npm - @chances-ai/engine - Versions diffs - 24.0.0 - Mend

@chances-ai/engine 24.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (389) hide show

package/dist/agents/discover.d.ts +30 -0
package/dist/agents/discover.d.ts.map +1 -0
package/dist/agents/discover.js +183 -0
package/dist/agents/discover.js.map +1 -0
package/dist/agents/index.d.ts +20 -0
package/dist/agents/index.d.ts.map +1 -0
package/dist/agents/index.js +52 -0
package/dist/agents/index.js.map +1 -0
package/dist/agents/parse.d.ts +61 -0
package/dist/agents/parse.d.ts.map +1 -0
package/dist/agents/parse.js +527 -0
package/dist/agents/parse.js.map +1 -0
package/dist/agents/types.d.ts +52 -0
package/dist/agents/types.d.ts.map +1 -0
package/dist/agents/types.js +8 -0
package/dist/agents/types.js.map +1 -0
package/dist/ai/adapters/ai-sdk-stream.d.ts +19 -0
package/dist/ai/adapters/ai-sdk-stream.d.ts.map +1 -0
package/dist/ai/adapters/ai-sdk-stream.js +125 -0
package/dist/ai/adapters/ai-sdk-stream.js.map +1 -0
package/dist/ai/adapters/ai-sdk.d.ts +56 -0
package/dist/ai/adapters/ai-sdk.d.ts.map +1 -0
package/dist/ai/adapters/ai-sdk.js +112 -0
package/dist/ai/adapters/ai-sdk.js.map +1 -0
package/dist/ai/adapters/mock.d.ts +13 -0
package/dist/ai/adapters/mock.d.ts.map +1 -0
package/dist/ai/adapters/mock.js +54 -0
package/dist/ai/adapters/mock.js.map +1 -0
package/dist/ai/adapters/openai-compatible.d.ts +23 -0
package/dist/ai/adapters/openai-compatible.d.ts.map +1 -0
package/dist/ai/adapters/openai-compatible.js +45 -0
package/dist/ai/adapters/openai-compatible.js.map +1 -0
package/dist/ai/cost.d.ts +3 -0
package/dist/ai/cost.d.ts.map +1 -0
package/dist/ai/cost.js +5 -0
package/dist/ai/cost.js.map +1 -0
package/dist/ai/index.d.ts +12 -0
package/dist/ai/index.d.ts.map +1 -0
package/dist/ai/index.js +11 -0
package/dist/ai/index.js.map +1 -0
package/dist/ai/known-models.d.ts +20 -0
package/dist/ai/known-models.d.ts.map +1 -0
package/dist/ai/known-models.js +129 -0
package/dist/ai/known-models.js.map +1 -0
package/dist/ai/registry.d.ts +12 -0
package/dist/ai/registry.d.ts.map +1 -0
package/dist/ai/registry.js +24 -0
package/dist/ai/registry.js.map +1 -0
package/dist/ai/retry.d.ts +11 -0
package/dist/ai/retry.d.ts.map +1 -0
package/dist/ai/retry.js +14 -0
package/dist/ai/retry.js.map +1 -0
package/dist/ai/router.d.ts +25 -0
package/dist/ai/router.d.ts.map +1 -0
package/dist/ai/router.js +36 -0
package/dist/ai/router.js.map +1 -0
package/dist/ai/setup.d.ts +23 -0
package/dist/ai/setup.d.ts.map +1 -0
package/dist/ai/setup.js +47 -0
package/dist/ai/setup.js.map +1 -0
package/dist/ai/summarizer.d.ts +24 -0
package/dist/ai/summarizer.d.ts.map +1 -0
package/dist/ai/summarizer.js +56 -0
package/dist/ai/summarizer.js.map +1 -0
package/dist/ai/types.d.ts +83 -0
package/dist/ai/types.d.ts.map +1 -0
package/dist/ai/types.js +2 -0
package/dist/ai/types.js.map +1 -0
package/dist/core/compaction/circuit-breaker.d.ts +32 -0
package/dist/core/compaction/circuit-breaker.d.ts.map +1 -0
package/dist/core/compaction/circuit-breaker.js +42 -0
package/dist/core/compaction/circuit-breaker.js.map +1 -0
package/dist/core/compaction/compactor.d.ts +75 -0
package/dist/core/compaction/compactor.d.ts.map +1 -0
package/dist/core/compaction/compactor.js +261 -0
package/dist/core/compaction/compactor.js.map +1 -0
package/dist/core/compaction/estimate.d.ts +39 -0
package/dist/core/compaction/estimate.d.ts.map +1 -0
package/dist/core/compaction/estimate.js +74 -0
package/dist/core/compaction/estimate.js.map +1 -0
package/dist/core/compaction/index.d.ts +5 -0
package/dist/core/compaction/index.d.ts.map +1 -0
package/dist/core/compaction/index.js +5 -0
package/dist/core/compaction/index.js.map +1 -0
package/dist/core/compaction/prune.d.ts +43 -0
package/dist/core/compaction/prune.d.ts.map +1 -0
package/dist/core/compaction/prune.js +51 -0
package/dist/core/compaction/prune.js.map +1 -0
package/dist/core/engine.d.ts +268 -0
package/dist/core/engine.d.ts.map +1 -0
package/dist/core/engine.js +767 -0
package/dist/core/engine.js.map +1 -0
package/dist/core/index.d.ts +6 -0
package/dist/core/index.d.ts.map +1 -0
package/dist/core/index.js +6 -0
package/dist/core/index.js.map +1 -0
package/dist/core/task-tool.d.ts +175 -0
package/dist/core/task-tool.d.ts.map +1 -0
package/dist/core/task-tool.js +901 -0
package/dist/core/task-tool.js.map +1 -0
package/dist/core/workspace-query.d.ts +83 -0
package/dist/core/workspace-query.d.ts.map +1 -0
package/dist/core/workspace-query.js +217 -0
package/dist/core/workspace-query.js.map +1 -0
package/dist/core/worktree/active-marker.d.ts +31 -0
package/dist/core/worktree/active-marker.d.ts.map +1 -0
package/dist/core/worktree/active-marker.js +109 -0
package/dist/core/worktree/active-marker.js.map +1 -0
package/dist/core/worktree/create.d.ts +40 -0
package/dist/core/worktree/create.d.ts.map +1 -0
package/dist/core/worktree/create.js +121 -0
package/dist/core/worktree/create.js.map +1 -0
package/dist/core/worktree/errors.d.ts +7 -0
package/dist/core/worktree/errors.d.ts.map +1 -0
package/dist/core/worktree/errors.js +11 -0
package/dist/core/worktree/errors.js.map +1 -0
package/dist/core/worktree/gc.d.ts +39 -0
package/dist/core/worktree/gc.d.ts.map +1 -0
package/dist/core/worktree/gc.js +146 -0
package/dist/core/worktree/gc.js.map +1 -0
package/dist/core/worktree/git.d.ts +53 -0
package/dist/core/worktree/git.d.ts.map +1 -0
package/dist/core/worktree/git.js +166 -0
package/dist/core/worktree/git.js.map +1 -0
package/dist/core/worktree/index.d.ts +8 -0
package/dist/core/worktree/index.d.ts.map +1 -0
package/dist/core/worktree/index.js +8 -0
package/dist/core/worktree/index.js.map +1 -0
package/dist/core/worktree/paths.d.ts +26 -0
package/dist/core/worktree/paths.d.ts.map +1 -0
package/dist/core/worktree/paths.js +57 -0
package/dist/core/worktree/paths.js.map +1 -0
package/dist/core/worktree/slug.d.ts +6 -0
package/dist/core/worktree/slug.d.ts.map +1 -0
package/dist/core/worktree/slug.js +21 -0
package/dist/core/worktree/slug.js.map +1 -0
package/dist/local-vault/file-store.d.ts +64 -0
package/dist/local-vault/file-store.d.ts.map +1 -0
package/dist/local-vault/file-store.js +225 -0
package/dist/local-vault/file-store.js.map +1 -0
package/dist/local-vault/index.d.ts +57 -0
package/dist/local-vault/index.d.ts.map +1 -0
package/dist/local-vault/index.js +68 -0
package/dist/local-vault/index.js.map +1 -0
package/dist/local-vault/keychain.d.ts +58 -0
package/dist/local-vault/keychain.d.ts.map +1 -0
package/dist/local-vault/keychain.js +200 -0
package/dist/local-vault/keychain.js.map +1 -0
package/dist/local-vault/mutex.d.ts +20 -0
package/dist/local-vault/mutex.d.ts.map +1 -0
package/dist/local-vault/mutex.js +44 -0
package/dist/local-vault/mutex.js.map +1 -0
package/dist/local-vault/passphrase.d.ts +30 -0
package/dist/local-vault/passphrase.d.ts.map +1 -0
package/dist/local-vault/passphrase.js +72 -0
package/dist/local-vault/passphrase.js.map +1 -0
package/dist/lsp/config.d.ts +34 -0
package/dist/lsp/config.d.ts.map +1 -0
package/dist/lsp/config.js +68 -0
package/dist/lsp/config.js.map +1 -0
package/dist/lsp/detect.d.ts +7 -0
package/dist/lsp/detect.d.ts.map +1 -0
package/dist/lsp/detect.js +78 -0
package/dist/lsp/detect.js.map +1 -0
package/dist/lsp/errors.d.ts +11 -0
package/dist/lsp/errors.d.ts.map +1 -0
package/dist/lsp/errors.js +11 -0
package/dist/lsp/errors.js.map +1 -0
package/dist/lsp/formatters.d.ts +147 -0
package/dist/lsp/formatters.d.ts.map +1 -0
package/dist/lsp/formatters.js +259 -0
package/dist/lsp/formatters.js.map +1 -0
package/dist/lsp/index.d.ts +31 -0
package/dist/lsp/index.d.ts.map +1 -0
package/dist/lsp/index.js +31 -0
package/dist/lsp/index.js.map +1 -0
package/dist/lsp/instance.d.ts +72 -0
package/dist/lsp/instance.d.ts.map +1 -0
package/dist/lsp/instance.js +489 -0
package/dist/lsp/instance.js.map +1 -0
package/dist/lsp/lazy-load.d.ts +27 -0
package/dist/lsp/lazy-load.d.ts.map +1 -0
package/dist/lsp/lazy-load.js +57 -0
package/dist/lsp/lazy-load.js.map +1 -0
package/dist/lsp/manager.d.ts +59 -0
package/dist/lsp/manager.d.ts.map +1 -0
package/dist/lsp/manager.js +242 -0
package/dist/lsp/manager.js.map +1 -0
package/dist/lsp/ops.d.ts +13 -0
package/dist/lsp/ops.d.ts.map +1 -0
package/dist/lsp/ops.js +225 -0
package/dist/lsp/ops.js.map +1 -0
