@authsec/sdk 4.0.0

package/dist/mcp-server.js

@@ -0,0 +1,353 @@
+"use strict";
+/**
+ * MCP Server implementation
+ * Mirrors Python MCPServer class + run_mcp_server_with_oauth
+ */
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.runMcpServerWithOAuth = runMcpServerWithOAuth;
+const express_1 = __importDefault(require("express"));
+const cors_1 = __importDefault(require("cors"));
+const http_js_1 = require("./http.js");
+const config_js_1 = require("./config.js");
+class MCPServer {
+    clientId;
+    appName;
+    userTools = [];
+    unprotectedTools = [];
+    toolHandlers = new Map();
+    app;
+    constructor(clientId, appName) {
+        this.clientId = clientId;
+        this.appName = appName;
+        this.app = (0, express_1.default)();
+        this.app.use((0, cors_1.default)());
+        this.app.use(express_1.default.json({ limit: '10mb' }));
+        this.setupRoutes();
+    }
+    /**
+     * Register tools (replaces Python's set_user_module with module introspection).
+     * In JS/TS, users pass an array of ToolDefinition objects.
+     */
+    setTools(tools) {
+        for (const tool of tools) {
+            if (tool.isProtected) {
+                // Protected tool — extract metadata and send to SDK Manager
+                const toolMetadata = {
+                    name: tool.name,
+                    rbac: {
+                        roles: tool.rbacRequirements?.roles ?? [],
+                        groups: tool.rbacRequirements?.groups ?? [],
+                        resources: tool.rbacRequirements?.resources ?? [],
+                        scopes: tool.rbacRequirements?.scopes ?? [],
+                        permissions: tool.rbacRequirements?.permissions ?? [],
+                        require_all: tool.rbacRequirements?.requireAll ?? false,
+                    },
+                };
+                if (tool.description) {
+                    toolMetadata.description = tool.description;
+                }
+                if (tool.inputSchema) {
+                    toolMetadata.inputSchema = tool.inputSchema;
+                }
+                this.userTools.push(toolMetadata);
+                this.toolHandlers.set(tool.name, tool.handler);
+            }
+            else {
+                // Unprotected tool — register as standard MCP tool
+                const toolSchema = {
+                    name: tool.name,
+                    description: tool.description ?? `Tool: ${tool.name}`,
+                    inputSchema: tool.inputSchema ?? {
+                        type: 'object',
+                        properties: {},
+                        required: [],
+                    },
+                };
+                this.unprotectedTools.push(toolSchema);
+                this.toolHandlers.set(tool.name, tool.handler);
+                console.log(`Registered unprotected tool: ${tool.name} (standard MCP tool, no auth required)`);
+            }
+        }
+    }
+    setupRoutes() {
+        this.app.get('/', (_req, res) => {
+            const config = (0, config_js_1.getInternalConfig)();
+            res.json({
+                name: this.appName,
+                version: '1.0.0',
+                protocol: 'mcp-with-oauth',
+                status: 'running',
+                auth_service: config.authServiceUrl,
+                services_url: config.servicesBaseUrl,
+            });
+        });
+        this.app.post('/', async (req, res) => {
+            try {
+                const message = req.body;
+                const response = await this.processMcpMessage(message, req);
+                res.json(response);
+            }
+            catch (e) {
+                res.json({
+                    jsonrpc: '2.0',
+                    id: null,
+                    error: { code: -32603, message: e.message ?? String(e) },
+                });
+            }
+        });
+    }
+    deriveReturnUrl(req) {
+        const referer = req.headers.referer;
+        if (referer) {
+            try {
+                const parsed = new URL(referer);
+                if (parsed.protocol === 'http:' || parsed.protocol === 'https:') {
+                    return parsed.origin + (parsed.pathname || '/') + parsed.search + parsed.hash;
+                }
+            }
+            catch {
+                // ignore
+            }
+        }
+        const origin = req.headers.origin;
+        if (origin) {
+            try {
+                const parsed = new URL(origin);
+                if (parsed.protocol === 'http:' || parsed.protocol === 'https:') {
+                    return `${parsed.protocol}//${parsed.host}/`;
+                }
+            }
+            catch {
+                // ignore
+            }
+        }
+        return null;
+    }
+    normalizeOauthArguments(arguments_) {
+        if (typeof arguments_ !== 'object' || arguments_ === null) {
+            return arguments_;
+        }
+        const args = { ...arguments_ };
+        for (const [key, value] of Object.entries(args)) {
+            if (Array.isArray(value)) {
+                if (value.length === 1) {
+                    args[key] = String(value[0]);
+                }
+                else {
+                    args[key] = value.map(String).join(' ');
+                }
+            }
+        }
+        return args;
+    }
+    async processMcpMessage(message, req) {
+        const method = message.method;
+        const messageId = message.id;
+        const params = message.params ?? {};
+        if (method === 'initialize') {
+            return {
+                jsonrpc: '2.0',
+                id: messageId,
+                result: {
+                    protocolVersion: '2024-11-05',
+                    capabilities: { tools: { listChanged: false } },
+                    serverInfo: { name: this.appName, version: '1.0.0' },
+                },
+            };
+        }
+        if (method === 'tools/list') {
+            // Get protected tools from SDK Manager (with OAuth and RBAC)
+            let toolsResponse;
+            const toolsListTimeout = parseInt(process.env.AUTHSEC_TOOLS_LIST_TIMEOUT_SECONDS ?? '8', 10);
+            try {
+                toolsResponse = await Promise.race([
+                    (0, http_js_1.makeAuthRequest)('tools/list', {
+                        client_id: this.clientId,
+                        app_name: this.appName,
+                        user_tools: this.userTools,
+                    }),
+                    new Promise((_, reject) => setTimeout(() => reject(new Error('tools/list timed out')), toolsListTimeout * 1000)),
+                ]);
+            }
+            catch {
+                toolsResponse = { error: 'tools/list timed out against auth service' };
+            }
+            // Combine protected tools (from SDK Manager) with unprotected tools (local)
+            const remoteTools = Array.isArray(toolsResponse?.tools)
+                ? toolsResponse.tools
