@elliotding/ai-agent-mcp 0.1.26 → 0.1.28

package/dist/api/client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.js","sourceRoot":"","sources":["../../src/api/client.ts"],"names":[],"mappings":";AAAA;;;GAGG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAEH,+CAA6E;AAC7E,sCAAmC;AACnC,4CAAqE;AACrE,4CAAiD;AAEjD,MAAM,SAAS;IACL,MAAM,CAAgB;IACb,UAAU,GAAG,CAAC,CAAC;IACf,UAAU,GAAG,IAAI,CAAC,CAAC,WAAW;IAE/C;QACE,IAAI,CAAC,MAAM,GAAG,eAAK,CAAC,MAAM,CAAC;YACzB,OAAO,EAAE,eAAM,CAAC,GAAG,CAAC,UAAU;YAC9B,OAAO,EAAE,eAAM,CAAC,GAAG,CAAC,OAAO;YAC3B,OAAO,EAAE;gBACP,cAAc,EAAE,kBAAkB;gBAClC,YAAY,EAAE,wBAAwB;aACvC;SACF,CAAC,CAAC;QAEH,sDAAsD;QACtD,0EAA0E;QAC1E,0EAA0E;QAC1E,wEAAwE;QACxE,8CAA8C;QAC9C,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,OAAO,CAAC,GAAG,CAClC,CAAC,aAAa,EAAE,EAAE;YAChB,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,aAAa,EAAE,CAAC;gBACzC,OAAO,OAAO,CAAC,MAAM,CACnB,IAAI,KAAK,CACP,kCAAkC;oBAClC,mGAAmG,CACpG,CACF,CAAC;YACJ,CAAC;YAED,2BAA2B;YAC3B,eAAM,CAAC,KAAK,CACV;gBACE,IAAI,EAAE,mBAAmB;gBACzB,MAAM,EAAE,aAAa,CAAC,MAAM,EAAE,WAAW,EAAE;gBAC3C,GAAG,EAAE,aAAa,CAAC,GAAG;gBACtB,MAAM,EAAE,aAAa,CAAC,MAAM;gBAC5B,IAAI,EAAE,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS;gBAC3F,OAAO,EAAE,IAAI,CAAC,eAAe,CAAC,aAAa,CAAC,OAAiC,CAAC;aAC/E,EACD,gBAAgB,aAAa,CAAC,MAAM,EAAE,WAAW,EAAE,IAAI,aAAa,CAAC,GAAG,EAAE,CAC3E,CAAC;YAEF,6CAA6C;YAC5C,aAAqB,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YAE9C,OAAO,aAAa,CAAC;QACvB,CAAC,EACD,CAAC,KAAK,EAAE,EAAE;YACR,eAAM,CAAC,KAAK,CAAC;gBACX,IAAI,EAAE,+BAA+B;gBACrC,KAAK,EAAE,KAAK,CAAC,OAAO;aACrB,EAAE,+BAA+B,CAAC,CAAC;YACpC,OAAO,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAC/B,CAAC,CACF,CAAC;QAEF,4CAA4C;QAC5C,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,QAAQ,CAAC,GAAG,CACnC,CAAC,QAAQ,EAAE,EAAE;YACX,MAAM,SAAS,GAAI,QAAQ,CAAC,MAAc,CAAC,SAAS,IAAI,IAAI,CAAC,GAAG,EAAE,CAAC;YACnE,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;YACxC,MAAM,MAAM,GAAG,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,WAAW,EAAE,IAAI,SAAS,CAAC;YAClE,MAAM,GAAG,GAAG,QAAQ,CAAC,MAAM,CAAC,GAAG,IAAI,SAAS,CAAC;YAE7C,4BAA4B;YAC5B,IAAA,sBAAa,EACX,MAAM,EACN,GAAG,EACH,QAAQ,CAAC,MAAM,EACf,QAAQ,EACR,QAAQ,CAAC,MAAM,CAAC,IAAI,EACpB,QAAQ,CAAC,IAAI,EACb,QAAQ,CAAC,OAAiC,CAC3C,CAAC;YAEF,OAAO,QAAQ,CAAC;QAClB,CAAC,EACD,CAAC,KAAiB,EAAE,EAAE;YACpB,MAAM,SAAS,GAAI,KAAK,CAAC,MAAc,EAAE,SAAS,IAAI,IAAI,CAAC,GAAG,EAAE,CAAC;YACjE,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;YACxC,MAAM,UAAU,GAAG,KAAK,CAAC,QAAQ,EAAE,MAAM,CAAC;YAC1C,MAAM,MAAM,GAAG,KAAK,CAAC,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,IAAI,SAAS,CAAC;YAChE,MAAM,GAAG,GAAG,KAAK,CAAC,MAAM,EAAE,GAAG,IAAI,SAAS,CAAC;YAE3C,yBAAyB;YACzB,IAAA,oBAAW,EACT,MAAM,EACN,GAAG,EACH,KAAK,EACL,KAAK,CAAC,MAAM,EAAE,IAAI,EAClB,UAAU,CACX,CAAC;YAEF,oCAAoC;YACpC,IAAI,KAAK,CAAC,QAAQ,EAAE,CAAC;gBACnB,eAAM,CAAC,KAAK,CACV;oBACE,IAAI,EAAE,oBAAoB;oBAC1B,MAAM;oBACN,GAAG;oBACH,MAAM,EAAE,UAAU;oBAClB,UAAU,EAAE,KAAK,CAAC,QAAQ,CAAC,UAAU;oBACrC,YAAY,EAAE,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC,SAAS;oBACtG,QAAQ;iBACT,EACD,uBAAuB,MAAM,IAAI,GAAG,MAAM,UAAU,EAAE,CACvD,CAAC;YACJ,CAAC;YAED,OAAO,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAC/B,CAAC,CACF,CAAC;IACJ,CAAC;IAED;;;;;;;;;OASG;IACH,UAAU,CAAC,KAAyB,EAAE,KAA0B;QAC9D,IAAI,CAAC,KAAK;YAAE,OAAO,KAAK,IAAI,EAAE,CAAC;QAC/B,OAAO;YACL,GAAG,KAAK;YACR,OAAO,EAAE;gBACP,GAAG,CAAC,KAAK,EAAE,OAAO,IAAI,EAAE,CAAC;gBACzB,aAAa,EAAE,UAAU,KAAK,EAAE;aACjC;SACF,CAAC;IACJ,CAAC;IAED;;OAEG;IACK,eAAe,CAAC,OAA+B;QACrD,MAAM,SAAS,GAAG,EAAE,GAAG,OAAO,EAAE,CAAC;QACjC,IAAI,SAAS,CAAC,eAAe,CAAC,IAAI,SAAS,CAAC,eAAe,CAAC,EAAE,CAAC;YAC7D,MAAM,GAAG,GAAG,SAAS,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,eAAe,CAAC;YAC3E,MAAM,KAAK,GAAG,SAAS,CAAC,GAAG,CAAC,CAAC;YAC7B,IAAI,KAAK,IAAI,KAAK,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;gBACzC,MAAM,KAAK,GAAG,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;gBACjC,SAAS,CAAC,GAAG,CAAC,GAAG,UAAU,KAAK,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,KAAK,CAAC,SAAS,CAAC,KAAK,CAAC,MAAM,GAAG,EAAE,CAAC,EAAE,CAAC;YAC9F,CAAC;QACH,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,gBAAgB,CAC5B,SAA2B,EAC3B,MAAc,EACd,GAAW,EACX,UAAU,GAAG,CAAC;QAEd,IAAI,CAAC;YACH,OAAO,MAAM,SAAS,EAAE,CAAC;QAC3B,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,cAAc,GAClB,KAAK,YAAY,kBAAU;gBAC3B,CAAC,CAAC,KAAK,CAAC,QAAQ,IAAI,KAAK,CAAC,IAAI,KAAK,cAAc,IAAI,KAAK,CAAC,IAAI,KAAK,WAAW,CAAC,CAAC;YAEnF,IAAI,cAAc,IAAI,UAAU,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;gBACnD,MAAM,KAAK,GAAG,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,UAAU,CAAC,CAAC;gBACxD,eAAM,CAAC,IAAI,CACT;oBACE,MAAM;oBACN,GAAG;oBACH,UAAU,EAAE,UAAU,GAAG,CAAC;oBAC1B,UAAU,EAAE,IAAI,CAAC,UAAU;oBAC3B,KAAK;iBACN,EACD,mCAAmC,KAAK,OAAO,CAChD,CAAC;gBAEF,MAAM,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC,CAAC;gBAC3D,OAAO,IAAI,CAAC,gBAAgB,CAAC,SAAS,EAAE,MAAM,EAAE,GAAG,EAAE,UAAU,GAAG,CAAC,CAAC,CAAC;YACvE,CAAC;YAED,oCAAoC;YACpC,IAAI,KAAK,YAAY,kBAAU,EAAE,CAAC;gBAChC,MAAM,IAAA,uBAAc,EAClB,MAAM,EACN,GAAG,EACH,KAAK,EACL,KAAK,CAAC