@frontmcp/sdk 1.3.0 → 1.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (186) hide show
  1. package/README.md +65 -60
  2. package/agent/agent.scope.d.ts +164 -0
  3. package/agent/agent.scope.d.ts.map +1 -1
  4. package/app/instances/app.esm.instance.d.ts.map +1 -1
  5. package/app/instances/app.remote.instance.d.ts.map +1 -1
  6. package/auth/auth-ui/auth-ui.contract.d.ts +149 -0
  7. package/auth/auth-ui/auth-ui.contract.d.ts.map +1 -0
  8. package/auth/auth-ui/auth-ui.registry.d.ts +151 -0
  9. package/auth/auth-ui/auth-ui.registry.d.ts.map +1 -0
  10. package/auth/auth-ui/auth-ui.render.d.ts +49 -0
  11. package/auth/auth-ui/auth-ui.render.d.ts.map +1 -0
  12. package/auth/auth-ui/auth-ui.state.d.ts +62 -0
  13. package/auth/auth-ui/auth-ui.state.d.ts.map +1 -0
  14. package/auth/auth-ui/index.d.ts +24 -0
  15. package/auth/auth-ui/index.d.ts.map +1 -0
  16. package/auth/auth.registry.d.ts.map +1 -1
  17. package/auth/authorized-apps.utils.d.ts +51 -0
  18. package/auth/authorized-apps.utils.d.ts.map +1 -0
  19. package/auth/consent-tools.helper.d.ts +26 -0
  20. package/auth/consent-tools.helper.d.ts.map +1 -0
  21. package/auth/consent.utils.d.ts +62 -0
  22. package/auth/consent.utils.d.ts.map +1 -0
  23. package/auth/credentials/credentials.context-extension.d.ts +63 -0
  24. package/auth/credentials/credentials.context-extension.d.ts.map +1 -0
  25. package/auth/credentials/credentials.providers.d.ts +40 -0
  26. package/auth/credentials/credentials.providers.d.ts.map +1 -0
  27. package/auth/credentials/index.d.ts +3 -0
  28. package/auth/credentials/index.d.ts.map +1 -0
  29. package/auth/flows/auth.verify.flow.d.ts.map +1 -1
  30. package/auth/flows/oauth.auth-ui.flow.d.ts +53 -0
  31. package/auth/flows/oauth.auth-ui.flow.d.ts.map +1 -0
  32. package/auth/flows/oauth.authorize.flow.d.ts +51 -9
  33. package/auth/flows/oauth.authorize.flow.d.ts.map +1 -1
  34. package/auth/flows/oauth.callback.flow.d.ts +118 -5
  35. package/auth/flows/oauth.callback.flow.d.ts.map +1 -1
  36. package/auth/flows/oauth.connect.flow.d.ts +89 -0
  37. package/auth/flows/oauth.connect.flow.d.ts.map +1 -0
  38. package/auth/flows/oauth.provider-callback.flow.d.ts +34 -4
  39. package/auth/flows/oauth.provider-callback.flow.d.ts.map +1 -1
  40. package/auth/flows/oauth.register.flow.d.ts +16 -20
  41. package/auth/flows/oauth.register.flow.d.ts.map +1 -1
  42. package/auth/flows/oauth.token.flow.d.ts +2 -2
  43. package/auth/flows/oauth.token.flow.d.ts.map +1 -1
  44. package/auth/flows/oauth.userinfo.flow.d.ts +67 -0
  45. package/auth/flows/oauth.userinfo.flow.d.ts.map +1 -0
  46. package/auth/flows/session.verify.flow.d.ts +2 -2
  47. package/auth/flows/session.verify.flow.d.ts.map +1 -1
  48. package/auth/flows/well-known.jwks.flow.d.ts +3 -3
  49. package/auth/flows/well-known.oauth-authorization-server.flow.d.ts +3 -2
  50. package/auth/flows/well-known.oauth-authorization-server.flow.d.ts.map +1 -1
  51. package/auth/flows/well-known.prm.flow.d.ts +1 -1
  52. package/auth/flows/well-known.prm.flow.d.ts.map +1 -1
  53. package/auth/instances/instance.local-primary-auth.d.ts +226 -12
  54. package/auth/instances/instance.local-primary-auth.d.ts.map +1 -1
  55. package/auth/secure-store/index.d.ts +3 -0
  56. package/auth/secure-store/index.d.ts.map +1 -0
  57. package/auth/secure-store/secure-store.context-extension.d.ts +61 -0
  58. package/auth/secure-store/secure-store.context-extension.d.ts.map +1 -0
  59. package/auth/secure-store/secure-store.providers.d.ts +36 -0
  60. package/auth/secure-store/secure-store.providers.d.ts.map +1 -0
  61. package/common/decorators/agent.decorator.d.ts +32 -0
  62. package/common/decorators/agent.decorator.d.ts.map +1 -1
  63. package/common/decorators/app.decorator.d.ts.map +1 -1
  64. package/common/decorators/front-mcp.decorator.d.ts.map +1 -1
  65. package/common/decorators/skill.decorator.d.ts.map +1 -1
  66. package/common/decorators/tool.decorator.d.ts +44 -0
  67. package/common/decorators/tool.decorator.d.ts.map +1 -1
  68. package/common/entries/scope.entry.d.ts +7 -0
  69. package/common/entries/scope.entry.d.ts.map +1 -1
  70. package/common/entries/skill.entry.d.ts +22 -1
  71. package/common/entries/skill.entry.d.ts.map +1 -1
  72. package/common/entries/tool.entry.d.ts +17 -0
  73. package/common/entries/tool.entry.d.ts.map +1 -1
  74. package/common/interfaces/internal/primary-auth-provider.interface.d.ts +18 -0
  75. package/common/interfaces/internal/primary-auth-provider.interface.d.ts.map +1 -1
  76. package/common/interfaces/tool.interface.d.ts +26 -0
  77. package/common/interfaces/tool.interface.d.ts.map +1 -1
  78. package/common/metadata/app.metadata.d.ts +472 -0
  79. package/common/metadata/app.metadata.d.ts.map +1 -1
  80. package/common/metadata/front-mcp.metadata.d.ts +1773 -52
  81. package/common/metadata/front-mcp.metadata.d.ts.map +1 -1
  82. package/common/metadata/index.d.ts +1 -0
  83. package/common/metadata/index.d.ts.map +1 -1
  84. package/common/metadata/output-policy.d.ts +82 -0
  85. package/common/metadata/output-policy.d.ts.map +1 -0
  86. package/common/metadata/skill.metadata.d.ts +45 -1
  87. package/common/metadata/skill.metadata.d.ts.map +1 -1
  88. package/common/metadata/tool-ui.metadata.d.ts +1 -1
  89. package/common/metadata/tool-ui.metadata.d.ts.map +1 -1
  90. package/common/metadata/tool.metadata.d.ts +65 -0
  91. package/common/metadata/tool.metadata.d.ts.map +1 -1
  92. package/common/schemas/http-output.schema.d.ts +25 -25
  93. package/common/schemas/http-output.schema.d.ts.map +1 -1
  94. package/common/tokens/app.tokens.d.ts.map +1 -1
  95. package/common/tokens/front-mcp.tokens.d.ts.map +1 -1
  96. package/common/tokens/skill.tokens.d.ts +2 -0
  97. package/common/tokens/skill.tokens.d.ts.map +1 -1
  98. package/common/tokens/tool.tokens.d.ts +1 -0
  99. package/common/tokens/tool.tokens.d.ts.map +1 -1
  100. package/common/types/auth/session.types.d.ts +2 -2
  101. package/common/types/options/auth/index.d.ts +4 -4
  102. package/common/types/options/auth/index.d.ts.map +1 -1
  103. package/common/types/options/auth/interfaces.d.ts +1 -1
  104. package/common/types/options/auth/interfaces.d.ts.map +1 -1
  105. package/common/types/options/auth/orchestrated.schema.d.ts +1 -1
  106. package/common/types/options/auth/orchestrated.schema.d.ts.map +1 -1
  107. package/common/types/options/auth/shared.schemas.d.ts +2 -2
  108. package/common/types/options/auth/shared.schemas.d.ts.map +1 -1
  109. package/common/types/options/http/index.d.ts +1 -1
  110. package/common/types/options/http/index.d.ts.map +1 -1
  111. package/common/types/options/http/interfaces.d.ts +56 -1
  112. package/common/types/options/http/interfaces.d.ts.map +1 -1
  113. package/common/types/options/http/schema.d.ts +15 -0
  114. package/common/types/options/http/schema.d.ts.map +1 -1
  115. package/common/types/options/session/schema.d.ts +3 -3
  116. package/common/types/options/transport/schema.d.ts +1 -1
  117. package/common/utils/caller-dir.utils.d.ts +15 -0
