@cyanheads/mcp-ts-core 0.1.0-beta.12

package/dist/mcp-server/transports/auth/authMiddleware.d.ts

@@ -0,0 +1,24 @@
+/**
+ * @fileoverview Defines a unified Hono middleware for authentication.
+ * This middleware is strategy-agnostic. It extracts a Bearer token,
+ * delegates verification to the provided authentication strategy, and
+ * populates the async-local storage context with the resulting auth info.
+ *
+ * Errors from the strategy propagate directly to the Hono global error
+ * handler ({@link httpErrorHandler}), which handles OTel recording, logging,
+ * and JSON-RPC response formatting.
+ * @module src/mcp-server/transports/auth/authMiddleware
+ */
+import type { HttpBindings } from '@hono/node-server';
+import type { MiddlewareHandler } from 'hono';
+import type { AuthStrategy } from '../../../mcp-server/transports/auth/strategies/authStrategy.js';
+/**
+ * Creates a Hono middleware function that enforces authentication using a given strategy.
+ *
+ * @param strategy - An instance of a class that implements the `AuthStrategy` interface.
+ * @returns A Hono middleware function.
+ */
+export declare function createAuthMiddleware(strategy: AuthStrategy): MiddlewareHandler<{
+    Bindings: HttpBindings;
+}>;
+//# sourceMappingURL=authMiddleware.d.ts.map

package/dist/mcp-server/transports/auth/authMiddleware.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"authMiddleware.d.ts","sourceRoot":"","sources":["../../../../src/mcp-server/transports/auth/authMiddleware.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAEtD,OAAO,KAAK,EAAW,iBAAiB,EAAQ,MAAM,MAAM,CAAC;AAG7D,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,yDAAyD,CAAC;AAK5F;;;;;GAKG;AACH,wBAAgB,oBAAoB,CAClC,QAAQ,EAAE,YAAY,GACrB,iBAAiB,CAAC;IAAE,QAAQ,EAAE,YAAY,CAAA;CAAE,CAAC,CAwD/C"}

package/dist/mcp-server/transports/auth/authMiddleware.js

@@ -0,0 +1,69 @@
+/**
+ * @fileoverview Defines a unified Hono middleware for authentication.
+ * This middleware is strategy-agnostic. It extracts a Bearer token,
+ * delegates verification to the provided authentication strategy, and
+ * populates the async-local storage context with the resulting auth info.
+ *
+ * Errors from the strategy propagate directly to the Hono global error
+ * handler ({@link httpErrorHandler}), which handles OTel recording, logging,
+ * and JSON-RPC response formatting.
+ * @module src/mcp-server/transports/auth/authMiddleware
+ */
+import { trace } from '@opentelemetry/api';
+import { authContext } from '../../../mcp-server/transports/auth/lib/authContext.js';
+import { JsonRpcErrorCode, McpError } from '../../../types-global/errors.js';
+import { logger } from '../../../utils/internal/logger.js';
+import { requestContextService } from '../../../utils/internal/requestContext.js';
+/**
+ * Creates a Hono middleware function that enforces authentication using a given strategy.
+ *
+ * @param strategy - An instance of a class that implements the `AuthStrategy` interface.
+ * @returns A Hono middleware function.
+ */
+export function createAuthMiddleware(strategy) {
+    return async function authMiddleware(c, next) {
+        const context = requestContextService.createRequestContext({
+            operation: 'authMiddleware',
+            additionalContext: {
+                method: c.req.method,
+                path: c.req.path,
+            },
+        });
+        logger.debug('Initiating authentication check.', context);
+        const authHeader = c.req.header('Authorization');
+        if (!authHeader?.startsWith('Bearer ')) {
+            logger.warning('Authorization header missing or invalid.', context);
+            throw new McpError(JsonRpcErrorCode.Unauthorized, 'Missing or invalid Authorization header. Bearer scheme required.');
+        }
+        const token = authHeader.substring(7);
+        if (!token) {
+            logger.warning('Bearer token is missing from Authorization header.', context);
+            throw new McpError(JsonRpcErrorCode.Unauthorized, 'Authentication token is missing.');
+        }
+        logger.debug('Extracted Bearer token, proceeding to verification.', context);
+        // Strategy.verify() throws McpError on failure — errors propagate to httpErrorHandler.
+        const authInfo = await strategy.verify(token);
+        const authLogContext = {
+            ...context,
+            ...(authInfo.tenantId ? { tenantId: authInfo.tenantId } : {}),
+            clientId: authInfo.clientId,
+            subject: authInfo.subject,
+            scopes: authInfo.scopes,
+        };
+        logger.info('Authentication successful. Auth context populated.', authLogContext);
+        // Add authentication context to OpenTelemetry span for distributed tracing
+        const activeSpan = trace.getActiveSpan();
+        if (activeSpan) {
+            activeSpan.setAttributes({
+                'auth.client_id': authInfo.clientId,
+                'auth.tenant_id': authInfo.tenantId ?? 'none',
+                'auth.scopes': authInfo.scopes.join(','),
+                'auth.subject': authInfo.subject ?? 'unknown',
+                'auth.method': 'bearer',
+            });
+        }
+        // Run the next middleware in the chain within the populated auth context.
+        await authContext.run({ authInfo }, next);
+    };
+}
+//# sourceMappingURL=authMiddleware.js.map

