@agent-vm/mcp-portal 0.0.69 → 0.0.70

package/README.md

@@ -1,10 +1,11 @@
 # @agent-vm/mcp-portal
 
-Agent-scoped MCP Portal server and Tool VM helpers.
+Agent-scoped MCP Portal core library, external proxy, CLI, and Tool VM helpers.
 
 ## What This Package Owns
 
-- The standalone `agent-vm-mcp-portal-server` HTTP MCP server.
+- `/core`, the adapter-neutral portal execution library used by OpenClaw.
+- `mcp-portal mcp-proxy serve`, the external `/mcp-proxy` MCP server command.
 - The four model-facing portal tools: `mcp_portal_list`, `mcp_portal_search`, `mcp_portal_describe`, and `mcp_portal_call`.
 - JSON-Schema-derived Zod validation before upstream tool calls.
 - HMAC approval-token verification for portal calls that OpenClaw approved.
@@ -12,23 +13,53 @@ Agent-scoped MCP Portal server and Tool VM helpers.
 
 ## Runtime Shape
 
-The server is launched in the OpenClaw gateway VM and listens on a loopback port,
-normally `127.0.0.1:18790`.
+Managed OpenClaw loads `/core` in process from a controller-materialized
+effective config directory. It does not launch a portal server in the gateway VM.
 
-Each agent receives a distinct MCP URL:
+External MCP clients can use the proxy command:
 
 ```text
-http://127.0.0.1:18790/agents/<agentId>/mcp
+mcp-portal mcp-proxy serve --config-dir <dir>
 ```
 
 The portal loads two files from `--config-dir`:
 
 - `mcp.config.jsonc`: upstream MCP provider catalog and credentials.
-- `mcp-portal.config.jsonc`: portal access header, agents, profiles, and policy.
+- `mcp-portal.config.jsonc`: agents, profiles, policy, and optional external proxy auth.
+
+External `serve` resolves `source: "1password"` refs through `@agent-vm/secrets`.
+Use `AGENT_VM_MCP_PORTAL_OP_TOKEN_SOURCE=env`, `op-cli`, or `keychain` plus the
+matching source-specific env settings when the proxy host needs 1Password
+access. If no token source is configured, env-only configs still work. The
+built-in HTTP bearer server is loopback-only; use a TLS reverse proxy and
+`mcp-portal mcp-proxy print-client-config --proxy-url <url>` for public
+endpoints. The printed client config contains bearer credential material on
+stdout. Treat it like an API token, keep it out of logs and commits, and rotate
+`credentialVersion` or the portal `masterKey` to revoke issued credentials.
+
+`mcp-proxy serve` keeps approval-token replay state in process. Run one serving
+process per external endpoint unless a future shared replay store is added.
+Restarting the process clears consumed approval JTIs, so approval token TTLs
+must stay short.
+
+Managed OpenClaw materialization rewrites provider secrets to environment
+references in the effective MCP config. Plaintext provider values flow only into
+runtime environment variables for `injection: "env"` or into host-mediated
+runtime secret state for `injection: "http-mediation"`; they are not written to
+the generated config files.
+
+Upstream MCP provider URLs are deployment-owned config. The schema rejects
+non-HTTP schemes, but it intentionally allows loopback and private-network HTTP
+targets because local sidecars and private service MCP providers are supported.
+Do not load provider config from untrusted sources. If a future workflow imports
+less-trusted provider definitions, put an explicit per-provider network
+allowlist in front of private-network targets instead of blanket-blocking
+loopback.
 
 ## Start Reading
 
-- `src/bin/portal-server.ts` for CLI boot and config loading.
-- `src/mcp-server/portal-http-server.ts` for Hono routing and MCP transport.
-- `src/mcp-server/portal-tools.ts` for portal tool behavior.
-- `src/auth/hmac-token.ts` for approval-token signing and verification.
+- `src/core/portal-core.ts` for adapter-neutral execution.
+- `src/bin/mcp-portal.ts` for CLI commands.
+- `src/mcp-proxy/portal-http-server.ts` for Hono routing and MCP transport.
+- `src/core/portal-tools.ts` for portal tool behavior.
+- `src/portal-auth/hmac-token.ts` for approval-token signing and verification.

package/dist/agent-bearer-token-DCtpDPCZ.js

@@ -0,0 +1,59 @@
+import { createHash, createHmac, timingSafeEqual } from "node:crypto";
+//#region src/portal-auth/agent-bearer-token.ts
+const bearerPurposePrefix = "mcp-proxy:agent:";
+const minimumMasterKeyBytes = 32;
+const base64UrlPattern = /^[A-Za-z0-9_-]+$/u;
+function decodePortalMasterKey(encodedMasterKey) {
+	const trimmedMasterKey = encodedMasterKey.trim();
+	if (!base64UrlPattern.test(trimmedMasterKey)) throw new Error("MCP Portal masterKey must be base64url-encoded key material.");
+	const masterKey = Buffer.from(trimmedMasterKey, "base64url");
+	if (masterKey.length < minimumMasterKeyBytes) throw new Error(`MCP Portal masterKey must decode to at least ${String(minimumMasterKeyBytes)} bytes.`);
+	if (masterKey.toString("base64url") !== trimmedMasterKey) throw new Error("MCP Portal masterKey must be canonical base64url without padding.");
+	return masterKey;
+}
+function deriveAgentBearerToken(props) {
+	return createHmac("sha256", props.masterKey).update(`${bearerPurposePrefix}${props.agentId}:v${String(props.credentialVersion)}`).digest("base64url");
+}
+function formatMasterKeyFingerprint(masterKey) {
+	return `sha256:${createHash("sha256").update(masterKey).digest("base64url")}`;
+}
+function timingSafeEqualToken(left, right) {
+	const leftBuffer = Buffer.from(left);
+	const rightBuffer = Buffer.from(right);
+	return leftBuffer.length === rightBuffer.length && timingSafeEqual(leftBuffer, rightBuffer);
+}
+function mismatchedTokenWithExpectedLength(expectedToken) {
+	return `${expectedToken.startsWith("A") ? "B" : "A"}${expectedToken.slice(1)}`;
+}
+function verifyAgentBearerAuthorization(props) {
+	const expectedToken = deriveAgentBearerToken({
+		agentId: props.agentId,
+		credentialVersion: props.credentialVersion,
+		masterKey: props.masterKey
+	});
+	const mismatchedToken = mismatchedTokenWithExpectedLength(expectedToken);
+	if (props.authorizationHeader === void 0) {
+		timingSafeEqualToken(mismatchedToken, expectedToken);
+		return {
+			ok: false,
+			reason: "missing"
+		};
+	}
+	const [scheme, token, extra] = props.authorizationHeader.split(/\s+/u);
+	if (scheme !== "Bearer" || token === void 0 || token.length === 0 || extra !== void 0) {
+		timingSafeEqualToken(mismatchedToken, expectedToken);
+		return {
+			ok: false,
+			reason: "malformed"
+		};
+	}
+	if (!timingSafeEqualToken(token.length === expectedToken.length ? token : mismatchedToken, expectedToken)) return {
+		ok: false,
+		reason: "signature-mismatch"
+	};
+	return { ok: true };
+}
+//#endregion
+export { verifyAgentBearerAuthorization as i, deriveAgentBearerToken as n, formatMasterKeyFingerprint as r, decodePortalMasterKey as t };
+
+//# sourceMappingURL=agent-bearer-token-DCtpDPCZ.js.map

