@frontmcp/auth 0.0.1 → 0.8.0

package/cimd/cimd.errors.d.ts

@@ -0,0 +1,124 @@
+/**
+ * CIMD (Client ID Metadata Documents) Error Classes
+ *
+ * Standalone error classes for CIMD-specific failures.
+ * These do not depend on the SDK's error classes.
+ */
+/**
+ * Base class for all CIMD-related errors.
+ *
+ * Provides a consistent API with code, statusCode, and getPublicMessage()
+ * that mirrors the SDK's PublicMcpError but without the dependency.
+ */
+export declare abstract class CimdError extends Error {
+    /**
+     * Error code for machine-readable identification.
+     */
+    readonly code: string;
+    /**
+     * HTTP status code to return when this error occurs.
+     */
+    readonly statusCode: number;
+    /**
+     * The client_id URL that caused the error.
+     */
+    readonly clientIdUrl?: string;
+    constructor(message: string, code: string, statusCode: number, clientIdUrl?: string);
+    /**
+     * Get a message safe to return to clients.
+     * Override in subclasses to provide user-friendly messages.
+     */
+    getPublicMessage(): string;
+}
+/**
+ * Thrown when the client_id URL is invalid.
+ *
+ * Examples:
+ * - HTTP URL instead of HTTPS
+ * - Missing path component
+ * - Invalid URL format
+ */
+export declare class InvalidClientIdUrlError extends CimdError {
+    readonly reason: string;
+    constructor(clientIdUrl: string, reason: string);
+    getPublicMessage(): string;
+}
+/**
+ * Thrown when fetching the CIMD document fails.
+ *
+ * Examples:
+ * - Network timeout
+ * - HTTP error (404, 500, etc.)
+ * - Connection refused
+ */
+export declare class CimdFetchError extends CimdError {
+    readonly httpStatus?: number;
+    readonly originalError?: Error;
+    constructor(clientIdUrl: string, message: string, options?: {
+        httpStatus?: number;
+        originalError?: Error;
+    });
+    getPublicMessage(): string;
+}
+/**
+ * Thrown when the CIMD document fails validation.
+ *
+ * Examples:
+ * - Missing required fields
+ * - Invalid field values
+ * - client_id in document doesn't match URL
+ */
+export declare class CimdValidationError extends CimdError {
+    readonly validationErrors: string[];
+    constructor(clientIdUrl: string, errors: string[]);
+    getPublicMessage(): string;
+}
+/**
+ * Thrown when the client_id in the document doesn't match the URL.
+ *
+ * Per CIMD spec, the client_id field in the document MUST exactly match
+ * the URL from which the document was fetched.
+ */
+export declare class CimdClientIdMismatchError extends CimdError {
+    readonly documentClientId: string;
+    constructor(urlClientId: string, documentClientId: string);
+    getPublicMessage(): string;
+}
+/**
+ * Thrown when SSRF protection blocks a client_id URL.
+ *
+ * Examples:
+ * - Private IP address
+ * - Blocked domain
+ * - Link-local address
+ */
+export declare class CimdSecurityError extends CimdError {
+    readonly securityReason: string;
+    constructor(clientIdUrl: string, reason: string);
+    getPublicMessage(): string;
+}
+/**
+ * Thrown when the redirect_uri doesn't match any in the CIMD document.
+ */
+export declare class RedirectUriMismatchError extends CimdError {
+    readonly requestedRedirectUri: string;
+    readonly allowedRedirectUris: string[];
+    constructor(clientIdUrl: string, requestedRedirectUri: string, allowedRedirectUris: string[]);
+    getPublicMessage(): string;
+}
+/**
+ * Thrown when the CIMD response exceeds the maximum allowed size.
+ */
+export declare class CimdResponseTooLargeError extends CimdError {
+    readonly maxBytes: number;
+    readonly actualBytes?: number;
+    constructor(clientIdUrl: string, maxBytes: number, actualBytes?: number);
+    getPublicMessage(): string;
+}
+/**
+ * Thrown when CIMD is disabled but a CIMD client_id is used.
+ */
+export declare class CimdDisabledError extends CimdError {
+    constructor();
+}
+//# sourceMappingURL=cimd.errors.d.ts.map

