@elliotding/ai-agent-mcp 0.1.26 → 0.1.27

package/dist/api/client.js

@@ -0,0 +1,371 @@
+"use strict";
+/**
+ * REST API Client
+ * HTTP client for CSP Resource Server
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.apiClient = void 0;
+const axios_1 = __importStar(require("axios"));
+const config_1 = require("../config");
+const logger_1 = require("../utils/logger");
+const errors_1 = require("../types/errors");
+class APIClient {
+    client;
+    maxRetries = 3;
+    retryDelay = 1000; // 1 second
+    constructor() {
+        this.client = axios_1.default.create({
+            baseURL: config_1.config.csp.apiBaseUrl,
+            timeout: config_1.config.csp.timeout,
+            headers: {
+                'Content-Type': 'application/json',
+                'User-Agent': `csp-ai-agent-mcp/0.2.0`,
+            },
+        });
+        // Request interceptor for authentication and logging.
+        // Every request MUST carry a per-request Authorization header supplied by
+        // the caller via authConfig(userToken). If none is present the request is
+        // rejected immediately — the token must come from the authenticated SSE
+        // connection, not from environment variables.
+        this.client.interceptors.request.use((requestConfig) => {
+            if (!requestConfig.headers.Authorization) {
+                return Promise.reject(new Error('Authorization token is missing. ' +
+                    'Ensure the MCP server is connected via SSE with a valid Bearer token in the Authorization header.'));
+            }
+            // Enhanced request logging
+            logger_1.logger.debug({
+                type: 'api_request_start',
+                method: requestConfig.method?.toUpperCase(),
+                url: requestConfig.url,
+                params: requestConfig.params,
+                data: requestConfig.data ? JSON.stringify(requestConfig.data).substring(0, 500) : undefined,
+                headers: this.sanitizeHeaders(requestConfig.headers),
+            }, `API Request: ${requestConfig.method?.toUpperCase()} ${requestConfig.url}`);
+            // Record start time for duration calculation
+            requestConfig.startTime = Date.now();
+            return requestConfig;
+        }, (error) => {
+            logger_1.logger.error({
+                type: 'api_request_interceptor_error',
+                error: error.message
+            }, 'API request interceptor error');
+            return Promise.reject(error);
+        });
+        // Response interceptor for detailed logging
+        this.client.interceptors.response.use((response) => {
+            const startTime = response.config.startTime || Date.now();
+            const duration = Date.now() - startTime;
+            const method = response.config.method?.toUpperCase() || 'UNKNOWN';
+            const url = response.config.url || 'unknown';
+            // Enhanced response logging
+            (0, logger_1.logApiRequest)(method, url, response.status, duration, response.config.data, response.data, response.headers);
+            return response;
+        }, (error) => {
+            const startTime = error.config?.startTime || Date.now();
+            const duration = Date.now() - startTime;
+            const statusCode = error.response?.status;
+            const method = error.config?.method?.toUpperCase() || 'UNKNOWN';
+            const url = error.config?.url || 'unknown';
+            // Enhanced error logging
+            (0, logger_1.logApiError)(method, url, error, error.config?.data, statusCode);
+            // Log response details if available
+            if (error.response) {
+                logger_1.logger.error({
+                    type: 'api_response_error',
+                    method,
+                    url,
+                    status: statusCode,
+                    statusText: error.response.statusText,
+                    responseData: error.response.data ? JSON.stringify(error.response.data).substring(0, 1000) : undefined,
+                    duration,
+                }, `API Error Response: ${method} ${url} - ${statusCode}`);
+            }
+            return Promise.reject(error);
+        });
+    }
+    /**
+     * Build an AxiosRequestConfig that carries a per-request user token.
+     * Pass the result as the `config` argument to get/post/put/delete or merge it
+     * into any existing request config so that the caller's token overrides the
+     * server-level fallback set in the interceptor.
