npm - @frontmcp/sdk - Versions diffs - 0.4.1 → 0.5.0 - Mend

@frontmcp/sdk 0.4.1 → 0.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (558) hide show

package/README.md +30 -18
package/package.json +20 -5
package/src/app/app.registry.d.ts +3 -2
package/src/app/app.registry.js +3 -1
package/src/app/app.registry.js.map +1 -1
package/src/app/instances/app.local.instance.js +2 -2
package/src/app/instances/app.local.instance.js.map +1 -1
package/src/auth/auth.registry.d.ts +34 -2
package/src/auth/auth.registry.js +162 -24
package/src/auth/auth.registry.js.map +1 -1
package/src/auth/auth.utils.js +8 -9
package/src/auth/auth.utils.js.map +1 -1
package/src/auth/authorization/authorization.class.d.ts +125 -0
package/src/auth/authorization/authorization.class.js +224 -0
package/src/auth/authorization/authorization.class.js.map +1 -0
package/src/auth/authorization/authorization.types.d.ts +300 -0
package/src/auth/authorization/authorization.types.js +79 -0
package/src/auth/authorization/authorization.types.js.map +1 -0
package/src/auth/authorization/index.d.ts +5 -0
package/src/auth/authorization/index.js +19 -0
package/src/auth/authorization/index.js.map +1 -0
package/src/auth/authorization/orchestrated.authorization.d.ts +242 -0
package/src/auth/authorization/orchestrated.authorization.js +306 -0
package/src/auth/authorization/orchestrated.authorization.js.map +1 -0
package/src/auth/authorization/public.authorization.d.ts +91 -0
package/src/auth/authorization/public.authorization.js +132 -0
package/src/auth/authorization/public.authorization.js.map +1 -0
package/src/auth/authorization/transparent.authorization.d.ts +130 -0
package/src/auth/authorization/transparent.authorization.js +147 -0
package/src/auth/authorization/transparent.authorization.js.map +1 -0
package/src/auth/consent/consent.types.d.ts +111 -0
package/src/auth/consent/consent.types.js +119 -0
package/src/auth/consent/consent.types.js.map +1 -0
package/src/auth/consent/index.d.ts +1 -0
package/src/auth/consent/index.js +13 -0
package/src/auth/consent/index.js.map +1 -0
package/src/auth/detection/auth-provider-detection.d.ts +84 -0
package/src/auth/detection/auth-provider-detection.js +230 -0
package/src/auth/detection/auth-provider-detection.js.map +1 -0
package/src/auth/detection/index.d.ts +1 -0
package/src/auth/detection/index.js +15 -0
package/src/auth/detection/index.js.map +1 -0
package/src/auth/flows/auth.verify.flow.d.ts +110 -0
package/src/auth/flows/auth.verify.flow.js +379 -0
package/src/auth/flows/auth.verify.flow.js.map +1 -0
package/src/auth/flows/oauth.authorize.flow.d.ts +118 -164
package/src/auth/flows/oauth.authorize.flow.js +701 -33
package/src/auth/flows/oauth.authorize.flow.js.map +1 -1
package/src/auth/flows/oauth.callback.flow.d.ts +117 -0
package/src/auth/flows/oauth.callback.flow.js +357 -0
package/src/auth/flows/oauth.callback.flow.js.map +1 -0
package/src/auth/flows/oauth.register.flow.d.ts +32 -125
package/src/auth/flows/oauth.token.flow.d.ts +52 -154
package/src/auth/flows/oauth.token.flow.js +193 -55
package/src/auth/flows/oauth.token.flow.js.map +1 -1
package/src/auth/flows/session.verify.flow.d.ts +66 -321
package/src/auth/flows/session.verify.flow.js +107 -18
package/src/auth/flows/session.verify.flow.js.map +1 -1
package/src/auth/flows/well-known.jwks.flow.d.ts +34 -205
package/src/auth/flows/well-known.jwks.flow.js +15 -8
package/src/auth/flows/well-known.jwks.flow.js.map +1 -1
package/src/auth/flows/well-known.oauth-authorization-server.flow.d.ts +48 -223
package/src/auth/flows/well-known.oauth-authorization-server.flow.js +2 -3
package/src/auth/flows/well-known.oauth-authorization-server.flow.js.map +1 -1
package/src/auth/flows/well-known.prm.flow.d.ts +19 -120
package/src/auth/flows/well-known.prm.flow.js +3 -4
package/src/auth/flows/well-known.prm.flow.js.map +1 -1
package/src/auth/instances/instance.local-primary-auth.d.ts +91 -4
package/src/auth/instances/instance.local-primary-auth.js +236 -6
package/src/auth/instances/instance.local-primary-auth.js.map +1 -1
package/src/auth/instances/instance.remote-primary-auth.d.ts +4 -3
package/src/auth/instances/instance.remote-primary-auth.js +2 -2
package/src/auth/instances/instance.remote-primary-auth.js.map +1 -1
package/src/auth/session/authorization-vault.d.ts +611 -0
package/src/auth/session/authorization-vault.js +817 -0
package/src/auth/session/authorization-vault.js.map +1 -0
package/src/auth/session/authorization.store.d.ts +301 -0
package/src/auth/session/authorization.store.js +323 -0
package/src/auth/session/authorization.store.js.map +1 -0
package/src/auth/session/encrypted-authorization-vault.d.ts +181 -0
package/src/auth/session/encrypted-authorization-vault.js +493 -0
package/src/auth/session/encrypted-authorization-vault.js.map +1 -0
package/src/auth/session/index.d.ts +4 -4
package/src/auth/session/index.js +11 -7
package/src/auth/session/index.js.map +1 -1
package/src/auth/session/session.schema.d.ts +1 -1
package/src/auth/session/session.service.d.ts +1 -1
package/src/auth/session/transport-session.manager.d.ts +101 -0
package/src/auth/session/transport-session.manager.js +300 -0
package/src/auth/session/transport-session.manager.js.map +1 -0
package/src/auth/session/transport-session.types.d.ts +457 -0
package/src/auth/session/transport-session.types.js +110 -0
package/src/auth/session/transport-session.types.js.map +1 -0
package/src/auth/session/utils/session-id.utils.d.ts +14 -2
package/src/auth/session/utils/session-id.utils.js +68 -19
package/src/auth/session/utils/session-id.utils.js.map +1 -1
package/src/auth/session/vault-encryption.d.ts +189 -0
package/src/auth/session/vault-encryption.js +263 -0
package/src/auth/session/vault-encryption.js.map +1 -0
package/src/auth/ui/base-layout.d.ts +188 -0
package/src/auth/ui/base-layout.js +292 -0
package/src/auth/ui/base-layout.js.map +1 -0
package/src/auth/ui/htmx-templates.d.ts +135 -0
package/src/auth/ui/htmx-templates.js +433 -0
package/src/auth/ui/htmx-templates.js.map +1 -0
package/src/auth/ui/index.d.ts +11 -0
package/src/auth/ui/index.js +35 -0
package/src/auth/ui/index.js.map +1 -0
package/src/auth/utils/audience.validator.d.ts +129 -0
package/src/auth/utils/audience.validator.js +196 -0
package/src/auth/utils/audience.validator.js.map +1 -0
package/src/auth/utils/index.d.ts +2 -0
package/src/auth/utils/index.js +7 -0
package/src/auth/utils/index.js.map +1 -0
package/src/auth/utils/www-authenticate.utils.d.ts +97 -0
package/src/auth/utils/www-authenticate.utils.js +183 -0
package/src/auth/utils/www-authenticate.utils.js.map +1 -0
package/src/common/common.schema.d.ts +2 -16
package/src/common/constants.d.ts +3 -0
package/src/common/constants.js +6 -1
package/src/common/constants.js.map +1 -1
package/src/common/decorators/decorator-utils.d.ts +131 -0
package/src/common/decorators/decorator-utils.js +195 -0
package/src/common/decorators/decorator-utils.js.map +1 -0
package/src/common/decorators/front-mcp.decorator.js +3 -2
package/src/common/decorators/front-mcp.decorator.js.map +1 -1
package/src/common/decorators/hook.decorator.d.ts +58 -2
package/src/common/decorators/hook.decorator.js +127 -17
package/src/common/decorators/hook.decorator.js.map +1 -1
package/src/common/decorators/plugin.decorator.d.ts +1 -1
package/src/common/decorators/plugin.decorator.js +11 -10
package/src/common/decorators/plugin.decorator.js.map +1 -1
package/src/common/decorators/resource.decorator.d.ts +32 -3
package/src/common/decorators/resource.decorator.js +46 -4
package/src/common/decorators/resource.decorator.js.map +1 -1
package/src/common/decorators/tool.decorator.d.ts +54 -5
package/src/common/decorators/tool.decorator.js.map +1 -1
package/src/common/dynamic/dynamic.plugin.d.ts +22 -11
package/src/common/dynamic/dynamic.plugin.js +7 -1
package/src/common/dynamic/dynamic.plugin.js.map +1 -1
package/src/common/entries/prompt.entry.d.ts +46 -2
package/src/common/entries/prompt.entry.js +10 -0
package/src/common/entries/prompt.entry.js.map +1 -1
package/src/common/entries/resource.entry.d.ts +69 -6
package/src/common/entries/resource.entry.js +27 -3
package/src/common/entries/resource.entry.js.map +1 -1
package/src/common/entries/scope.entry.d.ts +5 -1
package/src/common/entries/scope.entry.js +3 -3
package/src/common/entries/scope.entry.js.map +1 -1
package/src/common/flow/flow.utils.d.ts +56 -0
package/src/common/flow/flow.utils.js +96 -0
package/src/common/flow/flow.utils.js.map +1 -0
package/src/common/index.d.ts +2 -2
package/src/common/index.js +2 -2
package/src/common/index.js.map +1 -1
package/src/common/interfaces/execution-context.interface.d.ts +59 -0
package/src/common/interfaces/execution-context.interface.js +81 -0
package/src/common/interfaces/execution-context.interface.js.map +1 -0
package/src/common/interfaces/flow.interface.d.ts +1 -1
package/src/common/interfaces/flow.interface.js.map +1 -1
package/src/common/interfaces/index.d.ts +1 -0
package/src/common/interfaces/index.js +1 -0
package/src/common/interfaces/index.js.map +1 -1
package/src/common/interfaces/internal/primary-auth-provider.interface.d.ts +17 -2
package/src/common/interfaces/internal/primary-auth-provider.interface.js +52 -4
package/src/common/interfaces/internal/primary-auth-provider.interface.js.map +1 -1
package/src/common/interfaces/internal/registry.interface.d.ts +16 -2
package/src/common/interfaces/internal/registry.interface.js.map +1 -1
package/src/common/interfaces/plugin.interface.js.map +1 -1
package/src/common/interfaces/prompt.interface.d.ts +53 -4
package/src/common/interfaces/prompt.interface.js +78 -0
package/src/common/interfaces/prompt.interface.js.map +1 -1
package/src/common/interfaces/resource.interface.d.ts +47 -17
package/src/common/interfaces/resource.interface.js +53 -0
package/src/common/interfaces/resource.interface.js.map +1 -1
package/src/common/interfaces/tool.interface.d.ts +39 -22
package/src/common/interfaces/tool.interface.js +61 -34
package/src/common/interfaces/tool.interface.js.map +1 -1
package/src/common/metadata/adapter.metadata.d.ts +1 -9
package/src/common/metadata/app.metadata.d.ts +425 -730
package/src/common/metadata/auth-provider.metadata.d.ts +2 -12
package/src/common/metadata/flow.metadata.d.ts +10 -25
package/src/common/metadata/front-mcp.metadata.d.ts +602 -1023
package/src/common/metadata/front-mcp.metadata.js +6 -4
package/src/common/metadata/front-mcp.metadata.js.map +1 -1
package/src/common/metadata/hook.metadata.d.ts +1 -1
package/src/common/metadata/hook.metadata.js.map +1 -1
package/src/common/metadata/index.d.ts +1 -0
package/src/common/metadata/index.js +1 -0
package/src/common/metadata/index.js.map +1 -1
package/src/common/metadata/logger.metadata.d.ts +1 -9
package/src/common/metadata/plugin.metadata.d.ts +8 -30
package/src/common/metadata/prompt.metadata.d.ts +4 -161
package/src/common/metadata/provider.metadata.d.ts +2 -12
package/src/common/metadata/resource.metadata.d.ts +6 -98
package/src/common/metadata/resource.metadata.js +15 -6
package/src/common/metadata/resource.metadata.js.map +1 -1
package/src/common/metadata/tool-ui.metadata.d.ts +10 -0
package/src/common/metadata/tool-ui.metadata.js +12 -0
package/src/common/metadata/tool-ui.metadata.js.map +1 -0
package/src/common/metadata/tool.metadata.d.ts +78 -199
package/src/common/metadata/tool.metadata.js +11 -14
package/src/common/metadata/tool.metadata.js.map +1 -1
