@frontmcp/sdk 0.7.2 → 0.8.0

package/auth/session/authorization.store.d.ts

@@ -1,302 +0,0 @@
-/**
- * Authorization Store for OAuth flows
- *
- * Stores authorization codes, PKCE challenges, and pending authorizations.
- * Supports both in-memory (dev/test) and Redis (production) backends.
- */
-import { z } from 'zod';
-/**
- * PKCE challenge data
- */
-export interface PkceChallenge {
-    /** S256 hashed code_challenge */
-    challenge: string;
-    /** Always 'S256' per OAuth 2.1 */
-    method: 'S256';
-}
-/**
- * Authorization code record stored during the OAuth flow
- */
-export interface AuthorizationCodeRecord {
-    /** The authorization code (opaque string) */
-    code: string;
-    /** Client ID that requested authorization */
-    clientId: string;
-    /** Redirect URI used in the authorization request */
-    redirectUri: string;
-    /** Requested scopes */
-    scopes: string[];
-    /** PKCE challenge for verification */
-    pkce: PkceChallenge;
-    /** User identifier (sub claim) */
-    userSub: string;
-    /** User email if available */
-    userEmail?: string;
-    /** User name if available */
-    userName?: string;
-    /** Original state parameter */
-    state?: string;
-    /** Creation timestamp (epoch ms) */
-    createdAt: number;
-    /** Expiration timestamp (epoch ms) - codes are short-lived (60s default) */
-    expiresAt: number;
-    /** Whether this code has been used (single-use) */
-    used: boolean;
-    /** Resource/audience the token will be issued for */
-    resource?: string;
-    /** Selected tool IDs from consent flow */
-    selectedToolIds?: string[];
-    /** Selected provider IDs from federated login */
-    selectedProviderIds?: string[];
-    /** Skipped provider IDs from federated login (for progressive auth) */
-    skippedProviderIds?: string[];
-    /** Whether consent was enabled for this authorization */
-    consentEnabled?: boolean;
-    /** Whether federated login was used */
-    federatedLoginUsed?: boolean;
-}
-/**
- * Consent state for tool selection
- */
-export interface ConsentStateRecord {
-    /** Whether consent flow is enabled */
-    enabled: boolean;
-    /** Available tool IDs for consent */
-    availableToolIds: string[];
-    /** Selected tool IDs (after user selection) */
-    selectedToolIds?: string[];
-    /** Whether consent has been completed */
-    consentCompleted: boolean;
-    /** Timestamp when consent was completed */
-    consentCompletedAt?: number;
-}
-/**
- * Federated login state for multi-provider auth
- */
-export interface FederatedLoginStateRecord {
-    /** Available provider IDs */
-    providerIds: string[];
-    /** Selected provider IDs */
-    selectedProviderIds?: string[];
-    /** Skipped provider IDs */
-    skippedProviderIds?: string[];
-    /** Provider-specific user data (after auth) */
-    providerUserData?: Record<string, {
-        email?: string;
-        name?: string;
-        sub?: string;
-    }>;
-}
-/**
- * Pending authorization request (before user authenticates)
- */
-export interface PendingAuthorizationRecord {
-    /** Unique ID for this pending authorization */
-    id: string;
-    /** Client ID requesting authorization */
-    clientId: string;
-    /** Redirect URI for callback */
-    redirectUri: string;
-    /** Requested scopes */
-    scopes: string[];
-    /** PKCE challenge */
-    pkce: PkceChallenge;
-    /** Original state parameter from client */
-    state?: string;
-    /** Resource/audience */
-    resource?: string;
-    /** Creation timestamp */
-    createdAt: number;
-    /** Expiration timestamp (pending requests expire after 10 minutes) */
-    expiresAt: number;
