@frontmcp/auth 0.9.0 → 0.11.0

package/options/schema.d.ts

@@ -0,0 +1,265 @@
+import { z } from 'zod';
+export declare const authOptionsSchema: z.ZodUnion<readonly [z.ZodObject<{
+    mode: z.ZodLiteral<"public">;
+    issuer: z.ZodOptional<z.ZodString>;
+    sessionTtl: z.ZodDefault<z.ZodNumber>;
+    anonymousScopes: z.ZodDefault<z.ZodArray<z.ZodString>>;
+    publicAccess: z.ZodOptional<z.ZodObject<{
+        tools: z.ZodDefault<z.ZodUnion<readonly [z.ZodLiteral<"all">, z.ZodArray<z.ZodString>]>>;
+        prompts: z.ZodDefault<z.ZodUnion<readonly [z.ZodLiteral<"all">, z.ZodArray<z.ZodString>]>>;
+        rateLimit: z.ZodDefault<z.ZodNumber>;
+    }, z.core.$strip>>;
+    jwks: z.ZodOptional<z.ZodObject<{
+        keys: z.ZodArray<z.ZodType<import("..").JWK, unknown, z.core.$ZodTypeInternals<import("..").JWK, unknown>>>;
+    }, z.core.$strip>>;
+    signKey: z.ZodOptional<z.ZodUnion<[z.ZodType<import("..").JWK, unknown, z.core.$ZodTypeInternals<import("..").JWK, unknown>>, z.ZodCustom<Uint8Array<ArrayBuffer>, Uint8Array<ArrayBuffer>>]>>;
+}, z.core.$strip>, z.ZodObject<{
+    mode: z.ZodLiteral<"transparent">;
+    remote: z.ZodObject<{
+        provider: z.ZodString;
+        name: z.ZodOptional<z.ZodString>;
+        id: z.ZodOptional<z.ZodString>;
+        jwks: z.ZodOptional<z.ZodObject<{
+            keys: z.ZodArray<z.ZodType<import("..").JWK, unknown, z.core.$ZodTypeInternals<import("..").JWK, unknown>>>;
+        }, z.core.$strip>>;
+        jwksUri: z.ZodOptional<z.ZodString>;
+        clientId: z.ZodOptional<z.ZodString>;
+        clientSecret: z.ZodOptional<z.ZodString>;
+        scopes: z.ZodOptional<z.ZodArray<z.ZodString>>;
+        dcrEnabled: z.ZodDefault<z.ZodBoolean>;
+        authEndpoint: z.ZodOptional<z.ZodString>;
+        tokenEndpoint: z.ZodOptional<z.ZodString>;
+        registrationEndpoint: z.ZodOptional<z.ZodString>;
+        userInfoEndpoint: z.ZodOptional<z.ZodString>;
+    }, z.core.$strip>;
+    expectedAudience: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodArray<z.ZodString>]>>;
+    requiredScopes: z.ZodDefault<z.ZodArray<z.ZodString>>;
+    allowAnonymous: z.ZodDefault<z.ZodBoolean>;
+    anonymousScopes: z.ZodDefault<z.ZodArray<z.ZodString>>;
+    publicAccess: z.ZodOptional<z.ZodObject<{
+        tools: z.ZodDefault<z.ZodUnion<readonly [z.ZodLiteral<"all">, z.ZodArray<z.ZodString>]>>;
+        prompts: z.ZodDefault<z.ZodUnion<readonly [z.ZodLiteral<"all">, z.ZodArray<z.ZodString>]>>;
+        rateLimit: z.ZodDefault<z.ZodNumber>;
+    }, z.core.$strip>>;
+}, z.core.$strip>, z.ZodObject<{
+    local: z.ZodOptional<z.ZodObject<{
+        signKey: z.ZodOptional<z.ZodUnion<[z.ZodType<import("..").JWK, unknown, z.core.$ZodTypeInternals<import("..").JWK, unknown>>, z.ZodCustom<Uint8Array<ArrayBuffer>, Uint8Array<ArrayBuffer>>]>>;
+        jwks: z.ZodOptional<z.ZodObject<{
+            keys: z.ZodArray<z.ZodType<import("..").JWK, unknown, z.core.$ZodTypeInternals<import("..").JWK, unknown>>>;
+        }, z.core.$strip>>;
+        issuer: z.ZodOptional<z.ZodString>;
+    }, z.core.$strip>>;
+    tokenStorage: z.ZodDefault<z.ZodDiscriminatedUnion<[z.ZodObject<{
+        type: z.ZodLiteral<"memory">;
+    }, z.core.$strip>, z.ZodObject<{
+        type: z.ZodLiteral<"redis">;
+        config: z.ZodObject<{
+            host: z.ZodString;
+            port: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
+            password: z.ZodOptional<z.ZodString>;
+            db: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
+            tls: z.ZodDefault<z.ZodOptional<z.ZodBoolean>>;
