@frontmcp/sdk 0.4.0 → 0.5.0

package/src/auth/session/authorization.store.js

@@ -0,0 +1,323 @@
+"use strict";
+// auth/session/authorization.store.ts
+/**
+ * Authorization Store for OAuth flows
+ *
+ * Stores authorization codes, PKCE challenges, and pending authorizations.
+ * Supports both in-memory (dev/test) and Redis (production) backends.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RedisAuthorizationStore = exports.InMemoryAuthorizationStore = exports.authorizationCodeRecordSchema = exports.pkceChallengeSchema = void 0;
+exports.verifyPkce = verifyPkce;
+exports.generatePkceChallenge = generatePkceChallenge;
+const node_crypto_1 = require("node:crypto");
+const zod_1 = require("zod");
+/**
+ * Zod schemas for validation
+ */
+exports.pkceChallengeSchema = zod_1.z.object({
+    challenge: zod_1.z.string().min(43).max(128),
+    method: zod_1.z.literal('S256'),
+});
+exports.authorizationCodeRecordSchema = zod_1.z.object({
+    code: zod_1.z.string().min(1),
+    clientId: zod_1.z.string().min(1),
+    redirectUri: zod_1.z.string().url(),
+    scopes: zod_1.z.array(zod_1.z.string()),
+    pkce: exports.pkceChallengeSchema,
+    userSub: zod_1.z.string().min(1),
+    userEmail: zod_1.z.string().email().optional(),
+    userName: zod_1.z.string().optional(),
+    state: zod_1.z.string().optional(),
+    createdAt: zod_1.z.number(),
+    expiresAt: zod_1.z.number(),
+    used: zod_1.z.boolean(),
+    resource: zod_1.z.string().url().optional(),
+});
+/**
+ * PKCE utilities
+ */
+function verifyPkce(codeVerifier, challenge) {
+    if (challenge.method !== 'S256') {
+        return false;
+    }
+    // S256: BASE64URL(SHA256(code_verifier)) === code_challenge
+    const hash = (0, node_crypto_1.createHash)('sha256').update(codeVerifier).digest('base64url');
+    return hash === challenge.challenge;
+}
+function generatePkceChallenge(codeVerifier) {
+    const challenge = (0, node_crypto_1.createHash)('sha256').update(codeVerifier).digest('base64url');
+    return { challenge, method: 'S256' };
+}
+/**
+ * In-Memory Authorization Store
+ *
+ * Development/testing implementation. Data is lost on restart.
+ * For production, use RedisAuthorizationStore.
+ */
+class InMemoryAuthorizationStore {
+    codes = new Map();
+    pending = new Map();
+    refreshTokens = new Map();
+    /** Default TTL for authorization codes (60 seconds) */
+    codeTtlMs = 60 * 1000;
+    /** Default TTL for pending authorizations (10 minutes) */
+    pendingTtlMs = 10 * 60 * 1000;
+    /** Default TTL for refresh tokens (30 days) */
+    refreshTtlMs = 30 * 24 * 60 * 60 * 1000;
+    generateCode() {
+        // Generate a cryptographically secure authorization code
+        return (0, node_crypto_1.randomUUID)().replace(/-/g, '') + (0, node_crypto_1.randomUUID)().replace(/-/g, '');
+    }
+    generateRefreshToken() {
+        return (0, node_crypto_1.randomUUID)() + '-' + (0, node_crypto_1.randomUUID)();
+    }
+    async storeAuthorizationCode(record) {
+        this.codes.set(record.code, record);
+    }
+    async getAuthorizationCode(code) {
+        const record = this.codes.get(code);
+        if (!record)
+            return null;
+        // Check expiration
+        if (Date.now() > record.expiresAt) {
+            this.codes.delete(code);
+            return null;
+        }
+        return record;
+    }
+    async markCodeUsed(code) {
+        const record = this.codes.get(code);
+        if (record) {
+            record.used = true;
+        }
+    }
+    async deleteAuthorizationCode(code) {
+        this.codes.delete(code);
+    }
+    async storePendingAuthorization(record) {
+        this.pending.set(record.id, record);
+    }
+    async getPendingAuthorization(id) {
+        const record = this.pending.get(id);
+        if (!record)
+            return null;
+        // Check expiration
+        if (Date.now() > record.expiresAt) {
+            this.pending.delete(id);
+            return null;
+        }
+        return record;
+    }
+    async deletePendingAuthorization(id) {
+        this.pending.delete(id);
+    }
+    async storeRefreshToken(record) {
+        this.refreshTokens.set(record.token, record);
+    }
+    async getRefreshToken(token) {
+        const record = this.refreshTokens.get(token);
+        if (!record)
+            return null;
+        // Check expiration and revocation
+        if (Date.now() > record.expiresAt || record.revoked) {
+            return null;
+        }
+        return record;
+    }
+    async revokeRefreshToken(token) {
+        const record = this.refreshTokens.get(token);
+        if (record) {
+            record.revoked = true;
+        }
+    }
+    async rotateRefreshToken(oldToken, newRecord) {
+        // Revoke old token
+        await this.revokeRefreshToken(oldToken);
+        // Store new token with reference to old
+        newRecord.previousToken = oldToken;
+        await this.storeRefreshToken(newRecord);
+    }
+    async cleanup() {
+        const now = Date.now();
+        // Clean expired codes
+        for (const [code, record] of this.codes) {
+            if (now > record.expiresAt) {
+                this.codes.delete(code);
+            }
+        }
+        // Clean expired pending authorizations
+        for (const [id, record] of this.pending) {
+            if (now > record.expiresAt) {
+                this.pending.delete(id);
+            }
+        }
+        // Clean expired/revoked refresh tokens
+        for (const [token, record] of this.refreshTokens) {
+            if (now > record.expiresAt || record.revoked) {
+                this.refreshTokens.delete(token);
+            }
+        }
+    }
+    /**
+     * Create an authorization code record with defaults
+     */
+    createCodeRecord(params) {
+        const now = Date.now();
+        return {
+            code: this.generateCode(),
+            clientId: params.clientId,
+            redirectUri: params.redirectUri,
+            scopes: params.scopes,
+            pkce: params.pkce,
+            userSub: params.userSub,
+            userEmail: params.userEmail,
+            userName: params.userName,
+            state: params.state,
+            resource: params.resource,
+            createdAt: now,
+            expiresAt: now + this.codeTtlMs,
+            used: false,
+            // Consent and Federated Login Data
+            selectedToolIds: params.selectedToolIds,
+            selectedProviderIds: params.selectedProviderIds,
+            skippedProviderIds: params.skippedProviderIds,
+            consentEnabled: params.consentEnabled,
+            federatedLoginUsed: params.federatedLoginUsed,
+        };
+    }
+    /**
+     * Create a pending authorization record with defaults
+     */
+    createPendingRecord(params) {
+        const now = Date.now();
+        return {
+            id: (0, node_crypto_1.randomUUID)(),
+            clientId: params.clientId,
+            redirectUri: params.redirectUri,
+            scopes: params.scopes,
+            pkce: params.pkce,
+            state: params.state,
+            resource: params.resource,
+            createdAt: now,
+            expiresAt: now + this.pendingTtlMs,
+            // Progressive/Incremental Authorization Fields
+            isIncremental: params.isIncremental,
+            targetAppId: params.targetAppId,
+            targetToolId: params.targetToolId,
+            existingSessionId: params.existingSessionId,
+            existingAuthorizationId: params.existingAuthorizationId,
+            // Federated Login State
+            federatedLogin: params.federatedLogin,
+            // Consent State
+            consent: params.consent,
+        };
+    }
+    /**
+     * Create a refresh token record with defaults
+     */
+    createRefreshTokenRecord(params) {
+        const now = Date.now();
+        return {
+            token: this.generateRefreshToken(),
+            clientId: params.clientId,
+            userSub: params.userSub,
+            scopes: params.scopes,
+            resource: params.resource,
+            createdAt: now,
+            expiresAt: now + this.refreshTtlMs,
+            revoked: false,
+        };
+    }
+}
+exports.InMemoryAuthorizationStore = InMemoryAuthorizationStore;
+/**
+ * Redis Authorization Store (placeholder)
+ *
+ * Production implementation using Redis for distributed storage.
