npm - @frontmcp/sdk - Versions diffs - 0.2.3 → 0.3.0 - Mend

@frontmcp/sdk 0.2.3 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (896) hide show

package/src/auth/session/record/session.base.js ADDED Viewed

@@ -0,0 +1,123 @@
+"use strict";
+// auth/session/record/session.base.ts
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SessionView = exports.Session = void 0;
+const session_transport_1 = require("../session.transport");
+class Session {
+    // ---------------- public immutable data ----------------
+    id;
+    createdAt;
+    scopeId;
+    user;
+    claims;
+    /** Epoch millis when the bearer token expires (if available). */
+    expiresAt;
+    authorizedProviders;
+    authorizedProviderIds;
+    authorizedApps;
+    authorizedAppIds;
+    authorizedResources;
+    scopes;
+    authorizedTools;
+    authorizedToolIds;
+    authorizedPrompts;
+    authorizedPromptIds;
+    // ---------------- private/shared ----------------
+    #scope;
+    #issuer;
+    token;
+    #activeTransportId;
+    constructor(ctx) {
+        this.id = ctx.id;
+        this.createdAt = ctx.createdAt || Date.now();
+        this.#scope = ctx.scope;
+        this.#issuer = ctx.issuer;
+        this.scopeId = ctx.scope.id;
+        this.user = ctx.user;
+        this.claims = ctx.claims;
+        // derive token expiration from JWT claims if present (exp in seconds)
+        const exp = (ctx.claims && typeof ctx.claims['exp'] === 'number') ? Number(ctx.claims['exp']) : undefined;
+        if (exp) {
+            this.expiresAt = exp > 1e12 ? exp : exp * 1000;
+        }
+        // project authorized fields (defaults to empty)
+        this.authorizedProviders = ctx.authorizedProviders ?? {};
+        this.authorizedProviderIds = ctx.authorizedProviderIds ?? [];
+        this.authorizedApps = ctx.authorizedApps ?? {};
+        this.authorizedAppIds = ctx.authorizedAppIds ?? [];
+        this.authorizedResources = ctx.authorizedResources ?? [];
+        this.authorizedTools = ctx.authorizedTools ?? {};
+        this.authorizedToolIds = ctx.authorizedToolIds ?? [];
+        this.authorizedPrompts = ctx.authorizedPrompts ?? {};
+        this.authorizedPromptIds = ctx.authorizedPromptIds ?? [];
+        this.token = ctx.token;
+        this.#activeTransportId = ctx.sessionId;
+    }
+    /**
+     * Get the scope associated with this session.
+     * Can be used by subclasses to implement custom scope handling.
+     * @protected
+     */
+    get scope() {
+        return this.#scope;
+    }
+    // ---------------- accessors ----------------
+    get issuer() {
+        return this.#issuer;
+    }
+    async getTransportSessionId() {
+        if (this.#activeTransportId)
+            return this.#activeTransportId;
+        const mode = this.scope.metadata.session?.transportIdMode ?? 'uuid';
+        if (typeof mode === 'string') {
+            return session_transport_1.TransportIdGenerator.createId(mode);
+        }
+        else {
+            const modeResult = await mode(this.issuer);
+            return session_transport_1.TransportIdGenerator.createId(modeResult);
+        }
+    }
+    // ---------------- scoped view ----------------
+    scoped(allowed) {
+        const fn = typeof allowed === 'function'
+            ? allowed
+            : Array.isArray(allowed)
+                ? (id) => allowed.includes(id)
+                : (id) => id === allowed;
+        return new SessionView(this, fn);
+    }
+}
+exports.Session = Session;
+class SessionView {
+    parent;
+    allow;
+    constructor(parent, allow) {
+        this.parent = parent;
+        this.allow = allow;
+    }
+    get id() {
+        return this.parent.id;
+    }
+    get mode() {
+        return this.parent.mode;
+    }
+    get user() {
+        return this.parent.user;
+    }
+    get claims() {
+        return this.parent.claims;
+    }
+    get authorizedApps() {
+        return this.parent.authorizedApps;
+    }
+    async getToken(providerId) {
+        if (!this.allow(providerId))
+            throw new Error(`scoped_denied:${providerId}`);
+        return this.parent.getToken(providerId);
+    }
+    get transportId() {
+        return this.parent.getTransportSessionId;
+    }
+}
+exports.SessionView = SessionView;
+//# sourceMappingURL=session.base.js.map