package/cimd/cimd.errors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cimd.errors.d.ts","sourceRoot":"","sources":["../../src/cimd/cimd.errors.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH;;;;;GAKG;AACH,8BAAsB,SAAU,SAAQ,KAAK;IAC3C;;OAEG;IACH,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IAEtB;;OAEG;IACH,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAE5B;;OAEG;IACH,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;gBAElB,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,WAAW,CAAC,EAAE,MAAM;IAanF;;;OAGG;IACH,gBAAgB,IAAI,MAAM;CAG3B;AAED;;;;;;;GAOG;AACH,qBAAa,uBAAwB,SAAQ,SAAS;IACpD,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;gBAEZ,WAAW,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM;IAKtC,gBAAgB,IAAI,MAAM;CAGpC;AAED;;;;;;;GAOG;AACH,qBAAa,cAAe,SAAQ,SAAS;IAC3C,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,aAAa,CAAC,EAAE,KAAK,CAAC;gBAEnB,WAAW,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE;QAAE,UAAU,CAAC,EAAE,MAAM,CAAC;QAAC,aAAa,CAAC,EAAE,KAAK,CAAA;KAAE;IAMjG,gBAAgB,IAAI,MAAM;CAMpC;AAED;;;;;;;GAOG;AACH,qBAAa,mBAAoB,SAAQ,SAAS;IAChD,QAAQ,CAAC,gBAAgB,EAAE,MAAM,EAAE,CAAC;gBAExB,WAAW,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE;IAKxC,gBAAgB,IAAI,MAAM;CAGpC;AAED;;;;;GAKG;AACH,qBAAa,yBAA0B,SAAQ,SAAS;IACtD,QAAQ,CAAC,gBAAgB,EAAE,MAAM,CAAC;gBAEtB,WAAW,EAAE,MAAM,EAAE,gBAAgB,EAAE,MAAM;IAUhD,gBAAgB,IAAI,MAAM;CAGpC;AAED;;;;;;;GAOG;AACH,qBAAa,iBAAkB,SAAQ,SAAS;IAC9C,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAC;gBAEpB,WAAW,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM;IAKtC,gBAAgB,IAAI,MAAM;CAGpC;AAED;;GAEG;AACH,qBAAa,wBAAyB,SAAQ,SAAS;IACrD,QAAQ,CAAC,oBAAoB,EAAE,MAAM,CAAC;IACtC,QAAQ,CAAC,mBAAmB,EAAE,MAAM,EAAE,CAAC;gBAE3B,WAAW,EAAE,MAAM,EAAE,oBAAoB,EAAE,MAAM,EAAE,mBAAmB,EAAE,MAAM,EAAE;IAWnF,gBAAgB,IAAI,MAAM;CAGpC;AAED;;GAEG;AACH,qBAAa,yBAA0B,SAAQ,SAAS;IACtD,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;gBAElB,WAAW,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,CAAC,EAAE,MAAM;IAa9D,gBAAgB,IAAI,MAAM;CAGpC;AAED;;GAEG;AACH,qBAAa,iBAAkB,SAAQ,SAAS;;CAI/C"}

