@frontmcp/sdk 0.7.2 → 0.8.1

package/transport/transport.registry.d.ts

@@ -25,6 +25,9 @@ export declare class TransportService {
     private sessionStore?;
     /**
      * Transport persistence configuration
+     * - `false`: Explicitly disabled
+     * - `object`: Enabled with config (redis, defaultTtlMs)
+     * - `undefined`: Not configured
      */
     private persistenceConfig?;
     /**
@@ -36,7 +39,12 @@ export declare class TransportService {
      * Key: JSON-encoded {t: type, h: tokenHash, s: sessionId}, Value: Promise that resolves when creation completes
      */
     private readonly creationMutex;
-    constructor(scope: Scope, persistenceConfig?: TransportPersistenceConfigInput);
+    /**
+     * Get the default TTL for session persistence.
+     * Returns undefined if persistence is disabled or not configured.
+     */
+    private getDefaultTtlMs;
+    constructor(scope: Scope, persistenceConfig?: false | TransportPersistenceConfigInput);
     private initialize;
     destroy(): Promise<void>;
     getTransporter(type: TransportType, token: string, sessionId: string): Promise<Transporter | undefined>;

package/transport/transport.registry.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"transport.registry.d.ts","sourceRoot":"","sources":["../../src/transport/transport.registry.ts"],"names":[],"mappings":"AAEA,OAAO,EAEL,WAAW,EAIX,aAAa,EAEd,MAAM,mBAAmB,CAAC;AAG3B,OAAO,EAAE,cAAc,EAAE,+BAA+B,EAAE,MAAM,WAAW,CAAC;AAC5E,OAAO,EAAE,KAAK,EAAE,MAAM,UAAU,CAAC;AAIjC,OAAO,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAMhD,qBAAa,gBAAgB;IAC3B,QAAQ,CAAC,KAAK,EAAE,OAAO,CAAC,IAAI,CAAC,CAAC;IAC9B,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAsC;IAC7D,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAU;IACtC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAe;IACpC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAQ;IAE9B;;;;;;;OAOG;IACH,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAkC;IACjE,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CAAS;IAE7C;;;OAGG;IACH,OAAO,CAAC,YAAY,CAAC,CAAqF;IAE1G;;OAEG;IACH,OAAO,CAAC,iBAAiB,CAAC,CAAkC;IAE5D;;OAEG;IACH,OAAO,CAAC,kBAAkB,CAAC,CAAe;IAE1C;;;OAGG;IACH,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAgD;gBAElE,KAAK,EAAE,KAAK,EAAE,iBAAiB,CAAC,EAAE,+BAA+B;YA+B/D,UAAU;IAwClB,OAAO;IAcP,cAAc,CAAC,IAAI,EAAE,aAAa,EAAE,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,GAAG,SAAS,CAAC;IAsB7G;;;;;;;;;;;OAWG;IACG,gBAAgB,CACpB,IAAI,EAAE,aAAa,EACnB,KAAK,EAAE,MAAM,EACb,SAAS,EAAE,MAAM,EACjB,OAAO,CAAC,EAAE;QACR,iBAAiB,CAAC,EAAE,MAAM,CAAC;QAC3B,yBAAyB,CAAC,EAAE,OAAO,CAAC;KACrC,GACA,OAAO,CAAC,aAAa,GAAG,SAAS,CAAC;IAmCrC;;;;;;;;;;OAUG;IACG,mBAAmB,CACvB,IAAI,EAAE,aAAa,EACnB,KAAK,EAAE,MAAM,EACb,SAAS,EAAE,MAAM,EACjB,aAAa,EAAE,aAAa,EAC5B,GAAG,EAAE,cAAc,GAClB,OAAO,CAAC,WAAW,CAAC;IAkCvB;;OAEG;YACW,qBAAqB;IAoE7B,iBAAiB,CACrB,IAAI,EAAE,aAAa,EACnB,KAAK,EAAE,MAAM,EACb,SAAS,EAAE,MAAM,EACjB,GAAG,EAAE,cAAc,GAClB,OAAO,CAAC,WAAW,CAAC;IA2BvB;;OAEG;YACW,mBAAmB;IA2D3B,kBAAkB,CAAC,IAAI,EAAE,aAAa,EAAE,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAoB/G;;;OAGG;IACG,sCAAsC,CAAC,IAAI,EAAE,aAAa,EAAE,GAAG