@frontmcp/auth 0.0.1 → 0.8.1

package/utils/audience.validator.d.ts

@@ -0,0 +1,130 @@
+/**
+ * Audience Validator
+ *
+ * Validates JWT audience claims per RFC 7519 and MCP Authorization spec.
+ * The audience (aud) claim identifies the recipients that the JWT is intended for.
+ */
+/**
+ * Validation result
+ */
+export interface AudienceValidationResult {
+    /** Whether the audience is valid */
+    valid: boolean;
+    /** Error message if invalid */
+    error?: string;
+    /** Matched audience value (if valid) */
+    matchedAudience?: string;
+}
+/**
+ * Audience validator options
+ */
+export interface AudienceValidatorOptions {
+    /**
+     * Expected audience values
+     * Token must contain at least one of these audiences
+     */
+    expectedAudiences: string[];
+    /**
+     * Whether to allow tokens with no audience claim
+     * @default false
+     */
+    allowNoAudience?: boolean;
+    /**
+     * Case-sensitive comparison
+     * @default true
+     */
+    caseSensitive?: boolean;
+    /**
+     * Allow wildcard matching (e.g., *.example.com)
+     * @default false
+     */
+    allowWildcards?: boolean;
+}
+/**
+ * Validate JWT audience claim
+ *
+ * @param tokenAudience - The audience claim from the JWT (can be string or array)
+ * @param options - Validation options
+ * @returns Validation result
+ *
+ * @example
+ * ```typescript
+ * // Single expected audience
+ * validateAudience('https://api.example.com', {
+ *   expectedAudiences: ['https://api.example.com'],
+ * });
+ * // => { valid: true, matchedAudience: 'https://api.example.com' }
+ *
+ * // Multiple audiences in token
+ * validateAudience(['aud1', 'aud2', 'aud3'], {
+ *   expectedAudiences: ['aud2'],
+ * });
+ * // => { valid: true, matchedAudience: 'aud2' }
+ *
+ * // No match
+ * validateAudience('wrong-aud', {
+ *   expectedAudiences: ['expected-aud'],
+ * });
+ * // => { valid: false, error: 'Token audience does not match expected audiences' }
+ * ```
+ */
+export declare function validateAudience(tokenAudience: string | string[] | undefined, options: AudienceValidatorOptions): AudienceValidationResult;
+/**
+ * Create an audience validator function
+ *
+ * @param options - Validator options
+ * @returns A validation function that takes token audience and returns validation result
+ *
+ * @example
+ * ```typescript
+ * const validator = createAudienceValidator({
+ *   expectedAudiences: ['https://api.example.com', 'https://api.example.org'],
+ * });
+ *
+ * validator('https://api.example.com'); // => { valid: true, ... }
+ * validator('wrong-aud'); // => { valid: false, ... }
+ * ```
+ */
+export declare function createAudienceValidator(options: AudienceValidatorOptions): (audience: string | string[] | undefined) => AudienceValidationResult;
+/**
+ * Derive expected audience from the resource URL
+ *
+ * Per MCP Authorization spec, the audience should typically be the
+ * resource server URL (the MCP server URL).
+ *
+ * @param resourceUrl - The resource server URL
+ * @returns Array of expected audiences
+ *
+ * @example
+ * ```typescript
+ * deriveExpectedAudience('https://api.example.com/v1/mcp');
+ * // => ['https://api.example.com/v1/mcp', 'https://api.example.com', 'api.example.com']
+ * ```
+ */
+export declare function deriveExpectedAudience(resourceUrl: string): string[];
+/**
+ * AudienceValidator class for reusable validation with configuration
+ */
+export declare class AudienceValidator {
+    private options;
+    constructor(options?: Partial<AudienceValidatorOptions> & {
+        expectedAudiences?: string[];
+    });
+    /**
+     * Validate an audience claim
+     */
+    validate(audience: string | string[] | undefined): AudienceValidationResult;
+    /**
+     * Add expected audiences
+     */
+    addAudiences(...audiences: string[]): void;
+    /**
+     * Set expected audiences (replace existing)
+     */
+    setAudiences(audiences: string[]): void;
+    /**
+     * Create validator from resource URL
+     */
+    static fromResourceUrl(resourceUrl: string, options?: Omit<AudienceValidatorOptions, 'expectedAudiences'>): AudienceValidator;
+}
+//# sourceMappingURL=audience.validator.d.ts.map