-    /** Whether this is an incremental authorization request */
-    isIncremental?: boolean;
-    /** Target app ID for incremental authorization */
-    targetAppId?: string;
-    /** Target tool ID that triggered the incremental auth */
-    targetToolId?: string;
-    /** Existing session ID for incremental auth (to expand the token vault) */
-    existingSessionId?: string;
-    /** Existing authorization ID to expand */
-    existingAuthorizationId?: string;
-    /** Federated login state for multi-provider auth */
-    federatedLogin?: FederatedLoginStateRecord;
-    /** Consent state for tool selection */
-    consent?: ConsentStateRecord;
-}
-/**
- * Refresh token record
- */
-export interface RefreshTokenRecord {
-    /** The refresh token (opaque string) */
-    token: string;
-    /** Client ID */
-    clientId: string;
-    /** User identifier */
-    userSub: string;
-    /** Granted scopes */
-    scopes: string[];
-    /** Resource/audience */
-    resource?: string;
-    /** Creation timestamp */
-    createdAt: number;
-    /** Expiration timestamp */
-    expiresAt: number;
-    /** Whether this token has been revoked */
-    revoked: boolean;
-    /** Previous token if rotated */
-    previousToken?: string;
-}
-/**
- * Zod schemas for validation
- */
-export declare const pkceChallengeSchema: z.ZodObject<{
-    challenge: z.ZodString;
-    method: z.ZodLiteral<"S256">;
-}, z.core.$strip>;
-export declare const authorizationCodeRecordSchema: z.ZodObject<{
-    code: z.ZodString;
-    clientId: z.ZodString;
-    redirectUri: z.ZodString;
-    scopes: z.ZodArray<z.ZodString>;
-    pkce: z.ZodObject<{
-        challenge: z.ZodString;
-        method: z.ZodLiteral<"S256">;
-    }, z.core.$strip>;
-    userSub: z.ZodString;
-    userEmail: z.ZodOptional<z.ZodString>;
-    userName: z.ZodOptional<z.ZodString>;
-    state: z.ZodOptional<z.ZodString>;
-    createdAt: z.ZodNumber;
-    expiresAt: z.ZodNumber;
-    used: z.ZodBoolean;
-    resource: z.ZodOptional<z.ZodString>;
-}, z.core.$strip>;
-/**
- * Authorization Store Interface
- */
-export interface AuthorizationStore {
-    storeAuthorizationCode(record: AuthorizationCodeRecord): Promise<void>;
-    getAuthorizationCode(code: string): Promise<AuthorizationCodeRecord | null>;
-    markCodeUsed(code: string): Promise<void>;
-    deleteAuthorizationCode(code: string): Promise<void>;
-    storePendingAuthorization(record: PendingAuthorizationRecord): Promise<void>;
-    getPendingAuthorization(id: string): Promise<PendingAuthorizationRecord | null>;
-    deletePendingAuthorization(id: string): Promise<void>;
-    storeRefreshToken(record: RefreshTokenRecord): Promise<void>;
-    getRefreshToken(token: string): Promise<RefreshTokenRecord | null>;
-    revokeRefreshToken(token: string): Promise<void>;
-    rotateRefreshToken(oldToken: string, newRecord: RefreshTokenRecord): Promise<void>;
-    generateCode(): string;
-    generateRefreshToken(): string;
-    cleanup(): Promise<void>;
-}
-/**
- * PKCE utilities
- */
-export declare function verifyPkce(codeVerifier: string, challenge: PkceChallenge): boolean;
-export declare function generatePkceChallenge(codeVerifier: string): PkceChallenge;
-/**
- * In-Memory Authorization Store
- *
- * Development/testing implementation. Data is lost on restart.
- * For production, use RedisAuthorizationStore.
- */
-export declare class InMemoryAuthorizationStore implements AuthorizationStore {
-    private codes;
-    private pending;
-    private refreshTokens;
-    /** Default TTL for authorization codes (60 seconds) */
-    private readonly codeTtlMs;
-    /** Default TTL for pending authorizations (10 minutes) */
-    private readonly pendingTtlMs;