+ * TODO: Implement after in-memory store is validated.
+ */
+class RedisAuthorizationStore {
+    redis;
+    namespace;
+    constructor(
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    redis, namespace = 'oauth:') {
+        this.redis = redis;
+        this.namespace = namespace;
+    }
+    key(type, id) {
+        return `${this.namespace}${type}:${id}`;
+    }
+    generateCode() {
+        return (0, node_crypto_1.randomUUID)().replace(/-/g, '') + (0, node_crypto_1.randomUUID)().replace(/-/g, '');
+    }
+    generateRefreshToken() {
+        return (0, node_crypto_1.randomUUID)() + '-' + (0, node_crypto_1.randomUUID)();
+    }
+    async storeAuthorizationCode(record) {
+        const ttl = Math.max(Math.ceil((record.expiresAt - Date.now()) / 1000), 1);
+        await this.redis.set(this.key('code', record.code), JSON.stringify(record), 'EX', Math.max(ttl, 1));
+    }
+    async getAuthorizationCode(code) {
+        const data = await this.redis.get(this.key('code', code));
+        if (!data)
+            return null;
+        return JSON.parse(data);
+    }
+    async markCodeUsed(code) {
+        const record = await this.getAuthorizationCode(code);
+        if (record) {
+            record.used = true;
+            const ttl = Math.ceil((record.expiresAt - Date.now()) / 1000);
+            await this.redis.set(this.key('code', code), JSON.stringify(record), 'EX', Math.max(ttl, 1));
+        }
+    }
+    async deleteAuthorizationCode(code) {
+        await this.redis.del(this.key('code', code));
+    }
+    async storePendingAuthorization(record) {
+        const ttl = Math.max(Math.ceil((record.expiresAt - Date.now()) / 1000), 1);
+        await this.redis.set(this.key('pending', record.id), JSON.stringify(record), 'EX', ttl);
+    }
+    async getPendingAuthorization(id) {
+        const data = await this.redis.get(this.key('pending', id));
+        if (!data)
+            return null;
+        return JSON.parse(data);
+    }
+    async deletePendingAuthorization(id) {
+        await this.redis.del(this.key('pending', id));
+    }
+    async storeRefreshToken(record) {
+        const ttl = Math.ceil((record.expiresAt - Date.now()) / 1000);
+        await this.redis.set(this.key('refresh', record.token), JSON.stringify(record), 'EX', ttl);
+    }
+    async getRefreshToken(token) {
+        const data = await this.redis.get(this.key('refresh', token));
+        if (!data)
+            return null;
+        const record = JSON.parse(data);
+        if (record.revoked)
+            return null;
+        return record;
+    }
+    async revokeRefreshToken(token) {
+        const record = await this.getRefreshToken(token);
+        if (record) {
+            record.revoked = true;
+            const ttl = Math.ceil((record.expiresAt - Date.now()) / 1000);
+            await this.redis.set(this.key('refresh', token), JSON.stringify(record), 'EX', Math.max(ttl, 1));
+        }
+    }
+    async rotateRefreshToken(oldToken, newRecord) {
+        await this.revokeRefreshToken(oldToken);
+        newRecord.previousToken = oldToken;
+        await this.storeRefreshToken(newRecord);
+    }
+    async cleanup() {
+        // Redis handles cleanup via TTL, nothing to do here
+    }
+}
+exports.RedisAuthorizationStore = RedisAuthorizationStore;
+//# sourceMappingURL=authorization.store.js.map

package/src/auth/session/authorization.store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"authorization.store.js","sourceRoot":"","sources":["../../../../src/auth/session/authorization.store.ts"],"names":[],"mappings":";AAAA,sCAAsC;AACtC;;;;;GAKG;;;AAmNH,gCAQC;AAED,sDAGC;AA9ND,6CAAqD;AACrD,6BAAwB;AA0JxB;;GAEG;AACU,QAAA,mBAAmB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC1C,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC;IACtC,MAAM,EAAE,OAAC,CAAC,OAAO,CAAC,MAAM,CAAC;CAC1B,CAAC,CAAC;AAEU,QAAA,6BAA6B,GAAG,OAAC,CAAC,MAAM,CAAC;IACpD,IAAI,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACvB,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC3B,WAAW,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE;IAC7B,MAAM,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC;IAC3B,IAAI,EAAE,2BAAmB;IACzB,OAAO,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC1B,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,KAAK,EAAE,CAAC,QAAQ,EAAE;IACxC,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC/B,KAAK,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC5B,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE;IACrB,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE;IACrB,IAAI,EAAE,OAAC,CAAC,OAAO,EAAE;IACjB,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;CACtC,CAAC,CAAC;AA6BH;;GAEG;AACH,SAAgB,UAAU,CAAC,YAAoB,EAAE,SAAwB;IACvE,IAAI,SAAS,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;QAChC,OAAO,KAAK,CAAC;IACf,CAAC;IAED,4DAA4D;IAC5D,MAAM,IAAI,GAAG,IAAA,wBAAU,EAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;IAC3E,OAAO,IAAI,KAAK,SAAS,CAAC,SAAS,CAAC;AACtC,CAAC;AAED,SAAgB,qBAAqB,CAAC,YAAoB;IACxD,MAAM,SAAS,GAAG,IAAA,wBAAU,EAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;IAChF,OAAO,EAAE,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC;AACvC,CAAC;AAED;;;;;GAKG;AACH,MAAa,0BAA0B;IAC7B,KAAK,GAAG,IAAI,GAAG,EAAmC,CAAC;IACnD,OAAO,GAAG,IAAI,GAAG,EAAsC,CAAC;IACxD,aAAa,GAAG,IAAI,GAAG,EAA8B,CAAC;IAE9D,uDAAuD;IACtC