@elliotding/ai-agent-mcp 0.1.25 → 0.1.26

package/dist/auth/middleware.js

@@ -1,194 +0,0 @@
-"use strict";
-/**
- * Authentication and Permission Middlewares
- * Token authentication and permission checking for HTTP endpoints
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.tokenAuthMiddleware = tokenAuthMiddleware;
-exports.tokenAuthOrLegacyMiddleware = tokenAuthOrLegacyMiddleware;
-exports.requirePermission = requirePermission;
-exports.checkToolCallPermission = checkToolCallPermission;
-const token_validator_1 = require("./token-validator");
-const permissions_1 = require("./permissions");
-const logger_1 = require("../utils/logger");
-/**
- * Token Authentication Middleware
- * Verifies token via external REST API
- */
-async function tokenAuthMiddleware(request, reply) {
-    try {
-        // Extract token from Authorization header
-        const authHeader = request.headers.authorization;
-        if (!authHeader || !authHeader.startsWith('Bearer ')) {
-            logger_1.logger.warn({
-                type: 'auth',
-                operation: 'middleware',
-                ip: request.ip,
-                url: request.url
-            }, 'Missing or invalid Authorization header');
-            reply.code(401).send({
-                error: 'Unauthorized',
-                message: 'Missing or invalid Authorization header. Expected: Bearer <token>',
-            });
-            return;
-        }
-        const token = authHeader.substring(7); // Remove 'Bearer ' prefix
-        // Verify token via external API
-        const payload = await (0, token_validator_1.verifyToken)(token);
-        if (!payload) {
-            logger_1.logger.warn({
-                type: 'auth',
-                operation: 'middleware',
-                ip: request.ip,
-                url: request.url
-            }, 'Token validation failed');
-            reply.code(401).send({
-                error: 'Unauthorized',
-                message: 'Invalid or expired token',
-            });
-            return;
-        }
-        // Attach user info to request
-        request.user = payload;
-        logger_1.logger.debug({
-            type: 'auth',
-            operation: 'middleware',
-            userId: payload.userId,
-            email: payload.email,
-            groups: payload.groups
-        }, `Token authentication successful for user ${payload.userId}`);
-    }
-    catch (error) {
-        logger_1.logger.error({
-            type: 'auth',
-            operation: 'middleware',
-            error: error instanceof Error ? error.message : 'Unknown error'
-        }, 'Token authentication error');
-        reply.code(500).send({
-            error: 'Internal Server Error',
-            message: 'Authentication failed',
-        });
-    }
-}
-/**
- * Token Authentication Middleware with Legacy Bearer Token Support
- * Supports both token validation via API and legacy bearer tokens
- */
-async function tokenAuthOrLegacyMiddleware(request, reply) {
-    try {
-        const authHeader = request.headers.authorization;
-        if (!authHeader || !authHeader.startsWith('Bearer ')) {
-            logger_1.logger.warn({
-                type: 'auth',
-                operation: 'middleware_legacy',
-                ip: request.ip,
-                url: request.url
-            }, 'Missing or invalid Authorization header');
-            reply.code(401).send({
-                error: 'Unauthorized',
-                message: 'Missing or invalid Authorization header',
-            });
-            return;
-        }
-        const token = authHeader.substring(7);
-        // Try to validate via API first
-        const payload = await (0, token_validator_1.verifyToken)(token);
-        if (payload) {
-            // API validation successful
-            request.user = payload;
-            logger_1.logger.debug({
-                type: 'auth',
-                operation: 'middleware_legacy',
-                userId: payload.userId,
-                email: payload.email,
-                groups: payload.groups
-            }, `Token validated via API for user ${payload.userId}`);
-            return;
-        }
-        // Fallback to legacy bearer token (for backward compatibility)
