@authsec/sdk 4.0.0

package/README.md

@@ -0,0 +1,253 @@
+# AuthSec TypeScript SDK (`@authsec/sdk`)
+
+Add OAuth + RBAC protection to MCP tools and wrappers in TypeScript/JavaScript.
+
+This SDK lets you:
+- Protect tools with `protectedByAuthSec(...)`
+- Register public tools with `mcpTool(...)`
+- Run an MCP server with `runMcpServerWithOAuth(...)`
+- Wrap another MCP server (for example memory server) and enforce AuthSec in front of it
+
+## Package
+
+- Name: `@authsec/sdk`
+- Node: `>=18`
+- Entry: `dist/index.js`
+
+## Install
+
+```bash
+cd packages/typescript-sdk
+npm install
+npm run build
+```
+
+Consumer install:
+
+```bash
+npm install @authsec/sdk
+```
+
+## Quick Start
+
+```ts
+import {
+  mcpTool,
+  protectedByAuthSec,
+  runMcpServerWithOAuth,
+} from "@authsec/sdk";
+
+const ping = mcpTool(
+  {
+    name: "ping",
+    description: "Health check",
+    inputSchema: {
+      type: "object",
+      properties: {},
+      required: [],
+    },
+  },
+  async () => [{ type: "text", text: "pong" }]
+);
+
+const deleteInvoice = protectedByAuthSec(
+  {
+    toolName: "delete_invoice",
+    roles: ["admin"],
+    scopes: ["write"],
+    requireAll: true,
+    description: "Delete invoice by id",
+    inputSchema: {
+      type: "object",
+      properties: {
+        invoice_id: { type: "string" },
+        session_id: { type: "string" },
+      },
+      required: ["invoice_id"],
+    },
+  },
+  async (args) => {
+    const user = args?._user_info?.email_id ?? "unknown-user";
+    return [{ type: "text", text: `Deleted ${args.invoice_id} by ${user}` }];
+  }
+);
+
+runMcpServerWithOAuth({
+  tools: [ping, deleteInvoice],
+  clientId: process.env.AUTHSEC_CLIENT_ID!,
+  appName: "my-ts-mcp",
+  host: "127.0.0.1",
+  port: 3005,
+});
+```
+
+Run:
+
+```bash
+AUTHSEC_CLIENT_ID="YOUR_CLIENT_ID" \
+AUTHSEC_AUTH_SERVICE_URL="https://dev.api.authsec.dev/sdkmgr/mcp-auth" \
+AUTHSEC_SERVICES_URL="https://dev.api.authsec.dev/sdkmgr/services" \
+node <your-compiled-server-entry>.js
+```
+
+## Wrapping an Existing MCP Server (Memory Example)
+
+This repo includes a ready wrapper:
+
+- `packages/typescript-sdk/examples/memory-authsec-wrapper.mjs`
+
+It:
+- Connects to upstream memory MCP server over stdio
+- Reads upstream tool list
+- Wraps each tool with `protectedByAuthSec(...)`
+- Exposes a new AuthSec-protected MCP server on `HOST:PORT`
+
+### Run locally
+
+```bash
+cd packages/typescript-sdk
+npm install
+npm run build
+
+AUTHSEC_CLIENT_ID="YOUR_CLIENT_ID" \
+PORT=3005 \
+HOST=127.0.0.1 \
+node examples/memory-authsec-wrapper.mjs
+```
+
+### Optional wrapper env vars
+
+- `AUTHSEC_APP_NAME` (default: autogenerated)
+- `MEMORY_SERVER_COMMAND` (default: `npx`)
+- `MEMORY_SERVER_ARGS_JSON` (default: `["-y","@modelcontextprotocol/server-memory"]`)
+- `AUTHSEC_TOOL_ROLES_JSON` (per-tool RBAC map)
+- `MEMORY_FILE_PATH` (memory server persistence path)
+
+Example RBAC map:
+
+```bash
+AUTHSEC_TOOL_ROLES_JSON='{"create_entities":["admin"],"delete_entities":["admin"]}'
+```
+
+## How Protection Works
+
+1. `tools/list` asks SDK Manager for OAuth + protected tool visibility.
+2. `oauth_*` tools are delegated upstream to SDK Manager.
+3. Protected tool call triggers upstream `protect-tool` check.
+4. On success, handler receives:
+- `args.session_id` (resolved session)
+- `args._user_info` (claims)
+
+Auth behavior note:
+- OAuth/auth decisions are delegated upstream to SDK Manager.
+- Keep local wrappers as thin transport/proxy layers; do not add local auth bypass logic in production.
+
+## Environment Variables
+
+SDK runtime:
+- `AUTHSEC_AUTH_SERVICE_URL` (default dev URL)
+- `AUTHSEC_SERVICES_URL` (default dev URL)
+- `AUTHSEC_TIMEOUT_SECONDS` (default `15`)
+- `AUTHSEC_RETRIES` (default `2`)
+- `AUTHSEC_TOOLS_LIST_TIMEOUT_SECONDS` (default `8`)
+
+Server runtime:
+- `AUTHSEC_CLIENT_ID` (required by your app wrapper)
+- `AUTHSEC_APP_NAME` (optional app name)
+- `HOST` / `PORT`
+
+Note:
+- Tool filtering policy for hidden/visible protected tools is controlled in SDK Manager service configuration.
+
+## Troubleshooting
+
+- `MODULE_NOT_FOUND` when running example path
+  - Check exact file path and avoid trailing spaces in command.
+- `OAuth tool failed: ... released back to the pool`
+  - SDK Manager backend deployment issue, not wrapper syntax.
+- `verifyToken failed: 404`
+  - SDK Manager `AUTH_MANAGER_URL` is likely wrong for environment; ensure dev/prod endpoint is correct.
+- Tools visible but calls denied
+  - Expected when server is configured to expose all tools and enforce RBAC at call-time.
+
+## Prompt Template (Copy/Paste)
+
+Use this prompt with any coding LLM to secure an MCP server with `@authsec/sdk`:
+
+```text
+You are editing a TypeScript MCP server codebase.
+
+Goal:
+1) Add @authsec/sdk to protect sensitive tools with OAuth + RBAC.
+2) Keep selected tools unprotected.
+3) Ensure all auth checks are delegated upstream to SDK Manager (no local auth bypasses).
+
+Requirements:
+- Use protectedByAuthSec(...) for sensitive tools.
+- Use mcpTool(...) for public tools.
+- Provide strict inputSchema for every tool.
+- Run server via runMcpServerWithOAuth({ tools, clientId, appName, host, port }).
+- Add startup instructions with AUTHSEC_CLIENT_ID, AUTHSEC_AUTH_SERVICE_URL, AUTHSEC_SERVICES_URL.
+- If wrapping an upstream MCP server, preserve upstream tool names and normalize returned content.
+
+Inputs:
+- clientId: <YOUR_CLIENT_ID>
+- appName: <YOUR_APP_NAME>
+- protected tools + RBAC:
+  - <tool_1>: roles=[...], scopes=[...], requireAll=<true/false>
+  - <tool_2>: ...
+- unprotected tools:
+  - <tool_3>
+
+Deliverables:
+- Updated TS source files.
+- Run commands.
+- MCP Inspector verification checklist.
+```
+
+## Publishing (npm)
+
+### 1) Bump version
+
+Update version consistently:
+- `packages/typescript-sdk/package.json` -> `version`
+- `packages/typescript-sdk/src/index.ts` -> `VERSION`
+
+### 2) Build and pack
+
+```bash
+cd packages/typescript-sdk
+npm ci
+npm run clean
+npm run build
+npm pack
+```
+
+### 3) Smoke test tarball (recommended)
+
+```bash
+mkdir -p /tmp/authsec-sdk-smoke && cd /tmp/authsec-sdk-smoke
+npm init -y
+npm install /absolute/path/to/packages/typescript-sdk/authsec-sdk-<version>.tgz
+```
+
+### 4) Publish
+
+```bash
+cd /absolute/path/to/packages/typescript-sdk
+npm login
+npm publish --access public
+```
+
+If using private registry, set it before publish:
+
+```bash
+npm config set registry <your-registry-url>
+npm publish
+```
+
+### 5) Post-publish check
+
+```bash
+npm view @authsec/sdk version
+```