package/dist/lsp/rpc.d.ts +47 -0
package/dist/lsp/rpc.d.ts.map +1 -0
package/dist/lsp/rpc.js +134 -0
package/dist/lsp/rpc.js.map +1 -0
package/dist/lsp/safe-uri.d.ts +18 -0
package/dist/lsp/safe-uri.d.ts.map +1 -0
package/dist/lsp/safe-uri.js +96 -0
package/dist/lsp/safe-uri.js.map +1 -0
package/dist/lsp/types.d.ts +70 -0
package/dist/lsp/types.d.ts.map +1 -0
package/dist/lsp/types.js +16 -0
package/dist/lsp/types.js.map +1 -0
package/dist/mcp/bridge.d.ts +57 -0
package/dist/mcp/bridge.d.ts.map +1 -0
package/dist/mcp/bridge.js +98 -0
package/dist/mcp/bridge.js.map +1 -0
package/dist/mcp/category.d.ts +22 -0
package/dist/mcp/category.d.ts.map +1 -0
package/dist/mcp/category.js +11 -0
package/dist/mcp/category.js.map +1 -0
package/dist/mcp/client.d.ts +228 -0
package/dist/mcp/client.d.ts.map +1 -0
package/dist/mcp/client.js +352 -0
package/dist/mcp/client.js.map +1 -0
package/dist/mcp/content.d.ts +86 -0
package/dist/mcp/content.d.ts.map +1 -0
package/dist/mcp/content.js +147 -0
package/dist/mcp/content.js.map +1 -0
package/dist/mcp/env.d.ts +19 -0
package/dist/mcp/env.d.ts.map +1 -0
package/dist/mcp/env.js +50 -0
package/dist/mcp/env.js.map +1 -0
package/dist/mcp/host.d.ts +199 -0
package/dist/mcp/host.d.ts.map +1 -0
package/dist/mcp/host.js +530 -0
package/dist/mcp/host.js.map +1 -0
package/dist/mcp/index.d.ts +18 -0
package/dist/mcp/index.d.ts.map +1 -0
package/dist/mcp/index.js +17 -0
package/dist/mcp/index.js.map +1 -0
package/dist/mcp/load-mcp-host.d.ts +32 -0
package/dist/mcp/load-mcp-host.d.ts.map +1 -0
package/dist/mcp/load-mcp-host.js +49 -0
package/dist/mcp/load-mcp-host.js.map +1 -0
package/dist/mcp/oauth/callback-server.d.ts +73 -0
package/dist/mcp/oauth/callback-server.d.ts.map +1 -0
package/dist/mcp/oauth/callback-server.js +280 -0
package/dist/mcp/oauth/callback-server.js.map +1 -0
package/dist/mcp/oauth/config-hash.d.ts +24 -0
package/dist/mcp/oauth/config-hash.d.ts.map +1 -0
package/dist/mcp/oauth/config-hash.js +55 -0
package/dist/mcp/oauth/config-hash.js.map +1 -0
package/dist/mcp/oauth/error-normalize.d.ts +39 -0
package/dist/mcp/oauth/error-normalize.d.ts.map +1 -0
package/dist/mcp/oauth/error-normalize.js +91 -0
package/dist/mcp/oauth/error-normalize.js.map +1 -0
package/dist/mcp/oauth/provider.d.ts +190 -0
package/dist/mcp/oauth/provider.d.ts.map +1 -0
package/dist/mcp/oauth/provider.js +305 -0
package/dist/mcp/oauth/provider.js.map +1 -0
package/dist/mcp/oauth/refresh-coalescer.d.ts +46 -0
package/dist/mcp/oauth/refresh-coalescer.d.ts.map +1 -0
package/dist/mcp/oauth/refresh-coalescer.js +77 -0
package/dist/mcp/oauth/refresh-coalescer.js.map +1 -0
package/dist/mcp/oauth/sdk-shapes.d.ts +77 -0
package/dist/mcp/oauth/sdk-shapes.d.ts.map +1 -0
package/dist/mcp/oauth/sdk-shapes.js +21 -0
package/dist/mcp/oauth/sdk-shapes.js.map +1 -0
package/dist/mcp/parse.d.ts +28 -0
package/dist/mcp/parse.d.ts.map +1 -0
package/dist/mcp/parse.js +209 -0
package/dist/mcp/parse.js.map +1 -0
package/dist/mcp/prompts.d.ts +31 -0
package/dist/mcp/prompts.d.ts.map +1 -0
package/dist/mcp/prompts.js +71 -0
package/dist/mcp/prompts.js.map +1 -0
package/dist/mcp/redact.d.ts +62 -0
package/dist/mcp/redact.d.ts.map +1 -0
package/dist/mcp/redact.js +87 -0
package/dist/mcp/redact.js.map +1 -0
package/dist/mcp/resources.d.ts +70 -0
package/dist/mcp/resources.d.ts.map +1 -0
package/dist/mcp/resources.js +170 -0
package/dist/mcp/resources.js.map +1 -0
package/dist/mcp/types.d.ts +123 -0
package/dist/mcp/types.d.ts.map +1 -0
package/dist/mcp/types.js +2 -0
package/dist/mcp/types.js.map +1 -0
package/dist/memory/frontmatter.d.ts +18 -0
package/dist/memory/frontmatter.d.ts.map +1 -0
package/dist/memory/frontmatter.js +81 -0
package/dist/memory/frontmatter.js.map +1 -0
package/dist/memory/index.d.ts +5 -0
package/dist/memory/index.d.ts.map +1 -0
package/dist/memory/index.js +5 -0
package/dist/memory/index.js.map +1 -0
package/dist/memory/store.d.ts +44 -0
package/dist/memory/store.d.ts.map +1 -0
package/dist/memory/store.js +237 -0
package/dist/memory/store.js.map +1 -0
package/dist/memory/tools.d.ts +11 -0
package/dist/memory/tools.d.ts.map +1 -0
package/dist/memory/tools.js +159 -0
package/dist/memory/tools.js.map +1 -0
package/dist/memory/types.d.ts +32 -0
package/dist/memory/types.d.ts.map +1 -0
package/dist/memory/types.js +20 -0
package/dist/memory/types.js.map +1 -0
package/dist/plugin-api/index.d.ts +167 -0
package/dist/plugin-api/index.d.ts.map +1 -0
package/dist/plugin-api/index.js +151 -0
package/dist/plugin-api/index.js.map +1 -0
package/dist/plugin-logger/index.d.ts +21 -0
package/dist/plugin-logger/index.d.ts.map +1 -0
package/dist/plugin-logger/index.js +59 -0
package/dist/plugin-logger/index.js.map +1 -0
package/dist/session/index.d.ts +125 -0
package/dist/session/index.d.ts.map +1 -0
package/dist/session/index.js +202 -0
package/dist/session/index.js.map +1 -0
package/dist/tools/approval.d.ts +33 -0
package/dist/tools/approval.d.ts.map +1 -0
package/dist/tools/approval.js +53 -0
package/dist/tools/approval.js.map +1 -0
package/dist/tools/builtins/_shared.d.ts +94 -0
package/dist/tools/builtins/_shared.d.ts.map +1 -0
package/dist/tools/builtins/_shared.js +246 -0
package/dist/tools/builtins/_shared.js.map +1 -0
package/dist/tools/builtins/ask-user-question.d.ts +27 -0
package/dist/tools/builtins/ask-user-question.d.ts.map +1 -0
package/dist/tools/builtins/ask-user-question.js +191 -0
package/dist/tools/builtins/ask-user-question.js.map +1 -0
package/dist/tools/builtins/bash.d.ts +3 -0
package/dist/tools/builtins/bash.d.ts.map +1 -0
package/dist/tools/builtins/bash.js +158 -0
package/dist/tools/builtins/bash.js.map +1 -0
package/dist/tools/builtins/diff.d.ts +3 -0
package/dist/tools/builtins/diff.d.ts.map +1 -0
package/dist/tools/builtins/diff.js +83 -0
package/dist/tools/builtins/diff.js.map +1 -0
package/dist/tools/builtins/edit.d.ts +3 -0
package/dist/tools/builtins/edit.d.ts.map +1 -0
package/dist/tools/builtins/edit.js +40 -0
package/dist/tools/builtins/edit.js.map +1 -0
package/dist/tools/builtins/glob.d.ts +3 -0
package/dist/tools/builtins/glob.d.ts.map +1 -0
package/dist/tools/builtins/glob.js +37 -0
package/dist/tools/builtins/glob.js.map +1 -0
package/dist/tools/builtins/grep.d.ts +3 -0
package/dist/tools/builtins/grep.d.ts.map +1 -0
package/dist/tools/builtins/grep.js +81 -0
package/dist/tools/builtins/grep.js.map +1 -0
package/dist/tools/builtins/lsp.d.ts +3 -0
package/dist/tools/builtins/lsp.d.ts.map +1 -0
package/dist/tools/builtins/lsp.js +102 -0
package/dist/tools/builtins/lsp.js.map +1 -0
package/dist/tools/builtins/pty.d.ts +64 -0
package/dist/tools/builtins/pty.d.ts.map +1 -0
package/dist/tools/builtins/pty.js +536 -0
package/dist/tools/builtins/pty.js.map +1 -0
package/dist/tools/builtins/read.d.ts +3 -0
package/dist/tools/builtins/read.d.ts.map +1 -0
package/dist/tools/builtins/read.js +18 -0
package/dist/tools/builtins/read.js.map +1 -0
package/dist/tools/builtins/web-fetch.d.ts +4 -0
package/dist/tools/builtins/web-fetch.d.ts.map +1 -0
package/dist/tools/builtins/web-fetch.js +353 -0
package/dist/tools/builtins/web-fetch.js.map +1 -0
package/dist/tools/builtins/write.d.ts +3 -0
package/dist/tools/builtins/write.d.ts.map +1 -0
package/dist/tools/builtins/write.js +48 -0
package/dist/tools/builtins/write.js.map +1 -0
package/dist/tools/builtins.d.ts +9 -0
package/dist/tools/builtins.d.ts.map +1 -0
package/dist/tools/builtins.js +29 -0
package/dist/tools/builtins.js.map +1 -0
package/dist/tools/diff.d.ts +18 -0
package/dist/tools/diff.d.ts.map +1 -0
package/dist/tools/diff.js +57 -0
package/dist/tools/diff.js.map +1 -0
package/dist/tools/index.d.ts +10 -0
package/dist/tools/index.d.ts.map +1 -0
package/dist/tools/index.js +9 -0
package/dist/tools/index.js.map +1 -0
package/dist/tools/permission.d.ts +120 -0
package/dist/tools/permission.d.ts.map +1 -0
package/dist/tools/permission.js +208 -0
package/dist/tools/permission.js.map +1 -0
package/dist/tools/registry.d.ts +12 -0
package/dist/tools/registry.d.ts.map +1 -0
package/dist/tools/registry.js +19 -0
package/dist/tools/registry.js.map +1 -0
package/dist/tools/types.d.ts +244 -0
package/dist/tools/types.d.ts.map +1 -0
package/dist/tools/types.js +15 -0
package/dist/tools/types.js.map +1 -0
package/package.json +109 -0

