@frontmcp/sdk 0.9.0 → 0.11.0

package/auth/detection/auth-provider-detection.d.ts

@@ -1,85 +0,0 @@
-/**
- * Auth Provider Detection
- *
- * Detects unique auth providers across nested apps and determines
- * if orchestrated mode is required at the parent scope level.
- *
- * When multiple apps have different auth providers, the parent MUST
- * use orchestrated mode to properly manage tokens for each provider.
- */
-import { z } from 'zod';
-import { AuthOptions } from '../../common';
-/**
- * Schema for a detected auth provider
- */
-export declare const detectedAuthProviderSchema: z.ZodObject<{
-    id: z.ZodString;
-    providerUrl: z.ZodOptional<z.ZodString>;
-    mode: z.ZodEnum<{
-        public: "public";
-        transparent: "transparent";
-        orchestrated: "orchestrated";
-    }>;
-    appIds: z.ZodArray<z.ZodString>;
-    scopes: z.ZodArray<z.ZodString>;
-    isParentProvider: z.ZodBoolean;
-}, z.core.$strip>;
-/**
- * Schema for auth provider detection result
- */
-export declare const authProviderDetectionResultSchema: z.ZodObject<{
-    providers: z.ZodMap<z.ZodString, z.ZodObject<{
-        id: z.ZodString;
-        providerUrl: z.ZodOptional<z.ZodString>;
-        mode: z.ZodEnum<{
-            public: "public";
-            transparent: "transparent";
-            orchestrated: "orchestrated";
-        }>;
-        appIds: z.ZodArray<z.ZodString>;
-        scopes: z.ZodArray<z.ZodString>;
-        isParentProvider: z.ZodBoolean;
-    }, z.core.$strip>>;
-    requiresOrchestration: z.ZodBoolean;
-    parentProviderId: z.ZodOptional<z.ZodString>;
-    childProviderIds: z.ZodArray<z.ZodString>;
-    uniqueProviderCount: z.ZodNumber;
-    validationErrors: z.ZodArray<z.ZodString>;
-    warnings: z.ZodArray<z.ZodString>;
-}, z.core.$strip>;
-export type DetectedAuthProvider = z.infer<typeof detectedAuthProviderSchema>;
-export type AuthProviderDetectionResult = z.infer<typeof authProviderDetectionResultSchema>;
-/**
- * App auth info for detection (minimal interface)
- */
-export interface AppAuthInfo {
-    id: string;
-    name: string;
-    auth?: AuthOptions;
-}
-/**
- * Derive a stable provider ID from auth options
- */
-export declare function deriveProviderId(options: AuthOptions): string;
-/**
- * Detect all unique auth providers across parent and apps
- *
- * @param parentAuth - Parent scope's auth options (may be undefined)
- * @param apps - Array of app auth info
- * @returns Detection result with providers, validation, and requirements
- */
-export declare function detectAuthProviders(parentAuth: AuthOptions | undefined, apps: AppAuthInfo[]): AuthProviderDetectionResult;
-/**
- * Check if a specific app requires orchestration
- * (i.e., has a different provider than parent)
- */
-export declare function appRequiresOrchestration(appAuth: AuthOptions | undefined, parentAuth: AuthOptions | undefined): boolean;
-/**
- * Get all OAuth scopes needed for a provider across all apps
- */
-export declare function getProviderScopes(detection: AuthProviderDetectionResult, providerId: string): string[];
-/**
- * Get apps that use a specific provider
- */
-export declare function getProviderApps(detection: AuthProviderDetectionResult, providerId: string): string[];
-//# sourceMappingURL=auth-provider-detection.d.ts.map

package/auth/detection/auth-provider-detection.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"auth-provider-detection.d.ts","sourceRoot":"","sources":["../../../src/auth/detection/auth-provider-detection.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AACH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,WAAW,EAA6E,MAAM,cAAc,CAAC;AAMtH;;GAEG;AACH,eAAO,MAAM,0BAA0B;;;;;;;;;;;iBAarC,CAAC;AAEH;;GAEG;AACH,eAAO,MAAM,iCAAiC;;;;;;;;;;;;;;;;;;;iBAe5C,CAAC;AAMH,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAC9E,MAAM,MAAM,2BAA2B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iCAAiC,CAAC,CAAC;AAE5F;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,CAAC,EAAE,WAAW,CAAC;CACpB;AAMD;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,OAAO,EAAE,WAAW,GAAG,MAAM,CAkB7D;AA+BD;;;;;;GAMG;AACH,wBAAgB,mBAAmB,CACjC,UAAU,EAAE,WAAW,GAAG,SAAS,EACnC,IAAI,EAAE,WAAW,EAAE,GAClB,2BAA2B,CAsF7B;AAiBD;;;GAGG;AACH,wBAAgB,wBAAwB,CACtC,OAAO,EAAE,WAAW,GAAG,SAAS,EAChC,UAAU,EAAE,WAAW,GAAG,SAAS,GAClC,OAAO,CAgBT;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,SAAS,EAAE,2BAA2B,EAAE,UAAU,EAAE,MAAM,GAAG,MAAM,EAAE,CAGtG;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,SAAS,EAAE,2BAA2B,EAAE,UAAU,EAAE,MAAM,GAAG,MAAM,EAAE,CAGpG"}

