@frontmcp/sdk 0.4.1 → 0.5.0

package/src/common/types/options/auth.options.js.map

@@ -1 +1 @@
-{"version":3,"file":"auth.options.js","sourceRoot":"","sources":["../../../../../src/common/types/options/auth.options.ts"],"names":[],"mappings":";;;AAAA,6BAAwB;AACxB,kCAA6E;AAsGhE,QAAA,uBAAuB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC9C,IAAI,EAAE,OAAC,CAAC,OAAO,CAAC,QAAQ,CAAC;IACzB,EAAE,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACzB,IAAI,EAAE,OAAC,CAAC,MAAM,EAAE;IAChB,OAAO,EAAE,OAAC,CAAC,MAAM,EAAE;IACnB,UAAU,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IAClC,QAAQ,EAAE,OAAC;SACR,KAAK,CAAC;QACL,OAAC,CAAC,MAAM,EAAE;QACV,OAAC,CAAC,QAAQ,EAAE,CAAC,IAAI,CAAC,OAAC,CAAC,MAAM,CAAC,EAAE,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC;KAAC,CAAC;SAC5E,QAAQ,EAAE;IACb,IAAI,EAAE,OAAC,CAAC,KAAK,CAAC,CAAC,OAAC,CAAC,OAAO,CAAC,cAAc,CAAC,EAAE,OAAC,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE;IAC/E,cAAc,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IACtC,OAAO,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IAC/B,IAAI,EAAE,0BAAmB,CAAC,QAAQ,EAAE;IACpC,MAAM,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IACtC,UAAU,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,KAAK,CAAC,CAAC,OAAC,CAAC,OAAO,CAAC,oBAAoB,CAAC,EAAE,OAAC,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE;IACtG,YAAY,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACnC,aAAa,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACpC,oBAAoB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC3C,gBAAgB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACvC,OAAO,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CACU,CAAC,CAAC;AAwD/B,QAAA,sBAAsB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC7C,IAAI,EAAE,OAAC,CAAC,OAAO,CAAC,OAAO,CAAC;IACxB,EAAE,EAAE,OAAC,CAAC,MAAM,EAAE;IACd,IAAI,EAAE,OAAC,CAAC,MAAM,EAAE;IAChB,MAAM,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IACtC,UAAU,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,KAAK,CAAC,CAAC,OAAC,CAAC,OAAO,CAAC,oBAAoB,CAAC,EAAE,OAAC,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE;IACtG,cAAc,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IACtC,OAAO,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IAC/B,IAAI,EAAE,0BAAmB,CAAC,QAAQ,EAAE;IACpC,OAAO,EAAE,gBAAS,CAAC,EAAE,CAAC,OAAC,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC,CAAC,QAAQ,EAAE;CACnB,CAAC,CAAC;AAG9B,QAAA,iBAAiB,GAAG,OAAC,CAAC,kBAAkB,CAAC,MAAM,EAAE;IAC5D,+BAAuB;IACvB,8BAAsB;CACvB,CAAC,CAAC;AAsBH,MAAM,sBAAsB,GAAG;IAC7B,UAAU,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IAClC,iBAAiB,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;CACF,CAAC;AAE7B,QAAA,oBAAoB,GAAG,OAAC,CAAC,kBAAkB,CAAC,MAAM,EAAE;IAC/D,+BAAuB,CAAC,MAAM,CAAC,sBAAsB,CAAC;IACtD,8BAAsB,CAAC,MAAM,CAAC,sBAAsB,CAAC;CACtD,CAAC,CAAC","sourcesContent":["import { z } from 'zod';\nimport { JSONWebKeySet, jsonWebKeySetSchema, JWK, jwkSchema } from '../auth';\nimport { RawZodShape } from '../common.types';\n\nexport type RemoteAuthOptions = {\n  type: 'remote';\n\n  /**\n   * unique id for the provider\n   */\n  id?: string;\n  /**\n   * human-readable name for the provider\n   */\n  name: string;\n  /**\n   * base url of the provider\n   * if the provider does not support dcr it will be used with local auth provider proxy\n   * to register client dynamically you have to provide client id for the registration flow\n   * @example https://my-company.frontegg.com\n   */\n  baseUrl: string;\n\n  /**\n   * enable dynamic client registration (DCR) flow, if your provider does not support DCR\n   * you can set this to false and provide clientId for authorization flow, we will use local auth provider proxy\n   * to register a dynamic client with the provided clientId or by called clientId function with client info\n   * by default, the provider will use the registration endpoint to register the client dynamically\n   */\n  dcrEnabled?: boolean;\n\n  /**\n   * Only used if your auth provider does not support DCR.\n   * for Dcr auth provider the client id acquired by the registration flow\n   */\n  clientId?: string | ((clientInfo: { clientId: string }) => string);\n\n  /**\n   * Set default gateway oauth server mode, this will be overridden by discovery flow.\n   * if set to transparent and the discovery flow detect orchestrated mode it will switch to orchestrated mode\n   * @default 'transparent'\n   */\n  mode?: 'orchestrated' | 'transparent';\n\n  /**\n   * allow anonymous access to the provider\n   * @default false - allowing anonymous access will make the provider to issue an orchestrated token\n   */\n  allowAnonymous?: boolean;\n\n  /**\n   * allow consent mode to select tools/resource/prompts after authorization\n   * for scoped based access token\n   * @default false - allowing anonymous access will make the provider to issue an orchestrated token\n   */\n  consent?: boolean;\n\n\n  /**\n   * scopes for the token endpoint\n   * @default undefined - all scopes supported by th provider\n   */\n  scopes?: string[];\n  /**\n   * authorization provider supported grant types, currently only authorization_code and refresh_token are supported\n   * @default undefined - default is what presented in the /.well-known/oauth-authorization-server\n   */\n  grantTypes?: ('authorization_code' | 'refresh_token')[];\n\n  /**\n   * authorization endpoint for the provider\n   * @default undefined - default is what presented in the /.well-known/oauth-authorization-server\n   */\n  authEndpoint?: string;\n  /**\n   * token endpoint for the provider\n   * @default undefined - default is what presented in the /.well-known/oauth-authorization-server\n   */\n  tokenEndpoint?: string;\n  /**\n   * registration endpoint for the provider (DCR)\n   * @default undefined - default is what presented in the /.well-known/oauth-authorization-server\n   */\n  registrationEndpoint?: string;\n  /**\n   * user info endpoint for the provider\n   * @default undefined - default is what presented in the /.well-known/oauth-authorization-server\n   */\n  userInfoEndpoint?: string;\n\n  /**\n   * Inline JWKS for the provider to verify tokens without automatic fetching\n   * @default undefined - default is what presented in the /.well-known/jwks.json\n   */\n  jwks?: JSONWebKeySet;\n\n  /**\n   * jwks uri for the provider\n   * @default undefined - default is what presented in the /.well-known/oauth-authorization-server\n   */\n  jwksUri?: string;\n};\n\nexport const remoteAuthOptionsSchema = z.object({\n  type: z.literal('remote'),\n  id: z.string().optional(),\n  name: z.string(),\n  baseUrl: z.string(),\n  dcrEnabled: z.boolean().optional(),\n  clientId: z\n    .union([\n      z.string(),\n      z.function().args(z.object({ clientId: z.string() })).returns(z.string())])\n    .optional(),\n  mode: z.union([z.literal('orchestrated'), z.literal('transparent')]).optional(),\n  allowAnonymous: z.boolean().optional(),\n  consent: z.boolean().optional(),\n  jwks: jsonWebKeySetSchema.optional(),\n  scopes: z.array(z.string()).optional(),\n  grantTypes: z.array(z.union([z.literal('authorization_code'), z.literal('refresh_token')])).optional(),\n  authEndpoint: z.string().optional(),\n  tokenEndpoint: z.string().optional(),\n  registrationEndpoint: z.string().optional(),\n  userInfoEndpoint: z.string().optional(),\n  jwksUri: z.string().optional(),\n} satisfies RawZodShape<RemoteAuthOptions>);\n\nexport type LocalAuthOptions = {\n  type: 'local';\n\n  /**\n   * unique id for the provider\n   */\n  id: string;\n\n  /**\n   * human-readable name for the provider\n   */\n  name: string;\n\n  /**\n   * scopes for the token endpoint\n   * @default undefined - all scopes supported by th provider\n   */\n  scopes?: string[];\n  /**\n   * currently only authorization_code and refresh_token are supported\n   * @default ['authorization_code', 'refresh_token']\n   */\n  grantTypes?: ('authorization_code' | 'refresh_token')[];\n\n  /**\n   * allow anonymous access to the provider\n   * in this case the provider will act as an authorization server\n   * @default true\n   */\n  allowAnonymous?: boolean;\n\n  /**\n   * allow consent mode to select tools/resource/prompts after authorization\n   * for scoped based access token\n   * @default false - allowing anonymous access will make the provider to issue an orchestrated token\n   */\n  consent?: boolean;\n\n  /**\n   * Inline JWKS for the provider to verify tokens for local provider\n   * it will also used in /.well-known/jwks.json\n   * @default undefined - default is auto generated keys and saved in the temp folder\n   */\n  jwks?: JSONWebKeySet;\n\n  /**\n   * private key signing tokens for local provider\n   * @default undefined - default is auto generated keys and saved in the temp folder\n   */\n  signKey?: JWK | Uint8Array;\n\n};\n\n\nexport const localAuthOptionsSchema = z.object({\n  type: z.literal('local'),\n  id: z.string(),\n  name: z.string(),\n  scopes: z.array(z.string()).optional(),\n  grantTypes: z.array(z.union([z.literal('authorization_code'), z.literal('refresh_token')])).optional(),\n  allowAnonymous: z.boolean().optional(),\n  consent: z.boolean().optional(),\n  jwks: jsonWebKeySetSchema.optional(),\n  signKey: jwkSchema.or(z.instanceof(Uint8Array)).optional(),\n} satisfies RawZodShape<LocalAuthOptions>);\n\n\nexport const authOptionsSchema = z.discriminatedUnion('type', [\n  remoteAuthOptionsSchema,\n  localAuthOptionsSchema,\n]);\n\nexport type AuthOptions = RemoteAuthOptions | LocalAuthOptions;\n\n\ntype StandaloneOption = {\n  /**\n   * if the provider is standalone or not, if standalone it will register an oauth service provider\n   * on app's entry path, if not standalone it will be registered as a child provider\n   * under the root provider\n   * @default false\n   */\n  standalone?: boolean;\n\n  /**\n   * if the provider should be excluded from the parent provider's discovery\n   * this used for standalone providers\n   * @default false\n   */\n  excludeFromParent?: boolean;\n};\n\nconst standaloneOptionSchema = {\n  standalone: z.boolean().optional(),\n  excludeFromParent: z.boolean().optional(),\n} satisfies RawZodShape<StandaloneOption>;\n\nexport const appAuthOptionsSchema = z.discriminatedUnion('type', [\n  remoteAuthOptionsSchema.extend(standaloneOptionSchema),\n  localAuthOptionsSchema.extend(standaloneOptionSchema),\n]);\n\n\nexport type AppAuthOptions = (RemoteAuthOptions | LocalAuthOptions) & StandaloneOption;"]}
