npm - @frontmcp/sdk - Versions diffs - 0.4.0 → 0.5.0 - Mend

@frontmcp/sdk 0.4.0 → 0.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (558) hide show

package/README.md +30 -18
package/package.json +20 -5
package/src/app/app.registry.d.ts +3 -2
package/src/app/app.registry.js +3 -1
package/src/app/app.registry.js.map +1 -1
package/src/app/instances/app.local.instance.js +2 -2
package/src/app/instances/app.local.instance.js.map +1 -1
package/src/auth/auth.registry.d.ts +34 -2
package/src/auth/auth.registry.js +162 -24
package/src/auth/auth.registry.js.map +1 -1
package/src/auth/auth.utils.js +8 -9
package/src/auth/auth.utils.js.map +1 -1
package/src/auth/authorization/authorization.class.d.ts +125 -0
package/src/auth/authorization/authorization.class.js +224 -0
package/src/auth/authorization/authorization.class.js.map +1 -0
package/src/auth/authorization/authorization.types.d.ts +300 -0
package/src/auth/authorization/authorization.types.js +79 -0
package/src/auth/authorization/authorization.types.js.map +1 -0
package/src/auth/authorization/index.d.ts +5 -0
package/src/auth/authorization/index.js +19 -0
package/src/auth/authorization/index.js.map +1 -0
package/src/auth/authorization/orchestrated.authorization.d.ts +242 -0
package/src/auth/authorization/orchestrated.authorization.js +306 -0
package/src/auth/authorization/orchestrated.authorization.js.map +1 -0
package/src/auth/authorization/public.authorization.d.ts +91 -0
package/src/auth/authorization/public.authorization.js +132 -0
package/src/auth/authorization/public.authorization.js.map +1 -0
package/src/auth/authorization/transparent.authorization.d.ts +130 -0
package/src/auth/authorization/transparent.authorization.js +147 -0
package/src/auth/authorization/transparent.authorization.js.map +1 -0
package/src/auth/consent/consent.types.d.ts +111 -0
package/src/auth/consent/consent.types.js +119 -0
package/src/auth/consent/consent.types.js.map +1 -0
package/src/auth/consent/index.d.ts +1 -0
package/src/auth/consent/index.js +13 -0
package/src/auth/consent/index.js.map +1 -0
package/src/auth/detection/auth-provider-detection.d.ts +84 -0
package/src/auth/detection/auth-provider-detection.js +230 -0
package/src/auth/detection/auth-provider-detection.js.map +1 -0
package/src/auth/detection/index.d.ts +1 -0
package/src/auth/detection/index.js +15 -0
package/src/auth/detection/index.js.map +1 -0
package/src/auth/flows/auth.verify.flow.d.ts +110 -0
package/src/auth/flows/auth.verify.flow.js +379 -0
package/src/auth/flows/auth.verify.flow.js.map +1 -0
package/src/auth/flows/oauth.authorize.flow.d.ts +118 -164
package/src/auth/flows/oauth.authorize.flow.js +701 -33
package/src/auth/flows/oauth.authorize.flow.js.map +1 -1
package/src/auth/flows/oauth.callback.flow.d.ts +117 -0
package/src/auth/flows/oauth.callback.flow.js +357 -0
package/src/auth/flows/oauth.callback.flow.js.map +1 -0
package/src/auth/flows/oauth.register.flow.d.ts +32 -125
package/src/auth/flows/oauth.token.flow.d.ts +52 -154
package/src/auth/flows/oauth.token.flow.js +193 -55
package/src/auth/flows/oauth.token.flow.js.map +1 -1
package/src/auth/flows/session.verify.flow.d.ts +66 -321
package/src/auth/flows/session.verify.flow.js +107 -18
package/src/auth/flows/session.verify.flow.js.map +1 -1
package/src/auth/flows/well-known.jwks.flow.d.ts +34 -205
package/src/auth/flows/well-known.jwks.flow.js +15 -8
package/src/auth/flows/well-known.jwks.flow.js.map +1 -1
package/src/auth/flows/well-known.oauth-authorization-server.flow.d.ts +48 -223
package/src/auth/flows/well-known.oauth-authorization-server.flow.js +2 -3
package/src/auth/flows/well-known.oauth-authorization-server.flow.js.map +1 -1
package/src/auth/flows/well-known.prm.flow.d.ts +19 -120
package/src/auth/flows/well-known.prm.flow.js +3 -4
package/src/auth/flows/well-known.prm.flow.js.map +1 -1
package/src/auth/instances/instance.local-primary-auth.d.ts +91 -4
package/src/auth/instances/instance.local-primary-auth.js +236 -6
package/src/auth/instances/instance.local-primary-auth.js.map +1 -1
package/src/auth/instances/instance.remote-primary-auth.d.ts +4 -3
package/src/auth/instances/instance.remote-primary-auth.js +2 -2
package/src/auth/instances/instance.remote-primary-auth.js.map +1 -1
package/src/auth/session/authorization-vault.d.ts +611 -0
package/src/auth/session/authorization-vault.js +817 -0
package/src/auth/session/authorization-vault.js.map +1 -0
package/src/auth/session/authorization.store.d.ts +301 -0
package/src/auth/session/authorization.store.js +323 -0
package/src/auth/session/authorization.store.js.map +1 -0
package/src/auth/session/encrypted-authorization-vault.d.ts +181 -0
package/src/auth/session/encrypted-authorization-vault.js +493 -0
package/src/auth/session/encrypted-authorization-vault.js.map +1 -0
package/src/auth/session/index.d.ts +4 -4
package/src/auth/session/index.js +11 -7
package/src/auth/session/index.js.map +1 -1
package/src/auth/session/session.schema.d.ts +1 -1
package/src/auth/session/session.service.d.ts +1 -1
package/src/auth/session/transport-session.manager.d.ts +101 -0
package/src/auth/session/transport-session.manager.js +300 -0
package/src/auth/session/transport-session.manager.js.map +1 -0
package/src/auth/session/transport-session.types.d.ts +457 -0
package/src/auth/session/transport-session.types.js +110 -0
package/src/auth/session/transport-session.types.js.map +1 -0
package/src/auth/session/utils/session-id.utils.d.ts +14 -2
package/src/auth/session/utils/session-id.utils.js +68 -19
package/src/auth/session/utils/session-id.utils.js.map +1 -1
package/src/auth/session/vault-encryption.d.ts +189 -0
package/src/auth/session/vault-encryption.js +263 -0
package/src/auth/session/vault-encryption.js.map +1 -0
package/src/auth/ui/base-layout.d.ts +188 -0
package/src/auth/ui/base-layout.js +292 -0
package/src/auth/ui/base-layout.js.map +1 -0
package/src/auth/ui/htmx-templates.d.ts +135 -0
package/src/auth/ui/htmx-templates.js +433 -0
package/src/auth/ui/htmx-templates.js.map +1 -0
package/src/auth/ui/index.d.ts +11 -0
package/src/auth/ui/index.js +35 -0
package/src/auth/ui/index.js.map +1 -0
package/src/auth/utils/audience.validator.d.ts +129 -0
package/src/auth/utils/audience.validator.js +196 -0
package/src/auth/utils/audience.validator.js.map +1 -0
package/src/auth/utils/index.d.ts +2 -0
package/src/auth/utils/index.js +7 -0
package/src/auth/utils/index.js.map +1 -0
package/src/auth/utils/www-authenticate.utils.d.ts +97 -0
package/src/auth/utils/www-authenticate.utils.js +183 -0
package/src/auth/utils/www-authenticate.utils.js.map +1 -0
package/src/common/common.schema.d.ts +2 -16
package/src/common/constants.d.ts +3 -0
package/src/common/constants.js +6 -1
package/src/common/constants.js.map +1 -1
package/src/common/decorators/decorator-utils.d.ts +131 -0
package/src/common/decorators/decorator-utils.js +195 -0
package/src/common/decorators/decorator-utils.js.map +1 -0
package/src/common/decorators/front-mcp.decorator.js +3 -2
package/src/common/decorators/front-mcp.decorator.js.map +1 -1
package/src/common/decorators/hook.decorator.d.ts +58 -2
package/src/common/decorators/hook.decorator.js +127 -17
package/src/common/decorators/hook.decorator.js.map +1 -1
package/src/common/decorators/plugin.decorator.d.ts +1 -1
package/src/common/decorators/plugin.decorator.js +11 -10
package/src/common/decorators/plugin.decorator.js.map +1 -1
package/src/common/decorators/resource.decorator.d.ts +32 -3
package/src/common/decorators/resource.decorator.js +46 -4
package/src/common/decorators/resource.decorator.js.map +1 -1
package/src/common/decorators/tool.decorator.d.ts +54 -5
package/src/common/decorators/tool.decorator.js.map +1 -1
package/src/common/dynamic/dynamic.plugin.d.ts +22 -11
package/src/common/dynamic/dynamic.plugin.js +7 -1
package/src/common/dynamic/dynamic.plugin.js.map +1 -1
package/src/common/entries/prompt.entry.d.ts +46 -2
package/src/common/entries/prompt.entry.js +10 -0
package/src/common/entries/prompt.entry.js.map +1 -1
package/src/common/entries/resource.entry.d.ts +69 -6
package/src/common/entries/resource.entry.js +27 -3
package/src/common/entries/resource.entry.js.map +1 -1
package/src/common/entries/scope.entry.d.ts +5 -1
package/src/common/entries/scope.entry.js +3 -3
package/src/common/entries/scope.entry.js.map +1 -1
package/src/common/flow/flow.utils.d.ts +56 -0
package/src/common/flow/flow.utils.js +96 -0
package/src/common/flow/flow.utils.js.map +1 -0
package/src/common/index.d.ts +2 -2
package/src/common/index.js +2 -2
package/src/common/index.js.map +1 -1
package/src/common/interfaces/execution-context.interface.d.ts +59 -0
package/src/common/interfaces/execution-context.interface.js +81 -0
package/src/common/interfaces/execution-context.interface.js.map +1 -0
package/src/common/interfaces/flow.interface.d.ts +1 -1
package/src/common/interfaces/flow.interface.js.map +1 -1
package/src/common/interfaces/index.d.ts +1 -0
package/src/common/interfaces/index.js +1 -0
package/src/common/interfaces/index.js.map +1 -1
package/src/common/interfaces/internal/primary-auth-provider.interface.d.ts +17 -2
package/src/common/interfaces/internal/primary-auth-provider.interface.js +52 -4
package/src/common/interfaces/internal/primary-auth-provider.interface.js.map +1 -1
package/src/common/interfaces/internal/registry.interface.d.ts +16 -2
package/src/common/interfaces/internal/registry.interface.js.map +1 -1
package/src/common/interfaces/plugin.interface.js.map +1 -1
package/src/common/interfaces/prompt.interface.d.ts +53 -4
package/src/common/interfaces/prompt.interface.js +78 -0
package/src/common/interfaces/prompt.interface.js.map +1 -1
package/src/common/interfaces/resource.interface.d.ts +47 -17
package/src/common/interfaces/resource.interface.js +53 -0
package/src/common/interfaces/resource.interface.js.map +1 -1
package/src/common/interfaces/tool.interface.d.ts +39 -22
package/src/common/interfaces/tool.interface.js +61 -34
package/src/common/interfaces/tool.interface.js.map +1 -1
package/src/common/metadata/adapter.metadata.d.ts +1 -9
package/src/common/metadata/app.metadata.d.ts +425 -730
package/src/common/metadata/auth-provider.metadata.d.ts +2 -12
package/src/common/metadata/flow.metadata.d.ts +10 -25
package/src/common/metadata/front-mcp.metadata.d.ts +602 -1023
package/src/common/metadata/front-mcp.metadata.js +6 -4
package/src/common/metadata/front-mcp.metadata.js.map +1 -1
package/src/common/metadata/hook.metadata.d.ts +1 -1