package/auth/detection/index.d.ts

@@ -1,2 +0,0 @@
-export { detectedAuthProviderSchema, authProviderDetectionResultSchema, DetectedAuthProvider, AuthProviderDetectionResult, AppAuthInfo, detectAuthProviders, deriveProviderId, appRequiresOrchestration, getProviderScopes, getProviderApps, } from './auth-provider-detection';
-//# sourceMappingURL=index.d.ts.map

package/auth/detection/index.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/auth/detection/index.ts"],"names":[],"mappings":"AACA,OAAO,EAEL,0BAA0B,EAC1B,iCAAiC,EAEjC,oBAAoB,EACpB,2BAA2B,EAC3B,WAAW,EAEX,mBAAmB,EACnB,gBAAgB,EAChB,wBAAwB,EACxB,iBAAiB,EACjB,eAAe,GAChB,MAAM,2BAA2B,CAAC"}

package/auth/machine-id.d.ts

@@ -1,28 +0,0 @@
-/**
- * Machine ID Utility
- *
- * Single source of truth for the machine ID used across session management.
- *
- * Configuration Priority:
- * 1. MACHINE_ID environment variable (highest priority, recommended for production)
- * 2. File persistence in dev mode (.frontmcp/machine-id)
- * 3. Random UUID (ephemeral, invalidates sessions on restart)
- *
- * For distributed deployments with Redis session storage, set MACHINE_ID
- * to the same value across all instances to allow session portability,
- * or use unique values per instance to enforce session affinity.
- */
-/**
- * Get the current machine ID.
- * Returns the override (if set via `setMachineIdOverride`) or the computed value.
- */
-export declare function getMachineId(): string;
-/**
- * Set a process-wide machine ID override.
- * Pass `undefined` to clear the override and revert to the computed value.
- *
- * This is used by `create()` to inject a stable machine ID for session continuity,
- * especially when using Redis-backed sessions across process restarts.
- */
-export declare function setMachineIdOverride(id: string | undefined): void;
-//# sourceMappingURL=machine-id.d.ts.map

package/auth/machine-id.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"machine-id.d.ts","sourceRoot":"","sources":["../../src/auth/machine-id.ts"],"names":[],"mappings":"AACA;;;;;;;;;;;;;GAaG;AA+GH;;;GAGG;AACH,wBAAgB,YAAY,IAAI,MAAM,CAErC;AAED;;;;;;GAMG;AACH,wBAAgB,oBAAoB,CAAC,EAAE,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,CAEjE"}

