@frontmcp/auth 0.10.0 → 0.11.1

package/utils/authorization-id.utils.d.ts

@@ -0,0 +1,12 @@
+/**
+ * Derive a consistent authorization ID from a JWT token.
+ *
+ * Uses the token's signature (third part) to generate a deterministic
+ * ID that uniquely identifies this authorization without exposing
+ * the full token.
+ *
+ * @param token - JWT token string
+ * @returns 16-character hex string authorization ID
+ */
+export declare function deriveAuthorizationId(token: string): string;
+//# sourceMappingURL=authorization-id.utils.d.ts.map

package/utils/authorization-id.utils.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"authorization-id.utils.d.ts","sourceRoot":"","sources":["../../src/utils/authorization-id.utils.ts"],"names":[],"mappings":"AAIA;;;;;;;;;GASG;AACH,wBAAgB,qBAAqB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAI3D"}

package/utils/index.d.ts

@@ -5,4 +5,5 @@ export { buildWwwAuthenticate, buildPrmUrl, buildUnauthorizedHeader, buildInvali
 export type { BearerErrorCode, WwwAuthenticateOptions } from './www-authenticate.utils';
 export { validateAudience, createAudienceValidator, deriveExpectedAudience, AudienceValidator, } from './audience.validator';
 export type { AudienceValidationResult, AudienceValidatorOptions } from './audience.validator';
+export { deriveAuthorizationId } from './authorization-id.utils';
 //# sourceMappingURL=index.d.ts.map

package/utils/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/utils/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EACL,oBAAoB,EACpB,WAAW,EACX,uBAAuB,EACvB,uBAAuB,EACvB,4BAA4B,EAC5B,yBAAyB,EACzB,oBAAoB,GACrB,MAAM,0BAA0B,CAAC;AAClC,YAAY,EAAE,eAAe,EAAE,sBAAsB,EAAE,MAAM,0BAA0B,CAAC;AAExF,OAAO,EACL,gBAAgB,EAChB,uBAAuB,EACvB,sBAAsB,EACtB,iBAAiB,GAClB,MAAM,sBAAsB,CAAC;AAC9B,YAAY,EAAE,wBAAwB,EAAE,wBAAwB,EAAE,MAAM,sBAAsB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/utils/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EACL,oBAAoB,EACpB,WAAW,EACX,uBAAuB,EACvB,uBAAuB,EACvB,4BAA4B,EAC5B,yBAAyB,EACzB,oBAAoB,GACrB,MAAM,0BAA0B,CAAC;AAClC,YAAY,EAAE,eAAe,EAAE,sBAAsB,EAAE,MAAM,0BAA0B,CAAC;AAExF,OAAO,EACL,gBAAgB,EAChB,uBAAuB,EACvB,sBAAsB,EACtB,iBAAiB,GAClB,MAAM,sBAAsB,CAAC;AAC9B,YAAY,EAAE,wBAAwB,EAAE,wBAAwB,EAAE,MAAM,sBAAsB,CAAC;AAE/F,OAAO,EAAE,qBAAqB,EAAE,MAAM,0BAA0B,CAAC"}

