npm - @frontmcp/auth - Versions diffs - 0.0.1 → 0.8.0 - Mend

@frontmcp/auth 0.0.1 → 0.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (81) hide show

package/README.md +11 -0
package/authorization/authorization.types.d.ts +236 -0
package/authorization/authorization.types.d.ts.map +1 -0
package/authorization/index.d.ts +9 -0
package/authorization/index.d.ts.map +1 -0
package/cimd/cimd-redis.cache.d.ts +111 -0
package/cimd/cimd-redis.cache.d.ts.map +1 -0
package/cimd/cimd.cache.d.ts +200 -0
package/cimd/cimd.cache.d.ts.map +1 -0
package/cimd/cimd.errors.d.ts +124 -0
package/cimd/cimd.errors.d.ts.map +1 -0
package/cimd/cimd.logger.d.ts +39 -0
package/cimd/cimd.logger.d.ts.map +1 -0
package/cimd/cimd.service.d.ts +88 -0
package/cimd/cimd.service.d.ts.map +1 -0
package/cimd/cimd.types.d.ts +178 -0
package/cimd/cimd.types.d.ts.map +1 -0
package/cimd/cimd.validator.d.ts +49 -0
package/cimd/cimd.validator.d.ts.map +1 -0
package/cimd/index.d.ts +17 -0
package/cimd/index.d.ts.map +1 -0
package/esm/index.mjs +4001 -0
package/esm/package.json +59 -0
package/index.d.ts +44 -0
package/index.d.ts.map +1 -0
package/index.js +4131 -0
package/jwks/dev-key-persistence.d.ts +70 -0
package/jwks/dev-key-persistence.d.ts.map +1 -0
package/jwks/index.d.ts +20 -0
package/jwks/index.d.ts.map +1 -0
package/jwks/jwks.service.d.ts +69 -0
package/jwks/jwks.service.d.ts.map +1 -0
package/jwks/jwks.types.d.ts +33 -0
package/jwks/jwks.types.d.ts.map +1 -0
package/jwks/jwks.utils.d.ts +5 -0
package/jwks/jwks.utils.d.ts.map +1 -0
package/package.json +2 -2
package/session/authorization-vault.d.ts +667 -0
package/session/authorization-vault.d.ts.map +1 -0
package/session/authorization.store.d.ts +311 -0
package/session/authorization.store.d.ts.map +1 -0
package/session/index.d.ts +19 -0
package/session/index.d.ts.map +1 -0
package/session/storage/in-memory-authorization-vault.d.ts +53 -0
package/session/storage/in-memory-authorization-vault.d.ts.map +1 -0
package/session/storage/index.d.ts +17 -0
package/session/storage/index.d.ts.map +1 -0
package/session/storage/storage-authorization-vault.d.ts +107 -0
package/session/storage/storage-authorization-vault.d.ts.map +1 -0
package/session/storage/storage-token-store.d.ts +92 -0
package/session/storage/storage-token-store.d.ts.map +1 -0
package/session/token.store.d.ts +39 -0
package/session/token.store.d.ts.map +1 -0
package/session/token.vault.d.ts +33 -0
package/session/token.vault.d.ts.map +1 -0
package/session/utils/index.d.ts +5 -0
package/session/utils/index.d.ts.map +1 -0
package/session/utils/tiny-ttl-cache.d.ts +20 -0
package/session/utils/tiny-ttl-cache.d.ts.map +1 -0
package/session/vault-encryption.d.ts +190 -0
package/session/vault-encryption.d.ts.map +1 -0
package/ui/base-layout.d.ts +170 -0
package/ui/base-layout.d.ts.map +1 -0
package/ui/index.d.ts +10 -0
package/ui/index.d.ts.map +1 -0
package/ui/templates.d.ts +134 -0
package/ui/templates.d.ts.map +1 -0
package/utils/audience.validator.d.ts +130 -0
package/utils/audience.validator.d.ts.map +1 -0
package/utils/index.d.ts +8 -0
package/utils/index.d.ts.map +1 -0
package/utils/www-authenticate.utils.d.ts +98 -0
package/utils/www-authenticate.utils.d.ts.map +1 -0
package/vault/auth-providers.types.d.ts +262 -0
package/vault/auth-providers.types.d.ts.map +1 -0
package/vault/credential-cache.d.ts +98 -0
package/vault/credential-cache.d.ts.map +1 -0
package/vault/credential-helpers.d.ts +14 -0
package/vault/credential-helpers.d.ts.map +1 -0
package/vault/index.d.ts +10 -0
package/vault/index.d.ts.map +1 -0

package/session/authorization-vault.d.ts ADDED Viewed

@@ -0,0 +1,667 @@
+/**
+ * Authorization Vault
+ *
+ * Secure storage for stateful authorization sessions.
+ * Stores provider tokens, consent selections, and session metadata.
