@frontmcp/sdk 0.4.1 → 0.5.0

package/src/auth/flows/session.verify.flow.d.ts

@@ -2,16 +2,8 @@ import { FlowBase, FlowRunOptions } from '../../common';
 import 'reflect-metadata';
 import { z } from 'zod';
 declare const inputSchema: z.ZodObject<{
-    request: z.ZodObject<{}, "passthrough", z.ZodTypeAny, z.objectOutputType<{}, z.ZodTypeAny, "passthrough">, z.objectInputType<{}, z.ZodTypeAny, "passthrough">>;
-}, "strip", z.ZodTypeAny, {
-    request: {} & {
-        [k: string]: unknown;
-    };
-}, {
-    request: {} & {
-        [k: string]: unknown;
-    };
-}>;
+    request: z.ZodObject<{}, z.core.$loose>;
+}, z.core.$strip>;
 declare const stateSchema: z.ZodObject<{
     baseUrl: z.ZodString;
     authorizationHeader: z.ZodOptional<z.ZodString>;
@@ -20,357 +12,101 @@ declare const stateSchema: z.ZodObject<{
     sessionProtocol: z.ZodOptional<z.ZodString>;
     prmMetadataPath: z.ZodOptional<z.ZodString>;
     prmMetadataHeader: z.ZodOptional<z.ZodString>;
-    jwtPayload: z.ZodOptional<z.ZodObject<{}, "passthrough", z.ZodTypeAny, z.objectOutputType<{}, z.ZodTypeAny, "passthrough">, z.objectInputType<{}, z.ZodTypeAny, "passthrough">>>;
+    jwtPayload: z.ZodOptional<z.ZodObject<{}, z.core.$loose>>;
     user: z.ZodOptional<z.ZodObject<{
         iss: z.ZodString;
         sid: z.ZodOptional<z.ZodString>;
         sub: z.ZodString;
         exp: z.ZodOptional<z.ZodNumber>;
         iat: z.ZodOptional<z.ZodNumber>;
-        aud: z.ZodOptional<z.ZodUnion<[z.ZodString, z.ZodArray<z.ZodString, "many">]>>;
+        aud: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodArray<z.ZodString>]>>;
         email: z.ZodOptional<z.ZodString>;
         username: z.ZodOptional<z.ZodString>;
         preferred_username: z.ZodOptional<z.ZodString>;
         name: z.ZodOptional<z.ZodString>;
         picture: z.ZodOptional<z.ZodString>;
-    }, "passthrough", z.ZodTypeAny, z.objectOutputType<{
-        iss: z.ZodString;
-        sid: z.ZodOptional<z.ZodString>;
-        sub: z.ZodString;
-        exp: z.ZodOptional<z.ZodNumber>;
-        iat: z.ZodOptional<z.ZodNumber>;
-        aud: z.ZodOptional<z.ZodUnion<[z.ZodString, z.ZodArray<z.ZodString, "many">]>>;
-        email: z.ZodOptional<z.ZodString>;
-        username: z.ZodOptional<z.ZodString>;
-        preferred_username: z.ZodOptional<z.ZodString>;
-        name: z.ZodOptional<z.ZodString>;
-        picture: z.ZodOptional<z.ZodString>;
-    }, z.ZodTypeAny, "passthrough">, z.objectInputType<{
-        iss: z.ZodString;
-        sid: z.ZodOptional<z.ZodString>;
-        sub: z.ZodString;
-        exp: z.ZodOptional<z.ZodNumber>;
-        iat: z.ZodOptional<z.ZodNumber>;
-        aud: z.ZodOptional<z.ZodUnion<[z.ZodString, z.ZodArray<z.ZodString, "many">]>>;
-        email: z.ZodOptional<z.ZodString>;
-        username: z.ZodOptional<z.ZodString>;
-        preferred_username: z.ZodOptional<z.ZodString>;
-        name: z.ZodOptional<z.ZodString>;
-        picture: z.ZodOptional<z.ZodString>;
-    }, z.ZodTypeAny, "passthrough">>>;
+    }, z.core.$loose>>;
     session: z.ZodOptional<z.ZodObject<{
         id: z.ZodString;
-        payload: z.ZodObject<{
+        payload: z.ZodOptional<z.ZodObject<{
             nodeId: z.ZodString;
             authSig: z.ZodString;
             uuid: z.ZodString;
             iat: z.ZodNumber;
-            protocol: z.ZodEnum<["legacy-sse", "sse", "streamable-http", "stateful-http", "stateless-http"]>;
-        }, "strip", z.ZodTypeAny, {
-            uuid: string;
-            nodeId: string;
-            authSig: string;
-            iat: number;
-            protocol: "sse" | "legacy-sse" | "streamable-http" | "stateful-http" | "stateless-http";
-        }, {
-            uuid: string;
-            nodeId: string;
-            authSig: string;
-            iat: number;
-            protocol: "sse" | "legacy-sse" | "streamable-http" | "stateful-http" | "stateless-http";
-        }>;
-    }, "strip", z.ZodTypeAny, {
