@frontmcp/sdk 0.4.0 → 0.5.0

package/src/auth/session/authorization-vault.js

@@ -0,0 +1,817 @@
+"use strict";
+/**
+ * Authorization Vault
+ *
+ * Secure storage for stateful authorization sessions.
+ * Stores provider tokens, consent selections, and session metadata.
+ *
+ * Supports multiple credential types:
+ * - OAuth tokens (access_token, refresh_token, scopes)
+ * - API Keys (key value, header name)
+ * - Basic Auth (username, password)
+ * - Private Keys (PEM/JWK format for signing)
+ * - Custom credentials (extensible)
+ *
+ * In stateful mode:
+ * - Access token is a non-rotatable key to this vault
+ * - All sensitive data stored server-side
+ * - Supports incremental authorization via links
+ *
+ * In stateless mode:
+ * - No vault used, all data in JWT claims
+ * - No incremental authorization support
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RedisAuthorizationVault = exports.InMemoryAuthorizationVault = exports.authorizationVaultEntrySchema = exports.pendingIncrementalAuthSchema = exports.vaultFederatedRecordSchema = exports.vaultConsentRecordSchema = exports.appCredentialSchema = exports.credentialSchema = exports.customCredentialSchema = exports.mtlsCredentialSchema = exports.privateKeyCredentialSchema = exports.bearerCredentialSchema = exports.basicAuthCredentialSchema = exports.apiKeyCredentialSchema = exports.oauthCredentialSchema = exports.credentialTypeSchema = void 0;
+const zod_1 = require("zod");
+const node_crypto_1 = require("node:crypto");
+// ============================================
+// Credential Type Enum
+// ============================================
+/**
+ * Supported credential types for app authentication
+ */
+exports.credentialTypeSchema = zod_1.z.enum([
+    'oauth', // OAuth 2.0 tokens
+    'api_key', // API key (header or query param)
+    'basic', // Basic auth (username:password)
+    'bearer', // Bearer token (static)
+    'private_key', // Private key for signing (JWT, etc.)
+    'mtls', // Mutual TLS certificate
+    'custom', // Custom credential type
+]);
+// ============================================
+// Credential Schemas by Type
+// ============================================
+/**
+ * OAuth credential - standard OAuth 2.0 tokens
+ */
+exports.oauthCredentialSchema = zod_1.z.object({
+    type: zod_1.z.literal('oauth'),
+    /** Access token */
+    accessToken: zod_1.z.string(),
+    /** Refresh token (optional) */
+    refreshToken: zod_1.z.string().optional(),
+    /** Token type (usually 'Bearer') */
+    tokenType: zod_1.z.string().default('Bearer'),
+    /** Token expiration timestamp (epoch ms) */
+    expiresAt: zod_1.z.number().optional(),
+    /** Granted scopes */
+    scopes: zod_1.z.array(zod_1.z.string()).default([]),
+    /** ID token for OIDC (optional) */
+    idToken: zod_1.z.string().optional(),
+});
+/**
+ * API Key credential - sent in header or query param
+ */
+exports.apiKeyCredentialSchema = zod_1.z.object({
+    type: zod_1.z.literal('api_key'),
+    /** The API key value */
+    key: zod_1.z.string().min(1),
+    /** Header name to use (e.g., 'X-API-Key', 'Authorization') */
+    headerName: zod_1.z.string().default('X-API-Key'),
+    /** Prefix for the header value (e.g., 'Bearer ', 'Api-Key ') */
+    headerPrefix: zod_1.z.string().optional(),
+    /** Alternative: send as query parameter */
+    queryParam: zod_1.z.string().optional(),
+});
+/**
+ * Basic Auth credential - username and password
+ */
+exports.basicAuthCredentialSchema = zod_1.z.object({
+    type: zod_1.z.literal('basic'),
+    /** Username */
+    username: zod_1.z.string().min(1),
+    /** Password */
+    password: zod_1.z.string(),
