@frontmcp/plugin-approval 0.0.1 → 0.7.1

package/approval/schemas.d.ts

@@ -0,0 +1,179 @@
+/**
+ * Zod validation schemas for approval types.
+ *
+ * @module @frontmcp/utils/approval
+ */
+import { z } from 'zod';
+import { ApprovalScope, ApprovalState } from './types';
+export declare const approvalScopeSchema: z.ZodEnum<typeof ApprovalScope>;
+export declare const approvalStateSchema: z.ZodEnum<typeof ApprovalState>;
+export declare const approvalMethodSchema: z.ZodEnum<{
+    api: "api";
+    interactive: "interactive";
+    implicit: "implicit";
+    delegation: "delegation";
+    batch: "batch";
+}>;
+export declare const approvalSourceTypeSchema: z.ZodString;
+export declare const revocationMethodSchema: z.ZodEnum<{
+    policy: "policy";
+    interactive: "interactive";
+    implicit: "implicit";
+    expiry: "expiry";
+}>;
+export declare const approvalCategorySchema: z.ZodEnum<{
+    admin: "admin";
+    read: "read";
+    write: "write";
+    delete: "delete";
+    execute: "execute";
+}>;
+export declare const riskLevelSchema: z.ZodEnum<{
+    low: "low";
+    medium: "medium";
+    high: "high";
+    critical: "critical";
+}>;
+export declare const approvalContextSchema: z.ZodObject<{
+    type: z.ZodString;
+    identifier: z.ZodString;
+    metadata: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+}, z.core.$strip>;
+export declare const delegationContextSchema: z.ZodObject<{
+    delegatorId: z.ZodString;
+    delegateId: z.ZodString;
+    purpose: z.ZodOptional<z.ZodString>;
+    constraints: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+}, z.core.$strip>;
+export declare const approvalGrantorSchema: z.ZodObject<{
+    source: z.ZodString;
+    identifier: z.ZodOptional<z.ZodString>;
+    displayName: z.ZodOptional<z.ZodString>;
+    method: z.ZodOptional<z.ZodEnum<{
+        api: "api";
+        interactive: "interactive";
+        implicit: "implicit";
+        delegation: "delegation";
+        batch: "batch";
+    }>>;
+    origin: z.ZodOptional<z.ZodString>;
+    delegationContext: z.ZodOptional<z.ZodObject<{
+        delegatorId: z.ZodString;
+        delegateId: z.ZodString;
+        purpose: z.ZodOptional<z.ZodString>;
+        constraints: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+    }, z.core.$strip>>;
+}, z.core.$strip>;
+export declare const approvalRevokerSchema: z.ZodObject<{
+    source: z.ZodString;
+    identifier: z.ZodOptional<z.ZodString>;
+    displayName: z.ZodOptional<z.ZodString>;
+    method: z.ZodOptional<z.ZodEnum<{
+        policy: "policy";
+        interactive: "interactive";
+        implicit: "implicit";
+        expiry: "expiry";
+    }>>;
+}, z.core.$strip>;
+export declare const approvalRecordSchema: z.ZodObject<{
+    toolId: z.ZodString;
+    state: z.ZodEnum<typeof ApprovalState>;
+    scope: z.ZodEnum<typeof ApprovalScope>;
+    grantedAt: z.ZodNumber;
+    expiresAt: z.ZodOptional<z.ZodNumber>;
+    ttlMs: z.ZodOptional<z.ZodNumber>;
+    sessionId: z.ZodOptional<z.ZodString>;
+    userId: z.ZodOptional<z.ZodString>;
+    context: z.ZodOptional<z.ZodObject<{
+        type: z.ZodString;
+        identifier: z.ZodString;
+        metadata: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+    }, z.core.$strip>>;
+    grantedBy: z.ZodObject<{
+        source: z.ZodString;
+        identifier: z.ZodOptional<z.ZodString>;
+        displayName: z.ZodOptional<z.ZodString>;
+        method: z.ZodOptional<z.ZodEnum<{
+            api: "api";
+            interactive: "interactive";
+            implicit: "implicit";
+            delegation: "delegation";
+            batch: "batch";
+        }>>;
+        origin: z.ZodOptional<z.ZodString>;
+        delegationContext: z.ZodOptional<z.ZodObject<{
+            delegatorId: z.ZodString;
+            delegateId: z.ZodString;
+            purpose: z.ZodOptional<z.ZodString>;
+            constraints: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+        }, z.core.$strip>>;
+    }, z.core.$strip>;
+    approvalChain: z.ZodOptional<z.ZodArray<z.ZodObject<{
+        source: z.ZodString;
+        identifier: z.ZodOptional<z.ZodString>;
+        displayName: z.ZodOptional<z.ZodString>;
+        method: z.ZodOptional<z.ZodEnum<{
+            api: "api";
+            interactive: "interactive";
+            implicit: "implicit";
+            delegation: "delegation";
+            batch: "batch";
+        }>>;
+        origin: z.ZodOptional<z.ZodString>;
+        delegationContext: z.ZodOptional<z.ZodObject<{
+            delegatorId: z.ZodString;
+            delegateId: z.ZodString;
+            purpose: z.ZodOptional<z.ZodString>;
+            constraints: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+        }, z.core.$strip>>;
+    }, z.core.$strip>>>;
+    reason: z.ZodOptional<z.ZodString>;
+    metadata: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+    revokedAt: z.ZodOptional<z.ZodNumber>;
+    revokedBy: z.ZodOptional<z.ZodObject<{
+        source: z.ZodString;
+        identifier: z.ZodOptional<z.ZodString>;
+        displayName: z.ZodOptional<z.ZodString>;
+        method: z.ZodOptional<z.ZodEnum<{
+            policy: "policy";
+            interactive: "interactive";
+            implicit: "implicit";
+            expiry: "expiry";
+        }>>;
+    }, z.core.$strip>>;
+    revocationReason: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>;
+export declare const toolApprovalRequirementSchema: z.ZodObject<{
+    required: z.ZodOptional<z.ZodBoolean>;
+    defaultScope: z.ZodOptional<z.ZodEnum<typeof ApprovalScope>>;
+    allowedScopes: z.ZodOptional<z.ZodArray<z.ZodEnum<typeof ApprovalScope>>>;
+    maxTtlMs: z.ZodOptional<z.ZodNumber>;
+    alwaysPrompt: z.ZodOptional<z.ZodBoolean>;
+    skipApproval: z.ZodOptional<z.ZodBoolean>;
+    approvalMessage: z.ZodOptional<z.ZodString>;
+    category: z.ZodOptional<z.ZodEnum<{
+        admin: "admin";
+        read: "read";
+        write: "write";
+        delete: "delete";
+        execute: "execute";
+    }>>;
+    riskLevel: z.ZodOptional<z.ZodEnum<{
+        low: "low";
+        medium: "medium";
+        high: "high";
+        critical: "critical";
+    }>>;
+    preApprovedContexts: z.ZodOptional<z.ZodArray<z.ZodObject<{
+        type: z.ZodString;
+        identifier: z.ZodString;
+        metadata: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+    }, z.core.$strip>>>;
+}, z.core.$strip>;
+export type ApprovalContextInput = z.input<typeof approvalContextSchema>;
+export type DelegationContextInput = z.input<typeof delegationContextSchema>;
+export type ApprovalGrantorInput = z.input<typeof approvalGrantorSchema>;
+export type ApprovalRevokerInput = z.input<typeof approvalRevokerSchema>;
+export type ApprovalRecordInput = z.input<typeof approvalRecordSchema>;
+export type ToolApprovalRequirementInput = z.input<typeof toolApprovalRequirementSchema>;
+//# sourceMappingURL=schemas.d.ts.map

