@frontmcp/sdk 0.6.0 → 0.6.2

package/src/auth/session/authorization-vault.js

@@ -1,817 +0,0 @@
-"use strict";
-/**
- * Authorization Vault
- *
- * Secure storage for stateful authorization sessions.
- * Stores provider tokens, consent selections, and session metadata.
- *
- * Supports multiple credential types:
- * - OAuth tokens (access_token, refresh_token, scopes)
- * - API Keys (key value, header name)
- * - Basic Auth (username, password)
- * - Private Keys (PEM/JWK format for signing)
- * - Custom credentials (extensible)
- *
- * In stateful mode:
- * - Access token is a non-rotatable key to this vault
- * - All sensitive data stored server-side
- * - Supports incremental authorization via links
- *
- * In stateless mode:
- * - No vault used, all data in JWT claims
- * - No incremental authorization support
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.RedisAuthorizationVault = exports.InMemoryAuthorizationVault = exports.authorizationVaultEntrySchema = exports.pendingIncrementalAuthSchema = exports.vaultFederatedRecordSchema = exports.vaultConsentRecordSchema = exports.appCredentialSchema = exports.credentialSchema = exports.customCredentialSchema = exports.mtlsCredentialSchema = exports.privateKeyCredentialSchema = exports.bearerCredentialSchema = exports.basicAuthCredentialSchema = exports.apiKeyCredentialSchema = exports.oauthCredentialSchema = exports.credentialTypeSchema = void 0;
-const zod_1 = require("zod");
-const node_crypto_1 = require("node:crypto");
-// ============================================
-// Credential Type Enum
-// ============================================
-/**
- * Supported credential types for app authentication
- */
-exports.credentialTypeSchema = zod_1.z.enum([
-    'oauth', // OAuth 2.0 tokens
-    'api_key', // API key (header or query param)
-    'basic', // Basic auth (username:password)
-    'bearer', // Bearer token (static)
-    'private_key', // Private key for signing (JWT, etc.)
-    'mtls', // Mutual TLS certificate
-    'custom', // Custom credential type
-]);
-// ============================================
-// Credential Schemas by Type
-// ============================================
-/**
- * OAuth credential - standard OAuth 2.0 tokens
- */
-exports.oauthCredentialSchema = zod_1.z.object({
-    type: zod_1.z.literal('oauth'),
-    /** Access token */
-    accessToken: zod_1.z.string(),
-    /** Refresh token (optional) */
-    refreshToken: zod_1.z.string().optional(),
-    /** Token type (usually 'Bearer') */
-    tokenType: zod_1.z.string().default('Bearer'),
-    /** Token expiration timestamp (epoch ms) */
-    expiresAt: zod_1.z.number().optional(),
-    /** Granted scopes */
-    scopes: zod_1.z.array(zod_1.z.string()).default([]),
-    /** ID token for OIDC (optional) */
-    idToken: zod_1.z.string().optional(),
-});
-/**
- * API Key credential - sent in header or query param
- */
-exports.apiKeyCredentialSchema = zod_1.z.object({
-    type: zod_1.z.literal('api_key'),
-    /** The API key value */
-    key: zod_1.z.string().min(1),
-    /** Header name to use (e.g., 'X-API-Key', 'Authorization') */
-    headerName: zod_1.z.string().default('X-API-Key'),
-    /** Prefix for the header value (e.g., 'Bearer ', 'Api-Key ') */
-    headerPrefix: zod_1.z.string().optional(),
-    /** Alternative: send as query parameter */
-    queryParam: zod_1.z.string().optional(),
-});
-/**
- * Basic Auth credential - username and password
- */
-exports.basicAuthCredentialSchema = zod_1.z.object({
-    type: zod_1.z.literal('basic'),
-    /** Username */
-    username: zod_1.z.string().min(1),
-    /** Password */
-    password: zod_1.z.string(),