-    /** Default TTL for refresh tokens (30 days) */
-    private readonly refreshTtlMs;
-    generateCode(): string;
-    generateRefreshToken(): string;
-    storeAuthorizationCode(record: AuthorizationCodeRecord): Promise<void>;
-    getAuthorizationCode(code: string): Promise<AuthorizationCodeRecord | null>;
-    markCodeUsed(code: string): Promise<void>;
-    deleteAuthorizationCode(code: string): Promise<void>;
-    storePendingAuthorization(record: PendingAuthorizationRecord): Promise<void>;
-    getPendingAuthorization(id: string): Promise<PendingAuthorizationRecord | null>;
-    deletePendingAuthorization(id: string): Promise<void>;
-    storeRefreshToken(record: RefreshTokenRecord): Promise<void>;
-    getRefreshToken(token: string): Promise<RefreshTokenRecord | null>;
-    revokeRefreshToken(token: string): Promise<void>;
-    rotateRefreshToken(oldToken: string, newRecord: RefreshTokenRecord): Promise<void>;
-    cleanup(): Promise<void>;
-    /**
-     * Create an authorization code record with defaults
-     */
-    createCodeRecord(params: {
-        clientId: string;
-        redirectUri: string;
-        scopes: string[];
-        pkce: PkceChallenge;
-        userSub: string;
-        userEmail?: string;
-        userName?: string;
-        state?: string;
-        resource?: string;
-        selectedToolIds?: string[];
-        selectedProviderIds?: string[];
-        skippedProviderIds?: string[];
-        consentEnabled?: boolean;
-        federatedLoginUsed?: boolean;
-    }): AuthorizationCodeRecord;
-    /**
-     * Create a pending authorization record with defaults
-     */
-    createPendingRecord(params: {
-        clientId: string;
-        redirectUri: string;
-        scopes: string[];
-        pkce: PkceChallenge;
-        state?: string;
-        resource?: string;
-        isIncremental?: boolean;
-        targetAppId?: string;
-        targetToolId?: string;
-        existingSessionId?: string;
-        existingAuthorizationId?: string;
-        federatedLogin?: FederatedLoginStateRecord;
-        consent?: ConsentStateRecord;
-    }): PendingAuthorizationRecord;
-    /**
-     * Create a refresh token record with defaults
-     */
-    createRefreshTokenRecord(params: {
-        clientId: string;
-        userSub: string;
-        scopes: string[];
-        resource?: string;
-    }): RefreshTokenRecord;
-}
-/**
- * Redis Authorization Store (placeholder)
- *
- * Production implementation using Redis for distributed storage.
- * TODO: Implement after in-memory store is validated.
- */
-export declare class RedisAuthorizationStore implements AuthorizationStore {
-    private readonly redis;
-    private readonly namespace;
-    constructor(redis: any, namespace?: string);
-    private key;
-    generateCode(): string;
-    generateRefreshToken(): string;
-    storeAuthorizationCode(record: AuthorizationCodeRecord): Promise<void>;
-    getAuthorizationCode(code: string): Promise<AuthorizationCodeRecord | null>;
-    markCodeUsed(code: string): Promise<void>;
-    deleteAuthorizationCode(code: string): Promise<void>;
-    storePendingAuthorization(record: PendingAuthorizationRecord): Promise<void>;
-    getPendingAuthorization(id: string): Promise<PendingAuthorizationRecord | null>;
-    deletePendingAuthorization(id: string): Promise<void>;
-    storeRefreshToken(record: RefreshTokenRecord): Promise<void>;
-    getRefreshToken(token: string): Promise<RefreshTokenRecord | null>;
-    revokeRefreshToken(token: string): Promise<void>;
-    rotateRefreshToken(oldToken: string, newRecord: RefreshTokenRecord): Promise<void>;
-    cleanup(): Promise<void>;
-}
-//# sourceMappingURL=authorization.store.d.ts.map