package/src/auth/session/record/session.base.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"session.base.js","sourceRoot":"","sources":["../../../../../src/auth/session/record/session.base.ts"],"names":[],"mappings":";AAAA,sCAAsC;;;AAGtC,4DAA4D;AAuC5D,MAAsB,OAAO;IAC3B,0DAA0D;IACjD,EAAE,CAAS;IAEX,SAAS,CAAS;IAClB,OAAO,CAAS;IAChB,IAAI,CAAc;IAClB,MAAM,CAA2B;IAC1C,iEAAiE;IACxD,SAAS,CAAU;IAEnB,mBAAmB,CAAmC;IACtD,qBAAqB,CAAW;IAChC,cAAc,CAAoD;IAClE,gBAAgB,CAAW;IAC3B,mBAAmB,CAAW;IAC9B,MAAM,CAAY;IAClB,eAAe,CAAsF;IACrG,iBAAiB,CAAY;IAC7B,iBAAiB,CAAsF;IACvG,mBAAmB,CAAY;IAExC,mDAAmD;IACnD,MAAM,CAAQ;IACd,OAAO,CAAS;IACN,KAAK,CAAS;IAExB,kBAAkB,CAAU;IAE5B,YAAsB,GAAkB;QACtC,IAAI,CAAC,EAAE,GAAG,GAAG,CAAC,EAAE,CAAC;QACjB,IAAI,CAAC,SAAS,GAAG,GAAG,CAAC,SAAS,IAAI,IAAI,CAAC,GAAG,EAAE,CAAC;QAC7C,IAAI,CAAC,MAAM,GAAG,GAAG,CAAC,KAAK,CAAC;QACxB,IAAI,CAAC,OAAO,GAAG,GAAG,CAAC,MAAM,CAAC;QAC1B,IAAI,CAAC,OAAO,GAAG,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;QAC5B,IAAI,CAAC,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC;QACrB,IAAI,CAAC,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC;QACzB,sEAAsE;QACtE,MAAM,GAAG,GAAG,CAAC,GAAG,CAAC,MAAM,IAAI,OAAQ,GAAG,CAAC,MAAc,CAAC,KAAK,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,MAAM,CAAE,GAAG,CAAC,MAAc,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QAC5H,IAAI,GAAG,EAAE,CAAC;YACR,IAAI,CAAC,SAAS,GAAG,GAAG,GAAG,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,IAAI,CAAC;QACjD,CAAC;QACD,gDAAgD;QAChD,IAAI,CAAC,mBAAmB,GAAG,GAAG,CAAC,mBAAmB,IAAI,EAAE,CAAC;QACzD,IAAI,CAAC,qBAAqB,GAAG,GAAG,CAAC,qBAAqB,IAAI,EAAE,CAAC;QAC7D,IAAI,CAAC,cAAc,GAAG,GAAG,CAAC,cAAc,IAAI,EAAE,CAAC;QAC/C,IAAI,CAAC,gBAAgB,GAAG,GAAG,CAAC,gBAAgB,IAAI,EAAE,CAAC;QACnD,IAAI,CAAC,mBAAmB,GAAG,GAAG,CAAC,mBAAmB,IAAI,EAAE,CAAC;QACzD,IAAI,CAAC,eAAe,GAAG,GAAG,CAAC,eAAe,IAAI,EAAE,CAAC;QACjD,IAAI,CAAC,iBAAiB,GAAG,GAAG,CAAC,iBAAiB,IAAI,EAAE,CAAC;QACrD,IAAI,CAAC,iBAAiB,GAAG,GAAG,CAAC,iBAAiB,IAAI,EAAE,CAAC;QACrD,IAAI,CAAC,mBAAmB,GAAG,GAAG,CAAC,mBAAmB,IAAI,EAAE,CAAC;QACzD,IAAI,CAAC,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC;QACvB,IAAI,CAAC,kBAAkB,GAAG,GAAG,CAAC,SAAS,CAAC;IAC1C,CAAC;IAED;;;;OAIG;IACH,IAAc,KAAK;QACjB,OAAO,IAAI,CAAC,MAAM,CAAC;IACrB,CAAC;IACD,8CAA8C;IAE9C,IAAI,MAAM;QACR,OAAO,IAAI,CAAC,OAAO,CAAC;IACtB,CAAC;IAED,KAAK,CAAC,qBAAqB;QACzB,IAAI,IAAI,CAAC,kBAAkB;YAAE,OAAO,IAAI,CAAC,kBAAkB,CAAC;QAC5D,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,OAAO,EAAE,eAAe,IAAI,MAAM,CAAC;QACpE,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;YAC7B,OAAO,wCAAoB,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;QAC7C,CAAC;aAAM,CAAC;YACN,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YAC3C,OAAO,wCAAoB,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;QACnD,CAAC;IACH,CAAC;IAUD,gDAAgD;IAChD,MAAM,CAAC,OAAsD;QAC3D,MAAM,EAAE,GACN,OAAO,OAAO,KAAK,UAAU;YAC3B,CAAC,CAAC,OAAO;YACT,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC;gBACxB,CAAC,CAAC,CAAC,EAAU,EAAE,EAAE,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;gBACtC,CAAC,CAAC,CAAC,EAAU,EAAE,EAAE,CAAC,EAAE,KAAK,OAAO,CAAC;QACrC,OAAO,IAAI,WAAW,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;IACnC,CAAC;CACF;AAnGD,0BAmGC;AAED,MAAa,WAAW;IACO;IAAkC;IAA/D,YAA6B,MAAe,EAAmB,KAA8B;QAAhE,WAAM,GAAN,MAAM,CAAS;QAAmB,UAAK,GAAL,KAAK,CAAyB;IAAG,CAAC;IAEjG,IAAI,EAAE;QACJ,OAAO,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;IACxB,CAAC;IACD,IAAI,IAAI;QACN,OAAO,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC;IAC1B,CAAC;IACD,IAAI,IAAI;QACN,OAAO,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC;IAC1B,CAAC;IACD,IAAI,MAAM;QACR,OAAO,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC;IAC5B,CAAC;IACD,IAAI,cAAc;QAChB,OAAO,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC;IACpC,CAAC;IAED,KAAK,CAAC,QAAQ,CAAC,UAAkB;QAC/B,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC;YAAE,MAAM,IAAI,KAAK,CAAC,iBAAiB,UAAU,EAAE,CAAC,CAAC;QAC5E,OAAO,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;IAC1C,CAAC;IACD,IAAI,WAAW;QACb,OAAO,IAAI,CAAC,MAAM,CAAC,qBAAqB,CAAC;IAC3C,CAAC;CACF;AA1BD,kCA0BC","sourcesContent":["// auth/session/record/session.base.ts\n\nimport type { ProviderSnapshot, SessionMode } from '../session.types';\nimport { TransportIdGenerator } from '../session.transport';\nimport { Scope } from '../../../scope';\n\nexport interface BaseCreateCtx {\n id: string;\n sessionId?: string;\n scope: Scope;\n issuer: string;\n token: string;\n user: SessionUser;\n claims?: SessionClaims;\n createdAt?: number;\n // optional precomputed authorization projections\n authorizedProviders?: Record<string, ProviderSnapshot>;\n authorizedProviderIds?: string[];\n authorizedApps?: Record<string, { id: string; toolIds: string[] }>;\n authorizedAppIds?: string[];\n authorizedResources?: string[];\n scopes?: string[];\n // Scoped tools/prompts maps\n authorizedTools?: Record<string, { executionPath: [string, string]; details?: Record<string, any> }>;\n authorizedToolIds?: string[];\n authorizedPrompts?: Record<string, { executionPath: [string, string]; details?: Record<string, any> }>;\n authorizedPromptIds?: string[];\n}\n\n// TODO: can be extended\nexport interface SessionUser {\n sub?: string;\n name?: string;\n email?: string;\n picture?: string;\n}\n\n// TODO: can be extended\nexport interface SessionClaims {\n [key: string]: any;\n}\n\nexport abstract class Session {\n // ---------------- public immutable data ----------------\n readonly id: string;\n abstract readonly mode: SessionMode;\n readonly createdAt: number;\n readonly scopeId: string;\n readonly user: SessionUser;\n readonly claims?: Record<string, unknown>;\n /** Epoch millis when the bearer token expires (if available). */\n readonly expiresAt?: number;\n\n readonly authorizedProviders: Record<string, ProviderSnapshot>;\n readonly authorizedProviderIds: string[];\n readonly authorizedApps: Record<string, { id: string; toolIds: string[] }>;\n readonly authorizedAppIds: string[];\n readonly authorizedResources: string[];\n readonly scopes?: string[];\n readonly authorizedTools?: Record<string, { executionPath: [string, string]; details?: Record<string, any> }>;\n readonly authorizedToolIds?: string[];\n readonly authorizedPrompts?: Record<string, { executionPath: [string, string]; details?: Record<string, any> }>;\n readonly authorizedPromptIds?: string[];\n\n // ---------------- private/shared ----------------\n #scope: Scope;\n #issuer: string;\n protected token: string;\n\n #activeTransportId?: string;\n\n protected constructor(ctx: BaseCreateCtx) {\n this.id = ctx.id;\n this.createdAt = ctx.createdAt || Date.now();\n this.#scope = ctx.scope;\n this.#issuer = ctx.issuer;\n this.scopeId = ctx.scope.id;\n this.user = ctx.user;\n this.claims = ctx.claims;\n // derive token expiration from JWT claims if present (exp in seconds)\n const exp = (ctx.claims && typeof (ctx.claims as any)['exp'] === 'number') ? Number((ctx.claims as any)['exp']) : undefined;\n if (exp) {\n this.expiresAt = exp > 1e12 ? exp : exp * 1000;\n }\n // project authorized fields (defaults to empty)\n this.authorizedProviders = ctx.authorizedProviders ?? {};\n this.authorizedProviderIds = ctx.authorizedProviderIds ?? [];\n this.authorizedApps = ctx.authorizedApps ?? {};\n this.authorizedAppIds = ctx.authorizedAppIds ?? [];\n this.authorizedResources = ctx.authorizedResources ?? [];\n this.authorizedTools = ctx.authorizedTools ?? {};\n this.authorizedToolIds = ctx.authorizedToolIds ?? [];\n this.authorizedPrompts = ctx.authorizedPrompts ?? {};\n this.authorizedPromptIds = ctx.authorizedPromptIds ?? [];\n this.token = ctx.token;\n this.#activeTransportId = ctx.sessionId;\n }\n\n /**\n * Get the scope associated with this session.\n * Can be used by subclasses to implement custom scope handling.\n * @protected\n */\n protected get scope(): Scope {\n return this.#scope;\n }\n // ---------------- accessors ----------------\n\n get issuer(): string {\n return this.#issuer;\n }\n\n async getTransportSessionId(): Promise<string> {\n if (this.#activeTransportId) return this.#activeTransportId;\n const mode = this.scope.metadata.session?.transportIdMode ?? 'uuid';\n if (typeof mode === 'string') {\n return TransportIdGenerator.createId(mode);\n } else {\n const modeResult = await mode(this.issuer);\n return TransportIdGenerator.createId(modeResult);\n }\n }\n\n /**\n * Get the access token for a given provider.\n * Must be implemented in subclasses based on session topology.\n * @protected\n * @param providerId\n */\n abstract getToken(providerId?: string): Promise<string> | string;\n\n // ---------------- scoped view ----------------\n scoped(allowed: string | string[] | ((id: string) => boolean)) {\n const fn =\n typeof allowed === 'function'\n ? allowed\n : Array.isArray(allowed)\n ? (id: string) => allowed.includes(id)\n : (id: string) => id === allowed;\n return new SessionView(this, fn);\n }\n}\n\nexport class SessionView {\n constructor(private readonly parent: Session, private readonly allow: (id: string) => boolean) {}\n\n get id() {\n return this.parent.id;\n }\n get mode() {\n return this.parent.mode;\n }\n get user() {\n return this.parent.user;\n }\n get claims() {\n return this.parent.claims;\n }\n get authorizedApps() {\n return this.parent.authorizedApps;\n }\n\n async getToken(providerId: string) {\n if (!this.allow(providerId)) throw new Error(`scoped_denied:${providerId}`);\n return this.parent.getToken(providerId);\n }\n get transportId() {\n return this.parent.getTransportSessionId;\n }\n}\n"]}

