@frontmcp/sdk 1.3.0 → 1.4.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (186) hide show
  1. package/README.md +65 -60
  2. package/agent/agent.scope.d.ts +164 -0
  3. package/agent/agent.scope.d.ts.map +1 -1
  4. package/app/instances/app.esm.instance.d.ts.map +1 -1
  5. package/app/instances/app.remote.instance.d.ts.map +1 -1
  6. package/auth/auth-ui/auth-ui.contract.d.ts +149 -0
  7. package/auth/auth-ui/auth-ui.contract.d.ts.map +1 -0
  8. package/auth/auth-ui/auth-ui.registry.d.ts +151 -0
  9. package/auth/auth-ui/auth-ui.registry.d.ts.map +1 -0
  10. package/auth/auth-ui/auth-ui.render.d.ts +49 -0
  11. package/auth/auth-ui/auth-ui.render.d.ts.map +1 -0
  12. package/auth/auth-ui/auth-ui.state.d.ts +62 -0
  13. package/auth/auth-ui/auth-ui.state.d.ts.map +1 -0
  14. package/auth/auth-ui/index.d.ts +24 -0
  15. package/auth/auth-ui/index.d.ts.map +1 -0
  16. package/auth/auth.registry.d.ts.map +1 -1
  17. package/auth/authorized-apps.utils.d.ts +51 -0
  18. package/auth/authorized-apps.utils.d.ts.map +1 -0
  19. package/auth/consent-tools.helper.d.ts +26 -0
  20. package/auth/consent-tools.helper.d.ts.map +1 -0
  21. package/auth/consent.utils.d.ts +62 -0
  22. package/auth/consent.utils.d.ts.map +1 -0
  23. package/auth/credentials/credentials.context-extension.d.ts +63 -0
  24. package/auth/credentials/credentials.context-extension.d.ts.map +1 -0
  25. package/auth/credentials/credentials.providers.d.ts +40 -0
  26. package/auth/credentials/credentials.providers.d.ts.map +1 -0
  27. package/auth/credentials/index.d.ts +3 -0
  28. package/auth/credentials/index.d.ts.map +1 -0
  29. package/auth/flows/auth.verify.flow.d.ts.map +1 -1
  30. package/auth/flows/oauth.auth-ui.flow.d.ts +53 -0
  31. package/auth/flows/oauth.auth-ui.flow.d.ts.map +1 -0
  32. package/auth/flows/oauth.authorize.flow.d.ts +51 -9
  33. package/auth/flows/oauth.authorize.flow.d.ts.map +1 -1
  34. package/auth/flows/oauth.callback.flow.d.ts +118 -5
  35. package/auth/flows/oauth.callback.flow.d.ts.map +1 -1
  36. package/auth/flows/oauth.connect.flow.d.ts +89 -0
  37. package/auth/flows/oauth.connect.flow.d.ts.map +1 -0
  38. package/auth/flows/oauth.provider-callback.flow.d.ts +34 -4
  39. package/auth/flows/oauth.provider-callback.flow.d.ts.map +1 -1
  40. package/auth/flows/oauth.register.flow.d.ts +16 -20
  41. package/auth/flows/oauth.register.flow.d.ts.map +1 -1
  42. package/auth/flows/oauth.token.flow.d.ts +2 -2
  43. package/auth/flows/oauth.token.flow.d.ts.map +1 -1
  44. package/auth/flows/oauth.userinfo.flow.d.ts +67 -0
  45. package/auth/flows/oauth.userinfo.flow.d.ts.map +1 -0
  46. package/auth/flows/session.verify.flow.d.ts +2 -2
  47. package/auth/flows/session.verify.flow.d.ts.map +1 -1
  48. package/auth/flows/well-known.jwks.flow.d.ts +3 -3
  49. package/auth/flows/well-known.oauth-authorization-server.flow.d.ts +3 -2
  50. package/auth/flows/well-known.oauth-authorization-server.flow.d.ts.map +1 -1
  51. package/auth/flows/well-known.prm.flow.d.ts +1 -1
  52. package/auth/flows/well-known.prm.flow.d.ts.map +1 -1
  53. package/auth/instances/instance.local-primary-auth.d.ts +226 -12
  54. package/auth/instances/instance.local-primary-auth.d.ts.map +1 -1
  55. package/auth/secure-store/index.d.ts +3 -0
  56. package/auth/secure-store/index.d.ts.map +1 -0
  57. package/auth/secure-store/secure-store.context-extension.d.ts +61 -0
  58. package/auth/secure-store/secure-store.context-extension.d.ts.map +1 -0
  59. package/auth/secure-store/secure-store.providers.d.ts +36 -0
  60. package/auth/secure-store/secure-store.providers.d.ts.map +1 -0
  61. package/common/decorators/agent.decorator.d.ts +32 -0
  62. package/common/decorators/agent.decorator.d.ts.map +1 -1
  63. package/common/decorators/app.decorator.d.ts.map +1 -1
  64. package/common/decorators/front-mcp.decorator.d.ts.map +1 -1
  65. package/common/decorators/skill.decorator.d.ts.map +1 -1
  66. package/common/decorators/tool.decorator.d.ts +44 -0
  67. package/common/decorators/tool.decorator.d.ts.map +1 -1
  68. package/common/entries/scope.entry.d.ts +7 -0
  69. package/common/entries/scope.entry.d.ts.map +1 -1
  70. package/common/entries/skill.entry.d.ts +22 -1
  71. package/common/entries/skill.entry.d.ts.map +1 -1
  72. package/common/entries/tool.entry.d.ts +17 -0
  73. package/common/entries/tool.entry.d.ts.map +1 -1
  74. package/common/interfaces/internal/primary-auth-provider.interface.d.ts +18 -0
  75. package/common/interfaces/internal/primary-auth-provider.interface.d.ts.map +1 -1
  76. package/common/interfaces/tool.interface.d.ts +26 -0
  77. package/common/interfaces/tool.interface.d.ts.map +1 -1
  78. package/common/metadata/app.metadata.d.ts +472 -0
  79. package/common/metadata/app.metadata.d.ts.map +1 -1
  80. package/common/metadata/front-mcp.metadata.d.ts +1773 -52
  81. package/common/metadata/front-mcp.metadata.d.ts.map +1 -1
  82. package/common/metadata/index.d.ts +1 -0
  83. package/common/metadata/index.d.ts.map +1 -1
  84. package/common/metadata/output-policy.d.ts +82 -0
  85. package/common/metadata/output-policy.d.ts.map +1 -0
  86. package/common/metadata/skill.metadata.d.ts +45 -1
  87. package/common/metadata/skill.metadata.d.ts.map +1 -1
  88. package/common/metadata/tool-ui.metadata.d.ts +1 -1
  89. package/common/metadata/tool-ui.metadata.d.ts.map +1 -1
  90. package/common/metadata/tool.metadata.d.ts +65 -0
  91. package/common/metadata/tool.metadata.d.ts.map +1 -1
  92. package/common/schemas/http-output.schema.d.ts +25 -25
  93. package/common/schemas/http-output.schema.d.ts.map +1 -1
  94. package/common/tokens/app.tokens.d.ts.map +1 -1
  95. package/common/tokens/front-mcp.tokens.d.ts.map +1 -1
  96. package/common/tokens/skill.tokens.d.ts +2 -0
  97. package/common/tokens/skill.tokens.d.ts.map +1 -1
  98. package/common/tokens/tool.tokens.d.ts +1 -0
  99. package/common/tokens/tool.tokens.d.ts.map +1 -1
  100. package/common/types/auth/session.types.d.ts +2 -2
  101. package/common/types/options/auth/index.d.ts +4 -4
  102. package/common/types/options/auth/index.d.ts.map +1 -1
  103. package/common/types/options/auth/interfaces.d.ts +1 -1
  104. package/common/types/options/auth/interfaces.d.ts.map +1 -1
  105. package/common/types/options/auth/orchestrated.schema.d.ts +1 -1
  106. package/common/types/options/auth/orchestrated.schema.d.ts.map +1 -1
  107. package/common/types/options/auth/shared.schemas.d.ts +2 -2
  108. package/common/types/options/auth/shared.schemas.d.ts.map +1 -1
  109. package/common/types/options/http/index.d.ts +1 -1
  110. package/common/types/options/http/index.d.ts.map +1 -1
  111. package/common/types/options/http/interfaces.d.ts +56 -1
