npm - @frontmcp/sdk - Versions diffs - 0.6.0 → 0.6.2 - Mend

@frontmcp/sdk 0.6.0 → 0.6.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (1053) hide show

package/src/auth/authorization/transparent.authorization.js.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"file":"transparent.authorization.js","sourceRoot":"","sources":["../../../../src/auth/authorization/transparent.authorization.ts"],"names":[],"mappings":";AAAA,kDAAkD;;;AAElD,mCAAoC;AACpC,+DAA0D;AAmE1D;;;;;;;;GAQG;AACH,MAAa,wBAAyB,SAAQ,uCAAiB;IACpD,IAAI,GAAa,aAAa,CAAC;IAExC;;OAEG;IACM,UAAU,CAAS;IAE5B;;OAEG;IACM,YAAY,CAAU;IAE/B,YACE,GAGC;QAED,KAAK,CAAC,GAAG,CAAC,CAAC;QACX,IAAI,CAAC,UAAU,GAAG,GAAG,CAAC,UAAU,CAAC;QACjC,IAAI,CAAC,YAAY,GAAG,GAAG,CAAC,YAAY,CAAC;IACvC,CAAC;IAED;;;;;;;;;;;;;;;;;OAiBG;IACH,MAAM,CAAC,iBAAiB,CAAC,GAAsC;QAC7D,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,GAAG,WAAW,EAAE,GAAG,GAAG,CAAC;QAEzE,qCAAqC;QACrC,MAAM,IAAI,GAAa;YACrB,GAAG,EAAE,OAAO,CAAC,GAAG;YAChB,IAAI,EAAE,OAAO,CAAC,IAAI;YAClB,KAAK,EAAE,OAAO,CAAC,KAAK;YACpB,OAAO,EAAE,OAAO,CAAC,OAAO;YACxB,SAAS,EAAE,KAAK;SACjB,CAAC;QAEF,4BAA4B;QAC5B,MAAM,MAAM,GAAG,wBAAwB,CAAC,WAAW,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;QAEnE,0CAA0C;QAC1C,MAAM,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,GAAG,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC;QAE/D,6DAA6D;QAC7D,MAAM,EAAE,GAAG,wBAAwB,CAAC,uBAAuB,CAAC,KAAK,CAAC,CAAC;QAEnE,kDAAkD;QAClD,MAAM,gBAAgB,GAAqB;YACzC,EAAE,EAAE,UAAU;YACd,GAAG,EAAE,SAAS;YACd,OAAO,EAAE,OAAkC;YAC3C,SAAS,EAAE,OAAO,EAAE,yCAAyC;YAC7D,KAAK,EAAE,qBAAqB;SAC7B,CAAC;QAEF,OAAO,IAAI,wBAAwB,CAAC;YAClC,EAAE;YACF,WAAW,EAAE,KAAK;YAClB,IAAI;YACJ,MAAM,EAAE,OAAkC;YAC1C,SAAS;YACT,MAAM;YACN,KAAK;YACL,UAAU;YACV,YAAY;YACZ,mBAAmB,EAAE,EAAE,CAAC,UAAU,CAAC,EAAE,gBAAgB,EAAE;YACvD,qBAAqB,EAAE,CAAC,UAAU,CAAC;YACnC,GAAG,WAAW;SACf,CAAC,CAAC;IACL,CAAC;IAED;;;;;;;;OAQG;IACH,KAAK,CAAC,QAAQ,CAAC,WAAoB;QACjC,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;YAChB,MAAM,IAAI,KAAK,CAAC,+CAA+C,CAAC,CAAC;QACnE,CAAC;QACD,OAAO,IAAI,CAAC,KAAK,CAAC;IACpB,CAAC;IAED;;OAEG;IACK,MAAM,CAAC,WAAW,CAAC,KAAoC;QAC7D,IAAI,CAAC,KAAK;YAAE,OAAO,EAAE,CAAC;QACtB,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;YAAE,OAAO,KAAK,CAAC;QACvC,OAAO,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAC5C,CAAC;IAED;;;OAGG;IACK,MAAM,CAAC,uBAAuB,CAAC,KAAa;QAClD,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC/B,MAAM,SAAS,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC;QACpC,OAAO,IAAA,mBAAU,EAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAC/E,CAAC;IAED;;OAEG;IACH,IAAI,MAAM;QACR,OAAO,IAAI,CAAC,MAAM,EAAE,CAAC,KAAK,CAAuB,CAAC;IACpD,CAAC;IAED;;OAEG;IACH,IAAI,QAAQ;QACV,OAAO,IAAI,CAAC,MAAM,EAAE,CAAC,KAAK,CAAkC,CAAC;IAC/D,CAAC;IAED;;OAEG;IACH,WAAW,CAAC,GAAW;QACrB,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC;QAC/B,IAAI,CAAC,QAAQ;YAAE,OAAO,KAAK,CAAC;QAC5B,IAAI,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC;YAAE,OAAO,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;QAC3D,OAAO,QAAQ,KAAK,GAAG,CAAC;IAC1B,CAAC;CACF;AAlJD,4DAkJC","sourcesContent":["// auth/authorization/transparent.authorization.ts\n\nimport { createHash } from 'crypto';\nimport { AuthorizationBase } from './authorization.class';\nimport { AuthorizationCreateCtx, AuthUser } from './authorization.types';\nimport { ProviderSnapshot } from '../session/session.types';\nimport { AuthMode } from '../../common';\n\n/**\n * Verified JWT payload from transparent auth provider\n */\nexport interface TransparentVerifiedPayload {\n /** Subject identifier */\n sub: string;\n /** Issuer */\n iss?: string;\n /** Audience */\n aud?: string | string[];\n /** Expiration (seconds since epoch) */\n exp?: number;\n /** Issued at (seconds since epoch) */\n iat?: number;\n /** Scopes (space-separated or array) */\n scope?: string | string[];\n /** Display name */\n name?: string;\n /** Email */\n email?: string;\n /** Picture URL */\n picture?: string;\n /** Additional claims */\n [key: string]: unknown;\n}\n\n/**\n * Context for creating a TransparentAuthorization\n */\nexport interface TransparentAuthorizationCreateCtx {\n /**\n * The original bearer token (passed through to downstream)\n */\n token: string;\n\n /**\n * Verified JWT payload from the upstream provider\n */\n payload: TransparentVerifiedPayload;\n\n /**\n * Provider ID for this authorization\n */\n providerId: string;\n\n /**\n * Provider name for display/logging\n */\n providerName?: string;\n\n /**\n * Precomputed authorization projections\n */\n authorizedTools?: AuthorizationCreateCtx['authorizedTools'];\n authorizedToolIds?: string[];\n authorizedPrompts?: AuthorizationCreateCtx['authorizedPrompts'];\n authorizedPromptIds?: string[];\n authorizedApps?: AuthorizationCreateCtx['authorizedApps'];\n authorizedAppIds?: string[];\n authorizedResources?: string[];\n}\n\n/**\n * TransparentAuthorization - Pass-through OAuth tokens\n *\n * In transparent mode:\n * - The client's token is forwarded directly to downstream services\n * - Token validation happens via the upstream provider's JWKS\n * - getToken() returns the original bearer token\n * - Ideal when the auth server is the source of truth\n */\nexport class TransparentAuthorization extends AuthorizationBase {\n readonly mode: AuthMode = 'transparent';\n\n /**\n * Provider ID that issued the token\n */\n readonly providerId: string;\n\n /**\n * Provider display name\n */\n readonly providerName?: string;\n\n private constructor(\n ctx: AuthorizationCreateCtx & {\n providerId: string;\n providerName?: string;\n },\n ) {\n super(ctx);\n this.providerId = ctx.providerId;\n this.providerName = ctx.providerName;\n }\n\n /**\n * Create a TransparentAuthorization from a verified JWT\n *\n * @param ctx - Creation context with token and verified payload\n * @returns A new TransparentAuthorization instance\n *\n * @example\n * ```typescript\n * const auth = TransparentAuthorization.fromVerifiedToken({\n * token: bearerToken,\n * payload: verifiedClaims,\n * providerId: 'auth0',\n * });\n *\n * // Pass token through to downstream\n * const token = await auth.getToken();\n * ```\n */\n static fromVerifiedToken(ctx: TransparentAuthorizationCreateCtx): TransparentAuthorization {\n const { token, payload, providerId, providerName, ...projections } = ctx;\n\n // Extract user identity from payload\n const user: AuthUser = {\n sub: payload.sub,\n name: payload.name,\n email: payload.email,\n picture: payload.picture,\n anonymous: false,\n };\n\n // Parse scopes from payload\n const scopes = TransparentAuthorization.parseScopes(payload.scope);\n\n // Calculate expiration from JWT exp claim\n const expiresAt = payload.exp ? payload.exp * 1000 : undefined;\n\n // Generate authorization ID from token signature fingerprint\n const id = TransparentAuthorization.generateAuthorizationId(token);\n\n // Create provider snapshot for this authorization\n const providerSnapshot: ProviderSnapshot = {\n id: providerId,\n exp: expiresAt,\n payload: payload as Record<string, unknown>,\n embedMode: 'plain', // transparent mode keeps token in memory\n token, // the original token\n };\n\n return new TransparentAuthorization({\n id,\n isAnonymous: false,\n user,\n claims: payload as Record<string, unknown>,\n expiresAt,\n scopes,\n token,\n providerId,\n providerName,\n authorizedProviders: { [providerId]: providerSnapshot },\n authorizedProviderIds: [providerId],\n ...projections,\n });\n }\n\n /**\n * Get the original bearer token for pass-through\n *\n * In transparent mode, the same token is returned regardless of providerId\n * since only one provider (the upstream) issued the token.\n *\n * @param _providerId - Ignored in transparent mode\n * @returns The original bearer token\n */\n async getToken(_providerId?: string): Promise<string> {\n if (!this.token) {\n throw new Error('TransparentAuthorization: Token not available');\n }\n return this.token;\n }\n\n /**\n * Parse scope claim from JWT payload\n */\n private static parseScopes(scope: string | string[] | undefined): string[] {\n if (!scope) return [];\n if (Array.isArray(scope)) return scope;\n return scope.split(/\\s+/).filter(Boolean);\n }\n\n /**\n * Generate authorization ID from token signature\n * Uses SHA-256 fingerprint of the token signature for uniqueness\n */\n private static generateAuthorizationId(token: string): string {\n const parts = token.split('.');\n const signature = parts[2] || token;\n return createHash('sha256').update(signature).digest('hex').substring(0, 16);\n }\n\n /**\n * Get the issuer from the token claims\n */\n get issuer(): string | undefined {\n return this.claims?.['iss'] as string | undefined;\n }\n\n /**\n * Get the audience from the token claims\n */\n get audience(): string | string[] | undefined {\n return this.claims?.['aud'] as string | string[] | undefined;\n }\n\n /**\n * Check if the token was issued for a specific audience\n */\n hasAudience(aud: string): boolean {\n const tokenAud = this.audience;\n if (!tokenAud) return false;\n if (Array.isArray(tokenAud)) return tokenAud.includes(aud);\n return tokenAud === aud;\n }\n}\n"]}

package/src/auth/consent/consent.types.js DELETED Viewed

@@ -1,119 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.federatedSelectionSchema = exports.federatedLoginStateSchema = exports.federatedProviderItemSchema = exports.consentStateSchema = exports.consentSelectionSchema = exports.consentToolItemSchema = exports.consentConfigSchema = void 0;
-/**
- * Consent Flow Types and Schemas
- *
- * Defines types for the tool consent flow that allows users to select
- * which MCP tools they want to expose to the LLM.
- */
-const zod_1 = require("zod");
-const common_1 = require("../../common");
-Object.defineProperty(exports, "consentConfigSchema", { enumerable: true, get: function () { return common_1.consentConfigSchema; } });
-// ============================================
-// Consent Configuration Schemas
-// ============================================
-/**
- * Tool consent item schema - represents a tool available for consent
- */
-exports.consentToolItemSchema = zod_1.z.object({
-    /** Tool ID (e.g., 'slack:send_message') */
-    id: zod_1.z.string().min(1),
-    /** Tool name for display */
-    name: zod_1.z.string().min(1),
-    /** Tool description */
-    description: zod_1.z.string().optional(),
-    /** App ID this tool belongs to */
-    appId: zod_1.z.string().min(1),
-    /** App name for display */
-    appName: zod_1.z.string().min(1),
-    /** Whether the tool is selected by default */
-    defaultSelected: zod_1.z.boolean().default(true),
-    /** Whether this tool requires specific scopes */
-    requiredScopes: zod_1.z.array(zod_1.z.string()).optional(),
-    /** Category for grouping (e.g., 'read', 'write', 'admin') */
-    category: zod_1.z.string().optional(),
-});
-/**
- * Consent selection schema - user's tool selection
- */
-exports.consentSelectionSchema = zod_1.z.object({
-    /** Selected tool IDs */
-    selectedTools: zod_1.z.array(zod_1.z.string()),
-    /** Whether all tools were selected */
-    allSelected: zod_1.z.boolean(),
-    /** Timestamp when consent was given */
-    consentedAt: zod_1.z.string().datetime(),
-    /** Consent version for tracking changes */
-    consentVersion: zod_1.z.string().default('1.0'),
-});
-/**
- * Consent page state schema - stored in pending authorization
- */
-exports.consentStateSchema = zod_1.z.object({
-    /** Whether consent flow is enabled */
-    enabled: zod_1.z.boolean(),
-    /** Available tools for consent */
-    availableTools: zod_1.z.array(exports.consentToolItemSchema),
-    /** Pre-selected tools (from previous consent or defaults) */
-    preselectedTools: zod_1.z.array(zod_1.z.string()).optional(),
-    /** Whether to show all tools or group by app */
-    groupByApp: zod_1.z.boolean().default(true),
-    /** Custom consent message */
-    customMessage: zod_1.z.string().optional(),
-});
-// ============================================
-// Federated Login Schemas
-// ============================================
-/**
- * Auth provider item for federated login UI
- */
-exports.federatedProviderItemSchema = zod_1.z.object({
-    /** Provider ID (derived or explicit) */
-    id: zod_1.z.string().min(1),
-    /** Provider display name */
-    name: zod_1.z.string().min(1),
-    /** Provider description */
-    description: zod_1.z.string().optional(),
-    /** Provider icon URL or emoji */
-    icon: zod_1.z.string().optional(),
-    /** Provider type */
-    type: zod_1.z.enum(['local', 'remote', 'transparent']),
-    /** OAuth provider URL (for remote providers) */
-    providerUrl: zod_1.z.string().url().optional(),