package/dist/mcp/load-mcp-host.js ADDED Viewed

@@ -0,0 +1,49 @@
+/**
+ * (3.7) `loadMcpHost({withVault})` — boot-time factory for `McpHost` that
+ * lazily resolves `@chances-ai/local-vault` ONLY when the caller asks for
+ * a vault. Keeps the cold-start budget intact when no OAuth-configured
+ * MCP server is present (`apps/cli/src/boot/load-runtime.ts` passes
+ * `withVault: needsOAuth`).
+ *
+ * **Boundary decision (codex Round-1 NICE).** `apps/cli` MUST NOT import
+ * `@chances-ai/local-vault` directly — the only `app → local-vault` edge
+ * would force dependency-cruiser to permit a new boundary rule. Routing
+ * vault creation through this factory keeps the graph clean: only
+ * `@chances-ai/mcp` reaches into the vault package.
+ *
+ * **`bun build --compile` story.** The vault specifier is COMPUTED
+ * (`["@chances-ai", "local-vault"].join("/")`) so Bun's bundler doesn't
+ * statically resolve it. A binary built without `@chances-ai/local-vault`
+ * in node_modules still compiles cleanly — at runtime, the dynamic
+ * import fails, we log a clear diagnostic, and OAuth-configured MCP
+ * servers individually fail with the same diagnostic (the non-OAuth
+ * servers keep working). § 13.4 / § 16 of `docs/3.7-design.md` cover
+ * the five-permutation smoke gate that pins this property.
+ */
+import { McpHost } from "./host.js";
+export async function loadMcpHost(opts) {
+    let vault;
+    if (opts.withVault) {
+        const loader = opts.vaultLoader ?? defaultVaultLoader;
+        try {
+            vault = await loader();
+        }
+        catch (e) {
+            // Vault load failure isn't fatal — non-OAuth servers keep working,
+            // and OAuth servers will fail individually with a clear message
+            // inside `startServer`. We surface the load error here so admins
+            // see why the vault is missing.
+            opts.logger.warn(`mcp: local-vault init failed (${e.message}); OAuth MCP servers will be unavailable until resolved`);
+        }
+    }
+    return McpHost.start({ ...opts, vault });
+}
+async function defaultVaultLoader() {
+    // (7.1 Step 5) local-vault folded into @chances-ai/engine — always present, so
+    // a plain relative dynamic import. Still lazy: it defers loading the optional
+    // @napi-rs/keyring peer (which local-vault itself resolves via a computed
+    // specifier in keychain.ts), so `bun build --compile` stays clean without keyring.
+    const mod = (await import("../local-vault/index.js"));
+    return mod.createLocalVault();
+}
+//# sourceMappingURL=load-mcp-host.js.map

package/dist/mcp/load-mcp-host.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"load-mcp-host.js","sourceRoot":"","sources":["../../src/mcp/load-mcp-host.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AAEH,OAAO,EAAE,OAAO,EAA4C,MAAM,WAAW,CAAC;AAU9E,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,IAAwB;IACxD,IAAI,KAAiC,CAAC;IACtC,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;QACnB,MAAM,MAAM,GAAG,IAAI,CAAC,WAAW,IAAI,kBAAkB,CAAC;QACtD,IAAI,CAAC;YACH,KAAK,GAAG,MAAM,MAAM,EAAE,CAAC;QACzB,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,mEAAmE;YACnE,gEAAgE;YAChE,iEAAiE;YACjE,gCAAgC;YAChC,IAAI,CAAC,MAAM,CAAC,IAAI,CACd,iCAAkC,CAAW,CAAC,OAAO,yDAAyD,CAC/G,CAAC;QACJ,CAAC;IACH,CAAC;IACD,OAAO,OAAO,CAAC,KAAK,CAAC,EAAE,GAAG,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;AAC3C,CAAC;AAED,KAAK,UAAU,kBAAkB;IAC/B,+EAA+E;IAC/E,8EAA8E;IAC9E,0EAA0E;IAC1E,mFAAmF;IACnF,MAAM,GAAG,GAAG,CAAC,MAAM,MAAM,CAAC,yBAAyB,CAAC,CAEnD,CAAC;IACF,OAAO,GAAG,CAAC,gBAAgB,EAAE,CAAC;AAChC,CAAC"}