package/src/common/providers/base-config.provider.d.ts +84 -0
package/src/common/providers/base-config.provider.js +128 -0
package/src/common/providers/base-config.provider.js.map +1 -0
package/src/common/records/plugin.record.d.ts +5 -6
package/src/common/records/plugin.record.js.map +1 -1
package/src/common/records/prompt.record.js.map +1 -1
package/src/common/records/resource.record.d.ts +17 -1
package/src/common/records/resource.record.js +12 -6
package/src/common/records/resource.record.js.map +1 -1
package/src/common/records/tool.record.js.map +1 -1
package/src/common/schemas/annotated-class.schema.d.ts +9 -9
package/src/common/schemas/annotated-class.schema.js +92 -27
package/src/common/schemas/annotated-class.schema.js.map +1 -1
package/src/common/schemas/http-input.schema.d.ts +6 -30
package/src/common/schemas/http-output.schema.d.ts +326 -1630
package/src/common/schemas/http-output.schema.js +39 -1
package/src/common/schemas/http-output.schema.js.map +1 -1
package/src/common/tokens/front-mcp.tokens.js +4 -1
package/src/common/tokens/front-mcp.tokens.js.map +1 -1
package/src/common/tokens/resource.tokens.d.ts +2 -0
package/src/common/tokens/resource.tokens.js +4 -1
package/src/common/tokens/resource.tokens.js.map +1 -1
package/src/common/tokens/tool.tokens.d.ts +2 -0
package/src/common/tokens/tool.tokens.js +2 -0
package/src/common/tokens/tool.tokens.js.map +1 -1
package/src/common/types/auth/jwt.types.d.ts +5 -31
package/src/common/types/auth/session.types.d.ts +97 -192
package/src/common/types/auth/session.types.js +24 -11
package/src/common/types/auth/session.types.js.map +1 -1
package/src/common/types/options/auth.options.d.ts +1013 -490
package/src/common/types/options/auth.options.js +554 -36
package/src/common/types/options/auth.options.js.map +1 -1
package/src/common/types/options/http.options.d.ts +1 -9
package/src/common/types/options/logging.options.d.ts +7 -13
package/src/common/types/options/logging.options.js +4 -0
package/src/common/types/options/logging.options.js.map +1 -1
package/src/common/types/options/server-info.options.d.ts +3 -31
package/src/common/types/options/session.options.d.ts +90 -10
package/src/common/types/options/session.options.js +26 -3
package/src/common/types/options/session.options.js.map +1 -1
package/src/common/utils/decide-request-intent.utils.d.ts +8 -46
package/src/common/utils/decide-request-intent.utils.js +88 -23
package/src/common/utils/decide-request-intent.utils.js.map +1 -1
package/src/completion/flows/complete.flow.d.ts +74 -0
package/src/completion/flows/complete.flow.js +199 -0
package/src/completion/flows/complete.flow.js.map +1 -0
package/src/errors/authorization-required.error.d.ts +189 -0
package/src/errors/authorization-required.error.js +274 -0
package/src/errors/authorization-required.error.js.map +1 -0
package/src/errors/index.d.ts +2 -1
package/src/errors/index.js +17 -1
package/src/errors/index.js.map +1 -1
package/src/errors/mcp.error.d.ts +101 -1
package/src/errors/mcp.error.js +147 -2
package/src/errors/mcp.error.js.map +1 -1
package/src/flows/flow.instance.js +4 -3
package/src/flows/flow.instance.js.map +1 -1
package/src/flows/flow.registry.js.map +1 -1
package/src/flows/flow.stages.js +14 -11
package/src/flows/flow.stages.js.map +1 -1
package/src/front-mcp/front-mcp.providers.d.ts +464 -102
package/src/front-mcp/front-mcp.providers.js +3 -5
package/src/front-mcp/front-mcp.providers.js.map +1 -1
package/src/hooks/hook.instance.d.ts +1 -1
package/src/hooks/hook.instance.js +5 -2
package/src/hooks/hook.instance.js.map +1 -1
package/src/hooks/hook.registry.js +7 -5
package/src/hooks/hook.registry.js.map +1 -1
package/src/index.d.ts +28 -9
package/src/index.js +5 -1
package/src/index.js.map +1 -1
package/src/logger/instances/instance.logger.js +3 -2
package/src/logger/instances/instance.logger.js.map +1 -1
package/src/logger/logger.registry.js +7 -2
package/src/logger/logger.registry.js.map +1 -1
package/src/logging/flows/set-level.flow.d.ts +62 -0
package/src/logging/flows/set-level.flow.js +108 -0
package/src/logging/flows/set-level.flow.js.map +1 -0
package/src/mcp-apps/csp.d.ts +111 -0
package/src/mcp-apps/csp.js +267 -0
package/src/mcp-apps/csp.js.map +1 -0
package/src/mcp-apps/index.d.ts +23 -0
package/src/mcp-apps/index.js +91 -0
package/src/mcp-apps/index.js.map +1 -0
package/src/mcp-apps/schemas.d.ts +403 -0
package/src/mcp-apps/schemas.js +345 -0
package/src/mcp-apps/schemas.js.map +1 -0
package/src/mcp-apps/template.d.ts +94 -0
package/src/mcp-apps/template.js +419 -0
package/src/mcp-apps/template.js.map +1 -0
package/src/mcp-apps/types.d.ts +323 -0
package/src/mcp-apps/types.js +59 -0
package/src/mcp-apps/types.js.map +1 -0
package/src/notification/index.d.ts +1 -0
package/src/notification/index.js +13 -0
package/src/notification/index.js.map +1 -0
package/src/notification/notification.service.d.ts +378 -0
package/src/notification/notification.service.js +727 -0
package/src/notification/notification.service.js.map +1 -0
package/src/plugin/plugin.registry.js +12 -9
package/src/plugin/plugin.registry.js.map +1 -1
package/src/prompt/flows/get-prompt.flow.d.ts +153 -0
package/src/prompt/flows/get-prompt.flow.js +214 -0
package/src/prompt/flows/get-prompt.flow.js.map +1 -0
package/src/prompt/flows/prompts-list.flow.d.ts +67 -0
package/src/prompt/flows/prompts-list.flow.js +176 -0
package/src/prompt/flows/prompts-list.flow.js.map +1 -0
package/src/prompt/index.d.ts +7 -0
package/src/prompt/index.js +17 -0
package/src/prompt/index.js.map +1 -0
package/src/prompt/prompt.events.d.ts +17 -0
package/src/prompt/prompt.events.js +25 -0
package/src/prompt/prompt.events.js.map +1 -0
package/src/prompt/prompt.instance.d.ts +30 -0
package/src/prompt/prompt.instance.js +120 -0
package/src/prompt/prompt.instance.js.map +1 -0
package/src/prompt/prompt.registry.d.ts +79 -12
package/src/prompt/prompt.registry.js +360 -15
package/src/prompt/prompt.registry.js.map +1 -1
package/src/prompt/prompt.types.d.ts +26 -0
package/src/prompt/prompt.types.js +11 -0
package/src/prompt/prompt.types.js.map +1 -0
package/src/prompt/prompt.utils.d.ts +26 -0
package/src/prompt/prompt.utils.js +136 -0
package/src/prompt/prompt.utils.js.map +1 -0
package/src/provider/provider.registry.d.ts +12 -5
package/src/provider/provider.registry.js +30 -138
package/src/provider/provider.registry.js.map +1 -1
package/src/regsitry/registry.base.d.ts +1 -1
package/src/regsitry/registry.base.js.map +1 -1
package/src/resource/flows/read-resource.flow.d.ts +91 -0
package/src/resource/flows/read-resource.flow.js +270 -0
package/src/resource/flows/read-resource.flow.js.map +1 -0
package/src/resource/flows/resource-templates-list.flow.d.ts +64 -0
package/src/resource/flows/resource-templates-list.flow.js +191 -0
package/src/resource/flows/resource-templates-list.flow.js.map +1 -0
package/src/resource/flows/resources-list.flow.d.ts +64 -0
package/src/resource/flows/resources-list.flow.js +196 -0
package/src/resource/flows/resources-list.flow.js.map +1 -0
package/src/resource/flows/subscribe-resource.flow.d.ts +45 -0
package/src/resource/flows/subscribe-resource.flow.js +123 -0
package/src/resource/flows/subscribe-resource.flow.js.map +1 -0
package/src/resource/flows/unsubscribe-resource.flow.d.ts +44 -0
package/src/resource/flows/unsubscribe-resource.flow.js +107 -0
package/src/resource/flows/unsubscribe-resource.flow.js.map +1 -0
package/src/resource/index.d.ts +8 -0
package/src/resource/index.js +20 -0
package/src/resource/index.js.map +1 -0
package/src/resource/resource.events.d.ts +24 -0
package/src/resource/resource.events.js +17 -0
package/src/resource/resource.events.js.map +1 -0
package/src/resource/resource.instance.d.ts +35 -0
package/src/resource/resource.instance.js +163 -0
package/src/resource/resource.instance.js.map +1 -0
package/src/resource/resource.registry.d.ts +106 -12
package/src/resource/resource.registry.js +449 -13
package/src/resource/resource.registry.js.map +1 -1
package/src/resource/resource.types.d.ts +35 -0
package/src/resource/resource.types.js +11 -0
package/src/resource/resource.types.js.map +1 -0
package/src/resource/resource.utils.d.ts +30 -0
package/src/resource/resource.utils.js +151 -0
package/src/resource/resource.utils.js.map +1 -0
package/src/scope/flows/http.request.flow.d.ts +48 -330
package/src/scope/flows/http.request.flow.js +306 -78
package/src/scope/flows/http.request.flow.js.map +1 -1
package/src/scope/scope.instance.d.ts +12 -0
package/src/scope/scope.instance.js +145 -15
package/src/scope/scope.instance.js.map +1 -1
package/src/tool/flows/call-tool.flow.d.ts +64 -1110
package/src/tool/flows/call-tool.flow.js +303 -15
package/src/tool/flows/call-tool.flow.js.map +1 -1
package/src/tool/flows/tools-list.flow.d.ts +32 -473
package/src/tool/flows/tools-list.flow.js +121 -40
package/src/tool/flows/tools-list.flow.js.map +1 -1
package/src/tool/tool.events.d.ts +8 -1
package/src/tool/tool.events.js.map +1 -1
package/src/tool/tool.instance.d.ts +3 -1
package/src/tool/tool.instance.js +17 -3
package/src/tool/tool.instance.js.map +1 -1
package/src/tool/tool.registry.d.ts +7 -1
package/src/tool/tool.registry.js +26 -10
package/src/tool/tool.registry.js.map +1 -1
package/src/tool/tool.types.d.ts +4 -4
package/src/tool/tool.types.js.map +1 -1
package/src/tool/tool.utils.d.ts +3 -12
package/src/tool/tool.utils.js +39 -193
package/src/tool/tool.utils.js.map +1 -1
package/src/tool/ui/index.d.ts +22 -0
package/src/tool/ui/index.js +63 -0
package/src/tool/ui/index.js.map +1 -0
package/src/tool/ui/platform-adapters.d.ts +10 -0
package/src/tool/ui/platform-adapters.js +18 -0
package/src/tool/ui/platform-adapters.js.map +1 -0
package/src/tool/ui/template-helpers.d.ts +46 -0
package/src/tool/ui/template-helpers.js +112 -0
package/src/tool/ui/template-helpers.js.map +1 -0
package/src/tool/ui/ui-resource-template.d.ts +34 -0
package/src/tool/ui/ui-resource-template.js +64 -0
package/src/tool/ui/ui-resource-template.js.map +1 -0
package/src/tool/ui/ui-resource.handler.d.ts +74 -0
package/src/tool/ui/ui-resource.handler.js +129 -0
package/src/tool/ui/ui-resource.handler.js.map +1 -0
package/src/transport/adapters/transport.local.adapter.d.ts +2 -2
package/src/transport/adapters/transport.local.adapter.js +28 -7
package/src/transport/adapters/transport.local.adapter.js.map +1 -1
package/src/transport/adapters/transport.sse.adapter.d.ts +2 -2
package/src/transport/adapters/transport.sse.adapter.js +4 -3
package/src/transport/adapters/transport.sse.adapter.js.map +1 -1
package/src/transport/adapters/transport.streamable-http.adapter.d.ts +10 -3
package/src/transport/adapters/transport.streamable-http.adapter.js +54 -8
package/src/transport/adapters/transport.streamable-http.adapter.js.map +1 -1
package/src/transport/flows/handle.sse.flow.d.ts +29 -63
package/src/transport/flows/handle.sse.flow.js +78 -10
package/src/transport/flows/handle.sse.flow.js.map +1 -1
package/src/transport/flows/handle.stateless-http.flow.d.ts +29 -0
package/src/transport/flows/handle.stateless-http.flow.js +102 -0
package/src/transport/flows/handle.stateless-http.flow.js.map +1 -0
package/src/transport/flows/handle.streamable-http.flow.d.ts +32 -64
package/src/transport/flows/handle.streamable-http.flow.js +158 -26
package/src/transport/flows/handle.streamable-http.flow.js.map +1 -1