+ *
+ * Supports multiple credential types:
+ * - OAuth tokens (access_token, refresh_token, scopes)
+ * - API Keys (key value, header name)
+ * - Basic Auth (username, password)
+ * - Private Keys (PEM/JWK format for signing)
+ * - Custom credentials (extensible)
+ *
+ * In stateful mode:
+ * - Access token is a non-rotatable key to this vault
+ * - All sensitive data stored server-side
+ * - Supports incremental authorization via links
+ *
+ * In stateless mode:
+ * - No vault used, all data in JWT claims
+ * - No incremental authorization support
+ */
+import { z } from 'zod';
+/**
+ * Supported credential types for app authentication
+ */
+export declare const credentialTypeSchema: z.ZodEnum<{
+    custom: "custom";
+    oauth: "oauth";
+    api_key: "api_key";
+    basic: "basic";
+    bearer: "bearer";
+    private_key: "private_key";
+    mtls: "mtls";
+    ssh_key: "ssh_key";
+    service_account: "service_account";
+    oauth_pkce: "oauth_pkce";
+}>;
+export type CredentialType = z.infer<typeof credentialTypeSchema>;
+/**
+ * OAuth credential - standard OAuth 2.0 tokens
+ */
+export declare const oauthCredentialSchema: z.ZodObject<{
+    type: z.ZodLiteral<"oauth">;
+    accessToken: z.ZodString;
+    refreshToken: z.ZodOptional<z.ZodString>;
+    tokenType: z.ZodDefault<z.ZodString>;
+    expiresAt: z.ZodOptional<z.ZodNumber>;
+    scopes: z.ZodDefault<z.ZodArray<z.ZodString>>;
+    idToken: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>;
+/**
+ * API Key credential - sent in header or query param
+ */
+export declare const apiKeyCredentialSchema: z.ZodObject<{
+    type: z.ZodLiteral<"api_key">;
+    key: z.ZodString;
+    headerName: z.ZodDefault<z.ZodString>;
+    headerPrefix: z.ZodOptional<z.ZodString>;
+    queryParam: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>;
+/**
+ * Basic Auth credential - username and password
+ */
+export declare const basicAuthCredentialSchema: z.ZodObject<{
+    type: z.ZodLiteral<"basic">;
+    username: z.ZodString;
+    password: z.ZodString;
+    encodedValue: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>;
+/**
+ * Bearer token credential - static bearer token
+ */
+export declare const bearerCredentialSchema: z.ZodObject<{
+    type: z.ZodLiteral<"bearer">;
+    token: z.ZodString;
+    expiresAt: z.ZodOptional<z.ZodNumber>;
+}, z.core.$strip>;
+/**
+ * Private key credential - for JWT signing or request signing
+ */
+export declare const privateKeyCredentialSchema: z.ZodObject<{
+    type: z.ZodLiteral<"private_key">;
+    format: z.ZodEnum<{
+        pem: "pem";
+        jwk: "jwk";
+        pkcs8: "pkcs8";
+        pkcs12: "pkcs12";
+    }>;
+    keyData: z.ZodString;
+    keyId: z.ZodOptional<z.ZodString>;
+    algorithm: z.ZodOptional<z.ZodString>;
+    passphrase: z.ZodOptional<z.ZodString>;
+    certificate: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>;
+/**
+ * mTLS credential - client certificate for mutual TLS
+ */
+export declare const mtlsCredentialSchema: z.ZodObject<{
+    type: z.ZodLiteral<"mtls">;
+    certificate: z.ZodString;
+    privateKey: z.ZodString;
+    passphrase: z.ZodOptional<z.ZodString>;
+    caCertificate: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>;
+/**
+ * Custom credential - extensible for app-specific auth
+ */
+export declare const customCredentialSchema: z.ZodObject<{
+    type: z.ZodLiteral<"custom">;
+    customType: z.ZodString;
+    data: z.ZodRecord<z.ZodString, z.ZodUnknown>;
+    headers: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
+}, z.core.$strip>;
+/**
+ * SSH Key credential - for SSH-based authentication
+ */
+export declare const sshKeyCredentialSchema: z.ZodObject<{
+    type: z.ZodLiteral<"ssh_key">;
+    privateKey: z.ZodString;
+    publicKey: z.ZodOptional<z.ZodString>;
+    passphrase: z.ZodOptional<z.ZodString>;
+    keyType: z.ZodDefault<z.ZodEnum<{
+        rsa: "rsa";
+        dsa: "dsa";
+        ed25519: "ed25519";
+        ecdsa: "ecdsa";
+    }>>;
+    fingerprint: z.ZodOptional<z.ZodString>;
+    username: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>;
+/**
+ * Service Account credential - for cloud provider service accounts (GCP, AWS, Azure)
+ */
+export declare const serviceAccountCredentialSchema: z.ZodObject<{
+    type: z.ZodLiteral<"service_account">;
+    provider: z.ZodEnum<{
+        custom: "custom";
+        gcp: "gcp";
