@frontmcp/sdk 0.5.0 → 0.6.0

package/src/common/types/options/auth.options.js.map

@@ -1 +1 @@
-{"version":3,"file":"auth.options.js","sourceRoot":"","sources":["../../../../../src/common/types/options/auth.options.ts"],"names":[],"mappings":";AAAA,uCAAuC;;;AAyuBvC,4CAEC;AAKD,oCAEC;AAKD,8CAEC;AAKD,gDAEC;AAKD,kDAEC;AAKD,oDAEC;AAKD,gDAKC;AAtxBD,6BAAwB;AACxB,kCAA6E;AAE7E,2FAA+F;AAE/F,+CAA+C;AAC/C,iBAAiB;AACjB,+CAA+C;AAE/C;;GAEG;AACU,QAAA,wBAAwB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC/C;;;OAGG;IACH,KAAK,EAAE,OAAC,CAAC,KAAK,CAAC,CAAC,OAAC,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC;IAEtE;;;OAGG;IACH,OAAO,EAAE,OAAC,CAAC,KAAK,CAAC,CAAC,OAAC,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC;IAExE;;;OAGG;IACH,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC;CAClC,CAAC,CAAC;AAEH;;GAEG;AACU,QAAA,wBAAwB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC/C;;;OAGG;IACH,OAAO,EAAE,gBAAS,CAAC,EAAE,CAAC,OAAC,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC,CAAC,QAAQ,EAAE;IAE1D;;;OAGG;IACH,IAAI,EAAE,0BAAmB,CAAC,QAAQ,EAAE;IAEpC;;;OAGG;IACH,MAAM,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CAC9B,CAAC,CAAC;AAEH;;GAEG;AACU,QAAA,0BAA0B,GAAG,OAAC,CAAC,MAAM,CAAC;IACjD;;;OAGG;IACH,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE;IAE1B;;OAEG;IACH,IAAI,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAE3B;;;OAGG;IACH,EAAE,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAEzB;;;OAGG;IACH,IAAI,EAAE,0BAAmB,CAAC,QAAQ,EAAE;IAEpC;;OAEG;IACH,OAAO,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAEpC;;OAEG;IACH,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAE/B;;OAEG;IACH,YAAY,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAEnC;;OAEG;IACH,MAAM,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IAEtC;;;OAGG;IACH,UAAU,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;IAEtC;;OAEG;IACH,YAAY,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAEzC;;OAEG;IACH,aAAa,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAE1C;;OAEG;IACH,oBAAoB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAEjD;;OAEG;IACH,gBAAgB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;CAC9C,CAAC,CAAC;AAEH;;GAEG;AACU,QAAA,wBAAwB,GAAG,OAAC,CAAC,kBAAkB,CAAC,MAAM,EAAE;IACnE,OAAC,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,OAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;IACvC,OAAC,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,OAAC,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,MAAM,EAAE,2CAAiB,EAAE,CAAC;CAClE,CAAC,CAAC;AAEH;;GAEG;AACU,QAAA,wBAAwB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC/C;;;OAGG;IACH,OAAO,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IAElC;;;OAGG;IACH,WAAW,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC;CACpC,CAAC,CAAC;AAEH;;GAEG;AACU,QAAA,wBAAwB,GAAG,OAAC,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,cAAc,CAAC,CAAC,CAAC;AAE9E;;;;;;;;GAQG;AACU,QAAA,mBAAmB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC1C;;;;OAIG;IACH,OAAO,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;IAEnC;;;OAGG;IACH,UAAU,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IAErC;;;OAGG;IACH,gBAAgB,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IAE3C;;;OAGG;IACH,cAAc,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IAEzC;;;OAGG;IACH,gBAAgB,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IAE3C;;OAEG;IACH,aAAa,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAEpC;;;OAGG;IACH,eAAe,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IAE1C;;;OAGG;IACH,aAAa,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IAE7C;;OAEG;IACH,oBAAoB,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;CACrD,CAAC,CAAC;AAEH;;;GAGG;AACU,QAAA,2BAA2B,GAAG,OAAC,CAAC,MAAM,CAAC;IAClD;;;;;OAKG;IACH,OAAO,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IAElC;;;;;OAKG;IACH,kBAAkB,EAAE,gCAAwB,CAAC,OAAO,CAAC,WAAW,CAAC;IAEjE;;;OAGG;IACH,SAAS,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IAEpC;;;OAGG;IACH,iBAAiB,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;CAC7C,CAAC,CAAC;AAEH,+CAA+C;AAC/C,mBAAmB;AACnB,4CAA4C;AAC5C,+CAA+C;AAE/C;;;GAGG;AACU,QAAA,qBAAqB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC5C;;;OAGG;IACH,eAAe,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;IAE3C;;;OAGG;IACH,iBAAiB,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IAE5C;;;OAGG;IACH,oBAAoB,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IAE/C;;;;;OAKG;IACH,mBAAmB,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;IAE/C;;;OAGG;IACH,kBAAkB,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;IAE9C;;;;OAIG;IACH,2BAA2B,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;CACvD,CAAC,CAAC;AAEH,+CAA+C;AAC/C,cAAc;AACd,+CAA+C;AAC/C,+CAA+C;AAElC,QAAA,uBAAuB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC9C,IAAI,EAAE,OAAC,CAAC,OAAO,CAAC,QAAQ,CAAC;IAEzB;;;OAGG;IACH,MAAM,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAE7B;;;OAGG;IACH,UAAU,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IAEpC;;;OAGG;IACH,eAAe,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,WAAW,CAAC,CAAC;IAE3D;;OAEG;IACH,YAAY,EAAE,gCAAwB,CAAC,QAAQ,EAAE;IAEjD;;;OAGG;IACH,IAAI,EAAE,0BAAmB,CAAC,QAAQ,EAAE;IAEpC;;;OAGG;IACH,OAAO,EAAE,gBAAS,CAAC,EAAE,CAAC,OAAC,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC,CAAC,QAAQ,EAAE;IAE1D;;;OAGG;IACH,SAAS,EAAE,6BAAqB,CAAC,QAAQ,EAAE;CAC5C,CAAC,CAAC;AAEH,+CAA+C;AAC/C,mBAAmB;AACnB,iDAAiD;AACjD,+CAA+C;AAElC,QAAA,4BAA4B,GAAG,OAAC,CAAC,MAAM,CAAC;IACnD,IAAI,EAAE,OAAC,CAAC,OAAO,CAAC,aAAa,CAAC;IAE9B;;OAEG;IACH,MAAM,EAAE,kCAA0B;IAElC;;;OAGG;IACH,gBAAgB,EAAE,OAAC,CAAC,KAAK,CAAC,CAAC,OAAC,CAAC,MAAM,EAAE,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE;IAEvE;;;;OAIG;IACH,cAAc,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC;IAE/C;;;OAGG;IACH,cAAc,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;IAE1C;;;OAGG;IACH,eAAe,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,WAAW,CAAC,CAAC;IAE3D;;OAEG;IACH,YAAY,EAAE,gCAAwB,CAAC,QAAQ,EAAE;IAEjD;;;OAGG;IACH,SAAS,EAAE,6BAAqB,CAAC,QAAQ,EAAE;CAC5C,CAAC,CAAC;AAEH,+CAA+C;AAC/C,oBAAoB;AACpB,+DAA+D;AAC/D,+CAA+C;AAE/C;;GAEG;AACU,QAAA,uBAAuB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC9C,IAAI,EAAE,OAAC,CAAC,OAAO,CAAC,cAAc,CAAC;IAC/B,IAAI,EAAE,OAAC,CAAC,OAAO,CAAC,OAAO,CAAC;IAExB;;OAEG;IACH,KAAK,EAAE,gCAAwB,CAAC,QAAQ,EAAE;IAE1C;;;OAGG;IACH,YAAY,EAAE,gCAAwB,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC;IAElE;;;;;OAKG;IACH,WAAW,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC;IAElE;;;;;OAKG;IACH,kBAAkB,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;IAE9C;;;OAGG;IACH,eAAe,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,WAAW,CAAC,CAAC;IAE3D;;OAEG;IACH,YAAY,EAAE,gCAAwB,CAAC,QAAQ,EAAE;IAEjD;;;;OAIG;IACH,OAAO,EAAE,2BAAmB,CAAC,QAAQ,EAAE;IAEvC;;OAEG;IACH,OAAO,EAAE,gCAAwB,CAAC,QAAQ,EAAE;IAE5C;;OAEG;IACH,gBAAgB,EAAE,OAAC,CAAC,KAAK,CAAC,CAAC,OAAC,CAAC,MAAM,EAAE,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE;IAEvE;;;;OAIG;IACH,eAAe,EAAE,mCAA2B,CAAC,QAAQ,EAAE;IAEvD;;;OAGG;IACH,SAAS,EAAE,6BAAqB,CAAC,QAAQ,EAAE;CAC5C,CAAC,CAAC;AAEH;;GAEG;AACU,QAAA,wBAAwB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC/C,IAAI,EAAE,OAAC,CAAC,OAAO,CAAC,cAAc,CAAC;IAC/B,IAAI,EAAE,OAAC,CAAC,OAAO,CAAC,QAAQ,CAAC;IAEzB;;OAEG;IACH,MAAM,EAAE,kCAA0B;IAElC;;OAEG;IACH,KAAK,EAAE,gCAAwB,CAAC,QAAQ,EAAE;IAE1C;;;OAGG;IACH,YAAY,EAAE,gCAAwB,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC;IAElE;;;;;OAKG;IACH,WAAW,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC;IAElE;;;;;OAKG;IACH,kBAAkB,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;IAE9C;;;OAGG;IACH,eAAe,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,WAAW,CAAC,CAAC;IAE3D;;OAEG;IACH,YAAY,EAAE,gCAAwB,CAAC,QAAQ,EAAE;IAEjD;;;;OAIG;IACH,OAAO,EAAE,2BAAmB,CAAC,QAAQ,EAAE;IAEvC;;OAEG;IACH,OAAO,EAAE,gCAAwB,CAAC,QAAQ,EAAE;IAE5C;;OAEG;IACH,gBAAgB,EAAE,OAAC,CAAC,KAAK,CAAC,CAAC,OAAC,CAAC,MAAM,EAAE,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE;IAEvE;;;;OAIG;IACH,eAAe,EAAE,mCAA2B,CAAC,QAAQ,EAAE;IAEvD;;;OAGG;IACH,SAAS,EAAE,6BAAqB,CAAC,QAAQ,EAAE;CAC5C,CAAC,CAAC;AAEH,+BAA+B;AAClB,QAAA,6BAA6B,GAAG,OAAC,CAAC,kBAAkB,CAAC,MAAM,EAAE;IACxE,+BAAuB;IACvB,gCAAwB;CACzB,CAAC,CAAC;AAEH,+CAA+C;AAC/C,uBAAuB;AACvB,+CAA+C;AAE/C;;;;GAIG;AACU,QAAA,iBAAiB,GAAG,OAAC,CAAC,KAAK,CAAC;IACvC,+BAAuB;IACvB,oCAA4B;IAC5B,+BAAuB;IACvB,gCAAwB;CACzB,CAAC,CAAC;AAoIH,MAAM,sBAAsB,GAAG;IAC7B,UAAU,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IAClC,iBAAiB,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;CACF,CAAC;AAE7B,QAAA,oBAAoB,GAAG,OAAC,CAAC,KAAK,CAAC;IAC1C,+BAAuB,CAAC,MAAM,CAAC,sBAAsB,CAAC;IACtD,oCAA4B,CAAC,MAAM,CAAC,sBAAsB,CAAC;IAC3D,+BAAuB,CAAC,MAAM,CAAC,sBAAsB,CAAC;IACtD,gCAAwB,CAAC,MAAM,CAAC,sBAAsB,CAAC;CACxD,CAAC,CAAC;AAKH,+CAA+C;AAC/C,mBAAmB;AACnB,+CAA+C;AAE/C;;GAEG;AACH,SAAgB,gBAAgB,CAAC,KAAuB;IACtD,OAAO,yBAAiB,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;AACxC,CAAC;AAED;;GAEG;AACH,SAAgB,YAAY,CAAC,OAAuC;IAClE,OAAO,OAAO,CAAC,IAAI,KAAK,QAAQ,CAAC;AACnC,CAAC;AAED;;GAEG;AACH,SAAgB,iBAAiB,CAAC,OAAuC;IACvE,OAAO,OAAO,CAAC,IAAI,KAAK,aAAa,CAAC;AACxC,CAAC;AAED;;GAEG;AACH,SAAgB,kBAAkB,CAAC,OAAuC;IACxE,OAAO,OAAO,CAAC,IAAI,KAAK,cAAc,CAAC;AACzC,CAAC;AAED;;GAEG;AACH,SAAgB,mBAAmB,CAAC,OAAgC;IAClE,OAAO,OAAO,CAAC,IAAI,KAAK,OAAO,CAAC;AAClC,CAAC;AAED;;GAEG;AACH,SAAgB,oBAAoB,CAAC,OAAgC;IACnE,OAAO,OAAO,CAAC,IAAI,KAAK,QAAQ,CAAC;AACnC,CAAC;AAED;;GAEG;AACH,SAAgB,kBAAkB,CAAC,OAAoB;IACrD,IAAI,OAAO,CAAC,IAAI,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IAC3C,IAAI,OAAO,CAAC,IAAI,KAAK,aAAa;QAAE,OAAO,OAAO,CAAC,cAAc,CAAC;IAClE,IAAI,OAAO,CAAC,IAAI,KAAK,cAAc;QAAE,OAAO,OAAO,CAAC,kBAAkB,CAAC;IACvE,OAAO,KAAK,CAAC;AACf,CAAC","sourcesContent":["// common/types/options/auth.options.ts\n\nimport { z } from 'zod';\nimport { JSONWebKeySet, jsonWebKeySetSchema, JWK, jwkSchema } from '../auth';\nimport { RawZodShape } from '../common.types';\nimport { RedisConfig, redisConfigSchema } from '../../../auth/session/transport-session.types';\n\n// ============================================\n// SHARED SCHEMAS\n// ============================================\n\n/**\n * Public access configuration for tools/prompts\n */\nexport const publicAccessConfigSchema = z.object({\n  /**\n   * Allow all tools or explicit whitelist\n   * @default 'all'\n   */\n  tools: z.union([z.literal('all'), z.array(z.string())]).default('all'),\n\n  /**\n   * Allow all prompts or explicit whitelist\n   * @default 'all'\n   */\n  prompts: z.union([z.literal('all'), z.array(z.string())]).default('all'),\n\n  /**\n   * Rate limit per IP per minute\n   * @default 60\n   */\n  rateLimit: z.number().default(60),\n});\n\n/**\n * Local signing configuration (for orchestrated local type)\n */\nexport const localSigningConfigSchema = z.object({\n  /**\n   * Private key for signing orchestrated tokens\n   * @default auto-generated\n   */\n  signKey: jwkSchema.or(z.instanceof(Uint8Array)).optional(),\n\n  /**\n   * JWKS for token verification\n   * @default auto-generated\n   */\n  jwks: jsonWebKeySetSchema.optional(),\n\n  /**\n   * Issuer identifier for orchestrated tokens\n   * @default auto-derived from server URL\n   */\n  issuer: z.string().optional(),\n});\n\n/**\n * Remote OAuth provider configuration (for orchestrated remote and transparent)\n */\nexport const remoteProviderConfigSchema = z.object({\n  /**\n   * OAuth provider base URL\n   * @example 'https://auth.example.com'\n   */\n  provider: z.string().url(),\n\n  /**\n   * Provider display name\n   */\n  name: z.string().optional(),\n\n  /**\n   * Unique identifier for this provider\n   * @default derived from provider URL\n   */\n  id: z.string().optional(),\n\n  /**\n   * Inline JWKS for offline token verification\n   * Falls back to fetching from provider's /.well-known/jwks.json\n   */\n  jwks: jsonWebKeySetSchema.optional(),\n\n  /**\n   * Custom JWKS URI if not at standard path\n   */\n  jwksUri: z.string().url().optional(),\n\n  /**\n   * Client ID for this MCP server (for orchestrated mode)\n   */\n  clientId: z.string().optional(),\n\n  /**\n   * Client secret (for confidential clients in orchestrated mode)\n   */\n  clientSecret: z.string().optional(),\n\n  /**\n   * Scopes to request from the upstream provider\n   */\n  scopes: z.array(z.string()).optional(),\n\n  /**\n   * Enable Dynamic Client Registration (DCR)\n   * @default false\n   */\n  dcrEnabled: z.boolean().default(false),\n\n  /**\n   * Authorization endpoint override\n   */\n  authEndpoint: z.string().url().optional(),\n\n  /**\n   * Token endpoint override\n   */\n  tokenEndpoint: z.string().url().optional(),\n\n  /**\n   * Registration endpoint override (for DCR)\n   */\n  registrationEndpoint: z.string().url().optional(),\n\n  /**\n   * User info endpoint override\n   */\n  userInfoEndpoint: z.string().url().optional(),\n});\n\n/**\n * Token storage configuration for orchestrated mode\n */\nexport const tokenStorageConfigSchema = z.discriminatedUnion('type', [\n  z.object({ type: z.literal('memory') }),\n  z.object({ type: z.literal('redis'), config: redisConfigSchema }),\n]);\n\n/**\n * Token refresh configuration\n */\nexport const tokenRefreshConfigSchema = z.object({\n  /**\n   * Enable automatic token refresh\n   * @default true\n   */\n  enabled: z.boolean().default(true),\n\n  /**\n   * Refresh token before expiry by this many seconds\n   * @default 60\n   */\n  skewSeconds: z.number().default(60),\n});\n\n/**\n * Behavior when a tool from a skipped (not yet authorized) app is called\n */\nexport const skippedAppBehaviorSchema = z.enum(['anonymous', 'require-auth']);\n\n/**\n * Consent configuration for tool selection\n * Allows users to choose which MCP tools to expose to the LLM\n *\n * Note: This schema is the canonical definition. It is duplicated in\n * auth/consent/consent.types.ts for domain-specific use. Both schemas\n * MUST be kept in sync. The duplication exists to avoid circular\n * dependencies between common/ and auth/ modules.