+     *
+     * Usage:
+     *   await apiClient.get('/some/path', apiClient.authConfig(userToken));
+     *   await apiClient.post('/some/path', body, apiClient.authConfig(userToken));
+     */
+    authConfig(token, extra) {
+        if (!token)
+            return extra ?? {};
+        return {
+            ...extra,
+            headers: {
+                ...(extra?.headers ?? {}),
+                Authorization: `Bearer ${token}`,
+            },
+        };
+    }
+    /**
+     * Sanitize headers to hide sensitive information
+     */
+    sanitizeHeaders(headers) {
+        const sanitized = { ...headers };
+        if (sanitized['Authorization'] || sanitized['authorization']) {
+            const key = sanitized['Authorization'] ? 'Authorization' : 'authorization';
+            const value = sanitized[key];
+            if (value && value.startsWith('Bearer ')) {
+                const token = value.substring(7);
+                sanitized[key] = `Bearer ${token.substring(0, 10)}...${token.substring(token.length - 10)}`;
+            }
+        }
+        return sanitized;
+    }
+    /**
+     * Execute request with retry logic
+     */
+    async executeWithRetry(requestFn, method, url, retryCount = 0) {
+        try {
+            return await requestFn();
+        }
+        catch (error) {
+            const isNetworkError = error instanceof axios_1.AxiosError &&
+                (!error.response || error.code === 'ECONNREFUSED' || error.code === 'ETIMEDOUT');
+            if (isNetworkError && retryCount < this.maxRetries) {
+                const delay = this.retryDelay * Math.pow(2, retryCount);
+                logger_1.logger.warn({
+                    method,
+                    url,
+                    retryCount: retryCount + 1,
+                    maxRetries: this.maxRetries,
+                    delay,
+                }, `API request failed, retrying in ${delay}ms...`);
+                await new Promise((resolve) => setTimeout(resolve, delay));
+                return this.executeWithRetry(requestFn, method, url, retryCount + 1);
+            }
+            // Transform axios error to APIError
+            if (error instanceof axios_1.AxiosError) {
+                throw (0, errors_1.createAPIError)(method, url, error, error.response?.status, retryCount);
+            }
+            throw error;
+        }
+    }
+    /**
+     * GET request
+     */
+    async get(url, config) {
+        return this.executeWithRetry(async () => {
+            const response = await this.client.get(url, config);
+            return response.data;
+        }, 'GET', url);
+    }
+    /**
+     * POST request
+     */
+    async post(url, data, config) {
+        return this.executeWithRetry(async () => {
+            const response = await this.client.post(url, data, config);
+            return response.data;
+        }, 'POST', url);
+    }
+    /**
+     * PUT request
+     */
+    async put(url, data, config) {
+        return this.executeWithRetry(async () => {
+            const response = await this.client.put(url, data, config);
+            return response.data;
+        }, 'PUT', url);
+    }
+    /**
+     * DELETE request
+     */
+    async delete(url, config) {
+        return this.executeWithRetry(async () => {
+            const response = await this.client.delete(url, config);
+            return response.data;
+        }, 'DELETE', url);
+    }
+    //===========================================
+    // CSP Resource Server API Endpoints
+    //===========================================
+    /**
+     * Get subscription list
+     *
+     * @param params   Query parameters for filtering subscriptions.
+     * @param userToken Per-request token from the caller's mcp.json configuration.
+     *                  When provided it overrides the server-level fallback token.
+     */
+    async getSubscriptions(params, userToken) {
+        const response = await this.get('/csp/api/resources/subscriptions', this.authConfig(userToken, { params }));
+        if (!response.data) {
+            throw new Error('Invalid API response: missing data field');
+        }
+        return response.data;
+    }
+    /**
+     * Subscribe to resource
+     *
+     * @param userToken Per-request token from the caller's mcp.json configuration.
+     */
+    async subscribe(resourceIds, autoSync = true, scope, userToken) {
+        const response = await this.post('/csp/api/resources/subscriptions/add', { resource_ids: resourceIds, auto_sync: autoSync, scope }, this.authConfig(userToken));
+        if (!response.data) {
+            throw new Error('Invalid API response: missing data field');
+        }
+        return { success: true, subscriptions: response.data.subscriptions };
+    }
+    /**
+     * Unsubscribe from resource
+     *
+     * @param userToken Per-request token from the caller's mcp.json configuration.
+     */
+    async unsubscribe(resourceIds, userToken) {
+        const ids = Array.isArray(resourceIds) ? resourceIds : [resourceIds];
+        const response = await this.delete('/csp/api/resources/subscriptions/remove', this.authConfig(userToken, { data: { resource_ids: ids } }));
+        if (!response.data) {
+            throw new Error('Invalid API response: missing data field');
+        }
+    }
+    /**
+     * Search resources
+     *
+     * @param userToken Per-request token from the caller's mcp.json configuration.
+     */
+    async searchResources(params, userToken) {
+        const response = await this.get('/csp/api/resources/search', this.authConfig(userToken, { params }));
+        if (!response.data) {
+            throw new Error('Invalid API response: missing data field');
+        }
+        return {
+            total: response.data.total,
+            page: response.data.page,
+            page_size: response.data.page_size,
+            results: response.data.results.map((r) => ({
+                ...r,
+                score: r.score || 0,
+                is_subscribed: r.is_subscribed || false,
+            })),
+        };
+    }
+    /**
+     * Download resource — returns all files for the resource.
+     *
+     * GET /csp/api/resources/download/{id}
+     * Response: { data: { resource_id, name, type, version, hash, files: [{path, content}] } }
+     *
+     * files[].path is the relative path within the resource directory.
+     * Single-file resources (command, rule) have exactly one element.
+     * Multi-file resources (skill, mcp) have all their files included.
+     *
+     * @param userToken Per-request token from the caller's mcp.json configuration.
+     */
+    async downloadResource(resourceId, userToken) {
+        const response = await this.get(`/csp/api/resources/download/${resourceId}`, this.authConfig(userToken));
+        return response.data;
+    }
+    /**
+     * Get resource detail
+     *
+     * @param userToken Per-request token from the caller's mcp.json configuration.