package/auth/session/encrypted-authorization-vault.d.ts

@@ -1,181 +0,0 @@
-/**
- * Encrypted Authorization Vault
- *
- * A vault implementation that encrypts all sensitive data using a key
- * derived from the client's JWT authorization token.
- *
- * Security Properties:
- * - Zero-knowledge storage: Server cannot decrypt credentials
- * - Client-side key: Encryption key derived from JWT (client must present token)
- * - Authenticated encryption: AES-256-GCM prevents tampering
- * - Per-vault keys: Each vault has a unique encryption key
- *
- * Usage:
- * ```typescript
- * const vault = new EncryptedRedisVault(redis, encryption);
- *
- * // On each request, derive key from JWT and set context
- * const key = encryption.deriveKeyFromToken(token, claims);
- * vault.setEncryptionKey(key);
- *
- * // Now all operations automatically encrypt/decrypt
- * await vault.addAppCredential(vaultId, credential);
- * ```
- */
-import { z } from 'zod';
-import { VaultEncryption, AuthorizationVault, AuthorizationVaultEntry, AppCredential, VaultConsentRecord, VaultFederatedRecord, PendingIncrementalAuth } from '@frontmcp/auth';
-/**
- * What we store in Redis - minimal metadata + encrypted blob
- */
-export declare const redisVaultEntrySchema: z.ZodObject<{
-    id: z.ZodString;
-    userSub: z.ZodString;
-    userEmail: z.ZodOptional<z.ZodString>;
-    userName: z.ZodOptional<z.ZodString>;
-    clientId: z.ZodString;
-    createdAt: z.ZodNumber;
-    lastAccessAt: z.ZodNumber;
-    authorizedAppIds: z.ZodArray<z.ZodString>;
-    skippedAppIds: z.ZodArray<z.ZodString>;
-    pendingAuthIds: z.ZodArray<z.ZodString>;
-    encrypted: z.ZodObject<{
-        v: z.ZodLiteral<1>;
-        alg: z.ZodLiteral<"aes-256-gcm">;
-        iv: z.ZodString;
-        ct: z.ZodString;
-        tag: z.ZodString;
-    }, z.core.$strip>;
-}, z.core.$strip>;
-export type RedisVaultEntry = z.infer<typeof redisVaultEntrySchema>;
-/**
- * Encryption context for the current request
- * Must be set before performing vault operations
- */
-export interface EncryptionContext {
-    /** Encryption key derived from JWT */
-    key: Uint8Array;
-    /** Vault ID (from JWT jti claim) */
-    vaultId: string;
-}
-/**
- * Redis vault with client-side encryption
- *
- * All sensitive data (tokens, credentials, consent, pending auths)
- * is encrypted using a key derived from the client's JWT.
- *
- * Use `runWithContext()` to set encryption context for concurrent safety.
- */
-export declare class EncryptedRedisVault implements AuthorizationVault {
-    private readonly redis;
-    private readonly encryption;
-    private readonly namespace;
-    constructor(redis: any, encryption: VaultEncryption, namespace?: string);
-    /**
-     * Run a callback with encryption context set for the current async scope.
-     * This is the recommended way to set encryption context as it is safe for
-     * concurrent requests (each request gets its own isolated context).
-     *
-     * @param context - Encryption context with key and vaultId
-     * @param fn - Async function to run with the context
-     * @returns The result of the callback
-     *
-     * @example
-     * ```typescript
-     * const result = await vault.runWithContext({ key, vaultId }, async () => {
-     *   await vault.get(id);
-     *   await vault.update(id, data);
-     *   return 'done';
-     * });
-     * ```
-     */
-    runWithContext<T>(context: EncryptionContext, fn: () => T | Promise<T>): T | Promise<T>;
-    /**
-     * Get current encryption key from AsyncLocalStorage.
