@frontmcp/auth 0.10.0 → 0.11.0

package/authorization/orchestrated.authorization.d.ts

@@ -0,0 +1,257 @@
+import { AuthorizationBase } from './authorization.class';
+import type { AuthorizationCreateCtx, AuthUser, AuthMode } from './authorization.types';
+import type { EncryptedBlob } from '@frontmcp/utils';
+/**
+ * Token store interface for orchestrated mode
+ * Implementations can be memory-based, Redis, or custom stores
+ */
+export interface TokenStore {
+    /**
+     * Retrieve decrypted access token for a provider
+     */
+    getAccessToken(authorizationId: string, providerId: string): Promise<string | null>;
+    /**
+     * Retrieve decrypted refresh token for a provider
+     */
+    getRefreshToken(authorizationId: string, providerId: string): Promise<string | null>;
+    /**
+     * Store tokens for a provider (encrypted)
+     */
+    storeTokens(authorizationId: string, providerId: string, tokens: {
+        accessToken: string;
+        refreshToken?: string;
+        expiresAt?: number;
+    }): Promise<void>;
+    /**
+     * Delete tokens for a provider
+     */
+    deleteTokens(authorizationId: string, providerId: string): Promise<void>;
+    /**
+     * Check if tokens exist for a provider
+     */
+    hasTokens(authorizationId: string, providerId: string): Promise<boolean>;
+    /**
+     * Get all provider IDs that have tokens stored for this authorization.
+     */
+    getProviderIds(authorizationId: string): Promise<string[]>;
+    /**
+     * Migrate tokens from one authorization ID to another.
+     * Used when tokens are stored with a pending ID during federated auth
+     * and need to be accessible under the real authorization ID.
+     *
+     * @param fromAuthId - Source authorization ID (e.g., "pending:abc123")
+     * @param toAuthId - Target authorization ID (e.g., "def456")
+     */
+    migrateTokens(fromAuthId: string, toAuthId: string): Promise<void>;
+}
+/**
+ * Token refresh callback type
+ */
+export type TokenRefreshCallback = (providerId: string, refreshToken: string) => Promise<{
+    accessToken: string;
+    refreshToken?: string;
+    expiresIn?: number;
+}>;
+/**
+ * Provider token state for orchestrated authorization
+ */
+export interface OrchestratedProviderState {
+    /** Provider ID */
+    id: string;
+    /** Encrypted access token blob */
+    accessTokenEnc?: EncryptedBlob;
+    /** Encrypted refresh token blob */
+    refreshTokenEnc?: EncryptedBlob;
+    /** Token expiration (epoch ms) */
+    expiresAt?: number;
+    /** External reference ID (for vault/store) */
+    secretRefId?: string;
+    /** Refresh reference ID */
+    refreshRefId?: string;
+}
+/**
+ * Context for creating an OrchestratedAuthorization
+ */
+export interface OrchestratedAuthorizationCreateCtx {
+    /**
+     * The local JWT issued by the orchestrating server
+     */
+    token: string;
+    /**
+     * User identity from upstream provider
+     */
+    user: AuthUser;
+    /**
+     * Scopes granted to this authorization
+     */
+    scopes?: string[];
+    /**
+     * JWT claims
+     */
+    claims?: Record<string, unknown>;
+    /**
+     * Expiration (epoch ms)
+     */
+    expiresAt?: number;
+    /**
+     * Primary provider ID (default for getToken)
+     */
+    primaryProviderId?: string;
+    /**
+     * Token store for retrieving/storing provider tokens
+     */
+    tokenStore?: TokenStore;
+    /**
+     * Token refresh callback
+     */
+    onTokenRefresh?: TokenRefreshCallback;
+    /**
+     * Provider states (with encrypted tokens)
+     */
+    providers?: Record<string, OrchestratedProviderState>;
+    /**
+     * Precomputed authorization projections
+     */
+    authorizedTools?: AuthorizationCreateCtx['authorizedTools'];
+    authorizedToolIds?: string[];
+    authorizedPrompts?: AuthorizationCreateCtx['authorizedPrompts'];
+    authorizedPromptIds?: string[];
+    authorizedApps?: AuthorizationCreateCtx['authorizedApps'];
+    authorizedAppIds?: string[];
+    authorizedResources?: string[];
+    /**
+     * Provider IDs that the user has explicitly authorized during federated login.
+     * Populated from JWT claims (`federated.selectedProviders`) or token store.
+     * Controls which providers the authorization has access to for progressive auth.
+     */
+    authorizedProviderIds?: string[];
+}
+/**
+ * OrchestratedAuthorization - Local auth server with secure token storage
+ *
+ * In orchestrated mode:
+ * - The MCP server acts as an OAuth client to upstream providers
+ * - Provider tokens are encrypted and never exposed to the LLM
+ * - Supports token refresh and multi-provider scenarios
+ * - getToken() retrieves decrypted tokens from secure storage
+ * - Ideal for multi-tenant, federated auth, or high-security scenarios
+ */
+export declare class OrchestratedAuthorization extends AuthorizationBase {
+    #private;
+    readonly mode: AuthMode;
+    /**
+     * Primary provider ID (default for getToken)
+     */
+    readonly primaryProviderId?: string;
+    private constructor();
+    /**
+     * Create an OrchestratedAuthorization
+     *
+     * @param ctx - Creation context
+     * @returns A new OrchestratedAuthorization instance
+     *
+     * @example
+     * ```typescript
+     * const auth = OrchestratedAuthorization.create({
+     *   token: localJwt,
+     *   user: { sub: 'user123', name: 'John' },
+     *   primaryProviderId: 'github',
+     *   tokenStore: redisTokenStore,
+     *   providers: {
+     *     github: { id: 'github', secretRefId: 'vault:github:user123' },
+     *   },
+     * });
+     *
+     * // Retrieve token securely (never exposed to LLM)
+     * const githubToken = await auth.getToken('github');
+     * ```
+     */
+    static create(ctx: OrchestratedAuthorizationCreateCtx): OrchestratedAuthorization;
+    /**
+     * Get access token for a provider
+     *
+     * Retrieves the decrypted token from the secure store.
+     * If the token is expired and refresh is available, attempts refresh.
+     *
+     * @param providerId - Provider ID (defaults to primaryProviderId)
+     * @returns The decrypted access token
+     * @throws If no token store or no token available
+     */
+    getToken(providerId?: string): Promise<string>;
+    /**
+     * Refresh token and return new access token
+     */
+    private refreshAndGetToken;
+    /**
+     * Check if a provider has tokens stored
+     */
+    hasProvider(providerId: string): boolean;
+    /**
+     * Get all provider IDs with tokens
+     */
+    getProviderIds(): string[];
+    /**
+     * Add a new provider to this authorization
+     * Used when user authorizes additional providers after initial auth
+     */
+    addProvider(providerId: string, tokens: {
+        accessToken: string;
+        refreshToken?: string;
+        expiresIn?: number;
+    }): Promise<void>;
+    /**
+     * Add app authorization after initial auth (progressive authorization).
+     * Stores app tokens server-side and updates authorized apps without JWT reissue.
+     *
+     * @param appId - App ID to authorize
+     * @param toolIds - Tool IDs accessible through this app authorization
+     * @param tokens - OAuth tokens from the app's auth provider
+     *
+     * @example
+     * ```typescript
+     * // User clicks auth link for Slack app
+     * await auth.addAppAuthorization('slack', ['slack:send_message', 'slack:list_channels'], {
+     *   accessToken: slackAccessToken,
+     *   refreshToken: slackRefreshToken,
+     *   expiresIn: 3600,
+     * });
+     *
+     * // Now slack tools will work without re-auth
+     * ```
+     */
+    addAppAuthorization(appId: string, toolIds: string[], tokens: {
+        accessToken: string;
+        refreshToken?: string;
+        expiresIn?: number;
+    }): Promise<void>;
+    /**
+     * Get access token for a specific app (for tool execution).
+     * Retrieves the app's OAuth token from server-side storage.
+     *
+     * @param appId - App ID to get token for
+     * @returns The decrypted access token, or null if not authorized
+     */
+    getAppToken(appId: string): Promise<string | null>;
+    /**
+     * Check if an app is authorized (includes progressively authorized apps).
+     * Overrides base class to include mutable app authorization state.
+     */
+    isAppAuthorized(appId: string): boolean;
+    /**
+     * Get all authorized app IDs (includes progressively authorized apps).
+     */
+    getAllAuthorizedAppIds(): string[];
+    /**
+     * Get tool IDs authorized through an app.
+     */
+    getAppToolIds(appId: string): string[] | undefined;
+    /**
+     * Remove a provider from this authorization
+     */
+    removeProvider(providerId: string): Promise<void>;
+    /**
+     * Get the issuer (local orchestrator)
+     */
+    get issuer(): string | undefined;
+}
+//# sourceMappingURL=orchestrated.authorization.d.ts.map

