npm - @frontmcp/sdk - Versions diffs - 0.4.0 → 0.5.0 - Mend

@frontmcp/sdk 0.4.0 → 0.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (558) hide show

package/README.md +30 -18
package/package.json +20 -5
package/src/app/app.registry.d.ts +3 -2
package/src/app/app.registry.js +3 -1
package/src/app/app.registry.js.map +1 -1
package/src/app/instances/app.local.instance.js +2 -2
package/src/app/instances/app.local.instance.js.map +1 -1
package/src/auth/auth.registry.d.ts +34 -2
package/src/auth/auth.registry.js +162 -24
package/src/auth/auth.registry.js.map +1 -1
package/src/auth/auth.utils.js +8 -9
package/src/auth/auth.utils.js.map +1 -1
package/src/auth/authorization/authorization.class.d.ts +125 -0
package/src/auth/authorization/authorization.class.js +224 -0
package/src/auth/authorization/authorization.class.js.map +1 -0
package/src/auth/authorization/authorization.types.d.ts +300 -0
package/src/auth/authorization/authorization.types.js +79 -0
package/src/auth/authorization/authorization.types.js.map +1 -0
package/src/auth/authorization/index.d.ts +5 -0
package/src/auth/authorization/index.js +19 -0
package/src/auth/authorization/index.js.map +1 -0
package/src/auth/authorization/orchestrated.authorization.d.ts +242 -0
package/src/auth/authorization/orchestrated.authorization.js +306 -0
package/src/auth/authorization/orchestrated.authorization.js.map +1 -0
package/src/auth/authorization/public.authorization.d.ts +91 -0
package/src/auth/authorization/public.authorization.js +132 -0
package/src/auth/authorization/public.authorization.js.map +1 -0
package/src/auth/authorization/transparent.authorization.d.ts +130 -0
package/src/auth/authorization/transparent.authorization.js +147 -0
package/src/auth/authorization/transparent.authorization.js.map +1 -0
package/src/auth/consent/consent.types.d.ts +111 -0
package/src/auth/consent/consent.types.js +119 -0
package/src/auth/consent/consent.types.js.map +1 -0
package/src/auth/consent/index.d.ts +1 -0
package/src/auth/consent/index.js +13 -0
package/src/auth/consent/index.js.map +1 -0
package/src/auth/detection/auth-provider-detection.d.ts +84 -0
package/src/auth/detection/auth-provider-detection.js +230 -0
package/src/auth/detection/auth-provider-detection.js.map +1 -0
package/src/auth/detection/index.d.ts +1 -0
package/src/auth/detection/index.js +15 -0
package/src/auth/detection/index.js.map +1 -0
package/src/auth/flows/auth.verify.flow.d.ts +110 -0
package/src/auth/flows/auth.verify.flow.js +379 -0
package/src/auth/flows/auth.verify.flow.js.map +1 -0
package/src/auth/flows/oauth.authorize.flow.d.ts +118 -164
package/src/auth/flows/oauth.authorize.flow.js +701 -33
package/src/auth/flows/oauth.authorize.flow.js.map +1 -1
package/src/auth/flows/oauth.callback.flow.d.ts +117 -0
package/src/auth/flows/oauth.callback.flow.js +357 -0
package/src/auth/flows/oauth.callback.flow.js.map +1 -0
package/src/auth/flows/oauth.register.flow.d.ts +32 -125
package/src/auth/flows/oauth.token.flow.d.ts +52 -154
package/src/auth/flows/oauth.token.flow.js +193 -55
package/src/auth/flows/oauth.token.flow.js.map +1 -1
package/src/auth/flows/session.verify.flow.d.ts +66 -321
package/src/auth/flows/session.verify.flow.js +107 -18
package/src/auth/flows/session.verify.flow.js.map +1 -1
package/src/auth/flows/well-known.jwks.flow.d.ts +34 -205
package/src/auth/flows/well-known.jwks.flow.js +15 -8
package/src/auth/flows/well-known.jwks.flow.js.map +1 -1
package/src/auth/flows/well-known.oauth-authorization-server.flow.d.ts +48 -223
package/src/auth/flows/well-known.oauth-authorization-server.flow.js +2 -3
package/src/auth/flows/well-known.oauth-authorization-server.flow.js.map +1 -1
package/src/auth/flows/well-known.prm.flow.d.ts +19 -120
package/src/auth/flows/well-known.prm.flow.js +3 -4
package/src/auth/flows/well-known.prm.flow.js.map +1 -1
package/src/auth/instances/instance.local-primary-auth.d.ts +91 -4
package/src/auth/instances/instance.local-primary-auth.js +236 -6
package/src/auth/instances/instance.local-primary-auth.js.map +1 -1
package/src/auth/instances/instance.remote-primary-auth.d.ts +4 -3
package/src/auth/instances/instance.remote-primary-auth.js +2 -2
package/src/auth/instances/instance.remote-primary-auth.js.map +1 -1
package/src/auth/session/authorization-vault.d.ts +611 -0
package/src/auth/session/authorization-vault.js +817 -0
package/src/auth/session/authorization-vault.js.map +1 -0
package/src/auth/session/authorization.store.d.ts +301 -0
package/src/auth/session/authorization.store.js +323 -0
package/src/auth/session/authorization.store.js.map +1 -0
package/src/auth/session/encrypted-authorization-vault.d.ts +181 -0
package/src/auth/session/encrypted-authorization-vault.js +493 -0
package/src/auth/session/encrypted-authorization-vault.js.map +1 -0
package/src/auth/session/index.d.ts +4 -4
package/src/auth/session/index.js +11 -7
package/src/auth/session/index.js.map +1 -1
package/src/auth/session/session.schema.d.ts +1 -1
package/src/auth/session/session.service.d.ts +1 -1
package/src/auth/session/transport-session.manager.d.ts +101 -0
package/src/auth/session/transport-session.manager.js +300 -0
package/src/auth/session/transport-session.manager.js.map +1 -0
package/src/auth/session/transport-session.types.d.ts +457 -0
package/src/auth/session/transport-session.types.js +110 -0
package/src/auth/session/transport-session.types.js.map +1 -0
package/src/auth/session/utils/session-id.utils.d.ts +14 -2
package/src/auth/session/utils/session-id.utils.js +68 -19
package/src/auth/session/utils/session-id.utils.js.map +1 -1
package/src/auth/session/vault-encryption.d.ts +189 -0
package/src/auth/session/vault-encryption.js +263 -0
package/src/auth/session/vault-encryption.js.map +1 -0
package/src/auth/ui/base-layout.d.ts +188 -0
package/src/auth/ui/base-layout.js +292 -0
package/src/auth/ui/base-layout.js.map +1 -0
package/src/auth/ui/htmx-templates.d.ts +135 -0
package/src/auth/ui/htmx-templates.js +433 -0
package/src/auth/ui/htmx-templates.js.map +1 -0
package/src/auth/ui/index.d.ts +11 -0
package/src/auth/ui/index.js +35 -0
package/src/auth/ui/index.js.map +1 -0
package/src/auth/utils/audience.validator.d.ts +129 -0
package/src/auth/utils/audience.validator.js +196 -0
package/src/auth/utils/audience.validator.js.map +1 -0
package/src/auth/utils/index.d.ts +2 -0
package/src/auth/utils/index.js +7 -0
package/src/auth/utils/index.js.map +1 -0
package/src/auth/utils/www-authenticate.utils.d.ts +97 -0
package/src/auth/utils/www-authenticate.utils.js +183 -0
package/src/auth/utils/www-authenticate.utils.js.map +1 -0
package/src/common/common.schema.d.ts +2 -16
package/src/common/constants.d.ts +3 -0
package/src/common/constants.js +6 -1
package/src/common/constants.js.map +1 -1
package/src/common/decorators/decorator-utils.d.ts +131 -0
package/src/common/decorators/decorator-utils.js +195 -0
package/src/common/decorators/decorator-utils.js.map +1 -0
package/src/common/decorators/front-mcp.decorator.js +3 -2
package/src/common/decorators/front-mcp.decorator.js.map +1 -1
package/src/common/decorators/hook.decorator.d.ts +58 -2
package/src/common/decorators/hook.decorator.js +127 -17
package/src/common/decorators/hook.decorator.js.map +1 -1
package/src/common/decorators/plugin.decorator.d.ts +1 -1
package/src/common/decorators/plugin.decorator.js +11 -10
package/src/common/decorators/plugin.decorator.js.map +1 -1
package/src/common/decorators/resource.decorator.d.ts +32 -3
package/src/common/decorators/resource.decorator.js +46 -4
package/src/common/decorators/resource.decorator.js.map +1 -1
package/src/common/decorators/tool.decorator.d.ts +54 -5
package/src/common/decorators/tool.decorator.js.map +1 -1
package/src/common/dynamic/dynamic.plugin.d.ts +22 -11
package/src/common/dynamic/dynamic.plugin.js +7 -1
package/src/common/dynamic/dynamic.plugin.js.map +1 -1
package/src/common/entries/prompt.entry.d.ts +46 -2
package/src/common/entries/prompt.entry.js +10 -0
package/src/common/entries/prompt.entry.js.map +1 -1
package/src/common/entries/resource.entry.d.ts +69 -6
package/src/common/entries/resource.entry.js +27 -3
