@axtary/mcp 0.1.0 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -0,0 +1,280 @@
1
+ import { MCP_PROTOCOL_VERSION } from "./server.js";
2
+ /**
3
+ * Validate an upstream MCP URL before we send anything to it. `https://` is
4
+ * always allowed; `http://` is allowed only for loopback hosts. We never POST
5
+ * headers (which may carry credentials) in cleartext to a remote host — the
6
+ * same honesty rule that caught the Slack HTTP-loopback bug.
7
+ */
8
+ export function assertSafeMcpUrl(rawUrl) {
9
+ let url;
10
+ try {
11
+ url = new URL(rawUrl);
12
+ }
13
+ catch {
14
+ throw new Error("mcp_http_invalid_url");
15
+ }
16
+ if (url.protocol === "https:") {
17
+ return url;
18
+ }
19
+ if (url.protocol === "http:") {
20
+ const host = url.hostname;
21
+ if (host === "localhost" || host === "127.0.0.1" || host === "::1" || host === "[::1]") {
22
+ return url;
23
+ }
24
+ throw new Error("mcp_http_insecure_url:http_allowed_only_for_localhost");
25
+ }
26
+ throw new Error(`mcp_http_unsupported_scheme:${url.protocol}`);
27
+ }
28
+ /**
29
+ * MCP client over the Streamable HTTP transport (spec 2025-06-18). Mirrors the
30
+ * surface of `McpStdioClient` so the governance path is transport-agnostic:
31
+ * every JSON-RPC message is a POST to the single MCP endpoint, the server may
32
+ * answer with one JSON object or an SSE stream, the session id from the
33
+ * InitializeResult is echoed on later requests, and the negotiated protocol
34
+ * version rides every post-init request.
35
+ */
36
+ export class McpHttpClient {
37
+ url;
38
+ headers;
39
+ fetchImpl;
40
+ timeoutMs;
41
+ sessionId = null;
42
+ negotiatedVersion = null;
43
+ closed = false;
44
+ serverInfo = null;
45
+ constructor(config) {
46
+ this.url = assertSafeMcpUrl(config.url);
47
+ this.headers = config.headers ?? {};
48
+ const fetchImpl = config.fetch ?? globalThis.fetch;
49
+ if (!fetchImpl) {
50
+ throw new Error("mcp_http_fetch_required");
51
+ }
52
+ this.fetchImpl = fetchImpl;
53
+ this.timeoutMs = config.timeoutMs ?? 15_000;
54
+ }
55
+ static async start(config) {
56
+ const client = new McpHttpClient(config);
57
+ const initialized = (await client.request("initialize", {
58
+ protocolVersion: MCP_PROTOCOL_VERSION,
59
+ capabilities: {},
60
+ clientInfo: {
61
+ name: config.clientName ?? "axtary-mcp-wrapper",
62
+ version: config.clientVersion ?? "0.0.1",
63
+ },
64
+ }));
65
+ const serverInfo = initialized.serverInfo &&
66
+ typeof initialized.serverInfo === "object" &&
67
+ !Array.isArray(initialized.serverInfo)
68
+ ? initialized.serverInfo
69
+ : {};
70
+ client.negotiatedVersion =
71
+ typeof initialized.protocolVersion === "string"
72
+ ? initialized.protocolVersion
73
+ : MCP_PROTOCOL_VERSION;
74
+ client.serverInfo = {
75
+ name: typeof serverInfo.name === "string" ? serverInfo.name : "upstream",
76
+ version: typeof serverInfo.version === "string" ? serverInfo.version : "unknown",
77
+ protocolVersion: client.negotiatedVersion,
78
+ };
79
+ await client.notify("notifications/initialized", {});
80
+ return client;
81
+ }
82
+ async listTools() {
83
+ const result = (await this.request("tools/list", {}));
84
+ const tools = Array.isArray(result.tools) ? result.tools : [];
85
+ return tools.flatMap((tool) => {
86
+ if (!tool || typeof tool !== "object" || Array.isArray(tool)) {
87
+ return [];
88
+ }
89
+ const record = tool;
90
+ if (typeof record.name !== "string" || record.name.length === 0) {
91
+ return [];
92
+ }
93
+ return [
94
+ {
95
+ name: record.name,
96
+ description: typeof record.description === "string" ? record.description : undefined,
97
+ inputSchema: record.inputSchema &&
98
+ typeof record.inputSchema === "object" &&
99
+ !Array.isArray(record.inputSchema)
100
+ ? record.inputSchema
101
+ : {},
102
+ },
103
+ ];
104
+ });
105
+ }
106
+ callTool(name, callArguments) {
107
+ return this.request("tools/call", { name, arguments: callArguments });
108
+ }
109
+ close() {
110
+ if (this.closed) {
111
+ return;
112
+ }
113
+ this.closed = true;
114
+ // Best-effort session termination; the server may answer 405 (no support)
115
+ // and we never want close() to throw.
116
+ if (this.sessionId) {
117
+ const controller = new AbortController();
118
+ const timeout = setTimeout(() => controller.abort(), this.timeoutMs);
119
+ void this.fetchImpl(this.url, {
120
+ method: "DELETE",
121
+ headers: this.buildHeaders(false),
122
+ signal: controller.signal,
123
+ })
124
+ .catch(() => undefined)
125
+ .finally(() => clearTimeout(timeout));
126
+ }
127
+ }
128
+ async request(method, params) {
129
+ const id = `axtary_mcp_${method}`;
130
+ const message = await this.post(id, method, params, false);
131
+ if (!message) {
132
+ throw new Error(`mcp_http_missing_response:${method}`);
133
+ }
134
+ if (message.error) {
135
+ throw new Error(`mcp_http_error:${message.error.code ?? "unknown"}:${message.error.message ?? "unknown"}`);
136
+ }
137
+ return message.result ?? null;
138
+ }
139
+ async notify(method, params) {
140
+ await this.post(null, method, params, true);
141
+ }
142
+ async post(id, method, params, isNotification) {
143
+ if (this.closed) {
144
+ throw new Error("mcp_http_closed");
145
+ }
146
+ const controller = new AbortController();
147
+ const timeout = setTimeout(() => controller.abort(), this.timeoutMs);
148
+ const body = isNotification
149
+ ? { jsonrpc: "2.0", method, params }
150
+ : { jsonrpc: "2.0", id, method, params };
151
+ let response;
152
+ try {
153
+ response = await this.fetchImpl(this.url, {
154
+ method: "POST",
155
+ headers: this.buildHeaders(true),
156
+ body: JSON.stringify(body),
157
+ signal: controller.signal,
158
+ });
159
+ }
160
+ finally {
161
+ clearTimeout(timeout);
162
+ }
163
+ // The session id is assigned on the InitializeResult response.