-     */
-    private getKey;
-    /**
-     * Create Redis key from vault ID
-     */
-    private redisKey;
-    /**
-     * Create credential key from appId and providerId
-     */
-    private credentialKey;
-    /**
-     * Encrypt sensitive data
-     */
-    private encryptSensitive;
-    /**
-     * Decrypt sensitive data
-     */
-    private decryptSensitive;
-    /**
-     * Convert Redis entry to full vault entry (decrypts sensitive data)
-     */
-    private toVaultEntry;
-    /**
-     * Convert vault entry to Redis entry (encrypts sensitive data)
-     */
-    private toRedisEntry;
-    /**
-     * Save entry to Redis
-     */
-    private saveEntry;
-    /**
-     * Load entry from Redis
-     */
-    private loadEntry;
-    create(params: {
-        userSub: string;
-        userEmail?: string;
-        userName?: string;
-        clientId: string;
-        consent?: VaultConsentRecord;
-        federated?: VaultFederatedRecord;
-        authorizedAppIds?: string[];
-        skippedAppIds?: string[];
-    }): Promise<AuthorizationVaultEntry>;
-    get(id: string): Promise<AuthorizationVaultEntry | null>;
-    update(id: string, updates: Partial<AuthorizationVaultEntry>): Promise<void>;
-    delete(id: string): Promise<void>;
-    updateConsent(vaultId: string, consent: VaultConsentRecord): Promise<void>;
-    authorizeApp(vaultId: string, appId: string): Promise<void>;
-    createPendingAuth(vaultId: string, params: {
-        appId: string;
-        toolId?: string;
-        authUrl: string;
-        requiredScopes?: string[];
-        elicitId?: string;
-        ttlMs?: number;
-    }): Promise<PendingIncrementalAuth>;
-    getPendingAuth(vaultId: string, pendingAuthId: string): Promise<PendingIncrementalAuth | null>;
-    completePendingAuth(vaultId: string, pendingAuthId: string): Promise<void>;
-    cancelPendingAuth(vaultId: string, pendingAuthId: string): Promise<void>;
-    isAppAuthorized(vaultId: string, appId: string): Promise<boolean>;
-    getPendingAuths(vaultId: string): Promise<PendingIncrementalAuth[]>;
-    addAppCredential(vaultId: string, credential: AppCredential): Promise<void>;
-    removeAppCredential(vaultId: string, appId: string, providerId: string): Promise<void>;
-    getAppCredentials(vaultId: string, appId: string): Promise<AppCredential[]>;
-    getCredential(vaultId: string, appId: string, providerId: string): Promise<AppCredential | null>;
-    getAllCredentials(vaultId: string, filterByConsent?: boolean): Promise<AppCredential[]>;
-    updateCredential(vaultId: string, appId: string, providerId: string, updates: Partial<Pick<AppCredential, 'lastUsedAt' | 'isValid' | 'invalidReason' | 'expiresAt' | 'metadata'>>): Promise<void>;
-    shouldStoreCredential(vaultId: string, appId: string, toolIds?: string[]): Promise<boolean>;
-    invalidateCredential(vaultId: string, appId: string, providerId: string, reason: string): Promise<void>;
-    refreshOAuthCredential(vaultId: string, appId: string, providerId: string, tokens: {
-        accessToken: string;
-        refreshToken?: string;
-        expiresAt?: number;
-    }): Promise<void>;
-    cleanup(): Promise<void>;
-}
-/**
- * Create an encrypted vault with the given configuration
- */
-export declare function createEncryptedVault(redis: any, config?: {
-    pepper?: string;
-    namespace?: string;
-}): {
-    vault: EncryptedRedisVault;
-    encryption: VaultEncryption;
-};
-//# sourceMappingURL=encrypted-authorization-vault.d.ts.map

