@frontmcp/plugin-approval 0.0.1 → 0.7.0

package/approval/errors.d.ts

@@ -0,0 +1,149 @@
+/**
+ * Error classes for approval operations.
+ *
+ * These are standalone error classes that can be extended by plugins
+ * for MCP-specific error handling.
+ *
+ * @module @frontmcp/utils/approval
+ */
+import type { ApprovalScope } from './types';
+/**
+ * Base class for approval-related errors.
+ */
+export declare class ApprovalError extends Error {
+    constructor(message: string);
+}
+/**
+ * Error thrown when tool approval is required but not granted.
+ */
+export declare class ApprovalRequiredError extends ApprovalError {
+    readonly details: {
+        /** Tool identifier */
+        toolId: string;
+        /** Current approval state */
+        state: 'pending' | 'denied' | 'expired';
+        /** User-facing message */
+        message: string;
+        /** Available approval options (for UI) */
+        approvalOptions?: {
+            allowedScopes?: ApprovalScope[];
+            defaultScope?: ApprovalScope;
+            maxTtlMs?: number;
+            category?: string;
+            riskLevel?: string;
+        };
+    };
+    constructor(details: {
+        /** Tool identifier */
+        toolId: string;
+        /** Current approval state */
+        state: 'pending' | 'denied' | 'expired';
+        /** User-facing message */
+        message: string;
+        /** Available approval options (for UI) */
+        approvalOptions?: {
+            allowedScopes?: ApprovalScope[];
+            defaultScope?: ApprovalScope;
+            maxTtlMs?: number;
+            category?: string;
+            riskLevel?: string;
+        };
+    });
+    /**
+     * Convert to a JSON-RPC compatible error structure.
+     */
+    toJsonRpcError(): {
+        code: number;
+        message: string;
+        data: {
+            type: string;
+            toolId: string;
+            state: "pending" | "denied" | "expired";
+            options: {
+                allowedScopes?: ApprovalScope[];
+                defaultScope?: ApprovalScope;
+                maxTtlMs?: number;
+                category?: string;
+                riskLevel?: string;
+            } | undefined;
+        };
+    };
+}
+/**
+ * Error thrown when approval operation fails.
+ */
+export declare class ApprovalOperationError extends ApprovalError {
+    readonly operation: 'grant' | 'revoke' | 'query';
+    readonly reason: string;
+    constructor(operation: 'grant' | 'revoke' | 'query', reason: string);
+    /**
+     * Convert to a JSON-RPC compatible error structure.
+     */
+    toJsonRpcError(): {
+        code: number;
+        message: string;
+        data: {
+            type: string;
+            operation: "grant" | "revoke" | "query";
+        };
+    };
+}
+/**
+ * Error thrown when approval scope is not allowed.
+ */
+export declare class ApprovalScopeNotAllowedError extends ApprovalError {
+    readonly requestedScope: ApprovalScope;
+    readonly allowedScopes: ApprovalScope[];
+    constructor(requestedScope: ApprovalScope, allowedScopes: ApprovalScope[]);
+    /**
+     * Convert to a JSON-RPC compatible error structure.
+     */
+    toJsonRpcError(): {
+        code: number;
+        message: string;
+        data: {
+            type: string;
+            requestedScope: ApprovalScope;
+            allowedScopes: ApprovalScope[];
+        };
+    };
+}
+/**
+ * Error thrown when approval has expired.
+ */
+export declare class ApprovalExpiredError extends ApprovalError {
+    readonly toolId: string;
+    readonly expiredAt: number;
+    constructor(toolId: string, expiredAt: number);
+    /**
+     * Convert to a JSON-RPC compatible error structure.
+     */
+    toJsonRpcError(): {
+        code: number;
+        message: string;
+        data: {
+            type: string;
+            toolId: string;
+            expiredAt: number;
+        };
+    };
+}
+/**
+ * Error thrown when PKCE challenge validation fails.
+ */
+export declare class ChallengeValidationError extends ApprovalError {
+    readonly reason: 'invalid' | 'expired' | 'not_found' | 'already_used';
+    constructor(reason?: 'invalid' | 'expired' | 'not_found' | 'already_used', message?: string);
+    /**
+     * Convert to a JSON-RPC compatible error structure.
