@frontmcp/sdk 0.4.1 → 0.5.0

package/src/common/types/options/auth.options.d.ts

@@ -1,513 +1,1036 @@
 import { z } from 'zod';
-import { JSONWebKeySet, JWK } from '../auth';
-export type RemoteAuthOptions = {
-    type: 'remote';
-    /**
-     * unique id for the provider
-     */
-    id?: string;
-    /**
-     * human-readable name for the provider
-     */
-    name: string;
-    /**
-     * base url of the provider
-     * if the provider does not support dcr it will be used with local auth provider proxy
-     * to register client dynamically you have to provide client id for the registration flow
-     * @example https://my-company.frontegg.com
-     */
-    baseUrl: string;
-    /**
-     * enable dynamic client registration (DCR) flow, if your provider does not support DCR
-     * you can set this to false and provide clientId for authorization flow, we will use local auth provider proxy
-     * to register a dynamic client with the provided clientId or by called clientId function with client info
-     * by default, the provider will use the registration endpoint to register the client dynamically
-     */
-    dcrEnabled?: boolean;
-    /**
-     * Only used if your auth provider does not support DCR.
-     * for Dcr auth provider the client id acquired by the registration flow
-     */
-    clientId?: string | ((clientInfo: {
-        clientId: string;
-    }) => string);
-    /**
-     * Set default gateway oauth server mode, this will be overridden by discovery flow.
-     * if set to transparent and the discovery flow detect orchestrated mode it will switch to orchestrated mode
-     * @default 'transparent'
-     */
-    mode?: 'orchestrated' | 'transparent';
-    /**
-     * allow anonymous access to the provider
-     * @default false - allowing anonymous access will make the provider to issue an orchestrated token
-     */
-    allowAnonymous?: boolean;
-    /**
-     * allow consent mode to select tools/resource/prompts after authorization
-     * for scoped based access token
-     * @default false - allowing anonymous access will make the provider to issue an orchestrated token
-     */
-    consent?: boolean;
-    /**
-     * scopes for the token endpoint
-     * @default undefined - all scopes supported by th provider
-     */
-    scopes?: string[];
-    /**
-     * authorization provider supported grant types, currently only authorization_code and refresh_token are supported
-     * @default undefined - default is what presented in the /.well-known/oauth-authorization-server
-     */
-    grantTypes?: ('authorization_code' | 'refresh_token')[];
-    /**
-     * authorization endpoint for the provider
-     * @default undefined - default is what presented in the /.well-known/oauth-authorization-server
-     */
-    authEndpoint?: string;
-    /**
-     * token endpoint for the provider
-     * @default undefined - default is what presented in the /.well-known/oauth-authorization-server
-     */
-    tokenEndpoint?: string;
-    /**
-     * registration endpoint for the provider (DCR)
-     * @default undefined - default is what presented in the /.well-known/oauth-authorization-server
-     */
-    registrationEndpoint?: string;
-    /**
-     * user info endpoint for the provider
-     * @default undefined - default is what presented in the /.well-known/oauth-authorization-server
-     */
-    userInfoEndpoint?: string;
-    /**
-     * Inline JWKS for the provider to verify tokens without automatic fetching
-     * @default undefined - default is what presented in the /.well-known/jwks.json
-     */
-    jwks?: JSONWebKeySet;
-    /**
-     * jwks uri for the provider
-     * @default undefined - default is what presented in the /.well-known/oauth-authorization-server
-     */
-    jwksUri?: string;
-};
-export declare const remoteAuthOptionsSchema: z.ZodObject<{
-    type: z.ZodLiteral<"remote">;
+import { JWK } from '../auth';
+/**
+ * Public access configuration for tools/prompts
+ */
+export declare const publicAccessConfigSchema: z.ZodObject<{
+    tools: z.ZodDefault<z.ZodUnion<readonly [z.ZodLiteral<"all">, z.ZodArray<z.ZodString>]>>;
+    prompts: z.ZodDefault<z.ZodUnion<readonly [z.ZodLiteral<"all">, z.ZodArray<z.ZodString>]>>;
+    rateLimit: z.ZodDefault<z.ZodNumber>;
+}, z.core.$strip>;
+/**
+ * Local signing configuration (for orchestrated local type)
+ */
+export declare const localSigningConfigSchema: z.ZodObject<{
+    signKey: z.ZodOptional<z.ZodUnion<[z.ZodType<JWK, unknown, z.core.$ZodTypeInternals<JWK, unknown>>, z.ZodCustom<Uint8Array<ArrayBuffer>, Uint8Array<ArrayBuffer>>]>>;
+    jwks: z.ZodOptional<z.ZodObject<{
+        keys: z.ZodArray<z.ZodType<JWK, unknown, z.core.$ZodTypeInternals<JWK, unknown>>>;
+    }, z.core.$strip>>;
+    issuer: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>;
+/**
+ * Remote OAuth provider configuration (for orchestrated remote and transparent)
+ */
+export declare const remoteProviderConfigSchema: z.ZodObject<{
+    provider: z.ZodString;
+    name: z.ZodOptional<z.ZodString>;
     id: z.ZodOptional<z.ZodString>;
-    name: z.ZodString;
-    baseUrl: z.ZodString;
-    dcrEnabled: z.ZodOptional<z.ZodBoolean>;
-    clientId: z.ZodOptional<z.ZodUnion<[z.ZodString, z.ZodFunction<z.ZodTuple<[z.ZodObject<{
-        clientId: z.ZodString;
-    }, "strip", z.ZodTypeAny, {
-        clientId: string;
-    }, {
-        clientId: string;
-    }>], z.ZodUnknown>, z.ZodString>]>>;
-    mode: z.ZodOptional<z.ZodUnion<[z.ZodLiteral<"orchestrated">, z.ZodLiteral<"transparent">]>>;
-    allowAnonymous: z.ZodOptional<z.ZodBoolean>;
-    consent: z.ZodOptional<z.ZodBoolean>;
     jwks: z.ZodOptional<z.ZodObject<{
-        keys: z.ZodArray<z.ZodType<JWK, z.ZodTypeDef, JWK>, "many">;
-    }, "strip", z.ZodTypeAny, {
-        keys: JWK[];
-    }, {
-        keys: JWK[];
-    }>>;
-    scopes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
-    grantTypes: z.ZodOptional<z.ZodArray<z.ZodUnion<[z.ZodLiteral<"authorization_code">, z.ZodLiteral<"refresh_token">]>, "many">>;
+        keys: z.ZodArray<z.ZodType<JWK, unknown, z.core.$ZodTypeInternals<JWK, unknown>>>;
+    }, z.core.$strip>>;
+    jwksUri: z.ZodOptional<z.ZodString>;
+    clientId: z.ZodOptional<z.ZodString>;
+    clientSecret: z.ZodOptional<z.ZodString>;
+    scopes: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    dcrEnabled: z.ZodDefault<z.ZodBoolean>;
     authEndpoint: z.ZodOptional<z.ZodString>;
     tokenEndpoint: z.ZodOptional<z.ZodString>;
     registrationEndpoint: z.ZodOptional<z.ZodString>;
     userInfoEndpoint: z.ZodOptional<z.ZodString>;
-    jwksUri: z.ZodOptional<z.ZodString>;
-}, "strip", z.ZodTypeAny, {
-    type: "remote";
-    name: string;
-    baseUrl: string;
-    id?: string | undefined;
-    dcrEnabled?: boolean | undefined;
-    clientId?: string | ((args_0: {
-        clientId: string;
-    }, ...args: unknown[]) => string) | undefined;
-    mode?: "orchestrated" | "transparent" | undefined;
-    allowAnonymous?: boolean | undefined;
-    consent?: boolean | undefined;
-    scopes?: string[] | undefined;
-    grantTypes?: ("authorization_code" | "refresh_token")[] | undefined;
-    authEndpoint?: string | undefined;
-    tokenEndpoint?: string | undefined;
-    registrationEndpoint?: string | undefined;
-    userInfoEndpoint?: string | undefined;
-    jwks?: {
-        keys: JWK[];
-    } | undefined;
-    jwksUri?: string | undefined;
-}, {
-    type: "remote";
-    name: string;
-    baseUrl: string;
-    id?: string | undefined;
-    dcrEnabled?: boolean | undefined;
-    clientId?: string | ((args_0: {
-        clientId: string;
-    }, ...args: unknown[]) => string) | undefined;
-    mode?: "orchestrated" | "transparent" | undefined;
-    allowAnonymous?: boolean | undefined;
-    consent?: boolean | undefined;
-    scopes?: string[] | undefined;
-    grantTypes?: ("authorization_code" | "refresh_token")[] | undefined;
-    authEndpoint?: string | undefined;
-    tokenEndpoint?: string | undefined;
-    registrationEndpoint?: string | undefined;
-    userInfoEndpoint?: string | undefined;
-    jwks?: {
-        keys: JWK[];
-    } | undefined;
-    jwksUri?: string | undefined;
+}, z.core.$strip>;
+/**
+ * Token storage configuration for orchestrated mode
+ */
+export declare const tokenStorageConfigSchema: z.ZodDiscriminatedUnion<[z.ZodObject<{
+    type: z.ZodLiteral<"memory">;
+}, z.core.$strip>, z.ZodObject<{
+    type: z.ZodLiteral<"redis">;
+    config: z.ZodObject<{
+        host: z.ZodString;
+        port: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
+        password: z.ZodOptional<z.ZodString>;
+        db: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
+        tls: z.ZodDefault<z.ZodOptional<z.ZodBoolean>>;
+        keyPrefix: z.ZodDefault<z.ZodOptional<z.ZodString>>;
+    }, z.core.$strip>;
+}, z.core.$strip>], "type">;
+/**
+ * Token refresh configuration
+ */
+export declare const tokenRefreshConfigSchema: z.ZodObject<{
+    enabled: z.ZodDefault<z.ZodBoolean>;
+    skewSeconds: z.ZodDefault<z.ZodNumber>;
+}, z.core.$strip>;
+/**
+ * Behavior when a tool from a skipped (not yet authorized) app is called
+ */
+export declare const skippedAppBehaviorSchema: z.ZodEnum<{
+    anonymous: "anonymous";
+    "require-auth": "require-auth";
 }>;
-export type LocalAuthOptions = {
-    type: 'local';
-    /**
-     * unique id for the provider
-     */
-    id: string;
-    /**
-     * human-readable name for the provider
-     */
-    name: string;
-    /**
-     * scopes for the token endpoint
-     * @default undefined - all scopes supported by th provider
-     */
-    scopes?: string[];
-    /**
-     * currently only authorization_code and refresh_token are supported
-     * @default ['authorization_code', 'refresh_token']
-     */
-    grantTypes?: ('authorization_code' | 'refresh_token')[];
-    /**
-     * allow anonymous access to the provider
-     * in this case the provider will act as an authorization server
-     * @default true
-     */
-    allowAnonymous?: boolean;
-    /**
-     * allow consent mode to select tools/resource/prompts after authorization
-     * for scoped based access token
-     * @default false - allowing anonymous access will make the provider to issue an orchestrated token
-     */
-    consent?: boolean;
-    /**
-     * Inline JWKS for the provider to verify tokens for local provider
-     * it will also used in /.well-known/jwks.json
-     * @default undefined - default is auto generated keys and saved in the temp folder
-     */
-    jwks?: JSONWebKeySet;
-    /**
-     * private key signing tokens for local provider
-     * @default undefined - default is auto generated keys and saved in the temp folder
-     */
-    signKey?: JWK | Uint8Array;
-};
-export declare const localAuthOptionsSchema: z.ZodObject<{
-    type: z.ZodLiteral<"local">;
-    id: z.ZodString;
-    name: z.ZodString;
-    scopes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
-    grantTypes: z.ZodOptional<z.ZodArray<z.ZodUnion<[z.ZodLiteral<"authorization_code">, z.ZodLiteral<"refresh_token">]>, "many">>;
-    allowAnonymous: z.ZodOptional<z.ZodBoolean>;
-    consent: z.ZodOptional<z.ZodBoolean>;
+/**
+ * Consent configuration for tool selection
+ * Allows users to choose which MCP tools to expose to the LLM
+ *
+ * Note: This schema is the canonical definition. It is duplicated in
+ * auth/consent/consent.types.ts for domain-specific use. Both schemas
+ * MUST be kept in sync. The duplication exists to avoid circular
+ * dependencies between common/ and auth/ modules.