-    /** Apps using this provider */
-    appIds: zod_1.z.array(zod_1.z.string()),
-    /** App names using this provider */
-    appNames: zod_1.z.array(zod_1.z.string()),
-    /** Scopes required by this provider */
-    scopes: zod_1.z.array(zod_1.z.string()),
-    /** Whether this is the primary/parent provider */
-    isPrimary: zod_1.z.boolean(),
-    /** Whether this provider is optional (can be skipped) */
-    isOptional: zod_1.z.boolean().default(false),
-});
-/**
- * Federated login state schema
- */
-exports.federatedLoginStateSchema = zod_1.z.object({
-    /** All available providers */
-    providers: zod_1.z.array(exports.federatedProviderItemSchema),
-    /** Primary provider ID (if any) */
-    primaryProviderId: zod_1.z.string().optional(),
-    /** Whether user can skip optional providers */
-    allowSkip: zod_1.z.boolean().default(true),
-    /** Pre-selected provider IDs (from previous session) */
-    preselectedProviders: zod_1.z.array(zod_1.z.string()).optional(),
-});
-/**
- * Federated login selection schema
- */
-exports.federatedSelectionSchema = zod_1.z.object({
-    /** Selected provider IDs */
-    selectedProviders: zod_1.z.array(zod_1.z.string()),
-    /** Skipped provider IDs */
-    skippedProviders: zod_1.z.array(zod_1.z.string()),
-    /** Provider-specific metadata */
-    providerMetadata: zod_1.z.record(zod_1.z.string(), zod_1.z.unknown()).optional(),
-});
-//# sourceMappingURL=consent.types.js.map

package/src/auth/consent/consent.types.js.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"file":"consent.types.js","sourceRoot":"","sources":["../../../../src/auth/consent/consent.types.ts"],"names":[],"mappings":";;;AAAA;;;;;GAKG;AACH,6BAAwB;AACxB,yCAAmD;AAG1C,oGAHA,4BAAmB,OAGA;AAE5B,+CAA+C;AAC/C,gCAAgC;AAChC,+CAA+C;AAE/C;;GAEG;AACU,QAAA,qBAAqB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC5C,2CAA2C;IAC3C,EAAE,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACrB,4BAA4B;IAC5B,IAAI,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACvB,uBAAuB;IACvB,WAAW,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAClC,kCAAkC;IAClC,KAAK,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACxB,2BAA2B;IAC3B,OAAO,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC1B,8CAA8C;IAC9C,eAAe,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IAC1C,iDAAiD;IACjD,cAAc,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IAC9C,6DAA6D;IAC7D,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CAChC,CAAC,CAAC;AAEH;;GAEG;AACU,QAAA,sBAAsB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC7C,wBAAwB;IACxB,aAAa,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC;IAClC,sCAAsC;IACtC,WAAW,EAAE,OAAC,CAAC,OAAO,EAAE;IACxB,uCAAuC;IACvC,WAAW,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAClC,2CAA2C;IAC3C,cAAc,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;CAC1C,CAAC,CAAC;AAEH;;GAEG;AACU,QAAA,kBAAkB,GAAG,OAAC,CAAC,MAAM,CAAC;IACzC,sCAAsC;IACtC,OAAO,EAAE,OAAC,CAAC,OAAO,EAAE;IACpB,kCAAkC;IAClC,cAAc,EAAE,OAAC,CAAC,KAAK,CAAC,6BAAqB,CAAC;IAC9C,6DAA6D;IAC7D,gBAAgB,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IAChD,gDAAgD;IAChD,UAAU,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IACrC,6BAA6B;IAC7B,aAAa,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CACrC,CAAC,CAAC;AACH,+CAA+C;AAC/C,0BAA0B;AAC1B,+CAA+C;AAE/C;;GAEG;AACU,QAAA,2BAA2B,GAAG,OAAC,CAAC,MAAM,CAAC;IAClD,wCAAwC;IACxC,EAAE,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACrB,4BAA4B;IAC5B,IAAI,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACvB,2BAA2B;IAC3B,WAAW,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAClC,iCAAiC;IACjC,IAAI,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC3B,oBAAoB;IACpB,IAAI,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,QAAQ,EAAE,aAAa,CAAC,CAAC;IAChD,gDAAgD;IAChD,WAAW,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IACxC,+BAA+B;IAC/B,MAAM,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC;IAC3B,oCAAoC;IACpC,QAAQ,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC;IAC7B,uCAAuC;IACvC,MAAM,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC;IAC3B,kDAAkD;IAClD,SAAS,EAAE,OAAC,CAAC,OAAO,EAAE;IACtB,yDAAyD;IACzD,UAAU,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;CACvC,CAAC,CAAC;AAEH;;GAEG;AACU,QAAA,yBAAyB,GAAG,OAAC,CAAC,MAAM,CAAC;IAChD,8BAA8B;IAC9B,SAAS,EAAE,OAAC,CAAC,KAAK,CAAC,mCAA2B,CAAC;IAC/C,mCAAmC;IACnC,iBAAiB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACxC,+CAA+C;IAC/C,SAAS,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IACpC,wDAAwD;IACxD,oBAAoB,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;CACrD,CAAC,CAAC;AAEH;;GAEG;AACU,QAAA,wBAAwB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC/C,4BAA4B;IAC5B,iBAAiB,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC;IACtC,2BAA2B;IAC3B,gBAAgB,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC;IACrC,iCAAiC;IACjC,gBAAgB,EAAE,OAAC,CAAC,MAAM,CAAC,OAAC,CAAC,MAAM,EAAE,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,EAAE;CAC/D,CAAC,CAAC","sourcesContent":["/**\n * Consent Flow Types and Schemas\n *\n * Defines types for the tool consent flow that allows users to select\n * which MCP tools they want to expose to the LLM.\n */\nimport { z } from 'zod';\nimport { consentConfigSchema } from '../../common';\n\n// Re-export schema for tests\nexport { consentConfigSchema };\n\n// ============================================\n// Consent Configuration Schemas\n// ============================================\n\n/**\n * Tool consent item schema - represents a tool available for consent\n */\nexport const consentToolItemSchema = z.object({\n /** Tool ID (e.g., 'slack:send_message') */\n id: z.string().min(1),\n /** Tool name for display */\n name: z.string().min(1),\n /** Tool description */\n description: z.string().optional(),\n /** App ID this tool belongs to */\n appId: z.string().min(1),\n /** App name for display */\n appName: z.string().min(1),\n /** Whether the tool is selected by default */\n defaultSelected: z.boolean().default(true),\n /** Whether this tool requires specific scopes */\n requiredScopes: z.array(z.string()).optional(),\n /** Category for grouping (e.g., 'read', 'write', 'admin') */\n category: z.string().optional(),\n});\n\n/**\n * Consent selection schema - user's tool selection\n */\nexport const consentSelectionSchema = z.object({\n /** Selected tool IDs */\n