@frontmcp/plugin-approval 0.0.1 → 0.7.1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@frontmcp/plugin-approval",
-  "version": "0.0.1",
+  "version": "0.7.1",
   "description": "Approval plugin for FrontMCP - tool authorization workflow with PKCE webhook security",
   "author": "AgentFront <info@agentfront.dev>",
   "license": "Apache-2.0",
@@ -47,8 +47,8 @@
   },
   "dependencies": {
     "ioredis": "^5.8.0",
-    "@frontmcp/sdk": "0.7.0",
-    "@frontmcp/utils": "0.7.0",
+    "@frontmcp/sdk": "0.7.1",
+    "@frontmcp/utils": "0.7.1",
     "reflect-metadata": "^0.2.2",
     "zod": "^4.0.0"
   },

package/services/approval.service.d.ts

@@ -0,0 +1,85 @@
+/**
+ * Service for programmatically managing tool approvals.
+ *
+ * @module @frontmcp/plugin-approval
+ */
+import type { ApprovalStore, ApprovalQuery } from '../stores/approval-store.interface';
+import type { ApprovalRecord, ApprovalContext, ApprovalGrantor, ApprovalRevoker, ApprovalSourceType, RevocationSourceType } from '../types';
+/**
+ * Options for granting approvals via the service.
+ */
+export interface GrantOptions {
+    /** Who/what is granting the approval (defaults to 'policy') */
+    grantedBy?: ApprovalGrantor | ApprovalSourceType;
+    /** Optional reason for the approval */
+    reason?: string;
+    /** Additional metadata */
+    metadata?: Record<string, unknown>;
+}
+/**
+ * Options for revoking approvals via the service.
+ */
+export interface RevokeOptions {
+    /** Who/what is revoking the approval (defaults to 'policy') */
+    revokedBy?: ApprovalRevoker | RevocationSourceType;
+    /** Optional reason for revocation */
+    reason?: string;
+}
+/**
+ * Service for programmatically managing tool approvals.
+ */
+export declare class ApprovalService {
+    private readonly store;
+    private readonly sessionId;
+    private readonly userId?;
+    constructor(store: ApprovalStore, sessionId: string, userId?: string | undefined);
+    /**
+     * Check if a tool is approved for current session/user.
+     */
+    isApproved(toolId: string, context?: ApprovalContext): Promise<boolean>;
+    /**
+     * Get approval record for a tool.
+     */
+    getApproval(toolId: string): Promise<ApprovalRecord | undefined>;
+    /**
+     * Get all approvals for current session.
+     */
+    getSessionApprovals(): Promise<ApprovalRecord[]>;
+    /**
+     * Get all approvals for current user (across sessions).
+     */
+    getUserApprovals(): Promise<ApprovalRecord[]>;
+    /**
+     * Query approvals with custom filters.
+     */
+    queryApprovals(query: Partial<ApprovalQuery>): Promise<ApprovalRecord[]>;
+    /**
+     * Grant session-scoped approval for a tool.
+     */
+    grantSessionApproval(toolId: string, options?: GrantOptions): Promise<ApprovalRecord>;
+    /**
+     * Grant user-scoped approval for a tool.
+     */
+    grantUserApproval(toolId: string, options?: GrantOptions): Promise<ApprovalRecord>;
+    /**
+     * Grant time-limited approval for a tool.
+     */
+    grantTimeLimitedApproval(toolId: string, ttlMs: number, options?: GrantOptions): Promise<ApprovalRecord>;
+    /**
+     * Grant context-specific approval for a tool.
+     */
+    grantContextApproval(toolId: string, context: ApprovalContext, options?: GrantOptions): Promise<ApprovalRecord>;
+    /**
+     * Revoke approval for a tool.
+     */
+    revokeApproval(toolId: string, options?: RevokeOptions): Promise<boolean>;
+    /**
+     * Clear all session approvals.
+     */
+    clearSessionApprovals(): Promise<number>;
+}
+/**
+ * Factory function for creating ApprovalService instances.
+ */
+export declare function createApprovalService(store: ApprovalStore, sessionId: string, userId?: string): ApprovalService;
+//# sourceMappingURL=approval.service.d.ts.map

