@debian777/kairos-mcp 3.0.1-beta.14

package/dist/http/http-auth-callback.js

@@ -0,0 +1,183 @@
+import crypto from 'crypto';
+import { AUTH_ENABLED, KEYCLOAK_URL, KEYCLOAK_INTERNAL_URL, KEYCLOAK_REALM, KEYCLOAK_CLIENT_ID, AUTH_CALLBACK_BASE_URL, SESSION_SECRET, SESSION_MAX_AGE_SEC } from '../config.js';
+import { structuredLogger } from '../utils/structured-logger.js';
+import { getStateStore, SESSION_COOKIE_NAME } from './http-auth-middleware.js';
+function signSession(payload) {
+    const payloadB64 = Buffer.from(JSON.stringify(payload)).toString('base64url');
+    const sig = crypto.createHmac('sha256', SESSION_SECRET).update(payloadB64).digest('base64url');
+    return `${payloadB64}.${sig}`;
+}
+function realmFromIssuer(iss) {
+    const match = /\/realms\/([^/]+)/.exec(iss);
+    const segment = match?.[1] ?? iss.split('/').filter(Boolean).pop();
+    return typeof segment === 'string' ? segment : 'default';
+}
+const AUTH_SUCCESS_HTML = `<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <title>Authentication successful – KAIROS</title>
+  <style>
+    body { font-family: system-ui, sans-serif; display: flex; justify-content: center; align-items: center; min-height: 100vh; margin: 0; background: #1a1a1a; color: #e5e5e5; text-align: center; }
+    .box { padding: 2rem; max-width: 24rem; }
+    h1 { font-size: 1.25rem; font-weight: 600; margin-bottom: 0.5rem; }
+    p { color: #a3a3a3; margin: 0; }
+  </style>
+</head>
+<body>
+  <div class="box">
+    <h1>Authentication successful</h1>
+    <p>You can close this page and return to your MCP client.</p>
+  </div>
+</body>
+</html>
+`;
+const AUTH_LOGGED_OUT_HTML = `<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <title>Logged out – KAIROS</title>
+  <style>
+    body { font-family: system-ui, sans-serif; display: flex; justify-content: center; align-items: center; min-height: 100vh; margin: 0; background: #1a1a1a; color: #e5e5e5; text-align: center; }
+    .box { padding: 2rem; max-width: 24rem; }
+    h1 { font-size: 1.25rem; font-weight: 600; margin-bottom: 0.5rem; }
+    p { color: #a3a3a3; margin: 0; }
+  </style>
+</head>
+<body>
+  <div class="box">
+    <h1>Session cleared</h1>
+    <p>You are logged out. You can close this page.</p>
+  </div>
+</body>
+</html>
+`;
+/** Cookie options must match those used when setting the session (Path=/) so the browser clears it. */
+const COOKIE_CLEAR_OPTIONS = { path: '/', httpOnly: true, sameSite: 'lax' };
+export function setupAuthCallback(app) {
+    app.get('/auth/success', (_req, res) => {
+        res.setHeader('Content-Type', 'text/html; charset=utf-8');
+        res.send(AUTH_SUCCESS_HTML);
+    });
+    app.get('/auth/logout', (_req, res) => {
+        res.clearCookie(SESSION_COOKIE_NAME, COOKIE_CLEAR_OPTIONS);
+        res.redirect(302, '/auth/logged-out');
+    });
+    app.get('/auth/logged-out', (_req, res) => {
+        res.setHeader('Content-Type', 'text/html; charset=utf-8');
+        res.send(AUTH_LOGGED_OUT_HTML);
+    });
+    app.get('/auth/callback', async (req, res) => {
+        if (!AUTH_ENABLED || !KEYCLOAK_URL || !SESSION_SECRET || !AUTH_CALLBACK_BASE_URL) {
+            res.status(503).json({
+                error: 'Auth not configured',
+                message: 'AUTH_ENABLED, KEYCLOAK_URL, SESSION_SECRET, and AUTH_CALLBACK_BASE_URL are required. Set in .env (see docs/install/README.md).'
+            });
+            return;
+        }
+        const { code, state } = req.query;
+        if (!code || !state) {
+            res.redirect(302, '/?error=missing_code_or_state');
+            return;
+        }
+        const store = getStateStore();
+        const entry = store.get(state);
+        store.delete(state);
+        if (!entry) {
+            structuredLogger.info('Auth callback: invalid or expired state');
+            res.redirect(302, '/?error=invalid_state');
+            return;
+        }
+        const keycloakBase = (KEYCLOAK_INTERNAL_URL || KEYCLOAK_URL).replace(/\/$/, '');
+        const redirectUri = `${AUTH_CALLBACK_BASE_URL.replace(/\/$/, '')}/auth/callback`;
+        const body = new URLSearchParams({
+            grant_type: 'authorization_code',
+            client_id: KEYCLOAK_CLIENT_ID,
+            code,
+            redirect_uri: redirectUri,
+            code_verifier: entry.codeVerifier
+        });
+        let tokenRes;
+        try {
+            tokenRes = await fetch(`${keycloakBase}/realms/${KEYCLOAK_REALM}/protocol/openid-connect/token`, {
+                method: 'POST',
+                headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+                body: body.toString()
+            });
+        }
+        catch (err) {
+            structuredLogger.error('Auth callback: token request failed', err);
+            res.redirect(302, '/?error=token_request_failed');
+            return;
+        }
+        if (!tokenRes.ok) {
+            const text = await tokenRes.text();
+            structuredLogger.info(`Auth callback: token error ${JSON.stringify({ status: tokenRes.status, body: text })}`);
+            res.redirect(302, '/?error=token_exchange_failed');
+            return;
+        }
+        const tokens = (await tokenRes.json());
+        const idToken = tokens.id_token;
+        const accessToken = tokens.access_token;
+        const tokenToDecode = idToken ?? accessToken;
+        if (!tokenToDecode || typeof tokenToDecode !== 'string') {
+            structuredLogger.info('Auth callback: no id_token or access_token in response');
+            res.redirect(302, '/?error=no_tokens');
+            return;
+        }
+        let sub = null;
+        let groups = [];
+        let realm = KEYCLOAK_REALM;
+        let group_ids;
+        try {
+            const segment = tokenToDecode.split('.')[1];
+            const payload = segment
+                ? JSON.parse(Buffer.from(segment, 'base64url').toString())
+                : null;
+            if (!payload || typeof payload.sub !== 'string' || payload.sub.length === 0) {
+                structuredLogger.info('Auth callback: could not extract sub from token');
+                res.redirect(302, '/?error=invalid_token_sub');
+                return;
+            }
+            sub = payload.sub;
+            if (Array.isArray(payload.groups))
+                groups = payload.groups.filter((g) => typeof g === 'string');
+            else if (payload.realm_access && Array.isArray(payload.realm_access.roles))
+                groups = payload.realm_access.roles.filter((r) => typeof r === 'string');
+            if (typeof payload.iss === 'string')
+                realm = realmFromIssuer(payload.iss);
+            const g = payload.group_ids;
+            if (Array.isArray(g)) {
+                const ids = g.filter((x) => typeof x === 'string' && x.length > 0);
+                if (ids.length > 0)
+                    group_ids = ids;
+            }
+        }
+        catch {
+            structuredLogger.info('Auth callback: token payload parse failed');
+            res.redirect(302, '/?error=invalid_token_payload');
+            return;
+        }
+        if (sub === null) {
+            res.redirect(302, '/?error=invalid_token_sub');
+            return;
+        }
+        const exp = Math.floor(Date.now() / 1000) + SESSION_MAX_AGE_SEC;
+        const sessionPayload = {
+            sub,
+            groups,
+            realm,
+            exp
+        };
+        if (group_ids && group_ids.length > 0)
+            sessionPayload.group_ids = group_ids;
+        const cookieValue = signSession(sessionPayload);
+        res.setHeader('Set-Cookie', [
+            `${SESSION_COOKIE_NAME}=${encodeURIComponent(cookieValue)}; Path=/; HttpOnly; SameSite=Lax; Max-Age=${SESSION_MAX_AGE_SEC}`
+        ]);
+        res.redirect(302, '/auth/success');
+    });
+}
+//# sourceMappingURL=http-auth-callback.js.map

