@frontmcp/auth 0.12.2 → 1.0.0-beta.1

package/esm/index.mjs

@@ -74,7 +74,7 @@ function parseCacheControlHeader(value) {
   }
   return result;
 }
-var InMemoryCimdCache, CimdCache;
+var InMemoryCimdCache;
 var init_cimd_cache = __esm({
   "libs/auth/src/cimd/cimd.cache.ts"() {
     "use strict";
@@ -209,13 +209,18 @@ var init_cimd_cache = __esm({
         return removed;
       }
     };
-    CimdCache = InMemoryCimdCache;
   }
 });
 
 // libs/auth/src/jwks/jwks.service.ts
 import { jwtVerify, createLocalJWKSet, decodeProtectedHeader } from "jose";
-import { bytesToHex, randomBytes, rsaVerify, createKeyPersistence } from "@frontmcp/utils";
+import {
+  bytesToHex,
+  randomBytes,
+  rsaVerify,
+  createKeyPersistence,
+  isProduction
+} from "@frontmcp/utils";
 
 // libs/auth/src/jwks/jwks.utils.ts
 function trimSlash(s) {
@@ -286,29 +291,19 @@ var JwksService = class {
       rotateDays: opts?.rotateDays ?? 30,
       providerJwksTtlMs: opts?.providerJwksTtlMs ?? 6 * 60 * 60 * 1e3,
       // 6h
-      networkTimeoutMs: opts?.networkTimeoutMs ?? 5e3,
+      networkTimeoutMs: opts?.networkTimeoutMs ?? 5e3
       // 5s
-      devKeyPersistence: opts?.devKeyPersistence
     };
   }
   // ===========================================================================
   // Key Persistence Helpers
   // ===========================================================================
-  /**
-   * Check if key persistence should be enabled.
-   * Enabled in development by default, disabled in production unless forceEnable.
-   */
-  shouldEnablePersistence() {
-    const isProd = process.env["NODE_ENV"] === "production";
-    if (this.opts.devKeyPersistence?.forceEnable) return true;
-    return !isProd;
-  }
   /**
    * Get or create the KeyPersistence instance.
-   * Returns null if persistence is disabled.
+   * Returns null if persistence is disabled (production).
    */
   async getKeyPersistence() {
-    if (!this.shouldEnablePersistence()) return null;
+    if (isProduction()) return null;
     if (!this.keyPersistence) {
       this.keyPersistence = await createKeyPersistence({
         baseDir: ".frontmcp/keys"
@@ -426,7 +421,12 @@ var JwksService = class {
       if (!jwtAlg) {
         return { ok: false, error: "missing_alg" };
       }
-      const isValid = rsaVerify(jwtAlg, Buffer.from(signatureInput), matchingKey, signature);
+      const isValid = await rsaVerify(
+        jwtAlg,
+        Buffer.from(signatureInput),
+        matchingKey,
+        signature
+      );
       if (!isValid) {
         return { ok: false, error: "signature_invalid" };
       }
@@ -647,147 +647,6 @@ var JwksService = class {
   }
 };
 
-// libs/auth/src/jwks/dev-key-persistence.ts
-import * as path from "path";
-import * as crypto from "crypto";
-import { z } from "zod";
-import { readFile, mkdir, writeFile, rename, unlink } from "@frontmcp/utils";
-var DEFAULT_KEY_PATH = ".frontmcp/dev-keys.json";
-var rsaPrivateKeySchema = z.object({
-  kty: z.literal("RSA"),
-  n: z.string().min(1),
-  e: z.string().min(1),
-  d: z.string().min(1),
-  p: z.string().optional(),
-  q: z.string().optional(),
-  dp: z.string().optional(),
-  dq: z.string().optional(),
-  qi: z.string().optional()
-}).passthrough();
-var ecPrivateKeySchema = z.object({
-  kty: z.literal("EC"),
-  crv: z.string().min(1),
-  x: z.string().min(1),
-  y: z.string().min(1),
-  d: z.string().min(1)
-}).passthrough();
-var publicJwkSchema = z.object({
-  kty: z.enum(["RSA", "EC"]),
-  kid: z.string().min(1),
-  alg: z.enum(["RS256", "ES256"]),
-  use: z.literal("sig")
-}).passthrough();
-var jwksSchema = z.object({
-  keys: z.array(publicJwkSchema).min(1)
-});
-var devKeyDataSchema = z.object({
-  kid: z.string().min(1),
-  privateKey: z.union([rsaPrivateKeySchema, ecPrivateKeySchema]),
-  publicJwk: jwksSchema,
-  createdAt: z.number().positive().int(),
-  alg: z.enum(["RS256", "ES256"])
-});
-function validateJwkStructure(data) {
-  const result = devKeyDataSchema.safeParse(data);
-  if (!result.success) {
-    return { valid: false, error: result.error.issues[0]?.message ?? "Invalid JWK structure" };
-  }
-  const parsed = result.data;
-  if (parsed.alg === "RS256" && parsed.privateKey.kty !== "RSA") {
-    return { valid: false, error: "Algorithm RS256 requires RSA key type" };
-  }
-  if (parsed.alg === "ES256" && parsed.privateKey.kty !== "EC") {
-    return { valid: false, error: "Algorithm ES256 requires EC key type" };
-  }
-  const publicKey = parsed.publicJwk.keys[0];
-  if (publicKey.kty !== parsed.privateKey.kty) {
-    return { valid: false, error: "Public and private key types do not match" };
-  }
-  if (publicKey.kid !== parsed.kid) {
-    return { valid: false, error: "kid mismatch between top-level and publicJwk" };
-  }
-  const now = Date.now();
-  const hundredYearsMs = 100 * 365 * 24 * 60 * 60 * 1e3;
-  if (parsed.createdAt > now) {
-    return { valid: false, error: "createdAt is in the future" };
-  }
-  if (parsed.createdAt < now - hundredYearsMs) {
-    return { valid: false, error: "createdAt is too old" };
-  }
-  return { valid: true };
-}
-function isDevKeyPersistenceEnabled(options) {
-  const isProduction = process.env["NODE_ENV"] === "production";
-  if (isProduction) {
-    return options?.forceEnable === true;
-  }
-  return true;
-}
-function resolveKeyPath(options) {
-  const keyPath = options?.keyPath ?? DEFAULT_KEY_PATH;
-  if (path.isAbsolute(keyPath)) {
-    return keyPath;
-  }
-  return path.resolve(process.cwd(), keyPath);
-}
-async function loadDevKey(options) {
-  if (!isDevKeyPersistenceEnabled(options)) {
-    return null;
-  }
-  const keyPath = resolveKeyPath(options);
-  try {
-    const content = await readFile(keyPath, "utf8");
-    const data = JSON.parse(content);
-    const validation = validateJwkStructure(data);
-    if (!validation.valid) {
-      console.warn(`[DevKeyPersistence] Invalid key file format at ${keyPath}: ${validation.error}, will regenerate`);
-      return null;
-    }
-    console.log(`[DevKeyPersistence] Loaded key (kid=${data.kid}) from ${keyPath}`);
-    return data;
-  } catch (error) {
-    if (error.code === "ENOENT") {
-      return null;
-    }
-    console.warn(`[DevKeyPersistence] Failed to load key from ${keyPath}: ${error.message}`);
-    return null;
-  }
-}
-async function saveDevKey(keyData, options) {
-  if (!isDevKeyPersistenceEnabled(options)) {
-    return true;
-  }
-  const keyPath = resolveKeyPath(options);
-  const dir = path.dirname(keyPath);
-  const tempPath = `${keyPath}.tmp.${Date.now()}.${crypto.randomBytes(8).toString("hex")}`;
-  try {
-    await mkdir(dir, { recursive: true, mode: 448 });
-    const content = JSON.stringify(keyData, null, 2);
-    await writeFile(tempPath, content, { mode: 384 });
-    await rename(tempPath, keyPath);
-    console.log(`[DevKeyPersistence] Saved key (kid=${keyData.kid}) to ${keyPath}`);
-    return true;
-  } catch (error) {
-    console.error(`[DevKeyPersistence] Failed to save key to ${keyPath}: ${error.message}`);
-    try {
-      await unlink(tempPath);
-    } catch {
-    }
-    return false;
-  }
-}
-async function deleteDevKey(options) {
-  const keyPath = resolveKeyPath(options);
-  try {
-    await unlink(keyPath);
-    console.log(`[DevKeyPersistence] Deleted key at ${keyPath}`);
-  } catch (error) {
-    if (error.code !== "ENOENT") {
-      console.warn(`[DevKeyPersistence] Failed to delete key at ${keyPath}: ${error.message}`);
-    }
-  }
-}
-
 // libs/auth/src/ui/base-layout.ts
 import { escapeHtml } from "@frontmcp/utils";
 import { escapeHtml as escapeHtml2 } from "@frontmcp/utils";
@@ -1291,32 +1150,32 @@ function renderToHtml(html, _options) {
 
 // libs/auth/src/session/authorization.store.ts
 import { randomUUID, sha256Base64url } from "@frontmcp/utils";
-import { z as z2 } from "zod";
-var pkceChallengeSchema = z2.object({
-  challenge: z2.string().min(43).max(128),
-  method: z2.literal("S256")
+import { z } from "zod";
+var pkceChallengeSchema = z.object({
+  challenge: z.string().min(43).max(128),
+  method: z.literal("S256")
 });
-var authorizationCodeRecordSchema = z2.object({
-  code: z2.string().min(1),
-  clientId: z2.string().min(1),
-  redirectUri: z2.string().url(),
-  scopes: z2.array(z2.string()),
+var authorizationCodeRecordSchema = z.object({
+  code: z.string().min(1),
+  clientId: z.string().min(1),
+  redirectUri: z.string().url(),
+  scopes: z.array(z.string()),
   pkce: pkceChallengeSchema,
-  userSub: z2.string().min(1),
-  userEmail: z2.string().email().optional(),
-  userName: z2.string().optional(),
-  state: z2.string().optional(),
-  createdAt: z2.number(),
-  expiresAt: z2.number(),
-  used: z2.boolean(),
-  resource: z2.string().url().optional(),
+  userSub: z.string().min(1),
+  userEmail: z.string().email().optional(),
+  userName: z.string().optional(),
+  state: z.string().optional(),
+  createdAt: z.number(),
+  expiresAt: z.number(),
+  used: z.boolean(),
+  resource: z.string().url().optional(),
   // Consent and federated login fields
-  selectedToolIds: z2.array(z2.string()).optional(),
-  selectedProviderIds: z2.array(z2.string()).optional(),
-  skippedProviderIds: z2.array(z2.string()).optional(),
-  consentEnabled: z2.boolean().optional(),
-  federatedLoginUsed: z2.boolean().optional(),
-  pendingAuthId: z2.string().optional()
+  selectedToolIds: z.array(z.string()).optional(),
+  selectedProviderIds: z.array(z.string()).optional(),
+  skippedProviderIds: z.array(z.string()).optional(),
+  consentEnabled: z.boolean().optional(),
+  federatedLoginUsed: z.boolean().optional(),
+  pendingAuthId: z.string().optional()
 });
 function verifyPkce(codeVerifier, challenge) {
   if (challenge.method !== "S256") {
@@ -1569,8 +1428,8 @@ var RedisAuthorizationStore = class {
 };
 
