@frontmcp/auth 0.0.1 → 0.8.1

package/esm/index.mjs

@@ -0,0 +1,4001 @@
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __require = /* @__PURE__ */ ((x) => typeof require !== "undefined" ? require : typeof Proxy !== "undefined" ? new Proxy(x, {
+  get: (a, b) => (typeof require !== "undefined" ? require : a)[b]
+}) : x)(function(x) {
+  if (typeof require !== "undefined") return require.apply(this, arguments);
+  throw Error('Dynamic require of "' + x + '" is not supported');
+});
+var __esm = (fn, res) => function __init() {
+  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+};
+
+// libs/auth/src/cimd/cimd.cache.ts
+function extractCacheHeaders(headers) {
+  return {
+    "cache-control": headers.get("cache-control") ?? void 0,
+    expires: headers.get("expires") ?? void 0,
+    etag: headers.get("etag") ?? void 0,
+    "last-modified": headers.get("last-modified") ?? void 0,
+    age: headers.get("age") ?? void 0
+  };
+}
+function parseCacheHeaders(headers, config) {
+  let ttlMs = config.defaultTtlMs;
+  if (headers["cache-control"]) {
+    const cacheControl = parseCacheControlHeader(headers["cache-control"]);
+    if (cacheControl["no-store"] || cacheControl["no-cache"]) {
+      ttlMs = config.minTtlMs;
+    } else if (typeof cacheControl["max-age"] === "number") {
+      let maxAgeSecs = cacheControl["max-age"];
+      if (headers.age) {
+        const ageSeconds = parseInt(headers.age, 10);
+        if (!isNaN(ageSeconds)) {
+          maxAgeSecs = Math.max(0, maxAgeSecs - ageSeconds);
+        }
+      }
+      ttlMs = maxAgeSecs * 1e3;
+    }
+    if (typeof cacheControl["s-maxage"] === "number") {
+      let sMaxAgeSecs = cacheControl["s-maxage"];
+      if (headers.age) {
+        const ageSeconds = parseInt(headers.age, 10);
+        if (!isNaN(ageSeconds)) {
+          sMaxAgeSecs = Math.max(0, sMaxAgeSecs - ageSeconds);
+        }
+      }
+      ttlMs = sMaxAgeSecs * 1e3;
+    }
+  } else if (headers.expires) {
+    const expiresDate = new Date(headers.expires);
+    if (!isNaN(expiresDate.getTime())) {
+      ttlMs = Math.max(0, expiresDate.getTime() - Date.now());
+    }
+  }
+  ttlMs = Math.max(config.minTtlMs, Math.min(config.maxTtlMs, ttlMs));
+  return {
+    ttlMs,
+    etag: headers.etag,
+    lastModified: headers["last-modified"]
+  };
+}
+function parseCacheControlHeader(value) {
+  const result = {};
+  const directives = value.toLowerCase().split(",").map((d) => d.trim());
+  for (const directive of directives) {
+    const [key, val] = directive.split("=").map((s) => s.trim());
+    if (val !== void 0) {
+      const numVal = parseInt(val, 10);
+      if (!isNaN(numVal)) {
+        result[key] = numVal;
+      }
+    } else {
+      result[key] = true;
+    }
+  }
+  return result;
+}
+var InMemoryCimdCache, CimdCache;
+var init_cimd_cache = __esm({
+  "libs/auth/src/cimd/cimd.cache.ts"() {
+    "use strict";
+    InMemoryCimdCache = class {
+      cache = /* @__PURE__ */ new Map();
+      config;
+      constructor(config) {
+        this.config = {
+          defaultTtlMs: config?.defaultTtlMs ?? 36e5,
+          maxTtlMs: config?.maxTtlMs ?? 864e5,
+          minTtlMs: config?.minTtlMs ?? 6e4
+        };
+      }
+      /**
+       * Get a cached entry by client_id.
+       *
+       * @param clientId - The client_id URL
+       * @returns The cached entry if valid, or undefined
+       */
+      async get(clientId) {
+        const entry = this.cache.get(clientId);
+        if (!entry) {
+          return void 0;
+        }
+        if (entry.expiresAt < Date.now()) {
+          return void 0;
+        }
+        return entry;
+      }
+      /**
+       * Get a stale entry for conditional revalidation.
+       *
+       * @param clientId - The client_id URL
+       * @returns The stale entry (even if expired), or undefined if not cached
+       */
+      async getStale(clientId) {
+        return this.cache.get(clientId);
+      }
+      /**
+       * Store a document in the cache.
+       *
+       * @param clientId - The client_id URL
+       * @param document - The metadata document
+       * @param headers - HTTP response headers
+       */
+      async set(clientId, document, headers) {
+        const cacheHeaders = extractCacheHeaders(headers);
+        const { ttlMs, etag, lastModified } = parseCacheHeaders(cacheHeaders, this.config);
+        const now = Date.now();
+        const entry = {
+          document,
+          expiresAt: now + ttlMs,
+          etag,
+          lastModified,
+          cachedAt: now
+        };
+        this.cache.set(clientId, entry);
+      }
+      /**
+       * Update an existing cache entry (after 304 Not Modified).
+       *
+       * @param clientId - The client_id URL
+       * @param headers - New HTTP headers with updated cache directives
+       */
+      async revalidate(clientId, headers) {
+        const existing = this.cache.get(clientId);
+        if (!existing) {
+          return false;
+        }
+        const cacheHeaders = extractCacheHeaders(headers);
+        const { ttlMs, etag, lastModified } = parseCacheHeaders(cacheHeaders, this.config);
+        existing.expiresAt = Date.now() + ttlMs;
+        if (etag) existing.etag = etag;
+        if (lastModified) existing.lastModified = lastModified;
+        return true;
+      }
+      /**
+       * Delete a cache entry.
+       *
+       * @param clientId - The client_id URL
+       * @returns true if an entry was deleted
+       */
+      async delete(clientId) {
+        return this.cache.delete(clientId);
+      }
+      /**
+       * Get conditional request headers for a cached entry.
+       *
+       * @param clientId - The client_id URL
+       * @returns Headers for conditional request, or undefined if not cached
+       */
+      async getConditionalHeaders(clientId) {
+        const entry = this.cache.get(clientId);
+        if (!entry) {
+          return void 0;
+        }
+        const headers = {};
+        if (entry.etag) {
+          headers["If-None-Match"] = entry.etag;
+        }
+        if (entry.lastModified) {
+          headers["If-Modified-Since"] = entry.lastModified;
+        }
+        return Object.keys(headers).length > 0 ? headers : void 0;
+      }
+      /**
+       * Clear all cached entries.
+       */
+      async clear() {
+        this.cache.clear();
+      }
+      /**
+       * Get the number of cached entries.
+       */
+      async size() {
+        return this.cache.size;
+      }
+      /**
+       * Remove expired entries.
+       *
+       * @returns Number of entries removed
+       */
+      async cleanup() {
+        const now = Date.now();
+        let removed = 0;
+        for (const [clientId, entry] of this.cache) {
+          if (entry.expiresAt + this.config.maxTtlMs * 2 < now) {
+            this.cache.delete(clientId);
+            removed++;
+          }
+        }
+        return removed;
+      }
+    };
+    CimdCache = InMemoryCimdCache;
+  }
+});
+
+// libs/auth/src/jwks/jwks.service.ts
+import { jwtVerify, createLocalJWKSet, decodeProtectedHeader } from "jose";
+import { bytesToHex, randomBytes, rsaVerify, createKeyPersistence } from "@frontmcp/utils";
+
+// libs/auth/src/jwks/jwks.utils.ts
+function trimSlash(s) {
+  return (s ?? "").replace(/\/+$/, "");
+}
+function normalizeIssuer(u) {
+  return trimSlash(String(u ?? ""));
+}
+function decodeJwtPayloadSafe(token) {
+  if (!token) return void 0;
+  const parts = token.split(".");
+  if (parts.length < 2) return void 0;
+  try {
+    const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
+    const json = typeof Buffer !== "undefined" ? Buffer.from(b64, "base64").toString("utf8") : (
+      // browser fallback
+      atob(b64)
+    );
+    const obj = JSON.parse(json);
+    return obj && typeof obj === "object" && !Array.isArray(obj) ? obj : void 0;
+  } catch {
+    return void 0;
+  }
+}
+
+// libs/auth/src/jwks/jwks.service.ts
+var WEAK_KEY_WARNING = `
+\u26A0\uFE0F  SECURITY WARNING: OAuth provider is using an RSA key smaller than 2048 bits.
+    This is considered insecure and should be updated.
+    Please contact your OAuth provider to upgrade their signing keys.
+    Verification will proceed but with reduced security guarantees.
+`;
+var JwksService = class {
+  opts;
+  warnedProviders = /* @__PURE__ */ new Set();
+  // Orchestrator signing material
+  orchestratorKey;
+  // Provider JWKS cache (providerId -> jwks + fetchedAt)
+  providerJwks = /* @__PURE__ */ new Map();
+  // Track if key has been initialized (for async loading)
+  keyInitialized = false;
+  // Promise guard to prevent concurrent key generation
+  keyInitPromise;
+  // KeyPersistence instance for unified key storage
+  keyPersistence;
+  constructor(opts) {
+    this.opts = {
+      orchestratorAlg: opts?.orchestratorAlg ?? "RS256",
+      rotateDays: opts?.rotateDays ?? 30,
+      providerJwksTtlMs: opts?.providerJwksTtlMs ?? 6 * 60 * 60 * 1e3,
+      // 6h
+      networkTimeoutMs: opts?.networkTimeoutMs ?? 5e3,
+      // 5s
+      devKeyPersistence: opts?.devKeyPersistence
+    };
+  }
+  // ===========================================================================
+  // Key Persistence Helpers
+  // ===========================================================================
+  /**
+   * Check if key persistence should be enabled.
+   * Enabled in development by default, disabled in production unless forceEnable.
+   */
+  shouldEnablePersistence() {
+    const isProd = process.env["NODE_ENV"] === "production";
+    if (this.opts.devKeyPersistence?.forceEnable) return true;
+    return !isProd;
+  }
+  /**
+   * Get or create the KeyPersistence instance.
+   * Returns null if persistence is disabled.
+   */
+  async getKeyPersistence() {
+    if (!this.shouldEnablePersistence()) return null;
+    if (!this.keyPersistence) {
+      this.keyPersistence = await createKeyPersistence({
+        baseDir: ".frontmcp/keys"
+      });
+    }
+    return this.keyPersistence;
+  }
+  // ===========================================================================
+  // Public JWKS (what /.well-known/jwks.json serves)
+  // ===========================================================================
+  /** Gateway's public JWKS (publish at /.well-known/jwks.json when orchestrated). */
+  async getPublicJwks() {
+    return this.getOrchestratorJwks();
+  }
+  // ===========================================================================
+  // Scope-aware verification API
+  // ===========================================================================
+  /** Verify a token issued by the gateway itself (orchestrated mode). */
+  async verifyGatewayToken(token, expectedIssuer) {
+    try {
+      const payload = decodeJwtPayloadSafe(token);
+      if (!payload) {
+        return {
+          ok: false,
+          error: "invalid bearer token"
+        };
+      }
+      return {
+        ok: true,
+        issuer: expectedIssuer,
+        sub: payload["sub"],
+        payload,
+        header: decodeProtectedHeader(token)
+      };
+    } catch (err) {
+      const message = err instanceof Error ? err.message : "verification_failed";
+      return { ok: false, error: message };
+    }
+  }
+  /**
+   * Verify a token against candidate transparent providers.
+   * Ensures JWKS are available (cached/TTL/AS discovery) per provider.
+   */
+  async verifyTransparentToken(token, candidates) {
+    if (!candidates?.length) return { ok: false, error: "no_providers" };
+    let kid;
+    try {
+      const header = decodeProtectedHeader(token);
+      kid = typeof header?.kid === "string" ? header.kid : void 0;
+    } catch {
+    }
+    for (const p of candidates) {
+      let jwks;
+      try {
+        jwks = await this.getJwksForProvider(p);
+        if (!jwks?.keys?.length) continue;
+        const draftPayload = decodeJwtPayloadSafe(token);
+        const JWKS = createLocalJWKSet(jwks);
+        const { payload, protectedHeader } = await jwtVerify(token, JWKS, {
+          issuer: [normalizeIssuer(p.issuerUrl)].concat(
+            draftPayload?.["iss"] ? [draftPayload["iss"]] : []
+          )
+          // used because current cloud gateway have invalid issuer
+        });
+        return {
+          ok: true,
+          issuer: payload?.iss,
+          sub: payload?.sub,
+          providerId: p.id,
+          header: protectedHeader,
+          payload
+        };
+      } catch (e) {
+        if (this.isWeakKeyError(e)) {
+          const fallbackJwks = jwks ?? await this.getJwksForProvider(p);
+          if (fallbackJwks?.keys?.length) {
+            const fallbackResult = await this.verifyWithWeakKey(token, fallbackJwks, p);
+            if (fallbackResult.ok) {
+              return fallbackResult;
+            }
+          }
+        }
+        console.log("failed to verify token for provider: ", p.id, e);
+      }
+    }
+    return { ok: false, error: `no_provider_verified${kid ? ` (kid=${kid})` : ""}` };
+  }
+  /**
+   * Check if the error is due to weak RSA key (< 2048 bits)
+   */
+  isWeakKeyError(error) {
+    const message = typeof error === "object" && error !== null && "message" in error && typeof error.message === "string" ? error.message : String(error);
+    return message.includes("modulusLength") && message.includes("2048");
+  }
+  /**
+   * Fallback verification for providers using RSA keys smaller than 2048 bits.
+   * Logs a security warning but allows verification to proceed.
