@frontmcp/auth 0.0.1 → 0.8.0

package/session/token.store.d.ts

@@ -0,0 +1,39 @@
+/**
+ * Token Store
+ *
+ * Interface for storing encrypted token blobs.
+ *
+ * For implementations, use StorageTokenStore with any storage adapter:
+ *
+ * @example
+ * ```typescript
+ * import { StorageTokenStore } from '@frontmcp/auth';
+ * import { MemoryStorageAdapter, createStorage } from '@frontmcp/utils';
+ *
+ * // In-memory (development/testing)
+ * const memoryAdapter = new MemoryStorageAdapter();
+ * await memoryAdapter.connect();
+ * const store = new StorageTokenStore(memoryAdapter);
+ *
+ * // With any backend (Redis, Vercel KV, Upstash)
+ * const storage = await createStorage({ type: 'auto' });
+ * const store = new StorageTokenStore(storage);
+ * ```
+ */
+import type { EncBlob } from './token.vault';
+export type SecretRecord = {
+    id: string;
+    blob: EncBlob;
+    updatedAt: number;
+};
+export interface TokenStore {
+    /** Create or overwrite a blob under a stable id. */
+    put(id: string, blob: EncBlob): Promise<void>;
+    /** Fetch encrypted blob by id. */
+    get(id: string): Promise<SecretRecord | undefined>;
+    /** Delete a reference. */
+    del(id: string): Promise<void>;
+    /** Allocate a new id (opaque). */
+    allocId(): string;
+}
+//# sourceMappingURL=token.store.d.ts.map

package/session/token.store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"token.store.d.ts","sourceRoot":"","sources":["../../src/session/token.store.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,eAAe,CAAC;AAE7C,MAAM,MAAM,YAAY,GAAG;IACzB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,OAAO,CAAC;IACd,SAAS,EAAE,MAAM,CAAC;CACnB,CAAC;AAEF,MAAM,WAAW,UAAU;IACzB,oDAAoD;IACpD,GAAG,CAAC,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC9C,kCAAkC;IAClC,GAAG,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,GAAG,SAAS,CAAC,CAAC;IACnD,0BAA0B;IAC1B,GAAG,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC/B,kCAAkC;IAClC,OAAO,IAAI,MAAM,CAAC;CACnB"}

package/session/token.vault.d.ts

@@ -0,0 +1,33 @@
+/**
+ * Token Vault
+ *
+ * Secure token encryption/decryption using AES-256-GCM.
+ * Supports key rotation for seamless key management.
+ */
+export type EncBlob = {
+    alg: 'A256GCM';
+    kid: string;
+    iv: string;
+    tag: string;
+    data: string;
+    exp?: number;
+    meta?: Record<string, unknown>;
+};
+export type VaultKey = {
+    kid: string;
+    key: Uint8Array;
+};
+export declare class TokenVault {
+    /** Active key used for new encryptions */
+    private active;
+    /** All known keys by kid for decryption (includes active) */
+    private keys;
+    constructor(keys: VaultKey[]);
+    rotateTo(k: VaultKey): void;
+    encrypt(plaintext: string, opts?: {
+        exp?: number;
+        meta?: Record<string, unknown>;
+    }): Promise<EncBlob>;
+    decrypt(blob: EncBlob): Promise<string>;
+}
+//# sourceMappingURL=token.vault.d.ts.map

package/session/token.vault.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"token.vault.d.ts","sourceRoot":"","sources":["../../src/session/token.vault.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,MAAM,MAAM,OAAO,GAAG;IACpB,GAAG,EAAE,SAAS,CAAC;IACf,GAAG,EAAE,MAAM,CAAC;IACZ,EAAE,EAAE,MAAM,CAAC;IACX,GAAG,EAAE,MAAM,CAAC;IACZ,IAAI,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAChC,CAAC;AAEF,MAAM,MAAM,QAAQ,GAAG;IAAE,GAAG,EAAE,MAAM,CAAC;IAAC,GAAG,EAAE,UAAU,CAAA;CAAE,CAAC;AAExD,qBAAa,UAAU;IACrB,0CAA0C;IAC1C,OAAO,CAAC,MAAM,CAAW;IACzB,6DAA6D;IAC7D,OAAO,CAAC,IAAI,CAAiC;gBAEjC,IAAI,EAAE,QAAQ,EAAE;IAwB5B,QAAQ,CAAC,CAAC,EAAE,QAAQ;IASd,OAAO,CAAC,SAAS,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE;QAAE,GAAG,CAAC,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;KAAE,GAAG,OAAO,CAAC,OAAO,CAAC;IAerG,OAAO,CAAC,IAAI,EAAE,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC;CAmB9C"}

