@frontmcp/sdk 1.3.0 → 1.4.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +65 -60
- package/agent/agent.scope.d.ts +164 -0
- package/agent/agent.scope.d.ts.map +1 -1
- package/app/instances/app.esm.instance.d.ts.map +1 -1
- package/app/instances/app.remote.instance.d.ts.map +1 -1
- package/auth/auth-ui/auth-ui.contract.d.ts +149 -0
- package/auth/auth-ui/auth-ui.contract.d.ts.map +1 -0
- package/auth/auth-ui/auth-ui.registry.d.ts +151 -0
- package/auth/auth-ui/auth-ui.registry.d.ts.map +1 -0
- package/auth/auth-ui/auth-ui.render.d.ts +49 -0
- package/auth/auth-ui/auth-ui.render.d.ts.map +1 -0
- package/auth/auth-ui/auth-ui.state.d.ts +62 -0
- package/auth/auth-ui/auth-ui.state.d.ts.map +1 -0
- package/auth/auth-ui/index.d.ts +24 -0
- package/auth/auth-ui/index.d.ts.map +1 -0
- package/auth/auth.registry.d.ts.map +1 -1
- package/auth/authorized-apps.utils.d.ts +51 -0
- package/auth/authorized-apps.utils.d.ts.map +1 -0
- package/auth/consent-tools.helper.d.ts +26 -0
- package/auth/consent-tools.helper.d.ts.map +1 -0
- package/auth/consent.utils.d.ts +62 -0
- package/auth/consent.utils.d.ts.map +1 -0
- package/auth/credentials/credentials.context-extension.d.ts +63 -0
- package/auth/credentials/credentials.context-extension.d.ts.map +1 -0
- package/auth/credentials/credentials.providers.d.ts +40 -0
- package/auth/credentials/credentials.providers.d.ts.map +1 -0
- package/auth/credentials/index.d.ts +3 -0
- package/auth/credentials/index.d.ts.map +1 -0
- package/auth/flows/auth.verify.flow.d.ts.map +1 -1
- package/auth/flows/oauth.auth-ui.flow.d.ts +53 -0
- package/auth/flows/oauth.auth-ui.flow.d.ts.map +1 -0
- package/auth/flows/oauth.authorize.flow.d.ts +51 -9
- package/auth/flows/oauth.authorize.flow.d.ts.map +1 -1
- package/auth/flows/oauth.callback.flow.d.ts +118 -5
- package/auth/flows/oauth.callback.flow.d.ts.map +1 -1
- package/auth/flows/oauth.connect.flow.d.ts +89 -0
- package/auth/flows/oauth.connect.flow.d.ts.map +1 -0
- package/auth/flows/oauth.provider-callback.flow.d.ts +34 -4
- package/auth/flows/oauth.provider-callback.flow.d.ts.map +1 -1
- package/auth/flows/oauth.register.flow.d.ts +16 -20
- package/auth/flows/oauth.register.flow.d.ts.map +1 -1
- package/auth/flows/oauth.token.flow.d.ts +2 -2
- package/auth/flows/oauth.token.flow.d.ts.map +1 -1
- package/auth/flows/oauth.userinfo.flow.d.ts +67 -0
- package/auth/flows/oauth.userinfo.flow.d.ts.map +1 -0
- package/auth/flows/session.verify.flow.d.ts +2 -2
- package/auth/flows/session.verify.flow.d.ts.map +1 -1
- package/auth/flows/well-known.jwks.flow.d.ts +3 -3
- package/auth/flows/well-known.oauth-authorization-server.flow.d.ts +3 -2
- package/auth/flows/well-known.oauth-authorization-server.flow.d.ts.map +1 -1
- package/auth/flows/well-known.prm.flow.d.ts +1 -1
- package/auth/flows/well-known.prm.flow.d.ts.map +1 -1
- package/auth/instances/instance.local-primary-auth.d.ts +226 -12
- package/auth/instances/instance.local-primary-auth.d.ts.map +1 -1
- package/auth/secure-store/index.d.ts +3 -0
- package/auth/secure-store/index.d.ts.map +1 -0
- package/auth/secure-store/secure-store.context-extension.d.ts +61 -0
- package/auth/secure-store/secure-store.context-extension.d.ts.map +1 -0
- package/auth/secure-store/secure-store.providers.d.ts +36 -0
- package/auth/secure-store/secure-store.providers.d.ts.map +1 -0
- package/common/decorators/agent.decorator.d.ts +32 -0
- package/common/decorators/agent.decorator.d.ts.map +1 -1
- package/common/decorators/app.decorator.d.ts.map +1 -1
- package/common/decorators/front-mcp.decorator.d.ts.map +1 -1
- package/common/decorators/skill.decorator.d.ts.map +1 -1
- package/common/decorators/tool.decorator.d.ts +44 -0
- package/common/decorators/tool.decorator.d.ts.map +1 -1
- package/common/entries/scope.entry.d.ts +7 -0
- package/common/entries/scope.entry.d.ts.map +1 -1
- package/common/entries/skill.entry.d.ts +22 -1
- package/common/entries/skill.entry.d.ts.map +1 -1
- package/common/entries/tool.entry.d.ts +17 -0
- package/common/entries/tool.entry.d.ts.map +1 -1
- package/common/interfaces/internal/primary-auth-provider.interface.d.ts +18 -0
- package/common/interfaces/internal/primary-auth-provider.interface.d.ts.map +1 -1
- package/common/interfaces/tool.interface.d.ts +26 -0
- package/common/interfaces/tool.interface.d.ts.map +1 -1
- package/common/metadata/app.metadata.d.ts +472 -0
- package/common/metadata/app.metadata.d.ts.map +1 -1
- package/common/metadata/front-mcp.metadata.d.ts +1773 -52
- package/common/metadata/front-mcp.metadata.d.ts.map +1 -1
- package/common/metadata/index.d.ts +1 -0
- package/common/metadata/index.d.ts.map +1 -1
- package/common/metadata/output-policy.d.ts +82 -0
- package/common/metadata/output-policy.d.ts.map +1 -0
- package/common/metadata/skill.metadata.d.ts +45 -1
- package/common/metadata/skill.metadata.d.ts.map +1 -1
- package/common/metadata/tool-ui.metadata.d.ts +1 -1
- package/common/metadata/tool-ui.metadata.d.ts.map +1 -1
- package/common/metadata/tool.metadata.d.ts +65 -0
- package/common/metadata/tool.metadata.d.ts.map +1 -1
- package/common/schemas/http-output.schema.d.ts +25 -25
- package/common/schemas/http-output.schema.d.ts.map +1 -1
- package/common/tokens/app.tokens.d.ts.map +1 -1
- package/common/tokens/front-mcp.tokens.d.ts.map +1 -1
- package/common/tokens/skill.tokens.d.ts +2 -0
- package/common/tokens/skill.tokens.d.ts.map +1 -1
- package/common/tokens/tool.tokens.d.ts +1 -0
- package/common/tokens/tool.tokens.d.ts.map +1 -1
- package/common/types/auth/session.types.d.ts +2 -2
- package/common/types/options/auth/index.d.ts +4 -4
- package/common/types/options/auth/index.d.ts.map +1 -1
- package/common/types/options/auth/interfaces.d.ts +1 -1
- package/common/types/options/auth/interfaces.d.ts.map +1 -1
- package/common/types/options/auth/orchestrated.schema.d.ts +1 -1
- package/common/types/options/auth/orchestrated.schema.d.ts.map +1 -1
- package/common/types/options/auth/shared.schemas.d.ts +2 -2
- package/common/types/options/auth/shared.schemas.d.ts.map +1 -1
- package/common/types/options/http/index.d.ts +1 -1
- package/common/types/options/http/index.d.ts.map +1 -1
- package/common/types/options/http/interfaces.d.ts +56 -1
- package/common/types/options/http/interfaces.d.ts.map +1 -1
- package/common/types/options/http/schema.d.ts +15 -0
- package/common/types/options/http/schema.d.ts.map +1 -1
- package/common/types/options/session/schema.d.ts +3 -3
- package/common/types/options/transport/schema.d.ts +1 -1
- package/common/utils/caller-dir.utils.d.ts +15 -0
- package/common/utils/caller-dir.utils.d.ts.map +1 -0
- package/common/utils/index.d.ts +1 -0