package/src/common/metadata/hook.metadata.js.map +1 -1
package/src/common/metadata/index.d.ts +1 -0
package/src/common/metadata/index.js +1 -0
package/src/common/metadata/index.js.map +1 -1
package/src/common/metadata/logger.metadata.d.ts +1 -9
package/src/common/metadata/plugin.metadata.d.ts +8 -30
package/src/common/metadata/prompt.metadata.d.ts +4 -161
package/src/common/metadata/provider.metadata.d.ts +2 -12
package/src/common/metadata/resource.metadata.d.ts +6 -98
package/src/common/metadata/resource.metadata.js +15 -6
package/src/common/metadata/resource.metadata.js.map +1 -1
package/src/common/metadata/tool-ui.metadata.d.ts +10 -0
package/src/common/metadata/tool-ui.metadata.js +12 -0
package/src/common/metadata/tool-ui.metadata.js.map +1 -0
package/src/common/metadata/tool.metadata.d.ts +78 -199
package/src/common/metadata/tool.metadata.js +11 -14
package/src/common/metadata/tool.metadata.js.map +1 -1
package/src/common/providers/base-config.provider.d.ts +84 -0
package/src/common/providers/base-config.provider.js +128 -0
package/src/common/providers/base-config.provider.js.map +1 -0
package/src/common/records/plugin.record.d.ts +5 -6
package/src/common/records/plugin.record.js.map +1 -1
package/src/common/records/prompt.record.js.map +1 -1
package/src/common/records/resource.record.d.ts +17 -1
package/src/common/records/resource.record.js +12 -6
package/src/common/records/resource.record.js.map +1 -1
package/src/common/records/tool.record.js.map +1 -1
package/src/common/schemas/annotated-class.schema.d.ts +9 -9
package/src/common/schemas/annotated-class.schema.js +92 -27
package/src/common/schemas/annotated-class.schema.js.map +1 -1
package/src/common/schemas/http-input.schema.d.ts +6 -30
package/src/common/schemas/http-output.schema.d.ts +326 -1630
package/src/common/schemas/http-output.schema.js +39 -1
package/src/common/schemas/http-output.schema.js.map +1 -1
package/src/common/tokens/front-mcp.tokens.js +4 -1
package/src/common/tokens/front-mcp.tokens.js.map +1 -1
package/src/common/tokens/resource.tokens.d.ts +2 -0
package/src/common/tokens/resource.tokens.js +4 -1
package/src/common/tokens/resource.tokens.js.map +1 -1
package/src/common/tokens/tool.tokens.d.ts +2 -0
package/src/common/tokens/tool.tokens.js +2 -0
package/src/common/tokens/tool.tokens.js.map +1 -1
package/src/common/types/auth/jwt.types.d.ts +5 -31
package/src/common/types/auth/session.types.d.ts +97 -192
package/src/common/types/auth/session.types.js +24 -11
package/src/common/types/auth/session.types.js.map +1 -1
package/src/common/types/options/auth.options.d.ts +1013 -490
package/src/common/types/options/auth.options.js +554 -36
package/src/common/types/options/auth.options.js.map +1 -1
package/src/common/types/options/http.options.d.ts +1 -9
package/src/common/types/options/logging.options.d.ts +7 -13
package/src/common/types/options/logging.options.js +4 -0
package/src/common/types/options/logging.options.js.map +1 -1
package/src/common/types/options/server-info.options.d.ts +3 -31
package/src/common/types/options/session.options.d.ts +90 -10
package/src/common/types/options/session.options.js +26 -3
package/src/common/types/options/session.options.js.map +1 -1
package/src/common/utils/decide-request-intent.utils.d.ts +8 -46
package/src/common/utils/decide-request-intent.utils.js +88 -23
package/src/common/utils/decide-request-intent.utils.js.map +1 -1
package/src/completion/flows/complete.flow.d.ts +74 -0
package/src/completion/flows/complete.flow.js +199 -0
package/src/completion/flows/complete.flow.js.map +1 -0
package/src/errors/authorization-required.error.d.ts +189 -0
package/src/errors/authorization-required.error.js +274 -0
package/src/errors/authorization-required.error.js.map +1 -0
package/src/errors/index.d.ts +2 -1
package/src/errors/index.js +17 -1
package/src/errors/index.js.map +1 -1
package/src/errors/mcp.error.d.ts +101 -1
package/src/errors/mcp.error.js +147 -2
package/src/errors/mcp.error.js.map +1 -1
package/src/flows/flow.instance.js +4 -3
package/src/flows/flow.instance.js.map +1 -1
package/src/flows/flow.registry.js.map +1 -1
package/src/flows/flow.stages.js +14 -11
package/src/flows/flow.stages.js.map +1 -1
package/src/front-mcp/front-mcp.providers.d.ts +464 -102
package/src/front-mcp/front-mcp.providers.js +3 -5
package/src/front-mcp/front-mcp.providers.js.map +1 -1
package/src/hooks/hook.instance.d.ts +1 -1
package/src/hooks/hook.instance.js +5 -2
package/src/hooks/hook.instance.js.map +1 -1
package/src/hooks/hook.registry.js +7 -5
package/src/hooks/hook.registry.js.map +1 -1
package/src/index.d.ts +28 -9
package/src/index.js +5 -1
package/src/index.js.map +1 -1
package/src/logger/instances/instance.logger.js +3 -2
package/src/logger/instances/instance.logger.js.map +1 -1
package/src/logger/logger.registry.js +7 -2
package/src/logger/logger.registry.js.map +1 -1
package/src/logging/flows/set-level.flow.d.ts +62 -0
package/src/logging/flows/set-level.flow.js +108 -0
package/src/logging/flows/set-level.flow.js.map +1 -0
package/src/mcp-apps/csp.d.ts +111 -0
package/src/mcp-apps/csp.js +267 -0
package/src/mcp-apps/csp.js.map +1 -0
package/src/mcp-apps/index.d.ts +23 -0
package/src/mcp-apps/index.js +91 -0
package/src/mcp-apps/index.js.map +1 -0
package/src/mcp-apps/schemas.d.ts +403 -0
package/src/mcp-apps/schemas.js +345 -0
package/src/mcp-apps/schemas.js.map +1 -0
package/src/mcp-apps/template.d.ts +94 -0
package/src/mcp-apps/template.js +419 -0
package/src/mcp-apps/template.js.map +1 -0
package/src/mcp-apps/types.d.ts +323 -0
package/src/mcp-apps/types.js +59 -0
package/src/mcp-apps/types.js.map +1 -0
package/src/notification/index.d.ts +1 -0
package/src/notification/index.js +13 -0
package/src/notification/index.js.map +1 -0
package/src/notification/notification.service.d.ts +378 -0
package/src/notification/notification.service.js +727 -0
package/src/notification/notification.service.js.map +1 -0
package/src/plugin/plugin.registry.js +12 -9
package/src/plugin/plugin.registry.js.map +1 -1
package/src/prompt/flows/get-prompt.flow.d.ts +153 -0
package/src/prompt/flows/get-prompt.flow.js +214 -0
package/src/prompt/flows/get-prompt.flow.js.map +1 -0
package/src/prompt/flows/prompts-list.flow.d.ts +67 -0
package/src/prompt/flows/prompts-list.flow.js +176 -0
package/src/prompt/flows/prompts-list.flow.js.map +1 -0
package/src/prompt/index.d.ts +7 -0
package/src/prompt/index.js +17 -0
package/src/prompt/index.js.map +1 -0
package/src/prompt/prompt.events.d.ts +17 -0
package/src/prompt/prompt.events.js +25 -0
package/src/prompt/prompt.events.js.map +1 -0
package/src/prompt/prompt.instance.d.ts +30 -0
package/src/prompt/prompt.instance.js +120 -0
package/src/prompt/prompt.instance.js.map +1 -0
package/src/prompt/prompt.registry.d.ts +79 -12
package/src/prompt/prompt.registry.js +360 -15
package/src/prompt/prompt.registry.js.map +1 -1
package/src/prompt/prompt.types.d.ts +26 -0
package/src/prompt/prompt.types.js +11 -0
package/src/prompt/prompt.types.js.map +1 -0
package/src/prompt/prompt.utils.d.ts +26 -0
package/src/prompt/prompt.utils.js +136 -0
package/src/prompt/prompt.utils.js.map +1 -0
package/src/provider/provider.registry.d.ts +12 -5
package/src/provider/provider.registry.js +30 -138
package/src/provider/provider.registry.js.map +1 -1
package/src/regsitry/registry.base.d.ts +1 -1
package/src/regsitry/registry.base.js.map +1 -1
package/src/resource/flows/read-resource.flow.d.ts +91 -0
package/src/resource/flows/read-resource.flow.js +270 -0
package/src/resource/flows/read-resource.flow.js.map +1 -0
package/src/resource/flows/resource-templates-list.flow.d.ts +64 -0
package/src/resource/flows/resource-templates-list.flow.js +191 -0
package/src/resource/flows/resource-templates-list.flow.js.map +1 -0
package/src/resource/flows/resources-list.flow.d.ts +64 -0
package/src/resource/flows/resources-list.flow.js +196 -0
package/src/resource/flows/resources-list.flow.js.map +1 -0
package/src/resource/flows/subscribe-resource.flow.d.ts +45 -0
package/src/resource/flows/subscribe-resource.flow.js +123 -0
package/src/resource/flows/subscribe-resource.flow.js.map +1 -0
package/src/resource/flows/unsubscribe-resource.flow.d.ts +44 -0
package/src/resource/flows/unsubscribe-resource.flow.js +107 -0
package/src/resource/flows/unsubscribe-resource.flow.js.map +1 -0
package/src/resource/index.d.ts +8 -0
package/src/resource/index.js +20 -0
package/src/resource/index.js.map +1 -0
package/src/resource/resource.events.d.ts +24 -0
package/src/resource/resource.events.js +17 -0
package/src/resource/resource.events.js.map +1 -0
package/src/resource/resource.instance.d.ts +35 -0
package/src/resource/resource.instance.js +163 -0
package/src/resource/resource.instance.js.map +1 -0
package/src/resource/resource.registry.d.ts +106 -12
package/src/resource/resource.registry.js +449 -13
package/src/resource/resource.registry.js.map +1 -1
package/src/resource/resource.types.d.ts +35 -0
package/src/resource/resource.types.js +11 -0
package/src/resource/resource.types.js.map +1 -0
package/src/resource/resource.utils.d.ts +30 -0
package/src/resource/resource.utils.js +151 -0
package/src/resource/resource.utils.js.map +1 -0
package/src/scope/flows/http.request.flow.d.ts +48 -330
package/src/scope/flows/http.request.flow.js +306 -78
package/src/scope/flows/http.request.flow.js.map +1 -1
package/src/scope/scope.instance.d.ts +12 -0
package/src/scope/scope.instance.js +145 -15
package/src/scope/scope.instance.js.map +1 -1
package/src/tool/flows/call-tool.flow.d.ts +64 -1110
package/src/tool/flows/call-tool.flow.js +303 -15
package/src/tool/flows/call-tool.flow.js.map +1 -1
package/src/tool/flows/tools-list.flow.d.ts +32 -473
package/src/tool/flows/tools-list.flow.js +111 -10
package/src/tool/flows/tools-list.flow.js.map +1 -1
package/src/tool/tool.events.d.ts +8 -1
package/src/tool/tool.events.js.map +1 -1
package/src/tool/tool.instance.d.ts +3 -1
package/src/tool/tool.instance.js +17 -3
package/src/tool/tool.instance.js.map +1 -1
package/src/tool/tool.registry.d.ts +7 -1
package/src/tool/tool.registry.js +26 -10
package/src/tool/tool.registry.js.map +1 -1
package/src/tool/tool.types.d.ts +4 -4
package/src/tool/tool.types.js.map +1 -1
package/src/tool/tool.utils.d.ts +3 -12
package/src/tool/tool.utils.js +39 -193
package/src/tool/tool.utils.js.map +1 -1
package/src/tool/ui/index.d.ts +22 -0
package/src/tool/ui/index.js +63 -0
package/src/tool/ui/index.js.map +1 -0
