@frontmcp/sdk 0.4.0 → 0.5.0

package/src/auth/detection/auth-provider-detection.js

@@ -0,0 +1,230 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.authProviderDetectionResultSchema = exports.detectedAuthProviderSchema = void 0;
+exports.deriveProviderId = deriveProviderId;
+exports.detectAuthProviders = detectAuthProviders;
+exports.appRequiresOrchestration = appRequiresOrchestration;
+exports.getProviderScopes = getProviderScopes;
+exports.getProviderApps = getProviderApps;
+/**
+ * Auth Provider Detection
+ *
+ * Detects unique auth providers across nested apps and determines
+ * if orchestrated mode is required at the parent scope level.
+ *
+ * When multiple apps have different auth providers, the parent MUST
+ * use orchestrated mode to properly manage tokens for each provider.
+ */
+const zod_1 = require("zod");
+const common_1 = require("../../common");
+// ============================================
+// Schemas
+// ============================================
+/**
+ * Schema for a detected auth provider
+ */
+exports.detectedAuthProviderSchema = zod_1.z.object({
+    /** Unique provider ID (derived from URL or explicit id) */
+    id: zod_1.z.string(),
+    /** Provider URL (for remote providers) */
+    providerUrl: zod_1.z.string().optional(),
+    /** Auth mode of this provider */
+    mode: zod_1.z.enum(['public', 'transparent', 'orchestrated']),
+    /** App IDs that use this provider */
+    appIds: zod_1.z.array(zod_1.z.string()),
+    /** Collected OAuth scopes from all apps using this provider */
+    scopes: zod_1.z.array(zod_1.z.string()),
+    /** Whether this is the parent's provider */
+    isParentProvider: zod_1.z.boolean(),
+});
+/**
+ * Schema for auth provider detection result
+ */
+exports.authProviderDetectionResultSchema = zod_1.z.object({
+    /** Map of provider ID to detected provider info */
+    providers: zod_1.z.map(zod_1.z.string(), exports.detectedAuthProviderSchema),
+    /** Whether orchestration is required at parent level */
+    requiresOrchestration: zod_1.z.boolean(),
+    /** Parent provider ID (if any) */
+    parentProviderId: zod_1.z.string().optional(),
+    /** Child provider IDs (excluding parent) */
+    childProviderIds: zod_1.z.array(zod_1.z.string()),
+    /** Total unique provider count */
+    uniqueProviderCount: zod_1.z.number(),
+    /** Validation errors (if any) */
+    validationErrors: zod_1.z.array(zod_1.z.string()),
+    /** Warnings (non-fatal issues) */
+    warnings: zod_1.z.array(zod_1.z.string()),
+});
+// ============================================
+// Detection Functions
+// ============================================
+/**
+ * Derive a stable provider ID from auth options
+ */
+function deriveProviderId(options) {
+    if ((0, common_1.isPublicMode)(options)) {
+        return options.issuer ?? 'public';
+    }
+    if ((0, common_1.isTransparentMode)(options)) {
+        return options.remote.id ?? urlToProviderId(options.remote.provider);
+    }
+    if ((0, common_1.isOrchestratedMode)(options)) {
+        if ((0, common_1.isOrchestratedRemote)(options)) {
+            return options.remote.id ?? urlToProviderId(options.remote.provider);
+        }
+        // Local orchestrated - use issuer or 'local'
+        return options.local?.issuer ?? 'local';
+    }
+    return 'unknown';
+}
+/**
+ * Convert URL to a safe provider ID
+ */
+function urlToProviderId(url) {
+    try {
+        const parsed = new URL(url);
+        return parsed.hostname.replace(/\./g, '_');
+    }
+    catch {
+        return url.replace(/[^a-zA-Z0-9]/g, '_');
+    }
+}
+/**
+ * Extract OAuth scopes from auth options
+ */
+function extractScopes(options) {
+    if ((0, common_1.isTransparentMode)(options)) {
+        return options.requiredScopes || [];
+    }
+    if ((0, common_1.isOrchestratedMode)(options)) {
