@frontmcp/auth 0.0.1 → 0.8.1

package/session/authorization.store.d.ts

@@ -0,0 +1,311 @@
+/**
+ * Authorization Store for OAuth flows
+ *
+ * Stores authorization codes, PKCE challenges, and pending authorizations.
+ * Supports both in-memory (dev/test) and Redis (production) backends.
+ */
+import { z } from 'zod';
+/**
+ * PKCE challenge data
+ */
+export interface PkceChallenge {
+    /** S256 hashed code_challenge */
+    challenge: string;
+    /** Always 'S256' per OAuth 2.1 */
+    method: 'S256';
+}
+/**
+ * Authorization code record stored during the OAuth flow
+ */
+export interface AuthorizationCodeRecord {
+    /** The authorization code (opaque string) */
+    code: string;
+    /** Client ID that requested authorization */
+    clientId: string;
+    /** Redirect URI used in the authorization request */
+    redirectUri: string;
+    /** Requested scopes */
+    scopes: string[];
+    /** PKCE challenge for verification */
+    pkce: PkceChallenge;
+    /** User identifier (sub claim) */
+    userSub: string;
+    /** User email if available */
+    userEmail?: string;
+    /** User name if available */
+    userName?: string;
+    /** Original state parameter */
+    state?: string;
+    /** Creation timestamp (epoch ms) */
+    createdAt: number;
+    /** Expiration timestamp (epoch ms) - codes are short-lived (60s default) */
+    expiresAt: number;
+    /** Whether this code has been used (single-use) */
+    used: boolean;
+    /** Resource/audience the token will be issued for */
+    resource?: string;
+    /** Selected tool IDs from consent flow */
+    selectedToolIds?: string[];
+    /** Selected provider IDs from federated login */
+    selectedProviderIds?: string[];
+    /** Skipped provider IDs from federated login (for progressive auth) */
+    skippedProviderIds?: string[];
+    /** Whether consent was enabled for this authorization */
+    consentEnabled?: boolean;
+    /** Whether federated login was used */
+    federatedLoginUsed?: boolean;
+    /** Pending auth ID for token migration (federated login) */
+    pendingAuthId?: string;
+}
+/**
+ * Consent state for tool selection
+ */
+export interface ConsentStateRecord {
+    /** Whether consent flow is enabled */
+    enabled: boolean;
+    /** Available tool IDs for consent */
+    availableToolIds: string[];
+    /** Selected tool IDs (after user selection) */
+    selectedToolIds?: string[];
+    /** Whether consent has been completed */
+    consentCompleted: boolean;
+    /** Timestamp when consent was completed */
+    consentCompletedAt?: number;
+}
+/**
+ * Federated login state for multi-provider auth
+ */
+export interface FederatedLoginStateRecord {
+    /** Available provider IDs */
+    providerIds: string[];
+    /** Selected provider IDs */
+    selectedProviderIds?: string[];
+    /** Skipped provider IDs */
+    skippedProviderIds?: string[];
+    /** Provider-specific user data (after auth) */
+    providerUserData?: Record<string, {
+        email?: string;
+        name?: string;
+        sub?: string;
+    }>;
+}
+/**
+ * Pending authorization request (before user authenticates)
+ */
+export interface PendingAuthorizationRecord {
+    /** Unique ID for this pending authorization */
+    id: string;
+    /** Client ID requesting authorization */
+    clientId: string;
+    /** Redirect URI for callback */
+    redirectUri: string;
+    /** Requested scopes */
+    scopes: string[];
+    /** PKCE challenge */
+    pkce: PkceChallenge;
+    /** Original state parameter from client */
+    state?: string;
+    /** Resource/audience */
+    resource?: string;
+    /** Creation timestamp */
+    createdAt: number;
+    /** Expiration timestamp (pending requests expire after 10 minutes) */
+    expiresAt: number;
+    /** Whether this is an incremental authorization request */
+    isIncremental?: boolean;
+    /** Target app ID for incremental authorization */
+    targetAppId?: string;
+    /** Target tool ID that triggered the incremental auth */
+    targetToolId?: string;
+    /** Existing session ID for incremental auth (to expand the token vault) */
+    existingSessionId?: string;
+    /** Existing authorization ID to expand */
+    existingAuthorizationId?: string;
+    /** Federated login state for multi-provider auth */
+    federatedLogin?: FederatedLoginStateRecord;
+    /** Consent state for tool selection */
+    consent?: ConsentStateRecord;
+}
+/**
+ * Refresh token record
+ */
+export interface RefreshTokenRecord {
+    /** The refresh token (opaque string) */
+    token: string;
+    /** Client ID */
+    clientId: string;
+    /** User identifier */
+    userSub: string;
+    /** Granted scopes */
+    scopes: string[];
+    /** Resource/audience */
+    resource?: string;
+    /** Creation timestamp */
+    createdAt: number;
+    /** Expiration timestamp */
+    expiresAt: number;
+    /** Whether this token has been revoked */
+    revoked: boolean;
+    /** Previous token if rotated */
+    previousToken?: string;
+}
+/**
+ * Zod schemas for validation
+ */
+export declare const pkceChallengeSchema: z.ZodObject<{
+    challenge: z.ZodString;
+    method: z.ZodLiteral<"S256">;
+}, z.core.$strip>;
+export declare const authorizationCodeRecordSchema: z.ZodObject<{
+    code: z.ZodString;
+    clientId: z.ZodString;
+    redirectUri: z.ZodString;
+    scopes: z.ZodArray<z.ZodString>;
+    pkce: z.ZodObject<{
+        challenge: z.ZodString;
+        method: z.ZodLiteral<"S256">;
+    }, z.core.$strip>;
+    userSub: z.ZodString;
+    userEmail: z.ZodOptional<z.ZodString>;
+    userName: z.ZodOptional<z.ZodString>;
+    state: z.ZodOptional<z.ZodString>;
+    createdAt: z.ZodNumber;
+    expiresAt: z.ZodNumber;
+    used: z.ZodBoolean;
+    resource: z.ZodOptional<z.ZodString>;