  112. package/common/types/options/http/interfaces.d.ts.map +1 -1
  113. package/common/types/options/http/schema.d.ts +15 -0
  114. package/common/types/options/http/schema.d.ts.map +1 -1
  115. package/common/types/options/session/schema.d.ts +3 -3
  116. package/common/types/options/transport/schema.d.ts +1 -1
  117. package/common/utils/caller-dir.utils.d.ts +15 -0
  118. package/common/utils/caller-dir.utils.d.ts.map +1 -0
  119. package/common/utils/index.d.ts +1 -0
  120. package/common/utils/index.d.ts.map +1 -1
  121. package/errors/index.d.ts +3 -1
  122. package/errors/index.d.ts.map +1 -1
  123. package/errors/mcp.error.d.ts +36 -2
  124. package/errors/mcp.error.d.ts.map +1 -1
  125. package/errors/tool-credentials-required.error.d.ts +70 -0
  126. package/errors/tool-credentials-required.error.d.ts.map +1 -0
  127. package/esm/index.mjs +6553 -2688
  128. package/flows/flow.instance.d.ts.map +1 -1
  129. package/front-mcp/front-mcp.d.ts +52 -32
  130. package/front-mcp/front-mcp.d.ts.map +1 -1
  131. package/front-mcp/front-mcp.providers.d.ts +700 -8
  132. package/front-mcp/front-mcp.providers.d.ts.map +1 -1
  133. package/index.d.ts +29 -4
  134. package/index.d.ts.map +1 -1
  135. package/index.js +7138 -3307
  136. package/package.json +28 -29
  137. package/scope/flows/http.request.flow.d.ts +18 -1
  138. package/scope/flows/http.request.flow.d.ts.map +1 -1
  139. package/scope/optional-dependency.util.d.ts +39 -0
  140. package/scope/optional-dependency.util.d.ts.map +1 -0
  141. package/scope/scope.instance.d.ts +17 -0
  142. package/scope/scope.instance.d.ts.map +1 -1
  143. package/scope/scope.utils.d.ts.map +1 -1
  144. package/server/adapters/express.host.adapter.d.ts.map +1 -1
  145. package/server/custom-routes.helper.d.ts +81 -0
  146. package/server/custom-routes.helper.d.ts.map +1 -0
  147. package/skill/flows/http/llm-full-txt.flow.d.ts +1 -1
  148. package/skill/flows/http/llm-txt.flow.d.ts +1 -1
  149. package/skill/flows/http/skills-api.flow.d.ts +18 -1
  150. package/skill/flows/http/skills-api.flow.d.ts.map +1 -1
  151. package/skill/flows/load-skill.flow.d.ts +7 -0
  152. package/skill/flows/load-skill.flow.d.ts.map +1 -1
  153. package/skill/flows/search-skills.flow.d.ts +13 -0
  154. package/skill/flows/search-skills.flow.d.ts.map +1 -1
  155. package/skill/index.d.ts +1 -0
  156. package/skill/index.d.ts.map +1 -1
  157. package/skill/sep-2640/resources/skill-file.resource.d.ts.map +1 -1
  158. package/skill/sep-2640/resources/skill-index.resource.d.ts.map +1 -1
  159. package/skill/sep-2640/resources/skill-md.resource.d.ts.map +1 -1
  160. package/skill/sep-2640/sep-2640.per-skill.d.ts.map +1 -1
  161. package/skill/skill-authorities.helper.d.ts +100 -0
  162. package/skill/skill-authorities.helper.d.ts.map +1 -0
  163. package/skill/skill.instance.d.ts.map +1 -1
  164. package/skill/skill.registry.d.ts +34 -0
  165. package/skill/skill.registry.d.ts.map +1 -1
  166. package/task/helpers/cli-task-runner.d.ts.map +1 -1
  167. package/tool/flows/call-tool.flow.d.ts +26 -1
  168. package/tool/flows/call-tool.flow.d.ts.map +1 -1
  169. package/tool/flows/tool-credentials.gate.d.ts +31 -0
  170. package/tool/flows/tool-credentials.gate.d.ts.map +1 -0
  171. package/tool/flows/tools-list.flow.d.ts.map +1 -1
  172. package/tool/tool.instance.d.ts.map +1 -1
  173. package/tool/ui/index.d.ts +1 -1
  174. package/tool/ui/index.d.ts.map +1 -1
  175. package/tool/ui/ui-resource.handler.d.ts.map +1 -1
  176. package/tool/ui/ui-shared.d.ts +33 -1
  177. package/tool/ui/ui-shared.d.ts.map +1 -1
  178. package/transport/adapters/transport.local.adapter.d.ts.map +1 -1
  179. package/transport/flows/handle.sse.flow.d.ts +1 -1
  180. package/transport/flows/handle.streamable-http.flow.d.ts +58 -1
  181. package/transport/flows/handle.streamable-http.flow.d.ts.map +1 -1
  182. package/transport/mcp-handlers/call-tool-request.handler.d.ts.map +1 -1
  183. package/transport/mcp-handlers/read-resource-request.handler.d.ts.map +1 -1
  184. package/transport/mcp-handlers/skills-list-request.handler.d.ts.map +1 -1
  185. package/transport/mcp-handlers/skills-load-request.handler.d.ts.map +1 -1
  186. package/transport/mcp-handlers/skills-search-request.handler.d.ts.map +1 -1
@@ -0,0 +1,151 @@
1
+ /**
2
+ * Auth-UI Registry (#469 — slot→file map + name→handler map).
3
+ *
4
+ * Built per OAuth scope from the scope's resolved auth options:
5
+ * - `auth.ui` — a {@link AuthSlot} → relative `.tsx`/`.jsx` PATH map, and
6
+ * - `auth.extras` — an extra-name → server HANDLER function map.
7
+ *
8
+ * It resolves each slot's file against the scope's captured source directory
9
+ * (the `@FrontMcp`/`@App` `__sourceDir`; absolute paths pass through) and owns
10
+ * the cross-cutting SERVER-side concerns the client contract delegates to the
11
+ * server:
12
+ * - CSRF minting + verifying (per pending-auth id),
13
+ * - the per-(pending-auth, extra) ACCUMULATOR that backs `useAddedItems(name)`,
14
+ * - the per-slot {@link AuthUiFileSource} the page builder transpiles.
15
+ *
16
+ * The auth pages render ENTIRELY in the browser from a server-side single-file
17
+ * TRANSFORM routed through `@frontmcp/uipack`'s pluggable `renderComponent`: the
18
+ * slot's `.tsx` is transpiled with esbuild `transformSync` (deps stay external)
19
+ * and inlined as a `<script type="module">`, with react / react-dom /
20
+ * `@frontmcp/ui/auth` loaded from esm.sh via an import-map. The server NEVER
21
+ * imports, bundles, or evaluates the component — no IIFE bundle, no served `.js`.
22
+ *
23
+ * When NO file is registered for a slot, the flows fall back to the built-in
24
+ * HTML pages unchanged (the no-config default). No PII is stored — the
25
+ * accumulator holds whatever items the developer's extra handler accepted
26
+ * (their responsibility), keyed by opaque pending-auth id.
27
+ *
28
+ * @packageDocumentation
29
+ */
30
+ import { type AuthExtraHandler } from '@frontmcp/auth';
31
+ import { type FrontMcpLogger } from '../../common';
32
+ import { type AuthSlot, type AuthUiFileSource } from './auth-ui.contract';
33
+ /**
34
+ * The JSON returned to the client from an extra submit. Mirrors the client
35
+ * `AuthExtraResult` shape — `addedItems` here is the FULL accumulator MAP keyed
36
+ * by extra name (not the handler's per-call new-items list).
37
+ */
38
+ export interface AuthExtraRunResult {
39
+ ok: boolean;
40
+ error?: string;
41
+ addedItems?: Record<string, unknown[]>;
42
+ sideEffects?: Record<string, unknown>;
43
+ }
44
+ /**
45
+ * Registry of custom auth-UI slot files + extra handlers for a scope.
