@frontmcp/sdk 0.5.0 → 0.6.0

package/src/auth/session/index.js

@@ -1,12 +1,14 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.InMemorySessionStore = exports.TransportSessionManager = void 0;
+exports.RedisSessionStore = exports.InMemorySessionStore = exports.TransportSessionManager = void 0;
 const tslib_1 = require("tslib");
 // Transport session architecture
 tslib_1.__exportStar(require("./transport-session.types"), exports);
 var transport_session_manager_1 = require("./transport-session.manager");
 Object.defineProperty(exports, "TransportSessionManager", { enumerable: true, get: function () { return transport_session_manager_1.TransportSessionManager; } });
 Object.defineProperty(exports, "InMemorySessionStore", { enumerable: true, get: function () { return transport_session_manager_1.InMemorySessionStore; } });
+var redis_session_store_1 = require("./redis-session.store");
+Object.defineProperty(exports, "RedisSessionStore", { enumerable: true, get: function () { return redis_session_store_1.RedisSessionStore; } });
 // Authorization store for OAuth flows
 tslib_1.__exportStar(require("./authorization.store"), exports);
 // Authorization vault for stateful sessions

package/src/auth/session/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../src/auth/session/index.ts"],"names":[],"mappings":";;;;AAAA,iCAAiC;AACjC,oEAA0C;AAC1C,yEAA4F;AAAnF,oIAAA,uBAAuB,OAAA;AAAE,iIAAA,oBAAoB,OAAA;AAEtD,sCAAsC;AACtC,gEAAsC;AAEtC,4CAA4C;AAC5C,gEAAsC","sourcesContent":["// Transport session architecture\nexport * from './transport-session.types';\nexport { TransportSessionManager, InMemorySessionStore } from './transport-session.manager';\n\n// Authorization store for OAuth flows\nexport * from './authorization.store';\n\n// Authorization vault for stateful sessions\nexport * from './authorization-vault';\n"]}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../src/auth/session/index.ts"],"names":[],"mappings":";;;;AAAA,iCAAiC;AACjC,oEAA0C;AAC1C,yEAA4F;AAAnF,oIAAA,uBAAuB,OAAA;AAAE,iIAAA,oBAAoB,OAAA;AACtD,6DAA0D;AAAjD,wHAAA,iBAAiB,OAAA;AAE1B,sCAAsC;AACtC,gEAAsC;AAEtC,4CAA4C;AAC5C,gEAAsC","sourcesContent":["// Transport session architecture\nexport * from './transport-session.types';\nexport { TransportSessionManager, InMemorySessionStore } from './transport-session.manager';\nexport { RedisSessionStore } from './redis-session.store';\n\n// Authorization store for OAuth flows\nexport * from './authorization.store';\n\n// Authorization vault for stateful sessions\nexport * from './authorization-vault';\n"]}

package/src/auth/session/record/session.base.js

@@ -36,7 +36,7 @@ class Session {
         this.user = ctx.user;
         this.claims = ctx.claims;
         // derive token expiration from JWT claims if present (exp in seconds)
-        const exp = (ctx.claims && typeof ctx.claims['exp'] === 'number') ? Number(ctx.claims['exp']) : undefined;
+        const exp = ctx.claims && typeof ctx.claims['exp'] === 'number' ? Number(ctx.claims['exp']) : undefined;
         if (exp) {
             this.expiresAt = exp > 1e12 ? exp : exp * 1000;
         }
@@ -68,12 +68,14 @@ class Session {
     async getTransportSessionId() {
         if (this.#activeTransportId)
             return this.#activeTransportId;
-        const mode = this.scope.metadata.session?.transportIdMode ?? 'uuid';
+        const mode = this.scope.metadata.transport?.transportIdMode ?? 'uuid';
         if (typeof mode === 'string') {
             return session_transport_1.TransportIdGenerator.createId(mode);
         }
         else {
-            const modeResult = await mode(this.issuer);
+            // Cast to proper function type since Zod's z.function() type is too generic
+            const modeFn = mode;
+            const modeResult = await modeFn(this.issuer);
             return session_transport_1.TransportIdGenerator.createId(modeResult);
         }
     }

