@frontmcp/sdk 0.6.0 → 0.6.2

package/src/auth/session/record/session.base.js

@@ -1,125 +0,0 @@
-"use strict";
-// auth/session/record/session.base.ts
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.SessionView = exports.Session = void 0;
-const session_transport_1 = require("../session.transport");
-class Session {
-    // ---------------- public immutable data ----------------
-    id;
-    createdAt;
-    scopeId;
-    user;
-    claims;
-    /** Epoch millis when the bearer token expires (if available). */
-    expiresAt;
-    authorizedProviders;
-    authorizedProviderIds;
-    authorizedApps;
-    authorizedAppIds;
-    authorizedResources;
-    scopes;
-    authorizedTools;
-    authorizedToolIds;
-    authorizedPrompts;
-    authorizedPromptIds;
-    // ---------------- private/shared ----------------
-    #scope;
-    #issuer;
-    token;
-    #activeTransportId;
-    constructor(ctx) {
-        this.id = ctx.id;
-        this.createdAt = ctx.createdAt || Date.now();
-        this.#scope = ctx.scope;
-        this.#issuer = ctx.issuer;
-        this.scopeId = ctx.scope.id;
-        this.user = ctx.user;
-        this.claims = ctx.claims;
-        // derive token expiration from JWT claims if present (exp in seconds)
-        const exp = ctx.claims && typeof ctx.claims['exp'] === 'number' ? Number(ctx.claims['exp']) : undefined;
-        if (exp) {
-            this.expiresAt = exp > 1e12 ? exp : exp * 1000;
-        }
-        // project authorized fields (defaults to empty)
-        this.authorizedProviders = ctx.authorizedProviders ?? {};
-        this.authorizedProviderIds = ctx.authorizedProviderIds ?? [];
-        this.authorizedApps = ctx.authorizedApps ?? {};
-        this.authorizedAppIds = ctx.authorizedAppIds ?? [];
-        this.authorizedResources = ctx.authorizedResources ?? [];
-        this.authorizedTools = ctx.authorizedTools ?? {};
-        this.authorizedToolIds = ctx.authorizedToolIds ?? [];
-        this.authorizedPrompts = ctx.authorizedPrompts ?? {};
-        this.authorizedPromptIds = ctx.authorizedPromptIds ?? [];
-        this.token = ctx.token;
-        this.#activeTransportId = ctx.sessionId;
-    }
-    /**
-     * Get the scope associated with this session.
-     * Can be used by subclasses to implement custom scope handling.
-     * @protected
-     */
-    get scope() {
-        return this.#scope;
-    }
-    // ---------------- accessors ----------------
-    get issuer() {
-        return this.#issuer;
-    }
-    async getTransportSessionId() {
-        if (this.#activeTransportId)
-            return this.#activeTransportId;
-        const mode = this.scope.metadata.transport?.transportIdMode ?? 'uuid';
-        if (typeof mode === 'string') {
-            return session_transport_1.TransportIdGenerator.createId(mode);
-        }
-        else {
-            // Cast to proper function type since Zod's z.function() type is too generic
-            const modeFn = mode;
-            const modeResult = await modeFn(this.issuer);
-            return session_transport_1.TransportIdGenerator.createId(modeResult);
-        }
-    }
-    // ---------------- scoped view ----------------
-    scoped(allowed) {
-        const fn = typeof allowed === 'function'
-            ? allowed
-            : Array.isArray(allowed)
-                ? (id) => allowed.includes(id)
-                : (id) => id === allowed;
-        return new SessionView(this, fn);
-    }
-}
-exports.Session = Session;
-class SessionView {
-    parent;
-    allow;
-    constructor(parent, allow) {
-        this.parent = parent;
-        this.allow = allow;
-    }
-    get id() {
-        return this.parent.id;
-    }
-    get mode() {
-        return this.parent.mode;
-    }
-    get user() {
-        return this.parent.user;
-    }
-    get claims() {
-        return this.parent.claims;
-    }
-    get authorizedApps() {
-        return this.parent.authorizedApps;
-    }
-    async getToken(providerId) {
-        if (!this.allow(providerId))
-            throw new Error(`scoped_denied:${providerId}`);
-        return this.parent.getToken(providerId);
-    }
-    get transportId() {
-        return this.parent.getTransportSessionId;
-    }
-}
-exports.SessionView = SessionView;
-//# sourceMappingURL=session.base.js.map

