@frontmcp/sdk 1.3.0 → 1.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (186) hide show
  1. package/README.md +65 -60
  2. package/agent/agent.scope.d.ts +164 -0
  3. package/agent/agent.scope.d.ts.map +1 -1
  4. package/app/instances/app.esm.instance.d.ts.map +1 -1
  5. package/app/instances/app.remote.instance.d.ts.map +1 -1
  6. package/auth/auth-ui/auth-ui.contract.d.ts +149 -0
  7. package/auth/auth-ui/auth-ui.contract.d.ts.map +1 -0
  8. package/auth/auth-ui/auth-ui.registry.d.ts +151 -0
  9. package/auth/auth-ui/auth-ui.registry.d.ts.map +1 -0
  10. package/auth/auth-ui/auth-ui.render.d.ts +49 -0
  11. package/auth/auth-ui/auth-ui.render.d.ts.map +1 -0
  12. package/auth/auth-ui/auth-ui.state.d.ts +62 -0
  13. package/auth/auth-ui/auth-ui.state.d.ts.map +1 -0
  14. package/auth/auth-ui/index.d.ts +24 -0
  15. package/auth/auth-ui/index.d.ts.map +1 -0
  16. package/auth/auth.registry.d.ts.map +1 -1
  17. package/auth/authorized-apps.utils.d.ts +51 -0
  18. package/auth/authorized-apps.utils.d.ts.map +1 -0
  19. package/auth/consent-tools.helper.d.ts +26 -0
  20. package/auth/consent-tools.helper.d.ts.map +1 -0
  21. package/auth/consent.utils.d.ts +62 -0
  22. package/auth/consent.utils.d.ts.map +1 -0
  23. package/auth/credentials/credentials.context-extension.d.ts +63 -0
  24. package/auth/credentials/credentials.context-extension.d.ts.map +1 -0
  25. package/auth/credentials/credentials.providers.d.ts +40 -0
  26. package/auth/credentials/credentials.providers.d.ts.map +1 -0
  27. package/auth/credentials/index.d.ts +3 -0
  28. package/auth/credentials/index.d.ts.map +1 -0
  29. package/auth/flows/auth.verify.flow.d.ts.map +1 -1
  30. package/auth/flows/oauth.auth-ui.flow.d.ts +53 -0
  31. package/auth/flows/oauth.auth-ui.flow.d.ts.map +1 -0
  32. package/auth/flows/oauth.authorize.flow.d.ts +51 -9
  33. package/auth/flows/oauth.authorize.flow.d.ts.map +1 -1
  34. package/auth/flows/oauth.callback.flow.d.ts +118 -5
  35. package/auth/flows/oauth.callback.flow.d.ts.map +1 -1
  36. package/auth/flows/oauth.connect.flow.d.ts +89 -0
  37. package/auth/flows/oauth.connect.flow.d.ts.map +1 -0
  38. package/auth/flows/oauth.provider-callback.flow.d.ts +34 -4
  39. package/auth/flows/oauth.provider-callback.flow.d.ts.map +1 -1
  40. package/auth/flows/oauth.register.flow.d.ts +16 -20
  41. package/auth/flows/oauth.register.flow.d.ts.map +1 -1
  42. package/auth/flows/oauth.token.flow.d.ts +2 -2
  43. package/auth/flows/oauth.token.flow.d.ts.map +1 -1
  44. package/auth/flows/oauth.userinfo.flow.d.ts +67 -0
  45. package/auth/flows/oauth.userinfo.flow.d.ts.map +1 -0
  46. package/auth/flows/session.verify.flow.d.ts +2 -2
  47. package/auth/flows/session.verify.flow.d.ts.map +1 -1
  48. package/auth/flows/well-known.jwks.flow.d.ts +3 -3
  49. package/auth/flows/well-known.oauth-authorization-server.flow.d.ts +3 -2
  50. package/auth/flows/well-known.oauth-authorization-server.flow.d.ts.map +1 -1
  51. package/auth/flows/well-known.prm.flow.d.ts +1 -1
  52. package/auth/flows/well-known.prm.flow.d.ts.map +1 -1
  53. package/auth/instances/instance.local-primary-auth.d.ts +226 -12
  54. package/auth/instances/instance.local-primary-auth.d.ts.map +1 -1
  55. package/auth/secure-store/index.d.ts +3 -0
  56. package/auth/secure-store/index.d.ts.map +1 -0
  57. package/auth/secure-store/secure-store.context-extension.d.ts +61 -0
  58. package/auth/secure-store/secure-store.context-extension.d.ts.map +1 -0
  59. package/auth/secure-store/secure-store.providers.d.ts +36 -0
  60. package/auth/secure-store/secure-store.providers.d.ts.map +1 -0
  61. package/common/decorators/agent.decorator.d.ts +32 -0
  62. package/common/decorators/agent.decorator.d.ts.map +1 -1
  63. package/common/decorators/app.decorator.d.ts.map +1 -1
  64. package/common/decorators/front-mcp.decorator.d.ts.map +1 -1
  65. package/common/decorators/skill.decorator.d.ts.map +1 -1
  66. package/common/decorators/tool.decorator.d.ts +44 -0
  67. package/common/decorators/tool.decorator.d.ts.map +1 -1
  68. package/common/entries/scope.entry.d.ts +7 -0
  69. package/common/entries/scope.entry.d.ts.map +1 -1
  70. package/common/entries/skill.entry.d.ts +22 -1
  71. package/common/entries/skill.entry.d.ts.map +1 -1
  72. package/common/entries/tool.entry.d.ts +17 -0
  73. package/common/entries/tool.entry.d.ts.map +1 -1
  74. package/common/interfaces/internal/primary-auth-provider.interface.d.ts +18 -0
  75. package/common/interfaces/internal/primary-auth-provider.interface.d.ts.map +1 -1
  76. package/common/interfaces/tool.interface.d.ts +26 -0
  77. package/common/interfaces/tool.interface.d.ts.map +1 -1
  78. package/common/metadata/app.metadata.d.ts +472 -0
  79. package/common/metadata/app.metadata.d.ts.map +1 -1
  80. package/common/metadata/front-mcp.metadata.d.ts +1773 -52
  81. package/common/metadata/front-mcp.metadata.d.ts.map +1 -1
  82. package/common/metadata/index.d.ts +1 -0
  83. package/common/metadata/index.d.ts.map +1 -1
  84. package/common/metadata/output-policy.d.ts +82 -0
  85. package/common/metadata/output-policy.d.ts.map +1 -0
  86. package/common/metadata/skill.metadata.d.ts +45 -1
  87. package/common/metadata/skill.metadata.d.ts.map +1 -1
  88. package/common/metadata/tool-ui.metadata.d.ts +1 -1
  89. package/common/metadata/tool-ui.metadata.d.ts.map +1 -1
  90. package/common/metadata/tool.metadata.d.ts +65 -0
  91. package/common/metadata/tool.metadata.d.ts.map +1 -1
  92. package/common/schemas/http-output.schema.d.ts +25 -25
  93. package/common/schemas/http-output.schema.d.ts.map +1 -1
  94. package/common/tokens/app.tokens.d.ts.map +1 -1
  95. package/common/tokens/front-mcp.tokens.d.ts.map +1 -1
  96. package/common/tokens/skill.tokens.d.ts +2 -0
  97. package/common/tokens/skill.tokens.d.ts.map +1 -1
  98. package/common/tokens/tool.tokens.d.ts +1 -0
  99. package/common/tokens/tool.tokens.d.ts.map +1 -1
  100. package/common/types/auth/session.types.d.ts +2 -2
  101. package/common/types/options/auth/index.d.ts +4 -4
  102. package/common/types/options/auth/index.d.ts.map +1 -1
  103. package/common/types/options/auth/interfaces.d.ts +1 -1
  104. package/common/types/options/auth/interfaces.d.ts.map +1 -1
  105. package/common/types/options/auth/orchestrated.schema.d.ts +1 -1
  106. package/common/types/options/auth/orchestrated.schema.d.ts.map +1 -1
  107. package/common/types/options/auth/shared.schemas.d.ts +2 -2
  108. package/common/types/options/auth/shared.schemas.d.ts.map +1 -1
  109. package/common/types/options/http/index.d.ts +1 -1
  110. package/common/types/options/http/index.d.ts.map +1 -1
  111. package/common/types/options/http/interfaces.d.ts +56 -1
  112. package/common/types/options/http/interfaces.d.ts.map +1 -1
  113. package/common/types/options/http/schema.d.ts +15 -0
  114. package/common/types/options/http/schema.d.ts.map +1 -1
  115. package/common/types/options/session/schema.d.ts +3 -3
  116. package/common/types/options/transport/schema.d.ts +1 -1
  117. package/common/utils/caller-dir.utils.d.ts +15 -0
  118. package/common/utils/caller-dir.utils.d.ts.map +1 -0
  119. package/common/utils/index.d.ts +1 -0
  120. package/common/utils/index.d.ts.map +1 -1
  121. package/errors/index.d.ts +3 -1
  122. package/errors/index.d.ts.map +1 -1