+{"version":3,"file":"auth.options.js","sourceRoot":"","sources":["../../../../../src/common/types/options/auth.options.ts"],"names":[],"mappings":";AAAA,uCAAuC;;;AAyuBvC,4CAEC;AAKD,oCAEC;AAKD,8CAEC;AAKD,gDAEC;AAKD,kDAEC;AAKD,oDAEC;AAKD,gDAKC;AAtxBD,6BAAwB;AACxB,kCAA6E;AAE7E,2FAA+F;AAE/F,+CAA+C;AAC/C,iBAAiB;AACjB,+CAA+C;AAE/C;;GAEG;AACU,QAAA,wBAAwB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC/C;;;OAGG;IACH,KAAK,EAAE,OAAC,CAAC,KAAK,CAAC,CAAC,OAAC,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC;IAEtE;;;OAGG;IACH,OAAO,EAAE,OAAC,CAAC,KAAK,CAAC,CAAC,OAAC,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC;IAExE;;;OAGG;IACH,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC;CAClC,CAAC,CAAC;AAEH;;GAEG;AACU,QAAA,wBAAwB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC/C;;;OAGG;IACH,OAAO,EAAE,gBAAS,CAAC,EAAE,CAAC,OAAC,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC,CAAC,QAAQ,EAAE;IAE1D;;;OAGG;IACH,IAAI,EAAE,0BAAmB,CAAC,QAAQ,EAAE;IAEpC;;;OAGG;IACH,MAAM,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CAC9B,CAAC,CAAC;AAEH;;GAEG;AACU,QAAA,0BAA0B,GAAG,OAAC,CAAC,MAAM,CAAC;IACjD;;;OAGG;IACH,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE;IAE1B;;OAEG;IACH,IAAI,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAE3B;;;OAGG;IACH,EAAE,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAEzB;;;OAGG;IACH,IAAI,EAAE,0BAAmB,CAAC,QAAQ,EAAE;IAEpC;;OAEG;IACH,OAAO,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAEpC;;OAEG;IACH,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAE/B;;OAEG;IACH,YAAY,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAEnC;;OAEG;IACH,MAAM,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IAEtC;;;OAGG;IACH,UAAU,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;IAEtC;;OAEG;IACH,YAAY,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAEzC;;OAEG;IACH,aAAa,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAE1C;;OAEG;IACH,oBAAoB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAEjD;;OAEG;IACH,gBAAgB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;CAC9C,CAAC,CAAC;AAEH;;GAEG;AACU,QAAA,wBAAwB,GAAG,OAAC,CAAC,kBAAkB,CAAC,MAAM,EAAE;IACnE,OAAC,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,OAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;IACvC,OAAC,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,OAAC,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,MAAM,EAAE,2CAAiB,EAAE,CAAC;CAClE,CAAC,CAAC;AAEH;;GAEG;AACU,QAAA,wBAAwB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC/C;;;OAGG;IACH,OAAO,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IAElC;;;OAGG;IACH,WAAW,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC;CACpC,CAAC,CAAC;AAEH;;GAEG;AACU,QAAA,wBAAwB,GAAG,OAAC,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,cAAc,CAAC,CAAC,CAAC;AAE9E;;;;;;;;GAQG;AACU,QAAA,mBAAmB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC1C;;;;OAIG;IACH,OAAO,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;IAEnC;;;OAGG;IACH,UAAU,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IAErC;;;OAGG;IACH,gBAAgB,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IAE3C;;;OAGG;IACH,cAAc,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IAEzC;;;OAGG;IACH,gBAAgB,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IAE3C;;OAEG;IACH,aAAa,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAEpC;;;OAGG;IACH,eAAe,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IAE1C;;;OAGG;IACH,aAAa,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IAE7C;;OAEG;IACH,oBAAoB,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;CACrD,CAAC,CAAC;AAEH;;;GAGG;AACU,QAAA,2BAA2B,GAAG,OAAC,CAAC,MAAM,CAAC;IAClD;;;;;OAKG;IACH,OAAO,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IAElC;;;;;OAKG;IACH,kBAAkB,EAAE,gCAAwB,CAAC,OAAO,CAAC,WAAW,CAAC;IAEjE;;;OAGG;IACH,SAAS,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IAEpC;;;OAGG;IACH,iBAAiB,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;CAC7C,CAAC,CAAC;AAEH,+CAA+C;AAC/C,mBAAmB;AACnB,4CAA4C;AAC5C,+CAA+C;AAE/C;;;GAGG;AACU,QAAA,qBAAqB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC5C;;;OAGG;IACH,eAAe,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;IAE3C;;;OAGG;IACH,iBAAiB,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IAE5C;;;OAGG;IACH,oBAAoB,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IAE/C;;;;;OAKG;IACH,mBAAmB,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;IAE/C;;;OAGG;IACH,kBAAkB,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;IAE9C;;;;OAIG;IACH,2BAA2B,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;CACvD,CAAC,CAAC;AAEH,+CAA+C;AAC/C,cAAc;AACd,+CAA+C;AAC/C,+CAA+C;AAElC,QAAA,uBAAuB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC9C,IAAI,EAAE,OAAC,CAAC,OAAO,CAAC,QAAQ,CAAC;IAEzB;;;OAGG;IACH,MAAM,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAE7B;;;OAGG;IACH,UAAU,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IAEpC;;;OAGG;IACH,eAAe,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,WAAW,CAAC,CAAC;IAE3D;;OAEG;IACH,YAAY,EAAE,gCAAwB,CAAC,QAAQ,EAAE;IAEjD;;;OAGG;IACH,IAAI,EAAE,0BAAmB,CAAC,QAAQ,EAAE;IAEpC;;;OAGG;IACH,OAAO,EAAE,gBAAS,CAAC,EAAE,CAAC,OAAC,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC,CAAC,QAAQ,EAAE;IAE1D;;;OAGG;IACH,SAAS,EAAE,6BAAqB,CAAC,QAAQ,EAAE;CAC5C,CAAC,CAAC;AAEH,+CAA+C;AAC/C,mBAAmB;AACnB,iDAAiD;AACjD,+CAA+C;AAElC,QAAA,4BAA4B,GAAG,OAAC,CAAC,MAAM,CAAC;IACnD,IAAI,EAAE,OAAC,CAAC,OAAO,CAAC,aAAa,CAAC;IAE9B;;OAEG;IACH,MAAM,EAAE,kCAA0B;IAElC;;;OAGG;IACH,gBAAgB,EAAE,OAAC,CAAC,KAAK,CAAC,CAAC,OAAC,CAAC,MAAM,EAAE,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE;IAEvE;;;;OAIG;IACH,cAAc,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC;IAE/C;;;OAGG;IACH,cAAc,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;IAE1C;;;OAGG;IACH,eAAe,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,WAAW,CAAC,CAAC;IAE3D;;OAEG;IACH,YAAY,EAAE,gCAAwB,CAAC,QAAQ,EAAE;IAEjD;;;OAGG;IACH,SAAS,EAAE,6BAAqB,CAAC,QAAQ,EAAE;CAC5C,CAAC,CAAC;AAEH,+CAA+C;AAC/C,oBAAoB;AACpB,+DAA+D;AAC/D,+CAA+C;AAE/C;;GAEG;AACU,QAAA,uBAAuB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC9C,IAAI,EAAE,OAAC,CAAC,OAAO,CAAC,cAAc,CAAC;IAC/B,IAAI,EAAE,OAAC,CAAC,OAAO,CAAC,OAAO,CAAC;IAExB;;OAEG;IACH,KAAK,EAAE,gCAAwB,CAAC,QAAQ,EAAE;IAE1C;;;OAGG;IACH,YAAY,EAAE,gCAAwB,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC;IAElE;;;;;OAKG;IACH,WAAW,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC;IAElE;;;;;OAKG;IACH,kBAAkB,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;IAE9C;;;OAGG;IACH,eAAe,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,WAAW,CAAC,CAAC;IAE3D;;OAEG;IACH,YAAY,EAAE,gCAAwB,CAAC,QAAQ,EAAE;IAEjD;;;;OAIG;IACH,OAAO,EAAE,2BAAmB,CAAC,QAAQ,EAAE;IAEvC;;OAEG;IACH,OAAO,EAAE,gCAAwB,CAAC,QAAQ,EAAE;IAE5C;;OAEG;IACH,gBAAgB,EAAE,OAAC,CAAC,KAAK,CAAC,CAAC,OAAC,CAAC,MAAM,EAAE,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE;IAEvE;;;;OAIG;IACH,eAAe,EAAE,mCAA2B,CAAC,QAAQ,EAAE;IAEvD;;;OAGG;IACH,SAAS,EAAE,6BAAqB,CAAC,QAAQ,EAAE;CAC5C,CAAC,CAAC;AAEH;;GAEG;AACU,QAAA,wBAAwB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC/C,IAAI,EAAE,OAAC,CAAC,OAAO,CAAC,cAAc,CAAC;IAC/B,IAAI,EAAE,OAAC,CAAC,OAAO,CAAC,QAAQ,CAAC;IAEzB;;OAEG;IACH,MAAM,EAAE,kCAA0B;IAElC;;OAEG;IACH,KAAK,EAAE,gCAAwB,CAAC,QAAQ,EAAE;IAE1C;;;OAGG;IACH,YAAY,EAAE,gCAAwB,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC;IAElE;;;;;OAKG;IACH,WAAW,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC;IAElE;;;;;OAKG;IACH,kBAAkB,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;IAE9C;;;OAGG;IACH,eAAe,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,WAAW,CAAC,CAAC;IAE3D;;OAEG;IACH,YAAY,EAAE,gCAAwB,CAAC,QAAQ,EAAE;IAEjD;;;;OAIG;IACH,OAAO,EAAE,2BAAmB,CAAC,QAAQ,EAAE;IAEvC;;OAEG;IACH,OAAO,EAAE,gCAAwB,CAAC,QAAQ,EAAE;IAE5C;;OAEG;IACH,gBAAgB,EAAE,OAAC,CAAC,KAAK,CAAC,CAAC,OAAC,CAAC,MAAM,EAAE,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE;IAEvE;;;;OAIG;IACH,eAAe,EAAE,mCAA2B,CAAC,QAAQ,EAAE;IAEvD;;;OAGG;IACH,SAAS,EAAE,6BAAqB,CAAC,QAAQ,EAAE;CAC5C,CAAC,CAAC;AAEH,+BAA+B;AAClB,QAAA,6BAA6B,GAAG,OAAC,CAAC,kBAAkB,CAAC,MAAM,EAAE;IACxE,+BAAuB;IACvB,gCAAwB;CACzB,CAAC,CAAC;AAEH,+CAA+C;AAC/C,uBAAuB;AACvB,+CAA+C;AAE/C;;;;GAIG;AACU,QAAA,iBAAiB,GAAG,OAAC,CAAC,KAAK,CAAC;IACvC,+BAAuB;IACvB,oCAA4B;IAC5B,+BAAuB;IACvB,gCAAwB;CACzB,CAAC,CAAC;AAoIH,MAAM,sBAAsB,GAAG;IAC7B,UAAU,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IAClC,iBAAiB,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;CACF,CAAC;AAE7B,QAAA,oBAAoB,GAAG,OAAC,CAAC,KAAK,CAAC;IAC1C,+BAAuB,CAAC,MAAM,CAAC,sBAAsB,CAAC;IACtD,oCAA4B,CAAC,MAAM,CAAC,sBAAsB,CAAC;IAC3D,+BAAuB,CAAC,MAAM,CAAC,sBAAsB,CAAC;IACtD,gCAAwB,CAAC,MAAM,CAAC,sBAAsB,CAAC;CACxD,CAAC,CAAC;AAKH,+CAA+C;AAC/C,mBAAmB;AACnB,+CAA+C;AAE/C;;GAEG;AACH,SAAgB,gBAAgB,CAAC,KAAuB;IACtD,OAAO,yBAAiB,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;AACxC,CAAC;AAED;;GAEG;AACH,SAAgB,YAAY,CAAC,OAAuC;IAClE,OAAO,OAAO,CAAC,IAAI,KAAK,QAAQ,CAAC;AACnC,CAAC;AAED;;GAEG;AACH,SAAgB,iBAAiB,CAAC,OAAuC;IACvE,OAAO,OAAO,CAAC,IAAI,KAAK,aAAa,CAAC;AACxC,CAAC;AAED;;GAEG;AACH,SAAgB,kBAAkB,CAAC,OAAuC;IACxE,OAAO,OAAO,CAAC,IAAI,KAAK,cAAc,CAAC;AACzC,CAAC;AAED;;GAEG;AACH,SAAgB,mBAAmB,CAAC,OAAgC;IAClE,OAAO,OAAO,CAAC,IAAI,KAAK,OAAO,CAAC;AAClC,CAAC;AAED;;GAEG;AACH,SAAgB,oBAAoB,CAAC,OAAgC;IACnE,OAAO,OAAO,CAAC,IAAI,KAAK,QAAQ,CAAC;AACnC,CAAC;AAED;;GAEG;AACH,SAAgB,kBAAkB,CAAC,OAAoB;IACrD,IAAI,OAAO,CAAC,IAAI,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IAC3C,IAAI,OAAO,CAAC,IAAI,KAAK,aAAa;QAAE,OAAO,OAAO,CAAC,cAAc,CAAC;IAClE,IAAI,OAAO,CAAC,IAAI,KAAK,cAAc;QAAE,OAAO,OAAO,CAAC,kBAAkB,CAAC;IACvE,OAAO,KAAK,CAAC;AACf,CAAC","sourcesContent":["// common/types/options/auth.options.ts\n\nimport { z } from 'zod';\nimport { JSONWebKeySet, jsonWebKeySetSchema, JWK, jwkSchema } from '../auth';\nimport { RawZodShape } from '../common.types';\nimport { RedisConfig, redisConfigSchema } from '../../../auth/session/transport-session.types';\n\n// ============================================\n// SHARED SCHEMAS\n// ============================================\n\n/**\n * Public access configuration for tools/prompts\n */\nexport const publicAccessConfigSchema = z.object({\n  /**\n   * Allow all tools or explicit whitelist\n   * @default 'all'\n   */\n  tools: z.union([z.literal('all'), z.array(z.string())]).default('all'),\n\n  /**\n   * Allow all prompts or explicit whitelist\n   * @default 'all'\n   */\n  prompts: z.union([z.literal('all'), z.array(z.string())]).default('all'),\n\n  /**\n   * Rate limit per IP per minute\n   * @default 60\n   */\n  rateLimit: z.number().default(60),\n});\n\n/**\n * Local signing configuration (for orchestrated local type)\n */\nexport const localSigningConfigSchema = z.object({\n  /**\n   * Private key for signing orchestrated tokens\n   * @default auto-generated\n   */\n  signKey: jwkSchema.or(z.instanceof(Uint8Array)).optional(),\n\n  /**\n   * JWKS for token verification\n   * @default auto-generated\n   */\n  jwks: jsonWebKeySetSchema.optional(),\n\n  /**\n   * Issuer identifier for orchestrated tokens\n   * @default auto-derived from server URL\n   */\n  issuer: z.string().optional(),\n});\n\n/**\n * Remote OAuth provider configuration (for orchestrated remote and transparent)\n */\nexport const remoteProviderConfigSchema = z.object({\n  /**\n   * OAuth provider base URL\n   * @example 'https://auth.example.com'\n   */\n  provider: z.string().url(),\n\n  /**\n   * Provider display name\n   */\n  name: z.string().optional(),\n\n  /**\n   * Unique identifier for this provider\n   * @default derived from provider URL\n   */\n  id: z.string().optional(),\n\n  /**\n   * Inline JWKS for offline token verification\n   * Falls back to fetching from provider's /.well-known/jwks.json\n   */\n  jwks: jsonWebKeySetSchema.optional(),\n\n  /**\n   * Custom JWKS URI if not at standard path\n   */\n  jwksUri: z.string().url().optional(),\n\n  /**\n   * Client ID for this MCP server (for orchestrated mode)\n   */\n  clientId: z.string().optional(),\n\n  /**\n   * Client secret (for confidential clients in orchestrated mode)\n   */\n  clientSecret: z.string().optional(),\n\n  /**\n   * Scopes to request from the upstream provider\n   */\n  scopes: z.array(z.string()).optional(),\n\n  /**\n   * Enable Dynamic Client Registration (DCR)\n   * @default false\n   */\n  dcrEnabled: z.boolean().default(false),\n\n  /**\n   * Authorization endpoint override\n   */\n  authEndpoint: z.string().url().optional(),\n\n  /**\n   * Token endpoint override\n   */\n  tokenEndpoint: z.string().url().optional(),\n\n  /**\n   * Registration endpoint override (for DCR)\n   */\n  registrationEndpoint: z.string().url().optional(),\n\n  /**\n   * User info endpoint override\n   */\n  userInfoEndpoint: z.string().url().optional(),\n});\n\n/**\n * Token storage configuration for orchestrated mode\n */\nexport const tokenStorageConfigSchema = z.discriminatedUnion('type', [\n  z.object({ type: z.literal('memory') }),\n  z.object({ type: z.literal('redis'), config: redisConfigSchema }),\n]);\n\n/**\n * Token refresh configuration\n */\nexport const tokenRefreshConfigSchema = z.object({\n  /**\n   * Enable automatic token refresh\n   * @default true\n   */\n  enabled: z.boolean().default(true),\n\n  /**\n   * Refresh token before expiry by this many seconds\n   * @default 60\n   */\n  skewSeconds: z.number().default(60),\n});\n\n/**\n * Behavior when a tool from a skipped (not yet authorized) app is called\n */\nexport const skippedAppBehaviorSchema = z.enum(['anonymous', 'require-auth']);\n\n/**\n * Consent configuration for tool selection\n * Allows users to choose which MCP tools to expose to the LLM\n *\n * Note: This schema is the canonical definition. It is duplicated in\n * auth/consent/consent.types.ts for domain-specific use. Both schemas\n * MUST be kept in sync. The duplication exists to avoid circular\n * dependencies between common/ and auth/ modules.\n */\nexport const consentConfigSchema = z.object({\n  /**\n   * Enable consent flow for tool selection\n   * When enabled, users can choose which tools to expose to the LLM\n   * @default false\n   */\n  enabled: z.boolean().default(false),\n\n  /**\n   * Group tools by app in the consent UI\n   * @default true\n   */\n  groupByApp: z.boolean().default(true),\n\n  /**\n   * Show tool descriptions in consent UI\n   * @default true\n   */\n  showDescriptions: z.boolean().default(true),\n\n  /**\n   * Allow selecting all tools at once\n   * @default true\n   */\n  allowSelectAll: z.boolean().default(true),\n\n  /**\n   * Require at least one tool to be selected\n   * @default true\n   */\n  requireSelection: z.boolean().default(true),\n\n  /**\n   * Custom message to display on consent page\n   */\n  customMessage: z.string().optional(),\n\n  /**\n   * Remember consent for future sessions\n   * @default true\n   */\n  rememberConsent: z.boolean().default(true),\n\n  /**\n   * Tools to exclude from consent (always available)\n   * Useful for essential tools that should always be accessible\n   */\n  excludedTools: z.array(z.string()).optional(),\n\n  /**\n   * Tools to always include in consent (pre-selected)\n   */\n  defaultSelectedTools: z.array(z.string()).optional(),\n});\n\n/**\n * Progressive/Incremental authorization configuration\n * Allows users to authorize apps one at a time after initial auth\n */\nexport const incrementalAuthConfigSchema = z.object({\n  /**\n   * Enable incremental (progressive) authorization\n   * When enabled, users can skip app authorizations during initial auth\n   * and authorize individual apps later when needed\n   * @default true\n   */\n  enabled: z.boolean().default(true),\n\n  /**\n   * Behavior when a tool from a skipped app is called\n   * - 'anonymous': If app supports anonymous access, use it; otherwise require auth\n   * - 'require-auth': Always require authorization (return auth_url)\n   * @default 'anonymous'\n   */\n  skippedAppBehavior: skippedAppBehaviorSchema.default('anonymous'),\n\n  /**\n   * Allow users to skip app authorization during initial auth flow\n   * @default true\n   */\n  allowSkip: z.boolean().default(true),\n\n  /**\n   * Show all apps in a single authorization page (vs step-by-step)\n   * @default true\n   */\n  showAllAppsAtOnce: z.boolean().default(true),\n});\n\n// ============================================\n// TRANSPORT CONFIG\n// Protocol enablement and behavior settings\n// ============================================\n\n/**\n * Transport protocol configuration\n * Controls which transport protocols are enabled and their behavior\n */\nexport const transportConfigSchema = z.object({\n  /**\n   * Enable legacy SSE transport (old HTTP+SSE protocol)\n   * @default false\n   */\n  enableLegacySSE: z.boolean().default(false),\n\n  /**\n   * Enable SSE listener for server-initiated messages (GET /mcp with Accept: text/event-stream)\n   * @default true\n   */\n  enableSseListener: z.boolean().default(true),\n\n  /**\n   * Enable streamable HTTP transport (POST with SSE response)\n   * @default true\n   */\n  enableStreamableHttp: z.boolean().default(true),\n\n  /**\n   * Enable stateless HTTP mode (requests without session ID)\n   * When enabled, allows requests without prior initialize\n   * Uses shared singleton transport for anonymous, per-token singleton for authenticated\n   * @default false\n   */\n  enableStatelessHttp: z.boolean().default(false),\n\n  /**\n   * Enable stateful HTTP transport (JSON-only responses)\n   * @default false\n   */\n  enableStatefulHttp: z.boolean().default(false),\n\n  /**\n   * Require session ID for streamable HTTP (non-stateless mode)\n   * When false, streamable HTTP requests don't require prior initialize\n   * @default true\n   */\n  requireSessionForStreamable: z.boolean().default(true),\n});\n\n// ============================================\n// PUBLIC MODE\n// No authentication required, anonymous access\n// ============================================\n\nexport const publicAuthOptionsSchema = z.object({\n  mode: z.literal('public'),\n\n  /**\n   * Issuer identifier for anonymous JWTs\n   * @default auto-derived from server URL\n   */\n  issuer: z.string().optional(),\n\n  /**\n   * Anonymous session TTL in seconds\n   * @default 3600 (1 hour)\n   */\n  sessionTtl: z.number().default(3600),\n\n  /**\n   * Scopes granted to anonymous sessions\n   * @default ['anonymous']\n   */\n  anonymousScopes: z.array(z.string()).default(['anonymous']),\n\n  /**\n   * Tool/prompt access configuration for anonymous users\n   */\n  publicAccess: publicAccessConfigSchema.optional(),\n\n  /**\n   * JWKS for token verification\n   * @default auto-generated\n   */\n  jwks: jsonWebKeySetSchema.optional(),\n\n  /**\n   * Private key for signing anonymous tokens\n   * @default auto-generated\n   */\n  signKey: jwkSchema.or(z.instanceof(Uint8Array)).optional(),\n\n  /**\n   * Transport protocol configuration\n   * Controls which transports are enabled and their behavior\n   */\n  transport: transportConfigSchema.optional(),\n});\n\n// ============================================\n// TRANSPARENT MODE\n// Pass-through OAuth tokens from remote provider\n// ============================================\n\nexport const transparentAuthOptionsSchema = z.object({\n  mode: z.literal('transparent'),\n\n  /**\n   * Remote OAuth provider configuration (required)\n   */\n  remote: remoteProviderConfigSchema,\n\n  /**\n   * Expected token audience\n   * If not set, defaults to the resource URL\n   */\n  expectedAudience: z.union([z.string(), z.array(z.string())]).optional(),\n\n  /**\n   * Required scopes for access\n   * Empty array means any valid token is accepted\n   * @default []\n   */\n  requiredScopes: z.array(z.string()).default([]),\n\n  /**\n   * Allow anonymous fallback when no token is provided\n   * @default false\n   */\n  allowAnonymous: z.boolean().default(false),\n\n  /**\n   * Scopes granted to anonymous sessions (when allowAnonymous=true)\n   * @default ['anonymous']\n   */\n  anonymousScopes: z.array(z.string()).default(['anonymous']),\n\n  /**\n   * Public access config for anonymous users (when allowAnonymous=true)\n   */\n  publicAccess: publicAccessConfigSchema.optional(),\n\n  /**\n   * Transport protocol configuration\n   * Controls which transports are enabled and their behavior\n   */\n  transport: transportConfigSchema.optional(),\n});\n\n// ============================================\n// ORCHESTRATED MODE\n// Local auth server that can proxy to remote or be fully local\n// ============================================\n\n/**\n * Orchestrated mode with local authentication only\n */\nexport const orchestratedLocalSchema = z.object({\n  mode: z.literal('orchestrated'),\n  type: z.literal('local'),\n\n  /**\n   * Local signing configuration\n   */\n  local: localSigningConfigSchema.optional(),\n\n  /**\n   * Token storage configuration\n   * @default { type: 'memory' }\n   */\n  tokenStorage: tokenStorageConfigSchema.default({ type: 'memory' }),\n\n  /**\n   * Session storage mode\n   * - 'stateful': Store sessions in Redis/memory, JWT contains only reference\n   * - 'stateless': All state encrypted in JWT\n   * @default 'stateful'\n   */\n  sessionMode: z.enum(['stateful', 'stateless']).default('stateful'),\n\n  /**\n   * Allow default public access for unauthenticated requests\n   * When true: all tools are public by default, only tools marked with scopes require auth\n   * When false: all tools require authentication by default\n   * @default false\n   */\n  allowDefaultPublic: z.boolean().default(false),\n\n  /**\n   * Scopes granted to anonymous sessions (when allowDefaultPublic=true)\n   * @default ['anonymous']\n   */\n  anonymousScopes: z.array(z.string()).default(['anonymous']),\n\n  /**\n   * Public access config (when allowDefaultPublic=true)\n   */\n  publicAccess: publicAccessConfigSchema.optional(),\n\n  /**\n   * Consent flow configuration for tool selection\n   * Allows users to choose which MCP tools to expose to the LLM\n   * @default { enabled: false }\n   */\n  consent: consentConfigSchema.optional(),\n\n  /**\n   * Token refresh settings\n   */\n  refresh: tokenRefreshConfigSchema.optional(),\n\n  /**\n   * Expected token audience for validation\n   */\n  expectedAudience: z.union([z.string(), z.array(z.string())]).optional(),\n\n  /**\n   * Incremental (progressive) authorization configuration\n   * Allows users to skip app authorizations initially and authorize later\n   * @default { enabled: true, skippedAppBehavior: 'anonymous' }\n   */\n  incrementalAuth: incrementalAuthConfigSchema.optional(),\n\n  /**\n   * Transport protocol configuration\n   * Controls which transports are enabled and their behavior\n   */\n  transport: transportConfigSchema.optional(),\n});\n\n/**\n * Orchestrated mode with remote OAuth provider\n */\nexport const orchestratedRemoteSchema = z.object({\n  mode: z.literal('orchestrated'),\n  type: z.literal('remote'),\n\n  /**\n   * Remote OAuth provider configuration (required for remote type)\n   */\n  remote: remoteProviderConfigSchema,\n\n  /**\n   * Local signing configuration (for issuing local tokens after upstream auth)\n   */\n  local: localSigningConfigSchema.optional(),\n\n  /**\n   * Token storage configuration\n   * @default { type: 'memory' }\n   */\n  tokenStorage: tokenStorageConfigSchema.default({ type: 'memory' }),\n\n  /**\n   * Session storage mode\n   * - 'stateful': Store sessions in Redis/memory, JWT contains only reference\n   * - 'stateless': All state encrypted in JWT\n   * @default 'stateful'\n   */\n  sessionMode: z.enum(['stateful', 'stateless']).default('stateful'),\n\n  /**\n   * Allow default public access for unauthenticated requests\n   * When true: all tools are public by default, only tools marked with scopes require auth\n   * When false: all tools require authentication by default\n   * @default false\n   */\n  allowDefaultPublic: z.boolean().default(false),\n\n  /**\n   * Scopes granted to anonymous sessions (when allowDefaultPublic=true)\n   * @default ['anonymous']\n   */\n  anonymousScopes: z.array(z.string()).default(['anonymous']),\n\n  /**\n   * Public access config (when allowDefaultPublic=true)\n   */\n  publicAccess: publicAccessConfigSchema.optional(),\n\n  /**\n   * Consent flow configuration for tool selection\n   * Allows users to choose which MCP tools to expose to the LLM\n   * @default { enabled: false }\n   */\n  consent: consentConfigSchema.optional(),\n\n  /**\n   * Token refresh settings\n   */\n  refresh: tokenRefreshConfigSchema.optional(),\n\n  /**\n   * Expected token audience for validation\n   */\n  expectedAudience: z.union([z.string(), z.array(z.string())]).optional(),\n\n  /**\n   * Incremental (progressive) authorization configuration\n   * Allows users to skip app authorizations initially and authorize later\n   * @default { enabled: true, skippedAppBehavior: 'anonymous' }\n   */\n  incrementalAuth: incrementalAuthConfigSchema.optional(),\n\n  /**\n   * Transport protocol configuration\n   * Controls which transports are enabled and their behavior\n   */\n  transport: transportConfigSchema.optional(),\n});\n\n// Combined orchestrated schema\nexport const orchestratedAuthOptionsSchema = z.discriminatedUnion('type', [\n  orchestratedLocalSchema,\n  orchestratedRemoteSchema,\n]);\n\n// ============================================\n// UNIFIED AUTH OPTIONS\n// ============================================\n\n/**\n * Main auth options schema - discriminated by 'mode'\n *\n * Uses z.union because we have nested discriminators (orchestrated has 'type')\n */\nexport const authOptionsSchema = z.union([\n  publicAuthOptionsSchema,\n  transparentAuthOptionsSchema,\n  orchestratedLocalSchema,\n  orchestratedRemoteSchema,\n]);\n\n// ============================================\n// TYPE EXPORTS\n// ============================================\n\n/**\n * Public access configuration\n */\nexport type PublicAccessConfig = z.infer<typeof publicAccessConfigSchema>;\nexport type PublicAccessConfigInput = z.input<typeof publicAccessConfigSchema>;\n\n/**\n * Local signing configuration\n */\nexport type LocalSigningConfig = z.infer<typeof localSigningConfigSchema>;\nexport type LocalSigningConfigInput = z.input<typeof localSigningConfigSchema>;\n\n/**\n * Remote provider configuration\n */\nexport type RemoteProviderConfig = z.infer<typeof remoteProviderConfigSchema>;\nexport type RemoteProviderConfigInput = z.input<typeof remoteProviderConfigSchema>;\n\n/**\n * Token storage configuration\n */\nexport type TokenStorageConfig = z.infer<typeof tokenStorageConfigSchema>;\nexport type TokenStorageConfigInput = z.input<typeof tokenStorageConfigSchema>;\n\n/**\n * Token refresh configuration\n */\nexport type TokenRefreshConfig = z.infer<typeof tokenRefreshConfigSchema>;\nexport type TokenRefreshConfigInput = z.input<typeof tokenRefreshConfigSchema>;\n\n/**\n * Incremental (progressive) authorization configuration\n */\nexport type IncrementalAuthConfig = z.infer<typeof incrementalAuthConfigSchema>;\nexport type IncrementalAuthConfigInput = z.input<typeof incrementalAuthConfigSchema>;\n\n/**\n * Skipped app behavior type\n */\nexport type SkippedAppBehavior = z.infer<typeof skippedAppBehaviorSchema>;\n\n/**\n * Consent configuration for tool selection\n */\nexport type ConsentConfig = z.infer<typeof consentConfigSchema>;\nexport type ConsentConfigInput = z.input<typeof consentConfigSchema>;\n\n/**\n * Transport protocol configuration\n */\nexport type TransportConfig = z.infer<typeof transportConfigSchema>;\nexport type TransportConfigInput = z.input<typeof transportConfigSchema>;\n\n/**\n * Public mode options (output type with defaults applied)\n */\nexport type PublicAuthOptions = z.infer<typeof publicAuthOptionsSchema>;\nexport type PublicAuthOptionsInput = z.input<typeof publicAuthOptionsSchema>;\n\n/**\n * Transparent mode options (output type with defaults applied)\n */\nexport type TransparentAuthOptions = z.infer<typeof transparentAuthOptionsSchema>;\nexport type TransparentAuthOptionsInput = z.input<typeof transparentAuthOptionsSchema>;\n\n/**\n * Orchestrated local mode options\n */\nexport type OrchestratedLocalOptions = z.infer<typeof orchestratedLocalSchema>;\nexport type OrchestratedLocalOptionsInput = z.input<typeof orchestratedLocalSchema>;\n\n/**\n * Orchestrated remote mode options\n */\nexport type OrchestratedRemoteOptions = z.infer<typeof orchestratedRemoteSchema>;\nexport type OrchestratedRemoteOptionsInput = z.input<typeof orchestratedRemoteSchema>;\n\n/**\n * Orchestrated mode options (union of local and remote)\n */\nexport type OrchestratedAuthOptions = z.infer<typeof orchestratedAuthOptionsSchema>;\nexport type OrchestratedAuthOptionsInput = z.input<typeof orchestratedAuthOptionsSchema>;\n\n/**\n * Auth options (output type with defaults applied)\n * Use this type when working with parsed/validated options\n */\nexport type AuthOptions = z.infer<typeof authOptionsSchema>;\n\n/**\n * Auth options input (input type for user configuration)\n * Use this type for the @frontmcp configuration\n */\nexport type AuthOptionsInput = z.input<typeof authOptionsSchema>;\n\n/**\n * Authentication mode\n */\nexport type AuthMode = 'public' | 'transparent' | 'orchestrated';\n\n/**\n * Orchestrated type (local or remote)\n */\nexport type OrchestratedType = 'local' | 'remote';\n\n// ============================================\n// APP-LEVEL AUTH OPTIONS (with standalone)\n// ============================================\n\ntype StandaloneOption = {\n  /**\n   * If the provider is standalone, it will register an OAuth service provider\n   * on app's entry path. If not standalone, it will be registered as a child\n   * provider under the root provider.\n   * @default false\n   */\n  standalone?: boolean;\n\n  /**\n   * If the provider should be excluded from the parent provider's discovery.\n   * Used for standalone providers.\n   * @default false\n   */\n  excludeFromParent?: boolean;\n};\n\nconst standaloneOptionSchema = {\n  standalone: z.boolean().optional(),\n  excludeFromParent: z.boolean().optional(),\n} satisfies RawZodShape<StandaloneOption>;\n\nexport const appAuthOptionsSchema = z.union([\n  publicAuthOptionsSchema.extend(standaloneOptionSchema),\n  transparentAuthOptionsSchema.extend(standaloneOptionSchema),\n  orchestratedLocalSchema.extend(standaloneOptionSchema),\n  orchestratedRemoteSchema.extend(standaloneOptionSchema),\n]);\n\nexport type AppAuthOptions = z.infer<typeof appAuthOptionsSchema>;\nexport type AppAuthOptionsInput = z.input<typeof appAuthOptionsSchema>;\n\n// ============================================\n// HELPER FUNCTIONS\n// ============================================\n\n/**\n * Parse and validate auth options with defaults\n */\nexport function parseAuthOptions(input: AuthOptionsInput): AuthOptions {\n  return authOptionsSchema.parse(input);\n}\n\n/**\n * Check if options are public mode\n */\nexport function isPublicMode(options: AuthOptions | AuthOptionsInput): options is PublicAuthOptions {\n  return options.mode === 'public';\n}\n\n/**\n * Check if options are transparent mode\n */\nexport function isTransparentMode(options: AuthOptions | AuthOptionsInput): options is TransparentAuthOptions {\n  return options.mode === 'transparent';\n}\n\n/**\n * Check if options are orchestrated mode\n */\nexport function isOrchestratedMode(options: AuthOptions | AuthOptionsInput): options is OrchestratedAuthOptions {\n  return options.mode === 'orchestrated';\n}\n\n/**\n * Check if orchestrated options are local type\n */\nexport function isOrchestratedLocal(options: OrchestratedAuthOptions): options is OrchestratedLocalOptions {\n  return options.type === 'local';\n}\n\n/**\n * Check if orchestrated options are remote type\n */\nexport function isOrchestratedRemote(options: OrchestratedAuthOptions): options is OrchestratedRemoteOptions {\n  return options.type === 'remote';\n}\n\n/**\n * Check if options allow public/anonymous access\n */\nexport function allowsPublicAccess(options: AuthOptions): boolean {\n  if (options.mode === 'public') return true;\n  if (options.mode === 'transparent') return options.allowAnonymous;\n  if (options.mode === 'orchestrated') return options.allowDefaultPublic;\n  return false;\n}\n"]}