package/src/auth/session/record/session.base.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"session.base.js","sourceRoot":"","sources":["../../../../../src/auth/session/record/session.base.ts"],"names":[],"mappings":";AAAA,sCAAsC;;;AAItC,4DAA4D;AAuC5D,MAAsB,OAAO;IAC3B,0DAA0D;IACjD,EAAE,CAAS;IAEX,SAAS,CAAS;IAClB,OAAO,CAAS;IAChB,IAAI,CAAc;IAClB,MAAM,CAA2B;IAC1C,iEAAiE;IACxD,SAAS,CAAU;IAEnB,mBAAmB,CAAmC;IACtD,qBAAqB,CAAW;IAChC,cAAc,CAAoD;IAClE,gBAAgB,CAAW;IAC3B,mBAAmB,CAAW;IAC9B,MAAM,CAAY;IAClB,eAAe,CAAsF;IACrG,iBAAiB,CAAY;IAC7B,iBAAiB,CAAsF;IACvG,mBAAmB,CAAY;IAExC,mDAAmD;IACnD,MAAM,CAAQ;IACd,OAAO,CAAS;IACN,KAAK,CAAS;IAExB,kBAAkB,CAAU;IAE5B,YAAsB,GAAkB;QACtC,IAAI,CAAC,EAAE,GAAG,GAAG,CAAC,EAAE,CAAC;QACjB,IAAI,CAAC,SAAS,GAAG,GAAG,CAAC,SAAS,IAAI,IAAI,CAAC,GAAG,EAAE,CAAC;QAC7C,IAAI,CAAC,MAAM,GAAG,GAAG,CAAC,KAAK,CAAC;QACxB,IAAI,CAAC,OAAO,GAAG,GAAG,CAAC,MAAM,CAAC;QAC1B,IAAI,CAAC,OAAO,GAAG,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;QAC5B,IAAI,CAAC,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC;QACrB,IAAI,CAAC,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC;QACzB,sEAAsE;QACtE,MAAM,GAAG,GACP,GAAG,CAAC,MAAM,IAAI,OAAQ,GAAG,CAAC,MAAc,CAAC,KAAK,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAE,GAAG,CAAC,MAAc,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QAChH,IAAI,GAAG,EAAE,CAAC;YACR,IAAI,CAAC,SAAS,GAAG,GAAG,GAAG,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,IAAI,CAAC;QACjD,CAAC;QACD,gDAAgD;QAChD,IAAI,CAAC,mBAAmB,GAAG,GAAG,CAAC,mBAAmB,IAAI,EAAE,CAAC;QACzD,IAAI,CAAC,qBAAqB,GAAG,GAAG,CAAC,qBAAqB,IAAI,EAAE,CAAC;QAC7D,IAAI,CAAC,cAAc,GAAG,GAAG,CAAC,cAAc,IAAI,EAAE,CAAC;QAC/C,IAAI,CAAC,gBAAgB,GAAG,GAAG,CAAC,gBAAgB,IAAI,EAAE,CAAC;QACnD,IAAI,CAAC,mBAAmB,GAAG,GAAG,CAAC,mBAAmB,IAAI,EAAE,CAAC;QACzD,IAAI,CAAC,eAAe,GAAG,GAAG,CAAC,eAAe,IAAI,EAAE,CAAC;QACjD,IAAI,CAAC,iBAAiB,GAAG,GAAG,CAAC,iBAAiB,IAAI,EAAE,CAAC;QACrD,IAAI,CAAC,iBAAiB,GAAG,GAAG,CAAC,iBAAiB,IAAI,EAAE,CAAC;QACrD,IAAI,CAAC,mBAAmB,GAAG,GAAG,CAAC,mBAAmB,IAAI,EAAE,CAAC;QACzD,IAAI,CAAC,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC;QACvB,IAAI,CAAC,kBAAkB,GAAG,GAAG,CAAC,SAAS,CAAC;IAC1C,CAAC;IAED;;;;OAIG;IACH,IAAc,KAAK;QACjB,OAAO,IAAI,CAAC,MAAM,CAAC;IACrB,CAAC;IACD,8CAA8C;IAE9C,IAAI,MAAM;QACR,OAAO,IAAI,CAAC,OAAO,CAAC;IACtB,CAAC;IAED,KAAK,CAAC,qBAAqB;QACzB,IAAI,IAAI,CAAC,kBAAkB;YAAE,OAAO,IAAI,CAAC,kBAAkB,CAAC;QAC5D,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,SAAS,EAAE,eAAe,IAAI,MAAM,CAAC;QACtE,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;YAC7B,OAAO,wCAAoB,CAAC,QAAQ,CAAC,IAAuB,CAAC,CAAC;QAChE,CAAC;aAAM,CAAC;YACN,4EAA4E;YAC5E,MAAM,MAAM,GAAG,IAAsE,CAAC;YACtF,MAAM,UAAU,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YAC7C,OAAO,wCAAoB,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;QACnD,CAAC;IACH,CAAC;IAUD,gDAAgD;IAChD,MAAM,CAAC,OAAsD;QAC3D,MAAM,EAAE,GACN,OAAO,OAAO,KAAK,UAAU;YAC3B,CAAC,CAAC,OAAO;YACT,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC;gBACxB,CAAC,CAAC,CAAC,EAAU,EAAE,EAAE,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;gBACtC,CAAC,CAAC,CAAC,EAAU,EAAE,EAAE,CAAC,EAAE,KAAK,OAAO,CAAC;QACrC,OAAO,IAAI,WAAW,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;IACnC,CAAC;CACF;AAtGD,0BAsGC;AAED,MAAa,WAAW;IACO;IAAkC;IAA/D,YAA6B,MAAe,EAAmB,KAA8B;QAAhE,WAAM,GAAN,MAAM,CAAS;QAAmB,UAAK,GAAL,KAAK,CAAyB;IAAG,CAAC;IAEjG,IAAI,EAAE;QACJ,OAAO,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;IACxB,CAAC;IACD,IAAI,IAAI;QACN,OAAO,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC;IAC1B,CAAC;IACD,IAAI,IAAI;QACN,OAAO,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC;IAC1B,CAAC;IACD,IAAI,MAAM;QACR,OAAO,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC;IAC5B,CAAC;IACD,IAAI,cAAc;QAChB,OAAO,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC;IACpC,CAAC;IAED,KAAK,CAAC,QAAQ,CAAC,UAAkB;QAC/B,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC;YAAE,MAAM,IAAI,KAAK,CAAC,iBAAiB,UAAU,EAAE,CAAC,CAAC;QAC5E,OAAO,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;IAC1C,CAAC;IACD,IAAI,WAAW;QACb,OAAO,IAAI,CAAC,MAAM,CAAC,qBAAqB,CAAC;IAC3C,CAAC;CACF;AA1BD,kCA0BC","sourcesContent":["// auth/session/record/session.base.ts\n\nimport type { ProviderSnapshot, SessionMode } from '../session.types';\nimport type { TransportIdMode } from '../../../common';\nimport { TransportIdGenerator } from '../session.transport';\nimport { Scope } from '../../../scope';\n\nexport interface BaseCreateCtx {\n  id: string;\n  sessionId?: string;\n  scope: Scope;\n  issuer: string;\n  token: string;\n  user: SessionUser;\n  claims?: SessionClaims;\n  createdAt?: number;\n  // optional precomputed authorization projections\n  authorizedProviders?: Record<string, ProviderSnapshot>;\n  authorizedProviderIds?: string[];\n  authorizedApps?: Record<string, { id: string; toolIds: string[] }>;\n  authorizedAppIds?: string[];\n  authorizedResources?: string[];\n  scopes?: string[];\n  // Scoped tools/prompts maps\n  authorizedTools?: Record<string, { executionPath: [string, string]; details?: Record<string, any> }>;\n  authorizedToolIds?: string[];\n  authorizedPrompts?: Record<string, { executionPath: [string, string]; details?: Record<string, any> }>;\n  authorizedPromptIds?: string[];\n}\n\n// TODO: can be extended\nexport interface SessionUser {\n  sub?: string;\n  name?: string;\n  email?: string;\n  picture?: string;\n}\n\n// TODO: can be extended\nexport interface SessionClaims {\n  [key: string]: any;\n}\n\nexport abstract class Session {\n  // ---------------- public immutable data ----------------\n  readonly id: string;\n  abstract readonly mode: SessionMode;\n  readonly createdAt: number;\n  readonly scopeId: string;\n  readonly user: SessionUser;\n  readonly claims?: Record<string, unknown>;\n  /** Epoch millis when the bearer token expires (if available). */\n  readonly expiresAt?: number;\n\n  readonly authorizedProviders: Record<string, ProviderSnapshot>;\n  readonly authorizedProviderIds: string[];\n  readonly authorizedApps: Record<string, { id: string; toolIds: string[] }>;\n  readonly authorizedAppIds: string[];\n  readonly authorizedResources: string[];\n  readonly scopes?: string[];\n  readonly authorizedTools?: Record<string, { executionPath: [string, string]; details?: Record<string, any> }>;\n  readonly authorizedToolIds?: string[];\n  readonly authorizedPrompts?: Record<string, { executionPath: [string, string]; details?: Record<string, any> }>;\n  readonly authorizedPromptIds?: string[];\n\n  // ---------------- private/shared ----------------\n  #scope: Scope;\n  #issuer: string;\n  protected token: string;\n\n  #activeTransportId?: string;\n\n  protected constructor(ctx: BaseCreateCtx) {\n    this.id = ctx.id;\n    this.createdAt = ctx.createdAt || Date.now();\n    this.#scope = ctx.scope;\n    this.#issuer = ctx.issuer;\n    this.scopeId = ctx.scope.id;\n    this.user = ctx.user;\n    this.claims = ctx.claims;\n    // derive token expiration from JWT claims if present (exp in seconds)\n    const exp =\n      ctx.claims && typeof (ctx.claims as any)['exp'] === 'number' ? Number((ctx.claims as any)['exp']) : undefined;\n    if (exp) {\n      this.expiresAt = exp > 1e12 ? exp : exp * 1000;\n    }\n    // project authorized fields (defaults to empty)\n    this.authorizedProviders = ctx.authorizedProviders ?? {};\n    this.authorizedProviderIds = ctx.authorizedProviderIds ?? [];\n    this.authorizedApps = ctx.authorizedApps ?? {};\n    this.authorizedAppIds = ctx.authorizedAppIds ?? [];\n    this.authorizedResources = ctx.authorizedResources ?? [];\n    this.authorizedTools = ctx.authorizedTools ?? {};\n    this.authorizedToolIds = ctx.authorizedToolIds ?? [];\n    this.authorizedPrompts = ctx.authorizedPrompts ?? {};\n    this.authorizedPromptIds = ctx.authorizedPromptIds ?? [];\n    this.token = ctx.token;\n    this.#activeTransportId = ctx.sessionId;\n  }\n\n  /**\n   * Get the scope associated with this session.\n   * Can be used by subclasses to implement custom scope handling.\n   * @protected\n   */\n  protected get scope(): Scope {\n    return this.#scope;\n  }\n  // ---------------- accessors ----------------\n\n  get issuer(): string {\n    return this.#issuer;\n  }\n\n  async getTransportSessionId(): Promise<string> {\n    if (this.#activeTransportId) return this.#activeTransportId;\n    const mode = this.scope.metadata.transport?.transportIdMode ?? 'uuid';\n    if (typeof mode === 'string') {\n      return TransportIdGenerator.createId(mode as TransportIdMode);\n    } else {\n      // Cast to proper function type since Zod's z.function() type is too generic\n      const modeFn = mode as (issuer: string) => Promise<TransportIdMode> | TransportIdMode;\n      const modeResult = await modeFn(this.issuer);\n      return TransportIdGenerator.createId(modeResult);\n    }\n  }\n\n  /**\n   * Get the access token for a given provider.\n   * Must be implemented in subclasses based on session topology.\n   * @protected\n   * @param providerId\n   */\n  abstract getToken(providerId?: string): Promise<string> | string;\n\n  // ---------------- scoped view ----------------\n  scoped(allowed: string | string[] | ((id: string) => boolean)) {\n    const fn =\n      typeof allowed === 'function'\n        ? allowed\n        : Array.isArray(allowed)\n        ? (id: string) => allowed.includes(id)\n        : (id: string) => id === allowed;\n    return new SessionView(this, fn);\n  }\n}\n\nexport class SessionView {\n  constructor(private readonly parent: Session, private readonly allow: (id: string) => boolean) {}\n\n  get id() {\n    return this.parent.id;\n  }\n  get mode() {\n    return this.parent.mode;\n  }\n  get user() {\n    return this.parent.user;\n  }\n  get claims() {\n    return this.parent.claims;\n  }\n  get authorizedApps() {\n    return this.parent.authorizedApps;\n  }\n\n  async getToken(providerId: string) {\n    if (!this.allow(providerId)) throw new Error(`scoped_denied:${providerId}`);\n    return this.parent.getToken(providerId);\n  }\n  get transportId() {\n    return this.parent.getTransportSessionId;\n  }\n}\n"]}