-        logger_1.logger.debug({
-            type: 'auth',
-            operation: 'middleware_legacy',
-            ip: request.ip
-        }, 'API validation failed, using legacy bearer token mode');
-        // In legacy mode, we don't have user info, so continue without setting request.user
-        // The endpoint will handle the legacy token separately
-    }
-    catch (error) {
-        logger_1.logger.error({
-            type: 'auth',
-            operation: 'middleware_legacy',
-            error: error instanceof Error ? error.message : 'Unknown error'
-        }, 'Token authentication error');
-        reply.code(500).send({
-            error: 'Internal Server Error',
-            message: 'Authentication failed',
-        });
-    }
-}
-/**
- * Permission Check Middleware Factory
- * Creates middleware to check permissions for a specific tool
- */
-function requirePermission(toolName) {
-    return async (request, reply) => {
-        try {
-            if (!request.user) {
-                logger_1.logger.error({
-                    type: 'auth',
-                    operation: 'permission_check',
-                    url: request.url
-                }, 'Permission check called without authentication');
-                reply.code(401).send({
-                    error: 'Unauthorized',
-                    message: 'Authentication required',
-                });
-                return;
-            }
-            // Check permission
-            const permissionCheck = (0, permissions_1.checkPermission)(toolName, request.user.groups);
-            if (!permissionCheck.allowed) {
-                logger_1.logger.warn({
-                    type: 'auth',
-                    operation: 'permission_check',
-                    userId: request.user.userId,
-                    email: request.user.email,
-                    groups: request.user.groups,
-                    toolName,
-                    reason: permissionCheck.reason,
-                }, `Permission denied for user ${request.user.userId} to access tool ${toolName}`);
-                reply.code(403).send({
-                    error: 'Forbidden',
-                    message: permissionCheck.reason || 'Insufficient permissions',
-                });
-                return;
-            }
-            logger_1.logger.debug({
-                type: 'auth',
-                operation: 'permission_check',
-                userId: request.user.userId,
-                toolName
-            }, `Permission granted for user ${request.user.userId} to access tool ${toolName}`);
-        }
-        catch (error) {
-            logger_1.logger.error({
-                type: 'auth',
-                operation: 'permission_check',
-                toolName,
-                error: error instanceof Error ? error.message : 'Unknown error'
-            }, 'Permission check error');
-            reply.code(500).send({
-                error: 'Internal Server Error',
-                message: 'Permission check failed',
-            });
-        }
-    };
-}
-/**
- * Permission Check for Tool Call
- * Checks permission when tools/call is invoked
- */
-function checkToolCallPermission(toolName, user) {
-    return (0, permissions_1.checkPermission)(toolName, user.groups);
-}
-//# sourceMappingURL=middleware.js.map

package/dist/auth/middleware.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"middleware.js","sourceRoot":"","sources":["../../src/auth/middleware.ts"],"names":[],"mappings":";AAAA;;;GAGG;;AAkBH,kDAqEC;AAMD,kEAkEC;AAMD,8CAgEC;AAMD,0DAKC;AA7OD,uDAA8D;AAC9D,+CAAgD;AAChD,4CAAyC;AASzC;;;GAGG;AACI,KAAK,UAAU,mBAAmB,CACvC,OAA6B,EAC7B,KAAmB;IAEnB,IAAI,CAAC;QACH,0CAA0C;QAC1C,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,aAAa,CAAC;QACjD,IAAI,CAAC,UAAU,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;YACrD,eAAM,CAAC,IAAI,CACT;gBACE,IAAI,EAAE,MAAM;gBACZ,SAAS,EAAE,YAAY;gBACvB,EAAE,EAAE,OAAO,CAAC,EAAE;gBACd,GAAG,EAAE,OAAO,CAAC,GAAG;aACjB,EACD,yCAAyC,CAC1C,CAAC;YACF,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACnB,KAAK,EAAE,cAAc;gBACrB,OAAO,EAAE,mEAAmE;aAC7E,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,MAAM,KAAK,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