package/auth/session/encrypted-authorization-vault.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"encrypted-authorization-vault.d.ts","sourceRoot":"","sources":["../../../src/auth/session/encrypted-authorization-vault.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAGxB,OAAO,EACL,eAAe,EAIf,kBAAkB,EAClB,uBAAuB,EACvB,aAAa,EACb,kBAAkB,EAClB,oBAAoB,EACpB,sBAAsB,EAEvB,MAAM,gBAAgB,CAAC;AAMxB;;GAEG;AACH,eAAO,MAAM,qBAAqB;;;;;;;;;;;;;;;;;;iBAuBhC,CAAC;AAEH,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AAMpE;;;GAGG;AACH,MAAM,WAAW,iBAAiB;IAChC,sCAAsC;IACtC,GAAG,EAAE,UAAU,CAAC;IAChB,oCAAoC;IACpC,OAAO,EAAE,MAAM,CAAC;CACjB;AAYD;;;;;;;GAOG;AACH,qBAAa,mBAAoB,YAAW,kBAAkB;IAG1D,OAAO,CAAC,QAAQ,CAAC,KAAK;IACtB,OAAO,CAAC,QAAQ,CAAC,UAAU;IAC3B,OAAO,CAAC,QAAQ,CAAC,SAAS;gBAFT,KAAK,EAAE,GAAG,EACV,UAAU,EAAE,eAAe,EAC3B,SAAS,SAAW;IAGvC;;;;;;;;;;;;;;;;;OAiBG;IACH,cAAc,CAAC,CAAC,EAAE,OAAO,EAAE,iBAAiB,EAAE,EAAE,EAAE,MAAM,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC;IAIvF;;OAEG;IACH,OAAO,CAAC,MAAM;IASd;;OAEG;IACH,OAAO,CAAC,QAAQ;IAIhB;;OAEG;IACH,OAAO,CAAC,aAAa;IAIrB;;OAEG;YACW,gBAAgB;IAI9B;;OAEG;YACW,gBAAgB;IAI9B;;OAEG;YACW,YAAY;IAoB1B;;OAEG;YACW,YAAY;IAuB1B;;OAEG;YACW,SAAS;IAKvB;;OAEG;YACW,SAAS;IAiBjB,MAAM,CAAC,MAAM,EAAE;QACnB,OAAO,EAAE,MAAM,CAAC;QAChB,SAAS,CAAC,EAAE,MAAM,CAAC;QACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,QAAQ,EAAE,MAAM,CAAC;QACjB,OAAO,CAAC,EAAE,kBAAkB,CAAC;QAC7B,SAAS,CAAC,EAAE,oBAAoB,CAAC;QACjC,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;QAC5B,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;KAC1B,GAAG,OAAO,CAAC,uBAAuB,CAAC;IAsB9B,GAAG,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,uBAAuB,GAAG,IAAI,CAAC;IAWxD,MAAM,CAAC,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,CAAC,uBAAuB,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC;IAU5E,MAAM,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAIjC,aAAa,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,kBAAkB,GAAG,OAAO,CAAC,IAAI,CAAC;IAS1E,YAAY,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAY3D,iBAAiB,CACrB,OAAO,EAAE,MAAM,EACf,MAAM,EAAE;QACN,KAAK,EAAE,MAAM,CAAC;QACd,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,OAAO,EAAE,MAAM,CAAC;QAChB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;QAC1B,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,KAAK,CAAC,EAAE,MAAM,CAAC;KAChB,GACA,OAAO,CAAC,sBAAsB,CAAC;IA0B5B,cAAc,CAAC,OAAO,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,GAAG,OAAO,CAAC,sBAAsB,GAAG,IAAI,CAAC;IAe9F,mBAAmB,CAAC,OAAO,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAkB1E,iBAAiB,CAAC,OAAO,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAWxE,eAAe,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAajE,eAAe,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,sBAAsB,EAAE,CAAC;IA0BnE,gBAAgB,CAAC,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,aAAa,GAAG,OAAO,CAAC,IAAI,CAAC;IAa3E,mBAAmB,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAUtF,iBAAiB,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,EAAE,CAAC;IAU3E,aAAa,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC;IAQhG,iBAAiB,CAAC,OAAO,EAAE,MAAM,EAAE,eAAe,UAAQ,GAAG,OAAO,CAAC,aAAa,EAAE,CAAC;IAgBrF,gBAAgB,CACpB,OAAO,EAAE,MAAM,EACf,KAAK,EAAE,MAAM,EACb,UAAU,EAAE,MAAM,EAClB,OAAO,EAAE,OAAO,CAAC,IAAI,CAAC,aAAa,EAAE,YAAY,GAAG,SAAS,GAAG,eAAe,GAAG,WAAW,GAAG,UAAU,CAAC,CAAC,GAC3G,OAAO,CAAC,IAAI,CAAC;IAaV,qBAAqB,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,OAAO,CAAC;IAgB3F,oBAAoB,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAOvG,sBAAsB,CAC1B,OAAO,EAAE,MAAM,EACf,KAAK,EAAE,MAAM,EACb,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE;QAAE,WAAW,EAAE,MAAM,CAAC;QAAC,YAAY,CAAC,EAAE,MAAM,CAAC;QAAC,SAAS,CAAC,EAAE,MAAM,CAAA;KAAE,GACzE,OAAO,CAAC,IAAI,CAAC;IAwBV,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC;CAK/B;AAMD;;GAEG;AACH,wBAAgB,oBAAoB,CAElC,KAAK,EAAE,GAAG,EACV,MAAM,GAAE;IACN,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,MAAM,CAAC;CACf,GACL;IAAE,KAAK,EAAE,mBAAmB,CAAC;IAAC,UAAU,EAAE,eAAe,CAAA;CAAE,CAK7D"}