+        aws: "aws";
+        azure: "azure";
+    }>;
+    credentials: z.ZodRecord<z.ZodString, z.ZodUnknown>;
+    projectId: z.ZodOptional<z.ZodString>;
+    region: z.ZodOptional<z.ZodString>;
+    assumeRoleArn: z.ZodOptional<z.ZodString>;
+    externalId: z.ZodOptional<z.ZodString>;
+    serviceAccountId: z.ZodOptional<z.ZodString>;
+    expiresAt: z.ZodOptional<z.ZodNumber>;
+}, z.core.$strip>;
+/**
+ * PKCE OAuth credential - OAuth 2.0 with PKCE for public clients
+ */
+export declare const pkceOAuthCredentialSchema: z.ZodObject<{
+    type: z.ZodLiteral<"oauth_pkce">;
+    accessToken: z.ZodString;
+    refreshToken: z.ZodOptional<z.ZodString>;
+    tokenType: z.ZodDefault<z.ZodString>;
+    expiresAt: z.ZodOptional<z.ZodNumber>;
+    scopes: z.ZodDefault<z.ZodArray<z.ZodString>>;
+    idToken: z.ZodOptional<z.ZodString>;
+    issuer: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>;
+/**
+ * Union of all credential types
+ */
+export declare const credentialSchema: z.ZodDiscriminatedUnion<[z.ZodObject<{
+    type: z.ZodLiteral<"oauth">;
+    accessToken: z.ZodString;
+    refreshToken: z.ZodOptional<z.ZodString>;
+    tokenType: z.ZodDefault<z.ZodString>;
+    expiresAt: z.ZodOptional<z.ZodNumber>;
+    scopes: z.ZodDefault<z.ZodArray<z.ZodString>>;
+    idToken: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>, z.ZodObject<{
+    type: z.ZodLiteral<"api_key">;
+    key: z.ZodString;
+    headerName: z.ZodDefault<z.ZodString>;
+    headerPrefix: z.ZodOptional<z.ZodString>;
+    queryParam: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>, z.ZodObject<{
+    type: z.ZodLiteral<"basic">;
+    username: z.ZodString;
+    password: z.ZodString;
+    encodedValue: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>, z.ZodObject<{
+    type: z.ZodLiteral<"bearer">;
+    token: z.ZodString;
+    expiresAt: z.ZodOptional<z.ZodNumber>;
+}, z.core.$strip>, z.ZodObject<{
+    type: z.ZodLiteral<"private_key">;
+    format: z.ZodEnum<{
+        pem: "pem";
+        jwk: "jwk";
+        pkcs8: "pkcs8";
+        pkcs12: "pkcs12";
+    }>;
+    keyData: z.ZodString;
+    keyId: z.ZodOptional<z.ZodString>;
+    algorithm: z.ZodOptional<z.ZodString>;
+    passphrase: z.ZodOptional<z.ZodString>;
+    certificate: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>, z.ZodObject<{
+    type: z.ZodLiteral<"mtls">;
+    certificate: z.ZodString;
+    privateKey: z.ZodString;
+    passphrase: z.ZodOptional<z.ZodString>;
+    caCertificate: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>, z.ZodObject<{
+    type: z.ZodLiteral<"custom">;
+    customType: z.ZodString;
+    data: z.ZodRecord<z.ZodString, z.ZodUnknown>;
+    headers: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
+}, z.core.$strip>, z.ZodObject<{
+    type: z.ZodLiteral<"ssh_key">;
+    privateKey: z.ZodString;
+    publicKey: z.ZodOptional<z.ZodString>;
+    passphrase: z.ZodOptional<z.ZodString>;
+    keyType: z.ZodDefault<z.ZodEnum<{
+        rsa: "rsa";
+        dsa: "dsa";
+        ed25519: "ed25519";
+        ecdsa: "ecdsa";
+    }>>;
+    fingerprint: z.ZodOptional<z.ZodString>;
+    username: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>, z.ZodObject<{
+    type: z.ZodLiteral<"service_account">;
+    provider: z.ZodEnum<{
+        custom: "custom";
+        gcp: "gcp";
+        aws: "aws";
+        azure: "azure";
+    }>;
+    credentials: z.ZodRecord<z.ZodString, z.ZodUnknown>;
+    projectId: z.ZodOptional<z.ZodString>;
+    region: z.ZodOptional<z.ZodString>;
+    assumeRoleArn: z.ZodOptional<z.ZodString>;
+    externalId: z.ZodOptional<z.ZodString>;
+    serviceAccountId: z.ZodOptional<z.ZodString>;
+    expiresAt: z.ZodOptional<z.ZodNumber>;
+}, z.core.$strip>, z.ZodObject<{
+    type: z.ZodLiteral<"oauth_pkce">;
+    accessToken: z.ZodString;
+    refreshToken: z.ZodOptional<z.ZodString>;
+    tokenType: z.ZodDefault<z.ZodString>;
+    expiresAt: z.ZodOptional<z.ZodNumber>;
+    scopes: z.ZodDefault<z.ZodArray<z.ZodString>>;
+    idToken: z.ZodOptional<z.ZodString>;
+    issuer: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>], "type">;
+export type OAuthCredential = z.infer<typeof oauthCredentialSchema>;
+export type ApiKeyCredential = z.infer<typeof apiKeyCredentialSchema>;
+export type BasicAuthCredential = z.infer<typeof basicAuthCredentialSchema>;