 // libs/auth/src/session/authorization-vault.ts
-import { z as z3 } from "zod";
-var credentialTypeSchema = z3.enum([
+import { z as z2 } from "zod";
+var credentialTypeSchema = z2.enum([
   "oauth",
   // OAuth 2.0 tokens
   "api_key",
@@ -1592,135 +1451,135 @@ var credentialTypeSchema = z3.enum([
   "oauth_pkce"
   // OAuth 2.0 with PKCE for public clients
 ]);
-var oauthCredentialSchema = z3.object({
-  type: z3.literal("oauth"),
+var oauthCredentialSchema = z2.object({
+  type: z2.literal("oauth"),
   /** Access token */
-  accessToken: z3.string(),
+  accessToken: z2.string(),
   /** Refresh token (optional) */
-  refreshToken: z3.string().optional(),
+  refreshToken: z2.string().optional(),
   /** Token type (usually 'Bearer') */
-  tokenType: z3.string().default("Bearer"),
+  tokenType: z2.string().default("Bearer"),
   /** Token expiration timestamp (epoch ms) */
-  expiresAt: z3.number().optional(),
+  expiresAt: z2.number().optional(),
   /** Granted scopes */
-  scopes: z3.array(z3.string()).default([]),
+  scopes: z2.array(z2.string()).default([]),
   /** ID token for OIDC (optional) */
-  idToken: z3.string().optional()
+  idToken: z2.string().optional()
 });
-var apiKeyCredentialSchema = z3.object({
-  type: z3.literal("api_key"),
+var apiKeyCredentialSchema = z2.object({
+  type: z2.literal("api_key"),
   /** The API key value */
-  key: z3.string().min(1),
+  key: z2.string().min(1),
   /** Header name to use (e.g., 'X-API-Key', 'Authorization') */
-  headerName: z3.string().default("X-API-Key"),
+  headerName: z2.string().default("X-API-Key"),
   /** Prefix for the header value (e.g., 'Bearer ', 'Api-Key ') */
-  headerPrefix: z3.string().optional(),
+  headerPrefix: z2.string().optional(),
   /** Alternative: send as query parameter */
-  queryParam: z3.string().optional()
+  queryParam: z2.string().optional()
 });
-var basicAuthCredentialSchema = z3.object({
-  type: z3.literal("basic"),
+var basicAuthCredentialSchema = z2.object({
+  type: z2.literal("basic"),
   /** Username */
-  username: z3.string().min(1),
+  username: z2.string().min(1),
   /** Password */
-  password: z3.string(),
+  password: z2.string(),
   /** Pre-computed base64 encoded value (optional, for caching) */
-  encodedValue: z3.string().optional()
+  encodedValue: z2.string().optional()
 });
-var bearerCredentialSchema = z3.object({
-  type: z3.literal("bearer"),
+var bearerCredentialSchema = z2.object({
+  type: z2.literal("bearer"),
   /** The bearer token value */
-  token: z3.string().min(1),
+  token: z2.string().min(1),
   /** Token expiration (optional, for static tokens that expire) */
-  expiresAt: z3.number().optional()
+  expiresAt: z2.number().optional()
 });
-var privateKeyCredentialSchema = z3.object({
-  type: z3.literal("private_key"),
+var privateKeyCredentialSchema = z2.object({
+  type: z2.literal("private_key"),
   /** Key format */
-  format: z3.enum(["pem", "jwk", "pkcs8", "pkcs12"]),
+  format: z2.enum(["pem", "jwk", "pkcs8", "pkcs12"]),
   /** The key data (PEM string or JWK JSON) */
-  keyData: z3.string(),
+  keyData: z2.string(),
   /** Key ID (for JWK) */
-  keyId: z3.string().optional(),
+  keyId: z2.string().optional(),
   /** Algorithm to use for signing */
-  algorithm: z3.string().optional(),
+  algorithm: z2.string().optional(),
   /** Passphrase if key is encrypted */
-  passphrase: z3.string().optional(),
+  passphrase: z2.string().optional(),
   /** Associated certificate (for mTLS) */
-  certificate: z3.string().optional()
+  certificate: z2.string().optional()
 });
-var mtlsCredentialSchema = z3.object({
-  type: z3.literal("mtls"),
+var mtlsCredentialSchema = z2.object({
+  type: z2.literal("mtls"),
   /** Client certificate (PEM format) */
-  certificate: z3.string(),
+  certificate: z2.string(),
   /** Private key (PEM format) */
-  privateKey: z3.string(),
+  privateKey: z2.string(),
   /** Passphrase if private key is encrypted */
-  passphrase: z3.string().optional(),
+  passphrase: z2.string().optional(),
   /** CA certificate chain (optional) */
-  caCertificate: z3.string().optional()
+  caCertificate: z2.string().optional()
 });
-var customCredentialSchema = z3.object({
-  type: z3.literal("custom"),
+var customCredentialSchema = z2.object({
+  type: z2.literal("custom"),
   /** Custom type identifier */
-  customType: z3.string().min(1),
+  customType: z2.string().min(1),
   /** Arbitrary credential data */
-  data: z3.record(z3.string(), z3.unknown()),
+  data: z2.record(z2.string(), z2.unknown()),
   /** Headers to include in requests */
-  headers: z3.record(z3.string(), z3.string()).optional()
+  headers: z2.record(z2.string(), z2.string()).optional()
 });
-var sshKeyCredentialSchema = z3.object({
-  type: z3.literal("ssh_key"),
+var sshKeyCredentialSchema = z2.object({
+  type: z2.literal("ssh_key"),
   /** Private key (PEM format) */
-  privateKey: z3.string().min(1),
+  privateKey: z2.string().min(1),
   /** Public key (optional, can be derived from private key) */
-  publicKey: z3.string().optional(),
+  publicKey: z2.string().optional(),
   /** Passphrase if private key is encrypted */
-  passphrase: z3.string().optional(),
+  passphrase: z2.string().optional(),
   /** Key type */
-  keyType: z3.enum(["rsa", "ed25519", "ecdsa", "dsa"]).default("ed25519"),
+  keyType: z2.enum(["rsa", "ed25519", "ecdsa", "dsa"]).default("ed25519"),
   /** Key fingerprint (SHA256 hash) */
-  fingerprint: z3.string().optional(),
+  fingerprint: z2.string().optional(),
   /** Username for SSH connections */
-  username: z3.string().optional()
+  username: z2.string().optional()
 });
-var serviceAccountCredentialSchema = z3.object({
-  type: z3.literal("service_account"),
+var serviceAccountCredentialSchema = z2.object({
+  type: z2.literal("service_account"),
   /** Cloud provider */
-  provider: z3.enum(["gcp", "aws", "azure", "custom"]),
+  provider: z2.enum(["gcp", "aws", "azure", "custom"]),
   /** Raw credentials (JSON key file content, access keys, etc.) */
-  credentials: z3.record(z3.string(), z3.unknown()),
+  credentials: z2.record(z2.string(), z2.unknown()),
   /** Project/Account ID */
-  projectId: z3.string().optional(),
+  projectId: z2.string().optional(),
   /** Region for regional services */
-  region: z3.string().optional(),
+  region: z2.string().optional(),
   /** AWS: Role ARN to assume */
-  assumeRoleArn: z3.string().optional(),
+  assumeRoleArn: z2.string().optional(),
   /** AWS: External ID for cross-account access */
-  externalId: z3.string().optional(),
+  externalId: z2.string().optional(),
   /** Service account email (GCP) or ARN (AWS) */
-  serviceAccountId: z3.string().optional(),
+  serviceAccountId: z2.string().optional(),
   /** Expiration timestamp for temporary credentials */
-  expiresAt: z3.number().optional()
+  expiresAt: z2.number().optional()
 });
-var pkceOAuthCredentialSchema = z3.object({
-  type: z3.literal("oauth_pkce"),
+var pkceOAuthCredentialSchema = z2.object({
+  type: z2.literal("oauth_pkce"),
   /** Access token */
-  accessToken: z3.string(),
+  accessToken: z2.string(),
   /** Refresh token (optional) */
-  refreshToken: z3.string().optional(),
+  refreshToken: z2.string().optional(),
   /** Token type (usually 'Bearer') */
-  tokenType: z3.string().default("Bearer"),
+  tokenType: z2.string().default("Bearer"),
   /** Token expiration timestamp (epoch ms) */
-  expiresAt: z3.number().optional(),
+  expiresAt: z2.number().optional(),
   /** Granted scopes */
-  scopes: z3.array(z3.string()).default([]),
+  scopes: z2.array(z2.string()).default([]),
   /** ID token for OIDC (optional) */
-  idToken: z3.string().optional(),
+  idToken: z2.string().optional(),
   /** Authorization server issuer */
-  issuer: z3.string().optional()
+  issuer: z2.string().optional()
 });
-var credentialSchema = z3.discriminatedUnion("type", [
+var credentialSchema = z2.discriminatedUnion("type", [
   oauthCredentialSchema,
   apiKeyCredentialSchema,
   basicAuthCredentialSchema,
@@ -1732,124 +1591,124 @@ var credentialSchema = z3.discriminatedUnion("type", [
   serviceAccountCredentialSchema,
   pkceOAuthCredentialSchema
 ]);
-var appCredentialSchema = z3.object({
+var appCredentialSchema = z2.object({
   /** App ID this credential belongs to */
-  appId: z3.string().min(1),
+  appId: z2.string().min(1),
   /** Provider ID within the app (for apps with multiple auth providers) */
-  providerId: z3.string().min(1),
+  providerId: z2.string().min(1),
   /** The credential data */
   credential: credentialSchema,
   /** Timestamp when credential was acquired */
-  acquiredAt: z3.number(),
+  acquiredAt: z2.number(),
   /** Timestamp when credential was last used */
-  lastUsedAt: z3.number().optional(),
+  lastUsedAt: z2.number().optional(),
   /** Credential expiration (if applicable) */
-  expiresAt: z3.number().optional(),
+  expiresAt: z2.number().optional(),
   /** Whether this credential is currently valid */
-  isValid: z3.boolean().default(true),
+  isValid: z2.boolean().default(true),
   /** Error message if credential is invalid */
-  invalidReason: z3.string().optional(),
+  invalidReason: z2.string().optional(),
   /** User info associated with this credential */
-  userInfo: z3.object({
-    sub: z3.string().optional(),
-    email: z3.string().optional(),
-    name: z3.string().optional()
+  userInfo: z2.object({
+    sub: z2.string().optional(),
+    email: z2.string().optional(),
+    name: z2.string().optional()
   }).optional(),
   /** Metadata for tracking/debugging */
-  metadata: z3.record(z3.string(), z3.unknown()).optional()
+  metadata: z2.record(z2.string(), z2.unknown()).optional()
 });
-var vaultConsentRecordSchema = z3.object({
+var vaultConsentRecordSchema = z2.object({
   /** Whether consent was enabled */
-  enabled: z3.boolean(),
+  enabled: z2.boolean(),
   /** Selected tool IDs (user approved these) */
-  selectedToolIds: z3.array(z3.string()),
+  selectedToolIds: z2.array(z2.string()),
   /** Available tool IDs at time of consent */
-  availableToolIds: z3.array(z3.string()),
+  availableToolIds: z2.array(z2.string()),
   /** Timestamp when consent was given */
-  consentedAt: z3.number(),
+  consentedAt: z2.number(),
   /** Consent version for tracking changes */
-  version: z3.string().default("1.0")
+  version: z2.string().default("1.0")
 });
-var vaultFederatedRecordSchema = z3.object({
+var vaultFederatedRecordSchema = z2.object({
   /** Provider IDs that were selected */
-  selectedProviderIds: z3.array(z3.string()),
+  selectedProviderIds: z2.array(z2.string()),
   /** Provider IDs that were skipped (can be authorized later) */
-  skippedProviderIds: z3.array(z3.string()),
+  skippedProviderIds: z2.array(z2.string()),
   /** Primary provider ID */
-  primaryProviderId: z3.string().optional(),
+  primaryProviderId: z2.string().optional(),
   /** Timestamp when federated login was completed */
-  completedAt: z3.number()
+  completedAt: z2.number()
 });
-var pendingIncrementalAuthSchema = z3.object({
+var pendingIncrementalAuthSchema = z2.object({
   /** Unique ID for this request */
-  id: z3.string(),
+  id: z2.string(),
   /** App ID being authorized */
-  appId: z3.string(),
+  appId: z2.string(),
   /** Tool ID that triggered the auth request */
-  toolId: z3.string().optional(),
+  toolId: z2.string().optional(),
   /** Authorization URL */
-  authUrl: z3.string(),
+  authUrl: z2.string(),
   /** Required scopes */
-  requiredScopes: z3.array(z3.string()).optional(),
+  requiredScopes: z2.array(z2.string()).optional(),
   /** Whether elicit is being used */
-  elicitId: z3.string().optional(),
+  elicitId: z2.string().optional(),
   /** Timestamp when request was created */
-  createdAt: z3.number(),
+  createdAt: z2.number(),
   /** Expiration timestamp */
-  expiresAt: z3.number(),
+  expiresAt: z2.number(),
   /** Status of the request */
-  status: z3.enum(["pending", "completed", "cancelled", "expired"])
+  status: z2.enum(["pending", "completed", "cancelled", "expired"])
 });
-var authorizationVaultEntrySchema = z3.object({
+var authorizationVaultEntrySchema = z2.object({
   /** Vault ID (maps to access token jti claim) */
-  id: z3.string(),
+  id: z2.string(),
   /** User subject identifier */
-  userSub: z3.string(),
+  userSub: z2.string(),
   /** User email */
-  userEmail: z3.string().optional(),
+  userEmail: z2.string().optional(),
   /** User name */
-  userName: z3.string().optional(),
+  userName: z2.string().optional(),
   /** Client ID that created this session */
-  clientId: z3.string(),
+  clientId: z2.string(),
   /** Creation timestamp */
-  createdAt: z3.number(),
+  createdAt: z2.number(),
   /** Last access timestamp */
-  lastAccessAt: z3.number(),
+  lastAccessAt: z2.number(),
   /** App credentials (keyed by `${appId}:${providerId}`) */
-  appCredentials: z3.record(z3.string(), appCredentialSchema).default({}),
+  appCredentials: z2.record(z2.string(), appCredentialSchema).default({}),
   /** Consent record */
   consent: vaultConsentRecordSchema.optional(),
   /** Federated login record */
   federated: vaultFederatedRecordSchema.optional(),
   /** Pending incremental authorization requests */
-  pendingAuths: z3.array(pendingIncrementalAuthSchema),
+  pendingAuths: z2.array(pendingIncrementalAuthSchema),
   /** Apps that are fully authorized */
-  authorizedAppIds: z3.array(z3.string()),
+  authorizedAppIds: z2.array(z2.string()),
   /** Apps that were skipped (not yet authorized) */
-  skippedAppIds: z3.array(z3.string())
+  skippedAppIds: z2.array(z2.string())
 });
 