package/authorization/orchestrated.authorization.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"orchestrated.authorization.d.ts","sourceRoot":"","sources":["../../src/authorization/orchestrated.authorization.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAC1D,OAAO,KAAK,EAAE,sBAAsB,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,uBAAuB,CAAC;AAExF,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAIrD;;;GAGG;AACH,MAAM,WAAW,UAAU;IACzB;;OAEG;IACH,cAAc,CAAC,eAAe,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IAEpF;;OAEG;IACH,eAAe,CAAC,eAAe,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IAErF;;OAEG;IACH,WAAW,CACT,eAAe,EAAE,MAAM,EACvB,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE;QACN,WAAW,EAAE,MAAM,CAAC;QACpB,YAAY,CAAC,EAAE,MAAM,CAAC;QACtB,SAAS,CAAC,EAAE,MAAM,CAAC;KACpB,GACA,OAAO,CAAC,IAAI,CAAC,CAAC;IAEjB;;OAEG;IACH,YAAY,CAAC,eAAe,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAEzE;;OAEG;IACH,SAAS,CAAC,eAAe,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAEzE;;OAEG;IACH,cAAc,CAAC,eAAe,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;IAE3D;;;;;;;OAOG;IACH,aAAa,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CACpE;AAED;;GAEG;AACH,MAAM,MAAM,oBAAoB,GAAG,CACjC,UAAU,EAAE,MAAM,EAClB,YAAY,EAAE,MAAM,KACjB,OAAO,CAAC;IACX,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,CAAC,CAAC;AAEH;;GAEG;AACH,MAAM,WAAW,yBAAyB;IACxC,kBAAkB;IAClB,EAAE,EAAE,MAAM,CAAC;IACX,kCAAkC;IAClC,cAAc,CAAC,EAAE,aAAa,CAAC;IAC/B,mCAAmC;IACnC,eAAe,CAAC,EAAE,aAAa,CAAC;IAChC,kCAAkC;IAClC,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,8CAA8C;IAC9C,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,2BAA2B;IAC3B,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED;;GAEG;AACH,MAAM,WAAW,kCAAkC;IACjD;;OAEG;IACH,KAAK,EAAE,MAAM,CAAC;IAEd;;OAEG;IACH,IAAI,EAAE,QAAQ,CAAC;IAEf;;OAEG;IACH,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAElB;;OAEG;IACH,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAEjC;;OAEG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB;;OAEG;IACH,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAE3B;;OAEG;IACH,UAAU,CAAC,EAAE,UAAU,CAAC;IAExB;;OAEG;IACH,cAAc,CAAC,EAAE,oBAAoB,CAAC;IAEtC;;OAEG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,yBAAyB,CAAC,CAAC;IAEtD;;OAEG;IACH,eAAe,CAAC,EAAE,sBAAsB,CAAC,iBAAiB,CAAC,CAAC;IAC5D,iBAAiB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC7B,iBAAiB,CAAC,EAAE,sBAAsB,CAAC,mBAAmB,CAAC,CAAC;IAChE,mBAAmB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC/B,cAAc,CAAC,EAAE,sBAAsB,CAAC,gBAAgB,CAAC,CAAC;IAC1D,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC5B,mBAAmB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC/B;;;;OAIG;IACH,qBAAqB,CAAC,EAAE,MAAM,EAAE,CAAC;CAClC;AAED;;;;;;;;;GASG;AACH,qBAAa,yBAA0B,SAAQ,iBAAiB;;IAC9D,QAAQ,CAAC,IAAI,EAAE,QAAQ,CAAkB;IAEzC;;OAEG;IACH,QAAQ,CAAC,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAiBpC,OAAO;IAeP;;;;;;;;;;;;;;;;;;;;;OAqBG;IACH,MAAM,CAAC,MAAM,CAAC,GAAG,EAAE,kCAAkC,GAAG,yBAAyB;IA2DjF;;;;;;;;;OASG;IACG,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAmCpD;;OAEG;YACW,kBAAkB;IAiChC;;OAEG;IACH,WAAW,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO;IAIxC;;OAEG;IACH,cAAc,IAAI,MAAM,EAAE;IAI1B;;;OAGG;IACG,WAAW,CACf,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE;QACN,WAAW,EAAE,MAAM,CAAC;QACpB,YAAY,CAAC,EAAE,MAAM,CAAC;QACtB,SAAS,CAAC,EAAE,MAAM,CAAC;KACpB,GACA,OAAO,CAAC,IAAI,CAAC;IAqChB;;;;;;;;;;;;;;;;;;;OAmBG;IACG,mBAAmB,CACvB,KAAK,EAAE,MAAM,EACb,OAAO,EAAE,MAAM,EAAE,EACjB,MAAM,EAAE;QACN,WAAW,EAAE,MAAM,CAAC;QACpB,YAAY,CAAC,EAAE,MAAM,CAAC;QACtB,SAAS,CAAC,EAAE,MAAM,CAAC;KACpB,GACA,OAAO,CAAC,IAAI,CAAC;IAehB;;;;;;OAMG;IACG,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAcxD;;;OAGG;IACM,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO;IAIhD;;OAEG;IACH,sBAAsB,IAAI,MAAM,EAAE;IAQlC;;OAEG;IACH,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,EAAE,GAAG,SAAS;IAIlD;;OAEG;IACG,cAAc,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAOvD;;OAEG;IACH,IAAI,MAAM,IAAI,MAAM,GAAG,SAAS,CAE/B;CACF"}