+            keyPrefix: z.ZodDefault<z.ZodOptional<z.ZodString>>;
+            defaultTtlMs: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
+        }, z.core.$strip>;
+    }, z.core.$strip>], "type">>;
+    allowDefaultPublic: z.ZodDefault<z.ZodBoolean>;
+    anonymousScopes: z.ZodDefault<z.ZodArray<z.ZodString>>;
+    publicAccess: z.ZodOptional<z.ZodObject<{
+        tools: z.ZodDefault<z.ZodUnion<readonly [z.ZodLiteral<"all">, z.ZodArray<z.ZodString>]>>;
+        prompts: z.ZodDefault<z.ZodUnion<readonly [z.ZodLiteral<"all">, z.ZodArray<z.ZodString>]>>;
+        rateLimit: z.ZodDefault<z.ZodNumber>;
+    }, z.core.$strip>>;
+    consent: z.ZodOptional<z.ZodObject<{
+        enabled: z.ZodDefault<z.ZodBoolean>;
+        groupByApp: z.ZodDefault<z.ZodBoolean>;
+        showDescriptions: z.ZodDefault<z.ZodBoolean>;
+        allowSelectAll: z.ZodDefault<z.ZodBoolean>;
+        requireSelection: z.ZodDefault<z.ZodBoolean>;
+        customMessage: z.ZodOptional<z.ZodString>;
+        rememberConsent: z.ZodDefault<z.ZodBoolean>;
+        excludedTools: z.ZodOptional<z.ZodArray<z.ZodString>>;
+        defaultSelectedTools: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    }, z.core.$strip>>;
+    federatedAuth: z.ZodOptional<z.ZodObject<{
+        stateValidation: z.ZodDefault<z.ZodEnum<{
+            format: "format";
+            strict: "strict";
+        }>>;
+    }, z.core.$strip>>;
+    refresh: z.ZodOptional<z.ZodObject<{
+        enabled: z.ZodDefault<z.ZodBoolean>;
+        skewSeconds: z.ZodDefault<z.ZodNumber>;
+    }, z.core.$strip>>;
+    expectedAudience: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodArray<z.ZodString>]>>;
+    incrementalAuth: z.ZodOptional<z.ZodObject<{
+        enabled: z.ZodDefault<z.ZodBoolean>;
+        skippedAppBehavior: z.ZodDefault<z.ZodEnum<{
+            anonymous: "anonymous";
+            "require-auth": "require-auth";
+        }>>;
+        allowSkip: z.ZodDefault<z.ZodBoolean>;
+        showAllAppsAtOnce: z.ZodDefault<z.ZodBoolean>;
+    }, z.core.$strip>>;
+    cimd: z.ZodOptional<z.ZodObject<{
+        enabled: z.ZodDefault<z.ZodBoolean>;
+        cache: z.ZodOptional<z.ZodObject<{
+            type: z.ZodDefault<z.ZodEnum<{
+                memory: "memory";
+                redis: "redis";
+            }>>;
+            defaultTtlMs: z.ZodDefault<z.ZodNumber>;
+            maxTtlMs: z.ZodDefault<z.ZodNumber>;
+            minTtlMs: z.ZodDefault<z.ZodNumber>;
+            redis: z.ZodOptional<z.ZodObject<{
+                url: z.ZodOptional<z.ZodString>;
+                host: z.ZodOptional<z.ZodString>;
+                port: z.ZodOptional<z.ZodNumber>;
+                password: z.ZodOptional<z.ZodString>;
+                db: z.ZodOptional<z.ZodNumber>;
+                tls: z.ZodOptional<z.ZodBoolean>;
+                keyPrefix: z.ZodDefault<z.ZodString>;
+            }, z.core.$strip>>;
+        }, z.core.$strip>>;
+        security: z.ZodOptional<z.ZodObject<{
+            blockPrivateIPs: z.ZodDefault<z.ZodBoolean>;
+            allowedDomains: z.ZodOptional<z.ZodArray<z.ZodString>>;
+            blockedDomains: z.ZodOptional<z.ZodArray<z.ZodString>>;
+            warnOnLocalhostRedirects: z.ZodDefault<z.ZodBoolean>;
+            allowInsecureForTesting: z.ZodDefault<z.ZodBoolean>;
+        }, z.core.$strip>>;
+        network: z.ZodOptional<z.ZodObject<{
+            timeoutMs: z.ZodDefault<z.ZodNumber>;
+            maxResponseSizeBytes: z.ZodDefault<z.ZodNumber>;
+            redirectPolicy: z.ZodDefault<z.ZodEnum<{