package/dist/mcp/oauth/callback-server.d.ts ADDED Viewed

@@ -0,0 +1,73 @@
+/**
+ * (3.7) Loopback HTTP listener for the OAuth authorization-code callback.
+ *
+ * Lifecycle:
+ *   1. `bind({preferredPort, allowFallback})` → reserves a port,
+ *      returns the loopback URL the caller registers as the redirect_uri.
+ *   2. `waitForCode({expectedState, timeoutMs, signal})` → resolves with
+ *      the auth code when a callback arrives whose `state` matches.
+ *   3. `close()` → shuts down the listener. Idempotent.
+ *
+ * **(codex Round-1 MUST-FIX #2)** OAuth `state` and PKCE `code_verifier`
+ * are independent: `state` travels in the browser redirect and is the
+ * CSRF binding; `code_verifier` stays in the chances process and goes
+ * to the token endpoint. We accept `expectedState` per-flow; the SDK
+ * generates and stores the verifier separately.
+ *
+ * **(codex Round-1 MUST-FIX #3)** Manual mode reuses the same loopback
+ * URL as a registered redirect_uri but never binds — see `register-only`
+ * mode in `bind()`.
+ *
+ * **(codex Round-1 SHOULD-FIX Q8)** Response carries strict CSP +
+ * `X-Content-Type-Options: nosniff` so a future contributor who adds
+ * dynamic content can't introduce an XSS sink.
+ *
+ * **(codex Round-1 SHOULD-FIX)** Default port is OS-assigned via
+ * `bind(0)` — accepts any unprivileged port. Fixed 3118 fallback ONLY
+ * if `bind(0)` itself fails (rare). RFC 8252 §7.3.
+ */
+export interface BindOptions {
+    /** Explicit port from config (`auth.callbackPort` or env override).
+     *  When set, port-fallback is DISABLED (exact-URI-match per oh-my-pi
+     *  commit c246d88db). */
+    preferredPort?: number;
+    /** When false, this is "register-only" mode — manual flow. We compute
+     *  the URL but do NOT bind a listener. */
+    bindListener: boolean;
+}
+export interface WaitForCodeOptions {
+    /** The state value we expect to see echoed back. */
+    expectedState: string;
+    /** Timeout in ms. Default 300_000 (5 min). */
+    timeoutMs?: number;
+    /** Optional caller-provided abort signal (e.g. user Ctrl-C). */
+    signal?: AbortSignal;
+}
+export interface CallbackResult {
+    /** The OAuth authorization code from the callback URL. */
+    code: string;
+}
+export declare class LoopbackCallbackServer {
+    private server;
+    private resolvedPort;
+    private pending;
+    private closed;
+    /** Resolved redirect URL. Throws when `bind()` hasn't run. */
+    get redirectUrl(): URL;
+    bind(opts: BindOptions): Promise<URL>;
+    /** Bind a listener on the given port. Resolves with the actual port
+     *  (may differ from the request when port=0). */
+    private bindServerOn;
+    waitForCode(opts: WaitForCodeOptions): Promise<CallbackResult>;
+    /** Parses a manually-pasted callback URL (manual mode, § 6.5).
+     *  Validates state internally. */
+    parseManualCallback(pastedUrl: string, expectedState: string): CallbackResult;
+    close(): Promise<void>;
+    /** Test seam — the resolved port after bind(). Undefined before bind. */
+    get port(): number | undefined;
+    private handleRequest;
+    private sendSuccess;
+    private sendError;
+    private writeWithCsp;
+}
+//# sourceMappingURL=callback-server.d.ts.map

package/dist/mcp/oauth/callback-server.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"callback-server.d.ts","sourceRoot":"","sources":["../../../src/mcp/oauth/callback-server.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AAOH,MAAM,WAAW,WAAW;IAC1B;;6BAEyB;IACzB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB;8CAC0C;IAC1C,YAAY,EAAE,OAAO,CAAC;CACvB;AAED,MAAM,WAAW,kBAAkB;IACjC,oDAAoD;IACpD,aAAa,EAAE,MAAM,CAAC;IACtB,8CAA8C;IAC9C,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,gEAAgE;IAChE,MAAM,CAAC,EAAE,WAAW,CAAC;CACtB;AAED,MAAM,WAAW,cAAc;IAC7B,0DAA0D;IAC1D,IAAI,EAAE,MAAM,CAAC;CACd;AAED,qBAAa,sBAAsB;IACjC,OAAO,CAAC,MAAM,CAAqB;IACnC,OAAO,CAAC,YAAY,CAAqB;IACzC,OAAO,CAAC,OAAO,CAED;IACd,OAAO,CAAC,MAAM,CAAS;IAEvB,8DAA8D;IAC9D,IAAI,WAAW,IAAI,GAAG,CAKrB;IAEK,IAAI,CAAC,IAAI,EAAE,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC;IAyC3C;qDACiD;IACjD,OAAO,CAAC,YAAY;IAiBd,WAAW,CAAC,IAAI,EAAE,kBAAkB,GAAG,OAAO,CAAC,cAAc,CAAC;IAsDpE;sCACkC;IAClC,mBAAmB,CAAC,SAAS,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,GAAG,cAAc;IAyBvE,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAgB5B,yEAAyE;IACzE,IAAI,IAAI,IAAI,MAAM,GAAG,SAAS,CAE7B;IAED,OAAO,CAAC,aAAa;IAyCrB,OAAO,CAAC,WAAW;IAKnB,OAAO,CAAC,SAAS;IAMjB,OAAO,CAAC,YAAY;CASrB"}