package/auth/session/authorization.store.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"authorization.store.d.ts","sourceRoot":"","sources":["../../../src/auth/session/authorization.store.ts"],"names":[],"mappings":"AACA;;;;;GAKG;AAGH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,iCAAiC;IACjC,SAAS,EAAE,MAAM,CAAC;IAClB,kCAAkC;IAClC,MAAM,EAAE,MAAM,CAAC;CAChB;AAED;;GAEG;AACH,MAAM,WAAW,uBAAuB;IACtC,6CAA6C;IAC7C,IAAI,EAAE,MAAM,CAAC;IACb,6CAA6C;IAC7C,QAAQ,EAAE,MAAM,CAAC;IACjB,qDAAqD;IACrD,WAAW,EAAE,MAAM,CAAC;IACpB,uBAAuB;IACvB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,sCAAsC;IACtC,IAAI,EAAE,aAAa,CAAC;IACpB,kCAAkC;IAClC,OAAO,EAAE,MAAM,CAAC;IAChB,8BAA8B;IAC9B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,6BAA6B;IAC7B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,+BAA+B;IAC/B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,oCAAoC;IACpC,SAAS,EAAE,MAAM,CAAC;IAClB,4EAA4E;IAC5E,SAAS,EAAE,MAAM,CAAC;IAClB,mDAAmD;IACnD,IAAI,EAAE,OAAO,CAAC;IACd,qDAAqD;IACrD,QAAQ,CAAC,EAAE,MAAM,CAAC;IAGlB,0CAA0C;IAC1C,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAC3B,iDAAiD;IACjD,mBAAmB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC/B,uEAAuE;IACvE,kBAAkB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC9B,yDAAyD;IACzD,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,uCAAuC;IACvC,kBAAkB,CAAC,EAAE,OAAO,CAAC;CAC9B;AAED;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,sCAAsC;IACtC,OAAO,EAAE,OAAO,CAAC;IACjB,qCAAqC;IACrC,gBAAgB,EAAE,MAAM,EAAE,CAAC;IAC3B,+CAA+C;IAC/C,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAC3B,yCAAyC;IACzC,gBAAgB,EAAE,OAAO,CAAC;IAC1B,2CAA2C;IAC3C,kBAAkB,CAAC,EAAE,MAAM,CAAC;CAC7B;AAED;;GAEG;AACH,MAAM,WAAW,yBAAyB;IACxC,6BAA6B;IAC7B,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,4BAA4B;IAC5B,mBAAmB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC/B,2BAA2B;IAC3B,kBAAkB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC9B,+CAA+C;IAC/C,gBAAgB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE;QAAE,KAAK,CAAC,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAC;QAAC,GAAG,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CACpF;AAED;;GAEG;AACH,MAAM,WAAW,0BAA0B;IACzC,+CAA+C;IAC/C,EAAE,EAAE,MAAM,CAAC;IACX,yCAAyC;IACzC,QAAQ,EAAE,MAAM,CAAC;IACjB,gCAAgC;IAChC,WAAW,EAAE,MAAM,CAAC;IACpB,uBAAuB;IACvB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,qBAAqB;IACrB,IAAI,EAAE,aAAa,CAAC;IACpB,2CAA2C;IAC3C,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,wBAAwB;IACxB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,yBAAyB;IACzB,SAAS,EAAE,MAAM,CAAC;IAClB,sEAAsE;IACtE,SAAS,EAAE,MAAM,CAAC;IAGlB,2DAA2D;IAC3D,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,kDAAkD;IAClD,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,yDAAyD;IACzD,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,2EAA2E;IAC3E,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,0CAA0C;IAC1C,uBAAuB,CAAC,EAAE,MAAM,CAAC;IAGjC,oDAAoD;IACpD,cAAc,CAAC,EAAE,yBAAyB,CAAC;IAG3C,uCAAuC;IACvC,OAAO,CAAC,EAAE,kBAAkB,CAAC;CAC9B;AAED;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,wCAAwC;IACxC,KAAK,EAAE,MAAM,CAAC;IACd,gBAAgB;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,sBAAsB;IACtB,OAAO,EAAE,MAAM,CAAC;IAChB,qBAAqB;IACrB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,wBAAwB;IACxB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,yBAAyB;IACzB,SAAS,EAAE,MAAM,CAAC;IAClB,2BAA2B;IAC3B,SAAS,EAAE,MAAM,CAAC;IAClB,0CAA0C;IAC1C,OAAO,EAAE,OAAO,CAAC;IACjB,gCAAgC;IAChC,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB;AAED;;GAEG;AACH,eAAO,MAAM,mBAAmB;;;iBAG9B,CAAC;AAEH,eAAO,MAAM,6BAA6B;;;;;;;;;;;;;;;;;iBAcxC,CAAC;AAEH;;GAEG;AACH,MAAM,WAAW,kBAAkB;IAEjC,sBAAsB,CAAC,MAAM,EAAE,uBAAuB,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACvE,oBAAoB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,uBAAuB,GAAG,IAAI,CAAC,CAAC;IAC5E,YAAY,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC1C,uBAAuB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAGrD,yBAAyB,CAAC,MAAM,EAAE,0BAA0B,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC7E,uBAAuB,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