package/src/auth/session/record/session.stateful.d.ts ADDED Viewed

@@ -0,0 +1,20 @@
+import { Session, type BaseCreateCtx } from './session.base';
+export type StatefulCreateCtx = BaseCreateCtx & {};
+/**
+ * Represents a **stateful session** stored server-side (e.g., Redis).
+ * Nested OAuth tokens are never exposed in the JWT; instead, they are
+ * encrypted and persisted in Redis under a session key. The client only
+ * receives a lightweight reference to that key.
+ *
+ * Advantages:
+ * - Smaller JWT payloads and reduced token leakage risk.
+ * - Can refresh nested provider tokens on the fly without requiring
+ *   the user to re-authorize.
+ * - Well suited for multi-app setups with short-lived OAuth tokens.
+ */
+export declare class StatefulSession extends Session {
+    #private;
+    readonly mode = "stateful";
+    constructor(ctx: StatefulCreateCtx);
+    getToken(providerId?: string): Promise<string> | string;
+}

package/src/auth/session/record/session.stateful.js ADDED Viewed

@@ -0,0 +1,55 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.StatefulSession = void 0;
+const session_base_1 = require("./session.base");
+/**
+ * Represents a **stateful session** stored server-side (e.g., Redis).
+ * Nested OAuth tokens are never exposed in the JWT; instead, they are
+ * encrypted and persisted in Redis under a session key. The client only
+ * receives a lightweight reference to that key.
+ *
+ * Advantages:
+ * - Smaller JWT payloads and reduced token leakage risk.
+ * - Can refresh nested provider tokens on the fly without requiring
+ *   the user to re-authorize.
+ * - Well suited for multi-app setups with short-lived OAuth tokens.
+ */
+class StatefulSession extends session_base_1.Session {
+    mode = 'stateful';
+    /**
+     * Used to encrypt/decrypt nested provider tokens in #store.
+     * @private
+     */
+    // eslint-disable-next-line no-unused-private-class-members
+    #vault;
+    /**
+     * Used to store/retrieve encrypted nested provider tokens.
+     * By default it will be a memory store, but can be replaced with a
+     * persistent store like Redis by settings session.store in SecureMcp options
+     * @private
+     */
+    // eslint-disable-next-line no-unused-private-class-members
+    #store;
+    /**
+     * Per-provider refreshers (keyed by providerId).
+     * Used to refresh nested provider tokens on the fly.
+     * By default, it will use the default refresher, which is a simple
+     * refresher that refreshes the token by calling the provider's refresh endpoint.
+     *
+     * If you want to use a custom refresher, you can set it by setting session.refresher in SecureMcp options
+     * @private
+     */
+    // eslint-disable-next-line no-unused-private-class-members
+    #refreshers;
+    // eslint-disable-next-line no-unused-private-class-members
+    #defaultRefresher;
+    constructor(ctx) {
+        super(ctx);
+        throw new Error('Method not implemented.');
+    }
+    getToken(providerId) {
+        throw new Error('Method not implemented.');
+    }
+}
+exports.StatefulSession = StatefulSession;
+//# sourceMappingURL=session.stateful.js.map

