@fuul/mcp-server 0.2.0

package/README.md

@@ -0,0 +1,218 @@
+# @fuul/mcp-server
+
+Fuul [Model Context Protocol](https://modelcontextprotocol.io/) server: OAuth CLI (`fuul-mcp`), stdio MCP entry (`fuul-mcp-server`), metadata tools, project and affiliate analytics, incentive and payout operations (reads plus `dry_run` / `confirmed` writes), and rate-limit-aware errors.
+
+## Documentation
+
+| Resource | Purpose |
+| -------- | ------- |
+| [docs/README.md](docs/README.md) | Index of all docs in this repo |
+| [docs/AGENTS.md](docs/AGENTS.md) | Tool ↔ HTTP map (audit, support, PR review) |
+| [docs/mcp-phase2/CONSUMER.md](docs/mcp-phase2/CONSUMER.md) | Staging/production URLs, API expectations |
+| [docs/mcp-phase2/tool-prompts.md](docs/mcp-phase2/tool-prompts.md) | Sample prompts for tooling and evals |
+| [CHANGELOG.md](CHANGELOG.md) | Release notes |
+
+## Install (pick one path)
+
+### 1. Claude Code plugin (marketplace)
+
+Adds the MCP server plus a **skill** that documents how to use Fuul tools.
+
+In **Claude Code**:
+
+```text
+/plugin marketplace add kuyen-labs/mcp_server
+/plugin install fuul-mcp@fuul-mcp
+```
+
+One-time OAuth in a terminal (same tokens the MCP uses):
+
+```bash
+npx -y @fuul/mcp-server@latest fuul-mcp login
+npx -y @fuul/mcp-server@latest fuul-mcp whoami
+```
+
+Optional: set **staging** in the plugin’s user settings — `FUUL_API_BASE_URL` = `https://api.stg.fuul.xyz`. Default is production `https://api.fuul.xyz`.
+
+Requires **`@fuul/mcp-server@0.2.0`** or newer on npm (for the `fuul-mcp-server` binary). After the first release with this version, `npx @latest` resolves correctly.
+
+### 2. npm / npx (any MCP client)
+
+Use the published package without cloning:
+
+| Command | Role |
+| ------- | ---- |
+| `npx -y @fuul/mcp-server@latest fuul-mcp-server` | Stdio MCP server (what clients spawn) |
+| `npx -y @fuul/mcp-server@latest fuul-mcp login` | Browser OAuth; writes `~/.fuul/tokens.json` |
+| `npx -y @fuul/mcp-server@latest fuul-mcp whoami` | `GET /api/v1/auth/user` |
+
+Point your client at `fuul-mcp-server` with `cwd` optional; config can be passed via `env` (see **Configuration**).
+
+### 3. Clone (development)
+
+```bash
+git clone https://github.com/kuyen-labs/mcp_server.git
+cd mcp_server
+npm ci
+cp .env.example .env   # optional; defaults match production Agent OAuth
+npm run build
+```
+
+Run the CLI from the repo:
+
+```bash
+npm run cli -- login
+npm run cli -- whoami
+```
+
+Run the MCP server:
+
+```bash
+npm start
+# or: npm run dev
+```
+
+## Configuration
+
+Environment variables are read from `process.env` and, when present, a **`.env` file in the current working directory** (`dotenv`). See [.env.example](.env.example).
+
+| Variable | Purpose |
+| -------- | ------- |
+| `FUUL_API_BASE_URL` | API origin only, no trailing slash. Production: `https://api.fuul.xyz`. Staging: `https://api.stg.fuul.xyz`. |
+| `FUUL_OAUTH_CLIENT_ID` | OAuth client id (default `fuul-agent`). |
+| `FUUL_OAUTH_REDIRECT_URI` | Loopback callback (default `http://127.0.0.1:8765/callback`). |
+| `FUUL_MCP_TOOL_TIMEOUT_MS` | Per-tool timeout in ms (default `90000`). |
+| `FUUL_MCP_DEBUG` | Set to `1` or `true` for debug logging. |
+
+**Note:** Values in `.env` are local dev convenience; they are **not** published in the npm package (`package.json` only ships `dist/`). OAuth **tokens** live in `~/.fuul/tokens.json`, not in `.env`.
+
+## MCP tool examples
+
+Clients send JSON arguments; shapes match [docs/AGENTS.md](docs/AGENTS.md). Illustrative only — use real UUIDs from your tenant.