+                : [];
+            const allTools = [...remoteTools, ...this.unprotectedTools];
+            return {
+                jsonrpc: '2.0',
+                id: messageId,
+                result: { tools: allTools },
+            };
+        }
+        if (method === 'tools/call') {
+            const toolName = params.name;
+            let arguments_ = params.arguments ?? {};
+            let content;
+            if (toolName.startsWith('oauth_')) {
+                // Delegate OAuth tools to hosted service
+                arguments_ = this.normalizeOauthArguments(arguments_);
+                if (toolName === 'oauth_authenticate' &&
+                    typeof arguments_ === 'object' &&
+                    arguments_ !== null &&
+                    typeof arguments_.jwt_token === 'string') {
+                    // Backward/forward compatibility across auth service payload variants.
+                    const token = arguments_.jwt_token;
+                    if (!arguments_.token)
+                        arguments_.token = token;
+                    if (!arguments_.jwt)
+                        arguments_.jwt = token;
+                    if (!arguments_.access_token)
+                        arguments_.access_token = token;
+                }
+                if (toolName === 'oauth_start' &&
+                    typeof arguments_ === 'object' &&
+                    !arguments_.return_url) {
+                    const autoReturnUrl = this.deriveReturnUrl(req);
+                    if (autoReturnUrl) {
+                        arguments_.return_url = autoReturnUrl;
+                    }
+                }
+                const toolResponse = await (0, http_js_1.makeAuthRequest)(`tools/call/${toolName}`, {
+                    client_id: this.clientId,
+                    app_name: this.appName,
+                    arguments: arguments_,
+                });
+                if (typeof toolResponse === 'object' &&
+                    Array.isArray(toolResponse.content)) {
+                    content = toolResponse.content;
+                }
+                else {
+                    // Preserve useful upstream diagnostics
+                    const errorPayload = {
+                        error: 'Tool execution failed',
+                        tool: toolName,
+                    };
+                    if (typeof toolResponse === 'object') {
+                        if (toolResponse.detail)
+                            errorPayload.detail = toolResponse.detail;
+                        if (toolResponse.error)
+                            errorPayload.upstream_error = toolResponse.error;
+                        if (toolResponse.message)
+                            errorPayload.upstream_message = toolResponse.message;
+                    }
+                    content = [{ type: 'text', text: JSON.stringify(errorPayload) }];
+                }
+            }
+            else if (this.toolHandlers.has(toolName)) {
+                // Execute user's tool locally
+                content = await this.toolHandlers.get(toolName)(arguments_);
+            }
+            else {
+                content = [
+                    {
+                        type: 'text',
+                        text: JSON.stringify({ error: `Unknown tool: ${toolName}` }),
+                    },
+                ];
+            }
+            return {
+                jsonrpc: '2.0',
+                id: messageId,
+                result: { content },
+            };
+        }
+        return {
+            jsonrpc: '2.0',
+            id: messageId,
+            error: { code: -32601, message: `Method not found: ${method}` },
+        };
+    }
+    async cleanupSessions() {
+        try {
+            const result = await (0, http_js_1.makeAuthRequest)('cleanup-sessions', {
+                client_id: this.clientId,
+                app_name: this.appName,
+                reason: 'server_shutdown',
+            });
+            console.log(`Sessions cleanup: ${result.message ?? 'Completed'}`);
+        }
+        catch (e) {
+            console.log(`Session cleanup failed: ${e.message ?? e}`);
+        }
+    }
+    setupShutdownHandlers() {
+        const handler = () => {
+            console.log('\nReceived shutdown signal, cleaning up sessions...');
+            this.cleanupSessions()
+                .catch(() => { })
+                .finally(() => process.exit(0));
+        };
+        process.on('SIGINT', handler);
+        process.on('SIGTERM', handler);
+    }
+}
+/**
+ * Run MCP server using SDK Manager for auth.
+ *
+ * @example
+ * ```ts
+ * import { protectedByAuthSec, mcpTool, runMcpServerWithOAuth } from '@authsec/sdk';
+ *
+ * const myTool = protectedByAuthSec({
+ *   toolName: 'my_tool',
+ *   roles: ['admin'],
+ * }, async (args, session) => {
+ *   return [{ type: 'text', text: 'Hello!' }];
+ * });
+ *
+ * runMcpServerWithOAuth({
+ *   tools: [myTool],
+ *   clientId: 'your-client-id',
+ *   appName: 'my-app',
+ * });
+ * ```
+ */
+function runMcpServerWithOAuth(options) {
+    const host = options.host ?? '0.0.0.0';
+    const port = options.port ?? 3005;
+    const authServiceUrl = process.env.AUTHSEC_AUTH_SERVICE_URL;
+    const servicesBaseUrl = process.env.AUTHSEC_SERVICES_URL;
+    const timeoutSeconds = parseInt(process.env.AUTHSEC_TIMEOUT_SECONDS ?? '15', 10);
+    const retries = parseInt(process.env.AUTHSEC_RETRIES ?? '2', 10);
+    const runtimeClientId = (0, config_js_1.normalizeRuntimeClientId)(options.clientId);
+    (0, config_js_1.configureAuth)(runtimeClientId, options.appName, {
+        authServiceUrl: authServiceUrl ?? undefined,
+        servicesBaseUrl: servicesBaseUrl ?? undefined,
+        timeout: timeoutSeconds,
+        retries,
+    });
+    // Store SPIRE socket path in global config if provided
+    const config = (0, config_js_1.getInternalConfig)();
+    if (options.spireSocketPath) {
+        config.spireSocketPath = options.spireSocketPath;
+        config.spireEnabled = true;
+    }
+    else {
+        config.spireEnabled = false;
+    }
+    const server = new MCPServer(runtimeClientId, options.appName);
+    server.setTools(options.tools);
+    server.setupShutdownHandlers();
+    console.log(`Starting ${options.appName} MCP Server on ${host}:${port}`);
+    console.log(`Authentication via: ${config.authServiceUrl}`);
+    console.log(`Services via: ${config.servicesBaseUrl}`);
+    if (config.spireEnabled) {
+        console.log('SPIRE Workload Identity: ENABLED');
+        console.log(`  Agent socket: ${config.spireSocketPath}`);
+    }
+    else {
+        console.log('SPIRE Workload Identity: DISABLED');
+    }
+    console.log(`MCP Inspector: npx @modelcontextprotocol/inspector http://${host}:${port}`);
+    server.app.listen(port, host, () => {
+        console.log(`Server listening on ${host}:${port}`);
+    });
+}
+//# sourceMappingURL=mcp-server.js.map