package/services/approval.service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"approval.service.d.ts","sourceRoot":"","sources":["../../src/services/approval.service.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,OAAO,KAAK,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,oCAAoC,CAAC;AACvF,OAAO,KAAK,EACV,cAAc,EACd,eAAe,EACf,eAAe,EACf,eAAe,EACf,kBAAkB,EAClB,oBAAoB,EACrB,MAAM,UAAU,CAAC;AAGlB;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,+DAA+D;IAC/D,SAAS,CAAC,EAAE,eAAe,GAAG,kBAAkB,CAAC;IACjD,uCAAuC;IACvC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,0BAA0B;IAC1B,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACpC;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,+DAA+D;IAC/D,SAAS,CAAC,EAAE,eAAe,GAAG,oBAAoB,CAAC;IACnD,qCAAqC;IACrC,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;GAEG;AACH,qBAKa,eAAe;IAExB,OAAO,CAAC,QAAQ,CAAC,KAAK;IACtB,OAAO,CAAC,QAAQ,CAAC,SAAS;IAC1B,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC;gBAFP,KAAK,EAAE,aAAa,EACpB,SAAS,EAAE,MAAM,EACjB,MAAM,CAAC,EAAE,MAAM,YAAA;IAOlC;;OAEG;IACG,UAAU,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,eAAe,GAAG,OAAO,CAAC,OAAO,CAAC;IAI7E;;OAEG;IACG,WAAW,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,GAAG,SAAS,CAAC;IAItE;;OAEG;IACG,mBAAmB,IAAI,OAAO,CAAC,cAAc,EAAE,CAAC;IAQtD;;OAEG;IACG,gBAAgB,IAAI,OAAO,CAAC,cAAc,EAAE,CAAC;IAUnD;;OAEG;IACG,cAAc,CAAC,KAAK,EAAE,OAAO,CAAC,aAAa,CAAC,GAAG,OAAO,CAAC,cAAc,EAAE,CAAC;IAY9E;;OAEG;IACG,oBAAoB,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,GAAE,YAAiB,GAAG,OAAO,CAAC,cAAc,CAAC;IAW/F;;OAEG;IACG,iBAAiB,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,GAAE,YAAiB,GAAG,OAAO,CAAC,cAAc,CAAC;IAc5F;;OAEG;IACG,wBAAwB,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,GAAE,YAAiB,GAAG,OAAO,CAAC,cAAc,CAAC;IAalH;;OAEG;IACG,oBAAoB,CACxB,MAAM,EAAE,MAAM,EACd,OAAO,EAAE,eAAe,EACxB,OAAO,GAAE,YAAiB,GACzB,OAAO,CAAC,cAAc,CAAC;IAiB1B;;OAEG;IACG,cAAc,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,GAAE,aAAkB,GAAG,OAAO,CAAC,OAAO,CAAC;IAUnF;;OAEG;IACG,qBAAqB,IAAI,OAAO,CAAC,MAAM,CAAC;CAG/C;AAED;;GAEG;AACH,wBAAgB,qBAAqB,CAAC,KAAK,EAAE,aAAa,EAAE,SAAS,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,eAAe,CAE/G"}

package/services/challenge.service.d.ts

@@ -0,0 +1,115 @@
+/**
+ * PKCE Challenge Service for secure webhook approval flows.
+ *
+ * Implements RFC 7636 PKCE (Proof Key for Code Exchange) for secure
+ * authorization between the MCP server and external approval systems.
+ *
+ * @module @frontmcp/plugin-approval
+ */
+import { type NamespacedStorage, type RootStorage, type StorageConfig } from '@frontmcp/utils';
+import type { ChallengeRecord } from '../types';
+/**
+ * Configuration for ChallengeService.
+ */
+export interface ChallengeServiceOptions {
+    /**
+     * Storage configuration.
+     * @default { type: 'auto' }
+     */
+    storage?: StorageConfig;
+    /**
+     * Existing storage instance.
+     */
+    storageInstance?: RootStorage | NamespacedStorage;
+    /**
+     * Namespace for challenge keys.
+     * @default 'approval:challenge'
+     */
+    namespace?: string;
+    /**
+     * Default challenge TTL in seconds.
+     * @default 300 (5 minutes)
+     */
+    defaultTtlSeconds?: number;
+}
+/**
+ * Options for creating a challenge.
+ */
+export interface CreateChallengeOptions {
+    /** Tool ID being approved */
+    toolId: string;
+    /** Session ID (kept internal, never exposed) */
+    sessionId: string;
+    /** User ID if available */
+    userId?: string;
+    /** Requested approval scope */
+    requestedScope: string;
+    /** Request information for webhook */
+    requestInfo: {
+        toolName: string;
+        category?: string;
+        riskLevel?: string;
+        customMessage?: string;
+    };
+    /** TTL in seconds (overrides default) */
+    ttlSeconds?: number;
+}
+/**
+ * Service for managing PKCE challenges in webhook approval flows.
+ *
+ * Flow:
+ * 1. Create challenge: generates code_verifier + code_challenge
+ * 2. Store challenge: saves code_challenge → record mapping
+ * 3. Send to webhook: includes code_challenge (NOT code_verifier)
+ * 4. Receive callback: validate code_verifier against stored challenge
+ * 5. Grant approval if valid
+ */
+export declare class ChallengeService {
+    private storage;
+    private readonly options;
+    private initialized;
+    private ownedStorage;
+    constructor(options?: ChallengeServiceOptions);
+    /**
+     * Initialize the service.
+     */
+    initialize(): Promise<void>;
+    private ensureInitialized;
+    /**
+     * Create a new PKCE challenge for a tool approval request.
+     *
+     * @returns Object containing code_verifier (keep secret) and code_challenge (send to webhook)
+     */
+    createChallenge(options: CreateChallengeOptions): Promise<{
+        codeVerifier: string;
+        codeChallenge: string;
+        expiresAt: number;
+    }>;
+    /**
+     * Verify a code verifier and retrieve the challenge record.
+     *
+     * @throws ChallengeValidationError if verification fails
+     */
+    verifyAndConsume(codeVerifier: string): Promise<ChallengeRecord>;
+    /**
+     * Mark a challenge as having been sent to webhook.
+     */
+    markWebhookSent(codeChallenge: string): Promise<boolean>;
+    /**
+     * Get a challenge record without consuming it.
+     */
+    getChallenge(codeChallenge: string): Promise<ChallengeRecord | null>;
+    /**
+     * Delete a challenge.
+     */
+    deleteChallenge(codeChallenge: string): Promise<boolean>;
+    /**
+     * Close the service.
+     */
+    close(): Promise<void>;
+}
+/**
+ * Create a ChallengeService with memory storage.
+ */
+export declare function createMemoryChallengeService(options?: Omit<ChallengeServiceOptions, 'storage' | 'storageInstance'>): ChallengeService;
+//# sourceMappingURL=challenge.service.d.ts.map