package/dist/agent-bearer-token-DCtpDPCZ.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"agent-bearer-token-DCtpDPCZ.js","names":[],"sources":["../src/portal-auth/agent-bearer-token.ts"],"sourcesContent":["import { createHash, createHmac, timingSafeEqual } from 'node:crypto';\n\nexport interface DeriveAgentBearerTokenProps {\n\treadonly agentId: string;\n\treadonly credentialVersion: number;\n\treadonly masterKey: Buffer;\n}\n\nexport interface VerifyAgentBearerAuthorizationProps extends DeriveAgentBearerTokenProps {\n\treadonly authorizationHeader: string | undefined;\n}\n\nexport type VerifyAgentBearerAuthorizationResult =\n\t| { readonly ok: true }\n\t| { readonly ok: false; readonly reason: 'malformed' | 'missing' | 'signature-mismatch' };\n\nconst bearerPurposePrefix = 'mcp-proxy:agent:';\nconst minimumMasterKeyBytes = 32;\nconst base64UrlPattern = /^[A-Za-z0-9_-]+$/u;\n\nexport function decodePortalMasterKey(encodedMasterKey: string): Buffer {\n\tconst trimmedMasterKey = encodedMasterKey.trim();\n\tif (!base64UrlPattern.test(trimmedMasterKey)) {\n\t\tthrow new Error('MCP Portal masterKey must be base64url-encoded key material.');\n\t}\n\tconst masterKey = Buffer.from(trimmedMasterKey, 'base64url');\n\tif (masterKey.length < minimumMasterKeyBytes) {\n\t\tthrow new Error(\n\t\t\t`MCP Portal masterKey must decode to at least ${String(minimumMasterKeyBytes)} bytes.`,\n\t\t);\n\t}\n\tif (masterKey.toString('base64url') !== trimmedMasterKey) {\n\t\tthrow new Error('MCP Portal masterKey must be canonical base64url without padding.');\n\t}\n\treturn masterKey;\n}\n\nexport function deriveAgentBearerToken(props: DeriveAgentBearerTokenProps): string {\n\treturn createHmac('sha256', props.masterKey)\n\t\t.update(`${bearerPurposePrefix}${props.agentId}:v${String(props.credentialVersion)}`)\n\t\t.digest('base64url');\n}\n\nexport function formatMasterKeyFingerprint(masterKey: Buffer): string {\n\treturn `sha256:${createHash('sha256').update(masterKey).digest('base64url')}`;\n}\n\nfunction timingSafeEqualToken(left: string, right: string): boolean {\n\tconst leftBuffer = Buffer.from(left);\n\tconst rightBuffer = Buffer.from(right);\n\treturn leftBuffer.length === rightBuffer.length && timingSafeEqual(leftBuffer, rightBuffer);\n}\n\nfunction mismatchedTokenWithExpectedLength(expectedToken: string): string {\n\tconst replacementPrefix = expectedToken.startsWith('A') ? 'B' : 'A';\n\treturn `${replacementPrefix}${expectedToken.slice(1)}`;\n}\n\nexport function verifyAgentBearerAuthorization(\n\tprops: VerifyAgentBearerAuthorizationProps,\n): VerifyAgentBearerAuthorizationResult {\n\tconst expectedToken = deriveAgentBearerToken({\n\t\tagentId: props.agentId,\n\t\tcredentialVersion: props.credentialVersion,\n\t\tmasterKey: props.masterKey,\n\t});\n\tconst mismatchedToken = mismatchedTokenWithExpectedLength(expectedToken);\n\n\tif (props.authorizationHeader === undefined) {\n\t\ttimingSafeEqualToken(mismatchedToken, expectedToken);\n\t\treturn { ok: false, reason: 'missing' };\n\t}\n\tconst [scheme, token, extra] = props.authorizationHeader.split(/\\s+/u);\n\tif (scheme !== 'Bearer' || token === undefined || token.length === 0 || extra !== undefined) {\n\t\ttimingSafeEqualToken(mismatchedToken, expectedToken);\n\t\treturn { ok: false, reason: 'malformed' };\n\t}\n\tconst comparableToken = token.length === expectedToken.length ? token : mismatchedToken;\n\tif (!timingSafeEqualToken(comparableToken, expectedToken)) {\n\t\treturn { ok: false, reason: 'signature-mismatch' };\n\t}\n\treturn { ok: true };\n}\n"],"mappings":";;AAgBA,MAAM,sBAAsB;AAC5B,MAAM,wBAAwB;AAC9B,MAAM,mBAAmB;AAEzB,SAAgB,sBAAsB,kBAAkC;CACvE,MAAM,mBAAmB,iBAAiB,MAAM;CAChD,IAAI,CAAC,iBAAiB,KAAK,iBAAiB,EAC3C,MAAM,IAAI,MAAM,+DAA+D;CAEhF,MAAM,YAAY,OAAO,KAAK,kBAAkB,YAAY;CAC5D,IAAI,UAAU,SAAS,uBACtB,MAAM,IAAI,MACT,gDAAgD,OAAO,sBAAsB,CAAC,SAC9E;CAEF,IAAI,UAAU,SAAS,YAAY,KAAK,kBACvC,MAAM,IAAI,MAAM,oEAAoE;CAErF,OAAO;;AAGR,SAAgB,uBAAuB,OAA4C;CAClF,OAAO,WAAW,UAAU,MAAM,UAAU,CAC1C,OAAO,GAAG,sBAAsB,MAAM,QAAQ,IAAI,OAAO,MAAM,kBAAkB,GAAG,CACpF,OAAO,YAAY;;AAGtB,SAAgB,2BAA2B,WAA2B;CACrE,OAAO,UAAU,WAAW,SAAS,CAAC,OAAO,UAAU,CAAC,OAAO,YAAY;;AAG5E,SAAS,qBAAqB,MAAc,OAAwB;CACnE,MAAM,aAAa,OAAO,KAAK,KAAK;CACpC,MAAM,cAAc,OAAO,KAAK,MAAM;CACtC,OAAO,WAAW,WAAW,YAAY,UAAU,gBAAgB,YAAY,YAAY;;AAG5F,SAAS,kCAAkC,eAA+B;CAEzE,OAAO,GADmB,cAAc,WAAW,IAAI,GAAG,MAAM,MAClC,cAAc,MAAM,EAAE;;AAGrD,SAAgB,+BACf,OACuC;CACvC,MAAM,gBAAgB,uBAAuB;EAC5C,SAAS,MAAM;EACf,mBAAmB,MAAM;EACzB,WAAW,MAAM;EACjB,CAAC;CACF,MAAM,kBAAkB,kCAAkC,cAAc;CAExE,IAAI,MAAM,wBAAwB,KAAA,GAAW;EAC5C,qBAAqB,iBAAiB,cAAc;EACpD,OAAO;GAAE,IAAI;GAAO,QAAQ;GAAW;;CAExC,MAAM,CAAC,QAAQ,OAAO,SAAS,MAAM,oBAAoB,MAAM,OAAO;CACtE,IAAI,WAAW,YAAY,UAAU,KAAA,KAAa,MAAM,WAAW,KAAK,UAAU,KAAA,GAAW;EAC5F,qBAAqB,iBAAiB,cAAc;EACpD,OAAO;GAAE,IAAI;GAAO,QAAQ;GAAa;;CAG1C,IAAI,CAAC,qBADmB,MAAM,WAAW,cAAc,SAAS,QAAQ,iBAC7B,cAAc,EACxD,OAAO;EAAE,IAAI;EAAO,QAAQ;EAAsB;CAEnD,OAAO,EAAE,IAAI,MAAM"}

package/dist/bin/mcp-portal.d.ts

@@ -0,0 +1,28 @@
+import { n as PortalToolRecord } from "../catalog-types-BVuB4Ynx.js";
+import { SecretResolver } from "@agent-vm/secrets";
+
+//#region src/bin/mcp-portal.d.ts
+interface PortalCatalogFile {
+  readonly tools: readonly PortalToolRecord[];
+}
+interface AgentVmMcpPortalRuntimeProps {
+  readonly env?: Readonly<Record<string, string | undefined>>;
+  readonly secretResolver?: SecretResolver;
+}
+type PortalShutdownSignal = 'SIGINT' | 'SIGTERM';
+interface PortalSignalTarget {
+  readonly off: (signal: PortalShutdownSignal, listener: () => void) => void;
+  readonly once: (signal: PortalShutdownSignal, listener: () => void) => void;
+}
+interface RunningPortalServer {
+  readonly close: () => Promise<void>;
+}
+declare function waitUntilPortalServerShutdown(props: {
+  readonly server: RunningPortalServer;
+  readonly signalTarget?: PortalSignalTarget;
+}): Promise<void>;
+declare function runMcpPortal(args: readonly string[], props?: AgentVmMcpPortalRuntimeProps): Promise<number>;
+declare function shouldRunMcpPortalEntrypoint(argvPath: string | undefined): boolean;
+//#endregion
+export { AgentVmMcpPortalRuntimeProps, PortalCatalogFile, RunningPortalServer, runMcpPortal, shouldRunMcpPortalEntrypoint, waitUntilPortalServerShutdown };
+//# sourceMappingURL=mcp-portal.d.ts.map

package/dist/bin/mcp-portal.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"mcp-portal.d.ts","names":[],"sources":["../../src/bin/mcp-portal.ts"],"mappings":";;;;UAiDiB,iBAAA;EAAA,SACP,KAAA,WAAgB,gBAAA;AAAA;AAAA,UAGT,4BAAA;EAAA,SACP,GAAA,GAAM,QAAA,CAAS,MAAA;EAAA,SACf,cAAA,GAAiB,cAAA;AAAA;AAAA,KAgMtB,oBAAA;AAAA,UACK,kBAAA;EAAA,SACA,GAAA,GAAM,MAAA,EAAQ,oBAAA,EAAsB,QAAA;EAAA,SACpC,IAAA,GAAO,MAAA,EAAQ,oBAAA,EAAsB,QAAA;AAAA;AAAA,UAG9B,mBAAA;EAAA,SACP,KAAA,QAAa,OAAA;AAAA;AAAA,iBAsBD,6BAAA,CAA8B,KAAA;EAAA,SAC1C,MAAA,EAAQ,mBAAA;EAAA,SACR,YAAA,GAAe,kBAAA;AAAA,IACrB,OAAA;AAAA,iBAwHkB,YAAA,CACrB,IAAA,qBACA,KAAA,GAAO,4BAAA,GACL,OAAA;AAAA,iBA2Fa,4BAAA,CAA6B,QAAA"}