+ */
+export declare const consentConfigSchema: z.ZodObject<{
+    enabled: z.ZodDefault<z.ZodBoolean>;
+    groupByApp: z.ZodDefault<z.ZodBoolean>;
+    showDescriptions: z.ZodDefault<z.ZodBoolean>;
+    allowSelectAll: z.ZodDefault<z.ZodBoolean>;
+    requireSelection: z.ZodDefault<z.ZodBoolean>;
+    customMessage: z.ZodOptional<z.ZodString>;
+    rememberConsent: z.ZodDefault<z.ZodBoolean>;
+    excludedTools: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    defaultSelectedTools: z.ZodOptional<z.ZodArray<z.ZodString>>;
+}, z.core.$strip>;
+/**
+ * Progressive/Incremental authorization configuration
+ * Allows users to authorize apps one at a time after initial auth
+ */
+export declare const incrementalAuthConfigSchema: z.ZodObject<{
+    enabled: z.ZodDefault<z.ZodBoolean>;
+    skippedAppBehavior: z.ZodDefault<z.ZodEnum<{
+        anonymous: "anonymous";
+        "require-auth": "require-auth";
+    }>>;
+    allowSkip: z.ZodDefault<z.ZodBoolean>;
+    showAllAppsAtOnce: z.ZodDefault<z.ZodBoolean>;
+}, z.core.$strip>;
+/**
+ * Transport protocol configuration
+ * Controls which transport protocols are enabled and their behavior
+ */
+export declare const transportConfigSchema: z.ZodObject<{
+    enableLegacySSE: z.ZodDefault<z.ZodBoolean>;
+    enableSseListener: z.ZodDefault<z.ZodBoolean>;
+    enableStreamableHttp: z.ZodDefault<z.ZodBoolean>;
+    enableStatelessHttp: z.ZodDefault<z.ZodBoolean>;
+    enableStatefulHttp: z.ZodDefault<z.ZodBoolean>;
+    requireSessionForStreamable: z.ZodDefault<z.ZodBoolean>;
+}, z.core.$strip>;
+export declare const publicAuthOptionsSchema: z.ZodObject<{
+    mode: z.ZodLiteral<"public">;
+    issuer: z.ZodOptional<z.ZodString>;
+    sessionTtl: z.ZodDefault<z.ZodNumber>;
+    anonymousScopes: z.ZodDefault<z.ZodArray<z.ZodString>>;
+    publicAccess: z.ZodOptional<z.ZodObject<{
+        tools: z.ZodDefault<z.ZodUnion<readonly [z.ZodLiteral<"all">, z.ZodArray<z.ZodString>]>>;
+        prompts: z.ZodDefault<z.ZodUnion<readonly [z.ZodLiteral<"all">, z.ZodArray<z.ZodString>]>>;
+        rateLimit: z.ZodDefault<z.ZodNumber>;
+    }, z.core.$strip>>;
     jwks: z.ZodOptional<z.ZodObject<{
-        keys: z.ZodArray<z.ZodType<JWK, z.ZodTypeDef, JWK>, "many">;
-    }, "strip", z.ZodTypeAny, {
-        keys: JWK[];
-    }, {
-        keys: JWK[];
+        keys: z.ZodArray<z.ZodType<JWK, unknown, z.core.$ZodTypeInternals<JWK, unknown>>>;
+    }, z.core.$strip>>;
+    signKey: z.ZodOptional<z.ZodUnion<[z.ZodType<JWK, unknown, z.core.$ZodTypeInternals<JWK, unknown>>, z.ZodCustom<Uint8Array<ArrayBuffer>, Uint8Array<ArrayBuffer>>]>>;
+    transport: z.ZodOptional<z.ZodObject<{
+        enableLegacySSE: z.ZodDefault<z.ZodBoolean>;
+        enableSseListener: z.ZodDefault<z.ZodBoolean>;
+        enableStreamableHttp: z.ZodDefault<z.ZodBoolean>;
+        enableStatelessHttp: z.ZodDefault<z.ZodBoolean>;
+        enableStatefulHttp: z.ZodDefault<z.ZodBoolean>;
+        requireSessionForStreamable: z.ZodDefault<z.ZodBoolean>;
+    }, z.core.$strip>>;
+}, z.core.$strip>;
+export declare const transparentAuthOptionsSchema: z.ZodObject<{
+    mode: z.ZodLiteral<"transparent">;
+    remote: z.ZodObject<{
+        provider: z.ZodString;
+        name: z.ZodOptional<z.ZodString>;
+        id: z.ZodOptional<z.ZodString>;
+        jwks: z.ZodOptional<z.ZodObject<{
+            keys: z.ZodArray<z.ZodType<JWK, unknown, z.core.$ZodTypeInternals<JWK, unknown>>>;
+        }, z.core.$strip>>;
+        jwksUri: z.ZodOptional<z.ZodString>;
+        clientId: z.ZodOptional<z.ZodString>;
+        clientSecret: z.ZodOptional<z.ZodString>;
+        scopes: z.ZodOptional<z.ZodArray<z.ZodString>>;
+        dcrEnabled: z.ZodDefault<z.ZodBoolean>;
+        authEndpoint: z.ZodOptional<z.ZodString>;
+        tokenEndpoint: z.ZodOptional<z.ZodString>;
+        registrationEndpoint: z.ZodOptional<z.ZodString>;
+        userInfoEndpoint: z.ZodOptional<z.ZodString>;
+    }, z.core.$strip>;
+    expectedAudience: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodArray<z.ZodString>]>>;
+    requiredScopes: z.ZodDefault<z.ZodArray<z.ZodString>>;
+    allowAnonymous: z.ZodDefault<z.ZodBoolean>;
+    anonymousScopes: z.ZodDefault<z.ZodArray<z.ZodString>>;
+    publicAccess: z.ZodOptional<z.ZodObject<{
+        tools: z.ZodDefault<z.ZodUnion<readonly [z.ZodLiteral<"all">, z.ZodArray<z.ZodString>]>>;
+        prompts: z.ZodDefault<z.ZodUnion<readonly [z.ZodLiteral<"all">, z.ZodArray<z.ZodString>]>>;
+        rateLimit: z.ZodDefault<z.ZodNumber>;
+    }, z.core.$strip>>;
+    transport: z.ZodOptional<z.ZodObject<{
+        enableLegacySSE: z.ZodDefault<z.ZodBoolean>;
+        enableSseListener: z.ZodDefault<z.ZodBoolean>;
+        enableStreamableHttp: z.ZodDefault<z.ZodBoolean>;
+        enableStatelessHttp: z.ZodDefault<z.ZodBoolean>;
+        enableStatefulHttp: z.ZodDefault<z.ZodBoolean>;
+        requireSessionForStreamable: z.ZodDefault<z.ZodBoolean>;
+    }, z.core.$strip>>;
+}, z.core.$strip>;
+/**
+ * Orchestrated mode with local authentication only
+ */
+export declare const orchestratedLocalSchema: z.ZodObject<{
+    mode: z.ZodLiteral<"orchestrated">;
+    type: z.ZodLiteral<"local">;
+    local: z.ZodOptional<z.ZodObject<{
+        signKey: z.ZodOptional<z.ZodUnion<[z.ZodType<JWK, unknown, z.core.$ZodTypeInternals<JWK, unknown>>, z.ZodCustom<Uint8Array<ArrayBuffer>, Uint8Array<ArrayBuffer>>]>>;
+        jwks: z.ZodOptional<z.ZodObject<{
+            keys: z.ZodArray<z.ZodType<JWK, unknown, z.core.$ZodTypeInternals<JWK, unknown>>>;
+        }, z.core.$strip>>;
+        issuer: z.ZodOptional<z.ZodString>;
+    }, z.core.$strip>>;
+    tokenStorage: z.ZodDefault<z.ZodDiscriminatedUnion<[z.ZodObject<{
+        type: z.ZodLiteral<"memory">;
+    }, z.core.$strip>, z.ZodObject<{
+        type: z.ZodLiteral<"redis">;
+        config: z.ZodObject<{
+            host: z.ZodString;
+            port: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
+            password: z.ZodOptional<z.ZodString>;
+            db: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
+            tls: z.ZodDefault<z.ZodOptional<z.ZodBoolean>>;
+            keyPrefix: z.ZodDefault<z.ZodOptional<z.ZodString>>;
+        }, z.core.$strip>;
+    }, z.core.$strip>], "type">>;
+    sessionMode: z.ZodDefault<z.ZodEnum<{
+        stateful: "stateful";
+        stateless: "stateless";
     }>>;
-    signKey: z.ZodOptional<z.ZodUnion<[z.ZodType<JWK, z.ZodTypeDef, JWK>, z.ZodType<Uint8Array<ArrayBuffer>, z.ZodTypeDef, Uint8Array<ArrayBuffer>>]>>;
-}, "strip", z.ZodTypeAny, {
-    type: "local";
-    id: string;
-    name: string;
-    allowAnonymous?: boolean | undefined;
-    consent?: boolean | undefined;
-    scopes?: string[] | undefined;
-    grantTypes?: ("authorization_code" | "refresh_token")[] | undefined;
-    jwks?: {
-        keys: JWK[];
-    } | undefined;
-    signKey?: JWK | Uint8Array<ArrayBuffer> | undefined;
-}, {
-    type: "local";
-    id: string;
-    name: string;
-    allowAnonymous?: boolean | undefined;
-    consent?: boolean | undefined;
-    scopes?: string[] | undefined;
-    grantTypes?: ("authorization_code" | "refresh_token")[] | undefined;
-    jwks?: {
-        keys: JWK[];
-    } | undefined;
-    signKey?: JWK | Uint8Array<ArrayBuffer> | undefined;
-}>;
-export declare const authOptionsSchema: z.ZodDiscriminatedUnion<"type", [z.ZodObject<{
+    allowDefaultPublic: z.ZodDefault<z.ZodBoolean>;
+    anonymousScopes: z.ZodDefault<z.ZodArray<z.ZodString>>;
+    publicAccess: z.ZodOptional<z.ZodObject<{
+        tools: z.ZodDefault<z.ZodUnion<readonly [z.ZodLiteral<"all">, z.ZodArray<z.ZodString>]>>;
+        prompts: z.ZodDefault<z.ZodUnion<readonly [z.ZodLiteral<"all">, z.ZodArray<z.ZodString>]>>;
+        rateLimit: z.ZodDefault<z.ZodNumber>;
+    }, z.core.$strip>>;
+    consent: z.ZodOptional<z.ZodObject<{
+        enabled: z.ZodDefault<z.ZodBoolean>;
+        groupByApp: z.ZodDefault<z.ZodBoolean>;
+        showDescriptions: z.ZodDefault<z.ZodBoolean>;
+        allowSelectAll: z.ZodDefault<z.ZodBoolean>;
+        requireSelection: z.ZodDefault<z.ZodBoolean>;
+        customMessage: z.ZodOptional<z.ZodString>;
+        rememberConsent: z.ZodDefault<z.ZodBoolean>;
+        excludedTools: z.ZodOptional<z.ZodArray<z.ZodString>>;