package/approval/schemas.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"schemas.d.ts","sourceRoot":"","sources":["../../src/approval/schemas.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAMvD,eAAO,MAAM,mBAAmB,iCAA8B,CAAC;AAE/D,eAAO,MAAM,mBAAmB,iCAA8B,CAAC;AAE/D,eAAO,MAAM,oBAAoB;;;;;;EAAoE,CAAC;AAEtG,eAAO,MAAM,wBAAwB,aAAoB,CAAC;AAE1D,eAAO,MAAM,sBAAsB;;;;;EAA0D,CAAC;AAE9F,eAAO,MAAM,sBAAsB;;;;;;EAA0D,CAAC;AAE9F,eAAO,MAAM,eAAe;;;;;EAAgD,CAAC;AAM7E,eAAO,MAAM,qBAAqB;;;;iBAIhC,CAAC;AAMH,eAAO,MAAM,uBAAuB;;;;;iBAKlC,CAAC;AAMH,eAAO,MAAM,qBAAqB;;;;;;;;;;;;;;;;;;iBAOhC,CAAC;AAEH,eAAO,MAAM,qBAAqB;;;;;;;;;;iBAKhC,CAAC;AAMH,eAAO,MAAM,oBAAoB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBAiB/B,CAAC;AAMH,eAAO,MAAM,6BAA6B;;;;;;;;;;;;;;;;;;;;;;;;;;iBAWxC,CAAC;AAMH,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AACzE,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAC;AAC7E,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AACzE,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AACzE,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC;AACvE,MAAM,MAAM,4BAA4B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,6BAA6B,CAAC,CAAC"}