package/cimd/cimd.logger.d.ts

@@ -0,0 +1,39 @@
+/**
+ * CIMD Logger Interface
+ *
+ * A generic logger interface that FrontMcpLogger already satisfies.
+ * This allows CIMD to be used independently of the SDK.
+ */
+/**
+ * Logger interface for CIMD service.
+ *
+ * This interface is compatible with FrontMcpLogger and most common
+ * logging libraries (winston, pino, bunyan, etc.).
+ */
+export interface CimdLogger {
+    /**
+     * Create a child logger with a prefix.
+     */
+    child(prefix: string): CimdLogger;
+    /**
+     * Log a debug message.
+     */
+    debug(message: string, ...args: unknown[]): void;
+    /**
+     * Log an info message.
+     */
+    info(message: string, ...args: unknown[]): void;
+    /**
+     * Log a warning message.
+     */
+    warn(message: string, ...args: unknown[]): void;
+    /**
+     * Log an error message.
+     */
+    error(message: string, ...args: unknown[]): void;
+}
+/**
+ * No-op logger implementation for when logging is not needed.
+ */
+export declare const noopLogger: CimdLogger;
+//# sourceMappingURL=cimd.logger.d.ts.map

package/cimd/cimd.logger.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cimd.logger.d.ts","sourceRoot":"","sources":["../../src/cimd/cimd.logger.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH;;;;;GAKG;AACH,MAAM,WAAW,UAAU;IACzB;;OAEG;IACH,KAAK,CAAC,MAAM,EAAE,MAAM,GAAG,UAAU,CAAC;IAElC;;OAEG;IACH,KAAK,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,IAAI,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC;IAEjD;;OAEG;IACH,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,IAAI,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC;IAEhD;;OAEG;IACH,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,IAAI,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC;IAEhD;;OAEG;IACH,KAAK,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,IAAI,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC;CAClD;AAED;;GAEG;AACH,eAAO,MAAM,UAAU,EAAE,UAMxB,CAAC"}

package/cimd/cimd.service.d.ts

@@ -0,0 +1,88 @@
+/**
+ * CIMD (Client ID Metadata Documents) Service
+ *
+ * Core service for resolving and validating OAuth Client ID Metadata Documents.
+ *
+ * @see https://datatracker.ietf.org/doc/html/draft-ietf-oauth-client-id-metadata-document-00
+ */
+import type { CimdLogger } from './cimd.logger';
+import { type ClientMetadataDocument, type CimdConfigInput, type CimdResolutionResult } from './cimd.types';
+/**
+ * CIMD Service for resolving and validating client metadata documents.
+ *
+ * Following the JwksService pattern for HTTP fetching with caching.
+ */
+export declare class CimdService {
+    private readonly config;
+    private readonly cacheConfig;
+    private readonly securityConfig;
+    private readonly networkConfig;
+    private readonly cache;
+    private readonly logger;
+    /**
+     * Whether CIMD is enabled.
+     */
+    get enabled(): boolean;
+    /**
+     * Create a new CIMD service.
+     *
+     * @param logger - Optional logger. If not provided, logging is disabled.
+     * @param config - Optional configuration.
+     */
+    constructor(logger?: CimdLogger, config?: Partial<CimdConfigInput>);
+    /**
+     * Check if a client_id is a CIMD URL.
+     *
+     * @param clientId - The client_id to check
+     * @returns true if this is a CIMD client_id (HTTPS URL with path, or HTTP for localhost when testing)
+     */
+    isCimdClientId(clientId: string): boolean;
+    /**
+     * Resolve a client_id to its metadata document.
+     *
+     * If the client_id is a CIMD URL, this fetches and validates the metadata document.
+     * Non-CIMD client IDs return a result with isCimdClient: false.
+     *
+     * @param clientId - The client_id to resolve
+     * @returns Resolution result with metadata if available
+     */
+    resolveClientMetadata(clientId: string): Promise<CimdResolutionResult>;
+    /**
+     * Validate that a redirect_uri is registered for the client.
+     *
+     * @param redirectUri - The redirect_uri from the authorization request
+     * @param metadata - The client's metadata document
+     * @throws RedirectUriMismatchError if the redirect_uri is not registered
+     */
+    validateRedirectUri(redirectUri: string, metadata: ClientMetadataDocument): void;
+    /**
+     * Clear the cache for a specific client or all clients.
+     *
+     * @param clientId - Optional client_id to clear; clears all if not provided
+     */
+    clearCache(clientId?: string): Promise<void>;
+    /**
+     * Get cache statistics.
+     */
+    getCacheStats(): Promise<{
+        size: number;
+    }>;
+    /**
+     * Fetch a metadata document from a CIMD URL.
+     *
+     * Following the JwksService.fetchJson() pattern.
+     */
+    private fetchMetadataDocument;
+    /**
+     * Read response body with size limit.
+     */
+    private readResponseWithLimit;
+    /**
+     * Validate a fetched document against the schema.
+     *
+     * @param clientId - The URL from which the document was fetched
+     * @param document - The document to validate
+     */
+    private validateDocument;
+}
+//# sourceMappingURL=cimd.service.d.ts.map