+    /** Pre-computed base64 encoded value (optional, for caching) */
+    encodedValue: zod_1.z.string().optional(),
+});
+/**
+ * Bearer token credential - static bearer token
+ */
+exports.bearerCredentialSchema = zod_1.z.object({
+    type: zod_1.z.literal('bearer'),
+    /** The bearer token value */
+    token: zod_1.z.string().min(1),
+    /** Token expiration (optional, for static tokens that expire) */
+    expiresAt: zod_1.z.number().optional(),
+});
+/**
+ * Private key credential - for JWT signing or request signing
+ */
+exports.privateKeyCredentialSchema = zod_1.z.object({
+    type: zod_1.z.literal('private_key'),
+    /** Key format */
+    format: zod_1.z.enum(['pem', 'jwk', 'pkcs8', 'pkcs12']),
+    /** The key data (PEM string or JWK JSON) */
+    keyData: zod_1.z.string(),
+    /** Key ID (for JWK) */
+    keyId: zod_1.z.string().optional(),
+    /** Algorithm to use for signing */
+    algorithm: zod_1.z.string().optional(),
+    /** Passphrase if key is encrypted */
+    passphrase: zod_1.z.string().optional(),
+    /** Associated certificate (for mTLS) */
+    certificate: zod_1.z.string().optional(),
+});
+/**
+ * mTLS credential - client certificate for mutual TLS
+ */
+exports.mtlsCredentialSchema = zod_1.z.object({
+    type: zod_1.z.literal('mtls'),
+    /** Client certificate (PEM format) */
+    certificate: zod_1.z.string(),
+    /** Private key (PEM format) */
+    privateKey: zod_1.z.string(),
+    /** Passphrase if private key is encrypted */
+    passphrase: zod_1.z.string().optional(),
+    /** CA certificate chain (optional) */
+    caCertificate: zod_1.z.string().optional(),
+});
+/**
+ * Custom credential - extensible for app-specific auth
+ */
+exports.customCredentialSchema = zod_1.z.object({
+    type: zod_1.z.literal('custom'),
+    /** Custom type identifier */
+    customType: zod_1.z.string().min(1),
+    /** Arbitrary credential data */
+    data: zod_1.z.record(zod_1.z.string(), zod_1.z.unknown()),
+    /** Headers to include in requests */
+    headers: zod_1.z.record(zod_1.z.string(), zod_1.z.string()).optional(),
+});
+/**
+ * Union of all credential types
+ */
+exports.credentialSchema = zod_1.z.discriminatedUnion('type', [
+    exports.oauthCredentialSchema,
+    exports.apiKeyCredentialSchema,
+    exports.basicAuthCredentialSchema,
+    exports.bearerCredentialSchema,
+    exports.privateKeyCredentialSchema,
+    exports.mtlsCredentialSchema,
+    exports.customCredentialSchema,
+]);
+// ============================================
+// App Credential Schema
+// ============================================
+/**
+ * Credential stored for an app in the vault
+ */
+exports.appCredentialSchema = zod_1.z.object({
+    /** App ID this credential belongs to */
+    appId: zod_1.z.string().min(1),
+    /** Provider ID within the app (for apps with multiple auth providers) */
+    providerId: zod_1.z.string().min(1),
+    /** The credential data */
+    credential: exports.credentialSchema,
+    /** Timestamp when credential was acquired */
+    acquiredAt: zod_1.z.number(),
+    /** Timestamp when credential was last used */
+    lastUsedAt: zod_1.z.number().optional(),
+    /** Credential expiration (if applicable) */
+    expiresAt: zod_1.z.number().optional(),
+    /** Whether this credential is currently valid */
+    isValid: zod_1.z.boolean().default(true),
+    /** Error message if credential is invalid */
+    invalidReason: zod_1.z.string().optional(),
+    /** User info associated with this credential */
+    userInfo: zod_1.z
+        .object({
+        sub: zod_1.z.string().optional(),
+        email: zod_1.z.string().optional(),
+        name: zod_1.z.string().optional(),