+
+**Session**
+
+- `ping` → `{}` (no API call)
+- `whoami` → `{}` (requires login)
+
+**Metadata**
+
+- `list_chains`, `list_trigger_types`, `list_payout_schemas` → `{}`
+
+**Projects**
+
+- `list_projects` → `{ "page": 1, "query": "acme" }`
+- `get_project` → `{ "project_id": "<uuid>" }`
+- `list_incentives` / `get_incentive` / `get_trigger` → see tool descriptions in the client
+
+**Affiliate analytics**
+
+- `get_affiliate_portal_stats` → `project_id`, `user_identifier` (e.g. `evm:0x...`)
+- `get_project_affiliate_total_stats` → `project_id`, optional `dateRange`, filters
+- `get_project_affiliates_breakdown` → `project_id`, **`groupBy`** (`audience` \| `tier` \| `region` \| `status`)
+
+**Writes (two steps: `dry_run: true` then `confirmed: true`)**
+
+- `create_incentive_program`, `update_incentive_program`, `approve_payouts`, `reject_payouts`
+
+## Run and debug
+
+```bash
+npm run build && npm start
+```
+
+MCP Inspector:
+
+```bash
+npm run build
+npx @modelcontextprotocol/inspector node dist/index.js
+```
+
+## Client setup
+
+### Cursor
+
+1. Complete **Clone** or use **npx** so `dist/index.js` or `fuul-mcp-server` exists; run **`fuul-mcp login`** once.
+2. **Settings → MCP** (or user `mcp.json`): spawn stdio with `command` + `args`, and set **`cwd`** to a folder that contains `.env` if you use one.
+
+Example:
+
+```json
+{
+  "mcpServers": {
+    "fuul": {
+      "command": "node",
+      "args": ["C:\\path\\to\\mcp_server\\dist\\index.js"],
+      "cwd": "C:\\path\\to\\mcp_server"
+    }
+  }
+}
+```
+
+Or with npx:
+
+```json
+{
+  "mcpServers": {
+    "fuul": {
+      "command": "npx",
+      "args": ["-y", "@fuul/mcp-server@latest", "fuul-mcp-server"],
+      "env": {
+        "FUUL_API_BASE_URL": "https://api.fuul.xyz"
+      }
+    }
+  }
+}
+```
+
+### Claude Desktop
+
+Use the same `mcpServers` idea in the app’s developer config. See [Anthropic MCP docs](https://docs.anthropic.com/en/docs/mcp).
+
+### Claude Code (manual MCP, without the plugin)
+
+Configure stdio per your Claude Code version: `node` + path to `dist/index.js`, or `npx` + `fuul-mcp-server` as above.
+
+## Repository layout
+
+```text
+mcp_server/
+├── .claude-plugin/           # Claude Code marketplace manifest
+│   └── marketplace.json
+├── plugins/
+│   └── fuul-mcp/             # Plugin: MCP config + skill
+│       ├── .claude-plugin/
+│       │   └── plugin.json
+│       ├── .mcp.json
+│       └── skills/fuul/SKILL.md
+├── src/                      # TypeScript source
+├── docs/                     # Maintainer and integrator docs
+├── .github/workflows/        # ci.yml, publish.yml
+└── dist/                     # `npm run build` (gitignored)
+```
+
+## Requirements
+
+- **Node.js** 18+
+- A running **fuul-server** (staging or production) with **Agent OAuth** configured
+
+## CI and releases
+
+On each push/PR to `main` / `master`, GitHub Actions runs **lint**, **test**, and **build** in parallel.
+
+Publishing to npm is triggered by publishing a **GitHub Release** (see [.github/workflows/publish.yml](.github/workflows/publish.yml)); the repository needs an `NPM_TOKEN` secret.
+
+## Scripts
+
+| Script | Description |
+| ------ | ----------- |
+| `npm run build` | Compile TypeScript → `dist/` |
+| `npm start` | Run MCP server (`node dist/index.js`) |
+| `npm run cli` | OAuth CLI via `tsx` (`src/cli.ts`) |
+| `npm run dev` | MCP via `tsx` (`src/index.ts`) |
+| `npm run lint` | ESLint on `src/` |
+| `npm run test` | Vitest |
+
+## License
+
+MIT — see `package.json`.