\n */\nexport const consentConfigSchema = z.object({\n  /**\n   * Enable consent flow for tool selection\n   * When enabled, users can choose which tools to expose to the LLM\n   * @default false\n   */\n  enabled: z.boolean().default(false),\n\n  /**\n   * Group tools by app in the consent UI\n   * @default true\n   */\n  groupByApp: z.boolean().default(true),\n\n  /**\n   * Show tool descriptions in consent UI\n   * @default true\n   */\n  showDescriptions: z.boolean().default(true),\n\n  /**\n   * Allow selecting all tools at once\n   * @default true\n   */\n  allowSelectAll: z.boolean().default(true),\n\n  /**\n   * Require at least one tool to be selected\n   * @default true\n   */\n  requireSelection: z.boolean().default(true),\n\n  /**\n   * Custom message to display on consent page\n   */\n  customMessage: z.string().optional(),\n\n  /**\n   * Remember consent for future sessions\n   * @default true\n   */\n  rememberConsent: z.boolean().default(true),\n\n  /**\n   * Tools to exclude from consent (always available)\n   * Useful for essential tools that should always be accessible\n   */\n  excludedTools: z.array(z.string()).optional(),\n\n  /**\n   * Tools to always include in consent (pre-selected)\n   */\n  defaultSelectedTools: z.array(z.string()).optional(),\n});\n\n/**\n * Progressive/Incremental authorization configuration\n * Allows users to authorize apps one at a time after initial auth\n */\nexport const incrementalAuthConfigSchema = z.object({\n  /**\n   * Enable incremental (progressive) authorization\n   * When enabled, users can skip app authorizations during initial auth\n   * and authorize individual apps later when needed\n   * @default true\n   */\n  enabled: z.boolean().default(true),\n\n  /**\n   * Behavior when a tool from a skipped app is called\n   * - 'anonymous': If app supports anonymous access, use it; otherwise require auth\n   * - 'require-auth': Always require authorization (return auth_url)\n   * @default 'anonymous'\n   */\n  skippedAppBehavior: skippedAppBehaviorSchema.default('anonymous'),\n\n  /**\n   * Allow users to skip app authorization during initial auth flow\n   * @default true\n   */\n  allowSkip: z.boolean().default(true),\n\n  /**\n   * Show all apps in a single authorization page (vs step-by-step)\n   * @default true\n   */\n  showAllAppsAtOnce: z.boolean().default(true),\n});\n\n// ============================================\n// TRANSPORT CONFIG\n// Protocol enablement and behavior settings\n// ============================================\n\n/**\n * Transport protocol configuration\n * Controls which transport protocols are enabled and their behavior\n */\nexport const transportConfigSchema = z.object({\n  /**\n   * Enable legacy SSE transport (old HTTP+SSE protocol)\n   * @default false\n   */\n  enableLegacySSE: z.boolean().default(false),\n\n  /**\n   * Enable SSE listener for server-initiated messages (GET /mcp with Accept: text/event-stream)\n   * @default true\n   */\n  enableSseListener: z.boolean().default(true),\n\n  /**\n   * Enable streamable HTTP transport (POST with SSE response)\n   * @default true\n   */\n  enableStreamableHttp: z.boolean().default(true),\n\n  /**\n   * Enable stateless HTTP mode (requests without session ID)\n   * When enabled, allows requests without prior initialize\n   * Uses shared singleton transport for anonymous, per-token singleton for authenticated\n   * @default false\n   */\n  enableStatelessHttp: z.boolean().default(false),\n\n  /**\n   * Enable stateful HTTP transport (JSON-only responses)\n   * @default false\n   */\n  enableStatefulHttp: z.boolean().default(false),\n\n  /**\n   * Require session ID for streamable HTTP (non-stateless mode)\n   * When false, streamable HTTP requests don't require prior initialize\n   * @default true\n   */\n  requireSessionForStreamable: z.boolean().default(true),\n});\n\n// ============================================\n// PUBLIC MODE\n// No authentication required, anonymous access\n// ============================================\n\nexport const publicAuthOptionsSchema = z.object({\n  mode: z.literal('public'),\n\n  /**\n   * Issuer identifier for anonymous JWTs\n   * @default auto-derived from server URL\n   */\n  issuer: z.string().optional(),\n\n  /**\n   * Anonymous session TTL in seconds\n   * @default 3600 (1 hour)\n   */\n  sessionTtl: z.number().default(3600),\n\n  /**\n   * Scopes granted to anonymous sessions\n   * @default ['anonymous']\n   */\n  anonymousScopes: z.array(z.string()).default(['anonymous']),\n\n  /**\n   * Tool/prompt access configuration for anonymous users\n   */\n  publicAccess: publicAccessConfigSchema.optional(),\n\n  /**\n   * JWKS for token verification\n   * @default auto-generated\n   */\n  jwks: jsonWebKeySetSchema.optional(),\n\n  /**\n   * Private key for signing anonymous tokens\n   * @default auto-generated\n   */\n  signKey: jwkSchema.or(z.instanceof(Uint8Array)).optional(),\n\n  /**\n   * Transport protocol configuration\n   * Controls which transports are enabled and their behavior\n   */\n  transport: transportConfigSchema.optional(),\n});\n\n// ============================================\n// TRANSPARENT MODE\n// Pass-through OAuth tokens from remote provider\n// ============================================\n\nexport const transparentAuthOptionsSchema = z.object({\n  mode: z.literal('transparent'),\n\n  /**\n   * Remote OAuth provider configuration (required)\n   */\n  remote: remoteProviderConfigSchema,\n\n  /**\n   * Expected token audience\n   * If not set, defaults to the resource URL\n   */\n  expectedAudience: z.union([z.string(), z.array(z.string())]).optional(),\n\n  /**\n   * Required scopes for access\n   * Empty array means any valid token is accepted\n   * @default []\n   */\n  requiredScopes: z.array(z.string()).default([]),\n\n  /**\n   * Allow anonymous fallback when no token is provided\n   * @default false\n   */\n  allowAnonymous: z.boolean().default(false),\n\n  /**\n   * Scopes granted to anonymous sessions (when allowAnonymous=true)\n   * @default ['anonymous']\n   */\n  anonymousScopes: z.array(z.string()).default(['anonymous']),\n\n  /**\n   * Public access config for anonymous users (when allowAnonymous=true)\n   */\n  publicAccess: publicAccessConfigSchema.optional(),\n\n  /**\n   * Transport protocol configuration\n   * Controls which transports are enabled and their behavior\n   */\n  transport: transportConfigSchema.optional(),\n});\n\n// ============================================\n// ORCHESTRATED MODE\n// Local auth server that can proxy to remote or be fully local\n// ============================================\n\n/**\n * Orchestrated mode with local authentication only\n */\nexport const orchestratedLocalSchema = z.object({\n  mode: z.literal('orchestrated'),\n  type: z.literal('local'),\n\n  /**\n   * Local signing configuration\n   */\n  local: localSigningConfigSchema.optional(),\n\n  /**\n   * Token storage configuration\n   * @default { type: 'memory' }\n   */\n  tokenStorage: tokenStorageConfigSchema.default({ type: 'memory' }),\n\n  /**\n   * Session storage mode\n   * - 'stateful': Store sessions in Redis/memory, JWT contains only reference\n   * - 'stateless': All state encrypted in JWT\n   * @default 'stateful'\n   */\n  sessionMode: z.enum(['stateful', 'stateless']).default('stateful'),\n\n  /**\n   * Allow default public access for unauthenticated requests\n   * When true: all tools are public by default, only tools marked with scopes require auth\n   * When false: all tools require authentication by default\n   * @default false\n   */\n  allowDefaultPublic: z.boolean().default(false),\n\n  /**\n   * Scopes granted to anonymous sessions (when allowDefaultPublic=true)\n   * @default ['anonymous']\n   */\n  anonymousScopes: z.array(z.string()).default(['anonymous']),\n\n  /**\n   * Public access config (when allowDefaultPublic=true)\n   */\n  publicAccess: publicAccessConfigSchema.optional(),\n\n  /**\n   * Consent flow configuration for tool selection\n   * Allows users to choose which MCP tools to expose to the LLM\n   * @default { enabled: false }\n   */\n  consent: consentConfigSchema.optional(),\n\n  /**\n   * Token refresh settings\n   */\n  refresh: tokenRefreshConfigSchema.optional(),\n\n  /**\n   * Expected token audience for validation\n   */\n  expectedAudience: z.union([z.string(), z.array(z.string())]).optional(),\n\n  /**\n   * Incremental (progressive) authorization configuration\n   * Allows users to skip app authorizations initially and authorize later\n   * @default { enabled: true, skippedAppBehavior: 'anonymous' }\n   */\n  incrementalAuth: incrementalAuthConfigSchema.optional(),\n\n  /**\n   * Transport protocol configuration\n   * Controls which transports are enabled and their behavior\n   */\n  transport: transportConfigSchema.optional(),\n});\n\n/**\n * Orchestrated mode with remote OAuth provider\n */\nexport const orchestratedRemoteSchema = z.object({\n  mode: z.literal('orchestrated'),\n  type: z.literal('remote'),\n\n  /**\n   * Remote OAuth provider configuration (required for remote type)\n   */\n  remote: remoteProviderConfigSchema,\n\n  /**\n   * Local signing configuration (for issuing local tokens after upstream auth)\n   */\n  local: localSigningConfigSchema.optional(),\n\n  /**\n   * Token storage configuration\n   * @default { type: 'memory' }\n   */\n  tokenStorage: tokenStorageConfigSchema.default({ type: 'memory' }),\n\n  /**\n   * Session storage mode\n   * - 'stateful': Store sessions in Redis/memory, JWT contains only reference\n   * - 'stateless': All state encrypted in JWT\n   * @default 'stateful'\n   */\n  sessionMode: z.enum(['stateful', 'stateless']).default('stateful'),\n\n  /**\n   * Allow default public access for unauthenticated requests\n   * When true: all tools are public by default, only tools marked with scopes require auth\n   * When false: all tools require authentication by default\n   * @default false\n   */\n  allowDefaultPublic: z.boolean().default(false),\n\n  /**\n   * Scopes granted to anonymous sessions (when allowDefaultPublic=true)\n   * @default ['anonymous']\n   */\n  anonymousScopes: z.array(z.string()).default(['anonymous']),\n\n  /**\n   * Public access config (when allowDefaultPublic=true)\n   */\n  publicAccess: publicAccessConfigSchema.optional(),\n\n  /**\n   * Consent flow configuration for tool selection\n   * Allows users to choose which MCP tools to expose to the LLM\n   * @default { enabled: false }\n   */\n  consent: consentConfigSchema.optional(),\n\n  /**\n   * Token refresh settings\n   */\n  refresh: tokenRefreshConfigSchema.optional(),\n\n  /**\n   * Expected token audience for validation\n   */\n  expectedAudience: z.union([z.string(), z.array(z.string())]).optional(),\n\n  /**\n   * Incremental (progressive) authorization configuration\n   * Allows users to skip app authorizations initially and authorize later\n   * @default { enabled: true, skippedAppBehavior: 'anonymous' }\n   */\n  incrementalAuth: incrementalAuthConfigSchema.optional(),\n\n  /**\n   * Transport protocol configuration\n   * Controls which transports are enabled and their behavior\n   */\n  transport: transportConfigSchema.optional(),\n});\n\n// Combined orchestrated schema\nexport const orchestratedAuthOptionsSchema = z.discriminatedUnion('type', [\n  orchestratedLocalSchema,\n  orchestratedRemoteSchema,\n]);\n\n// ============================================\n// UNIFIED AUTH OPTIONS\n// ============================================\n\n/**\n * Main auth options schema - discriminated by 'mode'\n *\n * Uses z.union because we have nested discriminators (orchestrated has 'type')\n */\nexport const authOptionsSchema = z.union([\n  publicAuthOptionsSchema,\n  transparentAuthOptionsSchema,\n  orchestratedLocalSchema,\n  orchestratedRemoteSchema,\n]);\n\n// ============================================\n// TYPE EXPORTS\n// ============================================\n\n/**\n * Public access configuration\n */\nexport type PublicAccessConfig = z.infer<typeof publicAccessConfigSchema>;\nexport type PublicAccessConfigInput = z.input<typeof publicAccessConfigSchema>;\n\n/**\n * Local signing configuration\n */\nexport type LocalSigningConfig = z.infer<typeof