@authsec/sdk 4.0.0

package/dist/decorators.js

@@ -0,0 +1,142 @@
+"use strict";
+/**
+ * Tool decorator functions (higher-order functions)
+ * Mirrors Python @protected_by_AuthSec and @mcp_tool decorators
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.protectedByAuthSec = protectedByAuthSec;
+exports.mcpTool = mcpTool;
+const http_js_1 = require("./http.js");
+const rbac_js_1 = require("./rbac.js");
+const config_js_1 = require("./config.js");
+const types_js_1 = require("./types.js");
+/**
+ * Protect a tool via SDK Manager auth service API with optional RBAC.
+ *
+ * The handler receives (arguments, session) where session contains user context.
+ *
+ * @example
+ * ```ts
+ * const adminTool = protectedByAuthSec({
+ *   toolName: 'admin_dashboard',
+ *   roles: ['admin'],
+ *   description: 'Access admin dashboard',
+ * }, async (args, session) => {
+ *   return [{ type: 'text', text: `Hello ${session.userId}` }];
+ * });
+ * ```
+ */
+function protectedByAuthSec(options, handler) {
+    const rbacRequirements = {
+        roles: options.roles ?? [],
+        groups: options.groups ?? [],
+        resources: options.resources ?? [],
+        scopes: options.scopes ?? [],
+        permissions: options.permissions ?? [],
+        requireAll: options.requireAll ?? false,
+    };
+    // Determine if handler expects session (by checking function arity)
+    const expectsSession = handler.length >= 2;
+    const wrappedHandler = async (arguments_) => {
+        const config = (0, config_js_1.getInternalConfig)();
+        const sessionId = arguments_.session_id;
+        // Single API call to auth service for tool protection
+        const payload = {
+            session_id: sessionId,
+            tool_name: options.toolName,
+            client_id: config.clientId,
+            app_name: config.appName,
+        };
+        const protectionResult = await (0, http_js_1.makeAuthRequest)('protect-tool', payload);
+        // Check if access is allowed
+        if (!protectionResult.allowed) {
+            const errorResponse = {
+                error: protectionResult.error ?? 'Access denied',
+                message: protectionResult.message ?? 'Authentication failed',
+                tool: options.toolName,
+            };
+            return [{ type: 'text', text: JSON.stringify(errorResponse) }];
+        }
+        const resolvedSessionId = protectionResult.session_id ?? sessionId;
+        const userInfo = protectionResult.user_info ?? {};
+        if (resolvedSessionId) {
+            config_js_1.sessionUserInfo[String(resolvedSessionId)] = userInfo;
+            arguments_.session_id = resolvedSessionId;
+        }
+        console.log(JSON.stringify(userInfo, null, 2));
+        // Enforce RBAC at execution time
+        const [rbacOk, rbacReason] = (0, rbac_js_1.evaluateRbac)(userInfo, rbacRequirements);
+        if (!rbacOk) {
+            const errorResponse = {
+                error: 'Access denied',
+                message: `RBAC denied: ${rbacReason}`,
+                tool: options.toolName,
+            };
+            return [{ type: 'text', text: JSON.stringify(errorResponse) }];
+        }
+        // Add user info to arguments for the business function
+        arguments_._user_info = userInfo;
+        try {
+            if (expectsSession) {
+                const session = new types_js_1.SimpleSession(String(resolvedSessionId ?? ''), protectionResult.user_info ?? {});
+                return await handler(arguments_, session);
+            }
+            else {
+                return await handler(arguments_);
+            }
+        }
+        catch (e) {
+            return [
+                {
+                    type: 'text',
+                    text: JSON.stringify({
+                        error: 'Tool execution failed',
+                        message: `Internal error in ${options.toolName}: ${e.message ?? e}`,
+                        tool: options.toolName,
+                    }),
+                },
+            ];
+        }
+    };
+    return {
+        handler: wrappedHandler,
+        name: options.toolName,
+        description: options.description,
+        inputSchema: options.inputSchema,
+        isProtected: true,
+        rbacRequirements,
+    };
+}
+/**
+ * Define a standard MCP tool (no authentication required).
