@frontmcp/auth 0.12.2 → 1.0.0-beta.2

package/index.js

@@ -1,9 +1,7 @@
 "use strict";
-var __create = Object.create;
 var __defProp = Object.defineProperty;
 var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
-var __getProtoOf = Object.getPrototypeOf;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
 var __esm = (fn, res) => function __init() {
   return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
@@ -20,14 +18,6 @@ var __copyProps = (to, from, except, desc) => {
   }
   return to;
 };
-var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
-  // If the importer is in node compatibility mode or this is not an ESM
-  // file that has been converted to a CommonJS file using a Babel-
-  // compatible transform (i.e. "__esModule" has not been set), then set
-  // "default" to the CommonJS "module.exports" for node compatibility.
-  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
-  mod
-));
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 
 // libs/auth/src/cimd/cimd.cache.ts
@@ -95,7 +85,7 @@ function parseCacheControlHeader(value) {
   }
   return result;
 }
-var InMemoryCimdCache, CimdCache;
+var InMemoryCimdCache;
 var init_cimd_cache = __esm({
   "libs/auth/src/cimd/cimd.cache.ts"() {
     "use strict";
@@ -230,7 +220,6 @@ var init_cimd_cache = __esm({
         return removed;
       }
     };
-    CimdCache = InMemoryCimdCache;
   }
 });
 
@@ -250,7 +239,6 @@ __export(index_exports, {
   AuthProvidersVault: () => AuthProvidersVault,
   AuthorizationBase: () => AuthorizationBase,
   CDN: () => CDN,
-  CimdCache: () => CimdCache,
   CimdClientIdMismatchError: () => CimdClientIdMismatchError,
   CimdDisabledError: () => CimdDisabledError,
   CimdError: () => CimdError,
@@ -266,12 +254,13 @@ __export(index_exports, {
   EagerCredentialLoader: () => EagerCredentialLoader,
   ElicitationSecretRequiredError: () => ElicitationSecretRequiredError,
   EncryptedRedisVault: () => EncryptedRedisVault,
-  EncryptedStorageError: () => import_utils18.EncryptedStorageError,
-  EncryptedTypedStorage: () => import_utils18.EncryptedTypedStorage,
+  EncryptedStorageError: () => import_utils17.EncryptedStorageError,
+  EncryptedTypedStorage: () => import_utils17.EncryptedTypedStorage,
   EncryptionContextNotSetError: () => EncryptionContextNotSetError,
   EncryptionKeyNotConfiguredError: () => EncryptionKeyNotConfiguredError,
   InMemoryAuthorizationStore: () => InMemoryAuthorizationStore,
   InMemoryAuthorizationVault: () => InMemoryAuthorizationVault,
+  InMemoryCimdCache: () => InMemoryCimdCache,
   InMemoryFederatedAuthSessionStore: () => InMemoryFederatedAuthSessionStore,
   InMemoryOrchestratedTokenStore: () => InMemoryOrchestratedTokenStore,
   InMemoryStoreRequiredError: () => InMemoryStoreRequiredError,
@@ -302,7 +291,7 @@ __export(index_exports, {
   TokenVault: () => TokenVault,
   TransparentAuthorization: () => TransparentAuthorization,
   TransportIdGenerator: () => TransportIdGenerator,
-  TypedStorage: () => import_utils17.TypedStorage,
+  TypedStorage: () => import_utils16.TypedStorage,
   VaultEncryption: () => VaultEncryption,
   VaultLoadError: () => VaultLoadError,
   VaultNotFoundError: () => VaultNotFoundError,
@@ -367,7 +356,6 @@ __export(index_exports, {
   decryptSessionJson: () => decryptSessionJson,
   decryptValue: () => import_utils25.decryptValue,
   defaultSessionRateLimiter: () => defaultSessionRateLimiter,
-  deleteDevKey: () => deleteDevKey,
   deriveAuthorizationId: () => deriveAuthorizationId,
   deriveExpectedAudience: () => deriveExpectedAudience,
   deriveProviderId: () => deriveProviderId,
@@ -380,7 +368,7 @@ __export(index_exports, {
   encryptedBlobSchema: () => encryptedBlobSchema,
   encryptedDataSchema: () => encryptedDataSchema,
   encryptedVaultEntrySchema: () => encryptedVaultEntrySchema,
-  escapeHtml: () => import_utils4.escapeHtml,
+  escapeHtml: () => import_utils3.escapeHtml,
   extraWideLayout: () => extraWideLayout,
   extractBearerToken: () => extractBearerToken,
   extractCacheHeaders: () => extractCacheHeaders,
@@ -389,6 +377,7 @@ __export(index_exports, {
   federatedLoginStateSchema: () => federatedLoginStateSchema,
   federatedProviderItemSchema: () => federatedProviderItemSchema,
   federatedSelectionSchema: () => federatedSelectionSchema,
+  flatRemoteProviderFields: () => flatRemoteProviderFields,
   fromSessionRecord: () => fromSessionRecord,
   generatePkceChallenge: () => generatePkceChallenge,
   getCredentialOptionsSchema: () => getCredentialOptionsSchema,
@@ -402,14 +391,15 @@ __export(index_exports, {
   hkdfSha256: () => import_utils25.hkdfSha256,
   incrementalAuthConfigSchema: () => incrementalAuthConfigSchema,
   isCimdClientId: () => isCimdClientId,
-  isDevKeyPersistenceEnabled: () => isDevKeyPersistenceEnabled,
   isJwt: () => isJwt,
+  isLocalMode: () => isLocalMode,
   isOrchestratedLocal: () => isOrchestratedLocal,
   isOrchestratedMode: () => isOrchestratedMode,
   isOrchestratedRemote: () => isOrchestratedRemote,
   isPublicMode: () => isPublicMode,
+  isRemoteMode: () => isRemoteMode,
   isSessionComplete: () => isSessionComplete,
-  isSignedSession: () => import_utils9.isSignedData,
+  isSignedSession: () => import_utils8.isSignedData,
   isSoonExpiring: () => isSoonExpiring,
   isSoonExpiringProvider: () => isSoonExpiringProvider,
   isTransparentMode: () => isTransparentMode,
@@ -418,14 +408,13 @@ __export(index_exports, {
   jwkSchema: () => jwkSchema,
   legacySseTransportStateSchema: () => legacySseTransportStateSchema,
   llmSafeAuthContextSchema: () => llmSafeAuthContextSchema,
-  loadDevKey: () => loadDevKey,
   loadingStrategySchema: () => loadingStrategySchema,
+  localAuthSchema: () => localAuthSchema,
   localSigningConfigSchema: () => localSigningConfigSchema,
   mtlsCredentialSchema: () => mtlsCredentialSchema,
   noopLogger: () => noopLogger,
   normalizeIssuer: () => normalizeIssuer,
   oauthCredentialSchema: () => oauthCredentialSchema,
-  orchestratedAuthOptionsSchema: () => orchestratedAuthOptionsSchema,
   orchestratedLocalSchema: () => orchestratedLocalSchema,
   orchestratedRemoteSchema: () => orchestratedRemoteSchema,
   parseAuthOptions: () => parseAuthOptions,
@@ -436,16 +425,16 @@ __export(index_exports, {
   pkceOAuthCredentialSchema: () => pkceOAuthCredentialSchema,
   privateKeyCredentialSchema: () => privateKeyCredentialSchema,
   progressiveAuthStateSchema: () => progressiveAuthStateSchema,
+  providerConfigSchema: () => providerConfigSchema,
   publicAccessConfigSchema: () => publicAccessConfigSchema,
   publicAuthOptionsSchema: () => publicAuthOptionsSchema,
   redisConfigSchema: () => redisConfigSchema,
   redisVaultEntrySchema: () => redisVaultEntrySchema,
+  remoteAuthSchema: () => remoteAuthSchema,
   remoteProviderConfigSchema: () => remoteProviderConfigSchema,
   renderToHtml: () => renderToHtml,
   resetCachedKey: () => resetCachedKey,
-  resolveKeyPath: () => resolveKeyPath,
   safeDecrypt: () => safeDecrypt,
-  saveDevKey: () => saveDevKey,
   serviceAccountCredentialSchema: () => serviceAccountCredentialSchema,
   sessionIdPayloadSchema: () => sessionIdPayloadSchema,
   sessionJwtPayloadSchema: () => sessionJwtPayloadSchema,
@@ -554,29 +543,19 @@ var JwksService = class {
       rotateDays: opts?.rotateDays ?? 30,
       providerJwksTtlMs: opts?.providerJwksTtlMs ?? 6 * 60 * 60 * 1e3,
       // 6h
-      networkTimeoutMs: opts?.networkTimeoutMs ?? 5e3,
+      networkTimeoutMs: opts?.networkTimeoutMs ?? 5e3
       // 5s
-      devKeyPersistence: opts?.devKeyPersistence
     };
   }
   // ===========================================================================
   // Key Persistence Helpers
   // ===========================================================================
-  /**
-   * Check if key persistence should be enabled.
-   * Enabled in development by default, disabled in production unless forceEnable.
-   */
-  shouldEnablePersistence() {
-    const isProd = process.env["NODE_ENV"] === "production";
-    if (this.opts.devKeyPersistence?.forceEnable) return true;
-    return !isProd;
-  }
   /**
    * Get or create the KeyPersistence instance.
-   * Returns null if persistence is disabled.
+   * Returns null if persistence is disabled (production).
    */
   async getKeyPersistence() {
-    if (!this.shouldEnablePersistence()) return null;
+    if ((0, import_utils.isProduction)()) return null;
     if (!this.keyPersistence) {
       this.keyPersistence = await (0, import_utils.createKeyPersistence)({
         baseDir: ".frontmcp/keys"
@@ -694,7 +673,12 @@ var JwksService = class {
       if (!jwtAlg) {
         return { ok: false, error: "missing_alg" };
       }
-      const isValid = (0, import_utils.rsaVerify)(jwtAlg, Buffer.from(signatureInput), matchingKey, signature);
+      const isValid = await (0, import_utils.rsaVerify)(
+        jwtAlg,
+        Buffer.from(signatureInput),
+        matchingKey,
+        signature
+      );
       if (!isValid) {
         return { ok: false, error: "signature_invalid" };
       }
@@ -915,150 +899,9 @@ var JwksService = class {
   }
 };
 
-// libs/auth/src/jwks/dev-key-persistence.ts
-var path = __toESM(require("path"));
-var crypto = __toESM(require("crypto"));
-var import_zod = require("zod");
-var import_utils2 = require("@frontmcp/utils");
-var DEFAULT_KEY_PATH = ".frontmcp/dev-keys.json";
-var rsaPrivateKeySchema = import_zod.z.object({
-  kty: import_zod.z.literal("RSA"),
-  n: import_zod.z.string().min(1),
-  e: import_zod.z.string().min(1),
-  d: import_zod.z.string().min(1),
-  p: import_zod.z.string().optional(),
-  q: import_zod.z.string().optional(),
-  dp: import_zod.z.string().optional(),
-  dq: import_zod.z.string().optional(),
-  qi: import_zod.z.string().optional()
-}).passthrough();
-var ecPrivateKeySchema = import_zod.z.object({
-  kty: import_zod.z.literal("EC"),
-  crv: import_zod.z.string().min(1),
-  x: import_zod.z.string().min(1),
-  y: import_zod.z.string().min(1),
-  d: import_zod.z.string().min(1)
-}).passthrough();
-var publicJwkSchema = import_zod.z.object({
-  kty: import_zod.z.enum(["RSA", "EC"]),
-  kid: import_zod.z.string().min(1),
-  alg: import_zod.z.enum(["RS256", "ES256"]),
-  use: import_zod.z.literal("sig")
-}).passthrough();
-var jwksSchema = import_zod.z.object({
-  keys: import_zod.z.array(publicJwkSchema).min(1)
-});
-var devKeyDataSchema = import_zod.z.object({
-  kid: import_zod.z.string().min(1),
-  privateKey: import_zod.z.union([rsaPrivateKeySchema, ecPrivateKeySchema]),
-  publicJwk: jwksSchema,
-  createdAt: import_zod.z.number().positive().int(),
-  alg: import_zod.z.enum(["RS256", "ES256"])
-});
-function validateJwkStructure(data) {
-  const result = devKeyDataSchema.safeParse(data);
-  if (!result.success) {
-    return { valid: false, error: result.error.issues[0]?.message ?? "Invalid JWK structure" };
-  }
-  const parsed = result.data;
-  if (parsed.alg === "RS256" && parsed.privateKey.kty !== "RSA") {
-    return { valid: false, error: "Algorithm RS256 requires RSA key type" };
-  }
-  if (parsed.alg === "ES256" && parsed.privateKey.kty !== "EC") {
-    return { valid: false, error: "Algorithm ES256 requires EC key type" };
-  }
-  const publicKey = parsed.publicJwk.keys[0];
-  if (publicKey.kty !== parsed.privateKey.kty) {
-    return { valid: false, error: "Public and private key types do not match" };
-  }
-  if (publicKey.kid !== parsed.kid) {
-    return { valid: false, error: "kid mismatch between top-level and publicJwk" };
-  }
-  const now = Date.now();
-  const hundredYearsMs = 100 * 365 * 24 * 60 * 60 * 1e3;
-  if (parsed.createdAt > now) {
-    return { valid: false, error: "createdAt is in the future" };
-  }
-  if (parsed.createdAt < now - hundredYearsMs) {
-    return { valid: false, error: "createdAt is too old" };
-  }
-  return { valid: true };
-}
-function isDevKeyPersistenceEnabled(options) {
-  const isProduction = process.env["NODE_ENV"] === "production";
-  if (isProduction) {
-    return options?.forceEnable === true;
-  }
-  return true;
-}
-function resolveKeyPath(options) {
-  const keyPath = options?.keyPath ?? DEFAULT_KEY_PATH;
-  if (path.isAbsolute(keyPath)) {
-    return keyPath;
-  }
-  return path.resolve(process.cwd(), keyPath);
-}
-async function loadDevKey(options) {
-  if (!isDevKeyPersistenceEnabled(options)) {
-    return null;
-  }
-  const keyPath = resolveKeyPath(options);
-  try {
-    const content = await (0, import_utils2.readFile)(keyPath, "utf8");
-    const data = JSON.parse(content);
-    const validation = validateJwkStructure(data);
-    if (!validation.valid) {
-      console.warn(`[DevKeyPersistence] Invalid key file format at ${keyPath}: ${validation.error}, will regenerate`);
-      return null;
-    }
-    console.log(`[DevKeyPersistence] Loaded key (kid=${data.kid}) from ${keyPath}`);
-    return data;
-  } catch (error) {
-    if (error.code === "ENOENT") {
-      return null;
-    }
-    console.warn(`[DevKeyPersistence] Failed to load key from ${keyPath}: ${error.message}`);
-    return null;
-  }
-}
-async function saveDevKey(keyData, options) {
-  if (!isDevKeyPersistenceEnabled(options)) {
-    return true;
-  }
-  const keyPath = resolveKeyPath(options);
-  const dir = path.dirname(keyPath);
-  const tempPath = `${keyPath}.tmp.${Date.now()}.${crypto.randomBytes(8).toString("hex")}`;
-  try {
-    await (0, import_utils2.mkdir)(dir, { recursive: true, mode: 448 });
-    const content = JSON.stringify(keyData, null, 2);
-    await (0, import_utils2.writeFile)(tempPath, content, { mode: 384 });
-    await (0, import_utils2.rename)(tempPath, keyPath);
-    console.log(`[DevKeyPersistence] Saved key (kid=${keyData.kid}) to ${keyPath}`);
-    return true;
-  } catch (error) {
-    console.error(`[DevKeyPersistence] Failed to save key to ${keyPath}: ${error.message}`);
-    try {
-      await (0, import_utils2.unlink)(tempPath);
-    } catch {
-    }
-    return false;
-  }
-}
-async function deleteDevKey(options) {
-  const keyPath = resolveKeyPath(options);
-  try {
-    await (0, import_utils2.unlink)(keyPath);
-    console.log(`[DevKeyPersistence] Deleted key at ${keyPath}`);
-  } catch (error) {
-    if (error.code !== "ENOENT") {
-      console.warn(`[DevKeyPersistence] Failed to delete key at ${keyPath}: ${error.message}`);
-    }
-  }
-}
-
 // libs/auth/src/ui/base-layout.ts
+var import_utils2 = require("@frontmcp/utils");
 var import_utils3 = require("@frontmcp/utils");
-var import_utils4 = require("@frontmcp/utils");
 var CDN = {
   /** Tailwind CSS v4 Browser CDN - generates styles on-the-fly with @theme support */
   tailwind: "https://cdn.jsdelivr.net/npm/@tailwindcss/browser@4",
@@ -1137,13 +980,13 @@ function baseLayout(content, options) {
     }
     ${customCss}
   </style>` : "";
-  const metaDescription = description ? `<meta name="description" content="${(0, import_utils3.escapeHtml)(description)}">` : "";
+  const metaDescription = description ? `<meta name="description" content="${(0, import_utils2.escapeHtml)(description)}">` : "";
   return `<!DOCTYPE html>
 <html lang="en">
 <head>
   <meta charset="UTF-8">
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
-  <title>${(0, import_utils3.escapeHtml)(title)} - FrontMCP</title>
+  <title>${(0, import_utils2.escapeHtml)(title)} - FrontMCP</title>
   ${metaDescription}
 
   <!-- Google Fonts CDN - Inter (modern UI font) -->
@@ -1154,7 +997,7 @@ function baseLayout(content, options) {
   ${tailwindBlock}
   ${headExtra}
 </head>
-<body class="${(0, import_utils3.escapeHtml)(bodyClass)}">
+<body class="${(0, import_utils2.escapeHtml)(bodyClass)}">
   ${content}
 </body>
 </html>`;
@@ -1209,7 +1052,7 @@ function extraWideLayout(content, options) {
 }
 