package/dist/mcp-server.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"mcp-server.js","sourceRoot":"","sources":["../src/mcp-server.ts"],"names":[],"mappings":";AAAA;;;GAGG;;;;;AA8WH,sDAoDC;AAhaD,sDAA8B;AAC9B,gDAAwB;AACxB,uCAA4C;AAC5C,2CAIqB;AAGrB,MAAM,SAAS;IACL,QAAQ,CAAS;IACjB,OAAO,CAAS;IAChB,SAAS,GAA+B,EAAE,CAAC;IAC3C,gBAAgB,GAA+B,EAAE,CAAC;IAClD,YAAY,GAA6D,IAAI,GAAG,EAAE,CAAC;IACpF,GAAG,CAAkB;IAE5B,YAAY,QAAgB,EAAE,OAAe;QAC3C,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;QACzB,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;QAEvB,IAAI,CAAC,GAAG,GAAG,IAAA,iBAAO,GAAE,CAAC;QACrB,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,IAAA,cAAI,GAAE,CAAC,CAAC;QACrB,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,iBAAO,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC;QAE9C,IAAI,CAAC,WAAW,EAAE,CAAC;IACrB,CAAC;IAED;;;OAGG;IACH,QAAQ,CAAC,KAAuB;QAC9B,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;gBACrB,4DAA4D;gBAC5D,MAAM,YAAY,GAAwB;oBACxC,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,IAAI,EAAE;wBACJ,KAAK,EAAE,IAAI,CAAC,gBAAgB,EAAE,KAAK,IAAI,EAAE;wBACzC,MAAM,EAAE,IAAI,CAAC,gBAAgB,EAAE,MAAM,IAAI,EAAE;wBAC3C,SAAS,EAAE,IAAI,CAAC,gBAAgB,EAAE,SAAS,IAAI,EAAE;wBACjD,MAAM,EAAE,IAAI,CAAC,gBAAgB,EAAE,MAAM,IAAI,EAAE;wBAC3C,WAAW,EAAE,IAAI,CAAC,gBAAgB,EAAE,WAAW,IAAI,EAAE;wBACrD,WAAW,EAAE,IAAI,CAAC,gBAAgB,EAAE,UAAU,IAAI,KAAK;qBACxD;iBACF,CAAC;gBAEF,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;oBACrB,YAAY,CAAC,WAAW,GAAG,IAAI,CAAC,WAAW,CAAC;gBAC9C,CAAC;gBACD,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;oBACrB,YAAY,CAAC,WAAW,GAAG,IAAI,CAAC,WAAW,CAAC;gBAC9C,CAAC;gBAED,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;gBAClC,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC;YACjD,CAAC;iBAAM,CAAC;gBACN,mDAAmD;gBACnD,MAAM,UAAU,GAAwB;oBACtC,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,WAAW,EAAE,IAAI,CAAC,WAAW,IAAI,SAAS,IAAI,CAAC,IAAI,EAAE;oBACrD,WAAW,EAAE,IAAI,CAAC,WAAW,IAAI;wBAC/B,IAAI,EAAE,QAAQ;wBACd,UAAU,EAAE,EAAE;wBACd,QAAQ,EAAE,EAAE;qBACb;iBACF,CAAC;gBAEF,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;gBACvC,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC;gBAC/C,OAAO,CAAC,GAAG,CACT,gCAAgC,IAAI,CAAC,IAAI,wCAAwC,CAClF,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAEO,WAAW;QACjB,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,IAAI,EAAE,GAAG,EAAE,EAAE;YAC9B,MAAM,MAAM,GAAG,IAAA,6BAAiB,GAAE,CAAC;YACnC,GAAG,CAAC,IAAI,CAAC;gBACP,IAAI,EAAE,IAAI,CAAC,OAAO;gBAClB,OAAO,EAAE,OAAO;gBAChB,QAAQ,EAAE,gBAAgB;gBAC1B,MAAM,EAAE,SAAS;gBACjB,YAAY,EAAE,MAAM,CAAC,cAAc;gBACnC,YAAY,EAAE,MAAM,CAAC,eAAe;aACrC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE;YACpC,IAAI,CAAC;gBACH,MAAM,OAAO,GAAG,GAAG,CAAC,IAAkB,CAAC;gBACvC,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,iBAAiB,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;gBAC5D,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YACrB,CAAC;YAAC,OAAO,CAAM,EAAE,CAAC;gBAChB,GAAG,CAAC,IAAI,CAAC;oBACP,OAAO,EAAE,KAAK;oBACd,EAAE,EAAE,IAAI;oBACR,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,CAAC,CAAC,OAAO,IAAI,MAAM,CAAC,CAAC,CAAC,EAAE;iBACzD,CAAC,CAAC;YACL,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC;IAEO,eAAe,CAAC,GAAoB;QAC1C,MAAM,OAAO,GAAG,GAAG,CAAC,OAAO,CAAC,OAAO,CAAC;QACpC,IAAI,OAAO,EAAE,CAAC;YACZ,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC;gBAChC,IAAI,MAAM,CAAC,QAAQ,KAAK,OAAO,IAAI,MAAM,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;oBAChE,OAAO,MAAM,CAAC,MAAM,GAAG,CAAC,MAAM,CAAC,QAAQ,IAAI,GAAG,CAAC,GAAG,MAAM,CAAC,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC;gBAChF,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,SAAS;YACX,CAAC;QACH,CAAC;QAED,MAAM,MAAM,GAAG,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC;QAClC,IAAI,MAAM,EAAE,CAAC;YACX,