts","sourceRoot":"","sources":["../../src/mcp/org-directory.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAuCG;AAEH,MAAM,WAAW,MAAM;IACrB,yCAAyC;IACzC,EAAE,EAAE,MAAM,CAAC;IACX,4CAA4C;IAC5C,IAAI,EAAE,MAAM,CAAC;IACb,iEAAiE;IACjE,GAAG,EAAE,MAAM,CAAC;IACZ;;;OAGG;IACH,MAAM,EAAE,MAAM,CAAC;IACf,gEAAgE;IAChE,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;CACzB;AAeD;;;;;GAKG;AACH,wBAAgB,yBAAyB,CACvC,GAAG,GAAE,MAAM,CAAC,UAAwB,GACnC,MAAM,GAAG,IAAI,CAcf;AAwDD;;;;;;;;;;;;GAYG;AACH,wBAAsB,YAAY,CAAC,IAAI,CAAC,EAAE;IACxC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,GAAG,CAAC,EAAE,MAAM,CAAC,UAAU,CAAC;CACzB,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CAmEpB;AAED,0DAA0D;AAC1D,wBAAgB,uBAAuB,IAAI,IAAI,CAE9C"}