- package/common/utils/index.d.ts.map +1 -1
- package/errors/index.d.ts +3 -1
- package/errors/index.d.ts.map +1 -1
- package/errors/mcp.error.d.ts +36 -2
- package/errors/mcp.error.d.ts.map +1 -1
- package/errors/tool-credentials-required.error.d.ts +70 -0
- package/errors/tool-credentials-required.error.d.ts.map +1 -0
- package/esm/index.mjs +6553 -2688
- package/flows/flow.instance.d.ts.map +1 -1
- package/front-mcp/front-mcp.d.ts +52 -32
- package/front-mcp/front-mcp.d.ts.map +1 -1
- package/front-mcp/front-mcp.providers.d.ts +700 -8
- package/front-mcp/front-mcp.providers.d.ts.map +1 -1
- package/index.d.ts +29 -4
- package/index.d.ts.map +1 -1
- package/index.js +7138 -3307
- package/package.json +28 -29
- package/scope/flows/http.request.flow.d.ts +18 -1
- package/scope/flows/http.request.flow.d.ts.map +1 -1
- package/scope/optional-dependency.util.d.ts +39 -0
- package/scope/optional-dependency.util.d.ts.map +1 -0
- package/scope/scope.instance.d.ts +17 -0
- package/scope/scope.instance.d.ts.map +1 -1
- package/scope/scope.utils.d.ts.map +1 -1
- package/server/adapters/express.host.adapter.d.ts.map +1 -1
- package/server/custom-routes.helper.d.ts +81 -0
- package/server/custom-routes.helper.d.ts.map +1 -0
- package/skill/flows/http/llm-full-txt.flow.d.ts +1 -1
- package/skill/flows/http/llm-txt.flow.d.ts +1 -1
- package/skill/flows/http/skills-api.flow.d.ts +18 -1
- package/skill/flows/http/skills-api.flow.d.ts.map +1 -1
- package/skill/flows/load-skill.flow.d.ts +7 -0
- package/skill/flows/load-skill.flow.d.ts.map +1 -1
- package/skill/flows/search-skills.flow.d.ts +13 -0
- package/skill/flows/search-skills.flow.d.ts.map +1 -1
- package/skill/index.d.ts +1 -0
- package/skill/index.d.ts.map +1 -1
- package/skill/sep-2640/resources/skill-file.resource.d.ts.map +1 -1
- package/skill/sep-2640/resources/skill-index.resource.d.ts.map +1 -1
- package/skill/sep-2640/resources/skill-md.resource.d.ts.map +1 -1
- package/skill/sep-2640/sep-2640.per-skill.d.ts.map +1 -1
- package/skill/skill-authorities.helper.d.ts +100 -0
- package/skill/skill-authorities.helper.d.ts.map +1 -0
- package/skill/skill.instance.d.ts.map +1 -1
- package/skill/skill.registry.d.ts +34 -0
- package/skill/skill.registry.d.ts.map +1 -1
- package/task/helpers/cli-task-runner.d.ts.map +1 -1
- package/tool/flows/call-tool.flow.d.ts +26 -1
- package/tool/flows/call-tool.flow.d.ts.map +1 -1
- package/tool/flows/tool-credentials.gate.d.ts +31 -0
- package/tool/flows/tool-credentials.gate.d.ts.map +1 -0
- package/tool/flows/tools-list.flow.d.ts.map +1 -1
- package/tool/tool.instance.d.ts.map +1 -1
- package/tool/ui/index.d.ts +1 -1
- package/tool/ui/index.d.ts.map +1 -1
- package/tool/ui/ui-resource.handler.d.ts.map +1 -1
- package/tool/ui/ui-shared.d.ts +33 -1
- package/tool/ui/ui-shared.d.ts.map +1 -1
- package/transport/adapters/transport.local.adapter.d.ts.map +1 -1
- package/transport/flows/handle.sse.flow.d.ts +1 -1
- package/transport/flows/handle.streamable-http.flow.d.ts +58 -1
- package/transport/flows/handle.streamable-http.flow.d.ts.map +1 -1
- package/transport/mcp-handlers/call-tool-request.handler.d.ts.map +1 -1
- package/transport/mcp-handlers/read-resource-request.handler.d.ts.map +1 -1
- package/transport/mcp-handlers/skills-list-request.handler.d.ts.map +1 -1
- package/transport/mcp-handlers/skills-load-request.handler.d.ts.map +1 -1
- package/transport/mcp-handlers/skills-search-request.handler.d.ts.map +1 -1
|
@@ -51,9 +51,9 @@ declare const stateSchema: import("@frontmcp/lazy-zod").ZodObject<{
|
|
|
51
51
|
client_id: import("@frontmcp/lazy-zod").ZodString;
|
|
52
52
|
}, import("zod/v4/core").$strip>], "grant_type">>;
|
|
53
53
|
grantType: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodEnum<{
|
|
54
|
-
anonymous: "anonymous";
|
|
55
54
|
authorization_code: "authorization_code";
|
|
56
55
|
refresh_token: "refresh_token";
|
|
56
|
+
anonymous: "anonymous";
|
|
57
57
|
}>>;
|
|
58
58
|
isDefaultAuthProvider: import("@frontmcp/lazy-zod").ZodBoolean;
|
|
59
59
|
isOrchestrated: import("@frontmcp/lazy-zod").ZodBoolean;
|
|
@@ -82,8 +82,8 @@ declare const outputSchema: import("@frontmcp/lazy-zod").ZodObject<{
|
|
|
82
82
|
secure: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodBoolean>;
|
|
83
83
|
sameSite: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodEnum<{
|
|
84
84
|
strict: "strict";
|
|
85
|
-
lax: "lax";
|
|
86
85
|
none: "none";
|
|
86
|
+
lax: "lax";
|
|
87
87
|
}>>;
|
|
88
88
|
maxAge: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodNumber>;
|
|
89
89
|
expires: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodDate>;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"oauth.token.flow.d.ts","sourceRoot":"","sources":["../../../src/auth/flows/oauth.token.flow.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AACH;;;;;;;;GAQG;AACH;;;;;;;;;;;GAWG;AAgCH,OAAO,EAGL,QAAQ,EAOR,KAAK,cAAc,
|
|
1
|
+
{"version":3,"file":"oauth.token.flow.d.ts","sourceRoot":"","sources":["../../../src/auth/flows/oauth.token.flow.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AACH;;;;;;;;GAQG;AACH;;;;;;;;;;;GAWG;AAgCH,OAAO,EAGL,QAAQ,EAOR,KAAK,cAAc,EAEpB,MAAM,cAAc,CAAC;AAGtB,QAAA,MAAM,WAAW;;;;gCAAkB,CAAC;AAgGpC,QAAA,MAAM,WAAW;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;gCAkBf,CAAC;AAEH,QAAA,MAAM,YAAY;;;;;;;;;;;;;;;;;;;;;gCAAiB,CAAC;AAEpC,QAAA,MAAM,IAAI;;;;CAI2B,CAAC;AAEtC,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,WAAW;QACnB,aAAa,EAAE,cAAc,CAC3B,cAAc,EACd,OAAO,IAAI,EACX,OAAO,WAAW,EAClB,OAAO,YAAY,EACnB,OAAO,WAAW,CACnB,CAAC;KACH;CACF;AAED,QAAA,MAAM,IAAI,EAAG,aAAsB,CAAC;AAcpC,MAAM,CAAC,OAAO,OAAO,cAAe,SAAQ,QAAQ,CAAC,OAAO,IAAI,CAAC;IAC/D,OAAO,CAAC,MAAM,CAA6C;IAGrD,UAAU;IAyCV,aAAa;IAmBb,4BAA4B;IAiD5B,uBAAuB;IAiDvB,oBAAoB;IAkCpB,kBAAkB;IAqBlB,cAAc;CAGrB"}
|
|
@@ -0,0 +1,67 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* UserInfo Endpoint — GET /oauth/userinfo
|
|
3
|
+
*
|
|
4
|
+
* Who calls: a client holding a FrontMCP-issued access token.
|
|
5
|
+
*
|
|
6
|
+
* When: after obtaining an access token via /oauth/token, to resolve the
|
|
7
|
+
* authenticated user's claims (OIDC userinfo-style).
|
|
8
|
+
*
|
|
9
|
+
* Purpose: verify the Bearer token's HS256 signature + lifetime via the
|
|
10
|
+
* auth instance's {@link LocalPrimaryAuth.verifyGatewayToken} and return the
|
|
11
|
+
* user claims (`sub`, plus `email`/`name`/`picture` when present) as JSON.
|
|
12
|
+
* Returns 401 when the Authorization header is missing or the token fails
|
|
13
|
+
* verification.
|
|
14
|
+
*
|
|
15
|
+
* This endpoint backs the `userinfo_endpoint` advertised by the
|
|
16
|
+
* oauth-authorization-server discovery document in orchestrated/local mode.