+     */
+    toJsonRpcError(): {
+        code: number;
+        message: string;
+        data: {
+            type: string;
+            reason: "expired" | "invalid" | "not_found" | "already_used";
+        };
+    };
+}
+//# sourceMappingURL=errors.d.ts.map

package/approval/errors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../../src/approval/errors.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAE7C;;GAEG;AACH,qBAAa,aAAc,SAAQ,KAAK;gBAC1B,OAAO,EAAE,MAAM;CAI5B;AAED;;GAEG;AACH,qBAAa,qBAAsB,SAAQ,aAAa;aAEpC,OAAO,EAAE;QACvB,sBAAsB;QACtB,MAAM,EAAE,MAAM,CAAC;QACf,6BAA6B;QAC7B,KAAK,EAAE,SAAS,GAAG,QAAQ,GAAG,SAAS,CAAC;QACxC,0BAA0B;QAC1B,OAAO,EAAE,MAAM,CAAC;QAChB,0CAA0C;QAC1C,eAAe,CAAC,EAAE;YAChB,aAAa,CAAC,EAAE,aAAa,EAAE,CAAC;YAChC,YAAY,CAAC,EAAE,aAAa,CAAC;YAC7B,QAAQ,CAAC,EAAE,MAAM,CAAC;YAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;YAClB,SAAS,CAAC,EAAE,MAAM,CAAC;SACpB,CAAC;KACH;gBAfe,OAAO,EAAE;QACvB,sBAAsB;QACtB,MAAM,EAAE,MAAM,CAAC;QACf,6BAA6B;QAC7B,KAAK,EAAE,SAAS,GAAG,QAAQ,GAAG,SAAS,CAAC;QACxC,0BAA0B;QAC1B,OAAO,EAAE,MAAM,CAAC;QAChB,0CAA0C;QAC1C,eAAe,CAAC,EAAE;YAChB,aAAa,CAAC,EAAE,aAAa,EAAE,CAAC;YAChC,YAAY,CAAC,EAAE,aAAa,CAAC;YAC7B,QAAQ,CAAC,EAAE,MAAM,CAAC;YAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;YAClB,SAAS,CAAC,EAAE,MAAM,CAAC;SACpB,CAAC;KACH;IAMH;;OAEG;IACH,cAAc;;;;;;;;gCAfQ,aAAa,EAAE;+BAChB,aAAa;2BACjB,MAAM;2BACN,MAAM;4BACL,MAAM;;;;CAuBzB;AAED;;GAEG;AACH,qBAAa,sBAAuB,SAAQ,aAAa;aAC3B,SAAS,EAAE,OAAO,GAAG,QAAQ,GAAG,OAAO;aAAkB,MAAM,EAAE,MAAM;gBAAvE,SAAS,EAAE,OAAO,GAAG,QAAQ,GAAG,OAAO,EAAkB,MAAM,EAAE,MAAM;IAKnG;;OAEG;IACH,cAAc;;;;;;;;CAUf;AAED;;GAEG;AACH,qBAAa,4BAA6B,SAAQ,aAAa;aACjC,cAAc,EAAE,aAAa;aAAkB,aAAa,EAAE,aAAa,EAAE;gBAA7E,cAAc,EAAE,aAAa,EAAkB,aAAa,EAAE,aAAa,EAAE;IAQzG;;OAEG;IACH,cAAc;;;;;;;;;CAWf;AAED;;GAEG;AACH,qBAAa,oBAAqB,SAAQ,aAAa;aACzB,MAAM,EAAE,MAAM;aAAkB,SAAS,EAAE,MAAM;gBAAjD,MAAM,EAAE,MAAM,EAAkB,SAAS,EAAE,MAAM;IAK7E;;OAEG;IACH,cAAc;;;;;;;;;CAWf;AAED;;GAEG;AACH,qBAAa,wBAAyB,SAAQ,aAAa;aAEvC,MAAM,EAAE,SAAS,GAAG,SAAS,GAAG,WAAW,GAAG,cAAc;gBAA5D,MAAM,GAAE,SAAS,GAAG,SAAS,GAAG,WAAW,GAAG,cAA0B,EACxF,OAAO,CAAC,EAAE,MAAM;IAMlB;;OAEG;IACH,cAAc;;;;;;;;CAUf"}

package/approval/factories.d.ts

@@ -0,0 +1,251 @@
+/**
+ * Factory functions for creating approval grantors and revokers.
+ *
+ * These helpers make it easy to create properly-typed grantor/revoker objects
+ * for common scenarios.