package/utils/audience.validator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"audience.validator.d.ts","sourceRoot":"","sources":["../../src/utils/audience.validator.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH;;GAEG;AACH,MAAM,WAAW,wBAAwB;IACvC,oCAAoC;IACpC,KAAK,EAAE,OAAO,CAAC;IACf,+BAA+B;IAC/B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,wCAAwC;IACxC,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED;;GAEG;AACH,MAAM,WAAW,wBAAwB;IACvC;;;OAGG;IACH,iBAAiB,EAAE,MAAM,EAAE,CAAC;IAE5B;;;OAGG;IACH,eAAe,CAAC,EAAE,OAAO,CAAC;IAE1B;;;OAGG;IACH,aAAa,CAAC,EAAE,OAAO,CAAC;IAExB;;;OAGG;IACH,cAAc,CAAC,EAAE,OAAO,CAAC;CAC1B;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,wBAAgB,gBAAgB,CAC9B,aAAa,EAAE,MAAM,GAAG,MAAM,EAAE,GAAG,SAAS,EAC5C,OAAO,EAAE,wBAAwB,GAChC,wBAAwB,CAwC1B;AAqCD;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,uBAAuB,CACrC,OAAO,EAAE,wBAAwB,GAChC,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,EAAE,GAAG,SAAS,KAAK,wBAAwB,CAEvE;AAED;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,sBAAsB,CAAC,WAAW,EAAE,MAAM,GAAG,MAAM,EAAE,CAsBpE;AAED;;GAEG;AACH,qBAAa,iBAAiB;IAC5B,OAAO,CAAC,OAAO,CAA2B;gBAE9B,OAAO,GAAE,OAAO,CAAC,wBAAwB,CAAC,GAAG;QAAE,iBAAiB,CAAC,EAAE,MAAM,EAAE,CAAA;KAAO;IAS9F;;OAEG;IACH,QAAQ,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,EAAE,GAAG,SAAS,GAAG,wBAAwB;IAI3E;;OAEG;IACH,YAAY,CAAC,GAAG,SAAS,EAAE,MAAM,EAAE,GAAG,IAAI;IAI1C;;OAEG;IACH,YAAY,CAAC,SAAS,EAAE,MAAM,EAAE,GAAG,IAAI;IAIvC;;OAEG;IACH,MAAM,CAAC,eAAe,CACpB,WAAW,EAAE,MAAM,EACnB,OAAO,GAAE,IAAI,CAAC,wBAAwB,EAAE,mBAAmB,CAAM,GAChE,iBAAiB;CAMrB"}

package/utils/index.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Auth Utilities
+ */
+export { buildWwwAuthenticate, buildPrmUrl, buildUnauthorizedHeader, buildInvalidTokenHeader, buildInsufficientScopeHeader, buildInvalidRequestHeader, parseWwwAuthenticate, } from './www-authenticate.utils';
+export type { BearerErrorCode, WwwAuthenticateOptions } from './www-authenticate.utils';
+export { validateAudience, createAudienceValidator, deriveExpectedAudience, AudienceValidator, } from './audience.validator';
+export type { AudienceValidationResult, AudienceValidatorOptions } from './audience.validator';
+//# sourceMappingURL=index.d.ts.map

package/utils/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/utils/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EACL,oBAAoB,EACpB,WAAW,EACX,uBAAuB,EACvB,uBAAuB,EACvB,4BAA4B,EAC5B,yBAAyB,EACzB,oBAAoB,GACrB,MAAM,0BAA0B,CAAC;AAClC,YAAY,EAAE,eAAe,EAAE,sBAAsB,EAAE,MAAM,0BAA0B,CAAC;AAExF,OAAO,EACL,gBAAgB,EAChB,uBAAuB,EACvB,sBAAsB,EACtB,iBAAiB,GAClB,MAAM,sBAAsB,CAAC;AAC9B,YAAY,EAAE,wBAAwB,EAAE,wBAAwB,EAAE,MAAM,sBAAsB,CAAC"}

