npm - @frontmcp/sdk - Versions diffs - 0.6.0 → 0.6.2 - Mend

@frontmcp/sdk 0.6.0 → 0.6.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (1053) hide show

package/src/common/types/options/auth.options.js DELETED Viewed

@@ -1,560 +0,0 @@
-"use strict";
-// common/types/options/auth.options.ts
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.appAuthOptionsSchema = exports.authOptionsSchema = exports.orchestratedAuthOptionsSchema = exports.orchestratedRemoteSchema = exports.orchestratedLocalSchema = exports.transparentAuthOptionsSchema = exports.publicAuthOptionsSchema = exports.transportConfigSchema = exports.transportRecreationConfigSchema = exports.incrementalAuthConfigSchema = exports.consentConfigSchema = exports.skippedAppBehaviorSchema = exports.tokenRefreshConfigSchema = exports.tokenStorageConfigSchema = exports.remoteProviderConfigSchema = exports.localSigningConfigSchema = exports.publicAccessConfigSchema = void 0;
-exports.parseAuthOptions = parseAuthOptions;
-exports.isPublicMode = isPublicMode;
-exports.isTransparentMode = isTransparentMode;
-exports.isOrchestratedMode = isOrchestratedMode;
-exports.isOrchestratedLocal = isOrchestratedLocal;
-exports.isOrchestratedRemote = isOrchestratedRemote;
-exports.allowsPublicAccess = allowsPublicAccess;
-const zod_1 = require("zod");
-const auth_1 = require("../auth");
-const transport_session_types_1 = require("../../../auth/session/transport-session.types");
-// ============================================
-// SHARED SCHEMAS
-// ============================================
-/**
- * Public access configuration for tools/prompts
- */
-exports.publicAccessConfigSchema = zod_1.z.object({
-    /**
-     * Allow all tools or explicit whitelist
-     * @default 'all'
-     */
-    tools: zod_1.z.union([zod_1.z.literal('all'), zod_1.z.array(zod_1.z.string())]).default('all'),
-    /**
-     * Allow all prompts or explicit whitelist
-     * @default 'all'
-     */
-    prompts: zod_1.z.union([zod_1.z.literal('all'), zod_1.z.array(zod_1.z.string())]).default('all'),
-    /**
-     * Rate limit per IP per minute
-     * @default 60
-     */
-    rateLimit: zod_1.z.number().default(60),
-});
-/**
- * Local signing configuration (for orchestrated local type)
- */
-exports.localSigningConfigSchema = zod_1.z.object({
-    /**
-     * Private key for signing orchestrated tokens
-     * @default auto-generated
-     */
-    signKey: auth_1.jwkSchema.or(zod_1.z.instanceof(Uint8Array)).optional(),
-    /**
-     * JWKS for token verification
-     * @default auto-generated
-     */
-    jwks: auth_1.jsonWebKeySetSchema.optional(),
-    /**
-     * Issuer identifier for orchestrated tokens
-     * @default auto-derived from server URL
-     */
-    issuer: zod_1.z.string().optional(),
-});
-/**
- * Remote OAuth provider configuration (for orchestrated remote and transparent)
- */
-exports.remoteProviderConfigSchema = zod_1.z.object({
-    /**
-     * OAuth provider base URL
-     * @example 'https://auth.example.com'
-     */
-    provider: zod_1.z.string().url(),
-    /**
-     * Provider display name
-     */
-    name: zod_1.z.string().optional(),
-    /**
-     * Unique identifier for this provider
-     * @default derived from provider URL
-     */
-    id: zod_1.z.string().optional(),
-    /**
-     * Inline JWKS for offline token verification
-     * Falls back to fetching from provider's /.well-known/jwks.json
-     */
-    jwks: auth_1.jsonWebKeySetSchema.optional(),
-    /**
-     * Custom JWKS URI if not at standard path
-     */
-    jwksUri: zod_1.z.string().url().optional(),
-    /**
-     * Client ID for this MCP server (for orchestrated mode)
-     */
-    clientId: zod_1.z.string().optional(),
-    /**
-     * Client secret (for confidential clients in orchestrated mode)
-     */
-    clientSecret: zod_1.z.string().optional(),
-    /**
-     * Scopes to request from the upstream provider
-     */
-    scopes: zod_1.z.array(zod_1.z.string()).optional(),
-    /**
-     * Enable Dynamic Client Registration (DCR)
-     * @default false
-     */
-    dcrEnabled: zod_1.z.boolean().default(false),
-    /**
-     * Authorization endpoint override
-     */
-    authEndpoint: zod_1.z.string().url().optional(),
-    /**
-     * Token endpoint override
-     */
-    tokenEndpoint: zod_1.z.string().url().optional(),
-    /**
-     * Registration endpoint override (for DCR)
-     */
-    registrationEndpoint: zod_1.z.string().url().optional(),
-    /**
-     * User info endpoint override
-     */
-    userInfoEndpoint: zod_1.z.string().url().optional(),
-});
-/**
- * Token storage configuration for orchestrated mode
- */
-exports.tokenStorageConfigSchema = zod_1.z.discriminatedUnion('type', [
-    zod_1.z.object({ type: zod_1.z.literal('memory') }),
-    zod_1.z.object({ type: zod_1.z.literal('redis'), config: transport_session_types_1.redisConfigSchema }),
-]);
-/**
- * Token refresh configuration
- */
-exports.tokenRefreshConfigSchema = zod_1.z.object({
-    /**
-     * Enable automatic token refresh
-     * @default true
-     */
-    enabled: zod_1.z.boolean().default(true),
-    /**
-     * Refresh token before expiry by this many seconds
-     * @default 60
-     */
-    skewSeconds: zod_1.z.number().default(60),
-});
-/**
- * Behavior when a tool from a skipped (not yet authorized) app is called
- */
-exports.skippedAppBehaviorSchema = zod_1.z.enum(['anonymous', 'require-auth']);
-/**
- * Consent configuration for tool selection
- * Allows users to choose which MCP tools to expose to the LLM
- *
- * Note: This schema is the canonical definition. It is duplicated in
- * auth/consent/consent.types.ts for domain-specific use. Both schemas
- * MUST be kept in sync. The duplication exists to avoid circular
- * dependencies between common/ and auth/ modules.
- */
-exports.consentConfigSchema = zod_1.z.object({
-    /**
-     * Enable consent flow for tool selection
-     * When enabled, users can choose which tools to expose to the LLM
-     * @default false
-     */
-    enabled: zod_1.z.boolean().default(false),
-    /**
-     * Group tools by app in the consent UI
-     * @default true
-     */
-    groupByApp: zod_1.z.boolean().default(true),
-    /**
-     * Show tool descriptions in consent UI
-     * @default true
-     */
-    showDescriptions: zod_1.z.boolean().default(true),
-    /**
-     * Allow selecting all tools at once
-     * @default true
-     */
-    allowSelectAll: zod_1.z.boolean().default(true),
-    /**
-     * Require at least one tool to be selected
-     * @default true
-     */
-    requireSelection: zod_1.z.boolean().default(true),
-    /**
-     * Custom message to display on consent page
-     */
-    customMessage: zod_1.z.string().optional(),
-    /**
-     * Remember consent for future sessions
-     * @default true
-     */
-    rememberConsent: zod_1.z.boolean().default(true),
-    /**
-     * Tools to exclude from consent (always available)
-     * Useful for essential tools that should always be accessible
-     */
-    excludedTools: zod_1.z.array(zod_1.z.string()).optional(),
-    /**
-     * Tools to always include in consent (pre-selected)
-     */
-    defaultSelectedTools: zod_1.z.array(zod_1.z.string()).optional(),
-});
-/**
- * Progressive/Incremental authorization configuration
- * Allows users to authorize apps one at a time after initial auth
- */
-exports.incrementalAuthConfigSchema = zod_1.z.object({
-    /**
-     * Enable incremental (progressive) authorization
-     * When enabled, users can skip app authorizations during initial auth
-     * and authorize individual apps later when needed
-     * @default true
-     */
-    enabled: zod_1.z.boolean().default(true),
-    /**
-     * Behavior when a tool from a skipped app is called
-     * - 'anonymous': If app supports anonymous access, use it; otherwise require auth
-     * - 'require-auth': Always require authorization (return auth_url)
-     * @default 'anonymous'
-     */
-    skippedAppBehavior: exports.skippedAppBehaviorSchema.default('anonymous'),
-    /**
-     * Allow users to skip app authorization during initial auth flow
-     * @default true
-     */
-    allowSkip: zod_1.z.boolean().default(true),
-    /**
-     * Show all apps in a single authorization page (vs step-by-step)
-     * @default true
-     */
-    showAllAppsAtOnce: zod_1.z.boolean().default(true),
-});
-// ============================================
-// TRANSPORT CONFIG (DEPRECATED)
-// These schemas are kept for backward compatibility during migration.
