@frontmcp/auth 0.9.0 → 0.11.0

package/common/session.types.d.ts

@@ -0,0 +1,190 @@
+import { z } from 'zod';
+/**
+ * Transport protocol types (excludes non-transport intents like 'delete-session')
+ */
+export type TransportProtocolType = 'legacy-sse' | 'sse' | 'streamable-http' | 'stateful-http' | 'stateless-http';
+/**
+ * Known AI platform types that can be detected from client info.
+ * Used for platform-specific rendering and behavior customization.
+ */
+export type AIPlatformType = 'openai' | 'claude' | 'gemini' | 'cursor' | 'continue' | 'cody' | 'generic-mcp' | 'ext-apps' | 'unknown';
+/**
+ * Zod schema for AIPlatformType validation
+ */
+export declare const aiPlatformTypeSchema: z.ZodEnum<{
+    unknown: "unknown";
+    openai: "openai";
+    claude: "claude";
+    gemini: "gemini";
+    cursor: "cursor";
+    continue: "continue";
+    cody: "cody";
+    "generic-mcp": "generic-mcp";
+    "ext-apps": "ext-apps";
+}>;
+/**
+ * Decoded JWT payload (if any) or empty object
+ */
+export type UserClaim = {
+    iss: string;
+    sid?: string;
+    sub: string;
+    exp?: number;
+    iat?: number;
+    aud?: string | string[];
+    email?: string;
+    username?: string;
+    preferred_username?: string;
+    name?: string;
+    picture?: string;
+};
+export declare const userClaimSchema: z.ZodObject<{
+    iss: z.ZodString;
+    sid: z.ZodOptional<z.ZodString>;
+    sub: z.ZodString;
+    exp: z.ZodOptional<z.ZodNumber>;
+    iat: z.ZodOptional<z.ZodNumber>;
+    aud: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodArray<z.ZodString>]>>;
+    email: z.ZodOptional<z.ZodString>;
+    username: z.ZodOptional<z.ZodString>;
+    preferred_username: z.ZodOptional<z.ZodString>;
+    name: z.ZodOptional<z.ZodString>;
+    picture: z.ZodOptional<z.ZodString>;
+}, z.core.$loose>;
+export type SessionIdPayload = {
+    nodeId: string;
+    authSig: string;
+    uuid: string;
+    iat: number;
+    protocol?: TransportProtocolType;
+    isPublic?: boolean;
+    platformType?: AIPlatformType;
+    clientName?: string;
+    clientVersion?: string;
+    supportsElicitation?: boolean;
+    /**
+     * Whether this session is in skills-only mode.
+     * When true, tools/list returns empty array but skills/search and skills/load work normally.
+     * This is useful for planner agents that only need skill information.
+     */
+    skillsOnlyMode?: boolean;
+};
+export declare const sessionIdPayloadSchema: z.ZodObject<{
+    nodeId: z.ZodString;
+    authSig: z.ZodString;
+    uuid: z.ZodString;
+    iat: z.ZodNumber;
+    protocol: z.ZodOptional<z.ZodEnum<{
+        "legacy-sse": "legacy-sse";
+        sse: "sse";
+        "streamable-http": "streamable-http";
+        "stateful-http": "stateful-http";
+        "stateless-http": "stateless-http";
+    }>>;
+    isPublic: z.ZodOptional<z.ZodBoolean>;
+    platformType: z.ZodOptional<z.ZodEnum<{
+        unknown: "unknown";
+        openai: "openai";
+        claude: "claude";
+        gemini: "gemini";
+        cursor: "cursor";
+        continue: "continue";
+        cody: "cody";
+        "generic-mcp": "generic-mcp";
+        "ext-apps": "ext-apps";
+    }>>;
+    clientName: z.ZodOptional<z.ZodString>;
+    clientVersion: z.ZodOptional<z.ZodString>;
+    supportsElicitation: z.ZodOptional<z.ZodBoolean>;
+    skillsOnlyMode: z.ZodOptional<z.ZodBoolean>;
+}, z.core.$strip>;
+export interface Authorization {