,QAAQ,EAAE,MAAM,EACtB,UAAU,CACX,CAAC;YACJ,CAAC;YAED,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,GAAG,CAAI,GAAW,EAAE,MAA2B;QACnD,OAAO,IAAI,CAAC,gBAAgB,CAC1B,KAAK,IAAI,EAAE;YACT,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,GAAG,CAAI,GAAG,EAAE,MAAM,CAAC,CAAC;YACvD,OAAO,QAAQ,CAAC,IAAI,CAAC;QACvB,CAAC,EACD,KAAK,EACL,GAAG,CACJ,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,IAAI,CAAI,GAAW,EAAE,IAAc,EAAE,MAA2B;QACpE,OAAO,IAAI,CAAC,gBAAgB,CAC1B,KAAK,IAAI,EAAE;YACT,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CAAI,GAAG,EAAE,IAAI,EAAE,MAAM,CAAC,CAAC;YAC9D,OAAO,QAAQ,CAAC,IAAI,CAAC;QACvB,CAAC,EACD,MAAM,EACN,GAAG,CACJ,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,GAAG,CAAI,GAAW,EAAE,IAAc,EAAE,MAA2B;QACnE,OAAO,IAAI,CAAC,gBAAgB,CAC1B,KAAK,IAAI,EAAE;YACT,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,GAAG,CAAI,GAAG,EAAE,IAAI,EAAE,MAAM,CAAC,CAAC;YAC7D,OAAO,QAAQ,CAAC,IAAI,CAAC;QACvB,CAAC,EACD,KAAK,EACL,GAAG,CACJ,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,MAAM,CAAI,GAAW,EAAE,MAA2B;QACtD,OAAO,IAAI,CAAC,gBAAgB,CAC1B,KAAK,IAAI,EAAE;YACT,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,MAAM,CAAI,GAAG,EAAE,MAAM,CAAC,CAAC;YAC1D,OAAO,QAAQ,CAAC,IAAI,CAAC;QACvB,CAAC,EACD,QAAQ,EACR,GAAG,CACJ,CAAC;IACJ,CAAC;IAED,6CAA6C;IAC7C,oCAAoC;IACpC,6CAA6C;IAE7C;;;;;;OAMG;IACH,KAAK,CAAC,gBAAgB,CACpB,MAIC,EACD,SAAkB;QAiBlB,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,GAAG,CAmB5B,kCAAkC,EAAE,IAAI,CAAC,UAAU,CAAC,SAAS,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC;QAE/E,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;YACnB,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;QAC9D,CAAC;QAED,OAAO,QAAQ,CAAC,IAAI,CAAC;IACvB,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,SAAS,CACb,WAAqB,EACrB,QAAQ,GAAG,IAAI,EACf,KAAmC,EACnC,SAAkB;QAUlB,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,IAAI,CAa9B,sCAAsC,EACtC,EAAE,YAAY,EAAE,WAAW,EAAE,SAAS,EAAE,QAAQ,EAAE,KAAK,EAAE,EACzD,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,CAC3B,CAAC;QAEF,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;YACnB,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;QAC9D,CAAC;QAED,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,QAAQ,CAAC,IAAI,CAAC,aAAa,EAAE,CAAC;IACvE,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,WAAW,CAAC,WAA8B,EAAE,SAAkB;QAClE,MAAM,GAAG,GAAG,KAAK,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC;QACrE,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAI/B,yCAAyC,EAAE,IAAI,CAAC,UAAU,CAAC,SAAS,EAAE,EAAE,IAAI,EAAE,EAAE,YAAY,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC,CAAC;QAE3G,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;YACnB,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;QAC9D,CAAC;IACH,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,eAAe,CACnB,MAOC,EACD,SAAkB;QAwBlB,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,GAAG,CA2B5B,2BAA2B,EAAE,IAAI,CAAC,UAAU,CAAC,SAAS,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC;QAExE,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;YACnB,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;QAC9D,CAAC;QAED,OAAO;YACL,KAAK,EAAE,QAAQ,CAAC,IAAI,CAAC,KAAK;YAC1B,IAAI,EAAE,QAAQ,CAAC,IAAI,CAAC,IAAI;YACxB,SAAS,EAAE,QAAQ,CAAC,IAAI,CAAC,SAAS;YAClC,OAAO,EAAE,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;gBACzC,GAAG,CAAC;gBACJ,KAAK,EAAE,CAAC,CAAC,KAAK,IAAI,CAAC;gBACnB,aAAa,EAAE,CAAC,CAAC,aAAa,IAAI,KAAK;aACxC,CAAC,CAAC;SACJ,CAAC;IACJ,CAAC;IAED;;;;;;;;;;;OAWG;IACH,KAAK,CAAC,gBAAgB,CACpB,UAAkB,EAClB,SAAkB;QASlB,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,GAAG,CAW5B,+BAA+B,UAAU,EAAE,EAAE,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC;QAC5E,OAAO,QAAQ,CAAC,IAAI,CAAC;IACvB,CAAC;IAED;;;;;;;;;;;;;OAaG;IACH;;;;OAIG;IACH,KAAK,CAAC,iBAAiB,CACrB,UAAkB,EAClB,SAAkB;QAoBlB,OAAO,IAAI,CAAC,GAAG,CAAC,sBAAsB,UAAU,EAAE,EAAE,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC;IAClF,CAAC;IAED;;;;;;;;;;;OAWG;IACH,KAAK,CAAC,mBAAmB,CACvB,MAMC,EACD,SAAkB;QAOlB,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,CAIzB,2BAA2B,EAAE,MAAM,EAAE,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC;QACpE,OAAO,IAAI,CAAC,IAAI,CAAC;IACnB,CAAC;IAED;;;;;;;;OAQG;IACH,KAAK,CAAC,sBAAsB,CAC1B,QAAgB,EAChB,aAAqB,EACrB,SAAkB;QAQlB,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,CAW1B,6BAA6B,EAC7B,EAAE,SAAS,EAAE,QAAQ,EAAE,cAAc,EAAE,aAAa,EAAE,EACtD,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,CAC3B,CAAC;QACF,OAAO,IAAI,CAAC,IAAI,CAAC;IACnB,CAAC;IAED;;;;;;;;;;;;;;OAcG;IACH,KAAK,CAAC,eAAe,CACnB,OAuBC,EACD,SAAiB;QAEjB,MAAM,IAAI,CAAC,IAAI,CACb,8BAA8B,EAC9B,OAAO,EACP,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,CAC3B,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,cAAc,CAAC,MAMpB;QAKC,OAAO,IAAI,CAAC,IAAI,CAAC,2BAA2B,EAAE,MAAM,CAAC,CAAC;IACxD,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,cAAc,CAAC,QAAgB,EAAE,IAAY;QAIjD,OAAO,IAAI,CAAC,IAAI,CAAC,6BAA6B,EAAE;YAC9C,SAAS,EAAE,QAAQ;YACnB,IAAI;SACL,CAAC,CAAC;IACL,CAAC;CACF;AAED,4BAA4B;AACf,QAAA,SAAS,GAAG,IAAI,SAAS,EAAE,CAAC"}