+                deny: "deny";
+                "same-origin": "same-origin";
+                allow: "allow";
+            }>>;
+            maxRedirects: z.ZodDefault<z.ZodNumber>;
+        }, z.core.$strip>>;
+    }, z.core.$strip>>;
+    mode: z.ZodLiteral<"orchestrated">;
+    type: z.ZodLiteral<"local">;
+}, z.core.$strip>, z.ZodObject<{
+    local: z.ZodOptional<z.ZodObject<{
+        signKey: z.ZodOptional<z.ZodUnion<[z.ZodType<import("..").JWK, unknown, z.core.$ZodTypeInternals<import("..").JWK, unknown>>, z.ZodCustom<Uint8Array<ArrayBuffer>, Uint8Array<ArrayBuffer>>]>>;
+        jwks: z.ZodOptional<z.ZodObject<{
+            keys: z.ZodArray<z.ZodType<import("..").JWK, unknown, z.core.$ZodTypeInternals<import("..").JWK, unknown>>>;
+        }, z.core.$strip>>;
+        issuer: z.ZodOptional<z.ZodString>;
+    }, z.core.$strip>>;
+    tokenStorage: z.ZodDefault<z.ZodDiscriminatedUnion<[z.ZodObject<{
+        type: z.ZodLiteral<"memory">;
+    }, z.core.$strip>, z.ZodObject<{
+        type: z.ZodLiteral<"redis">;
+        config: z.ZodObject<{
+            host: z.ZodString;
+            port: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
+            password: z.ZodOptional<z.ZodString>;
+            db: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
+            tls: z.ZodDefault<z.ZodOptional<z.ZodBoolean>>;
+            keyPrefix: z.ZodDefault<z.ZodOptional<z.ZodString>>;
+            defaultTtlMs: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
+        }, z.core.$strip>;
+    }, z.core.$strip>], "type">>;
+    allowDefaultPublic: z.ZodDefault<z.ZodBoolean>;
+    anonymousScopes: z.ZodDefault<z.ZodArray<z.ZodString>>;
+    publicAccess: z.ZodOptional<z.ZodObject<{
+        tools: z.ZodDefault<z.ZodUnion<readonly [z.ZodLiteral<"all">, z.ZodArray<z.ZodString>]>>;
+        prompts: z.ZodDefault<z.ZodUnion<readonly [z.ZodLiteral<"all">, z.ZodArray<z.ZodString>]>>;
+        rateLimit: z.ZodDefault<z.ZodNumber>;
+    }, z.core.$strip>>;
+    consent: z.ZodOptional<z.ZodObject<{
+        enabled: z.ZodDefault<z.ZodBoolean>;
+        groupByApp: z.ZodDefault<z.ZodBoolean>;
+        showDescriptions: z.ZodDefault<z.ZodBoolean>;
+        allowSelectAll: z.ZodDefault<z.ZodBoolean>;
+        requireSelection: z.ZodDefault<z.ZodBoolean>;
+        customMessage: z.ZodOptional<z.ZodString>;
+        rememberConsent: z.ZodDefault<z.ZodBoolean>;
+        excludedTools: z.ZodOptional<z.ZodArray<z.ZodString>>;
+        defaultSelectedTools: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    }, z.core.$strip>>;
+    federatedAuth: z.ZodOptional<z.ZodObject<{
+        stateValidation: z.ZodDefault<z.ZodEnum<{
+            format: "format";
+            strict: "strict";
+        }>>;
+    }, z.core.$strip>>;
+    refresh: z.ZodOptional<z.ZodObject<{
+        enabled: z.ZodDefault<z.ZodBoolean>;
+        skewSeconds: z.ZodDefault<z.ZodNumber>;
+    }, z.core.$strip>>;
+    expectedAudience: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodArray<z.ZodString>]>>;
+    incrementalAuth: z.ZodOptional<z.ZodObject<{
+        enabled: z.ZodDefault<z.ZodBoolean>;
+        skippedAppBehavior: z.ZodDefault<z.ZodEnum<{
+            anonymous: "anonymous";
+            "require-auth": "require-auth";
+        }>>;
+        allowSkip: z.ZodDefault<z.ZodBoolean>;
+        showAllAppsAtOnce: z.ZodDefault<z.ZodBoolean>;
+    }, z.core.$strip>>;
+    cimd: z.ZodOptional<z.ZodObject<{
+        enabled: z.ZodDefault<z.ZodBoolean>;
+        cache: z.ZodOptional<z.ZodObject<{