package/src/transport/legacy/legacy.sse.tranporter.d.ts +9 -0
package/src/transport/legacy/legacy.sse.tranporter.js +17 -2
package/src/transport/legacy/legacy.sse.tranporter.js.map +1 -1
package/src/transport/mcp-handlers/call-tool-request.handler.js +27 -1
package/src/transport/mcp-handlers/call-tool-request.handler.js.map +1 -1
package/src/transport/mcp-handlers/complete-request.handler.d.ts +69 -0
package/src/transport/mcp-handlers/complete-request.handler.js +11 -0
package/src/transport/mcp-handlers/complete-request.handler.js.map +1 -0
package/src/transport/mcp-handlers/get-prompt-request.handler.d.ts +87 -0
package/src/transport/mcp-handlers/get-prompt-request.handler.js +11 -0
package/src/transport/mcp-handlers/get-prompt-request.handler.js.map +1 -0
package/src/transport/mcp-handlers/index.d.ts +517 -208
package/src/transport/mcp-handlers/index.js +39 -2
package/src/transport/mcp-handlers/index.js.map +1 -1
package/src/transport/mcp-handlers/initialize-request.handler.d.ts +1 -1
package/src/transport/mcp-handlers/initialize-request.handler.js +73 -7
package/src/transport/mcp-handlers/initialize-request.handler.js.map +1 -1
package/src/transport/mcp-handlers/list-prompts-request.handler.d.ts +54 -0
package/src/transport/mcp-handlers/list-prompts-request.handler.js +11 -0
package/src/transport/mcp-handlers/list-prompts-request.handler.js.map +1 -0
package/src/transport/mcp-handlers/list-resource-templates-request.handler.d.ts +51 -0
package/src/transport/mcp-handlers/list-resource-templates-request.handler.js +12 -0
package/src/transport/mcp-handlers/list-resource-templates-request.handler.js.map +1 -0
package/src/transport/mcp-handlers/list-resources-request.handler.d.ts +51 -0
package/src/transport/mcp-handlers/list-resources-request.handler.js +12 -0
package/src/transport/mcp-handlers/list-resources-request.handler.js.map +1 -0
package/src/transport/mcp-handlers/list-tools-request.handler.d.ts +19 -146
package/src/transport/mcp-handlers/logging-set-level-request.handler.d.ts +46 -0
package/src/transport/mcp-handlers/logging-set-level-request.handler.js +34 -0
package/src/transport/mcp-handlers/logging-set-level-request.handler.js.map +1 -0
package/src/transport/mcp-handlers/mcp-handlers.types.d.ts +3 -7
package/src/transport/mcp-handlers/mcp-handlers.types.js.map +1 -1
package/src/transport/mcp-handlers/read-resource-request.handler.d.ts +46 -0
package/src/transport/mcp-handlers/read-resource-request.handler.js +12 -0
package/src/transport/mcp-handlers/read-resource-request.handler.js.map +1 -0
package/src/transport/mcp-handlers/roots-list-changed-notification.handler.d.ts +11 -0
package/src/transport/mcp-handlers/roots-list-changed-notification.handler.js +26 -0
package/src/transport/mcp-handlers/roots-list-changed-notification.handler.js.map +1 -0
package/src/transport/mcp-handlers/subscribe-request.handler.d.ts +37 -0
package/src/transport/mcp-handlers/subscribe-request.handler.js +34 -0
package/src/transport/mcp-handlers/subscribe-request.handler.js.map +1 -0
package/src/transport/mcp-handlers/unsubscribe-request.handler.d.ts +37 -0
package/src/transport/mcp-handlers/unsubscribe-request.handler.js +34 -0
package/src/transport/mcp-handlers/unsubscribe-request.handler.js.map +1 -0
package/src/transport/transport.local.js +7 -2
package/src/transport/transport.local.js.map +1 -1
package/src/transport/transport.registry.d.ts +30 -0
package/src/transport/transport.registry.js +84 -1
package/src/transport/transport.registry.js.map +1 -1
package/src/transport/transport.types.d.ts +3 -3
package/src/transport/transport.types.js.map +1 -1
package/src/utils/content.utils.d.ts +48 -0
package/src/utils/content.utils.js +194 -0
package/src/utils/content.utils.js.map +1 -0
package/src/utils/index.d.ts +8 -0
package/src/utils/index.js +55 -0
package/src/utils/index.js.map +1 -0
package/src/utils/lineage.utils.d.ts +40 -0
package/src/utils/lineage.utils.js +82 -0
package/src/utils/lineage.utils.js.map +1 -0
package/src/utils/naming.utils.d.ts +46 -0
package/src/utils/naming.utils.js +136 -0
package/src/utils/naming.utils.js.map +1 -0
package/src/utils/types.utils.d.ts +2 -2
package/src/utils/types.utils.js.map +1 -1
package/src/utils/uri-template.utils.d.ts +57 -0
package/src/utils/uri-template.utils.js +113 -0
package/src/utils/uri-template.utils.js.map +1 -0
package/src/utils/uri-validation.utils.d.ts +40 -0
package/src/utils/uri-validation.utils.js +76 -0
package/src/utils/uri-validation.utils.js.map +1 -0
package/src/__test-utils__/fixtures/hook.fixtures.d.ts +0 -46
package/src/__test-utils__/fixtures/hook.fixtures.js +0 -114
package/src/__test-utils__/fixtures/hook.fixtures.js.map +0 -1
package/src/__test-utils__/fixtures/index.d.ts +0 -7
package/src/__test-utils__/fixtures/index.js +0 -11
package/src/__test-utils__/fixtures/index.js.map +0 -1
package/src/__test-utils__/fixtures/plugin.fixtures.d.ts +0 -46
package/src/__test-utils__/fixtures/plugin.fixtures.js +0 -127
package/src/__test-utils__/fixtures/plugin.fixtures.js.map +0 -1
package/src/__test-utils__/fixtures/provider.fixtures.d.ts +0 -69
package/src/__test-utils__/fixtures/provider.fixtures.js +0 -131
package/src/__test-utils__/fixtures/provider.fixtures.js.map +0 -1
package/src/__test-utils__/fixtures/scope.fixtures.d.ts +0 -14
package/src/__test-utils__/fixtures/scope.fixtures.js +0 -59
package/src/__test-utils__/fixtures/scope.fixtures.js.map +0 -1
package/src/__test-utils__/fixtures/tool.fixtures.d.ts +0 -36
package/src/__test-utils__/fixtures/tool.fixtures.js +0 -91
package/src/__test-utils__/fixtures/tool.fixtures.js.map +0 -1
package/src/__test-utils__/helpers/assertion.helpers.d.ts +0 -45
package/src/__test-utils__/helpers/assertion.helpers.js +0 -153
package/src/__test-utils__/helpers/assertion.helpers.js.map +0 -1
package/src/__test-utils__/helpers/async.helpers.d.ts +0 -48
package/src/__test-utils__/helpers/async.helpers.js +0 -112
package/src/__test-utils__/helpers/async.helpers.js.map +0 -1
package/src/__test-utils__/helpers/index.d.ts +0 -6
package/src/__test-utils__/helpers/index.js +0 -10
package/src/__test-utils__/helpers/index.js.map +0 -1
package/src/__test-utils__/helpers/setup.helpers.d.ts +0 -54
package/src/__test-utils__/helpers/setup.helpers.js +0 -106
package/src/__test-utils__/helpers/setup.helpers.js.map +0 -1
package/src/__test-utils__/index.d.ts +0 -9
package/src/__test-utils__/index.js +0 -14
package/src/__test-utils__/index.js.map +0 -1
package/src/__test-utils__/mocks/flow-instance.mock.d.ts +0 -50
package/src/__test-utils__/mocks/flow-instance.mock.js +0 -72
package/src/__test-utils__/mocks/flow-instance.mock.js.map +0 -1
package/src/__test-utils__/mocks/hook-registry.mock.d.ts +0 -25
package/src/__test-utils__/mocks/hook-registry.mock.js +0 -65
package/src/__test-utils__/mocks/hook-registry.mock.js.map +0 -1
package/src/__test-utils__/mocks/index.d.ts +0 -8
package/src/__test-utils__/mocks/index.js +0 -12
package/src/__test-utils__/mocks/index.js.map +0 -1
package/src/__test-utils__/mocks/plugin-registry.mock.d.ts +0 -43
package/src/__test-utils__/mocks/plugin-registry.mock.js +0 -70
package/src/__test-utils__/mocks/plugin-registry.mock.js.map +0 -1
package/src/__test-utils__/mocks/provider-registry.mock.d.ts +0 -39
package/src/__test-utils__/mocks/provider-registry.mock.js +0 -72
package/src/__test-utils__/mocks/provider-registry.mock.js.map +0 -1
package/src/__test-utils__/mocks/tool-registry.mock.d.ts +0 -43
package/src/__test-utils__/mocks/tool-registry.mock.js +0 -79
package/src/__test-utils__/mocks/tool-registry.mock.js.map +0 -1
package/src/auth/path.utils.d.ts +0 -20
package/src/auth/path.utils.js +0 -71
package/src/auth/path.utils.js.map +0 -1
package/src/common/decorators-old/async-with.decorator.d.ts +0 -10
package/src/common/decorators-old/async-with.decorator.js +0 -24
package/src/common/decorators-old/async-with.decorator.js.map +0 -1
package/src/common/decorators-old/auth-hook.decorator.d.ts +0 -14
package/src/common/decorators-old/auth-hook.decorator.js +0 -27
package/src/common/decorators-old/auth-hook.decorator.js.map +0 -1
package/src/common/decorators-old/session-hook.decorator.d.ts +0 -14
package/src/common/decorators-old/session-hook.decorator.js +0 -27
package/src/common/decorators-old/session-hook.decorator.js.map +0 -1

package/src/auth/session/utils/session-id.utils.js CHANGED Viewed

@@ -1,6 +1,7 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.encryptJson = encryptJson;
+exports.decryptPublicSession = decryptPublicSession;
 exports.parseSessionHeader = parseSessionHeader;
 exports.createSessionId = createSessionId;
 exports.generateSessionCookie = generateSessionCookie;
@@ -9,6 +10,7 @@ exports.extractSessionFromCookie = extractSessionFromCookie;
 const crypto_1 = require("crypto");
 const tiny_ttl_cache_1 = require("./tiny-ttl-cache");
 const auth_token_utils_1 = require("./auth-token.utils");
+const notification_service_1 = require("../../../notification/notification.service");
 // 5s TTL cache for decrypted headers
 const cache = new tiny_ttl_cache_1.TinyTtlCache(5000);
 // Single-process machine id generated at server launch
@@ -39,27 +41,64 @@ function encryptJson(obj) {
     // Pack iv.tag.ct as base64url(iv.tag.ct)
     return `${b64urlEncode(iv)}.${b64urlEncode(tag)}.${b64urlEncode(ct)}`;
 }
-function decryptSessionId(sessionId, sig) {
-    const key = getKey();
-    const [ivB64, tagB64, ctB64] = sessionId.split('.');
+/**
+ * Low-level decryption that returns the raw JSON payload or null.
+ * Handles all crypto/parsing failures by returning null.
+ */
+function decryptSessionJson(sessionId) {
+    const parts = sessionId.split('.');
+    if (parts.length !== 3)
+        return null;
+    const [ivB64, tagB64, ctB64] = parts;
     if (!ivB64 || !tagB64 || !ctB64)
         return null;
+    const key = getKey();
+    const iv = b64urlDecode(ivB64);
+    const tag = b64urlDecode(tagB64);
+    const ct = b64urlDecode(ctB64);
+    const decipher = (0, crypto_1.createDecipheriv)('aes-256-gcm', key, iv);
+    decipher.setAuthTag(tag);
+    const pt = Buffer.concat([decipher.update(ct), decipher.final()]);
+    return JSON.parse(pt.toString('utf8'));
+}
+function isValidSessionPayload(dec, sig) {
+    if (typeof dec !== 'object' || dec === null)
+        return false;
+    const d = dec;
+    return (typeof d['nodeId'] === 'string' &&
+        typeof d['authSig'] === 'string' &&
+        typeof d['uuid'] === 'string' &&
+        typeof d['iat'] === 'number' &&
+        d['authSig'] === sig);
+}
+function isValidPublicSessionPayload(dec) {
+    if (typeof dec !== 'object' || dec === null)
+        return false;
+    const d = dec;
+    return (typeof d['nodeId'] === 'string' &&
+        d['authSig'] === 'public' &&
+        typeof d['uuid'] === 'string' &&
+        typeof d['iat'] === 'number' &&
+        d['isPublic'] === true);
+}
+function decryptSessionId(sessionId, sig) {
+    const dec = safeDecrypt(sessionId);
+    return isValidSessionPayload(dec, sig) ? dec : null;
+}
+/**
+ * Decrypt a public session ID without signature verification.
+ * Public sessions use authSig: 'public' and isPublic: true
+ */
+function decryptPublicSession(sessionId) {
+    const dec = safeDecrypt(sessionId);
+    return isValidPublicSessionPayload(dec) ? dec : null;
+}
+/**
+ * Safe wrapper around decryptSessionJson that catches crypto/parse errors.