package/src/auth/session/record/session.stateful.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"session.stateful.js","sourceRoot":"","sources":["../../../../../src/auth/session/record/session.stateful.ts"],"names":[],"mappings":";;;AAAA,iDAA6D;AAO7D;;;;;;;;;;;GAWG;AACH,MAAa,eAAgB,SAAQ,sBAAO;IACjC,IAAI,GAAG,UAAU,CAAC;IAC3B;;;OAGG;IACH,2DAA2D;IAC3D,MAAM,CAAa;IACnB;;;;;OAKG;IACH,2DAA2D;IAC3D,MAAM,CAAa;IAEnB;;;;;;;;OAQG;IACH,2DAA2D;IAC3D,WAAW,CAAiC;IAC5C,2DAA2D;IAC3D,iBAAiB,CAAiB;IAElC,YAAY,GAAsB;QAChC,KAAK,CAAC,GAAU,CAAC,CAAC;QAClB,MAAM,IAAI,KAAK,CAAC,yBAAyB,CAAC,CAAC;IAC7C,CAAC;IAEQ,QAAQ,CAAC,UAAmB;QACnC,MAAM,IAAI,KAAK,CAAC,yBAAyB,CAAC,CAAC;IAC7C,CAAC;CAkCF;AAxED,0CAwEC","sourcesContent":["import { Session, type BaseCreateCtx } from './session.base';\nimport { TokenRefresher } from '../token.refresh';\nimport type { TokenStore } from '../token.store';\nimport type { TokenVault } from '../token.vault';\n\nexport type StatefulCreateCtx = BaseCreateCtx & {};\n\n/**\n * Represents a **stateful session** stored server-side (e.g., Redis).\n * Nested OAuth tokens are never exposed in the JWT; instead, they are\n * encrypted and persisted in Redis under a session key. The client only\n * receives a lightweight reference to that key.\n *\n * Advantages:\n * - Smaller JWT payloads and reduced token leakage risk.\n * - Can refresh nested provider tokens on the fly without requiring\n * the user to re-authorize.\n * - Well suited for multi-app setups with short-lived OAuth tokens.\n */\nexport class StatefulSession extends Session {\n readonly mode = 'stateful';\n /**\n * Used to encrypt/decrypt nested provider tokens in #store.\n * @private\n */\n // eslint-disable-next-line no-unused-private-class-members\n #vault: TokenVault;\n /**\n * Used to store/retrieve encrypted nested provider tokens.\n * By default it will be a memory store, but can be replaced with a\n * persistent store like Redis by settings session.store in SecureMcp options\n * @private\n */\n // eslint-disable-next-line no-unused-private-class-members\n #store: TokenStore;\n\n /**\n * Per-provider refreshers (keyed by providerId).\n * Used to refresh nested provider tokens on the fly.\n * By default, it will use the default refresher, which is a simple\n * refresher that refreshes the token by calling the provider's refresh endpoint.\n *\n * If you want to use a custom refresher, you can set it by setting session.refresher in SecureMcp options\n * @private\n */\n // eslint-disable-next-line no-unused-private-class-members\n #refreshers: Record<string, TokenRefresher>;\n // eslint-disable-next-line no-unused-private-class-members\n #defaultRefresher: TokenRefresher;\n\n constructor(ctx: StatefulCreateCtx) {\n super(ctx as any);\n throw new Error('Method not implemented.');\n }\n\n override getToken(providerId?: string): Promise<string> | string {\n throw new Error('Method not implemented.');\n }\n //\n // protected async attachProviderSecrets(p: ProviderInput): Promise<ProviderSnapshot> {\n // const snap: ProviderSnapshot = {\n // id: p.id,\n // exp: p.exp,\n // payload: p.payload,\n // apps: p.apps?.map(a => ({ id: String(a.id), toolIds: (a.toolIds ?? []).map(String) })),\n // embedMode: 'store-only',\n // };\n // if (p.token) snap.tokenEnc = encryptAesGcm(this.#key, p.token);\n // else if (p.enc) snap.tokenEnc = p.enc;\n // if (p.refreshToken) snap.refreshTokenEnc = encryptAesGcm(this.#key, p.refreshToken);\n // return snap;\n // }\n //\n // protected async readAccessToken(providerId: string): Promise<string | undefined> {\n // const s = this.authorizedProviders[providerId];\n // if (!s?.tokenEnc) return undefined;\n // return decryptAesGcm(this.#key, s.tokenEnc);\n // }\n //\n // protected readRefreshToken(providerId: string): string | undefined {\n // const s = this.authorizedProviders[providerId];\n // if (!s?.refreshTokenEnc) return undefined;\n // return decryptAesGcm(this.#key, s.refreshTokenEnc);\n // }\n //\n // protected async persistRefreshedTokens(providerId: string, res: TokenRefreshResult): Promise<void> {\n // const s = this.authorizedProviders[providerId];\n // if (!s) return;\n // if (res.accessToken) s.tokenEnc = encryptAesGcm(this.#key, res.accessToken);\n // if (res.refreshToken) s.refreshTokenEnc = encryptAesGcm(this.#key, res.refreshToken);\n // }\n}\n"]}

package/src/auth/session/record/session.stateless.d.ts ADDED Viewed

@@ -0,0 +1,17 @@
+import { Session, type BaseCreateCtx } from './session.base';
+export type StatefulCreateCtx = BaseCreateCtx & {};
+/**
+ * Represents a **stateful session (non-refreshable)** where nested OAuth
+ * tokens cannot be refreshed server-side. When a nested provider token
+ * expires, the user must re-authorize to obtain new credentials.
+ *
+ * Notes:
+ * - Simpler flow, but degrades UX when tokens are short-lived.
+ * - Prefer the refreshable stateful session for multi-app environments.
+ */
+export declare class StatelessSession extends Session {
+    #private;
+    readonly mode = "stateless";
+    constructor(ctx: StatefulCreateCtx);
+    getToken(providerId?: string): Promise<string> | string;
+}

package/src/auth/session/record/session.stateless.js ADDED Viewed

@@ -0,0 +1,30 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.StatelessSession = void 0;
+const session_base_1 = require("./session.base");
+/**
+ * Represents a **stateful session (non-refreshable)** where nested OAuth
+ * tokens cannot be refreshed server-side. When a nested provider token
+ * expires, the user must re-authorize to obtain new credentials.
+ *
+ * Notes:
+ * - Simpler flow, but degrades UX when tokens are short-lived.
+ * - Prefer the refreshable stateful session for multi-app environments.
+ */
+class StatelessSession extends session_base_1.Session {
+    mode = 'stateless';
+    /**
+     * Used to encrypt/decrypt nested provider tokens in #store.
+     * @private
+     */
+    #vault;
+    constructor(ctx) {
+        super(ctx);
+        throw new Error('Method not implemented.');
+    }
+    getToken(providerId) {
+        throw new Error('Method not implemented.');
+    }
+}
+exports.StatelessSession = StatelessSession;
+//# sourceMappingURL=session.stateless.js.map

package/src/auth/session/record/session.stateless.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"session.stateless.js","sourceRoot":"","sources":["../../../../../src/auth/session/record/session.stateless.ts"],"names":[],"mappings":";;;AAAA,iDAA6D;AAK7D;;;;;;;;GAQG;AACH,MAAa,gBAAiB,SAAQ,sBAAO;IAClC,IAAI,GAAG,WAAW,CAAC;IAC5B;;;OAGG;IACH,MAAM,CAAa;IACnB,YAAY,GAAsB;QAChC,KAAK,CAAC,GAAU,CAAC,CAAC;QAClB,MAAM,IAAI,KAAK,CAAC,yBAAyB,CAAC,CAAC;IAC7C,CAAC;IACQ,QAAQ,CAAC,UAAmB;QACnC,MAAM,IAAI,KAAK,CAAC,yBAAyB,CAAC,CAAC;IAC7C,CAAC;CACF;AAdD,4CAcC","sourcesContent":["import { Session, type BaseCreateCtx } from './session.base';\nimport { TokenVault } from '../token.vault';\n\nexport type StatefulCreateCtx = BaseCreateCtx & {};\n\n/**\n * Represents a **stateful session (non-refreshable)** where nested OAuth\n * tokens cannot be refreshed server-side. When a nested provider token\n * expires, the user must re-authorize to obtain new credentials.\n *\n * Notes:\n * - Simpler flow, but degrades UX when tokens are short-lived.\n * - Prefer the refreshable stateful session for multi-app environments.\n */\nexport class StatelessSession extends Session {\n readonly mode = 'stateless';\n /**\n * Used to encrypt/decrypt nested provider tokens in #store.\n * @private\n */\n #vault: TokenVault;\n constructor(ctx: StatefulCreateCtx) {\n super(ctx as any);\n throw new Error('Method not implemented.');\n }\n override getToken(providerId?: string): Promise<string> | string {\n throw new Error('Method not implemented.');\n }\n}\n"]}

package/src/auth/session/record/session.transparent.d.ts ADDED Viewed

@@ -0,0 +1,17 @@
+import { BaseCreateCtx, Session } from './session.base';
+interface TransparentCreateCtx extends BaseCreateCtx {
+    apps: string[];
+}
+/**
+ * Represents a transparent (Non-Orchestrated) session where delivered by authorization server.
+ * The session cannot have nest auth providers.
+ * The session cannot be refreshed.
+ * The session cannot be revoked.
+ * Useful for OAuth flows where the authorization server delivers the session.
+ */
+export declare class TransparentSession extends Session {
+    readonly mode = "transparent";
+    constructor(ctx: TransparentCreateCtx);
+    getToken(): Promise<string> | string;
+}
+export {};