+ *
+ * @example
+ * ```ts
+ * const echoTool = mcpTool({
+ *   name: 'echo',
+ *   description: 'Echo a message',
+ *   inputSchema: {
+ *     type: 'object',
+ *     properties: { message: { type: 'string' } },
+ *     required: ['message'],
+ *   },
+ * }, async (args) => {
+ *   return [{ type: 'text', text: args.message }];
+ * });
+ * ```
+ */
+function mcpTool(options, handler) {
+    const toolName = options.name ?? handler.name ?? 'unnamed_tool';
+    return {
+        handler,
+        name: toolName,
+        description: options.description,
+        inputSchema: options.inputSchema ?? {
+            type: 'object',
+            properties: {},
+            required: [],
+        },
+        isProtected: false,
+    };
+}
+//# sourceMappingURL=decorators.js.map

package/dist/decorators.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"decorators.js","sourceRoot":"","sources":["../src/decorators.ts"],"names":[],"mappings":";AAAA;;;GAGG;;AA2CH,gDAmGC;AA0BD,0BAiBC;AAvLD,uCAA4C;AAC5C,uCAAyC;AACzC,2CAAiE;AASjE,yCAAiE;AAcjE;;;;;;;;;;;;;;;GAeG;AACH,SAAgB,kBAAkB,CAChC,OAA6B,EAC7B,OAA6C;IAE7C,MAAM,gBAAgB,GAAqB;QACzC,KAAK,EAAE,OAAO,CAAC,KAAK,IAAI,EAAE;QAC1B,MAAM,EAAE,OAAO,CAAC,MAAM,IAAI,EAAE;QAC5B,SAAS,EAAE,OAAO,CAAC,SAAS,IAAI,EAAE;QAClC,MAAM,EAAE,OAAO,CAAC,MAAM,IAAI,EAAE;QAC5B,WAAW,EAAE,OAAO,CAAC,WAAW,IAAI,EAAE;QACtC,UAAU,EAAE,OAAO,CAAC,UAAU,IAAI,KAAK;KACxC,CAAC;IAEF,oEAAoE;IACpE,MAAM,cAAc,GAAG,OAAO,CAAC,MAAM,IAAI,CAAC,CAAC;IAE3C,MAAM,cAAc,GAAG,KAAK,EAC1B,UAA+B,EACR,EAAE;QACzB,MAAM,MAAM,GAAG,IAAA,6BAAiB,GAAE,CAAC;QACnC,MAAM,SAAS,GAAG,UAAU,CAAC,UAAU,CAAC;QAExC,sDAAsD;QACtD,MAAM,OAAO,GAAG;YACd,UAAU,EAAE,SAAS;YACrB,SAAS,EAAE,OAAO,CAAC,QAAQ;YAC3B,SAAS,EAAE,MAAM,CAAC,QAAQ;YAC1B,QAAQ,EAAE,MAAM,CAAC,OAAO;SACzB,CAAC;QAEF,MAAM,gBAAgB,GAAG,MAAM,IAAA,yBAAe,EAAC,cAAc,EAAE,OAAO,CAAC,CAAC;QAExE,6BAA6B;QAC7B,IAAI,CAAC,gBAAgB,CAAC,OAAO,EAAE,CAAC;YAC9B,MAAM,aAAa,GAAG;gBACpB,KAAK,EAAE,gBAAgB,CAAC,KAAK,IAAI,eAAe;gBAChD,OAAO,EAAE,gBAAgB,CAAC,OAAO,IAAI,uBAAuB;gBAC5D,IAAI,EAAE,OAAO,CAAC,QAAQ;aACvB,CAAC;YACF,OAAO,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,aAAa,CAAC,EAAE,CAAC,CAAC;QACjE,CAAC;QAED,MAAM,iBAAiB,GACrB,gBAAgB,CAAC,UAAU,IAAI,SAAS,CAAC;QAC3C,MAAM,QAAQ,GAAG,gBAAgB,CAAC,SAAS,IAAI,EAAE,CAAC;QAElD,IAAI,iBAAiB,EAAE,CAAC;YACtB,2BAAe,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAC,GAAG,QAAQ,CAAC;YACtD,UAAU,CAAC,UAAU,GAAG,iBAAiB,CAAC;QAC5C,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;QAE/C,iCAAiC;QACjC,MAAM,CAAC,MAAM,EAAE,UAAU,CAAC,GAAG,IAAA,sBAAY,EAAC,QAAQ,EAAE,gBAAgB,CAAC,CAAC;QACtE,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,aAAa,GAAG;gBACpB,KAAK,EAAE,eAAe;gBACtB,OAAO,EAAE,gBAAgB,UAAU,EAAE;gBACrC,IAAI,EAAE,OAAO,CAAC,QAAQ;aACvB,CAAC;YACF,OAAO,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,aAAa,CAAC,EAAE,CAAC,CAAC;QACjE,CAAC;QAED,uDAAuD;QACvD,UAAU,CAAC,UAAU,GAAG,QAAQ,CAAC;QAEjC,IAAI,CAAC;YACH,IAAI,cAAc,EAAE,CAAC;gBACnB,MAAM,OAAO,GAAG,IAAI,wBAAkB,CACpC,MAAM,CAAC,iBAAiB,IAAI,EAAE,CAAC,EAC/B,gBAAgB,CAAC,SAAS,IAAI,EAAE,CACjC,CAAC;gBACF,OAAO,MAAO,OAAkC,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;YACxE,CAAC;iBAAM,CAAC;gBACN,OAAO,MAAO,OAAuB,CAAC,UAAU,CAAC,CAAC;YACpD,CAAC;QACH,CAAC;QAAC,OAAO,CAAM,EAAE,CAAC;YAChB,OAAO;gBACL;oBACE,IAAI,EAAE,MAAM;oBACZ,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;wBACnB,KAAK,EAAE,uBAAuB;wBAC9B,OAAO,EAAE,qBAAqB,OAAO,CAAC,QAAQ,KAAK,CAAC,CAAC,OAAO,IAAI,CAAC,EAAE;wBACnE,IAAI,EAAE,OAAO,CAAC,QAAQ;qBACvB,CAAC;iBACH;aACF,CAAC;QACJ,CAAC;IACH,CAAC,CAAC;IAEF,OAAO;QACL,OAAO,EAAE,cAAc;QACvB,IAAI,EAAE,OAAO,CAAC,QAAQ;QACtB,WAAW,EAAE,OAAO,CAAC,WAAW;QAChC,WAAW,EAAE,OAAO,CAAC,WAAW;QAChC,WAAW,EAAE,IAAI;QACjB,gBAAgB;KACjB,CAAC;AACJ,CAAC;AAQD;;;;;;;;;;;;;;;;;GAiBG;AACH,SAAgB,OAAO,CACrB,OAAuB,EACvB,OAAoB;IAEpB,MAAM,QAAQ,GAAG,OAAO,CAAC,IAAI,IAAI,OAAO,CAAC,IAAI,IAAI,cAAc,CAAC;IAEhE,OAAO;QACL,OAAO;QACP,IAAI,EAAE,QAAQ;QACd,WAAW,EAAE,OAAO,CAAC,WAAW;QAChC,WAAW,EAAE,OAAO,CAAC,WAAW,IAAI;YAClC,IAAI,EAAE,QAAQ;YACd,UAAU,EAAE,EAAE;YACd,QAAQ,EAAE,EAAE;SACb;QACD,WAAW,EAAE,KAAK;KACnB,CAAC;AACJ,CAAC"}

package/dist/http.d.ts

@@ -0,0 +1,19 @@
+/**
+ * HTTP client helpers for communicating with SDK Manager
+ * Mirrors Python _make_auth_request / _make_services_request
+ */
+/**
+ * Make HTTP request to SDK Manager auth service.
+ */
+export declare function makeAuthRequest(endpoint: string, payload?: Record<string, any> | null, method?: 'GET' | 'POST'): Promise<Record<string, any>>;
+/**
+ * Make HTTP request to SDK Manager services.
+ */
+export declare function makeServicesRequest(endpoint: string, payload?: Record<string, any> | null, method?: 'GET' | 'POST'): Promise<Record<string, any>>;
+/** Test connection to auth service */
+export declare function testAuthService(): Promise<boolean>;
+/** Test connection to services */
+export declare function testServices(): Promise<boolean>;
+/** Decode JWT payload without verification (for cache/debug only) */
+export declare function decodeJwtUnverified(token: string): Record<string, any>;
+//# sourceMappingURL=http.d.ts.map

package/dist/http.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"http.d.ts","sourceRoot":"","sources":["../src/http.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAIH;;GAEG;AACH,wBAAsB,eAAe,CACnC,QAAQ,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,IAAI,EACpC,MAAM,GAAE,KAAK,GAAG,MAAe,GAC9B,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC,CAqD9B;AAED;;GAEG;AACH,wBAAsB,mBAAmB,CACvC,QAAQ,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,IAAI,EACpC,MAAM,GAAE,KAAK,GAAG,MAAe,GAC9B,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC,CAyD9B;AAED,sCAAsC;AACtC,wBAAsB,eAAe,IAAI,OAAO,CAAC,OAAO,CAAC,CASxD;AAED,kCAAkC;AAClC,wBAAsB,YAAY,IAAI,OAAO,CAAC,OAAO,CAAC,CASrD;AAED,qEAAqE;AACrE,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAatE"}

package/dist/http.js

@@ -0,0 +1,156 @@
+"use strict";
+/**
+ * HTTP client helpers for communicating with SDK Manager
+ * Mirrors Python _make_auth_request / _make_services_request
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.makeAuthRequest = makeAuthRequest;
+exports.makeServicesRequest = makeServicesRequest;
+exports.testAuthService = testAuthService;
+exports.testServices = testServices;
+exports.decodeJwtUnverified = decodeJwtUnverified;
+const config_js_1 = require("./config.js");
+/**
+ * Make HTTP request to SDK Manager auth service.