package/dist/ciba.d.ts

@@ -0,0 +1,47 @@
+/**
+ * CIBA SDK - Passwordless Authentication for Voice Clients
+ * Mirrors Python CIBAClient class
+ *
+ * Supports both Admin and End-User (tenant) authentication flows:
+ * - Admin flow: email only (original flow)
+ * - Tenant flow: email + client_id (multi-client architecture)
+ */
+export declare class CIBAClient {
+    private baseUrl;
+    private clientId;
+    private activePolls;
+    private retryCounts;
+    constructor(options?: {
+        clientId?: string;
+        baseUrl?: string;
+    });
+    /**
+     * Triggers a CIBA push notification and cancels any existing poll for this user.
+     *
+     * - If clientId is set: uses tenant endpoint (/tenant/ciba/initiate)
+     * - If clientId is null: uses admin endpoint (/ciba/initiate)
+     */
+    initiateAppApproval(email: string): Promise<Record<string, any>>;
+    /**
+     * Verifies a TOTP code for authentication.
+     *
+     * - If clientId is set: uses tenant endpoint (/tenant/totp/login)
+     * - If clientId is null: uses admin endpoint (/totp/login)
+     */
+    verifyTotp(email: string, code: string): Promise<Record<string, any>>;
+    /**
+     * Polls for CIBA approval status.
+     *
+     * - If clientId is set: uses tenant endpoint (/tenant/ciba/token)
+     * - If clientId is null: uses admin endpoint (/ciba/token)
+     */
+    pollForApproval(email: string, authReqId: string, options?: {
+        interval?: number;
+        timeout?: number;
+    }): Promise<Record<string, any>>;
+    /**
+     * Cancels any ongoing poll and resets retry logic for the user.
+     */
+    cancelApproval(email: string): Record<string, any>;
+}
+//# sourceMappingURL=ciba.d.ts.map