package/src/auth/session/record/session.transparent.js ADDED Viewed

@@ -0,0 +1,22 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TransparentSession = void 0;
+const session_base_1 = require("./session.base");
+/**
+ * Represents a transparent (Non-Orchestrated) session where delivered by authorization server.
+ * The session cannot have nest auth providers.
+ * The session cannot be refreshed.
+ * The session cannot be revoked.
+ * Useful for OAuth flows where the authorization server delivers the session.
+ */
+class TransparentSession extends session_base_1.Session {
+    mode = 'transparent';
+    constructor(ctx) {
+        super(ctx);
+    }
+    getToken() {
+        return this.token;
+    }
+}
+exports.TransparentSession = TransparentSession;
+//# sourceMappingURL=session.transparent.js.map

package/src/auth/session/record/session.transparent.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"session.transparent.js","sourceRoot":"","sources":["../../../../../src/auth/session/record/session.transparent.ts"],"names":[],"mappings":";;;AAAA,iDAAwD;AAMxD;;;;;;GAMG;AACH,MAAa,kBAAmB,SAAQ,sBAAO;IACpC,IAAI,GAAG,aAAa,CAAC;IAC9B,YAAY,GAAyB;QACnC,KAAK,CAAC,GAAU,CAAC,CAAC;IACpB,CAAC;IAEQ,QAAQ;QACf,OAAO,IAAI,CAAC,KAAK,CAAC;IACpB,CAAC;CACF;AATD,gDASC","sourcesContent":["import { BaseCreateCtx, Session } from './session.base';\n\ninterface TransparentCreateCtx extends BaseCreateCtx {\n apps: string[];\n}\n\n/**\n * Represents a transparent (Non-Orchestrated) session where delivered by authorization server.\n * The session cannot have nest auth providers.\n * The session cannot be refreshed.\n * The session cannot be revoked.\n * Useful for OAuth flows where the authorization server delivers the session.\n */\nexport class TransparentSession extends Session {\n readonly mode = 'transparent';\n constructor(ctx: TransparentCreateCtx) {\n super(ctx as any);\n }\n\n override getToken(): Promise<string> | string {\n return this.token;\n }\n}\n"]}

package/src/auth/session/session.crypto.d.ts ADDED Viewed

@@ -0,0 +1,7 @@
+import type { EncBlob } from './session.types';
+/** Encrypt UTF-8 text using AES-256-GCM. Returns base64url fields. */
+export declare function encryptAesGcm(key: Buffer, plaintext: string): EncBlob;
+/** Decrypt an AES-256-GCM blob (base64url fields) to UTF-8 text. */
+export declare function decryptAesGcm(key: Buffer, blob: EncBlob): string;
+/** HKDF-SHA256 (RFC 5869) to derive key material. */
+export declare function hkdfSha256(ikm: Buffer, salt: Buffer, info: Buffer, length: number): Buffer;

package/src/auth/session/session.crypto.js ADDED Viewed

@@ -0,0 +1,47 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.encryptAesGcm = encryptAesGcm;
+exports.decryptAesGcm = decryptAesGcm;
+exports.hkdfSha256 = hkdfSha256;
+const tslib_1 = require("tslib");
+// auth/services/session/session.crypto.ts
+const node_crypto_1 = tslib_1.__importDefault(require("node:crypto"));
+/** Encrypt UTF-8 text using AES-256-GCM. Returns base64url fields. */
+function encryptAesGcm(key, plaintext) {
+    const iv = node_crypto_1.default.randomBytes(12);
+    const cipher = node_crypto_1.default.createCipheriv('aes-256-gcm', key, iv);
+    const data = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
+    const tag = cipher.getAuthTag();
+    return {
+        alg: 'A256GCM',
+        iv: iv.toString('base64url'),
+        tag: tag.toString('base64url'),
+        data: data.toString('base64url'),
+    };
+}
+/** Decrypt an AES-256-GCM blob (base64url fields) to UTF-8 text. */
+function decryptAesGcm(key, blob) {
+    const iv = Buffer.from(blob.iv, 'base64url');
+    const tag = Buffer.from(blob.tag, 'base64url');
+    const data = Buffer.from(blob.data, 'base64url');
+    const decipher = node_crypto_1.default.createDecipheriv('aes-256-gcm', key, iv);
+    decipher.setAuthTag(tag);
+    const out = Buffer.concat([decipher.update(data), decipher.final()]);
+    return out.toString('utf8');
+}
+/** HKDF-SHA256 (RFC 5869) to derive key material. */
+function hkdfSha256(ikm, salt, info, length) {
+    const prk = node_crypto_1.default.createHmac('sha256', salt).update(ikm).digest();
+    let prev = Buffer.alloc(0);
+    const chunks = [];
+    let ctr = 1;
+    while (Buffer.concat(chunks).length < length) {
+        prev = node_crypto_1.default
+            .createHmac('sha256', prk)
+            .update(Buffer.concat([prev, info, Buffer.from([ctr++])]))
+            .digest();
+        chunks.push(prev);
+    }
+    return Buffer.concat(chunks).subarray(0, length);
+}
+//# sourceMappingURL=session.crypto.js.map

package/src/auth/session/session.crypto.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"session.crypto.js","sourceRoot":"","sources":["../../../../src/auth/session/session.crypto.ts"],"names":[],"mappings":";;AAKA,sCAWC;AAGD,sCAQC;AAGD,gCAaC;;AA3CD,0CAA0C;AAC1C,sEAAiC;AAGjC,sEAAsE;AACtE,SAAgB,aAAa,CAAC,GAAW,EAAE,SAAiB;IAC1D,MAAM,EAAE,GAAG,qBAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;IAClC,MAAM,MAAM,GAAG,qBAAM,CAAC,cAAc,CAAC,aAAa,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;IAC7D,MAAM,IAAI,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IAC/E,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;IAChC,OAAO;QACL,GAAG,EAAE,SAAS;QACd,EAAE,EAAE,EAAE,CAAC,QAAQ,CAAC,WAAW,CAAC;QAC5B,GAAG,EAAE,GAAG,CAAC,QAAQ,CAAC,WAAW,CAAC;QAC9B,IAAI,EAAE,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC;KACjC,CAAC;AACJ,CAAC;AAED,oEAAoE;AACpE,SAAgB,aAAa,CAAC,GAAW,EAAE,IAAa;IACtD,MAAM,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE,WAAW,CAAC,CAAC;IAC7C,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,WAAW,CAAC,CAAC;IAC/C,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC;IACjD,MAAM,QAAQ,GAAG,qBAAM,CAAC,gBAAgB,CAAC,aAAa,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;IACjE,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;IACzB,MAAM,GAAG,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IACrE,OAAO,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;AAC9B,CAAC;AAED,qDAAqD;AACrD,SAAgB,UAAU,CAAC,GAAW,EAAE,IAAY,EAAE,IAAY,EAAE,MAAc;IAChF,MAAM,GAAG,GAAG,qBAAM,CAAC,UAAU,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC;IACnE,IAAI,IAAI,GAAW,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IACnC,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,IAAI,GAAG,GAAG,CAAC,CAAC;IACZ,OAAO,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,GAAG,MAAM,EAAE,CAAC;QAC7C,IAAI,GAAG,qBAAM;aACV,UAAU,CAAC,QAAQ,EAAE,GAAG,CAAC;aACzB,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;aACzD,MAAM,EAAE,CAAC;QACZ,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACpB,CAAC;IACD,OAAO,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;AACnD,CAAC","sourcesContent":["// auth/services/session/session.crypto.ts\nimport crypto from 'node:crypto';\nimport type { EncBlob } from './session.types';\n\n/** Encrypt UTF-8 text using AES-256-GCM. Returns base64url fields. */\nexport function encryptAesGcm(key: Buffer, plaintext: string): EncBlob {\n const iv = crypto.randomBytes(12);\n const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);\n const data = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);\n const tag = cipher.getAuthTag();\n return {\n alg: 'A256GCM',\n iv: iv.toString('base64url'),\n tag: tag.toString('base64url'),\n data: data.toString('base64url'),\n };\n}\n\n/** Decrypt an AES-256-GCM blob (base64url fields) to UTF-8 text. */\nexport function decryptAesGcm(key: Buffer, blob: EncBlob): string {\n const iv = Buffer.from(blob.iv, 'base64url');\n const tag = Buffer.from(blob.tag, 'base64url');\n const data = Buffer.from(blob.data, 'base64url');\n const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);\n decipher.setAuthTag(tag);\n const out = Buffer.concat([decipher.update(data), decipher.final()]);\n return out.toString('utf8');\n}\n\n/** HKDF-SHA256 (RFC 5869) to derive key material. */\nexport function hkdfSha256(ikm: Buffer, salt: Buffer, info: Buffer, length: number): Buffer {\n const prk = crypto.createHmac('sha256', salt).update(ikm).digest();\n let prev: Buffer = Buffer.alloc(0);\n const chunks: Buffer[] = [];\n let ctr = 1;\n while (Buffer.concat(chunks).length < length) {\n prev = crypto\n .createHmac('sha256', prk)\n .update(Buffer.concat([prev, info, Buffer.from([ctr++])]))\n .digest();\n chunks.push(prev);\n }\n return Buffer.concat(chunks).subarray(0, length);\n}\n"]}