package/dist/auth/index.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Authentication Module
+ * Exports all authentication and authorization utilities
+ */
+export * from './token-validator';
+export * from './permissions';
+export * from './middleware';
+//# sourceMappingURL=index.d.ts.map

package/dist/auth/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/auth/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,cAAc,mBAAmB,CAAC;AAGlC,cAAc,eAAe,CAAC;AAC9B,cAAc,cAAc,CAAC"}

package/dist/auth/index.js

@@ -0,0 +1,26 @@
+"use strict";
+/**
+ * Authentication Module
+ * Exports all authentication and authorization utilities
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+// Token validation via CSP API (primary method)
+__exportStar(require("./token-validator"), exports);
+// Permissions and middleware
+__exportStar(require("./permissions"), exports);
+__exportStar(require("./middleware"), exports);
+//# sourceMappingURL=index.js.map

package/dist/auth/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/auth/index.ts"],"names":[],"mappings":";AAAA;;;GAGG;;;;;;;;;;;;;;;;AAEH,gDAAgD;AAChD,oDAAkC;AAElC,6BAA6B;AAC7B,gDAA8B;AAC9B,+CAA6B"}

package/dist/auth/middleware.d.ts

@@ -0,0 +1,36 @@
+/**
+ * Authentication and Permission Middlewares
+ * Token authentication and permission checking for HTTP endpoints
+ */
+import { FastifyRequest, FastifyReply } from 'fastify';
+import { TokenPayload } from './token-validator';
+/**
+ * Extended request with user info
+ */
+export interface AuthenticatedRequest extends FastifyRequest {
+    user?: TokenPayload;
+}
+/**
+ * Token Authentication Middleware
+ * Verifies token via external REST API
+ */
+export declare function tokenAuthMiddleware(request: AuthenticatedRequest, reply: FastifyReply): Promise<void>;
+/**
+ * Token Authentication Middleware with Legacy Bearer Token Support
+ * Supports both token validation via API and legacy bearer tokens
+ */
+export declare function tokenAuthOrLegacyMiddleware(request: AuthenticatedRequest, reply: FastifyReply): Promise<void>;
+/**
+ * Permission Check Middleware Factory
+ * Creates middleware to check permissions for a specific tool
+ */
+export declare function requirePermission(toolName: string): (request: AuthenticatedRequest, reply: FastifyReply) => Promise<void>;
+/**
+ * Permission Check for Tool Call
+ * Checks permission when tools/call is invoked
+ */
+export declare function checkToolCallPermission(toolName: string, user: TokenPayload): {
+    allowed: boolean;
+    reason?: string;
+};
+//# sourceMappingURL=middleware.d.ts.map

package/dist/auth/middleware.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"middleware.d.ts","sourceRoot":"","sources":["../../src/auth/middleware.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,cAAc,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvD,OAAO,EAAe,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAI9D;;GAEG;AACH,MAAM,WAAW,oBAAqB,SAAQ,cAAc;IAC1D,IAAI,CAAC,EAAE,YAAY,CAAC;CACrB;AAED;;;GAGG;AACH,wBAAsB,mBAAmB,CACvC,OAAO,EAAE,oBAAoB,EAC7B,KAAK,EAAE,YAAY,GAClB,OAAO,CAAC,IAAI,CAAC,CAkEf;AAED;;;GAGG;AACH,wBAAsB,2BAA2B,CAC/C,OAAO,EAAE,oBAAoB,EAC7B,KAAK,EAAE,YAAY,GAClB,OAAO,CAAC,IAAI,CAAC,CA+Df;AAED;;;GAGG;AACH,wBAAgB,iBAAiB,CAAC,QAAQ,EAAE,MAAM,IAClC,SAAS,oBAAoB,EAAE,OAAO,YAAY,KAAG,OAAO,CAAC,IAAI,CAAC,CA+DjF;AAED;;;GAGG;AACH,wBAAgB,uBAAuB,CACrC,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,YAAY,GACjB;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,MAAM,CAAC,EAAE,MAAM,CAAA;CAAE,CAEvC"}