-// Use top-level transport config instead.
-// DELETE after v1.0.0
-// ============================================
-/**
- * @deprecated Use top-level transport config instead. This will be removed in v1.0.0.
- */
-exports.transportRecreationConfigSchema = zod_1.z
-    .object({
-    enabled: zod_1.z.boolean().default(false),
-    redis: transport_session_types_1.redisConfigSchema.optional(),
-    defaultTtlMs: zod_1.z.number().int().positive().default(3600000),
-})
-    .refine((data) => {
-    if (data.enabled && !data.redis) {
-        return false;
-    }
-    return true;
-}, {
-    message: 'Redis configuration is required when transport recreation is enabled',
-    path: ['redis'],
-});
-/**
- * @deprecated Use top-level transport config instead. This will be removed in v1.0.0.
- */
-exports.transportConfigSchema = zod_1.z.object({
-    enableLegacySSE: zod_1.z.boolean().default(false),
-    enableSseListener: zod_1.z.boolean().default(true),
-    enableStreamableHttp: zod_1.z.boolean().default(true),
-    enableStatelessHttp: zod_1.z.boolean().default(false),
-    enableStatefulHttp: zod_1.z.boolean().default(false),
-    requireSessionForStreamable: zod_1.z.boolean().default(true),
-    recreation: zod_1.z.lazy(() => exports.transportRecreationConfigSchema).optional(),
-});
-// ============================================
-// PUBLIC MODE
-// No authentication required, anonymous access
-// ============================================
-exports.publicAuthOptionsSchema = zod_1.z.object({
-    mode: zod_1.z.literal('public'),
-    /**
-     * Issuer identifier for anonymous JWTs
-     * @default auto-derived from server URL
-     */
-    issuer: zod_1.z.string().optional(),
-    /**
-     * Anonymous session TTL in seconds
-     * @default 3600 (1 hour)
-     */
-    sessionTtl: zod_1.z.number().default(3600),
-    /**
-     * Scopes granted to anonymous sessions
-     * @default ['anonymous']
-     */
-    anonymousScopes: zod_1.z.array(zod_1.z.string()).default(['anonymous']),
-    /**
-     * Tool/prompt access configuration for anonymous users
-     */
-    publicAccess: exports.publicAccessConfigSchema.optional(),
-    /**
-     * JWKS for token verification
-     * @default auto-generated
-     */
-    jwks: auth_1.jsonWebKeySetSchema.optional(),
-    /**
-     * Private key for signing anonymous tokens
-     * @default auto-generated
-     */
-    signKey: auth_1.jwkSchema.or(zod_1.z.instanceof(Uint8Array)).optional(),
-    /**
-     * @deprecated Use top-level transport config instead. Kept for backward compatibility.
-     */
-    transport: exports.transportConfigSchema.optional(),
-});
-// ============================================
-// TRANSPARENT MODE
-// Pass-through OAuth tokens from remote provider
-// ============================================
-exports.transparentAuthOptionsSchema = zod_1.z.object({
-    mode: zod_1.z.literal('transparent'),
-    /**
-     * Remote OAuth provider configuration (required)
-     */
-    remote: exports.remoteProviderConfigSchema,
-    /**
-     * Expected token audience
-     * If not set, defaults to the resource URL
-     */
-    expectedAudience: zod_1.z.union([zod_1.z.string(), zod_1.z.array(zod_1.z.string())]).optional(),
-    /**
-     * Required scopes for access
-     * Empty array means any valid token is accepted
-     * @default []
-     */
-    requiredScopes: zod_1.z.array(zod_1.z.string()).default([]),
-    /**
-     * Allow anonymous fallback when no token is provided
-     * @default false
-     */
-    allowAnonymous: zod_1.z.boolean().default(false),
-    /**
-     * Scopes granted to anonymous sessions (when allowAnonymous=true)
-     * @default ['anonymous']
-     */
-    anonymousScopes: zod_1.z.array(zod_1.z.string()).default(['anonymous']),
-    /**
-     * Public access config for anonymous users (when allowAnonymous=true)
-     */
-    publicAccess: exports.publicAccessConfigSchema.optional(),
-    /**
-     * @deprecated Use top-level transport config instead. Kept for backward compatibility.
-     */
-    transport: exports.transportConfigSchema.optional(),
-});
-// ============================================
-// ORCHESTRATED MODE
-// Local auth server that can proxy to remote or be fully local
-// ============================================
-/**
- * Orchestrated mode with local authentication only
- */
-exports.orchestratedLocalSchema = zod_1.z.object({
-    mode: zod_1.z.literal('orchestrated'),
-    type: zod_1.z.literal('local'),
-    /**
-     * Local signing configuration
-     */
-    local: exports.localSigningConfigSchema.optional(),
-    /**
-     * Token storage configuration
-     * @default { type: 'memory' }
-     */
-    tokenStorage: exports.tokenStorageConfigSchema.default({ type: 'memory' }),
-    /**
-     * Session storage mode
-     * - 'stateful': Store sessions in Redis/memory, JWT contains only reference
-     * - 'stateless': All state encrypted in JWT
-     * @default 'stateful'
-     */
-    sessionMode: zod_1.z.enum(['stateful', 'stateless']).default('stateful'),
-    /**
-     * Allow default public access for unauthenticated requests
-     * When true: all tools are public by default, only tools marked with scopes require auth
-     * When false: all tools require authentication by default
-     * @default false
-     */
-    allowDefaultPublic: zod_1.z.boolean().default(false),
-    /**
-     * Scopes granted to anonymous sessions (when allowDefaultPublic=true)
-     * @default ['anonymous']
-     */
-    anonymousScopes: zod_1.z.array(zod_1.z.string()).default(['anonymous']),
-    /**
-     * Public access config (when allowDefaultPublic=true)
-     */
-    publicAccess: exports.publicAccessConfigSchema.optional(),
-    /**
-     * Consent flow configuration for tool selection
-     * Allows users to choose which MCP tools to expose to the LLM
-     * @default { enabled: false }
-     */
-    consent: exports.consentConfigSchema.optional(),
-    /**
-     * Token refresh settings
-     */
-    refresh: exports.tokenRefreshConfigSchema.optional(),
-    /**
-     * Expected token audience for validation
-     */
-    expectedAudience: zod_1.z.union([zod_1.z.string(), zod_1.z.array(zod_1.z.string())]).optional(),
-    /**
-     * Incremental (progressive) authorization configuration
-     * Allows users to skip app authorizations initially and authorize later
-     * @default { enabled: true, skippedAppBehavior: 'anonymous' }
-     */
-    incrementalAuth: exports.incrementalAuthConfigSchema.optional(),
-    /**
-     * @deprecated Use top-level transport config instead. Kept for backward compatibility.