,0BAA0B;QAEjE,gCAAgC;QAChC,MAAM,OAAO,GAAG,MAAM,IAAA,6BAAW,EAAC,KAAK,CAAC,CAAC;QACzC,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,eAAM,CAAC,IAAI,CACT;gBACE,IAAI,EAAE,MAAM;gBACZ,SAAS,EAAE,YAAY;gBACvB,EAAE,EAAE,OAAO,CAAC,EAAE;gBACd,GAAG,EAAE,OAAO,CAAC,GAAG;aACjB,EACD,yBAAyB,CAC1B,CAAC;YACF,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACnB,KAAK,EAAE,cAAc;gBACrB,OAAO,EAAE,0BAA0B;aACpC,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,8BAA8B;QAC9B,OAAO,CAAC,IAAI,GAAG,OAAO,CAAC;QAEvB,eAAM,CAAC,KAAK,CACV;YACE,IAAI,EAAE,MAAM;YACZ,SAAS,EAAE,YAAY;YACvB,MAAM,EAAE,OAAO,CAAC,MAAM;YACtB,KAAK,EAAE,OAAO,CAAC,KAAK;YACpB,MAAM,EAAE,OAAO,CAAC,MAAM;SACvB,EACD,4CAA4C,OAAO,CAAC,MAAM,EAAE,CAC7D,CAAC;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,eAAM,CAAC,KAAK,CAAC;YACX,IAAI,EAAE,MAAM;YACZ,SAAS,EAAE,YAAY;YACvB,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe;SAChE,EAAE,4BAA4B,CAAC,CAAC;QACjC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;YACnB,KAAK,EAAE,uBAAuB;YAC9B,OAAO,EAAE,uBAAuB;SACjC,CAAC,CAAC;IACL,CAAC;AACH,CAAC;AAED;;;GAGG;AACI,KAAK,UAAU,2BAA2B,CAC/C,OAA6B,EAC7B,KAAmB;IAEnB,IAAI,CAAC;QACH,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,aAAa,CAAC;QACjD,IAAI,CAAC,UAAU,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;YACrD,eAAM,CAAC,IAAI,CACT;gBACE,IAAI,EAAE,MAAM;gBACZ,SAAS,EAAE,mBAAmB;gBAC9B,EAAE,EAAE,OAAO,CAAC,EAAE;gBACd,GAAG,EAAE,OAAO,CAAC,GAAG;aACjB,EACD,yCAAyC,CAC1C,CAAC;YACF,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACnB,KAAK,EAAE,cAAc;gBACrB,OAAO,EAAE,yCAAyC;aACnD,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,MAAM,KAAK,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;QAEtC,gCAAgC;QAChC,MAAM,OAAO,GAAG,MAAM,IAAA,6BAAW,EAAC,KAAK,CAAC,CAAC;QACzC,IAAI,OAAO,EAAE,CAAC;YACZ,4BAA4B;YAC5B,OAAO,CAAC,IAAI,GAAG,OAAO,CAAC;YACvB,eAAM,CAAC,KAAK,CACV;gBACE,IAAI,EAAE,MAAM;gBACZ,SAAS,EAAE,mBAAmB;gBAC9B,MAAM,EAAE,OAAO,CAAC,MAAM;gBACtB,KAAK,EAAE,OAAO,CAAC,KAAK;gBACpB,MAAM,EAAE,OAAO,CAAC,MAAM;aACvB,EACD,oCAAoC,OAAO,CAAC,MAAM,EAAE,CACrD,CAAC;YACF,OAAO;QACT,CAAC;QAED,+DAA+D;QAC/D,eAAM,CAAC,KAAK,CACV;YACE,IAAI,EAAE,MAAM;YACZ,SAAS,EAAE,mBAAmB;YAC9B,EAAE,EAAE,OAAO,CAAC,EAAE;SACf,EACD,uDAAuD,CACxD,CAAC;QAEF,oFAAoF;QACpF,uDAAuD;IACzD,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,eAAM,CAAC,KAAK,CAAC;YACX,IAAI,EAAE,MAAM;YACZ,SAAS,EAAE,mBAAmB;YAC9B,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe;SAChE,EAAE,4BAA4B,CAAC,CAAC;QACjC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;YACnB,KAAK,EAAE,uBAAuB;YAC9B,OAAO,EAAE,uBAAuB;SACjC,CAAC,CAAC;IACL,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,SAAgB,iBAAiB,CAAC,QAAgB;IAChD,OAAO,KAAK,EAAE,OAA6B,EAAE,KAAmB,EAAiB,EAAE;QACjF,IAAI,CAAC;YACH,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;gBAClB,eAAM,CAAC,KAAK,CACV;oBACE,IAAI,EAAE,MAAM;oBACZ,SAAS,EAAE,kBAAkB;oBAC7B,GAAG,EAAE,OAAO,CAAC,GAAG;iBACjB,EACD,gDAAgD,CACjD,CAAC;gBACF,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;oBACnB,KAAK,EAAE,cAAc;oBACrB,OAAO,EAAE,yBAAyB;iBACnC,CAAC,CAAC;gBACH,OAAO;YACT,CAAC;YAED,mBAAmB;YACnB,MAAM,eAAe,GAAG,IAAA,6BAAe,EAAC,QAAQ,EAAE,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YAEvE,IAAI,CAAC,eAAe,CAAC,OAAO,EAAE,CAAC;gBAC7B,eAAM,CAAC,IAAI,CACT;oBACE,IAAI,EAAE,MAAM;oBACZ,SAAS,EAAE,kBAAkB;oBAC7B,MAAM,EAAE,OAAO,CAAC,IAAI,CAAC,MAAM;oBAC3B,KAAK,EAAE,OAAO,CAAC,IAAI,CAAC,KAAK;oBACzB,MAAM,EAAE,OAAO,CAAC,IAAI,CAAC,MAAM;oBAC3B,QAAQ;oBACR,MAAM,EAAE,eAAe,CAAC,MAAM;iBAC/B,EACD,8BAA8B,OAAO,CAAC,IAAI,CAAC,MAAM,mBAAmB,QAAQ,EAAE,CAC/E,CAAC;gBACF,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;oBACnB,KAAK,EAAE,WAAW;oBAClB,OAAO,EAAE,eAAe,CAAC,MAAM,IAAI,0BAA0B;iBAC9D,CAAC,CAAC;gBACH,OAAO;YACT,CAAC;YAED,eAAM,CAAC,KAAK,CACV;gBACE,IAAI,EAAE,MAAM;gBACZ,SAAS,EAAE,kBAAkB;gBAC7B,MAAM,EAAE,OAAO,CAAC,IAAI,CAAC,MAAM;gBAC3B,QAAQ;aACT,EACD,+BAA+B,OAAO,CAAC,IAAI,CAAC,MAAM,mBAAmB,QAAQ,EAAE,CAChF,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,eAAM,CAAC,KAAK,CAAC;gBACX,IAAI,EAAE,MAAM;gBACZ,SAAS,EAAE,kBAAkB;gBAC7B,QAAQ;gBACR,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe;aAChE,EAAE,wBAAwB,CAAC,CAAC;YAC7B,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACnB,KAAK,EAAE,uBAAuB;gBAC9B,OAAO,EAAE,yBAAyB;aACnC,CAAC,CAAC;QACL,CAAC;IACH,CAAC,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,SAAgB,uBAAuB,CACrC,QAAgB,EAChB,IAAkB;IAElB,OAAO,IAAA,6BAAe,EAAC,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;AAChD,CAAC"}