  118. package/common/utils/caller-dir.utils.d.ts.map +1 -0
  119. package/common/utils/index.d.ts +1 -0
  120. package/common/utils/index.d.ts.map +1 -1
  121. package/errors/index.d.ts +3 -1
  122. package/errors/index.d.ts.map +1 -1
  123. package/errors/mcp.error.d.ts +36 -2
  124. package/errors/mcp.error.d.ts.map +1 -1
  125. package/errors/tool-credentials-required.error.d.ts +70 -0
  126. package/errors/tool-credentials-required.error.d.ts.map +1 -0
  127. package/esm/index.mjs +6551 -2688
  128. package/flows/flow.instance.d.ts.map +1 -1
  129. package/front-mcp/front-mcp.d.ts +52 -32
  130. package/front-mcp/front-mcp.d.ts.map +1 -1
  131. package/front-mcp/front-mcp.providers.d.ts +700 -8
  132. package/front-mcp/front-mcp.providers.d.ts.map +1 -1
  133. package/index.d.ts +29 -4
  134. package/index.d.ts.map +1 -1
  135. package/index.js +7138 -3307
  136. package/package.json +10 -11
  137. package/scope/flows/http.request.flow.d.ts +18 -1
  138. package/scope/flows/http.request.flow.d.ts.map +1 -1
  139. package/scope/optional-dependency.util.d.ts +39 -0
  140. package/scope/optional-dependency.util.d.ts.map +1 -0
  141. package/scope/scope.instance.d.ts +17 -0
  142. package/scope/scope.instance.d.ts.map +1 -1
  143. package/scope/scope.utils.d.ts.map +1 -1
  144. package/server/adapters/express.host.adapter.d.ts.map +1 -1
  145. package/server/custom-routes.helper.d.ts +81 -0
  146. package/server/custom-routes.helper.d.ts.map +1 -0
  147. package/skill/flows/http/llm-full-txt.flow.d.ts +1 -1
  148. package/skill/flows/http/llm-txt.flow.d.ts +1 -1
  149. package/skill/flows/http/skills-api.flow.d.ts +18 -1
  150. package/skill/flows/http/skills-api.flow.d.ts.map +1 -1
  151. package/skill/flows/load-skill.flow.d.ts +7 -0
  152. package/skill/flows/load-skill.flow.d.ts.map +1 -1
  153. package/skill/flows/search-skills.flow.d.ts +13 -0
  154. package/skill/flows/search-skills.flow.d.ts.map +1 -1
  155. package/skill/index.d.ts +1 -0
  156. package/skill/index.d.ts.map +1 -1
  157. package/skill/sep-2640/resources/skill-file.resource.d.ts.map +1 -1
  158. package/skill/sep-2640/resources/skill-index.resource.d.ts.map +1 -1
  159. package/skill/sep-2640/resources/skill-md.resource.d.ts.map +1 -1
  160. package/skill/sep-2640/sep-2640.per-skill.d.ts.map +1 -1
  161. package/skill/skill-authorities.helper.d.ts +100 -0
  162. package/skill/skill-authorities.helper.d.ts.map +1 -0
  163. package/skill/skill.instance.d.ts.map +1 -1
  164. package/skill/skill.registry.d.ts +34 -0
  165. package/skill/skill.registry.d.ts.map +1 -1
  166. package/task/helpers/cli-task-runner.d.ts.map +1 -1
  167. package/tool/flows/call-tool.flow.d.ts +26 -1
  168. package/tool/flows/call-tool.flow.d.ts.map +1 -1
  169. package/tool/flows/tool-credentials.gate.d.ts +31 -0
  170. package/tool/flows/tool-credentials.gate.d.ts.map +1 -0
  171. package/tool/flows/tools-list.flow.d.ts.map +1 -1
  172. package/tool/tool.instance.d.ts.map +1 -1
  173. package/tool/ui/index.d.ts +1 -1
  174. package/tool/ui/index.d.ts.map +1 -1
  175. package/tool/ui/ui-resource.handler.d.ts.map +1 -1
  176. package/tool/ui/ui-shared.d.ts +33 -1
  177. package/tool/ui/ui-shared.d.ts.map +1 -1
  178. package/transport/adapters/transport.local.adapter.d.ts.map +1 -1
  179. package/transport/flows/handle.sse.flow.d.ts +1 -1
  180. package/transport/flows/handle.streamable-http.flow.d.ts +58 -1
  181. package/transport/flows/handle.streamable-http.flow.d.ts.map +1 -1
  182. package/transport/mcp-handlers/call-tool-request.handler.d.ts.map +1 -1
  183. package/transport/mcp-handlers/read-resource-request.handler.d.ts.map +1 -1
  184. package/transport/mcp-handlers/skills-list-request.handler.d.ts.map +1 -1
  185. package/transport/mcp-handlers/skills-load-request.handler.d.ts.map +1 -1
  186. package/transport/mcp-handlers/skills-search-request.handler.d.ts.map +1 -1
@@ -0,0 +1,53 @@
1
+ import { FlowBase, type FlowRunOptions } from '../../common';
2
+ declare const extraInputSchema: import("@frontmcp/lazy-zod").ZodObject<{
3
+ request: import("@frontmcp/lazy-zod").ZodObject<{}, import("zod/v4/core").$loose>;
4
+ response: import("@frontmcp/lazy-zod").ZodObject<{}, import("zod/v4/core").$loose>;
5
+ next: import("@frontmcp/lazy-zod").ZodOptional<import("zod").ZodFunction<import("zod/v4/core").$ZodFunctionArgs, import("zod/v4/core").$ZodFunctionOut>>;
6
+ }, import("zod/v4/core").$strip>;
7
+ declare const extraStateSchema: import("@frontmcp/lazy-zod").ZodObject<{
8
+ action: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodString>;
9
+ pendingAuthId: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodString>;
10
+ csrf: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodString>;
11
+ payload: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodRecord<import("@frontmcp/lazy-zod").ZodString, import("@frontmcp/lazy-zod").ZodUnknown>>;
12
+ }, import("zod/v4/core").$strip>;
13
+ declare const extraOutputSchema: import("@frontmcp/lazy-zod").ZodObject<{
14
+ kind: import("@frontmcp/lazy-zod").ZodLiteral<"json">;
15
+ status: import("@frontmcp/lazy-zod").ZodNumber;
16
+ body: import("@frontmcp/lazy-zod").ZodUnion<readonly [import("@frontmcp/lazy-zod").ZodObject<{}, import("zod/v4/core").$loose>, import("@frontmcp/lazy-zod").ZodArray<import("@frontmcp/lazy-zod").ZodAny>, import("@frontmcp/lazy-zod").ZodRecord<import("@frontmcp/lazy-zod").ZodString, import("@frontmcp/lazy-zod").ZodAny>]>;
17
+ contentType: import("@frontmcp/lazy-zod").ZodDefault<import("@frontmcp/lazy-zod").ZodString>;
18
+ headers: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodDefault<import("@frontmcp/lazy-zod").ZodRecord<import("@frontmcp/lazy-zod").ZodString, import("@frontmcp/lazy-zod").ZodUnion<readonly [import("@frontmcp/lazy-zod").ZodString, import("@frontmcp/lazy-zod").ZodUnion<readonly [import("@frontmcp/lazy-zod").ZodString, import("@frontmcp/lazy-zod").ZodArray<import("@frontmcp/lazy-zod").ZodString>]>]>>>>;
19
+ cookies: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodDefault<import("@frontmcp/lazy-zod").ZodArray<import("@frontmcp/lazy-zod").ZodObject<{
20
+ name: import("@frontmcp/lazy-zod").ZodString;
21
+ value: import("@frontmcp/lazy-zod").ZodString;
22
+ path: import("@frontmcp/lazy-zod").ZodDefault<import("@frontmcp/lazy-zod").ZodString>;
23
+ domain: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodString>;
24
+ httpOnly: import("@frontmcp/lazy-zod").ZodDefault<import("@frontmcp/lazy-zod").ZodBoolean>;
25
+ secure: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodBoolean>;
26
+ sameSite: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodEnum<{
27
+ strict: "strict";
28
+ none: "none";
29
+ lax: "lax";
30
+ }>>;
31
+ maxAge: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodNumber>;
32
+ expires: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodDate>;
33
+ }, import("zod/v4/core").$strip>>>>;
34
+ }, import("zod/v4/core").$strip>;
35
+ declare const extraPlan: {
36
+ readonly pre: ["parseInput"];
37
+ readonly execute: ["handleExtra"];