+            type: z.ZodDefault<z.ZodEnum<{
+                memory: "memory";
+                redis: "redis";
+            }>>;
+            defaultTtlMs: z.ZodDefault<z.ZodNumber>;
+            maxTtlMs: z.ZodDefault<z.ZodNumber>;
+            minTtlMs: z.ZodDefault<z.ZodNumber>;
+            redis: z.ZodOptional<z.ZodObject<{
+                url: z.ZodOptional<z.ZodString>;
+                host: z.ZodOptional<z.ZodString>;
+                port: z.ZodOptional<z.ZodNumber>;
+                password: z.ZodOptional<z.ZodString>;
+                db: z.ZodOptional<z.ZodNumber>;
+                tls: z.ZodOptional<z.ZodBoolean>;
+                keyPrefix: z.ZodDefault<z.ZodString>;
+            }, z.core.$strip>>;
+        }, z.core.$strip>>;
+        security: z.ZodOptional<z.ZodObject<{
+            blockPrivateIPs: z.ZodDefault<z.ZodBoolean>;
+            allowedDomains: z.ZodOptional<z.ZodArray<z.ZodString>>;
+            blockedDomains: z.ZodOptional<z.ZodArray<z.ZodString>>;
+            warnOnLocalhostRedirects: z.ZodDefault<z.ZodBoolean>;
+            allowInsecureForTesting: z.ZodDefault<z.ZodBoolean>;
+        }, z.core.$strip>>;
+        network: z.ZodOptional<z.ZodObject<{
+            timeoutMs: z.ZodDefault<z.ZodNumber>;
+            maxResponseSizeBytes: z.ZodDefault<z.ZodNumber>;
+            redirectPolicy: z.ZodDefault<z.ZodEnum<{
+                deny: "deny";
+                "same-origin": "same-origin";
+                allow: "allow";
+            }>>;
+            maxRedirects: z.ZodDefault<z.ZodNumber>;
+        }, z.core.$strip>>;
+    }, z.core.$strip>>;
+    mode: z.ZodLiteral<"orchestrated">;
+    type: z.ZodLiteral<"remote">;
+    remote: z.ZodObject<{
+        provider: z.ZodString;
+        name: z.ZodOptional<z.ZodString>;
+        id: z.ZodOptional<z.ZodString>;
+        jwks: z.ZodOptional<z.ZodObject<{
+            keys: z.ZodArray<z.ZodType<import("..").JWK, unknown, z.core.$ZodTypeInternals<import("..").JWK, unknown>>>;
+        }, z.core.$strip>>;
+        jwksUri: z.ZodOptional<z.ZodString>;
+        clientId: z.ZodOptional<z.ZodString>;
+        clientSecret: z.ZodOptional<z.ZodString>;
+        scopes: z.ZodOptional<z.ZodArray<z.ZodString>>;
+        dcrEnabled: z.ZodDefault<z.ZodBoolean>;
+        authEndpoint: z.ZodOptional<z.ZodString>;
+        tokenEndpoint: z.ZodOptional<z.ZodString>;
+        registrationEndpoint: z.ZodOptional<z.ZodString>;
+        userInfoEndpoint: z.ZodOptional<z.ZodString>;
+    }, z.core.$strip>;
+}, z.core.$strip>]>;
+export type AuthOptions = z.infer<typeof authOptionsSchema>;
+export type AuthOptionsInput = z.input<typeof authOptionsSchema>;
+export type AuthMode = 'public' | 'transparent' | 'orchestrated';
+//# sourceMappingURL=schema.d.ts.map

package/options/schema.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"schema.d.ts","sourceRoot":"","sources":["../../src/options/schema.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AASxB,eAAO,MAAM,iBAAiB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;mBAK5B,CAAC;AAMH,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAC5D,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AACjE,MAAM,MAAM,QAAQ,GAAG,QAAQ,GAAG,aAAa,GAAG,cAAc,CAAC"}

package/options/shared.schemas.d.ts

@@ -0,0 +1,128 @@
+import { z } from 'zod';
+import { RedisConfig } from '../session/transport-session.types';
+/**
+ * Public access configuration for tools/prompts
+ */
+export declare const publicAccessConfigSchema: z.ZodObject<{
+    tools: z.ZodDefault<z.ZodUnion<readonly [z.ZodLiteral<"all">, z.ZodArray<z.ZodString>]>>;