164
+ const assignedSession = response.headers.get("mcp-session-id");
165
+ if (assignedSession) {
166
+ this.sessionId = assignedSession;
167
+ }
168
+ if (response.status === 404 && this.sessionId) {
169
+ throw new Error("mcp_http_session_expired");
170
+ }
171
+ if (isNotification) {
172
+ // 202 Accepted (no body) is the expected outcome for notifications.
173
+ if (!response.ok) {
174
+ throw new Error(`mcp_http_status:${response.status}`);
175
+ }
176
+ void response.body?.cancel();
177
+ return null;
178
+ }
179
+ if (!response.ok) {
180
+ throw new Error(`mcp_http_status:${response.status}`);
181
+ }
182
+ const contentType = response.headers.get("content-type") ?? "";
183
+ if (contentType.includes("text/event-stream")) {
184
+ return this.readSseResponse(response, id);
185
+ }
186
+ const parsed = (await response.json());
187
+ return toResponseMessage(parsed);
188
+ }
189
+ async readSseResponse(response, id) {
190
+ if (!response.body) {
191
+ throw new Error("mcp_http_sse_no_body");
192
+ }
193
+ const reader = response.body.getReader();
194
+ const decoder = new TextDecoder();
195
+ let buffer = "";
196
+ try {
197
+ for (;;) {
198
+ const { value, done } = await reader.read();
199
+ if (done) {
200
+ break;
201
+ }
202
+ buffer += decoder.decode(value, { stream: true });
203
+ let separator = nextEventBoundary(buffer);
204
+ while (separator) {
205
+ const rawEvent = buffer.slice(0, separator.index);
206
+ buffer = buffer.slice(separator.index + separator.length);
207
+ const data = parseSseData(rawEvent);
208
+ if (data !== null) {
209
+ const message = toResponseMessage(JSON.parse(data));
210
+ if (message && message.id === id) {
211
+ await reader.cancel();
212
+ return message;
213
+ }
214
+ }
215
+ separator = nextEventBoundary(buffer);
216
+ }
217
+ }
218
+ }
219
+ finally {
220
+ reader.releaseLock();
221
+ }
222
+ throw new Error("mcp_http_sse_no_matching_response");
223
+ }
224
+ buildHeaders(withBody) {
225
+ const headers = {
226
+ ...this.headers,
227
+ accept: "application/json, text/event-stream",
228
+ };
229
+ if (withBody) {
230
+ headers["content-type"] = "application/json";
231
+ }
232
+ if (this.sessionId) {
233
+ headers["mcp-session-id"] = this.sessionId;
234
+ }
235
+ if (this.negotiatedVersion) {
236
+ headers["mcp-protocol-version"] = this.negotiatedVersion;
237
+ }
238
+ return headers;
239
+ }
240
+ }
241
+ function toResponseMessage(value) {
242
+ if (!value || typeof value !== "object" || Array.isArray(value)) {
243
+ return null;
244
+ }
245
+ const record = value;
246
+ const error = record.error && typeof record.error === "object" && !Array.isArray(record.error)
247
+ ? record.error
248
+ : undefined;
249
+ return {
250
+ id: record.id ?? null,
251
+ result: record.result,
252
+ error: error
253
+ ? {
254
+ code: typeof error.code === "number" ? error.code : undefined,
255
+ message: typeof error.message === "string" ? error.message : undefined,
256
+ }
257
+ : undefined,
258
+ };
259
+ }
260
+ /** Locate the next SSE event boundary (blank line), tolerating LF and CRLF. */
261
+ function nextEventBoundary(buffer) {
262
+ const lf = buffer.indexOf("\n\n");
263
+ const crlf = buffer.indexOf("\r\n\r\n");
264
+ if (crlf !== -1 && (lf === -1 || crlf < lf)) {
265
+ return { index: crlf, length: 4 };
266
+ }
267
+ if (lf !== -1) {
268
+ return { index: lf, length: 2 };
269
+ }
270
+ return null;
271
+ }
272
+ /** Concatenate the `data:` lines of one SSE event, or null if there are none. */
273
+ function parseSseData(rawEvent) {
274
+ const dataLines = rawEvent
275
+ .split(/\r?\n/)
276
+ .filter((line) => line.startsWith("data:"))
277
+ .map((line) => line.slice("data:".length).replace(/^ /, ""));
278
+ return dataLines.length > 0 ? dataLines.join("\n") : null;
279
+ }
280
+ //# sourceMappingURL=http-client.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"http-client.js","sourceRoot":"","sources":["../src/http-client.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AAsBnD;;;;;GAKG;AACH,MAAM,UAAU,gBAAgB,CAAC,MAAc;IAC7C,IAAI,GAAQ,CAAC;IAEb,IAAI,CAAC;QACH,GAAG,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC;IACxB,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;IAC1C,CAAC;IAED,IAAI,GAAG,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAC9B,OAAO,GAAG,CAAC;IACb,CAAC;IAED,IAAI,GAAG,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;QAC7B,MAAM,IAAI,GAAG,GAAG,CAAC,QAAQ,CAAC;QAE1B,IAAI,IAAI,KAAK,WAAW,IAAI,IAAI,KAAK,WAAW,IAAI,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,OAAO,EAAE,CAAC;YACvF,OAAO,GAAG,CAAC;QACb,CAAC;QAED,MAAM,IAAI,KAAK,CAAC,uDAAuD,CAAC,CAAC;IAC3E,CAAC;IAED,MAAM,IAAI,KAAK,CAAC,+BAA+B,GAAG,CAAC,QAAQ,EAAE,CAAC,CAAC;AACjE,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,OAAO,aAAa;IACP,GAAG,CAAM;IACT,OAAO,CAAyB;IAChC,SAAS,CAAe;IACxB,SAAS,CAAS;IAC3B,SAAS,GAAkB,IAAI,CAAC;IAChC,iBAAiB,GAAkB,IAAI,CAAC;IACxC,MAAM,GAAG,KAAK,CAAC;IACvB,UAAU,GAAiC,IAAI,CAAC;IAEhD,YAAoB,MAA2B;QAC7C,IAAI,CAAC,GAAG,GAAG,gBAAgB,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACxC,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC,OAAO,IAAI,EAAE,CAAC;QACpC,MAAM,SAAS,GAAG,MAAM,CAAC,KAAK,IAAI,UAAU,CAAC,KAAK,CAAC;QAEnD,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,MAAM,IAAI,KAAK,CAAC,yBAAyB,CAAC,CAAC;QAC7C,CAAC;QAED,IAAI,CAAC,SAAS,GAAG,SAAS,CAAC;QAC3B,IAAI,CAAC,SAAS,GAAG,MAAM,CAAC,SAAS,IAAI,MAAM,CAAC;IAC9C,CAAC;IAED,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,MAA2B;QAC5C,MAAM,MAAM,GAAG,IAAI,aAAa,CAAC,MAAM,CAAC,CAAC;QACzC,MAAM,WAAW,GAAG,CAAC,MAAM,MAAM,CAAC,OAAO,CAAC,YAAY,EAAE;YACtD,eAAe,EAAE,oBAAoB;YACrC,YAAY,EAAE,EAAE;YAChB,UAAU,EAAE;gBACV,IAAI,EAAE,MAAM,CAAC,UAAU,IAAI,oBAAoB;gBAC/C,OAAO,EAAE,MAAM,CAAC,aAAa,IAAI,OAAO;aACzC;SACF,CAAC,CAA8B,CAAC;QAEjC,MAAM,UAAU,GACd,WAAW,CAAC,UAAU;YACtB,OAAO,WAAW,CAAC,UAAU,KAAK,QAAQ;YAC1C,CAAC,KAAK,CAAC,OAAO,CAAC,WAAW,CAAC,UAAU,CAAC;YACpC,CAAC,CAAE,WAAW,CAAC,UAAwC;YACvD,CAAC,CAAC,EAAE,CAAC;QAET,MAAM,CAAC,iBAAiB;YACtB,OAAO,WAAW,CAAC,eAAe,KAAK,QAAQ;gBAC7C,CAAC,CAAC,WAAW,CAAC,eAAe;gBAC7B,CAAC,CAAC,oBAAoB,CAAC;QAC3B,MAAM,CAAC,UAAU,GAAG;YAClB,IAAI,EAAE,OAAO,UAAU,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,UAAU;YACxE,OAAO,EAAE,OAAO,UAAU,CAAC,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS;YAChF,eAAe,EAAE,MAAM,CAAC,iBAAiB;SAC1C,CAAC;QAEF,MAAM,MAAM,CAAC,MAAM,CAAC,2BAA2B,EAAE,EAAE,CAAC,CAAC;QAErD,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,KAAK,CAAC,SAAS;QACb,MAAM,MAAM,GAAG,CAAC,MAAM,IAAI,CAAC,OAAO,CAAC,YAAY,EAAE,EAAE,CAAC,CAA8B,CAAC;QACnF,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;QAE9D,OAAO,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,EAAE;YAC5B,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC7D,OAAO,EAAE,CAAC;YACZ,CAAC;YAED,MAAM,MAAM,GAAG,IAAiC,CAAC;YAEjD,IAAI,OAAO,MAAM,CAAC,IAAI,KAAK,QAAQ,IAAI,MAAM,CAAC,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAChE,OAAO,EAAE,CAAC;YACZ,CAAC;YAED,OAAO;gBACL;oBACE,IAAI,EAAE,MAAM,CAAC,IAAI;oBACjB,WAAW,EACT,OAAO,MAAM,CAAC,WAAW,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,SAAS;oBACzE,WAAW,EACT,MAAM,CAAC,WAAW;wBAClB,OAAO,MAAM,CAAC,WAAW,KAAK,QAAQ;wBACtC,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,WAAW,CAAC;wBAChC,CAAC,CAAE,MAAM,CAAC,WAAyC;wBACnD,CAAC,CAAC,EAAE;iBACT;aACF,CAAC;QACJ,CAAC,CAAC,CAAC;IACL,CAAC;IAED,QAAQ,CAAC,IAAY,EAAE,aAAwC;QAC7D,OAAO,IAAI,CAAC,OAAO,CAAC,YAAY,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,aAAa,EAAE,CAAC,CAAC;IACxE,CAAC;IAED,KAAK;QACH,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChB,OAAO;QACT,CAAC;QAED,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC;QAEnB,0EAA0E;QAC1E,sCAAsC;QACtC,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;YACnB,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;YACzC,MAAM,OAAO,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,CAAC;YAErE,KAAK,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,GAAG,EAAE;gBAC5B,MAAM,EAAE,QAAQ;gBAChB,OAAO,EAAE,IAAI,CAAC,YAAY,CAAC,KAAK,CAAC;gBACjC,MAAM,EAAE,UAAU,CAAC,MAAM;aAC1B,CAAC;iBACC,KAAK,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC;iBACtB,OAAO,CAAC,GAAG,EAAE,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC,CAAC;QAC1C,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,OAAO,CACnB,MAAc,EACd,MAAiC;QAEjC,MAAM,EAAE,GAAG,cAAc,MAAM,EAAE,CAAC;QAClC,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC;QAE3D,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,IAAI,KAAK,CAAC,6BAA6B,MAAM,EAAE,CAAC,CAAC;QACzD,CAAC;QAED,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;YAClB,MAAM,IAAI,KAAK,CACb,kBAAkB,OAAO,CAAC,KAAK,CAAC,IAAI,IAAI,SAAS,IAAI,OAAO,CAAC,KAAK,CAAC,OAAO,IAAI,SAAS,EAAE,CAC1F,CAAC;QACJ,CAAC;QAED,OAAO,OAAO,CAAC,MAAM,IAAI,IAAI,CAAC;IAChC,CAAC;IAEO,KAAK,CAAC,MAAM,CAAC,MAAc,EAAE,MAAiC;QACpE,MAAM,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,IAAI,CAAC,CAAC;IAC9C,CAAC;IAEO,KAAK,CAAC,IAAI,CAChB,EAAiB,EACjB,MAAc,EACd,MAAiC,EACjC,cAAuB;QAEvB,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChB,MAAM,IAAI,KAAK,CAAC,iBAAiB,CAAC,CAAC;QACrC,CAAC;QAED,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;QACzC,MAAM,OAAO,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,CAAC;QACrE,MAAM,IAAI,GAAG,cAAc;YACzB,CAAC,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE;YACpC,CAAC,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC;QAE3C,IAAI,QAAkB,CAAC;QAEvB,IAAI,CAAC;YACH,QAAQ,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,GAAG,EAAE;gBACxC,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC;gBAChC,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC;gBAC1B,MAAM,EAAE,UAAU,CAAC,MAAM;aAC1B,CAAC,CAAC;QACL,CAAC;gBAAS,CAAC;YACT,YAAY,CAAC,OAAO,CAAC,CAAC;QACxB,CAAC;QAED,+DAA+D;QAC/D,MAAM,eAAe,