package/src/common/types/options/http.options.d.ts

@@ -10,13 +10,5 @@ export declare const httpOptionsSchema: z.ZodObject<{
     port: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
     entryPath: z.ZodDefault<z.ZodString>;
     hostFactory: z.ZodOptional<z.ZodAny>;
-}, "strip", z.ZodTypeAny, {
-    port: number;
-    entryPath: string;
-    hostFactory?: any;
-}, {
-    port?: number | undefined;
-    entryPath?: string | undefined;
-    hostFactory?: any;
-}>;
+}, z.core.$strip>;
 export type HttpConfig = z.infer<typeof httpOptionsSchema>;

package/src/common/types/options/logging.options.d.ts

@@ -2,7 +2,11 @@ import { z } from 'zod';
 import { LogTransportType } from '../../interfaces';
 export declare enum LogLevel {
     Debug = 0,
+    /**
+     * @deprecated use 'Verbose' instead
+     */
     VERBOSE = 1,
+    Verbose = 1,
     Info = 2,
     Warn = 3,
     Error = 4,
@@ -20,19 +24,9 @@ export type LoggingOptions = {
     transports?: LogTransportType[];
 };
 export declare const loggingOptionsSchema: z.ZodObject<{
-    level: z.ZodDefault<z.ZodOptional<z.ZodNativeEnum<typeof LogLevel>>>;
+    level: z.ZodDefault<z.ZodOptional<z.ZodEnum<typeof LogLevel>>>;
     prefix: z.ZodOptional<z.ZodString>;
     enableConsole: z.ZodDefault<z.ZodOptional<z.ZodBoolean>>;
-    transports: z.ZodDefault<z.ZodOptional<z.ZodArray<z.ZodType<import("../../interfaces").Type<unknown>, z.ZodTypeDef, import("../../interfaces").Type<unknown>>, "many">>>;
-}, "strip", z.ZodTypeAny, {
-    level: LogLevel;
-    enableConsole: boolean;
-    transports: import("../../interfaces").Type<unknown>[];
-    prefix?: string | undefined;
-}, {
-    level?: LogLevel | undefined;
-    enableConsole?: boolean | undefined;
-    prefix?: string | undefined;
-    transports?: import("../../interfaces").Type<unknown>[] | undefined;
-}>;
+    transports: z.ZodDefault<z.ZodOptional<z.ZodArray<z.ZodCustom<import("../../interfaces").Type<unknown>, import("../../interfaces").Type<unknown>>>>>;
+}, z.core.$strip>;
 export type LoggingConfigType = Omit<z.infer<typeof loggingOptionsSchema>, 'transports'>;

