@frontmcp/sdk 0.7.2 → 0.8.1

package/auth/session/orchestrated-token.store.d.ts

@@ -0,0 +1,155 @@
+/**
+ * Orchestrated Token Store
+ *
+ * Token store implementations for OrchestratedAuthorization.
+ * These stores manage upstream provider tokens (access + refresh) indexed
+ * by authorization ID and provider ID.
+ *
+ * Key differences from the low-level TokenStore in @frontmcp/auth:
+ * - Uses composite keys (authorizationId + providerId)
+ * - Handles access/refresh tokens as separate entries
+ * - Returns decrypted strings directly (encryption is handled internally)
+ */
+import { TokenStore } from '../authorization/orchestrated.authorization';
+/**
+ * Options for InMemoryOrchestratedTokenStore
+ */
+export interface InMemoryOrchestratedTokenStoreOptions {
+    /**
+     * Encryption key for token storage. If not provided, tokens are stored in plain text.
+     * For production, always provide an encryption key.
+     */
+    encryptionKey?: Uint8Array;
+    /**
+     * Default TTL in milliseconds for token records.
+     * If not set and token has no expiresAt, records persist until explicitly deleted.
+     * @default undefined (no automatic expiration)
+     */
+    defaultTtlMs?: number;
+    /**
+     * Interval for cleanup of expired tokens (ms).
+     * @default 60000 (1 minute)
+     */
+    cleanupIntervalMs?: number;
+}
+/**
+ * In-Memory Orchestrated Token Store
+ *
+ * Development/testing implementation for storing upstream provider tokens.
+ * Supports optional encryption for tokens at rest.
+ *
+ * For production, use a persistent store backed by Redis or similar.
+ *
+ * @example
+ * ```typescript
+ * import { InMemoryOrchestratedTokenStore } from '@frontmcp/sdk';
+ *
+ * // Without encryption (dev only)
+ * const store = new InMemoryOrchestratedTokenStore();
+ *
+ * // With encryption (recommended)
+ * const key = randomBytes(32);
+ * const store = new InMemoryOrchestratedTokenStore({ encryptionKey: key });
+ *
+ * // Store tokens
+ * await store.storeTokens('auth-123', 'github', {
+ *   accessToken: 'gho_xxxx',
+ *   refreshToken: 'ghr_yyyy',
+ *   expiresAt: Date.now() + 3600000,
+ * });
+ *
+ * // Retrieve tokens
+ * const accessToken = await store.getAccessToken('auth-123', 'github');
+ * ```
+ */
+export declare class InMemoryOrchestratedTokenStore implements TokenStore {
+    /** Token storage: Map<compositeKey, ProviderTokenRecord> */
+    private readonly tokens;
+    /** Encryption key for secure storage */
+    private readonly encryptionKey?;
+    /** Derived keys cache for HKDF */
+    private readonly derivedKeys;
+    /** Cleanup interval timer */
+    private cleanupTimer?;
+    /** Default TTL for records */
+    private readonly defaultTtlMs?;
+    constructor(options?: InMemoryOrchestratedTokenStoreOptions);
+    /**
+     * Build composite key from authorizationId and providerId
+     */
+    private buildKey;
+    /**
+     * Derive encryption key for a specific composite key using HKDF
+     */
+    private deriveKeyForRecord;
+    /**
+     * Encrypt a token record
+     */
+    private encryptRecord;
+    /**
+     * Decrypt a token record
+     */
+    private decryptRecord;
+    /**
+     * Get raw record (handles encryption if enabled)
+     */
+    private getRecord;
+    /**
+     * Retrieve decrypted access token for a provider
+     */
+    getAccessToken(authorizationId: string, providerId: string): Promise<string | null>;
+    /**
+     * Retrieve decrypted refresh token for a provider
+     */
+    getRefreshToken(authorizationId: string, providerId: string): Promise<string | null>;
+    /**
+     * Store tokens for a provider
+     */
+    storeTokens(authorizationId: string, providerId: string, tokens: {
+        accessToken: string;
+        refreshToken?: string;
+        expiresAt?: number;
+    }): Promise<void>;
+    /**
+     * Delete tokens for a provider
+     */
+    deleteTokens(authorizationId: string, providerId: string): Promise<void>;
+    /**
+     * Check if tokens exist for a provider
+     */
+    hasTokens(authorizationId: string, providerId: string): Promise<boolean>;
+    /**
+     * Delete all tokens for an authorization
+     */
+    deleteAllForAuthorization(authorizationId: string): Promise<void>;
+    /**
+     * Get all provider IDs for an authorization
+     */
+    getProviderIds(authorizationId: string): Promise<string[]>;
+    /**
+     * Clean up expired tokens
+     */
+    cleanup(): Promise<void>;
+    /**
+     * Stop the cleanup timer
+     */
+    dispose(): void;
+    /**
+     * Get total number of stored token records (for testing/monitoring)
+     */
+    get size(): number;
+    /**
+     * Clear all tokens (for testing)
+     */
+    clear(): void;
+    /**
+     * Migrate tokens from one authorization ID to another.
+     * Used when tokens are stored with a pending ID during federated auth
+     * and need to be accessible under the real authorization ID.
+     *
+     * @param fromAuthId - Source authorization ID (e.g., "pending:abc123")
+     * @param toAuthId - Target authorization ID (e.g., "def456")
+     */
+    migrateTokens(fromAuthId: string, toAuthId: string): Promise<void>;
+}
+//# sourceMappingURL=orchestrated-token.store.d.ts.map

package/auth/session/orchestrated-token.store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"orchestrated-token.store.d.ts","sourceRoot":"","sources":["../../../src/auth/session/orchestrated-token.store.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,6CAA6C,CAAC;AAczE;;GAEG;AACH,MAAM,WAAW,qCAAqC;IACpD;;;OAGG;IACH,aAAa,CAAC,EAAE,UAAU,CAAC;IAE3B;;;;OAIG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;IAEtB;;;OAGG;IACH,iBAAiB,CAAC,EAAE,MAAM,CAAC;CAC5B;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AACH,qBAAa,8BAA+B,YAAW,UAAU;IAC/D,4DAA4D;IAC5D,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAmD;IAE1E,wCAAwC;IACxC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAa;IAE5C,kCAAkC;IAClC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAiC;IAE7D,6BAA6B;IAC7B,OAAO,CAAC,YAAY,CAAC,CAAiC;IAEtD,8BAA8B;IAC9B,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAS;gBAE3B,OAAO,GAAE,qCAA0C;IAgB/D;;OAEG;IACH,OAAO,CAAC,QAAQ;IAIhB;;OAEG;YACW,kBAAkB;IAqBhC;;OAEG;YACW,aAAa;IAe3B;;OAEG;YACW,aAAa;IAa3B;;OAEG;YACW,SAAS;IAqCvB;;OAEG;IACG,cAAc,CAAC,eAAe,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAKzF;;OAEG;IACG,eAAe,CAAC,eAAe,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAK1F;;OAEG;IACG,WAAW,CACf,eAAe,EAAE,MAAM,EACvB,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE;QACN,WAAW,EAAE,MAAM,CAAC;QACpB,YAAY,CAAC,EAAE,MAAM,CAAC;QACtB,SAAS,CAAC,EAAE,MAAM,CAAC;KACpB,GACA,OAAO,CAAC,IAAI,CAAC;IAsBhB;;OAEG;IACG,YAAY,CAAC,eAAe,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAM9E;;OAEG;IACG,SAAS,CAAC,eAAe,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAK9E;;OAEG;IACG,yBAAyB,CAAC,eAAe,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAUvE;;OAEG;IACG,cAAc,CAAC,eAAe,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;IAkBhE;;OAEG;IACG,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC;IAgC9B;;OAEG;IACH,OAAO,IAAI,IAAI;IAOf;;OAEG;IACH,IAAI,IAAI,IAAI,MAAM,CAEjB;IAED;;OAEG;IACH,KAAK,IAAI,IAAI;IAKb;;;;;;;OAOG;IACG,aAAa,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CA0CzE"}