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC;gBAC/B,IAAI,MAAM,CAAC,QAAQ,KAAK,OAAO,IAAI,MAAM,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;oBAChE,OAAO,GAAG,MAAM,CAAC,QAAQ,KAAK,MAAM,CAAC,IAAI,GAAG,CAAC;gBAC/C,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,SAAS;YACX,CAAC;QACH,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;IAEO,uBAAuB,CAC7B,UAA+B;QAE/B,IAAI,OAAO,UAAU,KAAK,QAAQ,IAAI,UAAU,KAAK,IAAI,EAAE,CAAC;YAC1D,OAAO,UAAU,CAAC;QACpB,CAAC;QAED,MAAM,IAAI,GAAG,EAAE,GAAG,UAAU,EAAE,CAAC;QAE/B,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;YAChD,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;gBACzB,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;oBACvB,IAAI,CAAC,GAAG,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;gBAC/B,CAAC;qBAAM,CAAC;oBACN,IAAI,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;gBAC1C,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;IAEO,KAAK,CAAC,iBAAiB,CAC7B,OAAmB,EACnB,GAAoB;QAEpB,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;QAC9B,MAAM,SAAS,GAAG,OAAO,CAAC,EAAE,CAAC;QAC7B,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,EAAE,CAAC;QAEpC,IAAI,MAAM,KAAK,YAAY,EAAE,CAAC;YAC5B,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,EAAE,EAAE,SAAS;gBACb,MAAM,EAAE;oBACN,eAAe,EAAE,YAAY;oBAC7B,YAAY,EAAE,EAAE,KAAK,EAAE,EAAE,WAAW,EAAE,KAAK,EAAE,EAAE;oBAC/C,UAAU,EAAE,EAAE,IAAI,EAAE,IAAI,CAAC,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE;iBACrD;aACF,CAAC;QACJ,CAAC;QAED,IAAI,MAAM,KAAK,YAAY,EAAE,CAAC;YAC5B,6DAA6D;YAC7D,IAAI,aAAkC,CAAC;YACvC,MAAM,gBAAgB,GAAG,QAAQ,CAC/B,OAAO,CAAC,GAAG,CAAC,kCAAkC,IAAI,GAAG,EACrD,EAAE,CACH,CAAC;YAEF,IAAI,CAAC;gBACH,aAAa,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC;oBACjC,IAAA,yBAAe,EAAC,YAAY,EAAE;wBAC5B,SAAS,EAAE,IAAI,CAAC,QAAQ;wBACxB,QAAQ,EAAE,IAAI,CAAC,OAAO;wBACtB,UAAU,EAAE,IAAI,CAAC,SAAS;qBAC3B,CAAC;oBACF,IAAI,OAAO,CAAsB,CAAC,CAAC,EAAE,MAAM,EAAE,EAAE,CAC7C,UAAU,CACR,GAAG,EAAE,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC,EAC/C,gBAAgB,GAAG,IAAI,CACxB,CACF;iBACF,CAAC,CAAC;YACL,CAAC;YAAC,MAAM,CAAC;gBACP,aAAa,GAAG,EAAE,KAAK,EAAE,2CAA2C,EAAE,CAAC;YACzE,CAAC;YAED,4EAA4E;YAC5E,MAAM,WAAW,GAAG,KAAK,CAAC,OAAO,CAAC,aAAa,EAAE,KAAK,CAAC;gBACrD,CAAC,CAAC,aAAa,CAAC,KAAK;gBACrB,CAAC,CAAC,EAAE,CAAC;YACP,MAAM,QAAQ,GAAG,CAAC,GAAG,WAAW,EAAE,GAAG,IAAI,CAAC,gBAAgB,CAAC,CAAC;YAE5D,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,EAAE,EAAE,SAAS;gBACb,MAAM,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE;aAC5B,CAAC;QACJ,CAAC;QAED,IAAI,MAAM,KAAK,YAAY,EAAE,CAAC;YAC5B,MAAM,QAAQ,GAAW,MAAM,CAAC,IAAI,CAAC;YACrC,IAAI,UAAU,GAAG,MAAM,CAAC,SAAS,IAAI,EAAE,CAAC;YACxC,IAAI,OAAmC,CAAC;YAExC,IAAI,QAAQ,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAClC,yCAAyC;gBACzC,UAAU,GAAG,IAAI,CAAC,uBAAuB,CAAC,UAAU,CAAC,CAAC;gBACtD,IACE,QAAQ,KAAK,oBAAoB;oBACjC,OAAO,UAAU,KAAK,QAAQ;oBAC9B,UAAU,KAAK,IAAI;oBACnB,OAAO,UAAU,CAAC,SAAS,KAAK,QAAQ,EACxC,CAAC;oBACD,uEAAuE;oBACvE,MAAM,KAAK,GAAG,UAAU,CAAC,SAAS,CAAC;oBACnC,IAAI,CAAC,UAAU,CAAC,KAAK;wBAAE,UAAU,CAAC,KAAK,GAAG,KAAK,CAAC;oBAChD,IAAI,CAAC,UAAU,CAAC,GAAG;wBAAE,UAAU,CAAC,GAAG,GAAG,KAAK,CAAC;oBAC5C,IAAI,CAAC,UAAU,CAAC,YAAY;wBAAE,UAAU,CAAC,YAAY,GAAG,KAAK,CAAC;gBAChE,CAAC;gBACD,IACE,QAAQ,KAAK,aAAa;oBAC1B,OAAO,UAAU,KAAK,QAAQ;oBAC9B,CAAC,UAAU,CAAC,UAAU,EACtB,CAAC;oBACD,MAAM,aAAa,GAAG,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC;oBAChD,IAAI,aAAa,EAAE,CAAC;wBAClB,UAAU,CAAC,UAAU,GAAG,aAAa,CAAC;oBACxC,CAAC;gBACH,CAAC;gBAED,MAAM,YAAY,GAAG,MAAM,IAAA,yBAAe,EACxC,cAAc,QAAQ,EAAE,EACxB;oBACE,SAAS,EAAE,IAAI,CAAC,QAAQ;oBACxB,QAAQ,EAAE,IAAI,CAAC,OAAO;oBACtB,SAAS,EAAE,UAAU;iBACtB,CACF,CAAC;gBAEF,IACE,OAAO,YAAY,KAAK,QAAQ;oBAChC,KAAK,CAAC,OAAO,CAAC,YAAY,CAAC,OAAO,CAAC,EACnC,CAAC;oBACD,OAAO,GAAG,YAAY,CAAC,OAAO,CAAC;gBACjC,CAAC;qBAAM,CAAC;oBACN,uCAAuC;oBACvC,MAAM,YAAY,GAAwB;wBACxC,KAAK,EAAE,uBAAuB;wBAC9B,IAAI,EAAE,QAAQ;qBACf