+ */
+async function makeAuthRequest(endpoint, payload, method = 'POST') {
+    const config = (0, config_js_1.getInternalConfig)();
+    if (!config.clientId) {
+        throw new Error('Authentication not configured. Call configureAuth() first.');
+    }
+    const headers = {
+        'Content-Type': 'application/json',
+        'X-Client-ID': config.clientId,
+        'X-App-Name': config.appName,
+    };
+    const url = `${config.authServiceUrl}/${endpoint}`;
+    for (let attempt = 0; attempt < config.retries; attempt++) {
+        try {
+            const controller = new AbortController();
+            const timeoutId = setTimeout(() => controller.abort(), config.timeout * 1000);
+            const fetchOptions = {
+                method,
+                headers,
+                signal: controller.signal,
+            };
+            if (method === 'POST' && payload) {
+                fetchOptions.body = JSON.stringify(payload);
+            }
+            const response = await fetch(url, fetchOptions);
+            clearTimeout(timeoutId);
+            return (await response.json());
+        }
+        catch (e) {
+            if (attempt < config.retries - 1) {
+                await sleep(500 * (attempt + 1));
+                continue;
+            }
+            return {
+                allowed: false,
+                error: 'Connection error',
+                message: `Failed to connect to auth service: ${e.message ?? e}`,
+            };
+        }
+    }
+    return {
+        allowed: false,
+        error: 'Max retries exceeded',
+        message: 'Could not complete authentication check',
+    };
+}
+/**
+ * Make HTTP request to SDK Manager services.
+ */
+async function makeServicesRequest(endpoint, payload, method = 'POST') {
+    const config = (0, config_js_1.getInternalConfig)();
+    if (!config.clientId) {
+        throw new Error('Authentication not configured. Call configureAuth() first.');
+    }
+    const headers = {
+        'Content-Type': 'application/json',
+        'X-Client-ID': config.clientId,
+        'X-App-Name': config.appName,
+    };
+    const url = `${config.servicesBaseUrl}/${endpoint}`;
+    const timeoutMs = config.timeout * 2 * 1000; // Services may take longer
+    for (let attempt = 0; attempt < config.retries; attempt++) {
+        try {
+            const controller = new AbortController();
+            const timeoutId = setTimeout(() => controller.abort(), timeoutMs);
+            const fetchOptions = {
+                method,
+                headers,
+                signal: controller.signal,
+            };
+            if (method === 'POST' && payload) {
+                fetchOptions.body = JSON.stringify(payload);
+            }
+            const response = await fetch(url, fetchOptions);
+            clearTimeout(timeoutId);
+            if (response.status >= 400) {
+                const errorText = await response.text();
+                return { error: `HTTP ${response.status}: ${errorText}` };
+            }
+            return (await response.json());
+        }
+        catch (e) {
+            if (attempt < config.retries - 1) {
+                await sleep(500 * (attempt + 1));
+                continue;
+            }
+            return {
+                error: 'Connection error',
+                message: `Failed to connect to services: ${e.message ?? e}`,
+            };
+        }
+    }
+    return {
+        error: 'Max retries exceeded',
+        message: 'Could not complete services request',
+    };
+}
+/** Test connection to auth service */
+async function testAuthService() {
+    try {
+        const result = await makeAuthRequest('health', null, 'GET');
+        console.log(`Auth service is running: ${JSON.stringify(result)}`);
+        return result.status === 'healthy';
+    }
+    catch (e) {