package/dist/bin/mcp-portal.js

@@ -0,0 +1,318 @@
+#!/usr/bin/env node
+import { a as portalToolRecordSchema } from "../zod-schema-loader-yNekKNpm.js";
+import { t as createUpstreamMcpClientRuntime } from "../upstream-mcp-client-runtime-JlsfTm7_.js";
+import { i as resolveUpstreamServers, n as createPortalCore } from "../portal-core-Cgu714CL.js";
+import { t as generateTypescriptCatalogArtifact } from "../typescript-artifact-BVLt3Ifd.js";
+import { n as deriveAgentBearerToken, r as formatMasterKeyFingerprint, t as decodePortalMasterKey } from "../agent-bearer-token-DCtpDPCZ.js";
+import { i as resolveAgentHmacKeys, n as createPortalApprovalVerifier, t as createPortalAgentRuntimeRecords } from "../resolve-agent-identity-DnC_Pmnh.js";
+import { c as resolveSecretValue, i as deriveApprovalHmacKeysFromMasterKey, n as buildProfilePolicyMaps, o as parsePortalServerCliArgs, r as createServeSecretResolver, s as startPortalServer } from "../serve-command-CnSMUybd.js";
+import { t as parseHmacKeysFromEnv } from "../hmac-env-B4shpRRB.js";
+import { z } from "zod";
+import { loadMcpConfig, loadMcpPortalConfig } from "@agent-vm/config-contracts";
+import { basename, join } from "node:path";
+import { mkdir, readFile, writeFile } from "node:fs/promises";
+//#region src/bin/mcp-portal.ts
+const catalogFileSchema = z.object({ tools: z.array(portalToolRecordSchema) }).strict();
+async function readCatalogFile(catalogPath) {
+	const rawCatalog = await readFile(catalogPath, "utf-8");
+	const parsedJson = JSON.parse(rawCatalog);
+	return catalogFileSchema.parse(parsedJson);
+}
+function parseOutputDirectory(args) {
+	const outputFlagIndex = args.indexOf("--out");
+	if (outputFlagIndex === -1) return null;
+	return args[outputFlagIndex + 1] ?? null;
+}
+function printUsage() {
+	process.stderr.write("Usage: mcp-portal validate <catalog.json>\n");
+	process.stderr.write("Usage: mcp-portal generate-helper <catalog.json> --out <directory>\n");
+	process.stderr.write("Usage: mcp-portal mcp-proxy serve --config-dir <directory> [--port <port>]\n");
+	process.stderr.write("Usage: mcp-portal call --config-dir <directory> --agent <agent-id> --input <request.json> [--tool <portal-tool-name>]\n");
+	process.stderr.write("Usage: mcp-portal mcp-proxy print-client-config --config-dir <directory> --agent <agent-id> --master-key-fingerprint <sha256:...> [--proxy-url <url>]\n");
+}
+function readFlag(args, name) {
+	const index = args.indexOf(name);
+	if (index === -1) return null;
+	return args[index + 1] ?? null;
+}
+function normalizeCredentialProxyUrl(value) {
+	const url = new URL(value);
+	if (url.protocol !== "http:" && url.protocol !== "https:") throw new Error(`Invalid --proxy-url protocol "${url.protocol}". Expected http or https.`);
+	return url.toString();
+}
+async function createCliSecretResolver(props) {
+	return props.secretResolver ?? await createServeSecretResolver(props.env);
+}
+function serverNameForClientConfig(agentId) {
+	return `mcp-portal-${agentId.replaceAll(/[^A-Za-z0-9_-]/gu, "-")}`;
+}
+function printCredentialMaterialWarning() {
+	process.stderr.write([
+		"WARNING: MCP Portal client config is bearer credential material.",
+		"WARNING: Treat stdout like an API token. Do not paste it into logs, commits, or chat.",
+		"WARNING: The token is per-agent and remains valid until credentialVersion or masterKey rotation.",
+		""
+	].join("\n"));
+}
+function printDisabledCredentialWriter() {
+	process.stderr.write([
+		"mcp-portal: mcp-proxy write-credential is disabled because it persists bearer credentials.",
+		"Use mcp-portal mcp-proxy print-client-config and decide explicitly where stdout is stored.",
+		""
+	].join("\n"));
+	return 1;
+}
+async function printClientConfig(args, runtimeProps) {
+	const configDir = readFlag(args, "--config-dir");
+	const agentId = readFlag(args, "--agent");
+	const expectedFingerprint = readFlag(args, "--master-key-fingerprint");
+	const proxyUrlOverride = readFlag(args, "--proxy-url");
+	if (configDir === null || agentId === null || expectedFingerprint === null) {
+		printUsage();
+		return 1;
+	}
+	const portalConfig = await loadMcpPortalConfig(join(configDir, "mcp-portal.config.jsonc"));
+	if (portalConfig.externalAuth === void 0) throw new Error("print-client-config requires externalAuth.masterKey.");
+	if (portalConfig.mcpProxy === void 0 && proxyUrlOverride === null) throw new Error("print-client-config requires mcpProxy server settings or --proxy-url.");
+	if (portalConfig.agents[agentId] === void 0) throw new Error(`Unknown MCP Portal agent "${agentId}".`);
+	const secretResolver = await createCliSecretResolver(runtimeProps);
+	const masterKey = decodePortalMasterKey(await resolveSecretValue(portalConfig.externalAuth.masterKey, {
+		env: runtimeProps.env,
+		secretResolver
+	}));
+	const actualFingerprint = formatMasterKeyFingerprint(masterKey);
+	if (actualFingerprint !== expectedFingerprint) throw new Error(`Master-key fingerprint mismatch. Expected ${expectedFingerprint}; resolved ${actualFingerprint}.`);
+	const agentConfig = portalConfig.agents[agentId];
+	const bearer = deriveAgentBearerToken({
+		agentId,
+		credentialVersion: agentConfig.credentialVersion,
+		masterKey
+	});
+	const proxyUrl = proxyUrlOverride === null ? credentialProxyUrlFromConfig(requireCredentialMcpProxy(portalConfig.mcpProxy), agentId) : normalizeCredentialProxyUrl(proxyUrlOverride);
+	const authorizationHeaderName = portalConfig.mcpProxy?.auth.headerName ?? "authorization";
+	const authorizationHeaderValue = `Bearer ${bearer}`;
+	const clientConfig = {
+		agentId,
+		authorizationHeaderName,
+		authorizationHeaderValue,
+		kind: "mcp-portal-client-config",
+		masterKeyFingerprint: actualFingerprint,
+		mcpServers: { [serverNameForClientConfig(agentId)]: {
+			headers: { [authorizationHeaderName]: authorizationHeaderValue },
+			type: "streamable-http",
+			url: proxyUrl
+		} },
+		proxyUrl,
+		schemaVersion: 1
+	};
+	printCredentialMaterialWarning();
+	process.stdout.write(`${JSON.stringify(clientConfig, null, "	")}\n`);
+	return 0;
+}
+function requireCredentialMcpProxy(mcpProxy) {
+	if (mcpProxy === void 0) throw new Error("print-client-config requires mcpProxy server settings or --proxy-url.");
+	return mcpProxy;
+}
+function credentialProxyUrlFromConfig(mcpProxy, agentId) {
+	return `http://${mcpProxy.server.host.includes(":") ? `[${mcpProxy.server.host.replace(/^\[|\]$/gu, "")}]` : mcpProxy.server.host}:${String(mcpProxy.server.port)}/agents/${encodeURIComponent(agentId)}/mcp`;
+}
+const portalCoreToolNames = new Set([
+	"mcp_portal_list",
+	"mcp_portal_search",
+	"mcp_portal_describe",
+	"mcp_portal_call"
+]);
+function waitForPortalShutdownSignal(signalTarget = process) {
+	const signals = ["SIGINT", "SIGTERM"];
+	return new Promise((resolve) => {
+		const listeners = /* @__PURE__ */ new Map();
+		for (const signal of signals) {
+			const listener = () => {
+				for (const [registeredSignal, registeredListener] of listeners) signalTarget.off(registeredSignal, registeredListener);
+				resolve(signal);
+			};
+			listeners.set(signal, listener);
+			signalTarget.once(signal, listener);
+		}
+	});
+}
+async function waitUntilPortalServerShutdown(props) {
+	try {
+		await waitForPortalShutdownSignal(props.signalTarget);
+	} finally {
+		await props.server.close();
+	}
+}
+function isPortalCoreToolName(value) {
+	return portalCoreToolNames.has(value);
+}
+function parsePortalCoreToolName(value) {
+	const toolName = value ?? "mcp_portal_call";
+	if (!isPortalCoreToolName(toolName)) throw new Error(`Unknown MCP Portal tool "${toolName}".`);
+	return toolName;
+}
+function writePortalCoreEventToStderr(event) {
+	if (event.kind === "progress" && event.message !== void 0) {
+		process.stderr.write(`${event.message}\n`);
+		return;
+	}
+	if (event.kind === "partial_content") {
+		const message = event.content.type === "text" ? event.content.text : JSON.stringify(event.content.value);
+		process.stderr.write(`${message}\n`);
+		return;
+	}
+	if (event.kind === "upstream_notification") process.stderr.write(`upstream notification ${event.method}\n`);
+}
+async function resolveCliApprovalHmacKeys(props) {
+	if (props.portalConfig.externalAuth !== void 0) {
+		const masterKey = decodePortalMasterKey(await props.resolveSecret(props.portalConfig.externalAuth.masterKey));
+		return deriveApprovalHmacKeysFromMasterKey({
+			agentIds: props.agentIds,
+			masterKey
+		});
+	}
+	return await resolveAgentHmacKeys({
+		agents: props.portalConfig.agents,
+		envKeys: parseHmacKeysFromEnv(props.env),
+		resolveSecret: props.resolveSecret
+	});
+}
+async function runCallCommand(args, runtimeProps) {
+	const configDir = readFlag(args, "--config-dir");
+	const agentId = readFlag(args, "--agent");
+	const inputPath = readFlag(args, "--input");
+	if (configDir === null || agentId === null || inputPath === null) {
+		printUsage();
+		return 1;
+	}
+	const toolName = parsePortalCoreToolName(readFlag(args, "--tool"));
+	const input = JSON.parse(await readFile(inputPath, "utf8"));
+	const secretResolver = await createCliSecretResolver(runtimeProps);
+	const resolveSecret = (secret) => resolveSecretValue(secret, {
+		env: runtimeProps.env,
+		secretResolver
+	});
+	const [mcpConfig, portalConfig] = await Promise.all([loadMcpConfig(join(configDir, "mcp.config.jsonc")), loadMcpPortalConfig(join(configDir, "mcp-portal.config.jsonc"))]);
+	if (portalConfig.agents[agentId] === void 0) throw new Error(`Unknown MCP Portal agent "${agentId}".`);
+	const verifyApproval = createPortalApprovalVerifier({ records: createPortalAgentRuntimeRecords({
+		hmacKeys: await resolveCliApprovalHmacKeys({
+			agentIds: Object.keys(portalConfig.agents),
+			env: runtimeProps.env,
+			portalConfig,
+			resolveSecret
+		}),
+		portalConfig
+	}) });
+	const upstreamServers = await resolveUpstreamServers({
+		config: mcpConfig,
+		resolveSecret
+	});
+	const upstreamRuntime = createUpstreamMcpClientRuntime({ servers: upstreamServers });
+	const profilePolicyMaps = buildProfilePolicyMaps(portalConfig);
+	const core = createPortalCore({
+		accessPolicy: {
+			defaultPolicy: "deny-all",
+			enabledNamespacesByAgent: profilePolicyMaps.enabledNamespacesByAgent,
+			enabledToolsByAgent: profilePolicyMaps.enabledToolsByAgent,
+			hiddenToolsByAgent: profilePolicyMaps.hiddenToolsByAgent
+		},
+		approval: (calls, scope, approvalToken) => verifyApproval(calls, scope.agentId, approvalToken),
+		catalogTtlMs: profilePolicyMaps.cacheTtlMs,
+		runtime: {
+			...upstreamRuntime,
+			callUpstreamTool: upstreamRuntime.callTool
+		},
+		upstreamNamespaces: upstreamServers.map((server) => server.namespace)
+	});
+	try {
+		const scope = core.createAgentScope({
+			agentId,
+			agentScopeId: agentId,
+			source: "cli-operator"
+		});
+		const result = await core.collectPortalCoreResult(core.callStream({
+			input,
+			scope,
+			toolName
+		}), { onEvent: writePortalCoreEventToStderr });
+		process.stdout.write(`${JSON.stringify(result, null, "	")}\n`);
+		return 0;
+	} finally {
+		await core.close();
+	}
+}
+async function runMcpPortal(args, props = {}) {
+	const [command, catalogPath, ...restArgs] = args;
+	const runtimeProps = {
+		env: props.env ?? process.env,
+		...props.secretResolver !== void 0 ? { secretResolver: props.secretResolver } : {}
+	};
+	if (!command) {
+		printUsage();
+		return 1;
+	}
+	try {
+		if (command === "mcp-proxy") {
+			const [mcpProxyCommand, ...mcpProxyArgs] = args.slice(1);
+			if (mcpProxyCommand === "serve") {
+				const injectedSecretResolver = runtimeProps.secretResolver;
+				await waitUntilPortalServerShutdown({ server: await startPortalServer({
+					args: parsePortalServerCliArgs(mcpProxyArgs),
+					env: runtimeProps.env,
+					...injectedSecretResolver !== void 0 ? { resolveSecret: (secret) => resolveSecretValue(secret, {
+						env: runtimeProps.env,
+						secretResolver: injectedSecretResolver
+					}) } : {}
+				}) });
+				return 0;
+			}
+			if (mcpProxyCommand === "write-credential") return printDisabledCredentialWriter();
+			if (mcpProxyCommand === "print-client-config") return await printClientConfig(mcpProxyArgs, runtimeProps);
+			printUsage();
+			return 1;
+		}
+		if (command === "serve") {
+			printUsage();
+			return 1;
+		}
+		if (command === "write-credential") {
+			printUsage();
+			return 1;
+		}
+		if (command === "call") return await runCallCommand(args.slice(1), runtimeProps);
+		if (!catalogPath) {
+			printUsage();
+			return 1;
+		}
+		const catalog = await readCatalogFile(catalogPath);
+		switch (command) {
+			case "validate": return 0;
+			case "generate-helper": {
+				const outputDirectory = parseOutputDirectory(restArgs);
+				if (!outputDirectory) {
+					printUsage();
+					return 1;
+				}
+				await mkdir(outputDirectory, { recursive: true });
+				await writeFile(join(outputDirectory, "catalog.json"), JSON.stringify(catalog, null, "	"));
+				await writeFile(join(outputDirectory, "catalog.ts"), generateTypescriptCatalogArtifact(catalog));
+				return 0;
+			}
+			default:
+				printUsage();
+				return 1;
+		}
+	} catch (error) {
+		process.stderr.write(`${error instanceof Error ? error.message : String(error)}\n`);
+		return 1;
+	}
+}
+function shouldRunMcpPortalEntrypoint(argvPath) {
+	const entrypointName = argvPath === void 0 ? void 0 : basename(argvPath);
+	return entrypointName === "mcp-portal" || entrypointName === "mcp-portal.js" || entrypointName === "mcp-portal.ts";
+}
+if (shouldRunMcpPortalEntrypoint(process.argv[1])) process.exitCode = await runMcpPortal(process.argv.slice(2));
+//#endregion
+export { runMcpPortal, shouldRunMcpPortalEntrypoint, waitUntilPortalServerShutdown };
+
+//# sourceMappingURL=mcp-portal.js.map