selectedTools: z.array(z.string()),\n /** Whether all tools were selected */\n allSelected: z.boolean(),\n /** Timestamp when consent was given */\n consentedAt: z.string().datetime(),\n /** Consent version for tracking changes */\n consentVersion: z.string().default('1.0'),\n});\n\n/**\n * Consent page state schema - stored in pending authorization\n */\nexport const consentStateSchema = z.object({\n /** Whether consent flow is enabled */\n enabled: z.boolean(),\n /** Available tools for consent */\n availableTools: z.array(consentToolItemSchema),\n /** Pre-selected tools (from previous consent or defaults) */\n preselectedTools: z.array(z.string()).optional(),\n /** Whether to show all tools or group by app */\n groupByApp: z.boolean().default(true),\n /** Custom consent message */\n customMessage: z.string().optional(),\n});\n// ============================================\n// Federated Login Schemas\n// ============================================\n\n/**\n * Auth provider item for federated login UI\n */\nexport const federatedProviderItemSchema = z.object({\n /** Provider ID (derived or explicit) */\n id: z.string().min(1),\n /** Provider display name */\n name: z.string().min(1),\n /** Provider description */\n description: z.string().optional(),\n /** Provider icon URL or emoji */\n icon: z.string().optional(),\n /** Provider type */\n type: z.enum(['local', 'remote', 'transparent']),\n /** OAuth provider URL (for remote providers) */\n providerUrl: z.string().url().optional(),\n /** Apps using this provider */\n appIds: z.array(z.string()),\n /** App names using this provider */\n appNames: z.array(z.string()),\n /** Scopes required by this provider */\n scopes: z.array(z.string()),\n /** Whether this is the primary/parent provider */\n isPrimary: z.boolean(),\n /** Whether this provider is optional (can be skipped) */\n isOptional: z.boolean().default(false),\n});\n\n/**\n * Federated login state schema\n */\nexport const federatedLoginStateSchema = z.object({\n /** All available providers */\n providers: z.array(federatedProviderItemSchema),\n /** Primary provider ID (if any) */\n primaryProviderId: z.string().optional(),\n /** Whether user can skip optional providers */\n allowSkip: z.boolean().default(true),\n /** Pre-selected provider IDs (from previous session) */\n preselectedProviders: z.array(z.string()).optional(),\n});\n\n/**\n * Federated login selection schema\n */\nexport const federatedSelectionSchema = z.object({\n /** Selected provider IDs */\n selectedProviders: z.array(z.string()),\n /** Skipped provider IDs */\n skippedProviders: z.array(z.string()),\n /** Provider-specific metadata */\n providerMetadata: z.record(z.string(), z.unknown()).optional(),\n});\n\n// ============================================\n// Type Exports\n// ============================================\n\nexport type ConsentToolItem = z.infer<typeof consentToolItemSchema>;\nexport type ConsentSelection = z.infer<typeof consentSelectionSchema>;\nexport type ConsentState = z.infer<typeof consentStateSchema>;\nexport type ConsentConfig = z.infer<typeof consentConfigSchema>;\nexport type ConsentConfigInput = z.input<typeof consentConfigSchema>;\n\nexport type FederatedProviderItem = z.infer<typeof federatedProviderItemSchema>;\nexport type FederatedLoginState = z.infer<typeof federatedLoginStateSchema>;\nexport type FederatedSelection = z.infer<typeof federatedSelectionSchema>;\n"]}

package/src/auth/consent/index.js DELETED Viewed

@@ -1,13 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.federatedSelectionSchema = exports.federatedLoginStateSchema = exports.federatedProviderItemSchema = exports.consentStateSchema = exports.consentSelectionSchema = exports.consentToolItemSchema = void 0;
-// Consent Module Exports
-var consent_types_1 = require("./consent.types");
-// Schemas
-Object.defineProperty(exports, "consentToolItemSchema", { enumerable: true, get: function () { return consent_types_1.consentToolItemSchema; } });
-Object.defineProperty(exports, "consentSelectionSchema", { enumerable: true, get: function () { return consent_types_1.consentSelectionSchema; } });
-Object.defineProperty(exports, "consentStateSchema", { enumerable: true, get: function () { return consent_types_1.consentStateSchema; } });
-Object.defineProperty(exports, "federatedProviderItemSchema", { enumerable: true, get: function () { return consent_types_1.federatedProviderItemSchema; } });
-Object.defineProperty(exports, "federatedLoginStateSchema", { enumerable: true, get: function () { return consent_types_1.federatedLoginStateSchema; } });
-Object.defineProperty(exports, "federatedSelectionSchema", { enumerable: true, get: function () { return consent_types_1.federatedSelectionSchema; } });
-//# sourceMappingURL=index.js.map

package/src/auth/consent/index.js.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../src/auth/consent/index.ts"],"names":[],"mappings":";;;AAAA,yBAAyB;AACzB,iDAiByB;AAhBvB,UAAU;AACV,sHAAA,qBAAqB,OAAA;AACrB,uHAAA,sBAAsB,OAAA;AACtB,mHAAA,kBAAkB,OAAA;AAClB,4HAAA,2BAA2B,OAAA;AAC3B,0HAAA,yBAAyB,OAAA;AACzB,yHAAA,wBAAwB,OAAA","sourcesContent":["// Consent Module Exports\nexport {\n // Schemas\n consentToolItemSchema,\n consentSelectionSchema,\n consentStateSchema,\n federatedProviderItemSchema,\n federatedLoginStateSchema,\n federatedSelectionSchema,\n // Types\n ConsentToolItem,\n ConsentSelection,\n ConsentState,\n ConsentConfig,\n ConsentConfigInput,\n FederatedProviderItem,\n FederatedLoginState,\n FederatedSelection,\n} from './consent.types';\n"]}

package/src/auth/detection/auth-provider-detection.js DELETED Viewed

@@ -1,230 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.authProviderDetectionResultSchema = exports.detectedAuthProviderSchema = void 0;
-exports.deriveProviderId = deriveProviderId;
-exports.detectAuthProviders = detectAuthProviders;
-exports.appRequiresOrchestration = appRequiresOrchestration;
-exports.getProviderScopes = getProviderScopes;
-exports.getProviderApps = getProviderApps;
-/**
- * Auth Provider Detection
- *
- * Detects unique auth providers across nested apps and determines
- * if orchestrated mode is required at the parent scope level.
- *
- * When multiple apps have different auth providers, the parent MUST
- * use orchestrated mode to properly manage tokens for each provider.