package/src/auth/session/record/session.base.js.map

@@ -1 +1 @@
-{"version":3,"file":"session.base.js","sourceRoot":"","sources":["../../../../../src/auth/session/record/session.base.ts"],"names":[],"mappings":";AAAA,sCAAsC;;;AAGtC,4DAA4D;AAuC5D,MAAsB,OAAO;IAC3B,0DAA0D;IACjD,EAAE,CAAS;IAEX,SAAS,CAAS;IAClB,OAAO,CAAS;IAChB,IAAI,CAAc;IAClB,MAAM,CAA2B;IAC1C,iEAAiE;IACxD,SAAS,CAAU;IAEnB,mBAAmB,CAAmC;IACtD,qBAAqB,CAAW;IAChC,cAAc,CAAoD;IAClE,gBAAgB,CAAW;IAC3B,mBAAmB,CAAW;IAC9B,MAAM,CAAY;IAClB,eAAe,CAAsF;IACrG,iBAAiB,CAAY;IAC7B,iBAAiB,CAAsF;IACvG,mBAAmB,CAAY;IAExC,mDAAmD;IACnD,MAAM,CAAQ;IACd,OAAO,CAAS;IACN,KAAK,CAAS;IAExB,kBAAkB,CAAU;IAE5B,YAAsB,GAAkB;QACtC,IAAI,CAAC,EAAE,GAAG,GAAG,CAAC,EAAE,CAAC;QACjB,IAAI,CAAC,SAAS,GAAG,GAAG,CAAC,SAAS,IAAI,IAAI,CAAC,GAAG,EAAE,CAAC;QAC7C,IAAI,CAAC,MAAM,GAAG,GAAG,CAAC,KAAK,CAAC;QACxB,IAAI,CAAC,OAAO,GAAG,GAAG,CAAC,MAAM,CAAC;QAC1B,IAAI,CAAC,OAAO,GAAG,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;QAC5B,IAAI,CAAC,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC;QACrB,IAAI,CAAC,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC;QACzB,sEAAsE;QACtE,MAAM,GAAG,GAAG,CAAC,GAAG,CAAC,MAAM,IAAI,OAAQ,GAAG,CAAC,MAAc,CAAC,KAAK,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,MAAM,CAAE,GAAG,CAAC,MAAc,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QAC5H,IAAI,GAAG,EAAE,CAAC;YACR,IAAI,CAAC,SAAS,GAAG,GAAG,GAAG,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,IAAI,CAAC;QACjD,CAAC;QACD,gDAAgD;QAChD,IAAI,CAAC,mBAAmB,GAAG,GAAG,CAAC,mBAAmB,IAAI,EAAE,CAAC;QACzD,IAAI,CAAC,qBAAqB,GAAG,GAAG,CAAC,qBAAqB,IAAI,EAAE,CAAC;QAC7D,IAAI,CAAC,cAAc,GAAG,GAAG,CAAC,cAAc,IAAI,EAAE,CAAC;QAC/C,IAAI,CAAC,gBAAgB,GAAG,GAAG,CAAC,gBAAgB,IAAI,EAAE,CAAC;QACnD,IAAI,CAAC,mBAAmB,GAAG,GAAG,CAAC,mBAAmB,IAAI,EAAE,CAAC;QACzD,IAAI,CAAC,eAAe,GAAG,GAAG,CAAC,eAAe,IAAI,EAAE,CAAC;QACjD,IAAI,CAAC,iBAAiB,GAAG,GAAG,CAAC,iBAAiB,IAAI,EAAE,CAAC;QACrD,IAAI,CAAC,iBAAiB,GAAG,GAAG,CAAC,iBAAiB,IAAI,EAAE,CAAC;QACrD,IAAI,CAAC,mBAAmB,GAAG,GAAG,CAAC,mBAAmB,IAAI,EAAE,CAAC;QACzD,IAAI,CAAC,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC;QACvB,IAAI,CAAC,kBAAkB,GAAG,GAAG,CAAC,SAAS,CAAC;IAC1C,CAAC;IAED;;;;OAIG;IACH,IAAc,KAAK;QACjB,OAAO,IAAI,CAAC,MAAM,CAAC;IACrB,CAAC;IACD,8CAA8C;IAE9C,IAAI,MAAM;QACR,OAAO,IAAI,CAAC,OAAO,CAAC;IACtB,CAAC;IAED,KAAK,CAAC,qBAAqB;QACzB,IAAI,IAAI,CAAC,kBAAkB;YAAE,OAAO,IAAI,CAAC,kBAAkB,CAAC;QAC5D,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,OAAO,EAAE,eAAe,IAAI,MAAM,CAAC;QACpE,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;YAC7B,OAAO,wCAAoB,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;QAC7C,CAAC;aAAM,CAAC;YACN,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YAC3C,OAAO,wCAAoB,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;QACnD,CAAC;IACH,CAAC;IAUD,gDAAgD;IAChD,MAAM,CAAC,OAAsD;QAC3D,MAAM,EAAE,GACN,OAAO,OAAO,KAAK,UAAU;YAC3B,CAAC,CAAC,OAAO;YACT,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC;gBACxB,CAAC,CAAC,CAAC,EAAU,EAAE,EAAE,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;gBACtC,CAAC,CAAC,CAAC,EAAU,EAAE,EAAE,CAAC,EAAE,KAAK,OAAO,CAAC;QACrC,OAAO,IAAI,WAAW,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;IACnC,CAAC;CACF;AAnGD,0BAmGC;AAED,MAAa,WAAW;IACO;IAAkC;IAA/D,YAA6B,MAAe,EAAmB,KAA8B;QAAhE,WAAM,GAAN,MAAM,CAAS;QAAmB,UAAK,GAAL,KAAK,CAAyB;IAAG,CAAC;IAEjG,IAAI,EAAE;QACJ,OAAO,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;IACxB,CAAC;IACD,IAAI,IAAI;QACN,OAAO,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC;IAC1B,CAAC;IACD,IAAI,IAAI;QACN,OAAO,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC;IAC1B,CAAC;IACD,IAAI,MAAM;QACR,OAAO,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC;IAC5B,CAAC;IACD,IAAI,cAAc;QAChB,OAAO,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC;IACpC,CAAC;IAED,KAAK,CAAC,QAAQ,CAAC,UAAkB;QAC/B,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC;YAAE,MAAM,IAAI,KAAK,CAAC,iBAAiB,UAAU,EAAE,CAAC,CAAC;QAC5E,OAAO,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;IAC1C,CAAC;IACD,IAAI,WAAW;QACb,OAAO,IAAI,CAAC,MAAM,CAAC,qBAAqB,CAAC;IAC3C,CAAC;CACF;AA1BD,kCA0BC","sourcesContent":["// auth/session/record/session.base.ts\n\nimport type { ProviderSnapshot, SessionMode } from '../session.types';\nimport { TransportIdGenerator } from '../session.transport';\nimport { Scope } from '../../../scope';\n\nexport interface BaseCreateCtx {\n  id: string;\n  sessionId?: string;\n  scope: Scope;\n  issuer: string;\n  token: string;\n  user: SessionUser;\n  claims?: SessionClaims;\n  createdAt?: number;\n  // optional precomputed authorization projections\n  authorizedProviders?: Record<string, ProviderSnapshot>;\n  authorizedProviderIds?: string[];\n  authorizedApps?: Record<string, { id: string; toolIds: string[] }>;\n  authorizedAppIds?: string[];\n  authorizedResources?: string[];\n  scopes?: string[];\n  // Scoped tools/prompts maps\n  authorizedTools?: Record<string, { executionPath: [string, string]; details?: Record<string, any> }>;\n  authorizedToolIds?: string[];\n  authorizedPrompts?: Record<string, { executionPath: [string, string]; details?: Record<string, any> }>;\n  authorizedPromptIds?: string[];\n}\n\n// TODO: can be extended\nexport interface SessionUser {\n  sub?: string;\n  name?: string;\n  email?: string;\n  picture?: string;\n}\n\n// TODO: can be extended\nexport interface SessionClaims {\n  [key: string]: any;\n}\n\nexport abstract class Session {\n  // ---------------- public immutable data ----------------\n  readonly id: string;\n  abstract readonly mode: SessionMode;\n  readonly createdAt: number;\n  readonly scopeId: string;\n  readonly user: SessionUser;\n  readonly claims?: Record<string, unknown>;\n  /** Epoch millis when the bearer token expires (if available). */\n  readonly expiresAt?: number;\n\n  readonly authorizedProviders: Record<string, ProviderSnapshot>;\n  readonly authorizedProviderIds: string[];\n  readonly authorizedApps: Record<string, { id: string; toolIds: string[] }>;\n  readonly authorizedAppIds: string[];\n  readonly authorizedResources: string[];\n  readonly scopes?: string[];\n  readonly authorizedTools?: Record<string, { executionPath: [string, string]; details?: Record<string, any> }>;\n  readonly authorizedToolIds?: string[];\n  readonly authorizedPrompts?: Record<string, { executionPath: [string, string]; details?: Record<string, any> }>;\n  readonly authorizedPromptIds?: string[];\n\n  // ---------------- private/shared ----------------\n  #scope: Scope;\n  #issuer: string;\n  protected token: string;\n\n  #activeTransportId?: string;\n\n  protected constructor(ctx: BaseCreateCtx) {\n    this.id = ctx.id;\n    this.createdAt = ctx.createdAt || Date.now();\n    this.#scope = ctx.scope;\n    this.#issuer = ctx.issuer;\n    this.scopeId = ctx.scope.id;\n    this.user = ctx.user;\n    this.claims = ctx.claims;\n    // derive token expiration from JWT claims if present (exp in seconds)\n    const exp = (ctx.claims && typeof (ctx.claims as any)['exp'] === 'number') ? Number((ctx.claims as any)['exp']) : undefined;\n    if (exp) {\n      this.expiresAt = exp > 1e12 ? exp : exp * 1000;\n    }\n    // project authorized fields (defaults to empty)\n    this.authorizedProviders = ctx.authorizedProviders ?? {};\n    this.authorizedProviderIds = ctx.authorizedProviderIds ?? [];\n    this.authorizedApps = ctx.authorizedApps ?? {};\n    this.authorizedAppIds = ctx.authorizedAppIds ?? [];\n    this.authorizedResources = ctx.authorizedResources ?? [];\n    this.authorizedTools = ctx.authorizedTools ?? {};\n    this.authorizedToolIds = ctx.authorizedToolIds ?? [];\n    this.authorizedPrompts = ctx.authorizedPrompts ?? {};\n    this.authorizedPromptIds = ctx.authorizedPromptIds ?? [];\n    this.token = ctx.token;\n    this.#activeTransportId = ctx.sessionId;\n  }\n\n  /**\n   * Get the scope associated with this session.\n   * Can be used by subclasses to implement custom scope handling.\n   * @protected\n   */\n  protected get scope(): Scope {\n    return this.#scope;\n  }\n  // ---------------- accessors ----------------\n\n  get issuer(): string {\n    return this.#issuer;\n  }\n\n  async getTransportSessionId(): Promise<string> {\n    if (this.#activeTransportId) return this.#activeTransportId;\n    const mode = this.scope.metadata.session?.transportIdMode ?? 'uuid';\n    if (typeof mode === 'string') {\n      return TransportIdGenerator.createId(mode);\n    } else {\n      const modeResult = await mode(this.issuer);\n      return TransportIdGenerator.createId(modeResult);\n    }\n  }\n\n  /**\n   * Get the access token for a given provider.\n   * Must be implemented in subclasses based on session topology.\n   * @protected\n   * @param providerId\n   */\n  abstract getToken(providerId?: string): Promise<string> | string;\n\n  // ---------------- scoped view ----------------\n  scoped(allowed: string | string[] | ((id: string) => boolean)) {\n    const fn =\n      typeof allowed === 'function'\n        ? allowed\n        : Array.isArray(allowed)\n        ? (id: string) => allowed.includes(id)\n        : (id: string) => id === allowed;\n    return new SessionView(this, fn);\n  }\n}\n\nexport class SessionView {\n  constructor(private readonly parent: Session, private readonly allow: (id: string) => boolean) {}\n\n  get id() {\n    return this.parent.id;\n  }\n  get mode() {\n    return this.parent.mode;\n  }\n  get user() {\n    return this.parent.user;\n  }\n  get claims() {\n    return this.parent.claims;\n  }\n  get authorizedApps() {\n    return this.parent.authorizedApps;\n  }\n\n  async getToken(providerId: string) {\n    if (!this.allow(providerId)) throw new Error(`scoped_denied:${providerId}`);\n    return this.parent.getToken(providerId);\n  }\n  get transportId() {\n    return this.parent.getTransportSessionId;\n  }\n}\n"]}