,CAAC;oBACF,IAAI,OAAO,YAAY,KAAK,QAAQ,EAAE,CAAC;wBACrC,IAAI,YAAY,CAAC,MAAM;4BAAE,YAAY,CAAC,MAAM,GAAG,YAAY,CAAC,MAAM,CAAC;wBACnE,IAAI,YAAY,CAAC,KAAK;4BACpB,YAAY,CAAC,cAAc,GAAG,YAAY,CAAC,KAAK,CAAC;wBACnD,IAAI,YAAY,CAAC,OAAO;4BACtB,YAAY,CAAC,gBAAgB,GAAG,YAAY,CAAC,OAAO,CAAC;oBACzD,CAAC;oBACD,OAAO,GAAG,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC,EAAE,CAAC,CAAC;gBACnE,CAAC;YACH,CAAC;iBAAM,IAAI,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAC3C,8BAA8B;gBAC9B,OAAO,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,QAAQ,CAAE,CAAC,UAAU,CAAC,CAAC;YAC/D,CAAC;iBAAM,CAAC;gBACN,OAAO,GAAG;oBACR;wBACE,IAAI,EAAE,MAAM;wBACZ,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,iBAAiB,QAAQ,EAAE,EAAE,CAAC;qBAC7D;iBACF,CAAC;YACJ,CAAC;YAED,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,EAAE,EAAE,SAAS;gBACb,MAAM,EAAE,EAAE,OAAO,EAAE;aACpB,CAAC;QACJ,CAAC;QAED,OAAO;YACL,OAAO,EAAE,KAAK;YACd,EAAE,EAAE,SAAS;YACb,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,qBAAqB,MAAM,EAAE,EAAE;SAChE,CAAC;IACJ,CAAC;IAEO,KAAK,CAAC,eAAe;QAC3B,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,IAAA,yBAAe,EAAC,kBAAkB,EAAE;gBACvD,SAAS,EAAE,IAAI,CAAC,QAAQ;gBACxB,QAAQ,EAAE,IAAI,CAAC,OAAO;gBACtB,MAAM,EAAE,iBAAiB;aAC1B,CAAC,CAAC;YACH,OAAO,CAAC,GAAG,CAAC,qBAAqB,MAAM,CAAC,OAAO,IAAI,WAAW,EAAE,CAAC,CAAC;QACpE,CAAC;QAAC,OAAO,CAAM,EAAE,CAAC;YAChB,OAAO,CAAC,GAAG,CAAC,2BAA2B,CAAC,CAAC,OAAO,IAAI,CAAC,EAAE,CAAC,CAAC;QAC3D,CAAC;IACH,CAAC;IAED,qBAAqB;QACnB,MAAM,OAAO,GAAG,GAAG,EAAE;YACnB,OAAO,CAAC,GAAG,CAAC,qDAAqD,CAAC,CAAC;YACnE,IAAI,CAAC,eAAe,EAAE;iBACnB,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC;iBACf,OAAO,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;QACpC,CAAC,CAAC;QAEF,OAAO,CAAC,EAAE,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QAC9B,OAAO,CAAC,EAAE,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;IACjC,CAAC;CACF;AAiBD;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,SAAgB,qBAAqB,CAAC,OAA4B;IAChE,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,IAAI,SAAS,CAAC;IACvC,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,IAAI,IAAI,CAAC;IAElC,MAAM,cAAc,GAAG,OAAO,CAAC,GAAG,CAAC,wBAAwB,CAAC;IAC5D,MAAM,eAAe,GAAG,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC;IACzD,MAAM,cAAc,GAAG,QAAQ,CAC7B,OAAO,CAAC,GAAG,CAAC,uBAAuB,IAAI,IAAI,EAC3C,EAAE,CACH,CAAC;IACF,MAAM,OAAO,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,IAAI,GAAG,EAAE,EAAE,CAAC,CAAC;IAEjE,MAAM,eAAe,GAAG,IAAA,oCAAwB,EAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IAEnE,IAAA,yBAAa,EAAC,eAAe,EAAE,OAAO,CAAC,OAAO,EAAE;QAC9C,cAAc,EAAE,cAAc,IAAI,SAAS;QAC3C,eAAe,EAAE,eAAe,IAAI,SAAS;QAC7C,OAAO,EAAE,cAAc;QACvB,OAAO;KACR,CAAC,CAAC;IAEH,uDAAuD;IACvD,MAAM,MAAM,GAAG,IAAA,6BAAiB,GAAE,CAAC;IACnC,IAAI,OAAO,CAAC,eAAe,EAAE,CAAC;QAC5B,MAAM,CAAC,eAAe,GAAG,OAAO,CAAC,eAAe,CAAC;QACjD,MAAM,CAAC,YAAY,GAAG,IAAI,CAAC;IAC7B,CAAC;SAAM,CAAC;QACN,MAAM,CAAC,YAAY,GAAG,KAAK,CAAC;IAC9B,CAAC;IAED,MAAM,MAAM,GAAG,IAAI,SAAS,CAAC,eAAe,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC;IAC/D,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;IAC/B,MAAM,CAAC,qBAAqB,EAAE,CAAC;IAE/B,OAAO,CAAC,GAAG,CAAC,YAAY,OAAO,CAAC,OAAO,kBAAkB,IAAI,IAAI,IAAI,EAAE,CAAC,CAAC;IACzE,OAAO,CAAC,GAAG,CAAC,uBAAuB,MAAM,CAAC,cAAc,EAAE,CAAC,CAAC;IAC5D,OAAO,CAAC,GAAG,CAAC,iBAAiB,MAAM,CAAC,eAAe,EAAE,CAAC,CAAC;IAEvD,IAAI,MAAM,CAAC,YAAY,EAAE,CAAC;QACxB,OAAO,CAAC,GAAG,CAAC,kCAAkC,CAAC,CAAC;QAChD,OAAO,CAAC,GAAG,CAAC,mBAAmB,MAAM,CAAC,eAAe,EAAE,CAAC,CAAC;IAC3D,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,GAAG,CAAC,mCAAmC,CAAC,CAAC;IACnD,CAAC;IAED,OAAO,CAAC,GAAG,CACT,6DAA6D,IAAI,IAAI,IAAI,EAAE,CAC5E,CAAC;IAEF,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,EAAE,GAAG,EAAE;QACjC,OAAO,CAAC,GAAG,CAAC,uBAAuB,IAAI,IAAI,IAAI,EAAE,CAAC,CAAC;IACrD,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/rbac.d.ts