- */
-const zod_1 = require("zod");
-const common_1 = require("../../common");
-// ============================================
-// Schemas
-// ============================================
-/**
- * Schema for a detected auth provider
- */
-exports.detectedAuthProviderSchema = zod_1.z.object({
-    /** Unique provider ID (derived from URL or explicit id) */
-    id: zod_1.z.string(),
-    /** Provider URL (for remote providers) */
-    providerUrl: zod_1.z.string().optional(),
-    /** Auth mode of this provider */
-    mode: zod_1.z.enum(['public', 'transparent', 'orchestrated']),
-    /** App IDs that use this provider */
-    appIds: zod_1.z.array(zod_1.z.string()),
-    /** Collected OAuth scopes from all apps using this provider */
-    scopes: zod_1.z.array(zod_1.z.string()),
-    /** Whether this is the parent's provider */
-    isParentProvider: zod_1.z.boolean(),
-});
-/**
- * Schema for auth provider detection result
- */
-exports.authProviderDetectionResultSchema = zod_1.z.object({
-    /** Map of provider ID to detected provider info */
-    providers: zod_1.z.map(zod_1.z.string(), exports.detectedAuthProviderSchema),
-    /** Whether orchestration is required at parent level */
-    requiresOrchestration: zod_1.z.boolean(),
-    /** Parent provider ID (if any) */
-    parentProviderId: zod_1.z.string().optional(),
-    /** Child provider IDs (excluding parent) */
-    childProviderIds: zod_1.z.array(zod_1.z.string()),
-    /** Total unique provider count */
-    uniqueProviderCount: zod_1.z.number(),
-    /** Validation errors (if any) */
-    validationErrors: zod_1.z.array(zod_1.z.string()),
-    /** Warnings (non-fatal issues) */
-    warnings: zod_1.z.array(zod_1.z.string()),
-});
-// ============================================
-// Detection Functions
-// ============================================
-/**
- * Derive a stable provider ID from auth options
- */
-function deriveProviderId(options) {
-    if ((0, common_1.isPublicMode)(options)) {
-        return options.issuer ?? 'public';
-    }
-    if ((0, common_1.isTransparentMode)(options)) {
-        return options.remote.id ?? urlToProviderId(options.remote.provider);
-    }
-    if ((0, common_1.isOrchestratedMode)(options)) {
-        if ((0, common_1.isOrchestratedRemote)(options)) {
-            return options.remote.id ?? urlToProviderId(options.remote.provider);
-        }
-        // Local orchestrated - use issuer or 'local'
-        return options.local?.issuer ?? 'local';
-    }
-    return 'unknown';
-}
-/**
- * Convert URL to a safe provider ID
- */
-function urlToProviderId(url) {
-    try {
-        const parsed = new URL(url);
-        return parsed.hostname.replace(/\./g, '_');
-    }
-    catch {
-        return url.replace(/[^a-zA-Z0-9]/g, '_');
-    }
-}
-/**
- * Extract OAuth scopes from auth options
- */
-function extractScopes(options) {
-    if ((0, common_1.isTransparentMode)(options)) {
-        return options.requiredScopes || [];
-    }
-    if ((0, common_1.isOrchestratedMode)(options)) {
-        if ((0, common_1.isOrchestratedRemote)(options)) {
-            return options.remote.scopes || [];
-        }
-    }
-    return [];
-}
-/**
- * Detect all unique auth providers across parent and apps
- *
- * @param parentAuth - Parent scope's auth options (may be undefined)
- * @param apps - Array of app auth info
- * @returns Detection result with providers, validation, and requirements
- */
-function detectAuthProviders(parentAuth, apps) {
-    const providers = new Map();
-    const validationErrors = [];
-    const warnings = [];
-    let parentProviderId;
-    // Process parent auth if present
-    if (parentAuth) {
-        parentProviderId = deriveProviderId(parentAuth);
-        providers.set(parentProviderId, {
-            id: parentProviderId,
-            providerUrl: getProviderUrl(parentAuth),
-            mode: parentAuth.mode,
-            appIds: ['__parent__'],
-            scopes: extractScopes(parentAuth),
-            isParentProvider: true,
-        });
-    }
-    // Process each app's auth
-    for (const app of apps) {
-        if (!app.auth) {
-            // App inherits from parent - skip
-            continue;
-        }
-        const providerId = deriveProviderId(app.auth);
-        const existing = providers.get(providerId);
-        if (existing) {
-            // Same provider - merge app and scopes
-            existing.appIds.push(app.id);
-            const newScopes = extractScopes(app.auth);
-            existing.scopes = [...new Set([...existing.scopes, ...newScopes])];
-        }
-        else {
-            // New provider
-            providers.set(providerId, {
-                id: providerId,
-                providerUrl: getProviderUrl(app.auth),
-                mode: app.auth.mode,
-                appIds: [app.id],
-                scopes: extractScopes(app.auth),
-                isParentProvider: false,
-            });
-        }
-    }
-    // Determine child provider IDs (non-parent)
-    const childProviderIds = [...providers.keys()].filter((id) => id !== parentProviderId);
-    // Determine if orchestration is required
-    const uniqueProviderCount = providers.size;
-    const hasMultipleProviders = uniqueProviderCount > 1;
-    const hasChildOnlyProviders = childProviderIds.length > 0 && !parentProviderId;
-    const requiresOrchestration = hasMultipleProviders || hasChildOnlyProviders || (childProviderIds.length > 0 && parentProviderId !== undefined);
-    // Validate configuration
-    if (requiresOrchestration && parentAuth && (0, common_1.isTransparentMode)(parentAuth)) {
-        validationErrors.push(`Invalid auth configuration: Parent uses transparent mode but apps have their own auth providers. ` +
-            `Transparent mode passes tokens through without modification, which is incompatible with multi-provider setups. ` +
-            `Change parent auth to orchestrated mode to properly manage tokens for each provider. ` +
-            `Detected providers: ${[...providers.keys()].join(', ')}`);
-    }
-    // Add warnings for potential issues
-    if (uniqueProviderCount > 1 && parentAuth && (0, common_1.isPublicMode)(parentAuth)) {
-        warnings.push(`Parent uses public mode but apps have auth providers configured. ` +
