@frontmcp/sdk 0.9.0 → 0.11.0

package/auth/authorization/orchestrated.authorization.d.ts

@@ -1,258 +0,0 @@
-import { AuthorizationBase } from './authorization.class';
-import { AuthorizationCreateCtx, AuthUser } from './authorization.types';
-import { EncryptedBlob } from '../session';
-import { AuthMode } from '../../common';
-/**
- * Token store interface for orchestrated mode
- * Implementations can be memory-based, Redis, or custom stores
- */
-export interface TokenStore {
-    /**
-     * Retrieve decrypted access token for a provider
-     */
-    getAccessToken(authorizationId: string, providerId: string): Promise<string | null>;
-    /**
-     * Retrieve decrypted refresh token for a provider
-     */
-    getRefreshToken(authorizationId: string, providerId: string): Promise<string | null>;
-    /**
-     * Store tokens for a provider (encrypted)
-     */
-    storeTokens(authorizationId: string, providerId: string, tokens: {
-        accessToken: string;
-        refreshToken?: string;
-        expiresAt?: number;
-    }): Promise<void>;
-    /**
-     * Delete tokens for a provider
-     */
-    deleteTokens(authorizationId: string, providerId: string): Promise<void>;
-    /**
-     * Check if tokens exist for a provider
-     */
-    hasTokens(authorizationId: string, providerId: string): Promise<boolean>;
-    /**
-     * Get all provider IDs that have tokens stored for this authorization.
-     */
-    getProviderIds(authorizationId: string): Promise<string[]>;
-    /**
-     * Migrate tokens from one authorization ID to another.
-     * Used when tokens are stored with a pending ID during federated auth
-     * and need to be accessible under the real authorization ID.
-     *
-     * @param fromAuthId - Source authorization ID (e.g., "pending:abc123")
-     * @param toAuthId - Target authorization ID (e.g., "def456")
-     */
-    migrateTokens(fromAuthId: string, toAuthId: string): Promise<void>;
-}
-/**
- * Token refresh callback type
- */
-export type TokenRefreshCallback = (providerId: string, refreshToken: string) => Promise<{
-    accessToken: string;
-    refreshToken?: string;
-    expiresIn?: number;
-}>;
-/**
- * Provider token state for orchestrated authorization
- */
-export interface OrchestratedProviderState {
-    /** Provider ID */
-    id: string;
-    /** Encrypted access token blob */
-    accessTokenEnc?: EncryptedBlob;
-    /** Encrypted refresh token blob */
-    refreshTokenEnc?: EncryptedBlob;
-    /** Token expiration (epoch ms) */
-    expiresAt?: number;
-    /** External reference ID (for vault/store) */
-    secretRefId?: string;
-    /** Refresh reference ID */
-    refreshRefId?: string;
-}
-/**
- * Context for creating an OrchestratedAuthorization
- */
-export interface OrchestratedAuthorizationCreateCtx {
-    /**
-     * The local JWT issued by the orchestrating server
-     */
-    token: string;
-    /**
-     * User identity from upstream provider
-     */
-    user: AuthUser;
-    /**
-     * Scopes granted to this authorization
-     */
-    scopes?: string[];
-    /**
-     * JWT claims
-     */
-    claims?: Record<string, unknown>;
-    /**
-     * Expiration (epoch ms)
-     */
-    expiresAt?: number;
-    /**
-     * Primary provider ID (default for getToken)
-     */
-    primaryProviderId?: string;
-    /**
-     * Token store for retrieving/storing provider tokens
-     */
-    tokenStore?: TokenStore;
-    /**
-     * Token refresh callback
-     */
-    onTokenRefresh?: TokenRefreshCallback;
-    /**
-     * Provider states (with encrypted tokens)
-     */
-    providers?: Record<string, OrchestratedProviderState>;
-    /**
-     * Precomputed authorization projections
-     */
-    authorizedTools?: AuthorizationCreateCtx['authorizedTools'];
-    authorizedToolIds?: string[];
-    authorizedPrompts?: AuthorizationCreateCtx['authorizedPrompts'];
-    authorizedPromptIds?: string[];
-    authorizedApps?: AuthorizationCreateCtx['authorizedApps'];
-    authorizedAppIds?: string[];
-    authorizedResources?: string[];
-    /**
-     * Provider IDs that the user has explicitly authorized during federated login.
-     * Populated from JWT claims (`federated.selectedProviders`) or token store.
-     * Controls which providers the authorization has access to for progressive auth.
-     */
-    authorizedProviderIds?: string[];
-}
-/**
- * OrchestratedAuthorization - Local auth server with secure token storage
- *