package/cimd/cimd.service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cimd.service.d.ts","sourceRoot":"","sources":["../../src/cimd/cimd.service.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AACH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAUhD,OAAO,EAML,KAAK,sBAAsB,EAE3B,KAAK,eAAe,EACpB,KAAK,oBAAoB,EAI1B,MAAM,cAAc,CAAC;AAGtB;;;;GAIG;AACH,qBAAa,WAAW;IACtB,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAa;IACpC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAkB;IAC9C,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAqB;IACpD,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAoB;IAClD,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAmB;IACzC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAa;IAEpC;;OAEG;IACH,IAAI,OAAO,IAAI,OAAO,CAErB;IAED;;;;;OAKG;gBACS,MAAM,CAAC,EAAE,UAAU,EAAE,MAAM,CAAC,EAAE,OAAO,CAAC,eAAe,CAAC;IA4BlE;;;;;OAKG;IACH,cAAc,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO;IAIzC;;;;;;;;OAQG;IACG,qBAAqB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,oBAAoB,CAAC;IAoD5E;;;;;;OAMG;IACH,mBAAmB,CAAC,WAAW,EAAE,MAAM,EAAE,QAAQ,EAAE,sBAAsB,GAAG,IAAI;IAUhF;;;;OAIG;IACG,UAAU,CAAC,QAAQ,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAUlD;;OAEG;IACG,aAAa,IAAI,OAAO,CAAC;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC;IAMhD;;;;OAIG;YACW,qBAAqB;IAmJnC;;OAEG;YACW,qBAAqB;IAyCnC;;;;;OAKG;IACH,OAAO,CAAC,gBAAgB;CAiBzB"}