package/dist/mcp-server/transports/auth/authMiddleware.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"authMiddleware.js","sourceRoot":"","sources":["../../../../src/mcp-server/transports/auth/authMiddleware.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAGH,OAAO,EAAE,KAAK,EAAE,MAAM,oBAAoB,CAAC;AAG3C,OAAO,EAAE,WAAW,EAAE,MAAM,iDAAiD,CAAC;AAE9E,OAAO,EAAE,gBAAgB,EAAE,QAAQ,EAAE,MAAM,0BAA0B,CAAC;AACtE,OAAO,EAAE,MAAM,EAAE,MAAM,4BAA4B,CAAC;AACpD,OAAO,EAAE,qBAAqB,EAAE,MAAM,oCAAoC,CAAC;AAE3E;;;;;GAKG;AACH,MAAM,UAAU,oBAAoB,CAClC,QAAsB;IAEtB,OAAO,KAAK,UAAU,cAAc,CAAC,CAAsC,EAAE,IAAU;QACrF,MAAM,OAAO,GAAG,qBAAqB,CAAC,oBAAoB,CAAC;YACzD,SAAS,EAAE,gBAAgB;YAC3B,iBAAiB,EAAE;gBACjB,MAAM,EAAE,CAAC,CAAC,GAAG,CAAC,MAAM;gBACpB,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,IAAI;aACjB;SACF,CAAC,CAAC;QAEH,MAAM,CAAC,KAAK,CAAC,kCAAkC,EAAE,OAAO,CAAC,CAAC;QAE1D,MAAM,UAAU,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC;QACjD,IAAI,CAAC,UAAU,EAAE,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;YACvC,MAAM,CAAC,OAAO,CAAC,0CAA0C,EAAE,OAAO,CAAC,CAAC;YACpE,MAAM,IAAI,QAAQ,CAChB,gBAAgB,CAAC,YAAY,EAC7B,kEAAkE,CACnE,CAAC;QACJ,CAAC;QAED,MAAM,KAAK,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;QACtC,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,CAAC,OAAO,CAAC,oDAAoD,EAAE,OAAO,CAAC,CAAC;YAC9E,MAAM,IAAI,QAAQ,CAAC,gBAAgB,CAAC,YAAY,EAAE,kCAAkC,CAAC,CAAC;QACxF,CAAC;QAED,MAAM,CAAC,KAAK,CAAC,qDAAqD,EAAE,OAAO,CAAC,CAAC;QAE7E,uFAAuF;QACvF,MAAM,QAAQ,GAAG,MAAM,QAAQ,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAE9C,MAAM,cAAc,GAAG;YACrB,GAAG,OAAO;YACV,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,QAAQ,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YAC7D,QAAQ,EAAE,QAAQ,CAAC,QAAQ;YAC3B,OAAO,EAAE,QAAQ,CAAC,OAAO;YACzB,MAAM,EAAE,QAAQ,CAAC,MAAM;SACxB,CAAC;QACF,MAAM,CAAC,IAAI,CAAC,oDAAoD,EAAE,cAAc,CAAC,CAAC;QAElF,2EAA2E;QAC3E,MAAM,UAAU,GAAG,KAAK,CAAC,aAAa,EAAE,CAAC;QACzC,IAAI,UAAU,EAAE,CAAC;YACf,UAAU,CAAC,aAAa,CAAC;gBACvB,gBAAgB,EAAE,QAAQ,CAAC,QAAQ;gBACnC,gBAAgB,EAAE,QAAQ,CAAC,QAAQ,IAAI,MAAM;gBAC7C,aAAa,EAAE,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC;gBACxC,cAAc,EAAE,QAAQ,CAAC,OAAO,IAAI,SAAS;gBAC7C,aAAa,EAAE,QAAQ;aACxB,CAAC,CAAC;QACL,CAAC;QAED,0EAA0E;QAC1E,MAAM,WAAW,CAAC,GAAG,CAAC,EAAE,QAAQ,EAAE,EAAE,IAAI,CAAC,CAAC;IAC5C,CAAC,CAAC;AACJ,CAAC"}

package/dist/mcp-server/transports/auth/lib/authContext.d.ts

@@ -0,0 +1,34 @@
+/**
+ * @fileoverview Defines the AsyncLocalStorage context for authentication information.
+ * This module provides a mechanism to store and retrieve authentication details
+ * (like scopes and client ID) across asynchronous operations, making it available
+ * from the middleware layer down to the tool and resource handlers without
+ * drilling props.
+ *
+ * @module src/mcp-server/transports/auth/core/authContext
+ */
+import { AsyncLocalStorage } from 'node:async_hooks';
+import type { AuthInfo } from './authTypes.js';
+/**
+ * Defines the structure of the store used within the AsyncLocalStorage.
+ * It holds the authentication information for the current request context.
+ */
+interface AuthStore {
+    authInfo: AuthInfo;
+}
+/**
+ * An instance of AsyncLocalStorage to hold the authentication context (`AuthStore`).
+ * This allows `authInfo` to be accessible throughout the async call chain of a request
+ * after being set in the authentication middleware.
+ *
+ * @example
+ * // In middleware:
+ * await authContext.run({ authInfo }, next);
+ *
+ * // In a deeper handler:
+ * const store = authContext.getStore();
+ * const scopes = store?.authInfo.scopes;
+ */
+export declare const authContext: AsyncLocalStorage<AuthStore>;
+export {};
+//# sourceMappingURL=authContext.d.ts.map

package/dist/mcp-server/transports/auth/lib/authContext.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"authContext.d.ts","sourceRoot":"","sources":["../../../../../src/mcp-server/transports/auth/lib/authContext.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AACH,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AAErD,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAC;AAE/C;;;GAGG;AACH,UAAU,SAAS;IACjB,QAAQ,EAAE,QAAQ,CAAC;CACpB;AAED;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,WAAW,8BAAqC,CAAC"}