+    })
+        .optional(),
+    /** Metadata for tracking/debugging */
+    metadata: zod_1.z.record(zod_1.z.string(), zod_1.z.unknown()).optional(),
+});
+/**
+ * Consent record stored in vault
+ */
+exports.vaultConsentRecordSchema = zod_1.z.object({
+    /** Whether consent was enabled */
+    enabled: zod_1.z.boolean(),
+    /** Selected tool IDs (user approved these) */
+    selectedToolIds: zod_1.z.array(zod_1.z.string()),
+    /** Available tool IDs at time of consent */
+    availableToolIds: zod_1.z.array(zod_1.z.string()),
+    /** Timestamp when consent was given */
+    consentedAt: zod_1.z.number(),
+    /** Consent version for tracking changes */
+    version: zod_1.z.string().default('1.0'),
+});
+/**
+ * Federated login record stored in vault
+ */
+exports.vaultFederatedRecordSchema = zod_1.z.object({
+    /** Provider IDs that were selected */
+    selectedProviderIds: zod_1.z.array(zod_1.z.string()),
+    /** Provider IDs that were skipped (can be authorized later) */
+    skippedProviderIds: zod_1.z.array(zod_1.z.string()),
+    /** Primary provider ID */
+    primaryProviderId: zod_1.z.string().optional(),
+    /** Timestamp when federated login was completed */
+    completedAt: zod_1.z.number(),
+});
+/**
+ * Pending incremental authorization request
+ */
+exports.pendingIncrementalAuthSchema = zod_1.z.object({
+    /** Unique ID for this request */
+    id: zod_1.z.string(),
+    /** App ID being authorized */
+    appId: zod_1.z.string(),
+    /** Tool ID that triggered the auth request */
+    toolId: zod_1.z.string().optional(),
+    /** Authorization URL */
+    authUrl: zod_1.z.string(),
+    /** Required scopes */
+    requiredScopes: zod_1.z.array(zod_1.z.string()).optional(),
+    /** Whether elicit is being used */
+    elicitId: zod_1.z.string().optional(),
+    /** Timestamp when request was created */
+    createdAt: zod_1.z.number(),
+    /** Expiration timestamp */
+    expiresAt: zod_1.z.number(),
+    /** Status of the request */
+    status: zod_1.z.enum(['pending', 'completed', 'cancelled', 'expired']),
+});
+/**
+ * Authorization vault entry (the full session state)
+ */
+exports.authorizationVaultEntrySchema = zod_1.z.object({
+    /** Vault ID (maps to access token jti claim) */
+    id: zod_1.z.string(),
+    /** User subject identifier */
+    userSub: zod_1.z.string(),
+    /** User email */
+    userEmail: zod_1.z.string().optional(),
+    /** User name */
+    userName: zod_1.z.string().optional(),
+    /** Client ID that created this session */
+    clientId: zod_1.z.string(),
+    /** Creation timestamp */
+    createdAt: zod_1.z.number(),
+    /** Last access timestamp */
+    lastAccessAt: zod_1.z.number(),
+    /** App credentials (keyed by `${appId}:${providerId}`) */
+    appCredentials: zod_1.z.record(zod_1.z.string(), exports.appCredentialSchema).default({}),
+    /** Consent record */
+    consent: exports.vaultConsentRecordSchema.optional(),
+    /** Federated login record */
+    federated: exports.vaultFederatedRecordSchema.optional(),
+    /** Pending incremental authorization requests */
+    pendingAuths: zod_1.z.array(exports.pendingIncrementalAuthSchema),
+    /** Apps that are fully authorized */
+    authorizedAppIds: zod_1.z.array(zod_1.z.string()),
+    /** Apps that were skipped (not yet authorized) */
+    skippedAppIds: zod_1.z.array(zod_1.z.string()),
+});
+// ============================================
+// In-Memory Implementation
+// ============================================
+/**
+ * In-Memory Authorization Vault
+ *
+ * Development/testing implementation. Data is lost on restart.
+ * For production, use RedisAuthorizationVault.