package/vault/auth-providers.accessor.d.ts

@@ -0,0 +1,154 @@
+/**
+ * AuthProvidersAccessor - Interface for accessing auth provider credentials
+ *
+ * This interface provides the runtime API for tools to access credentials
+ * from registered auth providers. It supports:
+ * - Credential retrieval by provider name
+ * - Lazy loading with session-scoped caching
+ * - Automatic token refresh for OAuth providers
+ * - Headers generation for HTTP requests
+ */
+import { Token } from '@frontmcp/di';
+import type { Credential } from '../session';
+import type { ResolvedCredential, GetCredentialOptions } from './auth-providers.types';
+/**
+ * AuthProvidersAccessor - Runtime accessor for auth providers in tool contexts.
+ *
+ * Available in tool execution via `this.authProviders`:
+ * ```typescript
+ * @Tool({ name: 'my_tool' })
+ * class MyTool extends ToolContext {
+ *   async execute(input: Input) {
+ *     const github = await this.authProviders.get('github');
+ *     const headers = await this.authProviders.headers('github');
+ *   }
+ * }
+ * ```
+ */
+export interface AuthProvidersAccessor {
+    /**
+     * Get a credential by provider name.
+     *
+     * @param providerName - Registered provider name (e.g., 'github', 'google')
+     * @param options - Retrieval options (forceRefresh, scopes, timeout)
+     * @returns Resolved credential or null if not available
+     *
+     * @example
+     * ```typescript
+     * const cred = await this.authProviders.get('github');
+     * if (cred?.credential.type === 'oauth') {
+     *   const token = cred.credential.accessToken;
+     * }
+     * ```
+     *
+     * @example Force refresh
+     * ```typescript
+     * const cred = await this.authProviders.get('github', { forceRefresh: true });
+     * ```
+     */
+    get<T extends Credential = Credential>(providerName: string, options?: GetCredentialOptions): Promise<ResolvedCredential<T> | null>;
+    /**
+     * Get multiple credentials by provider names.
+     * Executes all retrievals in parallel for efficiency.
+     *
+     * @param providerNames - Array of provider names
+     * @param options - Retrieval options applied to all providers
+     * @returns Map of provider name to resolved credential (null if not available)
+     *
+     * @example
+     * ```typescript
+     * const creds = await this.authProviders.getMany(['github', 'jira']);
+     * const github = creds.get('github');
+     * const jira = creds.get('jira');
+     * ```
+     */
+    getMany(providerNames: string[], options?: GetCredentialOptions): Promise<Map<string, ResolvedCredential | null>>;
+    /**
+     * Get headers for a provider (convenience method).
+     * Automatically handles different credential types:
+     * - OAuth/Bearer: `Authorization: Bearer <token>`
+     * - API Key: Uses configured header name
+     * - Basic: `Authorization: Basic <base64>`
+     *
+     * @param providerName - Provider name
+     * @returns Headers record or empty object if not available
+     *
+     * @example
+     * ```typescript
+     * const headers = await this.authProviders.headers('github');
+     * const response = await fetch(url, { headers });
+     * ```
+     */
+    headers(providerName: string): Promise<Record<string, string>>;
+    /**
+     * Get headers for multiple providers merged into a single object.
+     * Later providers override earlier ones if headers conflict.
+     *
+     * @param providerNames - Array of provider names
+     * @returns Merged headers from all providers
+     */
+    headersMany(providerNames: string[]): Promise<Record<string, string>>;
+    /**
+     * Force refresh a credential (for OAuth token refresh).
+     * Uses the provider's refresh function if available, otherwise calls factory.
+     *
+     * @param providerName - Provider name to refresh
+     * @returns New credential or null if refresh failed
+     *
+     * @example
+     * ```typescript
+     * // On 401 response, try refreshing
+     * if (response.status === 401) {
+     *   const newCred = await this.authProviders.refresh('github');
+     *   if (newCred) {
+     *     // Retry request with new credential
+     *   }
+     * }
+     * ```
+     */
+    refresh(providerName: string): Promise<ResolvedCredential | null>;
+    /**
+     * Check if a provider credential is available and valid.
+     * Does not trigger credential loading.
+     *
+     * @param providerName - Provider name
+     * @returns true if credential exists in cache/vault and is valid
+     */
+    has(providerName: string): Promise<boolean>;
+    /**
+     * Check if a provider is registered (regardless of credential availability).
+     *
+     * @param providerName - Provider name
+     * @returns true if provider is registered
+     */
+    isRegistered(providerName: string): boolean;
+    /**
+     * Invalidate cached credential (triggers reload on next access).
+     * Does not remove from persistent vault storage.
+     *
+     * @param providerName - Provider name to invalidate
+     */
+    invalidate(providerName: string): void;
+    /**
+     * Invalidate all cached credentials for this session.
+     */
+    invalidateAll(): void;
+    /**
+     * List all registered provider names.
+     */
+    listProviders(): string[];
+    /**
+     * List all available credentials (loaded in cache or vault).
+     */
+    listAvailable(): Promise<string[]>;
+}
+/**
+ * DI Token for AuthProvidersAccessor
+ *
+ * Used to resolve the accessor in tool contexts:
+ * ```typescript
+ * const accessor = this.get(AUTH_PROVIDERS_ACCESSOR);
+ * ```
+ */
+export declare const AUTH_PROVIDERS_ACCESSOR: Token<AuthProvidersAccessor>;
+//# sourceMappingURL=auth-providers.accessor.d.ts.map

package/vault/auth-providers.accessor.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-providers.accessor.d.ts","sourceRoot":"","sources":["../../src/vault/auth-providers.accessor.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,KAAK,EAAE,MAAM,cAAc,CAAC;AACrC,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAC7C,OAAO,KAAK,EAAE,kBAAkB,EAAE,oBAAoB,EAAE,MAAM,wBAAwB,CAAC;AAEvF;;;;;;;;;;;;;GAaG;AACH,MAAM,WAAW,qBAAqB;IACpC;;;;;;;;;;;;;;;;;;;OAmBG;IACH,GAAG,CAAC,CAAC,SAAS,UAAU,GAAG,UAAU,EACnC,YAAY,EAAE,MAAM,EACpB,OAAO,CAAC,EAAE,oBAAoB,GAC7B,OAAO,CAAC,kBAAkB,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;IAEzC;;;;;;;;;;;;;;OAcG;IACH,OAAO,CAAC,aAAa,EAAE,MAAM,EAAE,EAAE,OAAO,CAAC,EAAE,oBAAoB,GAAG,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,kBAAkB,GAAG,IAAI,CAAC,CAAC,CAAC;IAElH;;;;;;;;;;;;;;;OAeG;IACH,OAAO,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;IAE/D;;;;;;OAMG;IACH,WAAW,CAAC,aAAa,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;IAEtE;;;;;;;;;;;;;;;;;OAiBG;IACH,OAAO,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC,CAAC;IAElE;;;;;;OAMG;IACH,GAAG,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAE5C;;;;;OAKG;IACH,YAAY,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC;IAE5C;;;;;OAKG;IACH,UAAU,CAAC,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAEvC;;OAEG;IACH,aAAa,IAAI,IAAI,CAAC;IAEtB;;OAEG;IACH,aAAa,IAAI,MAAM,EAAE,CAAC;IAE1B;;OAEG;IACH,aAAa,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;CACpC;AAED;;;;;;;GAOG;AACH,eAAO,MAAM,uBAAuB,EAAqD,KAAK,CAAC,qBAAqB,CAAC,CAAC"}