+   */
+  async verifyWithWeakKey(token, jwks, provider) {
+    try {
+      const parts = token.split(".");
+      if (parts.length !== 3) {
+        return { ok: false, error: "invalid_token_format" };
+      }
+      const [headerB64, payloadB64, signatureB64] = parts;
+      const header = JSON.parse(Buffer.from(headerB64, "base64url").toString("utf8"));
+      const payload = JSON.parse(Buffer.from(payloadB64, "base64url").toString("utf8"));
+      const matchingKey = this.findMatchingKey(jwks, header);
+      if (!matchingKey) {
+        return { ok: false, error: "no_matching_key" };
+      }
+      const signatureInput = `${headerB64}.${payloadB64}`;
+      const signature = Buffer.from(signatureB64, "base64url");
+      const jwtAlg = typeof header.alg === "string" ? header.alg : void 0;
+      if (!jwtAlg) {
+        return { ok: false, error: "missing_alg" };
+      }
+      const isValid = rsaVerify(jwtAlg, Buffer.from(signatureInput), matchingKey, signature);
+      if (!isValid) {
+        return { ok: false, error: "signature_invalid" };
+      }
+      const payloadIssuerRaw = typeof payload.iss === "string" ? payload.iss : void 0;
+      if (!payloadIssuerRaw) {
+        return { ok: false, error: "issuer_mismatch" };
+      }
+      const trustedIssuers = /* @__PURE__ */ new Set([normalizeIssuer(provider.issuerUrl)]);
+      const payloadIssuer = normalizeIssuer(payloadIssuerRaw);
+      if (!trustedIssuers.has(payloadIssuer)) {
+        return { ok: false, error: "issuer_mismatch" };
+      }
+      if (payload.exp && payload.exp < Math.floor(Date.now() / 1e3)) {
+        return { ok: false, error: "token_expired" };
+      }
+      if (!this.warnedProviders.has(provider.id)) {
+        this.warnedProviders.add(provider.id);
+        console.warn(WEAK_KEY_WARNING);
+        console.warn(`    Provider: ${provider.id} (${provider.issuerUrl})`);
+      }
+      return {
+        ok: true,
+        issuer: payload.iss,
+        sub: payload.sub,
+        providerId: provider.id,
+        header,
+        payload
+      };
+    } catch (err) {
+      const message = err instanceof Error ? err.message : "unknown";
+      return { ok: false, error: `weak_key_verification_failed: ${message}` };
+    }
+  }
+  /**
+   * Find a matching key from JWKS based on token header
+   */
+  findMatchingKey(jwks, header) {
+    if (header.kid) {
+      const byKid = jwks.keys.find((k) => k.kid === header.kid);
+      if (byKid) return byKid;
+    }
+    if (header.alg) {
+      const byAlg = jwks.keys.find((k) => k.alg === header.alg || k.kty === "RSA" && header.alg?.startsWith("RS"));
+      if (byAlg) return byAlg;
+    }
+    return jwks.keys.find((k) => k.kty === "RSA");
+  }
+  // ===========================================================================
+  // Provider JWKS (cache + preload + discovery)
+  // ===========================================================================
+  /** Directly set provider JWKS (e.g., inline keys from config). */
+  setProviderJwks(providerId, jwks) {
+    this.providerJwks.set(providerId, { jwks, fetchedAt: Date.now() });
+  }
+  /**
+   * Ensure JWKS for a provider:
+   *   1) inline jwks (if provided) → cache & return
+   *   2) cached & fresh (TTL)      → return
+   *   3) explicit jwksUri          → fetch, cache, return
+   *   4) discover jwks_uri via AS  → fetch AS metadata, then jwks_uri, cache, return
+   */
+  async getJwksForProvider(ref) {
+    if (ref.jwks?.keys?.length) {
+      this.setProviderJwks(ref.id, ref.jwks);
+      return ref.jwks;
+    }
+    const cached = this.providerJwks.get(ref.id);
+    if (cached && Date.now() - cached.fetchedAt < this.opts.providerJwksTtlMs) {
+      return cached.jwks;
+    }
+    if (ref.jwksUri) {
+      const fromUri = await this.tryFetchJwks(ref.id, ref.jwksUri);
+      if (fromUri?.keys?.length) return fromUri;
+    }
+    const issuer = trimSlash(ref.issuerUrl);
+    const meta = await this.tryFetchAsMeta(`${issuer}/.well-known/oauth-authorization-server`);
+    const uri = meta && typeof meta === "object" && meta["jwks_uri"] ? String(meta["jwks_uri"]) : void 0;
+    if (uri) {
+      const fromMeta = await this.tryFetchJwks(ref.id, uri);
+      if (fromMeta?.keys?.length) return fromMeta;
+    }
+    return cached?.jwks;
+  }
+  // ===========================================================================
+  // Orchestrator keys (generation/rotation)
+  // ===========================================================================
+  /** Return the orchestrator public JWKS (generates/rotates as needed). */
+  async getOrchestratorJwks() {
+    await this.ensureOrchestratorKey();
+    return this.orchestratorKey.publicJwk;
+  }
+  /** Return private signing key + kid for issuing orchestrator tokens. */
+  async getOrchestratorSigningKey() {
+    await this.ensureOrchestratorKey();
+    return { kid: this.orchestratorKey.kid, key: this.orchestratorKey.privateKey, alg: this.opts.orchestratorAlg };
+  }
+  // ===========================================================================
+  // Internals (fetch, rotation, helpers)
+  // ===========================================================================
+  async tryFetchJwks(providerId, uri) {
+    try {
+      const jwks = await this.fetchJson(uri);
+      if (jwks?.keys?.length) {
+        this.setProviderJwks(providerId, jwks);
+        return jwks;
+      }
+    } catch {
+    }
+    return void 0;
+  }
+  async tryFetchAsMeta(url) {
+    try {
+      return await this.fetchJson(url);
+    } catch {
+      return void 0;
+    }
+  }
+  async fetchJson(url) {
+    const ctl = typeof AbortController !== "undefined" ? new AbortController() : void 0;
+    const timer = setTimeout(() => ctl?.abort(), this.opts.networkTimeoutMs);
+    try {
+      const res = await fetch(url, {
+        method: "GET",
+        headers: { accept: "application/json" },
+        signal: ctl?.signal
+      });
+      if (!res.ok) throw new Error(`HTTP ${res.status}`);
+      return await res.json();
+    } finally {
+      clearTimeout(timer);
+    }
+  }
+  async ensureOrchestratorKey() {
+    const now = Date.now();
+    const maxAge = this.opts.rotateDays * 24 * 60 * 60 * 1e3;
+    if (this.orchestratorKey && now - this.orchestratorKey.createdAt <= maxAge) {
+      return;
+    }
+    if (this.keyInitPromise) {
+      await this.keyInitPromise;
+      return;
+    }
+    this.keyInitPromise = this.initializeOrchestratorKey(now, maxAge);
+    try {
+      await this.keyInitPromise;
+    } finally {
+      this.keyInitPromise = void 0;
+    }
+  }
+  async initializeOrchestratorKey(now, maxAge) {
+    const persistence = await this.getKeyPersistence();
+    if (persistence && !this.keyInitialized) {
+      this.keyInitialized = true;
+      const loaded = await persistence.getAsymmetric("jwks-orchestrator");
+      if (loaded && now - loaded.createdAt <= maxAge) {
+        if (loaded.alg !== this.opts.orchestratorAlg) {
+          console.warn(
+            `[JwksService] Persisted key algorithm (${loaded.alg}) doesn't match config (${this.opts.orchestratorAlg}), generating new key`
+          );
+        } else {
+          try {
+            const { createPrivateKey } = __require("node:crypto");
+            const privateKey = createPrivateKey({
+              key: loaded.privateKey,
+              format: "jwk"
+            });
+            this.orchestratorKey = {
+              kid: loaded.kid,
+              privateKey,
+              publicJwk: loaded.publicJwk,
+              createdAt: loaded.createdAt
+            };
+            return;
+          } catch (error) {
+            console.warn(`[JwksService] Failed to load persisted key: ${error.message}, generating new key`);
+          }
+        }
+      }
+    }
+    this.orchestratorKey = this.generateKey(this.opts.orchestratorAlg);
+    this.keyInitialized = true;
+    if (persistence) {
+      try {
+        await persistence.set({
+          type: "asymmetric",
+          kid: this.orchestratorKey.kid,
+          alg: this.opts.orchestratorAlg,
+          privateKey: this.orchestratorKey.privateKey.export({ format: "jwk" }),
+          publicJwk: this.orchestratorKey.publicJwk,
+          createdAt: this.orchestratorKey.createdAt,
+          version: 1
+        });
+      } catch (error) {
+        console.warn(`[JwksService] Failed to persist dev key: ${error.message}`);
+      }
+    }
+  }
+  generateKey(alg) {
+    const { generateKeyPairSync } = __require("node:crypto");
+    if (alg === "RS256") {
+      const { privateKey, publicKey } = generateKeyPairSync("rsa", { modulusLength: 2048 });
+      const kid = bytesToHex(randomBytes(8));
+      const publicJwk = publicKey.export({ format: "jwk" });
+      Object.assign(publicJwk, { kid, alg: "RS256", use: "sig", kty: "RSA" });
+      return { kid, privateKey, publicJwk: { keys: [publicJwk] }, createdAt: Date.now() };
+    } else {
+      const { privateKey, publicKey } = generateKeyPairSync("ec", { namedCurve: "P-256" });
+      const kid = bytesToHex(randomBytes(8));
+      const publicJwk = publicKey.export({ format: "jwk" });
+      Object.assign(publicJwk, { kid, alg: "ES256", use: "sig", kty: "EC" });
+      return { kid, privateKey, publicJwk: { keys: [publicJwk] }, createdAt: Date.now() };
+    }
+  }
+};
+
+// libs/auth/src/jwks/dev-key-persistence.ts
+import * as path from "path";
+import * as crypto from "crypto";
+import { z } from "zod";
+import { readFile, mkdir, writeFile, rename, unlink } from "@frontmcp/utils";
+var DEFAULT_KEY_PATH = ".frontmcp/dev-keys.json";
+var rsaPrivateKeySchema = z.object({
+  kty: z.literal("RSA"),
+  n: z.string().min(1),
+  e: z.string().min(1),
+  d: z.string().min(1),
+  p: z.string().optional(),
+  q: z.string().optional(),
+  dp: z.string().optional(),
+  dq: z.string().optional(),
+  qi: z.string().optional()
+}).passthrough();
+var ecPrivateKeySchema = z.object({
+  kty: z.literal("EC"),
+  crv: z.string().min(1),
+  x: z.string().min(1),
+  y: z.string().min(1),
+  d: z.string().min(1)
+}).passthrough();
+var publicJwkSchema = z.object({
+  kty: z.enum(["RSA", "EC"]),
+  kid: z.string().min(1),
+  alg: z.enum(["RS256", "ES256"]),
+  use: z.literal("sig")
+}).passthrough();
+var jwksSchema = z.object({
+  keys: z.array(publicJwkSchema).min(1)
+});
+var devKeyDataSchema = z.object({
+  kid: z.string().min(1),
+  privateKey: z.union([rsaPrivateKeySchema, ecPrivateKeySchema]),
+  publicJwk: jwksSchema,
+  createdAt: z.number().positive().int(),
+  alg: z.enum(["RS256", "ES256"])
+});
+function validateJwkStructure(data) {
+  const result = devKeyDataSchema.safeParse(data);
+  if (!result.success) {
+    return { valid: false, error: result.error.issues[0]?.message ?? "Invalid JWK structure" };
+  }
+  const parsed = result.data;
+  if (parsed.alg === "RS256" && parsed.privateKey.kty !== "RSA") {
+    return { valid: false, error: "Algorithm RS256 requires RSA key type" };
+  }
+  if (parsed.alg === "ES256" && parsed.privateKey.kty !== "EC") {
+    return { valid: false, error: "Algorithm ES256 requires EC key type" };
+  }
+  const publicKey = parsed.publicJwk.keys[0];
+  if (publicKey.kty !== parsed.privateKey.kty) {
+    return { valid: false, error: "Public and private key types do not match" };
+  }
+  if (publicKey.kid !== parsed.kid) {
+    return { valid: false, error: "kid mismatch between top-level and publicJwk" };
+  }
+  const now = Date.now();
+  const hundredYearsMs = 100 * 365 * 24 * 60 * 60 * 1e3;
+  if (parsed.createdAt > now) {
+    return { valid: false, error: "createdAt is in the future" };
+  }
+  if (parsed.createdAt < now - hundredYearsMs) {
+    return { valid: false, error: "createdAt is too old" };
+  }
+  return { valid: true };
+}
+function isDevKeyPersistenceEnabled(options) {
+  const isProduction = process.env["NODE_ENV"] === "production";
+  if (isProduction) {
+    return options?.forceEnable === true;
+  }
+  return true;
+}
+function resolveKeyPath(options) {
+  const keyPath = options?.keyPath ?? DEFAULT_KEY_PATH;
+  if (path.isAbsolute(keyPath)) {
+    return keyPath;
+  }
+  return path.resolve(process.cwd(), keyPath);
+}
+async function loadDevKey(options) {
+  if (!isDevKeyPersistenceEnabled(options)) {
+    return null;
+  }
+  const keyPath = resolveKeyPath(options);
+  try {
+    const content = await readFile(keyPath, "utf8");
+    const data = JSON.parse(content);
+    const validation = validateJwkStructure(data);
+    if (!validation.valid) {
+      console.warn(`[DevKeyPersistence] Invalid key file format at ${keyPath}: ${validation.error}, will regenerate`);
+      return null;
+    }
+    console.log(`[DevKeyPersistence] Loaded key (kid=${data.kid}) from ${keyPath}`);
+    return data;
+  } catch (error) {
+    if (error.code === "ENOENT") {
+      return null;
+    }
+    console.warn(`[DevKeyPersistence] Failed to load key from ${keyPath}: ${error.message}`);
+    return null;
+  }
+}
+async function saveDevKey(keyData, options) {
+  if (!isDevKeyPersistenceEnabled(options)) {
+    return true;
+  }
+  const keyPath = resolveKeyPath(options);
+  const dir = path.dirname(keyPath);
+  const tempPath = `${keyPath}.tmp.${Date.now()}.${crypto.randomBytes(8).toString("hex")}`;
+  try {
+    await mkdir(dir, { recursive: true, mode: 448 });
+    const content = JSON.stringify(keyData, null, 2);
+    await writeFile(tempPath, content, { mode: 384 });
+    await rename(tempPath, keyPath);
+    console.log(`[DevKeyPersistence] Saved key (kid=${keyData.kid}) to ${keyPath}`);
+    return true;
+  } catch (error) {
+    console.error(`[DevKeyPersistence] Failed to save key to ${keyPath}: ${error.message}`);
+    try {
+      await unlink(tempPath);
+    } catch {
+    }
+    return false;
+  }
+}
+async function deleteDevKey(options) {
+  const keyPath = resolveKeyPath(options);
+  try {
+    await unlink(keyPath);
+    console.log(`[DevKeyPersistence] Deleted key at ${keyPath}`);
+  } catch (error) {
+    if (error.code !== "ENOENT") {
+      console.warn(`[DevKeyPersistence] Failed to delete key at ${keyPath}: ${error.message}`);
+    }
+  }
+}
+
+// libs/auth/src/ui/base-layout.ts
+import { escapeHtml } from "@frontmcp/utils";
+import { escapeHtml as escapeHtml2 } from "@frontmcp/utils";
+var CDN = {
+  /** Tailwind CSS v4 Browser CDN - generates styles on-the-fly with @theme support */
+  tailwind: "https://cdn.jsdelivr.net/npm/@tailwindcss/browser@4",
+  /** Google Fonts - Inter for modern UI */
+  fonts: {
+    preconnect: ["https://fonts.googleapis.com", "https://fonts.gstatic.com"],
+    stylesheet: "https://fonts.googleapis.com/css2?family=Inter:wght@400;500;600;700&display=swap"
+  }
+};
+var DEFAULT_THEME = {
+  colors: {
+    primary: "#3b82f6",
+    // blue-500
+    "primary-dark": "#2563eb",
+    // blue-600
+    secondary: "#8b5cf6",
+    // violet-500
+    accent: "#06b6d4",
+    // cyan-500
+    success: "#22c55e",
+    // green-500
+    warning: "#f59e0b",
+    // amber-500
+    danger: "#ef4444"
+    // red-500
+  },
+  fonts: {
+    sans: 'Inter, system-ui, -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, sans-serif'
+  }
+};
+function buildThemeCss(theme) {
+  const lines = [];
+  if (theme.colors) {
+    for (const [key, value] of Object.entries(theme.colors)) {
+      if (value) {
+        lines.push(`--color-${key}: ${value};`);
+      }
+    }
+  }
+  if (theme.fonts) {
+    for (const [key, value] of Object.entries(theme.fonts)) {
+      if (value) {
+        lines.push(`--font-${key}: ${value};`);
+      }
+    }
+  }
+  if (theme.customVars) {
+    lines.push(theme.customVars);
+  }
+  return lines.join("\n        ");
+}
+function baseLayout(content, options) {
+  const {
+    title,
+    description,
+    includeTailwind = true,
+    includeFonts = true,
+    headExtra = "",
+    bodyClass = "bg-gray-50 min-h-screen font-sans antialiased",
+    theme
+  } = options;
+  const mergedTheme = {
+    colors: { ...DEFAULT_THEME.colors, ...theme?.colors },
+    fonts: { ...DEFAULT_THEME.fonts, ...theme?.fonts },
+    customVars: theme?.customVars,
+    customCss: theme?.customCss
+  };
+  const fontPreconnect = includeFonts ? CDN.fonts.preconnect.map((url, i) => `<link rel="preconnect" href="${url}"${i > 0 ? " crossorigin" : ""}>`).join("\n  ") : "";
+  const fontStylesheet = includeFonts ? `<link href="${CDN.fonts.stylesheet}" rel="stylesheet">` : "";
+  const themeCss = buildThemeCss(mergedTheme);
+  const customCss = mergedTheme.customCss || "";
+  const tailwindBlock = includeTailwind ? `<script src="${CDN.tailwind}"></script>
+  <style type="text/tailwindcss">
+    @theme {
+      ${themeCss}
+    }
+    ${customCss}
+  </style>` : "";
+  const metaDescription = description ? `<meta name="description" content="${escapeHtml(description)}">` : "";
+  return `<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>${escapeHtml(title)} - FrontMCP</title>
+  ${metaDescription}
+
+  <!-- Google Fonts CDN - Inter (modern UI font) -->
+  ${fontPreconnect}
+  ${fontStylesheet}
+
+  <!-- Tailwind CSS v4 Browser CDN with @theme support -->
+  ${tailwindBlock}
+  ${headExtra}
+</head>
+<body class="${escapeHtml(bodyClass)}">
+  ${content}
+</body>
+</html>`;
+}
+function createLayout(defaultOptions) {
+  return (content, options) => {
+    const mergedTheme = defaultOptions.theme || options.theme ? {
+      colors: { ...defaultOptions.theme?.colors, ...options.theme?.colors },
+      fonts: { ...defaultOptions.theme?.fonts, ...options.theme?.fonts },
+      customVars: options.theme?.customVars ?? defaultOptions.theme?.customVars,
+      customCss: options.theme?.customCss ?? defaultOptions.theme?.customCss
+    } : void 0;
+    return baseLayout(content, {
+      ...defaultOptions,
+      ...options,
+      theme: mergedTheme
+    });
+  };
+}
+var authLayout = createLayout({
+  bodyClass: "bg-gray-50 min-h-screen font-sans antialiased"
+});
+function centeredCardLayout(content, options) {
+  const wrappedContent = `
+  <div class="min-h-screen flex items-center justify-center p-4">
+    <div class="w-full max-w-md">
+      ${content}
+    </div>
+  </div>`;
+  return baseLayout(wrappedContent, {
+    ...options,
+    bodyClass: "bg-gradient-to-br from-primary to-secondary min-h-screen font-sans antialiased"
+  });
+}
+function wideLayout(content, options) {
+  const wrappedContent = `
+  <div class="min-h-screen py-8 px-4">
+    <div class="max-w-2xl mx-auto">
+      ${content}
+    </div>
+  </div>`;
+  return baseLayout(wrappedContent, options);
+}
+function extraWideLayout(content, options) {
+  const wrappedContent = `
+  <div class="min-h-screen py-8 px-4">
+    <div class="max-w-3xl mx-auto">
+      ${content}
+    </div>
+  </div>`;
+  return baseLayout(wrappedContent, options);
+}
+
+// libs/auth/src/ui/templates.ts
+var escapeHtml3 = escapeHtml2;
+function buildConsentPage(params) {
+  const { apps, clientName, pendingAuthId, csrfToken, callbackPath } = params;
+  const appCards = apps.map((app) => buildAppCardHtml(app, pendingAuthId, csrfToken, callbackPath)).join("\n");
+  const content = `
+    <h1 class="text-3xl font-bold text-gray-900 mb-4">Authorize ${escapeHtml3(clientName)}</h1>
+    <p class="text-gray-600 mb-8">
+      Select which apps you want to authorize. You can skip apps and authorize them later when needed.
+    </p>
+
+    <div class="space-y-4" id="app-list">
+      ${appCards}
+    </div>
+
+    <div class="mt-6 p-4 bg-blue-50 border border-blue-200 rounded-lg text-sm text-blue-800">
+      Skipped apps can be authorized later when you try to use their tools (progressive authorization).
+    </div>`;
+  return wideLayout(content, { title: `Authorize ${clientName}` });
+}
+function buildAppCardHtml(app, pendingAuthId, csrfToken, callbackPath) {
+  const icon = app.iconUrl ? `<img src="${escapeHtml3(app.iconUrl)}" alt="${escapeHtml3(
+    app.appName
+  )}" class="w-12 h-12 rounded-lg object-cover">` : `<div class="w-12 h-12 rounded-lg bg-gradient-to-br from-blue-500 to-purple-600 flex items-center justify-center text-white font-bold text-lg">${escapeHtml3(
+    app.appName.charAt(0).toUpperCase()
+  )}</div>`;
+  const description = app.description ? `<p class="text-sm text-gray-500">${escapeHtml3(app.description)}</p>` : "";
+  const scopes = app.requiredScopes?.length ? `<div class="mb-4">
+        <p class="text-xs font-medium text-gray-500 uppercase tracking-wide mb-2">Permissions</p>
+        <div class="flex flex-wrap gap-2">
+          ${app.requiredScopes.map(
+    (scope) => `<span class="inline-flex items-center px-2.5 py-0.5 rounded-full text-xs font-medium bg-blue-100 text-blue-800">${escapeHtml3(
+      scope
+    )}</span>`
+  ).join("")}
+        </div>
+      </div>` : "";
+  return `<div class="bg-white rounded-xl shadow-sm border border-gray-200 p-6 hover:shadow-md transition-shadow" data-app-id="${escapeHtml3(
+    app.appId
+  )}">
+    <div class="flex items-center gap-4 mb-4">
+      ${icon}
+      <div class="flex-1">
+        <h3 class="font-semibold text-gray-900">${escapeHtml3(app.appName)}</h3>
+        ${description}
+      </div>
+    </div>
+
+    ${scopes}
+
+    <form method="POST" action="${escapeHtml3(callbackPath)}" class="flex gap-3 pt-4 border-t border-gray-100">
+      <input type="hidden" name="csrf" value="${escapeHtml3(csrfToken)}">
+      <input type="hidden" name="pending_auth_id" value="${escapeHtml3(pendingAuthId)}">
+      <input type="hidden" name="app" value="${escapeHtml3(app.appId)}">
+      <button type="submit" name="action" value="authorize"
+        class="flex-1 bg-blue-600 hover:bg-blue-700 text-white font-medium py-2.5 px-4 rounded-lg transition-colors">
+        Authorize
+      </button>
+      <button type="submit" name="action" value="skip"
+        class="px-4 py-2.5 text-gray-600 hover:text-gray-900 hover:bg-gray-100 font-medium rounded-lg transition-colors">
+        Skip
+      </button>
+    </form>
+  </div>`;
+}
+function buildIncrementalAuthPage(params) {
+  const { app, toolId, sessionHint, callbackPath } = params;
+  const description = app.description ? `<p class="text-gray-500 mt-2">${escapeHtml3(app.description)}</p>` : "";
+  const content = `
+    <!-- Warning icon -->
+    <div class="flex justify-center mb-6">
+      <div class="w-16 h-16 rounded-full bg-amber-100 flex items-center justify-center">
+        <svg class="w-8 h-8 text-amber-600" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+          <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M12 9v2m0 4h.01m-6.938 4h13.856c1.54 0 2.502-1.667 1.732-3L13.732 4c-.77-1.333-2.694-1.333-3.464 0L3.34 16c-.77 1.333.192 3 1.732 3z"/>
+        </svg>
+      </div>
+    </div>
+
+    <h1 class="text-2xl font-bold text-gray-900 text-center mb-2">Authorization Required</h1>
+    <p class="text-gray-600 text-center mb-8">
+      To use "<span class="font-mono text-sm bg-gray-100 px-1 rounded">${escapeHtml3(
+    toolId
+  )}</span>", you need to authorize ${escapeHtml3(app.appName)}.