-     */
-    transport: exports.transportConfigSchema.optional(),
-});
-/**
- * Orchestrated mode with remote OAuth provider
- */
-exports.orchestratedRemoteSchema = zod_1.z.object({
-    mode: zod_1.z.literal('orchestrated'),
-    type: zod_1.z.literal('remote'),
-    /**
-     * Remote OAuth provider configuration (required for remote type)
-     */
-    remote: exports.remoteProviderConfigSchema,
-    /**
-     * Local signing configuration (for issuing local tokens after upstream auth)
-     */
-    local: exports.localSigningConfigSchema.optional(),
-    /**
-     * Token storage configuration
-     * @default { type: 'memory' }
-     */
-    tokenStorage: exports.tokenStorageConfigSchema.default({ type: 'memory' }),
-    /**
-     * Session storage mode
-     * - 'stateful': Store sessions in Redis/memory, JWT contains only reference
-     * - 'stateless': All state encrypted in JWT
-     * @default 'stateful'
-     */
-    sessionMode: zod_1.z.enum(['stateful', 'stateless']).default('stateful'),
-    /**
-     * Allow default public access for unauthenticated requests
-     * When true: all tools are public by default, only tools marked with scopes require auth
-     * When false: all tools require authentication by default
-     * @default false
-     */
-    allowDefaultPublic: zod_1.z.boolean().default(false),
-    /**
-     * Scopes granted to anonymous sessions (when allowDefaultPublic=true)
-     * @default ['anonymous']
-     */
-    anonymousScopes: zod_1.z.array(zod_1.z.string()).default(['anonymous']),
-    /**
-     * Public access config (when allowDefaultPublic=true)
-     */
-    publicAccess: exports.publicAccessConfigSchema.optional(),
-    /**
-     * Consent flow configuration for tool selection
-     * Allows users to choose which MCP tools to expose to the LLM
-     * @default { enabled: false }
-     */
-    consent: exports.consentConfigSchema.optional(),
-    /**
-     * Token refresh settings
-     */
-    refresh: exports.tokenRefreshConfigSchema.optional(),
-    /**
-     * Expected token audience for validation
-     */
-    expectedAudience: zod_1.z.union([zod_1.z.string(), zod_1.z.array(zod_1.z.string())]).optional(),
-    /**
-     * Incremental (progressive) authorization configuration
-     * Allows users to skip app authorizations initially and authorize later
-     * @default { enabled: true, skippedAppBehavior: 'anonymous' }
-     */
-    incrementalAuth: exports.incrementalAuthConfigSchema.optional(),
-    /**
-     * @deprecated Use top-level transport config instead. Kept for backward compatibility.
-     */
-    transport: exports.transportConfigSchema.optional(),
-});
-// Combined orchestrated schema
-exports.orchestratedAuthOptionsSchema = zod_1.z.discriminatedUnion('type', [
-    exports.orchestratedLocalSchema,
-    exports.orchestratedRemoteSchema,
-]);
-// ============================================
-// UNIFIED AUTH OPTIONS
-// ============================================
-/**
- * Main auth options schema - discriminated by 'mode'
- *
- * Uses z.union because we have nested discriminators (orchestrated has 'type')
- */
-exports.authOptionsSchema = zod_1.z.union([
-    exports.publicAuthOptionsSchema,
-    exports.transparentAuthOptionsSchema,
-    exports.orchestratedLocalSchema,
-    exports.orchestratedRemoteSchema,
-]);
-const standaloneOptionSchema = {
-    standalone: zod_1.z.boolean().optional(),
-    excludeFromParent: zod_1.z.boolean().optional(),
-};
-exports.appAuthOptionsSchema = zod_1.z.union([
-    exports.publicAuthOptionsSchema.extend(standaloneOptionSchema),
-    exports.transparentAuthOptionsSchema.extend(standaloneOptionSchema),
-    exports.orchestratedLocalSchema.extend(standaloneOptionSchema),
-    exports.orchestratedRemoteSchema.extend(standaloneOptionSchema),
-]);
-// ============================================
-// HELPER FUNCTIONS
-// ============================================
-/**
- * Parse and validate auth options with defaults
- */
-function parseAuthOptions(input) {
-    return exports.authOptionsSchema.parse(input);
-}
-/**
- * Check if options are public mode
- */
-function isPublicMode(options) {
-    return options.mode === 'public';
-}
-/**
- * Check if options are transparent mode
- */
-function isTransparentMode(options) {
-    return options.mode === 'transparent';
-}
-/**
- * Check if options are orchestrated mode
- */
-function isOrchestratedMode(options) {
-    return options.mode === 'orchestrated';
-}
-/**
- * Check if orchestrated options are local type
- */
-function isOrchestratedLocal(options) {
-    return options.type === 'local';
-}
-/**
- * Check if orchestrated options are remote type
- */
-function isOrchestratedRemote(options) {
-    return options.type === 'remote';
-}
-/**
- * Check if options allow public/anonymous access
- */
-function allowsPublicAccess(options) {
-    if (options.mode === 'public')
-        return true;
-    if (options.mode === 'transparent')
-        return options.allowAnonymous;
-    if (options.mode === 'orchestrated')
-        return options.allowDefaultPublic;
-    return false;
-}
-//# sourceMappingURL=auth.options.js.map

package/src/common/types/options/auth.options.js.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"file":"auth.options.js","sourceRoot":"","sources":["../../../../../src/common/types/options/auth.options.ts"],"names":[],"mappings":";AAAA,uCAAuC;;;AAyuBvC,4CAEC;AAKD,oCAEC;AAKD,8CAEC;AAKD,gDAEC;AAKD,kDAEC;AAKD,oDAEC;AAKD,gDAKC;AAtxBD,6BAAwB;AACxB,kCAA6E;AAE7E,2FAA+F;AAE/F,+CAA+C;AAC/C,iBAAiB;AACjB,+CAA+C;AAE/C;;GAEG;AACU,QAAA,wBAAwB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC/C;;;OAGG;IACH,KAAK,EAAE,OAAC,CAAC,KAAK,CAAC,CAAC,OAAC,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC;IAEtE;;;OAGG;IACH,OAAO,EAAE,OAAC,CAAC,KAAK,CAAC,CAAC,OAAC,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC;IAExE;;;OAGG;IACH,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC;CAClC,CAAC,CAAC;AAEH;;GAEG;AACU,QAAA,wBAAwB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC/C;;;OAGG;IACH,OAAO,EAAE,gBAAS,CAAC,EAAE,CAAC,OAAC,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC,CAAC,QAAQ,EAAE;IAE1D;;;OAGG;IACH,IAAI,EAAE,0BAAmB,CAAC,QAAQ,EAAE;IAEpC;;;OAGG;IACH,MAAM,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CAC9B,CAAC,CAAC;AAEH;;GAEG;AACU,QAAA,0BAA0B,GAAG,OAAC,CAAC,MAAM,CAAC;IACjD;;;OAGG;IACH,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE;IAE1B;;OAEG;IACH,IAAI,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAE3B;;;OAGG;IACH,EAAE,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAEzB;;;OAGG;IACH,IAAI,EAAE,0BAAmB,CAAC,QAAQ,EAAE;IAEpC;;OAEG;IACH,OAAO,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAEpC;;OAEG;IACH