+export type BearerCredential = z.infer<typeof bearerCredentialSchema>;
+export type PrivateKeyCredential = z.infer<typeof privateKeyCredentialSchema>;
+export type MtlsCredential = z.infer<typeof mtlsCredentialSchema>;
+export type CustomCredential = z.infer<typeof customCredentialSchema>;
+export type SshKeyCredential = z.infer<typeof sshKeyCredentialSchema>;
+export type ServiceAccountCredential = z.infer<typeof serviceAccountCredentialSchema>;
+export type PkceOAuthCredential = z.infer<typeof pkceOAuthCredentialSchema>;
+export type Credential = z.infer<typeof credentialSchema>;
+/**
+ * Credential stored for an app in the vault
+ */
+export declare const appCredentialSchema: z.ZodObject<{
+    appId: z.ZodString;
+    providerId: z.ZodString;
+    credential: z.ZodDiscriminatedUnion<[z.ZodObject<{
+        type: z.ZodLiteral<"oauth">;
+        accessToken: z.ZodString;
+        refreshToken: z.ZodOptional<z.ZodString>;
+        tokenType: z.ZodDefault<z.ZodString>;
+        expiresAt: z.ZodOptional<z.ZodNumber>;
+        scopes: z.ZodDefault<z.ZodArray<z.ZodString>>;
+        idToken: z.ZodOptional<z.ZodString>;
+    }, z.core.$strip>, z.ZodObject<{
+        type: z.ZodLiteral<"api_key">;
+        key: z.ZodString;
+        headerName: z.ZodDefault<z.ZodString>;
+        headerPrefix: z.ZodOptional<z.ZodString>;
+        queryParam: z.ZodOptional<z.ZodString>;
+    }, z.core.$strip>, z.ZodObject<{
+        type: z.ZodLiteral<"basic">;
+        username: z.ZodString;
+        password: z.ZodString;
+        encodedValue: z.ZodOptional<z.ZodString>;
+    }, z.core.$strip>, z.ZodObject<{
+        type: z.ZodLiteral<"bearer">;
+        token: z.ZodString;
+        expiresAt: z.ZodOptional<z.ZodNumber>;
+    }, z.core.$strip>, z.ZodObject<{
+        type: z.ZodLiteral<"private_key">;
+        format: z.ZodEnum<{
+            pem: "pem";
+            jwk: "jwk";
+            pkcs8: "pkcs8";
+            pkcs12: "pkcs12";
+        }>;
+        keyData: z.ZodString;
+        keyId: z.ZodOptional<z.ZodString>;
+        algorithm: z.ZodOptional<z.ZodString>;
+        passphrase: z.ZodOptional<z.ZodString>;
+        certificate: z.ZodOptional<z.ZodString>;
+    }, z.core.$strip>, z.ZodObject<{
+        type: z.ZodLiteral<"mtls">;
+        certificate: z.ZodString;
+        privateKey: z.ZodString;
+        passphrase: z.ZodOptional<z.ZodString>;
+        caCertificate: z.ZodOptional<z.ZodString>;
+    }, z.core.$strip>, z.ZodObject<{
+        type: z.ZodLiteral<"custom">;
+        customType: z.ZodString;
+        data: z.ZodRecord<z.ZodString, z.ZodUnknown>;
+        headers: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
+    }, z.core.$strip>, z.ZodObject<{
+        type: z.ZodLiteral<"ssh_key">;
+        privateKey: z.ZodString;
+        publicKey: z.ZodOptional<z.ZodString>;
+        passphrase: z.ZodOptional<z.ZodString>;
+        keyType: z.ZodDefault<z.ZodEnum<{
+            rsa: "rsa";
+            dsa: "dsa";
+            ed25519: "ed25519";
+            ecdsa: "ecdsa";
+        }>>;
+        fingerprint: z.ZodOptional<z.ZodString>;
+        username: z.ZodOptional<z.ZodString>;
+    }, z.core.$strip>, z.ZodObject<{
+        type: z.ZodLiteral<"service_account">;
+        provider: z.ZodEnum<{
+            custom: "custom";
+            gcp: "gcp";
+            aws: "aws";
+            azure: "azure";
+        }>;
+        credentials: z.ZodRecord<z.ZodString, z.ZodUnknown>;
+        projectId: z.ZodOptional<z.ZodString>;
+        region: z.ZodOptional<z.ZodString>;
+        assumeRoleArn: z.ZodOptional<z.ZodString>;
+        externalId: z.ZodOptional<z.ZodString>;
+        serviceAccountId: z.ZodOptional<z.ZodString>;
+        expiresAt: z.ZodOptional<z.ZodNumber>;
+    }, z.core.$strip>, z.ZodObject<{
+        type: z.ZodLiteral<"oauth_pkce">;
+        accessToken: z.ZodString;
+        refreshToken: z.ZodOptional<z.ZodString>;
+        tokenType: z.ZodDefault<z.ZodString>;
+        expiresAt: z.ZodOptional<z.ZodNumber>;
+        scopes: z.ZodDefault<z.ZodArray<z.ZodString>>;
+        idToken: z.ZodOptional<z.ZodString>;
+        issuer: z.ZodOptional<z.ZodString>;
+    }, z.core.$strip>], "type">;
+    acquiredAt: z.ZodNumber;
+    lastUsedAt: z.ZodOptional<z.ZodNumber>;
+    expiresAt: z.ZodOptional<z.ZodNumber>;
+    isValid: z.ZodDefault<z.ZodBoolean>;
+    invalidReason: z.ZodOptional<z.ZodString>;