,EAAE,cAAc,GAAG,OAAO,CAAC,WAAW,CAAC;IAuB5G;;;OAGG;IACG,0CAA0C,CAC9C,IAAI,EAAE,aAAa,EACnB,KAAK,EAAE,MAAM,EACb,GAAG,EAAE,cAAc,GAClB,OAAO,CAAC,WAAW,CAAC;IAuBvB;;;;;;;;;;;;OAYG;IACH,iBAAiB,CAAC,IAAI,EAAE,aAAa,EAAE,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO;IAMjF;;;OAGG;IACG,sBAAsB,CAAC,IAAI,EAAE,aAAa,EAAE,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAkBrG,OAAO,CAAC,MAAM;IAId;;;OAGG;IACH,OAAO,CAAC,cAAc;IAItB;;;OAGG;IACH,OAAO,CAAC,eAAe;IAYvB,OAAO,CAAC,KAAK;IAUb,OAAO,CAAC,gBAAgB;IASxB,OAAO,CAAC,iBAAiB;IASzB,OAAO,CAAC,WAAW;IAQnB,OAAO,CAAC,WAAW;IAqDnB,OAAO,CAAC,UAAU;CASnB"}
+{"version":3,"file":"transport.registry.d.ts","sourceRoot":"","sources":["../../src/transport/transport.registry.ts"],"names":[],"mappings":"AAEA,OAAO,EAEL,WAAW,EAIX,aAAa,EAEd,MAAM,mBAAmB,CAAC;AAG3B,OAAO,EAAE,cAAc,EAAE,+BAA+B,EAAE,MAAM,WAAW,CAAC;AAC5E,OAAO,EAAE,KAAK,EAAE,MAAM,UAAU,CAAC;AAIjC,OAAO,EAAE,aAAa,EAAsB,MAAM,iBAAiB,CAAC;AAKpE,qBAAa,gBAAgB;IAC3B,QAAQ,CAAC,KAAK,EAAE,OAAO,CAAC,IAAI,CAAC,CAAC;IAC9B,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAsC;IAC7D,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAU;IACtC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAe;IACpC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAQ;IAE9B;;;;;;;OAOG;IACH,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAkC;IACjE,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CAAS;IAE7C;;;OAGG;IACH,OAAO,CAAC,YAAY,CAAC,CAAqF;IAE1G;;;;;OAKG;IACH,OAAO,CAAC,iBAAiB,CAAC,CAA0C;IAEpE;;OAEG;IACH,OAAO,CAAC,kBAAkB,CAAC,CAAe;IAE1C;;;OAGG;IACH,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAgD;IAE9E;;;OAGG;IACH,OAAO,CAAC,eAAe;gBAIX,KAAK,EAAE,KAAK,EAAE,iBAAiB,CAAC,EAAE,KAAK,GAAG,+BAA+B;YAgCvE,UAAU;IA0ClB,OAAO;IAcP,cAAc,CAAC,IAAI,EAAE,aAAa,EAAE,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,GAAG,SAAS,CAAC;IAsB7G;;;;;;;;;;;OAWG;IACG,gBAAgB,CACpB,IAAI,EAAE,aAAa,EACnB,KAAK,EAAE,MAAM,EACb,SAAS,EAAE,MAAM,EACjB,OAAO,CAAC,EAAE;QACR,iBAAiB,CAAC,EAAE,MAAM,CAAC;QAC3B,yBAAyB,CAAC,EAAE,OAAO,CAAC;KACrC,GACA,OAAO,CAAC,aAAa,GAAG,SAAS,CAAC;IAmCrC;;;;;;;;;;OAUG;IACG,mBAAmB,CACvB,IAAI,EAAE,aAAa,EACnB,KAAK,EAAE,MAAM,EACb,SAAS,EAAE,MAAM,EACjB,aAAa,EAAE,aAAa,EAC5B,GAAG,EAAE,cAAc,GAClB,OAAO,CAAC,WAAW,CAAC;IAkCvB;;OAEG;YACW,qBAAqB;IAoE7B,iBAAiB,CACrB,IAAI,EAAE,aAAa,EACnB,KAAK,EAAE,MAAM,EACb,SAAS,EAAE,MAAM,EACjB,GAAG,EAAE,cAAc,GAClB,OAAO,CAAC,WAAW,CAAC;IA2BvB;;OAEG;YACW,mBAAmB;IA2D3B,kBAAkB,CAAC,IAAI,EAAE,aAAa,EAAE,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAoB/G;;;OAGG;IACG,sCAAsC,CAAC,IAAI,EAAE,aAAa,EAAE,GAAG,EAAE,cAAc,GAAG,OAAO,CAAC,WAAW,CAAC;IAuB5G;;;OAGG;IACG,0CAA0C,CAC9C,IAAI,EAAE,aAAa,EACnB,KAAK,EAAE,MAAM,EACb,GAAG,EAAE,cAAc,GAClB,OAAO,CAAC,WAAW,CAAC;IAuBvB;;;;;;;;;;;;OAYG;IACH,iBAAiB,CAAC,IAAI,EAAE,aAAa,EAAE,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO;IAMjF;;;OAGG;IACG,sBAAsB,CAAC,IAAI,EAAE,aAAa,EAAE,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAkBrG,OAAO,CAAC,MAAM;IAId;;;OAGG;IACH,OAAO,CAAC,cAAc;IAItB;;;OAGG;IACH,OAAO,CAAC,eAAe;IAYvB,OAAO,CAAC,KAAK;IAUb,OAAO,CAAC,gBAAgB;IASxB,OAAO,CAAC,iBAAiB;IASzB,OAAO,CAAC,WAAW;IAQnB,OAAO,CAAC,WAAW;IAqDnB,OAAO,CAAC,UAAU;CASnB"}