package/session/utils/index.d.ts

@@ -0,0 +1,5 @@
+/**
+ * Session utilities
+ */
+export { TinyTtlCache } from './tiny-ttl-cache';
+//# sourceMappingURL=index.d.ts.map

package/session/utils/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/session/utils/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAC"}

package/session/utils/tiny-ttl-cache.d.ts

@@ -0,0 +1,20 @@
+/**
+ * Tiny TTL Cache
+ *
+ * A simple in-memory cache with time-to-live expiration.
+ */
+export declare class TinyTtlCache<K, V> {
+    private readonly ttlMs;
+    private map;
+    constructor(ttlMs: number);
+    get(k: K): V | undefined;
+    set(k: K, v: V): void;
+    delete(k: K): boolean;
+    clear(): void;
+    size(): number;
+    /**
+     * Remove all expired entries
+     */
+    cleanup(): number;
+}
+//# sourceMappingURL=tiny-ttl-cache.d.ts.map

package/session/utils/tiny-ttl-cache.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tiny-ttl-cache.d.ts","sourceRoot":"","sources":["../../../src/session/utils/tiny-ttl-cache.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,qBAAa,YAAY,CAAC,CAAC,EAAE,CAAC;IAGhB,OAAO,CAAC,QAAQ,CAAC,KAAK;IAFlC,OAAO,CAAC,GAAG,CAAuC;gBAErB,KAAK,EAAE,MAAM;IAE1C,GAAG,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,GAAG,SAAS;IAUxB,GAAG,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC;IAId,MAAM,CAAC,CAAC,EAAE,CAAC,GAAG,OAAO;IAIrB,KAAK,IAAI,IAAI;IAIb,IAAI,IAAI,MAAM;IAId;;OAEG;IACH,OAAO,IAAI,MAAM;CAWlB"}