  123. package/errors/mcp.error.d.ts +36 -2
  124. package/errors/mcp.error.d.ts.map +1 -1
  125. package/errors/tool-credentials-required.error.d.ts +70 -0
  126. package/errors/tool-credentials-required.error.d.ts.map +1 -0
  127. package/esm/index.mjs +6551 -2688
  128. package/flows/flow.instance.d.ts.map +1 -1
  129. package/front-mcp/front-mcp.d.ts +52 -32
  130. package/front-mcp/front-mcp.d.ts.map +1 -1
  131. package/front-mcp/front-mcp.providers.d.ts +700 -8
  132. package/front-mcp/front-mcp.providers.d.ts.map +1 -1
  133. package/index.d.ts +29 -4
  134. package/index.d.ts.map +1 -1
  135. package/index.js +7138 -3307
  136. package/package.json +10 -11
  137. package/scope/flows/http.request.flow.d.ts +18 -1
  138. package/scope/flows/http.request.flow.d.ts.map +1 -1
  139. package/scope/optional-dependency.util.d.ts +39 -0
  140. package/scope/optional-dependency.util.d.ts.map +1 -0
  141. package/scope/scope.instance.d.ts +17 -0
  142. package/scope/scope.instance.d.ts.map +1 -1
  143. package/scope/scope.utils.d.ts.map +1 -1
  144. package/server/adapters/express.host.adapter.d.ts.map +1 -1
  145. package/server/custom-routes.helper.d.ts +81 -0
  146. package/server/custom-routes.helper.d.ts.map +1 -0
  147. package/skill/flows/http/llm-full-txt.flow.d.ts +1 -1
  148. package/skill/flows/http/llm-txt.flow.d.ts +1 -1
  149. package/skill/flows/http/skills-api.flow.d.ts +18 -1
  150. package/skill/flows/http/skills-api.flow.d.ts.map +1 -1
  151. package/skill/flows/load-skill.flow.d.ts +7 -0
  152. package/skill/flows/load-skill.flow.d.ts.map +1 -1
  153. package/skill/flows/search-skills.flow.d.ts +13 -0
  154. package/skill/flows/search-skills.flow.d.ts.map +1 -1
  155. package/skill/index.d.ts +1 -0
  156. package/skill/index.d.ts.map +1 -1
  157. package/skill/sep-2640/resources/skill-file.resource.d.ts.map +1 -1
  158. package/skill/sep-2640/resources/skill-index.resource.d.ts.map +1 -1
  159. package/skill/sep-2640/resources/skill-md.resource.d.ts.map +1 -1
  160. package/skill/sep-2640/sep-2640.per-skill.d.ts.map +1 -1
  161. package/skill/skill-authorities.helper.d.ts +100 -0
  162. package/skill/skill-authorities.helper.d.ts.map +1 -0
  163. package/skill/skill.instance.d.ts.map +1 -1
  164. package/skill/skill.registry.d.ts +34 -0
  165. package/skill/skill.registry.d.ts.map +1 -1
  166. package/task/helpers/cli-task-runner.d.ts.map +1 -1
  167. package/tool/flows/call-tool.flow.d.ts +26 -1
  168. package/tool/flows/call-tool.flow.d.ts.map +1 -1
  169. package/tool/flows/tool-credentials.gate.d.ts +31 -0
  170. package/tool/flows/tool-credentials.gate.d.ts.map +1 -0
  171. package/tool/flows/tools-list.flow.d.ts.map +1 -1
  172. package/tool/tool.instance.d.ts.map +1 -1
  173. package/tool/ui/index.d.ts +1 -1
  174. package/tool/ui/index.d.ts.map +1 -1
  175. package/tool/ui/ui-resource.handler.d.ts.map +1 -1
  176. package/tool/ui/ui-shared.d.ts +33 -1
  177. package/tool/ui/ui-shared.d.ts.map +1 -1
  178. package/transport/adapters/transport.local.adapter.d.ts.map +1 -1
  179. package/transport/flows/handle.sse.flow.d.ts +1 -1
  180. package/transport/flows/handle.streamable-http.flow.d.ts +58 -1
  181. package/transport/flows/handle.streamable-http.flow.d.ts.map +1 -1
  182. package/transport/mcp-handlers/call-tool-request.handler.d.ts.map +1 -1
  183. package/transport/mcp-handlers/read-resource-request.handler.d.ts.map +1 -1
  184. package/transport/mcp-handlers/skills-list-request.handler.d.ts.map +1 -1
  185. package/transport/mcp-handlers/skills-load-request.handler.d.ts.map +1 -1
  186. package/transport/mcp-handlers/skills-search-request.handler.d.ts.map +1 -1
@@ -51,9 +51,9 @@ declare const stateSchema: import("@frontmcp/lazy-zod").ZodObject<{
51
51
  client_id: import("@frontmcp/lazy-zod").ZodString;
52
52
  }, import("zod/v4/core").$strip>], "grant_type">>;
53
53
  grantType: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodEnum<{
54
- anonymous: "anonymous";
55
54
  authorization_code: "authorization_code";
56
55
  refresh_token: "refresh_token";
56
+ anonymous: "anonymous";
57
57
  }>>;
58
58
  isDefaultAuthProvider: import("@frontmcp/lazy-zod").ZodBoolean;
59
59
  isOrchestrated: import("@frontmcp/lazy-zod").ZodBoolean;
@@ -82,8 +82,8 @@ declare const outputSchema: import("@frontmcp/lazy-zod").ZodObject<{
82
82
  secure: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodBoolean>;
83
83
  sameSite: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodEnum<{
84
84
  strict: "strict";
85
- lax: "lax";
86
85
  none: "none";
86
+ lax: "lax";
87
87
  }>>;
88
88
  maxAge: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodNumber>;
89
89
  expires: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodDate>;
@@ -1 +1 @@
1
- {"version":3,"file":"oauth.token.flow.d.ts","sourceRoot":"","sources":["../../../src/auth/flows/oauth.token.flow.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AACH;;;;;;;;GAQG;AACH;;;;;;;;;;;GAWG;AAgCH,OAAO,EAGL,QAAQ,EAOR,KAAK,cAAc,EACpB,MAAM,cAAc,CAAC;AAGtB,QAAA,MAAM,WAAW;;;;gCAAkB,CAAC;AA2CpC,QAAA,MAAM,WAAW;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;gCAkBf,CAAC;AAEH,QAAA,MAAM,YAAY;;;;;;;;;;;;;;;;;;;;;gCAAiB,CAAC;AAEpC,QAAA,MAAM,IAAI;;;;CAI2B,CAAC;AAEtC,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,WAAW;QACnB,aAAa,EAAE,cAAc,CAC3B,cAAc,EACd,OAAO,IAAI,EACX,OAAO,WAAW,EAClB,OAAO,YAAY,EACnB,OAAO,WAAW,CACnB,CAAC;KACH;CACF;AAED,QAAA,MAAM,IAAI,EAAG,aAAsB,CAAC;AAcpC,MAAM,CAAC,OAAO,OAAO,cAAe,SAAQ,QAAQ,CAAC,OAAO,IAAI,CAAC;IAC/D,OAAO,CAAC,MAAM,CAA6C;IAGrD,UAAU;IA4BV,aAAa;IAmBb,4BAA4B;IAiD5B,uBAAuB;IAiDvB,oBAAoB;IAkCpB,kBAAkB;IAqBlB,cAAc;CAGrB"}
1
+ {"version":3,"file":"oauth.token.flow.d.ts","sourceRoot":"","sources":["../../../src/auth/flows/oauth.token.flow.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AACH;;;;;;;;GAQG;AACH;;;;;;;;;;;GAWG;AAgCH,OAAO,EAGL,QAAQ,EAOR,KAAK,cAAc,EAEpB,MAAM,cAAc,CAAC;AAGtB,QAAA,MAAM,WAAW;;;;gCAAkB,CAAC;AAgGpC,QAAA,MAAM,WAAW;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;gCAkBf,CAAC;AAEH,QAAA,MAAM,YAAY;;;;;;;;;;;;;;;;;;;;;gCAAiB,CAAC;AAEpC,QAAA,MAAM,IAAI;;;;CAI2B,CAAC;AAEtC,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,WAAW;QACnB,aAAa,EAAE,cAAc,CAC3B,cAAc,EACd,OAAO,IAAI,EACX,OAAO,WAAW,EAClB,OAAO,YAAY,EACnB,OAAO,WAAW,CACnB,CAAC;KACH;CACF;AAED,QAAA,MAAM,IAAI,EAAG,aAAsB,CAAC;AAcpC,MAAM,CAAC,OAAO,OAAO,cAAe,SAAQ,QAAQ,CAAC,OAAO,IAAI,CAAC;IAC/D,OAAO,CAAC,MAAM,CAA6C;IAGrD,UAAU;IAyCV,aAAa;IAmBb,4BAA4B;IAiD5B,uBAAuB;IAiDvB,oBAAoB;IAkCpB,kBAAkB;IAqBlB,cAAc;CAGrB"}
@@ -0,0 +1,67 @@
1
+ /**
2
+ * UserInfo Endpoint — GET /oauth/userinfo
3
+ *
4
+ * Who calls: a client holding a FrontMCP-issued access token.
5
+ *
6
+ * When: after obtaining an access token via /oauth/token, to resolve the
7
+ * authenticated user's claims (OIDC userinfo-style).
8
+ *
9
+ * Purpose: verify the Bearer token's HS256 signature + lifetime via the
10
+ * auth instance's {@link LocalPrimaryAuth.verifyGatewayToken} and return the
11
+ * user claims (`sub`, plus `email`/`name`/`picture` when present) as JSON.
12
+ * Returns 401 when the Authorization header is missing or the token fails
13
+ * verification.
14
+ *
15
+ * This endpoint backs the `userinfo_endpoint` advertised by the
16
+ * oauth-authorization-server discovery document in orchestrated/local mode.