+     */
+    async getResourceDetail(resourceId, userToken) {
+        return this.get(`/csp/api/resources/${resourceId}`, this.authConfig(userToken));
+    }
+    /**
+     * Stage resource files for upload (Step 1 of two-step upload flow).
+     *
+     * POST /csp/api/resources/upload
+     * Body: { type, name, files: [{ path, content }] }
+     * Response: { upload_id, status, expires_at, preview_url }
+     *
+     * The server validates path traversal, total size (< 10 MB), and name conflicts.
+     * All file types are supported — mcp packages may include .py, .js, package.json, etc.
+     *
+     * @param userToken Per-request token from the caller's mcp.json configuration.
+     */
+    async uploadResourceFiles(params, userToken) {
+        const resp = await this.post('/csp/api/resources/upload', params, this.authConfig(userToken));
+        return resp.data;
+    }
+    /**
+     * Finalize staged upload — triggers Git commit (Step 2 of two-step upload flow).
+     *
+     * POST /csp/api/resources/finalize
+     * Body: { upload_id, commit_message }
+     * Response: { resource_id, version, url, commit_hash, download_url }
+     *
+     * @param userToken Per-request token from the caller's mcp.json configuration.
+     */
+    async finalizeResourceUpload(uploadId, commitMessage, userToken) {
+        const resp = await this.post('/csp/api/resources/finalize', { upload_id: uploadId, commit_message: commitMessage }, this.authConfig(userToken));
+        return resp.data;
+    }
+    /**
+     * Report AI resource usage telemetry to the server.
+     *
+     * POST /csp/api/resources/telemetry
+     * Body: { client_version, reported_at, events[], subscribed_rules[], configured_mcps[] }
+     *
+     * Called by TelemetryManager.flush() every ~10 seconds and on reconnect.
+     * Throws on non-2xx so the caller can apply retry logic.
+     *
+     * jira_id in each event entry is optional — it is only present when the user
+     * explicitly passed a Jira ID during the Prompt invocation.
+     *
+     * @param payload   Telemetry report payload built by TelemetryManager
+     * @param userToken Per-request Bearer token from the caller's mcp.json configuration
+     */
+    async reportTelemetry(payload, userToken) {
+        await this.post('/csp/api/resources/telemetry', payload, this.authConfig(userToken));
+    }
+    /**
+     * @deprecated Use uploadResourceFiles() + finalizeResourceUpload() instead.
+     */
+    async uploadResource(params) {
+        return this.post('/csp/api/resources/upload', params);
+    }
+    /**
+     * @deprecated Use finalizeResourceUpload() instead.
+     */
+    async finalizeUpload(uploadId, hash) {
+        return this.post('/csp/api/resources/finalize', {
+            upload_id: uploadId,
+            hash,
+        });
+    }
+}
+// Export singleton instance
+exports.apiClient = new APIClient();
+//# sourceMappingURL=client.js.map

package/dist/api/client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.js","sourceRoot":"","sources":["../../src/api/client.ts"],"names":[],"mappings":";AAAA;;;GAGG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAEH,+CAA6E;AAC7E,sCAAmC;AACnC,4CAAqE;AACrE,4CAAiD;AAEjD,MAAM,SAAS;IACL,MAAM,CAAgB;IACb,UAAU,GAAG,CAAC,CAAC;IACf,UAAU,GAAG,IAAI,CAAC,CAAC,WAAW;IAE/C;QACE,IAAI,CAAC,MAAM,GAAG,eAAK,CAAC,MAAM,CAAC;YACzB,OAAO,EAAE,eAAM,CAAC,GAAG,CAAC,UAAU;YAC9B,OAAO,EAAE,eAAM,CAAC,GAAG,CAAC,OAAO;YAC3B,OAAO,EAAE;gBACP,cAAc,EAAE,kBAAkB;gBAClC,YAAY,EAAE,wBAAwB;aACvC;SACF,CAAC,CAAC;QAEH,sDAAsD;QACtD,0EAA0E;QAC1E,0EAA0E;QAC1E,wEAAwE;QACxE,8CAA8C;QAC9C,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,OAAO,CAAC,GAAG,CAClC,CAAC,aAAa,EAAE,EAAE;YAChB,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,aAAa,EAAE,CAAC;gBACzC,OAAO,OAAO,CAAC,MAAM,CACnB,IAAI,KAAK,CACP,kCAAkC;oBAClC,mGAAmG,CACpG,CACF,CAAC;YACJ,CAAC;YAED,2BAA2B;YAC3B,eAAM,CAAC,KAAK,CACV;gBACE,IAAI,EAAE,mBAAmB;gBACzB,MAAM,EAAE,aAAa,CAAC,MAAM,EAAE,WAAW,EAAE;gBAC3C,GAAG,EAAE,aAAa,CAAC,GAAG;gBACtB