package/dist/mcp/oauth/callback-server.js ADDED Viewed

@@ -0,0 +1,280 @@
+/**
+ * (3.7) Loopback HTTP listener for the OAuth authorization-code callback.
+ *
+ * Lifecycle:
+ *   1. `bind({preferredPort, allowFallback})` → reserves a port,
+ *      returns the loopback URL the caller registers as the redirect_uri.
+ *   2. `waitForCode({expectedState, timeoutMs, signal})` → resolves with
+ *      the auth code when a callback arrives whose `state` matches.
+ *   3. `close()` → shuts down the listener. Idempotent.
+ *
+ * **(codex Round-1 MUST-FIX #2)** OAuth `state` and PKCE `code_verifier`
+ * are independent: `state` travels in the browser redirect and is the
+ * CSRF binding; `code_verifier` stays in the chances process and goes
+ * to the token endpoint. We accept `expectedState` per-flow; the SDK
+ * generates and stores the verifier separately.
+ *
+ * **(codex Round-1 MUST-FIX #3)** Manual mode reuses the same loopback
+ * URL as a registered redirect_uri but never binds — see `register-only`
+ * mode in `bind()`.
+ *
+ * **(codex Round-1 SHOULD-FIX Q8)** Response carries strict CSP +
+ * `X-Content-Type-Options: nosniff` so a future contributor who adds
+ * dynamic content can't introduce an XSS sink.
+ *
+ * **(codex Round-1 SHOULD-FIX)** Default port is OS-assigned via
+ * `bind(0)` — accepts any unprivileged port. Fixed 3118 fallback ONLY
+ * if `bind(0)` itself fails (rare). RFC 8252 §7.3.
+ */
+import { createServer } from "node:http";
+const FALLBACK_PORT = 3118;
+const LOOPBACK_HOST = "127.0.0.1";
+export class LoopbackCallbackServer {
+    server;
+    resolvedPort;
+    pending;
+    closed = false;
+    /** Resolved redirect URL. Throws when `bind()` hasn't run. */
+    get redirectUrl() {
+        if (this.resolvedPort === undefined) {
+            throw new Error("LoopbackCallbackServer: bind() not called");
+        }
+        return new URL(`http://${LOOPBACK_HOST}:${this.resolvedPort}/callback`);
+    }
+    async bind(opts) {
+        if (this.resolvedPort !== undefined) {
+            throw new Error("LoopbackCallbackServer: already bound");
+        }
+        if (opts.preferredPort !== undefined) {
+            // Explicit port — bind exactly or fail. No fallback.
+            this.resolvedPort = opts.preferredPort;
+            if (opts.bindListener) {
+                await this.bindServerOn(opts.preferredPort, /*fallbackOnFail=*/ false);
+            }
+            return this.redirectUrl;
+        }
+        // Default: bind(0) — let the OS assign an unprivileged port.
+        if (opts.bindListener) {
+            try {
+                const port = await this.bindServerOn(0, /*fallbackOnFail=*/ false);
+                this.resolvedPort = port;
+            }
+            catch (e0) {
+                // Rare: OS refused to assign. Try fixed 3118.
+                try {
+                    await this.bindServerOn(FALLBACK_PORT, /*fallbackOnFail=*/ false);
+                    this.resolvedPort = FALLBACK_PORT;
+                }
+                catch (e1) {
+                    throw new Error(`LoopbackCallbackServer: could not bind any loopback port. ` +
+                        `bind(0) failed: ${e0.message}. ` +
+                        `Fallback ${FALLBACK_PORT} failed: ${e1.message}.`);
+                }
+            }
+        }
+        else {
+            // Register-only (manual mode): just pick a port without binding.
+            // Use fallback so the user has a stable URL to register with the
+            // IdP; not binding means another flow can reuse it.
+            this.resolvedPort = FALLBACK_PORT;
+        }
+        return this.redirectUrl;
+    }
+    /** Bind a listener on the given port. Resolves with the actual port
+     *  (may differ from the request when port=0). */
+    bindServerOn(port, _fallbackOnFail) {
+        return new Promise((resolve, reject) => {
+            const server = createServer((req, res) => this.handleRequest(req, res));
+            server.on("error", (err) => reject(err));
+            server.listen(port, LOOPBACK_HOST, () => {
+                const addr = server.address();
+                if (addr === null || typeof addr === "string") {
+                    server.close();
+                    reject(new Error(`unexpected listen address shape: ${addr}`));
+                    return;
+                }
+                this.server = server;
+                resolve(addr.port);
+            });
+        });
+    }
+    async waitForCode(opts) {
+        if (this.server === undefined) {
+            throw new Error("LoopbackCallbackServer: waitForCode requires a bound listener (manual mode uses parseManualCallback)");
+        }
+        if (this.pending) {
+            throw new Error("LoopbackCallbackServer: a previous waitForCode is still in flight");
+        }
+        const timeoutMs = opts.timeoutMs ?? 300_000;
+        return new Promise((resolve, reject) => {
+            this.pending = { resolve, reject, expectedState: opts.expectedState };
+            const timer = setTimeout(() => {
+                if (this.pending) {
+                    const p = this.pending;
+                    this.pending = undefined;
+                    // (codex Round-2 SHOULD-FIX #4) Free the port on timeout — the
+                    // design (§ 6.4) requires close-on-timeout, and a held-open
+                    // listener after a 5-minute timeout would block the next
+                    // /mcp login from binding the same port.
+                    void this.close().catch(() => undefined);
+                    p.reject(new Error("OAuth callback timed out — close the browser window and retry."));
+                }
+            }, timeoutMs);
+            // Honor abort signal — caller's Ctrl-C / `/mcp logout` etc.
+            const onAbort = () => {
+                if (this.pending) {
+                    const p = this.pending;
+                    this.pending = undefined;
+                    clearTimeout(timer);
+                    void this.close().catch(() => undefined);
+                    p.reject(new Error("OAuth callback aborted"));
+                }
+            };
+            if (opts.signal) {
+                if (opts.signal.aborted) {
+                    onAbort();
+                }
+                else {
+                    opts.signal.addEventListener("abort", onAbort, { once: true });
+                }
+            }
+            // Wrap resolve/reject so they also clear the timer.
+            const origResolve = resolve;
+            const origReject = reject;
+            this.pending.resolve = (r) => {
+                clearTimeout(timer);
+                origResolve(r);
+            };
+            this.pending.reject = (e) => {
+                clearTimeout(timer);
+                origReject(e);
+            };
+        });
+    }
+    /** Parses a manually-pasted callback URL (manual mode, § 6.5).
+     *  Validates state internally. */
+    parseManualCallback(pastedUrl, expectedState) {
+        let url;
+        try {
+            url = new URL(pastedUrl);
+        }
+        catch {
+            throw new Error("OAuth manual mode: pasted value is not a valid URL");
+        }
+        if (url.protocol !== "http:" || (url.hostname !== LOOPBACK_HOST && url.hostname.toLowerCase() !== "localhost" && url.hostname !== "[::1]")) {
+            throw new Error("OAuth manual mode: pasted URL must be the loopback redirect (http://127.0.0.1:...)");
+        }
+        const error = url.searchParams.get("error");
+        if (error !== null) {
+            const desc = url.searchParams.get("error_description") ?? "";
+            throw new Error(`OAuth authorization denied: ${error}${desc ? ` — ${desc}` : ""}`);
+        }
+        const code = url.searchParams.get("code");
+        const state = url.searchParams.get("state");
+        if (code === null)
+            throw new Error("OAuth manual mode: pasted URL is missing the 'code' query parameter");
+        if (state === null)
+            throw new Error("OAuth manual mode: pasted URL is missing the 'state' query parameter");
+        if (!constantTimeEqual(state, expectedState)) {
+            throw new Error("OAuth manual mode: state mismatch (CSRF guard) — abandoned flow or copy/paste error");
+        }
+        return { code };
+    }
+    async close() {
+        if (this.closed)
+            return;
+        this.closed = true;
+        if (this.pending) {
+            const p = this.pending;
+            this.pending = undefined;
+            p.reject(new Error("OAuth callback server closed"));
+        }
+        if (this.server) {
+            await new Promise((resolve) => {
+                this.server.close(() => resolve());
+            });
+            this.server = undefined;
+        }
+    }
+    /** Test seam — the resolved port after bind(). Undefined before bind. */
+    get port() {
+        return this.resolvedPort;
+    }
+    handleRequest(req, res) {
+        if (!req.url) {
+            this.sendError(res, 400, "Bad Request");
+            return;
+        }
+        const url = new URL(req.url, `http://${LOOPBACK_HOST}:${this.resolvedPort}`);
+        if (url.pathname !== "/callback") {
+            this.sendError(res, 404, "Not Found");
+            return;
+        }
+        const error = url.searchParams.get("error");
+        if (error !== null) {
+            const desc = url.searchParams.get("error_description") ?? "";
+            this.sendError(res, 200, "Authorization denied", `Authorization denied: ${escapeHtml(error)}${desc ? ` — ${escapeHtml(desc)}` : ""}`);
+            if (this.pending) {
+                const p = this.pending;
+                this.pending = undefined;
+                p.reject(new Error(`OAuth authorization denied: ${error}${desc ? ` — ${desc}` : ""}`));
+            }
+            return;
+        }
+        const code = url.searchParams.get("code");
+        const state = url.searchParams.get("state");
+        if (code === null || state === null) {
+            this.sendError(res, 400, "Bad Request", "Callback is missing required parameters.");
+            return;
+        }
+        // codex Round-1 MUST-FIX #2 — state vs verifier. Constant-time
+        // compare to defend against timing oracles.
+        if (!this.pending || !constantTimeEqual(state, this.pending.expectedState)) {
+            this.sendError(res, 400, "Bad Request", "Callback state mismatch.");
+            // Don't disclose what state was expected.
+            return;
+        }
+        // Success path.
+        this.sendSuccess(res);
+        const p = this.pending;
+        this.pending = undefined;
+        p.resolve({ code });
+    }
+    sendSuccess(res) {
+        const body = `<!doctype html><html><head><meta charset="utf-8"><title>chances · OAuth</title></head><body style="font-family:system-ui,sans-serif;padding:2rem"><h1>Authorization complete</h1><p>You can close this tab.</p></body></html>`;
+        this.writeWithCsp(res, 200, "text/html; charset=utf-8", body);
+    }
+    sendError(res, status, _label, body) {
+        const safe = body ?? "OAuth callback error.";
+        const html = `<!doctype html><html><head><meta charset="utf-8"><title>chances · OAuth</title></head><body style="font-family:system-ui,sans-serif;padding:2rem"><h1>OAuth callback error</h1><p>${escapeHtml(safe)}</p></body></html>`;
+        this.writeWithCsp(res, status, "text/html; charset=utf-8", html);
+    }
+    writeWithCsp(res, status, contentType, body) {
+        res.statusCode = status;
+        res.setHeader("Content-Type", contentType);
+        res.setHeader("Content-Security-Policy", "default-src 'none'; base-uri 'none'; frame-ancestors 'none'");
+        res.setHeader("X-Content-Type-Options", "nosniff");
+        res.setHeader("Cache-Control", "no-store");
+        res.setHeader("Referrer-Policy", "no-referrer");
+        res.end(body);
+    }
+}
+function escapeHtml(s) {
+    return s
+        .replace(/&/g, "&amp;")
+        .replace(/</g, "&lt;")
+        .replace(/>/g, "&gt;")
+        .replace(/"/g, "&quot;")
+        .replace(/'/g, "&#39;");
+}
+/** Length-then-content constant-time compare; safe against tiny strings. */
+function constantTimeEqual(a, b) {
+    if (a.length !== b.length)
+        return false;
+    let diff = 0;
+    for (let i = 0; i < a.length; i++) {
+        diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
+    }
+    return diff === 0;
+}
+//# sourceMappingURL=callback-server.js.map