package/session/vault-encryption.d.ts

@@ -0,0 +1,190 @@
+/**
+ * Vault Encryption
+ *
+ * Client-side key derivation for zero-knowledge credential storage.
+ *
+ * Security Model:
+ * - The JWT authorization token contains a unique `jti` (JWT ID) claim
+ * - A secret portion of the token (or a derived key) is used as the encryption key
+ * - The server stores encrypted blobs in Redis but CANNOT decrypt them
+ * - Only the client presenting the valid JWT can decrypt their vault
+ *
+ * Key Derivation:
+ * - Input: JWT token (after signature verification)
+ * - Extract: jti + a secret claim (e.g., `vaultKey` or derived from signature)
+ * - Derive: HKDF-SHA256 to produce AES-256 key
+ *
+ * Encryption:
+ * - Algorithm: AES-256-GCM (authenticated encryption)
+ * - IV: Random 12 bytes per encryption (stored with ciphertext)
+ * - Auth Tag: 16 bytes (ensures integrity)
+ */
+import { z } from 'zod';
+/**
+ * Encrypted data format stored in Redis
+ */
+export declare const encryptedDataSchema: z.ZodObject<{
+    v: z.ZodLiteral<1>;
+    alg: z.ZodLiteral<"aes-256-gcm">;
+    iv: z.ZodString;
+    ct: z.ZodString;
+    tag: z.ZodString;
+}, z.core.$strip>;
+export type EncryptedData = z.infer<typeof encryptedDataSchema>;
+/**
+ * JWT claims required for key derivation
+ */
+export interface VaultKeyDerivationClaims {
+    /** JWT ID - unique identifier for this token/vault */
+    jti: string;
+    /** Vault key material - secret claim added during token generation */
+    vaultKey?: string;
+    /** Subject - user identifier */
+    sub: string;
+    /** Issued at timestamp */
+    iat: number;
+}
+/**
+ * Vault encryption configuration
+ */
+export interface VaultEncryptionConfig {
+    /**
+     * Server-side pepper added to key derivation
+     * This adds defense-in-depth: even with a stolen JWT,
+     * attacker needs the pepper to derive the key
+     */
+    pepper?: string;
+    /**
+     * Key derivation info string for HKDF
+     * Allows domain separation between different uses
+     */
+    hkdfInfo?: string;
+}
+/**
+ * VaultEncryption handles encryption/decryption of vault credentials
+ * using keys derived from the client's JWT authorization token.
+ *
+ * @example
+ * ```typescript
+ * const encryption = new VaultEncryption({ pepper: process.env.VAULT_PEPPER });
+ *
+ * // After JWT verification, derive the encryption key
+ * const key = await encryption.deriveKey(jwtClaims);
+ *
+ * // Encrypt credentials before storing
+ * const encrypted = await encryption.encrypt(JSON.stringify(credentials), key);
+ *
+ * // Decrypt when reading
+ * const decrypted = await encryption.decrypt(encrypted, key);
+ * const credentials = JSON.parse(decrypted);
+ * ```
+ */
+export declare class VaultEncryption {
+    private readonly pepper;
+    private readonly hkdfInfo;
+    constructor(config?: VaultEncryptionConfig);
+    /**
+     * Derive an encryption key from JWT claims
+     *
+     * The key derivation uses HKDF:
+     * 1. Combine jti + vaultKey + sub + iat + pepper as IKM
+     * 2. Apply HKDF-SHA256 to derive a 256-bit key
+     *
+     * @param claims - JWT claims containing key material
+     * @returns 32-byte encryption key as Uint8Array
+     */
+    deriveKey(claims: VaultKeyDerivationClaims): Promise<Uint8Array>;
+    /**
+     * Derive a key directly from the raw JWT token string
+     *
+     * This is useful when you want to derive the key from the token
+     * before or without fully parsing the claims. Uses the token's
+     * signature portion as additional entropy.
+     *
+     * @param token - The raw JWT token string
+     * @param claims - Parsed JWT claims
+     * @returns 32-byte encryption key as Uint8Array
+     */
+    deriveKeyFromToken(token: string, claims: VaultKeyDerivationClaims): Promise<Uint8Array>;
+    /**
+     * Encrypt plaintext data using AES-256-GCM
+     *
+     * @param plaintext - Data to encrypt (typically JSON string)
+     * @param key - 32-byte encryption key from deriveKey()
+     * @returns Encrypted data object (safe to store in Redis)
+     */
+    encrypt(plaintext: string, key: Uint8Array): Promise<EncryptedData>;
+    /**
+     * Decrypt encrypted data using AES-256-GCM
+     *
+     * @param encrypted - Encrypted data object from encrypt()
+     * @param key - 32-byte encryption key from deriveKey()
+     * @returns Decrypted plaintext
+     * @throws Error if decryption fails (wrong key, tampered data, etc.)
+     */
+    decrypt(encrypted: EncryptedData, key: Uint8Array): Promise<string>;
+    /**
+     * Encrypt a JavaScript object (serializes to JSON first)
+     *
+     * @param data - Object to encrypt
+     * @param key - Encryption key
+     * @returns Encrypted data
+     */
+    encryptObject<T>(data: T, key: Uint8Array): Promise<EncryptedData>;
+    /**
+     * Decrypt and parse a JavaScript object
+     *
+     * @param encrypted - Encrypted data
+     * @param key - Encryption key
+     * @returns Decrypted and parsed object
+     */
+    decryptObject<T>(encrypted: EncryptedData, key: Uint8Array): Promise<T>;
+    /**
+     * Check if data is in encrypted format
+     *
+     * @param data - Data to check
+     * @returns True if data appears to be encrypted
+     */
+    isEncrypted(data: unknown): data is EncryptedData;
+}
+/**
+ * Vault entry with encrypted credentials
+ *
+ * The structure separates:
+ * - Metadata (unencrypted): id, userSub, timestamps, app lists
+ * - Sensitive data (encrypted): provider tokens, app credentials
+ */
+export declare const encryptedVaultEntrySchema: z.ZodObject<{
+    id: z.ZodString;
+    userSub: z.ZodString;
+    userEmail: z.ZodOptional<z.ZodString>;
+    userName: z.ZodOptional<z.ZodString>;
+    clientId: z.ZodString;
+    createdAt: z.ZodNumber;
+    lastAccessAt: z.ZodNumber;
+    encryptedData: z.ZodObject<{
+        v: z.ZodLiteral<1>;
+        alg: z.ZodLiteral<"aes-256-gcm">;
+        iv: z.ZodString;
+        ct: z.ZodString;
+        tag: z.ZodString;
+    }, z.core.$strip>;
+    authorizedAppIds: z.ZodArray<z.ZodString>;
+    skippedAppIds: z.ZodArray<z.ZodString>;
+    pendingAuthIds: z.ZodDefault<z.ZodArray<z.ZodString>>;
+}, z.core.$strip>;
+export type EncryptedVaultEntry = z.infer<typeof encryptedVaultEntrySchema>;
+/**
+ * Sensitive data that gets encrypted
+ */
+export interface VaultSensitiveData {
+    /** App credentials */
+    appCredentials: Record<string, unknown>;
+    /** Consent record */
+    consent?: unknown;
+    /** Federated login record */
+    federated?: unknown;
+    /** Pending auth details (URLs, scopes, etc.) */
+    pendingAuths: unknown[];
+}
+//# sourceMappingURL=vault-encryption.d.ts.map