package/dist/http/http-auth-callback.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"http-auth-callback.js","sourceRoot":"","sources":["../../src/http/http-auth-callback.ts"],"names":[],"mappings":"AAKA,OAAO,MAAM,MAAM,QAAQ,CAAC;AAC5B,OAAO,EACL,YAAY,EACZ,YAAY,EACZ,qBAAqB,EACrB,cAAc,EACd,kBAAkB,EAClB,sBAAsB,EACtB,cAAc,EACd,mBAAmB,EACpB,MAAM,cAAc,CAAC;AACtB,OAAO,EAAE,gBAAgB,EAAE,MAAM,+BAA+B,CAAC;AACjE,OAAO,EAAE,aAAa,EAAE,mBAAmB,EAAE,MAAM,2BAA2B,CAAC;AAE/E,SAAS,WAAW,CAAC,OAMpB;IACC,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IAC9E,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,EAAE,cAAc,CAAC,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;IAC/F,OAAO,GAAG,UAAU,IAAI,GAAG,EAAE,CAAC;AAChC,CAAC;AAED,SAAS,eAAe,CAAC,GAAW;IAClC,MAAM,KAAK,GAAG,mBAAmB,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC5C,MAAM,OAAO,GAAG,KAAK,EAAE,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,GAAG,EAAE,CAAC;IACnE,OAAO,OAAO,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC;AAC3D,CAAC;AAED,MAAM,iBAAiB,GAAG;;;;;;;;;;;;;;;;;;;;CAoBzB,CAAC;AAEF,MAAM,oBAAoB,GAAG;;;;;;;;;;;;;;;;;;;;CAoB5B,CAAC;AAEF,uGAAuG;AACvG,MAAM,oBAAoB,GAAG,EAAE,IAAI,EAAE,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAc,EAAE,CAAC;AAErF,MAAM,UAAU,iBAAiB,CAAC,GAAoB;IACpD,GAAG,CAAC,GAAG,CAAC,eAAe,EAAE,CAAC,IAAa,EAAE,GAAa,EAAE,EAAE;QACxD,GAAG,CAAC,SAAS,CAAC,cAAc,EAAE,0BAA0B,CAAC,CAAC;QAC1D,GAAG,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;IAC9B,CAAC,CAAC,CAAC;IAEH,GAAG,CAAC,GAAG,CAAC,cAAc,EAAE,CAAC,IAAa,EAAE,GAAa,EAAE,EAAE;QACvD,GAAG,CAAC,WAAW,CAAC,mBAAmB,EAAE,oBAAoB,CAAC,CAAC;QAC3D,GAAG,CAAC,QAAQ,CAAC,GAAG,EAAE,kBAAkB,CAAC,CAAC;IACxC,CAAC,CAAC,CAAC;IAEH,GAAG,CAAC,GAAG,CAAC,kBAAkB,EAAE,CAAC,IAAa,EAAE,GAAa,EAAE,EAAE;QAC3D,GAAG,CAAC,SAAS,CAAC,cAAc,EAAE,0BAA0B,CAAC,CAAC;QAC1D,GAAG,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC;IACjC,CAAC,CAAC,CAAC;IAEH,GAAG,CAAC,GAAG,CAAC,gBAAgB,EAAE,KAAK,EAAE,GAAY,EAAE,GAAa,EAAE,EAAE;QAC9D,IAAI,CAAC,YAAY,IAAI,CAAC,YAAY,IAAI,CAAC,cAAc,IAAI,CAAC,sBAAsB,EAAE,CAAC;YACjF,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACnB,KAAK,EAAE,qBAAqB;gBAC5B,OAAO,EAAE,gIAAgI;aAC1I,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QACD,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,GAAG,CAAC,KAA0C,CAAC;QACvE,IAAI,CAAC,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YACpB,GAAG,CAAC,QAAQ,CAAC,GAAG,EAAE,+BAA+B,CAAC,CAAC;YACnD,OAAO;QACT,CAAC;QACD,MAAM,KAAK,GAAG,aAAa,EAAE,CAAC;QAC9B,MAAM,KAAK,GAAG,KAAK,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QAC/B,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACpB,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,gBAAgB,CAAC,IAAI,CAAC,yCAAyC,CAAC,CAAC;YACjE,GAAG,CAAC,QAAQ,CAAC,GAAG,EAAE,uBAAuB,CAAC,CAAC;YAC3C,OAAO;QACT,CAAC;QACD,MAAM,YAAY,GAAG,CAAC,qBAAqB,IAAI,YAAY,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;QAChF,MAAM,WAAW,GAAG,GAAG,sBAAsB,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,gBAAgB,CAAC;QACjF,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC;YAC/B,UAAU,EAAE,oBAAoB;YAChC,SAAS,EAAE,kBAAkB;YAC7B,IAAI;YACJ,YAAY,EAAE,WAAW;YACzB,aAAa,EAAE,KAAK,CAAC,YAAY;SAClC,CAAC,CAAC;QACH,IAAI,QAA6B,CAAC;QAClC,IAAI,CAAC;YACH,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,YAAY,WAAW,cAAc,gCAAgC,EAAE;gBAC/F,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE;gBAChE,IAAI,EAAE,IAAI,CAAC,QAAQ,EAAE;aACtB,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,gBAAgB,CAAC,KAAK,CAAC,qCAAqC,EAAE,GAAG,CAAC,CAAC;YACnE,GAAG,CAAC,QAAQ,CAAC,GAAG,EAAE,8BAA8B,CAAC,CAAC;YAClD,OAAO;QACT,CAAC;QACD,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;YACnC,gBAAgB,CAAC,IAAI,CAAC,8BAA8B,IAAI,CAAC,SAAS,CAAC,EAAE,MAAM,EAAE,QAAQ,CAAC,MAAM,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC,CAAC;YAC/G,GAAG,CAAC,QAAQ,CAAC,GAAG,EAAE,+BAA+B,CAAC,CAAC;YACnD,OAAO;QACT,CAAC;QACD,MAAM,MAAM,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAiD,CAAC;QACvF,MAAM,OAAO,GAAG,MAAM,CAAC,QAAQ,CAAC;QAChC,MAAM,WAAW,GAAG,MAAM,CAAC,YAAY,CAAC;QACxC,MAAM,aAAa,GAAG,OAAO,IAAI,WAAW,CAAC;QAC7C,IAAI,CAAC,aAAa,IAAI,OAAO,aAAa,KAAK,QAAQ,EAAE,CAAC;YACxD,gBAAgB,CAAC,IAAI,CAAC,wDAAwD,CAAC,CAAC;YAChF,GAAG,CAAC,QAAQ,CAAC,GAAG,EAAE,mBAAmB,CAAC,CAAC;YACvC,OAAO;QACT,CAAC;QACD,IAAI,GAAG,GAAkB,IAAI,CAAC;QAC9B,IAAI,MAAM,GAAa,EAAE,CAAC;QAC1B,IAAI,KAAK,GAAG,cAAc,CAAC;QAC3B,IAAI,SAA+B,CAAC;QACpC,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,aAAa,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;YAC5C,MAAM,OAAO,GAAG,OAAO;gBACrB,CAAC,CAAE,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC,QAAQ,EAAE,CAMtD;gBACJ,CAAC,CAAC,IAAI,CAAC;YACT,IAAI,CAAC,OAAO,IAAI,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,IAAI,OAAO,CAAC,GAAG,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAC5E,gBAAgB,CAAC,IAAI,CAAC,iDAAiD,CAAC,CAAC;gBACzE,GAAG,CAAC,QAAQ,CAAC,GAAG,EAAE,2BAA2B,CAAC,CAAC;gBAC/C,OAAO;YACT,CAAC;YACD,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC;YAClB,IAAI,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC;gBAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC;iBACxG,IAAI,OAAO,CAAC,YAAY,IAAI,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,YAAY,CAAC,KAAK,CAAC;gBACxE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC;YACxF,IAAI,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ;gBAAE,KAAK,GAAG,eAAe,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;YAC1E,MAAM,CAAC,GAAG,OAAO,CAAC,SAAS,CAAC;YAC5B,IAAI,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC;gBACrB,MAAM,GAAG,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;gBAChF,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC;oBAAE,SAAS,GAAG,GAAG,CAAC;YACtC,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,gBAAgB,CAAC,IAAI,CAAC,2CAA2C,CAAC,CAAC;YACnE,GAAG,CAAC,QAAQ,CAAC,GAAG,EAAE,+BAA+B,CAAC,CAAC;YACnD,OAAO;QACT,CAAC;QACD,IAAI,GAAG,KAAK,IAAI,EAAE,CAAC;YACjB,GAAG,CAAC,QAAQ,CAAC,GAAG,EAAE,2BAA2B,CAAC,CAAC;YAC/C,OAAO;QACT,CAAC;QACD,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,mBAAmB,CAAC;QAChE,MAAM,cAAc,GAAwF;YAC1G,GAAG;YACH,MAAM;YACN,KAAK;YACL,GAAG;SACJ,CAAC;QACF,IAAI,SAAS,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC;YAAE,cAAc,CAAC,SAAS,GAAG,SAAS,CAAC;QAC5E,MAAM,WAAW,GAAG,WAAW,CAAC,cAAc,CAAC,CAAC;QAChD,GAAG,CAAC,SAAS,CAAC,YAAY,EAAE;YAC1B,GAAG,mBAAmB,IAAI,kBAAkB,CAAC,WAAW,CAAC,6CAA6C,mBAAmB,EAAE;SAC5H,CAAC,CAAC;QACH,GAAG,CAAC,QAAQ,CAAC,GAAG,EAAE,eAAe,CAAC,CAAC;IACrC,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/http/http-auth-middleware.d.ts