+    token: string;
+    user: UserClaim;
+    session?: {
+        id: string;
+        /** Payload may be undefined when session validation failed but ID is passed for transport lookup */
+        payload?: SessionIdPayload;
+    };
+}
+export declare const sessionIdSchema: z.ZodObject<{
+    id: z.ZodString;
+    payload: z.ZodOptional<z.ZodObject<{
+        nodeId: z.ZodString;
+        authSig: z.ZodString;
+        uuid: z.ZodString;
+        iat: z.ZodNumber;
+        protocol: z.ZodOptional<z.ZodEnum<{
+            "legacy-sse": "legacy-sse";
+            sse: "sse";
+            "streamable-http": "streamable-http";
+            "stateful-http": "stateful-http";
+            "stateless-http": "stateless-http";
+        }>>;
+        isPublic: z.ZodOptional<z.ZodBoolean>;
+        platformType: z.ZodOptional<z.ZodEnum<{
+            unknown: "unknown";
+            openai: "openai";
+            claude: "claude";
+            gemini: "gemini";
+            cursor: "cursor";
+            continue: "continue";
+            cody: "cody";
+            "generic-mcp": "generic-mcp";
+            "ext-apps": "ext-apps";
+        }>>;
+        clientName: z.ZodOptional<z.ZodString>;
+        clientVersion: z.ZodOptional<z.ZodString>;
+        supportsElicitation: z.ZodOptional<z.ZodBoolean>;
+        skillsOnlyMode: z.ZodOptional<z.ZodBoolean>;
+    }, z.core.$strip>>;
+}, z.core.$strip>;
+export declare const authorizationSchema: z.ZodObject<{
+    token: z.ZodString;
+    session: z.ZodOptional<z.ZodObject<{
+        id: z.ZodString;
+        payload: z.ZodOptional<z.ZodObject<{
+            nodeId: z.ZodString;
+            authSig: z.ZodString;
+            uuid: z.ZodString;
+            iat: z.ZodNumber;
+            protocol: z.ZodOptional<z.ZodEnum<{
+                "legacy-sse": "legacy-sse";
+                sse: "sse";
+                "streamable-http": "streamable-http";
+                "stateful-http": "stateful-http";
+                "stateless-http": "stateless-http";
+            }>>;
+            isPublic: z.ZodOptional<z.ZodBoolean>;
+            platformType: z.ZodOptional<z.ZodEnum<{
+                unknown: "unknown";
+                openai: "openai";
+                claude: "claude";
+                gemini: "gemini";
+                cursor: "cursor";
+                continue: "continue";
+                cody: "cody";
+                "generic-mcp": "generic-mcp";
+                "ext-apps": "ext-apps";
+            }>>;
+            clientName: z.ZodOptional<z.ZodString>;
+            clientVersion: z.ZodOptional<z.ZodString>;
+            supportsElicitation: z.ZodOptional<z.ZodBoolean>;
+            skillsOnlyMode: z.ZodOptional<z.ZodBoolean>;
+        }, z.core.$strip>>;
+    }, z.core.$strip>>;
+    user: z.ZodObject<{
+        iss: z.ZodString;
+        sid: z.ZodOptional<z.ZodString>;
+        sub: z.ZodString;
+        exp: z.ZodOptional<z.ZodNumber>;
+        iat: z.ZodOptional<z.ZodNumber>;
+        aud: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodArray<z.ZodString>]>>;
+        email: z.ZodOptional<z.ZodString>;
+        username: z.ZodOptional<z.ZodString>;
+        preferred_username: z.ZodOptional<z.ZodString>;
+        name: z.ZodOptional<z.ZodString>;
+        picture: z.ZodOptional<z.ZodString>;
+    }, z.core.$loose>;
+}, z.core.$strip>;
+//# sourceMappingURL=session.types.d.ts.map