,SAAS,GAAG,EAAE,GAAG,IAAI,CAAC;IACvC,0DAA0D;IACzC,YAAY,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;IAC/C,+CAA+C;IAC9B,YAAY,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;IAEzD,YAAY;QACV,yDAAyD;QACzD,OAAO,IAAA,wBAAU,GAAE,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,GAAG,IAAA,wBAAU,GAAE,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;IACzE,CAAC;IAED,oBAAoB;QAClB,OAAO,IAAA,wBAAU,GAAE,GAAG,GAAG,GAAG,IAAA,wBAAU,GAAE,CAAC;IAC3C,CAAC;IAED,KAAK,CAAC,sBAAsB,CAAC,MAA+B;QAC1D,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;IACtC,CAAC;IAED,KAAK,CAAC,oBAAoB,CAAC,IAAY;QACrC,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACpC,IAAI,CAAC,MAAM;YAAE,OAAO,IAAI,CAAC;QAEzB,mBAAmB;QACnB,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,SAAS,EAAE,CAAC;YAClC,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;YACxB,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,IAAY;QAC7B,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACpC,IAAI,MAAM,EAAE,CAAC;YACX,MAAM,CAAC,IAAI,GAAG,IAAI,CAAC;QACrB,CAAC;IACH,CAAC;IAED,KAAK,CAAC,uBAAuB,CAAC,IAAY;QACxC,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IAC1B,CAAC;IAED,KAAK,CAAC,yBAAyB,CAAC,MAAkC;QAChE,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,EAAE,MAAM,CAAC,CAAC;IACtC,CAAC;IAED,KAAK,CAAC,uBAAuB,CAAC,EAAU;QACtC,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QACpC,IAAI,CAAC,MAAM;YAAE,OAAO,IAAI,CAAC;QAEzB,mBAAmB;QACnB,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,SAAS,EAAE,CAAC;YAClC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;YACxB,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,KAAK,CAAC,0BAA0B,CAAC,EAAU;QACzC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;IAC1B,CAAC;IAED,KAAK,CAAC,iBAAiB,CAAC,MAA0B;QAChD,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,MAAM,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;IAC/C,CAAC;IAED,KAAK,CAAC,eAAe,CAAC,KAAa;QACjC,MAAM,MAAM,GAAG,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QAC7C,IAAI,CAAC,MAAM;YAAE,OAAO,IAAI,CAAC;QAEzB,kCAAkC;QAClC,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,SAAS,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;YACpD,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,KAAK,CAAC,kBAAkB,CAAC,KAAa;QACpC,MAAM,MAAM,GAAG,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QAC7C,IAAI,MAAM,EAAE,CAAC;YACX,MAAM,CAAC,OAAO,GAAG,IAAI,CAAC;QACxB,CAAC;IACH,CAAC;IAED,KAAK,CAAC,kBAAkB,CAAC,QAAgB,EAAE,SAA6B;QACtE,mBAAmB;QACnB,MAAM,IAAI,CAAC,kBAAkB,CAAC,QAAQ,CAAC,CAAC;QAExC,wCAAwC;QACxC,SAAS,CAAC,aAAa,GAAG,QAAQ,CAAC;QACnC,MAAM,IAAI,CAAC,iBAAiB,CAAC,SAAS,CAAC,CAAC;IAC1C,CAAC;IAED,KAAK,CAAC,OAAO;QACX,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAEvB,sBAAsB;QACtB,KAAK,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YACxC,IAAI,GAAG,GAAG,MAAM,CAAC,SAAS,EAAE,CAAC;gBAC3B,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;YAC1B,CAAC;QACH,CAAC;QAED,uCAAuC;QACvC,KAAK,MAAM,CAAC,EAAE,EAAE,MAAM,CAAC,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YACxC,IAAI,GAAG,GAAG,MAAM,CAAC,SAAS,EAAE,CAAC;gBAC3B,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;YAC1B,CAAC;QACH,CAAC;QAED,uCAAuC;QACvC,KAAK,MAAM,CAAC,KAAK,EAAE,MAAM,CAAC,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;YACjD,IAAI,GAAG,GAAG,MAAM,CAAC,SAAS,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;gBAC7C,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACnC,CAAC;QACH,CAAC;IACH,CAAC;IAED;;OAEG;IACH,gBAAgB,CAAC,MAgBhB;QACC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,OAAO;YACL,IAAI,EAAE,IAAI,CAAC,YAAY,EAAE;YACzB,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,MAAM,EAAE,MAAM,CAAC,MAAM;YACrB,IAAI,EAAE,MAAM,CAAC,IAAI;YACjB,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,SAAS,EAAE,MAAM,CAAC,SAAS;YAC3B,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,KAAK,EAAE,MAAM,CAAC,KAAK;YACnB,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,SAAS,EAAE,GAAG;YACd,SAAS,EAAE,GAAG,GAAG,IAAI,CAAC,SAAS;YAC/B,IAAI,EAAE,KAAK;YACX,mCAAmC;YACnC,eAAe,EAAE,MAAM,CAAC,eAAe;YACvC,mBAAmB,EAAE,MAAM,CAAC,mBAAmB;YAC/C,kBAAkB,EAAE,MAAM,CAAC,kBAAkB;YAC7C,cAAc,EAAE,MAAM,CAAC,cAAc;YACrC,kBAAkB,EAAE,MAAM,CAAC,kBAAkB;SAC9C,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,mBAAmB,CAAC,MAiBnB;QACC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,OAAO;YACL,EAAE,EAAE,IAAA,wBAAU,GAAE;YAChB,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,MAAM,EAAE,MAAM,CAAC,MAAM;YACrB,IAAI,EAAE,MAAM,CAAC,IAAI;YACjB,KAAK,EAAE,MAAM,CAAC,KAAK;YACnB,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,SAAS,EAAE,GAAG;YACd,SAAS,EAAE,GAAG,GAAG,IAAI,CAAC,YAAY;YAClC,+CAA+C;YAC/C,aAAa,EAAE,MAAM,CAAC,aAAa;YACnC,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,YAAY,EAAE,MAAM,CAAC,YAAY;YACjC,iBAAiB,EAAE,MAAM,CAAC,iBAAiB;YAC3C,uBAAuB,EAAE,MAAM,CAAC,uBAAuB;YACvD,wBAAwB;YACxB,cAAc,EAAE,MAAM,CAAC,cAAc;YACrC,gBAAgB;YAChB,OAAO,EAAE,MAAM,CAAC,OAAO;SACxB,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,wBAAwB,CAAC,MAKxB;QACC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,OAAO;YACL,KAAK,EAAE,IAAI,CAAC,oBAAoB,EAAE;YAClC,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,MAAM,EAAE,MAAM,CAAC,MAAM;YACrB,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,SAAS,EAAE,GAAG;YACd,SAAS,EAAE,GAAG,GAAG,IAAI,CAAC,YAAY;YAClC,OAAO,EAAE,KAAK;SACf,CAAC;IACJ,CAAC;CACF;AA7OD,gEA6OC;AAED;;;;;GAKG;AACH,MAAa,uBAAuB;IAGf;IACA;IAHnB;IACE,8DAA8D;IAC7C,KAAU,EACV,YAAY,QAAQ;QADpB,UAAK,GAAL,KAAK,CAAK;QACV,cAAS,GAAT,SAAS,CAAW;IACpC,CAAC;IAEI,GAAG,CAAC,IAAoC,EAAE,EAAU;QAC1D,OAAO,GAAG,IAAI,CAAC,SAAS,GAAG,IAAI,IAAI,EAAE,EAAE,CAAC;IAC1C,CAAC;IAED,YAAY;QACV,OAAO,IAAA,wBAAU,GAAE,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,GAAG,IAAA,wBAAU,GAAE,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;IACzE,CAAC;IAED,oBAAoB;QAClB,OAAO,IAAA,wBAAU,GAAE,GAAG,GAAG,GAAG,IAAA,wBAAU,GAAE,CAAC;IAC3C,CAAC;IAED,KAAK,CAAC,sBAAsB,CAAC,MAA+B;QAC1D,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,GAAG,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC;QAC3E,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC;IACtG,CAAC;IAED,KAAK,CAAC,oBAAoB,CAAC,IAAY;QACrC,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC,CAAC;QAC1D,IAAI,CAAC,IAAI;YAAE,OAAO,IAAI,CAAC;QACvB,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAA4B,CAAC;IACrD,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,IAAY;QAC7B,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,oBAAoB,CAAC,IAAI,CAAC,CAAC;QACrD,IAAI,MAAM,EAAE,CAAC;YACX,MAAM,CAAC,IAAI,GAAG,IAAI,CAAC;YACnB,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,GAAG,IAAI,CAAC,CAAC;YAC9D,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC;QAC/F,CAAC;IACH,CAAC;IAED,KAAK,CAAC,uBAAuB,CAAC,IAAY;QACxC,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC,CAAC;IAC/C,CAAC;IAED,KAAK,CAAC,yBAAyB,CAAC,MAAkC;QAChE,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,GAAG,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC;QAC3E,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,SAAS,EAAE,MAAM,CAAC,EAAE,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,GAAG,CAAC,CAAC;IAC1F,CAAC;IAED,KAAK,CAAC,uBAAuB,CAAC,EAAU;QACtC,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC,CAAC;QAC3D,IAAI,CAAC,IAAI;YAAE,OAAO,IAAI,CAAC;QACvB,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAA+B,CAAC;IACxD,CAAC;IAED,KAAK,CAAC,0BAA0B,CAAC,EAAU;QACzC,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC,CAAC;IAChD,CAAC;IAED,KAAK,CAAC,iBAAiB,CAAC,MAA0B;QAChD,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,GAAG,IAAI,CAAC,CAAC;QAC9D,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,SAAS,EAAE,MAAM,CAAC,KAAK,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,GAAG,CAAC,CAAC;IAC7F,CAAC;IAED,KAAK,CAAC,eAAe,CAAC,KAAa;QACjC,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC,CAAC;QAC9D,IAAI,CAAC,IAAI;YAAE,OAAO,IAAI,CAAC;QACvB,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAuB,CAAC;QACtD,IAAI,MAAM,CAAC,OAAO;YAAE,OAAO,IAAI,CAAC;QAChC,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,KAAK,CAAC,kBAAkB,CAAC,KAAa;QACpC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;QACjD,IAAI,MAAM,EAAE,CAAC;YACX,MAAM,CAAC,OAAO,GAAG,IAAI,CAAC;YACtB,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,GAAG,IAAI,CAAC,CAAC;YAC9D,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,SAAS,EAAE,KAAK,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC;QACnG,CAAC;IACH,CAAC;IAED,KAAK,CAAC,kBAAkB,CAAC,QAAgB,EAAE,SAA6B;QACtE,MAAM,IAAI,CAAC,kBAAkB,CAAC,QAAQ,CAAC,CAAC;QACxC,SAAS,CAAC,aAAa,GAAG,QAAQ,CAAC;QACnC,MAAM,IAAI,CAAC,iBAAiB,CAAC,SAAS,CAAC,CAAC;IAC1C,CAAC;IAED,KAAK,CAAC,OAAO;QACX,oDAAoD;IACtD,CAAC;CACF;AAzFD,0DAyFC","sourcesContent":["// auth/session/authorization.store.ts\n/**\n * Authorization Store for OAuth flows\n *\n * Stores authorization codes, PKCE challenges, and pending authorizations.\n * Supports both in-memory (dev/test) and Redis (production) backends.\n */\n\nimport { randomUUID, createHash } from 'node:crypto';\nimport { z } from 'zod';\n\n/**\n * PKCE challenge data\n */\nexport interface PkceChallenge {\n  /** S256 hashed code_challenge */\n  challenge: string;\n  /** Always 'S256' per OAuth 2.1 */\n  method: 'S256';\n}\n\n/**\n * Authorization code record stored during the OAuth flow\n */\nexport interface AuthorizationCodeRecord {\n  /** The authorization code (opaque string) */\n  code: string;\n  /** Client ID that requested authorization */\n  clientId: string;\n  /** Redirect URI used in the authorization request */\n  redirectUri: string;\n  /** Requested scopes */\n  scopes: string[];\n  /** PKCE challenge for verification */\n  pkce: PkceChallenge;\n  /** User identifier (sub claim) */\n  userSub: string;\n  /** User email if available */\n  userEmail?: string;\n  /** User name if available */\n  userName?: string;\n  /** Original state parameter */\n  state?: string;\n  /** Creation timestamp (epoch ms) */\n  createdAt: number;\n  /** Expiration timestamp (epoch ms) - codes are short-lived (60s default) */\n  expiresAt: number;\n  /** Whether this code has been used (single-use) */\n  used: boolean;\n  /** Resource/audience the token will be issued for */\n  resource?: string;\n\n  // Consent and Federated Login Data\n  /** Selected tool IDs from consent flow */\n  selectedToolIds?: string[];\n  /** Selected provider IDs from federated login */\n  selectedProviderIds?: string[];\n  /** Skipped provider IDs from federated login (for progressive auth) */\n  skippedProviderIds?: string[];\n  /** Whether consent was enabled for this authorization */\n  consentEnabled?: boolean;\n  /** Whether federated login was used */\n  federatedLoginUsed?: boolean;\n}\n\n/**\n * Consent state for tool selection\n */\nexport interface ConsentStateRecord {\n  /** Whether