package/auth/session/federated-auth.session.d.ts

@@ -1,252 +0,0 @@
-/**
- * Federated Auth Session
- *
- * Manages state during multi-provider OAuth flows where a user needs to
- * authenticate with multiple upstream OAuth providers sequentially.
- *
- * Flow:
- * 1. User selects providers on federated login page
- * 2. System stores FederatedAuthSession with provider queue
- * 3. User is redirected to first provider's OAuth authorize endpoint
- * 4. After provider callback, tokens are stored and next provider is processed
- * 5. When all providers complete, FrontMCP JWT is issued
- */
-/**
- * PKCE data for upstream provider OAuth flow
- */
-export interface ProviderPkce {
-    /** Code verifier (used in token exchange) */
-    verifier: string;
-    /** Code challenge (sent to authorize endpoint) */
-    challenge: string;
-    /** Challenge method (always S256) */
-    method: 'S256';
-}
-/**
- * Token data received from an upstream provider
- */
-export interface ProviderTokens {
-    /** Access token */
-    accessToken: string;
-    /** Refresh token (if provided) */
-    refreshToken?: string;
-    /** Token expiration (epoch ms) */
-    expiresAt?: number;
-    /** Token type (usually 'Bearer') */
-    tokenType?: string;
-    /** Granted scopes */
-    scopes?: string[];
-    /** ID token (for OIDC providers) */
-    idToken?: string;
-}
-/**
- * User info from an upstream provider
- */
-export interface ProviderUserInfo {
-    /** Subject identifier from provider */
-    sub: string;
-    /** User email */
-    email?: string;
-    /** Display name */
-    name?: string;
-    /** Profile picture URL */
-    picture?: string;
-    /** Additional claims */
-    claims?: Record<string, unknown>;
-}
-/**
- * Completed provider entry in the federated session
- */
-export interface CompletedProvider {
-    /** Provider ID */
-    providerId: string;
-    /** OAuth tokens from the provider */
-    tokens: ProviderTokens;
-    /** User info from the provider */
-    userInfo?: ProviderUserInfo;
-    /** Timestamp when provider auth completed */
-    completedAt: number;
-}
-/**
- * Federated Auth Session state
- *
- * Stored during multi-provider OAuth flow to track progress
- */
-export interface FederatedAuthSession {
-    /** Unique session ID */
-    id: string;
-    /** Original pending auth ID (from /oauth/authorize request) */
-    pendingAuthId: string;
-    /** Client ID that initiated the auth flow */
-    clientId: string;
-    /** Redirect URI for final callback */
-    redirectUri: string;
-    /** Requested scopes for FrontMCP token */
-    scopes: string[];
-    /** Original state parameter from client */
-    state?: string;
-    /** Resource/audience for final token */
-    resource?: string;
-    /** User info (email, name) from initial login form */
-    userInfo: {
-        email?: string;
-        name?: string;
-        sub?: string;
-    };
-    /** PKCE challenge for final FrontMCP token exchange */
-    frontmcpPkce: {
-        challenge: string;
-        method: 'S256';
-    };
-    /** Queue of provider IDs remaining to auth */
-    providerQueue: string[];
-    /** Map of completed providers with their tokens */
-    completedProviders: Map<string, CompletedProvider>;
-    /** Providers that user declined/skipped */
-    skippedProviders: string[];
-    /** Currently active provider (being authenticated) */
-    currentProviderId?: string;
-    /** PKCE data for current provider's OAuth flow */
-    currentProviderPkce?: ProviderPkce;
-    /** State parameter for current provider's OAuth flow */
-    currentProviderState?: string;
-    /** Session creation timestamp */
-    createdAt: number;
-    /** Session expiration timestamp */
-    expiresAt: number;
-}
-/**
- * Serializable version of FederatedAuthSession for storage
- */
-export interface FederatedAuthSessionRecord {
-    id: string;
-    pendingAuthId: string;
-    clientId: string;
-    redirectUri: string;
-    scopes: string[];
-    state?: string;
-    resource?: string;
-    userInfo: {
-        email?: string;