+        if ((0, common_1.isOrchestratedRemote)(options)) {
+            return options.remote.scopes || [];
+        }
+    }
+    return [];
+}
+/**
+ * Detect all unique auth providers across parent and apps
+ *
+ * @param parentAuth - Parent scope's auth options (may be undefined)
+ * @param apps - Array of app auth info
+ * @returns Detection result with providers, validation, and requirements
+ */
+function detectAuthProviders(parentAuth, apps) {
+    const providers = new Map();
+    const validationErrors = [];
+    const warnings = [];
+    let parentProviderId;
+    // Process parent auth if present
+    if (parentAuth) {
+        parentProviderId = deriveProviderId(parentAuth);
+        providers.set(parentProviderId, {
+            id: parentProviderId,
+            providerUrl: getProviderUrl(parentAuth),
+            mode: parentAuth.mode,
+            appIds: ['__parent__'],
+            scopes: extractScopes(parentAuth),
+            isParentProvider: true,
+        });
+    }
+    // Process each app's auth
+    for (const app of apps) {
+        if (!app.auth) {
+            // App inherits from parent - skip
+            continue;
+        }
+        const providerId = deriveProviderId(app.auth);
+        const existing = providers.get(providerId);
+        if (existing) {
+            // Same provider - merge app and scopes
+            existing.appIds.push(app.id);
+            const newScopes = extractScopes(app.auth);
+            existing.scopes = [...new Set([...existing.scopes, ...newScopes])];
+        }
+        else {
+            // New provider
+            providers.set(providerId, {
+                id: providerId,
+                providerUrl: getProviderUrl(app.auth),
+                mode: app.auth.mode,
+                appIds: [app.id],
+                scopes: extractScopes(app.auth),
+                isParentProvider: false,
+            });
+        }
+    }
+    // Determine child provider IDs (non-parent)
+    const childProviderIds = [...providers.keys()].filter((id) => id !== parentProviderId);
+    // Determine if orchestration is required
+    const uniqueProviderCount = providers.size;
+    const hasMultipleProviders = uniqueProviderCount > 1;
+    const hasChildOnlyProviders = childProviderIds.length > 0 && !parentProviderId;
+    const requiresOrchestration = hasMultipleProviders || hasChildOnlyProviders || (childProviderIds.length > 0 && parentProviderId !== undefined);
+    // Validate configuration
+    if (requiresOrchestration && parentAuth && (0, common_1.isTransparentMode)(parentAuth)) {
+        validationErrors.push(`Invalid auth configuration: Parent uses transparent mode but apps have their own auth providers. ` +
+            `Transparent mode passes tokens through without modification, which is incompatible with multi-provider setups. ` +
+            `Change parent auth to orchestrated mode to properly manage tokens for each provider. ` +
+            `Detected providers: ${[...providers.keys()].join(', ')}`);
+    }
+    // Add warnings for potential issues
+    if (uniqueProviderCount > 1 && parentAuth && (0, common_1.isPublicMode)(parentAuth)) {
+        warnings.push(`Parent uses public mode but apps have auth providers configured. ` +
+            `App-level auth will be used, but consider using orchestrated mode at parent for unified auth management.`);
+    }
+    return {
+        providers,
+        requiresOrchestration,
+        parentProviderId,
+        childProviderIds,
+        uniqueProviderCount,
+        validationErrors,
+        warnings,
+    };
+}
+/**
+ * Get provider URL from auth options (if remote)
+ */
+function getProviderUrl(options) {
+    if ((0, common_1.isTransparentMode)(options)) {
+        return options.remote.provider;
+    }