package/transport/transport.types.d.ts

@@ -1,9 +1,6 @@
 import { AuthenticatedServerRequest } from '../server/server.types';
-import { ElicitResult } from '@modelcontextprotocol/sdk/types.js';
-import { ZodType } from 'zod';
-import { Infer } from '../types/zod.types';
 import { ServerResponse } from '../common';
-export type TransportType = 'sse' | 'streamable-http' | 'http' | 'stateless-http';
+export type TransportType = 'sse' | 'streamable-http' | 'http' | 'stateless-http' | 'in-memory' | 'stdio';
 export interface TransportKey {
     type: TransportType;
     token: string;
@@ -54,8 +51,4 @@ export interface TransportRegistryOptions {
 export type TransportTokenBucket = Map<string, Transporter>;
 export type TransportTypeBucket = Map<string, TransportTokenBucket>;
 export type TransportRegistryBucket = Map<TransportType, TransportTypeBucket>;
-export type TypedElicitResult<T extends ZodType> = {
-    action: ElicitResult['action'];
-    content: Infer<T>;
-};
 //# sourceMappingURL=transport.types.d.ts.map

package/transport/transport.types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"transport.types.d.ts","sourceRoot":"","sources":["../../src/transport/transport.types.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,0BAA0B,EAAE,MAAM,wBAAwB,CAAC;AACpE,OAAO,EAAE,YAAY,EAAE,MAAM,oCAAoC,CAAC;AAClE,OAAO,EAAE,OAAO,EAAE,MAAM,KAAK,CAAC;AAC9B,OAAO,EAAE,KAAK,EAAE,MAAM,oBAAoB,CAAC;AAC3C,OAAO,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AAE3C,MAAM,MAAM,aAAa,GAAG,KAAK,GAAG,iBAAiB,GAAG,MAAM,GAAG,gBAAgB,CAAC;AAElF,MAAM,WAAW,YAAY;IAC3B,IAAI,EAAE,aAAa,CAAC;IACpB,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,cAAc;IAC7B,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,YAAY;IAC3B,MAAM,IAAI,MAAM,CAAC;IAEjB,SAAS,CAAC,GAAG,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAE5C,MAAM,CAAC,GAAG,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAEzC,MAAM,CAAC,GAAG,EAAE,YAAY,GAAG,OAAO,CAAC,cAAc,GAAG,IAAI,CAAC,CAAC;IAE1D,YAAY,CACV,GAAG,EAAE,YAAY,EACjB,OAAO,EAAE;QACP,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,GAAG,CAAC,EAAE,MAAM,CAAC;QACb,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,GAAG,SAAS,CAAC,CAAC;KACzD,EACD,EAAE,EAAE;QACF,eAAe,CAAC,UAAU,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,IAAI,CAAC;QAC3E,eAAe,CAAC,KAAK,EAAE,UAAU,GAAG,MAAM,GAAG,IAAI,CAAC;QAClD,aAAa,CAAC,UAAU,CAAC,EAAE,UAAU,GAAG,MAAM,GAAG,IAAI,CAAC;QACtD,OAAO,CAAC,CAAC,GAAG,EAAE,KAAK,GAAG,MAAM,GAAG,IAAI,CAAC;KACrC,GACA,OAAO,CAAC,IAAI,CAAC,CAAC;IAEjB,aAAa,CAAC,GAAG,EAAE,YAAY,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CAClE;AAID,MAAM,WAAW,WAAW;IAC1B,QAAQ,CAAC,IAAI,EAAE,aAAa,CAAC;IAC7B,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAE3B,UAAU,CAAC,GAAG,EAAE,0BAA0B,EAAE,GAAG,EAAE,cAAc,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAEhF,aAAa,CAAC,GAAG,EAAE,0BAA0B,EAAE,GAAG,EAAE,cAAc,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAEnF,OAAO,CAAC,MAAM,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAExC,IAAI,CAAC,SAAS,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAE3C;;;;OAIG;IACH,iBAAiB,IAAI,IAAI,CAAC;CAC3B;AAED,MAAM,WAAW,wBAAwB;IACvC,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,GAAG,CAAC,EAAE,YAAY,CAAC;CACpB;AAED,MAAM,MAAM,oBAAoB,GAAG,GAAG,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;AAC5D,MAAM,MAAM,mBAAmB,GAAG,GAAG,CAAC,MAAM,EAAE,oBAAoB,CAAC,CAAC;AACpE,MAAM,MAAM,uBAAuB,GAAG,GAAG,CAAC,aAAa,EAAE,mBAAmB,CAAC,CAAC;AAE9E,MAAM,MAAM,iBAAiB,CAAC,CAAC,SAAS,OAAO,IAAI;IAAE,MAAM,EAAE,YAAY,CAAC,QAAQ,CAAC,CAAC;IAAC,OAAO,EAAE,KAAK,CAAC,CAAC,CAAC,CAAA;CAAE,CAAC"}
+{"version":3,"file":"transport.types.d.ts","sourceRoot":"","sources":["../../src/transport/transport.types.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,0BAA0B,EAAE,MAAM,wBAAwB,CAAC;AACpE,OAAO,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AAE3C,MAAM,MAAM,aAAa,GAAG,KAAK,GAAG,iBAAiB,GAAG,MAAM,GAAG,gBAAgB,GAAG,WAAW,GAAG,OAAO,CAAC;AAE1G,MAAM,WAAW,YAAY;IAC3B,IAAI,EAAE,aAAa,CAAC;IACpB,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,cAAc;IAC7B,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,YAAY;IAC3B,MAAM,IAAI,MAAM,CAAC;IAEjB,SAAS,CAAC,GAAG,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAE5C,MAAM,CAAC,GAAG,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAEzC,MAAM,CAAC,GAAG,EAAE,YAAY,GAAG,OAAO,CAAC,cAAc,GAAG,IAAI,CAAC,CAAC;IAE1D,YAAY,CACV,GAAG,EAAE,YAAY,EACjB,OAAO,EAAE;QACP,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,GAAG,CAAC,EAAE,MAAM,CAAC;QACb,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,GAAG,SAAS,CAAC,CAAC;KACzD,EACD,EAAE,EAAE;QACF,eAAe,CAAC,UAAU,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,IAAI,CAAC;QAC3E,eAAe,CAAC,KAAK,EAAE,UAAU,GAAG,MAAM,GAAG,IAAI,CAAC;QAClD,aAAa,CAAC,UAAU,CAAC,EAAE,UAAU,GAAG,MAAM,GAAG,IAAI,CAAC;QACtD,OAAO,CAAC,CAAC,GAAG,EAAE,KAAK,GAAG,MAAM,GAAG,IAAI,CAAC;KACrC,GACA,OAAO,CAAC,IAAI,CAAC,CAAC;IAEjB,aAAa,CAAC,GAAG,EAAE,YAAY,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CAClE;AAID,MAAM,WAAW,WAAW;IAC1B,QAAQ,CAAC,IAAI,EAAE,aAAa,CAAC;IAC7B,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAE3B,UAAU,CAAC,GAAG,EAAE,0BAA0B,EAAE,GAAG,EAAE,cAAc,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAEhF,aAAa,CAAC,GAAG,EAAE,0BAA0B,EAAE,GAAG,EAAE,cAAc,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAEnF,OAAO,CAAC,MAAM,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAExC,IAAI,CAAC,SAAS,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAE3C;;;;OAIG;IACH,iBAAiB,IAAI,IAAI,CAAC;CAC3B;AAED,MAAM,WAAW,wBAAwB;IACvC,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,GAAG,CAAC,EAAE,YAAY,CAAC;CACpB;AAED,MAAM,MAAM,oBAAoB,GAAG,GAAG,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;AAC5D,MAAM,MAAM,mBAAmB,GAAG,GAAG,CAAC,MAAM,EAAE,oBAAoB,CAAC,CAAC;AACpE,MAAM,MAAM,uBAAuB,GAAG,GAAG,CAAC,aAAa,EAAE,mBAAmB,CAAC,CAAC"}