package/vault/auth-providers.accessor.impl.d.ts

@@ -0,0 +1,54 @@
+/**
+ * AuthProvidersAccessorImpl - Implementation of AuthProvidersAccessor
+ *
+ * Provides runtime access to credential providers in tool contexts.
+ * Handles caching, vault storage, lazy loading, and credential refresh.
+ */
+import type { Credential } from '../session';
+import type { CredentialFactoryContext, GetCredentialOptions, ResolvedCredential } from './auth-providers.types';
+import { CredentialCache } from './credential-cache';
+import type { AuthProvidersAccessor } from './auth-providers.accessor';
+import type { AuthProvidersRegistry } from './auth-providers.registry';
+import type { AuthProvidersVault } from './auth-providers.vault';
+import type { LazyCredentialLoader } from './credential-loaders/lazy-loader';
+import type { AuthLogger } from '../common/auth-logger.interface';
+/**
+ * AuthProvidersAccessorImpl - Runtime implementation
+ */
+export declare class AuthProvidersAccessorImpl implements AuthProvidersAccessor {
+    private readonly registry;
+    private readonly vault;
+    private readonly cache;
+    private readonly loader;
+    private readonly context;
+    private readonly logger?;
+    constructor(registry: AuthProvidersRegistry, vault: AuthProvidersVault, cache: CredentialCache, loader: LazyCredentialLoader, context: CredentialFactoryContext, logger?: AuthLogger | undefined);
+    get<T extends Credential = Credential>(providerName: string, options?: GetCredentialOptions): Promise<ResolvedCredential<T> | null>;
+    getMany(providerNames: string[], options?: GetCredentialOptions): Promise<Map<string, ResolvedCredential | null>>;
+    headers(providerName: string): Promise<Record<string, string>>;
+    headersMany(providerNames: string[]): Promise<Record<string, string>>;
+    refresh(providerName: string): Promise<ResolvedCredential | null>;
+    has(providerName: string): Promise<boolean>;
+    isRegistered(providerName: string): boolean;
+    invalidate(providerName: string): void;
+    invalidateAll(): void;
+    listProviders(): string[];
+    listAvailable(): Promise<string[]>;
+    /**
+     * Load credential from vault storage
+     */
+    private loadFromVault;
+    /**
+     * Store credential in vault storage
+     */
+    private storeInVault;
+    /**
+     * Check if a resolved credential is still valid
+     */
+    private isValid;
+    /**
+     * Generate default headers for a credential type
+     */
+    private defaultHeaders;
+}
+//# sourceMappingURL=auth-providers.accessor.impl.d.ts.map

package/vault/auth-providers.accessor.impl.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-providers.accessor.impl.d.ts","sourceRoot":"","sources":["../../src/vault/auth-providers.accessor.impl.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAC7C,OAAO,KAAK,EAAE,wBAAwB,EAAE,oBAAoB,EAAE,kBAAkB,EAAE,MAAM,wBAAwB,CAAC;AAEjH,OAAO,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AAErD,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,2BAA2B,CAAC;AACvE,OAAO,KAAK,EAAE,qBAAqB,EAA4B,MAAM,2BAA2B,CAAC;AACjG,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,wBAAwB,CAAC;AACjE,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,kCAAkC,CAAC;AAC7E,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,iCAAiC,CAAC;AAElE;;GAEG;AACH,qBAAa,yBAA0B,YAAW,qBAAqB;IAEnE,OAAO,CAAC,QAAQ,CAAC,QAAQ;IACzB,OAAO,CAAC,QAAQ,CAAC,KAAK;IACtB,OAAO,CAAC,QAAQ,CAAC,KAAK;IACtB,OAAO,CAAC,QAAQ,CAAC,MAAM;IACvB,OAAO,CAAC,QAAQ,CAAC,OAAO;IACxB,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC;gBALP,QAAQ,EAAE,qBAAqB,EAC/B,KAAK,EAAE,kBAAkB,EACzB,KAAK,EAAE,eAAe,EACtB,MAAM,EAAE,oBAAoB,EAC5B,OAAO,EAAE,wBAAwB,EACjC,MAAM,CAAC,EAAE,UAAU,YAAA;IAGhC,GAAG,CAAC,CAAC,SAAS,UAAU,GAAG,UAAU,EACzC,YAAY,EAAE,MAAM,EACpB,OAAO,CAAC,EAAE,oBAAoB,GAC7B,OAAO,CAAC,kBAAkB,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC;IAwClC,OAAO,CACX,aAAa,EAAE,MAAM,EAAE,EACvB,OAAO,CAAC,EAAE,oBAAoB,GAC7B,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,kBAAkB,GAAG,IAAI,CAAC,CAAC;IAuB5C,OAAO,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAc9D,WAAW,CAAC,aAAa,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAWrE,OAAO,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC;IAgCjE,GAAG,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAqBjD,YAAY,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAI3C,UAAU,CAAC,YAAY,EAAE,MAAM,GAAG,IAAI;IAKtC,aAAa,IAAI,IAAI;IAKrB,aAAa,IAAI,MAAM,EAAE;IAInB,aAAa,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;IAYxC;;OAEG;YACW,aAAa;IA8B3B;;OAEG;YACW,YAAY;IAkB1B;;OAEG;IACH,OAAO,CAAC,OAAO;IAYf;;OAEG;IACH,OAAO,CAAC,cAAc;CAmCvB"}