-        name?: string;
-        sub?: string;
-    };
-    frontmcpPkce: {
-        challenge: string;
-        method: 'S256';
-    };
-    providerQueue: string[];
-    completedProviders: Array<[string, CompletedProvider]>;
-    skippedProviders: string[];
-    currentProviderId?: string;
-    currentProviderPkce?: ProviderPkce;
-    currentProviderState?: string;
-    createdAt: number;
-    expiresAt: number;
-}
-/**
- * Federated Auth Session Store Interface
- */
-export interface FederatedAuthSessionStore {
-    /** Store a federated auth session */
-    store(session: FederatedAuthSession): Promise<void>;
-    /** Get a federated auth session by ID */
-    get(id: string): Promise<FederatedAuthSession | null>;
-    /** Delete a federated auth session */
-    delete(id: string): Promise<void>;
-    /** Update a federated auth session */
-    update(session: FederatedAuthSession): Promise<void>;
-}
-/**
- * Convert FederatedAuthSession to serializable record
- */
-export declare function toSessionRecord(session: FederatedAuthSession): FederatedAuthSessionRecord;
-/**
- * Convert serializable record back to FederatedAuthSession
- */
-export declare function fromSessionRecord(record: FederatedAuthSessionRecord): FederatedAuthSession;
-/**
- * Parameters for creating a federated auth session
- */
-export interface FederatedAuthSessionCreateParams {
-    pendingAuthId: string;
-    clientId: string;
-    redirectUri: string;
-    scopes: string[];
-    state?: string;
-    resource?: string;
-    userInfo: {
-        email?: string;
-        name?: string;
-        sub?: string;
-    };
-    frontmcpPkce: {
-        challenge: string;
-        method: 'S256';
-    };
-    providerIds: string[];
-}
-/**
- * In-Memory Federated Auth Session Store
- *
- * Development/testing implementation for federated auth session storage.
- */
-export declare class InMemoryFederatedAuthSessionStore implements FederatedAuthSessionStore {
-    private readonly sessions;
-    /** Default TTL for sessions (15 minutes) */
-    private readonly sessionTtlMs;
-    /** Cleanup interval timer */
-    private cleanupTimer?;
-    constructor();
-    store(session: FederatedAuthSession): Promise<void>;
-    get(id: string): Promise<FederatedAuthSession | null>;
-    delete(id: string): Promise<void>;
-    update(session: FederatedAuthSession): Promise<void>;
-    /**
-     * Clean up expired sessions
-     */
-    cleanup(): Promise<void>;
-    /**
-     * Stop the cleanup timer
-     */
-    dispose(): void;
-    /**
-     * Create a new federated auth session
-     */
-    createSession(params: FederatedAuthSessionCreateParams): FederatedAuthSession;
-    /**
-     * Get count (for testing/monitoring)
-     */
-    get size(): number;
-    /**
-     * Clear all sessions (for testing)
-     */
-    clear(): void;
-}
-/**
- * Create a new federated auth session object
- *
- * This is a standalone factory function that creates a FederatedAuthSession
- * without requiring a store instance. Use this for type-safe session creation.
- *
- * @param params Session parameters
- * @param ttlMs Session TTL in milliseconds (default: 15 minutes)
- */
-export declare function createFederatedAuthSession(params: FederatedAuthSessionCreateParams, ttlMs?: number): FederatedAuthSession;
-/**
- * Helper to check if all providers have been authenticated
- */
-export declare function isSessionComplete(session: FederatedAuthSession): boolean;
-/**
- * Helper to get the next provider to authenticate
- */
-export declare function getNextProvider(session: FederatedAuthSession): string | undefined;
-/**
- * Helper to mark current provider as complete and move to next
- */
-export declare function completeCurrentProvider(session: FederatedAuthSession, tokens: ProviderTokens, userInfo?: ProviderUserInfo): void;
-/**
- * Helper to start authentication with next provider
- */
-export declare function startNextProvider(session: FederatedAuthSession, pkce: ProviderPkce, state: string): string;
-//# sourceMappingURL=federated-auth.session.d.ts.map