+    if ((0, common_1.isOrchestratedMode)(options) && (0, common_1.isOrchestratedRemote)(options)) {
+        return options.remote.provider;
+    }
+    return undefined;
+}
+/**
+ * Check if a specific app requires orchestration
+ * (i.e., has a different provider than parent)
+ */
+function appRequiresOrchestration(appAuth, parentAuth) {
+    // No app auth = inherits from parent
+    if (!appAuth) {
+        return false;
+    }
+    // No parent auth = app manages its own auth
+    if (!parentAuth) {
+        return appAuth.mode !== 'public';
+    }
+    // Compare provider IDs
+    const appProviderId = deriveProviderId(appAuth);
+    const parentProviderId = deriveProviderId(parentAuth);
+    return appProviderId !== parentProviderId;
+}
+/**
+ * Get all OAuth scopes needed for a provider across all apps
+ */
+function getProviderScopes(detection, providerId) {
+    const provider = detection.providers.get(providerId);
+    return provider?.scopes ?? [];
+}
+/**
+ * Get apps that use a specific provider
+ */
+function getProviderApps(detection, providerId) {
+    const provider = detection.providers.get(providerId);
+    return provider?.appIds.filter((id) => id !== '__parent__') ?? [];
+}
+//# sourceMappingURL=auth-provider-detection.js.map

package/src/auth/detection/auth-provider-detection.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-provider-detection.js","sourceRoot":"","sources":["../../../../src/auth/detection/auth-provider-detection.ts"],"names":[],"mappings":";;;AA6EA,4CAkBC;AAsCD,kDAyFC;AAqBD,4DAmBC;AAKD,8CAGC;AAKD,0CAGC;AAtRD;;;;;;;;GAQG;AACH,6BAAwB;AACxB,yCAAsH;AAEtH,+CAA+C;AAC/C,UAAU;AACV,+CAA+C;AAE/C;;GAEG;AACU,QAAA,0BAA0B,GAAG,OAAC,CAAC,MAAM,CAAC;IACjD,2DAA2D;IAC3D,EAAE,EAAE,OAAC,CAAC,MAAM,EAAE;IACd,0CAA0C;IAC1C,WAAW,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAClC,iCAAiC;IACjC,IAAI,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,QAAQ,EAAE,aAAa,EAAE,cAAc,CAAC,CAAC;IACvD,qCAAqC;IACrC,MAAM,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC;IAC3B,+DAA+D;IAC/D,MAAM,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC;IAC3B,4CAA4C;IAC5C,gBAAgB,EAAE,OAAC,CAAC,OAAO,EAAE;CAC9B,CAAC,CAAC;AAEH;;GAEG;AACU,QAAA,iCAAiC,GAAG,OAAC,CAAC,MAAM,CAAC;IACxD,mDAAmD;IACnD,SAAS,EAAE,OAAC,CAAC,GAAG,CAAC,OAAC,CAAC,MAAM,EAAE,EAAE,kCAA0B,CAAC;IACxD,wDAAwD;IACxD,qBAAqB,EAAE,OAAC,CAAC,OAAO,EAAE;IAClC,kCAAkC;IAClC,gBAAgB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACvC,4CAA4C;IAC5C,gBAAgB,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC;IACrC,kCAAkC;IAClC,mBAAmB,EAAE,OAAC,CAAC,MAAM,EAAE;IAC/B,iCAAiC;IACjC,gBAAgB,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC;IACrC,kCAAkC;IAClC,QAAQ,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC;CAC9B,CAAC,CAAC;AAkBH,+CAA+C;AAC/C,sBAAsB;AACtB,+CAA+C;AAE/C;;GAEG;AACH,SAAgB,gBAAgB,CAAC,OAAoB;IACnD,IAAI,IAAA,qBAAY,EAAC,OAAO,CAAC,EAAE,CAAC;QAC1B,OAAO,OAAO,CAAC,MAAM,IAAI,QAAQ,CAAC;IACpC,CAAC;IAED,IAAI,IAAA,0BAAiB,EAAC,OAAO,CAAC,EAAE,CAAC;QAC/B,OAAO,OAAO,CAAC,MAAM,CAAC,EAAE,IAAI,eAAe,CAAC,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IACvE,CAAC;IAED,IAAI,IAAA,2BAAkB,EAAC,OAAO,CAAC,EAAE,CAAC;QAChC,IAAI,IAAA,6BAAoB,EAAC,OAAO,CAAC,EAAE,CAAC;YAClC,OAAO,OAAO,CAAC,MAAM,CAAC,EAAE,IAAI,eAAe,CAAC,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QACvE,CAAC;QACD,6CAA6C;QAC7C,OAAO,OAAO,CAAC,KAAK,EAAE,MAAM,IAAI,OAAO,CAAC;IAC1C,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CAAC,GAAW;IAClC,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;QAC5B,OAAO,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IAC7C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,GAAG,CAAC,OAAO,CAAC,eAAe,EAAE,GAAG,CAAC,CAAC;IAC3C,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,aAAa,CAAC,OAAoB;IACzC,IAAI,IAAA,0BAAiB,EAAC,OAAO,CAAC,EAAE,CAAC;QAC/B,OAAO,OAAO,CAAC,cAAc,IAAI,EAAE,CAAC;IACtC,CAAC;IAED,IAAI,IAAA,2BAAkB,EAAC,OAAO,CAAC,EAAE,