package/auth/session/record/session.base.d.ts

@@ -20,12 +20,12 @@ export interface BaseCreateCtx {
     scopes?: string[];
     authorizedTools?: Record<string, {
         executionPath: [string, string];
-        details?: Record<string, any>;
+        details?: Record<string, unknown>;
     }>;
     authorizedToolIds?: string[];
     authorizedPrompts?: Record<string, {
         executionPath: [string, string];
-        details?: Record<string, any>;
+        details?: Record<string, unknown>;
     }>;
     authorizedPromptIds?: string[];
 }
@@ -36,7 +36,7 @@ export interface SessionUser {
     picture?: string;
 }
 export interface SessionClaims {
-    [key: string]: any;
+    [key: string]: unknown;
 }
 export declare abstract class Session {
     #private;
@@ -59,12 +59,12 @@ export declare abstract class Session {
     readonly scopes?: string[];
     readonly authorizedTools?: Record<string, {
         executionPath: [string, string];
-        details?: Record<string, any>;
+        details?: Record<string, unknown>;
     }>;
     readonly authorizedToolIds?: string[];
     readonly authorizedPrompts?: Record<string, {
         executionPath: [string, string];
-        details?: Record<string, any>;
+        details?: Record<string, unknown>;
     }>;
     readonly authorizedPromptIds?: string[];
     protected token: string;
@@ -91,7 +91,7 @@ export declare class SessionView {
     private readonly allow;
     constructor(parent: Session, allow: (id: string) => boolean);
     get id(): string;
-    get mode(): SessionMode;
+    get mode(): "mcp";
     get user(): SessionUser;
     get claims(): Record<string, unknown> | undefined;
     get authorizedApps(): Record<string, {
@@ -99,6 +99,6 @@ export declare class SessionView {
         toolIds: string[];
     }>;
     getToken(providerId: string): Promise<string>;
-    get transportId(): () => Promise<string>;
+    getTransportSessionId(): Promise<string>;
 }
 //# sourceMappingURL=session.base.d.ts.map

package/auth/session/record/session.base.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"session.base.d.ts","sourceRoot":"","sources":["../../../../src/auth/session/record/session.base.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,gBAAgB,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAGtE,OAAO,EAAE,KAAK,EAAE,MAAM,gBAAgB,CAAC;AAEvC,MAAM,WAAW,aAAa;IAC5B,EAAE,EAAE,MAAM,CAAC;IACX,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,KAAK,EAAE,KAAK,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,WAAW,CAAC;IAClB,MAAM,CAAC,EAAE,aAAa,CAAC;IACvB,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB,mBAAmB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,gBAAgB,CAAC,CAAC;IACvD,qBAAqB,CAAC,EAAE,MAAM,EAAE,CAAC;IACjC,cAAc,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC,CAAC;IACnE,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC5B,mBAAmB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC/B,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAElB,eAAe,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE;QAAE,aAAa,EAAE,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAA;KAAE,CAAC,CAAC;IACrG,iBAAiB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC7B,iBAAiB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE;QAAE,aAAa,EAAE,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAA;KAAE,CAAC,CAAC;IACvG,mBAAmB,CAAC,EAAE,MAAM,EAAE,CAAC;CAChC;AAGD,MAAM,WAAW,WAAW;IAC1B,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAGD,MAAM,WAAW,aAAa;IAC5B,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,CAAC;CACpB;AAED,8BAAsB,OAAO;;IAE3B,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,QAAQ,CAAC,IAAI,EAAE,WAAW,CAAC;IACpC,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,IAAI,EAAE,WAAW,CAAC;IAC3B,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC1C,iEAAiE;IACjE,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;IAE5B,QAAQ,CAAC,mBAAmB,EAAE,MAAM,CAAC,MAAM,EAAE,gBAAgB,CAAC,CAAC;IAC/D,QAAQ,CAAC,qBAAqB,EAAE,MAAM,EAAE,CAAC;IACzC,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAC,MAAM,EAAE;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC,CAAC;IAC3E,QAAQ,CAAC,gBAAgB,EAAE,MAAM,EAAE,CAAC;IACpC,QAAQ,CAAC,mBAAmB,EAAE,MAAM,EAAE,CAAC;IACvC,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAC3B,QAAQ,CAAC,eAAe,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE;QAAE,aAAa,EAAE,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAA;KAAE,CAAC,CAAC;IAC9G,QAAQ,CAAC,iBAAiB,CAAC,EAAE,MAAM,EAAE,CAAC;IACtC,QAAQ,CAAC,iBAAiB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE;QAAE,aAAa,EAAE,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAA;KAAE,CAAC,CAAC;IAChH,QAAQ,CAAC,mBAAmB,CAAC,EAAE,MAAM,EAAE,CAAC;IAKxC,SAAS,CAAC,KAAK,EAAE,MAAM,CAAC;IAIxB,SAAS,aAAa,GAAG,EAAE,aAAa;IA4BxC;;;;OAIG;IACH,SAAS,KAAK,KAAK,IAAI,KAAK,CAE3B;IAGD,IAAI,MAAM,IAAI,MAAM,CAEnB;IAEK,qBAAqB,IAAI,OAAO,CAAC,MAAM,CAAC;IAa9C;;;;;OAKG;IACH,QAAQ,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,GAAG,MAAM;IAGhE,MAAM,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,EAAE,GAAG,CAAC,CAAC,EAAE,EAAE,MAAM,KAAK,OAAO,CAAC;CAS9D;AAED,qBAAa,WAAW;IACV,OAAO,CAAC,QAAQ,CAAC,MAAM;IAAW,OAAO,CAAC,QAAQ,CAAC,KAAK;gBAAvC,MAAM,EAAE,OAAO,EAAmB,KAAK,EAAE,CAAC,EAAE,EAAE,MAAM,KAAK,OAAO;IAE7F,IAAI,EAAE,WAEL;IACD,IAAI,IAAI,gBAEP;IACD,IAAI,IAAI,gBAEP;IACD,IAAI,MAAM,wCAET;IACD,IAAI,cAAc;YA1G4B,MAAM;iBAAW,MAAM,EAAE;OA4GtE;IAEK,QAAQ,CAAC,UAAU,EAAE,MAAM;IAIjC,IAAI,WAAW,UAxDgB,OAAO,CAAC,MAAM,CAAC,CA0D7C;CACF"}
+{"version":3,"file":"session.base.d.ts","sourceRoot":"","sources":["../../../../src/auth/session/record/session.base.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,gBAAgB,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAEtE,OAAO,EAAE,KAAK,EAAE,MAAM,gBAAgB,CAAC;AAEvC,MAAM,WAAW,aAAa;IAC5B,EAAE,EAAE,MAAM,CAAC;IACX,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,KAAK,EAAE,KAAK,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,WAAW,CAAC;IAClB,MAAM,CAAC,EAAE,aAAa,CAAC;IACvB,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB,mBAAmB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,gBAAgB,CAAC,CAAC;IACvD,qBAAqB,CAAC,EAAE,MAAM,EAAE,CAAC;IACjC,cAAc,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC,CAAC;IACnE,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC5B,mBAAmB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC/B,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAElB,eAAe,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE;QAAE,aAAa,EAAE,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;KAAE,CAAC,CAAC;IACzG,iBAAiB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC7B,iBAAiB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE;QAAE,aAAa,EAAE,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;KAAE,CAAC,CAAC;IAC3G,mBAAmB,CAAC,EAAE,MAAM,EAAE,CAAC;CAChC;AAGD,MAAM,WAAW,WAAW;IAC1B,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAGD,MAAM,WAAW,aAAa;IAC5B,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED,8BAAsB,OAAO;;IAE3B,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,QAAQ,CAAC,IAAI,EAAE,WAAW,CAAC;IACpC,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,IAAI,EAAE,WAAW,CAAC;IAC3B,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC1C,iEAAiE;IACjE,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;IAE5B,QAAQ,CAAC,mBAAmB,EAAE,MAAM,CAAC,MAAM,EAAE,gBAAgB,CAAC,CAAC;IAC/D,QAAQ,CAAC,qBAAqB,EAAE,MAAM,EAAE,CAAC;IACzC,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAC,MAAM,EAAE;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC,CAAC;IAC3E,QAAQ,CAAC,gBAAgB,EAAE,MAAM,EAAE,CAAC;IACpC,QAAQ,CAAC,mBAAmB,EAAE,MAAM,EAAE,CAAC;IACvC,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAC3B,QAAQ,CAAC,eAAe,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE;QAAE,aAAa,EAAE,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;KAAE,CAAC,CAAC;IAClH,QAAQ,CAAC,iBAAiB,CAAC,EAAE,MAAM,EAAE,CAAC;IACtC,QAAQ,CAAC,iBAAiB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE;QAAE,aAAa,EAAE,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;KAAE,CAAC,CAAC;IACpH,QAAQ,CAAC,mBAAmB,CAAC,EAAE,MAAM,EAAE,CAAC;IAKxC,SAAS,CAAC,KAAK,EAAE,MAAM,CAAC;IAIxB,SAAS,aAAa,GAAG,EAAE,aAAa;IA2BxC;;;;OAIG;IACH,SAAS,KAAK,KAAK,IAAI,KAAK,CAE3B;IAGD,IAAI,MAAM,IAAI,MAAM,CAEnB;IAEK,qBAAqB,IAAI,OAAO,CAAC,MAAM,CAAC;IAM9C;;;;;OAKG;IACH,QAAQ,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,GAAG,MAAM;IAGhE,MAAM,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,EAAE,GAAG,CAAC,CAAC,EAAE,EAAE,MAAM,KAAK,OAAO,CAAC;CAS9D;AAED,qBAAa,WAAW;IAEpB,OAAO,CAAC,QAAQ,CAAC,MAAM;IACvB,OAAO,CAAC,QAAQ,CAAC,KAAK;gBADL,MAAM,EAAE,OAAO,EACf,KAAK,EAAE,CAAC,EAAE,EAAE,MAAM,KAAK,OAAO;IAGjD,IAAI,EAAE,WAEL;IACD,IAAI,IAAI,UAEP;IACD,IAAI,IAAI,gBAEP;IACD,IAAI,MAAM,wCAET;IACD,IAAI,cAAc;YArG4B,MAAM;iBAAW,MAAM,EAAE;OAuGtE;IAEK,QAAQ,CAAC,UAAU,EAAE,MAAM;IAKjC,qBAAqB,IAAI,OAAO,CAAC,MAAM,CAAC;CAGzC"}