-    /** Pre-computed base64 encoded value (optional, for caching) */
-    encodedValue: zod_1.z.string().optional(),
-});
-/**
- * Bearer token credential - static bearer token
- */
-exports.bearerCredentialSchema = zod_1.z.object({
-    type: zod_1.z.literal('bearer'),
-    /** The bearer token value */
-    token: zod_1.z.string().min(1),
-    /** Token expiration (optional, for static tokens that expire) */
-    expiresAt: zod_1.z.number().optional(),
-});
-/**
- * Private key credential - for JWT signing or request signing
- */
-exports.privateKeyCredentialSchema = zod_1.z.object({
-    type: zod_1.z.literal('private_key'),
-    /** Key format */
-    format: zod_1.z.enum(['pem', 'jwk', 'pkcs8', 'pkcs12']),
-    /** The key data (PEM string or JWK JSON) */
-    keyData: zod_1.z.string(),
-    /** Key ID (for JWK) */
-    keyId: zod_1.z.string().optional(),
-    /** Algorithm to use for signing */
-    algorithm: zod_1.z.string().optional(),
-    /** Passphrase if key is encrypted */
-    passphrase: zod_1.z.string().optional(),
-    /** Associated certificate (for mTLS) */
-    certificate: zod_1.z.string().optional(),
-});
-/**
- * mTLS credential - client certificate for mutual TLS
- */
-exports.mtlsCredentialSchema = zod_1.z.object({
-    type: zod_1.z.literal('mtls'),
-    /** Client certificate (PEM format) */
-    certificate: zod_1.z.string(),
-    /** Private key (PEM format) */
-    privateKey: zod_1.z.string(),
-    /** Passphrase if private key is encrypted */
-    passphrase: zod_1.z.string().optional(),
-    /** CA certificate chain (optional) */
-    caCertificate: zod_1.z.string().optional(),
-});
-/**
- * Custom credential - extensible for app-specific auth
- */
-exports.customCredentialSchema = zod_1.z.object({
-    type: zod_1.z.literal('custom'),
-    /** Custom type identifier */
-    customType: zod_1.z.string().min(1),
-    /** Arbitrary credential data */
-    data: zod_1.z.record(zod_1.z.string(), zod_1.z.unknown()),
-    /** Headers to include in requests */
-    headers: zod_1.z.record(zod_1.z.string(), zod_1.z.string()).optional(),
-});
-/**
- * Union of all credential types
- */
-exports.credentialSchema = zod_1.z.discriminatedUnion('type', [
-    exports.oauthCredentialSchema,
-    exports.apiKeyCredentialSchema,
-    exports.basicAuthCredentialSchema,
-    exports.bearerCredentialSchema,
-    exports.privateKeyCredentialSchema,
-    exports.mtlsCredentialSchema,
-    exports.customCredentialSchema,
-]);
-// ============================================
-// App Credential Schema
-// ============================================
-/**
- * Credential stored for an app in the vault
- */
-exports.appCredentialSchema = zod_1.z.object({
-    /** App ID this credential belongs to */
-    appId: zod_1.z.string().min(1),
-    /** Provider ID within the app (for apps with multiple auth providers) */
-    providerId: zod_1.z.string().min(1),
-    /** The credential data */
-    credential: exports.credentialSchema,
-    /** Timestamp when credential was acquired */
-    acquiredAt: zod_1.z.number(),
-    /** Timestamp when credential was last used */
-    lastUsedAt: zod_1.z.number().optional(),
-    /** Credential expiration (if applicable) */
-    expiresAt: zod_1.z.number().optional(),
-    /** Whether this credential is currently valid */
-    isValid: zod_1.z.boolean().default(true),
-    /** Error message if credential is invalid */
-    invalidReason: zod_1.z.string().optional(),
-    /** User info associated with this credential */
-    userInfo: zod_1.z
-        .object({
-        sub: zod_1.z.string().optional(),
-        email: zod_1.z.string().optional(),
-        name: zod_1.z.string().optional(),