CAAC;QAChC,IAAI,IAAA,6BAAoB,EAAC,OAAO,CAAC,EAAE,CAAC;YAClC,OAAO,OAAO,CAAC,MAAM,CAAC,MAAM,IAAI,EAAE,CAAC;QACrC,CAAC;IACH,CAAC;IAED,OAAO,EAAE,CAAC;AACZ,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,mBAAmB,CACjC,UAAmC,EACnC,IAAmB;IAEnB,MAAM,SAAS,GAAG,IAAI,GAAG,EAAgC,CAAC;IAC1D,MAAM,gBAAgB,GAAa,EAAE,CAAC;IACtC,MAAM,QAAQ,GAAa,EAAE,CAAC;IAC9B,IAAI,gBAAoC,CAAC;IAEzC,iCAAiC;IACjC,IAAI,UAAU,EAAE,CAAC;QACf,gBAAgB,GAAG,gBAAgB,CAAC,UAAU,CAAC,CAAC;QAEhD,SAAS,CAAC,GAAG,CAAC,gBAAgB,EAAE;YAC9B,EAAE,EAAE,gBAAgB;YACpB,WAAW,EAAE,cAAc,CAAC,UAAU,CAAC;YACvC,IAAI,EAAE,UAAU,CAAC,IAAI;YACrB,MAAM,EAAE,CAAC,YAAY,CAAC;YACtB,MAAM,EAAE,aAAa,CAAC,UAAU,CAAC;YACjC,gBAAgB,EAAE,IAAI;SACvB,CAAC,CAAC;IACL,CAAC;IAED,0BAA0B;IAC1B,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;YACd,kCAAkC;YAClC,SAAS;QACX,CAAC;QAED,MAAM,UAAU,GAAG,gBAAgB,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QAC9C,MAAM,QAAQ,GAAG,SAAS,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;QAE3C,IAAI,QAAQ,EAAE,CAAC;YACb,uCAAuC;YACvC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YAC7B,MAAM,SAAS,GAAG,aAAa,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;YAC1C,QAAQ,CAAC,MAAM,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,CAAC,GAAG,QAAQ,CAAC,MAAM,EAAE,GAAG,SAAS,CAAC,CAAC,CAAC,CAAC;QACrE,CAAC;aAAM,CAAC;YACN,eAAe;YACf,SAAS,CAAC,GAAG,CAAC,UAAU,EAAE;gBACxB,EAAE,EAAE,UAAU;gBACd,WAAW,EAAE,cAAc,CAAC,GAAG,CAAC,IAAI,CAAC;gBACrC,IAAI,EAAE,GAAG,CAAC,IAAI,CAAC,IAAI;gBACnB,MAAM,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC;gBAChB,MAAM,EAAE,aAAa,CAAC,GAAG,CAAC,IAAI,CAAC;gBAC/B,gBAAgB,EAAE,KAAK;aACxB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,4CAA4C;IAC5C,MAAM,gBAAgB,GAAG,CAAC,GAAG,SAAS,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,KAAK,gBAAgB,CAAC,CAAC;IAEvF,yCAAyC;IACzC,MAAM,mBAAmB,GAAG,SAAS,CAAC,IAAI,CAAC;IAC3C,MAAM,oBAAoB,GAAG,mBAAmB,GAAG,CAAC,CAAC;IACrD,MAAM,qBAAqB,GAAG,gBAAgB,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,gBAAgB,CAAC;IAE/E,MAAM,qBAAqB,GACzB,oBAAoB,IAAI,qBAAqB,IAAI,CAAC,gBAAgB,CAAC,MAAM,GAAG,CAAC,IAAI,gBAAgB,KAAK,SAAS,CAAC,CAAC;IAEnH,yBAAyB;IACzB,IAAI,qBAAqB,IAAI,UAAU,IAAI,IAAA,0BAAiB,EAAC,UAAU,CAAC,EAAE,CAAC;QACzE,gBAAgB,CAAC,IAAI,CACnB,mGAAmG;YACjG,iHAAiH;YACjH,uFAAuF;YACvF,uBAAuB,CAAC,GAAG,SAAS,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAC5D,CAAC;IACJ,CAAC;IAED,oCAAoC;IACpC,IAAI,mBAAmB,GAAG,CAAC,IAAI,UAAU,IAAI,IAAA,qBAAY,EAAC,UAAU,CAAC,EAAE,CAAC;QACtE,QAAQ,CAAC,IAAI,CACX,mEAAmE;YACjE,0GAA0G,CAC7G,CAAC;IACJ,CAAC;IAED,OAAO;QACL,SAAS;QACT,qBAAqB;QACrB,gBAAgB;QAChB,gBAAgB;QAChB,mBAAmB;QACnB,gBAAgB;QAChB,QAAQ;KACT,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,cAAc,CAAC,OAAoB;IAC1C,IAAI,IAAA,0BAAiB,EAAC,OAAO,CAAC,EAAE,CAAC;QAC/B,OAAO,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC;IACjC,CAAC;IAED,IAAI,IAAA,2BAAkB,EAAC,OAAO,CAAC,IAAI,IAAA,6BAAoB,EAAC,OAAO,CAAC,EAAE,CAAC;QACjE,OAAO,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC;IACjC,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;;GAGG;AACH,SAAgB,wBAAwB,CACtC,OAAgC,EAChC,UAAmC;IAEnC,qCAAqC;IACrC,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO,KAAK,CAAC;IACf,CAAC;IAED,4CAA4C;IAC5C,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,OAAO,OAAO,CAAC,IAAI,KAAK,QAAQ,CAAC;IACnC,CAAC;IAED,uBAAuB;IACvB,MAAM,aAAa,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC;IAChD,MAAM,gBAAgB,GAAG,gBAAgB,CAAC,UAAU,CAAC,CAAC;IAEtD,OAAO,aAAa,KAAK,gBAAgB,CAAC;AAC5C,CAAC;AAED;;GAEG;AACH,SAAgB,iBAAiB,CAAC,SAAsC,EAAE,UAAkB;IAC1F,MAAM,QAAQ,GAAG,SAAS,CAAC,SAAS,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IACrD,OAAO,QAAQ,EAAE,MAAM,IAAI,EAAE,CAAC;AAChC,CAAC;AAED;;GAEG;AACH,SAAgB,eAAe,CAAC,SAAsC,EAAE,UAAkB;IACxF,MAAM,QAAQ,GAAG,SAAS,CAAC,SAAS,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IACrD,OAAO,QAAQ,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,KAAK,YAAY,CAAC,IAAI,EAAE,CAAC;AACpE,CAAC","sourcesContent":["/**\n * Auth Provider Detection\n *\n * Detects unique auth providers across nested apps and determines\n * if orchestrated mode is required at the parent scope level.