package/src/common/entries/resource.entry.js.map +1 -1
package/src/common/entries/scope.entry.d.ts +5 -1
package/src/common/entries/scope.entry.js +3 -3
package/src/common/entries/scope.entry.js.map +1 -1
package/src/common/flow/flow.utils.d.ts +56 -0
package/src/common/flow/flow.utils.js +96 -0
package/src/common/flow/flow.utils.js.map +1 -0
package/src/common/index.d.ts +2 -2
package/src/common/index.js +2 -2
package/src/common/index.js.map +1 -1
package/src/common/interfaces/execution-context.interface.d.ts +59 -0
package/src/common/interfaces/execution-context.interface.js +81 -0
package/src/common/interfaces/execution-context.interface.js.map +1 -0
package/src/common/interfaces/flow.interface.d.ts +1 -1
package/src/common/interfaces/flow.interface.js.map +1 -1
package/src/common/interfaces/index.d.ts +1 -0
package/src/common/interfaces/index.js +1 -0
package/src/common/interfaces/index.js.map +1 -1
package/src/common/interfaces/internal/primary-auth-provider.interface.d.ts +17 -2
package/src/common/interfaces/internal/primary-auth-provider.interface.js +52 -4
package/src/common/interfaces/internal/primary-auth-provider.interface.js.map +1 -1
package/src/common/interfaces/internal/registry.interface.d.ts +16 -2
package/src/common/interfaces/internal/registry.interface.js.map +1 -1
package/src/common/interfaces/plugin.interface.js.map +1 -1
package/src/common/interfaces/prompt.interface.d.ts +53 -4
package/src/common/interfaces/prompt.interface.js +78 -0
package/src/common/interfaces/prompt.interface.js.map +1 -1
package/src/common/interfaces/resource.interface.d.ts +47 -17
package/src/common/interfaces/resource.interface.js +53 -0
package/src/common/interfaces/resource.interface.js.map +1 -1
package/src/common/interfaces/tool.interface.d.ts +39 -22
package/src/common/interfaces/tool.interface.js +61 -34
package/src/common/interfaces/tool.interface.js.map +1 -1
package/src/common/metadata/adapter.metadata.d.ts +1 -9
package/src/common/metadata/app.metadata.d.ts +425 -730
package/src/common/metadata/auth-provider.metadata.d.ts +2 -12
package/src/common/metadata/flow.metadata.d.ts +10 -25
package/src/common/metadata/front-mcp.metadata.d.ts +602 -1023
package/src/common/metadata/front-mcp.metadata.js +6 -4
package/src/common/metadata/front-mcp.metadata.js.map +1 -1
package/src/common/metadata/hook.metadata.d.ts +1 -1
package/src/common/metadata/hook.metadata.js.map +1 -1
package/src/common/metadata/index.d.ts +1 -0
package/src/common/metadata/index.js +1 -0
package/src/common/metadata/index.js.map +1 -1
package/src/common/metadata/logger.metadata.d.ts +1 -9
package/src/common/metadata/plugin.metadata.d.ts +8 -30
package/src/common/metadata/prompt.metadata.d.ts +4 -161
package/src/common/metadata/provider.metadata.d.ts +2 -12
package/src/common/metadata/resource.metadata.d.ts +6 -98
package/src/common/metadata/resource.metadata.js +15 -6
package/src/common/metadata/resource.metadata.js.map +1 -1
package/src/common/metadata/tool-ui.metadata.d.ts +10 -0
package/src/common/metadata/tool-ui.metadata.js +12 -0
package/src/common/metadata/tool-ui.metadata.js.map +1 -0
package/src/common/metadata/tool.metadata.d.ts +78 -199
package/src/common/metadata/tool.metadata.js +11 -14
package/src/common/metadata/tool.metadata.js.map +1 -1
package/src/common/providers/base-config.provider.d.ts +84 -0
package/src/common/providers/base-config.provider.js +128 -0
package/src/common/providers/base-config.provider.js.map +1 -0
package/src/common/records/plugin.record.d.ts +5 -6
package/src/common/records/plugin.record.js.map +1 -1
package/src/common/records/prompt.record.js.map +1 -1
package/src/common/records/resource.record.d.ts +17 -1
package/src/common/records/resource.record.js +12 -6
package/src/common/records/resource.record.js.map +1 -1
package/src/common/records/tool.record.js.map +1 -1
package/src/common/schemas/annotated-class.schema.d.ts +9 -9
package/src/common/schemas/annotated-class.schema.js +92 -27
package/src/common/schemas/annotated-class.schema.js.map +1 -1
package/src/common/schemas/http-input.schema.d.ts +6 -30
package/src/common/schemas/http-output.schema.d.ts +326 -1630
package/src/common/schemas/http-output.schema.js +39 -1
package/src/common/schemas/http-output.schema.js.map +1 -1
package/src/common/tokens/front-mcp.tokens.js +4 -1
package/src/common/tokens/front-mcp.tokens.js.map +1 -1
package/src/common/tokens/resource.tokens.d.ts +2 -0
package/src/common/tokens/resource.tokens.js +4 -1
package/src/common/tokens/resource.tokens.js.map +1 -1
package/src/common/tokens/tool.tokens.d.ts +2 -0
package/src/common/tokens/tool.tokens.js +2 -0
package/src/common/tokens/tool.tokens.js.map +1 -1
package/src/common/types/auth/jwt.types.d.ts +5 -31
package/src/common/types/auth/session.types.d.ts +97 -192
package/src/common/types/auth/session.types.js +24 -11
package/src/common/types/auth/session.types.js.map +1 -1
package/src/common/types/options/auth.options.d.ts +1013 -490
package/src/common/types/options/auth.options.js +554 -36
package/src/common/types/options/auth.options.js.map +1 -1
package/src/common/types/options/http.options.d.ts +1 -9
package/src/common/types/options/logging.options.d.ts +7 -13
package/src/common/types/options/logging.options.js +4 -0
package/src/common/types/options/logging.options.js.map +1 -1
package/src/common/types/options/server-info.options.d.ts +3 -31
package/src/common/types/options/session.options.d.ts +90 -10
package/src/common/types/options/session.options.js +26 -3
package/src/common/types/options/session.options.js.map +1 -1
package/src/common/utils/decide-request-intent.utils.d.ts +8 -46
package/src/common/utils/decide-request-intent.utils.js +88 -23
package/src/common/utils/decide-request-intent.utils.js.map +1 -1
package/src/completion/flows/complete.flow.d.ts +74 -0
package/src/completion/flows/complete.flow.js +199 -0
package/src/completion/flows/complete.flow.js.map +1 -0
package/src/errors/authorization-required.error.d.ts +189 -0
package/src/errors/authorization-required.error.js +274 -0
package/src/errors/authorization-required.error.js.map +1 -0
package/src/errors/index.d.ts +2 -1
package/src/errors/index.js +17 -1
package/src/errors/index.js.map +1 -1
package/src/errors/mcp.error.d.ts +101 -1
package/src/errors/mcp.error.js +147 -2
package/src/errors/mcp.error.js.map +1 -1
package/src/flows/flow.instance.js +4 -3
package/src/flows/flow.instance.js.map +1 -1
package/src/flows/flow.registry.js.map +1 -1
package/src/flows/flow.stages.js +14 -11
package/src/flows/flow.stages.js.map +1 -1
package/src/front-mcp/front-mcp.providers.d.ts +464 -102
package/src/front-mcp/front-mcp.providers.js +3 -5
package/src/front-mcp/front-mcp.providers.js.map +1 -1
package/src/hooks/hook.instance.d.ts +1 -1
package/src/hooks/hook.instance.js +5 -2
package/src/hooks/hook.instance.js.map +1 -1
package/src/hooks/hook.registry.js +7 -5
package/src/hooks/hook.registry.js.map +1 -1
package/src/index.d.ts +28 -9
package/src/index.js +5 -1
package/src/index.js.map +1 -1
package/src/logger/instances/instance.logger.js +3 -2
package/src/logger/instances/instance.logger.js.map +1 -1
package/src/logger/logger.registry.js +7 -2
package/src/logger/logger.registry.js.map +1 -1
package/src/logging/flows/set-level.flow.d.ts +62 -0
package/src/logging/flows/set-level.flow.js +108 -0
package/src/logging/flows/set-level.flow.js.map +1 -0
package/src/mcp-apps/csp.d.ts +111 -0
package/src/mcp-apps/csp.js +267 -0
package/src/mcp-apps/csp.js.map +1 -0
package/src/mcp-apps/index.d.ts +23 -0
package/src/mcp-apps/index.js +91 -0
package/src/mcp-apps/index.js.map +1 -0
package/src/mcp-apps/schemas.d.ts +403 -0
package/src/mcp-apps/schemas.js +345 -0
package/src/mcp-apps/schemas.js.map +1 -0
package/src/mcp-apps/template.d.ts +94 -0
package/src/mcp-apps/template.js +419 -0
package/src/mcp-apps/template.js.map +1 -0
package/src/mcp-apps/types.d.ts +323 -0
package/src/mcp-apps/types.js +59 -0
package/src/mcp-apps/types.js.map +1 -0
package/src/notification/index.d.ts +1 -0
package/src/notification/index.js +13 -0
package/src/notification/index.js.map +1 -0