package/src/common/types/options/logging.options.js

@@ -6,7 +6,11 @@ const schemas_1 = require("../../schemas");
 var LogLevel;
 (function (LogLevel) {
     LogLevel[LogLevel["Debug"] = 0] = "Debug";
+    /**
+     * @deprecated use 'Verbose' instead
+     */
     LogLevel[LogLevel["VERBOSE"] = 1] = "VERBOSE";
+    LogLevel[LogLevel["Verbose"] = 1] = "Verbose";
     LogLevel[LogLevel["Info"] = 2] = "Info";
     LogLevel[LogLevel["Warn"] = 3] = "Warn";
     LogLevel[LogLevel["Error"] = 4] = "Error";

package/src/common/types/options/logging.options.js.map

@@ -1 +1 @@
-{"version":3,"file":"logging.options.js","sourceRoot":"","sources":["../../../../../src/common/types/options/logging.options.ts"],"names":[],"mappings":";;;AAAA,6BAAwB;AACxB,2CAA8D;AAI9D,IAAY,QAOX;AAPD,WAAY,QAAQ;IAClB,yCAAS,CAAA;IACT,6CAAW,CAAA;IACX,uCAAQ,CAAA;IACR,uCAAQ,CAAA;IACR,yCAAS,CAAA;IACT,uCAAS,CAAA;AACX,CAAC,EAPW,QAAQ,wBAAR,QAAQ,QAOnB;AAEY,QAAA,YAAY,GAA6B;IACpD,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,OAAO;IACzB,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,SAAS;IAC7B,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM;IACvB,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM;IACvB,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,OAAO;IACzB,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,KAAK;CACtB,CAAC;AAaW,QAAA,oBAAoB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC3C,KAAK,EAAE,OAAC,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC;IAC/D,MAAM,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC7B,aAAa,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IACnD,UAAU,EAAE,OAAC,CAAC,KAAK,CAAC,uCAA6B,CAAC,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC;CACpC,CAAC,CAAC","sourcesContent":["import { z } from 'zod';\nimport { annotatedFrontMcpLoggerSchema } from '../../schemas';\nimport { LogTransportType } from '../../interfaces';\nimport { RawZodShape } from '../common.types';\n\nexport enum LogLevel {\n  Debug = 0,\n  VERBOSE = 1,\n  Info = 2,\n  Warn = 3,\n  Error = 4,\n  Off = 100, // never log\n}\n\nexport const LogLevelName: Record<LogLevel, string> = {\n  [LogLevel.Debug]: 'debug',\n  [LogLevel.VERBOSE]: 'verbose',\n  [LogLevel.Info]: 'info',\n  [LogLevel.Warn]: 'warn',\n  [LogLevel.Error]: 'error',\n  [LogLevel.Off]: 'off',\n};\n\nexport type LoggingOptions = {\n  level?: LogLevel; // default to 'info'\n  enableConsole?: boolean;\n  prefix?: string;\n  /**\n   * Additional custom LogTransport types to register.\n   * @default []\n   */\n  transports?: LogTransportType[];\n};\n\nexport const loggingOptionsSchema = z.object({\n  level: z.nativeEnum(LogLevel).optional().default(LogLevel.Info),\n  prefix: z.string().optional(),\n  enableConsole: z.boolean().optional().default(true),\n  transports: z.array(annotatedFrontMcpLoggerSchema).optional().default([]),\n} satisfies RawZodShape<LoggingOptions>);\n\nexport type LoggingConfigType = Omit<z.infer<typeof loggingOptionsSchema>, 'transports'>;\n"]}
+{"version":3,"file":"logging.options.js","sourceRoot":"","sources":["../../../../../src/common/types/options/logging.options.ts"],"names":[],"mappings":";;;AAAA,6BAAwB;AACxB,2CAA8D;AAI9D,IAAY,QAWX;AAXD,WAAY,QAAQ;IAClB,yCAAS,CAAA;IACT;;OAEG;IACH,6CAAW,CAAA;IACX,6CAAiB,CAAA;IACjB,uCAAQ,CAAA;IACR,uCAAQ,CAAA;IACR,yCAAS,CAAA;IACT,uCAAS,CAAA;AACX,CAAC,EAXW,QAAQ,wBAAR,QAAQ,QAWnB;AAEY,QAAA,YAAY,GAA6B;IACpD,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,OAAO;IACzB,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,SAAS;IAC7B,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM;IACvB,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM;IACvB,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,OAAO;IACzB,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,KAAK;CACtB,CAAC;AAaW,QAAA,oBAAoB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC3C,KAAK,EAAE,OAAC,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC;IAC/D,MAAM,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC7B,aAAa,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IACnD,UAAU,EAAE,OAAC,CAAC,KAAK,CAAC,uCAA6B,CAAC,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC;CACpC,CAAC,CAAC","sourcesContent":["import { z } from 'zod';\nimport { annotatedFrontMcpLoggerSchema } from '../../schemas';\nimport { LogTransportType } from '../../interfaces';\nimport { RawZodShape } from '../common.types';\n\nexport enum LogLevel {\n  Debug = 0,\n  /**\n   * @deprecated use 'Verbose' instead\n   */\n  VERBOSE = 1,\n  Verbose = VERBOSE,\n  Info = 2,\n  Warn = 3,\n  Error = 4,\n  Off = 100, // never log\n}\n\nexport const LogLevelName: Record<LogLevel, string> = {\n  [LogLevel.Debug]: 'debug',\n  [LogLevel.VERBOSE]: 'verbose',\n  [LogLevel.Info]: 'info',\n  [LogLevel.Warn]: 'warn',\n  [LogLevel.Error]: 'error',\n  [LogLevel.Off]: 'off',\n};\n\nexport type LoggingOptions = {\n  level?: LogLevel; // default to 'info'\n  enableConsole?: boolean;\n  prefix?: string;\n  /**\n   * Additional custom LogTransport types to register.\n   * @default []\n   */\n  transports?: LogTransportType[];\n};\n\nexport const loggingOptionsSchema = z.object({\n  level: z.nativeEnum(LogLevel).optional().default(LogLevel.Info),\n  prefix: z.string().optional(),\n  enableConsole: z.boolean().optional().default(true),\n  transports: z.array(annotatedFrontMcpLoggerSchema).optional().default([]),\n} satisfies RawZodShape<LoggingOptions>);\n\nexport type LoggingConfigType = Omit<z.infer<typeof loggingOptionsSchema>, 'transports'>;\n"]}

package/src/common/types/options/server-info.options.d.ts

@@ -15,34 +15,6 @@ export declare const serverInfoOptionsSchema: z.ZodObject<{
     icons: z.ZodOptional<z.ZodArray<z.ZodObject<{
         src: z.ZodString;
         mimeType: z.ZodOptional<z.ZodString>;
-        sizes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
-    }, "strip", z.ZodTypeAny, {
-        src: string;
-        mimeType?: string | undefined;
-        sizes?: string[] | undefined;
-    }, {
-        src: string;
-        mimeType?: string | undefined;
-        sizes?: string[] | undefined;
-    }>, "many">>;
-}, "strip", z.ZodTypeAny, {
-    name: string;
-    version: string;
-    title?: string | undefined;
-    icons?: {
-        src: string;
-        mimeType?: string | undefined;
-        sizes?: string[] | undefined;
-    }[] | undefined;
-    websiteUrl?: string | undefined;
-}, {
-    name: string;
-    version: string;
-    title?: string | undefined;
-    icons?: {
-        src: string;
-        mimeType?: string | undefined;
-        sizes?: string[] | undefined;
-    }[] | undefined;
-    websiteUrl?: string | undefined;
-}>;
+        sizes: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    }, z.core.$strip>>>;
+}, z.core.$strip>;