package/dist/auth/middleware.js

@@ -0,0 +1,194 @@
+"use strict";
+/**
+ * Authentication and Permission Middlewares
+ * Token authentication and permission checking for HTTP endpoints
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.tokenAuthMiddleware = tokenAuthMiddleware;
+exports.tokenAuthOrLegacyMiddleware = tokenAuthOrLegacyMiddleware;
+exports.requirePermission = requirePermission;
+exports.checkToolCallPermission = checkToolCallPermission;
+const token_validator_1 = require("./token-validator");
+const permissions_1 = require("./permissions");
+const logger_1 = require("../utils/logger");
+/**
+ * Token Authentication Middleware
+ * Verifies token via external REST API
+ */
+async function tokenAuthMiddleware(request, reply) {
+    try {
+        // Extract token from Authorization header
+        const authHeader = request.headers.authorization;
+        if (!authHeader || !authHeader.startsWith('Bearer ')) {
+            logger_1.logger.warn({
+                type: 'auth',
+                operation: 'middleware',
+                ip: request.ip,
+                url: request.url
+            }, 'Missing or invalid Authorization header');
+            reply.code(401).send({
+                error: 'Unauthorized',
+                message: 'Missing or invalid Authorization header. Expected: Bearer <token>',
+            });
+            return;
+        }
+        const token = authHeader.substring(7); // Remove 'Bearer ' prefix
+        // Verify token via external API
+        const payload = await (0, token_validator_1.verifyToken)(token);
+        if (!payload) {
+            logger_1.logger.warn({
+                type: 'auth',
+                operation: 'middleware',
+                ip: request.ip,
+                url: request.url
+            }, 'Token validation failed');
+            reply.code(401).send({
+                error: 'Unauthorized',
+                message: 'Invalid or expired token',
+            });
+            return;
+        }
+        // Attach user info to request
+        request.user = payload;
+        logger_1.logger.debug({
+            type: 'auth',
+            operation: 'middleware',
+            userId: payload.userId,
+            email: payload.email,
+            groups: payload.groups
+        }, `Token authentication successful for user ${payload.userId}`);
+    }
+    catch (error) {
+        logger_1.logger.error({
+            type: 'auth',
+            operation: 'middleware',
+            error: error instanceof Error ? error.message : 'Unknown error'
+        }, 'Token authentication error');
+        reply.code(500).send({
+            error: 'Internal Server Error',
+            message: 'Authentication failed',
+        });
+    }
+}
+/**
+ * Token Authentication Middleware with Legacy Bearer Token Support
+ * Supports both token validation via API and legacy bearer tokens
+ */
+async function tokenAuthOrLegacyMiddleware(request, reply) {
+    try {
+        const authHeader = request.headers.authorization;
+        if (!authHeader || !authHeader.startsWith('Bearer ')) {
+            logger_1.logger.warn({
+                type: 'auth',
+                operation: 'middleware_legacy',
+                ip: request.ip,
+                url: request.url
+            }, 'Missing or invalid Authorization header');
+            reply.code(401).send({
+                error: 'Unauthorized',
+                message: 'Missing or invalid Authorization header',
+            });
+            return;
+        }
+        const token = authHeader.substring(7);
+        // Try to validate via API first
+        const payload = await (0, token_validator_1.verifyToken)(token);
+        if (payload) {
+            // API validation successful
+            request.user = payload;
+            logger_1.logger.debug({
+                type: 'auth',
+                operation: 'middleware_legacy',
+                userId: payload.userId,
+                email: payload.email,
+                groups: payload.groups
+            }, `Token validated via API for user ${payload.userId}`);
+            return;
+        }
+        // Fallback to legacy bearer token (for backward compatibility)
+        logger_1.logger.debug({
+            type: 'auth',
+            operation: 'middleware_legacy',
+            ip: request.ip
+        }, 'API validation failed, using legacy bearer token mode');
+        // In legacy mode, we don't have user info, so continue without setting request.user
+        // The endpoint will handle the legacy token separately
+    }
+    catch (error) {
+        logger_1.logger.error({
+            type: 'auth',
+            operation: 'middleware_legacy',
+            error: error instanceof Error ? error.message : 'Unknown error'
+        }, 'Token authentication error');
+        reply.code(500).send({
+            error: 'Internal Server Error',
+            message: 'Authentication failed',
+        });
+    }
+}
+/**
+ * Permission Check Middleware Factory
+ * Creates middleware to check permissions for a specific tool
+ */
+function requirePermission(toolName) {
+    return async (request, reply) => {
+        try {
+            if (!request.user) {
+                logger_1.logger.error({
+                    type: 'auth',
+                    operation: 'permission_check',
+                    url: request.url
+                }, 'Permission check called without authentication');
+                reply.code(401).send({
+                    error: 'Unauthorized',
+                    message: 'Authentication required',
+                });
+                return;
+            }
+            // Check permission
+            const permissionCheck = (0, permissions_1.checkPermission)(toolName, request.user.groups);
+            if (!permissionCheck.allowed) {
+                logger_1.logger.warn({
+                    type: 'auth',
+                    operation: 'permission_check',
+                    userId: request.user.userId,
+                    email: request.user.email,
+                    groups: request.user.groups,
+                    toolName,
+                    reason: permissionCheck.reason,
+                }, `Permission denied for user ${request.user.userId} to access tool ${toolName}`);
+                reply.code(403).send({
+                    error: 'Forbidden',
+                    message: permissionCheck.reason || 'Insufficient permissions',
+                });
+                return;
+            }
+            logger_1.logger.debug({
+                type: 'auth',
+                operation: 'permission_check',
+                userId: request.user.userId,
+                toolName
+            }, `Permission granted for user ${request.user.userId} to access tool ${toolName}`);
+        }
+        catch (error) {
+            logger_1.logger.error({
+                type: 'auth',
+                operation: 'permission_check',
+                toolName,
+                error: error instanceof Error ? error.message : 'Unknown error'
+            }, 'Permission check error');
+            reply.code(500).send({
+                error: 'Internal Server Error',
+                message: 'Permission check failed',
+            });
+        }
+    };
+}
+/**
+ * Permission Check for Tool Call
+ * Checks permission when tools/call is invoked
+ */
+function checkToolCallPermission(toolName, user) {
+    return (0, permissions_1.checkPermission)(toolName, user.groups);
+}
+//# sourceMappingURL=middleware.js.map