17
+ */
18
+ import 'reflect-metadata';
19
+ import { FlowBase, type FlowRunOptions } from '../../common';
20
+ declare const inputSchema: import("@frontmcp/lazy-zod").ZodObject<{
21
+ request: import("@frontmcp/lazy-zod").ZodObject<{}, import("zod/v4/core").$loose>;
22
+ response: import("@frontmcp/lazy-zod").ZodObject<{}, import("zod/v4/core").$loose>;
23
+ next: import("@frontmcp/lazy-zod").ZodOptional<import("zod").ZodFunction<import("zod/v4/core").$ZodFunctionArgs, import("zod/v4/core").$ZodFunctionOut>>;
24
+ }, import("zod/v4/core").$strip>;
25
+ declare const stateSchema: import("@frontmcp/lazy-zod").ZodObject<{
26
+ token: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodString>;
27
+ baseUrl: import("@frontmcp/lazy-zod").ZodString;
28
+ }, import("zod/v4/core").$strip>;
29
+ declare const outputSchema: import("@frontmcp/lazy-zod").ZodObject<{
30
+ kind: import("@frontmcp/lazy-zod").ZodLiteral<"json">;
31
+ status: import("@frontmcp/lazy-zod").ZodNumber;
32
+ body: import("@frontmcp/lazy-zod").ZodUnion<readonly [import("@frontmcp/lazy-zod").ZodObject<{}, import("zod/v4/core").$loose>, import("@frontmcp/lazy-zod").ZodArray<import("@frontmcp/lazy-zod").ZodAny>, import("@frontmcp/lazy-zod").ZodRecord<import("@frontmcp/lazy-zod").ZodString, import("@frontmcp/lazy-zod").ZodAny>]>;
33
+ contentType: import("@frontmcp/lazy-zod").ZodDefault<import("@frontmcp/lazy-zod").ZodString>;
34
+ headers: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodDefault<import("@frontmcp/lazy-zod").ZodRecord<import("@frontmcp/lazy-zod").ZodString, import("@frontmcp/lazy-zod").ZodUnion<readonly [import("@frontmcp/lazy-zod").ZodString, import("@frontmcp/lazy-zod").ZodUnion<readonly [import("@frontmcp/lazy-zod").ZodString, import("@frontmcp/lazy-zod").ZodArray<import("@frontmcp/lazy-zod").ZodString>]>]>>>>;
35
+ cookies: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodDefault<import("@frontmcp/lazy-zod").ZodArray<import("@frontmcp/lazy-zod").ZodObject<{
36
+ name: import("@frontmcp/lazy-zod").ZodString;
37
+ value: import("@frontmcp/lazy-zod").ZodString;
38
+ path: import("@frontmcp/lazy-zod").ZodDefault<import("@frontmcp/lazy-zod").ZodString>;
39
+ domain: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodString>;
40
+ httpOnly: import("@frontmcp/lazy-zod").ZodDefault<import("@frontmcp/lazy-zod").ZodBoolean>;
41
+ secure: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodBoolean>;
42
+ sameSite: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodEnum<{
43
+ strict: "strict";
44
+ none: "none";
45
+ lax: "lax";
46
+ }>>;
47
+ maxAge: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodNumber>;
48
+ expires: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodDate>;
49
+ }, import("zod/v4/core").$strip>>>>;
50
+ }, import("zod/v4/core").$strip>;
51
+ declare const plan: {
52
+ readonly pre: ["parseInput"];
53
+ readonly execute: ["verifyAndRespond"];
54
+ };
55
+ declare global {
56
+ interface ExtendFlows {
57
+ 'oauth:userinfo': FlowRunOptions<OauthUserInfoFlow, typeof plan, typeof inputSchema, typeof outputSchema, typeof stateSchema>;
58
+ }
59
+ }
60
+ declare const name: "oauth:userinfo";
61
+ export default class OauthUserInfoFlow extends FlowBase<typeof name> {
62
+ private logger;
63
+ parseInput(): Promise<void>;
64
+ verifyAndRespond(): Promise<void>;
65
+ }
66
+ export {};
67
+ //# sourceMappingURL=oauth.userinfo.flow.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"oauth.userinfo.flow.d.ts","sourceRoot":"","sources":["../../../src/auth/flows/oauth.userinfo.flow.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AACH,OAAO,kBAAkB,CAAC;AAK1B,OAAO,EAEL,QAAQ,EAOR,KAAK,cAAc,EACpB,MAAM,cAAc,CAAC;AAGtB,QAAA,MAAM,WAAW;;;;gCAAkB,CAAC;AAEpC,QAAA,MAAM,WAAW;;;gCAGf,CAAC;AAEH,QAAA,MAAM,YAAY;;;;;;;;;;;;;;;;;;;;;gCAAiB,CAAC;AAEpC,QAAA,MAAM,IAAI;;;CAG2B,CAAC;AAEtC,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,WAAW;QACnB,gBAAgB,EAAE,cAAc,CAC9B,iBAAiB,EACjB,OAAO,IAAI,EACX,OAAO,WAAW,EAClB,OAAO,YAAY,EACnB,OAAO,WAAW,CACnB,CAAC;KACH;CACF;AAED,QAAA,MAAM,IAAI,EAAG,gBAAyB,CAAC;AAcvC,MAAM,CAAC,OAAO,OAAO,iBAAkB,SAAQ,QAAQ,CAAC,OAAO,IAAI,CAAC;IAClE,OAAO,CAAC,MAAM,CAAgD;IAGxD,UAAU;IASV,gBAAgB;CAuDvB"}
@@ -44,11 +44,11 @@ declare const stateSchema: import("@frontmcp/lazy-zod").ZodObject<{
44
44
  isPublic: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodBoolean>;
45
45
  platformType: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodEnum<{
46
46
  unknown: "unknown";
47
+ continue: "continue";
47
48
  openai: "openai";
48
49
  claude: "claude";
49
50
  gemini: "gemini";
50
51
  cursor: "cursor";
51
- continue: "continue";
52
52
  cody: "cody";
53
53
  "generic-mcp": "generic-mcp";
54
54
  "ext-apps": "ext-apps";
@@ -84,11 +84,11 @@ export declare const sessionVerifyOutputSchema: import("@frontmcp/lazy-zod").Zod
84
84
  isPublic: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodBoolean>;
85
85
  platformType: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodEnum<{
86
86
  unknown: "unknown";
87
+ continue: "continue";
87
88
  openai: "openai";
88
89
  claude: "claude";
89
90
  gemini: "gemini";
90
91
  cursor: "cursor";
91
- continue: "continue";
92
92
  cody: "cody";
93
93
  "generic-mcp": "generic-mcp";
94
94
  "ext-apps": "ext-apps";
@@ -1 +1 @@
1
- {"version":3,"file":"session.verify.flow.d.ts","sourceRoot":"","sources":["../../../src/auth/flows/session.verify.flow.ts"],"names":[],"mappings":"AACA,OAAO,EAGL,QAAQ,EAWR,KAAK,cAAc,EAEpB,MAAM,cAAc,CAAC;AAEtB,OAAO,kBAAkB,CAAC;AAoB1B,QAAA,MAAM,WAAW;;gCAAyB,CAAC;AAE3C,QAAA,MAAM,WAAW;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;gCAaf,CAAC;AAuBH,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kCAAmE,CAAC;AAE1G,QAAA,MAAM,IAAI;;;CAG2B,CAAC;AAEtC,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,WAAW;QACnB,gBAAgB,EAAE,cAAc,CAC9B,iBAAiB,EACjB,OAAO,IAAI,EACX,OAAO,WAAW,EAClB,OAAO,yBAAyB,EAChC,OAAO,WAAW,CACnB,CAAC;KACH;CACF;AAED,QAAA,MAAM,IAAI,EAAG,gBAAyB,CAAC;AAyBvC,MAAM,CAAC,OAAO,OAAO,iBAAkB,SAAQ,QAAQ,CAAC,OAAO,IAAI,CAAC;IAClE,MAAM,wCAA+C;IAErD,OAAO,CAAC,OAAO;IAMf;;;OAGG;IACH,OAAO,CAAC,sBAAsB;IAoExB,UAAU;IAiDhB;;;;;;;OAOG;IAEG,gBAAgB;IAwBtB;;;OAGG;IAUG,uBAAuB;IA4BvB,+BAA+B;IAQrC;;;;;;;OAOG;IAEG,WAAW;IAyGX,UAAU;IAIhB;;;;;OAKG;IAEG,kBAAkB;IAclB,qBAAqB;CAoB5B"}
1
+ {"version":3,"file":"session.verify.flow.d.ts","sourceRoot":"","sources":["../../../src/auth/flows/session.verify.flow.ts"],"names":[],"mappings":"AACA,OAAO,EAGL,QAAQ,EAWR,KAAK,cAAc,EAEpB,MAAM,cAAc,CAAC;AAEtB,OAAO,kBAAkB,CAAC;AAoB1B,QAAA,MAAM,WAAW;;gCAAyB,CAAC;AAE3C,QAAA,MAAM,WAAW;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;gCAaf,CAAC;AAuBH,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kCAAmE,CAAC;AAE1G,QAAA,MAAM,IAAI;;;CAG2B,CAAC;AAEtC,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,WAAW;QACnB,gBAAgB,EAAE,cAAc,CAC9B,iBAAiB,EACjB,OAAO,IAAI,EACX,OAAO,WAAW,EAClB,OAAO,yBAAyB,EAChC,OAAO,WAAW,CACnB,CAAC;KACH;CACF;AAED,QAAA,MAAM,IAAI,EAAG,gBAAyB,CAAC;AAyBvC,MAAM,CAAC,OAAO,OAAO,iBAAkB,SAAQ,QAAQ,CAAC,OAAO,IAAI,CAAC;IAClE,MAAM,wCAA+C;IAErD,OAAO,CAAC,OAAO;IAMf;;;OAGG;IACH,OAAO,CAAC,sBAAsB;IAoExB,UAAU;IAiDhB;;;;;;;OAOG;IAEG,gBAAgB;IAwBtB;;;OAGG;IAUG,uBAAuB;IA4BvB,+BAA+B;IAQrC;;;;;;;OAOG;IAEG,WAAW;IA4GX,UAAU;IAIhB;;;;;OAKG;IAEG,kBAAkB;IAclB,qBAAqB;CAoB5B"}
@@ -24,8 +24,8 @@ declare const outputSchema: import("@frontmcp/lazy-zod").ZodUnion<readonly [impo
24
24
  secure: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodBoolean>;
25
25
  sameSite: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodEnum<{
26
26
  strict: "strict";
27
- lax: "lax";
28
27
  none: "none";
28
+ lax: "lax";
29
29
  }>>;
30
30
  maxAge: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodNumber>;
31
31
  expires: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodDate>;
@@ -45,8 +45,8 @@ declare const outputSchema: import("@frontmcp/lazy-zod").ZodUnion<readonly [impo
45
45
  secure: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodBoolean>;
46
46
  sameSite: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodEnum<{