package/dist/ciba.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ciba.d.ts","sourceRoot":"","sources":["../src/ciba.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,qBAAa,UAAU;IACrB,OAAO,CAAC,OAAO,CAAS;IACxB,OAAO,CAAC,QAAQ,CAAgB;IAChC,OAAO,CAAC,WAAW,CAAuB;IAC1C,OAAO,CAAC,WAAW,CAAsB;gBAE7B,OAAO,CAAC,EAAE;QAAE,QAAQ,CAAC,EAAE,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE;IAO7D;;;;;OAKG;IACG,mBAAmB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAiCtE;;;;;OAKG;IACG,UAAU,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAuD3E;;;;;OAKG;IACG,eAAe,CACnB,KAAK,EAAE,MAAM,EACb,SAAS,EAAE,MAAM,EACjB,OAAO,CAAC,EAAE;QAAE,QAAQ,CAAC,EAAE,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE,GAChD,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAkD/B;;OAEG;IACH,cAAc,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC;CAKnD"}

package/dist/ciba.js

@@ -0,0 +1,172 @@
+"use strict";
+/**
+ * CIBA SDK - Passwordless Authentication for Voice Clients
+ * Mirrors Python CIBAClient class
+ *
+ * Supports both Admin and End-User (tenant) authentication flows:
+ * - Admin flow: email only (original flow)
+ * - Tenant flow: email + client_id (multi-client architecture)
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CIBAClient = void 0;
+class CIBAClient {
+    baseUrl;
+    clientId;
+    activePolls;
+    retryCounts;
+    constructor(options) {
+        this.baseUrl = options?.baseUrl ?? 'https://dev.api.authsec.dev';
+        this.clientId = options?.clientId ?? null;
+        this.activePolls = new Map();
+        this.retryCounts = new Map();
+    }
+    /**
+     * Triggers a CIBA push notification and cancels any existing poll for this user.
+     *
+     * - If clientId is set: uses tenant endpoint (/tenant/ciba/initiate)
+     * - If clientId is null: uses admin endpoint (/ciba/initiate)
+     */
+    async initiateAppApproval(email) {
+        this.retryCounts.set(email, 0);
+        if (this.activePolls.has(email)) {
+            this.activePolls.set(email, true);
+        }
+        let endpoint;
+        let payload;
+        if (this.clientId) {
+            endpoint = `${this.baseUrl}/uflow/auth/tenant/ciba/initiate`;
+            payload = {
+                client_id: this.clientId,
+                email,
+                binding_message: 'Authentication requested via Voice SDK',
+            };
+        }
+        else {
+            endpoint = `${this.baseUrl}/uflow/auth/ciba/initiate`;
+            payload = {
+                login_hint: email,
+                binding_message: 'Authentication requested via Voice SDK',
+            };
+        }
+        const response = await fetch(endpoint, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify(payload),
+        });
+        return (await response.json());
+    }
+    /**
+     * Verifies a TOTP code for authentication.
+     *
+     * - If clientId is set: uses tenant endpoint (/tenant/totp/login)
+     * - If clientId is null: uses admin endpoint (/totp/login)
+     */
+    async verifyTotp(email, code) {
+        if (!this.retryCounts.has(email)) {
+            this.retryCounts.set(email, 0);
+        }
+        if (this.retryCounts.get(email) >= 3) {
+            return { success: false, error: 'too_many_retries', remaining: 0 };
+        }
+        let endpoint;
+        let payload;
+        if (this.clientId) {
+            endpoint = `${this.baseUrl}/uflow/auth/tenant/totp/login`;
+            payload = { client_id: this.clientId, email, totp_code: code };
+        }
+        else {
+            // Admin flow (fallback to dev.api if base_url is localhost for compatibility)
+            if (this.baseUrl.includes('localhost') || this.baseUrl.includes('127.0.0.1')) {
+                endpoint = 'https://dev.api.authsec.dev/uflow/auth/totp/login';
+            }
+            else {
+                endpoint = `${this.baseUrl}/uflow/auth/totp/login`;
+            }
+            payload = { email, totp_code: code };
+        }
+        try {
+            const response = await fetch(endpoint, {
+                method: 'POST',
+                headers: { 'Content-Type': 'application/json' },
+                body: JSON.stringify(payload),
+                signal: AbortSignal.timeout(10000),
+            });
+            const resData = (await response.json());
+            const token = resData.token ?? resData.access_token;
+            if (token || resData.success === true) {
+                this.retryCounts.set(email, 0);
+                return { ...resData, success: true, token, remaining: 3 };
+            }
+            else {
+                this.retryCounts.set(email, this.retryCounts.get(email) + 1);
+                return {
+                    success: false,
+                    error: 'invalid_code',
+                    remaining: 3 - this.retryCounts.get(email),
+                };
+            }
+        }
+        catch (e) {
+            return {
+                success: false,
+                error: e.message ?? String(e),
+                remaining: 3 - (this.retryCounts.get(email) ?? 0),
+            };
+        }
+    }
+    /**
+     * Polls for CIBA approval status.
+     *
+     * - If clientId is set: uses tenant endpoint (/tenant/ciba/token)
+     * - If clientId is null: uses admin endpoint (/ciba/token)
+     */
+    async pollForApproval(email, authReqId, options) {
+        const interval = (options?.interval ?? 5) * 1000;
+        const timeout = (options?.timeout ?? 300) * 1000;
+        this.activePolls.set(email, false);
+        let endpoint;
+        let payload;
+        if (this.clientId) {
+            endpoint = `${this.baseUrl}/uflow/auth/tenant/ciba/token`;
+            payload = { client_id: this.clientId, auth_req_id: authReqId };
+        }
+        else {
+            endpoint = `${this.baseUrl}/uflow/auth/ciba/token`;
+            payload = { auth_req_id: authReqId };
+        }
+        const startTime = Date.now();
+        while (Date.now() - startTime < timeout) {
+            if (this.activePolls.get(email) === true) {
+                return { status: 'cancelled' };
+            }
+            const response = await fetch(endpoint, {
+                method: 'POST',
+                headers: { 'Content-Type': 'application/json' },
+                body: JSON.stringify(payload),
+            });
+            const data = (await response.json());
+            const token = data.access_token ?? data.token;
+            if (token) {
+                return { status: 'approved', token };
+            }
+            if (data.error === 'access_denied' || data.error === 'expired_token') {
+                return { status: data.error };
+            }
+            await new Promise((resolve) => setTimeout(resolve, interval));
+            if (timeout <= 2000) {
+                break; // Short check for manual check
+            }
+        }
+        return { status: 'timeout' };
+    }
+    /**
+     * Cancels any ongoing poll and resets retry logic for the user.
+     */
+    cancelApproval(email) {
+        this.activePolls.set(email, true);
+        this.retryCounts.set(email, 0);
+        return { status: 'cancelled' };
+    }
+}
+exports.CIBAClient = CIBAClient;
+//# sourceMappingURL=ciba.js.map