package/dist/auth/middleware.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"middleware.js","sourceRoot":"","sources":["../../src/auth/middleware.ts"],"names":[],"mappings":";AAAA;;;GAGG;;AAkBH,kDAqEC;AAMD,kEAkEC;AAMD,8CAgEC;AAMD,0DAKC;AA7OD,uDAA8D;AAC9D,+CAAgD;AAChD,4CAAyC;AASzC;;;GAGG;AACI,KAAK,UAAU,mBAAmB,CACvC,OAA6B,EAC7B,KAAmB;IAEnB,IAAI,CAAC;QACH,0CAA0C;QAC1C,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,aAAa,CAAC;QACjD,IAAI,CAAC,UAAU,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;YACrD,eAAM,CAAC,IAAI,CACT;gBACE,IAAI,EAAE,MAAM;gBACZ,SAAS,EAAE,YAAY;gBACvB,EAAE,EAAE,OAAO,CAAC,EAAE;gBACd,GAAG,EAAE,OAAO,CAAC,GAAG;aACjB,EACD,yCAAyC,CAC1C,CAAC;YACF,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACnB,KAAK,EAAE,cAAc;gBACrB,OAAO,EAAE,mEAAmE;aAC7E,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,MAAM,KAAK,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,0BAA0B;QAEjE,gCAAgC;QAChC,MAAM,OAAO,GAAG,MAAM,IAAA,6BAAW,EAAC,KAAK,CAAC,CAAC;QACzC,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,eAAM,CAAC,IAAI,CACT;gBACE,IAAI,EAAE,MAAM;gBACZ,SAAS,EAAE,YAAY;gBACvB,EAAE,EAAE,OAAO,CAAC,EAAE;gBACd,GAAG,EAAE,OAAO,CAAC,GAAG;aACjB,EACD,yBAAyB,CAC1B,CAAC;YACF,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACnB,KAAK,EAAE,cAAc;gBACrB,OAAO,EAAE,0BAA0B;aACpC,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,8BAA8B;QAC9B,OAAO,CAAC,IAAI,GAAG,OAAO,CAAC;QAEvB,eAAM,CAAC,KAAK,CACV;YACE,IAAI,EAAE,MAAM;YACZ,SAAS,EAAE,YAAY;YACvB,MAAM,EAAE,OAAO,CAAC,MAAM;YACtB,KAAK,EAAE,OAAO,CAAC,KAAK;YACpB,MAAM,EAAE,OAAO,CAAC,MAAM;SACvB,EACD,4CAA4C,OAAO,CAAC,MAAM,EAAE,CAC7D,CAAC;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,eAAM,CAAC,KAAK,CAAC;YACX,IAAI,EAAE,MAAM;YACZ,SAAS,EAAE,YAAY;YACvB,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe;SAChE,EAAE,4BAA4B,CAAC,CAAC;QACjC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;YACnB,KAAK,EAAE,uBAAuB;YAC9B,OAAO,EAAE,uBAAuB;SACjC,CAAC,CAAC;IACL,CAAC;AACH,CAAC;AAED;;;GAGG;AACI,KAAK,UAAU,2BAA2B,CAC/C,OAA6B,EAC7B,KAAmB;IAEnB,IAAI,CAAC;QACH,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,aAAa,CAAC;QACjD,IAAI,CAAC,UAAU,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;YACrD,eAAM,CAAC,IAAI,CACT;gBACE,IAAI,EAAE,MAAM;gBACZ,SAAS,EAAE,mBAAmB;gBAC9B,EAAE,EAAE,OAAO,CAAC,EAAE;gBACd,GAAG,EAAE,OAAO,CAAC,GAAG;aACjB,EACD,yCAAyC,CAC1C,CAAC;YACF,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACnB,KAAK,EAAE,cAAc;gBACrB,OAAO,EAAE,yCAAyC;aACnD,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,MAAM,KAAK,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;QAEtC,gCAAgC;QAChC,MAAM,OAAO,GAAG,MAAM,IAAA,6BAAW,EAAC,KAAK,CAAC,CAAC;QACzC,IAAI,OAAO,EAAE,CAAC;YACZ,4BAA4B;YAC5B,OAAO,CAAC,IAAI,GAAG,OAAO,CAAC;YACvB,eAAM,CAAC,KAAK,CACV;gBACE,IAAI,EAAE,MAAM;gBACZ,SAAS,EAAE,mBAAmB;gBAC9B,MAAM,EAAE,OAAO,CAAC,MAAM;gBACtB,KAAK,EAAE,OAAO,CAAC,KAAK;gBACpB,MAAM,EAAE,OAAO,CAAC,MAAM;aACvB,EACD,oCAAoC,OAAO,CAAC,MAAM,EAAE,CACrD,CAAC;YACF,OAAO;QACT,CAAC;QAED,+DAA+D;QAC/D,eAAM,CAAC,KAAK,CACV;YACE,IAAI,EAAE,MAAM;YACZ,SAAS,EAAE,mBAAmB;YAC9B,EAAE,EAAE,OAAO,CAAC,EAAE;SACf,EACD,uDAAuD,CACxD,CAAC;QAEF,oFAAoF;QACpF,uDAAuD;IACzD,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,eAAM,CAAC,KAAK,CAAC;YACX,IAAI,EAAE,MAAM;YACZ,SAAS,EAAE,mBAAmB;YAC9B,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe;SAChE,EAAE,4BAA4B,CAAC,CAAC;QACjC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;YACnB,KAAK,EAAE,uBAAuB;YAC9B,OAAO,EAAE,uBAAuB;SACjC,CAAC,CAAC;IACL,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,SAAgB,iBAAiB,CAAC,QAAgB;IAChD,OAAO,KAAK,EAAE,OAA6B,EAAE,KAAmB,EAAiB,EAAE;QACjF,IAAI,CAAC;YACH,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;gBAClB,eAAM,CAAC,KAAK,CACV;oBACE,IAAI,EAAE,MAAM;oBACZ,SAAS,EAAE,kBAAkB;oBAC7B,GAAG,EAAE,OAAO,CAAC,GAAG;iBACjB,EACD,gDAAgD,CACjD,CAAC;gBACF,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;oBACnB,KAAK,EAAE,cAAc;oBACrB,OAAO,EAAE,yBAAyB;iBACnC,CAAC,CAAC;gBACH,OAAO;YACT,CAAC;YAED,mBAAmB;YACnB,MAAM,eAAe,GAAG,IAAA,6BAAe,EAAC,QAAQ,EAAE,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YAEvE,IAAI,CAAC,eAAe,CAAC,OAAO,EAAE,CAAC;gBAC7B,eAAM,CAAC,IAAI,CACT;oBACE,IAAI,EAAE,MAAM;oBACZ,SAAS,EAAE,kBAAkB;oBAC7B,MAAM,EAAE,OAAO,CAAC,IAAI,CAAC,MAAM;oBAC3B,KAAK,EAAE,OAAO,CAAC,IAAI,CAAC,KAAK;oBACzB,MAAM,EAAE,OAAO,CAAC,IAAI,CAAC,MAAM;oBAC3B,QAAQ;oBACR,MAAM,EAAE,eAAe,CAAC,MAAM;iBAC/B,EACD,8BAA8B,OAAO,CAAC,IAAI,CAAC,MAAM,mBAAmB,QAAQ,EAAE,CAC/E,CAAC;gBACF,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;oBACnB,KAAK,EAAE,WAAW;oBAClB,OAAO,EAAE,eAAe,CAAC,MAAM,IAAI,0BAA0B;iBAC9D,CAAC,CAAC;gBACH,OAAO;YACT,CAAC;YAED,eAAM,CAAC,KAAK,CACV;gBACE,IAAI,EAAE,MAAM;gBACZ,SAAS,EAAE,kBAAkB;gBAC7B,MAAM,EAAE,OAAO,CAAC,IAAI,CAAC,MAAM;gBAC3B,QAAQ;aACT,EACD,+BAA+B,OAAO,CAAC,IAAI,CAAC,MAAM,mBAAmB,QAAQ,EAAE,CAChF,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,eAAM,CAAC,KAAK,CAAC;gBACX,IAAI,EAAE,MAAM;gBACZ,SAAS,EAAE,kBAAkB;gBAC7B,QAAQ;gBACR,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe;aAChE,EAAE,wBAAwB,CAAC,CAAC;YAC7B,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACnB,KAAK,EAAE,uBAAuB;gBAC9B,OAAO,EAAE,yBAAyB;aACnC,CAAC,CAAC;QACL,CAAC;IACH,CAAC,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,SAAgB,uBAAuB,CACrC,QAAgB,EAChB,IAAkB;IAElB,OAAO,IAAA,6BAAe,EAAC,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;AAChD,CAAC"}

package/dist/auth/permissions.d.ts

@@ -0,0 +1,60 @@
+/**
+ * Permission Control System
+ * Group-based access control for MCP tools
+ * Groups are obtained from CSP API /user/permissions (e.g., "zNet", "Client-Public")
+ */
+/**
+ * Known groups from CSP
+ * Users may belong to one or more groups
+ */
+export declare const KnownGroups: {
+    readonly ZNET: "zNet";
+    readonly CLIENT_PUBLIC: "Client-Public";
+    readonly ADMIN: "admin";
+};
+/**
+ * Permission level for operations
+ */
+export declare enum PermissionLevel {
+    READ = "read",
+    WRITE = "write",
+    ADMIN = "admin"
+}
+/**
+ * Tool permission configuration
+ */
+export interface ToolPermission {
+    tool: string;
+    allowedGroups: string[];
+    requiredPermission: PermissionLevel;
+}
+/**
+ * Initialize permission system
+ */
+export declare function initializePermissions(customRules?: ToolPermission[]): void;
+/**
+ * Check if a user has permission to access a tool
+ * @param toolName - The name of the tool to check
+ * @param userGroups - The groups the user belongs to (from CSP API)
+ */
+export declare function checkPermission(toolName: string, userGroups: string[]): {
+    allowed: boolean;
+    reason?: string;
+};
+/**
+ * Get permission info for a tool
+ */
+export declare function getToolPermission(toolName: string): ToolPermission | undefined;
+/**
+ * Get all permission rules
+ */
+export declare function getAllPermissions(): ToolPermission[];
+/**
+ * Update permission rule for a tool
+ */
+export declare function updatePermission(permission: ToolPermission): void;
+/**
+ * Remove permission rule for a tool
+ */
+export declare function removePermission(toolName: string): void;
+//# sourceMappingURL=permissions.d.ts.map