- * In orchestrated mode:
- * - The MCP server acts as an OAuth client to upstream providers
- * - Provider tokens are encrypted and never exposed to the LLM
- * - Supports token refresh and multi-provider scenarios
- * - getToken() retrieves decrypted tokens from secure storage
- * - Ideal for multi-tenant, federated auth, or high-security scenarios
- */
-export declare class OrchestratedAuthorization extends AuthorizationBase {
-    #private;
-    readonly mode: AuthMode;
-    /**
-     * Primary provider ID (default for getToken)
-     */
-    readonly primaryProviderId?: string;
-    private constructor();
-    /**
-     * Create an OrchestratedAuthorization
-     *
-     * @param ctx - Creation context
-     * @returns A new OrchestratedAuthorization instance
-     *
-     * @example
-     * ```typescript
-     * const auth = OrchestratedAuthorization.create({
-     *   token: localJwt,
-     *   user: { sub: 'user123', name: 'John' },
-     *   primaryProviderId: 'github',
-     *   tokenStore: redisTokenStore,
-     *   providers: {
-     *     github: { id: 'github', secretRefId: 'vault:github:user123' },
-     *   },
-     * });
-     *
-     * // Retrieve token securely (never exposed to LLM)
-     * const githubToken = await auth.getToken('github');
-     * ```
-     */
-    static create(ctx: OrchestratedAuthorizationCreateCtx): OrchestratedAuthorization;
-    /**
-     * Get access token for a provider
-     *
-     * Retrieves the decrypted token from the secure store.
-     * If the token is expired and refresh is available, attempts refresh.
-     *
-     * @param providerId - Provider ID (defaults to primaryProviderId)
-     * @returns The decrypted access token
-     * @throws If no token store or no token available
-     */
-    getToken(providerId?: string): Promise<string>;
-    /**
-     * Refresh token and return new access token
-     */
-    private refreshAndGetToken;
-    /**
-     * Check if a provider has tokens stored
-     */
-    hasProvider(providerId: string): boolean;
-    /**
-     * Get all provider IDs with tokens
-     */
-    getProviderIds(): string[];
-    /**
-     * Add a new provider to this authorization
-     * Used when user authorizes additional providers after initial auth
-     */
-    addProvider(providerId: string, tokens: {
-        accessToken: string;
-        refreshToken?: string;
-        expiresIn?: number;
-    }): Promise<void>;
-    /**
-     * Add app authorization after initial auth (progressive authorization).
-     * Stores app tokens server-side and updates authorized apps without JWT reissue.
-     *
-     * @param appId - App ID to authorize
-     * @param toolIds - Tool IDs accessible through this app authorization
-     * @param tokens - OAuth tokens from the app's auth provider
-     *
-     * @example
-     * ```typescript
-     * // User clicks auth link for Slack app
-     * await auth.addAppAuthorization('slack', ['slack:send_message', 'slack:list_channels'], {
-     *   accessToken: slackAccessToken,
-     *   refreshToken: slackRefreshToken,
-     *   expiresIn: 3600,
-     * });
-     *
-     * // Now slack tools will work without re-auth
-     * ```
-     */
-    addAppAuthorization(appId: string, toolIds: string[], tokens: {
-        accessToken: string;
-        refreshToken?: string;
-        expiresIn?: number;
-    }): Promise<void>;
-    /**
-     * Get access token for a specific app (for tool execution).
-     * Retrieves the app's OAuth token from server-side storage.
-     *
-     * @param appId - App ID to get token for
-     * @returns The decrypted access token, or null if not authorized
-     */
-    getAppToken(appId: string): Promise<string | null>;
-    /**
-     * Check if an app is authorized (includes progressively authorized apps).
-     * Overrides base class to include mutable app authorization state.
-     */
-    isAppAuthorized(appId: string): boolean;
-    /**
-     * Get all authorized app IDs (includes progressively authorized apps).
-     */
-    getAllAuthorizedAppIds(): string[];
-    /**
-     * Get tool IDs authorized through an app.
-     */
-    getAppToolIds(appId: string): string[] | undefined;
-    /**
-     * Remove a provider from this authorization
-     */
-    removeProvider(providerId: string): Promise<void>;
-    /**
-     * Get the issuer (local orchestrator)
-     */
-    get issuer(): string | undefined;
-}
-//# sourceMappingURL=orchestrated.authorization.d.ts.map