-    })
-        .optional(),
-    /** Metadata for tracking/debugging */
-    metadata: zod_1.z.record(zod_1.z.string(), zod_1.z.unknown()).optional(),
-});
-/**
- * Consent record stored in vault
- */
-exports.vaultConsentRecordSchema = zod_1.z.object({
-    /** Whether consent was enabled */
-    enabled: zod_1.z.boolean(),
-    /** Selected tool IDs (user approved these) */
-    selectedToolIds: zod_1.z.array(zod_1.z.string()),
-    /** Available tool IDs at time of consent */
-    availableToolIds: zod_1.z.array(zod_1.z.string()),
-    /** Timestamp when consent was given */
-    consentedAt: zod_1.z.number(),
-    /** Consent version for tracking changes */
-    version: zod_1.z.string().default('1.0'),
-});
-/**
- * Federated login record stored in vault
- */
-exports.vaultFederatedRecordSchema = zod_1.z.object({
-    /** Provider IDs that were selected */
-    selectedProviderIds: zod_1.z.array(zod_1.z.string()),
-    /** Provider IDs that were skipped (can be authorized later) */
-    skippedProviderIds: zod_1.z.array(zod_1.z.string()),
-    /** Primary provider ID */
-    primaryProviderId: zod_1.z.string().optional(),
-    /** Timestamp when federated login was completed */
-    completedAt: zod_1.z.number(),
-});
-/**
- * Pending incremental authorization request
- */
-exports.pendingIncrementalAuthSchema = zod_1.z.object({
-    /** Unique ID for this request */
-    id: zod_1.z.string(),
-    /** App ID being authorized */
-    appId: zod_1.z.string(),
-    /** Tool ID that triggered the auth request */
-    toolId: zod_1.z.string().optional(),
-    /** Authorization URL */
-    authUrl: zod_1.z.string(),
-    /** Required scopes */
-    requiredScopes: zod_1.z.array(zod_1.z.string()).optional(),
-    /** Whether elicit is being used */
-    elicitId: zod_1.z.string().optional(),
-    /** Timestamp when request was created */
-    createdAt: zod_1.z.number(),
-    /** Expiration timestamp */
-    expiresAt: zod_1.z.number(),
-    /** Status of the request */
-    status: zod_1.z.enum(['pending', 'completed', 'cancelled', 'expired']),
-});
-/**
- * Authorization vault entry (the full session state)
- */
-exports.authorizationVaultEntrySchema = zod_1.z.object({
-    /** Vault ID (maps to access token jti claim) */
-    id: zod_1.z.string(),
-    /** User subject identifier */
-    userSub: zod_1.z.string(),
-    /** User email */
-    userEmail: zod_1.z.string().optional(),
-    /** User name */
-    userName: zod_1.z.string().optional(),
-    /** Client ID that created this session */
-    clientId: zod_1.z.string(),
-    /** Creation timestamp */
-    createdAt: zod_1.z.number(),
-    /** Last access timestamp */
-    lastAccessAt: zod_1.z.number(),
-    /** App credentials (keyed by `${appId}:${providerId}`) */
-    appCredentials: zod_1.z.record(zod_1.z.string(), exports.appCredentialSchema).default({}),
-    /** Consent record */
-    consent: exports.vaultConsentRecordSchema.optional(),
-    /** Federated login record */
-    federated: exports.vaultFederatedRecordSchema.optional(),
-    /** Pending incremental authorization requests */
-    pendingAuths: zod_1.z.array(exports.pendingIncrementalAuthSchema),
-    /** Apps that are fully authorized */
-    authorizedAppIds: zod_1.z.array(zod_1.z.string()),
-    /** Apps that were skipped (not yet authorized) */
-    skippedAppIds: zod_1.z.array(zod_1.z.string()),
-});
-// ============================================
-// In-Memory Implementation
-// ============================================
-/**
- * In-Memory Authorization Vault
- *
- * Development/testing implementation. Data is lost on restart.
- * For production, use RedisAuthorizationVault.