consent flow is enabled */\n  enabled: boolean;\n  /** Available tool IDs for consent */\n  availableToolIds: string[];\n  /** Selected tool IDs (after user selection) */\n  selectedToolIds?: string[];\n  /** Whether consent has been completed */\n  consentCompleted: boolean;\n  /** Timestamp when consent was completed */\n  consentCompletedAt?: number;\n}\n\n/**\n * Federated login state for multi-provider auth\n */\nexport interface FederatedLoginStateRecord {\n  /** Available provider IDs */\n  providerIds: string[];\n  /** Selected provider IDs */\n  selectedProviderIds?: string[];\n  /** Skipped provider IDs */\n  skippedProviderIds?: string[];\n  /** Provider-specific user data (after auth) */\n  providerUserData?: Record<string, { email?: string; name?: string; sub?: string }>;\n}\n\n/**\n * Pending authorization request (before user authenticates)\n */\nexport interface PendingAuthorizationRecord {\n  /** Unique ID for this pending authorization */\n  id: string;\n  /** Client ID requesting authorization */\n  clientId: string;\n  /** Redirect URI for callback */\n  redirectUri: string;\n  /** Requested scopes */\n  scopes: string[];\n  /** PKCE challenge */\n  pkce: PkceChallenge;\n  /** Original state parameter from client */\n  state?: string;\n  /** Resource/audience */\n  resource?: string;\n  /** Creation timestamp */\n  createdAt: number;\n  /** Expiration timestamp (pending requests expire after 10 minutes) */\n  expiresAt: number;\n\n  // Progressive/Incremental Authorization Fields\n  /** Whether this is an incremental authorization request */\n  isIncremental?: boolean;\n  /** Target app ID for incremental authorization */\n  targetAppId?: string;\n  /** Target tool ID that triggered the incremental auth */\n  targetToolId?: string;\n  /** Existing session ID for incremental auth (to expand the token vault) */\n  existingSessionId?: string;\n  /** Existing authorization ID to expand */\n  existingAuthorizationId?: string;\n\n  // Federated Login State\n  /** Federated login state for multi-provider auth */\n  federatedLogin?: FederatedLoginStateRecord;\n\n  // Consent State\n  /** Consent state for tool selection */\n  consent?: ConsentStateRecord;\n}\n\n/**\n * Refresh token record\n */\nexport interface RefreshTokenRecord {\n  /** The refresh token (opaque string) */\n  token: string;\n  /** Client ID */\n  clientId: string;\n  /** User identifier */\n  userSub: string;\n  /** Granted scopes */\n  scopes: string[];\n  /** Resource/audience */\n  resource?: string;\n  /** Creation timestamp */\n  createdAt: number;\n  /** Expiration timestamp */\n  expiresAt: number;\n  /** Whether this token has been revoked */\n  revoked: boolean;\n  /** Previous token if rotated */\n  previousToken?: string;\n}\n\n/**\n * Zod schemas for validation\n */\nexport const pkceChallengeSchema = z.object({\n  challenge: z.string().min(43).max(128),\n  method: z.literal('S256'),\n});\n\nexport const authorizationCodeRecordSchema = z.object({\n  code: z.string().min(1),\n  clientId: z.string().min(1),\n  redirectUri: z.string().url(),\n  scopes: z.array(z.string()),\n  pkce: pkceChallengeSchema,\n  userSub: z.string().min(1),\n  userEmail: z.string().email().optional(),\n  userName: z.string().optional(),\n  state: z.string().optional(),\n  createdAt: z.number(),\n  expiresAt: z.number(),\n  used: z.boolean(),\n  resource: z.string().url().optional(),\n});\n\n/**\n * Authorization Store Interface\n */\nexport interface AuthorizationStore {\n  // Authorization code operations\n  storeAuthorizationCode(record: AuthorizationCodeRecord): Promise<void>;\n  getAuthorizationCode(code: string): Promise<AuthorizationCodeRecord | null>;\n  markCodeUsed(code: string): Promise<void>;\n  deleteAuthorizationCode(code: string): Promise<void>;\n\n  // Pending authorization operations\n  storePendingAuthorization(record: PendingAuthorizationRecord): Promise<void>;\n  getPendingAuthorization(id: string): Promise<PendingAuthorizationRecord | null>;\n  deletePendingAuthorization(id: string): Promise<void>;\n\n  // Refresh token operations\n  storeRefreshToken(record: RefreshTokenRecord): Promise<void>;\n  getRefreshToken(token: string): Promise<RefreshTokenRecord | null>;\n  revokeRefreshToken(token: string): Promise<void>;\n  rotateRefreshToken(oldToken: string, newRecord: RefreshTokenRecord): Promise<void>;\n\n  // Utility\n  generateCode(): string;\n  generateRefreshToken(): string;\n  cleanup(): Promise<void>;\n}\n\n/**\n * PKCE utilities\n */\nexport function verifyPkce(codeVerifier: string, challenge: PkceChallenge): boolean {\n  if (challenge.method !== 'S256') {\n    return false;\n  }\n\n  // S256: BASE64URL(SHA256(code_verifier)) === code_challenge\n  const hash = createHash('sha256').update(codeVerifier).digest('base64url');\n  return hash === challenge.challenge;\n}\n\nexport function generatePkceChallenge(codeVerifier: string): PkceChallenge {\n  const challenge = createHash('sha256').update(codeVerifier).digest('base64url');\n  return { challenge, method: 'S256' };\n}\n\n/**\n * In-Memory Authorization Store\n *\n * Development/testing implementation. Data is lost on restart.\n * For production, use RedisAuthorizationStore.