package/src/auth/session/record/session.stateful.js

@@ -1,55 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.StatefulSession = void 0;
-const session_base_1 = require("./session.base");
-/**
- * Represents a **stateful session** stored server-side (e.g., Redis).
- * Nested OAuth tokens are never exposed in the JWT; instead, they are
- * encrypted and persisted in Redis under a session key. The client only
- * receives a lightweight reference to that key.
- *
- * Advantages:
- * - Smaller JWT payloads and reduced token leakage risk.
- * - Can refresh nested provider tokens on the fly without requiring
- *   the user to re-authorize.
- * - Well suited for multi-app setups with short-lived OAuth tokens.
- */
-class StatefulSession extends session_base_1.Session {
-    mode = 'stateful';
-    /**
-     * Used to encrypt/decrypt nested provider tokens in #store.
-     * @private
-     */
-    // eslint-disable-next-line no-unused-private-class-members
-    #vault;
-    /**
-     * Used to store/retrieve encrypted nested provider tokens.
-     * By default it will be a memory store, but can be replaced with a
-     * persistent store like Redis by settings session.store in SecureMcp options
-     * @private
-     */
-    // eslint-disable-next-line no-unused-private-class-members
-    #store;
-    /**
-     * Per-provider refreshers (keyed by providerId).
-     * Used to refresh nested provider tokens on the fly.
-     * By default, it will use the default refresher, which is a simple
-     * refresher that refreshes the token by calling the provider's refresh endpoint.
-     *
-     * If you want to use a custom refresher, you can set it by setting session.refresher in SecureMcp options
-     * @private
-     */
-    // eslint-disable-next-line no-unused-private-class-members
-    #refreshers;
-    // eslint-disable-next-line no-unused-private-class-members
-    #defaultRefresher;
-    constructor(ctx) {
-        super(ctx);
-        throw new Error('Method not implemented.');
-    }
-    getToken(providerId) {
-        throw new Error('Method not implemented.');
-    }
-}
-exports.StatefulSession = StatefulSession;
-//# sourceMappingURL=session.stateful.js.map

package/src/auth/session/record/session.stateful.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"session.stateful.js","sourceRoot":"","sources":["../../../../../src/auth/session/record/session.stateful.ts"],"names":[],"mappings":";;;AAAA,iDAA6D;AAO7D;;;;;;;;;;;GAWG;AACH,MAAa,eAAgB,SAAQ,sBAAO;IACjC,IAAI,GAAG,UAAU,CAAC;IAC3B;;;OAGG;IACH,2DAA2D;IAC3D,MAAM,CAAa;IACnB;;;;;OAKG;IACH,2DAA2D;IAC3D,MAAM,CAAa;IAEnB;;;;;;;;OAQG;IACH,2DAA2D;IAC3D,WAAW,CAAiC;IAC5C,2DAA2D;IAC3D,iBAAiB,CAAiB;IAElC,YAAY,GAAsB;QAChC,KAAK,CAAC,GAAU,CAAC,CAAC;QAClB,MAAM,IAAI,KAAK,CAAC,yBAAyB,CAAC,CAAC;IAC7C,CAAC;IAEQ,QAAQ,CAAC,UAAmB;QACnC,MAAM,IAAI,KAAK,CAAC,yBAAyB,CAAC,CAAC;IAC7C,CAAC;CAkCF;AAxED,0CAwEC","sourcesContent":["import { Session, type BaseCreateCtx } from './session.base';\nimport { TokenRefresher } from '../token.refresh';\nimport type { TokenStore } from '../token.store';\nimport type { TokenVault } from '../token.vault';\n\nexport type StatefulCreateCtx = BaseCreateCtx & {};\n\n/**\n * Represents a **stateful session** stored server-side (e.g., Redis).\n * Nested OAuth tokens are never exposed in the JWT; instead, they are\n * encrypted and persisted in Redis under a session key. The client only\n * receives a lightweight reference to that key.\n *\n * Advantages:\n * - Smaller JWT payloads and reduced token leakage risk.\n * - Can refresh nested provider tokens on the fly without requiring\n *   the user to re-authorize.\n * - Well suited for multi-app setups with short-lived OAuth tokens.\n */\nexport class StatefulSession extends Session {\n  readonly mode = 'stateful';\n  /**\n   * Used to encrypt/decrypt nested provider tokens in #store.\n   * @private\n   */\n  // eslint-disable-next-line no-unused-private-class-members\n  #vault: TokenVault;\n  /**\n   * Used to store/retrieve encrypted nested provider tokens.\n   * By default it will be a memory store, but can be replaced with a\n   * persistent store like Redis by settings session.store in SecureMcp options\n   * @private\n   */\n  // eslint-disable-next-line no-unused-private-class-members\n  #store: TokenStore;\n\n  /**\n   * Per-provider refreshers (keyed by providerId).\n   * Used to refresh nested provider tokens on the fly.\n   * By default, it will use the default refresher, which is a simple\n   * refresher that refreshes the token by calling the provider's refresh endpoint.\n   *\n   * If you want to use a custom refresher, you can set it by setting session.refresher in SecureMcp options\n   * @private\n   */\n  // eslint-disable-next-line no-unused-private-class-members\n  #refreshers: Record<string, TokenRefresher>;\n  // eslint-disable-next-line no-unused-private-class-members\n  #defaultRefresher: TokenRefresher;\n\n  constructor(ctx: StatefulCreateCtx) {\n    super(ctx as any);\n    throw new Error('Method not implemented.');\n  }\n\n  override getToken(providerId?: string): Promise<string> | string {\n    throw new Error('Method not implemented.');\n  }\n  //\n  // protected async attachProviderSecrets(p: ProviderInput): Promise<ProviderSnapshot> {\n  //   const snap: ProviderSnapshot = {\n  //     id: p.id,\n  //     exp: p.exp,\n  //     payload: p.payload,\n  //     apps: p.apps?.map(a => ({ id: String(a.id), toolIds: (a.toolIds ?? []).map(String) })),\n  //     embedMode: 'store-only',\n  //   };\n  //   if (p.token) snap.tokenEnc = encryptAesGcm(this.#key, p.token);\n  //   else if (p.enc) snap.tokenEnc = p.enc;\n  //   if (p.refreshToken) snap.refreshTokenEnc = encryptAesGcm(this.#key, p.refreshToken);\n  //   return snap;\n  // }\n  //\n  // protected async readAccessToken(providerId: string): Promise<string | undefined> {\n  //   const s = this.authorizedProviders[providerId];\n  //   if (!s?.tokenEnc) return undefined;\n  //   return decryptAesGcm(this.#key, s.tokenEnc);\n  // }\n  //\n  // protected readRefreshToken(providerId: string): string | undefined {\n  //   const s = this.authorizedProviders[providerId];\n  //   if (!s?.refreshTokenEnc) return undefined;\n  //   return decryptAesGcm(this.#key, s.refreshTokenEnc);\n  // }\n  //\n  // protected async persistRefreshedTokens(providerId: string, res: TokenRefreshResult): Promise<void> {\n  //   const s = this.authorizedProviders[providerId];\n  //   if (!s) return;\n  //   if (res.accessToken) s.tokenEnc = encryptAesGcm(this.#key, res.accessToken);\n  //   if (res.refreshToken) s.refreshTokenEnc = encryptAesGcm(this.#key, res.refreshToken);\n  // }\n}\n"]}