package/auth/jwks/dev-key-persistence.d.ts

@@ -1,64 +0,0 @@
-import { JSONWebKeySet } from 'jose';
-/**
- * Data structure for persisted development keys
- */
-export interface DevKeyData {
-    /** Key ID (kid) */
-    kid: string;
-    /** Private key in JWK format (portable) */
-    privateKey: JsonWebKey;
-    /** Public JWKS for verification */
-    publicJwk: JSONWebKeySet;
-    /** Key creation timestamp (ms) */
-    createdAt: number;
-    /** Algorithm used */
-    alg: 'RS256' | 'ES256';
-}
-/**
- * Options for dev key persistence
- */
-export interface DevKeyPersistenceOptions {
-    /**
-     * Path to store dev keys
-     * @default '.frontmcp/dev-keys.json'
-     */
-    keyPath?: string;
-    /**
-     * Enable persistence in production (NOT RECOMMENDED)
-     * @default false
-     */
-    forceEnable?: boolean;
-}
-/**
- * Check if dev key persistence is enabled based on environment and options
- */
-export declare function isDevKeyPersistenceEnabled(options?: DevKeyPersistenceOptions): boolean;
-/**
- * Resolve the key file path
- */
-export declare function resolveKeyPath(options?: DevKeyPersistenceOptions): string;
-/**
- * Load persisted dev key from file
- *
- * @param options - Persistence options
- * @returns The loaded key data or null if not found/invalid
- */
-export declare function loadDevKey(options?: DevKeyPersistenceOptions): Promise<DevKeyData | null>;
-/**
- * Save dev key to file
- *
- * Uses atomic write (temp file + rename) to prevent corruption.
- * Sets file permissions to 0o600 (owner read/write only) for security.
- *
- * @param keyData - Key data to persist
- * @param options - Persistence options
- * @returns true if save succeeded, false otherwise
- */
-export declare function saveDevKey(keyData: DevKeyData, options?: DevKeyPersistenceOptions): Promise<boolean>;
-/**
- * Delete persisted dev key
- *
- * @param options - Persistence options
- */
-export declare function deleteDevKey(options?: DevKeyPersistenceOptions): Promise<void>;
-//# sourceMappingURL=dev-key-persistence.d.ts.map

package/auth/jwks/dev-key-persistence.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"dev-key-persistence.d.ts","sourceRoot":"","sources":["../../../src/auth/jwks/dev-key-persistence.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,aAAa,EAAE,MAAM,MAAM,CAAC;AAIrC;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,mBAAmB;IACnB,GAAG,EAAE,MAAM,CAAC;IACZ,2CAA2C;IAC3C,UAAU,EAAE,UAAU,CAAC;IACvB,mCAAmC;IACnC,SAAS,EAAE,aAAa,CAAC;IACzB,kCAAkC;IAClC,SAAS,EAAE,MAAM,CAAC;IAClB,qBAAqB;IACrB,GAAG,EAAE,OAAO,GAAG,OAAO,CAAC;CACxB;AAED;;GAEG;AACH,MAAM,WAAW,wBAAwB;IACvC;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB;;;OAGG;IACH,WAAW,CAAC,EAAE,OAAO,CAAC;CACvB;AA2GD;;GAEG;AACH,wBAAgB,0BAA0B,CAAC,OAAO,CAAC,EAAE,wBAAwB,GAAG,OAAO,CAUtF;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,OAAO,CAAC,EAAE,wBAAwB,GAAG,MAAM,CAUzE;AAED;;;;;GAKG;AACH,wBAAsB,UAAU,CAAC,OAAO,CAAC,EAAE,wBAAwB,GAAG,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC,CA6B/F;AAED;;;;;;;;;GASG;AACH,wBAAsB,UAAU,CAAC,OAAO,EAAE,UAAU,EAAE,OAAO,CAAC,EAAE,wBAAwB,GAAG,OAAO,CAAC,OAAO,CAAC,CAgC1G;AAED;;;;GAIG;AACH,wBAAsB,YAAY,CAAC,OAAO,CAAC,EAAE,wBAAwB,GAAG,OAAO,CAAC,IAAI,CAAC,CAWpF"}

package/auth/jwks/index.d.ts

@@ -1,4 +0,0 @@
-export * from './jwks.service';
-export * from './jwks.types';
-export * from './dev-key-persistence';
-//# sourceMappingURL=index.d.ts.map

package/auth/jwks/index.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/auth/jwks/index.ts"],"names":[],"mappings":"AAAA,cAAc,gBAAgB,CAAC;AAC/B,cAAc,cAAc,CAAC;AAC7B,cAAc,uBAAuB,CAAC"}