package/src/auth/session/session.schema.d.ts ADDED Viewed

@@ -0,0 +1,5 @@
+import { z } from 'zod';
+import { TransparentSession } from './record/session.transparent';
+import { StatefulSession } from './record/session.stateful';
+import { StatelessSession } from './record/session.stateless';
+export declare const SessionSchema: z.ZodUnion<[z.ZodType<TransparentSession, z.ZodTypeDef, TransparentSession>, z.ZodType<StatefulSession, z.ZodTypeDef, StatefulSession>, z.ZodType<StatelessSession, z.ZodTypeDef, StatelessSession>]>;

package/src/auth/session/session.schema.js ADDED Viewed

@@ -0,0 +1,13 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SessionSchema = void 0;
+const zod_1 = require("zod");
+const session_transparent_1 = require("./record/session.transparent");
+const session_stateful_1 = require("./record/session.stateful");
+const session_stateless_1 = require("./record/session.stateless");
+exports.SessionSchema = zod_1.z.union([
+    zod_1.z.instanceof(session_transparent_1.TransparentSession),
+    zod_1.z.instanceof(session_stateful_1.StatefulSession),
+    zod_1.z.instanceof(session_stateless_1.StatelessSession),
+]);
+//# sourceMappingURL=session.schema.js.map

package/src/auth/session/session.schema.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"session.schema.js","sourceRoot":"","sources":["../../../../src/auth/session/session.schema.ts"],"names":[],"mappings":";;;AAAA,6BAAwB;AACxB,sEAAkE;AAClE,gEAA4D;AAC5D,kEAA8D;AAEjD,QAAA,aAAa,GAAG,OAAC,CAAC,KAAK,CAAC;IACnC,OAAC,CAAC,UAAU,CAAC,wCAAkB,CAAC;IAChC,OAAC,CAAC,UAAU,CAAC,kCAAe,CAAC;IAC7B,OAAC,CAAC,UAAU,CAAC,oCAAgB,CAAC;CAC/B,CAAC,CAAC","sourcesContent":["import { z } from 'zod';\nimport { TransparentSession } from './record/session.transparent';\nimport { StatefulSession } from './record/session.stateful';\nimport { StatelessSession } from './record/session.stateless';\n\nexport const SessionSchema = z.union([\n z.instanceof(TransparentSession),\n z.instanceof(StatefulSession),\n z.instanceof(StatelessSession),\n]);\n"]}

package/src/auth/session/session.service.d.ts ADDED Viewed

@@ -0,0 +1,17 @@
+import { StatelessSession } from './record/session.stateless';
+import { StatefulSession } from './record/session.stateful';
+import { Scope } from '../../scope';
+import { CreateSessionArgs } from './session.types';
+import { TransparentSession } from './record/session.transparent';
+import { Authorization } from '../../common';
+export declare class SessionService {
+    private store;
+    keyOf(authorization: Authorization): Promise<void>;
+    /**
+     * Create and persist a new Session from verified auth data.
+     * The returned Session exposes async token helpers, scoped view, and transport JWT helpers.
+     */
+    createSession(scope: Scope, args: CreateSessionArgs): Promise<StatelessSession | StatefulSession | TransparentSession>;
+    private createOrchestratedSession;
+    private createTransparentSession;
+}

package/src/auth/session/session.service.js ADDED Viewed

@@ -0,0 +1,111 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SessionService = void 0;
+// auth/session/session.service.ts
+const session_stateless_1 = require("./record/session.stateless");
+const session_stateful_1 = require("./record/session.stateful");
+const session_transparent_1 = require("./record/session.transparent");
+const store_1 = require("../../store");
+const session_id_utils_1 = require("./utils/session-id.utils");
+class SessionService {
+    store = new store_1.ScopedInMemoryStore();
+    async keyOf(authorization) {
+        const sessionKey = (0, session_id_utils_1.encryptJson)({ token: authorization.token });
+        if (authorization.session) {
+        }
+    }
+    /**
+     * Create and persist a new Session from verified auth data.
+     * The returned Session exposes async token helpers, scoped view, and transport JWT helpers.
+     */
+    async createSession(scope, args) {
+        if (scope.orchestrated) {
+            return this.createOrchestratedSession(scope, args);
+        }
+        else {
+            return this.createTransparentSession(scope, args);
+        }
+    }
+    createOrchestratedSession(scope, args) {
+        const stateless = scope.metadata.session?.sessionMode === 'stateless';
+        if (stateless) {
+            return new session_stateless_1.StatelessSession(args);
+        }
+        else {
+            return new session_stateful_1.StatefulSession(args);
+        }
+    }
+    createTransparentSession(scope, args) {
+        const primary = scope.auth;
+        const apps = scope.apps.getApps();
+        const appIds = apps.map((app) => app.id);
+        // Prefer precomputed projections when provided
+        let authorizedApps = args.authorizedApps ?? {};
+        if (!args.authorizedApps) {
+            authorizedApps = {};
+            for (const app of apps) {
+                try {
+                    const toolNames = app.tools.getTools().map((t) => String(t.metadata.name));
+                    authorizedApps[app.id] = { id: app.id, toolIds: toolNames };
+                }
+                catch {
+                    authorizedApps[app.id] = { id: app.id, toolIds: [] };
+                }
+            }
+        }
+        // TODO: the authorized resources should be computed from the oauth-protected-resource flow
+        // let authorizedResources: string[] = args.authorizedResources ?? [];
+        // if (!args.authorizedResources) {
+        //   authorizedResources = [];
+        // }
+        // Providers snapshot
+        let authorizedProviders = args.authorizedProviders;
+        let authorizedProviderIds = args.authorizedProviderIds;
+        if (!authorizedProviders || !authorizedProviderIds) {
+            const expClaim = args.claims && typeof args.claims['exp'] === 'number'
+                ? Number(args.claims['exp'])
+                : undefined;
+            const providerSnapshot = {
+                id: primary.id,
+                exp: expClaim,
+                payload: args.claims ?? {},
+                apps: appIds.map((id) => ({ id, toolIds: authorizedApps[id]?.toolIds ?? [] })),
+                embedMode: 'plain',
+            };
+            authorizedProviders = { [primary.id]: providerSnapshot };
+            authorizedProviderIds = [primary.id];
+        }
+        // resolve granted scopes from token claims (scope or scp)
+        let scopes = args.scopes ?? [];
+        if (!args.scopes) {
+            const rawScope = (args.claims && (args.claims['scope'] ?? args.claims['scp']));
+            scopes = Array.isArray(rawScope)
+                ? rawScope.map(String)
+                : typeof rawScope === 'string'
+                    ? rawScope.split(/[\s,]+/).filter(Boolean)
+                    : [];
+        }
+        return new session_transparent_1.TransparentSession({
+            apps: appIds,
+            id: args.token,
+            sessionId: args.sessionId,
+            scope,
+            user: args.user,
+            issuer: primary.issuer,
+            token: args.token,
+            claims: args.claims,
+            authorizedProviders: authorizedProviders,
+            authorizedProviderIds: authorizedProviderIds,
+            authorizedApps,
+            authorizedAppIds: appIds,
+            authorizedResources: [], // TODO: fix
+            scopes,
+            authorizedTools: args.authorizedTools,
+            authorizedToolIds: args.authorizedToolIds,
+            authorizedPrompts: args.authorizedPrompts,
+            authorizedPromptIds: args.authorizedPromptIds,
+        });
+    }
+}
+exports.SessionService = SessionService;
+//# sourceMappingURL=session.service.js.map