+ */
+class InMemoryAuthorizationVault {
+    vaults = new Map();
+    /** Default TTL for pending auth requests (10 minutes) */
+    pendingAuthTtlMs = 10 * 60 * 1000;
+    async create(params) {
+        const now = Date.now();
+        const entry = {
+            id: (0, node_crypto_1.randomUUID)(),
+            userSub: params.userSub,
+            userEmail: params.userEmail,
+            userName: params.userName,
+            clientId: params.clientId,
+            createdAt: now,
+            lastAccessAt: now,
+            appCredentials: {},
+            consent: params.consent,
+            federated: params.federated,
+            pendingAuths: [],
+            authorizedAppIds: params.authorizedAppIds ?? [],
+            skippedAppIds: params.skippedAppIds ?? [],
+        };
+        this.vaults.set(entry.id, entry);
+        return entry;
+    }
+    async get(id) {
+        const entry = this.vaults.get(id);
+        if (!entry)
+            return null;
+        // Note: lastAccessAt is updated on explicit operations, not on read
+        // This prevents unnecessary writes on read operations
+        return entry;
+    }
+    async update(id, updates) {
+        const entry = this.vaults.get(id);
+        if (!entry)
+            return;
+        Object.assign(entry, updates, { lastAccessAt: Date.now() });
+    }
+    async delete(id) {
+        this.vaults.delete(id);
+    }
+    async updateConsent(vaultId, consent) {
+        const entry = this.vaults.get(vaultId);
+        if (!entry)
+            return;
+        entry.consent = consent;
+        entry.lastAccessAt = Date.now();
+    }
+    async authorizeApp(vaultId, appId) {
+        const entry = this.vaults.get(vaultId);
+        if (!entry)
+            return;
+        // Remove from skipped, add to authorized
+        entry.skippedAppIds = entry.skippedAppIds.filter((id) => id !== appId);
+        if (!entry.authorizedAppIds.includes(appId)) {
+            entry.authorizedAppIds.push(appId);
+        }
+        entry.lastAccessAt = Date.now();
+    }
+    async createPendingAuth(vaultId, params) {
+        const entry = this.vaults.get(vaultId);
+        if (!entry) {
+            throw new Error(`Vault not found: ${vaultId}`);
+        }
+        const now = Date.now();
+        const pendingAuth = {
+            id: (0, node_crypto_1.randomUUID)(),
+            appId: params.appId,
+            toolId: params.toolId,
+            authUrl: params.authUrl,
+            requiredScopes: params.requiredScopes,
+            elicitId: params.elicitId,
+            createdAt: now,
+            expiresAt: now + (params.ttlMs ?? this.pendingAuthTtlMs),
+            status: 'pending',
+        };
+        entry.pendingAuths.push(pendingAuth);
+        entry.lastAccessAt = now;
+        return pendingAuth;
+    }
+    async getPendingAuth(vaultId, pendingAuthId) {
+        const entry = this.vaults.get(vaultId);
+        if (!entry)
+            return null;
+        const pendingAuth = entry.pendingAuths.find((p) => p.id === pendingAuthId);
+        if (!pendingAuth)
+            return null;
+        // Check if expired
+        if (Date.now() > pendingAuth.expiresAt) {
+            pendingAuth.status = 'expired';
+        }
+        return pendingAuth;
+    }
+    async completePendingAuth(vaultId, pendingAuthId) {
+        const entry = this.vaults.get(vaultId);
+        if (!entry)
+            return;
+        const pendingAuth = entry.pendingAuths.find((p) => p.id === pendingAuthId);
+        if (pendingAuth) {
+            pendingAuth.status = 'completed';
+            // Auto-authorize the app
+            await this.authorizeApp(vaultId, pendingAuth.appId);
+        }
+    }
+    async cancelPendingAuth(vaultId, pendingAuthId) {
+        const entry = this.vaults.get(vaultId);
+        if (!entry)
+            return;
+        const pendingAuth = entry.pendingAuths.find((p) => p.id === pendingAuthId);
+        if (pendingAuth) {
+            pendingAuth.status = 'cancelled';
+        }
+    }
+    async isAppAuthorized(vaultId, appId) {
+        const entry = this.vaults.get(vaultId);
+        if (!entry)