package/session/vault-encryption.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"vault-encryption.d.ts","sourceRoot":"","sources":["../../src/session/vault-encryption.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAcxB;;GAEG;AACH,eAAO,MAAM,mBAAmB;;;;;;iBAW9B,CAAC;AAEH,MAAM,MAAM,aAAa,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAEhE;;GAEG;AACH,MAAM,WAAW,wBAAwB;IACvC,sDAAsD;IACtD,GAAG,EAAE,MAAM,CAAC;IACZ,sEAAsE;IACtE,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,gCAAgC;IAChC,GAAG,EAAE,MAAM,CAAC;IACZ,0BAA0B;IAC1B,GAAG,EAAE,MAAM,CAAC;CACb;AAED;;GAEG;AACH,MAAM,WAAW,qBAAqB;IACpC;;;;OAIG;IACH,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB;;;OAGG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAMD;;;;;;;;;;;;;;;;;;GAkBG;AACH,qBAAa,eAAe;IAC1B,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAa;IACpC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAS;gBAEtB,MAAM,GAAE,qBAA0B;IAM9C;;;;;;;;;OASG;IACG,SAAS,CAAC,MAAM,EAAE,wBAAwB,GAAG,OAAO,CAAC,UAAU,CAAC;IAkBtE;;;;;;;;;;OAUG;IACG,kBAAkB,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,wBAAwB,GAAG,OAAO,CAAC,UAAU,CAAC;IAsB9F;;;;;;OAMG;IACG,OAAO,CAAC,SAAS,EAAE,MAAM,EAAE,GAAG,EAAE,UAAU,GAAG,OAAO,CAAC,aAAa,CAAC;IAoBzE;;;;;;;OAOG;IACG,OAAO,CAAC,SAAS,EAAE,aAAa,EAAE,GAAG,EAAE,UAAU,GAAG,OAAO,CAAC,MAAM,CAAC;IA4BzE;;;;;;OAMG;IACG,aAAa,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,GAAG,EAAE,UAAU,GAAG,OAAO,CAAC,aAAa,CAAC;IAIxE;;;;;;OAMG;IACG,aAAa,CAAC,CAAC,EAAE,SAAS,EAAE,aAAa,EAAE,GAAG,EAAE,UAAU,GAAG,OAAO,CAAC,CAAC,CAAC;IAK7E;;;;;OAKG;IACH,WAAW,CAAC,IAAI,EAAE,OAAO,GAAG,IAAI,IAAI,aAAa;CAGlD;AAMD;;;;;;GAMG;AACH,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;;;iBAuBpC,CAAC;AAEH,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAC;AAE5E;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,sBAAsB;IACtB,cAAc,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACxC,qBAAqB;IACrB,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,6BAA6B;IAC7B,SAAS,CAAC,EAAE,OAAO,CAAC;IACpB,gDAAgD;IAChD,YAAY,EAAE,OAAO,EAAE,CAAC;CACzB"}