package/approval/types.d.ts

@@ -0,0 +1,252 @@
+/**
+ * Approval type definitions for tool authorization flows.
+ *
+ * These types define the structure for approval records, grantors, and revokers
+ * used in tool permission systems.
+ *
+ * @module @frontmcp/utils/approval
+ */
+/**
+ * Approval scope determines the lifetime and visibility of an approval.
+ */
+export declare enum ApprovalScope {
+    /** Valid only for current session - cleared on session end */
+    SESSION = "session",
+    /** Persists for user across sessions - stored with user identity */
+    USER = "user",
+    /** Time-limited approval - expires after TTL regardless of session */
+    TIME_LIMITED = "time_limited",
+    /** Tool-specific approval - tied to specific tool only */
+    TOOL_SPECIFIC = "tool_specific",
+    /** Context-specific approval - tied to context (e.g., repo, project) */
+    CONTEXT_SPECIFIC = "context_specific"
+}
+/**
+ * Approval state for a tool.
+ */
+export declare enum ApprovalState {
+    /** No approval decision made yet */
+    PENDING = "pending",
+    /** User approved the tool for execution */
+    APPROVED = "approved",
+    /** User denied the tool for execution */
+    DENIED = "denied",
+    /** Approval expired (TTL or session end) */
+    EXPIRED = "expired"
+}
+/**
+ * Context for context-specific approvals.
+ * Similar to Claude Code's repo-based permissions.
+ */
+export interface ApprovalContext {
+    /** Context type (e.g., 'repository', 'project', 'workspace') */
+    type: string;
+    /** Context identifier (e.g., repo path, project ID) */
+    identifier: string;
+    /** Optional additional context data */
+    metadata?: Record<string, unknown>;
+}
+/**
+ * Built-in source types for approval grants.
+ * The `(string & {})` union allows custom vendor-specific source types.
+ *
+ * @example
+ * ```typescript
+ * // Built-in sources
+ * grantedBy: { source: 'user' }
+ * grantedBy: { source: 'policy' }
+ *
+ * // Custom vendor sources
+ * grantedBy: { source: 'frontcloud-rbac' }
+ * grantedBy: { source: 'my-custom-auth' }
+ * ```
+ */
+export type ApprovalSourceType = 'user' | 'policy' | 'admin' | 'system' | 'agent' | 'api' | 'oauth' | 'test' | (string & {});
+/**
+ * How the approval was obtained.
+ */
+export type ApprovalMethod = 'interactive' | 'implicit' | 'delegation' | 'batch' | 'api';
+/**
+ * Context for delegated approvals (e.g., AI agent with delegated authority).
+ * Per MCP spec, tracks the delegation chain for audit purposes.
+ */
+export interface DelegationContext {
+    /** Who authorized the delegate (user ID, admin ID) */
+    delegatorId: string;
+    /** Who was authorized (agent ID, service account) */
+    delegateId: string;
+    /** Purpose of the delegation */
+    purpose?: string;
+    /** Constraints on the delegation (paths, actions, etc.) */
+    constraints?: Record<string, unknown>;
+}
+/**
+ * Full audit trail for who/what granted an approval.
+ * Supports MCP spec requirements for explicit consent tracking and accountability.
+ *
+ * @example
+ * ```typescript
+ * // Simple usage - just source type
+ * grantedBy: { source: 'user' }
+ *
+ * // Full audit trail
+ * grantedBy: {
+ *   source: 'user',
+ *   identifier: 'user-123',
+ *   displayName: 'John Doe',
+ *   method: 'interactive',
+ *   origin: 'ui',
+ * }
+ *
+ * // Agent with delegation
+ * grantedBy: {
+ *   source: 'agent',
+ *   identifier: 'claude-code',
+ *   displayName: 'Claude Code Assistant',
+ *   method: 'delegation',
+ *   delegationContext: {
+ *     delegatorId: 'user-123',
+ *     delegateId: 'claude-code',
+ *     purpose: 'code editing',
+ *   },
+ * }
+ * ```
+ */
+export interface ApprovalGrantor {
+    /** Source type - who/what granted this */
+    source: ApprovalSourceType;
+    /** Unique identifier (user ID, policy ID, API key prefix, etc.) */
+    identifier?: string;
+    /** Human-readable name for display */
+    displayName?: string;
+    /** How the approval was obtained */
+    method?: ApprovalMethod;
+    /** Where the approval originated (oauth, config, ui, cli, api) */