,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAE/B;;OAEG;IACH,YAAY,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAEnC;;OAEG;IACH,MAAM,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IAEtC;;;OAGG;IACH,UAAU,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;IAEtC;;OAEG;IACH,YAAY,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAEzC;;OAEG;IACH,aAAa,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAE1C;;OAEG;IACH,oBAAoB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAEjD;;OAEG;IACH,gBAAgB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;CAC9C,CAAC,CAAC;AAEH;;GAEG;AACU,QAAA,wBAAwB,GAAG,OAAC,CAAC,kBAAkB,CAAC,MAAM,EAAE;IACnE,OAAC,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,OAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;IACvC,OAAC,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,OAAC,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,MAAM,EAAE,2CAAiB,EAAE,CAAC;CAClE,CAAC,CAAC;AAEH;;GAEG;AACU,QAAA,wBAAwB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC/C;;;OAGG;IACH,OAAO,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IAElC;;;OAGG;IACH,WAAW,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC;CACpC,CAAC,CAAC;AAEH;;GAEG;AACU,QAAA,wBAAwB,GAAG,OAAC,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,cAAc,CAAC,CAAC,CAAC;AAE9E;;;;;;;;GAQG;AACU,QAAA,mBAAmB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC1C;;;;OAIG;IACH,OAAO,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;IAEnC;;;OAGG;IACH,UAAU,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IAErC;;;OAGG;IACH,gBAAgB,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IAE3C;;;OAGG;IACH,cAAc,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IAEzC;;;OAGG;IACH,gBAAgB,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IAE3C;;OAEG;IACH,aAAa,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAEpC;;;OAGG;IACH,eAAe,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IAE1C;;;OAGG;IACH,aAAa,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IAE7C;;OAEG;IACH,oBAAoB,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;CACrD,CAAC,CAAC;AAEH;;;GAGG;AACU,QAAA,2BAA2B,GAAG,OAAC,CAAC,MAAM,CAAC;IAClD;;;;;OAKG;IACH,OAAO,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IAElC;;;;;OAKG;IACH,kBAAkB,EAAE,gCAAwB,CAAC,OAAO,CAAC,WAAW,CAAC;IAEjE;;;OAGG;IACH,SAAS,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IAEpC;;;OAGG;IACH,iBAAiB,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;CAC7C,CAAC,CAAC;AAEH,+CAA+C;AAC/C,gCAAgC;AAChC,sEAAsE;AACtE,0CAA0C;AAC1C,sBAAsB;AACtB,+CAA+C;AAE/C;;GAEG;AACU,QAAA,+BAA+B,GAAG,OAAC;KAC7C,MAAM,CAAC;IACN,OAAO,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;IACnC,KAAK,EAAE,2CAAiB,CAAC,QAAQ,EAAE;IACnC,YAAY,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC;CAC3D,CAAC;KACD,MAAM,CACL,CAAC,IAAI,EAAE,EAAE;IACP,IAAI,IAAI,CAAC,OAAO,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;QAChC,OAAO,KAAK,CAAC;IACf,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC,EACD;IACE,OAAO,EAAE,sEAAsE;IAC/E,IAAI,EAAE,CAAC,OAAO,CAAC;CAChB,CACF,CAAC;AAEJ;;GAEG;AACU,QAAA,qBAAqB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC5C,eAAe,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;IAC3C,iBAAiB,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IAC5C,oBAAoB,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IAC/C,mBAAmB,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;IAC/C,kBAAkB,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;IAC9C,2BAA2B,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IACtD,UAAU,EAAE,OAAC,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,uCAA+B,CAAC,CAAC,QAAQ,EAAE;CACrE,CAAC,CAAC;AAEH,+CAA+C;AAC/C,cAAc;AACd,+CAA+C;AAC/C,+CAA+C;AAElC,QAAA,uBAAuB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC9C,IAAI,EAAE,OAAC,CAAC,OAAO,CAAC,QAAQ,CAAC;IAEzB;;;OAGG;IACH,MAAM,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAE7B;;;OAGG;IACH,UAAU,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IAEpC;;;OAGG;IACH,eAAe,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,WAAW,CAAC,CAAC;IAE3D;;OAEG;IACH,YAAY,EAAE,gCAAwB,CAAC,QAAQ,EAAE;IAEjD;;;OAGG;IACH,IAAI,EAAE,0BAAmB,CAAC,QAAQ,EAAE;IAEpC;;;OAGG;IACH,OAAO,EAAE,gBAAS,CAAC,EAAE,CAAC,OAAC,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC,CAAC,QAAQ,EAAE;IAE1D;;OAEG;IACH,SAAS,EAAE,6BAAqB,CAAC,QAAQ,EAAE;CAC5C,CAAC,CAAC;AAEH,+CAA+C;AAC/C,mBAAmB;AACnB,iDAAiD;AACjD,+CAA+C;AAElC,QAAA,4BAA4B,GAAG,OAAC,CAAC,MAAM,CAAC;IACnD,IAAI,EAAE,OAAC,CAAC,OAAO,CAAC,aAAa,CAAC;IAE9B;;OAEG;IACH,MAAM,EAAE,kCAA0B;IAElC;;;OAGG;IACH,gBAAgB,EAAE,OAAC,CAAC,KAAK,CAAC,CAAC,OAAC,CAAC,MAAM,EAAE,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE;IAEvE;;;;OAIG;IACH,cAAc,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC;IAE/C;;;OAGG;IACH,cAAc,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;IAE1C;;;OAGG;IACH,eAAe,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,WAAW,CAAC,CAAC;IAE3D;;OAEG;IACH,YAAY,EAAE,gCAAwB,CAAC,QAAQ,EAAE;IAEjD;;OAEG;IACH,SAAS,EAAE,6BAAqB,CAAC,QAAQ,EAAE;CAC5C,CAAC,CAAC;AAEH,+CAA+C;AAC/C,oBAAoB;AACpB,+DAA+D;AAC/D,+CAA+C;AAE/C;;GAEG;AACU,QAAA,uBAAuB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC9C,IAAI,EAAE,OAAC,CAAC,OAAO,CAAC,cAAc,CAAC;IAC/B,IAAI,EAAE,OAAC,CAAC,OAAO,CAAC,OAAO,CAAC;IAExB;;OAEG;IACH,KAAK,EAAE,gCAAwB,CAAC,QAAQ,EAAE;IAE1C;;;OAGG;IACH,YAAY,EAAE,gCAAwB,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC;IAElE;;;;;OAKG;IACH,WAAW,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC;IAElE;;;;;OAKG;IACH,kBAAkB,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;IAE9C;;;OAGG;IACH,eAAe,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,WAAW,CAAC,CAAC;IAE3D;;OAEG;IACH,YAAY,EAAE,gCAAwB,CAAC,QAAQ,EAAE;IAEjD;;;;OAIG;IACH,OAAO,EAAE,2BAAmB,CAAC,QAAQ,EAAE;IAEvC;;OAEG;IACH,OAAO,EAAE,gCAAwB,CAAC,QAAQ,EAAE;IAE5C;;OAEG;IACH,gBAAgB,EAAE,OAAC,CAAC,KAAK,CAAC,CAAC,OAAC,CAAC,MAAM,EAAE,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE;IAEvE;;;;OAIG;IACH,eAAe,EAAE,mCAA2B,CAAC,QAAQ,EAAE;IAEvD;;OAEG;IACH,SAAS,EAAE,6BAAqB,CAAC,QAAQ,EAAE;CAC5C,CAAC,CAAC;AAEH;;GAEG;AACU,QAAA,wBAAwB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC/C,IAAI,EAAE,OAAC,CAAC,OAAO,CAAC,cAAc,CAAC;IAC/B,IAAI,EAAE,OAAC,CAAC,OAAO,CAAC,QAAQ,CAAC;IAEzB;;OAEG;IACH,MAAM,EAAE,kCAA0B;IAElC;;OAEG;IACH,KAAK,EAAE,gCAAwB,CAAC,QAAQ,EAAE;IAE1C;;;OAGG;IACH,YAAY,EAAE,gCAAwB,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC;IAElE;;;;;OAKG;IACH,WAAW,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC;IAElE;;;;;OAKG;IACH,kBAAkB,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;IAE9C;;;OAGG;IACH,eAAe,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,WAAW,CAAC,CAAC;IAE3D;;OAEG;IACH,YAAY,EAAE,gCAAwB,CAAC,QAAQ,EAAE;IAEjD;;;;OAIG;IACH,OAAO,EAAE,2BAAmB,CAAC,QAAQ,EAAE;IAEvC;;OAEG;IACH,OAAO,EAAE,gCAAwB,CAAC,QAAQ,EAAE;IAE5C;;OAEG;IACH,gBAAgB,EAAE,OAAC,CAAC,KAAK,CAAC,CAAC,OAAC,CAAC,MAAM,EAAE,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE;IAEvE;;;;OAIG;IACH,eAAe,EAAE,mCAA2B,CAAC,QAAQ,EAAE;IAEvD;;OAEG;IACH,SAAS,EAAE,6BAAqB,CAAC,QAAQ,EAAE;CAC5C,CAAC,CAAC;AAEH,+BAA+B;AAClB,QAAA,6BAA6B,GAAG,OAAC,CAAC,kBAAkB,CAAC,MAAM,EAAE;IACxE,+BAAuB;IACvB,gCAAwB;CACzB,CAAC,CAAC;AAEH,+CAA+C;AAC/C,uBAAuB;AACvB,+CAA+C;AAE/C;;;;GAIG;AACU,QAAA,iBAAiB,GAAG,OAAC,CAAC,KAAK,CAAC;IACvC,+BAAuB;IACvB,oCAA4B;IAC5B,+BAAuB;IACvB,gCAAwB;CACzB,CAAC,CAAC;AAgJH,MAAM,sBAAsB,GAAG;IAC7B,UAAU,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IAClC,iBAAiB,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;CACF,CAAC;AAE7B,QAAA,oBAAoB,GAAG,OAAC,CAAC,KAAK,CAAC;IAC1C,+BAAuB,CAAC,MAAM,CAAC,sBAAsB,CAAC;IACtD,oCAA4B,CAAC,MAAM,CAAC,sBAAsB,CAAC;IAC3D,+BAAuB,CAAC,MAAM,CAAC,sBAAsB,CAAC;IACtD,gCAAwB,CAAC,MAAM,CAAC,sBAAsB,CAAC;CACxD,CAAC,CAAC;AAKH,+CAA+C;AAC/C,mBAAmB;AACnB,+CAA+C;AAE/C;;GAEG;AACH,SAAgB,gBAAgB,CAAC,KAAuB;IACtD,OAAO,yBAAiB,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;AACxC,CAAC;AAED;;GAEG;AACH,SAAgB,YAAY,CAAC,OAAuC;IAClE,OAAO,OAAO,CAAC,IAAI,KAAK,QAAQ,CAAC;AACnC,CAAC;AAED;;GAEG;AACH,SAAgB,iBAAiB,CAAC,OAAuC;IACvE,OAAO,OAAO,CAAC,IAAI,KAAK,aAAa,CAAC;AACxC,CAAC;AAED;;GAEG;AACH,SAAgB,kBAAkB,CAAC,OAAuC;IACxE,OAAO,OAAO,CAAC,IAAI,KAAK,cAAc,CAAC;AACzC,CAAC;AAED;;GAEG;AACH,SAAgB,mBAAmB,CAAC,OAAgC;IAClE,OAAO,OAAO,CAAC,IAAI,KAAK,OAAO,CAAC;AAClC,CAAC;AAED;;GAEG;AACH,SAAgB,oBAAoB,CAAC,OAAgC;IACnE,OAAO,OAAO,CAAC,IAAI,KAAK,QAAQ,CAAC;AACnC,CAAC;AAED;;GAEG;AACH,SAAgB,kBAAkB,CAAC,OAAoB;IACrD,IAAI,OAAO,CAAC,IAAI,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IAC3C,IAAI,OAAO,CAAC,IAAI,KAAK,aAAa;QAAE,OAAO,OAAO,CAAC,cAAc,CAAC;IAClE,IAAI,OAAO,CAAC,IAAI,KAAK,cAAc;QAAE,OAAO,OAAO,CAAC,kBAAkB,CAAC;IACvE,OAAO,KAAK,CAAC;AACf,CAAC","sourcesContent":["// common/types/options/auth.options.ts\n\nimport { z } from 'zod';\nimport { JSONWebKeySet, jsonWebKeySetSchema, JWK, jwkSchema } from '../auth';\nimport { RawZodShape } from '../common.types';\nimport { RedisConfig, redisConfigSchema } from '../../../auth/session/transport-session.types';\n\n// ============================================\n// SHARED SCHEMAS\n// ============================================\n\n/**\n * Public access configuration for tools/prompts\n */\nexport const publicAccessConfigSchema = z.object({\n /**\n * Allow all tools or explicit whitelist\n * @default 'all'\n */\n tools: z.union([z.literal('all'), z.array(z.string())]).default('all'),\n\n /**\n * Allow all prompts or explicit whitelist\n * @default 'all'\n */\n prompts: z.union([z.literal('all'), z.array(z.string())]).default('all'),\n\n /**\n * Rate limit per IP per minute\n * @default 60\n */\n rateLimit: z.number().default(60),\n});\n\n/**\n * Local signing configuration (for orchestrated local type)\n */\nexport const localSigningConfigSchema = z.object({\n /**\n * Private key for signing orchestrated tokens\n * @default auto-generated\n */\n signKey: jwkSchema.or(z.instanceof(Uint8Array)).optional(),\n\n /**\n * JWKS for token verification\n * @default auto-generated\n */\n jwks: jsonWebKeySetSchema.optional(),\n\n /**\n * Issuer identifier for orchestrated tokens\n * @default auto-derived from server URL\n */\n issuer: z.string().optional(),\n});\n\n/**\n * Remote OAuth provider configuration (for orchestrated remote and transparent)\n */\nexport const remoteProviderConfigSchema = z.object({\n /**\n * OAuth provider base URL\n * @example 'https://auth.example.com'\n */\n provider: z.string().url(),\n\n /**\n * Provider display name\n */\n name: z.string().optional(),\n\n /**\n * Unique identifier for this provider\n * @default derived from provider URL\n */\n id: z.string().optional(),\n\n /**\n * Inline JWKS for offline token verification\n * Falls back to fetching from provider's /.well-known/jwks.json\n */\n jwks: jsonWebKeySetSchema.optional(),\n\n /**\n * Custom JWKS URI if not at standard path\n */\n jwksUri: z.string().url().optional(),\n\n /**\n * Client ID for this MCP server (for orchestrated mode)\n */\n clientId: z.string().optional(),\n\n /**\n * Client secret (for confidential clients in orchestrated mode)\n */\n clientSecret: z.string().optional(),\n\n /**\n * Scopes to request from the upstream provider\n */\n scopes: z.array(z.string()).optional(),\n\n /**\n * Enable Dynamic Client Registration (DCR)\n * @default false\n */\n dcrEnabled: z.boolean().default(false),\n\n /**\n * Authorization endpoint override\n */\n authEndpoint: z.string().url().optional(),\n\n /**\n * Token endpoint override\n */\n tokenEndpoint: z.string().url().optional(),\n\n /**\n * Registration endpoint override (for DCR)\n */\n registrationEndpoint: z.string().url().optional(),\n\n /**\n * User info endpoint override\n */\n userInfoEndpoint: z.string().url().optional(),\n});\n\n/**\n * Token storage configuration for orchestrated mode\n */\nexport const tokenStorageConfigSchema = z.discriminatedUnion('type', [\n z.object({ type: z.literal('memory') }),\n z.object({ type: z.literal('redis'), config: redisConfigSchema }),\n]);\n\n/**\n * Token refresh configuration\n */\nexport const tokenRefreshConfigSchema = z.object({\n /**\n * Enable automatic token refresh\n * @default true\n */\n enabled: z.boolean().default(true),\n\n /**\n * Refresh token before expiry by this many seconds\n * @default 60\n */\n skewSeconds: z.number().default(60),\n});\n\n/**\n * Behavior when a tool from a skipped (not yet authorized) app is called\n */\nexport const skippedAppBehaviorSchema = z.enum(['anonymous', 'require-auth']);\n\n/**\n * Consent configuration for tool selection\n * Allows users to choose which MCP tools to expose to the LLM\n *\n * Note: This schema is the canonical definition. It is duplicated in\n * auth/consent/consent.types.ts for domain-specific use. Both schemas\n * MUST be kept in sync. The duplication exists to avoid circular\n * dependencies between common/ and auth/ modules.