@@ -0,0 +1,12 @@
+/**
+ * RBAC evaluation logic
+ * Mirrors Python _evaluate_rbac and _normalize_claim_list
+ */
+import type { RbacRequirements, UserInfo } from './types.js';
+/**
+ * Evaluate RBAC requirements against user info.
+ *
+ * @returns [allowed, reason] - allowed is true if access is granted, reason explains denial
+ */
+export declare function evaluateRbac(userInfo: UserInfo, requirements: RbacRequirements): [boolean, string];
+//# sourceMappingURL=rbac.d.ts.map

package/dist/rbac.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"rbac.d.ts","sourceRoot":"","sources":["../src/rbac.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,gBAAgB,EAAE,QAAQ,EAAE,MAAM,YAAY,CAAC;AAkB7D;;;;GAIG;AACH,wBAAgB,YAAY,CAC1B,QAAQ,EAAE,QAAQ,EAClB,YAAY,EAAE,gBAAgB,GAC7B,CAAC,OAAO,EAAE,MAAM,CAAC,CAkGnB"}

package/dist/rbac.js

@@ -0,0 +1,130 @@
+"use strict";
+/**
+ * RBAC evaluation logic
+ * Mirrors Python _evaluate_rbac and _normalize_claim_list
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.evaluateRbac = evaluateRbac;
+/**
+ * Normalize a claim value to a Set of strings.
+ */
+function normalizeClaimList(value) {
+    if (value == null)
+        return new Set();
+    if (typeof value === 'string')
+        return new Set([value]);
+    if (Array.isArray(value)) {
+        return new Set(value
+            .filter((v) => v != null && String(v) !== '')
+            .map((v) => String(v)));
+    }
+    return new Set();
+}
+/**
+ * Evaluate RBAC requirements against user info.
+ *
+ * @returns [allowed, reason] - allowed is true if access is granted, reason explains denial
+ */
+function evaluateRbac(userInfo, requirements) {
+    const rolesReq = new Set(requirements.roles ?? []);
+    const groupsReq = new Set(requirements.groups ?? []);
+    const resourcesReq = new Set(requirements.resources ?? []);
+    const scopesReq = new Set(requirements.scopes ?? []);
+    const permsReq = new Set(requirements.permissions ?? []);
+    const requireAll = requirements.requireAll ?? false;
+    // Normalize user claims
+    const userRoles = normalizeClaimList(userInfo.roles);
+    const userGroups = normalizeClaimList(userInfo.groups);
+    // Scopes from both 'scopes' and 'scope' claims
+    const rawScopes = union(normalizeClaimList(userInfo.scopes), normalizeClaimList(userInfo.scope));
+    // Resources: direct claim + extracted from "resource:action" scopes
+    const userResources = normalizeClaimList(userInfo.resources);
+    for (const s of rawScopes) {
+        if (s.includes(':')) {
+            userResources.add(s.split(':')[0]);
+        }
+    }
+    // Scopes: non-resource scopes + action part of "resource:action"
+    const userScopes = new Set();
+    for (const s of rawScopes) {
+        if (s.includes(':')) {
+            userScopes.add(s.split(':')[1]);
+        }
+        else {
+            userScopes.add(s);
+        }
+    }
+    // Permissions: direct claim + "resource:action" scopes
+    const userPerms = normalizeClaimList(userInfo.permissions);
+    for (const s of rawScopes) {
+        if (s.includes(':')) {
+            userPerms.add(s);
+        }
+    }
+    // Build checks map
+    const checks = {};
+    if (rolesReq.size > 0) {
+        checks['roles'] = hasIntersection(userRoles, rolesReq);
+    }
+    if (groupsReq.size > 0) {
+        checks['groups'] = hasIntersection(userGroups, groupsReq);
+    }
+    if (resourcesReq.size > 0) {
+        checks['resources'] = hasIntersection(userResources, resourcesReq);
+    }
+    if (scopesReq.size > 0) {
+        checks['scopes'] = hasIntersection(userScopes, scopesReq);
+    }
+    if (permsReq.size > 0) {
+        if (userPerms.size > 0) {
+            checks['permissions'] = hasIntersection(userPerms, permsReq);
+        }
+        else {
+            // Fallback: check if user has matching resource + action combo
+            let allowed = false;
+            for (const perm of permsReq) {
+                if (perm.includes(':')) {
+                    const [res, act] = perm.split(':');
+                    if (userResources.has(res) && userScopes.has(act)) {
+                        allowed = true;
+                        break;
+                    }
+                }
+            }
+            checks['permissions'] = allowed;
+        }
+    }
+    // No RBAC requirements -> allow
+    if (Object.keys(checks).length === 0) {
+        return [true, ''];
+    }
+    if (requireAll) {
+        const missing = Object.entries(checks)
+            .filter(([_, ok]) => !ok)
+            .map(([k]) => k);
+        if (missing.length > 0) {
+            return [false, `missing required ${missing.join(', ')}`];
+        }
+        return [true, ''];
+    }
+    // OR logic across categories
+    if (Object.values(checks).some((v) => v)) {
+        return [true, ''];
+    }
+    return [false, 'no RBAC requirement satisfied'];
+}
+function hasIntersection(a, b) {
+    for (const item of a) {
+        if (b.has(item))
+            return true;
+    }
+    return false;
+}
+function union(a, b) {
+    const result = new Set(a);
+    for (const item of b) {
+        result.add(item);
+    }
+    return result;
+}
+//# sourceMappingURL=rbac.js.map