 // libs/auth/src/session/vault-encryption.ts
-import { z as z4 } from "zod";
+import { z as z3 } from "zod";
 import {
   hkdfSha256,
   encryptAesGcm,
   decryptAesGcm,
-  randomBytes as randomBytes3,
+  randomBytes as randomBytes2,
   base64urlEncode,
   base64urlDecode
 } from "@frontmcp/utils";
-var encryptedDataSchema = z4.object({
+var encryptedDataSchema = z3.object({
   /** Version for future algorithm changes */
-  v: z4.literal(1),
+  v: z3.literal(1),
   /** Algorithm identifier */
-  alg: z4.literal("aes-256-gcm"),
+  alg: z3.literal("aes-256-gcm"),
   /** Initialization vector (base64) */
-  iv: z4.string(),
+  iv: z3.string(),
   /** Ciphertext (base64) */
-  ct: z4.string(),
+  ct: z3.string(),
   /** Authentication tag (base64) */
-  tag: z4.string()
+  tag: z3.string()
 });
 var VaultEncryption = class {
   pepper;
@@ -1919,7 +1778,7 @@ var VaultEncryption = class {
     if (key.length !== 32) {
       throw new Error("Encryption key must be 32 bytes");
     }
-    const iv = randomBytes3(12);
+    const iv = randomBytes2(12);
     const { ciphertext, tag } = await encryptAesGcm(key, new TextEncoder().encode(plaintext), iv);
     return {
       v: 1,
@@ -1987,33 +1846,33 @@ var VaultEncryption = class {
     return encryptedDataSchema.safeParse(data).success;
   }
 };
-var encryptedVaultEntrySchema = z4.object({
+var encryptedVaultEntrySchema = z3.object({
   /** Vault ID (maps to JWT jti claim) */
-  id: z4.string(),
+  id: z3.string(),
   /** User subject identifier */
-  userSub: z4.string(),
+  userSub: z3.string(),
   /** User email (unencrypted for display) */
-  userEmail: z4.string().optional(),
+  userEmail: z3.string().optional(),
   /** User name (unencrypted for display) */
-  userName: z4.string().optional(),
+  userName: z3.string().optional(),
   /** Client ID that created this session */
-  clientId: z4.string(),
+  clientId: z3.string(),
   /** Creation timestamp */
-  createdAt: z4.number(),
+  createdAt: z3.number(),
   /** Last access timestamp */
-  lastAccessAt: z4.number(),
+  lastAccessAt: z3.number(),
   /** Encrypted sensitive data (provider tokens, credentials, consent) */
   encryptedData: encryptedDataSchema,
   /** Apps that are fully authorized (unencrypted for quick lookup) */
-  authorizedAppIds: z4.array(z4.string()),
+  authorizedAppIds: z3.array(z3.string()),
   /** Apps that were skipped (unencrypted for quick lookup) */
-  skippedAppIds: z4.array(z4.string()),
+  skippedAppIds: z3.array(z3.string()),
   /** Pending auth IDs (unencrypted for lookup, actual URLs encrypted) */
-  pendingAuthIds: z4.array(z4.string()).default([])
+  pendingAuthIds: z3.array(z3.string()).default([])
 });
 
 // libs/auth/src/session/token.vault.ts
-import { encryptAesGcm as encryptAesGcm2, decryptAesGcm as decryptAesGcm2, randomBytes as randomBytes4, base64urlEncode as base64urlEncode2, base64urlDecode as base64urlDecode2 } from "@frontmcp/utils";
+import { encryptAesGcm as encryptAesGcm2, decryptAesGcm as decryptAesGcm2, randomBytes as randomBytes3, base64urlEncode as base64urlEncode2, base64urlDecode as base64urlDecode2 } from "@frontmcp/utils";
 var TokenVault = class {
   /** Active key used for new encryptions */
   active;
@@ -2042,7 +1901,7 @@ var TokenVault = class {
     this.keys.set(k.kid, k.key);
   }
   async encrypt(plaintext, opts) {
-    const iv = randomBytes4(12);
+    const iv = randomBytes3(12);
     const { ciphertext, tag } = await encryptAesGcm2(this.active.key, new TextEncoder().encode(plaintext), iv);
     return {
       alg: "A256GCM",
@@ -2081,94 +1940,94 @@ import {
 } from "@frontmcp/utils";
 
 // libs/auth/src/session/transport-session.types.ts
-import { z as z5 } from "zod";
-var transportProtocolSchema = z5.enum([
+import { z as z4 } from "zod";
+var transportProtocolSchema = z4.enum([
   "legacy-sse",
   "sse",
   "streamable-http",
   "stateful-http",
   "stateless-http"
 ]);
-var sseTransportStateSchema = z5.object({
-  type: z5.literal("sse"),
-  lastEventId: z5.string().optional(),
-  lastPing: z5.number().optional(),
-  connectionState: z5.enum(["connecting", "open", "closed"]).optional()
+var sseTransportStateSchema = z4.object({
+  type: z4.literal("sse"),
+  lastEventId: z4.string().optional(),
+  lastPing: z4.number().optional(),
+  connectionState: z4.enum(["connecting", "open", "closed"]).optional()
 });
-var streamableHttpTransportStateSchema = z5.object({
-  type: z5.literal("streamable-http"),
-  requestSeq: z5.number(),
-  activeStreamId: z5.string().optional(),
-  pendingRequests: z5.array(z5.string()).optional()
+var streamableHttpTransportStateSchema = z4.object({
+  type: z4.literal("streamable-http"),
+  requestSeq: z4.number(),
+  activeStreamId: z4.string().optional(),
+  pendingRequests: z4.array(z4.string()).optional()
 });
-var statefulHttpTransportStateSchema = z5.object({
-  type: z5.literal("stateful-http"),
-  requestSeq: z5.number(),
-  pendingResponses: z5.array(z5.string()).optional(),
-  lastActivity: z5.number().optional()
+var statefulHttpTransportStateSchema = z4.object({
+  type: z4.literal("stateful-http"),
+  requestSeq: z4.number(),
+  pendingResponses: z4.array(z4.string()).optional(),
+  lastActivity: z4.number().optional()
 });
-var statelessHttpTransportStateSchema = z5.object({
-  type: z5.literal("stateless-http"),
-  requestCount: z5.number(),
-  windowStart: z5.number().optional()
+var statelessHttpTransportStateSchema = z4.object({
+  type: z4.literal("stateless-http"),
+  requestCount: z4.number(),
+  windowStart: z4.number().optional()
 });
-var legacySseTransportStateSchema = z5.object({
-  type: z5.literal("legacy-sse"),
-  messagePath: z5.string(),
-  lastEventId: z5.string().optional(),
-  connectionState: z5.enum(["connecting", "open", "closed"]).optional()
+var legacySseTransportStateSchema = z4.object({
+  type: z4.literal("legacy-sse"),
+  messagePath: z4.string(),
+  lastEventId: z4.string().optional(),
+  connectionState: z4.enum(["connecting", "open", "closed"]).optional()
 });
-var transportStateSchema = z5.discriminatedUnion("type", [
+var transportStateSchema = z4.discriminatedUnion("type", [
   sseTransportStateSchema,
   streamableHttpTransportStateSchema,
   statefulHttpTransportStateSchema,
   statelessHttpTransportStateSchema,
   legacySseTransportStateSchema
 ]);
-var transportSessionSchema = z5.object({
-  id: z5.string(),
-  authorizationId: z5.string(),
+var transportSessionSchema = z4.object({
+  id: z4.string(),
+  authorizationId: z4.string(),
   protocol: transportProtocolSchema,
-  createdAt: z5.number(),
-  expiresAt: z5.number().optional(),
-  nodeId: z5.string(),
-  clientFingerprint: z5.string().optional(),
+  createdAt: z4.number(),
+  expiresAt: z4.number().optional(),
+  nodeId: z4.string(),
+  clientFingerprint: z4.string().optional(),
   transportState: transportStateSchema.optional()
 });
-var sessionJwtPayloadSchema = z5.object({
-  sid: z5.string(),
-  aid: z5.string(),
+var sessionJwtPayloadSchema = z4.object({
+  sid: z4.string(),
+  aid: z4.string(),
   proto: transportProtocolSchema,
-  nid: z5.string(),
-  iat: z5.number(),
-  exp: z5.number().optional()
+  nid: z4.string(),
+  iat: z4.number(),
+  exp: z4.number().optional()
 });
-var encryptedBlobSchema = z5.object({
-  alg: z5.literal("A256GCM"),
-  kid: z5.string().optional(),
-  iv: z5.string(),
-  tag: z5.string(),
-  data: z5.string(),
-  exp: z5.number().optional(),
-  meta: z5.record(z5.string(), z5.unknown()).optional()
+var encryptedBlobSchema = z4.object({
+  alg: z4.literal("A256GCM"),
+  kid: z4.string().optional(),
+  iv: z4.string(),
+  tag: z4.string(),
+  data: z4.string(),
+  exp: z4.number().optional(),
+  meta: z4.record(z4.string(), z4.unknown()).optional()
 });
-var storedSessionSchema = z5.object({
+var storedSessionSchema = z4.object({
   session: transportSessionSchema,
-  authorizationId: z5.string(),
-  tokens: z5.record(z5.string(), encryptedBlobSchema).optional(),
-  createdAt: z5.number(),
-  lastAccessedAt: z5.number(),
-  initialized: z5.boolean().optional(),
-  maxLifetimeAt: z5.number().optional()
+  authorizationId: z4.string(),
+  tokens: z4.record(z4.string(), encryptedBlobSchema).optional(),
+  createdAt: z4.number(),
+  lastAccessedAt: z4.number(),
+  initialized: z4.boolean().optional(),
+  maxLifetimeAt: z4.number().optional()
 });
-var redisConfigSchema = z5.object({
-  host: z5.string().min(1),
-  port: z5.number().int().positive().optional().default(6379),
-  password: z5.string().optional(),
-  db: z5.number().int().nonnegative().optional().default(0),
-  tls: z5.boolean().optional().default(false),
-  keyPrefix: z5.string().optional().default("mcp:session:"),
-  defaultTtlMs: z5.number().int().positive().optional().default(36e5)
+var redisConfigSchema = z4.object({
+  host: z4.string().min(1),
+  port: z4.number().int().positive().optional().default(6379),
+  password: z4.string().optional(),
+  db: z4.number().int().nonnegative().optional().default(0),
+  tls: z4.boolean().optional().default(false),
+  keyPrefix: z4.string().optional().default("mcp:session:"),
+  defaultTtlMs: z4.number().int().positive().optional().default(36e5)
   // 1 hour default
 });
 
@@ -2177,11 +2036,13 @@ import {
   signData,
   verifyData,
   isSignedData,
-  verifyOrParseData
+  verifyOrParseData,
+  getEnv,
+  isProduction as isProduction2
 } from "@frontmcp/utils";
 