package/dist/mcp-server/transports/auth/lib/authContext.js

@@ -0,0 +1,25 @@
+/**
+ * @fileoverview Defines the AsyncLocalStorage context for authentication information.
+ * This module provides a mechanism to store and retrieve authentication details
+ * (like scopes and client ID) across asynchronous operations, making it available
+ * from the middleware layer down to the tool and resource handlers without
+ * drilling props.
+ *
+ * @module src/mcp-server/transports/auth/core/authContext
+ */
+import { AsyncLocalStorage } from 'node:async_hooks';
+/**
+ * An instance of AsyncLocalStorage to hold the authentication context (`AuthStore`).
+ * This allows `authInfo` to be accessible throughout the async call chain of a request
+ * after being set in the authentication middleware.
+ *
+ * @example
+ * // In middleware:
+ * await authContext.run({ authInfo }, next);
+ *
+ * // In a deeper handler:
+ * const store = authContext.getStore();
+ * const scopes = store?.authInfo.scopes;
+ */
+export const authContext = new AsyncLocalStorage();
+//# sourceMappingURL=authContext.js.map

package/dist/mcp-server/transports/auth/lib/authContext.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"authContext.js","sourceRoot":"","sources":["../../../../../src/mcp-server/transports/auth/lib/authContext.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AACH,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AAYrD;;;;;;;;;;;;GAYG;AACH,MAAM,CAAC,MAAM,WAAW,GAAG,IAAI,iBAAiB,EAAa,CAAC"}

package/dist/mcp-server/transports/auth/lib/authTypes.d.ts

@@ -0,0 +1,19 @@
+/**
+ * @fileoverview Shared types for authentication middleware.
+ * @module src/mcp-server/transports/auth/lib/authTypes
+ */
+import type { AuthInfo as SdkAuthInfo } from '@modelcontextprotocol/sdk/server/auth/types.js';
+/**
+ * Extends the SDK's base AuthInfo with common optional JWT claims
+ * not part of the core MCP auth contract.
+ *
+ * - `subject` — JWT `sub` claim (end-user or service identity)
+ * - `tenantId` — JWT `tid` claim (Azure AD / custom multi-tenant)
+ */
+export type AuthInfo = SdkAuthInfo & {
+    /** JWT `sub` claim — the authenticated subject (user or service). */
+    subject?: string;
+    /** JWT `tid` claim — tenant identifier for multi-tenant deployments. */
+    tenantId?: string;
+};
+//# sourceMappingURL=authTypes.d.ts.map

package/dist/mcp-server/transports/auth/lib/authTypes.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"authTypes.d.ts","sourceRoot":"","sources":["../../../../../src/mcp-server/transports/auth/lib/authTypes.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,OAAO,KAAK,EAAE,QAAQ,IAAI,WAAW,EAAE,MAAM,gDAAgD,CAAC;AAE9F;;;;;;GAMG;AACH,MAAM,MAAM,QAAQ,GAAG,WAAW,GAAG;IACnC,qEAAqE;IACrE,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,wEAAwE;IACxE,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,CAAC"}

package/dist/mcp-server/transports/auth/lib/authTypes.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=authTypes.js.map

package/dist/mcp-server/transports/auth/lib/authTypes.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"authTypes.js","sourceRoot":"","sources":["../../../../../src/mcp-server/transports/auth/lib/authTypes.ts"],"names":[],"mappings":""}

package/dist/mcp-server/transports/auth/lib/authUtils.d.ts

@@ -0,0 +1,18 @@
+/**
+ * @fileoverview Provides utility functions for authorization, specifically for
+ * checking token scopes against required permissions for a given operation.
+ * @module src/mcp-server/transports/auth/core/authUtils
+ */
+import { type RequestContext } from '../../../../utils/internal/requestContext.js';
+/**
+ * Checks if the current authentication context contains all the specified scopes.
+ * When auth is disabled (`MCP_AUTH_MODE=none`), scope checks are skipped.
+ * When auth is enabled and the auth context is missing, fails closed with Unauthorized.
+ *
+ * @param requiredScopes - An array of scope strings that are mandatory for the operation.
+ * @param parentContext - Optional parent request context for trace correlation.
+ * @throws {McpError} Throws `Unauthorized` if auth is enabled but no auth context exists.
+ * @throws {McpError} Throws `Forbidden` if auth is active and required scopes are missing.
+ */
+export declare function withRequiredScopes(requiredScopes: string[], parentContext?: RequestContext): void;
+//# sourceMappingURL=authUtils.d.ts.map

package/dist/mcp-server/transports/auth/lib/authUtils.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"authUtils.d.ts","sourceRoot":"","sources":["../../../../../src/mcp-server/transports/auth/lib/authUtils.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAMH,OAAO,EAAE,KAAK,cAAc,EAAyB,MAAM,oCAAoC,CAAC;AAEhG;;;;;;;;;GASG;AACH,wBAAgB,kBAAkB,CAAC,cAAc,EAAE,MAAM,EAAE,EAAE,aAAa,CAAC,EAAE,cAAc,GAAG,IAAI,CA8DjG"}