+ *
+ * @example
+ * ```typescript
+ * import { userGrantor, testGrantor, policyGrantor } from '@frontmcp/utils';
+ *
+ * // In tests
+ * await store.grantApproval({
+ *   toolId: 'my-tool',
+ *   scope: ApprovalScope.SESSION,
+ *   grantedBy: testGrantor(),
+ * });
+ *
+ * // In production
+ * await store.grantApproval({
+ *   toolId: 'my-tool',
+ *   scope: ApprovalScope.SESSION,
+ *   grantedBy: userGrantor('user-123', 'John Doe'),
+ * });
+ * ```
+ *
+ * @module @frontmcp/utils/approval
+ */
+import type { ApprovalGrantor, ApprovalRevoker, ApprovalSourceType, RevocationSourceType, DelegationContext, ApprovalMethod } from './types';
+/**
+ * Create a user grantor for interactive approvals.
+ *
+ * @param userId - The user's unique identifier
+ * @param displayName - Human-readable name for display
+ * @param options - Additional options (method, origin)
+ * @returns ApprovalGrantor object
+ *
+ * @example
+ * ```typescript
+ * grantedBy: userGrantor('user-123', 'John Doe')
+ * // => { source: 'user', identifier: 'user-123', displayName: 'John Doe', method: 'interactive' }
+ * ```
+ */
+export declare function userGrantor(userId: string, displayName?: string, options?: {
+    method?: ApprovalMethod;
+    origin?: string;
+}): ApprovalGrantor;
+/**
+ * Create a policy grantor for auto-approved tools.
+ *
+ * @param policyId - The policy's unique identifier
+ * @param policyName - Human-readable policy name
+ * @returns ApprovalGrantor object
+ *
+ * @example
+ * ```typescript
+ * grantedBy: policyGrantor('safe-list', 'Safe Tools Policy')
+ * // => { source: 'policy', identifier: 'safe-list', displayName: 'Safe Tools Policy', method: 'implicit' }
+ * ```
+ */
+export declare function policyGrantor(policyId: string, policyName?: string): ApprovalGrantor;
+/**
+ * Create an admin grantor for administrator overrides.
+ *
+ * @param adminId - The admin's unique identifier
+ * @param displayName - Human-readable name for display
+ * @param options - Additional options (method, origin)
+ * @returns ApprovalGrantor object
+ *
+ * @example
+ * ```typescript
+ * grantedBy: adminGrantor('admin-456', 'Super Admin')
+ * // => { source: 'admin', identifier: 'admin-456', displayName: 'Super Admin', method: 'interactive' }
+ * ```
+ */
+export declare function adminGrantor(adminId: string, displayName?: string, options?: {
+    method?: ApprovalMethod;
+    origin?: string;
+}): ApprovalGrantor;
+/**
+ * Create a system grantor for system-level approvals.
+ *
+ * @param systemId - Optional system identifier (defaults to 'system')
+ * @returns ApprovalGrantor object
+ *
+ * @example
+ * ```typescript
+ * grantedBy: systemGrantor()
+ * // => { source: 'system', identifier: 'system', method: 'implicit' }
+ * ```
+ */
+export declare function systemGrantor(systemId?: string): ApprovalGrantor;
+/**
+ * Create an agent grantor for AI agents with delegated authority.
+ *
+ * @param agentId - The agent's unique identifier
+ * @param delegationContext - Who authorized the agent and constraints
+ * @param displayName - Human-readable agent name
+ * @returns ApprovalGrantor object
+ *
+ * @example
+ * ```typescript
+ * grantedBy: agentGrantor('claude-code', {
+ *   delegatorId: 'user-123',
+ *   delegateId: 'claude-code',
+ *   purpose: 'code editing',
+ *   constraints: { paths: ['/home/user/project'] },
+ * }, 'Claude Code Assistant')
+ * ```
+ */
+export declare function agentGrantor(agentId: string, delegationContext: DelegationContext, displayName?: string): ApprovalGrantor;
+/**
+ * Create an API grantor for external API integrations.
+ *
+ * @param apiKeyPrefix - Prefix of the API key (for audit, not full key)
+ * @param serviceName - Name of the external service
+ * @returns ApprovalGrantor object
+ *
+ * @example
+ * ```typescript
+ * grantedBy: apiGrantor('sk_live_...abc', 'GitHub Actions')
+ * // => { source: 'api', identifier: 'sk_live_...abc', displayName: 'GitHub Actions', method: 'api' }
+ * ```
+ */
+export declare function apiGrantor(apiKeyPrefix: string, serviceName?: string): ApprovalGrantor;
+/**
+ * Create an OAuth grantor for OAuth token grants.