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC;QAE/D,IAAI,eAAe,EAAE,CAAC;YACpB,IAAI,CAAC,SAAS,GAAG,eAAe,CAAC;QACnC,CAAC;QAED,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;YAC9C,MAAM,IAAI,KAAK,CAAC,0BAA0B,CAAC,CAAC;QAC9C,CAAC;QAED,IAAI,cAAc,EAAE,CAAC;YACnB,oEAAoE;YACpE,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBACjB,MAAM,IAAI,KAAK,CAAC,mBAAmB,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;YACxD,CAAC;YAED,KAAK,QAAQ,CAAC,IAAI,EAAE,MAAM,EAAE,CAAC;YAC7B,OAAO,IAAI,CAAC;QACd,CAAC;QAED,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,mBAAmB,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;QACxD,CAAC;QAED,MAAM,WAAW,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,IAAI,EAAE,CAAC;QAE/D,IAAI,WAAW,CAAC,QAAQ,CAAC,mBAAmB,CAAC,EAAE,CAAC;YAC9C,OAAO,IAAI,CAAC,eAAe,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;QAC5C,CAAC;QAED,MAAM,MAAM,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAc,CAAC;QAEpD,OAAO,iBAAiB,CAAC,MAAM,CAAC,CAAC;IACnC,CAAC;IAEO,KAAK,CAAC,eAAe,CAC3B,QAAkB,EAClB,EAAiB;QAEjB,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;YACnB,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;QAC1C,CAAC;QAED,MAAM,MAAM,GAAG,QAAQ,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC;QACzC,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;QAClC,IAAI,MAAM,GAAG,EAAE,CAAC;QAEhB,IAAI,CAAC;YACH,SAAS,CAAC;gBACR,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,GAAG,MAAM,MAAM,CAAC,IAAI,EAAE,CAAC;gBAE5C,IAAI,IAAI,EAAE,CAAC;oBACT,MAAM;gBACR,CAAC;gBAED,MAAM,IAAI,OAAO,CAAC,MAAM,CAAC,KAAK,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC;gBAClD,IAAI,SAAS,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;gBAE1C,OAAO,SAAS,EAAE,CAAC;oBACjB,MAAM,QAAQ,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,SAAS,CAAC,KAAK,CAAC,CAAC;oBAClD,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,SAAS,CAAC,KAAK,GAAG,SAAS,CAAC,MAAM,CAAC,CAAC;oBAC1D,MAAM,IAAI,GAAG,YAAY,CAAC,QAAQ,CAAC,CAAC;oBAEpC,IAAI,IAAI,KAAK,IAAI,EAAE,CAAC;wBAClB,MAAM,OAAO,GAAG,iBAAiB,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAc,CAAC,CAAC;wBAEjE,IAAI,OAAO,IAAI,OAAO,CAAC,EAAE,KAAK,EAAE,EAAE,CAAC;4BACjC,MAAM,MAAM,CAAC,MAAM,EAAE,CAAC;4BACtB,OAAO,OAAO,CAAC;wBACjB,CAAC;oBACH,CAAC;oBAED,SAAS,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;gBACxC,CAAC;YACH,CAAC;QACH,CAAC;gBAAS,CAAC;YACT,MAAM,CAAC,WAAW,EAAE,CAAC;QACvB,CAAC;QAED,MAAM,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAC;IACvD,CAAC;IAEO,YAAY,CAAC,QAAiB;QACpC,MAAM,OAAO,GAA2B;YACtC,GAAG,IAAI,CAAC,OAAO;YACf,MAAM,EAAE,qCAAqC;SAC9C,CAAC;QAEF,IAAI,QAAQ,EAAE,CAAC;YACb,OAAO,CAAC,cAAc,CAAC,GAAG,kBAAkB,CAAC;QAC/C,CAAC;QAED,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;YACnB,OAAO,CAAC,gBAAgB,CAAC,GAAG,IAAI,CAAC,SAAS,CAAC;QAC7C,CAAC;QAED,IAAI,IAAI,CAAC,iBAAiB,EAAE,CAAC;YAC3B,OAAO,CAAC,sBAAsB,CAAC,GAAG,IAAI,CAAC,iBAAiB,CAAC;QAC3D,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;CACF;AAED,SAAS,iBAAiB,CAAC,KAAgB;IACzC,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QAChE,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,MAAM,GAAG,KAAkC,CAAC;IAClD,MAAM,KAAK,GACT,MAAM,CAAC,KAAK,IAAI,OAAO,MAAM,CAAC,KAAK,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC;QAC9E,CAAC,CAAE,MAAM,CAAC,KAAmC;QAC7C,CAAC,CAAC,SAAS,CAAC;IAEhB,OAAO;QACL,EAAE,EAAE,MAAM,CAAC,EAAE,IAAI,IAAI;QACrB,MAAM,EAAE,MAAM,CAAC,MAAM;QACrB,KAAK,EAAE,KAAK;YACV,CAAC,CAAC;gBACE,IAAI,EAAE,OAAO,KAAK,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS;gBAC7D,OAAO,EAAE,OAAO,KAAK,CAAC,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS;aACvE;YACH,CAAC,CAAC,SAAS;KACd,CAAC;AACJ,CAAC;AAED,+EAA+E;AAC/E,SAAS,iBAAiB,CAAC,MAAc;IACvC,MAAM,EAAE,GAAG,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IAClC,MAAM,IAAI,GAAG,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;IAExC,IAAI,IAAI,KAAK,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,CAAC,CAAC,IAAI,IAAI,GAAG,EAAE,CAAC,EAAE,CAAC;QAC5C,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,EAAE,CAAC;IACpC,CAAC;IAED,IAAI,EAAE,KAAK,CAAC,CAAC,EAAE,CAAC;QACd,OAAO,EAAE,KAAK,EAAE,EAAE,EAAE,MAAM,EAAE,CAAC,EAAE,CAAC;IAClC,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED,iFAAiF;AACjF,SAAS,YAAY,CAAC,QAAgB;IACpC,MAAM,SAAS,GAAG,QAAQ;SACvB,KAAK,CAAC,OAAO,CAAC;SACd,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;SAC1C,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,CAAC;IAE/D,OAAO,SAAS,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;AAC5D,CAAC"}
package/dist/index.d.ts CHANGED
@@ -1,3 +1,8 @@
1
1
  export * from "./core.js";
2
- export { MCP_PROTOCOL_VERSION, MCP_WRAPPER_SERVER_NAME, McpStdioClient, McpWrapperServer, createMcpToolRouter, createMcpWrapperServer, createMcpWrapperTool, type McpStdioClientConfig, type McpUpstreamServerInfo, type McpUpstreamToolListing, type McpWrapperRuntime, type McpWrapperServerConfig, type McpWrapperTool, } from "./server.js";