+{"version":3,"file":"session.base.js","sourceRoot":"","sources":["../../../../../src/auth/session/record/session.base.ts"],"names":[],"mappings":";AAAA,sCAAsC;;;AAItC,4DAA4D;AAuC5D,MAAsB,OAAO;IAC3B,0DAA0D;IACjD,EAAE,CAAS;IAEX,SAAS,CAAS;IAClB,OAAO,CAAS;IAChB,IAAI,CAAc;IAClB,MAAM,CAA2B;IAC1C,iEAAiE;IACxD,SAAS,CAAU;IAEnB,mBAAmB,CAAmC;IACtD,qBAAqB,CAAW;IAChC,cAAc,CAAoD;IAClE,gBAAgB,CAAW;IAC3B,mBAAmB,CAAW;IAC9B,MAAM,CAAY;IAClB,eAAe,CAAsF;IACrG,iBAAiB,CAAY;IAC7B,iBAAiB,CAAsF;IACvG,mBAAmB,CAAY;IAExC,mDAAmD;IACnD,MAAM,CAAQ;IACd,OAAO,CAAS;IACN,KAAK,CAAS;IAExB,kBAAkB,CAAU;IAE5B,YAAsB,GAAkB;QACtC,IAAI,CAAC,EAAE,GAAG,GAAG,CAAC,EAAE,CAAC;QACjB,IAAI,CAAC,SAAS,GAAG,GAAG,CAAC,SAAS,IAAI,IAAI,CAAC,GAAG,EAAE,CAAC;QAC7C,IAAI,CAAC,MAAM,GAAG,GAAG,CAAC,KAAK,CAAC;QACxB,IAAI,CAAC,OAAO,GAAG,GAAG,CAAC,MAAM,CAAC;QAC1B,IAAI,CAAC,OAAO,GAAG,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;QAC5B,IAAI,CAAC,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC;QACrB,IAAI,CAAC,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC;QACzB,sEAAsE;QACtE,MAAM,GAAG,GACP,GAAG,CAAC,MAAM,IAAI,OAAQ,GAAG,CAAC,MAAc,CAAC,KAAK,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAE,GAAG,CAAC,MAAc,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QAChH,IAAI,GAAG,EAAE,CAAC;YACR,IAAI,CAAC,SAAS,GAAG,GAAG,GAAG,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,IAAI,CAAC;QACjD,CAAC;QACD,gDAAgD;QAChD,IAAI,CAAC,mBAAmB,GAAG,GAAG,CAAC,mBAAmB,IAAI,EAAE,CAAC;QACzD,IAAI,CAAC,qBAAqB,GAAG,GAAG,CAAC,qBAAqB,IAAI,EAAE,CAAC;QAC7D,IAAI,CAAC,cAAc,GAAG,GAAG,CAAC,cAAc,IAAI,EAAE,CAAC;QAC/C,IAAI,CAAC,gBAAgB,GAAG,GAAG,CAAC,gBAAgB,IAAI,EAAE,CAAC;QACnD,IAAI,CAAC,mBAAmB,GAAG,GAAG,CAAC,mBAAmB,IAAI,EAAE,CAAC;QACzD,IAAI,CAAC,eAAe,GAAG,GAAG,CAAC,eAAe,IAAI,EAAE,CAAC;QACjD,IAAI,CAAC,iBAAiB,GAAG,GAAG,CAAC,iBAAiB,IAAI,EAAE,CAAC;QACrD,IAAI,CAAC,iBAAiB,GAAG,GAAG,CAAC,iBAAiB,IAAI,EAAE,CAAC;QACrD,IAAI,CAAC,mBAAmB,GAAG,GAAG,CAAC,mBAAmB,IAAI,EAAE,CAAC;QACzD,IAAI,CAAC,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC;QACvB,IAAI,CAAC,kBAAkB,GAAG,GAAG,CAAC,SAAS,CAAC;IAC1C,CAAC;IAED;;;;OAIG;IACH,IAAc,KAAK;QACjB,OAAO,IAAI,CAAC,MAAM,CAAC;IACrB,CAAC;IACD,8CAA8C;IAE9C,IAAI,MAAM;QACR,OAAO,IAAI,CAAC,OAAO,CAAC;IACtB,CAAC;IAED,KAAK,CAAC,qBAAqB;QACzB,IAAI,IAAI,CAAC,kBAAkB;YAAE,OAAO,IAAI,CAAC,kBAAkB,CAAC;QAC5D,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,SAAS,EAAE,eAAe,IAAI,MAAM,CAAC;QACtE,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;YAC7B,OAAO,wCAAoB,CAAC,QAAQ,CAAC,IAAuB,CAAC,CAAC;QAChE,CAAC;aAAM,CAAC;YACN,4EAA4E;YAC5E,MAAM,MAAM,GAAG,IAAsE,CAAC;YACtF,MAAM,UAAU,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YAC7C,OAAO,wCAAoB,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;QACnD,CAAC;IACH,CAAC;IAUD,gDAAgD;IAChD,MAAM,CAAC,OAAsD;QAC3D,MAAM,EAAE,GACN,OAAO,OAAO,KAAK,UAAU;YAC3B,CAAC,CAAC,OAAO;YACT,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC;gBACxB,CAAC,CAAC,CAAC,EAAU,EAAE,EAAE,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;gBACtC,CAAC,CAAC,CAAC,EAAU,EAAE,EAAE,CAAC,EAAE,KAAK,OAAO,CAAC;QACrC,OAAO,IAAI,WAAW,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;IACnC,CAAC;CACF;AAtGD,0BAsGC;AAED,MAAa,WAAW;IACO;IAAkC;IAA/D,YAA6B,MAAe,EAAmB,KAA8B;QAAhE,WAAM,GAAN,MAAM,CAAS;QAAmB,UAAK,GAAL,KAAK,CAAyB;IAAG,CAAC;IAEjG,IAAI,EAAE;QACJ,OAAO,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;IACxB,CAAC;IACD,IAAI,IAAI;QACN,OAAO,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC;IAC1B,CAAC;IACD,IAAI,IAAI;QACN,OAAO,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC;IAC1B,CAAC;IACD,IAAI,MAAM;QACR,OAAO,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC;IAC5B,CAAC;IACD,IAAI,cAAc;QAChB,OAAO,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC;IACpC,CAAC;IAED,KAAK,CAAC,QAAQ,CAAC,UAAkB;QAC/B,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC;YAAE,MAAM,IAAI,KAAK,CAAC,iBAAiB,UAAU,EAAE,CAAC,CAAC;QAC5E,OAAO,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;IAC1C,CAAC;IACD,IAAI,WAAW;QACb,OAAO,IAAI,CAAC,MAAM,CAAC,qBAAqB,CAAC;IAC3C,CAAC;CACF;AA1BD,kCA0BC","sourcesContent":["// auth/session/record/session.base.ts\n\nimport type { ProviderSnapshot, SessionMode } from '../session.types';\nimport type { TransportIdMode } from '../../../common';\nimport { TransportIdGenerator } from '../session.transport';\nimport { Scope } from '../../../scope';\n\nexport interface BaseCreateCtx {\n  id: string;\n  sessionId?: string;\n  scope: Scope;\n  issuer: string;\n  token: string;\n  user: SessionUser;\n  claims?: SessionClaims;\n  createdAt?: number;\n  // optional precomputed authorization projections\n  authorizedProviders?: Record<string, ProviderSnapshot>;\n  authorizedProviderIds?: string[];\n  authorizedApps?: Record<string, { id: string; toolIds: string[] }>;\n  authorizedAppIds?: string[];\n  authorizedResources?: string[];\n  scopes?: string[];\n  // Scoped tools/prompts maps\n  authorizedTools?: Record<string, { executionPath: [string, string]; details?: Record<string, any> }>;\n  authorizedToolIds?: string[];\n  authorizedPrompts?: Record<string, { executionPath: [string, string]; details?: Record<string, any> }>;\n  authorizedPromptIds?: string[];\n}\n\n// TODO: can be extended\nexport interface SessionUser {\n  sub?: string;\n  name?: string;\n  email?: string;\n  picture?: string;\n}\n\n// TODO: can be extended\nexport interface SessionClaims {\n  [key: string]: any;\n}\n\nexport abstract class Session {\n  // ---------------- public immutable data ----------------\n  readonly id: string;\n  abstract readonly mode: SessionMode;\n  readonly createdAt: number;\n  readonly scopeId: string;\n  readonly user: SessionUser;\n  readonly claims?: Record<string, unknown>;\n  /** Epoch millis when the bearer token expires (if available). */\n  readonly expiresAt?: number;\n\n  readonly authorizedProviders: Record<string, ProviderSnapshot>;\n  readonly authorizedProviderIds: string[];\n  readonly authorizedApps: Record<string, { id: string; toolIds: string[] }>;\n  readonly authorizedAppIds: string[];\n  readonly authorizedResources: string[];\n  readonly scopes?: string[];\n  readonly authorizedTools?: Record<string, { executionPath: [string, string]; details?: Record<string, any> }>;\n  readonly authorizedToolIds?: string[];\n  readonly authorizedPrompts?: Record<string, { executionPath: [string, string]; details?: Record<string, any> }>;\n  readonly authorizedPromptIds?: string[];\n\n  // ---------------- private/shared ----------------\n  #scope: Scope;\n  #issuer: string;\n  protected token: string;\n\n  #activeTransportId?: string;\n\n  protected constructor(ctx: BaseCreateCtx) {\n    this.id = ctx.id;\n    this.createdAt = ctx.createdAt || Date.now();\n    this.#scope = ctx.scope;\n    this.#issuer = ctx.issuer;\n    this.scopeId = ctx.scope.id;\n    this.user = ctx.user;\n    this.claims = ctx.claims;\n    // derive token expiration from JWT claims if present (exp in seconds)\n    const exp =\n      ctx.claims && typeof (ctx.claims as any)['exp'] === 'number' ? Number((ctx.claims as any)['exp']) : undefined;\n    if (exp) {\n      this.expiresAt = exp > 1e12 ? exp : exp * 1000;\n    }\n    // project authorized fields (defaults to empty)\n    this.authorizedProviders = ctx.authorizedProviders ?? {};\n    this.authorizedProviderIds = ctx.authorizedProviderIds ?? [];\n    this.authorizedApps = ctx.authorizedApps ?? {};\n    this.authorizedAppIds = ctx.authorizedAppIds ?? [];\n    this.authorizedResources = ctx.authorizedResources ?? [];\n    this.authorizedTools = ctx.authorizedTools ?? {};\n    this.authorizedToolIds = ctx.authorizedToolIds ?? [];\n    this.authorizedPrompts = ctx.authorizedPrompts ?? {};\n    this.authorizedPromptIds = ctx.authorizedPromptIds ?? [];\n    this.token = ctx.token;\n    this.#activeTransportId = ctx.sessionId;\n  }\n\n  /**\n   * Get the scope associated with this session.\n   * Can be used by subclasses to implement custom scope handling.\n   * @protected\n   */\n  protected get scope(): Scope {\n    return this.#scope;\n  }\n  // ---------------- accessors ----------------\n\n  get issuer(): string {\n    return this.#issuer;\n  }\n\n  async getTransportSessionId(): Promise<string> {\n    if (this.#activeTransportId) return this.#activeTransportId;\n    const mode = this.scope.metadata.transport?.transportIdMode ?? 'uuid';\n    if (typeof mode === 'string') {\n      return TransportIdGenerator.createId(mode as TransportIdMode);\n    } else {\n      // Cast to proper function type since Zod's z.function() type is too generic\n      const modeFn = mode as (issuer: string) => Promise<TransportIdMode> | TransportIdMode;\n      const modeResult = await modeFn(this.issuer);\n      return TransportIdGenerator.createId(modeResult);\n    }\n  }\n\n  /**\n   * Get the access token for a given provider.\n   * Must be implemented in subclasses based on session topology.\n   * @protected\n   * @param providerId\n   */\n  abstract getToken(providerId?: string): Promise<string> | string;\n\n  // ---------------- scoped view ----------------\n  scoped(allowed: string | string[] | ((id: string) => boolean)) {\n    const fn =\n      typeof allowed === 'function'\n        ? allowed\n        : Array.isArray(allowed)\n        ? (id: string) => allowed.includes(id)\n        : (id: string) => id === allowed;\n    return new SessionView(this, fn);\n  }\n}\n\nexport class SessionView {\n  constructor(private readonly parent: Session, private readonly allow: (id: string) => boolean) {}\n\n  get id() {\n    return this.parent.id;\n  }\n  get mode() {\n    return this.parent.mode;\n  }\n  get user() {\n    return this.parent.user;\n  }\n  get claims() {\n    return this.parent.claims;\n  }\n  get authorizedApps() {\n    return this.parent.authorizedApps;\n  }\n\n  async getToken(providerId: string) {\n    if (!this.allow(providerId)) throw new Error(`scoped_denied:${providerId}`);\n    return this.parent.getToken(providerId);\n  }\n  get transportId() {\n    return this.parent.getTransportSessionId;\n  }\n}\n"]}