- */
-class InMemoryAuthorizationVault {
-    vaults = new Map();
-    /** Default TTL for pending auth requests (10 minutes) */
-    pendingAuthTtlMs = 10 * 60 * 1000;
-    async create(params) {
-        const now = Date.now();
-        const entry = {
-            id: (0, node_crypto_1.randomUUID)(),
-            userSub: params.userSub,
-            userEmail: params.userEmail,
-            userName: params.userName,
-            clientId: params.clientId,
-            createdAt: now,
-            lastAccessAt: now,
-            appCredentials: {},
-            consent: params.consent,
-            federated: params.federated,
-            pendingAuths: [],
-            authorizedAppIds: params.authorizedAppIds ?? [],
-            skippedAppIds: params.skippedAppIds ?? [],
-        };
-        this.vaults.set(entry.id, entry);
-        return entry;
-    }
-    async get(id) {
-        const entry = this.vaults.get(id);
-        if (!entry)
-            return null;
-        // Note: lastAccessAt is updated on explicit operations, not on read
-        // This prevents unnecessary writes on read operations
-        return entry;
-    }
-    async update(id, updates) {
-        const entry = this.vaults.get(id);
-        if (!entry)
-            return;
-        Object.assign(entry, updates, { lastAccessAt: Date.now() });
-    }
-    async delete(id) {
-        this.vaults.delete(id);
-    }
-    async updateConsent(vaultId, consent) {
-        const entry = this.vaults.get(vaultId);
-        if (!entry)
-            return;
-        entry.consent = consent;
-        entry.lastAccessAt = Date.now();
-    }
-    async authorizeApp(vaultId, appId) {
-        const entry = this.vaults.get(vaultId);
-        if (!entry)
-            return;
-        // Remove from skipped, add to authorized
-        entry.skippedAppIds = entry.skippedAppIds.filter((id) => id !== appId);
-        if (!entry.authorizedAppIds.includes(appId)) {
-            entry.authorizedAppIds.push(appId);
-        }
-        entry.lastAccessAt = Date.now();
-    }
-    async createPendingAuth(vaultId, params) {
-        const entry = this.vaults.get(vaultId);
-        if (!entry) {
-            throw new Error(`Vault not found: ${vaultId}`);
-        }
-        const now = Date.now();
-        const pendingAuth = {
-            id: (0, node_crypto_1.randomUUID)(),
-            appId: params.appId,
-            toolId: params.toolId,
-            authUrl: params.authUrl,
-            requiredScopes: params.requiredScopes,
-            elicitId: params.elicitId,
-            createdAt: now,
-            expiresAt: now + (params.ttlMs ?? this.pendingAuthTtlMs),
-            status: 'pending',
-        };
-        entry.pendingAuths.push(pendingAuth);
-        entry.lastAccessAt = now;
-        return pendingAuth;
-    }
-    async getPendingAuth(vaultId, pendingAuthId) {
-        const entry = this.vaults.get(vaultId);
-        if (!entry)
-            return null;
-        const pendingAuth = entry.pendingAuths.find((p) => p.id === pendingAuthId);
-        if (!pendingAuth)
-            return null;
-        // Check if expired
-        if (Date.now() > pendingAuth.expiresAt) {
-            pendingAuth.status = 'expired';
-        }
-        return pendingAuth;
-    }
-    async completePendingAuth(vaultId, pendingAuthId) {
-        const entry = this.vaults.get(vaultId);
-        if (!entry)
-            return;
-        const pendingAuth = entry.pendingAuths.find((p) => p.id === pendingAuthId);
-        if (pendingAuth) {
-            pendingAuth.status = 'completed';
-            // Auto-authorize the app
-            await this.authorizeApp(vaultId, pendingAuth.appId);
-        }
-    }
-    async cancelPendingAuth(vaultId, pendingAuthId) {
-        const entry = this.vaults.get(vaultId);
-        if (!entry)
-            return;
-        const pendingAuth = entry.pendingAuths.find((p) => p.id === pendingAuthId);
-        if (pendingAuth) {
-            pendingAuth.status = 'cancelled';
-        }
-    }
-    async isAppAuthorized(vaultId, appId) {
-        const entry = this.vaults.get(vaultId);
-        if (!entry)