|
|
17
|
+
*/
|
|
18
|
+
import 'reflect-metadata';
|
|
19
|
+
import { FlowBase, type FlowRunOptions } from '../../common';
|
|
20
|
+
declare const inputSchema: import("@frontmcp/lazy-zod").ZodObject<{
|
|
21
|
+
request: import("@frontmcp/lazy-zod").ZodObject<{}, import("zod/v4/core").$loose>;
|
|
22
|
+
response: import("@frontmcp/lazy-zod").ZodObject<{}, import("zod/v4/core").$loose>;
|
|
23
|
+
next: import("@frontmcp/lazy-zod").ZodOptional<import("zod").ZodFunction<import("zod/v4/core").$ZodFunctionArgs, import("zod/v4/core").$ZodFunctionOut>>;
|
|
24
|
+
}, import("zod/v4/core").$strip>;
|
|
25
|
+
declare const stateSchema: import("@frontmcp/lazy-zod").ZodObject<{
|
|
26
|
+
token: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodString>;
|
|
27
|
+
baseUrl: import("@frontmcp/lazy-zod").ZodString;
|
|
28
|
+
}, import("zod/v4/core").$strip>;
|
|
29
|
+
declare const outputSchema: import("@frontmcp/lazy-zod").ZodObject<{
|
|
30
|
+
kind: import("@frontmcp/lazy-zod").ZodLiteral<"json">;
|
|
31
|
+
status: import("@frontmcp/lazy-zod").ZodNumber;
|
|
32
|
+
body: import("@frontmcp/lazy-zod").ZodUnion<readonly [import("@frontmcp/lazy-zod").ZodObject<{}, import("zod/v4/core").$loose>, import("@frontmcp/lazy-zod").ZodArray<import("@frontmcp/lazy-zod").ZodAny>, import("@frontmcp/lazy-zod").ZodRecord<import("@frontmcp/lazy-zod").ZodString, import("@frontmcp/lazy-zod").ZodAny>]>;
|
|
33
|
+
contentType: import("@frontmcp/lazy-zod").ZodDefault<import("@frontmcp/lazy-zod").ZodString>;
|
|
34
|
+
headers: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodDefault<import("@frontmcp/lazy-zod").ZodRecord<import("@frontmcp/lazy-zod").ZodString, import("@frontmcp/lazy-zod").ZodUnion<readonly [import("@frontmcp/lazy-zod").ZodString, import("@frontmcp/lazy-zod").ZodUnion<readonly [import("@frontmcp/lazy-zod").ZodString, import("@frontmcp/lazy-zod").ZodArray<import("@frontmcp/lazy-zod").ZodString>]>]>>>>;
|
|
35
|
+
cookies: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodDefault<import("@frontmcp/lazy-zod").ZodArray<import("@frontmcp/lazy-zod").ZodObject<{
|
|
36
|
+
name: import("@frontmcp/lazy-zod").ZodString;
|
|
37
|
+
value: import("@frontmcp/lazy-zod").ZodString;
|
|
38
|
+
path: import("@frontmcp/lazy-zod").ZodDefault<import("@frontmcp/lazy-zod").ZodString>;
|
|
39
|
+
domain: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodString>;
|
|
40
|
+
httpOnly: import("@frontmcp/lazy-zod").ZodDefault<import("@frontmcp/lazy-zod").ZodBoolean>;
|
|
41
|
+
secure: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodBoolean>;
|
|
42
|
+
sameSite: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodEnum<{
|
|
43
|
+
strict: "strict";
|
|
44
|
+
none: "none";
|
|
45
|
+
lax: "lax";
|
|
46
|
+
}>>;
|
|
47
|
+
maxAge: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodNumber>;
|
|
48
|
+
expires: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodDate>;
|
|
49
|
+
}, import("zod/v4/core").$strip>>>>;
|
|
50
|
+
}, import("zod/v4/core").$strip>;
|
|
51
|
+
declare const plan: {
|
|
52
|
+
readonly pre: ["parseInput"];
|
|
53
|
+
readonly execute: ["verifyAndRespond"];
|
|
54
|
+
};
|
|
55
|
+
declare global {
|
|
56
|
+
interface ExtendFlows {
|
|
57
|
+
'oauth:userinfo': FlowRunOptions<OauthUserInfoFlow, typeof plan, typeof inputSchema, typeof outputSchema, typeof stateSchema>;
|
|
58
|
+
}
|
|
59
|
+
}
|
|
60
|
+
declare const name: "oauth:userinfo";
|
|
61
|
+
export default class OauthUserInfoFlow extends FlowBase<typeof name> {
|
|
62
|
+
private logger;
|
|
63
|
+
parseInput(): Promise<void>;
|
|
64
|
+
verifyAndRespond(): Promise<void>;
|
|
65
|
+
}
|
|
66
|
+
export {};
|
|
67
|
+
//# sourceMappingURL=oauth.userinfo.flow.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"oauth.userinfo.flow.d.ts","sourceRoot":"","sources":["../../../src/auth/flows/oauth.userinfo.flow.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AACH,OAAO,kBAAkB,CAAC;AAK1B,OAAO,EAEL,QAAQ,EAOR,KAAK,cAAc,EACpB,MAAM,cAAc,CAAC;AAGtB,QAAA,MAAM,WAAW;;;;gCAAkB,CAAC;AAEpC,QAAA,MAAM,WAAW;;;gCAGf,CAAC;AAEH,QAAA,MAAM,YAAY;;;;;;;;;;;;;;;;;;;;;gCAAiB,CAAC;AAEpC,QAAA,MAAM,IAAI;;;CAG2B,CAAC;AAEtC,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,WAAW;QACnB,gBAAgB,EAAE,cAAc,CAC9B,iBAAiB,EACjB,OAAO,IAAI,EACX,OAAO,WAAW,EAClB,OAAO,YAAY,EACnB,OAAO,WAAW,CACnB,CAAC;KACH;CACF;AAED,QAAA,MAAM,IAAI,EAAG,gBAAyB,CAAC;AAcvC,MAAM,CAAC,OAAO,OAAO,iBAAkB,SAAQ,QAAQ,CAAC,OAAO,IAAI,CAAC;IAClE,OAAO,CAAC,MAAM,CAAgD;IAGxD,UAAU;IASV,gBAAgB;CAuDvB"}
|
|
@@ -44,11 +44,11 @@ declare const stateSchema: import("@frontmcp/lazy-zod").ZodObject<{
|
|
|
44
44
|
isPublic: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodBoolean>;
|
|
45
45
|
platformType: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodEnum<{
|
|
46
46
|
unknown: "unknown";
|
|
47
|
+
continue: "continue";
|
|
47
48
|
openai: "openai";
|
|
48
49
|
claude: "claude";
|
|
49
50
|
gemini: "gemini";
|
|
50
51
|
cursor: "cursor";
|
|
51
|
-
continue: "continue";
|
|
52
52
|
cody: "cody";
|
|
53
53
|
"generic-mcp": "generic-mcp";
|
|
54
54
|
"ext-apps": "ext-apps";
|
|
@@ -84,11 +84,11 @@ export declare const sessionVerifyOutputSchema: import("@frontmcp/lazy-zod").Zod
|
|
|
84
84
|
isPublic: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodBoolean>;
|
|
85
85
|
platformType: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodEnum<{
|
|
86
86
|
unknown: "unknown";
|
|
87
|
+
continue: "continue";
|
|
87
88
|
openai: "openai";
|
|
88
89
|
claude: "claude";
|
|
89
90
|
gemini: "gemini";
|
|
90
91
|
cursor: "cursor";
|
|
91
|
-
continue: "continue";
|
|
92
92
|
cody: "cody";
|
|
93
93
|
"generic-mcp": "generic-mcp";
|
|
94
94
|
"ext-apps": "ext-apps";
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"session.verify.flow.d.ts","sourceRoot":"","sources":["../../../src/auth/flows/session.verify.flow.ts"],"names":[],"mappings":"AACA,OAAO,EAGL,QAAQ,EAWR,KAAK,cAAc,EAEpB,MAAM,cAAc,CAAC;AAEtB,OAAO,kBAAkB,CAAC;AAoB1B,QAAA,MAAM,WAAW;;gCAAyB,CAAC;AAE3C,QAAA,MAAM,WAAW;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;gCAaf,CAAC;AAuBH,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kCAAmE,CAAC;AAE1G,QAAA,MAAM,IAAI;;;CAG2B,CAAC;AAEtC,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,WAAW;QACnB,gBAAgB,EAAE,cAAc,CAC9B,iBAAiB,EACjB,OAAO,IAAI,EACX,OAAO,WAAW,EAClB,OAAO,yBAAyB,EAChC,OAAO,WAAW,CACnB,CAAC;KACH;CACF;AAED,QAAA,MAAM,IAAI,EAAG,gBAAyB,CAAC;AAyBvC,MAAM,CAAC,OAAO,OAAO,iBAAkB,SAAQ,QAAQ,CAAC,OAAO,IAAI,CAAC;IAClE,MAAM,wCAA+C;IAErD,OAAO,CAAC,OAAO;IAMf;;;OAGG;IACH,OAAO,CAAC,sBAAsB;IAoExB,UAAU;IAiDhB;;;;;;;OAOG;IAEG,gBAAgB;IAwBtB;;;OAGG;IAUG,uBAAuB;IA4BvB,+BAA+B;IAQrC;;;;;;;OAOG;IAEG,WAAW;
|
|
1
|
+
{"version":3,"file":"session.verify.flow.d.ts","sourceRoot":"","sources":["../../../src/auth/flows/session.verify.flow.ts"],"names":[],"mappings":"AACA,OAAO,EAGL,QAAQ,EAWR,KAAK,cAAc,EAEpB,MAAM,cAAc,CAAC;AAEtB,OAAO,kBAAkB,CAAC;AAoB1B,QAAA,MAAM,WAAW;;gCAAyB,CAAC;AAE3C,QAAA,MAAM,WAAW;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;gCAaf,CAAC;AAuBH,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kCAAmE,CAAC;AAE1G,QAAA,MAAM,IAAI;;;CAG2B,CAAC;AAEtC,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,WAAW;QACnB,gBAAgB,EAAE,cAAc,CAC9B,iBAAiB,EACjB,OAAO,IAAI,EACX,OAAO,WAAW,EAClB,OAAO,yBAAyB,EAChC,OAAO,WAAW,CACnB,CAAC;KACH;CACF;AAED,QAAA,MAAM,IAAI,EAAG,gBAAyB,CAAC;AAyBvC,MAAM,CAAC,OAAO,OAAO,iBAAkB,SAAQ,QAAQ,CAAC,OAAO,IAAI,CAAC;IAClE,MAAM,wCAA+C;IAErD,OAAO,CAAC,OAAO;IAMf;;;OAGG;IACH,OAAO,CAAC,sBAAsB;IAoExB,UAAU;IAiDhB;;;;;;;OAOG;IAEG,gBAAgB;IAwBtB;;;OAGG;IAUG,uBAAuB;IA4BvB,+BAA+B;IAQrC;;;;;;;OAOG;IAEG,WAAW;IA4GX,UAAU;IAIhB;;;;;OAKG;IAEG,kBAAkB;IAclB,qBAAqB;CAoB5B"}
|
|
@@ -24,8 +24,8 @@ declare const outputSchema: import("@frontmcp/lazy-zod").ZodUnion<readonly [impo
|
|
|
24
24
|
secure: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodBoolean>;
|
|
25
25
|
sameSite: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodEnum<{
|
|
26
26
|
strict: "strict";
|
|
27
|
-
lax: "lax";
|
|
28
27
|
none: "none";
|
|
28
|
+
lax: "lax";
|
|
29
29
|
}>>;
|
|
30
30
|