package/auth/session/record/session.mcp.d.ts

@@ -0,0 +1,11 @@
+import { BaseCreateCtx, Session } from './session.base';
+/**
+ * Represents an MCP session created from a verified authorization.
+ * The session holds user identity, claims, and authorized entities (apps, tools, resources).
+ */
+export declare class McpSession extends Session {
+    readonly mode = "mcp";
+    constructor(ctx: BaseCreateCtx);
+    getToken(): Promise<string> | string;
+}
+//# sourceMappingURL=session.mcp.d.ts.map

package/auth/session/record/session.mcp.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"session.mcp.d.ts","sourceRoot":"","sources":["../../../../src/auth/session/record/session.mcp.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,OAAO,EAAE,MAAM,gBAAgB,CAAC;AAExD;;;GAGG;AACH,qBAAa,UAAW,SAAQ,OAAO;IACrC,QAAQ,CAAC,IAAI,SAAS;gBACV,GAAG,EAAE,aAAa;IAIrB,QAAQ,IAAI,OAAO,CAAC,MAAM,CAAC,GAAG,MAAM;CAG9C"}

package/auth/session/redis-session.store.d.ts

@@ -1,4 +1,4 @@
-import { Redis } from 'ioredis';
+import type { Redis } from 'ioredis';
 import { SessionStore, StoredSession, RedisConfig, SessionSecurityConfig } from './transport-session.types';
 import { FrontMcpLogger } from '../../common/interfaces/logger.interface';
 /**
@@ -13,6 +13,7 @@ export interface RedisSessionStoreConfig extends RedisConfig {
  *
  * Provides persistent session storage for distributed deployments.
  * Sessions are stored as JSON with optional TTL.
+ * Uses @frontmcp/utils RedisStorageAdapter internally.
  *
  * Security features (configurable via security option):
  * - HMAC signing: Detects session data tampering
@@ -20,7 +21,7 @@ export interface RedisSessionStoreConfig extends RedisConfig {
  * - Max lifetime: Prevents indefinite session extension
  */
 export declare class RedisSessionStore implements SessionStore {
-    private readonly redis;
+    private readonly storage;
     private readonly keyPrefix;
     private readonly defaultTtlMs;
     private readonly logger?;
@@ -34,10 +35,14 @@ export declare class RedisSessionStore implements SessionStore {
         security?: SessionSecurityConfig;
     }, logger?: FrontMcpLogger);
     /**
-     * Get the full Redis key for a session ID
+     * Get the full key for a session ID (without prefix, adapter handles it)
      * @throws Error if sessionId is empty
      */
-    private key;
+    private validateSessionId;
+    /**
+     * Ensure the storage adapter is connected
+     */
+    private ensureConnected;
     /**
      * Get a stored session by ID
      *
@@ -76,7 +81,7 @@ export declare class RedisSessionStore implements SessionStore {
     /**
      * Get the underlying Redis client (for advanced use cases)
      */
-    getRedisClient(): Redis;
+    getRedisClient(): Redis | undefined;
     /**
      * Test Redis connection by sending a PING command.
      * Useful for validating connection on startup.