package/auth/jwks/jwks.service.d.ts

@@ -1,58 +0,0 @@
-import { JSONWebKeySet } from 'jose';
-import { JwksServiceOptions, ProviderVerifyRef, VerifyResult } from './jwks.types';
-export declare class JwksService {
-    private readonly opts;
-    private warnedProviders;
-    private orchestratorKey;
-    private providerJwks;
-    private keyInitialized;
-    private keyInitPromise;
-    constructor(opts?: JwksServiceOptions);
-    /** Gateway's public JWKS (publish at /.well-known/jwks.json when orchestrated). */
-    getPublicJwks(): Promise<JSONWebKeySet>;
-    /** Verify a token issued by the gateway itself (orchestrated mode). */
-    verifyGatewayToken(token: string, expectedIssuer: string): Promise<VerifyResult>;
-    /**
-     * Verify a token against candidate transparent providers.
-     * Ensures JWKS are available (cached/TTL/AS discovery) per provider.
-     */
-    verifyTransparentToken(token: string, candidates: ProviderVerifyRef[]): Promise<VerifyResult>;
-    /**
-     * Check if the error is due to weak RSA key (< 2048 bits)
-     */
-    private isWeakKeyError;
-    /**
-     * Fallback verification for providers using RSA keys smaller than 2048 bits.
-     * Logs a security warning but allows verification to proceed.
-     */
-    private verifyWithWeakKey;
-    /**
-     * Find a matching key from JWKS based on token header
-     */
-    private findMatchingKey;
-    /** Directly set provider JWKS (e.g., inline keys from config). */
-    setProviderJwks(providerId: string, jwks: JSONWebKeySet): void;
-    /**
-     * Ensure JWKS for a provider:
-     *   1) inline jwks (if provided) → cache & return
-     *   2) cached & fresh (TTL)      → return
-     *   3) explicit jwksUri          → fetch, cache, return
-     *   4) discover jwks_uri via AS  → fetch AS metadata, then jwks_uri, cache, return
-     */
-    getJwksForProvider(ref: ProviderVerifyRef): Promise<JSONWebKeySet | undefined>;
-    /** Return the orchestrator public JWKS (generates/rotates as needed). */
-    getOrchestratorJwks(): Promise<JSONWebKeySet>;
-    /** Return private signing key + kid for issuing orchestrator tokens. */
-    getOrchestratorSigningKey(): Promise<{
-        kid: string;
-        key: import('node:crypto').KeyObject;
-        alg: string;
-    }>;
-    private tryFetchJwks;
-    private tryFetchAsMeta;
-    private fetchJson;
-    private ensureOrchestratorKey;
-    private initializeOrchestratorKey;
-    private generateKey;
-}
-//# sourceMappingURL=jwks.service.d.ts.map

package/auth/jwks/jwks.service.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"jwks.service.d.ts","sourceRoot":"","sources":["../../../src/auth/jwks/jwks.service.ts"],"names":[],"mappings":"AACA,OAAO,EAAuD,aAAa,EAAO,MAAM,MAAM,CAAC;AAE/F,OAAO,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAYnF,qBAAa,WAAW;IACtB,OAAO,CAAC,QAAQ,CAAC,IAAI,CAEnB;IAEF,OAAO,CAAC,eAAe,CAAqB;IAG5C,OAAO,CAAC,eAAe,CAKrB;IAGF,OAAO,CAAC,YAAY,CAAiE;IAGrF,OAAO,CAAC,cAAc,CAAS;IAE/B,OAAO,CAAC,cAAc,CAA4B;gBAEtC,IAAI,CAAC,EAAE,kBAAkB;IAcrC,mFAAmF;IAC7E,aAAa,IAAI,OAAO,CAAC,aAAa,CAAC;IAQ7C,uEAAuE;IACjE,kBAAkB,CAAC,KAAK,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC;IAqCtF;;;OAGG;IACG,sBAAsB,CAAC,KAAK,EAAE,MAAM,EAAE,UAAU,EAAE,iBAAiB,EAAE,GAAG,OAAO,CAAC,YAAY,CAAC;IAqDnG;;OAEG;IACH,OAAO,CAAC,cAAc;IAatB;;;OAGG;YACW,iBAAiB;IA2E/B;;OAEG;IACH,OAAO,CAAC,eAAe;IAqBvB,kEAAkE;IAClE,eAAe,CAAC,UAAU,EAAE,MAAM,EAAE,IAAI,EAAE,aAAa;IAIvD;;;;;;OAMG;IACG,kBAAkB,CAAC,GAAG,EAAE,iBAAiB,GAAG,OAAO,CAAC,aAAa,GAAG,SAAS,CAAC;IAmCpF,yEAAyE;IACnE,mBAAmB,IAAI,OAAO,CAAC,aAAa,CAAC;IAKnD,wEAAwE;IAClE,yBAAyB,IAAI,OAAO,CAAC;QAAE,GAAG,EAAE,MAAM,CAAC;QAAC,GAAG,EAAE,OAAO,aAAa,EAAE,SAAS,CAAC;QAAC,GAAG,EAAE,MAAM,CAAA;KAAE,CAAC;YAShG,YAAY;YAaZ,cAAc;YAQd,SAAS;YAgBT,qBAAqB;YAyBrB,yBAAyB;IAuDvC,OAAO,CAAC,WAAW;CAiBpB"}

package/auth/jwks/jwks.types.d.ts

@@ -1,33 +0,0 @@
-import { JSONWebKeySet } from 'jose';
-import { DevKeyPersistenceOptions } from './dev-key-persistence';
-export type JwksServiceOptions = {
-    orchestratorAlg?: 'RS256' | 'ES256';
-    rotateDays?: number;
-    /** TTL (ms) for cached provider JWKS before attempting refresh. Default: 6h */
-    providerJwksTtlMs?: number;
-    /** Timeout (ms) for network metadata/JWKS fetches. Default: 5s */
-    networkTimeoutMs?: number;
-    /**
-     * Options for dev key persistence (development mode only by default).
-     * When enabled, keys are saved to a file and reloaded on server restart.
-     */
-    devKeyPersistence?: DevKeyPersistenceOptions;
-};
-export type { DevKeyPersistenceOptions };
-/** Rich descriptor used by verification & fetching */
-export type ProviderVerifyRef = {
-    id: string;
-    issuerUrl: string;
-    jwksUri?: string;
-    jwks?: JSONWebKeySet;
-};
-export type VerifyResult = {
-    ok: boolean;
-    issuer?: string;
-    sub?: string;
-    providerId?: string;
-    header?: any;
-    payload?: any;
-    error?: string;
-};
-//# sourceMappingURL=jwks.types.d.ts.map