package/dist/rbac.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rbac.js","sourceRoot":"","sources":["../src/rbac.ts"],"names":[],"mappings":";AAAA;;;GAGG;;AAyBH,oCAqGC;AA1HD;;GAEG;AACH,SAAS,kBAAkB,CAAC,KAAU;IACpC,IAAI,KAAK,IAAI,IAAI;QAAE,OAAO,IAAI,GAAG,EAAE,CAAC;IACpC,IAAI,OAAO,KAAK,KAAK,QAAQ;QAAE,OAAO,IAAI,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC;IACvD,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACzB,OAAO,IAAI,GAAG,CACZ,KAAK;aACF,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,IAAI,IAAI,MAAM,CAAC,CAAC,CAAC,KAAK,EAAE,CAAC;aAC5C,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CACzB,CAAC;IACJ,CAAC;IACD,OAAO,IAAI,GAAG,EAAE,CAAC;AACnB,CAAC;AAED;;;;GAIG;AACH,SAAgB,YAAY,CAC1B,QAAkB,EAClB,YAA8B;IAE9B,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,YAAY,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC;IACnD,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,YAAY,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC;IACrD,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC,YAAY,CAAC,SAAS,IAAI,EAAE,CAAC,CAAC;IAC3D,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,YAAY,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC;IACrD,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,YAAY,CAAC,WAAW,IAAI,EAAE,CAAC,CAAC;IACzD,MAAM,UAAU,GAAG,YAAY,CAAC,UAAU,IAAI,KAAK,CAAC;IAEpD,wBAAwB;IACxB,MAAM,SAAS,GAAG,kBAAkB,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IACrD,MAAM,UAAU,GAAG,kBAAkB,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IAEvD,+CAA+C;IAC/C,MAAM,SAAS,GAAG,KAAK,CACrB,kBAAkB,CAAC,QAAQ,CAAC,MAAM,CAAC,EACnC,kBAAkB,CAAC,QAAQ,CAAC,KAAK,CAAC,CACnC,CAAC;IAEF,oEAAoE;IACpE,MAAM,aAAa,GAAG,kBAAkB,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;IAC7D,KAAK,MAAM,CAAC,IAAI,SAAS,EAAE,CAAC;QAC1B,IAAI,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YACpB,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAE,CAAC,CAAC;QACtC,CAAC;IACH,CAAC;IAED,iEAAiE;IACjE,MAAM,UAAU,GAAG,IAAI,GAAG,EAAU,CAAC;IACrC,KAAK,MAAM,CAAC,IAAI,SAAS,EAAE,CAAC;QAC1B,IAAI,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YACpB,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAE,CAAC,CAAC;QACnC,CAAC;aAAM,CAAC;YACN,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;QACpB,CAAC;IACH,CAAC;IAED,uDAAuD;IACvD,MAAM,SAAS,GAAG,kBAAkB,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IAC3D,KAAK,MAAM,CAAC,IAAI,SAAS,EAAE,CAAC;QAC1B,IAAI,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YACpB,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;QACnB,CAAC;IACH,CAAC;IAED,mBAAmB;IACnB,MAAM,MAAM,GAA4B,EAAE,CAAC;IAE3C,IAAI,QAAQ,CAAC,IAAI,GAAG,CAAC,EAAE,CAAC;QACtB,MAAM,CAAC,OAAO,CAAC,GAAG,eAAe,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;IACzD,CAAC;IACD,IAAI,SAAS,CAAC,IAAI,GAAG,CAAC,EAAE,CAAC;QACvB,MAAM,CAAC,QAAQ,CAAC,GAAG,eAAe,CAAC,UAAU,EAAE,SAAS,CAAC,CAAC;IAC5D,CAAC;IACD,IAAI,YAAY,CAAC,IAAI,GAAG,CAAC,EAAE,CAAC;QAC1B,MAAM,CAAC,WAAW,CAAC,GAAG,eAAe,CAAC,aAAa,EAAE,YAAY,CAAC,CAAC;IACrE,CAAC;IACD,IAAI,SAAS,CAAC,IAAI,GAAG,CAAC,EAAE,CAAC;QACvB,MAAM,CAAC,QAAQ,CAAC,GAAG,eAAe,CAAC,UAAU,EAAE,SAAS,CAAC,CAAC;IAC5D,CAAC;IACD,IAAI,QAAQ,CAAC,IAAI,GAAG,CAAC,EAAE,CAAC;QACtB,IAAI,SAAS,CAAC,IAAI,GAAG,CAAC,EAAE,CAAC;YACvB,MAAM,CAAC,aAAa,CAAC,GAAG,eAAe,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;QAC/D,CAAC;aAAM,CAAC;YACN,+DAA+D;YAC/D,IAAI,OAAO,GAAG,KAAK,CAAC;YACpB,KAAK,MAAM,IAAI,IAAI,QAAQ,EAAE,CAAC;gBAC5B,IAAI,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;oBACvB,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;oBACnC,IAAI,aAAa,CAAC,GAAG,CAAC,GAAI,CAAC,IAAI,UAAU,CAAC,GAAG,CAAC,GAAI,CAAC,EAAE,CAAC;wBACpD,OAAO,GAAG,IAAI,CAAC;wBACf,MAAM;oBACR,CAAC;gBACH,CAAC;YACH,CAAC;YACD,MAAM,CAAC,aAAa,CAAC,GAAG,OAAO,CAAC;QAClC,CAAC;IACH,CAAC;IAED,gCAAgC;IAChC,IAAI,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACrC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;IACpB,CAAC;IAED,IAAI,UAAU,EAAE,CAAC;QACf,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC;aACnC,MAAM,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,CAAC;aACxB,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC;QACnB,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACvB,OAAO,CAAC,KAAK,EAAE,oBAAoB,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAC3D,CAAC;QACD,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;IACpB,CAAC;IAED,6BAA6B;IAC7B,IAAI,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACzC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;IACpB,CAAC;IACD,OAAO,CAAC,KAAK,EAAE,+BAA+B,CAAC,CAAC;AAClD,CAAC;AAED,SAAS,eAAe,CAAC,CAAc,EAAE,CAAc;IACrD,KAAK,MAAM,IAAI,IAAI,CAAC,EAAE,CAAC;QACrB,IAAI,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC;YAAE,OAAO,IAAI,CAAC;IAC/B,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,KAAK,CAAC,CAAc,EAAE,CAAc;IAC3C,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC;IAC1B,KAAK,MAAM,IAAI,IAAI,CAAC,EAAE,CAAC;QACrB,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IACnB,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/service-access.d.ts

@@ -0,0 +1,31 @@
+/**
+ * ServiceAccessSDK - access external service credentials via hosted services
+ * Mirrors Python ServiceAccessSDK class
+ */
+import type { ServiceCredentials } from './types.js';
+export declare class ServiceAccessError extends Error {
+    constructor(message: string);
+}
+export declare class ServiceAccessSDK {
+    private sessionId;
+    private session;
+    private timeout;
+    constructor(session: {
+        sessionId: string;
+        [key: string]: any;
+    } | {
+        session_id: string;
+        [key: string]: any;
+    }, timeout?: number);
+    /** Check service health via hosted service */
+    healthCheck(): Promise<Record<string, any>>;
+    /** Get service credentials via hosted service */
+    getServiceCredentials(serviceName: string): Promise<ServiceCredentials>;
+    /** Get access token for service */
+    getServiceToken(serviceName: string): Promise<string>;
+    /** Get JWT payload details via hosted service */
+    getServiceUserDetails(serviceName: string): Promise<Record<string, any>>;
+    /** Close SDK (no-op in this minimal implementation) */
+    close(): Promise<void>;
+}
+//# sourceMappingURL=service-access.d.ts.map

package/dist/service-access.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"service-access.d.ts","sourceRoot":"","sources":["../src/service-access.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,YAAY,CAAC;AAErD,qBAAa,kBAAmB,SAAQ,KAAK;gBAC/B,OAAO,EAAE,MAAM;CAI5B;AAED,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,SAAS,CAAS;IAC1B,OAAO,CAAC,OAAO,CAAM;IACrB,OAAO,CAAC,OAAO,CAAS;gBAGtB,OAAO,EAAE;QAAE,SAAS,EAAE,MAAM,CAAC;QAAC,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,CAAA;KAAE,GAAG;QAAE,UAAU,EAAE,MAAM,CAAC;QAAC,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,CAAA;KAAE,EAC/F,OAAO,GAAE,MAAW;IAetB,8CAA8C;IACxC,WAAW,IAAI,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAIjD,iDAAiD;IAC3C,qBAAqB,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,CAAC;IAwB7E,mCAAmC;IAC7B,eAAe,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAS3D,iDAAiD;IAC3C,qBAAqB,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAS9E,uDAAuD;IACjD,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;CAG7B"}