46
+ */
47
+ export declare class AuthUiRegistry {
48
+ private readonly slots;
49
+ private readonly extras;
50
+ private readonly pending;
51
+ private readonly logger?;
52
+ /**
53
+ * Optional per-specifier resolver overrides applied when building the page's
54
+ * import-map (e.g. mapping `@frontmcp/ui/auth` to a locally-served ESM URL in
55
+ * dev / offline, where it isn't on esm.sh).
56
+ */
57
+ private resolverOverrides?;
58
+ constructor(logger?: FrontMcpLogger);
59
+ /**
60
+ * Register the `auth.ui` slot→file map. Each relative path is resolved against
61
+ * `sourceDir` (the declaring `@FrontMcp`/`@App` directory); absolute paths pass
62
+ * through. Later registrations for the same slot win (so a scope can override a
63
+ * server-level default).
64
+ */
65
+ registerAuthUiMap(map: Partial<Record<AuthSlot, string>> | undefined, sourceDir: string): void;
66
+ /**
67
+ * Register the `auth.extras` name→handler map. Each value must be a function
68
+ * `(input, ctx) => AuthExtraResult | Promise<AuthExtraResult>`.
69
+ */
70
+ registerAuthExtrasMap(map: Record<string, AuthExtraHandler> | undefined): void;
71
+ /**
72
+ * Set per-specifier import-map overrides for the page builder. Use in dev /
73
+ * offline to point `@frontmcp/ui/auth` (not on esm.sh in a monorepo) at a
74
+ * locally-served ESM URL.
75
+ */
76
+ setResolverOverrides(overrides: Record<string, string> | undefined): void;
77
+ /** The configured import-map overrides (undefined when none). */
78
+ getResolverOverrides(): Record<string, string> | undefined;
79
+ /** Whether any custom slot file is registered. */
80
+ hasAny(): boolean;
81
+ /** Whether a custom file is registered for `slot`. */
82
+ hasSlot(slot: AuthSlot): boolean;
83
+ /** Whether any extra handler is registered. */
84
+ hasExtras(): boolean;
85
+ /**
86
+ * The file-based source for a slot, or `undefined` when the slot is
87
+ * unregistered or previously failed to build (error cached). Used by the page
88
+ * builder to transpile the `.tsx` server-side.
89
+ */
90
+ getSlotSource(slot: AuthSlot): AuthUiFileSource | undefined;
91
+ /**
92
+ * Whether a slot can be rendered — i.e. a file is registered for it (and it
93
+ * hasn't recorded a build error). Used by the page assembler to decide between
94
+ * the custom page and the built-in fallback.
95
+ */
96
+ canRenderSlot(slot: AuthSlot): boolean;
97
+ /**
98
+ * Record a transform/build error for a slot so a broken file isn't
99
+ * re-transpiled on every request (the slot then falls back to the built-in
100
+ * page). Called by the page builder when the transform throws.
101
+ */
102
+ recordSlotError(slot: AuthSlot, message: string): void;
103
+ /**
104
+ * Mint (or reuse) the CSRF token for a pending-auth id and return it. The
105
+ * token is stored server-side and echoed into {@link AuthFlowState.csrfToken}.
106
+ */
107
+ mintCsrf(pendingAuthId: string): string;
108
+ /**
109
+ * Look up a pending-ui entry, enforcing the TTL at read time: an expired entry
110
+ * is deleted and treated as absent. This guarantees a stale token can never
111
+ * validate even if no prune-triggering write happened after it expired.
112
+ */
113
+ private getActivePending;
114
+ /**
115
+ * Verify a submitted CSRF token against the minted one for this pending-auth.
116
+ * Returns false on any mismatch / unknown / expired pending id (caller rejects 400).
117
+ */
118
+ verifyCsrf(pendingAuthId: string | undefined, submitted: string | undefined): boolean;
119
+ /**
120
+ * Current accumulators for a pending-auth id (empty when none yet). Returns a
121
+ * DEEP copy — each array is cloned — so callers (e.g. an extra handler reading
122
+ * `ctx.current`) can never mutate the internal accumulator by reference.
123
+ */
124
+ getAddedItems(pendingAuthId: string | undefined): Record<string, unknown[]>;
125
+ /** Append accepted items to an extra's accumulator and return the full map. */
126
+ appendItems(pendingAuthId: string, extraName: string, items: unknown[]): Record<string, unknown[]>;
127
+ private ensurePending;
128
+ private pruneExpired;
129
+ /** Whether a handler is registered for `name`. */
130
+ hasExtra(name: string): boolean;
131
+ /**
132
+ * Route an extra submission to its registered handler. Persists accepted items
133
+ * into the per-pending-auth accumulator and returns the full result including
134
+ * the updated `addedItems` map (so the client refreshes without a reload).
135
+ * Returns `{ ok:false }` when no handler is registered for `name`.
136
+ *
137
+ * Note: the returned `addedItems` is the FULL accumulator MAP (keyed by extra
138
+ * name) — the client `AuthExtraResult` shape — not the handler's per-call
139
+ * `addedItems` (which is the list of NEW items).
140
+ */
141
+ runExtra(name: string, pendingAuthId: string | undefined, input: Record<string, unknown>): Promise<AuthExtraRunResult>;
142
+ /**
143
+ * Validate every registered slot's source at startup (mirroring tool-ui's
144
+ * `compileUIWidgets`): a missing / non-`.tsx` file is caught lazily at first
145
+ * render and cached as an error so the slot falls back to the built-in page
146
+ * instead of failing the request. This is just a cheap preflight log; it never
147
+ * throws — a broken component must not take the server down.
148
+ */
149
+ warmup(): Promise<void>;
150
+ }
151
+ //# sourceMappingURL=auth-ui.registry.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"auth-ui.registry.d.ts","sourceRoot":"","sources":["../../../src/auth/auth-ui/auth-ui.registry.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AACH,OAAO,EAAyB,KAAK,gBAAgB,EAAwB,MAAM,gBAAgB,CAAC;AAGpG,OAAO,EAAE,KAAK,cAAc,EAAE,MAAM,cAAc,CAAC;AACnD,OAAO,EAAE,KAAK,QAAQ,EAAE,KAAK,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAK1E;;;;GAIG;AACH,MAAM,WAAW,kBAAkB;IACjC,EAAE,EAAE,OAAO,CAAC;IACZ,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,EAAE,CAAC,CAAC;IACvC,WAAW,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACvC;AAqBD;;GAEG;AACH,qBAAa,cAAc;IACzB,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAkC;IACxD,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAuC;IAC9D,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAyC;IACjE,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAiB;IACzC;;;;OAIG;IACH,OAAO,CAAC,iBAAiB,CAAC,CAAyB;gBAEvC,MAAM,CAAC,EAAE,cAAc;IAInC;;;;;OAKG;IACH,iBAAiB,CAAC,GAAG,EAAE,OAAO,CAAC,MAAM,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,GAAG,SAAS,EAAE,SAAS,EAAE,MAAM,GAAG,IAAI;IAc9F;;;OAGG;IACH,qBAAqB,CAAC,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,gBAAgB,CAAC,GAAG,SAAS,GAAG,IAAI;IAW9E;;;;OAIG;IACH,oBAAoB,CAAC,SAAS,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,SAAS,GAAG,IAAI;IAIzE,iEAAiE;IACjE,oBAAoB,IAAI,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,SAAS;IAI1D,kDAAkD;IAClD,MAAM,IAAI,OAAO;IAIjB,sDAAsD;IACtD,OAAO,CAAC,IAAI,EAAE,QAAQ,GAAG,OAAO;IAIhC,+CAA+C;IAC/C,SAAS,IAAI,OAAO;IAQpB;;;;OAIG;IACH,aAAa,CAAC,IAAI,EAAE,QAAQ,GAAG,gBAAgB,GAAG,SAAS;IAM3D;;;;OAIG;IACH,aAAa,CAAC,IAAI,EAAE,QAAQ,GAAG,OAAO;IAItC;;;;OAIG;IACH,eAAe,CAAC,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,GAAG,IAAI;IAYtD;;;OAGG;IACH,QAAQ,CAAC,aAAa,EAAE,MAAM,GAAG,MAAM;IASvC;;;;OAIG;IACH,OAAO,CAAC,gBAAgB;IAUxB;;;OAGG;IACH,UAAU,CAAC,aAAa,EAAE,MAAM,GAAG,SAAS,EAAE,SAAS,EAAE,MAAM,GAAG,SAAS,GAAG,OAAO;IAWrF;;;;OAIG;IACH,aAAa,CAAC,aAAa,EAAE,MAAM,GAAG,SAAS,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,EAAE,CAAC;IAO3E,+EAA+E;IAC/E,WAAW,CAAC,aAAa,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,EAAE,CAAC;IAOlG,OAAO,CAAC,aAAa;IAYrB,OAAO,CAAC,YAAY;IAWpB,kDAAkD;IAClD,QAAQ,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO;IAI/B;;;;;;;;;OASG;IACG,QAAQ,CACZ,IAAI,EAAE,MAAM,EACZ,aAAa,EAAE,MAAM,GAAG,SAAS,EACjC,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAC7B,OAAO,CAAC,kBAAkB,CAAC;IAqC9B;;;;;;OAMG;IACG,MAAM,IAAI,OAAO,CAAC,IAAI,CAAC;CAQ9B"}
@@ -0,0 +1,49 @@
1
+ import { AUTH_MOUNT_ID, type AuthFlowState, type AuthSlot } from './auth-ui.contract';
2
+ import { type AuthUiRegistry } from './auth-ui.registry';
3
+ /**
4
+ * The mount id the client renders into. Re-exported from the server-owned
5
+ * contract so the shell and (via the wire contract) the `@frontmcp/ui/auth`
6
+ * client mount agree on a single value.