package/vault/auth-providers.registry.d.ts

@@ -0,0 +1,111 @@
+/**
+ * AuthProvidersRegistry - Registry for credential providers
+ *
+ * Manages registration and lookup of credential providers.
+ * Providers are registered at scope initialization and
+ * remain available for the lifetime of the scope.
+ */
+import { Token } from '@frontmcp/di';
+import type { Credential } from '../session';
+import type { CredentialProviderConfig, CredentialScope, LoadingStrategy, AuthProvidersVaultOptions } from './auth-providers.types';
+/**
+ * Normalized provider config with defaults applied
+ */
+export interface NormalizedProviderConfig<T extends Credential = Credential> extends Required<Pick<CredentialProviderConfig<T>, 'name' | 'scope' | 'loading'>> {
+    description?: string;
+    cacheTtl: number;
+    factory: CredentialProviderConfig<T>['factory'];
+    refresh?: CredentialProviderConfig<T>['refresh'];
+    toHeaders?: CredentialProviderConfig<T>['toHeaders'];
+    metadata?: Record<string, unknown>;
+    required: boolean;
+}
+/**
+ * AuthProvidersRegistry - Manages credential provider configurations
+ */
+export declare class AuthProvidersRegistry {
+    private readonly providers;
+    private readonly defaultCacheTtl;
+    constructor(options?: AuthProvidersVaultOptions);
+    /**
+     * Register a credential provider
+     *
+     * @param config - Provider configuration
+     * @throws CredentialProviderAlreadyRegisteredError if provider with same name already registered
+     */
+    register<T extends Credential = Credential>(config: CredentialProviderConfig<T>): void;
+    /**
+     * Unregister a credential provider
+     *
+     * @param name - Provider name to unregister
+     * @returns true if provider was unregistered, false if not found
+     */
+    unregister(name: string): boolean;
+    /**
+     * Get a provider configuration by name
+     *
+     * @param name - Provider name
+     * @returns Provider config or undefined if not found
+     */
+    get<T extends Credential = Credential>(name: string): NormalizedProviderConfig<T> | undefined;
+    /**
+     * Check if a provider is registered
+     *
+     * @param name - Provider name
+     * @returns true if provider is registered
+     */
+    has(name: string): boolean;
+    /**
+     * Get all registered provider names
+     */
+    getNames(): string[];
+    /**
+     * Get all provider configurations
+     */
+    getAll(): NormalizedProviderConfig[];
+    /**
+     * Get providers by scope
+     *
+     * @param scope - Credential scope to filter by
+     */
+    getByScope(scope: CredentialScope): NormalizedProviderConfig[];
+    /**
+     * Get providers by loading strategy
+     *
+     * @param loading - Loading strategy to filter by
+     */
+    getByLoading(loading: LoadingStrategy): NormalizedProviderConfig[];
+    /**
+     * Get providers that are required
+     */
+    getRequired(): NormalizedProviderConfig[];
+    /**
+     * Get providers that should be eagerly loaded
+     */
+    getEager(): NormalizedProviderConfig[];
+    /**
+     * Get providers that should be lazily loaded
+     */
+    getLazy(): NormalizedProviderConfig[];
+    /**
+     * Get the number of registered providers
+     */
+    get size(): number;
+    /**
+     * Check if registry is empty
+     */
+    isEmpty(): boolean;
+    /**
+     * Clear all registered providers
+     */
+    clear(): void;
+    /**
+     * Normalize provider config with defaults
+     */
+    private normalize;
+}
+/**
+ * DI Token for AuthProvidersRegistry
+ */
+export declare const AUTH_PROVIDERS_REGISTRY: Token<AuthProvidersRegistry>;
+//# sourceMappingURL=auth-providers.registry.d.ts.map

package/vault/auth-providers.registry.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-providers.registry.d.ts","sourceRoot":"","sources":["../../src/vault/auth-providers.registry.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,KAAK,EAAE,MAAM,cAAc,CAAC;AAErC,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAC7C,OAAO,KAAK,EACV,wBAAwB,EACxB,eAAe,EACf,eAAe,EACf,yBAAyB,EAC1B,MAAM,wBAAwB,CAAC;AAEhC;;GAEG;AACH,MAAM,WAAW,wBAAwB,CAAC,CAAC,SAAS,UAAU,GAAG,UAAU,CACzE,SAAQ,QAAQ,CAAC,IAAI,CAAC,wBAAwB,CAAC,CAAC,CAAC,EAAE,MAAM,GAAG,OAAO,GAAG,SAAS,CAAC,CAAC;IACjF,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,wBAAwB,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;IAChD,OAAO,CAAC,EAAE,wBAAwB,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;IACjD,SAAS,CAAC,EAAE,wBAAwB,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC;IACrD,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACnC,QAAQ,EAAE,OAAO,CAAC;CACnB;AAED;;GAEG;AACH,qBAAa,qBAAqB;IAChC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAA+C;IACzE,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAS;gBAE7B,OAAO,CAAC,EAAE,yBAAyB;IAU/C;;;;;OAKG;IACH,QAAQ,CAAC,CAAC,SAAS,UAAU,GAAG,UAAU,EAAE,MAAM,EAAE,wBAAwB,CAAC,CAAC,CAAC,GAAG,IAAI;IAUtF;;;;;OAKG;IACH,UAAU,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO;IAIjC;;;;;OAKG;IACH,GAAG,CAAC,CAAC,SAAS,UAAU,GAAG,UAAU,EAAE,IAAI,EAAE,MAAM,GAAG,wBAAwB,CAAC,CAAC,CAAC,GAAG,SAAS;IAI7F;;;;;OAKG;IACH,GAAG,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO;IAI1B;;OAEG;IACH,QAAQ,IAAI,MAAM,EAAE;IAIpB;;OAEG;IACH,MAAM,IAAI,wBAAwB,EAAE;IAIpC;;;;OAIG;IACH,UAAU,CAAC,KAAK,EAAE,eAAe,GAAG,wBAAwB,EAAE;IAI9D;;;;OAIG;IACH,YAAY,CAAC,OAAO,EAAE,eAAe,GAAG,wBAAwB,EAAE;IAIlE;;OAEG;IACH,WAAW,IAAI,wBAAwB,EAAE;IAIzC;;OAEG;IACH,QAAQ,IAAI,wBAAwB,EAAE;IAItC;;OAEG;IACH,OAAO,IAAI,wBAAwB,EAAE;IAIrC;;OAEG;IACH,IAAI,IAAI,IAAI,MAAM,CAEjB;IAED;;OAEG;IACH,OAAO,IAAI,OAAO;IAIlB;;OAEG;IACH,KAAK,IAAI,IAAI;IAIb;;OAEG;IACH,OAAO,CAAC,SAAS;CAclB;AAED;;GAEG;AACH,eAAO,MAAM,uBAAuB,EAAqD,KAAK,CAAC,qBAAqB,CAAC,CAAC"}