maxAge: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodNumber>;
|
|
31
31
|
expires: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodDate>;
|
|
@@ -45,8 +45,8 @@ declare const outputSchema: import("@frontmcp/lazy-zod").ZodUnion<readonly [impo
|
|
|
45
45
|
secure: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodBoolean>;
|
|
46
46
|
sameSite: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodEnum<{
|
|
47
47
|
strict: "strict";
|
|
48
|
-
lax: "lax";
|
|
49
48
|
none: "none";
|
|
49
|
+
lax: "lax";
|
|
50
50
|
}>>;
|
|
51
51
|
maxAge: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodNumber>;
|
|
52
52
|
expires: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodDate>;
|
|
@@ -65,8 +65,8 @@ declare const outputSchema: import("@frontmcp/lazy-zod").ZodUnion<readonly [impo
|
|
|
65
65
|
secure: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodBoolean>;
|
|
66
66
|
sameSite: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodEnum<{
|
|
67
67
|
strict: "strict";
|
|
68
|
-
lax: "lax";
|
|
69
68
|
none: "none";
|
|
69
|
+
lax: "lax";
|
|
70
70
|
}>>;
|
|
71
71
|
maxAge: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodNumber>;
|
|
72
72
|
expires: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodDate>;
|
|
@@ -48,8 +48,8 @@ export declare const outputSchema: import("@frontmcp/lazy-zod").ZodUnion<readonl
|
|
|
48
48
|
secure: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodBoolean>;
|
|
49
49
|
sameSite: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodEnum<{
|
|
50
50
|
strict: "strict";
|
|
51
|
-
lax: "lax";
|
|
52
51
|
none: "none";
|
|
52
|
+
lax: "lax";
|
|
53
53
|
}>>;
|
|
54
54
|
maxAge: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodNumber>;
|
|
55
55
|
expires: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodDate>;
|
|
@@ -69,8 +69,8 @@ export declare const outputSchema: import("@frontmcp/lazy-zod").ZodUnion<readonl
|
|
|
69
69
|
secure: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodBoolean>;
|
|
70
70
|
sameSite: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodEnum<{
|
|
71
71
|
strict: "strict";
|
|
72
|
-
lax: "lax";
|
|
73
72
|
none: "none";
|
|
73
|
+
lax: "lax";
|
|
74
74
|
}>>;
|
|
75
75
|
maxAge: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodNumber>;
|
|
76
76
|
expires: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodDate>;
|
|
@@ -78,6 +78,7 @@ export declare const outputSchema: import("@frontmcp/lazy-zod").ZodUnion<readonl
|
|
|
78
78
|
}, import("zod/v4/core").$strip>]>;
|
|
79
79
|
export declare const wellKnownAsStateSchema: import("@frontmcp/lazy-zod").ZodObject<{
|
|
80
80
|
baseUrl: import("@frontmcp/lazy-zod").ZodString;
|
|
81
|
+
oauthBaseUrl: import("@frontmcp/lazy-zod").ZodString;
|
|
81
82
|
scopesSupported: import("@frontmcp/lazy-zod").ZodDefault<import("@frontmcp/lazy-zod").ZodArray<import("@frontmcp/lazy-zod").ZodString>>;
|
|
82
83
|
tokenEndpointAuthMethods: import("@frontmcp/lazy-zod").ZodDefault<import("@frontmcp/lazy-zod").ZodArray<import("@frontmcp/lazy-zod").ZodEnum<{
|
|
83
84
|
client_secret_basic: "client_secret_basic";
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"well-known.oauth-authorization-server.flow.d.ts","sourceRoot":"","sources":["../../../src/auth/flows/well-known.oauth-authorization-server.flow.ts"],"names":[],"mappings":"AACA,OAAO,kBAAkB,CAAC;AAE1B,OAAO,EAAE,CAAC,EAAE,MAAM,oBAAoB,CAAC;
|
|
1
|
+
{"version":3,"file":"well-known.oauth-authorization-server.flow.d.ts","sourceRoot":"","sources":["../../../src/auth/flows/well-known.oauth-authorization-server.flow.ts"],"names":[],"mappings":"AACA,OAAO,kBAAkB,CAAC;AAE1B,OAAO,EAAE,CAAC,EAAE,MAAM,oBAAoB,CAAC;AAGvC,OAAO,EAEL,QAAQ,EAWR,KAAK,cAAc,EACnB,KAAK,UAAU,EACf,KAAK,aAAa,EACnB,MAAM,cAAc,CAAC;AAoBtB,QAAA,MAAM,WAAW;;;;gCAAkB,CAAC;AA4BpC,eAAO,MAAM,YAAY;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kCAA0E,CAAC;AAEpG,eAAO,MAAM,sBAAsB;;;;;;;;;;;;gCAgBjC,CAAC;AAEH,QAAA,MAAM,eAAe;;;CAGgB,CAAC;AAEtC,KAAK,eAAe,GAAG,OAAO,eAAe,CAAC;AAC9C,KAAK,sBAAsB,GAAG,cAAc,CAC1C,eAAe,EACf,eAAe,EACf,OAAO,WAAW,EAClB,OAAO,YAAY,EACnB,OAAO,sBAAsB,CAC9B,CAAC;AAEF,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,WAAW;QACnB,uCAAuC,EAAE,sBAAsB,CAAC;KACjE;CACF;AAED,QAAA,MAAM,IAAI,EAAG,uCAAgD,CAAC;AAa9D,MAAM,CAAC,OAAO,OAAO,eAAgB,SAAQ,QAAQ,CAAC,OAAO,IAAI,CAAC;IAChE,MAAM,CAAC,WAAW,CAAC,OAAO,EAAE,aAAa,EAAE,KAAK,EAAE,UAAU;IAKtD,UAAU;IA+BV,WAAW;CA4ClB"}
|
|
@@ -25,8 +25,8 @@ declare const outputSchema: import("@frontmcp/lazy-zod").ZodObject<{
|
|
|
25
25
|
secure: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodBoolean>;
|
|
26
26
|
sameSite: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodEnum<{
|
|
27
27
|
strict: "strict";
|
|
28
|
-
lax: "lax";
|
|
29
28
|
none: "none";
|
|
29
|
+
lax: "lax";
|
|
30
30
|
}>>;
|
|
31
31
|
maxAge: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodNumber>;
|
|
32
32
|
expires: import("@frontmcp/lazy-zod").ZodOptional<import("@frontmcp/lazy-zod").ZodDate>;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"well-known.prm.flow.d.ts","sourceRoot":"","sources":["../../../src/auth/flows/well-known.prm.flow.ts"],"names":[],"mappings":"AACA,OAAO,kBAAkB,CAAC;AAI1B,OAAO,EAGL,QAAQ,EAOR,KAAK,cAAc,EACnB,KAAK,UAAU,EACf,KAAK,aAAa,EACnB,MAAM,cAAc,CAAC;AAGtB,QAAA,MAAM,WAAW;;;;gCAAkB,CAAC;AAEpC,QAAA,MAAM,WAAW;;;;;gCAKf,CAAC;AAEH,QAAA,MAAM,YAAY;;;;;;;;;;;;;;;;;;;;;;;;;;gCAShB,CAAC;AAEH,QAAA,MAAM,IAAI;;;;CAI2B,CAAC;AAEtC,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,WAAW;QACnB,qCAAqC,EAAE,cAAc,CACnD,gBAAgB,EAChB,OAAO,IAAI,EACX,OAAO,WAAW,EAClB,OAAO,YAAY,EACnB,OAAO,WAAW,CACnB,CAAC;KACH;CACF;AAED,QAAA,MAAM,IAAI,EAAG,qCAA8C,CAAC;AAa5D,MAAM,CAAC,OAAO,OAAO,gBAAiB,SAAQ,QAAQ,CAAC,OAAO,IAAI,CAAC;IACjE,MAAM,CAAC,WAAW,CAAC,OAAO,EAAE,aAAa,EAAE,KAAK,EAAE,UAAU;IAKtD,UAAU;IAiBY,WAAW;
|
|
1
|
+
{"version":3,"file":"well-known.prm.flow.d.ts","sourceRoot":"","sources":["../../../src/auth/flows/well-known.prm.flow.ts"],"names":[],"mappings":"AACA,OAAO,kBAAkB,CAAC;AAI1B,OAAO,EAGL,QAAQ,EAOR,KAAK,cAAc,EACnB,KAAK,UAAU,EACf,KAAK,aAAa,EACnB,MAAM,cAAc,CAAC;AAGtB,QAAA,MAAM,WAAW;;;;gCAAkB,CAAC;AAEpC,QAAA,MAAM,WAAW;;;;;gCAKf,CAAC;AAEH,QAAA,MAAM,YAAY;;;;;;;;;;;;;;;;;;;;;;;;;;gCAShB,CAAC;AAEH,QAAA,MAAM,IAAI;;;;CAI2B,CAAC;AAEtC,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,WAAW;QACnB,qCAAqC,EAAE,cAAc,CACnD,gBAAgB,EAChB,OAAO,IAAI,EACX,OAAO,WAAW,EAClB,OAAO,YAAY,EACnB,OAAO,WAAW,CACnB,CAAC;KACH;CACF;AAED,QAAA,MAAM,IAAI,EAAG,qCAA8C,CAAC;AAa5D,MAAM,CAAC,OAAO,OAAO,gBAAiB,SAAQ,QAAQ,CAAC,OAAO,IAAI,CAAC;IACjE,MAAM,CAAC,WAAW,CAAC,OAAO,EAAE,aAAa,EAAE,KAAK,EAAE,UAAU;IAKtD,UAAU;IAiBY,WAAW;CAmCxC"}
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
import { type AuthorizationStore, type FederatedAuthSessionStore, type OrchestratedTokenStore as TokenStore } from '@frontmcp/auth';
|
|
1
|
+
import { DcrClientRegistry, SessionCredentialVault, type AuthorizationStore, type ConsentStore, type DcrRegistryConfig, type FederatedAuthSessionStore, type SecureStoreBackend, type OrchestratedTokenStore as TokenStore, type VerifyResult } from '@frontmcp/auth';
|
|
2
2
|
import { FrontMcpAuth, type FrontMcpLogger, type JWK, type ScopeEntry, type ServerRequest } from '../../common';
|
|
3
3
|
import { type LocalAuthOptions, type PublicAuthOptions, type RemoteAuthOptions } from '../../common/types/options/auth';
|
|
4
4
|
import type ProviderRegistry from '../../provider/provider.registry';
|
|
@@ -35,6 +35,21 @@ export interface ConsentMetadata {
|
|
|
35
35
|
skippedProviderIds?: string[];
|
|
36
36
|
consentEnabled?: boolean;
|
|
37
37
|
federatedLoginUsed?: boolean;
|
|
38
|
+
/**
|
|
39
|
+
* Progressive/Incremental authorization: the set of app IDs this token grants
|
|
40
|
+
* access to. ONLY emitted when `incrementalAuth` is enabled for the scope —
|
|
41
|
+
* its presence turns on app-level gating in `checkToolAuthorization`, so it is
|
|
42
|
+
* deliberately omitted for non-incremental setups to preserve the historical
|
|
43
|
+
* allow-all behavior. Embedded as the `authorized_apps` claim by
|
|
44
|
+
* {@link LocalPrimaryAuth.signAccessToken}.
