@aigne/afs-cli 1.11.0-beta.6 → 1.11.0-beta.8

package/dist/credential/cli-auth-context.cjs

@@ -0,0 +1,86 @@
+const require_rolldown_runtime = require('../_virtual/rolldown_runtime.cjs');
+const require_auth_server = require('./auth-server.cjs');
+let node_child_process = require("node:child_process");
+
+//#region src/credential/cli-auth-context.ts
+/**
+* CLI AuthContext implementation.
+*
+* Collects credentials by launching a local HTTP form in the browser.
+* Opens URLs via the platform `open` command.
+* Creates callback servers via the shared auth-server module.
+*/
+/**
+* Create a CLI AuthContext that collects credentials via a local browser form.
+*/
+function createCLIAuthContext(options) {
+	const resolved = options?.resolved ?? {};
+	const output = options?.output ?? process.stderr;
+	const openURLFn = options?.openURL ?? openURL;
+	return {
+		get resolved() {
+			return { ...resolved };
+		},
+		async collect(schema) {
+			const properties = schema.properties;
+			if (!properties || typeof properties !== "object") return {};
+			if (Object.keys(properties).length === 0) return {};
+			const server = await require_auth_server.createAuthServer();
+			const formURL = `${server.baseURL}/auth?nonce=${server.nonce}`;
+			const writeOutput = (text) => new Promise((resolve) => {
+				output.write(text, () => resolve());
+			});
+			await writeOutput(`\nPlease fill in credentials in your browser:\n${formURL}\n`);
+			try {
+				await openURLFn(formURL);
+			} catch {}
+			try {
+				return await server.waitForForm(schema, { title: "AFS Credential Collection" });
+			} finally {
+				server.close();
+			}
+		},
+		async createCallbackServer() {
+			const server = await require_auth_server.createAuthServer();
+			return {
+				callbackURL: server.callbackURL,
+				waitForCallback: server.waitForCallback.bind(server),
+				close: server.close.bind(server)
+			};
+		},
+		async requestOpenURL(url, message) {
+			const writeOutput = (text) => {
+				return new Promise((resolve) => {
+					output.write(text, () => resolve());
+				});
+			};
+			await writeOutput(`\n${message}\n`);
+			await writeOutput(`${url}\n`);
+			try {
+				await openURLFn(url);
+			} catch {}
+			return "accepted";
+		}
+	};
+}
+/**
+* Open a URL in the default browser using platform-specific commands.
+*/
+function openURL(url) {
+	const cmd = process.platform === "darwin" ? "open" : process.platform === "win32" ? "cmd" : "xdg-open";
+	const args = process.platform === "win32" ? [
+		"/c",
+		"start",
+		"",
+		url
+	] : [url];
+	return new Promise((resolve, reject) => {
+		(0, node_child_process.execFile)(cmd, args, (err) => {
+			if (err) reject(err);
+			else resolve();
+		});
+	});
+}
+
+//#endregion
+exports.createCLIAuthContext = createCLIAuthContext;

package/dist/credential/cli-auth-context.d.mts

@@ -0,0 +1 @@
+import { AuthContext } from "@aigne/afs";

package/dist/credential/cli-auth-context.mjs

@@ -0,0 +1,86 @@
+import { createAuthServer } from "./auth-server.mjs";
+import { execFile } from "node:child_process";
+
+//#region src/credential/cli-auth-context.ts
+/**
+* CLI AuthContext implementation.
+*
+* Collects credentials by launching a local HTTP form in the browser.
+* Opens URLs via the platform `open` command.
+* Creates callback servers via the shared auth-server module.
+*/
+/**
+* Create a CLI AuthContext that collects credentials via a local browser form.
+*/
+function createCLIAuthContext(options) {
+	const resolved = options?.resolved ?? {};
+	const output = options?.output ?? process.stderr;
+	const openURLFn = options?.openURL ?? openURL;
+	return {
+		get resolved() {
+			return { ...resolved };
+		},
+		async collect(schema) {
+			const properties = schema.properties;
+			if (!properties || typeof properties !== "object") return {};
+			if (Object.keys(properties).length === 0) return {};
+			const server = await createAuthServer();
+			const formURL = `${server.baseURL}/auth?nonce=${server.nonce}`;
+			const writeOutput = (text) => new Promise((resolve) => {
+				output.write(text, () => resolve());
+			});
+			await writeOutput(`\nPlease fill in credentials in your browser:\n${formURL}\n`);
+			try {
+				await openURLFn(formURL);
+			} catch {}
+			try {
+				return await server.waitForForm(schema, { title: "AFS Credential Collection" });
+			} finally {
+				server.close();
+			}
+		},
+		async createCallbackServer() {
+			const server = await createAuthServer();
+			return {
+				callbackURL: server.callbackURL,
+				waitForCallback: server.waitForCallback.bind(server),
+				close: server.close.bind(server)
+			};
+		},
+		async requestOpenURL(url, message) {
+			const writeOutput = (text) => {
+				return new Promise((resolve) => {
+					output.write(text, () => resolve());
+				});
+			};
+			await writeOutput(`\n${message}\n`);
+			await writeOutput(`${url}\n`);
+			try {
+				await openURLFn(url);
+			} catch {}
+			return "accepted";
+		}
+	};
+}
+/**
+* Open a URL in the default browser using platform-specific commands.
+*/
+function openURL(url) {
+	const cmd = process.platform === "darwin" ? "open" : process.platform === "win32" ? "cmd" : "xdg-open";
+	const args = process.platform === "win32" ? [
+		"/c",
+		"start",
+		"",
+		url
+	] : [url];
+	return new Promise((resolve, reject) => {
+		execFile(cmd, args, (err) => {
+			if (err) reject(err);
+			else resolve();
+		});
+	});
+}
+
+//#endregion
+export { createCLIAuthContext };
+//# sourceMappingURL=cli-auth-context.mjs.map