@@ -0,0 +1,30 @@
+/**
+ * Auth middleware: when AUTH_ENABLED, require session or Bearer for /api and /mcp.
+ * Unauthenticated browser GET -> redirect to Keycloak; otherwise 401 with login_url.
+ * When AUTH_MODE=oidc_bearer, Bearer tokens are validated (issuer, audience, exp); req.auth is set from session or validated Bearer.
+ */
+import type { Request, Response, NextFunction } from 'express';
+import { type AuthPayload } from './bearer-validate.js';
+import { type SpaceContext } from '../utils/tenant-context.js';
+export type { AuthPayload };
+declare const SESSION_COOKIE_NAME = "kairos_session";
+interface StateEntry {
+    codeVerifier: string;
+    createdAt: number;
+}
+export declare function setWwwAuthenticate(res: Response, opts?: {
+    error?: 'invalid_token';
+    error_description?: string;
+}): void;
+declare global {
+    namespace Express {
+        interface Request {
+            auth?: AuthPayload;
+            spaceContext?: SpaceContext;
+        }
+    }
+}
+export declare function authMiddleware(req: Request, res: Response, next: NextFunction): Promise<void>;
+export declare function getStateStore(): Map<string, StateEntry>;
+export { SESSION_COOKIE_NAME };
+//# sourceMappingURL=http-auth-middleware.d.ts.map