 // libs/auth/src/errors/auth-internal.error.ts
-import { randomBytes as randomBytes5, bytesToHex as bytesToHex2 } from "@frontmcp/utils";
+import { randomBytes as randomBytes4, bytesToHex as bytesToHex2 } from "@frontmcp/utils";
 var AuthInternalError = class extends Error {
   /**
    * Unique error ID for tracking in logs.
@@ -2203,7 +2064,7 @@ var AuthInternalError = class extends Error {
     super(message);
     this.name = this.constructor.name;
     this.code = code;
-    this.errorId = `err_${bytesToHex2(randomBytes5(8))}`;
+    this.errorId = `err_${bytesToHex2(randomBytes4(8))}`;
     Error.captureStackTrace(this, this.constructor);
   }
   /**
@@ -2326,9 +2187,9 @@ var AuthFlowError = class extends AuthInternalError {
 
 // libs/auth/src/session/session-crypto.ts
 function getSigningSecret(config) {
-  const secret = config?.secret || process.env["MCP_SESSION_SECRET"];
+  const secret = config?.secret || getEnv("MCP_SESSION_SECRET");
   if (!secret) {
-    if (process.env["NODE_ENV"] === "production") {
+    if (isProduction2()) {
       throw new SessionSecretRequiredError("session signing");
     }
     console.warn("[SessionCrypto] MCP_SESSION_SECRET not set. Using insecure default for development only.");
@@ -2361,7 +2222,7 @@ var SessionRateLimiter = class {
     const cleanupIntervalMs = config.cleanupIntervalMs ?? 6e4;
     if (cleanupIntervalMs > 0) {
       this.cleanupTimer = setInterval(() => this.cleanup(), cleanupIntervalMs);
-      this.cleanupTimer.unref();
+      if (typeof this.cleanupTimer.unref === "function") this.cleanupTimer.unref();
     }
   }
   /**
@@ -2469,12 +2330,11 @@ import { randomUUID as randomUUID2 } from "@frontmcp/utils";
 var TransportIdGenerator = class {
   /**
    * Create a transport session ID.
-   * Always generates JWT-style IDs for distributed session support.
+   * Generates JWT-style IDs for distributed session support.
    *
-   * @param _mode - Deprecated parameter, kept for backwards compatibility
-   * @returns A JWT-style transport session ID (UUID without dashes)
+   * @returns A transport session ID (UUID without dashes)
    */
-  static createId(_mode) {
+  static createId() {
     return randomUUID2().replace(/-/g, "");
   }
 };
@@ -2565,18 +2425,20 @@ function extractBearerToken(header) {
 }
 
 // libs/auth/src/session/utils/session-crypto.utils.ts
-import { sha256, encryptValue, decryptValue } from "@frontmcp/utils";
+import { sha256, encryptValue, decryptValue, getEnv as getEnv3, isProduction as isProduction4 } from "@frontmcp/utils";
 
 // libs/auth/src/machine-id/machine-id.ts
-import * as path2 from "path";
-import { randomUUID as randomUUID3, mkdir as mkdir2, writeFile as writeFile2, readFileSync } from "@frontmcp/utils";
+import { randomUUID as randomUUID3, mkdir, writeFile, readFileSync, getEnv as getEnv2, getCwd, isProduction as isProduction3, isBrowser } from "@frontmcp/utils";
 var DEFAULT_MACHINE_ID_PATH = ".frontmcp/machine-id";
 function isDevPersistenceEnabled() {
-  return process.env["NODE_ENV"] !== "production";
+  if (isBrowser()) return false;
+  return !isProduction3();
 }
 function resolveMachineIdPath() {
-  const machineIdPath = process.env["MACHINE_ID_PATH"] ?? DEFAULT_MACHINE_ID_PATH;
-  return path2.isAbsolute(machineIdPath) ? machineIdPath : path2.resolve(process.cwd(), machineIdPath);
+  if (isBrowser()) return DEFAULT_MACHINE_ID_PATH;
+  const path = __require("path");
+  const machineIdPath = getEnv2("MACHINE_ID_PATH") ?? DEFAULT_MACHINE_ID_PATH;
+  return path.isAbsolute(machineIdPath) ? machineIdPath : path.resolve(getCwd(), machineIdPath);
 }
 function loadMachineIdSync() {
   if (!isDevPersistenceEnabled()) {
@@ -2602,18 +2464,19 @@ function saveMachineIdAsync(machineId2) {
     return;
   }
   const machineIdPath = resolveMachineIdPath();
-  const dir = path2.dirname(machineIdPath);
+  const path = __require("path");
+  const dir = path.dirname(machineIdPath);
   (async () => {
     try {
-      await mkdir2(dir, { recursive: true, mode: 448 });
-      await writeFile2(machineIdPath, machineId2, { mode: 384 });
+      await mkdir(dir, { recursive: true, mode: 448 });
+      await writeFile(machineIdPath, machineId2, { mode: 384 });
     } catch (error) {
       console.warn(`[MachineId] Failed to save to ${machineIdPath}: ${error.message}`);
     }
   })();
 }
 var machineId = (() => {
-  const envMachineId = process.env["MACHINE_ID"];
+  const envMachineId = getEnv2("MACHINE_ID");
   if (envMachineId) {
     return envMachineId;
   }
@@ -2637,10 +2500,9 @@ function setMachineIdOverride(id) {
 var cachedKey = null;
 function getKey() {
   if (cachedKey) return cachedKey;
-  const secret = process.env["MCP_SESSION_SECRET"];
-  const nodeEnv = process.env["NODE_ENV"];
+  const secret = getEnv3("MCP_SESSION_SECRET");
   if (!secret) {
-    if (nodeEnv === "production") {
+    if (isProduction4()) {
       throw new SessionSecretRequiredError("session ID encryption");
     }
     console.warn(
@@ -3554,7 +3416,7 @@ var VercelKvSessionStore = class {
 };
 
 // libs/auth/src/session/orchestrated-token.store.ts
-import { encryptAesGcm as encryptAesGcm3, decryptAesGcm as decryptAesGcm3, randomBytes as randomBytes6, hkdfSha256 as hkdfSha2562 } from "@frontmcp/utils";
+import { encryptAesGcm as encryptAesGcm3, decryptAesGcm as decryptAesGcm3, randomBytes as randomBytes5, hkdfSha256 as hkdfSha2562 } from "@frontmcp/utils";
 var InMemoryOrchestratedTokenStore = class {
   /** Token storage: Map<compositeKey, ProviderTokenRecord> */
   tokens = /* @__PURE__ */ new Map();
@@ -3606,7 +3468,7 @@ var InMemoryOrchestratedTokenStore = class {
   async encryptRecord(compositeKey, record) {
     const key = await this.deriveKeyForRecord(compositeKey);
     const plaintext = JSON.stringify(record);
-    const iv = randomBytes6(12);
+    const iv = randomBytes5(12);
     const { ciphertext, tag } = encryptAesGcm3(key, new TextEncoder().encode(plaintext), iv);
     return JSON.stringify({
       iv: Buffer.from(iv).toString("base64url"),
@@ -3989,30 +3851,30 @@ function startNextProvider(session, pkce, state) {
 }
 
 // libs/auth/src/session/encrypted-authorization-vault.ts
-import { z as z6 } from "zod";
+import { z as z5 } from "zod";
 import { randomUUID as randomUUID9 } from "@frontmcp/utils";
-import { AsyncLocalStorage } from "node:async_hooks";
-var redisVaultEntrySchema = z6.object({
+import { AsyncLocalStorage } from "@frontmcp/utils";
+var redisVaultEntrySchema = z5.object({
   /** Vault ID */
-  id: z6.string(),
+  id: z5.string(),
   /** User sub (for lookup) */
-  userSub: z6.string(),
+  userSub: z5.string(),
   /** User email (optional, for display) */
-  userEmail: z6.string().optional(),
+  userEmail: z5.string().optional(),
   /** User name (optional, for display) */
-  userName: z6.string().optional(),
+  userName: z5.string().optional(),
   /** Client ID */
-  clientId: z6.string(),
+  clientId: z5.string(),
   /** Creation timestamp */
-  createdAt: z6.number(),
+  createdAt: z5.number(),
   /** Last access timestamp */
-  lastAccessAt: z6.number(),
+  lastAccessAt: z5.number(),
   /** Authorized app IDs (unencrypted for quick auth checks) */
-  authorizedAppIds: z6.array(z6.string()),
+  authorizedAppIds: z5.array(z5.string()),
   /** Skipped app IDs (unencrypted for quick checks) */
-  skippedAppIds: z6.array(z6.string()),
+  skippedAppIds: z5.array(z5.string()),
   /** Pending auth request IDs (unencrypted for lookup) */
-  pendingAuthIds: z6.array(z6.string()),
+  pendingAuthIds: z5.array(z5.string()),
   /** Encrypted sensitive data blob */
   encrypted: encryptedDataSchema
 });
@@ -4417,37 +4279,37 @@ function tryJwtExp(token) {
 }
 
 // libs/auth/src/authorization/authorization.types.ts
-import { z as z7 } from "zod";
-var authModeSchema = z7.enum(["public", "transparent", "orchestrated"]);
-var authUserSchema = z7.object({
-  sub: z7.string(),
-  name: z7.string().optional(),
-  email: z7.string().email().optional(),
-  picture: z7.string().url().optional(),
-  anonymous: z7.boolean().optional()
+import { z as z6 } from "zod";
+var authModeSchema = z6.enum(["public", "transparent", "orchestrated"]);
+var authUserSchema = z6.object({
+  sub: z6.string(),
+  name: z6.string().optional(),
+  email: z6.string().email().optional(),
+  picture: z6.string().url().optional(),
+  anonymous: z6.boolean().optional()
 });
-var authorizedToolSchema = z7.object({
-  executionPath: z7.tuple([z7.string(), z7.string()]),
-  scopes: z7.array(z7.string()).optional(),
-  details: z7.record(z7.string(), z7.unknown()).optional()
+var authorizedToolSchema = z6.object({
+  executionPath: z6.tuple([z6.string(), z6.string()]),
+  scopes: z6.array(z6.string()).optional(),
+  details: z6.record(z6.string(), z6.unknown()).optional()
 });
-var authorizedPromptSchema = z7.object({
-  executionPath: z7.tuple([z7.string(), z7.string()]),
-  scopes: z7.array(z7.string()).optional(),
-  details: z7.record(z7.string(), z7.unknown()).optional()
+var authorizedPromptSchema = z6.object({
+  executionPath: z6.tuple([z6.string(), z6.string()]),
+  scopes: z6.array(z6.string()).optional(),
+  details: z6.record(z6.string(), z6.unknown()).optional()
 });
-var llmSafeAuthContextSchema = z7.object({
-  authorizationId: z7.string(),
-  sessionId: z7.string(),
+var llmSafeAuthContextSchema = z6.object({
+  authorizationId: z6.string(),
+  sessionId: z6.string(),
   mode: authModeSchema,
-  isAnonymous: z7.boolean(),
-  user: z7.object({
-    sub: z7.string(),
-    name: z7.string().optional()
+  isAnonymous: z6.boolean(),
+  user: z6.object({
+    sub: z6.string(),
+    name: z6.string().optional()
   }),
-  scopes: z7.array(z7.string()),
-  authorizedToolIds: z7.array(z7.string()),
-  authorizedPromptIds: z7.array(z7.string())
+  scopes: z6.array(z6.string()),
+  authorizedToolIds: z6.array(z6.string()),
+  authorizedPromptIds: z6.array(z6.string())
 });
 var AppAuthState = /* @__PURE__ */ ((AppAuthState2) => {
   AppAuthState2["AUTHORIZED"] = "authorized";
@@ -4455,19 +4317,19 @@ var AppAuthState = /* @__PURE__ */ ((AppAuthState2) => {
   AppAuthState2["PENDING"] = "pending";
   return AppAuthState2;
 })(AppAuthState || {});
-var appAuthStateSchema = z7.nativeEnum(AppAuthState);
-var appAuthorizationRecordSchema = z7.object({
-  appId: z7.string(),
+var appAuthStateSchema = z6.nativeEnum(AppAuthState);
+var appAuthorizationRecordSchema = z6.object({
+  appId: z6.string(),
   state: appAuthStateSchema,
-  stateChangedAt: z7.number(),
-  grantedScopes: z7.array(z7.string()).optional(),
-  authProviderId: z7.string().optional(),
-  toolIds: z7.array(z7.string())
+  stateChangedAt: z6.number(),
+  grantedScopes: z6.array(z6.string()).optional(),
+  authProviderId: z6.string().optional(),
+  toolIds: z6.array(z6.string())
 });
-var progressiveAuthStateSchema = z7.object({
-  apps: z7.record(z7.string(), appAuthorizationRecordSchema),
-  initiallyAuthorized: z7.array(z7.string()),
-  initiallySkipped: z7.array(z7.string())
+var progressiveAuthStateSchema = z6.object({
+  apps: z6.record(z6.string(), appAuthorizationRecordSchema),
+  initiallyAuthorized: z6.array(z6.string()),
+  initiallySkipped: z6.array(z6.string())
 });
 