package/src/auth/session/record/session.stateless.d.ts

@@ -1,5 +1,5 @@
 import { Session, type BaseCreateCtx } from './session.base';
-export type StatefulCreateCtx = BaseCreateCtx & {};
+export type StatefulCreateCtx = BaseCreateCtx & Record<string, never>;
 /**
  * Represents a **stateful session (non-refreshable)** where nested OAuth
  * tokens cannot be refreshed server-side. When a nested provider token
@@ -13,5 +13,5 @@ export declare class StatelessSession extends Session {
     #private;
     readonly mode = "stateless";
     constructor(ctx: StatefulCreateCtx);
-    getToken(providerId?: string): Promise<string> | string;
+    getToken(_providerId?: string): Promise<string> | string;
 }

package/src/auth/session/record/session.stateless.js

@@ -2,6 +2,7 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.StatelessSession = void 0;
 const session_base_1 = require("./session.base");
+const mcp_error_1 = require("../../../errors/mcp.error");
 /**
  * Represents a **stateful session (non-refreshable)** where nested OAuth
  * tokens cannot be refreshed server-side. When a nested provider token
@@ -17,13 +18,14 @@ class StatelessSession extends session_base_1.Session {
      * Used to encrypt/decrypt nested provider tokens in #store.
      * @private
      */
+    // eslint-disable-next-line no-unused-private-class-members
     #vault;
     constructor(ctx) {
         super(ctx);
-        throw new Error('Method not implemented.');
+        throw new mcp_error_1.InternalMcpError('StatelessSession not yet implemented', 'NOT_IMPLEMENTED');
     }
-    getToken(providerId) {
-        throw new Error('Method not implemented.');
+    getToken(_providerId) {
+        throw new mcp_error_1.InternalMcpError('Token refresh not supported in stateless mode', 'NOT_IMPLEMENTED');
     }
 }
 exports.StatelessSession = StatelessSession;