package/src/common/types/options/session.options.d.ts

@@ -1,6 +1,32 @@
 import { z } from 'zod';
+import { AIPlatformType } from '../auth/session.types';
 export type SessionMode = 'stateful' | 'stateless';
 export type TransportIdMode = 'uuid' | 'jwt';
+/**
+ * A single platform mapping entry for custom client-to-platform detection.
+ */
+export interface PlatformMappingEntry {
+    /** Pattern to match against clientInfo.name (string for exact match, RegExp for pattern) */
+    pattern: string | RegExp;
+    /** The platform type to assign when pattern matches */
+    platform: AIPlatformType;
+}
+/**
+ * Configuration for platform detection from MCP client info.
+ */
+export interface PlatformDetectionConfig {
+    /**
+     * Custom mappings to check before default detection.
+     * Mappings are evaluated in order; first match wins.
+     */
+    mappings?: PlatformMappingEntry[];
+    /**
+     * If true, skip default detection when no custom mapping matches.
+     * The platform will be 'unknown' instead of attempting keyword-based detection.
+     * @default false
+     */
+    customOnly?: boolean;
+}
 export type SessionOptions = {
     /**
      * Defines how the session lifecycle and nested tokens are managed.
@@ -42,7 +68,7 @@ export type SessionOptions = {
      *   - For distributed systems, verification is optimized by checking if the session is already
      *     verified by an existing live transport ID. This allows fast validation when multiple
      *     transports are connected to a shared queue (high-availability setup).
-     *   - If the JWT’s transport ID is not found on the current worker node, the system attempts
+     *   - If the JWT's transport ID is not found on the current worker node, the system attempts
      *     to connect to the corresponding remote transport in the distributed infrastructure.
      *
      * - When using `'uuid'`:
@@ -54,14 +80,68 @@ export type SessionOptions = {
      * @default 'uuid'
      */
     transportIdMode?: TransportIdMode | ((issuer: string) => Promise<TransportIdMode> | TransportIdMode);
+    /**
+     * Configuration for detecting the AI platform from MCP client info.
+     * Allows custom mappings to override or supplement the default keyword-based detection.
+     */
+    platformDetection?: PlatformDetectionConfig;
 };
+/**
+ * Zod schema for platform mapping entry.
+ * Note: RegExp cannot be validated by zod, so we use passthrough for pattern.
+ */
+export declare const platformMappingEntrySchema: z.ZodObject<{
+    pattern: z.ZodUnion<readonly [z.ZodString, z.ZodCustom<RegExp, RegExp>]>;
+    platform: z.ZodEnum<{
+        unknown: "unknown";
+        continue: "continue";
+        openai: "openai";
+        claude: "claude";
+        gemini: "gemini";
+        cursor: "cursor";
+        cody: "cody";
+        "generic-mcp": "generic-mcp";
+        "ext-apps": "ext-apps";
+    }>;
+}, z.core.$strip>;
+/**
+ * Zod schema for platform detection configuration.
+ */
+export declare const platformDetectionConfigSchema: z.ZodObject<{
+    mappings: z.ZodOptional<z.ZodArray<z.ZodObject<{
+        pattern: z.ZodUnion<readonly [z.ZodString, z.ZodCustom<RegExp, RegExp>]>;
+        platform: z.ZodEnum<{
+            unknown: "unknown";
+            continue: "continue";
+            openai: "openai";
+            claude: "claude";
+            gemini: "gemini";
+            cursor: "cursor";
+            cody: "cody";
+            "generic-mcp": "generic-mcp";
+            "ext-apps": "ext-apps";
+        }>;
+    }, z.core.$strip>>>;
+    customOnly: z.ZodDefault<z.ZodOptional<z.ZodBoolean>>;
+}, z.core.$strip>;
 export declare const sessionOptionsSchema: z.ZodObject<{
-    sessionMode: z.ZodDefault<z.ZodOptional<z.ZodUnion<[z.ZodLiteral<"stateful">, z.ZodLiteral<"stateless">, z.ZodFunction<z.ZodTuple<[], z.ZodUnknown>, z.ZodUnknown>]>>>;
-    transportIdMode: z.ZodDefault<z.ZodOptional<z.ZodUnion<[z.ZodLiteral<"uuid">, z.ZodLiteral<"jwt">, z.ZodFunction<z.ZodTuple<[], z.ZodUnknown>, z.ZodUnknown>]>>>;
-}, "strip", z.ZodTypeAny, {
-    sessionMode: ((...args: unknown[]) => unknown) | "stateful" | "stateless";
-    transportIdMode: ((...args: unknown[]) => unknown) | "uuid" | "jwt";
-}, {
-    sessionMode?: ((...args: unknown[]) => unknown) | "stateful" | "stateless" | undefined;
-    transportIdMode?: ((...args: unknown[]) => unknown) | "uuid" | "jwt" | undefined;
-}>;
+    sessionMode: z.ZodDefault<z.ZodOptional<z.ZodUnion<readonly [z.ZodLiteral<"stateful">, z.ZodLiteral<"stateless">, z.ZodFunction<z.core.$ZodFunctionArgs, z.core.$ZodFunctionOut>]>>>;
+    transportIdMode: z.ZodDefault<z.ZodOptional<z.ZodUnion<readonly [z.ZodLiteral<"uuid">, z.ZodLiteral<"jwt">, z.ZodFunction<z.core.$ZodFunctionArgs, z.core.$ZodFunctionOut>]>>>;
+    platformDetection: z.ZodOptional<z.ZodObject<{
+        mappings: z.ZodOptional<z.ZodArray<z.ZodObject<{
+            pattern: z.ZodUnion<readonly [z.ZodString, z.ZodCustom<RegExp, RegExp>]>;
+            platform: z.ZodEnum<{
+                unknown: "unknown";
+                continue: "continue";
+                openai: "openai";
+                claude: "claude";
+                gemini: "gemini";
+                cursor: "cursor";
+                cody: "cody";
+                "generic-mcp": "generic-mcp";
+                "ext-apps": "ext-apps";
+            }>;
+        }, z.core.$strip>>>;
+        customOnly: z.ZodDefault<z.ZodOptional<z.ZodBoolean>>;
+    }, z.core.$strip>>;
+}, z.core.$strip>;

package/src/common/types/options/session.options.js

@@ -1,9 +1,32 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.sessionOptionsSchema = void 0;
+exports.sessionOptionsSchema = exports.platformDetectionConfigSchema = exports.platformMappingEntrySchema = void 0;
 const zod_1 = require("zod");
+const session_types_1 = require("../auth/session.types");
+/**
+ * Zod schema for platform mapping entry.
+ * Note: RegExp cannot be validated by zod, so we use passthrough for pattern.
+ */
+exports.platformMappingEntrySchema = zod_1.z.object({
+    pattern: zod_1.z.union([zod_1.z.string(), zod_1.z.instanceof(RegExp)]),
+    platform: session_types_1.aiPlatformTypeSchema,
+});
+/**
+ * Zod schema for platform detection configuration.
+ */
+exports.platformDetectionConfigSchema = zod_1.z.object({
+    mappings: zod_1.z.array(exports.platformMappingEntrySchema).optional(),
+    customOnly: zod_1.z.boolean().optional().default(false),
+});
 exports.sessionOptionsSchema = zod_1.z.object({
-    sessionMode: zod_1.z.union([zod_1.z.literal('stateful'), zod_1.z.literal('stateless'), zod_1.z.function()]).optional().default('stateless'),
-    transportIdMode: zod_1.z.union([zod_1.z.literal('uuid'), zod_1.z.literal('jwt'), zod_1.z.function()]).optional().default('uuid'),
+    sessionMode: zod_1.z
+        .union([zod_1.z.literal('stateful'), zod_1.z.literal('stateless'), zod_1.z.function()])
+        .optional()
+        .default('stateless'),
+    transportIdMode: zod_1.z
+        .union([zod_1.z.literal('uuid'), zod_1.z.literal('jwt'), zod_1.z.function()])
+        .optional()
+        .default('uuid'),
+    platformDetection: exports.platformDetectionConfigSchema.optional(),
 });
 //# sourceMappingURL=session.options.js.map