package/dist/bin/mcp-portal.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"mcp-portal.js","names":[],"sources":["../../src/bin/mcp-portal.ts"],"sourcesContent":["#!/usr/bin/env node\n\nimport { mkdir, readFile, writeFile } from 'node:fs/promises';\nimport { basename, join } from 'node:path';\n\nimport {\n\tloadMcpConfig,\n\tloadMcpPortalConfig,\n\ttype McpPortalConfig,\n\ttype SecretValue,\n} from '@agent-vm/config-contracts';\nimport type { SecretResolver } from '@agent-vm/secrets';\nimport { z } from 'zod';\n\nimport { portalToolRecordSchema, type PortalToolRecord } from '../catalog-types.js';\nimport {\n\tbuildProfilePolicyMaps,\n\tcreateServeSecretResolver,\n\tderiveApprovalHmacKeysFromMasterKey,\n\tparsePortalServerCliArgs,\n\tstartPortalServer,\n} from '../cli/serve-command.js';\nimport {\n\tcreatePortalCore,\n\ttype PortalCoreEvent,\n\ttype PortalCoreToolName,\n} from '../core/portal-core.js';\nimport { resolveUpstreamServers } from '../core/provider-runtime.js';\nimport {\n\tcreatePortalAgentRuntimeRecords,\n\tcreatePortalApprovalVerifier,\n\tresolveAgentHmacKeys,\n} from '../mcp-proxy/resolve-agent-identity.js';\nimport {\n\tdecodePortalMasterKey,\n\tderiveAgentBearerToken,\n\tformatMasterKeyFingerprint,\n} from '../portal-auth/agent-bearer-token.js';\nimport { parseHmacKeysFromEnv } from '../portal-auth/hmac-env.js';\nimport { generateTypescriptCatalogArtifact } from '../portal-config/typescript-artifact.js';\nimport { createUpstreamMcpClientRuntime } from '../upstream-mcp-client-runtime.js';\nimport { resolveSecretValue } from './secret-value-resolver.js';\n\nconst catalogFileSchema = z\n\t.object({\n\t\ttools: z.array(portalToolRecordSchema),\n\t})\n\t.strict();\n\nexport interface PortalCatalogFile {\n\treadonly tools: readonly PortalToolRecord[];\n}\n\nexport interface AgentVmMcpPortalRuntimeProps {\n\treadonly env?: Readonly<Record<string, string | undefined>>;\n\treadonly secretResolver?: SecretResolver;\n}\n\nasync function readCatalogFile(catalogPath: string): Promise<PortalCatalogFile> {\n\tconst rawCatalog = await readFile(catalogPath, 'utf-8');\n\tconst parsedJson = JSON.parse(rawCatalog) as unknown;\n\treturn catalogFileSchema.parse(parsedJson);\n}\n\nfunction parseOutputDirectory(args: readonly string[]): string | null {\n\tconst outputFlagIndex = args.indexOf('--out');\n\tif (outputFlagIndex === -1) {\n\t\treturn null;\n\t}\n\n\treturn args[outputFlagIndex + 1] ?? null;\n}\n\nfunction printUsage(): void {\n\tprocess.stderr.write('Usage: mcp-portal validate <catalog.json>\\n');\n\tprocess.stderr.write('Usage: mcp-portal generate-helper <catalog.json> --out <directory>\\n');\n\tprocess.stderr.write(\n\t\t'Usage: mcp-portal mcp-proxy serve --config-dir <directory> [--port <port>]\\n',\n\t);\n\tprocess.stderr.write(\n\t\t'Usage: mcp-portal call --config-dir <directory> --agent <agent-id> --input <request.json> [--tool <portal-tool-name>]\\n',\n\t);\n\tprocess.stderr.write(\n\t\t'Usage: mcp-portal mcp-proxy print-client-config --config-dir <directory> --agent <agent-id> --master-key-fingerprint <sha256:...> [--proxy-url <url>]\\n',\n\t);\n}\n\nfunction readFlag(args: readonly string[], name: string): string | null {\n\tconst index = args.indexOf(name);\n\tif (index === -1) {\n\t\treturn null;\n\t}\n\treturn args[index + 1] ?? null;\n}\n\nfunction normalizeCredentialProxyUrl(value: string): string {\n\tconst url = new URL(value);\n\tif (url.protocol !== 'http:' && url.protocol !== 'https:') {\n\t\tthrow new Error(`Invalid --proxy-url protocol \"${url.protocol}\". Expected http or https.`);\n\t}\n\treturn url.toString();\n}\n\ntype RequiredPortalRuntimeProps = Required<Pick<AgentVmMcpPortalRuntimeProps, 'env'>> &\n\tPick<AgentVmMcpPortalRuntimeProps, 'secretResolver'>;\n\nasync function createCliSecretResolver(props: RequiredPortalRuntimeProps): Promise<SecretResolver> {\n\treturn props.secretResolver ?? (await createServeSecretResolver(props.env));\n}\n\ninterface McpPortalClientConfigServer {\n\treadonly headers: Readonly<Record<string, string>>;\n\treadonly type: 'streamable-http';\n\treadonly url: string;\n}\n\ninterface McpPortalClientConfig {\n\treadonly agentId: string;\n\treadonly authorizationHeaderName: string;\n\treadonly authorizationHeaderValue: string;\n\treadonly kind: 'mcp-portal-client-config';\n\treadonly masterKeyFingerprint: string;\n\treadonly mcpServers: Readonly<Record<string, McpPortalClientConfigServer>>;\n\treadonly proxyUrl: string;\n\treadonly schemaVersion: 1;\n}\n\nfunction serverNameForClientConfig(agentId: string): string {\n\treturn `mcp-portal-${agentId.replaceAll(/[^A-Za-z0-9_-]/gu, '-')}`;\n}\n\nfunction printCredentialMaterialWarning(): void {\n\tprocess.stderr.write(\n\t\t[\n\t\t\t'WARNING: MCP Portal client config is bearer credential material.',\n\t\t\t'WARNING: Treat stdout like an API token. Do not paste it into logs, commits, or chat.',\n\t\t\t'WARNING: The token is per-agent and remains valid until credentialVersion or masterKey rotation.',\n\t\t\t'',\n\t\t].join('\\n'),\n\t);\n}\n\nfunction printDisabledCredentialWriter(): number {\n\tprocess.stderr.write(\n\t\t[\n\t\t\t'mcp-portal: mcp-proxy write-credential is disabled because it persists bearer credentials.',\n\t\t\t'Use mcp-portal mcp-proxy print-client-config and decide explicitly where stdout is stored.',\n\t\t\t'',\n\t\t].join('\\n'),\n\t);\n\treturn 1;\n}\n\nasync function printClientConfig(\n\targs: readonly string[],\n\truntimeProps: RequiredPortalRuntimeProps,\n): Promise<number> {\n\tconst configDir = readFlag(args, '--config-dir');\n\tconst agentId = readFlag(args, '--agent');\n\tconst expectedFingerprint = readFlag(args, '--master-key-fingerprint');\n\tconst proxyUrlOverride = readFlag(args, '--proxy-url');\n\tif (configDir === null || agentId === null || expectedFingerprint === null) {\n\t\tprintUsage();\n\t\treturn 1;\n\t}\n\tconst portalConfig = await loadMcpPortalConfig(join(configDir, 'mcp-portal.config.jsonc'));\n\tif (portalConfig.externalAuth === undefined) {\n\t\tthrow new Error('print-client-config requires externalAuth.masterKey.');\n\t}\n\tif (portalConfig.mcpProxy === undefined && proxyUrlOverride === null) {\n\t\tthrow new Error('print-client-config requires mcpProxy server settings or --proxy-url.');\n\t}\n\tif (portalConfig.agents[agentId] === undefined) {\n\t\tthrow new Error(`Unknown MCP Portal agent \"${agentId}\".