package/common/session.types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"session.types.d.ts","sourceRoot":"","sources":["../../src/common/session.types.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAGxB;;GAEG;AACH,MAAM,MAAM,qBAAqB,GAAG,YAAY,GAAG,KAAK,GAAG,iBAAiB,GAAG,eAAe,GAAG,gBAAgB,CAAC;AAElH;;;GAGG;AACH,MAAM,MAAM,cAAc,GACtB,QAAQ,GACR,QAAQ,GACR,QAAQ,GACR,QAAQ,GACR,UAAU,GACV,MAAM,GACN,aAAa,GACb,UAAU,GACV,SAAS,CAAC;AAEd;;GAEG;AACH,eAAO,MAAM,oBAAoB;;;;;;;;;;EAU/B,CAAC;AAEH;;GAEG;AACH,MAAM,MAAM,SAAS,GAAG;IACtB,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IACxB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB,CAAC;AACF,eAAO,MAAM,eAAe;;;;;;;;;;;;iBAcZ,CAAC;AAEjB,MAAM,MAAM,gBAAgB,GAAG;IAE7B,MAAM,EAAE,MAAM,CAAC;IAEf,OAAO,EAAE,MAAM,CAAC;IAEhB,IAAI,EAAE,MAAM,CAAC;IAEb,GAAG,EAAE,MAAM,CAAC;IAEZ,QAAQ,CAAC,EAAE,qBAAqB,CAAC;IAEjC,QAAQ,CAAC,EAAE,OAAO,CAAC;IAEnB,YAAY,CAAC,EAAE,cAAc,CAAC;IAE9B,UAAU,CAAC,EAAE,MAAM,CAAC;IAEpB,aAAa,CAAC,EAAE,MAAM,CAAC;IAEvB,mBAAmB,CAAC,EAAE,OAAO,CAAC;IAC9B;;;;OAIG;IACH,cAAc,CAAC,EAAE,OAAO,CAAC;CAC1B,CAAC;AACF,eAAO,MAAM,sBAAsB;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBAYO,CAAC;AAE3C,MAAM,WAAW,aAAa;IAC5B,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,SAAS,CAAC;IAChB,OAAO,CAAC,EAAE;QACR,EAAE,EAAE,MAAM,CAAC;QACX,oGAAoG;QACpG,OAAO,CAAC,EAAE,gBAAgB,CAAC;KAC5B,CAAC;CACH;AAED,eAAO,MAAM,eAAe;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBAIwC,CAAC;AAErE,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBAIO,CAAC"}