package/cimd/cimd.types.d.ts

@@ -0,0 +1,178 @@
+/**
+ * CIMD (Client ID Metadata Documents) Type Definitions
+ *
+ * Implements OAuth Client ID Metadata Documents per
+ * draft-ietf-oauth-client-id-metadata-document-00
+ *
+ * @see https://datatracker.ietf.org/doc/html/draft-ietf-oauth-client-id-metadata-document-00
+ */
+import { z } from 'zod';
+/**
+ * OAuth Client Metadata Document schema.
+ *
+ * When a client_id is an HTTPS URL, this document is fetched from that URL
+ * and contains the client's OAuth metadata.
+ *
+ * Per RFC 7591 (OAuth 2.0 Dynamic Client Registration) and CIMD spec.
+ */
+export declare const clientMetadataDocumentSchema: z.ZodObject<{
+    client_id: z.ZodString;
+    client_name: z.ZodString;
+    redirect_uris: z.ZodArray<z.ZodString>;
+    token_endpoint_auth_method: z.ZodDefault<z.ZodEnum<{
+        none: "none";
+        client_secret_basic: "client_secret_basic";
+        client_secret_post: "client_secret_post";
+        private_key_jwt: "private_key_jwt";
+    }>>;
+    grant_types: z.ZodDefault<z.ZodArray<z.ZodString>>;
+    response_types: z.ZodDefault<z.ZodArray<z.ZodString>>;
+    client_uri: z.ZodOptional<z.ZodString>;
+    logo_uri: z.ZodOptional<z.ZodString>;
+    jwks_uri: z.ZodOptional<z.ZodString>;
+    jwks: z.ZodOptional<z.ZodObject<{
+        keys: z.ZodArray<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+    }, z.core.$strip>>;
+    tos_uri: z.ZodOptional<z.ZodString>;
+    policy_uri: z.ZodOptional<z.ZodString>;
+    scope: z.ZodOptional<z.ZodString>;
+    contacts: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    software_statement: z.ZodOptional<z.ZodString>;
+    software_id: z.ZodOptional<z.ZodString>;
+    software_version: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>;
+export type ClientMetadataDocument = z.infer<typeof clientMetadataDocumentSchema>;
+export type ClientMetadataDocumentInput = z.input<typeof clientMetadataDocumentSchema>;
+/**
+ * Redis configuration for CIMD cache.
+ */
+export declare const cimdRedisCacheConfigSchema: z.ZodObject<{
+    url: z.ZodOptional<z.ZodString>;
+    host: z.ZodOptional<z.ZodString>;
+    port: z.ZodOptional<z.ZodNumber>;
+    password: z.ZodOptional<z.ZodString>;
+    db: z.ZodOptional<z.ZodNumber>;
+    tls: z.ZodOptional<z.ZodBoolean>;
+    keyPrefix: z.ZodDefault<z.ZodString>;
+}, z.core.$strip>;
+export type CimdRedisCacheConfig = z.infer<typeof cimdRedisCacheConfigSchema>;
+/**
+ * Cache configuration for CIMD service.
+ */
+export declare const cimdCacheConfigSchema: z.ZodObject<{
+    type: z.ZodDefault<z.ZodEnum<{
+        memory: "memory";
+        redis: "redis";
+    }>>;
+    defaultTtlMs: z.ZodDefault<z.ZodNumber>;
+    maxTtlMs: z.ZodDefault<z.ZodNumber>;
+    minTtlMs: z.ZodDefault<z.ZodNumber>;
+    redis: z.ZodOptional<z.ZodObject<{
+        url: z.ZodOptional<z.ZodString>;
+        host: z.ZodOptional<z.ZodString>;
+        port: z.ZodOptional<z.ZodNumber>;
+        password: z.ZodOptional<z.ZodString>;
+        db: z.ZodOptional<z.ZodNumber>;
+        tls: z.ZodOptional<z.ZodBoolean>;
+        keyPrefix: z.ZodDefault<z.ZodString>;
+    }, z.core.$strip>>;
+}, z.core.$strip>;
+export type CimdCacheConfig = z.infer<typeof cimdCacheConfigSchema>;
+/**
+ * Security configuration for CIMD service.
+ */
+export declare const cimdSecurityConfigSchema: z.ZodObject<{
+    blockPrivateIPs: z.ZodDefault<z.ZodBoolean>;
+    allowedDomains: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    blockedDomains: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    warnOnLocalhostRedirects: z.ZodDefault<z.ZodBoolean>;
+    allowInsecureForTesting: z.ZodDefault<z.ZodBoolean>;
+}, z.core.$strip>;
+export type CimdSecurityConfig = z.infer<typeof cimdSecurityConfigSchema>;
+/**
+ * Network configuration for CIMD service.
+ */
+export declare const cimdNetworkConfigSchema: z.ZodObject<{
+    timeoutMs: z.ZodDefault<z.ZodNumber>;
+    maxResponseSizeBytes: z.ZodDefault<z.ZodNumber>;
+    redirectPolicy: z.ZodDefault<z.ZodEnum<{
+        deny: "deny";
+        "same-origin": "same-origin";
+        allow: "allow";
+    }>>;
+    maxRedirects: z.ZodDefault<z.ZodNumber>;
+}, z.core.$strip>;
+export type CimdNetworkConfig = z.infer<typeof cimdNetworkConfigSchema>;
+/**
+ * Full CIMD service configuration schema.
+ */
+export declare const cimdConfigSchema: z.ZodObject<{
+    enabled: z.ZodDefault<z.ZodBoolean>;
+    cache: z.ZodOptional<z.ZodObject<{
+        type: z.ZodDefault<z.ZodEnum<{
+            memory: "memory";
+            redis: "redis";
+        }>>;
+        defaultTtlMs: z.ZodDefault<z.ZodNumber>;
+        maxTtlMs: z.ZodDefault<z.ZodNumber>;
+        minTtlMs: z.ZodDefault<z.ZodNumber>;
+        redis: z.ZodOptional<z.ZodObject<{
+            url: z.ZodOptional<z.ZodString>;
+            host: z.ZodOptional<z.ZodString>;
+            port: z.ZodOptional<z.ZodNumber>;
+            password: z.ZodOptional<z.ZodString>;
+            db: z.ZodOptional<z.ZodNumber>;
+            tls: z.ZodOptional<z.ZodBoolean>;
+            keyPrefix: z.ZodDefault<z.ZodString>;
+        }, z.core.$strip>>;
+    }, z.core.$strip>>;
+    security: z.ZodOptional<z.ZodObject<{
+        blockPrivateIPs: z.ZodDefault<z.ZodBoolean>;
+        allowedDomains: z.ZodOptional<z.ZodArray<z.ZodString>>;
+        blockedDomains: z.ZodOptional<z.ZodArray<z.ZodString>>;
+        warnOnLocalhostRedirects: z.ZodDefault<z.ZodBoolean>;
+        allowInsecureForTesting: z.ZodDefault<z.ZodBoolean>;
+    }, z.core.$strip>>;
+    network: z.ZodOptional<z.ZodObject<{
+        timeoutMs: z.ZodDefault<z.ZodNumber>;
+        maxResponseSizeBytes: z.ZodDefault<z.ZodNumber>;
+        redirectPolicy: z.ZodDefault<z.ZodEnum<{
+            deny: "deny";
+            "same-origin": "same-origin";
+            allow: "allow";
+        }>>;
+        maxRedirects: z.ZodDefault<z.ZodNumber>;
+    }, z.core.$strip>>;
+}, z.core.$strip>;
+export type CimdConfig = z.infer<typeof cimdConfigSchema>;
+export type CimdConfigInput = z.input<typeof cimdConfigSchema>;
+/**
+ * Result of resolving a client_id to its metadata document.
+ */
+export interface CimdResolutionResult {
+    /**
+     * Whether this client_id is a CIMD URL.
+     */
+    isCimdClient: boolean;
+    /**
+     * The resolved metadata document (if isCimdClient is true).
+     */
+    metadata?: ClientMetadataDocument;
+    /**
+     * Whether the result came from cache.
+     */
+    fromCache: boolean;
+    /**
+     * When the cached entry expires (if cached).
+     */
+    expiresAt?: number;
+    /**
+     * HTTP ETag for conditional requests.
+     */
+    etag?: string;
+    /**
+     * HTTP Last-Modified header value.
+     */
+    lastModified?: string;
+}
+//# sourceMappingURL=cimd.types.d.ts.map