`);\n\t}\n\tconst secretResolver = await createCliSecretResolver(runtimeProps);\n\tconst masterKey = decodePortalMasterKey(\n\t\tawait resolveSecretValue(portalConfig.externalAuth.masterKey, {\n\t\t\tenv: runtimeProps.env,\n\t\t\tsecretResolver,\n\t\t}),\n\t);\n\tconst actualFingerprint = formatMasterKeyFingerprint(masterKey);\n\tif (actualFingerprint !== expectedFingerprint) {\n\t\tthrow new Error(\n\t\t\t`Master-key fingerprint mismatch. Expected ${expectedFingerprint}; resolved ${actualFingerprint}.`,\n\t\t);\n\t}\n\tconst agentConfig = portalConfig.agents[agentId];\n\tconst bearer = deriveAgentBearerToken({\n\t\tagentId,\n\t\tcredentialVersion: agentConfig.credentialVersion,\n\t\tmasterKey,\n\t});\n\tconst proxyUrl =\n\t\tproxyUrlOverride === null\n\t\t\t? credentialProxyUrlFromConfig(requireCredentialMcpProxy(portalConfig.mcpProxy), agentId)\n\t\t\t: normalizeCredentialProxyUrl(proxyUrlOverride);\n\tconst authorizationHeaderName = portalConfig.mcpProxy?.auth.headerName ?? 'authorization';\n\tconst authorizationHeaderValue = `Bearer ${bearer}`;\n\tconst clientConfig = {\n\t\tagentId,\n\t\tauthorizationHeaderName,\n\t\tauthorizationHeaderValue,\n\t\tkind: 'mcp-portal-client-config',\n\t\tmasterKeyFingerprint: actualFingerprint,\n\t\tmcpServers: {\n\t\t\t[serverNameForClientConfig(agentId)]: {\n\t\t\t\theaders: { [authorizationHeaderName]: authorizationHeaderValue },\n\t\t\t\ttype: 'streamable-http',\n\t\t\t\turl: proxyUrl,\n\t\t\t},\n\t\t},\n\t\tproxyUrl,\n\t\tschemaVersion: 1,\n\t} satisfies McpPortalClientConfig;\n\tprintCredentialMaterialWarning();\n\tprocess.stdout.write(`${JSON.stringify(clientConfig, null, '\\t')}\\n`);\n\treturn 0;\n}\n\nfunction requireCredentialMcpProxy(\n\tmcpProxy: McpPortalConfig['mcpProxy'],\n): NonNullable<McpPortalConfig['mcpProxy']> {\n\tif (mcpProxy === undefined) {\n\t\tthrow new Error('print-client-config requires mcpProxy server settings or --proxy-url.');\n\t}\n\treturn mcpProxy;\n}\n\nfunction credentialProxyUrlFromConfig(\n\tmcpProxy: NonNullable<McpPortalConfig['mcpProxy']>,\n\tagentId: string,\n): string {\n\tconst host = mcpProxy.server.host.includes(':')\n\t\t? `[${mcpProxy.server.host.replace(/^\\[|\\]$/gu, '')}]`\n\t\t: mcpProxy.server.host;\n\treturn `http://${host}:${String(mcpProxy.server.port)}/agents/${encodeURIComponent(agentId)}/mcp`;\n}\n\nconst portalCoreToolNames = new Set<string>([\n\t'mcp_portal_list',\n\t'mcp_portal_search',\n\t'mcp_portal_describe',\n\t'mcp_portal_call',\n]);\n\ntype PortalShutdownSignal = 'SIGINT' | 'SIGTERM';\ninterface PortalSignalTarget {\n\treadonly off: (signal: PortalShutdownSignal, listener: () => void) => void;\n\treadonly once: (signal: PortalShutdownSignal, listener: () => void) => void;\n}\n\nexport interface RunningPortalServer {\n\treadonly close: () => Promise<void>;\n}\n\nfunction waitForPortalShutdownSignal(\n\tsignalTarget: PortalSignalTarget = process,\n): Promise<PortalShutdownSignal> {\n\tconst signals = ['SIGINT', 'SIGTERM'] satisfies readonly PortalShutdownSignal[];\n\treturn new Promise((resolve) => {\n\t\tconst listeners = new Map<PortalShutdownSignal, () => void>();\n\t\tfor (const signal of signals) {\n\t\t\tconst listener = (): void => {\n\t\t\t\tfor (const [registeredSignal, registeredListener] of listeners) {\n\t\t\t\t\tsignalTarget.off(registeredSignal, registeredListener);\n\t\t\t\t}\n\t\t\t\tresolve(signal);\n\t\t\t};\n\t\t\tlisteners.set(signal, listener);\n\t\t\tsignalTarget.once(signal, listener);\n\t\t}\n\t});\n}\n\nexport async function waitUntilPortalServerShutdown(props: {\n\treadonly server: RunningPortalServer;\n\treadonly signalTarget?: PortalSignalTarget;\n}): Promise<void> {\n\ttry {\n\t\tawait waitForPortalShutdownSignal(props.signalTarget);\n\t} finally {\n\t\tawait props.server.close();\n\t}\n}\n\nfunction isPortalCoreToolName(value: string): value is PortalCoreToolName {\n\treturn portalCoreToolNames.has(value);\n}\n\nfunction parsePortalCoreToolName(value: string | null): PortalCoreToolName {\n\tconst toolName = value ?? 'mcp_portal_call';\n\tif (!isPortalCoreToolName(toolName)) {\n\t\tthrow new Error(`Unknown MCP Portal tool \"${toolName}\".`);\n\t}\n\treturn toolName;\n}\n\nfunction writePortalCoreEventToStderr(event: PortalCoreEvent): void {\n\tif (event.kind === 'progress' && event.message !== undefined) {\n\t\tprocess.stderr.write(`${event.message}\\n`);\n\t\treturn;\n\t}\n\tif (event.kind === 'partial_content') {\n\t\tconst message =\n\t\t\tevent.content.type === 'text' ? event.content.text : JSON.stringify(event.content.value);\n\t\tprocess.stderr.write(`${message}\\n`);\n\t\treturn;\n\t}\n\tif (event.kind === 'upstream_notification') {\n\t\tprocess.stderr.write(`upstream notification ${event.method}\\n`);\n\t}\n}\n\nasync function resolveCliApprovalHmacKeys(props: {\n\treadonly agentIds: readonly string[];\n\treadonly env: Readonly<Record<string, string | undefined>>;\n\treadonly portalConfig: Awaited<ReturnType<typeof loadMcpPortalConfig>>;\n\treadonly resolveSecret: (secret: SecretValue) => Promise<string>;\n}): Promise<ReadonlyMap<string, Buffer>> {\n\tif (props.portalConfig.externalAuth !== undefined) {\n\t\tconst masterKey = decodePortalMasterKey(\n\t\t\tawait props.resolveSecret(props.portalConfig.externalAuth.masterKey),\n\t\t);\n\t\treturn deriveApprovalHmacKeysFromMasterKey({ agentIds: props.agentIds, masterKey });\n\t}\n\treturn await resolveAgentHmacKeys({\n\t\tagents: props.portalConfig.agents,\n\t\tenvKeys: parseHmacKeysFromEnv(props.env),\n\t\tresolveSecret: props.resolveSecret,\n\t});\n}\n\nasync function runCallCommand(\n\targs: readonly string[],\n\truntimeProps: RequiredPortalRuntimeProps,\n): Promise<number> {\n\tconst configDir = readFlag(args, '--config-dir');\n\tconst agentId = readFlag(args, '--agent');\n\tconst inputPath = readFlag(args, '--input');\n\tif (configDir === null || agentId === null || inputPath === null) {\n\t\tprintUsage();\n\t\treturn 1;\n\t}\n\tconst toolName = parsePortalCoreToolName(readFlag(args, '--tool'));\n\tconst input = JSON.parse(await readFile(inputPath, 'utf8')) as unknown;\n\tconst secretResolver = await createCliSecretResolver(runtimeProps);\n\tconst resolveSecret = (secret: SecretValue): Promise<string> =>\n\t\tresolveSecretValue(secret, { env: runtimeProps.env, secretResolver });\n\tconst [mcpConfig, portalConfig] = await Promise.all([\n\t\tloadMcpConfig(join(configDir, 'mcp.config.jsonc')),\n\t\tloadMcpPortalConfig(join(configDir, 'mcp-portal.config.jsonc')),\n\t]);\n\tif (portalConfig.agents[agentId] === undefined) {\n\t\tthrow new Error(`Unknown MCP Portal agent \"${agentId}\".