package/vault/auth-providers.types.d.ts

@@ -15,9 +15,9 @@ import type { Credential, AuthorizationVault } from '../session';
  */
 export type CredentialScope = 'global' | 'user' | 'session';
 export declare const credentialScopeSchema: z.ZodEnum<{
+    session: "session";
     user: "user";
     global: "global";
-    session: "session";
 }>;
 /**
  * Loading strategy determines when credentials are acquired.
@@ -141,9 +141,9 @@ export declare const credentialProviderConfigSchema: z.ZodObject<{
     name: z.ZodString;
     description: z.ZodOptional<z.ZodString>;
     scope: z.ZodEnum<{
+        session: "session";
         user: "user";
         global: "global";
-        session: "session";
     }>;
     loading: z.ZodEnum<{
         lazy: "lazy";
@@ -227,9 +227,9 @@ export declare const authProvidersVaultOptionsSchema: z.ZodObject<{
         name: z.ZodString;
         description: z.ZodOptional<z.ZodString>;
         scope: z.ZodEnum<{
+            session: "session";
             user: "user";
             global: "global";
-            session: "session";
         }>;
         loading: z.ZodEnum<{
             lazy: "lazy";

package/vault/auth-providers.vault.d.ts

@@ -0,0 +1,94 @@
+/**
+ * AuthProvidersVault - Dedicated storage namespace for auth provider credentials
+ *
+ * Uses the same underlying storage (Redis/Vercel KV) as AuthorizationVault
+ * but with a separate namespace to avoid conflicts.
+ */
+import { Token } from '@frontmcp/di';
+import type { Credential, AuthorizationVault, AppCredential } from '../session';
+import type { CredentialScope } from './auth-providers.types';
+import type { AuthLogger } from '../common/auth-logger.interface';
+/**
+ * AuthProvidersVault - Storage layer for auth provider credentials
+ */
+export declare class AuthProvidersVault {
+    private readonly baseVault;
+    private readonly namespace;
+    private readonly logger?;
+    constructor(baseVault: AuthorizationVault, namespace?: string, logger?: AuthLogger | undefined);
+    /**
+     * Store a credential in the vault
+     *
+     * @param sessionId - Current session ID
+     * @param providerId - Provider name
+     * @param credential - Credential to store
+     * @param scope - Credential scope
+     * @param userId - User ID (required for user scope)
+     */
+    storeCredential<T extends Credential>(sessionId: string, providerId: string, credential: T, scope: CredentialScope, userId?: string): Promise<void>;
+    /**
+     * Get a credential from the vault
+     *
+     * @param sessionId - Current session ID
+     * @param providerId - Provider name
+     * @param scope - Credential scope
+     * @param userId - User ID (required for user scope)
+     * @returns Credential or null if not found
+     */
+    getCredential<T extends Credential>(sessionId: string, providerId: string, scope: CredentialScope, userId?: string): Promise<T | null>;
+    /**
+     * Remove a credential from the vault
+     *
+     * @param sessionId - Current session ID
+     * @param providerId - Provider name
+     * @param scope - Credential scope
+     * @param userId - User ID (required for user scope)
+     */
+    removeCredential(sessionId: string, providerId: string, scope: CredentialScope, userId?: string): Promise<void>;
+    /**
+     * Invalidate a credential (mark as invalid without removing)
+     *
+     * @param sessionId - Current session ID
+     * @param providerId - Provider name
+     * @param scope - Credential scope
+     * @param reason - Reason for invalidation
+     * @param userId - User ID (required for user scope)
+     */
+    invalidateCredential(sessionId: string, providerId: string, scope: CredentialScope, reason: string, userId?: string): Promise<void>;
+    /**
+     * Update OAuth credential tokens (for refresh)
+     *
+     * @param sessionId - Current session ID
+     * @param providerId - Provider name
+     * @param scope - Credential scope
+     * @param tokens - New tokens
+     * @param userId - User ID (required for user scope)
+     */
+    refreshOAuthCredential(sessionId: string, providerId: string, scope: CredentialScope, tokens: {
+        accessToken: string;
+        refreshToken?: string;
+        expiresAt?: number;
+    }, userId?: string): Promise<void>;
+    /**
+     * Get all credentials for a session
+     *
+     * @param sessionId - Current session ID
+     * @param scope - Optional scope filter
+     * @param userId - User ID (required for user scope)
+     */
+    getAllCredentials(sessionId: string, scope?: CredentialScope, userId?: string): Promise<AppCredential[]>;
+    /**
+     * Build vault key based on scope
+     *
+     * Key patterns:
+     * - global: `authproviders:global`
+     * - user: `authproviders:user:{userId}`
+     * - session: `authproviders:session:{sessionId}`
+     */
+    private buildVaultKey;
+}
+/**
+ * DI Token for AuthProvidersVault
+ */
+export declare const AUTH_PROVIDERS_VAULT: Token<AuthProvidersVault>;
+//# sourceMappingURL=auth-providers.vault.d.ts.map