2
+ export { MCP_CONFORMANCE_RECEIPT_VERSION, MCP_CONFORMANCE_REGISTRY_VERSION, McpConformanceReceiptSchema, McpConformanceRegistrySchema, emptyMcpConformanceRegistry, loadMcpConformanceRegistry, parseMcpConformanceRegistry, saveMcpConformanceRegistry, upsertMcpConformanceReceipt, type McpConformanceReceipt, type McpConformanceRegistry, } from "./conformance.js";
3
+ export { MCP_PINS_SCHEMA_VERSION, MCP_PINS_SCHEMA_VERSION_V0, McpPinManifestSchema, McpServerPinsSchema, McpToolPinSchema, emptyMcpPinManifest, loadMcpPinManifest, parseMcpPinManifest, pinMcpDefinitions, reconcileMcpPins, saveMcpPinManifest, evaluateMcpVersionChain, findMcpToolPin, compareSemver, type McpChainEvaluation, type McpChainVerdict, type McpPinManifest, type McpPinProvenance, type McpPinReconcileEntry, type McpPinStatus, type McpServerPins, type McpToolPin, } from "./pins.js";
4
+ export { MCP_PROTOCOL_VERSION, MCP_WRAPPER_SERVER_NAME, McpStdioClient, McpWrapperServer, createMcpToolRouter, createMcpWrapperServer, createMcpWrapperTool, type McpStdioClientConfig, type McpUpstreamClient, type McpUpstreamServerInfo, type McpUpstreamToolListing, type McpWrapperRuntime, type McpWrapperServerConfig, type McpWrapperTool, } from "./server.js";
5
+ export { McpHttpClient, assertSafeMcpUrl, type McpHttpClientConfig, } from "./http-client.js";
6
+ export { PROTECTED_RESOURCE_WELL_KNOWN, AUTHORIZATION_SERVER_WELL_KNOWN, OPENID_CONFIGURATION_WELL_KNOWN, canonicalResourceUri, assertSafeOAuthEndpoint, parseWwwAuthenticate, protectedResourceMetadataUrl, authorizationServerMetadataUrls, discoverProtectedResourceMetadata, discoverAuthorizationServerMetadata, createPkcePair, createOAuthState, buildAuthorizationUrl, exchangeAuthorizationCode, refreshAccessToken, registerOAuthClient, type WwwAuthenticateChallenge, type ProtectedResourceMetadata, type AuthorizationServerMetadata, type DiscoverInput, type PkcePair, type OAuthTokens, type RegisteredClient, } from "./oauth.js";
7
+ export { MCP_SIGNED_DEFINITION_PROFILE, MCP_SIGNED_DEFINITION_TYP, MCP_PUBLISHER_KEYRING_VERSION, MCP_PUBLISHER_TRUST_VERSION, MCP_SIGNED_DEFINITION_REGISTRY_VERSION, McpSignedDefinitionClaimsSchema, McpSignedDefinitionRegistryEntrySchema, McpSignedDefinitionRegistrySchema, McpPublisherKeySchema, McpPublisherKeyringSchema, McpPublisherTrustEntrySchema, McpPublisherTrustStoreSchema, signMcpToolDefinition, verifyMcpSignedDefinition, createSignedMcpToolHandler, mcpPublisherKeyResolver, emptyMcpPublisherTrustStore, parseMcpPublisherTrustStore, loadMcpPublisherTrustStore, saveMcpPublisherTrustStore, loadMcpSignedDefinitionRegistry, findMcpSignedDefinition, trustMcpPublisher, mcpPublisherJwks, mcpPublisherSigningKey, loadOrCreateMcpPublisherKeyring, type McpSignedDefinitionClaims, type McpSignedDefinitionRegistry, type McpSignedDefinitionRegistryEntry, type McpSignedDefinitionVerification, type McpPublisherKey, type McpPublisherKeyResolver, type McpPublisherKeyring, type McpPublisherTrustEntry, type McpPublisherTrustStore, type SignMcpToolDefinitionInput, } from "./signing.js";
3
8
  //# sourceMappingURL=index.d.ts.map
@@ -1 +1 @@
1
- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,WAAW,CAAC;AAC1B,OAAO,EACL,oBAAoB,EACpB,uBAAuB,EACvB,cAAc,EACd,gBAAgB,EAChB,mBAAmB,EACnB,sBAAsB,EACtB,oBAAoB,EACpB,KAAK,oBAAoB,EACzB,KAAK,qBAAqB,EAC1B,KAAK,sBAAsB,EAC3B,KAAK,iBAAiB,EACtB,KAAK,sBAAsB,EAC3B,KAAK,cAAc,GACpB,MAAM,aAAa,CAAC"}
1
+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,WAAW,CAAC;AAC1B,OAAO,EACL,+BAA+B,EAC/B,gCAAgC,EAChC,2BAA2B,EAC3B,4BAA4B,EAC5B,2BAA2B,EAC3B,0BAA0B,EAC1B,2BAA2B,EAC3B,0BAA0B,EAC1B,2BAA2B,EAC3B,KAAK,qBAAqB,EAC1B,KAAK,sBAAsB,GAC5B,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EACL,uBAAuB,EACvB,0BAA0B,EAC1B,oBAAoB,EACpB,mBAAmB,EACnB,gBAAgB,EAChB,mBAAmB,EACnB,kBAAkB,EAClB,mBAAmB,EACnB,iBAAiB,EACjB,gBAAgB,EAChB,kBAAkB,EAClB,uBAAuB,EACvB,cAAc,EACd,aAAa,EACb,KAAK,kBAAkB,EACvB,KAAK,eAAe,EACpB,KAAK,cAAc,EACnB,KAAK,gBAAgB,EACrB,KAAK,oBAAoB,EACzB,KAAK,YAAY,EACjB,KAAK,aAAa,EAClB,KAAK,UAAU,GAChB,MAAM,WAAW,CAAC;AACnB,OAAO,EACL,oBAAoB,EACpB,uBAAuB,EACvB,cAAc,EACd,gBAAgB,EAChB,mBAAmB,EACnB,sBAAsB,EACtB,oBAAoB,EACpB,KAAK,oBAAoB,EACzB,KAAK,iBAAiB,EACtB,KAAK,qBAAqB,EAC1B,KAAK,sBAAsB,EAC3B,KAAK,iBAAiB,EACtB,KAAK,sBAAsB,EAC3B,KAAK,cAAc,GACpB,MAAM,aAAa,CAAC;AACrB,OAAO,EACL,aAAa,EACb,gBAAgB,EAChB,KAAK,mBAAmB,GACzB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EACL,6BAA6B,EAC7B,+BAA+B,EAC/B,+BAA+B,EAC/B,oBAAoB,EACpB,uBAAuB,EACvB,oBAAoB,EACpB,4BAA4B,EAC5B,+BAA+B,EAC/B,iCAAiC,EACjC,mCAAmC,EACnC,cAAc,EACd,gBAAgB,EAChB,qBAAqB,EACrB,yBAAyB,EACzB,kBAAkB,EAClB,mBAAmB,EACnB,KAAK,wBAAwB,EAC7B,KAAK,yBAAyB,EAC9B,KAAK,2BAA2B,EAChC,KAAK,aAAa,EAClB,KAAK,QAAQ,EACb,KAAK,WAAW,EAChB,KAAK,gBAAgB,GACtB,MAAM,YAAY,CAAC;AACpB,OAAO,EACL,6BAA6B,EAC7B,yBAAyB,EACzB,6BAA6B,EAC7B,2BAA2B,EAC3B,sCAAsC,EACtC,+BAA+B,EAC/B,sCAAsC,EACtC,iCAAiC,EACjC,qBAAqB,EACrB,yBAAyB,EACzB,4BAA4B,EAC5B,4BAA4B,EAC5B,qBAAqB,EACrB,yBAAyB,EACzB,0BAA0B,EAC1B,uBAAuB,EACvB,2BAA2B,EAC3B,2BAA2B,EAC3B,0BAA0B,EAC1B,0BAA0B,EAC1B,+BAA+B,EAC/B,uBAAuB,EACvB,iBAAiB,EACjB,gBAAgB,EAChB,sBAAsB,EACtB,+BAA+B,EAC/B,KAAK,yBAAyB,EAC9B,KAAK,2BAA2B,EAChC,KAAK,gCAAgC,EACrC,KAAK,+BAA+B,EACpC,KAAK,eAAe,EACpB,KAAK,uBAAuB,EAC5B,KAAK,mBAAmB,EACxB,KAAK,sBAAsB,EAC3B,KAAK,sBAAsB,EAC3B,KAAK,0BAA0B,GAChC,MAAM,cAAc,CAAC"}