38
+ };
39
+ declare global {
40
+ interface ExtendFlows {
41
+ 'oauth:auth-ui-extra': FlowRunOptions<OauthAuthUiExtraFlow, typeof extraPlan, typeof extraInputSchema, typeof extraOutputSchema, typeof extraStateSchema>;
42
+ }
43
+ }
44
+ declare const extraName: "oauth:auth-ui-extra";
45
+ export default class OauthAuthUiExtraFlow extends FlowBase<typeof extraName> {
46
+ private logger;
47
+ parseInput(): Promise<void>;
48
+ handleExtra(): Promise<void>;
49
+ /** Verify the extra's CSRF token against the pending record + registry. */
50
+ private verifyExtraCsrf;
51
+ }
52
+ export {};
53
+ //# sourceMappingURL=oauth.auth-ui.flow.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"oauth.auth-ui.flow.d.ts","sourceRoot":"","sources":["../../../src/auth/flows/oauth.auth-ui.flow.ts"],"names":[],"mappings":"AAyBA,OAAO,EAEL,QAAQ,EAMR,KAAK,cAAc,EACpB,MAAM,cAAc,CAAC;AAQtB,QAAA,MAAM,gBAAgB;;;;gCAAkB,CAAC;AACzC,QAAA,MAAM,gBAAgB;;;;;gCAKpB,CAAC;AACH,QAAA,MAAM,iBAAiB;;;;;;;;;;;;;;;;;;;;;gCAAiB,CAAC;AAEzC,QAAA,MAAM,SAAS;;;CAGsB,CAAC;AAEtC,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,WAAW;QACnB,qBAAqB,EAAE,cAAc,CACnC,oBAAoB,EACpB,OAAO,SAAS,EAChB,OAAO,gBAAgB,EACvB,OAAO,iBAAiB,EACxB,OAAO,gBAAgB,CACxB,CAAC;KACH;CACF;AAED,QAAA,MAAM,SAAS,EAAG,qBAA8B,CAAC;AAcjD,MAAM,CAAC,OAAO,OAAO,oBAAqB,SAAQ,QAAQ,CAAC,OAAO,SAAS,CAAC;IAC1E,OAAO,CAAC,MAAM,CAAmD;IAG3D,UAAU;IA6BV,WAAW;IA2BjB,2EAA2E;YAC7D,eAAe;CAkB9B"}
@@ -49,6 +49,7 @@ declare const stateSchema: import("@frontmcp/lazy-zod").ZodObject<{
49
49
  targetAppId: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodString>;
50
50
  targetToolId: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodString>;
51
51
  existingSessionId: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodString>;
52
+ priorAuthorizedAppIds: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodArray<import("@frontmcp/lazy-zod").ZodString>>;
52
53
  requiresFederatedLogin: import("@frontmcp/lazy-zod").ZodDefault<import("@frontmcp/lazy-zod").ZodBoolean>;
53
54
  requiresConsent: import("@frontmcp/lazy-zod").ZodDefault<import("@frontmcp/lazy-zod").ZodBoolean>;
54
55
  isCimdClient: import("@frontmcp/lazy-zod").ZodDefault<import("@frontmcp/lazy-zod").ZodBoolean>;
@@ -93,8 +94,8 @@ declare const outputSchema: import("@frontmcp/lazy-zod").ZodUnion<readonly [impo
93
94
  secure: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodBoolean>;
94
95
  sameSite: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodEnum<{
95
96
  strict: "strict";
96
- lax: "lax";
97
97
  none: "none";
98
+ lax: "lax";
98
99
  }>>;
99
100
  maxAge: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodNumber>;
100
101
  expires: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodDate>;
@@ -114,8 +115,8 @@ declare const outputSchema: import("@frontmcp/lazy-zod").ZodUnion<readonly [impo
114
115
  secure: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodBoolean>;
115
116
  sameSite: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodEnum<{
116
117
  strict: "strict";
117
- lax: "lax";
118
118
  none: "none";
119
+ lax: "lax";
119
120
  }>>;
120
121
  maxAge: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodNumber>;
121
122
  expires: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodDate>;
@@ -133,8 +134,8 @@ declare const outputSchema: import("@frontmcp/lazy-zod").ZodUnion<readonly [impo
133
134
  secure: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodBoolean>;
134
135
  sameSite: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodEnum<{
135
136
  strict: "strict";
136
- lax: "lax";
137
137
  none: "none";
138
+ lax: "lax";
138
139
  }>>;
139
140
  maxAge: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodNumber>;
140
141
  expires: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodDate>;
@@ -160,7 +161,47 @@ export default class OauthAuthorizeFlow extends FlowBase<typeof name> {
160
161
  checkIfAuthorized(): Promise<void>;
161
162
  prepareAuthorizationRequest(): Promise<void>;
162
163
  buildAuthorizeOutput(): Promise<void>;
164
+ /**
165
+ * Render a custom `@AuthUi` slot when one is registered for this scope.
166
+ *
167
+ * Mints the per-pending-auth CSRF token (server-owned), persists it onto the
168
+ * pending authorization record (so the callback can verify it across nodes),
169
+ * builds the {@link AuthFlowState} via `buildState`, SSRs the registered
170
+ * component, and responds with the assembled page + CSP / anti-clickjacking
171
+ * headers. Returns `true` when it handled the slot (caller should `return`),
172
+ * `false` to fall through to the built-in page (no renderer / build failed).
173
+ */
174
+ private tryRenderCustomSlot;
175
+ /**
176
+ * Remote mode (`mode: 'remote'`) auto-federation.
177
+ *
178
+ * Builds a federated auth session for the SINGLE mandatory upstream provider
179
+ * registered by {@link LocalPrimaryAuth.registerRemoteProvider}, starts it
180
+ * (fresh PKCE + state), persists the session, and redirects straight to the
181
+ * upstream IdP's authorization endpoint. This reuses the exact federated
182
+ * machinery the multi-provider local path uses (`/oauth/provider/:id/callback`
183
+ * then completes the exchange, stores upstream tokens, and mints the FrontMCP
184
+ * session token whose identity comes from the upstream user) — but skips the
185
+ * in-tree login page and the provider-selection page entirely.
186
+ *
187
+ * No identity is collected in-tree: the federated session is created with an
188
+ * EMPTY `userInfo` so the minted token's `sub`/`email`/`name` derive solely
189
+ * from the upstream provider (see the provider-callback flow).
190
+ */
191
+ private startRemoteFederation;
163
192
  validateOutput(): Promise<void>;
193
+ /**
194
+ * Enforce the local-AS DCR allowlists (#462) at authorize time. Returns a
195
+ * human-readable rejection reason, or `undefined` when the request is allowed
196
+ * (including when no allowlist is configured, or the auth instance does not
197
+ * expose a DCR registry — e.g. non-local modes).
198
+ *
199
+ * - `allowedRedirectUris`: applies to ALL clients (CIMD or not) as an
200
+ * open-redirect / lateral-movement guard.
201
+ * - `allowedClientIds`: applies only to non-CIMD client ids; CIMD URLs are
202
+ * validated by the CIMD layer instead.
203
+ */
204
+ private checkDcrAllowlist;
164
205
  /**
165
206
  * Format Zod errors into human-readable strings
166
207
  */
@@ -170,7 +211,13 @@ export default class OauthAuthorizeFlow extends FlowBase<typeof name> {
170
211
  */
171
212
  private respondWithError;
172
213
  /**
173
- * Render a simple login page using HTMX templates
214
+ * Render the local login page.
215
+ *
216
+ * Honors `auth.login` (Checkpoint 3a): a `login.render` override yields full
217
+ * custom HTML, `login.fields` extends the built-in form, and otherwise the
218
+ * unchanged default email/name page is rendered. Rendering is delegated to
219
+ * the shared `renderLocalLoginPage` helper so the authorize flow and the
220
+ * callback error re-render stay in sync.