package/dist/affiliate-portal/affiliate-portal-queries.d.ts

@@ -0,0 +1,15 @@
+import type { GetAffiliatePortalStatsInput, GetProjectAffiliatesBreakdownInput, GetProjectAffiliateTotalStatsInput } from '../tools/tool-schemas.js';
+/** Query object for GET /api/v1/projects/:projectId/affiliate-portal/stats */
+export declare function affiliatePortalStatsQueryFromInput(input: GetAffiliatePortalStatsInput): Record<string, unknown>;
+/** Query object for GET .../affiliate-portal/total-stats */
+export declare function projectAffiliateTotalStatsQueryFromInput(input: GetProjectAffiliateTotalStatsInput): Record<string, unknown>;
+/** Query object for GET .../affiliate-portal/global-breakdown */
+export declare function projectAffiliatesBreakdownQueryFromInput(input: GetProjectAffiliatesBreakdownInput): Record<string, unknown>;
+type AffiliatePortalSegment = 'stats' | 'total-stats' | 'global-breakdown';
+/** Relative URL path with query string for affiliate-portal GET routes. */
+export declare function buildAffiliatePortalGetPath(projectId: string, segment: AffiliatePortalSegment, query: Record<string, unknown>): string;
+export declare function affiliatePortalStatsPath(input: GetAffiliatePortalStatsInput): string;
+export declare function projectAffiliateTotalStatsPath(input: GetProjectAffiliateTotalStatsInput): string;
+export declare function projectAffiliatesBreakdownPath(input: GetProjectAffiliatesBreakdownInput): string;
+export {};
+//# sourceMappingURL=affiliate-portal-queries.d.ts.map

package/dist/affiliate-portal/affiliate-portal-queries.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"affiliate-portal-queries.d.ts","sourceRoot":"","sources":["../../src/affiliate-portal/affiliate-portal-queries.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,4BAA4B,EAAE,kCAAkC,EAAE,kCAAkC,EAAE,MAAM,0BAA0B,CAAC;AASrJ,8EAA8E;AAC9E,wBAAgB,kCAAkC,CAAC,KAAK,EAAE,4BAA4B,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAE/G;AAED,4DAA4D;AAC5D,wBAAgB,wCAAwC,CAAC,KAAK,EAAE,kCAAkC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAE3H;AAED,iEAAiE;AACjE,wBAAgB,wCAAwC,CAAC,KAAK,EAAE,kCAAkC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAE3H;AAED,KAAK,sBAAsB,GAAG,OAAO,GAAG,aAAa,GAAG,kBAAkB,CAAC;AAE3E,2EAA2E;AAC3E,wBAAgB,2BAA2B,CAAC,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,sBAAsB,EAAE,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,CAItI;AAED,wBAAgB,wBAAwB,CAAC,KAAK,EAAE,4BAA4B,GAAG,MAAM,CAEpF;AAED,wBAAgB,8BAA8B,CAAC,KAAK,EAAE,kCAAkC,GAAG,MAAM,CAEhG;AAED,wBAAgB,8BAA8B,CAAC,KAAK,EAAE,kCAAkC,GAAG,MAAM,CAEhG"}

package/dist/affiliate-portal/affiliate-portal-queries.js

@@ -0,0 +1,35 @@
+import { buildNestQueryString } from '../http/nest-query.js';
+import { compactQuery } from '../util/compact-query.js';
+function omitProjectId(input) {
+    const { project_id, ...rest } = input;
+    void project_id;
+    return rest;
+}
+/** Query object for GET /api/v1/projects/:projectId/affiliate-portal/stats */
+export function affiliatePortalStatsQueryFromInput(input) {
+    return omitProjectId(input);
+}
+/** Query object for GET .../affiliate-portal/total-stats */
+export function projectAffiliateTotalStatsQueryFromInput(input) {
+    return omitProjectId(input);
+}
+/** Query object for GET .../affiliate-portal/global-breakdown */
+export function projectAffiliatesBreakdownQueryFromInput(input) {
+    return omitProjectId(input);
+}
+/** Relative URL path with query string for affiliate-portal GET routes. */
+export function buildAffiliatePortalGetPath(projectId, segment, query) {
+    const base = `/api/v1/projects/${projectId}/affiliate-portal/${segment}`;
+    const q = buildNestQueryString(compactQuery(query));
+    return q ? `${base}?${q}` : base;
+}
+export function affiliatePortalStatsPath(input) {
+    return buildAffiliatePortalGetPath(input.project_id, 'stats', affiliatePortalStatsQueryFromInput(input));
+}
+export function projectAffiliateTotalStatsPath(input) {
+    return buildAffiliatePortalGetPath(input.project_id, 'total-stats', projectAffiliateTotalStatsQueryFromInput(input));
+}
+export function projectAffiliatesBreakdownPath(input) {
+    return buildAffiliatePortalGetPath(input.project_id, 'global-breakdown', projectAffiliatesBreakdownQueryFromInput(input));
+}
+//# sourceMappingURL=affiliate-portal-queries.js.map