package/auth/session/redis-session.store.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"redis-session.store.d.ts","sourceRoot":"","sources":["../../../src/auth/session/redis-session.store.ts"],"names":[],"mappings":"AACA,OAAgB,EAAE,KAAK,EAAgB,MAAM,SAAS,CAAC;AAEvD,OAAO,EACL,YAAY,EACZ,aAAa,EACb,WAAW,EAEX,qBAAqB,EACtB,MAAM,2BAA2B,CAAC;AACnC,OAAO,EAAE,cAAc,EAAE,MAAM,0CAA0C,CAAC;AAI1E;;GAEG;AACH,MAAM,WAAW,uBAAwB,SAAQ,WAAW;IAC1D,iCAAiC;IACjC,QAAQ,CAAC,EAAE,qBAAqB,CAAC;CAClC;AAED;;;;;;;;;;GAUG;AACH,qBAAa,iBAAkB,YAAW,YAAY;IACpD,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAQ;IAC9B,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAS;IACnC,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAS;IACtC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAiB;IACzC,OAAO,CAAC,gBAAgB,CAAS;IAGjC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAwB;IACjD,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAqB;gBAGhD,MAAM,EACF,uBAAuB,GACvB;QAAE,KAAK,EAAE,KAAK,CAAC;QAAC,SAAS,CAAC,EAAE,MAAM,CAAC;QAAC,YAAY,CAAC,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,EAAE,qBAAqB,CAAA;KAAE,EACjG,MAAM,CAAC,EAAE,cAAc;IAyCzB;;;OAGG;IACH,OAAO,CAAC,GAAG;IAOX;;;;;;;;;;;OAWG;IACG,GAAG,CAAC,SAAS,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE;QAAE,gBAAgB,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC;IAsHpG;;OAEG;IACG,GAAG,CAAC,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,aAAa,EAAE,KAAK,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IA6BnF;;OAEG;IACG,MAAM,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAI9C;;OAEG;IACG,MAAM,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAIjD;;OAEG;IACH,OAAO,IAAI,MAAM;IAIjB;;OAEG;IACG,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC;IAMjC;;OAEG;IACH,cAAc,IAAI,KAAK;IAIvB;;;;;OAKG;IACG,IAAI,IAAI,OAAO,CAAC,OAAO,CAAC;CAQ/B"}
+{"version":3,"file":"redis-session.store.d.ts","sourceRoot":"","sources":["../../../src/auth/session/redis-session.store.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,SAAS,CAAC;AAErC,OAAO,EACL,YAAY,EACZ,aAAa,EACb,WAAW,EAEX,qBAAqB,EACtB,MAAM,2BAA2B,CAAC;AACnC,OAAO,EAAE,cAAc,EAAE,MAAM,0CAA0C,CAAC;AAI1E;;GAEG;AACH,MAAM,WAAW,uBAAwB,SAAQ,WAAW;IAC1D,iCAAiC;IACjC,QAAQ,CAAC,EAAE,qBAAqB,CAAC;CAClC;AAED;;;;;;;;;;;GAWG;AACH,qBAAa,iBAAkB,YAAW,YAAY;IACpD,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAsB;IAC9C,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAS;IACnC,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAS;IACtC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAiB;IACzC,OAAO,CAAC,gBAAgB,CAAS;IAGjC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAwB;IACjD,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAqB;gBAGhD,MAAM,EACF,uBAAuB,GACvB;QAAE,KAAK,EAAE,KAAK,CAAC;QAAC,SAAS,CAAC,EAAE,MAAM,CAAC;QAAC,YAAY,CAAC,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,EAAE,qBAAqB,CAAA;KAAE,EACjG,MAAM,CAAC,EAAE,cAAc;IAyCzB;;;OAGG;IACH,OAAO,CAAC,iBAAiB;IAMzB;;OAEG;YACW,eAAe;IAK7B;;;;;;;;;;;OAWG;IACG,GAAG,CAAC,SAAS,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE;QAAE,gBAAgB,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC;IAuIpG;;OAEG;IACG,GAAG,CAAC,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,aAAa,EAAE,KAAK,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IA+BnF;;OAEG;IACG,MAAM,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAM9C;;OAEG;IACG,MAAM,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAMjD;;OAEG;IACH,OAAO,IAAI,MAAM;IAIjB;;OAEG;IACG,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC;IAMjC;;OAEG;IACH,cAAc,IAAI,KAAK,GAAG,SAAS;IAInC;;;;;OAKG;IACG,IAAI,IAAI,OAAO,CAAC,OAAO,CAAC;CAW/B"}

package/auth/session/session-crypto.d.ts

@@ -4,20 +4,17 @@
  * Provides HMAC signing and verification for stored session data.
  * Protects against session data tampering when stored in external
  * systems like Redis that don't provide application-level integrity.
+ *
+ * This module wraps the generic @frontmcp/utils HMAC signing utilities
+ * with session-specific types and environment-based secret handling.
  */
+import { isSignedData, type SignedData } from '@frontmcp/utils';
 import type { StoredSession } from './transport-session.types';
 /**
  * Signed session wrapper structure.
  * Contains the session data and its HMAC signature.
  */
-export interface SignedSession {
-    /** The session data */
-    data: StoredSession;
-    /** HMAC-SHA256 signature in base64url format */
-    sig: string;
-    /** Signature version for future algorithm changes */
-    v: 1;
-}
+export type SignedSession = SignedData<StoredSession>;
 /**
  * Configuration for session signing.
  */
@@ -74,7 +71,7 @@ export declare function verifySession(signedData: string, config?: SessionSignin
  * @param data - Raw data from storage
  * @returns true if the data appears to be a signed session
  */
-export declare function isSignedSession(data: string): boolean;
+export { isSignedData as isSignedSession };
 /**
  * Verify or parse a session, supporting both signed and unsigned formats.
  * Useful for backwards compatibility during migration.

package/auth/session/session-crypto.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"session-crypto.d.ts","sourceRoot":"","sources":["../../../src/auth/session/session-crypto.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAGH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,2BAA2B,CAAC;AAE/D;;;GAGG;AACH,MAAM,WAAW,aAAa;IAC5B,uBAAuB;IACvB,IAAI,EAAE,aAAa,CAAC;IACpB,gDAAgD;IAChD,GAAG,EAAE,MAAM,CAAC;IACZ,qDAAqD;IACrD,CAAC,EAAE,CAAC,CAAC;CACN;AAED;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC;;;;OAIG;IACH,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAmCD;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,WAAW,CAAC,OAAO,EAAE,aAAa,EAAE,MAAM,CAAC,EAAE,oBAAoB,GAAG,MAAM,CAYzF;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAgB,aAAa,CAAC,UAAU,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,oBAAoB,GAAG,aAAa,GAAG,IAAI,CAsCrG;AAED;;;;;;GAMG;AACH,wBAAgB,eAAe,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAOrD;AAED;;;;;;;GAOG;AACH,wBAAgB,oBAAoB,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,oBAAoB,GAAG,aAAa,GAAG,IAAI,CAatG"}
+{"version":3,"file":"session-crypto.d.ts","sourceRoot":"","sources":["../../../src/auth/session/session-crypto.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAGL,YAAY,EAEZ,KAAK,UAAU,EAEhB,MAAM,iBAAiB,CAAC;AACzB,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,2BAA2B,CAAC;AAE/D;;;GAGG;AACH,MAAM,MAAM,aAAa,GAAG,UAAU,CAAC,aAAa,CAAC,CAAC;AAEtD;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC;;;;OAIG;IACH,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AA+BD;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,WAAW,CAAC,OAAO,EAAE,aAAa,EAAE,MAAM,CAAC,EAAE,oBAAoB,GAAG,MAAM,CAEzF;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAgB,aAAa,CAAC,UAAU,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,oBAAoB,GAAG,aAAa,GAAG,IAAI,CAErG;AAED;;;;;;GAMG;AACH,OAAO,EAAE,YAAY,IAAI,eAAe,EAAE,CAAC;AAE3C;;;;;;;GAOG;AACH,wBAAgB,oBAAoB,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,oBAAoB,GAAG,aAAa,GAAG,IAAI,CAEtG"}