package/auth/session/federated-auth.session.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"federated-auth.session.d.ts","sourceRoot":"","sources":["../../../src/auth/session/federated-auth.session.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAKH;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,6CAA6C;IAC7C,QAAQ,EAAE,MAAM,CAAC;IACjB,kDAAkD;IAClD,SAAS,EAAE,MAAM,CAAC;IAClB,qCAAqC;IACrC,MAAM,EAAE,MAAM,CAAC;CAChB;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,mBAAmB;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB,kCAAkC;IAClC,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,kCAAkC;IAClC,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,oCAAoC;IACpC,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,qBAAqB;IACrB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,oCAAoC;IACpC,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,uCAAuC;IACvC,GAAG,EAAE,MAAM,CAAC;IACZ,iBAAiB;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,mBAAmB;IACnB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,0BAA0B;IAC1B,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,wBAAwB;IACxB,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAClC;AAED;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,kBAAkB;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,qCAAqC;IACrC,MAAM,EAAE,cAAc,CAAC;IACvB,kCAAkC;IAClC,QAAQ,CAAC,EAAE,gBAAgB,CAAC;IAC5B,6CAA6C;IAC7C,WAAW,EAAE,MAAM,CAAC;CACrB;AAED;;;;GAIG;AACH,MAAM,WAAW,oBAAoB;IACnC,wBAAwB;IACxB,EAAE,EAAE,MAAM,CAAC;IAEX,+DAA+D;IAC/D,aAAa,EAAE,MAAM,CAAC;IAEtB,6CAA6C;IAC7C,QAAQ,EAAE,MAAM,CAAC;IAEjB,sCAAsC;IACtC,WAAW,EAAE,MAAM,CAAC;IAEpB,0CAA0C;IAC1C,MAAM,EAAE,MAAM,EAAE,CAAC;IAEjB,2CAA2C;IAC3C,KAAK,CAAC,EAAE,MAAM,CAAC;IAEf,wCAAwC;IACxC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB,sDAAsD;IACtD,QAAQ,EAAE;QACR,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,GAAG,CAAC,EAAE,MAAM,CAAC;KACd,CAAC;IAEF,uDAAuD;IACvD,YAAY,EAAE;QACZ,SAAS,EAAE,MAAM,CAAC;QAClB,MAAM,EAAE,MAAM,CAAC;KAChB,CAAC;IAEF,8CAA8C;IAC9C,aAAa,EAAE,MAAM,EAAE,CAAC;IAExB,mDAAmD;IACnD,kBAAkB,EAAE,GAAG,CAAC,MAAM,EAAE,iBAAiB,CAAC,CAAC;IAEnD,2CAA2C;IAC3C,gBAAgB,EAAE,MAAM,EAAE,CAAC;IAE3B,sDAAsD;IACtD,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAE3B,kDAAkD;IAClD,mBAAmB,CAAC,EAAE,YAAY,CAAC;IAEnC,wDAAwD;IACxD,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAE9B,iCAAiC;IACjC,SAAS,EAAE,MAAM,CAAC;IAElB,mCAAmC;IACnC,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,0BAA0B;IACzC,EAAE,EAAE,MAAM,CAAC;IACX,aAAa,EAAE,MAAM,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE;QACR,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,GAAG,CAAC,EAAE,MAAM,CAAC;KACd,CAAC;IACF,YAAY,EAAE;QACZ,SAAS,EAAE,MAAM,CAAC;QAClB,MAAM,EAAE,MAAM,CAAC;KAChB,CAAC;IACF,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,kBAAkB,EAAE,KAAK,CAAC,CAAC,MAAM,EAAE,iBAAiB,CAAC,CAAC,CAAC;IACvD,gBAAgB,EAAE,MAAM,EAAE,CAAC;IAC3B,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,mBAAmB,CAAC,EAAE,YAAY,CAAC;IACnC,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,yBAAyB;IACxC,qCAAqC;IACrC,KAAK,CAAC,OAAO,EAAE,oBAAoB,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAEpD,yCAAyC;IACzC,GAAG,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,oBAAoB,GAAG,IAAI,CAAC,CAAC;IAEtD,sCAAsC;IACtC,MAAM,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAElC,sCAAsC;IACtC,MAAM,CAAC,OAAO,EAAE,oBAAoB,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CACtD;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,oBAAoB,GAAG,0BAA0B,CAKzF;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,0BAA0B,GAAG,oBAAoB,CAK1F;AAED;;GAEG;AACH,MAAM,WAAW,gCAAgC;IAC/C,aAAa,EAAE,MAAM,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE;QAAE,KAAK,CAAC,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAC;QAAC,GAAG,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IAC1D,YAAY,EAAE;QAAE,SAAS,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC;IACpD,WAAW,EAAE,MAAM,EAAE,CAAC;CACvB;AAED;;;;GAIG;AACH,qBAAa,iCAAkC,YAAW,yBAAyB;IACjF,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAiD;IAE1E,4CAA4C;IAC5C,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAkB;IAE/C,6BAA6B;IAC7B,OAAO,CAAC,YAAY,CAAC,CAAiC;;IAahD,KAAK,CAAC,OAAO,EAAE,oBAAoB,GAAG,OAAO,CAAC,IAAI,CAAC;IAKnD,GAAG,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,oBAAoB,GAAG,IAAI,CAAC;IAerD,MAAM,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAIjC,MAAM,CAAC,OAAO,EAAE,oBAAoB,GAAG,OAAO,CAAC,IAAI,CAAC;IAK1D;;OAEG;IACG,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC;IAS9B;;OAEG;IACH,OAAO,IAAI,IAAI;IAOf;;OAEG;IACH,aAAa,CAAC,MAAM,EAAE,gCAAgC,GAAG,oBAAoB;IAoB7E;;OAEG;IACH,IAAI,IAAI,IAAI,MAAM,CAEjB;IAED;;OAEG;IACH,KAAK,IAAI,IAAI;CAGd;AAED;;;;;;;;GAQG;AACH,wBAAgB,0BAA0B,CACxC,MAAM,EAAE,gCAAgC,EACxC,KAAK,SAAiB,GACrB,oBAAoB,CAkBtB;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,oBAAoB,GAAG,OAAO,CAExE;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,oBAAoB,GAAG,MAAM,GAAG,SAAS,CAKjF;AAED;;GAEG;AACH,wBAAgB,uBAAuB,CACrC,OAAO,EAAE,oBAAoB,EAC7B,MAAM,EAAE,cAAc,EACtB,QAAQ,CAAC,EAAE,gBAAgB,GAC1B,IAAI,CAiBN;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,oBAAoB,EAAE,IAAI,EAAE,YAAY,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,CAmB1G"}