\n *\n * When multiple apps have different auth providers, the parent MUST\n * use orchestrated mode to properly manage tokens for each provider.\n */\nimport { z } from 'zod';\nimport { AuthOptions, isPublicMode, isTransparentMode, isOrchestratedMode, isOrchestratedRemote } from '../../common';\n\n// ============================================\n// Schemas\n// ============================================\n\n/**\n * Schema for a detected auth provider\n */\nexport const detectedAuthProviderSchema = z.object({\n  /** Unique provider ID (derived from URL or explicit id) */\n  id: z.string(),\n  /** Provider URL (for remote providers) */\n  providerUrl: z.string().optional(),\n  /** Auth mode of this provider */\n  mode: z.enum(['public', 'transparent', 'orchestrated']),\n  /** App IDs that use this provider */\n  appIds: z.array(z.string()),\n  /** Collected OAuth scopes from all apps using this provider */\n  scopes: z.array(z.string()),\n  /** Whether this is the parent's provider */\n  isParentProvider: z.boolean(),\n});\n\n/**\n * Schema for auth provider detection result\n */\nexport const authProviderDetectionResultSchema = z.object({\n  /** Map of provider ID to detected provider info */\n  providers: z.map(z.string(), detectedAuthProviderSchema),\n  /** Whether orchestration is required at parent level */\n  requiresOrchestration: z.boolean(),\n  /** Parent provider ID (if any) */\n  parentProviderId: z.string().optional(),\n  /** Child provider IDs (excluding parent) */\n  childProviderIds: z.array(z.string()),\n  /** Total unique provider count */\n  uniqueProviderCount: z.number(),\n  /** Validation errors (if any) */\n  validationErrors: z.array(z.string()),\n  /** Warnings (non-fatal issues) */\n  warnings: z.array(z.string()),\n});\n\n// ============================================\n// Types\n// ============================================\n\nexport type DetectedAuthProvider = z.infer<typeof detectedAuthProviderSchema>;\nexport type AuthProviderDetectionResult = z.infer<typeof authProviderDetectionResultSchema>;\n\n/**\n * App auth info for detection (minimal interface)\n */\nexport interface AppAuthInfo {\n  id: string;\n  name: string;\n  auth?: AuthOptions;\n}\n\n// ============================================\n// Detection Functions\n// ============================================\n\n/**\n * Derive a stable provider ID from auth options\n */\nexport function deriveProviderId(options: AuthOptions): string {\n  if (isPublicMode(options)) {\n    return options.issuer ?? 'public';\n  }\n\n  if (isTransparentMode(options)) {\n    return options.remote.id ?? urlToProviderId(options.remote.provider);\n  }\n\n  if (isOrchestratedMode(options)) {\n    if (isOrchestratedRemote(options)) {\n      return options.remote.id ?? urlToProviderId(options.remote.provider);\n    }\n    // Local orchestrated - use issuer or 'local'\n    return options.local?.issuer ?? 'local';\n  }\n\n  return 'unknown';\n}\n\n/**\n * Convert URL to a safe provider ID\n */\nfunction urlToProviderId(url: string): string {\n  try {\n    const parsed = new URL(url);\n    return parsed.hostname.replace(/\\./g, '_');\n  } catch {\n    return url.replace(/[^a-zA-Z0-9]/g, '_');\n  }\n}\n\n/**\n * Extract OAuth scopes from auth options\n */\nfunction extractScopes(options: AuthOptions): string[] {\n  if (isTransparentMode(options)) {\n    return options.requiredScopes || [];\n  }\n\n  if (isOrchestratedMode(options)) {\n    if (isOrchestratedRemote(options)) {\n      return options.remote.scopes || [];\n    }\n  }\n\n  return [];\n}\n\n/**\n * Detect all unique auth providers across parent and apps\n *\n * @param parentAuth - Parent scope's auth options (may be undefined)\n * @param apps - Array of app auth info\n * @returns Detection result with providers, validation, and requirements\n */\nexport function detectAuthProviders(\n  parentAuth: AuthOptions | undefined,\n  apps: AppAuthInfo[],\n): AuthProviderDetectionResult {\n  const providers = new Map<string, DetectedAuthProvider>();\n  const validationErrors: string[] = [];\n  const warnings: string[] = [];\n  let parentProviderId: string | undefined;\n\n  // Process parent auth if present\n  if (parentAuth) {\n    parentProviderId = deriveProviderId(parentAuth);\n\n    providers.set(parentProviderId, {\n      id: parentProviderId,\n      providerUrl: getProviderUrl(parentAuth),\n      mode: parentAuth.mode,\n      appIds: ['__parent__'],\n      scopes: extractScopes(parentAuth),\n      isParentProvider: true,\n    });\n  }\n\n  // Process each app's auth\n  for (const app of apps) {\n    if (!app.auth) {\n      // App inherits from parent - skip\n      continue;\n    }\n\n    const providerId = deriveProviderId(app.auth);\n    const existing = providers.get(providerId);\n\n    if (existing) {\n      // Same provider - merge app and scopes\n      existing.appIds.push(app.id);\n      const newScopes = extractScopes(app.auth);\n      existing.scopes = [...new Set([...existing.scopes, ...newScopes])];\n    } else {\n      // New provider\n      providers.set(providerId, {\n        id: providerId,\n        providerUrl: getProviderUrl(app.auth),\n        mode: app.auth.mode,\n        appIds: [app.id],\n        scopes: extractScopes(app.auth),\n        isParentProvider: false,\n      });\n    }\n  }\n\n  // Determine child provider IDs (non-parent)\n  const childProviderIds = [...providers.keys()].filter((id) => id !== parentProviderId);\n\n  // Determine if orchestration is required\n  const uniqueProviderCount = providers.size;\n  const hasMultipleProviders = uniqueProviderCount > 1;\n  const hasChildOnlyProviders = childProviderIds.length > 0 && !parentProviderId;\n\n  const requiresOrchestration =\n    hasMultipleProviders || hasChildOnlyProviders || (childProviderIds.length > 0 && parentProviderId !== undefined);\n\n  // Validate configuration\n  if (requiresOrchestration && parentAuth && isTransparentMode(parentAuth)) {\n    validationErrors.push(\n      `Invalid auth configuration: Parent uses transparent mode but apps have their own auth providers. ` +\n        `Transparent mode passes tokens through without modification, which is incompatible with multi-provider setups. ` +\n        `Change parent auth to orchestrated mode to properly manage tokens for each provider. ` +\n        `Detected providers: ${[...providers.keys()].join(', ')}`,\n    );\n  }\n\n  // Add warnings for potential issues\n  if (uniqueProviderCount > 1 && parentAuth && isPublicMode(parentAuth)) {\n    warnings.push(\n      `Parent uses public mode but apps have auth providers configured. ` +\n        `App-level auth will be used, but consider using orchestrated mode at parent for unified auth management.`,\n    );\n  }\n\n  return {\n    providers,\n    requiresOrchestration,\n    parentProviderId,\n    childProviderIds,\n    uniqueProviderCount,\n    validationErrors,\n    warnings,\n  };\n}\n\n/**\n * Get provider URL from auth options (if remote)\n */\nfunction getProviderUrl(options: AuthOptions): string | undefined {\n  if (isTransparentMode(options)) {\n    return options.remote.provider;\n  }\n\n  if (isOrchestratedMode(options) && isOrchestratedRemote(options)) {\n    return options.remote.provider;\n  }\n\n  return undefined;\n}\n\n/**\n * Check if a specific app requires orchestration\n * (i.e., has a different provider than parent)\n */\nexport function appRequiresOrchestration(\n  appAuth: AuthOptions | undefined,\n  parentAuth: AuthOptions | undefined,\n): boolean {\n  // No app auth = inherits from parent\n  if (!appAuth) {\n    return false;\n  }\n\n  // No parent auth = app manages its own auth\n  if (!parentAuth) {\n    return appAuth.mode !