localSigningConfigSchema>;\nexport type LocalSigningConfigInput = z.input<typeof localSigningConfigSchema>;\n\n/**\n * Remote provider configuration\n */\nexport type RemoteProviderConfig = z.infer<typeof remoteProviderConfigSchema>;\nexport type RemoteProviderConfigInput = z.input<typeof remoteProviderConfigSchema>;\n\n/**\n * Token storage configuration\n */\nexport type TokenStorageConfig = z.infer<typeof tokenStorageConfigSchema>;\nexport type TokenStorageConfigInput = z.input<typeof tokenStorageConfigSchema>;\n\n/**\n * Token refresh configuration\n */\nexport type TokenRefreshConfig = z.infer<typeof tokenRefreshConfigSchema>;\nexport type TokenRefreshConfigInput = z.input<typeof tokenRefreshConfigSchema>;\n\n/**\n * Incremental (progressive) authorization configuration\n */\nexport type IncrementalAuthConfig = z.infer<typeof incrementalAuthConfigSchema>;\nexport type IncrementalAuthConfigInput = z.input<typeof incrementalAuthConfigSchema>;\n\n/**\n * Skipped app behavior type\n */\nexport type SkippedAppBehavior = z.infer<typeof skippedAppBehaviorSchema>;\n\n/**\n * Consent configuration for tool selection\n */\nexport type ConsentConfig = z.infer<typeof consentConfigSchema>;\nexport type ConsentConfigInput = z.input<typeof consentConfigSchema>;\n\n/**\n * Transport protocol configuration\n */\nexport type TransportConfig = z.infer<typeof transportConfigSchema>;\nexport type TransportConfigInput = z.input<typeof transportConfigSchema>;\n\n/**\n * Public mode options (output type with defaults applied)\n */\nexport type PublicAuthOptions = z.infer<typeof publicAuthOptionsSchema>;\nexport type PublicAuthOptionsInput = z.input<typeof publicAuthOptionsSchema>;\n\n/**\n * Transparent mode options (output type with defaults applied)\n */\nexport type TransparentAuthOptions = z.infer<typeof transparentAuthOptionsSchema>;\nexport type TransparentAuthOptionsInput = z.input<typeof transparentAuthOptionsSchema>;\n\n/**\n * Orchestrated local mode options\n */\nexport type OrchestratedLocalOptions = z.infer<typeof orchestratedLocalSchema>;\nexport type OrchestratedLocalOptionsInput = z.input<typeof orchestratedLocalSchema>;\n\n/**\n * Orchestrated remote mode options\n */\nexport type OrchestratedRemoteOptions = z.infer<typeof orchestratedRemoteSchema>;\nexport type OrchestratedRemoteOptionsInput = z.input<typeof orchestratedRemoteSchema>;\n\n/**\n * Orchestrated mode options (union of local and remote)\n */\nexport type OrchestratedAuthOptions = z.infer<typeof orchestratedAuthOptionsSchema>;\nexport type OrchestratedAuthOptionsInput = z.input<typeof orchestratedAuthOptionsSchema>;\n\n/**\n * Auth options (output type with defaults applied)\n * Use this type when working with parsed/validated options\n */\nexport type AuthOptions = z.infer<typeof authOptionsSchema>;\n\n/**\n * Auth options input (input type for user configuration)\n * Use this type for the @frontmcp configuration\n */\nexport type AuthOptionsInput = z.input<typeof authOptionsSchema>;\n\n/**\n * Authentication mode\n */\nexport type AuthMode = 'public' | 'transparent' | 'orchestrated';\n\n/**\n * Orchestrated type (local or remote)\n */\nexport type OrchestratedType = 'local' | 'remote';\n\n// ============================================\n// APP-LEVEL AUTH OPTIONS (with standalone)\n// ============================================\n\ntype StandaloneOption = {\n  /**\n   * If the provider is standalone, it will register an OAuth service provider\n   * on app's entry path. If not standalone, it will be registered as a child\n   * provider under the root provider.\n   * @default false\n   */\n  standalone?: boolean;\n\n  /**\n   * If the provider should be excluded from the parent provider's discovery.\n   * Used for standalone providers.\n   * @default false\n   */\n  excludeFromParent?: boolean;\n};\n\nconst standaloneOptionSchema = {\n  standalone: z.boolean().optional(),\n  excludeFromParent: z.boolean().optional(),\n} satisfies RawZodShape<StandaloneOption>;\n\nexport const appAuthOptionsSchema = z.union([\n  publicAuthOptionsSchema.extend(standaloneOptionSchema),\n  transparentAuthOptionsSchema.extend(standaloneOptionSchema),\n  orchestratedLocalSchema.extend(standaloneOptionSchema),\n  orchestratedRemoteSchema.extend(standaloneOptionSchema),\n]);\n\nexport type AppAuthOptions = z.infer<typeof appAuthOptionsSchema>;\nexport type AppAuthOptionsInput = z.input<typeof appAuthOptionsSchema>;\n\n// ============================================\n// HELPER FUNCTIONS\n// ============================================\n\n/**\n * Parse and validate auth options with defaults\n */\nexport function parseAuthOptions(input: AuthOptionsInput): AuthOptions {\n  return authOptionsSchema.parse(input);\n}\n\n/**\n * Check if options are public mode\n */\nexport function isPublicMode(options: AuthOptions | AuthOptionsInput): options is PublicAuthOptions {\n  return options.mode === 'public';\n}\n\n/**\n * Check if options are transparent mode\n */\nexport function isTransparentMode(options: AuthOptions | AuthOptionsInput): options is TransparentAuthOptions {\n  return options.mode === 'transparent';\n}\n\n/**\n * Check if options are orchestrated mode\n */\nexport function isOrchestratedMode(options: AuthOptions | AuthOptionsInput): options is OrchestratedAuthOptions {\n  return options.mode === 'orchestrated';\n}\n\n/**\n * Check if orchestrated options are local type\n */\nexport function isOrchestratedLocal(options: OrchestratedAuthOptions): options is OrchestratedLocalOptions {\n  return options.type === 'local';\n}\n\n/**\n * Check if orchestrated options are remote type\n */\nexport function isOrchestratedRemote(options: OrchestratedAuthOptions): options is OrchestratedRemoteOptions {\n  return options.type === 'remote';\n}\n\n/**\n * Check if options allow public/anonymous access\n */\nexport function allowsPublicAccess(options: AuthOptions): boolean {\n  if (options.mode === 'public') return true;\n  if (options.mode === 'transparent') return options.allowAnonymous;\n  if (options.mode === 'orchestrated') return options.allowDefaultPublic;\n  return false;\n}\n"]}
+{"version":3,"file":"auth.options.js","sourceRoot":"","sources":["../../../../../src/common/types/options/auth.options.ts"],"names":[],"mappings":";AAAA,uCAAuC;;;AAyuBvC,4CAEC;AAKD,oCAEC;AAKD,8CAEC;AAKD,gDAEC;AAKD,kDAEC;AAKD,oDAEC;AAKD,gDAKC;AAtxBD,6BAAwB;AACxB,kCAA6E;AAE7E,2FAA+F;AAE/F,+CAA+C;AAC/C,iBAAiB;AACjB,+CAA+C;AAE/C;;GAEG;AACU,QAAA,wBAAwB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC/C;;;OAGG;IACH,KAAK,EAAE,OAAC,CAAC,KAAK,CAAC,CAAC,OAAC,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC;IAEtE;;;OAGG;IACH,OAAO,EAAE,OAAC,CAAC,KAAK,CAAC,CAAC,OAAC,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC;IAExE;;;OAGG;IACH,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC;CAClC,CAAC,CAAC;AAEH;;GAEG;AACU,QAAA,wBAAwB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC/C;;;OAGG;IACH,OAAO,EAAE,gBAAS,CAAC,EAAE,CAAC,OAAC,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC,CAAC,QAAQ,EAAE;IAE1D;;;OAGG;IACH,IAAI,EAAE,0BAAmB,CAAC,QAAQ,EAAE;IAEpC;;;OAGG;IACH,MAAM,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CAC9B,CAAC,CAAC;AAEH;;GAEG;AACU,QAAA,0BAA0B,GAAG,OAAC,CAAC,MAAM,CAAC;IACjD;;;OAGG;IACH,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE;IAE1B;;OAEG;IACH,IAAI,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAE3B;;;OAGG;IACH,EAAE,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAEzB;;;OAGG;IACH,IAAI,EAAE,0BAAmB,CAAC,QAAQ,EAAE;IAEpC;;OAEG;IACH,OAAO,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAEpC;;OAEG;IACH,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAE/B;;OAEG;IACH,YAAY,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAEnC;;OAEG;IACH,MAAM,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IAEtC;;;OAGG;IACH,UAAU,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;IAEtC;;OAEG;IACH,YAAY,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAEzC;;OAEG;IACH,aAAa,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAE1C;;OAEG;IACH,oBAAoB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAEjD;;OAEG;IACH,gBAAgB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;CAC9C,CAAC,CAAC;AAEH;;GAEG;AACU,QAAA,wBAAwB,GAAG,OAAC,CAAC,kBAAkB,CAAC,MAAM,EAAE;IACnE,OAAC,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,OAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;IACvC,OAAC,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,OAAC,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,MAAM,EAAE,2CAAiB,EAAE,CAAC;CAClE,CAAC,CAAC;AAEH;;GAEG;AACU,QAAA,wBAAwB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC/C;;;OAGG;IACH,OAAO,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IAElC;;;OAGG;IACH,WAAW,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC;CACpC,CAAC,CAAC;AAEH;;GAEG;AACU,QAAA,wBAAwB,GAAG,OAAC,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,cAAc,CAAC,CAAC,CAAC;AAE9E;;;;;;;;GAQG;AACU,QAAA,mBAAmB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC1C;;;;OAIG;IACH,OAAO,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;IAEnC;;;OAGG;IACH,UAAU,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IAErC;;;OAGG;IACH,gBAAgB,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IAE3C;;;OAGG;IACH,cAAc,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IAEzC;;;OAGG;IACH,gBAAgB,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IAE3C;;OAEG;IACH,aAAa,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAEpC;;;OAGG;IACH,eAAe,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IAE1C;;;OAGG;IACH,aAAa,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IAE7C;;OAEG;IACH,oBAAoB,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;CACrD,CAAC,CAAC;AAEH;;;GAGG;AACU,QAAA,2BAA2B,GAAG,OAAC,CAAC,MAAM,CAAC;IAClD;;;;;OAKG;IACH,OAAO,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IAElC;;;;;OAKG;IACH,kBAAkB,EAAE,gCAAwB,CAAC,OAAO,CAAC,WAAW,CAAC;IAEjE;;;OAGG;IACH,SAAS,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IAEpC;;;OAGG;IACH,iBAAiB,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;CAC7C,CAAC,CAAC;AAEH,+CAA+C;AAC/C,gCAAgC;AAChC,sEAAsE;AACtE,0CAA0C;AAC1C,sBAAsB;AACtB,+CAA+C;AAE/C;;GAEG;AACU,QAAA,+BAA+B,GAAG,OAAC;KAC7C,MAAM,CAAC;IACN,OAAO,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;IACnC,KAAK,EAAE,2CAAiB,CAAC,QAAQ,EAAE;IACnC,YAAY,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC;CAC3D,CAAC;KACD,MAAM,CACL,CAAC,IAAI,EAAE,EAAE;IACP,IAAI,IAAI,CAAC,OAAO,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;QAChC,OAAO,KAAK,CAAC;IACf,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC,EACD;IACE,OAAO,EAAE,sEAAsE;IAC/E,IAAI,EAAE,CAAC,OAAO,CAAC;CAChB,CACF,CAAC;AAEJ;;GAEG;AACU,QAAA,qBAAqB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC5C,eAAe,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;IAC3C,iBAAiB,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IAC5C,oBAAoB,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IAC/C,mBAAmB,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;IAC/C,kBAAkB,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;IAC9C,2BAA2B,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IACtD,UAAU,EAAE,OAAC,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,uCAA+B,CAAC,CAAC,QAAQ,EAAE;CACrE,CAAC,CAAC;AAEH,+CAA+C;AAC/C,cAAc;AACd,+CAA+C;AAC/C,+CAA+C;AAElC,QAAA,uBAAuB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC9C,IAAI,EAAE,OAAC,CAAC,OAAO,CAAC,QAAQ,CAAC;IAEzB;;;OAGG;IACH,MAAM,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAE7B;;;OAGG;IACH,UAAU,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IAEpC;;;OAGG;IACH,eAAe,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,WAAW,CAAC,CAAC;IAE3D;;OAEG;IACH,YAAY,EAAE,gCAAwB,CAAC,QAAQ,EAAE;IAEjD;;;OAGG;IACH,IAAI,EAAE,0BAAmB,CAAC,QAAQ,EAAE;IAEpC;;;OAGG;IACH,OAAO,EAAE,gBAAS,CAAC,EAAE,CAAC,OAAC,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC,CAAC,QAAQ,EAAE;IAE1D;;OAEG;IACH,SAAS,EAAE,6BAAqB,CAAC,QAAQ,EAAE;CAC5C,CAAC,CAAC;AAEH,+CAA+C;AAC/C,mBAAmB;AACnB,iDAAiD;AACjD,+CAA+C;AAElC,QAAA,4BAA4B,GAAG,OAAC,CAAC,MAAM,CAAC;IACnD,IAAI,EAAE,OAAC,CAAC,OAAO,CAAC,aAAa,CAAC;IAE9B;;OAEG;IACH,MAAM,EAAE,kCAA0B;IAElC;;;OAGG;IACH,gBAAgB,EAAE,OAAC,CAAC,KAAK,CAAC,CAAC,OAAC,CAAC,MAAM,EAAE,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE;IAEvE;;;;OAIG;IACH,cAAc,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC;IAE/C;;;OAGG;IACH,cAAc,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;IAE1C;;;OAGG;IACH,eAAe,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,WAAW,CAAC,CAAC;IAE3D;;OAEG;IACH,YAAY,EAAE,gCAAwB,CAAC,QAAQ,EAAE;IAEjD;;OAEG;IACH,SAAS,EAAE,6BAAqB,CAAC,QAAQ,EAAE;CAC5C,CAAC,CAAC;AAEH,+CAA+C;AAC/C,oBAAoB;AACpB,+DAA+D;AAC/D,+CAA+C;AAE/C;;GAEG;AACU,QAAA,uBAAuB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC9C,IAAI,EAAE,OAAC,CAAC,OAAO,CAAC,cAAc,CAAC;IAC/B,IAAI,EAAE,OAAC,CAAC,OAAO,CAAC,OAAO,CAAC;IAExB;;OAEG;IACH,KAAK,EAAE,gCAAwB,CAAC,QAAQ,EAAE;IAE1C;;;OAGG;IACH,YAAY,EAAE,gCAAwB,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC;IAElE;;;;;OAKG;IACH,WAAW,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC;IAElE;;;;;OAKG;IACH,kBAAkB,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;IAE9C;;;OAGG;IACH,eAAe,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,WAAW,CAAC,CAAC;IAE3D;;OAEG;IACH,YAAY,EAAE,gCAAwB,CAAC,QAAQ,EAAE;IAEjD;;;;OAIG;IACH,OAAO,EAAE,2BAAmB,CAAC,QAAQ,EAAE;IAEvC;;OAEG;IACH,OAAO,EAAE,gCAAwB,CAAC,QAAQ,EAAE;IAE5C;;OAEG;IACH,gBAAgB,EAAE,OAAC,CAAC,KAAK,CAAC,CAAC,OAAC,CAAC,MAAM,EAAE,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE;IAEvE;;;;OAIG;IACH,eAAe,EAAE,mCAA2B,CAAC,QAAQ,EAAE;IAEvD;;OAEG;IACH,SAAS,EAAE,6BAAqB,CAAC,QAAQ,EAAE;CAC5C,CAAC,CAAC;AAEH;;GAEG;AACU,QAAA,wBAAwB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC/C,IAAI,EAAE,OAAC,CAAC,OAAO,CAAC,cAAc,CAAC;IAC/B,IAAI,EAAE,OAAC,CAAC,OAAO,CAAC,QAAQ,CAAC;IAEzB;;OAEG;IACH,MAAM,EAAE,kCAA0B;IAElC;;OAEG;IACH,KAAK,EAAE,gCAAwB,CAAC,QAAQ,EAAE;IAE1C;;;OAGG;IACH,YAAY,EAAE,gCAAwB,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC;IAElE;;;;;OAKG;IACH,WAAW,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC;IAElE;;;;;OAKG;IACH,kBAAkB,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;IAE9C;;;OAGG;IACH,eAAe,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,WAAW,CAAC,CAAC;IAE3D;;OAEG;IACH,YAAY,EAAE,gCAAwB,CAAC,QAAQ,EAAE;IAEjD;;;;OAIG;IACH,OAAO,EAAE,2BAAmB,CAAC,QAAQ,EAAE;IAEvC;;OAEG;IACH,OAAO,EAAE,gCAAwB,CAAC,QAAQ,EAAE;IAE5C;;OAEG;IACH,gBAAgB,EAAE,OAAC,CAAC,KAAK,CAAC,CAAC,OAAC,CAAC,MAAM,EAAE,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE;IAEvE;;;;OAIG;IACH,eAAe,EAAE,mCAA2B,CAAC,QAAQ,EAAE;IAEvD;;OAEG;IACH,SAAS,EAAE,6BAAqB,CAAC,QAAQ,EAAE;CAC5C,CAAC,CAAC;AAEH,+BAA+B;AAClB,QAAA,6BAA6B,GAAG,OAAC,CAAC,kBAAkB,CAAC,MAAM,EAAE;IACxE,+BAAuB;IACvB,gCAAwB;CACzB,CAAC,CAAC;AAEH,+CAA+C;AAC/C,uBAAuB;AACvB,+CAA+C;AAE/C;;;;GAIG;AACU,QAAA,iBAAiB,GAAG,OAAC,CAAC,KAAK,CAAC;IACvC,+BAAuB;IACvB,oCAA4B;IAC5B,+BAAuB;IACvB,gCAAwB;CACzB,CAAC,CAAC;AAgJH,MAAM,sBAAsB,GAAG;IAC7B,UAAU,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IAClC,iBAAiB,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;CACF,CAAC;AAE7B,QAAA,oBAAoB,GAAG,OAAC,CAAC,KAAK,CAAC;IAC1C,+BAAuB,CAAC,MAAM,CAAC,sBAAsB,CAAC;IACtD,oCAA4B,CAAC,MAAM,CAAC,sBAAsB,CAAC;IAC3D,+BAAuB,CAAC,MAAM,CAAC,sBAAsB,CAAC;IACtD,gCAAwB,CAAC,MAAM,CAAC,sBAAsB,CAAC;CACxD,CAAC,CAAC;AAKH,+CAA+C;AAC/C,mBAAmB;AACnB,+CAA+C;AAE/C;;GAEG;AACH,SAAgB,gBAAgB,CAAC,KAAuB;IACtD,OAAO,yBAAiB,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;AACxC,CAAC;AAED;;GAEG;AACH,SAAgB,YAAY,CAAC,OAAuC;IAClE,OAAO,OAAO,CAAC,IAAI,KAAK,QAAQ,CAAC;AACnC,CAAC;AAED;;GAEG;AACH,SAAgB,iBAAiB,CAAC,OAAuC;IACvE,OAAO,OAAO,CAAC,IAAI,KAAK,aAAa,CAAC;AACxC,CAAC;AAED;;GAEG;AACH,SAAgB,kBAAkB,CAAC,OAAuC;IACxE,OAAO,OAAO,CAAC,IAAI,KAAK,cAAc,CAAC;AACzC,CAAC;AAED;;GAEG;AACH,SAAgB,mBAAmB,CAAC,OAAgC;IAClE,OAAO,OAAO,CAAC,IAAI,KAAK,OAAO,CAAC;AAClC,CAAC;AAED;;GAEG;AACH,SAAgB,oBAAoB,CAAC,OAAgC;IACnE,OAAO,OAAO,CAAC,IAAI,KAAK,QAAQ,CAAC;AACnC,CAAC;AAED;;GAEG;AACH,SAAgB,kBAAkB,CAAC,OAAoB;IACrD,IAAI,OAAO,CAAC,IAAI,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IAC3C,IAAI,OAAO,CAAC,IAAI,KAAK,aAAa;QAAE,OAAO,OAAO,CAAC,cAAc,CAAC;IAClE,IAAI,OAAO,CAAC,IAAI,KAAK,cAAc;QAAE,OAAO,OAAO,CAAC,kBAAkB,CAAC;IACvE,OAAO,KAAK,CAAC;AACf,CAAC","sourcesContent":["// common/types/options/auth.options.ts\n\nimport { z } from 'zod';\nimport { JSONWebKeySet, jsonWebKeySetSchema, JWK, jwkSchema } from '../auth';\nimport { RawZodShape } from '../common.types';\nimport { RedisConfig, redisConfigSchema } from '../../../auth/session/transport-session.types';\n\n// ============================================\n// SHARED SCHEMAS\n// ============================================\n\n/**\n * Public access configuration for tools/prompts\n */\nexport const publicAccessConfigSchema = z.object({\n  /**\n   * Allow all tools or explicit whitelist\n   * @default 'all'\n   */\n  tools: z.union([z.literal('all'), z.array(z.string())]).default('all'),\n\n  /**\n   * Allow all prompts or explicit whitelist\n   * @default 'all'\n   */\n  prompts: z.union([z.literal('all'), z.array(z.string())]).default('all'),\n\n  /**\n   * Rate limit per IP per minute\n   * @default 60\n   */\n  rateLimit: z.number().default(60),\n});\n\n/**\n * Local signing configuration (for orchestrated local type)\n */\nexport const localSigningConfigSchema = z.object({\n  /**\n   * Private key for signing orchestrated tokens\n   * @default auto-generated\n   */\n  signKey: jwkSchema.or(z.instanceof(Uint8Array)).optional(),\n\n  /**\n   * JWKS for token verification\n   * @default auto-generated\n   */\n  jwks: jsonWebKeySetSchema.optional(),\n\n  /**\n   * Issuer identifier for orchestrated tokens\n   * @default auto-derived from server URL\n   */\n  issuer: z.string().optional(),\n});\n\n/**\n * Remote OAuth provider configuration (for orchestrated remote and transparent)\n */\nexport const remoteProviderConfigSchema = z.object({\n  /**\n   * OAuth provider base URL\n   * @example 'https://auth.example.com'\n   */\n  provider: z.string().url(),\n\n  /**\n   * Provider display name\n   */\n  name: z.string().optional(),\n\n  /**\n   * Unique identifier for this provider\n   * @default derived from provider URL\n   */\n  id: z.string().optional(),\n\n  /**\n   * Inline JWKS for offline token verification\n   * Falls back to fetching from provider's /.well-known/jwks.json\n   */\n  jwks: jsonWebKeySetSchema.optional(),\n\n  /**\n   * Custom JWKS URI if not at standard path\n   */\n  jwksUri: z.string().url().optional(),\n\n  /**\n   * Client ID for this MCP server (for orchestrated mode)\n   */\n  clientId: z.string().optional(),\n\n  /**\n   * Client secret (for confidential clients in orchestrated mode)\n   */\n  clientSecret: z.string().optional(),\n\n  /**\n   * Scopes to request from the upstream provider\n   */\n  scopes: z.array(z.string()).optional(),\n\n  /**\n   * Enable Dynamic Client Registration (DCR)\n   * @default false\n   */\n  dcrEnabled: z.boolean().default(false),\n\n  /**\n   * Authorization endpoint override\n   */\n  authEndpoint: z.string().url().optional(),\n\n  /**\n   * Token endpoint override\n   */\n  tokenEndpoint: z.string().url().optional(),\n\n  /**\n   * Registration endpoint override (for DCR)\n   */\n  registrationEndpoint: z.string().url().optional(),\n\n  /**\n   * User info endpoint override\n   */\n  userInfoEndpoint: z.string().url().optional(),\n});\n\n/**\n * Token storage configuration for orchestrated mode\n */\nexport const tokenStorageConfigSchema = z.discriminatedUnion('type', [\n  z.object({ type: z.literal('memory') }),\n  z.object({ type: z.literal('redis'), config: redisConfigSchema }),\n]);\n\n/**\n * Token refresh configuration\n */\nexport const tokenRefreshConfigSchema = z.object({\n  /**\n   * Enable automatic token refresh\n   * @default true\n   */\n  enabled: z.boolean().default(true),\n\n  /**\n   * Refresh token before expiry by this many seconds\n   * @default 60\n   */\n  skewSeconds: z.number().default(60),\n});\n\n/**\n * Behavior when a tool from a skipped (not yet authorized) app is called\n */\nexport const skippedAppBehaviorSchema = z.enum(['anonymous', 'require-auth']);\n\n/**\n * Consent configuration for tool selection\n * Allows users to choose which MCP tools to expose to the LLM\n *\n * Note: This schema is the canonical definition. It is duplicated in\n * auth/consent/consent.types.ts for domain-specific use. Both schemas\n * MUST be kept in sync. The duplication exists to avoid circular\n * dependencies between common/ and auth/ modules.\n */\nexport const consentConfigSchema = z.object({\n  /**\n   * Enable consent flow for tool selection\n   * When enabled, users can choose which tools to expose to the LLM\n   * @default false\n   */\n  enabled: z.boolean().default(false),\n\n  /**\n   * Group tools by app in the consent UI\n   * @default true\n   */\n  groupByApp: z.boolean().default(true),\n\n  /**\n   * Show tool descriptions in consent UI\n   * @default true\n   */\n  showDescriptions: z.boolean().default(true),\n\n  /**\n   * Allow selecting all tools at once\n   * @default true\n   */\n  allowSelectAll: z.boolean().default(true),\n\n  /**\n   * Require at least one tool to be selected\n   * @default true\n   */\n  requireSelection: z.boolean().default(true),\n\n  /**\n   * Custom message to display on consent page\n   */\n  customMessage: z.string().optional(),\n\n  /**\n   * Remember consent for future sessions\n   * @default true\n   */\n  rememberConsent: z.boolean().default(true),\n\n  /**\n   * Tools to exclude from consent (always available)\n   * Useful for essential tools that should always be accessible\n   */\n  excludedTools: z.array(z.string()).optional(),\n\n  /**\n   * Tools to always include in consent (pre-selected)\n   */\n  defaultSelectedTools: z.array(z.string()).optional(),\n});\n\n/**\n * Progressive/Incremental authorization configuration\n * Allows users to authorize apps one at a time after initial auth\n */\nexport const incrementalAuthConfigSchema = z.object({\n  /**\n   * Enable incremental (progressive) authorization\n   * When enabled, users can skip app authorizations during initial auth\n   * and authorize individual apps later when needed\n   * @default true\n   */\n  enabled: z.boolean().default(true),\n\n  /**\n   * Behavior when a tool from a skipped app is called\n   * - 'anonymous': If app supports anonymous access, use it; otherwise require auth\n   * - 'require-auth': Always require authorization (return auth_url)\n   * @default 'anonymous'\n   */\n  skippedAppBehavior: skippedAppBehaviorSchema.default('anonymous'),\n\n  /**\n   * Allow users to skip app authorization during initial auth flow\n   * @default true\n   */\n  allowSkip: z.boolean().default(true),\n\n  /**\n   * Show all apps in a single authorization page (vs step-by-step)\n   * @default true\n   */\n  showAllAppsAtOnce: z.boolean().default(true),\n});\n\n// ============================================\n// TRANSPORT CONFIG (DEPRECATED)\n// These schemas are kept for backward compatibility during migration.\n// Use top-level transport config instead.\n// DELETE after v1.0.0\n// ============================================\n\n/**\n * @deprecated Use top-level transport config instead. This will be removed in v1.0.0.\n */\nexport const transportRecreationConfigSchema = z\n  .object({\n    enabled: z.boolean().default(false),\n    redis: redisConfigSchema.optional(),\n    defaultTtlMs: z.number().int().positive().default(3600000),\n  })\n  .refine(\n    (data) => {\n      if (data.enabled && !data.redis) {\n        return false;\n      }\n      return true;\n    },\n    {\n      message: 'Redis configuration is required when transport recreation is enabled',\n      path: ['redis'],\n    },\n  );\n\n/**\n * @deprecated Use top-level transport config instead. This will be removed in v1.0.0.\n */\nexport const transportConfigSchema = z.object({\n  enableLegacySSE: z.boolean().default(false),\n  enableSseListener: z.boolean().default(true),\n  enableStreamableHttp: z.boolean().default(true),\n  enableStatelessHttp: z.boolean().default(false),\n  enableStatefulHttp: z.boolean().default(false),\n  requireSessionForStreamable: z.boolean().default(true),\n  recreation: z.lazy(() => transportRecreationConfigSchema).optional(),\n});\n\n// ============================================\n// PUBLIC MODE\n// No authentication required, anonymous access\n// ============================================\n\nexport const publicAuthOptionsSchema = z.object({\n  mode: z.literal('public'),\n\n  /**\n   * Issuer identifier for anonymous JWTs\n   * @default auto-derived from server URL\n   */\n  issuer: z.string().optional(),\n\n  /**\n   * Anonymous session TTL in seconds\n   * @default 3600 (1 hour)\n   */\n  sessionTtl: z.number().default(3600),\n\n  /**\n   * Scopes granted to anonymous sessions\n   * @default ['anonymous']\n   */\n  anonymousScopes: z.array(z.string()).default(['anonymous']),\n\n  /**\n   * Tool/prompt access configuration for anonymous users\n   */\n  publicAccess: publicAccessConfigSchema.optional(),\n\n  /**\n   * JWKS for token verification\n   * @default auto-generated\n   */\n  jwks: jsonWebKeySetSchema.optional(),\n\n  /**\n   * Private key for signing anonymous tokens\n   * @default auto-generated\n   */\n  signKey: jwkSchema.or(z.instanceof(Uint8Array)).optional(),\n\n  /**\n   * @deprecated Use top-level transport config instead. Kept for backward compatibility.\n   */\n  transport: transportConfigSchema.optional(),\n});\n\n// ============================================\n// TRANSPARENT MODE\n// Pass-through OAuth tokens from remote provider\n// ============================================\n\nexport const transparentAuthOptionsSchema = z.object({\n  mode: z.literal('transparent'),\n\n  /**\n   * Remote OAuth provider configuration (required)\n   */\n  remote: remoteProviderConfigSchema,\n\n  /**\n   * Expected token audience\n   * If not set, defaults to the resource URL\n   */\n  expectedAudience: z.union([z.string(), z.array(z.string())]).optional(),\n\n  /**\n   * Required scopes for access\n   * Empty array means any valid token is accepted\n   * @default []\n   */\n  requiredScopes: z.array(z.string()).default([]),\n\n  /**\n   * Allow anonymous fallback when no token is provided\n   * @default false\n   */\n  allowAnonymous: z.boolean().default(false),\n\n  /**\n   * Scopes granted to anonymous sessions (when allowAnonymous=true)\n   * @default ['anonymous']\n   */\n  anonymousScopes: z.array(z.string()).default(['anonymous']),\n\n  /**\n   * Public access config for anonymous users (when allowAnonymous=true)\n   */\n  publicAccess: publicAccessConfigSchema.optional(),\n\n  /**\n   * @deprecated Use top-level transport config instead. Kept for backward compatibility.