,0BAA0B,GAAG,IAAI,CAAC,CAAC;IAChF,0BAA0B,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAGtD,iBAAiB,CAAC,MAAM,EAAE,kBAAkB,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC7D,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC,CAAC;IACnE,kBAAkB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACjD,kBAAkB,CAAC,QAAQ,EAAE,MAAM,EAAE,SAAS,EAAE,kBAAkB,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAGnF,YAAY,IAAI,MAAM,CAAC;IACvB,oBAAoB,IAAI,MAAM,CAAC;IAC/B,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;CAC1B;AAED;;GAEG;AACH,wBAAgB,UAAU,CAAC,YAAY,EAAE,MAAM,EAAE,SAAS,EAAE,aAAa,GAAG,OAAO,CAQlF;AAED,wBAAgB,qBAAqB,CAAC,YAAY,EAAE,MAAM,GAAG,aAAa,CAGzE;AAED;;;;;GAKG;AACH,qBAAa,0BAA2B,YAAW,kBAAkB;IACnE,OAAO,CAAC,KAAK,CAA8C;IAC3D,OAAO,CAAC,OAAO,CAAiD;IAChE,OAAO,CAAC,aAAa,CAAyC;IAE9D,uDAAuD;IACvD,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAa;IACvC,0DAA0D;IAC1D,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAkB;IAC/C,+CAA+C;IAC/C,OAAO,CAAC,QAAQ,CAAC,YAAY,CAA4B;IAEzD,YAAY,IAAI,MAAM;IAKtB,oBAAoB,IAAI,MAAM;IAIxB,sBAAsB,CAAC,MAAM,EAAE,uBAAuB,GAAG,OAAO,CAAC,IAAI,CAAC;IAItE,oBAAoB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,uBAAuB,GAAG,IAAI,CAAC;IAa3E,YAAY,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAOzC,uBAAuB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAIpD,yBAAyB,CAAC,MAAM,EAAE,0BAA0B,GAAG,OAAO,CAAC,IAAI,CAAC;IAI5E,uBAAuB,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,0BAA0B,GAAG,IAAI,CAAC;IAa/E,0BAA0B,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAIrD,iBAAiB,CAAC,MAAM,EAAE,kBAAkB,GAAG,OAAO,CAAC,IAAI,CAAC;IAI5D,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC;IAYlE,kBAAkB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAOhD,kBAAkB,CAAC,QAAQ,EAAE,MAAM,EAAE,SAAS,EAAE,kBAAkB,GAAG,OAAO,CAAC,IAAI,CAAC;IASlF,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC;IAyB9B;;OAEG;IACH,gBAAgB,CAAC,MAAM,EAAE;QACvB,QAAQ,EAAE,MAAM,CAAC;QACjB,WAAW,EAAE,MAAM,CAAC;QACpB,MAAM,EAAE,MAAM,EAAE,CAAC;QACjB,IAAI,EAAE,aAAa,CAAC;QACpB,OAAO,EAAE,MAAM,CAAC;QAChB,SAAS,CAAC,EAAE,MAAM,CAAC;QACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,QAAQ,CAAC,EAAE,MAAM,CAAC;QAElB,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;QAC3B,mBAAmB,CAAC,EAAE,MAAM,EAAE,CAAC;QAC/B,kBAAkB,CAAC,EAAE,MAAM,EAAE,CAAC;QAC9B,cAAc,CAAC,EAAE,OAAO,CAAC;QACzB,kBAAkB,CAAC,EAAE,OAAO,CAAC;KAC9B,GAAG,uBAAuB;IAyB3B;;OAEG;IACH,mBAAmB,CAAC,MAAM,EAAE;QAC1B,QAAQ,EAAE,MAAM,CAAC;QACjB,WAAW,EAAE,MAAM,CAAC;QACpB,MAAM,EAAE,MAAM,EAAE,CAAC;QACjB,IAAI,EAAE,aAAa,CAAC;QACpB,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,QAAQ,CAAC,EAAE,MAAM,CAAC;QAElB,aAAa,CAAC,EAAE,OAAO,CAAC;QACxB,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,YAAY,CAAC,EAAE,MAAM,CAAC;QACtB,iBAAiB,CAAC,EAAE,MAAM,CAAC;QAC3B,uBAAuB,CAAC,EAAE,MAAM,CAAC;QAEjC,cAAc,CAAC,EAAE,yBAAyB,CAAC;QAE3C,OAAO,CAAC,EAAE,kBAAkB,CAAC;KAC9B,GAAG,0BAA0B;IAyB9B;;OAEG;IACH,wBAAwB,CAAC,MAAM,EAAE;QAC/B,QAAQ,EAAE,MAAM,CAAC;QACjB,OAAO,EAAE,MAAM,CAAC;QAChB,MAAM,EAAE,MAAM,EAAE,CAAC;QACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;KACnB,GAAG,kBAAkB;CAavB;AAED;;;;;GAKG;AACH,qBAAa,uBAAwB,YAAW,kBAAkB;IAG9D,OAAO,CAAC,QAAQ,CAAC,KAAK;IACtB,OAAO,CAAC,QAAQ,CAAC,SAAS;gBADT,KAAK,EAAE,GAAG,EACV,SAAS,SAAW;IAGvC,OAAO,CAAC,GAAG;IAIX,YAAY,IAAI,MAAM;IAItB,oBAAoB,IAAI,MAAM;IAIxB,sBAAsB,CAAC,MAAM,EAAE,uBAAuB,GAAG,OAAO,CAAC,IAAI,CAAC;IAKtE,oBAAoB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,uBAAuB,GAAG,IAAI,CAAC;IAM3E,YAAY,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IASzC,uBAAuB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAIpD,yBAAyB,CAAC,MAAM,EAAE,0BAA0B,GAAG,OAAO,CAAC,IAAI,CAAC;IAK5E,uBAAuB,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,0BAA0B,GAAG,IAAI,CAAC;IAM/E,0BAA0B,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAIrD,iBAAiB,CAAC,MAAM,EAAE,kBAAkB,GAAG,OAAO,CAAC,IAAI,CAAC;IAK5D,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC;IAQlE,kBAAkB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAShD,kBAAkB,CAAC,QAAQ,EAAE,MAAM,EAAE,SAAS,EAAE,kBAAkB,GAAG,OAAO,CAAC,IAAI,CAAC;IAMlF,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC;CAG/B"}