+    selectedToolIds: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    selectedProviderIds: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    skippedProviderIds: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    consentEnabled: z.ZodOptional<z.ZodBoolean>;
+    federatedLoginUsed: z.ZodOptional<z.ZodBoolean>;
+    pendingAuthId: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>;
+/**
+ * Authorization Store Interface
+ */
+export interface AuthorizationStore {
+    storeAuthorizationCode(record: AuthorizationCodeRecord): Promise<void>;
+    getAuthorizationCode(code: string): Promise<AuthorizationCodeRecord | null>;
+    markCodeUsed(code: string): Promise<void>;
+    deleteAuthorizationCode(code: string): Promise<void>;
+    storePendingAuthorization(record: PendingAuthorizationRecord): Promise<void>;
+    getPendingAuthorization(id: string): Promise<PendingAuthorizationRecord | null>;
+    deletePendingAuthorization(id: string): Promise<void>;
+    storeRefreshToken(record: RefreshTokenRecord): Promise<void>;
+    getRefreshToken(token: string): Promise<RefreshTokenRecord | null>;
+    revokeRefreshToken(token: string): Promise<void>;
+    rotateRefreshToken(oldToken: string, newRecord: RefreshTokenRecord): Promise<void>;
+    generateCode(): string;
+    generateRefreshToken(): string;
+    cleanup(): Promise<void>;
+}
+/**
+ * PKCE utilities
+ */
+export declare function verifyPkce(codeVerifier: string, challenge: PkceChallenge): boolean;
+export declare function generatePkceChallenge(codeVerifier: string): PkceChallenge;
+/**
+ * In-Memory Authorization Store
+ *
+ * Development/testing implementation. Data is lost on restart.
+ * For production, use RedisAuthorizationStore.
+ */
+export declare class InMemoryAuthorizationStore implements AuthorizationStore {
+    private codes;
+    private pending;
+    private refreshTokens;
+    /** Default TTL for authorization codes (60 seconds) */
+    private readonly codeTtlMs;
+    /** Default TTL for pending authorizations (10 minutes) */
+    private readonly pendingTtlMs;
+    /** Default TTL for refresh tokens (30 days) */
+    private readonly refreshTtlMs;
+    generateCode(): string;
+    generateRefreshToken(): string;
+    storeAuthorizationCode(record: AuthorizationCodeRecord): Promise<void>;
+    getAuthorizationCode(code: string): Promise<AuthorizationCodeRecord | null>;
+    markCodeUsed(code: string): Promise<void>;
+    deleteAuthorizationCode(code: string): Promise<void>;
+    storePendingAuthorization(record: PendingAuthorizationRecord): Promise<void>;
+    getPendingAuthorization(id: string): Promise<PendingAuthorizationRecord | null>;
+    deletePendingAuthorization(id: string): Promise<void>;
+    storeRefreshToken(record: RefreshTokenRecord): Promise<void>;
+    getRefreshToken(token: string): Promise<RefreshTokenRecord | null>;
+    revokeRefreshToken(token: string): Promise<void>;
+    rotateRefreshToken(oldToken: string, newRecord: RefreshTokenRecord): Promise<void>;
+    cleanup(): Promise<void>;
+    /**
+     * Create an authorization code record with defaults
+     */
+    createCodeRecord(params: {
+        clientId: string;
+        redirectUri: string;
+        scopes: string[];
+        pkce: PkceChallenge;
+        userSub: string;
+        userEmail?: string;
+        userName?: string;
+        state?: string;
+        resource?: string;
+        selectedToolIds?: string[];
+        selectedProviderIds?: string[];
+        skippedProviderIds?: string[];
+        consentEnabled?: boolean;
+        federatedLoginUsed?: boolean;
+        pendingAuthId?: string;
+    }): AuthorizationCodeRecord;
+    /**
+     * Create a pending authorization record with defaults
+     */
+    createPendingRecord(params: {
+        clientId: string;
+        redirectUri: string;
+        scopes: string[];
+        pkce: PkceChallenge;
+        state?: string;
+        resource?: string;
+        isIncremental?: boolean;
+        targetAppId?: string;
+        targetToolId?: string;
+        existingSessionId?: string;
+        existingAuthorizationId?: string;
+        federatedLogin?: FederatedLoginStateRecord;
+        consent?: ConsentStateRecord;
+    }): PendingAuthorizationRecord;
+    /**
+     * Create a refresh token record with defaults
+     */
+    createRefreshTokenRecord(params: {
+        clientId: string;
+        userSub: string;
+        scopes: string[];
+        resource?: string;
+    }): RefreshTokenRecord;
+}
+/**
+ * Redis Authorization Store (placeholder)
+ *
+ * Production implementation using Redis for distributed storage.
+ * TODO: Implement after in-memory store is validated.
+ */
+export declare class RedisAuthorizationStore implements AuthorizationStore {
+    private readonly redis;
+    private readonly namespace;
+    constructor(redis: any, namespace?: string);
+    private key;
+    generateCode(): string;
+    generateRefreshToken(): string;
+    storeAuthorizationCode(record: AuthorizationCodeRecord): Promise<void>;
+    getAuthorizationCode(code: string): Promise<AuthorizationCodeRecord | null>;
+    markCodeUsed(code: string): Promise<void>;
+    deleteAuthorizationCode(code: string): Promise<void>;
+    storePendingAuthorization(record: PendingAuthorizationRecord): Promise<void>;
+    getPendingAuthorization(id: string): Promise<PendingAuthorizationRecord | null>;
+    deletePendingAuthorization(id: string): Promise<void>;
+    storeRefreshToken(record: RefreshTokenRecord): Promise<void>;
+    getRefreshToken(token: string): Promise<RefreshTokenRecord | null>;
+    revokeRefreshToken(token: string): Promise<void>;
+    rotateRefreshToken(oldToken: string, newRecord: RefreshTokenRecord): Promise<void>;
+    cleanup(): Promise<void>;
+}
+//# sourceMappingURL=authorization.store.d.ts.map