47
47
  strict: "strict";
48
- lax: "lax";
49
48
  none: "none";
49
+ lax: "lax";
50
50
  }>>;
51
51
  maxAge: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodNumber>;
52
52
  expires: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodDate>;
@@ -65,8 +65,8 @@ declare const outputSchema: import("@frontmcp/lazy-zod").ZodUnion<readonly [impo
65
65
  secure: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodBoolean>;
66
66
  sameSite: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodEnum<{
67
67
  strict: "strict";
68
- lax: "lax";
69
68
  none: "none";
69
+ lax: "lax";
70
70
  }>>;
71
71
  maxAge: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodNumber>;
72
72
  expires: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodDate>;
@@ -48,8 +48,8 @@ export declare const outputSchema: import("@frontmcp/lazy-zod").ZodUnion<readonl
48
48
  secure: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodBoolean>;
49
49
  sameSite: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodEnum<{
50
50
  strict: "strict";
51
- lax: "lax";
52
51
  none: "none";
52
+ lax: "lax";
53
53
  }>>;
54
54
  maxAge: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodNumber>;
55
55
  expires: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodDate>;
@@ -69,8 +69,8 @@ export declare const outputSchema: import("@frontmcp/lazy-zod").ZodUnion<readonl
69
69
  secure: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodBoolean>;
70
70
  sameSite: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodEnum<{
71
71
  strict: "strict";
72
- lax: "lax";
73
72
  none: "none";
73
+ lax: "lax";
74
74
  }>>;
75
75
  maxAge: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodNumber>;
76
76
  expires: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodDate>;
@@ -78,6 +78,7 @@ export declare const outputSchema: import("@frontmcp/lazy-zod").ZodUnion<readonl
78
78
  }, import("zod/v4/core").$strip>]>;
79
79
  export declare const wellKnownAsStateSchema: import("@frontmcp/lazy-zod").ZodObject<{
80
80
  baseUrl: import("@frontmcp/lazy-zod").ZodString;
81
+ oauthBaseUrl: import("@frontmcp/lazy-zod").ZodString;
81
82
  scopesSupported: import("@frontmcp/lazy-zod").ZodDefault<import("@frontmcp/lazy-zod").ZodArray<import("@frontmcp/lazy-zod").ZodString>>;
82
83
  tokenEndpointAuthMethods: import("@frontmcp/lazy-zod").ZodDefault<import("@frontmcp/lazy-zod").ZodArray<import("@frontmcp/lazy-zod").ZodEnum<{
83
84
  client_secret_basic: "client_secret_basic";
@@ -1 +1 @@
1
- {"version":3,"file":"well-known.oauth-authorization-server.flow.d.ts","sourceRoot":"","sources":["../../../src/auth/flows/well-known.oauth-authorization-server.flow.ts"],"names":[],"mappings":"AACA,OAAO,kBAAkB,CAAC;AAE1B,OAAO,EAAE,CAAC,EAAE,MAAM,oBAAoB,CAAC;AAEvC,OAAO,EAEL,QAAQ,EAUR,KAAK,cAAc,EACnB,KAAK,UAAU,EACf,KAAK,aAAa,EACnB,MAAM,cAAc,CAAC;AAGtB,QAAA,MAAM,WAAW;;;;gCAAkB,CAAC;AA4BpC,eAAO,MAAM,YAAY;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kCAA0E,CAAC;AAEpG,eAAO,MAAM,sBAAsB;;;;;;;;;;;gCAUjC,CAAC;AAEH,QAAA,MAAM,eAAe;;;CAGgB,CAAC;AAEtC,KAAK,eAAe,GAAG,OAAO,eAAe,CAAC;AAC9C,KAAK,sBAAsB,GAAG,cAAc,CAC1C,eAAe,EACf,eAAe,EACf,OAAO,WAAW,EAClB,OAAO,YAAY,EACnB,OAAO,sBAAsB,CAC9B,CAAC;AAEF,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,WAAW;QACnB,uCAAuC,EAAE,sBAAsB,CAAC;KACjE;CACF;AAED,QAAA,MAAM,IAAI,EAAG,uCAAgD,CAAC;AAa9D,MAAM,CAAC,OAAO,OAAO,eAAgB,SAAQ,QAAQ,CAAC,OAAO,IAAI,CAAC;IAChE,MAAM,CAAC,WAAW,CAAC,OAAO,EAAE,aAAa,EAAE,KAAK,EAAE,UAAU;IAKtD,UAAU;IA0BV,WAAW;CA+BlB"}
1
+ {"version":3,"file":"well-known.oauth-authorization-server.flow.d.ts","sourceRoot":"","sources":["../../../src/auth/flows/well-known.oauth-authorization-server.flow.ts"],"names":[],"mappings":"AACA,OAAO,kBAAkB,CAAC;AAE1B,OAAO,EAAE,CAAC,EAAE,MAAM,oBAAoB,CAAC;AAGvC,OAAO,EAEL,QAAQ,EAWR,KAAK,cAAc,EACnB,KAAK,UAAU,EACf,KAAK,aAAa,EACnB,MAAM,cAAc,CAAC;AAoBtB,QAAA,MAAM,WAAW;;;;gCAAkB,CAAC;AA4BpC,eAAO,MAAM,YAAY;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kCAA0E,CAAC;AAEpG,eAAO,MAAM,sBAAsB;;;;;;;;;;;;gCAgBjC,CAAC;AAEH,QAAA,MAAM,eAAe;;;CAGgB,CAAC;AAEtC,KAAK,eAAe,GAAG,OAAO,eAAe,CAAC;AAC9C,KAAK,sBAAsB,GAAG,cAAc,CAC1C,eAAe,EACf,eAAe,EACf,OAAO,WAAW,EAClB,OAAO,YAAY,EACnB,OAAO,sBAAsB,CAC9B,CAAC;AAEF,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,WAAW;QACnB,uCAAuC,EAAE,sBAAsB,CAAC;KACjE;CACF;AAED,QAAA,MAAM,IAAI,EAAG,uCAAgD,CAAC;AAa9D,MAAM,CAAC,OAAO,OAAO,eAAgB,SAAQ,QAAQ,CAAC,OAAO,IAAI,CAAC;IAChE,MAAM,CAAC,WAAW,CAAC,OAAO,EAAE,aAAa,EAAE,KAAK,EAAE,UAAU;IAKtD,UAAU;IA+BV,WAAW;CA4ClB"}
@@ -25,8 +25,8 @@ declare const outputSchema: import("@frontmcp/lazy-zod").ZodObject<{
25
25
  secure: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodBoolean>;
26
26
  sameSite: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodEnum<{
27
27
  strict: "strict";
28
- lax: "lax";
29
28
  none: "none";
29
+ lax: "lax";
30
30
  }>>;
31
31
  maxAge: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodNumber>;
32
32
  expires: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodDate>;
@@ -1 +1 @@
1
- {"version":3,"file":"well-known.prm.flow.d.ts","sourceRoot":"","sources":["../../../src/auth/flows/well-known.prm.flow.ts"],"names":[],"mappings":"AACA,OAAO,kBAAkB,CAAC;AAI1B,OAAO,EAGL,QAAQ,EAOR,KAAK,cAAc,EACnB,KAAK,UAAU,EACf,KAAK,aAAa,EACnB,MAAM,cAAc,CAAC;AAGtB,QAAA,MAAM,WAAW;;;;gCAAkB,CAAC;AAEpC,QAAA,MAAM,WAAW;;;;;gCAKf,CAAC;AAEH,QAAA,MAAM,YAAY;;;;;;;;;;;;;;;;;;;;;;;;;;gCAShB,CAAC;AAEH,QAAA,MAAM,IAAI;;;;CAI2B,CAAC;AAEtC,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,WAAW;QACnB,qCAAqC,EAAE,cAAc,CACnD,gBAAgB,EAChB,OAAO,IAAI,EACX,OAAO,WAAW,EAClB,OAAO,YAAY,EACnB,OAAO,WAAW,CACnB,CAAC;KACH;CACF;AAED,QAAA,MAAM,IAAI,EAAG,qCAA8C,CAAC;AAa5D,MAAM,CAAC,OAAO,OAAO,gBAAiB,SAAQ,QAAQ,CAAC,OAAO,IAAI,CAAC;IACjE,MAAM,CAAC,WAAW,CAAC,OAAO,EAAE,aAAa,EAAE,KAAK,EAAE,UAAU;IAKtD,UAAU;IAiBY,WAAW;CA+BxC"}
1
+ {"version":3,"file":"well-known.prm.flow.d.ts","sourceRoot":"","sources":["../../../src/auth/flows/well-known.prm.flow.ts"],"names":[],"mappings":"AACA,OAAO,kBAAkB,CAAC;AAI1B,OAAO,EAGL,QAAQ,EAOR,KAAK,cAAc,EACnB,KAAK,UAAU,EACf,KAAK,aAAa,EACnB,MAAM,cAAc,CAAC;AAGtB,QAAA,MAAM,WAAW;;;;gCAAkB,CAAC;AAEpC,QAAA,MAAM,WAAW;;;;;gCAKf,CAAC;AAEH,QAAA,MAAM,YAAY;;;;;;;;;;;;;;;;;;;;;;;;;;gCAShB,CAAC;AAEH,QAAA,MAAM,IAAI;;;;CAI2B,CAAC;AAEtC,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,WAAW;QACnB,qCAAqC,EAAE,cAAc,CACnD,gBAAgB,EAChB,OAAO,IAAI,EACX,OAAO,WAAW,EAClB,OAAO,YAAY,EACnB,OAAO,WAAW,CACnB,CAAC;KACH;CACF;AAED,QAAA,MAAM,IAAI,EAAG,qCAA8C,CAAC;AAa5D,MAAM,CAAC,OAAO,OAAO,gBAAiB,SAAQ,QAAQ,CAAC,OAAO,IAAI,CAAC;IACjE,MAAM,CAAC,WAAW,CAAC,OAAO,EAAE,aAAa,EAAE,KAAK,EAAE,UAAU;IAKtD,UAAU;IAiBY,WAAW;CAmCxC"}
@@ -1,4 +1,4 @@
1
- import { type AuthorizationStore, type FederatedAuthSessionStore, type OrchestratedTokenStore as TokenStore } from '@frontmcp/auth';
1
+ import { DcrClientRegistry, SessionCredentialVault, type AuthorizationStore, type ConsentStore, type DcrRegistryConfig, type FederatedAuthSessionStore, type SecureStoreBackend, type OrchestratedTokenStore as TokenStore, type VerifyResult } from '@frontmcp/auth';
2
2
  import { FrontMcpAuth, type FrontMcpLogger, type JWK, type ScopeEntry, type ServerRequest } from '../../common';
3
3
  import { type LocalAuthOptions, type PublicAuthOptions, type RemoteAuthOptions } from '../../common/types/options/auth';
4
4
  import type ProviderRegistry from '../../provider/provider.registry';
@@ -35,6 +35,21 @@ export interface ConsentMetadata {
35
35
  skippedProviderIds?: string[];
36
36
  consentEnabled?: boolean;
37
37
  federatedLoginUsed?: boolean;
38
+ /**
39
+ * Progressive/Incremental authorization: the set of app IDs this token grants
40
+ * access to. ONLY emitted when `incrementalAuth` is enabled for the scope —
41
+ * its presence turns on app-level gating in `checkToolAuthorization`, so it is
42
+ * deliberately omitted for non-incremental setups to preserve the historical
43
+ * allow-all behavior. Embedded as the `authorized_apps` claim by
44
+ * {@link LocalPrimaryAuth.signAccessToken}.