,MAAM,EAAE,aAAa,CAAC,MAAM;gBAC5B,IAAI,EAAE,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS;gBAC3F,OAAO,EAAE,IAAI,CAAC,eAAe,CAAC,aAAa,CAAC,OAAiC,CAAC;aAC/E,EACD,gBAAgB,aAAa,CAAC,MAAM,EAAE,WAAW,EAAE,IAAI,aAAa,CAAC,GAAG,EAAE,CAC3E,CAAC;YAEF,6CAA6C;YAC5C,aAAqB,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YAE9C,OAAO,aAAa,CAAC;QACvB,CAAC,EACD,CAAC,KAAK,EAAE,EAAE;YACR,eAAM,CAAC,KAAK,CAAC;gBACX,IAAI,EAAE,+BAA+B;gBACrC,KAAK,EAAE,KAAK,CAAC,OAAO;aACrB,EAAE,+BAA+B,CAAC,CAAC;YACpC,OAAO,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAC/B,CAAC,CACF,CAAC;QAEF,4CAA4C;QAC5C,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,QAAQ,CAAC,GAAG,CACnC,CAAC,QAAQ,EAAE,EAAE;YACX,MAAM,SAAS,GAAI,QAAQ,CAAC,MAAc,CAAC,SAAS,IAAI,IAAI,CAAC,GAAG,EAAE,CAAC;YACnE,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;YACxC,MAAM,MAAM,GAAG,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,WAAW,EAAE,IAAI,SAAS,CAAC;YAClE,MAAM,GAAG,GAAG,QAAQ,CAAC,MAAM,CAAC,GAAG,IAAI,SAAS,CAAC;YAE7C,4BAA4B;YAC5B,IAAA,sBAAa,EACX,MAAM,EACN,GAAG,EACH,QAAQ,CAAC,MAAM,EACf,QAAQ,EACR,QAAQ,CAAC,MAAM,CAAC,IAAI,EACpB,QAAQ,CAAC,IAAI,EACb,QAAQ,CAAC,OAAiC,CAC3C,CAAC;YAEF,OAAO,QAAQ,CAAC;QAClB,CAAC,EACD,CAAC,KAAiB,EAAE,EAAE;YACpB,MAAM,SAAS,GAAI,KAAK,CAAC,MAAc,EAAE,SAAS,IAAI,IAAI,CAAC,GAAG,EAAE,CAAC;YACjE,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;YACxC,MAAM,UAAU,GAAG,KAAK,CAAC,QAAQ,EAAE,MAAM,CAAC;YAC1C,MAAM,MAAM,GAAG,KAAK,CAAC,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,IAAI,SAAS,CAAC;YAChE,MAAM,GAAG,GAAG,KAAK,CAAC,MAAM,EAAE,GAAG,IAAI,SAAS,CAAC;YAE3C,yBAAyB;YACzB,IAAA,oBAAW,EACT,MAAM,EACN,GAAG,EACH,KAAK,EACL,KAAK,CAAC,MAAM,EAAE,IAAI,EAClB,UAAU,CACX,CAAC;YAEF,oCAAoC;YACpC,IAAI,KAAK,CAAC,QAAQ,EAAE,CAAC;gBACnB,eAAM,CAAC,KAAK,CACV;oBACE,IAAI,EAAE,oBAAoB;oBAC1B,MAAM;oBACN,GAAG;oBACH,MAAM,EAAE,UAAU;oBAClB,UAAU,EAAE,KAAK,CAAC,QAAQ,CAAC,UAAU;oBACrC,YAAY,EAAE,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC,SAAS;oBACtG,QAAQ;iBACT,EACD,uBAAuB,MAAM,IAAI,GAAG,MAAM,UAAU,EAAE,CACvD,CAAC;YACJ,CAAC;YAED,OAAO,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAC/B,CAAC,CACF,CAAC;IACJ,CAAC;IAED;;;;;;;;;OASG;IACH,UAAU,CAAC,KAAyB,EAAE,KAA0B;QAC9D,IAAI,CAAC,KAAK;YAAE,OAAO,KAAK,IAAI,EAAE,CAAC;QAC/B,OAAO;YACL,GAAG,KAAK;YACR,OAAO,EAAE;gBACP,GAAG,CAAC,KAAK,EAAE,OAAO,IAAI,EAAE,CAAC;gBACzB,aAAa,EAAE,UAAU,KAAK,EAAE;aACjC;SACF,CAAC;IACJ,CAAC;IAED;;OAEG;IACK,eAAe,CAAC,OAA+B;QACrD,MAAM,SAAS,GAAG,EAAE,GAAG,OAAO,EAAE,CAAC;QACjC,IAAI,SAAS,CAAC,eAAe,CAAC,IAAI,SAAS,CAAC,eAAe,CAAC,EAAE,CAAC;YAC7D,MAAM,GAAG,GAAG,SAAS,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,eAAe,CAAC;YAC3E,MAAM,KAAK,GAAG,SAAS,CAAC,GAAG,CAAC,CAAC;YAC7B,IAAI,KAAK,IAAI,KAAK,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;gBACzC,MAAM,KAAK,GAAG,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;gBACjC,SAAS,CAAC,GAAG,CAAC,GAAG,UAAU,KAAK,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,KAAK,CAAC,SAAS,CAAC,KAAK,CAAC,MAAM,GAAG,EAAE,CAAC,EAAE,CAAC;YAC9F,CAAC;QACH,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,gBAAgB,CAC5B,SAA2B,EAC3B,MAAc,EACd,GAAW,EACX,UAAU,GAAG,CAAC;QAEd,IAAI,CAAC;YACH,OAAO,MAAM,SAAS,EAAE,CAAC;QAC3B,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,cAAc,GAClB,KAAK,YAAY,kBAAU;gBAC3B,CAAC,CAAC,KAAK,CAAC,QAAQ,IAAI,KAAK,CAAC,IAAI,KAAK,cAAc,IAAI,KAAK,CAAC,IAAI,KAAK,WAAW,CAAC,CAAC;YAEnF,IAAI,cAAc,IAAI,UAAU,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;gBACnD,MAAM,KAAK,GAAG,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,UAAU,CAAC,CAAC;gBACxD,eAAM,CAAC,IAAI,CACT;oBACE,MAAM;oBACN,GAAG;oBACH,UAAU,EAAE,UAAU,GAAG,CAAC;oBAC1B,UAAU,EAAE,IAAI,CAAC,UAAU;oBAC3B,KAAK;iBACN,EACD,mCAAmC,KAAK,OAAO,CAChD,CAAC;gBAEF,MAAM,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC,CAAC;gBAC3D,OAAO,IAAI,CAAC,gBAAgB,CAAC,SAAS,EAAE,MAAM,EAAE,GAAG,EAAE,UAAU,GAAG,CAAC,CAAC,CAAC;YACvE,CAAC;YAED,oCAAoC;YACpC,IAAI,KAAK,YAAY,kBAAU,EAAE,CAAC;gBAChC,MAAM,IAAA,uBAAc,EAClB,MAAM,EACN,GAAG,EACH,KAAK,EACL,KAAK,CAAC,QAAQ,EAAE,MAAM,EACtB,UAAU,CACX,CAAC;YACJ,CAAC;YAED,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