package/src/auth/session/session.service.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"session.service.js","sourceRoot":"","sources":["../../../../src/auth/session/session.service.ts"],"names":[],"mappings":";;;AAAA,kCAAkC;AAClC,kEAA8D;AAC9D,gEAA4D;AAG5D,sEAAkE;AAElE,uCAAkD;AAClD,+DAAuD;AAEvD,MAAa,cAAc;IACjB,KAAK,GAAG,IAAI,2BAAmB,EAAE,CAAA;IAGzC,KAAK,CAAC,KAAK,CAAC,aAA4B;QACtC,MAAM,UAAU,GAAG,IAAA,8BAAW,EAAC,EAAC,KAAK,EAAC,aAAa,CAAC,KAAK,EAAC,CAAC,CAAC;QAC5D,IAAG,aAAa,CAAC,OAAO,EAAC,CAAC;QAE1B,CAAC;IACH,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,aAAa,CAAC,KAAY,EAAE,IAAuB;QACvD,IAAI,KAAK,CAAC,YAAY,EAAE,CAAC;YACvB,OAAO,IAAI,CAAC,yBAAyB,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;QACrD,CAAC;aAAM,CAAC;YACN,OAAO,IAAI,CAAC,wBAAwB,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;QACpD,CAAC;IACH,CAAC;IAEO,yBAAyB,CAAC,KAAY,EAAE,IAAuB;QACrE,MAAM,SAAS,GAAG,KAAK,CAAC,QAAQ,CAAC,OAAO,EAAE,WAAW,KAAK,WAAW,CAAC;QACtE,IAAI,SAAS,EAAE,CAAC;YACd,OAAO,IAAI,oCAAgB,CAAC,IAAW,CAAC,CAAC;QAC3C,CAAC;aAAM,CAAC;YACN,OAAO,IAAI,kCAAe,CAAC,IAAW,CAAC,CAAC;QAC1C,CAAC;IACH,CAAC;IAEO,wBAAwB,CAAC,KAAY,EAAE,IAAuB;QACpE,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,CAAC;QAE3B,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;QAClC,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAEzC,+CAA+C;QAC/C,IAAI,cAAc,GAAsD,IAAI,CAAC,cAAc,IAAI,EAAE,CAAC;QAClG,IAAI,CAAC,IAAI,CAAC,cAAc,EAAE,CAAC;YACzB,cAAc,GAAG,EAAE,CAAC;YACpB,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;gBACvB,IAAI,CAAC;oBACH,MAAM,SAAS,GAAG,GAAG,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC;oBAC3E,cAAc,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,EAAE,EAAE,EAAE,GAAG,CAAC,EAAE,EAAE,OAAO,EAAE,SAAS,EAAE,CAAC;gBAC9D,CAAC;gBAAC,MAAM,CAAC;oBACP,cAAc,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,EAAE,EAAE,EAAE,GAAG,CAAC,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;gBACvD,CAAC;YACH,CAAC;QACH,CAAC;QAED,2FAA2F;QAC3F,sEAAsE;QACtE,mCAAmC;QACnC,8BAA8B;QAC9B,IAAI;QAEJ,qBAAqB;QACrB,IAAI,mBAAmB,GAAG,IAAI,CAAC,mBAAmB,CAAC;QACnD,IAAI,qBAAqB,GAAG,IAAI,CAAC,qBAAqB,CAAC;QACvD,IAAI,CAAC,mBAAmB,IAAI,CAAC,qBAAqB,EAAE,CAAC;YACnD,MAAM,QAAQ,GACZ,IAAI,CAAC,MAAM,IAAI,OAAQ,IAAI,CAAC,MAAc,CAAC,KAAK,CAAC,KAAK,QAAQ;gBAC5D,CAAC,CAAC,MAAM,CAAE,IAAI,CAAC,MAAc,CAAC,KAAK,CAAC,CAAC;gBACrC,CAAC,CAAC,SAAS,CAAC;YAChB,MAAM,gBAAgB,GAAG;gBACvB,EAAE,EAAE,OAAO,CAAC,EAAE;gBACd,GAAG,EAAE,QAAQ;gBACb,OAAO,EAAE,IAAI,CAAC,MAAM,IAAI,EAAE;gBAC1B,IAAI,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,EAAE,EAAE,EAAE,OAAO,EAAE,cAAc,CAAC,EAAE,CAAC,EAAE,OAAO,IAAI,EAAE,EAAE,CAAC,CAAC;gBAC9E,SAAS,EAAE,OAAgB;aAC5B,CAAC;YACF,mBAAmB,GAAG,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC,EAAE,gBAAgB,EAAS,CAAC;YAChE,qBAAqB,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;QACvC,CAAC;QAED,0DAA0D;QAC1D,IAAI,MAAM,GAAa,IAAI,CAAC,MAAM,IAAI,EAAE,CAAC;QACzC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;YACjB,MAAM,QAAQ,GAAG,CAAC,IAAI,CAAC,MAAM,IAAI,CAAE,IAAI,CAAC,MAAc,CAAC,OAAO,CAAC,IAAK,IAAI,CAAC,MAAc,CAAC,KAAK,CAAC,CAAC,CAAY,CAAC;YAC5G,MAAM,GAAG,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC;gBAC9B,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC;gBACtB,CAAC,CAAC,OAAO,QAAQ,KAAK,QAAQ;oBAC5B,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC;oBAC1C,CAAC,CAAC,EAAE,CAAC;QACX,CAAC;QAED,OAAO,IAAI,wCAAkB,CAAC;YAC5B,IAAI,EAAE,MAAM;YACZ,EAAE,EAAE,IAAI,CAAC,KAAK;YACd,SAAS,EAAE,IAAI,CAAC,SAAS;YACzB,KAAK;YACL,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,MAAM,EAAE,OAAO,CAAC,MAAM;YACtB,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,mBAAmB,EAAE,mBAA0B;YAC/C,qBAAqB,EAAE,qBAA4B;YACnD,cAAc;YACd,gBAAgB,EAAE,MAAM;YACxB,mBAAmB,EAAE,EAAE,EAAE,YAAY;YACrC,MAAM;YACN,eAAe,EAAE,IAAI,CAAC,eAAe;YACrC,iBAAiB,EAAE,IAAI,CAAC,iBAAiB;YACzC,iBAAiB,EAAE,IAAI,CAAC,iBAAiB;YACzC,mBAAmB,EAAE,IAAI,CAAC,mBAAmB;SACvC,CAAC,CAAC;IACZ,CAAC;CACF;AA7GD,wCA6GC","sourcesContent":["// auth/session/session.service.ts\nimport { StatelessSession } from './record/session.stateless';\nimport { StatefulSession } from './record/session.stateful';\nimport { Scope } from '../../scope';\nimport { CreateSessionArgs } from './session.types';\nimport { TransparentSession } from './record/session.transparent';\nimport { Authorization } from '../../common';\nimport { ScopedInMemoryStore } from '../../store';\nimport { encryptJson } from './utils/session-id.utils';\n\nexport class SessionService {\n private store = new ScopedInMemoryStore()\n\n\n async keyOf(authorization: Authorization) {\n const sessionKey = encryptJson({token:authorization.token});\n if(authorization.session){\n\n }\n }\n\n /**\n * Create and persist a new Session from verified auth data.\n * The returned Session exposes async token helpers, scoped view, and transport JWT helpers.\n */\n async createSession(scope: Scope, args: CreateSessionArgs) {\n if (scope.orchestrated) {\n return this.createOrchestratedSession(scope, args);\n } else {\n return this.createTransparentSession(scope, args);\n }\n }\n\n private createOrchestratedSession(scope: Scope, args: CreateSessionArgs) {\n const stateless = scope.metadata.session?.sessionMode === 'stateless';\n if (stateless) {\n return new StatelessSession(args as any);\n } else {\n return new StatefulSession(args as any);\n }\n }\n\n private createTransparentSession(scope: Scope, args: CreateSessionArgs) {\n const primary = scope.auth;\n\n const apps = scope.apps.getApps();\n const appIds = apps.map((app) => app.id);\n\n // Prefer precomputed projections when provided\n let authorizedApps: Record<string, { id: string; toolIds: string[] }> = args.authorizedApps ?? {};\n if (!args.authorizedApps) {\n authorizedApps = {};\n for (const app of apps) {\n try {\n const toolNames = app.tools.getTools().map((t) => String(t.metadata.name));\n authorizedApps[app.id] = { id: app.id, toolIds: toolNames };\n } catch {\n authorizedApps[app.id] = { id: app.id, toolIds: [] };\n }\n }\n }\n\n // TODO: the authorized resources should be computed from the oauth-protected-resource flow\n // let authorizedResources: string[] = args.authorizedResources ?? [];\n // if (!args.authorizedResources) {\n // authorizedResources = [];\n // }\n\n // Providers snapshot\n let authorizedProviders = args.authorizedProviders;\n let authorizedProviderIds = args.authorizedProviderIds;\n if (!authorizedProviders || !authorizedProviderIds) {\n const expClaim =\n args.claims && typeof (args.claims as any)['exp'] === 'number'\n ? Number((args.claims as any)['exp'])\n : undefined;\n const providerSnapshot = {\n id: primary.id,\n exp: expClaim,\n payload: args.claims ?? {},\n apps: appIds.map((id) => ({ id, toolIds: authorizedApps[id]?.toolIds ?? [] })),\n embedMode: 'plain' as const,\n };\n authorizedProviders = { [primary.id]: providerSnapshot } as any;\n authorizedProviderIds = [primary.id];\n }\n\n // resolve granted scopes from token claims (scope or scp)\n let scopes: string[] = args.scopes ?? [];\n if (!args.scopes) {\n const rawScope = (args.claims && ((args.claims as any)['scope'] ?? (args.claims as any)['scp'])) as unknown;\n scopes = Array.isArray(rawScope)\n ? rawScope.map(String)\n : typeof rawScope === 'string'\n ? rawScope.split(/[\\s,]+/).filter(Boolean)\n : [];\n }\n\n return new TransparentSession({\n apps: appIds,\n id: args.token,\n sessionId: args.sessionId,\n scope,\n user: args.user,\n issuer: primary.issuer,\n token: args.token,\n claims: args.claims,\n authorizedProviders: authorizedProviders as any,\n authorizedProviderIds: authorizedProviderIds as any,\n authorizedApps,\n authorizedAppIds: appIds,\n authorizedResources: [], // TODO: fix\n scopes,\n authorizedTools: args.authorizedTools,\n authorizedToolIds: args.authorizedToolIds,\n authorizedPrompts: args.authorizedPrompts,\n authorizedPromptIds: args.authorizedPromptIds,\n } as any);\n }\n}\n"]}