package/session/authorization.store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"authorization.store.d.ts","sourceRoot":"","sources":["../../src/session/authorization.store.ts"],"names":[],"mappings":"AACA;;;;;GAKG;AAGH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,iCAAiC;IACjC,SAAS,EAAE,MAAM,CAAC;IAClB,kCAAkC;IAClC,MAAM,EAAE,MAAM,CAAC;CAChB;AAED;;GAEG;AACH,MAAM,WAAW,uBAAuB;IACtC,6CAA6C;IAC7C,IAAI,EAAE,MAAM,CAAC;IACb,6CAA6C;IAC7C,QAAQ,EAAE,MAAM,CAAC;IACjB,qDAAqD;IACrD,WAAW,EAAE,MAAM,CAAC;IACpB,uBAAuB;IACvB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,sCAAsC;IACtC,IAAI,EAAE,aAAa,CAAC;IACpB,kCAAkC;IAClC,OAAO,EAAE,MAAM,CAAC;IAChB,8BAA8B;IAC9B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,6BAA6B;IAC7B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,+BAA+B;IAC/B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,oCAAoC;IACpC,SAAS,EAAE,MAAM,CAAC;IAClB,4EAA4E;IAC5E,SAAS,EAAE,MAAM,CAAC;IAClB,mDAAmD;IACnD,IAAI,EAAE,OAAO,CAAC;IACd,qDAAqD;IACrD,QAAQ,CAAC,EAAE,MAAM,CAAC;IAGlB,0CAA0C;IAC1C,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAC3B,iDAAiD;IACjD,mBAAmB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC/B,uEAAuE;IACvE,kBAAkB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC9B,yDAAyD;IACzD,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,uCAAuC;IACvC,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAC7B,4DAA4D;IAC5D,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB;AAED;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,sCAAsC;IACtC,OAAO,EAAE,OAAO,CAAC;IACjB,qCAAqC;IACrC,gBAAgB,EAAE,MAAM,EAAE,CAAC;IAC3B,+CAA+C;IAC/C,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAC3B,yCAAyC;IACzC,gBAAgB,EAAE,OAAO,CAAC;IAC1B,2CAA2C;IAC3C,kBAAkB,CAAC,EAAE,MAAM,CAAC;CAC7B;AAED;;GAEG;AACH,MAAM,WAAW,yBAAyB;IACxC,6BAA6B;IAC7B,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,4BAA4B;IAC5B,mBAAmB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC/B,2BAA2B;IAC3B,kBAAkB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC9B,+CAA+C;IAC/C,gBAAgB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE;QAAE,KAAK,CAAC,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAC;QAAC,GAAG,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CACpF;AAED;;GAEG;AACH,MAAM,WAAW,0BAA0B;IACzC,+CAA+C;IAC/C,EAAE,EAAE,MAAM,CAAC;IACX,yCAAyC;IACzC,QAAQ,EAAE,MAAM,CAAC;IACjB,gCAAgC;IAChC,WAAW,EAAE,MAAM,CAAC;IACpB,uBAAuB;IACvB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,qBAAqB;IACrB,IAAI,EAAE,aAAa,CAAC;IACpB,2CAA2C;IAC3C,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,wBAAwB;IACxB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,yBAAyB;IACzB,SAAS,EAAE,MAAM,CAAC;IAClB,sEAAsE;IACtE,SAAS,EAAE,MAAM,CAAC;IAGlB,2DAA2D;IAC3D,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,kDAAkD;IAClD,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,yDAAyD;IACzD,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,2EAA2E;IAC3E,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,0CAA0C;IAC1C,uBAAuB,CAAC,EAAE,MAAM,CAAC;IAGjC,oDAAoD;IACpD,cAAc,CAAC,EAAE,yBAAyB,CAAC;IAG3C,uCAAuC;IACvC,OAAO,CAAC,EAAE,kBAAkB,CAAC;CAC9B;AAED;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,wCAAwC;IACxC,KAAK,EAAE,MAAM,CAAC;IACd,gBAAgB;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,sBAAsB;IACtB,OAAO,EAAE,MAAM,CAAC;IAChB,qBAAqB;IACrB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,wBAAwB;IACxB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,yBAAyB;IACzB,SAAS,EAAE,MAAM,CAAC;IAClB,2BAA2B;IAC3B,SAAS,EAAE,MAAM,CAAC;IAClB,0CAA0C;IAC1C,OAAO,EAAE,OAAO,CAAC;IACjB,gCAAgC;IAChC,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB;AAED;;GAEG;AACH,eAAO,MAAM,mBAAmB;;;iBAG9B,CAAC;AAEH,eAAO,MAAM,6BAA6B;;;;;;;;;;;;;;;;;;;;;;;iBAqBxC,CAAC;AAEH;;GAEG;AACH,MAAM,WAAW,kBAAkB;IAEjC,sBAAsB,CAAC,MAAM,EAAE,uBAAuB,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACvE,oBAAoB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,uBAAuB,GAAG,IAAI,CAAC,CAAC;IAC5E,YAAY,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC1C,uBAAuB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAGrD,yBAAyB,CAAC,MAAM,EAAE,0BAA0B,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC7E,uBAAuB,