package/{store/store.factory.d.ts → auth/session/session-store.factory.d.ts}

@@ -1,39 +1,13 @@
 /**
- * Storage Factory
+ * Session Store Factory
  *
- * Factory functions for creating store drivers and session stores
- * based on configuration. Supports both Redis and Vercel KV providers.
+ * Factory functions for creating session stores based on configuration.
+ * Supports Redis, Vercel KV providers.
+ * Uses @frontmcp/utils storage adapters internally.
  */
-import type { StoreDriver } from './store.types';
-import type { SessionStore } from '../auth/session/transport-session.types';
-import type { FrontMcpLogger } from '../common/interfaces/logger.interface';
-import { type RedisOptions, type PubsubOptions } from '../common/types/options/redis.options';
-/**
- * Create a store driver based on configuration
- *
- * @param options - Storage configuration (Redis or Vercel KV)
- * @returns A store driver instance (not connected)
- *
- * @example Redis
- * ```typescript
- * const driver = createStoreDriver({
- *   provider: 'redis',
- *   host: 'localhost',
- *   port: 6379,
- * });
- * await driver.connect();
- * ```
- *
- * @example Vercel KV
- * ```typescript
- * const driver = createStoreDriver({
- *   provider: 'vercel-kv',
- *   // Uses KV_REST_API_URL and KV_REST_API_TOKEN env vars
- * });
- * await driver.connect();
- * ```
- */
-export declare function createStoreDriver(options: RedisOptions): StoreDriver;
+import { type StorageAdapter } from '@frontmcp/utils';
+import type { SessionStore } from './transport-session.types';
+import { type FrontMcpLogger, type RedisOptions, type PubsubOptions } from '../../common';
 /**
  * Create a session store based on configuration
  *
@@ -74,7 +48,7 @@ export declare function createSessionStoreSync(options: RedisOptions, logger?: F
  * Use this when you need resource subscriptions with Vercel KV for sessions.
  *
  * @param options - Pub/sub configuration (Redis only)
- * @returns A Redis store driver with pub/sub support
+ * @returns A Redis storage adapter with pub/sub support
  *
  * @example Hybrid config
  * ```typescript
@@ -83,5 +57,5 @@ export declare function createSessionStoreSync(options: RedisOptions, logger?: F
  * const pubsubStore = createPubsubStore({ host: 'localhost', port: 6379 });
  * ```
  */
-export declare function createPubsubStore(options: PubsubOptions): StoreDriver;
-//# sourceMappingURL=store.factory.d.ts.map
+export declare function createPubsubStore(options: PubsubOptions): StorageAdapter;
+//# sourceMappingURL=session-store.factory.d.ts.map

package/auth/session/session-store.factory.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"session-store.factory.d.ts","sourceRoot":"","sources":["../../../src/auth/session/session-store.factory.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAuB,KAAK,cAAc,EAAE,MAAM,iBAAiB,CAAC;AAC3E,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,2BAA2B,CAAC;AAC9D,OAAO,EACL,KAAK,cAAc,EACnB,KAAK,YAAY,EAGjB,KAAK,aAAa,EAGnB,MAAM,cAAc,CAAC;AAEtB;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,wBAAsB,kBAAkB,CAAC,OAAO,EAAE,YAAY,EAAE,MAAM,CAAC,EAAE,cAAc,GAAG,OAAO,CAAC,YAAY,CAAC,CAW9G;AAiDD;;;;;;;GAOG;AACH,wBAAgB,sBAAsB,CAAC,OAAO,EAAE,YAAY,EAAE,MAAM,CAAC,EAAE,cAAc,GAAG,YAAY,CAqBnG;AAED;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,aAAa,GAAG,cAAc,CAYxE"}

package/auth/session/session.service.d.ts

@@ -1,16 +1,12 @@
-import { StatelessSession } from './record/session.stateless';
-import { StatefulSession } from './record/session.stateful';
 import { Scope } from '../../scope';
 import { CreateSessionArgs } from './session.types';
-import { TransparentSession } from './record/session.transparent';
+import { McpSession } from './record/session.mcp';
 export declare class SessionService {
-    private store;
     /**
-     * Create and persist a new Session from verified auth data.
+     * Create a new Session from verified auth data.
      * The returned Session exposes async token helpers, scoped view, and transport JWT helpers.
      */
-    createSession(scope: Scope, args: CreateSessionArgs): Promise<TransparentSession | StatefulSession | StatelessSession>;
-    private createOrchestratedSession;
-    private createTransparentSession;
+    createSession(scope: Scope, args: CreateSessionArgs): McpSession;
+    private createMcpSession;
 }
 //# sourceMappingURL=session.service.d.ts.map

package/auth/session/session.service.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"session.service.d.ts","sourceRoot":"","sources":["../../../src/auth/session/session.service.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,gBAAgB,EAAE,MAAM,4BAA4B,CAAC;AAC9D,OAAO,EAAE,eAAe,EAAE,MAAM,2BAA2B,CAAC;AAC5D,OAAO,EAAE,KAAK,EAAE,MAAM,aAAa,CAAC;AACpC,OAAO,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AACpD,OAAO,EAAE,kBAAkB,EAAE,MAAM,8BAA8B,CAAC;AAGlE,qBAAa,cAAc;IACzB,OAAO,CAAC,KAAK,CAA6B;IAE1C;;;OAGG;IACG,aAAa,CAAC,KAAK,EAAE,KAAK,EAAE,IAAI,EAAE,iBAAiB;IAQzD,OAAO,CAAC,yBAAyB;IASjC,OAAO,CAAC,wBAAwB;CA6EjC"}
+{"version":3,"file":"session.service.d.ts","sourceRoot":"","sources":["../../../src/auth/session/session.service.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,KAAK,EAAE,MAAM,aAAa,CAAC;AACpC,OAAO,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AACpD,OAAO,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAC;AAElD,qBAAa,cAAc;IACzB;;;OAGG;IACH,aAAa,CAAC,KAAK,EAAE,KAAK,EAAE,IAAI,EAAE,iBAAiB,GAAG,UAAU;IAIhE,OAAO,CAAC,gBAAgB;CAqFzB"}

package/auth/session/session.transport.d.ts

@@ -1,5 +1,11 @@
-import { TransportIdMode } from '../../common';
 export declare class TransportIdGenerator {
-    static createId(mode: TransportIdMode): string;
+    /**
+     * Create a transport session ID.
+     * Always generates JWT-style IDs for distributed session support.
+     *
+     * @param _mode - Deprecated parameter, kept for backwards compatibility
+     * @returns A JWT-style transport session ID (UUID without dashes)
+     */
+    static createId(_mode?: 'jwt'): string;
 }
 //# sourceMappingURL=session.transport.d.ts.map

package/auth/session/session.transport.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"session.transport.d.ts","sourceRoot":"","sources":["../../../src/auth/session/session.transport.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,eAAe,EAAE,MAAM,cAAc,CAAC;AAE/C,qBAAa,oBAAoB;IAC/B,MAAM,CAAC,QAAQ,CAAC,IAAI,EAAE,eAAe,GAAG,MAAM;CAW/C"}
+{"version":3,"file":"session.transport.d.ts","sourceRoot":"","sources":["../../../src/auth/session/session.transport.ts"],"names":[],"mappings":"AAGA,qBAAa,oBAAoB;IAC/B;;;;;;OAMG;IACH,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,KAAK,GAAG,MAAM;CAIvC"}

package/auth/session/session.types.d.ts

@@ -1,6 +1,6 @@
 import { SessionUser } from './record/session.base';
-/** How provider tokens are managed in a session. */
-export type SessionMode = 'transparent' | 'stateful' | 'stateless';
+/** Session mode identifier. */
+export type SessionMode = 'mcp';
 /**
  * How a single provider’s access token is represented inside the session payload.
  */
@@ -41,7 +41,7 @@ export type ProviderSnapshot = {
 export type CreateSessionArgs = {
     token: string;
     sessionId?: string;
-    claims: Record<string, any>;
+    claims: Record<string, unknown>;
     user: SessionUser;
     authorizedProviders?: Record<string, import('./session.types').ProviderSnapshot>;
     authorizedProviderIds?: string[];
@@ -54,12 +54,12 @@ export type CreateSessionArgs = {
     scopes?: string[];
     authorizedTools?: Record<string, {
         executionPath: [string, string];
-        details?: Record<string, any>;
+        details?: Record<string, unknown>;
     }>;
     authorizedToolIds?: string[];
     authorizedPrompts?: Record<string, {
         executionPath: [string, string];
-        details?: Record<string, any>;
+        details?: Record<string, unknown>;
     }>;
     authorizedPromptIds?: string[];
 };