`);\n\t}\n\tconst hmacKeys = await resolveCliApprovalHmacKeys({\n\t\tagentIds: Object.keys(portalConfig.agents),\n\t\tenv: runtimeProps.env,\n\t\tportalConfig,\n\t\tresolveSecret,\n\t});\n\tconst agentRecords = createPortalAgentRuntimeRecords({ hmacKeys, portalConfig });\n\tconst verifyApproval = createPortalApprovalVerifier({ records: agentRecords });\n\tconst upstreamServers = await resolveUpstreamServers({ config: mcpConfig, resolveSecret });\n\tconst upstreamRuntime = createUpstreamMcpClientRuntime({ servers: upstreamServers });\n\tconst profilePolicyMaps = buildProfilePolicyMaps(portalConfig);\n\tconst core = createPortalCore({\n\t\taccessPolicy: {\n\t\t\tdefaultPolicy: 'deny-all',\n\t\t\tenabledNamespacesByAgent: profilePolicyMaps.enabledNamespacesByAgent,\n\t\t\tenabledToolsByAgent: profilePolicyMaps.enabledToolsByAgent,\n\t\t\thiddenToolsByAgent: profilePolicyMaps.hiddenToolsByAgent,\n\t\t},\n\t\tapproval: (calls, scope, approvalToken) => verifyApproval(calls, scope.agentId, approvalToken),\n\t\tcatalogTtlMs: profilePolicyMaps.cacheTtlMs,\n\t\truntime: {\n\t\t\t...upstreamRuntime,\n\t\t\tcallUpstreamTool: upstreamRuntime.callTool,\n\t\t},\n\t\tupstreamNamespaces: upstreamServers.map((server) => server.namespace),\n\t});\n\ttry {\n\t\tconst scope = core.createAgentScope({\n\t\t\tagentId,\n\t\t\tagentScopeId: agentId,\n\t\t\tsource: 'cli-operator',\n\t\t});\n\t\tconst result = await core.collectPortalCoreResult(core.callStream({ input, scope, toolName }), {\n\t\t\tonEvent: writePortalCoreEventToStderr,\n\t\t});\n\t\tprocess.stdout.write(`${JSON.stringify(result, null, '\\t')}\\n`);\n\t\treturn 0;\n\t} finally {\n\t\tawait core.close();\n\t}\n}\n\nexport async function runMcpPortal(\n\targs: readonly string[],\n\tprops: AgentVmMcpPortalRuntimeProps = {},\n): Promise<number> {\n\tconst [command, catalogPath, ...restArgs] = args;\n\tconst runtimeProps = {\n\t\tenv: props.env ?? process.env,\n\t\t...(props.secretResolver !== undefined ? { secretResolver: props.secretResolver } : {}),\n\t};\n\tif (!command) {\n\t\tprintUsage();\n\t\treturn 1;\n\t}\n\n\ttry {\n\t\tif (command === 'mcp-proxy') {\n\t\t\tconst [mcpProxyCommand, ...mcpProxyArgs] = args.slice(1);\n\t\t\tif (mcpProxyCommand === 'serve') {\n\t\t\t\tconst injectedSecretResolver = runtimeProps.secretResolver;\n\t\t\t\tconst server = await startPortalServer({\n\t\t\t\t\targs: parsePortalServerCliArgs(mcpProxyArgs),\n\t\t\t\t\tenv: runtimeProps.env,\n\t\t\t\t\t...(injectedSecretResolver !== undefined\n\t\t\t\t\t\t? {\n\t\t\t\t\t\t\t\tresolveSecret: (secret) =>\n\t\t\t\t\t\t\t\t\tresolveSecretValue(secret, {\n\t\t\t\t\t\t\t\t\t\tenv: runtimeProps.env,\n\t\t\t\t\t\t\t\t\t\tsecretResolver: injectedSecretResolver,\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t: {}),\n\t\t\t\t});\n\t\t\t\tawait waitUntilPortalServerShutdown({ server });\n\t\t\t\treturn 0;\n\t\t\t}\n\t\t\tif (mcpProxyCommand === 'write-credential') {\n\t\t\t\treturn printDisabledCredentialWriter();\n\t\t\t}\n\t\t\tif (mcpProxyCommand === 'print-client-config') {\n\t\t\t\treturn await printClientConfig(mcpProxyArgs, runtimeProps);\n\t\t\t}\n\t\t\tprintUsage();\n\t\t\treturn 1;\n\t\t}\n\t\tif (command === 'serve') {\n\t\t\tprintUsage();\n\t\t\treturn 1;\n\t\t}\n\t\tif (command === 'write-credential') {\n\t\t\tprintUsage();\n\t\t\treturn 1;\n\t\t}\n\t\tif (command === 'call') {\n\t\t\treturn await runCallCommand(args.slice(1), runtimeProps);\n\t\t}\n\t\tif (!catalogPath) {\n\t\t\tprintUsage();\n\t\t\treturn 1;\n\t\t}\n\t\tconst catalog = await readCatalogFile(catalogPath);\n\t\tswitch (command) {\n\t\t\tcase 'validate':\n\t\t\t\treturn 0;\n\t\t\tcase 'generate-helper': {\n\t\t\t\tconst outputDirectory = parseOutputDirectory(restArgs);\n\t\t\t\tif (!outputDirectory) {\n\t\t\t\t\tprintUsage();\n\t\t\t\t\treturn 1;\n\t\t\t\t}\n\n\t\t\t\tawait mkdir(outputDirectory, { recursive: true });\n\t\t\t\tawait writeFile(join(outputDirectory, 'catalog.json'), JSON.stringify(catalog, null, '\\t'));\n\t\t\t\tawait writeFile(\n\t\t\t\t\tjoin(outputDirectory, 'catalog.ts'),\n\t\t\t\t\tgenerateTypescriptCatalogArtifact(catalog),\n\t\t\t\t);\n\t\t\t\treturn 0;\n\t\t\t}\n\t\t\tdefault:\n\t\t\t\tprintUsage();\n\t\t\t\treturn 1;\n\t\t}\n\t} catch (error) {\n\t\tprocess.stderr.write(`${error instanceof Error ? error.message : String(error)}\\n`);\n\t\treturn 1;\n\t}\n}\n\n/*\n * Command-shape note: top-level `serve` and credential commands are\n * intentionally rejected. The public CLI shape is `mcp-portal mcp-proxy ...`\n * so the command mirrors the library adapter boundary.\n */\n\nexport function shouldRunMcpPortalEntrypoint(argvPath: string | undefined): boolean {\n\tconst entrypointName = argvPath === undefined ? undefined : basename(argvPath);\n\treturn (\n\t\tentrypointName === 'mcp-portal' ||\n\t\tentrypointName === 'mcp-portal.js' ||\n\t\tentrypointName === 'mcp-portal.ts'\n\t);\n}\n\nif (shouldRunMcpPortalEntrypoint(process.argv[1])) {\n\tprocess.exitCode = await