package/dist/affiliate-portal/affiliate-portal-queries.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"affiliate-portal-queries.js","sourceRoot":"","sources":["../../src/affiliate-portal/affiliate-portal-queries.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,oBAAoB,EAAE,MAAM,uBAAuB,CAAC;AAE7D,OAAO,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AAExD,SAAS,aAAa,CAAmC,KAAQ;IAC/D,MAAM,EAAE,UAAU,EAAE,GAAG,IAAI,EAAE,GAAG,KAAK,CAAC;IACtC,KAAK,UAAU,CAAC;IAChB,OAAO,IAAI,CAAC;AACd,CAAC;AAED,8EAA8E;AAC9E,MAAM,UAAU,kCAAkC,CAAC,KAAmC;IACpF,OAAO,aAAa,CAAC,KAAK,CAAC,CAAC;AAC9B,CAAC;AAED,4DAA4D;AAC5D,MAAM,UAAU,wCAAwC,CAAC,KAAyC;IAChG,OAAO,aAAa,CAAC,KAAK,CAAC,CAAC;AAC9B,CAAC;AAED,iEAAiE;AACjE,MAAM,UAAU,wCAAwC,CAAC,KAAyC;IAChG,OAAO,aAAa,CAAC,KAAK,CAAC,CAAC;AAC9B,CAAC;AAID,2EAA2E;AAC3E,MAAM,UAAU,2BAA2B,CAAC,SAAiB,EAAE,OAA+B,EAAE,KAA8B;IAC5H,MAAM,IAAI,GAAG,oBAAoB,SAAS,qBAAqB,OAAO,EAAE,CAAC;IACzE,MAAM,CAAC,GAAG,oBAAoB,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC,CAAC;IACpD,OAAO,CAAC,CAAC,CAAC,CAAC,GAAG,IAAI,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;AACnC,CAAC;AAED,MAAM,UAAU,wBAAwB,CAAC,KAAmC;IAC1E,OAAO,2BAA2B,CAAC,KAAK,CAAC,UAAU,EAAE,OAAO,EAAE,kCAAkC,CAAC,KAAK,CAAC,CAAC,CAAC;AAC3G,CAAC;AAED,MAAM,UAAU,8BAA8B,CAAC,KAAyC;IACtF,OAAO,2BAA2B,CAAC,KAAK,CAAC,UAAU,EAAE,aAAa,EAAE,wCAAwC,CAAC,KAAK,CAAC,CAAC,CAAC;AACvH,CAAC;AAED,MAAM,UAAU,8BAA8B,CAAC,KAAyC;IACtF,OAAO,2BAA2B,CAAC,KAAK,CAAC,UAAU,EAAE,kBAAkB,EAAE,wCAAwC,CAAC,KAAK,CAAC,CAAC,CAAC;AAC5H,CAAC"}

package/dist/agent/write-confirmation.d.ts

@@ -0,0 +1,20 @@
+import { z } from 'zod';
+/**
+ * Standard input fragment for Phase 2 write tools. Extend with tool-specific fields.
+ * Flow: first call with dry_run: true (or omit confirmed) to get validation / preview;
+ * second call with confirmed: true to execute.
+ */
+export declare const writeConfirmationFieldsSchema: any;
+export type WriteConfirmationFields = z.infer<typeof writeConfirmationFieldsSchema>;
+export declare class WriteNotConfirmedError extends Error {
+    readonly code: "WRITE_NOT_CONFIRMED";
+    constructor(message?: string);
+}
+/**
+ * Enforces the mandatory confirmation pattern for mutating tools.
+ * - dry_run: true → caller should return preview only (no throw).
+ * - confirmed: true → mutation allowed.
+ * - Otherwise → throws WriteNotConfirmedError.
+ */
+export declare function assertWriteConfirmedOrDryRun(input: WriteConfirmationFields): void;
+//# sourceMappingURL=write-confirmation.d.ts.map

package/dist/agent/write-confirmation.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"write-confirmation.d.ts","sourceRoot":"","sources":["../../src/agent/write-confirmation.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB;;;;GAIG;AACH,eAAO,MAAM,6BAA6B,KAGxC,CAAC;AAEH,MAAM,MAAM,uBAAuB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,6BAA6B,CAAC,CAAC;AAEpF,qBAAa,sBAAuB,SAAQ,KAAK;IAC/C,QAAQ,CAAC,IAAI,EAAG,qBAAqB,CAAU;gBAEnC,OAAO,SAAiG;CAKrH;AAED;;;;;GAKG;AACH,wBAAgB,4BAA4B,CAAC,KAAK,EAAE,uBAAuB,GAAG,IAAI,CAQjF"}