package/auth/session/session.types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"session.types.d.ts","sourceRoot":"","sources":["../../../src/auth/session/session.types.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AAEpD,oDAAoD;AACpD,MAAM,MAAM,WAAW,GAAG,aAAa,GAAG,UAAU,GAAG,WAAW,CAAC;AAEnE;;GAEG;AACH,MAAM,MAAM,iBAAiB,GACzB,YAAY,GACZ,WAAW,GACX,OAAO,GACP,KAAK,CAAC;AAEV,oDAAoD;AACpD,MAAM,MAAM,OAAO,GAAG;IAAE,GAAG,EAAE,SAAS,CAAC;IAAC,EAAE,EAAE,MAAM,CAAC;IAAC,GAAG,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,CAAC;AAEhF,MAAM,MAAM,gBAAgB,GAAG;IAC7B,EAAE,EAAE,MAAM,CAAC;IACX,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAClC,IAAI,CAAC,EAAE,KAAK,CAAC;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC,CAAC;IACjD,SAAS,EAAE,iBAAiB,CAAC;IAG7B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE;QAAE,GAAG,EAAE,SAAS,CAAC;QAAC,EAAE,EAAE,MAAM,CAAC;QAAC,GAAG,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC;IACrE,eAAe,CAAC,EAAE;QAAE,GAAG,EAAE,SAAS,CAAC;QAAC,EAAE,EAAE,MAAM,CAAC;QAAC,GAAG,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC;IAG5E,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB,CAAC;AAEF,sEAAsE;AACtE,MAAM,MAAM,iBAAiB,GAAG;IAC9B,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAC5B,IAAI,EAAE,WAAW,CAAC;IAElB,mBAAmB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,iBAAiB,EAAE,gBAAgB,CAAC,CAAC;IACjF,qBAAqB,CAAC,EAAE,MAAM,EAAE,CAAC;IACjC,cAAc,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC,CAAC;IACnE,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC5B,mBAAmB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC/B,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAElB,eAAe,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE;QAAE,aAAa,EAAE,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAA;KAAE,CAAC,CAAC;IACrG,iBAAiB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC7B,iBAAiB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE;QAAE,aAAa,EAAE,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAA;KAAE,CAAC,CAAC;IACvG,mBAAmB,CAAC,EAAE,MAAM,EAAE,CAAC;CAChC,CAAC"}
+{"version":3,"file":"session.types.d.ts","sourceRoot":"","sources":["../../../src/auth/session/session.types.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AAEpD,+BAA+B;AAC/B,MAAM,MAAM,WAAW,GAAG,KAAK,CAAC;AAEhC;;GAEG;AACH,MAAM,MAAM,iBAAiB,GACzB,YAAY,GACZ,WAAW,GACX,OAAO,GACP,KAAK,CAAC;AAEV,oDAAoD;AACpD,MAAM,MAAM,OAAO,GAAG;IAAE,GAAG,EAAE,SAAS,CAAC;IAAC,EAAE,EAAE,MAAM,CAAC;IAAC,GAAG,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,CAAC;AAEhF,MAAM,MAAM,gBAAgB,GAAG;IAC7B,EAAE,EAAE,MAAM,CAAC;IACX,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAClC,IAAI,CAAC,EAAE,KAAK,CAAC;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC,CAAC;IACjD,SAAS,EAAE,iBAAiB,CAAC;IAG7B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE;QAAE,GAAG,EAAE,SAAS,CAAC;QAAC,EAAE,EAAE,MAAM,CAAC;QAAC,GAAG,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC;IACrE,eAAe,CAAC,EAAE;QAAE,GAAG,EAAE,SAAS,CAAC;QAAC,EAAE,EAAE,MAAM,CAAC;QAAC,GAAG,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC;IAG5E,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB,CAAC;AAEF,sEAAsE;AACtE,MAAM,MAAM,iBAAiB,GAAG;IAC9B,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAChC,IAAI,EAAE,WAAW,CAAC;IAElB,mBAAmB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,iBAAiB,EAAE,gBAAgB,CAAC,CAAC;IACjF,qBAAqB,CAAC,EAAE,MAAM,EAAE,CAAC;IACjC,cAAc,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC,CAAC;IACnE,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC5B,mBAAmB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC/B,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAElB,eAAe,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE;QAAE,aAAa,EAAE,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;KAAE,CAAC,CAAC;IACzG,iBAAiB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC7B,iBAAiB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE;QAAE,aAAa,EAAE,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;KAAE,CAAC,CAAC;IAC3G,mBAAmB,CAAC,EAAE,MAAM,EAAE,CAAC;CAChC,CAAC"}

package/auth/session/token.refresh.d.ts

@@ -1,6 +1,5 @@
 import type { ProviderSnapshot } from './session.types';
-import type { TokenStore } from './token.store';
-import type { TokenVault } from './token.vault';
+import type { TokenStore, TokenVault } from '@frontmcp/auth';
 export type TokenRefreshCtx = {
     /** The provider we’re refreshing for. */
     providerId: string;

package/auth/session/token.refresh.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"token.refresh.d.ts","sourceRoot":"","sources":["../../../src/auth/session/token.refresh.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AACxD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAChD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAMhD,MAAM,MAAM,eAAe,GAAG;IAC5B,yCAAyC;IACzC,UAAU,EAAE,MAAM,CAAC;IAEnB,uEAAuE;IACvE,OAAO,EAAE;QACP,EAAE,EAAE,MAAM,CAAC;QACX,OAAO,EAAE,MAAM,CAAC;QAChB,+DAA+D;QAC/D,mBAAmB,EAAE,MAAM,CAAC,MAAM,EAAE,gBAAgB,CAAC,CAAC;QACtD,sEAAsE;QACtE,QAAQ,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE;YAAE,cAAc,CAAC,EAAE,MAAM,CAAC;YAAC,YAAY,CAAC,EAAE,OAAO,CAAA;SAAE,KAAK,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC,CAAC;KACrH,CAAC;IAEF,iEAAiE;IACjE,WAAW,CAAC,EAAE,MAAM,CAAC;IAErB;;;OAGG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;IAEtB,+EAA+E;IAC/E,QAAQ,EAAE,gBAAgB,CAAC;IAE3B;;;;OAIG;IACH,KAAK,CAAC,EAAE,UAAU,CAAC;IACnB,KAAK,CAAC,EAAE,UAAU,CAAC;CACpB,CAAC;AAEF,MAAM,MAAM,kBAAkB,GAAG;IAC/B,qCAAqC;IACrC,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,oCAAoC;IACpC,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,6EAA6E;IAC7E,GAAG,EAAE,MAAM,CAAC;IACZ,0EAA0E;IAC1E,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACnC,CAAC;AAEF,MAAM,MAAM,cAAc,GAAG,CAAC,GAAG,EAAE,eAAe,KAAK,OAAO,CAAC,kBAAkB,CAAC,CAAC;AAMnF,yDAAyD;AACzD,wBAAgB,cAAc,CAAC,GAAG,CAAC,EAAE,MAAM,GAAG,IAAI,GAAG,MAAM,GAAG,SAAS,CAKtE;AAED,oFAAoF;AACpF,wBAAgB,cAAc,CAAC,GAAG,CAAC,EAAE,MAAM,GAAG,IAAI,EAAE,OAAO,SAAK,GAAG,OAAO,CAKzE;AAED;;;;GAIG;AACH,wBAAgB,sBAAsB,CACpC,WAAW,EAAE;IAAE,mBAAmB,EAAE,MAAM,CAAC,MAAM,EAAE,gBAAgB,CAAC,CAAA;CAAE,EACtE,UAAU,EAAE,MAAM,EAClB,OAAO,SAAK,GACX,OAAO,CAIT;AAMD,uEAAuE;AACvE,wBAAgB,SAAS,CAAC,KAAK,CAAC,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAW5D"}
+{"version":3,"file":"token.refresh.d.ts","sourceRoot":"","sources":["../../../src/auth/session/token.refresh.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AACxD,OAAO,KAAK,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,gBAAgB,CAAC;AAO7D,MAAM,MAAM,eAAe,GAAG;IAC5B,yCAAyC;IACzC,UAAU,EAAE,MAAM,CAAC;IAEnB,uEAAuE;IACvE,OAAO,EAAE;QACP,EAAE,EAAE,MAAM,CAAC;QACX,OAAO,EAAE,MAAM,CAAC;QAChB,+DAA+D;QAC/D,mBAAmB,EAAE,MAAM,CAAC,MAAM,EAAE,gBAAgB,CAAC,CAAC;QACtD,sEAAsE;QACtE,QAAQ,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE;YAAE,cAAc,CAAC,EAAE,MAAM,CAAC;YAAC,YAAY,CAAC,EAAE,OAAO,CAAA;SAAE,KAAK,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC,CAAC;KACrH,CAAC;IAEF,iEAAiE;IACjE,WAAW,CAAC,EAAE,MAAM,CAAC;IAErB;;;OAGG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;IAEtB,+EAA+E;IAC/E,QAAQ,EAAE,gBAAgB,CAAC;IAE3B;;;;OAIG;IACH,KAAK,CAAC,EAAE,UAAU,CAAC;IACnB,KAAK,CAAC,EAAE,UAAU,CAAC;CACpB,CAAC;AAEF,MAAM,MAAM,kBAAkB,GAAG;IAC/B,qCAAqC;IACrC,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,oCAAoC;IACpC,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,6EAA6E;IAC7E,GAAG,EAAE,MAAM,CAAC;IACZ,0EAA0E;IAC1E,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACnC,CAAC;AAEF,MAAM,MAAM,cAAc,GAAG,CAAC,GAAG,EAAE,eAAe,KAAK,OAAO,CAAC,kBAAkB,CAAC,CAAC;AAMnF,yDAAyD;AACzD,wBAAgB,cAAc,CAAC,GAAG,CAAC,EAAE,MAAM,GAAG,IAAI,GAAG,MAAM,GAAG,SAAS,CAKtE;AAED,oFAAoF;AACpF,wBAAgB,cAAc,CAAC,GAAG,CAAC,EAAE,MAAM,GAAG,IAAI,EAAE,OAAO,SAAK,GAAG,OAAO,CAKzE;AAED;;;;GAIG;AACH,wBAAgB,sBAAsB,CACpC,WAAW,EAAE;IAAE,mBAAmB,EAAE,MAAM,CAAC,MAAM,EAAE,gBAAgB,CAAC,CAAA;CAAE,EACtE,UAAU,EAAE,MAAM,EAClB,OAAO,SAAK,GACX,OAAO,CAIT;AAMD,uEAAuE;AACvE,wBAAgB,SAAS,CAAC,KAAK,CAAC,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAW5D"}