-        id: string;
-        payload: {
-            uuid: string;
-            nodeId: string;
-            authSig: string;
-            iat: number;
-            protocol: "sse" | "legacy-sse" | "streamable-http" | "stateful-http" | "stateless-http";
-        };
-    }, {
-        id: string;
-        payload: {
-            uuid: string;
-            nodeId: string;
-            authSig: string;
-            iat: number;
-            protocol: "sse" | "legacy-sse" | "streamable-http" | "stateful-http" | "stateless-http";
-        };
-    }>>;
-}, "strip", z.ZodTypeAny, {
-    baseUrl: string;
-    session?: {
-        id: string;
-        payload: {
-            uuid: string;
-            nodeId: string;
-            authSig: string;
-            iat: number;
-            protocol: "sse" | "legacy-sse" | "streamable-http" | "stateful-http" | "stateless-http";
-        };
-    } | undefined;
-    prmMetadataHeader?: string | undefined;
-    token?: string | undefined;
-    user?: z.objectOutputType<{
-        iss: z.ZodString;
-        sid: z.ZodOptional<z.ZodString>;
-        sub: z.ZodString;
-        exp: z.ZodOptional<z.ZodNumber>;
-        iat: z.ZodOptional<z.ZodNumber>;
-        aud: z.ZodOptional<z.ZodUnion<[z.ZodString, z.ZodArray<z.ZodString, "many">]>>;
-        email: z.ZodOptional<z.ZodString>;
-        username: z.ZodOptional<z.ZodString>;
-        preferred_username: z.ZodOptional<z.ZodString>;
-        name: z.ZodOptional<z.ZodString>;
-        picture: z.ZodOptional<z.ZodString>;
-    }, z.ZodTypeAny, "passthrough"> | undefined;
-    authorizationHeader?: string | undefined;
-    sessionIdHeader?: string | undefined;
-    sessionProtocol?: string | undefined;
-    prmMetadataPath?: string | undefined;
-    jwtPayload?: z.objectOutputType<{}, z.ZodTypeAny, "passthrough"> | undefined;
-}, {
-    baseUrl: string;
-    session?: {
-        id: string;
-        payload: {
-            uuid: string;
-            nodeId: string;
-            authSig: string;
-            iat: number;
-            protocol: "sse" | "legacy-sse" | "streamable-http" | "stateful-http" | "stateless-http";
-        };
-    } | undefined;
-    prmMetadataHeader?: string | undefined;
-    token?: string | undefined;
-    user?: z.objectInputType<{
-        iss: z.ZodString;
-        sid: z.ZodOptional<z.ZodString>;
-        sub: z.ZodString;
-        exp: z.ZodOptional<z.ZodNumber>;
-        iat: z.ZodOptional<z.ZodNumber>;
-        aud: z.ZodOptional<z.ZodUnion<[z.ZodString, z.ZodArray<z.ZodString, "many">]>>;
-        email: z.ZodOptional<z.ZodString>;
-        username: z.ZodOptional<z.ZodString>;
-        preferred_username: z.ZodOptional<z.ZodString>;
-        name: z.ZodOptional<z.ZodString>;
-        picture: z.ZodOptional<z.ZodString>;
-    }, z.ZodTypeAny, "passthrough"> | undefined;
-    authorizationHeader?: string | undefined;
-    sessionIdHeader?: string | undefined;
-    sessionProtocol?: string | undefined;
-    prmMetadataPath?: string | undefined;
-    jwtPayload?: z.objectInputType<{}, z.ZodTypeAny, "passthrough"> | undefined;
-}>;
-export declare const sessionVerifyOutputSchema: z.ZodUnion<[z.ZodObject<{
+            protocol: z.ZodOptional<z.ZodEnum<{
+                "legacy-sse": "legacy-sse";
+                sse: "sse";
+                "streamable-http": "streamable-http";
+                "stateful-http": "stateful-http";
+                "stateless-http": "stateless-http";
+            }>>;
+            isPublic: z.ZodOptional<z.ZodBoolean>;
+            platformType: z.ZodOptional<z.ZodEnum<{
+                unknown: "unknown";
+                continue: "continue";
+                openai: "openai";
+                claude: "claude";
+                gemini: "gemini";
+                cursor: "cursor";
+                cody: "cody";
+                "generic-mcp": "generic-mcp";
+                "ext-apps": "ext-apps";
+            }>>;
+        }, z.core.$strip>>;