-            return false;
-        return entry.authorizedAppIds.includes(appId);
-    }
-    async getPendingAuths(vaultId) {
-        const entry = this.vaults.get(vaultId);
-        if (!entry)
-            return [];
-        const now = Date.now();
-        // Update expired status and filter
-        return entry.pendingAuths.filter((p) => {
-            if (now > p.expiresAt && p.status === 'pending') {
-                p.status = 'expired';
-            }
-            return p.status === 'pending';
-        });
-    }
-    async cleanup() {
-        const now = Date.now();
-        for (const [id, entry] of this.vaults) {
-            // Clean up expired pending auths
-            entry.pendingAuths = entry.pendingAuths.filter((p) => {
-                if (now > p.expiresAt && p.status === 'pending') {
-                    p.status = 'expired';
-                }
-                // Keep for audit trail, or remove completely if desired
-                return p.status === 'pending';
-            });
-        }
-    }
-    // ============================================
-    // App Credential Methods
-    // ============================================
-    /** Create a credential key from appId and providerId */
-    credentialKey(appId, providerId) {
-        return `${appId}:${providerId}`;
-    }
-    async addAppCredential(vaultId, credential) {
-        const entry = this.vaults.get(vaultId);
-        if (!entry)
-            return;
-        // Check if we should store based on consent
-        const shouldStore = await this.shouldStoreCredential(vaultId, credential.appId);
-        if (!shouldStore) {
-            return;
-        }
-        const key = this.credentialKey(credential.appId, credential.providerId);
-        entry.appCredentials[key] = credential;
-        entry.lastAccessAt = Date.now();
-    }
-    async removeAppCredential(vaultId, appId, providerId) {
-        const entry = this.vaults.get(vaultId);
-        if (!entry)
-            return;
-        const key = this.credentialKey(appId, providerId);
-        delete entry.appCredentials[key];
-        entry.lastAccessAt = Date.now();
-    }
-    async getAppCredentials(vaultId, appId) {
-        const entry = this.vaults.get(vaultId);
-        if (!entry)
-            return [];
-        const prefix = `${appId}:`;
-        return Object.entries(entry.appCredentials)
-            .filter(([key]) => key.startsWith(prefix))
-            .map(([, cred]) => cred);
-    }
-    async getCredential(vaultId, appId, providerId) {
-        const entry = this.vaults.get(vaultId);
-        if (!entry)
-            return null;
-        const key = this.credentialKey(appId, providerId);
-        return entry.appCredentials[key] ?? null;
-    }
-    async getAllCredentials(vaultId, filterByConsent = false) {
-        const entry = this.vaults.get(vaultId);
-        if (!entry)
-            return [];
-        const allCredentials = Object.values(entry.appCredentials);
-        if (!filterByConsent || !entry.consent?.enabled) {
-            return allCredentials;
-        }
-        // Filter by consent - only return credentials for apps that have tools in consent selection
-        const consentedToolIds = new Set(entry.consent.selectedToolIds);
-        return allCredentials.filter((cred) => {
-            // Check if any tool for this app is in consent
-            // Tool IDs are typically formatted as `appId:toolName` or similar
-            return Array.from(consentedToolIds).some((toolId) => toolId.startsWith(`${cred.appId}:`));
-        });
-    }
-    async updateCredential(vaultId, appId, providerId, updates) {
-        const entry = this.vaults.get(vaultId);
-        if (!entry)
-            return;
-        const key = this.credentialKey(appId, providerId);
-        const credential = entry.appCredentials[key];
-        if (!credential)
-            return;
-        Object.assign(credential, updates);
-        entry.lastAccessAt = Date.now();
-    }
-    async shouldStoreCredential(vaultId, appId, toolIds) {
-        const entry = this.vaults.get(vaultId);
-        if (!entry)
-            return false;