package/src/auth/session/record/session.stateless.js

@@ -1,32 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.StatelessSession = void 0;
-const session_base_1 = require("./session.base");
-const mcp_error_1 = require("../../../errors/mcp.error");
-/**
- * Represents a **stateful session (non-refreshable)** where nested OAuth
- * tokens cannot be refreshed server-side. When a nested provider token
- * expires, the user must re-authorize to obtain new credentials.
- *
- * Notes:
- * - Simpler flow, but degrades UX when tokens are short-lived.
- * - Prefer the refreshable stateful session for multi-app environments.
- */
-class StatelessSession extends session_base_1.Session {
-    mode = 'stateless';
-    /**
-     * Used to encrypt/decrypt nested provider tokens in #store.
-     * @private
-     */
-    // eslint-disable-next-line no-unused-private-class-members
-    #vault;
-    constructor(ctx) {
-        super(ctx);
-        throw new mcp_error_1.InternalMcpError('StatelessSession not yet implemented', 'NOT_IMPLEMENTED');
-    }
-    getToken(_providerId) {
-        throw new mcp_error_1.InternalMcpError('Token refresh not supported in stateless mode', 'NOT_IMPLEMENTED');
-    }
-}
-exports.StatelessSession = StatelessSession;
-//# sourceMappingURL=session.stateless.js.map

package/src/auth/session/record/session.stateless.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"session.stateless.js","sourceRoot":"","sources":["../../../../../src/auth/session/record/session.stateless.ts"],"names":[],"mappings":";;;AAAA,iDAA6D;AAE7D,yDAA6D;AAI7D;;;;;;;;GAQG;AACH,MAAa,gBAAiB,SAAQ,sBAAO;IAClC,IAAI,GAAG,WAAW,CAAC;IAC5B;;;OAGG;IACH,2DAA2D;IAC3D,MAAM,CAAa;IACnB,YAAY,GAAsB;QAChC,KAAK,CAAC,GAAoB,CAAC,CAAC;QAC5B,MAAM,IAAI,4BAAgB,CAAC,sCAAsC,EAAE,iBAAiB,CAAC,CAAC;IACxF,CAAC;IACQ,QAAQ,CAAC,WAAoB;QACpC,MAAM,IAAI,4BAAgB,CAAC,+CAA+C,EAAE,iBAAiB,CAAC,CAAC;IACjG,CAAC;CACF;AAfD,4CAeC","sourcesContent":["import { Session, type BaseCreateCtx } from './session.base';\nimport { TokenVault } from '../token.vault';\nimport { InternalMcpError } from '../../../errors/mcp.error';\n\nexport type StatefulCreateCtx = BaseCreateCtx & Record<string, never>;\n\n/**\n * Represents a **stateful session (non-refreshable)** where nested OAuth\n * tokens cannot be refreshed server-side. When a nested provider token\n * expires, the user must re-authorize to obtain new credentials.\n *\n * Notes:\n * - Simpler flow, but degrades UX when tokens are short-lived.\n * - Prefer the refreshable stateful session for multi-app environments.\n */\nexport class StatelessSession extends Session {\n  readonly mode = 'stateless';\n  /**\n   * Used to encrypt/decrypt nested provider tokens in #store.\n   * @private\n   */\n  // eslint-disable-next-line no-unused-private-class-members\n  #vault: TokenVault;\n  constructor(ctx: StatefulCreateCtx) {\n    super(ctx as BaseCreateCtx);\n    throw new InternalMcpError('StatelessSession not yet implemented', 'NOT_IMPLEMENTED');\n  }\n  override getToken(_providerId?: string): Promise<string> | string {\n    throw new InternalMcpError('Token refresh not supported in stateless mode', 'NOT_IMPLEMENTED');\n  }\n}\n"]}

package/src/auth/session/record/session.transparent.js

@@ -1,22 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.TransparentSession = void 0;
-const session_base_1 = require("./session.base");
-/**
- * Represents a transparent (Non-Orchestrated) session where delivered by authorization server.
- * The session cannot have nest auth providers.
- * The session cannot be refreshed.
- * The session cannot be revoked.
- * Useful for OAuth flows where the authorization server delivers the session.
- */
-class TransparentSession extends session_base_1.Session {
-    mode = 'transparent';
-    constructor(ctx) {
-        super(ctx);
-    }
-    getToken() {
-        return this.token;
-    }
-}
-exports.TransparentSession = TransparentSession;
-//# sourceMappingURL=session.transparent.js.map

package/src/auth/session/record/session.transparent.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"session.transparent.js","sourceRoot":"","sources":["../../../../../src/auth/session/record/session.transparent.ts"],"names":[],"mappings":";;;AAAA,iDAAwD;AAMxD;;;;;;GAMG;AACH,MAAa,kBAAmB,SAAQ,sBAAO;IACpC,IAAI,GAAG,aAAa,CAAC;IAC9B,YAAY,GAAyB;QACnC,KAAK,CAAC,GAAU,CAAC,CAAC;IACpB,CAAC;IAEQ,QAAQ;QACf,OAAO,IAAI,CAAC,KAAK,CAAC;IACpB,CAAC;CACF;AATD,gDASC","sourcesContent":["import { BaseCreateCtx, Session } from './session.base';\n\ninterface TransparentCreateCtx extends BaseCreateCtx {\n  apps: string[];\n}\n\n/**\n * Represents a transparent (Non-Orchestrated) session where delivered by authorization server.\n * The session cannot have nest auth providers.\n * The session cannot be refreshed.\n * The session cannot be revoked.\n * Useful for OAuth flows where the authorization server delivers the session.\n */\nexport class TransparentSession extends Session {\n  readonly mode = 'transparent';\n  constructor(ctx: TransparentCreateCtx) {\n    super(ctx as any);\n  }\n\n  override getToken(): Promise<string> | string {\n    return this.token;\n  }\n}\n"]}