package/auth/jwks/jwks.types.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"jwks.types.d.ts","sourceRoot":"","sources":["../../../src/auth/jwks/jwks.types.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,MAAM,CAAC;AACrC,OAAO,EAAE,wBAAwB,EAAE,MAAM,uBAAuB,CAAC;AAEjE,MAAM,MAAM,kBAAkB,GAAG;IAC/B,eAAe,CAAC,EAAE,OAAO,GAAG,OAAO,CAAC;IACpC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,+EAA+E;IAC/E,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,kEAAkE;IAClE,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B;;;OAGG;IACH,iBAAiB,CAAC,EAAE,wBAAwB,CAAC;CAC9C,CAAC;AAEF,YAAY,EAAE,wBAAwB,EAAE,CAAC;AAEzC,sDAAsD;AACtD,MAAM,MAAM,iBAAiB,GAAG;IAC9B,EAAE,EAAE,MAAM,CAAC;IACX,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,IAAI,CAAC,EAAE,aAAa,CAAC;CACtB,CAAC;AAEF,MAAM,MAAM,YAAY,GAAG;IACzB,EAAE,EAAE,OAAO,CAAC;IACZ,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,MAAM,CAAC,EAAE,GAAG,CAAC;IACb,OAAO,CAAC,EAAE,GAAG,CAAC;IACd,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,CAAC"}

package/auth/jwks/jwks.utils.d.ts

@@ -1,5 +0,0 @@
-export declare function trimSlash(s: string): string;
-export declare function normalizeIssuer(u?: string): string;
-/** Safe, no-verify JWT payload decode (returns undefined on error). */
-export declare function decodeJwtPayloadSafe(token?: string): Record<string, unknown> | undefined;
-//# sourceMappingURL=jwks.utils.d.ts.map

package/auth/jwks/jwks.utils.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"jwks.utils.d.ts","sourceRoot":"","sources":["../../../src/auth/jwks/jwks.utils.ts"],"names":[],"mappings":"AAAA,wBAAgB,SAAS,CAAC,CAAC,EAAE,MAAM,UAElC;AACD,wBAAgB,eAAe,CAAC,CAAC,CAAC,EAAE,MAAM,UAEzC;AAED,uEAAuE;AACvE,wBAAgB,oBAAoB,CAAC,KAAK,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,SAAS,CAgBxF"}

package/auth/oauth/flows/oauth.authorize.flow.d.ts

@@ -1,32 +0,0 @@
-export {};
-/**
- * Authorization Endpoint — GET /oauth/authorize
- *
- * Who calls: Browser via the Client (RP).
- *
- * When: Start of the flow.
- *
- * Purpose: Authenticate the user and obtain consent; returns an authorization code to the client’s redirect URI.
- *
- * Notes: Must support PKCE. Implicit/Hybrid are out in OAuth 2.1.
- */
-/**
- * Typical parameter shapes
- *
- * /oauth/authorize (GET)
- *
- * response_type=code, client_id, redirect_uri, scope, state, code_challenge, code_challenge_method=S256, (optionally request_uri from PAR)
- */
-/**
- * Quick checklist (security & correctness)
- * - PKCE (S256) required for public clients (and basically for all).
- * - Use authorization code grant only (no implicit/hybrid).
- * - Rotate refresh tokens and bind them to client + user + scopes.
- * - Prefer private_key_jwt or mTLS for confidential clients.
- * - PAR + JAR recommended for higher security.
- * - Consider DPoP (proof-of-possession) to reduce token replay.
- * - Keep codes very short-lived (e.g., ≤60 s) and single-use.
- * - Publish discovery and JWKS, rotate keys safely.
- * - Decide JWT vs opaque access tokens; provide introspection if opaque.
- */
-//# sourceMappingURL=oauth.authorize.flow.d.ts.map

package/auth/oauth/flows/oauth.authorize.flow.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"oauth.authorize.flow.d.ts","sourceRoot":"","sources":["../../../../src/auth/oauth/flows/oauth.authorize.flow.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;GAUG;AACH;;;;;;GAMG;AACH;;;;;;;;;;;GAWG"}

package/auth/oauth/flows/oauth.device-authorization.flow.d.ts

@@ -1,47 +0,0 @@
-/**
- * Device Authorization — POST /oauth/device_authorization
- *
- * Who calls: Device/TV app.
- *
- * Purpose: Start the device flow (user completes authorization on a second screen).
- */
-export {};
-/**
- * Quick checklist (security & correctness)
- * - PKCE (S256) required for public clients (and basically for all).
- * - Use authorization code grant only (no implicit/hybrid).
- * - Rotate refresh tokens and bind them to client + user + scopes.
- * - Prefer private_key_jwt or mTLS for confidential clients.
- * - PAR + JAR recommended for higher security.
- * - Consider DPoP (proof-of-possession) to reduce token replay.
- * - Keep codes very short-lived (e.g., ≤60 s) and single-use.
- * - Publish discovery and JWKS, rotate keys safely.
- * - Decide JWT vs opaque access tokens; provide introspection if opaque.
- */
-/**
- *
- * OAuth 2.0 Device Authorization Grant (“device code flow”)
- * Who does what (at a glance)
- *
- * Device/TV/CLI (no browser)
- * Calls POST /oauth/device_authorization, shows the user a code + URL, and polls POST /oauth/token.
- *
- * User (on phone/laptop browser)
- * Visits the given verification_uri and authenticates using your normal OAuth login (whatever you already have). No new UI required beyond two tiny endpoints.
- *
- * Auth Server (you)
- * Stores the device transaction and, after the user authenticates, marks it as approved so the device’s /oauth/token polling succeeds.
- *
- * Endpoints you need (only two “new” ones)
- *
- * POST /oauth/device_authorization ✅ (device calls)
- *
- * POST /oauth/token with grant urn:ietf:params:oauth:grant-type:device_code ✅ (device polls)
- *
- * GET /activate ➜ “UI handler” (user lands here from verification_uri — this just redirects into your existing /oauth/authorize)
- *
- * GET /activate/callback ➜ “UI handler” (your existing flow returns here after the user logs in; you flip the device record to approved and show a basic “All set” page)
- *
- * That’s it. No pages with complex consent screens are required; reuse your normal /oauth/authorize
- */
-//# sourceMappingURL=oauth.device-authorization.flow.d.ts.map