|
|
45
|
+
*/
|
|
46
|
+
authorizedAppIds?: string[];
|
|
47
|
+
/**
|
|
48
|
+
* Custom claims from a local `authenticate` verifier (Checkpoint 3a). Merged
|
|
49
|
+
* into the access token by {@link LocalPrimaryAuth.signAccessToken} with a
|
|
50
|
+
* reserved-claim guard so they can never clobber sub/iss/exp/etc.
|
|
51
|
+
*/
|
|
52
|
+
customClaims?: Record<string, unknown>;
|
|
38
53
|
}
|
|
39
54
|
/**
|
|
40
55
|
* Extended token response from upstream providers (includes id_token)
|
|
@@ -81,30 +96,188 @@ export declare class LocalPrimaryAuth extends FrontMcpAuth<LocalPrimaryAuthOptio
|
|
|
81
96
|
readonly keys: JWK[];
|
|
82
97
|
readonly secret: Uint8Array;
|
|
83
98
|
readonly logger: FrontMcpLogger;
|
|
84
|
-
readonly authorizationStore: AuthorizationStore;
|
|
85
99
|
private jwks;
|
|
86
100
|
private cimdService;
|
|
87
|
-
/**
|
|
88
|
-
|
|
89
|
-
|
|
90
|
-
|
|
101
|
+
/**
|
|
102
|
+
* Token storage backend selected from `options.tokenStorage`.
|
|
103
|
+
* - `'memory'` / undefined → in-memory stores (default; lost on restart).
|
|
104
|
+
* - `{ redis }` / `{ sqlite }` → adapter-backed stores that survive restart.
|
|
105
|
+
*
|
|
106
|
+
* The three stores below are constructed in-memory synchronously in the
|
|
107
|
+
* constructor (preserving the exact legacy default behavior). When a
|
|
108
|
+
* persistent backend is configured, {@link initializeStores} swaps in the
|
|
109
|
+
* StorageAdapter-backed implementations during async `initialize()`, before
|
|
110
|
+
* the server signals ready.
|
|
111
|
+
*/
|
|
112
|
+
private readonly tokenStorage;
|
|
113
|
+
/** OAuth authorization-code / pending / refresh-token store. */
|
|
114
|
+
private authorizationStoreImpl;
|
|
115
|
+
/** Federated auth session store for multi-provider flows. */
|
|
116
|
+
private federatedSessionStoreImpl;
|
|
117
|
+
/** Token store for upstream provider tokens. */
|
|
118
|
+
private orchestratedTokenStoreImpl;
|
|
119
|
+
/** Remembered per-(user, client) consent selections (`rememberConsent`). */
|
|
120
|
+
private consentStoreImpl;
|
|
121
|
+
/**
|
|
122
|
+
* Local-AS Dynamic Client Registration registry (#462). Seeded with any
|
|
123
|
+
* `dcr.clients` at construction so the authorize/token flows accept those
|
|
124
|
+
* pre-registered clients without a DCR round-trip, and mutated by
|
|
125
|
+
* `POST /oauth/register`. Always present (empty when no `dcr` is configured).
|
|
126
|
+
*/
|
|
127
|
+
private readonly dcrClientRegistryImpl;
|
|
128
|
+
/** Storage adapter backing the persistent stores (kept for disposal). */
|
|
129
|
+
private storageAdapter?;
|
|
130
|
+
/**
|
|
131
|
+
* Per-session encrypted credential vault (Checkpoint 3b). Backs
|
|
132
|
+
* `this.credentials` in tools and persists `authenticate()` credentials.
|
|
133
|
+
* Constructed in {@link initialize} once the storage backend is known.
|
|
134
|
+
*/
|
|
135
|
+
private credentialVaultImpl?;
|
|
136
|
+
/** Per-session encrypted credential vault (Checkpoint 3b), if enabled. */
|
|
137
|
+
get credentialVault(): SessionCredentialVault | undefined;
|
|
138
|
+
/**
|
|
139
|
+
* General session-scoped secure-secret store backend (#470). Backs
|
|
140
|
+
* `this.secureStore` in tools. Constructed in {@link initialize} from
|
|
141
|
+
* `auth.secureStore`; defaults to an in-memory, AES-256-GCM-encrypted backing.
|
|
142
|
+
*/
|
|
143
|
+
private secureStoreBackendImpl?;
|
|
144
|
+
/** General secure-store backend (#470), if enabled. */
|
|
145
|
+
get secureStoreBackend(): SecureStoreBackend | undefined;
|
|
146
|
+
/** OAuth authorization-code / pending / refresh-token store. */
|
|
147
|
+
get authorizationStore(): AuthorizationStore;
|
|
148
|
+
/** Federated auth session store for multi-provider flows. */
|
|
149
|
+
get federatedSessionStore(): FederatedAuthSessionStore;
|
|
150
|
+
/** Token store for upstream provider tokens. */
|
|
151
|
+
get orchestratedTokenStore(): TokenStore;
|
|
152
|
+
/**
|
|
153
|
+
* Remembered per-(user, client) consent selections, backing
|
|
154
|
+
* `auth.consent.rememberConsent`. Shares the configured token-storage backend
|
|
155
|
+
* (memory by default; Redis/SQLite when persistent storage is configured).
|
|
156
|
+
*/
|
|
157
|
+
get consentStore(): ConsentStore;
|
|
158
|
+
/**
|
|
159
|
+
* Local-AS Dynamic Client Registration registry (#462). Consulted by the
|
|
160
|
+
* register/authorize flows to enforce the declarative `dcr` allowlists and to
|
|
161
|
+
* look up pre-registered + dynamically-registered clients.
|
|
162
|
+
*/
|
|
163
|
+
get dcrClientRegistry(): DcrClientRegistry;
|
|
164
|
+
/**
|
|
165
|
+
* Resolved local-AS DCR config. Only `local` mode carries `dcr`; every other
|
|
166
|
+
* mode returns `undefined`, preserving the historical behavior exactly.
|
|
167
|
+
*/
|
|
168
|
+
getDcrConfig(): DcrRegistryConfig | undefined;
|
|
169
|
+
/**
|
|
170
|
+
* Whether `POST /oauth/register` and the `registration_endpoint` advertisement
|
|
171
|
+
* are active. Honors an explicit `dcr.enabled`; when unset, falls back to the
|
|
172
|
+
* historical guard (enabled in development, disabled in production).
|
|
173
|
+
*/
|
|
174
|
+
isDcrEnabled(): boolean;
|
|
91
175
|
/** Provider configurations (indexed by provider ID) */
|
|
92
176
|
private readonly providerConfigs;
|
|
177
|
+
/**
|
|
178
|
+
* Remote-mode single upstream provider id (set by {@link registerRemoteProvider}).
|
|
179
|
+
*
|
|
180
|
+
* In `mode: 'remote'` FrontMCP federates exactly ONE mandatory upstream IdP.