package/auth/authorization/orchestrated.authorization.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"orchestrated.authorization.d.ts","sourceRoot":"","sources":["../../../src/auth/authorization/orchestrated.authorization.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAC1D,OAAO,EAAE,sBAAsB,EAAE,QAAQ,EAAE,MAAM,uBAAuB,CAAC;AAEzE,OAAO,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAC3C,OAAO,EAAE,QAAQ,EAAE,MAAM,cAAc,CAAC;AAGxC;;;GAGG;AACH,MAAM,WAAW,UAAU;IACzB;;OAEG;IACH,cAAc,CAAC,eAAe,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IAEpF;;OAEG;IACH,eAAe,CAAC,eAAe,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IAErF;;OAEG;IACH,WAAW,CACT,eAAe,EAAE,MAAM,EACvB,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE;QACN,WAAW,EAAE,MAAM,CAAC;QACpB,YAAY,CAAC,EAAE,MAAM,CAAC;QACtB,SAAS,CAAC,EAAE,MAAM,CAAC;KACpB,GACA,OAAO,CAAC,IAAI,CAAC,CAAC;IAEjB;;OAEG;IACH,YAAY,CAAC,eAAe,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAEzE;;OAEG;IACH,SAAS,CAAC,eAAe,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAEzE;;OAEG;IACH,cAAc,CAAC,eAAe,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;IAE3D;;;;;;;OAOG;IACH,aAAa,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CACpE;AAED;;GAEG;AACH,MAAM,MAAM,oBAAoB,GAAG,CACjC,UAAU,EAAE,MAAM,EAClB,YAAY,EAAE,MAAM,KACjB,OAAO,CAAC;IACX,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,CAAC,CAAC;AAEH;;GAEG;AACH,MAAM,WAAW,yBAAyB;IACxC,kBAAkB;IAClB,EAAE,EAAE,MAAM,CAAC;IACX,kCAAkC;IAClC,cAAc,CAAC,EAAE,aAAa,CAAC;IAC/B,mCAAmC;IACnC,eAAe,CAAC,EAAE,aAAa,CAAC;IAChC,kCAAkC;IAClC,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,8CAA8C;IAC9C,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,2BAA2B;IAC3B,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED;;GAEG;AACH,MAAM,WAAW,kCAAkC;IACjD;;OAEG;IACH,KAAK,EAAE,MAAM,CAAC;IAEd;;OAEG;IACH,IAAI,EAAE,QAAQ,CAAC;IAEf;;OAEG;IACH,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAElB;;OAEG;IACH,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAEjC;;OAEG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB;;OAEG;IACH,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAE3B;;OAEG;IACH,UAAU,CAAC,EAAE,UAAU,CAAC;IAExB;;OAEG;IACH,cAAc,CAAC,EAAE,oBAAoB,CAAC;IAEtC;;OAEG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,yBAAyB,CAAC,CAAC;IAEtD;;OAEG;IACH,eAAe,CAAC,EAAE,sBAAsB,CAAC,iBAAiB,CAAC,CAAC;IAC5D,iBAAiB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC7B,iBAAiB,CAAC,EAAE,sBAAsB,CAAC,mBAAmB,CAAC,CAAC;IAChE,mBAAmB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC/B,cAAc,CAAC,EAAE,sBAAsB,CAAC,gBAAgB,CAAC,CAAC;IAC1D,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC5B,mBAAmB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC/B;;;;OAIG;IACH,qBAAqB,CAAC,EAAE,MAAM,EAAE,CAAC;CAClC;AAED;;;;;;;;;GASG;AACH,qBAAa,yBAA0B,SAAQ,iBAAiB;;IAC9D,QAAQ,CAAC,IAAI,EAAE,QAAQ,CAAkB;IAEzC;;OAEG;IACH,QAAQ,CAAC,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAiBpC,OAAO;IAeP;;;;;;;;;;;;;;;;;;;;;OAqBG;IACH,MAAM,CAAC,MAAM,CAAC,GAAG,EAAE,kCAAkC,GAAG,yBAAyB;IA2DjF;;;;;;;;;OASG;IACG,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAoCpD;;OAEG;YACW,kBAAkB;IA+BhC;;OAEG;IACH,WAAW,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO;IAIxC;;OAEG;IACH,cAAc,IAAI,MAAM,EAAE;IAI1B;;;OAGG;IACG,WAAW,CACf,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE;QACN,WAAW,EAAE,MAAM,CAAC;QACpB,YAAY,CAAC,EAAE,MAAM,CAAC;QACtB,SAAS,CAAC,EAAE,MAAM,CAAC;KACpB,GACA,OAAO,CAAC,IAAI,CAAC;IAqChB;;;;;;;;;;;;;;;;;;;OAmBG;IACG,mBAAmB,CACvB,KAAK,EAAE,MAAM,EACb,OAAO,EAAE,MAAM,EAAE,EACjB,MAAM,EAAE;QACN,WAAW,EAAE,MAAM,CAAC;QACpB,YAAY,CAAC,EAAE,MAAM,CAAC;QACtB,SAAS,CAAC,EAAE,MAAM,CAAC;KACpB,GACA,OAAO,CAAC,IAAI,CAAC;IAehB;;;;;;OAMG;IACG,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAcxD;;;OAGG;IACM,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO;IAIhD;;OAEG;IACH,sBAAsB,IAAI,MAAM,EAAE;IAQlC;;OAEG;IACH,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,EAAE,GAAG,SAAS;IAIlD;;OAEG;IACG,cAAc,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAOvD;;OAEG;IACH,IAAI,MAAM,IAAI,MAAM,GAAG,SAAS,CAE/B;CACF"}