 // libs/auth/src/ui/templates.ts
-var escapeHtml3 = import_utils4.escapeHtml;
+var escapeHtml3 = import_utils3.escapeHtml;
 function buildConsentPage(params) {
   const { apps, clientName, pendingAuthId, csrfToken, callbackPath } = params;
   const appCards = apps.map((app) => buildAppCardHtml(app, pendingAuthId, csrfToken, callbackPath)).join("\n");
@@ -1558,43 +1401,43 @@ function renderToHtml(html, _options) {
 }
 
 // libs/auth/src/session/authorization.store.ts
-var import_utils5 = require("@frontmcp/utils");
-var import_zod2 = require("zod");
-var pkceChallengeSchema = import_zod2.z.object({
-  challenge: import_zod2.z.string().min(43).max(128),
-  method: import_zod2.z.literal("S256")
+var import_utils4 = require("@frontmcp/utils");
+var import_zod = require("zod");
+var pkceChallengeSchema = import_zod.z.object({
+  challenge: import_zod.z.string().min(43).max(128),
+  method: import_zod.z.literal("S256")
 });
-var authorizationCodeRecordSchema = import_zod2.z.object({
-  code: import_zod2.z.string().min(1),
-  clientId: import_zod2.z.string().min(1),
-  redirectUri: import_zod2.z.string().url(),
-  scopes: import_zod2.z.array(import_zod2.z.string()),
+var authorizationCodeRecordSchema = import_zod.z.object({
+  code: import_zod.z.string().min(1),
+  clientId: import_zod.z.string().min(1),
+  redirectUri: import_zod.z.string().url(),
+  scopes: import_zod.z.array(import_zod.z.string()),
   pkce: pkceChallengeSchema,
-  userSub: import_zod2.z.string().min(1),
-  userEmail: import_zod2.z.string().email().optional(),
-  userName: import_zod2.z.string().optional(),
-  state: import_zod2.z.string().optional(),
-  createdAt: import_zod2.z.number(),
-  expiresAt: import_zod2.z.number(),
-  used: import_zod2.z.boolean(),
-  resource: import_zod2.z.string().url().optional(),
+  userSub: import_zod.z.string().min(1),
+  userEmail: import_zod.z.string().email().optional(),
+  userName: import_zod.z.string().optional(),
+  state: import_zod.z.string().optional(),
+  createdAt: import_zod.z.number(),
+  expiresAt: import_zod.z.number(),
+  used: import_zod.z.boolean(),
+  resource: import_zod.z.string().url().optional(),
   // Consent and federated login fields
-  selectedToolIds: import_zod2.z.array(import_zod2.z.string()).optional(),
-  selectedProviderIds: import_zod2.z.array(import_zod2.z.string()).optional(),
-  skippedProviderIds: import_zod2.z.array(import_zod2.z.string()).optional(),
-  consentEnabled: import_zod2.z.boolean().optional(),
-  federatedLoginUsed: import_zod2.z.boolean().optional(),
-  pendingAuthId: import_zod2.z.string().optional()
+  selectedToolIds: import_zod.z.array(import_zod.z.string()).optional(),
+  selectedProviderIds: import_zod.z.array(import_zod.z.string()).optional(),
+  skippedProviderIds: import_zod.z.array(import_zod.z.string()).optional(),
+  consentEnabled: import_zod.z.boolean().optional(),
+  federatedLoginUsed: import_zod.z.boolean().optional(),
+  pendingAuthId: import_zod.z.string().optional()
 });
 function verifyPkce(codeVerifier, challenge) {
   if (challenge.method !== "S256") {
     return false;
   }
-  const hash = (0, import_utils5.sha256Base64url)(codeVerifier);
+  const hash = (0, import_utils4.sha256Base64url)(codeVerifier);
   return hash === challenge.challenge;
 }
 function generatePkceChallenge(codeVerifier) {
-  const challenge = (0, import_utils5.sha256Base64url)(codeVerifier);
+  const challenge = (0, import_utils4.sha256Base64url)(codeVerifier);
   return { challenge, method: "S256" };
 }
 var InMemoryAuthorizationStore = class {
@@ -1608,10 +1451,10 @@ var InMemoryAuthorizationStore = class {
   /** Default TTL for refresh tokens (30 days) */
   refreshTtlMs = 30 * 24 * 60 * 60 * 1e3;
   generateCode() {
-    return (0, import_utils5.randomUUID)().replace(/-/g, "") + (0, import_utils5.randomUUID)().replace(/-/g, "");
+    return (0, import_utils4.randomUUID)().replace(/-/g, "") + (0, import_utils4.randomUUID)().replace(/-/g, "");
   }
   generateRefreshToken() {
-    return (0, import_utils5.randomUUID)() + "-" + (0, import_utils5.randomUUID)();
+    return (0, import_utils4.randomUUID)() + "-" + (0, import_utils4.randomUUID)();
   }
   async storeAuthorizationCode(record) {
     this.codes.set(record.code, record);
@@ -1724,7 +1567,7 @@ var InMemoryAuthorizationStore = class {
   createPendingRecord(params) {
     const now = Date.now();
     return {
-      id: (0, import_utils5.randomUUID)(),
+      id: (0, import_utils4.randomUUID)(),
       clientId: params.clientId,
       redirectUri: params.redirectUri,
       scopes: params.scopes,
@@ -1771,10 +1614,10 @@ var RedisAuthorizationStore = class {
     return `${this.namespace}${type}:${id}`;
   }
   generateCode() {
-    return (0, import_utils5.randomUUID)().replace(/-/g, "") + (0, import_utils5.randomUUID)().replace(/-/g, "");
+    return (0, import_utils4.randomUUID)().replace(/-/g, "") + (0, import_utils4.randomUUID)().replace(/-/g, "");
   }
   generateRefreshToken() {
-    return (0, import_utils5.randomUUID)() + "-" + (0, import_utils5.randomUUID)();
+    return (0, import_utils4.randomUUID)() + "-" + (0, import_utils4.randomUUID)();
   }
   async storeAuthorizationCode(record) {
     const ttl = Math.max(Math.ceil((record.expiresAt - Date.now()) / 1e3), 1);
@@ -1837,8 +1680,8 @@ var RedisAuthorizationStore = class {
 };
 
 // libs/auth/src/session/authorization-vault.ts
-var import_zod3 = require("zod");
-var credentialTypeSchema = import_zod3.z.enum([
+var import_zod2 = require("zod");
+var credentialTypeSchema = import_zod2.z.enum([
   "oauth",
   // OAuth 2.0 tokens
   "api_key",
@@ -1860,135 +1703,135 @@ var credentialTypeSchema = import_zod3.z.enum([
   "oauth_pkce"
   // OAuth 2.0 with PKCE for public clients
 ]);
-var oauthCredentialSchema = import_zod3.z.object({
-  type: import_zod3.z.literal("oauth"),
+var oauthCredentialSchema = import_zod2.z.object({
+  type: import_zod2.z.literal("oauth"),
   /** Access token */
-  accessToken: import_zod3.z.string(),
+  accessToken: import_zod2.z.string(),
   /** Refresh token (optional) */
-  refreshToken: import_zod3.z.string().optional(),
+  refreshToken: import_zod2.z.string().optional(),
   /** Token type (usually 'Bearer') */
-  tokenType: import_zod3.z.string().default("Bearer"),
+  tokenType: import_zod2.z.string().default("Bearer"),
   /** Token expiration timestamp (epoch ms) */
-  expiresAt: import_zod3.z.number().optional(),
+  expiresAt: import_zod2.z.number().optional(),
   /** Granted scopes */
-  scopes: import_zod3.z.array(import_zod3.z.string()).default([]),
+  scopes: import_zod2.z.array(import_zod2.z.string()).default([]),
   /** ID token for OIDC (optional) */
-  idToken: import_zod3.z.string().optional()
+  idToken: import_zod2.z.string().optional()
 });
-var apiKeyCredentialSchema = import_zod3.z.object({
-  type: import_zod3.z.literal("api_key"),
+var apiKeyCredentialSchema = import_zod2.z.object({
+  type: import_zod2.z.literal("api_key"),
   /** The API key value */
-  key: import_zod3.z.string().min(1),
+  key: import_zod2.z.string().min(1),
   /** Header name to use (e.g., 'X-API-Key', 'Authorization') */
-  headerName: import_zod3.z.string().default("X-API-Key"),
+  headerName: import_zod2.z.string().default("X-API-Key"),
   /** Prefix for the header value (e.g., 'Bearer ', 'Api-Key ') */
-  headerPrefix: import_zod3.z.string().optional(),
+  headerPrefix: import_zod2.z.string().optional(),
   /** Alternative: send as query parameter */
-  queryParam: import_zod3.z.string().optional()
+  queryParam: import_zod2.z.string().optional()
 });
-var basicAuthCredentialSchema = import_zod3.z.object({
-  type: import_zod3.z.literal("basic"),
+var basicAuthCredentialSchema = import_zod2.z.object({
+  type: import_zod2.z.literal("basic"),
   /** Username */
-  username: import_zod3.z.string().min(1),
+  username: import_zod2.z.string().min(1),
   /** Password */
-  password: import_zod3.z.string(),
+  password: import_zod2.z.string(),
   /** Pre-computed base64 encoded value (optional, for caching) */
-  encodedValue: import_zod3.z.string().optional()
+  encodedValue: import_zod2.z.string().optional()
 });
-var bearerCredentialSchema = import_zod3.z.object({
-  type: import_zod3.z.literal("bearer"),
+var bearerCredentialSchema = import_zod2.z.object({
+  type: import_zod2.z.literal("bearer"),
   /** The bearer token value */
-  token: import_zod3.z.string().min(1),
+  token: import_zod2.z.string().min(1),
   /** Token expiration (optional, for static tokens that expire) */
-  expiresAt: import_zod3.z.number().optional()
+  expiresAt: import_zod2.z.number().optional()
 });
-var privateKeyCredentialSchema = import_zod3.z.object({
-  type: import_zod3.z.literal("private_key"),
+var privateKeyCredentialSchema = import_zod2.z.object({
+  type: import_zod2.z.literal("private_key"),
   /** Key format */
-  format: import_zod3.z.enum(["pem", "jwk", "pkcs8", "pkcs12"]),
+  format: import_zod2.z.enum(["pem", "jwk", "pkcs8", "pkcs12"]),
   /** The key data (PEM string or JWK JSON) */
-  keyData: import_zod3.z.string(),
+  keyData: import_zod2.z.string(),
   /** Key ID (for JWK) */
-  keyId: import_zod3.z.string().optional(),
+  keyId: import_zod2.z.string().optional(),
   /** Algorithm to use for signing */
-  algorithm: import_zod3.z.string().optional(),
+  algorithm: import_zod2.z.string().optional(),
   /** Passphrase if key is encrypted */
-  passphrase: import_zod3.z.string().optional(),
+  passphrase: import_zod2.z.string().optional(),
   /** Associated certificate (for mTLS) */
-  certificate: import_zod3.z.string().optional()
+  certificate: import_zod2.z.string().optional()
 });
-var mtlsCredentialSchema = import_zod3.z.object({
-  type: import_zod3.z.literal("mtls"),
+var mtlsCredentialSchema = import_zod2.z.object({
+  type: import_zod2.z.literal("mtls"),
   /** Client certificate (PEM format) */
-  certificate: import_zod3.z.string(),
+  certificate: import_zod2.z.string(),
   /** Private key (PEM format) */
-  privateKey: import_zod3.z.string(),
+  privateKey: import_zod2.z.string(),
   /** Passphrase if private key is encrypted */
-  passphrase: import_zod3.z.string().optional(),
+  passphrase: import_zod2.z.string().optional(),
   /** CA certificate chain (optional) */
-  caCertificate: import_zod3.z.string().optional()
+  caCertificate: import_zod2.z.string().optional()
 });
-var customCredentialSchema = import_zod3.z.object({
-  type: import_zod3.z.literal("custom"),
+var customCredentialSchema = import_zod2.z.object({
+  type: import_zod2.z.literal("custom"),
   /** Custom type identifier */
-  customType: import_zod3.z.string().min(1),
+  customType: import_zod2.z.string().min(1),
   /** Arbitrary credential data */
-  data: import_zod3.z.record(import_zod3.z.string(), import_zod3.z.unknown()),
+  data: import_zod2.z.record(import_zod2.z.string(), import_zod2.z.unknown()),
   /** Headers to include in requests */
-  headers: import_zod3.z.record(import_zod3.z.string(), import_zod3.z.string()).optional()
+  headers: import_zod2.z.record(import_zod2.z.string(), import_zod2.z.string()).optional()
 });
-var sshKeyCredentialSchema = import_zod3.z.object({
-  type: import_zod3.z.literal("ssh_key"),
+var sshKeyCredentialSchema = import_zod2.z.object({
+  type: import_zod2.z.literal("ssh_key"),
   /** Private key (PEM format) */
-  privateKey: import_zod3.z.string().min(1),
+  privateKey: import_zod2.z.string().min(1),
   /** Public key (optional, can be derived from private key) */
-  publicKey: import_zod3.z.string().optional(),
+  publicKey: import_zod2.z.string().optional(),
   /** Passphrase if private key is encrypted */
-  passphrase: import_zod3.z.string().optional(),
+  passphrase: import_zod2.z.string().optional(),
   /** Key type */
-  keyType: import_zod3.z.enum(["rsa", "ed25519", "ecdsa", "dsa"]).default("ed25519"),
+  keyType: import_zod2.z.enum(["rsa", "ed25519", "ecdsa", "dsa"]).default("ed25519"),
   /** Key fingerprint (SHA256 hash) */
-  fingerprint: import_zod3.z.string().optional(),
+  fingerprint: import_zod2.z.string().optional(),
   /** Username for SSH connections */
-  username: import_zod3.z.string().optional()
+  username: import_zod2.z.string().optional()
 });
-var serviceAccountCredentialSchema = import_zod3.z.object({
-  type: import_zod3.z.literal("service_account"),
+var serviceAccountCredentialSchema = import_zod2.z.object({
+  type: import_zod2.z.literal("service_account"),
   /** Cloud provider */
-  provider: import_zod3.z.enum(["gcp", "aws", "azure", "custom"]),
+  provider: import_zod2.z.enum(["gcp", "aws", "azure", "custom"]),
   /** Raw credentials (JSON key file content, access keys, etc.) */
-  credentials: import_zod3.z.record(import_zod3.z.string(), import_zod3.z.unknown()),
+  credentials: import_zod2.z.record(import_zod2.z.string(), import_zod2.z.unknown()),
   /** Project/Account ID */
-  projectId: import_zod3.z.string().optional(),
+  projectId: import_zod2.z.string().optional(),
   /** Region for regional services */
-  region: import_zod3.z.string().optional(),
+  region: import_zod2.z.string().optional(),
   /** AWS: Role ARN to assume */
-  assumeRoleArn: import_zod3.z.string().optional(),
+  assumeRoleArn: import_zod2.z.string().optional(),
   /** AWS: External ID for cross-account access */
-  externalId: import_zod3.z.string().optional(),
+  externalId: import_zod2.z.string().optional(),
   /** Service account email (GCP) or ARN (AWS) */
-  serviceAccountId: import_zod3.z.string().optional(),
+  serviceAccountId: import_zod2.z.string().optional(),
   /** Expiration timestamp for temporary credentials */
-  expiresAt: import_zod3.z.number().optional()
+  expiresAt: import_zod2.z.number().optional()
 });
-var pkceOAuthCredentialSchema = import_zod3.z.object({
-  type: import_zod3.z.literal("oauth_pkce"),
+var pkceOAuthCredentialSchema = import_zod2.z.object({
+  type: import_zod2.z.literal("oauth_pkce"),
   /** Access token */
-  accessToken: import_zod3.z.string(),
+  accessToken: import_zod2.z.string(),
   /** Refresh token (optional) */
-  refreshToken: import_zod3.z.string().optional(),
+  refreshToken: import_zod2.z.string().optional(),
   /** Token type (usually 'Bearer') */
-  tokenType: import_zod3.z.string().default("Bearer"),
+  tokenType: import_zod2.z.string().default("Bearer"),
   /** Token expiration timestamp (epoch ms) */
-  expiresAt: import_zod3.z.number().optional(),
+  expiresAt: import_zod2.z.number().optional(),
   /** Granted scopes */
-  scopes: import_zod3.z.array(import_zod3.z.string()).default([]),
+  scopes: import_zod2.z.array(import_zod2.z.string()).default([]),
   /** ID token for OIDC (optional) */
-  idToken: import_zod3.z.string().optional(),
+  idToken: import_zod2.z.string().optional(),
   /** Authorization server issuer */
-  issuer: import_zod3.z.string().optional()
+  issuer: import_zod2.z.string().optional()
 });
-var credentialSchema = import_zod3.z.discriminatedUnion("type", [
+var credentialSchema = import_zod2.z.discriminatedUnion("type", [
   oauthCredentialSchema,
   apiKeyCredentialSchema,
   basicAuthCredentialSchema,
@@ -2000,117 +1843,117 @@ var credentialSchema = import_zod3.z.discriminatedUnion("type", [
   serviceAccountCredentialSchema,
   pkceOAuthCredentialSchema
 ]);
-var appCredentialSchema = import_zod3.z.object({
+var appCredentialSchema = import_zod2.z.object({
   /** App ID this credential belongs to */
-  appId: import_zod3.z.string().min(1),
+  appId: import_zod2.z.string().min(1),
   /** Provider ID within the app (for apps with multiple auth providers) */
-  providerId: import_zod3.z.string().min(1),
+  providerId: import_zod2.z.string().min(1),
   /** The credential data */
   credential: credentialSchema,
   /** Timestamp when credential was acquired */
-  acquiredAt: import_zod3.z.number(),
+  acquiredAt: import_zod2.z.number(),
   /** Timestamp when credential was last used */
-  lastUsedAt: import_zod3.z.number().optional(),
+  lastUsedAt: import_zod2.z.number().optional(),
   /** Credential expiration (if applicable) */
-  expiresAt: import_zod3.z.number().optional(),
+  expiresAt: import_zod2.z.number().optional(),
   /** Whether this credential is currently valid */
-  isValid: import_zod3.z.boolean().default(true),
+  isValid: import_zod2.z.boolean().default(true),
   /** Error message if credential is invalid */
-  invalidReason: import_zod3.z.string().optional(),
+  invalidReason: import_zod2.z.string().optional(),
   /** User info associated with this credential */
-  userInfo: import_zod3.z.object({
-    sub: import_zod3.z.string().optional(),
-    email: import_zod3.z.string().optional(),
-    name: import_zod3.z.string().optional()
+  userInfo: import_zod2.z.object({
+    sub: import_zod2.z.string().optional(),
+    email: import_zod2.z.string().optional(),
+    name: import_zod2.z.string().optional()
   }).optional(),
   /** Metadata for tracking/debugging */
-  metadata: import_zod3.z.record(import_zod3.z.string(), import_zod3.z.unknown()).optional()
+  metadata: import_zod2.z.record(import_zod2.z.string(), import_zod2.z.unknown()).optional()
 });
-var vaultConsentRecordSchema = import_zod3.z.object({
+var vaultConsentRecordSchema = import_zod2.z.object({
   /** Whether consent was enabled */
-  enabled: import_zod3.z.boolean(),
+  enabled: import_zod2.z.boolean(),
   /** Selected tool IDs (user approved these) */
-  selectedToolIds: import_zod3.z.array(import_zod3.z.string()),
+  selectedToolIds: import_zod2.z.array(import_zod2.z.string()),
   /** Available tool IDs at time of consent */
-  availableToolIds: import_zod3.z.array(import_zod3.z.string()),
+  availableToolIds: import_zod2.z.array(import_zod2.z.string()),
   /** Timestamp when consent was given */
-  consentedAt: import_zod3.z.number(),
+  consentedAt: import_zod2.z.number(),
   /** Consent version for tracking changes */
-  version: import_zod3.z.string().default("1.0")
+  version: import_zod2.z.string().default("1.0")
 });
-var vaultFederatedRecordSchema = import_zod3.z.object({
+var vaultFederatedRecordSchema = import_zod2.z.object({
   /** Provider IDs that were selected */
-  selectedProviderIds: import_zod3.z.array(import_zod3.z.string()),
+  selectedProviderIds: import_zod2.z.array(import_zod2.z.string()),
   /** Provider IDs that were skipped (can be authorized later) */
-  skippedProviderIds: import_zod3.z.array(import_zod3.z.string()),
+  skippedProviderIds: import_zod2.z.array(import_zod2.z.string()),
   /** Primary provider ID */
-  primaryProviderId: import_zod3.z.string().optional(),
+  primaryProviderId: import_zod2.z.string().optional(),
   /** Timestamp when federated login was completed */
-  completedAt: import_zod3.z.number()
+  completedAt: import_zod2.z.number()
 });
-var pendingIncrementalAuthSchema = import_zod3.z.object({
+var pendingIncrementalAuthSchema = import_zod2.z.object({
   /** Unique ID for this request */
-  id: import_zod3.z.string(),
+  id: import_zod2.z.string(),
   /** App ID being authorized */
-  appId: import_zod3.z.string(),
+  appId: import_zod2.z.string(),
   /** Tool ID that triggered the auth request */
-  toolId: import_zod3.z.string().optional(),
+  toolId: import_zod2.z.string().optional(),
   /** Authorization URL */
-  authUrl: import_zod3.z.string(),
+  authUrl: import_zod2.z.string(),
   /** Required scopes */
-  requiredScopes: import_zod3.z.array(import_zod3.z.string()).optional(),
+  requiredScopes: import_zod2.z.array(import_zod2.z.string()).optional(),
   /** Whether elicit is being used */
-  elicitId: import_zod3.z.string().optional(),
+  elicitId: import_zod2.z.string().optional(),
   /** Timestamp when request was created */
-  createdAt: import_zod3.z.number(),
+  createdAt: import_zod2.z.number(),
   /** Expiration timestamp */
-  expiresAt: import_zod3.z.number(),
+  expiresAt: import_zod2.z.number(),
   /** Status of the request */
-  status: import_zod3.z.enum(["pending", "completed", "cancelled", "expired"])
+  status: import_zod2.z.enum(["pending", "completed", "cancelled", "expired"])
 });
-var authorizationVaultEntrySchema = import_zod3.z.object({
+var authorizationVaultEntrySchema = import_zod2.z.object({
   /** Vault ID (maps to access token jti claim) */
-  id: import_zod3.z.string(),
+  id: import_zod2.z.string(),
   /** User subject identifier */
-  userSub: import_zod3.z.string(),
+  userSub: import_zod2.z.string(),
   /** User email */
-  userEmail: import_zod3.z.string().optional(),
+  userEmail: import_zod2.z.string().optional(),
   /** User name */
-  userName: import_zod3.z.string().optional(),
+  userName: import_zod2.z.string().optional(),
   /** Client ID that created this session */
-  clientId: import_zod3.z.string(),
+  clientId: import_zod2.z.string(),
   /** Creation timestamp */
-  createdAt: import_zod3.z.number(),
+  createdAt: import_zod2.z.number(),
   /** Last access timestamp */
-  lastAccessAt: import_zod3.z.number(),
+  lastAccessAt: import_zod2.z.number(),
   /** App credentials (keyed by `${appId}:${providerId}`) */
-  appCredentials: import_zod3.z.record(import_zod3.z.string(), appCredentialSchema).default({}),
+  appCredentials: import_zod2.z.record(import_zod2.z.string(), appCredentialSchema).default({}),
   /** Consent record */
   consent: vaultConsentRecordSchema.optional(),
   /** Federated login record */
   federated: vaultFederatedRecordSchema.optional(),
   /** Pending incremental authorization requests */
-  pendingAuths: import_zod3.z.array(pendingIncrementalAuthSchema),
+  pendingAuths: import_zod2.z.array(pendingIncrementalAuthSchema),
   /** Apps that are fully authorized */
-  authorizedAppIds: import_zod3.z.array(import_zod3.z.string()),
+  authorizedAppIds: import_zod2.z.array(import_zod2.z.string()),
   /** Apps that were skipped (not yet authorized) */
-  skippedAppIds: import_zod3.z.array(import_zod3.z.string())
+  skippedAppIds: import_zod2.z.array(import_zod2.z.string())
 });
 