package/auth/session/record/session.stateful.d.ts

@@ -1,21 +0,0 @@
-import { Session, type BaseCreateCtx } from './session.base';
-export type StatefulCreateCtx = BaseCreateCtx & {};
-/**
- * Represents a **stateful session** stored server-side (e.g., Redis).
- * Nested OAuth tokens are never exposed in the JWT; instead, they are
- * encrypted and persisted in Redis under a session key. The client only
- * receives a lightweight reference to that key.
- *
- * Advantages:
- * - Smaller JWT payloads and reduced token leakage risk.
- * - Can refresh nested provider tokens on the fly without requiring
- *   the user to re-authorize.
- * - Well suited for multi-app setups with short-lived OAuth tokens.
- */
-export declare class StatefulSession extends Session {
-    #private;
-    readonly mode = "stateful";
-    constructor(ctx: StatefulCreateCtx);
-    getToken(providerId?: string): Promise<string> | string;
-}
-//# sourceMappingURL=session.stateful.d.ts.map

package/auth/session/record/session.stateful.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"session.stateful.d.ts","sourceRoot":"","sources":["../../../../src/auth/session/record/session.stateful.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,KAAK,aAAa,EAAE,MAAM,gBAAgB,CAAC;AAK7D,MAAM,MAAM,iBAAiB,GAAG,aAAa,GAAG,EAAE,CAAC;AAEnD;;;;;;;;;;;GAWG;AACH,qBAAa,eAAgB,SAAQ,OAAO;;IAC1C,QAAQ,CAAC,IAAI,cAAc;gBA8Bf,GAAG,EAAE,iBAAiB;IAKzB,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,GAAG,MAAM;CAoCjE"}

package/auth/session/record/session.stateless.d.ts

@@ -1,18 +0,0 @@
-import { Session, type BaseCreateCtx } from './session.base';
-export type StatefulCreateCtx = BaseCreateCtx & Record<string, never>;
-/**
- * Represents a **stateful session (non-refreshable)** where nested OAuth
- * tokens cannot be refreshed server-side. When a nested provider token
- * expires, the user must re-authorize to obtain new credentials.
- *
- * Notes:
- * - Simpler flow, but degrades UX when tokens are short-lived.
- * - Prefer the refreshable stateful session for multi-app environments.
- */
-export declare class StatelessSession extends Session {
-    #private;
-    readonly mode = "stateless";
-    constructor(ctx: StatefulCreateCtx);
-    getToken(_providerId?: string): Promise<string> | string;
-}
-//# sourceMappingURL=session.stateless.d.ts.map

package/auth/session/record/session.stateless.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"session.stateless.d.ts","sourceRoot":"","sources":["../../../../src/auth/session/record/session.stateless.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,KAAK,aAAa,EAAE,MAAM,gBAAgB,CAAC;AAI7D,MAAM,MAAM,iBAAiB,GAAG,aAAa,GAAG,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;AAEtE;;;;;;;;GAQG;AACH,qBAAa,gBAAiB,SAAQ,OAAO;;IAC3C,QAAQ,CAAC,IAAI,eAAe;gBAOhB,GAAG,EAAE,iBAAiB;IAIzB,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,GAAG,MAAM;CAGlE"}

package/auth/session/record/session.transparent.d.ts

@@ -1,18 +0,0 @@
-import { BaseCreateCtx, Session } from './session.base';
-interface TransparentCreateCtx extends BaseCreateCtx {
-    apps: string[];
-}
-/**
- * Represents a transparent (Non-Orchestrated) session where delivered by authorization server.
- * The session cannot have nest auth providers.
- * The session cannot be refreshed.
- * The session cannot be revoked.
- * Useful for OAuth flows where the authorization server delivers the session.
- */
-export declare class TransparentSession extends Session {
-    readonly mode = "transparent";
-    constructor(ctx: TransparentCreateCtx);
-    getToken(): Promise<string> | string;
-}
-export {};
-//# sourceMappingURL=session.transparent.d.ts.map