174
221
  */
175
222
  private renderLoginPage;
176
223
  /**
@@ -181,11 +228,6 @@ export default class OauthAuthorizeFlow extends FlowBase<typeof name> {
181
228
  * Render federated login page for multiple auth providers using HTMX templates
182
229
  */
183
230
  private renderFederatedLoginPage;
184
- /**
185
- * Render consent page for tool selection
186
- * This is a placeholder - in production, use Juris/Svelte for the UI
187
- */
188
- private renderConsentPage;
189
231
  /**
190
232
  * Render an error page
191
233
  */
@@ -1 +1 @@
1
- {"version":3,"file":"oauth.authorize.flow.d.ts","sourceRoot":"","sources":["../../../src/auth/flows/oauth.authorize.flow.ts"],"names":[],"mappings":"AA+BA,OAAO,EAAE,CAAC,EAAiB,MAAM,oBAAoB,CAAC;AAEtD,OAAO,EAGL,QAAQ,EAUR,KAAK,cAAc,EACpB,MAAM,cAAc,CAAC;AA6DtB;;GAEG;AACH,QAAA,MAAM,2BAA2B;;;;;;;;;gCAS/B,CAAC;AAEH;;GAEG;AACH,QAAA,MAAM,+BAA+B;;;gCAGnC,CAAC;AAEH,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,2BAA2B,CAAC,CAAC;AAChF,MAAM,MAAM,yBAAyB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,+BAA+B,CAAC,CAAC;AAMxF,QAAA,MAAM,WAAW;;;;gCAAkB,CAAC;AAEpC,QAAA,MAAM,WAAW;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;gCAyBf,CAAC;AAEH,QAAA,MAAM,YAAY;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kCAIhB,CAAC;AAEH,QAAA,MAAM,IAAI;;;;CAQ2B,CAAC;AAEtC,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,WAAW;QACnB,iBAAiB,EAAE,cAAc,CAC/B,kBAAkB,EAClB,OAAO,IAAI,EACX,OAAO,WAAW,EAClB,OAAO,YAAY,EACnB,OAAO,WAAW,CACnB,CAAC;KACH;CACF;AAED,QAAA,MAAM,IAAI,EAAG,iBAA0B,CAAC;AAcxC,MAAM,CAAC,OAAO,OAAO,kBAAmB,SAAQ,QAAQ,CAAC,OAAO,IAAI,CAAC;IACnE,OAAO,CAAC,MAAM,CAAiD;IAGzD,UAAU;IAiEV,aAAa;IAqGb,iBAAiB;IAOjB,2BAA2B;IAmG3B,oBAAoB;IA0GpB,cAAc;IAIpB;;OAEG;IACH,OAAO,CAAC,eAAe;IAOvB;;OAEG;IACH,OAAO,CAAC,gBAAgB;IAuBxB;;OAEG;IACH,OAAO,CAAC,eAAe;IAmBvB;;OAEG;IACH,OAAO,CAAC,yBAAyB;IAyBjC;;OAEG;IACH,OAAO,CAAC,wBAAwB;IA2BhC;;;OAGG;IACH,OAAO,CAAC,iBAAiB;IAkRzB;;OAEG;IACH,OAAO,CAAC,eAAe;CAyCxB"}
1
+ {"version":3,"file":"oauth.authorize.flow.d.ts","sourceRoot":"","sources":["../../../src/auth/flows/oauth.authorize.flow.ts"],"names":[],"mappings":"AAkCA,OAAO,EAAE,CAAC,EAAiB,MAAM,oBAAoB,CAAC;AAGtD,OAAO,EAGL,QAAQ,EAWR,KAAK,cAAc,EACpB,MAAM,cAAc,CAAC;AAwEtB;;GAEG;AACH,QAAA,MAAM,2BAA2B;;;;;;;;;gCAS/B,CAAC;AAEH;;GAEG;AACH,QAAA,MAAM,+BAA+B;;;gCAGnC,CAAC;AAEH,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,2BAA2B,CAAC,CAAC;AAChF,MAAM,MAAM,yBAAyB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,+BAA+B,CAAC,CAAC;AAMxF,QAAA,MAAM,WAAW;;;;gCAAkB,CAAC;AAEpC,QAAA,MAAM,WAAW;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;gCAgCf,CAAC;AAEH,QAAA,MAAM,YAAY;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kCAIhB,CAAC;AAEH,QAAA,MAAM,IAAI;;;;CAQ2B,CAAC;AAEtC,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,WAAW;QACnB,iBAAiB,EAAE,cAAc,CAC/B,kBAAkB,EAClB,OAAO,IAAI,EACX,OAAO,WAAW,EAClB,OAAO,YAAY,EACnB,OAAO,WAAW,CACnB,CAAC;KACH;CACF;AAED,QAAA,MAAM,IAAI,EAAG,iBAA0B,CAAC;AAkCxC,MAAM,CAAC,OAAO,OAAO,kBAAmB,SAAQ,QAAQ,CAAC,OAAO,IAAI,CAAC;IACnE,OAAO,CAAC,MAAM,CAAiD;IAGzD,UAAU;IAmFV,aAAa;IAuHb,iBAAiB;IAOjB,2BAA2B;IAoH3B,oBAAoB;IAiL1B;;;;;;;;;OASG;YACW,mBAAmB;IA4CjC;;;;;;;;;;;;;;;OAeG;YACW,qBAAqB;IAsE7B,cAAc;IAIpB;;;;;;;;;;OAUG;IACH,OAAO,CAAC,iBAAiB;IAkBzB;;OAEG;IACH,OAAO,CAAC,eAAe;IAOvB;;OAEG;IACH,OAAO,CAAC,gBAAgB;IAuBxB;;;;;;;;OAQG;IACH,OAAO,CAAC,eAAe;IA+BvB;;OAEG;IACH,OAAO,CAAC,yBAAyB;IAyBjC;;OAEG;IACH,OAAO,CAAC,wBAAwB;IA2BhC;;OAEG;IACH,OAAO,CAAC,eAAe;CAyCxB"}
@@ -29,16 +29,27 @@ declare const stateSchema: import("@frontmcp/lazy-zod").ZodObject<{
29
29
  resource: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodString>;
30
30
  authorizationCode: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodString>;
31
31
  userSub: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodString>;
32
+ loginFields: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodRecord<import("@frontmcp/lazy-zod").ZodString, import("@frontmcp/lazy-zod").ZodString>>;
33
+ customClaims: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodRecord<import("@frontmcp/lazy-zod").ZodString, import("@frontmcp/lazy-zod").ZodUnknown>>;
34
+ credentials: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodArray<import("@frontmcp/lazy-zod").ZodObject<{
35
+ key: import("@frontmcp/lazy-zod").ZodString;
36
+ secret: import("@frontmcp/lazy-zod").ZodString;
37
+ metadata: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodRecord<import("@frontmcp/lazy-zod").ZodString, import("@frontmcp/lazy-zod").ZodUnknown>>;
38
+ }, import("zod/v4/core").$strip>>>;
32
39
  isIncremental: import("@frontmcp/lazy-zod").ZodDefault<import("@frontmcp/lazy-zod").ZodBoolean>;
33
40
  targetAppId: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodString>;
34
41
  targetToolId: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodString>;
35
42
  existingSessionId: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodString>;
36
43
  existingAuthorizationId: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodString>;
44
+ priorAuthorizedAppIds: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodArray<import("@frontmcp/lazy-zod").ZodString>>;
45
+ authorizedAppIds: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodArray<import("@frontmcp/lazy-zod").ZodString>>;
37
46
  isFederated: import("@frontmcp/lazy-zod").ZodDefault<import("@frontmcp/lazy-zod").ZodBoolean>;
38
47
  selectedProviders: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodArray<import("@frontmcp/lazy-zod").ZodString>>;
39
48
  skippedProviders: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodArray<import("@frontmcp/lazy-zod").ZodString>>;
40
49
  consentEnabled: import("@frontmcp/lazy-zod").ZodDefault<import("@frontmcp/lazy-zod").ZodBoolean>;
41
50
  selectedTools: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodArray<import("@frontmcp/lazy-zod").ZodString>>;
51
+ consentSubmitted: import("@frontmcp/lazy-zod").ZodDefault<import("@frontmcp/lazy-zod").ZodBoolean>;
52
+ csrf: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodString>;
42
53
  }, import("zod/v4/core").$strip>;
43
54
  declare const outputSchema: import("@frontmcp/lazy-zod").ZodUnion<readonly [import("@frontmcp/lazy-zod").ZodObject<{
44
55
  kind: import("@frontmcp/lazy-zod").ZodLiteral<"redirect">;
@@ -54,8 +65,8 @@ declare const outputSchema: import("@frontmcp/lazy-zod").ZodUnion<readonly [impo
54
65
  secure: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodBoolean>;
55
66
  sameSite: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodEnum<{
56
67
  strict: "strict";
57
- lax: "lax";
58
68
  none: "none";
69
+ lax: "lax";
59
70
  }>>;
60
71
  maxAge: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodNumber>;
61
72
  expires: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodDate>;
@@ -73,8 +84,8 @@ declare const outputSchema: import("@frontmcp/lazy-zod").ZodUnion<readonly [impo
73
84
  secure: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodBoolean>;
74
85
  sameSite: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodEnum<{
75
86
  strict: "strict";
76
- lax: "lax";
77
87
  none: "none";
88
+ lax: "lax";
78
89
  }>>;
79
90
  maxAge: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodNumber>;
80
91
  expires: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodDate>;
@@ -97,9 +108,33 @@ export default class OauthCallbackFlow extends FlowBase<typeof name> {
97
108
  parseInput(): Promise<void>;
98
109
  validatePendingAuth(): Promise<void>;
99
110
  /**
100
- * Handle incremental authorization - expand existing session's token vault
101
- * For incremental auth, we add the app to the existing authorization without
102
- * requiring full re-authentication
111
+ * Compute the progressive/incremental authorization grant for the minted
112
+ * token (the `authorized_apps` claim).