+    prompts: z.ZodDefault<z.ZodUnion<readonly [z.ZodLiteral<"all">, z.ZodArray<z.ZodString>]>>;
+    rateLimit: z.ZodDefault<z.ZodNumber>;
+}, z.core.$strip>;
+export type PublicAccessConfig = z.infer<typeof publicAccessConfigSchema>;
+export type PublicAccessConfigInput = z.input<typeof publicAccessConfigSchema>;
+/**
+ * Local signing configuration (for orchestrated local type)
+ */
+export declare const localSigningConfigSchema: z.ZodObject<{
+    signKey: z.ZodOptional<z.ZodUnion<[z.ZodType<import("../common/jwt.types").JWK, unknown, z.core.$ZodTypeInternals<import("../common/jwt.types").JWK, unknown>>, z.ZodCustom<Uint8Array<ArrayBuffer>, Uint8Array<ArrayBuffer>>]>>;
+    jwks: z.ZodOptional<z.ZodObject<{
+        keys: z.ZodArray<z.ZodType<import("../common/jwt.types").JWK, unknown, z.core.$ZodTypeInternals<import("../common/jwt.types").JWK, unknown>>>;
+    }, z.core.$strip>>;
+    issuer: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>;
+export type LocalSigningConfig = z.infer<typeof localSigningConfigSchema>;
+export type LocalSigningConfigInput = z.input<typeof localSigningConfigSchema>;
+/**
+ * Remote OAuth provider configuration (for orchestrated remote and transparent)
+ */
+export declare const remoteProviderConfigSchema: z.ZodObject<{
+    provider: z.ZodString;
+    name: z.ZodOptional<z.ZodString>;
+    id: z.ZodOptional<z.ZodString>;
+    jwks: z.ZodOptional<z.ZodObject<{
+        keys: z.ZodArray<z.ZodType<import("../common/jwt.types").JWK, unknown, z.core.$ZodTypeInternals<import("../common/jwt.types").JWK, unknown>>>;
+    }, z.core.$strip>>;
+    jwksUri: z.ZodOptional<z.ZodString>;
+    clientId: z.ZodOptional<z.ZodString>;
+    clientSecret: z.ZodOptional<z.ZodString>;
+    scopes: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    dcrEnabled: z.ZodDefault<z.ZodBoolean>;
+    authEndpoint: z.ZodOptional<z.ZodString>;
+    tokenEndpoint: z.ZodOptional<z.ZodString>;
+    registrationEndpoint: z.ZodOptional<z.ZodString>;
+    userInfoEndpoint: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>;
+export type RemoteProviderConfig = z.infer<typeof remoteProviderConfigSchema>;
+export type RemoteProviderConfigInput = z.input<typeof remoteProviderConfigSchema>;
+/**
+ * Token storage configuration for orchestrated mode
+ */
+export declare const tokenStorageConfigSchema: z.ZodDiscriminatedUnion<[z.ZodObject<{
+    type: z.ZodLiteral<"memory">;
+}, z.core.$strip>, z.ZodObject<{
+    type: z.ZodLiteral<"redis">;
+    config: z.ZodObject<{
+        host: z.ZodString;
+        port: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
+        password: z.ZodOptional<z.ZodString>;
+        db: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
+        tls: z.ZodDefault<z.ZodOptional<z.ZodBoolean>>;
+        keyPrefix: z.ZodDefault<z.ZodOptional<z.ZodString>>;
+        defaultTtlMs: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
+    }, z.core.$strip>;
+}, z.core.$strip>], "type">;
+export type TokenStorageConfig = z.infer<typeof tokenStorageConfigSchema>;
+export type TokenStorageConfigInput = z.input<typeof tokenStorageConfigSchema>;
+/**
+ * Token refresh configuration
+ */
+export declare const tokenRefreshConfigSchema: z.ZodObject<{
+    enabled: z.ZodDefault<z.ZodBoolean>;
+    skewSeconds: z.ZodDefault<z.ZodNumber>;
+}, z.core.$strip>;
+export type TokenRefreshConfig = z.infer<typeof tokenRefreshConfigSchema>;
+export type TokenRefreshConfigInput = z.input<typeof tokenRefreshConfigSchema>;
+/**
+ * Behavior when a tool from a skipped (not yet authorized) app is called