package/authorization/public.authorization.d.ts

@@ -0,0 +1,92 @@
+import { AuthorizationBase } from './authorization.class';
+import type { AuthMode } from './authorization.types';
+/**
+ * Context for creating a PublicAuthorization
+ */
+export interface PublicAuthorizationCreateCtx {
+    /**
+     * Anonymous user's identifier prefix
+     * @default 'anon'
+     */
+    prefix?: string;
+    /**
+     * Anonymous scopes granted to the user
+     * @default ['anonymous']
+     */
+    scopes?: string[];
+    /**
+     * Session TTL in milliseconds
+     * @default 3600000 (1 hour)
+     */
+    ttlMs?: number;
+    /**
+     * Issuer identifier for the anonymous JWT
+     */
+    issuer?: string;
+    /**
+     * Allowed tools for anonymous access
+     * If 'all', all tools are allowed
+     */
+    allowedTools?: 'all' | string[];
+    /**
+     * Allowed prompts for anonymous access
+     * If 'all', all prompts are allowed
+     */
+    allowedPrompts?: 'all' | string[];
+}
+/**
+ * PublicAuthorization - Authorization for public/anonymous access mode
+ *
+ * In public mode:
+ * - No authentication is required
+ * - Anonymous sessions are auto-generated
+ * - getToken() throws - anonymous users cannot access provider tokens
+ * - Ideal for development, docs, public wikis, and read-only resources
+ */
+export declare class PublicAuthorization extends AuthorizationBase {
+    readonly mode: AuthMode;
+    /**
+     * Issuer identifier for the anonymous authorization
+     */
+    readonly issuer?: string;
+    private constructor();
+    /**
+     * Create a new PublicAuthorization for anonymous access
+     *
+     * @param ctx - Creation context with optional configuration
+     * @returns A new PublicAuthorization instance
+     *
+     * @example
+     * ```typescript
+     * const auth = PublicAuthorization.create({
+     *   scopes: ['read', 'anonymous'],
+     *   ttlMs: 3600000,
+     *   allowedTools: ['search', 'get-docs'],
+     * });
+     * ```
+     */
+    static create(ctx?: PublicAuthorizationCreateCtx): PublicAuthorization;
+    /**
+     * Anonymous users cannot access provider tokens
+     *
+     * @throws TokenNotAvailableError always - anonymous users do not have provider tokens
+     */
+    getToken(_providerId?: string): Promise<string>;
+    /**
+     * Check if all tools are allowed (public access)
+     */
+    get allowsAllTools(): boolean;
+    /**
+     * Check if all prompts are allowed (public access)
+     */
+    get allowsAllPrompts(): boolean;
+    /**
+     * Override canAccessTool to support 'all' mode
+     */
+    canAccessTool(toolId: string): boolean;
+    /**
+     * Override canAccessPrompt to support 'all' mode
+     */
+    canAccessPrompt(promptId: string): boolean;
+}
+//# sourceMappingURL=public.authorization.d.ts.map