package/auth/session/transport-session.manager.d.ts

@@ -1,4 +1,5 @@
-import { TransportSession, TransportProtocol, StoredSession, SessionStore, SessionStorageConfig, TransportState, EncryptedBlob } from './transport-session.types';
+import { type EncryptedBlob } from '@frontmcp/utils';
+import { TransportSession, TransportProtocol, StoredSession, SessionStore, SessionStorageConfig, TransportState } from './transport-session.types';
 /**
  * In-memory session store implementation
  */
@@ -76,18 +77,18 @@ export declare class TransportSessionManager {
      * Encode a session as an encrypted JWT for the Mcp-Session-Id header
      *
      * @param session - The transport session to encode
-     * @param additionalState - Additional encrypted state for stateless mode
+     * @param _additionalState - (deprecated) Reserved for backwards compatibility
      * @returns Encrypted session JWT
      */
-    encodeSessionJwt(session: TransportSession, additionalState?: {
-        state?: unknown;
-        tokens?: Record<string, unknown>;
-    }): string;
+    encodeSessionJwt(session: TransportSession, _additionalState?: unknown): string;
     /**
      * Decode an encrypted session JWT
      *
      * @param jwt - The encrypted session JWT
      * @returns Decoded session or null if invalid
+     *
+     * Note: In stateless mode, the session.id is the JWT token itself (not the decoded sid).
+     * This ensures consistency with createSession() which sets session.id = encodeSessionJwt().
      */
     private decryptSessionJwt;
     /**

package/auth/session/transport-session.manager.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"transport-session.manager.d.ts","sourceRoot":"","sources":["../../../src/auth/session/transport-session.manager.ts"],"names":[],"mappings":"AAGA,OAAO,EACL,gBAAgB,EAChB,iBAAiB,EAGjB,aAAa,EACb,YAAY,EACZ,oBAAoB,EACpB,cAAc,EACd,aAAa,EACd,MAAM,2BAA2B,CAAC;AAMnC;;GAEG;AACH,qBAAa,oBAAqB,YAAW,YAAY;IACvD,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAoC;IAEvD,GAAG,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC;IAqBrD,GAAG,CAAC,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,aAAa,EAAE,KAAK,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAO7E,MAAM,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAIxC,MAAM,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAkBjD,OAAO,IAAI,MAAM;IAIjB;;OAEG;IACH,OAAO,IAAI,MAAM;IAmBjB;;OAEG;IACH,IAAI,IAAI,IAAI,MAAM,CAEjB;CACF;AAED;;;;;;;;;;GAUG;AACH,qBAAa,uBAAuB;IAClC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAe;IACrC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAA2B;IAChD,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAS;gBAE3B,MAAM,EAAE,oBAAoB,GAAG;QAAE,gBAAgB,CAAC,EAAE,MAAM,CAAA;KAAE;IAsCxE;;;;;;;OAOG;IACG,aAAa,CACjB,eAAe,EAAE,MAAM,EACvB,QAAQ,EAAE,iBAAiB,EAC3B,OAAO,GAAE;QACP,SAAS,CAAC,EAAE,MAAM,CAAC;QACnB,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,cAAc,CAAC,EAAE,cAAc,CAAC;QAChC,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,aAAa,CAAC,CAAC;KACnC,GACL,OAAO,CAAC,gBAAgB,CAAC;IA6B5B;;;;;OAKG;IACG,UAAU,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,GAAG,IAAI,CAAC;IAWrE;;OAEG;IACG,gBAAgB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC;IAQxE;;OAEG;IACG,aAAa,CACjB,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE;QACP,cAAc,CAAC,EAAE,cAAc,CAAC;QAChC,SAAS,CAAC,EAAE,MAAM,CAAC;KACpB,GACA,OAAO,CAAC,OAAO,CAAC;IAqBnB;;OAEG;IACG,aAAa,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAaxD;;;;;;OAMG;IACH,gBAAgB,CACd,OAAO,EAAE,gBAAgB,EACzB,eAAe,CAAC,EAAE;QAChB,KAAK,CAAC,EAAE,OAAO,CAAC;QAChB,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;KAClC,GACA,MAAM;IA2BT;;;;;OAKG;IACH,OAAO,CAAC,iBAAiB;IAuCzB;;OAEG;IACG,aAAa,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAQxD;;OAEG;IACH,IAAI,WAAW,IAAI,WAAW,GAAG,UAAU,CAE1C;CACF"}
+{"version":3,"file":"transport-session.manager.d.ts","sourceRoot":"","sources":["../../../src/auth/session/transport-session.manager.ts"],"names":[],"mappings":"AAEA,OAAO,EAAsD,KAAK,aAAa,EAAE,MAAM,iBAAiB,CAAC;AACzG,OAAO,EACL,gBAAgB,EAChB,iBAAiB,EAEjB,aAAa,EACb,YAAY,EACZ,oBAAoB,EACpB,cAAc,EACf,MAAM,2BAA2B,CAAC;AAInC;;GAEG;AACH,qBAAa,oBAAqB,YAAW,YAAY;IACvD,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAoC;IAEvD,GAAG,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC;IAqBrD,GAAG,CAAC,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,aAAa,EAAE,KAAK,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAO7E,MAAM,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAIxC,MAAM,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAkBjD,OAAO,IAAI,MAAM;IAIjB;;OAEG;IACH,OAAO,IAAI,MAAM;IAmBjB;;OAEG;IACH,IAAI,IAAI,IAAI,MAAM,CAEjB;CACF;AAED;;;;;;;;;;GAUG;AACH,qBAAa,uBAAuB;IAClC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAe;IACrC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAA2B;IAChD,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAa;gBAE/B,MAAM,EAAE,oBAAoB,GAAG;QAAE,gBAAgB,CAAC,EAAE,MAAM,CAAA;KAAE;IAuCxE;;;;;;;OAOG;IACG,aAAa,CACjB,eAAe,EAAE,MAAM,EACvB,QAAQ,EAAE,iBAAiB,EAC3B,OAAO,GAAE;QACP,SAAS,CAAC,EAAE,MAAM,CAAC;QACnB,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,cAAc,CAAC,EAAE,cAAc,CAAC;QAChC,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,aAAa,CAAC,CAAC;KACnC,GACL,OAAO,CAAC,gBAAgB,CAAC;IAgC5B;;;;;OAKG;IACG,UAAU,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,GAAG,IAAI,CAAC;IAWrE;;OAEG;IACG,gBAAgB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC;IAQxE;;OAEG;IACG,aAAa,CACjB,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE;QACP,cAAc,CAAC,EAAE,cAAc,CAAC;QAChC,SAAS,CAAC,EAAE,MAAM,CAAC;KACpB,GACA,OAAO,CAAC,OAAO,CAAC;IAqBnB;;OAEG;IACG,aAAa,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAaxD;;;;;;OAMG;IACH,gBAAgB,CAAC,OAAO,EAAE,gBAAgB,EAAE,gBAAgB,CAAC,EAAE,OAAO,GAAG,MAAM;IAe/E;;;;;;;;OAQG;IACH,OAAO,CAAC,iBAAiB;IAoCzB;;OAEG;IACG,aAAa,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAQxD;;OAEG;IACH,IAAI,WAAW,IAAI,WAAW,GAAG,UAAU,CAE1C;CACF"}