package/cimd/cimd.types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cimd.types.d.ts","sourceRoot":"","sources":["../../src/cimd/cimd.types.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AACH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAMxB;;;;;;;GAOG;AACH,eAAO,MAAM,4BAA4B;;;;;;;;;;;;;;;;;;;;;;;;;iBAiGvC,CAAC;AAEH,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,4BAA4B,CAAC,CAAC;AAClF,MAAM,MAAM,2BAA2B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,4BAA4B,CAAC,CAAC;AAMvF;;GAEG;AACH,eAAO,MAAM,0BAA0B;;;;;;;;iBAwCrC,CAAC;AAEH,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAE9E;;GAEG;AACH,eAAO,MAAM,qBAAqB;;;;;;;;;;;;;;;;;iBA+BhC,CAAC;AAEH,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AAEpE;;GAEG;AACH,eAAO,MAAM,wBAAwB;;;;;;iBAoCnC,CAAC;AAEH,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,wBAAwB,CAAC,CAAC;AAE1E;;GAEG;AACH,eAAO,MAAM,uBAAuB;;;;;;;;;iBA2BlC,CAAC;AAEH,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAC;AAExE;;GAEG;AACH,eAAO,MAAM,gBAAgB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBAqB3B,CAAC;AAEH,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAC1D,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAM/D;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC;;OAEG;IACH,YAAY,EAAE,OAAO,CAAC;IAEtB;;OAEG;IACH,QAAQ,CAAC,EAAE,sBAAsB,CAAC;IAElC;;OAEG;IACH,SAAS,EAAE,OAAO,CAAC;IAEnB;;OAEG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB;;OAEG;IACH,IAAI,CAAC,EAAE,MAAM,CAAC;IAEd;;OAEG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB"}