package/vault/auth-providers.vault.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-providers.vault.d.ts","sourceRoot":"","sources":["../../src/vault/auth-providers.vault.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,KAAK,EAAE,MAAM,cAAc,CAAC;AACrC,OAAO,KAAK,EAAE,UAAU,EAAE,kBAAkB,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAChF,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AAE9D,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,iCAAiC,CAAC;AAGlE;;GAEG;AACH,qBAAa,kBAAkB;IAE3B,OAAO,CAAC,QAAQ,CAAC,SAAS;IAC1B,OAAO,CAAC,QAAQ,CAAC,SAAS;IAC1B,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC;gBAFP,SAAS,EAAE,kBAAkB,EAC7B,SAAS,SAAmB,EAC5B,MAAM,CAAC,EAAE,UAAU,YAAA;IAGtC;;;;;;;;OAQG;IACG,eAAe,CAAC,CAAC,SAAS,UAAU,EACxC,SAAS,EAAE,MAAM,EACjB,UAAU,EAAE,MAAM,EAClB,UAAU,EAAE,CAAC,EACb,KAAK,EAAE,eAAe,EACtB,MAAM,CAAC,EAAE,MAAM,GACd,OAAO,CAAC,IAAI,CAAC;IAqBhB;;;;;;;;OAQG;IACG,aAAa,CAAC,CAAC,SAAS,UAAU,EACtC,SAAS,EAAE,MAAM,EACjB,UAAU,EAAE,MAAM,EAClB,KAAK,EAAE,eAAe,EACtB,MAAM,CAAC,EAAE,MAAM,GACd,OAAO,CAAC,CAAC,GAAG,IAAI,CAAC;IAkCpB;;;;;;;OAOG;IACG,gBAAgB,CACpB,SAAS,EAAE,MAAM,EACjB,UAAU,EAAE,MAAM,EAClB,KAAK,EAAE,eAAe,EACtB,MAAM,CAAC,EAAE,MAAM,GACd,OAAO,CAAC,IAAI,CAAC;IAWhB;;;;;;;;OAQG;IACG,oBAAoB,CACxB,SAAS,EAAE,MAAM,EACjB,UAAU,EAAE,MAAM,EAClB,KAAK,EAAE,eAAe,EACtB,MAAM,EAAE,MAAM,EACd,MAAM,CAAC,EAAE,MAAM,GACd,OAAO,CAAC,IAAI,CAAC;IAWhB;;;;;;;;OAQG;IACG,sBAAsB,CAC1B,SAAS,EAAE,MAAM,EACjB,UAAU,EAAE,MAAM,EAClB,KAAK,EAAE,eAAe,EACtB,MAAM,EAAE;QAAE,WAAW,EAAE,MAAM,CAAC;QAAC,YAAY,CAAC,EAAE,MAAM,CAAC;QAAC,SAAS,CAAC,EAAE,MAAM,CAAA;KAAE,EAC1E,MAAM,CAAC,EAAE,MAAM,GACd,OAAO,CAAC,IAAI,CAAC;IAYhB;;;;;;OAMG;IACG,iBAAiB,CAAC,SAAS,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,eAAe,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,EAAE,CAAC;IAoD9G;;;;;;;OAOG;IACH,OAAO,CAAC,aAAa;CAoBtB;AAED;;GAEG;AACH,eAAO,MAAM,oBAAoB,EAAkD,KAAK,CAAC,kBAAkB,CAAC,CAAC"}

package/vault/credential-loaders/eager-loader.d.ts

@@ -0,0 +1,47 @@
+/**
+ * EagerCredentialLoader - Loads credentials at session initialization
+ *
+ * Used for providers configured with `loading: 'eager'`.
+ * Credentials are loaded in parallel at session start.
+ */
+import type { CredentialFactoryContext, ResolvedCredential } from '../auth-providers.types';
+import { CredentialCache } from '../credential-cache';
+import type { AuthProvidersRegistry } from '../auth-providers.registry';
+import type { AuthLogger } from '../../common/auth-logger.interface';
+/**
+ * Result of eager loading
+ */
+export interface EagerLoadResult {
+    /** Successfully loaded credentials */
+    loaded: Map<string, ResolvedCredential>;
+    /** Failed provider names with errors */
+    failed: Map<string, Error>;
+    /** Total loading time in ms */
+    duration: number;
+}
+/**
+ * EagerCredentialLoader - Loads credentials at session initialization
+ */
+export declare class EagerCredentialLoader {
+    private readonly registry;
+    private readonly cache;
+    private readonly logger?;
+    constructor(registry: AuthProvidersRegistry, cache: CredentialCache, logger?: AuthLogger | undefined);
+    /**
+     * Load all eager credentials for a session.
+     * Called during session initialization.
+     *
+     * @param context - Factory context with session/user info
+     * @returns Map of provider name to resolved credential
+     */
+    loadForSession(context: CredentialFactoryContext): Promise<EagerLoadResult>;
+    /**
+     * Load a single credential
+     */
+    private loadOne;
+    /**
+     * Wrap credential with resolved metadata
+     */
+    private wrapCredential;
+}
+//# sourceMappingURL=eager-loader.d.ts.map