,GAAG,CAAI,GAAW,EAAE,MAA2B;QACnD,OAAO,IAAI,CAAC,gBAAgB,CAC1B,KAAK,IAAI,EAAE;YACT,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,GAAG,CAAI,GAAG,EAAE,MAAM,CAAC,CAAC;YACvD,OAAO,QAAQ,CAAC,IAAI,CAAC;QACvB,CAAC,EACD,KAAK,EACL,GAAG,CACJ,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,IAAI,CAAI,GAAW,EAAE,IAAc,EAAE,MAA2B;QACpE,OAAO,IAAI,CAAC,gBAAgB,CAC1B,KAAK,IAAI,EAAE;YACT,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CAAI,GAAG,EAAE,IAAI,EAAE,MAAM,CAAC,CAAC;YAC9D,OAAO,QAAQ,CAAC,IAAI,CAAC;QACvB,CAAC,EACD,MAAM,EACN,GAAG,CACJ,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,GAAG,CAAI,GAAW,EAAE,IAAc,EAAE,MAA2B;QACnE,OAAO,IAAI,CAAC,gBAAgB,CAC1B,KAAK,IAAI,EAAE;YACT,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,GAAG,CAAI,GAAG,EAAE,IAAI,EAAE,MAAM,CAAC,CAAC;YAC7D,OAAO,QAAQ,CAAC,IAAI,CAAC;QACvB,CAAC,EACD,KAAK,EACL,GAAG,CACJ,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,MAAM,CAAI,GAAW,EAAE,MAA2B;QACtD,OAAO,IAAI,CAAC,gBAAgB,CAC1B,KAAK,IAAI,EAAE;YACT,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,MAAM,CAAI,GAAG,EAAE,MAAM,CAAC,CAAC;YAC1D,OAAO,QAAQ,CAAC,IAAI,CAAC;QACvB,CAAC,EACD,QAAQ,EACR,GAAG,CACJ,CAAC;IACJ,CAAC;IAED,6CAA6C;IAC7C,oCAAoC;IACpC,6CAA6C;IAE7C;;;;;;OAMG;IACH,KAAK,CAAC,gBAAgB,CACpB,MAIC,EACD,SAAkB;QAiBlB,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,GAAG,CAmB5B,kCAAkC,EAAE,IAAI,CAAC,UAAU,CAAC,SAAS,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC;QAE/E,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;YACnB,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;QAC9D,CAAC;QAED,OAAO,QAAQ,CAAC,IAAI,CAAC;IACvB,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,SAAS,CACb,WAAqB,EACrB,QAAQ,GAAG,IAAI,EACf,KAAmC,EACnC,SAAkB;QAUlB,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,IAAI,CAa9B,sCAAsC,EACtC,EAAE,YAAY,EAAE,WAAW,EAAE,SAAS,EAAE,QAAQ,EAAE,KAAK,EAAE,EACzD,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,CAC3B,CAAC;QAEF,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;YACnB,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;QAC9D,CAAC;QAED,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,QAAQ,CAAC,IAAI,CAAC,aAAa,EAAE,CAAC;IACvE,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,WAAW,CAAC,WAA8B,EAAE,SAAkB;QAClE,MAAM,GAAG,GAAG,KAAK,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC;QACrE,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAI/B,yCAAyC,EAAE,IAAI,CAAC,UAAU,CAAC,SAAS,EAAE,EAAE,IAAI,EAAE,EAAE,YAAY,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC,CAAC;QAE3G,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;YACnB,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;QAC9D,CAAC;IACH,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,eAAe,CACnB,MAOC,EACD,SAAkB;QAwBlB,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,GAAG,CA2B5B,2BAA2B,EAAE,IAAI,CAAC,UAAU,CAAC,SAAS,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC;QAExE,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;YACnB,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;QAC9D,CAAC;QAED,OAAO;YACL,KAAK,EAAE,QAAQ,CAAC,IAAI,CAAC,KAAK;YAC1B,IAAI,EAAE,QAAQ,CAAC,IAAI,CAAC,IAAI;YACxB,SAAS,EAAE,QAAQ,CAAC,IAAI,CAAC,SAAS;YAClC,OAAO,EAAE,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;gBACzC,GAAG,CAAC;gBACJ,KAAK,EAAE,CAAC,CAAC,KAAK,IAAI,CAAC;gBACnB,aAAa,EAAE,CAAC,CAAC,aAAa,IAAI,KAAK;aACxC,CAAC,CAAC;SACJ,CAAC;IACJ,CAAC;IAED;;;;;;;;;;;OAWG;IACH,KAAK,CAAC,gBAAgB,CACpB,UAAkB,EAClB,SAAkB;QASlB,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,GAAG,CAW5B,+BAA+B,UAAU,EAAE,EAAE,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC;QAC5E,OAAO,QAAQ,CAAC,IAAI,CAAC;IACvB,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,iBAAiB,CACrB,UAAkB,EAClB,SAAkB;QAoBlB,OAAO,IAAI,CAAC,GAAG,CAAC,sBAAsB,UAAU,EAAE,EAAE,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC;IAClF,CAAC;IAED;;;;;;;;;;;OAWG;IACH,KAAK,CAAC,mBAAmB,CACvB,MAMC,EACD,SAAkB;QAOlB,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,CAIzB,2BAA2B,EAAE,MAAM,EAAE,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC;QACpE,OAAO,IAAI,CAAC,IAAI,CAAC;IACnB,CAAC;IAED;;;;;;;;OAQG;IACH,KAAK,CAAC,sBAAsB,CAC1B,QAAgB,EAChB,aAAqB,EACrB,SAAkB;QAQlB,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,CAW1B,6BAA6B,EAC7B,EAAE,SAAS,EAAE,QAAQ,EAAE,cAAc,EAAE,aAAa,EAAE,EACtD,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,CAC3B,CAAC;QACF,OAAO,IAAI,CAAC,IAAI,CAAC;IACnB,CAAC;IAED;;;;;;;;;;;;;;OAcG;IACH,KAAK,CAAC,eAAe,CACnB,OAuBC,EACD,SAAiB;QAEjB,MAAM,IAAI,CAAC,IAAI,CACb,8BAA8B,EAC9B,OAAO,EACP,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,CAC3B,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,cAAc,CAAC,MAMpB;QAKC,OAAO,IAAI,CAAC,IAAI,CAAC,2BAA2B,EAAE,MAAM,CAAC,CAAC;IACxD,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,cAAc,CAAC,QAAgB,EAAE,IAAY;QAIjD,OAAO,IAAI,CAAC,IAAI,CAAC,6BAA6B,EAAE;YAC9C,SAAS,EAAE,QAAQ;YACnB,IAAI;SACL,CAAC,CAAC;IACL,CAAC;CACF;AAED,4BAA4B;AACf,QAAA,SAAS,GAAG,IAAI,SAAS,EAAE,CAAC"}

package/dist/auth/index.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Authentication Module
+ * Exports all authentication and authorization utilities
+ */
+export * from './token-validator';
+export * from './permissions';
+export * from './middleware';
+//# sourceMappingURL=index.d.ts.map

package/dist/auth/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/auth/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,cAAc,mBAAmB,CAAC;AAGlC,cAAc,eAAe,CAAC;AAC9B,cAAc,cAAc,CAAC"}

package/dist/auth/index.js

@@ -0,0 +1,26 @@
+"use strict";
+/**
+ * Authentication Module
+ * Exports all authentication and authorization utilities
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+// Token validation via CSP API (primary method)
+__exportStar(require("./token-validator"), exports);
+// Permissions and middleware
+__exportStar(require("./permissions"), exports);
+__exportStar(require("./middleware"), exports);
+//# sourceMappingURL=index.js.map

package/dist/auth/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/auth/index.ts"],"names":[],"mappings":";AAAA;;;GAGG;;;;;;;;;;;;;;;;AAEH,gDAAgD;AAChD,oDAAkC;AAElC,6BAA6B;AAC7B,gDAA8B;AAC9B,+CAA6B"}

package/dist/auth/middleware.d.ts

@@ -0,0 +1,36 @@
+/**
+ * Authentication and Permission Middlewares
+ * Token authentication and permission checking for HTTP endpoints
+ */
+import { FastifyRequest, FastifyReply } from 'fastify';
+import { TokenPayload } from './token-validator';
+/**
+ * Extended request with user info
+ */
+export interface AuthenticatedRequest extends FastifyRequest {
+    user?: TokenPayload;
+}
+/**
+ * Token Authentication Middleware
+ * Verifies token via external REST API
+ */
+export declare function tokenAuthMiddleware(request: AuthenticatedRequest, reply: FastifyReply): Promise<void>;
+/**
+ * Token Authentication Middleware with Legacy Bearer Token Support
+ * Supports both token validation via API and legacy bearer tokens
+ */
+export declare function tokenAuthOrLegacyMiddleware(request: AuthenticatedRequest, reply: FastifyReply): Promise<void>;
+/**
+ * Permission Check Middleware Factory
+ * Creates middleware to check permissions for a specific tool
+ */
+export declare function requirePermission(toolName: string): (request: AuthenticatedRequest, reply: FastifyReply) => Promise<void>;
+/**
+ * Permission Check for Tool Call
+ * Checks permission when tools/call is invoked
+ */
+export declare function checkToolCallPermission(toolName: string, user: TokenPayload): {
+    allowed: boolean;
+    reason?: string;
+};
+//# sourceMappingURL=middleware.d.ts.map

package/dist/auth/middleware.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"middleware.d.ts","sourceRoot":"","sources":["../../src/auth/middleware.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,cAAc,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvD,OAAO,EAAe,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAI9D;;GAEG;AACH,MAAM,WAAW,oBAAqB,SAAQ,cAAc;IAC1D,IAAI,CAAC,EAAE,YAAY,CAAC;CACrB;AAED;;;GAGG;AACH,wBAAsB,mBAAmB,CACvC,OAAO,EAAE,oBAAoB,EAC7B,KAAK,EAAE,YAAY,GAClB,OAAO,CAAC,IAAI,CAAC,CAkEf;AAED;;;GAGG;AACH,wBAAsB,2BAA2B,CAC/C,OAAO,EAAE,oBAAoB,EAC7B,KAAK,EAAE,YAAY,GAClB,OAAO,CAAC,IAAI,CAAC,CA+Df;AAED;;;GAGG;AACH,wBAAgB,iBAAiB,CAAC,QAAQ,EAAE,MAAM,IAClC,SAAS,oBAAoB,EAAE,OAAO,YAAY,KAAG,OAAO,CAAC,IAAI,CAAC,CA+DjF;AAED;;;GAGG;AACH,wBAAgB,uBAAuB,CACrC,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,YAAY,GACjB;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,MAAM,CAAC,EAAE,MAAM,CAAA;CAAE,CAEvC"}