package/dist/mcp/oauth/callback-server.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"callback-server.js","sourceRoot":"","sources":["../../../src/mcp/oauth/callback-server.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AAEH,OAAO,EAAE,YAAY,EAA0D,MAAM,WAAW,CAAC;AAEjG,MAAM,aAAa,GAAG,IAAI,CAAC;AAC3B,MAAM,aAAa,GAAG,WAAW,CAAC;AA0BlC,MAAM,OAAO,sBAAsB;IACzB,MAAM,CAAqB;IAC3B,YAAY,CAAqB;IACjC,OAAO,CAED;IACN,MAAM,GAAG,KAAK,CAAC;IAEvB,8DAA8D;IAC9D,IAAI,WAAW;QACb,IAAI,IAAI,CAAC,YAAY,KAAK,SAAS,EAAE,CAAC;YACpC,MAAM,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAC;QAC/D,CAAC;QACD,OAAO,IAAI,GAAG,CAAC,UAAU,aAAa,IAAI,IAAI,CAAC,YAAY,WAAW,CAAC,CAAC;IAC1E,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,IAAiB;QAC1B,IAAI,IAAI,CAAC,YAAY,KAAK,SAAS,EAAE,CAAC;YACpC,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;QAC3D,CAAC;QAED,IAAI,IAAI,CAAC,aAAa,KAAK,SAAS,EAAE,CAAC;YACrC,qDAAqD;YACrD,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC,aAAa,CAAC;YACvC,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;gBACtB,MAAM,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,aAAa,EAAE,mBAAmB,CAAC,KAAK,CAAC,CAAC;YACzE,CAAC;YACD,OAAO,IAAI,CAAC,WAAW,CAAC;QAC1B,CAAC;QAED,6DAA6D;QAC7D,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;YACtB,IAAI,CAAC;gBACH,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,CAAC,EAAE,mBAAmB,CAAC,KAAK,CAAC,CAAC;gBACnE,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC;YAC3B,CAAC;YAAC,OAAO,EAAE,EAAE,CAAC;gBACZ,8CAA8C;gBAC9C,IAAI,CAAC;oBACH,MAAM,IAAI,CAAC,YAAY,CAAC,aAAa,EAAE,mBAAmB,CAAC,KAAK,CAAC,CAAC;oBAClE,IAAI,CAAC,YAAY,GAAG,aAAa,CAAC;gBACpC,CAAC;gBAAC,OAAO,EAAE,EAAE,CAAC;oBACZ,MAAM,IAAI,KAAK,CACb,4DAA4D;wBAC1D,mBAAoB,EAAY,CAAC,OAAO,IAAI;wBAC5C,YAAY,aAAa,YAAa,EAAY,CAAC,OAAO,GAAG,CAChE,CAAC;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;aAAM,CAAC;YACN,iEAAiE;YACjE,iEAAiE;YACjE,oDAAoD;YACpD,IAAI,CAAC,YAAY,GAAG,aAAa,CAAC;QACpC,CAAC;QACD,OAAO,IAAI,CAAC,WAAW,CAAC;IAC1B,CAAC;IAED;qDACiD;IACzC,YAAY,CAAC,IAAY,EAAE,eAAwB;QACzD,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YACrC,MAAM,MAAM,GAAG,YAAY,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,CAAC,IAAI,CAAC,aAAa,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC;YACxE,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;YACzC,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,aAAa,EAAE,GAAG,EAAE;gBACtC,MAAM,IAAI,GAAG,MAAM,CAAC,OAAO,EAAE,CAAC;gBAC9B,IAAI,IAAI,KAAK,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;oBAC9C,MAAM,CAAC,KAAK,EAAE,CAAC;oBACf,MAAM,CAAC,IAAI,KAAK,CAAC,oCAAoC,IAAI,EAAE,CAAC,CAAC,CAAC;oBAC9D,OAAO;gBACT,CAAC;gBACD,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;gBACrB,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACrB,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,IAAwB;QACxC,IAAI,IAAI,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;YAC9B,MAAM,IAAI,KAAK,CAAC,sGAAsG,CAAC,CAAC;QAC1H,CAAC;QACD,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,mEAAmE,CAAC,CAAC;QACvF,CAAC;QACD,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,OAAO,CAAC;QAE5C,OAAO,IAAI,OAAO,CAAiB,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YACrD,IAAI,CAAC,OAAO,GAAG,EAAE,OAAO,EAAE,MAAM,EAAE,aAAa,EAAE,IAAI,CAAC,aAAa,EAAE,CAAC;YACtE,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE;gBAC5B,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;oBACjB,MAAM,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC;oBACvB,IAAI,CAAC,OAAO,GAAG,SAAS,CAAC;oBACzB,+DAA+D;oBAC/D,4DAA4D;oBAC5D,yDAAyD;oBACzD,yCAAyC;oBACzC,KAAK,IAAI,CAAC,KAAK,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,CAAC;oBACzC,CAAC,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,gEAAgE,CAAC,CAAC,CAAC;gBACxF,CAAC;YACH,CAAC,EAAE,SAAS,CAAC,CAAC;YACd,4DAA4D;YAC5D,MAAM,OAAO,GAAG,GAAG,EAAE;gBACnB,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;oBACjB,MAAM,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC;oBACvB,IAAI,CAAC,OAAO,GAAG,SAAS,CAAC;oBACzB,YAAY,CAAC,KAAK,CAAC,CAAC;oBACpB,KAAK,IAAI,CAAC,KAAK,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,CAAC;oBACzC,CAAC,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,wBAAwB,CAAC,CAAC,CAAC;gBAChD,CAAC;YACH,CAAC,CAAC;YACF,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;gBAChB,IAAI,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;oBACxB,OAAO,EAAE,CAAC;gBACZ,CAAC;qBAAM,CAAC;oBACN,IAAI,CAAC,MAAM,CAAC,gBAAgB,CAAC,OAAO,EAAE,OAAO,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC;gBACjE,CAAC;YACH,CAAC;YACD,oDAAoD;YACpD,MAAM,WAAW,GAAG,OAAO,CAAC;YAC5B,MAAM,UAAU,GAAG,MAAM,CAAC;YAC1B,IAAI,CAAC,OAAO,CAAC,OAAO,GAAG,CAAC,CAAC,EAAE,EAAE;gBAC3B,YAAY,CAAC,KAAK,CAAC,CAAC;gBACpB,WAAW,CAAC,CAAC,CAAC,CAAC;YACjB,CAAC,CAAC;YACF,IAAI,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC,EAAE,EAAE;gBAC1B,YAAY,CAAC,KAAK,CAAC,CAAC;gBACpB,UAAU,CAAC,CAAC,CAAC,CAAC;YAChB,CAAC,CAAC;QACJ,CAAC,CAAC,CAAC;IACL,CAAC;IAED;sCACkC;IAClC,mBAAmB,CAAC,SAAiB,EAAE,aAAqB;QAC1D,IAAI,GAAQ,CAAC;QACb,IAAI,CAAC;YACH,GAAG,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC;QAC3B,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,IAAI,KAAK,CAAC,oDAAoD,CAAC,CAAC;QACxE,CAAC;QACD,IAAI,GAAG,CAAC,QAAQ,KAAK,OAAO,IAAI,CAAC,GAAG,CAAC,QAAQ,KAAK,aAAa,IAAI,GAAG,CAAC,QAAQ,CAAC,WAAW,EAAE,KAAK,WAAW,IAAI,GAAG,CAAC,QAAQ,KAAK,OAAO,CAAC,EAAE,CAAC;YAC3I,MAAM,IAAI,KAAK,CAAC,oFAAoF,CAAC,CAAC;QACxG,CAAC;QACD,MAAM,KAAK,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAC5C,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;YACnB,MAAM,IAAI,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,mBAAmB,CAAC,IAAI,EAAE,CAAC;YAC7D,MAAM,IAAI,KAAK,CAAC,+BAA+B,KAAK,GAAG,IAAI,CAAC,CAAC,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QACrF,CAAC;QACD,MAAM,IAAI,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAC1C,MAAM,KAAK,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAC5C,IAAI,IAAI,KAAK,IAAI;YAAE,MAAM,IAAI,KAAK,CAAC,qEAAqE,CAAC,CAAC;QAC1G,IAAI,KAAK,KAAK,IAAI;YAAE,MAAM,IAAI,KAAK,CAAC,sEAAsE,CAAC,CAAC;QAC5G,IAAI,CAAC,iBAAiB,CAAC,KAAK,EAAE,aAAa,CAAC,EAAE,CAAC;YAC7C,MAAM,IAAI,KAAK,CAAC,qFAAqF,CAAC,CAAC;QACzG,CAAC;QACD,OAAO,EAAE,IAAI,EAAE,CAAC;IAClB,CAAC;IAED,KAAK,CAAC,KAAK;QACT,IAAI,IAAI,CAAC,MAAM;YAAE,OAAO;QACxB,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC;QACnB,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YACjB,MAAM,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC;YACvB,IAAI,CAAC,OAAO,GAAG,SAAS,CAAC;YACzB,CAAC,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAC,CAAC;QACtD,CAAC;QACD,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChB,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,EAAE;gBAClC,IAAI,CAAC,MAAO,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC,CAAC;YACtC,CAAC,CAAC,CAAC;YACH,IAAI,CAAC,MAAM,GAAG,SAAS,CAAC;QAC1B,CAAC;IACH,CAAC;IAED,yEAAyE;IACzE,IAAI,IAAI;QACN,OAAO,IAAI,CAAC,YAAY,CAAC;IAC3B,CAAC;IAEO,aAAa,CAAC,GAAoB,EAAE,GAAmB;QAC7D,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC;YACb,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,GAAG,EAAE,aAAa,CAAC,CAAC;YACxC,OAAO;QACT,CAAC;QACD,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,EAAE,UAAU,aAAa,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC,CAAC;QAC7E,IAAI,GAAG,CAAC,QAAQ,KAAK,WAAW,EAAE,CAAC;YACjC,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,GAAG,EAAE,WAAW,CAAC,CAAC;YACtC,OAAO;QACT,CAAC;QACD,MAAM,KAAK,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAC5C,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;YACnB,MAAM,IAAI,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,mBAAmB,CAAC,IAAI,EAAE,CAAC;YAC7D,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,GAAG,EAAE,sBAAsB,EAAE,yBAAyB,UAAU,CAAC,KAAK,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,MAAM,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YACtI,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;gBACjB,MAAM,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC;gBACvB,IAAI,CAAC,OAAO,GAAG,SAAS,CAAC;gBACzB,CAAC,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,+BAA+B,KAAK,GAAG,IAAI,CAAC,CAAC,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;YACzF,CAAC;YACD,OAAO;QACT,CAAC;QACD,MAAM,IAAI,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAC1C,MAAM,KAAK,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAC5C,IAAI,IAAI,KAAK,IAAI,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;YACpC,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,GAAG,EAAE,aAAa,EAAE,0CAA0C,CAAC,CAAC;YACpF,OAAO;QACT,CAAC;QACD,+DAA+D;QAC/D,4CAA4C;QAC5C,IAAI,CAAC,IAAI,CAAC,OAAO,IAAI,CAAC,iBAAiB,CAAC,KAAK,EAAE,IAAI,CAAC,OAAO,CAAC,aAAa,CAAC,EAAE,CAAC;YAC3E,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,GAAG,EAAE,aAAa,EAAE,0BAA0B,CAAC,CAAC;YACpE,0CAA0C;YAC1C,OAAO;QACT,CAAC;QACD,gBAAgB;QAChB,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;QACtB,MAAM,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC;QACvB,IAAI,CAAC,OAAO,GAAG,SAAS,CAAC;QACzB,CAAC,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC;IACtB,CAAC;IAEO,WAAW,CAAC,GAAmB;QACrC,MAAM,IAAI,GAAG,+NAA+N,CAAC;QAC7O,IAAI,CAAC,YAAY,CAAC,GAAG,EAAE,GAAG,EAAE,0BAA0B,EAAE,IAAI,CAAC,CAAC;IAChE,CAAC;IAEO,SAAS,CAAC,GAAmB,EAAE,MAAc,EAAE,MAAc,EAAE,IAAa;QAClF,MAAM,IAAI,GAAG,IAAI,IAAI,uBAAuB,CAAC;QAC7C,MAAM,IAAI,GAAG,qLAAqL,UAAU,CAAC,IAAI,CAAC,oBAAoB,CAAC;QACvO,IAAI,CAAC,YAAY,CAAC,GAAG,EAAE,MAAM,EAAE,0BAA0B,EAAE,IAAI,CAAC,CAAC;IACnE,CAAC;IAEO,YAAY,CAAC,GAAmB,EAAE,MAAc,EAAE,WAAmB,EAAE,IAAY;QACzF,GAAG,CAAC,UAAU,GAAG,MAAM,CAAC;QACxB,GAAG,CAAC,SAAS,CAAC,cAAc,EAAE,WAAW,CAAC,CAAC;QAC3C,GAAG,CAAC,SAAS,CAAC,yBAAyB,EAAE,6DAA6D,CAAC,CAAC;QACxG,GAAG,CAAC,SAAS,CAAC,wBAAwB,EAAE,SAAS,CAAC,CAAC;QACnD,GAAG,CAAC,SAAS,CAAC,eAAe,EAAE,UAAU,CAAC,CAAC;QAC3C,GAAG,CAAC,SAAS,CAAC,iBAAiB,EAAE,aAAa,CAAC,CAAC;QAChD,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAChB,CAAC;CACF;AAED,SAAS,UAAU,CAAC,CAAS;IAC3B,OAAO,CAAC;SACL,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC;SACtB,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC;SACrB,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC;SACrB,OAAO,CAAC,IAAI,EAAE,QAAQ,CAAC;SACvB,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;AAC5B,CAAC;AAED,4EAA4E;AAC5E,SAAS,iBAAiB,CAAC,CAAS,EAAE,CAAS;IAC7C,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IACxC,IAAI,IAAI,GAAG,CAAC,CAAC;IACb,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAClC,IAAI,IAAI,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IAC5C,CAAC;IACD,OAAO,IAAI,KAAK,CAAC,CAAC;AACpB,CAAC"}