\n */\nexport class InMemoryAuthorizationStore implements AuthorizationStore {\n  private codes = new Map<string, AuthorizationCodeRecord>();\n  private pending = new Map<string, PendingAuthorizationRecord>();\n  private refreshTokens = new Map<string, RefreshTokenRecord>();\n\n  /** Default TTL for authorization codes (60 seconds) */\n  private readonly codeTtlMs = 60 * 1000;\n  /** Default TTL for pending authorizations (10 minutes) */\n  private readonly pendingTtlMs = 10 * 60 * 1000;\n  /** Default TTL for refresh tokens (30 days) */\n  private readonly refreshTtlMs = 30 * 24 * 60 * 60 * 1000;\n\n  generateCode(): string {\n    // Generate a cryptographically secure authorization code\n    return randomUUID().replace(/-/g, '') + randomUUID().replace(/-/g, '');\n  }\n\n  generateRefreshToken(): string {\n    return randomUUID() + '-' + randomUUID();\n  }\n\n  async storeAuthorizationCode(record: AuthorizationCodeRecord): Promise<void> {\n    this.codes.set(record.code, record);\n  }\n\n  async getAuthorizationCode(code: string): Promise<AuthorizationCodeRecord | null> {\n    const record = this.codes.get(code);\n    if (!record) return null;\n\n    // Check expiration\n    if (Date.now() > record.expiresAt) {\n      this.codes.delete(code);\n      return null;\n    }\n\n    return record;\n  }\n\n  async markCodeUsed(code: string): Promise<void> {\n    const record = this.codes.get(code);\n    if (record) {\n      record.used = true;\n    }\n  }\n\n  async deleteAuthorizationCode(code: string): Promise<void> {\n    this.codes.delete(code);\n  }\n\n  async storePendingAuthorization(record: PendingAuthorizationRecord): Promise<void> {\n    this.pending.set(record.id, record);\n  }\n\n  async getPendingAuthorization(id: string): Promise<PendingAuthorizationRecord | null> {\n    const record = this.pending.get(id);\n    if (!record) return null;\n\n    // Check expiration\n    if (Date.now() > record.expiresAt) {\n      this.pending.delete(id);\n      return null;\n    }\n\n    return record;\n  }\n\n  async deletePendingAuthorization(id: string): Promise<void> {\n    this.pending.delete(id);\n  }\n\n  async storeRefreshToken(record: RefreshTokenRecord): Promise<void> {\n    this.refreshTokens.set(record.token, record);\n  }\n\n  async getRefreshToken(token: string): Promise<RefreshTokenRecord | null> {\n    const record = this.refreshTokens.get(token);\n    if (!record) return null;\n\n    // Check expiration and revocation\n    if (Date.now() > record.expiresAt || record.revoked) {\n      return null;\n    }\n\n    return record;\n  }\n\n  async revokeRefreshToken(token: string): Promise<void> {\n    const record = this.refreshTokens.get(token);\n    if (record) {\n      record.revoked = true;\n    }\n  }\n\n  async rotateRefreshToken(oldToken: string, newRecord: RefreshTokenRecord): Promise<void> {\n    // Revoke old token\n    await this.revokeRefreshToken(oldToken);\n\n    // Store new token with reference to old\n    newRecord.previousToken = oldToken;\n    await this.storeRefreshToken(newRecord);\n  }\n\n  async cleanup(): Promise<void> {\n    const now = Date.now();\n\n    // Clean expired codes\n    for (const [code, record] of this.codes) {\n      if (now > record.expiresAt) {\n        this.codes.delete(code);\n      }\n    }\n\n    // Clean expired pending authorizations\n    for (const [id, record] of this.pending) {\n      if (now > record.expiresAt) {\n        this.pending.delete(id);\n      }\n    }\n\n    // Clean expired/revoked refresh tokens\n    for (const [token, record] of this.refreshTokens) {\n      if (now > record.expiresAt || record.revoked) {\n        this.refreshTokens.delete(token);\n      }\n    }\n  }\n\n  /**\n   * Create an authorization code record with defaults\n   */\n  createCodeRecord(params: {\n    clientId: string;\n    redirectUri: string;\n    scopes: string[];\n    pkce: PkceChallenge;\n    userSub: string;\n    userEmail?: string;\n    userName?: string;\n    state?: string;\n    resource?: string;\n    // Consent and Federated Login Data\n    selectedToolIds?: string[];\n    selectedProviderIds?: string[];\n    skippedProviderIds?: string[];\n    consentEnabled?: boolean;\n    federatedLoginUsed?: boolean;\n  }): AuthorizationCodeRecord {\n    const now = Date.now();\n    return {\n      code: this.generateCode(),\n      clientId: params.clientId,\n      redirectUri: params.redirectUri,\n      scopes: params.scopes,\n      pkce: params.pkce,\n      userSub: params.userSub,\n      userEmail: params.userEmail,\n      userName: params.userName,\n      state: params.state,\n      resource: params.resource,\n      createdAt: now,\n      expiresAt: now + this.codeTtlMs,\n      used: false,\n      // Consent and Federated Login Data\n      selectedToolIds: params.selectedToolIds,\n      selectedProviderIds: params.selectedProviderIds,\n      skippedProviderIds: params.skippedProviderIds,\n      consentEnabled: params.consentEnabled,\n      federatedLoginUsed: params.federatedLoginUsed,\n    };\n  }\n\n  /**\n   * Create a pending authorization record with defaults\n   */\n  createPendingRecord(params: {\n    clientId: string;\n    redirectUri: string;\n    scopes: string[];\n    pkce: PkceChallenge;\n    state?: string;\n    resource?: string;\n    // Progressive/Incremental Authorization Fields\n    isIncremental?: boolean;\n    targetAppId?: string;\n    targetToolId?: string;\n    existingSessionId?: string;\n    existingAuthorizationId?: string;\n    // Federated Login State\n    federatedLogin?: FederatedLoginStateRecord;\n    // Consent State\n    consent?: ConsentStateRecord;\n  }): PendingAuthorizationRecord {\n    const now = Date.now();\n    return {\n      id: randomUUID(),\n      clientId: params.clientId,\n      redirectUri: params.redirectUri,\n      scopes: params.scopes,\n      pkce: params.pkce,\n      state: params.state,\n      resource: params.resource,\n      createdAt: now,\n      expiresAt: now + this.pendingTtlMs,\n      // Progressive/Incremental Authorization Fields\n      isIncremental: params.isIncremental,\n      targetAppId: params.targetAppId,\n      targetToolId: params.targetToolId,\n      existingSessionId: params.existingSessionId,\n      existingAuthorizationId: params.existingAuthorizationId,\n      // Federated Login State\n      federatedLogin: params.federatedLogin,\n      // Consent State\n      consent: params.consent,\n    };\n  }\n\n  /**\n   * Create a refresh token record with defaults\n   */\n  createRefreshTokenRecord(params: {\n    clientId: string;\n    userSub: string;\n    scopes: string[];\n    resource?: string;\n  }): RefreshTokenRecord {\n    const now = Date.now();\n    return {\n      token: this.generateRefreshToken(),\n      clientId: params.clientId,\n      userSub: params.userSub,\n      scopes: params.scopes,\n      resource: params.resource,\n      createdAt: now,\n      expiresAt: now + this.refreshTtlMs,\n      revoked: false,\n    };\n  }\n}\n\n/**\n * Redis Authorization Store (placeholder)\n *\n * Production implementation using Redis for distributed storage.\n * TODO: Implement after in-memory store is validated.\n */\nexport class RedisAuthorizationStore implements AuthorizationStore {\n  constructor(\n    // eslint-disable-next-line @typescript-eslint/no-explicit-any\n    private readonly redis: any,\n    private readonly namespace = 'oauth:',\n  ) {}\n\n  private key(type: 'code' | 'pending' | 'refresh', id: string): string {\n    return `${this.namespace}${type}:${id}`;\n  }\n\n  generateCode(): string {\n    return randomUUID().replace(/-/g, '') + randomUUID().replace(/-/g, '');\n  }\n\n  generateRefreshToken(): string {\n    return randomUUID() + '-' + randomUUID();\n  }\n\n  async storeAuthorizationCode(record: AuthorizationCodeRecord): Promise<void> {\n    const ttl = Math.max(Math.ceil((record.expiresAt - Date.now()) / 1000), 1);\n    await this.redis.set(this.key('code', record.code), JSON.stringify(record), 'EX', Math.max(ttl, 1));\n  }\n\n  async getAuthorizationCode(code: string): Promise<AuthorizationCodeRecord | null> {\n    const data = await this.redis.get(this.key('code', code));\n    if (!data) return null;\n    return JSON.parse(data) as AuthorizationCodeRecord;\n  }\n\n  async markCodeUsed(code: string): Promise<void> {\n    const record = await this.getAuthorizationCode(code);\n    if (record) {\n      record.used = true;\n      const ttl = Math.ceil((record.expiresAt - Date.now()) / 1000);\n      await this.redis.set(this.key('code', code), JSON.stringify(record), 'EX', Math.max(ttl, 1));\n    }\n  }\n\n  async deleteAuthorizationCode(code: string): Promise<void> {\n    await this.redis.del(this.key('code', code));\n  }\n\n  async storePendingAuthorization(record: PendingAuthorizationRecord): Promise<void> {\n    const ttl = Math.max(Math.ceil((record.expiresAt - Date.now()) / 1000), 1);\n    await this.redis.set(this.key('pending', record.id), JSON.stringify(record), 'EX', ttl);\n  }\n\n  async getPendingAuthorization(id: string): Promise<PendingAuthorizationRecord | null> {\n    const data = await this.redis.get(this.key('pending', id));\n    if (!data) return null;\n    return JSON.parse(data) as PendingAuthorizationRecord;\n  }\n\n  async deletePendingAuthorization(id: string): Promise<void> {\n    await this.redis.del(this.key('pending', id));\n  }\n\n  async storeRefreshToken(record: RefreshTokenRecord): Promise<void> {\n    const ttl = Math.ceil((record.expiresAt - Date.now()) / 1000);\n    await this.redis.set(this.key('refresh', record.token), JSON.stringify(record), 'EX', ttl);\n  }\n\n  async getRefreshToken(token: string): Promise<RefreshTokenRecord | null> {\n    const data = await this.redis.get(this.key('refresh', token));\n    if (!data) return null;\n    const record = JSON.parse(data) as RefreshTokenRecord;\n    if (record.revoked) return null;\n    return record;\n  }\n\n  async revokeRefreshToken(token: string): Promise<void> {\n    const record = await this.getRefreshToken(token);\n    if (record) {\n      record.revoked = true;\n      const ttl = Math.ceil((record.expiresAt - Date.now()) / 1000);\n      await this.redis.set(this.key('refresh', token), JSON.stringify(record), 'EX', Math.max(ttl, 1));\n    }\n  }\n\n  async rotateRefreshToken(oldToken: string, newRecord: RefreshTokenRecord): Promise<void> {\n    await this.revokeRefreshToken(oldToken);\n    newRecord.previousToken = oldToken;\n    await this.storeRefreshToken(newRecord);\n  }\n\n  async cleanup(): Promise<void> {\n    // Redis handles cleanup via TTL, nothing to do here\n  }\n}\n"]}

package/src/auth/session/encrypted-authorization-vault.d.ts

@@ -0,0 +1,181 @@
+/**
+ * Encrypted Authorization Vault
+ *
+ * A vault implementation that encrypts all sensitive data using a key
+ * derived from the client's JWT authorization token.