package/dist/http/http-auth-middleware.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"http-auth-middleware.d.ts","sourceRoot":"","sources":["../../src/http/http-auth-middleware.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,OAAO,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAa/D,OAAO,EAAuB,KAAK,WAAW,EAAE,MAAM,sBAAsB,CAAC;AAC7E,OAAO,EAAwC,KAAK,YAAY,EAAE,MAAM,4BAA4B,CAAC;AAGrG,YAAY,EAAE,WAAW,EAAE,CAAC;AAE5B,QAAA,MAAM,mBAAmB,mBAAmB,CAAC;AAG7C,UAAU,UAAU;IAClB,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;CACnB;AAmGD,wBAAgB,kBAAkB,CAAC,GAAG,EAAE,QAAQ,EAAE,IAAI,CAAC,EAAE;IAAE,KAAK,CAAC,EAAE,eAAe,CAAC;IAAC,iBAAiB,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,CAGtH;AAED,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,OAAO,CAAC;QAChB,UAAU,OAAO;YACf,IAAI,CAAC,EAAE,WAAW,CAAC;YACnB,YAAY,CAAC,EAAE,YAAY,CAAC;SAC7B;KACF;CACF;AAED,wBAAsB,cAAc,CAAC,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CA6HnG;AAED,wBAAgB,aAAa,IAAI,GAAG,CAAC,MAAM,EAAE,UAAU,CAAC,CAEvD;AAED,OAAO,EAAE,mBAAmB,EAAE,CAAC"}