package/src/auth/session/redis-session.store.js

@@ -1,204 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.RedisSessionStore = void 0;
-const tslib_1 = require("tslib");
-// auth/session/redis-session.store.ts
-const ioredis_1 = tslib_1.__importDefault(require("ioredis"));
-const crypto_1 = require("crypto");
-const transport_session_types_1 = require("./transport-session.types");
-/**
- * Redis-backed session store implementation
- *
- * Provides persistent session storage for distributed deployments.
- * Sessions are stored as JSON with optional TTL.
- */
-class RedisSessionStore {
-    redis;
-    keyPrefix;
-    defaultTtlMs;
-    logger;
-    externalInstance = false;
-    constructor(config, logger) {
-        // Default TTL of 1 hour for session extension on access
-        this.defaultTtlMs = ('defaultTtlMs' in config ? config.defaultTtlMs : undefined) ?? 3600000;
-        this.logger = logger;
-        if ('redis' in config && config.redis) {
-            // Use provided Redis instance
-            this.redis = config.redis;
-            this.keyPrefix = config.keyPrefix ?? 'mcp:session:';
-            this.externalInstance = true;
-        }
-        else {
-            // Create new Redis connection from config
-            const redisConfig = config;
-            const options = {
-                host: redisConfig.host,
-                port: redisConfig.port ?? 6379,
-                password: redisConfig.password,
-                db: redisConfig.db ?? 0,
-            };
-            if (redisConfig.tls) {
-                options.tls = {};
-            }
-            this.redis = new ioredis_1.default(options);
-            this.keyPrefix = redisConfig.keyPrefix ?? 'mcp:session:';
-        }
-    }
-    /**
-     * Get the full Redis key for a session ID
-     * @throws Error if sessionId is empty
-     */
-    key(sessionId) {
-        if (!sessionId || sessionId.trim() === '') {
-            throw new Error('[RedisSessionStore] sessionId cannot be empty');
-        }
-        return `${this.keyPrefix}${sessionId}`;
-    }
-    /**
-     * Get a stored session by ID
-     *
-     * Note: Uses atomic GETEX to extend TTL while reading, preventing race conditions
-     * where concurrent readers might resurrect expired sessions.
-     */
-    async get(sessionId) {
-        const key = this.key(sessionId);
-        // Use GETEX to atomically get and extend TTL in a single operation
-        // This prevents the race where one request deletes expired session
-        // while another is trying to extend it
-        let raw;
-        try {
-            // GETEX with EXAT/PXAT is atomic - no race condition possible
-            raw = await this.redis.getex(key, 'PX', this.defaultTtlMs);
-        }
-        catch {
-            // Fallback for older Redis versions that don't support GETEX
-            raw = await this.redis.get(key);
-        }
-        if (!raw)
-            return null;
-        try {
-            const parsed = JSON.parse(raw);
-            const result = transport_session_types_1.storedSessionSchema.safeParse(parsed);
-            if (!result.success) {
-                this.logger?.warn('[RedisSessionStore] Invalid session format', {
-                    sessionId: sessionId.slice(0, 20),
-                    errors: result.error.issues.slice(0, 3).map((i) => ({ path: i.path, message: i.message })),
-                });
-                // Delete invalid session data
-                this.delete(sessionId).catch(() => void 0);
-                return null;
-            }
-            const session = result.data;
-            // Check application-level expiration (separate from Redis TTL)
-            if (session.session.expiresAt && session.session.expiresAt < Date.now()) {
-                // Session is logically expired - delete it
-                // Note: We await the delete to ensure it completes before returning
-                // This prevents race conditions where another read might get the expired session
-                await this.delete(sessionId);
-                return null;
-            }
-            // Bound Redis TTL by session.expiresAt to avoid keeping expired sessions in Redis
-            // GETEX may have extended TTL beyond expiresAt, so we shorten it if needed
-            if (session.session.expiresAt) {
-                const ttlMs = Math.min(this.defaultTtlMs, session.session.expiresAt - Date.now());
-                if (ttlMs > 0 && ttlMs < this.defaultTtlMs) {
-                    // Fire-and-forget - we're only optimizing cache eviction timing
-                    this.redis.pexpire(key, ttlMs).catch(() => void 0);
-                }
-            }
-            // Update last accessed timestamp (in the returned object)
-            // Note: We don't fire-and-forget a set() here because:
-            // 1. GETEX already extended the Redis TTL
-            // 2. Fire-and-forget can cause race conditions with deletion
-            const updatedSession = {
-                ...session,
-                lastAccessedAt: Date.now(),
-            };
-            return updatedSession;
-        }
-        catch (error) {
-            this.logger?.warn('[RedisSessionStore] Failed to parse session', {
-                sessionId: sessionId.slice(0, 20),
-                error: error.message,
-            });
-            // Delete corrupted session payloads to prevent repeated failures
-            this.delete(sessionId).catch(() => void 0);
-            return null;
-        }
-    }
-    /**
-     * Store a session with optional TTL
-     */
-    async set(sessionId, session, ttlMs) {
-        const key = this.key(sessionId);
-        const value = JSON.stringify(session);
-        if (ttlMs && ttlMs > 0) {
-            // Use PX for millisecond precision
-            await this.redis.set(key, value, 'PX', ttlMs);
-        }
-        else if (session.session.expiresAt) {
-            // Use session's expiration if available
-            const ttl = session.session.expiresAt - Date.now();
-            if (ttl > 0) {
-                await this.redis.set(key, value, 'PX', ttl);
-            }
-            else {
-                // Already expired, but store anyway (will be cleaned up on next access)
-                await this.redis.set(key, value);
-            }
-        }
-        else {
-            // No TTL - session persists until explicitly deleted
-            await this.redis.set(key, value);
-        }
-    }
-    /**
-     * Delete a session
-     */
-    async delete(sessionId) {
-        await this.redis.del(this.key(sessionId));
-    }
-    /**
-     * Check if a session exists
-     */
-    async exists(sessionId) {
-        return (await this.redis.exists(this.key(sessionId))) === 1;
-    }
-    /**
-     * Allocate a new session ID
-     */
-    allocId() {
-        return (0, crypto_1.randomUUID)();
-    }
-    /**
-     * Disconnect from Redis (only if we created the connection)
-     */
-    async disconnect() {
-        if (!this.externalInstance) {
-            await this.redis.quit();
-        }
-    }
-    /**
-     * Get the underlying Redis client (for advanced use cases)
-     */
-    getRedisClient() {
-        return this.redis;
-    }
-    /**
-     * Test Redis connection by sending a PING command.
-     * Useful for validating connection on startup.
-     *
-     * @returns true if connection is healthy, false otherwise
-     */
-    async ping() {
-        try {
-            const result = await this.redis.ping();
-            return result === 'PONG';
-        }
-        catch {
-            return false;
-        }
-    }
-}
-exports.RedisSessionStore = RedisSessionStore;
-//# sourceMappingURL=redis-session.store.js.map