package/common/zod-utils.d.ts

@@ -0,0 +1,5 @@
+import { z } from 'zod';
+export type RawZodShape<Type, Base = unknown> = {
+    [K in keyof Omit<Type, keyof Base>]-?: z.ZodTypeAny;
+};
+//# sourceMappingURL=zod-utils.d.ts.map

package/common/zod-utils.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"zod-utils.d.ts","sourceRoot":"","sources":["../../src/common/zod-utils.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,MAAM,MAAM,WAAW,CAAC,IAAI,EAAE,IAAI,GAAG,OAAO,IAAI;KAC7C,CAAC,IAAI,MAAM,IAAI,CAAC,IAAI,EAAE,MAAM,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,UAAU;CACpD,CAAC"}

package/consent/consent.types.d.ts

@@ -0,0 +1,112 @@
+/**
+ * Consent Flow Types and Schemas
+ *
+ * Defines types for the tool consent flow that allows users to select
+ * which MCP tools they want to expose to the LLM.
+ */
+import { z } from 'zod';
+import { consentConfigSchema } from '../options/shared.schemas';
+export { consentConfigSchema };
+/**
+ * Tool consent item schema - represents a tool available for consent
+ */
+export declare const consentToolItemSchema: z.ZodObject<{
+    id: z.ZodString;
+    name: z.ZodString;
+    description: z.ZodOptional<z.ZodString>;
+    appId: z.ZodString;
+    appName: z.ZodString;
+    defaultSelected: z.ZodDefault<z.ZodBoolean>;
+    requiredScopes: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    category: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>;
+/**
+ * Consent selection schema - user's tool selection
+ */
+export declare const consentSelectionSchema: z.ZodObject<{
+    selectedTools: z.ZodArray<z.ZodString>;
+    allSelected: z.ZodBoolean;
+    consentedAt: z.ZodString;
+    consentVersion: z.ZodDefault<z.ZodString>;
+}, z.core.$strip>;
+/**
+ * Consent page state schema - stored in pending authorization
+ */
+export declare const consentStateSchema: z.ZodObject<{
+    enabled: z.ZodBoolean;
+    availableTools: z.ZodArray<z.ZodObject<{
+        id: z.ZodString;
+        name: z.ZodString;
+        description: z.ZodOptional<z.ZodString>;
+        appId: z.ZodString;
+        appName: z.ZodString;
+        defaultSelected: z.ZodDefault<z.ZodBoolean>;
+        requiredScopes: z.ZodOptional<z.ZodArray<z.ZodString>>;
+        category: z.ZodOptional<z.ZodString>;
+    }, z.core.$strip>>;
+    preselectedTools: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    groupByApp: z.ZodDefault<z.ZodBoolean>;
+    customMessage: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>;
+/**
+ * Auth provider item for federated login UI
+ */
+export declare const federatedProviderItemSchema: z.ZodObject<{
+    id: z.ZodString;
+    name: z.ZodString;
+    description: z.ZodOptional<z.ZodString>;
+    icon: z.ZodOptional<z.ZodString>;
+    type: z.ZodEnum<{
+        transparent: "transparent";
+        local: "local";
+        remote: "remote";
+    }>;
+    providerUrl: z.ZodOptional<z.ZodString>;
+    appIds: z.ZodArray<z.ZodString>;
+    appNames: z.ZodArray<z.ZodString>;
+    scopes: z.ZodArray<z.ZodString>;
+    isPrimary: z.ZodBoolean;
+    isOptional: z.ZodDefault<z.ZodBoolean>;
+}, z.core.$strip>;
+/**
+ * Federated login state schema
+ */
+export declare const federatedLoginStateSchema: z.ZodObject<{
+    providers: z.ZodArray<z.ZodObject<{
+        id: z.ZodString;
+        name: z.ZodString;
+        description: z.ZodOptional<z.ZodString>;
+        icon: z.ZodOptional<z.ZodString>;
+        type: z.ZodEnum<{
+            transparent: "transparent";
+            local: "local";
+            remote: "remote";
+        }>;
+        providerUrl: z.ZodOptional<z.ZodString>;
+        appIds: z.ZodArray<z.ZodString>;
+        appNames: z.ZodArray<z.ZodString>;
+        scopes: z.ZodArray<z.ZodString>;
+        isPrimary: z.ZodBoolean;
+        isOptional: z.ZodDefault<z.ZodBoolean>;
+    }, z.core.$strip>>;
+    primaryProviderId: z.ZodOptional<z.ZodString>;
+    allowSkip: z.ZodDefault<z.ZodBoolean>;
+    preselectedProviders: z.ZodOptional<z.ZodArray<z.ZodString>>;
+}, z.core.$strip>;
+/**
+ * Federated login selection schema
+ */
+export declare const federatedSelectionSchema: z.ZodObject<{
+    selectedProviders: z.ZodArray<z.ZodString>;
+    skippedProviders: z.ZodArray<z.ZodString>;
+    providerMetadata: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+}, z.core.$strip>;
+export type ConsentToolItem = z.infer<typeof consentToolItemSchema>;
+export type ConsentSelection = z.infer<typeof consentSelectionSchema>;
+export type ConsentState = z.infer<typeof consentStateSchema>;
+export type ConsentConfig = z.infer<typeof consentConfigSchema>;
+export type ConsentConfigInput = z.input<typeof consentConfigSchema>;
+export type FederatedProviderItem = z.infer<typeof federatedProviderItemSchema>;
+export type FederatedLoginState = z.infer<typeof federatedLoginStateSchema>;
+export type FederatedSelection = z.infer<typeof federatedSelectionSchema>;
+//# sourceMappingURL=consent.types.d.ts.map

package/consent/consent.types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"consent.types.d.ts","sourceRoot":"","sources":["../../src/consent/consent.types.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AACH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,mBAAmB,EAAE,MAAM,2BAA2B,CAAC;AAGhE,OAAO,EAAE,mBAAmB,EAAE,CAAC;AAM/B;;GAEG;AACH,eAAO,MAAM,qBAAqB;;;;;;;;;iBAiBhC,CAAC;AAEH;;GAEG;AACH,eAAO,MAAM,sBAAsB;;;;;iBASjC,CAAC;AAEH;;GAEG;AACH,eAAO,MAAM,kBAAkB;;;;;;;;;;;;;;;iBAW7B,CAAC;AAKH;;GAEG;AACH,eAAO,MAAM,2BAA2B;;;;;;;;;;;;;;;;iBAuBtC,CAAC;AAEH;;GAEG;AACH,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;;;;;;iBASpC,CAAC;AAEH;;GAEG;AACH,eAAO,MAAM,wBAAwB;;;;iBAOnC,CAAC;AAMH,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AACpE,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AACtE,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAC9D,MAAM,MAAM,aAAa,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAChE,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAErE,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,2BAA2B,CAAC,CAAC;AAChF,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAC;AAC5E,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,wBAAwB,CAAC,CAAC"}