package/dist/http/http-auth-middleware.js

@@ -0,0 +1,224 @@
+import crypto from 'crypto';
+import { AUTH_ENABLED, KEYCLOAK_URL, KEYCLOAK_REALM, KEYCLOAK_CLIENT_ID, AUTH_CALLBACK_BASE_URL, SESSION_SECRET, AUTH_MODE, AUTH_TRUSTED_ISSUERS, AUTH_ALLOWED_AUDIENCES } from '../config.js';
+import { validateBearerToken } from './bearer-validate.js';
+import { getSpaceContext, runWithSpaceContext } from '../utils/tenant-context.js';
+import { structuredLogger } from '../utils/structured-logger.js';
+const SESSION_COOKIE_NAME = 'kairos_session';
+const STATE_TTL_MS = 600_000; // 10 min
+const stateStore = new Map();
+function pruneStateStore() {
+    const now = Date.now();
+    for (const [k, v] of stateStore.entries()) {
+        if (now - v.createdAt > STATE_TTL_MS)
+            stateStore.delete(k);
+    }
+}
+function buildLoginUrl(state, codeChallenge) {
+    const base = KEYCLOAK_URL.replace(/\/$/, '');
+    const redirectUri = `${AUTH_CALLBACK_BASE_URL.replace(/\/$/, '')}/auth/callback`;
+    const params = new URLSearchParams({
+        client_id: KEYCLOAK_CLIENT_ID,
+        redirect_uri: redirectUri,
+        response_type: 'code',
+        scope: 'openid',
+        state,
+        code_challenge: codeChallenge,
+        code_challenge_method: 'S256',
+        // Force login page so a second browser gets a fresh login instead of SSO "already logged in" errors.
+        prompt: 'login'
+    });
+    return `${base}/realms/${KEYCLOAK_REALM}/protocol/openid-connect/auth?${params.toString()}`;
+}
+function getSessionCookie(req) {
+    const raw = req.get('cookie');
+    if (!raw)
+        return null;
+    const match = raw.split(';').map((s) => s.trim()).find((s) => s.startsWith(SESSION_COOKIE_NAME + '='));
+    if (!match)
+        return null;
+    const value = match.slice((SESSION_COOKIE_NAME + '=').length).trim();
+    return value ? decodeURIComponent(value) : null;
+}
+function hasValidSession(req) {
+    return getSessionPayload(req) !== null;
+}
+/** Decode and verify session cookie; returns AuthPayload or null. */
+function getSessionPayload(req) {
+    const cookie = getSessionCookie(req);
+    if (!cookie || !SESSION_SECRET)
+        return null;
+    try {
+        const [payloadB64, sig] = cookie.split('.');
+        if (!payloadB64 || !sig)
+            return null;
+        const expectedSig = crypto.createHmac('sha256', SESSION_SECRET).update(payloadB64).digest('base64url');
+        if (sig !== expectedSig)
+            return null;
+        const payload = JSON.parse(Buffer.from(payloadB64, 'base64url').toString());
+        if (payload.exp && payload.exp < Date.now() / 1000)
+            return null;
+        const sub = typeof payload.sub === 'string' ? payload.sub : '';
+        if (!sub)
+            return null;
+        const groups = Array.isArray(payload.groups) ? payload.groups.filter((g) => typeof g === 'string') : [];
+        const realm = typeof payload.realm === 'string' ? payload.realm : 'default';
+        const group_ids = Array.isArray(payload.group_ids)
+            ? payload.group_ids.filter((g) => typeof g === 'string' && g.length > 0)
+            : undefined;
+        const result = { sub, groups, realm };
+        if (group_ids && group_ids.length > 0)
+            result.group_ids = group_ids;
+        return result;
+    }
+    catch {
+        return null;
+    }
+}
+function getBearerToken(req) {
+    const auth = req.get('authorization');
+    if (!auth || !auth.toLowerCase().startsWith('bearer '))
+        return null;
+    return auth.slice(7).trim() || null;
+}
+function hasBearer(req) {
+    return getBearerToken(req) !== null;
+}
+/** Paths that require auth when AUTH_ENABLED: /api, /api/*, and /mcp (MCP-over-HTTP). */
+function isProtectedPath(path) {
+    return path === '/api' || path.startsWith('/api/') || path === '/mcp';
+}
+/** Build WWW-Authenticate value. Use error=invalid_token so MCP clients clear stored token and restart OAuth (e.g. after Keycloak session cleanup). */
+function buildWwwAuthenticate(opts) {
+    if (!AUTH_CALLBACK_BASE_URL)
+        return '';
+    const resourceMetadataUrl = `${AUTH_CALLBACK_BASE_URL.replace(/\/$/, '')}/.well-known/oauth-protected-resource`;
+    const parts = [`Bearer realm="mcp"`, `resource_metadata="${resourceMetadataUrl}"`, 'scope="openid"'];
+    if (opts?.error) {
+        parts.unshift(`error="${opts.error}"`);
+        if (opts.error_description)
+            parts.push(`error_description="${opts.error_description.replace(/"/g, '\\"')}"`);
+    }
+    return parts.join(', ');
+}
+export function setWwwAuthenticate(res, opts) {
+    const value = buildWwwAuthenticate(opts);
+    if (value)
+        res.setHeader('WWW-Authenticate', value);
+}
+export async function authMiddleware(req, res, next) {
+    if (!AUTH_ENABLED) {
+        next();
+        return;
+    }
+    if (req.path === '/auth/callback') {
+        next();
+        return;
+    }
+    if (!isProtectedPath(req.path)) {
+        next();
+        return;
+    }
+    const hasSession = hasValidSession(req);
+    const hasBearerReq = hasBearer(req);
+    structuredLogger.debug(`[auth] protected ${req.method} ${req.path} session=${hasSession} bearer=${!!hasBearerReq}`);
+    function runNext(ctx) {
+        const spaceParam = (req.query?.['space'] ?? req.query?.['space_id']);
+        if (spaceParam && typeof spaceParam === 'string') {
+            if (!ctx.allowedSpaceIds.includes(spaceParam)) {
+                res.status(403).json({ error: 'forbidden', message: 'Requested space is not in your allowed spaces' });
+                return;
+            }
+            ctx = {
+                ...ctx,
+                allowedSpaceIds: [spaceParam],
+                defaultWriteSpaceId: spaceParam
+            };
+        }
+        req.spaceContext = ctx;
+        runWithSpaceContext(ctx, () => next());
+    }
+    if (hasSession) {
+        const payload = getSessionPayload(req);
+        if (payload)
+            req.auth = payload;
+        structuredLogger.debug(`[auth] allowed session ${req.method} ${req.path}`);
+        runNext(getSpaceContext(req));
+        return;
+    }
+    if (hasBearerReq) {
+        if (process.env['AUTH_TRACE'] === 'true' || process.env['LOG_LEVEL'] === 'trace') {
+            structuredLogger.info(`[auth] TRACE raw call ${req.method} ${req.path} bearer=true trusted_issuers=${JSON.stringify(AUTH_TRUSTED_ISSUERS)} allowed_audiences=${JSON.stringify(AUTH_ALLOWED_AUDIENCES)}`);
+        }
+        const hasIssuerAndAudience = AUTH_TRUSTED_ISSUERS.length > 0 && AUTH_ALLOWED_AUDIENCES.length > 0;
+        const canValidateBearer = hasIssuerAndAudience && (AUTH_MODE === 'oidc_bearer' || AUTH_ENABLED);
+        structuredLogger.info(`[auth] Bearer check path=${req.path} canValidate=${canValidateBearer} AUTH_MODE=${AUTH_MODE} trusted_issuers=${AUTH_TRUSTED_ISSUERS.length} allowed_audiences=${AUTH_ALLOWED_AUDIENCES.length}`);
+        if (!canValidateBearer) {
+            structuredLogger.info(`[auth] 401 ${req.method} ${req.path} bearer_not_validated (config missing)`);
+            setWwwAuthenticate(res);
+            res.status(401).json({
+                error: 'bearer_not_validated',
+                message: 'Bearer tokens are not validated when issuer/audience are not configured. Set AUTH_TRUSTED_ISSUERS and AUTH_ALLOWED_AUDIENCES (and AUTH_MODE=oidc_bearer or AUTH_ENABLED) to use Bearer auth.'
+            });
+            return;
+        }
+        const token = getBearerToken(req);
+        try {
+            const payload = await validateBearerToken(token, AUTH_TRUSTED_ISSUERS, AUTH_ALLOWED_AUDIENCES);
+            if (payload) {
+                req.auth = payload;
+                structuredLogger.debug(`[auth] allowed bearer ${req.method} ${req.path}`);
+                runNext(getSpaceContext(req));
+            }
+            else {
+                structuredLogger.info(`[auth] 401 ${req.method} ${req.path} bearer invalid or expired`);
+                setWwwAuthenticate(res, {
+                    error: 'invalid_token',
+                    error_description: 'Token expired or invalid; re-authenticate to obtain a new token'
+                });
+                res.status(401).json({ error: 'invalid_token', message: 'Bearer token invalid or expired' });
+            }
+        }
+        catch {
+            structuredLogger.info(`[auth] 401 ${req.method} ${req.path} bearer validation failed`);
+            setWwwAuthenticate(res, {
+                error: 'invalid_token',
+                error_description: 'Token validation failed; re-authenticate to obtain a new token'
+            });
+            res.status(401).json({ error: 'invalid_token', message: 'Bearer token validation failed' });
+        }
+        return;
+    }
+    if (!AUTH_CALLBACK_BASE_URL) {
+        res.status(503).json({
+            error: 'Auth misconfigured',
+            message: 'AUTH_CALLBACK_BASE_URL is required when AUTH_ENABLED is true. Set it in .env (e.g. http://localhost:3500).'
+        });
+        return;
+    }
+    const loginUrl = (s, cc) => buildLoginUrl(s, cc);
+    const state = crypto.randomBytes(16).toString('base64url');
+    const codeVerifier = crypto.randomBytes(32).toString('base64url');
+    const codeChallenge = crypto.createHash('sha256').update(codeVerifier).digest('base64url').replace(/=/g, '');
+    stateStore.set(state, { codeVerifier, createdAt: Date.now() });
+    pruneStateStore();
+    // MCP client must receive 401 + WWW-Authenticate to show "Needs authentication" / Connect.
+    // Redirect (302) would prevent discovery; always return 401 for /mcp.
+    const isMcp = req.path === '/mcp';
+    if (req.method === 'GET' && !isMcp) {
+        structuredLogger.info(`[auth] 302 ${req.method} ${req.path} redirect to login`);
+        res.redirect(302, loginUrl(state, codeChallenge));
+        return;
+    }
+    structuredLogger.info(`[auth] 401 ${req.method} ${req.path}${isMcp ? ' (announcing auth need for MCP client)' : ''}`);
+    setWwwAuthenticate(res);
+    res.status(401).json({
+        error: 'Unauthorized',
+        message: 'Authentication required',
+        login_url: loginUrl(state, codeChallenge)
+    });
+}
+export function getStateStore() {
+    return stateStore;
+}
+export { SESSION_COOKIE_NAME };
+//# sourceMappingURL=http-auth-middleware.js.map