package/dist/credential/cli-auth-context.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"cli-auth-context.mjs","names":[],"sources":["../../src/credential/cli-auth-context.ts"],"sourcesContent":["/**\n * CLI AuthContext implementation.\n *\n * Collects credentials by launching a local HTTP form in the browser.\n * Opens URLs via the platform `open` command.\n * Creates callback servers via the shared auth-server module.\n */\n\nimport { execFile } from \"node:child_process\";\nimport type { AuthContext, CallbackServer, JSONSchema7 } from \"@aigne/afs\";\nimport { createAuthServer } from \"./auth-server.js\";\n\nexport interface CLIAuthContextOptions {\n  /** Pre-resolved fields from Step 2 (env/store/config) */\n  resolved?: Record<string, unknown>;\n  /** Output stream (for testing). Default: process.stderr */\n  output?: NodeJS.WritableStream;\n  /** Custom URL opener (for testing). Default: platform `open` command. */\n  openURL?: (url: string) => Promise<void>;\n}\n\n/**\n * Create a CLI AuthContext that collects credentials via a local browser form.\n */\nexport function createCLIAuthContext(options?: CLIAuthContextOptions): AuthContext {\n  const resolved = options?.resolved ?? {};\n  const output = options?.output ?? process.stderr;\n  const openURLFn = options?.openURL ?? openURL;\n\n  return {\n    get resolved() {\n      return { ...resolved };\n    },\n\n    async collect(schema: JSONSchema7): Promise<Record<string, unknown> | null> {\n      const properties = (schema as any).properties;\n      if (!properties || typeof properties !== \"object\") return {};\n      if (Object.keys(properties).length === 0) return {};\n\n      // Start auth server and open form in browser\n      const server = await createAuthServer();\n      const formURL = `${server.baseURL}/auth?nonce=${server.nonce}`;\n\n      const writeOutput = (text: string) =>\n        new Promise<void>((resolve) => {\n          (output as NodeJS.WritableStream).write(text, () => resolve());\n        });\n\n      await writeOutput(`\\nPlease fill in credentials in your browser:\\n${formURL}\\n`);\n\n      try {\n        await openURLFn(formURL);\n      } catch {\n        // Browser failed to open; URL is already printed above\n      }\n\n      try {\n        const result = await server.waitForForm(schema as Record<string, any>, {\n          title: \"AFS Credential Collection\",\n        });\n        return result;\n      } finally {\n        server.close();\n      }\n    },\n\n    async createCallbackServer(): Promise<CallbackServer> {\n      const server = await createAuthServer();\n      return {\n        callbackURL: server.callbackURL,\n        waitForCallback: server.waitForCallback.bind(server),\n        close: server.close.bind(server),\n      };\n    },\n\n    async requestOpenURL(\n      url: string,\n      message: string,\n    ): Promise<\"accepted\" | \"declined\" | \"cancelled\"> {\n      const writeOutput = (text: string) => {\n        return new Promise<void>((resolve) => {\n          (output as NodeJS.WritableStream).write(text, () => resolve());\n        });\n      };\n\n      await writeOutput(`\\n${message}\\n`);\n\n      await writeOutput(`${url}\\n`);\n\n      try {\n        await openURLFn(url);\n      } catch {\n        // Browser failed to open; URL is already printed above\n      }\n\n      return \"accepted\";\n    },\n  };\n}\n\n/**\n * Open a URL in the default browser using platform-specific commands.\n */\nfunction openURL(url: string): Promise<void> {\n  const cmd =\n    process.platform === \"darwin\" ? \"open\" : process.platform === \"win32\" ? \"cmd\" : \"xdg-open\";\n\n  const args = process.platform === \"win32\" ? [\"/c\", \"start\", \"\", url] : [url];\n\n  return new Promise((resolve, reject) => {\n    execFile(cmd, args, (err) => {\n      if (err) reject(err);\n      else resolve();\n    });\n  });\n}\n"],"mappings":";;;;;;;;;;;;;;AAwBA,SAAgB,qBAAqB,SAA8C;CACjF,MAAM,WAAW,SAAS,YAAY,EAAE;CACxC,MAAM,SAAS,SAAS,UAAU,QAAQ;CAC1C,MAAM,YAAY,SAAS,WAAW;AAEtC,QAAO;EACL,IAAI,WAAW;AACb,UAAO,EAAE,GAAG,UAAU;;EAGxB,MAAM,QAAQ,QAA8D;GAC1E,MAAM,aAAc,OAAe;AACnC,OAAI,CAAC,cAAc,OAAO,eAAe,SAAU,QAAO,EAAE;AAC5D,OAAI,OAAO,KAAK,WAAW,CAAC,WAAW,EAAG,QAAO,EAAE;GAGnD,MAAM,SAAS,MAAM,kBAAkB;GACvC,MAAM,UAAU,GAAG,OAAO,QAAQ,cAAc,OAAO;GAEvD,MAAM,eAAe,SACnB,IAAI,SAAe,YAAY;AAC7B,IAAC,OAAiC,MAAM,YAAY,SAAS,CAAC;KAC9D;AAEJ,SAAM,YAAY,kDAAkD,QAAQ,IAAI;AAEhF,OAAI;AACF,UAAM,UAAU,QAAQ;WAClB;AAIR,OAAI;AAIF,WAHe,MAAM,OAAO,YAAY,QAA+B,EACrE,OAAO,6BACR,CAAC;aAEM;AACR,WAAO,OAAO;;;EAIlB,MAAM,uBAAgD;GACpD,MAAM,SAAS,MAAM,kBAAkB;AACvC,UAAO;IACL,aAAa,OAAO;IACpB,iBAAiB,OAAO,gBAAgB,KAAK,OAAO;IACpD,OAAO,OAAO,MAAM,KAAK,OAAO;IACjC;;EAGH,MAAM,eACJ,KACA,SACgD;GAChD,MAAM,eAAe,SAAiB;AACpC,WAAO,IAAI,SAAe,YAAY;AACpC,KAAC,OAAiC,MAAM,YAAY,SAAS,CAAC;MAC9D;;AAGJ,SAAM,YAAY,KAAK,QAAQ,IAAI;AAEnC,SAAM,YAAY,GAAG,IAAI,IAAI;AAE7B,OAAI;AACF,UAAM,UAAU,IAAI;WACd;AAIR,UAAO;;EAEV;;;;;AAMH,SAAS,QAAQ,KAA4B;CAC3C,MAAM,MACJ,QAAQ,aAAa,WAAW,SAAS,QAAQ,aAAa,UAAU,QAAQ;CAElF,MAAM,OAAO,QAAQ,aAAa,UAAU;EAAC;EAAM;EAAS;EAAI;EAAI,GAAG,CAAC,IAAI;AAE5E,QAAO,IAAI,SAAS,SAAS,WAAW;AACtC,WAAS,KAAK,OAAO,QAAQ;AAC3B,OAAI,IAAK,QAAO,IAAI;OACf,UAAS;IACd;GACF"}