package/auth/session/record/session.transparent.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"session.transparent.d.ts","sourceRoot":"","sources":["../../../../src/auth/session/record/session.transparent.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,OAAO,EAAE,MAAM,gBAAgB,CAAC;AAExD,UAAU,oBAAqB,SAAQ,aAAa;IAClD,IAAI,EAAE,MAAM,EAAE,CAAC;CAChB;AAED;;;;;;GAMG;AACH,qBAAa,kBAAmB,SAAQ,OAAO;IAC7C,QAAQ,CAAC,IAAI,iBAAiB;gBAClB,GAAG,EAAE,oBAAoB;IAI5B,QAAQ,IAAI,OAAO,CAAC,MAAM,CAAC,GAAG,MAAM;CAG9C"}

package/auth/session/session.crypto.d.ts

@@ -1,8 +0,0 @@
-import type { EncBlob } from './session.types';
-/** Encrypt UTF-8 text using AES-256-GCM. Returns base64url fields. */
-export declare function encryptAesGcm(key: Buffer, plaintext: string): EncBlob;
-/** Decrypt an AES-256-GCM blob (base64url fields) to UTF-8 text. */
-export declare function decryptAesGcm(key: Buffer, blob: EncBlob): string;
-/** HKDF-SHA256 (RFC 5869) to derive key material. */
-export declare function hkdfSha256(ikm: Buffer, salt: Buffer, info: Buffer, length: number): Buffer;
-//# sourceMappingURL=session.crypto.d.ts.map

package/auth/session/session.crypto.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"session.crypto.d.ts","sourceRoot":"","sources":["../../../src/auth/session/session.crypto.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,iBAAiB,CAAC;AAE/C,sEAAsE;AACtE,wBAAgB,aAAa,CAAC,GAAG,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAWrE;AAED,oEAAoE;AACpE,wBAAgB,aAAa,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,GAAG,MAAM,CAQhE;AAED,qDAAqD;AACrD,wBAAgB,UAAU,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,MAAM,CAa1F"}

package/auth/session/session.schema.d.ts

@@ -1,6 +0,0 @@
-import { z } from 'zod';
-import { TransparentSession } from './record/session.transparent';
-import { StatefulSession } from './record/session.stateful';
-import { StatelessSession } from './record/session.stateless';
-export declare const SessionSchema: z.ZodUnion<readonly [z.ZodCustom<TransparentSession, TransparentSession>, z.ZodCustom<StatefulSession, StatefulSession>, z.ZodCustom<StatelessSession, StatelessSession>]>;
-//# sourceMappingURL=session.schema.d.ts.map

package/auth/session/session.schema.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"session.schema.d.ts","sourceRoot":"","sources":["../../../src/auth/session/session.schema.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,kBAAkB,EAAE,MAAM,8BAA8B,CAAC;AAClE,OAAO,EAAE,eAAe,EAAE,MAAM,2BAA2B,CAAC;AAC5D,OAAO,EAAE,gBAAgB,EAAE,MAAM,4BAA4B,CAAC;AAE9D,eAAO,MAAM,aAAa,4KAIxB,CAAC"}

package/auth/session/token.store.d.ts

@@ -1,36 +0,0 @@
-import type { EncBlob } from './token.vault';
-export type SecretRecord = {
-    id: string;
-    blob: EncBlob;
-    updatedAt: number;
-};
-export interface TokenStore {
-    /** Create or overwrite a blob under a stable id. */
-    put(id: string, blob: EncBlob): Promise<void>;
-    /** Fetch encrypted blob by id. */
-    get(id: string): Promise<SecretRecord | undefined>;
-    /** Delete a reference. */
-    del(id: string): Promise<void>;
-    /** Allocate a new id (opaque). */
-    allocId(): string;
-}
-/** In-memory reference store (dev/test). */
-export declare class MemoryTokenStore implements TokenStore {
-    private m;
-    allocId(): string;
-    put(id: string, blob: EncBlob): Promise<void>;
-    get(id: string): Promise<SecretRecord | undefined>;
-    del(id: string): Promise<void>;
-}
-/** Redis (sketch) — replace `any` with your redis client type. */
-export declare class RedisTokenStore implements TokenStore {
-    private readonly redis;
-    private readonly ns;
-    constructor(redis: any, ns?: string);
-    allocId(): string;
-    key(id: string): string;
-    put(id: string, blob: EncBlob): Promise<void>;
-    get(id: string): Promise<SecretRecord | undefined>;
-    del(id: string): Promise<void>;
-}
-//# sourceMappingURL=token.store.d.ts.map