package/dist/http/http-auth-middleware.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"http-auth-middleware.js","sourceRoot":"","sources":["../../src/http/http-auth-middleware.ts"],"names":[],"mappings":"AAMA,OAAO,MAAM,MAAM,QAAQ,CAAC;AAC5B,OAAO,EACL,YAAY,EACZ,YAAY,EACZ,cAAc,EACd,kBAAkB,EAClB,sBAAsB,EACtB,cAAc,EACd,SAAS,EACT,oBAAoB,EACpB,sBAAsB,EACvB,MAAM,cAAc,CAAC;AACtB,OAAO,EAAE,mBAAmB,EAAoB,MAAM,sBAAsB,CAAC;AAC7E,OAAO,EAAE,eAAe,EAAE,mBAAmB,EAAqB,MAAM,4BAA4B,CAAC;AACrG,OAAO,EAAE,gBAAgB,EAAE,MAAM,+BAA+B,CAAC;AAIjE,MAAM,mBAAmB,GAAG,gBAAgB,CAAC;AAC7C,MAAM,YAAY,GAAG,OAAO,CAAC,CAAC,SAAS;AAMvC,MAAM,UAAU,GAAG,IAAI,GAAG,EAAsB,CAAC;AAEjD,SAAS,eAAe;IACtB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,UAAU,CAAC,OAAO,EAAE,EAAE,CAAC;QAC1C,IAAI,GAAG,GAAG,CAAC,CAAC,SAAS,GAAG,YAAY;YAAE,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;IAC7D,CAAC;AACH,CAAC;AAED,SAAS,aAAa,CAAC,KAAa,EAAE,aAAqB;IACzD,MAAM,IAAI,GAAG,YAAY,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IAC7C,MAAM,WAAW,GAAG,GAAG,sBAAsB,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,gBAAgB,CAAC;IACjF,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;QACjC,SAAS,EAAE,kBAAkB;QAC7B,YAAY,EAAE,WAAW;QACzB,aAAa,EAAE,MAAM;QACrB,KAAK,EAAE,QAAQ;QACf,KAAK;QACL,cAAc,EAAE,aAAa;QAC7B,qBAAqB,EAAE,MAAM;QAC7B,qGAAqG;QACrG,MAAM,EAAE,OAAO;KAChB,CAAC,CAAC;IACH,OAAO,GAAG,IAAI,WAAW,cAAc,iCAAiC,MAAM,CAAC,QAAQ,EAAE,EAAE,CAAC;AAC9F,CAAC;AAED,SAAS,gBAAgB,CAAC,GAAY;IACpC,MAAM,GAAG,GAAG,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IAC9B,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IACtB,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,mBAAmB,GAAG,GAAG,CAAC,CAAC,CAAC;IACvG,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAC;IACxB,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,mBAAmB,GAAG,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,CAAC;IACrE,OAAO,KAAK,CAAC,CAAC,CAAC,kBAAkB,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;AAClD,CAAC;AAED,SAAS,eAAe,CAAC,GAAY;IACnC,OAAO,iBAAiB,CAAC,GAAG,CAAC,KAAK,IAAI,CAAC;AACzC,CAAC;AAED,qEAAqE;AACrE,SAAS,iBAAiB,CAAC,GAAY;IACrC,MAAM,MAAM,GAAG,gBAAgB,CAAC,GAAG,CAAC,CAAC;IACrC,IAAI,CAAC,MAAM,IAAI,CAAC,cAAc;QAAE,OAAO,IAAI,CAAC;IAC5C,IAAI,CAAC;QACH,MAAM,CAAC,UAAU,EAAE,GAAG,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC5C,IAAI,CAAC,UAAU,IAAI,CAAC,GAAG;YAAE,OAAO,IAAI,CAAC;QACrC,MAAM,WAAW,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,EAAE,cAAc,CAAC,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;QACvG,IAAI,GAAG,KAAK,WAAW;YAAE,OAAO,IAAI,CAAC;QACrC,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC,QAAQ,EAAE,CAMzE,CAAC;QACF,IAAI,OAAO,CAAC,GAAG,IAAI,OAAO,CAAC,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI;YAAE,OAAO,IAAI,CAAC;QAChE,MAAM,GAAG,GAAG,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;QAC/D,IAAI,CAAC,GAAG;YAAE,OAAO,IAAI,CAAC;QACtB,MAAM,MAAM,GAAG,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QACrH,MAAM,KAAK,GAAG,OAAO,OAAO,CAAC,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC;QAC5E,MAAM,SAAS,GAAG,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC;YAChD,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC;YACrF,CAAC,CAAC,SAAS,CAAC;QACd,MAAM,MAAM,GAAgB,EAAE,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;QACnD,IAAI,SAAS,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC;YAAE,MAAM,CAAC,SAAS,GAAG,SAAS,CAAC;QACpE,OAAO,MAAM,CAAC;IAChB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,SAAS,cAAc,CAAC,GAAY;IAClC,MAAM,IAAI,GAAG,GAAG,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;IACtC,IAAI,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC;QAAE,OAAO,IAAI,CAAC;IACpE,OAAO,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,IAAI,IAAI,CAAC;AACtC,CAAC;AAED,SAAS,SAAS,CAAC,GAAY;IAC7B,OAAO,cAAc,CAAC,GAAG,CAAC,KAAK,IAAI,CAAC;AACtC,CAAC;AAED,yFAAyF;AACzF,SAAS,eAAe,CAAC,IAAY;IACnC,OAAO,IAAI,KAAK,MAAM,IAAI,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI,IAAI,KAAK,MAAM,CAAC;AACxE,CAAC;AAED,uJAAuJ;AACvJ,SAAS,oBAAoB,CAAC,IAA8D;IAC1F,IAAI,CAAC,sBAAsB;QAAE,OAAO,EAAE,CAAC;IACvC,MAAM,mBAAmB,GAAG,GAAG,sBAAsB,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,uCAAuC,CAAC;IAChH,MAAM,KAAK,GAAG,CAAC,oBAAoB,EAAE,sBAAsB,mBAAmB,GAAG,EAAE,gBAAgB,CAAC,CAAC;IACrG,IAAI,IAAI,EAAE,KAAK,EAAE,CAAC;QAChB,KAAK,CAAC,OAAO,CAAC,UAAU,IAAI,CAAC,KAAK,GAAG,CAAC,CAAC;QACvC,IAAI,IAAI,CAAC,iBAAiB;YAAE,KAAK,CAAC,IAAI,CAAC,sBAAsB,IAAI,CAAC,iBAAiB,CAAC,OAAO,CAAC,IAAI,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/G,CAAC;IACD,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAED,MAAM,UAAU,kBAAkB,CAAC,GAAa,EAAE,IAA8D;IAC9G,MAAM,KAAK,GAAG,oBAAoB,CAAC,IAAI,CAAC,CAAC;IACzC,IAAI,KAAK;QAAE,GAAG,CAAC,SAAS,CAAC,kBAAkB,EAAE,KAAK,CAAC,CAAC;AACtD,CAAC;AAWD,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,GAAY,EAAE,GAAa,EAAE,IAAkB;IAClF,IAAI,CAAC,YAAY,EAAE,CAAC;QAClB,IAAI,EAAE,CAAC;QACP,OAAO;IACT,CAAC;IACD,IAAI,GAAG,CAAC,IAAI,KAAK,gBAAgB,EAAE,CAAC;QAClC,IAAI,EAAE,CAAC;QACP,OAAO;IACT,CAAC;IACD,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;QAC/B,IAAI,EAAE,CAAC;QACP,OAAO;IACT,CAAC;IAED,MAAM,UAAU,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC;IACxC,MAAM,YAAY,GAAG,SAAS,CAAC,GAAG,CAAC,CAAC;IACpC,gBAAgB,CAAC,KAAK,CACpB,oBAAoB,GAAG,CAAC,MAAM,IAAI,GAAG,CAAC,IAAI,YAAY,UAAU,WAAW,CAAC,CAAC,YAAY,EAAE,CAC5F,CAAC;IAEF,SAAS,OAAO,CAAC,GAAiB;QAChC,MAAM,UAAU,GAAG,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC,OAAO,CAAC,IAAI,GAAG,CAAC,KAAK,EAAE,CAAC,UAAU,CAAC,CAAuB,CAAC;QAC3F,IAAI,UAAU,IAAI,OAAO,UAAU,KAAK,QAAQ,EAAE,CAAC;YACjD,IAAI,CAAC,GAAG,CAAC,eAAe,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;gBAC9C,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,WAAW,EAAE,OAAO,EAAE,+CAA+C,EAAE,CAAC,CAAC;gBACvG,OAAO;YACT,CAAC;YACD,GAAG,GAAG;gBACJ,GAAG,GAAG;gBACN,eAAe,EAAE,CAAC,UAAU,CAAC;gBAC7B,mBAAmB,EAAE,UAAU;aAChC,CAAC;QACJ,CAAC;QACD,GAAG,CAAC,YAAY,GAAG,GAAG,CAAC;QACvB,mBAAmB,CAAC,GAAG,EAAE,GAAG,EAAE,CAAC,IAAI,EAAE,CAAC,CAAC;IACzC,CAAC;IAED,IAAI,UAAU,EAAE,CAAC;QACf,MAAM,OAAO,GAAG,iBAAiB,CAAC,GAAG,CAAC,CAAC;QACvC,IAAI,OAAO;YAAE,GAAG,CAAC,IAAI,GAAG,OAAO,CAAC;QAChC,gBAAgB,CAAC,KAAK,CAAC,0BAA0B,GAAG,CAAC,MAAM,IAAI,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC;QAC3E,OAAO,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC,CAAC;QAC9B,OAAO;IACT,CAAC;IAED,IAAI,YAAY,EAAE,CAAC;QACjB,IAAI,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,KAAK,MAAM,IAAI,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,KAAK,OAAO,EAAE,CAAC;YACjF,gBAAgB,CAAC,IAAI,CACnB,yBAAyB,GAAG,CAAC,MAAM,IAAI,GAAG,CAAC,IAAI,gCAAgC,IAAI,CAAC,SAAS,CAAC,oBAAoB,CAAC,sBAAsB,IAAI,CAAC,SAAS,CAAC,sBAAsB,CAAC,EAAE,CAClL,CAAC;QACJ,CAAC;QACD,MAAM,oBAAoB,GAAG,oBAAoB,CAAC,MAAM,GAAG,CAAC,IAAI,sBAAsB,CAAC,MAAM,GAAG,CAAC,CAAC;QAClG,MAAM,iBAAiB,GACrB,oBAAoB,IAAI,CAAC,SAAS,KAAK,aAAa,IAAI,YAAY,CAAC,CAAC;QACxE,gBAAgB,CAAC,IAAI,CACnB,4BAA4B,GAAG,CAAC,IAAI,gBAAgB,iBAAiB,cAAc,SAAS,oBAAoB,oBAAoB,CAAC,MAAM,sBAAsB,sBAAsB,CAAC,MAAM,EAAE,CACjM,CAAC;QACF,IAAI,CAAC,iBAAiB,EAAE,CAAC;YACvB,gBAAgB,CAAC,IAAI,CAAC,cAAc,GAAG,CAAC,MAAM,IAAI,GAAG,CAAC,IAAI,wCAAwC,CAAC,CAAC;YACpG,kBAAkB,CAAC,GAAG,CAAC,CAAC;YACxB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACnB,KAAK,EAAE,sBAAsB;gBAC7B,OAAO,EACL,8LAA8L;aACjM,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QACD,MAAM,KAAK,GAAG,cAAc,CAAC,GAAG,CAAC,CAAC;QAClC,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,MAAM,mBAAmB,CAAC,KAAM,EAAE,oBAAoB,EAAE,sBAAsB,CAAC,CAAC;YAChG,IAAI,OAAO,EAAE,CAAC;gBACZ,GAAG,CAAC,IAAI,GAAG,OAAO,CAAC;gBACnB,gBAAgB,CAAC,KAAK,CAAC,yBAAyB,GAAG,CAAC,MAAM,IAAI,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC;gBAC1E,OAAO,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC,CAAC;YAChC,CAAC;iBAAM,CAAC;gBACN,gBAAgB,CAAC,IAAI,CAAC,cAAc,GAAG,CAAC,MAAM,IAAI,GAAG,CAAC,IAAI,4BAA4B,CAAC,CAAC;gBACxF,kBAAkB,CAAC,GAAG,EAAE;oBACtB,KAAK,EAAE,eAAe;oBACtB,iBAAiB,EAAE,iEAAiE;iBACrF,CAAC,CAAC;gBACH,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,eAAe,EAAE,OAAO,EAAE,iCAAiC,EAAE,CAAC,CAAC;YAC/F,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,gBAAgB,CAAC,IAAI,CAAC,cAAc,GAAG,CAAC,MAAM,IAAI,GAAG,CAAC,IAAI,2BAA2B,CAAC,CAAC;YACvF,kBAAkB,CAAC,GAAG,EAAE;gBACtB,KAAK,EAAE,eAAe;gBACtB,iBAAiB,EAAE,gEAAgE;aACpF,CAAC,CAAC;YACH,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,eAAe,EAAE,OAAO,EAAE,gCAAgC,EAAE,CAAC,CAAC;QAC9F,CAAC;QACD,OAAO;IACT,CAAC;IAED,IAAI,CAAC,sBAAsB,EAAE,CAAC;QAC5B,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;YACnB,KAAK,EAAE,oBAAoB;YAC3B,OAAO,EAAE,4GAA4G;SACtH,CAAC,CAAC;QACH,OAAO;IACT,CAAC;IAED,MAAM,QAAQ,GAAG,CAAC,CAAS,EAAE,EAAU,EAAE,EAAE,CAAC,aAAa,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IACjE,MAAM,KAAK,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IAC3D,MAAM,YAAY,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IAClE,MAAM,aAAa,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;IAC7G,UAAU,CAAC,GAAG,CAAC,KAAK,EAAE,EAAE,YAAY,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;IAC/D,eAAe,EAAE,CAAC;IAElB,2FAA2F;IAC3F,sEAAsE;IACtE,MAAM,KAAK,GAAG,GAAG,CAAC,IAAI,KAAK,MAAM,CAAC;IAClC,IAAI,GAAG,CAAC,MAAM,KAAK,KAAK,IAAI,CAAC,KAAK,EAAE,CAAC;QACnC,gBAAgB,CAAC,IAAI,CAAC,cAAc,GAAG,CAAC,MAAM,IAAI,GAAG,CAAC,IAAI,oBAAoB,CAAC,CAAC;QAChF,GAAG,CAAC,QAAQ,CAAC,GAAG,EAAE,QAAQ,CAAC,KAAK,EAAE,aAAa,CAAC,CAAC,CAAC;QAClD,OAAO;IACT,CAAC;IACD,gBAAgB,CAAC,IAAI,CACnB,cAAc,GAAG,CAAC,MAAM,IAAI,GAAG,CAAC,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,wCAAwC,CAAC,CAAC,CAAC,EAAE,EAAE,CAC/F,CAAC;IACF,kBAAkB,CAAC,GAAG,CAAC,CAAC;IACxB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;QACnB,KAAK,EAAE,cAAc;QACrB,OAAO,EAAE,yBAAyB;QAClC,SAAS,EAAE,QAAQ,CAAC,KAAK,EAAE,aAAa,CAAC;KAC1C,CAAC,CAAC;AACL,CAAC;AAED,MAAM,UAAU,aAAa;IAC3B,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,OAAO,EAAE,mBAAmB,EAAE,CAAC"}

