@credat/mcp 0.1.2-alpha.1 → 0.2.0-alpha.1

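--- a/package/README.md
+++ b/package/README.md
@@ -62,7 +62,7 @@ server.registerTool('read-emails', { ... },
  ## Install
 
  ```bash
- npm install @credat/mcp credat @modelcontextprotocol/sdk
+ npm install @credat/mcp @credat/sdk @modelcontextprotocol/sdk
  ```
 
  ## How It Works
@@ -102,7 +102,7 @@ All using standard cryptography (ES256/EdDSA), DIDs, and SD-JWT Verifiable Crede
  ```typescript
  import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js'
  import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js'
- import { base64urlToUint8Array } from 'credat'
+ import { base64urlToUint8Array } from '@credat/sdk'
  import { z } from 'zod'
  import { CredatAuth } from '@credat/mcp'
 
@@ -140,8 +140,8 @@ await server.connect(transport)
 
  ```typescript
  import { Client } from '@modelcontextprotocol/sdk/client/index.js'
- import { presentCredentials } from 'credat'
- import type { ChallengeMessage } from 'credat'
+ import { presentCredentials } from '@credat/sdk'
+ import type { ChallengeMessage } from '@credat/sdk'
 
  // After connecting to the MCP server...
 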
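--- a/package/dist/index.cjs
+++ b/package/dist/index.cjs
@@ -34,7 +34,7 @@ module.exports = __toCommonJS(index_exports);
  var import_zod = require("zod");
 
  // src/protect.ts
- var import_credat = require("credat");
+ var import_sdk = require("@credat/sdk");
 
  // src/constraints.ts
  function validateConstraints(constraints, context) {
@@ -117,12 +117,12 @@ function createProtect(sessionStore) {
  }
  const { delegationResult } = session;
  if (options.scopes && options.scopes.length > 0) {
- if (!(0, import_credat.hasAllScopes)(delegationResult, options.scopes)) {
+ if (!(0, import_sdk.hasAllScopes)(delegationResult, options.scopes)) {
  return scopeError(options.scopes, delegationResult.scopes);
  }
  }
  if (options.anyScope && options.anyScope.length > 0) {
- if (!(0, import_credat.hasAnyScope)(delegationResult, options.anyScope)) {
+ if (!(0, import_sdk.hasAnyScope)(delegationResult, options.anyScope)) {
  return scopeError(options.anyScope, delegationResult.scopes);
  }
  }
@@ -241,7 +241,7 @@ var SessionStore = class {
  };
 
  // src/tools/authenticate.ts
- var import_credat2 = require("credat");
+ var import_sdk2 = require("@credat/sdk");
  var STDIO_SESSION_KEY2 = "__stdio__";
  function createAuthenticateHandler(config, challengeStore, sessionStore) {
  return async (args, extra) => {
@@ -279,7 +279,7 @@ function createAuthenticateHandler(config, challengeStore, sessionStore) {
  McpAuthErrorCodes.CONFIGURATION_ERROR
  );
  }
- const result = await (0, import_credat2.verifyPresentation)(presentation, {
+ const result = await (0, import_sdk2.verifyPresentation)(presentation, {
  challenge: stored.challenge,
  ownerPublicKey: config.ownerPublicKey,
  agentPublicKey,
@@ -313,11 +313,11 @@ function createAuthenticateHandler(config, challengeStore, sessionStore) {
  }
 
  // src/tools/challenge.ts
- var import_credat3 = require("credat");
+ var import_sdk3 = require("@credat/sdk");
  var STDIO_SESSION_KEY3 = "__stdio__";
  function createChallengeHandler(serverDid, challengeStore) {
  return (extra) => {
- const challenge = (0, import_credat3.createChallenge)({ from: serverDid });
+ const challenge = (0, import_sdk3.createChallenge)({ from: serverDid });
  const sessionId = extra.sessionId ?? STDIO_SESSION_KEY3;
  challengeStore.set(challenge.nonce, challenge, sessionId);
  return {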
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/index.ts","../src/auth.ts","../src/protect.ts","../src/constraints.ts","../src/errors.ts","../src/session.ts","../src/tools/authenticate.ts","../src/tools/challenge.ts"],"sourcesContent":["export { CredatAuth } from \"./auth.js\";\nexport type { McpAuthErrorCode } from \"./errors.js\";\nexport {\n\tauthError,\n\tconstraintError,\n\tMcpAuthErrorCodes,\n\tscopeError,\n} from \"./errors.js\";\nexport { ChallengeStore, SessionStore } from \"./session.js\";\nexport type {\n\tAuthContext,\n\tAuthErrorPayload,\n\tCredatAuthOptions,\n\tProtectOptions,\n\tSessionAuth,\n\tStoredChallenge,\n\tToolExtra,\n} from \"./types.js\";\n","import type { McpServer } from \"@modelcontextprotocol/sdk/server/mcp.js\";\nimport type { CallToolResult } from \"@modelcontextprotocol/sdk/types.js\";\nimport { z } from \"zod\";\nimport { createProtect } from \"./protect.js\";\nimport { ChallengeStore, SessionStore } from \"./session.js\";\nimport { createAuthenticateHandler } from \"./tools/authenticate.js\";\nimport { createChallengeHandler } from \"./tools/challenge.js\";\nimport type {\n\tAuthContext,\n\tCredatAuthOptions,\n\tProtectOptions,\n\tSessionAuth,\n\tToolExtra,\n} from \"./types.js\";\n\nconst DEFAULT_CHALLENGE_MAX_AGE_MS = 5 * 60 * 1000; // 5 minutes\nconst DEFAULT_SESSION_MAX_AGE_MS = 60 * 60 * 1000; // 1 hour\nconst DEFAULT_TOOL_PREFIX = \"credat\";\n\nconst STDIO_SESSION_KEY = \"__stdio__\";\n\ntype ProtectedHandler<TArgs> = (\n\targs: TArgs,\n\textra: ToolExtra & { auth: AuthContext },\n) => CallToolResult | Promise<CallToolResult>;\n\nexport class CredatAuth {\n\tprivate readonly config: Required<\n\t\tPick<\n\t\t\tCredatAuthOptions,\n\t\t\t\"serverDid\" | \"ownerPublicKey\" | \"challengeMaxAgeMs\" | \"sessionMaxAgeMs\" | \"toolPrefix\"\n\t\t>\n\t> &\n\t\tPick<CredatAuthOptions, \"agentPublicKey\" | \"resolveAgentKey\">;\n\n\tprivate readonly challengeStore: ChallengeStore;\n\tprivate readonly sessionStore: SessionStore;\n\tprivate readonly 
protectFn: ReturnType<typeof createProtect>;\n\n\tconstructor(options: CredatAuthOptions) {\n\t\tif (!options.serverDid) {\n\t\t\tthrow new Error(\"CredatAuth: serverDid is required\");\n\t\t}\n\t\tif (!options.ownerPublicKey || options.ownerPublicKey.length === 0) {\n\t\t\tthrow new Error(\"CredatAuth: ownerPublicKey is required\");\n\t\t}\n\n\t\tthis.config = {\n\t\t\tserverDid: options.serverDid,\n\t\t\townerPublicKey: options.ownerPublicKey,\n\t\t\tagentPublicKey: options.agentPublicKey,\n\t\t\tresolveAgentKey: options.resolveAgentKey,\n\t\t\tchallengeMaxAgeMs: options.challengeMaxAgeMs ?? DEFAULT_CHALLENGE_MAX_AGE_MS,\n\t\t\tsessionMaxAgeMs: options.sessionMaxAgeMs ?? DEFAULT_SESSION_MAX_AGE_MS,\n\t\t\ttoolPrefix: options.toolPrefix ?? DEFAULT_TOOL_PREFIX,\n\t\t};\n\n\t\tthis.challengeStore = new ChallengeStore(this.config.challengeMaxAgeMs);\n\t\tthis.sessionStore = new SessionStore(this.config.sessionMaxAgeMs);\n\t\tthis.protectFn = createProtect(this.sessionStore);\n\t}\n\n\t/** Register the credat:challenge and credat:authenticate tools on the server */\n\tinstall(server: McpServer): void {\n\t\tconst prefix = this.config.toolPrefix;\n\n\t\tconst challengeHandler = createChallengeHandler(this.config.serverDid, this.challengeStore);\n\n\t\tconst authenticateHandler = createAuthenticateHandler(\n\t\t\tthis.config,\n\t\t\tthis.challengeStore,\n\t\t\tthis.sessionStore,\n\t\t);\n\n\t\t// Register challenge tool (no input — callback receives just extra)\n\t\tserver.registerTool(\n\t\t\t`${prefix}:challenge`,\n\t\t\t{\n\t\t\t\tdescription:\n\t\t\t\t\t\"Request an authentication challenge. Returns a nonce that must be signed with your delegation credential.\",\n\t\t\t},\n\t\t\t(extra) => challengeHandler(extra as ToolExtra),\n\t\t);\n\n\t\t// Register authenticate tool\n\t\tserver.registerTool(\n\t\t\t`${prefix}:authenticate`,\n\t\t\t{\n\t\t\t\tdescription:\n\t\t\t\t\t\"Present your signed credentials to authenticate. 
Requires a presentation object containing delegation proof and signed nonce.\",\n\t\t\t\tinputSchema: z.object({\n\t\t\t\t\tpresentation: z.object({\n\t\t\t\t\t\ttype: z.literal(\"credat:presentation\"),\n\t\t\t\t\t\tdelegation: z.string(),\n\t\t\t\t\t\tnonce: z.string(),\n\t\t\t\t\t\tproof: z.string(),\n\t\t\t\t\t\tfrom: z.string(),\n\t\t\t\t\t}),\n\t\t\t\t}),\n\t\t\t},\n\t\t\t(args, extra) =>\n\t\t\t\tauthenticateHandler(\n\t\t\t\t\targs as {\n\t\t\t\t\t\tpresentation: {\n\t\t\t\t\t\t\ttype: \"credat:presentation\";\n\t\t\t\t\t\t\tdelegation: string;\n\t\t\t\t\t\t\tnonce: string;\n\t\t\t\t\t\t\tproof: string;\n\t\t\t\t\t\t\tfrom: string;\n\t\t\t\t\t\t};\n\t\t\t\t\t},\n\t\t\t\t\textra as ToolExtra,\n\t\t\t\t),\n\t\t);\n\t}\n\n\t/** Wrap a tool handler to require authentication + optional scope/constraint checks */\n\tprotect<TArgs extends Record<string, unknown>>(\n\t\toptions: ProtectOptions,\n\t\thandler: ProtectedHandler<TArgs>,\n\t) {\n\t\treturn this.protectFn(options, handler);\n\t}\n\n\t/** Check if a session is currently authenticated */\n\tisAuthenticated(sessionId?: string): boolean {\n\t\tconst key = sessionId ?? STDIO_SESSION_KEY;\n\t\treturn this.sessionStore.get(key) !== undefined;\n\t}\n\n\t/** Get the auth result for a session */\n\tgetSessionAuth(sessionId?: string): SessionAuth | undefined {\n\t\tconst key = sessionId ?? STDIO_SESSION_KEY;\n\t\treturn this.sessionStore.get(key);\n\t}\n\n\t/** Revoke a session, forcing re-authentication */\n\trevokeSession(sessionId?: string): void {\n\t\tconst key = sessionId ?? 
STDIO_SESSION_KEY;\n\t\tthis.sessionStore.delete(key);\n\t}\n}\n","import type { CallToolResult } from \"@modelcontextprotocol/sdk/types.js\";\nimport { hasAllScopes, hasAnyScope } from \"credat\";\nimport { validateConstraints } from \"./constraints.js\";\nimport { authError, constraintError, McpAuthErrorCodes, scopeError } from \"./errors.js\";\nimport type { SessionStore } from \"./session.js\";\nimport type { AuthContext, ProtectOptions, ToolExtra } from \"./types.js\";\n\nconst STDIO_SESSION_KEY = \"__stdio__\";\n\ntype ProtectedHandler<TArgs> = (\n\targs: TArgs,\n\textra: ToolExtra & { auth: AuthContext },\n) => CallToolResult | Promise<CallToolResult>;\n\ntype ToolHandler<TArgs> = (\n\targs: TArgs,\n\textra: ToolExtra,\n) => CallToolResult | Promise<CallToolResult>;\n\nexport function createProtect(sessionStore: SessionStore) {\n\treturn function protect<TArgs extends Record<string, unknown>>(\n\t\toptions: ProtectOptions,\n\t\thandler: ProtectedHandler<TArgs>,\n\t): ToolHandler<TArgs> {\n\t\treturn (args: TArgs, extra: ToolExtra) => {\n\t\t\tconst sessionId = extra.sessionId ?? STDIO_SESSION_KEY;\n\n\t\t\t// 1. Check authentication\n\t\t\tconst session = sessionStore.get(sessionId);\n\t\t\tif (!session) {\n\t\t\t\treturn authError(\n\t\t\t\t\t\"Not authenticated. Call the credat:challenge tool to begin authentication.\",\n\t\t\t\t\tMcpAuthErrorCodes.NOT_AUTHENTICATED,\n\t\t\t\t);\n\t\t\t}\n\n\t\t\tconst { delegationResult } = session;\n\n\t\t\t// 2. Check required scopes (ALL)\n\t\t\tif (options.scopes && options.scopes.length > 0) {\n\t\t\t\tif (!hasAllScopes(delegationResult, options.scopes)) {\n\t\t\t\t\treturn scopeError(options.scopes, delegationResult.scopes);\n\t\t\t\t}\n\t\t\t}\n\n\t\t\t// 3. 
Check required scopes (ANY)\n\t\t\tif (options.anyScope && options.anyScope.length > 0) {\n\t\t\t\tif (!hasAnyScope(delegationResult, options.anyScope)) {\n\t\t\t\t\treturn scopeError(options.anyScope, delegationResult.scopes);\n\t\t\t\t}\n\t\t\t}\n\n\t\t\t// 4. Validate constraints\n\t\t\tif (options.constraintContext) {\n\t\t\t\tconst context =\n\t\t\t\t\ttypeof options.constraintContext === \"function\"\n\t\t\t\t\t\t? options.constraintContext(args as Record<string, unknown>)\n\t\t\t\t\t\t: options.constraintContext;\n\n\t\t\t\tconst violations = validateConstraints(delegationResult.constraints, context);\n\t\t\t\tif (violations.length > 0) {\n\t\t\t\t\treturn constraintError(violations);\n\t\t\t\t}\n\t\t\t}\n\n\t\t\t// 5. Build auth context and call handler\n\t\t\tconst authContext: AuthContext = {\n\t\t\t\tagentDid: delegationResult.agent,\n\t\t\t\townerDid: delegationResult.owner,\n\t\t\t\tscopes: delegationResult.scopes,\n\t\t\t\tconstraints: delegationResult.constraints,\n\t\t\t};\n\n\t\t\tconst augmentedExtra = Object.assign({}, extra, {\n\t\t\t\tauth: authContext,\n\t\t\t});\n\n\t\t\treturn handler(args, augmentedExtra);\n\t\t};\n\t};\n}\n","import type { DelegationConstraints } from \"credat\";\nimport type { ConstraintContext, ConstraintViolation } from \"./types.js\";\n\nexport function validateConstraints(\n\tconstraints: DelegationConstraints | undefined,\n\tcontext: ConstraintContext,\n): ConstraintViolation[] {\n\tif (!constraints) return [];\n\n\tconst violations: ConstraintViolation[] = [];\n\n\tif (constraints.maxTransactionValue != null && context.transactionValue != null) {\n\t\tif (context.transactionValue > constraints.maxTransactionValue) {\n\t\t\tviolations.push({\n\t\t\t\tconstraint: \"maxTransactionValue\",\n\t\t\t\tmessage: `${context.transactionValue} exceeds max ${constraints.maxTransactionValue}`,\n\t\t\t});\n\t\t}\n\t}\n\n\tif (constraints.allowedDomains != null && context.domain != null) {\n\t\tif 
(!constraints.allowedDomains.includes(context.domain)) {\n\t\t\tviolations.push({\n\t\t\t\tconstraint: \"allowedDomains\",\n\t\t\t\tmessage: `Domain \"${context.domain}\" is not in allowed list: ${constraints.allowedDomains.join(\", \")}`,\n\t\t\t});\n\t\t}\n\t}\n\n\tif (constraints.rateLimit != null && typeof context.rateLimit === \"number\") {\n\t\tif (context.rateLimit > constraints.rateLimit) {\n\t\t\tviolations.push({\n\t\t\t\tconstraint: \"rateLimit\",\n\t\t\t\tmessage: `Rate ${context.rateLimit} exceeds limit ${constraints.rateLimit}`,\n\t\t\t});\n\t\t}\n\t}\n\n\treturn violations;\n}\n","import type { CallToolResult } from \"@modelcontextprotocol/sdk/types.js\";\nimport type { AuthErrorPayload, ConstraintViolation } from \"./types.js\";\n\n// ── Error Codes ──\n\nexport const McpAuthErrorCodes = {\n\tNOT_AUTHENTICATED: \"NOT_AUTHENTICATED\",\n\tSESSION_EXPIRED: \"SESSION_EXPIRED\",\n\tSESSION_MISMATCH: \"SESSION_MISMATCH\",\n\tINSUFFICIENT_SCOPES: \"INSUFFICIENT_SCOPES\",\n\tCONSTRAINT_VIOLATION: \"CONSTRAINT_VIOLATION\",\n\tCONFIGURATION_ERROR: \"CONFIGURATION_ERROR\",\n} as const;\n\nexport type McpAuthErrorCode = (typeof McpAuthErrorCodes)[keyof typeof McpAuthErrorCodes];\n\n// ── Error Response Builders ──\n\nexport function authError(message: string, code: string, details?: string[]): CallToolResult {\n\tconst payload: AuthErrorPayload = { error: message, code };\n\tif (details && details.length > 0) {\n\t\tpayload.details = details;\n\t}\n\treturn {\n\t\tcontent: [{ type: \"text\", text: JSON.stringify(payload) }],\n\t\tisError: true,\n\t};\n}\n\nexport function scopeError(required: string[], actual: string[]): CallToolResult {\n\tconst missing = required.filter((s) => !actual.includes(s));\n\treturn authError(\n\t\t`Insufficient scopes. 
Missing: ${missing.join(\", \")}`,\n\t\tMcpAuthErrorCodes.INSUFFICIENT_SCOPES,\n\t\t[`required: ${required.join(\", \")}`, `granted: ${actual.join(\", \")}`],\n\t);\n}\n\nexport function constraintError(violations: ConstraintViolation[]): CallToolResult {\n\treturn authError(\n\t\t`Constraint violation: ${violations.map((v) => v.message).join(\"; \")}`,\n\t\tMcpAuthErrorCodes.CONSTRAINT_VIOLATION,\n\t\tviolations.map((v) => `${v.constraint}: ${v.message}`),\n\t);\n}\n","import type { ChallengeMessage } from \"credat\";\nimport type { SessionAuth, StoredChallenge } from \"./types.js\";\n\nconst DEFAULT_MAX_SIZE = 1000;\nconst CLEANUP_THRESHOLD = 100;\n\n// ── Challenge Store ──\n\nexport class ChallengeStore {\n\tprivate store = new Map<string, StoredChallenge>();\n\tprivate readonly maxAgeMs: number;\n\tprivate readonly maxSize: number;\n\tprivate insertsSinceCleanup = 0;\n\n\tconstructor(maxAgeMs: number, maxSize = DEFAULT_MAX_SIZE) {\n\t\tthis.maxAgeMs = maxAgeMs;\n\t\tthis.maxSize = maxSize;\n\t}\n\n\tset(nonce: string, challenge: ChallengeMessage, sessionId: string): void {\n\t\tthis.store.set(nonce, {\n\t\t\tchallenge,\n\t\t\tsessionId,\n\t\t\tcreatedAt: Date.now(),\n\t\t});\n\n\t\tthis.insertsSinceCleanup++;\n\t\tif (this.insertsSinceCleanup >= CLEANUP_THRESHOLD || this.store.size > this.maxSize) {\n\t\t\tthis.cleanup();\n\t\t\tthis.insertsSinceCleanup = 0;\n\t\t}\n\t}\n\n\t/** Consume a challenge (single-use). Returns and deletes. 
*/\n\tconsume(nonce: string): StoredChallenge | undefined {\n\t\tconst entry = this.store.get(nonce);\n\t\tif (!entry) return undefined;\n\n\t\tthis.store.delete(nonce);\n\n\t\tif (Date.now() - entry.createdAt > this.maxAgeMs) {\n\t\t\treturn undefined;\n\t\t}\n\n\t\treturn entry;\n\t}\n\n\tcleanup(): void {\n\t\tconst now = Date.now();\n\t\tfor (const [nonce, entry] of this.store) {\n\t\t\tif (now - entry.createdAt > this.maxAgeMs) {\n\t\t\t\tthis.store.delete(nonce);\n\t\t\t}\n\t\t}\n\n\t\t// Evict oldest if still over max size\n\t\tif (this.store.size > this.maxSize) {\n\t\t\tconst entries = [...this.store.entries()].sort((a, b) => a[1].createdAt - b[1].createdAt);\n\t\t\tconst toRemove = entries.slice(0, this.store.size - this.maxSize);\n\t\t\tfor (const [nonce] of toRemove) {\n\t\t\t\tthis.store.delete(nonce);\n\t\t\t}\n\t\t}\n\t}\n\n\tget size(): number {\n\t\treturn this.store.size;\n\t}\n}\n\n// ── Session Store ──\n\nexport class SessionStore {\n\tprivate store = new Map<string, SessionAuth>();\n\tprivate readonly maxAgeMs: number;\n\tprivate insertsSinceCleanup = 0;\n\n\tconstructor(maxAgeMs: number) {\n\t\tthis.maxAgeMs = maxAgeMs;\n\t}\n\n\tset(sessionId: string, auth: SessionAuth): void {\n\t\tthis.store.set(sessionId, auth);\n\n\t\tthis.insertsSinceCleanup++;\n\t\tif (this.insertsSinceCleanup >= CLEANUP_THRESHOLD) {\n\t\t\tthis.cleanup();\n\t\t\tthis.insertsSinceCleanup = 0;\n\t\t}\n\t}\n\n\tget(sessionId: string): SessionAuth | undefined {\n\t\tconst entry = this.store.get(sessionId);\n\t\tif (!entry) return undefined;\n\n\t\tif (Date.now() - entry.authenticatedAt > this.maxAgeMs) {\n\t\t\tthis.store.delete(sessionId);\n\t\t\treturn undefined;\n\t\t}\n\n\t\treturn entry;\n\t}\n\n\tdelete(sessionId: string): boolean {\n\t\treturn this.store.delete(sessionId);\n\t}\n\n\tcleanup(): void {\n\t\tconst now = Date.now();\n\t\tfor (const [sessionId, entry] of this.store) {\n\t\t\tif (now - entry.authenticatedAt > this.maxAgeMs) 
{\n\t\t\t\tthis.store.delete(sessionId);\n\t\t\t}\n\t\t}\n\t}\n\n\tget size(): number {\n\t\treturn this.store.size;\n\t}\n}\n","import type { CallToolResult } from \"@modelcontextprotocol/sdk/types.js\";\nimport type { PresentationMessage } from \"credat\";\nimport { verifyPresentation } from \"credat\";\nimport { authError, McpAuthErrorCodes } from \"../errors.js\";\nimport type { ChallengeStore, SessionStore } from \"../session.js\";\nimport type { CredatAuthOptions, ToolExtra } from \"../types.js\";\n\nconst STDIO_SESSION_KEY = \"__stdio__\";\n\nexport function createAuthenticateHandler(\n\tconfig: CredatAuthOptions,\n\tchallengeStore: ChallengeStore,\n\tsessionStore: SessionStore,\n) {\n\treturn async (\n\t\targs: { presentation: PresentationMessage },\n\t\textra: ToolExtra,\n\t): Promise<CallToolResult> => {\n\t\tconst { presentation } = args;\n\t\tconst sessionId = extra.sessionId ?? STDIO_SESSION_KEY;\n\n\t\t// 1. Consume challenge (single-use nonce)\n\t\tconst stored = challengeStore.consume(presentation.nonce);\n\t\tif (!stored) {\n\t\t\treturn authError(\n\t\t\t\t\"Unknown or expired challenge nonce. Request a new challenge.\",\n\t\t\t\tMcpAuthErrorCodes.NOT_AUTHENTICATED,\n\t\t\t);\n\t\t}\n\n\t\t// 2. Verify session binding\n\t\tif (stored.sessionId !== sessionId) {\n\t\t\treturn authError(\n\t\t\t\t\"Challenge was issued to a different session.\",\n\t\t\t\tMcpAuthErrorCodes.SESSION_MISMATCH,\n\t\t\t);\n\t\t}\n\n\t\t// 3. Resolve agent public key\n\t\tlet agentPublicKey: Uint8Array;\n\t\tif (config.agentPublicKey) {\n\t\t\tagentPublicKey = config.agentPublicKey;\n\t\t} else if (config.resolveAgentKey) {\n\t\t\ttry {\n\t\t\t\tagentPublicKey = await config.resolveAgentKey(presentation.from);\n\t\t\t} catch (err) {\n\t\t\t\tconst message = err instanceof Error ? 
err.message : \"Unknown error\";\n\t\t\t\treturn authError(\n\t\t\t\t\t`Failed to resolve agent public key for ${presentation.from}: ${message}`,\n\t\t\t\t\tMcpAuthErrorCodes.CONFIGURATION_ERROR,\n\t\t\t\t);\n\t\t\t}\n\t\t} else {\n\t\t\treturn authError(\n\t\t\t\t\"No agentPublicKey configured and no resolveAgentKey callback provided.\",\n\t\t\t\tMcpAuthErrorCodes.CONFIGURATION_ERROR,\n\t\t\t);\n\t\t}\n\n\t\t// 4. Verify presentation\n\t\tconst result = await verifyPresentation(presentation, {\n\t\t\tchallenge: stored.challenge,\n\t\t\townerPublicKey: config.ownerPublicKey,\n\t\t\tagentPublicKey,\n\t\t\tchallengeMaxAgeMs: config.challengeMaxAgeMs,\n\t\t});\n\n\t\tif (!result.valid) {\n\t\t\tconst details = result.errors.map((e) => `${e.code}: ${e.message}`);\n\t\t\treturn authError(\n\t\t\t\t\"Authentication failed.\",\n\t\t\t\tresult.errors[0]?.code ?? \"HANDSHAKE_VERIFICATION_FAILED\",\n\t\t\t\tdetails,\n\t\t\t);\n\t\t}\n\n\t\t// 5. Store session auth\n\t\tsessionStore.set(sessionId, {\n\t\t\tdelegationResult: result,\n\t\t\tauthenticatedAt: Date.now(),\n\t\t});\n\n\t\treturn {\n\t\t\tcontent: [\n\t\t\t\t{\n\t\t\t\t\ttype: \"text\",\n\t\t\t\t\ttext: JSON.stringify({\n\t\t\t\t\t\tauthenticated: true,\n\t\t\t\t\t\tagent: result.agent,\n\t\t\t\t\t\tscopes: result.scopes,\n\t\t\t\t\t}),\n\t\t\t\t},\n\t\t\t],\n\t\t};\n\t};\n}\n","import type { CallToolResult } from \"@modelcontextprotocol/sdk/types.js\";\nimport { createChallenge } from \"credat\";\nimport type { ChallengeStore } from \"../session.js\";\nimport type { ToolExtra } from \"../types.js\";\n\nconst STDIO_SESSION_KEY = \"__stdio__\";\n\nexport function createChallengeHandler(serverDid: string, challengeStore: ChallengeStore) {\n\treturn (extra: ToolExtra): CallToolResult => {\n\t\tconst challenge = createChallenge({ from: serverDid });\n\t\tconst sessionId = extra.sessionId ?? 
STDIO_SESSION_KEY;\n\n\t\tchallengeStore.set(challenge.nonce, challenge, sessionId);\n\n\t\treturn {\n\t\t\tcontent: [{ type: \"text\", text: JSON.stringify(challenge) }],\n\t\t};\n\t};\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACEA,iBAAkB;;;ACDlB,oBAA0C;;;ACEnC,SAAS,oBACf,aACA,SACwB;AACxB,MAAI,CAAC,YAAa,QAAO,CAAC;AAE1B,QAAM,aAAoC,CAAC;AAE3C,MAAI,YAAY,uBAAuB,QAAQ,QAAQ,oBAAoB,MAAM;AAChF,QAAI,QAAQ,mBAAmB,YAAY,qBAAqB;AAC/D,iBAAW,KAAK;AAAA,QACf,YAAY;AAAA,QACZ,SAAS,GAAG,QAAQ,gBAAgB,gBAAgB,YAAY,mBAAmB;AAAA,MACpF,CAAC;AAAA,IACF;AAAA,EACD;AAEA,MAAI,YAAY,kBAAkB,QAAQ,QAAQ,UAAU,MAAM;AACjE,QAAI,CAAC,YAAY,eAAe,SAAS,QAAQ,MAAM,GAAG;AACzD,iBAAW,KAAK;AAAA,QACf,YAAY;AAAA,QACZ,SAAS,WAAW,QAAQ,MAAM,6BAA6B,YAAY,eAAe,KAAK,IAAI,CAAC;AAAA,MACrG,CAAC;AAAA,IACF;AAAA,EACD;AAEA,MAAI,YAAY,aAAa,QAAQ,OAAO,QAAQ,cAAc,UAAU;AAC3E,QAAI,QAAQ,YAAY,YAAY,WAAW;AAC9C,iBAAW,KAAK;AAAA,QACf,YAAY;AAAA,QACZ,SAAS,QAAQ,QAAQ,SAAS,kBAAkB,YAAY,SAAS;AAAA,MAC1E,CAAC;AAAA,IACF;AAAA,EACD;AAEA,SAAO;AACR;;;AClCO,IAAM,oBAAoB;AAAA,EAChC,mBAAmB;AAAA,EACnB,iBAAiB;AAAA,EACjB,kBAAkB;AAAA,EAClB,qBAAqB;AAAA,EACrB,sBAAsB;AAAA,EACtB,qBAAqB;AACtB;AAMO,SAAS,UAAU,SAAiB,MAAc,SAAoC;AAC5F,QAAM,UAA4B,EAAE,OAAO,SAAS,KAAK;AACzD,MAAI,WAAW,QAAQ,SAAS,GAAG;AAClC,YAAQ,UAAU;AAAA,EACnB;AACA,SAAO;AAAA,IACN,SAAS,CAAC,EAAE,MAAM,QAAQ,MAAM,KAAK,UAAU,OAAO,EAAE,CAAC;AAAA,IACzD,SAAS;AAAA,EACV;AACD;AAEO,SAAS,WAAW,UAAoB,QAAkC;AAChF,QAAM,UAAU,SAAS,OAAO,CAAC,MAAM,CAAC,OAAO,SAAS,CAAC,CAAC;AAC1D,SAAO;AAAA,IACN,iCAAiC,QAAQ,KAAK,IAAI,CAAC;AAAA,IACnD,kBAAkB;AAAA,IAClB,CAAC,aAAa,SAAS,KAAK,IAAI,CAAC,IAAI,YAAY,OAAO,KAAK,IAAI,CAAC,EAAE;AAAA,EACrE;AACD;AAEO,SAAS,gBAAgB,YAAmD;AAClF,SAAO;AAAA,IACN,yBAAyB,WAAW,IAAI,CAAC,MAAM,EAAE,OAAO,EAAE,KAAK,IAAI,CAAC;AAAA,IACpE,kBAAkB;AAAA,IAClB,WAAW,IAAI,CAAC,MAAM,GAAG,EAAE,UAAU,KAAK,EAAE,OAAO,EAAE;AAAA,EACtD;AACD;;;AFrCA,IAAM,oBAAoB;AAYnB,SAAS,cAAc,cAA4B;AACzD,SAAO,SAAS,QACf,SACA,SACqB;AACrB,WAAO,CAAC,MAAa,UAAqB;AACzC,YAAM,YAAY,MAAM,aAAa;AAGrC,YAAM,UAAU,aAAa,IAAI,SAAS;AAC1C,UAAI,CA
AC,SAAS;AACb,eAAO;AAAA,UACN;AAAA,UACA,kBAAkB;AAAA,QACnB;AAAA,MACD;AAEA,YAAM,EAAE,iBAAiB,IAAI;AAG7B,UAAI,QAAQ,UAAU,QAAQ,OAAO,SAAS,GAAG;AAChD,YAAI,KAAC,4BAAa,kBAAkB,QAAQ,MAAM,GAAG;AACpD,iBAAO,WAAW,QAAQ,QAAQ,iBAAiB,MAAM;AAAA,QAC1D;AAAA,MACD;AAGA,UAAI,QAAQ,YAAY,QAAQ,SAAS,SAAS,GAAG;AACpD,YAAI,KAAC,2BAAY,kBAAkB,QAAQ,QAAQ,GAAG;AACrD,iBAAO,WAAW,QAAQ,UAAU,iBAAiB,MAAM;AAAA,QAC5D;AAAA,MACD;AAGA,UAAI,QAAQ,mBAAmB;AAC9B,cAAM,UACL,OAAO,QAAQ,sBAAsB,aAClC,QAAQ,kBAAkB,IAA+B,IACzD,QAAQ;AAEZ,cAAM,aAAa,oBAAoB,iBAAiB,aAAa,OAAO;AAC5E,YAAI,WAAW,SAAS,GAAG;AAC1B,iBAAO,gBAAgB,UAAU;AAAA,QAClC;AAAA,MACD;AAGA,YAAM,cAA2B;AAAA,QAChC,UAAU,iBAAiB;AAAA,QAC3B,UAAU,iBAAiB;AAAA,QAC3B,QAAQ,iBAAiB;AAAA,QACzB,aAAa,iBAAiB;AAAA,MAC/B;AAEA,YAAM,iBAAiB,OAAO,OAAO,CAAC,GAAG,OAAO;AAAA,QAC/C,MAAM;AAAA,MACP,CAAC;AAED,aAAO,QAAQ,MAAM,cAAc;AAAA,IACpC;AAAA,EACD;AACD;;;AG7EA,IAAM,mBAAmB;AACzB,IAAM,oBAAoB;AAInB,IAAM,iBAAN,MAAqB;AAAA,EACnB,QAAQ,oBAAI,IAA6B;AAAA,EAChC;AAAA,EACA;AAAA,EACT,sBAAsB;AAAA,EAE9B,YAAY,UAAkB,UAAU,kBAAkB;AACzD,SAAK,WAAW;AAChB,SAAK,UAAU;AAAA,EAChB;AAAA,EAEA,IAAI,OAAe,WAA6B,WAAyB;AACxE,SAAK,MAAM,IAAI,OAAO;AAAA,MACrB;AAAA,MACA;AAAA,MACA,WAAW,KAAK,IAAI;AAAA,IACrB,CAAC;AAED,SAAK;AACL,QAAI,KAAK,uBAAuB,qBAAqB,KAAK,MAAM,OAAO,KAAK,SAAS;AACpF,WAAK,QAAQ;AACb,WAAK,sBAAsB;AAAA,IAC5B;AAAA,EACD;AAAA;AAAA,EAGA,QAAQ,OAA4C;AACnD,UAAM,QAAQ,KAAK,MAAM,IAAI,KAAK;AAClC,QAAI,CAAC,MAAO,QAAO;AAEnB,SAAK,MAAM,OAAO,KAAK;AAEvB,QAAI,KAAK,IAAI,IAAI,MAAM,YAAY,KAAK,UAAU;AACjD,aAAO;AAAA,IACR;AAEA,WAAO;AAAA,EACR;AAAA,EAEA,UAAgB;AACf,UAAM,MAAM,KAAK,IAAI;AACrB,eAAW,CAAC,OAAO,KAAK,KAAK,KAAK,OAAO;AACxC,UAAI,MAAM,MAAM,YAAY,KAAK,UAAU;AAC1C,aAAK,MAAM,OAAO,KAAK;AAAA,MACxB;AAAA,IACD;AAGA,QAAI,KAAK,MAAM,OAAO,KAAK,SAAS;AACnC,YAAM,UAAU,CAAC,GAAG,KAAK,MAAM,QAAQ,CAAC,EAAE,KAAK,CAAC,GAAG,MAAM,EAAE,CAAC,EAAE,YAAY,EAAE,CAAC,EAAE,SAAS;AACxF,YAAM,WAAW,QAAQ,MAAM,GAAG,KAAK,MAAM,OAAO,KAAK,OAAO;AAChE,iBAAW,CAAC,KAAK,KAAK,UAAU;AAC/B,aAAK,MAAM,OAAO,KAAK;AAAA,MACxB;AAAA,IACD;AAAA,EACD;AAAA,EAEA,IAAI,OAAe;AAClB,WAAO,KAAK,MAAM;AAAA,EACnB;AACD;AAIO,IAAM,eAAN,MAAm
B;AAAA,EACjB,QAAQ,oBAAI,IAAyB;AAAA,EAC5B;AAAA,EACT,sBAAsB;AAAA,EAE9B,YAAY,UAAkB;AAC7B,SAAK,WAAW;AAAA,EACjB;AAAA,EAEA,IAAI,WAAmB,MAAyB;AAC/C,SAAK,MAAM,IAAI,WAAW,IAAI;AAE9B,SAAK;AACL,QAAI,KAAK,uBAAuB,mBAAmB;AAClD,WAAK,QAAQ;AACb,WAAK,sBAAsB;AAAA,IAC5B;AAAA,EACD;AAAA,EAEA,IAAI,WAA4C;AAC/C,UAAM,QAAQ,KAAK,MAAM,IAAI,SAAS;AACtC,QAAI,CAAC,MAAO,QAAO;AAEnB,QAAI,KAAK,IAAI,IAAI,MAAM,kBAAkB,KAAK,UAAU;AACvD,WAAK,MAAM,OAAO,SAAS;AAC3B,aAAO;AAAA,IACR;AAEA,WAAO;AAAA,EACR;AAAA,EAEA,OAAO,WAA4B;AAClC,WAAO,KAAK,MAAM,OAAO,SAAS;AAAA,EACnC;AAAA,EAEA,UAAgB;AACf,UAAM,MAAM,KAAK,IAAI;AACrB,eAAW,CAAC,WAAW,KAAK,KAAK,KAAK,OAAO;AAC5C,UAAI,MAAM,MAAM,kBAAkB,KAAK,UAAU;AAChD,aAAK,MAAM,OAAO,SAAS;AAAA,MAC5B;AAAA,IACD;AAAA,EACD;AAAA,EAEA,IAAI,OAAe;AAClB,WAAO,KAAK,MAAM;AAAA,EACnB;AACD;;;ACrHA,IAAAA,iBAAmC;AAKnC,IAAMC,qBAAoB;AAEnB,SAAS,0BACf,QACA,gBACA,cACC;AACD,SAAO,OACN,MACA,UAC6B;AAC7B,UAAM,EAAE,aAAa,IAAI;AACzB,UAAM,YAAY,MAAM,aAAaA;AAGrC,UAAM,SAAS,eAAe,QAAQ,aAAa,KAAK;AACxD,QAAI,CAAC,QAAQ;AACZ,aAAO;AAAA,QACN;AAAA,QACA,kBAAkB;AAAA,MACnB;AAAA,IACD;AAGA,QAAI,OAAO,cAAc,WAAW;AACnC,aAAO;AAAA,QACN;AAAA,QACA,kBAAkB;AAAA,MACnB;AAAA,IACD;AAGA,QAAI;AACJ,QAAI,OAAO,gBAAgB;AAC1B,uBAAiB,OAAO;AAAA,IACzB,WAAW,OAAO,iBAAiB;AAClC,UAAI;AACH,yBAAiB,MAAM,OAAO,gBAAgB,aAAa,IAAI;AAAA,MAChE,SAAS,KAAK;AACb,cAAM,UAAU,eAAe,QAAQ,IAAI,UAAU;AACrD,eAAO;AAAA,UACN,0CAA0C,aAAa,IAAI,KAAK,OAAO;AAAA,UACvE,kBAAkB;AAAA,QACnB;AAAA,MACD;AAAA,IACD,OAAO;AACN,aAAO;AAAA,QACN;AAAA,QACA,kBAAkB;AAAA,MACnB;AAAA,IACD;AAGA,UAAM,SAAS,UAAM,mCAAmB,cAAc;AAAA,MACrD,WAAW,OAAO;AAAA,MAClB,gBAAgB,OAAO;AAAA,MACvB;AAAA,MACA,mBAAmB,OAAO;AAAA,IAC3B,CAAC;AAED,QAAI,CAAC,OAAO,OAAO;AAClB,YAAM,UAAU,OAAO,OAAO,IAAI,CAAC,MAAM,GAAG,EAAE,IAAI,KAAK,EAAE,OAAO,EAAE;AAClE,aAAO;AAAA,QACN;AAAA,QACA,OAAO,OAAO,CAAC,GAAG,QAAQ;AAAA,QAC1B;AAAA,MACD;AAAA,IACD;AAGA,iBAAa,IAAI,WAAW;AAAA,MAC3B,kBAAkB;AAAA,MAClB,iBAAiB,KAAK,IAAI;AAAA,IAC3B,CAAC;AAED,WAAO;AAAA,MACN,SAAS;AAAA,QACR;AAAA,UACC,MAAM;AAAA,UACN,MAAM,KAAK,UAAU;AAAA,YACpB,eAAe;AAAA,YACf,OAAO,OAAO;AAAA,YACd,QAAQ,OAAO;AAAA,UAChB,CAAC;AAAA,QAC
F;AAAA,MACD;AAAA,IACD;AAAA,EACD;AACD;;;AC9FA,IAAAC,iBAAgC;AAIhC,IAAMC,qBAAoB;AAEnB,SAAS,uBAAuB,WAAmB,gBAAgC;AACzF,SAAO,CAAC,UAAqC;AAC5C,UAAM,gBAAY,gCAAgB,EAAE,MAAM,UAAU,CAAC;AACrD,UAAM,YAAY,MAAM,aAAaA;AAErC,mBAAe,IAAI,UAAU,OAAO,WAAW,SAAS;AAExD,WAAO;AAAA,MACN,SAAS,CAAC,EAAE,MAAM,QAAQ,MAAM,KAAK,UAAU,SAAS,EAAE,CAAC;AAAA,IAC5D;AAAA,EACD;AACD;;;ANHA,IAAM,+BAA+B,IAAI,KAAK;AAC9C,IAAM,6BAA6B,KAAK,KAAK;AAC7C,IAAM,sBAAsB;AAE5B,IAAMC,qBAAoB;AAOnB,IAAM,aAAN,MAAiB;AAAA,EACN;AAAA,EAQA;AAAA,EACA;AAAA,EACA;AAAA,EAEjB,YAAY,SAA4B;AACvC,QAAI,CAAC,QAAQ,WAAW;AACvB,YAAM,IAAI,MAAM,mCAAmC;AAAA,IACpD;AACA,QAAI,CAAC,QAAQ,kBAAkB,QAAQ,eAAe,WAAW,GAAG;AACnE,YAAM,IAAI,MAAM,wCAAwC;AAAA,IACzD;AAEA,SAAK,SAAS;AAAA,MACb,WAAW,QAAQ;AAAA,MACnB,gBAAgB,QAAQ;AAAA,MACxB,gBAAgB,QAAQ;AAAA,MACxB,iBAAiB,QAAQ;AAAA,MACzB,mBAAmB,QAAQ,qBAAqB;AAAA,MAChD,iBAAiB,QAAQ,mBAAmB;AAAA,MAC5C,YAAY,QAAQ,cAAc;AAAA,IACnC;AAEA,SAAK,iBAAiB,IAAI,eAAe,KAAK,OAAO,iBAAiB;AACtE,SAAK,eAAe,IAAI,aAAa,KAAK,OAAO,eAAe;AAChE,SAAK,YAAY,cAAc,KAAK,YAAY;AAAA,EACjD;AAAA;AAAA,EAGA,QAAQ,QAAyB;AAChC,UAAM,SAAS,KAAK,OAAO;AAE3B,UAAM,mBAAmB,uBAAuB,KAAK,OAAO,WAAW,KAAK,cAAc;AAE1F,UAAM,sBAAsB;AAAA,MAC3B,KAAK;AAAA,MACL,KAAK;AAAA,MACL,KAAK;AAAA,IACN;AAGA,WAAO;AAAA,MACN,GAAG,MAAM;AAAA,MACT;AAAA,QACC,aACC;AAAA,MACF;AAAA,MACA,CAAC,UAAU,iBAAiB,KAAkB;AAAA,IAC/C;AAGA,WAAO;AAAA,MACN,GAAG,MAAM;AAAA,MACT;AAAA,QACC,aACC;AAAA,QACD,aAAa,aAAE,OAAO;AAAA,UACrB,cAAc,aAAE,OAAO;AAAA,YACtB,MAAM,aAAE,QAAQ,qBAAqB;AAAA,YACrC,YAAY,aAAE,OAAO;AAAA,YACrB,OAAO,aAAE,OAAO;AAAA,YAChB,OAAO,aAAE,OAAO;AAAA,YAChB,MAAM,aAAE,OAAO;AAAA,UAChB,CAAC;AAAA,QACF,CAAC;AAAA,MACF;AAAA,MACA,CAAC,MAAM,UACN;AAAA,QACC;AAAA,QASA;AAAA,MACD;AAAA,IACF;AAAA,EACD;AAAA;AAAA,EAGA,QACC,SACA,SACC;AACD,WAAO,KAAK,UAAU,SAAS,OAAO;AAAA,EACvC;AAAA;AAAA,EAGA,gBAAgB,WAA6B;AAC5C,UAAM,MAAM,aAAaA;AACzB,WAAO,KAAK,aAAa,IAAI,GAAG,MAAM;AAAA,EACvC;AAAA;AAAA,EAGA,eAAe,WAA6C;AAC3D,UAAM,MAAM,aAAaA;AACzB,WAAO,KAAK,aAAa,IAAI,GAAG;AAAA,EACjC;AAAA;AAAA,EAGA,cAAc,WAA0B;AACvC,UAAM,MAAM,aAAaA;AACzB,SAAK,aAAa,OAAO,GAAG;AAAA,EAC7B;AACD;","names":[
"import_credat","STDIO_SESSION_KEY","import_credat","STDIO_SESSION_KEY","STDIO_SESSION_KEY"]}
1
+ {"version":3,"sources":["../src/index.ts","../src/auth.ts","../src/protect.ts","../src/constraints.ts","../src/errors.ts","../src/session.ts","../src/tools/authenticate.ts","../src/tools/challenge.ts"],"sourcesContent":["export { CredatAuth } from \"./auth.js\";\nexport type { McpAuthErrorCode } from \"./errors.js\";\nexport {\n\tauthError,\n\tconstraintError,\n\tMcpAuthErrorCodes,\n\tscopeError,\n} from \"./errors.js\";\nexport { ChallengeStore, SessionStore } from \"./session.js\";\nexport type {\n\tAuthContext,\n\tAuthErrorPayload,\n\tCredatAuthOptions,\n\tProtectOptions,\n\tSessionAuth,\n\tStoredChallenge,\n\tToolExtra,\n} from \"./types.js\";\n","import type { McpServer } from \"@modelcontextprotocol/sdk/server/mcp.js\";\nimport type { CallToolResult } from \"@modelcontextprotocol/sdk/types.js\";\nimport { z } from \"zod\";\nimport { createProtect } from \"./protect.js\";\nimport { ChallengeStore, SessionStore } from \"./session.js\";\nimport { createAuthenticateHandler } from \"./tools/authenticate.js\";\nimport { createChallengeHandler } from \"./tools/challenge.js\";\nimport type {\n\tAuthContext,\n\tCredatAuthOptions,\n\tProtectOptions,\n\tSessionAuth,\n\tToolExtra,\n} from \"./types.js\";\n\nconst DEFAULT_CHALLENGE_MAX_AGE_MS = 5 * 60 * 1000; // 5 minutes\nconst DEFAULT_SESSION_MAX_AGE_MS = 60 * 60 * 1000; // 1 hour\nconst DEFAULT_TOOL_PREFIX = \"credat\";\n\nconst STDIO_SESSION_KEY = \"__stdio__\";\n\ntype ProtectedHandler<TArgs> = (\n\targs: TArgs,\n\textra: ToolExtra & { auth: AuthContext },\n) => CallToolResult | Promise<CallToolResult>;\n\nexport class CredatAuth {\n\tprivate readonly config: Required<\n\t\tPick<\n\t\t\tCredatAuthOptions,\n\t\t\t\"serverDid\" | \"ownerPublicKey\" | \"challengeMaxAgeMs\" | \"sessionMaxAgeMs\" | \"toolPrefix\"\n\t\t>\n\t> &\n\t\tPick<CredatAuthOptions, \"agentPublicKey\" | \"resolveAgentKey\">;\n\n\tprivate readonly challengeStore: ChallengeStore;\n\tprivate readonly sessionStore: SessionStore;\n\tprivate readonly 
protectFn: ReturnType<typeof createProtect>;\n\n\tconstructor(options: CredatAuthOptions) {\n\t\tif (!options.serverDid) {\n\t\t\tthrow new Error(\"CredatAuth: serverDid is required\");\n\t\t}\n\t\tif (!options.ownerPublicKey || options.ownerPublicKey.length === 0) {\n\t\t\tthrow new Error(\"CredatAuth: ownerPublicKey is required\");\n\t\t}\n\n\t\tthis.config = {\n\t\t\tserverDid: options.serverDid,\n\t\t\townerPublicKey: options.ownerPublicKey,\n\t\t\tagentPublicKey: options.agentPublicKey,\n\t\t\tresolveAgentKey: options.resolveAgentKey,\n\t\t\tchallengeMaxAgeMs: options.challengeMaxAgeMs ?? DEFAULT_CHALLENGE_MAX_AGE_MS,\n\t\t\tsessionMaxAgeMs: options.sessionMaxAgeMs ?? DEFAULT_SESSION_MAX_AGE_MS,\n\t\t\ttoolPrefix: options.toolPrefix ?? DEFAULT_TOOL_PREFIX,\n\t\t};\n\n\t\tthis.challengeStore = new ChallengeStore(this.config.challengeMaxAgeMs);\n\t\tthis.sessionStore = new SessionStore(this.config.sessionMaxAgeMs);\n\t\tthis.protectFn = createProtect(this.sessionStore);\n\t}\n\n\t/** Register the credat:challenge and credat:authenticate tools on the server */\n\tinstall(server: McpServer): void {\n\t\tconst prefix = this.config.toolPrefix;\n\n\t\tconst challengeHandler = createChallengeHandler(this.config.serverDid, this.challengeStore);\n\n\t\tconst authenticateHandler = createAuthenticateHandler(\n\t\t\tthis.config,\n\t\t\tthis.challengeStore,\n\t\t\tthis.sessionStore,\n\t\t);\n\n\t\t// Register challenge tool (no input — callback receives just extra)\n\t\tserver.registerTool(\n\t\t\t`${prefix}:challenge`,\n\t\t\t{\n\t\t\t\tdescription:\n\t\t\t\t\t\"Request an authentication challenge. Returns a nonce that must be signed with your delegation credential.\",\n\t\t\t},\n\t\t\t(extra) => challengeHandler(extra as ToolExtra),\n\t\t);\n\n\t\t// Register authenticate tool\n\t\tserver.registerTool(\n\t\t\t`${prefix}:authenticate`,\n\t\t\t{\n\t\t\t\tdescription:\n\t\t\t\t\t\"Present your signed credentials to authenticate. 
Requires a presentation object containing delegation proof and signed nonce.\",\n\t\t\t\tinputSchema: z.object({\n\t\t\t\t\tpresentation: z.object({\n\t\t\t\t\t\ttype: z.literal(\"credat:presentation\"),\n\t\t\t\t\t\tdelegation: z.string(),\n\t\t\t\t\t\tnonce: z.string(),\n\t\t\t\t\t\tproof: z.string(),\n\t\t\t\t\t\tfrom: z.string(),\n\t\t\t\t\t}),\n\t\t\t\t}),\n\t\t\t},\n\t\t\t(args, extra) =>\n\t\t\t\tauthenticateHandler(\n\t\t\t\t\targs as {\n\t\t\t\t\t\tpresentation: {\n\t\t\t\t\t\t\ttype: \"credat:presentation\";\n\t\t\t\t\t\t\tdelegation: string;\n\t\t\t\t\t\t\tnonce: string;\n\t\t\t\t\t\t\tproof: string;\n\t\t\t\t\t\t\tfrom: string;\n\t\t\t\t\t\t};\n\t\t\t\t\t},\n\t\t\t\t\textra as ToolExtra,\n\t\t\t\t),\n\t\t);\n\t}\n\n\t/** Wrap a tool handler to require authentication + optional scope/constraint checks */\n\tprotect<TArgs extends Record<string, unknown>>(\n\t\toptions: ProtectOptions,\n\t\thandler: ProtectedHandler<TArgs>,\n\t) {\n\t\treturn this.protectFn(options, handler);\n\t}\n\n\t/** Check if a session is currently authenticated */\n\tisAuthenticated(sessionId?: string): boolean {\n\t\tconst key = sessionId ?? STDIO_SESSION_KEY;\n\t\treturn this.sessionStore.get(key) !== undefined;\n\t}\n\n\t/** Get the auth result for a session */\n\tgetSessionAuth(sessionId?: string): SessionAuth | undefined {\n\t\tconst key = sessionId ?? STDIO_SESSION_KEY;\n\t\treturn this.sessionStore.get(key);\n\t}\n\n\t/** Revoke a session, forcing re-authentication */\n\trevokeSession(sessionId?: string): void {\n\t\tconst key = sessionId ?? 
STDIO_SESSION_KEY;\n\t\tthis.sessionStore.delete(key);\n\t}\n}\n","import type { CallToolResult } from \"@modelcontextprotocol/sdk/types.js\";\nimport { hasAllScopes, hasAnyScope } from \"@credat/sdk\";\nimport { validateConstraints } from \"./constraints.js\";\nimport { authError, constraintError, McpAuthErrorCodes, scopeError } from \"./errors.js\";\nimport type { SessionStore } from \"./session.js\";\nimport type { AuthContext, ProtectOptions, ToolExtra } from \"./types.js\";\n\nconst STDIO_SESSION_KEY = \"__stdio__\";\n\ntype ProtectedHandler<TArgs> = (\n\targs: TArgs,\n\textra: ToolExtra & { auth: AuthContext },\n) => CallToolResult | Promise<CallToolResult>;\n\ntype ToolHandler<TArgs> = (\n\targs: TArgs,\n\textra: ToolExtra,\n) => CallToolResult | Promise<CallToolResult>;\n\nexport function createProtect(sessionStore: SessionStore) {\n\treturn function protect<TArgs extends Record<string, unknown>>(\n\t\toptions: ProtectOptions,\n\t\thandler: ProtectedHandler<TArgs>,\n\t): ToolHandler<TArgs> {\n\t\treturn (args: TArgs, extra: ToolExtra) => {\n\t\t\tconst sessionId = extra.sessionId ?? STDIO_SESSION_KEY;\n\n\t\t\t// 1. Check authentication\n\t\t\tconst session = sessionStore.get(sessionId);\n\t\t\tif (!session) {\n\t\t\t\treturn authError(\n\t\t\t\t\t\"Not authenticated. Call the credat:challenge tool to begin authentication.\",\n\t\t\t\t\tMcpAuthErrorCodes.NOT_AUTHENTICATED,\n\t\t\t\t);\n\t\t\t}\n\n\t\t\tconst { delegationResult } = session;\n\n\t\t\t// 2. Check required scopes (ALL)\n\t\t\tif (options.scopes && options.scopes.length > 0) {\n\t\t\t\tif (!hasAllScopes(delegationResult, options.scopes)) {\n\t\t\t\t\treturn scopeError(options.scopes, delegationResult.scopes);\n\t\t\t\t}\n\t\t\t}\n\n\t\t\t// 3. 
Check required scopes (ANY)\n\t\t\tif (options.anyScope && options.anyScope.length > 0) {\n\t\t\t\tif (!hasAnyScope(delegationResult, options.anyScope)) {\n\t\t\t\t\treturn scopeError(options.anyScope, delegationResult.scopes);\n\t\t\t\t}\n\t\t\t}\n\n\t\t\t// 4. Validate constraints\n\t\t\tif (options.constraintContext) {\n\t\t\t\tconst context =\n\t\t\t\t\ttypeof options.constraintContext === \"function\"\n\t\t\t\t\t\t? options.constraintContext(args as Record<string, unknown>)\n\t\t\t\t\t\t: options.constraintContext;\n\n\t\t\t\tconst violations = validateConstraints(delegationResult.constraints, context);\n\t\t\t\tif (violations.length > 0) {\n\t\t\t\t\treturn constraintError(violations);\n\t\t\t\t}\n\t\t\t}\n\n\t\t\t// 5. Build auth context and call handler\n\t\t\tconst authContext: AuthContext = {\n\t\t\t\tagentDid: delegationResult.agent,\n\t\t\t\townerDid: delegationResult.owner,\n\t\t\t\tscopes: delegationResult.scopes,\n\t\t\t\tconstraints: delegationResult.constraints,\n\t\t\t};\n\n\t\t\tconst augmentedExtra = Object.assign({}, extra, {\n\t\t\t\tauth: authContext,\n\t\t\t});\n\n\t\t\treturn handler(args, augmentedExtra);\n\t\t};\n\t};\n}\n","import type { DelegationConstraints } from \"@credat/sdk\";\nimport type { ConstraintContext, ConstraintViolation } from \"./types.js\";\n\nexport function validateConstraints(\n\tconstraints: DelegationConstraints | undefined,\n\tcontext: ConstraintContext,\n): ConstraintViolation[] {\n\tif (!constraints) return [];\n\n\tconst violations: ConstraintViolation[] = [];\n\n\tif (constraints.maxTransactionValue != null && context.transactionValue != null) {\n\t\tif (context.transactionValue > constraints.maxTransactionValue) {\n\t\t\tviolations.push({\n\t\t\t\tconstraint: \"maxTransactionValue\",\n\t\t\t\tmessage: `${context.transactionValue} exceeds max ${constraints.maxTransactionValue}`,\n\t\t\t});\n\t\t}\n\t}\n\n\tif (constraints.allowedDomains != null && context.domain != null) {\n\t\tif 
(!constraints.allowedDomains.includes(context.domain)) {\n\t\t\tviolations.push({\n\t\t\t\tconstraint: \"allowedDomains\",\n\t\t\t\tmessage: `Domain \"${context.domain}\" is not in allowed list: ${constraints.allowedDomains.join(\", \")}`,\n\t\t\t});\n\t\t}\n\t}\n\n\tif (constraints.rateLimit != null && typeof context.rateLimit === \"number\") {\n\t\tif (context.rateLimit > constraints.rateLimit) {\n\t\t\tviolations.push({\n\t\t\t\tconstraint: \"rateLimit\",\n\t\t\t\tmessage: `Rate ${context.rateLimit} exceeds limit ${constraints.rateLimit}`,\n\t\t\t});\n\t\t}\n\t}\n\n\treturn violations;\n}\n","import type { CallToolResult } from \"@modelcontextprotocol/sdk/types.js\";\nimport type { AuthErrorPayload, ConstraintViolation } from \"./types.js\";\n\n// ── Error Codes ──\n\nexport const McpAuthErrorCodes = {\n\tNOT_AUTHENTICATED: \"NOT_AUTHENTICATED\",\n\tSESSION_EXPIRED: \"SESSION_EXPIRED\",\n\tSESSION_MISMATCH: \"SESSION_MISMATCH\",\n\tINSUFFICIENT_SCOPES: \"INSUFFICIENT_SCOPES\",\n\tCONSTRAINT_VIOLATION: \"CONSTRAINT_VIOLATION\",\n\tCONFIGURATION_ERROR: \"CONFIGURATION_ERROR\",\n} as const;\n\nexport type McpAuthErrorCode = (typeof McpAuthErrorCodes)[keyof typeof McpAuthErrorCodes];\n\n// ── Error Response Builders ──\n\nexport function authError(message: string, code: string, details?: string[]): CallToolResult {\n\tconst payload: AuthErrorPayload = { error: message, code };\n\tif (details && details.length > 0) {\n\t\tpayload.details = details;\n\t}\n\treturn {\n\t\tcontent: [{ type: \"text\", text: JSON.stringify(payload) }],\n\t\tisError: true,\n\t};\n}\n\nexport function scopeError(required: string[], actual: string[]): CallToolResult {\n\tconst missing = required.filter((s) => !actual.includes(s));\n\treturn authError(\n\t\t`Insufficient scopes. 
Missing: ${missing.join(\", \")}`,\n\t\tMcpAuthErrorCodes.INSUFFICIENT_SCOPES,\n\t\t[`required: ${required.join(\", \")}`, `granted: ${actual.join(\", \")}`],\n\t);\n}\n\nexport function constraintError(violations: ConstraintViolation[]): CallToolResult {\n\treturn authError(\n\t\t`Constraint violation: ${violations.map((v) => v.message).join(\"; \")}`,\n\t\tMcpAuthErrorCodes.CONSTRAINT_VIOLATION,\n\t\tviolations.map((v) => `${v.constraint}: ${v.message}`),\n\t);\n}\n","import type { ChallengeMessage } from \"@credat/sdk\";\nimport type { SessionAuth, StoredChallenge } from \"./types.js\";\n\nconst DEFAULT_MAX_SIZE = 1000;\nconst CLEANUP_THRESHOLD = 100;\n\n// ── Challenge Store ──\n\nexport class ChallengeStore {\n\tprivate store = new Map<string, StoredChallenge>();\n\tprivate readonly maxAgeMs: number;\n\tprivate readonly maxSize: number;\n\tprivate insertsSinceCleanup = 0;\n\n\tconstructor(maxAgeMs: number, maxSize = DEFAULT_MAX_SIZE) {\n\t\tthis.maxAgeMs = maxAgeMs;\n\t\tthis.maxSize = maxSize;\n\t}\n\n\tset(nonce: string, challenge: ChallengeMessage, sessionId: string): void {\n\t\tthis.store.set(nonce, {\n\t\t\tchallenge,\n\t\t\tsessionId,\n\t\t\tcreatedAt: Date.now(),\n\t\t});\n\n\t\tthis.insertsSinceCleanup++;\n\t\tif (this.insertsSinceCleanup >= CLEANUP_THRESHOLD || this.store.size > this.maxSize) {\n\t\t\tthis.cleanup();\n\t\t\tthis.insertsSinceCleanup = 0;\n\t\t}\n\t}\n\n\t/** Consume a challenge (single-use). Returns and deletes. 
*/\n\tconsume(nonce: string): StoredChallenge | undefined {\n\t\tconst entry = this.store.get(nonce);\n\t\tif (!entry) return undefined;\n\n\t\tthis.store.delete(nonce);\n\n\t\tif (Date.now() - entry.createdAt > this.maxAgeMs) {\n\t\t\treturn undefined;\n\t\t}\n\n\t\treturn entry;\n\t}\n\n\tcleanup(): void {\n\t\tconst now = Date.now();\n\t\tfor (const [nonce, entry] of this.store) {\n\t\t\tif (now - entry.createdAt > this.maxAgeMs) {\n\t\t\t\tthis.store.delete(nonce);\n\t\t\t}\n\t\t}\n\n\t\t// Evict oldest if still over max size\n\t\tif (this.store.size > this.maxSize) {\n\t\t\tconst entries = [...this.store.entries()].sort((a, b) => a[1].createdAt - b[1].createdAt);\n\t\t\tconst toRemove = entries.slice(0, this.store.size - this.maxSize);\n\t\t\tfor (const [nonce] of toRemove) {\n\t\t\t\tthis.store.delete(nonce);\n\t\t\t}\n\t\t}\n\t}\n\n\tget size(): number {\n\t\treturn this.store.size;\n\t}\n}\n\n// ── Session Store ──\n\nexport class SessionStore {\n\tprivate store = new Map<string, SessionAuth>();\n\tprivate readonly maxAgeMs: number;\n\tprivate insertsSinceCleanup = 0;\n\n\tconstructor(maxAgeMs: number) {\n\t\tthis.maxAgeMs = maxAgeMs;\n\t}\n\n\tset(sessionId: string, auth: SessionAuth): void {\n\t\tthis.store.set(sessionId, auth);\n\n\t\tthis.insertsSinceCleanup++;\n\t\tif (this.insertsSinceCleanup >= CLEANUP_THRESHOLD) {\n\t\t\tthis.cleanup();\n\t\t\tthis.insertsSinceCleanup = 0;\n\t\t}\n\t}\n\n\tget(sessionId: string): SessionAuth | undefined {\n\t\tconst entry = this.store.get(sessionId);\n\t\tif (!entry) return undefined;\n\n\t\tif (Date.now() - entry.authenticatedAt > this.maxAgeMs) {\n\t\t\tthis.store.delete(sessionId);\n\t\t\treturn undefined;\n\t\t}\n\n\t\treturn entry;\n\t}\n\n\tdelete(sessionId: string): boolean {\n\t\treturn this.store.delete(sessionId);\n\t}\n\n\tcleanup(): void {\n\t\tconst now = Date.now();\n\t\tfor (const [sessionId, entry] of this.store) {\n\t\t\tif (now - entry.authenticatedAt > this.maxAgeMs) 
{\n\t\t\t\tthis.store.delete(sessionId);\n\t\t\t}\n\t\t}\n\t}\n\n\tget size(): number {\n\t\treturn this.store.size;\n\t}\n}\n","import type { CallToolResult } from \"@modelcontextprotocol/sdk/types.js\";\nimport type { PresentationMessage } from \"@credat/sdk\";\nimport { verifyPresentation } from \"@credat/sdk\";\nimport { authError, McpAuthErrorCodes } from \"../errors.js\";\nimport type { ChallengeStore, SessionStore } from \"../session.js\";\nimport type { CredatAuthOptions, ToolExtra } from \"../types.js\";\n\nconst STDIO_SESSION_KEY = \"__stdio__\";\n\nexport function createAuthenticateHandler(\n\tconfig: CredatAuthOptions,\n\tchallengeStore: ChallengeStore,\n\tsessionStore: SessionStore,\n) {\n\treturn async (\n\t\targs: { presentation: PresentationMessage },\n\t\textra: ToolExtra,\n\t): Promise<CallToolResult> => {\n\t\tconst { presentation } = args;\n\t\tconst sessionId = extra.sessionId ?? STDIO_SESSION_KEY;\n\n\t\t// 1. Consume challenge (single-use nonce)\n\t\tconst stored = challengeStore.consume(presentation.nonce);\n\t\tif (!stored) {\n\t\t\treturn authError(\n\t\t\t\t\"Unknown or expired challenge nonce. Request a new challenge.\",\n\t\t\t\tMcpAuthErrorCodes.NOT_AUTHENTICATED,\n\t\t\t);\n\t\t}\n\n\t\t// 2. Verify session binding\n\t\tif (stored.sessionId !== sessionId) {\n\t\t\treturn authError(\n\t\t\t\t\"Challenge was issued to a different session.\",\n\t\t\t\tMcpAuthErrorCodes.SESSION_MISMATCH,\n\t\t\t);\n\t\t}\n\n\t\t// 3. Resolve agent public key\n\t\tlet agentPublicKey: Uint8Array;\n\t\tif (config.agentPublicKey) {\n\t\t\tagentPublicKey = config.agentPublicKey;\n\t\t} else if (config.resolveAgentKey) {\n\t\t\ttry {\n\t\t\t\tagentPublicKey = await config.resolveAgentKey(presentation.from);\n\t\t\t} catch (err) {\n\t\t\t\tconst message = err instanceof Error ? 
err.message : \"Unknown error\";\n\t\t\t\treturn authError(\n\t\t\t\t\t`Failed to resolve agent public key for ${presentation.from}: ${message}`,\n\t\t\t\t\tMcpAuthErrorCodes.CONFIGURATION_ERROR,\n\t\t\t\t);\n\t\t\t}\n\t\t} else {\n\t\t\treturn authError(\n\t\t\t\t\"No agentPublicKey configured and no resolveAgentKey callback provided.\",\n\t\t\t\tMcpAuthErrorCodes.CONFIGURATION_ERROR,\n\t\t\t);\n\t\t}\n\n\t\t// 4. Verify presentation\n\t\tconst result = await verifyPresentation(presentation, {\n\t\t\tchallenge: stored.challenge,\n\t\t\townerPublicKey: config.ownerPublicKey,\n\t\t\tagentPublicKey,\n\t\t\tchallengeMaxAgeMs: config.challengeMaxAgeMs,\n\t\t});\n\n\t\tif (!result.valid) {\n\t\t\tconst details = result.errors.map((e) => `${e.code}: ${e.message}`);\n\t\t\treturn authError(\n\t\t\t\t\"Authentication failed.\",\n\t\t\t\tresult.errors[0]?.code ?? \"HANDSHAKE_VERIFICATION_FAILED\",\n\t\t\t\tdetails,\n\t\t\t);\n\t\t}\n\n\t\t// 5. Store session auth\n\t\tsessionStore.set(sessionId, {\n\t\t\tdelegationResult: result,\n\t\t\tauthenticatedAt: Date.now(),\n\t\t});\n\n\t\treturn {\n\t\t\tcontent: [\n\t\t\t\t{\n\t\t\t\t\ttype: \"text\",\n\t\t\t\t\ttext: JSON.stringify({\n\t\t\t\t\t\tauthenticated: true,\n\t\t\t\t\t\tagent: result.agent,\n\t\t\t\t\t\tscopes: result.scopes,\n\t\t\t\t\t}),\n\t\t\t\t},\n\t\t\t],\n\t\t};\n\t};\n}\n","import type { CallToolResult } from \"@modelcontextprotocol/sdk/types.js\";\nimport { createChallenge } from \"@credat/sdk\";\nimport type { ChallengeStore } from \"../session.js\";\nimport type { ToolExtra } from \"../types.js\";\n\nconst STDIO_SESSION_KEY = \"__stdio__\";\n\nexport function createChallengeHandler(serverDid: string, challengeStore: ChallengeStore) {\n\treturn (extra: ToolExtra): CallToolResult => {\n\t\tconst challenge = createChallenge({ from: serverDid });\n\t\tconst sessionId = extra.sessionId ?? 
STDIO_SESSION_KEY;\n\n\t\tchallengeStore.set(challenge.nonce, challenge, sessionId);\n\n\t\treturn {\n\t\t\tcontent: [{ type: \"text\", text: JSON.stringify(challenge) }],\n\t\t};\n\t};\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACEA,iBAAkB;;;ACDlB,iBAA0C;;;ACEnC,SAAS,oBACf,aACA,SACwB;AACxB,MAAI,CAAC,YAAa,QAAO,CAAC;AAE1B,QAAM,aAAoC,CAAC;AAE3C,MAAI,YAAY,uBAAuB,QAAQ,QAAQ,oBAAoB,MAAM;AAChF,QAAI,QAAQ,mBAAmB,YAAY,qBAAqB;AAC/D,iBAAW,KAAK;AAAA,QACf,YAAY;AAAA,QACZ,SAAS,GAAG,QAAQ,gBAAgB,gBAAgB,YAAY,mBAAmB;AAAA,MACpF,CAAC;AAAA,IACF;AAAA,EACD;AAEA,MAAI,YAAY,kBAAkB,QAAQ,QAAQ,UAAU,MAAM;AACjE,QAAI,CAAC,YAAY,eAAe,SAAS,QAAQ,MAAM,GAAG;AACzD,iBAAW,KAAK;AAAA,QACf,YAAY;AAAA,QACZ,SAAS,WAAW,QAAQ,MAAM,6BAA6B,YAAY,eAAe,KAAK,IAAI,CAAC;AAAA,MACrG,CAAC;AAAA,IACF;AAAA,EACD;AAEA,MAAI,YAAY,aAAa,QAAQ,OAAO,QAAQ,cAAc,UAAU;AAC3E,QAAI,QAAQ,YAAY,YAAY,WAAW;AAC9C,iBAAW,KAAK;AAAA,QACf,YAAY;AAAA,QACZ,SAAS,QAAQ,QAAQ,SAAS,kBAAkB,YAAY,SAAS;AAAA,MAC1E,CAAC;AAAA,IACF;AAAA,EACD;AAEA,SAAO;AACR;;;AClCO,IAAM,oBAAoB;AAAA,EAChC,mBAAmB;AAAA,EACnB,iBAAiB;AAAA,EACjB,kBAAkB;AAAA,EAClB,qBAAqB;AAAA,EACrB,sBAAsB;AAAA,EACtB,qBAAqB;AACtB;AAMO,SAAS,UAAU,SAAiB,MAAc,SAAoC;AAC5F,QAAM,UAA4B,EAAE,OAAO,SAAS,KAAK;AACzD,MAAI,WAAW,QAAQ,SAAS,GAAG;AAClC,YAAQ,UAAU;AAAA,EACnB;AACA,SAAO;AAAA,IACN,SAAS,CAAC,EAAE,MAAM,QAAQ,MAAM,KAAK,UAAU,OAAO,EAAE,CAAC;AAAA,IACzD,SAAS;AAAA,EACV;AACD;AAEO,SAAS,WAAW,UAAoB,QAAkC;AAChF,QAAM,UAAU,SAAS,OAAO,CAAC,MAAM,CAAC,OAAO,SAAS,CAAC,CAAC;AAC1D,SAAO;AAAA,IACN,iCAAiC,QAAQ,KAAK,IAAI,CAAC;AAAA,IACnD,kBAAkB;AAAA,IAClB,CAAC,aAAa,SAAS,KAAK,IAAI,CAAC,IAAI,YAAY,OAAO,KAAK,IAAI,CAAC,EAAE;AAAA,EACrE;AACD;AAEO,SAAS,gBAAgB,YAAmD;AAClF,SAAO;AAAA,IACN,yBAAyB,WAAW,IAAI,CAAC,MAAM,EAAE,OAAO,EAAE,KAAK,IAAI,CAAC;AAAA,IACpE,kBAAkB;AAAA,IAClB,WAAW,IAAI,CAAC,MAAM,GAAG,EAAE,UAAU,KAAK,EAAE,OAAO,EAAE;AAAA,EACtD;AACD;;;AFrCA,IAAM,oBAAoB;AAYnB,SAAS,cAAc,cAA4B;AACzD,SAAO,SAAS,QACf,SACA,SACqB;AACrB,WAAO,CAAC,MAAa,UAAqB;AACzC,YAAM,YAAY,MAAM,aAAa;AAGrC,YAAM,UAAU,aAAa,IAAI,SAAS;AAC1C,UAAI,CA
AC,SAAS;AACb,eAAO;AAAA,UACN;AAAA,UACA,kBAAkB;AAAA,QACnB;AAAA,MACD;AAEA,YAAM,EAAE,iBAAiB,IAAI;AAG7B,UAAI,QAAQ,UAAU,QAAQ,OAAO,SAAS,GAAG;AAChD,YAAI,KAAC,yBAAa,kBAAkB,QAAQ,MAAM,GAAG;AACpD,iBAAO,WAAW,QAAQ,QAAQ,iBAAiB,MAAM;AAAA,QAC1D;AAAA,MACD;AAGA,UAAI,QAAQ,YAAY,QAAQ,SAAS,SAAS,GAAG;AACpD,YAAI,KAAC,wBAAY,kBAAkB,QAAQ,QAAQ,GAAG;AACrD,iBAAO,WAAW,QAAQ,UAAU,iBAAiB,MAAM;AAAA,QAC5D;AAAA,MACD;AAGA,UAAI,QAAQ,mBAAmB;AAC9B,cAAM,UACL,OAAO,QAAQ,sBAAsB,aAClC,QAAQ,kBAAkB,IAA+B,IACzD,QAAQ;AAEZ,cAAM,aAAa,oBAAoB,iBAAiB,aAAa,OAAO;AAC5E,YAAI,WAAW,SAAS,GAAG;AAC1B,iBAAO,gBAAgB,UAAU;AAAA,QAClC;AAAA,MACD;AAGA,YAAM,cAA2B;AAAA,QAChC,UAAU,iBAAiB;AAAA,QAC3B,UAAU,iBAAiB;AAAA,QAC3B,QAAQ,iBAAiB;AAAA,QACzB,aAAa,iBAAiB;AAAA,MAC/B;AAEA,YAAM,iBAAiB,OAAO,OAAO,CAAC,GAAG,OAAO;AAAA,QAC/C,MAAM;AAAA,MACP,CAAC;AAED,aAAO,QAAQ,MAAM,cAAc;AAAA,IACpC;AAAA,EACD;AACD;;;AG7EA,IAAM,mBAAmB;AACzB,IAAM,oBAAoB;AAInB,IAAM,iBAAN,MAAqB;AAAA,EACnB,QAAQ,oBAAI,IAA6B;AAAA,EAChC;AAAA,EACA;AAAA,EACT,sBAAsB;AAAA,EAE9B,YAAY,UAAkB,UAAU,kBAAkB;AACzD,SAAK,WAAW;AAChB,SAAK,UAAU;AAAA,EAChB;AAAA,EAEA,IAAI,OAAe,WAA6B,WAAyB;AACxE,SAAK,MAAM,IAAI,OAAO;AAAA,MACrB;AAAA,MACA;AAAA,MACA,WAAW,KAAK,IAAI;AAAA,IACrB,CAAC;AAED,SAAK;AACL,QAAI,KAAK,uBAAuB,qBAAqB,KAAK,MAAM,OAAO,KAAK,SAAS;AACpF,WAAK,QAAQ;AACb,WAAK,sBAAsB;AAAA,IAC5B;AAAA,EACD;AAAA;AAAA,EAGA,QAAQ,OAA4C;AACnD,UAAM,QAAQ,KAAK,MAAM,IAAI,KAAK;AAClC,QAAI,CAAC,MAAO,QAAO;AAEnB,SAAK,MAAM,OAAO,KAAK;AAEvB,QAAI,KAAK,IAAI,IAAI,MAAM,YAAY,KAAK,UAAU;AACjD,aAAO;AAAA,IACR;AAEA,WAAO;AAAA,EACR;AAAA,EAEA,UAAgB;AACf,UAAM,MAAM,KAAK,IAAI;AACrB,eAAW,CAAC,OAAO,KAAK,KAAK,KAAK,OAAO;AACxC,UAAI,MAAM,MAAM,YAAY,KAAK,UAAU;AAC1C,aAAK,MAAM,OAAO,KAAK;AAAA,MACxB;AAAA,IACD;AAGA,QAAI,KAAK,MAAM,OAAO,KAAK,SAAS;AACnC,YAAM,UAAU,CAAC,GAAG,KAAK,MAAM,QAAQ,CAAC,EAAE,KAAK,CAAC,GAAG,MAAM,EAAE,CAAC,EAAE,YAAY,EAAE,CAAC,EAAE,SAAS;AACxF,YAAM,WAAW,QAAQ,MAAM,GAAG,KAAK,MAAM,OAAO,KAAK,OAAO;AAChE,iBAAW,CAAC,KAAK,KAAK,UAAU;AAC/B,aAAK,MAAM,OAAO,KAAK;AAAA,MACxB;AAAA,IACD;AAAA,EACD;AAAA,EAEA,IAAI,OAAe;AAClB,WAAO,KAAK,MAAM;AAAA,EACnB;AACD;AAIO,IAAM,eAAN,MAAm
B;AAAA,EACjB,QAAQ,oBAAI,IAAyB;AAAA,EAC5B;AAAA,EACT,sBAAsB;AAAA,EAE9B,YAAY,UAAkB;AAC7B,SAAK,WAAW;AAAA,EACjB;AAAA,EAEA,IAAI,WAAmB,MAAyB;AAC/C,SAAK,MAAM,IAAI,WAAW,IAAI;AAE9B,SAAK;AACL,QAAI,KAAK,uBAAuB,mBAAmB;AAClD,WAAK,QAAQ;AACb,WAAK,sBAAsB;AAAA,IAC5B;AAAA,EACD;AAAA,EAEA,IAAI,WAA4C;AAC/C,UAAM,QAAQ,KAAK,MAAM,IAAI,SAAS;AACtC,QAAI,CAAC,MAAO,QAAO;AAEnB,QAAI,KAAK,IAAI,IAAI,MAAM,kBAAkB,KAAK,UAAU;AACvD,WAAK,MAAM,OAAO,SAAS;AAC3B,aAAO;AAAA,IACR;AAEA,WAAO;AAAA,EACR;AAAA,EAEA,OAAO,WAA4B;AAClC,WAAO,KAAK,MAAM,OAAO,SAAS;AAAA,EACnC;AAAA,EAEA,UAAgB;AACf,UAAM,MAAM,KAAK,IAAI;AACrB,eAAW,CAAC,WAAW,KAAK,KAAK,KAAK,OAAO;AAC5C,UAAI,MAAM,MAAM,kBAAkB,KAAK,UAAU;AAChD,aAAK,MAAM,OAAO,SAAS;AAAA,MAC5B;AAAA,IACD;AAAA,EACD;AAAA,EAEA,IAAI,OAAe;AAClB,WAAO,KAAK,MAAM;AAAA,EACnB;AACD;;;ACrHA,IAAAA,cAAmC;AAKnC,IAAMC,qBAAoB;AAEnB,SAAS,0BACf,QACA,gBACA,cACC;AACD,SAAO,OACN,MACA,UAC6B;AAC7B,UAAM,EAAE,aAAa,IAAI;AACzB,UAAM,YAAY,MAAM,aAAaA;AAGrC,UAAM,SAAS,eAAe,QAAQ,aAAa,KAAK;AACxD,QAAI,CAAC,QAAQ;AACZ,aAAO;AAAA,QACN;AAAA,QACA,kBAAkB;AAAA,MACnB;AAAA,IACD;AAGA,QAAI,OAAO,cAAc,WAAW;AACnC,aAAO;AAAA,QACN;AAAA,QACA,kBAAkB;AAAA,MACnB;AAAA,IACD;AAGA,QAAI;AACJ,QAAI,OAAO,gBAAgB;AAC1B,uBAAiB,OAAO;AAAA,IACzB,WAAW,OAAO,iBAAiB;AAClC,UAAI;AACH,yBAAiB,MAAM,OAAO,gBAAgB,aAAa,IAAI;AAAA,MAChE,SAAS,KAAK;AACb,cAAM,UAAU,eAAe,QAAQ,IAAI,UAAU;AACrD,eAAO;AAAA,UACN,0CAA0C,aAAa,IAAI,KAAK,OAAO;AAAA,UACvE,kBAAkB;AAAA,QACnB;AAAA,MACD;AAAA,IACD,OAAO;AACN,aAAO;AAAA,QACN;AAAA,QACA,kBAAkB;AAAA,MACnB;AAAA,IACD;AAGA,UAAM,SAAS,UAAM,gCAAmB,cAAc;AAAA,MACrD,WAAW,OAAO;AAAA,MAClB,gBAAgB,OAAO;AAAA,MACvB;AAAA,MACA,mBAAmB,OAAO;AAAA,IAC3B,CAAC;AAED,QAAI,CAAC,OAAO,OAAO;AAClB,YAAM,UAAU,OAAO,OAAO,IAAI,CAAC,MAAM,GAAG,EAAE,IAAI,KAAK,EAAE,OAAO,EAAE;AAClE,aAAO;AAAA,QACN;AAAA,QACA,OAAO,OAAO,CAAC,GAAG,QAAQ;AAAA,QAC1B;AAAA,MACD;AAAA,IACD;AAGA,iBAAa,IAAI,WAAW;AAAA,MAC3B,kBAAkB;AAAA,MAClB,iBAAiB,KAAK,IAAI;AAAA,IAC3B,CAAC;AAED,WAAO;AAAA,MACN,SAAS;AAAA,QACR;AAAA,UACC,MAAM;AAAA,UACN,MAAM,KAAK,UAAU;AAAA,YACpB,eAAe;AAAA,YACf,OAAO,OAAO;AAAA,YACd,QAAQ,OAAO;AAAA,UAChB,CAAC;AAAA,QACF
;AAAA,MACD;AAAA,IACD;AAAA,EACD;AACD;;;AC9FA,IAAAC,cAAgC;AAIhC,IAAMC,qBAAoB;AAEnB,SAAS,uBAAuB,WAAmB,gBAAgC;AACzF,SAAO,CAAC,UAAqC;AAC5C,UAAM,gBAAY,6BAAgB,EAAE,MAAM,UAAU,CAAC;AACrD,UAAM,YAAY,MAAM,aAAaA;AAErC,mBAAe,IAAI,UAAU,OAAO,WAAW,SAAS;AAExD,WAAO;AAAA,MACN,SAAS,CAAC,EAAE,MAAM,QAAQ,MAAM,KAAK,UAAU,SAAS,EAAE,CAAC;AAAA,IAC5D;AAAA,EACD;AACD;;;ANHA,IAAM,+BAA+B,IAAI,KAAK;AAC9C,IAAM,6BAA6B,KAAK,KAAK;AAC7C,IAAM,sBAAsB;AAE5B,IAAMC,qBAAoB;AAOnB,IAAM,aAAN,MAAiB;AAAA,EACN;AAAA,EAQA;AAAA,EACA;AAAA,EACA;AAAA,EAEjB,YAAY,SAA4B;AACvC,QAAI,CAAC,QAAQ,WAAW;AACvB,YAAM,IAAI,MAAM,mCAAmC;AAAA,IACpD;AACA,QAAI,CAAC,QAAQ,kBAAkB,QAAQ,eAAe,WAAW,GAAG;AACnE,YAAM,IAAI,MAAM,wCAAwC;AAAA,IACzD;AAEA,SAAK,SAAS;AAAA,MACb,WAAW,QAAQ;AAAA,MACnB,gBAAgB,QAAQ;AAAA,MACxB,gBAAgB,QAAQ;AAAA,MACxB,iBAAiB,QAAQ;AAAA,MACzB,mBAAmB,QAAQ,qBAAqB;AAAA,MAChD,iBAAiB,QAAQ,mBAAmB;AAAA,MAC5C,YAAY,QAAQ,cAAc;AAAA,IACnC;AAEA,SAAK,iBAAiB,IAAI,eAAe,KAAK,OAAO,iBAAiB;AACtE,SAAK,eAAe,IAAI,aAAa,KAAK,OAAO,eAAe;AAChE,SAAK,YAAY,cAAc,KAAK,YAAY;AAAA,EACjD;AAAA;AAAA,EAGA,QAAQ,QAAyB;AAChC,UAAM,SAAS,KAAK,OAAO;AAE3B,UAAM,mBAAmB,uBAAuB,KAAK,OAAO,WAAW,KAAK,cAAc;AAE1F,UAAM,sBAAsB;AAAA,MAC3B,KAAK;AAAA,MACL,KAAK;AAAA,MACL,KAAK;AAAA,IACN;AAGA,WAAO;AAAA,MACN,GAAG,MAAM;AAAA,MACT;AAAA,QACC,aACC;AAAA,MACF;AAAA,MACA,CAAC,UAAU,iBAAiB,KAAkB;AAAA,IAC/C;AAGA,WAAO;AAAA,MACN,GAAG,MAAM;AAAA,MACT;AAAA,QACC,aACC;AAAA,QACD,aAAa,aAAE,OAAO;AAAA,UACrB,cAAc,aAAE,OAAO;AAAA,YACtB,MAAM,aAAE,QAAQ,qBAAqB;AAAA,YACrC,YAAY,aAAE,OAAO;AAAA,YACrB,OAAO,aAAE,OAAO;AAAA,YAChB,OAAO,aAAE,OAAO;AAAA,YAChB,MAAM,aAAE,OAAO;AAAA,UAChB,CAAC;AAAA,QACF,CAAC;AAAA,MACF;AAAA,MACA,CAAC,MAAM,UACN;AAAA,QACC;AAAA,QASA;AAAA,MACD;AAAA,IACF;AAAA,EACD;AAAA;AAAA,EAGA,QACC,SACA,SACC;AACD,WAAO,KAAK,UAAU,SAAS,OAAO;AAAA,EACvC;AAAA;AAAA,EAGA,gBAAgB,WAA6B;AAC5C,UAAM,MAAM,aAAaA;AACzB,WAAO,KAAK,aAAa,IAAI,GAAG,MAAM;AAAA,EACvC;AAAA;AAAA,EAGA,eAAe,WAA6C;AAC3D,UAAM,MAAM,aAAaA;AACzB,WAAO,KAAK,aAAa,IAAI,GAAG;AAAA,EACjC;AAAA;AAAA,EAGA,cAAc,WAA0B;AACvC,UAAM,MAAM,aAAaA;AACzB,SAAK,aAAa,OAAO,GAAG;AAAA,EAC7B;AACD;","names":["i
mport_sdk","STDIO_SESSION_KEY","import_sdk","STDIO_SESSION_KEY","STDIO_SESSION_KEY"]}
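--- a/package/dist/index.d.cts
+++ b/package/dist/index.d.cts
@@ -1,7 +1,7 @@
 import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
 import { CallToolResult } from '@modelcontextprotocol/sdk/types.js';
-import * as credat from 'credat';
-import { DelegationConstraints, DelegationResult, ChallengeMessage } from 'credat';
+import * as _credat_sdk from '@credat/sdk';
+import { DelegationConstraints, DelegationResult, ChallengeMessage } from '@credat/sdk';
 
 interface ConstraintContext {
 transactionValue?: number;
@@ -25,7 +25,7 @@ interface CredatAuthOptions {
 challengeMaxAgeMs?: number;
 /** Max age for authenticated sessions. Default: 3_600_000 (1 hour) */
 sessionMaxAgeMs?: number;
-/** Tool name prefix. Default: "credat" → tools become "credat:challenge", "credat:authenticate" */
+/** Tool name prefix. Default: "@credat/sdk" → tools become "credat:challenge", "credat:authenticate" */
 toolPrefix?: string;
 }
 interface ProtectOptions {
@@ -53,7 +53,7 @@ interface SessionAuth {
 authenticatedAt: number;
 }
 interface StoredChallenge {
-challenge: credat.ChallengeMessage;
+challenge: _credat_sdk.ChallengeMessage;
 sessionId: string;
 createdAt: number;
 }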
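Review bot: The doc comment on `toolPrefix` in `CredatAuthOptions` now reads `Default: "@credat/sdk"`, which contradicts its own example (`credat:challenge`, `credat:authenticate`) and the source embedded in this release's source map, where `DEFAULT_TOOL_PREFIX = "credat"`. It looks as if the package rename was applied by search-and-replace and caught this comment too; it should stay `/** Tool name prefix. Default: "credat" → tools become "credat:challenge", "credat:authenticate" */`. The prefix sets the names of the authentication tools a client has to call, so the published typings should state it exactly. The same line appears in package/dist/index.d.ts, and since both files are generated the fix presumably belongs in the source type declaration.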
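--- a/package/dist/index.d.ts
+++ b/package/dist/index.d.ts
@@ -1,7 +1,7 @@
 import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
 import { CallToolResult } from '@modelcontextprotocol/sdk/types.js';
-import * as credat from 'credat';
-import { DelegationConstraints, DelegationResult, ChallengeMessage } from 'credat';
+import * as _credat_sdk from '@credat/sdk';
+import { DelegationConstraints, DelegationResult, ChallengeMessage } from '@credat/sdk';
 
 interface ConstraintContext {
 transactionValue?: number;
@@ -25,7 +25,7 @@ interface CredatAuthOptions {
 challengeMaxAgeMs?: number;
 /** Max age for authenticated sessions. Default: 3_600_000 (1 hour) */
 sessionMaxAgeMs?: number;
-/** Tool name prefix. Default: "credat" → tools become "credat:challenge", "credat:authenticate" */
+/** Tool name prefix. Default: "@credat/sdk" → tools become "credat:challenge", "credat:authenticate" */
 toolPrefix?: string;
 }
 interface ProtectOptions {
@@ -53,7 +53,7 @@ interface SessionAuth {
 authenticatedAt: number;
 }
 interface StoredChallenge {
-challenge: credat.ChallengeMessage;
+challenge: _credat_sdk.ChallengeMessage;
 sessionId: string;
 createdAt: number;
 }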
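--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -2,7 +2,7 @@
 import { z } from "zod";
 
 // src/protect.ts
-import { hasAllScopes, hasAnyScope } from "credat";
+import { hasAllScopes, hasAnyScope } from "@credat/sdk";
 
 // src/constraints.ts
 function validateConstraints(constraints, context) {
@@ -209,7 +209,7 @@ var SessionStore = class {
 };
 
 // src/tools/authenticate.ts
-import { verifyPresentation } from "credat";
+import { verifyPresentation } from "@credat/sdk";
 var STDIO_SESSION_KEY2 = "__stdio__";
 function createAuthenticateHandler(config, challengeStore, sessionStore) {
 return async (args, extra) => {
@@ -281,7 +281,7 @@ function createAuthenticateHandler(config, challengeStore, sessionStore) {
 }
 
 // src/tools/challenge.ts
-import { createChallenge } from "credat";
+import { createChallenge } from "@credat/sdk";
 var STDIO_SESSION_KEY3 = "__stdio__";
 function createChallengeHandler(serverDid, challengeStore) {
 return (extra) => {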
package/dist/index.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/auth.ts","../src/protect.ts","../src/constraints.ts","../src/errors.ts","../src/session.ts","../src/tools/authenticate.ts","../src/tools/challenge.ts"],"sourcesContent":["import type { McpServer } from \"@modelcontextprotocol/sdk/server/mcp.js\";\nimport type { CallToolResult } from \"@modelcontextprotocol/sdk/types.js\";\nimport { z } from \"zod\";\nimport { createProtect } from \"./protect.js\";\nimport { ChallengeStore, SessionStore } from \"./session.js\";\nimport { createAuthenticateHandler } from \"./tools/authenticate.js\";\nimport { createChallengeHandler } from \"./tools/challenge.js\";\nimport type {\n\tAuthContext,\n\tCredatAuthOptions,\n\tProtectOptions,\n\tSessionAuth,\n\tToolExtra,\n} from \"./types.js\";\n\nconst DEFAULT_CHALLENGE_MAX_AGE_MS = 5 * 60 * 1000; // 5 minutes\nconst DEFAULT_SESSION_MAX_AGE_MS = 60 * 60 * 1000; // 1 hour\nconst DEFAULT_TOOL_PREFIX = \"credat\";\n\nconst STDIO_SESSION_KEY = \"__stdio__\";\n\ntype ProtectedHandler<TArgs> = (\n\targs: TArgs,\n\textra: ToolExtra & { auth: AuthContext },\n) => CallToolResult | Promise<CallToolResult>;\n\nexport class CredatAuth {\n\tprivate readonly config: Required<\n\t\tPick<\n\t\t\tCredatAuthOptions,\n\t\t\t\"serverDid\" | \"ownerPublicKey\" | \"challengeMaxAgeMs\" | \"sessionMaxAgeMs\" | \"toolPrefix\"\n\t\t>\n\t> &\n\t\tPick<CredatAuthOptions, \"agentPublicKey\" | \"resolveAgentKey\">;\n\n\tprivate readonly challengeStore: ChallengeStore;\n\tprivate readonly sessionStore: SessionStore;\n\tprivate readonly protectFn: ReturnType<typeof createProtect>;\n\n\tconstructor(options: CredatAuthOptions) {\n\t\tif (!options.serverDid) {\n\t\t\tthrow new Error(\"CredatAuth: serverDid is required\");\n\t\t}\n\t\tif (!options.ownerPublicKey || options.ownerPublicKey.length === 0) {\n\t\t\tthrow new Error(\"CredatAuth: ownerPublicKey is required\");\n\t\t}\n\n\t\tthis.config = {\n\t\t\tserverDid: options.serverDid,\n\t\t\townerPublicKey: 
options.ownerPublicKey,\n\t\t\tagentPublicKey: options.agentPublicKey,\n\t\t\tresolveAgentKey: options.resolveAgentKey,\n\t\t\tchallengeMaxAgeMs: options.challengeMaxAgeMs ?? DEFAULT_CHALLENGE_MAX_AGE_MS,\n\t\t\tsessionMaxAgeMs: options.sessionMaxAgeMs ?? DEFAULT_SESSION_MAX_AGE_MS,\n\t\t\ttoolPrefix: options.toolPrefix ?? DEFAULT_TOOL_PREFIX,\n\t\t};\n\n\t\tthis.challengeStore = new ChallengeStore(this.config.challengeMaxAgeMs);\n\t\tthis.sessionStore = new SessionStore(this.config.sessionMaxAgeMs);\n\t\tthis.protectFn = createProtect(this.sessionStore);\n\t}\n\n\t/** Register the credat:challenge and credat:authenticate tools on the server */\n\tinstall(server: McpServer): void {\n\t\tconst prefix = this.config.toolPrefix;\n\n\t\tconst challengeHandler = createChallengeHandler(this.config.serverDid, this.challengeStore);\n\n\t\tconst authenticateHandler = createAuthenticateHandler(\n\t\t\tthis.config,\n\t\t\tthis.challengeStore,\n\t\t\tthis.sessionStore,\n\t\t);\n\n\t\t// Register challenge tool (no input — callback receives just extra)\n\t\tserver.registerTool(\n\t\t\t`${prefix}:challenge`,\n\t\t\t{\n\t\t\t\tdescription:\n\t\t\t\t\t\"Request an authentication challenge. Returns a nonce that must be signed with your delegation credential.\",\n\t\t\t},\n\t\t\t(extra) => challengeHandler(extra as ToolExtra),\n\t\t);\n\n\t\t// Register authenticate tool\n\t\tserver.registerTool(\n\t\t\t`${prefix}:authenticate`,\n\t\t\t{\n\t\t\t\tdescription:\n\t\t\t\t\t\"Present your signed credentials to authenticate. 
Requires a presentation object containing delegation proof and signed nonce.\",\n\t\t\t\tinputSchema: z.object({\n\t\t\t\t\tpresentation: z.object({\n\t\t\t\t\t\ttype: z.literal(\"credat:presentation\"),\n\t\t\t\t\t\tdelegation: z.string(),\n\t\t\t\t\t\tnonce: z.string(),\n\t\t\t\t\t\tproof: z.string(),\n\t\t\t\t\t\tfrom: z.string(),\n\t\t\t\t\t}),\n\t\t\t\t}),\n\t\t\t},\n\t\t\t(args, extra) =>\n\t\t\t\tauthenticateHandler(\n\t\t\t\t\targs as {\n\t\t\t\t\t\tpresentation: {\n\t\t\t\t\t\t\ttype: \"credat:presentation\";\n\t\t\t\t\t\t\tdelegation: string;\n\t\t\t\t\t\t\tnonce: string;\n\t\t\t\t\t\t\tproof: string;\n\t\t\t\t\t\t\tfrom: string;\n\t\t\t\t\t\t};\n\t\t\t\t\t},\n\t\t\t\t\textra as ToolExtra,\n\t\t\t\t),\n\t\t);\n\t}\n\n\t/** Wrap a tool handler to require authentication + optional scope/constraint checks */\n\tprotect<TArgs extends Record<string, unknown>>(\n\t\toptions: ProtectOptions,\n\t\thandler: ProtectedHandler<TArgs>,\n\t) {\n\t\treturn this.protectFn(options, handler);\n\t}\n\n\t/** Check if a session is currently authenticated */\n\tisAuthenticated(sessionId?: string): boolean {\n\t\tconst key = sessionId ?? STDIO_SESSION_KEY;\n\t\treturn this.sessionStore.get(key) !== undefined;\n\t}\n\n\t/** Get the auth result for a session */\n\tgetSessionAuth(sessionId?: string): SessionAuth | undefined {\n\t\tconst key = sessionId ?? STDIO_SESSION_KEY;\n\t\treturn this.sessionStore.get(key);\n\t}\n\n\t/** Revoke a session, forcing re-authentication */\n\trevokeSession(sessionId?: string): void {\n\t\tconst key = sessionId ?? 
STDIO_SESSION_KEY;\n\t\tthis.sessionStore.delete(key);\n\t}\n}\n","import type { CallToolResult } from \"@modelcontextprotocol/sdk/types.js\";\nimport { hasAllScopes, hasAnyScope } from \"credat\";\nimport { validateConstraints } from \"./constraints.js\";\nimport { authError, constraintError, McpAuthErrorCodes, scopeError } from \"./errors.js\";\nimport type { SessionStore } from \"./session.js\";\nimport type { AuthContext, ProtectOptions, ToolExtra } from \"./types.js\";\n\nconst STDIO_SESSION_KEY = \"__stdio__\";\n\ntype ProtectedHandler<TArgs> = (\n\targs: TArgs,\n\textra: ToolExtra & { auth: AuthContext },\n) => CallToolResult | Promise<CallToolResult>;\n\ntype ToolHandler<TArgs> = (\n\targs: TArgs,\n\textra: ToolExtra,\n) => CallToolResult | Promise<CallToolResult>;\n\nexport function createProtect(sessionStore: SessionStore) {\n\treturn function protect<TArgs extends Record<string, unknown>>(\n\t\toptions: ProtectOptions,\n\t\thandler: ProtectedHandler<TArgs>,\n\t): ToolHandler<TArgs> {\n\t\treturn (args: TArgs, extra: ToolExtra) => {\n\t\t\tconst sessionId = extra.sessionId ?? STDIO_SESSION_KEY;\n\n\t\t\t// 1. Check authentication\n\t\t\tconst session = sessionStore.get(sessionId);\n\t\t\tif (!session) {\n\t\t\t\treturn authError(\n\t\t\t\t\t\"Not authenticated. Call the credat:challenge tool to begin authentication.\",\n\t\t\t\t\tMcpAuthErrorCodes.NOT_AUTHENTICATED,\n\t\t\t\t);\n\t\t\t}\n\n\t\t\tconst { delegationResult } = session;\n\n\t\t\t// 2. Check required scopes (ALL)\n\t\t\tif (options.scopes && options.scopes.length > 0) {\n\t\t\t\tif (!hasAllScopes(delegationResult, options.scopes)) {\n\t\t\t\t\treturn scopeError(options.scopes, delegationResult.scopes);\n\t\t\t\t}\n\t\t\t}\n\n\t\t\t// 3. 
Check required scopes (ANY)\n\t\t\tif (options.anyScope && options.anyScope.length > 0) {\n\t\t\t\tif (!hasAnyScope(delegationResult, options.anyScope)) {\n\t\t\t\t\treturn scopeError(options.anyScope, delegationResult.scopes);\n\t\t\t\t}\n\t\t\t}\n\n\t\t\t// 4. Validate constraints\n\t\t\tif (options.constraintContext) {\n\t\t\t\tconst context =\n\t\t\t\t\ttypeof options.constraintContext === \"function\"\n\t\t\t\t\t\t? options.constraintContext(args as Record<string, unknown>)\n\t\t\t\t\t\t: options.constraintContext;\n\n\t\t\t\tconst violations = validateConstraints(delegationResult.constraints, context);\n\t\t\t\tif (violations.length > 0) {\n\t\t\t\t\treturn constraintError(violations);\n\t\t\t\t}\n\t\t\t}\n\n\t\t\t// 5. Build auth context and call handler\n\t\t\tconst authContext: AuthContext = {\n\t\t\t\tagentDid: delegationResult.agent,\n\t\t\t\townerDid: delegationResult.owner,\n\t\t\t\tscopes: delegationResult.scopes,\n\t\t\t\tconstraints: delegationResult.constraints,\n\t\t\t};\n\n\t\t\tconst augmentedExtra = Object.assign({}, extra, {\n\t\t\t\tauth: authContext,\n\t\t\t});\n\n\t\t\treturn handler(args, augmentedExtra);\n\t\t};\n\t};\n}\n","import type { DelegationConstraints } from \"credat\";\nimport type { ConstraintContext, ConstraintViolation } from \"./types.js\";\n\nexport function validateConstraints(\n\tconstraints: DelegationConstraints | undefined,\n\tcontext: ConstraintContext,\n): ConstraintViolation[] {\n\tif (!constraints) return [];\n\n\tconst violations: ConstraintViolation[] = [];\n\n\tif (constraints.maxTransactionValue != null && context.transactionValue != null) {\n\t\tif (context.transactionValue > constraints.maxTransactionValue) {\n\t\t\tviolations.push({\n\t\t\t\tconstraint: \"maxTransactionValue\",\n\t\t\t\tmessage: `${context.transactionValue} exceeds max ${constraints.maxTransactionValue}`,\n\t\t\t});\n\t\t}\n\t}\n\n\tif (constraints.allowedDomains != null && context.domain != null) {\n\t\tif 
(!constraints.allowedDomains.includes(context.domain)) {\n\t\t\tviolations.push({\n\t\t\t\tconstraint: \"allowedDomains\",\n\t\t\t\tmessage: `Domain \"${context.domain}\" is not in allowed list: ${constraints.allowedDomains.join(\", \")}`,\n\t\t\t});\n\t\t}\n\t}\n\n\tif (constraints.rateLimit != null && typeof context.rateLimit === \"number\") {\n\t\tif (context.rateLimit > constraints.rateLimit) {\n\t\t\tviolations.push({\n\t\t\t\tconstraint: \"rateLimit\",\n\t\t\t\tmessage: `Rate ${context.rateLimit} exceeds limit ${constraints.rateLimit}`,\n\t\t\t});\n\t\t}\n\t}\n\n\treturn violations;\n}\n","import type { CallToolResult } from \"@modelcontextprotocol/sdk/types.js\";\nimport type { AuthErrorPayload, ConstraintViolation } from \"./types.js\";\n\n// ── Error Codes ──\n\nexport const McpAuthErrorCodes = {\n\tNOT_AUTHENTICATED: \"NOT_AUTHENTICATED\",\n\tSESSION_EXPIRED: \"SESSION_EXPIRED\",\n\tSESSION_MISMATCH: \"SESSION_MISMATCH\",\n\tINSUFFICIENT_SCOPES: \"INSUFFICIENT_SCOPES\",\n\tCONSTRAINT_VIOLATION: \"CONSTRAINT_VIOLATION\",\n\tCONFIGURATION_ERROR: \"CONFIGURATION_ERROR\",\n} as const;\n\nexport type McpAuthErrorCode = (typeof McpAuthErrorCodes)[keyof typeof McpAuthErrorCodes];\n\n// ── Error Response Builders ──\n\nexport function authError(message: string, code: string, details?: string[]): CallToolResult {\n\tconst payload: AuthErrorPayload = { error: message, code };\n\tif (details && details.length > 0) {\n\t\tpayload.details = details;\n\t}\n\treturn {\n\t\tcontent: [{ type: \"text\", text: JSON.stringify(payload) }],\n\t\tisError: true,\n\t};\n}\n\nexport function scopeError(required: string[], actual: string[]): CallToolResult {\n\tconst missing = required.filter((s) => !actual.includes(s));\n\treturn authError(\n\t\t`Insufficient scopes. 
Missing: ${missing.join(\", \")}`,\n\t\tMcpAuthErrorCodes.INSUFFICIENT_SCOPES,\n\t\t[`required: ${required.join(\", \")}`, `granted: ${actual.join(\", \")}`],\n\t);\n}\n\nexport function constraintError(violations: ConstraintViolation[]): CallToolResult {\n\treturn authError(\n\t\t`Constraint violation: ${violations.map((v) => v.message).join(\"; \")}`,\n\t\tMcpAuthErrorCodes.CONSTRAINT_VIOLATION,\n\t\tviolations.map((v) => `${v.constraint}: ${v.message}`),\n\t);\n}\n","import type { ChallengeMessage } from \"credat\";\nimport type { SessionAuth, StoredChallenge } from \"./types.js\";\n\nconst DEFAULT_MAX_SIZE = 1000;\nconst CLEANUP_THRESHOLD = 100;\n\n// ── Challenge Store ──\n\nexport class ChallengeStore {\n\tprivate store = new Map<string, StoredChallenge>();\n\tprivate readonly maxAgeMs: number;\n\tprivate readonly maxSize: number;\n\tprivate insertsSinceCleanup = 0;\n\n\tconstructor(maxAgeMs: number, maxSize = DEFAULT_MAX_SIZE) {\n\t\tthis.maxAgeMs = maxAgeMs;\n\t\tthis.maxSize = maxSize;\n\t}\n\n\tset(nonce: string, challenge: ChallengeMessage, sessionId: string): void {\n\t\tthis.store.set(nonce, {\n\t\t\tchallenge,\n\t\t\tsessionId,\n\t\t\tcreatedAt: Date.now(),\n\t\t});\n\n\t\tthis.insertsSinceCleanup++;\n\t\tif (this.insertsSinceCleanup >= CLEANUP_THRESHOLD || this.store.size > this.maxSize) {\n\t\t\tthis.cleanup();\n\t\t\tthis.insertsSinceCleanup = 0;\n\t\t}\n\t}\n\n\t/** Consume a challenge (single-use). Returns and deletes. 
*/\n\tconsume(nonce: string): StoredChallenge | undefined {\n\t\tconst entry = this.store.get(nonce);\n\t\tif (!entry) return undefined;\n\n\t\tthis.store.delete(nonce);\n\n\t\tif (Date.now() - entry.createdAt > this.maxAgeMs) {\n\t\t\treturn undefined;\n\t\t}\n\n\t\treturn entry;\n\t}\n\n\tcleanup(): void {\n\t\tconst now = Date.now();\n\t\tfor (const [nonce, entry] of this.store) {\n\t\t\tif (now - entry.createdAt > this.maxAgeMs) {\n\t\t\t\tthis.store.delete(nonce);\n\t\t\t}\n\t\t}\n\n\t\t// Evict oldest if still over max size\n\t\tif (this.store.size > this.maxSize) {\n\t\t\tconst entries = [...this.store.entries()].sort((a, b) => a[1].createdAt - b[1].createdAt);\n\t\t\tconst toRemove = entries.slice(0, this.store.size - this.maxSize);\n\t\t\tfor (const [nonce] of toRemove) {\n\t\t\t\tthis.store.delete(nonce);\n\t\t\t}\n\t\t}\n\t}\n\n\tget size(): number {\n\t\treturn this.store.size;\n\t}\n}\n\n// ── Session Store ──\n\nexport class SessionStore {\n\tprivate store = new Map<string, SessionAuth>();\n\tprivate readonly maxAgeMs: number;\n\tprivate insertsSinceCleanup = 0;\n\n\tconstructor(maxAgeMs: number) {\n\t\tthis.maxAgeMs = maxAgeMs;\n\t}\n\n\tset(sessionId: string, auth: SessionAuth): void {\n\t\tthis.store.set(sessionId, auth);\n\n\t\tthis.insertsSinceCleanup++;\n\t\tif (this.insertsSinceCleanup >= CLEANUP_THRESHOLD) {\n\t\t\tthis.cleanup();\n\t\t\tthis.insertsSinceCleanup = 0;\n\t\t}\n\t}\n\n\tget(sessionId: string): SessionAuth | undefined {\n\t\tconst entry = this.store.get(sessionId);\n\t\tif (!entry) return undefined;\n\n\t\tif (Date.now() - entry.authenticatedAt > this.maxAgeMs) {\n\t\t\tthis.store.delete(sessionId);\n\t\t\treturn undefined;\n\t\t}\n\n\t\treturn entry;\n\t}\n\n\tdelete(sessionId: string): boolean {\n\t\treturn this.store.delete(sessionId);\n\t}\n\n\tcleanup(): void {\n\t\tconst now = Date.now();\n\t\tfor (const [sessionId, entry] of this.store) {\n\t\t\tif (now - entry.authenticatedAt > this.maxAgeMs) 
{\n\t\t\t\tthis.store.delete(sessionId);\n\t\t\t}\n\t\t}\n\t}\n\n\tget size(): number {\n\t\treturn this.store.size;\n\t}\n}\n","import type { CallToolResult } from \"@modelcontextprotocol/sdk/types.js\";\nimport type { PresentationMessage } from \"credat\";\nimport { verifyPresentation } from \"credat\";\nimport { authError, McpAuthErrorCodes } from \"../errors.js\";\nimport type { ChallengeStore, SessionStore } from \"../session.js\";\nimport type { CredatAuthOptions, ToolExtra } from \"../types.js\";\n\nconst STDIO_SESSION_KEY = \"__stdio__\";\n\nexport function createAuthenticateHandler(\n\tconfig: CredatAuthOptions,\n\tchallengeStore: ChallengeStore,\n\tsessionStore: SessionStore,\n) {\n\treturn async (\n\t\targs: { presentation: PresentationMessage },\n\t\textra: ToolExtra,\n\t): Promise<CallToolResult> => {\n\t\tconst { presentation } = args;\n\t\tconst sessionId = extra.sessionId ?? STDIO_SESSION_KEY;\n\n\t\t// 1. Consume challenge (single-use nonce)\n\t\tconst stored = challengeStore.consume(presentation.nonce);\n\t\tif (!stored) {\n\t\t\treturn authError(\n\t\t\t\t\"Unknown or expired challenge nonce. Request a new challenge.\",\n\t\t\t\tMcpAuthErrorCodes.NOT_AUTHENTICATED,\n\t\t\t);\n\t\t}\n\n\t\t// 2. Verify session binding\n\t\tif (stored.sessionId !== sessionId) {\n\t\t\treturn authError(\n\t\t\t\t\"Challenge was issued to a different session.\",\n\t\t\t\tMcpAuthErrorCodes.SESSION_MISMATCH,\n\t\t\t);\n\t\t}\n\n\t\t// 3. Resolve agent public key\n\t\tlet agentPublicKey: Uint8Array;\n\t\tif (config.agentPublicKey) {\n\t\t\tagentPublicKey = config.agentPublicKey;\n\t\t} else if (config.resolveAgentKey) {\n\t\t\ttry {\n\t\t\t\tagentPublicKey = await config.resolveAgentKey(presentation.from);\n\t\t\t} catch (err) {\n\t\t\t\tconst message = err instanceof Error ? 
err.message : \"Unknown error\";\n\t\t\t\treturn authError(\n\t\t\t\t\t`Failed to resolve agent public key for ${presentation.from}: ${message}`,\n\t\t\t\t\tMcpAuthErrorCodes.CONFIGURATION_ERROR,\n\t\t\t\t);\n\t\t\t}\n\t\t} else {\n\t\t\treturn authError(\n\t\t\t\t\"No agentPublicKey configured and no resolveAgentKey callback provided.\",\n\t\t\t\tMcpAuthErrorCodes.CONFIGURATION_ERROR,\n\t\t\t);\n\t\t}\n\n\t\t// 4. Verify presentation\n\t\tconst result = await verifyPresentation(presentation, {\n\t\t\tchallenge: stored.challenge,\n\t\t\townerPublicKey: config.ownerPublicKey,\n\t\t\tagentPublicKey,\n\t\t\tchallengeMaxAgeMs: config.challengeMaxAgeMs,\n\t\t});\n\n\t\tif (!result.valid) {\n\t\t\tconst details = result.errors.map((e) => `${e.code}: ${e.message}`);\n\t\t\treturn authError(\n\t\t\t\t\"Authentication failed.\",\n\t\t\t\tresult.errors[0]?.code ?? \"HANDSHAKE_VERIFICATION_FAILED\",\n\t\t\t\tdetails,\n\t\t\t);\n\t\t}\n\n\t\t// 5. Store session auth\n\t\tsessionStore.set(sessionId, {\n\t\t\tdelegationResult: result,\n\t\t\tauthenticatedAt: Date.now(),\n\t\t});\n\n\t\treturn {\n\t\t\tcontent: [\n\t\t\t\t{\n\t\t\t\t\ttype: \"text\",\n\t\t\t\t\ttext: JSON.stringify({\n\t\t\t\t\t\tauthenticated: true,\n\t\t\t\t\t\tagent: result.agent,\n\t\t\t\t\t\tscopes: result.scopes,\n\t\t\t\t\t}),\n\t\t\t\t},\n\t\t\t],\n\t\t};\n\t};\n}\n","import type { CallToolResult } from \"@modelcontextprotocol/sdk/types.js\";\nimport { createChallenge } from \"credat\";\nimport type { ChallengeStore } from \"../session.js\";\nimport type { ToolExtra } from \"../types.js\";\n\nconst STDIO_SESSION_KEY = \"__stdio__\";\n\nexport function createChallengeHandler(serverDid: string, challengeStore: ChallengeStore) {\n\treturn (extra: ToolExtra): CallToolResult => {\n\t\tconst challenge = createChallenge({ from: serverDid });\n\t\tconst sessionId = extra.sessionId ?? 
STDIO_SESSION_KEY;\n\n\t\tchallengeStore.set(challenge.nonce, challenge, sessionId);\n\n\t\treturn {\n\t\t\tcontent: [{ type: \"text\", text: JSON.stringify(challenge) }],\n\t\t};\n\t};\n}\n"],"mappings":";AAEA,SAAS,SAAS;;;ACDlB,SAAS,cAAc,mBAAmB;;;ACEnC,SAAS,oBACf,aACA,SACwB;AACxB,MAAI,CAAC,YAAa,QAAO,CAAC;AAE1B,QAAM,aAAoC,CAAC;AAE3C,MAAI,YAAY,uBAAuB,QAAQ,QAAQ,oBAAoB,MAAM;AAChF,QAAI,QAAQ,mBAAmB,YAAY,qBAAqB;AAC/D,iBAAW,KAAK;AAAA,QACf,YAAY;AAAA,QACZ,SAAS,GAAG,QAAQ,gBAAgB,gBAAgB,YAAY,mBAAmB;AAAA,MACpF,CAAC;AAAA,IACF;AAAA,EACD;AAEA,MAAI,YAAY,kBAAkB,QAAQ,QAAQ,UAAU,MAAM;AACjE,QAAI,CAAC,YAAY,eAAe,SAAS,QAAQ,MAAM,GAAG;AACzD,iBAAW,KAAK;AAAA,QACf,YAAY;AAAA,QACZ,SAAS,WAAW,QAAQ,MAAM,6BAA6B,YAAY,eAAe,KAAK,IAAI,CAAC;AAAA,MACrG,CAAC;AAAA,IACF;AAAA,EACD;AAEA,MAAI,YAAY,aAAa,QAAQ,OAAO,QAAQ,cAAc,UAAU;AAC3E,QAAI,QAAQ,YAAY,YAAY,WAAW;AAC9C,iBAAW,KAAK;AAAA,QACf,YAAY;AAAA,QACZ,SAAS,QAAQ,QAAQ,SAAS,kBAAkB,YAAY,SAAS;AAAA,MAC1E,CAAC;AAAA,IACF;AAAA,EACD;AAEA,SAAO;AACR;;;AClCO,IAAM,oBAAoB;AAAA,EAChC,mBAAmB;AAAA,EACnB,iBAAiB;AAAA,EACjB,kBAAkB;AAAA,EAClB,qBAAqB;AAAA,EACrB,sBAAsB;AAAA,EACtB,qBAAqB;AACtB;AAMO,SAAS,UAAU,SAAiB,MAAc,SAAoC;AAC5F,QAAM,UAA4B,EAAE,OAAO,SAAS,KAAK;AACzD,MAAI,WAAW,QAAQ,SAAS,GAAG;AAClC,YAAQ,UAAU;AAAA,EACnB;AACA,SAAO;AAAA,IACN,SAAS,CAAC,EAAE,MAAM,QAAQ,MAAM,KAAK,UAAU,OAAO,EAAE,CAAC;AAAA,IACzD,SAAS;AAAA,EACV;AACD;AAEO,SAAS,WAAW,UAAoB,QAAkC;AAChF,QAAM,UAAU,SAAS,OAAO,CAAC,MAAM,CAAC,OAAO,SAAS,CAAC,CAAC;AAC1D,SAAO;AAAA,IACN,iCAAiC,QAAQ,KAAK,IAAI,CAAC;AAAA,IACnD,kBAAkB;AAAA,IAClB,CAAC,aAAa,SAAS,KAAK,IAAI,CAAC,IAAI,YAAY,OAAO,KAAK,IAAI,CAAC,EAAE;AAAA,EACrE;AACD;AAEO,SAAS,gBAAgB,YAAmD;AAClF,SAAO;AAAA,IACN,yBAAyB,WAAW,IAAI,CAAC,MAAM,EAAE,OAAO,EAAE,KAAK,IAAI,CAAC;AAAA,IACpE,kBAAkB;AAAA,IAClB,WAAW,IAAI,CAAC,MAAM,GAAG,EAAE,UAAU,KAAK,EAAE,OAAO,EAAE;AAAA,EACtD;AACD;;;AFrCA,IAAM,oBAAoB;AAYnB,SAAS,cAAc,cAA4B;AACzD,SAAO,SAAS,QACf,SACA,SACqB;AACrB,WAAO,CAAC,MAAa,UAAqB;AACzC,YAAM,YAAY,MAAM,aAAa;AAGrC,YAAM,UAAU,aAAa,IAAI,SAAS;AAC1C,UAAI,CAAC,SAAS;AACb,eAAO;AAAA,UACN;AAAA,UACA,kBAAkB;AAAA,QACnB;AAAA,MA
CD;AAEA,YAAM,EAAE,iBAAiB,IAAI;AAG7B,UAAI,QAAQ,UAAU,QAAQ,OAAO,SAAS,GAAG;AAChD,YAAI,CAAC,aAAa,kBAAkB,QAAQ,MAAM,GAAG;AACpD,iBAAO,WAAW,QAAQ,QAAQ,iBAAiB,MAAM;AAAA,QAC1D;AAAA,MACD;AAGA,UAAI,QAAQ,YAAY,QAAQ,SAAS,SAAS,GAAG;AACpD,YAAI,CAAC,YAAY,kBAAkB,QAAQ,QAAQ,GAAG;AACrD,iBAAO,WAAW,QAAQ,UAAU,iBAAiB,MAAM;AAAA,QAC5D;AAAA,MACD;AAGA,UAAI,QAAQ,mBAAmB;AAC9B,cAAM,UACL,OAAO,QAAQ,sBAAsB,aAClC,QAAQ,kBAAkB,IAA+B,IACzD,QAAQ;AAEZ,cAAM,aAAa,oBAAoB,iBAAiB,aAAa,OAAO;AAC5E,YAAI,WAAW,SAAS,GAAG;AAC1B,iBAAO,gBAAgB,UAAU;AAAA,QAClC;AAAA,MACD;AAGA,YAAM,cAA2B;AAAA,QAChC,UAAU,iBAAiB;AAAA,QAC3B,UAAU,iBAAiB;AAAA,QAC3B,QAAQ,iBAAiB;AAAA,QACzB,aAAa,iBAAiB;AAAA,MAC/B;AAEA,YAAM,iBAAiB,OAAO,OAAO,CAAC,GAAG,OAAO;AAAA,QAC/C,MAAM;AAAA,MACP,CAAC;AAED,aAAO,QAAQ,MAAM,cAAc;AAAA,IACpC;AAAA,EACD;AACD;;;AG7EA,IAAM,mBAAmB;AACzB,IAAM,oBAAoB;AAInB,IAAM,iBAAN,MAAqB;AAAA,EACnB,QAAQ,oBAAI,IAA6B;AAAA,EAChC;AAAA,EACA;AAAA,EACT,sBAAsB;AAAA,EAE9B,YAAY,UAAkB,UAAU,kBAAkB;AACzD,SAAK,WAAW;AAChB,SAAK,UAAU;AAAA,EAChB;AAAA,EAEA,IAAI,OAAe,WAA6B,WAAyB;AACxE,SAAK,MAAM,IAAI,OAAO;AAAA,MACrB;AAAA,MACA;AAAA,MACA,WAAW,KAAK,IAAI;AAAA,IACrB,CAAC;AAED,SAAK;AACL,QAAI,KAAK,uBAAuB,qBAAqB,KAAK,MAAM,OAAO,KAAK,SAAS;AACpF,WAAK,QAAQ;AACb,WAAK,sBAAsB;AAAA,IAC5B;AAAA,EACD;AAAA;AAAA,EAGA,QAAQ,OAA4C;AACnD,UAAM,QAAQ,KAAK,MAAM,IAAI,KAAK;AAClC,QAAI,CAAC,MAAO,QAAO;AAEnB,SAAK,MAAM,OAAO,KAAK;AAEvB,QAAI,KAAK,IAAI,IAAI,MAAM,YAAY,KAAK,UAAU;AACjD,aAAO;AAAA,IACR;AAEA,WAAO;AAAA,EACR;AAAA,EAEA,UAAgB;AACf,UAAM,MAAM,KAAK,IAAI;AACrB,eAAW,CAAC,OAAO,KAAK,KAAK,KAAK,OAAO;AACxC,UAAI,MAAM,MAAM,YAAY,KAAK,UAAU;AAC1C,aAAK,MAAM,OAAO,KAAK;AAAA,MACxB;AAAA,IACD;AAGA,QAAI,KAAK,MAAM,OAAO,KAAK,SAAS;AACnC,YAAM,UAAU,CAAC,GAAG,KAAK,MAAM,QAAQ,CAAC,EAAE,KAAK,CAAC,GAAG,MAAM,EAAE,CAAC,EAAE,YAAY,EAAE,CAAC,EAAE,SAAS;AACxF,YAAM,WAAW,QAAQ,MAAM,GAAG,KAAK,MAAM,OAAO,KAAK,OAAO;AAChE,iBAAW,CAAC,KAAK,KAAK,UAAU;AAC/B,aAAK,MAAM,OAAO,KAAK;AAAA,MACxB;AAAA,IACD;AAAA,EACD;AAAA,EAEA,IAAI,OAAe;AAClB,WAAO,KAAK,MAAM;AAAA,EACnB;AACD;AAIO,IAAM,eAAN,MAAmB;AAAA,EACjB,QAAQ,oBAAI,IAAyB;AAAA,EAC5B;AAAA,EACT,sBAAsB;AAAA,EA
E9B,YAAY,UAAkB;AAC7B,SAAK,WAAW;AAAA,EACjB;AAAA,EAEA,IAAI,WAAmB,MAAyB;AAC/C,SAAK,MAAM,IAAI,WAAW,IAAI;AAE9B,SAAK;AACL,QAAI,KAAK,uBAAuB,mBAAmB;AAClD,WAAK,QAAQ;AACb,WAAK,sBAAsB;AAAA,IAC5B;AAAA,EACD;AAAA,EAEA,IAAI,WAA4C;AAC/C,UAAM,QAAQ,KAAK,MAAM,IAAI,SAAS;AACtC,QAAI,CAAC,MAAO,QAAO;AAEnB,QAAI,KAAK,IAAI,IAAI,MAAM,kBAAkB,KAAK,UAAU;AACvD,WAAK,MAAM,OAAO,SAAS;AAC3B,aAAO;AAAA,IACR;AAEA,WAAO;AAAA,EACR;AAAA,EAEA,OAAO,WAA4B;AAClC,WAAO,KAAK,MAAM,OAAO,SAAS;AAAA,EACnC;AAAA,EAEA,UAAgB;AACf,UAAM,MAAM,KAAK,IAAI;AACrB,eAAW,CAAC,WAAW,KAAK,KAAK,KAAK,OAAO;AAC5C,UAAI,MAAM,MAAM,kBAAkB,KAAK,UAAU;AAChD,aAAK,MAAM,OAAO,SAAS;AAAA,MAC5B;AAAA,IACD;AAAA,EACD;AAAA,EAEA,IAAI,OAAe;AAClB,WAAO,KAAK,MAAM;AAAA,EACnB;AACD;;;ACrHA,SAAS,0BAA0B;AAKnC,IAAMA,qBAAoB;AAEnB,SAAS,0BACf,QACA,gBACA,cACC;AACD,SAAO,OACN,MACA,UAC6B;AAC7B,UAAM,EAAE,aAAa,IAAI;AACzB,UAAM,YAAY,MAAM,aAAaA;AAGrC,UAAM,SAAS,eAAe,QAAQ,aAAa,KAAK;AACxD,QAAI,CAAC,QAAQ;AACZ,aAAO;AAAA,QACN;AAAA,QACA,kBAAkB;AAAA,MACnB;AAAA,IACD;AAGA,QAAI,OAAO,cAAc,WAAW;AACnC,aAAO;AAAA,QACN;AAAA,QACA,kBAAkB;AAAA,MACnB;AAAA,IACD;AAGA,QAAI;AACJ,QAAI,OAAO,gBAAgB;AAC1B,uBAAiB,OAAO;AAAA,IACzB,WAAW,OAAO,iBAAiB;AAClC,UAAI;AACH,yBAAiB,MAAM,OAAO,gBAAgB,aAAa,IAAI;AAAA,MAChE,SAAS,KAAK;AACb,cAAM,UAAU,eAAe,QAAQ,IAAI,UAAU;AACrD,eAAO;AAAA,UACN,0CAA0C,aAAa,IAAI,KAAK,OAAO;AAAA,UACvE,kBAAkB;AAAA,QACnB;AAAA,MACD;AAAA,IACD,OAAO;AACN,aAAO;AAAA,QACN;AAAA,QACA,kBAAkB;AAAA,MACnB;AAAA,IACD;AAGA,UAAM,SAAS,MAAM,mBAAmB,cAAc;AAAA,MACrD,WAAW,OAAO;AAAA,MAClB,gBAAgB,OAAO;AAAA,MACvB;AAAA,MACA,mBAAmB,OAAO;AAAA,IAC3B,CAAC;AAED,QAAI,CAAC,OAAO,OAAO;AAClB,YAAM,UAAU,OAAO,OAAO,IAAI,CAAC,MAAM,GAAG,EAAE,IAAI,KAAK,EAAE,OAAO,EAAE;AAClE,aAAO;AAAA,QACN;AAAA,QACA,OAAO,OAAO,CAAC,GAAG,QAAQ;AAAA,QAC1B;AAAA,MACD;AAAA,IACD;AAGA,iBAAa,IAAI,WAAW;AAAA,MAC3B,kBAAkB;AAAA,MAClB,iBAAiB,KAAK,IAAI;AAAA,IAC3B,CAAC;AAED,WAAO;AAAA,MACN,SAAS;AAAA,QACR;AAAA,UACC,MAAM;AAAA,UACN,MAAM,KAAK,UAAU;AAAA,YACpB,eAAe;AAAA,YACf,OAAO,OAAO;AAAA,YACd,QAAQ,OAAO;AAAA,UAChB,CAAC;AAAA,QACF;AAAA,MACD;AAAA,IACD;AAAA,EACD;AACD;;;AC9FA,SAAS,uBAAuB;AAIhC,IAA
MC,qBAAoB;AAEnB,SAAS,uBAAuB,WAAmB,gBAAgC;AACzF,SAAO,CAAC,UAAqC;AAC5C,UAAM,YAAY,gBAAgB,EAAE,MAAM,UAAU,CAAC;AACrD,UAAM,YAAY,MAAM,aAAaA;AAErC,mBAAe,IAAI,UAAU,OAAO,WAAW,SAAS;AAExD,WAAO;AAAA,MACN,SAAS,CAAC,EAAE,MAAM,QAAQ,MAAM,KAAK,UAAU,SAAS,EAAE,CAAC;AAAA,IAC5D;AAAA,EACD;AACD;;;ANHA,IAAM,+BAA+B,IAAI,KAAK;AAC9C,IAAM,6BAA6B,KAAK,KAAK;AAC7C,IAAM,sBAAsB;AAE5B,IAAMC,qBAAoB;AAOnB,IAAM,aAAN,MAAiB;AAAA,EACN;AAAA,EAQA;AAAA,EACA;AAAA,EACA;AAAA,EAEjB,YAAY,SAA4B;AACvC,QAAI,CAAC,QAAQ,WAAW;AACvB,YAAM,IAAI,MAAM,mCAAmC;AAAA,IACpD;AACA,QAAI,CAAC,QAAQ,kBAAkB,QAAQ,eAAe,WAAW,GAAG;AACnE,YAAM,IAAI,MAAM,wCAAwC;AAAA,IACzD;AAEA,SAAK,SAAS;AAAA,MACb,WAAW,QAAQ;AAAA,MACnB,gBAAgB,QAAQ;AAAA,MACxB,gBAAgB,QAAQ;AAAA,MACxB,iBAAiB,QAAQ;AAAA,MACzB,mBAAmB,QAAQ,qBAAqB;AAAA,MAChD,iBAAiB,QAAQ,mBAAmB;AAAA,MAC5C,YAAY,QAAQ,cAAc;AAAA,IACnC;AAEA,SAAK,iBAAiB,IAAI,eAAe,KAAK,OAAO,iBAAiB;AACtE,SAAK,eAAe,IAAI,aAAa,KAAK,OAAO,eAAe;AAChE,SAAK,YAAY,cAAc,KAAK,YAAY;AAAA,EACjD;AAAA;AAAA,EAGA,QAAQ,QAAyB;AAChC,UAAM,SAAS,KAAK,OAAO;AAE3B,UAAM,mBAAmB,uBAAuB,KAAK,OAAO,WAAW,KAAK,cAAc;AAE1F,UAAM,sBAAsB;AAAA,MAC3B,KAAK;AAAA,MACL,KAAK;AAAA,MACL,KAAK;AAAA,IACN;AAGA,WAAO;AAAA,MACN,GAAG,MAAM;AAAA,MACT;AAAA,QACC,aACC;AAAA,MACF;AAAA,MACA,CAAC,UAAU,iBAAiB,KAAkB;AAAA,IAC/C;AAGA,WAAO;AAAA,MACN,GAAG,MAAM;AAAA,MACT;AAAA,QACC,aACC;AAAA,QACD,aAAa,EAAE,OAAO;AAAA,UACrB,cAAc,EAAE,OAAO;AAAA,YACtB,MAAM,EAAE,QAAQ,qBAAqB;AAAA,YACrC,YAAY,EAAE,OAAO;AAAA,YACrB,OAAO,EAAE,OAAO;AAAA,YAChB,OAAO,EAAE,OAAO;AAAA,YAChB,MAAM,EAAE,OAAO;AAAA,UAChB,CAAC;AAAA,QACF,CAAC;AAAA,MACF;AAAA,MACA,CAAC,MAAM,UACN;AAAA,QACC;AAAA,QASA;AAAA,MACD;AAAA,IACF;AAAA,EACD;AAAA;AAAA,EAGA,QACC,SACA,SACC;AACD,WAAO,KAAK,UAAU,SAAS,OAAO;AAAA,EACvC;AAAA;AAAA,EAGA,gBAAgB,WAA6B;AAC5C,UAAM,MAAM,aAAaA;AACzB,WAAO,KAAK,aAAa,IAAI,GAAG,MAAM;AAAA,EACvC;AAAA;AAAA,EAGA,eAAe,WAA6C;AAC3D,UAAM,MAAM,aAAaA;AACzB,WAAO,KAAK,aAAa,IAAI,GAAG;AAAA,EACjC;AAAA;AAAA,EAGA,cAAc,WAA0B;AACvC,UAAM,MAAM,aAAaA;AACzB,SAAK,aAAa,OAAO,GAAG;AAAA,EAC7B;AACD;","names":["STDIO_SESSION_KEY","STDIO_SESSION_KEY","STDIO_SESSION_KEY"]}
1
+ {"version":3,"sources":["../src/auth.ts","../src/protect.ts","../src/constraints.ts","../src/errors.ts","../src/session.ts","../src/tools/authenticate.ts","../src/tools/challenge.ts"],"sourcesContent":["import type { McpServer } from \"@modelcontextprotocol/sdk/server/mcp.js\";\nimport type { CallToolResult } from \"@modelcontextprotocol/sdk/types.js\";\nimport { z } from \"zod\";\nimport { createProtect } from \"./protect.js\";\nimport { ChallengeStore, SessionStore } from \"./session.js\";\nimport { createAuthenticateHandler } from \"./tools/authenticate.js\";\nimport { createChallengeHandler } from \"./tools/challenge.js\";\nimport type {\n\tAuthContext,\n\tCredatAuthOptions,\n\tProtectOptions,\n\tSessionAuth,\n\tToolExtra,\n} from \"./types.js\";\n\nconst DEFAULT_CHALLENGE_MAX_AGE_MS = 5 * 60 * 1000; // 5 minutes\nconst DEFAULT_SESSION_MAX_AGE_MS = 60 * 60 * 1000; // 1 hour\nconst DEFAULT_TOOL_PREFIX = \"credat\";\n\nconst STDIO_SESSION_KEY = \"__stdio__\";\n\ntype ProtectedHandler<TArgs> = (\n\targs: TArgs,\n\textra: ToolExtra & { auth: AuthContext },\n) => CallToolResult | Promise<CallToolResult>;\n\nexport class CredatAuth {\n\tprivate readonly config: Required<\n\t\tPick<\n\t\t\tCredatAuthOptions,\n\t\t\t\"serverDid\" | \"ownerPublicKey\" | \"challengeMaxAgeMs\" | \"sessionMaxAgeMs\" | \"toolPrefix\"\n\t\t>\n\t> &\n\t\tPick<CredatAuthOptions, \"agentPublicKey\" | \"resolveAgentKey\">;\n\n\tprivate readonly challengeStore: ChallengeStore;\n\tprivate readonly sessionStore: SessionStore;\n\tprivate readonly protectFn: ReturnType<typeof createProtect>;\n\n\tconstructor(options: CredatAuthOptions) {\n\t\tif (!options.serverDid) {\n\t\t\tthrow new Error(\"CredatAuth: serverDid is required\");\n\t\t}\n\t\tif (!options.ownerPublicKey || options.ownerPublicKey.length === 0) {\n\t\t\tthrow new Error(\"CredatAuth: ownerPublicKey is required\");\n\t\t}\n\n\t\tthis.config = {\n\t\t\tserverDid: options.serverDid,\n\t\t\townerPublicKey: 
options.ownerPublicKey,\n\t\t\tagentPublicKey: options.agentPublicKey,\n\t\t\tresolveAgentKey: options.resolveAgentKey,\n\t\t\tchallengeMaxAgeMs: options.challengeMaxAgeMs ?? DEFAULT_CHALLENGE_MAX_AGE_MS,\n\t\t\tsessionMaxAgeMs: options.sessionMaxAgeMs ?? DEFAULT_SESSION_MAX_AGE_MS,\n\t\t\ttoolPrefix: options.toolPrefix ?? DEFAULT_TOOL_PREFIX,\n\t\t};\n\n\t\tthis.challengeStore = new ChallengeStore(this.config.challengeMaxAgeMs);\n\t\tthis.sessionStore = new SessionStore(this.config.sessionMaxAgeMs);\n\t\tthis.protectFn = createProtect(this.sessionStore);\n\t}\n\n\t/** Register the credat:challenge and credat:authenticate tools on the server */\n\tinstall(server: McpServer): void {\n\t\tconst prefix = this.config.toolPrefix;\n\n\t\tconst challengeHandler = createChallengeHandler(this.config.serverDid, this.challengeStore);\n\n\t\tconst authenticateHandler = createAuthenticateHandler(\n\t\t\tthis.config,\n\t\t\tthis.challengeStore,\n\t\t\tthis.sessionStore,\n\t\t);\n\n\t\t// Register challenge tool (no input — callback receives just extra)\n\t\tserver.registerTool(\n\t\t\t`${prefix}:challenge`,\n\t\t\t{\n\t\t\t\tdescription:\n\t\t\t\t\t\"Request an authentication challenge. Returns a nonce that must be signed with your delegation credential.\",\n\t\t\t},\n\t\t\t(extra) => challengeHandler(extra as ToolExtra),\n\t\t);\n\n\t\t// Register authenticate tool\n\t\tserver.registerTool(\n\t\t\t`${prefix}:authenticate`,\n\t\t\t{\n\t\t\t\tdescription:\n\t\t\t\t\t\"Present your signed credentials to authenticate. 
Requires a presentation object containing delegation proof and signed nonce.\",\n\t\t\t\tinputSchema: z.object({\n\t\t\t\t\tpresentation: z.object({\n\t\t\t\t\t\ttype: z.literal(\"credat:presentation\"),\n\t\t\t\t\t\tdelegation: z.string(),\n\t\t\t\t\t\tnonce: z.string(),\n\t\t\t\t\t\tproof: z.string(),\n\t\t\t\t\t\tfrom: z.string(),\n\t\t\t\t\t}),\n\t\t\t\t}),\n\t\t\t},\n\t\t\t(args, extra) =>\n\t\t\t\tauthenticateHandler(\n\t\t\t\t\targs as {\n\t\t\t\t\t\tpresentation: {\n\t\t\t\t\t\t\ttype: \"credat:presentation\";\n\t\t\t\t\t\t\tdelegation: string;\n\t\t\t\t\t\t\tnonce: string;\n\t\t\t\t\t\t\tproof: string;\n\t\t\t\t\t\t\tfrom: string;\n\t\t\t\t\t\t};\n\t\t\t\t\t},\n\t\t\t\t\textra as ToolExtra,\n\t\t\t\t),\n\t\t);\n\t}\n\n\t/** Wrap a tool handler to require authentication + optional scope/constraint checks */\n\tprotect<TArgs extends Record<string, unknown>>(\n\t\toptions: ProtectOptions,\n\t\thandler: ProtectedHandler<TArgs>,\n\t) {\n\t\treturn this.protectFn(options, handler);\n\t}\n\n\t/** Check if a session is currently authenticated */\n\tisAuthenticated(sessionId?: string): boolean {\n\t\tconst key = sessionId ?? STDIO_SESSION_KEY;\n\t\treturn this.sessionStore.get(key) !== undefined;\n\t}\n\n\t/** Get the auth result for a session */\n\tgetSessionAuth(sessionId?: string): SessionAuth | undefined {\n\t\tconst key = sessionId ?? STDIO_SESSION_KEY;\n\t\treturn this.sessionStore.get(key);\n\t}\n\n\t/** Revoke a session, forcing re-authentication */\n\trevokeSession(sessionId?: string): void {\n\t\tconst key = sessionId ?? 
STDIO_SESSION_KEY;\n\t\tthis.sessionStore.delete(key);\n\t}\n}\n","import type { CallToolResult } from \"@modelcontextprotocol/sdk/types.js\";\nimport { hasAllScopes, hasAnyScope } from \"@credat/sdk\";\nimport { validateConstraints } from \"./constraints.js\";\nimport { authError, constraintError, McpAuthErrorCodes, scopeError } from \"./errors.js\";\nimport type { SessionStore } from \"./session.js\";\nimport type { AuthContext, ProtectOptions, ToolExtra } from \"./types.js\";\n\nconst STDIO_SESSION_KEY = \"__stdio__\";\n\ntype ProtectedHandler<TArgs> = (\n\targs: TArgs,\n\textra: ToolExtra & { auth: AuthContext },\n) => CallToolResult | Promise<CallToolResult>;\n\ntype ToolHandler<TArgs> = (\n\targs: TArgs,\n\textra: ToolExtra,\n) => CallToolResult | Promise<CallToolResult>;\n\nexport function createProtect(sessionStore: SessionStore) {\n\treturn function protect<TArgs extends Record<string, unknown>>(\n\t\toptions: ProtectOptions,\n\t\thandler: ProtectedHandler<TArgs>,\n\t): ToolHandler<TArgs> {\n\t\treturn (args: TArgs, extra: ToolExtra) => {\n\t\t\tconst sessionId = extra.sessionId ?? STDIO_SESSION_KEY;\n\n\t\t\t// 1. Check authentication\n\t\t\tconst session = sessionStore.get(sessionId);\n\t\t\tif (!session) {\n\t\t\t\treturn authError(\n\t\t\t\t\t\"Not authenticated. Call the credat:challenge tool to begin authentication.\",\n\t\t\t\t\tMcpAuthErrorCodes.NOT_AUTHENTICATED,\n\t\t\t\t);\n\t\t\t}\n\n\t\t\tconst { delegationResult } = session;\n\n\t\t\t// 2. Check required scopes (ALL)\n\t\t\tif (options.scopes && options.scopes.length > 0) {\n\t\t\t\tif (!hasAllScopes(delegationResult, options.scopes)) {\n\t\t\t\t\treturn scopeError(options.scopes, delegationResult.scopes);\n\t\t\t\t}\n\t\t\t}\n\n\t\t\t// 3. 
Check required scopes (ANY)\n\t\t\tif (options.anyScope && options.anyScope.length > 0) {\n\t\t\t\tif (!hasAnyScope(delegationResult, options.anyScope)) {\n\t\t\t\t\treturn scopeError(options.anyScope, delegationResult.scopes);\n\t\t\t\t}\n\t\t\t}\n\n\t\t\t// 4. Validate constraints\n\t\t\tif (options.constraintContext) {\n\t\t\t\tconst context =\n\t\t\t\t\ttypeof options.constraintContext === \"function\"\n\t\t\t\t\t\t? options.constraintContext(args as Record<string, unknown>)\n\t\t\t\t\t\t: options.constraintContext;\n\n\t\t\t\tconst violations = validateConstraints(delegationResult.constraints, context);\n\t\t\t\tif (violations.length > 0) {\n\t\t\t\t\treturn constraintError(violations);\n\t\t\t\t}\n\t\t\t}\n\n\t\t\t// 5. Build auth context and call handler\n\t\t\tconst authContext: AuthContext = {\n\t\t\t\tagentDid: delegationResult.agent,\n\t\t\t\townerDid: delegationResult.owner,\n\t\t\t\tscopes: delegationResult.scopes,\n\t\t\t\tconstraints: delegationResult.constraints,\n\t\t\t};\n\n\t\t\tconst augmentedExtra = Object.assign({}, extra, {\n\t\t\t\tauth: authContext,\n\t\t\t});\n\n\t\t\treturn handler(args, augmentedExtra);\n\t\t};\n\t};\n}\n","import type { DelegationConstraints } from \"@credat/sdk\";\nimport type { ConstraintContext, ConstraintViolation } from \"./types.js\";\n\nexport function validateConstraints(\n\tconstraints: DelegationConstraints | undefined,\n\tcontext: ConstraintContext,\n): ConstraintViolation[] {\n\tif (!constraints) return [];\n\n\tconst violations: ConstraintViolation[] = [];\n\n\tif (constraints.maxTransactionValue != null && context.transactionValue != null) {\n\t\tif (context.transactionValue > constraints.maxTransactionValue) {\n\t\t\tviolations.push({\n\t\t\t\tconstraint: \"maxTransactionValue\",\n\t\t\t\tmessage: `${context.transactionValue} exceeds max ${constraints.maxTransactionValue}`,\n\t\t\t});\n\t\t}\n\t}\n\n\tif (constraints.allowedDomains != null && context.domain != null) {\n\t\tif 
(!constraints.allowedDomains.includes(context.domain)) {\n\t\t\tviolations.push({\n\t\t\t\tconstraint: \"allowedDomains\",\n\t\t\t\tmessage: `Domain \"${context.domain}\" is not in allowed list: ${constraints.allowedDomains.join(\", \")}`,\n\t\t\t});\n\t\t}\n\t}\n\n\tif (constraints.rateLimit != null && typeof context.rateLimit === \"number\") {\n\t\tif (context.rateLimit > constraints.rateLimit) {\n\t\t\tviolations.push({\n\t\t\t\tconstraint: \"rateLimit\",\n\t\t\t\tmessage: `Rate ${context.rateLimit} exceeds limit ${constraints.rateLimit}`,\n\t\t\t});\n\t\t}\n\t}\n\n\treturn violations;\n}\n","import type { CallToolResult } from \"@modelcontextprotocol/sdk/types.js\";\nimport type { AuthErrorPayload, ConstraintViolation } from \"./types.js\";\n\n// ── Error Codes ──\n\nexport const McpAuthErrorCodes = {\n\tNOT_AUTHENTICATED: \"NOT_AUTHENTICATED\",\n\tSESSION_EXPIRED: \"SESSION_EXPIRED\",\n\tSESSION_MISMATCH: \"SESSION_MISMATCH\",\n\tINSUFFICIENT_SCOPES: \"INSUFFICIENT_SCOPES\",\n\tCONSTRAINT_VIOLATION: \"CONSTRAINT_VIOLATION\",\n\tCONFIGURATION_ERROR: \"CONFIGURATION_ERROR\",\n} as const;\n\nexport type McpAuthErrorCode = (typeof McpAuthErrorCodes)[keyof typeof McpAuthErrorCodes];\n\n// ── Error Response Builders ──\n\nexport function authError(message: string, code: string, details?: string[]): CallToolResult {\n\tconst payload: AuthErrorPayload = { error: message, code };\n\tif (details && details.length > 0) {\n\t\tpayload.details = details;\n\t}\n\treturn {\n\t\tcontent: [{ type: \"text\", text: JSON.stringify(payload) }],\n\t\tisError: true,\n\t};\n}\n\nexport function scopeError(required: string[], actual: string[]): CallToolResult {\n\tconst missing = required.filter((s) => !actual.includes(s));\n\treturn authError(\n\t\t`Insufficient scopes. 
Missing: ${missing.join(\", \")}`,\n\t\tMcpAuthErrorCodes.INSUFFICIENT_SCOPES,\n\t\t[`required: ${required.join(\", \")}`, `granted: ${actual.join(\", \")}`],\n\t);\n}\n\nexport function constraintError(violations: ConstraintViolation[]): CallToolResult {\n\treturn authError(\n\t\t`Constraint violation: ${violations.map((v) => v.message).join(\"; \")}`,\n\t\tMcpAuthErrorCodes.CONSTRAINT_VIOLATION,\n\t\tviolations.map((v) => `${v.constraint}: ${v.message}`),\n\t);\n}\n","import type { ChallengeMessage } from \"@credat/sdk\";\nimport type { SessionAuth, StoredChallenge } from \"./types.js\";\n\nconst DEFAULT_MAX_SIZE = 1000;\nconst CLEANUP_THRESHOLD = 100;\n\n// ── Challenge Store ──\n\nexport class ChallengeStore {\n\tprivate store = new Map<string, StoredChallenge>();\n\tprivate readonly maxAgeMs: number;\n\tprivate readonly maxSize: number;\n\tprivate insertsSinceCleanup = 0;\n\n\tconstructor(maxAgeMs: number, maxSize = DEFAULT_MAX_SIZE) {\n\t\tthis.maxAgeMs = maxAgeMs;\n\t\tthis.maxSize = maxSize;\n\t}\n\n\tset(nonce: string, challenge: ChallengeMessage, sessionId: string): void {\n\t\tthis.store.set(nonce, {\n\t\t\tchallenge,\n\t\t\tsessionId,\n\t\t\tcreatedAt: Date.now(),\n\t\t});\n\n\t\tthis.insertsSinceCleanup++;\n\t\tif (this.insertsSinceCleanup >= CLEANUP_THRESHOLD || this.store.size > this.maxSize) {\n\t\t\tthis.cleanup();\n\t\t\tthis.insertsSinceCleanup = 0;\n\t\t}\n\t}\n\n\t/** Consume a challenge (single-use). Returns and deletes. 
*/\n\tconsume(nonce: string): StoredChallenge | undefined {\n\t\tconst entry = this.store.get(nonce);\n\t\tif (!entry) return undefined;\n\n\t\tthis.store.delete(nonce);\n\n\t\tif (Date.now() - entry.createdAt > this.maxAgeMs) {\n\t\t\treturn undefined;\n\t\t}\n\n\t\treturn entry;\n\t}\n\n\tcleanup(): void {\n\t\tconst now = Date.now();\n\t\tfor (const [nonce, entry] of this.store) {\n\t\t\tif (now - entry.createdAt > this.maxAgeMs) {\n\t\t\t\tthis.store.delete(nonce);\n\t\t\t}\n\t\t}\n\n\t\t// Evict oldest if still over max size\n\t\tif (this.store.size > this.maxSize) {\n\t\t\tconst entries = [...this.store.entries()].sort((a, b) => a[1].createdAt - b[1].createdAt);\n\t\t\tconst toRemove = entries.slice(0, this.store.size - this.maxSize);\n\t\t\tfor (const [nonce] of toRemove) {\n\t\t\t\tthis.store.delete(nonce);\n\t\t\t}\n\t\t}\n\t}\n\n\tget size(): number {\n\t\treturn this.store.size;\n\t}\n}\n\n// ── Session Store ──\n\nexport class SessionStore {\n\tprivate store = new Map<string, SessionAuth>();\n\tprivate readonly maxAgeMs: number;\n\tprivate insertsSinceCleanup = 0;\n\n\tconstructor(maxAgeMs: number) {\n\t\tthis.maxAgeMs = maxAgeMs;\n\t}\n\n\tset(sessionId: string, auth: SessionAuth): void {\n\t\tthis.store.set(sessionId, auth);\n\n\t\tthis.insertsSinceCleanup++;\n\t\tif (this.insertsSinceCleanup >= CLEANUP_THRESHOLD) {\n\t\t\tthis.cleanup();\n\t\t\tthis.insertsSinceCleanup = 0;\n\t\t}\n\t}\n\n\tget(sessionId: string): SessionAuth | undefined {\n\t\tconst entry = this.store.get(sessionId);\n\t\tif (!entry) return undefined;\n\n\t\tif (Date.now() - entry.authenticatedAt > this.maxAgeMs) {\n\t\t\tthis.store.delete(sessionId);\n\t\t\treturn undefined;\n\t\t}\n\n\t\treturn entry;\n\t}\n\n\tdelete(sessionId: string): boolean {\n\t\treturn this.store.delete(sessionId);\n\t}\n\n\tcleanup(): void {\n\t\tconst now = Date.now();\n\t\tfor (const [sessionId, entry] of this.store) {\n\t\t\tif (now - entry.authenticatedAt > this.maxAgeMs) 
{\n\t\t\t\tthis.store.delete(sessionId);\n\t\t\t}\n\t\t}\n\t}\n\n\tget size(): number {\n\t\treturn this.store.size;\n\t}\n}\n","import type { CallToolResult } from \"@modelcontextprotocol/sdk/types.js\";\nimport type { PresentationMessage } from \"@credat/sdk\";\nimport { verifyPresentation } from \"@credat/sdk\";\nimport { authError, McpAuthErrorCodes } from \"../errors.js\";\nimport type { ChallengeStore, SessionStore } from \"../session.js\";\nimport type { CredatAuthOptions, ToolExtra } from \"../types.js\";\n\nconst STDIO_SESSION_KEY = \"__stdio__\";\n\nexport function createAuthenticateHandler(\n\tconfig: CredatAuthOptions,\n\tchallengeStore: ChallengeStore,\n\tsessionStore: SessionStore,\n) {\n\treturn async (\n\t\targs: { presentation: PresentationMessage },\n\t\textra: ToolExtra,\n\t): Promise<CallToolResult> => {\n\t\tconst { presentation } = args;\n\t\tconst sessionId = extra.sessionId ?? STDIO_SESSION_KEY;\n\n\t\t// 1. Consume challenge (single-use nonce)\n\t\tconst stored = challengeStore.consume(presentation.nonce);\n\t\tif (!stored) {\n\t\t\treturn authError(\n\t\t\t\t\"Unknown or expired challenge nonce. Request a new challenge.\",\n\t\t\t\tMcpAuthErrorCodes.NOT_AUTHENTICATED,\n\t\t\t);\n\t\t}\n\n\t\t// 2. Verify session binding\n\t\tif (stored.sessionId !== sessionId) {\n\t\t\treturn authError(\n\t\t\t\t\"Challenge was issued to a different session.\",\n\t\t\t\tMcpAuthErrorCodes.SESSION_MISMATCH,\n\t\t\t);\n\t\t}\n\n\t\t// 3. Resolve agent public key\n\t\tlet agentPublicKey: Uint8Array;\n\t\tif (config.agentPublicKey) {\n\t\t\tagentPublicKey = config.agentPublicKey;\n\t\t} else if (config.resolveAgentKey) {\n\t\t\ttry {\n\t\t\t\tagentPublicKey = await config.resolveAgentKey(presentation.from);\n\t\t\t} catch (err) {\n\t\t\t\tconst message = err instanceof Error ? 
err.message : \"Unknown error\";\n\t\t\t\treturn authError(\n\t\t\t\t\t`Failed to resolve agent public key for ${presentation.from}: ${message}`,\n\t\t\t\t\tMcpAuthErrorCodes.CONFIGURATION_ERROR,\n\t\t\t\t);\n\t\t\t}\n\t\t} else {\n\t\t\treturn authError(\n\t\t\t\t\"No agentPublicKey configured and no resolveAgentKey callback provided.\",\n\t\t\t\tMcpAuthErrorCodes.CONFIGURATION_ERROR,\n\t\t\t);\n\t\t}\n\n\t\t// 4. Verify presentation\n\t\tconst result = await verifyPresentation(presentation, {\n\t\t\tchallenge: stored.challenge,\n\t\t\townerPublicKey: config.ownerPublicKey,\n\t\t\tagentPublicKey,\n\t\t\tchallengeMaxAgeMs: config.challengeMaxAgeMs,\n\t\t});\n\n\t\tif (!result.valid) {\n\t\t\tconst details = result.errors.map((e) => `${e.code}: ${e.message}`);\n\t\t\treturn authError(\n\t\t\t\t\"Authentication failed.\",\n\t\t\t\tresult.errors[0]?.code ?? \"HANDSHAKE_VERIFICATION_FAILED\",\n\t\t\t\tdetails,\n\t\t\t);\n\t\t}\n\n\t\t// 5. Store session auth\n\t\tsessionStore.set(sessionId, {\n\t\t\tdelegationResult: result,\n\t\t\tauthenticatedAt: Date.now(),\n\t\t});\n\n\t\treturn {\n\t\t\tcontent: [\n\t\t\t\t{\n\t\t\t\t\ttype: \"text\",\n\t\t\t\t\ttext: JSON.stringify({\n\t\t\t\t\t\tauthenticated: true,\n\t\t\t\t\t\tagent: result.agent,\n\t\t\t\t\t\tscopes: result.scopes,\n\t\t\t\t\t}),\n\t\t\t\t},\n\t\t\t],\n\t\t};\n\t};\n}\n","import type { CallToolResult } from \"@modelcontextprotocol/sdk/types.js\";\nimport { createChallenge } from \"@credat/sdk\";\nimport type { ChallengeStore } from \"../session.js\";\nimport type { ToolExtra } from \"../types.js\";\n\nconst STDIO_SESSION_KEY = \"__stdio__\";\n\nexport function createChallengeHandler(serverDid: string, challengeStore: ChallengeStore) {\n\treturn (extra: ToolExtra): CallToolResult => {\n\t\tconst challenge = createChallenge({ from: serverDid });\n\t\tconst sessionId = extra.sessionId ?? 
STDIO_SESSION_KEY;\n\n\t\tchallengeStore.set(challenge.nonce, challenge, sessionId);\n\n\t\treturn {\n\t\t\tcontent: [{ type: \"text\", text: JSON.stringify(challenge) }],\n\t\t};\n\t};\n}\n"],"mappings":";AAEA,SAAS,SAAS;;;ACDlB,SAAS,cAAc,mBAAmB;;;ACEnC,SAAS,oBACf,aACA,SACwB;AACxB,MAAI,CAAC,YAAa,QAAO,CAAC;AAE1B,QAAM,aAAoC,CAAC;AAE3C,MAAI,YAAY,uBAAuB,QAAQ,QAAQ,oBAAoB,MAAM;AAChF,QAAI,QAAQ,mBAAmB,YAAY,qBAAqB;AAC/D,iBAAW,KAAK;AAAA,QACf,YAAY;AAAA,QACZ,SAAS,GAAG,QAAQ,gBAAgB,gBAAgB,YAAY,mBAAmB;AAAA,MACpF,CAAC;AAAA,IACF;AAAA,EACD;AAEA,MAAI,YAAY,kBAAkB,QAAQ,QAAQ,UAAU,MAAM;AACjE,QAAI,CAAC,YAAY,eAAe,SAAS,QAAQ,MAAM,GAAG;AACzD,iBAAW,KAAK;AAAA,QACf,YAAY;AAAA,QACZ,SAAS,WAAW,QAAQ,MAAM,6BAA6B,YAAY,eAAe,KAAK,IAAI,CAAC;AAAA,MACrG,CAAC;AAAA,IACF;AAAA,EACD;AAEA,MAAI,YAAY,aAAa,QAAQ,OAAO,QAAQ,cAAc,UAAU;AAC3E,QAAI,QAAQ,YAAY,YAAY,WAAW;AAC9C,iBAAW,KAAK;AAAA,QACf,YAAY;AAAA,QACZ,SAAS,QAAQ,QAAQ,SAAS,kBAAkB,YAAY,SAAS;AAAA,MAC1E,CAAC;AAAA,IACF;AAAA,EACD;AAEA,SAAO;AACR;;;AClCO,IAAM,oBAAoB;AAAA,EAChC,mBAAmB;AAAA,EACnB,iBAAiB;AAAA,EACjB,kBAAkB;AAAA,EAClB,qBAAqB;AAAA,EACrB,sBAAsB;AAAA,EACtB,qBAAqB;AACtB;AAMO,SAAS,UAAU,SAAiB,MAAc,SAAoC;AAC5F,QAAM,UAA4B,EAAE,OAAO,SAAS,KAAK;AACzD,MAAI,WAAW,QAAQ,SAAS,GAAG;AAClC,YAAQ,UAAU;AAAA,EACnB;AACA,SAAO;AAAA,IACN,SAAS,CAAC,EAAE,MAAM,QAAQ,MAAM,KAAK,UAAU,OAAO,EAAE,CAAC;AAAA,IACzD,SAAS;AAAA,EACV;AACD;AAEO,SAAS,WAAW,UAAoB,QAAkC;AAChF,QAAM,UAAU,SAAS,OAAO,CAAC,MAAM,CAAC,OAAO,SAAS,CAAC,CAAC;AAC1D,SAAO;AAAA,IACN,iCAAiC,QAAQ,KAAK,IAAI,CAAC;AAAA,IACnD,kBAAkB;AAAA,IAClB,CAAC,aAAa,SAAS,KAAK,IAAI,CAAC,IAAI,YAAY,OAAO,KAAK,IAAI,CAAC,EAAE;AAAA,EACrE;AACD;AAEO,SAAS,gBAAgB,YAAmD;AAClF,SAAO;AAAA,IACN,yBAAyB,WAAW,IAAI,CAAC,MAAM,EAAE,OAAO,EAAE,KAAK,IAAI,CAAC;AAAA,IACpE,kBAAkB;AAAA,IAClB,WAAW,IAAI,CAAC,MAAM,GAAG,EAAE,UAAU,KAAK,EAAE,OAAO,EAAE;AAAA,EACtD;AACD;;;AFrCA,IAAM,oBAAoB;AAYnB,SAAS,cAAc,cAA4B;AACzD,SAAO,SAAS,QACf,SACA,SACqB;AACrB,WAAO,CAAC,MAAa,UAAqB;AACzC,YAAM,YAAY,MAAM,aAAa;AAGrC,YAAM,UAAU,aAAa,IAAI,SAAS;AAC1C,UAAI,CAAC,SAAS;AACb,eAAO;AAAA,UACN;AAAA,UACA,kBAAkB;AAAA,QACnB;AAAA,MA
CD;AAEA,YAAM,EAAE,iBAAiB,IAAI;AAG7B,UAAI,QAAQ,UAAU,QAAQ,OAAO,SAAS,GAAG;AAChD,YAAI,CAAC,aAAa,kBAAkB,QAAQ,MAAM,GAAG;AACpD,iBAAO,WAAW,QAAQ,QAAQ,iBAAiB,MAAM;AAAA,QAC1D;AAAA,MACD;AAGA,UAAI,QAAQ,YAAY,QAAQ,SAAS,SAAS,GAAG;AACpD,YAAI,CAAC,YAAY,kBAAkB,QAAQ,QAAQ,GAAG;AACrD,iBAAO,WAAW,QAAQ,UAAU,iBAAiB,MAAM;AAAA,QAC5D;AAAA,MACD;AAGA,UAAI,QAAQ,mBAAmB;AAC9B,cAAM,UACL,OAAO,QAAQ,sBAAsB,aAClC,QAAQ,kBAAkB,IAA+B,IACzD,QAAQ;AAEZ,cAAM,aAAa,oBAAoB,iBAAiB,aAAa,OAAO;AAC5E,YAAI,WAAW,SAAS,GAAG;AAC1B,iBAAO,gBAAgB,UAAU;AAAA,QAClC;AAAA,MACD;AAGA,YAAM,cAA2B;AAAA,QAChC,UAAU,iBAAiB;AAAA,QAC3B,UAAU,iBAAiB;AAAA,QAC3B,QAAQ,iBAAiB;AAAA,QACzB,aAAa,iBAAiB;AAAA,MAC/B;AAEA,YAAM,iBAAiB,OAAO,OAAO,CAAC,GAAG,OAAO;AAAA,QAC/C,MAAM;AAAA,MACP,CAAC;AAED,aAAO,QAAQ,MAAM,cAAc;AAAA,IACpC;AAAA,EACD;AACD;;;AG7EA,IAAM,mBAAmB;AACzB,IAAM,oBAAoB;AAInB,IAAM,iBAAN,MAAqB;AAAA,EACnB,QAAQ,oBAAI,IAA6B;AAAA,EAChC;AAAA,EACA;AAAA,EACT,sBAAsB;AAAA,EAE9B,YAAY,UAAkB,UAAU,kBAAkB;AACzD,SAAK,WAAW;AAChB,SAAK,UAAU;AAAA,EAChB;AAAA,EAEA,IAAI,OAAe,WAA6B,WAAyB;AACxE,SAAK,MAAM,IAAI,OAAO;AAAA,MACrB;AAAA,MACA;AAAA,MACA,WAAW,KAAK,IAAI;AAAA,IACrB,CAAC;AAED,SAAK;AACL,QAAI,KAAK,uBAAuB,qBAAqB,KAAK,MAAM,OAAO,KAAK,SAAS;AACpF,WAAK,QAAQ;AACb,WAAK,sBAAsB;AAAA,IAC5B;AAAA,EACD;AAAA;AAAA,EAGA,QAAQ,OAA4C;AACnD,UAAM,QAAQ,KAAK,MAAM,IAAI,KAAK;AAClC,QAAI,CAAC,MAAO,QAAO;AAEnB,SAAK,MAAM,OAAO,KAAK;AAEvB,QAAI,KAAK,IAAI,IAAI,MAAM,YAAY,KAAK,UAAU;AACjD,aAAO;AAAA,IACR;AAEA,WAAO;AAAA,EACR;AAAA,EAEA,UAAgB;AACf,UAAM,MAAM,KAAK,IAAI;AACrB,eAAW,CAAC,OAAO,KAAK,KAAK,KAAK,OAAO;AACxC,UAAI,MAAM,MAAM,YAAY,KAAK,UAAU;AAC1C,aAAK,MAAM,OAAO,KAAK;AAAA,MACxB;AAAA,IACD;AAGA,QAAI,KAAK,MAAM,OAAO,KAAK,SAAS;AACnC,YAAM,UAAU,CAAC,GAAG,KAAK,MAAM,QAAQ,CAAC,EAAE,KAAK,CAAC,GAAG,MAAM,EAAE,CAAC,EAAE,YAAY,EAAE,CAAC,EAAE,SAAS;AACxF,YAAM,WAAW,QAAQ,MAAM,GAAG,KAAK,MAAM,OAAO,KAAK,OAAO;AAChE,iBAAW,CAAC,KAAK,KAAK,UAAU;AAC/B,aAAK,MAAM,OAAO,KAAK;AAAA,MACxB;AAAA,IACD;AAAA,EACD;AAAA,EAEA,IAAI,OAAe;AAClB,WAAO,KAAK,MAAM;AAAA,EACnB;AACD;AAIO,IAAM,eAAN,MAAmB;AAAA,EACjB,QAAQ,oBAAI,IAAyB;AAAA,EAC5B;AAAA,EACT,sBAAsB;AAAA,EA
E9B,YAAY,UAAkB;AAC7B,SAAK,WAAW;AAAA,EACjB;AAAA,EAEA,IAAI,WAAmB,MAAyB;AAC/C,SAAK,MAAM,IAAI,WAAW,IAAI;AAE9B,SAAK;AACL,QAAI,KAAK,uBAAuB,mBAAmB;AAClD,WAAK,QAAQ;AACb,WAAK,sBAAsB;AAAA,IAC5B;AAAA,EACD;AAAA,EAEA,IAAI,WAA4C;AAC/C,UAAM,QAAQ,KAAK,MAAM,IAAI,SAAS;AACtC,QAAI,CAAC,MAAO,QAAO;AAEnB,QAAI,KAAK,IAAI,IAAI,MAAM,kBAAkB,KAAK,UAAU;AACvD,WAAK,MAAM,OAAO,SAAS;AAC3B,aAAO;AAAA,IACR;AAEA,WAAO;AAAA,EACR;AAAA,EAEA,OAAO,WAA4B;AAClC,WAAO,KAAK,MAAM,OAAO,SAAS;AAAA,EACnC;AAAA,EAEA,UAAgB;AACf,UAAM,MAAM,KAAK,IAAI;AACrB,eAAW,CAAC,WAAW,KAAK,KAAK,KAAK,OAAO;AAC5C,UAAI,MAAM,MAAM,kBAAkB,KAAK,UAAU;AAChD,aAAK,MAAM,OAAO,SAAS;AAAA,MAC5B;AAAA,IACD;AAAA,EACD;AAAA,EAEA,IAAI,OAAe;AAClB,WAAO,KAAK,MAAM;AAAA,EACnB;AACD;;;ACrHA,SAAS,0BAA0B;AAKnC,IAAMA,qBAAoB;AAEnB,SAAS,0BACf,QACA,gBACA,cACC;AACD,SAAO,OACN,MACA,UAC6B;AAC7B,UAAM,EAAE,aAAa,IAAI;AACzB,UAAM,YAAY,MAAM,aAAaA;AAGrC,UAAM,SAAS,eAAe,QAAQ,aAAa,KAAK;AACxD,QAAI,CAAC,QAAQ;AACZ,aAAO;AAAA,QACN;AAAA,QACA,kBAAkB;AAAA,MACnB;AAAA,IACD;AAGA,QAAI,OAAO,cAAc,WAAW;AACnC,aAAO;AAAA,QACN;AAAA,QACA,kBAAkB;AAAA,MACnB;AAAA,IACD;AAGA,QAAI;AACJ,QAAI,OAAO,gBAAgB;AAC1B,uBAAiB,OAAO;AAAA,IACzB,WAAW,OAAO,iBAAiB;AAClC,UAAI;AACH,yBAAiB,MAAM,OAAO,gBAAgB,aAAa,IAAI;AAAA,MAChE,SAAS,KAAK;AACb,cAAM,UAAU,eAAe,QAAQ,IAAI,UAAU;AACrD,eAAO;AAAA,UACN,0CAA0C,aAAa,IAAI,KAAK,OAAO;AAAA,UACvE,kBAAkB;AAAA,QACnB;AAAA,MACD;AAAA,IACD,OAAO;AACN,aAAO;AAAA,QACN;AAAA,QACA,kBAAkB;AAAA,MACnB;AAAA,IACD;AAGA,UAAM,SAAS,MAAM,mBAAmB,cAAc;AAAA,MACrD,WAAW,OAAO;AAAA,MAClB,gBAAgB,OAAO;AAAA,MACvB;AAAA,MACA,mBAAmB,OAAO;AAAA,IAC3B,CAAC;AAED,QAAI,CAAC,OAAO,OAAO;AAClB,YAAM,UAAU,OAAO,OAAO,IAAI,CAAC,MAAM,GAAG,EAAE,IAAI,KAAK,EAAE,OAAO,EAAE;AAClE,aAAO;AAAA,QACN;AAAA,QACA,OAAO,OAAO,CAAC,GAAG,QAAQ;AAAA,QAC1B;AAAA,MACD;AAAA,IACD;AAGA,iBAAa,IAAI,WAAW;AAAA,MAC3B,kBAAkB;AAAA,MAClB,iBAAiB,KAAK,IAAI;AAAA,IAC3B,CAAC;AAED,WAAO;AAAA,MACN,SAAS;AAAA,QACR;AAAA,UACC,MAAM;AAAA,UACN,MAAM,KAAK,UAAU;AAAA,YACpB,eAAe;AAAA,YACf,OAAO,OAAO;AAAA,YACd,QAAQ,OAAO;AAAA,UAChB,CAAC;AAAA,QACF;AAAA,MACD;AAAA,IACD;AAAA,EACD;AACD;;;AC9FA,SAAS,uBAAuB;AAIhC,IAA
MC,qBAAoB;AAEnB,SAAS,uBAAuB,WAAmB,gBAAgC;AACzF,SAAO,CAAC,UAAqC;AAC5C,UAAM,YAAY,gBAAgB,EAAE,MAAM,UAAU,CAAC;AACrD,UAAM,YAAY,MAAM,aAAaA;AAErC,mBAAe,IAAI,UAAU,OAAO,WAAW,SAAS;AAExD,WAAO;AAAA,MACN,SAAS,CAAC,EAAE,MAAM,QAAQ,MAAM,KAAK,UAAU,SAAS,EAAE,CAAC;AAAA,IAC5D;AAAA,EACD;AACD;;;ANHA,IAAM,+BAA+B,IAAI,KAAK;AAC9C,IAAM,6BAA6B,KAAK,KAAK;AAC7C,IAAM,sBAAsB;AAE5B,IAAMC,qBAAoB;AAOnB,IAAM,aAAN,MAAiB;AAAA,EACN;AAAA,EAQA;AAAA,EACA;AAAA,EACA;AAAA,EAEjB,YAAY,SAA4B;AACvC,QAAI,CAAC,QAAQ,WAAW;AACvB,YAAM,IAAI,MAAM,mCAAmC;AAAA,IACpD;AACA,QAAI,CAAC,QAAQ,kBAAkB,QAAQ,eAAe,WAAW,GAAG;AACnE,YAAM,IAAI,MAAM,wCAAwC;AAAA,IACzD;AAEA,SAAK,SAAS;AAAA,MACb,WAAW,QAAQ;AAAA,MACnB,gBAAgB,QAAQ;AAAA,MACxB,gBAAgB,QAAQ;AAAA,MACxB,iBAAiB,QAAQ;AAAA,MACzB,mBAAmB,QAAQ,qBAAqB;AAAA,MAChD,iBAAiB,QAAQ,mBAAmB;AAAA,MAC5C,YAAY,QAAQ,cAAc;AAAA,IACnC;AAEA,SAAK,iBAAiB,IAAI,eAAe,KAAK,OAAO,iBAAiB;AACtE,SAAK,eAAe,IAAI,aAAa,KAAK,OAAO,eAAe;AAChE,SAAK,YAAY,cAAc,KAAK,YAAY;AAAA,EACjD;AAAA;AAAA,EAGA,QAAQ,QAAyB;AAChC,UAAM,SAAS,KAAK,OAAO;AAE3B,UAAM,mBAAmB,uBAAuB,KAAK,OAAO,WAAW,KAAK,cAAc;AAE1F,UAAM,sBAAsB;AAAA,MAC3B,KAAK;AAAA,MACL,KAAK;AAAA,MACL,KAAK;AAAA,IACN;AAGA,WAAO;AAAA,MACN,GAAG,MAAM;AAAA,MACT;AAAA,QACC,aACC;AAAA,MACF;AAAA,MACA,CAAC,UAAU,iBAAiB,KAAkB;AAAA,IAC/C;AAGA,WAAO;AAAA,MACN,GAAG,MAAM;AAAA,MACT;AAAA,QACC,aACC;AAAA,QACD,aAAa,EAAE,OAAO;AAAA,UACrB,cAAc,EAAE,OAAO;AAAA,YACtB,MAAM,EAAE,QAAQ,qBAAqB;AAAA,YACrC,YAAY,EAAE,OAAO;AAAA,YACrB,OAAO,EAAE,OAAO;AAAA,YAChB,OAAO,EAAE,OAAO;AAAA,YAChB,MAAM,EAAE,OAAO;AAAA,UAChB,CAAC;AAAA,QACF,CAAC;AAAA,MACF;AAAA,MACA,CAAC,MAAM,UACN;AAAA,QACC;AAAA,QASA;AAAA,MACD;AAAA,IACF;AAAA,EACD;AAAA;AAAA,EAGA,QACC,SACA,SACC;AACD,WAAO,KAAK,UAAU,SAAS,OAAO;AAAA,EACvC;AAAA;AAAA,EAGA,gBAAgB,WAA6B;AAC5C,UAAM,MAAM,aAAaA;AACzB,WAAO,KAAK,aAAa,IAAI,GAAG,MAAM;AAAA,EACvC;AAAA;AAAA,EAGA,eAAe,WAA6C;AAC3D,UAAM,MAAM,aAAaA;AACzB,WAAO,KAAK,aAAa,IAAI,GAAG;AAAA,EACjC;AAAA;AAAA,EAGA,cAAc,WAA0B;AACvC,UAAM,MAAM,aAAaA;AACzB,SAAK,aAAa,OAAO,GAAG;AAAA,EAC7B;AACD;","names":["STDIO_SESSION_KEY","STDIO_SESSION_KEY","STDIO_SESSION_KEY"]}
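--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "@credat/mcp",
- "version": "0.1.2-alpha.1",
+ "version": "0.2.0-alpha.1",
  "description": "Trust & authentication layer for MCP servers — verify agent identity, delegated permissions, and scopes using Credat",
  "type": "module",
  "main": "./dist/index.cjs",
@@ -61,15 +61,15 @@
  "node": ">=22.0.0"
  },
  "peerDependencies": {
- "credat": "^0.2.0-alpha.1",
+ "@credat/sdk": "^0.3.0-alpha.1",
  "@modelcontextprotocol/sdk": "^1.27.0",
  "zod": "^3.25.0"
  },
  "devDependencies": {
  "@biomejs/biome": "^2.4.0",
+ "@credat/sdk": "^0.3.0-alpha.1",
  "@modelcontextprotocol/sdk": "^1.27.0",
  "@types/node": "^22.0.0",
- "credat": "^0.2.0-alpha.1",
  "tsup": "^8.5.1",
  "typescript": "^5.9.3",
  "vitest": "^4.0.18",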
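Review bot: The new peer range `"@credat/sdk": "^0.3.0-alpha.1"` in `peerDependencies` is loose for the package that performs the security checks here: the bundled sources import `verifyPresentation`, `createChallenge`, `hasAllScopes` and `hasAnyScope` from `@credat/sdk`, so signature and scope verification run in whatever version the consumer's install resolves. Under npm's semver rules a caret range on a 0.x prerelease also accepts later `0.3.0` prereleases and any `0.3.x` release, so a deployment can end up with verification code this build was never tested against. While the SDK is in alpha I would pin the peer to the tested version, `"@credat/sdk": "0.3.0-alpha.1"`, and widen the range once a stable 0.3 line exists. The move from the unscoped `credat` name to the scoped package also deserves an explicit changelog entry, so that consumers remove the old dependency instead of keeping both installed.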