package/services/challenge.service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"challenge.service.d.ts","sourceRoot":"","sources":["../../src/services/challenge.service.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAGH,OAAO,EAGL,KAAK,iBAAiB,EACtB,KAAK,WAAW,EAGhB,KAAK,aAAa,EACnB,MAAM,iBAAiB,CAAC;AAEzB,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,UAAU,CAAC;AAEhD;;GAEG;AACH,MAAM,WAAW,uBAAuB;IACtC;;;OAGG;IACH,OAAO,CAAC,EAAE,aAAa,CAAC;IAExB;;OAEG;IACH,eAAe,CAAC,EAAE,WAAW,GAAG,iBAAiB,CAAC;IAElD;;;OAGG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB;;;OAGG;IACH,iBAAiB,CAAC,EAAE,MAAM,CAAC;CAC5B;AAED;;GAEG;AACH,MAAM,WAAW,sBAAsB;IACrC,6BAA6B;IAC7B,MAAM,EAAE,MAAM,CAAC;IAEf,gDAAgD;IAChD,SAAS,EAAE,MAAM,CAAC;IAElB,2BAA2B;IAC3B,MAAM,CAAC,EAAE,MAAM,CAAC;IAEhB,+BAA+B;IAC/B,cAAc,EAAE,MAAM,CAAC;IAEvB,sCAAsC;IACtC,WAAW,EAAE;QACX,QAAQ,EAAE,MAAM,CAAC;QACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,SAAS,CAAC,EAAE,MAAM,CAAC;QACnB,aAAa,CAAC,EAAE,MAAM,CAAC;KACxB,CAAC;IAEF,yCAAyC;IACzC,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED;;;;;;;;;GASG;AACH,qBAKa,gBAAgB;IAC3B,OAAO,CAAC,OAAO,CAAqB;IACpC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAEtB;IACF,OAAO,CAAC,WAAW,CAAS;IAC5B,OAAO,CAAC,YAAY,CAAS;gBAEjB,OAAO,GAAE,uBAA4B;IASjD;;OAEG;IACG,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC;IAejC,OAAO,CAAC,iBAAiB;IAMzB;;;;OAIG;IACG,eAAe,CAAC,OAAO,EAAE,sBAAsB,GAAG,OAAO,CAAC;QAC9D,YAAY,EAAE,MAAM,CAAC;QACrB,aAAa,EAAE,MAAM,CAAC;QACtB,SAAS,EAAE,MAAM,CAAC;KACnB,CAAC;IAyBF;;;;OAIG;IACG,gBAAgB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,CAAC;IA0BtE;;OAEG;IACG,eAAe,CAAC,aAAa,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAqB9D;;OAEG;IACG,YAAY,CAAC,aAAa,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,GAAG,IAAI,CAAC;IAe1E;;OAEG;IACG,eAAe,CAAC,aAAa,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAU9D;;OAEG;IACG,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;CAM7B;AAaD;;GAEG;AACH,wBAAgB,4BAA4B,CAC1C,OAAO,GAAE,IAAI,CAAC,uBAAuB,EAAE,SAAS,GAAG,iBAAiB,CAAM,GACzE,gBAAgB,CAMlB"}