package/dist/credential/index.cjs

@@ -0,0 +1,5 @@
+const require_auth_server = require('./auth-server.cjs');
+const require_cli_auth_context = require('./cli-auth-context.cjs');
+const require_mcp_auth_context = require('./mcp-auth-context.cjs');
+const require_resolver = require('./resolver.cjs');
+const require_store = require('./store.cjs');

package/dist/credential/index.d.mts

@@ -0,0 +1,4 @@
+import "./cli-auth-context.mjs";
+import "./mcp-auth-context.mjs";
+import { CredentialStore, CredentialStoreOptions, Credentials, createCredentialStore } from "./store.mjs";
+import "./resolver.mjs";

package/dist/credential/index.mjs

@@ -0,0 +1,7 @@
+import { createAuthServer } from "./auth-server.mjs";
+import { createCLIAuthContext } from "./cli-auth-context.mjs";
+import { createMCPAuthContext } from "./mcp-auth-context.mjs";
+import { resolveCredentials } from "./resolver.mjs";
+import { createCredentialStore } from "./store.mjs";
+
+export {  };

package/dist/credential/mcp-auth-context.cjs

@@ -0,0 +1,186 @@
+const require_rolldown_runtime = require('../_virtual/rolldown_runtime.cjs');
+const require_auth_server = require('./auth-server.cjs');
+let node_crypto = require("node:crypto");
+let node_child_process = require("node:child_process");
+let _aigne_afs_utils_schema = require("@aigne/afs/utils/schema");
+
+//#region src/credential/mcp-auth-context.ts
+/**
+* MCP AuthContext implementation.
+*
+* Uses MCP elicitation protocol to collect credentials:
+* - Non-sensitive fields: form mode (Client renders UI)
+* - Sensitive fields: URL mode (local HTTP server, data never passes through Client/LLM)
+*
+* Requires an MCP Server instance that supports elicitation.
+*/
+/**
+* Create an MCP AuthContext for MCP-based credential collection.
+*/
+function createMCPAuthContext(options) {
+	const { server } = options;
+	const resolved = options.resolved ?? {};
+	const openURLFn = options.openURL;
+	return {
+		get resolved() {
+			return { ...resolved };
+		},
+		async collect(schema) {
+			const properties = schema.properties;
+			if (!properties || typeof properties !== "object") return {};
+			if (new Set((0, _aigne_afs_utils_schema.getSensitiveFields)(schema)).size > 0) {
+				try {
+					return await collectViaURLMode(server, schema);
+				} catch (err) {
+					if (!(err instanceof ElicitationUnsupportedError)) throw err;
+				}
+				return collectViaBrowser(schema, openURLFn);
+			}
+			try {
+				return await collectViaFormMode(server, schema);
+			} catch (err) {
+				if (!(err instanceof ElicitationUnsupportedError)) throw err;
+			}
+			return collectViaBrowser(schema, openURLFn);
+		},
+		async createCallbackServer() {
+			const authServer = await require_auth_server.createAuthServer();
+			return {
+				callbackURL: authServer.callbackURL,
+				waitForCallback: authServer.waitForCallback.bind(authServer),
+				close: authServer.close.bind(authServer)
+			};
+		},
+		async requestOpenURL(url, message) {
+			try {
+				const elicitationId = (0, node_crypto.randomBytes)(16).toString("hex");
+				const result = await server.elicitInput({
+					mode: "url",
+					message,
+					url,
+					elicitationId
+				});
+				if (result.action === "accept") return "accepted";
+				if (result.action === "decline") return "declined";
+				return "cancelled";
+			} catch {
+				return "cancelled";
+			}
+		}
+	};
+}
+/** Sentinel error: elicitation mode not supported by client */
+var ElicitationUnsupportedError = class extends Error {
+	constructor(mode) {
+		super(`Client does not support ${mode} elicitation`);
+	}
+};
+/**
+* Collect non-sensitive fields via MCP form mode elicitation.