+        console.log(`Failed to connect to auth service: ${e.message ?? e}`);
+        return false;
+    }
+}
+/** Test connection to services */
+async function testServices() {
+    try {
+        const result = await makeServicesRequest('health', null, 'GET');
+        console.log(`Services are running: ${JSON.stringify(result)}`);
+        return result.status === 'healthy';
+    }
+    catch (e) {
+        console.log(`Failed to connect to services: ${e.message ?? e}`);
+        return false;
+    }
+}
+/** Decode JWT payload without verification (for cache/debug only) */
+function decodeJwtUnverified(token) {
+    try {
+        const parts = token.split('.');
+        if (parts.length < 2)
+            return {};
+        const payload = parts[1];
+        // Add padding
+        const padded = payload + '='.repeat((4 - (payload.length % 4)) % 4);
+        const decoded = Buffer.from(padded, 'base64url').toString('utf-8');
+        const data = JSON.parse(decoded);
+        return typeof data === 'object' && data !== null ? data : {};
+    }
+    catch {
+        return {};
+    }
+}
+function sleep(ms) {
+    return new Promise((resolve) => setTimeout(resolve, ms));
+}
+//# sourceMappingURL=http.js.map

package/dist/http.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"http.js","sourceRoot":"","sources":["../src/http.ts"],"names":[],"mappings":";AAAA;;;GAGG;;AAOH,0CAyDC;AAKD,kDA6DC;AAGD,0CASC;AAGD,oCASC;AAGD,kDAaC;AAxKD,2CAAgD;AAEhD;;GAEG;AACI,KAAK,UAAU,eAAe,CACnC,QAAgB,EAChB,OAAoC,EACpC,SAAyB,MAAM;IAE/B,MAAM,MAAM,GAAG,IAAA,6BAAiB,GAAE,CAAC;IAEnC,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;QACrB,MAAM,IAAI,KAAK,CAAC,4DAA4D,CAAC,CAAC;IAChF,CAAC;IAED,MAAM,OAAO,GAA2B;QACtC,cAAc,EAAE,kBAAkB;QAClC,aAAa,EAAE,MAAM,CAAC,QAAQ;QAC9B,YAAY,EAAE,MAAM,CAAC,OAAQ;KAC9B,CAAC;IAEF,MAAM,GAAG,GAAG,GAAG,MAAM,CAAC,cAAc,IAAI,QAAQ,EAAE,CAAC;IAEnD,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,GAAG,MAAM,CAAC,OAAO,EAAE,OAAO,EAAE,EAAE,CAAC;QAC1D,IAAI,CAAC;YACH,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;YACzC,MAAM,SAAS,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,MAAM,CAAC,OAAO,GAAG,IAAI,CAAC,CAAC;YAE9E,MAAM,YAAY,GAAgB;gBAChC,MAAM;gBACN,OAAO;gBACP,MAAM,EAAE,UAAU,CAAC,MAAM;aAC1B,CAAC;YAEF,IAAI,MAAM,KAAK,MAAM,IAAI,OAAO,EAAE,CAAC;gBACjC,YAAY,CAAC,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;YAC9C,CAAC;YAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE,YAAY,CAAC,CAAC;YAChD,YAAY,CAAC,SAAS,CAAC,CAAC;YAExB,OAAO,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAwB,CAAC;QACxD,CAAC;QAAC,OAAO,CAAM,EAAE,CAAC;YAChB,IAAI,OAAO,GAAG,MAAM,CAAC,OAAO,GAAG,CAAC,EAAE,CAAC;gBACjC,MAAM,KAAK,CAAC,GAAG,GAAG,CAAC,OAAO,GAAG,CAAC,CAAC,CAAC,CAAC;gBACjC,SAAS;YACX,CAAC;YAED,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE,kBAAkB;gBACzB,OAAO,EAAE,sCAAsC,CAAC,CAAC,OAAO,IAAI,CAAC,EAAE;aAChE,CAAC;QACJ,CAAC;IACH,CAAC;IAED,OAAO;QACL,OAAO,EAAE,KAAK;QACd,KAAK,EAAE,sBAAsB;QAC7B,OAAO,EAAE,yCAAyC;KACnD,CAAC;AACJ,CAAC;AAED;;GAEG;AACI,KAAK,UAAU,mBAAmB,CACvC,QAAgB,EAChB,OAAoC,EACpC,SAAyB,MAAM;IAE/B,MAAM,MAAM,GAAG,IAAA,6BAAiB,GAAE,CAAC;IAEnC,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;QACrB,MAAM,IAAI,KAAK,CAAC,4DAA4D,CAAC,CAAC;IAChF,CAAC;IAED,MAAM,OAAO,GAA2B;QACtC,cAAc,EAAE,kBAAkB;QAClC,aAAa,EAAE,MAAM,CAAC,QAAQ;QAC9B,YAAY,EAAE,MAAM,CAAC,OAAQ;KAC9B,CAAC;IAEF,MAAM,GAAG,GAAG,GAAG,MAAM,CAAC,eAAe,IAAI,QAAQ,EAAE,CAAC;IACpD,MAAM,SAAS,GAAG,MAAM,CAAC,OAAO,GAAG,CAAC,GAAG,IAAI,CAAC,CAAC,2BAA2B;IAExE,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,GAAG,MAAM,CAAC,OAAO,EAAE,OAAO,EAAE,EAAE,CAAC;QAC1D,IAAI,CAAC;YACH,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;YACzC,MAAM,SAAS,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,SAAS,CAAC,CAAC;YAElE,MAAM,YAAY,GAAgB;gBAChC,MAAM;gBACN,OAAO;gBACP,MAAM,EAAE,UAAU,CAAC,MAAM;aAC1B,CAAC;YAEF,IAAI,MAAM,KAAK,MAAM,IAAI,OAAO,EAAE,CAAC;gBACjC,YAAY,CAAC,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