+    }, z.core.$strip>>;
+}, z.core.$strip>;
+export declare const sessionVerifyOutputSchema: z.ZodUnion<readonly [z.ZodObject<{
     kind: z.ZodLiteral<"unauthorized">;
     prmMetadataHeader: z.ZodString;
-}, "strip", z.ZodTypeAny, {
-    kind: "unauthorized";
-    prmMetadataHeader: string;
-}, {
-    kind: "unauthorized";
-    prmMetadataHeader: string;
-}>, z.ZodObject<{
+}, z.core.$strip>, z.ZodObject<{
     kind: z.ZodLiteral<"authorized">;
     authorization: z.ZodObject<{
         token: z.ZodString;
         session: z.ZodOptional<z.ZodObject<{
             id: z.ZodString;
-            payload: z.ZodObject<{
+            payload: z.ZodOptional<z.ZodObject<{
                 nodeId: z.ZodString;
                 authSig: z.ZodString;
                 uuid: z.ZodString;
                 iat: z.ZodNumber;
-                protocol: z.ZodEnum<["legacy-sse", "sse", "streamable-http", "stateful-http", "stateless-http"]>;
-            }, "strip", z.ZodTypeAny, {
-                uuid: string;
-                nodeId: string;
-                authSig: string;
-                iat: number;
-                protocol: "sse" | "legacy-sse" | "streamable-http" | "stateful-http" | "stateless-http";
-            }, {
-                uuid: string;
-                nodeId: string;
-                authSig: string;
-                iat: number;
-                protocol: "sse" | "legacy-sse" | "streamable-http" | "stateful-http" | "stateless-http";
-            }>;
-        }, "strip", z.ZodTypeAny, {
-            id: string;
-            payload: {
-                uuid: string;
-                nodeId: string;
-                authSig: string;
-                iat: number;
-                protocol: "sse" | "legacy-sse" | "streamable-http" | "stateful-http" | "stateless-http";
-            };
-        }, {
-            id: string;
-            payload: {
-                uuid: string;
-                nodeId: string;
-                authSig: string;
-                iat: number;
-                protocol: "sse" | "legacy-sse" | "streamable-http" | "stateful-http" | "stateless-http";
-            };
-        }>>;
+                protocol: z.ZodOptional<z.ZodEnum<{
+                    "legacy-sse": "legacy-sse";
+                    sse: "sse";
+                    "streamable-http": "streamable-http";
+                    "stateful-http": "stateful-http";
+                    "stateless-http": "stateless-http";
+                }>>;
+                isPublic: z.ZodOptional<z.ZodBoolean>;
+                platformType: z.ZodOptional<z.ZodEnum<{
+                    unknown: "unknown";
+                    continue: "continue";
+                    openai: "openai";
+                    claude: "claude";
+                    gemini: "gemini";
+                    cursor: "cursor";
+                    cody: "cody";
+                    "generic-mcp": "generic-mcp";
+                    "ext-apps": "ext-apps";
+                }>>;
+            }, z.core.$strip>>;
+        }, z.core.$strip>>;
         user: z.ZodObject<{
             iss: z.ZodString;
             sid: z.ZodOptional<z.ZodString>;
             sub: z.ZodString;
             exp: z.ZodOptional<z.ZodNumber>;
             iat: z.ZodOptional<z.ZodNumber>;
-            aud: z.ZodOptional<z.ZodUnion<[z.ZodString, z.ZodArray<z.ZodString, "many">]>>;
+            aud: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodArray<z.ZodString>]>>;
             email: z.ZodOptional<z.ZodString>;
             username: z.ZodOptional<z.ZodString>;
             preferred_username: z.ZodOptional<z.ZodString>;
             name: z.ZodOptional<z.ZodString>;
             picture: z.ZodOptional<z.ZodString>;
-        }, "passthrough", z.ZodTypeAny, z.objectOutputType<{
-            iss: z.ZodString;
-            sid: z.ZodOptional<z.ZodString>;
-            sub: z.ZodString;
-            exp: z.ZodOptional<z.ZodNumber>;
-            iat: z.ZodOptional<z.ZodNumber>;