+            return false;
+        return entry.authorizedAppIds.includes(appId);
+    }
+    async getPendingAuths(vaultId) {
+        const entry = this.vaults.get(vaultId);
+        if (!entry)
+            return [];
+        const now = Date.now();
+        // Update expired status and filter
+        return entry.pendingAuths.filter((p) => {
+            if (now > p.expiresAt && p.status === 'pending') {
+                p.status = 'expired';
+            }
+            return p.status === 'pending';
+        });
+    }
+    async cleanup() {
+        const now = Date.now();
+        for (const [id, entry] of this.vaults) {
+            // Clean up expired pending auths
+            entry.pendingAuths = entry.pendingAuths.filter((p) => {
+                if (now > p.expiresAt && p.status === 'pending') {
+                    p.status = 'expired';
+                }
+                // Keep for audit trail, or remove completely if desired
+                return p.status === 'pending';
+            });
+        }
+    }
+    // ============================================
+    // App Credential Methods
+    // ============================================
+    /** Create a credential key from appId and providerId */
+    credentialKey(appId, providerId) {
+        return `${appId}:${providerId}`;
+    }
+    async addAppCredential(vaultId, credential) {
+        const entry = this.vaults.get(vaultId);
+        if (!entry)
+            return;
+        // Check if we should store based on consent
+        const shouldStore = await this.shouldStoreCredential(vaultId, credential.appId);
+        if (!shouldStore) {
+            return;
+        }
+        const key = this.credentialKey(credential.appId, credential.providerId);
+        entry.appCredentials[key] = credential;
+        entry.lastAccessAt = Date.now();
+    }
+    async removeAppCredential(vaultId, appId, providerId) {
+        const entry = this.vaults.get(vaultId);
+        if (!entry)
+            return;
+        const key = this.credentialKey(appId, providerId);
+        delete entry.appCredentials[key];
+        entry.lastAccessAt = Date.now();
+    }
+    async getAppCredentials(vaultId, appId) {
+        const entry = this.vaults.get(vaultId);
+        if (!entry)
+            return [];
+        const prefix = `${appId}:`;
+        return Object.entries(entry.appCredentials)
+            .filter(([key]) => key.startsWith(prefix))
+            .map(([, cred]) => cred);
+    }
+    async getCredential(vaultId, appId, providerId) {
+        const entry = this.vaults.get(vaultId);
+        if (!entry)
+            return null;
+        const key = this.credentialKey(appId, providerId);
+        return entry.appCredentials[key] ?? null;
+    }
+    async getAllCredentials(vaultId, filterByConsent = false) {
+        const entry = this.vaults.get(vaultId);
+        if (!entry)
+            return [];
+        const allCredentials = Object.values(entry.appCredentials);
+        if (!filterByConsent || !entry.consent?.enabled) {
+            return allCredentials;
+        }
+        // Filter by consent - only return credentials for apps that have tools in consent selection
+        const consentedToolIds = new Set(entry.consent.selectedToolIds);
+        return allCredentials.filter((cred) => {
+            // Check if any tool for this app is in consent
+            // Tool IDs are typically formatted as `appId:toolName` or similar
+            return Array.from(consentedToolIds).some((toolId) => toolId.startsWith(`${cred.appId}:`));
+        });
+    }
+    async updateCredential(vaultId, appId, providerId, updates) {
+        const entry = this.vaults.get(vaultId);
+        if (!entry)
+            return;
+        const key = this.credentialKey(appId, providerId);
+        const credential = entry.appCredentials[key];
+        if (!credential)
+            return;
+        Object.assign(credential, updates);
+        entry.lastAccessAt = Date.now();
+    }
+    async shouldStoreCredential(vaultId, appId, toolIds) {
+        const entry = this.vaults.get(vaultId);
+        if (!entry)
+            return false;