package/src/auth/session/session.transport.d.ts ADDED Viewed

@@ -0,0 +1,4 @@
+import { TransportIdMode } from '../../common';
+export declare class TransportIdGenerator {
+    static createId(mode: TransportIdMode): string;
+}

package/src/auth/session/session.transport.js ADDED Viewed

@@ -0,0 +1,20 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TransportIdGenerator = void 0;
+// auth/session/session.transport.ts
+const node_crypto_1 = require("node:crypto");
+class TransportIdGenerator {
+    static createId(mode) {
+        switch (mode) {
+            case 'uuid':
+                return (0, node_crypto_1.randomUUID)();
+            case 'jwt':
+                // TODO: generate a JWT with a random UUID as the jti,
+                return (0, node_crypto_1.randomUUID)().replace(/-/g, '');
+            default:
+                throw new Error(`Unknown transport id mode: ${mode}`);
+        }
+    }
+}
+exports.TransportIdGenerator = TransportIdGenerator;
+//# sourceMappingURL=session.transport.js.map

package/src/auth/session/session.transport.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"session.transport.js","sourceRoot":"","sources":["../../../../src/auth/session/session.transport.ts"],"names":[],"mappings":";;;AAAA,oCAAoC;AACpC,6CAAyC;AAGzC,MAAa,oBAAoB;IAC/B,MAAM,CAAC,QAAQ,CAAC,IAAqB;QACnC,QAAQ,IAAI,EAAE,CAAC;YACb,KAAK,MAAM;gBACT,OAAO,IAAA,wBAAU,GAAE,CAAC;YACtB,KAAK,KAAK;gBACR,sDAAsD;gBACtD,OAAO,IAAA,wBAAU,GAAE,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;YACxC;gBACE,MAAM,IAAI,KAAK,CAAC,8BAA8B,IAAI,EAAE,CAAC,CAAC;QAC1D,CAAC;IACH,CAAC;CACF;AAZD,oDAYC","sourcesContent":["// auth/session/session.transport.ts\nimport { randomUUID } from 'node:crypto';\nimport { TransportIdMode } from '../../common';\n\nexport class TransportIdGenerator {\n static createId(mode: TransportIdMode): string {\n switch (mode) {\n case 'uuid':\n return randomUUID();\n case 'jwt':\n // TODO: generate a JWT with a random UUID as the jti,\n return randomUUID().replace(/-/g, '');\n default:\n throw new Error(`Unknown transport id mode: ${mode}`);\n }\n }\n}\n"]}