runMcpPortal(process.argv.slice(2));\n}\n"],"mappings":";;;;;;;;;;;;;;AA2CA,MAAM,oBAAoB,EACxB,OAAO,EACP,OAAO,EAAE,MAAM,uBAAuB,EACtC,CAAC,CACD,QAAQ;AAWV,eAAe,gBAAgB,aAAiD;CAC/E,MAAM,aAAa,MAAM,SAAS,aAAa,QAAQ;CACvD,MAAM,aAAa,KAAK,MAAM,WAAW;CACzC,OAAO,kBAAkB,MAAM,WAAW;;AAG3C,SAAS,qBAAqB,MAAwC;CACrE,MAAM,kBAAkB,KAAK,QAAQ,QAAQ;CAC7C,IAAI,oBAAoB,IACvB,OAAO;CAGR,OAAO,KAAK,kBAAkB,MAAM;;AAGrC,SAAS,aAAmB;CAC3B,QAAQ,OAAO,MAAM,8CAA8C;CACnE,QAAQ,OAAO,MAAM,uEAAuE;CAC5F,QAAQ,OAAO,MACd,+EACA;CACD,QAAQ,OAAO,MACd,0HACA;CACD,QAAQ,OAAO,MACd,0JACA;;AAGF,SAAS,SAAS,MAAyB,MAA6B;CACvE,MAAM,QAAQ,KAAK,QAAQ,KAAK;CAChC,IAAI,UAAU,IACb,OAAO;CAER,OAAO,KAAK,QAAQ,MAAM;;AAG3B,SAAS,4BAA4B,OAAuB;CAC3D,MAAM,MAAM,IAAI,IAAI,MAAM;CAC1B,IAAI,IAAI,aAAa,WAAW,IAAI,aAAa,UAChD,MAAM,IAAI,MAAM,iCAAiC,IAAI,SAAS,4BAA4B;CAE3F,OAAO,IAAI,UAAU;;AAMtB,eAAe,wBAAwB,OAA4D;CAClG,OAAO,MAAM,kBAAmB,MAAM,0BAA0B,MAAM,IAAI;;AAoB3E,SAAS,0BAA0B,SAAyB;CAC3D,OAAO,cAAc,QAAQ,WAAW,oBAAoB,IAAI;;AAGjE,SAAS,iCAAuC;CAC/C,QAAQ,OAAO,MACd;EACC;EACA;EACA;EACA;EACA,CAAC,KAAK,KAAK,CACZ;;AAGF,SAAS,gCAAwC;CAChD,QAAQ,OAAO,MACd;EACC;EACA;EACA;EACA,CAAC,KAAK,KAAK,CACZ;CACD,OAAO;;AAGR,eAAe,kBACd,MACA,cACkB;CAClB,MAAM,YAAY,SAAS,MAAM,eAAe;CAChD,MAAM,UAAU,SAAS,MAAM,UAAU;CACzC,MAAM,sBAAsB,SAAS,MAAM,2BAA2B;CACtE,MAAM,mBAAmB,SAAS,MAAM,cAAc;CACtD,IAAI,cAAc,QAAQ,YAAY,QAAQ,wBAAwB,MAAM;EAC3E,YAAY;EACZ,OAAO;;CAER,MAAM,eAAe,MAAM,oBAAoB,KAAK,WAAW,0BAA0B,CAAC;CAC1F,IAAI,aAAa,iBAAiB,KAAA,GACjC,MAAM,IAAI,MAAM,uDAAuD;CAExE,IAAI,aAAa,aAAa,KAAA,KAAa,qBAAqB,MAC/D,MAAM,IAAI,MAAM,wEAAwE;CAEzF,IAAI,aAAa,OAAO,aAAa,KAAA,GACpC,MAAM,IAAI,MAAM,6BAA6B,QAAQ,IAAI;CAE1D,MAAM,iBAAiB,MAAM,wBAAwB,aAAa;CAClE,MAAM,YAAY,sBACjB,MAAM,mBAAmB,aAAa,aAAa,WAAW;EAC7D,KAAK,aAAa;EAClB;EACA,CAAC,CACF;CACD,MAAM,oBAAoB,2BAA2B,UAAU;CAC/D,IAAI,sBAAsB,qBACzB,MAAM,IAAI,MACT,6CAA6C,oBAAoB,aAAa,kBAAkB,GAChG;CAEF,MAAM,cAAc,aAAa,OAAO;CACxC,MAAM,SAAS,uBAAuB;EACrC;EACA,mBAAmB,YAAY;EAC/B;EACA,CAAC;CACF,MAAM,WACL,qBAAqB,OAClB,6BAA6B,0BAA0B,aAAa,SAAS,EAAE,QAAQ,GACvF,4BAA4B,iBAAiB;CACjD,MAAM,0BAA0B,aAAa,UAAU,KAAK,cAAc;CAC1E,MAAM,2BAA2B,UAAU;CAC3C,MAAM,eAAe;EACpB;EACA;EACA;EACA,MAAM;EACN,sBAAsB;EACtB,YAAY,GACV,0BAA0B,QAAQ,GAAG;GACrC,SAAS,GAAG,0BAA0B,0BAA0B;GAChE,MAAM;GACN,KAAK;GACL,EACD;EACD;EACA,eAAe;EACf;CACD,gCAAgC;CAChC,QAAQ,OAAO,MAAM,GAAG,KAAK,UAAU,cAAc,MAAM,IAAK,CAAC,IAAI;CACrE,OAAO;;AAGR,SAAS,0BACR,UAC2C;CAC3C,IAAI,aAAa,KAAA,GAChB,MAAM,IAAI,MAAM,wEAAwE;CAEzF,OAAO;;AAGR,SAAS,6BACR,UACA,SACS;CAIT,OAAO,UAHM,SAAS,OAAO,KAAK,SAAS,IAAI,GAC5C,IAAI,SAAS,OAAO,KAAK,QAAQ,aAAa,GAAG,CAAC,KAClD,SAAS,OAAO,KACG,GAAG,OAAO,SAAS,OAAO,KAAK,CAAC,UAAU,mBAAmB,QAAQ,CAAC;;AAG7F,MAAM,sBAAsB,IAAI,IAAY;CAC3C;CACA;CACA;CACA;CACA,CAAC;AAYF,SAAS,4BACR,eAAmC,SACH;CAChC,MAAM,UAAU,CAAC,UAAU,UAAU;CACrC,OAAO,IAAI,SAAS,YAAY;EAC/B,MAAM,4BAAY,IAAI,KAAuC;EAC7D,KAAK,MAAM,UAAU,SAAS;GAC7B,MAAM,iBAAuB;IAC5B,KAAK,MAAM,CAAC,kBAAkB,uBAAuB,WACpD,aAAa,IAAI,kBAAkB,mBAAmB;IAEvD,QAAQ,OAAO;;GAEhB,UAAU,IAAI,QAAQ,SAAS;GAC/B,aAAa,KAAK,QAAQ,SAAS;;GAEnC;;AAGH,eAAsB,8BAA8B,OAGlC;CACjB,IAAI;EACH,MAAM,4BAA4B,MAAM,aAAa;WAC5C;EACT,MAAM,MAAM,OAAO,OAAO;;;AAI5B,SAAS,qBAAqB,OAA4C;CACzE,OAAO,oBAAoB,IAAI,MAAM;;AAGtC,SAAS,wBAAwB,OAA0C;CAC1E,MAAM,WAAW,SAAS;CAC1B,IAAI,CAAC,qBAAqB,SAAS,EAClC,MAAM,IAAI,MAAM,4BAA4B,SAAS,IAAI;CAE1D,OAAO;;AAGR,SAAS,6BAA6B,OAA8B;CACnE,IAAI,MAAM,SAAS,cAAc,MAAM,YAAY,KAAA,GAAW;EAC7D,QAAQ,OAAO,MAAM,GAAG,MAAM,QAAQ,IAAI;EAC1C;;CAED,IAAI,MAAM,SAAS,mBAAmB;EACrC,MAAM,UACL,MAAM,QAAQ,SAAS,SAAS,MAAM,QAAQ,OAAO,KAAK,UAAU,MAAM,QAAQ,MAAM;EACzF,QAAQ,OAAO,MAAM,GAAG,QAAQ,IAAI;EACpC;;CAED,IAAI,MAAM,SAAS,yBAClB,QAAQ,OAAO,MAAM,yBAAyB,MAAM,OAAO,IAAI;;AAIjE,eAAe,2BAA2B,OAKD;CACxC,IAAI,MAAM,aAAa,iBAAiB,KAAA,GAAW;EAClD,MAAM,YAAY,sBACjB,MAAM,MAAM,cAAc,MAAM,aAAa,aAAa,UAAU,CACpE;EACD,OAAO,oCAAoC;GAAE,UAAU,MAAM;GAAU;GAAW,CAAC;;CAEpF,OAAO,MAAM,qBAAqB;EACjC,QAAQ,MAAM,aAAa;EAC3B,SAAS,qBAAqB,MAAM,IAAI;EACxC,eAAe,MAAM;EACrB,CAAC;;AAGH,eAAe,eACd,MACA,cACkB;CAClB,MAAM,YAAY,SAAS,MAAM,eAAe;CAChD,MAAM,UAAU,SAAS,MAAM,UAAU;CACzC,MAAM,YAAY,SAAS,MAAM,UAAU;CAC3C,IAAI,cAAc,QAAQ,YAAY,QAAQ,cAAc,MAAM;EACjE,YAAY;EACZ,OAAO;;CAER,MAAM,WAAW,wBAAwB,SAAS,MAAM,SAAS,CAAC;CAClE,MAAM,QAAQ,KAAK,MAAM,MAAM,SAAS,WAAW,OAAO,CAAC;CAC3D,MAAM,iBAAiB,MAAM,wBAAwB,aAAa;CAClE,MAAM,iBAAiB,WACtB,mBAAmB,QAAQ;EAAE,KAAK,aAAa;EAAK;EAAgB,CAAC;CACtE,MAAM,CAAC,WAAW,gBAAgB,MAAM,QAAQ,IAAI,CACnD,cAAc,KAAK,WAAW,mBAAmB,CAAC,EAClD,oBAAoB,KAAK,WAAW,0BAA0B,CAAC,CAC/D,CAAC;CACF,IAAI,aAAa,OAAO,aAAa,KAAA,GACpC,MAAM,IAAI,MAAM,6BAA6B,QAAQ,IAAI;CAS1D,MAAM,iBAAiB,6BAA6B,EAAE,SADjC,gCAAgC;EAAE,UAAA,MANhC,2BAA2B;GACjD,UAAU,OAAO,KAAK,aAAa,OAAO;GAC1C,KAAK,aAAa;GAClB;GACA;GACA,CAAC;EAC+D;EAAc,CACJ,EAAE,CAAC;CAC9E,MAAM,kBAAkB,MAAM,uBAAuB;EAAE,QAAQ;EAAW;EAAe,CAAC;CAC1F,MAAM,kBAAkB,+BAA+B,EAAE,SAAS,iBAAiB,CAAC;CACpF,MAAM,oBAAoB,uBAAuB,aAAa;CAC9D,MAAM,OAAO,iBAAiB;EAC7B,cAAc;GACb,eAAe;GACf,0BAA0B,kBAAkB;GAC5C,qBAAqB,kBAAkB;GACvC,oBAAoB,kBAAkB;GACtC;EACD,WAAW,OAAO,OAAO,kBAAkB,eAAe,OAAO,MAAM,SAAS,cAAc;EAC9F,cAAc,kBAAkB;EAChC,SAAS;GACR,GAAG;GACH,kBAAkB,gBAAgB;GAClC;EACD,oBAAoB,gBAAgB,KAAK,WAAW,OAAO,UAAU;EACrE,CAAC;CACF,IAAI;EACH,MAAM,QAAQ,KAAK,iBAAiB;GACnC;GACA,cAAc;GACd,QAAQ;GACR,CAAC;EACF,MAAM,SAAS,MAAM,KAAK,wBAAwB,KAAK,WAAW;GAAE;GAAO;GAAO;GAAU,CAAC,EAAE,EAC9F,SAAS,8BACT,CAAC;EACF,QAAQ,OAAO,MAAM,GAAG,KAAK,UAAU,QAAQ,MAAM,IAAK,CAAC,IAAI;EAC/D,OAAO;WACE;EACT,MAAM,KAAK,OAAO;;;AAIpB,eAAsB,aACrB,MACA,QAAsC,EAAE,EACtB;CAClB,MAAM,CAAC,SAAS,aAAa,GAAG,YAAY;CAC5C,MAAM,eAAe;EACpB,KAAK,MAAM,OAAO,QAAQ;EAC1B,GAAI,MAAM,mBAAmB,KAAA,IAAY,EAAE,gBAAgB,MAAM,gBAAgB,GAAG,EAAE;EACtF;CACD,IAAI,CAAC,SAAS;EACb,YAAY;EACZ,OAAO;;CAGR,IAAI;EACH,IAAI,YAAY,aAAa;GAC5B,MAAM,CAAC,iBAAiB,GAAG,gBAAgB,KAAK,MAAM,EAAE;GACxD,IAAI,oBAAoB,SAAS;IAChC,MAAM,yBAAyB,aAAa;IAc5C,MAAM,8BAA8B,EAAE,QAAA,MAbjB,kBAAkB;KACtC,MAAM,yBAAyB,aAAa;KAC5C,KAAK,aAAa;KAClB,GAAI,2BAA2B,KAAA,IAC5B,EACA,gBAAgB,WACf,mBAAmB,QAAQ;MAC1B,KAAK,aAAa;MAClB,gBAAgB;MAChB,CAAC,EACH,GACA,EAAE;KACL,CAAC,EAC4C,CAAC;IAC/C,OAAO;;GAER,IAAI,oBAAoB,oBACvB,OAAO,+BAA+B;GAEvC,IAAI,oBAAoB,uBACvB,OAAO,MAAM,kBAAkB,cAAc,aAAa;GAE3D,YAAY;GACZ,OAAO;;EAER,IAAI,YAAY,SAAS;GACxB,YAAY;GACZ,OAAO;;EAER,IAAI,YAAY,oBAAoB;GACnC,YAAY;GACZ,OAAO;;EAER,IAAI,YAAY,QACf,OAAO,MAAM,eAAe,KAAK,MAAM,EAAE,EAAE,aAAa;EAEzD,IAAI,CAAC,aAAa;GACjB,YAAY;GACZ,OAAO;;EAER,MAAM,UAAU,MAAM,gBAAgB,YAAY;EAClD,QAAQ,SAAR;GACC,KAAK,YACJ,OAAO;GACR,KAAK,mBAAmB;IACvB,MAAM,kBAAkB,qBAAqB,SAAS;IACtD,IAAI,CAAC,iBAAiB;KACrB,YAAY;KACZ,OAAO;;IAGR,MAAM,MAAM,iBAAiB,EAAE,WAAW,MAAM,CAAC;IACjD,MAAM,UAAU,KAAK,iBAAiB,eAAe,EAAE,KAAK,UAAU,SAAS,MAAM,IAAK,CAAC;IAC3F,MAAM,UACL,KAAK,iBAAiB,aAAa,EACnC,kCAAkC,QAAQ,CAC1C;IACD,OAAO;;GAER;IACC,YAAY;IACZ,OAAO;;UAED,OAAO;EACf,QAAQ,OAAO,MAAM,GAAG,iBAAiB,QAAQ,MAAM,UAAU,OAAO,MAAM,CAAC,IAAI;EACnF,OAAO;;;AAUT,SAAgB,6BAA6B,UAAuC;CACnF,MAAM,iBAAiB,aAAa,KAAA,IAAY,KAAA,IAAY,SAAS,SAAS;CAC9E,OACC,mBAAmB,gBACnB,mBAAmB,mBACnB,mBAAmB;;AAIrB,IAAI,6BAA6B,QAAQ,KAAK,GAAG,EAChD,QAAQ,WAAW,MAAM,aAAa,QAAQ,KAAK,MAAM,EAAE,CAAC"}