package/authorization/public.authorization.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"public.authorization.d.ts","sourceRoot":"","sources":["../../src/authorization/public.authorization.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAC1D,OAAO,KAAK,EAAoC,QAAQ,EAAE,MAAM,uBAAuB,CAAC;AAGxF;;GAEG;AACH,MAAM,WAAW,4BAA4B;IAC3C;;;OAGG;IACH,MAAM,CAAC,EAAE,MAAM,CAAC;IAEhB;;;OAGG;IACH,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAElB;;;OAGG;IACH,KAAK,CAAC,EAAE,MAAM,CAAC;IAEf;;OAEG;IACH,MAAM,CAAC,EAAE,MAAM,CAAC;IAEhB;;;OAGG;IACH,YAAY,CAAC,EAAE,KAAK,GAAG,MAAM,EAAE,CAAC;IAEhC;;;OAGG;IACH,cAAc,CAAC,EAAE,KAAK,GAAG,MAAM,EAAE,CAAC;CACnC;AAED;;;;;;;;GAQG;AACH,qBAAa,mBAAoB,SAAQ,iBAAiB;IACxD,QAAQ,CAAC,IAAI,EAAE,QAAQ,CAAY;IAEnC;;OAEG;IACH,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;IAEzB,OAAO;IAKP;;;;;;;;;;;;;;OAcG;IACH,MAAM,CAAC,MAAM,CAAC,GAAG,GAAE,4BAAiC,GAAG,mBAAmB;IA6D1E;;;;OAIG;IACG,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAOrD;;OAEG;IACH,IAAI,cAAc,IAAI,OAAO,CAE5B;IAED;;OAEG;IACH,IAAI,gBAAgB,IAAI,OAAO,CAE9B;IAED;;OAEG;IACM,aAAa,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO;IAQ/C;;OAEG;IACM,eAAe,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO;CAOpD"}

package/authorization/transparent.authorization.d.ts

@@ -0,0 +1,130 @@
+import { AuthorizationBase } from './authorization.class';
+import type { AuthorizationCreateCtx, AuthMode } from './authorization.types';
+/**
+ * Verified JWT payload from transparent auth provider
+ */
+export interface TransparentVerifiedPayload {
+    /** Subject identifier */
+    sub: string;
+    /** Issuer */
+    iss?: string;
+    /** Audience */
+    aud?: string | string[];
+    /** Expiration (seconds since epoch) */
+    exp?: number;
+    /** Issued at (seconds since epoch) */
+    iat?: number;
+    /** Scopes (space-separated or array) */
+    scope?: string | string[];
+    /** Display name */
+    name?: string;
+    /** Email */
+    email?: string;
+    /** Picture URL */
+    picture?: string;
+    /** Additional claims */
+    [key: string]: unknown;
+}
+/**
+ * Context for creating a TransparentAuthorization
+ */
+export interface TransparentAuthorizationCreateCtx {
+    /**
+     * The original bearer token (passed through to downstream)
+     */
+    token: string;
+    /**
+     * Verified JWT payload from the upstream provider
+     */
+    payload: TransparentVerifiedPayload;
+    /**
+     * Provider ID for this authorization
+     */
+    providerId: string;
+    /**
+     * Provider name for display/logging
+     */
+    providerName?: string;
+    /**
+     * Precomputed authorization projections
+     */
+    authorizedTools?: AuthorizationCreateCtx['authorizedTools'];
+    authorizedToolIds?: string[];
+    authorizedPrompts?: AuthorizationCreateCtx['authorizedPrompts'];
+    authorizedPromptIds?: string[];
+    authorizedApps?: AuthorizationCreateCtx['authorizedApps'];
+    authorizedAppIds?: string[];
+    authorizedResources?: string[];
+}
+/**
+ * TransparentAuthorization - Pass-through OAuth tokens
+ *
+ * In transparent mode:
+ * - The client's token is forwarded directly to downstream services
+ * - Token validation happens via the upstream provider's JWKS
+ * - getToken() returns the original bearer token
+ * - Ideal when the auth server is the source of truth
+ */
+export declare class TransparentAuthorization extends AuthorizationBase {
+    readonly mode: AuthMode;
+    /**
+     * Provider ID that issued the token
+     */
+    readonly providerId: string;
+    /**
+     * Provider display name
+     */
+    readonly providerName?: string;
+    private constructor();
+    /**
+     * Create a TransparentAuthorization from a verified JWT
+     *
+     * @param ctx - Creation context with token and verified payload
+     * @returns A new TransparentAuthorization instance
+     *
+     * @example
+     * ```typescript
+     * const auth = TransparentAuthorization.fromVerifiedToken({
+     *   token: bearerToken,
+     *   payload: verifiedClaims,
+     *   providerId: 'auth0',
+     * });
+     *
+     * // Pass token through to downstream
+     * const token = await auth.getToken();
+     * ```
+     */
+    static fromVerifiedToken(ctx: TransparentAuthorizationCreateCtx): TransparentAuthorization;
+    /**
+     * Get the original bearer token for pass-through
+     *
+     * In transparent mode, the same token is returned regardless of providerId
+     * since only one provider (the upstream) issued the token.
+     *
+     * @param _providerId - Ignored in transparent mode
+     * @returns The original bearer token
+     */
+    getToken(_providerId?: string): Promise<string>;
+    /**
+     * Parse scope claim from JWT payload
+     */
+    private static parseScopes;
+    /**
+     * Generate authorization ID from token signature
+     * Uses SHA-256 fingerprint of the token signature for uniqueness
+     */
+    private static generateAuthorizationId;
+    /**
+     * Get the issuer from the token claims
+     */
+    get issuer(): string | undefined;
+    /**
+     * Get the audience from the token claims
+     */
+    get audience(): string | string[] | undefined;
+    /**
+     * Check if the token was issued for a specific audience
+     */
+    hasAudience(aud: string): boolean;
+}
+//# sourceMappingURL=transparent.authorization.d.ts.map