\n   */\n  transport: transportConfigSchema.optional(),\n});\n\n// ============================================\n// ORCHESTRATED MODE\n// Local auth server that can proxy to remote or be fully local\n// ============================================\n\n/**\n * Orchestrated mode with local authentication only\n */\nexport const orchestratedLocalSchema = z.object({\n  mode: z.literal('orchestrated'),\n  type: z.literal('local'),\n\n  /**\n   * Local signing configuration\n   */\n  local: localSigningConfigSchema.optional(),\n\n  /**\n   * Token storage configuration\n   * @default { type: 'memory' }\n   */\n  tokenStorage: tokenStorageConfigSchema.default({ type: 'memory' }),\n\n  /**\n   * Session storage mode\n   * - 'stateful': Store sessions in Redis/memory, JWT contains only reference\n   * - 'stateless': All state encrypted in JWT\n   * @default 'stateful'\n   */\n  sessionMode: z.enum(['stateful', 'stateless']).default('stateful'),\n\n  /**\n   * Allow default public access for unauthenticated requests\n   * When true: all tools are public by default, only tools marked with scopes require auth\n   * When false: all tools require authentication by default\n   * @default false\n   */\n  allowDefaultPublic: z.boolean().default(false),\n\n  /**\n   * Scopes granted to anonymous sessions (when allowDefaultPublic=true)\n   * @default ['anonymous']\n   */\n  anonymousScopes: z.array(z.string()).default(['anonymous']),\n\n  /**\n   * Public access config (when allowDefaultPublic=true)\n   */\n  publicAccess: publicAccessConfigSchema.optional(),\n\n  /**\n   * Consent flow configuration for tool selection\n   * Allows users to choose which MCP tools to expose to the LLM\n   * @default { enabled: false }\n   */\n  consent: consentConfigSchema.optional(),\n\n  /**\n   * Token refresh settings\n   */\n  refresh: tokenRefreshConfigSchema.optional(),\n\n  /**\n   * Expected token audience for validation\n   */\n  expectedAudience: z.union([z.string(), z.array(z.string())]).optional(),\n\n  /**\n   * Incremental (progressive) authorization configuration\n   * Allows users to skip app authorizations initially and authorize later\n   * @default { enabled: true, skippedAppBehavior: 'anonymous' }\n   */\n  incrementalAuth: incrementalAuthConfigSchema.optional(),\n\n  /**\n   * @deprecated Use top-level transport config instead. Kept for backward compatibility.\n   */\n  transport: transportConfigSchema.optional(),\n});\n\n/**\n * Orchestrated mode with remote OAuth provider\n */\nexport const orchestratedRemoteSchema = z.object({\n  mode: z.literal('orchestrated'),\n  type: z.literal('remote'),\n\n  /**\n   * Remote OAuth provider configuration (required for remote type)\n   */\n  remote: remoteProviderConfigSchema,\n\n  /**\n   * Local signing configuration (for issuing local tokens after upstream auth)\n   */\n  local: localSigningConfigSchema.optional(),\n\n  /**\n   * Token storage configuration\n   * @default { type: 'memory' }\n   */\n  tokenStorage: tokenStorageConfigSchema.default({ type: 'memory' }),\n\n  /**\n   * Session storage mode\n   * - 'stateful': Store sessions in Redis/memory, JWT contains only reference\n   * - 'stateless': All state encrypted in JWT\n   * @default 'stateful'\n   */\n  sessionMode: z.enum(['stateful', 'stateless']).default('stateful'),\n\n  /**\n   * Allow default public access for unauthenticated requests\n   * When true: all tools are public by default, only tools marked with scopes require auth\n   * When false: all tools require authentication by default\n   * @default false\n   */\n  allowDefaultPublic: z.boolean().default(false),\n\n  /**\n   * Scopes granted to anonymous sessions (when allowDefaultPublic=true)\n   * @default ['anonymous']\n   */\n  anonymousScopes: z.array(z.string()).default(['anonymous']),\n\n  /**\n   * Public access config (when allowDefaultPublic=true)\n   */\n  publicAccess: publicAccessConfigSchema.optional(),\n\n  /**\n   * Consent flow configuration for tool selection\n   * Allows users to choose which MCP tools to expose to the LLM\n   * @default { enabled: false }\n   */\n  consent: consentConfigSchema.optional(),\n\n  /**\n   * Token refresh settings\n   */\n  refresh: tokenRefreshConfigSchema.optional(),\n\n  /**\n   * Expected token audience for validation\n   */\n  expectedAudience: z.union([z.string(), z.array(z.string())]).optional(),\n\n  /**\n   * Incremental (progressive) authorization configuration\n   * Allows users to skip app authorizations initially and authorize later\n   * @default { enabled: true, skippedAppBehavior: 'anonymous' }\n   */\n  incrementalAuth: incrementalAuthConfigSchema.optional(),\n\n  /**\n   * @deprecated Use top-level transport config instead. Kept for backward compatibility.\n   */\n  transport: transportConfigSchema.optional(),\n});\n\n// Combined orchestrated schema\nexport const orchestratedAuthOptionsSchema = z.discriminatedUnion('type', [\n  orchestratedLocalSchema,\n  orchestratedRemoteSchema,\n]);\n\n// ============================================\n// UNIFIED AUTH OPTIONS\n// ============================================\n\n/**\n * Main auth options schema - discriminated by 'mode'\n *\n * Uses z.union because we have nested discriminators (orchestrated has 'type')\n */\nexport const authOptionsSchema = z.union([\n  publicAuthOptionsSchema,\n  transparentAuthOptionsSchema,\n  orchestratedLocalSchema,\n  orchestratedRemoteSchema,\n]);\n\n// ============================================\n// TYPE EXPORTS\n// ============================================\n\n/**\n * Public access configuration\n */\nexport type PublicAccessConfig = z.infer<typeof publicAccessConfigSchema>;\nexport type PublicAccessConfigInput = z.input<typeof publicAccessConfigSchema>;\n\n/**\n * Local signing configuration\n */\nexport type LocalSigningConfig = z.infer<typeof localSigningConfigSchema>;\nexport type LocalSigningConfigInput = z.input<typeof localSigningConfigSchema>;\n\n/**\n * Remote provider configuration\n */\nexport type RemoteProviderConfig = z.infer<typeof remoteProviderConfigSchema>;\nexport type RemoteProviderConfigInput = z.input<typeof remoteProviderConfigSchema>;\n\n/**\n * Token storage configuration\n */\nexport type TokenStorageConfig = z.infer<typeof tokenStorageConfigSchema>;\nexport type TokenStorageConfigInput = z.input<typeof tokenStorageConfigSchema>;\n\n/**\n * Token refresh configuration\n */\nexport type TokenRefreshConfig = z.infer<typeof tokenRefreshConfigSchema>;\nexport type TokenRefreshConfigInput = z.input<typeof tokenRefreshConfigSchema>;\n\n/**\n * Incremental (progressive) authorization configuration\n */\nexport type IncrementalAuthConfig = z.infer<typeof incrementalAuthConfigSchema>;\nexport type IncrementalAuthConfigInput = z.input<typeof incrementalAuthConfigSchema>;\n\n/**\n * Skipped app behavior type\n */\nexport type SkippedAppBehavior = z.infer<typeof skippedAppBehaviorSchema>;\n\n/**\n * Consent configuration for tool selection\n */\nexport type ConsentConfig = z.infer<typeof consentConfigSchema>;\nexport type ConsentConfigInput = z.input<typeof consentConfigSchema>;\n\n/**\n * @deprecated Use TransportOptions from transport.options.ts instead\n */\nexport type TransportConfig = z.infer<typeof transportConfigSchema>;\n/**\n * @deprecated Use TransportOptionsInput from transport.options.ts instead\n */\nexport type TransportConfigInput = z.input<typeof transportConfigSchema>;\n\n/**\n * @deprecated Use TransportPersistenceConfig from transport.options.ts instead\n */\nexport type TransportRecreationConfig = z.infer<typeof transportRecreationConfigSchema>;\n/**\n * @deprecated Use TransportPersistenceConfigInput from transport.options.ts instead\n */\nexport type TransportRecreationConfigInput = z.input<typeof transportRecreationConfigSchema>;\n\n/**\n * Public mode options (output type with defaults applied)\n */\nexport type PublicAuthOptions = z.infer<typeof publicAuthOptionsSchema>;\nexport type PublicAuthOptionsInput = z.input<typeof publicAuthOptionsSchema>;\n\n/**\n * Transparent mode options (output type with defaults applied)\n */\nexport type TransparentAuthOptions = z.infer<typeof transparentAuthOptionsSchema>;\nexport type TransparentAuthOptionsInput = z.input<typeof transparentAuthOptionsSchema>;\n\n/**\n * Orchestrated local mode options\n */\nexport type OrchestratedLocalOptions = z.infer<typeof orchestratedLocalSchema>;\nexport type OrchestratedLocalOptionsInput = z.input<typeof orchestratedLocalSchema>;\n\n/**\n * Orchestrated remote mode options\n */\nexport type OrchestratedRemoteOptions = z.infer<typeof orchestratedRemoteSchema>;\nexport type OrchestratedRemoteOptionsInput = z.input<typeof orchestratedRemoteSchema>;\n\n/**\n * Orchestrated mode options (union of local and remote)\n */\nexport type OrchestratedAuthOptions = z.infer<typeof orchestratedAuthOptionsSchema>;\nexport type OrchestratedAuthOptionsInput = z.input<typeof orchestratedAuthOptionsSchema>;\n\n/**\n * Auth options (output type with defaults applied)\n * Use this type when working with parsed/validated options\n */\nexport type AuthOptions = z.infer<typeof authOptionsSchema>;\n\n/**\n * Auth options input (input type for user configuration)\n * Use this type for the @frontmcp configuration\n */\nexport type AuthOptionsInput = z.input<typeof authOptionsSchema>;\n\n/**\n * Authentication mode\n */\nexport type AuthMode = 'public' | 'transparent' | 'orchestrated';\n\n/**\n * Orchestrated type (local or remote)\n */\nexport type OrchestratedType = 'local' | 'remote';\n\n// ============================================\n// APP-LEVEL AUTH OPTIONS (with standalone)\n// ============================================\n\ntype StandaloneOption = {\n  /**\n   * If the provider is standalone, it will register an OAuth service provider\n   * on app's entry path. If not standalone, it will be registered as a child\n   * provider under the root provider.\n   * @default false\n   */\n  standalone?: boolean;\n\n  /**\n   * If the provider should be excluded from the parent provider's discovery.\n   * Used for standalone providers.\n   * @default false\n   */\n  excludeFromParent?: boolean;\n};\n\nconst standaloneOptionSchema = {\n  standalone: z.boolean().optional(),\n  excludeFromParent: z.boolean().optional(),\n} satisfies RawZodShape<StandaloneOption>;\n\nexport const appAuthOptionsSchema = z.union([\n  publicAuthOptionsSchema.extend(standaloneOptionSchema),\n  transparentAuthOptionsSchema.extend(standaloneOptionSchema),\n  orchestratedLocalSchema.extend(standaloneOptionSchema),\n  orchestratedRemoteSchema.extend(standaloneOptionSchema),\n]);\n\nexport type AppAuthOptions = z.infer<typeof appAuthOptionsSchema>;\nexport type AppAuthOptionsInput = z.input<typeof appAuthOptionsSchema>;\n\n// ============================================\n// HELPER FUNCTIONS\n// ============================================\n\n/**\n * Parse and validate auth options with defaults\n */\nexport function parseAuthOptions(input: AuthOptionsInput): AuthOptions {\n  return authOptionsSchema.parse(input);\n}\n\n/**\n * Check if options are public mode\n */\nexport function isPublicMode(options: AuthOptions | AuthOptionsInput): options is PublicAuthOptions {\n  return options.mode === 'public';\n}\n\n/**\n * Check if options are transparent mode\n */\nexport function isTransparentMode(options: AuthOptions | AuthOptionsInput): options is TransparentAuthOptions {\n  return options.mode === 'transparent';\n}\n\n/**\n * Check if options are orchestrated mode\n */\nexport function isOrchestratedMode(options: AuthOptions | AuthOptionsInput): options is OrchestratedAuthOptions {\n  return options.mode === 'orchestrated';\n}\n\n/**\n * Check if orchestrated options are local type\n */\nexport function isOrchestratedLocal(options: OrchestratedAuthOptions): options is OrchestratedLocalOptions {\n  return options.type === 'local';\n}\n\n/**\n * Check if orchestrated options are remote type\n */\nexport function isOrchestratedRemote(options: OrchestratedAuthOptions): options is OrchestratedRemoteOptions {\n  return options.type === 'remote';\n}\n\n/**\n * Check if options allow public/anonymous access\n */\nexport function allowsPublicAccess(options: AuthOptions): boolean {\n  if (options.mode === 'public') return true;\n  if (options.mode === 'transparent') return options.allowAnonymous;\n  if (options.mode === 'orchestrated') return options.allowDefaultPublic;\n  return false;\n}\n"]}