7
+ */
8
+ export { AUTH_MOUNT_ID };
9
+ /** Path the auth extra submissions POST to (action discriminates the extra). */
10
+ export declare function authUiExtraPath(fullPath: string): string;
11
+ /**
12
+ * The Content-Security-Policy for an auth-UI page.
13
+ *
14
+ * Allows `https://esm.sh` for module scripts + connections + styles (the
15
+ * import-map resolves every dependency there) and `'unsafe-inline'` for scripts
16
+ * (only the server-controlled, JSON-escaped state `<script>` is inline; never
17
+ * user input). It does NOT include `'unsafe-eval'` — the TSX→JS transform is
18
+ * done server-side, so the browser never evals source. Framing is denied to
19
+ * prevent clickjacking of the login / consent form.
20
+ */
21
+ export declare const AUTH_UI_CSP: string;
22
+ /**
23
+ * Build the auth security headers for an auth-UI page (CSP + anti-clickjacking).
24
+ *
25
+ * @param csp - Override the CSP value (defaults to {@link AUTH_UI_CSP}).
26
+ */
27
+ export declare function authUiPageHeaders(csp?: string): Record<string, string>;
28
+ /** Convenience wrapper used by the OAuth flows. Same as `authUiPageHeaders()`. */
29
+ export declare function authUiSecurityHeaders(): Record<string, string>;
30
+ /**
31
+ * Build the complete auth-UI HTML page for a slot.
32
+ *
33
+ * Returns `undefined` when the registry has no file for the slot — the caller
34
+ * then renders the built-in page (defaults preserved). On a transform/read
35
+ * failure the error is cached on the registry (so a broken file isn't
36
+ * re-transpiled every request) and `undefined` is returned (fallback).
37
+ */
38
+ export declare function buildAuthUiPage(options: {
39
+ registry: AuthUiRegistry;
40
+ slot: AuthSlot;
41
+ state: AuthFlowState;
42
+ fullPath: string;
43
+ /** Page <title> (defaults to a slot-appropriate label). */
44
+ title?: string;
45
+ }): {
46
+ html: string;
47
+ headers: Record<string, string>;
48
+ } | undefined;
49
+ //# sourceMappingURL=auth-ui.render.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"auth-ui.render.d.ts","sourceRoot":"","sources":["../../../src/auth/auth-ui/auth-ui.render.ts"],"names":[],"mappings":"AA+CA,OAAO,EAAwB,aAAa,EAAE,KAAK,aAAa,EAAE,KAAK,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC5G,OAAO,EAAE,KAAK,cAAc,EAAE,MAAM,oBAAoB,CAAC;AAEzD;;;;GAIG;AACH,OAAO,EAAE,aAAa,EAAE,CAAC;AAEzB,gFAAgF;AAChF,wBAAgB,eAAe,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CAIxD;AAED;;;;;;;;;GASG;AACH,eAAO,MAAM,WAAW,QASZ,CAAC;AAEb;;;;GAIG;AACH,wBAAgB,iBAAiB,CAAC,GAAG,GAAE,MAAoB,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAOnF;AAED,kFAAkF;AAClF,wBAAgB,qBAAqB,IAAI,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAE9D;AAiBD;;;;;;;GAOG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE;IACvC,QAAQ,EAAE,cAAc,CAAC;IACzB,IAAI,EAAE,QAAQ,CAAC;IACf,KAAK,EAAE,aAAa,CAAC;IACrB,QAAQ,EAAE,MAAM,CAAC;IACjB,2DAA2D;IAC3D,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,GAAG;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;CAAE,GAAG,SAAS,CAwChE"}
@@ -0,0 +1,62 @@
1
+ /**
2
+ * Per-slot {@link AuthFlowState} builders (#469, stage 2).
3
+ *
4
+ * Each builder maps the values an OAuth flow ALREADY computes for its built-in
5
+ * page (the same inputs fed to `renderLocalLoginPage` / `buildToolConsentPage` /
6
+ * `buildFederatedLoginPage` / `buildIncrementalAuthPage`) into the stage-1
7
+ * contract shape, plus the server-owned `csrfToken`, `submitUrl`, `extraUrl`,
8
+ * and accumulated `addedItems`. No PII is added — identity the user types is
9
+ * carried by the developer's own form fields, never serialized here.
10
+ *
11
+ * @packageDocumentation
12
+ */
13
+ import { type AuthFlowState, type AuthProvider, type AuthTool } from './auth-ui.contract';
14
+ /** Common server-owned fields every interactive slot needs. */
15
+ interface SlotCommon {
16
+ pendingAuthId: string;
17
+ /** The scope's `${fullPath}/oauth/callback` submit target. */
18
+ submitUrl: string;
19
+ /** The `${fullPath}/oauth/ui/extra` endpoint for `@AuthExtra` submits. */
20
+ extraUrl: string;
21
+ /** Minted CSRF token for this pending auth. */
22
+ csrfToken: string;
23
+ /** Server-side accumulators for this pending auth (keyed by extra name). */
24
+ addedItems?: Record<string, unknown[]>;
25
+ }
26
+ /** Build the `login` slot state. */
27
+ export declare function buildLoginState(common: SlotCommon, data: {
28
+ clientId: string;
29
+ clientName?: string;
30
+ scopes: string[];
31
+ redirectUri: string;
32
+ logoUri?: string;
33
+ }): AuthFlowState;
34
+ /** Build the `consent` slot state. */
35
+ export declare function buildConsentState(common: SlotCommon, data: {
36
+ clientId: string;
37
+ clientName?: string;
38
+ tools: AuthTool[];
39
+ redirectUri?: string;
40
+ }): AuthFlowState;
41
+ /** Build the `federated` slot state. */
42
+ export declare function buildFederatedState(common: SlotCommon, data: {
43
+ clientId: string;
44
+ clientName?: string;
45
+ providers: AuthProvider[];
46
+ redirectUri: string;
47
+ }): AuthFlowState;
48
+ /** Build the `incremental` slot state. */
49
+ export declare function buildIncrementalState(common: SlotCommon, data: {
50
+ appId: string;
51
+ appName: string;
52
+ appDescription?: string;
53
+ toolId?: string;
54
+ redirectUri: string;
55
+ }): AuthFlowState;
56
+ /** Build the `error` slot state (may have no pending auth yet). */
57
+ export declare function buildErrorState(data: {
58
+ error: string;
59
+ pendingAuthId?: string;
60
+ }): AuthFlowState;
61
+ export {};
62
+ //# sourceMappingURL=auth-ui.state.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"auth-ui.state.d.ts","sourceRoot":"","sources":["../../../src/auth/auth-ui/auth-ui.state.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AACH,OAAO,EAAoB,KAAK,aAAa,EAAE,KAAK,YAAY,EAAE,KAAK,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAE5G,+DAA+D;AAC/D,UAAU,UAAU;IAClB,aAAa,EAAE,MAAM,CAAC;IACtB,8DAA8D;IAC9D,SAAS,EAAE,MAAM,CAAC;IAClB,0EAA0E;IAC1E,QAAQ,EAAE,MAAM,CAAC;IACjB,+CAA+C;IAC/C,SAAS,EAAE,MAAM,CAAC;IAClB,4EAA4E;IAC5E,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,EAAE,CAAC,CAAC;CACxC;AAED,oCAAoC;AACpC,wBAAgB,eAAe,CAC7B,MAAM,EAAE,UAAU,EAClB,IAAI,EAAE;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,UAAU,CAAC,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,EAAE,CAAC;IAAC,WAAW,EAAE,MAAM,CAAC;IAAC,OAAO,CAAC,EAAE,MAAM,CAAA;CAAE,GACvG,aAAa,CAcf;AAED,sCAAsC;AACtC,wBAAgB,iBAAiB,CAC/B,MAAM,EAAE,UAAU,EAClB,IAAI,EAAE;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,UAAU,CAAC,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,QAAQ,EAAE,CAAC;IAAC,WAAW,CAAC,EAAE,MAAM,CAAA;CAAE,GACvF,aAAa,CAaf;AAED,wCAAwC;AACxC,wBAAgB,mBAAmB,CACjC,MAAM,EAAE,UAAU,EAClB,IAAI,EAAE;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,UAAU,CAAC,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,YAAY,EAAE,CAAC;IAAC,WAAW,EAAE,MAAM,CAAA;CAAE,GAC9F,aAAa,CAef;AAED,0CAA0C;AAC1C,wBAAgB,qBAAqB,CACnC,MAAM,EAAE,UAAU,EAClB,IAAI,EAAE;IAAE,KAAK,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC;IAAC,cAAc,CAAC,EAAE,MAAM,CAAC;IAAC,MAAM,CAAC,EAAE,MAAM,CAAC;IAAC,WAAW,EAAE,MAAM,CAAA;CAAE,GACtG,aAAa,CAiBf;AAED,mEAAmE;AACnE,wBAAgB,eAAe,CAAC,IAAI,EAAE;IAAE,KAAK,EAAE,MAAM,CAAC;IAAC,aAAa,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,aAAa,CAM9F"}
@@ -0,0 +1,24 @@
1
+ /**
2
+ * Custom authorization-UI wiring (#469 — slot→file map + name→handler map).