package/src/common/types/options/session.options.js.map

@@ -1 +1 @@
-{"version":3,"file":"session.options.js","sourceRoot":"","sources":["../../../../../src/common/types/options/session.options.ts"],"names":[],"mappings":";;;AACA,6BAAwB;AA4DX,QAAA,oBAAoB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC3C,WAAW,EAAE,OAAC,CAAC,KAAK,CAClB,CAAC,OAAC,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,OAAC,CAAC,OAAO,CAAC,WAAW,CAAC,EAAE,OAAC,CAAC,QAAQ,EAAE,CAAC,CAC9D,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,WAAW,CAAC;IACjC,eAAe,EAAE,OAAC,CAAC,KAAK,CACtB,CAAC,OAAC,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,OAAC,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,OAAC,CAAC,QAAQ,EAAE,CAAC,CACpD,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC;CACS,CAAC,CAAC","sourcesContent":["import { RawZodShape } from '../common.types';\nimport { z } from 'zod';\n\nexport type SessionMode = 'stateful' | 'stateless';\nexport type TransportIdMode = 'uuid' | 'jwt';\n\nexport type SessionOptions = {\n  /**\n   * Defines how the session lifecycle and nested tokens are managed.\n   *\n   * Modes:\n   * - `'stateful'`: Session and nested tokens are stored in a server-side store (e.g., Redis).\n   * - `'stateless'`: All session data (including nested tokens) is embedded within a signed/encrypted JWT.\n   *\n   * **Behavior:**\n   * - When using `'stateful'`:\n   *   - Nested OAuth tokens are **never exposed** in the JWT.\n   *   - Tokens are encrypted and persisted in Redis under a session key.\n   *   - The client receives only a lightweight reference (session key) instead of full credentials.\n   *   - Results in smaller JWT payloads and reduces token leakage risk.\n   *   - Allows seamless refresh of nested provider tokens without requiring user re-authorization.\n   *   - Recommended for multi-application environments or setups using short-lived OAuth tokens.\n   *\n   * - When using `'stateless'`:\n   *   - Stores all nested tokens directly within the JWT, enabling fully client-managed sessions.\n   *   - Does **not support token refresh** — once a nested provider token expires, re-authorization is required.\n   *   - Simplifies implementation but may degrade UX when tokens are short-lived.\n   *   - Best suited for lightweight or single-application environments where token rotation is less critical.\n   *\n   * @default 'stateful'\n   */\n  sessionMode?: SessionMode | ((issuer: string) => Promise<SessionMode> | SessionMode);\n  /**\n   * Defines how the Transport ID is generated, verified, and used across sessions.\n   *\n   * Modes:\n   * - `'uuid'`: Generates a random UUID per session.\n   * - `'jwt'`: Uses a signed JWT for stateless sessions, signed with a generated session key.\n   *\n   * **Behavior: **\n   * - When using `'jwt'`:\n   *   - Requires an active Redis connection to support distributed, stateless transport sessions.\n   *   - Each token is verified using a generated public key associated with the existing session.\n   *   - Enables access to a streamable HTTP transport session ID.\n   *   - For distributed systems, verification is optimized by checking if the session is already\n   *     verified by an existing live transport ID. This allows fast validation when multiple\n   *     transports are connected to a shared queue (high-availability setup).\n   *   - If the JWT’s transport ID is not found on the current worker node, the system attempts\n   *     to connect to the corresponding remote transport in the distributed infrastructure.\n   *\n   * - When using `'uuid'`:\n   *   - Provides a strict, node-bound session transport (single-node mode).\n   *   - Each request verifies the `Authorization` header and searches for a matching transport ID\n   *     derived from the hashed authorization header and the generated transport UUID.\n   *   - If no matching transport ID is found, an error (`TransportNotInitialized`) is thrown.\n   *\n   * @default 'uuid'\n   */\n  transportIdMode?: TransportIdMode | ((issuer: string) => Promise<TransportIdMode> | TransportIdMode);\n};\n\nexport const sessionOptionsSchema = z.object({\n  sessionMode: z.union(\n    [z.literal('stateful'), z.literal('stateless'), z.function()],\n  ).optional().default('stateless'),\n  transportIdMode: z.union(\n    [z.literal('uuid'), z.literal('jwt'), z.function()],\n  ).optional().default('uuid'),\n} satisfies RawZodShape<SessionOptions>);"]}
+{"version":3,"file":"session.options.js","sourceRoot":"","sources":["../../../../../src/common/types/options/session.options.ts"],"names":[],"mappings":";;;AACA,6BAAwB;AACxB,yDAA6E;AA6F7E;;;GAGG;AACU,QAAA,0BAA0B,GAAG,OAAC,CAAC,MAAM,CAAC;IACjD,OAAO,EAAE,OAAC,CAAC,KAAK,CAAC,CAAC,OAAC,CAAC,MAAM,EAAE,EAAE,OAAC,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC;IACpD,QAAQ,EAAE,oCAAoB;CAC/B,CAAC,CAAC;AAEH;;GAEG;AACU,QAAA,6BAA6B,GAAG,OAAC,CAAC,MAAM,CAAC;IACpD,QAAQ,EAAE,OAAC,CAAC,KAAK,CAAC,kCAA0B,CAAC,CAAC,QAAQ,EAAE;IACxD,UAAU,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;CAClD,CAAC,CAAC;AAEU,QAAA,oBAAoB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC3C,WAAW,EAAE,OAAC;SACX,KAAK,CAAC,CAAC,OAAC,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,OAAC,CAAC,OAAO,CAAC,WAAW,CAAC,EAAE,OAAC,CAAC,QAAQ,EAAE,CAAC,CAAC;SACpE,QAAQ,EAAE;SACV,OAAO,CAAC,WAAW,CAAC;IACvB,eAAe,EAAE,OAAC;SACf,KAAK,CAAC,CAAC,OAAC,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,OAAC,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,OAAC,CAAC,QAAQ,EAAE,CAAC,CAAC;SAC1D,QAAQ,EAAE;SACV,OAAO,CAAC,MAAM,CAAC;IAClB,iBAAiB,EAAE,qCAA6B,CAAC,QAAQ,EAAE;CACtB,CAAC,CAAC","sourcesContent":["import { RawZodShape } from '../common.types';\nimport { z } from 'zod';\nimport { AIPlatformType, aiPlatformTypeSchema } from '../auth/session.types';\n\nexport type SessionMode = 'stateful' | 'stateless';\nexport type TransportIdMode = 'uuid' | 'jwt';\n\n/**\n * A single platform mapping entry for custom client-to-platform detection.\n */\nexport interface PlatformMappingEntry {\n  /** Pattern to match against clientInfo.name (string for exact match, RegExp for pattern) */\n  pattern: string | RegExp;\n  /** The platform type to assign when pattern matches */\n  platform: AIPlatformType;\n}\n\n/**\n * Configuration for platform detection from MCP client info.\n */\nexport interface PlatformDetectionConfig {\n  /**\n   * Custom mappings to check before default detection.\n   * Mappings are evaluated in order; first match wins.\n   */\n  mappings?: PlatformMappingEntry[];\n  /**\n   * If true, skip default detection when no custom mapping matches.\n   * The platform will be 'unknown' instead of attempting keyword-based detection.\n   * @default false\n   */\n  customOnly?: boolean;\n}\n\nexport type SessionOptions = {\n  /**\n   * Defines how the session lifecycle and nested tokens are managed.\n   *\n   * Modes:\n   * - `'stateful'`: Session and nested tokens are stored in a server-side store (e.g., Redis).\n   * - `'stateless'`: All session data (including nested tokens) is embedded within a signed/encrypted JWT.\n   *\n   * **Behavior:**\n   * - When using `'stateful'`:\n   *   - Nested OAuth tokens are **never exposed** in the JWT.\n   *   - Tokens are encrypted and persisted in Redis under a session key.\n   *   - The client receives only a lightweight reference (session key) instead of full credentials.\n   *   - Results in smaller JWT payloads and reduces token leakage risk.\n   *   - Allows seamless refresh of nested provider tokens without requiring user re-authorization.\n   *   - Recommended for multi-application environments or setups using short-lived OAuth tokens.\n   *\n   * - When using `'stateless'`:\n   *   - Stores all nested tokens directly within the JWT, enabling fully client-managed sessions.\n   *   - Does **not support token refresh** — once a nested provider token expires, re-authorization is required.\n   *   - Simplifies implementation but may degrade UX when tokens are short-lived.\n   *   - Best suited for lightweight or single-application environments where token rotation is less critical.\n   *\n   * @default 'stateful'\n   */\n  sessionMode?: SessionMode | ((issuer: string) => Promise<SessionMode> | SessionMode);\n  /**\n   * Defines how the Transport ID is generated, verified, and used across sessions.\n   *\n   * Modes:\n   * - `'uuid'`: Generates a random UUID per session.\n   * - `'jwt'`: Uses a signed JWT for stateless sessions, signed with a generated session key.\n   *\n   * **Behavior: **\n   * - When using `'jwt'`:\n   *   - Requires an active Redis connection to support distributed, stateless transport sessions.\n   *   - Each token is verified using a generated public key associated with the existing session.\n   *   - Enables access to a streamable HTTP transport session ID.\n   *   - For distributed systems, verification is optimized by checking if the session is already\n   *     verified by an existing live transport ID. This allows fast validation when multiple\n   *     transports are connected to a shared queue (high-availability setup).\n   *   - If the JWT's transport ID is not found on the current worker node, the system attempts\n   *     to connect to the corresponding remote transport in the distributed infrastructure.\n   *\n   * - When using `'uuid'`:\n   *   - Provides a strict, node-bound session transport (single-node mode).\n   *   - Each request verifies the `Authorization` header and searches for a matching transport ID\n   *     derived from the hashed authorization header and the generated transport UUID.\n   *   - If no matching transport ID is found, an error (`TransportNotInitialized`) is thrown.\n   *\n   * @default 'uuid'\n   */\n  transportIdMode?: TransportIdMode | ((issuer: string) => Promise<TransportIdMode> | TransportIdMode);\n\n  /**\n   * Configuration for detecting the AI platform from MCP client info.\n   * Allows custom mappings to override or supplement the default keyword-based detection.\n   */\n  platformDetection?: PlatformDetectionConfig;\n};\n\n/**\n * Zod schema for platform mapping entry.\n * Note: RegExp cannot be validated by zod, so we use passthrough for pattern.\n */\nexport const platformMappingEntrySchema = z.object({\n  pattern: z.union([z.string(), z.instanceof(RegExp)]),\n  platform: aiPlatformTypeSchema,\n});\n\n/**\n * Zod schema for platform detection configuration.\n */\nexport const platformDetectionConfigSchema = z.object({\n  mappings: z.array(platformMappingEntrySchema).optional(),\n  customOnly: z.boolean().optional().default(false),\n});\n\nexport const sessionOptionsSchema = z.object({\n  sessionMode: z\n    .union([z.literal('stateful'), z.literal('stateless'), z.function()])\n    .optional()\n    .default('stateless'),\n  transportIdMode: z\n    .union([z.literal('uuid'), z.literal('jwt'), z.function()])\n    .optional()\n    .default('uuid'),\n  platformDetection: platformDetectionConfigSchema.optional(),\n} satisfies RawZodShape<SessionOptions>);\n"]}

package/src/common/utils/decide-request-intent.utils.d.ts

@@ -1,58 +1,20 @@
 import { z } from 'zod';
-import { ServerRequest } from "../interfaces";
-export declare const intentSchema: z.ZodUnion<[z.ZodLiteral<"legacy-sse">, z.ZodLiteral<"sse">, z.ZodLiteral<"streamable-http">, z.ZodLiteral<"stateful-http">, z.ZodLiteral<"stateless-http">, z.ZodLiteral<"unknown">]>;
+import { ServerRequest } from '../interfaces';
+export declare const intentSchema: z.ZodUnion<readonly [z.ZodLiteral<"legacy-sse">, z.ZodLiteral<"sse">, z.ZodLiteral<"streamable-http">, z.ZodLiteral<"stateful-http">, z.ZodLiteral<"stateless-http">, z.ZodLiteral<"delete-session">, z.ZodLiteral<"unknown">]>;
 export declare const decisionSchema: z.ZodObject<{
-    intent: z.ZodUnion<[z.ZodLiteral<"legacy-sse">, z.ZodLiteral<"sse">, z.ZodLiteral<"streamable-http">, z.ZodLiteral<"stateful-http">, z.ZodLiteral<"stateless-http">, z.ZodLiteral<"unknown">]>;
-    reasons: z.ZodArray<z.ZodString, "many">;
+    intent: z.ZodUnion<readonly [z.ZodLiteral<"legacy-sse">, z.ZodLiteral<"sse">, z.ZodLiteral<"streamable-http">, z.ZodLiteral<"stateful-http">, z.ZodLiteral<"stateless-http">, z.ZodLiteral<"delete-session">, z.ZodLiteral<"unknown">]>;
+    reasons: z.ZodArray<z.ZodString>;
     recommendation: z.ZodOptional<z.ZodObject<{
         httpStatus: z.ZodNumber;
         message: z.ZodString;
-    }, "strip", z.ZodTypeAny, {
-        message: string;
-        httpStatus: number;
-    }, {
-        message: string;
-        httpStatus: number;
-    }>>;
+    }, z.core.$strip>>;
     debug: z.ZodOptional<z.ZodObject<{
         key: z.ZodNumber;
         channel: z.ZodNumber;
         flags: z.ZodNumber;
-    }, "strip", z.ZodTypeAny, {
-        key: number;
-        channel: number;
-        flags: number;
-    }, {
-        key: number;
-        channel: number;
-        flags: number;
-    }>>;
-}, "strip", z.ZodTypeAny, {
-    intent: "unknown" | "sse" | "legacy-sse" | "streamable-http" | "stateful-http" | "stateless-http";
-    reasons: string[];
-    recommendation?: {
-        message: string;
-        httpStatus: number;
-    } | undefined;
-    debug?: {
-        key: number;
-        channel: number;
-        flags: number;
-    } | undefined;
-}, {
-    intent: "unknown" | "sse" | "legacy-sse" | "streamable-http" | "stateful-http" | "stateless-http";
-    reasons: string[];
-    recommendation?: {
-        message: string;
-        httpStatus: number;
-    } | undefined;
-    debug?: {
-        key: number;
-        channel: number;
-        flags: number;
-    } | undefined;
-}>;
-export type HttpRequestIntent = 'legacy-sse' | 'sse' | 'streamable-http' | 'stateful-http' | 'stateless-http';
+    }, z.core.$strip>>;
+}, z.core.$strip>;
+export type HttpRequestIntent = 'legacy-sse' | 'sse' | 'streamable-http' | 'stateful-http' | 'stateless-http' | 'delete-session';
 export type Intent = HttpRequestIntent | 'unknown';
 export type Decision = {
     intent: Intent;