+    </p>
+
+    <!-- App card -->
+    <div class="bg-white rounded-xl shadow-sm border border-gray-200 p-6 mb-6">
+      <div class="flex items-center gap-4 mb-4">
+        <div class="w-12 h-12 rounded-lg bg-gradient-to-br from-blue-500 to-purple-600 flex items-center justify-center text-white font-bold text-lg">
+          ${escapeHtml3(app.appName.charAt(0).toUpperCase())}
+        </div>
+        <div class="flex-1">
+          <h3 class="font-semibold text-gray-900">${escapeHtml3(app.appName)}</h3>
+          ${description}
+        </div>
+      </div>
+
+      <form method="GET" action="${escapeHtml3(callbackPath)}" class="flex gap-3 pt-4 border-t border-gray-100">
+        <input type="hidden" name="pending_auth_id" value="${escapeHtml3(sessionHint)}">
+        <input type="hidden" name="app_id" value="${escapeHtml3(app.appId)}">
+        <input type="hidden" name="incremental" value="true">
+        <button type="button" onclick="window.close()"
+          class="flex-1 px-4 py-2.5 text-gray-600 hover:text-gray-900 hover:bg-gray-100 font-medium rounded-lg transition-colors">
+          Cancel
+        </button>
+        <button type="submit"
+          class="flex-1 bg-blue-600 hover:bg-blue-700 text-white font-medium py-2.5 px-4 rounded-lg transition-colors">
+          Authorize
+        </button>
+      </form>
+    </div>
+
+    <div class="p-4 bg-amber-50 border border-amber-200 rounded-lg text-sm text-amber-800 text-center">
+      This is an incremental authorization. Your existing session will be expanded to include ${escapeHtml3(
+    app.appName
+  )}.
+    </div>`;
+  return centeredCardLayout(content, { title: `Authorize ${app.appName}` });
+}
+function buildFederatedLoginPage(params) {
+  const { providers, clientName, pendingAuthId, callbackPath } = params;
+  const providerCards = providers.map((provider) => {
+    const isPrimaryBadge = provider.isPrimary ? `<span class="px-2 py-0.5 text-xs font-medium bg-blue-600 text-white rounded-full">Primary</span>` : "";
+    const providerUrl = provider.providerUrl ? `<p class="text-xs text-gray-400 font-mono truncate">${escapeHtml3(provider.providerUrl)}</p>` : "";
+    const appIds = provider.appIds.length > 0 ? `<p class="text-xs text-gray-500 mt-1">Apps: ${provider.appIds.map((id) => escapeHtml3(id)).join(", ")}</p>` : "";
+    return `<label class="flex items-start gap-4 p-4 bg-white border-2 border-gray-200 rounded-xl cursor-pointer hover:border-blue-300 transition-colors has-[:checked]:border-blue-500 has-[:checked]:bg-blue-50">
+      <input type="checkbox" name="providers" value="${escapeHtml3(provider.providerId)}"
+        class="mt-1 w-5 h-5 rounded border-gray-300" ${provider.isPrimary ? "checked" : ""}>
+      <div class="flex-1">
+        <div class="flex items-center gap-2 mb-1">
+          <span class="font-semibold text-gray-900">${escapeHtml3(provider.providerName)}</span>
+          ${isPrimaryBadge}
+        </div>
+        <p class="text-sm text-gray-500">Mode: ${escapeHtml3(provider.mode)}</p>
+        ${providerUrl}
+        ${appIds}
+      </div>
+    </label>`;
+  }).join("\n");
+  const content = `
+    <h1 class="text-3xl font-bold text-gray-900 mb-4">Select Authorization Providers</h1>
+    <p class="text-gray-600 mb-8">
+      ${escapeHtml3(clientName)} uses multiple authentication providers. Select which ones you want to authorize.
+    </p>
+
+    <form method="GET" action="${escapeHtml3(callbackPath)}" id="federated-form">
+      <input type="hidden" name="pending_auth_id" value="${escapeHtml3(pendingAuthId)}">
+      <input type="hidden" name="federated" value="true">
+
+      <!-- Select all toggle -->
+      <label class="flex items-center gap-3 mb-6 cursor-pointer">
+        <input type="checkbox" id="select-all" class="w-5 h-5 rounded border-gray-300"
+          onchange="document.querySelectorAll('input[name=providers]').forEach(cb => cb.checked = this.checked)">
+        <span class="text-gray-700">Select all providers</span>
+      </label>
+
+      <!-- Provider cards -->
+      <div class="space-y-4 mb-8">
+        ${providerCards}
+      </div>
+
+      <!-- Email input -->
+      <div class="mb-6">
+        <label for="email" class="block text-sm font-medium text-gray-700 mb-2">Email</label>
+        <input type="email" id="email" name="email" required placeholder="you@example.com"
+          class="w-full px-4 py-3 border border-gray-300 rounded-lg focus:ring-2 focus:ring-blue-500 focus:border-blue-500">
+      </div>
+
+      <!-- Buttons -->
+      <div class="flex gap-4">
+        <button type="button"
+          class="flex-1 px-6 py-3 text-gray-700 bg-gray-100 hover:bg-gray-200 font-medium rounded-lg transition-colors"
+          onclick="document.querySelectorAll('input[name=providers]').forEach(cb => cb.checked = false); document.getElementById('federated-form').submit();">
+          Skip All
+        </button>
+        <button type="submit"
+          class="flex-1 px-6 py-3 bg-blue-600 hover:bg-blue-700 text-white font-medium rounded-lg transition-colors">
+          Continue
+        </button>
+      </div>
+    </form>
+
+    <div class="mt-6 p-4 bg-blue-50 border border-blue-200 rounded-lg text-sm text-blue-800">
+      Skipped providers can be authorized later when you try to use their tools (progressive authorization).
+    </div>`;
+  return wideLayout(content, { title: "Select Providers" });
+}
+function buildToolConsentPage(params) {
+  const { tools, clientName, pendingAuthId, csrfToken, callbackPath, userName, userEmail } = params;
+  const toolsByApp = {};
+  for (const tool of tools) {
+    if (!toolsByApp[tool.appId]) {
+      toolsByApp[tool.appId] = { appName: tool.appName, tools: [] };
+    }
+    toolsByApp[tool.appId].tools.push(tool);
+  }
+  const userInfo = userName || userEmail ? `<div class="p-3 bg-gray-50 rounded-lg mb-6 text-sm">
+        <span class="text-gray-500">Signed in as: </span>
+        <span class="font-medium text-gray-900">${escapeHtml3(userName || userEmail || "")}</span>
+      </div>` : "";
+  const appGroups = Object.entries(toolsByApp).map(([appId, { appName, tools: appTools }]) => {
+    const toolItems = appTools.map((tool) => {
+      const desc = tool.description ? `<p class="text-sm text-gray-500 mt-0.5">${escapeHtml3(tool.description)}</p>` : "";
+      return `<label class="flex items-start gap-3 p-3 bg-white rounded-lg cursor-pointer hover:bg-gray-50">
+        <input type="checkbox" name="tools" value="${escapeHtml3(
+        tool.toolId
+      )}" class="mt-0.5 w-5 h-5 rounded border-gray-300" checked>
+        <div>
+          <span class="font-medium text-gray-900">${escapeHtml3(tool.toolName)}</span>
+          ${desc}
+        </div>
+      </label>`;
+    }).join("\n");
+    return `<div class="bg-gray-50 rounded-xl overflow-hidden">
+      <div class="flex items-center justify-between px-4 py-3 bg-gray-100">
+        <div class="flex items-center gap-3">
+          <div class="w-8 h-8 rounded-lg bg-gradient-to-br from-blue-500 to-purple-600 flex items-center justify-center text-white font-bold text-sm">
+            ${escapeHtml3(appName.charAt(0).toUpperCase())}
+          </div>
+          <span class="font-semibold text-gray-900">${escapeHtml3(appName)}</span>
+        </div>
+        <button type="button" class="text-sm text-blue-600 hover:text-blue-800"
+          onclick="const container = this.closest('.bg-gray-50').querySelector('[data-app]'); const cbs = container.querySelectorAll('input[name=tools]'); const allChecked = [...cbs].every(cb => cb.checked); cbs.forEach(cb => cb.checked = !allChecked); updateCount();">
+          Toggle All
+        </button>
+      </div>
+      <div class="p-4 space-y-2" data-app="${escapeHtml3(appId)}">
+        ${toolItems}
+      </div>
+    </div>`;
+  }).join("\n");
+  const updateCountScript = `
+  <script>
+    function updateCount() {
+      const all = document.querySelectorAll('input[name="tools"]');
+      const checked = document.querySelectorAll('input[name="tools"]:checked');
+      document.getElementById('selection-count').textContent = checked.length + ' of ' + all.length + ' selected';
+      document.getElementById('select-all').checked = all.length > 0 && all.length === checked.length;
+    }
+    document.querySelectorAll('input[name="tools"]').forEach(cb => cb.addEventListener('change', updateCount));
+  </script>`;
+  const content = `
+    <h1 class="text-3xl font-bold text-gray-900 mb-4">Select Tools to Enable</h1>
+    <p class="text-gray-600 mb-6">
+      Choose which tools ${escapeHtml3(clientName)} can access. You can change this later.
+    </p>
+
+    ${userInfo}
+
+    <form method="POST" action="${escapeHtml3(callbackPath)}" id="consent-form">
+      <input type="hidden" name="csrf" value="${escapeHtml3(csrfToken)}">
+      <input type="hidden" name="pending_auth_id" value="${escapeHtml3(pendingAuthId)}">
+
+      <!-- Select all toggle -->
+      <div class="flex items-center justify-between mb-6">
+        <label class="flex items-center gap-3 cursor-pointer">
+          <input type="checkbox" id="select-all" class="w-5 h-5 rounded border-gray-300" checked
+            onchange="document.querySelectorAll('input[name=tools]').forEach(cb => cb.checked = this.checked); updateCount();">
+          <span class="text-gray-700">Select all tools</span>
+        </label>
+        <span id="selection-count" class="text-sm text-gray-500">${tools.length} of ${tools.length} selected</span>
+      </div>
+
+      <!-- Tool groups by app -->
+      <div class="space-y-6 mb-8">
+        ${appGroups}
+      </div>
+
+      <!-- Buttons -->
+      <div class="flex gap-4">
+        <button type="button" onclick="history.back()"
+          class="flex-1 px-6 py-3 text-gray-700 bg-gray-100 hover:bg-gray-200 font-medium rounded-lg transition-colors">
+          Cancel
+        </button>
+        <button type="submit"
+          class="flex-1 px-6 py-3 bg-blue-600 hover:bg-blue-700 text-white font-medium rounded-lg transition-colors">
+          Confirm Selection
+        </button>
+      </div>
+    </form>
+    ${updateCountScript}`;
+  return extraWideLayout(content, { title: "Select Tools" });
+}
+function buildLoginPage(params) {
+  const { clientName, scope, pendingAuthId, callbackPath } = params;
+  const scopesHtml = scope ? `<div class="p-4 bg-gray-50 rounded-lg mb-6">
+        <p class="text-xs font-medium text-gray-500 uppercase tracking-wide mb-2">Requested permissions</p>
+        <p class="text-gray-700">${scope.split(" ").map((s) => escapeHtml3(s)).join(", ") || "Default access"}</p>
+      </div>` : "";
+  const content = `
+    <div class="bg-white rounded-2xl shadow-xl p-8">
+      <h1 class="text-3xl font-bold text-gray-900 mb-2 text-center">Sign In</h1>
+      <p class="text-gray-600 mb-8 text-center">Authorize access to ${escapeHtml3(clientName)}</p>
+
+      ${scopesHtml}
+
+      <form method="GET" action="${escapeHtml3(callbackPath)}">
+        <input type="hidden" name="pending_auth_id" value="${escapeHtml3(pendingAuthId)}">
+
+        <!-- Email -->
+        <div class="mb-4">
+          <label for="email" class="block text-sm font-medium text-gray-700 mb-2">Email</label>
+          <input type="email" id="email" name="email" required placeholder="you@example.com"
+            class="w-full px-4 py-3 border border-gray-300 rounded-lg focus:ring-2 focus:ring-blue-500 focus:border-blue-500">
+        </div>
+
+        <!-- Name (optional) -->
+        <div class="mb-6">
+          <label for="name" class="block text-sm font-medium text-gray-700 mb-2">Name (optional)</label>
+          <input type="text" id="name" name="name" placeholder="Your name"
+            class="w-full px-4 py-3 border border-gray-300 rounded-lg focus:ring-2 focus:ring-blue-500 focus:border-blue-500">
+        </div>
+
+        <!-- Submit -->
+        <button type="submit"
+          class="w-full px-6 py-3 bg-blue-600 hover:bg-blue-700 text-white font-medium rounded-lg transition-colors">
+          Authorize
+        </button>
+      </form>
+
+      <p class="text-center text-sm text-gray-500 mt-6">Client: ${escapeHtml3(clientName)}</p>
+    </div>`;
+  return centeredCardLayout(content, { title: "Sign In" });
+}
+function buildErrorPage(params) {
+  const { error, description } = params;
+  const content = `
+    <div class="bg-white rounded-2xl shadow-xl p-8 text-center">
+      <!-- Error icon -->
+      <div class="flex justify-center mb-6">
+        <div class="w-16 h-16 rounded-full bg-red-100 flex items-center justify-center">
+          <svg class="w-8 h-8 text-red-600" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+            <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M6 18L18 6M6 6l12 12"/>
+          </svg>
+        </div>
+      </div>
+
+      <h1 class="text-2xl font-bold text-gray-900 mb-4">Authorization Error</h1>
+      <p class="mb-4">
+        <code class="px-2 py-1 bg-gray-100 rounded text-red-600 font-mono text-sm">${escapeHtml3(error)}</code>
+      </p>
+      <p class="text-gray-600">${escapeHtml3(description)}</p>
+    </div>`;
+  return centeredCardLayout(content, { title: "Error" });
+}
+function renderToHtml(html, _options) {
+  return html;
+}
+
+// libs/auth/src/session/authorization.store.ts
+import { randomUUID, sha256Base64url } from "@frontmcp/utils";
+import { z as z2 } from "zod";
+var pkceChallengeSchema = z2.object({
+  challenge: z2.string().min(43).max(128),
+  method: z2.literal("S256")
+});
+var authorizationCodeRecordSchema = z2.object({
+  code: z2.string().min(1),
+  clientId: z2.string().min(1),
+  redirectUri: z2.string().url(),
+  scopes: z2.array(z2.string()),
+  pkce: pkceChallengeSchema,
+  userSub: z2.string().min(1),
+  userEmail: z2.string().email().optional(),
+  userName: z2.string().optional(),
+  state: z2.string().optional(),
+  createdAt: z2.number(),
+  expiresAt: z2.number(),
+  used: z2.boolean(),
+  resource: z2.string().url().optional(),
+  // Consent and federated login fields
+  selectedToolIds: z2.array(z2.string()).optional(),
+  selectedProviderIds: z2.array(z2.string()).optional(),
+  skippedProviderIds: z2.array(z2.string()).optional(),
+  consentEnabled: z2.boolean().optional(),
+  federatedLoginUsed: z2.boolean().optional(),
+  pendingAuthId: z2.string().optional()
+});
+function verifyPkce(codeVerifier, challenge) {
+  if (challenge.method !== "S256") {
+    return false;
+  }
+  const hash = sha256Base64url(codeVerifier);
+  return hash === challenge.challenge;
+}
+function generatePkceChallenge(codeVerifier) {
+  const challenge = sha256Base64url(codeVerifier);
+  return { challenge, method: "S256" };
+}
+var InMemoryAuthorizationStore = class {
+  codes = /* @__PURE__ */ new Map();
+  pending = /* @__PURE__ */ new Map();
+  refreshTokens = /* @__PURE__ */ new Map();
+  /** Default TTL for authorization codes (60 seconds) */
+  codeTtlMs = 60 * 1e3;
+  /** Default TTL for pending authorizations (10 minutes) */
+  pendingTtlMs = 10 * 60 * 1e3;
+  /** Default TTL for refresh tokens (30 days) */
+  refreshTtlMs = 30 * 24 * 60 * 60 * 1e3;
+  generateCode() {
+    return randomUUID().replace(/-/g, "") + randomUUID().replace(/-/g, "");
+  }
+  generateRefreshToken() {
+    return randomUUID() + "-" + randomUUID();
+  }
+  async storeAuthorizationCode(record) {
+    this.codes.set(record.code, record);
+  }
+  async getAuthorizationCode(code) {
+    const record = this.codes.get(code);
+    if (!record) return null;
+    if (Date.now() > record.expiresAt) {
+      this.codes.delete(code);
+      return null;
+    }
+    return record;
+  }
+  async markCodeUsed(code) {
+    const record = this.codes.get(code);
+    if (record) {
+      record.used = true;
+    }
+  }
+  async deleteAuthorizationCode(code) {
+    this.codes.delete(code);
+  }
+  async storePendingAuthorization(record) {
+    this.pending.set(record.id, record);
+  }
+  async getPendingAuthorization(id) {
+    const record = this.pending.get(id);
+    if (!record) return null;
+    if (Date.now() > record.expiresAt) {
+      this.pending.delete(id);
+      return null;
+    }
+    return record;
+  }
+  async deletePendingAuthorization(id) {
+    this.pending.delete(id);
+  }
+  async storeRefreshToken(record) {
+    this.refreshTokens.set(record.token, record);
+  }
+  async getRefreshToken(token) {
+    const record = this.refreshTokens.get(token);
+    if (!record) return null;
+    if (Date.now() > record.expiresAt || record.revoked) {
+      return null;
+    }
+    return record;
+  }
+  async revokeRefreshToken(token) {
+    const record = this.refreshTokens.get(token);
+    if (record) {
+      record.revoked = true;
+    }
+  }
+  async rotateRefreshToken(oldToken, newRecord) {