3
+ *
4
+ * For each OAuth flow slot the server TRANSFORMS the developer's registered
5
+ * `.tsx` ONCE (esbuild `transformSync`, single file — deps stay external) via
6
+ * `@frontmcp/uipack`'s pluggable `renderComponent`, inlines it as a `<script
7
+ * type="module">`, and loads react / react-dom / `@frontmcp/ui/auth` from esm.sh
8
+ * via an import-map. `@frontmcp/ui/auth`'s `mountAuthPage` renders the component
9
+ * client-side into the empty `#frontmcp-auth-root` mount, honoring the
10
+ * framework-free `@frontmcp/ui/auth` contract (the server holds a matching,
11
+ * server-owned write-shape in `auth-ui.contract.ts`). There is NO bundling and
12
+ * the server never imports or evaluates the component, nor `@frontmcp/ui`.
13
+ *
14
+ * Registration is the `auth.ui` / `auth.extras` maps on the auth config — there
15
+ * is no decorator and no class. See `@frontmcp/auth`'s `AuthUiMap` /
16
+ * `AuthExtraHandler`.
17
+ *
18
+ * @packageDocumentation
19
+ */
20
+ export { AUTH_FLOW_GLOBAL_KEY, type AuthFlowState, type AuthSlot, type AuthProvider, type AuthTool, type AuthExtraResult, type AuthUiFileSource, } from './auth-ui.contract';
21
+ export { AuthUiRegistry, type AuthExtraRunResult } from './auth-ui.registry';
22
+ export { AUTH_MOUNT_ID, AUTH_UI_CSP, authUiExtraPath, authUiPageHeaders, authUiSecurityHeaders, buildAuthUiPage, } from './auth-ui.render';
23
+ export { buildLoginState, buildConsentState, buildFederatedState, buildIncrementalState, buildErrorState, } from './auth-ui.state';
24
+ //# sourceMappingURL=index.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/auth/auth-ui/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAGH,OAAO,EACL,oBAAoB,EACpB,KAAK,aAAa,EAClB,KAAK,QAAQ,EACb,KAAK,YAAY,EACjB,KAAK,QAAQ,EACb,KAAK,eAAe,EACpB,KAAK,gBAAgB,GACtB,MAAM,oBAAoB,CAAC;AAG5B,OAAO,EAAE,cAAc,EAAE,KAAK,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AAG7E,OAAO,EACL,aAAa,EACb,WAAW,EACX,eAAe,EACf,iBAAiB,EACjB,qBAAqB,EACrB,eAAe,GAChB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EACL,eAAe,EACf,iBAAiB,EACjB,mBAAmB,EACnB,qBAAqB,EACrB,eAAe,GAChB,MAAM,iBAAiB,CAAC"}
@@ -1 +1 @@
1
- {"version":3,"file":"auth.registry.d.ts","sourceRoot":"","sources":["../../src/auth/auth.registry.ts"],"names":[],"mappings":"AACA,OAAO,kBAAkB,CAAC;AAE1B,OAAO,EAAyC,KAAK,2BAA2B,EAAE,MAAM,gBAAgB,CAAC;AAGzG,OAAO,EAEL,YAAY,EASZ,KAAK,gBAAgB,EACrB,KAAK,iBAAiB,EACtB,KAAK,kBAAkB,EACvB,KAAK,gBAAgB,EACrB,KAAK,aAAa,EAGlB,KAAK,UAAU,EAChB,MAAM,WAAW,CAAC;AAGnB,OAAO,KAAK,gBAAgB,MAAM,+BAA+B,CAAC;AAClE,OAAO,EAAE,gBAAgB,EAAE,KAAK,sBAAsB,EAAE,MAAM,aAAa,CAAC;AAa5E,qBAAa,YAAa,SAAQ,gBAAgB,CAAC,iBAAiB,EAAE,kBAAkB,EAAE,gBAAgB,EAAE,CAAC;IAC3G,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAe;IACxC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAc;IAC5C,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAiB;IACxC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAgB;IAEtC;;OAEG;IACH,QAAQ,CAAC,SAAS,EAAE,2BAA2B,CAAC;IAEhD;;OAEG;IACH,QAAQ,CAAC,qBAAqB,EAAE,OAAO,CAAC;gBAGtC,KAAK,EAAE,UAAU,EACjB,SAAS,EAAE,gBAAgB,EAC3B,QAAQ,EAAE,gBAAgB,EAAE,EAC5B,KAAK,EAAE,aAAa,EACpB,YAAY,CAAC,EAAE,gBAAgB;IA6CjC;;OAEG;IACH,OAAO,CAAC,kBAAkB;IAmB1B;;OAEG;IACH,OAAO,CAAC,cAAc;IA0BtB;;OAEG;IACH,OAAO,CAAC,mBAAmB;IAiB3B;;OAEG;IACH,OAAO,CAAC,qBAAqB;IAsB7B;;OAEG;IACH,OAAO,CAAC,iBAAiB;cAwBN,QAAQ,CAAC,IAAI,EAAE,gBAAgB,EAAE,GAAG,sBAAsB,CAAC,kBAAkB,CAAC;IAgBjG,SAAS,CAAC,UAAU;cAqBJ,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC;IAO3C,UAAU,IAAI,YAAY;IAO1B,gBAAgB,IAAI,iBAAiB,EAAE;CAGxC"}
1
+ {"version":3,"file":"auth.registry.d.ts","sourceRoot":"","sources":["../../src/auth/auth.registry.ts"],"names":[],"mappings":"AACA,OAAO,kBAAkB,CAAC;AAE1B,OAAO,EAAyC,KAAK,2BAA2B,EAAE,MAAM,gBAAgB,CAAC;AAGzG,OAAO,EAEL,YAAY,EASZ,KAAK,gBAAgB,EACrB,KAAK,iBAAiB,EACtB,KAAK,kBAAkB,EACvB,KAAK,gBAAgB,EACrB,KAAK,aAAa,EAGlB,KAAK,UAAU,EAChB,MAAM,WAAW,CAAC;AAGnB,OAAO,KAAK,gBAAgB,MAAM,+BAA+B,CAAC;AAClE,OAAO,EAAE,gBAAgB,EAAE,KAAK,sBAAsB,EAAE,MAAM,aAAa,CAAC;AAa5E,qBAAa,YAAa,SAAQ,gBAAgB,CAAC,iBAAiB,EAAE,kBAAkB,EAAE,gBAAgB,EAAE,CAAC;IAC3G,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAe;IACxC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAc;IAC5C,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAiB;IACxC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAgB;IAEtC;;OAEG;IACH,QAAQ,CAAC,SAAS,EAAE,2BAA2B,CAAC;IAEhD;;OAEG;IACH,QAAQ,CAAC,qBAAqB,EAAE,OAAO,CAAC;gBAGtC,KAAK,EAAE,UAAU,EACjB,SAAS,EAAE,gBAAgB,EAC3B,QAAQ,EAAE,gBAAgB,EAAE,EAC5B,KAAK,EAAE,aAAa,EACpB,YAAY,CAAC,EAAE,gBAAgB;IA6CjC;;OAEG;IACH,OAAO,CAAC,kBAAkB;IAmB1B;;OAEG;IACH,OAAO,CAAC,cAAc;IA0BtB;;OAEG;IACH,OAAO,CAAC,mBAAmB;IAiB3B;;OAEG;IACH,OAAO,CAAC,qBAAqB;IAsB7B;;OAEG;IACH,OAAO,CAAC,iBAAiB;cA4BN,QAAQ,CAAC,IAAI,EAAE,gBAAgB,EAAE,GAAG,sBAAsB,CAAC,kBAAkB,CAAC;IAgBjG,SAAS,CAAC,UAAU;cAqBJ,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC;IAO3C,UAAU,IAAI,YAAY;IAO1B,gBAAgB,IAAI,iBAAiB,EAAE;CAGxC"}
@@ -0,0 +1,51 @@
1
+ /**
2
+ * Progressive/Incremental authorization support.