+    userInfo: z.ZodOptional<z.ZodObject<{
+        sub: z.ZodOptional<z.ZodString>;
+        email: z.ZodOptional<z.ZodString>;
+        name: z.ZodOptional<z.ZodString>;
+    }, z.core.$strip>>;
+    metadata: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+}, z.core.$strip>;
+export type AppCredential = z.infer<typeof appCredentialSchema>;
+/**
+ * Consent record stored in vault
+ */
+export declare const vaultConsentRecordSchema: z.ZodObject<{
+    enabled: z.ZodBoolean;
+    selectedToolIds: z.ZodArray<z.ZodString>;
+    availableToolIds: z.ZodArray<z.ZodString>;
+    consentedAt: z.ZodNumber;
+    version: z.ZodDefault<z.ZodString>;
+}, z.core.$strip>;
+/**
+ * Federated login record stored in vault
+ */
+export declare const vaultFederatedRecordSchema: z.ZodObject<{
+    selectedProviderIds: z.ZodArray<z.ZodString>;
+    skippedProviderIds: z.ZodArray<z.ZodString>;
+    primaryProviderId: z.ZodOptional<z.ZodString>;
+    completedAt: z.ZodNumber;
+}, z.core.$strip>;
+/**
+ * Pending incremental authorization request
+ */
+export declare const pendingIncrementalAuthSchema: z.ZodObject<{
+    id: z.ZodString;
+    appId: z.ZodString;
+    toolId: z.ZodOptional<z.ZodString>;
+    authUrl: z.ZodString;
+    requiredScopes: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    elicitId: z.ZodOptional<z.ZodString>;
+    createdAt: z.ZodNumber;
+    expiresAt: z.ZodNumber;
+    status: z.ZodEnum<{
+        pending: "pending";
+        completed: "completed";
+        cancelled: "cancelled";
+        expired: "expired";
+    }>;
+}, z.core.$strip>;
+/**
+ * Authorization vault entry (the full session state)
+ */
+export declare const authorizationVaultEntrySchema: z.ZodObject<{
+    id: z.ZodString;
+    userSub: z.ZodString;
+    userEmail: z.ZodOptional<z.ZodString>;
+    userName: z.ZodOptional<z.ZodString>;
+    clientId: z.ZodString;
+    createdAt: z.ZodNumber;
+    lastAccessAt: z.ZodNumber;
+    appCredentials: z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodObject<{
+        appId: z.ZodString;
+        providerId: z.ZodString;
+        credential: z.ZodDiscriminatedUnion<[z.ZodObject<{
+            type: z.ZodLiteral<"oauth">;
+            accessToken: z.ZodString;
+            refreshToken: z.ZodOptional<z.ZodString>;
+            tokenType: z.ZodDefault<z.ZodString>;
+            expiresAt: z.ZodOptional<z.ZodNumber>;
+            scopes: z.ZodDefault<z.ZodArray<z.ZodString>>;
+            idToken: z.ZodOptional<z.ZodString>;
+        }, z.core.$strip>, z.ZodObject<{
+            type: z.ZodLiteral<"api_key">;
+            key: z.ZodString;
+            headerName: z.ZodDefault<z.ZodString>;
+            headerPrefix: z.ZodOptional<z.ZodString>;
+            queryParam: z.ZodOptional<z.ZodString>;
+        }, z.core.$strip>, z.ZodObject<{
+            type: z.ZodLiteral<"basic">;
+            username: z.ZodString;
+            password: z.ZodString;
+            encodedValue: z.ZodOptional<z.ZodString>;
+        }, z.core.$strip>, z.ZodObject<{
+            type: z.ZodLiteral<"bearer">;
+            token: z.ZodString;
+            expiresAt: z.ZodOptional<z.ZodNumber>;
+        }, z.core.$strip>, z.ZodObject<{
+            type: z.ZodLiteral<"private_key">;
+            format: z.ZodEnum<{
+                pem: "pem";
+                jwk: "jwk";
+                pkcs8: "pkcs8";
+                pkcs12: "pkcs12";
+            }>;
+            keyData: z.ZodString;
+            keyId: z.ZodOptional<z.ZodString>;
+            algorithm: z.ZodOptional<z.ZodString>;
+            passphrase: z.ZodOptional<z.ZodString>;
+            certificate: z.ZodOptional<z.ZodString>;
+        }, z.core.$strip>, z.ZodObject<{
+            type: z.ZodLiteral<"mtls">;
+            certificate: z.ZodString;
+            privateKey: z.ZodString;
+            passphrase: z.ZodOptional<z.ZodString>;
+            caCertificate: z.ZodOptional<z.ZodString>;
+        }, z.core.$strip>, z.ZodObject<{
+            type: z.ZodLiteral<"custom">;
+            customType: z.ZodString;
+            data: z.ZodRecord<z.ZodString, z.ZodUnknown>;
+            headers: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
+        }, z.core.$strip>, z.ZodObject<{
+            type: z.ZodLiteral<"ssh_key">;
+            privateKey: z.ZodString;
+            publicKey: z.ZodOptional<z.ZodString>;