package/consent/index.d.ts

@@ -0,0 +1,2 @@
+export { consentToolItemSchema, consentSelectionSchema, consentStateSchema, federatedProviderItemSchema, federatedLoginStateSchema, federatedSelectionSchema, ConsentToolItem, ConsentSelection, ConsentState, ConsentConfig, ConsentConfigInput, FederatedProviderItem, FederatedLoginState, FederatedSelection, } from './consent.types';
+//# sourceMappingURL=index.d.ts.map

package/consent/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/consent/index.ts"],"names":[],"mappings":"AACA,OAAO,EAEL,qBAAqB,EACrB,sBAAsB,EACtB,kBAAkB,EAClB,2BAA2B,EAC3B,yBAAyB,EACzB,wBAAwB,EAExB,eAAe,EACf,gBAAgB,EAChB,YAAY,EACZ,aAAa,EACb,kBAAkB,EAClB,qBAAqB,EACrB,mBAAmB,EACnB,kBAAkB,GACnB,MAAM,iBAAiB,CAAC"}

package/detection/auth-provider-detection.d.ts

@@ -0,0 +1,53 @@
+/**
+ * Auth Provider Detection
+ *
+ * Detects unique auth providers across nested apps and determines
+ * if orchestrated mode is required at the parent scope level.
+ */
+import { z } from 'zod';
+import type { AuthOptions } from '../options/schema';
+export declare const detectedAuthProviderSchema: z.ZodObject<{
+    id: z.ZodString;
+    providerUrl: z.ZodOptional<z.ZodString>;
+    mode: z.ZodEnum<{
+        public: "public";
+        transparent: "transparent";
+        orchestrated: "orchestrated";
+    }>;
+    appIds: z.ZodArray<z.ZodString>;
+    scopes: z.ZodArray<z.ZodString>;
+    isParentProvider: z.ZodBoolean;
+}, z.core.$strip>;
+export declare const authProviderDetectionResultSchema: z.ZodObject<{
+    providers: z.ZodMap<z.ZodString, z.ZodObject<{
+        id: z.ZodString;
+        providerUrl: z.ZodOptional<z.ZodString>;
+        mode: z.ZodEnum<{
+            public: "public";
+            transparent: "transparent";
+            orchestrated: "orchestrated";
+        }>;
+        appIds: z.ZodArray<z.ZodString>;
+        scopes: z.ZodArray<z.ZodString>;
+        isParentProvider: z.ZodBoolean;
+    }, z.core.$strip>>;
+    requiresOrchestration: z.ZodBoolean;
+    parentProviderId: z.ZodOptional<z.ZodString>;
+    childProviderIds: z.ZodArray<z.ZodString>;
+    uniqueProviderCount: z.ZodNumber;
+    validationErrors: z.ZodArray<z.ZodString>;
+    warnings: z.ZodArray<z.ZodString>;
+}, z.core.$strip>;
+export type DetectedAuthProvider = z.infer<typeof detectedAuthProviderSchema>;
+export type AuthProviderDetectionResult = z.infer<typeof authProviderDetectionResultSchema>;
+export interface AppAuthInfo {
+    id: string;
+    name: string;
+    auth?: AuthOptions;
+}
+export declare function deriveProviderId(options: AuthOptions): string;
+export declare function detectAuthProviders(parentAuth: AuthOptions | undefined, apps: AppAuthInfo[]): AuthProviderDetectionResult;
+export declare function appRequiresOrchestration(appAuth: AuthOptions | undefined, parentAuth: AuthOptions | undefined): boolean;
+export declare function getProviderScopes(detection: AuthProviderDetectionResult, providerId: string): string[];
+export declare function getProviderApps(detection: AuthProviderDetectionResult, providerId: string): string[];
+//# sourceMappingURL=auth-provider-detection.d.ts.map