45
+ */
46
+ authorizedAppIds?: string[];
47
+ /**
48
+ * Custom claims from a local `authenticate` verifier (Checkpoint 3a). Merged
49
+ * into the access token by {@link LocalPrimaryAuth.signAccessToken} with a
50
+ * reserved-claim guard so they can never clobber sub/iss/exp/etc.
51
+ */
52
+ customClaims?: Record<string, unknown>;
38
53
  }
39
54
  /**
40
55
  * Extended token response from upstream providers (includes id_token)
@@ -81,30 +96,188 @@ export declare class LocalPrimaryAuth extends FrontMcpAuth<LocalPrimaryAuthOptio
81
96
  readonly keys: JWK[];
82
97
  readonly secret: Uint8Array;
83
98
  readonly logger: FrontMcpLogger;
84
- readonly authorizationStore: AuthorizationStore;
85
99
  private jwks;
86
100
  private cimdService;
87
- /** Federated auth session store for multi-provider flows */
88
- readonly federatedSessionStore: FederatedAuthSessionStore;
89
- /** Token store for upstream provider tokens */
90
- readonly orchestratedTokenStore: TokenStore;
101
+ /**
102
+ * Token storage backend selected from `options.tokenStorage`.
103
+ * - `'memory'` / undefined in-memory stores (default; lost on restart).
104
+ * - `{ redis }` / `{ sqlite }` → adapter-backed stores that survive restart.
105
+ *
106
+ * The three stores below are constructed in-memory synchronously in the
107
+ * constructor (preserving the exact legacy default behavior). When a
108
+ * persistent backend is configured, {@link initializeStores} swaps in the
109
+ * StorageAdapter-backed implementations during async `initialize()`, before
110
+ * the server signals ready.
111
+ */
112
+ private readonly tokenStorage;
113
+ /** OAuth authorization-code / pending / refresh-token store. */
114
+ private authorizationStoreImpl;
115
+ /** Federated auth session store for multi-provider flows. */
116
+ private federatedSessionStoreImpl;
117
+ /** Token store for upstream provider tokens. */
118
+ private orchestratedTokenStoreImpl;
119
+ /** Remembered per-(user, client) consent selections (`rememberConsent`). */
120
+ private consentStoreImpl;
121
+ /**
122
+ * Local-AS Dynamic Client Registration registry (#462). Seeded with any
123
+ * `dcr.clients` at construction so the authorize/token flows accept those
124
+ * pre-registered clients without a DCR round-trip, and mutated by
125
+ * `POST /oauth/register`. Always present (empty when no `dcr` is configured).
126
+ */
127
+ private readonly dcrClientRegistryImpl;
128
+ /** Storage adapter backing the persistent stores (kept for disposal). */
129
+ private storageAdapter?;
130
+ /**
131
+ * Per-session encrypted credential vault (Checkpoint 3b). Backs
132
+ * `this.credentials` in tools and persists `authenticate()` credentials.
133
+ * Constructed in {@link initialize} once the storage backend is known.
134
+ */
135
+ private credentialVaultImpl?;
136
+ /** Per-session encrypted credential vault (Checkpoint 3b), if enabled. */
137
+ get credentialVault(): SessionCredentialVault | undefined;
138
+ /**
139
+ * General session-scoped secure-secret store backend (#470). Backs
140
+ * `this.secureStore` in tools. Constructed in {@link initialize} from
141
+ * `auth.secureStore`; defaults to an in-memory, AES-256-GCM-encrypted backing.
142
+ */
143
+ private secureStoreBackendImpl?;
144
+ /** General secure-store backend (#470), if enabled. */
145
+ get secureStoreBackend(): SecureStoreBackend | undefined;
146
+ /** OAuth authorization-code / pending / refresh-token store. */
147
+ get authorizationStore(): AuthorizationStore;
148
+ /** Federated auth session store for multi-provider flows. */
149
+ get federatedSessionStore(): FederatedAuthSessionStore;
150
+ /** Token store for upstream provider tokens. */
151
+ get orchestratedTokenStore(): TokenStore;
152
+ /**
153
+ * Remembered per-(user, client) consent selections, backing
154
+ * `auth.consent.rememberConsent`. Shares the configured token-storage backend
155
+ * (memory by default; Redis/SQLite when persistent storage is configured).
156
+ */
157
+ get consentStore(): ConsentStore;
158
+ /**
159
+ * Local-AS Dynamic Client Registration registry (#462). Consulted by the
160
+ * register/authorize flows to enforce the declarative `dcr` allowlists and to
161
+ * look up pre-registered + dynamically-registered clients.
162
+ */
163
+ get dcrClientRegistry(): DcrClientRegistry;
164
+ /**
165
+ * Resolved local-AS DCR config. Only `local` mode carries `dcr`; every other
166
+ * mode returns `undefined`, preserving the historical behavior exactly.
167
+ */
168
+ getDcrConfig(): DcrRegistryConfig | undefined;
169
+ /**
170
+ * Whether `POST /oauth/register` and the `registration_endpoint` advertisement
171
+ * are active. Honors an explicit `dcr.enabled`; when unset, falls back to the
172
+ * historical guard (enabled in development, disabled in production).
173
+ */
174
+ isDcrEnabled(): boolean;
91
175
  /** Provider configurations (indexed by provider ID) */
92
176
  private readonly providerConfigs;
177
+ /**
178
+ * Remote-mode single upstream provider id (set by {@link registerRemoteProvider}).
179
+ *
180
+ * In `mode: 'remote'` FrontMCP federates exactly ONE mandatory upstream IdP.
181
+ * The authorize flow auto-starts federation against this id (no in-tree login
182
+ * page, no provider-selection page), and tools read its token via
183
+ * `this.orchestration.getToken(remoteProviderId)`. Undefined in every other mode.
184
+ */
185
+ private remoteProviderIdImpl?;
186
+ /** Remote-mode single upstream provider id, or undefined outside remote mode. */
187
+ get remoteProviderId(): string | undefined;
93
188
  /** Default access token TTL (1 hour) */
94
189
  private readonly accessTokenTtlSeconds;
95
190
  /** Default refresh token TTL (30 days) */
96
191
  private readonly refreshTokenTtlSeconds;
97
- /**
98
- * Get the authorization store as InMemoryAuthorizationStore with type guard.
99
- * This ensures type safety when using InMemory-specific methods.
100
- */
101
- private getInMemoryStore;
102
192
  constructor(scope: ScopeEntry, providers: ProviderRegistry, options: LocalPrimaryAuthOptions);
103
193
  /**
104
- * Derive issuer from options
194
+ * Derive issuer from options.
195
+ *
196
+ * `FRONTMCP_PUBLIC_HOST` overrides only the HOST portion of the boot-time
197
+ * issuer (see `this.host` in the constructor); the scheme stays `http` and
198
+ * the port stays `this.port`. To override the scheme and/or port (e.g.
199
+ * advertise `https://…` with no explicit port behind a TLS proxy), set an
200
+ * explicit `local.issuer` — that is the supported way to make the boot-time
201
+ * issuer match what discovery advertises. JWT verification accepts an issuer
202
+ * array, so tokens minted under a different scheme/port are still tolerated
203
+ * when running behind a TLS-terminating proxy, but `local.issuer` is the
204
+ * supported knob for aligning the issuer with discovery.
105
205
  */
106
206
  private deriveIssuer;
207
+ /**
208
+ * Read the `tokenStorage` selection off the auth options. Only
209
+ * local/remote/orchestrated modes declare it; public mode does not, in which
210
+ * case we treat it as the in-memory default.
211
+ */
212
+ private readTokenStorage;
213
+ /**
214
+ * When a persistent token-storage backend (Redis/SQLite) is configured, build
215
+ * a shared `StorageAdapter` and swap the three in-memory stores for their
216
+ * adapter-backed equivalents. For `'memory'` (or unset) this is a no-op, so
217
+ * the default behavior is preserved exactly.
218
+ *
219
+ * The orchestrated-token store keeps using the JWT secret as its encryption
220
+ * key, so upstream provider tokens stay encrypted at rest in every backend.
221
+ */
222
+ private initializeStores;
223
+ /**
224
+ * Build the per-session credential vault (Checkpoint 3b) and register the
225
+ * `this.credentials` accessor + the `/oauth/connect` add-credential flow.
226
+ *
227
+ * Skipped in pure public mode (no authenticated subject / no authenticate()
228
+ * verifier there). The vault shares the persistent StorageAdapter when one is
229
+ * configured; otherwise it uses a dedicated in-memory adapter. The HMAC pepper
230
+ * and resume-link signing key both derive from the server JWT secret
231
+ * (`this.secret`), so resume URLs are framework-signed with the same trust
232
+ * root as the access tokens.