+ */
+export declare const skippedAppBehaviorSchema: z.ZodEnum<{
+    anonymous: "anonymous";
+    "require-auth": "require-auth";
+}>;
+export type SkippedAppBehavior = z.infer<typeof skippedAppBehaviorSchema>;
+/**
+ * Consent configuration for tool selection
+ * Allows users to choose which MCP tools to expose to the LLM
+ */
+export declare const consentConfigSchema: z.ZodObject<{
+    enabled: z.ZodDefault<z.ZodBoolean>;
+    groupByApp: z.ZodDefault<z.ZodBoolean>;
+    showDescriptions: z.ZodDefault<z.ZodBoolean>;
+    allowSelectAll: z.ZodDefault<z.ZodBoolean>;
+    requireSelection: z.ZodDefault<z.ZodBoolean>;
+    customMessage: z.ZodOptional<z.ZodString>;
+    rememberConsent: z.ZodDefault<z.ZodBoolean>;
+    excludedTools: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    defaultSelectedTools: z.ZodOptional<z.ZodArray<z.ZodString>>;
+}, z.core.$strip>;
+export type ConsentConfig = z.infer<typeof consentConfigSchema>;
+export type ConsentConfigInput = z.input<typeof consentConfigSchema>;
+/**
+ * Federated authentication configuration
+ */
+export declare const federatedAuthConfigSchema: z.ZodObject<{
+    stateValidation: z.ZodDefault<z.ZodEnum<{
+        format: "format";
+        strict: "strict";
+    }>>;
+}, z.core.$strip>;
+export type FederatedAuthConfig = z.infer<typeof federatedAuthConfigSchema>;
+export type FederatedAuthConfigInput = z.input<typeof federatedAuthConfigSchema>;
+/**
+ * Progressive/Incremental authorization configuration
+ * Allows users to authorize apps one at a time after initial auth
+ */
+export declare const incrementalAuthConfigSchema: z.ZodObject<{
+    enabled: z.ZodDefault<z.ZodBoolean>;
+    skippedAppBehavior: z.ZodDefault<z.ZodEnum<{
+        anonymous: "anonymous";
+        "require-auth": "require-auth";
+    }>>;
+    allowSkip: z.ZodDefault<z.ZodBoolean>;
+    showAllAppsAtOnce: z.ZodDefault<z.ZodBoolean>;
+}, z.core.$strip>;
+export type IncrementalAuthConfig = z.infer<typeof incrementalAuthConfigSchema>;
+export type IncrementalAuthConfigInput = z.input<typeof incrementalAuthConfigSchema>;
+export { cimdCacheConfigSchema, cimdSecurityConfigSchema, cimdNetworkConfigSchema, cimdConfigSchema, type CimdCacheConfig, type CimdSecurityConfig, type CimdNetworkConfig, type CimdConfig, type CimdConfigInput, } from '../cimd';
+export type { RedisConfig };
+//# sourceMappingURL=shared.schemas.d.ts.map

package/options/shared.schemas.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"shared.schemas.d.ts","sourceRoot":"","sources":["../../src/options/shared.schemas.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,OAAO,EAAE,WAAW,EAAqB,MAAM,oCAAoC,CAAC;AAMpF;;GAEG;AACH,eAAO,MAAM,wBAAwB;;;;iBAkBnC,CAAC;AAEH,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,wBAAwB,CAAC,CAAC;AAC1E,MAAM,MAAM,uBAAuB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,wBAAwB,CAAC,CAAC;AAM/E;;GAEG;AACH,eAAO,MAAM,wBAAwB;;;;;;iBAkBnC,CAAC;AAEH,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,wBAAwB,CAAC,CAAC;AAC1E,MAAM,MAAM,uBAAuB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,wBAAwB,CAAC,CAAC;AAM/E;;GAEG;AACH,eAAO,MAAM,0BAA0B;;;;;;;;;;;;;;;;iBAqErC,CAAC;AAEH,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAC9E,MAAM,MAAM,yBAAyB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAMnF;;GAEG;AACH,eAAO,MAAM,wBAAwB;;;;;;;;;;;;;2BAGnC,CAAC;AAEH,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,wBAAwB,CAAC,CAAC;AAC1E,MAAM,MAAM,uBAAuB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,wBAAwB,CAAC,CAAC;AAM/E;;GAEG;AACH,eAAO,MAAM,wBAAwB;;;iBAYnC,CAAC;