+ *
+ * @param tokenId - Token identifier or subject
+ * @param provider - OAuth provider name
+ * @returns ApprovalGrantor object
+ *
+ * @example
+ * ```typescript
+ * grantedBy: oauthGrantor('token-xyz', 'Google')
+ * // => { source: 'oauth', identifier: 'token-xyz', displayName: 'Google', method: 'api', origin: 'oauth' }
+ * ```
+ */
+export declare function oauthGrantor(tokenId: string, provider?: string): ApprovalGrantor;
+/**
+ * Create a test grantor for test environments.
+ * Use this in tests to avoid TypeScript errors with the old hardcoded types.
+ *
+ * @returns ApprovalGrantor object
+ *
+ * @example
+ * ```typescript
+ * // In tests
+ * await store.grantApproval({
+ *   toolId: 'tool-1',
+ *   scope: ApprovalScope.SESSION,
+ *   grantedBy: testGrantor(),
+ * });
+ * ```
+ */
+export declare function testGrantor(): ApprovalGrantor;
+/**
+ * Create a custom grantor for vendor-specific sources.
+ *
+ * @param source - Custom source type string
+ * @param identifier - Optional identifier
+ * @param options - Additional options
+ * @returns ApprovalGrantor object
+ *
+ * @example
+ * ```typescript
+ * // Vendor-specific RBAC
+ * grantedBy: customGrantor('frontcloud-rbac', 'role:admin', {
+ *   displayName: 'Admin Role',
+ *   method: 'implicit',
+ *   origin: 'frontcloud-iam',
+ * })
+ * ```
+ */
+export declare function customGrantor(source: string, identifier?: string, options?: {
+    displayName?: string;
+    method?: ApprovalMethod;
+    origin?: string;
+    delegationContext?: DelegationContext;
+}): ApprovalGrantor;
+/**
+ * Create a user revoker for interactive revocations.
+ *
+ * @param userId - The user's unique identifier
+ * @param displayName - Human-readable name for display
+ * @returns ApprovalRevoker object
+ */
+export declare function userRevoker(userId: string, displayName?: string): ApprovalRevoker;
+/**
+ * Create an admin revoker for administrator revocations.
+ *
+ * @param adminId - The admin's unique identifier
+ * @param displayName - Human-readable name for display
+ * @returns ApprovalRevoker object
+ */
+export declare function adminRevoker(adminId: string, displayName?: string): ApprovalRevoker;
+/**
+ * Create an expiry revoker for TTL-based revocations.
+ *
+ * @returns ApprovalRevoker object
+ */
+export declare function expiryRevoker(): ApprovalRevoker;
+/**
+ * Create a session end revoker for session cleanup.
+ *
+ * @param sessionId - The session that ended
+ * @returns ApprovalRevoker object
+ */
+export declare function sessionEndRevoker(sessionId?: string): ApprovalRevoker;
+/**
+ * Create a policy revoker for policy-based revocations.
+ *
+ * @param policyId - The policy's unique identifier
+ * @param policyName - Human-readable policy name
+ * @returns ApprovalRevoker object
+ */
+export declare function policyRevoker(policyId: string, policyName?: string): ApprovalRevoker;
+/**
+ * Normalize a grantedBy input to the structured ApprovalGrantor format.
+ * Accepts either a simple string source type or a full ApprovalGrantor object.
+ *
+ * @param input - String source type or ApprovalGrantor object
+ * @returns Normalized ApprovalGrantor object
+ *
+ * @example
+ * ```typescript
+ * normalizeGrantor('user')
+ * // => { source: 'user' }
+ *
+ * normalizeGrantor({ source: 'user', identifier: 'user-123' })
+ * // => { source: 'user', identifier: 'user-123' }
+ * ```
+ */
+export declare function normalizeGrantor(input: ApprovalGrantor | ApprovalSourceType | undefined): ApprovalGrantor;
+/**
+ * Normalize a revokedBy input to the structured ApprovalRevoker format.
+ * Accepts either a simple string source type or a full ApprovalRevoker object.