|
|
181
|
+
* The authorize flow auto-starts federation against this id (no in-tree login
|
|
182
|
+
* page, no provider-selection page), and tools read its token via
|
|
183
|
+
* `this.orchestration.getToken(remoteProviderId)`. Undefined in every other mode.
|
|
184
|
+
*/
|
|
185
|
+
private remoteProviderIdImpl?;
|
|
186
|
+
/** Remote-mode single upstream provider id, or undefined outside remote mode. */
|
|
187
|
+
get remoteProviderId(): string | undefined;
|
|
93
188
|
/** Default access token TTL (1 hour) */
|
|
94
189
|
private readonly accessTokenTtlSeconds;
|
|
95
190
|
/** Default refresh token TTL (30 days) */
|
|
96
191
|
private readonly refreshTokenTtlSeconds;
|
|
97
|
-
/**
|
|
98
|
-
* Get the authorization store as InMemoryAuthorizationStore with type guard.
|
|
99
|
-
* This ensures type safety when using InMemory-specific methods.
|
|
100
|
-
*/
|
|
101
|
-
private getInMemoryStore;
|
|
102
192
|
constructor(scope: ScopeEntry, providers: ProviderRegistry, options: LocalPrimaryAuthOptions);
|
|
103
193
|
/**
|
|
104
|
-
* Derive issuer from options
|
|
194
|
+
* Derive issuer from options.
|
|
195
|
+
*
|
|
196
|
+
* `FRONTMCP_PUBLIC_HOST` overrides only the HOST portion of the boot-time
|
|
197
|
+
* issuer (see `this.host` in the constructor); the scheme stays `http` and
|
|
198
|
+
* the port stays `this.port`. To override the scheme and/or port (e.g.
|
|
199
|
+
* advertise `https://…` with no explicit port behind a TLS proxy), set an
|
|
200
|
+
* explicit `local.issuer` — that is the supported way to make the boot-time
|
|
201
|
+
* issuer match what discovery advertises. JWT verification accepts an issuer
|
|
202
|
+
* array, so tokens minted under a different scheme/port are still tolerated
|
|
203
|
+
* when running behind a TLS-terminating proxy, but `local.issuer` is the
|
|
204
|
+
* supported knob for aligning the issuer with discovery.
|
|
105
205
|
*/
|
|
106
206
|
private deriveIssuer;
|
|
207
|
+
/**
|
|
208
|
+
* Read the `tokenStorage` selection off the auth options. Only
|
|
209
|
+
* local/remote/orchestrated modes declare it; public mode does not, in which
|
|
210
|
+
* case we treat it as the in-memory default.
|
|
211
|
+
*/
|
|
212
|
+
private readTokenStorage;
|
|
213
|
+
/**
|
|
214
|
+
* When a persistent token-storage backend (Redis/SQLite) is configured, build
|
|
215
|
+
* a shared `StorageAdapter` and swap the three in-memory stores for their
|
|
216
|
+
* adapter-backed equivalents. For `'memory'` (or unset) this is a no-op, so
|
|
217
|
+
* the default behavior is preserved exactly.
|
|
218
|
+
*
|
|
219
|
+
* The orchestrated-token store keeps using the JWT secret as its encryption
|
|
220
|
+
* key, so upstream provider tokens stay encrypted at rest in every backend.
|
|
221
|
+
*/
|
|
222
|
+
private initializeStores;
|
|
223
|
+
/**
|
|
224
|
+
* Build the per-session credential vault (Checkpoint 3b) and register the
|
|
225
|
+
* `this.credentials` accessor + the `/oauth/connect` add-credential flow.
|
|
226
|
+
*
|
|
227
|
+
* Skipped in pure public mode (no authenticated subject / no authenticate()
|
|
228
|
+
* verifier there). The vault shares the persistent StorageAdapter when one is
|
|
229
|
+
* configured; otherwise it uses a dedicated in-memory adapter. The HMAC pepper
|
|
230
|
+
* and resume-link signing key both derive from the server JWT secret
|
|
231
|
+
* (`this.secret`), so resume URLs are framework-signed with the same trust
|
|
232
|
+
* root as the access tokens.
|
|
233
|
+
*/
|
|
234
|
+
private initializeCredentialVault;
|
|
235
|
+
/**
|
|
236
|
+
* Read the `secureStore` selection off the auth options. Only
|
|
237
|
+
* local/remote/orchestrated modes declare it; public mode does not.
|
|
238
|
+
*/
|
|
239
|
+
private readSecureStoreConfig;
|
|
240
|
+
/**
|
|
241
|
+
* Build the general session-scoped secure-secret store (#470) and register the
|
|
242
|
+
* `this.secureStore` accessor.
|
|
243
|
+
*
|
|
244
|
+
* Skipped in pure public mode (no authenticated subject / no session-bound
|
|
245
|
+
* secrets there). The backing comes from `auth.secureStore`:
|
|
246
|
+
* - unset / `'memory'` → in-memory, AES-256-GCM-encrypted store (default);
|
|
247
|
+
* - `{ sqlite }` / `{ redis }` → persistent encrypted store. When the chosen
|
|
248
|
+
* persistent backing matches the configured `tokenStorage`, the SAME
|
|
249
|
+
* StorageAdapter is reused (one connection);
|
|
250
|
+
* - `{ backend }` → a custom backing used as-is (e.g. an OS keychain) — the
|
|
251
|
+
* framework bundles NO native dependency for this path.
|
|
252
|
+
*
|
|
253
|
+
* The HKDF pepper for the built-in encrypted backings derives from the server
|
|
254
|
+
* JWT secret (`this.secret`) unless an explicit `encryption.pepper` is set, so
|
|
255
|
+
* secrets share the same trust root as the access tokens.
|
|
256
|
+
*/
|
|
257
|
+
private initializeSecureStore;
|
|
258
|
+
/**
|
|
259
|
+
* Whether the `secureStore` config selects the SAME persistent backing as the
|
|
260
|
+
* configured `tokenStorage`, so they can share one StorageAdapter. Returns
|
|
261
|
+
* false for memory/custom/undefined and for mismatched backings (in which case
|
|
262
|
+
* the secure store gets its own adapter).
|
|
263
|
+
*/
|
|
264
|
+
private secureStoreSharesTokenStorage;
|
|
107
265
|
signAnonymousJwt(): Promise<string>;
|
|
266
|
+
/**
|
|
267
|
+
* Cryptographically verify a gateway-issued access token (public/local/remote
|
|
268
|
+
* "gateway" modes). Gateway tokens — both authenticated access tokens
|
|
269
|
+
* ({@link signAccessToken}) and anonymous tokens ({@link signAnonymousJwt}) —
|
|
270
|
+
* are HS256-signed with `this.secret`, so this instance is the sole holder of
|
|
271
|
+
* the verification key.
|
|
272
|
+
*
|
|
273
|
+
* Enforces the signature and lifetime claims (`exp`/`nbf`, checked by `jose`
|
|
274
|
+
* by default). Issuer equality is intentionally NOT enforced: proxy/tunnel
|
|
275
|
+
* deployments legitimately present an `iss` that differs from the
|
|
276
|
+
* request-derived base URL (see {@link deriveIssuer}). Algorithm is pinned to
|
|
277
|
+
* HS256 to block `alg` confusion (e.g. a forged `alg: none` or asymmetric
|
|
278
|
+
* header). `expectedIssuer` is accepted for parity/logging only.
|
|
279
|
+
*/
|
|
280
|
+
verifyGatewayToken(token: string, expectedIssuer: string): Promise<VerifyResult>;
|
|
108
281
|
/**
|
|
109
282
|
* Sign an access token for an authenticated user
|
|
110
283
|
*/
|
|
@@ -142,6 +315,8 @@ export declare class LocalPrimaryAuth extends FrontMcpAuth<LocalPrimaryAuthOptio
|
|
|
142
315
|
consentEnabled?: boolean;
|
|
143
316
|
federatedLoginUsed?: boolean;
|
|
144
317
|
pendingAuthId?: string;
|
|
318
|
+
authorizedAppIds?: string[];
|
|
319
|
+
customClaims?: Record<string, unknown>;
|
|
145
320
|
}): Promise<string>;
|
|
146
321
|
protected initialize(): Promise<void>;
|
|
147
322
|
fetch(input: RequestInfo | URL, init?: RequestInit): Promise<Response>;
|
|
@@ -151,6 +326,45 @@ export declare class LocalPrimaryAuth extends FrontMcpAuth<LocalPrimaryAuthOptio
|
|
|
151
326
|
* Register an upstream OAuth provider configuration
|
|
152
327
|
*/
|
|
153
328
|
registerProvider(config: UpstreamProviderConfig): void;
|
|
329
|
+
/**
|
|
330
|
+
* Bridge declarative `auth.providers` (local-mode multi-provider orchestration)
|
|
331
|
+
* into the upstream-provider registry. Runs once during `initialize()`.
|
|
332
|
+
*
|
|
333
|
+
* For each declared provider we map the ergonomic `authorizeUrl`/`tokenUrl`
|
|
334
|
+
* aliases onto the canonical `authorizationEndpoint`/`tokenEndpoint`, default
|
|
335
|
+
* `name`/`scopes`, and compute the per-provider callback URL from the issuer
|
|
336
|
+
* (`${issuer}/oauth/provider/${id}/callback`). No-op when not local mode or
|
|
337
|
+
* when no providers are declared, so existing configs are unaffected.
|
|
338
|
+
*
|
|
339
|
+
* Security: only non-PII provider metadata is read here; client secrets are
|
|
340
|
+
* kept in the provider config and never logged or exposed to the LLM.