+ */
+function safeDecrypt(sessionId) {
     try {
-        const iv = b64urlDecode(ivB64);
-        const tag = b64urlDecode(tagB64);
-        const ct = b64urlDecode(ctB64);
-        const decipher = (0, crypto_1.createDecipheriv)('aes-256-gcm', key, iv);
-        decipher.setAuthTag(tag);
-        const pt = Buffer.concat([decipher.update(ct), decipher.final()]);
-        const dec = JSON.parse(pt.toString('utf8'));
-        if (typeof dec.nodeId === 'string' &&
-            typeof dec.authSig === 'string' &&
-            typeof dec.uuid === 'string' &&
-            typeof dec.iat === 'number' &&
-            dec.authSig === sig) {
-            return dec;
-        }
-        throw new Error('Invalid session id');
+        return decryptSessionJson(sessionId);
     }
     catch {
         return null;
@@ -103,14 +142,24 @@ function parseSessionHeader(sessionHeader, token) {
     // cache.set(headerSse, decodedSse);
     // return { header, decoded, headerSse, isNew: true };
 }
-function createSessionId(protocol, token) {
+function createSessionId(protocol, token, options) {
     const authSig = (0, auth_token_utils_1.getTokenSignatureFingerprint)(token);
+    // Detect platform from user-agent if provided (before MCP initialize)
+    let platformType;
+    if (options?.userAgent) {
+        platformType = (0, notification_service_1.detectPlatformFromUserAgent)(options.userAgent, options.platformDetectionConfig);
+        // Only set if we detected something meaningful
+        if (platformType === 'unknown') {
+            platformType = undefined;
+        }
+    }
     const payload = {
         nodeId: MACHINE_ID,
         authSig,
         uuid: (0, crypto_1.randomUUID)(),
         iat: nowSec(),
         protocol,
+        platformType,
     };
     const id = encryptJson(payload);
     cache.set(id, payload);

package/src/auth/session/utils/session-id.utils.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"session-id.utils.js","sourceRoot":"","sources":["../../../../../src/auth/session/utils/session-id.utils.ts"],"names":[],"mappings":";;AA+BA,kCASC;AAuCD,gDAmCC;AAED,0CAYC;AAED,sDAGC;AAED,4DAIC;AA3ID,yCAAyC;AACzC,mCAA+F;AAC/F,qDAAgD;AAEhD,yDAAkE;AAElE,qCAAqC;AACrC,MAAM,KAAK,GAAG,IAAI,6BAAY,CAA2B,IAAI,CAAC,CAAC;AAE/D,uDAAuD;AACvD,MAAM,UAAU,GAAG,CAAC,GAAG,EAAE;IACvB,2FAA2F;IAC3F,OAAO,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,IAAI,IAAA,mBAAU,GAAE,CAAC,CAAC,sCAAsC;AAC1F,CAAC,CAAC,EAAE,CAAC;AAEL,2EAA2E;AAC3E,SAAS,MAAM;IACb,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,IAAI,UAAU,CAAC,CAAC,sCAAsC;IACpG,OAAO,IAAA,mBAAU,EAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,WAAW;AAChE,CAAC;AAED,SAAS,YAAY,CAAC,GAAW;IAC/B,OAAO,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;AAC5F,CAAC;AAED,SAAS,YAAY,CAAC,CAAS;IAC7B,MAAM,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IAC/B,MAAM,MAAM,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;IAC1F,OAAO,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;AACvC,CAAC;AAED,SAAgB,WAAW,CAAC,GAAY;IACtC,MAAM,GAAG,GAAG,MAAM,EAAE,CAAC;IACrB,MAAM,EAAE,GAAG,IAAA,oBAAW,EAAC,EAAE,CAAC,CAAC,CAAC,oBAAoB;IAChD,MAAM,MAAM,GAAG,IAAA,uBAAc,EAAC,aAAa,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;IACtD,MAAM,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,EAAE,MAAM,CAAC,CAAC;IACpD,MAAM,EAAE,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IAC9D,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;IAChC,yCAAyC;IACzC,OAAO,GAAG,YAAY,CAAC,EAAE,CAAC,IAAI,YAAY,CAAC,GAAG,CAAC,IAAI,YAAY,CAAC,EAAE,CAAC,EAAE,CAAC;AACxE,CAAC;AAED,SAAS,gBAAgB,CAAC,SAAiB,EAAE,GAAW;IACtD,MAAM,GAAG,GAAG,MAAM,EAAE,CAAC;IACrB,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,CAAC,GAAG,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACpD,IAAI,CAAC,KAAK,IAAI,CAAC,MAAM,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAC;IAC7C,IAAI,CAAC;QACH,MAAM,EAAE,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC;QAC/B,MAAM,GAAG,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC;QACjC,MAAM,EAAE,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC;QAC/B,MAAM,QAAQ,GAAG,IAAA,yBAAgB,EAAC,aAAa,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;QAC1D,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;QACzB,MAAM,EAAE,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;QAClE,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;QAC5C,IACE,OAAO,GAAG,CAAC,MAAM,KAAK,QAAQ;YAC9B,OAAO,GAAG,CAAC,OAAO,KAAK,QAAQ;YAC/B,OAAO,GAAG,CAAC,IAAI,KAAK,QAAQ;YAC5B,OAAO,GAAG,CAAC,GAAG,KAAK,QAAQ;YAC3B,GAAG,CAAC,OAAO,KAAK,GAAG,EACnB,CAAC;YACD,OAAO,GAAG,CAAC;QACb,CAAC;QAED,MAAM,IAAI,KAAK,CAAC,oBAAoB,CAAC,CAAC;IACxC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,SAAS,MAAM;IACb,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;AACvC,CAAC;AAED;;;;GAIG;AACH,SAAgB,kBAAkB,CAChC,aAAiC,EACjC,KAAa;IAEb,MAAM,cAAc,GAAG,IAAA,+CAA4B,EAAC,KAAK,CAAC,CAAC;IAC3D,IAAI,aAAa,EAAE,CAAC;QAClB,MAAM,MAAM,GAAG,KAAK,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC;QACxC,IAAI,MAAM,EAAE,CAAC;YACX,IAAI,MAAM,CAAC,OAAO,KAAK,cAAc,EAAE,CAAC;gBACtC,OAAO,EAAE,EAAE,EAAE,aAAa,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC;YAChD,CAAC;YACD,wCAAwC;QAC1C,CAAC;QAED,MAAM,GAAG,GAAG,gBAAgB,CAAC,aAAa,EAAE,cAAc,CAAC,CAAC;QAC5D,IAAI,GAAG,EAAE,CAAC;YACR,KAAK,CAAC,GAAG,CAAC,aAAa,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,EAAE,EAAE,aAAa,EAAE,OAAO,EAAE,GAAuB,EAAE,CAAC;QACjE,CAAC;IACH,CAAC;IAED,OAAO,SAAS,CAAC;IACjB,kBAAkB;IAElB,yCAAyC;IACzC,wBAAwB;IACxB,6BAA6B;IAC7B,wBAAwB;IACxB,mBAAmB;IACnB,KAAK;IACL,uCAAuC;IACvC,6CAA6C;IAC7C,8BAA8B;IAC9B,oCAAoC;IACpC,sDAAsD;AACxD,CAAC;AAED,SAAgB,eAAe,CAAC,QAA2B,EAAE,KAAa;IACxE,MAAM,OAAO,GAAG,IAAA,+CAA4B,EAAC,KAAK,CAAC,CAAC;IACpD,MAAM,OAAO,GAAqB;QAChC,MAAM,EAAE,UAAU;QAClB,OAAO;QACP,IAAI,EAAE,IAAA,mBAAU,GAAE;QAClB,GAAG,EAAE,MAAM,EAAE;QACb,QAAQ;KACT,CAAC;IACF,MAAM,EAAE,GAAG,WAAW,CAAC,OAAO,CAAC,CAAC;IAChC,KAAK,CAAC,GAAG,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC;IACvB,OAAO,EAAE,EAAE,EAAE,OAAO,EAAE,CAAC;AACzB,CAAC;AAED,SAAgB,qBAAqB,CAAC,SAAiB,EAAE,YAAY,GAAG,EAAE,GAAG,EAAE;IAC7E,MAAM,OAAO,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,YAAY,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;IAC9E,OAAO,kBAAkB,SAAS,qBAAqB,OAAO,0BAA0B,CAAC;AAC3F,CAAC;AAED,SAAgB,wBAAwB,CAAC,MAAe;IACtD,IAAI,CAAC,MAAM;QAAE,OAAO,SAAS,CAAC;IAC9B,MAAM,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,sCAAsC,CAAC,CAAC;IAC/D,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;AAC9B,CAAC","sourcesContent":["// auth/session/utils/session-id.utils.ts\nimport { randomUUID, createHash, randomBytes, createCipheriv, createDecipheriv } from 'crypto';\nimport { TinyTtlCache } from './tiny-ttl-cache';\nimport { HttpRequestIntent, SessionIdPayload } from '../../../common';\nimport { getTokenSignatureFingerprint } from './auth-token.utils';\n\n// 5s TTL cache for decrypted headers\nconst cache = new TinyTtlCache<string, SessionIdPayload>(5000);\n\n// Single-process machine id generated at server launch\nconst MACHINE_ID = (() => {\n // Prefer an injected env (stable across restarts) if you have one; else random per launch:\n return process.env['MACHINE_ID'] \|\| randomUUID(); // TODO: move to gateway config module\n})();\n\n// Symmetric key derived from secret or machine id (stable for the process)\nfunction getKey(): Buffer {\n const base = process.env['MCP_SESSION_SECRET'] \|\| MACHINE_ID; // TODO: move to gateway config module\n return createHash('sha256').update(base).digest(); // 32 bytes\n}\n\nfunction b64urlEncode(buf: Buffer): string {\n return buf.toString('base64').replace(/\\+/g, '-').replace(/\\//g, '_').replace(/=+$/g, '');\n}\n\nfunction b64urlDecode(s: string): Buffer {\n const pad = 4 - (s.length % 4);\n const base64 = s.replace(/-/g, '+').replace(/_/g, '/') + (pad < 4 ? '='.repeat(pad) : '');\n return Buffer.from(base64, 'base64');\n}\n\nexport function encryptJson(obj: unknown): string {\n const key = getKey();\n const iv = randomBytes(12); // AES-GCM 96-bit IV\n const cipher = createCipheriv('aes-256-gcm', key, iv);\n const pt = Buffer.from(JSON.stringify(obj), 'utf8');\n const ct = Buffer.concat([cipher.update(pt), cipher.final()]);\n const tag = cipher.getAuthTag();\n // Pack iv.tag.ct as base64url(iv.tag.ct)\n return `${b64urlEncode(iv)}.${b64urlEncode(tag)}.${b64urlEncode(ct)}`;\n}\n\nfunction decryptSessionId(sessionId: string, sig: string): SessionIdPayload \| null {\n const key = getKey();\n const [ivB64, tagB64, ctB64] = sessionId.split('.');\n if (!ivB64 \|\| !tagB64 \|\| !ctB64) return null;\n try {\n const iv = b64urlDecode(ivB64);\n const tag = b64urlDecode(tagB64);\n const ct = b64urlDecode(ctB64);\n const decipher = createDecipheriv('aes-256-gcm', key, iv);\n decipher.setAuthTag(tag);\n const pt = Buffer.concat([decipher.update(ct), decipher.final()]);\n const dec = JSON.parse(pt.toString('utf8'));\n if (\n typeof dec.nodeId === 'string' &&\n typeof dec.authSig === 'string' &&\n typeof dec.uuid === 'string' &&\n typeof dec.iat === 'number' &&\n dec.authSig === sig\n ) {\n return dec;\n }\n\n throw new Error('Invalid session id');\n } catch {\n return null;\n }\n}\n\nfunction nowSec(): number {\n return Math.floor(Date.now() / 1000);\n}\n\n/*\n Validates an existing session header OR creates a fresh one.\n * - Valid: nodeId matches local, authSig matches current Authorization\n * - On any mismatch/decrypt error → generate new\n /\nexport function parseSessionHeader(\n sessionHeader: string \| undefined,\n token: string,\n): { id: string; payload: SessionIdPayload } \| undefined {\n const currentAuthSig = getTokenSignatureFingerprint(token);\n if (sessionHeader) {\n const cached = cache.get(sessionHeader);\n if (cached) {\n if (cached.authSig === currentAuthSig) {\n return { id: sessionHeader, payload: cached };\n }\n // fallthrough to regenerate if mismatch\n }\n\n const dec = decryptSessionId(sessionHeader, currentAuthSig);\n if (dec) {\n cache.set(sessionHeader, dec);\n return { id: sessionHeader, payload: dec as SessionIdPayload };\n }\n }\n\n return undefined;\n // // Create fresh\n\n // const decodedSse: SessionIdPayload = {\n // nodeId: MACHINE_ID,\n // authSig: currentAuthSig,\n // uuid: randomUUID(),\n // iat: nowSec(),\n // };\n // const header = encryptJson(decoded);\n // const headerSse = encryptJson(decodedSse);\n // cache.set(header, decoded);\n // cache.set(headerSse, decodedSse);\n // return { header, decoded, headerSse, isNew: true };\n}\n\nexport function createSessionId(protocol: HttpRequestIntent, token: string) {\n const authSig = getTokenSignatureFingerprint(token);\n const payload: SessionIdPayload = {\n nodeId: MACHINE_ID,\n authSig,\n uuid: randomUUID(),\n iat: nowSec(),\n protocol,\n };\n const id = encryptJson(payload);\n cache.set(id, payload);\n return { id, payload };\n}\n\nexport function generateSessionCookie(sessionId: string, ttlInMinutes = 60 24): string {\n const expires = new Date(Date.now() + ttlInMinutes * 60 * 1000).toUTCString();\n return `mcp_session_id=${sessionId}; Path=/; Expires=${expires}; HttpOnly; SameSite=Lax`;\n}\n\nexport function extractSessionFromCookie(cookie?: string): string \| undefined {\n if (!cookie) return undefined;\n const m = cookie.match(/(^\|;)\\smcp_session_id\\s=\\s([^;])/);\n return m ? m[2] : undefined;\n}\n\n\n"]}