package/dist/ciba.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ciba.js","sourceRoot":"","sources":["../src/ciba.ts"],"names":[],"mappings":";AAAA;;;;;;;GAOG;;;AAEH,MAAa,UAAU;IACb,OAAO,CAAS;IAChB,QAAQ,CAAgB;IACxB,WAAW,CAAuB;IAClC,WAAW,CAAsB;IAEzC,YAAY,OAAiD;QAC3D,IAAI,CAAC,OAAO,GAAG,OAAO,EAAE,OAAO,IAAI,6BAA6B,CAAC;QACjE,IAAI,CAAC,QAAQ,GAAG,OAAO,EAAE,QAAQ,IAAI,IAAI,CAAC;QAC1C,IAAI,CAAC,WAAW,GAAG,IAAI,GAAG,EAAE,CAAC;QAC7B,IAAI,CAAC,WAAW,GAAG,IAAI,GAAG,EAAE,CAAC;IAC/B,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,mBAAmB,CAAC,KAAa;QACrC,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;QAC/B,IAAI,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;YAChC,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;QACpC,CAAC;QAED,IAAI,QAAgB,CAAC;QACrB,IAAI,OAA4B,CAAC;QAEjC,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YAClB,QAAQ,GAAG,GAAG,IAAI,CAAC,OAAO,kCAAkC,CAAC;YAC7D,OAAO,GAAG;gBACR,SAAS,EAAE,IAAI,CAAC,QAAQ;gBACxB,KAAK;gBACL,eAAe,EAAE,wCAAwC;aAC1D,CAAC;QACJ,CAAC;aAAM,CAAC;YACN,QAAQ,GAAG,GAAG,IAAI,CAAC,OAAO,2BAA2B,CAAC;YACtD,OAAO,GAAG;gBACR,UAAU,EAAE,KAAK;gBACjB,eAAe,EAAE,wCAAwC;aAC1D,CAAC;QACJ,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,QAAQ,EAAE;YACrC,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;YAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC;SAC9B,CAAC,CAAC;QAEH,OAAO,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAwB,CAAC;IACxD,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,UAAU,CAAC,KAAa,EAAE,IAAY;QAC1C,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;YACjC,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;QACjC,CAAC;QACD,IAAI,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,KAAK,CAAE,IAAI,CAAC,EAAE,CAAC;YACtC,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,kBAAkB,EAAE,SAAS,EAAE,CAAC,EAAE,CAAC;QACrE,CAAC;QAED,IAAI,QAAgB,CAAC;QACrB,IAAI,OAA4B,CAAC;QAEjC,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YAClB,QAAQ,GAAG,GAAG,IAAI,CAAC,OAAO,+BAA+B,CAAC;YAC1D,OAAO,GAAG,EAAE,SAAS,EAAE,IAAI,CAAC,QAAQ,EAAE,KAAK,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;QACjE,CAAC;aAAM,CAAC;YACN,8EAA8E;YAC9E,IAAI,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;gBAC7E,QAAQ,GAAG,mDAAmD,CAAC;YACjE,CAAC;iBAAM,CAAC;gBACN,QAAQ,GAAG,GAAG,IAAI,CAAC,OAAO,wBAAwB,CAAC;YACrD,CAAC;YACD,OAAO,GAAG,EAAE,KAAK,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;QACvC,CAAC;QAED,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,QAAQ,EAAE;gBACrC,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;gBAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC;gBAC7B,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,KAAK,CAAC;aACnC,CAAC,CAAC;YAEH,MAAM,OAAO,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAwB,CAAC;YAC/D,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,IAAI,OAAO,CAAC,YAAY,CAAC;YAEpD,IAAI,KAAK,IAAI,OAAO,CAAC,OAAO,KAAK,IAAI,EAAE,CAAC;gBACtC,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;gBAC/B,OAAO,EAAE,GAAG,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,EAAE,CAAC;YAC5D,CAAC;iBAAM,CAAC;gBACN,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,KAAK,EAAE,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,KAAK,CAAE,GAAG,CAAC,CAAC,CAAC;gBAC9D,OAAO;oBACL,OAAO,EAAE,KAAK;oBACd,KAAK,EAAE,cAAc;oBACrB,SAAS,EAAE,CAAC,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,KAAK,CAAE;iBAC5C,CAAC;YACJ,CAAC;QACH,CAAC;QAAC,OAAO,CAAM,EAAE,CAAC;YAChB,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE,CAAC,CAAC,OAAO,IAAI,MAAM,CAAC,CAAC,CAAC;gBAC7B,SAAS,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;aAClD,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,eAAe,CACnB,KAAa,EACb,SAAiB,EACjB,OAAiD;QAEjD,MAAM,QAAQ,GAAG,CAAC,OAAO,EAAE,QAAQ,IAAI,CAAC,CAAC,GAAG,IAAI,CAAC;QACjD,MAAM,OAAO,GAAG,CAAC,OAAO,EAAE,OAAO,IAAI,GAAG,CAAC,GAAG,IAAI,CAAC;QAEjD,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;QAEnC,IAAI,QAAgB,CAAC;QACrB,IAAI,OAA4B,CAAC;QAEjC,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YAClB,QAAQ,GAAG,GAAG,IAAI,CAAC,OAAO,+BAA+B,CAAC;YAC1D,OAAO,GAAG,EAAE,SAAS,EAAE,IAAI,CAAC,QAAQ,EAAE,WAAW,EAAE,SAAS,EAAE,CAAC;QACjE,CAAC;aAAM,CAAC;YACN,QAAQ,GAAG,GAAG,IAAI,CAAC,OAAO,wBAAwB,CAAC;YACnD,OAAO,GAAG,EAAE,WAAW,EAAE,SAAS,EAAE,CAAC;QACvC,CAAC;QAED,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAE7B,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,GAAG,OAAO,EAAE,CAAC;YACxC,IAAI,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,IAAI,EAAE,CAAC;gBACzC,OAAO,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC;YACjC,CAAC;YAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,QAAQ,EAAE;gBACrC,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;gBAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC;aAC9B,CAAC,CAAC;YAEH,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAwB,CAAC;YAC5D,MAAM,KAAK,GAAG,IAAI,CAAC,YAAY,IAAI,IAAI,CAAC,KAAK,CAAC;YAE9C,IAAI,KAAK,EAAE,CAAC;gBACV,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,KAAK,EAAE,CAAC;YACvC,CAAC;YACD,IAAI,IAAI,CAAC,KAAK,KAAK,eAAe,IAAI,IAAI,CAAC,KAAK,KAAK,eAAe,EAAE,CAAC;gBACrE,OAAO,EAAE,MAAM,EAAE,IAAI,CAAC,KAAK,EAAE,CAAC;YAChC,CAAC;YAED,MAAM,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC;YAE9D,IAAI,OAAO,IAAI,IAAI,EAAE,CAAC;gBACpB,MAAM,CAAC,+BAA+B;YACxC,CAAC;QACH,CAAC;QAED,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC;IAC/B,CAAC;IAED;;OAEG;IACH,cAAc,CAAC,KAAa;QAC1B,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;QAClC,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;QAC/B,OAAO,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC;IACjC,CAAC;CACF;AArLD,gCAqLC"}