package/detection/auth-provider-detection.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-provider-detection.d.ts","sourceRoot":"","sources":["../../src/detection/auth-provider-detection.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AACH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAMrD,eAAO,MAAM,0BAA0B;;;;;;;;;;;iBAOrC,CAAC;AAEH,eAAO,MAAM,iCAAiC;;;;;;;;;;;;;;;;;;;iBAQ5C,CAAC;AAMH,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAC9E,MAAM,MAAM,2BAA2B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iCAAiC,CAAC,CAAC;AAE5F,MAAM,WAAW,WAAW;IAC1B,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,CAAC,EAAE,WAAW,CAAC;CACpB;AAMD,wBAAgB,gBAAgB,CAAC,OAAO,EAAE,WAAW,GAAG,MAAM,CAiB7D;AAyBD,wBAAgB,mBAAmB,CACjC,UAAU,EAAE,WAAW,GAAG,SAAS,EACnC,IAAI,EAAE,WAAW,EAAE,GAClB,2BAA2B,CA4E7B;AAcD,wBAAgB,wBAAwB,CACtC,OAAO,EAAE,WAAW,GAAG,SAAS,EAChC,UAAU,EAAE,WAAW,GAAG,SAAS,GAClC,OAAO,CAaT;AAED,wBAAgB,iBAAiB,CAAC,SAAS,EAAE,2BAA2B,EAAE,UAAU,EAAE,MAAM,GAAG,MAAM,EAAE,CAGtG;AAED,wBAAgB,eAAe,CAAC,SAAS,EAAE,2BAA2B,EAAE,UAAU,EAAE,MAAM,GAAG,MAAM,EAAE,CAGpG"}

package/detection/index.d.ts

@@ -0,0 +1,3 @@
+export { detectedAuthProviderSchema, authProviderDetectionResultSchema, detectAuthProviders, deriveProviderId, appRequiresOrchestration, getProviderScopes, getProviderApps, } from './auth-provider-detection';
+export type { DetectedAuthProvider, AuthProviderDetectionResult, AppAuthInfo } from './auth-provider-detection';
+//# sourceMappingURL=index.d.ts.map

package/detection/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/detection/index.ts"],"names":[],"mappings":"AACA,OAAO,EACL,0BAA0B,EAC1B,iCAAiC,EACjC,mBAAmB,EACnB,gBAAgB,EAChB,wBAAwB,EACxB,iBAAiB,EACjB,eAAe,GAChB,MAAM,2BAA2B,CAAC;AACnC,YAAY,EAAE,oBAAoB,EAAE,2BAA2B,EAAE,WAAW,EAAE,MAAM,2BAA2B,CAAC"}

package/errors/auth-internal.error.d.ts

@@ -0,0 +1,33 @@
+/**
+ * Base class for internal auth errors.
+ * Mirrors SDK's InternalMcpError structure but lives in @frontmcp/auth
+ * to avoid circular dependencies.
+ */
+export declare abstract class AuthInternalError extends Error {
+    /**
+     * Unique error ID for tracking in logs.
+     */
+    readonly errorId: string;
+    /**
+     * Whether this error should expose details to the client.
+     */
+    readonly isPublic = false;
+    /**
+     * HTTP status code equivalent.
+     */
+    readonly statusCode = 500;
+    /**
+     * Error code for categorization.
+     */
+    readonly code: string;
+    protected constructor(message: string, code?: string);
+    /**
+     * Get the public-facing error message.
+     */
+    getPublicMessage(): string;
+    /**
+     * Get the internal error message (for logging).
+     */
+    getInternalMessage(): string;
+}
+//# sourceMappingURL=auth-internal.error.d.ts.map

package/errors/auth-internal.error.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-internal.error.d.ts","sourceRoot":"","sources":["../../src/errors/auth-internal.error.ts"],"names":[],"mappings":"AAEA;;;;GAIG;AACH,8BAAsB,iBAAkB,SAAQ,KAAK;IACnD;;OAEG;IACH,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IAEzB;;OAEG;IACH,QAAQ,CAAC,QAAQ,SAAS;IAE1B;;OAEG;IACH,QAAQ,CAAC,UAAU,OAAO;IAE1B;;OAEG;IACH,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IAEtB,SAAS,aAAa,OAAO,EAAE,MAAM,EAAE,IAAI,SAAwB;IAQnE;;OAEG;IACH,gBAAgB,IAAI,MAAM;IAI1B;;OAEG;IACH,kBAAkB,IAAI,MAAM;CAG7B"}