113
+ *
114
+ * EXPANSION model (claim-based, enforceable — mirrors how consent/federated
115
+ * grants already work in this codebase): the authorized-app set lives in the
116
+ * minted token's `authorized_apps` claim, which `checkToolAuthorization`
117
+ * enforces. Both the initial login and an incremental authorize mint a token
118
+ * via the normal code exchange; the difference is the computed grant:
119
+ *
120
+ * - INITIAL login: grant = the apps the client requested via `apps=`
121
+ * (`priorAuthorizedAppIds`); if none requested, grant ALL scope apps (a
122
+ * plain login keeps working for everything).
123
+ * - INCREMENTAL authorize (`mode=incremental&app=B`): grant = the prior apps
124
+ * (carried forward via `apps=`) UNION the newly-authorized `targetAppId`.
125
+ * So after authorizing app B, a `tools/call` on B's tool succeeds while app
126
+ * A keeps working — WITHOUT re-authorizing A.
127
+ *
128
+ * This stage ONLY emits a grant when `incrementalAuth.enabled` is true for an
129
+ * orchestrated scope. When incremental auth is disabled or the scope is not
130
+ * orchestrated, it leaves `authorizedAppIds` undefined → NO `authorized_apps`
131
+ * claim is minted → NO app-level gating (the historical allow-all behavior is
132
+ * preserved exactly). Federated logins mint their token in the provider
133
+ * callback flow, so this stage is a no-op for them.
134
+ *
135
+ * Unknown app ids (not present in the scope) are dropped so a client can never
136
+ * forge a grant to a non-existent app; app-level gating is per-real-app, so a
137
+ * bogus id is harmless anyway.
103
138
  */
104
139
  handleIncrementalAuth(): Promise<void>;
105
140
  /**
@@ -112,6 +147,84 @@ export default class OauthCallbackFlow extends FlowBase<typeof name> {
112
147
  handleFederatedAuth(): Promise<void>;
113
148
  createAuthorizationCode(): Promise<void>;
114
149
  redirectToClient(): Promise<void>;
150
+ /**
151
+ * Reserved OAuth/flow control params that must never be treated as custom
152
+ * login fields when collecting input for a custom `authenticate` verifier.
153
+ */
154
+ private static readonly RESERVED_LOGIN_PARAMS;
155
+ /**
156
+ * Collect submitted login-field values (built-in `email`/`name` plus any
157
+ * custom `login.fields`) from the GET query and a urlencoded POST body.
158
+ * Reserved OAuth/flow control params are excluded so they cannot be forwarded
159
+ * to the verifier as if they were login fields. Only string values are kept.
160
+ */
161
+ /**
162
+ * Defensively read a single param from a urlencoded POST body (some adapters
163
+ * parse the body into `request.body`). The consent form uses a GET round-trip
164
+ * (mirroring the federated page) so query params are the primary source; this
165
+ * is a fallback for adapters that route a POST body instead. Multi-valued
166
+ * keys keep all values so checkbox groups (`tools`) survive a POST.
167
+ */
168
+ private readBodyParam;
169
+ private collectLoginFields;
170
+ /**
171
+ * Build the {@link AuthenticateContext} from the flow scope and invoke the
172
+ * configured verifier. Verifier exceptions are caught and converted to a
173
+ * generic failure so a throwing verifier never produces a 500.
174
+ */
175
+ private runAuthenticate;
176
+ /**
177
+ * Outbound fetch handed to the verifier. Routes through the auth instance's
178
+ * `fetch` when available (so tests / adapters can intercept it), else the
179
+ * global fetch.
180
+ */
181
+ private contextFetch;
182
+ /**
183
+ * Resolve a human-readable client name for the verifier context. Uses the
184
+ * CIMD `client_name` when the client_id is a CIMD URL and resolvable; falls
185
+ * back to the raw client_id.
186
+ */
187
+ private resolveClientName;
188
+ /**
189
+ * Derive a subject from the configured login subject strategy.
190
+ *
191
+ * - `per-account`: hash the value of `login.subject.fromField` into a stable
192
+ * subject (same account → same `sub`).
193
+ * - otherwise (`per-session` / unset): return undefined so the caller falls
194
+ * back to the anonymous subject.
195
+ */
196
+ private deriveSubjectFromStrategy;
197
+ /**
198
+ * Re-render the local login page after a failed authenticate(), surfacing the
199
+ * verifier's message (and pre-selecting `retryField`). Submitted values are
200
+ * preserved on the form so the user does not have to re-enter everything.
201
+ */
202
+ private renderLoginRetryPage;
203
+ /**
204
+ * Render a custom `@AuthUi({ slot: 'consent' })` page when one is registered.
205
+ *
206
+ * Mints + persists the per-pending-auth CSRF token (reusing any token a prior
207
+ * custom page already set on the record, so a consent re-render keeps the same
208
+ * token), builds the consent {@link AuthFlowState} from the SAME tool
209
+ * projection the built-in screen uses, SSRs the component, and responds with
210
+ * the assembled page + CSP headers. Returns `true` when handled.
211
+ */
212
+ private tryRenderCustomConsent;
213
+ /**
214
+ * Render the tool-consent screen.
215
+ *
216
+ * The form GETs back to `/oauth/callback` carrying `pending_auth_id`,
217
+ * `consent_submitted=1`, the resolved identity (`email`/`name` + any custom
218
+ * `login.fields`), and the chosen `tools=` checkboxes — so the resubmit
219
+ * re-derives the SAME subject and proceeds to mint.
220
+ *
221
+ * Honors the `auth.consent` flags: `groupByApp`, `showDescriptions`,
222
+ * `customMessage`, `allowSelectAll`, `requireSelection`, `defaultSelectedTools`
223
+ * (pre-checked), and `excludedTools` (filtered out of the offered set by
224
+ * {@link projectConsentTools}). `error` re-renders the screen with a banner
225
+ * (used for an empty `requireSelection` submit).
226
+ */
227
+ private renderConsentScreen;
115
228
  /**
116
229
  * Generate a stable user sub from email
117
230
  * In production, this would be the user's ID from the database
@@ -1 +1 @@
1
- {"version":3,"file":"oauth.callback.flow.d.ts","sourceRoot":"","sources":["../../../src/auth/flows/oauth.callback.flow.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAGH,OAAO,EAAE,CAAC,EAAE,MAAM,oBAAoB,CAAC;AAGvC,OAAO,EAEL,QAAQ,EAOR,KAAK,cAAc,EACpB,MAAM,cAAc,CAAC;AAGtB,QAAA,MAAM,WAAW;;;;gCAAkB,CAAC;AAEpC,QAAA,MAAM,WAAW;;;;;;;;;;;;;;;;;;;;;;gCA4Bf,CAAC;AAEH,QAAA,MAAM,YAAY;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kCAAgD,CAAC;AAEnE,QAAA,MAAM,IAAI;;;CAG2B,CAAC;AAEtC,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,WAAW;QACnB,gBAAgB,EAAE,cAAc,CAC9B,iBAAiB,EACjB,OAAO,IAAI,EACX,OAAO,WAAW,EAClB,OAAO,YAAY,EACnB,OAAO,WAAW,CACnB,CAAC;KACH;CACF;AAED,QAAA,MAAM,IAAI,EAAG,gBAAyB,CAAC;AAcvC,MAAM,CAAC,OAAO,OAAO,iBAAkB,SAAQ,QAAQ,CAAC,OAAO,IAAI,CAAC;IAClE,OAAO,CAAC,MAAM,CAAgD;IAGxD,UAAU;IAsDV,mBAAmB;IAqHzB;;;;OAIG;IAEG,qBAAqB;IAyB3B;;;;;;OAMG;IAEG,mBAAmB;IAiInB,uBAAuB;IAmEvB,gBAAgB;IAqCtB;;;OAGG;IACH,OAAO,CAAC,eAAe;IAQvB;;OAEG;IACH,OAAO,CAAC,eAAe;CAqDxB"}
1
+ {"version":3,"file":"oauth.callback.flow.d.ts","sourceRoot":"","sources":["../../../src/auth/flows/oauth.callback.flow.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAgBH,OAAO,EAAE,CAAC,EAAE,MAAM,oBAAoB,CAAC;AAGvC,OAAO,EAEL,QAAQ,EAQR,KAAK,cAAc,EACpB,MAAM,cAAc,CAAC;AAKtB,QAAA,MAAM,WAAW;;;;gCAAkB,CAAC;AAEpC,QAAA,MAAM,WAAW;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;gCA2Df,CAAC;AAEH,QAAA,MAAM,YAAY;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kCAAgD,CAAC;AAEnE,QAAA,MAAM,IAAI;;;CAG2B,CAAC;AAEtC,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,WAAW;QACnB,gBAAgB,EAAE,cAAc,CAC9B,iBAAiB,EACjB,OAAO,IAAI,EACX,OAAO,WAAW,EAClB,OAAO,YAAY,EACnB,OAAO,WAAW,CACnB,CAAC;KACH;CACF;AAED,QAAA,MAAM,IAAI,EAAG,gBAAyB,CAAC;AAcvC,MAAM,CAAC,OAAO,OAAO,iBAAkB,SAAQ,QAAQ,CAAC,OAAO,IAAI,CAAC;IAClE,OAAO,CAAC,MAAM,CAAgD;IAGxD,UAAU;IA6EV,mBAAmB;IAoXzB;;;;;;;;;;;;;;;;;;;;;;;;;;;;OA4BG;IAEG,qBAAqB;IA2D3B;;;;;;OAMG;IAEG,mBAAmB;IAiInB,uBAAuB;IA2GvB,gBAAgB;IAyCtB;;;OAGG;IACH,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,qBAAqB,CAoB1C;IAEH;;;;;OAKG;IACH;;;;;;OAMG;IACH,OAAO,CAAC,aAAa;IAYrB,OAAO,CAAC,kBAAkB;IAsB1B;;;;OAIG;YACW,eAAe;IAgC7B;;;;OAIG;IACH,OAAO,CAAC,YAAY;IAQpB;;;;OAIG;YACW,iBAAiB;IAoB/B;;;;;;;OAOG;IACH,OAAO,CAAC,yBAAyB;IAYjC;;;;OAIG;IACH,OAAO,CAAC,oBAAoB;IAmB5B;;;;;;;;OAQG;YACW,sBAAsB;IA0EpC;;;;;;;;;;;;;OAaG;IACH,OAAO,CAAC,mBAAmB;IA8D3B;;;OAGG;IACH,OAAO,CAAC,eAAe;IAQvB;;OAEG;IACH,OAAO,CAAC,eAAe;CAqDxB"}
@@ -0,0 +1,89 @@
1
+ /**
2
+ * OAuth Connect Endpoint — GET|POST /oauth/connect (Checkpoint 3b)
3
+ *
4
+ * Mid-session add-credential flow reached via a FRAMEWORK-SIGNED resume URL that
5
+ * `this.credentials.requireConnect({ key })` hands back when a credential is not
6
+ * connected.