package/utils/www-authenticate.utils.d.ts

@@ -0,0 +1,98 @@
+/**
+ * WWW-Authenticate Header Builder
+ *
+ * Implements RFC 9728 (OAuth 2.0 Protected Resource Metadata) and
+ * RFC 6750 (Bearer Token Usage) compliant WWW-Authenticate headers.
+ */
+/**
+ * Error codes per RFC 6750 Section 3.1
+ */
+export type BearerErrorCode = 'invalid_request' | 'invalid_token' | 'insufficient_scope';
+/**
+ * Options for building WWW-Authenticate header
+ */
+export interface WwwAuthenticateOptions {
+    /**
+     * The resource_metadata URL pointing to the PRM document
+     * Per RFC 9728, this is the primary mechanism for resource discovery
+     */
+    resourceMetadataUrl?: string;
+    /**
+     * OAuth 2.0 realm (optional per RFC 6750)
+     */
+    realm?: string;
+    /**
+     * Required scopes for the resource (space-delimited)
+     */
+    scope?: string | string[];
+    /**
+     * Error code when authentication fails
+     */
+    error?: BearerErrorCode;
+    /**
+     * Human-readable error description
+     */
+    errorDescription?: string;
+    /**
+     * Error URI pointing to additional information
+     */
+    errorUri?: string;
+}
+/**
+ * Build a WWW-Authenticate header for Bearer authentication
+ *
+ * @param options - Header options
+ * @returns The formatted WWW-Authenticate header value
+ *
+ * @example
+ * ```typescript
+ * // Basic protected resource metadata header
+ * buildWwwAuthenticate({
+ *   resourceMetadataUrl: 'https://api.example.com/.well-known/oauth-protected-resource',
+ * });
+ * // => 'Bearer resource_metadata="https://api.example.com/.well-known/oauth-protected-resource"'
+ *
+ * // With error information
+ * buildWwwAuthenticate({
+ *   resourceMetadataUrl: 'https://api.example.com/.well-known/oauth-protected-resource',
+ *   error: 'insufficient_scope',
+ *   scope: ['read', 'write'],
+ *   errorDescription: 'Additional permissions required',
+ * });
+ * // => 'Bearer resource_metadata="...", error="insufficient_scope", scope="read write", error_description="..."'
+ * ```
+ */
+export declare function buildWwwAuthenticate(options?: WwwAuthenticateOptions): string;
+/**
+ * Build the Protected Resource Metadata URL for a given base URL and path
+ *
+ * @param baseUrl - The server base URL
+ * @param entryPath - The entry path prefix
+ * @param routeBase - The route base path
+ * @returns The full PRM URL
+ */
+export declare function buildPrmUrl(baseUrl: string, entryPath: string, routeBase: string): string;
+/**
+ * Build WWW-Authenticate header for unauthorized requests (no token)
+ */
+export declare function buildUnauthorizedHeader(prmUrl: string): string;
+/**
+ * Build WWW-Authenticate header for invalid token errors
+ */
+export declare function buildInvalidTokenHeader(prmUrl: string, description?: string): string;
+/**
+ * Build WWW-Authenticate header for insufficient scope errors
+ */
+export declare function buildInsufficientScopeHeader(prmUrl: string, requiredScopes: string[], description?: string): string;
+/**
+ * Build WWW-Authenticate header for invalid request errors
+ */
+export declare function buildInvalidRequestHeader(prmUrl: string, description?: string): string;
+/**
+ * Parse a WWW-Authenticate header value
+ *
+ * @param header - The WWW-Authenticate header value
+ * @returns Parsed header options
+ */
+export declare function parseWwwAuthenticate(header: string): WwwAuthenticateOptions;
+//# sourceMappingURL=www-authenticate.utils.d.ts.map

package/utils/www-authenticate.utils.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"www-authenticate.utils.d.ts","sourceRoot":"","sources":["../../src/utils/www-authenticate.utils.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH;;GAEG;AACH,MAAM,MAAM,eAAe,GAAG,iBAAiB,GAAG,eAAe,GAAG,oBAAoB,CAAC;AAEzF;;GAEG;AACH,MAAM,WAAW,sBAAsB;IACrC;;;OAGG;IACH,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAE7B;;OAEG;IACH,KAAK,CAAC,EAAE,MAAM,CAAC;IAEf;;OAEG;IACH,KAAK,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IAE1B;;OAEG;IACH,KAAK,CAAC,EAAE,eAAe,CAAC;IAExB;;OAEG;IACH,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAE1B;;OAEG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,wBAAgB,oBAAoB,CAAC,OAAO,GAAE,sBAA2B,GAAG,MAAM,CAwCjF;AAED;;;;;;;GAOG;AACH,wBAAgB,WAAW,CAAC,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,MAAM,CAIzF;AAED;;GAEG;AACH,wBAAgB,uBAAuB,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAI9D;AAED;;GAEG;AACH,wBAAgB,uBAAuB,CAAC,MAAM,EAAE,MAAM,EAAE,WAAW,CAAC,EAAE,MAAM,GAAG,MAAM,CAMpF;AAED;;GAEG;AACH,wBAAgB,4BAA4B,CAAC,MAAM,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,EAAE,EAAE,WAAW,CAAC,EAAE,MAAM,GAAG,MAAM,CAOnH;AAED;;GAEG;AACH,wBAAgB,yBAAyB,CAAC,MAAM,EAAE,MAAM,EAAE,WAAW,CAAC,EAAE,MAAM,GAAG,MAAM,CAMtF;AAED;;;;;GAKG;AACH,wBAAgB,oBAAoB,CAAC,MAAM,EAAE,MAAM,GAAG,sBAAsB,CAwC3E"}