package/authorization/transparent.authorization.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"transparent.authorization.d.ts","sourceRoot":"","sources":["../../src/authorization/transparent.authorization.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAC1D,OAAO,KAAK,EAAE,sBAAsB,EAAY,QAAQ,EAAE,MAAM,uBAAuB,CAAC;AAIxF;;GAEG;AACH,MAAM,WAAW,0BAA0B;IACzC,yBAAyB;IACzB,GAAG,EAAE,MAAM,CAAC;IACZ,aAAa;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,eAAe;IACf,GAAG,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IACxB,uCAAuC;IACvC,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,sCAAsC;IACtC,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,wCAAwC;IACxC,KAAK,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IAC1B,mBAAmB;IACnB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,YAAY;IACZ,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,kBAAkB;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,wBAAwB;IACxB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED;;GAEG;AACH,MAAM,WAAW,iCAAiC;IAChD;;OAEG;IACH,KAAK,EAAE,MAAM,CAAC;IAEd;;OAEG;IACH,OAAO,EAAE,0BAA0B,CAAC;IAEpC;;OAEG;IACH,UAAU,EAAE,MAAM,CAAC;IAEnB;;OAEG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;IAEtB;;OAEG;IACH,eAAe,CAAC,EAAE,sBAAsB,CAAC,iBAAiB,CAAC,CAAC;IAC5D,iBAAiB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC7B,iBAAiB,CAAC,EAAE,sBAAsB,CAAC,mBAAmB,CAAC,CAAC;IAChE,mBAAmB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC/B,cAAc,CAAC,EAAE,sBAAsB,CAAC,gBAAgB,CAAC,CAAC;IAC1D,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC5B,mBAAmB,CAAC,EAAE,MAAM,EAAE,CAAC;CAChC;AAED;;;;;;;;GAQG;AACH,qBAAa,wBAAyB,SAAQ,iBAAiB;IAC7D,QAAQ,CAAC,IAAI,EAAE,QAAQ,CAAiB;IAExC;;OAEG;IACH,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAE5B;;OAEG;IACH,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC;IAE/B,OAAO;IAWP;;;;;;;;;;;;;;;;;OAiBG;IACH,MAAM,CAAC,iBAAiB,CAAC,GAAG,EAAE,iCAAiC,GAAG,wBAAwB;IA8C1F;;;;;;;;OAQG;IACG,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAOrD;;OAEG;IACH,OAAO,CAAC,MAAM,CAAC,WAAW;IAM1B;;;OAGG;IACH,OAAO,CAAC,MAAM,CAAC,uBAAuB;IAMtC;;OAEG;IACH,IAAI,MAAM,IAAI,MAAM,GAAG,SAAS,CAE/B;IAED;;OAEG;IACH,IAAI,QAAQ,IAAI,MAAM,GAAG,MAAM,EAAE,GAAG,SAAS,CAE5C;IAED;;OAEG;IACH,WAAW,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO;CAMlC"}