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,0BAA0B,GAAG,IAAI,CAAC,CAAC;IAChF,0BAA0B,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAGtD,iBAAiB,CAAC,MAAM,EAAE,kBAAkB,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC7D,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC,CAAC;IACnE,kBAAkB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACjD,kBAAkB,CAAC,QAAQ,EAAE,MAAM,EAAE,SAAS,EAAE,kBAAkB,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAGnF,YAAY,IAAI,MAAM,CAAC;IACvB,oBAAoB,IAAI,MAAM,CAAC;IAC/B,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;CAC1B;AAED;;GAEG;AACH,wBAAgB,UAAU,CAAC,YAAY,EAAE,MAAM,EAAE,SAAS,EAAE,aAAa,GAAG,OAAO,CAQlF;AAED,wBAAgB,qBAAqB,CAAC,YAAY,EAAE,MAAM,GAAG,aAAa,CAGzE;AAED;;;;;GAKG;AACH,qBAAa,0BAA2B,YAAW,kBAAkB;IACnE,OAAO,CAAC,KAAK,CAA8C;IAC3D,OAAO,CAAC,OAAO,CAAiD;IAChE,OAAO,CAAC,aAAa,CAAyC;IAE9D,uDAAuD;IACvD,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAa;IACvC,0DAA0D;IAC1D,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAkB;IAC/C,+CAA+C;IAC/C,OAAO,CAAC,QAAQ,CAAC,YAAY,CAA4B;IAEzD,YAAY,IAAI,MAAM;IAKtB,oBAAoB,IAAI,MAAM;IAIxB,sBAAsB,CAAC,MAAM,EAAE,uBAAuB,GAAG,OAAO,CAAC,IAAI,CAAC;IAItE,oBAAoB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,uBAAuB,GAAG,IAAI,CAAC;IAa3E,YAAY,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAOzC,uBAAuB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAIpD,yBAAyB,CAAC,MAAM,EAAE,0BAA0B,GAAG,OAAO,CAAC,IAAI,CAAC;IAI5E,uBAAuB,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,0BAA0B,GAAG,IAAI,CAAC;IAa/E,0BAA0B,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAIrD,iBAAiB,CAAC,MAAM,EAAE,kBAAkB,GAAG,OAAO,CAAC,IAAI,CAAC;IAI5D,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC;IAYlE,kBAAkB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAOhD,kBAAkB,CAAC,QAAQ,EAAE,MAAM,EAAE,SAAS,EAAE,kBAAkB,GAAG,OAAO,CAAC,IAAI,CAAC;IASlF,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC;IAyB9B;;OAEG;IACH,gBAAgB,CAAC,MAAM,EAAE;QACvB,QAAQ,EAAE,MAAM,CAAC;QACjB,WAAW,EAAE,MAAM,CAAC;QACpB,MAAM,EAAE,MAAM,EAAE,CAAC;QACjB,IAAI,EAAE,aAAa,CAAC;QACpB,OAAO,EAAE,MAAM,CAAC;QAChB,SAAS,CAAC,EAAE,MAAM,CAAC;QACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,QAAQ,CAAC,EAAE,MAAM,CAAC;QAElB,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;QAC3B,mBAAmB,CAAC,EAAE,MAAM,EAAE,CAAC;QAC/B,kBAAkB,CAAC,EAAE,MAAM,EAAE,CAAC;QAC9B,cAAc,CAAC,EAAE,OAAO,CAAC;QACzB,kBAAkB,CAAC,EAAE,OAAO,CAAC;QAE7B,aAAa,CAAC,EAAE,MAAM,CAAC;KACxB,GAAG,uBAAuB;IA2B3B;;OAEG;IACH,mBAAmB,CAAC,MAAM,EAAE;QAC1B,QAAQ,EAAE,MAAM,CAAC;QACjB,WAAW,EAAE,MAAM,CAAC;QACpB,MAAM,EAAE,MAAM,EAAE,CAAC;QACjB,IAAI,EAAE,aAAa,CAAC;QACpB,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,QAAQ,CAAC,EAAE,MAAM,CAAC;QAElB,aAAa,CAAC,EAAE,OAAO,CAAC;QACxB,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,YAAY,CAAC,EAAE,MAAM,CAAC;QACtB,iBAAiB,CAAC,EAAE,MAAM,CAAC;QAC3B,uBAAuB,CAAC,EAAE,MAAM,CAAC;QAEjC,cAAc,CAAC,EAAE,yBAAyB,CAAC;QAE3C,OAAO,CAAC,EAAE,kBAAkB,CAAC;KAC9B,GAAG,0BAA0B;IAyB9B;;OAEG;IACH,wBAAwB,CAAC,MAAM,EAAE;QAC/B,QAAQ,EAAE,MAAM,CAAC;QACjB,OAAO,EAAE,MAAM,CAAC;QAChB,MAAM,EAAE,MAAM,EAAE,CAAC;QACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;KACnB,GAAG,kBAAkB;CAavB;AAED;;;;;GAKG;AACH,qBAAa,uBAAwB,YAAW,kBAAkB;IAG9D,OAAO,CAAC,QAAQ,CAAC,KAAK;IACtB,OAAO,CAAC,QAAQ,CAAC,SAAS;gBADT,KAAK,EAAE,GAAG,EACV,SAAS,SAAW;IAGvC,OAAO,CAAC,GAAG;IAIX,YAAY,IAAI,MAAM;IAItB,oBAAoB,IAAI,MAAM;IAIxB,sBAAsB,CAAC,MAAM,EAAE,uBAAuB,GAAG,OAAO,CAAC,IAAI,CAAC;IAKtE,oBAAoB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,uBAAuB,GAAG,IAAI,CAAC;IAM3E,YAAY,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IASzC,uBAAuB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAIpD,yBAAyB,CAAC,MAAM,EAAE,0BAA0B,GAAG,OAAO,CAAC,IAAI,CAAC;IAK5E,uBAAuB,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,0BAA0B,GAAG,IAAI,CAAC;IAM/E,0BAA0B,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAIrD,iBAAiB,CAAC,MAAM,EAAE,kBAAkB,GAAG,OAAO,CAAC,IAAI,CAAC;IAK5D,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC;IAQlE,kBAAkB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAShD,kBAAkB,CAAC,QAAQ,EAAE,MAAM,EAAE,SAAS,EAAE,kBAAkB,GAAG,OAAO,CAAC,IAAI,CAAC;IAMlF,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC;CAG/B"}