package/auth/session/utils/session-id.utils.d.ts

@@ -1,5 +1,5 @@
 import { SessionIdPayload, TransportProtocolType } from '../../../common';
-import type { PlatformDetectionConfig } from '../../../common/types/options/session.options';
+import type { PlatformDetectionConfig } from '../../../common/types/options/session';
 export declare function encryptJson(obj: unknown): string;
 /**
  * Decrypt a public session ID without signature verification.
@@ -21,6 +21,12 @@ export interface CreateSessionOptions {
     userAgent?: string;
     /** Platform detection configuration from scope */
     platformDetectionConfig?: PlatformDetectionConfig;
+    /**
+     * Whether this session is in skills-only mode.
+     * When true, tools/list returns empty array but skills/search and skills/load work normally.
+     * Detected from `?mode=skills_only` query param on connection.
+     */
+    skillsOnlyMode?: boolean;
 }
 export declare function createSessionId(protocol: TransportProtocolType, token: string, options?: CreateSessionOptions): {
     id: string;
@@ -38,4 +44,15 @@ export declare function extractSessionFromCookie(cookie?: string): string | unde
  * @returns true if the session was found and updated, false otherwise
  */
 export declare function updateSessionPayload(sessionId: string, updates: Partial<SessionIdPayload>): boolean;
+/**
+ * Retrieve client info (name/version) from a session ID.
+ * Useful for logging, stateless access, or when NotificationService is not available.
+ *
+ * @param sessionId - The encrypted session ID
+ * @returns Client info object or null if session is invalid or has no client info
+ */
+export declare function getSessionClientInfo(sessionId: string): {
+    name?: string;
+    version?: string;
+} | null;
 //# sourceMappingURL=session-id.utils.d.ts.map

package/auth/session/utils/session-id.utils.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"session-id.utils.d.ts","sourceRoot":"","sources":["../../../../src/auth/session/utils/session-id.utils.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,gBAAgB,EAAE,qBAAqB,EAAkB,MAAM,iBAAiB,CAAC;AAG1F,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,+CAA+C,CAAC;AAuB7F,wBAAgB,WAAW,CAAC,GAAG,EAAE,OAAO,GAAG,MAAM,CAShD;AAqDD;;;;GAIG;AACH,wBAAgB,oBAAoB,CAAC,SAAS,EAAE,MAAM,GAAG,gBAAgB,GAAG,IAAI,CAe/E;AAiBD;;;;GAIG;AACH,wBAAgB,kBAAkB,CAChC,aAAa,EAAE,MAAM,GAAG,SAAS,EACjC,KAAK,EAAE,MAAM,GACZ;IAAE,EAAE,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,gBAAgB,CAAA;CAAE,GAAG,SAAS,CAgCvD;AAED,MAAM,WAAW,oBAAoB;IACnC,8DAA8D;IAC9D,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,kDAAkD;IAClD,uBAAuB,CAAC,EAAE,uBAAuB,CAAC;CACnD;AAED,wBAAgB,eAAe,CAAC,QAAQ,EAAE,qBAAqB,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,oBAAoB;;;EAwB7G;AAED,wBAAgB,qBAAqB,CAAC,SAAS,EAAE,MAAM,EAAE,YAAY,SAAU,GAAG,MAAM,CAGvF;AAED,wBAAgB,wBAAwB,CAAC,MAAM,CAAC,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAI5E;AAED;;;;;;;;GAQG;AACH,wBAAgB,oBAAoB,CAAC,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,CAAC,gBAAgB,CAAC,GAAG,OAAO,CAuBnG"}
+{"version":3,"file":"session-id.utils.d.ts","sourceRoot":"","sources":["../../../../src/auth/session/utils/session-id.utils.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,gBAAgB,EAAE,qBAAqB,EAAkB,MAAM,iBAAiB,CAAC;AAG1F,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,uCAAuC,CAAC;AA4CrF,wBAAgB,WAAW,CAAC,GAAG,EAAE,OAAO,GAAG,MAAM,CAKhD;AAyDD;;;;GAIG;AACH,wBAAgB,oBAAoB,CAAC,SAAS,EAAE,MAAM,GAAG,gBAAgB,GAAG,IAAI,CAe/E;AAiBD;;;;GAIG;AACH,wBAAgB,kBAAkB,CAChC,aAAa,EAAE,MAAM,GAAG,SAAS,EACjC,KAAK,EAAE,MAAM,GACZ;IAAE,EAAE,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,gBAAgB,CAAA;CAAE,GAAG,SAAS,CAmBvD;AAED,MAAM,WAAW,oBAAoB;IACnC,8DAA8D;IAC9D,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,kDAAkD;IAClD,uBAAuB,CAAC,EAAE,uBAAuB,CAAC;IAClD;;;;OAIG;IACH,cAAc,CAAC,EAAE,OAAO,CAAC;CAC1B;AAED,wBAAgB,eAAe,CAAC,QAAQ,EAAE,qBAAqB,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,oBAAoB;;;EA0B7G;AAED,wBAAgB,qBAAqB,CAAC,SAAS,EAAE,MAAM,EAAE,YAAY,SAAU,GAAG,MAAM,CAGvF;AAED,wBAAgB,wBAAwB,CAAC,MAAM,CAAC,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAI5E;AAED;;;;;;;;GAQG;AACH,wBAAgB,oBAAoB,CAAC,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,CAAC,gBAAgB,CAAC,GAAG,OAAO,CAoBnG;AAED;;;;;;GAMG;AACH,wBAAgB,oBAAoB,CAAC,SAAS,EAAE,MAAM,GAAG;IAAE,IAAI,CAAC,EAAE,MAAM,CAAC;IAAC,OAAO,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,CAiBlG"}