== 'public';\n  }\n\n  // Compare provider IDs\n  const appProviderId = deriveProviderId(appAuth);\n  const parentProviderId = deriveProviderId(parentAuth);\n\n  return appProviderId !== parentProviderId;\n}\n\n/**\n * Get all OAuth scopes needed for a provider across all apps\n */\nexport function getProviderScopes(detection: AuthProviderDetectionResult, providerId: string): string[] {\n  const provider = detection.providers.get(providerId);\n  return provider?.scopes ?? [];\n}\n\n/**\n * Get apps that use a specific provider\n */\nexport function getProviderApps(detection: AuthProviderDetectionResult, providerId: string): string[] {\n  const provider = detection.providers.get(providerId);\n  return provider?.appIds.filter((id) => id !== '__parent__') ?? [];\n}\n"]}

package/src/auth/detection/index.d.ts

@@ -0,0 +1 @@
+export { detectedAuthProviderSchema, authProviderDetectionResultSchema, DetectedAuthProvider, AuthProviderDetectionResult, AppAuthInfo, detectAuthProviders, deriveProviderId, appRequiresOrchestration, getProviderScopes, getProviderApps, } from './auth-provider-detection';

package/src/auth/detection/index.js

@@ -0,0 +1,15 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getProviderApps = exports.getProviderScopes = exports.appRequiresOrchestration = exports.deriveProviderId = exports.detectAuthProviders = exports.authProviderDetectionResultSchema = exports.detectedAuthProviderSchema = void 0;
+// Auth Provider Detection Module
+var auth_provider_detection_1 = require("./auth-provider-detection");
+// Schemas
+Object.defineProperty(exports, "detectedAuthProviderSchema", { enumerable: true, get: function () { return auth_provider_detection_1.detectedAuthProviderSchema; } });
+Object.defineProperty(exports, "authProviderDetectionResultSchema", { enumerable: true, get: function () { return auth_provider_detection_1.authProviderDetectionResultSchema; } });
+// Functions
+Object.defineProperty(exports, "detectAuthProviders", { enumerable: true, get: function () { return auth_provider_detection_1.detectAuthProviders; } });
+Object.defineProperty(exports, "deriveProviderId", { enumerable: true, get: function () { return auth_provider_detection_1.deriveProviderId; } });
+Object.defineProperty(exports, "appRequiresOrchestration", { enumerable: true, get: function () { return auth_provider_detection_1.appRequiresOrchestration; } });
+Object.defineProperty(exports, "getProviderScopes", { enumerable: true, get: function () { return auth_provider_detection_1.getProviderScopes; } });
+Object.defineProperty(exports, "getProviderApps", { enumerable: true, get: function () { return auth_provider_detection_1.getProviderApps; } });
+//# sourceMappingURL=index.js.map

package/src/auth/detection/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../src/auth/detection/index.ts"],"names":[],"mappings":";;;AAAA,iCAAiC;AACjC,qEAcmC;AAbjC,UAAU;AACV,qIAAA,0BAA0B,OAAA;AAC1B,4IAAA,iCAAiC,OAAA;AAKjC,YAAY;AACZ,8HAAA,mBAAmB,OAAA;AACnB,2HAAA,gBAAgB,OAAA;AAChB,mIAAA,wBAAwB,OAAA;AACxB,4HAAA,iBAAiB,OAAA;AACjB,0HAAA,eAAe,OAAA","sourcesContent":["// Auth Provider Detection Module\nexport {\n  // Schemas\n  detectedAuthProviderSchema,\n  authProviderDetectionResultSchema,\n  // Types\n  DetectedAuthProvider,\n  AuthProviderDetectionResult,\n  AppAuthInfo,\n  // Functions\n  detectAuthProviders,\n  deriveProviderId,\n  appRequiresOrchestration,\n  getProviderScopes,\n  getProviderApps,\n} from './auth-provider-detection';\n"]}

package/src/auth/flows/auth.verify.flow.d.ts

@@ -0,0 +1,110 @@
+import { FlowBase, FlowRunOptions } from '../../common';