+        // If consent is not enabled, always allow
+        if (!entry.consent?.enabled) {
+            return true;
+        }
+        // If toolIds provided, check if any match consent selection
+        if (toolIds && toolIds.length > 0) {
+            return toolIds.some((toolId) => entry.consent.selectedToolIds.includes(toolId));
+        }
+        // Check if any tool for this app is in consent selection
+        const consentedToolIds = entry.consent.selectedToolIds;
+        return consentedToolIds.some((toolId) => toolId.startsWith(`${appId}:`));
+    }
+    async invalidateCredential(vaultId, appId, providerId, reason) {
+        await this.updateCredential(vaultId, appId, providerId, {
+            isValid: false,
+            invalidReason: reason,
+        });
+    }
+    async refreshOAuthCredential(vaultId, appId, providerId, tokens) {
+        const entry = this.vaults.get(vaultId);
+        if (!entry)
+            return;
+        const key = this.credentialKey(appId, providerId);
+        const credential = entry.appCredentials[key];
+        if (!credential || credential.credential.type !== 'oauth')
+            return;
+        // Update OAuth tokens
+        credential.credential.accessToken = tokens.accessToken;
+        if (tokens.refreshToken !== undefined) {
+            credential.credential.refreshToken = tokens.refreshToken;
+        }
+        if (tokens.expiresAt !== undefined) {
+            credential.credential.expiresAt = tokens.expiresAt;
+            credential.expiresAt = tokens.expiresAt;
+        }
+        // Mark as valid again
+        credential.isValid = true;
+        credential.invalidReason = undefined;
+        entry.lastAccessAt = Date.now();
+    }
+}
+exports.InMemoryAuthorizationVault = InMemoryAuthorizationVault;
+// ============================================
+// Redis Implementation (placeholder)
+// ============================================
+/**
+ * Redis Authorization Vault (placeholder)
+ *
+ * Production implementation using Redis for distributed storage.
+ * TODO: Implement after in-memory vault is validated.
+ */
+class RedisAuthorizationVault {
+    redis;
+    namespace;
+    constructor(
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    redis, namespace = 'vault:') {
+        this.redis = redis;
+        this.namespace = namespace;
+    }
+    key(id) {
+        return `${this.namespace}${id}`;
+    }
+    /** Create a credential key from appId and providerId */
+    credentialKey(appId, providerId) {
+        return `${appId}:${providerId}`;
+    }
+    async create(params) {
+        const now = Date.now();
+        const entry = {
+            id: (0, node_crypto_1.randomUUID)(),
+            userSub: params.userSub,
+            userEmail: params.userEmail,
+            userName: params.userName,
+            clientId: params.clientId,
+            createdAt: now,
+            lastAccessAt: now,
+            appCredentials: {},
+            consent: params.consent,
+            federated: params.federated,
+            pendingAuths: [],
+            authorizedAppIds: params.authorizedAppIds ?? [],
+            skippedAppIds: params.skippedAppIds ?? [],
+        };
+        await this.redis.set(this.key(entry.id), JSON.stringify(entry));
+        return entry;
+    }
+    async get(id) {
+        const data = await this.redis.get(this.key(id));
+        if (!data)
+            return null;
+        const entry = JSON.parse(data);
+        // Note: lastAccessAt is updated on explicit operations, not on read
+        // This prevents unnecessary writes on read operations
+        return entry;
+    }
+    async update(id, updates) {
+        const entry = await this.get(id);
+        if (!entry)
+            return;
+        Object.assign(entry, updates, { lastAccessAt: Date.now() });
+        await this.redis.set(this.key(id), JSON.stringify(entry));
+    }
+    async delete(id) {
+        await this.redis.del(this.key(id));
+    }
+    async updateConsent(vaultId, consent) {
+        const entry = await this.get(vaultId);
+        if (!entry)
+            return;
+        entry.consent = consent;