package/src/auth/session/record/session.stateless.js.map

@@ -1 +1 @@
-{"version":3,"file":"session.stateless.js","sourceRoot":"","sources":["../../../../../src/auth/session/record/session.stateless.ts"],"names":[],"mappings":";;;AAAA,iDAA6D;AAK7D;;;;;;;;GAQG;AACH,MAAa,gBAAiB,SAAQ,sBAAO;IAClC,IAAI,GAAG,WAAW,CAAC;IAC5B;;;OAGG;IACH,MAAM,CAAa;IACnB,YAAY,GAAsB;QAChC,KAAK,CAAC,GAAU,CAAC,CAAC;QAClB,MAAM,IAAI,KAAK,CAAC,yBAAyB,CAAC,CAAC;IAC7C,CAAC;IACQ,QAAQ,CAAC,UAAmB;QACnC,MAAM,IAAI,KAAK,CAAC,yBAAyB,CAAC,CAAC;IAC7C,CAAC;CACF;AAdD,4CAcC","sourcesContent":["import { Session, type BaseCreateCtx } from './session.base';\nimport { TokenVault } from '../token.vault';\n\nexport type StatefulCreateCtx = BaseCreateCtx & {};\n\n/**\n * Represents a **stateful session (non-refreshable)** where nested OAuth\n * tokens cannot be refreshed server-side. When a nested provider token\n * expires, the user must re-authorize to obtain new credentials.\n *\n * Notes:\n * - Simpler flow, but degrades UX when tokens are short-lived.\n * - Prefer the refreshable stateful session for multi-app environments.\n */\nexport class StatelessSession extends Session {\n  readonly mode = 'stateless';\n  /**\n   * Used to encrypt/decrypt nested provider tokens in #store.\n   * @private\n   */\n  #vault: TokenVault;\n  constructor(ctx: StatefulCreateCtx) {\n    super(ctx as any);\n    throw new Error('Method not implemented.');\n  }\n  override getToken(providerId?: string): Promise<string> | string {\n    throw new Error('Method not implemented.');\n  }\n}\n"]}
+{"version":3,"file":"session.stateless.js","sourceRoot":"","sources":["../../../../../src/auth/session/record/session.stateless.ts"],"names":[],"mappings":";;;AAAA,iDAA6D;AAE7D,yDAA6D;AAI7D;;;;;;;;GAQG;AACH,MAAa,gBAAiB,SAAQ,sBAAO;IAClC,IAAI,GAAG,WAAW,CAAC;IAC5B;;;OAGG;IACH,2DAA2D;IAC3D,MAAM,CAAa;IACnB,YAAY,GAAsB;QAChC,KAAK,CAAC,GAAoB,CAAC,CAAC;QAC5B,MAAM,IAAI,4BAAgB,CAAC,sCAAsC,EAAE,iBAAiB,CAAC,CAAC;IACxF,CAAC;IACQ,QAAQ,CAAC,WAAoB;QACpC,MAAM,IAAI,4BAAgB,CAAC,+CAA+C,EAAE,iBAAiB,CAAC,CAAC;IACjG,CAAC;CACF;AAfD,4CAeC","sourcesContent":["import { Session, type BaseCreateCtx } from './session.base';\nimport { TokenVault } from '../token.vault';\nimport { InternalMcpError } from '../../../errors/mcp.error';\n\nexport type StatefulCreateCtx = BaseCreateCtx & Record<string, never>;\n\n/**\n * Represents a **stateful session (non-refreshable)** where nested OAuth\n * tokens cannot be refreshed server-side. When a nested provider token\n * expires, the user must re-authorize to obtain new credentials.\n *\n * Notes:\n * - Simpler flow, but degrades UX when tokens are short-lived.\n * - Prefer the refreshable stateful session for multi-app environments.\n */\nexport class StatelessSession extends Session {\n  readonly mode = 'stateless';\n  /**\n   * Used to encrypt/decrypt nested provider tokens in #store.\n   * @private\n   */\n  // eslint-disable-next-line no-unused-private-class-members\n  #vault: TokenVault;\n  constructor(ctx: StatefulCreateCtx) {\n    super(ctx as BaseCreateCtx);\n    throw new InternalMcpError('StatelessSession not yet implemented', 'NOT_IMPLEMENTED');\n  }\n  override getToken(_providerId?: string): Promise<string> | string {\n    throw new InternalMcpError('Token refresh not supported in stateless mode', 'NOT_IMPLEMENTED');\n  }\n}\n"]}

package/src/auth/session/redis-session.store.d.ts

@@ -0,0 +1,64 @@
+import { Redis } from 'ioredis';
+import { SessionStore, StoredSession, RedisConfig } from './transport-session.types';
+import { FrontMcpLogger } from '../../common/interfaces/logger.interface';
+/**
+ * Redis-backed session store implementation
+ *
+ * Provides persistent session storage for distributed deployments.
+ * Sessions are stored as JSON with optional TTL.
+ */
+export declare class RedisSessionStore implements SessionStore {
+    private readonly redis;
+    private readonly keyPrefix;
+    private readonly defaultTtlMs;
+    private readonly logger?;
+    private externalInstance;
+    constructor(config: RedisConfig | {
+        redis: Redis;
+        keyPrefix?: string;
+        defaultTtlMs?: number;
+    }, logger?: FrontMcpLogger);
+    /**
+     * Get the full Redis key for a session ID
+     * @throws Error if sessionId is empty
+     */
+    private key;
+    /**
+     * Get a stored session by ID
+     *
+     * Note: Uses atomic GETEX to extend TTL while reading, preventing race conditions
+     * where concurrent readers might resurrect expired sessions.
+     */
+    get(sessionId: string): Promise<StoredSession | null>;
+    /**
+     * Store a session with optional TTL
+     */
+    set(sessionId: string, session: StoredSession, ttlMs?: number): Promise<void>;
+    /**
+     * Delete a session
+     */
+    delete(sessionId: string): Promise<void>;
+    /**
+     * Check if a session exists
+     */
+    exists(sessionId: string): Promise<boolean>;
+    /**
+     * Allocate a new session ID
+     */
+    allocId(): string;
+    /**
+     * Disconnect from Redis (only if we created the connection)
+     */
+    disconnect(): Promise<void>;
+    /**
+     * Get the underlying Redis client (for advanced use cases)
+     */
+    getRedisClient(): Redis;
+    /**
+     * Test Redis connection by sending a PING command.
+     * Useful for validating connection on startup.
+     *
+     * @returns true if connection is healthy, false otherwise
+     */
+    ping(): Promise<boolean>;
+}

package/src/auth/session/redis-session.store.js

@@ -0,0 +1,204 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RedisSessionStore = void 0;
+const tslib_1 = require("tslib");
+// auth/session/redis-session.store.ts
+const ioredis_1 = tslib_1.__importDefault(require("ioredis"));
+const crypto_1 = require("crypto");
+const transport_session_types_1 = require("./transport-session.types");
+/**
+ * Redis-backed session store implementation
+ *
+ * Provides persistent session storage for distributed deployments.
+ * Sessions are stored as JSON with optional TTL.
+ */
+class RedisSessionStore {
+    redis;
+    keyPrefix;
+    defaultTtlMs;
+    logger;
+    externalInstance = false;
+    constructor(config, logger) {
+        // Default TTL of 1 hour for session extension on access
+        this.defaultTtlMs = ('defaultTtlMs' in config ? config.defaultTtlMs : undefined) ?? 3600000;
+        this.logger = logger;
+        if ('redis' in config && config.redis) {
+            // Use provided Redis instance
+            this.redis = config.redis;
+            this.keyPrefix = config.keyPrefix ?? 'mcp:session:';
+            this.externalInstance = true;
+        }
+        else {
+            // Create new Redis connection from config
+            const redisConfig = config;
+            const options = {
+                host: redisConfig.host,
+                port: redisConfig.port ?? 6379,
+                password: redisConfig.password,
+                db: redisConfig.db ?? 0,
+            };
+            if (redisConfig.tls) {
+                options.tls = {};
+            }
+            this.redis = new ioredis_1.default(options);
+            this.keyPrefix = redisConfig.keyPrefix ?? 'mcp:session:';
+        }
+    }
+    /**
+     * Get the full Redis key for a session ID
+     * @throws Error if sessionId is empty
+     */
+    key(sessionId) {
+        if (!sessionId || sessionId.trim() === '') {
+            throw new Error('[RedisSessionStore] sessionId cannot be empty');
+        }
+        return `${this.keyPrefix}${sessionId}`;
+    }
+    /**
+     * Get a stored session by ID
+     *
+     * Note: Uses atomic GETEX to extend TTL while reading, preventing race conditions
+     * where concurrent readers might resurrect expired sessions.
+     */
+    async get(sessionId) {
+        const key = this.key(sessionId);
+        // Use GETEX to atomically get and extend TTL in a single operation
+        // This prevents the race where one request deletes expired session
+        // while another is trying to extend it
+        let raw;
+        try {
+            // GETEX with EXAT/PXAT is atomic - no race condition possible
+            raw = await this.redis.getex(key, 'PX', this.defaultTtlMs);
+        }
+        catch {
+            // Fallback for older Redis versions that don't support GETEX
+            raw = await this.redis.get(key);
+        }
+        if (!raw)
+            return null;
+        try {
+            const parsed = JSON.parse(raw);
+            const result = transport_session_types_1.storedSessionSchema.safeParse(parsed);
+            if (!result.success) {
+                this.logger?.warn('[RedisSessionStore] Invalid session format', {
+                    sessionId: sessionId.slice(0, 20),
+                    errors: result.error.issues.slice(0, 3).map((i) => ({ path: i.path, message: i.message })),
+                });
+                // Delete invalid session data
+                this.delete(sessionId).catch(() => void 0);
+                return null;
+            }
+            const session = result.data;
+            // Check application-level expiration (separate from Redis TTL)
+            if (session.session.expiresAt && session.session.expiresAt < Date.now()) {
+                // Session is logically expired - delete it
+                // Note: We await the delete to ensure it completes before returning
+                // This prevents race conditions where another read might get the expired session
+                await this.delete(sessionId);
+                return null;
+            }
+            // Bound Redis TTL by session.expiresAt to avoid keeping expired sessions in Redis
+            // GETEX may have extended TTL beyond expiresAt, so we shorten it if needed
+            if (session.session.expiresAt) {
+                const ttlMs = Math.min(this.defaultTtlMs, session.session.expiresAt - Date.now());
+                if (ttlMs > 0 && ttlMs < this.defaultTtlMs) {
+                    // Fire-and-forget - we're only optimizing cache eviction timing
+                    this.redis.pexpire(key, ttlMs).catch(() => void 0);
+                }
+            }
+            // Update last accessed timestamp (in the returned object)
+            // Note: We don't fire-and-forget a set() here because:
+            // 1. GETEX already extended the Redis TTL
+            // 2. Fire-and-forget can cause race conditions with deletion
+            const updatedSession = {
+                ...session,
+                lastAccessedAt: Date.now(),
+            };
+            return updatedSession;
+        }
+        catch (error) {
+            this.logger?.warn('[RedisSessionStore] Failed to parse session', {
+                sessionId: sessionId.slice(0, 20),
+                error: error.message,
+            });
+            // Delete corrupted session payloads to prevent repeated failures
+            this.delete(sessionId).catch(() => void 0);
+            return null;
+        }
+    }
+    /**
+     * Store a session with optional TTL
+     */
+    async set(sessionId, session, ttlMs) {
+        const key = this.key(sessionId);
+        const value = JSON.stringify(session);
+        if (ttlMs && ttlMs > 0) {
+            // Use PX for millisecond precision
+            await this.redis.set(key, value, 'PX', ttlMs);
+        }
+        else if (session.session.expiresAt) {
+            // Use session's expiration if available
+            const ttl = session.session.expiresAt - Date.now();
+            if (ttl > 0) {
+                await this.redis.set(key, value, 'PX', ttl);
+            }
+            else {
+                // Already expired, but store anyway (will be cleaned up on next access)
+                await this.redis.set(key, value);
+            }
+        }
+        else {
+            // No TTL - session persists until explicitly deleted
+            await this.redis.set(key, value);
+        }
+    }
+    /**
+     * Delete a session
+     */
+    async delete(sessionId) {
+        await this.redis.del(this.key(sessionId));
+    }
+    /**
+     * Check if a session exists
+     */
+    async exists(sessionId) {
+        return (await this.redis.exists(this.key(sessionId))) === 1;
+    }
+    /**
+     * Allocate a new session ID
+     */
+    allocId() {
+        return (0, crypto_1.randomUUID)();
+    }
+    /**
+     * Disconnect from Redis (only if we created the connection)
+     */
+    async disconnect() {
+        if (!this.externalInstance) {
+            await this.redis.quit();
+        }
+    }
+    /**
+     * Get the underlying Redis client (for advanced use cases)
+     */
+    getRedisClient() {
+        return this.redis;
+    }
+    /**
+     * Test Redis connection by sending a PING command.
+     * Useful for validating connection on startup.
+     *
+     * @returns true if connection is healthy, false otherwise
+     */
+    async ping() {
+        try {
+            const result = await this.redis.ping();
+            return result === 'PONG';
+        }
+        catch {
+            return false;
+        }
+    }
+}
+exports.RedisSessionStore = RedisSessionStore;
+//# sourceMappingURL=redis-session.store.js.map