package/vault/auth-providers.types.d.ts

@@ -0,0 +1,262 @@
+/**
+ * AuthProviders Vault - Core Type Definitions
+ *
+ * Types for credential management, provider configuration, and vault operations.
+ * These are portable types that can be used across different implementations.
+ */
+import { z } from 'zod';
+import type { Credential, AuthorizationVault } from '../session';
+/**
+ * Credential scope determines caching and storage behavior.
+ *
+ * - `global`: Shared across all sessions and users. Stored with global key.
+ * - `user`: Scoped to a specific user. Persists across sessions for same user.
+ * - `session`: Scoped to a specific session. Lost when session ends.
+ */
+export type CredentialScope = 'global' | 'user' | 'session';
+export declare const credentialScopeSchema: z.ZodEnum<{
+    user: "user";
+    global: "global";
+    session: "session";
+}>;
+/**
+ * Loading strategy determines when credentials are acquired.
+ *
+ * - `eager`: Load at session initialization (blocking)
+ * - `lazy`: Load on first access (non-blocking init)
+ */
+export type LoadingStrategy = 'eager' | 'lazy';
+export declare const loadingStrategySchema: z.ZodEnum<{
+    lazy: "lazy";
+    eager: "eager";
+}>;
+/**
+ * Options for credential retrieval
+ */
+export interface GetCredentialOptions {
+    /** Force refresh even if cached and valid */
+    forceRefresh?: boolean;
+    /** Required scopes (for OAuth providers) */
+    scopes?: string[];
+    /** Timeout for credential acquisition in ms */
+    timeout?: number;
+}
+export declare const getCredentialOptionsSchema: z.ZodObject<{
+    forceRefresh: z.ZodOptional<z.ZodBoolean>;
+    scopes: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    timeout: z.ZodOptional<z.ZodNumber>;
+}, z.core.$strict>;
+/**
+ * Resolved credential with metadata
+ */
+export interface ResolvedCredential<T extends Credential = Credential> {
+    /** The credential data */
+    credential: T;
+    /** Provider ID that provided this credential */
+    providerId: string;
+    /** When the credential was acquired (epoch ms) */
+    acquiredAt: number;
+    /** When the credential expires (epoch ms, if applicable) */
+    expiresAt?: number;
+    /** Whether the credential is currently valid */
+    isValid: boolean;
+    /** Scope the credential was resolved at */
+    scope: CredentialScope;
+}
+/**
+ * Context passed to credential factories
+ */
+export interface CredentialFactoryContext {
+    /** Current session ID */
+    sessionId: string;
+    /** User subject identifier (from JWT sub claim) */
+    userSub?: string;
+    /** User email */
+    userEmail?: string;
+    /** User name */
+    userName?: string;
+    /** App ID requesting the credential */
+    appId?: string;
+    /** Tool ID requesting the credential (if available) */
+    toolId?: string;
+    /** Existing credential (for refresh operations) */
+    existingCredential?: Credential;
+    /** Authorization vault for storage operations */
+    vault: AuthorizationVault;
+    /** Custom metadata passed during provider registration */
+    metadata?: Record<string, unknown>;
+}
+/**
+ * Credential factory function type.
+ * Called to acquire new credentials or refresh existing ones.
+ */
+export type CredentialFactory<T extends Credential = Credential> = (context: CredentialFactoryContext) => Promise<T | null>;
+/**
+ * Credential refresh function type.
+ * Called specifically for credential rotation/refresh.
+ */
+export type CredentialRefreshFn<T extends Credential = Credential> = (context: CredentialFactoryContext & {
+    existingCredential: T;
+}) => Promise<T | null>;
+/**
+ * Headers generator function type.
+ * Converts a credential to HTTP headers.
+ */
+export type CredentialHeadersFn<T extends Credential = Credential> = (credential: T) => Record<string, string>;
+/**
+ * Configuration for registering a credential provider
+ */
+export interface CredentialProviderConfig<T extends Credential = Credential> {
+    /** Unique provider name (e.g., 'github', 'openai', 'aws') */
+    name: string;
+    /** Human-readable description */
+    description?: string;
+    /** Credential scope - determines storage and caching behavior */
+    scope: CredentialScope;
+    /** Loading strategy - when to acquire credentials */
+    loading: LoadingStrategy;
+    /** TTL in milliseconds for cached credentials (0 = no TTL, use credential expiry) */
+    cacheTtl?: number;
+    /**
+     * Factory function to acquire credentials.
+     * Called on first access (lazy) or session init (eager).
+     */
+    factory: CredentialFactory<T>;
+    /**
+     * Optional refresh function for credential rotation.