233
+ */
234
+ private initializeCredentialVault;
235
+ /**
236
+ * Read the `secureStore` selection off the auth options. Only
237
+ * local/remote/orchestrated modes declare it; public mode does not.
238
+ */
239
+ private readSecureStoreConfig;
240
+ /**
241
+ * Build the general session-scoped secure-secret store (#470) and register the
242
+ * `this.secureStore` accessor.
243
+ *
244
+ * Skipped in pure public mode (no authenticated subject / no session-bound
245
+ * secrets there). The backing comes from `auth.secureStore`:
246
+ * - unset / `'memory'` → in-memory, AES-256-GCM-encrypted store (default);
247
+ * - `{ sqlite }` / `{ redis }` → persistent encrypted store. When the chosen
248
+ * persistent backing matches the configured `tokenStorage`, the SAME
249
+ * StorageAdapter is reused (one connection);
250
+ * - `{ backend }` → a custom backing used as-is (e.g. an OS keychain) — the
251
+ * framework bundles NO native dependency for this path.
252
+ *
253
+ * The HKDF pepper for the built-in encrypted backings derives from the server
254
+ * JWT secret (`this.secret`) unless an explicit `encryption.pepper` is set, so
255
+ * secrets share the same trust root as the access tokens.
256
+ */
257
+ private initializeSecureStore;
258
+ /**
259
+ * Whether the `secureStore` config selects the SAME persistent backing as the
260
+ * configured `tokenStorage`, so they can share one StorageAdapter. Returns
261
+ * false for memory/custom/undefined and for mismatched backings (in which case
262
+ * the secure store gets its own adapter).
263
+ */
264
+ private secureStoreSharesTokenStorage;
107
265
  signAnonymousJwt(): Promise<string>;
266
+ /**
267
+ * Cryptographically verify a gateway-issued access token (public/local/remote
268
+ * "gateway" modes). Gateway tokens — both authenticated access tokens
269
+ * ({@link signAccessToken}) and anonymous tokens ({@link signAnonymousJwt}) —
270
+ * are HS256-signed with `this.secret`, so this instance is the sole holder of
271
+ * the verification key.
272
+ *
273
+ * Enforces the signature and lifetime claims (`exp`/`nbf`, checked by `jose`
274
+ * by default). Issuer equality is intentionally NOT enforced: proxy/tunnel
275
+ * deployments legitimately present an `iss` that differs from the
276
+ * request-derived base URL (see {@link deriveIssuer}). Algorithm is pinned to
277
+ * HS256 to block `alg` confusion (e.g. a forged `alg: none` or asymmetric
278
+ * header). `expectedIssuer` is accepted for parity/logging only.
279
+ */
280
+ verifyGatewayToken(token: string, expectedIssuer: string): Promise<VerifyResult>;
108
281
  /**
109
282
  * Sign an access token for an authenticated user
110
283
  */
@@ -142,6 +315,8 @@ export declare class LocalPrimaryAuth extends FrontMcpAuth<LocalPrimaryAuthOptio
142
315
  consentEnabled?: boolean;
143
316
  federatedLoginUsed?: boolean;
144
317
  pendingAuthId?: string;
318
+ authorizedAppIds?: string[];
319
+ customClaims?: Record<string, unknown>;
145
320
  }): Promise<string>;
146
321
  protected initialize(): Promise<void>;
147
322
  fetch(input: RequestInfo | URL, init?: RequestInit): Promise<Response>;
@@ -151,6 +326,45 @@ export declare class LocalPrimaryAuth extends FrontMcpAuth<LocalPrimaryAuthOptio
151
326
  * Register an upstream OAuth provider configuration
152
327
  */
153
328
  registerProvider(config: UpstreamProviderConfig): void;
329
+ /**
330
+ * Bridge declarative `auth.providers` (local-mode multi-provider orchestration)
331
+ * into the upstream-provider registry. Runs once during `initialize()`.
332
+ *
333
+ * For each declared provider we map the ergonomic `authorizeUrl`/`tokenUrl`
334
+ * aliases onto the canonical `authorizationEndpoint`/`tokenEndpoint`, default
335
+ * `name`/`scopes`, and compute the per-provider callback URL from the issuer
336
+ * (`${issuer}/oauth/provider/${id}/callback`). No-op when not local mode or
337
+ * when no providers are declared, so existing configs are unaffected.
338
+ *
339
+ * Security: only non-PII provider metadata is read here; client secrets are
340
+ * kept in the provider config and never logged or exposed to the LLM.
341
+ */
342
+ private registerConfiguredProviders;
343
+ /**
344
+ * Remote mode (`mode: 'remote'`): register the flat remote config as the
345
+ * SINGLE mandatory upstream provider. Runs once during `initialize()`.
346
+ *
347
+ * The flat fields (`provider` base URL + `clientId`/`clientSecret`/`scopes`)
348
+ * and the `providerConfig` endpoint overrides (`authEndpoint`/`tokenEndpoint`/
349
+ * `userInfoEndpoint`/`jwksUri`) are mapped onto an {@link UpstreamProviderConfig}.
350
+ * Endpoints not explicitly overridden are derived from the `provider` base URL
351
+ * using the standard OIDC paths (`/authorize`, `/token`, `/userinfo`,
352
+ * `/.well-known/jwks.json`) — the same convention `transparent` mode uses for
353
+ * discovery. The provider id comes from `providerConfig.id` when set, else it
354
+ * is derived from the provider hostname (mirroring `deriveProviderId`).
355
+ *
356
+ * No-op outside remote mode, so local/public/transparent are unaffected.
357
+ *
358
+ * Security: only non-PII provider metadata is read here; the client secret is
359
+ * kept in the provider config and never logged or exposed to the LLM.
360
+ */
361
+ private registerRemoteProvider;
362
+ /**
363
+ * Derive a stable provider id from the upstream `provider` base URL, mirroring
364
+ * the detection layer's `deriveProviderId`/`urlToProviderId` (hostname with
365
+ * dots replaced by underscores) so the id is consistent across surfaces.
366
+ */
367
+ private deriveRemoteProviderId;
154
368
  /**
155
369
  * Get provider configuration
156
370
  */
@@ -1 +1 @@
1
- {"version":3,"file":"instance.local-primary-auth.d.ts","sourceRoot":"","sources":["../../../src/auth/instances/instance.local-primary-auth.ts"],"names":[],"mappings":"AAEA,OAAO,EAML,KAAK,kBAAkB,EACvB,KAAK,yBAAyB,EAC9B,KAAK,sBAAsB,IAAI,UAAU,EAC1C,MAAM,gBAAgB,CAAC;AAGxB,OAAO,EACL,YAAY,EAEZ,KAAK,cAAc,EACnB,KAAK,GAAG,EACR,KAAK,UAAU,EACf,KAAK,aAAa,EACnB,MAAM,cAAc,CAAC;AACtB,OAAO,EAIL,KAAK,gBAAgB,EACrB,KAAK,iBAAiB,EACtB,KAAK,iBAAiB,EACvB,MAAM,iCAAiC,CAAC;AAEzC,OAAO,KAAK,gBAAgB,MAAM,kCAAkC,CAAC;AAYrE;;GAEG;AACH,MAAM,MAAM,uBAAuB,GAAG,iBAAiB,GAAG,gBAAgB,GAAG,iBAAiB,CAAC;AAI/F;;GAEG;AACH,MAAM,WAAW,QAAQ;IACvB,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,QAAQ,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;IACnB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAC3B,mBAAmB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC/B,kBAAkB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC9B,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,kBAAkB,CAAC,EAAE,OAAO,CAAC;CAC9B;AAED;;GAEG;AACH,MAAM,WAAW,qBAAqB;IACpC,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,sBAAsB;IACrC,kBAAkB;IAClB,EAAE,EAAE,MAAM,CAAC;IACX,mBAAmB;IACnB,IAAI,EAAE,MAAM,CAAC;IACb,6BAA6B;IAC7B,qBAAqB,EAAE,MAAM,CAAC;