-            `App-level auth will be used, but consider using orchestrated mode at parent for unified auth management.`);
-    }
-    return {
-        providers,
-        requiresOrchestration,
-        parentProviderId,
-        childProviderIds,
-        uniqueProviderCount,
-        validationErrors,
-        warnings,
-    };
-}
-/**
- * Get provider URL from auth options (if remote)
- */
-function getProviderUrl(options) {
-    if ((0, common_1.isTransparentMode)(options)) {
-        return options.remote.provider;
-    }
-    if ((0, common_1.isOrchestratedMode)(options) && (0, common_1.isOrchestratedRemote)(options)) {
-        return options.remote.provider;
-    }
-    return undefined;
-}
-/**
- * Check if a specific app requires orchestration
- * (i.e., has a different provider than parent)
- */
-function appRequiresOrchestration(appAuth, parentAuth) {
-    // No app auth = inherits from parent
-    if (!appAuth) {
-        return false;
-    }
-    // No parent auth = app manages its own auth
-    if (!parentAuth) {
-        return appAuth.mode !== 'public';
-    }
-    // Compare provider IDs
-    const appProviderId = deriveProviderId(appAuth);
-    const parentProviderId = deriveProviderId(parentAuth);
-    return appProviderId !== parentProviderId;
-}
-/**
- * Get all OAuth scopes needed for a provider across all apps
- */
-function getProviderScopes(detection, providerId) {
-    const provider = detection.providers.get(providerId);
-    return provider?.scopes ?? [];
-}
-/**
- * Get apps that use a specific provider
- */
-function getProviderApps(detection, providerId) {
-    const provider = detection.providers.get(providerId);
-    return provider?.appIds.filter((id) => id !== '__parent__') ?? [];
-}
-//# sourceMappingURL=auth-provider-detection.js.map

package/src/auth/detection/auth-provider-detection.js.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"file":"auth-provider-detection.js","sourceRoot":"","sources":["../../../../src/auth/detection/auth-provider-detection.ts"],"names":[],"mappings":";;;AA6EA,4CAkBC;AAsCD,kDAyFC;AAqBD,4DAmBC;AAKD,8CAGC;AAKD,0CAGC;AAtRD;;;;;;;;GAQG;AACH,6BAAwB;AACxB,yCAAsH;AAEtH,+CAA+C;AAC/C,UAAU;AACV,+CAA+C;AAE/C;;GAEG;AACU,QAAA,0BAA0B,GAAG,OAAC,CAAC,MAAM,CAAC;IACjD,2DAA2D;IAC3D,EAAE,EAAE,OAAC,CAAC,MAAM,EAAE;IACd,0CAA0C;IAC1C,WAAW,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAClC,iCAAiC;IACjC,IAAI,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,QAAQ,EAAE,aAAa,EAAE,cAAc,CAAC,CAAC;IACvD,qCAAqC;IACrC,MAAM,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC;IAC3B,+DAA+D;IAC/D,MAAM,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC;IAC3B,4CAA4C;IAC5C,gBAAgB,EAAE,OAAC,CAAC,OAAO,EAAE;CAC9B,CAAC,CAAC;AAEH;;GAEG;AACU,QAAA,iCAAiC,GAAG,OAAC,CAAC,MAAM,CAAC;IACxD,mDAAmD;IACnD,SAAS,EAAE,OAAC,CAAC,GAAG,CAAC,OAAC,CAAC,MAAM,EAAE,EAAE,kCAA0B,CAAC;IACxD,wDAAwD;IACxD,qBAAqB,EAAE,OAAC,CAAC,OAAO,EAAE;IAClC,kCAAkC;IAClC,gBAAgB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACvC,4CAA4C;IAC5C,gBAAgB,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC;IACrC,kCAAkC;IAClC,mBAAmB,EAAE,OAAC,CAAC,MAAM,EAAE;IAC/B,iCAAiC;IACjC,gBAAgB,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC;IACrC,kCAAkC;IAClC,QAAQ,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC;CAC9B,CAAC,CAAC;AAkBH,+CAA+C;AAC/C,sBAAsB;AACtB,+CAA+C;AAE/C;;GAEG;AACH,SAAgB,gBAAgB,CAAC,OAAoB;IACnD,IAAI,IAAA,qBAAY,EAAC,OAAO,CAAC,EAAE,CAAC;QAC1B,OAAO,OAAO,CAAC,MAAM,IAAI,QAAQ,CAAC;IACpC,CAAC;IAED,IAAI,IAAA,0BAAiB,EAAC,OAAO,CAAC,EAAE,CAAC;QAC/B,OAAO,OAAO,CAAC,MAAM,CAAC,EAAE,IAAI,eAAe,CAAC,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IACvE,CAAC;IAED,IAAI,IAAA,2BAAkB,EAAC,OAAO,CAAC,EAAE,CAAC;QAChC,IAAI,IAAA,6BAAoB,EAAC,OAAO,CAAC,EAAE,CAAC;YAClC,OAAO,OAAO,CAAC,MAAM,CAAC,EAAE,IAAI,eAAe,CAAC,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QACvE,CAAC;QACD,6CAA6C;QAC7C,OAAO,OAAO,CAAC,KAAK,EAAE,MAAM,IAAI,OAAO,CAAC;IAC1C,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CAAC,GAAW;IAClC,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;QAC5B,OAAO,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IAC7C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,GAAG,CAAC,OAAO,CAAC,eAAe,EAAE,GAAG,CAAC,CAAC;IAC3C,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,aAAa,CAAC,OAAoB;IACzC,IAAI,IAAA,0BAAiB,EAAC,OAAO,CAAC,EAAE,CAAC;QAC/B,OAAO,OAAO,CAAC,cAAc,IAAI,EAAE,CAAC;IACtC,CAAC;IAED,IAAI,IAAA,2BAAkB,EAAC,OAAO,CAAC,EAAE,CAAC;QAChC,IAAI,IAAA,6BAAoB,EAAC,OAAO,CAAC,EAAE,CAAC;YAClC,OAAO,OAAO,CAAC,MAAM,CAAC,MAAM,IAAI,EAAE,CAAC;QACrC,CAAC;IACH,CAAC;IAED,OAAO,EAAE,CAAC;AACZ,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,mBAAmB,CACjC,UAAmC,EACnC,IAAmB;IAEnB,MAAM,SAAS,GAAG,IAAI,GAAG,EAAgC,CAAC;IAC1D,MAAM,gBAAgB,GAAa,EAAE,CAAC;IACtC,MAAM,QAAQ,GAAa,EAAE,CAAC;IAC9B,IAAI,gBAAoC,CAAC;IAEzC,iCAAiC;IACjC,IAAI,UAAU,EAAE,CAAC;QACf,gBAAgB,GAAG,gBAAgB,CAAC,UAAU,CAAC,CAAC;QAEhD,SAAS,CAAC,GAAG,CAAC,gBAAgB,EAAE;YAC9B,EAAE,EAAE,gBAAgB;YACpB,WAAW,EAAE,cAAc,CAAC,UAAU,CAAC;YACvC,IAAI,EAAE,UAAU,CAAC,IAAI;YACrB,MAAM,EAAE,CAAC,YAAY,CAAC;YACtB,MAAM,EAAE,aAAa,CAAC,UAAU,CAAC;YACjC,gBAAgB,EAAE,IAAI;SACvB,CAAC,CAAC;IACL,CAAC;IAED,0BAA0B;IAC1B,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;YACd,kCAAkC;YAClC,SAAS;QACX,CAAC;QAED,MAAM,UAAU,GAAG,gBAAgB,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QAC9C,MAAM,QAAQ,GAAG,SAAS,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;QAE3C,IAAI,QAAQ,EAAE,CAAC;YACb,uCAAuC;YACvC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YAC7B,MAAM,SAAS,GAAG,aAAa,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;YAC1C,QAAQ,CAAC,MAAM,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,CAAC,GAAG,QAAQ,CAAC,MAAM,EAAE,GAAG,SAAS,CAAC,CAAC,CAAC,CAAC;QACrE,CAAC;aAAM,CAAC;YACN,eAAe;YACf,SAAS,CAAC,GAAG,CAAC,UAAU,EAAE;gBACxB,EAAE,EAAE,UAAU;gBACd,WAAW,EAAE,cAAc,CAAC,GAAG,CAAC,IAAI,CAAC;gBACrC,IAAI,EAAE,GAAG,CAAC,IAAI,CAAC,IAAI;gBACnB,MAAM,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC;gBAChB,MAAM,EAAE,aAAa,CAAC,GAAG,CAAC,IAAI,CAAC;gBAC/B,gBAAgB,EAAE,KAAK;aACxB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,4CAA4C;IAC5C,MAAM,gBAAgB,GAAG,CAAC,GAAG,SAAS,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,KAAK,gBAAgB,CAAC,CAAC;IAEvF,yCAAyC;IACzC,MAAM,mBAAmB,GAAG,SAAS,CAAC,IAAI,CAAC;IAC3C,MAAM,oBAAoB,GAAG,mBAAmB,GAAG,CAAC,CAAC;IACrD,MAAM,qBAAqB,GAAG,gBAAgB,