AAEH,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,wBAAwB,CAAC,CAAC;AAC1E,MAAM,MAAM,uBAAuB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,wBAAwB,CAAC,CAAC;AAM/E;;GAEG;AACH,eAAO,MAAM,wBAAwB;;;EAAwC,CAAC;AAE9E,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,wBAAwB,CAAC,CAAC;AAM1E;;;GAGG;AACH,eAAO,MAAM,mBAAmB;;;;;;;;;;iBAqD9B,CAAC;AAEH,MAAM,MAAM,aAAa,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAChE,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAMrE;;GAEG;AACH,eAAO,MAAM,yBAAyB;;;;;iBAQpC,CAAC;AAEH,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAC;AAC5E,MAAM,MAAM,wBAAwB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAC;AAMjF;;;GAGG;AACH,eAAO,MAAM,2BAA2B;;;;;;;;iBA4BtC,CAAC;AAEH,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,2BAA2B,CAAC,CAAC;AAChF,MAAM,MAAM,0BAA0B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,2BAA2B,CAAC,CAAC;AAMrF,OAAO,EACL,qBAAqB,EACrB,wBAAwB,EACxB,uBAAuB,EACvB,gBAAgB,EAChB,KAAK,eAAe,EACpB,KAAK,kBAAkB,EACvB,KAAK,iBAAiB,EACtB,KAAK,UAAU,EACf,KAAK,eAAe,GACrB,MAAM,SAAS,CAAC;AAGjB,YAAY,EAAE,WAAW,EAAE,CAAC"}

package/options/transparent.schema.d.ts

@@ -0,0 +1,33 @@
+import { z } from 'zod';
+export declare const transparentAuthOptionsSchema: z.ZodObject<{
+    mode: z.ZodLiteral<"transparent">;
+    remote: z.ZodObject<{
+        provider: z.ZodString;
+        name: z.ZodOptional<z.ZodString>;
+        id: z.ZodOptional<z.ZodString>;
+        jwks: z.ZodOptional<z.ZodObject<{
+            keys: z.ZodArray<z.ZodType<import("..").JWK, unknown, z.core.$ZodTypeInternals<import("..").JWK, unknown>>>;
+        }, z.core.$strip>>;
+        jwksUri: z.ZodOptional<z.ZodString>;
+        clientId: z.ZodOptional<z.ZodString>;
+        clientSecret: z.ZodOptional<z.ZodString>;
+        scopes: z.ZodOptional<z.ZodArray<z.ZodString>>;
+        dcrEnabled: z.ZodDefault<z.ZodBoolean>;
+        authEndpoint: z.ZodOptional<z.ZodString>;
+        tokenEndpoint: z.ZodOptional<z.ZodString>;
+        registrationEndpoint: z.ZodOptional<z.ZodString>;
+        userInfoEndpoint: z.ZodOptional<z.ZodString>;
+    }, z.core.$strip>;
+    expectedAudience: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodArray<z.ZodString>]>>;
+    requiredScopes: z.ZodDefault<z.ZodArray<z.ZodString>>;
+    allowAnonymous: z.ZodDefault<z.ZodBoolean>;
+    anonymousScopes: z.ZodDefault<z.ZodArray<z.ZodString>>;
+    publicAccess: z.ZodOptional<z.ZodObject<{
+        tools: z.ZodDefault<z.ZodUnion<readonly [z.ZodLiteral<"all">, z.ZodArray<z.ZodString>]>>;
+        prompts: z.ZodDefault<z.ZodUnion<readonly [z.ZodLiteral<"all">, z.ZodArray<z.ZodString>]>>;
+        rateLimit: z.ZodDefault<z.ZodNumber>;
+    }, z.core.$strip>>;
+}, z.core.$strip>;
+export type TransparentAuthOptions = z.infer<typeof transparentAuthOptionsSchema>;
+export type TransparentAuthOptionsInput = z.input<typeof transparentAuthOptionsSchema>;
+//# sourceMappingURL=transparent.schema.d.ts.map

package/options/transparent.schema.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"transparent.schema.d.ts","sourceRoot":"","sources":["../../src/options/transparent.schema.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAQxB,eAAO,MAAM,4BAA4B;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBAqCvC,CAAC;AAMH,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,4BAA4B,CAAC,CAAC;AAClF,MAAM,MAAM,2BAA2B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,4BAA4B,CAAC,CAAC"}

package/options/typecheck.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=typecheck.d.ts.map