package/session/index.d.ts

@@ -0,0 +1,19 @@
+/**
+ * Session Module
+ *
+ * Provides session management, credential storage, and encryption.
+ */
+export { InMemoryAuthorizationStore, RedisAuthorizationStore, verifyPkce, generatePkceChallenge, pkceChallengeSchema, authorizationCodeRecordSchema, } from './authorization.store';
+export type { AuthorizationStore, PkceChallenge, AuthorizationCodeRecord, PendingAuthorizationRecord, RefreshTokenRecord, ConsentStateRecord, FederatedLoginStateRecord, } from './authorization.store';
+export { credentialTypeSchema, oauthCredentialSchema, apiKeyCredentialSchema, basicAuthCredentialSchema, bearerCredentialSchema, privateKeyCredentialSchema, mtlsCredentialSchema, customCredentialSchema, sshKeyCredentialSchema, serviceAccountCredentialSchema, pkceOAuthCredentialSchema, credentialSchema, appCredentialSchema, vaultConsentRecordSchema, vaultFederatedRecordSchema, pendingIncrementalAuthSchema, authorizationVaultEntrySchema, } from './authorization-vault';
+export type { CredentialType, OAuthCredential, ApiKeyCredential, BasicAuthCredential, BearerCredential, PrivateKeyCredential, MtlsCredential, CustomCredential, SshKeyCredential, ServiceAccountCredential, PkceOAuthCredential, Credential, AppCredential, VaultConsentRecord, VaultFederatedRecord, PendingIncrementalAuth, AuthorizationVaultEntry, AuthorizationVault, } from './authorization-vault';
+export { encryptedDataSchema, encryptedVaultEntrySchema, VaultEncryption } from './vault-encryption';
+export type { EncryptedData, VaultKeyDerivationClaims, VaultEncryptionConfig, EncryptedVaultEntry, VaultSensitiveData, } from './vault-encryption';
+export { TokenVault } from './token.vault';
+export type { EncBlob, VaultKey } from './token.vault';
+export type { SecretRecord, TokenStore } from './token.store';
+export { hkdfSha256, encryptValue, decryptValue, encryptAesGcm, decryptAesGcm, type EncryptedBlob, } from '@frontmcp/utils';
+export { TinyTtlCache } from './utils';
+export { TypedStorage, EncryptedTypedStorage, EncryptedStorageError, StorageTokenStore, StorageAuthorizationVault, InMemoryAuthorizationVault, } from './storage';
+export type { TypedStorageOptions, TypedSetOptions, TypedSetEntry, EncryptedTypedStorageOptions, EncryptedSetOptions, EncryptedSetEntry, EncryptionKey, StoredEncryptedBlob, ClientKeyBinding, StorageTokenStoreOptions, StorageAuthorizationVaultOptions, InMemoryAuthorizationVaultOptions, } from './storage';
+//# sourceMappingURL=index.d.ts.map

package/session/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/session/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,OAAO,EAEL,0BAA0B,EAC1B,uBAAuB,EAEvB,UAAU,EACV,qBAAqB,EAErB,mBAAmB,EACnB,6BAA6B,GAC9B,MAAM,uBAAuB,CAAC;AAC/B,YAAY,EAEV,kBAAkB,EAClB,aAAa,EACb,uBAAuB,EACvB,0BAA0B,EAC1B,kBAAkB,EAClB,kBAAkB,EAClB,yBAAyB,GAC1B,MAAM,uBAAuB,CAAC;AAG/B,OAAO,EAEL,oBAAoB,EACpB,qBAAqB,EACrB,sBAAsB,EACtB,yBAAyB,EACzB,sBAAsB,EACtB,0BAA0B,EAC1B,oBAAoB,EACpB,sBAAsB,EACtB,sBAAsB,EACtB,8BAA8B,EAC9B,yBAAyB,EACzB,gBAAgB,EAEhB,mBAAmB,EACnB,wBAAwB,EACxB,0BAA0B,EAC1B,4BAA4B,EAC5B,6BAA6B,GAC9B,MAAM,uBAAuB,CAAC;AAC/B,YAAY,EACV,cAAc,EACd,eAAe,EACf,gBAAgB,EAChB,mBAAmB,EACnB,gBAAgB,EAChB,oBAAoB,EACpB,cAAc,EACd,gBAAgB,EAChB,gBAAgB,EAChB,wBAAwB,EACxB,mBAAmB,EACnB,UAAU,EACV,aAAa,EACb,kBAAkB,EAClB,oBAAoB,EACpB,sBAAsB,EACtB,uBAAuB,EACvB,kBAAkB,GACnB,MAAM,uBAAuB,CAAC;AAG/B,OAAO,EAAE,mBAAmB,EAAE,yBAAyB,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AACrG,YAAY,EACV,aAAa,EACb,wBAAwB,EACxB,qBAAqB,EACrB,mBAAmB,EACnB,kBAAkB,GACnB,MAAM,oBAAoB,CAAC;AAG5B,OAAO,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAC3C,YAAY,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AAGvD,YAAY,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAG9D,OAAO,EACL,UAAU,EACV,YAAY,EACZ,YAAY,EACZ,aAAa,EACb,aAAa,EACb,KAAK,aAAa,GACnB,MAAM,iBAAiB,CAAC;AAGzB,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAGvC,OAAO,EACL,YAAY,EACZ,qBAAqB,EACrB,qBAAqB,EACrB,iBAAiB,EACjB,yBAAyB,EACzB,0BAA0B,GAC3B,MAAM,WAAW,CAAC;AACnB,YAAY,EACV,mBAAmB,EACnB,eAAe,EACf,aAAa,EACb,4BAA4B,EAC5B,mBAAmB,EACnB,iBAAiB,EACjB,aAAa,EACb,mBAAmB,EACnB,gBAAgB,EAChB,wBAAwB,EACxB,gCAAgC,EAChC,iCAAiC,GAClC,MAAM,WAAW,CAAC"}

package/session/storage/in-memory-authorization-vault.d.ts

@@ -0,0 +1,53 @@
+/**
+ * In-Memory Authorization Vault
+ *
+ * Development/testing implementation using MemoryStorageAdapter.
+ * Data is lost on restart.
+ *
+ * For production, use StorageAuthorizationVault with a persistent
+ * storage adapter (Redis, Vercel KV, Upstash, etc.).
+ *
+ * @example
+ * ```typescript
+ * const vault = new InMemoryAuthorizationVault();
+ * const entry = await vault.create({
+ *   userSub: 'user123',
+ *   clientId: 'client456',
+ * });
+ * ```
+ */
+import { StorageAuthorizationVault } from './storage-authorization-vault';
+/**
+ * Options for InMemoryAuthorizationVault
+ */
+export interface InMemoryAuthorizationVaultOptions {
+    /**
+     * Namespace prefix for all keys.
+     * @default 'vault'
+     */
+    namespace?: string;
+    /**
+     * Default TTL for pending auth requests in milliseconds.
+     * @default 600000 (10 minutes)
+     */
+    pendingAuthTtlMs?: number;
+}
+/**
+ * In-Memory Authorization Vault
+ *
+ * Development/testing implementation using MemoryStorageAdapter.
+ * Data is lost on restart.
+ *
+ * For production, use StorageAuthorizationVault with a persistent
+ * storage adapter (Redis, Vercel KV, Upstash, etc.).
+ */
+export declare class InMemoryAuthorizationVault extends StorageAuthorizationVault {
+    private readonly memoryAdapter;
+    constructor(options?: InMemoryAuthorizationVaultOptions);
+    /**
+     * Clear all stored data.
+     * Useful for testing.
+     */
+    clear(): Promise<void>;
+}
+//# sourceMappingURL=in-memory-authorization-vault.d.ts.map