package/src/auth/session/redis-session.store.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"redis-session.store.js","sourceRoot":"","sources":["../../../../src/auth/session/redis-session.store.ts"],"names":[],"mappings":";;;;AAAA,sCAAsC;AACtC,8DAAuD;AACvD,mCAAoC;AACpC,uEAA0G;AAG1G;;;;;GAKG;AACH,MAAa,iBAAiB;IACX,KAAK,CAAQ;IACb,SAAS,CAAS;IAClB,YAAY,CAAS;IACrB,MAAM,CAAkB;IACjC,gBAAgB,GAAG,KAAK,CAAC;IAEjC,YACE,MAAiF,EACjF,MAAuB;QAEvB,wDAAwD;QACxD,IAAI,CAAC,YAAY,GAAG,CAAC,cAAc,IAAI,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC,SAAS,CAAC,IAAI,OAAO,CAAC;QAC5F,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QAErB,IAAI,OAAO,IAAI,MAAM,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;YACtC,8BAA8B;YAC9B,IAAI,CAAC,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC;YAC1B,IAAI,CAAC,SAAS,GAAG,MAAM,CAAC,SAAS,IAAI,cAAc,CAAC;YACpD,IAAI,CAAC,gBAAgB,GAAG,IAAI,CAAC;QAC/B,CAAC;aAAM,CAAC;YACN,0CAA0C;YAC1C,MAAM,WAAW,GAAG,MAAqB,CAAC;YAC1C,MAAM,OAAO,GAAiB;gBAC5B,IAAI,EAAE,WAAW,CAAC,IAAI;gBACtB,IAAI,EAAE,WAAW,CAAC,IAAI,IAAI,IAAI;gBAC9B,QAAQ,EAAE,WAAW,CAAC,QAAQ;gBAC9B,EAAE,EAAE,WAAW,CAAC,EAAE,IAAI,CAAC;aACxB,CAAC;YAEF,IAAI,WAAW,CAAC,GAAG,EAAE,CAAC;gBACpB,OAAO,CAAC,GAAG,GAAG,EAAE,CAAC;YACnB,CAAC;YAED,IAAI,CAAC,KAAK,GAAG,IAAI,iBAAO,CAAC,OAAO,CAAC,CAAC;YAClC,IAAI,CAAC,SAAS,GAAG,WAAW,CAAC,SAAS,IAAI,cAAc,CAAC;QAC3D,CAAC;IACH,CAAC;IAED;;;OAGG;IACK,GAAG,CAAC,SAAiB;QAC3B,IAAI,CAAC,SAAS,IAAI,SAAS,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;YAC1C,MAAM,IAAI,KAAK,CAAC,+CAA+C,CAAC,CAAC;QACnE,CAAC;QACD,OAAO,GAAG,IAAI,CAAC,SAAS,GAAG,SAAS,EAAE,CAAC;IACzC,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,GAAG,CAAC,SAAiB;QACzB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QAEhC,mEAAmE;QACnE,mEAAmE;QACnE,uCAAuC;QACvC,IAAI,GAAkB,CAAC;QACvB,IAAI,CAAC;YACH,8DAA8D;YAC9D,GAAG,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,EAAE,IAAI,EAAE,IAAI,CAAC,YAAY,CAAC,CAAC;QAC7D,CAAC;QAAC,MAAM,CAAC;YACP,6DAA6D;YAC7D,GAAG,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAClC,CAAC;QAED,IAAI,CAAC,GAAG;YAAE,OAAO,IAAI,CAAC;QAEtB,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAC/B,MAAM,MAAM,GAAG,6CAAmB,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;YAErD,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;gBACpB,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,4CAA4C,EAAE;oBAC9D,SAAS,EAAE,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;oBACjC,MAAM,EAAE,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC;iBAC3F,CAAC,CAAC;gBACH,8BAA8B;gBAC9B,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC;gBAC3C,OAAO,IAAI,CAAC;YACd,CAAC;YAED,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC;YAE5B,+DAA+D;YAC/D,IAAI,OAAO,CAAC,OAAO,CAAC,SAAS,IAAI,OAAO,CAAC,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;gBACxE,2CAA2C;gBAC3C,oEAAoE;gBACpE,iFAAiF;gBACjF,MAAM,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;gBAC7B,OAAO,IAAI,CAAC;YACd,CAAC;YAED,kFAAkF;YAClF,2EAA2E;YAC3E,IAAI,OAAO,CAAC,OAAO,CAAC,SAAS,EAAE,CAAC;gBAC9B,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,YAAY,EAAE,OAAO,CAAC,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;gBAClF,IAAI,KAAK,GAAG,CAAC,IAAI,KAAK,GAAG,IAAI,CAAC,YAAY,EAAE,CAAC;oBAC3C,gEAAgE;oBAChE,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC;gBACrD,CAAC;YACH,CAAC;YAED,0DAA0D;YAC1D,uDAAuD;YACvD,0CAA0C;YAC1C,6DAA6D;YAC7D,MAAM,cAAc,GAAkB;gBACpC,GAAG,OAAO;gBACV,cAAc,EAAE,IAAI,CAAC,GAAG,EAAE;aAC3B,CAAC;YAEF,OAAO,cAAc,CAAC;QACxB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,6CAA6C,EAAE;gBAC/D,SAAS,EAAE,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;gBACjC,KAAK,EAAG,KAAe,CAAC,OAAO;aAChC,CAAC,CAAC;YACH,iEAAiE;YACjE,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC;YAC3C,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,GAAG,CAAC,SAAiB,EAAE,OAAsB,EAAE,KAAc;QACjE,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QAChC,MAAM,KAAK,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QAEtC,IAAI,KAAK,IAAI,KAAK,GAAG,CAAC,EAAE,CAAC;YACvB,mCAAmC;YACnC,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC;QAChD,CAAC;aAAM,IAAI,OAAO,CAAC,OAAO,CAAC,SAAS,EAAE,CAAC;YACrC,wCAAwC;YACxC,MAAM,GAAG,GAAG,OAAO,CAAC,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YACnD,IAAI,GAAG,GAAG,CAAC,EAAE,CAAC;gBACZ,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,EAAE,IAAI,EAAE,GAAG,CAAC,CAAC;YAC9C,CAAC;iBAAM,CAAC;gBACN,wEAAwE;gBACxE,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;YACnC,CAAC;QACH,CAAC;aAAM,CAAC;YACN,qDAAqD;YACrD,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QACnC,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,MAAM,CAAC,SAAiB;QAC5B,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC;IAC5C,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,MAAM,CAAC,SAAiB;QAC5B,OAAO,CAAC,MAAM,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;IAC9D,CAAC;IAED;;OAEG;IACH,OAAO;QACL,OAAO,IAAA,mBAAU,GAAE,CAAC;IACtB,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,UAAU;QACd,IAAI,CAAC,IAAI,CAAC,gBAAgB,EAAE,CAAC;YAC3B,MAAM,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;QAC1B,CAAC;IACH,CAAC;IAED;;OAEG;IACH,cAAc;QACZ,OAAO,IAAI,CAAC,KAAK,CAAC;IACpB,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,IAAI;QACR,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;YACvC,OAAO,MAAM,KAAK,MAAM,CAAC;QAC3B,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;CACF;AA7MD,8CA6MC","sourcesContent":["// auth/session/redis-session.store.ts\nimport IoRedis, { Redis, RedisOptions } from 'ioredis';\nimport { randomUUID } from 'crypto';\nimport { SessionStore, StoredSession, RedisConfig, storedSessionSchema } from './transport-session.types';\nimport { FrontMcpLogger } from '../../common/interfaces/logger.interface';\n\n/**\n * Redis-backed session store implementation\n *\n * Provides persistent session storage for distributed deployments.\n * Sessions are stored as JSON with optional TTL.\n */\nexport class RedisSessionStore implements SessionStore {\n  private readonly redis: Redis;\n  private readonly keyPrefix: string;\n  private readonly defaultTtlMs: number;\n  private readonly logger?: FrontMcpLogger;\n  private externalInstance = false;\n\n  constructor(\n    config: RedisConfig | { redis: Redis; keyPrefix?: string; defaultTtlMs?: number },\n    logger?: FrontMcpLogger,\n  ) {\n    // Default TTL of 1 hour for session extension on access\n    this.defaultTtlMs = ('defaultTtlMs' in config ? config.defaultTtlMs : undefined) ?? 