+        await this.redis.set(this.key(vaultId), JSON.stringify(entry));
+    }
+    async authorizeApp(vaultId, appId) {
+        const entry = await this.get(vaultId);
+        if (!entry)
+            return;
+        entry.skippedAppIds = entry.skippedAppIds.filter((id) => id !== appId);
+        if (!entry.authorizedAppIds.includes(appId)) {
+            entry.authorizedAppIds.push(appId);
+        }
+        await this.redis.set(this.key(vaultId), JSON.stringify(entry));
+    }
+    async createPendingAuth(vaultId, params) {
+        const entry = await this.get(vaultId);
+        if (!entry) {
+            throw new Error(`Vault not found: ${vaultId}`);
+        }
+        const now = Date.now();
+        const pendingAuth = {
+            id: (0, node_crypto_1.randomUUID)(),
+            appId: params.appId,
+            toolId: params.toolId,
+            authUrl: params.authUrl,
+            requiredScopes: params.requiredScopes,
+            elicitId: params.elicitId,
+            createdAt: now,
+            expiresAt: now + (params.ttlMs ?? 10 * 60 * 1000),
+            status: 'pending',
+        };
+        entry.pendingAuths.push(pendingAuth);
+        await this.redis.set(this.key(vaultId), JSON.stringify(entry));
+        return pendingAuth;
+    }
+    async getPendingAuth(vaultId, pendingAuthId) {
+        const entry = await this.get(vaultId);
+        if (!entry)
+            return null;
+        const pendingAuth = entry.pendingAuths.find((p) => p.id === pendingAuthId);
+        if (!pendingAuth)
+            return null;
+        if (Date.now() > pendingAuth.expiresAt && pendingAuth.status === 'pending') {
+            pendingAuth.status = 'expired';
+            await this.redis.set(this.key(vaultId), JSON.stringify(entry));
+        }
+        return pendingAuth;
+    }
+    async completePendingAuth(vaultId, pendingAuthId) {
+        const entry = await this.get(vaultId);
+        if (!entry)
+            return;
+        const pendingAuth = entry.pendingAuths.find((p) => p.id === pendingAuthId);
+        if (pendingAuth) {
+            pendingAuth.status = 'completed';
+            await this.authorizeApp(vaultId, pendingAuth.appId);
+        }
+    }
+    async cancelPendingAuth(vaultId, pendingAuthId) {
+        const entry = await this.get(vaultId);
+        if (!entry)
+            return;
+        const pendingAuth = entry.pendingAuths.find((p) => p.id === pendingAuthId);
+        if (pendingAuth) {
+            pendingAuth.status = 'cancelled';
+            await this.redis.set(this.key(vaultId), JSON.stringify(entry));
+        }
+    }
+    async isAppAuthorized(vaultId, appId) {
+        const entry = await this.get(vaultId);
+        if (!entry)
+            return false;
+        return entry.authorizedAppIds.includes(appId);
+    }
+    async getPendingAuths(vaultId) {
+        const entry = await this.get(vaultId);
+        if (!entry)
+            return [];
+        const now = Date.now();
+        let updated = false;
+        const pending = entry.pendingAuths.filter((p) => {
+            if (now > p.expiresAt && p.status === 'pending') {
+                p.status = 'expired';
+                updated = true;
+            }
+            return p.status === 'pending';
+        });
+        if (updated) {
+            await this.redis.set(this.key(vaultId), JSON.stringify(entry));
+        }
+        return pending;
+    }
+    async cleanup() {
+        // Redis cleanup would use SCAN to find and clean entries
+        // This is a placeholder
+    }
+    // ============================================
+    // App Credential Methods
+    // ============================================
+    async addAppCredential(vaultId, credential) {
+        const entry = await this.get(vaultId);
+        if (!entry)
+            return;
+        // Check if we should store based on consent
+        const shouldStore = await this.shouldStoreCredential(vaultId, credential.appId);
+        if (!shouldStore) {
+            return;
+        }
+        const key = this.credentialKey(credential.appId, credential.providerId);
+        entry.appCredentials[key] = credential;