package/src/tool/ui/platform-adapters.d.ts +10 -0
package/src/tool/ui/platform-adapters.js +18 -0
package/src/tool/ui/platform-adapters.js.map +1 -0
package/src/tool/ui/template-helpers.d.ts +46 -0
package/src/tool/ui/template-helpers.js +112 -0
package/src/tool/ui/template-helpers.js.map +1 -0
package/src/tool/ui/ui-resource-template.d.ts +34 -0
package/src/tool/ui/ui-resource-template.js +64 -0
package/src/tool/ui/ui-resource-template.js.map +1 -0
package/src/tool/ui/ui-resource.handler.d.ts +74 -0
package/src/tool/ui/ui-resource.handler.js +129 -0
package/src/tool/ui/ui-resource.handler.js.map +1 -0
package/src/transport/adapters/transport.local.adapter.d.ts +2 -2
package/src/transport/adapters/transport.local.adapter.js +28 -7
package/src/transport/adapters/transport.local.adapter.js.map +1 -1
package/src/transport/adapters/transport.sse.adapter.d.ts +2 -2
package/src/transport/adapters/transport.sse.adapter.js +4 -3
package/src/transport/adapters/transport.sse.adapter.js.map +1 -1
package/src/transport/adapters/transport.streamable-http.adapter.d.ts +10 -3
package/src/transport/adapters/transport.streamable-http.adapter.js +54 -8
package/src/transport/adapters/transport.streamable-http.adapter.js.map +1 -1
package/src/transport/flows/handle.sse.flow.d.ts +29 -63
package/src/transport/flows/handle.sse.flow.js +78 -10
package/src/transport/flows/handle.sse.flow.js.map +1 -1
package/src/transport/flows/handle.stateless-http.flow.d.ts +29 -0
package/src/transport/flows/handle.stateless-http.flow.js +102 -0
package/src/transport/flows/handle.stateless-http.flow.js.map +1 -0
package/src/transport/flows/handle.streamable-http.flow.d.ts +32 -64
package/src/transport/flows/handle.streamable-http.flow.js +158 -26
package/src/transport/flows/handle.streamable-http.flow.js.map +1 -1
package/src/transport/legacy/legacy.sse.tranporter.d.ts +9 -0
package/src/transport/legacy/legacy.sse.tranporter.js +17 -2
package/src/transport/legacy/legacy.sse.tranporter.js.map +1 -1
package/src/transport/mcp-handlers/call-tool-request.handler.js +27 -1
package/src/transport/mcp-handlers/call-tool-request.handler.js.map +1 -1
package/src/transport/mcp-handlers/complete-request.handler.d.ts +69 -0
package/src/transport/mcp-handlers/complete-request.handler.js +11 -0
package/src/transport/mcp-handlers/complete-request.handler.js.map +1 -0
package/src/transport/mcp-handlers/get-prompt-request.handler.d.ts +87 -0
package/src/transport/mcp-handlers/get-prompt-request.handler.js +11 -0
package/src/transport/mcp-handlers/get-prompt-request.handler.js.map +1 -0
package/src/transport/mcp-handlers/index.d.ts +517 -208
package/src/transport/mcp-handlers/index.js +39 -2
package/src/transport/mcp-handlers/index.js.map +1 -1
package/src/transport/mcp-handlers/initialize-request.handler.d.ts +1 -1
package/src/transport/mcp-handlers/initialize-request.handler.js +73 -7
package/src/transport/mcp-handlers/initialize-request.handler.js.map +1 -1
package/src/transport/mcp-handlers/list-prompts-request.handler.d.ts +54 -0
package/src/transport/mcp-handlers/list-prompts-request.handler.js +11 -0
package/src/transport/mcp-handlers/list-prompts-request.handler.js.map +1 -0
package/src/transport/mcp-handlers/list-resource-templates-request.handler.d.ts +51 -0
package/src/transport/mcp-handlers/list-resource-templates-request.handler.js +12 -0
package/src/transport/mcp-handlers/list-resource-templates-request.handler.js.map +1 -0
package/src/transport/mcp-handlers/list-resources-request.handler.d.ts +51 -0
package/src/transport/mcp-handlers/list-resources-request.handler.js +12 -0
package/src/transport/mcp-handlers/list-resources-request.handler.js.map +1 -0
package/src/transport/mcp-handlers/list-tools-request.handler.d.ts +19 -146
package/src/transport/mcp-handlers/logging-set-level-request.handler.d.ts +46 -0
package/src/transport/mcp-handlers/logging-set-level-request.handler.js +34 -0
package/src/transport/mcp-handlers/logging-set-level-request.handler.js.map +1 -0
package/src/transport/mcp-handlers/mcp-handlers.types.d.ts +3 -7
package/src/transport/mcp-handlers/mcp-handlers.types.js.map +1 -1
package/src/transport/mcp-handlers/read-resource-request.handler.d.ts +46 -0
package/src/transport/mcp-handlers/read-resource-request.handler.js +12 -0
package/src/transport/mcp-handlers/read-resource-request.handler.js.map +1 -0
package/src/transport/mcp-handlers/roots-list-changed-notification.handler.d.ts +11 -0
package/src/transport/mcp-handlers/roots-list-changed-notification.handler.js +26 -0
package/src/transport/mcp-handlers/roots-list-changed-notification.handler.js.map +1 -0
package/src/transport/mcp-handlers/subscribe-request.handler.d.ts +37 -0
package/src/transport/mcp-handlers/subscribe-request.handler.js +34 -0
package/src/transport/mcp-handlers/subscribe-request.handler.js.map +1 -0
package/src/transport/mcp-handlers/unsubscribe-request.handler.d.ts +37 -0
package/src/transport/mcp-handlers/unsubscribe-request.handler.js +34 -0
package/src/transport/mcp-handlers/unsubscribe-request.handler.js.map +1 -0
package/src/transport/transport.local.js +7 -2
package/src/transport/transport.local.js.map +1 -1
package/src/transport/transport.registry.d.ts +30 -0
package/src/transport/transport.registry.js +84 -1
package/src/transport/transport.registry.js.map +1 -1
package/src/transport/transport.types.d.ts +3 -3
package/src/transport/transport.types.js.map +1 -1
package/src/utils/content.utils.d.ts +48 -0
package/src/utils/content.utils.js +194 -0
package/src/utils/content.utils.js.map +1 -0
package/src/utils/index.d.ts +8 -0
package/src/utils/index.js +55 -0
package/src/utils/index.js.map +1 -0
package/src/utils/lineage.utils.d.ts +40 -0
package/src/utils/lineage.utils.js +82 -0
package/src/utils/lineage.utils.js.map +1 -0
package/src/utils/naming.utils.d.ts +46 -0
package/src/utils/naming.utils.js +136 -0
package/src/utils/naming.utils.js.map +1 -0
package/src/utils/types.utils.d.ts +2 -2
package/src/utils/types.utils.js.map +1 -1
package/src/utils/uri-template.utils.d.ts +57 -0
package/src/utils/uri-template.utils.js +113 -0
package/src/utils/uri-template.utils.js.map +1 -0
package/src/utils/uri-validation.utils.d.ts +40 -0
package/src/utils/uri-validation.utils.js +76 -0
package/src/utils/uri-validation.utils.js.map +1 -0
package/src/__test-utils__/fixtures/hook.fixtures.d.ts +0 -46
package/src/__test-utils__/fixtures/hook.fixtures.js +0 -114
package/src/__test-utils__/fixtures/hook.fixtures.js.map +0 -1
package/src/__test-utils__/fixtures/index.d.ts +0 -7
package/src/__test-utils__/fixtures/index.js +0 -11
package/src/__test-utils__/fixtures/index.js.map +0 -1
package/src/__test-utils__/fixtures/plugin.fixtures.d.ts +0 -46
package/src/__test-utils__/fixtures/plugin.fixtures.js +0 -127
package/src/__test-utils__/fixtures/plugin.fixtures.js.map +0 -1
package/src/__test-utils__/fixtures/provider.fixtures.d.ts +0 -69
package/src/__test-utils__/fixtures/provider.fixtures.js +0 -131
package/src/__test-utils__/fixtures/provider.fixtures.js.map +0 -1
package/src/__test-utils__/fixtures/scope.fixtures.d.ts +0 -14
package/src/__test-utils__/fixtures/scope.fixtures.js +0 -59
package/src/__test-utils__/fixtures/scope.fixtures.js.map +0 -1
package/src/__test-utils__/fixtures/tool.fixtures.d.ts +0 -36
package/src/__test-utils__/fixtures/tool.fixtures.js +0 -91
package/src/__test-utils__/fixtures/tool.fixtures.js.map +0 -1
package/src/__test-utils__/helpers/assertion.helpers.d.ts +0 -45
package/src/__test-utils__/helpers/assertion.helpers.js +0 -153
package/src/__test-utils__/helpers/assertion.helpers.js.map +0 -1
package/src/__test-utils__/helpers/async.helpers.d.ts +0 -48
package/src/__test-utils__/helpers/async.helpers.js +0 -112
package/src/__test-utils__/helpers/async.helpers.js.map +0 -1
package/src/__test-utils__/helpers/index.d.ts +0 -6
package/src/__test-utils__/helpers/index.js +0 -10
package/src/__test-utils__/helpers/index.js.map +0 -1
package/src/__test-utils__/helpers/setup.helpers.d.ts +0 -54
package/src/__test-utils__/helpers/setup.helpers.js +0 -106
package/src/__test-utils__/helpers/setup.helpers.js.map +0 -1
package/src/__test-utils__/index.d.ts +0 -9
package/src/__test-utils__/index.js +0 -14
package/src/__test-utils__/index.js.map +0 -1
package/src/__test-utils__/mocks/flow-instance.mock.d.ts +0 -50
package/src/__test-utils__/mocks/flow-instance.mock.js +0 -72
package/src/__test-utils__/mocks/flow-instance.mock.js.map +0 -1
package/src/__test-utils__/mocks/hook-registry.mock.d.ts +0 -25
package/src/__test-utils__/mocks/hook-registry.mock.js +0 -65
package/src/__test-utils__/mocks/hook-registry.mock.js.map +0 -1
package/src/__test-utils__/mocks/index.d.ts +0 -8
package/src/__test-utils__/mocks/index.js +0 -12
package/src/__test-utils__/mocks/index.js.map +0 -1
package/src/__test-utils__/mocks/plugin-registry.mock.d.ts +0 -43
package/src/__test-utils__/mocks/plugin-registry.mock.js +0 -70
package/src/__test-utils__/mocks/plugin-registry.mock.js.map +0 -1
package/src/__test-utils__/mocks/provider-registry.mock.d.ts +0 -39
package/src/__test-utils__/mocks/provider-registry.mock.js +0 -72
package/src/__test-utils__/mocks/provider-registry.mock.js.map +0 -1
package/src/__test-utils__/mocks/tool-registry.mock.d.ts +0 -43
package/src/__test-utils__/mocks/tool-registry.mock.js +0 -79
package/src/__test-utils__/mocks/tool-registry.mock.js.map +0 -1
package/src/auth/path.utils.d.ts +0 -20
package/src/auth/path.utils.js +0 -71
package/src/auth/path.utils.js.map +0 -1
package/src/common/decorators-old/async-with.decorator.d.ts +0 -10
package/src/common/decorators-old/async-with.decorator.js +0 -24
package/src/common/decorators-old/async-with.decorator.js.map +0 -1
package/src/common/decorators-old/auth-hook.decorator.d.ts +0 -14
package/src/common/decorators-old/auth-hook.decorator.js +0 -27
package/src/common/decorators-old/auth-hook.decorator.js.map +0 -1
package/src/common/decorators-old/session-hook.decorator.d.ts +0 -14
package/src/common/decorators-old/session-hook.decorator.js +0 -27
package/src/common/decorators-old/session-hook.decorator.js.map +0 -1

package/src/auth/authorization/orchestrated.authorization.js ADDED Viewed

@@ -0,0 +1,306 @@
+"use strict";
+// auth/authorization/orchestrated.authorization.ts
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OrchestratedAuthorization = void 0;
+const crypto_1 = require("crypto");