package/dist/auth/middleware.js

@@ -0,0 +1,194 @@
+"use strict";
+/**
+ * Authentication and Permission Middlewares
+ * Token authentication and permission checking for HTTP endpoints
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.tokenAuthMiddleware = tokenAuthMiddleware;
+exports.tokenAuthOrLegacyMiddleware = tokenAuthOrLegacyMiddleware;
+exports.requirePermission = requirePermission;
+exports.checkToolCallPermission = checkToolCallPermission;
+const token_validator_1 = require("./token-validator");
+const permissions_1 = require("./permissions");
+const logger_1 = require("../utils/logger");
+/**
+ * Token Authentication Middleware
+ * Verifies token via external REST API
+ */
+async function tokenAuthMiddleware(request, reply) {
+    try {
+        // Extract token from Authorization header
+        const authHeader = request.headers.authorization;
+        if (!authHeader || !authHeader.startsWith('Bearer ')) {
+            logger_1.logger.warn({
+                type: 'auth',
+                operation: 'middleware',
+                ip: request.ip,
+                url: request.url
+            }, 'Missing or invalid Authorization header');
+            reply.code(401).send({
+                error: 'Unauthorized',
+                message: 'Missing or invalid Authorization header. Expected: Bearer <token>',
+            });
+            return;
+        }
+        const token = authHeader.substring(7); // Remove 'Bearer ' prefix
+        // Verify token via external API
+        const payload = await (0, token_validator_1.verifyToken)(token);
+        if (!payload) {
+            logger_1.logger.warn({
+                type: 'auth',
+                operation: 'middleware',
+                ip: request.ip,
+                url: request.url
+            }, 'Token validation failed');
+            reply.code(401).send({
+                error: 'Unauthorized',
+                message: 'Invalid or expired token',
+            });
+            return;
+        }
+        // Attach user info to request
+        request.user = payload;
+        logger_1.logger.debug({
+            type: 'auth',
+            operation: 'middleware',
+            userId: payload.userId,
+            email: payload.email,
+            groups: payload.groups
+        }, `Token authentication successful for user ${payload.userId}`);
+    }
+    catch (error) {
+        logger_1.logger.error({
+            type: 'auth',
+            operation: 'middleware',
+            error: error instanceof Error ? error.message : 'Unknown error'
+        }, 'Token authentication error');
+        reply.code(500).send({
+            error: 'Internal Server Error',
+            message: 'Authentication failed',
+        });
+    }
+}
+/**
+ * Token Authentication Middleware with Legacy Bearer Token Support
+ * Supports both token validation via API and legacy bearer tokens
+ */
+async function tokenAuthOrLegacyMiddleware(request, reply) {
+    try {
+        const authHeader = request.headers.authorization;
+        if (!authHeader || !authHeader.startsWith('Bearer ')) {
+            logger_1.logger.warn({
+                type: 'auth',
+                operation: 'middleware_legacy',
+                ip: request.ip,
+                url: request.url
+            }, 'Missing or invalid Authorization header');
+            reply.code(401).send({
+                error: 'Unauthorized',
+                message: 'Missing or invalid Authorization header',
+            });
+            return;
+        }