package/src/common/types/options/index.d.ts

@@ -3,3 +3,5 @@ export * from './session.options';
 export * from './http.options';
 export * from './auth.options';
 export * from './logging.options';
+export * from './redis.options';
+export * from './transport.options';

package/src/common/types/options/index.js

@@ -6,4 +6,6 @@ tslib_1.__exportStar(require("./session.options"), exports);
 tslib_1.__exportStar(require("./http.options"), exports);
 tslib_1.__exportStar(require("./auth.options"), exports);
 tslib_1.__exportStar(require("./logging.options"), exports);
+tslib_1.__exportStar(require("./redis.options"), exports);
+tslib_1.__exportStar(require("./transport.options"), exports);
 //# sourceMappingURL=index.js.map

package/src/common/types/options/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../../src/common/types/options/index.ts"],"names":[],"mappings":";;;AAAA,gEAAsC;AACtC,4DAAkC;AAClC,yDAA+B;AAC/B,yDAA+B;AAC/B,4DAAkC","sourcesContent":["export * from './server-info.options';\nexport * from './session.options';\nexport * from './http.options';\nexport * from './auth.options';\nexport * from './logging.options';\n\n\n\n\n\n"]}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../../src/common/types/options/index.ts"],"names":[],"mappings":";;;AAAA,gEAAsC;AACtC,4DAAkC;AAClC,yDAA+B;AAC/B,yDAA+B;AAC/B,4DAAkC;AAClC,0DAAgC;AAChC,8DAAoC","sourcesContent":["export * from './server-info.options';\nexport * from './session.options';\nexport * from './http.options';\nexport * from './auth.options';\nexport * from './logging.options';\nexport * from './redis.options';\nexport * from './transport.options';\n"]}

package/src/common/types/options/redis.options.d.ts

@@ -0,0 +1,22 @@
+import { z } from 'zod';
+/**
+ * Shared Redis configuration
+ * Used by transport persistence and auth token storage
+ */
+export declare const redisOptionsSchema: z.ZodObject<{
+    host: z.ZodString;
+    port: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
+    password: z.ZodOptional<z.ZodString>;
+    db: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
+    tls: z.ZodDefault<z.ZodOptional<z.ZodBoolean>>;
+    keyPrefix: z.ZodDefault<z.ZodOptional<z.ZodString>>;
+    defaultTtlMs: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
+}, z.core.$strip>;
+/**
+ * Redis configuration type (with defaults applied)
+ */
+export type RedisOptions = z.infer<typeof redisOptionsSchema>;
+/**
+ * Redis configuration input type (for user configuration)
+ */
+export type RedisOptionsInput = z.input<typeof redisOptionsSchema>;