+const authorization_class_1 = require("./authorization.class");
+/**
+ * OrchestratedAuthorization - Local auth server with secure token storage
+ *
+ * In orchestrated mode:
+ * - The MCP server acts as an OAuth client to upstream providers
+ * - Provider tokens are encrypted and never exposed to the LLM
+ * - Supports token refresh and multi-provider scenarios
+ * - getToken() retrieves decrypted tokens from secure storage
+ * - Ideal for multi-tenant, federated auth, or high-security scenarios
+ */
+class OrchestratedAuthorization extends authorization_class_1.AuthorizationBase {
+    mode = 'orchestrated';
+    /**
+     * Primary provider ID (default for getToken)
+     */
+    primaryProviderId;
+    /**
+     * Token store for secure token retrieval
+     */
+    #tokenStore;
+    /**
+     * Token refresh callback
+     */
+    #onTokenRefresh;
+    /**
+     * Provider states (encrypted tokens)
+     */
+    #providerStates;
+    constructor(ctx) {
+        super(ctx);
+        this.primaryProviderId = ctx.primaryProviderId;
+        this.#tokenStore = ctx.tokenStore;
+        this.#onTokenRefresh = ctx.onTokenRefresh;
+        this.#providerStates = ctx.providerStates ?? new Map();
+    }
+    /**
+     * Create an OrchestratedAuthorization
+     *
+     * @param ctx - Creation context
+     * @returns A new OrchestratedAuthorization instance
+     *
+     * @example
+     * ```typescript
+     * const auth = OrchestratedAuthorization.create({
+     *   token: localJwt,
+     *   user: { sub: 'user123', name: 'John' },
+     *   primaryProviderId: 'github',
+     *   tokenStore: redisTokenStore,
+     *   providers: {
+     *     github: { id: 'github', secretRefId: 'vault:github:user123' },
+     *   },
+     * });
+     *
+     * // Retrieve token securely (never exposed to LLM)
+     * const githubToken = await auth.getToken('github');
+     * ```
+     */
+    static create(ctx) {
+        const { token, user, scopes = [], claims, expiresAt, primaryProviderId, tokenStore, onTokenRefresh, providers = {}, ...projections } = ctx;
+        // Generate authorization ID from token
+        const id = OrchestratedAuthorization.generateAuthorizationId(token);
+        // Build provider states map
+        const providerStates = new Map();
+        const authorizedProviders = {};
+        const authorizedProviderIds = [];
+        for (const [providerId, state] of Object.entries(providers)) {
+            providerStates.set(providerId, state);
+            authorizedProviderIds.push(providerId);
+            // Create snapshot without exposing tokens
+            authorizedProviders[providerId] = {
+                id: providerId,
+                exp: state.expiresAt,
+                embedMode: state.secretRefId ? 'ref' : 'store-only',
+                secretRefId: state.secretRefId,
+                refreshRefId: state.refreshRefId,
+            };
+        }
+        return new OrchestratedAuthorization({
+            id,
+            isAnonymous: false,
+            user,
+            claims,
+            expiresAt,
+            scopes,
+            token,
+            primaryProviderId,
+            tokenStore,
+            onTokenRefresh,
+            providerStates,
+            authorizedProviders,
+            authorizedProviderIds,
+            ...projections,
+        });
+    }
+    /**
+     * Get access token for a provider
+     *
+     * Retrieves the decrypted token from the secure store.
+     * If the token is expired and refresh is available, attempts refresh.
+     *
+     * @param providerId - Provider ID (defaults to primaryProviderId)
+     * @returns The decrypted access token
+     * @throws If no token store or no token available
+     */
+    async getToken(providerId) {
+        const targetProviderId = providerId ?? this.primaryProviderId;
+        if (!targetProviderId) {
+            throw new Error('OrchestratedAuthorization: No provider ID specified and no primary provider set');
+        }
+        if (!this.#tokenStore) {
+            throw new Error('OrchestratedAuthorization: Token store not configured. ' +
+                'Orchestrated mode requires a token store for secure token retrieval.');
+        }
+        // Check if token exists
+        const hasToken = await this.#tokenStore.hasTokens(this.id, targetProviderId);
+        if (!hasToken) {
+            throw new Error(`OrchestratedAuthorization: No tokens available for provider "${targetProviderId}"`);
+        }
+        // Get access token
+        const accessToken = await this.#tokenStore.getAccessToken(this.id, targetProviderId);
+        if (accessToken) {
+            // Check if token needs refresh
+            const providerState = this.#providerStates.get(targetProviderId);
+            if (providerState?.expiresAt && providerState.expiresAt < Date.now()) {
+                return this.refreshAndGetToken(targetProviderId);
+            }
+            return accessToken;
+        }
+        // Try to refresh if we have a refresh token
+        return this.refreshAndGetToken(targetProviderId);
+    }
+    /**
+     * Refresh token and return new access token
+     */
+    async refreshAndGetToken(providerId) {
+        if (!this.#tokenStore || !this.#onTokenRefresh) {
+            throw new Error(`OrchestratedAuthorization: Token expired for provider "${providerId}" and refresh not available`);
+        }
+        const refreshToken = await this.#tokenStore.getRefreshToken(this.id, providerId);
+        if (!refreshToken) {
+            throw new Error(`OrchestratedAuthorization: No refresh token available for provider "${providerId}"`);
+        }
+        // Perform refresh
+        const result = await this.#onTokenRefresh(providerId, refreshToken);
+        // Store new tokens
+        await this.#tokenStore.storeTokens(this.id, providerId, {
+            accessToken: result.accessToken,
+            refreshToken: result.refreshToken,
+            expiresAt: result.expiresIn ? Date.now() + result.expiresIn * 1000 : undefined,
+        });
+        // Update provider state
+        const currentState = this.#providerStates.get(providerId);
+        if (currentState) {
+            currentState.expiresAt = result.expiresIn ? Date.now() + result.expiresIn * 1000 : undefined;
+        }
+        return result.accessToken;
+    }
+    /**
+     * Generate authorization ID from token
+     */
+    static generateAuthorizationId(token) {
+        const parts = token.split('.');
+        const signature = parts[2] || token;
+        return (0, crypto_1.createHash)('sha256').update(signature).digest('hex').substring(0, 16);
+    }
+    /**
+     * Check if a provider has tokens stored
+     */
+    hasProvider(providerId) {
+        return this.#providerStates.has(providerId);
+    }
+    /**
+     * Get all provider IDs with tokens
+     */
+    getProviderIds() {
+        return Array.from(this.#providerStates.keys());
+    }
+    /**
+     * Add a new provider to this authorization
+     * Used when user authorizes additional providers after initial auth
+     */
+    async addProvider(providerId, tokens) {
+        if (!this.#tokenStore) {
+            throw new Error('OrchestratedAuthorization: Token store required to add providers');
+        }
+        const expiresAt = tokens.expiresIn ? Date.now() + tokens.expiresIn * 1000 : undefined;
+        // Store tokens
+        await this.#tokenStore.storeTokens(this.id, providerId, {
+            accessToken: tokens.accessToken,
+            refreshToken: tokens.refreshToken,
+            expiresAt,
+        });
+        // Update internal state
+        this.#providerStates.set(providerId, {
+            id: providerId,
+            expiresAt,
+            secretRefId: `${this.id}:${providerId}`,
+        });
+        // Note: authorizedProviders/authorizedProviderIds are readonly
+        // The caller should create a new authorization if these need to be updated
+    }
+    // ============================================
+    // Progressive/Incremental Authorization
+    // ============================================
+    /**
+     * Mutable app authorization state for progressive auth.
+     * This allows expanding authorization without reissuing the session token.
+     */
+    #mutableAuthorizedApps = new Map(Object.entries(this.authorizedApps ?? {}));
+    /**
+     * Add app authorization after initial auth (progressive authorization).
+     * Stores app tokens server-side and updates authorized apps without JWT reissue.
+     *
+     * @param appId - App ID to authorize
+     * @param toolIds - Tool IDs accessible through this app authorization
+     * @param tokens - OAuth tokens from the app's auth provider
+     *
+     * @example
+     * ```typescript
+     * // User clicks auth link for Slack app
+     * await auth.addAppAuthorization('slack', ['slack:send_message', 'slack:list_channels'], {
+     *   accessToken: slackAccessToken,
+     *   refreshToken: slackRefreshToken,
+     *   expiresIn: 3600,
+     * });
+     *
+     * // Now slack tools will work without re-auth
+     * ```
+     */
+    async addAppAuthorization(appId, toolIds, tokens) {
+        if (!this.#tokenStore) {
+            throw new Error('OrchestratedAuthorization: Token store required for progressive authorization');
+        }
+        // Use app ID as provider ID for app-specific token storage
+        const providerId = `app:${appId}`;
+        // Store tokens server-side (SECURITY: never expose in JWT)
+        await this.addProvider(providerId, tokens);
+        // Track app authorization in mutable state
+        this.#mutableAuthorizedApps.set(appId, { id: appId, toolIds });
+    }
+    /**
+     * Get access token for a specific app (for tool execution).
+     * Retrieves the app's OAuth token from server-side storage.
+     *
+     * @param appId - App ID to get token for
+     * @returns The decrypted access token, or null if not authorized
+     */
+    async getAppToken(appId) {
+        if (!this.#mutableAuthorizedApps.has(appId)) {
+            return null;
+        }
+        const providerId = `app:${appId}`;
+        try {
+            return await this.getToken(providerId);
+        }
+        catch {
+            return null;
+        }
+    }
+    /**
+     * Check if an app is authorized (includes progressively authorized apps).
+     * Overrides base class to include mutable app authorization state.