package/vault/credential-loaders/eager-loader.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"eager-loader.d.ts","sourceRoot":"","sources":["../../../src/vault/credential-loaders/eager-loader.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,KAAK,EAAE,wBAAwB,EAAE,kBAAkB,EAAE,MAAM,yBAAyB,CAAC;AAE5F,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AACtD,OAAO,KAAK,EAAE,qBAAqB,EAA4B,MAAM,4BAA4B,CAAC;AAClG,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,oCAAoC,CAAC;AAErE;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,sCAAsC;IACtC,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,kBAAkB,CAAC,CAAC;IACxC,wCAAwC;IACxC,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;IAC3B,+BAA+B;IAC/B,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,qBAAa,qBAAqB;IAE9B,OAAO,CAAC,QAAQ,CAAC,QAAQ;IACzB,OAAO,CAAC,QAAQ,CAAC,KAAK;IACtB,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC;gBAFP,QAAQ,EAAE,qBAAqB,EAC/B,KAAK,EAAE,eAAe,EACtB,MAAM,CAAC,EAAE,UAAU,YAAA;IAGtC;;;;;;OAMG;IACG,cAAc,CAAC,OAAO,EAAE,wBAAwB,GAAG,OAAO,CAAC,eAAe,CAAC;IAoDjF;;OAEG;YACW,OAAO;IAgBrB;;OAEG;IACH,OAAO,CAAC,cAAc;CAcvB"}

package/vault/credential-loaders/index.d.ts

@@ -0,0 +1,7 @@
+/**
+ * Credential Loaders - Eager and Lazy credential loading strategies
+ */
+export { EagerCredentialLoader, type EagerLoadResult } from './eager-loader';
+export { LazyCredentialLoader } from './lazy-loader';
+export { extractCredentialExpiry } from '../credential-helpers';
+//# sourceMappingURL=index.d.ts.map

package/vault/credential-loaders/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/vault/credential-loaders/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,qBAAqB,EAAE,KAAK,eAAe,EAAE,MAAM,gBAAgB,CAAC;AAC7E,OAAO,EAAE,oBAAoB,EAAE,MAAM,eAAe,CAAC;AAGrD,OAAO,EAAE,uBAAuB,EAAE,MAAM,uBAAuB,CAAC"}

package/vault/credential-loaders/lazy-loader.d.ts

@@ -0,0 +1,54 @@
+/**
+ * LazyCredentialLoader - Loads credentials on first access
+ *
+ * Used for providers configured with `loading: 'lazy'` (default).
+ * Prevents concurrent loads for the same provider (deduplication).
+ */
+import type { Credential } from '../../session';
+import type { CredentialFactoryContext, ResolvedCredential } from '../auth-providers.types';
+import type { NormalizedProviderConfig } from '../auth-providers.registry';
+import type { AuthLogger } from '../../common/auth-logger.interface';
+/**
+ * LazyCredentialLoader - Loads credentials on first access
+ */
+export declare class LazyCredentialLoader {
+    private readonly logger?;
+    /** In-flight loading promises for deduplication */
+    private readonly loading;
+    constructor(logger?: AuthLogger | undefined);
+    /**
+     * Load a credential lazily.
+     * If already loading, returns the in-flight promise (deduplication).
+     *
+     * @param config - Provider configuration
+     * @param context - Factory context
+     * @returns Resolved credential or null
+     */
+    load<T extends Credential>(config: NormalizedProviderConfig<T>, context: CredentialFactoryContext): Promise<ResolvedCredential<T> | null>;
+    /**
+     * Perform the actual credential loading
+     */
+    private doLoad;
+    /**
+     * Refresh a credential using the provider's refresh function or factory
+     *
+     * @param config - Provider configuration
+     * @param context - Factory context with existing credential
+     * @returns Refreshed credential or null
+     */
+    refresh<T extends Credential>(config: NormalizedProviderConfig<T>, context: CredentialFactoryContext & {
+        existingCredential: T;
+    }): Promise<ResolvedCredential<T> | null>;
+    /**
+     * Check if a credential is currently being loaded
+     *
+     * @param name - Provider name
+     * @returns true if loading is in progress
+     */
+    isLoading(name: string): boolean;
+    /**
+     * Cancel all in-flight loads (for cleanup)
+     */
+    cancelAll(): void;
+}
+//# sourceMappingURL=lazy-loader.d.ts.map