+ *
+ * @param input - String source type or ApprovalRevoker object
+ * @returns Normalized ApprovalRevoker object
+ *
+ * @example
+ * ```typescript
+ * normalizeRevoker('expiry')
+ * // => { source: 'expiry' }
+ *
+ * normalizeRevoker({ source: 'admin', identifier: 'admin-456' })
+ * // => { source: 'admin', identifier: 'admin-456' }
+ * ```
+ */
+export declare function normalizeRevoker(input: ApprovalRevoker | RevocationSourceType | undefined): ApprovalRevoker;
+//# sourceMappingURL=factories.d.ts.map

package/approval/factories.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"factories.d.ts","sourceRoot":"","sources":["../../src/approval/factories.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AAEH,OAAO,KAAK,EACV,eAAe,EACf,eAAe,EACf,kBAAkB,EAClB,oBAAoB,EACpB,iBAAiB,EACjB,cAAc,EACf,MAAM,SAAS,CAAC;AAMjB;;;;;;;;;;;;;GAaG;AACH,wBAAgB,WAAW,CACzB,MAAM,EAAE,MAAM,EACd,WAAW,CAAC,EAAE,MAAM,EACpB,OAAO,CAAC,EAAE;IAAE,MAAM,CAAC,EAAE,cAAc,CAAC;IAAC,MAAM,CAAC,EAAE,MAAM,CAAA;CAAE,GACrD,eAAe,CAQjB;AAED;;;;;;;;;;;;GAYG;AACH,wBAAgB,aAAa,CAAC,QAAQ,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,MAAM,GAAG,eAAe,CAOpF;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAgB,YAAY,CAC1B,OAAO,EAAE,MAAM,EACf,WAAW,CAAC,EAAE,MAAM,EACpB,OAAO,CAAC,EAAE;IAAE,MAAM,CAAC,EAAE,cAAc,CAAC;IAAC,MAAM,CAAC,EAAE,MAAM,CAAA;CAAE,GACrD,eAAe,CAQjB;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,aAAa,CAAC,QAAQ,SAAW,GAAG,eAAe,CAMlE;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,YAAY,CAC1B,OAAO,EAAE,MAAM,EACf,iBAAiB,EAAE,iBAAiB,EACpC,WAAW,CAAC,EAAE,MAAM,GACnB,eAAe,CAQjB;AAED;;;;;;;;;;;;GAYG;AACH,wBAAgB,UAAU,CAAC,YAAY,EAAE,MAAM,EAAE,WAAW,CAAC,EAAE,MAAM,GAAG,eAAe,CAQtF;AAED;;;;;;;;;;;;GAYG;AACH,wBAAgB,YAAY,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,eAAe,CAQhF;AAED;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,WAAW,IAAI,eAAe,CAM7C;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,aAAa,CAC3B,MAAM,EAAE,MAAM,EACd,UAAU,CAAC,EAAE,MAAM,EACnB,OAAO,CAAC,EAAE;IACR,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,MAAM,CAAC,EAAE,cAAc,CAAC;IACxB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,iBAAiB,CAAC,EAAE,iBAAiB,CAAC;CACvC,GACA,eAAe,CASjB;AAMD;;;;;;GAMG;AACH,wBAAgB,WAAW,CAAC,MAAM,EAAE,MAAM,EAAE,WAAW,CAAC,EAAE,MAAM,GAAG,eAAe,CAOjF;AAED;;;;;;GAMG;AACH,wBAAgB,YAAY,CAAC,OAAO,EAAE,MAAM,EAAE,WAAW,CAAC,EAAE,MAAM,GAAG,eAAe,CAOnF;AAED;;;;GAIG;AACH,wBAAgB,aAAa,IAAI,eAAe,CAK/C;AAED;;;;;GAKG;AACH,wBAAgB,iBAAiB,CAAC,SAAS,CAAC,EAAE,MAAM,GAAG,eAAe,CAMrE;AAED;;;;;;GAMG;AACH,wBAAgB,aAAa,CAAC,QAAQ,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,MAAM,GAAG,eAAe,CAOpF;AAMD;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,eAAe,GAAG,kBAAkB,GAAG,SAAS,GAAG,eAAe,CAQzG;AAED;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,eAAe,GAAG,oBAAoB,GAAG,SAAS,GAAG,eAAe,CAQ3G"}

package/approval/guards.d.ts

@@ -0,0 +1,61 @@
+/**
+ * Type guards for approval types.