package/dist/mcp-server/transports/auth/lib/authUtils.js

@@ -0,0 +1,64 @@
+/**
+ * @fileoverview Provides utility functions for authorization, specifically for
+ * checking token scopes against required permissions for a given operation.
+ * @module src/mcp-server/transports/auth/core/authUtils
+ */
+import { config } from '../../../../config/index.js';
+import { authContext } from '../../../../mcp-server/transports/auth/lib/authContext.js';
+import { JsonRpcErrorCode, McpError } from '../../../../types-global/errors.js';
+import { logger } from '../../../../utils/internal/logger.js';
+import { requestContextService } from '../../../../utils/internal/requestContext.js';
+/**
+ * Checks if the current authentication context contains all the specified scopes.
+ * When auth is disabled (`MCP_AUTH_MODE=none`), scope checks are skipped.
+ * When auth is enabled and the auth context is missing, fails closed with Unauthorized.
+ *
+ * @param requiredScopes - An array of scope strings that are mandatory for the operation.
+ * @param parentContext - Optional parent request context for trace correlation.
+ * @throws {McpError} Throws `Unauthorized` if auth is enabled but no auth context exists.
+ * @throws {McpError} Throws `Forbidden` if auth is active and required scopes are missing.
+ */
+export function withRequiredScopes(requiredScopes, parentContext) {
+    const initialContext = parentContext
+        ? {
+            ...parentContext,
+            operation: 'withRequiredScopesCheck',
+            requiredScopes,
+        }
+        : requestContextService.createRequestContext({
+            operation: 'withRequiredScopesCheck',
+            additionalContext: { requiredScopes },
+        });
+    // Explicitly check if auth is disabled — only skip scope checks when intentionally off.
+    if (config.mcpAuthMode === 'none') {
+        logger.debug('Auth disabled (MCP_AUTH_MODE=none), skipping scope check.', initialContext);
+        return;
+    }
+    const store = authContext.getStore();
+    // Auth is enabled but no context exists — fail closed.
+    if (!store || !store.authInfo) {
+        logger.warning('Auth enabled but no authentication context found. Denying request.', initialContext);
+        throw new McpError(JsonRpcErrorCode.Unauthorized, 'Authentication required but no auth context was established.', initialContext);
+    }
+    logger.debug('Performing scope authorization check.', initialContext);
+    const { scopes: grantedScopes, clientId, subject } = store.authInfo;
+    const grantedScopeSet = new Set(grantedScopes);
+    const missingScopes = requiredScopes.filter((scope) => !grantedScopeSet.has(scope));
+    const finalContext = {
+        ...initialContext,
+        grantedScopes,
+        clientId,
+        subject,
+    };
+    if (missingScopes.length > 0) {
+        // Log full details server-side (grantedScopes, clientId, subject stay in logs)
+        logger.warning('Authorization failed: Missing required scopes.', {
+            ...finalContext,
+            missingScopes,
+        });
+        // Only surface non-sensitive info in the client-facing error
+        throw new McpError(JsonRpcErrorCode.Forbidden, `Insufficient permissions. Missing required scopes: ${missingScopes.join(', ')}`, { requiredScopes, missingScopes });
+    }
+    logger.debug('Scope authorization successful.', finalContext);
+}
+//# sourceMappingURL=authUtils.js.map

package/dist/mcp-server/transports/auth/lib/authUtils.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"authUtils.js","sourceRoot":"","sources":["../../../../../src/mcp-server/transports/auth/lib/authUtils.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,MAAM,EAAE,MAAM,mBAAmB,CAAC;AAC3C,OAAO,EAAE,WAAW,EAAE,MAAM,iDAAiD,CAAC;AAC9E,OAAO,EAAE,gBAAgB,EAAE,QAAQ,EAAE,MAAM,0BAA0B,CAAC;AACtE,OAAO,EAAE,MAAM,EAAE,MAAM,4BAA4B,CAAC;AACpD,OAAO,EAAuB,qBAAqB,EAAE,MAAM,oCAAoC,CAAC;AAEhG;;;;;;;;;GASG;AACH,MAAM,UAAU,kBAAkB,CAAC,cAAwB,EAAE,aAA8B;IACzF,MAAM,cAAc,GAAG,aAAa;QAClC,CAAC,CAAC;YACE,GAAG,aAAa;YAChB,SAAS,EAAE,yBAAyB;YACpC,cAAc;SACf;QACH,CAAC,CAAC,qBAAqB,CAAC,oBAAoB,CAAC;YACzC,SAAS,EAAE,yBAAyB;YACpC,iBAAiB,EAAE,EAAE,cAAc,EAAE;SACtC,CAAC,CAAC;IAEP,wFAAwF;IACxF,IAAI,MAAM,CAAC,WAAW,KAAK,MAAM,EAAE,CAAC;QAClC,MAAM,CAAC,KAAK,CAAC,2DAA2D,EAAE,cAAc,CAAC,CAAC;QAC1F,OAAO;IACT,CAAC;IAED,MAAM,KAAK,GAAG,WAAW,CAAC,QAAQ,EAAE,CAAC;IAErC,uDAAuD;IACvD,IAAI,CAAC,KAAK,IAAI,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC;QAC9B,MAAM,CAAC,OAAO,CACZ,oEAAoE,EACpE,cAAc,CACf,CAAC;QACF,MAAM,IAAI,QAAQ,CAChB,gBAAgB,CAAC,YAAY,EAC7B,8DAA8D,EAC9D,cAAc,CACf,CAAC;IACJ,CAAC;IAED,MAAM,CAAC,KAAK,CAAC,uCAAuC,EAAE,cAAc,CAAC,CAAC;IAEtE,MAAM,EAAE,MAAM,EAAE,aAAa,EAAE,QAAQ,EAAE,OAAO,EAAE,GAAG,KAAK,CAAC,QAAQ,CAAC;IACpE,MAAM,eAAe,GAAG,IAAI,GAAG,CAAC,aAAa,CAAC,CAAC;IAE/C,MAAM,aAAa,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,eAAe,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC;IAEpF,MAAM,YAAY,GAAG;QACnB,GAAG,cAAc;QACjB,aAAa;QACb,QAAQ;QACR,OAAO;KACR,CAAC;IAEF,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC7B,+EAA+E;QAC/E,MAAM,CAAC,OAAO,CAAC,gDAAgD,EAAE;YAC/D,GAAG,YAAY;YACf,aAAa;SACd,CAAC,CAAC;QACH,6DAA6D;QAC7D,MAAM,IAAI,QAAQ,CAChB,gBAAgB,CAAC,SAAS,EAC1B,sDAAsD,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,EAChF,EAAE,cAAc,EAAE,aAAa,EAAE,CAClC,CAAC;IACJ,CAAC;IAED,MAAM,CAAC,KAAK,CAAC,iCAAiC,EAAE,YAAY,CAAC,CAAC;AAChE,CAAC"}