package/dist/agent/write-confirmation.js

@@ -0,0 +1,34 @@
+import { z } from 'zod';
+/**
+ * Standard input fragment for Phase 2 write tools. Extend with tool-specific fields.
+ * Flow: first call with dry_run: true (or omit confirmed) to get validation / preview;
+ * second call with confirmed: true to execute.
+ */
+export const writeConfirmationFieldsSchema = z.object({
+    dry_run: z.boolean().optional().describe('If true, validate and return a preview only; no server mutation.'),
+    confirmed: z.boolean().optional().describe('Must be true to perform the mutation after reviewing dry_run output.'),
+});
+export class WriteNotConfirmedError extends Error {
+    code = 'WRITE_NOT_CONFIRMED';
+    constructor(message = 'Mutation blocked: use dry_run: true first to validate, then call again with confirmed: true.') {
+        super(message);
+        this.name = 'WriteNotConfirmedError';
+        Object.setPrototypeOf(this, new.target.prototype);
+    }
+}
+/**
+ * Enforces the mandatory confirmation pattern for mutating tools.
+ * - dry_run: true → caller should return preview only (no throw).
+ * - confirmed: true → mutation allowed.
+ * - Otherwise → throws WriteNotConfirmedError.
+ */
+export function assertWriteConfirmedOrDryRun(input) {
+    if (input.dry_run === true) {
+        return;
+    }
+    if (input.confirmed === true) {
+        return;
+    }
+    throw new WriteNotConfirmedError();
+}
+//# sourceMappingURL=write-confirmation.js.map

package/dist/agent/write-confirmation.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"write-confirmation.js","sourceRoot":"","sources":["../../src/agent/write-confirmation.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB;;;;GAIG;AACH,MAAM,CAAC,MAAM,6BAA6B,GAAG,CAAC,CAAC,MAAM,CAAC;IACpD,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,kEAAkE,CAAC;IAC5G,SAAS,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,sEAAsE,CAAC;CACnH,CAAC,CAAC;AAIH,MAAM,OAAO,sBAAuB,SAAQ,KAAK;IACtC,IAAI,GAAG,qBAA8B,CAAC;IAE/C,YAAY,OAAO,GAAG,8FAA8F;QAClH,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,wBAAwB,CAAC;QACrC,MAAM,CAAC,cAAc,CAAC,IAAI,EAAE,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACpD,CAAC;CACF;AAED;;;;;GAKG;AACH,MAAM,UAAU,4BAA4B,CAAC,KAA8B;IACzE,IAAI,KAAK,CAAC,OAAO,KAAK,IAAI,EAAE,CAAC;QAC3B,OAAO;IACT,CAAC;IACD,IAAI,KAAK,CAAC,SAAS,KAAK,IAAI,EAAE,CAAC;QAC7B,OAAO;IACT,CAAC;IACD,MAAM,IAAI,sBAAsB,EAAE,CAAC;AACrC,CAAC"}

package/dist/auth/oauth-client.d.ts

@@ -0,0 +1,13 @@
+import { type Env } from '../config/env.js';
+import { TokenStore } from './token-store.js';
+import type { StoredTokens } from './types.js';
+export declare class OAuthClient {
+    private readonly env;
+    private readonly tokenStore;
+    constructor(env: Env, tokenStore: TokenStore);
+    private log;
+    private http;
+    login(): Promise<void>;
+    refreshFromStore(): Promise<StoredTokens | null>;
+}
+//# sourceMappingURL=oauth-client.d.ts.map

package/dist/auth/oauth-client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-client.d.ts","sourceRoot":"","sources":["../../src/auth/oauth-client.ts"],"names":[],"mappings":"AAMA,OAAO,EAAoB,KAAK,GAAG,EAAE,MAAM,kBAAkB,CAAC;AAE9D,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAC9C,OAAO,KAAK,EAAE,YAAY,EAAiB,MAAM,YAAY,CAAC;AAI9D,qBAAa,WAAW;IAEpB,OAAO,CAAC,QAAQ,CAAC,GAAG;IACpB,OAAO,CAAC,QAAQ,CAAC,UAAU;gBADV,GAAG,EAAE,GAAG,EACR,UAAU,EAAE,UAAU;IAGzC,OAAO,CAAC,GAAG;IAMX,OAAO,CAAC,IAAI;IAUN,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAoDtB,gBAAgB,IAAI,OAAO,CAAC,YAAY,GAAG,IAAI,CAAC;CAiBvD"}