3600000;\n    this.logger = logger;\n\n    if ('redis' in config && config.redis) {\n      // Use provided Redis instance\n      this.redis = config.redis;\n      this.keyPrefix = config.keyPrefix ?? 'mcp:session:';\n      this.externalInstance = true;\n    } else {\n      // Create new Redis connection from config\n      const redisConfig = config as RedisConfig;\n      const options: RedisOptions = {\n        host: redisConfig.host,\n        port: redisConfig.port ?? 6379,\n        password: redisConfig.password,\n        db: redisConfig.db ?? 0,\n      };\n\n      if (redisConfig.tls) {\n        options.tls = {};\n      }\n\n      this.redis = new IoRedis(options);\n      this.keyPrefix = redisConfig.keyPrefix ?? 'mcp:session:';\n    }\n  }\n\n  /**\n   * Get the full Redis key for a session ID\n   * @throws Error if sessionId is empty\n   */\n  private key(sessionId: string): string {\n    if (!sessionId || sessionId.trim() === '') {\n      throw new Error('[RedisSessionStore] sessionId cannot be empty');\n    }\n    return `${this.keyPrefix}${sessionId}`;\n  }\n\n  /**\n   * Get a stored session by ID\n   *\n   * Note: Uses atomic GETEX to extend TTL while reading, preventing race conditions\n   * where concurrent readers might resurrect expired sessions.\n   */\n  async get(sessionId: string): Promise<StoredSession | null> {\n    const key = this.key(sessionId);\n\n    // Use GETEX to atomically get and extend TTL in a single operation\n    // This prevents the race where one request deletes expired session\n    // while another is trying to extend it\n    let raw: string | null;\n    try {\n      // GETEX with EXAT/PXAT is atomic - no race condition possible\n      raw = await this.redis.getex(key, 'PX', this.defaultTtlMs);\n    } catch {\n      // Fallback for older Redis versions that don't support GETEX\n      raw = await this.redis.get(key);\n    }\n\n    if (!raw) return null;\n\n    try {\n      const parsed = JSON.parse(raw);\n      const result = storedSessionSchema.safeParse(parsed);\n\n      if (!result.success) {\n        this.logger?.warn('[RedisSessionStore] Invalid session format', {\n          sessionId: sessionId.slice(0, 20),\n          errors: result.error.issues.slice(0, 3).map((i) => ({ path: i.path, message: i.message })),\n        });\n        // Delete invalid session data\n        this.delete(sessionId).catch(() => void 0);\n        return null;\n      }\n\n      const session = result.data;\n\n      // Check application-level expiration (separate from Redis TTL)\n      if (session.session.expiresAt && session.session.expiresAt < Date.now()) {\n        // Session is logically expired - delete it\n        // Note: We await the delete to ensure it completes before returning\n        // This prevents race conditions where another read might get the expired session\n        await this.delete(sessionId);\n        return null;\n      }\n\n      // Bound Redis TTL by session.expiresAt to avoid keeping expired sessions in Redis\n      // GETEX may have extended TTL beyond expiresAt, so we shorten it if needed\n      if (session.session.expiresAt) {\n        const ttlMs = Math.min(this.defaultTtlMs, session.session.expiresAt - Date.now());\n        if (ttlMs > 0 && ttlMs < this.defaultTtlMs) {\n          // Fire-and-forget - we're only optimizing cache eviction timing\n          this.redis.pexpire(key, ttlMs).catch(() => void 0);\n        }\n      }\n\n      // Update last accessed timestamp (in the returned object)\n      // Note: We don't fire-and-forget a set() here because:\n      // 1. GETEX already extended the Redis TTL\n      // 2. Fire-and-forget can cause race conditions with deletion\n      const updatedSession: StoredSession = {\n        ...session,\n        lastAccessedAt: Date.now(),\n      };\n\n      return updatedSession;\n    } catch (error) {\n      this.logger?.warn('[RedisSessionStore] Failed to parse session', {\n        sessionId: sessionId.slice(0, 20),\n        error: (error as Error).message,\n      });\n      // Delete corrupted session payloads to prevent repeated failures\n      this.delete(sessionId).catch(() => void 0);\n      return null;\n    }\n  }\n\n  /**\n   * Store a session with optional TTL\n   */\n  async set(sessionId: string, session: StoredSession, ttlMs?: number): Promise<void> {\n    const key = this.key(sessionId);\n    const value = JSON.stringify(session);\n\n    if (ttlMs && ttlMs > 0) {\n      // Use PX for millisecond precision\n      await this.redis.set(key, value, 'PX', ttlMs);\n    } else if (session.session.expiresAt) {\n      // Use session's expiration if available\n      const ttl = session.session.expiresAt - Date.now();\n      if (ttl > 0) {\n        await this.redis.set(key, value, 'PX', ttl);\n      } else {\n        // Already expired, but store anyway (will be cleaned up on next access)\n        await this.redis.set(key, value);\n      }\n    } else {\n      // No TTL - session persists until explicitly deleted\n      await this.redis.set(key, value);\n    }\n  }\n\n  /**\n   * Delete a session\n   */\n  async delete(sessionId: string): Promise<void> {\n    await this.redis.del(this.key(sessionId));\n  }\n\n  /**\n   * Check if a session exists\n   */\n  async exists(sessionId: string): Promise<boolean> {\n    return (await this.redis.exists(this.key(sessionId))) === 1;\n  }\n\n  /**\n   * Allocate a new session ID\n   */\n  allocId(): string {\n    return randomUUID();\n  }\n\n  /**\n   * Disconnect from Redis (only if we created the connection)\n   */\n  async disconnect(): Promise<void> {\n    if (!this.externalInstance) {\n      await this.redis.quit();\n    }\n  }\n\n  /**\n   * Get the underlying Redis client (for advanced use cases)\n   */\n  getRedisClient(): Redis {\n    return this.redis;\n  }\n\n  /**\n   * Test Redis connection by sending a PING command.\n   * Useful for validating connection on startup.\n   *\n   * @returns true if connection is healthy, false otherwise\n   */\n  async ping(): Promise<boolean> {\n    try {\n      const result = await this.redis.ping();\n      return result === 'PONG';\n    } catch {\n      return false;\n    }\n  }\n}\n"]}