1	+ {"version":3,"file":"session-id.utils.js","sourceRoot":"","sources":["../../../../../src/auth/session/utils/session-id.utils.ts"],"names":[],"mappings":";;AAiCA,kCASC;AAyDD,oDAGC;AAsBD,gDAmCC;AASD,0CAwBC;AAED,sDAGC;AAED,4DAIC;AA3MD,yCAAyC;AACzC,mCAA+F;AAC/F,qDAAgD;AAEhD,yDAAkE;AAClE,qFAAyF;AAGzF,qCAAqC;AACrC,MAAM,KAAK,GAAG,IAAI,6BAAY,CAA2B,IAAI,CAAC,CAAC;AAE/D,uDAAuD;AACvD,MAAM,UAAU,GAAG,CAAC,GAAG,EAAE;IACvB,2FAA2F;IAC3F,OAAO,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,IAAI,IAAA,mBAAU,GAAE,CAAC,CAAC,sCAAsC;AAC1F,CAAC,CAAC,EAAE,CAAC;AAEL,2EAA2E;AAC3E,SAAS,MAAM;IACb,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,IAAI,UAAU,CAAC,CAAC,sCAAsC;IACpG,OAAO,IAAA,mBAAU,EAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,WAAW;AAChE,CAAC;AAED,SAAS,YAAY,CAAC,GAAW;IAC/B,OAAO,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;AAC5F,CAAC;AAED,SAAS,YAAY,CAAC,CAAS;IAC7B,MAAM,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IAC/B,MAAM,MAAM,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;IAC1F,OAAO,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;AACvC,CAAC;AAED,SAAgB,WAAW,CAAC,GAAY;IACtC,MAAM,GAAG,GAAG,MAAM,EAAE,CAAC;IACrB,MAAM,EAAE,GAAG,IAAA,oBAAW,EAAC,EAAE,CAAC,CAAC,CAAC,oBAAoB;IAChD,MAAM,MAAM,GAAG,IAAA,uBAAc,EAAC,aAAa,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;IACtD,MAAM,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,EAAE,MAAM,CAAC,CAAC;IACpD,MAAM,EAAE,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IAC9D,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;IAChC,yCAAyC;IACzC,OAAO,GAAG,YAAY,CAAC,EAAE,CAAC,IAAI,YAAY,CAAC,GAAG,CAAC,IAAI,YAAY,CAAC,EAAE,CAAC,EAAE,CAAC;AACxE,CAAC;AAED;;;GAGG;AACH,SAAS,kBAAkB,CAAC,SAAiB;IAC3C,MAAM,KAAK,GAAG,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACnC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAEpC,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,CAAC,GAAG,KAAK,CAAC;IACrC,IAAI,CAAC,KAAK,IAAI,CAAC,MAAM,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAC;IAE7C,MAAM,GAAG,GAAG,MAAM,EAAE,CAAC;IACrB,MAAM,EAAE,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC;IAC/B,MAAM,GAAG,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC;IACjC,MAAM,EAAE,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC;IAE/B,MAAM,QAAQ,GAAG,IAAA,yBAAgB,EAAC,aAAa,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;IAC1D,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;IACzB,MAAM,EAAE,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IAClE,OAAO,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;AACzC,CAAC;AAED,SAAS,qBAAqB,CAAC,GAAY,EAAE,GAAW;IACtD,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,IAAI;QAAE,OAAO,KAAK,CAAC;IAC1D,MAAM,CAAC,GAAG,GAA8B,CAAC;IACzC,OAAO,CACL,OAAO,CAAC,CAAC,QAAQ,CAAC,KAAK,QAAQ;QAC/B,OAAO,CAAC,CAAC,SAAS,CAAC,KAAK,QAAQ;QAChC,OAAO,CAAC,CAAC,MAAM,CAAC,KAAK,QAAQ;QAC7B,OAAO,CAAC,CAAC,KAAK,CAAC,KAAK,QAAQ;QAC5B,CAAC,CAAC,SAAS,CAAC,KAAK,GAAG,CACrB,CAAC;AACJ,CAAC;AAED,SAAS,2BAA2B,CAAC,GAAY;IAC/C,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,IAAI;QAAE,OAAO,KAAK,CAAC;IAC1D,MAAM,CAAC,GAAG,GAA8B,CAAC;IACzC,OAAO,CACL,OAAO,CAAC,CAAC,QAAQ,CAAC,KAAK,QAAQ;QAC/B,CAAC,CAAC,SAAS,CAAC,KAAK,QAAQ;QACzB,OAAO,CAAC,CAAC,MAAM,CAAC,KAAK,QAAQ;QAC7B,OAAO,CAAC,CAAC,KAAK,CAAC,KAAK,QAAQ;QAC5B,CAAC,CAAC,UAAU,CAAC,KAAK,IAAI,CACvB,CAAC;AACJ,CAAC;AAED,SAAS,gBAAgB,CAAC,SAAiB,EAAE,GAAW;IACtD,MAAM,GAAG,GAAG,WAAW,CAAC,SAAS,CAAC,CAAC;IACnC,OAAO,qBAAqB,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC;AACtD,CAAC;AAED;;;GAGG;AACH,SAAgB,oBAAoB,CAAC,SAAiB;IACpD,MAAM,GAAG,GAAG,WAAW,CAAC,SAAS,CAAC,CAAC;IACnC,OAAO,2BAA2B,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC;AACvD,CAAC;AAED;;GAEG;AACH,SAAS,WAAW,CAAC,SAAiB;IACpC,IAAI,CAAC;QACH,OAAO,kBAAkB,CAAC,SAAS,CAAC,CAAC;IACvC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,SAAS,MAAM;IACb,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;AACvC,CAAC;AAED;;;;GAIG;AACH,SAAgB,kBAAkB,CAChC,aAAiC,EACjC,KAAa;IAEb,MAAM,cAAc,GAAG,IAAA,+CAA4B,EAAC,KAAK,CAAC,CAAC;IAC3D,IAAI,aAAa,EAAE,CAAC;QAClB,MAAM,MAAM,GAAG,KAAK,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC;QACxC,IAAI,MAAM,EAAE,CAAC;YACX,IAAI,MAAM,CAAC,OAAO,KAAK,cAAc,EAAE,CAAC;gBACtC,OAAO,EAAE,EAAE,EAAE,aAAa,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC;YAChD,CAAC;YACD,wCAAwC;QAC1C,CAAC;QAED,MAAM,GAAG,GAAG,gBAAgB,CAAC,aAAa,EAAE,cAAc,CAAC,CAAC;QAC5D,IAAI,GAAG,EAAE,CAAC;YACR,KAAK,CAAC,GAAG,CAAC,aAAa,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,EAAE,EAAE,aAAa,EAAE,OAAO,EAAE,GAAuB,EAAE,CAAC;QACjE,CAAC;IACH,CAAC;IAED,OAAO,SAAS,CAAC;IACjB,kBAAkB;IAElB,yCAAyC;IACzC,wBAAwB;IACxB,6BAA6B;IAC7B,wBAAwB;IACxB,mBAAmB;IACnB,KAAK;IACL,uCAAuC;IACvC,6CAA6C;IAC7C,8BAA8B;IAC9B,oCAAoC;IACpC,sDAAsD;AACxD,CAAC;AASD,SAAgB,eAAe,CAAC,QAA+B,EAAE,KAAa,EAAE,OAA8B;IAC5G,MAAM,OAAO,GAAG,IAAA,+CAA4B,EAAC,KAAK,CAAC,CAAC;IAEpD,sEAAsE;IACtE,IAAI,YAAwC,CAAC;IAC7C,IAAI,OAAO,EAAE,SAAS,EAAE,CAAC;QACvB,YAAY,GAAG,IAAA,kDAA2B,EAAC,OAAO,CAAC,SAAS,EAAE,OAAO,CAAC,uBAAuB,CAAC,CAAC;QAC/F,+CAA+C;QAC/C,IAAI,YAAY,KAAK,SAAS,EAAE,CAAC;YAC/B,YAAY,GAAG,SAAS,CAAC;QAC3B,CAAC;IACH,CAAC;IAED,MAAM,OAAO,GAAqB;QAChC,MAAM,EAAE,UAAU;QAClB,OAAO;QACP,IAAI,EAAE,IAAA,mBAAU,GAAE;QAClB,GAAG,EAAE,MAAM,EAAE;QACb,QAAQ;QACR,YAAY;KACb,CAAC;IACF,MAAM,EAAE,GAAG,WAAW,CAAC,OAAO,CAAC,CAAC;IAChC,KAAK,CAAC,GAAG,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC;IACvB,OAAO,EAAE,EAAE,EAAE,OAAO,EAAE,CAAC;AACzB,CAAC;AAED,SAAgB,qBAAqB,CAAC,SAAiB,EAAE,YAAY,GAAG,EAAE,GAAG,EAAE;IAC7E,MAAM,OAAO,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,YAAY,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;IAC9E,OAAO,kBAAkB,SAAS,qBAAqB,OAAO,0BAA0B,CAAC;AAC3F,CAAC;AAED,SAAgB,wBAAwB,CAAC,MAAe;IACtD,IAAI,CAAC,MAAM;QAAE,OAAO,SAAS,CAAC;IAC9B,MAAM,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,sCAAsC,CAAC,CAAC;IAC/D,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;AAC9B,CAAC","sourcesContent":["// auth/session/utils/session-id.utils.ts\nimport { randomUUID, createHash, randomBytes, createCipheriv, createDecipheriv } from 'crypto';\nimport { TinyTtlCache } from './tiny-ttl-cache';\nimport { SessionIdPayload, TransportProtocolType, AIPlatformType } from '../../../common';\nimport { getTokenSignatureFingerprint } from './auth-token.utils';\nimport { detectPlatformFromUserAgent } from '../../../notification/notification.service';\nimport type { PlatformDetectionConfig } from '../../../common/types/options/session.options';\n\n// 5s TTL cache for decrypted headers\nconst cache = new TinyTtlCache<string, SessionIdPayload>(5000);\n\n// Single-process machine id generated at server launch\nconst MACHINE_ID = (() => {\n // Prefer an injected env (stable across restarts) if you have one; else random per launch:\n return process.env['MACHINE_ID'] \|\| randomUUID(); // TODO: move to gateway config module\n})();\n\n// Symmetric key derived from secret or machine id (stable for the process)\nfunction getKey(): Buffer {\n const base = process.env['MCP_SESSION_SECRET'] \|\| MACHINE_ID; // TODO: move to gateway config module\n return createHash('sha256').update(base).digest(); // 32 bytes\n}\n\nfunction b64urlEncode(buf: Buffer): string {\n return buf.toString('base64').replace(/\\+/g, '-').replace(/\\//g, '_').replace(/=+$/g, '');\n}\n\nfunction b64urlDecode(s: string): Buffer {\n const pad = 4 - (s.length % 4);\n const base64 = s.replace(/-/g, '+').replace(/_/g, '/') + (pad < 4 ? '='.repeat(pad) : '');\n return Buffer.from(base64, 'base64');\n}\n\nexport function encryptJson(obj: unknown): string {\n const key = getKey();\n const iv = randomBytes(12); // AES-GCM 96-bit IV\n const cipher = createCipheriv('aes-256-gcm', key, iv);\n const pt = Buffer.from(JSON.stringify(obj), 'utf8');\n const ct = Buffer.concat([cipher.update(pt), cipher.final()]);\n const tag = cipher.getAuthTag();\n // Pack iv.tag.ct as base64url(iv.tag.ct)\n return `${b64urlEncode(iv)}.${b64urlEncode(tag)}.${b64urlEncode(ct)}`;\n}\n\n/*\n Low-level decryption that returns the raw JSON payload or null.\n * Handles all crypto/parsing failures by returning null.\n /\nfunction decryptSessionJson(sessionId: string): unknown {\n const parts = sessionId.split('.');\n if (parts.length !== 3) return null;\n\n const [ivB64, tagB64, ctB64] = parts;\n if (!ivB64 \|\| !tagB64 \|\| !ctB64) return null;\n\n const key = getKey();\n const iv = b64urlDecode(ivB64);\n const tag = b64urlDecode(tagB64);\n const ct = b64urlDecode(ctB64);\n\n const decipher = createDecipheriv('aes-256-gcm', key, iv);\n decipher.setAuthTag(tag);\n const pt = Buffer.concat([decipher.update(ct), decipher.final()]);\n return JSON.parse(pt.toString('utf8'));\n}\n\nfunction isValidSessionPayload(dec: unknown, sig: string): dec is SessionIdPayload {\n if (typeof dec !== 'object' \|\| dec === null) return false;\n const d = dec as Record<string, unknown>;\n return (\n typeof d['nodeId'] === 'string' &&\n typeof d['authSig'] === 'string' &&\n typeof d['uuid'] === 'string' &&\n typeof d['iat'] === 'number' &&\n d['authSig'] === sig\n );\n}\n\nfunction isValidPublicSessionPayload(dec: unknown): dec is SessionIdPayload {\n if (typeof dec !== 'object' \|\| dec === null) return false;\n const d = dec as Record<string, unknown>;\n return (\n typeof d['nodeId'] === 'string' &&\n d['authSig'] === 'public' &&\n typeof d['uuid'] === 'string' &&\n typeof d['iat'] === 'number' &&\n d['isPublic'] === true\n );\n}\n\nfunction decryptSessionId(sessionId: string, sig: string): SessionIdPayload \| null {\n const dec = safeDecrypt(sessionId);\n return isValidSessionPayload(dec, sig) ? dec : null;\n}\n\n/\n Decrypt a public session ID without signature verification.\n * Public sessions use authSig: 'public' and isPublic: true\n /\nexport function decryptPublicSession(sessionId: string): SessionIdPayload \| null {\n const dec = safeDecrypt(sessionId);\n return isValidPublicSessionPayload(dec) ? dec : null;\n}\n\n/\n Safe wrapper around decryptSessionJson that catches crypto/parse errors.\n /\nfunction safeDecrypt(sessionId: string): unknown {\n try {\n return decryptSessionJson(sessionId);\n } catch {\n return null;\n }\n}\n\nfunction nowSec(): number {\n return Math.floor(Date.now() / 1000);\n}\n\n/\n Validates an existing session header OR creates a fresh one.\n * - Valid: nodeId matches local, authSig matches current Authorization\n * - On any mismatch/decrypt error → generate new\n /\nexport function parseSessionHeader(\n sessionHeader: string \| undefined,\n token: string,\n): { id: string; payload: SessionIdPayload } \| undefined {\n const currentAuthSig = getTokenSignatureFingerprint(token);\n if (sessionHeader) {\n const cached = cache.get(sessionHeader);\n if (cached) {\n if (cached.authSig === currentAuthSig) {\n return { id: sessionHeader, payload: cached };\n }\n // fallthrough to regenerate if mismatch\n }\n\n const dec = decryptSessionId(sessionHeader, currentAuthSig);\n if (dec) {\n cache.set(sessionHeader, dec);\n return { id: sessionHeader, payload: dec as SessionIdPayload };\n }\n }\n\n return undefined;\n // // Create fresh\n\n // const decodedSse: SessionIdPayload = {\n // nodeId: MACHINE_ID,\n // authSig: currentAuthSig,\n // uuid: randomUUID(),\n // iat: nowSec(),\n // };\n // const header = encryptJson(decoded);\n // const headerSse = encryptJson(decodedSse);\n // cache.set(header, decoded);\n // cache.set(headerSse, decodedSse);\n // return { header, decoded, headerSse, isNew: true };\n}\n\nexport interface CreateSessionOptions {\n /* User-Agent header for pre-initialize platform detection /\n userAgent?: string;\n /* Platform detection configuration from scope /\n platformDetectionConfig?: PlatformDetectionConfig;\n}\n\nexport function createSessionId(protocol: TransportProtocolType, token: string, options?: CreateSessionOptions) {\n const authSig = getTokenSignatureFingerprint(token);\n\n // Detect platform from user-agent if provided (before MCP initialize)\n let platformType: AIPlatformType \| undefined;\n if (options?.userAgent) {\n platformType = detectPlatformFromUserAgent(options.userAgent, options.platformDetectionConfig);\n // Only set if we detected something meaningful\n if (platformType === 'unknown') {\n platformType = undefined;\n }\n }\n\n const payload: SessionIdPayload = {\n nodeId: MACHINE_ID,\n authSig,\n uuid: randomUUID(),\n iat: nowSec(),\n protocol,\n platformType,\n };\n const id = encryptJson(payload);\n cache.set(id, payload);\n return { id, payload };\n}\n\nexport function generateSessionCookie(sessionId: string, ttlInMinutes = 60 24): string {\n const expires = new Date(Date.now() + ttlInMinutes * 60 * 1000).toUTCString();\n return `mcp_session_id=${sessionId}; Path=/; Expires=${expires}; HttpOnly; SameSite=Lax`;\n}\n\nexport function extractSessionFromCookie(cookie?: string): string \| undefined {\n if (!cookie) return undefined;\n const m = cookie.match(/(^\|;)\\smcp_session_id\\s=\\s([^;])/);\n return m ? m[2] : undefined;\n}\n"]}

package/src/auth/session/vault-encryption.d.ts ADDED Viewed

@@ -0,0 +1,189 @@
+/**
+ * Vault Encryption
+ *
+ * Client-side key derivation for zero-knowledge credential storage.