package/dist/auth/oauth-client.js

@@ -0,0 +1,185 @@
+import http from 'node:http';
+import { URL } from 'node:url';
+import axios from 'axios';
+import open from 'open';
+import { apiOriginFromEnv } from '../config/env.js';
+import { createCodeChallengeS256, createCodeVerifier, createOAuthState } from './pkce.js';
+const LOGIN_TIMEOUT_MS = 15 * 60 * 1000;
+export class OAuthClient {
+    env;
+    tokenStore;
+    constructor(env, tokenStore) {
+        this.env = env;
+        this.tokenStore = tokenStore;
+    }
+    log(...args) {
+        if (this.env.debug) {
+            console.error('[fuul-mcp]', ...args);
+        }
+    }
+    http() {
+        const baseURL = apiOriginFromEnv(this.env);
+        return axios.create({
+            baseURL,
+            timeout: 30_000,
+            headers: { 'Content-Type': 'application/json' },
+            validateStatus: () => true,
+        });
+    }
+    async login() {
+        const origin = apiOriginFromEnv(this.env);
+        const verifier = createCodeVerifier();
+        const challenge = createCodeChallengeS256(verifier);
+        const state = createOAuthState();
+        const redirectUri = this.env.FUUL_OAUTH_REDIRECT_URI;
+        const { port, hostname, pathname } = parseRedirect(redirectUri);
+        const authorizeUrl = new URL(`${origin}/oauth/authorize`);
+        authorizeUrl.searchParams.set('response_type', 'code');
+        authorizeUrl.searchParams.set('client_id', this.env.FUUL_OAUTH_CLIENT_ID);
+        authorizeUrl.searchParams.set('redirect_uri', redirectUri);
+        authorizeUrl.searchParams.set('state', state);
+        authorizeUrl.searchParams.set('code_challenge', challenge);
+        authorizeUrl.searchParams.set('code_challenge_method', 'S256');
+        const codePromise = captureAuthorizationCode({
+            port,
+            hostname,
+            pathname,
+            expectedState: state,
+            timeoutMs: LOGIN_TIMEOUT_MS,
+            log: this.log.bind(this),
+        });
+        this.log('Opening browser for login:', authorizeUrl.toString());
+        await open(authorizeUrl.toString());
+        const { code } = await codePromise;
+        const client = this.http();
+        const tokenRes = await client.post('/oauth/token', {
+            grant_type: 'authorization_code',
+            code,
+            redirect_uri: redirectUri,
+            client_id: this.env.FUUL_OAUTH_CLIENT_ID,
+            code_verifier: verifier,
+        });
+        if (tokenRes.status !== 200 || !tokenRes.data?.access_token) {
+            const body = tokenRes.data;
+            const msg = body?.error_description || `Token exchange failed (HTTP ${tokenRes.status})`;
+            throw new Error(msg);
+        }
+        const tokens = tokenResponseToStored(tokenRes.data);
+        await this.tokenStore.write(tokens);
+        console.log('Logged in. Tokens saved to ~/.fuul/tokens.json');
+    }
+    async refreshFromStore() {
+        const current = await this.tokenStore.read();
+        if (!current?.refresh_token) {
+            return null;
+        }
+        const client = this.http();
+        const tokenRes = await client.post('/oauth/token', {
+            grant_type: 'refresh_token',
+            refresh_token: current.refresh_token,
+        });
+        if (tokenRes.status !== 200 || !tokenRes.data?.access_token) {
+            return null;
+        }
+        const tokens = tokenResponseToStored(tokenRes.data);
+        await this.tokenStore.write(tokens);
+        return tokens;
+    }
+}
+function tokenResponseToStored(data) {
+    const expires_at_ms = Date.now() + Math.max(0, data.expires_in) * 1000;
+    return {
+        access_token: data.access_token,
+        refresh_token: data.refresh_token,
+        expires_at_ms,
+    };
+}
+function parseRedirect(redirectUri) {
+    const u = new URL(redirectUri);