package/ui/base-layout.d.ts

@@ -0,0 +1,170 @@
+/**
+ * Base Layout for Server-Rendered Pages
+ *
+ * Provides a consistent HTML shell with all CDN resources pre-configured:
+ * - Tailwind CSS v4 (Browser CDN) - Utility-first CSS framework with @theme support
+ * - Google Fonts (Inter) - Modern UI typography
+ *
+ * No build step required - all resources loaded from CDN at runtime.
+ *
+ * @example
+ * ```typescript
+ * // Basic usage
+ * const html = baseLayout('<div>content</div>', { title: 'Page' });
+ *
+ * // With custom theme
+ * const html = baseLayout('<div>content</div>', {
+ *   title: 'Page',
+ *   theme: {
+ *     colors: {
+ *       primary: '#3b82f6',
+ *       'primary-dark': '#2563eb',
+ *     },
+ *   },
+ * });
+ * ```
+ */
+/**
+ * CDN URLs and versions - centralized for easy updates
+ */
+export declare const CDN: {
+    /** Tailwind CSS v4 Browser CDN - generates styles on-the-fly with @theme support */
+    readonly tailwind: "https://cdn.jsdelivr.net/npm/@tailwindcss/browser@4";
+    /** Google Fonts - Inter for modern UI */
+    readonly fonts: {
+        readonly preconnect: readonly ["https://fonts.googleapis.com", "https://fonts.gstatic.com"];
+        readonly stylesheet: "https://fonts.googleapis.com/css2?family=Inter:wght@400;500;600;700&display=swap";
+    };
+};
+/**
+ * Theme color configuration
+ * Keys become CSS custom properties: --color-{key}
+ */
+export interface ThemeColors {
+    /** Primary brand color */
+    primary?: string;
+    /** Darker primary for hover states */
+    'primary-dark'?: string;
+    /** Secondary brand color */
+    secondary?: string;
+    /** Accent color for highlights */
+    accent?: string;
+    /** Success state color */
+    success?: string;
+    /** Warning state color */
+    warning?: string;
+    /** Error/danger state color */
+    danger?: string;
+    /** Custom colors (any additional colors) */
+    [key: string]: string | undefined;
+}
+/**
+ * Theme font configuration
+ * Keys become CSS custom properties: --font-{key}
+ */
+export interface ThemeFonts {
+    /** Sans-serif font family */
+    sans?: string;
+    /** Serif font family */
+    serif?: string;
+    /** Monospace font family */
+    mono?: string;
+    /** Custom fonts */
+    [key: string]: string | undefined;
+}
+/**
+ * Complete theme configuration for FrontMCP UI
+ */
+export interface ThemeConfig {
+    /** Custom colors */
+    colors?: ThemeColors;
+    /** Custom fonts */
+    fonts?: ThemeFonts;
+    /** Additional custom CSS variables (raw @theme content) */
+    customVars?: string;
+    /** Additional custom CSS (outside @theme) */
+    customCss?: string;
+}
+/**
+ * Default theme with FrontMCP branding
+ */
+export declare const DEFAULT_THEME: ThemeConfig;
+/**
+ * Options for the base layout
+ */
+export interface BaseLayoutOptions {
+    /** Page title (will be suffixed with " - FrontMCP") */
+    title: string;
+    /** Optional description for meta tag */
+    description?: string;
+    /** Include Tailwind CSS (default: true) */
+    includeTailwind?: boolean;
+    /** Include Google Fonts (default: true) */
+    includeFonts?: boolean;
+    /** Additional head content (scripts, styles, meta tags) */
+    headExtra?: string;
+    /** Body classes (default: 'bg-gray-50 min-h-screen font-sans antialiased') */
+    bodyClass?: string;
+    /** Theme configuration - colors, fonts, and custom CSS */
+    theme?: ThemeConfig;
+}
+export { escapeHtml } from '@frontmcp/utils';
+/**
+ * Build the complete HTML document with CDN resources
+ *
+ * @param content - The page content (HTML string)
+ * @param options - Layout configuration options
+ * @returns Complete HTML document string
+ *
+ * @example
+ * ```typescript
+ * const html = baseLayout('<div>My content</div>', {
+ *   title: 'Sign In',
+ *   description: 'Sign in to your account',
+ *   theme: {
+ *     colors: {
+ *       primary: '#ff6b6b',
+ *     },
+ *   },
+ * });
+ * ```
+ */
+export declare function baseLayout(content: string, options: BaseLayoutOptions): string;
+/**
+ * Create a layout wrapper function with preset options
+ *
+ * @param defaultOptions - Default options to apply to all pages
+ * @returns A function that wraps content with the layout
+ *
+ * @example
+ * ```typescript
+ * const brandedLayout = createLayout({
+ *   theme: {
+ *     colors: {
+ *       primary: '#ff6b6b',
+ *       'primary-dark': '#ee5a5a',
+ *     },
+ *   },
+ * });
+ *
+ * const html = brandedLayout('<div>Content</div>', { title: 'Page' });
+ * ```
+ */
+export declare function createLayout(defaultOptions: Partial<BaseLayoutOptions>): (content: string, options: BaseLayoutOptions) => string;
+/**
+ * Default auth layout with standard styling
+ */
+export declare const authLayout: (content: string, options: BaseLayoutOptions) => string;
+/**
+ * Centered card layout for login/auth pages
+ */
+export declare function centeredCardLayout(content: string, options: BaseLayoutOptions): string;
+/**
+ * Wide layout for consent/selection pages
+ */
+export declare function wideLayout(content: string, options: BaseLayoutOptions): string;
+/**
+ * Extra wide layout for tool selection pages
+ */
+export declare function extraWideLayout(content: string, options: BaseLayoutOptions): string;
+//# sourceMappingURL=base-layout.d.ts.map