package/dist/mcp-server/transports/auth/lib/checkScopes.d.ts

@@ -0,0 +1,25 @@
+/**
+ * @fileoverview Public API for dynamic scope checking in new-style handlers.
+ * Use when auth scopes depend on runtime input (e.g., `team:${input.teamId}:write`).
+ * For static scopes, prefer the `auth` property on the tool/resource definition.
+ * @module src/mcp-server/transports/auth/lib/checkScopes
+ */
+import type { Context } from '../../../../context.js';
+/**
+ * Checks that the current request has the required auth scopes.
+ * Throws `McpError(Forbidden)` if scopes are insufficient.
+ * No-ops when auth is disabled (`MCP_AUTH_MODE=none`).
+ * Throws `Unauthorized` when auth is enabled but no auth context exists.
+ *
+ * @example
+ * ```ts
+ * import { checkScopes } from '@cyanheads/mcp-ts-core/auth';
+ *
+ * handler: async (input, ctx) => {
+ *   checkScopes(ctx, [`team:${input.teamId}:write`]);
+ *   // ...
+ * },
+ * ```
+ */
+export declare function checkScopes(ctx: Context, requiredScopes: string[]): void;
+//# sourceMappingURL=checkScopes.d.ts.map

package/dist/mcp-server/transports/auth/lib/checkScopes.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"checkScopes.d.ts","sourceRoot":"","sources":["../../../../../src/mcp-server/transports/auth/lib/checkScopes.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AAG5C;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,WAAW,CAAC,GAAG,EAAE,OAAO,EAAE,cAAc,EAAE,MAAM,EAAE,GAAG,IAAI,CASxE"}

package/dist/mcp-server/transports/auth/lib/checkScopes.js

@@ -0,0 +1,34 @@
+/**
+ * @fileoverview Public API for dynamic scope checking in new-style handlers.
+ * Use when auth scopes depend on runtime input (e.g., `team:${input.teamId}:write`).
+ * For static scopes, prefer the `auth` property on the tool/resource definition.
+ * @module src/mcp-server/transports/auth/lib/checkScopes
+ */
+import { withRequiredScopes } from '../../../../mcp-server/transports/auth/lib/authUtils.js';
+/**
+ * Checks that the current request has the required auth scopes.
+ * Throws `McpError(Forbidden)` if scopes are insufficient.
+ * No-ops when auth is disabled (`MCP_AUTH_MODE=none`).
+ * Throws `Unauthorized` when auth is enabled but no auth context exists.
+ *
+ * @example
+ * ```ts
+ * import { checkScopes } from '@cyanheads/mcp-ts-core/auth';
+ *
+ * handler: async (input, ctx) => {
+ *   checkScopes(ctx, [`team:${input.teamId}:write`]);
+ *   // ...
+ * },
+ * ```
+ */
+export function checkScopes(ctx, requiredScopes) {
+    withRequiredScopes(requiredScopes, {
+        requestId: ctx.requestId,
+        timestamp: ctx.timestamp,
+        operation: 'checkScopes',
+        ...(ctx.tenantId ? { tenantId: ctx.tenantId } : {}),
+        ...(ctx.traceId ? { traceId: ctx.traceId } : {}),
+        ...(ctx.spanId ? { spanId: ctx.spanId } : {}),
+    });
+}
+//# sourceMappingURL=checkScopes.js.map

package/dist/mcp-server/transports/auth/lib/checkScopes.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"checkScopes.js","sourceRoot":"","sources":["../../../../../src/mcp-server/transports/auth/lib/checkScopes.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,EAAE,kBAAkB,EAAE,MAAM,+CAA+C,CAAC;AAEnF;;;;;;;;;;;;;;;GAeG;AACH,MAAM,UAAU,WAAW,CAAC,GAAY,EAAE,cAAwB;IAChE,kBAAkB,CAAC,cAAc,EAAE;QACjC,SAAS,EAAE,GAAG,CAAC,SAAS;QACxB,SAAS,EAAE,GAAG,CAAC,SAAS;QACxB,SAAS,EAAE,aAAa;QACxB,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,GAAG,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACnD,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAChD,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAC9C,CAAC,CAAC;AACL,CAAC"}