+        defaultSelectedTools: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    }, z.core.$strip>>;
+    refresh: z.ZodOptional<z.ZodObject<{
+        enabled: z.ZodDefault<z.ZodBoolean>;
+        skewSeconds: z.ZodDefault<z.ZodNumber>;
+    }, z.core.$strip>>;
+    expectedAudience: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodArray<z.ZodString>]>>;
+    incrementalAuth: z.ZodOptional<z.ZodObject<{
+        enabled: z.ZodDefault<z.ZodBoolean>;
+        skippedAppBehavior: z.ZodDefault<z.ZodEnum<{
+            anonymous: "anonymous";
+            "require-auth": "require-auth";
+        }>>;
+        allowSkip: z.ZodDefault<z.ZodBoolean>;
+        showAllAppsAtOnce: z.ZodDefault<z.ZodBoolean>;
+    }, z.core.$strip>>;
+    transport: z.ZodOptional<z.ZodObject<{
+        enableLegacySSE: z.ZodDefault<z.ZodBoolean>;
+        enableSseListener: z.ZodDefault<z.ZodBoolean>;
+        enableStreamableHttp: z.ZodDefault<z.ZodBoolean>;
+        enableStatelessHttp: z.ZodDefault<z.ZodBoolean>;
+        enableStatefulHttp: z.ZodDefault<z.ZodBoolean>;
+        requireSessionForStreamable: z.ZodDefault<z.ZodBoolean>;
+    }, z.core.$strip>>;
+}, z.core.$strip>;
+/**
+ * Orchestrated mode with remote OAuth provider
+ */
+export declare const orchestratedRemoteSchema: z.ZodObject<{
+    mode: z.ZodLiteral<"orchestrated">;
     type: z.ZodLiteral<"remote">;
-    id: z.ZodOptional<z.ZodString>;
-    name: z.ZodString;
-    baseUrl: z.ZodString;
-    dcrEnabled: z.ZodOptional<z.ZodBoolean>;
-    clientId: z.ZodOptional<z.ZodUnion<[z.ZodString, z.ZodFunction<z.ZodTuple<[z.ZodObject<{
-        clientId: z.ZodString;
-    }, "strip", z.ZodTypeAny, {
-        clientId: string;
-    }, {
-        clientId: string;
-    }>], z.ZodUnknown>, z.ZodString>]>>;
-    mode: z.ZodOptional<z.ZodUnion<[z.ZodLiteral<"orchestrated">, z.ZodLiteral<"transparent">]>>;
-    allowAnonymous: z.ZodOptional<z.ZodBoolean>;
-    consent: z.ZodOptional<z.ZodBoolean>;
-    jwks: z.ZodOptional<z.ZodObject<{
-        keys: z.ZodArray<z.ZodType<JWK, z.ZodTypeDef, JWK>, "many">;
-    }, "strip", z.ZodTypeAny, {
-        keys: JWK[];
-    }, {
-        keys: JWK[];
+    remote: z.ZodObject<{
+        provider: z.ZodString;
+        name: z.ZodOptional<z.ZodString>;
+        id: z.ZodOptional<z.ZodString>;
+        jwks: z.ZodOptional<z.ZodObject<{
+            keys: z.ZodArray<z.ZodType<JWK, unknown, z.core.$ZodTypeInternals<JWK, unknown>>>;
+        }, z.core.$strip>>;
+        jwksUri: z.ZodOptional<z.ZodString>;
+        clientId: z.ZodOptional<z.ZodString>;
+        clientSecret: z.ZodOptional<z.ZodString>;
+        scopes: z.ZodOptional<z.ZodArray<z.ZodString>>;
+        dcrEnabled: z.ZodDefault<z.ZodBoolean>;
+        authEndpoint: z.ZodOptional<z.ZodString>;
+        tokenEndpoint: z.ZodOptional<z.ZodString>;
+        registrationEndpoint: z.ZodOptional<z.ZodString>;
+        userInfoEndpoint: z.ZodOptional<z.ZodString>;
+    }, z.core.$strip>;
+    local: z.ZodOptional<z.ZodObject<{
+        signKey: z.ZodOptional<z.ZodUnion<[z.ZodType<JWK, unknown, z.core.$ZodTypeInternals<JWK, unknown>>, z.ZodCustom<Uint8Array<ArrayBuffer>, Uint8Array<ArrayBuffer>>]>>;
+        jwks: z.ZodOptional<z.ZodObject<{
+            keys: z.ZodArray<z.ZodType<JWK, unknown, z.core.$ZodTypeInternals<JWK, unknown>>>;
+        }, z.core.$strip>>;
+        issuer: z.ZodOptional<z.ZodString>;
+    }, z.core.$strip>>;
+    tokenStorage: z.ZodDefault<z.ZodDiscriminatedUnion<[z.ZodObject<{
+        type: z.ZodLiteral<"memory">;
+    }, z.core.$strip>, z.ZodObject<{
+        type: z.ZodLiteral<"redis">;
+        config: z.ZodObject<{
+            host: z.ZodString;
+            port: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
+            password: z.ZodOptional<z.ZodString>;
+            db: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
+            tls: z.ZodDefault<z.ZodOptional<z.ZodBoolean>>;
+            keyPrefix: z.ZodDefault<z.ZodOptional<z.ZodString>>;
+        }, z.core.$strip>;
+    }, z.core.$strip>], "type">>;
+    sessionMode: z.ZodDefault<z.ZodEnum<{
+        stateful: "stateful";
+        stateless: "stateless";
     }>>;
-    scopes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
-    grantTypes: z.ZodOptional<z.ZodArray<z.ZodUnion<[z.ZodLiteral<"authorization_code">, z.ZodLiteral<"refresh_token">]>, "many">>;
-    authEndpoint: z.ZodOptional<z.ZodString>;
-    tokenEndpoint: z.ZodOptional<z.ZodString>;
-    registrationEndpoint: z.ZodOptional<z.ZodString>;
-    userInfoEndpoint: z.ZodOptional<z.ZodString>;
-    jwksUri: z.ZodOptional<z.ZodString>;
-}, "strip", z.ZodTypeAny, {
-    type: "remote";
-    name: string;
-    baseUrl: string;
-    id?: string | undefined;
-    dcrEnabled?: boolean | undefined;
-    clientId?: string | ((args_0: {
-        clientId: string;
-    }, ...args: unknown[]) => string) | undefined;
-    mode?: "orchestrated" | "transparent" | undefined;
-    allowAnonymous?: boolean | undefined;
-    consent?: boolean | undefined;
-    scopes?: string[] | undefined;
-    grantTypes?: ("authorization_code" | "refresh_token")[] | undefined;
-    authEndpoint?: string | undefined;
-    tokenEndpoint?: string | undefined;
-    registrationEndpoint?: string | undefined;
-    userInfoEndpoint?: string | undefined;
-    jwks?: {
-        keys: JWK[];
-    } | undefined;
-    jwksUri?: string | undefined;
-}, {
-    type: "remote";
-    name: string;
-    baseUrl: string;
-    id?: string | undefined;
-    dcrEnabled?: boolean | undefined;
-    clientId?: string | ((args_0: {
-        clientId: string;
-    }, ...args: unknown[]) => string) | undefined;
-    mode?: "orchestrated" | "transparent" | undefined;
-    allowAnonymous?: boolean | undefined;
-    consent?: boolean | undefined;
-    scopes?: string[] | undefined;
-    grantTypes?: ("authorization_code" | "refresh_token")[] | undefined;
-    authEndpoint?: string | undefined;
-    tokenEndpoint?: string | undefined;
-    registrationEndpoint?: string | undefined;
-    userInfoEndpoint?: string | undefined;
-    jwks?: {
-        keys: JWK[];
-    } | undefined;
-    jwksUri?: string | undefined;
-}>, z.ZodObject<{
+    allowDefaultPublic: z.ZodDefault<z.ZodBoolean>;
+    anonymousScopes: z.ZodDefault<z.ZodArray<z.ZodString>>;
+    publicAccess: z.ZodOptional<z.ZodObject<{
+        tools: z.ZodDefault<z.ZodUnion<readonly [z.ZodLiteral<"all">, z.ZodArray<z.ZodString>]>>;
+        prompts: z.ZodDefault<z.ZodUnion<readonly [z.ZodLiteral<"all">, z.ZodArray<z.ZodString>]>>;
+        rateLimit: z.ZodDefault<z.ZodNumber>;
+    }, z.core.$strip>>;
+    consent: z.ZodOptional<z.ZodObject<{
+        enabled: z.ZodDefault<z.ZodBoolean>;
+        groupByApp: z.ZodDefault<z.ZodBoolean>;
+        showDescriptions: z.ZodDefault<z.ZodBoolean>;
+        allowSelectAll: z.ZodDefault<z.ZodBoolean>;
+        requireSelection: z.ZodDefault<z.ZodBoolean>;
+        customMessage: z.ZodOptional<z.ZodString>;
+        rememberConsent: z.ZodDefault<z.ZodBoolean>;
+        excludedTools: z.ZodOptional<z.ZodArray<z.ZodString>>;
+        defaultSelectedTools: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    }, z.core.$strip>>;
+    refresh: z.ZodOptional<z.ZodObject<{
+        enabled: z.ZodDefault<z.ZodBoolean>;
+        skewSeconds: z.ZodDefault<z.ZodNumber>;
+    }, z.core.$strip>>;
+    expectedAudience: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodArray<z.ZodString>]>>;
+    incrementalAuth: z.ZodOptional<z.ZodObject<{
+        enabled: z.ZodDefault<z.ZodBoolean>;
+        skippedAppBehavior: z.ZodDefault<z.ZodEnum<{
+            anonymous: "anonymous";
+            "require-auth": "require-auth";
+        }>>;
+        allowSkip: z.ZodDefault<z.ZodBoolean>;
+        showAllAppsAtOnce: z.ZodDefault<z.ZodBoolean>;
+    }, z.core.$strip>>;
+    transport: z.ZodOptional<z.ZodObject<{
+        enableLegacySSE: z.ZodDefault<z.ZodBoolean>;
+        enableSseListener: z.ZodDefault<z.ZodBoolean>;
+        enableStreamableHttp: z.ZodDefault<z.ZodBoolean>;
+        enableStatelessHttp: z.ZodDefault<z.ZodBoolean>;
+        enableStatefulHttp: z.ZodDefault<z.ZodBoolean>;
+        requireSessionForStreamable: z.ZodDefault<z.ZodBoolean>;
+    }, z.core.$strip>>;