package/src/common/types/options/redis.options.js

@@ -0,0 +1,45 @@
+"use strict";
+// common/types/options/redis.options.ts
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.redisOptionsSchema = void 0;
+const zod_1 = require("zod");
+/**
+ * Shared Redis configuration
+ * Used by transport persistence and auth token storage
+ */
+exports.redisOptionsSchema = zod_1.z.object({
+    /**
+     * Redis host
+     */
+    host: zod_1.z.string().trim().min(1),
+    /**
+     * Redis port
+     * @default 6379
+     */
+    port: zod_1.z.number().int().positive().max(65535).optional().default(6379),
+    /**
+     * Redis password (optional)
+     */
+    password: zod_1.z.string().optional(),
+    /**
+     * Redis database number
+     * @default 0
+     */
+    db: zod_1.z.number().int().nonnegative().optional().default(0),
+    /**
+     * Enable TLS connection
+     * @default false
+     */
+    tls: zod_1.z.boolean().optional().default(false),
+    /**
+     * Key prefix for all Redis keys
+     * @default 'mcp:'
+     */
+    keyPrefix: zod_1.z.string().optional().default('mcp:'),
+    /**
+     * Default TTL in milliseconds for stored data
+     * @default 3600000 (1 hour)
+     */
+    defaultTtlMs: zod_1.z.number().int().positive().optional().default(3600000),
+});
+//# sourceMappingURL=redis.options.js.map

package/src/common/types/options/redis.options.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"redis.options.js","sourceRoot":"","sources":["../../../../../src/common/types/options/redis.options.ts"],"names":[],"mappings":";AAAA,wCAAwC;;;AAExC,6BAAwB;AAExB;;;GAGG;AACU,QAAA,kBAAkB,GAAG,OAAC,CAAC,MAAM,CAAC;IACzC;;OAEG;IACH,IAAI,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAE9B;;;OAGG;IACH,IAAI,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IAErE;;OAEG;IACH,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAE/B;;;OAGG;IACH,EAAE,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,WAAW,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC;IAExD;;;OAGG;IACH,GAAG,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;IAE1C;;;OAGG;IACH,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC;IAEhD;;;OAGG;IACH,YAAY,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC;CACtE,CAAC,CAAC","sourcesContent":["// common/types/options/redis.options.ts\n\nimport { z } from 'zod';\n\n/**\n * Shared Redis configuration\n * Used by transport persistence and auth token storage\n */\nexport const redisOptionsSchema = z.object({\n  /**\n   * Redis host\n   */\n  host: z.string().trim().min(1),\n\n  /**\n   * Redis port\n   * @default 6379\n   */\n  port: z.number().int().positive().max(65535).optional().default(6379),\n\n  /**\n   * Redis password (optional)\n   */\n  password: z.string().optional(),\n\n  /**\n   * Redis database number\n   * @default 0\n   */\n  db: z.number().int().nonnegative().optional().default(0),\n\n  /**\n   * Enable TLS connection\n   * @default false\n   */\n  tls: z.boolean().optional().default(false),\n\n  /**\n   * Key prefix for all Redis keys\n   * @default 'mcp:'\n   */\n  keyPrefix: z.string().optional().default('mcp:'),\n\n  /**\n   * Default TTL in milliseconds for stored data\n   * @default 3600000 (1 hour)\n   */\n  defaultTtlMs: z.number().int().positive().optional().default(3600000),\n});\n\n/**\n * Redis configuration type (with defaults applied)\n */\nexport type RedisOptions = z.infer<typeof redisOptionsSchema>;\n\n/**\n * Redis configuration input type (for user configuration)\n */\nexport type RedisOptionsInput = z.input<typeof redisOptionsSchema>;\n"]}

package/src/common/types/options/transport.options.d.ts

@@ -0,0 +1,84 @@
+import { z } from 'zod';
+import { SessionMode, TransportIdMode, PlatformMappingEntry, PlatformDetectionConfig, platformDetectionConfigSchema } from './session.options';
+export type { SessionMode, TransportIdMode, PlatformMappingEntry, PlatformDetectionConfig };
+/**
+ * Transport persistence configuration
+ * Enables session persistence to Redis and automatic transport recreation after server restart
+ */
+export declare const transportPersistenceConfigSchema: z.ZodObject<{
+    enabled: z.ZodDefault<z.ZodBoolean>;
+    redis: z.ZodOptional<z.ZodObject<{
+        host: z.ZodString;
+        port: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
+        password: z.ZodOptional<z.ZodString>;
+        db: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
+        tls: z.ZodDefault<z.ZodOptional<z.ZodBoolean>>;
+        keyPrefix: z.ZodDefault<z.ZodOptional<z.ZodString>>;
+        defaultTtlMs: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
+    }, z.core.$strip>>;
+    defaultTtlMs: z.ZodDefault<z.ZodNumber>;
+}, z.core.$strip>;
+/**
+ * Transport options schema
+ * Consolidates transport protocol config + session lifecycle config
+ */
+export declare const transportOptionsSchema: z.ZodObject<{
+    sessionMode: z.ZodDefault<z.ZodOptional<z.ZodUnion<readonly [z.ZodLiteral<"stateful">, z.ZodLiteral<"stateless">, z.ZodFunction<z.core.$ZodFunctionArgs, z.core.$ZodFunctionOut>]>>>;
+    transportIdMode: z.ZodDefault<z.ZodOptional<z.ZodUnion<readonly [z.ZodLiteral<"uuid">, z.ZodLiteral<"jwt">, z.ZodFunction<z.core.$ZodFunctionArgs, z.core.$ZodFunctionOut>]>>>;
+    platformDetection: z.ZodOptional<z.ZodObject<{
+        mappings: z.ZodOptional<z.ZodArray<z.ZodObject<{
+            pattern: z.ZodUnion<readonly [z.ZodString, z.ZodCustom<RegExp, RegExp>]>;
+            platform: z.ZodEnum<{
+                unknown: "unknown";
+                continue: "continue";
+                openai: "openai";
+                claude: "claude";
+                gemini: "gemini";
+                cursor: "cursor";
+                cody: "cody";
+                "generic-mcp": "generic-mcp";
+                "ext-apps": "ext-apps";
+            }>;
+        }, z.core.$strip>>>;
+        customOnly: z.ZodDefault<z.ZodOptional<z.ZodBoolean>>;
+    }, z.core.$strip>>;
+    enableLegacySSE: z.ZodDefault<z.ZodBoolean>;
+    enableSseListener: z.ZodDefault<z.ZodBoolean>;
+    enableStreamableHttp: z.ZodDefault<z.ZodBoolean>;
+    enableStatelessHttp: z.ZodDefault<z.ZodBoolean>;
+    enableStatefulHttp: z.ZodDefault<z.ZodBoolean>;
+    requireSessionForStreamable: z.ZodDefault<z.ZodBoolean>;
+    persistence: z.ZodOptional<z.ZodObject<{
+        enabled: z.ZodDefault<z.ZodBoolean>;
+        redis: z.ZodOptional<z.ZodObject<{
+            host: z.ZodString;
+            port: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
+            password: z.ZodOptional<z.ZodString>;
+            db: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
+            tls: z.ZodDefault<z.ZodOptional<z.ZodBoolean>>;
+            keyPrefix: z.ZodDefault<z.ZodOptional<z.ZodString>>;
+            defaultTtlMs: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
+        }, z.core.$strip>>;
+        defaultTtlMs: z.ZodDefault<z.ZodNumber>;
+    }, z.core.$strip>>;
+}, z.core.$strip>;
+/**
+ * Transport options type (with defaults applied)
+ */
+export type TransportOptions = z.infer<typeof transportOptionsSchema>;
+/**
+ * Transport options input type (for user configuration)
+ */
+export type TransportOptionsInput = z.input<typeof transportOptionsSchema>;
+/**
+ * Transport persistence configuration type
+ */
+export type TransportPersistenceConfig = z.infer<typeof transportPersistenceConfigSchema>;
+/**
+ * Transport persistence configuration input type
+ */
+export type TransportPersistenceConfigInput = z.input<typeof transportPersistenceConfigSchema>;
+/**
+ * Platform detection configuration type
+ */
+export type PlatformDetectionConfigType = z.infer<typeof platformDetectionConfigSchema>;

package/src/common/types/options/transport.options.js

@@ -0,0 +1,121 @@
+"use strict";
+// common/types/options/transport.options.ts
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.transportOptionsSchema = exports.transportPersistenceConfigSchema = void 0;
+const zod_1 = require("zod");
+const redis_options_1 = require("./redis.options");
+const session_options_1 = require("./session.options");
+// ============================================
+// TRANSPORT PERSISTENCE (from auth.transport.recreation)
+// ============================================
+/**
+ * Transport persistence configuration
+ * Enables session persistence to Redis and automatic transport recreation after server restart
+ */
+exports.transportPersistenceConfigSchema = zod_1.z.object({
+    /**
+     * Enable transport persistence to Redis
+     * When enabled, sessions are persisted to Redis and transports can be recreated after restart
+     * @default false
+     */
+    enabled: zod_1.z.boolean().default(false),
+    /**
+     * Redis configuration for session storage
+     * If omitted when enabled=true, uses top-level redis config
+     * Note: Validation for redis presence happens at runtime when persistence is used
+     */
+    redis: redis_options_1.redisOptionsSchema.optional(),
+    /**
+     * Default TTL for stored session metadata (milliseconds)
+     * @default 3600000 (1 hour)
+     */
+    defaultTtlMs: zod_1.z.number().int().positive().default(3600000),
+});
+// ============================================
+// TRANSPORT OPTIONS (unified config)
+// ============================================
+/**
+ * Transport options schema
+ * Consolidates transport protocol config + session lifecycle config
+ */
+exports.transportOptionsSchema = zod_1.z.object({
+    // ============================================
+    // Session Lifecycle (from session.options.ts)
+    // ============================================
+    /**
+     * Defines how the session lifecycle and nested tokens are managed.
+     *
+     * Modes:
+     * - `'stateful'`: Session and nested tokens are stored in a server-side store (e.g., Redis).
+     * - `'stateless'`: All session data (including nested tokens) is embedded within a signed/encrypted JWT.
+     *
+     * @default 'stateful'
+     */
+    sessionMode: zod_1.z
+        .union([zod_1.z.literal('stateful'), zod_1.z.literal('stateless'), zod_1.z.function()])
+        .optional()
+        .default('stateful'),
+    /**
+     * Defines how the Transport ID is generated, verified, and used across sessions.
+     *
+     * Modes:
+     * - `'uuid'`: Generates a random UUID per session.
+     * - `'jwt'`: Uses a signed JWT for stateless sessions, signed with a generated session key.
+     *
+     * @default 'uuid'
+     */
+    transportIdMode: zod_1.z
+        .union([zod_1.z.literal('uuid'), zod_1.z.literal('jwt'), zod_1.z.function()])
+        .optional()
+        .default('uuid'),
+    /**
+     * Configuration for detecting the AI platform from MCP client info.
+     * Allows custom mappings to override or supplement the default keyword-based detection.
+     */
+    platformDetection: session_options_1.platformDetectionConfigSchema.optional(),
+    // ============================================
+    // Transport Protocols (from auth.transport)
+    // ============================================
+    /**
+     * Enable legacy SSE transport (old HTTP+SSE protocol)
+     * @default false
+     */
+    enableLegacySSE: zod_1.z.boolean().default(false),
+    /**
+     * Enable SSE listener for server-initiated messages (GET /mcp with Accept: text/event-stream)
+     * @default true
+     */
+    enableSseListener: zod_1.z.boolean().default(true),
+    /**
+     * Enable streamable HTTP transport (POST with SSE response)
+     * @default true
+     */
+    enableStreamableHttp: zod_1.z.boolean().default(true),
+    /**
+     * Enable stateless HTTP mode (requests without session ID)
+     * When enabled, allows requests without prior initialize
+     * Uses shared singleton transport for anonymous, per-token singleton for authenticated
+     * @default false
+     */
+    enableStatelessHttp: zod_1.z.boolean().default(false),
+    /**
+     * Enable stateful HTTP transport (JSON-only responses)
+     * @default false
+     */
+    enableStatefulHttp: zod_1.z.boolean().default(false),
+    /**
+     * Require session ID for streamable HTTP (non-stateless mode)
+     * When false, streamable HTTP requests don't require prior initialize
+     * @default true
+     */
+    requireSessionForStreamable: zod_1.z.boolean().default(true),
+    // ============================================
+    // Transport Persistence
+    // ============================================
+    /**
+     * Transport persistence configuration
+     * When enabled, sessions are persisted to Redis and transports can be recreated after server restart
+     */
+    persistence: exports.transportPersistenceConfigSchema.optional(),
+});
+//# sourceMappingURL=transport.options.js.map