package/src/auth/session/redis-session.store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"redis-session.store.js","sourceRoot":"","sources":["../../../../src/auth/session/redis-session.store.ts"],"names":[],"mappings":";;;;AAAA,sCAAsC;AACtC,8DAAuD;AACvD,mCAAoC;AACpC,uEAA0G;AAG1G;;;;;GAKG;AACH,MAAa,iBAAiB;IACX,KAAK,CAAQ;IACb,SAAS,CAAS;IAClB,YAAY,CAAS;IACrB,MAAM,CAAkB;IACjC,gBAAgB,GAAG,KAAK,CAAC;IAEjC,YACE,MAAiF,EACjF,MAAuB;QAEvB,wDAAwD;QACxD,IAAI,CAAC,YAAY,GAAG,CAAC,cAAc,IAAI,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC,SAAS,CAAC,IAAI,OAAO,CAAC;QAC5F,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QAErB,IAAI,OAAO,IAAI,MAAM,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;YACtC,8BAA8B;YAC9B,IAAI,CAAC,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC;YAC1B,IAAI,CAAC,SAAS,GAAG,MAAM,CAAC,SAAS,IAAI,cAAc,CAAC;YACpD,IAAI,CAAC,gBAAgB,GAAG,IAAI,CAAC;QAC/B,CAAC;aAAM,CAAC;YACN,0CAA0C;YAC1C,MAAM,WAAW,GAAG,MAAqB,CAAC;YAC1C,MAAM,OAAO,GAAiB;gBAC5B,IAAI,EAAE,WAAW,CAAC,IAAI;gBACtB,IAAI,EAAE,WAAW,CAAC,IAAI,IAAI,IAAI;gBAC9B,QAAQ,EAAE,WAAW,CAAC,QAAQ;gBAC9B,EAAE,EAAE,WAAW,CAAC,EAAE,IAAI,CAAC;aACxB,CAAC;YAEF,IAAI,WAAW,CAAC,GAAG,EAAE,CAAC;gBACpB,OAAO,CAAC,GAAG,GAAG,EAAE,CAAC;YACnB,CAAC;YAED,IAAI,CAAC,KAAK,GAAG,IAAI,iBAAO,CAAC,OAAO,CAAC,CAAC;YAClC,IAAI,CAAC,SAAS,GAAG,WAAW,CAAC,SAAS,IAAI,cAAc,CAAC;QAC3D,CAAC;IACH,CAAC;IAED;;;OAGG;IACK,GAAG,CAAC,SAAiB;QAC3B,IAAI,CAAC,SAAS,IAAI,SAAS,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;YAC1C,MAAM,IAAI,KAAK,CAAC,+CAA+C,CAAC,CAAC;QACnE,CAAC;QACD,OAAO,GAAG,IAAI,CAAC,SAAS,GAAG,SAAS,EAAE,CAAC;IACzC,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,GAAG,CAAC,SAAiB;QACzB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QAEhC,mEAAmE;QACnE,mEAAmE;QACnE,uCAAuC;QACvC,IAAI,GAAkB,CAAC;QACvB,IAAI,CAAC;YACH,8DAA8D;YAC9D,GAAG,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,EAAE,IAAI,EAAE,IAAI,CAAC,YAAY,CAAC,CAAC;QAC7D,CAAC;QAAC,MAAM,CAAC;YACP,6DAA6D;YAC7D,GAAG,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAClC,CAAC;QAED,IAAI,CAAC,GAAG;YAAE,OAAO,IAAI,CAAC;QAEtB,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAC/B,MAAM,MAAM,GAAG,6CAAmB,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;YAErD,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;gBACpB,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,4CAA4C,EAAE;oBAC9D,SAAS,EAAE,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;oBACjC,MAAM,EAAE,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC;iBAC3F,CAAC,CAAC;gBACH,8BAA8B;gBAC9B,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC;gBAC3C,OAAO,IAAI,CAAC;YACd,CAAC;YAED,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC;YAE5B,+DAA+D;YAC/D,IAAI,OAAO,CAAC,OAAO,CAAC,SAAS,IAAI,OAAO,CAAC,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;gBACxE,2CAA2C;gBAC3C,oEAAoE;gBACpE,iFAAiF;gBACjF,MAAM,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;gBAC7B,OAAO,IAAI,CAAC;YACd,CAAC;YAED,kFAAkF;YAClF,2EAA2E;YAC3E,IAAI,OAAO,CAAC,OAAO,CAAC,SAAS,EAAE,CAAC;gBAC9B,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,YAAY,EAAE,OAAO,CAAC,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;gBAClF,IAAI,KAAK,GAAG,CAAC,IAAI,KAAK,GAAG,IAAI,CAAC,YAAY,EAAE,CAAC;oBAC3C,gEAAgE;oBAChE,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC;gBACrD,CAAC;YACH,CAAC;YAED,0DAA0D;YAC1D,uDAAuD;YACvD,0CAA0C;YAC1C,6DAA6D;YAC7D,MAAM,cAAc,GAAkB;gBACpC,GAAG,OAAO;gBACV,cAAc,EAAE,IAAI,CAAC,GAAG,EAAE;aAC3B,CAAC;YAEF,OAAO,cAAc,CAAC;QACxB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,6CAA6C,EAAE;gBAC/D,SAAS,EAAE,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;gBACjC,KAAK,EAAG,KAAe,CAAC,OAAO;aAChC,CAAC,CAAC;YACH,iEAAiE;YACjE,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC;YAC3C,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,GAAG,CAAC,SAAiB,EAAE,OAAsB,EAAE,KAAc;QACjE,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QAChC,MAAM,KAAK,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QAEtC,IAAI,KAAK,IAAI,KAAK,GAAG,CAAC,EAAE,CAAC;YACvB,mCAAmC;YACnC,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC;QAChD,CAAC;aAAM,IAAI,OAAO,CAAC,OAAO,CAAC,SAAS,EAAE,CAAC;YACrC,wCAAwC;YACxC,MAAM,GAAG,GAAG,OAAO,CAAC,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YACnD,IAAI,GAAG,GAAG,CAAC,EAAE,CAAC;gBACZ,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,EAAE,IAAI,EAAE,GAAG,CAAC,CAAC;YAC9C,CAAC;iBAAM,CAAC;gBACN,wEAAwE;gBACxE,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;YACnC,CAAC;QACH,CAAC;aAAM,CAAC;YACN,qDAAqD;YACrD,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QACnC,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,MAAM,CAAC,SAAiB;QAC5B,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC;IAC5C,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,MAAM,CAAC,SAAiB;QAC5B,OAAO,CAAC,MAAM,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;IAC9D,CAAC;IAED;;OAEG;IACH,OAAO;QACL,OAAO,IAAA,mBAAU,GAAE,CAAC;IACtB,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,UAAU;QACd,IAAI,CAAC,IAAI,CAAC,gBAAgB,EAAE,CAAC;YAC3B,MAAM,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;QAC1B,CAAC;IACH,CAAC;IAED;;OAEG;IACH,cAAc;QACZ,OAAO,IAAI,CAAC,KAAK,CAAC;IACpB,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,IAAI;QACR,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;YACvC,OAAO,MAAM,KAAK,MAAM,CAAC;QAC3B,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;CACF;AA7MD,8CA6MC","sourcesContent":["// auth/session/redis-session.store.ts\nimport IoRedis, { Redis, RedisOptions } from 'ioredis';\nimport { randomUUID } from 'crypto';\nimport { SessionStore, StoredSession, RedisConfig, storedSessionSchema } from './transport-session.types';\nimport { FrontMcpLogger } from '../../common/interfaces/logger.interface';\n\n/**\n * Redis-backed session store implementation\n *\n * Provides persistent session storage for distributed deployments.\n * Sessions are stored as JSON with optional TTL.\n */\nexport class RedisSessionStore implements SessionStore {\n  private readonly redis: Redis;\n  private readonly keyPrefix: string;\n  private readonly defaultTtlMs: number;\n  private readonly logger?: FrontMcpLogger;\n  private externalInstance = false;\n\n  constructor(\n    config: RedisConfig | { redis: Redis; keyPrefix?: string; defaultTtlMs?: number },\n    logger?: FrontMcpLogger,\n  ) {\n    // Default TTL of 1 hour for session extension on access\n    this.defaultTtlMs = ('defaultTtlMs' in config ? config.defaultTtlMs : undefined) ?? 3600000;\n    this.logger = logger;\n\n    if ('redis' in config && config.redis) {\n      // Use provided Redis instance\n      this.redis = config.redis;\n      this.keyPrefix = config.keyPrefix ?? 'mcp:session:';\n      this.externalInstance = true;\n    } else {\n      // Create new Redis connection from config\n      const redisConfig = config as RedisConfig;\n      const options: RedisOptions = {\n        host: redisConfig.host,\n        port: redisConfig.port ?? 6379,\n        password: redisConfig.password,\n        db: redisConfig.db ?? 0,\n      };\n\n      if (redisConfig.tls) {\n        options.tls = {};\n      }\n\n      this.redis = new IoRedis(options);\n      this.keyPrefix = redisConfig.keyPrefix ?? 'mcp:session:';\n    }\n  }\n\n  /**\n   * Get the full Redis key for a session ID\n   * @throws Error if sessionId is empty\n   */\n  private key(sessionId: string): string {\n    if (!sessionId || sessionId.trim() === '') {\n      throw new Error('[RedisSessionStore] sessionId cannot be empty');\n    }\n    return `${this.keyPrefix}${sessionId}`;\n  }\n\n  /**\n   * Get a stored session by ID\n   *\n   * Note: Uses atomic GETEX to extend TTL while reading, preventing race conditions\n   * where concurrent readers might resurrect expired sessions.\n   */\n  async get(sessionId: string): Promise<StoredSession | null> {\n    const key = this.key(sessionId);\n\n    // Use GETEX to atomically get and extend TTL in a single operation\n    // This prevents the race where one request deletes expired session\n    // while another is trying to extend it\n    let raw: string | null;\n    try {\n      // GETEX with EXAT/PXAT is atomic - no race condition possible\n      raw = await this.redis.getex(key, 'PX', this.defaultTtlMs);\n    } catch {\n      // Fallback for older Redis versions that don't support GETEX\n      raw = await this.redis.get(key);\n    }\n\n    if (!raw) return null;\n\n    try {\n      const parsed = JSON.parse(raw);\n      const result = storedSessionSchema.safeParse(parsed);\n\n      if (!result.success) {\n        this.logger?.warn('[RedisSessionStore] Invalid session format', {\n          sessionId: sessionId.slice(0, 20),\n          errors: result.error.issues.slice(0, 3).map((i) => ({ path: i.path, message: i.message })),\n        });\n        // Delete invalid session data\n        this.delete(sessionId).catch(() => void 0);\n        return null;\n      }\n\n      const session = result.data;\n\n      // Check application-level expiration (separate from Redis TTL)\n      if (session.session.expiresAt && session.session.expiresAt < Date.now()) {\n        // Session is logically expired - delete it\n        // Note: We await the delete to ensure it completes before returning\n        // This prevents race conditions where another read might get the expired session\n        await this.delete(sessionId);\n        return null;\n      }\n\n      // Bound Redis TTL by session.expiresAt to avoid keeping expired sessions in Redis\n      // GETEX may have extended TTL beyond expiresAt, so we shorten it if needed\n      if (session.session.expiresAt) {\n        const ttlMs = Math.min(this.defaultTtlMs, session.session.expiresAt - Date.now());\n        if (ttlMs > 0 && ttlMs < this.defaultTtlMs) {\n          // Fire-and-forget - we're only optimizing cache eviction timing\n          this.redis.pexpire(key, ttlMs).catch(() => void 0);\n        }\n      }\n\n      // Update last accessed timestamp (in the returned object)\n      // Note: We don't fire-and-forget a set() here because:\n      // 1. GETEX already extended the Redis TTL\n      // 2. Fire-and-forget can cause race conditions with deletion\n      const updatedSession: StoredSession = {\n        ...session,\n        lastAccessedAt: Date.now(),\n      };\n\n      return updatedSession;\n    } catch (error) {\n      this.logger?.warn('[RedisSessionStore] Failed to parse session', {\n        sessionId: sessionId.slice(0, 20),\n        error: (error as Error).message,\n      });\n      // Delete corrupted session payloads to prevent repeated failures\n      this.delete(sessionId).catch(() => void 0);\n      return null;\n    }\n  }\n\n  /**\n   * Store a session with optional TTL\n   */\n  async set(sessionId: string, session: StoredSession, ttlMs?: number): Promise<void> {\n    const key = this.key(sessionId);\n    const value = JSON.stringify(session);\n\n    if (ttlMs && ttlMs > 0) {\n      // Use PX for millisecond precision\n      await this.redis.set(key, value, 'PX', ttlMs);\n    } else if (session.session.expiresAt) {\n      // Use session's expiration if available\n      const ttl = session.session.expiresAt - Date.now();\n      if (ttl > 0) {\n        await this.redis.set(key, value, 'PX', ttl);\n      } else {\n        // Already expired, but store anyway (will be cleaned up on next access)\n        await this.redis.set(key, value);\n      }\n    } else {\n      // No TTL - session persists until explicitly deleted\n      await this.redis.set(key, value);\n    }\n  }\n\n  /**\n   * Delete a session\n   */\n  async delete(sessionId: string): Promise<void> {\n    await this.redis.del(this.key(sessionId));\n  }\n\n  /**\n   * Check if a session exists\n   */\n  async exists(sessionId: string): Promise<boolean> {\n    return (await this.redis.exists(this.key(sessionId))) === 1;\n  }\n\n  /**\n   * Allocate a new session ID\n   */\n  allocId(): string {\n    return randomUUID();\n  }\n\n  /**\n   * Disconnect from Redis (only if we created the connection)\n   */\n  async disconnect(): Promise<void> {\n    if (!this.externalInstance) {\n      await this.redis.quit();\n    }\n  }\n\n  /**\n   * Get the underlying Redis client (for advanced use cases)\n   */\n  getRedisClient(): Redis {\n    return this.redis;\n  }\n\n  /**\n   * Test Redis connection by sending a PING command.\n   * Useful for validating connection on startup.\n   *\n   * @returns true if connection is healthy, false otherwise\n   */\n  async ping(): Promise<boolean> {\n    try {\n      const result = await this.redis.ping();\n      return result === 'PONG';\n    } catch {\n      return false;\n    }\n  }\n}\n"]}