3
+ *
4
+ * The set of app IDs a verified token may use lives in the `authorized_apps`
5
+ * claim embedded by {@link LocalPrimaryAuth.signAccessToken}. That claim is ONLY
6
+ * present when `incrementalAuth` is enabled for the scope — its ABSENCE is
7
+ * meaningful: no app-level gating (the historical allow-all behavior is
8
+ * preserved). When present, `checkToolAuthorization` enforces that the tool's
9
+ * parent app is a member of the set, and an incremental authorize for a new app
10
+ * mints a fresh token whose claim is the UNION of the prior apps plus the newly
11
+ * authorized one.
12
+ *
13
+ * This mirrors the consent claim model (see `consent.utils.ts`): the grant is
14
+ * carried in verified JWT claims and re-minted via the OAuth code exchange, so
15
+ * it is genuinely enforced rather than tracked in dormant server state.
16
+ */
17
+ /**
18
+ * Minimal `authInfo` projection this helper reads from. The HTTP request flow
19
+ * nests the verified user under `extra.user` (claims spread in via
20
+ * `deriveTypedUser`, so `authorized_apps` is present there); other transports
21
+ * may carry the user at the top level. The verified bearer `token` is the
22
+ * last-resort source — decoding it requires NO re-verification because the
23
+ * token already passed `session:verify` before any tool call runs.
24
+ */
25
+ interface AuthorizedAppsAuthInfoLike {
26
+ token?: string;
27
+ user?: unknown;
28
+ extra?: unknown;
29
+ }
30
+ /**
31
+ * Extract the authorized-app-id set from a verified `authInfo`.
32
+ *
33
+ * Returns:
34
+ * - a `Set<string>` of authorized app ids when the token carries an
35
+ * `authorized_apps` claim (the runtime enforcement set), or
36
+ * - `undefined` when there is NO such claim — the caller MUST treat this as
37
+ * "allow" so the default (incremental-disabled) behavior is preserved.
38
+ *
39
+ * Resolution order (first hit wins): `extra.user.authorized_apps`
40
+ * → `extra.authorized_apps` → `user.authorized_apps` → decode `token`. All
41
+ * sources are equivalent (they derive from the same verified claims); the
42
+ * fallbacks just make enforcement transport-agnostic.
43
+ *
44
+ * Security: this reads ALREADY-VERIFIED claims. The token decode path uses a
45
+ * no-verify payload decode purely to recover the claim that some transports
46
+ * drop from the projected `authInfo`; signature trust was established upstream
47
+ * in `auth:verify` / `session:verify`.
48
+ */
49
+ export declare function getAuthorizedAppIds(authInfo: AuthorizedAppsAuthInfoLike | undefined): Set<string> | undefined;
50
+ export {};
51
+ //# sourceMappingURL=authorized-apps.utils.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"authorized-apps.utils.d.ts","sourceRoot":"","sources":["../../src/auth/authorized-apps.utils.ts"],"names":[],"mappings":"AAGA;;;;;;;;;;;;;;;GAeG;AAEH;;;;;;;GAOG;AACH,UAAU,0BAA0B;IAClC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,IAAI,CAAC,EAAE,OAAO,CAAC;IACf,KAAK,CAAC,EAAE,OAAO,CAAC;CACjB;AAoBD;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,mBAAmB,CAAC,QAAQ,EAAE,0BAA0B,GAAG,SAAS,GAAG,GAAG,CAAC,MAAM,CAAC,GAAG,SAAS,CAW7G"}
@@ -0,0 +1,26 @@
1
+ import { type ToolCard } from '@frontmcp/auth';
2
+ import { type ScopeEntry } from '../common';
3
+ /**
4
+ * Result of projecting the scope's tools into a consent-ready shape.
5
+ */
6
+ export interface ConsentToolProjection {
7
+ /** Tool cards for the consent screen, with `excludedTools` removed. */
8
+ toolCards: ToolCard[];
9
+ /**
10
+ * The offerable tool ids (effective runtime ids), with `excludedTools`
11
+ * removed. This is what the consent screen offers and what a submitted
12
+ * selection is validated against.
13
+ */
14
+ availableToolIds: string[];
15
+ }
16
+ /**
17
+ * Project the scope's tools into consent cards + available ids, applying the
18
+ * `excludedTools` filter (excluded tools are NEVER offered and NEVER required,
19
+ * because they are always available regardless of consent).
20
+ *
21
+ * Used by BOTH the authorize flow (to seed `pendingAuth.consent.availableToolIds`)
22
+ * and the callback flow (to render the consent screen + validate a submission),
23
+ * so the two surfaces can never drift.
24
+ */
25
+ export declare function projectConsentTools(scope: ScopeEntry, excludedTools?: string[]): ConsentToolProjection;
26
+ //# sourceMappingURL=consent-tools.helper.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"consent-tools.helper.d.ts","sourceRoot":"","sources":["../../src/auth/consent-tools.helper.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,KAAK,QAAQ,EAAE,MAAM,gBAAgB,CAAC;AAE/C,OAAO,EAAE,KAAK,UAAU,EAAE,MAAM,WAAW,CAAC;AAE5C;;GAEG;AACH,MAAM,WAAW,qBAAqB;IACpC,uEAAuE;IACvE,SAAS,EAAE,QAAQ,EAAE,CAAC;IACtB;;;;OAIG;IACH,gBAAgB,EAAE,MAAM,EAAE,CAAC;CAC5B;AAiBD;;;;;;;;GAQG;AACH,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,UAAU,EAAE,aAAa,CAAC,EAAE,MAAM,EAAE,GAAG,qBAAqB,CA+BtG"}
@@ -0,0 +1,62 @@
1
+ /**
2
+ * Shape of the `consent` claim embedded in a FrontMCP-minted access token by
3
+ * {@link LocalPrimaryAuth.signAccessToken}:
4
+ *
5
+ * ```json
6
+ * { "consent": { "enabled": true, "selectedTools": ["app:tool", ...] } }
7
+ * ```
8
+ *
9
+ * Only present when consent mode was enabled for the authorization that minted
10
+ * the token. Its ABSENCE is meaningful: consent disabled ⇒ no enforcement.