7
+ *
8
+ * - GET /oauth/connect?token=… → verify the signed token, render a single
9
+ * add-credential field (reusing the 3a `login.fields` render surface).
10
+ * - POST /oauth/connect → re-verify the token, re-invoke the
11
+ * configured `authenticate({ fields, resume: { sub, key, context } })`
12
+ * verifier, and ADDITIVELY store the returned credential into the user's
13
+ * EXISTING vault. Refuses when there is no live vault (never mints a new one)
14
+ * so a stale link cannot resurrect a rotated-away session.
15
+ *
16
+ * This is auth-internal: it lives on the existing OAuth flow surface (registered
17
+ * by LocalPrimaryAuth), not via the public custom-route feature.
18
+ */
19
+ import { FlowBase, type FlowRunOptions } from '../../common';
20
+ declare const inputSchema: import("@frontmcp/lazy-zod").ZodObject<{
21
+ request: import("@frontmcp/lazy-zod").ZodObject<{}, import("zod/v4/core").$loose>;
22
+ response: import("@frontmcp/lazy-zod").ZodObject<{}, import("zod/v4/core").$loose>;
23
+ next: import("@frontmcp/lazy-zod").ZodOptional<import("zod").ZodFunction<import("zod/v4/core").$ZodFunctionArgs, import("zod/v4/core").$ZodFunctionOut>>;
24
+ }, import("zod/v4/core").$strip>;
25
+ declare const stateSchema: import("@frontmcp/lazy-zod").ZodObject<{
26
+ method: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodString>;
27
+ token: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodString>;
28
+ fields: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodRecord<import("@frontmcp/lazy-zod").ZodString, import("@frontmcp/lazy-zod").ZodString>>;
29
+ }, import("zod/v4/core").$strip>;
30
+ declare const outputSchema: import("@frontmcp/lazy-zod").ZodObject<{
31
+ status: import("@frontmcp/lazy-zod").ZodNumber;
32
+ body: import("@frontmcp/lazy-zod").ZodString;
33
+ headers: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodDefault<import("@frontmcp/lazy-zod").ZodRecord<import("@frontmcp/lazy-zod").ZodString, import("@frontmcp/lazy-zod").ZodUnion<readonly [import("@frontmcp/lazy-zod").ZodString, import("@frontmcp/lazy-zod").ZodUnion<readonly [import("@frontmcp/lazy-zod").ZodString, import("@frontmcp/lazy-zod").ZodArray<import("@frontmcp/lazy-zod").ZodString>]>]>>>>;
34
+ cookies: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodDefault<import("@frontmcp/lazy-zod").ZodArray<import("@frontmcp/lazy-zod").ZodObject<{
35
+ name: import("@frontmcp/lazy-zod").ZodString;
36
+ value: import("@frontmcp/lazy-zod").ZodString;
37
+ path: import("@frontmcp/lazy-zod").ZodDefault<import("@frontmcp/lazy-zod").ZodString>;
38
+ domain: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodString>;
39
+ httpOnly: import("@frontmcp/lazy-zod").ZodDefault<import("@frontmcp/lazy-zod").ZodBoolean>;
40
+ secure: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodBoolean>;
41
+ sameSite: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodEnum<{
42
+ strict: "strict";
43
+ none: "none";
44
+ lax: "lax";
45
+ }>>;
46
+ maxAge: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodNumber>;
47
+ expires: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodDate>;
48
+ }, import("zod/v4/core").$strip>>>>;
49
+ kind: import("@frontmcp/lazy-zod").ZodLiteral<"html">;
50
+ contentType: import("@frontmcp/lazy-zod").ZodDefault<import("@frontmcp/lazy-zod").ZodLiteral<"text/html; charset=utf-8">>;
51
+ }, import("zod/v4/core").$strip>;
52
+ declare const plan: {
53
+ readonly pre: ["parseInput"];
54
+ readonly execute: ["handleConnect"];
55
+ };
56
+ declare global {
57
+ interface ExtendFlows {
58
+ 'oauth:connect': FlowRunOptions<OauthConnectFlow, typeof plan, typeof inputSchema, typeof outputSchema, typeof stateSchema>;
59
+ }
60
+ }
61
+ declare const name: "oauth:connect";
62
+ export default class OauthConnectFlow extends FlowBase<typeof name> {
63
+ private logger;
64
+ parseInput(): Promise<void>;
65
+ handleConnect(): Promise<void>;
66
+ /** Verify the signed resume token against the server secret (constant-time + expiry). */
67
+ private verifyToken;
68
+ /** Resolve the single credential field to render from `login.fields` (first field), or a default. */
69
+ private resolveConnectField;
70
+ /** Render the single-field connect page (reusing the login field renderer). */
71
+ private renderConnectPage;
72
+ /**
73
+ * Build the {@link AuthenticateContext} and invoke the verifier with the resume
74
+ * context. A throwing verifier is converted into a clean failure.