package/services/index.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Service exports for ApprovalPlugin.
+ *
+ * @module @frontmcp/plugin-approval
+ */
+export { ApprovalService, createApprovalService, type GrantOptions, type RevokeOptions } from './approval.service';
+export { ChallengeService, createMemoryChallengeService, type ChallengeServiceOptions, type CreateChallengeOptions, } from './challenge.service';
+//# sourceMappingURL=index.d.ts.map

package/services/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/services/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,eAAe,EAAE,qBAAqB,EAAE,KAAK,YAAY,EAAE,KAAK,aAAa,EAAE,MAAM,oBAAoB,CAAC;AACnH,OAAO,EACL,gBAAgB,EAChB,4BAA4B,EAC5B,KAAK,uBAAuB,EAC5B,KAAK,sBAAsB,GAC5B,MAAM,qBAAqB,CAAC"}

package/stores/approval-storage.store.d.ts

@@ -0,0 +1,71 @@
+/**
+ * Storage-backed implementation of the ApprovalStore.
+ *
+ * @module @frontmcp/plugin-approval
+ */
+import { type RootStorage, type NamespacedStorage, type StorageConfig } from '@frontmcp/utils';
+import type { ApprovalStore, ApprovalQuery, GrantApprovalOptions, RevokeApprovalOptions } from './approval-store.interface';
+import { ApprovalScope, ApprovalState, type ApprovalRecord, type ApprovalContext } from '../types';
+/**
+ * Configuration options for ApprovalStorageStore.
+ */
+export interface ApprovalStorageStoreOptions {
+    /**
+     * Storage configuration. If not provided, uses auto-detection.
+     * @default { type: 'auto' }
+     */
+    storage?: StorageConfig;
+    /**
+     * Use an existing storage instance instead of creating a new one.
+     */
+    storageInstance?: RootStorage | NamespacedStorage;
+    /**
+     * Namespace prefix for approval keys.
+     * @default 'approval'
+     */
+    namespace?: string;
+    /**
+     * Cleanup interval for expired approvals (in seconds).
+     * Set to 0 to disable automatic cleanup.
+     * @default 60
+     */
+    cleanupIntervalSeconds?: number;
+}
+/**
+ * Storage-backed implementation of the ApprovalStore.
+ * Works with any storage backend (memory, Redis, Vercel KV, Upstash).
+ */
+export declare class ApprovalStorageStore implements ApprovalStore {
+    private storage;
+    private readonly options;
+    private cleanupInterval?;
+    private initialized;
+    private ownedStorage;
+    constructor(options?: ApprovalStorageStoreOptions);
+    /**
+     * Initialize the storage connection.
+     */
+    initialize(): Promise<void>;
+    private ensureInitialized;
+    private buildKey;
+    private parseRecord;
+    private isExpired;
+    getApproval(toolId: string, sessionId: string, userId?: string): Promise<ApprovalRecord | undefined>;
+    queryApprovals(query: ApprovalQuery): Promise<ApprovalRecord[]>;
+    grantApproval(options: GrantApprovalOptions): Promise<ApprovalRecord>;
+    revokeApproval(options: RevokeApprovalOptions): Promise<boolean>;
+    isApproved(toolId: string, sessionId: string, userId?: string, context?: ApprovalContext): Promise<boolean>;
+    clearSessionApprovals(sessionId: string): Promise<number>;
+    clearExpiredApprovals(): Promise<number>;
+    getStats(): Promise<{
+        totalApprovals: number;
+        byScope: Record<ApprovalScope, number>;
+        byState: Record<ApprovalState, number>;
+    }>;
+    close(): Promise<void>;
+}
+/**
+ * Create an ApprovalStorageStore with synchronous memory storage.
+ */
+export declare function createApprovalMemoryStore(options?: Omit<ApprovalStorageStoreOptions, 'storage' | 'storageInstance'>): ApprovalStorageStore;
+//# sourceMappingURL=approval-storage.store.d.ts.map