+            passphrase: z.ZodOptional<z.ZodString>;
+            keyType: z.ZodDefault<z.ZodEnum<{
+                rsa: "rsa";
+                dsa: "dsa";
+                ed25519: "ed25519";
+                ecdsa: "ecdsa";
+            }>>;
+            fingerprint: z.ZodOptional<z.ZodString>;
+            username: z.ZodOptional<z.ZodString>;
+        }, z.core.$strip>, z.ZodObject<{
+            type: z.ZodLiteral<"service_account">;
+            provider: z.ZodEnum<{
+                custom: "custom";
+                gcp: "gcp";
+                aws: "aws";
+                azure: "azure";
+            }>;
+            credentials: z.ZodRecord<z.ZodString, z.ZodUnknown>;
+            projectId: z.ZodOptional<z.ZodString>;
+            region: z.ZodOptional<z.ZodString>;
+            assumeRoleArn: z.ZodOptional<z.ZodString>;
+            externalId: z.ZodOptional<z.ZodString>;
+            serviceAccountId: z.ZodOptional<z.ZodString>;
+            expiresAt: z.ZodOptional<z.ZodNumber>;
+        }, z.core.$strip>, z.ZodObject<{
+            type: z.ZodLiteral<"oauth_pkce">;
+            accessToken: z.ZodString;
+            refreshToken: z.ZodOptional<z.ZodString>;
+            tokenType: z.ZodDefault<z.ZodString>;
+            expiresAt: z.ZodOptional<z.ZodNumber>;
+            scopes: z.ZodDefault<z.ZodArray<z.ZodString>>;
+            idToken: z.ZodOptional<z.ZodString>;
+            issuer: z.ZodOptional<z.ZodString>;
+        }, z.core.$strip>], "type">;
+        acquiredAt: z.ZodNumber;
+        lastUsedAt: z.ZodOptional<z.ZodNumber>;
+        expiresAt: z.ZodOptional<z.ZodNumber>;
+        isValid: z.ZodDefault<z.ZodBoolean>;
+        invalidReason: z.ZodOptional<z.ZodString>;
+        userInfo: z.ZodOptional<z.ZodObject<{
+            sub: z.ZodOptional<z.ZodString>;
+            email: z.ZodOptional<z.ZodString>;
+            name: z.ZodOptional<z.ZodString>;
+        }, z.core.$strip>>;
+        metadata: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+    }, z.core.$strip>>>;
+    consent: z.ZodOptional<z.ZodObject<{
+        enabled: z.ZodBoolean;
+        selectedToolIds: z.ZodArray<z.ZodString>;
+        availableToolIds: z.ZodArray<z.ZodString>;
+        consentedAt: z.ZodNumber;
+        version: z.ZodDefault<z.ZodString>;
+    }, z.core.$strip>>;
+    federated: z.ZodOptional<z.ZodObject<{
+        selectedProviderIds: z.ZodArray<z.ZodString>;
+        skippedProviderIds: z.ZodArray<z.ZodString>;
+        primaryProviderId: z.ZodOptional<z.ZodString>;
+        completedAt: z.ZodNumber;
+    }, z.core.$strip>>;
+    pendingAuths: z.ZodArray<z.ZodObject<{
+        id: z.ZodString;
+        appId: z.ZodString;
+        toolId: z.ZodOptional<z.ZodString>;
+        authUrl: z.ZodString;
+        requiredScopes: z.ZodOptional<z.ZodArray<z.ZodString>>;
+        elicitId: z.ZodOptional<z.ZodString>;
+        createdAt: z.ZodNumber;
+        expiresAt: z.ZodNumber;
+        status: z.ZodEnum<{
+            pending: "pending";
+            completed: "completed";
+            cancelled: "cancelled";
+            expired: "expired";
+        }>;
+    }, z.core.$strip>>;
+    authorizedAppIds: z.ZodArray<z.ZodString>;
+    skippedAppIds: z.ZodArray<z.ZodString>;
+}, z.core.$strip>;
+export type VaultConsentRecord = z.infer<typeof vaultConsentRecordSchema>;
+export type VaultFederatedRecord = z.infer<typeof vaultFederatedRecordSchema>;
+export type PendingIncrementalAuth = z.infer<typeof pendingIncrementalAuthSchema>;
+export type AuthorizationVaultEntry = z.infer<typeof authorizationVaultEntrySchema>;
+export interface AuthorizationVault {
+    /**
+     * Create a new vault entry
+     */
+    create(params: {
+        userSub: string;
+        userEmail?: string;
+        userName?: string;
+        clientId: string;
+        consent?: VaultConsentRecord;
+        federated?: VaultFederatedRecord;
+        authorizedAppIds?: string[];
+        skippedAppIds?: string[];
+    }): Promise<AuthorizationVaultEntry>;
+    /**
+     * Get vault entry by ID
+     */
+    get(id: string): Promise<AuthorizationVaultEntry | null>;
+    /**
+     * Update vault entry
+     */
+    update(id: string, updates: Partial<AuthorizationVaultEntry>): Promise<void>;
+    /**
+     * Delete vault entry
+     */
+    delete(id: string): Promise<void>;
+    /**
+     * Update consent in the vault
+     */