75
+ */
76
+ private runAuthenticate;
77
+ /** Outbound fetch handed to the verifier (routes through the auth instance when available). */
78
+ private contextFetch;
79
+ /** Fire a `notifications/resources/updated` to connected sessions (best-effort). */
80
+ private notifyResourcesUpdated;
81
+ /** Parse a urlencoded/JSON POST body into a flat record. */
82
+ private coerceBody;
83
+ /** Collect submitted credential field values from query + body (excluding reserved params). */
84
+ private collectFields;
85
+ /** Render a small error page (escaped). */
86
+ private renderError;
87
+ }
88
+ export {};
89
+ //# sourceMappingURL=oauth.connect.flow.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"oauth.connect.flow.d.ts","sourceRoot":"","sources":["../../../src/auth/flows/oauth.connect.flow.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAgBH,OAAO,EAEL,QAAQ,EAMR,KAAK,cAAc,EAEpB,MAAM,cAAc,CAAC;AAGtB,QAAA,MAAM,WAAW;;;;gCAAkB,CAAC;AAEpC,QAAA,MAAM,WAAW;;;;gCAOf,CAAC;AAEH,QAAA,MAAM,YAAY;;;;;;;;;;;;;;;;;;;;;gCAAiB,CAAC;AAEpC,QAAA,MAAM,IAAI;;;CAG2B,CAAC;AAEtC,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,WAAW;QACnB,eAAe,EAAE,cAAc,CAC7B,gBAAgB,EAChB,OAAO,IAAI,EACX,OAAO,WAAW,EAClB,OAAO,YAAY,EACnB,OAAO,WAAW,CACnB,CAAC;KACH;CACF;AAED,QAAA,MAAM,IAAI,EAAG,eAAwB,CAAC;AAiBtC,MAAM,CAAC,OAAO,OAAO,gBAAiB,SAAQ,QAAQ,CAAC,OAAO,IAAI,CAAC;IACjE,OAAO,CAAC,MAAM,CAA+C;IAGvD,UAAU;IAeV,aAAa;IAwHnB,yFAAyF;IACzF,OAAO,CAAC,WAAW;IAKnB,qGAAqG;IACrG,OAAO,CAAC,mBAAmB;IAW3B,+EAA+E;IAC/E,OAAO,CAAC,iBAAiB;IAoBzB;;;OAGG;YACW,eAAe;IA4B7B,+FAA+F;IAC/F,OAAO,CAAC,YAAY;IAQpB,oFAAoF;IACpF,OAAO,CAAC,sBAAsB;IAiB9B,4DAA4D;IAC5D,OAAO,CAAC,UAAU;IAyBlB,+FAA+F;IAC/F,OAAO,CAAC,aAAa;IAerB,2CAA2C;IAC3C,OAAO,CAAC,WAAW;CAQpB"}
@@ -34,6 +34,9 @@ declare const stateSchema: import("@frontmcp/lazy-zod").ZodObject<{
34
34
  federatedSession: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodUnknown>;
35
35
  providerTokens: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodUnknown>;
36
36
  providerUserInfo: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodUnknown>;
37
+ consentSessionId: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodString>;
38
+ consentSubmitted: import("@frontmcp/lazy-zod").ZodDefault<import("@frontmcp/lazy-zod").ZodBoolean>;
39
+ selectedTools: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodArray<import("@frontmcp/lazy-zod").ZodString>>;
37
40
  }, import("zod/v4/core").$strip>;
38
41
  declare const outputSchema: import("@frontmcp/lazy-zod").ZodUnion<readonly [import("@frontmcp/lazy-zod").ZodObject<{
39
42
  kind: import("@frontmcp/lazy-zod").ZodLiteral<"redirect">;
@@ -49,8 +52,8 @@ declare const outputSchema: import("@frontmcp/lazy-zod").ZodUnion<readonly [impo
49
52
  secure: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodBoolean>;
50
53
  sameSite: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodEnum<{
51
54
  strict: "strict";
52
- lax: "lax";
53
55
  none: "none";
56
+ lax: "lax";
54
57
  }>>;
55
58
  maxAge: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodNumber>;
56
59
  expires: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodDate>;
@@ -68,8 +71,8 @@ declare const outputSchema: import("@frontmcp/lazy-zod").ZodUnion<readonly [impo
68
71
  secure: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodBoolean>;
69
72
  sameSite: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodEnum<{
70
73
  strict: "strict";
71
- lax: "lax";
72
74
  none: "none";
75
+ lax: "lax";
73
76
  }>>;
74
77
  maxAge: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodNumber>;
75
78
  expires: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodDate>;
@@ -78,7 +81,7 @@ declare const outputSchema: import("@frontmcp/lazy-zod").ZodUnion<readonly [impo
78
81
  contentType: import("@frontmcp/lazy-zod").ZodDefault<import("@frontmcp/lazy-zod").ZodLiteral<"text/html; charset=utf-8">>;
79
82
  }, import("zod/v4/core").$strip>]>;
80
83
  declare const plan: {
81
- readonly pre: ["parseInput", "loadFederatedSession", "validateProviderCallback"];
84
+ readonly pre: ["parseInput", "handleConsentSubmission", "loadFederatedSession", "validateProviderCallback"];
82
85
  readonly execute: ["exchangeProviderCode", "storeProviderTokens", "handleNextProviderOrComplete"];
83
86
  };
84
87
  declare global {
@@ -95,15 +98,42 @@ export default class OauthProviderCallbackFlow extends FlowBase<typeof name> {
95
98
  */
96
99
  private getLocalAuth;
97
100
  parseInput(): Promise<void>;
101
+ /**
102
+ * Handle a consent-screen submission for a federated login.
103
+ *
104
+ * Federated logins complete (mint the code) here, AFTER all providers are
105
+ * linked. When consent mode is enabled, {@link completeFederatedAuth} first
106
+ * renders the consent screen, which GETs back to this endpoint with
107
+ * `consent_session=<sessionId>` + `tools=`. This stage loads that still alive
108
+ * session, applies the selection (validating + `requireSelection`), and
109
+ * completes the mint — short-circuiting the provider-code path entirely.
110
+ */
111
+ handleConsentSubmission(): Promise<void>;
98
112
  loadFederatedSession(): Promise<void>;
99
113
  validateProviderCallback(): Promise<void>;
100
114
  exchangeProviderCode(): Promise<void>;
101
115
  storeProviderTokens(): Promise<void>;
102
116
  handleNextProviderOrComplete(): Promise<void>;
103
117
  /**
104
- * Complete the federated auth flow and issue FrontMCP JWT
118
+ * Complete the federated auth flow and issue FrontMCP JWT.
119
+ *
120
+ * When consent mode is enabled this runs in two passes:
121
+ * 1. First reach (no `consent.consentSubmitted`): render the consent screen,
122
+ * which GETs back to this endpoint with `consent_session` + `tools=`. The
123
+ * federated session is kept ALIVE for the round-trip.
124
+ * 2. Resubmit (`consent.consentSubmitted` true): validate the selection
125
+ * (honoring `requireSelection`) and mint the code with the consented set.
126
+ *
127
+ * With consent disabled, it mints immediately (historical behavior).
105
128
  */
106
129
  private completeFederatedAuth;
130
+ /**
131
+ * Render the federated consent screen. The form GETs back to this provider
132
+ * callback endpoint with `consent_session=<sessionId>` + the chosen `tools=`
133
+ * (and `consent_submitted=1`), so {@link handleConsentSubmission} completes
134
+ * the mint. Honors the same `auth.consent` flags as the non-federated path.
135
+ */
136
+ private renderConsentScreen;
107
137
  /**
108
138
  * Generate a deterministic user sub from email
109
139
  */
@@ -1 +1 @@
1
- {"version":3,"file":"oauth.provider-callback.flow.d.ts","sourceRoot":"","sources":["../../../src/auth/flows/oauth.provider-callback.flow.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAaH,OAAO,EAAE,CAAC,EAAE,MAAM,oBAAoB,CAAC;AAGvC,OAAO,EAEL,QAAQ,EAQR,KAAK,cAAc,EACpB,MAAM,cAAc,CAAC;AAItB,QAAA,MAAM,WAAW;;;;gCAAkB,CAAC;AAEpC,QAAA,MAAM,WAAW;;;;;;;;;;gCAcf,CAAC;AAEH,QAAA,MAAM,YAAY;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kCAAgD,CAAC;AAEnE,QAAA,MAAM,IAAI;;;CAG2B,CAAC;AAEtC,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,WAAW;QACnB,yBAAyB,EAAE,cAAc,CACvC,yBAAyB,EACzB,OAAO,IAAI,EACX,OAAO,WAAW,EAClB,OAAO,YAAY,EACnB,OAAO,WAAW,CACnB,CAAC;KACH;CACF;AAED,QAAA,MAAM,IAAI,EAAG,yBAAkC,CAAC;AAchD,MAAM,CAAC,OAAO,OAAO,yBAA0B,SAAQ,QAAQ,CAAC,OAAO,IAAI,CAAC;IAC1E,OAAO,CAAC,MAAM,CAAwD;IAEtE;;;OAGG;IACH,OAAO,CAAC,YAAY;IASd,UAAU;IA0BV,oBAAoB;IAkEpB,wBAAwB;IAmDxB,oBAAoB;IA0EpB,mBAAmB;IAkDnB,4BAA4B;IAkElC;;OAEG;YACW,qBAAqB;IA8CnC;;OAEG;IACH,OAAO,CAAC,eAAe;IAQvB;;OAEG;IACH,OAAO,CAAC,eAAe;IAqDvB,OAAO,CAAC,kBAAkB;CAO3B"}
1
+ {"version":3,"file":"oauth.provider-callback.flow.d.ts","sourceRoot":"","sources":["../../../src/auth/flows/oauth.provider-callback.flow.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAeH,OAAO,EAAE,CAAC,EAAE,MAAM,oBAAoB,CAAC;AAGvC,OAAO,EAEL,QAAQ,EAQR,KAAK,cAAc,EACpB,MAAM,cAAc,CAAC;AAKtB,QAAA,MAAM,WAAW;;;;gCAAkB,CAAC;AAEpC,QAAA,MAAM,WAAW;;;;;;;;;;;;;gCAmBf,CAAC;AAEH,QAAA,MAAM,YAAY;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kCAAgD,CAAC;AAEnE,QAAA,MAAM,IAAI;;;CAG2B,CAAC;AAEtC,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,WAAW;QACnB,yBAAyB,EAAE,cAAc,CACvC,yBAAyB,EACzB,OAAO,IAAI,EACX,OAAO,WAAW,EAClB,OAAO,YAAY,EACnB,OAAO,WAAW,CACnB,CAAC;KACH;CACF;AAED,QAAA,MAAM,IAAI,EAAG,yBAAkC,CAAC;AAchD,MAAM,CAAC,OAAO,OAAO,yBAA0B,SAAQ,QAAQ,CAAC,OAAO,IAAI,CAAC;IAC1E,OAAO,CAAC,MAAM,CAAwD;IAEtE;;;OAGG;IACH,OAAO,CAAC,YAAY;IASd,UAAU;IAoChB;;;;;;;;;OASG;IAEG,uBAAuB;IAyCvB,oBAAoB;IAkEpB,wBAAwB;IAmDxB,oBAAoB;IA0EpB,mBAAmB;IAoEnB,4BAA4B;IAkElC;;;;;;;;;;;OAWG;YACW,qBAAqB;IAkKnC;;;;;OAKG;IACH,OAAO,CAAC,mBAAmB;IAsC3B;;OAEG;IACH,OAAO,CAAC,eAAe;IAQvB;;OAEG;IACH,OAAO,CAAC,eAAe;IAqDvB,OAAO,CAAC,kBAAkB;CAO3B"}
@@ -4,26 +4,20 @@
4
4
  * Who calls: Developers/automation.