|
|
341
|
+
*/
|
|
342
|
+
private registerConfiguredProviders;
|
|
343
|
+
/**
|
|
344
|
+
* Remote mode (`mode: 'remote'`): register the flat remote config as the
|
|
345
|
+
* SINGLE mandatory upstream provider. Runs once during `initialize()`.
|
|
346
|
+
*
|
|
347
|
+
* The flat fields (`provider` base URL + `clientId`/`clientSecret`/`scopes`)
|
|
348
|
+
* and the `providerConfig` endpoint overrides (`authEndpoint`/`tokenEndpoint`/
|
|
349
|
+
* `userInfoEndpoint`/`jwksUri`) are mapped onto an {@link UpstreamProviderConfig}.
|
|
350
|
+
* Endpoints not explicitly overridden are derived from the `provider` base URL
|
|
351
|
+
* using the standard OIDC paths (`/authorize`, `/token`, `/userinfo`,
|
|
352
|
+
* `/.well-known/jwks.json`) — the same convention `transparent` mode uses for
|
|
353
|
+
* discovery. The provider id comes from `providerConfig.id` when set, else it
|
|
354
|
+
* is derived from the provider hostname (mirroring `deriveProviderId`).
|
|
355
|
+
*
|
|
356
|
+
* No-op outside remote mode, so local/public/transparent are unaffected.
|
|
357
|
+
*
|
|
358
|
+
* Security: only non-PII provider metadata is read here; the client secret is
|
|
359
|
+
* kept in the provider config and never logged or exposed to the LLM.
|
|
360
|
+
*/
|
|
361
|
+
private registerRemoteProvider;
|
|
362
|
+
/**
|
|
363
|
+
* Derive a stable provider id from the upstream `provider` base URL, mirroring
|
|
364
|
+
* the detection layer's `deriveProviderId`/`urlToProviderId` (hostname with
|
|
365
|
+
* dots replaced by underscores) so the id is consistent across surfaces.
|
|
366
|
+
*/
|
|
367
|
+
private deriveRemoteProviderId;
|
|
154
368
|
/**
|
|
155
369
|
* Get provider configuration
|
|
156
370
|
*/
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"instance.local-primary-auth.d.ts","sourceRoot":"","sources":["../../../src/auth/instances/instance.local-primary-auth.ts"],"names":[],"mappings":"AAEA,OAAO,
|
|
1
|
+
{"version":3,"file":"instance.local-primary-auth.d.ts","sourceRoot":"","sources":["../../../src/auth/instances/instance.local-primary-auth.ts"],"names":[],"mappings":"AAEA,OAAO,EAGL,iBAAiB,EASjB,sBAAsB,EAMtB,KAAK,kBAAkB,EACvB,KAAK,YAAY,EACjB,KAAK,iBAAiB,EACtB,KAAK,yBAAyB,EAC9B,KAAK,kBAAkB,EAGvB,KAAK,sBAAsB,IAAI,UAAU,EACzC,KAAK,YAAY,EAClB,MAAM,gBAAgB,CAAC;AAYxB,OAAO,EACL,YAAY,EAEZ,KAAK,cAAc,EACnB,KAAK,GAAG,EACR,KAAK,UAAU,EACf,KAAK,aAAa,EACnB,MAAM,cAAc,CAAC;AACtB,OAAO,EAML,KAAK,gBAAgB,EACrB,KAAK,iBAAiB,EACtB,KAAK,iBAAiB,EACvB,MAAM,iCAAiC,CAAC;AAEzC,OAAO,KAAK,gBAAgB,MAAM,kCAAkC,CAAC;AAmBrE;;GAEG;AACH,MAAM,MAAM,uBAAuB,GAAG,iBAAiB,GAAG,gBAAgB,GAAG,iBAAiB,CAAC;AAI/F;;GAEG;AACH,MAAM,WAAW,QAAQ;IACvB,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,QAAQ,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;IACnB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAC3B,mBAAmB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC/B,kBAAkB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC9B,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAC7B;;;;;;;OAOG;IACH,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC5B;;;;OAIG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACxC;AAwBD;;GAEG;AACH,MAAM,WAAW,qBAAqB;IACpC,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,sBAAsB;IACrC,kBAAkB;IAClB,EAAE,EAAE,MAAM,CAAC;IACX,mBAAmB;IACnB,IAAI,EAAE,MAAM,CAAC;IACb,6BAA6B;IAC7B,qBAAqB,EAAE,MAAM,CAAC;IAC9B,qBAAqB;IACrB,aAAa,EAAE,MAAM,CAAC;IACtB,oCAAoC;IACpC,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,kDAAkD;IAClD,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,gBAAgB;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,+CAA+C;IAC/C,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,gCAAgC;IAChC,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,qCAAqC;IACrC,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,qBAAa,gBAAiB,SAAQ,YAAY,CAAC,uBAAuB,CAAC;IAuJvE,OAAO,CAAC,KAAK;IACb,OAAO,CAAC,SAAS;IAvJnB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,IAAI,EAAE,GAAG,EAAE,CAAM;IAC1B,QAAQ,CAAC,MAAM,EAAE,UAAU,CAAC;IAC5B,QAAQ,CAAC,MAAM,EAAE,cAAc,CAAC;IAChC,OAAO,CAAC,IAAI,CAAqB;IACjC,OAAO,CAAC,WAAW,CAA0B;IAE7C;;;;;;;;;;OAUG;IACH,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAiC;IAE9D,gEAAgE;IAChE,OAAO,CAAC,sBAAsB,CAAqB;IAEnD,6DAA6D;IAC7D,OAAO,CAAC,yBAAyB,CAA4B;IAE7D,gDAAgD;IAChD,OAAO,CAAC,0BAA0B,CAAa;IAE/C,4EAA4E;IAC5E,OAAO,CAAC,gBAAgB,CAAe;IAEvC;;;;;OAKG;IACH,OAAO,CAAC,QAAQ,CAAC,qBAAqB,CAAoB;IAE1D,yEAAyE;IACzE,OAAO,CAAC,cAAc,CAAC,CAAiB;IAExC;;;;OAIG;IACH,OAAO,CAAC,mBAAmB,CAAC,CAAyB;IAErD,0EAA0E;IAC1E,IAAI,eAAe,IAAI,sBAAsB,GAAG,SAAS,CAExD;IAED;;;;OAIG;IACH,OAAO,CAAC,sBAAsB,CAAC,CAAqB;IAEpD,uDAAuD;IACvD,IAAI,kBAAkB,IAAI,kBAAkB,GAAG,SAAS,CAEvD;IAED,gEAAgE;IAChE,IAAI,kBAAkB,IAAI,kBAAkB,CAE3C;IAED,6DAA6D;IAC7D,IAAI,qBAAqB,IAAI,yBAAyB,CAErD;IAED,gDAAgD;IAChD,IAAI,sBAAsB,IAAI,UAAU,CAEvC;IAED;;;;OAIG;IACH,IAAI,YAAY,IAAI,YAAY,CAE/B;IAED;;;;OAIG;IACH,IAAI,iBAAiB,IAAI,iBAAiB,CAEzC;IAED;;;OAGG;IACH,YAAY,IAAI,iBAAiB,GAAG,SAAS;IAO7C;;;;OAIG;IACH,YAAY,IAAI,OAAO;IAQvB,uDAAuD;IACvD,OAAO,CAAC,QAAQ,CAAC,eAAe,CAA6C;IAE7E;;;;;;;OAOG;IACH,OAAO,CAAC,oBAAoB,CAAC,CAAS;IAEtC,iFAAiF;IACjF,IAAI,gBAAgB,IAAI,MAAM,GAAG,SAAS,CAEzC;IAED,wCAAwC;IACxC,OAAO,CAAC,QAAQ,CAAC,qBAAqB,CAAQ;IAC9C,0CAA0C;IAC1C,OAAO,CAAC,QAAQ,CAAC,sBAAsB,CAAkB;gBAG/C,KAAK,EAAE,UAAU,EACjB,SAAS,EAAE,gBAAgB,EACnC,OAAO,EAAE,uBAAuB;IAoDlC;;;;;;;;;;;;OAYG;IACH,OAAO,CAAC,YAAY;IAmBpB;;;;OAIG;IACH,OAAO,CAAC,gBAAgB;IAOxB;;;;;;;;OAQG;YACW,gBAAgB;IA8B9B;;;;;;;;;;OAUG;YACW,yBAAyB;IAgDvC;;;OAGG;IACH,OAAO,CAAC,qBAAqB;IAO7B;;;;;;;;;;;;;;;;OAgBG;YACW,qBAAqB;IA0CnC;;;;;OAKG;IACH,OAAO,CAAC,6BAA6B;IAO/B,gBAAgB;IAUtB;;;;;;;;;;;;;OAaG;IACY,kBAAkB,CAAC,KAAK,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC;IAkB/F;;OAEG;IACG,eAAe,CACnB,IAAI,EAAE,QAAQ,EACd,MAAM,EAAE,MAAM,EAAE,EAChB,QAAQ,CAAC,EAAE,MAAM,EACjB,eAAe,CAAC,EAAE,eAAe,GAChC,OAAO,CAAC,MAAM,CAAC;IAgElB;;OAEG;IACG,YAAY,CAChB,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,MAAM,EAChB,WAAW,EAAE,MAAM,EACnB,YAAY,EAAE,MAAM,GACnB,OAAO,CAAC,aAAa,GAAG;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,iBAAiB,EAAE,MAAM,CAAA;KAAE,CAAC;IAuHxE;;OAEG;IACG,kBAAkB,CACtB,YAAY,EAAE,MAAM,EACpB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,aAAa,GAAG;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