;YAC9C,CAAC;YAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE,YAAY,CAAC,CAAC;YAChD,YAAY,CAAC,SAAS,CAAC,CAAC;YAExB,IAAI,QAAQ,CAAC,MAAM,IAAI,GAAG,EAAE,CAAC;gBAC3B,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;gBACxC,OAAO,EAAE,KAAK,EAAE,QAAQ,QAAQ,CAAC,MAAM,KAAK,SAAS,EAAE,EAAE,CAAC;YAC5D,CAAC;YAED,OAAO,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAwB,CAAC;QACxD,CAAC;QAAC,OAAO,CAAM,EAAE,CAAC;YAChB,IAAI,OAAO,GAAG,MAAM,CAAC,OAAO,GAAG,CAAC,EAAE,CAAC;gBACjC,MAAM,KAAK,CAAC,GAAG,GAAG,CAAC,OAAO,GAAG,CAAC,CAAC,CAAC,CAAC;gBACjC,SAAS;YACX,CAAC;YAED,OAAO;gBACL,KAAK,EAAE,kBAAkB;gBACzB,OAAO,EAAE,kCAAkC,CAAC,CAAC,OAAO,IAAI,CAAC,EAAE;aAC5D,CAAC;QACJ,CAAC;IACH,CAAC;IAED,OAAO;QACL,KAAK,EAAE,sBAAsB;QAC7B,OAAO,EAAE,qCAAqC;KAC/C,CAAC;AACJ,CAAC;AAED,sCAAsC;AAC/B,KAAK,UAAU,eAAe;IACnC,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,eAAe,CAAC,QAAQ,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC;QAC5D,OAAO,CAAC,GAAG,CAAC,4BAA4B,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;QAClE,OAAO,MAAM,CAAC,MAAM,KAAK,SAAS,CAAC;IACrC,CAAC;IAAC,OAAO,CAAM,EAAE,CAAC;QAChB,OAAO,CAAC,GAAG,CAAC,sCAAsC,CAAC,CAAC,OAAO,IAAI,CAAC,EAAE,CAAC,CAAC;QACpE,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,kCAAkC;AAC3B,KAAK,UAAU,YAAY;IAChC,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,mBAAmB,CAAC,QAAQ,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC;QAChE,OAAO,CAAC,GAAG,CAAC,yBAAyB,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;QAC/D,OAAO,MAAM,CAAC,MAAM,KAAK,SAAS,CAAC;IACrC,CAAC;IAAC,OAAO,CAAM,EAAE,CAAC;QAChB,OAAO,CAAC,GAAG,CAAC,kCAAkC,CAAC,CAAC,OAAO,IAAI,CAAC,EAAE,CAAC,CAAC;QAChE,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,qEAAqE;AACrE,SAAgB,mBAAmB,CAAC,KAAa;IAC/C,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC/B,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC;YAAE,OAAO,EAAE,CAAC;QAChC,MAAM,OAAO,GAAG,KAAK,CAAC,CAAC,CAAE,CAAC;QAC1B,cAAc;QACd,MAAM,MAAM,GAAG,OAAO,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;QACpE,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;QACnE,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QACjC,OAAO,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,KAAK,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;IAC/D,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED,SAAS,KAAK,CAAC,EAAU;IACvB,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC;AAC3D,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,47 @@
+/**
+ * AuthSec SDK for TypeScript/JavaScript
+ *
+ * Enterprise-grade authentication and authorization library for JS/TS servers.
+ * Provides OAuth 2.0, RBAC, SPIFFE workload identity, and CIBA passwordless auth.
+ *
+ * @example
+ * ```ts
+ * import {
+ *   protectedByAuthSec,
+ *   mcpTool,
+ *   runMcpServerWithOAuth,
+ *   ServiceAccessSDK,
+ *   CIBAClient,
+ * } from '@authsec/sdk';
+ *
+ * const adminTool = protectedByAuthSec({
+ *   toolName: 'admin_dashboard',
+ *   roles: ['admin'],
+ *   description: 'Access admin dashboard',
+ * }, async (args, session) => {
+ *   const sdk = new ServiceAccessSDK(session);
+ *   const creds = await sdk.getServiceCredentials('my-db');
+ *   return [{ type: 'text', text: JSON.stringify(creds) }];
+ * });
+ *
+ * runMcpServerWithOAuth({
+ *   tools: [adminTool],
+ *   clientId: 'your-client-id',
+ *   appName: 'my-app',
+ * });
+ * ```
+ */
+export { protectedByAuthSec, mcpTool } from './decorators.js';
+export { runMcpServerWithOAuth } from './mcp-server.js';
+export type { RunMcpServerOptions } from './mcp-server.js';
+export { configureAuth, getConfig, isConfigured } from './config.js';
+export { testAuthService, testServices } from './http.js';
+export { ServiceAccessSDK, ServiceAccessError } from './service-access.js';
+export { CIBAClient } from './ciba.js';
+export { QuickStartSVID } from './spiffe/quick-start-svid.js';
+export { WorkloadAPIClient } from './spiffe/workload-api-client.js';