package/dist/auth/permissions.d.ts

@@ -1,60 +0,0 @@
-/**
- * Permission Control System
- * Group-based access control for MCP tools
- * Groups are obtained from CSP API /user/permissions (e.g., "zNet", "Client-Public")
- */
-/**
- * Known groups from CSP
- * Users may belong to one or more groups
- */
-export declare const KnownGroups: {
-    readonly ZNET: "zNet";
-    readonly CLIENT_PUBLIC: "Client-Public";
-    readonly ADMIN: "admin";
-};
-/**
- * Permission level for operations
- */
-export declare enum PermissionLevel {
-    READ = "read",
-    WRITE = "write",
-    ADMIN = "admin"
-}
-/**
- * Tool permission configuration
- */
-export interface ToolPermission {
-    tool: string;
-    allowedGroups: string[];
-    requiredPermission: PermissionLevel;
-}
-/**
- * Initialize permission system
- */
-export declare function initializePermissions(customRules?: ToolPermission[]): void;
-/**
- * Check if a user has permission to access a tool
- * @param toolName - The name of the tool to check
- * @param userGroups - The groups the user belongs to (from CSP API)
- */
-export declare function checkPermission(toolName: string, userGroups: string[]): {
-    allowed: boolean;
-    reason?: string;
-};
-/**
- * Get permission info for a tool
- */
-export declare function getToolPermission(toolName: string): ToolPermission | undefined;
-/**
- * Get all permission rules
- */
-export declare function getAllPermissions(): ToolPermission[];
-/**
- * Update permission rule for a tool
- */
-export declare function updatePermission(permission: ToolPermission): void;
-/**
- * Remove permission rule for a tool
- */
-export declare function removePermission(toolName: string): void;
-//# sourceMappingURL=permissions.d.ts.map

package/dist/auth/permissions.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"permissions.d.ts","sourceRoot":"","sources":["../../src/auth/permissions.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH;;;GAGG;AACH,eAAO,MAAM,WAAW;;;;CAId,CAAC;AAEX;;GAEG;AACH,oBAAY,eAAe;IACzB,IAAI,SAAS;IACb,KAAK,UAAU;IACf,KAAK,UAAU;CAChB;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,kBAAkB,EAAE,eAAe,CAAC;CACrC;AAkDD;;GAEG;AACH,wBAAgB,qBAAqB,CAAC,WAAW,CAAC,EAAE,cAAc,EAAE,GAAG,IAAI,CAqB1E;AAED;;;;GAIG;AACH,wBAAgB,eAAe,CAC7B,QAAQ,EAAE,MAAM,EAChB,UAAU,EAAE,MAAM,EAAE,GACnB;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,MAAM,CAAC,EAAE,MAAM,CAAA;CAAE,CAwKvC;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,QAAQ,EAAE,MAAM,GAAG,cAAc,GAAG,SAAS,CAE9E;AAED;;GAEG;AACH,wBAAgB,iBAAiB,IAAI,cAAc,EAAE,CAEpD;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,UAAU,EAAE,cAAc,GAAG,IAAI,CAMjE;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,MAAM,GAAG,IAAI,CAGvD"}

package/dist/auth/permissions.js

@@ -1,262 +0,0 @@
-"use strict";
-/**
- * Permission Control System
- * Group-based access control for MCP tools
- * Groups are obtained from CSP API /user/permissions (e.g., "zNet", "Client-Public")
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.PermissionLevel = exports.KnownGroups = void 0;
-exports.initializePermissions = initializePermissions;
-exports.checkPermission = checkPermission;
-exports.getToolPermission = getToolPermission;
-exports.getAllPermissions = getAllPermissions;
-exports.updatePermission = updatePermission;
-exports.removePermission = removePermission;
-const logger_1 = require("../utils/logger");
-/**
- * Known groups from CSP
- * Users may belong to one or more groups
- */
-exports.KnownGroups = {
-    ZNET: 'zNet', // zNet team - full access
-    CLIENT_PUBLIC: 'Client-Public', // Client-Public team - standard access
-    ADMIN: 'admin', // Admin group - full access (if exists)
-};
-/**
- * Permission level for operations
- */
-var PermissionLevel;
-(function (PermissionLevel) {
-    PermissionLevel["READ"] = "read";
-    PermissionLevel["WRITE"] = "write";
-    PermissionLevel["ADMIN"] = "admin";
-})(PermissionLevel || (exports.PermissionLevel = PermissionLevel = {}));
-/**
- * Default permission rules for each tool
- * All authenticated users (with valid groups) can use these tools