+    updateConsent(vaultId: string, consent: VaultConsentRecord): Promise<void>;
+    /**
+     * Add app to authorized list (for incremental auth)
+     */
+    authorizeApp(vaultId: string, appId: string): Promise<void>;
+    /**
+     * Create a pending incremental auth request
+     */
+    createPendingAuth(vaultId: string, params: {
+        appId: string;
+        toolId?: string;
+        authUrl: string;
+        requiredScopes?: string[];
+        elicitId?: string;
+        ttlMs?: number;
+    }): Promise<PendingIncrementalAuth>;
+    /**
+     * Get pending auth by ID
+     */
+    getPendingAuth(vaultId: string, pendingAuthId: string): Promise<PendingIncrementalAuth | null>;
+    /**
+     * Complete a pending incremental auth
+     */
+    completePendingAuth(vaultId: string, pendingAuthId: string): Promise<void>;
+    /**
+     * Cancel a pending incremental auth
+     */
+    cancelPendingAuth(vaultId: string, pendingAuthId: string): Promise<void>;
+    /**
+     * Check if app is authorized
+     */
+    isAppAuthorized(vaultId: string, appId: string): Promise<boolean>;
+    /**
+     * Get all pending auths for a vault
+     */
+    getPendingAuths(vaultId: string): Promise<PendingIncrementalAuth[]>;
+    /**
+     * Add an app credential to the vault
+     * Only stores if app is authorized AND (consent disabled OR app tools in consent)
+     */
+    addAppCredential(vaultId: string, credential: AppCredential): Promise<void>;
+    /**
+     * Remove an app credential from the vault
+     */
+    removeAppCredential(vaultId: string, appId: string, providerId: string): Promise<void>;
+    /**
+     * Get all credentials for a specific app
+     */
+    getAppCredentials(vaultId: string, appId: string): Promise<AppCredential[]>;
+    /**
+     * Get a specific credential for an app and provider
+     */
+    getCredential(vaultId: string, appId: string, providerId: string): Promise<AppCredential | null>;
+    /**
+     * Get all credentials in the vault (filtered by consent if enabled)
+     * @param filterByConsent If true, only returns credentials for apps with consented tools
+     */
+    getAllCredentials(vaultId: string, filterByConsent?: boolean): Promise<AppCredential[]>;
+    /**
+     * Update credential metadata (last used, validity, etc.)
+     */
+    updateCredential(vaultId: string, appId: string, providerId: string, updates: Partial<Pick<AppCredential, 'lastUsedAt' | 'isValid' | 'invalidReason' | 'expiresAt' | 'metadata'>>): Promise<void>;
+    /**
+     * Check if a credential should be stored based on consent
+     * Returns true if:
+     * - Consent is disabled, OR
+     * - The app has at least one tool in the consent selection
+     */
+    shouldStoreCredential(vaultId: string, appId: string, toolIds?: string[]): Promise<boolean>;
+    /**
+     * Invalidate a credential (mark as invalid without removing)
+     */
+    invalidateCredential(vaultId: string, appId: string, providerId: string, reason: string): Promise<void>;
+    /**
+     * Refresh an OAuth credential (update tokens)
+     */
+    refreshOAuthCredential(vaultId: string, appId: string, providerId: string, tokens: {
+        accessToken: string;
+        refreshToken?: string;
+        expiresAt?: number;
+    }): Promise<void>;
+    /**
+     * Cleanup expired entries and pending auths
+     */
+    cleanup(): Promise<void>;
+}
+//# sourceMappingURL=authorization-vault.d.ts.map

package/session/authorization-vault.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"authorization-vault.d.ts","sourceRoot":"","sources":["../../src/session/authorization-vault.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAOxB;;GAEG;AACH,eAAO,MAAM,oBAAoB;;;;;;;;;;;EAW/B,CAAC;AAEH,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAMlE;;GAEG;AACH,eAAO,MAAM,qBAAqB;;;;;;;;iBAchC,CAAC;AAEH;;GAEG;AACH,eAAO,MAAM,sBAAsB;;;;;;iBAUjC,CAAC;AAEH;;GAEG;AACH,eAAO,MAAM,yBAAyB;;;;;iBAQpC,CAAC;AAEH;;GAEG;AACH,eAAO,MAAM,sBAAsB;;;;iBAMjC,CAAC;AAEH;;GAEG;AACH,eAAO,MAAM,0BAA0B;;;;;;;;;;;;;iBAcrC,CAAC;AAEH;;GAEG;AACH,eAAO,MAAM,oBAAoB;;;;;;iBAU/B,CAAC;AAEH;;GAEG;AACH,eAAO,MAAM,sBAAsB;;;;;iBAQjC,CAAC;AAEH;;GAEG;AACH,eAAO,MAAM,sBAAsB;;;;;;;;;;;;;iBAcjC,CAAC;AAEH;;GAEG;AACH,eAAO,MAAM,8BAA8B;;;;;;;;;;;;;;;iBAkBzC,CAAC;AAEH;;GAEG;AACH,eAAO,MAAM,yBAAyB;;;;;;;;;iBAgBpC,CAAC;AAEH;;GAEG;AACH,eAAO,MAAM,gBAAgB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