+    await this.revokeRefreshToken(oldToken);
+    newRecord.previousToken = oldToken;
+    await this.storeRefreshToken(newRecord);
+  }
+  async cleanup() {
+    const now = Date.now();
+    for (const [code, record] of this.codes) {
+      if (now > record.expiresAt) {
+        this.codes.delete(code);
+      }
+    }
+    for (const [id, record] of this.pending) {
+      if (now > record.expiresAt) {
+        this.pending.delete(id);
+      }
+    }
+    for (const [token, record] of this.refreshTokens) {
+      if (now > record.expiresAt || record.revoked) {
+        this.refreshTokens.delete(token);
+      }
+    }
+  }
+  /**
+   * Create an authorization code record with defaults
+   */
+  createCodeRecord(params) {
+    const now = Date.now();
+    return {
+      code: this.generateCode(),
+      clientId: params.clientId,
+      redirectUri: params.redirectUri,
+      scopes: params.scopes,
+      pkce: params.pkce,
+      userSub: params.userSub,
+      userEmail: params.userEmail,
+      userName: params.userName,
+      state: params.state,
+      resource: params.resource,
+      createdAt: now,
+      expiresAt: now + this.codeTtlMs,
+      used: false,
+      // Consent and Federated Login Data
+      selectedToolIds: params.selectedToolIds,
+      selectedProviderIds: params.selectedProviderIds,
+      skippedProviderIds: params.skippedProviderIds,
+      consentEnabled: params.consentEnabled,
+      federatedLoginUsed: params.federatedLoginUsed,
+      // Token migration ID (for federated auth)
+      pendingAuthId: params.pendingAuthId
+    };
+  }
+  /**
+   * Create a pending authorization record with defaults
+   */
+  createPendingRecord(params) {
+    const now = Date.now();
+    return {
+      id: randomUUID(),
+      clientId: params.clientId,
+      redirectUri: params.redirectUri,
+      scopes: params.scopes,
+      pkce: params.pkce,
+      state: params.state,
+      resource: params.resource,
+      createdAt: now,
+      expiresAt: now + this.pendingTtlMs,
+      // Progressive/Incremental Authorization Fields
+      isIncremental: params.isIncremental,
+      targetAppId: params.targetAppId,
+      targetToolId: params.targetToolId,
+      existingSessionId: params.existingSessionId,
+      existingAuthorizationId: params.existingAuthorizationId,
+      // Federated Login State
+      federatedLogin: params.federatedLogin,
+      // Consent State
+      consent: params.consent
+    };
+  }
+  /**
+   * Create a refresh token record with defaults
+   */
+  createRefreshTokenRecord(params) {
+    const now = Date.now();
+    return {
+      token: this.generateRefreshToken(),
+      clientId: params.clientId,
+      userSub: params.userSub,
+      scopes: params.scopes,
+      resource: params.resource,
+      createdAt: now,
+      expiresAt: now + this.refreshTtlMs,
+      revoked: false
+    };
+  }
+};
+var RedisAuthorizationStore = class {
+  constructor(redis, namespace = "oauth:") {
+    this.redis = redis;
+    this.namespace = namespace;
+  }
+  key(type, id) {
+    return `${this.namespace}${type}:${id}`;
+  }
+  generateCode() {
+    return randomUUID().replace(/-/g, "") + randomUUID().replace(/-/g, "");
+  }
+  generateRefreshToken() {
+    return randomUUID() + "-" + randomUUID();
+  }
+  async storeAuthorizationCode(record) {
+    const ttl = Math.max(Math.ceil((record.expiresAt - Date.now()) / 1e3), 1);
+    await this.redis.set(this.key("code", record.code), JSON.stringify(record), "EX", Math.max(ttl, 1));
+  }
+  async getAuthorizationCode(code) {
+    const data = await this.redis.get(this.key("code", code));
+    if (!data) return null;
+    return JSON.parse(data);
+  }
+  async markCodeUsed(code) {
+    const record = await this.getAuthorizationCode(code);
+    if (record) {
+      record.used = true;
+      const ttl = Math.ceil((record.expiresAt - Date.now()) / 1e3);
+      await this.redis.set(this.key("code", code), JSON.stringify(record), "EX", Math.max(ttl, 1));
+    }
+  }
+  async deleteAuthorizationCode(code) {
+    await this.redis.del(this.key("code", code));
+  }
+  async storePendingAuthorization(record) {
+    const ttl = Math.max(Math.ceil((record.expiresAt - Date.now()) / 1e3), 1);
+    await this.redis.set(this.key("pending", record.id), JSON.stringify(record), "EX", ttl);
+  }
+  async getPendingAuthorization(id) {
+    const data = await this.redis.get(this.key("pending", id));
+    if (!data) return null;
+    return JSON.parse(data);
+  }
+  async deletePendingAuthorization(id) {
+    await this.redis.del(this.key("pending", id));
+  }
+  async storeRefreshToken(record) {
+    const ttl = Math.ceil((record.expiresAt - Date.now()) / 1e3);
+    await this.redis.set(this.key("refresh", record.token), JSON.stringify(record), "EX", ttl);
+  }
+  async getRefreshToken(token) {
+    const data = await this.redis.get(this.key("refresh", token));
+    if (!data) return null;
+    const record = JSON.parse(data);
+    if (record.revoked) return null;
+    return record;
+  }
+  async revokeRefreshToken(token) {
+    const record = await this.getRefreshToken(token);
+    if (record) {
+      record.revoked = true;
+      const ttl = Math.ceil((record.expiresAt - Date.now()) / 1e3);
+      await this.redis.set(this.key("refresh", token), JSON.stringify(record), "EX", Math.max(ttl, 1));
+    }
+  }
+  async rotateRefreshToken(oldToken, newRecord) {
+    await this.revokeRefreshToken(oldToken);
+    newRecord.previousToken = oldToken;
+    await this.storeRefreshToken(newRecord);
+  }
+  async cleanup() {
+  }
+};
+
+// libs/auth/src/session/authorization-vault.ts
+import { z as z3 } from "zod";
+var credentialTypeSchema = z3.enum([
+  "oauth",
+  // OAuth 2.0 tokens
+  "api_key",
+  // API key (header or query param)
+  "basic",
+  // Basic auth (username:password)
+  "bearer",
+  // Bearer token (static)
+  "private_key",
+  // Private key for signing (JWT, etc.)
+  "mtls",
+  // Mutual TLS certificate
+  "custom",
+  // Custom credential type
+  "ssh_key",
+  // SSH key for authentication
+  "service_account",
+  // Cloud provider service accounts
+  "oauth_pkce"
+  // OAuth 2.0 with PKCE for public clients
+]);
+var oauthCredentialSchema = z3.object({
+  type: z3.literal("oauth"),
+  /** Access token */
+  accessToken: z3.string(),
+  /** Refresh token (optional) */
+  refreshToken: z3.string().optional(),
+  /** Token type (usually 'Bearer') */
+  tokenType: z3.string().default("Bearer"),
+  /** Token expiration timestamp (epoch ms) */
+  expiresAt: z3.number().optional(),
+  /** Granted scopes */
+  scopes: z3.array(z3.string()).default([]),
+  /** ID token for OIDC (optional) */
+  idToken: z3.string().optional()
+});
+var apiKeyCredentialSchema = z3.object({
+  type: z3.literal("api_key"),
+  /** The API key value */
+  key: z3.string().min(1),
+  /** Header name to use (e.g., 'X-API-Key', 'Authorization') */
+  headerName: z3.string().default("X-API-Key"),
+  /** Prefix for the header value (e.g., 'Bearer ', 'Api-Key ') */
+  headerPrefix: z3.string().optional(),
+  /** Alternative: send as query parameter */
+  queryParam: z3.string().optional()
+});
+var basicAuthCredentialSchema = z3.object({
+  type: z3.literal("basic"),
+  /** Username */
+  username: z3.string().min(1),
+  /** Password */
+  password: z3.string(),
+  /** Pre-computed base64 encoded value (optional, for caching) */
+  encodedValue: z3.string().optional()
+});
+var bearerCredentialSchema = z3.object({
+  type: z3.literal("bearer"),
+  /** The bearer token value */
+  token: z3.string().min(1),
+  /** Token expiration (optional, for static tokens that expire) */
+  expiresAt: z3.number().optional()
+});
+var privateKeyCredentialSchema = z3.object({
+  type: z3.literal("private_key"),
+  /** Key format */
+  format: z3.enum(["pem", "jwk", "pkcs8", "pkcs12"]),
+  /** The key data (PEM string or JWK JSON) */
+  keyData: z3.string(),
+  /** Key ID (for JWK) */
+  keyId: z3.string().optional(),
+  /** Algorithm to use for signing */
+  algorithm: z3.string().optional(),
+  /** Passphrase if key is encrypted */
+  passphrase: z3.string().optional(),
+  /** Associated certificate (for mTLS) */
+  certificate: z3.string().optional()
+});
+var mtlsCredentialSchema = z3.object({
+  type: z3.literal("mtls"),
+  /** Client certificate (PEM format) */
+  certificate: z3.string(),
+  /** Private key (PEM format) */
+  privateKey: z3.string(),
+  /** Passphrase if private key is encrypted */
+  passphrase: z3.string().optional(),
+  /** CA certificate chain (optional) */
+  caCertificate: z3.string().optional()
+});
+var customCredentialSchema = z3.object({
+  type: z3.literal("custom"),
+  /** Custom type identifier */
+  customType: z3.string().min(1),
+  /** Arbitrary credential data */
+  data: z3.record(z3.string(), z3.unknown()),
+  /** Headers to include in requests */
+  headers: z3.record(z3.string(), z3.string()).optional()
+});
+var sshKeyCredentialSchema = z3.object({
+  type: z3.literal("ssh_key"),
+  /** Private key (PEM format) */
+  privateKey: z3.string().min(1),
+  /** Public key (optional, can be derived from private key) */
+  publicKey: z3.string().optional(),
+  /** Passphrase if private key is encrypted */
+  passphrase: z3.string().optional(),
+  /** Key type */
+  keyType: z3.enum(["rsa", "ed25519", "ecdsa", "dsa"]).default("ed25519"),
+  /** Key fingerprint (SHA256 hash) */
+  fingerprint: z3.string().optional(),
+  /** Username for SSH connections */
+  username: z3.string().optional()
+});
+var serviceAccountCredentialSchema = z3.object({
+  type: z3.literal("service_account"),
+  /** Cloud provider */
+  provider: z3.enum(["gcp", "aws", "azure", "custom"]),
+  /** Raw credentials (JSON key file content, access keys, etc.) */
+  credentials: z3.record(z3.string(), z3.unknown()),
+  /** Project/Account ID */
+  projectId: z3.string().optional(),
+  /** Region for regional services */
+  region: z3.string().optional(),
+  /** AWS: Role ARN to assume */
+  assumeRoleArn: z3.string().optional(),
+  /** AWS: External ID for cross-account access */
+  externalId: z3.string().optional(),
+  /** Service account email (GCP) or ARN (AWS) */
+  serviceAccountId: z3.string().optional(),
+  /** Expiration timestamp for temporary credentials */
+  expiresAt: z3.number().optional()
+});
+var pkceOAuthCredentialSchema = z3.object({
+  type: z3.literal("oauth_pkce"),
+  /** Access token */
+  accessToken: z3.string(),
+  /** Refresh token (optional) */
+  refreshToken: z3.string().optional(),
+  /** Token type (usually 'Bearer') */
+  tokenType: z3.string().default("Bearer"),
+  /** Token expiration timestamp (epoch ms) */
+  expiresAt: z3.number().optional(),
+  /** Granted scopes */
+  scopes: z3.array(z3.string()).default([]),
+  /** ID token for OIDC (optional) */
+  idToken: z3.string().optional(),
+  /** Authorization server issuer */
+  issuer: z3.string().optional()
+});
+var credentialSchema = z3.discriminatedUnion("type", [
+  oauthCredentialSchema,
+  apiKeyCredentialSchema,
+  basicAuthCredentialSchema,
+  bearerCredentialSchema,
+  privateKeyCredentialSchema,
+  mtlsCredentialSchema,
+  customCredentialSchema,
+  sshKeyCredentialSchema,
+  serviceAccountCredentialSchema,
+  pkceOAuthCredentialSchema
+]);
+var appCredentialSchema = z3.object({
+  /** App ID this credential belongs to */
+  appId: z3.string().min(1),
+  /** Provider ID within the app (for apps with multiple auth providers) */
+  providerId: z3.string().min(1),
+  /** The credential data */
+  credential: credentialSchema,
+  /** Timestamp when credential was acquired */
+  acquiredAt: z3.number(),
+  /** Timestamp when credential was last used */
+  lastUsedAt: z3.number().optional(),
+  /** Credential expiration (if applicable) */
+  expiresAt: z3.number().optional(),
+  /** Whether this credential is currently valid */
+  isValid: z3.boolean().default(true),
+  /** Error message if credential is invalid */
+  invalidReason: z3.string().optional(),
+  /** User info associated with this credential */
+  userInfo: z3.object({
+    sub: z3.string().optional(),
+    email: z3.string().optional(),
+    name: z3.string().optional()
+  }).optional(),
+  /** Metadata for tracking/debugging */
+  metadata: z3.record(z3.string(), z3.unknown()).optional()
+});
+var vaultConsentRecordSchema = z3.object({
+  /** Whether consent was enabled */
+  enabled: z3.boolean(),
+  /** Selected tool IDs (user approved these) */
+  selectedToolIds: z3.array(z3.string()),
+  /** Available tool IDs at time of consent */
+  availableToolIds: z3.array(z3.string()),
+  /** Timestamp when consent was given */
+  consentedAt: z3.number(),
+  /** Consent version for tracking changes */
+  version: z3.string().default("1.0")
+});
+var vaultFederatedRecordSchema = z3.object({
+  /** Provider IDs that were selected */
+  selectedProviderIds: z3.array(z3.string()),
+  /** Provider IDs that were skipped (can be authorized later) */
+  skippedProviderIds: z3.array(z3.string()),
+  /** Primary provider ID */
+  primaryProviderId: z3.string().optional(),
+  /** Timestamp when federated login was completed */
+  completedAt: z3.number()
+});
+var pendingIncrementalAuthSchema = z3.object({
+  /** Unique ID for this request */
+  id: z3.string(),
+  /** App ID being authorized */
+  appId: z3.string(),
+  /** Tool ID that triggered the auth request */
+  toolId: z3.string().optional(),
+  /** Authorization URL */
+  authUrl: z3.string(),
+  /** Required scopes */
+  requiredScopes: z3.array(z3.string()).optional(),
+  /** Whether elicit is being used */
+  elicitId: z3.string().optional(),
+  /** Timestamp when request was created */
+  createdAt: z3.number(),
+  /** Expiration timestamp */
+  expiresAt: z3.number(),
+  /** Status of the request */
+  status: z3.enum(["pending", "completed", "cancelled", "expired"])
+});
+var authorizationVaultEntrySchema = z3.object({
+  /** Vault ID (maps to access token jti claim) */
+  id: z3.string(),
+  /** User subject identifier */
+  userSub: z3.string(),
+  /** User email */
+  userEmail: z3.string().optional(),
+  /** User name */
+  userName: z3.string().optional(),
+  /** Client ID that created this session */
+  clientId: z3.string(),
+  /** Creation timestamp */
+  createdAt: z3.number(),
+  /** Last access timestamp */
+  lastAccessAt: z3.number(),
+  /** App credentials (keyed by `${appId}:${providerId}`) */
+  appCredentials: z3.record(z3.string(), appCredentialSchema).default({}),
+  /** Consent record */
+  consent: vaultConsentRecordSchema.optional(),
+  /** Federated login record */
+  federated: vaultFederatedRecordSchema.optional(),
+  /** Pending incremental authorization requests */
+  pendingAuths: z3.array(pendingIncrementalAuthSchema),
+  /** Apps that are fully authorized */
+  authorizedAppIds: z3.array(z3.string()),
+  /** Apps that were skipped (not yet authorized) */
+  skippedAppIds: z3.array(z3.string())
+});
+
+// libs/auth/src/session/vault-encryption.ts
+import { z as z4 } from "zod";
+import {
+  hkdfSha256,
+  encryptAesGcm,
+  decryptAesGcm,
+  randomBytes as randomBytes3,
+  base64urlEncode,
+  base64urlDecode
+} from "@frontmcp/utils";
+var encryptedDataSchema = z4.object({
+  /** Version for future algorithm changes */
+  v: z4.literal(1),
+  /** Algorithm identifier */
+  alg: z4.literal("aes-256-gcm"),
+  /** Initialization vector (base64) */
+  iv: z4.string(),
+  /** Ciphertext (base64) */
+  ct: z4.string(),
+  /** Authentication tag (base64) */
+  tag: z4.string()
+});
+var VaultEncryption = class {
+  pepper;
+  hkdfInfo;
+  constructor(config = {}) {
+    this.pepper = new TextEncoder().encode(config.pepper ?? "");
+    this.hkdfInfo = config.hkdfInfo ?? "frontmcp-vault-v1";
+  }
+  /**
+   * Derive an encryption key from JWT claims
+   *
+   * The key derivation uses HKDF:
+   * 1. Combine jti + vaultKey + sub + iat + pepper as IKM
+   * 2. Apply HKDF-SHA256 to derive a 256-bit key
+   *
+   * @param claims - JWT claims containing key material
+   * @returns 32-byte encryption key as Uint8Array
+   */
+  async deriveKey(claims) {
+    const ikmParts = [
+      claims.jti,
+      claims.vaultKey ?? "",
+      claims.sub,
+      claims.iat.toString(),
+      new TextDecoder().decode(this.pepper)
+    ];
+    const ikm = new TextEncoder().encode(ikmParts.join(""));
+    const infoBytes = new TextEncoder().encode(this.hkdfInfo);
+    const key = await hkdfSha256(ikm, new Uint8Array(0), infoBytes, 32);
+    return key;
+  }
+  /**
+   * Derive a key directly from the raw JWT token string
+   *
+   * This is useful when you want to derive the key from the token
+   * before or without fully parsing the claims. Uses the token's
+   * signature portion as additional entropy.