-            aud: z.ZodOptional<z.ZodUnion<[z.ZodString, z.ZodArray<z.ZodString, "many">]>>;
-            email: z.ZodOptional<z.ZodString>;
-            username: z.ZodOptional<z.ZodString>;
-            preferred_username: z.ZodOptional<z.ZodString>;
-            name: z.ZodOptional<z.ZodString>;
-            picture: z.ZodOptional<z.ZodString>;
-        }, z.ZodTypeAny, "passthrough">, z.objectInputType<{
-            iss: z.ZodString;
-            sid: z.ZodOptional<z.ZodString>;
-            sub: z.ZodString;
-            exp: z.ZodOptional<z.ZodNumber>;
-            iat: z.ZodOptional<z.ZodNumber>;
-            aud: z.ZodOptional<z.ZodUnion<[z.ZodString, z.ZodArray<z.ZodString, "many">]>>;
-            email: z.ZodOptional<z.ZodString>;
-            username: z.ZodOptional<z.ZodString>;
-            preferred_username: z.ZodOptional<z.ZodString>;
-            name: z.ZodOptional<z.ZodString>;
-            picture: z.ZodOptional<z.ZodString>;
-        }, z.ZodTypeAny, "passthrough">>;
-    }, "strip", z.ZodTypeAny, {
-        token: string;
-        user: {
-            sub: string;
-            iss: string;
-            name?: string | undefined;
-            email?: string | undefined;
-            iat?: number | undefined;
-            sid?: string | undefined;
-            exp?: number | undefined;
-            aud?: string | string[] | undefined;
-            username?: string | undefined;
-            preferred_username?: string | undefined;
-            picture?: string | undefined;
-        } & {
-            [k: string]: unknown;
-        };
-        session?: {
-            id: string;
-            payload: {
-                uuid: string;
-                nodeId: string;
-                authSig: string;
-                iat: number;
-                protocol: "sse" | "legacy-sse" | "streamable-http" | "stateful-http" | "stateless-http";
-            };
-        } | undefined;
-    }, {
-        token: string;
-        user: {
-            sub: string;
-            iss: string;
-            name?: string | undefined;
-            email?: string | undefined;
-            iat?: number | undefined;
-            sid?: string | undefined;
-            exp?: number | undefined;
-            aud?: string | string[] | undefined;
-            username?: string | undefined;
-            preferred_username?: string | undefined;
-            picture?: string | undefined;
-        } & {
-            [k: string]: unknown;
-        };
-        session?: {
-            id: string;
-            payload: {
-                uuid: string;
-                nodeId: string;
-                authSig: string;
-                iat: number;
-                protocol: "sse" | "legacy-sse" | "streamable-http" | "stateful-http" | "stateless-http";
-            };
-        } | undefined;
-    }>;
-}, "strip", z.ZodTypeAny, {
-    kind: "authorized";
-    authorization: {
-        token: string;
-        user: {
-            sub: string;
-            iss: string;
-            name?: string | undefined;
-            email?: string | undefined;
-            iat?: number | undefined;
-            sid?: string | undefined;
-            exp?: number | undefined;
-            aud?: string | string[] | undefined;
-            username?: string | undefined;
-            preferred_username?: string | undefined;
-            picture?: string | undefined;
-        } & {
-            [k: string]: unknown;
-        };
-        session?: {
-            id: string;
-            payload: {
-                uuid: string;
-                nodeId: string;
-                authSig: string;
-                iat: number;
-                protocol: "sse" | "legacy-sse" | "streamable-http" | "stateful-http" | "stateless-http";
-            };
-        } | undefined;
-    };
-}, {
-    kind: "authorized";
-    authorization: {
-        token: string;
-        user: {
-            sub: string;
-            iss: string;