+*
+* @throws ElicitationUnsupportedError if client doesn't support form mode
+* @returns collected values, or null if user declined/cancelled
+*/
+async function collectViaFormMode(server, schema) {
+	const properties = schema.properties || {};
+	const required = schema.required || [];
+	const formProperties = {};
+	for (const [key, prop] of Object.entries(properties)) formProperties[key] = {
+		type: "string",
+		...prop.description ? { description: prop.description } : {},
+		...prop.title ? { title: prop.title } : {},
+		...prop.default != null ? { default: prop.default } : {}
+	};
+	try {
+		const result = await server.elicitInput({
+			mode: "form",
+			message: "Please provide the required configuration:",
+			requestedSchema: {
+				type: "object",
+				properties: formProperties,
+				required
+			}
+		});
+		if (result.action === "accept" && result.content) return result.content;
+		return null;
+	} catch {
+		throw new ElicitationUnsupportedError("form");
+	}
+}
+/**
+* Collect fields containing sensitive data via URL mode.
+* Starts a local HTTP server, sends URL mode elicitation so Client opens the browser.
+* Form data goes directly from browser to local server (never through Client/LLM).
+*
+* @throws ElicitationUnsupportedError if client doesn't support URL mode
+* @returns collected values, or null if user declined/cancelled
+*/
+async function collectViaURLMode(server, schema) {
+	const authServer = await require_auth_server.createAuthServer();
+	try {
+		const elicitationId = (0, node_crypto.randomBytes)(16).toString("hex");
+		const formURL = `${authServer.baseURL}/auth?nonce=${authServer.nonce}`;
+		let elicitResult;
+		try {
+			elicitResult = await server.elicitInput({
+				mode: "url",
+				message: "Please fill in the credential form in your browser:",
+				url: formURL,
+				elicitationId
+			});
+		} catch {
+			throw new ElicitationUnsupportedError("url");
+		}
+		if (elicitResult.action !== "accept") return null;
+		const result = await authServer.waitForForm(schema, {
+			title: "AFS Credential Collection",
+			timeout: 12e4
+		});
+		try {
+			await server.createElicitationCompletionNotifier(elicitationId)();
+		} catch {}
+		return result;
+	} finally {
+		authServer.close();
+	}
+}
+/**
+* Fallback: collect credentials by opening a browser directly.
+* Used when MCP client doesn't support elicitation protocol.
+*/
+async function collectViaBrowser(schema, openURLFn) {
+	const properties = schema.properties || {};
+	if (Object.keys(properties).length === 0) return {};
+	const authServer = await require_auth_server.createAuthServer();
+	const formURL = `${authServer.baseURL}/auth?nonce=${authServer.nonce}`;
+	console.error(`\nPlease fill in credentials in your browser:\n${formURL}`);
+	try {
+		await (openURLFn ?? openURL)(formURL);
+	} catch {}
+	try {
+		return await authServer.waitForForm(schema, { title: "AFS Credential Collection" });
+	} finally {
+		authServer.close();
+	}
+}
+/**
+* Open a URL in the default browser.
+*/
+function openURL(url) {
+	const cmd = process.platform === "darwin" ? "open" : process.platform === "win32" ? "cmd" : "xdg-open";
+	const args = process.platform === "win32" ? [
+		"/c",
+		"start",
+		"",
+		url
+	] : [url];
+	return new Promise((resolve, reject) => {
+		(0, node_child_process.execFile)(cmd, args, (err) => {
+			if (err) reject(err);
+			else resolve();
+		});
+	});
+}
+
+//#endregion
+exports.createMCPAuthContext = createMCPAuthContext;

package/dist/credential/mcp-auth-context.d.mts

@@ -0,0 +1 @@
+import { AuthContext } from "@aigne/afs";