package/auth/oauth/flows/oauth.device-authorization.flow.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"oauth.device-authorization.flow.d.ts","sourceRoot":"","sources":["../../../../src/auth/oauth/flows/oauth.device-authorization.flow.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;;AAEH;;;;;;;;;;;GAWG;AAEH;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG"}

package/auth/oauth/flows/oauth.introspect.flow.d.ts

@@ -1,27 +0,0 @@
-/**
- * Token Introspection — POST /oauth/introspect
- *
- * Who calls: Resource servers (API gateways).
- *
- * Purpose: Check if a token is active and fetch metadata (subject, scopes, expiry)
- * when you use opaque tokens or want server-side validation (RFC 7662).
- */
-export {};
-/**
- * Typical parameter shapes
- *
- * /oauth/introspect (POST): token, optional token_type_hint
- */
-/**
- * Quick checklist (security & correctness)
- * - PKCE (S256) required for public clients (and basically for all).
- * - Use authorization code grant only (no implicit/hybrid).
- * - Rotate refresh tokens and bind them to client + user + scopes.
- * - Prefer private_key_jwt or mTLS for confidential clients.
- * - PAR + JAR recommended for higher security.
- * - Consider DPoP (proof-of-possession) to reduce token replay.
- * - Keep codes very short-lived (e.g., ≤60 s) and single-use.
- * - Publish discovery and JWKS, rotate keys safely.
- * - Decide JWT vs opaque access tokens; provide introspection if opaque.
- */
-//# sourceMappingURL=oauth.introspect.flow.d.ts.map

package/auth/oauth/flows/oauth.introspect.flow.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"oauth.introspect.flow.d.ts","sourceRoot":"","sources":["../../../../src/auth/oauth/flows/oauth.introspect.flow.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;;AAEH;;;;GAIG;AACH;;;;;;;;;;;GAWG"}

package/auth/oauth/flows/oauth.par.flow.d.ts

@@ -1,28 +0,0 @@
-export {};
-/**
- * Pushed Authorization Requests (PAR) — POST /oauth/par
- *
- * Who calls: Client (before sending user to /authorize).
- *
- * Purpose: Client uploads the full authorization request; you return a request_uri the client forwards to /authorize.
- *
- * Why: Prevents parameter tampering and URL-length issues; recommended for high-security setups and with DPoP/JAR.
- */
-/**
- * Typical parameter shapes
-
- * /oauth/par (POST): same authz params as /authorize (client-authenticated), returns { request_uri, expires_in }
- */
-/**
- * Quick checklist (security & correctness)
- * - PKCE (S256) required for public clients (and basically for all).
- * - Use authorization code grant only (no implicit/hybrid).
- * - Rotate refresh tokens and bind them to client + user + scopes.
- * - Prefer private_key_jwt or mTLS for confidential clients.
- * - PAR + JAR recommended for higher security.
- * - Consider DPoP (proof-of-possession) to reduce token replay.
- * - Keep codes very short-lived (e.g., ≤60 s) and single-use.
- * - Publish discovery and JWKS, rotate keys safely.
- * - Decide JWT vs opaque access tokens; provide introspection if opaque.
- */
-//# sourceMappingURL=oauth.par.flow.d.ts.map

package/auth/oauth/flows/oauth.par.flow.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"oauth.par.flow.d.ts","sourceRoot":"","sources":["../../../../src/auth/oauth/flows/oauth.par.flow.ts"],"names":[],"mappings":";AAAA;;;;;;;;GAQG;AACH;;;;GAIG;AACH;;;;;;;;;;;GAWG"}

package/auth/oauth/flows/oauth.revoke.flow.d.ts

@@ -1,26 +0,0 @@
-export {};
-/**
- * Token Revocation — POST /oauth/revoke
- *
- * Who calls: Client.
- *
- * Purpose: Invalidate an access or refresh token early (RFC 7009).
- */
-/**
- * Typical parameter shapes
- *
- * /oauth/revoke (POST): token, token_type_hint=access_token|refresh_token
- */
-/**
- * Quick checklist (security & correctness)
- * - PKCE (S256) required for public clients (and basically for all).
- * - Use authorization code grant only (no implicit/hybrid).
- * - Rotate refresh tokens and bind them to client + user + scopes.
- * - Prefer private_key_jwt or mTLS for confidential clients.
- * - PAR + JAR recommended for higher security.
- * - Consider DPoP (proof-of-possession) to reduce token replay.
- * - Keep codes very short-lived (e.g., ≤60 s) and single-use.
- * - Publish discovery and JWKS, rotate keys safely.
- * - Decide JWT vs opaque access tokens; provide introspection if opaque.
- */
-//# sourceMappingURL=oauth.revoke.flow.d.ts.map

package/auth/oauth/flows/oauth.revoke.flow.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"oauth.revoke.flow.d.ts","sourceRoot":"","sources":["../../../../src/auth/oauth/flows/oauth.revoke.flow.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;AACH;;;;GAIG;AACH;;;;;;;;;;;GAWG"}