+ *
+ * Security Model:
+ * - The JWT authorization token contains a unique `jti` (JWT ID) claim
+ * - A secret portion of the token (or a derived key) is used as the encryption key
+ * - The server stores encrypted blobs in Redis but CANNOT decrypt them
+ * - Only the client presenting the valid JWT can decrypt their vault
+ *
+ * Key Derivation:
+ * - Input: JWT token (after signature verification)
+ * - Extract: jti + a secret claim (e.g., `vaultKey` or derived from signature)
+ * - Derive: HKDF-SHA256 to produce AES-256 key
+ *
+ * Encryption:
+ * - Algorithm: AES-256-GCM (authenticated encryption)
+ * - IV: Random 12 bytes per encryption (stored with ciphertext)
+ * - Auth Tag: 16 bytes (ensures integrity)
+ */
+import { z } from 'zod';
+/**
+ * Encrypted data format stored in Redis
+ */
+export declare const encryptedDataSchema: z.ZodObject<{
+    v: z.ZodLiteral<1>;
+    alg: z.ZodLiteral<"aes-256-gcm">;
+    iv: z.ZodString;
+    ct: z.ZodString;
+    tag: z.ZodString;
+}, z.core.$strip>;
+export type EncryptedData = z.infer<typeof encryptedDataSchema>;
+/**
+ * JWT claims required for key derivation
+ */
+export interface VaultKeyDerivationClaims {
+    /** JWT ID - unique identifier for this token/vault */
+    jti: string;
+    /** Vault key material - secret claim added during token generation */
+    vaultKey?: string;
+    /** Subject - user identifier */
+    sub: string;
+    /** Issued at timestamp */
+    iat: number;
+}
+/**
+ * Vault encryption configuration
+ */
+export interface VaultEncryptionConfig {
+    /**
+     * Server-side pepper added to key derivation
+     * This adds defense-in-depth: even with a stolen JWT,
+     * attacker needs the pepper to derive the key
+     */
+    pepper?: string;
+    /**
+     * Key derivation info string for HKDF
+     * Allows domain separation between different uses
+     */
+    hkdfInfo?: string;
+}
+/**
+ * VaultEncryption handles encryption/decryption of vault credentials
+ * using keys derived from the client's JWT authorization token.
+ *
+ * @example
+ * ```typescript
+ * const encryption = new VaultEncryption({ pepper: process.env.VAULT_PEPPER });
+ *
+ * // After JWT verification, derive the encryption key
+ * const key = encryption.deriveKey(jwtClaims);
+ *
+ * // Encrypt credentials before storing
+ * const encrypted = encryption.encrypt(JSON.stringify(credentials), key);
+ *
+ * // Decrypt when reading
+ * const decrypted = encryption.decrypt(encrypted, key);
+ * const credentials = JSON.parse(decrypted);
+ * ```
+ */
+export declare class VaultEncryption {
+    private readonly pepper;
+    private readonly hkdfInfo;
+    constructor(config?: VaultEncryptionConfig);
+    /**
+     * Derive an encryption key from JWT claims
+     *
+     * The key derivation uses HKDF-like construction:
+     * 1. Combine jti + vaultKey + sub + iat + pepper
+     * 2. Apply HMAC-SHA256 to derive a 256-bit key
+     *
+     * @param claims - JWT claims containing key material
+     * @returns 32-byte encryption key
+     */
+    deriveKey(claims: VaultKeyDerivationClaims): Buffer;
+    /**
+     * Derive a key directly from the raw JWT token string
+     *
+     * This is useful when you want to derive the key from the token
+     * before or without fully parsing the claims. Uses the token's
+     * signature portion as additional entropy.
+     *
+     * @param token - The raw JWT token string
+     * @param claims - Parsed JWT claims
+     * @returns 32-byte encryption key
+     */
+    deriveKeyFromToken(token: string, claims: VaultKeyDerivationClaims): Buffer;
+    /**
+     * Encrypt plaintext data using AES-256-GCM
+     *
+     * @param plaintext - Data to encrypt (typically JSON string)
+     * @param key - 32-byte encryption key from deriveKey()
+     * @returns Encrypted data object (safe to store in Redis)
+     */
+    encrypt(plaintext: string, key: Buffer): EncryptedData;
+    /**
+     * Decrypt encrypted data using AES-256-GCM
+     *
+     * @param encrypted - Encrypted data object from encrypt()
+     * @param key - 32-byte encryption key from deriveKey()
+     * @returns Decrypted plaintext
+     * @throws Error if decryption fails (wrong key, tampered data, etc.)
+     */
+    decrypt(encrypted: EncryptedData, key: Buffer): string;
+    /**
+     * Encrypt a JavaScript object (serializes to JSON first)
+     *
+     * @param data - Object to encrypt
+     * @param key - Encryption key
+     * @returns Encrypted data
+     */
+    encryptObject<T>(data: T, key: Buffer): EncryptedData;
+    /**
+     * Decrypt and parse a JavaScript object
+     *
+     * @param encrypted - Encrypted data
+     * @param key - Encryption key
+     * @returns Decrypted and parsed object
+     */
+    decryptObject<T>(encrypted: EncryptedData, key: Buffer): T;
+    /**
+     * Check if data is in encrypted format
+     *
+     * @param data - Data to check
+     * @returns True if data appears to be encrypted
+     */
+    isEncrypted(data: unknown): data is EncryptedData;
+}
+/**
+ * Vault entry with encrypted credentials
+ *
+ * The structure separates:
+ * - Metadata (unencrypted): id, userSub, timestamps, app lists
+ * - Sensitive data (encrypted): provider tokens, app credentials
+ */
+export declare const encryptedVaultEntrySchema: z.ZodObject<{
+    id: z.ZodString;
+    userSub: z.ZodString;
+    userEmail: z.ZodOptional<z.ZodString>;
+    userName: z.ZodOptional<z.ZodString>;
+    clientId: z.ZodString;
+    createdAt: z.ZodNumber;
+    lastAccessAt: z.ZodNumber;
+    encryptedData: z.ZodObject<{
+        v: z.ZodLiteral<1>;
+        alg: z.ZodLiteral<"aes-256-gcm">;
+        iv: z.ZodString;
+        ct: z.ZodString;
+        tag: z.ZodString;
+    }, z.core.$strip>;
+    authorizedAppIds: z.ZodArray<z.ZodString>;
+    skippedAppIds: z.ZodArray<z.ZodString>;
+    pendingAuthIds: z.ZodDefault<z.ZodArray<z.ZodString>>;
+}, z.core.$strip>;
+export type EncryptedVaultEntry = z.infer<typeof encryptedVaultEntrySchema>;
+/**
+ * Sensitive data that gets encrypted
+ */
+export interface VaultSensitiveData {
+    /** App credentials */
+    appCredentials: Record<string, unknown>;
+    /** Consent record */
+    consent?: unknown;
+    /** Federated login record */
+    federated?: unknown;
+    /** Pending auth details (URLs, scopes, etc.) */
+    pendingAuths: unknown[];
+}

package/src/auth/session/vault-encryption.js ADDED Viewed

@@ -0,0 +1,263 @@
+"use strict";
+/**
+ * Vault Encryption
+ *
+ * Client-side key derivation for zero-knowledge credential storage.
+ *
+ * Security Model:
+ * - The JWT authorization token contains a unique `jti` (JWT ID) claim
+ * - A secret portion of the token (or a derived key) is used as the encryption key
+ * - The server stores encrypted blobs in Redis but CANNOT decrypt them
+ * - Only the client presenting the valid JWT can decrypt their vault
+ *
+ * Key Derivation:
+ * - Input: JWT token (after signature verification)
+ * - Extract: jti + a secret claim (e.g., `vaultKey` or derived from signature)
+ * - Derive: HKDF-SHA256 to produce AES-256 key
+ *
+ * Encryption:
+ * - Algorithm: AES-256-GCM (authenticated encryption)
+ * - IV: Random 12 bytes per encryption (stored with ciphertext)
+ * - Auth Tag: 16 bytes (ensures integrity)
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.encryptedVaultEntrySchema = exports.VaultEncryption = exports.encryptedDataSchema = void 0;
+const node_crypto_1 = require("node:crypto");
+const zod_1 = require("zod");
+// ============================================
+// Types and Schemas
+// ============================================
+/**
+ * Encrypted data format stored in Redis
+ */
+exports.encryptedDataSchema = zod_1.z.object({
+    /** Version for future algorithm changes */
+    v: zod_1.z.literal(1),
+    /** Algorithm identifier */
+    alg: zod_1.z.literal('aes-256-gcm'),
+    /** Initialization vector (base64) */
+    iv: zod_1.z.string(),
+    /** Ciphertext (base64) */
+    ct: zod_1.z.string(),
+    /** Authentication tag (base64) */
+    tag: zod_1.z.string(),
+});
+// ============================================
+// Vault Encryption Class
+// ============================================
+/**
+ * VaultEncryption handles encryption/decryption of vault credentials
+ * using keys derived from the client's JWT authorization token.