package/src/notification/notification.service.d.ts +378 -0
package/src/notification/notification.service.js +727 -0
package/src/notification/notification.service.js.map +1 -0
package/src/plugin/plugin.registry.js +12 -9
package/src/plugin/plugin.registry.js.map +1 -1
package/src/prompt/flows/get-prompt.flow.d.ts +153 -0
package/src/prompt/flows/get-prompt.flow.js +214 -0
package/src/prompt/flows/get-prompt.flow.js.map +1 -0
package/src/prompt/flows/prompts-list.flow.d.ts +67 -0
package/src/prompt/flows/prompts-list.flow.js +176 -0
package/src/prompt/flows/prompts-list.flow.js.map +1 -0
package/src/prompt/index.d.ts +7 -0
package/src/prompt/index.js +17 -0
package/src/prompt/index.js.map +1 -0
package/src/prompt/prompt.events.d.ts +17 -0
package/src/prompt/prompt.events.js +25 -0
package/src/prompt/prompt.events.js.map +1 -0
package/src/prompt/prompt.instance.d.ts +30 -0
package/src/prompt/prompt.instance.js +120 -0
package/src/prompt/prompt.instance.js.map +1 -0
package/src/prompt/prompt.registry.d.ts +79 -12
package/src/prompt/prompt.registry.js +360 -15
package/src/prompt/prompt.registry.js.map +1 -1
package/src/prompt/prompt.types.d.ts +26 -0
package/src/prompt/prompt.types.js +11 -0
package/src/prompt/prompt.types.js.map +1 -0
package/src/prompt/prompt.utils.d.ts +26 -0
package/src/prompt/prompt.utils.js +136 -0
package/src/prompt/prompt.utils.js.map +1 -0
package/src/provider/provider.registry.d.ts +12 -5
package/src/provider/provider.registry.js +30 -138
package/src/provider/provider.registry.js.map +1 -1
package/src/regsitry/registry.base.d.ts +1 -1
package/src/regsitry/registry.base.js.map +1 -1
package/src/resource/flows/read-resource.flow.d.ts +91 -0
package/src/resource/flows/read-resource.flow.js +270 -0
package/src/resource/flows/read-resource.flow.js.map +1 -0
package/src/resource/flows/resource-templates-list.flow.d.ts +64 -0
package/src/resource/flows/resource-templates-list.flow.js +191 -0
package/src/resource/flows/resource-templates-list.flow.js.map +1 -0
package/src/resource/flows/resources-list.flow.d.ts +64 -0
package/src/resource/flows/resources-list.flow.js +196 -0
package/src/resource/flows/resources-list.flow.js.map +1 -0
package/src/resource/flows/subscribe-resource.flow.d.ts +45 -0
package/src/resource/flows/subscribe-resource.flow.js +123 -0
package/src/resource/flows/subscribe-resource.flow.js.map +1 -0
package/src/resource/flows/unsubscribe-resource.flow.d.ts +44 -0
package/src/resource/flows/unsubscribe-resource.flow.js +107 -0
package/src/resource/flows/unsubscribe-resource.flow.js.map +1 -0
package/src/resource/index.d.ts +8 -0
package/src/resource/index.js +20 -0
package/src/resource/index.js.map +1 -0
package/src/resource/resource.events.d.ts +24 -0
package/src/resource/resource.events.js +17 -0
package/src/resource/resource.events.js.map +1 -0
package/src/resource/resource.instance.d.ts +35 -0
package/src/resource/resource.instance.js +163 -0
package/src/resource/resource.instance.js.map +1 -0
package/src/resource/resource.registry.d.ts +106 -12
package/src/resource/resource.registry.js +449 -13
package/src/resource/resource.registry.js.map +1 -1
package/src/resource/resource.types.d.ts +35 -0
package/src/resource/resource.types.js +11 -0
package/src/resource/resource.types.js.map +1 -0
package/src/resource/resource.utils.d.ts +30 -0
package/src/resource/resource.utils.js +151 -0
package/src/resource/resource.utils.js.map +1 -0
package/src/scope/flows/http.request.flow.d.ts +48 -330
package/src/scope/flows/http.request.flow.js +306 -78
package/src/scope/flows/http.request.flow.js.map +1 -1
package/src/scope/scope.instance.d.ts +12 -0
package/src/scope/scope.instance.js +145 -15
package/src/scope/scope.instance.js.map +1 -1
package/src/tool/flows/call-tool.flow.d.ts +64 -1110
package/src/tool/flows/call-tool.flow.js +303 -15
package/src/tool/flows/call-tool.flow.js.map +1 -1
package/src/tool/flows/tools-list.flow.d.ts +32 -473
package/src/tool/flows/tools-list.flow.js +111 -10
package/src/tool/flows/tools-list.flow.js.map +1 -1
package/src/tool/tool.events.d.ts +8 -1
package/src/tool/tool.events.js.map +1 -1
package/src/tool/tool.instance.d.ts +3 -1
package/src/tool/tool.instance.js +17 -3
package/src/tool/tool.instance.js.map +1 -1
package/src/tool/tool.registry.d.ts +7 -1
package/src/tool/tool.registry.js +26 -10
package/src/tool/tool.registry.js.map +1 -1
package/src/tool/tool.types.d.ts +4 -4
package/src/tool/tool.types.js.map +1 -1
package/src/tool/tool.utils.d.ts +3 -12
package/src/tool/tool.utils.js +39 -193
package/src/tool/tool.utils.js.map +1 -1
package/src/tool/ui/index.d.ts +22 -0
package/src/tool/ui/index.js +63 -0
package/src/tool/ui/index.js.map +1 -0
package/src/tool/ui/platform-adapters.d.ts +10 -0
package/src/tool/ui/platform-adapters.js +18 -0
package/src/tool/ui/platform-adapters.js.map +1 -0
package/src/tool/ui/template-helpers.d.ts +46 -0
package/src/tool/ui/template-helpers.js +112 -0
package/src/tool/ui/template-helpers.js.map +1 -0
package/src/tool/ui/ui-resource-template.d.ts +34 -0
package/src/tool/ui/ui-resource-template.js +64 -0
package/src/tool/ui/ui-resource-template.js.map +1 -0
package/src/tool/ui/ui-resource.handler.d.ts +74 -0
package/src/tool/ui/ui-resource.handler.js +129 -0
package/src/tool/ui/ui-resource.handler.js.map +1 -0
package/src/transport/adapters/transport.local.adapter.d.ts +2 -2
package/src/transport/adapters/transport.local.adapter.js +28 -7
package/src/transport/adapters/transport.local.adapter.js.map +1 -1
package/src/transport/adapters/transport.sse.adapter.d.ts +2 -2
package/src/transport/adapters/transport.sse.adapter.js +4 -3
package/src/transport/adapters/transport.sse.adapter.js.map +1 -1
package/src/transport/adapters/transport.streamable-http.adapter.d.ts +10 -3
package/src/transport/adapters/transport.streamable-http.adapter.js +54 -8
package/src/transport/adapters/transport.streamable-http.adapter.js.map +1 -1
package/src/transport/flows/handle.sse.flow.d.ts +29 -63
package/src/transport/flows/handle.sse.flow.js +78 -10
package/src/transport/flows/handle.sse.flow.js.map +1 -1
package/src/transport/flows/handle.stateless-http.flow.d.ts +29 -0
package/src/transport/flows/handle.stateless-http.flow.js +102 -0
package/src/transport/flows/handle.stateless-http.flow.js.map +1 -0
package/src/transport/flows/handle.streamable-http.flow.d.ts +32 -64
package/src/transport/flows/handle.streamable-http.flow.js +158 -26
package/src/transport/flows/handle.streamable-http.flow.js.map +1 -1
package/src/transport/legacy/legacy.sse.tranporter.d.ts +9 -0
package/src/transport/legacy/legacy.sse.tranporter.js +17 -2
package/src/transport/legacy/legacy.sse.tranporter.js.map +1 -1
package/src/transport/mcp-handlers/call-tool-request.handler.js +27 -1
package/src/transport/mcp-handlers/call-tool-request.handler.js.map +1 -1
package/src/transport/mcp-handlers/complete-request.handler.d.ts +69 -0
package/src/transport/mcp-handlers/complete-request.handler.js +11 -0
package/src/transport/mcp-handlers/complete-request.handler.js.map +1 -0
package/src/transport/mcp-handlers/get-prompt-request.handler.d.ts +87 -0
package/src/transport/mcp-handlers/get-prompt-request.handler.js +11 -0
package/src/transport/mcp-handlers/get-prompt-request.handler.js.map +1 -0
package/src/transport/mcp-handlers/index.d.ts +517 -208
package/src/transport/mcp-handlers/index.js +39 -2
package/src/transport/mcp-handlers/index.js.map +1 -1
package/src/transport/mcp-handlers/initialize-request.handler.d.ts +1 -1
package/src/transport/mcp-handlers/initialize-request.handler.js +73 -7
package/src/transport/mcp-handlers/initialize-request.handler.js.map +1 -1
package/src/transport/mcp-handlers/list-prompts-request.handler.d.ts +54 -0
package/src/transport/mcp-handlers/list-prompts-request.handler.js +11 -0
package/src/transport/mcp-handlers/list-prompts-request.handler.js.map +1 -0
package/src/transport/mcp-handlers/list-resource-templates-request.handler.d.ts +51 -0
package/src/transport/mcp-handlers/list-resource-templates-request.handler.js +12 -0
package/src/transport/mcp-handlers/list-resource-templates-request.handler.js.map +1 -0