+ *
+ * @module @frontmcp/utils/approval
+ */
+import type { ApprovalGrantor, ApprovalSourceType } from './types';
+/**
+ * Check if a grantor is of a specific source type.
+ *
+ * @param grantor - The grantor to check
+ * @param source - The source type to check for
+ * @returns true if the grantor matches the source type
+ */
+export declare function isGrantorSource(grantor: ApprovalGrantor, source: ApprovalSourceType): boolean;
+/**
+ * Check if a grantor was granted by a human (user or admin).
+ *
+ * @param grantor - The grantor to check
+ * @returns true if granted by a human
+ */
+export declare function isHumanGrantor(grantor: ApprovalGrantor): boolean;
+/**
+ * Check if a grantor was auto-granted (policy, system, test).
+ *
+ * @param grantor - The grantor to check
+ * @returns true if auto-granted
+ */
+export declare function isAutoGrantor(grantor: ApprovalGrantor): boolean;
+/**
+ * Check if a grantor was delegated (agent with delegation context).
+ *
+ * @param grantor - The grantor to check
+ * @returns true if delegated
+ */
+export declare function isDelegatedGrantor(grantor: ApprovalGrantor): boolean;
+/**
+ * Check if a grantor is from an API source (api or oauth).
+ *
+ * @param grantor - The grantor to check
+ * @returns true if from API
+ */
+export declare function isApiGrantor(grantor: ApprovalGrantor): boolean;
+/**
+ * Check if a grantor has an identifier.
+ *
+ * @param grantor - The grantor to check
+ * @returns true if has identifier
+ */
+export declare function hasGrantorIdentifier(grantor: ApprovalGrantor): grantor is ApprovalGrantor & {
+    identifier: string;
+};
+/**
+ * Check if a grantor has display name.
+ *
+ * @param grantor - The grantor to check
+ * @returns true if has display name
+ */
+export declare function hasGrantorDisplayName(grantor: ApprovalGrantor): grantor is ApprovalGrantor & {
+    displayName: string;
+};
+//# sourceMappingURL=guards.d.ts.map

package/approval/guards.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"guards.d.ts","sourceRoot":"","sources":["../../src/approval/guards.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,kBAAkB,EAAE,MAAM,SAAS,CAAC;AAEnE;;;;;;GAMG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,eAAe,EAAE,MAAM,EAAE,kBAAkB,GAAG,OAAO,CAE7F;AAED;;;;;GAKG;AACH,wBAAgB,cAAc,CAAC,OAAO,EAAE,eAAe,GAAG,OAAO,CAEhE;AAED;;;;;GAKG;AACH,wBAAgB,aAAa,CAAC,OAAO,EAAE,eAAe,GAAG,OAAO,CAE/D;AAED;;;;;GAKG;AACH,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,eAAe,GAAG,OAAO,CAEpE;AAED;;;;;GAKG;AACH,wBAAgB,YAAY,CAAC,OAAO,EAAE,eAAe,GAAG,OAAO,CAE9D;AAED;;;;;GAKG;AACH,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,eAAe,GAAG,OAAO,IAAI,eAAe,GAAG;IAAE,UAAU,EAAE,MAAM,CAAA;CAAE,CAElH;AAED;;;;;GAKG;AACH,wBAAgB,qBAAqB,CAAC,OAAO,EAAE,eAAe,GAAG,OAAO,IAAI,eAAe,GAAG;IAAE,WAAW,EAAE,MAAM,CAAA;CAAE,CAEpH"}

package/approval/index.d.ts

@@ -0,0 +1,43 @@
+/**
+ * Approval utilities for tool authorization flows.
+ *
+ * Provides types, schemas, factories, guards, and errors for implementing
+ * tool approval systems with full audit trail support.