 // libs/auth/src/session/vault-encryption.ts
-var import_zod4 = require("zod");
-var import_utils6 = require("@frontmcp/utils");
-var encryptedDataSchema = import_zod4.z.object({
+var import_zod3 = require("zod");
+var import_utils5 = require("@frontmcp/utils");
+var encryptedDataSchema = import_zod3.z.object({
   /** Version for future algorithm changes */
-  v: import_zod4.z.literal(1),
+  v: import_zod3.z.literal(1),
   /** Algorithm identifier */
-  alg: import_zod4.z.literal("aes-256-gcm"),
+  alg: import_zod3.z.literal("aes-256-gcm"),
   /** Initialization vector (base64) */
-  iv: import_zod4.z.string(),
+  iv: import_zod3.z.string(),
   /** Ciphertext (base64) */
-  ct: import_zod4.z.string(),
+  ct: import_zod3.z.string(),
   /** Authentication tag (base64) */
-  tag: import_zod4.z.string()
+  tag: import_zod3.z.string()
 });
 var VaultEncryption = class {
   pepper;
@@ -2139,7 +1982,7 @@ var VaultEncryption = class {
     ];
     const ikm = new TextEncoder().encode(ikmParts.join(""));
     const infoBytes = new TextEncoder().encode(this.hkdfInfo);
-    const key = await (0, import_utils6.hkdfSha256)(ikm, new Uint8Array(0), infoBytes, 32);
+    const key = await (0, import_utils5.hkdfSha256)(ikm, new Uint8Array(0), infoBytes, 32);
     return key;
   }
   /**
@@ -2166,7 +2009,7 @@ var VaultEncryption = class {
     ];
     const ikm = new TextEncoder().encode(ikmParts.join(""));
     const infoBytes = new TextEncoder().encode(this.hkdfInfo);
-    const key = await (0, import_utils6.hkdfSha256)(ikm, new Uint8Array(0), infoBytes, 32);
+    const key = await (0, import_utils5.hkdfSha256)(ikm, new Uint8Array(0), infoBytes, 32);
     return key;
   }
   /**
@@ -2180,14 +2023,14 @@ var VaultEncryption = class {
     if (key.length !== 32) {
       throw new Error("Encryption key must be 32 bytes");
     }
-    const iv = (0, import_utils6.randomBytes)(12);
-    const { ciphertext, tag } = await (0, import_utils6.encryptAesGcm)(key, new TextEncoder().encode(plaintext), iv);
+    const iv = (0, import_utils5.randomBytes)(12);
+    const { ciphertext, tag } = await (0, import_utils5.encryptAesGcm)(key, new TextEncoder().encode(plaintext), iv);
     return {
       v: 1,
       alg: "aes-256-gcm",
-      iv: (0, import_utils6.base64urlEncode)(iv),
-      ct: (0, import_utils6.base64urlEncode)(ciphertext),
-      tag: (0, import_utils6.base64urlEncode)(tag)
+      iv: (0, import_utils5.base64urlEncode)(iv),
+      ct: (0, import_utils5.base64urlEncode)(ciphertext),
+      tag: (0, import_utils5.base64urlEncode)(tag)
     };
   }
   /**
@@ -2207,11 +2050,11 @@ var VaultEncryption = class {
       throw new Error("Invalid encrypted data format");
     }
     const { iv, ct, tag } = parsed.data;
-    const ivBuffer = (0, import_utils6.base64urlDecode)(iv);
-    const ciphertext = (0, import_utils6.base64urlDecode)(ct);
-    const tagBuffer = (0, import_utils6.base64urlDecode)(tag);
+    const ivBuffer = (0, import_utils5.base64urlDecode)(iv);
+    const ciphertext = (0, import_utils5.base64urlDecode)(ct);
+    const tagBuffer = (0, import_utils5.base64urlDecode)(tag);
     try {
-      const plaintext = await (0, import_utils6.decryptAesGcm)(key, ciphertext, ivBuffer, tagBuffer);
+      const plaintext = await (0, import_utils5.decryptAesGcm)(key, ciphertext, ivBuffer, tagBuffer);
       return new TextDecoder().decode(plaintext);
     } catch (_error) {
       throw new Error("Decryption failed: invalid key or corrupted data");
@@ -2248,33 +2091,33 @@ var VaultEncryption = class {
     return encryptedDataSchema.safeParse(data).success;
   }
 };
-var encryptedVaultEntrySchema = import_zod4.z.object({
+var encryptedVaultEntrySchema = import_zod3.z.object({
   /** Vault ID (maps to JWT jti claim) */
-  id: import_zod4.z.string(),
+  id: import_zod3.z.string(),
   /** User subject identifier */
-  userSub: import_zod4.z.string(),
+  userSub: import_zod3.z.string(),
   /** User email (unencrypted for display) */
-  userEmail: import_zod4.z.string().optional(),
+  userEmail: import_zod3.z.string().optional(),
   /** User name (unencrypted for display) */
-  userName: import_zod4.z.string().optional(),
+  userName: import_zod3.z.string().optional(),
   /** Client ID that created this session */
-  clientId: import_zod4.z.string(),
+  clientId: import_zod3.z.string(),
   /** Creation timestamp */
-  createdAt: import_zod4.z.number(),
+  createdAt: import_zod3.z.number(),
   /** Last access timestamp */
-  lastAccessAt: import_zod4.z.number(),
+  lastAccessAt: import_zod3.z.number(),
   /** Encrypted sensitive data (provider tokens, credentials, consent) */
   encryptedData: encryptedDataSchema,
   /** Apps that are fully authorized (unencrypted for quick lookup) */
-  authorizedAppIds: import_zod4.z.array(import_zod4.z.string()),
+  authorizedAppIds: import_zod3.z.array(import_zod3.z.string()),
   /** Apps that were skipped (unencrypted for quick lookup) */
-  skippedAppIds: import_zod4.z.array(import_zod4.z.string()),
+  skippedAppIds: import_zod3.z.array(import_zod3.z.string()),
   /** Pending auth IDs (unencrypted for lookup, actual URLs encrypted) */
-  pendingAuthIds: import_zod4.z.array(import_zod4.z.string()).default([])
+  pendingAuthIds: import_zod3.z.array(import_zod3.z.string()).default([])
 });
 
 // libs/auth/src/session/token.vault.ts
-var import_utils7 = require("@frontmcp/utils");
+var import_utils6 = require("@frontmcp/utils");
 var TokenVault = class {
   /** Active key used for new encryptions */
   active;
@@ -2303,14 +2146,14 @@ var TokenVault = class {
     this.keys.set(k.kid, k.key);
   }
   async encrypt(plaintext, opts) {
-    const iv = (0, import_utils7.randomBytes)(12);
-    const { ciphertext, tag } = await (0, import_utils7.encryptAesGcm)(this.active.key, new TextEncoder().encode(plaintext), iv);
+    const iv = (0, import_utils6.randomBytes)(12);
+    const { ciphertext, tag } = await (0, import_utils6.encryptAesGcm)(this.active.key, new TextEncoder().encode(plaintext), iv);
     return {
       alg: "A256GCM",
       kid: this.active.kid,
-      iv: (0, import_utils7.base64urlEncode)(iv),
-      tag: (0, import_utils7.base64urlEncode)(tag),
-      data: (0, import_utils7.base64urlEncode)(ciphertext),
+      iv: (0, import_utils6.base64urlEncode)(iv),
+      tag: (0, import_utils6.base64urlEncode)(tag),
+      data: (0, import_utils6.base64urlEncode)(ciphertext),
       exp: opts?.exp,
       meta: opts?.meta
     };
@@ -2324,10 +2167,10 @@ var TokenVault = class {
     }
     const key = this.keys.get(blob.kid);
     if (!key) throw new Error(`vault_unknown_kid:${blob.kid}`);
-    const iv = (0, import_utils7.base64urlDecode)(blob.iv);
-    const tag = (0, import_utils7.base64urlDecode)(blob.tag);
-    const data = (0, import_utils7.base64urlDecode)(blob.data);
-    const plaintext = await (0, import_utils7.decryptAesGcm)(key, data, iv, tag);
+    const iv = (0, import_utils6.base64urlDecode)(blob.iv);
+    const tag = (0, import_utils6.base64urlDecode)(blob.tag);
+    const data = (0, import_utils6.base64urlDecode)(blob.data);
+    const plaintext = await (0, import_utils6.decryptAesGcm)(key, data, iv, tag);
     return new TextDecoder().decode(plaintext);
   }
 };
@@ -2336,102 +2179,103 @@ var TokenVault = class {
 var import_utils25 = require("@frontmcp/utils");
 