package/dist/config.d.ts

@@ -0,0 +1,32 @@
+/**
+ * Global configuration store for AuthSec SDK
+ * Mirrors Python authsec_sdk config
+ */
+import type { AuthSecConfig } from './types.js';
+/** In-memory session cache for user info (best-effort, used for oauth_user_info) */
+export declare const sessionUserInfo: Record<string, any>;
+/**
+ * Normalize caller-provided clientId to the runtime form expected by SDK Manager.
+ *
+ * Accepts:
+ * - base UUID (`xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx`)
+ * - base UUID with underscores
+ * - already-suffixed IDs (`...-main-client` or `..._main-client`)
+ */
+export declare function normalizeRuntimeClientId(clientId: string): string;
+/**
+ * Configure authentication settings for tool protection.
+ */
+export declare function configureAuth(clientId: string, appName: string, options?: {
+    authServiceUrl?: string;
+    servicesBaseUrl?: string;
+    timeout?: number;
+    retries?: number;
+}): void;
+/** Get current configuration (for debugging). */
+export declare function getConfig(): Record<string, any>;
+/** Check if authentication is properly configured. */
+export declare function isConfigured(): boolean;
+/** Internal: get mutable config reference */
+export declare function getInternalConfig(): AuthSecConfig;
+//# sourceMappingURL=config.d.ts.map

package/dist/config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAahD,oFAAoF;AACpF,eAAO,MAAM,eAAe,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAM,CAAC;AAEvD;;;;;;;GAOG;AACH,wBAAgB,wBAAwB,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CAqBjE;AAED;;GAEG;AACH,wBAAgB,aAAa,CAC3B,QAAQ,EAAE,MAAM,EAChB,OAAO,EAAE,MAAM,EACf,OAAO,CAAC,EAAE;IACR,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB,GACA,IAAI,CAuBN;AAED,iDAAiD;AACjD,wBAAgB,SAAS,IAAI,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAM/C;AAED,sDAAsD;AACtD,wBAAgB,YAAY,IAAI,OAAO,CAEtC;AAED,6CAA6C;AAC7C,wBAAgB,iBAAiB,IAAI,aAAa,CAEjD"}