+     */
+    isAppAuthorized(appId) {
+        return this.#mutableAuthorizedApps.has(appId) || super.isAppAuthorized(appId);
+    }
+    /**
+     * Get all authorized app IDs (includes progressively authorized apps).
+     */
+    getAllAuthorizedAppIds() {
+        const baseIds = new Set(this.authorizedAppIds ?? []);
+        for (const appId of this.#mutableAuthorizedApps.keys()) {
+            baseIds.add(appId);
+        }
+        return Array.from(baseIds);
+    }
+    /**
+     * Get tool IDs authorized through an app.
+     */
+    getAppToolIds(appId) {
+        return this.#mutableAuthorizedApps.get(appId)?.toolIds ?? this.authorizedApps?.[appId]?.toolIds;
+    }
+    /**
+     * Remove a provider from this authorization
+     */
+    async removeProvider(providerId) {
+        if (this.#tokenStore) {
+            await this.#tokenStore.deleteTokens(this.id, providerId);
+        }
+        this.#providerStates.delete(providerId);
+    }
+    /**
+     * Get the issuer (local orchestrator)
+     */
+    get issuer() {
+        return this.claims?.['iss'];
+    }
+}
+exports.OrchestratedAuthorization = OrchestratedAuthorization;
+//# sourceMappingURL=orchestrated.authorization.js.map

package/src/auth/authorization/orchestrated.authorization.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"orchestrated.authorization.js","sourceRoot":"","sources":["../../../../src/auth/authorization/orchestrated.authorization.ts"],"names":[],"mappings":";AAAA,mDAAmD;;;AAEnD,mCAAoC;AACpC,+DAA0D;AAwI1D;;;;;;;;;GASG;AACH,MAAa,yBAA0B,SAAQ,uCAAiB;IACrD,IAAI,GAAa,cAAc,CAAC;IAEzC;;OAEG;IACM,iBAAiB,CAAU;IAEpC;;OAEG;IACM,WAAW,CAAc;IAElC;;OAEG;IACM,eAAe,CAAwB;IAEhD;;OAEG;IACM,eAAe,CAAyC;IAEjE,YACE,GAKC;QAED,KAAK,CAAC,GAAG,CAAC,CAAC;QACX,IAAI,CAAC,iBAAiB,GAAG,GAAG,CAAC,iBAAiB,CAAC;QAC/C,IAAI,CAAC,WAAW,GAAG,GAAG,CAAC,UAAU,CAAC;QAClC,IAAI,CAAC,eAAe,GAAG,GAAG,CAAC,cAAc,CAAC;QAC1C,IAAI,CAAC,eAAe,GAAG,GAAG,CAAC,cAAc,IAAI,IAAI,GAAG,EAAE,CAAC;IACzD,CAAC;IAED;;;;;;;;;;;;;;;;;;;;;OAqBG;IACH,MAAM,CAAC,MAAM,CAAC,GAAuC;QACnD,MAAM,EACJ,KAAK,EACL,IAAI,EACJ,MAAM,GAAG,EAAE,EACX,MAAM,EACN,SAAS,EACT,iBAAiB,EACjB,UAAU,EACV,cAAc,EACd,SAAS,GAAG,EAAE,EACd,GAAG,WAAW,EACf,GAAG,GAAG,CAAC;QAER,uCAAuC;QACvC,MAAM,EAAE,GAAG,yBAAyB,CAAC,uBAAuB,CAAC,KAAK,CAAC,CAAC;QAEpE,4BAA4B;QAC5B,MAAM,cAAc,GAAG,IAAI,GAAG,EAAqC,CAAC;QACpE,MAAM,mBAAmB,GAAqC,EAAE,CAAC;QACjE,MAAM,qBAAqB,GAAa,EAAE,CAAC;QAE3C,KAAK,MAAM,CAAC,UAAU,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE,CAAC;YAC5D,cAAc,CAAC,GAAG,CAAC,UAAU,EAAE,KAAK,CAAC,CAAC;YACtC,qBAAqB,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;YAEvC,0CAA0C;YAC1C,mBAAmB,CAAC,UAAU,CAAC,GAAG;gBAChC,EAAE,EAAE,UAAU;gBACd,GAAG,EAAE,KAAK,CAAC,SAAS;gBACpB,SAAS,EAAE,KAAK,CAAC,WAAW,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,YAAY;gBACnD,WAAW,EAAE,KAAK,CAAC,WAAW;gBAC9B,YAAY,EAAE,KAAK,CAAC,YAAY;aACjC,CAAC;QACJ,CAAC;QAED,OAAO,IAAI,yBAAyB,CAAC;YACnC,EAAE;YACF,WAAW,EAAE,KAAK;YAClB,IAAI;YACJ,MAAM;YACN,SAAS;YACT,MAAM;YACN,KAAK;YACL,iBAAiB;YACjB,UAAU;YACV,cAAc;YACd,cAAc;YACd,mBAAmB;YACnB,qBAAqB;YACrB,GAAG,WAAW;SACf,CAAC,CAAC;IACL,CAAC;IAED;;;;;;;;;OASG;IACH,KAAK,CAAC,QAAQ,CAAC,UAAmB;QAChC,MAAM,gBAAgB,GAAG,UAAU,IAAI,IAAI,CAAC,iBAAiB,CAAC;QAE9D,IAAI,CAAC,gBAAgB,EAAE,CAAC;YACtB,MAAM,IAAI,KAAK,CAAC,iFAAiF,CAAC,CAAC;QACrG,CAAC;QAED,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;YACtB,MAAM,IAAI,KAAK,CACb,yDAAyD;gBACvD,sEAAsE,CACzE,CAAC;QACJ,CAAC;QAED,wBAAwB;QACxB,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE,EAAE,gBAAgB,CAAC,CAAC;QAC7E,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,IAAI,KAAK,CAAC,gEAAgE,gBAAgB,GAAG,CAAC,CAAC;QACvG,CAAC;QAED,mBAAmB;QACnB,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,cAAc,CAAC,IAAI,CAAC,EAAE,EAAE,gBAAgB,CAAC,CAAC;QAErF,IAAI,WAAW,EAAE,CAAC;YAChB,+BAA+B;YAC/B,MAAM,aAAa,GAAG,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC;YACjE,IAAI,aAAa,EAAE,SAAS,IAAI,aAAa,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;gBACrE,OAAO,IAAI,CAAC,kBAAkB,CAAC,gBAAgB,CAAC,CAAC;YACnD,CAAC;YACD,OAAO,WAAW,CAAC;QACrB,CAAC;QAED,4CAA4C;QAC5C,OAAO,IAAI,CAAC,kBAAkB,CAAC,gBAAgB,CAAC,CAAC;IACnD,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,kBAAkB,CAAC,UAAkB;QACjD,IAAI,CAAC,IAAI,CAAC,WAAW,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE,CAAC;YAC/C,MAAM,IAAI,KAAK,CACb,0DAA0D,UAAU,6BAA6B,CAClG,CAAC;QACJ,CAAC;QAED,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,eAAe,CAAC,IAAI,CAAC,EAAE,EAAE,UAAU,CAAC,CAAC;QACjF,IAAI,CAAC,YAAY,EAAE,CAAC;YAClB,MAAM,IAAI,KAAK,CAAC,uEAAuE,UAAU,GAAG,CAAC,CAAC;QACxG,CAAC;QAED,kBAAkB;QAClB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,UAAU,EAAE,YAAY,CAAC,CAAC;QAEpE,mBAAmB;QACnB,MAAM,IAAI,CAAC,WAAW,CAAC,WAAW,CAAC,IAAI,CAAC,EAAE,EAAE,UAAU,EAAE;YACtD,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,YAAY,EAAE,MAAM,CAAC,YAAY;YACjC,SAAS,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,SAAS,GAAG,IAAI,CAAC,CAAC,CAAC,SAAS;SAC/E,CAAC,CAAC;QAEH,wBAAwB;QACxB,MAAM,YAAY,GAAG,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;QAC1D,IAAI,YAAY,EAAE,CAAC;YACjB,YAAY,CAAC,SAAS,GAAG,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,SAAS,GAAG,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC;QAC/F,CAAC;QAED,OAAO,MAAM,CAAC,WAAW,CAAC;IAC5B,CAAC;IAED;;OAEG;IACK,MAAM,CAAC,uBAAuB,CAAC,KAAa;QAClD,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC/B,MAAM,SAAS,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC;QACpC,OAAO,IAAA,mBAAU,EAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAC/E,CAAC;IAED;;OAEG;IACH,WAAW,CAAC,UAAkB;QAC5B,OAAO,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IAC9C,CAAC;IAED;;OAEG;IACH,cAAc;QACZ,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,eAAe,CAAC,IAAI,EAAE,CAAC,CAAC;IACjD,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,WAAW,CACf,UAAkB,EAClB,MAIC;QAED,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;YACtB,MAAM,IAAI,KAAK,CAAC,kEAAkE,CAAC,CAAC;QACtF,CAAC;QAED,MAAM,SAAS,GAAG,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,SAAS,GAAG,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC;QAEtF,eAAe;QACf,MAAM,IAAI,CAAC,WAAW,CAAC,WAAW,CAAC,IAAI,CAAC,EAAE,EAAE,UAAU,EAAE;YACtD,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,YAAY,EAAE,MAAM,CAAC,YAAY;YACjC,SAAS;SACV,CAAC,CAAC;QAEH,wBAAwB;QACxB,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,UAAU,EAAE;YACnC,EAAE,EAAE,UAAU;YACd,SAAS;YACT,WAAW,EAAE,GAAG,IAAI,CAAC,EAAE,IAAI,UAAU,EAAE;SACxC,CAAC,CAAC;QAEH,+DAA+D;QAC/D,2EAA2E;IAC7E,CAAC;IAED,+CAA+C;IAC/C,wCAAwC;IACxC,+CAA+C;IAE/C;;;OAGG;IACH,sBAAsB,GAAmD,IAAI,GAAG,CAC9E,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,cAAc,IAAI,EAAE,CAAC,CAC1C,CAAC;IAEF;;;;;;;;;;;;;;;;;;;OAmBG;IACH,KAAK,CAAC,mBAAmB,CACvB,KAAa,EACb,OAAiB,EACjB,MAIC;QAED,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;YACtB,MAAM,IAAI,KAAK,CAAC,+EAA+E,CAAC,CAAC;QACnG,CAAC;QAED,2DAA2D;QAC3D,MAAM,UAAU,GAAG,OAAO,KAAK,EAAE,CAAC;QAElC,2DAA2D;QAC3D,MAAM,IAAI,CAAC,WAAW,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;QAE3C,2CAA2C;QAC3C,IAAI,CAAC,sBAAsB,CAAC,GAAG,CAAC,KAAK,EAAE,EAAE,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAC;IACjE,CAAC;IAED;;;;;;OAMG;IACH,KAAK,CAAC,WAAW,CAAC,KAAa;QAC7B,IAAI,CAAC,IAAI,CAAC,sBAAsB,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;YAC5C,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,UAAU,GAAG,OAAO,KAAK,EAAE,CAAC;QAElC,IAAI,CAAC;YACH,OAAO,MAAM,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;QACzC,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED;;;OAGG;IACM,eAAe,CAAC,KAAa;QACpC,OAAO,IAAI,CAAC,sBAAsB,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;IAChF,CAAC;IAED;;OAEG;IACH,sBAAsB;QACpB,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,gBAAgB,IAAI,EAAE,CAAC,CAAC;QACrD,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,sBAAsB,CAAC,IAAI,EAAE,EAAE,CAAC;YACvD,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QACrB,CAAC;QACD,OAAO,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC7B,CAAC;IAED;;OAEG;IACH,aAAa,CAAC,KAAa;QACzB,OAAO,IAAI,CAAC,sBAAsB,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,OAAO,IAAI,IAAI,CAAC,cAAc,EAAE,CAAC,KAAK,CAAC,EAAE,OAAO,CAAC;IAClG,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,cAAc,CAAC,UAAkB;QACrC,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;YACrB,MAAM,IAAI,CAAC,WAAW,CAAC,YAAY,CAAC,IAAI,CAAC,EAAE,EAAE,UAAU,CAAC,CAAC;QAC3D,CAAC;QACD,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;IAC1C,CAAC;IAED;;OAEG;IACH,IAAI,MAAM;QACR,OAAO,IAAI,CAAC,MAAM,EAAE,CAAC,KAAK,CAAuB,CAAC;IACpD,CAAC;CACF;AAnXD,8DAmXC","sourcesContent":["// auth/authorization/orchestrated.authorization.ts\n\nimport { createHash } from 'crypto';\nimport { AuthorizationBase } from './authorization.class';\nimport { AuthorizationCreateCtx, AuthUser } from './authorization.types';\nimport { ProviderSnapshot } from '../session/session.types';\nimport { EncryptedBlob } from '../session';\nimport { AuthMode } from '../../common';\n\n/**\n * Token store interface for orchestrated mode\n * Implementations can be memory-based, Redis, or custom stores\n */\nexport interface TokenStore {\n /**\n * Retrieve decrypted access token for a provider\n */\n getAccessToken(authorizationId: string, providerId: string): Promise<string | null>;\n\n /**\n * Retrieve decrypted refresh token for a provider\n */\n getRefreshToken(authorizationId: string, providerId: string): Promise<string | null>;\n\n /**\n * Store tokens for a provider (encrypted)\n */\n storeTokens(\n authorizationId: string,\n providerId: string,\n tokens: {\n accessToken: string;\n refreshToken?: string;\n expiresAt?: number;\n },\n ): Promise<void>;\n\n /**\n * Delete tokens for