 // libs/auth/src/authorization/authorization.class.ts
@@ -5326,42 +5188,42 @@ var OrchestratedAuthAccessorAdapter = class {
 };
 
 // libs/auth/src/common/jwt.types.ts
-import { z as z8 } from "zod";
-var jwkParametersSchema = z8.object({
-  kty: z8.string().optional(),
-  alg: z8.string().optional(),
-  key_ops: z8.array(z8.string()).optional(),
-  ext: z8.boolean().optional(),
-  use: z8.string().optional(),
-  x5c: z8.array(z8.string()).optional(),
-  x5t: z8.string().optional(),
-  "x5t#S256": z8.string().optional(),
-  x5u: z8.string().optional(),
-  kid: z8.string().optional()
+import { z as z7 } from "zod";
+var jwkParametersSchema = z7.object({
+  kty: z7.string().optional(),
+  alg: z7.string().optional(),
+  key_ops: z7.array(z7.string()).optional(),
+  ext: z7.boolean().optional(),
+  use: z7.string().optional(),
+  x5c: z7.array(z7.string()).optional(),
+  x5t: z7.string().optional(),
+  "x5t#S256": z7.string().optional(),
+  x5u: z7.string().optional(),
+  kid: z7.string().optional()
 });
 var jwkSchema = jwkParametersSchema.extend({
-  crv: z8.string().optional(),
-  d: z8.string().optional(),
-  dp: z8.string().optional(),
-  dq: z8.string().optional(),
-  e: z8.string().optional(),
-  k: z8.string().optional(),
-  n: z8.string().optional(),
-  p: z8.string().optional(),
-  q: z8.string().optional(),
-  qi: z8.string().optional(),
-  x: z8.string().optional(),
-  y: z8.string().optional(),
-  pub: z8.string().optional(),
-  priv: z8.string().optional()
+  crv: z7.string().optional(),
+  d: z7.string().optional(),
+  dp: z7.string().optional(),
+  dq: z7.string().optional(),
+  e: z7.string().optional(),
+  k: z7.string().optional(),
+  n: z7.string().optional(),
+  p: z7.string().optional(),
+  q: z7.string().optional(),
+  qi: z7.string().optional(),
+  x: z7.string().optional(),
+  y: z7.string().optional(),
+  pub: z7.string().optional(),
+  priv: z7.string().optional()
 });
-var jsonWebKeySetSchema = z8.object({
-  keys: z8.array(jwkSchema)
+var jsonWebKeySetSchema = z7.object({
+  keys: z7.array(jwkSchema)
 });
 
 // libs/auth/src/common/session.types.ts
-import { z as z9 } from "zod";
-var aiPlatformTypeSchema = z9.enum([
+import { z as z8 } from "zod";
+var aiPlatformTypeSchema = z8.enum([
   "openai",
   "claude",
   "gemini",
@@ -5372,45 +5234,45 @@ var aiPlatformTypeSchema = z9.enum([
   "ext-apps",
   "unknown"
 ]);
-var userClaimSchema = z9.object({
-  iss: z9.string(),
-  sid: z9.string().optional(),
-  sub: z9.string(),
-  exp: z9.number().optional(),
-  iat: z9.number().optional(),
-  aud: z9.union([z9.string(), z9.array(z9.string())]).optional(),
-  email: z9.string().optional(),
-  username: z9.string().optional(),
-  preferred_username: z9.string().optional(),
-  name: z9.string().optional(),
-  picture: z9.string().optional()
+var userClaimSchema = z8.object({
+  iss: z8.string(),
+  sid: z8.string().optional(),
+  sub: z8.string(),
+  exp: z8.number().optional(),
+  iat: z8.number().optional(),
+  aud: z8.union([z8.string(), z8.array(z8.string())]).optional(),
+  email: z8.string().optional(),
+  username: z8.string().optional(),
+  preferred_username: z8.string().optional(),
+  name: z8.string().optional(),
+  picture: z8.string().optional()
 }).passthrough();
-var sessionIdPayloadSchema = z9.object({
-  nodeId: z9.string(),
-  authSig: z9.string(),
-  uuid: z9.string().uuid(),
-  iat: z9.number(),
-  protocol: z9.enum(["legacy-sse", "sse", "streamable-http", "stateful-http", "stateless-http"]).optional(),
-  isPublic: z9.boolean().optional(),
+var sessionIdPayloadSchema = z8.object({
+  nodeId: z8.string(),
+  authSig: z8.string(),
+  uuid: z8.string().uuid(),
+  iat: z8.number(),
+  protocol: z8.enum(["legacy-sse", "sse", "streamable-http", "stateful-http", "stateless-http"]).optional(),
+  isPublic: z8.boolean().optional(),
   platformType: aiPlatformTypeSchema.optional(),
-  clientName: z9.string().optional(),
-  clientVersion: z9.string().optional(),
-  supportsElicitation: z9.boolean().optional(),
-  skillsOnlyMode: z9.boolean().optional()
+  clientName: z8.string().optional(),
+  clientVersion: z8.string().optional(),
+  supportsElicitation: z8.boolean().optional(),
+  skillsOnlyMode: z8.boolean().optional()
 });
-var sessionIdSchema = z9.object({
-  id: z9.string(),
+var sessionIdSchema = z8.object({
+  id: z8.string(),
   /** Payload is optional - may be undefined when session validation failed but ID is passed for transport lookup */
   payload: sessionIdPayloadSchema.optional()
 });
-var authorizationSchema = z9.object({
-  token: z9.string(),
+var authorizationSchema = z8.object({
+  token: z8.string(),
   session: sessionIdSchema.optional(),
   user: userClaimSchema
 });
 
 // libs/auth/src/options/shared.schemas.ts
-import { z as z11 } from "zod";
+import { z as z10 } from "zod";
 
 // libs/auth/src/cimd/cimd.logger.ts
 var noopLogger = {
@@ -5426,169 +5288,169 @@ var noopLogger = {
 };
 
 // libs/auth/src/cimd/cimd.types.ts
-import { z as z10 } from "zod";
-var clientMetadataDocumentSchema = z10.object({
+import { z as z9 } from "zod";
+var clientMetadataDocumentSchema = z9.object({
   // REQUIRED per CIMD spec
   /**
    * Client identifier - MUST match the URL from which this document was fetched.
    */
-  client_id: z10.string().url(),
+  client_id: z9.string().url(),
   /**
    * Human-readable name of the client.
    */
-  client_name: z10.string().min(1),
+  client_name: z9.string().min(1),
   /**
    * Array of redirect URIs for authorization responses.
    * At least one is required.
    */
-  redirect_uris: z10.array(z10.string().url()).min(1),
+  redirect_uris: z9.array(z9.string().url()).min(1),
   // OPTIONAL per RFC 7591
   /**
    * Token endpoint authentication method.
    * @default 'none'
    */
-  token_endpoint_auth_method: z10.enum(["none", "client_secret_basic", "client_secret_post", "private_key_jwt"]).default("none"),
+  token_endpoint_auth_method: z9.enum(["none", "client_secret_basic", "client_secret_post", "private_key_jwt"]).default("none"),
   /**
    * OAuth grant types the client can use.
    * @default ['authorization_code']
    */
-  grant_types: z10.array(z10.string()).default(["authorization_code"]),
+  grant_types: z9.array(z9.string()).default(["authorization_code"]),
   /**
    * OAuth response types the client can request.
    * @default ['code']
    */
-  response_types: z10.array(z10.string()).default(["code"]),
+  response_types: z9.array(z9.string()).default(["code"]),
   /**
    * URL of the client's home page.
    */
-  client_uri: z10.string().url().optional(),
+  client_uri: z9.string().url().optional(),
   /**
    * URL of the client's logo image.
    */
-  logo_uri: z10.string().url().optional(),
+  logo_uri: z9.string().url().optional(),
   /**
    * URL of the client's JWKS (for private_key_jwt).
    */
-  jwks_uri: z10.string().url().optional(),
+  jwks_uri: z9.string().url().optional(),
   /**
    * Inline JWKS (for private_key_jwt).
    */
-  jwks: z10.object({
-    keys: z10.array(z10.record(z10.string(), z10.unknown()))
+  jwks: z9.object({
+    keys: z9.array(z9.record(z9.string(), z9.unknown()))
   }).optional(),
   /**
    * URL of the client's terms of service.
    */
-  tos_uri: z10.string().url().optional(),
+  tos_uri: z9.string().url().optional(),
   /**
    * URL of the client's privacy policy.
    */
-  policy_uri: z10.string().url().optional(),
+  policy_uri: z9.string().url().optional(),
   /**
    * Requested OAuth scopes.
    */
-  scope: z10.string().optional(),
+  scope: z9.string().optional(),
   /**
    * Array of contact emails for the client.
    */
-  contacts: z10.array(z10.string().email()).optional(),
+  contacts: z9.array(z9.string().email()).optional(),
   /**
    * Software statement (signed JWT).
    */
-  software_statement: z10.string().optional(),
+  software_statement: z9.string().optional(),
   /**
    * Unique identifier for the client software.
    */
-  software_id: z10.string().optional(),
+  software_id: z9.string().optional(),
   /**
    * Version of the client software.
    */
-  software_version: z10.string().optional()
+  software_version: z9.string().optional()
 });
-var cimdRedisCacheConfigSchema = z10.object({
+var cimdRedisCacheConfigSchema = z9.object({
   /**
    * Redis connection URL.
    * e.g., "redis://user:pass@host:6379/0"
    */
-  url: z10.string().optional(),
+  url: z9.string().optional(),
   /**
    * Redis host.
    */
-  host: z10.string().optional(),
+  host: z9.string().optional(),
   /**
    * Redis port.
    * @default 6379
    */
-  port: z10.number().optional(),
+  port: z9.number().optional(),
   /**
    * Redis password.
    */
-  password: z10.string().optional(),
+  password: z9.string().optional(),
   /**
    * Redis database number.
    * @default 0
    */
-  db: z10.number().optional(),
+  db: z9.number().optional(),
   /**
    * Enable TLS for Redis connection.
    * @default false
    */
-  tls: z10.boolean().optional(),
+  tls: z9.boolean().optional(),
   /**
    * Key prefix for CIMD cache entries.
    * @default 'cimd:'
    */
-  keyPrefix: z10.string().default("cimd:")
+  keyPrefix: z9.string().default("cimd:")
 });
-var cimdCacheConfigSchema = z10.object({
+var cimdCacheConfigSchema = z9.object({
   /**
    * Cache storage type.
    * - 'memory': In-memory cache (default, suitable for dev/single-instance)
    * - 'redis': Redis-backed cache (for production/distributed deployments)
    * @default 'memory'
    */
-  type: z10.enum(["memory", "redis"]).default("memory"),
+  type: z9.enum(["memory", "redis"]).default("memory"),
   /**
    * Default TTL for cached metadata documents.
    * @default 3600000 (1 hour)
    */
-  defaultTtlMs: z10.number().min(0).default(36e5),
+  defaultTtlMs: z9.number().min(0).default(36e5),
   /**
    * Maximum TTL (even if server suggests longer).
    * @default 86400000 (24 hours)
    */
-  maxTtlMs: z10.number().min(0).default(864e5),
+  maxTtlMs: z9.number().min(0).default(864e5),
   /**
    * Minimum TTL (even if server suggests shorter).
    * @default 60000 (1 minute)
    */
-  minTtlMs: z10.number().min(0).default(6e4),
+  minTtlMs: z9.number().min(0).default(6e4),
   /**
    * Redis configuration (required when type is 'redis').
    */
   redis: cimdRedisCacheConfigSchema.optional()
 });
-var cimdSecurityConfigSchema = z10.object({
+var cimdSecurityConfigSchema = z9.object({
   /**
    * Block fetching from private/internal IP addresses (SSRF protection).
    * @default true
    */
-  blockPrivateIPs: z10.boolean().default(true),
+  blockPrivateIPs: z9.boolean().default(true),
   /**
    * Explicit list of allowed domains.
    * If set, only these domains can host CIMD documents.
    */
-  allowedDomains: z10.array(z10.string()).optional(),
+  allowedDomains: z9.array(z9.string()).optional(),
   /**
    * Explicit list of blocked domains.
    * These domains cannot host CIMD documents.
    */
-  blockedDomains: z10.array(z10.string()).optional(),
+  blockedDomains: z9.array(z9.string()).optional(),
   /**
    * Warn when a client has only localhost redirect URIs.
    * @default true
    */
-  warnOnLocalhostRedirects: z10.boolean().default(true),
+  warnOnLocalhostRedirects: z9.boolean().default(true),
   /**
    * Allow HTTP (instead of HTTPS) for localhost CIMD URLs.
    *
@@ -5599,19 +5461,19 @@ var cimdSecurityConfigSchema = z10.object({
    *
    * @default false
    */
-  allowInsecureForTesting: z10.boolean().default(false)
+  allowInsecureForTesting: z9.boolean().default(false)
 });
-var cimdNetworkConfigSchema = z10.object({
+var cimdNetworkConfigSchema = z9.object({
   /**
    * Request timeout in milliseconds.
    * @default 5000 (5 seconds)
    */
-  timeoutMs: z10.number().min(100).default(5e3),
+  timeoutMs: z9.number().min(100).default(5e3),
   /**
    * Maximum response body size in bytes.
    * @default 65536 (64KB)
    */
-  maxResponseSizeBytes: z10.number().min(1024).default(65536),
+  maxResponseSizeBytes: z9.number().min(1024).default(65536),
   /**
    * Redirect handling policy for CIMD fetches.
    * - 'deny': reject redirects (default, safest)
@@ -5619,19 +5481,19 @@ var cimdNetworkConfigSchema = z10.object({
    * - 'allow': allow redirects to any origin
    * @default 'deny'
    */
-  redirectPolicy: z10.enum(["deny", "same-origin", "allow"]).default("deny"),
+  redirectPolicy: z9.enum(["deny", "same-origin", "allow"]).default("deny"),
   /**
    * Maximum number of redirects to follow when redirects are allowed.
    * @default 5
    */
-  maxRedirects: z10.number().int().min(0).default(5)
+  maxRedirects: z9.number().int().min(0).default(5)
 });
-var cimdConfigSchema = z10.object({
+var cimdConfigSchema = z9.object({
   /**
    * Enable CIMD support.
    * @default true
    */
-  enabled: z10.boolean().default(true),
+  enabled: z9.boolean().default(true),
   /**
    * Cache configuration.
    */
@@ -5994,7 +5856,7 @@ var CimdService = class {
     this.cacheConfig = cimdCacheConfigSchema.parse(this.config.cache ?? {});
     this.securityConfig = cimdSecurityConfigSchema.parse(this.config.security ?? {});
     this.networkConfig = cimdNetworkConfigSchema.parse(this.config.network ?? {});
-    this.cache = new CimdCache(this.cacheConfig);
+    this.cache = new InMemoryCimdCache(this.cacheConfig);
     this.logger.debug("CimdService initialized", {
       enabled: this.config.enabled,
       cacheDefaultTtlMs: this.cacheConfig.defaultTtlMs,
@@ -6262,8 +6124,8 @@ var CimdService = class {
     const result = clientMetadataDocumentSchema.safeParse(document);
     if (!result.success) {
       const errors = result.error.issues.map((issue) => {
-        const path3 = issue.path.length > 0 ? `${issue.path.join(".")}: ` : "";
-        return `${path3}${issue.message}`;
+        const path = issue.path.length > 0 ? `${issue.path.join(".")}: ` : "";
+        return `${path}${issue.message}`;
       });
       throw new CimdValidationError(clientId, errors);
     }
@@ -6285,55 +6147,84 @@ function normalizeRedirectUri(uri) {
 }
 