-        // If consent is not enabled, always allow
-        if (!entry.consent?.enabled) {
-            return true;
-        }
-        // If toolIds provided, check if any match consent selection
-        if (toolIds && toolIds.length > 0) {
-            return toolIds.some((toolId) => entry.consent.selectedToolIds.includes(toolId));
-        }
-        // Check if any tool for this app is in consent selection
-        const consentedToolIds = entry.consent.selectedToolIds;
-        return consentedToolIds.some((toolId) => toolId.startsWith(`${appId}:`));
-    }
-    async invalidateCredential(vaultId, appId, providerId, reason) {
-        await this.updateCredential(vaultId, appId, providerId, {
-            isValid: false,
-            invalidReason: reason,
-        });
-    }
-    async refreshOAuthCredential(vaultId, appId, providerId, tokens) {
-        const entry = this.vaults.get(vaultId);
-        if (!entry)
-            return;
-        const key = this.credentialKey(appId, providerId);
-        const credential = entry.appCredentials[key];
-        if (!credential || credential.credential.type !== 'oauth')
-            return;
-        // Update OAuth tokens
-        credential.credential.accessToken = tokens.accessToken;
-        if (tokens.refreshToken !== undefined) {
-            credential.credential.refreshToken = tokens.refreshToken;
-        }
-        if (tokens.expiresAt !== undefined) {
-            credential.credential.expiresAt = tokens.expiresAt;
-            credential.expiresAt = tokens.expiresAt;
-        }
-        // Mark as valid again
-        credential.isValid = true;
-        credential.invalidReason = undefined;
-        entry.lastAccessAt = Date.now();
-    }
-}
-exports.InMemoryAuthorizationVault = InMemoryAuthorizationVault;
-// ============================================
-// Redis Implementation (placeholder)
-// ============================================
-/**
- * Redis Authorization Vault (placeholder)
- *
- * Production implementation using Redis for distributed storage.
- * TODO: Implement after in-memory vault is validated.
- */
-class RedisAuthorizationVault {
-    redis;
-    namespace;
-    constructor(
-    // eslint-disable-next-line @typescript-eslint/no-explicit-any
-    redis, namespace = 'vault:') {
-        this.redis = redis;
-        this.namespace = namespace;
-    }
-    key(id) {
-        return `${this.namespace}${id}`;
-    }
-    /** Create a credential key from appId and providerId */
-    credentialKey(appId, providerId) {
-        return `${appId}:${providerId}`;
-    }
-    async create(params) {
-        const now = Date.now();
-        const entry = {
-            id: (0, node_crypto_1.randomUUID)(),
-            userSub: params.userSub,
-            userEmail: params.userEmail,
-            userName: params.userName,
-            clientId: params.clientId,
-            createdAt: now,
-            lastAccessAt: now,
-            appCredentials: {},
-            consent: params.consent,
-            federated: params.federated,
-            pendingAuths: [],
-            authorizedAppIds: params.authorizedAppIds ?? [],
-            skippedAppIds: params.skippedAppIds ?? [],
-        };
-        await this.redis.set(this.key(entry.id), JSON.stringify(entry));
-        return entry;
-    }
-    async get(id) {
-        const data = await this.redis.get(this.key(id));
-        if (!data)
-            return null;
-        const entry = JSON.parse(data);
-        // Note: lastAccessAt is updated on explicit operations, not on read
-        // This prevents unnecessary writes on read operations
-        return entry;
-    }
-    async update(id, updates) {
-        const entry = await this.get(id);
-        if (!entry)
-            return;
-        Object.assign(entry, updates, { lastAccessAt: Date.now() });
-        await this.redis.set(this.key(id), JSON.stringify(entry));
-    }
-    async delete(id) {
-        await this.redis.del(this.key(id));
-    }
-    async updateConsent(vaultId, consent) {
-        const entry = await this.get(vaultId);
-        if (!entry)
-            return;
-        entry.consent = consent;