+    const port = u.port ? Number(u.port) : u.protocol === 'https:' ? 443 : 80;
+    const hostname = u.hostname;
+    const pathname = u.pathname || '/';
+    return { port, hostname, pathname };
+}
+function captureAuthorizationCode(opts) {
+    const { port, hostname, pathname, expectedState, timeoutMs, log } = opts;
+    return new Promise((resolve, reject) => {
+        let settled = false;
+        const timer = setTimeout(() => {
+            if (!settled) {
+                settled = true;
+                server.close();
+                reject(new Error('Login timed out waiting for browser redirect'));
+            }
+        }, timeoutMs);
+        const server = http.createServer((req, res) => {
+            void (async () => {
+                try {
+                    const hostUrl = `http://${req.headers.host ?? `${hostname}:${port}`}`;
+                    const url = new URL(req.url ?? '/', hostUrl);
+                    if (url.pathname !== pathname) {
+                        res.writeHead(404, { 'Content-Type': 'text/plain' });
+                        res.end('Not found');
+                        return;
+                    }
+                    const oauthError = url.searchParams.get('error');
+                    if (oauthError) {
+                        const desc = url.searchParams.get('error_description') ?? oauthError;
+                        res.writeHead(400, { 'Content-Type': 'text/html; charset=utf-8' });
+                        res.end(`<p>Authorization error: ${escapeHtml(desc)}</p>`);
+                        if (!settled) {
+                            settled = true;
+                            clearTimeout(timer);
+                            server.close();
+                            reject(new Error(desc));
+                        }
+                        return;
+                    }
+                    const code = url.searchParams.get('code');
+                    const state = url.searchParams.get('state');
+                    if (!code || state !== expectedState) {
+                        res.writeHead(400, { 'Content-Type': 'text/html; charset=utf-8' });
+                        res.end('<p>Invalid callback (missing code or state mismatch).</p>');
+                        if (!settled) {
+                            settled = true;
+                            clearTimeout(timer);
+                            server.close();
+                            reject(new Error('Invalid OAuth callback'));
+                        }
+                        return;
+                    }
+                    res.writeHead(200, { 'Content-Type': 'text/html; charset=utf-8' });
+                    res.end('<p>Login complete. You can close this window.</p>');
+                    if (!settled) {
+                        settled = true;
+                        clearTimeout(timer);
+                        server.close(() => resolve({ code }));
+                    }
+                }
+                catch (e) {
+                    log(e);
+                    if (!settled) {
+                        settled = true;
+                        clearTimeout(timer);
+                        server.close();
+                        reject(e instanceof Error ? e : new Error(String(e)));
+                    }
+                }
+            })();
+        });
+        server.on('error', (e) => {
+            if (!settled) {
+                settled = true;
+                clearTimeout(timer);
+                reject(e);
+            }
+        });
+        server.listen(port, hostname, () => {
+            log(`Listening for OAuth callback on http://${hostname}:${port}${pathname}`);
+        });
+    });
+}
+function escapeHtml(s) {
+    return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/"/g, '&quot;');
+}
+//# sourceMappingURL=oauth-client.js.map