package/dist/http/http-error-handlers.d.ts

@@ -0,0 +1,7 @@
+import express from 'express';
+/**
+ * Set up error handlers and additional routes
+ * @param app Express application instance
+ */
+export declare function setupErrorHandlers(app: express.Express): void;
+//# sourceMappingURL=http-error-handlers.d.ts.map

package/dist/http/http-error-handlers.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"http-error-handlers.d.ts","sourceRoot":"","sources":["../../src/http/http-error-handlers.ts"],"names":[],"mappings":"AAAA,OAAO,OAAO,MAAM,SAAS,CAAC;AAG9B;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,GAAG,EAAE,OAAO,CAAC,OAAO,QA6BtD"}

package/dist/http/http-error-handlers.js

@@ -0,0 +1,35 @@
+import { structuredLogger } from '../utils/structured-logger.js';
+/**
+ * Set up error handlers and additional routes
+ * @param app Express application instance
+ */
+export function setupErrorHandlers(app) {
+    // Global error handler for Express routes
+    // eslint-disable-next-line @typescript-eslint/no-unused-vars
+    app.use((err, req, res, next) => {
+        try {
+            const rid = req?.headers?.['x-request-id'] || 'unknown';
+            const method = req?.method || 'UNKNOWN';
+            const url = req?.url || 'UNKNOWN';
+            structuredLogger.error(`HTTP error on ${method} ${url} [id: ${rid}]`, err);
+        }
+        catch { }
+        if (!res.headersSent) {
+            res.status(500).json({ error: 'Internal server error' });
+        }
+        else {
+            res.end();
+        }
+    });
+    // MCP endpoint - reject GET requests (must be POST)
+    app.get('/mcp', (req, res) => {
+        res.status(405).set('Allow', 'POST').json({
+            error: 'Method Not Allowed - use POST /mcp'
+        });
+    });
+    // Catch-all 404 handler (must be last)
+    app.use((req, res) => {
+        res.status(404).json({ error: 'Not found' });
+    });
+}
+//# sourceMappingURL=http-error-handlers.js.map

package/dist/http/http-error-handlers.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"http-error-handlers.js","sourceRoot":"","sources":["../../src/http/http-error-handlers.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,gBAAgB,EAAE,MAAM,+BAA+B,CAAC;AAEjE;;;GAGG;AACH,MAAM,UAAU,kBAAkB,CAAC,GAAoB;IACnD,0CAA0C;IAC1C,6DAA6D;IAC7D,GAAG,CAAC,GAAG,CAAC,CAAC,GAAQ,EAAE,GAAQ,EAAE,GAAQ,EAAE,IAAS,EAAE,EAAE;QAChD,IAAI,CAAC;YACD,MAAM,GAAG,GAAG,GAAG,EAAE,OAAO,EAAE,CAAC,cAAc,CAAC,IAAI,SAAS,CAAC;YACxD,MAAM,MAAM,GAAG,GAAG,EAAE,MAAM,IAAI,SAAS,CAAC;YACxC,MAAM,GAAG,GAAG,GAAG,EAAE,GAAG,IAAI,SAAS,CAAC;YAClC,gBAAgB,CAAC,KAAK,CAAC,iBAAiB,MAAM,IAAI,GAAG,SAAS,GAAG,GAAG,EAAE,GAAG,CAAC,CAAC;QAC/E,CAAC;QAAC,MAAM,CAAC,CAAC,CAAC;QAEX,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC;YACnB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,uBAAuB,EAAE,CAAC,CAAC;QAC7D,CAAC;aAAM,CAAC;YACJ,GAAG,CAAC,GAAG,EAAE,CAAC;QACd,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,oDAAoD;IACpD,GAAG,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;QACzB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,IAAI,CAAC;YACtC,KAAK,EAAE,oCAAoC;SAC9C,CAAC,CAAC;IACP,CAAC,CAAC,CAAC;IAEH,uCAAuC;IACvC,GAAG,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;QACjB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,WAAW,EAAE,CAAC,CAAC;IACjD,CAAC,CAAC,CAAC;AACP,CAAC"}

package/dist/http/http-health-routes.d.ts

@@ -0,0 +1,9 @@
+import express from 'express';
+import { MemoryQdrantStore } from '../services/memory/store.js';
+/**
+ * Set up health check and basic info routes
+ * @param app Express application instance
+ * @param memoryStore Memory store instance for health checks
+ */
+export declare function setupHealthRoutes(app: express.Express, memoryStore: MemoryQdrantStore): void;
+//# sourceMappingURL=http-health-routes.d.ts.map

package/dist/http/http-health-routes.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"http-health-routes.d.ts","sourceRoot":"","sources":["../../src/http/http-health-routes.ts"],"names":[],"mappings":"AAAA,OAAO,OAAO,MAAM,SAAS,CAAC;AAC9B,OAAO,EAAE,iBAAiB,EAAE,MAAM,6BAA6B,CAAC;AAMhE;;;;GAIG;AACH,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,OAAO,CAAC,OAAO,EAAE,WAAW,EAAE,iBAAiB,QAgHrF"}