- */
-const defaultPermissions = [
-    // sync_resources - available to all authenticated users
-    {
-        tool: 'sync_resources',
-        allowedGroups: ['*'], // * means all authenticated users
-        requiredPermission: PermissionLevel.WRITE,
-    },
-    // manage_subscription - available to all authenticated users
-    {
-        tool: 'manage_subscription',
-        allowedGroups: ['*'],
-        requiredPermission: PermissionLevel.WRITE,
-    },
-    // search_resources - read-only, all authenticated users
-    {
-        tool: 'search_resources',
-        allowedGroups: ['*'],
-        requiredPermission: PermissionLevel.READ,
-    },
-    // upload_resource - requires write permission
-    {
-        tool: 'upload_resource',
-        allowedGroups: ['*'],
-        requiredPermission: PermissionLevel.WRITE,
-    },
-    // uninstall_resource - requires write permission
-    {
-        tool: 'uninstall_resource',
-        allowedGroups: ['*'],
-        requiredPermission: PermissionLevel.WRITE,
-    },
-    // track_usage - internal telemetry tool, always allowed for all authenticated users
-    {
-        tool: 'track_usage',
-        allowedGroups: ['*'],
-        requiredPermission: PermissionLevel.WRITE,
-    },
-];
-/**
- * Custom permission rules (can be overridden via config)
- */
-let permissionRules = new Map();
-/**
- * Initialize permission system
- */
-function initializePermissions(customRules) {
-    // Load default permissions
-    for (const perm of defaultPermissions) {
-        permissionRules.set(perm.tool, perm);
-    }
-    // Override with custom rules if provided
-    if (customRules && customRules.length > 0) {
-        logger_1.logger.info({ count: customRules.length }, 'Loading custom permission rules');
-        for (const perm of customRules) {
-            permissionRules.set(perm.tool, perm);
-        }
-    }
-    logger_1.logger.info({ toolCount: permissionRules.size }, 'Permission system initialized');
-}
-/**
- * Check if a user has permission to access a tool
- * @param toolName - The name of the tool to check
- * @param userGroups - The groups the user belongs to (from CSP API)
- */
-function checkPermission(toolName, userGroups) {
-    const checkStartTime = Date.now();
-    logger_1.logger.debug({
-        type: 'permission_check',
-        toolName,
-        userGroups,
-        timestamp: new Date().toISOString()
-    }, `Checking permission for tool: ${toolName}`);
-    // Check if tool has permission rules
-    const permission = permissionRules.get(toolName);
-    if (!permission) {
-        // If no permission rule defined, deny by default
-        logger_1.logger.warn({
-            type: 'permission_check',
-            toolName,
-            userGroups,
-            result: 'denied',
-            reason: 'no_rule',
-            timestamp: new Date().toISOString()
-        }, 'No permission rule found for tool, denying access');
-        (0, logger_1.logAuthAttempt)('permission_check', false, {
-            toolName,
-            userGroups,
-            reason: 'no_rule',
-            duration: Date.now() - checkStartTime
-        });
-        return {
-            allowed: false,
-            reason: `Tool '${toolName}' has no permission rule defined`,
-        };
-    }
-    // If no groups provided, deny access
-    if (!userGroups || userGroups.length === 0) {
-        logger_1.logger.warn({
-            type: 'permission_check',
-            toolName,
-            result: 'denied',
-            reason: 'no_groups',
-            timestamp: new Date().toISOString()
-        }, 'Permission denied: user has no groups');
-        (0, logger_1.logAuthAttempt)('permission_check', false, {
-            toolName,
-            reason: 'no_groups',
-            duration: Date.now() - checkStartTime
-        });
-        return {
-            allowed: false,
-            reason: `User must belong to at least one group to access tools`,
-        };
-    }
-    // Admin group bypasses all checks
-    if (userGroups.includes(exports.KnownGroups.ADMIN) || userGroups.includes('admin')) {
-        logger_1.logger.info({
-            type: 'permission_check',
-            toolName,
-            userGroups,