+     * If not provided, factory is called on refresh.
+     */
+    refresh?: CredentialRefreshFn<T>;
+    /**
+     * Optional headers generator from credential.
+     * If not provided, uses default header generation logic.
+     */
+    toHeaders?: CredentialHeadersFn<T>;
+    /** Custom metadata to pass to factory */
+    metadata?: Record<string, unknown>;
+    /** Required for this provider to be available (default: false) */
+    required?: boolean;
+}
+export declare const credentialProviderConfigSchema: z.ZodObject<{
+    name: z.ZodString;
+    description: z.ZodOptional<z.ZodString>;
+    scope: z.ZodEnum<{
+        user: "user";
+        global: "global";
+        session: "session";
+    }>;
+    loading: z.ZodEnum<{
+        lazy: "lazy";
+        eager: "eager";
+    }>;
+    cacheTtl: z.ZodOptional<z.ZodNumber>;
+    factory: z.ZodAny;
+    refresh: z.ZodOptional<z.ZodAny>;
+    toHeaders: z.ZodOptional<z.ZodAny>;
+    metadata: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+    required: z.ZodOptional<z.ZodBoolean>;
+}, z.core.$strict>;
+/**
+ * Auth provider mapping for tool metadata.
+ * Used in @Tool({ authProviders: [...] }) decorator.
+ */
+export interface AuthProviderMapping {
+    /** Provider name */
+    name: string;
+    /** Whether credential is required (default: true) */
+    required?: boolean;
+    /** Required scopes for OAuth providers */
+    scopes?: string[];
+    /** Alias to use when injecting (for multiple providers) */
+    alias?: string;
+}
+export declare const authProviderMappingSchema: z.ZodUnion<readonly [z.ZodString, z.ZodObject<{
+    name: z.ZodString;
+    required: z.ZodDefault<z.ZodOptional<z.ZodBoolean>>;
+    scopes: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    alias: z.ZodOptional<z.ZodString>;
+}, z.core.$strict>]>;
+/**
+ * Internal cache entry structure
+ */
+export interface CredentialCacheEntry<T extends Credential = Credential> {
+    /** The resolved credential */
+    resolved: ResolvedCredential<T>;
+    /** Cache insertion timestamp */
+    cachedAt: number;
+    /** Cache TTL in ms (0 = no TTL) */
+    ttl: number;
+}
+/**
+ * Vault storage key components
+ */
+export interface VaultStorageKey {
+    /** Credential scope */
+    scope: CredentialScope;
+    /** Provider name */
+    providerId: string;
+    /** Session ID (for session scope) */
+    sessionId?: string;
+    /** User ID (for user scope) */
+    userId?: string;
+}
+/**
+ * Configuration options for AuthProviders vault
+ */
+export interface AuthProvidersVaultOptions {
+    /** Enable AuthProvidersVault (default: true if any providers registered) */
+    enabled?: boolean;
+    /** Use shared storage with AuthorizationVault (default: true) */
+    useSharedStorage?: boolean;
+    /** Custom namespace for credential storage (default: 'authproviders:') */
+    namespace?: string;
+    /** Default TTL for cached credentials in ms (default: 3600000 = 1 hour) */
+    defaultCacheTtl?: number;
+    /** Maximum credentials per session (default: 100) */
+    maxCredentialsPerSession?: number;
+    /** Credential providers to register */
+    providers?: CredentialProviderConfig[];
+}
+export declare const authProvidersVaultOptionsSchema: z.ZodObject<{
+    enabled: z.ZodOptional<z.ZodBoolean>;
+    useSharedStorage: z.ZodDefault<z.ZodOptional<z.ZodBoolean>>;
+    namespace: z.ZodDefault<z.ZodOptional<z.ZodString>>;
+    defaultCacheTtl: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
+    maxCredentialsPerSession: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
+    providers: z.ZodOptional<z.ZodArray<z.ZodObject<{
+        name: z.ZodString;
+        description: z.ZodOptional<z.ZodString>;
+        scope: z.ZodEnum<{
+            user: "user";
+            global: "global";
+            session: "session";
+        }>;
+        loading: z.ZodEnum<{
+            lazy: "lazy";
+            eager: "eager";
+        }>;
+        cacheTtl: z.ZodOptional<z.ZodNumber>;
+        factory: z.ZodAny;
+        refresh: z.ZodOptional<z.ZodAny>;
+        toHeaders: z.ZodOptional<z.ZodAny>;
+        metadata: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+        required: z.ZodOptional<z.ZodBoolean>;
+    }, z.core.$strict>>>;
+}, z.core.$strict>;
+/**
+ * Credential event types
+ */
+export type CredentialEventType = 'acquired' | 'refreshed' | 'invalidated' | 'expired' | 'error';
+/**
+ * Credential event payload
+ */
+export interface CredentialEvent {
+    type: CredentialEventType;
+    providerId: string;
+    scope: CredentialScope;
+    sessionId?: string;
+    userId?: string;
+    timestamp: number;
+    error?: Error;
+}
+//# sourceMappingURL=auth-providers.types.d.ts.map