 // libs/auth/src/session/transport-session.types.ts
-var import_zod5 = require("zod");
-var transportProtocolSchema = import_zod5.z.enum([
+var import_zod4 = require("zod");
+var transportProtocolSchema = import_zod4.z.enum([
   "legacy-sse",
   "sse",
   "streamable-http",
   "stateful-http",
   "stateless-http"
 ]);
-var sseTransportStateSchema = import_zod5.z.object({
-  type: import_zod5.z.literal("sse"),
-  lastEventId: import_zod5.z.string().optional(),
-  lastPing: import_zod5.z.number().optional(),
-  connectionState: import_zod5.z.enum(["connecting", "open", "closed"]).optional()
+var sseTransportStateSchema = import_zod4.z.object({
+  type: import_zod4.z.literal("sse"),
+  lastEventId: import_zod4.z.string().optional(),
+  lastPing: import_zod4.z.number().optional(),
+  connectionState: import_zod4.z.enum(["connecting", "open", "closed"]).optional()
 });
-var streamableHttpTransportStateSchema = import_zod5.z.object({
-  type: import_zod5.z.literal("streamable-http"),
-  requestSeq: import_zod5.z.number(),
-  activeStreamId: import_zod5.z.string().optional(),
-  pendingRequests: import_zod5.z.array(import_zod5.z.string()).optional()
+var streamableHttpTransportStateSchema = import_zod4.z.object({
+  type: import_zod4.z.literal("streamable-http"),
+  requestSeq: import_zod4.z.number(),
+  activeStreamId: import_zod4.z.string().optional(),
+  pendingRequests: import_zod4.z.array(import_zod4.z.string()).optional()
 });
-var statefulHttpTransportStateSchema = import_zod5.z.object({
-  type: import_zod5.z.literal("stateful-http"),
-  requestSeq: import_zod5.z.number(),
-  pendingResponses: import_zod5.z.array(import_zod5.z.string()).optional(),
-  lastActivity: import_zod5.z.number().optional()
+var statefulHttpTransportStateSchema = import_zod4.z.object({
+  type: import_zod4.z.literal("stateful-http"),
+  requestSeq: import_zod4.z.number(),
+  pendingResponses: import_zod4.z.array(import_zod4.z.string()).optional(),
+  lastActivity: import_zod4.z.number().optional()
 });
-var statelessHttpTransportStateSchema = import_zod5.z.object({
-  type: import_zod5.z.literal("stateless-http"),
-  requestCount: import_zod5.z.number(),
-  windowStart: import_zod5.z.number().optional()
+var statelessHttpTransportStateSchema = import_zod4.z.object({
+  type: import_zod4.z.literal("stateless-http"),
+  requestCount: import_zod4.z.number(),
+  windowStart: import_zod4.z.number().optional()
 });
-var legacySseTransportStateSchema = import_zod5.z.object({
-  type: import_zod5.z.literal("legacy-sse"),
-  messagePath: import_zod5.z.string(),
-  lastEventId: import_zod5.z.string().optional(),
-  connectionState: import_zod5.z.enum(["connecting", "open", "closed"]).optional()
+var legacySseTransportStateSchema = import_zod4.z.object({
+  type: import_zod4.z.literal("legacy-sse"),
+  messagePath: import_zod4.z.string(),
+  lastEventId: import_zod4.z.string().optional(),
+  connectionState: import_zod4.z.enum(["connecting", "open", "closed"]).optional()
 });
-var transportStateSchema = import_zod5.z.discriminatedUnion("type", [
+var transportStateSchema = import_zod4.z.discriminatedUnion("type", [
   sseTransportStateSchema,
   streamableHttpTransportStateSchema,
   statefulHttpTransportStateSchema,
   statelessHttpTransportStateSchema,
   legacySseTransportStateSchema
 ]);
-var transportSessionSchema = import_zod5.z.object({
-  id: import_zod5.z.string(),
-  authorizationId: import_zod5.z.string(),
+var transportSessionSchema = import_zod4.z.object({
+  id: import_zod4.z.string(),
+  authorizationId: import_zod4.z.string(),
   protocol: transportProtocolSchema,
-  createdAt: import_zod5.z.number(),
-  expiresAt: import_zod5.z.number().optional(),
-  nodeId: import_zod5.z.string(),
-  clientFingerprint: import_zod5.z.string().optional(),
+  createdAt: import_zod4.z.number(),
+  expiresAt: import_zod4.z.number().optional(),
+  nodeId: import_zod4.z.string(),
+  clientFingerprint: import_zod4.z.string().optional(),
   transportState: transportStateSchema.optional()
 });
-var sessionJwtPayloadSchema = import_zod5.z.object({
-  sid: import_zod5.z.string(),
-  aid: import_zod5.z.string(),
+var sessionJwtPayloadSchema = import_zod4.z.object({
+  sid: import_zod4.z.string(),
+  aid: import_zod4.z.string(),
   proto: transportProtocolSchema,
-  nid: import_zod5.z.string(),
-  iat: import_zod5.z.number(),
-  exp: import_zod5.z.number().optional()
+  nid: import_zod4.z.string(),
+  iat: import_zod4.z.number(),
+  exp: import_zod4.z.number().optional()
 });
-var encryptedBlobSchema = import_zod5.z.object({
-  alg: import_zod5.z.literal("A256GCM"),
-  kid: import_zod5.z.string().optional(),
-  iv: import_zod5.z.string(),
-  tag: import_zod5.z.string(),
-  data: import_zod5.z.string(),
-  exp: import_zod5.z.number().optional(),
-  meta: import_zod5.z.record(import_zod5.z.string(), import_zod5.z.unknown()).optional()
+var encryptedBlobSchema = import_zod4.z.object({
+  alg: import_zod4.z.literal("A256GCM"),
+  kid: import_zod4.z.string().optional(),
+  iv: import_zod4.z.string(),
+  tag: import_zod4.z.string(),
+  data: import_zod4.z.string(),
+  exp: import_zod4.z.number().optional(),
+  meta: import_zod4.z.record(import_zod4.z.string(), import_zod4.z.unknown()).optional()
 });
-var storedSessionSchema = import_zod5.z.object({
+var storedSessionSchema = import_zod4.z.object({
   session: transportSessionSchema,
-  authorizationId: import_zod5.z.string(),
-  tokens: import_zod5.z.record(import_zod5.z.string(), encryptedBlobSchema).optional(),
-  createdAt: import_zod5.z.number(),
-  lastAccessedAt: import_zod5.z.number(),
-  initialized: import_zod5.z.boolean().optional(),
-  maxLifetimeAt: import_zod5.z.number().optional()
+  authorizationId: import_zod4.z.string(),
+  tokens: import_zod4.z.record(import_zod4.z.string(), encryptedBlobSchema).optional(),
+  createdAt: import_zod4.z.number(),
+  lastAccessedAt: import_zod4.z.number(),
+  initialized: import_zod4.z.boolean().optional(),
+  maxLifetimeAt: import_zod4.z.number().optional(),
+  clientCapabilities: import_zod4.z.record(import_zod4.z.string(), import_zod4.z.unknown()).optional()
 });
-var redisConfigSchema = import_zod5.z.object({
-  host: import_zod5.z.string().min(1),
-  port: import_zod5.z.number().int().positive().optional().default(6379),
-  password: import_zod5.z.string().optional(),
-  db: import_zod5.z.number().int().nonnegative().optional().default(0),
-  tls: import_zod5.z.boolean().optional().default(false),
-  keyPrefix: import_zod5.z.string().optional().default("mcp:session:"),
-  defaultTtlMs: import_zod5.z.number().int().positive().optional().default(36e5)
+var redisConfigSchema = import_zod4.z.object({
+  host: import_zod4.z.string().min(1),
+  port: import_zod4.z.number().int().positive().optional().default(6379),
+  password: import_zod4.z.string().optional(),
+  db: import_zod4.z.number().int().nonnegative().optional().default(0),
+  tls: import_zod4.z.boolean().optional().default(false),
+  keyPrefix: import_zod4.z.string().optional().default("mcp:session:"),
+  defaultTtlMs: import_zod4.z.number().int().positive().optional().default(36e5)
   // 1 hour default
 });
 
 // libs/auth/src/session/session-crypto.ts
-var import_utils9 = require("@frontmcp/utils");
+var import_utils8 = require("@frontmcp/utils");
 
 // libs/auth/src/errors/auth-internal.error.ts
-var import_utils8 = require("@frontmcp/utils");
+var import_utils7 = require("@frontmcp/utils");
 var AuthInternalError = class extends Error {
   /**
    * Unique error ID for tracking in logs.
@@ -2453,7 +2297,7 @@ var AuthInternalError = class extends Error {
     super(message);
     this.name = this.constructor.name;
     this.code = code;
-    this.errorId = `err_${(0, import_utils8.bytesToHex)((0, import_utils8.randomBytes)(8))}`;
+    this.errorId = `err_${(0, import_utils7.bytesToHex)((0, import_utils7.randomBytes)(8))}`;
     Error.captureStackTrace(this, this.constructor);
   }
   /**
@@ -2576,9 +2420,9 @@ var AuthFlowError = class extends AuthInternalError {
 
 // libs/auth/src/session/session-crypto.ts
 function getSigningSecret(config) {
-  const secret = config?.secret || process.env["MCP_SESSION_SECRET"];
+  const secret = config?.secret || (0, import_utils8.getEnv)("MCP_SESSION_SECRET");
   if (!secret) {
-    if (process.env["NODE_ENV"] === "production") {
+    if ((0, import_utils8.isProduction)()) {
       throw new SessionSecretRequiredError("session signing");
     }
     console.warn("[SessionCrypto] MCP_SESSION_SECRET not set. Using insecure default for development only.");
@@ -2590,13 +2434,13 @@ function resolveConfig(config) {
   return { secret: getSigningSecret(config) };
 }
 function signSession(session, config) {
-  return (0, import_utils9.signData)(session, resolveConfig(config));
+  return (0, import_utils8.signData)(session, resolveConfig(config));
 }
 function verifySession(signedData, config) {
-  return (0, import_utils9.verifyData)(signedData, resolveConfig(config));
+  return (0, import_utils8.verifyData)(signedData, resolveConfig(config));
 }
 function verifyOrParseSession(data, config) {
-  return (0, import_utils9.verifyOrParseData)(data, resolveConfig(config));
+  return (0, import_utils8.verifyOrParseData)(data, resolveConfig(config));
 }
 
 // libs/auth/src/session/session-rate-limiter.ts
@@ -2611,7 +2455,7 @@ var SessionRateLimiter = class {
     const cleanupIntervalMs = config.cleanupIntervalMs ?? 6e4;
     if (cleanupIntervalMs > 0) {
       this.cleanupTimer = setInterval(() => this.cleanup(), cleanupIntervalMs);
-      this.cleanupTimer.unref();
+      if (typeof this.cleanupTimer.unref === "function") this.cleanupTimer.unref();
     }
   }
   /**
@@ -2715,17 +2559,16 @@ var SessionRateLimiter = class {
 var defaultSessionRateLimiter = new SessionRateLimiter();
 
 // libs/auth/src/session/session.transport.ts
-var import_utils10 = require("@frontmcp/utils");
+var import_utils9 = require("@frontmcp/utils");
 var TransportIdGenerator = class {
   /**
    * Create a transport session ID.
-   * Always generates JWT-style IDs for distributed session support.
+   * Generates JWT-style IDs for distributed session support.
    *
-   * @param _mode - Deprecated parameter, kept for backwards compatibility
-   * @returns A JWT-style transport session ID (UUID without dashes)
+   * @returns A transport session ID (UUID without dashes)
    */
-  static createId(_mode) {
-    return (0, import_utils10.randomUUID)().replace(/-/g, "");
+  static createId() {
+    return (0, import_utils9.randomUUID)().replace(/-/g, "");
   }
 };
 
@@ -2773,7 +2616,7 @@ var TinyTtlCache = class {
 };
 
 // libs/auth/src/session/utils/auth-token.utils.ts
-var import_utils11 = require("@frontmcp/utils");
+var import_utils10 = require("@frontmcp/utils");
 function isJwt(token) {
   if (!token) return false;
   return token.split(".").length === 3;
@@ -2783,7 +2626,7 @@ function getTokenSignatureFingerprint(token) {
     const sig = token.split(".")[2];
     if (sig) return sig;
   }
-  return (0, import_utils11.sha256Base64url)(token);
+  return (0, import_utils10.sha256Base64url)(token);
 }
 function extractClaimValue(claims, key, validator) {
   const value = claims[key];
@@ -2815,18 +2658,20 @@ function extractBearerToken(header) {
 }
 
 // libs/auth/src/session/utils/session-crypto.utils.ts
-var import_utils13 = require("@frontmcp/utils");
+var import_utils12 = require("@frontmcp/utils");
 
 // libs/auth/src/machine-id/machine-id.ts
-var path2 = __toESM(require("path"));
-var import_utils12 = require("@frontmcp/utils");
+var import_utils11 = require("@frontmcp/utils");
 var DEFAULT_MACHINE_ID_PATH = ".frontmcp/machine-id";
 function isDevPersistenceEnabled() {
-  return process.env["NODE_ENV"] !== "production";
+  if ((0, import_utils11.isBrowser)()) return false;
+  return !(0, import_utils11.isProduction)();
 }
 function resolveMachineIdPath() {
-  const machineIdPath = process.env["MACHINE_ID_PATH"] ?? DEFAULT_MACHINE_ID_PATH;
-  return path2.isAbsolute(machineIdPath) ? machineIdPath : path2.resolve(process.cwd(), machineIdPath);
+  if ((0, import_utils11.isBrowser)()) return DEFAULT_MACHINE_ID_PATH;
+  const path = require("path");
+  const machineIdPath = (0, import_utils11.getEnv)("MACHINE_ID_PATH") ?? DEFAULT_MACHINE_ID_PATH;
+  return path.isAbsolute(machineIdPath) ? machineIdPath : path.resolve((0, import_utils11.getCwd)(), machineIdPath);
 }
 function loadMachineIdSync() {
   if (!isDevPersistenceEnabled()) {
@@ -2834,7 +2679,7 @@ function loadMachineIdSync() {
   }
   const machineIdPath = resolveMachineIdPath();
   try {
-    const content = (0, import_utils12.readFileSync)(machineIdPath, "utf8").trim();
+    const content = (0, import_utils11.readFileSync)(machineIdPath, "utf8").trim();
     if (/^[0-9a-f-]{32,36}$/i.test(content)) {
       return content;
     }
@@ -2852,18 +2697,19 @@ function saveMachineIdAsync(machineId2) {
     return;
   }
   const machineIdPath = resolveMachineIdPath();
-  const dir = path2.dirname(machineIdPath);
+  const path = require("path");
+  const dir = path.dirname(machineIdPath);
   (async () => {
     try {
-      await (0, import_utils12.mkdir)(dir, { recursive: true, mode: 448 });
-      await (0, import_utils12.writeFile)(machineIdPath, machineId2, { mode: 384 });
+      await (0, import_utils11.mkdir)(dir, { recursive: true, mode: 448 });
+      await (0, import_utils11.writeFile)(machineIdPath, machineId2, { mode: 384 });
     } catch (error) {
       console.warn(`[MachineId] Failed to save to ${machineIdPath}: ${error.message}`);
     }
   })();
 }
 var machineId = (() => {
-  const envMachineId = process.env["MACHINE_ID"];
+  const envMachineId = (0, import_utils11.getEnv)("MACHINE_ID");
   if (envMachineId) {
     return envMachineId;
   }
@@ -2871,7 +2717,7 @@ var machineId = (() => {
   if (loadedId) {
     return loadedId;
   }
-  const newId = (0, import_utils12.randomUUID)();
+  const newId = (0, import_utils11.randomUUID)();
   saveMachineIdAsync(newId);
   return newId;
 })();
@@ -2887,10 +2733,9 @@ function setMachineIdOverride(id) {
 var cachedKey = null;
 function getKey() {
   if (cachedKey) return cachedKey;
-  const secret = process.env["MCP_SESSION_SECRET"];
-  const nodeEnv = process.env["NODE_ENV"];
+  const secret = (0, import_utils12.getEnv)("MCP_SESSION_SECRET");
   if (!secret) {
-    if (nodeEnv === "production") {
+    if ((0, import_utils12.isProduction)()) {
       throw new SessionSecretRequiredError("session ID encryption");
     }
     console.warn(
@@ -2898,12 +2743,12 @@ function getKey() {
     );
   }
   const base = secret || getMachineId();
-  cachedKey = (0, import_utils13.sha256)(new TextEncoder().encode(base));
+  cachedKey = (0, import_utils12.sha256)(new TextEncoder().encode(base));
   return cachedKey;
 }
 function encryptJson(obj) {
   const key = getKey();
-  const encrypted = (0, import_utils13.encryptValue)(obj, key);
+  const encrypted = (0, import_utils12.encryptValue)(obj, key);
   return `${encrypted.iv}.${encrypted.tag}.${encrypted.data}`;
 }
 function decryptSessionJson(sessionId) {
@@ -2912,7 +2757,7 @@ function decryptSessionJson(sessionId) {
   const [ivB64, tagB64, ctB64] = parts;
   if (!ivB64 || !tagB64 || !ctB64) return null;
   const key = getKey();
-  return (0, import_utils13.decryptValue)({ alg: "A256GCM", iv: ivB64, tag: tagB64, data: ctB64 }, key);
+  return (0, import_utils12.decryptValue)({ alg: "A256GCM", iv: ivB64, tag: tagB64, data: ctB64 }, key);
 }
 function safeDecrypt(sessionId) {
   try {
@@ -2926,11 +2771,11 @@ function resetCachedKey() {
 }
 
 // libs/auth/src/session/storage/index.ts
+var import_utils16 = require("@frontmcp/utils");
 var import_utils17 = require("@frontmcp/utils");
-var import_utils18 = require("@frontmcp/utils");
 
 // libs/auth/src/session/storage/storage-token-store.ts
-var import_utils14 = require("@frontmcp/utils");
+var import_utils13 = require("@frontmcp/utils");
 var StorageTokenStore = class {
   storage;
   namespace;
@@ -2942,13 +2787,13 @@ var StorageTokenStore = class {
     this.defaultTtlSeconds = options.defaultTtlSeconds;
     this.storageIsNamespaced = "namespace" in storage && typeof storage.namespace === "function";
     const namespacedStorage = this.storageIsNamespaced ? storage.namespace(this.namespace) : storage;
-    this.storage = new import_utils14.TypedStorage(namespacedStorage);
+    this.storage = new import_utils13.TypedStorage(namespacedStorage);
   }
   /**
    * Allocate a new unique ID for a token record.
    */
   allocId() {
-    return (0, import_utils14.randomUUID)();
+    return (0, import_utils13.randomUUID)();
   }
   /**
    * Store an encrypted token blob.
@@ -3011,7 +2856,7 @@ var StorageTokenStore = class {
 };
 
 // libs/auth/src/session/storage/storage-authorization-vault.ts
-var import_utils15 = require("@frontmcp/utils");
+var import_utils14 = require("@frontmcp/utils");
 var StorageAuthorizationVault = class {
   storage;
   namespace;
@@ -3020,7 +2865,7 @@ var StorageAuthorizationVault = class {
     this.namespace = options.namespace ?? "vault";
     this.pendingAuthTtlMs = options.pendingAuthTtlMs ?? 10 * 60 * 1e3;
     const namespacedStorage = this.isNamespacedStorage(storage) ? storage.namespace(this.namespace) : storage;
-    this.storage = new import_utils15.TypedStorage(namespacedStorage, {
+    this.storage = new import_utils14.TypedStorage(namespacedStorage, {
       schema: options.validateOnRead ? authorizationVaultEntrySchema : void 0,
       throwOnInvalid: false
     });
@@ -3031,7 +2876,7 @@ var StorageAuthorizationVault = class {
   async create(params) {
     const now = Date.now();
     const entry = {
-      id: (0, import_utils15.randomUUID)(),
+      id: (0, import_utils14.randomUUID)(),
       userSub: params.userSub,
       userEmail: params.userEmail,
       userName: params.userName,
@@ -3105,7 +2950,7 @@ var StorageAuthorizationVault = class {
     }
     const now = Date.now();
     const pendingAuth = {
-      id: (0, import_utils15.randomUUID)(),
+      id: (0, import_utils14.randomUUID)(),
       appId: params.appId,
       toolId: params.toolId,
       authUrl: params.authUrl,
@@ -3309,11 +3154,11 @@ var StorageAuthorizationVault = class {
 };
 