package/session/storage/in-memory-authorization-vault.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"in-memory-authorization-vault.d.ts","sourceRoot":"","sources":["../../../src/session/storage/in-memory-authorization-vault.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAGH,OAAO,EAAE,yBAAyB,EAAE,MAAM,+BAA+B,CAAC;AAE1E;;GAEG;AACH,MAAM,WAAW,iCAAiC;IAChD;;;OAGG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB;;;OAGG;IACH,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B;AAED;;;;;;;;GAQG;AACH,qBAAa,0BAA2B,SAAQ,yBAAyB;IACvE,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAuB;gBAEzC,OAAO,GAAE,iCAAsC;IAY3D;;;OAGG;IACG,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;CAM7B"}

package/session/storage/index.d.ts

@@ -0,0 +1,17 @@
+/**
+ * Storage Module
+ *
+ * Storage-adapter-backed implementations of TokenStore and AuthorizationVault.
+ * Uses @frontmcp/utils/storage for unified backend support (Memory, Redis, Vercel KV, Upstash).
+ */
+export { TypedStorage } from '@frontmcp/utils';
+export type { TypedStorageOptions, TypedSetOptions, TypedSetEntry } from '@frontmcp/utils';
+export { EncryptedTypedStorage, EncryptedStorageError } from '@frontmcp/utils';
+export type { EncryptedTypedStorageOptions, EncryptedSetOptions, EncryptedSetEntry, EncryptionKey, StoredEncryptedBlob, ClientKeyBinding, } from '@frontmcp/utils';
+export { StorageTokenStore } from './storage-token-store';
+export type { StorageTokenStoreOptions } from './storage-token-store';
+export { StorageAuthorizationVault } from './storage-authorization-vault';
+export type { StorageAuthorizationVaultOptions } from './storage-authorization-vault';
+export { InMemoryAuthorizationVault } from './in-memory-authorization-vault';
+export type { InMemoryAuthorizationVaultOptions } from './in-memory-authorization-vault';
+//# sourceMappingURL=index.d.ts.map

package/session/storage/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/session/storage/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAC/C,YAAY,EAAE,mBAAmB,EAAE,eAAe,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAG3F,OAAO,EAAE,qBAAqB,EAAE,qBAAqB,EAAE,MAAM,iBAAiB,CAAC;AAC/E,YAAY,EACV,4BAA4B,EAC5B,mBAAmB,EACnB,iBAAiB,EACjB,aAAa,EACb,mBAAmB,EACnB,gBAAgB,GACjB,MAAM,iBAAiB,CAAC;AAGzB,OAAO,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAC1D,YAAY,EAAE,wBAAwB,EAAE,MAAM,uBAAuB,CAAC;AAGtE,OAAO,EAAE,yBAAyB,EAAE,MAAM,+BAA+B,CAAC;AAC1E,YAAY,EAAE,gCAAgC,EAAE,MAAM,+BAA+B,CAAC;AAGtF,OAAO,EAAE,0BAA0B,EAAE,MAAM,iCAAiC,CAAC;AAC7E,YAAY,EAAE,iCAAiC,EAAE,MAAM,iCAAiC,CAAC"}