package/dist/credential/mcp-auth-context.mjs

@@ -0,0 +1,186 @@
+import { createAuthServer } from "./auth-server.mjs";
+import { randomBytes } from "node:crypto";
+import { execFile } from "node:child_process";
+import { getSensitiveFields } from "@aigne/afs/utils/schema";
+
+//#region src/credential/mcp-auth-context.ts
+/**
+* MCP AuthContext implementation.
+*
+* Uses MCP elicitation protocol to collect credentials:
+* - Non-sensitive fields: form mode (Client renders UI)
+* - Sensitive fields: URL mode (local HTTP server, data never passes through Client/LLM)
+*
+* Requires an MCP Server instance that supports elicitation.
+*/
+/**
+* Create an MCP AuthContext for MCP-based credential collection.
+*/
+function createMCPAuthContext(options) {
+	const { server } = options;
+	const resolved = options.resolved ?? {};
+	const openURLFn = options.openURL;
+	return {
+		get resolved() {
+			return { ...resolved };
+		},
+		async collect(schema) {
+			const properties = schema.properties;
+			if (!properties || typeof properties !== "object") return {};
+			if (new Set(getSensitiveFields(schema)).size > 0) {
+				try {
+					return await collectViaURLMode(server, schema);
+				} catch (err) {
+					if (!(err instanceof ElicitationUnsupportedError)) throw err;
+				}
+				return collectViaBrowser(schema, openURLFn);
+			}
+			try {
+				return await collectViaFormMode(server, schema);
+			} catch (err) {
+				if (!(err instanceof ElicitationUnsupportedError)) throw err;
+			}
+			return collectViaBrowser(schema, openURLFn);
+		},
+		async createCallbackServer() {
+			const authServer = await createAuthServer();
+			return {
+				callbackURL: authServer.callbackURL,
+				waitForCallback: authServer.waitForCallback.bind(authServer),
+				close: authServer.close.bind(authServer)
+			};
+		},
+		async requestOpenURL(url, message) {
+			try {
+				const elicitationId = randomBytes(16).toString("hex");
+				const result = await server.elicitInput({
+					mode: "url",
+					message,
+					url,
+					elicitationId
+				});
+				if (result.action === "accept") return "accepted";
+				if (result.action === "decline") return "declined";
+				return "cancelled";
+			} catch {
+				return "cancelled";
+			}
+		}
+	};
+}
+/** Sentinel error: elicitation mode not supported by client */
+var ElicitationUnsupportedError = class extends Error {
+	constructor(mode) {
+		super(`Client does not support ${mode} elicitation`);
+	}
+};
+/**
+* Collect non-sensitive fields via MCP form mode elicitation.
+*
+* @throws ElicitationUnsupportedError if client doesn't support form mode
+* @returns collected values, or null if user declined/cancelled
+*/
+async function collectViaFormMode(server, schema) {
+	const properties = schema.properties || {};
+	const required = schema.required || [];
+	const formProperties = {};
+	for (const [key, prop] of Object.entries(properties)) formProperties[key] = {
+		type: "string",
+		...prop.description ? { description: prop.description } : {},
+		...prop.title ? { title: prop.title } : {},
+		...prop.default != null ? { default: prop.default } : {}
+	};
+	try {
+		const result = await server.elicitInput({
+			mode: "form",
+			message: "Please provide the required configuration:",
+			requestedSchema: {
+				type: "object",
+				properties: formProperties,
+				required
+			}
+		});
+		if (result.action === "accept" && result.content) return result.content;
+		return null;
+	} catch {
+		throw new ElicitationUnsupportedError("form");
+	}
+}
+/**
+* Collect fields containing sensitive data via URL mode.
+* Starts a local HTTP server, sends URL mode elicitation so Client opens the browser.
+* Form data goes directly from browser to local server (never through Client/LLM).
+*
+* @throws ElicitationUnsupportedError if client doesn't support URL mode
+* @returns collected values, or null if user declined/cancelled
+*/
+async function collectViaURLMode(server, schema) {
+	const authServer = await createAuthServer();
+	try {
+		const elicitationId = randomBytes(16).toString("hex");
+		const formURL = `${authServer.baseURL}/auth?nonce=${authServer.nonce}`;
+		let elicitResult;
+		try {
+			elicitResult = await server.elicitInput({
+				mode: "url",
+				message: "Please fill in the credential form in your browser:",
+				url: formURL,
+				elicitationId
+			});
+		} catch {
+			throw new ElicitationUnsupportedError("url");
+		}
+		if (elicitResult.action !== "accept") return null;
+		const result = await authServer.waitForForm(schema, {
+			title: "AFS Credential Collection",
+			timeout: 12e4
+		});
+		try {
+			await server.createElicitationCompletionNotifier(elicitationId)();
+		} catch {}
+		return result;
+	} finally {
+		authServer.close();
+	}
+}
+/**
+* Fallback: collect credentials by opening a browser directly.
+* Used when MCP client doesn't support elicitation protocol.
+*/
+async function collectViaBrowser(schema, openURLFn) {
+	const properties = schema.properties || {};
+	if (Object.keys(properties).length === 0) return {};
+	const authServer = await createAuthServer();
+	const formURL = `${authServer.baseURL}/auth?nonce=${authServer.nonce}`;
+	console.error(`\nPlease fill in credentials in your browser:\n${formURL}`);
+	try {
+		await (openURLFn ?? openURL)(formURL);
+	} catch {}
+	try {
+		return await authServer.waitForForm(schema, { title: "AFS Credential Collection" });
+	} finally {
+		authServer.close();
+	}
+}
+/**
+* Open a URL in the default browser.
+*/
+function openURL(url) {
+	const cmd = process.platform === "darwin" ? "open" : process.platform === "win32" ? "cmd" : "xdg-open";
+	const args = process.platform === "win32" ? [
+		"/c",
+		"start",
+		"",
+		url
+	] : [url];
+	return new Promise((resolve, reject) => {
+		execFile(cmd, args, (err) => {
+			if (err) reject(err);
+			else resolve();
+		});
+	});
+}
+
+//#endregion
+export { createMCPAuthContext };
+//# sourceMappingURL=mcp-auth-context.mjs.map