+}, z.core.$strip>;
+export declare const orchestratedAuthOptionsSchema: z.ZodDiscriminatedUnion<[z.ZodObject<{
+    mode: z.ZodLiteral<"orchestrated">;
     type: z.ZodLiteral<"local">;
-    id: z.ZodString;
-    name: z.ZodString;
-    scopes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
-    grantTypes: z.ZodOptional<z.ZodArray<z.ZodUnion<[z.ZodLiteral<"authorization_code">, z.ZodLiteral<"refresh_token">]>, "many">>;
-    allowAnonymous: z.ZodOptional<z.ZodBoolean>;
-    consent: z.ZodOptional<z.ZodBoolean>;
-    jwks: z.ZodOptional<z.ZodObject<{
-        keys: z.ZodArray<z.ZodType<JWK, z.ZodTypeDef, JWK>, "many">;
-    }, "strip", z.ZodTypeAny, {
-        keys: JWK[];
-    }, {
-        keys: JWK[];
+    local: z.ZodOptional<z.ZodObject<{
+        signKey: z.ZodOptional<z.ZodUnion<[z.ZodType<JWK, unknown, z.core.$ZodTypeInternals<JWK, unknown>>, z.ZodCustom<Uint8Array<ArrayBuffer>, Uint8Array<ArrayBuffer>>]>>;
+        jwks: z.ZodOptional<z.ZodObject<{
+            keys: z.ZodArray<z.ZodType<JWK, unknown, z.core.$ZodTypeInternals<JWK, unknown>>>;
+        }, z.core.$strip>>;
+        issuer: z.ZodOptional<z.ZodString>;
+    }, z.core.$strip>>;
+    tokenStorage: z.ZodDefault<z.ZodDiscriminatedUnion<[z.ZodObject<{
+        type: z.ZodLiteral<"memory">;
+    }, z.core.$strip>, z.ZodObject<{
+        type: z.ZodLiteral<"redis">;
+        config: z.ZodObject<{
+            host: z.ZodString;
+            port: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
+            password: z.ZodOptional<z.ZodString>;
+            db: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
+            tls: z.ZodDefault<z.ZodOptional<z.ZodBoolean>>;
+            keyPrefix: z.ZodDefault<z.ZodOptional<z.ZodString>>;
+        }, z.core.$strip>;
+    }, z.core.$strip>], "type">>;
+    sessionMode: z.ZodDefault<z.ZodEnum<{
+        stateful: "stateful";
+        stateless: "stateless";
     }>>;
-    signKey: z.ZodOptional<z.ZodUnion<[z.ZodType<JWK, z.ZodTypeDef, JWK>, z.ZodType<Uint8Array<ArrayBuffer>, z.ZodTypeDef, Uint8Array<ArrayBuffer>>]>>;
-}, "strip", z.ZodTypeAny, {
-    type: "local";
-    id: string;
-    name: string;
-    allowAnonymous?: boolean | undefined;
-    consent?: boolean | undefined;
-    scopes?: string[] | undefined;
-    grantTypes?: ("authorization_code" | "refresh_token")[] | undefined;
-    jwks?: {
-        keys: JWK[];
-    } | undefined;
-    signKey?: JWK | Uint8Array<ArrayBuffer> | undefined;
-}, {
-    type: "local";
-    id: string;
-    name: string;
-    allowAnonymous?: boolean | undefined;
-    consent?: boolean | undefined;
-    scopes?: string[] | undefined;
-    grantTypes?: ("authorization_code" | "refresh_token")[] | undefined;
-    jwks?: {
-        keys: JWK[];
-    } | undefined;
-    signKey?: JWK | Uint8Array<ArrayBuffer> | undefined;
-}>]>;
-export type AuthOptions = RemoteAuthOptions | LocalAuthOptions;
-type StandaloneOption = {
-    /**
-     * if the provider is standalone or not, if standalone it will register an oauth service provider
-     * on app's entry path, if not standalone it will be registered as a child provider
-     * under the root provider
-     * @default false
-     */
-    standalone?: boolean;
-    /**
-     * if the provider should be excluded from the parent provider's discovery
-     * this used for standalone providers
-     * @default false
-     */
-    excludeFromParent?: boolean;
-};
-export declare const appAuthOptionsSchema: z.ZodDiscriminatedUnion<"type", [z.ZodObject<{
+    allowDefaultPublic: z.ZodDefault<z.ZodBoolean>;
+    anonymousScopes: z.ZodDefault<z.ZodArray<z.ZodString>>;
+    publicAccess: z.ZodOptional<z.ZodObject<{
+        tools: z.ZodDefault<z.ZodUnion<readonly [z.ZodLiteral<"all">, z.ZodArray<z.ZodString>]>>;
+        prompts: z.ZodDefault<z.ZodUnion<readonly [z.ZodLiteral<"all">, z.ZodArray<z.ZodString>]>>;
+        rateLimit: z.ZodDefault<z.ZodNumber>;
+    }, z.core.$strip>>;
+    consent: z.ZodOptional<z.ZodObject<{
+        enabled: z.ZodDefault<z.ZodBoolean>;
+        groupByApp: z.ZodDefault<z.ZodBoolean>;
+        showDescriptions: z.ZodDefault<z.ZodBoolean>;
+        allowSelectAll: z.ZodDefault<z.ZodBoolean>;
+        requireSelection: z.ZodDefault<z.ZodBoolean>;
+        customMessage: z.ZodOptional<z.ZodString>;
+        rememberConsent: z.ZodDefault<z.ZodBoolean>;
+        excludedTools: z.ZodOptional<z.ZodArray<z.ZodString>>;
+        defaultSelectedTools: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    }, z.core.$strip>>;
+    refresh: z.ZodOptional<z.ZodObject<{
+        enabled: z.ZodDefault<z.ZodBoolean>;
+        skewSeconds: z.ZodDefault<z.ZodNumber>;
+    }, z.core.$strip>>;
+    expectedAudience: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodArray<z.ZodString>]>>;
+    incrementalAuth: z.ZodOptional<z.ZodObject<{
+        enabled: z.ZodDefault<z.ZodBoolean>;
+        skippedAppBehavior: z.ZodDefault<z.ZodEnum<{
+            anonymous: "anonymous";
+            "require-auth": "require-auth";
+        }>>;
+        allowSkip: z.ZodDefault<z.ZodBoolean>;
+        showAllAppsAtOnce: z.ZodDefault<z.ZodBoolean>;
+    }, z.core.$strip>>;
+    transport: z.ZodOptional<z.ZodObject<{
+        enableLegacySSE: z.ZodDefault<z.ZodBoolean>;
+        enableSseListener: z.ZodDefault<z.ZodBoolean>;
+        enableStreamableHttp: z.ZodDefault<z.ZodBoolean>;
+        enableStatelessHttp: z.ZodDefault<z.ZodBoolean>;
+        enableStatefulHttp: z.ZodDefault<z.ZodBoolean>;
+        requireSessionForStreamable: z.ZodDefault<z.ZodBoolean>;
+    }, z.core.$strip>>;
+}, z.core.$strip>, z.ZodObject<{
+    mode: z.ZodLiteral<"orchestrated">;
     type: z.ZodLiteral<"remote">;
-    id: z.ZodOptional<z.ZodString>;
-    name: z.ZodString;
-    baseUrl: z.ZodString;
-    dcrEnabled: z.ZodOptional<z.ZodBoolean>;
-    clientId: z.ZodOptional<z.ZodUnion<[z.ZodString, z.ZodFunction<z.ZodTuple<[z.ZodObject<{
-        clientId: z.ZodString;
-    }, "strip", z.ZodTypeAny, {
-        clientId: string;
-    }, {
-        clientId: string;
-    }>], z.ZodUnknown>, z.ZodString>]>>;
-    mode: z.ZodOptional<z.ZodUnion<[z.ZodLiteral<"orchestrated">, z.ZodLiteral<"transparent">]>>;
-    allowAnonymous: z.ZodOptional<z.ZodBoolean>;
-    consent: z.ZodOptional<z.ZodBoolean>;
+    remote: z.ZodObject<{
+        provider: z.ZodString;
+        name: z.ZodOptional<z.ZodString>;
+        id: z.ZodOptional<z.ZodString>;
+        jwks: z.ZodOptional<z.ZodObject<{
+            keys: z.ZodArray<z.ZodType<JWK, unknown, z.core.$ZodTypeInternals<JWK, unknown>>>;
+        }, z.core.$strip>>;
+        jwksUri: z.ZodOptional<z.ZodString>;
+        clientId: z.ZodOptional<z.ZodString>;
+        clientSecret: z.ZodOptional<z.ZodString>;
+        scopes: z.ZodOptional<z.ZodArray<z.ZodString>>;
+        dcrEnabled: z.ZodDefault<z.ZodBoolean>;
+        authEndpoint: z.ZodOptional<z.ZodString>;
+        tokenEndpoint: z.ZodOptional<z.ZodString>;
+        registrationEndpoint: z.ZodOptional<z.ZodString>;
+        userInfoEndpoint: z.ZodOptional<z.ZodString>;
+    }, z.core.$strip>;
+    local: z.ZodOptional<z.ZodObject<{
+        signKey: z.ZodOptional<z.ZodUnion<[z.ZodType<JWK, unknown, z.core.$ZodTypeInternals<JWK, unknown>>, z.ZodCustom<Uint8Array<ArrayBuffer>, Uint8Array<ArrayBuffer>>]>>;
+        jwks: z.ZodOptional<z.ZodObject<{
+            keys: z.ZodArray<z.ZodType<JWK, unknown, z.core.$ZodTypeInternals<JWK, unknown>>>;
+        }, z.core.$strip>>;
+        issuer: z.ZodOptional<z.ZodString>;
+    }, z.core.$strip>>;
+    tokenStorage: z.ZodDefault<z.ZodDiscriminatedUnion<[z.ZodObject<{
+        type: z.ZodLiteral<"memory">;
+    }, z.core.$strip>, z.ZodObject<{
+        type: z.ZodLiteral<"redis">;
+        config: z.ZodObject<{
+            host: z.ZodString;
+            port: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
+            password: z.ZodOptional<z.ZodString>;
+            db: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
+            tls: z.ZodDefault<z.ZodOptional<z.ZodBoolean>>;
+            keyPrefix: z.ZodDefault<z.ZodOptional<z.ZodString>>;
+        }, z.core.$strip>;
+    }, z.core.$strip>], "type">>;
+    sessionMode: z.ZodDefault<z.ZodEnum<{
+        stateful: "stateful";