\n */\nexport const consentConfigSchema = z.object({\n /**\n * Enable consent flow for tool selection\n * When enabled, users can choose which tools to expose to the LLM\n * @default false\n */\n enabled: z.boolean().default(false),\n\n /**\n * Group tools by app in the consent UI\n * @default true\n */\n groupByApp: z.boolean().default(true),\n\n /**\n * Show tool descriptions in consent UI\n * @default true\n */\n showDescriptions: z.boolean().default(true),\n\n /**\n * Allow selecting all tools at once\n * @default true\n */\n allowSelectAll: z.boolean().default(true),\n\n /**\n * Require at least one tool to be selected\n * @default true\n */\n requireSelection: z.boolean().default(true),\n\n /**\n * Custom message to display on consent page\n */\n customMessage: z.string().optional(),\n\n /**\n * Remember consent for future sessions\n * @default true\n */\n rememberConsent: z.boolean().default(true),\n\n /**\n * Tools to exclude from consent (always available)\n * Useful for essential tools that should always be accessible\n */\n excludedTools: z.array(z.string()).optional(),\n\n /**\n * Tools to always include in consent (pre-selected)\n */\n defaultSelectedTools: z.array(z.string()).optional(),\n});\n\n/**\n * Progressive/Incremental authorization configuration\n * Allows users to authorize apps one at a time after initial auth\n */\nexport const incrementalAuthConfigSchema = z.object({\n /**\n * Enable incremental (progressive) authorization\n * When enabled, users can skip app authorizations during initial auth\n * and authorize individual apps later when needed\n * @default true\n */\n enabled: z.boolean().default(true),\n\n /**\n * Behavior when a tool from a skipped app is called\n * - 'anonymous': If app supports anonymous access, use it; otherwise require auth\n * - 'require-auth': Always require authorization (return auth_url)\n * @default 'anonymous'\n */\n skippedAppBehavior: skippedAppBehaviorSchema.default('anonymous'),\n\n /**\n * Allow users to skip app authorization during initial auth flow\n * @default true\n */\n allowSkip: z.boolean().default(true),\n\n /**\n * Show all apps in a single authorization page (vs step-by-step)\n * @default true\n */\n showAllAppsAtOnce: z.boolean().default(true),\n});\n\n// ============================================\n// TRANSPORT CONFIG (DEPRECATED)\n// These schemas are kept for backward compatibility during migration.\n// Use top-level transport config instead.\n// DELETE after v1.0.0\n// ============================================\n\n/**\n * @deprecated Use top-level transport config instead. This will be removed in v1.0.0.\n */\nexport const transportRecreationConfigSchema = z\n .object({\n enabled: z.boolean().default(false),\n redis: redisConfigSchema.optional(),\n defaultTtlMs: z.number().int().positive().default(3600000),\n })\n .refine(\n (data) => {\n if (data.enabled && !data.redis) {\n return false;\n }\n return true;\n },\n {\n message: 'Redis configuration is required when transport recreation is enabled',\n path: ['redis'],\n },\n );\n\n/**\n * @deprecated Use top-level transport config instead. This will be removed in v1.0.0.\n */\nexport const transportConfigSchema = z.object({\n enableLegacySSE: z.boolean().default(false),\n enableSseListener: z.boolean().default(true),\n enableStreamableHttp: z.boolean().default(true),\n enableStatelessHttp: z.boolean().default(false),\n enableStatefulHttp: z.boolean().default(false),\n requireSessionForStreamable: z.boolean().default(true),\n recreation: z.lazy(() => transportRecreationConfigSchema).optional(),\n});\n\n// ============================================\n// PUBLIC MODE\n// No authentication required, anonymous access\n// ============================================\n\nexport const publicAuthOptionsSchema = z.object({\n mode: z.literal('public'),\n\n /**\n * Issuer identifier for anonymous JWTs\n * @default auto-derived from server URL\n */\n issuer: z.string().optional(),\n\n /**\n * Anonymous session TTL in seconds\n * @default 3600 (1 hour)\n */\n sessionTtl: z.number().default(3600),\n\n /**\n * Scopes granted to anonymous sessions\n * @default ['anonymous']\n */\n anonymousScopes: z.array(z.string()).default(['anonymous']),\n\n /**\n * Tool/prompt access configuration for anonymous users\n */\n publicAccess: publicAccessConfigSchema.optional(),\n\n /**\n * JWKS for token verification\n * @default auto-generated\n */\n jwks: jsonWebKeySetSchema.optional(),\n\n /**\n * Private key for signing anonymous tokens\n * @default auto-generated\n */\n signKey: jwkSchema.or(z.instanceof(Uint8Array)).optional(),\n\n /**\n * @deprecated Use top-level transport config instead. Kept for backward compatibility.\n */\n transport: transportConfigSchema.optional(),\n});\n\n// ============================================\n// TRANSPARENT MODE\n// Pass-through OAuth tokens from remote provider\n// ============================================\n\nexport const transparentAuthOptionsSchema = z.object({\n mode: z.literal('transparent'),\n\n /**\n * Remote OAuth provider configuration (required)\n */\n remote: remoteProviderConfigSchema,\n\n /**\n * Expected token audience\n * If not set, defaults to the resource URL\n */\n expectedAudience: z.union([z.string(), z.array(z.string())]).optional(),\n\n /**\n * Required scopes for access\n * Empty array means any valid token is accepted\n * @default []\n */\n requiredScopes: z.array(z.string()).default([]),\n\n /**\n * Allow anonymous fallback when no token is provided\n * @default false\n */\n allowAnonymous: z.boolean().default(false),\n\n /**\n * Scopes granted to anonymous sessions (when allowAnonymous=true)\n * @default ['anonymous']\n */\n anonymousScopes: z.array(z.string()).default(['anonymous']),\n\n /**\n * Public access config for anonymous users (when allowAnonymous=true)\n */\n publicAccess: publicAccessConfigSchema.optional(),\n\n /**\n * @deprecated Use top-level transport config instead. Kept for backward compatibility.\n */\n transport: transportConfigSchema.optional(),\n});\n\n// ============================================\n// ORCHESTRATED MODE\n// Local auth server that can proxy to remote or be fully local\n// ============================================\n\n/**\n * Orchestrated mode with local authentication only\n */\nexport const orchestratedLocalSchema = z.object({\n mode: z.literal('orchestrated'),\n type: z.literal('local'),\n\n /**\n * Local signing configuration\n */\n local: localSigningConfigSchema.optional(),\n\n /**\n * Token storage configuration\n * @default { type: 'memory' }\n */\n tokenStorage: tokenStorageConfigSchema.default({ type: 'memory' }),\n\n /**\n * Session storage mode\n * - 'stateful': Store sessions in Redis/memory, JWT contains only reference\n * - 'stateless': All state encrypted in JWT\n * @default 'stateful'\n */\n sessionMode: z.enum(['stateful', 'stateless']).default('stateful'),\n\n /**\n * Allow default public access for unauthenticated requests\n * When true: all tools are public by default, only tools marked with scopes require auth\n * When false: all tools require authentication by default\n * @default false\n */\n allowDefaultPublic: z.boolean().default(false),\n\n /**\n * Scopes granted to anonymous sessions (when allowDefaultPublic=true)\n * @default ['anonymous']\n */\n anonymousScopes: z.array(z.string()).default(['anonymous']),\n\n /**\n * Public access config (when allowDefaultPublic=true)\n */\n publicAccess: publicAccessConfigSchema.optional(),\n\n /**\n * Consent flow configuration for tool selection\n * Allows users to choose which MCP tools to expose to the LLM\n * @default { enabled: false }\n */\n consent: consentConfigSchema.optional(),\n\n /**\n * Token refresh settings\n */\n refresh: tokenRefreshConfigSchema.optional(),\n\n /**\n * Expected token audience for validation\n */\n expectedAudience: z.union([z.string(), z.array(z.string())]).optional(),\n\n /**\n * Incremental (progressive) authorization configuration\n * Allows users to skip app authorizations initially and authorize later\n * @default { enabled: true, skippedAppBehavior: 'anonymous' }\n */\n incrementalAuth: incrementalAuthConfigSchema.optional(),\n\n /**\n * @deprecated Use top-level transport config instead. Kept for backward compatibility.