+    origin?: string;
+    /** For delegated approvals - who authorized the delegate */
+    delegationContext?: DelegationContext;
+}
+/**
+ * Revocation source types (includes approval sources + revocation-specific).
+ */
+export type RevocationSourceType = ApprovalSourceType | 'expiry' | 'session_end';
+/**
+ * Revocation method types.
+ */
+export type RevocationMethod = 'interactive' | 'implicit' | 'policy' | 'expiry';
+/**
+ * Tracking for who/what revoked an approval.
+ */
+export interface ApprovalRevoker {
+    /** Source type - who/what revoked this */
+    source: RevocationSourceType;
+    /** Unique identifier (user ID, etc.) */
+    identifier?: string;
+    /** Human-readable name for display */
+    displayName?: string;
+    /** How the revocation was triggered */
+    method?: RevocationMethod;
+}
+/**
+ * Approval record stored in memory/storage.
+ * Enhanced with full audit trail support per MCP spec requirements.
+ */
+export interface ApprovalRecord {
+    /** Tool identifier (fullName or name) */
+    toolId: string;
+    /** Current approval state */
+    state: ApprovalState;
+    /** Scope of this approval */
+    scope: ApprovalScope;
+    /** When the approval was granted (timestamp) */
+    grantedAt: number;
+    /** When the approval expires (timestamp) */
+    expiresAt?: number;
+    /** Time-to-live in milliseconds (for time-limited approvals) */
+    ttlMs?: number;
+    /** Session ID (for session-scoped approvals) */
+    sessionId?: string;
+    /** User ID (for user-scoped approvals) */
+    userId?: string;
+    /** Context (for context-specific approvals) */
+    context?: ApprovalContext;
+    /** Who/what granted the approval (full audit trail) */
+    grantedBy: ApprovalGrantor;
+    /** Approval chain for multi-step approvals */
+    approvalChain?: ApprovalGrantor[];
+    /** Optional reason for the approval */
+    reason?: string;
+    /** Approval metadata (e.g., IP, user agent) */
+    metadata?: Record<string, unknown>;
+    /** When the approval was revoked (timestamp) */
+    revokedAt?: number;
+    /** Who/what revoked the approval */
+    revokedBy?: ApprovalRevoker;
+    /** Reason for revocation */
+    revocationReason?: string;
+}
+/**
+ * Approval category for grouping UX.
+ */
+export type ApprovalCategory = 'read' | 'write' | 'delete' | 'execute' | 'admin';
+/**
+ * Risk level hint for UI.
+ */
+export type RiskLevel = 'low' | 'medium' | 'high' | 'critical';
+/**
+ * Approval requirement for a tool.
+ * Declares what approval is needed before tool execution.
+ */
+export interface ToolApprovalRequirement {
+    /**
+     * Whether this tool requires approval before execution.
+     * @default true if any approval options specified
+     */
+    required?: boolean;
+    /**
+     * Default scope for approvals (if user doesn't specify).
+     * @default 'session'
+     */
+    defaultScope?: ApprovalScope;
+    /**
+     * Allowed scopes for this tool.
+     * User cannot grant approval with a scope not in this list.
+     * @default all scopes allowed
+     */
+    allowedScopes?: ApprovalScope[];
+    /**
+     * Maximum TTL in milliseconds for time-limited approvals.
+     * Prevents users from setting very long TTLs for sensitive tools.
+     */
+    maxTtlMs?: number;
+    /**
+     * Whether to prompt on each call even if approved.
+     * For highly sensitive operations.
+     * @default false
+     */
+    alwaysPrompt?: boolean;
+    /**
+     * Whether to skip approval prompt entirely.
+     * For safe, read-only operations.
+     * @default false
+     */
+    skipApproval?: boolean;
+    /**
+     * Approval message shown to user when prompting.
+     */
+    approvalMessage?: string;
+    /**
+     * Categories for grouping approval UX.
+     */
+    category?: ApprovalCategory;
+    /**
+     * Risk level hint for UI.
+     */
+    riskLevel?: RiskLevel;
+    /**
+     * Contexts where this tool is pre-approved.
+     * E.g., "allow without approval in repo Z"
+     */
+    preApprovedContexts?: ApprovalContext[];
+}
+//# sourceMappingURL=types.d.ts.map