a provider\n */\n deleteTokens(authorizationId: string, providerId: string): Promise<void>;\n\n /**\n * Check if tokens exist for a provider\n */\n hasTokens(authorizationId: string, providerId: string): Promise<boolean>;\n}\n\n/**\n * Token refresh callback type\n */\nexport type TokenRefreshCallback = (\n providerId: string,\n refreshToken: string,\n) => Promise<{\n accessToken: string;\n refreshToken?: string;\n expiresIn?: number;\n}>;\n\n/**\n * Provider token state for orchestrated authorization\n */\nexport interface OrchestratedProviderState {\n /** Provider ID */\n id: string;\n /** Encrypted access token blob */\n accessTokenEnc?: EncryptedBlob;\n /** Encrypted refresh token blob */\n refreshTokenEnc?: EncryptedBlob;\n /** Token expiration (epoch ms) */\n expiresAt?: number;\n /** External reference ID (for vault/store) */\n secretRefId?: string;\n /** Refresh reference ID */\n refreshRefId?: string;\n}\n\n/**\n * Context for creating an OrchestratedAuthorization\n */\nexport interface OrchestratedAuthorizationCreateCtx {\n /**\n * The local JWT issued by the orchestrating server\n */\n token: string;\n\n /**\n * User identity from upstream provider\n */\n user: AuthUser;\n\n /**\n * Scopes granted to this authorization\n */\n scopes?: string[];\n\n /**\n * JWT claims\n */\n claims?: Record<string, unknown>;\n\n /**\n * Expiration (epoch ms)\n */\n expiresAt?: number;\n\n /**\n * Primary provider ID (default for getToken)\n */\n primaryProviderId?: string;\n\n /**\n * Token store for retrieving/storing provider tokens\n */\n tokenStore?: TokenStore;\n\n /**\n * Token refresh callback\n */\n onTokenRefresh?: TokenRefreshCallback;\n\n /**\n * Provider states (with encrypted tokens)\n */\n providers?: Record<string, OrchestratedProviderState>;\n\n /**\n * Precomputed authorization projections\n */\n authorizedTools?: AuthorizationCreateCtx['authorizedTools'];\n authorizedToolIds?: string[];\n authorizedPrompts?: AuthorizationCreateCtx['authorizedPrompts'];\n authorizedPromptIds?: string[];\n authorizedApps?: AuthorizationCreateCtx['authorizedApps'];\n authorizedAppIds?: string[];\n authorizedResources?: string[];\n}\n\n/**\n * OrchestratedAuthorization - Local auth server with secure token storage\n *\n * In orchestrated mode:\n * - The MCP server acts as an OAuth client to upstream providers\n * - Provider tokens are encrypted and never exposed to the LLM\n * - Supports token refresh and multi-provider scenarios\n * - getToken() retrieves decrypted tokens from secure storage\n * - Ideal for multi-tenant, federated auth, or high-security scenarios\n */\nexport class OrchestratedAuthorization extends AuthorizationBase {\n readonly mode: AuthMode = 'orchestrated';\n\n /**\n * Primary provider ID (default for getToken)\n */\n readonly primaryProviderId?: string;\n\n /**\n * Token store for secure token retrieval\n */\n readonly #tokenStore?: TokenStore;\n\n /**\n * Token refresh callback\n */\n readonly #onTokenRefresh?: TokenRefreshCallback;\n\n /**\n * Provider states (encrypted tokens)\n */\n readonly #providerStates: Map<string, OrchestratedProviderState>;\n\n private constructor(\n ctx: AuthorizationCreateCtx & {\n primaryProviderId?: string;\n tokenStore?: TokenStore;\n onTokenRefresh?: TokenRefreshCallback;\n providerStates?: Map<string, OrchestratedProviderState>;\n },\n ) {\n super(ctx);\n this.primaryProviderId = ctx.primaryProviderId;\n this.#tokenStore = ctx.tokenStore;\n this.#onTokenRefresh = ctx.onTokenRefresh;\n this.#providerStates = ctx.providerStates ?? new Map();\n }\n\n /**\n * Create an OrchestratedAuthorization\n *\n * @param ctx - Creation context\n * @returns A new OrchestratedAuthorization instance\n *\n * @example\n * ```typescript\n * const auth = OrchestratedAuthorization.create({\n * token: localJwt,\n * user: { sub: 'user123', name: 'John' },\n * primaryProviderId: 'github',\n * tokenStore: redisTokenStore,\n * providers: {\n * github: { id: 'github', secretRefId: 'vault:github:user123' },\n * },\n * });\n *\n * // Retrieve token securely (never exposed to LLM)\n * const githubToken = await auth.getToken('github');\n * ```\n */\n static create(ctx: OrchestratedAuthorizationCreateCtx): OrchestratedAuthorization {\n const {\n token,\n user,\n scopes = [],\n claims,\n expiresAt,\n primaryProviderId,\n tokenStore,\n onTokenRefresh,\n providers = {},\n ...projections\n } = ctx;\n\n // Generate authorization ID from token\n const id = OrchestratedAuthorization.generateAuthorizationId(token);\n\n // Build provider states map\n const providerStates = new Map<string, OrchestratedProviderState>();\n const authorizedProviders: Record<string, ProviderSnapshot> = {};\n const authorizedProviderIds: string[] = [];\n\n for (const [providerId, state] of Object.entries(providers)) {\n providerStates.set(providerId, state);\n authorizedProviderIds.push(providerId);\n\n // Create snapshot without exposing tokens\n authorizedProviders[providerId] = {\n id: providerId,\n exp: state.expiresAt,\n embedMode: state.secretRefId ? 'ref' : 'store-only',\n secretRefId: state.secretRefId,\n refreshRefId: state.refreshRefId,\n };\n }\n\n return new OrchestratedAuthorization({\n id,\n isAnonymous: false,\n user,\n claims,\n expiresAt,\n scopes,\n token,\n primaryProviderId,\n tokenStore,\n onTokenRefresh,\n providerStates,\n authorizedProviders,\n authorizedProviderIds,\n ...projections,\n });\n }\n\n /**\n * Get access token for a provider\n *\n * Retrieves the decrypted token from the secure store.\n * If the token is expired and refresh is available, attempts refresh.\n *\n * @param providerId - Provider ID (defaults to primaryProviderId)\n * @returns The decrypted access token\n * @throws If no token store or no token available\n */\n async getToken(providerId?: string): Promise<string> {\n const targetProviderId = providerId ?? this.primaryProviderId;\n\n if (!targetProviderId) {\n throw new Error('OrchestratedAuthorization: No provider ID specified and no primary provider set');\n }\n\n if (!this.#tokenStore) {\n throw new Error(\n 'OrchestratedAuthorization: Token store not configured. ' +\n 'Orchestrated mode requires a token store for secure token retrieval.',\n );\n }\n\n // Check if token exists\n const hasToken = await this.#tokenStore.hasTokens(this.id, targetProviderId);\n if (!hasToken) {\n throw new Error(`OrchestratedAuthorization: No tokens available for provider \"${targetProviderId}\"`);\n }\n\n // Get access token\n const accessToken = await this.#tokenStore.getAccessToken(this.id, targetProviderId);\n\n if (accessToken) {\n // Check if token needs refresh\n const providerState = this.#providerStates.get(targetProviderId);\n if (providerState?.expiresAt && providerState.expiresAt < Date.now()) {\n return this.refreshAndGetToken(targetProviderId);\n }\n return accessToken;\n }\n\n // Try to refresh if we have a refresh token\n return this.refreshAndGetToken(targetProviderId);\n }\n\n /**\n * Refresh token and return new access token\n */\n private async refreshAndGetToken(providerId: string): Promise<string> {\n if (!this.#tokenStore || !this.#onTokenRefresh) {\n throw new Error(\n `OrchestratedAuthorization: Token expired for provider \"${providerId}\" and refresh not available`,\n );\n }\n\n const refreshToken = await this.#tokenStore.getRefreshToken(this.id, providerId);\n if (!refreshToken) {\n throw new Error(`OrchestratedAuthorization: No refresh token available for provider \"${providerId}\"`);\n }\n\n // Perform refresh\n const result = await this.#onTokenRefresh(providerId, refreshToken);\n\n // Store new tokens\n await this.#tokenStore.storeTokens(this.id, providerId, {\n accessToken: result.accessToken,\n refreshToken: result.refreshToken,\n expiresAt: result.expiresIn ? Date.now() + result.expiresIn * 1000 : undefined,\n });\n\n // Update provider state\n const currentState = this.#providerStates.get(providerId);\n if (currentState) {\n currentState.expiresAt = result.expiresIn ? Date.now() + result.expiresIn * 1000 : undefined;\n }\n\n return result.accessToken;\n }\n\n /**\n * Generate authorization ID from token\n */\n private static generateAuthorizationId(token: string): string {\n const parts = token.split('.');\n const signature = parts[2] || token;\n return createHash('sha256').update(signature).digest('hex').substring(0, 16);\n }\n\n /**\n * Check if a provider has tokens stored\n */\n hasProvider(providerId: string): boolean {\n return this.#providerStates.has(providerId);\n }\n\n /**\n * Get all provider IDs with tokens\n */\n getProviderIds(): string[] {\n return Array.from(this.#providerStates.keys());\n }\n\n /**\n * Add a new provider to this authorization\n * Used when user authorizes additional providers after initial auth\n */\n async addProvider(\n providerId: string,\n tokens: {\n accessToken: string;\n refreshToken?: string;\n expiresIn?: number;\n },\n ): Promise<void> {\n if (!this.#tokenStore) {\n throw new Error('OrchestratedAuthorization: Token store required to add providers');\n }\n\n const expiresAt = tokens.expiresIn ? Date.now() + tokens.expiresIn * 1000 : undefined;\n\n // Store tokens\n await this.#tokenStore.storeTokens(this.id, providerId, {\n accessToken: tokens.accessToken,\n refreshToken: tokens.refreshToken,\n expiresAt,\n });\n\n // Update internal state\n this.#providerStates.set(providerId, {\n id: providerId,\n expiresAt,\n secretRefId: `${this.id}:${providerId}`,\n });\n\n // Note: authorizedProviders/authorizedProviderIds are readonly\n // The caller should create a new authorization if these need to be updated\n }\n\n // ============================================\n // Progressive/Incremental Authorization\n // ============================================\n\n /**\n * Mutable app authorization state for progressive auth.