package/dist/{catalog-types--gUGFPpN.d.ts → catalog-types-BVuB4Ynx.d.ts}

@@ -41,4 +41,4 @@ type PortalToolRecord = z.infer<typeof portalToolRecordSchema>;
 type PortalToolAnnotations = z.infer<typeof portalToolAnnotationsSchema>;
 //#endregion
 export { safeToolMetadataSchema as a, JsonPrimitive as c, isJsonObject as d, jsonObjectSchema as f, portalToolRecordSchema as i, JsonValue as l, PortalToolRecord as n, JsonArray as o, jsonValueSchema as p, portalToolAnnotationsSchema as r, JsonObject as s, PortalToolAnnotations as t, assertJsonObject as u };
-//# sourceMappingURL=catalog-types--gUGFPpN.d.ts.map
+//# sourceMappingURL=catalog-types-BVuB4Ynx.d.ts.map

package/dist/{catalog-types--gUGFPpN.d.ts.map → catalog-types-BVuB4Ynx.d.ts.map}

@@ -1 +1 @@
-{"version":3,"file":"catalog-types--gUGFPpN.d.ts","names":[],"sources":["../src/json-schema.ts","../src/catalog-types.ts"],"mappings":";;;KAEY,aAAA;AAAA,KACA,SAAA,GAAY,SAAA;AAAA,KACZ,UAAA;EAAA,CAAgB,GAAA,WAAc,SAAA;AAAA;AAAA,KAC9B,SAAA,GAAY,SAAA,GAAY,UAAA,GAAa,aAAA;AAAA,cAEpC,eAAA,EAAiB,CAAA,CAAE,OAAA,CAAQ,SAAA;AAAA,cAW3B,gBAAA,EAAkB,CAAA,CAAE,OAAA,CAAQ,UAAA;AAAA,iBAEzB,YAAA,CAAa,KAAA,YAAiB,KAAA,IAAS,UAAA;AAAA,iBAIvC,gBAAA,CAAiB,KAAA,WAAgB,KAAA,WAAgB,UAAA;;;cCmBpD,2BAAA,EAA2B,CAAA,CAAA,WAAA,CAAA,CAAA,CAAA,SAAA;;;;;;;cAW3B,sBAAA,EAAsB,CAAA,CAAA,WAAA,CAAA,CAAA,CAAA,OAAA,CAAA,UAAA,WAAA,CAAA,CAAA,IAAA,CAAA,iBAAA,CAAA,UAAA;AAAA,cAgBtB,sBAAA,EAAsB,CAAA,CAAA,SAAA;;;;;;;;;;;;;;;;KAavB,gBAAA,GAAmB,CAAA,CAAE,KAAA,QAAa,sBAAA;AAAA,KAClC,qBAAA,GAAwB,CAAA,CAAE,KAAA,QAAa,2BAAA"}
+{"version":3,"file":"catalog-types-BVuB4Ynx.d.ts","names":[],"sources":["../src/json-schema.ts","../src/catalog-types.ts"],"mappings":";;;KAEY,aAAA;AAAA,KACA,SAAA,GAAY,SAAA;AAAA,KACZ,UAAA;EAAA,CAAgB,GAAA,WAAc,SAAA;AAAA;AAAA,KAC9B,SAAA,GAAY,SAAA,GAAY,UAAA,GAAa,aAAA;AAAA,cAEpC,eAAA,EAAiB,CAAA,CAAE,OAAA,CAAQ,SAAA;AAAA,cAW3B,gBAAA,EAAkB,CAAA,CAAE,OAAA,CAAQ,UAAA;AAAA,iBAEzB,YAAA,CAAa,KAAA,YAAiB,KAAA,IAAS,UAAA;AAAA,iBAIvC,gBAAA,CAAiB,KAAA,WAAgB,KAAA,WAAgB,UAAA;;;cCmBpD,2BAAA,EAA2B,CAAA,CAAA,WAAA,CAAA,CAAA,CAAA,SAAA;;;;;;;cAW3B,sBAAA,EAAsB,CAAA,CAAA,WAAA,CAAA,CAAA,CAAA,OAAA,CAAA,UAAA,WAAA,CAAA,CAAA,IAAA,CAAA,iBAAA,CAAA,UAAA;AAAA,cAgBtB,sBAAA,EAAsB,CAAA,CAAA,SAAA;;;;;;;;;;;;;;;;KAavB,gBAAA,GAAmB,CAAA,CAAE,KAAA,QAAa,sBAAA;AAAA,KAClC,qBAAA,GAAwB,CAAA,CAAE,KAAA,QAAa,2BAAA"}