 // libs/auth/src/session/storage/in-memory-authorization-vault.ts
-var import_utils16 = require("@frontmcp/utils");
+var import_utils15 = require("@frontmcp/utils");
 var InMemoryAuthorizationVault = class extends StorageAuthorizationVault {
   memoryAdapter;
   constructor(options = {}) {
-    const memoryAdapter = new import_utils16.MemoryStorageAdapter();
+    const memoryAdapter = new import_utils15.MemoryStorageAdapter();
     super(memoryAdapter, {
       namespace: options.namespace ?? "vault",
       pendingAuthTtlMs: options.pendingAuthTtlMs
@@ -3334,7 +3179,7 @@ var InMemoryAuthorizationVault = class extends StorageAuthorizationVault {
 };
 
 // libs/auth/src/session/redis-session.store.ts
-var import_utils19 = require("@frontmcp/utils");
+var import_utils18 = require("@frontmcp/utils");
 var RedisSessionStore = class {
   storage;
   keyPrefix;
@@ -3356,14 +3201,14 @@ var RedisSessionStore = class {
       });
     }
     if ("redis" in config && config.redis) {
-      this.storage = new import_utils19.RedisStorageAdapter({
+      this.storage = new import_utils18.RedisStorageAdapter({
         client: config.redis,
         keyPrefix: this.keyPrefix
       });
       this.externalInstance = true;
     } else {
       const redisConfig = config;
-      this.storage = new import_utils19.RedisStorageAdapter({
+      this.storage = new import_utils18.RedisStorageAdapter({
         config: {
           host: redisConfig.host,
           port: redisConfig.port ?? 6379,
@@ -3545,7 +3390,7 @@ var RedisSessionStore = class {
    * Allocate a new session ID
    */
   allocId() {
-    return (0, import_utils19.randomUUID)();
+    return (0, import_utils18.randomUUID)();
   }
   /**
    * Disconnect from Redis (only if we created the connection)
@@ -3581,7 +3426,7 @@ var RedisSessionStore = class {
 };
 
 // libs/auth/src/session/vercel-kv-session.store.ts
-var import_utils20 = require("@frontmcp/utils");
+var import_utils19 = require("@frontmcp/utils");
 var VercelKvSessionStore = class {
   storage;
   keyPrefix;
@@ -3601,7 +3446,7 @@ var VercelKvSessionStore = class {
         maxRequests: this.security.rateLimiting?.maxRequests
       });
     }
-    this.storage = new import_utils20.VercelKvStorageAdapter({
+    this.storage = new import_utils19.VercelKvStorageAdapter({
       url: config.url,
       token: config.token,
       keyPrefix: this.keyPrefix
@@ -3775,7 +3620,7 @@ var VercelKvSessionStore = class {
    * Allocate a new session ID
    */
   allocId() {
-    return (0, import_utils20.randomUUID)();
+    return (0, import_utils19.randomUUID)();
   }
   /**
    * Disconnect from Vercel KV
@@ -3804,7 +3649,7 @@ var VercelKvSessionStore = class {
 };
 
 // libs/auth/src/session/orchestrated-token.store.ts
-var import_utils21 = require("@frontmcp/utils");
+var import_utils20 = require("@frontmcp/utils");
 var InMemoryOrchestratedTokenStore = class {
   /** Token storage: Map<compositeKey, ProviderTokenRecord> */
   tokens = /* @__PURE__ */ new Map();
@@ -3846,7 +3691,7 @@ var InMemoryOrchestratedTokenStore = class {
     }
     const info = new TextEncoder().encode(`orchestrated-token:${compositeKey}`);
     const salt = new TextEncoder().encode("frontmcp-token-store");
-    const derivedKey = (0, import_utils21.hkdfSha256)(this.encryptionKey, salt, info, 32);
+    const derivedKey = (0, import_utils20.hkdfSha256)(this.encryptionKey, salt, info, 32);
     this.derivedKeys.set(compositeKey, derivedKey);
     return derivedKey;
   }
@@ -3856,8 +3701,8 @@ var InMemoryOrchestratedTokenStore = class {
   async encryptRecord(compositeKey, record) {
     const key = await this.deriveKeyForRecord(compositeKey);
     const plaintext = JSON.stringify(record);
-    const iv = (0, import_utils21.randomBytes)(12);
-    const { ciphertext, tag } = (0, import_utils21.encryptAesGcm)(key, new TextEncoder().encode(plaintext), iv);
+    const iv = (0, import_utils20.randomBytes)(12);
+    const { ciphertext, tag } = (0, import_utils20.encryptAesGcm)(key, new TextEncoder().encode(plaintext), iv);
     return JSON.stringify({
       iv: Buffer.from(iv).toString("base64url"),
       tag: Buffer.from(tag).toString("base64url"),
@@ -3873,7 +3718,7 @@ var InMemoryOrchestratedTokenStore = class {
     const ivBytes = Buffer.from(iv, "base64url");
     const tagBytes = Buffer.from(tag, "base64url");
     const ciphertextBytes = Buffer.from(data, "base64url");
-    const plaintext = (0, import_utils21.decryptAesGcm)(key, ciphertextBytes, ivBytes, tagBytes);
+    const plaintext = (0, import_utils20.decryptAesGcm)(key, ciphertextBytes, ivBytes, tagBytes);
     return JSON.parse(new TextDecoder().decode(plaintext));
   }
   /**
@@ -4075,7 +3920,7 @@ var InMemoryOrchestratedTokenStore = class {
 };
 
 // libs/auth/src/session/federated-auth.session.ts
-var import_utils22 = require("@frontmcp/utils");
+var import_utils21 = require("@frontmcp/utils");
 function toSessionRecord(session) {
   return {
     ...session,
@@ -4150,7 +3995,7 @@ var InMemoryFederatedAuthSessionStore = class {
   createSession(params) {
     const now = Date.now();
     return {
-      id: (0, import_utils22.randomUUID)(),
+      id: (0, import_utils21.randomUUID)(),
       pendingAuthId: params.pendingAuthId,
       clientId: params.clientId,
       redirectUri: params.redirectUri,
@@ -4182,7 +4027,7 @@ var InMemoryFederatedAuthSessionStore = class {
 function createFederatedAuthSession(params, ttlMs = 15 * 60 * 1e3) {
   const now = Date.now();
   return {
-    id: (0, import_utils22.randomUUID)(),
+    id: (0, import_utils21.randomUUID)(),
     pendingAuthId: params.pendingAuthId,
     clientId: params.clientId,
     redirectUri: params.redirectUri,
@@ -4239,34 +4084,34 @@ function startNextProvider(session, pkce, state) {
 }
 
 // libs/auth/src/session/encrypted-authorization-vault.ts
-var import_zod6 = require("zod");
+var import_zod5 = require("zod");
+var import_utils22 = require("@frontmcp/utils");
 var import_utils23 = require("@frontmcp/utils");
-var import_node_async_hooks = require("node:async_hooks");
-var redisVaultEntrySchema = import_zod6.z.object({
+var redisVaultEntrySchema = import_zod5.z.object({
   /** Vault ID */
-  id: import_zod6.z.string(),
+  id: import_zod5.z.string(),
   /** User sub (for lookup) */
-  userSub: import_zod6.z.string(),
+  userSub: import_zod5.z.string(),
   /** User email (optional, for display) */
-  userEmail: import_zod6.z.string().optional(),
+  userEmail: import_zod5.z.string().optional(),
   /** User name (optional, for display) */
-  userName: import_zod6.z.string().optional(),
+  userName: import_zod5.z.string().optional(),
   /** Client ID */
-  clientId: import_zod6.z.string(),
+  clientId: import_zod5.z.string(),
   /** Creation timestamp */
-  createdAt: import_zod6.z.number(),
+  createdAt: import_zod5.z.number(),
   /** Last access timestamp */
-  lastAccessAt: import_zod6.z.number(),
+  lastAccessAt: import_zod5.z.number(),
   /** Authorized app IDs (unencrypted for quick auth checks) */
-  authorizedAppIds: import_zod6.z.array(import_zod6.z.string()),
+  authorizedAppIds: import_zod5.z.array(import_zod5.z.string()),
   /** Skipped app IDs (unencrypted for quick checks) */
-  skippedAppIds: import_zod6.z.array(import_zod6.z.string()),
+  skippedAppIds: import_zod5.z.array(import_zod5.z.string()),
   /** Pending auth request IDs (unencrypted for lookup) */
-  pendingAuthIds: import_zod6.z.array(import_zod6.z.string()),
+  pendingAuthIds: import_zod5.z.array(import_zod5.z.string()),
   /** Encrypted sensitive data blob */
   encrypted: encryptedDataSchema
 });
-var encryptionContextStorage = new import_node_async_hooks.AsyncLocalStorage();
+var encryptionContextStorage = new import_utils23.AsyncLocalStorage();
 var EncryptedRedisVault = class {
   constructor(redis, encryption, namespace = "vault:") {
     this.redis = redis;
@@ -4399,7 +4244,7 @@ var EncryptedRedisVault = class {
   async create(params) {
     const now = Date.now();
     const entry = {
-      id: (0, import_utils23.randomUUID)(),
+      id: (0, import_utils22.randomUUID)(),
       userSub: params.userSub,
       userEmail: params.userEmail,
       userName: params.userName,
@@ -4458,7 +4303,7 @@ var EncryptedRedisVault = class {
     }
     const now = Date.now();
     const pendingAuth = {
-      id: (0, import_utils23.randomUUID)(),
+      id: (0, import_utils22.randomUUID)(),
       appId: params.appId,
       toolId: params.toolId,
       authUrl: params.authUrl,
@@ -4667,37 +4512,37 @@ function tryJwtExp(token) {
 }
 
 // libs/auth/src/authorization/authorization.types.ts
-var import_zod7 = require("zod");
-var authModeSchema = import_zod7.z.enum(["public", "transparent", "orchestrated"]);
-var authUserSchema = import_zod7.z.object({
-  sub: import_zod7.z.string(),
-  name: import_zod7.z.string().optional(),
-  email: import_zod7.z.string().email().optional(),
-  picture: import_zod7.z.string().url().optional(),
-  anonymous: import_zod7.z.boolean().optional()
+var import_zod6 = require("zod");
+var authModeSchema = import_zod6.z.enum(["public", "transparent", "orchestrated"]);
+var authUserSchema = import_zod6.z.object({
+  sub: import_zod6.z.string(),
+  name: import_zod6.z.string().optional(),
+  email: import_zod6.z.string().email().optional(),
+  picture: import_zod6.z.string().url().optional(),
+  anonymous: import_zod6.z.boolean().optional()
 });
-var authorizedToolSchema = import_zod7.z.object({
-  executionPath: import_zod7.z.tuple([import_zod7.z.string(), import_zod7.z.string()]),
-  scopes: import_zod7.z.array(import_zod7.z.string()).optional(),
-  details: import_zod7.z.record(import_zod7.z.string(), import_zod7.z.unknown()).optional()
+var authorizedToolSchema = import_zod6.z.object({
+  executionPath: import_zod6.z.tuple([import_zod6.z.string(), import_zod6.z.string()]),
+  scopes: import_zod6.z.array(import_zod6.z.string()).optional(),
+  details: import_zod6.z.record(import_zod6.z.string(), import_zod6.z.unknown()).optional()
 });
-var authorizedPromptSchema = import_zod7.z.object({
-  executionPath: import_zod7.z.tuple([import_zod7.z.string(), import_zod7.z.string()]),
-  scopes: import_zod7.z.array(import_zod7.z.string()).optional(),
-  details: import_zod7.z.record(import_zod7.z.string(), import_zod7.z.unknown()).optional()
+var authorizedPromptSchema = import_zod6.z.object({
+  executionPath: import_zod6.z.tuple([import_zod6.z.string(), import_zod6.z.string()]),
+  scopes: import_zod6.z.array(import_zod6.z.string()).optional(),
+  details: import_zod6.z.record(import_zod6.z.string(), import_zod6.z.unknown()).optional()
 });
-var llmSafeAuthContextSchema = import_zod7.z.object({
-  authorizationId: import_zod7.z.string(),
-  sessionId: import_zod7.z.string(),
+var llmSafeAuthContextSchema = import_zod6.z.object({
+  authorizationId: import_zod6.z.string(),
+  sessionId: import_zod6.z.string(),
   mode: authModeSchema,
-  isAnonymous: import_zod7.z.boolean(),
-  user: import_zod7.z.object({
-    sub: import_zod7.z.string(),
-    name: import_zod7.z.string().optional()
+  isAnonymous: import_zod6.z.boolean(),
+  user: import_zod6.z.object({
+    sub: import_zod6.z.string(),
+    name: import_zod6.z.string().optional()
   }),
-  scopes: import_zod7.z.array(import_zod7.z.string()),
-  authorizedToolIds: import_zod7.z.array(import_zod7.z.string()),
-  authorizedPromptIds: import_zod7.z.array(import_zod7.z.string())
+  scopes: import_zod6.z.array(import_zod6.z.string()),
+  authorizedToolIds: import_zod6.z.array(import_zod6.z.string()),
+  authorizedPromptIds: import_zod6.z.array(import_zod6.z.string())
 });
 var AppAuthState = /* @__PURE__ */ ((AppAuthState2) => {
   AppAuthState2["AUTHORIZED"] = "authorized";
@@ -4705,19 +4550,19 @@ var AppAuthState = /* @__PURE__ */ ((AppAuthState2) => {
   AppAuthState2["PENDING"] = "pending";
   return AppAuthState2;
 })(AppAuthState || {});
-var appAuthStateSchema = import_zod7.z.nativeEnum(AppAuthState);
-var appAuthorizationRecordSchema = import_zod7.z.object({
-  appId: import_zod7.z.string(),
+var appAuthStateSchema = import_zod6.z.nativeEnum(AppAuthState);
+var appAuthorizationRecordSchema = import_zod6.z.object({
+  appId: import_zod6.z.string(),
   state: appAuthStateSchema,
-  stateChangedAt: import_zod7.z.number(),
-  grantedScopes: import_zod7.z.array(import_zod7.z.string()).optional(),
-  authProviderId: import_zod7.z.string().optional(),
-  toolIds: import_zod7.z.array(import_zod7.z.string())
+  stateChangedAt: import_zod6.z.number(),
+  grantedScopes: import_zod6.z.array(import_zod6.z.string()).optional(),
+  authProviderId: import_zod6.z.string().optional(),
+  toolIds: import_zod6.z.array(import_zod6.z.string())
 });
-var progressiveAuthStateSchema = import_zod7.z.object({
-  apps: import_zod7.z.record(import_zod7.z.string(), appAuthorizationRecordSchema),
-  initiallyAuthorized: import_zod7.z.array(import_zod7.z.string()),
-  initiallySkipped: import_zod7.z.array(import_zod7.z.string())
+var progressiveAuthStateSchema = import_zod6.z.object({
+  apps: import_zod6.z.record(import_zod6.z.string(), appAuthorizationRecordSchema),
+  initiallyAuthorized: import_zod6.z.array(import_zod6.z.string()),
+  initiallySkipped: import_zod6.z.array(import_zod6.z.string())
 });
 
 // libs/auth/src/authorization/authorization.class.ts
@@ -5576,42 +5421,42 @@ var OrchestratedAuthAccessorAdapter = class {
 };
 
 // libs/auth/src/common/jwt.types.ts
-var import_zod8 = require("zod");
-var jwkParametersSchema = import_zod8.z.object({
-  kty: import_zod8.z.string().optional(),
-  alg: import_zod8.z.string().optional(),
-  key_ops: import_zod8.z.array(import_zod8.z.string()).optional(),
-  ext: import_zod8.z.boolean().optional(),
-  use: import_zod8.z.string().optional(),
-  x5c: import_zod8.z.array(import_zod8.z.string()).optional(),
-  x5t: import_zod8.z.string().optional(),
-  "x5t#S256": import_zod8.z.string().optional(),
-  x5u: import_zod8.z.string().optional(),
-  kid: import_zod8.z.string().optional()
+var import_zod7 = require("zod");
+var jwkParametersSchema = import_zod7.z.object({
+  kty: import_zod7.z.string().optional(),
+  alg: import_zod7.z.string().optional(),
+  key_ops: import_zod7.z.array(import_zod7.z.string()).optional(),
+  ext: import_zod7.z.boolean().optional(),
+  use: import_zod7.z.string().optional(),
+  x5c: import_zod7.z.array(import_zod7.z.string()).optional(),
+  x5t: import_zod7.z.string().optional(),
+  "x5t#S256": import_zod7.z.string().optional(),
+  x5u: import_zod7.z.string().optional(),
+  kid: import_zod7.z.string().optional()
 });
 var jwkSchema = jwkParametersSchema.extend({
-  crv: import_zod8.z.string().optional(),
-  d: import_zod8.z.string().optional(),
-  dp: import_zod8.z.string().optional(),
-  dq: import_zod8.z.string().optional(),
-  e: import_zod8.z.string().optional(),
-  k: import_zod8.z.string().optional(),
-  n: import_zod8.z.string().optional(),
-  p: import_zod8.z.string().optional(),
-  q: import_zod8.z.string().optional(),
-  qi: import_zod8.z.string().optional(),
-  x: import_zod8.z.string().optional(),
-  y: import_zod8.z.string().optional(),
-  pub: import_zod8.z.string().optional(),
-  priv: import_zod8.z.string().optional()
+  crv: import_zod7.z.string().optional(),
+  d: import_zod7.z.string().optional(),
+  dp: import_zod7.z.string().optional(),
+  dq: import_zod7.z.string().optional(),
+  e: import_zod7.z.string().optional(),
+  k: import_zod7.z.string().optional(),
+  n: import_zod7.z.string().optional(),
+  p: import_zod7.z.string().optional(),
+  q: import_zod7.z.string().optional(),
+  qi: import_zod7.z.string().optional(),
+  x: import_zod7.z.string().optional(),
+  y: import_zod7.z.string().optional(),
+  pub: import_zod7.z.string().optional(),
+  priv: import_zod7.z.string().optional()
 });
-var jsonWebKeySetSchema = import_zod8.z.object({
-  keys: import_zod8.z.array(jwkSchema)
+var jsonWebKeySetSchema = import_zod7.z.object({
+  keys: import_zod7.z.array(jwkSchema)
 });
 