package/errors/auth-internal.errors.d.ts

@@ -0,0 +1,123 @@
+import { AuthInternalError } from './auth-internal.error';
+/**
+ * Thrown when encryption context is not set.
+ */
+export declare class EncryptionContextNotSetError extends AuthInternalError {
+    constructor();
+}
+/**
+ * Thrown when loading a vault fails.
+ */
+export declare class VaultLoadError extends AuthInternalError {
+    readonly originalError?: Error;
+    constructor(vaultId: string, originalError?: Error);
+}
+/**
+ * Thrown when a vault entity is not found.
+ */
+export declare class VaultNotFoundError extends AuthInternalError {
+    constructor(entityType: string, id: string);
+}
+/**
+ * Thrown when a token is not available (e.g., expired, not yet obtained).
+ */
+export declare class TokenNotAvailableError extends AuthInternalError {
+    constructor(message: string);
+}
+/**
+ * Thrown when a token store is required but not configured.
+ */
+export declare class TokenStoreRequiredError extends AuthInternalError {
+    constructor(context: string);
+}
+/**
+ * Thrown when no provider ID is available.
+ */
+export declare class NoProviderIdError extends AuthInternalError {
+    constructor(message: string);
+}
+/**
+ * Thrown when a potential token leak is detected.
+ */
+export declare class TokenLeakDetectedError extends AuthInternalError {
+    constructor(detail: string);
+}
+/**
+ * Thrown when a session secret is required but not configured.
+ */
+export declare class SessionSecretRequiredError extends AuthInternalError {
+    constructor(component: string);
+}
+/**
+ * Thrown when a credential provider is already registered.
+ */
+export declare class CredentialProviderAlreadyRegisteredError extends AuthInternalError {
+    constructor(name: string);
+}
+/**
+ * Thrown when auth providers are not configured.
+ */
+export declare class AuthProvidersNotConfiguredError extends AuthInternalError {
+    constructor();
+}
+/**
+ * Thrown when orchestrated auth is not available.
+ */
+export declare class OrchestratedAuthNotAvailableError extends AuthInternalError {
+    constructor();
+}
+/**
+ * Thrown when encryption key is not configured.
+ */
+export declare class EncryptionKeyNotConfiguredError extends AuthInternalError {
+    constructor();
+}
+/**
+ * Thrown when session ID is empty.
+ */
+export declare class SessionIdEmptyError extends AuthInternalError {
+    constructor(storeName: string);
+}
+/**
+ * Thrown when elicitation secret is required but not configured.
+ */
+export declare class ElicitationSecretRequiredError extends AuthInternalError {
+    constructor();
+}
+/**
+ * Thrown when scope access is denied for a provider.
+ */
+export declare class ScopeDeniedError extends AuthInternalError {
+    constructor(providerId: string);
+}
+/**
+ * Thrown when an in-memory store is required but not available.
+ */
+export declare class InMemoryStoreRequiredError extends AuthInternalError {
+    constructor(component: string);
+}
+/**
+ * Thrown when orchestrator JWKS is not available.
+ */
+export declare class OrchestratorJwksNotAvailableError extends AuthInternalError {
+    constructor();
+}
+/**
+ * Thrown when invalid input is provided to an auth operation.
+ */
+export declare class AuthInvalidInputError extends AuthInternalError {
+    constructor(message: string);
+}
+/**
+ * Thrown when a credential storage operation fails.
+ */
+export declare class CredentialStorageError extends AuthInternalError {
+    constructor(message: string);
+}
+/**
+ * Thrown when a federated auth flow encounters an error.
+ */
+export declare class AuthFlowError extends AuthInternalError {
+    constructor(message: string, code?: string);
+}
+//# sourceMappingURL=auth-internal.errors.d.ts.map