\n */\n transport: transportConfigSchema.optional(),\n});\n\n/**\n * Orchestrated mode with remote OAuth provider\n */\nexport const orchestratedRemoteSchema = z.object({\n mode: z.literal('orchestrated'),\n type: z.literal('remote'),\n\n /**\n * Remote OAuth provider configuration (required for remote type)\n */\n remote: remoteProviderConfigSchema,\n\n /**\n * Local signing configuration (for issuing local tokens after upstream auth)\n */\n local: localSigningConfigSchema.optional(),\n\n /**\n * Token storage configuration\n * @default { type: 'memory' }\n */\n tokenStorage: tokenStorageConfigSchema.default({ type: 'memory' }),\n\n /**\n * Session storage mode\n * - 'stateful': Store sessions in Redis/memory, JWT contains only reference\n * - 'stateless': All state encrypted in JWT\n * @default 'stateful'\n */\n sessionMode: z.enum(['stateful', 'stateless']).default('stateful'),\n\n /**\n * Allow default public access for unauthenticated requests\n * When true: all tools are public by default, only tools marked with scopes require auth\n * When false: all tools require authentication by default\n * @default false\n */\n allowDefaultPublic: z.boolean().default(false),\n\n /**\n * Scopes granted to anonymous sessions (when allowDefaultPublic=true)\n * @default ['anonymous']\n */\n anonymousScopes: z.array(z.string()).default(['anonymous']),\n\n /**\n * Public access config (when allowDefaultPublic=true)\n */\n publicAccess: publicAccessConfigSchema.optional(),\n\n /**\n * Consent flow configuration for tool selection\n * Allows users to choose which MCP tools to expose to the LLM\n * @default { enabled: false }\n */\n consent: consentConfigSchema.optional(),\n\n /**\n * Token refresh settings\n */\n refresh: tokenRefreshConfigSchema.optional(),\n\n /**\n * Expected token audience for validation\n */\n expectedAudience: z.union([z.string(), z.array(z.string())]).optional(),\n\n /**\n * Incremental (progressive) authorization configuration\n * Allows users to skip app authorizations initially and authorize later\n * @default { enabled: true, skippedAppBehavior: 'anonymous' }\n */\n incrementalAuth: incrementalAuthConfigSchema.optional(),\n\n /**\n * @deprecated Use top-level transport config instead. Kept for backward compatibility.\n */\n transport: transportConfigSchema.optional(),\n});\n\n// Combined orchestrated schema\nexport const orchestratedAuthOptionsSchema = z.discriminatedUnion('type', [\n orchestratedLocalSchema,\n orchestratedRemoteSchema,\n]);\n\n// ============================================\n// UNIFIED AUTH OPTIONS\n// ============================================\n\n/**\n * Main auth options schema - discriminated by 'mode'\n *\n * Uses z.union because we have nested discriminators (orchestrated has 'type')\n */\nexport const authOptionsSchema = z.union([\n publicAuthOptionsSchema,\n transparentAuthOptionsSchema,\n orchestratedLocalSchema,\n orchestratedRemoteSchema,\n]);\n\n// ============================================\n// TYPE EXPORTS\n// ============================================\n\n/**\n * Public access configuration\n */\nexport type PublicAccessConfig = z.infer<typeof publicAccessConfigSchema>;\nexport type PublicAccessConfigInput = z.input<typeof publicAccessConfigSchema>;\n\n/**\n * Local signing configuration\n */\nexport type LocalSigningConfig = z.infer<typeof localSigningConfigSchema>;\nexport type LocalSigningConfigInput = z.input<typeof localSigningConfigSchema>;\n\n/**\n * Remote provider configuration\n */\nexport type RemoteProviderConfig = z.infer<typeof remoteProviderConfigSchema>;\nexport type RemoteProviderConfigInput = z.input<typeof remoteProviderConfigSchema>;\n\n/**\n * Token storage configuration\n */\nexport type TokenStorageConfig = z.infer<typeof tokenStorageConfigSchema>;\nexport type TokenStorageConfigInput = z.input<typeof tokenStorageConfigSchema>;\n\n/**\n * Token refresh configuration\n */\nexport type TokenRefreshConfig = z.infer<typeof tokenRefreshConfigSchema>;\nexport type TokenRefreshConfigInput = z.input<typeof tokenRefreshConfigSchema>;\n\n/**\n * Incremental (progressive) authorization configuration\n */\nexport type IncrementalAuthConfig = z.infer<typeof incrementalAuthConfigSchema>;\nexport type IncrementalAuthConfigInput = z.input<typeof incrementalAuthConfigSchema>;\n\n/**\n * Skipped app behavior type\n */\nexport type SkippedAppBehavior = z.infer<typeof skippedAppBehaviorSchema>;\n\n/**\n * Consent configuration for tool selection\n */\nexport type ConsentConfig = z.infer<typeof consentConfigSchema>;\nexport type ConsentConfigInput = z.input<typeof consentConfigSchema>;\n\n/**\n * @deprecated Use TransportOptions from transport.options.ts instead\n */\nexport type TransportConfig = z.infer<typeof transportConfigSchema>;\n/**\n * @deprecated Use TransportOptionsInput from transport.options.ts instead\n */\nexport type TransportConfigInput = z.input<typeof transportConfigSchema>;\n\n/**\n * @deprecated Use TransportPersistenceConfig from transport.options.ts instead\n */\nexport type TransportRecreationConfig = z.infer<typeof transportRecreationConfigSchema>;\n/**\n * @deprecated Use TransportPersistenceConfigInput from transport.options.ts instead\n */\nexport type TransportRecreationConfigInput = z.input<typeof transportRecreationConfigSchema>;\n\n/**\n * Public mode options (output type with defaults applied)\n */\nexport type PublicAuthOptions = z.infer<typeof publicAuthOptionsSchema>;\nexport type PublicAuthOptionsInput = z.input<typeof publicAuthOptionsSchema>;\n\n/**\n * Transparent mode options (output type with defaults applied)\n */\nexport type TransparentAuthOptions = z.infer<typeof transparentAuthOptionsSchema>;\nexport type TransparentAuthOptionsInput = z.input<typeof transparentAuthOptionsSchema>;\n\n/**\n * Orchestrated local mode options\n */\nexport type OrchestratedLocalOptions = z.infer<typeof