+   *
+   * @param token - The raw JWT token string
+   * @param claims - Parsed JWT claims
+   * @returns 32-byte encryption key as Uint8Array
+   */
+  async deriveKeyFromToken(token, claims) {
+    const parts = token.split(".");
+    const signature = parts[2] ?? "";
+    const ikmParts = [
+      claims.jti,
+      claims.vaultKey ?? "",
+      claims.sub,
+      claims.iat.toString(),
+      signature,
+      new TextDecoder().decode(this.pepper)
+    ];
+    const ikm = new TextEncoder().encode(ikmParts.join(""));
+    const infoBytes = new TextEncoder().encode(this.hkdfInfo);
+    const key = await hkdfSha256(ikm, new Uint8Array(0), infoBytes, 32);
+    return key;
+  }
+  /**
+   * Encrypt plaintext data using AES-256-GCM
+   *
+   * @param plaintext - Data to encrypt (typically JSON string)
+   * @param key - 32-byte encryption key from deriveKey()
+   * @returns Encrypted data object (safe to store in Redis)
+   */
+  async encrypt(plaintext, key) {
+    if (key.length !== 32) {
+      throw new Error("Encryption key must be 32 bytes");
+    }
+    const iv = randomBytes3(12);
+    const { ciphertext, tag } = await encryptAesGcm(key, new TextEncoder().encode(plaintext), iv);
+    return {
+      v: 1,
+      alg: "aes-256-gcm",
+      iv: base64urlEncode(iv),
+      ct: base64urlEncode(ciphertext),
+      tag: base64urlEncode(tag)
+    };
+  }
+  /**
+   * Decrypt encrypted data using AES-256-GCM
+   *
+   * @param encrypted - Encrypted data object from encrypt()
+   * @param key - 32-byte encryption key from deriveKey()
+   * @returns Decrypted plaintext
+   * @throws Error if decryption fails (wrong key, tampered data, etc.)
+   */
+  async decrypt(encrypted, key) {
+    if (key.length !== 32) {
+      throw new Error("Encryption key must be 32 bytes");
+    }
+    const parsed = encryptedDataSchema.safeParse(encrypted);
+    if (!parsed.success) {
+      throw new Error("Invalid encrypted data format");
+    }
+    const { iv, ct, tag } = parsed.data;
+    const ivBuffer = base64urlDecode(iv);
+    const ciphertext = base64urlDecode(ct);
+    const tagBuffer = base64urlDecode(tag);
+    try {
+      const plaintext = await decryptAesGcm(key, ciphertext, ivBuffer, tagBuffer);
+      return new TextDecoder().decode(plaintext);
+    } catch (_error) {
+      throw new Error("Decryption failed: invalid key or corrupted data");
+    }
+  }
+  /**
+   * Encrypt a JavaScript object (serializes to JSON first)
+   *
+   * @param data - Object to encrypt
+   * @param key - Encryption key
+   * @returns Encrypted data
+   */
+  async encryptObject(data, key) {
+    return this.encrypt(JSON.stringify(data), key);
+  }
+  /**
+   * Decrypt and parse a JavaScript object
+   *
+   * @param encrypted - Encrypted data
+   * @param key - Encryption key
+   * @returns Decrypted and parsed object
+   */
+  async decryptObject(encrypted, key) {
+    const plaintext = await this.decrypt(encrypted, key);
+    return JSON.parse(plaintext);
+  }
+  /**
+   * Check if data is in encrypted format
+   *
+   * @param data - Data to check
+   * @returns True if data appears to be encrypted
+   */
+  isEncrypted(data) {
+    return encryptedDataSchema.safeParse(data).success;
+  }
+};
+var encryptedVaultEntrySchema = z4.object({
+  /** Vault ID (maps to JWT jti claim) */
+  id: z4.string(),
+  /** User subject identifier */
+  userSub: z4.string(),
+  /** User email (unencrypted for display) */
+  userEmail: z4.string().optional(),
+  /** User name (unencrypted for display) */
+  userName: z4.string().optional(),
+  /** Client ID that created this session */
+  clientId: z4.string(),
+  /** Creation timestamp */
+  createdAt: z4.number(),
+  /** Last access timestamp */
+  lastAccessAt: z4.number(),
+  /** Encrypted sensitive data (provider tokens, credentials, consent) */
+  encryptedData: encryptedDataSchema,
+  /** Apps that are fully authorized (unencrypted for quick lookup) */
+  authorizedAppIds: z4.array(z4.string()),
+  /** Apps that were skipped (unencrypted for quick lookup) */
+  skippedAppIds: z4.array(z4.string()),
+  /** Pending auth IDs (unencrypted for lookup, actual URLs encrypted) */
+  pendingAuthIds: z4.array(z4.string()).default([])
+});
+
+// libs/auth/src/session/token.vault.ts
+import { encryptAesGcm as encryptAesGcm2, decryptAesGcm as decryptAesGcm2, randomBytes as randomBytes4, base64urlEncode as base64urlEncode2, base64urlDecode as base64urlDecode2 } from "@frontmcp/utils";
+var TokenVault = class {
+  /** Active key used for new encryptions */
+  active;
+  /** All known keys by kid for decryption (includes active) */
+  keys = /* @__PURE__ */ new Map();
+  constructor(keys) {
+    if (!Array.isArray(keys) || keys.length === 0) {
+      throw new Error("TokenVault requires at least one key");
+    }
+    for (const k of keys) {
+      if (!(k.key instanceof Uint8Array) || k.key.length !== 32) {
+        throw new Error(`TokenVault key "${k.kid}" must be a 32-byte Uint8Array for AES-256-GCM`);
+      }
+      if (this.keys.has(k.kid)) {
+        throw new Error(`TokenVault duplicate kid: "${k.kid}"`);
+      }
+      this.keys.set(k.kid, k.key);
+    }
+    this.active = keys[0];
+  }
+  rotateTo(k) {
+    if (!(k.key instanceof Uint8Array) || k.key.length !== 32) {
+      throw new Error(`TokenVault key "${k.kid}" must be a 32-byte Uint8Array for AES-256-GCM`);
+    }
+    this.active = k;
+    this.keys.set(k.kid, k.key);
+  }
+  async encrypt(plaintext, opts) {
+    const iv = randomBytes4(12);
+    const { ciphertext, tag } = await encryptAesGcm2(this.active.key, new TextEncoder().encode(plaintext), iv);
+    return {
+      alg: "A256GCM",
+      kid: this.active.kid,
+      iv: base64urlEncode2(iv),
+      tag: base64urlEncode2(tag),
+      data: base64urlEncode2(ciphertext),
+      exp: opts?.exp,
+      meta: opts?.meta
+    };
+  }
+  async decrypt(blob) {
+    if (blob.exp !== void 0) {
+      const nowSeconds = Math.floor(Date.now() / 1e3);
+      if (nowSeconds > blob.exp) {
+        throw new Error(`vault_expired:${blob.kid}`);
+      }
+    }
+    const key = this.keys.get(blob.kid);
+    if (!key) throw new Error(`vault_unknown_kid:${blob.kid}`);
+    const iv = base64urlDecode2(blob.iv);
+    const tag = base64urlDecode2(blob.tag);
+    const data = base64urlDecode2(blob.data);
+    const plaintext = await decryptAesGcm2(key, data, iv, tag);
+    return new TextDecoder().decode(plaintext);
+  }
+};
+
+// libs/auth/src/session/index.ts
+import {
+  hkdfSha256 as hkdfSha2562,
+  encryptValue,
+  decryptValue,
+  encryptAesGcm as encryptAesGcm3,
+  decryptAesGcm as decryptAesGcm3
+} from "@frontmcp/utils";
+
+// libs/auth/src/session/utils/tiny-ttl-cache.ts
+var TinyTtlCache = class {
+  constructor(ttlMs) {
+    this.ttlMs = ttlMs;
+  }
+  map = /* @__PURE__ */ new Map();
+  get(k) {
+    const hit = this.map.get(k);
+    if (!hit) return void 0;
+    if (hit.exp < Date.now()) {
+      this.map.delete(k);
+      return void 0;
+    }
+    return hit.v;
+  }
+  set(k, v) {
+    this.map.set(k, { v, exp: Date.now() + this.ttlMs });
+  }
+  delete(k) {
+    return this.map.delete(k);
+  }
+  clear() {
+    this.map.clear();
+  }
+  size() {
+    return this.map.size;
+  }
+  /**
+   * Remove all expired entries
+   */
+  cleanup() {
+    const now = Date.now();
+    let removed = 0;
+    for (const [k, { exp }] of this.map) {
+      if (exp < now) {
+        this.map.delete(k);
+        removed++;
+      }
+    }
+    return removed;
+  }
+};
+
+// libs/auth/src/session/storage/index.ts
+import { TypedStorage as TypedStorage3 } from "@frontmcp/utils";
+import { EncryptedTypedStorage, EncryptedStorageError } from "@frontmcp/utils";
+
+// libs/auth/src/session/storage/storage-token-store.ts
+import { randomUUID as randomUUID2, TypedStorage } from "@frontmcp/utils";
+var StorageTokenStore = class {
+  storage;
+  namespace;
+  defaultTtlSeconds;
+  /** Track if original storage was namespaced to avoid double-prefixing */
+  storageIsNamespaced;
+  constructor(storage, options = {}) {
+    this.namespace = options.namespace ?? "tok";
+    this.defaultTtlSeconds = options.defaultTtlSeconds;
+    this.storageIsNamespaced = "namespace" in storage && typeof storage.namespace === "function";
+    const namespacedStorage = this.storageIsNamespaced ? storage.namespace(this.namespace) : storage;
+    this.storage = new TypedStorage(namespacedStorage);
+  }
+  /**
+   * Allocate a new unique ID for a token record.
+   */
+  allocId() {
+    return randomUUID2();
+  }
+  /**
+   * Store an encrypted token blob.
+   *
+   * TTL is calculated from blob.exp (epoch seconds) if present.
+   * Falls back to defaultTtlSeconds if configured.
+   *
+   * @param id - Token record ID
+   * @param blob - Encrypted token blob
+   */
+  async put(id, blob) {
+    const record = {
+      id,
+      blob,
+      updatedAt: Date.now()
+    };
+    const ttlSeconds = this.calculateTtl(blob.exp);
+    await this.storage.set(this.key(id), record, ttlSeconds ? { ttlSeconds } : void 0);
+  }
+  /**
+   * Retrieve a token record by ID.
+   *
+   * @param id - Token record ID
+   * @returns The secret record, or undefined if not found
+   */
+  async get(id) {
+    const record = await this.storage.get(this.key(id));
+    return record ?? void 0;
+  }
+  /**
+   * Delete a token record.
+   *
+   * @param id - Token record ID
+   */
+  async del(id) {
+    await this.storage.delete(this.key(id));
+  }
+  /**
+   * Calculate TTL in seconds from expiration timestamp.
+   *
+   * @param exp - Expiration timestamp in epoch seconds
+   * @returns TTL in seconds, or undefined if no TTL should be applied
+   */
+  calculateTtl(exp) {
+    if (exp) {
+      const nowSeconds = Math.floor(Date.now() / 1e3);
+      const ttl = exp - nowSeconds;
+      return ttl > 0 ? ttl : 1;
+    }
+    return this.defaultTtlSeconds;
+  }
+  /**
+   * Build the storage key for a token ID.
+   * For namespaced storage, the namespace is handled by the storage layer.
+   * For non-namespaced storage, includes the namespace prefix in the key.
+   */
+  key(id) {
+    return this.storageIsNamespaced ? id : `${this.namespace}:${id}`;
+  }
+};
+
+// libs/auth/src/session/storage/storage-authorization-vault.ts
+import { randomUUID as randomUUID3, TypedStorage as TypedStorage2 } from "@frontmcp/utils";
+var StorageAuthorizationVault = class {
+  storage;
+  namespace;
+  pendingAuthTtlMs;
+  constructor(storage, options = {}) {
+    this.namespace = options.namespace ?? "vault";
+    this.pendingAuthTtlMs = options.pendingAuthTtlMs ?? 10 * 60 * 1e3;
+    const namespacedStorage = this.isNamespacedStorage(storage) ? storage.namespace(this.namespace) : storage;
+    this.storage = new TypedStorage2(namespacedStorage, {
+      schema: options.validateOnRead ? authorizationVaultEntrySchema : void 0,
+      throwOnInvalid: false
+    });
+  }
+  // ============================================
+  // Core CRUD Methods
+  // ============================================
+  async create(params) {
+    const now = Date.now();
+    const entry = {
+      id: randomUUID3(),
+      userSub: params.userSub,
+      userEmail: params.userEmail,
+      userName: params.userName,
+      clientId: params.clientId,
+      createdAt: now,
+      lastAccessAt: now,
+      appCredentials: {},
+      consent: params.consent,
+      federated: params.federated,
+      pendingAuths: [],
+      authorizedAppIds: params.authorizedAppIds ?? [],
+      skippedAppIds: params.skippedAppIds ?? []
+    };
+    await this.storage.set(this.key(entry.id), entry);
+    return entry;
+  }
+  async get(id) {
+    return this.storage.get(this.key(id));
+  }
+  async update(id, updates) {
+    const entry = await this.get(id);
+    if (!entry) {
+      console.warn(`[StorageAuthorizationVault] Update failed: vault entry not found for id ${id}`);
+      return;
+    }
+    const updated = {
+      ...entry,
+      ...updates,
+      lastAccessAt: Date.now()
+    };
+    await this.storage.set(this.key(id), updated);
+  }
+  async delete(id) {
+    await this.storage.delete(this.key(id));
+  }
+  // ============================================
+  // Consent Methods
+  // ============================================
+  async updateConsent(vaultId, consent) {
+    const entry = await this.get(vaultId);
+    if (!entry) return;
+    entry.consent = consent;
+    entry.lastAccessAt = Date.now();
+    await this.storage.set(this.key(vaultId), entry);
+  }
+  // ============================================
+  // App Authorization Methods
+  // ============================================
+  async authorizeApp(vaultId, appId) {
+    const entry = await this.get(vaultId);
+    if (!entry) return;
+    entry.skippedAppIds = entry.skippedAppIds.filter((id) => id !== appId);
+    if (!entry.authorizedAppIds.includes(appId)) {
+      entry.authorizedAppIds.push(appId);
+    }
+    entry.lastAccessAt = Date.now();
+    await this.storage.set(this.key(vaultId), entry);
+  }
+  async isAppAuthorized(vaultId, appId) {
+    const entry = await this.get(vaultId);
+    if (!entry) return false;
+    return entry.authorizedAppIds.includes(appId);
+  }
+  // ============================================
+  // Pending Auth Methods
+  // ============================================
+  async createPendingAuth(vaultId, params) {
+    const entry = await this.get(vaultId);
+    if (!entry) {
+      throw new Error(`Vault not found: ${vaultId}`);
+    }
+    const now = Date.now();
+    const pendingAuth = {
+      id: randomUUID3(),
+      appId: params.appId,
+      toolId: params.toolId,
+      authUrl: params.authUrl,
+      requiredScopes: params.requiredScopes,
+      elicitId: params.elicitId,
+      createdAt: now,
+      expiresAt: now + (params.ttlMs ?? this.pendingAuthTtlMs),
+      status: "pending"
+    };
+    entry.pendingAuths.push(pendingAuth);
+    entry.lastAccessAt = now;
+    await this.storage.set(this.key(vaultId), entry);
+    return pendingAuth;
+  }
+  async getPendingAuth(vaultId, pendingAuthId) {
+    const entry = await this.get(vaultId);
+    if (!entry) return null;
+    const pendingAuth = entry.pendingAuths.find((p) => p.id === pendingAuthId);
+    if (!pendingAuth) return null;
+    if (Date.now() > pendingAuth.expiresAt && pendingAuth.status === "pending") {
+      pendingAuth.status = "expired";
+      await this.storage.set(this.key(vaultId), entry);
+    }
+    return pendingAuth;
+  }
+  async completePendingAuth(vaultId, pendingAuthId) {
+    const entry = await this.get(vaultId);
+    if (!entry) return;
+    const pendingAuth = entry.pendingAuths.find((p) => p.id === pendingAuthId);
+    if (pendingAuth) {
+      pendingAuth.status = "completed";
+      entry.skippedAppIds = entry.skippedAppIds.filter((id) => id !== pendingAuth.appId);
+      if (!entry.authorizedAppIds.includes(pendingAuth.appId)) {
+        entry.authorizedAppIds.push(pendingAuth.appId);
+      }
+      entry.lastAccessAt = Date.now();
+      await this.storage.set(this.key(vaultId), entry);
+    }
+  }
+  async cancelPendingAuth(vaultId, pendingAuthId) {
+    const entry = await this.get(vaultId);
+    if (!entry) return;
+    const pendingAuth = entry.pendingAuths.find((p) => p.id === pendingAuthId);
+    if (pendingAuth) {
+      pendingAuth.status = "cancelled";
+      await this.storage.set(this.key(vaultId), entry);
+    }
+  }
+  async getPendingAuths(vaultId) {
+    const entry = await this.get(vaultId);
+    if (!entry) return [];
+    const now = Date.now();
+    let updated = false;
+    const pending = entry.pendingAuths.filter((p) => {
+      if (now > p.expiresAt && p.status === "pending") {
+        p.status = "expired";
+        updated = true;
+      }
+      return p.status === "pending";
+    });
+    if (updated) {
+      await this.storage.set(this.key(vaultId), entry);
+    }
+    return pending;
+  }
+  // ============================================
+  // App Credential Methods
+  // ============================================
+  credentialKey(appId, providerId) {
+    return `${appId}:${providerId}`;
+  }
+  async addAppCredential(vaultId, credential) {
+    const entry = await this.get(vaultId);
+    if (!entry) return;
+    const shouldStore = await this.shouldStoreCredential(vaultId, credential.appId);
+    if (!shouldStore) {
+      return;
+    }
+    const key = this.credentialKey(credential.appId, credential.providerId);
+    entry.appCredentials[key] = credential;
+    entry.lastAccessAt = Date.now();
+    await this.storage.set(this.key(vaultId), entry);
+  }
+  async removeAppCredential(vaultId, appId, providerId) {
+    const entry = await this.get(vaultId);
+    if (!entry) return;
+    const key = this.credentialKey(appId, providerId);
+    delete entry.appCredentials[key];
+    entry.lastAccessAt = Date.now();
+    await this.storage.set(this.key(vaultId), entry);
+  }
+  async getAppCredentials(vaultId, appId) {
+    const entry = await this.get(vaultId);
+    if (!entry) return [];
+    const prefix = `${appId}:`;
+    return Object.entries(entry.appCredentials).filter(([key]) => key.startsWith(prefix)).map(([, cred]) => cred);
+  }
+  async getCredential(vaultId, appId, providerId) {
+    const entry = await this.get(vaultId);
+    if (!entry) return null;
+    const key = this.credentialKey(appId, providerId);
+    return entry.appCredentials[key] ?? null;
+  }
+  async getAllCredentials(vaultId, filterByConsent = false) {
+    const entry = await this.get(vaultId);
+    if (!entry) return [];
+    const allCredentials = Object.values(entry.appCredentials);
+    if (!filterByConsent || !entry.consent?.enabled) {
+      return allCredentials;
+    }
+    const consentedToolIds = new Set(entry.consent.selectedToolIds);
+    return allCredentials.filter((cred) => {
+      return Array.from(consentedToolIds).some((toolId) => toolId.startsWith(`${cred.appId}:`));
+    });
+  }
+  async updateCredential(vaultId, appId, providerId, updates) {
+    const entry = await this.get(vaultId);
+    if (!entry) return;
+    const key = this.credentialKey(appId, providerId);
+    const credential = entry.appCredentials[key];
+    if (!credential) return;
+    Object.assign(credential, updates);
+    entry.lastAccessAt = Date.now();
+    await this.storage.set(this.key(vaultId), entry);
+  }
+  async shouldStoreCredential(vaultId, appId, toolIds) {
+    const entry = await this.get(vaultId);
+    if (!entry) return false;
+    const consent = entry.consent;
+    if (!consent?.enabled) {
+      return true;
+    }
+    if (toolIds && toolIds.length > 0) {
+      return toolIds.some((toolId) => consent.selectedToolIds.includes(toolId));
+    }
+    const consentedToolIds = consent.selectedToolIds;
+    return consentedToolIds.some((toolId) => toolId.startsWith(`${appId}:`));
+  }
+  async invalidateCredential(vaultId, appId, providerId, reason) {
+    await this.updateCredential(vaultId, appId, providerId, {
+      isValid: false,
+      invalidReason: reason
+    });
+  }
+  async refreshOAuthCredential(vaultId, appId, providerId, tokens) {
+    const entry = await this.get(vaultId);
+    if (!entry) return;
+    const key = this.credentialKey(appId, providerId);
+    const credential = entry.appCredentials[key];
+    if (!credential || credential.credential.type !== "oauth" && credential.credential.type !== "oauth_pkce") return;
+    credential.credential.accessToken = tokens.accessToken;
+    if (tokens.refreshToken !== void 0) {
+      credential.credential.refreshToken = tokens.refreshToken;
+    }
+    if (tokens.expiresAt !== void 0) {
+      credential.credential.expiresAt = tokens.expiresAt;
+      credential.expiresAt = tokens.expiresAt;
+    }
+    credential.isValid = true;
+    credential.invalidReason = void 0;
+    entry.lastAccessAt = Date.now();
+    await this.storage.set(this.key(vaultId), entry);
+  }
+  // ============================================
+  // Cleanup
+  // ============================================
+  async cleanup() {
+    const keys = await this.storage.keys("*");
+    const now = Date.now();
+    for (const key of keys) {
+      const entry = await this.storage.get(key);
+      if (!entry) continue;
+      const originalLength = entry.pendingAuths.length;
+      entry.pendingAuths = entry.pendingAuths.filter((p) => {
+        if (now > p.expiresAt && p.status === "pending") {
+          p.status = "expired";
+        }
+        return p.status === "pending";
+      });
+      if (entry.pendingAuths.length !== originalLength) {
+        await this.storage.set(key, entry);
+      }
+    }
+  }
+  // ============================================
+  // Helpers
+  // ============================================
+  /**
+   * Build the storage key for a vault ID.