package/cimd/cimd.validator.d.ts

@@ -0,0 +1,49 @@
+import type { CimdSecurityConfig } from './cimd.types';
+/**
+ * Check if a client_id is a CIMD URL (HTTPS URL with path component).
+ *
+ * Per CIMD spec, a CIMD client_id is an HTTPS URL that:
+ * - Uses the https:// scheme
+ * - Has a path component (not just the root)
+ *
+ * @param clientId - The client_id to check
+ * @param allowInsecure - Allow HTTP for localhost (testing only)
+ * @returns true if this is a CIMD client_id
+ */
+export declare function isCimdClientId(clientId: string, allowInsecure?: boolean): boolean;
+/**
+ * Validate a client_id URL for CIMD usage.
+ *
+ * @param clientId - The client_id to validate
+ * @param securityConfig - Optional security configuration
+ * @returns The parsed URL object
+ * @throws InvalidClientIdUrlError if the URL is invalid
+ * @throws CimdSecurityError if the URL violates security policy
+ */
+export declare function validateClientIdUrl(clientId: string, securityConfig?: Partial<CimdSecurityConfig>): URL;
+/**
+ * Check if a hostname should be blocked for SSRF protection.
+ */
+interface SsrfCheckResult {
+    allowed: boolean;
+    reason: string;
+}
+/**
+ * Perform SSRF protection checks on a hostname.
+ *
+ * @param hostname - The hostname to check
+ * @returns Result indicating if the hostname is allowed
+ */
+export declare function checkSsrfProtection(hostname: string): SsrfCheckResult;
+/**
+ * Check if any redirect URIs in the list are localhost-only.
+ *
+ * This is a warning indicator for development clients that might
+ * have accidentally been submitted for production use.
+ *
+ * @param redirectUris - Array of redirect URIs to check
+ * @returns true if all URIs are localhost
+ */
+export declare function hasOnlyLocalhostRedirectUris(redirectUris: string[]): boolean;
+export {};
+//# sourceMappingURL=cimd.validator.d.ts.map

package/cimd/cimd.validator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cimd.validator.d.ts","sourceRoot":"","sources":["../../src/cimd/cimd.validator.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAC;AAEvD;;;;;;;;;;GAUG;AACH,wBAAgB,cAAc,CAAC,QAAQ,EAAE,MAAM,EAAE,aAAa,UAAQ,GAAG,OAAO,CA4B/E;AAUD;;;;;;;;GAQG;AACH,wBAAgB,mBAAmB,CAAC,QAAQ,EAAE,MAAM,EAAE,cAAc,CAAC,EAAE,OAAO,CAAC,kBAAkB,CAAC,GAAG,GAAG,CA6DvG;AAED;;GAEG;AACH,UAAU,eAAe;IACvB,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;CAChB;AAED;;;;;GAKG;AACH,wBAAgB,mBAAmB,CAAC,QAAQ,EAAE,MAAM,GAAG,eAAe,CAqBrE;AAqKD;;;;;;;;GAQG;AACH,wBAAgB,4BAA4B,CAAC,YAAY,EAAE,MAAM,EAAE,GAAG,OAAO,CAgB5E"}