package/approval/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/approval/types.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAMH;;GAEG;AACH,oBAAY,aAAa;IACvB,8DAA8D;IAC9D,OAAO,YAAY;IAEnB,oEAAoE;IACpE,IAAI,SAAS;IAEb,sEAAsE;IACtE,YAAY,iBAAiB;IAE7B,0DAA0D;IAC1D,aAAa,kBAAkB;IAE/B,wEAAwE;IACxE,gBAAgB,qBAAqB;CACtC;AAMD;;GAEG;AACH,oBAAY,aAAa;IACvB,oCAAoC;IACpC,OAAO,YAAY;IAEnB,2CAA2C;IAC3C,QAAQ,aAAa;IAErB,yCAAyC;IACzC,MAAM,WAAW;IAEjB,4CAA4C;IAC5C,OAAO,YAAY;CACpB;AAMD;;;GAGG;AACH,MAAM,WAAW,eAAe;IAC9B,gEAAgE;IAChE,IAAI,EAAE,MAAM,CAAC;IAEb,uDAAuD;IACvD,UAAU,EAAE,MAAM,CAAC;IAEnB,uCAAuC;IACvC,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACpC;AAMD;;;;;;;;;;;;;;GAcG;AACH,MAAM,MAAM,kBAAkB,GAC1B,MAAM,GACN,QAAQ,GACR,OAAO,GACP,QAAQ,GACR,OAAO,GACP,KAAK,GACL,OAAO,GACP,MAAM,GACN,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC;AAElB;;GAEG;AACH,MAAM,MAAM,cAAc,GAAG,aAAa,GAAG,UAAU,GAAG,YAAY,GAAG,OAAO,GAAG,KAAK,CAAC;AAMzF;;;GAGG;AACH,MAAM,WAAW,iBAAiB;IAChC,sDAAsD;IACtD,WAAW,EAAE,MAAM,CAAC;IAEpB,qDAAqD;IACrD,UAAU,EAAE,MAAM,CAAC;IAEnB,gCAAgC;IAChC,OAAO,CAAC,EAAE,MAAM,CAAC;IAEjB,2DAA2D;IAC3D,WAAW,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACvC;AAMD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+BG;AACH,MAAM,WAAW,eAAe;IAC9B,0CAA0C;IAC1C,MAAM,EAAE,kBAAkB,CAAC;IAE3B,mEAAmE;IACnE,UAAU,CAAC,EAAE,MAAM,CAAC;IAEpB,sCAAsC;IACtC,WAAW,CAAC,EAAE,MAAM,CAAC;IAErB,oCAAoC;IACpC,MAAM,CAAC,EAAE,cAAc,CAAC;IAExB,kEAAkE;IAClE,MAAM,CAAC,EAAE,MAAM,CAAC;IAEhB,4DAA4D;IAC5D,iBAAiB,CAAC,EAAE,iBAAiB,CAAC;CACvC;AAMD;;GAEG;AACH,MAAM,MAAM,oBAAoB,GAAG,kBAAkB,GAAG,QAAQ,GAAG,aAAa,CAAC;AAEjF;;GAEG;AACH,MAAM,MAAM,gBAAgB,GAAG,aAAa,GAAG,UAAU,GAAG,QAAQ,GAAG,QAAQ,CAAC;AAEhF;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,0CAA0C;IAC1C,MAAM,EAAE,oBAAoB,CAAC;IAE7B,wCAAwC;IACxC,UAAU,CAAC,EAAE,MAAM,CAAC;IAEpB,sCAAsC;IACtC,WAAW,CAAC,EAAE,MAAM,CAAC;IAErB,uCAAuC;IACvC,MAAM,CAAC,EAAE,gBAAgB,CAAC;CAC3B;AAMD;;;GAGG;AACH,MAAM,WAAW,cAAc;IAC7B,yCAAyC;IACzC,MAAM,EAAE,MAAM,CAAC;IAEf,6BAA6B;IAC7B,KAAK,EAAE,aAAa,CAAC;IAErB,6BAA6B;IAC7B,KAAK,EAAE,aAAa,CAAC;IAErB,gDAAgD;IAChD,SAAS,EAAE,MAAM,CAAC;IAElB,4CAA4C;IAC5C,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB,gEAAgE;IAChE,KAAK,CAAC,EAAE,MAAM,CAAC;IAEf,gDAAgD;IAChD,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB,0CAA0C;IAC1C,MAAM,CAAC,EAAE,MAAM,CAAC;IAEhB,+CAA+C;IAC/C,OAAO,CAAC,EAAE,eAAe,CAAC;IAE1B,uDAAuD;IACvD,SAAS,EAAE,eAAe,CAAC;IAE3B,8CAA8C;IAC9C,aAAa,CAAC,EAAE,eAAe,EAAE,CAAC;IAElC,uCAAuC;IACvC,MAAM,CAAC,EAAE,MAAM,CAAC;IAEhB,+CAA+C;IAC/C,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAEnC,gDAAgD;IAChD,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB,oCAAoC;IACpC,SAAS,CAAC,EAAE,eAAe,CAAC;IAE5B,4BAA4B;IAC5B,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B;AAMD;;GAEG;AACH,MAAM,MAAM,gBAAgB,GAAG,MAAM,GAAG,OAAO,GAAG,QAAQ,GAAG,SAAS,GAAG,OAAO,CAAC;AAEjF;;GAEG;AACH,MAAM,MAAM,SAAS,GAAG,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,UAAU,CAAC;AAE/D;;;GAGG;AACH,MAAM,WAAW,uBAAuB;IACtC;;;OAGG;IACH,QAAQ,CAAC,EAAE,OAAO,CAAC;IAEnB;;;OAGG;IACH,YAAY,CAAC,EAAE,aAAa,CAAC;IAE7B;;;;OAIG;IACH,aAAa,CAAC,EAAE,aAAa,EAAE,CAAC;IAEhC;;;OAGG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB;;;;OAIG;IACH,YAAY,CAAC,EAAE,OAAO,CAAC;IAEvB;;;;OAIG;IACH,YAAY,CAAC,EAAE,OAAO,CAAC;IAEvB;;OAEG;IACH,eAAe,CAAC,EAAE,MAAM,CAAC;IAEzB;;OAEG;IACH,QAAQ,CAAC,EAAE,gBAAgB,CAAC;IAE5B;;OAEG;IACH,SAAS,CAAC,EAAE,SAAS,CAAC;IAEtB;;;OAGG;IACH,mBAAmB,CAAC,EAAE,eAAe,EAAE,CAAC;CACzC"}