 // libs/auth/src/common/session.types.ts
-var import_zod9 = require("zod");
-var aiPlatformTypeSchema = import_zod9.z.enum([
+var import_zod8 = require("zod");
+var aiPlatformTypeSchema = import_zod8.z.enum([
   "openai",
   "claude",
   "gemini",
@@ -5622,45 +5467,45 @@ var aiPlatformTypeSchema = import_zod9.z.enum([
   "ext-apps",
   "unknown"
 ]);
-var userClaimSchema = import_zod9.z.object({
-  iss: import_zod9.z.string(),
-  sid: import_zod9.z.string().optional(),
-  sub: import_zod9.z.string(),
-  exp: import_zod9.z.number().optional(),
-  iat: import_zod9.z.number().optional(),
-  aud: import_zod9.z.union([import_zod9.z.string(), import_zod9.z.array(import_zod9.z.string())]).optional(),
-  email: import_zod9.z.string().optional(),
-  username: import_zod9.z.string().optional(),
-  preferred_username: import_zod9.z.string().optional(),
-  name: import_zod9.z.string().optional(),
-  picture: import_zod9.z.string().optional()
+var userClaimSchema = import_zod8.z.object({
+  iss: import_zod8.z.string(),
+  sid: import_zod8.z.string().optional(),
+  sub: import_zod8.z.string(),
+  exp: import_zod8.z.number().optional(),
+  iat: import_zod8.z.number().optional(),
+  aud: import_zod8.z.union([import_zod8.z.string(), import_zod8.z.array(import_zod8.z.string())]).optional(),
+  email: import_zod8.z.string().optional(),
+  username: import_zod8.z.string().optional(),
+  preferred_username: import_zod8.z.string().optional(),
+  name: import_zod8.z.string().optional(),
+  picture: import_zod8.z.string().optional()
 }).passthrough();
-var sessionIdPayloadSchema = import_zod9.z.object({
-  nodeId: import_zod9.z.string(),
-  authSig: import_zod9.z.string(),
-  uuid: import_zod9.z.string().uuid(),
-  iat: import_zod9.z.number(),
-  protocol: import_zod9.z.enum(["legacy-sse", "sse", "streamable-http", "stateful-http", "stateless-http"]).optional(),
-  isPublic: import_zod9.z.boolean().optional(),
+var sessionIdPayloadSchema = import_zod8.z.object({
+  nodeId: import_zod8.z.string(),
+  authSig: import_zod8.z.string(),
+  uuid: import_zod8.z.string().uuid(),
+  iat: import_zod8.z.number(),
+  protocol: import_zod8.z.enum(["legacy-sse", "sse", "streamable-http", "stateful-http", "stateless-http"]).optional(),
+  isPublic: import_zod8.z.boolean().optional(),
   platformType: aiPlatformTypeSchema.optional(),
-  clientName: import_zod9.z.string().optional(),
-  clientVersion: import_zod9.z.string().optional(),
-  supportsElicitation: import_zod9.z.boolean().optional(),
-  skillsOnlyMode: import_zod9.z.boolean().optional()
+  clientName: import_zod8.z.string().optional(),
+  clientVersion: import_zod8.z.string().optional(),
+  supportsElicitation: import_zod8.z.boolean().optional(),
+  skillsOnlyMode: import_zod8.z.boolean().optional()
 });
-var sessionIdSchema = import_zod9.z.object({
-  id: import_zod9.z.string(),
+var sessionIdSchema = import_zod8.z.object({
+  id: import_zod8.z.string(),
   /** Payload is optional - may be undefined when session validation failed but ID is passed for transport lookup */
   payload: sessionIdPayloadSchema.optional()
 });
-var authorizationSchema = import_zod9.z.object({
-  token: import_zod9.z.string(),
+var authorizationSchema = import_zod8.z.object({
+  token: import_zod8.z.string(),
   session: sessionIdSchema.optional(),
   user: userClaimSchema
 });
 
 // libs/auth/src/options/shared.schemas.ts
-var import_zod11 = require("zod");
+var import_zod10 = require("zod");
 
 // libs/auth/src/cimd/cimd.logger.ts
 var noopLogger = {
@@ -5676,169 +5521,169 @@ var noopLogger = {
 };
 
 // libs/auth/src/cimd/cimd.types.ts
-var import_zod10 = require("zod");
-var clientMetadataDocumentSchema = import_zod10.z.object({
+var import_zod9 = require("zod");
+var clientMetadataDocumentSchema = import_zod9.z.object({
   // REQUIRED per CIMD spec
   /**
    * Client identifier - MUST match the URL from which this document was fetched.
    */
-  client_id: import_zod10.z.string().url(),
+  client_id: import_zod9.z.string().url(),
   /**
    * Human-readable name of the client.
    */
-  client_name: import_zod10.z.string().min(1),
+  client_name: import_zod9.z.string().min(1),
   /**
    * Array of redirect URIs for authorization responses.
    * At least one is required.
    */
-  redirect_uris: import_zod10.z.array(import_zod10.z.string().url()).min(1),
+  redirect_uris: import_zod9.z.array(import_zod9.z.string().url()).min(1),
   // OPTIONAL per RFC 7591
   /**
    * Token endpoint authentication method.
    * @default 'none'
    */
-  token_endpoint_auth_method: import_zod10.z.enum(["none", "client_secret_basic", "client_secret_post", "private_key_jwt"]).default("none"),
+  token_endpoint_auth_method: import_zod9.z.enum(["none", "client_secret_basic", "client_secret_post", "private_key_jwt"]).default("none"),
   /**
    * OAuth grant types the client can use.
    * @default ['authorization_code']
    */
-  grant_types: import_zod10.z.array(import_zod10.z.string()).default(["authorization_code"]),
+  grant_types: import_zod9.z.array(import_zod9.z.string()).default(["authorization_code"]),
   /**
    * OAuth response types the client can request.
    * @default ['code']
    */
-  response_types: import_zod10.z.array(import_zod10.z.string()).default(["code"]),
+  response_types: import_zod9.z.array(import_zod9.z.string()).default(["code"]),
   /**
    * URL of the client's home page.
    */
-  client_uri: import_zod10.z.string().url().optional(),
+  client_uri: import_zod9.z.string().url().optional(),
   /**
    * URL of the client's logo image.
    */
-  logo_uri: import_zod10.z.string().url().optional(),
+  logo_uri: import_zod9.z.string().url().optional(),
   /**
    * URL of the client's JWKS (for private_key_jwt).
    */
-  jwks_uri: import_zod10.z.string().url().optional(),
+  jwks_uri: import_zod9.z.string().url().optional(),
   /**
    * Inline JWKS (for private_key_jwt).
    */
-  jwks: import_zod10.z.object({
-    keys: import_zod10.z.array(import_zod10.z.record(import_zod10.z.string(), import_zod10.z.unknown()))
+  jwks: import_zod9.z.object({
+    keys: import_zod9.z.array(import_zod9.z.record(import_zod9.z.string(), import_zod9.z.unknown()))
   }).optional(),
   /**
    * URL of the client's terms of service.
    */
-  tos_uri: import_zod10.z.string().url().optional(),
+  tos_uri: import_zod9.z.string().url().optional(),
   /**
    * URL of the client's privacy policy.
    */
-  policy_uri: import_zod10.z.string().url().optional(),
+  policy_uri: import_zod9.z.string().url().optional(),
   /**
    * Requested OAuth scopes.
    */
-  scope: import_zod10.z.string().optional(),
+  scope: import_zod9.z.string().optional(),
   /**
    * Array of contact emails for the client.
    */
-  contacts: import_zod10.z.array(import_zod10.z.string().email()).optional(),
+  contacts: import_zod9.z.array(import_zod9.z.string().email()).optional(),
   /**
    * Software statement (signed JWT).
    */
-  software_statement: import_zod10.z.string().optional(),
+  software_statement: import_zod9.z.string().optional(),
   /**
    * Unique identifier for the client software.
    */
-  software_id: import_zod10.z.string().optional(),
+  software_id: import_zod9.z.string().optional(),
   /**
    * Version of the client software.
    */
-  software_version: import_zod10.z.string().optional()
+  software_version: import_zod9.z.string().optional()
 });
-var cimdRedisCacheConfigSchema = import_zod10.z.object({
+var cimdRedisCacheConfigSchema = import_zod9.z.object({
   /**
    * Redis connection URL.
    * e.g., "redis://user:pass@host:6379/0"
    */
-  url: import_zod10.z.string().optional(),
+  url: import_zod9.z.string().optional(),
   /**
    * Redis host.
    */
-  host: import_zod10.z.string().optional(),
+  host: import_zod9.z.string().optional(),
   /**
    * Redis port.
    * @default 6379
    */
-  port: import_zod10.z.number().optional(),
+  port: import_zod9.z.number().optional(),
   /**
    * Redis password.
    */
-  password: import_zod10.z.string().optional(),
+  password: import_zod9.z.string().optional(),
   /**
    * Redis database number.
    * @default 0
    */
-  db: import_zod10.z.number().optional(),
+  db: import_zod9.z.number().optional(),
   /**
    * Enable TLS for Redis connection.
    * @default false
    */
-  tls: import_zod10.z.boolean().optional(),
+  tls: import_zod9.z.boolean().optional(),
   /**
    * Key prefix for CIMD cache entries.
    * @default 'cimd:'
    */
-  keyPrefix: import_zod10.z.string().default("cimd:")
+  keyPrefix: import_zod9.z.string().default("cimd:")
 });
-var cimdCacheConfigSchema = import_zod10.z.object({
+var cimdCacheConfigSchema = import_zod9.z.object({
   /**
    * Cache storage type.
    * - 'memory': In-memory cache (default, suitable for dev/single-instance)
    * - 'redis': Redis-backed cache (for production/distributed deployments)
    * @default 'memory'
    */
-  type: import_zod10.z.enum(["memory", "redis"]).default("memory"),
+  type: import_zod9.z.enum(["memory", "redis"]).default("memory"),
   /**
    * Default TTL for cached metadata documents.
    * @default 3600000 (1 hour)
    */
-  defaultTtlMs: import_zod10.z.number().min(0).default(36e5),
+  defaultTtlMs: import_zod9.z.number().min(0).default(36e5),
   /**
    * Maximum TTL (even if server suggests longer).
    * @default 86400000 (24 hours)
    */
-  maxTtlMs: import_zod10.z.number().min(0).default(864e5),
+  maxTtlMs: import_zod9.z.number().min(0).default(864e5),
   /**
    * Minimum TTL (even if server suggests shorter).
    * @default 60000 (1 minute)
    */
-  minTtlMs: import_zod10.z.number().min(0).default(6e4),
+  minTtlMs: import_zod9.z.number().min(0).default(6e4),
   /**
    * Redis configuration (required when type is 'redis').
    */
   redis: cimdRedisCacheConfigSchema.optional()
 });
-var cimdSecurityConfigSchema = import_zod10.z.object({
+var cimdSecurityConfigSchema = import_zod9.z.object({
   /**
    * Block fetching from private/internal IP addresses (SSRF protection).
    * @default true
    */
-  blockPrivateIPs: import_zod10.z.boolean().default(true),
+  blockPrivateIPs: import_zod9.z.boolean().default(true),
   /**
    * Explicit list of allowed domains.
    * If set, only these domains can host CIMD documents.
    */
-  allowedDomains: import_zod10.z.array(import_zod10.z.string()).optional(),
+  allowedDomains: import_zod9.z.array(import_zod9.z.string()).optional(),
   /**
    * Explicit list of blocked domains.
    * These domains cannot host CIMD documents.
    */
-  blockedDomains: import_zod10.z.array(import_zod10.z.string()).optional(),
+  blockedDomains: import_zod9.z.array(import_zod9.z.string()).optional(),
   /**
    * Warn when a client has only localhost redirect URIs.
    * @default true
    */
-  warnOnLocalhostRedirects: import_zod10.z.boolean().default(true),
+  warnOnLocalhostRedirects: import_zod9.z.boolean().default(true),
   /**
    * Allow HTTP (instead of HTTPS) for localhost CIMD URLs.
    *
@@ -5849,19 +5694,19 @@ var cimdSecurityConfigSchema = import_zod10.z.object({
    *
    * @default false
    */
-  allowInsecureForTesting: import_zod10.z.boolean().default(false)
+  allowInsecureForTesting: import_zod9.z.boolean().default(false)
 });
-var cimdNetworkConfigSchema = import_zod10.z.object({
+var cimdNetworkConfigSchema = import_zod9.z.object({
   /**
    * Request timeout in milliseconds.
    * @default 5000 (5 seconds)
    */
-  timeoutMs: import_zod10.z.number().min(100).default(5e3),
+  timeoutMs: import_zod9.z.number().min(100).default(5e3),
   /**
    * Maximum response body size in bytes.
    * @default 65536 (64KB)
    */
-  maxResponseSizeBytes: import_zod10.z.number().min(1024).default(65536),
+  maxResponseSizeBytes: import_zod9.z.number().min(1024).default(65536),
   /**
    * Redirect handling policy for CIMD fetches.
    * - 'deny': reject redirects (default, safest)
@@ -5869,19 +5714,19 @@ var cimdNetworkConfigSchema = import_zod10.z.object({
    * - 'allow': allow redirects to any origin
    * @default 'deny'
    */
-  redirectPolicy: import_zod10.z.enum(["deny", "same-origin", "allow"]).default("deny"),
+  redirectPolicy: import_zod9.z.enum(["deny", "same-origin", "allow"]).default("deny"),
   /**
    * Maximum number of redirects to follow when redirects are allowed.
    * @default 5
    */
-  maxRedirects: import_zod10.z.number().int().min(0).default(5)
+  maxRedirects: import_zod9.z.number().int().min(0).default(5)
 });
-var cimdConfigSchema = import_zod10.z.object({
+var cimdConfigSchema = import_zod9.z.object({
   /**
    * Enable CIMD support.
    * @default true
    */
-  enabled: import_zod10.z.boolean().default(true),
+  enabled: import_zod9.z.boolean().default(true),
   /**
    * Cache configuration.
    */
@@ -6244,7 +6089,7 @@ var CimdService = class {
     this.cacheConfig = cimdCacheConfigSchema.parse(this.config.cache ?? {});
     this.securityConfig = cimdSecurityConfigSchema.parse(this.config.security ?? {});
     this.networkConfig = cimdNetworkConfigSchema.parse(this.config.network ?? {});
-    this.cache = new CimdCache(this.cacheConfig);
+    this.cache = new InMemoryCimdCache(this.cacheConfig);
     this.logger.debug("CimdService initialized", {
       enabled: this.config.enabled,
       cacheDefaultTtlMs: this.cacheConfig.defaultTtlMs,
@@ -6512,8 +6357,8 @@ var CimdService = class {
     const result = clientMetadataDocumentSchema.safeParse(document);
     if (!result.success) {
       const errors = result.error.issues.map((issue) => {
-        const path3 = issue.path.length > 0 ? `${issue.path.join(".")}: ` : "";
-        return `${path3}${issue.message}`;
+        const path = issue.path.length > 0 ? `${issue.path.join(".")}: ` : "";
+        return `${path}${issue.message}`;
       });
       throw new CimdValidationError(clientId, errors);
     }
@@ -6535,55 +6380,84 @@ function normalizeRedirectUri(uri) {
 }
 