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,gBAAgB,CAAC;IAE/E,MAAM,qBAAqB,GACzB,oBAAoB,IAAI,qBAAqB,IAAI,CAAC,gBAAgB,CAAC,MAAM,GAAG,CAAC,IAAI,gBAAgB,KAAK,SAAS,CAAC,CAAC;IAEnH,yBAAyB;IACzB,IAAI,qBAAqB,IAAI,UAAU,IAAI,IAAA,0BAAiB,EAAC,UAAU,CAAC,EAAE,CAAC;QACzE,gBAAgB,CAAC,IAAI,CACnB,mGAAmG;YACjG,iHAAiH;YACjH,uFAAuF;YACvF,uBAAuB,CAAC,GAAG,SAAS,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAC5D,CAAC;IACJ,CAAC;IAED,oCAAoC;IACpC,IAAI,mBAAmB,GAAG,CAAC,IAAI,UAAU,IAAI,IAAA,qBAAY,EAAC,UAAU,CAAC,EAAE,CAAC;QACtE,QAAQ,CAAC,IAAI,CACX,mEAAmE;YACjE,0GAA0G,CAC7G,CAAC;IACJ,CAAC;IAED,OAAO;QACL,SAAS;QACT,qBAAqB;QACrB,gBAAgB;QAChB,gBAAgB;QAChB,mBAAmB;QACnB,gBAAgB;QAChB,QAAQ;KACT,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,cAAc,CAAC,OAAoB;IAC1C,IAAI,IAAA,0BAAiB,EAAC,OAAO,CAAC,EAAE,CAAC;QAC/B,OAAO,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC;IACjC,CAAC;IAED,IAAI,IAAA,2BAAkB,EAAC,OAAO,CAAC,IAAI,IAAA,6BAAoB,EAAC,OAAO,CAAC,EAAE,CAAC;QACjE,OAAO,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC;IACjC,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;;GAGG;AACH,SAAgB,wBAAwB,CACtC,OAAgC,EAChC,UAAmC;IAEnC,qCAAqC;IACrC,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO,KAAK,CAAC;IACf,CAAC;IAED,4CAA4C;IAC5C,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,OAAO,OAAO,CAAC,IAAI,KAAK,QAAQ,CAAC;IACnC,CAAC;IAED,uBAAuB;IACvB,MAAM,aAAa,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC;IAChD,MAAM,gBAAgB,GAAG,gBAAgB,CAAC,UAAU,CAAC,CAAC;IAEtD,OAAO,aAAa,KAAK,gBAAgB,CAAC;AAC5C,CAAC;AAED;;GAEG;AACH,SAAgB,iBAAiB,CAAC,SAAsC,EAAE,UAAkB;IAC1F,MAAM,QAAQ,GAAG,SAAS,CAAC,SAAS,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IACrD,OAAO,QAAQ,EAAE,MAAM,IAAI,EAAE,CAAC;AAChC,CAAC;AAED;;GAEG;AACH,SAAgB,eAAe,CAAC,SAAsC,EAAE,UAAkB;IACxF,MAAM,QAAQ,GAAG,SAAS,CAAC,SAAS,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IACrD,OAAO,QAAQ,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,KAAK,YAAY,CAAC,IAAI,EAAE,CAAC;AACpE,CAAC","sourcesContent":["/**\n * Auth Provider Detection\n *\n * Detects unique auth providers across nested apps and determines\n * if orchestrated mode is required at the parent scope level.\n *\n * When multiple apps have different auth providers, the parent MUST\n * use orchestrated mode to properly manage tokens for each provider.\n */\nimport { z } from 'zod';\nimport { AuthOptions, isPublicMode, isTransparentMode, isOrchestratedMode, isOrchestratedRemote } from '../../common';\n\n// ============================================\n// Schemas\n// ============================================\n\n/**\n * Schema for a detected auth provider\n */\nexport const detectedAuthProviderSchema = z.object({\n /** Unique provider ID (derived from URL or explicit id) */\n id: z.string(),\n /** Provider URL (for remote providers) */\n providerUrl: z.string().optional(),\n /** Auth mode of this provider */\n mode: z.enum(['public', 'transparent', 'orchestrated']),\n /** App IDs that use this provider */\n appIds: z.array(z.string()),\n /** Collected OAuth scopes from all apps using this provider */\n scopes: z.array(z.string()),\n /** Whether this is the parent's provider */\n isParentProvider: z.boolean(),\n});\n\n/**\n * Schema for auth provider detection result\n */\nexport const authProviderDetectionResultSchema = z.object({\n /** Map of provider ID to detected provider info */\n providers: z.map(z.string(), detectedAuthProviderSchema),\n /** Whether orchestration is required at parent level */\n requiresOrchestration: z.boolean(),\n /** Parent provider ID (if any) */\n parentProviderId: z.string().optional(),\n /** Child provider IDs (excluding parent) */\n childProviderIds: z.array(z.string()),\n /** Total unique provider count */\n uniqueProviderCount: z.number(),\n /** Validation errors (if any) */\n validationErrors: z.array(z.string()),\n /** Warnings (non-fatal issues) */\n warnings: z.array(z.string()),\n});\n\n// ============================================\n// Types\n// ============================================\n\nexport type DetectedAuthProvider = z.infer<typeof detectedAuthProviderSchema>;\nexport type AuthProviderDetectionResult = z.infer<typeof authProviderDetectionResultSchema>;\n\n/**\n * App auth info for detection (minimal interface)\n */\nexport interface AppAuthInfo {\n id: string;\n name: string;\n auth?: AuthOptions;\n}\n\n// ============================================\n// Detection Functions\n// ============================================\n\n/**\n * Derive a stable provider ID from auth options\n */\nexport function deriveProviderId(options: AuthOptions): string {\n if (isPublicMode(options)) {\n return options.issuer ?? 'public';\n }\n\n if (isTransparentMode(options)) {\n return options.remote.id ?? urlToProviderId(options.remote.provider);\n }\n\n if (isOrchestratedMode(options)) {\n if (isOrchestratedRemote(options)) {\n return options.remote.id ?? urlToProviderId(options.remote.provider);\n }\n // Local orchestrated - use issuer or 'local'\n return options.local?.issuer ?? 'local';\n }\n\n return 'unknown';\n}\n\n/**\n * Convert URL to a safe provider ID\n */\nfunction urlToProviderId(url: string): string {\n try {\n const parsed = new URL(url);\n return parsed.hostname.replace(/\\./g, '_');\n } catch {\n return url.replace(/[^a-zA-Z0-9]/g, '_');\n }\n}\n\n/**\n * Extract OAuth scopes from auth options\n */\nfunction extractScopes(options: AuthOptions): string[] {\n if (isTransparentMode(options)) {\n return options.requiredScopes || [];\n }\n\n if (isOrchestratedMode(options)) {\n if (isOrchestratedRemote(options)) {\n return options.remote.scopes || [];\n }\n }\n\n return [];\n}\n\n/**\n * Detect all unique auth providers across parent and apps\n *\n * @param parentAuth - Parent scope's auth options (may be undefined)\n * @param apps - Array of app auth info\n * @returns Detection result with providers, validation, and requirements\n */\nexport function detectAuthProviders(\n parentAuth: AuthOptions | undefined,\n apps: AppAuthInfo[],\n): AuthProviderDetectionResult {\n const providers = new Map<string, DetectedAuthProvider>();\n const validationErrors: string[] = [];\n const warnings: string[] = [];\n let parentProviderId: string | undefined;\n\n // Process parent auth if present\n if (parentAuth) {\n parentProviderId = deriveProviderId(parentAuth);\n\n