package/vault/auth-providers.types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-providers.types.d.ts","sourceRoot":"","sources":["../../src/vault/auth-providers.types.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,KAAK,EAAE,UAAU,EAAE,kBAAkB,EAAE,MAAM,YAAY,CAAC;AAMjE;;;;;;GAMG;AACH,MAAM,MAAM,eAAe,GAAG,QAAQ,GAAG,MAAM,GAAG,SAAS,CAAC;AAE5D,eAAO,MAAM,qBAAqB;;;;EAAwC,CAAC;AAM3E;;;;;GAKG;AACH,MAAM,MAAM,eAAe,GAAG,OAAO,GAAG,MAAM,CAAC;AAE/C,eAAO,MAAM,qBAAqB;;;EAA4B,CAAC;AAM/D;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,6CAA6C;IAC7C,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,4CAA4C;IAC5C,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,+CAA+C;IAC/C,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,eAAO,MAAM,0BAA0B;;;;kBAM5B,CAAC;AAMZ;;GAEG;AACH,MAAM,WAAW,kBAAkB,CAAC,CAAC,SAAS,UAAU,GAAG,UAAU;IACnE,0BAA0B;IAC1B,UAAU,EAAE,CAAC,CAAC;IACd,gDAAgD;IAChD,UAAU,EAAE,MAAM,CAAC;IACnB,kDAAkD;IAClD,UAAU,EAAE,MAAM,CAAC;IACnB,4DAA4D;IAC5D,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,gDAAgD;IAChD,OAAO,EAAE,OAAO,CAAC;IACjB,2CAA2C;IAC3C,KAAK,EAAE,eAAe,CAAC;CACxB;AAMD;;GAEG;AACH,MAAM,WAAW,wBAAwB;IACvC,yBAAyB;IACzB,SAAS,EAAE,MAAM,CAAC;IAClB,mDAAmD;IACnD,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,iBAAiB;IACjB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,gBAAgB;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,uCAAuC;IACvC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,uDAAuD;IACvD,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,mDAAmD;IACnD,kBAAkB,CAAC,EAAE,UAAU,CAAC;IAChC,iDAAiD;IACjD,KAAK,EAAE,kBAAkB,CAAC;IAC1B,0DAA0D;IAC1D,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACpC;AAMD;;;GAGG;AACH,MAAM,MAAM,iBAAiB,CAAC,CAAC,SAAS,UAAU,GAAG,UAAU,IAAI,CACjE,OAAO,EAAE,wBAAwB,KAC9B,OAAO,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;AAEvB;;;GAGG;AACH,MAAM,MAAM,mBAAmB,CAAC,CAAC,SAAS,UAAU,GAAG,UAAU,IAAI,CACnE,OAAO,EAAE,wBAAwB,GAAG;IAAE,kBAAkB,EAAE,CAAC,CAAA;CAAE,KAC1D,OAAO,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;AAEvB;;;GAGG;AACH,MAAM,MAAM,mBAAmB,CAAC,CAAC,SAAS,UAAU,GAAG,UAAU,IAAI,CAAC,UAAU,EAAE,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;AAM/G;;GAEG;AACH,MAAM,WAAW,wBAAwB,CAAC,CAAC,SAAS,UAAU,GAAG,UAAU;IACzE,6DAA6D;IAC7D,IAAI,EAAE,MAAM,CAAC;IAEb,iCAAiC;IACjC,WAAW,CAAC,EAAE,MAAM,CAAC;IAErB,iEAAiE;IACjE,KAAK,EAAE,eAAe,CAAC;IAEvB,qDAAqD;IACrD,OAAO,EAAE,eAAe,CAAC;IAEzB,qFAAqF;IACrF,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB;;;OAGG;IACH,OAAO,EAAE,iBAAiB,CAAC,CAAC,CAAC,CAAC;IAE9B;;;OAGG;IACH,OAAO,CAAC,EAAE,mBAAmB,CAAC,CAAC,CAAC,CAAC;IAEjC;;;OAGG;IACH,SAAS,CAAC,EAAE,mBAAmB,CAAC,CAAC,CAAC,CAAC;IAEnC,yCAAyC;IACzC,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAEnC,kEAAkE;IAClE,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB;AAED,eAAO,MAAM,8BAA8B;;;;;;;;;;;;;;;;;;kBAchC,CAAC;AAMZ;;;GAGG;AACH,MAAM,WAAW,mBAAmB;IAClC,oBAAoB;IACpB,IAAI,EAAE,MAAM,CAAC;IACb,qDAAqD;IACrD,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,0CAA0C;IAC1C,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,2DAA2D;IAC3D,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,eAAO,MAAM,yBAAyB;;;;;oBAUpC,CAAC;AAMH;;GAEG;AACH,MAAM,WAAW,oBAAoB,CAAC,CAAC,SAAS,UAAU,GAAG,UAAU;IACrE,8BAA8B;IAC9B,QAAQ,EAAE,kBAAkB,CAAC,CAAC,CAAC,CAAC;IAChC,gCAAgC;IAChC,QAAQ,EAAE,MAAM,CAAC;IACjB,mCAAmC;IACnC,GAAG,EAAE,MAAM,CAAC;CACb;AAMD;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,uBAAuB;IACvB,KAAK,EAAE,eAAe,CAAC;IACvB,oBAAoB;IACpB,UAAU,EAAE,MAAM,CAAC;IACnB,qCAAqC;IACrC,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,+BAA+B;IAC/B,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAMD;;GAEG;AACH,MAAM,WAAW,yBAAyB;IACxC,4EAA4E;IAC5E,OAAO,CAAC,EAAE,OAAO,CAAC;IAElB,iEAAiE;IACjE,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAE3B,0EAA0E;IAC1E,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB,2EAA2E;IAC3E,eAAe,CAAC,EAAE,MAAM,CAAC;IAEzB,qDAAqD;IACrD,wBAAwB,CAAC,EAAE,MAAM,CAAC;IAElC,uCAAuC;IACvC,SAAS,CAAC,EAAE,wBAAwB,EAAE,CAAC;CACxC;AAED,eAAO,MAAM,+BAA+B;;;;;;;;;;;;;;;;;;;;;;;;;kBASjC,CAAC;AAMZ;;GAEG;AACH,MAAM,MAAM,mBAAmB,GAAG,UAAU,GAAG,WAAW,GAAG,aAAa,GAAG,SAAS,GAAG,OAAO,CAAC;AAEjG;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAE,mBAAmB,CAAC;IAC1B,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,EAAE,eAAe,CAAC;IACvB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,CAAC,EAAE,KAAK,CAAC;CACf"}