package/dist/config.js

@@ -0,0 +1,92 @@
+"use strict";
+/**
+ * Global configuration store for AuthSec SDK
+ * Mirrors Python authsec_sdk config
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.sessionUserInfo = void 0;
+exports.normalizeRuntimeClientId = normalizeRuntimeClientId;
+exports.configureAuth = configureAuth;
+exports.getConfig = getConfig;
+exports.isConfigured = isConfigured;
+exports.getInternalConfig = getInternalConfig;
+const _config = {
+    clientId: null,
+    appName: null,
+    authServiceUrl: 'https://dev.api.authsec.dev/sdkmgr/mcp-auth',
+    servicesBaseUrl: 'https://dev.api.authsec.dev/sdkmgr/services',
+    timeout: 10,
+    retries: 3,
+    spireSocketPath: null,
+    spireEnabled: false,
+};
+/** In-memory session cache for user info (best-effort, used for oauth_user_info) */
+exports.sessionUserInfo = {};
+/**
+ * Normalize caller-provided clientId to the runtime form expected by SDK Manager.
+ *
+ * Accepts:
+ * - base UUID (`xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx`)
+ * - base UUID with underscores
+ * - already-suffixed IDs (`...-main-client` or `..._main-client`)
+ */
+function normalizeRuntimeClientId(clientId) {
+    let raw = (clientId ?? '').trim().replace(/^["']|["']$/g, '');
+    if (!raw) {
+        throw new Error('client_id must be a non-empty string');
+    }
+    raw = raw.replace('_main-client', '-main-client');
+    let base;
+    if (raw.endsWith('-main-client')) {
+        base = raw.slice(0, -'-main-client'.length);
+    }
+    else {
+        base = raw;
+    }
+    // Normalize UUID-like underscore format to hyphen format
+    if (base.includes('_') && (base.match(/_/g) || []).length === 4) {
+        base = base.replace(/_/g, '-');
+    }
+    return `${base}-main-client`;
+}
+/**
+ * Configure authentication settings for tool protection.
+ */
+function configureAuth(clientId, appName, options) {
+    if (!clientId || typeof clientId !== 'string') {
+        throw new Error('clientId must be a non-empty string');
+    }
+    if (!appName || typeof appName !== 'string') {
+        throw new Error('appName must be a non-empty string');
+    }
+    _config.clientId = clientId;
+    _config.appName = appName;
+    _config.timeout = options?.timeout ?? 10;
+    _config.retries = options?.retries ?? 3;
+    if (options?.authServiceUrl) {
+        _config.authServiceUrl = options.authServiceUrl.replace(/\/+$/, '');
+    }
+    if (options?.servicesBaseUrl) {
+        _config.servicesBaseUrl = options.servicesBaseUrl.replace(/\/+$/, '');
+    }
+    console.log(`Auth configured: ${appName} with client_id: ${clientId.slice(0, 8)}...`);
+    console.log(`Auth service URL: ${_config.authServiceUrl}`);
+    console.log(`Services URL: ${_config.servicesBaseUrl}`);
+}
+/** Get current configuration (for debugging). */
+function getConfig() {
+    const copy = { ..._config };
+    if (copy.clientId) {
+        copy.clientId = copy.clientId.slice(0, 8) + '...' + copy.clientId.slice(-4);
+    }
+    return copy;
+}
+/** Check if authentication is properly configured. */
+function isConfigured() {
+    return !!(getInternalConfig().clientId && getInternalConfig().appName);
+}
+/** Internal: get mutable config reference */
+function getInternalConfig() {
+    return _config;
+}
+//# sourceMappingURL=config.js.map

package/dist/config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":";AAAA;;;GAGG;;;AA0BH,4DAqBC;AAKD,sCAgCC;AAGD,8BAMC;AAGD,oCAEC;AAGD,8CAEC;AAnGD,MAAM,OAAO,GAAkB;IAC7B,QAAQ,EAAE,IAAI;IACd,OAAO,EAAE,IAAI;IACb,cAAc,EAAE,6CAA6C;IAC7D,eAAe,EAAE,6CAA6C;IAC9D,OAAO,EAAE,EAAE;IACX,OAAO,EAAE,CAAC;IACV,eAAe,EAAE,IAAI;IACrB,YAAY,EAAE,KAAK;CACpB,CAAC;AAEF,oFAAoF;AACvE,QAAA,eAAe,GAAwB,EAAE,CAAC;AAEvD;;;;;;;GAOG;AACH,SAAgB,wBAAwB,CAAC,QAAgB;IACvD,IAAI,GAAG,GAAG,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC,OAAO,CAAC,cAAc,EAAE,EAAE,CAAC,CAAC;IAC9D,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;IAC1D,CAAC;IAED,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC,cAAc,EAAE,cAAc,CAAC,CAAC;IAElD,IAAI,IAAY,CAAC;IACjB,IAAI,GAAG,CAAC,QAAQ,CAAC,cAAc,CAAC,EAAE,CAAC;QACjC,IAAI,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC;IAC9C,CAAC;SAAM,CAAC;QACN,IAAI,GAAG,GAAG,CAAC;IACb,CAAC;IAED,yDAAyD;IACzD,IAAI,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAChE,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IACjC,CAAC;IAED,OAAO,GAAG,IAAI,cAAc,CAAC;AAC/B,CAAC;AAED;;GAEG;AACH,SAAgB,aAAa,CAC3B,QAAgB,EAChB,OAAe,EACf,OAKC;IAED,IAAI,CAAC,QAAQ,IAAI,OAAO,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAC9C,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;IACzD,CAAC;IACD,IAAI,CAAC,OAAO,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE,CAAC;QAC5C,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;IACxD,CAAC;IAED,OAAO,CAAC,QAAQ,GAAG,QAAQ,CAAC;IAC5B,OAAO,CAAC,OAAO,GAAG,OAAO,CAAC;IAC1B,OAAO,CAAC,OAAO,GAAG,OAAO,EAAE,OAAO,IAAI,EAAE,CAAC;IACzC,OAAO,CAAC,OAAO,GAAG,OAAO,EAAE,OAAO,IAAI,CAAC,CAAC;IAExC,IAAI,OAAO,EAAE,cAAc,EAAE,CAAC;QAC5B,OAAO,CAAC,cAAc,GAAG,OAAO,CAAC,cAAc,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IACtE,CAAC;IACD,IAAI,OAAO,EAAE,eAAe,EAAE,CAAC;QAC7B,OAAO,CAAC,eAAe,GAAG,OAAO,CAAC,eAAe,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IACxE,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,oBAAoB,OAAO,oBAAoB,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC;IACtF,OAAO,CAAC,GAAG,CAAC,qBAAqB,OAAO,CAAC,cAAc,EAAE,CAAC,CAAC;IAC3D,OAAO,CAAC,GAAG,CAAC,iBAAiB,OAAO,CAAC,eAAe,EAAE,CAAC,CAAC;AAC1D,CAAC;AAED,iDAAiD;AACjD,SAAgB,SAAS;IACvB,MAAM,IAAI,GAAG,EAAE,GAAG,OAAO,EAAE,CAAC;IAC5B,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;QAClB,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,KAAK,GAAG,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IAC9E,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,sDAAsD;AACtD,SAAgB,YAAY;IAC1B,OAAO,CAAC,CAAC,CAAC,iBAAiB,EAAE,CAAC,QAAQ,IAAI,iBAAiB,EAAE,CAAC,OAAO,CAAC,CAAC;AACzE,CAAC;AAED,6CAA6C;AAC7C,SAAgB,iBAAiB;IAC/B,OAAO,OAAO,CAAC;AACjB,CAAC"}