\n * This allows expanding authorization without reissuing the session token.\n */\n #mutableAuthorizedApps: Map<string, { id: string; toolIds: string[] }> = new Map(\n Object.entries(this.authorizedApps ?? {}),\n );\n\n /**\n * Add app authorization after initial auth (progressive authorization).\n * Stores app tokens server-side and updates authorized apps without JWT reissue.\n *\n * @param appId - App ID to authorize\n * @param toolIds - Tool IDs accessible through this app authorization\n * @param tokens - OAuth tokens from the app's auth provider\n *\n * @example\n * ```typescript\n * // User clicks auth link for Slack app\n * await auth.addAppAuthorization('slack', ['slack:send_message', 'slack:list_channels'], {\n * accessToken: slackAccessToken,\n * refreshToken: slackRefreshToken,\n * expiresIn: 3600,\n * });\n *\n * // Now slack tools will work without re-auth\n * ```\n */\n async addAppAuthorization(\n appId: string,\n toolIds: string[],\n tokens: {\n accessToken: string;\n refreshToken?: string;\n expiresIn?: number;\n },\n ): Promise<void> {\n if (!this.#tokenStore) {\n throw new Error('OrchestratedAuthorization: Token store required for progressive authorization');\n }\n\n // Use app ID as provider ID for app-specific token storage\n const providerId = `app:${appId}`;\n\n // Store tokens server-side (SECURITY: never expose in JWT)\n await this.addProvider(providerId, tokens);\n\n // Track app authorization in mutable state\n this.#mutableAuthorizedApps.set(appId, { id: appId, toolIds });\n }\n\n /**\n * Get access token for a specific app (for tool execution).\n * Retrieves the app's OAuth token from server-side storage.\n *\n * @param appId - App ID to get token for\n * @returns The decrypted access token, or null if not authorized\n */\n async getAppToken(appId: string): Promise<string | null> {\n if (!this.#mutableAuthorizedApps.has(appId)) {\n return null;\n }\n\n const providerId = `app:${appId}`;\n\n try {\n return await this.getToken(providerId);\n } catch {\n return null;\n }\n }\n\n /**\n * Check if an app is authorized (includes progressively authorized apps).\n * Overrides base class to include mutable app authorization state.\n */\n override isAppAuthorized(appId: string): boolean {\n return this.#mutableAuthorizedApps.has(appId) || super.isAppAuthorized(appId);\n }\n\n /**\n * Get all authorized app IDs (includes progressively authorized apps).\n */\n getAllAuthorizedAppIds(): string[] {\n const baseIds = new Set(this.authorizedAppIds ?? []);\n for (const appId of this.#mutableAuthorizedApps.keys()) {\n baseIds.add(appId);\n }\n return Array.from(baseIds);\n }\n\n /**\n * Get tool IDs authorized through an app.\n */\n getAppToolIds(appId: string): string[] | undefined {\n return this.#mutableAuthorizedApps.get(appId)?.toolIds ?? this.authorizedApps?.[appId]?.toolIds;\n }\n\n /**\n * Remove a provider from this authorization\n */\n async removeProvider(providerId: string): Promise<void> {\n if (this.#tokenStore) {\n await this.#tokenStore.deleteTokens(this.id, providerId);\n }\n this.#providerStates.delete(providerId);\n }\n\n /**\n * Get the issuer (local orchestrator)\n */\n get issuer(): string | undefined {\n return this.claims?.['iss'] as string | undefined;\n }\n}\n"]}

package/src/auth/authorization/public.authorization.d.ts ADDED Viewed

@@ -0,0 +1,91 @@
+import { AuthorizationBase } from './authorization.class';
+import { AuthMode } from '../../common';
+/**
+ * Context for creating a PublicAuthorization
+ */
+export interface PublicAuthorizationCreateCtx {
+    /**
+     * Anonymous user's identifier prefix
+     * @default 'anon'
+     */
+    prefix?: string;
+    /**
+     * Anonymous scopes granted to the user
+     * @default ['anonymous']
+     */
+    scopes?: string[];
+    /**
+     * Session TTL in milliseconds
+     * @default 3600000 (1 hour)
+     */
+    ttlMs?: number;
+    /**
+     * Issuer identifier for the anonymous JWT
+     */
+    issuer?: string;
+    /**
+     * Allowed tools for anonymous access
+     * If 'all', all tools are allowed
+     */
+    allowedTools?: 'all' | string[];
+    /**
+     * Allowed prompts for anonymous access
+     * If 'all', all prompts are allowed
+     */
+    allowedPrompts?: 'all' | string[];
+}
+/**
+ * PublicAuthorization - Authorization for public/anonymous access mode
+ *
+ * In public mode:
+ * - No authentication is required
+ * - Anonymous sessions are auto-generated
+ * - getToken() throws - anonymous users cannot access provider tokens
+ * - Ideal for development, docs, public wikis, and read-only resources
+ */
+export declare class PublicAuthorization extends AuthorizationBase {
+    readonly mode: AuthMode;
+    /**
+     * Issuer identifier for the anonymous authorization
+     */
+    readonly issuer?: string;
+    private constructor();
+    /**
+     * Create a new PublicAuthorization for anonymous access
+     *
+     * @param ctx - Creation context with optional configuration
+     * @returns A new PublicAuthorization instance
+     *
+     * @example
+     * ```typescript
+     * const auth = PublicAuthorization.create({
+     *   scopes: ['read', 'anonymous'],
+     *   ttlMs: 3600000,
+     *   allowedTools: ['search', 'get-docs'],
+     * });
+     * ```
+     */
+    static create(ctx?: PublicAuthorizationCreateCtx): PublicAuthorization;
+    /**
+     * Anonymous users cannot access provider tokens
+     *
+     * @throws Error always - anonymous users do not have provider tokens
+     */
+    getToken(_providerId?: string): Promise<string>;
+    /**
+     * Check if all tools are allowed (public access)
+     */
+    get allowsAllTools(): boolean;
+    /**
+     * Check if all prompts are allowed (public access)
+     */
+    get allowsAllPrompts(): boolean;
+    /**
+     * Override canAccessTool to support 'all' mode
+     */
+    canAccessTool(toolId: string): boolean;
+    /**
+     * Override canAccessPrompt to support 'all' mode
+     */
+    canAccessPrompt(promptId: string): boolean;
+}

package/src/auth/authorization/public.authorization.js ADDED Viewed

@@ -0,0 +1,132 @@
+"use strict";
+// auth/authorization/public.authorization.ts
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PublicAuthorization = void 0;
+const crypto_1 = require("crypto");
+const authorization_class_1 = require("./authorization.class");
+/**
+ * PublicAuthorization - Authorization for public/anonymous access mode
+ *
+ * In public mode:
+ * - No authentication is required
+ * - Anonymous sessions are auto-generated
+ * - getToken() throws - anonymous users cannot access provider tokens
+ * - Ideal for development, docs, public wikis, and read-only resources
+ */
+class PublicAuthorization extends authorization_class_1.AuthorizationBase {
+    mode = 'public';
+    /**
+     * Issuer identifier for the anonymous authorization
+     */
+    issuer;
+    constructor(ctx) {
+        super(ctx);
+        this.issuer = ctx.issuer;
+    }
+    /**
+     * Create a new PublicAuthorization for anonymous access
+     *
+     * @param ctx - Creation context with optional configuration
+     * @returns A new PublicAuthorization instance
+     *
+     * @example
+     * ```typescript
+     * const auth = PublicAuthorization.create({
+     *   scopes: ['read', 'anonymous'],
+     *   ttlMs: 3600000,
+     *   allowedTools: ['search', 'get-docs'],
+     * });
+     * ```
+     */
+    static create(ctx = {}) {
+        const { prefix = 'anon', scopes = ['anonymous'], ttlMs = 3600000, // 1 hour default
+        issuer, allowedTools = 'all', allowedPrompts = 'all', } = ctx;
+        // Generate anonymous user identity
+        const uuid = (0, crypto_1.randomUUID)();
+        const sub = `${prefix}:${uuid}`;
+        const user = {
+            sub,
+            name: 'Anonymous',
+            anonymous: true,
+        };
+        // Calculate expiration
+        const expiresAt = ttlMs ? Date.now() + ttlMs : undefined;
+        // Build authorized tools map
+        const authorizedTools = {};
+        const authorizedToolIds = [];
+        if (allowedTools !== 'all' && Array.isArray(allowedTools)) {
+            for (const toolId of allowedTools) {
+                authorizedTools[toolId] = {
+                    executionPath: ['public', toolId],
+                };
+                authorizedToolIds.push(toolId);
+            }
+        }
+        // Build authorized prompts map
+        const authorizedPrompts = {};
+        const authorizedPromptIds = [];
+        if (allowedPrompts !== 'all' && Array.isArray(allowedPrompts)) {
+            for (const promptId of allowedPrompts) {
+                authorizedPrompts[promptId] = {
+                    executionPath: ['public', promptId],
+                };
+                authorizedPromptIds.push(promptId);
+            }
+        }
+        return new PublicAuthorization({
+            id: sub,
+            isAnonymous: true,
+            user,
+            scopes,
+            expiresAt,
+            issuer,
+            authorizedTools: allowedTools === 'all' ? undefined : authorizedTools,
+            authorizedToolIds: allowedTools === 'all' ? undefined : authorizedToolIds,
+            authorizedPrompts: allowedPrompts === 'all' ? undefined : authorizedPrompts,
+            authorizedPromptIds: allowedPrompts === 'all' ? undefined : authorizedPromptIds,
+        });
+    }
+    /**