package/auth/authorization/public.authorization.d.ts

@@ -1,92 +0,0 @@
-import { AuthorizationBase } from './authorization.class';
-import { AuthMode } from '../../common';
-/**
- * Context for creating a PublicAuthorization
- */
-export interface PublicAuthorizationCreateCtx {
-    /**
-     * Anonymous user's identifier prefix
-     * @default 'anon'
-     */
-    prefix?: string;
-    /**
-     * Anonymous scopes granted to the user
-     * @default ['anonymous']
-     */
-    scopes?: string[];
-    /**
-     * Session TTL in milliseconds
-     * @default 3600000 (1 hour)
-     */
-    ttlMs?: number;
-    /**
-     * Issuer identifier for the anonymous JWT
-     */
-    issuer?: string;
-    /**
-     * Allowed tools for anonymous access
-     * If 'all', all tools are allowed
-     */
-    allowedTools?: 'all' | string[];
-    /**
-     * Allowed prompts for anonymous access
-     * If 'all', all prompts are allowed
-     */
-    allowedPrompts?: 'all' | string[];
-}
-/**
- * PublicAuthorization - Authorization for public/anonymous access mode
- *
- * In public mode:
- * - No authentication is required
- * - Anonymous sessions are auto-generated
- * - getToken() throws - anonymous users cannot access provider tokens
- * - Ideal for development, docs, public wikis, and read-only resources
- */
-export declare class PublicAuthorization extends AuthorizationBase {
-    readonly mode: AuthMode;
-    /**
-     * Issuer identifier for the anonymous authorization
-     */
-    readonly issuer?: string;
-    private constructor();
-    /**
-     * Create a new PublicAuthorization for anonymous access
-     *
-     * @param ctx - Creation context with optional configuration
-     * @returns A new PublicAuthorization instance
-     *
-     * @example
-     * ```typescript
-     * const auth = PublicAuthorization.create({
-     *   scopes: ['read', 'anonymous'],
-     *   ttlMs: 3600000,
-     *   allowedTools: ['search', 'get-docs'],
-     * });
-     * ```
-     */
-    static create(ctx?: PublicAuthorizationCreateCtx): PublicAuthorization;
-    /**
-     * Anonymous users cannot access provider tokens
-     *
-     * @throws Error always - anonymous users do not have provider tokens
-     */
-    getToken(_providerId?: string): Promise<string>;
-    /**
-     * Check if all tools are allowed (public access)
-     */
-    get allowsAllTools(): boolean;
-    /**
-     * Check if all prompts are allowed (public access)
-     */
-    get allowsAllPrompts(): boolean;
-    /**
-     * Override canAccessTool to support 'all' mode
-     */
-    canAccessTool(toolId: string): boolean;
-    /**
-     * Override canAccessPrompt to support 'all' mode
-     */
-    canAccessPrompt(promptId: string): boolean;
-}
-//# sourceMappingURL=public.authorization.d.ts.map