package/dist/index.js CHANGED
@@ -1,3 +1,8 @@
1
1
  export * from "./core.js";
2
+ export { MCP_CONFORMANCE_RECEIPT_VERSION, MCP_CONFORMANCE_REGISTRY_VERSION, McpConformanceReceiptSchema, McpConformanceRegistrySchema, emptyMcpConformanceRegistry, loadMcpConformanceRegistry, parseMcpConformanceRegistry, saveMcpConformanceRegistry, upsertMcpConformanceReceipt, } from "./conformance.js";
3
+ export { MCP_PINS_SCHEMA_VERSION, MCP_PINS_SCHEMA_VERSION_V0, McpPinManifestSchema, McpServerPinsSchema, McpToolPinSchema, emptyMcpPinManifest, loadMcpPinManifest, parseMcpPinManifest, pinMcpDefinitions, reconcileMcpPins, saveMcpPinManifest, evaluateMcpVersionChain, findMcpToolPin, compareSemver, } from "./pins.js";
2
4
  export { MCP_PROTOCOL_VERSION, MCP_WRAPPER_SERVER_NAME, McpStdioClient, McpWrapperServer, createMcpToolRouter, createMcpWrapperServer, createMcpWrapperTool, } from "./server.js";
5
+ export { McpHttpClient, assertSafeMcpUrl, } from "./http-client.js";
6
+ export { PROTECTED_RESOURCE_WELL_KNOWN, AUTHORIZATION_SERVER_WELL_KNOWN, OPENID_CONFIGURATION_WELL_KNOWN, canonicalResourceUri, assertSafeOAuthEndpoint, parseWwwAuthenticate, protectedResourceMetadataUrl, authorizationServerMetadataUrls, discoverProtectedResourceMetadata, discoverAuthorizationServerMetadata, createPkcePair, createOAuthState, buildAuthorizationUrl, exchangeAuthorizationCode, refreshAccessToken, registerOAuthClient, } from "./oauth.js";
7
+ export { MCP_SIGNED_DEFINITION_PROFILE, MCP_SIGNED_DEFINITION_TYP, MCP_PUBLISHER_KEYRING_VERSION, MCP_PUBLISHER_TRUST_VERSION, MCP_SIGNED_DEFINITION_REGISTRY_VERSION, McpSignedDefinitionClaimsSchema, McpSignedDefinitionRegistryEntrySchema, McpSignedDefinitionRegistrySchema, McpPublisherKeySchema, McpPublisherKeyringSchema, McpPublisherTrustEntrySchema, McpPublisherTrustStoreSchema, signMcpToolDefinition, verifyMcpSignedDefinition, createSignedMcpToolHandler, mcpPublisherKeyResolver, emptyMcpPublisherTrustStore, parseMcpPublisherTrustStore, loadMcpPublisherTrustStore, saveMcpPublisherTrustStore, loadMcpSignedDefinitionRegistry, findMcpSignedDefinition, trustMcpPublisher, mcpPublisherJwks, mcpPublisherSigningKey, loadOrCreateMcpPublisherKeyring, } from "./signing.js";
3
8
  //# sourceMappingURL=index.js.map
package/dist/index.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,WAAW,CAAC;AAC1B,OAAO,EACL,oBAAoB,EACpB,uBAAuB,EACvB,cAAc,EACd,gBAAgB,EAChB,mBAAmB,EACnB,sBAAsB,EACtB,oBAAoB,GAOrB,MAAM,aAAa,CAAC"}
1
+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,WAAW,CAAC;AAC1B,OAAO,EACL,+BAA+B,EAC/B,gCAAgC,EAChC,2BAA2B,EAC3B,4BAA4B,EAC5B,2BAA2B,EAC3B,0BAA0B,EAC1B,2BAA2B,EAC3B,0BAA0B,EAC1B,2BAA2B,GAG5B,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EACL,uBAAuB,EACvB,0BAA0B,EAC1B,oBAAoB,EACpB,mBAAmB,EACnB,gBAAgB,EAChB,mBAAmB,EACnB,kBAAkB,EAClB,mBAAmB,EACnB,iBAAiB,EACjB,gBAAgB,EAChB,kBAAkB,EAClB,uBAAuB,EACvB,cAAc,EACd,aAAa,GASd,MAAM,WAAW,CAAC;AACnB,OAAO,EACL,oBAAoB,EACpB,uBAAuB,EACvB,cAAc,EACd,gBAAgB,EAChB,mBAAmB,EACnB,sBAAsB,EACtB,oBAAoB,GAQrB,MAAM,aAAa,CAAC;AACrB,OAAO,EACL,aAAa,EACb,gBAAgB,GAEjB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EACL,6BAA6B,EAC7B,+BAA+B,EAC/B,+BAA+B,EAC/B,oBAAoB,EACpB,uBAAuB,EACvB,oBAAoB,EACpB,4BAA4B,EAC5B,+BAA+B,EAC/B,iCAAiC,EACjC,mCAAmC,EACnC,cAAc,EACd,gBAAgB,EAChB,qBAAqB,EACrB,yBAAyB,EACzB,kBAAkB,EAClB,mBAAmB,GAQpB,MAAM,YAAY,CAAC;AACpB,OAAO,EACL,6BAA6B,EAC7B,yBAAyB,EACzB,6BAA6B,EAC7B,2BAA2B,EAC3B,sCAAsC,EACtC,+BAA+B,EAC/B,sCAAsC,EACtC,iCAAiC,EACjC,qBAAqB,EACrB,yBAAyB,EACzB,4BAA4B,EAC5B,4BAA4B,EAC5B,qBAAqB,EACrB,yBAAyB,EACzB,0BAA0B,EAC1B,uBAAuB,EACvB,2BAA2B,EAC3B,2BAA2B,EAC3B,0BAA0B,EAC1B,0BAA0B,EAC1B,+BAA+B,EAC/B,uBAAuB,EACvB,iBAAiB,EACjB,gBAAgB,EAChB,sBAAsB,EACtB,+BAA+B,GAWhC,MAAM,cAAc,CAAC"}
@@ -0,0 +1,168 @@
1
+ export declare const PROTECTED_RESOURCE_WELL_KNOWN = "/.well-known/oauth-protected-resource";
2
+ export declare const AUTHORIZATION_SERVER_WELL_KNOWN = "/.well-known/oauth-authorization-server";
3
+ export declare const OPENID_CONFIGURATION_WELL_KNOWN = "/.well-known/openid-configuration";
4
+ /**
5
+ * The canonical resource identifier for an MCP server, per RFC 8707 §2 and the
6
+ * MCP spec's "Canonical Server URI" rules: lowercase scheme + host, no fragment,
7
+ * no trailing slash (unless the path is just "/"). This exact string is the
8
+ * `resource` parameter and must match the `resource` field of the Protected
9
+ * Resource Metadata document.