package/approval.context-extension.d.ts

@@ -0,0 +1,21 @@
+/**
+ * Context extension that adds `this.approval` to ExecutionContextBase.
+ *
+ * @module @frontmcp/plugin-approval
+ */
+import type { ApprovalService } from './services/approval.service';
+declare module '@frontmcp/sdk' {
+    interface ExecutionContextBase {
+        /**
+         * Approval service for managing tool authorizations.
+         * Provided by @frontmcp/plugin-approval.
+         */
+        readonly approval: ApprovalService;
+    }
+}
+/**
+ * Install the approval context extension.
+ * Adds `this.approval` property to ExecutionContextBase.
+ */
+export declare function installApprovalContextExtension(): void;
+//# sourceMappingURL=approval.context-extension.d.ts.map

package/approval.context-extension.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"approval.context-extension.d.ts","sourceRoot":"","sources":["../src/approval.context-extension.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,6BAA6B,CAAC;AAOnE,OAAO,QAAQ,eAAe,CAAC;IAC7B,UAAU,oBAAoB;QAC5B;;;WAGG;QACH,QAAQ,CAAC,QAAQ,EAAE,eAAe,CAAC;KACpC;CACF;AAQD;;;GAGG;AACH,wBAAgB,+BAA+B,IAAI,IAAI,CActD"}