package/src/auth/session/session.service.d.ts

@@ -3,10 +3,8 @@ import { StatefulSession } from './record/session.stateful';
 import { Scope } from '../../scope';
 import { CreateSessionArgs } from './session.types';
 import { TransparentSession } from './record/session.transparent';
-import { Authorization } from '../../common';
 export declare class SessionService {
     private store;
-    keyOf(authorization: Authorization): Promise<void>;
     /**
      * Create and persist a new Session from verified auth data.
      * The returned Session exposes async token helpers, scoped view, and transport JWT helpers.

package/src/auth/session/session.service.js

@@ -6,14 +6,8 @@ const session_stateless_1 = require("./record/session.stateless");
 const session_stateful_1 = require("./record/session.stateful");
 const session_transparent_1 = require("./record/session.transparent");
 const store_1 = require("../../store");
-const session_id_utils_1 = require("./utils/session-id.utils");
 class SessionService {
     store = new store_1.ScopedInMemoryStore();
-    async keyOf(authorization) {
-        const sessionKey = (0, session_id_utils_1.encryptJson)({ token: authorization.token });
-        if (authorization.session) {
-        }
-    }
     /**
      * Create and persist a new Session from verified auth data.
      * The returned Session exposes async token helpers, scoped view, and transport JWT helpers.
@@ -27,7 +21,7 @@ class SessionService {
         }
     }
     createOrchestratedSession(scope, args) {
-        const stateless = scope.metadata.session?.sessionMode === 'stateless';
+        const stateless = scope.metadata.transport?.sessionMode === 'stateless';
         if (stateless) {
             return new session_stateless_1.StatelessSession(args);
         }