-            result: 'granted',
-            reason: 'admin_bypass',
-            duration: Date.now() - checkStartTime,
-            timestamp: new Date().toISOString()
-        }, 'Admin group access granted');
-        (0, logger_1.logAuthAttempt)('permission_check', true, {
-            toolName,
-            userGroups,
-            reason: 'admin',
-            duration: Date.now() - checkStartTime
-        });
-        return { allowed: true };
-    }
-    // Check if tool allows all authenticated users
-    if (permission.allowedGroups.includes('*')) {
-        logger_1.logger.info({
-            type: 'permission_check',
-            toolName,
-            userGroups,
-            allowedGroups: permission.allowedGroups,
-            result: 'granted',
-            reason: 'wildcard',
-            duration: Date.now() - checkStartTime,
-            timestamp: new Date().toISOString()
-        }, 'Permission granted (tool allows all authenticated users)');
-        (0, logger_1.logAuthAttempt)('permission_check', true, {
-            toolName,
-            userGroups,
-            reason: 'wildcard',
-            duration: Date.now() - checkStartTime
-        });
-        return { allowed: true };
-    }
-    // Check if user belongs to any of the allowed groups
-    const hasAllowedGroup = userGroups.some((group) => permission.allowedGroups.includes(group));
-    if (!hasAllowedGroup) {
-        logger_1.logger.warn({
-            type: 'permission_check',
-            toolName,
-            userGroups,
-            allowedGroups: permission.allowedGroups,
-            result: 'denied',
-            reason: 'group_mismatch',
-            duration: Date.now() - checkStartTime,
-            timestamp: new Date().toISOString()
-        }, 'Permission denied: user not in allowed groups');
-        (0, logger_1.logAuthAttempt)('permission_check', false, {
-            toolName,
-            userGroups,
-            allowedGroups: permission.allowedGroups,
-            reason: 'group_mismatch',
-            duration: Date.now() - checkStartTime
-        });
-        return {
-            allowed: false,
-            reason: `Tool '${toolName}' requires membership in one of: ${permission.allowedGroups.join(', ')}`,
-        };
-    }
-    logger_1.logger.info({
-        type: 'permission_check',
-        toolName,
-        userGroups,
-        allowedGroups: permission.allowedGroups,
-        result: 'granted',
-        reason: 'group_match',
-        duration: Date.now() - checkStartTime,
-        timestamp: new Date().toISOString()
-    }, 'Permission granted (user in allowed groups)');
-    (0, logger_1.logAuthAttempt)('permission_check', true, {
-        toolName,
-        userGroups,
-        matchedGroups: userGroups.filter(g => permission.allowedGroups.includes(g)),
-        duration: Date.now() - checkStartTime
-    });
-    return { allowed: true };
-}
-/**
- * Get permission info for a tool
- */
-function getToolPermission(toolName) {
-    return permissionRules.get(toolName);
-}
-/**
- * Get all permission rules
- */
-function getAllPermissions() {
-    return Array.from(permissionRules.values());
-}
-/**
- * Update permission rule for a tool
- */
-function updatePermission(permission) {
-    permissionRules.set(permission.tool, permission);
-    logger_1.logger.info({ tool: permission.tool, permission }, 'Permission rule updated');
-}
-/**
- * Remove permission rule for a tool
- */
-function removePermission(toolName) {
-    permissionRules.delete(toolName);
-    logger_1.logger.info({ toolName }, 'Permission rule removed');
-}
-// Initialize with default permissions
-initializePermissions();
-//# sourceMappingURL=permissions.js.map