package/common/auth-logger.interface.d.ts

@@ -0,0 +1,15 @@
+/**
+ * Logger interface for auth library components.
+ * Decouples auth from SDK's FrontMcpLogger.
+ */
+export interface AuthLogger {
+    info(msg: string, ...args: unknown[]): void;
+    warn(msg: string, ...args: unknown[]): void;
+    error(msg: string, ...args: unknown[]): void;
+    debug(msg: string, ...args: unknown[]): void;
+}
+/**
+ * No-op logger that discards all messages.
+ */
+export declare const noopAuthLogger: AuthLogger;
+//# sourceMappingURL=auth-logger.interface.d.ts.map

package/common/auth-logger.interface.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-logger.interface.d.ts","sourceRoot":"","sources":["../../src/common/auth-logger.interface.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,MAAM,WAAW,UAAU;IACzB,IAAI,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,IAAI,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC;IAC5C,IAAI,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,IAAI,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC;IAC5C,KAAK,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,IAAI,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC;IAC7C,KAAK,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,IAAI,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC;CAC9C;AAED;;GAEG;AACH,eAAO,MAAM,cAAc,EAAE,UAK5B,CAAC"}

package/common/index.d.ts

@@ -0,0 +1,6 @@
+export * from './auth-logger.interface';
+export * from './zod-utils';
+export * from './session-user.types';
+export * from './jwt.types';
+export * from './session.types';
+//# sourceMappingURL=index.d.ts.map

package/common/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/common/index.ts"],"names":[],"mappings":"AAAA,cAAc,yBAAyB,CAAC;AACxC,cAAc,aAAa,CAAC;AAC5B,cAAc,sBAAsB,CAAC;AACrC,cAAc,aAAa,CAAC;AAC5B,cAAc,iBAAiB,CAAC"}

package/common/jwt.types.d.ts

@@ -0,0 +1,87 @@
+import { z } from 'zod';
+export interface JWKParameters {
+    /** JWK "kty" (Key Type) Parameter */
+    kty?: string;
+    /**
+     * JWK "alg" (Algorithm) Parameter
+     *
+     * @see {@link https://github.com/panva/jose/issues/210 Algorithm Key Requirements}
+     */
+    alg?: string;
+    /** JWK "key_ops" (Key Operations) Parameter */
+    key_ops?: string[];
+    /** JWK "ext" (Extractable) Parameter */
+    ext?: boolean;
+    /** JWK "use" (Public Key Use) Parameter */
+    use?: string;
+    /** JWK "x5c" (X.509 Certificate Chain) Parameter */
+    x5c?: string[];
+    /** JWK "x5t" (X.509 Certificate SHA-1 Thumbprint) Parameter */
+    x5t?: string;
+    /** JWK "x5t#S256" (X.509 Certificate SHA-256 Thumbprint) Parameter */
+    'x5t#S256'?: string;
+    /** JWK "x5u" (X.509 URL) Parameter */
+    x5u?: string;
+    /** JWK "kid" (Key ID) Parameter */
+    kid?: string;
+}
+export declare const jwkParametersSchema: z.ZodObject<{
+    kty: z.ZodOptional<z.ZodString>;
+    alg: z.ZodOptional<z.ZodString>;
+    key_ops: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    ext: z.ZodOptional<z.ZodBoolean>;
+    use: z.ZodOptional<z.ZodString>;
+    x5c: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    x5t: z.ZodOptional<z.ZodString>;
+    'x5t#S256': z.ZodOptional<z.ZodString>;
+    x5u: z.ZodOptional<z.ZodString>;
+    kid: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>;
+export interface JWK extends JWKParameters {
+    /**
+     * - EC JWK "crv" (Curve) Parameter
+     * - OKP JWK "crv" (The Subtype of Key Pair) Parameter
+     */
+    crv?: string;
+    /**
+     * - Private RSA JWK "d" (Private Exponent) Parameter
+     * - Private EC JWK "d" (ECC Private Key) Parameter
+     * - Private OKP JWK "d" (The Private Key) Parameter
+     */
+    d?: string;
+    /** Private RSA JWK "dp" (First Factor CRT Exponent) Parameter */
+    dp?: string;
+    /** Private RSA JWK "dq" (Second Factor CRT Exponent) Parameter */
+    dq?: string;
+    /** RSA JWK "e" (Exponent) Parameter */
+    e?: string;
+    /** Oct JWK "k" (Key Value) Parameter */
+    k?: string;
+    /** RSA JWK "n" (Modulus) Parameter */
+    n?: string;
+    /** Private RSA JWK "p" (First Prime Factor) Parameter */
+    p?: string;
+    /** Private RSA JWK "q" (Second Prime Factor) Parameter */
+    q?: string;
+    /** Private RSA JWK "qi" (First CRT Coefficient) Parameter */
+    qi?: string;
+    /**
+     * - EC JWK "x" (X Coordinate) Parameter
+     * - OKP JWK "x" (The public key) Parameter
+     */
+    x?: string;
+    /** EC JWK "y" (Y Coordinate) Parameter */
+    y?: string;
+    /** AKP JWK "pub" (Public Key) Parameter */
+    pub?: string;
+    /** AKP JWK "priv" (Private key) Parameter */
+    priv?: string;
+}
+export declare const jwkSchema: z.ZodType<JWK>;
+export interface JSONWebKeySet {
+    keys: JWK[];
+}
+export declare const jsonWebKeySetSchema: z.ZodObject<{
+    keys: z.ZodArray<z.ZodType<JWK, unknown, z.core.$ZodTypeInternals<JWK, unknown>>>;
+}, z.core.$strip>;
+//# sourceMappingURL=jwt.types.d.ts.map