package/dist/mcp-server/transports/auth/lib/claimParser.d.ts

@@ -0,0 +1,34 @@
+/**
+ * @fileoverview Shared JWT claim parsing and AuthInfo construction.
+ * Extracts and validates standard claims (clientId, scopes, subject, tenantId, expiresAt)
+ * from a decoded JWT payload, producing a fully-formed AuthInfo object.
+ * Used by both JWT and OAuth strategies to ensure consistent claim handling.
+ * @module src/mcp-server/transports/auth/lib/claimParser
+ */
+import type { JWTPayload } from 'jose';
+import type { AuthInfo } from '../../../../mcp-server/transports/auth/lib/authTypes.js';
+/**
+ * Builds an {@link AuthInfo} from a raw token string and decoded JWT payload.
+ *
+ * Claim resolution order:
+ * - **clientId**: `cid` (Okta) → `client_id` (OAuth 2.1 standard)
+ * - **scopes**: `scp` (Okta, array) → `scope` (standard, space-delimited string)
+ * - **subject**: `sub` (standard)
+ * - **tenantId**: `tid` (Azure AD / custom)
+ * - **expiresAt**: `exp` (standard, seconds since epoch)
+ *
+ * @throws {McpError} `Unauthorized` if `clientId` or `scopes` are missing/empty.
+ */
+export declare function buildAuthInfoFromClaims(token: string, payload: JWTPayload): AuthInfo;
+/**
+ * Handles errors thrown by `jose` verification functions.
+ * Rethrows {@link McpError} instances as-is and wraps other errors
+ * (e.g. `JWTExpired`, `JWSSignatureVerificationFailed`) in an
+ * `Unauthorized` McpError.
+ *
+ * @param error - The caught error from a jose verify call.
+ * @param fallbackMessage - Message used when the error is not a recognized jose type.
+ * @throws Always throws — either the original McpError or a new Unauthorized McpError.
+ */
+export declare function handleJoseVerifyError(error: unknown, fallbackMessage: string): never;
+//# sourceMappingURL=claimParser.d.ts.map

package/dist/mcp-server/transports/auth/lib/claimParser.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"claimParser.d.ts","sourceRoot":"","sources":["../../../../../src/mcp-server/transports/auth/lib/claimParser.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AACH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,MAAM,CAAC;AAEvC,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,+CAA+C,CAAC;AAG9E;;;;;;;;;;;GAWG;AACH,wBAAgB,uBAAuB,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,UAAU,GAAG,QAAQ,CAqCpF;AAED;;;;;;;;;GASG;AACH,wBAAgB,qBAAqB,CAAC,KAAK,EAAE,OAAO,EAAE,eAAe,EAAE,MAAM,GAAG,KAAK,CAOpF"}

package/dist/mcp-server/transports/auth/lib/claimParser.js

@@ -0,0 +1,58 @@
+import { JsonRpcErrorCode, McpError } from '../../../../types-global/errors.js';
+/**
+ * Builds an {@link AuthInfo} from a raw token string and decoded JWT payload.
+ *
+ * Claim resolution order:
+ * - **clientId**: `cid` (Okta) → `client_id` (OAuth 2.1 standard)
+ * - **scopes**: `scp` (Okta, array) → `scope` (standard, space-delimited string)
+ * - **subject**: `sub` (standard)
+ * - **tenantId**: `tid` (Azure AD / custom)
+ * - **expiresAt**: `exp` (standard, seconds since epoch)
+ *
+ * @throws {McpError} `Unauthorized` if `clientId` or `scopes` are missing/empty.
+ */
+export function buildAuthInfoFromClaims(token, payload) {
+    const clientId = typeof payload.cid === 'string'
+        ? payload.cid
+        : typeof payload.client_id === 'string'
+            ? payload.client_id
+            : undefined;
+    if (!clientId) {
+        throw new McpError(JsonRpcErrorCode.Unauthorized, "Invalid token: missing 'cid' or 'client_id' claim.");
+    }
+    let scopes = [];
+    if (Array.isArray(payload.scp) && payload.scp.every((s) => typeof s === 'string')) {
+        scopes = payload.scp;
+    }
+    else if (typeof payload.scope === 'string' && payload.scope.trim()) {
+        scopes = payload.scope.split(' ').filter(Boolean);
+    }
+    if (scopes.length === 0) {
+        throw new McpError(JsonRpcErrorCode.Unauthorized, 'Token must contain valid, non-empty scopes.');
+    }
+    return {
+        token,
+        clientId,
+        scopes,
+        ...(typeof payload.sub === 'string' && { subject: payload.sub }),
+        ...(typeof payload.tid === 'string' && { tenantId: payload.tid }),
+        ...(typeof payload.exp === 'number' && { expiresAt: payload.exp }),
+    };
+}
+/**
+ * Handles errors thrown by `jose` verification functions.
+ * Rethrows {@link McpError} instances as-is and wraps other errors
+ * (e.g. `JWTExpired`, `JWSSignatureVerificationFailed`) in an
+ * `Unauthorized` McpError.
+ *
+ * @param error - The caught error from a jose verify call.
+ * @param fallbackMessage - Message used when the error is not a recognized jose type.
+ * @throws Always throws — either the original McpError or a new Unauthorized McpError.
+ */
+export function handleJoseVerifyError(error, fallbackMessage) {
+    if (error instanceof McpError)
+        throw error;
+    const message = error instanceof Error && error.name === 'JWTExpired' ? 'Token has expired.' : fallbackMessage;
+    throw new McpError(JsonRpcErrorCode.Unauthorized, message);
+}
+//# sourceMappingURL=claimParser.js.map