package/errors/auth-internal.errors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-internal.errors.d.ts","sourceRoot":"","sources":["../../src/errors/auth-internal.errors.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAE1D;;GAEG;AACH,qBAAa,4BAA6B,SAAQ,iBAAiB;;CAIlE;AAED;;GAEG;AACH,qBAAa,cAAe,SAAQ,iBAAiB;IACnD,QAAQ,CAAC,aAAa,CAAC,EAAE,KAAK,CAAC;gBAEnB,OAAO,EAAE,MAAM,EAAE,aAAa,CAAC,EAAE,KAAK;CAInD;AAED;;GAEG;AACH,qBAAa,kBAAmB,SAAQ,iBAAiB;gBAC3C,UAAU,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM;CAG3C;AAED;;GAEG;AACH,qBAAa,sBAAuB,SAAQ,iBAAiB;gBAC/C,OAAO,EAAE,MAAM;CAG5B;AAED;;GAEG;AACH,qBAAa,uBAAwB,SAAQ,iBAAiB;gBAChD,OAAO,EAAE,MAAM;CAG5B;AAED;;GAEG;AACH,qBAAa,iBAAkB,SAAQ,iBAAiB;gBAC1C,OAAO,EAAE,MAAM;CAG5B;AAED;;GAEG;AACH,qBAAa,sBAAuB,SAAQ,iBAAiB;gBAC/C,MAAM,EAAE,MAAM;CAG3B;AAED;;GAEG;AACH,qBAAa,0BAA2B,SAAQ,iBAAiB;gBACnD,SAAS,EAAE,MAAM;CAG9B;AAED;;GAEG;AACH,qBAAa,wCAAyC,SAAQ,iBAAiB;gBACjE,IAAI,EAAE,MAAM;CAGzB;AAED;;GAEG;AACH,qBAAa,+BAAgC,SAAQ,iBAAiB;;CAIrE;AAED;;GAEG;AACH,qBAAa,iCAAkC,SAAQ,iBAAiB;;CAIvE;AAED;;GAEG;AACH,qBAAa,+BAAgC,SAAQ,iBAAiB;;CAIrE;AAED;;GAEG;AACH,qBAAa,mBAAoB,SAAQ,iBAAiB;gBAC5C,SAAS,EAAE,MAAM;CAG9B;AAED;;GAEG;AACH,qBAAa,8BAA+B,SAAQ,iBAAiB;;CAIpE;AAED;;GAEG;AACH,qBAAa,gBAAiB,SAAQ,iBAAiB;gBACzC,UAAU,EAAE,MAAM;CAG/B;AAED;;GAEG;AACH,qBAAa,0BAA2B,SAAQ,iBAAiB;gBACnD,SAAS,EAAE,MAAM;CAG9B;AAED;;GAEG;AACH,qBAAa,iCAAkC,SAAQ,iBAAiB;;CAIvE;AAED;;GAEG;AACH,qBAAa,qBAAsB,SAAQ,iBAAiB;gBAC9C,OAAO,EAAE,MAAM;CAG5B;AAED;;GAEG;AACH,qBAAa,sBAAuB,SAAQ,iBAAiB;gBAC/C,OAAO,EAAE,MAAM;CAG5B;AAED;;GAEG;AACH,qBAAa,aAAc,SAAQ,iBAAiB;gBACtC,OAAO,EAAE,MAAM,EAAE,IAAI,SAAoB;CAGtD"}

package/errors/index.d.ts

@@ -0,0 +1,3 @@
+export { AuthInternalError } from './auth-internal.error';
+export { EncryptionContextNotSetError, VaultLoadError, VaultNotFoundError, TokenNotAvailableError, TokenStoreRequiredError, NoProviderIdError, TokenLeakDetectedError, SessionSecretRequiredError, CredentialProviderAlreadyRegisteredError, AuthProvidersNotConfiguredError, OrchestratedAuthNotAvailableError, EncryptionKeyNotConfiguredError, SessionIdEmptyError, ElicitationSecretRequiredError, ScopeDeniedError, InMemoryStoreRequiredError, OrchestratorJwksNotAvailableError, AuthInvalidInputError, CredentialStorageError, AuthFlowError, } from './auth-internal.errors';
+//# sourceMappingURL=index.d.ts.map

package/errors/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/errors/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAC1D,OAAO,EACL,4BAA4B,EAC5B,cAAc,EACd,kBAAkB,EAClB,sBAAsB,EACtB,uBAAuB,EACvB,iBAAiB,EACjB,sBAAsB,EACtB,0BAA0B,EAC1B,wCAAwC,EACxC,+BAA+B,EAC/B,iCAAiC,EACjC,+BAA+B,EAC/B,mBAAmB,EACnB,8BAA8B,EAC9B,gBAAgB,EAChB,0BAA0B,EAC1B,iCAAiC,EACjC,qBAAqB,EACrB,sBAAsB,EACtB,aAAa,GACd,MAAM,wBAAwB,CAAC"}