 // libs/auth/src/options/shared.schemas.ts
-var publicAccessConfigSchema = z11.object({
+var publicAccessConfigSchema = z10.object({
   /**
    * Allow all tools or explicit whitelist
    * @default 'all'
    */
-  tools: z11.union([z11.literal("all"), z11.array(z11.string())]).default("all"),
+  tools: z10.union([z10.literal("all"), z10.array(z10.string())]).default("all"),
   /**
    * Allow all prompts or explicit whitelist
    * @default 'all'
    */
-  prompts: z11.union([z11.literal("all"), z11.array(z11.string())]).default("all"),
+  prompts: z10.union([z10.literal("all"), z10.array(z10.string())]).default("all"),
   /**
    * Rate limit per IP per minute
    * @default 60
    */
-  rateLimit: z11.number().default(60)
+  rateLimit: z10.number().default(60)
 });
-var localSigningConfigSchema = z11.object({
+var localSigningConfigSchema = z10.object({
   /**
-   * Private key for signing orchestrated tokens
+   * Private key for signing tokens
    * @default auto-generated
    */
-  signKey: jwkSchema.or(z11.instanceof(Uint8Array)).optional(),
+  signKey: jwkSchema.or(z10.instanceof(Uint8Array)).optional(),
   /**
    * JWKS for token verification
    * @default auto-generated
    */
   jwks: jsonWebKeySetSchema.optional(),
   /**
-   * Issuer identifier for orchestrated tokens
+   * Issuer identifier for tokens
    * @default auto-derived from server URL
    */
-  issuer: z11.string().optional()
+  issuer: z10.string().optional()
 });
-var remoteProviderConfigSchema = z11.object({
+var providerConfigSchema = z10.object({
+  /** Provider display name */
+  name: z10.string().optional(),
+  /**
+   * Unique identifier for this provider
+   * @default derived from provider URL
+   */
+  id: z10.string().optional(),
+  /**
+   * Inline JWKS for offline token verification
+   * Falls back to fetching from provider's /.well-known/jwks.json
+   */
+  jwks: jsonWebKeySetSchema.optional(),
+  /** Custom JWKS URI if not at standard path */
+  jwksUri: z10.string().url().optional(),
+  /**
+   * Enable Dynamic Client Registration (DCR)
+   * @default false
+   */
+  dcrEnabled: z10.boolean().default(false),
+  /** Authorization endpoint override */
+  authEndpoint: z10.string().url().optional(),
+  /** Token endpoint override */
+  tokenEndpoint: z10.string().url().optional(),
+  /** Registration endpoint override (for DCR) */
+  registrationEndpoint: z10.string().url().optional(),
+  /** User info endpoint override */
+  userInfoEndpoint: z10.string().url().optional()
+});
+var remoteProviderConfigSchema = z10.object({
   /**
    * OAuth provider base URL
    * @example 'https://auth.example.com'
    */
-  provider: z11.string().url(),
+  provider: z10.string().url(),
   /**
    * Provider display name
    */
-  name: z11.string().optional(),
+  name: z10.string().optional(),
   /**
    * Unique identifier for this provider
    * @default derived from provider URL
    */
-  id: z11.string().optional(),
+  id: z10.string().optional(),
   /**
    * Inline JWKS for offline token verification
    * Falls back to fetching from provider's /.well-known/jwks.json
@@ -6342,121 +6233,133 @@ var remoteProviderConfigSchema = z11.object({
   /**
    * Custom JWKS URI if not at standard path
    */
-  jwksUri: z11.string().url().optional(),
+  jwksUri: z10.string().url().optional(),
   /**
-   * Client ID for this MCP server (for orchestrated mode)
+   * Client ID for this MCP server
    */
-  clientId: z11.string().optional(),
+  clientId: z10.string().optional(),
   /**
-   * Client secret (for confidential clients in orchestrated mode)
+   * Client secret (for confidential clients)
    */
-  clientSecret: z11.string().optional(),
+  clientSecret: z10.string().optional(),
   /**
    * Scopes to request from the upstream provider
    */
-  scopes: z11.array(z11.string()).optional(),
+  scopes: z10.array(z10.string()).optional(),
   /**
    * Enable Dynamic Client Registration (DCR)
    * @default false
    */
-  dcrEnabled: z11.boolean().default(false),
+  dcrEnabled: z10.boolean().default(false),
   /**
    * Authorization endpoint override
    */
-  authEndpoint: z11.string().url().optional(),
+  authEndpoint: z10.string().url().optional(),
   /**
    * Token endpoint override
    */
-  tokenEndpoint: z11.string().url().optional(),
+  tokenEndpoint: z10.string().url().optional(),
   /**
    * Registration endpoint override (for DCR)
    */
-  registrationEndpoint: z11.string().url().optional(),
+  registrationEndpoint: z10.string().url().optional(),
   /**
    * User info endpoint override
    */
-  userInfoEndpoint: z11.string().url().optional()
+  userInfoEndpoint: z10.string().url().optional()
 });
-var tokenStorageConfigSchema = z11.discriminatedUnion("type", [
-  z11.object({ type: z11.literal("memory") }),
-  z11.object({ type: z11.literal("redis"), config: redisConfigSchema })
-]);
-var tokenRefreshConfigSchema = z11.object({
+var flatRemoteProviderFields = {
+  /**
+   * OAuth provider base URL (required)
+   * @example 'https://auth.example.com'
+   */
+  provider: z10.string().url(),
+  /** Client ID for this MCP server */
+  clientId: z10.string().optional(),
+  /** Client secret (for confidential clients) */
+  clientSecret: z10.string().optional(),
+  /** Scopes to request from the upstream provider */
+  scopes: z10.array(z10.string()).optional(),
+  /** Advanced provider configuration */
+  providerConfig: providerConfigSchema.optional()
+};
+var tokenStorageConfigSchema = z10.union([z10.literal("memory"), z10.object({ redis: redisConfigSchema })]);
+var tokenRefreshConfigSchema = z10.object({
   /**
    * Enable automatic token refresh
    * @default true
    */
-  enabled: z11.boolean().default(true),
+  enabled: z10.boolean().default(true),
   /**
    * Refresh token before expiry by this many seconds
    * @default 60
    */
-  skewSeconds: z11.number().default(60)
+  skewSeconds: z10.number().default(60)
 });
-var skippedAppBehaviorSchema = z11.enum(["anonymous", "require-auth"]);
-var consentConfigSchema = z11.object({
+var skippedAppBehaviorSchema = z10.enum(["anonymous", "require-auth"]);
+var consentConfigSchema = z10.object({
   /**
    * Enable consent flow for tool selection
    * When enabled, users can choose which tools to expose to the LLM
    * @default false
    */
-  enabled: z11.boolean().default(false),
+  enabled: z10.boolean().default(false),
   /**
    * Group tools by app in the consent UI
    * @default true
    */
-  groupByApp: z11.boolean().default(true),
+  groupByApp: z10.boolean().default(true),
   /**
    * Show tool descriptions in consent UI
    * @default true
    */
-  showDescriptions: z11.boolean().default(true),
+  showDescriptions: z10.boolean().default(true),
   /**
    * Allow selecting all tools at once
    * @default true
    */
-  allowSelectAll: z11.boolean().default(true),
+  allowSelectAll: z10.boolean().default(true),
   /**
    * Require at least one tool to be selected
    * @default true
    */
-  requireSelection: z11.boolean().default(true),
+  requireSelection: z10.boolean().default(true),
   /**
    * Custom message to display on consent page
    */
-  customMessage: z11.string().optional(),
+  customMessage: z10.string().optional(),
   /**
    * Remember consent for future sessions
    * @default true
    */
-  rememberConsent: z11.boolean().default(true),
+  rememberConsent: z10.boolean().default(true),
   /**
    * Tools to exclude from consent (always available)
    * Useful for essential tools that should always be accessible
    */
-  excludedTools: z11.array(z11.string()).optional(),
+  excludedTools: z10.array(z10.string()).optional(),
   /**
    * Tools to always include in consent (pre-selected)
    */
-  defaultSelectedTools: z11.array(z11.string()).optional()
+  defaultSelectedTools: z10.array(z10.string()).optional()
 });
-var federatedAuthConfigSchema = z11.object({
+var federatedAuthConfigSchema = z10.object({
   /**
    * How strictly to validate the OAuth state parameter on provider callbacks.
    * - 'strict': require exact match to stored state (default, safest)
    * - 'format': validate only "federated:{sessionId}:{nonce}" format
    * @default 'strict'
    */
-  stateValidation: z11.enum(["strict", "format"]).default("strict")
+  stateValidation: z10.enum(["strict", "format"]).default("strict")
 });
-var incrementalAuthConfigSchema = z11.object({
+var incrementalAuthConfigSchema = z10.object({
   /**
    * Enable incremental (progressive) authorization
    * When enabled, users can skip app authorizations during initial auth
    * and authorize individual apps later when needed
    * @default true
    */
-  enabled: z11.boolean().default(true),
+  enabled: z10.boolean().default(true),
   /**
    * Behavior when a tool from a skipped app is called
    * - 'anonymous': If app supports anonymous access, use it; otherwise require auth
@@ -6468,33 +6371,33 @@ var incrementalAuthConfigSchema = z11.object({
    * Allow users to skip app authorization during initial auth flow
    * @default true
    */
-  allowSkip: z11.boolean().default(true),
+  allowSkip: z10.boolean().default(true),
   /**
    * Show all apps in a single authorization page (vs step-by-step)
    * @default true
    */
-  showAllAppsAtOnce: z11.boolean().default(true)
+  showAllAppsAtOnce: z10.boolean().default(true)
 });
 