10
+ */
11
+ export declare function canonicalResourceUri(rawUrl: string): string;
12
+ /**
13
+ * Allow `https://` always; allow `http://` only for loopback hosts. The MCP
14
+ * authorization spec requires all authorization-server endpoints to be served
15
+ * over HTTPS — we never send a bearer, code, or verifier in cleartext to a
16
+ * remote host. Loopback stays permitted for local conformance servers.
17
+ */
18
+ export declare function assertSafeOAuthEndpoint(rawUrl: string): URL;
19
+ export type WwwAuthenticateChallenge = {
20
+ scheme: string;
21
+ params: Record<string, string>;
22
+ };
23
+ /**
24
+ * Parse an RFC 7235 `WWW-Authenticate` header far enough to recover the RFC 9728
25
+ * `resource_metadata` and (optionally) `scope` from a Bearer challenge. We only
26
+ * need quoted/unquoted token68-free `key=value` auth params, which is what real
27
+ * MCP resource servers emit.
28
+ */
29
+ export declare function parseWwwAuthenticate(header: string): WwwAuthenticateChallenge | null;
30
+ export type ProtectedResourceMetadata = {
31
+ resource: string;
32
+ authorizationServers: string[];
33
+ scopesSupported: string[];
34
+ resourceName: string | null;
35
+ metadataUrl: string;
36
+ };
37
+ export type AuthorizationServerMetadata = {
38
+ issuer: string;
39
+ authorizationEndpoint: string;
40
+ tokenEndpoint: string;
41
+ registrationEndpoint: string | null;
42
+ codeChallengeMethodsSupported: string[];
43
+ scopesSupported: string[];
44
+ grantTypesSupported: string[];
45
+ metadataUrl: string;
46
+ };
47
+ /**
48
+ * Build the RFC 9728 Protected Resource Metadata URL from an MCP server URL. The
49
+ * well-known segment is inserted between host and path (path-aware), matching
50
+ * RFC 9728 §3.1, so `https://h/mcp` → `https://h/.well-known/oauth-protected-resource/mcp`.
51
+ */
52
+ export declare function protectedResourceMetadataUrl(mcpUrl: string): string;
53
+ /**
54
+ * Candidate RFC 8414 Authorization Server Metadata URLs for an issuer, tried in
55
+ * order. RFC 8414 inserts the well-known segment between host and path; we also
56
+ * fall back to the OpenID Connect discovery document, which many real
57
+ * authorization servers (including ones fronting MCP) serve instead.
58
+ */
59
+ export declare function authorizationServerMetadataUrls(issuer: string): string[];
60
+ export type DiscoverInput = {
61
+ mcpUrl: string;
62
+ fetch?: typeof fetch;
63
+ timeoutMs?: number;
64
+ /** A `WWW-Authenticate` header from a prior 401, if already observed. */
65
+ wwwAuthenticate?: string;
66
+ };
67
+ /**
68
+ * Discover Protected Resource Metadata for an MCP server. Prefers the
69
+ * `resource_metadata` URL advertised in a 401 `WWW-Authenticate` header (RFC
70
+ * 9728 §5.1); otherwise derives the well-known URL from the MCP endpoint. The
71
+ * returned `resource` must equal the canonical MCP URI or we fail closed rather
72
+ * than request a token for the wrong audience.
73
+ */
74
+ export declare function discoverProtectedResourceMetadata(input: DiscoverInput): Promise<ProtectedResourceMetadata>;
75
+ /**
76
+ * Discover RFC 8414 Authorization Server Metadata for an issuer, trying the
77
+ * path-aware well-known URLs and the OpenID fallback in order. The metadata's
78
+ * `issuer` must equal the requested issuer (RFC 8414 §3.3), and the
79
+ * authorization/token endpoints must be HTTPS (or loopback) or we fail closed.
80
+ */
81
+ export declare function discoverAuthorizationServerMetadata(input: {
82
+ issuer: string;
83
+ fetch?: typeof fetch;
84
+ timeoutMs?: number;
85
+ }): Promise<AuthorizationServerMetadata>;
86
+ export type PkcePair = {
87
+ verifier: string;
88
+ challenge: string;
89
+ method: "S256";
90
+ };
91
+ /** Create an RFC 7636 PKCE verifier/challenge pair (S256). */
92
+ export declare function createPkcePair(randomVerifier?: () => string): PkcePair;
93
+ /** Create an anti-CSRF `state` value for the authorization request. */
94
+ export declare function createOAuthState(randomState?: () => string): string;
95
+ /**
96
+ * Build the OAuth 2.1 authorization-request URL. The RFC 8707 `resource`
97
+ * parameter is always included and set to the canonical MCP URI (MUST per the
98
+ * MCP spec, regardless of AS support), alongside PKCE `code_challenge` and the
99
+ * anti-CSRF `state`.
100
+ */
101
+ export declare function buildAuthorizationUrl(input: {
102
+ authorizationEndpoint: string;
103
+ clientId: string;
104
+ redirectUri: string;
105
+ resource: string;
106
+ scopes: string[];
107
+ state: string;
108
+ codeChallenge: string;
109
+ extraParams?: Record<string, string>;
110
+ }): string;
111
+ export type OAuthTokens = {
112
+ accessToken: string;
113
+ refreshToken: string | null;
114
+ tokenType: string;
115
+ scope: string[];
116
+ expiresIn: number | null;
117
+ };
118
+ /**
119
+ * Exchange an authorization code for tokens at the token endpoint. Sends the
120
+ * RFC 7636 `code_verifier` and the RFC 8707 `resource` parameter so the issued
121
+ * token is audience-bound to this MCP server. Public-client form (no secret) is
122
+ * the default; a confidential client secret is included only when supplied.