package/stores/approval-storage.store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"approval-storage.store.d.ts","sourceRoot":"","sources":["../../src/stores/approval-storage.store.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,OAAO,EAGL,KAAK,WAAW,EAChB,KAAK,iBAAiB,EACtB,KAAK,aAAa,EACnB,MAAM,iBAAiB,CAAC;AAEzB,OAAO,KAAK,EACV,aAAa,EACb,aAAa,EACb,oBAAoB,EACpB,qBAAqB,EACtB,MAAM,4BAA4B,CAAC;AACpC,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,KAAK,cAAc,EAAE,KAAK,eAAe,EAAE,MAAM,UAAU,CAAC;AAkBnG;;GAEG;AACH,MAAM,WAAW,2BAA2B;IAC1C;;;OAGG;IACH,OAAO,CAAC,EAAE,aAAa,CAAC;IAExB;;OAEG;IACH,eAAe,CAAC,EAAE,WAAW,GAAG,iBAAiB,CAAC;IAElD;;;OAGG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB;;;;OAIG;IACH,sBAAsB,CAAC,EAAE,MAAM,CAAC;CACjC;AAMD;;;GAGG;AACH,qBAKa,oBAAqB,YAAW,aAAa;IACxD,OAAO,CAAC,OAAO,CAAqB;IACpC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAEtB;IACF,OAAO,CAAC,eAAe,CAAC,CAAiB;IACzC,OAAO,CAAC,WAAW,CAAS;IAC5B,OAAO,CAAC,YAAY,CAAS;gBAEjB,OAAO,GAAE,2BAAgC;IASrD;;OAEG;IACG,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC;IAwBjC,OAAO,CAAC,iBAAiB;IAMzB,OAAO,CAAC,QAAQ;IAQhB,OAAO,CAAC,WAAW;IAcnB,OAAO,CAAC,SAAS;IAIX,WAAW,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,GAAG,SAAS,CAAC;IAsBpG,cAAc,CAAC,KAAK,EAAE,aAAa,GAAG,OAAO,CAAC,cAAc,EAAE,CAAC;IAwC/D,aAAa,CAAC,OAAO,EAAE,oBAAoB,GAAG,OAAO,CAAC,cAAc,CAAC;IA6BrE,cAAc,CAAC,OAAO,EAAE,qBAAqB,GAAG,OAAO,CAAC,OAAO,CAAC;IAahE,UAAU,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,eAAe,GAAG,OAAO,CAAC,OAAO,CAAC;IA+B3G,qBAAqB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAezD,qBAAqB,IAAI,OAAO,CAAC,MAAM,CAAC;IAuBxC,QAAQ,IAAI,OAAO,CAAC;QACxB,cAAc,EAAE,MAAM,CAAC;QACvB,OAAO,EAAE,MAAM,CAAC,aAAa,EAAE,MAAM,CAAC,CAAC;QACvC,OAAO,EAAE,MAAM,CAAC,aAAa,EAAE,MAAM,CAAC,CAAC;KACxC,CAAC;IAsCI,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;CAY7B;AAED;;GAEG;AACH,wBAAgB,yBAAyB,CACvC,OAAO,GAAE,IAAI,CAAC,2BAA2B,EAAE,SAAS,GAAG,iBAAiB,CAAM,GAC7E,oBAAoB,CAMtB"}

package/stores/approval-store.interface.d.ts

@@ -0,0 +1,121 @@
+/**
+ * Interface for managing tool approvals.
+ *
+ * @module @frontmcp/plugin-approval
+ */
+import type { ApprovalScope, ApprovalState, ApprovalContext, ApprovalGrantor, ApprovalRevoker, ApprovalRecord, ApprovalSourceType, RevocationSourceType } from '../types';
+/**
+ * Query options for finding approvals.
+ */
+export interface ApprovalQuery {
+    /** Filter by tool ID */
+    toolId?: string;
+    /** Filter by multiple tool IDs */
+    toolIds?: string[];
+    /** Filter by scope */
+    scope?: ApprovalScope;
+    /** Filter by multiple scopes */
+    scopes?: ApprovalScope[];
+    /** Filter by state */
+    state?: ApprovalState;
+    /** Filter by multiple states */
+    states?: ApprovalState[];
+    /** Filter by session ID */
+    sessionId?: string;
+    /** Filter by user ID */
+    userId?: string;
+    /** Filter by context */
+    context?: ApprovalContext;
+    /** Include expired approvals (default: false) */
+    includeExpired?: boolean;
+}
+/**
+ * Options for granting approval.
+ */
+export interface GrantApprovalOptions {
+    /** Tool identifier */
+    toolId: string;
+    /** Approval scope */
+    scope: ApprovalScope;
+    /** Time-to-live in milliseconds (for time-limited approvals) */
+    ttlMs?: number;
+    /** Session ID (required for session-scoped) */
+    sessionId?: string;
+    /** User ID (required for user-scoped) */
+    userId?: string;
+    /** Context (required for context-specific) */
+    context?: ApprovalContext;
+    /** Who/what granted the approval */
+    grantedBy?: ApprovalGrantor | ApprovalSourceType;
+    /** Optional reason for the approval */
+    reason?: string;
+    /** Additional metadata */
+    metadata?: Record<string, unknown>;
+}
+/**
+ * Options for revoking approval.
+ */
+export interface RevokeApprovalOptions {
+    /** Tool identifier */
+    toolId: string;
+    /** Session ID (for session-scoped approvals) */
+    sessionId?: string;
+    /** User ID (for user-scoped approvals) */
+    userId?: string;
+    /** Context (for context-specific approvals) */
+    context?: ApprovalContext;
+    /** Who/what revoked the approval */
+    revokedBy?: ApprovalRevoker | RevocationSourceType;
+    /** Optional reason for revocation */
+    reason?: string;
+}
+/**
+ * Interface for managing tool approvals.
+ */
+export interface ApprovalStore {
+    /**
+     * Initialize the store.
+     */
+    initialize(): Promise<void>;
+    /**
+     * Get approval for a specific tool.
+     */
+    getApproval(toolId: string, sessionId: string, userId?: string): Promise<ApprovalRecord | undefined>;
+    /**
+     * Get all approvals matching a query.
+     */
+    queryApprovals(query: ApprovalQuery): Promise<ApprovalRecord[]>;
+    /**
+     * Grant approval for a tool.
+     */
+    grantApproval(options: GrantApprovalOptions): Promise<ApprovalRecord>;
+    /**
+     * Revoke approval for a tool.
+     */
+    revokeApproval(options: RevokeApprovalOptions): Promise<boolean>;
+    /**
+     * Check if a tool is approved.
+     */
+    isApproved(toolId: string, sessionId: string, userId?: string, context?: ApprovalContext): Promise<boolean>;
+    /**
+     * Clear all session approvals.
+     */
+    clearSessionApprovals(sessionId: string): Promise<number>;
+    /**
+     * Clear expired approvals.
+     */
+    clearExpiredApprovals(): Promise<number>;
+    /**
+     * Get approval statistics.
+     */
+    getStats(): Promise<{
+        totalApprovals: number;
+        byScope: Record<ApprovalScope, number>;
+        byState: Record<ApprovalState, number>;
+    }>;
+    /**
+     * Close the store and cleanup.
+     */
+    close(): Promise<void>;
+}
+//# sourceMappingURL=approval-store.interface.d.ts.map