package/dist/auth/permissions.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"permissions.d.ts","sourceRoot":"","sources":["../../src/auth/permissions.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH;;;GAGG;AACH,eAAO,MAAM,WAAW;;;;CAId,CAAC;AAEX;;GAEG;AACH,oBAAY,eAAe;IACzB,IAAI,SAAS;IACb,KAAK,UAAU;IACf,KAAK,UAAU;CAChB;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,kBAAkB,EAAE,eAAe,CAAC;CACrC;AAkDD;;GAEG;AACH,wBAAgB,qBAAqB,CAAC,WAAW,CAAC,EAAE,cAAc,EAAE,GAAG,IAAI,CAqB1E;AAED;;;;GAIG;AACH,wBAAgB,eAAe,CAC7B,QAAQ,EAAE,MAAM,EAChB,UAAU,EAAE,MAAM,EAAE,GACnB;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,MAAM,CAAC,EAAE,MAAM,CAAA;CAAE,CAwKvC;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,QAAQ,EAAE,MAAM,GAAG,cAAc,GAAG,SAAS,CAE9E;AAED;;GAEG;AACH,wBAAgB,iBAAiB,IAAI,cAAc,EAAE,CAEpD;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,UAAU,EAAE,cAAc,GAAG,IAAI,CAMjE;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,MAAM,GAAG,IAAI,CAGvD"}

package/dist/auth/permissions.js

@@ -0,0 +1,262 @@
+"use strict";
+/**
+ * Permission Control System
+ * Group-based access control for MCP tools
+ * Groups are obtained from CSP API /user/permissions (e.g., "zNet", "Client-Public")
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PermissionLevel = exports.KnownGroups = void 0;
+exports.initializePermissions = initializePermissions;
+exports.checkPermission = checkPermission;
+exports.getToolPermission = getToolPermission;
+exports.getAllPermissions = getAllPermissions;
+exports.updatePermission = updatePermission;
+exports.removePermission = removePermission;
+const logger_1 = require("../utils/logger");
+/**
+ * Known groups from CSP
+ * Users may belong to one or more groups
+ */
+exports.KnownGroups = {
+    ZNET: 'zNet', // zNet team - full access
+    CLIENT_PUBLIC: 'Client-Public', // Client-Public team - standard access
+    ADMIN: 'admin', // Admin group - full access (if exists)
+};
+/**
+ * Permission level for operations
+ */
+var PermissionLevel;
+(function (PermissionLevel) {
+    PermissionLevel["READ"] = "read";
+    PermissionLevel["WRITE"] = "write";
+    PermissionLevel["ADMIN"] = "admin";
+})(PermissionLevel || (exports.PermissionLevel = PermissionLevel = {}));
+/**
+ * Default permission rules for each tool
+ * All authenticated users (with valid groups) can use these tools
+ */
+const defaultPermissions = [
+    // sync_resources - available to all authenticated users
+    {
+        tool: 'sync_resources',
+        allowedGroups: ['*'], // * means all authenticated users
+        requiredPermission: PermissionLevel.WRITE,
+    },
+    // manage_subscription - available to all authenticated users
+    {
+        tool: 'manage_subscription',
+        allowedGroups: ['*'],
+        requiredPermission: PermissionLevel.WRITE,
+    },
+    // search_resources - read-only, all authenticated users
+    {
+        tool: 'search_resources',
+        allowedGroups: ['*'],
+        requiredPermission: PermissionLevel.READ,
+    },
+    // upload_resource - requires write permission
+    {
+        tool: 'upload_resource',
+        allowedGroups: ['*'],
+        requiredPermission: PermissionLevel.WRITE,
+    },
+    // uninstall_resource - requires write permission
+    {
+        tool: 'uninstall_resource',
+        allowedGroups: ['*'],
+        requiredPermission: PermissionLevel.WRITE,
+    },
+    // track_usage - internal telemetry tool, always allowed for all authenticated users
+    {
+        tool: 'track_usage',
+        allowedGroups: ['*'],
+        requiredPermission: PermissionLevel.WRITE,
+    },
+];
+/**
+ * Custom permission rules (can be overridden via config)
+ */
+let permissionRules = new Map();
+/**
+ * Initialize permission system
+ */
+function initializePermissions(customRules) {
+    // Load default permissions
+    for (const perm of defaultPermissions) {
+        permissionRules.set(perm.tool, perm);
+    }
+    // Override with custom rules if provided
+    if (customRules && customRules.length > 0) {
+        logger_1.logger.info({ count: customRules.length }, 'Loading custom permission rules');
+        for (const perm of customRules) {
+            permissionRules.set(perm.tool, perm);
+        }
+    }
+    logger_1.logger.info({ toolCount: permissionRules.size }, 'Permission system initialized');
+}
+/**
+ * Check if a user has permission to access a tool
+ * @param toolName - The name of the tool to check
+ * @param userGroups - The groups the user belongs to (from CSP API)
+ */
+function checkPermission(toolName, userGroups) {
+    const checkStartTime = Date.now();
+    logger_1.logger.debug({
+        type: 'permission_check',
+        toolName,
+        userGroups,
+        timestamp: new Date().toISOString()
+    }, `Checking permission for tool: ${toolName}`);
+    // Check if tool has permission rules
+    const permission = permissionRules.get(toolName);
+    if (!permission) {
+        // If no permission rule defined, deny by default
+        logger_1.logger.warn({
+            type: 'permission_check',
+            toolName,
+            userGroups,
+            result: 'denied',
+            reason: 'no_rule',
+            timestamp: new Date().toISOString()
+        }, 'No permission rule found for tool, denying access');
+        (0, logger_1.logAuthAttempt)('permission_check', false, {
+            toolName,
+            userGroups,
+            reason: 'no_rule',
+            duration: Date.now() - checkStartTime
+        });
+        return {
+            allowed: false,
+            reason: `Tool '${toolName}' has no permission rule defined`,
+        };
+    }
+    // If no groups provided, deny access
+    if (!userGroups || userGroups.length === 0) {
+        logger_1.logger.warn({
+            type: 'permission_check',
+            toolName,
+            result: 'denied',
+            reason: 'no_groups',
+            timestamp: new Date().toISOString()
+        }, 'Permission denied: user has no groups');
+        (0, logger_1.logAuthAttempt)('permission_check', false, {
+            toolName,
+            reason: 'no_groups',
+            duration: Date.now() - checkStartTime
+        });
+        return {
+            allowed: false,
+            reason: `User must belong to at least one group to access tools`,
+        };
+    }
+    // Admin group bypasses all checks
+    if (userGroups.includes(exports.KnownGroups.ADMIN) || userGroups.includes('admin')) {
+        logger_1.logger.info({
+            type: 'permission_check',
+            toolName,
+            userGroups,
+            result: 'granted',
+            reason: 'admin_bypass',
+            duration: Date.now() - checkStartTime,
+            timestamp: new Date().toISOString()
+        }, 'Admin group access granted');
+        (0, logger_1.logAuthAttempt)('permission_check', true, {
+            toolName,
+            userGroups,
+            reason: 'admin',
+            duration: Date.now() - checkStartTime
+        });
+        return { allowed: true };
+    }
+    // Check if tool allows all authenticated users
+    if (permission.allowedGroups.includes('*')) {
+        logger_1.logger.info({
+            type: 'permission_check',
+            toolName,
+            userGroups,
+            allowedGroups: permission.allowedGroups,
+            result: 'granted',
+            reason: 'wildcard',
+            duration: Date.now() - checkStartTime,
+            timestamp: new Date().toISOString()
+        }, 'Permission granted (tool allows all authenticated users)');
+        (0, logger_1.logAuthAttempt)('permission_check', true, {
+            toolName,
+            userGroups,
+            reason: 'wildcard',
+            duration: Date.now() - checkStartTime
+        });
+        return { allowed: true };
+    }
+    // Check if user belongs to any of the allowed groups
+    const hasAllowedGroup = userGroups.some((group) => permission.allowedGroups.includes(group));
+    if (!hasAllowedGroup) {
+        logger_1.logger.warn({
+            type: 'permission_check',
+            toolName,
+            userGroups,
+            allowedGroups: permission.allowedGroups,
+            result: 'denied',
+            reason: 'group_mismatch',
+            duration: Date.now() - checkStartTime,
+            timestamp: new Date().toISOString()
+        }, 'Permission denied: user not in allowed groups');
+        (0, logger_1.logAuthAttempt)('permission_check', false, {
+            toolName,
+            userGroups,
+            allowedGroups: permission.allowedGroups,
+            reason: 'group_mismatch',
+            duration: Date.now() - checkStartTime
+        });
+        return {
+            allowed: false,
+            reason: `Tool '${toolName}' requires membership in one of: ${permission.allowedGroups.join(', ')}`,
+        };
+    }
+    logger_1.logger.info({
+        type: 'permission_check',
+        toolName,
+        userGroups,
+        allowedGroups: permission.allowedGroups,
+        result: 'granted',
+        reason: 'group_match',
+        duration: Date.now() - checkStartTime,
+        timestamp: new Date().toISOString()
+    }, 'Permission granted (user in allowed groups)');
+    (0, logger_1.logAuthAttempt)('permission_check', true, {
+        toolName,
+        userGroups,
+        matchedGroups: userGroups.filter(g => permission.allowedGroups.includes(g)),
+        duration: Date.now() - checkStartTime
+    });
+    return { allowed: true };
+}
+/**
+ * Get permission info for a tool
+ */
+function getToolPermission(toolName) {
+    return permissionRules.get(toolName);
+}
+/**
+ * Get all permission rules
+ */
+function getAllPermissions() {
+    return Array.from(permissionRules.values());
+}
+/**
+ * Update permission rule for a tool
+ */
+function updatePermission(permission) {
+    permissionRules.set(permission.tool, permission);
+    logger_1.logger.info({ tool: permission.tool, permission }, 'Permission rule updated');
+}
+/**
+ * Remove permission rule for a tool
+ */
+function removePermission(toolName) {
+    permissionRules.delete(toolName);
+    logger_1.logger.info({ toolName }, 'Permission rule removed');
+}
+// Initialize with default permissions
+initializePermissions();
+//# sourceMappingURL=permissions.js.map