;2BAW3B,CAAC;AAEH,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AACpE,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AACtE,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAC;AAC5E,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AACtE,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAC9E,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAClE,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AACtE,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AACtE,MAAM,MAAM,wBAAwB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,8BAA8B,CAAC,CAAC;AACtF,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAC;AAC5E,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAM1D;;GAEG;AACH,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBA2B9B,CAAC;AAEH,MAAM,MAAM,aAAa,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAEhE;;GAEG;AACH,eAAO,MAAM,wBAAwB;;;;;;iBAWnC,CAAC;AAEH;;GAEG;AACH,eAAO,MAAM,0BAA0B;;;;;iBASrC,CAAC;AAEH;;GAEG;AACH,eAAO,MAAM,4BAA4B;;;;;;;;;;;;;;;iBAmBvC,CAAC;AAEH;;GAEG;AACH,eAAO,MAAM,6BAA6B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBA2BxC,CAAC;AAMH,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,wBAAwB,CAAC,CAAC;AAC1E,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAC9E,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,4BAA4B,CAAC,CAAC;AAClF,MAAM,MAAM,uBAAuB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,6BAA6B,CAAC,CAAC;AAMpF,MAAM,WAAW,kBAAkB;IACjC;;OAEG;IACH,MAAM,CAAC,MAAM,EAAE;QACb,OAAO,EAAE,MAAM,CAAC;QAChB,SAAS,CAAC,EAAE,MAAM,CAAC;QACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,QAAQ,EAAE,MAAM,CAAC;QACjB,OAAO,CAAC,EAAE,kBAAkB,CAAC;QAC7B,SAAS,CAAC,EAAE,oBAAoB,CAAC;QACjC,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;QAC5B,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;KAC1B,GAAG,OAAO,CAAC,uBAAuB,CAAC,CAAC;IAErC;;OAEG;IACH,GAAG,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,uBAAuB,GAAG,IAAI,CAAC,CAAC;IAEzD;;OAEG;IACH,MAAM,CAAC,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,CAAC,uBAAuB,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAE7E;;OAEG;IACH,MAAM,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAElC;;OAEG;IACH,aAAa,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,kBAAkB,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAE3E;;OAEG;IACH,YAAY,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAE5D;;OAEG;IACH,iBAAiB,CACf,OAAO,EAAE,MAAM,EACf,MAAM,EAAE;QACN,KAAK,EAAE,MAAM,CAAC;QACd,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,OAAO,EAAE,MAAM,CAAC;QAChB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;QAC1B,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,KAAK,CAAC,EAAE,MAAM,CAAC;KAChB,GACA,OAAO,CAAC,sBAAsB,CAAC,CAAC;IAEnC;;OAEG;IACH,cAAc,CAAC,OAAO,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,GAAG,OAAO,CAAC,sBAAsB,GAAG,IAAI,CAAC,CAAC;IAE/F;;OAEG;IACH,mBAAmB,CAAC,OAAO,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAE3E;;OAEG;IACH,iBAAiB,CAAC,OAAO,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAEzE;;OAEG;IACH,eAAe,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAElE;;OAEG;IACH,eAAe,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,sBAAsB,EAAE,CAAC,CAAC;IAMpE;;;OAGG;IACH,gBAAgB,CAAC,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,aAAa,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAE5E;;OAEG;IACH,mBAAmB,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAEvF;;OAEG;IACH,iBAAiB,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,EAAE,CAAC,CAAC;IAE5E;;OAEG;IACH,aAAa,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC,CAAC;IAEjG;;;OAGG;IACH,iBAAiB,CAAC,OAAO,EAAE,MAAM,EAAE,eAAe,CAAC,EAAE,OAAO,GAAG,OAAO,CAAC,aAAa,EAAE,CAAC,CAAC;IAExF;;OAEG;IACH,gBAAgB,CACd,OAAO,EAAE,MAAM,EACf,KAAK,EAAE,MAAM,EACb,UAAU,EAAE,MAAM,EAClB,OAAO,EAAE,OAAO,CAAC,IAAI,CAAC,aAAa,EAAE,YAAY,GAAG,SAAS,GAAG,eAAe,GAAG,WAAW,GAAG,UAAU,CAAC,CAAC,GAC3G,OAAO,CAAC,IAAI,CAAC,CAAC;IAEjB;;;;;OAKG;IACH,qBAAqB,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAE5F;;OAEG;IACH,oBAAoB,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAExG;;OAEG;IACH,sBAAsB,CACpB,OAAO,EAAE,MAAM,EACf,KAAK,EAAE,MAAM,EACb,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE;QAAE,WAAW,EAAE,MAAM,CAAC;QAAC,YAAY,CAAC,EAAE,MAAM,CAAC;QAAC,SAAS,CAAC,EAAE,MAAM,CAAA;KAAE,GACzE,OAAO,CAAC,IAAI,CAAC,CAAC;IAEjB;;OAEG;IACH,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;CAC1B"}