package/dist/credential/mcp-auth-context.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"mcp-auth-context.mjs","names":[],"sources":["../../src/credential/mcp-auth-context.ts"],"sourcesContent":["/**\n * MCP AuthContext implementation.\n *\n * Uses MCP elicitation protocol to collect credentials:\n * - Non-sensitive fields: form mode (Client renders UI)\n * - Sensitive fields: URL mode (local HTTP server, data never passes through Client/LLM)\n *\n * Requires an MCP Server instance that supports elicitation.\n */\n\nimport { execFile } from \"node:child_process\";\nimport { randomBytes } from \"node:crypto\";\nimport type { AuthContext, CallbackServer, JSONSchema7 } from \"@aigne/afs\";\nimport { getSensitiveFields } from \"@aigne/afs/utils/schema\";\nimport type { Server } from \"@modelcontextprotocol/sdk/server/index.js\";\nimport { createAuthServer } from \"./auth-server.js\";\n\nexport interface MCPAuthContextOptions {\n  /** The MCP Server instance (for sending elicitation requests) */\n  server: Server;\n  /** Pre-resolved fields from Step 2 (env/store/config) */\n  resolved?: Record<string, unknown>;\n  /** Override browser URL opener (for testing). Falls back to platform-default open. */\n  openURL?: (url: string) => Promise<void>;\n}\n\n/**\n * Create an MCP AuthContext for MCP-based credential collection.\n */\nexport function createMCPAuthContext(options: MCPAuthContextOptions): AuthContext {\n  const { server } = options;\n  const resolved = options.resolved ?? {};\n  const openURLFn = options.openURL;\n\n  return {\n    get resolved() {\n      return { ...resolved };\n    },\n\n    async collect(schema: JSONSchema7): Promise<Record<string, unknown> | null> {\n      const properties = (schema as any).properties;\n      if (!properties || typeof properties !== \"object\") return {};\n\n      const sensitiveFields = new Set(getSensitiveFields(schema));\n      const hasSensitive = sensitiveFields.size > 0;\n\n      // Strategy: try elicitation first, fall back to browser if client doesn't support it.\n      // ElicitationUnsupportedError means \"not supported\" → try next mode.\n      // null means \"user declined/cancelled\" → stop and return null.\n\n      if (hasSensitive) {\n        // Sensitive fields: try URL mode (data stays local, never through Client/LLM)\n        try {\n          return await collectViaURLMode(server, schema);\n        } catch (err) {\n          if (!(err instanceof ElicitationUnsupportedError)) throw err;\n        }\n        // URL mode not supported — browser fallback (also keeps data local)\n        return collectViaBrowser(schema, openURLFn);\n      }\n\n      // Non-sensitive only: try form mode (Client renders UI)\n      try {\n        return await collectViaFormMode(server, schema);\n      } catch (err) {\n        if (!(err instanceof ElicitationUnsupportedError)) throw err;\n      }\n\n      // Form mode not supported — browser fallback\n      return collectViaBrowser(schema, openURLFn);\n    },\n\n    async createCallbackServer(): Promise<CallbackServer> {\n      const authServer = await createAuthServer();\n      return {\n        callbackURL: authServer.callbackURL,\n        waitForCallback: authServer.waitForCallback.bind(authServer),\n        close: authServer.close.bind(authServer),\n      };\n    },\n\n    async requestOpenURL(\n      url: string,\n      message: string,\n    ): Promise<\"accepted\" | \"declined\" | \"cancelled\"> {\n      try {\n        const elicitationId = randomBytes(16).toString(\"hex\");\n        const result = await server.elicitInput({\n          mode: \"url\",\n          message,\n          url,\n          elicitationId,\n        });\n\n        if (result.action === \"accept\") return \"accepted\";\n        if (result.action === \"decline\") return \"declined\";\n        return \"cancelled\";\n      } catch {\n        // Client doesn't support elicitation — try direct open\n        return \"cancelled\";\n      }\n    },\n  };\n}\n\n/** Sentinel error: elicitation mode not supported by client */\nclass ElicitationUnsupportedError extends Error {\n  constructor(mode: string) {\n    super(`Client does not support ${mode} elicitation`);\n  }\n}\n\n/**\n * Collect non-sensitive fields via MCP form mode elicitation.