-            name?: string | undefined;
-            email?: string | undefined;
-            iat?: number | undefined;
-            sid?: string | undefined;
-            exp?: number | undefined;
-            aud?: string | string[] | undefined;
-            username?: string | undefined;
-            preferred_username?: string | undefined;
-            picture?: string | undefined;
-        } & {
-            [k: string]: unknown;
-        };
-        session?: {
-            id: string;
-            payload: {
-                uuid: string;
-                nodeId: string;
-                authSig: string;
-                iat: number;
-                protocol: "sse" | "legacy-sse" | "streamable-http" | "stateful-http" | "stateless-http";
-            };
-        } | undefined;
-    };
-}>]>;
+        }, z.core.$loose>;
+    }, z.core.$strip>;
+}, z.core.$strip>]>;
 declare const plan: {
-    readonly pre: ["parseInput", "requireAuthorizationHeader", "verifyIfJwt"];
+    readonly pre: ["parseInput", "handlePublicMode", "requireAuthorizationHeader", "verifyIfJwt"];
     readonly execute: ["deriveUser", "parseSessionHeader", "buildAuthorizedOutput"];
 };
 declare global {
@@ -381,6 +117,15 @@ declare global {
 declare const name: "session:verify";
 export default class SessionVerifyFlow extends FlowBase<typeof name> {
     parseInput(): Promise<void>;
+    /**
+     * Handle public mode - allow anonymous access without requiring authorization
+     * In public mode, we create an anonymous authorization with a stateful session
+     * but NO token. This allows public docs/CI to work without Authorization header.
+     *
+     * CRITICAL: When client sends mcp-session-id header, we MUST use that exact ID
+     * for transport registry lookup. Creating a new session ID would cause mismatch.
+     */
+    handlePublicMode(): Promise<void>;
     requireAuthorizationOrChallenge(): Promise<void>;
     /**
      * If Authorization is a JWT:

package/src/auth/flows/session.verify.flow.js

@@ -6,10 +6,10 @@ const tslib_1 = require("tslib");
 const common_1 = require("../../common");
 require("reflect-metadata");
 const zod_1 = require("zod");
-const path_utils_1 = require("../path.utils");
 const auth_token_utils_1 = require("../session/utils/auth-token.utils");
 const jwks_1 = require("../jwks");
 const session_id_utils_1 = require("../session/utils/session-id.utils");
+const authorization_1 = require("../authorization");
 const inputSchema = common_1.httpRequestInputSchema;
 const stateSchema = zod_1.z.object({
     baseUrl: zod_1.z.string().min(1),
@@ -28,7 +28,7 @@ const UnauthorizedSchema = zod_1.z
     kind: zod_1.z.literal('unauthorized'),
     prmMetadataHeader: zod_1.z.string().describe('Path to protected resource metadata'),
 })
-    .describe('401 Unauthorized with \'WWW-Authenticate\' header for requesting authentication\'');
+    .describe("401 Unauthorized with 'WWW-Authenticate' header for requesting authentication");
 const AuthorizedSchema = zod_1.z
     .object({
     kind: zod_1.z.literal('authorized'),
@@ -37,7 +37,7 @@ const AuthorizedSchema = zod_1.z
     .describe('Authorized session information');
 exports.sessionVerifyOutputSchema = zod_1.z.union([UnauthorizedSchema, AuthorizedSchema]);
 const plan = {
-    pre: ['parseInput', 'requireAuthorizationHeader', 'verifyIfJwt'],
+    pre: ['parseInput', 'handlePublicMode', 'requireAuthorizationHeader', 'verifyIfJwt'],
     execute: ['deriveUser', 'parseSessionHeader', 'buildAuthorizedOutput'],
 };
 const name = 'session:verify';
@@ -45,17 +45,19 @@ const Stage = (0, common_1.StageHookOf)(name);
 let SessionVerifyFlow = class SessionVerifyFlow extends common_1.FlowBase {
     async parseInput() {
         const { request } = this.rawInput;
-        const entryPath = (0, path_utils_1.normalizeEntryPrefix)(this.scope.entryPath);
-        const routeBase = (0, path_utils_1.normalizeScopeBase)(this.scope.routeBase);