+        stateless: "stateless";
+    }>>;
+    allowDefaultPublic: z.ZodDefault<z.ZodBoolean>;
+    anonymousScopes: z.ZodDefault<z.ZodArray<z.ZodString>>;
+    publicAccess: z.ZodOptional<z.ZodObject<{
+        tools: z.ZodDefault<z.ZodUnion<readonly [z.ZodLiteral<"all">, z.ZodArray<z.ZodString>]>>;
+        prompts: z.ZodDefault<z.ZodUnion<readonly [z.ZodLiteral<"all">, z.ZodArray<z.ZodString>]>>;
+        rateLimit: z.ZodDefault<z.ZodNumber>;
+    }, z.core.$strip>>;
+    consent: z.ZodOptional<z.ZodObject<{
+        enabled: z.ZodDefault<z.ZodBoolean>;
+        groupByApp: z.ZodDefault<z.ZodBoolean>;
+        showDescriptions: z.ZodDefault<z.ZodBoolean>;
+        allowSelectAll: z.ZodDefault<z.ZodBoolean>;
+        requireSelection: z.ZodDefault<z.ZodBoolean>;
+        customMessage: z.ZodOptional<z.ZodString>;
+        rememberConsent: z.ZodDefault<z.ZodBoolean>;
+        excludedTools: z.ZodOptional<z.ZodArray<z.ZodString>>;
+        defaultSelectedTools: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    }, z.core.$strip>>;
+    refresh: z.ZodOptional<z.ZodObject<{
+        enabled: z.ZodDefault<z.ZodBoolean>;
+        skewSeconds: z.ZodDefault<z.ZodNumber>;
+    }, z.core.$strip>>;
+    expectedAudience: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodArray<z.ZodString>]>>;
+    incrementalAuth: z.ZodOptional<z.ZodObject<{
+        enabled: z.ZodDefault<z.ZodBoolean>;
+        skippedAppBehavior: z.ZodDefault<z.ZodEnum<{
+            anonymous: "anonymous";
+            "require-auth": "require-auth";
+        }>>;
+        allowSkip: z.ZodDefault<z.ZodBoolean>;
+        showAllAppsAtOnce: z.ZodDefault<z.ZodBoolean>;
+    }, z.core.$strip>>;
+    transport: z.ZodOptional<z.ZodObject<{
+        enableLegacySSE: z.ZodDefault<z.ZodBoolean>;
+        enableSseListener: z.ZodDefault<z.ZodBoolean>;
+        enableStreamableHttp: z.ZodDefault<z.ZodBoolean>;
+        enableStatelessHttp: z.ZodDefault<z.ZodBoolean>;
+        enableStatefulHttp: z.ZodDefault<z.ZodBoolean>;
+        requireSessionForStreamable: z.ZodDefault<z.ZodBoolean>;
+    }, z.core.$strip>>;
+}, z.core.$strip>], "type">;
+/**
+ * Main auth options schema - discriminated by 'mode'
+ *
+ * Uses z.union because we have nested discriminators (orchestrated has 'type')
+ */
+export declare const authOptionsSchema: z.ZodUnion<readonly [z.ZodObject<{
+    mode: z.ZodLiteral<"public">;
+    issuer: z.ZodOptional<z.ZodString>;
+    sessionTtl: z.ZodDefault<z.ZodNumber>;
+    anonymousScopes: z.ZodDefault<z.ZodArray<z.ZodString>>;
+    publicAccess: z.ZodOptional<z.ZodObject<{
+        tools: z.ZodDefault<z.ZodUnion<readonly [z.ZodLiteral<"all">, z.ZodArray<z.ZodString>]>>;
+        prompts: z.ZodDefault<z.ZodUnion<readonly [z.ZodLiteral<"all">, z.ZodArray<z.ZodString>]>>;
+        rateLimit: z.ZodDefault<z.ZodNumber>;
+    }, z.core.$strip>>;
     jwks: z.ZodOptional<z.ZodObject<{
-        keys: z.ZodArray<z.ZodType<JWK, z.ZodTypeDef, JWK>, "many">;
-    }, "strip", z.ZodTypeAny, {
-        keys: JWK[];
-    }, {
-        keys: JWK[];
+        keys: z.ZodArray<z.ZodType<JWK, unknown, z.core.$ZodTypeInternals<JWK, unknown>>>;
+    }, z.core.$strip>>;
+    signKey: z.ZodOptional<z.ZodUnion<[z.ZodType<JWK, unknown, z.core.$ZodTypeInternals<JWK, unknown>>, z.ZodCustom<Uint8Array<ArrayBuffer>, Uint8Array<ArrayBuffer>>]>>;
+    transport: z.ZodOptional<z.ZodObject<{
+        enableLegacySSE: z.ZodDefault<z.ZodBoolean>;
+        enableSseListener: z.ZodDefault<z.ZodBoolean>;
+        enableStreamableHttp: z.ZodDefault<z.ZodBoolean>;
+        enableStatelessHttp: z.ZodDefault<z.ZodBoolean>;
+        enableStatefulHttp: z.ZodDefault<z.ZodBoolean>;
+        requireSessionForStreamable: z.ZodDefault<z.ZodBoolean>;
+    }, z.core.$strip>>;
+}, z.core.$strip>, z.ZodObject<{
+    mode: z.ZodLiteral<"transparent">;
+    remote: z.ZodObject<{
+        provider: z.ZodString;
+        name: z.ZodOptional<z.ZodString>;
+        id: z.ZodOptional<z.ZodString>;
+        jwks: z.ZodOptional<z.ZodObject<{
+            keys: z.ZodArray<z.ZodType<JWK, unknown, z.core.$ZodTypeInternals<JWK, unknown>>>;
+        }, z.core.$strip>>;
+        jwksUri: z.ZodOptional<z.ZodString>;
+        clientId: z.ZodOptional<z.ZodString>;
+        clientSecret: z.ZodOptional<z.ZodString>;
+        scopes: z.ZodOptional<z.ZodArray<z.ZodString>>;
+        dcrEnabled: z.ZodDefault<z.ZodBoolean>;
+        authEndpoint: z.ZodOptional<z.ZodString>;
+        tokenEndpoint: z.ZodOptional<z.ZodString>;
+        registrationEndpoint: z.ZodOptional<z.ZodString>;
+        userInfoEndpoint: z.ZodOptional<z.ZodString>;
+    }, z.core.$strip>;
+    expectedAudience: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodArray<z.ZodString>]>>;
+    requiredScopes: z.ZodDefault<z.ZodArray<z.ZodString>>;
+    allowAnonymous: z.ZodDefault<z.ZodBoolean>;
+    anonymousScopes: z.ZodDefault<z.ZodArray<z.ZodString>>;
+    publicAccess: z.ZodOptional<z.ZodObject<{
+        tools: z.ZodDefault<z.ZodUnion<readonly [z.ZodLiteral<"all">, z.ZodArray<z.ZodString>]>>;
+        prompts: z.ZodDefault<z.ZodUnion<readonly [z.ZodLiteral<"all">, z.ZodArray<z.ZodString>]>>;
+        rateLimit: z.ZodDefault<z.ZodNumber>;
+    }, z.core.$strip>>;
+    transport: z.ZodOptional<z.ZodObject<{
+        enableLegacySSE: z.ZodDefault<z.ZodBoolean>;
+        enableSseListener: z.ZodDefault<z.ZodBoolean>;
+        enableStreamableHttp: z.ZodDefault<z.ZodBoolean>;
+        enableStatelessHttp: z.ZodDefault<z.ZodBoolean>;
+        enableStatefulHttp: z.ZodDefault<z.ZodBoolean>;
+        requireSessionForStreamable: z.ZodDefault<z.ZodBoolean>;
+    }, z.core.$strip>>;
+}, z.core.$strip>, z.ZodObject<{
+    mode: z.ZodLiteral<"orchestrated">;
+    type: z.ZodLiteral<"local">;
+    local: z.ZodOptional<z.ZodObject<{
+        signKey: z.ZodOptional<z.ZodUnion<[z.ZodType<JWK, unknown, z.core.$ZodTypeInternals<JWK, unknown>>, z.ZodCustom<Uint8Array<ArrayBuffer>, Uint8Array<ArrayBuffer>>]>>;
+        jwks: z.ZodOptional<z.ZodObject<{
+            keys: z.ZodArray<z.ZodType<JWK, unknown, z.core.$ZodTypeInternals<JWK, unknown>>>;
+        }, z.core.$strip>>;
+        issuer: z.ZodOptional<z.ZodString>;
+    }, z.core.$strip>>;
+    tokenStorage: z.ZodDefault<z.ZodDiscriminatedUnion<[z.ZodObject<{
+        type: z.ZodLiteral<"memory">;
+    }, z.core.$strip>, z.ZodObject<{
+        type: z.ZodLiteral<"redis">;
+        config: z.ZodObject<{
+            host: z.ZodString;
+            port: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
+            password: z.ZodOptional<z.ZodString>;
+            db: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
+            tls: z.ZodDefault<z.ZodOptional<z.ZodBoolean>>;
+            keyPrefix: z.ZodDefault<z.ZodOptional<z.ZodString>>;
+        }, z.core.$strip>;
+    }, z.core.$strip>], "type">>;
+    sessionMode: z.ZodDefault<z.ZodEnum<{
+        stateful: "stateful";
+        stateless: "stateless";
     }>>;
-    scopes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
-    grantTypes: z.ZodOptional<z.ZodArray<z.ZodUnion<[z.ZodLiteral<"authorization_code">, z.ZodLiteral<"refresh_token">]>, "many">>;
-    authEndpoint: z.ZodOptional<z.ZodString>;
-    tokenEndpoint: z.ZodOptional<z.ZodString>;
-    registrationEndpoint: z.ZodOptional<z.ZodString>;
-    userInfoEndpoint: z.ZodOptional<z.ZodString>;
-    jwksUri: z.ZodOptional<z.ZodString>;
-} & {
+    allowDefaultPublic: z.ZodDefault<z.ZodBoolean>;
+    anonymousScopes: z.ZodDefault<z.ZodArray<z.ZodString>>;
+    publicAccess: z.ZodOptional<z.ZodObject<{
+        tools: z.ZodDefault<z.ZodUnion<readonly [z.ZodLiteral<"all">, z.ZodArray<z.ZodString>]>>;
+        prompts: z.ZodDefault<z.ZodUnion<readonly [z.ZodLiteral<"all">, z.ZodArray<z.ZodString>]>>;
+        rateLimit: z.ZodDefault<z.ZodNumber>;
+    }, z.core.$strip>>;
+    consent: z.ZodOptional<z.ZodObject<{
+        enabled: z.ZodDefault<z.ZodBoolean>;
+        groupByApp: z.ZodDefault<z.ZodBoolean>;
+        showDescriptions: z.ZodDefault<z.ZodBoolean>;
+        allowSelectAll: z.ZodDefault<z.ZodBoolean>;
+        requireSelection: z.ZodDefault<z.ZodBoolean>;
+        customMessage: z.ZodOptional<z.ZodString>;
+        rememberConsent: z.ZodDefault<z.ZodBoolean>;