-        await this.redis.set(this.key(vaultId), JSON.stringify(entry));
-    }
-    async authorizeApp(vaultId, appId) {
-        const entry = await this.get(vaultId);
-        if (!entry)
-            return;
-        entry.skippedAppIds = entry.skippedAppIds.filter((id) => id !== appId);
-        if (!entry.authorizedAppIds.includes(appId)) {
-            entry.authorizedAppIds.push(appId);
-        }
-        await this.redis.set(this.key(vaultId), JSON.stringify(entry));
-    }
-    async createPendingAuth(vaultId, params) {
-        const entry = await this.get(vaultId);
-        if (!entry) {
-            throw new Error(`Vault not found: ${vaultId}`);
-        }
-        const now = Date.now();
-        const pendingAuth = {
-            id: (0, node_crypto_1.randomUUID)(),
-            appId: params.appId,
-            toolId: params.toolId,
-            authUrl: params.authUrl,
-            requiredScopes: params.requiredScopes,
-            elicitId: params.elicitId,
-            createdAt: now,
-            expiresAt: now + (params.ttlMs ?? 10 * 60 * 1000),
-            status: 'pending',
-        };
-        entry.pendingAuths.push(pendingAuth);
-        await this.redis.set(this.key(vaultId), JSON.stringify(entry));
-        return pendingAuth;
-    }
-    async getPendingAuth(vaultId, pendingAuthId) {
-        const entry = await this.get(vaultId);
-        if (!entry)
-            return null;
-        const pendingAuth = entry.pendingAuths.find((p) => p.id === pendingAuthId);
-        if (!pendingAuth)
-            return null;
-        if (Date.now() > pendingAuth.expiresAt && pendingAuth.status === 'pending') {
-            pendingAuth.status = 'expired';
-            await this.redis.set(this.key(vaultId), JSON.stringify(entry));
-        }
-        return pendingAuth;
-    }
-    async completePendingAuth(vaultId, pendingAuthId) {
-        const entry = await this.get(vaultId);
-        if (!entry)
-            return;
-        const pendingAuth = entry.pendingAuths.find((p) => p.id === pendingAuthId);
-        if (pendingAuth) {
-            pendingAuth.status = 'completed';
-            await this.authorizeApp(vaultId, pendingAuth.appId);
-        }
-    }
-    async cancelPendingAuth(vaultId, pendingAuthId) {
-        const entry = await this.get(vaultId);
-        if (!entry)
-            return;
-        const pendingAuth = entry.pendingAuths.find((p) => p.id === pendingAuthId);
-        if (pendingAuth) {
-            pendingAuth.status = 'cancelled';
-            await this.redis.set(this.key(vaultId), JSON.stringify(entry));
-        }
-    }
-    async isAppAuthorized(vaultId, appId) {
-        const entry = await this.get(vaultId);
-        if (!entry)
-            return false;
-        return entry.authorizedAppIds.includes(appId);
-    }
-    async getPendingAuths(vaultId) {
-        const entry = await this.get(vaultId);
-        if (!entry)
-            return [];
-        const now = Date.now();
-        let updated = false;
-        const pending = entry.pendingAuths.filter((p) => {
-            if (now > p.expiresAt && p.status === 'pending') {
-                p.status = 'expired';
-                updated = true;
-            }
-            return p.status === 'pending';
-        });
-        if (updated) {
-            await this.redis.set(this.key(vaultId), JSON.stringify(entry));
-        }
-        return pending;
-    }
-    async cleanup() {
-        // Redis cleanup would use SCAN to find and clean entries
-        // This is a placeholder
-    }
-    // ============================================
-    // App Credential Methods
-    // ============================================
-    async addAppCredential(vaultId, credential) {
-        const entry = await this.get(vaultId);
-        if (!entry)
-            return;
-        // Check if we should store based on consent
-        const shouldStore = await this.shouldStoreCredential(vaultId, credential.appId);
-        if (!shouldStore) {
-            return;
-        }
-        const key = this.credentialKey(credential.appId, credential.providerId);
-        entry.appCredentials[key] = credential;