package/src/transport/mcp-handlers/list-resources-request.handler.d.ts +51 -0
package/src/transport/mcp-handlers/list-resources-request.handler.js +12 -0
package/src/transport/mcp-handlers/list-resources-request.handler.js.map +1 -0
package/src/transport/mcp-handlers/list-tools-request.handler.d.ts +19 -146
package/src/transport/mcp-handlers/logging-set-level-request.handler.d.ts +46 -0
package/src/transport/mcp-handlers/logging-set-level-request.handler.js +34 -0
package/src/transport/mcp-handlers/logging-set-level-request.handler.js.map +1 -0
package/src/transport/mcp-handlers/mcp-handlers.types.d.ts +3 -7
package/src/transport/mcp-handlers/mcp-handlers.types.js.map +1 -1
package/src/transport/mcp-handlers/read-resource-request.handler.d.ts +46 -0
package/src/transport/mcp-handlers/read-resource-request.handler.js +12 -0
package/src/transport/mcp-handlers/read-resource-request.handler.js.map +1 -0
package/src/transport/mcp-handlers/roots-list-changed-notification.handler.d.ts +11 -0
package/src/transport/mcp-handlers/roots-list-changed-notification.handler.js +26 -0
package/src/transport/mcp-handlers/roots-list-changed-notification.handler.js.map +1 -0
package/src/transport/mcp-handlers/subscribe-request.handler.d.ts +37 -0
package/src/transport/mcp-handlers/subscribe-request.handler.js +34 -0
package/src/transport/mcp-handlers/subscribe-request.handler.js.map +1 -0
package/src/transport/mcp-handlers/unsubscribe-request.handler.d.ts +37 -0
package/src/transport/mcp-handlers/unsubscribe-request.handler.js +34 -0
package/src/transport/mcp-handlers/unsubscribe-request.handler.js.map +1 -0
package/src/transport/transport.local.js +7 -2
package/src/transport/transport.local.js.map +1 -1
package/src/transport/transport.registry.d.ts +30 -0
package/src/transport/transport.registry.js +84 -1
package/src/transport/transport.registry.js.map +1 -1
package/src/transport/transport.types.d.ts +3 -3
package/src/transport/transport.types.js.map +1 -1
package/src/utils/content.utils.d.ts +48 -0
package/src/utils/content.utils.js +194 -0
package/src/utils/content.utils.js.map +1 -0
package/src/utils/index.d.ts +8 -0
package/src/utils/index.js +55 -0
package/src/utils/index.js.map +1 -0
package/src/utils/lineage.utils.d.ts +40 -0
package/src/utils/lineage.utils.js +82 -0
package/src/utils/lineage.utils.js.map +1 -0
package/src/utils/naming.utils.d.ts +46 -0
package/src/utils/naming.utils.js +136 -0
package/src/utils/naming.utils.js.map +1 -0
package/src/utils/types.utils.d.ts +2 -2
package/src/utils/types.utils.js.map +1 -1
package/src/utils/uri-template.utils.d.ts +57 -0
package/src/utils/uri-template.utils.js +113 -0
package/src/utils/uri-template.utils.js.map +1 -0
package/src/utils/uri-validation.utils.d.ts +40 -0
package/src/utils/uri-validation.utils.js +76 -0
package/src/utils/uri-validation.utils.js.map +1 -0
package/src/__test-utils__/fixtures/hook.fixtures.d.ts +0 -46
package/src/__test-utils__/fixtures/hook.fixtures.js +0 -114
package/src/__test-utils__/fixtures/hook.fixtures.js.map +0 -1
package/src/__test-utils__/fixtures/index.d.ts +0 -7
package/src/__test-utils__/fixtures/index.js +0 -11
package/src/__test-utils__/fixtures/index.js.map +0 -1
package/src/__test-utils__/fixtures/plugin.fixtures.d.ts +0 -46
package/src/__test-utils__/fixtures/plugin.fixtures.js +0 -127
package/src/__test-utils__/fixtures/plugin.fixtures.js.map +0 -1
package/src/__test-utils__/fixtures/provider.fixtures.d.ts +0 -69
package/src/__test-utils__/fixtures/provider.fixtures.js +0 -131
package/src/__test-utils__/fixtures/provider.fixtures.js.map +0 -1
package/src/__test-utils__/fixtures/scope.fixtures.d.ts +0 -14
package/src/__test-utils__/fixtures/scope.fixtures.js +0 -59
package/src/__test-utils__/fixtures/scope.fixtures.js.map +0 -1
package/src/__test-utils__/fixtures/tool.fixtures.d.ts +0 -36
package/src/__test-utils__/fixtures/tool.fixtures.js +0 -91
package/src/__test-utils__/fixtures/tool.fixtures.js.map +0 -1
package/src/__test-utils__/helpers/assertion.helpers.d.ts +0 -45
package/src/__test-utils__/helpers/assertion.helpers.js +0 -153
package/src/__test-utils__/helpers/assertion.helpers.js.map +0 -1
package/src/__test-utils__/helpers/async.helpers.d.ts +0 -48
package/src/__test-utils__/helpers/async.helpers.js +0 -112
package/src/__test-utils__/helpers/async.helpers.js.map +0 -1
package/src/__test-utils__/helpers/index.d.ts +0 -6
package/src/__test-utils__/helpers/index.js +0 -10
package/src/__test-utils__/helpers/index.js.map +0 -1
package/src/__test-utils__/helpers/setup.helpers.d.ts +0 -54
package/src/__test-utils__/helpers/setup.helpers.js +0 -106
package/src/__test-utils__/helpers/setup.helpers.js.map +0 -1
package/src/__test-utils__/index.d.ts +0 -9
package/src/__test-utils__/index.js +0 -14
package/src/__test-utils__/index.js.map +0 -1
package/src/__test-utils__/mocks/flow-instance.mock.d.ts +0 -50
package/src/__test-utils__/mocks/flow-instance.mock.js +0 -72
package/src/__test-utils__/mocks/flow-instance.mock.js.map +0 -1
package/src/__test-utils__/mocks/hook-registry.mock.d.ts +0 -25
package/src/__test-utils__/mocks/hook-registry.mock.js +0 -65
package/src/__test-utils__/mocks/hook-registry.mock.js.map +0 -1
package/src/__test-utils__/mocks/index.d.ts +0 -8
package/src/__test-utils__/mocks/index.js +0 -12
package/src/__test-utils__/mocks/index.js.map +0 -1
package/src/__test-utils__/mocks/plugin-registry.mock.d.ts +0 -43
package/src/__test-utils__/mocks/plugin-registry.mock.js +0 -70
package/src/__test-utils__/mocks/plugin-registry.mock.js.map +0 -1
package/src/__test-utils__/mocks/provider-registry.mock.d.ts +0 -39
package/src/__test-utils__/mocks/provider-registry.mock.js +0 -72
package/src/__test-utils__/mocks/provider-registry.mock.js.map +0 -1
package/src/__test-utils__/mocks/tool-registry.mock.d.ts +0 -43
package/src/__test-utils__/mocks/tool-registry.mock.js +0 -79
package/src/__test-utils__/mocks/tool-registry.mock.js.map +0 -1
package/src/auth/path.utils.d.ts +0 -20
package/src/auth/path.utils.js +0 -71
package/src/auth/path.utils.js.map +0 -1
package/src/common/decorators-old/async-with.decorator.d.ts +0 -10
package/src/common/decorators-old/async-with.decorator.js +0 -24
package/src/common/decorators-old/async-with.decorator.js.map +0 -1
package/src/common/decorators-old/auth-hook.decorator.d.ts +0 -14
package/src/common/decorators-old/auth-hook.decorator.js +0 -27
package/src/common/decorators-old/auth-hook.decorator.js.map +0 -1
package/src/common/decorators-old/session-hook.decorator.d.ts +0 -14
package/src/common/decorators-old/session-hook.decorator.js +0 -27
package/src/common/decorators-old/session-hook.decorator.js.map +0 -1

package/src/auth/authorization/authorization.types.d.ts ADDED Viewed

@@ -0,0 +1,300 @@
+import { z } from 'zod';
+import { ProviderSnapshot } from '../session/session.types';
+import { TransportSession, TransportProtocol } from '../session';
+import type { AuthMode } from '../../common';
+/**
+ * User identity from authentication
+ */
+export interface AuthUser {
+    /** Subject identifier */
+    sub: string;
+    /** Display name */
+    name?: string;
+    /** Email address */
+    email?: string;
+    /** Profile picture URL */
+    picture?: string;
+    /** Whether this is an anonymous user */
+    anonymous?: boolean;
+}
+/**
+ * Authorized tool entry
+ */
+export interface AuthorizedTool {
+    /** Execution path: [appId, toolId] */
+    executionPath: [appId: string, toolId: string];
+    /** Required scopes for this tool */
+    scopes?: string[];
+    /** Additional tool metadata */
+    details?: Record<string, unknown>;
+}
+/**
+ * Authorized prompt entry
+ */
+export interface AuthorizedPrompt {
+    /** Execution path: [appId, promptId] */
+    executionPath: [appId: string, promptId: string];
+    /** Required scopes for this prompt */
+    scopes?: string[];
+    /** Additional prompt metadata */
+    details?: Record<string, unknown>;
+}
+/**
+ * Authorization represents the authenticated user context.
+ * Created from JWT verification, independent of transport.
+ * One authorization can have multiple transport sessions.