 // libs/auth/src/options/shared.schemas.ts
-var publicAccessConfigSchema = import_zod11.z.object({
+var publicAccessConfigSchema = import_zod10.z.object({
   /**
    * Allow all tools or explicit whitelist
    * @default 'all'
    */
-  tools: import_zod11.z.union([import_zod11.z.literal("all"), import_zod11.z.array(import_zod11.z.string())]).default("all"),
+  tools: import_zod10.z.union([import_zod10.z.literal("all"), import_zod10.z.array(import_zod10.z.string())]).default("all"),
   /**
    * Allow all prompts or explicit whitelist
    * @default 'all'
    */
-  prompts: import_zod11.z.union([import_zod11.z.literal("all"), import_zod11.z.array(import_zod11.z.string())]).default("all"),
+  prompts: import_zod10.z.union([import_zod10.z.literal("all"), import_zod10.z.array(import_zod10.z.string())]).default("all"),
   /**
    * Rate limit per IP per minute
    * @default 60
    */
-  rateLimit: import_zod11.z.number().default(60)
+  rateLimit: import_zod10.z.number().default(60)
 });
-var localSigningConfigSchema = import_zod11.z.object({
+var localSigningConfigSchema = import_zod10.z.object({
   /**
-   * Private key for signing orchestrated tokens
+   * Private key for signing tokens
    * @default auto-generated
    */
-  signKey: jwkSchema.or(import_zod11.z.instanceof(Uint8Array)).optional(),
+  signKey: jwkSchema.or(import_zod10.z.instanceof(Uint8Array)).optional(),
   /**
    * JWKS for token verification
    * @default auto-generated
    */
   jwks: jsonWebKeySetSchema.optional(),
   /**
-   * Issuer identifier for orchestrated tokens
+   * Issuer identifier for tokens
    * @default auto-derived from server URL
    */
-  issuer: import_zod11.z.string().optional()
+  issuer: import_zod10.z.string().optional()
 });
-var remoteProviderConfigSchema = import_zod11.z.object({
+var providerConfigSchema = import_zod10.z.object({
+  /** Provider display name */
+  name: import_zod10.z.string().optional(),
+  /**
+   * Unique identifier for this provider
+   * @default derived from provider URL
+   */
+  id: import_zod10.z.string().optional(),
+  /**
+   * Inline JWKS for offline token verification
+   * Falls back to fetching from provider's /.well-known/jwks.json
+   */
+  jwks: jsonWebKeySetSchema.optional(),
+  /** Custom JWKS URI if not at standard path */
+  jwksUri: import_zod10.z.string().url().optional(),
+  /**
+   * Enable Dynamic Client Registration (DCR)
+   * @default false
+   */
+  dcrEnabled: import_zod10.z.boolean().default(false),
+  /** Authorization endpoint override */
+  authEndpoint: import_zod10.z.string().url().optional(),
+  /** Token endpoint override */
+  tokenEndpoint: import_zod10.z.string().url().optional(),
+  /** Registration endpoint override (for DCR) */
+  registrationEndpoint: import_zod10.z.string().url().optional(),
+  /** User info endpoint override */
+  userInfoEndpoint: import_zod10.z.string().url().optional()
+});
+var remoteProviderConfigSchema = import_zod10.z.object({
   /**
    * OAuth provider base URL
    * @example 'https://auth.example.com'
    */
-  provider: import_zod11.z.string().url(),
+  provider: import_zod10.z.string().url(),
   /**
    * Provider display name
    */
-  name: import_zod11.z.string().optional(),
+  name: import_zod10.z.string().optional(),
   /**
    * Unique identifier for this provider
    * @default derived from provider URL
    */
-  id: import_zod11.z.string().optional(),
+  id: import_zod10.z.string().optional(),
   /**
    * Inline JWKS for offline token verification
    * Falls back to fetching from provider's /.well-known/jwks.json
@@ -6592,121 +6466,133 @@ var remoteProviderConfigSchema = import_zod11.z.object({
   /**
    * Custom JWKS URI if not at standard path
    */
-  jwksUri: import_zod11.z.string().url().optional(),
+  jwksUri: import_zod10.z.string().url().optional(),
   /**
-   * Client ID for this MCP server (for orchestrated mode)
+   * Client ID for this MCP server
    */
-  clientId: import_zod11.z.string().optional(),
+  clientId: import_zod10.z.string().optional(),
   /**
-   * Client secret (for confidential clients in orchestrated mode)
+   * Client secret (for confidential clients)
    */
-  clientSecret: import_zod11.z.string().optional(),
+  clientSecret: import_zod10.z.string().optional(),
   /**
    * Scopes to request from the upstream provider
    */
-  scopes: import_zod11.z.array(import_zod11.z.string()).optional(),
+  scopes: import_zod10.z.array(import_zod10.z.string()).optional(),
   /**
    * Enable Dynamic Client Registration (DCR)
    * @default false
    */
-  dcrEnabled: import_zod11.z.boolean().default(false),
+  dcrEnabled: import_zod10.z.boolean().default(false),
   /**
    * Authorization endpoint override
    */
-  authEndpoint: import_zod11.z.string().url().optional(),
+  authEndpoint: import_zod10.z.string().url().optional(),
   /**
    * Token endpoint override
    */
-  tokenEndpoint: import_zod11.z.string().url().optional(),
+  tokenEndpoint: import_zod10.z.string().url().optional(),
   /**
    * Registration endpoint override (for DCR)
    */
-  registrationEndpoint: import_zod11.z.string().url().optional(),
+  registrationEndpoint: import_zod10.z.string().url().optional(),
   /**
    * User info endpoint override
    */
-  userInfoEndpoint: import_zod11.z.string().url().optional()
+  userInfoEndpoint: import_zod10.z.string().url().optional()
 });
-var tokenStorageConfigSchema = import_zod11.z.discriminatedUnion("type", [
-  import_zod11.z.object({ type: import_zod11.z.literal("memory") }),
-  import_zod11.z.object({ type: import_zod11.z.literal("redis"), config: redisConfigSchema })
-]);
-var tokenRefreshConfigSchema = import_zod11.z.object({
+var flatRemoteProviderFields = {
+  /**
+   * OAuth provider base URL (required)
+   * @example 'https://auth.example.com'
+   */
+  provider: import_zod10.z.string().url(),
+  /** Client ID for this MCP server */
+  clientId: import_zod10.z.string().optional(),
+  /** Client secret (for confidential clients) */
+  clientSecret: import_zod10.z.string().optional(),
+  /** Scopes to request from the upstream provider */
+  scopes: import_zod10.z.array(import_zod10.z.string()).optional(),
+  /** Advanced provider configuration */
+  providerConfig: providerConfigSchema.optional()
+};
+var tokenStorageConfigSchema = import_zod10.z.union([import_zod10.z.literal("memory"), import_zod10.z.object({ redis: redisConfigSchema })]);
+var tokenRefreshConfigSchema = import_zod10.z.object({
   /**
    * Enable automatic token refresh
    * @default true
    */
-  enabled: import_zod11.z.boolean().default(true),
+  enabled: import_zod10.z.boolean().default(true),
   /**
    * Refresh token before expiry by this many seconds
    * @default 60
    */
-  skewSeconds: import_zod11.z.number().default(60)
+  skewSeconds: import_zod10.z.number().default(60)
 });
-var skippedAppBehaviorSchema = import_zod11.z.enum(["anonymous", "require-auth"]);
-var consentConfigSchema = import_zod11.z.object({
+var skippedAppBehaviorSchema = import_zod10.z.enum(["anonymous", "require-auth"]);
+var consentConfigSchema = import_zod10.z.object({
   /**
    * Enable consent flow for tool selection
    * When enabled, users can choose which tools to expose to the LLM
    * @default false
    */
-  enabled: import_zod11.z.boolean().default(false),
+  enabled: import_zod10.z.boolean().default(false),
   /**
    * Group tools by app in the consent UI
    * @default true
    */
-  groupByApp: import_zod11.z.boolean().default(true),
+  groupByApp: import_zod10.z.boolean().default(true),
   /**
    * Show tool descriptions in consent UI
    * @default true
    */
-  showDescriptions: import_zod11.z.boolean().default(true),
+  showDescriptions: import_zod10.z.boolean().default(true),
   /**
    * Allow selecting all tools at once
    * @default true
    */
-  allowSelectAll: import_zod11.z.boolean().default(true),
+  allowSelectAll: import_zod10.z.boolean().default(true),
   /**
    * Require at least one tool to be selected
    * @default true
    */
-  requireSelection: import_zod11.z.boolean().default(true),
+  requireSelection: import_zod10.z.boolean().default(true),
   /**
    * Custom message to display on consent page
    */
-  customMessage: import_zod11.z.string().optional(),
+  customMessage: import_zod10.z.string().optional(),
   /**
    * Remember consent for future sessions
    * @default true
    */
-  rememberConsent: import_zod11.z.boolean().default(true),
+  rememberConsent: import_zod10.z.boolean().default(true),
   /**
    * Tools to exclude from consent (always available)
    * Useful for essential tools that should always be accessible
    */
-  excludedTools: import_zod11.z.array(import_zod11.z.string()).optional(),
+  excludedTools: import_zod10.z.array(import_zod10.z.string()).optional(),
   /**
    * Tools to always include in consent (pre-selected)
    */
-  defaultSelectedTools: import_zod11.z.array(import_zod11.z.string()).optional()
+  defaultSelectedTools: import_zod10.z.array(import_zod10.z.string()).optional()
 });
-var federatedAuthConfigSchema = import_zod11.z.object({
+var federatedAuthConfigSchema = import_zod10.z.object({
   /**
    * How strictly to validate the OAuth state parameter on provider callbacks.
    * - 'strict': require exact match to stored state (default, safest)
    * - 'format': validate only "federated:{sessionId}:{nonce}" format
    * @default 'strict'
    */
-  stateValidation: import_zod11.z.enum(["strict", "format"]).default("strict")
+  stateValidation: import_zod10.z.enum(["strict", "format"]).default("strict")
 });
-var incrementalAuthConfigSchema = import_zod11.z.object({
+var incrementalAuthConfigSchema = import_zod10.z.object({
   /**
    * Enable incremental (progressive) authorization
    * When enabled, users can skip app authorizations during initial auth
    * and authorize individual apps later when needed
    * @default true
    */
-  enabled: import_zod11.z.boolean().default(true),
+  enabled: import_zod10.z.boolean().default(true),
   /**
    * Behavior when a tool from a skipped app is called
    * - 'anonymous': If app supports anonymous access, use it; otherwise require auth
@@ -6718,33 +6604,33 @@ var incrementalAuthConfigSchema = import_zod11.z.object({
    * Allow users to skip app authorization during initial auth flow
    * @default true
    */
-  allowSkip: import_zod11.z.boolean().default(true),
+  allowSkip: import_zod10.z.boolean().default(true),
   /**
    * Show all apps in a single authorization page (vs step-by-step)
    * @default true
    */
-  showAllAppsAtOnce: import_zod11.z.boolean().default(true)
+  showAllAppsAtOnce: import_zod10.z.boolean().default(true)
 });
 
 // libs/auth/src/options/public.schema.ts
-var import_zod12 = require("zod");
-var publicAuthOptionsSchema = import_zod12.z.object({
-  mode: import_zod12.z.literal("public"),
+var import_zod11 = require("zod");
+var publicAuthOptionsSchema = import_zod11.z.object({
+  mode: import_zod11.z.literal("public"),
   /**
    * Issuer identifier for anonymous JWTs
    * @default auto-derived from server URL
    */
-  issuer: import_zod12.z.string().optional(),
+  issuer: import_zod11.z.string().optional(),
   /**
    * Anonymous session TTL in seconds
    * @default 3600 (1 hour)
    */
-  sessionTtl: import_zod12.z.number().default(3600),
+  sessionTtl: import_zod11.z.number().default(3600),
   /**
    * Scopes granted to anonymous sessions
    * @default ['anonymous']
    */
-  anonymousScopes: import_zod12.z.array(import_zod12.z.string()).default(["anonymous"]),
+  anonymousScopes: import_zod11.z.array(import_zod11.z.string()).default(["anonymous"]),
   /**
    * Tool/prompt access configuration for anonymous users
    */
@@ -6758,38 +6644,38 @@ var publicAuthOptionsSchema = import_zod12.z.object({
    * Private key for signing anonymous tokens
    * @default auto-generated
    */
-  signKey: jwkSchema.or(import_zod12.z.instanceof(Uint8Array)).optional()
+  signKey: jwkSchema.or(import_zod11.z.instanceof(Uint8Array)).optional()
 });
 
 // libs/auth/src/options/transparent.schema.ts
-var import_zod13 = require("zod");
-var transparentAuthOptionsSchema = import_zod13.z.object({
-  mode: import_zod13.z.literal("transparent"),
+var import_zod12 = require("zod");
+var transparentAuthOptionsSchema = import_zod12.z.object({
+  mode: import_zod12.z.literal("transparent"),
   /**
-   * Remote OAuth provider configuration (required)
+   * Flattened remote provider fields (provider, clientId, clientSecret, scopes, providerConfig)
    */
-  remote: remoteProviderConfigSchema,
+  ...flatRemoteProviderFields,
   /**
    * Expected token audience
    * If not set, defaults to the resource URL
    */
-  expectedAudience: import_zod13.z.union([import_zod13.z.string(), import_zod13.z.array(import_zod13.z.string())]).optional(),
+  expectedAudience: import_zod12.z.union([import_zod12.z.string(), import_zod12.z.array(import_zod12.z.string())]).optional(),
   /**
    * Required scopes for access
    * Empty array means any valid token is accepted
    * @default []
    */
-  requiredScopes: import_zod13.z.array(import_zod13.z.string()).default([]),
+  requiredScopes: import_zod12.z.array(import_zod12.z.string()).default([]),
   /**
    * Allow anonymous fallback when no token is provided
    * @default false
    */
-  allowAnonymous: import_zod13.z.boolean().default(false),
+  allowAnonymous: import_zod12.z.boolean().default(false),
   /**
    * Scopes granted to anonymous sessions (when allowAnonymous=true)
    * @default ['anonymous']
    */
-  anonymousScopes: import_zod13.z.array(import_zod13.z.string()).default(["anonymous"]),
+  anonymousScopes: import_zod12.z.array(import_zod12.z.string()).default(["anonymous"]),
   /**
    * Public access config for anonymous users (when allowAnonymous=true)
    */
@@ -6797,56 +6683,52 @@ var transparentAuthOptionsSchema = import_zod13.z.object({
 });
 
 // libs/auth/src/options/orchestrated.schema.ts
-var import_zod14 = require("zod");
-var orchestratedSharedFields = {
+var import_zod13 = require("zod");
+var sharedAuthFields = {
   local: localSigningConfigSchema.optional(),
-  tokenStorage: tokenStorageConfigSchema.default({ type: "memory" }),
-  allowDefaultPublic: import_zod14.z.boolean().default(false),
-  anonymousScopes: import_zod14.z.array(import_zod14.z.string()).default(["anonymous"]),
+  tokenStorage: tokenStorageConfigSchema.default("memory"),
+  allowDefaultPublic: import_zod13.z.boolean().default(false),
+  anonymousScopes: import_zod13.z.array(import_zod13.z.string()).default(["anonymous"]),
   publicAccess: publicAccessConfigSchema.optional(),
   consent: consentConfigSchema.optional(),
   federatedAuth: federatedAuthConfigSchema.optional(),
   refresh: tokenRefreshConfigSchema.optional(),
-  expectedAudience: import_zod14.z.union([import_zod14.z.string(), import_zod14.z.array(import_zod14.z.string())]).optional(),
+  expectedAudience: import_zod13.z.union([import_zod13.z.string(), import_zod13.z.array(import_zod13.z.string())]).optional(),
   incrementalAuth: incrementalAuthConfigSchema.optional(),
   cimd: cimdConfigSchema.optional()
 };
-var orchestratedLocalSchema = import_zod14.z.object({
-  mode: import_zod14.z.literal("orchestrated"),
-  type: import_zod14.z.literal("local"),
-  ...orchestratedSharedFields
+var localAuthSchema = import_zod13.z.object({
+  mode: import_zod13.z.literal("local"),
+  ...sharedAuthFields
 });
-var orchestratedRemoteSchema = import_zod14.z.object({
-  mode: import_zod14.z.literal("orchestrated"),
-  type: import_zod14.z.literal("remote"),
-  remote: remoteProviderConfigSchema,
-  ...orchestratedSharedFields
+var remoteAuthSchema = import_zod13.z.object({
+  mode: import_zod13.z.literal("remote"),
+  ...flatRemoteProviderFields,
+  ...sharedAuthFields
 });
-var orchestratedAuthOptionsSchema = import_zod14.z.discriminatedUnion("type", [
-  orchestratedLocalSchema,
-  orchestratedRemoteSchema
-]);
+var orchestratedLocalSchema = localAuthSchema;
+var orchestratedRemoteSchema = remoteAuthSchema;
 
 // libs/auth/src/options/schema.ts
-var import_zod15 = require("zod");
-var authOptionsSchema = import_zod15.z.union([
+var import_zod14 = require("zod");
+var authOptionsSchema = import_zod14.z.union([
   publicAuthOptionsSchema,
   transparentAuthOptionsSchema,
-  orchestratedLocalSchema,
-  orchestratedRemoteSchema
+  localAuthSchema,
+  remoteAuthSchema
 ]);
 
 // libs/auth/src/options/app-auth.schema.ts
-var import_zod16 = require("zod");
+var import_zod15 = require("zod");
 var standaloneOptionSchema = {
-  standalone: import_zod16.z.boolean().optional(),
-  excludeFromParent: import_zod16.z.boolean().optional()
+  standalone: import_zod15.z.boolean().optional(),
+  excludeFromParent: import_zod15.z.boolean().optional()
 };
-var appAuthOptionsSchema = import_zod16.z.union([
+var appAuthOptionsSchema = import_zod15.z.union([
   publicAuthOptionsSchema.extend(standaloneOptionSchema),
   transparentAuthOptionsSchema.extend(standaloneOptionSchema),
-  orchestratedLocalSchema.extend(standaloneOptionSchema),
-  orchestratedRemoteSchema.extend(standaloneOptionSchema)
+  localAuthSchema.extend(standaloneOptionSchema),
+  remoteAuthSchema.extend(standaloneOptionSchema)
 ]);
 
 // libs/auth/src/options/utils.ts
@@ -6859,136 +6741,142 @@ function isPublicMode(options) {
 function isTransparentMode(options) {
   return options.mode === "transparent";
 }
+function isLocalMode(options) {
+  return options.mode === "local";
+}
+function isRemoteMode(options) {
+  return options.mode === "remote";
+}
 function isOrchestratedMode(options) {
-  return options.mode === "orchestrated";
+  return options.mode === "local" || options.mode === "remote";
 }
 function isOrchestratedLocal(options) {
-  return options.type === "local";
+  return options.mode === "local";
 }
 function isOrchestratedRemote(options) {
-  return options.type === "remote";
+  return options.mode === "remote";
 }
 function allowsPublicAccess(options) {
   if (options.mode === "public") return true;
   if (options.mode === "transparent") return options.allowAnonymous;
-  if (options.mode === "orchestrated") return options.allowDefaultPublic;
+  if (options.mode === "local" || options.mode === "remote") return options.allowDefaultPublic;
   return false;
 }
 