package/src/auth/session/session.service.js.map

@@ -1 +1 @@
-{"version":3,"file":"session.service.js","sourceRoot":"","sources":["../../../../src/auth/session/session.service.ts"],"names":[],"mappings":";;;AAAA,kCAAkC;AAClC,kEAA8D;AAC9D,gEAA4D;AAG5D,sEAAkE;AAElE,uCAAkD;AAClD,+DAAuD;AAEvD,MAAa,cAAc;IACjB,KAAK,GAAG,IAAI,2BAAmB,EAAE,CAAA;IAGzC,KAAK,CAAC,KAAK,CAAC,aAA4B;QACtC,MAAM,UAAU,GAAG,IAAA,8BAAW,EAAC,EAAC,KAAK,EAAC,aAAa,CAAC,KAAK,EAAC,CAAC,CAAC;QAC5D,IAAG,aAAa,CAAC,OAAO,EAAC,CAAC;QAE1B,CAAC;IACH,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,aAAa,CAAC,KAAY,EAAE,IAAuB;QACvD,IAAI,KAAK,CAAC,YAAY,EAAE,CAAC;YACvB,OAAO,IAAI,CAAC,yBAAyB,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;QACrD,CAAC;aAAM,CAAC;YACN,OAAO,IAAI,CAAC,wBAAwB,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;QACpD,CAAC;IACH,CAAC;IAEO,yBAAyB,CAAC,KAAY,EAAE,IAAuB;QACrE,MAAM,SAAS,GAAG,KAAK,CAAC,QAAQ,CAAC,OAAO,EAAE,WAAW,KAAK,WAAW,CAAC;QACtE,IAAI,SAAS,EAAE,CAAC;YACd,OAAO,IAAI,oCAAgB,CAAC,IAAW,CAAC,CAAC;QAC3C,CAAC;aAAM,CAAC;YACN,OAAO,IAAI,kCAAe,CAAC,IAAW,CAAC,CAAC;QAC1C,CAAC;IACH,CAAC;IAEO,wBAAwB,CAAC,KAAY,EAAE,IAAuB;QACpE,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,CAAC;QAE3B,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;QAClC,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAEzC,+CAA+C;QAC/C,IAAI,cAAc,GAAsD,IAAI,CAAC,cAAc,IAAI,EAAE,CAAC;QAClG,IAAI,CAAC,IAAI,CAAC,cAAc,EAAE,CAAC;YACzB,cAAc,GAAG,EAAE,CAAC;YACpB,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;gBACvB,IAAI,CAAC;oBACH,MAAM,SAAS,GAAG,GAAG,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC;oBAC3E,cAAc,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,EAAE,EAAE,EAAE,GAAG,CAAC,EAAE,EAAE,OAAO,EAAE,SAAS,EAAE,CAAC;gBAC9D,CAAC;gBAAC,MAAM,CAAC;oBACP,cAAc,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,EAAE,EAAE,EAAE,GAAG,CAAC,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;gBACvD,CAAC;YACH,CAAC;QACH,CAAC;QAED,2FAA2F;QAC3F,sEAAsE;QACtE,mCAAmC;QACnC,8BAA8B;QAC9B,IAAI;QAEJ,qBAAqB;QACrB,IAAI,mBAAmB,GAAG,IAAI,CAAC,mBAAmB,CAAC;QACnD,IAAI,qBAAqB,GAAG,IAAI,CAAC,qBAAqB,CAAC;QACvD,IAAI,CAAC,mBAAmB,IAAI,CAAC,qBAAqB,EAAE,CAAC;YACnD,MAAM,QAAQ,GACZ,IAAI,CAAC,MAAM,IAAI,OAAQ,IAAI,CAAC,MAAc,CAAC,KAAK,CAAC,KAAK,QAAQ;gBAC5D,CAAC,CAAC,MAAM,CAAE,IAAI,CAAC,MAAc,CAAC,KAAK,CAAC,CAAC;gBACrC,CAAC,CAAC,SAAS,CAAC;YAChB,MAAM,gBAAgB,GAAG;gBACvB,EAAE,EAAE,OAAO,CAAC,EAAE;gBACd,GAAG,EAAE,QAAQ;gBACb,OAAO,EAAE,IAAI,CAAC,MAAM,IAAI,EAAE;gBAC1B,IAAI,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,EAAE,EAAE,EAAE,OAAO,EAAE,cAAc,CAAC,EAAE,CAAC,EAAE,OAAO,IAAI,EAAE,EAAE,CAAC,CAAC;gBAC9E,SAAS,EAAE,OAAgB;aAC5B,CAAC;YACF,mBAAmB,GAAG,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC,EAAE,gBAAgB,EAAS,CAAC;YAChE,qBAAqB,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;QACvC,CAAC;QAED,0DAA0D;QAC1D,IAAI,MAAM,GAAa,IAAI,CAAC,MAAM,IAAI,EAAE,CAAC;QACzC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;YACjB,MAAM,QAAQ,GAAG,CAAC,IAAI,CAAC,MAAM,IAAI,CAAE,IAAI,CAAC,MAAc,CAAC,OAAO,CAAC,IAAK,IAAI,CAAC,MAAc,CAAC,KAAK,CAAC,CAAC,CAAY,CAAC;YAC5G,MAAM,GAAG,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC;gBAC9B,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC;gBACtB,CAAC,CAAC,OAAO,QAAQ,KAAK,QAAQ;oBAC5B,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC;oBAC1C,CAAC,CAAC,EAAE,CAAC;QACX,CAAC;QAED,OAAO,IAAI,wCAAkB,CAAC;YAC5B,IAAI,EAAE,MAAM;YACZ,EAAE,EAAE,IAAI,CAAC,KAAK;YACd,SAAS,EAAE,IAAI,CAAC,SAAS;YACzB,KAAK;YACL,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,MAAM,EAAE,OAAO,CAAC,MAAM;YACtB,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,mBAAmB,EAAE,mBAA0B;YAC/C,qBAAqB,EAAE,qBAA4B;YACnD,cAAc;YACd,gBAAgB,EAAE,MAAM;YACxB,mBAAmB,EAAE,EAAE,EAAE,YAAY;YACrC,MAAM;YACN,eAAe,EAAE,IAAI,CAAC,eAAe;YACrC,iBAAiB,EAAE,IAAI,CAAC,iBAAiB;YACzC,iBAAiB,EAAE,IAAI,CAAC,iBAAiB;YACzC,mBAAmB,EAAE,IAAI,CAAC,mBAAmB;SACvC,CAAC,CAAC;IACZ,CAAC;CACF;AA7GD,wCA6GC","sourcesContent":["// auth/session/session.service.ts\nimport { StatelessSession } from './record/session.stateless';\nimport { StatefulSession } from './record/session.stateful';\nimport { Scope } from '../../scope';\nimport { CreateSessionArgs } from './session.types';\nimport { TransparentSession } from './record/session.transparent';\nimport { Authorization } from '../../common';\nimport { ScopedInMemoryStore } from '../../store';\nimport { encryptJson } from './utils/session-id.utils';\n\nexport class SessionService {\n  private store = new ScopedInMemoryStore()\n\n\n  async keyOf(authorization: Authorization) {\n    const sessionKey = encryptJson({token:authorization.token});\n    if(authorization.session){\n\n    }\n  }\n\n  /**\n   * Create and persist a new Session from verified auth data.\n   * The returned Session exposes async token helpers, scoped view, and transport JWT helpers.\n   */\n  async createSession(scope: Scope, args: CreateSessionArgs) {\n    if (scope.orchestrated) {\n      return this.createOrchestratedSession(scope, args);\n    } else {\n      return this.createTransparentSession(scope, args);\n    }\n  }\n\n  private createOrchestratedSession(scope: Scope, args: CreateSessionArgs) {\n    const stateless = scope.metadata.session?.sessionMode === 'stateless';\n    if (stateless) {\n      return new StatelessSession(args as any);\n    } else {\n      return new StatefulSession(args as any);\n    }\n  }\n\n  private createTransparentSession(scope: Scope, args: CreateSessionArgs) {\n    const primary = scope.auth;\n\n    const apps = scope.apps.getApps();\n    const appIds = apps.map((app) => app.id);\n\n    // Prefer precomputed projections when provided\n    let authorizedApps: Record<string, { id: string; toolIds: string[] }> = args.authorizedApps ?? {};\n    if (!args.authorizedApps) {\n      authorizedApps = {};\n      for (const app of apps) {\n        try {\n          const toolNames = app.tools.getTools().map((t) => String(t.metadata.name));\n          authorizedApps[app.id] = { id: app.id, toolIds: toolNames };\n        } catch {\n          authorizedApps[app.id] = { id: app.id, toolIds: [] };\n        }\n      }\n    }\n\n    // TODO: the authorized resources should be computed from the oauth-protected-resource flow\n    // let authorizedResources: string[] = args.authorizedResources ?? [];\n    // if (!args.authorizedResources) {\n    //   authorizedResources = [];\n    // }\n\n    // Providers snapshot\n    let authorizedProviders = args.authorizedProviders;\n    let authorizedProviderIds = args.authorizedProviderIds;\n    if (!authorizedProviders || !authorizedProviderIds) {\n      const expClaim =\n        args.claims && typeof (args.claims as any)['exp'] === 'number'\n          ? Number((args.claims as any)['exp'])\n          : undefined;\n      const providerSnapshot = {\n        id: primary.id,\n        exp: expClaim,\n        payload: args.claims ?? {},\n        apps: appIds.map((id) => ({ id, toolIds: authorizedApps[id]?.toolIds ?? [] })),\n        embedMode: 'plain' as const,\n      };\n      authorizedProviders = { [primary.id]: providerSnapshot } as any;\n      authorizedProviderIds = [primary.id];\n    }\n\n    // resolve granted scopes from token claims (scope or scp)\n    let scopes: string[] = args.scopes ?? [];\n    if (!args.scopes) {\n      const rawScope = (args.claims && ((args.claims as any)['scope'] ?? (args.claims as any)['scp'])) as unknown;\n      scopes = Array.isArray(rawScope)\n        ? rawScope.map(String)\n        : typeof rawScope === 'string'\n          ? rawScope.split(/[\\s,]+/).filter(Boolean)\n          : [];\n    }\n\n    return new TransparentSession({\n      apps: appIds,\n      id: args.token,\n      sessionId: args.sessionId,\n      scope,\n      user: args.user,\n      issuer: primary.issuer,\n      token: args.token,\n      claims: args.claims,\n      authorizedProviders: authorizedProviders as any,\n      authorizedProviderIds: authorizedProviderIds as any,\n      authorizedApps,\n      authorizedAppIds: appIds,\n      authorizedResources: [], // TODO: fix\n      scopes,\n      authorizedTools: args.authorizedTools,\n      authorizedToolIds: args.authorizedToolIds,\n      authorizedPrompts: args.authorizedPrompts,\n      authorizedPromptIds: args.authorizedPromptIds,\n    } as any);\n  }\n}\n"]}
+{"version":3,"file":"session.service.js","sourceRoot":"","sources":["../../../../src/auth/session/session.service.ts"],"names":[],"mappings":";;;AAAA,kCAAkC;AAClC,kEAA8D;AAC9D,gEAA4D;AAG5D,sEAAkE;AAClE,uCAAkD;AAElD,MAAa,cAAc;IACjB,KAAK,GAAG,IAAI,2BAAmB,EAAE,CAAC;IAE1C;;;OAGG;IACH,KAAK,CAAC,aAAa,CAAC,KAAY,EAAE,IAAuB;QACvD,IAAI,KAAK,CAAC,YAAY,EAAE,CAAC;YACvB,OAAO,IAAI,CAAC,yBAAyB,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;QACrD,CAAC;aAAM,CAAC;YACN,OAAO,IAAI,CAAC,wBAAwB,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;QACpD,CAAC;IACH,CAAC;IAEO,yBAAyB,CAAC,KAAY,EAAE,IAAuB;QACrE,MAAM,SAAS,GAAG,KAAK,CAAC,QAAQ,CAAC,SAAS,EAAE,WAAW,KAAK,WAAW,CAAC;QACxE,IAAI,SAAS,EAAE,CAAC;YACd,OAAO,IAAI,oCAAgB,CAAC,IAAW,CAAC,CAAC;QAC3C,CAAC;aAAM,CAAC;YACN,OAAO,IAAI,kCAAe,CAAC,IAAW,CAAC,CAAC;QAC1C,CAAC;IACH,CAAC;IAEO,wBAAwB,CAAC,KAAY,EAAE,IAAuB;QACpE,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,CAAC;QAE3B,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;QAClC,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAEzC,+CAA+C;QAC/C,IAAI,cAAc,GAAsD,IAAI,CAAC,cAAc,IAAI,EAAE,CAAC;QAClG,IAAI,CAAC,IAAI,CAAC,cAAc,EAAE,CAAC;YACzB,cAAc,GAAG,EAAE,CAAC;YACpB,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;gBACvB,IAAI,CAAC;oBACH,MAAM,SAAS,GAAG,GAAG,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC;oBAC3E,cAAc,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,EAAE,EAAE,EAAE,GAAG,CAAC,EAAE,EAAE,OAAO,EAAE,SAAS,EAAE,CAAC;gBAC9D,CAAC;gBAAC,MAAM,CAAC;oBACP,cAAc,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,EAAE,EAAE,EAAE,GAAG,CAAC,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;gBACvD,CAAC;YACH,CAAC;QACH,CAAC;QAED,2FAA2F;QAC3F,sEAAsE;QACtE,mCAAmC;QACnC,8BAA8B;QAC9B,IAAI;QAEJ,qBAAqB;QACrB,IAAI,mBAAmB,GAAG,IAAI,CAAC,mBAAmB,CAAC;QACnD,IAAI,qBAAqB,GAAG,IAAI,CAAC,qBAAqB,CAAC;QACvD,IAAI,CAAC,mBAAmB,IAAI,CAAC,qBAAqB,EAAE,CAAC;YACnD,MAAM,QAAQ,GACZ,IAAI,CAAC,MAAM,IAAI,OAAQ,IAAI,CAAC,MAAc,CAAC,KAAK,CAAC,KAAK,QAAQ;gBAC5D,CAAC,CAAC,MAAM,CAAE,IAAI,CAAC,MAAc,CAAC,KAAK,CAAC,CAAC;gBACrC,CAAC,CAAC,SAAS,CAAC;YAChB,MAAM,gBAAgB,GAAG;gBACvB,EAAE,EAAE,OAAO,CAAC,EAAE;gBACd,GAAG,EAAE,QAAQ;gBACb,OAAO,EAAE,IAAI,CAAC,MAAM,IAAI,EAAE;gBAC1B,IAAI,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,EAAE,EAAE,EAAE,OAAO,EAAE,cAAc,CAAC,EAAE,CAAC,EAAE,OAAO,IAAI,EAAE,EAAE,CAAC,CAAC;gBAC9E,SAAS,EAAE,OAAgB;aAC5B,CAAC;YACF,mBAAmB,GAAG,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC,EAAE,gBAAgB,EAAS,CAAC;YAChE,qBAAqB,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;QACvC,CAAC;QAED,0DAA0D;QAC1D,IAAI,MAAM,GAAa,IAAI,CAAC,MAAM,IAAI,EAAE,CAAC;QACzC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;YACjB,MAAM,QAAQ,GAAG,CAAC,IAAI,CAAC,MAAM,IAAI,CAAE,IAAI,CAAC,MAAc,CAAC,OAAO,CAAC,IAAK,IAAI,CAAC,MAAc,CAAC,KAAK,CAAC,CAAC,CAAY,CAAC;YAC5G,MAAM,GAAG,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC;gBAC9B,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC;gBACtB,CAAC,CAAC,OAAO,QAAQ,KAAK,QAAQ;oBAC9B,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC;oBAC1C,CAAC,CAAC,EAAE,CAAC;QACT,CAAC;QAED,OAAO,IAAI,wCAAkB,CAAC;YAC5B,IAAI,EAAE,MAAM;YACZ,EAAE,EAAE,IAAI,CAAC,KAAK;YACd,SAAS,EAAE,IAAI,CAAC,SAAS;YACzB,KAAK;YACL,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,MAAM,EAAE,OAAO,CAAC,MAAM;YACtB,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,mBAAmB,EAAE,mBAA0B;YAC/C,qBAAqB,EAAE,qBAA4B;YACnD,cAAc;YACd,gBAAgB,EAAE,MAAM;YACxB,mBAAmB,EAAE,EAAE,EAAE,YAAY;YACrC,MAAM;YACN,eAAe,EAAE,IAAI,CAAC,eAAe;YACrC,iBAAiB,EAAE,IAAI,CAAC,iBAAiB;YACzC,iBAAiB,EAAE,IAAI,CAAC,iBAAiB;YACzC,mBAAmB,EAAE,IAAI,CAAC,mBAAmB;SACvC,CAAC,CAAC;IACZ,CAAC;CACF;AArGD,wCAqGC","sourcesContent":["// auth/session/session.service.ts\nimport { StatelessSession } from './record/session.stateless';\nimport { StatefulSession } from './record/session.stateful';\nimport { Scope } from '../../scope';\nimport { CreateSessionArgs } from './session.types';\nimport { TransparentSession } from './record/session.transparent';\nimport { ScopedInMemoryStore } from '../../store';\n\nexport class SessionService {\n  private store = new ScopedInMemoryStore();\n\n  /**\n   * Create and persist a new Session from verified auth data.\n   * The returned Session exposes async token helpers, scoped view, and transport JWT helpers.\n   */\n  async createSession(scope: Scope, args: CreateSessionArgs) {\n    if (scope.orchestrated) {\n      return this.createOrchestratedSession(scope, args);\n    } else {\n      return this.createTransparentSession(scope, args);\n    }\n  }\n\n  private createOrchestratedSession(scope: Scope, args: CreateSessionArgs) {\n    const stateless = scope.metadata.transport?.sessionMode === 'stateless';\n    if (stateless) {\n      return new StatelessSession(args as any);\n    } else {\n      return new StatefulSession(args as any);\n    }\n  }\n\n  private createTransparentSession(scope: Scope, args: CreateSessionArgs) {\n    const primary = scope.auth;\n\n    const apps = scope.apps.getApps();\n    const appIds = apps.map((app) => app.id);\n\n    // Prefer precomputed projections when provided\n    let authorizedApps: Record<string, { id: string; toolIds: string[] }> = args.authorizedApps ?? {};\n    if (!args.authorizedApps) {\n      authorizedApps = {};\n      for (const app of apps) {\n        try {\n          const toolNames = app.tools.getTools().map((t) => String(t.metadata.name));\n          authorizedApps[app.id] = { id: app.id, toolIds: toolNames };\n        } catch {\n          authorizedApps[app.id] = { id: app.id, toolIds: [] };\n        }\n      }\n    }\n\n    // TODO: the authorized resources should be computed from the oauth-protected-resource flow\n    // let authorizedResources: string[] = args.authorizedResources ?? [];\n    // if (!args.authorizedResources) {\n    //   authorizedResources = [];\n    // }\n\n    // Providers snapshot\n    let authorizedProviders = args.authorizedProviders;\n    let authorizedProviderIds = args.authorizedProviderIds;\n    if (!authorizedProviders || !authorizedProviderIds) {\n      const expClaim =\n        args.claims && typeof (args.claims as any)['exp'] === 'number'\n          ? Number((args.claims as any)['exp'])\n          : undefined;\n      const providerSnapshot = {\n        id: primary.id,\n        exp: expClaim,\n        payload: args.claims ?? {},\n        apps: appIds.map((id) => ({ id, toolIds: authorizedApps[id]?.toolIds ?? [] })),\n        embedMode: 'plain' as const,\n      };\n      authorizedProviders = { [primary.id]: providerSnapshot } as any;\n      authorizedProviderIds = [primary.id];\n    }\n\n    // resolve granted scopes from token claims (scope or scp)\n    let scopes: string[] = args.scopes ?? [];\n    if (!args.scopes) {\n      const rawScope = (args.claims && ((args.claims as any)['scope'] ?? (args.claims as any)['scp'])) as unknown;\n      scopes = Array.isArray(rawScope)\n        ? rawScope.map(String)\n        : typeof rawScope === 'string'\n        ? rawScope.split(/[\\s,]+/).filter(Boolean)\n        : [];\n    }\n\n    return new TransparentSession({\n      apps: appIds,\n      id: args.token,\n      sessionId: args.sessionId,\n      scope,\n      user: args.user,\n      issuer: primary.issuer,\n      token: args.token,\n      claims: args.claims,\n      authorizedProviders: authorizedProviders as any,\n      authorizedProviderIds: authorizedProviderIds as any,\n      authorizedApps,\n      authorizedAppIds: appIds,\n      authorizedResources: [], // TODO: fix\n      scopes,\n      authorizedTools: args.authorizedTools,\n      authorizedToolIds: args.authorizedToolIds,\n      authorizedPrompts: args.authorizedPrompts,\n      authorizedPromptIds: args.authorizedPromptIds,\n    } as any);\n  }\n}\n"]}

package/src/auth/session/transport-session.manager.js

@@ -6,6 +6,7 @@ const crypto_1 = require("crypto");
 const session_id_utils_1 = require("./utils/session-id.utils");
 const session_crypto_1 = require("./session.crypto");
 const authorization_class_1 = require("../authorization/authorization.class");
+const redis_session_store_1 = require("./redis-session.store");
 /**
  * In-memory session store implementation
  */
@@ -93,11 +94,8 @@ class TransportSessionManager {
             this.store = new InMemorySessionStore();
         }
         else if (config.store === 'redis') {
-            // Redis store would be instantiated here
-            // For now, fall back to in-memory
-            // TODO: Implement RedisSessionStore
-            console.warn('[TransportSessionManager] Redis store requested but not implemented - falling back to in-memory');
-            this.store = new InMemorySessionStore();
+            // Instantiate Redis session store
+            this.store = new redis_session_store_1.RedisSessionStore(config.config);
         }
         else {
             this.store = new InMemorySessionStore();