123
+ */
124
+ export declare function exchangeAuthorizationCode(input: {
125
+ tokenEndpoint: string;
126
+ clientId: string;
127
+ clientSecret?: string;
128
+ code: string;
129
+ redirectUri: string;
130
+ codeVerifier: string;
131
+ resource: string;
132
+ fetch?: typeof fetch;
133
+ timeoutMs?: number;
134
+ }): Promise<OAuthTokens>;
135
+ /**
136
+ * Refresh an access token. Per OAuth 2.1 the `resource` parameter is repeated so
137
+ * the refreshed token keeps the same audience; the requested `scope` is narrowed
138
+ * to what was originally granted (never broadened).
139
+ */
140
+ export declare function refreshAccessToken(input: {
141
+ tokenEndpoint: string;
142
+ clientId: string;
143
+ clientSecret?: string;
144
+ refreshToken: string;
145
+ resource: string;
146
+ scopes?: string[];
147
+ fetch?: typeof fetch;
148
+ timeoutMs?: number;
149
+ }): Promise<OAuthTokens>;
150
+ export type RegisteredClient = {
151
+ clientId: string;
152
+ clientSecret: string | null;
153
+ };
154
+ /**
155
+ * Register a public OAuth client via RFC 7591 Dynamic Client Registration. We
156
+ * register as a public client using PKCE (`token_endpoint_auth_method: none`)
157
+ * with the loopback redirect and the authorization-code grant, so no client
158
+ * secret is needed or stored. Returns the issued client id.
159
+ */
160
+ export declare function registerOAuthClient(input: {
161
+ registrationEndpoint: string;
162
+ redirectUris: string[];
163
+ clientName: string;
164
+ scopes?: string[];
165
+ fetch?: typeof fetch;
166
+ timeoutMs?: number;
167
+ }): Promise<RegisteredClient>;
168
+ //# sourceMappingURL=oauth.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"oauth.d.ts","sourceRoot":"","sources":["../src/oauth.ts"],"names":[],"mappings":"AAyBA,eAAO,MAAM,6BAA6B,0CAA0C,CAAC;AACrF,eAAO,MAAM,+BAA+B,4CAA4C,CAAC;AACzF,eAAO,MAAM,+BAA+B,sCAAsC,CAAC;AAEnF;;;;;;GAMG;AACH,wBAAgB,oBAAoB,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CA8B3D;AAED;;;;;GAKG;AACH,wBAAgB,uBAAuB,CAAC,MAAM,EAAE,MAAM,GAAG,GAAG,CAwB3D;AAED,MAAM,MAAM,wBAAwB,GAAG;IACrC,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAChC,CAAC;AAEF;;;;;GAKG;AACH,wBAAgB,oBAAoB,CAAC,MAAM,EAAE,MAAM,GAAG,wBAAwB,GAAG,IAAI,CAqBpF;AASD,MAAM,MAAM,yBAAyB,GAAG;IACtC,QAAQ,EAAE,MAAM,CAAC;IACjB,oBAAoB,EAAE,MAAM,EAAE,CAAC;IAC/B,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,WAAW,EAAE,MAAM,CAAC;CACrB,CAAC;AAcF,MAAM,MAAM,2BAA2B,GAAG;IACxC,MAAM,EAAE,MAAM,CAAC;IACf,qBAAqB,EAAE,MAAM,CAAC;IAC9B,aAAa,EAAE,MAAM,CAAC;IACtB,oBAAoB,EAAE,MAAM,GAAG,IAAI,CAAC;IACpC,6BAA6B,EAAE,MAAM,EAAE,CAAC;IACxC,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,mBAAmB,EAAE,MAAM,EAAE,CAAC;IAC9B,WAAW,EAAE,MAAM,CAAC;CACrB,CAAC;AAEF;;;;GAIG;AACH,wBAAgB,4BAA4B,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAKnE;AAED;;;;;GAKG;AACH,wBAAgB,+BAA+B,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,CAmBxE;AAED,MAAM,MAAM,aAAa,GAAG;IAC1B,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,OAAO,KAAK,CAAC;IACrB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,yEAAyE;IACzE,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B,CAAC;AAEF;;;;;;GAMG;AACH,wBAAsB,iCAAiC,CACrD,KAAK,EAAE,aAAa,GACnB,OAAO,CAAC,yBAAyB,CAAC,CA+CpC;AAED;;;;;GAKG;AACH,wBAAsB,mCAAmC,CAAC,KAAK,EAAE;IAC/D,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,OAAO,KAAK,CAAC;IACrB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,GAAG,OAAO,CAAC,2BAA2B,CAAC,CA4DvC;AAED,MAAM,MAAM,QAAQ,GAAG;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC;AAE/E,8DAA8D;AAC9D,wBAAgB,cAAc,CAAC,cAAc,CAAC,EAAE,MAAM,MAAM,GAAG,QAAQ,CAKtE;AAED,uEAAuE;AACvE,wBAAgB,gBAAgB,CAAC,WAAW,CAAC,EAAE,MAAM,MAAM,GAAG,MAAM,CAEnE;AAED;;;;;GAKG;AACH,wBAAgB,qBAAqB,CAAC,KAAK,EAAE;IAC3C,qBAAqB,EAAE,MAAM,CAAC;IAC9B,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC;IACd,aAAa,EAAE,MAAM,CAAC;IACtB,WAAW,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACtC,GAAG,MAAM,CAmBT;AAED,MAAM,MAAM,WAAW,GAAG;IACxB,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;CAC1B,CAAC;AAYF;;;;;GAKG;AACH,wBAAsB,yBAAyB,CAAC,KAAK,EAAE;IACrD,aAAa,EAAE,MAAM,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,CAAC,EAAE,OAAO,KAAK,CAAC;IACrB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,GAAG,OAAO,CAAC,WAAW,CAAC,CAoBvB;AAED;;;;GAIG;AACH,wBAAsB,kBAAkB,CAAC,KAAK,EAAE;IAC9C,aAAa,EAAE,MAAM,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,KAAK,CAAC,EAAE,OAAO,KAAK,CAAC;IACrB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,GAAG,OAAO,CAAC,WAAW,CAAC,CAsBvB;AASD,MAAM,MAAM,gBAAgB,GAAG;IAC7B,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;CAC7B,CAAC;AAEF;;;;;GAKG;AACH,wBAAsB,mBAAmB,CAAC,KAAK,EAAE;IAC/C,oBAAoB,EAAE,MAAM,CAAC;IAC7B,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,KAAK,CAAC,EAAE,OAAO,KAAK,CAAC;IACrB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,GAAG,OAAO,CAAC,gBAAgB,CAAC,CA4C5B"}