package/src/auth/session/session.crypto.js

@@ -1,47 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.encryptAesGcm = encryptAesGcm;
-exports.decryptAesGcm = decryptAesGcm;
-exports.hkdfSha256 = hkdfSha256;
-const tslib_1 = require("tslib");
-// auth/services/session/session.crypto.ts
-const node_crypto_1 = tslib_1.__importDefault(require("node:crypto"));
-/** Encrypt UTF-8 text using AES-256-GCM. Returns base64url fields. */
-function encryptAesGcm(key, plaintext) {
-    const iv = node_crypto_1.default.randomBytes(12);
-    const cipher = node_crypto_1.default.createCipheriv('aes-256-gcm', key, iv);
-    const data = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
-    const tag = cipher.getAuthTag();
-    return {
-        alg: 'A256GCM',
-        iv: iv.toString('base64url'),
-        tag: tag.toString('base64url'),
-        data: data.toString('base64url'),
-    };
-}
-/** Decrypt an AES-256-GCM blob (base64url fields) to UTF-8 text. */
-function decryptAesGcm(key, blob) {
-    const iv = Buffer.from(blob.iv, 'base64url');
-    const tag = Buffer.from(blob.tag, 'base64url');
-    const data = Buffer.from(blob.data, 'base64url');
-    const decipher = node_crypto_1.default.createDecipheriv('aes-256-gcm', key, iv);
-    decipher.setAuthTag(tag);
-    const out = Buffer.concat([decipher.update(data), decipher.final()]);
-    return out.toString('utf8');
-}
-/** HKDF-SHA256 (RFC 5869) to derive key material. */
-function hkdfSha256(ikm, salt, info, length) {
-    const prk = node_crypto_1.default.createHmac('sha256', salt).update(ikm).digest();
-    let prev = Buffer.alloc(0);
-    const chunks = [];
-    let ctr = 1;
-    while (Buffer.concat(chunks).length < length) {
-        prev = node_crypto_1.default
-            .createHmac('sha256', prk)
-            .update(Buffer.concat([prev, info, Buffer.from([ctr++])]))
-            .digest();
-        chunks.push(prev);
-    }
-    return Buffer.concat(chunks).subarray(0, length);
-}
-//# sourceMappingURL=session.crypto.js.map

package/src/auth/session/session.crypto.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"session.crypto.js","sourceRoot":"","sources":["../../../../src/auth/session/session.crypto.ts"],"names":[],"mappings":";;AAKA,sCAWC;AAGD,sCAQC;AAGD,gCAaC;;AA3CD,0CAA0C;AAC1C,sEAAiC;AAGjC,sEAAsE;AACtE,SAAgB,aAAa,CAAC,GAAW,EAAE,SAAiB;IAC1D,MAAM,EAAE,GAAG,qBAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;IAClC,MAAM,MAAM,GAAG,qBAAM,CAAC,cAAc,CAAC,aAAa,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;IAC7D,MAAM,IAAI,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IAC/E,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;IAChC,OAAO;QACL,GAAG,EAAE,SAAS;QACd,EAAE,EAAE,EAAE,CAAC,QAAQ,CAAC,WAAW,CAAC;QAC5B,GAAG,EAAE,GAAG,CAAC,QAAQ,CAAC,WAAW,CAAC;QAC9B,IAAI,EAAE,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC;KACjC,CAAC;AACJ,CAAC;AAED,oEAAoE;AACpE,SAAgB,aAAa,CAAC,GAAW,EAAE,IAAa;IACtD,MAAM,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE,WAAW,CAAC,CAAC;IAC7C,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,WAAW,CAAC,CAAC;IAC/C,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC;IACjD,MAAM,QAAQ,GAAG,qBAAM,CAAC,gBAAgB,CAAC,aAAa,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;IACjE,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;IACzB,MAAM,GAAG,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IACrE,OAAO,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;AAC9B,CAAC;AAED,qDAAqD;AACrD,SAAgB,UAAU,CAAC,GAAW,EAAE,IAAY,EAAE,IAAY,EAAE,MAAc;IAChF,MAAM,GAAG,GAAG,qBAAM,CAAC,UAAU,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC;IACnE,IAAI,IAAI,GAAW,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IACnC,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,IAAI,GAAG,GAAG,CAAC,CAAC;IACZ,OAAO,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,GAAG,MAAM,EAAE,CAAC;QAC7C,IAAI,GAAG,qBAAM;aACV,UAAU,CAAC,QAAQ,EAAE,GAAG,CAAC;aACzB,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;aACzD,MAAM,EAAE,CAAC;QACZ,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACpB,CAAC;IACD,OAAO,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;AACnD,CAAC","sourcesContent":["// auth/services/session/session.crypto.ts\nimport crypto from 'node:crypto';\nimport type { EncBlob } from './session.types';\n\n/** Encrypt UTF-8 text using AES-256-GCM. Returns base64url fields. */\nexport function encryptAesGcm(key: Buffer, plaintext: string): EncBlob {\n  const iv = crypto.randomBytes(12);\n  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);\n  const data = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);\n  const tag = cipher.getAuthTag();\n  return {\n    alg: 'A256GCM',\n    iv: iv.toString('base64url'),\n    tag: tag.toString('base64url'),\n    data: data.toString('base64url'),\n  };\n}\n\n/** Decrypt an AES-256-GCM blob (base64url fields) to UTF-8 text. */\nexport function decryptAesGcm(key: Buffer, blob: EncBlob): string {\n  const iv = Buffer.from(blob.iv, 'base64url');\n  const tag = Buffer.from(blob.tag, 'base64url');\n  const data = Buffer.from(blob.data, 'base64url');\n  const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);\n  decipher.setAuthTag(tag);\n  const out = Buffer.concat([decipher.update(data), decipher.final()]);\n  return out.toString('utf8');\n}\n\n/** HKDF-SHA256 (RFC 5869) to derive key material. */\nexport function hkdfSha256(ikm: Buffer, salt: Buffer, info: Buffer, length: number): Buffer {\n  const prk = crypto.createHmac('sha256', salt).update(ikm).digest();\n  let prev: Buffer = Buffer.alloc(0);\n  const chunks: Buffer[] = [];\n  let ctr = 1;\n  while (Buffer.concat(chunks).length < length) {\n    prev = crypto\n      .createHmac('sha256', prk)\n      .update(Buffer.concat([prev, info, Buffer.from([ctr++])]))\n      .digest();\n    chunks.push(prev);\n  }\n  return Buffer.concat(chunks).subarray(0, length);\n}\n"]}

package/src/auth/session/session.schema.js

@@ -1,13 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.SessionSchema = void 0;
-const zod_1 = require("zod");
-const session_transparent_1 = require("./record/session.transparent");
-const session_stateful_1 = require("./record/session.stateful");
-const session_stateless_1 = require("./record/session.stateless");
-exports.SessionSchema = zod_1.z.union([
-    zod_1.z.instanceof(session_transparent_1.TransparentSession),
-    zod_1.z.instanceof(session_stateful_1.StatefulSession),
-    zod_1.z.instanceof(session_stateless_1.StatelessSession),
-]);
-//# sourceMappingURL=session.schema.js.map

package/src/auth/session/session.schema.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"session.schema.js","sourceRoot":"","sources":["../../../../src/auth/session/session.schema.ts"],"names":[],"mappings":";;;AAAA,6BAAwB;AACxB,sEAAkE;AAClE,gEAA4D;AAC5D,kEAA8D;AAEjD,QAAA,aAAa,GAAG,OAAC,CAAC,KAAK,CAAC;IACnC,OAAC,CAAC,UAAU,CAAC,wCAAkB,CAAC;IAChC,OAAC,CAAC,UAAU,CAAC,kCAAe,CAAC;IAC7B,OAAC,CAAC,UAAU,CAAC,oCAAgB,CAAC;CAC/B,CAAC,CAAC","sourcesContent":["import { z } from 'zod';\nimport { TransparentSession } from './record/session.transparent';\nimport { StatefulSession } from './record/session.stateful';\nimport { StatelessSession } from './record/session.stateless';\n\nexport const SessionSchema = z.union([\n  z.instanceof(TransparentSession),\n  z.instanceof(StatefulSession),\n  z.instanceof(StatelessSession),\n]);\n"]}