IAC9B,qBAAqB;IACrB,aAAa,EAAE,MAAM,CAAC;IACtB,oCAAoC;IACpC,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,kDAAkD;IAClD,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,gBAAgB;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,+CAA+C;IAC/C,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,gCAAgC;IAChC,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,qCAAqC;IACrC,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,qBAAa,gBAAiB,SAAQ,YAAY,CAAC,uBAAuB,CAAC;IAqCvE,OAAO,CAAC,KAAK;IACb,OAAO,CAAC,SAAS;IArCnB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,IAAI,EAAE,GAAG,EAAE,CAAM;IAC1B,QAAQ,CAAC,MAAM,EAAE,UAAU,CAAC;IAC5B,QAAQ,CAAC,MAAM,EAAE,cAAc,CAAC;IAChC,QAAQ,CAAC,kBAAkB,EAAE,kBAAkB,CAAC;IAChD,OAAO,CAAC,IAAI,CAAqB;IACjC,OAAO,CAAC,WAAW,CAA0B;IAE7C,4DAA4D;IAC5D,QAAQ,CAAC,qBAAqB,EAAE,yBAAyB,CAAC;IAE1D,+CAA+C;IAC/C,QAAQ,CAAC,sBAAsB,EAAE,UAAU,CAAC;IAE5C,uDAAuD;IACvD,OAAO,CAAC,QAAQ,CAAC,eAAe,CAA6C;IAE7E,wCAAwC;IACxC,OAAO,CAAC,QAAQ,CAAC,qBAAqB,CAAQ;IAC9C,0CAA0C;IAC1C,OAAO,CAAC,QAAQ,CAAC,sBAAsB,CAAkB;IAEzD;;;OAGG;IACH,OAAO,CAAC,gBAAgB;gBAQd,KAAK,EAAE,UAAU,EACjB,SAAS,EAAE,gBAAgB,EACnC,OAAO,EAAE,uBAAuB;IAkClC;;OAEG;IACH,OAAO,CAAC,YAAY;IAmBd,gBAAgB;IAUtB;;OAEG;IACG,eAAe,CACnB,IAAI,EAAE,QAAQ,EACd,MAAM,EAAE,MAAM,EAAE,EAChB,QAAQ,CAAC,EAAE,MAAM,EACjB,eAAe,CAAC,EAAE,eAAe,GAChC,OAAO,CAAC,MAAM,CAAC;IA0ClB;;OAEG;IACG,YAAY,CAChB,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,MAAM,EAChB,WAAW,EAAE,MAAM,EACnB,YAAY,EAAE,MAAM,GACnB,OAAO,CAAC,aAAa,GAAG;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,iBAAiB,EAAE,MAAM,CAAA;KAAE,CAAC;IA+GxE;;OAEG;IACG,kBAAkB,CACtB,YAAY,EAAE,MAAM,EACpB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,aAAa,GAAG;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,iBAAiB,EAAE,MAAM,CAAA;KAAE,CAAC;IA2CxE;;OAEG;IACG,uBAAuB,CAAC,MAAM,EAAE;QACpC,QAAQ,EAAE,MAAM,CAAC;QACjB,WAAW,EAAE,MAAM,CAAC;QACpB,MAAM,EAAE,MAAM,EAAE,CAAC;QACjB,aAAa,EAAE,MAAM,CAAC;QACtB,OAAO,EAAE,MAAM,CAAC;QAChB,SAAS,CAAC,EAAE,MAAM,CAAC;QACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,QAAQ,CAAC,EAAE,MAAM,CAAC;QAElB,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;QAC3B,mBAAmB,CAAC,EAAE,MAAM,EAAE,CAAC;QAC/B,kBAAkB,CAAC,EAAE,MAAM,EAAE,CAAC;QAC9B,cAAc,CAAC,EAAE,OAAO,CAAC;QACzB,kBAAkB,CAAC,EAAE,OAAO,CAAC;QAE7B,aAAa,CAAC,EAAE,MAAM,CAAC;KACxB,GAAG,OAAO,CAAC,MAAM,CAAC;cA4BH,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC;IA6BlC,KAAK,CAAC,KAAK,EAAE,WAAW,GAAG,GAAG,EAAE,IAAI,CAAC,EAAE,WAAW,GAAG,OAAO,CAAC,QAAQ,CAAC;IAItE,QAAQ,CAAC,OAAO,EAAE,aAAa,GAAG,OAAO,CAAC,IAAI,CAAC;YAI1C,iBAAiB;IAoB/B;;OAEG;IACH,gBAAgB,CAAC,MAAM,EAAE,sBAAsB,GAAG,IAAI;IAKtD;;OAEG;IACH,iBAAiB,CAAC,UAAU,EAAE,MAAM,GAAG,sBAAsB,GAAG,SAAS;IAIzE;;OAEG;IACG,yBAAyB,CAC7B,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE;QACN,KAAK,EAAE,MAAM,CAAC;QACd,aAAa,EAAE,MAAM,CAAC;QACtB,mBAAmB,EAAE,MAAM,CAAC;QAC5B,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;KACnB,GACA,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAwBzB;;OAEG;IACG,oBAAoB,CACxB,UAAU,EAAE,MAAM,EAClB,IAAI,EAAE,MAAM,EACZ,YAAY,CAAC,EAAE,MAAM,GACpB,OAAO,CAAC,qBAAqB,GAAG;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,iBAAiB,EAAE,MAAM,CAAA;KAAE,CAAC;IA6DhF;;OAEG;IACG,mBAAmB,CACvB,UAAU,EAAE,MAAM,EAClB,WAAW,EAAE,MAAM,EACnB,OAAO,CAAC,EAAE,MAAM,GACf,OAAO,CAAC;QAAE,GAAG,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;KAAE,CAAC;IAsD9G;;OAEG;IACG,oBAAoB,CACxB,UAAU,EAAE,MAAM,EAClB,YAAY,EAAE,MAAM,GACnB,OAAO,CAAC,qBAAqB,GAAG;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,iBAAiB,EAAE,MAAM,CAAA;KAAE,CAAC;CA8CjF"}
1
+ {"version":3,"file":"instance.local-primary-auth.d.ts","sourceRoot":"","sources":["../../../src/auth/instances/instance.local-primary-auth.ts"],"names":[],"mappings":"AAEA,OAAO,EAGL,iBAAiB,EASjB,sBAAsB,EAMtB,KAAK,kBAAkB,EACvB,KAAK,YAAY,EACjB,KAAK,iBAAiB,EACtB,KAAK,yBAAyB,EAC9B,KAAK,kBAAkB,EAGvB,KAAK,sBAAsB,IAAI,UAAU,EACzC,KAAK,YAAY,EAClB,MAAM,gBAAgB,CAAC;AAYxB,OAAO,EACL,YAAY,EAEZ,KAAK,cAAc,EACnB,KAAK,GAAG,EACR,KAAK,UAAU,EACf,KAAK,aAAa,EACnB,MAAM,cAAc,CAAC;AACtB,OAAO,EAML,KAAK,gBAAgB,EACrB,KAAK,iBAAiB,EACtB,KAAK,iBAAiB,EACvB,MAAM,iCAAiC,CAAC;AAEzC,OAAO,KAAK,gBAAgB,MAAM,kCAAkC,CAAC;AAmBrE;;GAEG;AACH,MAAM,MAAM,uBAAuB,GAAG,iBAAiB,GAAG,gBAAgB,GAAG,iBAAiB,CAAC;AAI/F;;GAEG;AACH,MAAM,WAAW,QAAQ;IACvB,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,QAAQ,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;IACnB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAC3B,mBAAmB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC/B,kBAAkB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC9B,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAC7B;;;;;;;OAOG;IACH,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC5B;;;;OAIG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACxC;AAwBD;;GAEG;AACH,MAAM,WAAW,qBAAqB;IACpC,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,sBAAsB;IACrC,kBAAkB;IAClB,EAAE,EAAE,MAAM,CAAC;IACX,mBAAmB;IACnB,IAAI,EAAE,MAAM,CAAC;IACb,6BAA6B;IAC7B,qBAAqB,EAAE,MAAM,CAAC;IAC9B,qBAAqB;IACrB,aAAa,EAAE,MAAM,CAAC;IACtB,oCAAoC;IACpC,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,kDAAkD;IAClD,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,gBAAgB;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,+CAA+C;IAC/C,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,gCAAgC;IAChC,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,qCAAqC;IACrC,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,qBAAa,gBAAiB,SAAQ,YAAY,CAAC,uBAAuB,CAAC;IAuJvE,OAAO,CAAC,KAAK;IACb,OAAO,CAAC,SAAS;IAvJnB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,IAAI,EAAE,GAAG,EAAE,CAAM;IAC1B,QAAQ,CAAC,MAAM,EAAE,UAAU,CAAC;IAC5B,QAAQ,CAAC,MAAM,EAAE,cAAc,CAAC;IAChC,OAAO,CAAC,IAAI,CAAqB;IACjC,OAAO,CAAC,WAAW,CAA0B;IAE7C;;;;;;;;;;OAUG;IACH,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAiC;IAE9D,gEAAgE;IAChE,OAAO,CAAC,sBAAsB,CAAqB;IAEnD,6DAA6D;IAC7D,OAAO,CAAC,yBAAyB,CAA4B;IAE7D,gDAAgD;IAChD,OAAO,CAAC,0BAA0B,CAAa;IAE/C,4EAA4E;IAC5E,OAAO,CAAC,gBAAgB,CAAe;IAEvC;;;;;OAKG;IACH,OAAO,CAAC,QAAQ,CAAC,qBAAqB,CAAoB;IAE1D,yEAAyE;IACzE,OAAO,CAAC,cAAc,CAAC,CAAiB;IAExC;;;;OAIG;IACH,OAAO,CAAC,mBAAmB,CAAC,CAAyB;IAErD,0EAA0E;IAC1E,IAAI,eAAe,IAAI,sBAAsB,GAAG,SAAS,CAExD;IAED;;;;OAIG;IACH,OAAO,CAAC,sBAAsB,CAAC,CAAqB;IAEpD,uDAAuD;IACvD,IAAI,kBAAkB,IAAI,kBAAkB,GAAG,SAAS,CAEvD;IAED,gEAAgE;IAChE,IAAI,kBAAkB,IAAI,kBAAkB,CAE3C;IAED,6DAA6D;IAC7D,IAAI,qBAAqB,IAAI,yBAAyB,CAErD;IAED,gDAAgD;IAChD,IAAI,sBAAsB,IAAI,UAAU,CAEvC;IAED;;;;OAIG;IACH,IAAI,YAAY,IAAI,YAAY,CAE/B;IAED;;;;OAIG;IACH,IAAI,iBAAiB,IAAI,iBAAiB,CAEzC;IAED;;;OAGG;IACH,YAAY,IAAI,iBAAiB,GAAG,SAAS;IAO7C;;;;OAIG;IACH,YAAY,IAAI,OAAO;IAQvB,uDAAuD;IACvD,OAAO,CAAC,QAAQ,CAAC,eAAe,CAA6C;IAE7E;;;;;;;OAOG;IACH,OAAO,CAAC,oBAAoB,CAAC,CAAS;IAEtC,iFAAiF;IACjF,IAAI,gBAAgB,IAAI,MAAM,GAAG,SAAS,CAEzC;IAED,wCAAwC;IACxC,OAAO,CAAC,QAAQ,CAAC,qBAAqB,CAAQ;IAC9C,0CAA0C;IAC1C,OAAO,CAAC,QAAQ,CAAC,sBAAsB,CAAkB;gBAG/C,KAAK,EAAE,UAAU,EACjB,SAAS,EAAE,gBAAgB,EACnC,OAAO,EAAE,uBAAuB;IAoDlC;;;;;;;;;;;;OAYG;IACH,OAAO,CAAC,YAAY;IAmBpB;;;;OAIG;IACH,