+        excludedTools: z.ZodOptional<z.ZodArray<z.ZodString>>;
+        defaultSelectedTools: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    }, z.core.$strip>>;
+    refresh: z.ZodOptional<z.ZodObject<{
+        enabled: z.ZodDefault<z.ZodBoolean>;
+        skewSeconds: z.ZodDefault<z.ZodNumber>;
+    }, z.core.$strip>>;
+    expectedAudience: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodArray<z.ZodString>]>>;
+    incrementalAuth: z.ZodOptional<z.ZodObject<{
+        enabled: z.ZodDefault<z.ZodBoolean>;
+        skippedAppBehavior: z.ZodDefault<z.ZodEnum<{
+            anonymous: "anonymous";
+            "require-auth": "require-auth";
+        }>>;
+        allowSkip: z.ZodDefault<z.ZodBoolean>;
+        showAllAppsAtOnce: z.ZodDefault<z.ZodBoolean>;
+    }, z.core.$strip>>;
+    transport: z.ZodOptional<z.ZodObject<{
+        enableLegacySSE: z.ZodDefault<z.ZodBoolean>;
+        enableSseListener: z.ZodDefault<z.ZodBoolean>;
+        enableStreamableHttp: z.ZodDefault<z.ZodBoolean>;
+        enableStatelessHttp: z.ZodDefault<z.ZodBoolean>;
+        enableStatefulHttp: z.ZodDefault<z.ZodBoolean>;
+        requireSessionForStreamable: z.ZodDefault<z.ZodBoolean>;
+    }, z.core.$strip>>;
+}, z.core.$strip>, z.ZodObject<{
+    mode: z.ZodLiteral<"orchestrated">;
+    type: z.ZodLiteral<"remote">;
+    remote: z.ZodObject<{
+        provider: z.ZodString;
+        name: z.ZodOptional<z.ZodString>;
+        id: z.ZodOptional<z.ZodString>;
+        jwks: z.ZodOptional<z.ZodObject<{
+            keys: z.ZodArray<z.ZodType<JWK, unknown, z.core.$ZodTypeInternals<JWK, unknown>>>;
+        }, z.core.$strip>>;
+        jwksUri: z.ZodOptional<z.ZodString>;
+        clientId: z.ZodOptional<z.ZodString>;
+        clientSecret: z.ZodOptional<z.ZodString>;
+        scopes: z.ZodOptional<z.ZodArray<z.ZodString>>;
+        dcrEnabled: z.ZodDefault<z.ZodBoolean>;
+        authEndpoint: z.ZodOptional<z.ZodString>;
+        tokenEndpoint: z.ZodOptional<z.ZodString>;
+        registrationEndpoint: z.ZodOptional<z.ZodString>;
+        userInfoEndpoint: z.ZodOptional<z.ZodString>;
+    }, z.core.$strip>;
+    local: z.ZodOptional<z.ZodObject<{
+        signKey: z.ZodOptional<z.ZodUnion<[z.ZodType<JWK, unknown, z.core.$ZodTypeInternals<JWK, unknown>>, z.ZodCustom<Uint8Array<ArrayBuffer>, Uint8Array<ArrayBuffer>>]>>;
+        jwks: z.ZodOptional<z.ZodObject<{
+            keys: z.ZodArray<z.ZodType<JWK, unknown, z.core.$ZodTypeInternals<JWK, unknown>>>;
+        }, z.core.$strip>>;
+        issuer: z.ZodOptional<z.ZodString>;
+    }, z.core.$strip>>;
+    tokenStorage: z.ZodDefault<z.ZodDiscriminatedUnion<[z.ZodObject<{
+        type: z.ZodLiteral<"memory">;
+    }, z.core.$strip>, z.ZodObject<{
+        type: z.ZodLiteral<"redis">;
+        config: z.ZodObject<{
+            host: z.ZodString;
+            port: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
+            password: z.ZodOptional<z.ZodString>;
+            db: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
+            tls: z.ZodDefault<z.ZodOptional<z.ZodBoolean>>;
+            keyPrefix: z.ZodDefault<z.ZodOptional<z.ZodString>>;
+        }, z.core.$strip>;
+    }, z.core.$strip>], "type">>;
+    sessionMode: z.ZodDefault<z.ZodEnum<{
+        stateful: "stateful";
+        stateless: "stateless";
+    }>>;
+    allowDefaultPublic: z.ZodDefault<z.ZodBoolean>;
+    anonymousScopes: z.ZodDefault<z.ZodArray<z.ZodString>>;
+    publicAccess: z.ZodOptional<z.ZodObject<{
+        tools: z.ZodDefault<z.ZodUnion<readonly [z.ZodLiteral<"all">, z.ZodArray<z.ZodString>]>>;
+        prompts: z.ZodDefault<z.ZodUnion<readonly [z.ZodLiteral<"all">, z.ZodArray<z.ZodString>]>>;
+        rateLimit: z.ZodDefault<z.ZodNumber>;
+    }, z.core.$strip>>;
+    consent: z.ZodOptional<z.ZodObject<{
+        enabled: z.ZodDefault<z.ZodBoolean>;
+        groupByApp: z.ZodDefault<z.ZodBoolean>;
+        showDescriptions: z.ZodDefault<z.ZodBoolean>;
+        allowSelectAll: z.ZodDefault<z.ZodBoolean>;
+        requireSelection: z.ZodDefault<z.ZodBoolean>;
+        customMessage: z.ZodOptional<z.ZodString>;
+        rememberConsent: z.ZodDefault<z.ZodBoolean>;
+        excludedTools: z.ZodOptional<z.ZodArray<z.ZodString>>;
+        defaultSelectedTools: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    }, z.core.$strip>>;
+    refresh: z.ZodOptional<z.ZodObject<{
+        enabled: z.ZodDefault<z.ZodBoolean>;
+        skewSeconds: z.ZodDefault<z.ZodNumber>;
+    }, z.core.$strip>>;
+    expectedAudience: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodArray<z.ZodString>]>>;
+    incrementalAuth: z.ZodOptional<z.ZodObject<{
+        enabled: z.ZodDefault<z.ZodBoolean>;
+        skippedAppBehavior: z.ZodDefault<z.ZodEnum<{
+            anonymous: "anonymous";
+            "require-auth": "require-auth";
+        }>>;
+        allowSkip: z.ZodDefault<z.ZodBoolean>;
+        showAllAppsAtOnce: z.ZodDefault<z.ZodBoolean>;
+    }, z.core.$strip>>;
+    transport: z.ZodOptional<z.ZodObject<{
+        enableLegacySSE: z.ZodDefault<z.ZodBoolean>;
+        enableSseListener: z.ZodDefault<z.ZodBoolean>;
+        enableStreamableHttp: z.ZodDefault<z.ZodBoolean>;
+        enableStatelessHttp: z.ZodDefault<z.ZodBoolean>;
+        enableStatefulHttp: z.ZodDefault<z.ZodBoolean>;
+        requireSessionForStreamable: z.ZodDefault<z.ZodBoolean>;
+    }, z.core.$strip>>;
+}, z.core.$strip>]>;
+/**
+ * Public access configuration
+ */
+export type PublicAccessConfig = z.infer<typeof publicAccessConfigSchema>;
+export type PublicAccessConfigInput = z.input<typeof publicAccessConfigSchema>;
+/**
+ * Local signing configuration
+ */
+export type LocalSigningConfig = z.infer<typeof localSigningConfigSchema>;
+export type LocalSigningConfigInput = z.input<typeof localSigningConfigSchema>;
+/**
+ * Remote provider configuration
+ */
+export type RemoteProviderConfig = z.infer<typeof remoteProviderConfigSchema>;
+export type RemoteProviderConfigInput = z.input<typeof remoteProviderConfigSchema>;
+/**
+ * Token storage configuration
+ */
+export type TokenStorageConfig = z.infer<typeof tokenStorageConfigSchema>;
+export type TokenStorageConfigInput = z.input<typeof tokenStorageConfigSchema>;
+/**
+ * Token refresh configuration
+ */
+export type TokenRefreshConfig = z.infer<typeof tokenRefreshConfigSchema>;
+export type TokenRefreshConfigInput = z.input<typeof tokenRefreshConfigSchema>;
+/**
+ * Incremental (progressive) authorization configuration
+ */
+export type IncrementalAuthConfig = z.infer<typeof incrementalAuthConfigSchema>;
+export type IncrementalAuthConfigInput = z.input<typeof incrementalAuthConfigSchema>;
+/**
+ * Skipped app behavior type
+ */
+export type SkippedAppBehavior = z.infer<typeof skippedAppBehaviorSchema>;
+/**
+ * Consent configuration for tool selection
+ */
+export type ConsentConfig = z.infer<typeof consentConfigSchema>;
+export type ConsentConfigInput = z.input<typeof consentConfigSchema>;
+/**
+ * Transport protocol configuration
+ */
+export type TransportConfig = z.infer<typeof transportConfigSchema>;
+export type TransportConfigInput = z.input<typeof transportConfigSchema>;
+/**
+ * Public mode options (output type with defaults applied)
+ */
+export type PublicAuthOptions = z.infer<typeof publicAuthOptionsSchema>;
+export type PublicAuthOptionsInput = z.input<typeof publicAuthOptionsSchema>;
+/**
+ * Transparent mode options (output type with defaults applied)
+ */
+export type TransparentAuthOptions = z.infer<typeof transparentAuthOptionsSchema>;
+export type TransparentAuthOptionsInput = z.input<typeof transparentAuthOptionsSchema>;
+/**
+ * Orchestrated local mode options
+ */
+export type OrchestratedLocalOptions = z.infer<typeof orchestratedLocalSchema>;
+export type OrchestratedLocalOptionsInput = z.input<typeof orchestratedLocalSchema>;
+/**
+ * Orchestrated remote mode options
+ */
+export type OrchestratedRemoteOptions = z.infer<typeof orchestratedRemoteSchema>;
+export type OrchestratedRemoteOptionsInput = z.input<typeof orchestratedRemoteSchema>;
+/**
+ * Orchestrated mode options (union of local and remote)
+ */
+export type OrchestratedAuthOptions = z.infer<typeof orchestratedAuthOptionsSchema>;
+export type OrchestratedAuthOptionsInput = z.input<typeof orchestratedAuthOptionsSchema>;