package/session/storage/storage-authorization-vault.d.ts

@@ -0,0 +1,107 @@
+/**
+ * StorageAuthorizationVault
+ *
+ * AuthorizationVault implementation backed by @frontmcp/utils/storage adapters.
+ * Supports Memory, Redis, Vercel KV, and Upstash backends.
+ *
+ * @example
+ * ```typescript
+ * import { createStorage } from '@frontmcp/utils/storage';
+ * import { StorageAuthorizationVault } from '@frontmcp/auth';
+ *
+ * const storage = await createStorage({ type: 'auto' });
+ * const vault = new StorageAuthorizationVault(storage);
+ *
+ * const entry = await vault.create({
+ *   userSub: 'user123',
+ *   clientId: 'client456',
+ * });
+ * ```
+ */
+import type { StorageAdapter, NamespacedStorage } from '@frontmcp/utils';
+import type { AuthorizationVault, AuthorizationVaultEntry, AppCredential, VaultConsentRecord, VaultFederatedRecord, PendingIncrementalAuth } from '../authorization-vault';
+/**
+ * Options for StorageAuthorizationVault
+ */
+export interface StorageAuthorizationVaultOptions {
+    /**
+     * Namespace prefix for all keys.
+     * @default 'vault'
+     */
+    namespace?: string;
+    /**
+     * Default TTL for pending auth requests in milliseconds.
+     * @default 600000 (10 minutes)
+     */
+    pendingAuthTtlMs?: number;
+    /**
+     * Whether to validate entries with Zod schema on read.
+     * @default false
+     */
+    validateOnRead?: boolean;
+}
+/**
+ * AuthorizationVault implementation using StorageAdapter.
+ *
+ * Stores complete AuthorizationVaultEntry documents as JSON blobs.
+ * Supports all AuthorizationVault interface methods.
+ */
+export declare class StorageAuthorizationVault implements AuthorizationVault {
+    private readonly storage;
+    private readonly namespace;
+    private readonly pendingAuthTtlMs;
+    constructor(storage: StorageAdapter | NamespacedStorage, options?: StorageAuthorizationVaultOptions);
+    create(params: {
+        userSub: string;
+        userEmail?: string;
+        userName?: string;
+        clientId: string;
+        consent?: VaultConsentRecord;
+        federated?: VaultFederatedRecord;
+        authorizedAppIds?: string[];
+        skippedAppIds?: string[];
+    }): Promise<AuthorizationVaultEntry>;
+    get(id: string): Promise<AuthorizationVaultEntry | null>;
+    update(id: string, updates: Partial<AuthorizationVaultEntry>): Promise<void>;
+    delete(id: string): Promise<void>;
+    updateConsent(vaultId: string, consent: VaultConsentRecord): Promise<void>;
+    authorizeApp(vaultId: string, appId: string): Promise<void>;
+    isAppAuthorized(vaultId: string, appId: string): Promise<boolean>;
+    createPendingAuth(vaultId: string, params: {
+        appId: string;
+        toolId?: string;
+        authUrl: string;
+        requiredScopes?: string[];
+        elicitId?: string;
+        ttlMs?: number;
+    }): Promise<PendingIncrementalAuth>;
+    getPendingAuth(vaultId: string, pendingAuthId: string): Promise<PendingIncrementalAuth | null>;
+    completePendingAuth(vaultId: string, pendingAuthId: string): Promise<void>;
+    cancelPendingAuth(vaultId: string, pendingAuthId: string): Promise<void>;
+    getPendingAuths(vaultId: string): Promise<PendingIncrementalAuth[]>;
+    private credentialKey;
+    addAppCredential(vaultId: string, credential: AppCredential): Promise<void>;
+    removeAppCredential(vaultId: string, appId: string, providerId: string): Promise<void>;
+    getAppCredentials(vaultId: string, appId: string): Promise<AppCredential[]>;
+    getCredential(vaultId: string, appId: string, providerId: string): Promise<AppCredential | null>;
+    getAllCredentials(vaultId: string, filterByConsent?: boolean): Promise<AppCredential[]>;
+    updateCredential(vaultId: string, appId: string, providerId: string, updates: Partial<Pick<AppCredential, 'lastUsedAt' | 'isValid' | 'invalidReason' | 'expiresAt' | 'metadata'>>): Promise<void>;
+    shouldStoreCredential(vaultId: string, appId: string, toolIds?: string[]): Promise<boolean>;
+    invalidateCredential(vaultId: string, appId: string, providerId: string, reason: string): Promise<void>;
+    refreshOAuthCredential(vaultId: string, appId: string, providerId: string, tokens: {
+        accessToken: string;
+        refreshToken?: string;
+        expiresAt?: number;
+    }): Promise<void>;
+    cleanup(): Promise<void>;
+    /**
+     * Build the storage key for a vault ID.
+     * For non-namespaced storage, includes the namespace prefix.
+     */
+    private key;
+    /**
+     * Type guard to check if storage is a NamespacedStorage.
+     */
+    private isNamespacedStorage;
+}
+//# sourceMappingURL=storage-authorization-vault.d.ts.map

package/session/storage/storage-authorization-vault.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"storage-authorization-vault.d.ts","sourceRoot":"","sources":["../../../src/session/storage/storage-authorization-vault.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAGH,OAAO,KAAK,EAAE,cAAc,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AACzE,OAAO,KAAK,EACV,kBAAkB,EAClB,uBAAuB,EACvB,aAAa,EACb,kBAAkB,EAClB,oBAAoB,EACpB,sBAAsB,EACvB,MAAM,wBAAwB,CAAC;AAGhC;;GAEG;AACH,MAAM,WAAW,gCAAgC;IAC/C;;;OAGG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB;;;OAGG;IACH,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAE1B;;;OAGG;IACH,cAAc,CAAC,EAAE,OAAO,CAAC;CAC1B;AAED;;;;;GAKG;AACH,qBAAa,yBAA0B,YAAW,kBAAkB;IAClE,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAwC;IAChE,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAS;IACnC,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAS;gBAE9B,OAAO,EAAE,cAAc,GAAG,iBAAiB,EAAE,OAAO,GAAE,gCAAqC;IAiBjG,MAAM,CAAC,MAAM,EAAE;QACnB,OAAO,EAAE,MAAM,CAAC;QAChB,SAAS,CAAC,EAAE,MAAM,CAAC;QACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,QAAQ,EAAE,MAAM,CAAC;QACjB,OAAO,CAAC,EAAE,kBAAkB,CAAC;QAC7B,SAAS,CAAC,EAAE,oBAAoB,CAAC;QACjC,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;QAC5B,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;KAC1B,GAAG,OAAO,CAAC,uBAAuB,CAAC;IAsB9B,GAAG,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,uBAAuB,GAAG,IAAI,CAAC;IAIxD,MAAM,CAAC,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,CAAC,uBAAuB,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC;IAe5E,MAAM,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAQjC,aAAa,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,kBAAkB,GAAG,OAAO,CAAC,IAAI,CAAC;IAa1E,YAAY,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAa3D,eAAe,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAWjE,iBAAiB,CACrB,OAAO,EAAE,MAAM,EACf,MAAM,EAAE;QACN,KAAK,EAAE,MAAM,CAAC;QACd,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,OAAO,EAAE,MAAM,CAAC;QAChB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;QAC1B,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,KAAK,CAAC,EAAE,MAAM,CAAC;KAChB,GACA,OAAO,CAAC,sBAAsB,CAAC;IA0B5B,cAAc,CAAC,OAAO,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,GAAG,OAAO,CAAC,sBAAsB,GAAG,IAAI,CAAC;IAgB9F,mBAAmB,CAAC,OAAO,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAmB1E,iBAAiB,CAAC,OAAO,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAWxE,eAAe,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,sBAAsB,EAAE,CAAC;IA0BzE,OAAO,CAAC,aAAa;IAIf,gBAAgB,CAAC,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,aAAa,GAAG,OAAO,CAAC,IAAI,CAAC;IAgB3E,mBAAmB,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAUtF,iBAAiB,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,EAAE,CAAC;IAU3E,aAAa,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC;IAQhG,iBAAiB,CAAC,OAAO,EAAE,MAAM,EAAE,eAAe,UAAQ,GAAG,OAAO,CAAC,aAAa,EAAE,CAAC;IAiBrF,gBAAgB,CACpB,OAAO,EAAE,MAAM,EACf,KAAK,EAAE,MAAM,EACb,UAAU,EAAE,MAAM,EAClB,OAAO,EAAE,OAAO,CAAC,IAAI,CAAC,aAAa,EAAE,YAAY,GAAG,SAAS,GAAG,eAAe,GAAG,WAAW,GAAG,UAAU,CAAC,CAAC,GAC3G,OAAO,CAAC,IAAI,CAAC;IAaV,qBAAqB,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,OAAO,CAAC;IAoB3F,oBAAoB,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAOvG,sBAAsB,CAC1B,OAAO,EAAE,MAAM,EACf,KAAK,EAAE,MAAM,EACb,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE;QAAE,WAAW,EAAE,MAAM,CAAC;QAAC,YAAY,CAAC,EAAE,MAAM,CAAC;QAAC,SAAS,CAAC,EAAE,MAAM,CAAA;KAAE,GACzE,OAAO,CAAC,IAAI,CAAC;IA6BV,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC;IA+B9B;;;OAGG;IACH,OAAO,CAAC,GAAG;IAIX;;OAEG;IACH,OAAO,CAAC,mBAAmB;CAG5B"}