package/src/common/types/options/transport.options.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"transport.options.js","sourceRoot":"","sources":["../../../../../src/common/types/options/transport.options.ts"],"names":[],"mappings":";AAAA,4CAA4C;;;AAE5C,6BAAwB;AACxB,mDAAqD;AACrD,uDAO2B;AAK3B,+CAA+C;AAC/C,yDAAyD;AACzD,+CAA+C;AAE/C;;;GAGG;AACU,QAAA,gCAAgC,GAAG,OAAC,CAAC,MAAM,CAAC;IACvD;;;;OAIG;IACH,OAAO,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;IAEnC;;;;OAIG;IACH,KAAK,EAAE,kCAAkB,CAAC,QAAQ,EAAE;IAEpC;;;OAGG;IACH,YAAY,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC;CAC3D,CAAC,CAAC;AAEH,+CAA+C;AAC/C,qCAAqC;AACrC,+CAA+C;AAE/C;;;GAGG;AACU,QAAA,sBAAsB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC7C,+CAA+C;IAC/C,8CAA8C;IAC9C,+CAA+C;IAE/C;;;;;;;;OAQG;IACH,WAAW,EAAE,OAAC;SACX,KAAK,CAAC,CAAC,OAAC,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,OAAC,CAAC,OAAO,CAAC,WAAW,CAAC,EAAE,OAAC,CAAC,QAAQ,EAAE,CAAC,CAAC;SACpE,QAAQ,EAAE;SACV,OAAO,CAAC,UAAU,CAAC;IAEtB;;;;;;;;OAQG;IACH,eAAe,EAAE,OAAC;SACf,KAAK,CAAC,CAAC,OAAC,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,OAAC,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,OAAC,CAAC,QAAQ,EAAE,CAAC,CAAC;SAC1D,QAAQ,EAAE;SACV,OAAO,CAAC,MAAM,CAAC;IAElB;;;OAGG;IACH,iBAAiB,EAAE,+CAA6B,CAAC,QAAQ,EAAE;IAE3D,+CAA+C;IAC/C,4CAA4C;IAC5C,+CAA+C;IAE/C;;;OAGG;IACH,eAAe,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;IAE3C;;;OAGG;IACH,iBAAiB,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IAE5C;;;OAGG;IACH,oBAAoB,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IAE/C;;;;;OAKG;IACH,mBAAmB,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;IAE/C;;;OAGG;IACH,kBAAkB,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;IAE9C;;;;OAIG;IACH,2BAA2B,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IAEtD,+CAA+C;IAC/C,wBAAwB;IACxB,+CAA+C;IAE/C;;;OAGG;IACH,WAAW,EAAE,wCAAgC,CAAC,QAAQ,EAAE;CACzD,CAAC,CAAC","sourcesContent":["// common/types/options/transport.options.ts\n\nimport { z } from 'zod';\nimport { redisOptionsSchema } from './redis.options';\nimport {\n  SessionMode,\n  TransportIdMode,\n  PlatformMappingEntry,\n  PlatformDetectionConfig,\n  platformMappingEntrySchema,\n  platformDetectionConfigSchema,\n} from './session.options';\n\n// Re-export session types for convenience (these are the canonical definitions)\nexport type { SessionMode, TransportIdMode, PlatformMappingEntry, PlatformDetectionConfig };\n\n// ============================================\n// TRANSPORT PERSISTENCE (from auth.transport.recreation)\n// ============================================\n\n/**\n * Transport persistence configuration\n * Enables session persistence to Redis and automatic transport recreation after server restart\n */\nexport const transportPersistenceConfigSchema = z.object({\n  /**\n   * Enable transport persistence to Redis\n   * When enabled, sessions are persisted to Redis and transports can be recreated after restart\n   * @default false\n   */\n  enabled: z.boolean().default(false),\n\n  /**\n   * Redis configuration for session storage\n   * If omitted when enabled=true, uses top-level redis config\n   * Note: Validation for redis presence happens at runtime when persistence is used\n   */\n  redis: redisOptionsSchema.optional(),\n\n  /**\n   * Default TTL for stored session metadata (milliseconds)\n   * @default 3600000 (1 hour)\n   */\n  defaultTtlMs: z.number().int().positive().default(3600000),\n});\n\n// ============================================\n// TRANSPORT OPTIONS (unified config)\n// ============================================\n\n/**\n * Transport options schema\n * Consolidates transport protocol config + session lifecycle config\n */\nexport const transportOptionsSchema = z.object({\n  // ============================================\n  // Session Lifecycle (from session.options.ts)\n  // ============================================\n\n  /**\n   * Defines how the session lifecycle and nested tokens are managed.\n   *\n   * Modes:\n   * - `'stateful'`: Session and nested tokens are stored in a server-side store (e.g., Redis).\n   * - `'stateless'`: All session data (including nested tokens) is embedded within a signed/encrypted JWT.\n   *\n   * @default 'stateful'\n   */\n  sessionMode: z\n    .union([z.literal('stateful'), z.literal('stateless'), z.function()])\n    .optional()\n    .default('stateful'),\n\n  /**\n   * Defines how the Transport ID is generated, verified, and used across sessions.\n   *\n   * Modes:\n   * - `'uuid'`: Generates a random UUID per session.\n   * - `'jwt'`: Uses a signed JWT for stateless sessions, signed with a generated session key.\n   *\n   * @default 'uuid'\n   */\n  transportIdMode: z\n    .union([z.literal('uuid'), z.literal('jwt'), z.function()])\n    .optional()\n    .default('uuid'),\n\n  /**\n   * Configuration for detecting the AI platform from MCP client info.\n   * Allows custom mappings to override or supplement the default keyword-based detection.\n   */\n  platformDetection: platformDetectionConfigSchema.optional(),\n\n  // ============================================\n  // Transport Protocols (from auth.transport)\n  // ============================================\n\n  /**\n   * Enable legacy SSE transport (old HTTP+SSE protocol)\n   * @default false\n   */\n  enableLegacySSE: z.boolean().default(false),\n\n  /**\n   * Enable SSE listener for server-initiated messages (GET /mcp with Accept: text/event-stream)\n   * @default true\n   */\n  enableSseListener: z.boolean().default(true),\n\n  /**\n   * Enable streamable HTTP transport (POST with SSE response)\n   * @default true\n   */\n  enableStreamableHttp: z.boolean().default(true),\n\n  /**\n   * Enable stateless HTTP mode (requests without session ID)\n   * When enabled, allows requests without prior initialize\n   * Uses shared singleton transport for anonymous, per-token singleton for authenticated\n   * @default false\n   */\n  enableStatelessHttp: z.boolean().default(false),\n\n  /**\n   * Enable stateful HTTP transport (JSON-only responses)\n   * @default false\n   */\n  enableStatefulHttp: z.boolean().default(false),\n\n  /**\n   * Require session ID for streamable HTTP (non-stateless mode)\n   * When false, streamable HTTP requests don't require prior initialize\n   * @default true\n   */\n  requireSessionForStreamable: z.boolean().default(true),\n\n  // ============================================\n  // Transport Persistence\n  // ============================================\n\n  /**\n   * Transport persistence configuration\n   * When enabled, sessions are persisted to Redis and transports can be recreated after server restart\n   */\n  persistence: transportPersistenceConfigSchema.optional(),\n});\n\n// ============================================\n// TYPE EXPORTS\n// ============================================\n\n/**\n * Transport options type (with defaults applied)\n */\nexport type TransportOptions = z.infer<typeof transportOptionsSchema>;\n\n/**\n * Transport options input type (for user configuration)\n */\nexport type TransportOptionsInput = z.input<typeof transportOptionsSchema>;\n\n/**\n * Transport persistence configuration type\n */\nexport type TransportPersistenceConfig = z.infer<typeof transportPersistenceConfigSchema>;\n\n/**\n * Transport persistence configuration input type\n */\nexport type TransportPersistenceConfigInput = z.input<typeof transportPersistenceConfigSchema>;\n\n/**\n * Platform detection configuration type\n */\nexport type PlatformDetectionConfigType = z.infer<typeof platformDetectionConfigSchema>;\n"]}

package/src/completion/flows/complete.flow.d.ts

@@ -4,8 +4,15 @@ declare const inputSchema: z.ZodObject<{
     request: z.ZodObject<{
         method: z.ZodLiteral<"completion/complete">;
         params: z.ZodObject<{
+            task: z.ZodOptional<z.ZodObject<{
+                ttl: z.ZodOptional<z.ZodUnion<readonly [z.ZodNumber, z.ZodNull]>>;
+                pollInterval: z.ZodOptional<z.ZodNumber>;
+            }, z.core.$loose>>;
             _meta: z.ZodOptional<z.ZodObject<{
                 progressToken: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodNumber]>>;
+                "io.modelcontextprotocol/related-task": z.ZodOptional<z.ZodObject<{
+                    taskId: z.ZodString;
+                }, z.core.$loose>>;
             }, z.core.$loose>>;
             ref: z.ZodUnion<readonly [z.ZodObject<{
                 type: z.ZodLiteral<"ref/prompt">;
@@ -26,7 +33,11 @@ declare const inputSchema: z.ZodObject<{
     ctx: z.ZodUnknown;
 }, z.core.$strip>;
 declare const outputSchema: z.ZodObject<{
-    _meta: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+    _meta: z.ZodOptional<z.ZodObject<{
+        "io.modelcontextprotocol/related-task": z.ZodOptional<z.ZodObject<{
+            taskId: z.ZodString;
+        }, z.core.$loose>>;
+    }, z.core.$loose>>;
     completion: z.ZodObject<{
         values: z.ZodArray<z.ZodString>;
         total: z.ZodOptional<z.ZodNumber>;
@@ -46,7 +57,11 @@ declare const stateSchema: z.ZodObject<{
         value: z.ZodString;
     }, z.core.$strip>;
     output: z.ZodObject<{
-        _meta: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+        _meta: z.ZodOptional<z.ZodObject<{
+            "io.modelcontextprotocol/related-task": z.ZodOptional<z.ZodObject<{
+                taskId: z.ZodString;
+            }, z.core.$loose>>;
+        }, z.core.$loose>>;
         completion: z.ZodObject<{
             values: z.ZodArray<z.ZodString>;
             total: z.ZodOptional<z.ZodNumber>;

package/src/context/frontmcp-context-storage.d.ts

@@ -0,0 +1,94 @@
+/**
+ * FrontMcpContextStorage - AsyncLocalStorage wrapper for unified context
+ *
+ * Provides concurrent-safe context propagation using Node.js AsyncLocalStorage.
+ * Access through DI only - never use static imports to access the storage directly.
+ *
+ * @example
+ * ```typescript
+ * // In a flow or middleware
+ * const storage = this.get(FrontMcpContextStorage);
+ * await storage.runFromHeaders(request.headers, {
+ *   sessionId: sessionId,
+ *   scopeId: scope.id,
+ * }, async () => {
+ *   // All code here can access the context via DI
+ *   const ctx = this.get(FRONTMCP_CONTEXT);
+ * });
+ * ```
+ */
+import { FrontMcpContext, FrontMcpContextArgs } from './frontmcp-context';
+import { AuthInfo } from '@modelcontextprotocol/sdk/server/auth/types.js';
+/**
+ * FrontMcpContextStorage provides unified context via AsyncLocalStorage.
+ *
+ * This is a GLOBAL-scoped provider because it manages the storage itself,
+ * not the per-context data. The actual FrontMcpContext is accessed via
+ * the FRONTMCP_CONTEXT token which is CONTEXT-scoped.
+ */
+export declare class FrontMcpContextStorage {
+    /**
+     * Run a callback with a new FrontMcpContext.
+     *
+     * @param args - Arguments to create the context
+     * @param fn - Async function to run with the context
+     * @returns Result of the callback
+     */
+    run<T>(args: FrontMcpContextArgs, fn: () => T | Promise<T>): T | Promise<T>;
+    /**
+     * Run with context extracted from HTTP headers.
+     *
+     * Automatically parses trace context from headers using W3C Trace Context
+     * specification with fallback to x-frontmcp-trace-id.
+     *
+     * @param headers - HTTP headers
+     * @param args - Additional context args (sessionId, scopeId)
+     * @param fn - Async function to run
+     * @returns Result of the callback
+     */
+    runFromHeaders<T>(headers: Record<string, unknown>, args: Omit<FrontMcpContextArgs, 'traceContext' | 'metadata'>, fn: () => T | Promise<T>): T | Promise<T>;
+    /**
+     * Run with an existing FrontMcpContext.
+     *
+     * Useful when you need to propagate an existing context to a new async scope.
+     *
+     * @param context - Existing FrontMcpContext
+     * @param fn - Async function to run
+     * @returns Result of the callback
+     */
+    runWithContext<T>(context: FrontMcpContext, fn: () => T | Promise<T>): T | Promise<T>;
+    /**
+     * Get the current FrontMcpContext.
+     *
+     * @returns Current context or undefined if not in a context scope
+     */
+    getStore(): FrontMcpContext | undefined;
+    /**
+     * Get the current FrontMcpContext, throwing if not available.
+     *
+     * @throws Error if not in a context scope
+     */
+    getStoreOrThrow(): FrontMcpContext;
+    /**
+     * Check if currently running within a context.
+     *
+     * @returns True if a FrontMcpContext is available
+     */
+    hasContext(): boolean;
+    /**
+     * Update the authInfo in the current context.
+     *
+     * This mutates the existing context in place to preserve internal state
+     * (marks, store, sessionMetadata) while updating auth info.
+     *
+     * @param authInfo - Auth info fields to set/update (merged with existing)
+     * @param fn - Function to run after update
+     * @returns Result of the callback
+     */
+    updateAuthInfo<T>(authInfo: Partial<AuthInfo>, fn: () => T | Promise<T>): T | Promise<T>;
+}
+/**
+ * Alias for backward compatibility.
+ * @deprecated Use FrontMcpContextStorage instead
+ */
+export { FrontMcpContextStorage as ContextStorage };