package/stores/approval-store.interface.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"approval-store.interface.d.ts","sourceRoot":"","sources":["../../src/stores/approval-store.interface.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EACV,aAAa,EACb,aAAa,EACb,eAAe,EACf,eAAe,EACf,eAAe,EACf,cAAc,EACd,kBAAkB,EAClB,oBAAoB,EACrB,MAAM,UAAU,CAAC;AAMlB;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,wBAAwB;IACxB,MAAM,CAAC,EAAE,MAAM,CAAC;IAEhB,kCAAkC;IAClC,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IAEnB,sBAAsB;IACtB,KAAK,CAAC,EAAE,aAAa,CAAC;IAEtB,gCAAgC;IAChC,MAAM,CAAC,EAAE,aAAa,EAAE,CAAC;IAEzB,sBAAsB;IACtB,KAAK,CAAC,EAAE,aAAa,CAAC;IAEtB,gCAAgC;IAChC,MAAM,CAAC,EAAE,aAAa,EAAE,CAAC;IAEzB,2BAA2B;IAC3B,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB,wBAAwB;IACxB,MAAM,CAAC,EAAE,MAAM,CAAC;IAEhB,wBAAwB;IACxB,OAAO,CAAC,EAAE,eAAe,CAAC;IAE1B,iDAAiD;IACjD,cAAc,CAAC,EAAE,OAAO,CAAC;CAC1B;AAMD;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,sBAAsB;IACtB,MAAM,EAAE,MAAM,CAAC;IAEf,qBAAqB;IACrB,KAAK,EAAE,aAAa,CAAC;IAErB,gEAAgE;IAChE,KAAK,CAAC,EAAE,MAAM,CAAC;IAEf,+CAA+C;IAC/C,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB,yCAAyC;IACzC,MAAM,CAAC,EAAE,MAAM,CAAC;IAEhB,8CAA8C;IAC9C,OAAO,CAAC,EAAE,eAAe,CAAC;IAE1B,oCAAoC;IACpC,SAAS,CAAC,EAAE,eAAe,GAAG,kBAAkB,CAAC;IAEjD,uCAAuC;IACvC,MAAM,CAAC,EAAE,MAAM,CAAC;IAEhB,0BAA0B;IAC1B,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACpC;AAED;;GAEG;AACH,MAAM,WAAW,qBAAqB;IACpC,sBAAsB;IACtB,MAAM,EAAE,MAAM,CAAC;IAEf,gDAAgD;IAChD,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB,0CAA0C;IAC1C,MAAM,CAAC,EAAE,MAAM,CAAC;IAEhB,+CAA+C;IAC/C,OAAO,CAAC,EAAE,eAAe,CAAC;IAE1B,oCAAoC;IACpC,SAAS,CAAC,EAAE,eAAe,GAAG,oBAAoB,CAAC;IAEnD,qCAAqC;IACrC,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAMD;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B;;OAEG;IACH,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;IAE5B;;OAEG;IACH,WAAW,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,GAAG,SAAS,CAAC,CAAC;IAErG;;OAEG;IACH,cAAc,CAAC,KAAK,EAAE,aAAa,GAAG,OAAO,CAAC,cAAc,EAAE,CAAC,CAAC;IAEhE;;OAEG;IACH,aAAa,CAAC,OAAO,EAAE,oBAAoB,GAAG,OAAO,CAAC,cAAc,CAAC,CAAC;IAEtE;;OAEG;IACH,cAAc,CAAC,OAAO,EAAE,qBAAqB,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAEjE;;OAEG;IACH,UAAU,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,eAAe,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAE5G;;OAEG;IACH,qBAAqB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAE1D;;OAEG;IACH,qBAAqB,IAAI,OAAO,CAAC,MAAM,CAAC,CAAC;IAEzC;;OAEG;IACH,QAAQ,IAAI,OAAO,CAAC;QAClB,cAAc,EAAE,MAAM,CAAC;QACvB,OAAO,EAAE,MAAM,CAAC,aAAa,EAAE,MAAM,CAAC,CAAC;QACvC,OAAO,EAAE,MAAM,CAAC,aAAa,EAAE,MAAM,CAAC,CAAC;KACxC,CAAC,CAAC;IAEH;;OAEG;IACH,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;CACxB"}