 // libs/auth/src/consent/consent.types.ts
-var import_zod17 = require("zod");
-var consentToolItemSchema = import_zod17.z.object({
+var import_zod16 = require("zod");
+var consentToolItemSchema = import_zod16.z.object({
   /** Tool ID (e.g., 'slack:send_message') */
-  id: import_zod17.z.string().min(1),
+  id: import_zod16.z.string().min(1),
   /** Tool name for display */
-  name: import_zod17.z.string().min(1),
+  name: import_zod16.z.string().min(1),
   /** Tool description */
-  description: import_zod17.z.string().optional(),
+  description: import_zod16.z.string().optional(),
   /** App ID this tool belongs to */
-  appId: import_zod17.z.string().min(1),
+  appId: import_zod16.z.string().min(1),
   /** App name for display */
-  appName: import_zod17.z.string().min(1),
+  appName: import_zod16.z.string().min(1),
   /** Whether the tool is selected by default */
-  defaultSelected: import_zod17.z.boolean().default(true),
+  defaultSelected: import_zod16.z.boolean().default(true),
   /** Whether this tool requires specific scopes */
-  requiredScopes: import_zod17.z.array(import_zod17.z.string()).optional(),
+  requiredScopes: import_zod16.z.array(import_zod16.z.string()).optional(),
   /** Category for grouping (e.g., 'read', 'write', 'admin') */
-  category: import_zod17.z.string().optional()
+  category: import_zod16.z.string().optional()
 });
-var consentSelectionSchema = import_zod17.z.object({
+var consentSelectionSchema = import_zod16.z.object({
   /** Selected tool IDs */
-  selectedTools: import_zod17.z.array(import_zod17.z.string()),
+  selectedTools: import_zod16.z.array(import_zod16.z.string()),
   /** Whether all tools were selected */
-  allSelected: import_zod17.z.boolean(),
+  allSelected: import_zod16.z.boolean(),
   /** Timestamp when consent was given */
-  consentedAt: import_zod17.z.string().datetime(),
+  consentedAt: import_zod16.z.string().datetime(),
   /** Consent version for tracking changes */
-  consentVersion: import_zod17.z.string().default("1.0")
+  consentVersion: import_zod16.z.string().default("1.0")
 });
-var consentStateSchema = import_zod17.z.object({
+var consentStateSchema = import_zod16.z.object({
   /** Whether consent flow is enabled */
-  enabled: import_zod17.z.boolean(),
+  enabled: import_zod16.z.boolean(),
   /** Available tools for consent */
-  availableTools: import_zod17.z.array(consentToolItemSchema),
+  availableTools: import_zod16.z.array(consentToolItemSchema),
   /** Pre-selected tools (from previous consent or defaults) */
-  preselectedTools: import_zod17.z.array(import_zod17.z.string()).optional(),
+  preselectedTools: import_zod16.z.array(import_zod16.z.string()).optional(),
   /** Whether to show all tools or group by app */
-  groupByApp: import_zod17.z.boolean().default(true),
+  groupByApp: import_zod16.z.boolean().default(true),
   /** Custom consent message */
-  customMessage: import_zod17.z.string().optional()
+  customMessage: import_zod16.z.string().optional()
 });
-var federatedProviderItemSchema = import_zod17.z.object({
+var federatedProviderItemSchema = import_zod16.z.object({
   /** Provider ID (derived or explicit) */
-  id: import_zod17.z.string().min(1),
+  id: import_zod16.z.string().min(1),
   /** Provider display name */
-  name: import_zod17.z.string().min(1),
+  name: import_zod16.z.string().min(1),
   /** Provider description */
-  description: import_zod17.z.string().optional(),
+  description: import_zod16.z.string().optional(),
   /** Provider icon URL or emoji */
-  icon: import_zod17.z.string().optional(),
+  icon: import_zod16.z.string().optional(),
   /** Provider type */
-  type: import_zod17.z.enum(["local", "remote", "transparent"]),
+  type: import_zod16.z.enum(["local", "remote", "transparent"]),
   /** OAuth provider URL (for remote providers) */
-  providerUrl: import_zod17.z.string().url().optional(),
+  providerUrl: import_zod16.z.string().url().optional(),
   /** Apps using this provider */
-  appIds: import_zod17.z.array(import_zod17.z.string()),
+  appIds: import_zod16.z.array(import_zod16.z.string()),
   /** App names using this provider */
-  appNames: import_zod17.z.array(import_zod17.z.string()),
+  appNames: import_zod16.z.array(import_zod16.z.string()),
   /** Scopes required by this provider */
-  scopes: import_zod17.z.array(import_zod17.z.string()),
+  scopes: import_zod16.z.array(import_zod16.z.string()),
   /** Whether this is the primary/parent provider */
-  isPrimary: import_zod17.z.boolean(),
+  isPrimary: import_zod16.z.boolean(),
   /** Whether this provider is optional (can be skipped) */
-  isOptional: import_zod17.z.boolean().default(false)
+  isOptional: import_zod16.z.boolean().default(false)
 });
-var federatedLoginStateSchema = import_zod17.z.object({
+var federatedLoginStateSchema = import_zod16.z.object({
   /** All available providers */
-  providers: import_zod17.z.array(federatedProviderItemSchema),
+  providers: import_zod16.z.array(federatedProviderItemSchema),
   /** Primary provider ID (if any) */
-  primaryProviderId: import_zod17.z.string().optional(),
+  primaryProviderId: import_zod16.z.string().optional(),
   /** Whether user can skip optional providers */
-  allowSkip: import_zod17.z.boolean().default(true),
+  allowSkip: import_zod16.z.boolean().default(true),
   /** Pre-selected provider IDs (from previous session) */
-  preselectedProviders: import_zod17.z.array(import_zod17.z.string()).optional()
+  preselectedProviders: import_zod16.z.array(import_zod16.z.string()).optional()
 });
-var federatedSelectionSchema = import_zod17.z.object({
+var federatedSelectionSchema = import_zod16.z.object({
   /** Selected provider IDs */
-  selectedProviders: import_zod17.z.array(import_zod17.z.string()),
+  selectedProviders: import_zod16.z.array(import_zod16.z.string()),
   /** Skipped provider IDs */
-  skippedProviders: import_zod17.z.array(import_zod17.z.string()),
+  skippedProviders: import_zod16.z.array(import_zod16.z.string()),
   /** Provider-specific metadata */
-  providerMetadata: import_zod17.z.record(import_zod17.z.string(), import_zod17.z.unknown()).optional()
+  providerMetadata: import_zod16.z.record(import_zod16.z.string(), import_zod16.z.unknown()).optional()
 });
 
 // libs/auth/src/detection/auth-provider-detection.ts
-var import_zod18 = require("zod");
-var detectedAuthProviderSchema = import_zod18.z.object({
-  id: import_zod18.z.string(),
-  providerUrl: import_zod18.z.string().optional(),
-  mode: import_zod18.z.enum(["public", "transparent", "orchestrated"]),
-  appIds: import_zod18.z.array(import_zod18.z.string()),
-  scopes: import_zod18.z.array(import_zod18.z.string()),
-  isParentProvider: import_zod18.z.boolean()
+var import_zod17 = require("zod");
+var detectedAuthProviderSchema = import_zod17.z.object({
+  id: import_zod17.z.string(),
+  providerUrl: import_zod17.z.string().optional(),
+  mode: import_zod17.z.enum(["public", "transparent", "local", "remote"]),
+  appIds: import_zod17.z.array(import_zod17.z.string()),
+  scopes: import_zod17.z.array(import_zod17.z.string()),
+  isParentProvider: import_zod17.z.boolean()
 });
-var authProviderDetectionResultSchema = import_zod18.z.object({
-  providers: import_zod18.z.map(import_zod18.z.string(), detectedAuthProviderSchema),
-  requiresOrchestration: import_zod18.z.boolean(),
-  parentProviderId: import_zod18.z.string().optional(),
-  childProviderIds: import_zod18.z.array(import_zod18.z.string()),
-  uniqueProviderCount: import_zod18.z.number(),
-  validationErrors: import_zod18.z.array(import_zod18.z.string()),
-  warnings: import_zod18.z.array(import_zod18.z.string())
+var authProviderDetectionResultSchema = import_zod17.z.object({
+  providers: import_zod17.z.map(import_zod17.z.string(), detectedAuthProviderSchema),
+  requiresOrchestration: import_zod17.z.boolean(),
+  parentProviderId: import_zod17.z.string().optional(),
+  childProviderIds: import_zod17.z.array(import_zod17.z.string()),
+  uniqueProviderCount: import_zod17.z.number(),
+  validationErrors: import_zod17.z.array(import_zod17.z.string()),
+  warnings: import_zod17.z.array(import_zod17.z.string())
 });
 function deriveProviderId(options) {
   if (isPublicMode(options)) {
     return options.issuer ?? "public";
   }
   if (isTransparentMode(options)) {
-    return options.remote.id ?? urlToProviderId(options.remote.provider);
+    return options.providerConfig?.id ?? urlToProviderId(options.provider);
   }
   if (isOrchestratedMode(options)) {
     if (isOrchestratedRemote(options)) {
-      return options.remote.id ?? urlToProviderId(options.remote.provider);
+      return options.providerConfig?.id ?? urlToProviderId(options.provider);
     }
     return options.local?.issuer ?? "local";
   }
@@ -7008,7 +6896,7 @@ function extractScopes(options) {
   }
   if (isOrchestratedMode(options)) {
     if (isOrchestratedRemote(options)) {
-      return options.remote.scopes || [];
+      return options.scopes || [];
     }
   }
   return [];
@@ -7057,12 +6945,12 @@ function detectAuthProviders(parentAuth, apps) {
   const requiresOrchestration = hasMultipleProviders || hasChildOnlyProviders || childProviderIds.length > 0 && parentProviderId !== void 0;
   if (requiresOrchestration && parentAuth && isTransparentMode(parentAuth)) {
     validationErrors.push(
-      `Invalid auth configuration: Parent uses transparent mode but apps have their own auth providers. Transparent mode passes tokens through without modification, which is incompatible with multi-provider setups. Change parent auth to orchestrated mode to properly manage tokens for each provider. Detected providers: ${[...providers.keys()].join(", ")}`
+      `Invalid auth configuration: Parent uses transparent mode but apps have their own auth providers. Transparent mode passes tokens through without modification, which is incompatible with multi-provider setups. Change parent auth to local or remote mode to properly manage tokens for each provider. Detected providers: ${[...providers.keys()].join(", ")}`
     );
   }
   if (uniqueProviderCount > 1 && parentAuth && isPublicMode(parentAuth)) {
     warnings.push(
-      `Parent uses public mode but apps have auth providers configured. App-level auth will be used, but consider using orchestrated mode at parent for unified auth management.`
+      `Parent uses public mode but apps have auth providers configured. App-level auth will be used, but consider using local or remote mode at parent for unified auth management.`
     );
   }
   return {
@@ -7077,10 +6965,10 @@ function detectAuthProviders(parentAuth, apps) {
 }
 function getProviderUrl(options) {
   if (isTransparentMode(options)) {
-    return options.remote.provider;
+    return options.provider;
   }
   if (isOrchestratedMode(options) && isOrchestratedRemote(options)) {
-    return options.remote.provider;
+    return options.provider;
   }
   return void 0;
 }
@@ -7250,9 +7138,9 @@ function escapeQuotedString(value) {
 function unescapeQuotedString(value) {
   return value.replace(/\\(.)/g, "$1");
 }
-function normalizePathSegment(path3) {
-  if (!path3 || path3 === "/") return "";
-  const normalized = path3.startsWith("/") ? path3 : `/${path3}`;
+function normalizePathSegment(path) {
+  if (!path || path === "/") return "";
+  const normalized = path.startsWith("/") ? path : `/${path}`;
   let end = normalized.length;
   while (end > 0 && normalized[end - 1] === "/") {
     end--;
@@ -7367,43 +7255,43 @@ var AudienceValidator = class _AudienceValidator {
 };
 
 // libs/auth/src/vault/auth-providers.types.ts
-var import_zod19 = require("zod");
-var credentialScopeSchema = import_zod19.z.enum(["global", "user", "session"]);
-var loadingStrategySchema = import_zod19.z.enum(["eager", "lazy"]);
-var getCredentialOptionsSchema = import_zod19.z.object({
-  forceRefresh: import_zod19.z.boolean().optional(),
-  scopes: import_zod19.z.array(import_zod19.z.string()).optional(),
-  timeout: import_zod19.z.number().positive().optional()
+var import_zod18 = require("zod");
+var credentialScopeSchema = import_zod18.z.enum(["global", "user", "session"]);
+var loadingStrategySchema = import_zod18.z.enum(["eager", "lazy"]);
+var getCredentialOptionsSchema = import_zod18.z.object({
+  forceRefresh: import_zod18.z.boolean().optional(),
+  scopes: import_zod18.z.array(import_zod18.z.string()).optional(),
+  timeout: import_zod18.z.number().positive().optional()
 }).strict();
-var credentialProviderConfigSchema = import_zod19.z.object({
-  name: import_zod19.z.string().min(1),
-  description: import_zod19.z.string().optional(),
+var credentialProviderConfigSchema = import_zod18.z.object({
+  name: import_zod18.z.string().min(1),
+  description: import_zod18.z.string().optional(),
   scope: credentialScopeSchema,
   loading: loadingStrategySchema,
-  cacheTtl: import_zod19.z.number().nonnegative().optional(),
+  cacheTtl: import_zod18.z.number().nonnegative().optional(),
   // Functions validated at runtime, not via Zod (Zod 4 compatibility)
-  factory: import_zod19.z.any(),
-  refresh: import_zod19.z.any().optional(),
-  toHeaders: import_zod19.z.any().optional(),
-  metadata: import_zod19.z.record(import_zod19.z.string(), import_zod19.z.unknown()).optional(),
-  required: import_zod19.z.boolean().optional()
+  factory: import_zod18.z.any(),
+  refresh: import_zod18.z.any().optional(),
+  toHeaders: import_zod18.z.any().optional(),
+  metadata: import_zod18.z.record(import_zod18.z.string(), import_zod18.z.unknown()).optional(),
+  required: import_zod18.z.boolean().optional()
 }).strict();
-var authProviderMappingSchema = import_zod19.z.union([
-  import_zod19.z.string(),
-  import_zod19.z.object({
-    name: import_zod19.z.string().min(1),
-    required: import_zod19.z.boolean().optional().default(true),
-    scopes: import_zod19.z.array(import_zod19.z.string()).optional(),
-    alias: import_zod19.z.string().optional()
+var authProviderMappingSchema = import_zod18.z.union([
+  import_zod18.z.string(),
+  import_zod18.z.object({
+    name: import_zod18.z.string().min(1),
+    required: import_zod18.z.boolean().optional().default(true),
+    scopes: import_zod18.z.array(import_zod18.z.string()).optional(),
+    alias: import_zod18.z.string().optional()
   }).strict()
 ]);
-var authProvidersVaultOptionsSchema = import_zod19.z.object({
-  enabled: import_zod19.z.boolean().optional(),
-  useSharedStorage: import_zod19.z.boolean().optional().default(true),
-  namespace: import_zod19.z.string().optional().default("authproviders:"),
-  defaultCacheTtl: import_zod19.z.number().nonnegative().optional().default(36e5),
-  maxCredentialsPerSession: import_zod19.z.number().positive().optional().default(100),
-  providers: import_zod19.z.array(credentialProviderConfigSchema).optional()
+var authProvidersVaultOptionsSchema = import_zod18.z.object({
+  enabled: import_zod18.z.boolean().optional(),
+  useSharedStorage: import_zod18.z.boolean().optional().default(true),
+  namespace: import_zod18.z.string().optional().default("authproviders:"),
+  defaultCacheTtl: import_zod18.z.number().nonnegative().optional().default(36e5),
+  maxCredentialsPerSession: import_zod18.z.number().positive().optional().default(100),
+  providers: import_zod18.z.array(credentialProviderConfigSchema).optional()
 }).strict();
 
 // libs/auth/src/vault/credential-helpers.ts
@@ -8383,7 +8271,6 @@ var LazyCredentialLoader = class {
   AuthProvidersVault,
   AuthorizationBase,
   CDN,
-  CimdCache,
   CimdClientIdMismatchError,
   CimdDisabledError,
   CimdError,
@@ -8405,6 +8292,7 @@ var LazyCredentialLoader = class {
   EncryptionKeyNotConfiguredError,
   InMemoryAuthorizationStore,
   InMemoryAuthorizationVault,
+  InMemoryCimdCache,
   InMemoryFederatedAuthSessionStore,
   InMemoryOrchestratedTokenStore,
   InMemoryStoreRequiredError,
@@ -8500,7 +8388,6 @@ var LazyCredentialLoader = class {
   decryptSessionJson,
   decryptValue,
   defaultSessionRateLimiter,
-  deleteDevKey,
   deriveAuthorizationId,
   deriveExpectedAudience,
   deriveProviderId,
@@ -8522,6 +8409,7 @@ var LazyCredentialLoader = class {
   federatedLoginStateSchema,
   federatedProviderItemSchema,
   federatedSelectionSchema,
+  flatRemoteProviderFields,
   fromSessionRecord,
   generatePkceChallenge,
   getCredentialOptionsSchema,
@@ -8535,12 +8423,13 @@ var LazyCredentialLoader = class {
   hkdfSha256,
   incrementalAuthConfigSchema,
   isCimdClientId,
-  isDevKeyPersistenceEnabled,
   isJwt,
+  isLocalMode,
   isOrchestratedLocal,
   isOrchestratedMode,
   isOrchestratedRemote,
   isPublicMode,
+  isRemoteMode,
   isSessionComplete,
   isSignedSession,
   isSoonExpiring,
@@ -8551,14 +8440,13 @@ var LazyCredentialLoader = class {
   jwkSchema,
   legacySseTransportStateSchema,
   llmSafeAuthContextSchema,
-  loadDevKey,
   loadingStrategySchema,
+  localAuthSchema,
   localSigningConfigSchema,
   mtlsCredentialSchema,
   noopLogger,
   normalizeIssuer,
   oauthCredentialSchema,
-  orchestratedAuthOptionsSchema,
   orchestratedLocalSchema,
   orchestratedRemoteSchema,
   parseAuthOptions,
@@ -8569,16 +8457,16 @@ var LazyCredentialLoader = class {
   pkceOAuthCredentialSchema,
   privateKeyCredentialSchema,
   progressiveAuthStateSchema,
+  providerConfigSchema,
   publicAccessConfigSchema,
   publicAuthOptionsSchema,
   redisConfigSchema,
   redisVaultEntrySchema,
+  remoteAuthSchema,
   remoteProviderConfigSchema,
   renderToHtml,
   resetCachedKey,
-  resolveKeyPath,
   safeDecrypt,
-  saveDevKey,
   serviceAccountCredentialSchema,
   sessionIdPayloadSchema,
   sessionJwtPayloadSchema,