+ *
+ * @example
+ * ```typescript
+ * const encryption = new VaultEncryption({ pepper: process.env.VAULT_PEPPER });
+ *
+ * // After JWT verification, derive the encryption key
+ * const key = encryption.deriveKey(jwtClaims);
+ *
+ * // Encrypt credentials before storing
+ * const encrypted = encryption.encrypt(JSON.stringify(credentials), key);
+ *
+ * // Decrypt when reading
+ * const decrypted = encryption.decrypt(encrypted, key);
+ * const credentials = JSON.parse(decrypted);
+ * ```
+ */
+class VaultEncryption {
+    pepper;
+    hkdfInfo;
+    constructor(config = {}) {
+        // Convert pepper to buffer, use empty if not provided
+        this.pepper = Buffer.from(config.pepper ?? '', 'utf8');
+        this.hkdfInfo = Buffer.from(config.hkdfInfo ?? 'frontmcp-vault-v1', 'utf8');
+    }
+    /**
+     * Derive an encryption key from JWT claims
+     *
+     * The key derivation uses HKDF-like construction:
+     * 1. Combine jti + vaultKey + sub + iat + pepper
+     * 2. Apply HMAC-SHA256 to derive a 256-bit key
+     *
+     * @param claims - JWT claims containing key material
+     * @returns 32-byte encryption key
+     */
+    deriveKey(claims) {
+        // Build the input key material (IKM)
+        // Using multiple claims ensures the key is unique per token
+        const ikm = Buffer.concat([
+            Buffer.from(claims.jti, 'utf8'),
+            Buffer.from(claims.vaultKey ?? '', 'utf8'),
+            Buffer.from(claims.sub, 'utf8'),
+            Buffer.from(claims.iat.toString(), 'utf8'),
+            this.pepper,
+        ]);
+        // HKDF-Extract: PRK = HMAC-SHA256(salt, IKM)
+        // Using hkdfInfo as salt for domain separation
+        const prk = (0, node_crypto_1.createHmac)('sha256', this.hkdfInfo).update(ikm).digest();
+        // HKDF-Expand: OKM = HMAC-SHA256(PRK, info || 0x01)
+        // We only need 32 bytes, so single iteration is sufficient
+        const okm = (0, node_crypto_1.createHmac)('sha256', prk)
+            .update(Buffer.concat([this.hkdfInfo, Buffer.from([0x01])]))
+            .digest();
+        return okm;
+    }
+    /**
+     * Derive a key directly from the raw JWT token string
+     *
+     * This is useful when you want to derive the key from the token
+     * before or without fully parsing the claims. Uses the token's
+     * signature portion as additional entropy.
+     *
+     * @param token - The raw JWT token string
+     * @param claims - Parsed JWT claims
+     * @returns 32-byte encryption key
+     */
+    deriveKeyFromToken(token, claims) {
+        // Extract signature from JWT (last part after final dot)
+        const parts = token.split('.');
+        const signature = parts[2] ?? '';
+        // Include signature in key derivation for additional entropy
+        const ikm = Buffer.concat([
+            Buffer.from(claims.jti, 'utf8'),
+            Buffer.from(claims.vaultKey ?? '', 'utf8'),
+            Buffer.from(claims.sub, 'utf8'),
+            Buffer.from(claims.iat.toString(), 'utf8'),
+            Buffer.from(signature, 'utf8'),
+            this.pepper,
+        ]);
+        const prk = (0, node_crypto_1.createHmac)('sha256', this.hkdfInfo).update(ikm).digest();
+        const okm = (0, node_crypto_1.createHmac)('sha256', prk)
+            .update(Buffer.concat([this.hkdfInfo, Buffer.from([0x01])]))
+            .digest();
+        return okm;
+    }
+    /**
+     * Encrypt plaintext data using AES-256-GCM
+     *
+     * @param plaintext - Data to encrypt (typically JSON string)
+     * @param key - 32-byte encryption key from deriveKey()
+     * @returns Encrypted data object (safe to store in Redis)
+     */
+    encrypt(plaintext, key) {
+        if (key.length !== 32) {
+            throw new Error('Encryption key must be 32 bytes');
+        }
+        // Generate random 12-byte IV (recommended for GCM)
+        const iv = (0, node_crypto_1.randomBytes)(12);
+        // Create cipher
+        const cipher = (0, node_crypto_1.createCipheriv)('aes-256-gcm', key, iv);
+        // Encrypt
+        const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
+        // Get authentication tag
+        const tag = cipher.getAuthTag();
+        return {
+            v: 1,
+            alg: 'aes-256-gcm',
+            iv: iv.toString('base64'),
+            ct: ciphertext.toString('base64'),
+            tag: tag.toString('base64'),
+        };
+    }
+    /**
+     * Decrypt encrypted data using AES-256-GCM
+     *
+     * @param encrypted - Encrypted data object from encrypt()
+     * @param key - 32-byte encryption key from deriveKey()
+     * @returns Decrypted plaintext
+     * @throws Error if decryption fails (wrong key, tampered data, etc.)
+     */
+    decrypt(encrypted, key) {
+        if (key.length !== 32) {
+            throw new Error('Encryption key must be 32 bytes');
+        }
+        // Validate encrypted data format
+        const parsed = exports.encryptedDataSchema.safeParse(encrypted);
+        if (!parsed.success) {
+            throw new Error('Invalid encrypted data format');
+        }
+        const { iv, ct, tag } = parsed.data;
+        // Decode from base64
+        const ivBuffer = Buffer.from(iv, 'base64');
+        const ciphertext = Buffer.from(ct, 'base64');
+        const tagBuffer = Buffer.from(tag, 'base64');
+        // Create decipher
+        const decipher = (0, node_crypto_1.createDecipheriv)('aes-256-gcm', key, ivBuffer);
+        decipher.setAuthTag(tagBuffer);
+        // Decrypt
+        try {
+            const plaintext = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
+            return plaintext.toString('utf8');
+        }
+        catch (error) {
+            // GCM authentication failed - wrong key or tampered data
+            throw new Error('Decryption failed: invalid key or corrupted data');
+        }
+    }
+    /**
+     * Encrypt a JavaScript object (serializes to JSON first)
+     *
+     * @param data - Object to encrypt
+     * @param key - Encryption key
+     * @returns Encrypted data
+     */
+    encryptObject(data, key) {
+        return this.encrypt(JSON.stringify(data), key);
+    }
+    /**
+     * Decrypt and parse a JavaScript object
+     *
+     * @param encrypted - Encrypted data
+     * @param key - Encryption key
+     * @returns Decrypted and parsed object
+     */
+    decryptObject(encrypted, key) {
+        const plaintext = this.decrypt(encrypted, key);
+        return JSON.parse(plaintext);
+    }
+    /**
+     * Check if data is in encrypted format
+     *
+     * @param data - Data to check
+     * @returns True if data appears to be encrypted
+     */
+    isEncrypted(data) {
+        return exports.encryptedDataSchema.safeParse(data).success;
+    }
+}
+exports.VaultEncryption = VaultEncryption;
+// ============================================
+// Encrypted Vault Entry Schema
+// ============================================
+/**
+ * Vault entry with encrypted credentials
+ *
+ * The structure separates:
+ * - Metadata (unencrypted): id, userSub, timestamps, app lists
+ * - Sensitive data (encrypted): provider tokens, app credentials
+ */
+exports.encryptedVaultEntrySchema = zod_1.z.object({
+    /** Vault ID (maps to JWT jti claim) */
+    id: zod_1.z.string(),
+    /** User subject identifier */
+    userSub: zod_1.z.string(),
+    /** User email (unencrypted for display) */
+    userEmail: zod_1.z.string().optional(),
+    /** User name (unencrypted for display) */
+    userName: zod_1.z.string().optional(),
+    /** Client ID that created this session */
+    clientId: zod_1.z.string(),
+    /** Creation timestamp */
+    createdAt: zod_1.z.number(),
+    /** Last access timestamp */
+    lastAccessAt: zod_1.z.number(),
+    /** Encrypted sensitive data (provider tokens, credentials, consent) */
+    encryptedData: exports.encryptedDataSchema,
+    /** Apps that are fully authorized (unencrypted for quick lookup) */
+    authorizedAppIds: zod_1.z.array(zod_1.z.string()),
+    /** Apps that were skipped (unencrypted for quick lookup) */
+    skippedAppIds: zod_1.z.array(zod_1.z.string()),
+    /** Pending auth IDs (unencrypted for lookup, actual URLs encrypted) */
+    pendingAuthIds: zod_1.z.array(zod_1.z.string()).default([]),
+});
+//# sourceMappingURL=vault-encryption.js.map

package/src/auth/session/vault-encryption.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"vault-encryption.js","sourceRoot":"","sources":["../../../../src/auth/session/vault-encryption.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;;;AAEH,6CAAwF;AACxF,6BAAwB;AAExB,+CAA+C;AAC/C,oBAAoB;AACpB,+CAA+C;AAE/C;;GAEG;AACU,QAAA,mBAAmB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC1C,2CAA2C;IAC3C,CAAC,EAAE,OAAC,CAAC,OAAO,CAAC,CAAC,CAAC;IACf,2BAA2B;IAC3B,GAAG,EAAE,OAAC,CAAC,OAAO,CAAC,aAAa,CAAC;IAC7B,qCAAqC;IACrC,EAAE,EAAE,OAAC,CAAC,MAAM,EAAE;IACd,0BAA0B;IAC1B,EAAE,EAAE,OAAC,CAAC,MAAM,EAAE;IACd,kCAAkC;IAClC,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE;CAChB,CAAC,CAAC;AAmCH,+CAA+C;AAC/C,yBAAyB;AACzB,+CAA+C;AAE/C;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAa,eAAe;IACT,MAAM,CAAS;IACf,QAAQ,CAAS;IAElC,YAAY,SAAgC,EAAE;QAC5C,sDAAsD;QACtD,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,IAAI,EAAE,EAAE,MAAM,CAAC,CAAC;QACvD,IAAI,CAAC,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,IAAI,mBAAmB,EAAE,MAAM,CAAC,CAAC;IAC9E,CAAC;IAED;;;;;;;;;OASG;IACH,SAAS,CAAC,MAAgC;QACxC,qCAAqC;QACrC,4DAA4D;QAC5D,MAAM,GAAG,GAAG,MAAM,CAAC,MAAM,CAAC;YACxB,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,MAAM,CAAC;YAC/B,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,IAAI,EAAE,EAAE,MAAM,CAAC;YAC1C,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,MAAM,CAAC;YAC/B,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,QAAQ,EAAE,EAAE,MAAM,CAAC;YAC1C,IAAI,CAAC,MAAM;SACZ,CAAC,CAAC;QAEH,6CAA6C;QAC7C,+CAA+C;QAC/C,MAAM,GAAG,GAAG,IAAA,wBAAU,EAAC,QAAQ,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC;QAErE,oDAAoD;QACpD,2DAA2D;QAC3D,MAAM,GAAG,GAAG,IAAA,wBAAU,EAAC,QAAQ,EAAE,GAAG,CAAC;aAClC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,QAAQ,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;aAC3D,MAAM,EAAE,CAAC;QAEZ,OAAO,GAAG,CAAC;IACb,CAAC;IAED;;;;;;;;;;OAUG;IACH,kBAAkB,CAAC,KAAa,EAAE,MAAgC;QAChE,yDAAyD;QACzD,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC/B,MAAM,SAAS,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QAEjC,6DAA6D;QAC7D,MAAM,GAAG,GAAG,MAAM,CAAC,MAAM,CAAC;YACxB,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,MAAM,CAAC;YAC/B,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,IAAI,EAAE,EAAE,MAAM,CAAC;YAC1C,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,MAAM,CAAC;YAC/B,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,QAAQ,EAAE,EAAE,MAAM,CAAC;YAC1C,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,MAAM,CAAC;YAC9B,IAAI,CAAC,MAAM;SACZ,CAAC,CAAC;QAEH,MAAM,GAAG,GAAG,IAAA,wBAAU,EAAC,QAAQ,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC;QACrE,MAAM,GAAG,GAAG,IAAA,wBAAU,EAAC,QAAQ,EAAE,GAAG,CAAC;aAClC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,QAAQ,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;aAC3D,MAAM,EAAE,CAAC;QAEZ,OAAO,GAAG,CAAC;IACb,CAAC;IAED;;;;;;OAMG;IACH,OAAO,CAAC,SAAiB,EAAE,GAAW;QACpC,IAAI,GAAG,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;YACtB,MAAM,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAC;QACrD,CAAC;QAED,mDAAmD;QACnD,MAAM,EAAE,GAAG,IAAA,yBAAW,EAAC,EAAE,CAAC,CAAC;QAE3B,gBAAgB;QAChB,MAAM,MAAM,GAAG,IAAA,4BAAc,EAAC,aAAa,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;QAEtD,UAAU;QACV,MAAM,UAAU,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;QAErF,yBAAyB;QACzB,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;QAEhC,OAAO;YACL,CAAC,EAAE,CAAC;YACJ,GAAG,EAAE,aAAa;YAClB,EAAE,EAAE,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC;YACzB,EAAE,EAAE,UAAU,CAAC,QAAQ,CAAC,QAAQ,CAAC;YACjC,GAAG,EAAE,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC;SAC5B,CAAC;IACJ,CAAC;IAED;;;;;;;OAOG;IACH,OAAO,CAAC,SAAwB,EAAE,GAAW;QAC3C,IAAI,GAAG,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;YACtB,MAAM,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAC;QACrD,CAAC;QAED,iCAAiC;QACjC,MAAM,MAAM,GAAG,2BAAmB,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;QACxD,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YACpB,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC;QACnD,CAAC;