package/cimd/index.d.ts

@@ -0,0 +1,17 @@
+/**
+ * CIMD (Client ID Metadata Documents) Module
+ *
+ * OAuth Client ID Metadata Documents support per
+ * draft-ietf-oauth-client-id-metadata-document-00
+ *
+ * @see https://datatracker.ietf.org/doc/html/draft-ietf-oauth-client-id-metadata-document-00
+ */
+export { type CimdLogger, noopLogger } from './cimd.logger';
+export { clientMetadataDocumentSchema, cimdCacheConfigSchema, cimdRedisCacheConfigSchema, cimdSecurityConfigSchema, cimdNetworkConfigSchema, cimdConfigSchema, type ClientMetadataDocument, type ClientMetadataDocumentInput, type CimdCacheConfig, type CimdRedisCacheConfig, type CimdSecurityConfig, type CimdNetworkConfig, type CimdConfig, type CimdConfigInput, type CimdResolutionResult, } from './cimd.types';
+export { CimdError, InvalidClientIdUrlError, CimdFetchError, CimdValidationError, CimdClientIdMismatchError, CimdSecurityError, RedirectUriMismatchError, CimdResponseTooLargeError, CimdDisabledError, } from './cimd.errors';
+export { isCimdClientId, validateClientIdUrl, checkSsrfProtection, hasOnlyLocalhostRedirectUris, } from './cimd.validator';
+export { InMemoryCimdCache, CimdCache, // Backwards compatibility alias
+createCimdCache, extractCacheHeaders, parseCacheHeaders, type CimdCacheBackend, type CimdCacheEntry, type CimdCacheTtlConfig, type CacheableHeaders, } from './cimd.cache';
+export { RedisCimdCache } from './cimd-redis.cache';
+export { CimdService } from './cimd.service';
+//# sourceMappingURL=index.d.ts.map

package/cimd/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/cimd/index.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAKH,OAAO,EAAE,KAAK,UAAU,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAK5D,OAAO,EAEL,4BAA4B,EAC5B,qBAAqB,EACrB,0BAA0B,EAC1B,wBAAwB,EACxB,uBAAuB,EACvB,gBAAgB,EAEhB,KAAK,sBAAsB,EAC3B,KAAK,2BAA2B,EAChC,KAAK,eAAe,EACpB,KAAK,oBAAoB,EACzB,KAAK,kBAAkB,EACvB,KAAK,iBAAiB,EACtB,KAAK,UAAU,EACf,KAAK,eAAe,EACpB,KAAK,oBAAoB,GAC1B,MAAM,cAAc,CAAC;AAKtB,OAAO,EACL,SAAS,EACT,uBAAuB,EACvB,cAAc,EACd,mBAAmB,EACnB,yBAAyB,EACzB,iBAAiB,EACjB,wBAAwB,EACxB,yBAAyB,EACzB,iBAAiB,GAClB,MAAM,eAAe,CAAC;AAKvB,OAAO,EACL,cAAc,EACd,mBAAmB,EACnB,mBAAmB,EACnB,4BAA4B,GAC7B,MAAM,kBAAkB,CAAC;AAK1B,OAAO,EAEL,iBAAiB,EACjB,SAAS,EAAE,gCAAgC;AAE3C,eAAe,EAEf,mBAAmB,EACnB,iBAAiB,EAEjB,KAAK,gBAAgB,EACrB,KAAK,cAAc,EACnB,KAAK,kBAAkB,EACvB,KAAK,gBAAgB,GACtB,MAAM,cAAc,CAAC;AAGtB,OAAO,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AAKpD,OAAO,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC"}