package/ui/base-layout.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"base-layout.d.ts","sourceRoot":"","sources":["../../src/ui/base-layout.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAQH;;GAEG;AACH,eAAO,MAAM,GAAG;IACd,oFAAoF;;IAGpF,yCAAyC;;;;;CAKjC,CAAC;AAMX;;;GAGG;AACH,MAAM,WAAW,WAAW;IAC1B,0BAA0B;IAC1B,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,sCAAsC;IACtC,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,4BAA4B;IAC5B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,kCAAkC;IAClC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,0BAA0B;IAC1B,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,0BAA0B;IAC1B,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,+BAA+B;IAC/B,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,4CAA4C;IAC5C,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAAC;CACnC;AAED;;;GAGG;AACH,MAAM,WAAW,UAAU;IACzB,6BAA6B;IAC7B,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,wBAAwB;IACxB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,4BAA4B;IAC5B,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,mBAAmB;IACnB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAAC;CACnC;AAED;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,oBAAoB;IACpB,MAAM,CAAC,EAAE,WAAW,CAAC;IACrB,mBAAmB;IACnB,KAAK,CAAC,EAAE,UAAU,CAAC;IACnB,2DAA2D;IAC3D,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,6CAA6C;IAC7C,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED;;GAEG;AACH,eAAO,MAAM,aAAa,EAAE,WAa3B,CAAC;AAMF;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,uDAAuD;IACvD,KAAK,EAAE,MAAM,CAAC;IAEd,wCAAwC;IACxC,WAAW,CAAC,EAAE,MAAM,CAAC;IAErB,2CAA2C;IAC3C,eAAe,CAAC,EAAE,OAAO,CAAC;IAE1B,2CAA2C;IAC3C,YAAY,CAAC,EAAE,OAAO,CAAC;IAEvB,2DAA2D;IAC3D,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB,8EAA8E;IAC9E,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB,0DAA0D;IAC1D,KAAK,CAAC,EAAE,WAAW,CAAC;CACrB;AAOD,OAAO,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAsC7C;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAgB,UAAU,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,iBAAiB,GAAG,MAAM,CAkE9E;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAgB,YAAY,CAC1B,cAAc,EAAE,OAAO,CAAC,iBAAiB,CAAC,GACzC,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,iBAAiB,KAAK,MAAM,CAmBzD;AAMD;;GAEG;AACH,eAAO,MAAM,UAAU,YA5BV,MAAM,WAAW,iBAAiB,KAAK,MA8BlD,CAAC;AAEH;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,iBAAiB,GAAG,MAAM,CAYtF;AAED;;GAEG;AACH,wBAAgB,UAAU,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,iBAAiB,GAAG,MAAM,CAS9E;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,iBAAiB,GAAG,MAAM,CASnF"}