QAED,MAAM,EAAE,EAAE,EAAE,EAAE,EAAE,GAAG,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC;QAEpC,qBAAqB;QACrB,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC;QAC3C,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC;QAC7C,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;QAE7C,kBAAkB;QAClB,MAAM,QAAQ,GAAG,IAAA,8BAAgB,EAAC,aAAa,EAAE,GAAG,EAAE,QAAQ,CAAC,CAAC;QAChE,QAAQ,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC;QAE/B,UAAU;QACV,IAAI,CAAC;YACH,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,UAAU,CAAC,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;YAEjF,OAAO,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QACpC,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,yDAAyD;YACzD,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAC;QACtE,CAAC;IACH,CAAC;IAED;;;;;;OAMG;IACH,aAAa,CAAI,IAAO,EAAE,GAAW;QACnC,OAAO,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE,GAAG,CAAC,CAAC;IACjD,CAAC;IAED;;;;;;OAMG;IACH,aAAa,CAAI,SAAwB,EAAE,GAAW;QACpD,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;QAC/C,OAAO,IAAI,CAAC,KAAK,CAAC,SAAS,CAAM,CAAC;IACpC,CAAC;IAED;;;;;OAKG;IACH,WAAW,CAAC,IAAa;QACvB,OAAO,2BAAmB,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC;IACrD,CAAC;CACF;AAxLD,0CAwLC;AAED,+CAA+C;AAC/C,+BAA+B;AAC/B,+CAA+C;AAE/C;;;;;;GAMG;AACU,QAAA,yBAAyB,GAAG,OAAC,CAAC,MAAM,CAAC;IAChD,uCAAuC;IACvC,EAAE,EAAE,OAAC,CAAC,MAAM,EAAE;IACd,8BAA8B;IAC9B,OAAO,EAAE,OAAC,CAAC,MAAM,EAAE;IACnB,2CAA2C;IAC3C,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAChC,0CAA0C;IAC1C,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC/B,0CAA0C;IAC1C,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE;IACpB,yBAAyB;IACzB,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE;IACrB,4BAA4B;IAC5B,YAAY,EAAE,OAAC,CAAC,MAAM,EAAE;IACxB,uEAAuE;IACvE,aAAa,EAAE,2BAAmB;IAClC,oEAAoE;IACpE,gBAAgB,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC;IACrC,4DAA4D;IAC5D,aAAa,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC;IAClC,uEAAuE;IACvE,cAAc,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC;CAChD,CAAC,CAAC","sourcesContent":["/**\n * Vault Encryption\n *\n * Client-side key derivation for zero-knowledge credential storage.\n *\n * Security Model:\n * - The JWT authorization token contains a unique `jti` (JWT ID) claim\n * - A secret portion of the token (or a derived key) is used as the encryption key\n * - The server stores encrypted blobs in Redis but CANNOT decrypt them\n * - Only the client presenting the valid JWT can decrypt their vault\n *\n * Key Derivation:\n * - Input: JWT token (after signature verification)\n * - Extract: jti + a secret claim (e.g., `vaultKey` or derived from signature)\n * - Derive: HKDF-SHA256 to produce AES-256 key\n *\n * Encryption:\n * - Algorithm: AES-256-GCM (authenticated encryption)\n * - IV: Random 12 bytes per encryption (stored with ciphertext)\n * - Auth Tag: 16 bytes (ensures integrity)\n */\n\nimport { createCipheriv, createDecipheriv, randomBytes, createHmac } from 'node:crypto';\nimport { z } from 'zod';\n\n// ============================================\n// Types and Schemas\n// ============================================\n\n/**\n * Encrypted data format stored in Redis\n */\nexport const encryptedDataSchema = z.object({\n /** Version for future algorithm changes */\n v: z.literal(1),\n /** Algorithm identifier */\n alg: z.literal('aes-256-gcm'),\n /** Initialization vector (base64) */\n iv: z.string(),\n /** Ciphertext (base64) */\n ct: z.string(),\n /** Authentication tag (base64) */\n tag: z.string(),\n});\n\nexport type EncryptedData = z.infer<typeof encryptedDataSchema>;\n\n/**\n * JWT claims required for key derivation\n */\nexport interface VaultKeyDerivationClaims {\n /** JWT ID - unique identifier for this token/vault */\n jti: string;\n /** Vault key material - secret claim added during token generation */\n vaultKey?: string;\n /** Subject - user identifier */\n sub: string;\n /** Issued at timestamp */\n iat: number;\n}\n\n/**\n * Vault encryption configuration\n */\nexport interface VaultEncryptionConfig {\n /**\n * Server-side pepper added to key derivation\n * This adds defense-in-depth: even with a stolen JWT,\n * attacker needs the pepper to derive the key\n */\n pepper?: string;\n /**\n * Key derivation info string for HKDF\n * Allows domain separation between different uses\n */\n hkdfInfo?: string;\n}\n\n// ============================================\n// Vault Encryption Class\n// ============================================\n\n/**\n * VaultEncryption handles encryption/decryption of vault credentials\n * using keys derived from the client's JWT authorization token.\n *\n * @example\n * ```typescript\n * const encryption = new VaultEncryption({ pepper: process.env.VAULT_PEPPER });\n *\n * // After JWT verification, derive the encryption key\n * const key = encryption.deriveKey(jwtClaims);\n *\n * // Encrypt credentials before storing\n * const encrypted = encryption.encrypt(JSON.stringify(credentials), key);\n *\n * // Decrypt when reading\n * const decrypted = encryption.decrypt(encrypted, key);\n * const credentials = JSON.parse(decrypted);\n * ```\n */\nexport class VaultEncryption {\n private readonly pepper: Buffer;\n private readonly hkdfInfo: Buffer;\n\n constructor(config: VaultEncryptionConfig = {}) {\n // Convert pepper to buffer, use empty if not provided\n this.pepper = Buffer.from(config.pepper ?? '', 'utf8');\n this.hkdfInfo = Buffer.from(config.hkdfInfo ?? 'frontmcp-vault-v1', 'utf8');\n }\n\n /**\n * Derive an encryption key from JWT claims\n *\n * The key derivation uses HKDF-like construction:\n * 1. Combine jti + vaultKey + sub + iat + pepper\n * 2. Apply HMAC-SHA256 to derive a 256-bit key\n *\n * @param claims - JWT claims containing key material\n * @returns 32-byte encryption key\n */\n deriveKey(claims: VaultKeyDerivationClaims): Buffer {\n // Build the input key material (IKM)\n // Using multiple claims ensures the key is unique per token\n const ikm = Buffer.concat([\n Buffer.from(claims.jti, 'utf8'),\n Buffer.from(claims.vaultKey ?? '', 'utf8'),\n Buffer.from(claims.sub, 'utf8'),\n Buffer.from(claims.iat.toString(), 'utf8'),\n this.pepper,\n ]);\n\n // HKDF-Extract: PRK = HMAC-SHA256(salt, IKM)\n // Using hkdfInfo as salt for domain separation\n const prk = createHmac('sha256', this.hkdfInfo).update(ikm).digest();\n\n // HKDF-Expand: OKM = HMAC-SHA256(PRK, info || 0x01)\n // We only need 32 bytes, so single iteration is sufficient\n const okm = createHmac('sha256', prk)\n .update(Buffer.concat([this.hkdfInfo, Buffer.from([0x01])]))\n .digest();\n\n return okm;\n }\n\n /**\n * Derive a key directly from the raw JWT token string\n *\n * This is useful when you want to derive the key from the token\n * before or without fully parsing the claims. Uses the token's\n * signature portion as additional entropy.\n *\n * @param token - The raw JWT token string\n * @param claims - Parsed JWT claims\n * @returns 32-byte encryption key\n */\n deriveKeyFromToken(token: string, claims: VaultKeyDerivationClaims): Buffer {\n // Extract signature from JWT (last part after final dot)\n const parts = token.split('.');\n const signature = parts[2] ?? '';\n\n // Include signature in key derivation for additional entropy\n const ikm = Buffer.concat([\n Buffer.from(claims.jti, 'utf8'),\n Buffer.from(claims.vaultKey ?? '', 'utf8'),\n Buffer.from(claims.sub, 'utf8'),\n Buffer.from(claims.iat.toString(), 'utf8'),\n Buffer.from(signature, 'utf8'),\n this.pepper,\n ]);\n\n const prk = createHmac('sha256', this.hkdfInfo).update(ikm).digest();\n const okm = createHmac('sha256', prk)\n .update(Buffer.concat([this.hkdfInfo, Buffer.from([0x01])]))\n .digest();\n\n return okm;\n }\n\n /**\n * Encrypt plaintext data using AES-256-GCM\n *\n * @param plaintext - Data to encrypt (typically JSON string)\n * @param key - 32-byte encryption key from deriveKey()\n * @returns Encrypted data object (safe to store in Redis)\n */\n encrypt(plaintext: string, key: Buffer): EncryptedData {\n if (key.length !== 32) {\n throw new Error('Encryption key must be 32 bytes');\n }\n\n // Generate random 12-byte IV (recommended for GCM)\n const iv = randomBytes(12);\n\n // Create cipher\n const cipher = createCipheriv('aes-256-gcm', key, iv);\n\n // Encrypt\n const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);\n\n // Get authentication tag\n const tag = cipher.getAuthTag();\n\n return {\n v: 1,\n alg: 'aes-256-gcm',\n iv: iv.toString('base64'),\n ct: ciphertext.toString('base64'),\n tag: tag.toString('base64'),\n };\n }\n\n /**\n * Decrypt encrypted data using AES-256-GCM\n *\n * @param encrypted - Encrypted data object from encrypt()\n * @param key - 32-byte encryption key from deriveKey()\n * @returns Decrypted plaintext\n * @throws Error if decryption fails (wrong key, tampered data, etc.)\n */\n decrypt(encrypted: EncryptedData, key: Buffer): string {\n if (key.length !== 32) {\n throw new Error('Encryption key must be 32 bytes');\n }\n\n // Validate encrypted data format\n const parsed = encryptedDataSchema.safeParse(encrypted);\n if (!parsed.success) {\n throw new Error('Invalid encrypted data format');\n }\n\n const { iv, ct, tag } = parsed.data;\n\n // Decode from base64\n const ivBuffer = Buffer.from(iv, 'base64');\n const ciphertext = Buffer.from(ct, 'base64');\n const tagBuffer = Buffer.from(tag, 'base64');\n\n // Create decipher\n const decipher = createDecipheriv('aes-256-gcm', key, ivBuffer);\n decipher.setAuthTag(tagBuffer);\n\n // Decrypt\n try {\n const plaintext = Buffer.concat([decipher.update(ciphertext), decipher.final()]);\n\n return plaintext.toString('utf8');\n } catch (error) {\n // GCM authentication failed - wrong key or tampered data\n throw new Error('Decryption failed: invalid key or corrupted data');\n }\n }\n\n /**\n * Encrypt a JavaScript object (serializes to JSON first)\n *\n * @param data - Object to encrypt\n * @param key - Encryption key\n * @returns Encrypted data\n */\n encryptObject<T>(data: T, key: Buffer): EncryptedData {\n return this.encrypt(JSON.stringify(data), key);\n }\n\n /**\n * Decrypt and parse a JavaScript object\n *\n * @param encrypted - Encrypted data\n * @param key - Encryption key\n * @returns Decrypted and parsed object\n */\n decryptObject<T>(encrypted: EncryptedData, key: Buffer): T {\n const plaintext = this.decrypt(encrypted, key);\n return JSON.parse(plaintext) as T;\n }\n\n /**\n * Check if data is in encrypted format\n *\n * @param data - Data to check\n * @returns True if data appears to be encrypted\n */\n isEncrypted(data: unknown): data is EncryptedData {\n return encryptedDataSchema.safeParse(data).success;\n }\n}\n\n// ============================================\n// Encrypted Vault Entry Schema\n// ============================================\n\n/**\n * Vault entry with encrypted credentials\n *\n * The structure separates:\n * - Metadata (unencrypted): id, userSub, timestamps, app lists\n * - Sensitive data (encrypted): provider tokens, app credentials\n */\nexport const encryptedVaultEntrySchema = z.object({\n /** Vault ID (maps to JWT jti claim) */\n id: z.string(),\n /** User subject identifier */\n userSub: z.string(),\n /** User email (unencrypted for display) */\n userEmail: z.string().optional(),\n /** User name (unencrypted for display) */\n userName: z.string().optional(),\n /** Client ID that created this session */\n clientId: z.string(),\n /** Creation timestamp */\n createdAt: z.number(),\n /** Last access timestamp */\n lastAccessAt: z.number(),\n /** Encrypted sensitive data (provider tokens, credentials, consent) */\n encryptedData: encryptedDataSchema,\n /** Apps that are fully authorized (unencrypted for quick lookup) */\n authorizedAppIds: z.array(z.string()),\n /** Apps that were skipped (unencrypted for quick lookup) */\n skippedAppIds: z.array(z.string()),\n /** Pending auth IDs (unencrypted for lookup, actual URLs encrypted) */\n pendingAuthIds: z.array(z.string()).default([]),\n});\n\nexport type EncryptedVaultEntry = z.infer<typeof encryptedVaultEntrySchema>;\n\n/**\n * Sensitive data that gets encrypted\n */\nexport interface VaultSensitiveData {\n /** App credentials */\n appCredentials: Record<string, unknown>;\n /** Consent record */\n consent?: unknown;\n /** Federated login record */\n federated?: unknown;\n /** Pending auth details (URLs, scopes, etc.) */\n pendingAuths: unknown[];\n}\n"]}