package/approval.plugin.d.ts

@@ -0,0 +1,128 @@
+/**
+ * ApprovalPlugin - Tool authorization workflow with PKCE webhook security.
+ *
+ * @module @frontmcp/plugin-approval
+ */
+import { DynamicPlugin, ProviderType } from '@frontmcp/sdk';
+import type { StorageConfig, RootStorage, NamespacedStorage } from '@frontmcp/utils';
+import type { ApprovalMode } from './types';
+/**
+ * Configuration options for ApprovalPlugin.
+ */
+export interface ApprovalPluginOptions {
+    /**
+     * Storage configuration for approvals.
+     * @default { type: 'auto' }
+     */
+    storage?: StorageConfig;
+    /**
+     * Use existing storage instance.
+     */
+    storageInstance?: RootStorage | NamespacedStorage;
+    /**
+     * Namespace for approval keys.
+     * @default 'approval'
+     */
+    namespace?: string;
+    /**
+     * Approval workflow mode.
+     * - 'recheck': Poll external API for approval status
+     * - 'webhook': Use PKCE-secured webhooks for approval
+     * @default 'recheck'
+     */
+    mode?: ApprovalMode;
+    /**
+     * Recheck mode configuration.
+     */
+    recheck?: {
+        /** URL to check for approval status */
+        url?: string;
+        /** Authentication method */
+        auth?: 'jwt' | 'bearer' | 'none' | 'custom';
+        /** Interval between rechecks (ms) */
+        interval?: number;
+        /** Maximum recheck attempts */
+        maxAttempts?: number;
+    };
+    /**
+     * Webhook mode configuration.
+     */
+    webhook?: {
+        /** URL to send approval requests */
+        url?: string;
+        /** Include JWT in webhook payload */
+        includeJwt?: boolean;
+        /** Challenge TTL in seconds */
+        challengeTtl?: number;
+        /** Callback path for approval responses */
+        callbackPath?: string;
+    };
+    /**
+     * Enable approval audit logging.
+     * @default true
+     */
+    enableAudit?: boolean;
+    /**
+     * Maximum delegation depth for delegated approvals.
+     * @default 3
+     */
+    maxDelegationDepth?: number;
+    /**
+     * Cleanup interval for expired approvals (seconds).
+     * @default 60
+     */
+    cleanupIntervalSeconds?: number;
+}
+/**
+ * ApprovalPlugin for tool authorization workflows.
+ *
+ * Features:
+ * - Tool approval checking via hook
+ * - Multiple approval scopes (session, user, time-limited, context-specific)
+ * - PKCE webhook security for external approval systems
+ * - Recheck mode for polling approval status
+ * - Full audit trail support
+ *
+ * @example Basic usage
+ * ```typescript
+ * import { ApprovalPlugin } from '@frontmcp/plugin-approval';
+ *
+ * @FrontMcp({
+ *   plugins: [ApprovalPlugin.init()],
+ * })
+ * class MyServer {}
+ * ```
+ *
+ * @example With webhook mode
+ * ```typescript
+ * @FrontMcp({
+ *   plugins: [
+ *     ApprovalPlugin.init({
+ *       mode: 'webhook',
+ *       webhook: {
+ *         url: 'https://approval.example.com/webhook',
+ *         challengeTtl: 300,
+ *       },
+ *     }),
+ *   ],
+ * })
+ * class MyServer {}
+ * ```
+ */
+export default class ApprovalPlugin extends DynamicPlugin<ApprovalPluginOptions> {
+    static defaultOptions: ApprovalPluginOptions;
+    options: ApprovalPluginOptions;
+    constructor(options?: ApprovalPluginOptions);
+    /**
+     * Dynamic providers based on plugin options.
+     */
+    static dynamicProviders: (options: ApprovalPluginOptions) => ProviderType[];
+    /**
+     * Get plugin metadata including nested plugins.
+     */
+    static getPluginMetadata(_options: ApprovalPluginOptions): {
+        plugins?: unknown[];
+    };
+}
+export { ApprovalPlugin };
+//# sourceMappingURL=approval.plugin.d.ts.map