\n *\n * @throws ElicitationUnsupportedError if client doesn't support form mode\n * @returns collected values, or null if user declined/cancelled\n */\nasync function collectViaFormMode(\n  server: Server,\n  schema: JSONSchema7,\n): Promise<Record<string, unknown> | null> {\n  const properties = (schema as any).properties || {};\n  const required = (schema as any).required || [];\n\n  // Build elicitation form schema (simplified for MCP form mode)\n  const formProperties: Record<string, any> = {};\n  for (const [key, prop] of Object.entries(properties) as [string, any][]) {\n    formProperties[key] = {\n      type: \"string\",\n      ...(prop.description ? { description: prop.description } : {}),\n      ...(prop.title ? { title: prop.title } : {}),\n      ...(prop.default != null ? { default: prop.default } : {}),\n    };\n  }\n\n  try {\n    const result = await server.elicitInput({\n      mode: \"form\",\n      message: \"Please provide the required configuration:\",\n      requestedSchema: {\n        type: \"object\" as const,\n        properties: formProperties,\n        required,\n      },\n    });\n\n    if (result.action === \"accept\" && result.content) {\n      return result.content as Record<string, unknown>;\n    }\n\n    // User declined or cancelled\n    return null;\n  } catch {\n    // Client doesn't support form elicitation\n    throw new ElicitationUnsupportedError(\"form\");\n  }\n}\n\n/**\n * Collect fields containing sensitive data via URL mode.\n * Starts a local HTTP server, sends URL mode elicitation so Client opens the browser.\n * Form data goes directly from browser to local server (never through Client/LLM).\n *\n * @throws ElicitationUnsupportedError if client doesn't support URL mode\n * @returns collected values, or null if user declined/cancelled\n */\nasync function collectViaURLMode(\n  server: Server,\n  schema: JSONSchema7,\n): Promise<Record<string, unknown> | null> {\n  const authServer = await createAuthServer();\n\n  try {\n    const elicitationId = randomBytes(16).toString(\"hex\");\n    const formURL = `${authServer.baseURL}/auth?nonce=${authServer.nonce}`;\n\n    // Send URL mode elicitation to client — let errors propagate\n    let elicitResult: { action: string };\n    try {\n      elicitResult = await server.elicitInput({\n        mode: \"url\",\n        message: \"Please fill in the credential form in your browser:\",\n        url: formURL,\n        elicitationId,\n      });\n    } catch {\n      // Client doesn't support URL elicitation\n      throw new ElicitationUnsupportedError(\"url\");\n    }\n\n    if (elicitResult.action !== \"accept\") {\n      // User declined or cancelled\n      return null;\n    }\n\n    // Client accepted — wait for form submission with timeout\n    const result = await authServer.waitForForm(schema as Record<string, any>, {\n      title: \"AFS Credential Collection\",\n      timeout: 120_000, // 2-minute safety timeout\n    });\n\n    // Notify client that elicitation is complete\n    try {\n      const notifyComplete = server.createElicitationCompletionNotifier(elicitationId);\n      await notifyComplete();\n    } catch {\n      // Notification failure is non-critical\n    }\n\n    return result;\n  } finally {\n    authServer.close();\n  }\n}\n\n/**\n * Fallback: collect credentials by opening a browser directly.\n * Used when MCP client doesn't support elicitation protocol.