package/stores/index.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Store exports for ApprovalPlugin.
+ *
+ * @module @frontmcp/plugin-approval
+ */
+export type { ApprovalStore, ApprovalQuery, GrantApprovalOptions, RevokeApprovalOptions, } from './approval-store.interface';
+export { ApprovalStorageStore, type ApprovalStorageStoreOptions, createApprovalMemoryStore, } from './approval-storage.store';
+//# sourceMappingURL=index.d.ts.map

package/stores/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/stores/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,YAAY,EACV,aAAa,EACb,aAAa,EACb,oBAAoB,EACpB,qBAAqB,GACtB,MAAM,4BAA4B,CAAC;AACpC,OAAO,EACL,oBAAoB,EACpB,KAAK,2BAA2B,EAChC,yBAAyB,GAC1B,MAAM,0BAA0B,CAAC"}

package/types/approval.types.d.ts

@@ -0,0 +1,98 @@
+/**
+ * Approval types for the plugin.
+ * Re-exports core types from the local approval module and defines plugin-specific types.
+ *
+ * @module @frontmcp/plugin-approval
+ */
+export { ApprovalScope, ApprovalState, type ApprovalSourceType, type RevocationSourceType, type ApprovalMethod, type ApprovalContext, type ApprovalGrantor, type ApprovalRevoker, type DelegationContext, type ApprovalRecord, type ToolApprovalRequirement, type ApprovalCategory, type RiskLevel, } from '../approval';
+/**
+ * Approval workflow mode.
+ */
+export type ApprovalMode = 'recheck' | 'webhook';
+/**
+ * Challenge record stored in Redis for PKCE webhook flow.
+ */
+export interface ChallengeRecord {
+    /** Tool ID being approved */
+    toolId: string;
+    /** Session ID (never exposed to webhook) */
+    sessionId: string;
+    /** User ID if available */
+    userId?: string;
+    /** Requested approval scope */
+    requestedScope: string;
+    /** Request information sent to webhook */
+    requestInfo: {
+        toolName: string;
+        category?: string;
+        riskLevel?: string;
+        customMessage?: string;
+    };
+    /** When the challenge was created */
+    createdAt: number;
+    /** When the challenge expires */
+    expiresAt: number;
+    /** Whether webhook has been sent */
+    webhookSent: boolean;
+}
+/**
+ * Webhook payload sent to external approval system.
+ */
+export interface WebhookPayload {
+    /** PKCE code challenge (SHA256 of code_verifier) */
+    codeChallenge: string;
+    /** Tool being approved */
+    toolId: string;
+    /** Tool name */
+    toolName: string;
+    /** Tool category */
+    category?: string;
+    /** Risk level */
+    riskLevel?: string;
+    /** Custom approval message */
+    approvalMessage?: string;
+    /** URL for callback */
+    callbackUrl: string;
+    /** Request timestamp */
+    timestamp: number;
+}
+/**
+ * Callback payload received from external approval system.
+ */
+export interface CallbackPayload {
+    /** PKCE code verifier (proves knowledge of challenge) */
+    codeVerifier: string;
+    /** Whether approved or denied */
+    approved: boolean;
+    /** Approval scope if approved */
+    scope?: string;
+    /** TTL in milliseconds if time-limited */
+    ttlMs?: number;
+    /** Who granted the approval */
+    grantedBy?: {
+        source: string;
+        identifier?: string;
+        displayName?: string;
+    };
+    /** Optional reason */
+    reason?: string;
+}
+/**
+ * Recheck response from external approval API.
+ */
+export interface RecheckResponse {
+    /** Whether approved */
+    approved: boolean;
+    /** Approval scope if approved */
+    scope?: string;
+    /** TTL in milliseconds if time-limited */
+    ttlMs?: number;
+    /** Who granted the approval */
+    grantedBy?: {
+        source: string;
+        identifier?: string;
+    };
+    /** Reason for denial if denied */
+    denialReason?: string;
+}
+//# sourceMappingURL=approval.types.d.ts.map