+   * For non-namespaced storage, includes the namespace prefix.
+   */
+  key(id) {
+    return this.isNamespacedStorage(this.storage.raw) ? id : `${this.namespace}:${id}`;
+  }
+  /**
+   * Type guard to check if storage is a NamespacedStorage.
+   */
+  isNamespacedStorage(storage) {
+    return "namespace" in storage && typeof storage.namespace === "function";
+  }
+};
+
+// libs/auth/src/session/storage/in-memory-authorization-vault.ts
+import { MemoryStorageAdapter } from "@frontmcp/utils";
+var InMemoryAuthorizationVault = class extends StorageAuthorizationVault {
+  memoryAdapter;
+  constructor(options = {}) {
+    const memoryAdapter = new MemoryStorageAdapter();
+    super(memoryAdapter, {
+      namespace: options.namespace ?? "vault",
+      pendingAuthTtlMs: options.pendingAuthTtlMs
+    });
+    this.memoryAdapter = memoryAdapter;
+    void this.memoryAdapter.connect();
+  }
+  /**
+   * Clear all stored data.
+   * Useful for testing.
+   */
+  async clear() {
+    const keys = await this.memoryAdapter.keys("*");
+    for (const key of keys) {
+      await this.memoryAdapter.delete(key);
+    }
+  }
+};
+
+// libs/auth/src/authorization/authorization.types.ts
+import { z as z5 } from "zod";
+var authModeSchema = z5.enum(["public", "transparent", "orchestrated"]);
+var authUserSchema = z5.object({
+  sub: z5.string(),
+  name: z5.string().optional(),
+  email: z5.string().email().optional(),
+  picture: z5.string().url().optional(),
+  anonymous: z5.boolean().optional()
+});
+var authorizedToolSchema = z5.object({
+  executionPath: z5.tuple([z5.string(), z5.string()]),
+  scopes: z5.array(z5.string()).optional(),
+  details: z5.record(z5.string(), z5.unknown()).optional()
+});
+var authorizedPromptSchema = z5.object({
+  executionPath: z5.tuple([z5.string(), z5.string()]),
+  scopes: z5.array(z5.string()).optional(),
+  details: z5.record(z5.string(), z5.unknown()).optional()
+});
+var llmSafeAuthContextSchema = z5.object({
+  authorizationId: z5.string(),
+  sessionId: z5.string(),
+  mode: authModeSchema,
+  isAnonymous: z5.boolean(),
+  user: z5.object({
+    sub: z5.string(),
+    name: z5.string().optional()
+  }),
+  scopes: z5.array(z5.string()),
+  authorizedToolIds: z5.array(z5.string()),
+  authorizedPromptIds: z5.array(z5.string())
+});
+var AppAuthState = /* @__PURE__ */ ((AppAuthState2) => {
+  AppAuthState2["AUTHORIZED"] = "authorized";
+  AppAuthState2["SKIPPED"] = "skipped";
+  AppAuthState2["PENDING"] = "pending";
+  return AppAuthState2;
+})(AppAuthState || {});
+var appAuthStateSchema = z5.nativeEnum(AppAuthState);
+var appAuthorizationRecordSchema = z5.object({
+  appId: z5.string(),
+  state: appAuthStateSchema,
+  stateChangedAt: z5.number(),
+  grantedScopes: z5.array(z5.string()).optional(),
+  authProviderId: z5.string().optional(),
+  toolIds: z5.array(z5.string())
+});
+var progressiveAuthStateSchema = z5.object({
+  apps: z5.record(z5.string(), appAuthorizationRecordSchema),
+  initiallyAuthorized: z5.array(z5.string()),
+  initiallySkipped: z5.array(z5.string())
+});
+
+// libs/auth/src/utils/www-authenticate.utils.ts
+function buildWwwAuthenticate(options = {}) {
+  const parts = ["Bearer"];
+  const params = [];
+  if (options.resourceMetadataUrl) {
+    params.push(`resource_metadata="${escapeQuotedString(options.resourceMetadataUrl)}"`);
+  }
+  if (options.realm) {
+    params.push(`realm="${escapeQuotedString(options.realm)}"`);
+  }
+  if (options.error) {
+    params.push(`error="${options.error}"`);
+  }
+  if (options.errorDescription) {
+    params.push(`error_description="${escapeQuotedString(options.errorDescription)}"`);
+  }
+  if (options.errorUri) {
+    params.push(`error_uri="${escapeQuotedString(options.errorUri)}"`);
+  }
+  if (options.scope) {
+    const scopeValue = Array.isArray(options.scope) ? options.scope.join(" ") : options.scope;
+    params.push(`scope="${escapeQuotedString(scopeValue)}"`);
+  }
+  if (params.length > 0) {
+    parts.push(params.join(", "));
+  }
+  return parts.join(" ");
+}
+function buildPrmUrl(baseUrl, entryPath, routeBase) {
+  const normalizedEntry = normalizePathSegment(entryPath);
+  const normalizedRoute = normalizePathSegment(routeBase);
+  return `${baseUrl}/.well-known/oauth-protected-resource${normalizedEntry}${normalizedRoute}`;
+}
+function buildUnauthorizedHeader(prmUrl) {
+  return buildWwwAuthenticate({
+    resourceMetadataUrl: prmUrl
+  });
+}
+function buildInvalidTokenHeader(prmUrl, description) {
+  return buildWwwAuthenticate({
+    resourceMetadataUrl: prmUrl,
+    error: "invalid_token",
+    errorDescription: description ?? "The access token is invalid or expired"
+  });
+}
+function buildInsufficientScopeHeader(prmUrl, requiredScopes, description) {
+  return buildWwwAuthenticate({
+    resourceMetadataUrl: prmUrl,
+    error: "insufficient_scope",
+    scope: requiredScopes,
+    errorDescription: description ?? "The request requires higher privileges"
+  });
+}
+function buildInvalidRequestHeader(prmUrl, description) {
+  return buildWwwAuthenticate({
+    resourceMetadataUrl: prmUrl,
+    error: "invalid_request",
+    errorDescription: description ?? "The request is missing required parameters"
+  });
+}
+function parseWwwAuthenticate(header) {
+  const result = {};
+  if (!header.toLowerCase().startsWith("bearer")) {
+    return result;
+  }
+  const paramString = header.substring(6).trim();
+  const paramRegex = /(\w+)="([^"\\]*(?:\\.[^"\\]*)*)"/g;
+  let match;
+  while ((match = paramRegex.exec(paramString)) !== null) {
+    const [, key, value] = match;
+    const unescapedValue = unescapeQuotedString(value);
+    switch (key.toLowerCase()) {
+      case "resource_metadata":
+        result.resourceMetadataUrl = unescapedValue;
+        break;
+      case "realm":
+        result.realm = unescapedValue;
+        break;
+      case "error":
+        result.error = unescapedValue;
+        break;
+      case "error_description":
+        result.errorDescription = unescapedValue;
+        break;
+      case "error_uri":
+        result.errorUri = unescapedValue;
+        break;
+      case "scope":
+        result.scope = unescapedValue;
+        break;
+    }
+  }
+  return result;
+}
+function escapeQuotedString(value) {
+  return value.replace(/\\/g, "\\\\").replace(/"/g, '\\"');
+}
+function unescapeQuotedString(value) {
+  return value.replace(/\\(.)/g, "$1");
+}
+function normalizePathSegment(path2) {
+  if (!path2 || path2 === "/") return "";
+  const normalized = path2.startsWith("/") ? path2 : `/${path2}`;
+  return normalized.replace(/\/+$/, "");
+}
+
+// libs/auth/src/utils/audience.validator.ts
+function validateAudience(tokenAudience, options) {
+  const { expectedAudiences, allowNoAudience = false, caseSensitive = true, allowWildcards = false } = options;
+  if (tokenAudience === void 0 || tokenAudience === null) {
+    if (allowNoAudience) {
+      return { valid: true };
+    }
+    return {
+      valid: false,
+      error: "Token is missing audience claim"
+    };
+  }
+  if (expectedAudiences.length === 0) {
+    return {
+      valid: false,
+      error: "No expected audiences configured - cannot validate token"
+    };
+  }
+  const tokenAuds = Array.isArray(tokenAudience) ? tokenAudience : [tokenAudience];
+  for (const tokenAud of tokenAuds) {
+    for (const expectedAud of expectedAudiences) {
+      if (matchesAudience(tokenAud, expectedAud, caseSensitive, allowWildcards)) {
+        return { valid: true, matchedAudience: tokenAud };
+      }
+    }
+  }
+  return {
+    valid: false,
+    error: `Token audience does not match expected audiences. Got: ${tokenAuds.join(
+      ", "
+    )}. Expected one of: ${expectedAudiences.join(", ")}`
+  };
+}
+function matchesAudience(tokenAud, expectedAud, caseSensitive, allowWildcards) {
+  if (caseSensitive) {
+    if (tokenAud === expectedAud) return true;
+  } else {
+    if (tokenAud.toLowerCase() === expectedAud.toLowerCase()) return true;
+  }
+  if (allowWildcards && expectedAud.includes("*")) {
+    const wildcardCount = (expectedAud.match(/\*/g) || []).length;
+    if (wildcardCount > 2) {
+      return false;
+    }
+    const pattern = expectedAud.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, "[^.]*");
+    const regex = new RegExp(`^${pattern}$`, caseSensitive ? "" : "i");
+    if (regex.test(tokenAud)) return true;
+  }
+  return false;
+}
+function createAudienceValidator(options) {
+  return (audience) => validateAudience(audience, options);
+}
+function deriveExpectedAudience(resourceUrl) {
+  const audiences = [];
+  try {
+    const url = new URL(resourceUrl);
+    audiences.push(resourceUrl.replace(/\/$/, ""));
+    if (url.pathname !== "/" && url.pathname !== "") {
+      audiences.push(url.origin);
+    }
+    audiences.push(url.host);
+  } catch {
+    audiences.push(resourceUrl);
+  }
+  return audiences;
+}
+var AudienceValidator = class _AudienceValidator {
+  options;
+  constructor(options = {}) {
+    this.options = {
+      expectedAudiences: [...options.expectedAudiences ?? []],
+      allowNoAudience: options.allowNoAudience ?? false,
+      caseSensitive: options.caseSensitive ?? true,
+      allowWildcards: options.allowWildcards ?? false
+    };
+  }
+  /**
+   * Validate an audience claim
+   */
+  validate(audience) {
+    return validateAudience(audience, this.options);
+  }
+  /**
+   * Add expected audiences
+   */
+  addAudiences(...audiences) {
+    this.options.expectedAudiences.push(...audiences);
+  }
+  /**
+   * Set expected audiences (replace existing)
+   */
+  setAudiences(audiences) {
+    this.options.expectedAudiences = audiences;
+  }
+  /**
+   * Create validator from resource URL
+   */
+  static fromResourceUrl(resourceUrl, options = {}) {
+    return new _AudienceValidator({
+      ...options,
+      expectedAudiences: deriveExpectedAudience(resourceUrl)
+    });
+  }
+};
+
+// libs/auth/src/vault/auth-providers.types.ts
+import { z as z6 } from "zod";
+var credentialScopeSchema = z6.enum(["global", "user", "session"]);
+var loadingStrategySchema = z6.enum(["eager", "lazy"]);
+var getCredentialOptionsSchema = z6.object({
+  forceRefresh: z6.boolean().optional(),
+  scopes: z6.array(z6.string()).optional(),
+  timeout: z6.number().positive().optional()
+}).strict();
+var credentialProviderConfigSchema = z6.object({
+  name: z6.string().min(1),
+  description: z6.string().optional(),
+  scope: credentialScopeSchema,
+  loading: loadingStrategySchema,
+  cacheTtl: z6.number().nonnegative().optional(),
+  // Functions validated at runtime, not via Zod (Zod 4 compatibility)
+  factory: z6.any(),
+  refresh: z6.any().optional(),
+  toHeaders: z6.any().optional(),
+  metadata: z6.record(z6.string(), z6.unknown()).optional(),
+  required: z6.boolean().optional()
+}).strict();
+var authProviderMappingSchema = z6.union([
+  z6.string(),
+  z6.object({
+    name: z6.string().min(1),
+    required: z6.boolean().optional().default(true),
+    scopes: z6.array(z6.string()).optional(),
+    alias: z6.string().optional()
+  }).strict()
+]);
+var authProvidersVaultOptionsSchema = z6.object({
+  enabled: z6.boolean().optional(),
+  useSharedStorage: z6.boolean().optional().default(true),
+  namespace: z6.string().optional().default("authproviders:"),
+  defaultCacheTtl: z6.number().nonnegative().optional().default(36e5),
+  maxCredentialsPerSession: z6.number().positive().optional().default(100),
+  providers: z6.array(credentialProviderConfigSchema).optional()
+}).strict();
+
+// libs/auth/src/vault/credential-helpers.ts
+function extractCredentialExpiry(credential) {
+  switch (credential.type) {
+    case "oauth":
+    case "oauth_pkce":
+    case "bearer":
+    case "service_account":
+      return credential.expiresAt;
+    default:
+      return void 0;
+  }
+}
+
+// libs/auth/src/vault/credential-cache.ts
+var CredentialCache = class {
+  cache = /* @__PURE__ */ new Map();
+  maxSize;
+  stats = { hits: 0, misses: 0, evictions: 0, size: 0 };
+  constructor(maxSize = 100) {
+    this.maxSize = maxSize;
+  }
+  /**
+   * Get a cached credential
+   *
+   * @param providerId - Provider name
+   * @returns Resolved credential or undefined if not cached or expired
+   */
+  get(providerId) {
+    const entry = this.cache.get(providerId);
+    if (!entry) {
+      this.stats.misses++;
+      return void 0;
+    }
+    if (this.isExpired(entry)) {
+      this.cache.delete(providerId);
+      this.stats.size = this.cache.size;
+      this.stats.misses++;
+      this.stats.evictions++;
+      return void 0;
+    }
+    if (entry.resolved.expiresAt && Date.now() >= entry.resolved.expiresAt) {
+      this.cache.delete(providerId);
+      this.stats.size = this.cache.size;
+      this.stats.misses++;
+      this.stats.evictions++;
+      return void 0;
+    }
+    this.stats.hits++;
+    return entry.resolved;
+  }
+  /**
+   * Cache a resolved credential
+   *
+   * @param providerId - Provider name
+   * @param resolved - Resolved credential to cache
+   * @param ttl - TTL in milliseconds (0 = no TTL, rely on credential expiry)
+   */
+  set(providerId, resolved, ttl = 0) {
+    if (this.cache.size >= this.maxSize && !this.cache.has(providerId)) {
+      this.evictOldest();
+    }
+    const entry = {
+      resolved,
+      cachedAt: Date.now(),
+      ttl
+    };
+    this.cache.set(providerId, entry);
+    this.stats.size = this.cache.size;
+  }
+  /**
+   * Check if a credential is cached and valid
+   *
+   * @param providerId - Provider name
+   * @returns true if cached and not expired
+   */
+  has(providerId) {
+    const entry = this.cache.get(providerId);
+    if (!entry) return false;
+    if (this.isExpired(entry)) {
+      this.cache.delete(providerId);
+      this.stats.size = this.cache.size;
+      this.stats.evictions++;
+      return false;
+    }
+    return true;
+  }
+  /**
+   * Invalidate (remove) a cached credential
+   *
+   * @param providerId - Provider name to invalidate
+   * @returns true if credential was removed
+   */
+  invalidate(providerId) {
+    const deleted = this.cache.delete(providerId);
+    if (deleted) {
+      this.stats.size = this.cache.size;
+    }
+    return deleted;
+  }
+  /**
+   * Invalidate all cached credentials
+   */
+  invalidateAll() {
+    this.cache.clear();
+    this.stats.size = 0;
+  }
+  /**
+   * Invalidate credentials by scope
+   *
+   * @param scope - Credential scope to invalidate
+   */
+  invalidateByScope(scope) {
+    for (const [key, entry] of this.cache) {
+      if (entry.resolved.scope === scope) {
+        this.cache.delete(key);
+      }
+    }
+    this.stats.size = this.cache.size;
+  }
+  /**
+   * Get all cached provider IDs
+   */
+  keys() {
+    this.cleanup();
+    return [...this.cache.keys()];
+  }
+  /**
+   * Get cache size
+   */
+  get size() {
+    return this.cache.size;
+  }
+  /**
+   * Get cache statistics
+   */
+  getStats() {
+    return { ...this.stats };
+  }
+  /**
+   * Reset cache statistics
+   */
+  resetStats() {
+    this.stats = { hits: 0, misses: 0, evictions: 0, size: this.cache.size };
+  }
+  /**
+   * Clean up expired entries
+   */
+  cleanup() {
+    const now = Date.now();
+    for (const [key, entry] of this.cache) {
+      if (this.isExpiredAt(entry, now)) {
+        this.cache.delete(key);
+        this.stats.evictions++;
+      }
+    }
+    this.stats.size = this.cache.size;
+  }
+  /**
+   * Check if entry is expired based on TTL
+   */
+  isExpired(entry) {
+    return this.isExpiredAt(entry, Date.now());
+  }
+  /**
+   * Check if entry is expired at a given timestamp
+   */
+  isExpiredAt(entry, now) {
+    if (entry.ttl > 0 && now - entry.cachedAt >= entry.ttl) {
+      return true;
+    }
+    if (entry.resolved.expiresAt && now >= entry.resolved.expiresAt) {
+      return true;
+    }
+    if (!entry.resolved.isValid) {
+      return true;
+    }
+    return false;
+  }
+  /**
+   * Evict the oldest entry from cache
+   */
+  evictOldest() {
+    let oldestKey;
+    let oldestTime = Infinity;
+    for (const [key, entry] of this.cache) {
+      if (entry.cachedAt < oldestTime) {
+        oldestTime = entry.cachedAt;
+        oldestKey = key;
+      }
+    }
+    if (oldestKey) {
+      this.cache.delete(oldestKey);
+      this.stats.evictions++;
+      this.stats.size = this.cache.size;
+    }
+  }
+};
+
+// libs/auth/src/cimd/cimd.logger.ts
+var noopLogger = {
+  child: () => noopLogger,
+  debug: () => {
+  },
+  info: () => {
+  },
+  warn: () => {
+  },
+  error: () => {
+  }
+};
+
+// libs/auth/src/cimd/cimd.types.ts
+import { z as z7 } from "zod";
+var clientMetadataDocumentSchema = z7.object({
+  // REQUIRED per CIMD spec
+  /**
+   * Client identifier - MUST match the URL from which this document was fetched.