+ *
+ * @module @frontmcp/plugin-approval
+ *
+ * @example
+ * ```typescript
+ * import {
+ *   ApprovalScope,
+ *   ApprovalState,
+ *   userGrantor,
+ *   testGrantor,
+ *   isHumanGrantor,
+ *   approvalRecordSchema,
+ * } from '@frontmcp/plugin-approval';
+ *
+ * // Create an approval record
+ * const record = {
+ *   toolId: 'file_write',
+ *   state: ApprovalState.APPROVED,
+ *   scope: ApprovalScope.SESSION,
+ *   grantedAt: Date.now(),
+ *   grantedBy: userGrantor('user-123', 'John Doe'),
+ * };
+ *
+ * // Validate with Zod
+ * const validated = approvalRecordSchema.parse(record);
+ *
+ * // Check grantor type
+ * if (isHumanGrantor(record.grantedBy)) {
+ *   console.log('Approved by human');
+ * }
+ * ```
+ */
+export { ApprovalScope, ApprovalState, type ApprovalContext, type ApprovalSourceType, type ApprovalMethod, type DelegationContext, type ApprovalGrantor, type RevocationSourceType, type RevocationMethod, type ApprovalRevoker, type ApprovalRecord, type ApprovalCategory, type RiskLevel, type ToolApprovalRequirement, } from './types';
+export { approvalScopeSchema, approvalStateSchema, approvalMethodSchema, approvalSourceTypeSchema, revocationMethodSchema, approvalCategorySchema, riskLevelSchema, approvalContextSchema, delegationContextSchema, approvalGrantorSchema, approvalRevokerSchema, approvalRecordSchema, toolApprovalRequirementSchema, type ApprovalContextInput, type DelegationContextInput, type ApprovalGrantorInput, type ApprovalRevokerInput, type ApprovalRecordInput, type ToolApprovalRequirementInput, } from './schemas';
+export { userGrantor, policyGrantor, adminGrantor, systemGrantor, agentGrantor, apiGrantor, oauthGrantor, testGrantor, customGrantor, userRevoker, adminRevoker, expiryRevoker, sessionEndRevoker, policyRevoker, normalizeGrantor, normalizeRevoker, } from './factories';
+export { isGrantorSource, isHumanGrantor, isAutoGrantor, isDelegatedGrantor, isApiGrantor, hasGrantorIdentifier, hasGrantorDisplayName, } from './guards';
+export { ApprovalError, ApprovalRequiredError, ApprovalOperationError, ApprovalScopeNotAllowedError, ApprovalExpiredError, ChallengeValidationError, } from './errors';
+//# sourceMappingURL=index.d.ts.map

package/approval/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/approval/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAoCG;AAGH,OAAO,EAEL,aAAa,EACb,aAAa,EAEb,KAAK,eAAe,EACpB,KAAK,kBAAkB,EACvB,KAAK,cAAc,EACnB,KAAK,iBAAiB,EACtB,KAAK,eAAe,EACpB,KAAK,oBAAoB,EACzB,KAAK,gBAAgB,EACrB,KAAK,eAAe,EACpB,KAAK,cAAc,EACnB,KAAK,gBAAgB,EACrB,KAAK,SAAS,EACd,KAAK,uBAAuB,GAC7B,MAAM,SAAS,CAAC;AAGjB,OAAO,EACL,mBAAmB,EACnB,mBAAmB,EACnB,oBAAoB,EACpB,wBAAwB,EACxB,sBAAsB,EACtB,sBAAsB,EACtB,eAAe,EACf,qBAAqB,EACrB,uBAAuB,EACvB,qBAAqB,EACrB,qBAAqB,EACrB,oBAAoB,EACpB,6BAA6B,EAE7B,KAAK,oBAAoB,EACzB,KAAK,sBAAsB,EAC3B,KAAK,oBAAoB,EACzB,KAAK,oBAAoB,EACzB,KAAK,mBAAmB,EACxB,KAAK,4BAA4B,GAClC,MAAM,WAAW,CAAC;AAGnB,OAAO,EAEL,WAAW,EACX,aAAa,EACb,YAAY,EACZ,aAAa,EACb,YAAY,EACZ,UAAU,EACV,YAAY,EACZ,WAAW,EACX,aAAa,EAEb,WAAW,EACX,YAAY,EACZ,aAAa,EACb,iBAAiB,EACjB,aAAa,EAEb,gBAAgB,EAChB,gBAAgB,GACjB,MAAM,aAAa,CAAC;AAGrB,OAAO,EACL,eAAe,EACf,cAAc,EACd,aAAa,EACb,kBAAkB,EAClB,YAAY,EACZ,oBAAoB,EACpB,qBAAqB,GACtB,MAAM,UAAU,CAAC;AAGlB,OAAO,EACL,aAAa,EACb,qBAAqB,EACrB,sBAAsB,EACtB,4BAA4B,EAC5B,oBAAoB,EACpB,wBAAwB,GACzB,MAAM,UAAU,CAAC"}