 // libs/auth/src/options/public.schema.ts
-import { z as z12 } from "zod";
-var publicAuthOptionsSchema = z12.object({
-  mode: z12.literal("public"),
+import { z as z11 } from "zod";
+var publicAuthOptionsSchema = z11.object({
+  mode: z11.literal("public"),
   /**
    * Issuer identifier for anonymous JWTs
    * @default auto-derived from server URL
    */
-  issuer: z12.string().optional(),
+  issuer: z11.string().optional(),
   /**
    * Anonymous session TTL in seconds
    * @default 3600 (1 hour)
    */
-  sessionTtl: z12.number().default(3600),
+  sessionTtl: z11.number().default(3600),
   /**
    * Scopes granted to anonymous sessions
    * @default ['anonymous']
    */
-  anonymousScopes: z12.array(z12.string()).default(["anonymous"]),
+  anonymousScopes: z11.array(z11.string()).default(["anonymous"]),
   /**
    * Tool/prompt access configuration for anonymous users
    */
@@ -6508,38 +6411,38 @@ var publicAuthOptionsSchema = z12.object({
    * Private key for signing anonymous tokens
    * @default auto-generated
    */
-  signKey: jwkSchema.or(z12.instanceof(Uint8Array)).optional()
+  signKey: jwkSchema.or(z11.instanceof(Uint8Array)).optional()
 });
 
 // libs/auth/src/options/transparent.schema.ts
-import { z as z13 } from "zod";
-var transparentAuthOptionsSchema = z13.object({
-  mode: z13.literal("transparent"),
+import { z as z12 } from "zod";
+var transparentAuthOptionsSchema = z12.object({
+  mode: z12.literal("transparent"),
   /**
-   * Remote OAuth provider configuration (required)
+   * Flattened remote provider fields (provider, clientId, clientSecret, scopes, providerConfig)
    */
-  remote: remoteProviderConfigSchema,
+  ...flatRemoteProviderFields,
   /**
    * Expected token audience
    * If not set, defaults to the resource URL
    */
-  expectedAudience: z13.union([z13.string(), z13.array(z13.string())]).optional(),
+  expectedAudience: z12.union([z12.string(), z12.array(z12.string())]).optional(),
   /**
    * Required scopes for access
    * Empty array means any valid token is accepted
    * @default []
    */
-  requiredScopes: z13.array(z13.string()).default([]),
+  requiredScopes: z12.array(z12.string()).default([]),
   /**
    * Allow anonymous fallback when no token is provided
    * @default false
    */
-  allowAnonymous: z13.boolean().default(false),
+  allowAnonymous: z12.boolean().default(false),
   /**
    * Scopes granted to anonymous sessions (when allowAnonymous=true)
    * @default ['anonymous']
    */
-  anonymousScopes: z13.array(z13.string()).default(["anonymous"]),
+  anonymousScopes: z12.array(z12.string()).default(["anonymous"]),
   /**
    * Public access config for anonymous users (when allowAnonymous=true)
    */
@@ -6547,56 +6450,52 @@ var transparentAuthOptionsSchema = z13.object({
 });
 
 // libs/auth/src/options/orchestrated.schema.ts
-import { z as z14 } from "zod";
-var orchestratedSharedFields = {
+import { z as z13 } from "zod";
+var sharedAuthFields = {
   local: localSigningConfigSchema.optional(),
-  tokenStorage: tokenStorageConfigSchema.default({ type: "memory" }),
-  allowDefaultPublic: z14.boolean().default(false),
-  anonymousScopes: z14.array(z14.string()).default(["anonymous"]),
+  tokenStorage: tokenStorageConfigSchema.default("memory"),
+  allowDefaultPublic: z13.boolean().default(false),
+  anonymousScopes: z13.array(z13.string()).default(["anonymous"]),
   publicAccess: publicAccessConfigSchema.optional(),
   consent: consentConfigSchema.optional(),
   federatedAuth: federatedAuthConfigSchema.optional(),
   refresh: tokenRefreshConfigSchema.optional(),
-  expectedAudience: z14.union([z14.string(), z14.array(z14.string())]).optional(),
+  expectedAudience: z13.union([z13.string(), z13.array(z13.string())]).optional(),
   incrementalAuth: incrementalAuthConfigSchema.optional(),
   cimd: cimdConfigSchema.optional()
 };
-var orchestratedLocalSchema = z14.object({
-  mode: z14.literal("orchestrated"),
-  type: z14.literal("local"),
-  ...orchestratedSharedFields
+var localAuthSchema = z13.object({
+  mode: z13.literal("local"),
+  ...sharedAuthFields
 });
-var orchestratedRemoteSchema = z14.object({
-  mode: z14.literal("orchestrated"),
-  type: z14.literal("remote"),
-  remote: remoteProviderConfigSchema,
-  ...orchestratedSharedFields
+var remoteAuthSchema = z13.object({
+  mode: z13.literal("remote"),
+  ...flatRemoteProviderFields,
+  ...sharedAuthFields
 });
-var orchestratedAuthOptionsSchema = z14.discriminatedUnion("type", [
-  orchestratedLocalSchema,
-  orchestratedRemoteSchema
-]);
+var orchestratedLocalSchema = localAuthSchema;
+var orchestratedRemoteSchema = remoteAuthSchema;
 
 // libs/auth/src/options/schema.ts
-import { z as z15 } from "zod";
-var authOptionsSchema = z15.union([
+import { z as z14 } from "zod";
+var authOptionsSchema = z14.union([
   publicAuthOptionsSchema,
   transparentAuthOptionsSchema,
-  orchestratedLocalSchema,
-  orchestratedRemoteSchema
+  localAuthSchema,
+  remoteAuthSchema
 ]);
 
 // libs/auth/src/options/app-auth.schema.ts
-import { z as z16 } from "zod";
+import { z as z15 } from "zod";
 var standaloneOptionSchema = {
-  standalone: z16.boolean().optional(),
-  excludeFromParent: z16.boolean().optional()
+  standalone: z15.boolean().optional(),
+  excludeFromParent: z15.boolean().optional()
 };
-var appAuthOptionsSchema = z16.union([
+var appAuthOptionsSchema = z15.union([
   publicAuthOptionsSchema.extend(standaloneOptionSchema),
   transparentAuthOptionsSchema.extend(standaloneOptionSchema),
-  orchestratedLocalSchema.extend(standaloneOptionSchema),
-  orchestratedRemoteSchema.extend(standaloneOptionSchema)
+  localAuthSchema.extend(standaloneOptionSchema),
+  remoteAuthSchema.extend(standaloneOptionSchema)
 ]);
 
 // libs/auth/src/options/utils.ts
@@ -6609,136 +6508,142 @@ function isPublicMode(options) {
 function isTransparentMode(options) {
   return options.mode === "transparent";
 }
+function isLocalMode(options) {
+  return options.mode === "local";
+}
+function isRemoteMode(options) {
+  return options.mode === "remote";
+}
 function isOrchestratedMode(options) {
-  return options.mode === "orchestrated";
+  return options.mode === "local" || options.mode === "remote";
 }
 function isOrchestratedLocal(options) {
-  return options.type === "local";
+  return options.mode === "local";
 }
 function isOrchestratedRemote(options) {
-  return options.type === "remote";
+  return options.mode === "remote";
 }
 function allowsPublicAccess(options) {
   if (options.mode === "public") return true;
   if (options.mode === "transparent") return options.allowAnonymous;
-  if (options.mode === "orchestrated") return options.allowDefaultPublic;
+  if (options.mode === "local" || options.mode === "remote") return options.allowDefaultPublic;
   return false;
 }
 
 // libs/auth/src/consent/consent.types.ts
-import { z as z17 } from "zod";
-var consentToolItemSchema = z17.object({
+import { z as z16 } from "zod";
+var consentToolItemSchema = z16.object({
   /** Tool ID (e.g., 'slack:send_message') */
-  id: z17.string().min(1),
+  id: z16.string().min(1),
   /** Tool name for display */
-  name: z17.string().min(1),
+  name: z16.string().min(1),
   /** Tool description */
-  description: z17.string().optional(),
+  description: z16.string().optional(),
   /** App ID this tool belongs to */
-  appId: z17.string().min(1),
+  appId: z16.string().min(1),
   /** App name for display */
-  appName: z17.string().min(1),
+  appName: z16.string().min(1),
   /** Whether the tool is selected by default */
-  defaultSelected: z17.boolean().default(true),
+  defaultSelected: z16.boolean().default(true),
   /** Whether this tool requires specific scopes */
-  requiredScopes: z17.array(z17.string()).optional(),
+  requiredScopes: z16.array(z16.string()).optional(),
   /** Category for grouping (e.g., 'read', 'write', 'admin') */
-  category: z17.string().optional()
+  category: z16.string().optional()
 });
-var consentSelectionSchema = z17.object({
+var consentSelectionSchema = z16.object({
   /** Selected tool IDs */
-  selectedTools: z17.array(z17.string()),
+  selectedTools: z16.array(z16.string()),
   /** Whether all tools were selected */
-  allSelected: z17.boolean(),
+  allSelected: z16.boolean(),
   /** Timestamp when consent was given */
-  consentedAt: z17.string().datetime(),
+  consentedAt: z16.string().datetime(),
   /** Consent version for tracking changes */
-  consentVersion: z17.string().default("1.0")
+  consentVersion: z16.string().default("1.0")
 });
-var consentStateSchema = z17.object({
+var consentStateSchema = z16.object({
   /** Whether consent flow is enabled */
-  enabled: z17.boolean(),
+  enabled: z16.boolean(),
   /** Available tools for consent */
-  availableTools: z17.array(consentToolItemSchema),
+  availableTools: z16.array(consentToolItemSchema),
   /** Pre-selected tools (from previous consent or defaults) */
-  preselectedTools: z17.array(z17.string()).optional(),
+  preselectedTools: z16.array(z16.string()).optional(),
   /** Whether to show all tools or group by app */
-  groupByApp: z17.boolean().default(true),
+  groupByApp: z16.boolean().default(true),
   /** Custom consent message */
-  customMessage: z17.string().optional()
+  customMessage: z16.string().optional()
 });
-var federatedProviderItemSchema = z17.object({
+var federatedProviderItemSchema = z16.object({
   /** Provider ID (derived or explicit) */
-  id: z17.string().min(1),
+  id: z16.string().min(1),
   /** Provider display name */
-  name: z17.string().min(1),
+  name: z16.string().min(1),
   /** Provider description */
-  description: z17.string().optional(),
+  description: z16.string().optional(),
   /** Provider icon URL or emoji */
-  icon: z17.string().optional(),
+  icon: z16.string().optional(),
   /** Provider type */
-  type: z17.enum(["local", "remote", "transparent"]),
+  type: z16.enum(["local", "remote", "transparent"]),
   /** OAuth provider URL (for remote providers) */
-  providerUrl: z17.string().url().optional(),
+  providerUrl: z16.string().url().optional(),
   /** Apps using this provider */
-  appIds: z17.array(z17.string()),
+  appIds: z16.array(z16.string()),
   /** App names using this provider */
-  appNames: z17.array(z17.string()),
+  appNames: z16.array(z16.string()),
   /** Scopes required by this provider */
-  scopes: z17.array(z17.string()),
+  scopes: z16.array(z16.string()),
   /** Whether this is the primary/parent provider */
-  isPrimary: z17.boolean(),
+  isPrimary: z16.boolean(),
   /** Whether this provider is optional (can be skipped) */
-  isOptional: z17.boolean().default(false)
+  isOptional: z16.boolean().default(false)
 });
-var federatedLoginStateSchema = z17.object({
+var federatedLoginStateSchema = z16.object({
   /** All available providers */
-  providers: z17.array(federatedProviderItemSchema),
+  providers: z16.array(federatedProviderItemSchema),
   /** Primary provider ID (if any) */
-  primaryProviderId: z17.string().optional(),
+  primaryProviderId: z16.string().optional(),
   /** Whether user can skip optional providers */
-  allowSkip: z17.boolean().default(true),
+  allowSkip: z16.boolean().default(true),
   /** Pre-selected provider IDs (from previous session) */
-  preselectedProviders: z17.array(z17.string()).optional()
+  preselectedProviders: z16.array(z16.string()).optional()
 });
-var federatedSelectionSchema = z17.object({
+var federatedSelectionSchema = z16.object({
   /** Selected provider IDs */
-  selectedProviders: z17.array(z17.string()),
+  selectedProviders: z16.array(z16.string()),
   /** Skipped provider IDs */
-  skippedProviders: z17.array(z17.string()),
+  skippedProviders: z16.array(z16.string()),
   /** Provider-specific metadata */
-  providerMetadata: z17.record(z17.string(), z17.unknown()).optional()
+  providerMetadata: z16.record(z16.string(), z16.unknown()).optional()
 });
 