+   */
+  client_id: z7.string().url(),
+  /**
+   * Human-readable name of the client.
+   */
+  client_name: z7.string().min(1),
+  /**
+   * Array of redirect URIs for authorization responses.
+   * At least one is required.
+   */
+  redirect_uris: z7.array(z7.string().url()).min(1),
+  // OPTIONAL per RFC 7591
+  /**
+   * Token endpoint authentication method.
+   * @default 'none'
+   */
+  token_endpoint_auth_method: z7.enum(["none", "client_secret_basic", "client_secret_post", "private_key_jwt"]).default("none"),
+  /**
+   * OAuth grant types the client can use.
+   * @default ['authorization_code']
+   */
+  grant_types: z7.array(z7.string()).default(["authorization_code"]),
+  /**
+   * OAuth response types the client can request.
+   * @default ['code']
+   */
+  response_types: z7.array(z7.string()).default(["code"]),
+  /**
+   * URL of the client's home page.
+   */
+  client_uri: z7.string().url().optional(),
+  /**
+   * URL of the client's logo image.
+   */
+  logo_uri: z7.string().url().optional(),
+  /**
+   * URL of the client's JWKS (for private_key_jwt).
+   */
+  jwks_uri: z7.string().url().optional(),
+  /**
+   * Inline JWKS (for private_key_jwt).
+   */
+  jwks: z7.object({
+    keys: z7.array(z7.record(z7.string(), z7.unknown()))
+  }).optional(),
+  /**
+   * URL of the client's terms of service.
+   */
+  tos_uri: z7.string().url().optional(),
+  /**
+   * URL of the client's privacy policy.
+   */
+  policy_uri: z7.string().url().optional(),
+  /**
+   * Requested OAuth scopes.
+   */
+  scope: z7.string().optional(),
+  /**
+   * Array of contact emails for the client.
+   */
+  contacts: z7.array(z7.string().email()).optional(),
+  /**
+   * Software statement (signed JWT).
+   */
+  software_statement: z7.string().optional(),
+  /**
+   * Unique identifier for the client software.
+   */
+  software_id: z7.string().optional(),
+  /**
+   * Version of the client software.
+   */
+  software_version: z7.string().optional()
+});
+var cimdRedisCacheConfigSchema = z7.object({
+  /**
+   * Redis connection URL.
+   * e.g., "redis://user:pass@host:6379/0"
+   */
+  url: z7.string().optional(),
+  /**
+   * Redis host.
+   */
+  host: z7.string().optional(),
+  /**
+   * Redis port.
+   * @default 6379
+   */
+  port: z7.number().optional(),
+  /**
+   * Redis password.
+   */
+  password: z7.string().optional(),
+  /**
+   * Redis database number.
+   * @default 0
+   */
+  db: z7.number().optional(),
+  /**
+   * Enable TLS for Redis connection.
+   * @default false
+   */
+  tls: z7.boolean().optional(),
+  /**
+   * Key prefix for CIMD cache entries.
+   * @default 'cimd:'
+   */
+  keyPrefix: z7.string().default("cimd:")
+});
+var cimdCacheConfigSchema = z7.object({
+  /**
+   * Cache storage type.
+   * - 'memory': In-memory cache (default, suitable for dev/single-instance)
+   * - 'redis': Redis-backed cache (for production/distributed deployments)
+   * @default 'memory'
+   */
+  type: z7.enum(["memory", "redis"]).default("memory"),
+  /**
+   * Default TTL for cached metadata documents.
+   * @default 3600000 (1 hour)
+   */
+  defaultTtlMs: z7.number().min(0).default(36e5),
+  /**
+   * Maximum TTL (even if server suggests longer).
+   * @default 86400000 (24 hours)
+   */
+  maxTtlMs: z7.number().min(0).default(864e5),
+  /**
+   * Minimum TTL (even if server suggests shorter).
+   * @default 60000 (1 minute)
+   */
+  minTtlMs: z7.number().min(0).default(6e4),
+  /**
+   * Redis configuration (required when type is 'redis').
+   */
+  redis: cimdRedisCacheConfigSchema.optional()
+});
+var cimdSecurityConfigSchema = z7.object({
+  /**
+   * Block fetching from private/internal IP addresses (SSRF protection).
+   * @default true
+   */
+  blockPrivateIPs: z7.boolean().default(true),
+  /**
+   * Explicit list of allowed domains.
+   * If set, only these domains can host CIMD documents.
+   */
+  allowedDomains: z7.array(z7.string()).optional(),
+  /**
+   * Explicit list of blocked domains.
+   * These domains cannot host CIMD documents.
+   */
+  blockedDomains: z7.array(z7.string()).optional(),
+  /**
+   * Warn when a client has only localhost redirect URIs.
+   * @default true
+   */
+  warnOnLocalhostRedirects: z7.boolean().default(true),
+  /**
+   * Allow HTTP (instead of HTTPS) for localhost CIMD URLs.
+   *
+   * **WARNING: This is for testing purposes only. Never enable in production!**
+   *
+   * When enabled, permits HTTP URLs for localhost CIMD client IDs during testing.
+   * The CIMD spec requires HTTPS, but e2e test servers typically use HTTP.
+   *
+   * @default false
+   */
+  allowInsecureForTesting: z7.boolean().default(false)
+});
+var cimdNetworkConfigSchema = z7.object({
+  /**
+   * Request timeout in milliseconds.
+   * @default 5000 (5 seconds)
+   */
+  timeoutMs: z7.number().min(100).default(5e3),
+  /**
+   * Maximum response body size in bytes.
+   * @default 65536 (64KB)
+   */
+  maxResponseSizeBytes: z7.number().min(1024).default(65536),
+  /**
+   * Redirect handling policy for CIMD fetches.
+   * - 'deny': reject redirects (default, safest)
+   * - 'same-origin': allow redirects only to the same origin
+   * - 'allow': allow redirects to any origin
+   * @default 'deny'
+   */
+  redirectPolicy: z7.enum(["deny", "same-origin", "allow"]).default("deny"),
+  /**
+   * Maximum number of redirects to follow when redirects are allowed.
+   * @default 5
+   */
+  maxRedirects: z7.number().int().min(0).default(5)
+});
+var cimdConfigSchema = z7.object({
+  /**
+   * Enable CIMD support.
+   * @default true
+   */
+  enabled: z7.boolean().default(true),
+  /**
+   * Cache configuration.
+   */
+  cache: cimdCacheConfigSchema.optional(),
+  /**
+   * Security configuration.
+   */
+  security: cimdSecurityConfigSchema.optional(),
+  /**
+   * Network configuration.
+   */
+  network: cimdNetworkConfigSchema.optional()
+});
+
+// libs/auth/src/cimd/cimd.errors.ts
+var CimdError = class extends Error {
+  /**
+   * Error code for machine-readable identification.
+   */
+  code;
+  /**
+   * HTTP status code to return when this error occurs.
+   */
+  statusCode;
+  /**
+   * The client_id URL that caused the error.
+   */
+  clientIdUrl;
+  constructor(message, code, statusCode, clientIdUrl) {
+    super(message);
+    this.name = this.constructor.name;
+    this.code = code;
+    this.statusCode = statusCode;
+    this.clientIdUrl = clientIdUrl;
+    if (Error.captureStackTrace) {
+      Error.captureStackTrace(this, this.constructor);
+    }
+  }
+  /**
+   * Get a message safe to return to clients.
+   * Override in subclasses to provide user-friendly messages.
+   */
+  getPublicMessage() {
+    return this.message;
+  }
+};
+var InvalidClientIdUrlError = class extends CimdError {
+  reason;
+  constructor(clientIdUrl, reason) {
+    super(`Invalid CIMD client_id URL: ${reason}`, "INVALID_CLIENT_ID_URL", 400, clientIdUrl);
+    this.reason = reason;
+  }
+  getPublicMessage() {
+    return `Invalid client_id URL: ${this.reason}`;
+  }
+};
+var CimdFetchError = class extends CimdError {
+  httpStatus;
+  originalError;
+  constructor(clientIdUrl, message, options) {
+    super(`Failed to fetch CIMD document from ${clientIdUrl}: ${message}`, "CIMD_FETCH_ERROR", 502, clientIdUrl);
+    this.httpStatus = options?.httpStatus;
+    this.originalError = options?.originalError;
+  }
+  getPublicMessage() {
+    if (this.httpStatus) {
+      return `Failed to fetch client metadata: HTTP ${this.httpStatus}`;
+    }
+    return "Failed to fetch client metadata document";
+  }
+};
+var CimdValidationError = class extends CimdError {
+  validationErrors;
+  constructor(clientIdUrl, errors) {
+    super(`CIMD document validation failed: ${errors.join("; ")}`, "CIMD_VALIDATION_ERROR", 400, clientIdUrl);
+    this.validationErrors = errors;
+  }
+  getPublicMessage() {
+    return `Client metadata document validation failed: ${this.validationErrors.join("; ")}`;
+  }
+};
+var CimdClientIdMismatchError = class extends CimdError {
+  documentClientId;
+  constructor(urlClientId, documentClientId) {
+    super(
+      `CIMD client_id mismatch: URL is "${urlClientId}" but document contains "${documentClientId}"`,
+      "CIMD_CLIENT_ID_MISMATCH",
+      400,
+      urlClientId
+    );
+    this.documentClientId = documentClientId;
+  }
+  getPublicMessage() {
+    return "Client ID in metadata document does not match the request";
+  }
+};
+var CimdSecurityError = class extends CimdError {
+  securityReason;
+  constructor(clientIdUrl, reason) {
+    super(`CIMD security check failed for ${clientIdUrl}: ${reason}`, "CIMD_SECURITY_ERROR", 403, clientIdUrl);
+    this.securityReason = reason;
+  }
+  getPublicMessage() {
+    return "Client ID URL is not allowed by security policy";
+  }
+};
+var RedirectUriMismatchError = class extends CimdError {
+  requestedRedirectUri;
+  allowedRedirectUris;
+  constructor(clientIdUrl, requestedRedirectUri, allowedRedirectUris) {
+    super(
+      `Redirect URI "${requestedRedirectUri}" is not registered for client "${clientIdUrl}"`,
+      "REDIRECT_URI_MISMATCH",
+      400,
+      clientIdUrl
+    );
+    this.requestedRedirectUri = requestedRedirectUri;
+    this.allowedRedirectUris = allowedRedirectUris;
+  }
+  getPublicMessage() {
+    return "The redirect_uri is not registered for this client";
+  }
+};
+var CimdResponseTooLargeError = class extends CimdError {
+  maxBytes;
+  actualBytes;
+  constructor(clientIdUrl, maxBytes, actualBytes) {
+    super(
+      `CIMD response from ${clientIdUrl} exceeds maximum size of ${maxBytes} bytes${actualBytes ? ` (received ${actualBytes} bytes)` : ""}`,
+      "CIMD_RESPONSE_TOO_LARGE",
+      502,
+      clientIdUrl
+    );
+    this.maxBytes = maxBytes;
+    this.actualBytes = actualBytes;
+  }
+  getPublicMessage() {
+    return "Client metadata document is too large";
+  }
+};
+var CimdDisabledError = class extends CimdError {
+  constructor() {
+    super("CIMD (Client ID Metadata Documents) is disabled on this server", "CIMD_DISABLED", 400);
+  }
+};
+
+// libs/auth/src/cimd/cimd.validator.ts
+function isCimdClientId(clientId, allowInsecure = false) {
+  if (!clientId || typeof clientId !== "string") {
+    return false;
+  }
+  try {
+    const url = new URL(clientId);
+    if (url.protocol === "https:") {
+    } else if (url.protocol === "http:" && allowInsecure && isLocalhostHost(url.hostname)) {
+    } else {
+      return false;
+    }
+    if (!url.pathname || url.pathname === "/") {
+      return false;
+    }
+    return true;
+  } catch {
+    return false;
+  }
+}
+function isLocalhostHost(hostname) {
+  const lower = hostname.toLowerCase();
+  return lower === "localhost" || lower === "127.0.0.1" || lower === "[::1]" || lower.endsWith(".localhost");
+}
+function validateClientIdUrl(clientId, securityConfig) {
+  if (!clientId || typeof clientId !== "string") {
+    throw new InvalidClientIdUrlError(clientId || "", "client_id must be a non-empty string");
+  }
+  let url;
+  try {
+    url = new URL(clientId);
+  } catch {
+    throw new InvalidClientIdUrlError(clientId, "Invalid URL format");
+  }
+  const allowInsecure = securityConfig?.allowInsecureForTesting ?? false;
+  if (url.protocol === "https:") {
+  } else if (url.protocol === "http:" && allowInsecure && isLocalhostHost(url.hostname)) {
+  } else {
+    throw new InvalidClientIdUrlError(clientId, `CIMD requires HTTPS, got ${url.protocol.replace(":", "")}`);
+  }
+  if (!url.pathname || url.pathname === "/") {
+    throw new InvalidClientIdUrlError(
+      clientId,
+      "CIMD client_id URL must have a path component (e.g., /oauth/client-metadata.json)"
+    );
+  }
+  const config = {
+    blockPrivateIPs: securityConfig?.blockPrivateIPs ?? true,
+    allowedDomains: securityConfig?.allowedDomains,
+    blockedDomains: securityConfig?.blockedDomains
+  };
+  if (config.allowedDomains?.length) {
+    if (!isDomainInList(url.hostname, config.allowedDomains)) {
+      throw new CimdSecurityError(clientId, `Domain "${url.hostname}" is not in the allowed domains list`);
+    }
+  }
+  if (config.blockedDomains?.length) {
+    if (isDomainInList(url.hostname, config.blockedDomains)) {
+      throw new CimdSecurityError(clientId, `Domain "${url.hostname}" is blocked`);
+    }
+  }
+  if (config.blockPrivateIPs && !allowInsecure) {
+    const ssrfCheck = checkSsrfProtection(url.hostname);
+    if (!ssrfCheck.allowed) {
+      throw new CimdSecurityError(clientId, ssrfCheck.reason);
+    }
+  }
+  return url;
+}
+function checkSsrfProtection(hostname) {
+  const lowercaseHostname = hostname.toLowerCase();
+  if (lowercaseHostname === "localhost" || lowercaseHostname === "localhost.localdomain" || lowercaseHostname.endsWith(".localhost")) {
+    return { allowed: false, reason: "Localhost addresses are not allowed" };
+  }
+  if (isIpAddress(hostname)) {
+    const ipCheck = checkIpAddress(hostname);
+    if (!ipCheck.allowed) {
+      return ipCheck;
+    }
+  }
+  return { allowed: true, reason: "" };
+}
+function isIpAddress(hostname) {
+  const ipv4Pattern = /^(\d{1,3}\.){3}\d{1,3}$/;
+  if (ipv4Pattern.test(hostname)) {
+    return true;
+  }
+  const cleanHostname = hostname.replace(/^\[|\]$/g, "");
+  if (cleanHostname.includes(":")) {
+    return true;
+  }
+  return false;
+}
+function checkIpAddress(ip) {
+  const cleanIp = ip.replace(/^\[|\]$/g, "");
+  if (cleanIp.includes(".") && !cleanIp.includes(":")) {
+    return checkIpv4(cleanIp);
+  }
+  return checkIpv6(cleanIp);
+}
+function checkIpv4(ip) {
+  const parts = ip.split(".").map(Number);
+  if (parts.length !== 4 || parts.some((p) => isNaN(p) || p < 0 || p > 255)) {
+    return { allowed: false, reason: "Invalid IPv4 address" };
+  }
+  const [a, b, c, d] = parts;
+  if (a === 127) {
+    return { allowed: false, reason: "Loopback addresses (127.x.x.x) are not allowed" };
+  }
+  if (a === 10) {
+    return { allowed: false, reason: "Private IP addresses (10.x.x.x) are not allowed" };
+  }
+  if (a === 172 && b >= 16 && b <= 31) {
+    return { allowed: false, reason: "Private IP addresses (172.16-31.x.x) are not allowed" };
+  }
+  if (a === 192 && b === 168) {
+    return { allowed: false, reason: "Private IP addresses (192.168.x.x) are not allowed" };
+  }
+  if (a === 169 && b === 254) {
+    return { allowed: false, reason: "Link-local addresses (169.254.x.x) are not allowed" };
+  }
+  if (a === 0) {
+    return { allowed: false, reason: "Current network addresses (0.x.x.x) are not allowed" };
+  }
+  if (a === 255 && b === 255 && c === 255 && d === 255) {
+    return { allowed: false, reason: "Broadcast address is not allowed" };
+  }
+  if (a >= 224 && a <= 239) {
+    return { allowed: false, reason: "Multicast addresses are not allowed" };
+  }
+  return { allowed: true, reason: "" };
+}
+function checkIpv6(ip) {
+  const normalizedIp = ip.toLowerCase();
+  if (normalizedIp === "::1") {
+    return { allowed: false, reason: "IPv6 loopback address (::1) is not allowed" };
+  }
+  if (normalizedIp === "::" || normalizedIp === "0:0:0:0:0:0:0:0") {
+    return { allowed: false, reason: "IPv6 unspecified address (::) is not allowed" };
+  }
+  if (normalizedIp.startsWith("fe8") || normalizedIp.startsWith("fe9") || normalizedIp.startsWith("fea") || normalizedIp.startsWith("feb")) {
+    return { allowed: false, reason: "IPv6 link-local addresses (fe80::/10) are not allowed" };
+  }
+  if (normalizedIp.startsWith("fc") || normalizedIp.startsWith("fd")) {
+    return { allowed: false, reason: "IPv6 unique local addresses (fc00::/7) are not allowed" };
+  }
+  const ipv4MappedMatch = normalizedIp.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/);
+  if (ipv4MappedMatch) {
+    return checkIpv4(ipv4MappedMatch[1]);
+  }
+  return { allowed: true, reason: "" };
+}
+function isDomainInList(hostname, domainList) {
+  const lowerHostname = hostname.toLowerCase();
+  for (const domain of domainList) {
+    const lowerDomain = domain.toLowerCase();
+    if (lowerHostname === lowerDomain) {
+      return true;
+    }
+    if (lowerHostname.endsWith("." + lowerDomain)) {
+      return true;
+    }
+    if (lowerDomain.startsWith("*.")) {
+      const baseDomain = lowerDomain.slice(2);
+      if (lowerHostname === baseDomain || lowerHostname.endsWith("." + baseDomain)) {
+        return true;
+      }
+    }
+  }
+  return false;
+}
+function hasOnlyLocalhostRedirectUris(redirectUris) {
+  if (!redirectUris.length) {
+    return false;
+  }
+  return redirectUris.every((uri) => {
+    try {
+      const url = new URL(uri);
+      const hostname = url.hostname.toLowerCase();
+      return hostname === "localhost" || hostname === "127.0.0.1" || hostname === "[::1]" || hostname.endsWith(".localhost");
+    } catch {
+      return false;
+    }
+  });
+}
+
+// libs/auth/src/cimd/index.ts
+init_cimd_cache();
+
+// libs/auth/src/cimd/cimd.service.ts
+init_cimd_cache();
+var CimdService = class {
+  config;
+  cacheConfig;
+  securityConfig;
+  networkConfig;
+  cache;
+  logger;
+  /**
+   * Whether CIMD is enabled.