package/dist/mcp-server/transports/auth/lib/claimParser.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"claimParser.js","sourceRoot":"","sources":["../../../../../src/mcp-server/transports/auth/lib/claimParser.ts"],"names":[],"mappings":"AAUA,OAAO,EAAE,gBAAgB,EAAE,QAAQ,EAAE,MAAM,0BAA0B,CAAC;AAEtE;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,uBAAuB,CAAC,KAAa,EAAE,OAAmB;IACxE,MAAM,QAAQ,GACZ,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ;QAC7B,CAAC,CAAC,OAAO,CAAC,GAAG;QACb,CAAC,CAAC,OAAO,OAAO,CAAC,SAAS,KAAK,QAAQ;YACrC,CAAC,CAAC,OAAO,CAAC,SAAS;YACnB,CAAC,CAAC,SAAS,CAAC;IAElB,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,MAAM,IAAI,QAAQ,CAChB,gBAAgB,CAAC,YAAY,EAC7B,oDAAoD,CACrD,CAAC;IACJ,CAAC;IAED,IAAI,MAAM,GAAa,EAAE,CAAC;IAC1B,IAAI,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC,EAAE,CAAC;QAClF,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC;IACvB,CAAC;SAAM,IAAI,OAAO,OAAO,CAAC,KAAK,KAAK,QAAQ,IAAI,OAAO,CAAC,KAAK,CAAC,IAAI,EAAE,EAAE,CAAC;QACrE,MAAM,GAAG,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IACpD,CAAC;IAED,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACxB,MAAM,IAAI,QAAQ,CAChB,gBAAgB,CAAC,YAAY,EAC7B,6CAA6C,CAC9C,CAAC;IACJ,CAAC;IAED,OAAO;QACL,KAAK;QACL,QAAQ;QACR,MAAM;QACN,GAAG,CAAC,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,IAAI,EAAE,OAAO,EAAE,OAAO,CAAC,GAAG,EAAE,CAAC;QAChE,GAAG,CAAC,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,IAAI,EAAE,QAAQ,EAAE,OAAO,CAAC,GAAG,EAAE,CAAC;QACjE,GAAG,CAAC,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,IAAI,EAAE,SAAS,EAAE,OAAO,CAAC,GAAG,EAAE,CAAC;KACnE,CAAC;AACJ,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,qBAAqB,CAAC,KAAc,EAAE,eAAuB;IAC3E,IAAI,KAAK,YAAY,QAAQ;QAAE,MAAM,KAAK,CAAC;IAE3C,MAAM,OAAO,GACX,KAAK,YAAY,KAAK,IAAI,KAAK,CAAC,IAAI,KAAK,YAAY,CAAC,CAAC,CAAC,oBAAoB,CAAC,CAAC,CAAC,eAAe,CAAC;IAEjG,MAAM,IAAI,QAAQ,CAAC,gBAAgB,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC;AAC7D,CAAC"}

package/dist/mcp-server/transports/auth/lib/withAuth.d.ts

@@ -0,0 +1,25 @@
+/**
+ * @fileoverview Higher-order functions for declarative, scope-based authorization.
+ * @module src/mcp-server/transports/auth/lib/withAuth
+ */
+import type { SdkContext } from '../../../../mcp-server/tools/utils/toolDefinition.js';
+import type { RequestContext } from '../../../../utils/internal/requestContext.js';
+/**
+ * A higher-order function that wraps a **tool's** logic function with a
+ * scope-based authorization check.
+ *
+ * @param {string[]} requiredScopes An array of scopes required to execute the logic.
+ * @param {Function} logicFn The core tool logic function to execute if authorization succeeds.
+ * @returns A new async function that performs the auth check before executing the logic.
+ */
+export declare function withToolAuth<TInput, TOutput>(requiredScopes: string[], logicFn: (input: TInput, context: RequestContext, sdkContext: SdkContext) => TOutput | Promise<TOutput>): (input: TInput, context: RequestContext, sdkContext: SdkContext) => Promise<TOutput>;
+/**
+ * A higher-order function that wraps a **resource's** logic function with a
+ * scope-based authorization check.
+ *
+ * @param {string[]} requiredScopes An array of scopes required to execute the logic.
+ * @param {Function} logicFn The core resource logic function to execute if authorization succeeds.
+ * @returns A new async function that performs the auth check before executing the logic.
+ */
+export declare function withResourceAuth<TUri, TParams, TOutput>(requiredScopes: string[], logicFn: (uri: TUri, params: TParams, context: RequestContext) => TOutput | Promise<TOutput>): (uri: TUri, params: TParams, context: RequestContext) => Promise<TOutput>;
+//# sourceMappingURL=withAuth.d.ts.map

package/dist/mcp-server/transports/auth/lib/withAuth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"withAuth.d.ts","sourceRoot":"","sources":["../../../../../src/mcp-server/transports/auth/lib/withAuth.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,4CAA4C,CAAC;AAE7E,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,oCAAoC,CAAC;AAEzE;;;;;;;GAOG;AACH,wBAAgB,YAAY,CAAC,MAAM,EAAE,OAAO,EAC1C,cAAc,EAAE,MAAM,EAAE,EACxB,OAAO,EAAE,CACP,KAAK,EAAE,MAAM,EACb,OAAO,EAAE,cAAc,EACvB,UAAU,EAAE,UAAU,KACnB,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,GAC9B,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,cAAc,EAAE,UAAU,EAAE,UAAU,KAAK,OAAO,CAAC,OAAO,CAAC,CAStF;AAED;;;;;;;GAOG;AACH,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,OAAO,EAAE,OAAO,EACrD,cAAc,EAAE,MAAM,EAAE,EACxB,OAAO,EAAE,CAAC,GAAG,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,cAAc,KAAK,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,GAC3F,CAAC,GAAG,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,cAAc,KAAK,OAAO,CAAC,OAAO,CAAC,CAK3E"}