package/auth/authorization/public.authorization.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"public.authorization.d.ts","sourceRoot":"","sources":["../../../src/auth/authorization/public.authorization.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAE1D,OAAO,EAAE,QAAQ,EAAE,MAAM,cAAc,CAAC;AAExC;;GAEG;AACH,MAAM,WAAW,4BAA4B;IAC3C;;;OAGG;IACH,MAAM,CAAC,EAAE,MAAM,CAAC;IAEhB;;;OAGG;IACH,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAElB;;;OAGG;IACH,KAAK,CAAC,EAAE,MAAM,CAAC;IAEf;;OAEG;IACH,MAAM,CAAC,EAAE,MAAM,CAAC;IAEhB;;;OAGG;IACH,YAAY,CAAC,EAAE,KAAK,GAAG,MAAM,EAAE,CAAC;IAEhC;;;OAGG;IACH,cAAc,CAAC,EAAE,KAAK,GAAG,MAAM,EAAE,CAAC;CACnC;AAED;;;;;;;;GAQG;AACH,qBAAa,mBAAoB,SAAQ,iBAAiB;IACxD,QAAQ,CAAC,IAAI,EAAE,QAAQ,CAAY;IAEnC;;OAEG;IACH,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;IAEzB,OAAO;IAKP;;;;;;;;;;;;;;OAcG;IACH,MAAM,CAAC,MAAM,CAAC,GAAG,GAAE,4BAAiC,GAAG,mBAAmB;IA6D1E;;;;OAIG;IACG,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAOrD;;OAEG;IACH,IAAI,cAAc,IAAI,OAAO,CAE5B;IAED;;OAEG;IACH,IAAI,gBAAgB,IAAI,OAAO,CAE9B;IAED;;OAEG;IACM,aAAa,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO;IAQ/C;;OAEG;IACM,eAAe,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO;CAOpD"}