+        await this.redis.set(this.key(vaultId), JSON.stringify(entry));
+    }
+    async removeAppCredential(vaultId, appId, providerId) {
+        const entry = await this.get(vaultId);
+        if (!entry)
+            return;
+        const key = this.credentialKey(appId, providerId);
+        delete entry.appCredentials[key];
+        await this.redis.set(this.key(vaultId), JSON.stringify(entry));
+    }
+    async getAppCredentials(vaultId, appId) {
+        const entry = await this.get(vaultId);
+        if (!entry)
+            return [];
+        const prefix = `${appId}:`;
+        return Object.entries(entry.appCredentials)
+            .filter(([key]) => key.startsWith(prefix))
+            .map(([, cred]) => cred);
+    }
+    async getCredential(vaultId, appId, providerId) {
+        const entry = await this.get(vaultId);
+        if (!entry)
+            return null;
+        const key = this.credentialKey(appId, providerId);
+        return entry.appCredentials[key] ?? null;
+    }
+    async getAllCredentials(vaultId, filterByConsent = false) {
+        const entry = await this.get(vaultId);
+        if (!entry)
+            return [];
+        const allCredentials = Object.values(entry.appCredentials);
+        if (!filterByConsent || !entry.consent?.enabled) {
+            return allCredentials;
+        }
+        // Filter by consent - only return credentials for apps that have tools in consent selection
+        const consentedToolIds = new Set(entry.consent.selectedToolIds);
+        return allCredentials.filter((cred) => {
+            return Array.from(consentedToolIds).some((toolId) => toolId.startsWith(`${cred.appId}:`));
+        });
+    }
+    async updateCredential(vaultId, appId, providerId, updates) {
+        const entry = await this.get(vaultId);
+        if (!entry)
+            return;
+        const key = this.credentialKey(appId, providerId);
+        const credential = entry.appCredentials[key];
+        if (!credential)
+            return;
+        Object.assign(credential, updates);
+        await this.redis.set(this.key(vaultId), JSON.stringify(entry));
+    }
+    async shouldStoreCredential(vaultId, appId, toolIds) {
+        const entry = await this.get(vaultId);
+        if (!entry)
+            return false;
+        // If consent is not enabled, always allow
+        if (!entry.consent?.enabled) {
+            return true;
+        }
+        // If toolIds provided, check if any match consent selection
+        if (toolIds && toolIds.length > 0) {
+            return toolIds.some((toolId) => entry.consent.selectedToolIds.includes(toolId));
+        }
+        // Check if any tool for this app is in consent selection
+        const consentedToolIds = entry.consent.selectedToolIds;
+        return consentedToolIds.some((toolId) => toolId.startsWith(`${appId}:`));
+    }
+    async invalidateCredential(vaultId, appId, providerId, reason) {
+        await this.updateCredential(vaultId, appId, providerId, {
+            isValid: false,
+            invalidReason: reason,
+        });
+    }
+    async refreshOAuthCredential(vaultId, appId, providerId, tokens) {
+        const entry = await this.get(vaultId);
+        if (!entry)
+            return;
+        const key = this.credentialKey(appId, providerId);
+        const credential = entry.appCredentials[key];
+        if (!credential || credential.credential.type !== 'oauth')
+            return;
+        // Update OAuth tokens
+        credential.credential.accessToken = tokens.accessToken;
+        if (tokens.refreshToken !== undefined) {
+            credential.credential.refreshToken = tokens.refreshToken;
+        }
+        if (tokens.expiresAt !== undefined) {
+            credential.credential.expiresAt = tokens.expiresAt;
+            credential.expiresAt = tokens.expiresAt;
+        }
+        // Mark as valid again
+        credential.isValid = true;
+        credential.invalidReason = undefined;
+        await this.redis.set(this.key(vaultId), JSON.stringify(entry));
+    }
+}
+exports.RedisAuthorizationVault = RedisAuthorizationVault;
+//# sourceMappingURL=authorization-vault.js.map