package/common/jwt.types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt.types.d.ts","sourceRoot":"","sources":["../../src/common/jwt.types.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAGxB,MAAM,WAAW,aAAa;IAC5B,qCAAqC;IACrC,GAAG,CAAC,EAAE,MAAM,CAAC;IACb;;;;OAIG;IACH,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,+CAA+C;IAC/C,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,wCAAwC;IACxC,GAAG,CAAC,EAAE,OAAO,CAAC;IACd,2CAA2C;IAC3C,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,oDAAoD;IACpD,GAAG,CAAC,EAAE,MAAM,EAAE,CAAC;IACf,+DAA+D;IAC/D,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,sEAAsE;IACtE,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,sCAAsC;IACtC,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,mCAAmC;IACnC,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED,eAAO,MAAM,mBAAmB;;;;;;;;;;;iBAWO,CAAC;AAExC,MAAM,WAAW,GAAI,SAAQ,aAAa;IACxC;;;OAGG;IACH,GAAG,CAAC,EAAE,MAAM,CAAC;IACb;;;;OAIG;IACH,CAAC,CAAC,EAAE,MAAM,CAAC;IACX,iEAAiE;IACjE,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,kEAAkE;IAClE,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,uCAAuC;IACvC,CAAC,CAAC,EAAE,MAAM,CAAC;IACX,wCAAwC;IACxC,CAAC,CAAC,EAAE,MAAM,CAAC;IACX,sCAAsC;IACtC,CAAC,CAAC,EAAE,MAAM,CAAC;IACX,yDAAyD;IACzD,CAAC,CAAC,EAAE,MAAM,CAAC;IACX,0DAA0D;IAC1D,CAAC,CAAC,EAAE,MAAM,CAAC;IACX,6DAA6D;IAC7D,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ;;;OAGG;IACH,CAAC,CAAC,EAAE,MAAM,CAAC;IACX,0CAA0C;IAC1C,CAAC,CAAC,EAAE,MAAM,CAAC;IACX,2CAA2C;IAC3C,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,6CAA6C;IAC7C,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED,eAAO,MAAM,SAAS,EAAE,CAAC,CAAC,OAAO,CAAC,GAAG,CAeO,CAAC;AAE7C,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,GAAG,EAAE,CAAC;CACb;AAED,eAAO,MAAM,mBAAmB;;iBAEO,CAAC"}

package/common/session-user.types.d.ts

@@ -0,0 +1,17 @@
+/**
+ * Portable session user type extracted from SDK's session.base.ts.
+ * Used by auth components that need user identity without SDK Scope dependency.
+ */
+export interface SessionUser {
+    sub?: string;
+    name?: string;
+    email?: string;
+    picture?: string;
+}
+/**
+ * Generic session claims map.
+ */
+export interface SessionClaims {
+    [key: string]: unknown;
+}
+//# sourceMappingURL=session-user.types.d.ts.map

package/common/session-user.types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"session-user.types.d.ts","sourceRoot":"","sources":["../../src/common/session-user.types.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,MAAM,WAAW,WAAW;IAC1B,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB"}