 // libs/auth/src/detection/auth-provider-detection.ts
-import { z as z18 } from "zod";
-var detectedAuthProviderSchema = z18.object({
-  id: z18.string(),
-  providerUrl: z18.string().optional(),
-  mode: z18.enum(["public", "transparent", "orchestrated"]),
-  appIds: z18.array(z18.string()),
-  scopes: z18.array(z18.string()),
-  isParentProvider: z18.boolean()
+import { z as z17 } from "zod";
+var detectedAuthProviderSchema = z17.object({
+  id: z17.string(),
+  providerUrl: z17.string().optional(),
+  mode: z17.enum(["public", "transparent", "local", "remote"]),
+  appIds: z17.array(z17.string()),
+  scopes: z17.array(z17.string()),
+  isParentProvider: z17.boolean()
 });
-var authProviderDetectionResultSchema = z18.object({
-  providers: z18.map(z18.string(), detectedAuthProviderSchema),
-  requiresOrchestration: z18.boolean(),
-  parentProviderId: z18.string().optional(),
-  childProviderIds: z18.array(z18.string()),
-  uniqueProviderCount: z18.number(),
-  validationErrors: z18.array(z18.string()),
-  warnings: z18.array(z18.string())
+var authProviderDetectionResultSchema = z17.object({
+  providers: z17.map(z17.string(), detectedAuthProviderSchema),
+  requiresOrchestration: z17.boolean(),
+  parentProviderId: z17.string().optional(),
+  childProviderIds: z17.array(z17.string()),
+  uniqueProviderCount: z17.number(),
+  validationErrors: z17.array(z17.string()),
+  warnings: z17.array(z17.string())
 });
 function deriveProviderId(options) {
   if (isPublicMode(options)) {
     return options.issuer ?? "public";
   }
   if (isTransparentMode(options)) {
-    return options.remote.id ?? urlToProviderId(options.remote.provider);
+    return options.providerConfig?.id ?? urlToProviderId(options.provider);
   }
   if (isOrchestratedMode(options)) {
     if (isOrchestratedRemote(options)) {
-      return options.remote.id ?? urlToProviderId(options.remote.provider);
+      return options.providerConfig?.id ?? urlToProviderId(options.provider);
     }
     return options.local?.issuer ?? "local";
   }
@@ -6758,7 +6663,7 @@ function extractScopes(options) {
   }
   if (isOrchestratedMode(options)) {
     if (isOrchestratedRemote(options)) {
-      return options.remote.scopes || [];
+      return options.scopes || [];
     }
   }
   return [];
@@ -6807,12 +6712,12 @@ function detectAuthProviders(parentAuth, apps) {
   const requiresOrchestration = hasMultipleProviders || hasChildOnlyProviders || childProviderIds.length > 0 && parentProviderId !== void 0;
   if (requiresOrchestration && parentAuth && isTransparentMode(parentAuth)) {
     validationErrors.push(
-      `Invalid auth configuration: Parent uses transparent mode but apps have their own auth providers. Transparent mode passes tokens through without modification, which is incompatible with multi-provider setups. Change parent auth to orchestrated mode to properly manage tokens for each provider. Detected providers: ${[...providers.keys()].join(", ")}`
+      `Invalid auth configuration: Parent uses transparent mode but apps have their own auth providers. Transparent mode passes tokens through without modification, which is incompatible with multi-provider setups. Change parent auth to local or remote mode to properly manage tokens for each provider. Detected providers: ${[...providers.keys()].join(", ")}`
     );
   }
   if (uniqueProviderCount > 1 && parentAuth && isPublicMode(parentAuth)) {
     warnings.push(
-      `Parent uses public mode but apps have auth providers configured. App-level auth will be used, but consider using orchestrated mode at parent for unified auth management.`
+      `Parent uses public mode but apps have auth providers configured. App-level auth will be used, but consider using local or remote mode at parent for unified auth management.`
     );
   }
   return {
@@ -6827,10 +6732,10 @@ function detectAuthProviders(parentAuth, apps) {
 }
 function getProviderUrl(options) {
   if (isTransparentMode(options)) {
-    return options.remote.provider;
+    return options.provider;
   }
   if (isOrchestratedMode(options) && isOrchestratedRemote(options)) {
-    return options.remote.provider;
+    return options.provider;
   }
   return void 0;
 }
@@ -7000,9 +6905,9 @@ function escapeQuotedString(value) {
 function unescapeQuotedString(value) {
   return value.replace(/\\(.)/g, "$1");
 }
-function normalizePathSegment(path3) {
-  if (!path3 || path3 === "/") return "";
-  const normalized = path3.startsWith("/") ? path3 : `/${path3}`;
+function normalizePathSegment(path) {
+  if (!path || path === "/") return "";
+  const normalized = path.startsWith("/") ? path : `/${path}`;
   let end = normalized.length;
   while (end > 0 && normalized[end - 1] === "/") {
     end--;
@@ -7117,43 +7022,43 @@ var AudienceValidator = class _AudienceValidator {
 };
 
 // libs/auth/src/vault/auth-providers.types.ts
-import { z as z19 } from "zod";
-var credentialScopeSchema = z19.enum(["global", "user", "session"]);
-var loadingStrategySchema = z19.enum(["eager", "lazy"]);
-var getCredentialOptionsSchema = z19.object({
-  forceRefresh: z19.boolean().optional(),
-  scopes: z19.array(z19.string()).optional(),
-  timeout: z19.number().positive().optional()
+import { z as z18 } from "zod";
+var credentialScopeSchema = z18.enum(["global", "user", "session"]);
+var loadingStrategySchema = z18.enum(["eager", "lazy"]);
+var getCredentialOptionsSchema = z18.object({
+  forceRefresh: z18.boolean().optional(),
+  scopes: z18.array(z18.string()).optional(),
+  timeout: z18.number().positive().optional()
 }).strict();
-var credentialProviderConfigSchema = z19.object({
-  name: z19.string().min(1),
-  description: z19.string().optional(),
+var credentialProviderConfigSchema = z18.object({
+  name: z18.string().min(1),
+  description: z18.string().optional(),
   scope: credentialScopeSchema,
   loading: loadingStrategySchema,
-  cacheTtl: z19.number().nonnegative().optional(),
+  cacheTtl: z18.number().nonnegative().optional(),
   // Functions validated at runtime, not via Zod (Zod 4 compatibility)
-  factory: z19.any(),
-  refresh: z19.any().optional(),
-  toHeaders: z19.any().optional(),
-  metadata: z19.record(z19.string(), z19.unknown()).optional(),
-  required: z19.boolean().optional()
+  factory: z18.any(),
+  refresh: z18.any().optional(),
+  toHeaders: z18.any().optional(),
+  metadata: z18.record(z18.string(), z18.unknown()).optional(),
+  required: z18.boolean().optional()
 }).strict();
-var authProviderMappingSchema = z19.union([
-  z19.string(),
-  z19.object({
-    name: z19.string().min(1),
-    required: z19.boolean().optional().default(true),
-    scopes: z19.array(z19.string()).optional(),
-    alias: z19.string().optional()
+var authProviderMappingSchema = z18.union([
+  z18.string(),
+  z18.object({
+    name: z18.string().min(1),
+    required: z18.boolean().optional().default(true),
+    scopes: z18.array(z18.string()).optional(),
+    alias: z18.string().optional()
   }).strict()
 ]);
-var authProvidersVaultOptionsSchema = z19.object({
-  enabled: z19.boolean().optional(),
-  useSharedStorage: z19.boolean().optional().default(true),
-  namespace: z19.string().optional().default("authproviders:"),
-  defaultCacheTtl: z19.number().nonnegative().optional().default(36e5),
-  maxCredentialsPerSession: z19.number().positive().optional().default(100),
-  providers: z19.array(credentialProviderConfigSchema).optional()
+var authProvidersVaultOptionsSchema = z18.object({
+  enabled: z18.boolean().optional(),
+  useSharedStorage: z18.boolean().optional().default(true),
+  namespace: z18.string().optional().default("authproviders:"),
+  defaultCacheTtl: z18.number().nonnegative().optional().default(36e5),
+  maxCredentialsPerSession: z18.number().positive().optional().default(100),
+  providers: z18.array(credentialProviderConfigSchema).optional()
 }).strict();
 
 // libs/auth/src/vault/credential-helpers.ts
@@ -8132,7 +8037,6 @@ export {
   AuthProvidersVault,
   AuthorizationBase,
   CDN,
-  CimdCache,
   CimdClientIdMismatchError,
   CimdDisabledError,
   CimdError,
@@ -8154,6 +8058,7 @@ export {
   EncryptionKeyNotConfiguredError,
   InMemoryAuthorizationStore,
   InMemoryAuthorizationVault,
+  InMemoryCimdCache,
   InMemoryFederatedAuthSessionStore,
   InMemoryOrchestratedTokenStore,
   InMemoryStoreRequiredError,
@@ -8249,7 +8154,6 @@ export {
   decryptSessionJson,
   decryptValue2 as decryptValue,
   defaultSessionRateLimiter,
-  deleteDevKey,
   deriveAuthorizationId,
   deriveExpectedAudience,
   deriveProviderId,
@@ -8271,6 +8175,7 @@ export {
   federatedLoginStateSchema,
   federatedProviderItemSchema,
   federatedSelectionSchema,
+  flatRemoteProviderFields,
   fromSessionRecord,
   generatePkceChallenge,
   getCredentialOptionsSchema,
@@ -8284,12 +8189,13 @@ export {
   hkdfSha2563 as hkdfSha256,
   incrementalAuthConfigSchema,
   isCimdClientId,
-  isDevKeyPersistenceEnabled,
   isJwt,
+  isLocalMode,
   isOrchestratedLocal,
   isOrchestratedMode,
   isOrchestratedRemote,
   isPublicMode,
+  isRemoteMode,
   isSessionComplete,
   isSignedData as isSignedSession,
   isSoonExpiring,
@@ -8300,14 +8206,13 @@ export {
   jwkSchema,
   legacySseTransportStateSchema,
   llmSafeAuthContextSchema,
-  loadDevKey,
   loadingStrategySchema,
+  localAuthSchema,
   localSigningConfigSchema,
   mtlsCredentialSchema,
   noopLogger,
   normalizeIssuer,
   oauthCredentialSchema,
-  orchestratedAuthOptionsSchema,
   orchestratedLocalSchema,
   orchestratedRemoteSchema,
   parseAuthOptions,
@@ -8318,16 +8223,16 @@ export {
   pkceOAuthCredentialSchema,
   privateKeyCredentialSchema,
   progressiveAuthStateSchema,
+  providerConfigSchema,
   publicAccessConfigSchema,
   publicAuthOptionsSchema,
   redisConfigSchema,
   redisVaultEntrySchema,
+  remoteAuthSchema,
   remoteProviderConfigSchema,
   renderToHtml,
   resetCachedKey,
-  resolveKeyPath,
   safeDecrypt,
-  saveDevKey,
   serviceAccountCredentialSchema,
   sessionIdPayloadSchema,
   sessionJwtPayloadSchema,