package/vault/credential-cache.d.ts

@@ -0,0 +1,98 @@
+/**
+ * CredentialCache - Session-scoped in-memory cache for credentials
+ *
+ * Provides fast access to recently used credentials with TTL-based expiration.
+ * Each cache instance is scoped to a session/request context.
+ */
+import type { Credential } from '../session';
+import type { ResolvedCredential, CredentialScope } from './auth-providers.types';
+/**
+ * Cache statistics for monitoring
+ */
+export interface CacheStats {
+    hits: number;
+    misses: number;
+    evictions: number;
+    size: number;
+}
+/**
+ * CredentialCache - In-memory credential cache with TTL support
+ */
+export declare class CredentialCache {
+    private readonly cache;
+    private readonly maxSize;
+    private stats;
+    constructor(maxSize?: number);
+    /**
+     * Get a cached credential
+     *
+     * @param providerId - Provider name
+     * @returns Resolved credential or undefined if not cached or expired
+     */
+    get<T extends Credential = Credential>(providerId: string): ResolvedCredential<T> | undefined;
+    /**
+     * Cache a resolved credential
+     *
+     * @param providerId - Provider name
+     * @param resolved - Resolved credential to cache
+     * @param ttl - TTL in milliseconds (0 = no TTL, rely on credential expiry)
+     */
+    set<T extends Credential = Credential>(providerId: string, resolved: ResolvedCredential<T>, ttl?: number): void;
+    /**
+     * Check if a credential is cached and valid
+     *
+     * @param providerId - Provider name
+     * @returns true if cached and not expired
+     */
+    has(providerId: string): boolean;
+    /**
+     * Invalidate (remove) a cached credential
+     *
+     * @param providerId - Provider name to invalidate
+     * @returns true if credential was removed
+     */
+    invalidate(providerId: string): boolean;
+    /**
+     * Invalidate all cached credentials
+     */
+    invalidateAll(): void;
+    /**
+     * Invalidate credentials by scope
+     *
+     * @param scope - Credential scope to invalidate
+     */
+    invalidateByScope(scope: CredentialScope): void;
+    /**
+     * Get all cached provider IDs
+     */
+    keys(): string[];
+    /**
+     * Get cache size
+     */
+    get size(): number;
+    /**
+     * Get cache statistics
+     */
+    getStats(): CacheStats;
+    /**
+     * Reset cache statistics
+     */
+    resetStats(): void;
+    /**
+     * Clean up expired entries
+     */
+    cleanup(): void;
+    /**
+     * Check if entry is expired based on TTL
+     */
+    private isExpired;
+    /**
+     * Check if entry is expired at a given timestamp
+     */
+    private isExpiredAt;
+    /**
+     * Evict the oldest entry from cache
+     */
+    private evictOldest;
+}
+//# sourceMappingURL=credential-cache.d.ts.map