orchestratedLocalSchema>;\nexport type OrchestratedLocalOptionsInput = z.input<typeof orchestratedLocalSchema>;\n\n/**\n * Orchestrated remote mode options\n */\nexport type OrchestratedRemoteOptions = z.infer<typeof orchestratedRemoteSchema>;\nexport type OrchestratedRemoteOptionsInput = z.input<typeof orchestratedRemoteSchema>;\n\n/**\n * Orchestrated mode options (union of local and remote)\n */\nexport type OrchestratedAuthOptions = z.infer<typeof orchestratedAuthOptionsSchema>;\nexport type OrchestratedAuthOptionsInput = z.input<typeof orchestratedAuthOptionsSchema>;\n\n/**\n * Auth options (output type with defaults applied)\n * Use this type when working with parsed/validated options\n */\nexport type AuthOptions = z.infer<typeof authOptionsSchema>;\n\n/**\n * Auth options input (input type for user configuration)\n * Use this type for the @frontmcp configuration\n */\nexport type AuthOptionsInput = z.input<typeof authOptionsSchema>;\n\n/**\n * Authentication mode\n */\nexport type AuthMode = 'public' | 'transparent' | 'orchestrated';\n\n/**\n * Orchestrated type (local or remote)\n */\nexport type OrchestratedType = 'local' | 'remote';\n\n// ============================================\n// APP-LEVEL AUTH OPTIONS (with standalone)\n// ============================================\n\ntype StandaloneOption = {\n /**\n * If the provider is standalone, it will register an OAuth service provider\n * on app's entry path. If not standalone, it will be registered as a child\n * provider under the root provider.\n * @default false\n */\n standalone?: boolean;\n\n /**\n * If the provider should be excluded from the parent provider's discovery.\n * Used for standalone providers.\n * @default false\n */\n excludeFromParent?: boolean;\n};\n\nconst standaloneOptionSchema = {\n standalone: z.boolean().optional(),\n excludeFromParent: z.boolean().optional(),\n} satisfies RawZodShape<StandaloneOption>;\n\nexport const appAuthOptionsSchema = z.union([\n publicAuthOptionsSchema.extend(standaloneOptionSchema),\n transparentAuthOptionsSchema.extend(standaloneOptionSchema),\n orchestratedLocalSchema.extend(standaloneOptionSchema),\n orchestratedRemoteSchema.extend(standaloneOptionSchema),\n]);\n\nexport type AppAuthOptions = z.infer<typeof appAuthOptionsSchema>;\nexport type AppAuthOptionsInput = z.input<typeof appAuthOptionsSchema>;\n\n// ============================================\n// HELPER FUNCTIONS\n// ============================================\n\n/**\n * Parse and validate auth options with defaults\n */\nexport function parseAuthOptions(input: AuthOptionsInput): AuthOptions {\n return authOptionsSchema.parse(input);\n}\n\n/**\n * Check if options are public mode\n */\nexport function isPublicMode(options: AuthOptions | AuthOptionsInput): options is PublicAuthOptions {\n return options.mode === 'public';\n}\n\n/**\n * Check if options are transparent mode\n */\nexport function isTransparentMode(options: AuthOptions | AuthOptionsInput): options is TransparentAuthOptions {\n return options.mode === 'transparent';\n}\n\n/**\n * Check if options are orchestrated mode\n */\nexport function isOrchestratedMode(options: AuthOptions | AuthOptionsInput): options is OrchestratedAuthOptions {\n return options.mode === 'orchestrated';\n}\n\n/**\n * Check if orchestrated options are local type\n */\nexport function isOrchestratedLocal(options: OrchestratedAuthOptions): options is OrchestratedLocalOptions {\n return options.type === 'local';\n}\n\n/**\n * Check if orchestrated options are remote type\n */\nexport function isOrchestratedRemote(options: OrchestratedAuthOptions): options is OrchestratedRemoteOptions {\n return options.type === 'remote';\n}\n\n/**\n * Check if options allow public/anonymous access\n */\nexport function allowsPublicAccess(options: AuthOptions): boolean {\n if (options.mode === 'public') return true;\n if (options.mode === 'transparent') return options.allowAnonymous;\n if (options.mode === 'orchestrated') return options.allowDefaultPublic;\n return false;\n}\n"]}

package/src/common/types/options/http.options.js DELETED Viewed

@@ -1,10 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.httpOptionsSchema = void 0;
-const zod_1 = require("zod");
-exports.httpOptionsSchema = zod_1.z.object({
-    port: zod_1.z.number().optional().default(3001),
-    entryPath: zod_1.z.string().default(''),
-    hostFactory: zod_1.z.any().optional(),
-});
-//# sourceMappingURL=http.options.js.map

package/src/common/types/options/http.options.js.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"file":"http.options.js","sourceRoot":"","sources":["../../../../../src/common/types/options/http.options.ts"],"names":[],"mappings":";;;AAAA,6BAAwB;AAYX,QAAA,iBAAiB,GAAG,OAAC,CAAC,MAAM,CAAC;IACxC,IAAI,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IACzC,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC;IACjC,WAAW,EAAE,OAAC,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;CAChC,CAAC,CAAC","sourcesContent":["import { z } from 'zod';\nimport { FrontMcpServer, ServerResponse } from '../../interfaces';\n\nexport type HttpOptions = {\n port?: number;\n /** MCP JSON-RPC entry ('' or '/mcp'); MUST match PRM resourcePath returned in well-known */\n entryPath?: string;\n\n hostFactory?: FrontMcpServer | ((config: HttpOptions) => FrontMcpServer);\n};\n\n\nexport const httpOptionsSchema = z.object({\n port: z.number().optional().default(3001),\n entryPath: z.string().default(''),\n hostFactory: z.any().optional(),\n});\n\n\n\nexport type HttpConfig = z.infer<typeof httpOptionsSchema>;"]}

package/src/common/types/options/index.js DELETED Viewed

@@ -1,11 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-const tslib_1 = require("tslib");
-tslib_1.__exportStar(require("./server-info.options"), exports);
-tslib_1.__exportStar(require("./session.options"), exports);
-tslib_1.__exportStar(require("./http.options"), exports);
-tslib_1.__exportStar(require("./auth.options"), exports);
-tslib_1.__exportStar(require("./logging.options"), exports);
-tslib_1.__exportStar(require("./redis.options"), exports);
-tslib_1.__exportStar(require("./transport.options"), exports);
-//# sourceMappingURL=index.js.map

package/src/common/types/options/index.js.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../../src/common/types/options/index.ts"],"names":[],"mappings":";;;AAAA,gEAAsC;AACtC,4DAAkC;AAClC,yDAA+B;AAC/B,yDAA+B;AAC/B,4DAAkC;AAClC,0DAAgC;AAChC,8DAAoC","sourcesContent":["export * from './server-info.options';\nexport * from './session.options';\nexport * from './http.options';\nexport * from './auth.options';\nexport * from './logging.options';\nexport * from './redis.options';\nexport * from './transport.options';\n"]}