+        const token = authHeader.substring(7);
+        // Try to validate via API first
+        const payload = await (0, token_validator_1.verifyToken)(token);
+        if (payload) {
+            // API validation successful
+            request.user = payload;
+            logger_1.logger.debug({
+                type: 'auth',
+                operation: 'middleware_legacy',
+                userId: payload.userId,
+                email: payload.email,
+                groups: payload.groups
+            }, `Token validated via API for user ${payload.userId}`);
+            return;
+        }
+        // Fallback to legacy bearer token (for backward compatibility)
+        logger_1.logger.debug({
+            type: 'auth',
+            operation: 'middleware_legacy',
+            ip: request.ip
+        }, 'API validation failed, using legacy bearer token mode');
+        // In legacy mode, we don't have user info, so continue without setting request.user
+        // The endpoint will handle the legacy token separately
+    }
+    catch (error) {
+        logger_1.logger.error({
+            type: 'auth',
+            operation: 'middleware_legacy',
+            error: error instanceof Error ? error.message : 'Unknown error'
+        }, 'Token authentication error');
+        reply.code(500).send({
+            error: 'Internal Server Error',
+            message: 'Authentication failed',
+        });
+    }
+}
+/**
+ * Permission Check Middleware Factory
+ * Creates middleware to check permissions for a specific tool
+ */
+function requirePermission(toolName) {
+    return async (request, reply) => {
+        try {
+            if (!request.user) {
+                logger_1.logger.error({
+                    type: 'auth',
+                    operation: 'permission_check',
+                    url: request.url
+                }, 'Permission check called without authentication');
+                reply.code(401).send({
+                    error: 'Unauthorized',
+                    message: 'Authentication required',
+                });
+                return;
+            }
+            // Check permission
+            const permissionCheck = (0, permissions_1.checkPermission)(toolName, request.user.groups);
+            if (!permissionCheck.allowed) {
+                logger_1.logger.warn({
+                    type: 'auth',
+                    operation: 'permission_check',
+                    userId: request.user.userId,
+                    email: request.user.email,
+                    groups: request.user.groups,
+                    toolName,
+                    reason: permissionCheck.reason,
+                }, `Permission denied for user ${request.user.userId} to access tool ${toolName}`);
+                reply.code(403).send({
+                    error: 'Forbidden',
+                    message: permissionCheck.reason || 'Insufficient permissions',
+                });
+                return;
+            }
+            logger_1.logger.debug({
+                type: 'auth',
+                operation: 'permission_check',
+                userId: request.user.userId,
+                toolName
+            }, `Permission granted for user ${request.user.userId} to access tool ${toolName}`);
+        }
+        catch (error) {
+            logger_1.logger.error({
+                type: 'auth',
+                operation: 'permission_check',
+                toolName,
+                error: error instanceof Error ? error.message : 'Unknown error'
+            }, 'Permission check error');
+            reply.code(500).send({
+                error: 'Internal Server Error',
+                message: 'Permission check failed',
+            });
+        }
+    };
+}
+/**
+ * Permission Check for Tool Call
+ * Checks permission when tools/call is invoked
+ */
+function checkToolCallPermission(toolName, user) {
+    return (0, permissions_1.checkPermission)(toolName, user.groups);
+}
+//# sourceMappingURL=middleware.js.map