package/approval.plugin.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"approval.plugin.d.ts","sourceRoot":"","sources":["../src/approval.plugin.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,aAAa,EAAU,YAAY,EAAoD,MAAM,eAAe,CAAC;AACtH,OAAO,KAAK,EAAE,aAAa,EAAE,WAAW,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AAOrF,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAM5C;;GAEG;AACH,MAAM,WAAW,qBAAqB;IACpC;;;OAGG;IACH,OAAO,CAAC,EAAE,aAAa,CAAC;IAExB;;OAEG;IACH,eAAe,CAAC,EAAE,WAAW,GAAG,iBAAiB,CAAC;IAElD;;;OAGG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB;;;;;OAKG;IACH,IAAI,CAAC,EAAE,YAAY,CAAC;IAEpB;;OAEG;IACH,OAAO,CAAC,EAAE;QACR,uCAAuC;QACvC,GAAG,CAAC,EAAE,MAAM,CAAC;QACb,4BAA4B;QAC5B,IAAI,CAAC,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,QAAQ,CAAC;QAC5C,qCAAqC;QACrC,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,+BAA+B;QAC/B,WAAW,CAAC,EAAE,MAAM,CAAC;KACtB,CAAC;IAEF;;OAEG;IACH,OAAO,CAAC,EAAE;QACR,oCAAoC;QACpC,GAAG,CAAC,EAAE,MAAM,CAAC;QACb,qCAAqC;QACrC,UAAU,CAAC,EAAE,OAAO,CAAC;QACrB,+BAA+B;QAC/B,YAAY,CAAC,EAAE,MAAM,CAAC;QACtB,2CAA2C;QAC3C,YAAY,CAAC,EAAE,MAAM,CAAC;KACvB,CAAC;IAEF;;;OAGG;IACH,WAAW,CAAC,EAAE,OAAO,CAAC;IAEtB;;;OAGG;IACH,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAE5B;;;OAGG;IACH,sBAAsB,CAAC,EAAE,MAAM,CAAC;CACjC;AAMD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAmCG;AAYH,MAAM,CAAC,OAAO,OAAO,cAAe,SAAQ,aAAa,CAAC,qBAAqB,CAAC;IAC9E,MAAM,CAAC,cAAc,EAAE,qBAAqB,CAM1C;IAEF,OAAO,EAAE,qBAAqB,CAAC;gBAEnB,OAAO,GAAE,qBAA0B;IAQ/C;;OAEG;IACH,OAAgB,gBAAgB,GAAI,SAAS,qBAAqB,KAAG,YAAY,EAAE,CAoEjF;IAEF;;OAEG;IACH,MAAM,CAAC,iBAAiB,CAAC,QAAQ,EAAE,qBAAqB,GAAG;QAAE,OAAO,CAAC,EAAE,OAAO,EAAE,CAAA;KAAE;CAInF;AAGD,OAAO,EAAE,cAAc,EAAE,CAAC"}

package/approval.symbols.d.ts

@@ -0,0 +1,22 @@
+/**
+ * Dependency injection symbols for ApprovalPlugin.
+ *
+ * @module @frontmcp/plugin-approval
+ */
+import { Reference } from '@frontmcp/sdk';
+import type { ApprovalStore } from './stores/approval-store.interface';
+import type { ApprovalService } from './services/approval.service';
+import type { ChallengeService } from './services/challenge.service';
+/**
+ * Token for injecting the ApprovalStore.
+ */
+export declare const ApprovalStoreToken: Reference<ApprovalStore>;
+/**
+ * Token for injecting the ApprovalService.
+ */
+export declare const ApprovalServiceToken: Reference<ApprovalService>;
+/**
+ * Token for injecting the ChallengeService (PKCE challenge management).
+ */
+export declare const ChallengeServiceToken: Reference<ChallengeService>;
+//# sourceMappingURL=approval.symbols.d.ts.map

package/approval.symbols.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"approval.symbols.d.ts","sourceRoot":"","sources":["../src/approval.symbols.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,SAAS,EAAE,MAAM,eAAe,CAAC;AAC1C,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,mCAAmC,CAAC;AACvE,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,6BAA6B,CAAC;AACnE,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,8BAA8B,CAAC;AAErE;;GAEG;AACH,eAAO,MAAM,kBAAkB,EAAE,SAAS,CAAC,aAAa,CAE3B,CAAC;AAE9B;;GAEG;AACH,eAAO,MAAM,oBAAoB,EAAE,SAAS,CAAC,eAAe,CAE7B,CAAC;AAEhC;;GAEG;AACH,eAAO,MAAM,qBAAqB,EAAE,SAAS,CAAC,gBAAgB,CAE9B,CAAC"}