+     * Anonymous users cannot access provider tokens
+     *
+     * @throws Error always - anonymous users do not have provider tokens
+     */
+    async getToken(_providerId) {
+        throw new Error('PublicAuthorization: Anonymous users cannot access provider tokens. ' +
+            'Use transparent or orchestrated mode for token access.');
+    }
+    /**
+     * Check if all tools are allowed (public access)
+     */
+    get allowsAllTools() {
+        return this.authorizedToolIds.length === 0 && Object.keys(this.authorizedTools).length === 0;
+    }
+    /**
+     * Check if all prompts are allowed (public access)
+     */
+    get allowsAllPrompts() {
+        return this.authorizedPromptIds.length === 0 && Object.keys(this.authorizedPrompts).length === 0;
+    }
+    /**
+     * Override canAccessTool to support 'all' mode
+     */
+    canAccessTool(toolId) {
+        // If no specific tools defined, all are allowed
+        if (this.allowsAllTools) {
+            return true;
+        }
+        return super.canAccessTool(toolId);
+    }
+    /**
+     * Override canAccessPrompt to support 'all' mode
+     */
+    canAccessPrompt(promptId) {
+        // If no specific prompts defined, all are allowed
+        if (this.allowsAllPrompts) {
+            return true;
+        }
+        return super.canAccessPrompt(promptId);
+    }
+}
+exports.PublicAuthorization = PublicAuthorization;
+//# sourceMappingURL=public.authorization.js.map

package/src/auth/authorization/public.authorization.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"public.authorization.js","sourceRoot":"","sources":["../../../../src/auth/authorization/public.authorization.ts"],"names":[],"mappings":";AAAA,6CAA6C;;;AAE7C,mCAAoC;AACpC,+DAA0D;AA4C1D;;;;;;;;GAQG;AACH,MAAa,mBAAoB,SAAQ,uCAAiB;IAC/C,IAAI,GAAa,QAAQ,CAAC;IAEnC;;OAEG;IACM,MAAM,CAAU;IAEzB,YAAoB,GAAiD;QACnE,KAAK,CAAC,GAAG,CAAC,CAAC;QACX,IAAI,CAAC,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC;IAC3B,CAAC;IAED;;;;;;;;;;;;;;OAcG;IACH,MAAM,CAAC,MAAM,CAAC,MAAoC,EAAE;QAClD,MAAM,EACJ,MAAM,GAAG,MAAM,EACf,MAAM,GAAG,CAAC,WAAW,CAAC,EACtB,KAAK,GAAG,OAAO,EAAE,iBAAiB;QAClC,MAAM,EACN,YAAY,GAAG,KAAK,EACpB,cAAc,GAAG,KAAK,GACvB,GAAG,GAAG,CAAC;QAER,mCAAmC;QACnC,MAAM,IAAI,GAAG,IAAA,mBAAU,GAAE,CAAC;QAC1B,MAAM,GAAG,GAAG,GAAG,MAAM,IAAI,IAAI,EAAE,CAAC;QAEhC,MAAM,IAAI,GAAa;YACrB,GAAG;YACH,IAAI,EAAE,WAAW;YACjB,SAAS,EAAE,IAAI;SAChB,CAAC;QAEF,uBAAuB;QACvB,MAAM,SAAS,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC;QAEzD,6BAA6B;QAC7B,MAAM,eAAe,GAA8C,EAAE,CAAC;QACtE,MAAM,iBAAiB,GAAa,EAAE,CAAC;QACvC,IAAI,YAAY,KAAK,KAAK,IAAI,KAAK,CAAC,OAAO,CAAC,YAAY,CAAC,EAAE,CAAC;YAC1D,KAAK,MAAM,MAAM,IAAI,YAAY,EAAE,CAAC;gBAClC,eAAe,CAAC,MAAM,CAAC,GAAG;oBACxB,aAAa,EAAE,CAAC,QAAQ,EAAE,MAAM,CAAC;iBAClC,CAAC;gBACF,iBAAiB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YACjC,CAAC;QACH,CAAC;QAED,+BAA+B;QAC/B,MAAM,iBAAiB,GAAgD,EAAE,CAAC;QAC1E,MAAM,mBAAmB,GAAa,EAAE,CAAC;QACzC,IAAI,cAAc,KAAK,KAAK,IAAI,KAAK,CAAC,OAAO,CAAC,cAAc,CAAC,EAAE,CAAC;YAC9D,KAAK,MAAM,QAAQ,IAAI,cAAc,EAAE,CAAC;gBACtC,iBAAiB,CAAC,QAAQ,CAAC,GAAG;oBAC5B,aAAa,EAAE,CAAC,QAAQ,EAAE,QAAQ,CAAC;iBACpC,CAAC;gBACF,mBAAmB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YACrC,CAAC;QACH,CAAC;QAED,OAAO,IAAI,mBAAmB,CAAC;YAC7B,EAAE,EAAE,GAAG;YACP,WAAW,EAAE,IAAI;YACjB,IAAI;YACJ,MAAM;YACN,SAAS;YACT,MAAM;YACN,eAAe,EAAE,YAAY,KAAK,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,eAAe;YACrE,iBAAiB,EAAE,YAAY,KAAK,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,iBAAiB;YACzE,iBAAiB,EAAE,cAAc,KAAK,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,iBAAiB;YAC3E,mBAAmB,EAAE,cAAc,KAAK,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,mBAAmB;SAChF,CAAC,CAAC;IACL,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,QAAQ,CAAC,WAAoB;QACjC,MAAM,IAAI,KAAK,CACb,sEAAsE;YACpE,wDAAwD,CAC3D,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,IAAI,cAAc;QAChB,OAAO,IAAI,CAAC,iBAAiB,CAAC,MAAM,KAAK,CAAC,IAAI,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC;IAC/F,CAAC;IAED;;OAEG;IACH,IAAI,gBAAgB;QAClB,OAAO,IAAI,CAAC,mBAAmB,CAAC,MAAM,KAAK,CAAC,IAAI,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC;IACnG,CAAC;IAED;;OAEG;IACM,aAAa,CAAC,MAAc;QACnC,gDAAgD;QAChD,IAAI,IAAI,CAAC,cAAc,EAAE,CAAC;YACxB,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO,KAAK,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC;IACrC,CAAC;IAED;;OAEG;IACM,eAAe,CAAC,QAAgB;QACvC,kDAAkD;QAClD,IAAI,IAAI,CAAC,gBAAgB,EAAE,CAAC;YAC1B,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO,KAAK,CAAC,eAAe,CAAC,QAAQ,CAAC,CAAC;IACzC,CAAC;CACF;AAxID,kDAwIC","sourcesContent":["// auth/authorization/public.authorization.ts\n\nimport { randomUUID } from 'crypto';\nimport { AuthorizationBase } from './authorization.class';\nimport { AuthorizationCreateCtx, AuthUser } from './authorization.types';\nimport { AuthMode } from '../../common';\n\n/**\n * Context for creating a PublicAuthorization\n */\nexport interface PublicAuthorizationCreateCtx {\n /**\n * Anonymous user's identifier prefix\n * @default 'anon'\n */\n prefix?: string;\n\n /**\n * Anonymous scopes granted to the user\n * @default ['anonymous']\n */\n scopes?: string[];\n\n /**\n * Session TTL in milliseconds\n * @default 3600000 (1 hour)\n */\n ttlMs?: number;\n\n /**\n * Issuer identifier for the anonymous JWT\n */\n issuer?: string;\n\n /**\n * Allowed tools for anonymous access\n * If 'all', all tools are allowed\n */\n allowedTools?: 'all' | string[];\n\n /**\n * Allowed prompts for anonymous access\n * If 'all', all prompts are allowed\n */\n allowedPrompts?: 'all' | string[];\n}\n\n/**\n * PublicAuthorization - Authorization for public/anonymous access mode\n *\n * In public mode:\n * - No authentication is required\n * - Anonymous sessions are auto-generated\n * - getToken() throws - anonymous users cannot access provider tokens\n * - Ideal for development, docs, public wikis, and read-only resources\n */\nexport class PublicAuthorization extends AuthorizationBase {\n readonly mode: AuthMode = 'public';\n\n /**\n * Issuer identifier for the anonymous authorization\n */\n readonly issuer?: string;\n\n private constructor(ctx: AuthorizationCreateCtx & { issuer?: string }) {\n super(ctx);\n this.issuer = ctx.issuer;\n }\n\n /**\n * Create a new PublicAuthorization for anonymous access\n *\n * @param ctx - Creation context with optional configuration\n * @returns A new PublicAuthorization instance\n *\n * @example\n * ```typescript\n * const auth = PublicAuthorization.create({\n * scopes: ['read', 'anonymous'],\n * ttlMs: 3600000,\n * allowedTools: ['search', 'get-docs'],\n * });\n * ```\n */\n static create(ctx: PublicAuthorizationCreateCtx = {}): PublicAuthorization {\n const {\n prefix = 'anon',\n scopes = ['anonymous'],\n ttlMs = 3600000, // 1 hour default\n issuer,\n allowedTools = 'all',\n allowedPrompts = 'all',\n } = ctx;\n\n // Generate anonymous user identity\n const uuid = randomUUID();\n const sub = `${prefix}:${uuid}`;\n\n const user: AuthUser = {\n sub,\n name: 'Anonymous',\n anonymous: true,\n };\n\n // Calculate expiration\n const expiresAt = ttlMs ? Date.now() + ttlMs : undefined;\n\n // Build authorized tools map\n const authorizedTools: AuthorizationCreateCtx['authorizedTools'] = {};\n const authorizedToolIds: string[] = [];\n if (allowedTools !== 'all' && Array.isArray(allowedTools)) {\n for (const toolId of allowedTools) {\n authorizedTools[toolId] = {\n executionPath: ['public', toolId],\n };\n authorizedToolIds.push(toolId);\n }\n }\n\n // Build authorized prompts map\n const authorizedPrompts: AuthorizationCreateCtx['authorizedPrompts'] = {};\n const authorizedPromptIds: string[] = [];\n if (allowedPrompts !== 'all' && Array.isArray(allowedPrompts)) {\n for (const promptId of allowedPrompts) {\n authorizedPrompts[promptId] = {\n executionPath: ['public', promptId],\n };\n authorizedPromptIds.push(promptId);\n }\n }\n\n return new PublicAuthorization({\n id: sub,\n isAnonymous: true,\n user,\n scopes,\n expiresAt,\n issuer,\n authorizedTools: allowedTools === 'all' ? undefined : authorizedTools,\n authorizedToolIds: allowedTools === 'all' ? undefined : authorizedToolIds,\n authorizedPrompts: allowedPrompts === 'all' ? undefined : authorizedPrompts,\n authorizedPromptIds: allowedPrompts === 'all' ? undefined : authorizedPromptIds,\n });\n }\n\n /**\n * Anonymous users cannot access provider tokens\n *\n * @throws Error always - anonymous users do not have provider tokens\n */\n async getToken(_providerId?: string): Promise<string> {\n throw new Error(\n 'PublicAuthorization: Anonymous users cannot access provider tokens. ' +\n 'Use transparent or orchestrated mode for token access.',\n );\n }\n\n /**\n * Check if all tools are allowed (public access)\n */\n get allowsAllTools(): boolean {\n return this.authorizedToolIds.length === 0 && Object.keys(this.authorizedTools).length === 0;\n }\n\n /**\n * Check if all prompts are allowed (public access)\n */\n get allowsAllPrompts(): boolean {\n return this.authorizedPromptIds.length === 0 && Object.keys(this.authorizedPrompts).length === 0;\n }\n\n /**\n * Override canAccessTool to support 'all' mode\n */\n override canAccessTool(toolId: string): boolean {\n // If no specific tools defined, all are allowed\n if (this.allowsAllTools) {\n return true;\n }\n return super.canAccessTool(toolId);\n }\n\n /**\n * Override canAccessPrompt to support 'all' mode\n */\n override canAccessPrompt(promptId: string): boolean {\n // If no specific prompts defined, all are allowed\n if (this.allowsAllPrompts) {\n return true;\n }\n return super.canAccessPrompt(promptId);\n }\n}\n"]}