package/auth/authorization/transparent.authorization.d.ts

@@ -1,131 +0,0 @@
-import { AuthorizationBase } from './authorization.class';
-import { AuthorizationCreateCtx } from './authorization.types';
-import { AuthMode } from '../../common';
-/**
- * Verified JWT payload from transparent auth provider
- */
-export interface TransparentVerifiedPayload {
-    /** Subject identifier */
-    sub: string;
-    /** Issuer */
-    iss?: string;
-    /** Audience */
-    aud?: string | string[];
-    /** Expiration (seconds since epoch) */
-    exp?: number;
-    /** Issued at (seconds since epoch) */
-    iat?: number;
-    /** Scopes (space-separated or array) */
-    scope?: string | string[];
-    /** Display name */
-    name?: string;
-    /** Email */
-    email?: string;
-    /** Picture URL */
-    picture?: string;
-    /** Additional claims */
-    [key: string]: unknown;
-}
-/**
- * Context for creating a TransparentAuthorization
- */
-export interface TransparentAuthorizationCreateCtx {
-    /**
-     * The original bearer token (passed through to downstream)
-     */
-    token: string;
-    /**
-     * Verified JWT payload from the upstream provider
-     */
-    payload: TransparentVerifiedPayload;
-    /**
-     * Provider ID for this authorization
-     */
-    providerId: string;
-    /**
-     * Provider name for display/logging
-     */
-    providerName?: string;
-    /**
-     * Precomputed authorization projections
-     */
-    authorizedTools?: AuthorizationCreateCtx['authorizedTools'];
-    authorizedToolIds?: string[];
-    authorizedPrompts?: AuthorizationCreateCtx['authorizedPrompts'];
-    authorizedPromptIds?: string[];
-    authorizedApps?: AuthorizationCreateCtx['authorizedApps'];
-    authorizedAppIds?: string[];
-    authorizedResources?: string[];
-}
-/**
- * TransparentAuthorization - Pass-through OAuth tokens
- *
- * In transparent mode:
- * - The client's token is forwarded directly to downstream services
- * - Token validation happens via the upstream provider's JWKS
- * - getToken() returns the original bearer token
- * - Ideal when the auth server is the source of truth
- */
-export declare class TransparentAuthorization extends AuthorizationBase {
-    readonly mode: AuthMode;
-    /**
-     * Provider ID that issued the token
-     */
-    readonly providerId: string;
-    /**
-     * Provider display name
-     */
-    readonly providerName?: string;
-    private constructor();
-    /**
-     * Create a TransparentAuthorization from a verified JWT
-     *
-     * @param ctx - Creation context with token and verified payload
-     * @returns A new TransparentAuthorization instance
-     *
-     * @example
-     * ```typescript
-     * const auth = TransparentAuthorization.fromVerifiedToken({
-     *   token: bearerToken,
-     *   payload: verifiedClaims,
-     *   providerId: 'auth0',
-     * });
-     *
-     * // Pass token through to downstream
-     * const token = await auth.getToken();
-     * ```
-     */
-    static fromVerifiedToken(ctx: TransparentAuthorizationCreateCtx): TransparentAuthorization;
-    /**
-     * Get the original bearer token for pass-through
-     *
-     * In transparent mode, the same token is returned regardless of providerId
-     * since only one provider (the upstream) issued the token.
-     *
-     * @param _providerId - Ignored in transparent mode
-     * @returns The original bearer token
-     */
-    getToken(_providerId?: string): Promise<string>;
-    /**
-     * Parse scope claim from JWT payload
-     */
-    private static parseScopes;
-    /**
-     * Generate authorization ID from token signature
-     * Uses SHA-256 fingerprint of the token signature for uniqueness
-     */
-    private static generateAuthorizationId;
-    /**
-     * Get the issuer from the token claims
-     */
-    get issuer(): string | undefined;
-    /**
-     * Get the audience from the token claims
-     */
-    get audience(): string | string[] | undefined;
-    /**
-     * Check if the token was issued for a specific audience
-     */
-    hasAudience(aud: string): boolean;
-}
-//# sourceMappingURL=transparent.authorization.d.ts.map

package/auth/authorization/transparent.authorization.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"transparent.authorization.d.ts","sourceRoot":"","sources":["../../../src/auth/authorization/transparent.authorization.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAC1D,OAAO,EAAE,sBAAsB,EAAY,MAAM,uBAAuB,CAAC;AAEzE,OAAO,EAAE,QAAQ,EAAE,MAAM,cAAc,CAAC;AAExC;;GAEG;AACH,MAAM,WAAW,0BAA0B;IACzC,yBAAyB;IACzB,GAAG,EAAE,MAAM,CAAC;IACZ,aAAa;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,eAAe;IACf,GAAG,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IACxB,uCAAuC;IACvC,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,sCAAsC;IACtC,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,wCAAwC;IACxC,KAAK,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IAC1B,mBAAmB;IACnB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,YAAY;IACZ,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,kBAAkB;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,wBAAwB;IACxB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED;;GAEG;AACH,MAAM,WAAW,iCAAiC;IAChD;;OAEG;IACH,KAAK,EAAE,MAAM,CAAC;IAEd;;OAEG;IACH,OAAO,EAAE,0BAA0B,CAAC;IAEpC;;OAEG;IACH,UAAU,EAAE,MAAM,CAAC;IAEnB;;OAEG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;IAEtB;;OAEG;IACH,eAAe,CAAC,EAAE,sBAAsB,CAAC,iBAAiB,CAAC,CAAC;IAC5D,iBAAiB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC7B,iBAAiB,CAAC,EAAE,sBAAsB,CAAC,mBAAmB,CAAC,CAAC;IAChE,mBAAmB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC/B,cAAc,CAAC,EAAE,sBAAsB,CAAC,gBAAgB,CAAC,CAAC;IAC1D,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC5B,mBAAmB,CAAC,EAAE,MAAM,EAAE,CAAC;CAChC;AAED;;;;;;;;GAQG;AACH,qBAAa,wBAAyB,SAAQ,iBAAiB;IAC7D,QAAQ,CAAC,IAAI,EAAE,QAAQ,CAAiB;IAExC;;OAEG;IACH,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAE5B;;OAEG;IACH,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC;IAE/B,OAAO;IAWP;;;;;;;;;;;;;;;;;OAiBG;IACH,MAAM,CAAC,iBAAiB,CAAC,GAAG,EAAE,iCAAiC,GAAG,wBAAwB;IA8C1F;;;;;;;;OAQG;IACG,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAOrD;;OAEG;IACH,OAAO,CAAC,MAAM,CAAC,WAAW;IAM1B;;;OAGG;IACH,OAAO,CAAC,MAAM,CAAC,uBAAuB;IAMtC;;OAEG;IACH,IAAI,MAAM,IAAI,MAAM,GAAG,SAAS,CAE/B;IAED;;OAEG;IACH,IAAI,QAAQ,IAAI,MAAM,GAAG,MAAM,EAAE,GAAG,SAAS,CAE5C;IAED;;OAEG;IACH,WAAW,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO;CAMlC"}