package/vault/credential-cache.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"credential-cache.d.ts","sourceRoot":"","sources":["../../src/vault/credential-cache.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAC7C,OAAO,KAAK,EAAE,kBAAkB,EAAwB,eAAe,EAAE,MAAM,wBAAwB,CAAC;AAExG;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,MAAM,CAAC;CACd;AAED;;GAEG;AACH,qBAAa,eAAe;IAC1B,OAAO,CAAC,QAAQ,CAAC,KAAK,CAA2C;IACjE,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;IACjC,OAAO,CAAC,KAAK,CAA6D;gBAE9D,OAAO,SAAM;IAIzB;;;;;OAKG;IACH,GAAG,CAAC,CAAC,SAAS,UAAU,GAAG,UAAU,EAAE,UAAU,EAAE,MAAM,GAAG,kBAAkB,CAAC,CAAC,CAAC,GAAG,SAAS;IA8B7F;;;;;;OAMG;IACH,GAAG,CAAC,CAAC,SAAS,UAAU,GAAG,UAAU,EAAE,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,kBAAkB,CAAC,CAAC,CAAC,EAAE,GAAG,SAAI,GAAG,IAAI;IAgB1G;;;;;OAKG;IACH,GAAG,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO;IAchC;;;;;OAKG;IACH,UAAU,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO;IAQvC;;OAEG;IACH,aAAa,IAAI,IAAI;IAKrB;;;;OAIG;IACH,iBAAiB,CAAC,KAAK,EAAE,eAAe,GAAG,IAAI;IAS/C;;OAEG;IACH,IAAI,IAAI,MAAM,EAAE;IAMhB;;OAEG;IACH,IAAI,IAAI,IAAI,MAAM,CAEjB;IAED;;OAEG;IACH,QAAQ,IAAI,UAAU;IAItB;;OAEG;IACH,UAAU,IAAI,IAAI;IAIlB;;OAEG;IACH,OAAO,IAAI,IAAI;IAWf;;OAEG;IACH,OAAO,CAAC,SAAS;IAIjB;;OAEG;IACH,OAAO,CAAC,WAAW;IAmBnB;;OAEG;IACH,OAAO,CAAC,WAAW;CAiBpB"}

package/vault/credential-helpers.d.ts

@@ -0,0 +1,14 @@
+/**
+ * Credential Helpers
+ *
+ * Shared utilities for credential handling.
+ */
+import type { Credential } from '../session';
+/**
+ * Extract expiry time from a credential.
+ *
+ * @param credential - The credential to extract expiry from
+ * @returns Expiry timestamp in epoch ms, or undefined if no expiry
+ */
+export declare function extractCredentialExpiry(credential: Credential): number | undefined;
+//# sourceMappingURL=credential-helpers.d.ts.map

package/vault/credential-helpers.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"credential-helpers.d.ts","sourceRoot":"","sources":["../../src/vault/credential-helpers.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAE7C;;;;;GAKG;AACH,wBAAgB,uBAAuB,CAAC,UAAU,EAAE,UAAU,GAAG,MAAM,GAAG,SAAS,CAUlF"}

package/vault/index.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Vault Module
+ *
+ * Types and utilities for credential management and auth provider integration.
+ */
+export type { CredentialScope, LoadingStrategy, GetCredentialOptions, ResolvedCredential, CredentialFactoryContext, CredentialFactory, CredentialRefreshFn, CredentialHeadersFn, CredentialProviderConfig, AuthProviderMapping, CredentialCacheEntry, VaultStorageKey, AuthProvidersVaultOptions, CredentialEventType, CredentialEvent, } from './auth-providers.types';
+export { credentialScopeSchema, loadingStrategySchema, getCredentialOptionsSchema, credentialProviderConfigSchema, authProviderMappingSchema, authProvidersVaultOptionsSchema, } from './auth-providers.types';
+export { extractCredentialExpiry } from './credential-helpers';
+export { CredentialCache, type CacheStats } from './credential-cache';
+//# sourceMappingURL=index.d.ts.map

package/vault/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/vault/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,YAAY,EACV,eAAe,EACf,eAAe,EACf,oBAAoB,EACpB,kBAAkB,EAClB,wBAAwB,EACxB,iBAAiB,EACjB,mBAAmB,EACnB,mBAAmB,EACnB,wBAAwB,EACxB,mBAAmB,EACnB,oBAAoB,EACpB,eAAe,EACf,yBAAyB,EACzB,mBAAmB,EACnB,eAAe,GAChB,MAAM,wBAAwB,CAAC;AAGhC,OAAO,EACL,qBAAqB,EACrB,qBAAqB,EACrB,0BAA0B,EAC1B,8BAA8B,EAC9B,yBAAyB,EACzB,+BAA+B,GAChC,MAAM,wBAAwB,CAAC;AAGhC,OAAO,EAAE,uBAAuB,EAAE,MAAM,sBAAsB,CAAC;AAG/D,OAAO,EAAE,eAAe,EAAE,KAAK,UAAU,EAAE,MAAM,oBAAoB,CAAC"}