-        await this.redis.set(this.key(vaultId), JSON.stringify(entry));
-    }
-    async removeAppCredential(vaultId, appId, providerId) {
-        const entry = await this.get(vaultId);
-        if (!entry)
-            return;
-        const key = this.credentialKey(appId, providerId);
-        delete entry.appCredentials[key];
-        await this.redis.set(this.key(vaultId), JSON.stringify(entry));
-    }
-    async getAppCredentials(vaultId, appId) {
-        const entry = await this.get(vaultId);
-        if (!entry)
-            return [];
-        const prefix = `${appId}:`;
-        return Object.entries(entry.appCredentials)
-            .filter(([key]) => key.startsWith(prefix))
-            .map(([, cred]) => cred);
-    }
-    async getCredential(vaultId, appId, providerId) {
-        const entry = await this.get(vaultId);
-        if (!entry)
-            return null;
-        const key = this.credentialKey(appId, providerId);
-        return entry.appCredentials[key] ?? null;
-    }
-    async getAllCredentials(vaultId, filterByConsent = false) {
-        const entry = await this.get(vaultId);
-        if (!entry)
-            return [];
-        const allCredentials = Object.values(entry.appCredentials);
-        if (!filterByConsent || !entry.consent?.enabled) {
-            return allCredentials;
-        }
-        // Filter by consent - only return credentials for apps that have tools in consent selection
-        const consentedToolIds = new Set(entry.consent.selectedToolIds);
-        return allCredentials.filter((cred) => {
-            return Array.from(consentedToolIds).some((toolId) => toolId.startsWith(`${cred.appId}:`));
-        });
-    }
-    async updateCredential(vaultId, appId, providerId, updates) {
-        const entry = await this.get(vaultId);
-        if (!entry)
-            return;
-        const key = this.credentialKey(appId, providerId);
-        const credential = entry.appCredentials[key];
-        if (!credential)
-            return;
-        Object.assign(credential, updates);
-        await this.redis.set(this.key(vaultId), JSON.stringify(entry));
-    }
-    async shouldStoreCredential(vaultId, appId, toolIds) {
-        const entry = await this.get(vaultId);
-        if (!entry)
-            return false;
-        // If consent is not enabled, always allow
-        if (!entry.consent?.enabled) {
-            return true;
-        }
-        // If toolIds provided, check if any match consent selection
-        if (toolIds && toolIds.length > 0) {
-            return toolIds.some((toolId) => entry.consent.selectedToolIds.includes(toolId));
-        }
-        // Check if any tool for this app is in consent selection
-        const consentedToolIds = entry.consent.selectedToolIds;
-        return consentedToolIds.some((toolId) => toolId.startsWith(`${appId}:`));
-    }
-    async invalidateCredential(vaultId, appId, providerId, reason) {
-        await this.updateCredential(vaultId, appId, providerId, {
-            isValid: false,
-            invalidReason: reason,
-        });
-    }
-    async refreshOAuthCredential(vaultId, appId, providerId, tokens) {
-        const entry = await this.get(vaultId);
-        if (!entry)
-            return;
-        const key = this.credentialKey(appId, providerId);
-        const credential = entry.appCredentials[key];
-        if (!credential || credential.credential.type !== 'oauth')
-            return;
-        // Update OAuth tokens
-        credential.credential.accessToken = tokens.accessToken;
-        if (tokens.refreshToken !== undefined) {
-            credential.credential.refreshToken = tokens.refreshToken;
-        }
-        if (tokens.expiresAt !== undefined) {
-            credential.credential.expiresAt = tokens.expiresAt;
-            credential.expiresAt = tokens.expiresAt;
-        }
-        // Mark as valid again
-        credential.isValid = true;
-        credential.invalidReason = undefined;
-        await this.redis.set(this.key(vaultId), JSON.stringify(entry));
-    }
-}
-exports.RedisAuthorizationVault = RedisAuthorizationVault;
-//# sourceMappingURL=authorization-vault.js.map