package/auth/oauth/flows/oauth.token.flow.d.ts

@@ -1,58 +0,0 @@
-/**
- * Token Endpoint — POST /oauth/token
- *
- * Who calls: Client (server-to-server).
- *
- * When: After getting the code (or for refresh).
- *
- * Purpose: Exchange authorization code + PKCE verifier for access token (and optional refresh token), or refresh an access token.
- */
-/**
- * Typical parameter shapes
- *
- * /oauth/token (POST, application/x-www-form-urlencoded)
- *
- * For code exchange: grant_type=authorization_code, code, redirect_uri, client_id (and auth), code_verifier
- *
- * For refresh: grant_type=refresh_token, refresh_token, client_id (and auth)
- */
-/**
- * Quick checklist (security & correctness)
- * - PKCE (S256) required for public clients (and basically for all).
- * - Use authorization code grant only (no implicit/hybrid).
- * - Rotate refresh tokens and bind them to client + user + scopes.
- * - Prefer private_key_jwt or mTLS for confidential clients.
- * - PAR + JAR recommended for higher security.
- * - Consider DPoP (proof-of-possession) to reduce token replay.
- * - Keep codes very short-lived (e.g., ≤60 s) and single-use.
- * - Publish discovery and JWKS, rotate keys safely.
- * - Decide JWT vs opaque access tokens; provide introspection if opaque.
- */
-export {};
-/**
- *
- * OAuth 2.0 Device Authorization Grant (“device code flow”)
- * Who does what (at a glance)
- *
- * Device/TV/CLI (no browser)
- * Calls POST /oauth/device_authorization, shows the user a code + URL, and polls POST /oauth/token.
- *
- * User (on phone/laptop browser)
- * Visits the given verification_uri and authenticates using your normal OAuth login (whatever you already have). No new UI required beyond two tiny endpoints.
- *
- * Auth Server (you)
- * Stores the device transaction and, after the user authenticates, marks it as approved so the device’s /oauth/token polling succeeds.
- *
- * Endpoints you need (only two “new” ones)
- *
- * POST /oauth/device_authorization ✅ (device calls)
- *
- * POST /oauth/token with grant urn:ietf:params:oauth:grant-type:device_code ✅ (device polls)
- *
- * GET /activate ➜ “UI handler” (user lands here from verification_uri — this just redirects into your existing /oauth/authorize)
- *
- * GET /activate/callback ➜ “UI handler” (your existing flow returns here after the user logs in; you flip the device record to approved and show a basic “All set” page)
- *
- * That’s it. No pages with complex consent screens are required; reuse your normal /oauth/authorize
- */
-//# sourceMappingURL=oauth.token.flow.d.ts.map

package/auth/oauth/flows/oauth.token.flow.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"oauth.token.flow.d.ts","sourceRoot":"","sources":["../../../../src/auth/oauth/flows/oauth.token.flow.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AACH;;;;;;;;GAQG;AACH;;;;;;;;;;;GAWG;;AAEH;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG"}

package/auth/oauth/flows/oauth.userinfo.flow.d.ts

@@ -1,23 +0,0 @@
-export {};
-/**
- * UserInfo (OIDC) — GET/POST /oauth/userinfo (Only if you add OpenID Connect)
- *
- * Who calls: Client with access token.
- *
- * Purpose: Return standard user claims.
- *
- * Note: Requires the openid scope; if you do OIDC, also expose /.well-known/openid-configuration (separate from OAuth discovery).
- */
-/**
- * Quick checklist (security & correctness)
- * - PKCE (S256) required for public clients (and basically for all).
- * - Use authorization code grant only (no implicit/hybrid).
- * - Rotate refresh tokens and bind them to client + user + scopes.
- * - Prefer private_key_jwt or mTLS for confidential clients.
- * - PAR + JAR recommended for higher security.
- * - Consider DPoP (proof-of-possession) to reduce token replay.
- * - Keep codes very short-lived (e.g., ≤60 s) and single-use.
- * - Publish discovery and JWKS, rotate keys safely.
- * - Decide JWT vs opaque access tokens; provide introspection if opaque.
- */
-//# sourceMappingURL=oauth.userinfo.flow.d.ts.map

package/auth/oauth/flows/oauth.userinfo.flow.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"oauth.userinfo.flow.d.ts","sourceRoot":"","sources":["../../../../src/auth/oauth/flows/oauth.userinfo.flow.ts"],"names":[],"mappings":";AAAA;;;;;;;;GAQG;AACH;;;;;;;;;;;GAWG"}

package/auth/oauth/flows/oidc.logout.flow.d.ts

@@ -1,19 +0,0 @@
-export {};
-/**
- * Session/Logout (OIDC) — e.g., GET /oidc/logout (front-/back-channel variants)
- *
- * Purpose: Coordinate RP logout if you support OIDC logout.
- */
-/**
- * Quick checklist (security & correctness)
- * - PKCE (S256) required for public clients (and basically for all).
- * - Use authorization code grant only (no implicit/hybrid).
- * - Rotate refresh tokens and bind them to client + user + scopes.
- * - Prefer private_key_jwt or mTLS for confidential clients.
- * - PAR + JAR recommended for higher security.
- * - Consider DPoP (proof-of-possession) to reduce token replay.
- * - Keep codes very short-lived (e.g., ≤60 s) and single-use.
- * - Publish discovery and JWKS, rotate keys safely.
- * - Decide JWT vs opaque access tokens; provide introspection if opaque.
- */
-//# sourceMappingURL=oidc.logout.flow.d.ts.map

package/auth/oauth/flows/oidc.logout.flow.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"oidc.logout.flow.d.ts","sourceRoot":"","sources":["../../../../src/auth/oauth/flows/oidc.logout.flow.ts"],"names":[],"mappings":";AAAA;;;;GAIG;AACH;;;;;;;;;;;GAWG"}