+export { WorkloadSVID } from './spiffe/workload-svid.js';
+export type { ToolHandler, ToolHandlerWithSession, ToolDefinition, RbacRequirements, McpContent, UserInfo, ServiceCredentials, AuthSecConfig, McpMessage, } from './types.js';
+export { SimpleSession } from './types.js';
+export declare const VERSION = "4.0.0";
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AAGH,OAAO,EAAE,kBAAkB,EAAE,OAAO,EAAE,MAAM,iBAAiB,CAAC;AAC9D,OAAO,EAAE,qBAAqB,EAAE,MAAM,iBAAiB,CAAC;AACxD,YAAY,EAAE,mBAAmB,EAAE,MAAM,iBAAiB,CAAC;AAG3D,OAAO,EAAE,aAAa,EAAE,SAAS,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAGrE,OAAO,EAAE,eAAe,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AAG1D,OAAO,EAAE,gBAAgB,EAAE,kBAAkB,EAAE,MAAM,qBAAqB,CAAC;AAG3E,OAAO,EAAE,UAAU,EAAE,MAAM,WAAW,CAAC;AAGvC,OAAO,EAAE,cAAc,EAAE,MAAM,8BAA8B,CAAC;AAC9D,OAAO,EAAE,iBAAiB,EAAE,MAAM,iCAAiC,CAAC;AACpE,OAAO,EAAE,YAAY,EAAE,MAAM,2BAA2B,CAAC;AAGzD,YAAY,EACV,WAAW,EACX,sBAAsB,EACtB,cAAc,EACd,gBAAgB,EAChB,UAAU,EACV,QAAQ,EACR,kBAAkB,EAClB,aAAa,EACb,UAAU,GACX,MAAM,YAAY,CAAC;AACpB,OAAO,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAE3C,eAAO,MAAM,OAAO,UAAU,CAAC"}

package/dist/index.js

@@ -0,0 +1,69 @@
+"use strict";
+/**
+ * AuthSec SDK for TypeScript/JavaScript
+ *
+ * Enterprise-grade authentication and authorization library for JS/TS servers.
+ * Provides OAuth 2.0, RBAC, SPIFFE workload identity, and CIBA passwordless auth.
+ *
+ * @example
+ * ```ts
+ * import {
+ *   protectedByAuthSec,
+ *   mcpTool,
+ *   runMcpServerWithOAuth,
+ *   ServiceAccessSDK,
+ *   CIBAClient,
+ * } from '@authsec/sdk';
+ *
+ * const adminTool = protectedByAuthSec({
+ *   toolName: 'admin_dashboard',
+ *   roles: ['admin'],
+ *   description: 'Access admin dashboard',
+ * }, async (args, session) => {
+ *   const sdk = new ServiceAccessSDK(session);
+ *   const creds = await sdk.getServiceCredentials('my-db');
+ *   return [{ type: 'text', text: JSON.stringify(creds) }];
+ * });
+ *
+ * runMcpServerWithOAuth({
+ *   tools: [adminTool],
+ *   clientId: 'your-client-id',
+ *   appName: 'my-app',
+ * });
+ * ```
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.VERSION = exports.SimpleSession = exports.WorkloadSVID = exports.WorkloadAPIClient = exports.QuickStartSVID = exports.CIBAClient = exports.ServiceAccessError = exports.ServiceAccessSDK = exports.testServices = exports.testAuthService = exports.isConfigured = exports.getConfig = exports.configureAuth = exports.runMcpServerWithOAuth = exports.mcpTool = exports.protectedByAuthSec = void 0;
+// Core Auth & MCP
+var decorators_js_1 = require("./decorators.js");
+Object.defineProperty(exports, "protectedByAuthSec", { enumerable: true, get: function () { return decorators_js_1.protectedByAuthSec; } });
+Object.defineProperty(exports, "mcpTool", { enumerable: true, get: function () { return decorators_js_1.mcpTool; } });
+var mcp_server_js_1 = require("./mcp-server.js");
+Object.defineProperty(exports, "runMcpServerWithOAuth", { enumerable: true, get: function () { return mcp_server_js_1.runMcpServerWithOAuth; } });
+// Configuration
+var config_js_1 = require("./config.js");
+Object.defineProperty(exports, "configureAuth", { enumerable: true, get: function () { return config_js_1.configureAuth; } });
+Object.defineProperty(exports, "getConfig", { enumerable: true, get: function () { return config_js_1.getConfig; } });
+Object.defineProperty(exports, "isConfigured", { enumerable: true, get: function () { return config_js_1.isConfigured; } });
+// HTTP / Testing
+var http_js_1 = require("./http.js");
+Object.defineProperty(exports, "testAuthService", { enumerable: true, get: function () { return http_js_1.testAuthService; } });
+Object.defineProperty(exports, "testServices", { enumerable: true, get: function () { return http_js_1.testServices; } });
+// Service Access
+var service_access_js_1 = require("./service-access.js");