package/ui/index.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Auth UI Module
+ *
+ * Server-side HTML templates for OAuth authorization flows.
+ */
+export { CDN, DEFAULT_THEME, baseLayout, createLayout, authLayout, centeredCardLayout, wideLayout, extraWideLayout, escapeHtml, } from './base-layout';
+export type { ThemeColors, ThemeFonts, ThemeConfig, BaseLayoutOptions } from './base-layout';
+export { buildConsentPage, buildIncrementalAuthPage, buildFederatedLoginPage, buildToolConsentPage, buildLoginPage, buildErrorPage, renderToHtml, } from './templates';
+export type { AppAuthCard, ProviderCard, ToolCard } from './templates';
+//# sourceMappingURL=index.d.ts.map

package/ui/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/ui/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,OAAO,EACL,GAAG,EACH,aAAa,EACb,UAAU,EACV,YAAY,EACZ,UAAU,EACV,kBAAkB,EAClB,UAAU,EACV,eAAe,EACf,UAAU,GACX,MAAM,eAAe,CAAC;AACvB,YAAY,EAAE,WAAW,EAAE,UAAU,EAAE,WAAW,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAC;AAG7F,OAAO,EACL,gBAAgB,EAChB,wBAAwB,EACxB,uBAAuB,EACvB,oBAAoB,EACpB,cAAc,EACd,cAAc,EACd,YAAY,GACb,MAAM,aAAa,CAAC;AACrB,YAAY,EAAE,WAAW,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC"}

package/ui/templates.d.ts

@@ -0,0 +1,134 @@
+/**
+ * Template Builders for OAuth UI
+ *
+ * Server-side HTML rendering with Tailwind CSS for OAuth authorization flows.
+ * No build step required - pure runtime rendering with Tailwind CSS CDN.
+ *
+ * Features:
+ * - OAuth consent page with multiple apps
+ * - Incremental authorization page for single app
+ * - Federated login page for multi-provider selection
+ * - All pages use Tailwind CSS from CDN (no build required)
+ * - Google Fonts (Inter) for modern typography
+ *
+ * Uses base-layout.ts for consistent HTML shell with CDN resources.
+ */
+import { escapeHtml as baseEscapeHtml } from './base-layout';
+/**
+ * App information for authorization cards
+ */
+export interface AppAuthCard {
+    /** App identifier */
+    appId: string;
+    /** Display name */
+    appName: string;
+    /** App description */
+    description?: string;
+    /** Icon URL (optional, will use initials fallback) */
+    iconUrl?: string;
+    /** Scopes required by this app */
+    requiredScopes?: string[];
+}
+/**
+ * Provider information for federated login
+ */
+export interface ProviderCard {
+    /** Provider identifier */
+    providerId: string;
+    /** Display name */
+    providerName: string;
+    /** Provider URL (for remote providers) */
+    providerUrl?: string;
+    /** Auth mode */
+    mode: string;
+    /** App IDs associated with this provider */
+    appIds: string[];
+    /** Whether this is the parent/primary provider */
+    isPrimary?: boolean;
+}
+/**
+ * Tool information for consent page
+ */
+export interface ToolCard {
+    /** Tool identifier */
+    toolId: string;
+    /** Display name */
+    toolName: string;
+    /** Tool description */
+    description?: string;
+    /** Parent app ID */
+    appId: string;
+    /** Parent app name */
+    appName: string;
+}
+/**
+ * Escape HTML special characters
+ * Re-exported from base-layout for convenience
+ */
+export declare const escapeHtml: typeof baseEscapeHtml;
+/**
+ * Build OAuth consent page with Tailwind
+ * Shows all apps at once with Authorize/Skip buttons
+ */
+export declare function buildConsentPage(params: {
+    apps: AppAuthCard[];
+    clientName: string;
+    pendingAuthId: string;
+    csrfToken: string;
+    callbackPath: string;
+}): string;
+/**
+ * Build incremental auth page (single app) with Tailwind
+ * Used when a tool requires authorization for a skipped app
+ */
+export declare function buildIncrementalAuthPage(params: {
+    app: AppAuthCard;
+    toolId: string;
+    sessionHint: string;
+    callbackPath: string;
+}): string;
+/**
+ * Build federated login page for multi-provider selection
+ */
+export declare function buildFederatedLoginPage(params: {
+    providers: ProviderCard[];
+    clientName: string;
+    pendingAuthId: string;
+    callbackPath: string;
+}): string;
+/**
+ * Build consent page for tool selection
+ */
+export declare function buildToolConsentPage(params: {
+    tools: ToolCard[];
+    clientName: string;
+    pendingAuthId: string;
+    csrfToken: string;
+    callbackPath: string;
+    userName?: string;
+    userEmail?: string;
+}): string;
+/**
+ * Build simple login page
+ */
+export declare function buildLoginPage(params: {
+    clientName: string;
+    scope: string;
+    pendingAuthId: string;
+    callbackPath: string;
+}): string;
+/**
+ * Build error page
+ */
+export declare function buildErrorPage(params: {
+    error: string;
+    description: string;
+}): string;
+/**
+ * Simple wrapper for compatibility - just returns the HTML string
+ * (Templates are already complete HTML documents)
+ */
+export declare function renderToHtml(html: string, _options?: {
+    title?: string;
+}): string;
+//# sourceMappingURL=templates.d.ts.map