+ */
+export interface Authorization {
+    /** Unique authorization ID (derived from token signature) */
+    readonly id: string;
+    /** Auth mode that created this authorization */
+    readonly mode: AuthMode;
+    /** Whether this is an anonymous/public authorization */
+    readonly isAnonymous: boolean;
+    /** User identity */
+    readonly user: AuthUser;
+    /** JWT claims */
+    readonly claims?: Record<string, unknown>;
+    /** Token expiration (epoch ms) */
+    readonly expiresAt?: number;
+    /** Granted scopes */
+    readonly scopes: string[];
+    /** Authorized providers (for orchestrated mode) */
+    readonly authorizedProviders: Record<string, ProviderSnapshot>;
+    /** Authorized provider IDs */
+    readonly authorizedProviderIds: string[];
+    /** Authorized apps */
+    readonly authorizedApps: Record<string, {
+        id: string;
+        toolIds: string[];
+    }>;
+    /** Authorized app IDs */
+    readonly authorizedAppIds: string[];
+    /** Authorized tools */
+    readonly authorizedTools: Record<string, AuthorizedTool>;
+    /** Authorized tool IDs */
+    readonly authorizedToolIds: string[];
+    /** Authorized prompts */
+    readonly authorizedPrompts: Record<string, AuthorizedPrompt>;
+    /** Authorized prompt IDs */
+    readonly authorizedPromptIds: string[];
+    /** Authorized resources */
+    readonly authorizedResources: string[];
+    /**
+     * Get access token for a provider (orchestrated mode)
+     * @param providerId - Provider ID, defaults to primary
+     */
+    getToken(providerId?: string): Promise<string>;
+    /**
+     * Create a new transport session for this authorization
+     * @param protocol - Transport protocol (sse, streamable-http, etc.)
+     * @param fingerprint - Optional client fingerprint for tracking
+     */
+    createTransportSession(protocol: TransportProtocol, fingerprint?: string): TransportSession;
+    /**
+     * Get existing transport session by ID
+     * @param sessionId - Session ID to retrieve
+     */
+    getTransportSession(sessionId: string): TransportSession | undefined;
+    /**
+     * Check if a scope is granted
+     * @param scope - Scope to check
+     */
+    hasScope(scope: string): boolean;
+    /**
+     * Check if all scopes are granted
+     * @param scopes - Scopes to check
+     */
+    hasAllScopes(scopes: string[]): boolean;
+    /**
+     * Check if any scope is granted
+     * @param scopes - Scopes to check
+     */
+    hasAnyScope(scopes: string[]): boolean;
+    /**
+     * Check if a tool is authorized
+     * @param toolId - Tool ID to check
+     */
+    canAccessTool(toolId: string): boolean;
+    /**
+     * Check if a prompt is authorized
+     * @param promptId - Prompt ID to check
+     */
+    canAccessPrompt(promptId: string): boolean;
+}
+/**
+ * Context for creating an authorization
+ */
+export interface AuthorizationCreateCtx {
+    /** Unique ID (typically token signature fingerprint) */
+    id: string;
+    /** Whether this is anonymous */
+    isAnonymous: boolean;
+    /** User identity */
+    user: AuthUser;
+    /** JWT claims */
+    claims?: Record<string, unknown>;
+    /** Token expiration (epoch ms) */
+    expiresAt?: number;
+    /** Granted scopes */
+    scopes?: string[];
+    /** The original token (for transparent mode) */
+    token?: string;
+    /** Authorized providers */
+    authorizedProviders?: Record<string, ProviderSnapshot>;
+    /** Authorized provider IDs */
+    authorizedProviderIds?: string[];
+    /** Authorized apps */
+    authorizedApps?: Record<string, {
+        id: string;
+        toolIds: string[];
+    }>;
+    /** Authorized app IDs */
+    authorizedAppIds?: string[];
+    /** Authorized tools */
+    authorizedTools?: Record<string, AuthorizedTool>;
+    /** Authorized tool IDs */
+    authorizedToolIds?: string[];
+    /** Authorized prompts */
+    authorizedPrompts?: Record<string, AuthorizedPrompt>;
+    /** Authorized prompt IDs */
+    authorizedPromptIds?: string[];
+    /** Authorized resources */
+    authorizedResources?: string[];
+}
+/**
+ * LLM-safe session context (no tokens exposed)
+ */
+export interface LLMSafeAuthContext {
+    /** Authorization ID */
+    authorizationId: string;
+    /** Session ID */
+    sessionId: string;
+    /** Auth mode */
+    mode: AuthMode;
+    /** Whether anonymous */
+    isAnonymous: boolean;
+    /** User (sub and name only) */
+    user: {
+        sub: string;
+        name?: string;
+    };
+    /** Granted scopes */
+    scopes: string[];
+    /** Authorized tool IDs */
+    authorizedToolIds: string[];
+    /** Authorized prompt IDs */
+    authorizedPromptIds: string[];
+}
+export declare const authUserSchema: z.ZodObject<{
+    sub: z.ZodString;
+    name: z.ZodOptional<z.ZodString>;
+    email: z.ZodOptional<z.ZodString>;
+    picture: z.ZodOptional<z.ZodString>;
+    anonymous: z.ZodOptional<z.ZodBoolean>;
+}, z.core.$strip>;
+export declare const authorizedToolSchema: z.ZodObject<{
+    executionPath: z.ZodTuple<[z.ZodString, z.ZodString], null>;
+    scopes: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    details: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+}, z.core.$strip>;
+export declare const authorizedPromptSchema: z.ZodObject<{
+    executionPath: z.ZodTuple<[z.ZodString, z.ZodString], null>;
+    scopes: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    details: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+}, z.core.$strip>;
+export declare const authModeSchema: z.ZodEnum<{
+    public: "public";
+    transparent: "transparent";
+    orchestrated: "orchestrated";
+}>;
+export declare const llmSafeAuthContextSchema: z.ZodObject<{
+    authorizationId: z.ZodString;
+    sessionId: z.ZodString;
+    mode: z.ZodEnum<{
+        public: "public";
+        transparent: "transparent";
+        orchestrated: "orchestrated";
+    }>;
+    isAnonymous: z.ZodBoolean;
+    user: z.ZodObject<{
+        sub: z.ZodString;
+        name: z.ZodOptional<z.ZodString>;
+    }, z.core.$strip>;
+    scopes: z.ZodArray<z.ZodString>;
+    authorizedToolIds: z.ZodArray<z.ZodString>;
+    authorizedPromptIds: z.ZodArray<z.ZodString>;
+}, z.core.$strip>;
+/**
+ * State of app authorization within a session.
+ * Used for progressive authorization flow.
+ */
+export declare enum AppAuthState {
+    /** App has been fully authorized with tokens stored */
+    AUTHORIZED = "authorized",
+    /** User explicitly skipped this app during initial auth */
+    SKIPPED = "skipped",
+    /** App authorization is pending (not yet presented to user) */
+    PENDING = "pending"
+}
+/**
+ * App authorization record with state tracking.
+ * Stored server-side, NOT in JWT.
+ */
+export interface AppAuthorizationRecord {
+    /** App ID */
+    appId: string;
+    /** Current authorization state */
+    state: AppAuthState;
+    /** When the state was last changed (epoch ms) */
+    stateChangedAt: number;
+    /** Scopes granted for this app */
+    grantedScopes?: string[];
+    /** Auth provider ID used for this app */
+    authProviderId?: string;
+    /** Tool IDs accessible through this app authorization */
+    toolIds: string[];
+}
+/**
+ * Progressive auth session state.
+ * Tracks which apps are authorized, skipped, or pending.
+ * Stored server-side for security.
+ */
+export interface ProgressiveAuthState {
+    /** App authorization records by app ID */
+    apps: Record<string, AppAuthorizationRecord>;
+    /** Apps authorized during initial auth */
+    initiallyAuthorized: string[];
+    /** Apps skipped during initial auth */
+    initiallySkipped: string[];
+}
+/**
+ * Zod schema for AppAuthState enum
+ */
+export declare const appAuthStateSchema: z.ZodEnum<typeof AppAuthState>;
+/**
+ * Zod schema for AppAuthorizationRecord
+ */
+export declare const appAuthorizationRecordSchema: z.ZodObject<{
+    appId: z.ZodString;
+    state: z.ZodEnum<typeof AppAuthState>;
+    stateChangedAt: z.ZodNumber;
+    grantedScopes: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    authProviderId: z.ZodOptional<z.ZodString>;
+    toolIds: z.ZodArray<z.ZodString>;
+}, z.core.$strip>;
+/**
+ * Zod schema for ProgressiveAuthState
+ */
+export declare const progressiveAuthStateSchema: z.ZodObject<{
+    apps: z.ZodRecord<z.ZodString, z.ZodObject<{
+        appId: z.ZodString;
+        state: z.ZodEnum<typeof AppAuthState>;
+        stateChangedAt: z.ZodNumber;
+        grantedScopes: z.ZodOptional<z.ZodArray<z.ZodString>>;
+        authProviderId: z.ZodOptional<z.ZodString>;
+        toolIds: z.ZodArray<z.ZodString>;
+    }, z.core.$strip>>;
+    initiallyAuthorized: z.ZodArray<z.ZodString>;
+    initiallySkipped: z.ZodArray<z.ZodString>;
+}, z.core.$strip>;

package/src/auth/authorization/authorization.types.js ADDED Viewed

@@ -0,0 +1,79 @@
+"use strict";
+// auth/authorization/authorization.types.ts
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.progressiveAuthStateSchema = exports.appAuthorizationRecordSchema = exports.appAuthStateSchema = exports.AppAuthState = exports.llmSafeAuthContextSchema = exports.authModeSchema = exports.authorizedPromptSchema = exports.authorizedToolSchema = exports.authUserSchema = void 0;
+const zod_1 = require("zod");
+// ============================================
+// Zod Schemas
+// ============================================
+exports.authUserSchema = zod_1.z.object({
+    sub: zod_1.z.string(),
+    name: zod_1.z.string().optional(),
+    email: zod_1.z.string().email().optional(),
+    picture: zod_1.z.string().url().optional(),
+    anonymous: zod_1.z.boolean().optional(),
+});
+exports.authorizedToolSchema = zod_1.z.object({
+    executionPath: zod_1.z.tuple([zod_1.z.string(), zod_1.z.string()]),
+    scopes: zod_1.z.array(zod_1.z.string()).optional(),
+    details: zod_1.z.record(zod_1.z.string(), zod_1.z.unknown()).optional(),
+});
+exports.authorizedPromptSchema = zod_1.z.object({
+    executionPath: zod_1.z.tuple([zod_1.z.string(), zod_1.z.string()]),
+    scopes: zod_1.z.array(zod_1.z.string()).optional(),
+    details: zod_1.z.record(zod_1.z.string(), zod_1.z.unknown()).optional(),
+});
+exports.authModeSchema = zod_1.z.enum(['public', 'transparent', 'orchestrated']);
+exports.llmSafeAuthContextSchema = zod_1.z.object({
+    authorizationId: zod_1.z.string(),
+    sessionId: zod_1.z.string(),
+    mode: exports.authModeSchema,
+    isAnonymous: zod_1.z.boolean(),
+    user: zod_1.z.object({
+        sub: zod_1.z.string(),
+        name: zod_1.z.string().optional(),
+    }),
+    scopes: zod_1.z.array(zod_1.z.string()),
+    authorizedToolIds: zod_1.z.array(zod_1.z.string()),
+    authorizedPromptIds: zod_1.z.array(zod_1.z.string()),
+});
+// ============================================
+// Progressive/Incremental Authorization Types
+// ============================================
+/**
+ * State of app authorization within a session.