package/auth/consent/consent.types.d.ts

@@ -1,112 +0,0 @@
-/**
- * Consent Flow Types and Schemas
- *
- * Defines types for the tool consent flow that allows users to select
- * which MCP tools they want to expose to the LLM.
- */
-import { z } from 'zod';
-import { consentConfigSchema } from '../../common';
-export { consentConfigSchema };
-/**
- * Tool consent item schema - represents a tool available for consent
- */
-export declare const consentToolItemSchema: z.ZodObject<{
-    id: z.ZodString;
-    name: z.ZodString;
-    description: z.ZodOptional<z.ZodString>;
-    appId: z.ZodString;
-    appName: z.ZodString;
-    defaultSelected: z.ZodDefault<z.ZodBoolean>;
-    requiredScopes: z.ZodOptional<z.ZodArray<z.ZodString>>;
-    category: z.ZodOptional<z.ZodString>;
-}, z.core.$strip>;
-/**
- * Consent selection schema - user's tool selection
- */
-export declare const consentSelectionSchema: z.ZodObject<{
-    selectedTools: z.ZodArray<z.ZodString>;
-    allSelected: z.ZodBoolean;
-    consentedAt: z.ZodString;
-    consentVersion: z.ZodDefault<z.ZodString>;
-}, z.core.$strip>;
-/**
- * Consent page state schema - stored in pending authorization
- */
-export declare const consentStateSchema: z.ZodObject<{
-    enabled: z.ZodBoolean;
-    availableTools: z.ZodArray<z.ZodObject<{
-        id: z.ZodString;
-        name: z.ZodString;
-        description: z.ZodOptional<z.ZodString>;
-        appId: z.ZodString;
-        appName: z.ZodString;
-        defaultSelected: z.ZodDefault<z.ZodBoolean>;
-        requiredScopes: z.ZodOptional<z.ZodArray<z.ZodString>>;
-        category: z.ZodOptional<z.ZodString>;
-    }, z.core.$strip>>;
-    preselectedTools: z.ZodOptional<z.ZodArray<z.ZodString>>;
-    groupByApp: z.ZodDefault<z.ZodBoolean>;
-    customMessage: z.ZodOptional<z.ZodString>;
-}, z.core.$strip>;
-/**
- * Auth provider item for federated login UI
- */
-export declare const federatedProviderItemSchema: z.ZodObject<{
-    id: z.ZodString;
-    name: z.ZodString;
-    description: z.ZodOptional<z.ZodString>;
-    icon: z.ZodOptional<z.ZodString>;
-    type: z.ZodEnum<{
-        remote: "remote";
-        transparent: "transparent";
-        local: "local";
-    }>;
-    providerUrl: z.ZodOptional<z.ZodString>;
-    appIds: z.ZodArray<z.ZodString>;
-    appNames: z.ZodArray<z.ZodString>;
-    scopes: z.ZodArray<z.ZodString>;
-    isPrimary: z.ZodBoolean;
-    isOptional: z.ZodDefault<z.ZodBoolean>;
-}, z.core.$strip>;
-/**
- * Federated login state schema
- */
-export declare const federatedLoginStateSchema: z.ZodObject<{
-    providers: z.ZodArray<z.ZodObject<{
-        id: z.ZodString;
-        name: z.ZodString;
-        description: z.ZodOptional<z.ZodString>;
-        icon: z.ZodOptional<z.ZodString>;
-        type: z.ZodEnum<{
-            remote: "remote";
-            transparent: "transparent";
-            local: "local";
-        }>;
-        providerUrl: z.ZodOptional<z.ZodString>;
-        appIds: z.ZodArray<z.ZodString>;
-        appNames: z.ZodArray<z.ZodString>;
-        scopes: z.ZodArray<z.ZodString>;
-        isPrimary: z.ZodBoolean;
-        isOptional: z.ZodDefault<z.ZodBoolean>;
-    }, z.core.$strip>>;
-    primaryProviderId: z.ZodOptional<z.ZodString>;
-    allowSkip: z.ZodDefault<z.ZodBoolean>;
-    preselectedProviders: z.ZodOptional<z.ZodArray<z.ZodString>>;
-}, z.core.$strip>;
-/**
- * Federated login selection schema
- */
-export declare const federatedSelectionSchema: z.ZodObject<{
-    selectedProviders: z.ZodArray<z.ZodString>;
-    skippedProviders: z.ZodArray<z.ZodString>;
-    providerMetadata: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
-}, z.core.$strip>;
-export type ConsentToolItem = z.infer<typeof consentToolItemSchema>;
-export type ConsentSelection = z.infer<typeof consentSelectionSchema>;
-export type ConsentState = z.infer<typeof consentStateSchema>;
-export type ConsentConfig = z.infer<typeof consentConfigSchema>;
-export type ConsentConfigInput = z.input<typeof consentConfigSchema>;
-export type FederatedProviderItem = z.infer<typeof federatedProviderItemSchema>;
-export type FederatedLoginState = z.infer<typeof federatedLoginStateSchema>;
-export type FederatedSelection = z.infer<typeof federatedSelectionSchema>;
-//# sourceMappingURL=consent.types.d.ts.map