package/options/typecheck.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"typecheck.d.ts","sourceRoot":"","sources":["../../src/options/typecheck.ts"],"names":[],"mappings":"AA2EA,OAAO,EAAE,CAAC"}

package/options/utils.d.ts

@@ -0,0 +1,33 @@
+import { AuthOptions, AuthOptionsInput } from './schema';
+import { PublicAuthOptions } from './public.schema';
+import { TransparentAuthOptions } from './transparent.schema';
+import { OrchestratedAuthOptions, OrchestratedLocalOptions, OrchestratedRemoteOptions } from './orchestrated.schema';
+/**
+ * Parse and validate auth options with defaults
+ */
+export declare function parseAuthOptions(input: AuthOptionsInput): AuthOptions;
+/**
+ * Check if options are public mode
+ */
+export declare function isPublicMode(options: AuthOptions | AuthOptionsInput): options is PublicAuthOptions;
+/**
+ * Check if options are transparent mode
+ */
+export declare function isTransparentMode(options: AuthOptions | AuthOptionsInput): options is TransparentAuthOptions;
+/**
+ * Check if options are orchestrated mode
+ */
+export declare function isOrchestratedMode(options: AuthOptions | AuthOptionsInput): options is OrchestratedAuthOptions;
+/**
+ * Check if orchestrated options are local type
+ */
+export declare function isOrchestratedLocal(options: OrchestratedAuthOptions): options is OrchestratedLocalOptions;
+/**
+ * Check if orchestrated options are remote type
+ */
+export declare function isOrchestratedRemote(options: OrchestratedAuthOptions): options is OrchestratedRemoteOptions;
+/**
+ * Check if options allow public/anonymous access
+ */
+export declare function allowsPublicAccess(options: AuthOptions): boolean;
+//# sourceMappingURL=utils.d.ts.map

package/options/utils.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../../src/options/utils.ts"],"names":[],"mappings":"AAGA,OAAO,EAAqB,WAAW,EAAE,gBAAgB,EAAE,MAAM,UAAU,CAAC;AAC5E,OAAO,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AACpD,OAAO,EAAE,sBAAsB,EAAE,MAAM,sBAAsB,CAAC;AAC9D,OAAO,EAAE,uBAAuB,EAAE,wBAAwB,EAAE,yBAAyB,EAAE,MAAM,uBAAuB,CAAC;AAMrH;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,gBAAgB,GAAG,WAAW,CAErE;AAMD;;GAEG;AACH,wBAAgB,YAAY,CAAC,OAAO,EAAE,WAAW,GAAG,gBAAgB,GAAG,OAAO,IAAI,iBAAiB,CAElG;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,WAAW,GAAG,gBAAgB,GAAG,OAAO,IAAI,sBAAsB,CAE5G;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,WAAW,GAAG,gBAAgB,GAAG,OAAO,IAAI,uBAAuB,CAE9G;AAMD;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,OAAO,EAAE,uBAAuB,GAAG,OAAO,IAAI,wBAAwB,CAEzG;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,uBAAuB,GAAG,OAAO,IAAI,yBAAyB,CAE3G;AAMD;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,CAKhE"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@frontmcp/auth",
-  "version": "0.9.0",
+  "version": "0.11.0",
   "description": "FrontMCP Auth - Authentication, session management, and credential vault",
   "author": "AgentFront <info@agentfront.dev>",
   "homepage": "https://docs.agentfront.dev",
@@ -47,10 +47,25 @@
     "node": ">=22.0.0"
   },
   "peerDependencies": {
-    "zod": "^4.0.0"
+    "zod": "^4.0.0",
+    "ioredis": "^5.0.0",
+    "@vercel/kv": "^3.0.0",
+    "@frontmcp/storage-sqlite": "0.11.0"
+  },
+  "peerDependenciesMeta": {
+    "ioredis": {
+      "optional": true
+    },
+    "@vercel/kv": {
+      "optional": true
+    },
+    "@frontmcp/storage-sqlite": {
+      "optional": true
+    }
   },
   "dependencies": {
-    "@frontmcp/utils": "0.9.0",
+    "@frontmcp/utils": "0.11.0",
+    "@frontmcp/di": "0.11.0",
     "jose": "^6.0.0"
   },
   "devDependencies": {