+ * Used for progressive authorization flow.
+ */
+var AppAuthState;
+(function (AppAuthState) {
+    /** App has been fully authorized with tokens stored */
+    AppAuthState["AUTHORIZED"] = "authorized";
+    /** User explicitly skipped this app during initial auth */
+    AppAuthState["SKIPPED"] = "skipped";
+    /** App authorization is pending (not yet presented to user) */
+    AppAuthState["PENDING"] = "pending";
+})(AppAuthState || (exports.AppAuthState = AppAuthState = {}));
+/**
+ * Zod schema for AppAuthState enum
+ */
+exports.appAuthStateSchema = zod_1.z.nativeEnum(AppAuthState);
+/**
+ * Zod schema for AppAuthorizationRecord
+ */
+exports.appAuthorizationRecordSchema = zod_1.z.object({
+    appId: zod_1.z.string(),
+    state: exports.appAuthStateSchema,
+    stateChangedAt: zod_1.z.number(),
+    grantedScopes: zod_1.z.array(zod_1.z.string()).optional(),
+    authProviderId: zod_1.z.string().optional(),
+    toolIds: zod_1.z.array(zod_1.z.string()),
+});
+/**
+ * Zod schema for ProgressiveAuthState
+ */
+exports.progressiveAuthStateSchema = zod_1.z.object({
+    apps: zod_1.z.record(zod_1.z.string(), exports.appAuthorizationRecordSchema),
+    initiallyAuthorized: zod_1.z.array(zod_1.z.string()),
+    initiallySkipped: zod_1.z.array(zod_1.z.string()),
+});
+//# sourceMappingURL=authorization.types.js.map

package/src/auth/authorization/authorization.types.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"authorization.types.js","sourceRoot":"","sources":["../../../../src/auth/authorization/authorization.types.ts"],"names":[],"mappings":";AAAA,4CAA4C;;;AAE5C,6BAAwB;AAiNxB,+CAA+C;AAC/C,cAAc;AACd,+CAA+C;AAElC,QAAA,cAAc,GAAG,OAAC,CAAC,MAAM,CAAC;IACrC,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE;IACf,IAAI,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC3B,KAAK,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,KAAK,EAAE,CAAC,QAAQ,EAAE;IACpC,OAAO,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IACpC,SAAS,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;CAClC,CAAC,CAAC;AAEU,QAAA,oBAAoB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC3C,aAAa,EAAE,OAAC,CAAC,KAAK,CAAC,CAAC,OAAC,CAAC,MAAM,EAAE,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC;IAChD,MAAM,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IACtC,OAAO,EAAE,OAAC,CAAC,MAAM,CAAC,OAAC,CAAC,MAAM,EAAE,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,EAAE;CACtD,CAAC,CAAC;AAEU,QAAA,sBAAsB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC7C,aAAa,EAAE,OAAC,CAAC,KAAK,CAAC,CAAC,OAAC,CAAC,MAAM,EAAE,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC;IAChD,MAAM,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IACtC,OAAO,EAAE,OAAC,CAAC,MAAM,CAAC,OAAC,CAAC,MAAM,EAAE,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,EAAE;CACtD,CAAC,CAAC;AAEU,QAAA,cAAc,GAAG,OAAC,CAAC,IAAI,CAAC,CAAC,QAAQ,EAAE,aAAa,EAAE,cAAc,CAAC,CAAC,CAAC;AAEnE,QAAA,wBAAwB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC/C,eAAe,EAAE,OAAC,CAAC,MAAM,EAAE;IAC3B,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE;IACrB,IAAI,EAAE,sBAAc;IACpB,WAAW,EAAE,OAAC,CAAC,OAAO,EAAE;IACxB,IAAI,EAAE,OAAC,CAAC,MAAM,CAAC;QACb,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE;QACf,IAAI,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;KAC5B,CAAC;IACF,MAAM,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC;IAC3B,iBAAiB,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC;IACtC,mBAAmB,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC;CACzC,CAAC,CAAC;AAEH,+CAA+C;AAC/C,8CAA8C;AAC9C,+CAA+C;AAE/C;;;GAGG;AACH,IAAY,YAOX;AAPD,WAAY,YAAY;IACtB,uDAAuD;IACvD,yCAAyB,CAAA;IACzB,2DAA2D;IAC3D,mCAAmB,CAAA;IACnB,+DAA+D;IAC/D,mCAAmB,CAAA;AACrB,CAAC,EAPW,YAAY,4BAAZ,YAAY,QAOvB;AAmCD;;GAEG;AACU,QAAA,kBAAkB,GAAG,OAAC,CAAC,UAAU,CAAC,YAAY,CAAC,CAAC;AAE7D;;GAEG;AACU,QAAA,4BAA4B,GAAG,OAAC,CAAC,MAAM,CAAC;IACnD,KAAK,EAAE,OAAC,CAAC,MAAM,EAAE;IACjB,KAAK,EAAE,0BAAkB;IACzB,cAAc,EAAE,OAAC,CAAC,MAAM,EAAE;IAC1B,aAAa,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IAC7C,cAAc,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACrC,OAAO,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC;CAC7B,CAAC,CAAC;AAEH;;GAEG;AACU,QAAA,0BAA0B,GAAG,OAAC,CAAC,MAAM,CAAC;IACjD,IAAI,EAAE,OAAC,CAAC,MAAM,CAAC,OAAC,CAAC,MAAM,EAAE,EAAE,oCAA4B,CAAC;IACxD,mBAAmB,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC;IACxC,gBAAgB,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC;CACtC,CAAC,CAAC","sourcesContent":["// auth/authorization/authorization.types.ts\n\nimport { z } from 'zod';\nimport { ProviderSnapshot } from '../session/session.types';\nimport { TransportSession, TransportProtocol } from '../session';\nimport type { AuthMode } from '../../common';\n\n/**\n * User identity from authentication\n */\nexport interface AuthUser {\n /** Subject identifier */\n sub: string;\n /** Display name */\n name?: string;\n /** Email address */\n email?: string;\n /** Profile picture URL */\n picture?: string;\n /** Whether this is an anonymous user */\n anonymous?: boolean;\n}\n\n/**\n * Authorized tool entry\n */\nexport interface AuthorizedTool {\n /** Execution path: [appId, toolId] */\n executionPath: [appId: string, toolId: string];\n /** Required scopes for this tool */\n scopes?: string[];\n /** Additional tool metadata */\n details?: Record<string, unknown>;\n}\n\n/**\n * Authorized prompt entry\n */\nexport interface AuthorizedPrompt {\n /** Execution path: [appId, promptId] */\n executionPath: [appId: string, promptId: string];\n /** Required scopes for this prompt */\n scopes?: string[];\n /** Additional prompt metadata */\n details?: Record<string, unknown>;\n}\n\n/**\n * Authorization represents the authenticated user context.\n * Created from JWT verification, independent of transport.\n * One authorization can have multiple transport sessions.\n */\nexport interface Authorization {\n /** Unique authorization ID (derived from token signature) */\n readonly id: string;\n\n /** Auth mode that created this authorization */\n readonly mode: AuthMode;\n\n /** Whether this is an anonymous/public authorization */\n readonly isAnonymous: boolean;\n\n /** User identity */\n readonly user: AuthUser;\n\n /** JWT claims */\n readonly claims?: Record<string, unknown>;\n\n /** Token expiration (epoch ms) */\n readonly expiresAt?: number;\n\n /** Granted scopes */\n readonly scopes: string[];\n\n /** Authorized providers (for orchestrated mode) */\n readonly authorizedProviders: Record<string, ProviderSnapshot>;\n\n /** Authorized provider IDs */\n readonly authorizedProviderIds: string[];\n\n /** Authorized apps */\n readonly authorizedApps: Record<string, { id: string; toolIds: string[] }>;\n\n /** Authorized app IDs */\n readonly authorizedAppIds: string[];\n\n /** Authorized tools */\n readonly authorizedTools: Record<string, AuthorizedTool>;\n\n /** Authorized tool IDs */\n readonly authorizedToolIds: string[];\n\n /** Authorized prompts */\n readonly authorizedPrompts: Record<string, AuthorizedPrompt>;\n\n /** Authorized prompt IDs */\n readonly authorizedPromptIds: string[];\n\n /** Authorized resources */\n readonly authorizedResources: string[];\n\n /**\n * Get access token for a provider (orchestrated mode)\n * @param providerId - Provider ID, defaults to primary\n */\n getToken(providerId?: string): Promise<string>;\n\n /**\n * Create a new transport session for this authorization\n * @param protocol - Transport protocol (sse, streamable-http, etc.)