5
5
  *
6
6
  * Purpose: Let clients register programmatically (redirect URIs, grant types, etc.).
7
+ *
8
+ * Control surface (#462): the LOCAL Authorization Server's DCR is governed by
9
+ * the declarative `auth.dcr` block. When `dcr` is omitted the historical
10
+ * behavior is preserved exactly — registration is enabled in development and
11
+ * disabled in production (via `isProduction()`), with no allowlist and no
12
+ * initial access token. When configured, this flow enforces:
13
+ * - `dcr.enabled === false` → 404 (behave as if the endpoint does not exist)
14
+ * - `dcr.initialAccessToken` → require `Authorization: Bearer <token>` (401)
15
+ * - `dcr.allowedClientIds` → registrations are pinned to an allowed id (400)
16
+ * - `dcr.allowedRedirectUris` → reject unlisted redirect_uris (400)
17
+ * Registered clients are stored on the per-instance {@link DcrClientRegistry}
18
+ * (LocalPrimaryAuth), so the authorize/token flows can validate them.
7
19
  */
8
20
  import { FlowBase, type FlowRunOptions } from '../../common';
9
- /** Simple in-memory registry (dev only) */
10
- type RegisteredClient = {
11
- client_id: string;
12
- client_secret?: string;
13
- token_endpoint_auth_method: 'none' | 'client_secret_basic' | 'client_secret_post' | 'private_key_jwt' | 'tls_client_auth';
14
- grant_types: string[];
15
- response_types: string[];
16
- redirect_uris: string[];
17
- client_name?: string;
18
- scope?: string;
19
- created_at: number;
20
- dev: boolean;
21
- };
22
- /** Optional: export getters so other flows can validate client_id */
23
- export declare const DevClientRegistry: {
24
- get(client_id: string): RegisteredClient | undefined;
25
- has(client_id: string): boolean;
26
- };
27
21
  declare const inputSchema: import("@frontmcp/lazy-zod").ZodObject<{
28
22
  request: import("@frontmcp/lazy-zod").ZodObject<{}, import("zod/v4/core").$loose>;
29
23
  response: import("@frontmcp/lazy-zod").ZodObject<{}, import("zod/v4/core").$loose>;
@@ -44,8 +38,8 @@ declare const outputSchema: import("@frontmcp/lazy-zod").ZodObject<{
44
38
  secure: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodBoolean>;
45
39
  sameSite: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodEnum<{
46
40
  strict: "strict";
47
- lax: "lax";
48
41
  none: "none";
42
+ lax: "lax";
49
43
  }>>;
50
44
  maxAge: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodNumber>;
51
45
  expires: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodDate>;
@@ -72,7 +66,7 @@ declare const stateSchema: import("@frontmcp/lazy-zod").ZodObject<{
72
66
  client_name: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodString>;
73
67
  scope: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodString>;
74
68
  }, import("zod/v4/core").$loose>;
75
- isDev: import("@frontmcp/lazy-zod").ZodBoolean;
69
+ dcrEnabled: import("@frontmcp/lazy-zod").ZodBoolean;
76
70
  }, import("zod/v4/core").$strip>;
77
71
  declare const plan: {
78
72
  readonly pre: ["parseInput", "validateInput"];
@@ -87,6 +81,8 @@ declare global {
87
81
  declare const name: "oauth:register";
88
82
  export default class OauthRegisterFlow extends FlowBase<typeof name> {
89
83
  private registered?;
84
+ /** The local AS primary auth, which owns the DCR client registry (#462). */
85
+ private get localAuth();
90
86
  parseInput(): Promise<void>;
91
87
  validateInput(): Promise<void>;
92
88
  registerClient(): Promise<void>;
@@ -1 +1 @@
1
- {"version":3,"file":"oauth.register.flow.d.ts","sourceRoot":"","sources":["../../../src/auth/flows/oauth.register.flow.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAkBH,OAAO,EAEL,QAAQ,EAMR,KAAK,cAAc,EACpB,MAAM,cAAc,CAAC;AAEtB,2CAA2C;AAC3C,KAAK,gBAAgB,GAAG;IACtB,SAAS,EAAE,MAAM,CAAC;IAClB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,0BAA0B,EACtB,MAAM,GACN,qBAAqB,GACrB,oBAAoB,GACpB,iBAAiB,GACjB,iBAAiB,CAAC;IACtB,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,cAAc,EAAE,MAAM,EAAE,CAAC;IACzB,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,GAAG,EAAE,OAAO,CAAC;CACd,CAAC;AAIF,qEAAqE;AACrE,eAAO,MAAM,iBAAiB;mBACb,MAAM;mBAGN,MAAM;CAGtB,CAAC;AAEF,QAAA,MAAM,WAAW;;;;gCAAkB,CAAC;AACpC,QAAA,MAAM,YAAY;;;;;;;;;;;;;;;;;;;;;gCAAiB,CAAC;AAkBpC,QAAA,MAAM,WAAW;;;;;;;;;;;;;;;;;;;;;;gCAGf,CAAC;AAEH,QAAA,MAAM,IAAI;;;;CAI2B,CAAC;AAEtC,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,WAAW;QACnB,gBAAgB,EAAE,cAAc,CAC9B,iBAAiB,EACjB,OAAO,IAAI,EACX,OAAO,WAAW,EAClB,OAAO,YAAY,EACnB,OAAO,WAAW,CACnB,CAAC;KACH;CACF;AAED,QAAA,MAAM,IAAI,EAAG,gBAAyB,CAAC;AAcvC,MAAM,CAAC,OAAO,OAAO,iBAAkB,SAAQ,QAAQ,CAAC,OAAO,IAAI,CAAC;IAClE,OAAO,CAAC,UAAU,CAAC,CAAmB;IAGhC,UAAU;IAaV,aAAa;IAwEb,cAAc;IA6Bd,mBAAmB;IAqBnB,cAAc;CAGrB"}
1
+ {"version":3,"file":"oauth.register.flow.d.ts","sourceRoot":"","sources":["../../../src/auth/flows/oauth.register.flow.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAmBH,OAAO,EAEL,QAAQ,EAMR,KAAK,cAAc,EACpB,MAAM,cAAc,CAAC;AAGtB,QAAA,MAAM,WAAW;;;;gCAAkB,CAAC;AACpC,QAAA,MAAM,YAAY;;;;;;;;;;;;;;;;;;;;;gCAAiB,CAAC;AAkBpC,QAAA,MAAM,WAAW;;;;;;;;;;;;;;;;;;;;;;gCAIf,CAAC;AAEH,QAAA,MAAM,IAAI;;;;CAI2B,CAAC;AAEtC,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,WAAW;QACnB,gBAAgB,EAAE,cAAc,CAC9B,iBAAiB,EACjB,OAAO,IAAI,EACX,OAAO,WAAW,EAClB,OAAO,YAAY,EACnB,OAAO,WAAW,CACnB,CAAC;KACH;CACF;AAED,QAAA,MAAM,IAAI,EAAG,gBAAyB,CAAC;AAsBvC,MAAM,CAAC,OAAO,OAAO,iBAAkB,SAAQ,QAAQ,CAAC,OAAO,IAAI,CAAC;IAClE,OAAO,CAAC,UAAU,CAAC,CAAmB;IAEtC,4EAA4E;IAC5E,OAAO,KAAK,SAAS,GAEpB;IAGK,UAAU;IAeV,aAAa;IAyIb,cAAc;IA6Bd,mBAAmB;IA8BnB,cAAc;CAGrB"}