package/dist/mcp/oauth/config-hash.d.ts ADDED Viewed

@@ -0,0 +1,24 @@
+/**
+ * (3.7) Deterministic config hash for vault key derivation.
+ *
+ * Vault keys are `mcp-oauth|<serverName>|<configHash16>` so that:
+ *   - Changing the server URL invalidates the stored tokens (you'd
+ *     otherwise authenticate against the wrong server).
+ *   - Changing `auth.scopes` invalidates them (need a new consent
+ *     screen).
+ *   - Cosmetic changes (header order, URL trailing slashes, scope
+ *     ordering) do NOT invalidate — same logical config = same hash.
+ *
+ * Per claude-code's `auth.ts:325-341` pattern. Hash is sha256, kept
+ * to 16 hex chars (8 bytes) — enough entropy to distinguish unrelated
+ * configs but short enough to remain readable in diagnostics.
+ */
+import type { HttpMcpConfig } from "../types.js";
+/**
+ * Computes the stable hash for an OAuth-configured HTTP server entry.
+ * Throws if the server isn't OAuth-configured (caller's bug).
+ */
+export declare function makeConfigHash(config: HttpMcpConfig): string;
+/** Convenience: full vault key for an OAuth-configured server. */
+export declare function makeVaultKey(serverName: string, config: HttpMcpConfig): string;
+//# sourceMappingURL=config-hash.d.ts.map

package/dist/mcp/oauth/config-hash.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"config-hash.d.ts","sourceRoot":"","sources":["../../../src/mcp/oauth/config-hash.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAGH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAIjD;;;GAGG;AACH,wBAAgB,cAAc,CAAC,MAAM,EAAE,aAAa,GAAG,MAAM,CA6B5D;AAED,kEAAkE;AAClE,wBAAgB,YAAY,CAAC,UAAU,EAAE,MAAM,EAAE,MAAM,EAAE,aAAa,GAAG,MAAM,CAE9E"}

package/dist/mcp/oauth/config-hash.js ADDED Viewed

@@ -0,0 +1,55 @@
+/**
+ * (3.7) Deterministic config hash for vault key derivation.
+ *
+ * Vault keys are `mcp-oauth|<serverName>|<configHash16>` so that:
+ *   - Changing the server URL invalidates the stored tokens (you'd
+ *     otherwise authenticate against the wrong server).
+ *   - Changing `auth.scopes` invalidates them (need a new consent
+ *     screen).
+ *   - Cosmetic changes (header order, URL trailing slashes, scope
+ *     ordering) do NOT invalidate — same logical config = same hash.
+ *
+ * Per claude-code's `auth.ts:325-341` pattern. Hash is sha256, kept
+ * to 16 hex chars (8 bytes) — enough entropy to distinguish unrelated
+ * configs but short enough to remain readable in diagnostics.
+ */
+import { createHash } from "node:crypto";
+const HASH_LEN_HEX = 16;
+/**
+ * Computes the stable hash for an OAuth-configured HTTP server entry.
+ * Throws if the server isn't OAuth-configured (caller's bug).
+ */
+export function makeConfigHash(config) {
+    if (config.type !== "http" || !config.auth || config.auth.kind !== "oauth") {
+        throw new Error("makeConfigHash: server is not OAuth-configured");
+    }
+    // Normalise URL: trim trailing slashes, lowercase host. Path-case
+    // and query stay as-is (some IdPs are path-sensitive).
+    let url;
+    try {
+        url = new URL(config.url);
+    }
+    catch {
+        // If the URL isn't parseable, hash the raw string — caller's
+        // parse.ts would have rejected before reaching us, but be defensive.
+        return createHash("sha256").update(config.url).digest("hex").slice(0, HASH_LEN_HEX);
+    }
+    const normalisedUrl = `${url.protocol}//${url.host.toLowerCase()}${url.pathname.replace(/\/+$/, "")}${url.search}`;
+    // Canonical scope list: dedup + sort.
+    const scopes = config.auth.scopes ? [...new Set(config.auth.scopes)].sort() : [];
+    // Stable JSON: only fields that affect IdP-side identity.
+    const stable = {
+        url: normalisedUrl,
+        authServerMetadataUrl: config.auth.authServerMetadataUrl ?? null,
+        clientId: config.auth.clientId ?? null,
+        clientSecret: config.auth.clientSecret ?? null,
+        scopes,
+        callbackPort: config.auth.callbackPort ?? null,
+    };
+    return createHash("sha256").update(JSON.stringify(stable)).digest("hex").slice(0, HASH_LEN_HEX);
+}
+/** Convenience: full vault key for an OAuth-configured server. */
+export function makeVaultKey(serverName, config) {
+    return `mcp-oauth|${serverName}|${makeConfigHash(config)}`;
+}
+//# sourceMappingURL=config-hash.js.map