package/dist/decorators.d.ts

@@ -0,0 +1,59 @@
+/**
+ * Tool decorator functions (higher-order functions)
+ * Mirrors Python @protected_by_AuthSec and @mcp_tool decorators
+ */
+import type { ToolDefinition, ToolHandler, ToolHandlerWithSession } from './types.js';
+interface ProtectedToolOptions {
+    toolName: string;
+    roles?: string[];
+    groups?: string[];
+    resources?: string[];
+    scopes?: string[];
+    permissions?: string[];
+    requireAll?: boolean;
+    description?: string;
+    inputSchema?: Record<string, any>;
+}
+/**
+ * Protect a tool via SDK Manager auth service API with optional RBAC.
+ *
+ * The handler receives (arguments, session) where session contains user context.
+ *
+ * @example
+ * ```ts
+ * const adminTool = protectedByAuthSec({
+ *   toolName: 'admin_dashboard',
+ *   roles: ['admin'],
+ *   description: 'Access admin dashboard',
+ * }, async (args, session) => {
+ *   return [{ type: 'text', text: `Hello ${session.userId}` }];
+ * });
+ * ```
+ */
+export declare function protectedByAuthSec(options: ProtectedToolOptions, handler: ToolHandler | ToolHandlerWithSession): ToolDefinition;
+interface McpToolOptions {
+    name?: string;
+    description?: string;
+    inputSchema?: Record<string, any>;
+}
+/**
+ * Define a standard MCP tool (no authentication required).
+ *
+ * @example
+ * ```ts
+ * const echoTool = mcpTool({
+ *   name: 'echo',
+ *   description: 'Echo a message',
+ *   inputSchema: {
+ *     type: 'object',
+ *     properties: { message: { type: 'string' } },
+ *     required: ['message'],
+ *   },
+ * }, async (args) => {
+ *   return [{ type: 'text', text: args.message }];
+ * });
+ * ```
+ */
+export declare function mcpTool(options: McpToolOptions, handler: ToolHandler): ToolDefinition;
+export {};
+//# sourceMappingURL=decorators.d.ts.map

package/dist/decorators.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"decorators.d.ts","sourceRoot":"","sources":["../src/decorators.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAKH,OAAO,KAAK,EACV,cAAc,EACd,WAAW,EACX,sBAAsB,EAIvB,MAAM,YAAY,CAAC;AAGpB,UAAU,oBAAoB;IAC5B,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;IACrB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,WAAW,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;CACnC;AAED;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,kBAAkB,CAChC,OAAO,EAAE,oBAAoB,EAC7B,OAAO,EAAE,WAAW,GAAG,sBAAsB,GAC5C,cAAc,CAgGhB;AAED,UAAU,cAAc;IACtB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,WAAW,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;CACnC;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,OAAO,CACrB,OAAO,EAAE,cAAc,EACvB,OAAO,EAAE,WAAW,GACnB,cAAc,CAchB"}