package/types/approval.types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"approval.types.d.ts","sourceRoot":"","sources":["../../src/types/approval.types.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,EACL,aAAa,EACb,aAAa,EACb,KAAK,kBAAkB,EACvB,KAAK,oBAAoB,EACzB,KAAK,cAAc,EACnB,KAAK,eAAe,EACpB,KAAK,eAAe,EACpB,KAAK,eAAe,EACpB,KAAK,iBAAiB,EACtB,KAAK,cAAc,EACnB,KAAK,uBAAuB,EAC5B,KAAK,gBAAgB,EACrB,KAAK,SAAS,GACf,MAAM,aAAa,CAAC;AAMrB;;GAEG;AACH,MAAM,MAAM,YAAY,GAAG,SAAS,GAAG,SAAS,CAAC;AAEjD;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,6BAA6B;IAC7B,MAAM,EAAE,MAAM,CAAC;IAEf,4CAA4C;IAC5C,SAAS,EAAE,MAAM,CAAC;IAElB,2BAA2B;IAC3B,MAAM,CAAC,EAAE,MAAM,CAAC;IAEhB,+BAA+B;IAC/B,cAAc,EAAE,MAAM,CAAC;IAEvB,0CAA0C;IAC1C,WAAW,EAAE;QACX,QAAQ,EAAE,MAAM,CAAC;QACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,SAAS,CAAC,EAAE,MAAM,CAAC;QACnB,aAAa,CAAC,EAAE,MAAM,CAAC;KACxB,CAAC;IAEF,qCAAqC;IACrC,SAAS,EAAE,MAAM,CAAC;IAElB,iCAAiC;IACjC,SAAS,EAAE,MAAM,CAAC;IAElB,oCAAoC;IACpC,WAAW,EAAE,OAAO,CAAC;CACtB;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,oDAAoD;IACpD,aAAa,EAAE,MAAM,CAAC;IAEtB,0BAA0B;IAC1B,MAAM,EAAE,MAAM,CAAC;IAEf,gBAAgB;IAChB,QAAQ,EAAE,MAAM,CAAC;IAEjB,oBAAoB;IACpB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB,iBAAiB;IACjB,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB,8BAA8B;IAC9B,eAAe,CAAC,EAAE,MAAM,CAAC;IAEzB,uBAAuB;IACvB,WAAW,EAAE,MAAM,CAAC;IAEpB,wBAAwB;IACxB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,yDAAyD;IACzD,YAAY,EAAE,MAAM,CAAC;IAErB,iCAAiC;IACjC,QAAQ,EAAE,OAAO,CAAC;IAElB,iCAAiC;IACjC,KAAK,CAAC,EAAE,MAAM,CAAC;IAEf,0CAA0C;IAC1C,KAAK,CAAC,EAAE,MAAM,CAAC;IAEf,+BAA+B;IAC/B,SAAS,CAAC,EAAE;QACV,MAAM,EAAE,MAAM,CAAC;QACf,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,WAAW,CAAC,EAAE,MAAM,CAAC;KACtB,CAAC;IAEF,sBAAsB;IACtB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,uBAAuB;IACvB,QAAQ,EAAE,OAAO,CAAC;IAElB,iCAAiC;IACjC,KAAK,CAAC,EAAE,MAAM,CAAC;IAEf,0CAA0C;IAC1C,KAAK,CAAC,EAAE,MAAM,CAAC;IAEf,+BAA+B;IAC/B,SAAS,CAAC,EAAE;QACV,MAAM,EAAE,MAAM,CAAC;QACf,UAAU,CAAC,EAAE,MAAM,CAAC;KACrB,CAAC;IAEF,kCAAkC;IAClC,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB"}

package/types/index.d.ts

@@ -0,0 +1,7 @@
+/**
+ * Type exports for ApprovalPlugin.
+ *
+ * @module @frontmcp/plugin-approval
+ */
+export * from './approval.types';
+//# sourceMappingURL=index.d.ts.map

package/types/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/types/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,cAAc,kBAAkB,CAAC"}