package/dist/auth/permissions.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"permissions.js","sourceRoot":"","sources":["../../src/auth/permissions.ts"],"names":[],"mappings":";AAAA;;;;GAIG;;;AAmFH,sDAqBC;AAOD,0CA2KC;AAKD,8CAEC;AAKD,8CAEC;AAKD,4CAMC;AAKD,4CAGC;AAzTD,4CAAyD;AAEzD;;;GAGG;AACU,QAAA,WAAW,GAAG;IACzB,IAAI,EAAE,MAAM,EAAuB,0BAA0B;IAC7D,aAAa,EAAE,eAAe,EAAK,uCAAuC;IAC1E,KAAK,EAAE,OAAO,EAAqB,wCAAwC;CACnE,CAAC;AAEX;;GAEG;AACH,IAAY,eAIX;AAJD,WAAY,eAAe;IACzB,gCAAa,CAAA;IACb,kCAAe,CAAA;IACf,kCAAe,CAAA;AACjB,CAAC,EAJW,eAAe,+BAAf,eAAe,QAI1B;AAWD;;;GAGG;AACH,MAAM,kBAAkB,GAAqB;IAC3C,wDAAwD;IACxD;QACE,IAAI,EAAE,gBAAgB;QACtB,aAAa,EAAE,CAAC,GAAG,CAAC,EAAG,kCAAkC;QACzD,kBAAkB,EAAE,eAAe,CAAC,KAAK;KAC1C;IACD,6DAA6D;IAC7D;QACE,IAAI,EAAE,qBAAqB;QAC3B,aAAa,EAAE,CAAC,GAAG,CAAC;QACpB,kBAAkB,EAAE,eAAe,CAAC,KAAK;KAC1C;IACD,wDAAwD;IACxD;QACE,IAAI,EAAE,kBAAkB;QACxB,aAAa,EAAE,CAAC,GAAG,CAAC;QACpB,kBAAkB,EAAE,eAAe,CAAC,IAAI;KACzC;IACD,8CAA8C;IAC9C;QACE,IAAI,EAAE,iBAAiB;QACvB,aAAa,EAAE,CAAC,GAAG,CAAC;QACpB,kBAAkB,EAAE,eAAe,CAAC,KAAK;KAC1C;IACD,iDAAiD;IACjD;QACE,IAAI,EAAE,oBAAoB;QAC1B,aAAa,EAAE,CAAC,GAAG,CAAC;QACpB,kBAAkB,EAAE,eAAe,CAAC,KAAK;KAC1C;IACD,oFAAoF;IACpF;QACE,IAAI,EAAE,aAAa;QACnB,aAAa,EAAE,CAAC,GAAG,CAAC;QACpB,kBAAkB,EAAE,eAAe,CAAC,KAAK;KAC1C;CACF,CAAC;AAEF;;GAEG;AACH,IAAI,eAAe,GAAgC,IAAI,GAAG,EAAE,CAAC;AAE7D;;GAEG;AACH,SAAgB,qBAAqB,CAAC,WAA8B;IAClE,2BAA2B;IAC3B,KAAK,MAAM,IAAI,IAAI,kBAAkB,EAAE,CAAC;QACtC,eAAe,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;IACvC,CAAC;IAED,yCAAyC;IACzC,IAAI,WAAW,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC1C,eAAM,CAAC,IAAI,CACT,EAAE,KAAK,EAAE,WAAW,CAAC,MAAM,EAAE,EAC7B,iCAAiC,CAClC,CAAC;QACF,KAAK,MAAM,IAAI,IAAI,WAAW,EAAE,CAAC;YAC/B,eAAe,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;QACvC,CAAC;IACH,CAAC;IAED,eAAM,CAAC,IAAI,CACT,EAAE,SAAS,EAAE,eAAe,CAAC,IAAI,EAAE,EACnC,+BAA+B,CAChC,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,SAAgB,eAAe,CAC7B,QAAgB,EAChB,UAAoB;IAEpB,MAAM,cAAc,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAElC,eAAM,CAAC,KAAK,CAAC;QACX,IAAI,EAAE,kBAAkB;QACxB,QAAQ;QACR,UAAU;QACV,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACpC,EAAE,iCAAiC,QAAQ,EAAE,CAAC,CAAC;IAEhD,qCAAqC;IACrC,MAAM,UAAU,GAAG,eAAe,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IACjD,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,iDAAiD;QACjD,eAAM,CAAC,IAAI,CAAC;YACV,IAAI,EAAE,kBAAkB;YACxB,QAAQ;YACR,UAAU;YACV,MAAM,EAAE,QAAQ;YAChB,MAAM,EAAE,SAAS;YACjB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACpC,EAAE,mDAAmD,CAAC,CAAC;QAExD,IAAA,uBAAc,EAAC,kBAAkB,EAAE,KAAK,EAAE;YACxC,QAAQ;YACR,UAAU;YACV,MAAM,EAAE,SAAS;YACjB,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,cAAc;SACtC,CAAC,CAAC;QAEH,OAAO;YACL,OAAO,EAAE,KAAK;YACd,MAAM,EAAE,SAAS,QAAQ,kCAAkC;SAC5D,CAAC;IACJ,CAAC;IAED,qCAAqC;IACrC,IAAI,CAAC,UAAU,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC3C,eAAM,CAAC,IAAI,CACT;YACE,IAAI,EAAE,kBAAkB;YACxB,QAAQ;YACR,MAAM,EAAE,QAAQ;YAChB,MAAM,EAAE,WAAW;YACnB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACpC,EACD,uCAAuC,CACxC,CAAC;QAEF,IAAA,uBAAc,EAAC,kBAAkB,EAAE,KAAK,EAAE;YACxC,QAAQ;YACR,MAAM,EAAE,WAAW;YACnB,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,cAAc;SACtC,CAAC,CAAC;QAEH,OAAO;YACL,OAAO,EAAE,KAAK;YACd,MAAM,EAAE,wDAAwD;SACjE,CAAC;IACJ,CAAC;IAED,kCAAkC;IAClC,IAAI,UAAU,CAAC,QAAQ,CAAC,mBAAW,CAAC,KAAK,CAAC,IAAI,UAAU,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;QAC3E,eAAM,CAAC,IAAI,CACT;YACE,IAAI,EAAE,kBAAkB;YACxB,QAAQ;YACR,UAAU;YACV,MAAM,EAAE,SAAS;YACjB,MAAM,EAAE,cAAc;YACtB,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,cAAc;YACrC,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACpC,EACD,4BAA4B,CAC7B,CAAC;QAEF,IAAA,uBAAc,EAAC,kBAAkB,EAAE,IAAI,EAAE;YACvC,QAAQ;YACR,UAAU;YACV,MAAM,EAAE,OAAO;YACf,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,cAAc;SACtC,CAAC,CAAC;QAEH,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IAC3B,CAAC;IAED,+CAA+C;IAC/C,IAAI,UAAU,CAAC,aAAa,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QAC3C,eAAM,CAAC,IAAI,CACT;YACE,IAAI,EAAE,kBAAkB;YACxB,QAAQ;YACR,UAAU;YACV,aAAa,EAAE,UAAU,CAAC,aAAa;YACvC,MAAM,EAAE,SAAS;YACjB,MAAM,EAAE,UAAU;YAClB,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,cAAc;YACrC,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACpC,EACD,0DAA0D,CAC3D,CAAC;QAEF,IAAA,uBAAc,EAAC,kBAAkB,EAAE,IAAI,EAAE;YACvC,QAAQ;YACR,UAAU;YACV,MAAM,EAAE,UAAU;YAClB,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,cAAc;SACtC,CAAC,CAAC;QAEH,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IAC3B,CAAC;IAED,qDAAqD;IACrD,MAAM,eAAe,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAChD,UAAU,CAAC,aAAa,CAAC,QAAQ,CAAC,KAAK,CAAC,CACzC,CAAC;IAEF,IAAI,CAAC,eAAe,EAAE,CAAC;QACrB,eAAM,CAAC,IAAI,CACT;YACE,IAAI,EAAE,kBAAkB;YACxB,QAAQ;YACR,UAAU;YACV,aAAa,EAAE,UAAU,CAAC,aAAa;YACvC,MAAM,EAAE,QAAQ;YAChB,MAAM,EAAE,gBAAgB;YACxB,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,cAAc;YACrC,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACpC,EACD,+CAA+C,CAChD,CAAC;QAEF,IAAA,uBAAc,EAAC,kBAAkB,EAAE,KAAK,EAAE;YACxC,QAAQ;YACR,UAAU;YACV,aAAa,EAAE,UAAU,CAAC,aAAa;YACvC,MAAM,EAAE,gBAAgB;YACxB,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,cAAc;SACtC,CAAC,CAAC;QAEH,OAAO;YACL,OAAO,EAAE,KAAK;YACd,MAAM,EAAE,SAAS,QAAQ,oCAAoC,UAAU,CAAC,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;SACnG,CAAC;IACJ,CAAC;IAED,eAAM,CAAC,IAAI,CACT;QACE,IAAI,EAAE,kBAAkB;QACxB,QAAQ;QACR,UAAU;QACV,aAAa,EAAE,UAAU,CAAC,aAAa;QACvC,MAAM,EAAE,SAAS;QACjB,MAAM,EAAE,aAAa;QACrB,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,cAAc;QACrC,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACpC,EACD,6CAA6C,CAC9C,CAAC;IAEF,IAAA,uBAAc,EAAC,kBAAkB,EAAE,IAAI,EAAE;QACvC,QAAQ;QACR,UAAU;QACV,aAAa,EAAE,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,UAAU,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC;QAC3E,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,cAAc;KACtC,CAAC,CAAC;IAEH,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;AAC3B,CAAC;AAED;;GAEG;AACH,SAAgB,iBAAiB,CAAC,QAAgB;IAChD,OAAO,eAAe,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;AACvC,CAAC;AAED;;GAEG;AACH,SAAgB,iBAAiB;IAC/B,OAAO,KAAK,CAAC,IAAI,CAAC,eAAe,CAAC,MAAM,EAAE,CAAC,CAAC;AAC9C,CAAC;AAED;;GAEG;AACH,SAAgB,gBAAgB,CAAC,UAA0B;IACzD,eAAe,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;IACjD,eAAM,CAAC,IAAI,CACT,EAAE,IAAI,EAAE,UAAU,CAAC,IAAI,EAAE,UAAU,EAAE,EACrC,yBAAyB,CAC1B,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAgB,gBAAgB,CAAC,QAAgB;IAC/C,eAAe,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IACjC,eAAM,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,EAAE,yBAAyB,CAAC,CAAC;AACvD,CAAC;AAED,sCAAsC;AACtC,qBAAqB,EAAE,CAAC"}