,iBAAiB,EAAE,MAAM,CAAA;KAAE,CAAC;IA2CxE;;OAEG;IACG,uBAAuB,CAAC,MAAM,EAAE;QACpC,QAAQ,EAAE,MAAM,CAAC;QACjB,WAAW,EAAE,MAAM,CAAC;QACpB,MAAM,EAAE,MAAM,EAAE,CAAC;QACjB,aAAa,EAAE,MAAM,CAAC;QACtB,OAAO,EAAE,MAAM,CAAC;QAChB,SAAS,CAAC,EAAE,MAAM,CAAC;QACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,QAAQ,CAAC,EAAE,MAAM,CAAC;QAElB,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;QAC3B,mBAAmB,CAAC,EAAE,MAAM,EAAE,CAAC;QAC/B,kBAAkB,CAAC,EAAE,MAAM,EAAE,CAAC;QAC9B,cAAc,CAAC,EAAE,OAAO,CAAC;QACzB,kBAAkB,CAAC,EAAE,OAAO,CAAC;QAE7B,aAAa,CAAC,EAAE,MAAM,CAAC;QAGvB,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;QAE5B,YAAY,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;KACxC,GAAG,OAAO,CAAC,MAAM,CAAC;cA+BH,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC;IAsDlC,KAAK,CAAC,KAAK,EAAE,WAAW,GAAG,GAAG,EAAE,IAAI,CAAC,EAAE,WAAW,GAAG,OAAO,CAAC,QAAQ,CAAC;IAItE,QAAQ,CAAC,OAAO,EAAE,aAAa,GAAG,OAAO,CAAC,IAAI,CAAC;YAI1C,iBAAiB;IAuB/B;;OAEG;IACH,gBAAgB,CAAC,MAAM,EAAE,sBAAsB,GAAG,IAAI;IAKtD;;;;;;;;;;;;OAYG;IACH,OAAO,CAAC,2BAA2B;IAyCnC;;;;;;;;;;;;;;;;;OAiBG;IACH,OAAO,CAAC,sBAAsB;IAqC9B;;;;OAIG;IACH,OAAO,CAAC,sBAAsB;IAQ9B;;OAEG;IACH,iBAAiB,CAAC,UAAU,EAAE,MAAM,GAAG,sBAAsB,GAAG,SAAS;IAIzE;;OAEG;IACG,yBAAyB,CAC7B,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE;QACN,KAAK,EAAE,MAAM,CAAC;QACd,aAAa,EAAE,MAAM,CAAC;QACtB,mBAAmB,EAAE,MAAM,CAAC;QAC5B,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;KACnB,GACA,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAwBzB;;OAEG;IACG,oBAAoB,CACxB,UAAU,EAAE,MAAM,EAClB,IAAI,EAAE,MAAM,EACZ,YAAY,CAAC,EAAE,MAAM,GACpB,OAAO,CAAC,qBAAqB,GAAG;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,iBAAiB,EAAE,MAAM,CAAA;KAAE,CAAC;IA4EhF;;OAEG;IACG,mBAAmB,CACvB,UAAU,EAAE,MAAM,EAClB,WAAW,EAAE,MAAM,EACnB,OAAO,CAAC,EAAE,MAAM,GACf,OAAO,CAAC;QAAE,GAAG,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;KAAE,CAAC;IAsD9G;;OAEG;IACG,oBAAoB,CACxB,UAAU,EAAE,MAAM,EAClB,YAAY,EAAE,MAAM,GACnB,OAAO,CAAC,qBAAqB,GAAG;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,iBAAiB,EAAE,MAAM,CAAA;KAAE,CAAC;CA8CjF"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/auth/secure-store/index.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,oBAAoB,EAAE,0BAA0B,EAAE,uBAAuB,EAAE,MAAM,0BAA0B,CAAC;AAGrH,OAAO,EAAE,2BAA2B,EAAE,cAAc,EAAE,iBAAiB,EAAE,MAAM,kCAAkC,CAAC"}
|
|
@@ -0,0 +1,61 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Secure-store Context Extension (#470)
|
|
3
|
+
*
|
|
4
|
+
* Module augmentation + context-extension configuration that adds
|
|
5
|
+
* `this.secureStore` to ExecutionContextBase, mirroring `this.credentials`.
|
|
6
|
+
*
|
|
7
|
+
* `this.secureStore` exposes the general, session-scoped {@link SecureStoreAccessor}
|
|
8
|
+
* so tools (and auth UI) can read/write arbitrary user-typed secrets keyed by
|
|
9
|
+
* the configured scope (user / session / global), with the backing pluggable per
|
|
10
|
+
* deployment (memory / sqlite / redis / a custom OS-keychain backend).
|
|
11
|
+
*/
|
|
12
|
+
import { type SecureStoreAccessor } from '@frontmcp/auth';
|
|
13
|
+
import type { ContextExtension } from '../../common/metadata/plugin.metadata';
|
|
14
|
+
declare module '../../common/interfaces/execution-context.interface' {
|
|
15
|
+
interface ExecutionContextBase {
|
|
16
|
+
/**
|
|
17
|
+
* General session-scoped secure-secret store (#470). A typed accessor over a
|
|
18
|
+
* pluggable backend for arbitrary user-typed secrets. Available in
|
|
19
|
+
* `local`/`remote` auth modes.
|
|
20
|
+
*
|
|
21
|
+
* Distinct from {@link ExecutionContextBase.credentials}: `credentials` is the
|
|
22
|
+
* OAuth-credential vault (resume URLs, per-authorize rotation); `secureStore`
|
|
23
|
+
* is a general key→secret store with selectable backing.
|
|
24
|
+
*
|
|
25
|
+
* @example
|
|
26
|
+
* ```typescript
|
|
27
|
+
* @Tool({ name: 'save_api_key' })
|
|
28
|
+
* class SaveApiKeyTool extends ToolContext {
|
|
29
|
+
* async execute(input: Input): Promise<Output> {
|
|
30
|
+
* await this.secureStore.set('stg.api-key', input.apiKey);
|
|
31
|
+
* const key = await this.secureStore.get<string>('stg.api-key');
|
|
32
|
+
* const keys = await this.secureStore.list();
|
|
33
|
+
* // …
|
|
34
|
+
* }
|
|
35
|
+
* }
|
|
36
|
+
* ```
|
|
37
|
+
*/
|
|
38
|
+
readonly secureStore: SecureStoreAccessor;
|
|
39
|
+
}
|
|
40
|
+
}
|
|
41
|
+
/**
|
|
42
|
+
* Context extension configuration for `this.secureStore`. Registers the lazy
|
|
43
|
+
* getter on ExecutionContextBase.prototype; resolves {@link SECURE_STORE_ACCESSOR}
|
|
44
|
+
* from the request scope.
|
|
45
|
+
*/
|
|
46
|
+
export declare const secureStoreContextExtension: ContextExtension;
|
|
47
|
+
/**
|
|
48
|
+
* Get the {@link SecureStoreAccessor} from a context. Throws via the DI layer
|
|
49
|
+
* when not configured (see {@link secureStoreContextExtension.errorMessage}).
|
|
50
|
+
*/
|
|
51
|
+
export declare function getSecureStore(ctx: {
|
|
52
|
+
get: <T>(token: unknown) => T;
|
|
53
|
+
}): SecureStoreAccessor;
|
|
54
|
+
/**
|
|
55
|
+
* Try to get the {@link SecureStoreAccessor}; returns undefined when not
|
|
56
|
+
* available (graceful degradation).
|
|
57
|
+
*/
|
|
58
|
+
export declare function tryGetSecureStore(ctx: {
|
|
59
|
+
tryGet: <T>(token: unknown) => T | undefined;
|
|
60
|
+
}): SecureStoreAccessor | undefined;
|
|
61
|
+
//# sourceMappingURL=secure-store.context-extension.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"secure-store.context-extension.d.ts","sourceRoot":"","sources":["../../../src/auth/secure-store/secure-store.context-extension.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAyB,KAAK,mBAAmB,EAAE,MAAM,gBAAgB,CAAC;AAEjF,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,uCAAuC,CAAC;AAM9E,OAAO,QAAQ,qDAAqD,CAAC;IACnE,UAAU,oBAAoB;QAC5B;;;;;;;;;;;;;;;;;;;;;WAqBG;QACH,QAAQ,CAAC,WAAW,EAAE,mBAAmB,CAAC;KAC3C;CACF;AAMD;;;;GAIG;AACH,eAAO,MAAM,2BAA2B,EAAE,gBAMzC,CAAC;AAMF;;;GAGG;AACH,wBAAgB,cAAc,CAAC,GAAG,EAAE;IAAE,GAAG,EAAE,CAAC,CAAC,EAAE,KAAK,EAAE,OAAO,KAAK,CAAC,CAAA;CAAE,GAAG,mBAAmB,CAE1F;AAED;;;GAGG;AACH,wBAAgB,iBAAiB,CAAC,GAAG,EAAE;IACrC,MAAM,EAAE,CAAC,CAAC,EAAE,KAAK,EAAE,OAAO,KAAK,CAAC,GAAG,SAAS,CAAC;CAC9C,GAAG,mBAAmB,GAAG,SAAS,CAElC"}
|