+/**
+ * Auth options (output type with defaults applied)
+ * Use this type when working with parsed/validated options
+ */
+export type AuthOptions = z.infer<typeof authOptionsSchema>;
+/**
+ * Auth options input (input type for user configuration)
+ * Use this type for the @frontmcp configuration
+ */
+export type AuthOptionsInput = z.input<typeof authOptionsSchema>;
+/**
+ * Authentication mode
+ */
+export type AuthMode = 'public' | 'transparent' | 'orchestrated';
+/**
+ * Orchestrated type (local or remote)
+ */
+export type OrchestratedType = 'local' | 'remote';
+export declare const appAuthOptionsSchema: z.ZodUnion<readonly [z.ZodObject<{
+    mode: z.ZodLiteral<"public">;
+    issuer: z.ZodOptional<z.ZodString>;
+    sessionTtl: z.ZodDefault<z.ZodNumber>;
+    anonymousScopes: z.ZodDefault<z.ZodArray<z.ZodString>>;
+    publicAccess: z.ZodOptional<z.ZodObject<{
+        tools: z.ZodDefault<z.ZodUnion<readonly [z.ZodLiteral<"all">, z.ZodArray<z.ZodString>]>>;
+        prompts: z.ZodDefault<z.ZodUnion<readonly [z.ZodLiteral<"all">, z.ZodArray<z.ZodString>]>>;
+        rateLimit: z.ZodDefault<z.ZodNumber>;
+    }, z.core.$strip>>;
+    jwks: z.ZodOptional<z.ZodObject<{
+        keys: z.ZodArray<z.ZodType<JWK, unknown, z.core.$ZodTypeInternals<JWK, unknown>>>;
+    }, z.core.$strip>>;
+    signKey: z.ZodOptional<z.ZodUnion<[z.ZodType<JWK, unknown, z.core.$ZodTypeInternals<JWK, unknown>>, z.ZodCustom<Uint8Array<ArrayBuffer>, Uint8Array<ArrayBuffer>>]>>;
+    transport: z.ZodOptional<z.ZodObject<{
+        enableLegacySSE: z.ZodDefault<z.ZodBoolean>;
+        enableSseListener: z.ZodDefault<z.ZodBoolean>;
+        enableStreamableHttp: z.ZodDefault<z.ZodBoolean>;
+        enableStatelessHttp: z.ZodDefault<z.ZodBoolean>;
+        enableStatefulHttp: z.ZodDefault<z.ZodBoolean>;
+        requireSessionForStreamable: z.ZodDefault<z.ZodBoolean>;
+    }, z.core.$strip>>;
+    standalone: z.ZodOptional<z.ZodBoolean>;
+    excludeFromParent: z.ZodOptional<z.ZodBoolean>;
+}, z.core.$strip>, z.ZodObject<{
+    mode: z.ZodLiteral<"transparent">;
+    remote: z.ZodObject<{
+        provider: z.ZodString;
+        name: z.ZodOptional<z.ZodString>;
+        id: z.ZodOptional<z.ZodString>;
+        jwks: z.ZodOptional<z.ZodObject<{
+            keys: z.ZodArray<z.ZodType<JWK, unknown, z.core.$ZodTypeInternals<JWK, unknown>>>;
+        }, z.core.$strip>>;
+        jwksUri: z.ZodOptional<z.ZodString>;
+        clientId: z.ZodOptional<z.ZodString>;
+        clientSecret: z.ZodOptional<z.ZodString>;
+        scopes: z.ZodOptional<z.ZodArray<z.ZodString>>;
+        dcrEnabled: z.ZodDefault<z.ZodBoolean>;
+        authEndpoint: z.ZodOptional<z.ZodString>;
+        tokenEndpoint: z.ZodOptional<z.ZodString>;
+        registrationEndpoint: z.ZodOptional<z.ZodString>;
+        userInfoEndpoint: z.ZodOptional<z.ZodString>;
+    }, z.core.$strip>;
+    expectedAudience: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodArray<z.ZodString>]>>;
+    requiredScopes: z.ZodDefault<z.ZodArray<z.ZodString>>;
+    allowAnonymous: z.ZodDefault<z.ZodBoolean>;
+    anonymousScopes: z.ZodDefault<z.ZodArray<z.ZodString>>;
+    publicAccess: z.ZodOptional<z.ZodObject<{
+        tools: z.ZodDefault<z.ZodUnion<readonly [z.ZodLiteral<"all">, z.ZodArray<z.ZodString>]>>;
+        prompts: z.ZodDefault<z.ZodUnion<readonly [z.ZodLiteral<"all">, z.ZodArray<z.ZodString>]>>;
+        rateLimit: z.ZodDefault<z.ZodNumber>;
+    }, z.core.$strip>>;
+    transport: z.ZodOptional<z.ZodObject<{
+        enableLegacySSE: z.ZodDefault<z.ZodBoolean>;
+        enableSseListener: z.ZodDefault<z.ZodBoolean>;
+        enableStreamableHttp: z.ZodDefault<z.ZodBoolean>;
+        enableStatelessHttp: z.ZodDefault<z.ZodBoolean>;
+        enableStatefulHttp: z.ZodDefault<z.ZodBoolean>;
+        requireSessionForStreamable: z.ZodDefault<z.ZodBoolean>;
+    }, z.core.$strip>>;
     standalone: z.ZodOptional<z.ZodBoolean>;
     excludeFromParent: z.ZodOptional<z.ZodBoolean>;
-}, "strip", z.ZodTypeAny, {
-    type: "remote";
-    name: string;
-    baseUrl: string;
-    id?: string | undefined;
-    standalone?: boolean | undefined;
-    dcrEnabled?: boolean | undefined;
-    clientId?: string | ((args_0: {
-        clientId: string;
-    }, ...args: unknown[]) => string) | undefined;
-    mode?: "orchestrated" | "transparent" | undefined;
-    allowAnonymous?: boolean | undefined;
-    consent?: boolean | undefined;
-    scopes?: string[] | undefined;
-    grantTypes?: ("authorization_code" | "refresh_token")[] | undefined;
-    authEndpoint?: string | undefined;
-    tokenEndpoint?: string | undefined;
-    registrationEndpoint?: string | undefined;
-    userInfoEndpoint?: string | undefined;
-    jwks?: {
-        keys: JWK[];
-    } | undefined;
-    jwksUri?: string | undefined;
-    excludeFromParent?: boolean | undefined;
-}, {
-    type: "remote";
-    name: string;
-    baseUrl: string;
-    id?: string | undefined;
-    standalone?: boolean | undefined;
-    dcrEnabled?: boolean | undefined;
-    clientId?: string | ((args_0: {
-        clientId: string;
-    }, ...args: unknown[]) => string) | undefined;
-    mode?: "orchestrated" | "transparent" | undefined;
-    allowAnonymous?: boolean | undefined;
-    consent?: boolean | undefined;
-    scopes?: string[] | undefined;
-    grantTypes?: ("authorization_code" | "refresh_token")[] | undefined;
-    authEndpoint?: string | undefined;
-    tokenEndpoint?: string | undefined;
-    registrationEndpoint?: string | undefined;
-    userInfoEndpoint?: string | undefined;
-    jwks?: {
-        keys: JWK[];
-    } | undefined;
-    jwksUri?: string | undefined;
-    excludeFromParent?: boolean | undefined;
-}>, z.ZodObject<{
+}, z.core.$strip>, z.ZodObject<{
+    mode: z.ZodLiteral<"orchestrated">;
     type: z.ZodLiteral<"local">;
-    id: z.ZodString;
-    name: z.ZodString;
-    scopes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
-    grantTypes: z.ZodOptional<z.ZodArray<z.ZodUnion<[z.ZodLiteral<"authorization_code">, z.ZodLiteral<"refresh_token">]>, "many">>;
-    allowAnonymous: z.ZodOptional<z.ZodBoolean>;
-    consent: z.ZodOptional<z.ZodBoolean>;
-    jwks: z.ZodOptional<z.ZodObject<{
-        keys: z.ZodArray<z.ZodType<JWK, z.ZodTypeDef, JWK>, "many">;
-    }, "strip", z.ZodTypeAny, {
-        keys: JWK[];
-    }, {
-        keys: JWK[];
+    local: z.ZodOptional<z.ZodObject<{
+        signKey: z.ZodOptional<z.ZodUnion<[z.ZodType<JWK, unknown, z.core.$ZodTypeInternals<JWK, unknown>>, z.ZodCustom<Uint8Array<ArrayBuffer>, Uint8Array<ArrayBuffer>>]>>;
+        jwks: z.ZodOptional<z.ZodObject<{
+            keys: z.ZodArray<z.ZodType<JWK, unknown, z.core.$ZodTypeInternals<JWK, unknown>>>;
+        }, z.core.$strip>>;
+        issuer: z.ZodOptional<z.ZodString>;
+    }, z.core.$strip>>;
+    tokenStorage: z.ZodDefault<z.ZodDiscriminatedUnion<[z.ZodObject<{
+        type: z.ZodLiteral<"memory">;
+    }, z.core.$strip>, z.ZodObject<{
+        type: z.ZodLiteral<"redis">;
+        config: z.ZodObject<{
+            host: z.ZodString;
+            port: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
+            password: z.ZodOptional<z.ZodString>;
+            db: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
+            tls: z.ZodDefault<z.ZodOptional<z.ZodBoolean>>;
+            keyPrefix: z.ZodDefault<z.ZodOptional<z.ZodString>>;
+        }, z.core.$strip>;
+    }, z.core.$strip>], "type">>;
+    sessionMode: z.ZodDefault<z.ZodEnum<{
+        stateful: "stateful";
+        stateless: "stateless";
+    }>>;
+    allowDefaultPublic: z.ZodDefault<z.ZodBoolean>;
+    anonymousScopes: z.ZodDefault<z.ZodArray<z.ZodString>>;
+    publicAccess: z.ZodOptional<z.ZodObject<{
+        tools: z.ZodDefault<z.ZodUnion<readonly [z.ZodLiteral<"all">, z.ZodArray<z.ZodString>]>>;
+        prompts: z.ZodDefault<z.ZodUnion<readonly [z.ZodLiteral<"all">, z.ZodArray<z.ZodString>]>>;
+        rateLimit: z.ZodDefault<z.ZodNumber>;
+    }, z.core.$strip>>;
+    consent: z.ZodOptional<z.ZodObject<{
+        enabled: z.ZodDefault<z.ZodBoolean>;
+        groupByApp: z.ZodDefault<z.ZodBoolean>;
+        showDescriptions: z.ZodDefault<z.ZodBoolean>;
+        allowSelectAll: z.ZodDefault<z.ZodBoolean>;