-        const baseUrl = (0, path_utils_1.getRequestBaseUrl)(request, entryPath);
+        const entryPath = (0, common_1.normalizeEntryPrefix)(this.scope.entryPath);
+        const routeBase = (0, common_1.normalizeScopeBase)(this.scope.routeBase);
+        const baseUrl = (0, common_1.getRequestBaseUrl)(request, entryPath);
         const authorizationHeader = request.headers?.['authorization'] ?? undefined;
         const httpTransportHeader = request.headers?.['http-transport'];
         const sessionIdRawHeader = request.headers?.['mcp-session-id'];
         const sessionIdQuery = request.query['sessionId'];
         const sessionIdHeader = sessionIdRawHeader ?? sessionIdQuery ?? undefined;
+        // Use sessionIdRawHeader (not sessionIdHeader) to distinguish header vs query param
+        // sessionIdHeader is the merged value, but we need to know the source for protocol selection
         const sessionProtocol = httpTransportHeader
             ? 'http'
-            : sessionIdHeader
+            : sessionIdRawHeader
                 ? 'streamable-http'
                 : sessionIdQuery
                     ? 'sse'
@@ -73,6 +75,75 @@ let SessionVerifyFlow = class SessionVerifyFlow extends common_1.FlowBase {
             prmMetadataHeader,
         });
     }
+    /**
+     * Handle public mode - allow anonymous access without requiring authorization
+     * In public mode, we create an anonymous authorization with a stateful session
+     * but NO token. This allows public docs/CI to work without Authorization header.
+     *
+     * CRITICAL: When client sends mcp-session-id header, we MUST use that exact ID
+     * for transport registry lookup. Creating a new session ID would cause mismatch.
+     */
+    async handlePublicMode() {
+        const authOptions = this.scope.auth?.options;
+        // Skip if not public mode or if authorization header is present (authenticated public)
+        if (!authOptions || !(0, common_1.isPublicMode)(authOptions)) {
+            return;
+        }
+        // If token is present, let the normal verification flow handle it
+        if (this.state.token) {
+            return;
+        }
+        const sessionIdHeader = this.state.sessionIdHeader;
+        const machineId = (0, authorization_1.getMachineId)();
+        // CRITICAL: If client sent session ID, ALWAYS use it for transport lookup.
+        // The transport registry uses this ID as the key. Creating a different ID
+        // would cause "session not initialized" error.
+        if (sessionIdHeader) {
+            // Try to decrypt/validate for payload extraction (optional - for nodeId validation)
+            const existingPayload = (0, session_id_utils_1.decryptPublicSession)(sessionIdHeader);
+            // Determine user based on whether we could extract payload
+            const user = existingPayload
+                ? { sub: `anon:${existingPayload.iat * 1000}`, iss: 'public', name: 'Anonymous' }
+                : { sub: `anon:${crypto.randomUUID()}`, iss: 'public', name: 'Anonymous' };
+            // ALWAYS use client's session ID, regardless of validation result.
+            // If payload is valid and nodeId matches, include payload for protocol detection.
+            // If validation failed, transport layer will handle the error appropriately.
+            this.respond({
+                kind: 'authorized',
+                authorization: {
+                    token: '',
+                    user,
+                    session: {
+                        id: sessionIdHeader, // ← CRITICAL: Always use client's session ID
+                        payload: existingPayload && existingPayload.nodeId === machineId ? existingPayload : undefined,
+                    },
+                },
+            });
+            return;
+        }
+        // No session header → create new session (initialize request)
+        // For new sessions, don't pre-determine protocol. Let transport handler detect it.