+   */
+  get enabled() {
+    return this.config.enabled;
+  }
+  /**
+   * Create a new CIMD service.
+   *
+   * @param logger - Optional logger. If not provided, logging is disabled.
+   * @param config - Optional configuration.
+   */
+  constructor(logger, config) {
+    this.logger = (logger ?? noopLogger).child("CimdService");
+    this.config = cimdConfigSchema.parse(config ?? {});
+    this.cacheConfig = cimdCacheConfigSchema.parse(this.config.cache ?? {});
+    this.securityConfig = cimdSecurityConfigSchema.parse(this.config.security ?? {});
+    this.networkConfig = cimdNetworkConfigSchema.parse(this.config.network ?? {});
+    this.cache = new CimdCache(this.cacheConfig);
+    this.logger.debug("CimdService initialized", {
+      enabled: this.config.enabled,
+      cacheDefaultTtlMs: this.cacheConfig.defaultTtlMs,
+      networkTimeoutMs: this.networkConfig.timeoutMs
+    });
+    if (this.securityConfig.allowInsecureForTesting) {
+      this.logger.warn(
+        "CIMD allowInsecureForTesting is enabled. HTTP is allowed for localhost CIMD URLs. This should NEVER be enabled in production!"
+      );
+    }
+  }
+  /**
+   * Check if a client_id is a CIMD URL.
+   *
+   * @param clientId - The client_id to check
+   * @returns true if this is a CIMD client_id (HTTPS URL with path, or HTTP for localhost when testing)
+   */
+  isCimdClientId(clientId) {
+    return isCimdClientId(clientId, this.securityConfig.allowInsecureForTesting);
+  }
+  /**
+   * Resolve a client_id to its metadata document.
+   *
+   * If the client_id is a CIMD URL, this fetches and validates the metadata document.
+   * Non-CIMD client IDs return a result with isCimdClient: false.
+   *
+   * @param clientId - The client_id to resolve
+   * @returns Resolution result with metadata if available
+   */
+  async resolveClientMetadata(clientId) {
+    if (!this.isCimdClientId(clientId)) {
+      return {
+        isCimdClient: false,
+        fromCache: false
+      };
+    }
+    validateClientIdUrl(clientId, this.securityConfig);
+    const cached = await this.cache.get(clientId);
+    if (cached) {
+      this.logger.debug(`Cache hit for CIMD client: ${clientId}`);
+      return {
+        isCimdClient: true,
+        metadata: cached.document,
+        fromCache: true,
+        expiresAt: cached.expiresAt,
+        etag: cached.etag,
+        lastModified: cached.lastModified
+      };
+    }
+    this.logger.info(`Fetching CIMD document: ${clientId}`);
+    const { document, headers } = await this.fetchMetadataDocument(clientId);
+    this.validateDocument(clientId, document);
+    if (this.securityConfig.warnOnLocalhostRedirects && hasOnlyLocalhostRedirectUris(document.redirect_uris)) {
+      this.logger.warn(`CIMD client "${clientId}" has only localhost redirect URIs - this may be a development client`);
+    }
+    await this.cache.set(clientId, document, headers);
+    const entry = await this.cache.get(clientId);
+    return {
+      isCimdClient: true,
+      metadata: document,
+      fromCache: false,
+      expiresAt: entry?.expiresAt,
+      etag: entry?.etag,
+      lastModified: entry?.lastModified
+    };
+  }
+  /**
+   * Validate that a redirect_uri is registered for the client.
+   *
+   * @param redirectUri - The redirect_uri from the authorization request
+   * @param metadata - The client's metadata document
+   * @throws RedirectUriMismatchError if the redirect_uri is not registered
+   */
+  validateRedirectUri(redirectUri, metadata) {
+    const normalizedRequestUri = normalizeRedirectUri(redirectUri);
+    const normalizedAllowed = metadata.redirect_uris.map(normalizeRedirectUri);
+    if (!normalizedAllowed.includes(normalizedRequestUri)) {
+      throw new RedirectUriMismatchError(metadata.client_id, redirectUri, metadata.redirect_uris);
+    }
+  }
+  /**
+   * Clear the cache for a specific client or all clients.
+   *
+   * @param clientId - Optional client_id to clear; clears all if not provided
+   */
+  async clearCache(clientId) {
+    if (clientId) {
+      await this.cache.delete(clientId);
+      this.logger.debug(`Cache cleared for: ${clientId}`);
+    } else {
+      await this.cache.clear();
+      this.logger.debug("Cache cleared");
+    }
+  }
+  /**
+   * Get cache statistics.
+   */
+  async getCacheStats() {
+    return {
+      size: await this.cache.size()
+    };
+  }
+  /**
+   * Fetch a metadata document from a CIMD URL.
+   *
+   * Following the JwksService.fetchJson() pattern.
+   */
+  async fetchMetadataDocument(clientId) {
+    const controller = new AbortController();
+    const timer = setTimeout(() => controller.abort(), this.networkConfig.timeoutMs);
+    try {
+      const conditionalHeaders = await this.cache.getConditionalHeaders(clientId);
+      const originalOrigin = new URL(clientId).origin;
+      const maxRedirects = this.networkConfig.maxRedirects;
+      let currentUrl = clientId;
+      let redirectCount = 0;
+      let isFirstRequest = true;
+      while (true) {
+        const headers = {
+          Accept: "application/json"
+        };
+        if (isFirstRequest && conditionalHeaders) {
+          Object.assign(headers, conditionalHeaders);
+        }
+        const response = await fetch(currentUrl, {
+          method: "GET",
+          headers,
+          signal: controller.signal,
+          redirect: "manual"
+        });
+        if (response.status === 304) {
+          const staleEntry = await this.cache.getStale(clientId);
+          if (staleEntry) {
+            await this.cache.revalidate(clientId, response.headers);
+            this.logger.debug(`CIMD document not modified: ${clientId}`);
+            return {
+              document: staleEntry.document,
+              headers: response.headers
+            };
+          }
+          throw new CimdFetchError(clientId, "304 Not Modified but no cached entry", {
+            httpStatus: 304
+          });
+        }
+        if (response.status >= 300 && response.status < 400) {
+          const location = response.headers.get("location");
+          if (!location) {
+            throw new CimdFetchError(clientId, "Redirect response missing Location header", {
+              httpStatus: response.status
+            });
+          }
+          const nextUrl = new URL(location, currentUrl).toString();
+          const redirectPolicy = this.networkConfig.redirectPolicy;
+          if (redirectPolicy === "deny") {
+            throw new CimdFetchError(
+              clientId,
+              `CIMD fetch redirected to "${nextUrl}" but redirects are disabled. Host the metadata at the client_id URL or set auth.cimd.network.redirectPolicy to "same-origin" or "allow".`,
+              { httpStatus: response.status }
+            );
+          }
+          if (redirectPolicy === "same-origin") {
+            const nextOrigin = new URL(nextUrl).origin;
+            if (nextOrigin !== originalOrigin) {
+              throw new CimdFetchError(
+                clientId,
+                `CIMD fetch redirected to "${nextUrl}" which is not the same origin as "${originalOrigin}". Host the metadata at the client_id URL or set auth.cimd.network.redirectPolicy to "allow".`,
+                { httpStatus: response.status }
+              );
+            }
+          }
+          validateClientIdUrl(nextUrl, this.securityConfig);
+          redirectCount += 1;
+          if (redirectCount > maxRedirects) {
+            throw new CimdFetchError(
+              clientId,
+              `CIMD fetch exceeded max redirects (${maxRedirects}). Host the metadata at the client_id URL or increase auth.cimd.network.maxRedirects.`
+            );
+          }
+          this.logger.warn(`CIMD redirect ${redirectCount}/${maxRedirects}: ${currentUrl} -> ${nextUrl}`);
+          currentUrl = nextUrl;
+          isFirstRequest = false;
+          continue;
+        }
+        if (!response.ok) {
+          throw new CimdFetchError(clientId, `HTTP ${response.status} ${response.statusText}`, {
+            httpStatus: response.status
+          });
+        }
+        const contentLength = response.headers.get("content-length");
+        if (contentLength) {
+          const length = parseInt(contentLength, 10);
+          if (!isNaN(length) && length > this.networkConfig.maxResponseSizeBytes) {
+            throw new CimdResponseTooLargeError(clientId, this.networkConfig.maxResponseSizeBytes, length);
+          }
+        }
+        const text = await this.readResponseWithLimit(response, this.networkConfig.maxResponseSizeBytes, clientId);
+        let document;
+        try {
+          document = JSON.parse(text);
+        } catch (e) {
+          throw new CimdFetchError(clientId, "Invalid JSON response", {
+            originalError: e instanceof Error ? e : new Error(String(e))
+          });
+        }
+        return { document, headers: response.headers };
+      }
+    } catch (error) {
+      if (error instanceof CimdFetchError || error instanceof CimdResponseTooLargeError) {
+        throw error;
+      }
+      if (error instanceof Error && error.name === "AbortError") {
+        throw new CimdFetchError(clientId, "Request timeout", {
+          originalError: error
+        });
+      }
+      throw new CimdFetchError(clientId, error instanceof Error ? error.message : "Unknown error", {
+        originalError: error instanceof Error ? error : void 0
+      });
+    } finally {
+      clearTimeout(timer);
+    }
+  }
+  /**
+   * Read response body with size limit.
+   */
+  async readResponseWithLimit(response, maxBytes, clientId) {
+    const reader = response.body?.getReader();
+    if (!reader) {
+      const buffer = await response.arrayBuffer();
+      if (buffer.byteLength > maxBytes) {
+        throw new CimdResponseTooLargeError(clientId, maxBytes, buffer.byteLength);
+      }
+      return new TextDecoder().decode(buffer);
+    }
+    const chunks = [];
+    let totalBytes = 0;
+    try {
+      while (true) {
+        const { done, value } = await reader.read();
+        if (done) break;
+        totalBytes += value.length;
+        if (totalBytes > maxBytes) {
+          throw new CimdResponseTooLargeError(clientId, maxBytes, totalBytes);
+        }
+        chunks.push(value);
+      }
+    } finally {
+      reader.releaseLock();
+    }
+    const combined = new Uint8Array(totalBytes);
+    let offset = 0;
+    for (const chunk of chunks) {
+      combined.set(chunk, offset);
+      offset += chunk.length;
+    }
+    return new TextDecoder().decode(combined);
+  }
+  /**
+   * Validate a fetched document against the schema.
+   *
+   * @param clientId - The URL from which the document was fetched
+   * @param document - The document to validate
+   */
+  validateDocument(clientId, document) {
+    const result = clientMetadataDocumentSchema.safeParse(document);
+    if (!result.success) {
+      const errors = result.error.issues.map((issue) => {
+        const path2 = issue.path.length > 0 ? `${issue.path.join(".")}: ` : "";
+        return `${path2}${issue.message}`;
+      });
+      throw new CimdValidationError(clientId, errors);
+    }
+    if (result.data.client_id !== clientId) {
+      throw new CimdClientIdMismatchError(clientId, result.data.client_id);
+    }
+  }
+};
+function normalizeRedirectUri(uri) {
+  try {
+    const url = new URL(uri);
+    let normalized = `${url.protocol.toLowerCase()}//${url.host.toLowerCase()}`;
+    normalized += url.pathname.replace(/\/+$/, "") || "/";
+    if (url.search) normalized += url.search;
+    return normalized;
+  } catch {
+    return uri;
+  }
+}
+export {
+  AppAuthState,
+  AudienceValidator,
+  CDN,
+  CimdCache,
+  CimdClientIdMismatchError,
+  CimdDisabledError,
+  CimdError,
+  CimdFetchError,
+  CimdResponseTooLargeError,
+  CimdSecurityError,
+  CimdService,
+  CimdValidationError,
+  CredentialCache,
+  DEFAULT_THEME,
+  EncryptedStorageError,
+  EncryptedTypedStorage,
+  InMemoryAuthorizationStore,
+  InMemoryAuthorizationVault,
+  InvalidClientIdUrlError,
+  JwksService,
+  RedirectUriMismatchError,
+  RedisAuthorizationStore,
+  StorageAuthorizationVault,
+  StorageTokenStore,
+  TinyTtlCache,
+  TokenVault,
+  TypedStorage3 as TypedStorage,
+  VaultEncryption,
+  apiKeyCredentialSchema,
+  appAuthStateSchema,
+  appAuthorizationRecordSchema,
+  appCredentialSchema,
+  authLayout,
+  authModeSchema,
+  authProviderMappingSchema,
+  authProvidersVaultOptionsSchema,
+  authUserSchema,
+  authorizationCodeRecordSchema,
+  authorizationVaultEntrySchema,
+  authorizedPromptSchema,
+  authorizedToolSchema,
+  baseLayout,
+  basicAuthCredentialSchema,
+  bearerCredentialSchema,
+  buildConsentPage,
+  buildErrorPage,
+  buildFederatedLoginPage,
+  buildIncrementalAuthPage,
+  buildInsufficientScopeHeader,
+  buildInvalidRequestHeader,
+  buildInvalidTokenHeader,
+  buildLoginPage,
+  buildPrmUrl,
+  buildToolConsentPage,
+  buildUnauthorizedHeader,
+  buildWwwAuthenticate,
+  centeredCardLayout,
+  checkSsrfProtection,
+  cimdCacheConfigSchema,
+  cimdConfigSchema,
+  cimdNetworkConfigSchema,
+  cimdSecurityConfigSchema,
+  clientMetadataDocumentSchema,
+  createAudienceValidator,
+  createLayout,
+  credentialProviderConfigSchema,
+  credentialSchema,
+  credentialScopeSchema,
+  credentialTypeSchema,
+  customCredentialSchema,
+  decodeJwtPayloadSafe,
+  decryptAesGcm3 as decryptAesGcm,
+  decryptValue,
+  deleteDevKey,
+  deriveExpectedAudience,
+  encryptAesGcm3 as encryptAesGcm,
+  encryptValue,
+  encryptedDataSchema,
+  encryptedVaultEntrySchema,
+  escapeHtml2 as escapeHtml,
+  extraWideLayout,
+  extractCacheHeaders,
+  extractCredentialExpiry,
+  generatePkceChallenge,
+  getCredentialOptionsSchema,
+  hasOnlyLocalhostRedirectUris,
+  hkdfSha2562 as hkdfSha256,
+  isCimdClientId,
+  isDevKeyPersistenceEnabled,
+  llmSafeAuthContextSchema,
+  loadDevKey,
+  loadingStrategySchema,
+  mtlsCredentialSchema,
+  noopLogger,
+  normalizeIssuer,
+  oauthCredentialSchema,
+  parseCacheHeaders,
+  parseWwwAuthenticate,
+  pendingIncrementalAuthSchema,
+  pkceChallengeSchema,
+  pkceOAuthCredentialSchema,
+  privateKeyCredentialSchema,
+  progressiveAuthStateSchema,
+  renderToHtml,
+  resolveKeyPath,
+  saveDevKey,
+  serviceAccountCredentialSchema,
+  sshKeyCredentialSchema,
+  trimSlash,
+  validateAudience,
+  validateClientIdUrl,
+  vaultConsentRecordSchema,
+  vaultFederatedRecordSchema,
+  verifyPkce,
+  wideLayout
+};