+        requireSelection: z.ZodDefault<z.ZodBoolean>;
+        customMessage: z.ZodOptional<z.ZodString>;
+        rememberConsent: z.ZodDefault<z.ZodBoolean>;
+        excludedTools: z.ZodOptional<z.ZodArray<z.ZodString>>;
+        defaultSelectedTools: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    }, z.core.$strip>>;
+    refresh: z.ZodOptional<z.ZodObject<{
+        enabled: z.ZodDefault<z.ZodBoolean>;
+        skewSeconds: z.ZodDefault<z.ZodNumber>;
+    }, z.core.$strip>>;
+    expectedAudience: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodArray<z.ZodString>]>>;
+    incrementalAuth: z.ZodOptional<z.ZodObject<{
+        enabled: z.ZodDefault<z.ZodBoolean>;
+        skippedAppBehavior: z.ZodDefault<z.ZodEnum<{
+            anonymous: "anonymous";
+            "require-auth": "require-auth";
+        }>>;
+        allowSkip: z.ZodDefault<z.ZodBoolean>;
+        showAllAppsAtOnce: z.ZodDefault<z.ZodBoolean>;
+    }, z.core.$strip>>;
+    transport: z.ZodOptional<z.ZodObject<{
+        enableLegacySSE: z.ZodDefault<z.ZodBoolean>;
+        enableSseListener: z.ZodDefault<z.ZodBoolean>;
+        enableStreamableHttp: z.ZodDefault<z.ZodBoolean>;
+        enableStatelessHttp: z.ZodDefault<z.ZodBoolean>;
+        enableStatefulHttp: z.ZodDefault<z.ZodBoolean>;
+        requireSessionForStreamable: z.ZodDefault<z.ZodBoolean>;
+    }, z.core.$strip>>;
+    standalone: z.ZodOptional<z.ZodBoolean>;
+    excludeFromParent: z.ZodOptional<z.ZodBoolean>;
+}, z.core.$strip>, z.ZodObject<{
+    mode: z.ZodLiteral<"orchestrated">;
+    type: z.ZodLiteral<"remote">;
+    remote: z.ZodObject<{
+        provider: z.ZodString;
+        name: z.ZodOptional<z.ZodString>;
+        id: z.ZodOptional<z.ZodString>;
+        jwks: z.ZodOptional<z.ZodObject<{
+            keys: z.ZodArray<z.ZodType<JWK, unknown, z.core.$ZodTypeInternals<JWK, unknown>>>;
+        }, z.core.$strip>>;
+        jwksUri: z.ZodOptional<z.ZodString>;
+        clientId: z.ZodOptional<z.ZodString>;
+        clientSecret: z.ZodOptional<z.ZodString>;
+        scopes: z.ZodOptional<z.ZodArray<z.ZodString>>;
+        dcrEnabled: z.ZodDefault<z.ZodBoolean>;
+        authEndpoint: z.ZodOptional<z.ZodString>;
+        tokenEndpoint: z.ZodOptional<z.ZodString>;
+        registrationEndpoint: z.ZodOptional<z.ZodString>;
+        userInfoEndpoint: z.ZodOptional<z.ZodString>;
+    }, z.core.$strip>;
+    local: z.ZodOptional<z.ZodObject<{
+        signKey: z.ZodOptional<z.ZodUnion<[z.ZodType<JWK, unknown, z.core.$ZodTypeInternals<JWK, unknown>>, z.ZodCustom<Uint8Array<ArrayBuffer>, Uint8Array<ArrayBuffer>>]>>;
+        jwks: z.ZodOptional<z.ZodObject<{
+            keys: z.ZodArray<z.ZodType<JWK, unknown, z.core.$ZodTypeInternals<JWK, unknown>>>;
+        }, z.core.$strip>>;
+        issuer: z.ZodOptional<z.ZodString>;
+    }, z.core.$strip>>;
+    tokenStorage: z.ZodDefault<z.ZodDiscriminatedUnion<[z.ZodObject<{
+        type: z.ZodLiteral<"memory">;
+    }, z.core.$strip>, z.ZodObject<{
+        type: z.ZodLiteral<"redis">;
+        config: z.ZodObject<{
+            host: z.ZodString;
+            port: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
+            password: z.ZodOptional<z.ZodString>;
+            db: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
+            tls: z.ZodDefault<z.ZodOptional<z.ZodBoolean>>;
+            keyPrefix: z.ZodDefault<z.ZodOptional<z.ZodString>>;
+        }, z.core.$strip>;
+    }, z.core.$strip>], "type">>;
+    sessionMode: z.ZodDefault<z.ZodEnum<{
+        stateful: "stateful";
+        stateless: "stateless";
     }>>;
-    signKey: z.ZodOptional<z.ZodUnion<[z.ZodType<JWK, z.ZodTypeDef, JWK>, z.ZodType<Uint8Array<ArrayBuffer>, z.ZodTypeDef, Uint8Array<ArrayBuffer>>]>>;
-} & {
+    allowDefaultPublic: z.ZodDefault<z.ZodBoolean>;
+    anonymousScopes: z.ZodDefault<z.ZodArray<z.ZodString>>;
+    publicAccess: z.ZodOptional<z.ZodObject<{
+        tools: z.ZodDefault<z.ZodUnion<readonly [z.ZodLiteral<"all">, z.ZodArray<z.ZodString>]>>;
+        prompts: z.ZodDefault<z.ZodUnion<readonly [z.ZodLiteral<"all">, z.ZodArray<z.ZodString>]>>;
+        rateLimit: z.ZodDefault<z.ZodNumber>;
+    }, z.core.$strip>>;
+    consent: z.ZodOptional<z.ZodObject<{
+        enabled: z.ZodDefault<z.ZodBoolean>;
+        groupByApp: z.ZodDefault<z.ZodBoolean>;
+        showDescriptions: z.ZodDefault<z.ZodBoolean>;
+        allowSelectAll: z.ZodDefault<z.ZodBoolean>;
+        requireSelection: z.ZodDefault<z.ZodBoolean>;
+        customMessage: z.ZodOptional<z.ZodString>;
+        rememberConsent: z.ZodDefault<z.ZodBoolean>;
+        excludedTools: z.ZodOptional<z.ZodArray<z.ZodString>>;
+        defaultSelectedTools: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    }, z.core.$strip>>;
+    refresh: z.ZodOptional<z.ZodObject<{
+        enabled: z.ZodDefault<z.ZodBoolean>;
+        skewSeconds: z.ZodDefault<z.ZodNumber>;
+    }, z.core.$strip>>;
+    expectedAudience: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodArray<z.ZodString>]>>;
+    incrementalAuth: z.ZodOptional<z.ZodObject<{
+        enabled: z.ZodDefault<z.ZodBoolean>;
+        skippedAppBehavior: z.ZodDefault<z.ZodEnum<{
+            anonymous: "anonymous";
+            "require-auth": "require-auth";
+        }>>;
+        allowSkip: z.ZodDefault<z.ZodBoolean>;
+        showAllAppsAtOnce: z.ZodDefault<z.ZodBoolean>;
+    }, z.core.$strip>>;
+    transport: z.ZodOptional<z.ZodObject<{
+        enableLegacySSE: z.ZodDefault<z.ZodBoolean>;
+        enableSseListener: z.ZodDefault<z.ZodBoolean>;
+        enableStreamableHttp: z.ZodDefault<z.ZodBoolean>;
+        enableStatelessHttp: z.ZodDefault<z.ZodBoolean>;
+        enableStatefulHttp: z.ZodDefault<z.ZodBoolean>;
+        requireSessionForStreamable: z.ZodDefault<z.ZodBoolean>;
+    }, z.core.$strip>>;
     standalone: z.ZodOptional<z.ZodBoolean>;
     excludeFromParent: z.ZodOptional<z.ZodBoolean>;
-}, "strip", z.ZodTypeAny, {
-    type: "local";
-    id: string;
-    name: string;
-    standalone?: boolean | undefined;
-    allowAnonymous?: boolean | undefined;
-    consent?: boolean | undefined;
-    scopes?: string[] | undefined;
-    grantTypes?: ("authorization_code" | "refresh_token")[] | undefined;
-    jwks?: {
-        keys: JWK[];
-    } | undefined;
-    signKey?: JWK | Uint8Array<ArrayBuffer> | undefined;
-    excludeFromParent?: boolean | undefined;
-}, {
-    type: "local";
-    id: string;
-    name: string;
-    standalone?: boolean | undefined;
-    allowAnonymous?: boolean | undefined;
-    consent?: boolean | undefined;
-    scopes?: string[] | undefined;
-    grantTypes?: ("authorization_code" | "refresh_token")[] | undefined;
-    jwks?: {
-        keys: JWK[];
-    } | undefined;
-    signKey?: JWK | Uint8Array<ArrayBuffer> | undefined;
-    excludeFromParent?: boolean | undefined;
-}>]>;
-export type AppAuthOptions = (RemoteAuthOptions | LocalAuthOptions) & StandaloneOption;
-export {};
+}, z.core.$strip>]>;
+export type AppAuthOptions = z.infer<typeof appAuthOptionsSchema>;
+export type AppAuthOptionsInput = z.input<typeof appAuthOptionsSchema>;
+/**
+ * Parse and validate auth options with defaults
+ */
+export declare function parseAuthOptions(input: AuthOptionsInput): AuthOptions;
+/**
+ * Check if options are public mode
+ */
+export declare function isPublicMode(options: AuthOptions | AuthOptionsInput): options is PublicAuthOptions;
+/**
+ * Check if options are transparent mode
+ */
+export declare function isTransparentMode(options: AuthOptions | AuthOptionsInput): options is TransparentAuthOptions;
+/**
+ * Check if options are orchestrated mode
+ */
+export declare function isOrchestratedMode(options: AuthOptions | AuthOptionsInput): options is OrchestratedAuthOptions;
+/**
+ * Check if orchestrated options are local type
+ */
+export declare function isOrchestratedLocal(options: OrchestratedAuthOptions): options is OrchestratedLocalOptions;
+/**
+ * Check if orchestrated options are remote type
+ */
+export declare function isOrchestratedRemote(options: OrchestratedAuthOptions): options is OrchestratedRemoteOptions;
+/**
+ * Check if options allow public/anonymous access
+ */
+export declare function allowsPublicAccess(options: AuthOptions): boolean;