package/session/storage/storage-token-store.d.ts

@@ -0,0 +1,92 @@
+/**
+ * StorageTokenStore
+ *
+ * TokenStore implementation backed by @frontmcp/utils/storage adapters.
+ * Supports Memory, Redis, Vercel KV, and Upstash backends.
+ *
+ * @example
+ * ```typescript
+ * import { createStorage } from '@frontmcp/utils/storage';
+ * import { StorageTokenStore } from '@frontmcp/auth';
+ *
+ * const storage = await createStorage({ type: 'auto' });
+ * const tokenStore = new StorageTokenStore(storage);
+ *
+ * const id = tokenStore.allocId();
+ * await tokenStore.put(id, encryptedBlob);
+ * const record = await tokenStore.get(id);
+ * ```
+ */
+import type { StorageAdapter, NamespacedStorage } from '@frontmcp/utils';
+import type { TokenStore, SecretRecord } from '../token.store';
+import type { EncBlob } from '../token.vault';
+/**
+ * Options for StorageTokenStore
+ */
+export interface StorageTokenStoreOptions {
+    /**
+     * Namespace prefix for all keys.
+     * @default 'tok'
+     */
+    namespace?: string;
+    /**
+     * Default TTL in seconds when not derived from blob.exp.
+     * If not set and blob.exp is not present, no TTL is applied.
+     */
+    defaultTtlSeconds?: number;
+}
+/**
+ * TokenStore implementation using StorageAdapter.
+ *
+ * Uses the blob's `exp` field (epoch seconds) to calculate TTL for automatic
+ * expiration in the underlying storage backend.
+ */
+export declare class StorageTokenStore implements TokenStore {
+    private readonly storage;
+    private readonly namespace;
+    private readonly defaultTtlSeconds?;
+    /** Track if original storage was namespaced to avoid double-prefixing */
+    private readonly storageIsNamespaced;
+    constructor(storage: StorageAdapter | NamespacedStorage, options?: StorageTokenStoreOptions);
+    /**
+     * Allocate a new unique ID for a token record.
+     */
+    allocId(): string;
+    /**
+     * Store an encrypted token blob.
+     *
+     * TTL is calculated from blob.exp (epoch seconds) if present.
+     * Falls back to defaultTtlSeconds if configured.
+     *
+     * @param id - Token record ID
+     * @param blob - Encrypted token blob
+     */
+    put(id: string, blob: EncBlob): Promise<void>;
+    /**
+     * Retrieve a token record by ID.
+     *
+     * @param id - Token record ID
+     * @returns The secret record, or undefined if not found
+     */
+    get(id: string): Promise<SecretRecord | undefined>;
+    /**
+     * Delete a token record.
+     *
+     * @param id - Token record ID
+     */
+    del(id: string): Promise<void>;
+    /**
+     * Calculate TTL in seconds from expiration timestamp.
+     *
+     * @param exp - Expiration timestamp in epoch seconds
+     * @returns TTL in seconds, or undefined if no TTL should be applied
+     */
+    private calculateTtl;
+    /**
+     * Build the storage key for a token ID.
+     * For namespaced storage, the namespace is handled by the storage layer.
+     * For non-namespaced storage, includes the namespace prefix in the key.
+     */
+    private key;
+}
+//# sourceMappingURL=storage-token-store.d.ts.map

package/session/storage/storage-token-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"storage-token-store.d.ts","sourceRoot":"","sources":["../../../src/session/storage/storage-token-store.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAGH,OAAO,KAAK,EAAE,cAAc,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AACzE,OAAO,KAAK,EAAE,UAAU,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC/D,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,gBAAgB,CAAC;AAE9C;;GAEG;AACH,MAAM,WAAW,wBAAwB;IACvC;;;OAGG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB;;;OAGG;IACH,iBAAiB,CAAC,EAAE,MAAM,CAAC;CAC5B;AAED;;;;;GAKG;AACH,qBAAa,iBAAkB,YAAW,UAAU;IAClD,OAAO,CAAC,QAAQ,CAAC,OAAO,CAA6B;IACrD,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAS;IACnC,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CAAS;IAC5C,yEAAyE;IACzE,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CAAU;gBAElC,OAAO,EAAE,cAAc,GAAG,iBAAiB,EAAE,OAAO,GAAE,wBAA6B;IAe/F;;OAEG;IACH,OAAO,IAAI,MAAM;IAIjB;;;;;;;;OAQG;IACG,GAAG,CAAC,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC;IAWnD;;;;;OAKG;IACG,GAAG,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,GAAG,SAAS,CAAC;IAKxD;;;;OAIG;IACG,GAAG,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAIpC;;;;;OAKG;IACH,OAAO,CAAC,YAAY;IAUpB;;;;OAIG;IACH,OAAO,CAAC,GAAG;CAGZ"}