\n * @param fingerprint - Optional client fingerprint for tracking\n */\n createTransportSession(protocol: TransportProtocol, fingerprint?: string): TransportSession;\n\n /**\n * Get existing transport session by ID\n * @param sessionId - Session ID to retrieve\n */\n getTransportSession(sessionId: string): TransportSession | undefined;\n\n /**\n * Check if a scope is granted\n * @param scope - Scope to check\n */\n hasScope(scope: string): boolean;\n\n /**\n * Check if all scopes are granted\n * @param scopes - Scopes to check\n */\n hasAllScopes(scopes: string[]): boolean;\n\n /**\n * Check if any scope is granted\n * @param scopes - Scopes to check\n */\n hasAnyScope(scopes: string[]): boolean;\n\n /**\n * Check if a tool is authorized\n * @param toolId - Tool ID to check\n */\n canAccessTool(toolId: string): boolean;\n\n /**\n * Check if a prompt is authorized\n * @param promptId - Prompt ID to check\n */\n canAccessPrompt(promptId: string): boolean;\n}\n\n/**\n * Context for creating an authorization\n */\nexport interface AuthorizationCreateCtx {\n /** Unique ID (typically token signature fingerprint) */\n id: string;\n /** Whether this is anonymous */\n isAnonymous: boolean;\n /** User identity */\n user: AuthUser;\n /** JWT claims */\n claims?: Record<string, unknown>;\n /** Token expiration (epoch ms) */\n expiresAt?: number;\n /** Granted scopes */\n scopes?: string[];\n /** The original token (for transparent mode) */\n token?: string;\n /** Authorized providers */\n authorizedProviders?: Record<string, ProviderSnapshot>;\n /** Authorized provider IDs */\n authorizedProviderIds?: string[];\n /** Authorized apps */\n authorizedApps?: Record<string, { id: string; toolIds: string[] }>;\n /** Authorized app IDs */\n authorizedAppIds?: string[];\n /** Authorized tools */\n authorizedTools?: Record<string, AuthorizedTool>;\n /** Authorized tool IDs */\n authorizedToolIds?: string[];\n /** Authorized prompts */\n authorizedPrompts?: Record<string, AuthorizedPrompt>;\n /** Authorized prompt IDs */\n authorizedPromptIds?: string[];\n /** Authorized resources */\n authorizedResources?: string[];\n}\n\n/**\n * LLM-safe session context (no tokens exposed)\n */\nexport interface LLMSafeAuthContext {\n /** Authorization ID */\n authorizationId: string;\n /** Session ID */\n sessionId: string;\n /** Auth mode */\n mode: AuthMode;\n /** Whether anonymous */\n isAnonymous: boolean;\n /** User (sub and name only) */\n user: { sub: string; name?: string };\n /** Granted scopes */\n scopes: string[];\n /** Authorized tool IDs */\n authorizedToolIds: string[];\n /** Authorized prompt IDs */\n authorizedPromptIds: string[];\n}\n\n// ============================================\n// Zod Schemas\n// ============================================\n\nexport const authUserSchema = z.object({\n sub: z.string(),\n name: z.string().optional(),\n email: z.string().email().optional(),\n picture: z.string().url().optional(),\n anonymous: z.boolean().optional(),\n});\n\nexport const authorizedToolSchema = z.object({\n executionPath: z.tuple([z.string(), z.string()]),\n scopes: z.array(z.string()).optional(),\n details: z.record(z.string(), z.unknown()).optional(),\n});\n\nexport const authorizedPromptSchema = z.object({\n executionPath: z.tuple([z.string(), z.string()]),\n scopes: z.array(z.string()).optional(),\n details: z.record(z.string(), z.unknown()).optional(),\n});\n\nexport const authModeSchema = z.enum(['public', 'transparent', 'orchestrated']);\n\nexport const llmSafeAuthContextSchema = z.object({\n authorizationId: z.string(),\n sessionId: z.string(),\n mode: authModeSchema,\n isAnonymous: z.boolean(),\n user: z.object({\n sub: z.string(),\n name: z.string().optional(),\n }),\n scopes: z.array(z.string()),\n authorizedToolIds: z.array(z.string()),\n authorizedPromptIds: z.array(z.string()),\n});\n\n// ============================================\n// Progressive/Incremental Authorization Types\n// ============================================\n\n/**\n * State of app authorization within a session.\n * Used for progressive authorization flow.\n */\nexport enum AppAuthState {\n /** App has been fully authorized with tokens stored */\n AUTHORIZED = 'authorized',\n /** User explicitly skipped this app during initial auth */\n SKIPPED = 'skipped',\n /** App authorization is pending (not yet presented to user) */\n PENDING = 'pending',\n}\n\n/**\n * App authorization record with state tracking.\n * Stored server-side, NOT in JWT.\n */\nexport interface AppAuthorizationRecord {\n /** App ID */\n appId: string;\n /** Current authorization state */\n state: AppAuthState;\n /** When the state was last changed (epoch ms) */\n stateChangedAt: number;\n /** Scopes granted for this app */\n grantedScopes?: string[];\n /** Auth provider ID used for this app */\n authProviderId?: string;\n /** Tool IDs accessible through this app authorization */\n toolIds: string[];\n}\n\n/**\n * Progressive auth session state.\n * Tracks which apps are authorized, skipped, or pending.\n * Stored server-side for security.\n */\nexport interface ProgressiveAuthState {\n /** App authorization records by app ID */\n apps: Record<string, AppAuthorizationRecord>;\n /** Apps authorized during initial auth */\n initiallyAuthorized: string[];\n /** Apps skipped during initial auth */\n initiallySkipped: string[];\n}\n\n/**\n * Zod schema for AppAuthState enum\n */\nexport const appAuthStateSchema = z.nativeEnum(AppAuthState);\n\n/**\n * Zod schema for AppAuthorizationRecord\n */\nexport const appAuthorizationRecordSchema = z.object({\n appId: z.string(),\n state: appAuthStateSchema,\n stateChangedAt: z.number(),\n grantedScopes: z.array(z.string()).optional(),\n authProviderId: z.string().optional(),\n toolIds: z.array(z.string()),\n});\n\n/**\n * Zod schema for ProgressiveAuthState\n */\nexport const progressiveAuthStateSchema = z.object({\n apps: z.record(z.string(), appAuthorizationRecordSchema),\n initiallyAuthorized: z.array(z.string()),\n initiallySkipped: z.array(z.string()),\n});\n"]}

package/src/auth/authorization/index.d.ts ADDED Viewed

@@ -0,0 +1,5 @@
+export * from './authorization.types';
+export { AuthorizationBase, getMachineId } from './authorization.class';
+export { PublicAuthorization, PublicAuthorizationCreateCtx } from './public.authorization';
+export { TransparentAuthorization, TransparentAuthorizationCreateCtx, TransparentVerifiedPayload, } from './transparent.authorization';
+export { OrchestratedAuthorization, OrchestratedAuthorizationCreateCtx, OrchestratedProviderState, TokenStore, TokenRefreshCallback, } from './orchestrated.authorization';

package/src/auth/authorization/index.js ADDED Viewed

@@ -0,0 +1,19 @@
+"use strict";
+// auth/authorization/index.ts
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OrchestratedAuthorization = exports.TransparentAuthorization = exports.PublicAuthorization = exports.getMachineId = exports.AuthorizationBase = void 0;
+const tslib_1 = require("tslib");
+// Types
+tslib_1.__exportStar(require("./authorization.types"), exports);
+// Base class
+var authorization_class_1 = require("./authorization.class");
+Object.defineProperty(exports, "AuthorizationBase", { enumerable: true, get: function () { return authorization_class_1.AuthorizationBase; } });
+Object.defineProperty(exports, "getMachineId", { enumerable: true, get: function () { return authorization_class_1.getMachineId; } });
+// Mode-specific implementations
+var public_authorization_1 = require("./public.authorization");
+Object.defineProperty(exports, "PublicAuthorization", { enumerable: true, get: function () { return public_authorization_1.PublicAuthorization; } });
+var transparent_authorization_1 = require("./transparent.authorization");
+Object.defineProperty(exports, "TransparentAuthorization", { enumerable: true, get: function () { return transparent_authorization_1.TransparentAuthorization; } });
+var orchestrated_authorization_1 = require("./orchestrated.authorization");
+Object.defineProperty(exports, "OrchestratedAuthorization", { enumerable: true, get: function () { return orchestrated_authorization_1.OrchestratedAuthorization; } });
+//# sourceMappingURL=index.js.map

package/src/auth/authorization/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../src/auth/authorization/index.ts"],"names":[],"mappings":";AAAA,8BAA8B;;;;AAE9B,QAAQ;AACR,gEAAsC;AAEtC,aAAa;AACb,6DAAwE;AAA/D,wHAAA,iBAAiB,OAAA;AAAE,mHAAA,YAAY,OAAA;AAExC,gCAAgC;AAChC,+DAA2F;AAAlF,2HAAA,mBAAmB,OAAA;AAC5B,yEAIqC;AAHnC,qIAAA,wBAAwB,OAAA;AAI1B,2EAMsC;AALpC,uIAAA,yBAAyB,OAAA","sourcesContent":["// auth/authorization/index.ts\n\n// Types\nexport * from './authorization.types';\n\n// Base class\nexport { AuthorizationBase, getMachineId } from './authorization.class';\n\n// Mode-specific implementations\nexport { PublicAuthorization, PublicAuthorizationCreateCtx } from './public.authorization';\nexport {\n TransparentAuthorization,\n TransparentAuthorizationCreateCtx,\n TransparentVerifiedPayload,\n} from './transparent.authorization';\nexport {\n OrchestratedAuthorization,\n OrchestratedAuthorizationCreateCtx,\n OrchestratedProviderState,\n TokenStore,\n TokenRefreshCallback,\n} from './orchestrated.authorization';\n"]}