package/dist/auth/permissions.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"permissions.js","sourceRoot":"","sources":["../../src/auth/permissions.ts"],"names":[],"mappings":";AAAA;;;;GAIG;;;AAmFH,sDAqBC;AAOD,0CA2KC;AAKD,8CAEC;AAKD,8CAEC;AAKD,4CAMC;AAKD,4CAGC;AAzTD,4CAAyD;AAEzD;;;GAGG;AACU,QAAA,WAAW,GAAG;IACzB,IAAI,EAAE,MAAM,EAAuB,0BAA0B;IAC7D,aAAa,EAAE,eAAe,EAAK,uCAAuC;IAC1E,KAAK,EAAE,OAAO,EAAqB,wCAAwC;CACnE,CAAC;AAEX;;GAEG;AACH,IAAY,eAIX;AAJD,WAAY,eAAe;IACzB,gCAAa,CAAA;IACb,kCAAe,CAAA;IACf,kCAAe,CAAA;AACjB,CAAC,EAJW,eAAe,+BAAf,eAAe,QAI1B;AAWD;;;GAGG;AACH,MAAM,kBAAkB,GAAqB;IAC3C,wDAAwD;IACxD;QACE,IAAI,EAAE,gBAAgB;QACtB,aAAa,EAAE,CAAC,GAAG,CAAC,EAAG,kCAAkC;QACzD,kBAAkB,EAAE,eAAe,CAAC,KAAK;KAC1C;IACD,6DAA6D;IAC7D;QACE,IAAI,EAAE,qBAAqB;QAC3B,aAAa,EAAE,CAAC,GAAG,CAAC;QACpB,kBAAkB,EAAE,eAAe,CAAC,KAAK;KAC1C;IACD,wDAAwD;IACxD;QACE,IAAI,EAAE,kBAAkB;QACxB,aAAa,EAAE,CAAC,GAAG,CAAC;QACpB,kBAAkB,EAAE,eAAe,CAAC,IAAI;KACzC;IACD,8CAA8C;IAC9C;QACE,IAAI,EAAE,iBAAiB;QACvB,aAAa,EAAE,CAAC,GAAG,CAAC;QACpB,kBAAkB,EAAE,eAAe,CAAC,KAAK;KAC1C;IACD,iDAAiD;IACjD;QACE,IAAI,EAAE,oBAAoB;QAC1B,aAAa,EAAE,CAAC,GAAG,CAAC;QACpB,kBAAkB,EAAE,eAAe,CAAC,KAAK;KAC1C;IACD,oFAAoF;IACpF;QACE,IAAI,EAAE,aAAa;QACnB,aAAa,EAAE,CAAC,GAAG,CAAC;QACpB,kBAAkB,EAAE,eAAe,CAAC,KAAK;KAC1C;CACF,CAAC;AAEF;;GAEG;AACH,IAAI,eAAe,GAAgC,IAAI,GAAG,EAAE,CAAC;AAE7D;;GAEG;AACH,SAAgB,qBAAqB,CAAC,WAA8B;IAClE,2BAA2B;IAC3B,KAAK,MAAM,IAAI,IAAI,kBAAkB,EAAE,CAAC;QACtC,eAAe,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;IACvC,CAAC;IAED,yCAAyC;IACzC,IAAI,WAAW,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC1C,eAAM,CAAC,IAAI,CACT,EAAE,KAAK,EAAE,WAAW,CAAC,MAAM,EAAE,EAC7B,iCAAiC,CAClC,CAAC;QACF,KAAK,MAAM,IAAI,IAAI,WAAW,EAAE,CAAC;YAC/B,eAAe,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;QACvC,CAAC;IACH,CAAC;IAED,eAAM,CAAC,IAAI,CACT,EAAE,SAAS,EAAE,eAAe,CAAC,IAAI,EAAE,EACnC,+BAA+B,CAChC,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,SAAgB,eAAe,CAC7B,QAAgB,EAChB,UAAoB;IAEpB,MAAM,cAAc,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAElC,eAAM,CAAC,KAAK,CAAC;QACX,IAAI,EAAE,kBAAkB;QACxB,QAAQ;QACR,UAAU;QACV,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACpC,EAAE,iCAAiC,QAAQ,EAAE,CAAC,CAAC;IAEhD,qCAAqC;IACrC,MAAM,UAAU,GAAG,eAAe,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IACjD,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,iDAAiD;QACjD,eAAM,CAAC,IAAI,CAAC;YACV,IAAI,EAAE,kBAAkB;YACxB,QAAQ;YACR,UAAU;YACV,MAAM,EAAE,QAAQ;YAChB,MAAM,EAAE,SAAS;YACjB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACpC,EAAE,mDAAmD,CAAC,CAAC;QAExD,IAAA,uBAAc,EAAC,kBAAkB,EAAE,KAAK,EAAE;YACxC,QAAQ;YACR,UAAU;YACV,MAAM,EAAE,SAAS;YACjB,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,cAAc;SACtC,CAAC,CAAC;QAEH,OAAO;YACL,OAAO,EAAE,KAAK;YACd,MAAM,EAAE,SAAS,QAAQ,kCAAkC;SAC5D,CAAC;IACJ,CAAC;IAED,qCAAqC;IACrC,IAAI,CAAC,UAAU,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC3C,eAAM,CAAC,IAAI,CACT;YACE,IAAI,EAAE,kBAAkB;YACxB,QAAQ;YACR,MAAM,EAAE,QAAQ;YAChB,MAAM,EAAE,WAAW;YACnB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACpC,EACD,uCAAuC,CACxC,CAAC;QAEF,IAAA,uBAAc,EAAC,kBAAkB,EAAE,KAAK,EAAE;YACxC,QAAQ;YACR,MAAM,EAAE,WAAW;YACnB,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,cAAc;SACtC,CAAC,CAAC;QAEH,OAAO;YACL,OAAO,EAAE,KAAK;YACd,MAAM,EAAE,wDAAwD;SACjE,CAAC;IACJ,CAAC;IAED,kCAAkC;IAClC,IAAI,UAAU,CAAC,QAAQ,CAAC,mBAAW,CAAC,KAAK,CAAC,IAAI,UAAU,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;QAC3E,eAAM,CAAC,IAAI,CACT;YACE,IAAI,EAAE,kBAAkB;YACxB,QAAQ;YACR,UAAU;YACV,MAAM,EAAE,SAAS;YACjB,MAAM,EAAE,cAAc;YACtB,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,cAAc;YACrC,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACpC,EACD,4BAA4B,CAC7B,CAAC;QAEF,IAAA,uBAAc,EAAC,kBAAkB,EAAE,IAAI,EAAE;YACvC,QAAQ;YACR,UAAU;YACV,MAAM,EAAE,OAAO;YACf,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,cAAc;SACtC,CAAC,CAAC;QAEH,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IAC3B,CAAC;IAED,+CAA+C;IAC/C,IAAI,UAAU,CAAC,aAAa,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QAC3C,eAAM,CAAC,IAAI,CACT;YACE,IAAI,EAAE,kBAAkB;YACxB,QAAQ;YACR,UAAU;YACV,aAAa,EAAE,UAAU,CAAC,aAAa;YACvC,MAAM,EAAE,SAAS;YACjB,MAAM,EAAE,UAAU;YAClB,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,cAAc;YACrC,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACpC,EACD,0DAA0D,CAC3D,CAAC;QAEF,IAAA,uBAAc,EAAC,kBAAkB,EAAE,IAAI,EAAE;YACvC,QAAQ;YACR,UAAU;YACV,MAAM,EAAE,UAAU;YAClB,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,cAAc;SACtC,CAAC,CAAC;QAEH,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IAC3B,CAAC;IAED,qDAAqD;IACrD,MAAM,eAAe,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAChD,UAAU,CAAC,aAAa,CAAC,QAAQ,CAAC,KAAK,CAAC,CACzC,CAAC;IAEF,IAAI,CAAC,eAAe,EAAE,CAAC;QACrB,eAAM,CAAC,IAAI,CACT;YACE,IAAI,EAAE,kBAAkB;YACxB,QAAQ;YACR,UAAU;YACV,aAAa,EAAE,UAAU,CAAC,aAAa;YACvC,MAAM,EAAE,QAAQ;YAChB,MAAM,EAAE,gBAAgB;YACxB,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,cAAc;YACrC,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACpC,EACD,+CAA+C,CAChD,CAAC;QAEF,IAAA,uBAAc,EAAC,kBAAkB,EAAE,KAAK,EAAE;YACxC,QAAQ;YACR,UAAU;YACV,aAAa,EAAE,UAAU,CAAC,aAAa;YACvC,MAAM,EAAE,gBAAgB;YACxB,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,cAAc;SACtC,CAAC,CAAC;QAEH,OAAO;YACL,OAAO,EAAE,KAAK;YACd,MAAM,EAAE,SAAS,QAAQ,oCAAoC,UAAU,CAAC,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;SACnG,CAAC;IACJ,CAAC;IAED,eAAM,CAAC,IAAI,CACT;QACE,IAAI,EAAE,kBAAkB;QACxB,QAAQ;QACR,UAAU;QACV,aAAa,EAAE,UAAU,CAAC,aAAa;QACvC,MAAM,EAAE,SAAS;QACjB,MAAM,EAAE,aAAa;QACrB,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,cAAc;QACrC,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACpC,EACD,6CAA6C,CAC9C,CAAC;IAEF,IAAA,uBAAc,EAAC,kBAAkB,EAAE,IAAI,EAAE;QACvC,QAAQ;QACR,UAAU;QACV,aAAa,EAAE,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,UAAU,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC;QAC3E,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,cAAc;KACtC,CAAC,CAAC;IAEH,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;AAC3B,CAAC;AAED;;GAEG;AACH,SAAgB,iBAAiB,CAAC,QAAgB;IAChD,OAAO,eAAe,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;AACvC,CAAC;AAED;;GAEG;AACH,SAAgB,iBAAiB;IAC/B,OAAO,KAAK,CAAC,IAAI,CAAC,eAAe,CAAC,MAAM,EAAE,CAAC,CAAC;AAC9C,CAAC;AAED;;GAEG;AACH,SAAgB,gBAAgB,CAAC,UAA0B;IACzD,eAAe,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;IACjD,eAAM,CAAC,IAAI,CACT,EAAE,IAAI,EAAE,UAAU,CAAC,IAAI,EAAE,UAAU,EAAE,EACrC,yBAAyB,CAC1B,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAgB,gBAAgB,CAAC,QAAgB;IAC/C,eAAe,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IACjC,eAAM,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,EAAE,yBAAyB,CAAC,CAAC;AACvD,CAAC;AAED,sCAAsC;AACtC,qBAAqB,EAAE,CAAC"}

package/dist/auth/token-validator.d.ts

@@ -1,52 +0,0 @@
-/**
- * Token Validation via CSP API
- * Validates tokens by calling CSP /user/permissions endpoint
- */
-/**
- * Token validation payload structure
- */
-export interface TokenPayload {
-    userId: string;
-    email: string;
-    groups: string[];
-    roles?: string[];
-    [key: string]: unknown;
-}
-/**
- * Start cache cleanup interval
- */
-export declare function startCacheCleanup(): void;
-/**
- * Stop cache cleanup interval
- */
-export declare function stopCacheCleanup(): void;
-/**
- * Verify token by calling CSP API /user/permissions
- * @param token - The JWT token to verify
- * @returns Token payload if valid, null otherwise
- */
-export declare function verifyTokenViaAPI(token: string): Promise<TokenPayload | null>;
-/**
- * Verify token with caching
- * Uses cached result if available to reduce API calls
- * @param token - The token to verify
- * @returns Token payload if valid, null otherwise
- */
-export declare function verifyToken(token: string): Promise<TokenPayload | null>;
-/**
- * Clear token from cache (e.g., after logout)
- * @param token - The token to invalidate
- */
-export declare function invalidateToken(token: string): void;
-/**
- * Clear all cached tokens
- */
-export declare function clearTokenCache(): void;
-/**
- * Get cache statistics
- */
-export declare function getTokenCacheStats(): {
-    size: number;
-    tokens: string[];
-};
-//# sourceMappingURL=token-validator.d.ts.map

package/dist/auth/token-validator.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"token-validator.d.ts","sourceRoot":"","sources":["../../src/auth/token-validator.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAKH;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,EAAE,CAAC;IAEjB,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AA+CD;;GAEG;AACH,wBAAgB,iBAAiB,IAAI,IAAI,CASxC;AAED;;GAEG;AACH,wBAAgB,gBAAgB,IAAI,IAAI,CAMvC;AAKD;;;;GAIG;AACH,wBAAsB,iBAAiB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,GAAG,IAAI,CAAC,CAkGnF;AAED;;;;;GAKG;AACH,wBAAsB,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,GAAG,IAAI,CAAC,CAqD7E;AAED;;;GAGG;AACH,wBAAgB,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI,CAMnD;AAED;;GAEG;AACH,wBAAgB,eAAe,IAAI,IAAI,CAMtC;AAED;;GAEG;AACH,wBAAgB,kBAAkB;;;EAMjC"}