package/auth/consent/consent.types.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"consent.types.d.ts","sourceRoot":"","sources":["../../../src/auth/consent/consent.types.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AACH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,mBAAmB,EAAE,MAAM,cAAc,CAAC;AAGnD,OAAO,EAAE,mBAAmB,EAAE,CAAC;AAM/B;;GAEG;AACH,eAAO,MAAM,qBAAqB;;;;;;;;;iBAiBhC,CAAC;AAEH;;GAEG;AACH,eAAO,MAAM,sBAAsB;;;;;iBASjC,CAAC;AAEH;;GAEG;AACH,eAAO,MAAM,kBAAkB;;;;;;;;;;;;;;;iBAW7B,CAAC;AAKH;;GAEG;AACH,eAAO,MAAM,2BAA2B;;;;;;;;;;;;;;;;iBAuBtC,CAAC;AAEH;;GAEG;AACH,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;;;;;;iBASpC,CAAC;AAEH;;GAEG;AACH,eAAO,MAAM,wBAAwB;;;;iBAOnC,CAAC;AAMH,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AACpE,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AACtE,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAC9D,MAAM,MAAM,aAAa,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAChE,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAErE,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,2BAA2B,CAAC,CAAC;AAChF,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAC;AAC5E,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,wBAAwB,CAAC,CAAC"}

package/auth/consent/index.d.ts

@@ -1,2 +0,0 @@
-export { consentToolItemSchema, consentSelectionSchema, consentStateSchema, federatedProviderItemSchema, federatedLoginStateSchema, federatedSelectionSchema, ConsentToolItem, ConsentSelection, ConsentState, ConsentConfig, ConsentConfigInput, FederatedProviderItem, FederatedLoginState, FederatedSelection, } from './consent.types';
-//# sourceMappingURL=index.d.ts.map

package/auth/consent/index.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/auth/consent/index.ts"],"names":[],"mappings":"AACA,OAAO,EAEL,qBAAqB,EACrB,sBAAsB,EACtB,kBAAkB,EAClB,2BAA2B,EAC3B,yBAAyB,EACzB,wBAAwB,EAExB,eAAe,EACf,gBAAgB,EAChB,YAAY,EACZ,aAAa,EACb,kBAAkB,EAClB,qBAAqB,EACrB,mBAAmB,EACnB,kBAAkB,GACnB,MAAM,iBAAiB,CAAC"}