+ *
+ * Security Properties:
+ * - Zero-knowledge storage: Server cannot decrypt credentials
+ * - Client-side key: Encryption key derived from JWT (client must present token)
+ * - Authenticated encryption: AES-256-GCM prevents tampering
+ * - Per-vault keys: Each vault has a unique encryption key
+ *
+ * Usage:
+ * ```typescript
+ * const vault = new EncryptedRedisVault(redis, encryption);
+ *
+ * // On each request, derive key from JWT and set context
+ * const key = encryption.deriveKeyFromToken(token, claims);
+ * vault.setEncryptionKey(key);
+ *
+ * // Now all operations automatically encrypt/decrypt
+ * await vault.addAppCredential(vaultId, credential);
+ * ```
+ */
+import { z } from 'zod';
+import { VaultEncryption } from './vault-encryption';
+import { AuthorizationVault, AuthorizationVaultEntry, AppCredential, VaultConsentRecord, VaultFederatedRecord, PendingIncrementalAuth } from './authorization-vault';
+/**
+ * What we store in Redis - minimal metadata + encrypted blob
+ */
+export declare const redisVaultEntrySchema: z.ZodObject<{
+    id: z.ZodString;
+    userSub: z.ZodString;
+    userEmail: z.ZodOptional<z.ZodString>;
+    userName: z.ZodOptional<z.ZodString>;
+    clientId: z.ZodString;
+    createdAt: z.ZodNumber;
+    lastAccessAt: z.ZodNumber;
+    authorizedAppIds: z.ZodArray<z.ZodString>;
+    skippedAppIds: z.ZodArray<z.ZodString>;
+    pendingAuthIds: z.ZodArray<z.ZodString>;
+    encrypted: z.ZodObject<{
+        v: z.ZodLiteral<1>;
+        alg: z.ZodLiteral<"aes-256-gcm">;
+        iv: z.ZodString;
+        ct: z.ZodString;
+        tag: z.ZodString;
+    }, z.core.$strip>;
+}, z.core.$strip>;
+export type RedisVaultEntry = z.infer<typeof redisVaultEntrySchema>;
+/**
+ * Encryption context for the current request
+ * Must be set before performing vault operations
+ */
+export interface EncryptionContext {
+    /** Encryption key derived from JWT */
+    key: Buffer;
+    /** Vault ID (from JWT jti claim) */
+    vaultId: string;
+}
+/**
+ * Redis vault with client-side encryption
+ *
+ * All sensitive data (tokens, credentials, consent, pending auths)
+ * is encrypted using a key derived from the client's JWT.
+ *
+ * Use `runWithContext()` to set encryption context for concurrent safety.
+ */
+export declare class EncryptedRedisVault implements AuthorizationVault {
+    private readonly redis;
+    private readonly encryption;
+    private readonly namespace;
+    constructor(redis: any, encryption: VaultEncryption, namespace?: string);
+    /**
+     * Run a callback with encryption context set for the current async scope.
+     * This is the recommended way to set encryption context as it is safe for
+     * concurrent requests (each request gets its own isolated context).
+     *
+     * @param context - Encryption context with key and vaultId
+     * @param fn - Async function to run with the context
+     * @returns The result of the callback
+     *
+     * @example
+     * ```typescript
+     * const result = await vault.runWithContext({ key, vaultId }, async () => {
+     *   await vault.get(id);
+     *   await vault.update(id, data);
+     *   return 'done';
+     * });
+     * ```
+     */
+    runWithContext<T>(context: EncryptionContext, fn: () => T | Promise<T>): T | Promise<T>;
+    /**
+     * Get current encryption key from AsyncLocalStorage.
+     */
+    private getKey;
+    /**
+     * Create Redis key from vault ID
+     */
+    private redisKey;
+    /**
+     * Create credential key from appId and providerId
+     */
+    private credentialKey;
+    /**
+     * Encrypt sensitive data
+     */
+    private encryptSensitive;
+    /**
+     * Decrypt sensitive data
+     */
+    private decryptSensitive;
+    /**
+     * Convert Redis entry to full vault entry (decrypts sensitive data)
+     */
+    private toVaultEntry;
+    /**
+     * Convert vault entry to Redis entry (encrypts sensitive data)
+     */
+    private toRedisEntry;
+    /**
+     * Save entry to Redis
+     */
+    private saveEntry;
+    /**
+     * Load entry from Redis
+     */
+    private loadEntry;
+    create(params: {
+        userSub: string;
+        userEmail?: string;
+        userName?: string;
+        clientId: string;
+        consent?: VaultConsentRecord;
+        federated?: VaultFederatedRecord;
+        authorizedAppIds?: string[];
+        skippedAppIds?: string[];
+    }): Promise<AuthorizationVaultEntry>;
+    get(id: string): Promise<AuthorizationVaultEntry | null>;
+    update(id: string, updates: Partial<AuthorizationVaultEntry>): Promise<void>;
+    delete(id: string): Promise<void>;
+    updateConsent(vaultId: string, consent: VaultConsentRecord): Promise<void>;
+    authorizeApp(vaultId: string, appId: string): Promise<void>;
+    createPendingAuth(vaultId: string, params: {
+        appId: string;
+        toolId?: string;
+        authUrl: string;
+        requiredScopes?: string[];
+        elicitId?: string;
+        ttlMs?: number;
+    }): Promise<PendingIncrementalAuth>;
+    getPendingAuth(vaultId: string, pendingAuthId: string): Promise<PendingIncrementalAuth | null>;
+    completePendingAuth(vaultId: string, pendingAuthId: string): Promise<void>;
+    cancelPendingAuth(vaultId: string, pendingAuthId: string): Promise<void>;
+    isAppAuthorized(vaultId: string, appId: string): Promise<boolean>;
+    getPendingAuths(vaultId: string): Promise<PendingIncrementalAuth[]>;
+    addAppCredential(vaultId: string, credential: AppCredential): Promise<void>;
+    removeAppCredential(vaultId: string, appId: string, providerId: string): Promise<void>;
+    getAppCredentials(vaultId: string, appId: string): Promise<AppCredential[]>;
+    getCredential(vaultId: string, appId: string, providerId: string): Promise<AppCredential | null>;
+    getAllCredentials(vaultId: string, filterByConsent?: boolean): Promise<AppCredential[]>;
+    updateCredential(vaultId: string, appId: string, providerId: string, updates: Partial<Pick<AppCredential, 'lastUsedAt' | 'isValid' | 'invalidReason' | 'expiresAt' | 'metadata'>>): Promise<void>;
+    shouldStoreCredential(vaultId: string, appId: string, toolIds?: string[]): Promise<boolean>;
+    invalidateCredential(vaultId: string, appId: string, providerId: string, reason: string): Promise<void>;
+    refreshOAuthCredential(vaultId: string, appId: string, providerId: string, tokens: {
+        accessToken: string;
+        refreshToken?: string;
+        expiresAt?: number;
+    }): Promise<void>;
+    cleanup(): Promise<void>;
+}
+/**
+ * Create an encrypted vault with the given configuration
+ */
+export declare function createEncryptedVault(redis: any, config?: {
+    pepper?: string;
+    namespace?: string;
+}): {
+    vault: EncryptedRedisVault;
+    encryption: VaultEncryption;
+};