+Object.defineProperty(exports, "ServiceAccessSDK", { enumerable: true, get: function () { return service_access_js_1.ServiceAccessSDK; } });
+Object.defineProperty(exports, "ServiceAccessError", { enumerable: true, get: function () { return service_access_js_1.ServiceAccessError; } });
+// CIBA Passwordless Auth
+var ciba_js_1 = require("./ciba.js");
+Object.defineProperty(exports, "CIBAClient", { enumerable: true, get: function () { return ciba_js_1.CIBAClient; } });
+// SPIFFE Workload Identity
+var quick_start_svid_js_1 = require("./spiffe/quick-start-svid.js");
+Object.defineProperty(exports, "QuickStartSVID", { enumerable: true, get: function () { return quick_start_svid_js_1.QuickStartSVID; } });
+var workload_api_client_js_1 = require("./spiffe/workload-api-client.js");
+Object.defineProperty(exports, "WorkloadAPIClient", { enumerable: true, get: function () { return workload_api_client_js_1.WorkloadAPIClient; } });
+var workload_svid_js_1 = require("./spiffe/workload-svid.js");
+Object.defineProperty(exports, "WorkloadSVID", { enumerable: true, get: function () { return workload_svid_js_1.WorkloadSVID; } });
+var types_js_1 = require("./types.js");
+Object.defineProperty(exports, "SimpleSession", { enumerable: true, get: function () { return types_js_1.SimpleSession; } });
+exports.VERSION = '4.0.0';
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;;;AAEH,kBAAkB;AAClB,iDAA8D;AAArD,mHAAA,kBAAkB,OAAA;AAAE,wGAAA,OAAO,OAAA;AACpC,iDAAwD;AAA/C,sHAAA,qBAAqB,OAAA;AAG9B,gBAAgB;AAChB,yCAAqE;AAA5D,0GAAA,aAAa,OAAA;AAAE,sGAAA,SAAS,OAAA;AAAE,yGAAA,YAAY,OAAA;AAE/C,iBAAiB;AACjB,qCAA0D;AAAjD,0GAAA,eAAe,OAAA;AAAE,uGAAA,YAAY,OAAA;AAEtC,iBAAiB;AACjB,yDAA2E;AAAlE,qHAAA,gBAAgB,OAAA;AAAE,uHAAA,kBAAkB,OAAA;AAE7C,yBAAyB;AACzB,qCAAuC;AAA9B,qGAAA,UAAU,OAAA;AAEnB,2BAA2B;AAC3B,oEAA8D;AAArD,qHAAA,cAAc,OAAA;AACvB,0EAAoE;AAA3D,2HAAA,iBAAiB,OAAA;AAC1B,8DAAyD;AAAhD,gHAAA,YAAY,OAAA;AAcrB,uCAA2C;AAAlC,yGAAA,aAAa,OAAA;AAET,QAAA,OAAO,GAAG,OAAO,CAAC"}

package/dist/mcp-server.d.ts

@@ -0,0 +1,42 @@
+/**
+ * MCP Server implementation
+ * Mirrors Python MCPServer class + run_mcp_server_with_oauth
+ */
+import type { ToolDefinition } from './types.js';
+export interface RunMcpServerOptions {
+    /** Array of tool definitions created by protectedByAuthSec() and mcpTool() */
+    tools: ToolDefinition[];
+    /** Your client ID from AuthSec */
+    clientId: string;
+    /** Application name */
+    appName: string;
+    /** Server host (default: "0.0.0.0") */
+    host?: string;
+    /** Server port (default: 3005) */
+    port?: number;
+    /** Optional path to SPIRE agent socket */
+    spireSocketPath?: string;
+}
+/**
+ * Run MCP server using SDK Manager for auth.
+ *
+ * @example
+ * ```ts
+ * import { protectedByAuthSec, mcpTool, runMcpServerWithOAuth } from '@authsec/sdk';
+ *
+ * const myTool = protectedByAuthSec({
+ *   toolName: 'my_tool',
+ *   roles: ['admin'],
+ * }, async (args, session) => {
+ *   return [{ type: 'text', text: 'Hello!' }];
+ * });
+ *
+ * runMcpServerWithOAuth({
+ *   tools: [myTool],
+ *   clientId: 'your-client-id',
+ *   appName: 'my-app',
+ * });
+ * ```
+ */
+export declare function runMcpServerWithOAuth(options: RunMcpServerOptions): void;
+//# sourceMappingURL=mcp-server.d.ts.map

package/dist/mcp-server.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"mcp-server.d.ts","sourceRoot":"","sources":["../src/mcp-server.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAUH,OAAO,KAAK,EAAE,cAAc,EAAc,MAAM,YAAY,CAAC;AAgU7D,MAAM,WAAW,mBAAmB;IAClC,8EAA8E;IAC9E,KAAK,EAAE,cAAc,EAAE,CAAC;IACxB,kCAAkC;IAClC,QAAQ,EAAE,MAAM,CAAC;IACjB,uBAAuB;IACvB,OAAO,EAAE,MAAM,CAAC;IAChB,uCAAuC;IACvC,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,kCAAkC;IAClC,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,0CAA0C;IAC1C,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAgB,qBAAqB,CAAC,OAAO,EAAE,mBAAmB,GAAG,IAAI,CAoDxE"}