package/dist/service-access.js

@@ -0,0 +1,82 @@
+"use strict";
+/**
+ * ServiceAccessSDK - access external service credentials via hosted services
+ * Mirrors Python ServiceAccessSDK class
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ServiceAccessSDK = exports.ServiceAccessError = void 0;
+const http_js_1 = require("./http.js");
+class ServiceAccessError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = 'ServiceAccessError';
+    }
+}
+exports.ServiceAccessError = ServiceAccessError;
+class ServiceAccessSDK {
+    sessionId;
+    session;
+    timeout;
+    constructor(session, timeout = 30) {
+        // Extract session_id from various session object shapes
+        if ('sessionId' in session) {
+            this.sessionId = session.sessionId;
+        }
+        else if ('session_id' in session) {
+            this.sessionId = session.session_id;
+        }
+        else {
+            throw new Error('Session must contain sessionId or session_id');
+        }
+        this.session = session;
+        this.timeout = timeout;
+    }
+    /** Check service health via hosted service */
+    async healthCheck() {
+        return (0, http_js_1.makeServicesRequest)('health', null, 'GET');
+    }
+    /** Get service credentials via hosted service */
+    async getServiceCredentials(serviceName) {
+        const payload = {
+            session_id: this.sessionId,
+            service_name: serviceName,
+        };
+        const result = await (0, http_js_1.makeServicesRequest)('credentials', payload);
+        if (result.error) {
+            throw new ServiceAccessError(result.error);
+        }
+        return {
+            serviceId: result.service_id,
+            serviceName: result.service_name,
+            serviceType: result.service_type,
+            authType: result.auth_type,
+            url: result.url,
+            credentials: result.credentials,
+            metadata: result.metadata ?? {},
+            retrievedAt: result.retrieved_at,
+        };
+    }
+    /** Get access token for service */
+    async getServiceToken(serviceName) {
+        const credentials = await this.getServiceCredentials(serviceName);
+        const token = credentials.credentials.access_token;
+        if (!token) {
+            throw new ServiceAccessError(`No access token available for ${serviceName}`);
+        }
+        return token;
+    }
+    /** Get JWT payload details via hosted service */
+    async getServiceUserDetails(serviceName) {
+        const payload = {
+            session_id: this.sessionId,
+            service_name: serviceName,
+        };
+        return (0, http_js_1.makeServicesRequest)('user-details', payload);
+    }
+    /** Close SDK (no-op in this minimal implementation) */
+    async close() {
+        // No-op
+    }
+}
+exports.ServiceAccessSDK = ServiceAccessSDK;
+//# sourceMappingURL=service-access.js.map

package/dist/service-access.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"service-access.js","sourceRoot":"","sources":["../src/service-access.ts"],"names":[],"mappings":";AAAA;;;GAGG;;;AAEH,uCAAgD;AAGhD,MAAa,kBAAmB,SAAQ,KAAK;IAC3C,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,oBAAoB,CAAC;IACnC,CAAC;CACF;AALD,gDAKC;AAED,MAAa,gBAAgB;IACnB,SAAS,CAAS;IAClB,OAAO,CAAM;IACb,OAAO,CAAS;IAExB,YACE,OAA+F,EAC/F,UAAkB,EAAE;QAEpB,wDAAwD;QACxD,IAAI,WAAW,IAAI,OAAO,EAAE,CAAC;YAC3B,IAAI,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS,CAAC;QACrC,CAAC;aAAM,IAAI,YAAY,IAAI,OAAO,EAAE,CAAC;YACnC,IAAI,CAAC,SAAS,GAAG,OAAO,CAAC,UAAU,CAAC;QACtC,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;QAClE,CAAC;QAED,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;QACvB,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;IACzB,CAAC;IAED,8CAA8C;IAC9C,KAAK,CAAC,WAAW;QACf,OAAO,IAAA,6BAAmB,EAAC,QAAQ,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC;IACpD,CAAC;IAED,iDAAiD;IACjD,KAAK,CAAC,qBAAqB,CAAC,WAAmB;QAC7C,MAAM,OAAO,GAAG;YACd,UAAU,EAAE,IAAI,CAAC,SAAS;YAC1B,YAAY,EAAE,WAAW;SAC1B,CAAC;QAEF,MAAM,MAAM,GAAG,MAAM,IAAA,6BAAmB,EAAC,aAAa,EAAE,OAAO,CAAC,CAAC;QAEjE,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;YACjB,MAAM,IAAI,kBAAkB,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAC7C,CAAC;QAED,OAAO;YACL,SAAS,EAAE,MAAM,CAAC,UAAU;YAC5B,WAAW,EAAE,MAAM,CAAC,YAAY;YAChC,WAAW,EAAE,MAAM,CAAC,YAAY;YAChC,QAAQ,EAAE,MAAM,CAAC,SAAS;YAC1B,GAAG,EAAE,MAAM,CAAC,GAAG;YACf,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,QAAQ,EAAE,MAAM,CAAC,QAAQ,IAAI,EAAE;YAC/B,WAAW,EAAE,MAAM,CAAC,YAAY;SACjC,CAAC;IACJ,CAAC;IAED,mCAAmC;IACnC,KAAK,CAAC,eAAe,CAAC,WAAmB;QACvC,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,qBAAqB,CAAC,WAAW,CAAC,CAAC;QAClE,MAAM,KAAK,GAAG,WAAW,CAAC,WAAW,CAAC,YAAY,CAAC;QACnD,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,IAAI,kBAAkB,CAAC,iCAAiC,WAAW,EAAE,CAAC,CAAC;QAC/E,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,iDAAiD;IACjD,KAAK,CAAC,qBAAqB,CAAC,WAAmB;QAC7C,MAAM,OAAO,GAAG;YACd,UAAU,EAAE,IAAI,CAAC,SAAS;YAC1B,YAAY,EAAE,WAAW;SAC1B,CAAC;QAEF,OAAO,IAAA,6BAAmB,EAAC,cAAc,EAAE,OAAO,CAAC,CAAC;IACtD,CAAC;IAED,uDAAuD;IACvD,KAAK,CAAC,KAAK;QACT,QAAQ;IACV,CAAC;CACF;AA5ED,4CA4EC"}

package/dist/spiffe/index.d.ts

@@ -0,0 +1,4 @@
+export { WorkloadAPIClient } from './workload-api-client.js';
+export { QuickStartSVID } from './quick-start-svid.js';
+export { WorkloadSVID } from './workload-svid.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/spiffe/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/spiffe/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,0BAA0B,CAAC;AAC7D,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AACvD,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC"}