providers.set(parentProviderId, {\n id: parentProviderId,\n providerUrl: getProviderUrl(parentAuth),\n mode: parentAuth.mode,\n appIds: ['__parent__'],\n scopes: extractScopes(parentAuth),\n isParentProvider: true,\n });\n }\n\n // Process each app's auth\n for (const app of apps) {\n if (!app.auth) {\n // App inherits from parent - skip\n continue;\n }\n\n const providerId = deriveProviderId(app.auth);\n const existing = providers.get(providerId);\n\n if (existing) {\n // Same provider - merge app and scopes\n existing.appIds.push(app.id);\n const newScopes = extractScopes(app.auth);\n existing.scopes = [...new Set([...existing.scopes, ...newScopes])];\n } else {\n // New provider\n providers.set(providerId, {\n id: providerId,\n providerUrl: getProviderUrl(app.auth),\n mode: app.auth.mode,\n appIds: [app.id],\n scopes: extractScopes(app.auth),\n isParentProvider: false,\n });\n }\n }\n\n // Determine child provider IDs (non-parent)\n const childProviderIds = [...providers.keys()].filter((id) => id !== parentProviderId);\n\n // Determine if orchestration is required\n const uniqueProviderCount = providers.size;\n const hasMultipleProviders = uniqueProviderCount > 1;\n const hasChildOnlyProviders = childProviderIds.length > 0 && !parentProviderId;\n\n const requiresOrchestration =\n hasMultipleProviders || hasChildOnlyProviders || (childProviderIds.length > 0 && parentProviderId !== undefined);\n\n // Validate configuration\n if (requiresOrchestration && parentAuth && isTransparentMode(parentAuth)) {\n validationErrors.push(\n `Invalid auth configuration: Parent uses transparent mode but apps have their own auth providers. ` +\n `Transparent mode passes tokens through without modification, which is incompatible with multi-provider setups. ` +\n `Change parent auth to orchestrated mode to properly manage tokens for each provider. ` +\n `Detected providers: ${[...providers.keys()].join(', ')}`,\n );\n }\n\n // Add warnings for potential issues\n if (uniqueProviderCount > 1 && parentAuth && isPublicMode(parentAuth)) {\n warnings.push(\n `Parent uses public mode but apps have auth providers configured. ` +\n `App-level auth will be used, but consider using orchestrated mode at parent for unified auth management.`,\n );\n }\n\n return {\n providers,\n requiresOrchestration,\n parentProviderId,\n childProviderIds,\n uniqueProviderCount,\n validationErrors,\n warnings,\n };\n}\n\n/**\n * Get provider URL from auth options (if remote)\n */\nfunction getProviderUrl(options: AuthOptions): string | undefined {\n if (isTransparentMode(options)) {\n return options.remote.provider;\n }\n\n if (isOrchestratedMode(options) && isOrchestratedRemote(options)) {\n return options.remote.provider;\n }\n\n return undefined;\n}\n\n/**\n * Check if a specific app requires orchestration\n * (i.e., has a different provider than parent)\n */\nexport function appRequiresOrchestration(\n appAuth: AuthOptions | undefined,\n parentAuth: AuthOptions | undefined,\n): boolean {\n // No app auth = inherits from parent\n if (!appAuth) {\n return false;\n }\n\n // No parent auth = app manages its own auth\n if (!parentAuth) {\n return appAuth.mode !== 'public';\n }\n\n // Compare provider IDs\n const appProviderId = deriveProviderId(appAuth);\n const parentProviderId = deriveProviderId(parentAuth);\n\n return appProviderId !== parentProviderId;\n}\n\n/**\n * Get all OAuth scopes needed for a provider across all apps\n */\nexport function getProviderScopes(detection: AuthProviderDetectionResult, providerId: string): string[] {\n const provider = detection.providers.get(providerId);\n return provider?.scopes ?? [];\n}\n\n/**\n * Get apps that use a specific provider\n */\nexport function getProviderApps(detection: AuthProviderDetectionResult, providerId: string): string[] {\n const provider = detection.providers.get(providerId);\n return provider?.appIds.filter((id) => id !== '__parent__') ?? [];\n}\n"]}

package/src/auth/detection/index.js DELETED Viewed

@@ -1,15 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.getProviderApps = exports.getProviderScopes = exports.appRequiresOrchestration = exports.deriveProviderId = exports.detectAuthProviders = exports.authProviderDetectionResultSchema = exports.detectedAuthProviderSchema = void 0;
-// Auth Provider Detection Module
-var auth_provider_detection_1 = require("./auth-provider-detection");
-// Schemas
-Object.defineProperty(exports, "detectedAuthProviderSchema", { enumerable: true, get: function () { return auth_provider_detection_1.detectedAuthProviderSchema; } });
-Object.defineProperty(exports, "authProviderDetectionResultSchema", { enumerable: true, get: function () { return auth_provider_detection_1.authProviderDetectionResultSchema; } });
-// Functions
-Object.defineProperty(exports, "detectAuthProviders", { enumerable: true, get: function () { return auth_provider_detection_1.detectAuthProviders; } });
-Object.defineProperty(exports, "deriveProviderId", { enumerable: true, get: function () { return auth_provider_detection_1.deriveProviderId; } });
-Object.defineProperty(exports, "appRequiresOrchestration", { enumerable: true, get: function () { return auth_provider_detection_1.appRequiresOrchestration; } });
-Object.defineProperty(exports, "getProviderScopes", { enumerable: true, get: function () { return auth_provider_detection_1.getProviderScopes; } });
-Object.defineProperty(exports, "getProviderApps", { enumerable: true, get: function () { return auth_provider_detection_1.getProviderApps; } });
-//# sourceMappingURL=index.js.map

package/src/auth/detection/index.js.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../src/auth/detection/index.ts"],"names":[],"mappings":";;;AAAA,iCAAiC;AACjC,qEAcmC;AAbjC,UAAU;AACV,qIAAA,0BAA0B,OAAA;AAC1B,4IAAA,iCAAiC,OAAA;AAKjC,YAAY;AACZ,8HAAA,mBAAmB,OAAA;AACnB,2HAAA,gBAAgB,OAAA;AAChB,mIAAA,wBAAwB,OAAA;AACxB,4HAAA,iBAAiB,OAAA;AACjB,0HAAA,eAAe,OAAA","sourcesContent":["// Auth Provider Detection Module\nexport {\n // Schemas\n detectedAuthProviderSchema,\n authProviderDetectionResultSchema,\n // Types\n DetectedAuthProvider,\n AuthProviderDetectionResult,\n AppAuthInfo,\n // Functions\n detectAuthProviders,\n deriveProviderId,\n appRequiresOrchestration,\n getProviderScopes,\n getProviderApps,\n} from './auth-provider-detection';\n"]}