\n */\nasync function collectViaBrowser(\n  schema: JSONSchema7,\n  openURLFn?: (url: string) => Promise<void>,\n): Promise<Record<string, unknown> | null> {\n  const properties = (schema as any).properties || {};\n  if (Object.keys(properties).length === 0) return {};\n\n  const authServer = await createAuthServer();\n  const formURL = `${authServer.baseURL}/auth?nonce=${authServer.nonce}`;\n\n  console.error(`\\nPlease fill in credentials in your browser:\\n${formURL}`);\n\n  try {\n    await (openURLFn ?? openURL)(formURL);\n  } catch {\n    // Browser failed to open; URL is already printed above\n  }\n\n  try {\n    const result = await authServer.waitForForm(schema as Record<string, any>, {\n      title: \"AFS Credential Collection\",\n    });\n    return result;\n  } finally {\n    authServer.close();\n  }\n}\n\n/**\n * Open a URL in the default browser.\n */\nfunction openURL(url: string): Promise<void> {\n  const cmd =\n    process.platform === \"darwin\" ? \"open\" : process.platform === \"win32\" ? \"cmd\" : \"xdg-open\";\n\n  const args = process.platform === \"win32\" ? [\"/c\", \"start\", \"\", url] : [url];\n\n  return new Promise((resolve, reject) => {\n    execFile(cmd, args, (err) => {\n      if (err) reject(err);\n      else resolve();\n    });\n  });\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;AA6BA,SAAgB,qBAAqB,SAA6C;CAChF,MAAM,EAAE,WAAW;CACnB,MAAM,WAAW,QAAQ,YAAY,EAAE;CACvC,MAAM,YAAY,QAAQ;AAE1B,QAAO;EACL,IAAI,WAAW;AACb,UAAO,EAAE,GAAG,UAAU;;EAGxB,MAAM,QAAQ,QAA8D;GAC1E,MAAM,aAAc,OAAe;AACnC,OAAI,CAAC,cAAc,OAAO,eAAe,SAAU,QAAO,EAAE;AAS5D,OAPwB,IAAI,IAAI,mBAAmB,OAAO,CAAC,CACtB,OAAO,GAM1B;AAEhB,QAAI;AACF,YAAO,MAAM,kBAAkB,QAAQ,OAAO;aACvC,KAAK;AACZ,SAAI,EAAE,eAAe,6BAA8B,OAAM;;AAG3D,WAAO,kBAAkB,QAAQ,UAAU;;AAI7C,OAAI;AACF,WAAO,MAAM,mBAAmB,QAAQ,OAAO;YACxC,KAAK;AACZ,QAAI,EAAE,eAAe,6BAA8B,OAAM;;AAI3D,UAAO,kBAAkB,QAAQ,UAAU;;EAG7C,MAAM,uBAAgD;GACpD,MAAM,aAAa,MAAM,kBAAkB;AAC3C,UAAO;IACL,aAAa,WAAW;IACxB,iBAAiB,WAAW,gBAAgB,KAAK,WAAW;IAC5D,OAAO,WAAW,MAAM,KAAK,WAAW;IACzC;;EAGH,MAAM,eACJ,KACA,SACgD;AAChD,OAAI;IACF,MAAM,gBAAgB,YAAY,GAAG,CAAC,SAAS,MAAM;IACrD,MAAM,SAAS,MAAM,OAAO,YAAY;KACtC,MAAM;KACN;KACA;KACA;KACD,CAAC;AAEF,QAAI,OAAO,WAAW,SAAU,QAAO;AACvC,QAAI,OAAO,WAAW,UAAW,QAAO;AACxC,WAAO;WACD;AAEN,WAAO;;;EAGZ;;;AAIH,IAAM,8BAAN,cAA0C,MAAM;CAC9C,YAAY,MAAc;AACxB,QAAM,2BAA2B,KAAK,cAAc;;;;;;;;;AAUxD,eAAe,mBACb,QACA,QACyC;CACzC,MAAM,aAAc,OAAe,cAAc,EAAE;CACnD,MAAM,WAAY,OAAe,YAAY,EAAE;CAG/C,MAAM,iBAAsC,EAAE;AAC9C,MAAK,MAAM,CAAC,KAAK,SAAS,OAAO,QAAQ,WAAW,CAClD,gBAAe,OAAO;EACpB,MAAM;EACN,GAAI,KAAK,cAAc,EAAE,aAAa,KAAK,aAAa,GAAG,EAAE;EAC7D,GAAI,KAAK,QAAQ,EAAE,OAAO,KAAK,OAAO,GAAG,EAAE;EAC3C,GAAI,KAAK,WAAW,OAAO,EAAE,SAAS,KAAK,SAAS,GAAG,EAAE;EAC1D;AAGH,KAAI;EACF,MAAM,SAAS,MAAM,OAAO,YAAY;GACtC,MAAM;GACN,SAAS;GACT,iBAAiB;IACf,MAAM;IACN,YAAY;IACZ;IACD;GACF,CAAC;AAEF,MAAI,OAAO,WAAW,YAAY,OAAO,QACvC,QAAO,OAAO;AAIhB,SAAO;SACD;AAEN,QAAM,IAAI,4BAA4B,OAAO;;;;;;;;;;;AAYjD,eAAe,kBACb,QACA,QACyC;CACzC,MAAM,aAAa,MAAM,kBAAkB;AAE3C,KAAI;EACF,MAAM,gBAAgB,YAAY,GAAG,CAAC,SAAS,MAAM;EACrD,MAAM,UAAU,GAAG,WAAW,QAAQ,cAAc,WAAW;EAG/D,IAAI;AACJ,MAAI;AACF,kBAAe,MAAM,OAAO,YAAY;IACtC,MAAM;IACN,SAAS;IACT,KAAK;IACL;IACD,CAAC;UACI;AAEN,SAAM,IAAI,4BAA4B,MAAM;;AAG9C,MAAI,aAAa,WAAW,SAE1B,QAAO;EAIT,MAAM,SAAS,MAAM,WAAW,YAAY,QAA+B;GACzE,OAAO;GACP,SAAS;GACV,CAAC;AAGF,MAAI;AAEF,SADuB,OAAO,oCAAoC,cAAc,EAC1D;UAChB;AAIR,SAAO;WACC;AACR,aAAW,OAAO;;;;;;;AAQtB,eAAe,kBACb,QACA,WACyC;CACzC,MAAM,aAAc,OAAe,cAAc,EAAE;AACnD,KAAI,OAAO,KAAK,WAAW,CAAC,WAAW,EAAG,QAAO,EAAE;CAEnD,MAAM,aAAa,MAAM,kBAAkB;CAC3C,MAAM,UAAU,GAAG,WAAW,QAAQ,cAAc,WAAW;AAE/D,SAAQ,MAAM,kDAAkD,UAAU;AAE1E,KAAI;AACF,SAAO,aAAa,SAAS,QAAQ;SAC/B;AAIR,KAAI;AAIF,SAHe,MAAM,WAAW,YAAY,QAA+B,EACzE,OAAO,6BACR,CAAC;WAEM;AACR,aAAW,OAAO;;;;;;AAOtB,SAAS,QAAQ,KAA4B;CAC3C,MAAM,MACJ,QAAQ,aAAa,WAAW,SAAS,QAAQ,aAAa,UAAU,QAAQ;CAElF,MAAM,OAAO,QAAQ,aAAa,UAAU;EAAC;EAAM;EAAS;EAAI;EAAI,GAAG,CAAC,IAAI;AAE5E,QAAO,IAAI,SAAS,SAAS,WAAW;AACtC,WAAS,KAAK,OAAO,QAAQ;AAC3B,OAAI,IAAK,QAAO,IAAI;OACf,UAAS;IACd;GACF"}