11
+ */
12
+ export interface ConsentClaim {
13
+ enabled?: boolean;
14
+ selectedTools?: string[];
15
+ }
16
+ /**
17
+ * Minimal `authInfo` projection this helper reads from. The HTTP request flow
18
+ * nests the verified user under `extra.user` (claims spread in via
19
+ * `deriveTypedUser`, so `consent` is present there); other transports may carry
20
+ * the user at the top level. The verified bearer `token` is the last-resort
21
+ * source — decoding it requires NO re-verification because the token already
22
+ * passed `session:verify` before any tool call runs.
23
+ */
24
+ interface ConsentAuthInfoLike {
25
+ token?: string;
26
+ user?: unknown;
27
+ extra?: unknown;
28
+ }
29
+ /**
30
+ * Extract the consented tool-id set from a verified `authInfo`.
31
+ *
32
+ * Returns:
33
+ * - a `Set<string>` of selected tool ids when the token carries an ENABLED
34
+ * `consent` claim (the runtime enforcement set), or
35
+ * - `undefined` when there is NO consent metadata — the caller MUST treat this
36
+ * as "allow" so the default (consent-disabled) behavior is preserved.
37
+ *
38
+ * Resolution order (first hit wins): `extra.user.consent` → `extra.consent`
39
+ * → `user.consent` → decode `token`. All sources are equivalent (they derive
40
+ * from the same verified claims); the fallbacks just make enforcement
41
+ * transport-agnostic.
42
+ *
43
+ * Security: this reads ALREADY-VERIFIED claims. The token decode path uses a
44
+ * no-verify payload decode purely to recover the `consent` claim that some
45
+ * transports drop from the projected `authInfo`; signature trust was
46
+ * established upstream in `auth:verify` / `session:verify`.
47
+ */
48
+ export declare function getConsentedToolIds(authInfo: ConsentAuthInfoLike | undefined): Set<string> | undefined;
49
+ /**
50
+ * Test whether a tool id is permitted by the consent set returned from
51
+ * {@link getConsentedToolIds}.
52
+ *
53
+ * - `consented === undefined` (no consent metadata) ⇒ always allowed.
54
+ * - otherwise the tool id must be a member of the set.
55
+ *
56
+ * `toolIds` accepts the tool's candidate identifiers (e.g. `fullName` and bare
57
+ * `name`); the tool is allowed if ANY of them was consented, matching the
58
+ * available-tool ids surfaced on the consent screen.
59
+ */
60
+ export declare function isToolConsented(consented: Set<string> | undefined, ...toolIds: Array<string | undefined>): boolean;
61
+ export {};
62
+ //# sourceMappingURL=consent.utils.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"consent.utils.d.ts","sourceRoot":"","sources":["../../src/auth/consent.utils.ts"],"names":[],"mappings":"AAGA;;;;;;;;;;GAUG;AACH,MAAM,WAAW,YAAY;IAC3B,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;CAC1B;AAED;;;;;;;GAOG;AACH,UAAU,mBAAmB;IAC3B,KAAK,CAAC,EAAE,MAAM,CAAC;IAIf,IAAI,CAAC,EAAE,OAAO,CAAC;IACf,KAAK,CAAC,EAAE,OAAO,CAAC;CACjB;AAsBD;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,mBAAmB,CAAC,QAAQ,EAAE,mBAAmB,GAAG,SAAS,GAAG,GAAG,CAAC,MAAM,CAAC,GAAG,SAAS,CAatG;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,eAAe,CAAC,SAAS,EAAE,GAAG,CAAC,MAAM,CAAC,GAAG,SAAS,EAAE,GAAG,OAAO,EAAE,KAAK,CAAC,MAAM,GAAG,SAAS,CAAC,GAAG,OAAO,CAGlH"}
@@ -0,0 +1,63 @@
1
+ /**
2
+ * Credentials Context Extension (Checkpoint 3b)
3
+ *
4
+ * Module augmentation + context-extension configuration that adds
5
+ * `this.credentials` to ExecutionContextBase, mirroring `this.authProviders`
6
+ * and `this.orchestration`.
7
+ *
8
+ * `this.credentials` exposes the per-session, encrypted {@link CredentialsAccessor}
9
+ * so tools can read credentials a local `authenticate()` verifier persisted, and
10
+ * ask the agent to connect a missing credential mid-session via a
11
+ * framework-signed resume URL.
12
+ */
13
+ import { type CredentialsAccessor } from '@frontmcp/auth';
14
+ import type { ContextExtension } from '../../common/metadata/plugin.metadata';
15
+ declare module '../../common/interfaces/execution-context.interface' {
16
+ interface ExecutionContextBase {
17
+ /**
18
+ * Access per-session credentials persisted by a local `authenticate()`
19
+ * verifier (Checkpoint 3b). Only available in `local`/`remote` auth modes.
20
+ *
21
+ * @example
22
+ * ```typescript
23
+ * @Tool({ name: 'call_acme' })
24
+ * class CallAcmeTool extends ToolContext {
25
+ * async execute(input: Input): Promise<Output> {
26
+ * // Read a stored credential for the current session's subject
27
+ * const cred = await this.credentials.get('acme');
28
+ * if (!cred) {
29
+ * // Ask the user to connect it mid-session via a signed resume URL
30
+ * const res = await this.credentials.requireConnect({ key: 'acme' });
31
+ * if (!res.connected) {
32
+ * return { needsConnect: res.resumeUrl };
33
+ * }
34
+ * }
35
+ * // use cred.secret / cred.metadata …
36
+ * }
37
+ * }
38
+ * ```
39
+ */
40
+ readonly credentials: CredentialsAccessor;
41
+ }
42
+ }
43
+ /**
44
+ * Context extension configuration for `this.credentials`. Registers the lazy
45
+ * getter on ExecutionContextBase.prototype; resolves {@link CREDENTIALS_ACCESSOR}
46
+ * from the request scope.
47
+ */
48
+ export declare const credentialsContextExtension: ContextExtension;
49
+ /**
50
+ * Get the {@link CredentialsAccessor} from a context. Throws via the DI layer
51
+ * when not configured (see {@link credentialsContextExtension.errorMessage}).
52
+ */
53
+ export declare function getCredentials(ctx: {
54
+ get: <T>(token: unknown) => T;
55
+ }): CredentialsAccessor;
56
+ /**
57
+ * Try to get the {@link CredentialsAccessor}; returns undefined when not
58
+ * available (graceful degradation).
59
+ */
60
+ export declare function tryGetCredentials(ctx: {
61
+ tryGet: <T>(token: unknown) => T | undefined;
62
+ }): CredentialsAccessor | undefined;
63
+ //# sourceMappingURL=credentials.context-extension.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"credentials.context-extension.d.ts","sourceRoot":"","sources":["../../../src/auth/credentials/credentials.context-extension.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAwB,KAAK,mBAAmB,EAAE,MAAM,gBAAgB,CAAC;AAEhF,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,uCAAuC,CAAC;AAM9E,OAAO,QAAQ,qDAAqD,CAAC;IACnE,UAAU,oBAAoB;QAC5B;;;;;;;;;;;;;;;;;;;;;;WAsBG;QACH,QAAQ,CAAC,WAAW,EAAE,mBAAmB,CAAC;KAC3C;CACF;AAMD;;;;GAIG;AACH,eAAO,MAAM,2BAA2B,EAAE,gBAMzC,CAAC;AAMF;;;GAGG;AACH,wBAAgB,cAAc,CAAC,GAAG,EAAE;IAAE,GAAG,EAAE,CAAC,CAAC,EAAE,KAAK,EAAE,OAAO,KAAK,CAAC,CAAA;CAAE,GAAG,mBAAmB,CAE1F;AAED;;;GAGG;AACH,wBAAgB,iBAAiB,CAAC,GAAG,EAAE;IACrC,MAAM,EAAE,CAAC,CAAC,EAAE,KAAK,EAAE,OAAO,KAAK,CAAC,GAAG,SAAS,CAAC;CAC9C,GAAG,mBAAmB,GAAG,SAAS,CAElC"}
@@ -0,0 +1,40 @@
1
+ /**
2
+ * Credentials DI Providers (Checkpoint 3b)
3
+ *
4
+ * Registers the per-request {@link CredentialsAccessor} (`this.credentials`).