package/auth/session/token.store.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"token.store.d.ts","sourceRoot":"","sources":["../../../src/auth/session/token.store.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,eAAe,CAAC;AAE7C,MAAM,MAAM,YAAY,GAAG;IACzB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,OAAO,CAAC;IACd,SAAS,EAAE,MAAM,CAAC;CACnB,CAAC;AAEF,MAAM,WAAW,UAAU;IACzB,oDAAoD;IACpD,GAAG,CAAC,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC9C,kCAAkC;IAClC,GAAG,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,GAAG,SAAS,CAAC,CAAC;IACnD,0BAA0B;IAC1B,GAAG,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC/B,kCAAkC;IAClC,OAAO,IAAI,MAAM,CAAC;CACnB;AAED,4CAA4C;AAC5C,qBAAa,gBAAiB,YAAW,UAAU;IACjD,OAAO,CAAC,CAAC,CAAmC;IAC5C,OAAO;IAGD,GAAG,CAAC,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO;IAG7B,GAAG,CAAC,EAAE,EAAE,MAAM;IAGd,GAAG,CAAC,EAAE,EAAE,MAAM;CAGrB;AAED,kEAAkE;AAClE,qBAAa,eAAgB,YAAW,UAAU;IACpC,OAAO,CAAC,QAAQ,CAAC,KAAK;IAAO,OAAO,CAAC,QAAQ,CAAC,EAAE;gBAA/B,KAAK,EAAE,GAAG,EAAmB,EAAE,SAAS;IACrE,OAAO;IAGP,GAAG,CAAC,EAAE,EAAE,MAAM;IAIR,GAAG,CAAC,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO;IAM7B,GAAG,CAAC,EAAE,EAAE,MAAM;IAMd,GAAG,CAAC,EAAE,EAAE,MAAM;CAGrB"}

package/auth/session/token.vault.d.ts

@@ -1,27 +0,0 @@
-export type EncBlob = {
-    alg: 'A256GCM';
-    kid: string;
-    iv: string;
-    tag: string;
-    data: string;
-    exp?: number;
-    meta?: Record<string, unknown>;
-};
-export type VaultKey = {
-    kid: string;
-    key: Buffer;
-};
-export declare class TokenVault {
-    /** Active key used for new encryptions */
-    private active;
-    /** All known keys by kid for decryption (includes active) */
-    private keys;
-    constructor(keys: VaultKey[]);
-    rotateTo(k: VaultKey): void;
-    encrypt(plaintext: string, opts?: {
-        exp?: number;
-        meta?: Record<string, unknown>;
-    }): EncBlob;
-    decrypt(blob: EncBlob): string;
-}
-//# sourceMappingURL=token.vault.d.ts.map

package/auth/session/token.vault.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"token.vault.d.ts","sourceRoot":"","sources":["../../../src/auth/session/token.vault.ts"],"names":[],"mappings":"AAGA,MAAM,MAAM,OAAO,GAAG;IACpB,GAAG,EAAE,SAAS,CAAC;IACf,GAAG,EAAE,MAAM,CAAC;IACZ,EAAE,EAAE,MAAM,CAAC;IACX,GAAG,EAAE,MAAM,CAAC;IACZ,IAAI,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAChC,CAAC;AAEF,MAAM,MAAM,QAAQ,GAAG;IAAE,GAAG,EAAE,MAAM,CAAC;IAAC,GAAG,EAAE,MAAM,CAAA;CAAE,CAAC;AAEpD,qBAAa,UAAU;IACrB,0CAA0C;IAC1C,OAAO,CAAC,MAAM,CAAW;IACzB,6DAA6D;IAC7D,OAAO,CAAC,IAAI,CAA6B;gBAE7B,IAAI,EAAE,QAAQ,EAAE;IAS5B,QAAQ,CAAC,CAAC,EAAE,QAAQ;IAKpB,OAAO,CAAC,SAAS,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE;QAAE,GAAG,CAAC,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;KAAE,GAAG,OAAO;IAgB5F,OAAO,CAAC,IAAI,EAAE,OAAO,GAAG,MAAM;CAW/B"}