package/ui/templates.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"templates.d.ts","sourceRoot":"","sources":["../../src/ui/templates.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,EAAmD,UAAU,IAAI,cAAc,EAAE,MAAM,eAAe,CAAC;AAM9G;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,qBAAqB;IACrB,KAAK,EAAE,MAAM,CAAC;IACd,mBAAmB;IACnB,OAAO,EAAE,MAAM,CAAC;IAChB,sBAAsB;IACtB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,sDAAsD;IACtD,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,kCAAkC;IAClC,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;CAC3B;AAED;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,0BAA0B;IAC1B,UAAU,EAAE,MAAM,CAAC;IACnB,mBAAmB;IACnB,YAAY,EAAE,MAAM,CAAC;IACrB,0CAA0C;IAC1C,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,gBAAgB;IAChB,IAAI,EAAE,MAAM,CAAC;IACb,4CAA4C;IAC5C,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,kDAAkD;IAClD,SAAS,CAAC,EAAE,OAAO,CAAC;CACrB;AAED;;GAEG;AACH,MAAM,WAAW,QAAQ;IACvB,sBAAsB;IACtB,MAAM,EAAE,MAAM,CAAC;IACf,mBAAmB;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,uBAAuB;IACvB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,oBAAoB;IACpB,KAAK,EAAE,MAAM,CAAC;IACd,sBAAsB;IACtB,OAAO,EAAE,MAAM,CAAC;CACjB;AAMD;;;GAGG;AACH,eAAO,MAAM,UAAU,uBAAiB,CAAC;AAMzC;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,MAAM,EAAE;IACvC,IAAI,EAAE,WAAW,EAAE,CAAC;IACpB,UAAU,EAAE,MAAM,CAAC;IACnB,aAAa,EAAE,MAAM,CAAC;IACtB,SAAS,EAAE,MAAM,CAAC;IAClB,YAAY,EAAE,MAAM,CAAC;CACtB,GAAG,MAAM,CAoBT;AA6DD;;;GAGG;AACH,wBAAgB,wBAAwB,CAAC,MAAM,EAAE;IAC/C,GAAG,EAAE,WAAW,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,MAAM,CAAC;CACtB,GAAG,MAAM,CAwDT;AAED;;GAEG;AACH,wBAAgB,uBAAuB,CAAC,MAAM,EAAE;IAC9C,SAAS,EAAE,YAAY,EAAE,CAAC;IAC1B,UAAU,EAAE,MAAM,CAAC;IACnB,aAAa,EAAE,MAAM,CAAC;IACtB,YAAY,EAAE,MAAM,CAAC;CACtB,GAAG,MAAM,CAkFT;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAAC,MAAM,EAAE;IAC3C,KAAK,EAAE,QAAQ,EAAE,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,aAAa,EAAE,MAAM,CAAC;IACtB,SAAS,EAAE,MAAM,CAAC;IAClB,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,GAAG,MAAM,CAgHT;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,MAAM,EAAE;IACrC,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,EAAE,MAAM,CAAC;IACd,aAAa,EAAE,MAAM,CAAC;IACtB,YAAY,EAAE,MAAM,CAAC;CACtB,GAAG,MAAM,CAkDT;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,MAAM,EAAE;IAAE,KAAK,EAAE,MAAM,CAAC;IAAC,WAAW,EAAE,MAAM,CAAA;CAAE,GAAG,MAAM,CAsBrF;AAMD;;;GAGG;AACH,wBAAgB,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE;IAAE,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,MAAM,CAEhF"}