5
+ * The vault itself is a GLOBAL singleton owned by LocalPrimaryAuth; the accessor
6
+ * is CONTEXT-scoped because it must resolve the CURRENT request's authenticated
7
+ * subject (from {@link FrontMcpContext}) before reading the vault.
8
+ */
9
+ import { type SessionCredentialVault } from '@frontmcp/auth';
10
+ import { type Token } from '@frontmcp/di';
11
+ import { type ProviderType } from '../../common';
12
+ import { type FrontMcpContext } from '../../context/frontmcp-context';
13
+ /**
14
+ * GLOBAL DI token for the per-session credential vault singleton. Provided by
15
+ * LocalPrimaryAuth once its storage backend is initialized.
16
+ */
17
+ export declare const SESSION_CREDENTIAL_VAULT: Token<SessionCredentialVault>;
18
+ /**
19
+ * Resolve the authenticated subject for the current request from the verified
20
+ * auth info. The HTTP request flow stores the verified JWT user under
21
+ * `authInfo.extra.user`; the JWT `sub` is the credential-vault key. Anonymous
22
+ * sessions (`sub` empty or `anon:` prefixed) yield undefined so no credentials
23
+ * are exposed.
24
+ */
25
+ export declare function resolveRequestSub(ctx: FrontMcpContext): string | undefined;
26
+ /**
27
+ * Build the DI providers that back `this.credentials`.
28
+ *
29
+ * @param vault - the GLOBAL credential vault singleton.
30
+ * @param signingSecret - server HMAC secret used to sign resume tokens.
31
+ * @param basePath - auth scope base path used to build resume URLs.
32
+ * @param resumeTtlMs - optional resume-token TTL override.
33
+ */
34
+ export declare function createCredentialsProviders(opts: {
35
+ vault: SessionCredentialVault;
36
+ signingSecret: string;
37
+ basePath: string;
38
+ resumeTtlMs?: number;
39
+ }): ProviderType[];
40
+ //# sourceMappingURL=credentials.providers.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"credentials.providers.d.ts","sourceRoot":"","sources":["../../../src/auth/credentials/credentials.providers.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAiD,KAAK,sBAAsB,EAAE,MAAM,gBAAgB,CAAC;AAC5G,OAAO,EAAiB,KAAK,KAAK,EAAE,MAAM,cAAc,CAAC;AAEzD,OAAO,EAAkB,KAAK,YAAY,EAAE,MAAM,cAAc,CAAC;AACjE,OAAO,EAAE,KAAK,eAAe,EAAE,MAAM,gCAAgC,CAAC;AAGtE;;;GAGG;AACH,eAAO,MAAM,wBAAwB,EAEhC,KAAK,CAAC,sBAAsB,CAAC,CAAC;AAEnC;;;;;;GAMG;AACH,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,eAAe,GAAG,MAAM,GAAG,SAAS,CAO1E;AAED;;;;;;;GAOG;AACH,wBAAgB,0BAA0B,CAAC,IAAI,EAAE;IAC/C,KAAK,EAAE,sBAAsB,CAAC;IAC9B,aAAa,EAAE,MAAM,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB,GAAG,YAAY,EAAE,CA6BjB"}
@@ -0,0 +1,3 @@
1
+ export { SESSION_CREDENTIAL_VAULT, createCredentialsProviders, resolveRequestSub } from './credentials.providers';
2
+ export { credentialsContextExtension, getCredentials, tryGetCredentials } from './credentials.context-extension';
3
+ //# sourceMappingURL=index.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/auth/credentials/index.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,wBAAwB,EAAE,0BAA0B,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAGlH,OAAO,EAAE,2BAA2B,EAAE,cAAc,EAAE,iBAAiB,EAAE,MAAM,iCAAiC,CAAC"}
@@ -1 +1 @@
1
- {"version":3,"file":"auth.verify.flow.d.ts","sourceRoot":"","sources":["../../../src/auth/flows/auth.verify.flow.ts"],"names":[],"mappings":"AAEA,OAAO,EAEL,QAAQ,EAQR,KAAK,cAAc,EACpB,MAAM,cAAc,CAAC;AAEtB,OAAO,kBAAkB,CAAC;AAI1B,OAAO,EAiBL,KAAK,aAAa,EAMnB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,CAAC,EAAE,MAAM,oBAAoB,CAAC;AAKvC,QAAA,MAAM,WAAW;;gCAAyB,CAAC;AAG3C,QAAA,MAAM,WAAW;;;;;;;;;;;;;;;;;;;;gCAUf,CAAC;AA2BH,eAAO,MAAM,sBAAsB;;;;;;;;;;;;;;;;;;;;;;;;;;;;kCAAmE,CAAC;AAEvG,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAGtE,QAAA,MAAM,IAAI;;;CAU2B,CAAC;AAGtC,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,WAAW;QACnB,aAAa,EAAE,cAAc,CAC3B,cAAc,EACd,OAAO,IAAI,EACX,OAAO,WAAW,EAClB,OAAO,sBAAsB,EAC7B,OAAO,WAAW,CACnB,CAAC;KACH;CACF;AAED,QAAA,MAAM,IAAI,EAAG,aAAsB,CAAC;AAGpC;;;;;;;;;GASG;AAQH,MAAM,CAAC,OAAO,OAAO,cAAe,SAAQ,QAAQ,CAAC,OAAO,IAAI,CAAC;IAC/D,OAAO,CAAC,MAAM,CAA6C;IAE3D;;OAEG;IAEG,UAAU;IA6BhB;;OAEG;IAEG,iBAAiB;IAcvB;;OAEG;IAIG,gBAAgB;IAqBtB;;;OAGG;IAQG,uBAAuB;IAsB7B;;OAEG;IAWG,0BAA0B;IAShC;;OAEG;IAIG,WAAW;IAwGjB;;OAEG;IAEG,kBAAkB;IA8FxB;;OAEG;IACH,OAAO,CAAC,QAAQ;IA0BhB;;OAEG;IACH,OAAO,CAAC,WAAW;CAMpB"}
1
+ {"version":3,"file":"auth.verify.flow.d.ts","sourceRoot":"","sources":["../../../src/auth/flows/auth.verify.flow.ts"],"names":[],"mappings":"AAEA,OAAO,EAEL,QAAQ,EAQR,KAAK,cAAc,EACpB,MAAM,cAAc,CAAC;AAEtB,OAAO,kBAAkB,CAAC;AAI1B,OAAO,EAiBL,KAAK,aAAa,EAMnB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,CAAC,EAAE,MAAM,oBAAoB,CAAC;AAKvC,QAAA,MAAM,WAAW;;gCAAyB,CAAC;AAG3C,QAAA,MAAM,WAAW;;;;;;;;;;;;;;;;;;;;gCAUf,CAAC;AA2BH,eAAO,MAAM,sBAAsB;;;;;;;;;;;;;;;;;;;;;;;;;;;;kCAAmE,CAAC;AAEvG,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAGtE,QAAA,MAAM,IAAI;;;CAU2B,CAAC;AAGtC,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,WAAW;QACnB,aAAa,EAAE,cAAc,CAC3B,cAAc,EACd,OAAO,IAAI,EACX,OAAO,WAAW,EAClB,OAAO,sBAAsB,EAC7B,OAAO,WAAW,CACnB,CAAC;KACH;CACF;AAED,QAAA,MAAM,IAAI,EAAG,aAAsB,CAAC;AAGpC;;;;;;;;;GASG;AAQH,MAAM,CAAC,OAAO,OAAO,cAAe,SAAQ,QAAQ,CAAC,OAAO,IAAI,CAAC;IAC/D,OAAO,CAAC,MAAM,CAA6C;IAE3D;;OAEG;IAEG,UAAU;IA6BhB;;OAEG;IAEG,iBAAiB;IAcvB;;OAEG;IAIG,gBAAgB;IAqBtB;;;OAGG;IAQG,uBAAuB;IAsB7B;;OAEG;IAWG,0BAA0B;IAShC;;OAEG;IAIG,WAAW;IAoHjB;;OAEG;IAEG,kBAAkB;IA8FxB;;OAEG;IACH,OAAO,CAAC,QAAQ;IA0BhB;;OAEG;IACH,OAAO,CAAC,WAAW;CAMpB"}