OAAO,CAAC,gBAAgB;IAOxB;;;;;;;;OAQG;YACW,gBAAgB;IA8B9B;;;;;;;;;;OAUG;YACW,yBAAyB;IAgDvC;;;OAGG;IACH,OAAO,CAAC,qBAAqB;IAO7B;;;;;;;;;;;;;;;;OAgBG;YACW,qBAAqB;IA0CnC;;;;;OAKG;IACH,OAAO,CAAC,6BAA6B;IAO/B,gBAAgB;IAUtB;;;;;;;;;;;;;OAaG;IACY,kBAAkB,CAAC,KAAK,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC;IAkB/F;;OAEG;IACG,eAAe,CACnB,IAAI,EAAE,QAAQ,EACd,MAAM,EAAE,MAAM,EAAE,EAChB,QAAQ,CAAC,EAAE,MAAM,EACjB,eAAe,CAAC,EAAE,eAAe,GAChC,OAAO,CAAC,MAAM,CAAC;IAgElB;;OAEG;IACG,YAAY,CAChB,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,MAAM,EAChB,WAAW,EAAE,MAAM,EACnB,YAAY,EAAE,MAAM,GACnB,OAAO,CAAC,aAAa,GAAG;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,iBAAiB,EAAE,MAAM,CAAA;KAAE,CAAC;IAuHxE;;OAEG;IACG,kBAAkB,CACtB,YAAY,EAAE,MAAM,EACpB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,aAAa,GAAG;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,iBAAiB,EAAE,MAAM,CAAA;KAAE,CAAC;IA2CxE;;OAEG;IACG,uBAAuB,CAAC,MAAM,EAAE;QACpC,QAAQ,EAAE,MAAM,CAAC;QACjB,WAAW,EAAE,MAAM,CAAC;QACpB,MAAM,EAAE,MAAM,EAAE,CAAC;QACjB,aAAa,EAAE,MAAM,CAAC;QACtB,OAAO,EAAE,MAAM,CAAC;QAChB,SAAS,CAAC,EAAE,MAAM,CAAC;QACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,QAAQ,CAAC,EAAE,MAAM,CAAC;QAElB,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;QAC3B,mBAAmB,CAAC,EAAE,MAAM,EAAE,CAAC;QAC/B,kBAAkB,CAAC,EAAE,MAAM,EAAE,CAAC;QAC9B,cAAc,CAAC,EAAE,OAAO,CAAC;QACzB,kBAAkB,CAAC,EAAE,OAAO,CAAC;QAE7B,aAAa,CAAC,EAAE,MAAM,CAAC;QAGvB,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;QAE5B,YAAY,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;KACxC,GAAG,OAAO,CAAC,MAAM,CAAC;cA+BH,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC;IAsDlC,KAAK,CAAC,KAAK,EAAE,WAAW,GAAG,GAAG,EAAE,IAAI,CAAC,EAAE,WAAW,GAAG,OAAO,CAAC,QAAQ,CAAC;IAItE,QAAQ,CAAC,OAAO,EAAE,aAAa,GAAG,OAAO,CAAC,IAAI,CAAC;YAI1C,iBAAiB;IAuB/B;;OAEG;IACH,gBAAgB,CAAC,MAAM,EAAE,sBAAsB,GAAG,IAAI;IAKtD;;;;;;;;;;;;OAYG;IACH,OAAO,CAAC,2BAA2B;IAyCnC;;;;;;;;;;;;;;;;;OAiBG;IACH,OAAO,CAAC,sBAAsB;IAqC9B;;;;OAIG;IACH,OAAO,CAAC,sBAAsB;IAQ9B;;OAEG;IACH,iBAAiB,CAAC,UAAU,EAAE,MAAM,GAAG,sBAAsB,GAAG,SAAS;IAIzE;;OAEG;IACG,yBAAyB,CAC7B,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE;QACN,KAAK,EAAE,MAAM,CAAC;QACd,aAAa,EAAE,MAAM,CAAC;QACtB,mBAAmB,EAAE,MAAM,CAAC;QAC5B,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;KACnB,GACA,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAwBzB;;OAEG;IACG,oBAAoB,CACxB,UAAU,EAAE,MAAM,EAClB,IAAI,EAAE,MAAM,EACZ,YAAY,CAAC,EAAE,MAAM,GACpB,OAAO,CAAC,qBAAqB,GAAG;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,iBAAiB,EAAE,MAAM,CAAA;KAAE,CAAC;IA4EhF;;OAEG;IACG,mBAAmB,CACvB,UAAU,EAAE,MAAM,EAClB,WAAW,EAAE,MAAM,EACnB,OAAO,CAAC,EAAE,MAAM,GACf,OAAO,CAAC;QAAE,GAAG,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;KAAE,CAAC;IAsD9G;;OAEG;IACG,oBAAoB,CACxB,UAAU,EAAE,MAAM,EAClB,YAAY,EAAE,MAAM,GACnB,OAAO,CAAC,qBAAqB,GAAG;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,iBAAiB,EAAE,MAAM,CAAA;KAAE,CAAC;CA8CjF"}
@@ -0,0 +1,3 @@
1
+ export { SECURE_STORE_BACKEND, createSecureStoreProviders, resolveRequestSessionId } from './secure-store.providers';
2
+ export { secureStoreContextExtension, getSecureStore, tryGetSecureStore } from './secure-store.context-extension';
3
+ //# sourceMappingURL=index.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/auth/secure-store/index.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,oBAAoB,EAAE,0BAA0B,EAAE,uBAAuB,EAAE,MAAM,0BAA0B,CAAC;AAGrH,OAAO,EAAE,2BAA2B,EAAE,cAAc,EAAE,iBAAiB,EAAE,MAAM,kCAAkC,CAAC"}
@@ -0,0 +1,61 @@
1
+ /**
2
+ * Secure-store Context Extension (#470)
3
+ *
4
+ * Module augmentation + context-extension configuration that adds
5
+ * `this.secureStore` to ExecutionContextBase, mirroring `this.credentials`.
6
+ *
7
+ * `this.secureStore` exposes the general, session-scoped {@link SecureStoreAccessor}
8
+ * so tools (and auth UI) can read/write arbitrary user-typed secrets keyed by
9
+ * the configured scope (user / session / global), with the backing pluggable per
10
+ * deployment (memory / sqlite / redis / a custom OS-keychain backend).
11
+ */
12
+ import { type SecureStoreAccessor } from '@frontmcp/auth';
13
+ import type { ContextExtension } from '../../common/metadata/plugin.metadata';
14
+ declare module '../../common/interfaces/execution-context.interface' {
15
+ interface ExecutionContextBase {
16
+ /**
17
+ * General session-scoped secure-secret store (#470). A typed accessor over a
18
+ * pluggable backend for arbitrary user-typed secrets. Available in
19
+ * `local`/`remote` auth modes.
20
+ *
21
+ * Distinct from {@link ExecutionContextBase.credentials}: `credentials` is the
22
+ * OAuth-credential vault (resume URLs, per-authorize rotation); `secureStore`
23
+ * is a general key→secret store with selectable backing.
24
+ *
25
+ * @example
26
+ * ```typescript
27
+ * @Tool({ name: 'save_api_key' })
28
+ * class SaveApiKeyTool extends ToolContext {
29
+ * async execute(input: Input): Promise<Output> {
30
+ * await this.secureStore.set('stg.api-key', input.apiKey);
31
+ * const key = await this.secureStore.get<string>('stg.api-key');
32
+ * const keys = await this.secureStore.list();
33
+ * // …
34
+ * }
35
+ * }
36
+ * ```
37
+ */
38
+ readonly secureStore: SecureStoreAccessor;
39
+ }
40
+ }
41
+ /**
42
+ * Context extension configuration for `this.secureStore`. Registers the lazy
43
+ * getter on ExecutionContextBase.prototype; resolves {@link SECURE_STORE_ACCESSOR}
44
+ * from the request scope.
45
+ */
46
+ export declare const secureStoreContextExtension: ContextExtension;
47
+ /**
48
+ * Get the {@link SecureStoreAccessor} from a context. Throws via the DI layer
49
+ * when not configured (see {@link secureStoreContextExtension.errorMessage}).
50
+ */
51
+ export declare function getSecureStore(ctx: {
52
+ get: <T>(token: unknown) => T;
53
+ }): SecureStoreAccessor;
54
+ /**
55
+ * Try to get the {@link SecureStoreAccessor}; returns undefined when not
56
+ * available (graceful degradation).
57
+ */
58
+ export declare function tryGetSecureStore(ctx: {
59
+ tryGet: <T>(token: unknown) => T | undefined;
60
+ }): SecureStoreAccessor | undefined;
61
+ //# sourceMappingURL=secure-store.context-extension.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"secure-store.context-extension.d.ts","sourceRoot":"","sources":["../../../src/auth/secure-store/secure-store.context-extension.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAyB,KAAK,mBAAmB,EAAE,MAAM,gBAAgB,CAAC;AAEjF,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,uCAAuC,CAAC;AAM9E,OAAO,QAAQ,qDAAqD,CAAC;IACnE,UAAU,oBAAoB;QAC5B;;;;;;;;;;;;;;;;;;;;;WAqBG;QACH,QAAQ,CAAC,WAAW,EAAE,mBAAmB,CAAC;KAC3C;CACF;AAMD;;;;GAIG;AACH,eAAO,MAAM,2BAA2B,EAAE,gBAMzC,CAAC;AAMF;;;GAGG;AACH,wBAAgB,cAAc,CAAC,GAAG,EAAE;IAAE,GAAG,EAAE,CAAC,CAAC,EAAE,KAAK,EAAE,OAAO,KAAK,CAAC,CAAA;CAAE,GAAG,mBAAmB,CAE1F;AAED;;;GAGG;AACH,wBAAgB,iBAAiB,CAAC,GAAG,EAAE;IACrC,MAAM,EAAE,CAAC,CAAC,EAAE,KAAK,EAAE,OAAO,KAAK,CAAC,GAAG,SAAS,CAAC;CAC9C,GAAG,mBAAmB,GAAG,SAAS,CAElC"}