package/vault/credential-loaders/lazy-loader.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"lazy-loader.d.ts","sourceRoot":"","sources":["../../../src/vault/credential-loaders/lazy-loader.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAChD,OAAO,KAAK,EAAE,wBAAwB,EAAE,kBAAkB,EAAE,MAAM,yBAAyB,CAAC;AAE5F,OAAO,KAAK,EAAE,wBAAwB,EAAE,MAAM,4BAA4B,CAAC;AAC3E,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,oCAAoC,CAAC;AAErE;;GAEG;AACH,qBAAa,oBAAoB;IAInB,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC;IAHpC,mDAAmD;IACnD,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAyD;gBAEpD,MAAM,CAAC,EAAE,UAAU,YAAA;IAEhD;;;;;;;OAOG;IACG,IAAI,CAAC,CAAC,SAAS,UAAU,EAC7B,MAAM,EAAE,wBAAwB,CAAC,CAAC,CAAC,EACnC,OAAO,EAAE,wBAAwB,GAChC,OAAO,CAAC,kBAAkB,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC;IAmBxC;;OAEG;YACW,MAAM;IAsCpB;;;;;;OAMG;IACG,OAAO,CAAC,CAAC,SAAS,UAAU,EAChC,MAAM,EAAE,wBAAwB,CAAC,CAAC,CAAC,EACnC,OAAO,EAAE,wBAAwB,GAAG;QAAE,kBAAkB,EAAE,CAAC,CAAA;KAAE,GAC5D,OAAO,CAAC,kBAAkB,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC;IAwCxC;;;;;OAKG;IACH,SAAS,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO;IAIhC;;OAEG;IACH,SAAS,IAAI,IAAI;CAGlB"}

package/vault/index.d.ts

@@ -7,4 +7,13 @@ export type { CredentialScope, LoadingStrategy, GetCredentialOptions, ResolvedCr
 export { credentialScopeSchema, loadingStrategySchema, getCredentialOptionsSchema, credentialProviderConfigSchema, authProviderMappingSchema, authProvidersVaultOptionsSchema, } from './auth-providers.types';
 export { extractCredentialExpiry } from './credential-helpers';
 export { CredentialCache, type CacheStats } from './credential-cache';
+export type { AuthProvidersAccessor } from './auth-providers.accessor';
+export { AUTH_PROVIDERS_ACCESSOR } from './auth-providers.accessor';
+export { AuthProvidersAccessorImpl } from './auth-providers.accessor.impl';
+export { AuthProvidersRegistry, AUTH_PROVIDERS_REGISTRY } from './auth-providers.registry';
+export type { NormalizedProviderConfig } from './auth-providers.registry';
+export { AuthProvidersVault, AUTH_PROVIDERS_VAULT } from './auth-providers.vault';
+export { EagerCredentialLoader } from './credential-loaders/eager-loader';
+export type { EagerLoadResult } from './credential-loaders/eager-loader';
+export { LazyCredentialLoader } from './credential-loaders/lazy-loader';
 //# sourceMappingURL=index.d.ts.map

package/vault/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/vault/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,YAAY,EACV,eAAe,EACf,eAAe,EACf,oBAAoB,EACpB,kBAAkB,EAClB,wBAAwB,EACxB,iBAAiB,EACjB,mBAAmB,EACnB,mBAAmB,EACnB,wBAAwB,EACxB,mBAAmB,EACnB,oBAAoB,EACpB,eAAe,EACf,yBAAyB,EACzB,mBAAmB,EACnB,eAAe,GAChB,MAAM,wBAAwB,CAAC;AAGhC,OAAO,EACL,qBAAqB,EACrB,qBAAqB,EACrB,0BAA0B,EAC1B,8BAA8B,EAC9B,yBAAyB,EACzB,+BAA+B,GAChC,MAAM,wBAAwB,CAAC;AAGhC,OAAO,EAAE,uBAAuB,EAAE,MAAM,sBAAsB,CAAC;AAG/D,OAAO,EAAE,eAAe,EAAE,KAAK,UAAU,EAAE,MAAM,oBAAoB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/vault/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,YAAY,EACV,eAAe,EACf,eAAe,EACf,oBAAoB,EACpB,kBAAkB,EAClB,wBAAwB,EACxB,iBAAiB,EACjB,mBAAmB,EACnB,mBAAmB,EACnB,wBAAwB,EACxB,mBAAmB,EACnB,oBAAoB,EACpB,eAAe,EACf,yBAAyB,EACzB,mBAAmB,EACnB,eAAe,GAChB,MAAM,wBAAwB,CAAC;AAGhC,OAAO,EACL,qBAAqB,EACrB,qBAAqB,EACrB,0BAA0B,EAC1B,8BAA8B,EAC9B,yBAAyB,EACzB,+BAA+B,GAChC,MAAM,wBAAwB,CAAC;AAGhC,OAAO,EAAE,uBAAuB,EAAE,MAAM,sBAAsB,CAAC;AAG/D,OAAO,EAAE,eAAe,EAAE,KAAK,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAGtE,YAAY,EAAE,qBAAqB,EAAE,MAAM,2BAA2B,CAAC;AACvE,OAAO,EAAE,uBAAuB,EAAE,MAAM,2BAA2B,CAAC;AACpE,OAAO,EAAE,yBAAyB,EAAE,MAAM,gCAAgC,CAAC;AAG3E,OAAO,EAAE,qBAAqB,EAAE,uBAAuB,EAAE,MAAM,2BAA2B,CAAC;AAC3F,YAAY,EAAE,wBAAwB,EAAE,MAAM,2BAA2B,CAAC;AAG1E,OAAO,EAAE,kBAAkB,EAAE,oBAAoB,EAAE,MAAM,wBAAwB,CAAC;AAGlF,OAAO,EAAE,qBAAqB,EAAE,MAAM,mCAAmC,CAAC;AAC1E,YAAY,EAAE,eAAe,EAAE,MAAM,mCAAmC,CAAC;AACzE,OAAO,EAAE,oBAAoB,EAAE,MAAM,kCAAkC,CAAC"}