package/dist/mcp-server/transports/auth/lib/withAuth.js

@@ -0,0 +1,30 @@
+import { withRequiredScopes } from '../../../../mcp-server/transports/auth/lib/authUtils.js';
+/**
+ * A higher-order function that wraps a **tool's** logic function with a
+ * scope-based authorization check.
+ *
+ * @param {string[]} requiredScopes An array of scopes required to execute the logic.
+ * @param {Function} logicFn The core tool logic function to execute if authorization succeeds.
+ * @returns A new async function that performs the auth check before executing the logic.
+ */
+export function withToolAuth(requiredScopes, logicFn) {
+    return async (input, context, sdkContext) => {
+        withRequiredScopes(requiredScopes, context);
+        return await logicFn(input, context, sdkContext);
+    };
+}
+/**
+ * A higher-order function that wraps a **resource's** logic function with a
+ * scope-based authorization check.
+ *
+ * @param {string[]} requiredScopes An array of scopes required to execute the logic.
+ * @param {Function} logicFn The core resource logic function to execute if authorization succeeds.
+ * @returns A new async function that performs the auth check before executing the logic.
+ */
+export function withResourceAuth(requiredScopes, logicFn) {
+    return async (uri, params, context) => {
+        withRequiredScopes(requiredScopes, context);
+        return await logicFn(uri, params, context);
+    };
+}
+//# sourceMappingURL=withAuth.js.map

package/dist/mcp-server/transports/auth/lib/withAuth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"withAuth.js","sourceRoot":"","sources":["../../../../../src/mcp-server/transports/auth/lib/withAuth.ts"],"names":[],"mappings":"AAKA,OAAO,EAAE,kBAAkB,EAAE,MAAM,+CAA+C,CAAC;AAGnF;;;;;;;GAOG;AACH,MAAM,UAAU,YAAY,CAC1B,cAAwB,EACxB,OAI+B;IAE/B,OAAO,KAAK,EACV,KAAa,EACb,OAAuB,EACvB,UAAsB,EACJ,EAAE;QACpB,kBAAkB,CAAC,cAAc,EAAE,OAAO,CAAC,CAAC;QAC5C,OAAO,MAAM,OAAO,CAAC,KAAK,EAAE,OAAO,EAAE,UAAU,CAAC,CAAC;IACnD,CAAC,CAAC;AACJ,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,gBAAgB,CAC9B,cAAwB,EACxB,OAA4F;IAE5F,OAAO,KAAK,EAAE,GAAS,EAAE,MAAe,EAAE,OAAuB,EAAoB,EAAE;QACrF,kBAAkB,CAAC,cAAc,EAAE,OAAO,CAAC,CAAC;QAC5C,OAAO,MAAM,OAAO,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC;IAC7C,CAAC,CAAC;AACJ,CAAC"}

package/dist/mcp-server/transports/auth/strategies/authStrategy.d.ts

@@ -0,0 +1,18 @@
+/**
+ * @fileoverview Defines the interface for all authentication strategies.
+ * This interface establishes a contract for verifying authentication tokens,
+ * ensuring that any authentication method (JWT, OAuth, etc.) can be used
+ * interchangeably by the core authentication middleware.
+ * @module src/mcp-server/transports/auth/strategies/AuthStrategy
+ */
+import type { AuthInfo } from '../../../../mcp-server/transports/auth/lib/authTypes.js';
+export interface AuthStrategy {
+    /**
+     * Verifies an authentication token.
+     * @param token The raw token string extracted from the request.
+     * @returns A promise that resolves with the AuthInfo on successful verification.
+     * @throws {McpError} if the token is invalid, expired, or fails verification for any reason.
+     */
+    verify(token: string): Promise<AuthInfo>;
+}
+//# sourceMappingURL=authStrategy.d.ts.map

package/dist/mcp-server/transports/auth/strategies/authStrategy.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"authStrategy.d.ts","sourceRoot":"","sources":["../../../../../src/mcp-server/transports/auth/strategies/authStrategy.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AACH,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,+CAA+C,CAAC;AAE9E,MAAM,WAAW,YAAY;IAC3B;;;;;OAKG;IACH,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;CAC1C"}

package/dist/mcp-server/transports/auth/strategies/authStrategy.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=authStrategy.js.map

package/dist/mcp-server/transports/auth/strategies/authStrategy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"authStrategy.js","sourceRoot":"","sources":["../../../../../src/mcp-server/transports/auth/strategies/authStrategy.ts"],"names":[],"mappings":""}

package/dist/mcp-server/transports/auth/strategies/jwtStrategy.d.ts

@@ -0,0 +1,14 @@
+import type { config as ConfigType } from '../../../../config/index.js';
+import type { AuthInfo } from '../../../../mcp-server/transports/auth/lib/authTypes.js';
+import type { AuthStrategy } from '../../../../mcp-server/transports/auth/strategies/authStrategy.js';
+import type { logger as LoggerType } from '../../../../utils/internal/logger.js';
+export declare class JwtStrategy implements AuthStrategy {
+    private config;
+    private logger;
+    private readonly secretKey;
+    private readonly devMcpClientId;
+    private readonly devMcpScopes;
+    constructor(config: typeof ConfigType, logger: typeof LoggerType);
+    verify(token: string): Promise<AuthInfo>;
+}
+//# sourceMappingURL=jwtStrategy.d.ts.map

package/dist/mcp-server/transports/auth/strategies/jwtStrategy.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwtStrategy.d.ts","sourceRoot":"","sources":["../../../../../src/mcp-server/transports/auth/strategies/jwtStrategy.ts"],"names":[],"mappings":"AASA,OAAO,KAAK,EAAE,MAAM,IAAI,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAC9D,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,+CAA+C,CAAC;AAK9E,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,yDAAyD,CAAC;AAE5F,OAAO,KAAK,EAAE,MAAM,IAAI,UAAU,EAAE,MAAM,4BAA4B,CAAC;AAGvE,qBAAa,WAAY,YAAW,YAAY;IAM5C,OAAO,CAAC,MAAM;IACd,OAAO,CAAC,MAAM;IANhB,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAoB;IAC9C,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAS;IACxC,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAW;gBAG9B,MAAM,EAAE,OAAO,UAAU,EACzB,MAAM,EAAE,OAAO,UAAU;IAiC7B,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC;CA8C/C"}