package/dist/mcp/oauth/config-hash.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"config-hash.js","sourceRoot":"","sources":["../../../src/mcp/oauth/config-hash.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAGzC,MAAM,YAAY,GAAG,EAAE,CAAC;AAExB;;;GAGG;AACH,MAAM,UAAU,cAAc,CAAC,MAAqB;IAClD,IAAI,MAAM,CAAC,IAAI,KAAK,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,IAAI,MAAM,CAAC,IAAI,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;QAC3E,MAAM,IAAI,KAAK,CAAC,gDAAgD,CAAC,CAAC;IACpE,CAAC;IACD,kEAAkE;IAClE,uDAAuD;IACvD,IAAI,GAAQ,CAAC;IACb,IAAI,CAAC;QACH,GAAG,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IAC5B,CAAC;IAAC,MAAM,CAAC;QACP,6DAA6D;QAC7D,qEAAqE;QACrE,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC;IACtF,CAAC;IACD,MAAM,aAAa,GAAG,GAAG,GAAG,CAAC,QAAQ,KAAK,GAAG,CAAC,IAAI,CAAC,WAAW,EAAE,GAAG,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC;IAEnH,sCAAsC;IACtC,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;IAEjF,0DAA0D;IAC1D,MAAM,MAAM,GAAG;QACb,GAAG,EAAE,aAAa;QAClB,qBAAqB,EAAE,MAAM,CAAC,IAAI,CAAC,qBAAqB,IAAI,IAAI;QAChE,QAAQ,EAAE,MAAM,CAAC,IAAI,CAAC,QAAQ,IAAI,IAAI;QACtC,YAAY,EAAE,MAAM,CAAC,IAAI,CAAC,YAAY,IAAI,IAAI;QAC9C,MAAM;QACN,YAAY,EAAE,MAAM,CAAC,IAAI,CAAC,YAAY,IAAI,IAAI;KAC/C,CAAC;IACF,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC;AAClG,CAAC;AAED,kEAAkE;AAClE,MAAM,UAAU,YAAY,CAAC,UAAkB,EAAE,MAAqB;IACpE,OAAO,aAAa,UAAU,IAAI,cAAc,CAAC,MAAM,CAAC,EAAE,CAAC;AAC7D,CAAC"}

package/dist/mcp/oauth/error-normalize.d.ts ADDED Viewed

@@ -0,0 +1,39 @@
+/**
+ * (3.7) Normalises non-RFC-6749 OAuth error responses.
+ *
+ * Some IdPs return HTTP 200 + JSON body with `{"ok": false, "error": ...}`
+ * instead of the RFC 6749 standard (HTTP 4xx + JSON body with
+ * `{"error": "...", "error_description": "..."}`). Slack is the
+ * canonical offender; claude-code's
+ * `services/mcp/auth.ts:157-190` has a `normalizeOAuthErrorBody()`
+ * helper for exactly this case.
+ *
+ * Without normalisation, the SDK's strict 4xx-based detection silently
+ * accepts the 200 response as success and downstream code is confused
+ * when the access_token field is missing.
+ */
+export interface NormalisedOAuthError {
+    /** RFC 6749 error code; defaults to `invalid_request` when unspecified. */
+    error: string;
+    /** Optional human-readable detail. Already control-stripped. */
+    errorDescription?: string;
+    /** Optional URI to a page with more info. */
+    errorUri?: string;
+}
+/**
+ * Inspects a `Response` (already-parsed JSON body) plus HTTP status
+ * code and returns:
+ *   - `{ ok: true }` when the response represents success;
+ *   - `{ ok: false, error }` when it represents an OAuth failure
+ *     (regardless of whether the HTTP status is 200 or 4xx).
+ */
+export declare function classifyOAuthResponse(status: number, body: unknown): {
+    ok: true;
+} | {
+    ok: false;
+    error: NormalisedOAuthError;
+};
+/** Returns true when an OAuth error is "definitive" — refresh will
+ *  never succeed without user intervention. */
+export declare function isDefinitiveOAuthError(err: NormalisedOAuthError): boolean;
+//# sourceMappingURL=error-normalize.d.ts.map

package/dist/mcp/oauth/error-normalize.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"error-normalize.d.ts","sourceRoot":"","sources":["../../../src/mcp/oauth/error-normalize.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,MAAM,WAAW,oBAAoB;IACnC,2EAA2E;IAC3E,KAAK,EAAE,MAAM,CAAC;IACd,gEAAgE;IAChE,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,6CAA6C;IAC7C,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AASD;;;;;;GAMG;AACH,wBAAgB,qBAAqB,CACnC,MAAM,EAAE,MAAM,EACd,IAAI,EAAE,OAAO,GACZ;IAAE,EAAE,EAAE,IAAI,CAAA;CAAE,GAAG;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,oBAAoB,CAAA;CAAE,CAmC3D;AA0BD;+CAC+C;AAC/C,wBAAgB,sBAAsB,CAAC,GAAG,EAAE,oBAAoB,GAAG,OAAO,CAEzE"}

package/dist/mcp/oauth/error-normalize.js ADDED Viewed

@@ -0,0 +1,91 @@
+/**
+ * (3.7) Normalises non-RFC-6749 OAuth error responses.
+ *
+ * Some IdPs return HTTP 200 + JSON body with `{"ok": false, "error": ...}`
+ * instead of the RFC 6749 standard (HTTP 4xx + JSON body with
+ * `{"error": "...", "error_description": "..."}`). Slack is the
+ * canonical offender; claude-code's
+ * `services/mcp/auth.ts:157-190` has a `normalizeOAuthErrorBody()`
+ * helper for exactly this case.
+ *
+ * Without normalisation, the SDK's strict 4xx-based detection silently
+ * accepts the 200 response as success and downstream code is confused
+ * when the access_token field is missing.
+ */
+/** Strip control chars from a string — defensive on attacker-controlled
+ *  error_description that might carry newlines/escapes. */
+function clean(s) {
+    if (s === undefined || s === null)
+        return undefined;
+    return s.replace(/[\x00-\x1F\x7F]+/g, " ").trim() || undefined;
+}
+/**
+ * Inspects a `Response` (already-parsed JSON body) plus HTTP status
+ * code and returns:
+ *   - `{ ok: true }` when the response represents success;
+ *   - `{ ok: false, error }` when it represents an OAuth failure
+ *     (regardless of whether the HTTP status is 200 or 4xx).
+ */
+export function classifyOAuthResponse(status, body) {
+    // RFC 6749: 4xx with JSON body containing `error`.
+    if (status >= 400 && status < 600) {
+        const err = extractRfc6749(body);
+        return { ok: false, error: err ?? { error: "server_error", errorDescription: `HTTP ${status}` } };
+    }
+    // Slack-style: 200 with `{ok: false, error: ...}`.
+    if (status >= 200 && status < 300) {
+        if (isObject(body) && body.ok === false && typeof body.error === "string") {
+            return {
+                ok: false,
+                error: {
+                    error: body.error,
+                    errorDescription: clean(typeof body.error_description === "string" ? body.error_description : undefined),
+                    errorUri: clean(typeof body.error_uri === "string" ? body.error_uri : undefined),
+                },
+            };
+        }
+        // Some servers return 200 with a top-level `error` field but no `ok`.
+        if (isObject(body) && typeof body.error === "string" && !("access_token" in body)) {
+            return {
+                ok: false,
+                error: {
+                    error: body.error,
+                    errorDescription: clean(typeof body.error_description === "string" ? body.error_description : undefined),
+                    errorUri: clean(typeof body.error_uri === "string" ? body.error_uri : undefined),
+                },
+            };
+        }
+        return { ok: true };
+    }
+    // 1xx / 3xx — surface as unknown.
+    return { ok: false, error: { error: "server_error", errorDescription: `HTTP ${status}` } };
+}
+function extractRfc6749(body) {
+    if (!isObject(body))
+        return undefined;
+    if (typeof body.error !== "string")
+        return undefined;
+    return {
+        error: body.error,
+        errorDescription: clean(typeof body.error_description === "string" ? body.error_description : undefined),
+        errorUri: clean(typeof body.error_uri === "string" ? body.error_uri : undefined),
+    };
+}
+function isObject(v) {
+    return typeof v === "object" && v !== null && !Array.isArray(v);
+}
+/** RFC 6749 "definitive failure" codes — refresh CANNOT succeed by
+ *  retrying, must force full re-auth. (oh-my-pi commit c936620c6.) */
+const DEFINITIVE_ERRORS = new Set([
+    "invalid_grant",
+    "invalid_client",
+    "unauthorized_client",
+    "unsupported_grant_type",
+    "invalid_scope",
+]);
+/** Returns true when an OAuth error is "definitive" — refresh will
+ *  never succeed without user intervention. */
+export function isDefinitiveOAuthError(err) {
+    return DEFINITIVE_ERRORS.has(err.error);
+}
+//# sourceMappingURL=error-normalize.js.map