+        const now = Date.now();
+        const user = { sub: `anon:${crypto.randomUUID()}`, iss: 'public', name: 'Anonymous' };
+        const uuid = crypto.randomUUID();
+        // Create a valid session payload matching the SessionIdPayload schema
+        const payload = {
+            uuid,
+            nodeId: machineId,
+            authSig: 'public',
+            iat: Math.floor(now / 1000),
+            isPublic: true,
+        };
+        const sessionId = (0, session_id_utils_1.encryptJson)(payload);
+        this.respond({
+            kind: 'authorized',
+            authorization: {
+                token: '',
+                user,
+                session: { id: sessionId, payload },
+            },
+        });
+    }
     async requireAuthorizationOrChallenge() {
         this.respond({
             kind: 'unauthorized',
@@ -91,7 +162,7 @@ let SessionVerifyFlow = class SessionVerifyFlow extends common_1.FlowBase {
         const jwks = this.get(jwks_1.JwksService); // TODO: fix providers
         const token = this.state.required.token;
         if (!(0, auth_token_utils_1.isJwt)(token)) {
-            // Non-JWT tokens are passed through; user will be mostly empty (the best effort later).
+            // Non-JWT tokens are not supported - require JWT for verification
             this.respond({
                 kind: 'unauthorized',
                 prmMetadataHeader: this.state.required.prmMetadataHeader,
@@ -99,23 +170,35 @@ let SessionVerifyFlow = class SessionVerifyFlow extends common_1.FlowBase {
             return;
         }
         // Best-effort verification using locally known keys (gateway/local provider cache).
-        let verify;
-        if (this.scope.auth.options.type === 'local') { // TODO: fix
-            verify = jwks.verifyGatewayToken(token, this.state.required.baseUrl);
+        // Add defensive null check for this.scope.auth (consistent with line 130)
+        const auth = this.scope.auth;
+        if (!auth) {
+            this.respond({
+                kind: 'unauthorized',
+                prmMetadataHeader: this.state.required.prmMetadataHeader,
+            });
+            return;
         }
-        else {
-            const primary = this.scope.auth.options;
-            const issuer = this.scope.auth.issuer;
+        let verify;
+        const authOptions = auth.options;
+        // Transparent mode uses remote provider's keys, all other modes use local keys
+        if ((0, common_1.isTransparentMode)(authOptions)) {
+            const primary = authOptions;
+            const issuer = auth.issuer;
             const providerRefs = [
                 {
-                    id: primary.id ?? 'default',
+                    id: primary.remote.id ?? 'default',
                     issuerUrl: issuer,
-                    jwks: primary.jwks,
-                    jwksUri: primary.jwksUri,
+                    jwks: primary.remote.jwks,
+                    jwksUri: primary.remote.jwksUri,
                 },
             ];
             verify = jwks.verifyTransparentToken(token, providerRefs);
         }
+        else {
+            // Public or orchestrated mode - verify against local gateway keys
+            verify = jwks.verifyGatewayToken(token, this.state.required.baseUrl);
+        }
         const result = await verify;
         if (result.ok) {
             this.state.set({ jwtPayload: result.payload });
@@ -136,7 +219,7 @@ let SessionVerifyFlow = class SessionVerifyFlow extends common_1.FlowBase {
      * - If NOT valid, ignore (no session)
      */
     async parseSessionHeader() {
-        const { sessionIdHeader, required: { token } } = this.state;
+        const { sessionIdHeader, required: { token }, } = this.state;
         const session = (0, session_id_utils_1.parseSessionHeader)(sessionIdHeader, token);
         if (session) {
             this.state.set('session', session);
@@ -160,6 +243,12 @@ tslib_1.__decorate([
     tslib_1.__metadata("design:paramtypes", []),
     tslib_1.__metadata("design:returntype", Promise)
 ], SessionVerifyFlow.prototype, "parseInput", null);
+tslib_1.__decorate([
+    Stage('handlePublicMode'),
+    tslib_1.__metadata("design:type", Function),
+    tslib_1.__metadata("design:paramtypes", []),
+    tslib_1.__metadata("design:returntype", Promise)
+], SessionVerifyFlow.prototype, "handlePublicMode", null);
 tslib_1.__decorate([
     Stage('requireAuthorizationHeader', {
         filter: ({ state }) => !state.authorizationHeader,