+import 'reflect-metadata';
+import { z } from 'zod';
+import { Authorization } from '../authorization';
+declare const inputSchema: z.ZodObject<{
+    request: z.ZodObject<{}, z.core.$loose>;
+}, z.core.$strip>;
+declare const stateSchema: z.ZodObject<{
+    baseUrl: z.ZodString;
+    authorizationHeader: z.ZodOptional<z.ZodString>;
+    token: z.ZodOptional<z.ZodString>;
+    sessionIdHeader: z.ZodOptional<z.ZodString>;
+    prmUrl: z.ZodString;
+    wwwAuthenticateHeader: z.ZodString;
+    authMode: z.ZodOptional<z.ZodEnum<{
+        public: "public";
+        transparent: "transparent";
+        orchestrated: "orchestrated";
+    }>>;
+    jwtPayload: z.ZodOptional<z.ZodObject<{}, z.core.$loose>>;
+    user: z.ZodOptional<z.ZodObject<{
+        sub: z.ZodString;
+        name: z.ZodOptional<z.ZodString>;
+        email: z.ZodOptional<z.ZodString>;
+        picture: z.ZodOptional<z.ZodString>;
+        anonymous: z.ZodOptional<z.ZodBoolean>;
+    }, z.core.$strip>>;
+}, z.core.$strip>;
+export declare const authVerifyOutputSchema: z.ZodUnion<readonly [z.ZodObject<{
+    kind: z.ZodLiteral<"unauthorized">;
+    wwwAuthenticateHeader: z.ZodString;
+    reason: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>, z.ZodObject<{
+    kind: z.ZodLiteral<"authorized">;
+    authorization: z.ZodCustom<Authorization, Authorization>;
+    llmContext: z.ZodOptional<z.ZodObject<{
+        authorizationId: z.ZodString;
+        sessionId: z.ZodString;
+        mode: z.ZodEnum<{
+            public: "public";
+            transparent: "transparent";
+            orchestrated: "orchestrated";
+        }>;
+        isAnonymous: z.ZodBoolean;
+        user: z.ZodObject<{
+            sub: z.ZodString;
+            name: z.ZodOptional<z.ZodString>;
+        }, z.core.$strip>;
+        scopes: z.ZodArray<z.ZodString>;
+        authorizedToolIds: z.ZodArray<z.ZodString>;
+        authorizedPromptIds: z.ZodArray<z.ZodString>;
+    }, z.core.$strip>>;
+}, z.core.$strip>]>;
+export type AuthVerifyOutput = z.infer<typeof authVerifyOutputSchema>;
+declare const plan: {
+    readonly pre: ["parseInput", "determineAuthMode", "handlePublicMode", "requireAuthorizationHeader", "verifyToken"];
+    readonly execute: ["buildAuthorization"];
+};
+declare global {
+    interface ExtendFlows {
+        'auth:verify': FlowRunOptions<AuthVerifyFlow, typeof plan, typeof inputSchema, typeof authVerifyOutputSchema, typeof stateSchema>;
+    }
+}
+declare const name: "auth:verify";
+/**
+ * Auth Verify Flow
+ *
+ * New authorization verification flow that supports the three auth modes:
+ * - public: Auto-generate anonymous authorization
+ * - transparent: Pass-through OAuth tokens from upstream provider
+ * - orchestrated: Local auth server with secure token storage
+ *
+ * This flow creates Authorization objects instead of legacy Session objects.
+ */
+export default class AuthVerifyFlow extends FlowBase<typeof name> {
+    private logger;
+    /**
+     * Parse request headers and build WWW-Authenticate header
+     */
+    parseInput(): Promise<void>;
+    /**
+     * Determine which auth mode to use based on scope configuration
+     */
+    determineAuthMode(): Promise<void>;
+    /**
+     * Handle public mode - create anonymous authorization without requiring a token
+     */
+    handlePublicMode(): Promise<void>;
+    /**
+     * Require authorization header for non-public modes
+     */
+    requireAuthorizationHeader(): Promise<void>;
+    /**
+     * Verify the JWT token
+     */
+    verifyToken(): Promise<void>;
+    /**
+     * Build the Authorization object based on auth mode
+     */
+    buildAuthorization(): Promise<void>;
+    /**
+     * Parse TTL from string or number
+     */
+    private parseTtl;
+    /**
+     * Parse scopes from JWT claim
+     */
+    private parseScopes;
+}
+export {};