package/src/auth/authorization/orchestrated.authorization.d.ts ADDED Viewed

@@ -0,0 +1,242 @@
+import { AuthorizationBase } from './authorization.class';
+import { AuthorizationCreateCtx, AuthUser } from './authorization.types';
+import { EncryptedBlob } from '../session';
+import { AuthMode } from '../../common';
+/**
+ * Token store interface for orchestrated mode
+ * Implementations can be memory-based, Redis, or custom stores
+ */
+export interface TokenStore {
+    /**
+     * Retrieve decrypted access token for a provider
+     */
+    getAccessToken(authorizationId: string, providerId: string): Promise<string | null>;
+    /**
+     * Retrieve decrypted refresh token for a provider
+     */
+    getRefreshToken(authorizationId: string, providerId: string): Promise<string | null>;
+    /**
+     * Store tokens for a provider (encrypted)
+     */
+    storeTokens(authorizationId: string, providerId: string, tokens: {
+        accessToken: string;
+        refreshToken?: string;
+        expiresAt?: number;
+    }): Promise<void>;
+    /**
+     * Delete tokens for a provider
+     */
+    deleteTokens(authorizationId: string, providerId: string): Promise<void>;
+    /**
+     * Check if tokens exist for a provider
+     */
+    hasTokens(authorizationId: string, providerId: string): Promise<boolean>;
+}
+/**
+ * Token refresh callback type
+ */
+export type TokenRefreshCallback = (providerId: string, refreshToken: string) => Promise<{
+    accessToken: string;
+    refreshToken?: string;
+    expiresIn?: number;
+}>;
+/**
+ * Provider token state for orchestrated authorization
+ */
+export interface OrchestratedProviderState {
+    /** Provider ID */
+    id: string;
+    /** Encrypted access token blob */
+    accessTokenEnc?: EncryptedBlob;
+    /** Encrypted refresh token blob */
+    refreshTokenEnc?: EncryptedBlob;
+    /** Token expiration (epoch ms) */
+    expiresAt?: number;
+    /** External reference ID (for vault/store) */
+    secretRefId?: string;
+    /** Refresh reference ID */
+    refreshRefId?: string;
+}
+/**
+ * Context for creating an OrchestratedAuthorization
+ */
+export interface OrchestratedAuthorizationCreateCtx {
+    /**
+     * The local JWT issued by the orchestrating server
+     */
+    token: string;
+    /**
+     * User identity from upstream provider
+     */
+    user: AuthUser;
+    /**
+     * Scopes granted to this authorization
+     */
+    scopes?: string[];
+    /**
+     * JWT claims
+     */
+    claims?: Record<string, unknown>;
+    /**
+     * Expiration (epoch ms)
+     */
+    expiresAt?: number;
+    /**
+     * Primary provider ID (default for getToken)
+     */
+    primaryProviderId?: string;
+    /**
+     * Token store for retrieving/storing provider tokens
+     */
+    tokenStore?: TokenStore;
+    /**
+     * Token refresh callback
+     */
+    onTokenRefresh?: TokenRefreshCallback;
+    /**
+     * Provider states (with encrypted tokens)
+     */
+    providers?: Record<string, OrchestratedProviderState>;
+    /**
+     * Precomputed authorization projections
+     */
+    authorizedTools?: AuthorizationCreateCtx['authorizedTools'];
+    authorizedToolIds?: string[];
+    authorizedPrompts?: AuthorizationCreateCtx['authorizedPrompts'];
+    authorizedPromptIds?: string[];
+    authorizedApps?: AuthorizationCreateCtx['authorizedApps'];
+    authorizedAppIds?: string[];
+    authorizedResources?: string[];
+}
+/**
+ * OrchestratedAuthorization - Local auth server with secure token storage
+ *
+ * In orchestrated mode:
+ * - The MCP server acts as an OAuth client to upstream providers
+ * - Provider tokens are encrypted and never exposed to the LLM
+ * - Supports token refresh and multi-provider scenarios
+ * - getToken() retrieves decrypted tokens from secure storage
+ * - Ideal for multi-tenant, federated auth, or high-security scenarios
+ */
+export declare class OrchestratedAuthorization extends AuthorizationBase {
+    #private;
+    readonly mode: AuthMode;
+    /**
+     * Primary provider ID (default for getToken)
+     */
+    readonly primaryProviderId?: string;
+    private constructor();
+    /**
+     * Create an OrchestratedAuthorization
+     *
+     * @param ctx - Creation context
+     * @returns A new OrchestratedAuthorization instance
+     *
+     * @example
+     * ```typescript
+     * const auth = OrchestratedAuthorization.create({
+     *   token: localJwt,
+     *   user: { sub: 'user123', name: 'John' },
+     *   primaryProviderId: 'github',
+     *   tokenStore: redisTokenStore,
+     *   providers: {
+     *     github: { id: 'github', secretRefId: 'vault:github:user123' },
+     *   },
+     * });
+     *
+     * // Retrieve token securely (never exposed to LLM)
+     * const githubToken = await auth.getToken('github');
+     * ```
+     */
+    static create(ctx: OrchestratedAuthorizationCreateCtx): OrchestratedAuthorization;
+    /**
+     * Get access token for a provider
+     *
+     * Retrieves the decrypted token from the secure store.
+     * If the token is expired and refresh is available, attempts refresh.
+     *
+     * @param providerId - Provider ID (defaults to primaryProviderId)
+     * @returns The decrypted access token
+     * @throws If no token store or no token available
+     */
+    getToken(providerId?: string): Promise<string>;
+    /**
+     * Refresh token and return new access token
+     */
+    private refreshAndGetToken;
+    /**
+     * Generate authorization ID from token
+     */
+    private static generateAuthorizationId;
+    /**
+     * Check if a provider has tokens stored
+     */
+    hasProvider(providerId: string): boolean;
+    /**
+     * Get all provider IDs with tokens
+     */
+    getProviderIds(): string[];
+    /**
+     * Add a new provider to this authorization
+     * Used when user authorizes additional providers after initial auth
+     */
+    addProvider(providerId: string, tokens: {
+        accessToken: string;
+        refreshToken?: string;
+        expiresIn?: number;
+    }): Promise<void>;
+    /**
+     * Add app authorization after initial auth (progressive authorization).
+     * Stores app tokens server-side and updates authorized apps without JWT reissue.
+     *
+     * @param appId - App ID to authorize
+     * @param toolIds - Tool IDs accessible through this app authorization
+     * @param tokens - OAuth tokens from the app's auth provider
+     *
+     * @example
+     * ```typescript
+     * // User clicks auth link for Slack app
+     * await auth.addAppAuthorization('slack', ['slack:send_message', 'slack:list_channels'], {
+     *   accessToken: slackAccessToken,
+     *   refreshToken: slackRefreshToken,
+     *   expiresIn: 3600,
+     * });
+     *
+     * // Now slack tools will work without re-auth
+     * ```
+     */
+    addAppAuthorization(appId: string, toolIds: string[], tokens: {
+        accessToken: string;
+        refreshToken?: string;
+        expiresIn?: number;
+    }): Promise<void>;
+    /**
+     * Get access token for a specific app (for tool execution).
+     * Retrieves the app's OAuth token from server-side storage.
+     *
+     * @param appId - App ID to get token for
+     * @returns The decrypted access token, or null if not authorized
+     */
+    getAppToken(appId: string): Promise<string | null>;
+    /**
+     * Check if an app is authorized (includes progressively authorized apps).
+     * Overrides base class to include mutable app authorization state.
+     */
+    isAppAuthorized(appId: string): boolean;
+    /**
+     * Get all authorized app IDs (includes progressively authorized apps).
+     */
+    getAllAuthorizedAppIds(): string[];
+    /**
+     * Get tool IDs authorized through an app.
+     */
+    getAppToolIds(appId: string): string[] | undefined;
+    /**
+     * Remove a provider from this authorization
+     */
+    removeProvider(providerId: string): Promise<void>;
+    /**
+     * Get the issuer (local orchestrator)
+     */
+    get issuer(): string | undefined;
+}