package/dist/auth/oauth-client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-client.js","sourceRoot":"","sources":["../../src/auth/oauth-client.ts"],"names":[],"mappings":"AAAA,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,GAAG,EAAE,MAAM,UAAU,CAAC;AAE/B,OAAO,KAA6B,MAAM,OAAO,CAAC;AAClD,OAAO,IAAI,MAAM,MAAM,CAAC;AAExB,OAAO,EAAE,gBAAgB,EAAY,MAAM,kBAAkB,CAAC;AAC9D,OAAO,EAAE,uBAAuB,EAAE,kBAAkB,EAAE,gBAAgB,EAAE,MAAM,WAAW,CAAC;AAI1F,MAAM,gBAAgB,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;AAExC,MAAM,OAAO,WAAW;IAEH;IACA;IAFnB,YACmB,GAAQ,EACR,UAAsB;QADtB,QAAG,GAAH,GAAG,CAAK;QACR,eAAU,GAAV,UAAU,CAAY;IACtC,CAAC;IAEI,GAAG,CAAC,GAAG,IAAe;QAC5B,IAAI,IAAI,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC;YACnB,OAAO,CAAC,KAAK,CAAC,YAAY,EAAE,GAAG,IAAI,CAAC,CAAC;QACvC,CAAC;IACH,CAAC;IAEO,IAAI;QACV,MAAM,OAAO,GAAG,gBAAgB,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC3C,OAAO,KAAK,CAAC,MAAM,CAAC;YAClB,OAAO;YACP,OAAO,EAAE,MAAM;YACf,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;YAC/C,cAAc,EAAE,GAAG,EAAE,CAAC,IAAI;SAC3B,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,KAAK;QACT,MAAM,MAAM,GAAG,gBAAgB,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC1C,MAAM,QAAQ,GAAG,kBAAkB,EAAE,CAAC;QACtC,MAAM,SAAS,GAAG,uBAAuB,CAAC,QAAQ,CAAC,CAAC;QACpD,MAAM,KAAK,GAAG,gBAAgB,EAAE,CAAC;QACjC,MAAM,WAAW,GAAG,IAAI,CAAC,GAAG,CAAC,uBAAuB,CAAC;QAErD,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,QAAQ,EAAE,GAAG,aAAa,CAAC,WAAW,CAAC,CAAC;QAEhE,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC,GAAG,MAAM,kBAAkB,CAAC,CAAC;QAC1D,YAAY,CAAC,YAAY,CAAC,GAAG,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC;QACvD,YAAY,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,IAAI,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC;QAC1E,YAAY,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,EAAE,WAAW,CAAC,CAAC;QAC3D,YAAY,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;QAC9C,YAAY,CAAC,YAAY,CAAC,GAAG,CAAC,gBAAgB,EAAE,SAAS,CAAC,CAAC;QAC3D,YAAY,CAAC,YAAY,CAAC,GAAG,CAAC,uBAAuB,EAAE,MAAM,CAAC,CAAC;QAE/D,MAAM,WAAW,GAAG,wBAAwB,CAAC;YAC3C,IAAI;YACJ,QAAQ;YACR,QAAQ;YACR,aAAa,EAAE,KAAK;YACpB,SAAS,EAAE,gBAAgB;YAC3B,GAAG,EAAE,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC;SACzB,CAAC,CAAC;QAEH,IAAI,CAAC,GAAG,CAAC,4BAA4B,EAAE,YAAY,CAAC,QAAQ,EAAE,CAAC,CAAC;QAChE,MAAM,IAAI,CAAC,YAAY,CAAC,QAAQ,EAAE,CAAC,CAAC;QAEpC,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,WAAW,CAAC;QAEnC,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAC3B,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,IAAI,CAAgB,cAAc,EAAE;YAChE,UAAU,EAAE,oBAAoB;YAChC,IAAI;YACJ,YAAY,EAAE,WAAW;YACzB,SAAS,EAAE,IAAI,CAAC,GAAG,CAAC,oBAAoB;YACxC,aAAa,EAAE,QAAQ;SACxB,CAAC,CAAC;QAEH,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,YAAY,EAAE,CAAC;YAC5D,MAAM,IAAI,GAAG,QAAQ,CAAC,IAAkD,CAAC;YACzE,MAAM,GAAG,GAAG,IAAI,EAAE,iBAAiB,IAAI,+BAA+B,QAAQ,CAAC,MAAM,GAAG,CAAC;YACzF,MAAM,IAAI,KAAK,CAAC,GAAG,CAAC,CAAC;QACvB,CAAC;QAED,MAAM,MAAM,GAAG,qBAAqB,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;QACpD,MAAM,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QAEpC,OAAO,CAAC,GAAG,CAAC,gDAAgD,CAAC,CAAC;IAChE,CAAC;IAED,KAAK,CAAC,gBAAgB;QACpB,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,IAAI,EAAE,CAAC;QAC7C,IAAI,CAAC,OAAO,EAAE,aAAa,EAAE,CAAC;YAC5B,OAAO,IAAI,CAAC;QACd,CAAC;QACD,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAC3B,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,IAAI,CAAgB,cAAc,EAAE;YAChE,UAAU,EAAE,eAAe;YAC3B,aAAa,EAAE,OAAO,CAAC,aAAa;SACrC,CAAC,CAAC;QACH,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,YAAY,EAAE,CAAC;YAC5D,OAAO,IAAI,CAAC;QACd,CAAC;QACD,MAAM,MAAM,GAAG,qBAAqB,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;QACpD,MAAM,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QACpC,OAAO,MAAM,CAAC;IAChB,CAAC;CACF;AAED,SAAS,qBAAqB,CAAC,IAAmB;IAChD,MAAM,aAAa,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,UAAU,CAAC,GAAG,IAAI,CAAC;IACvE,OAAO;QACL,YAAY,EAAE,IAAI,CAAC,YAAY;QAC/B,aAAa,EAAE,IAAI,CAAC,aAAa;QACjC,aAAa;KACd,CAAC;AACJ,CAAC;AAED,SAAS,aAAa,CAAC,WAAmB;IACxC,MAAM,CAAC,GAAG,IAAI,GAAG,CAAC,WAAW,CAAC,CAAC;IAC/B,MAAM,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;IAC1E,MAAM,QAAQ,GAAG,CAAC,CAAC,QAAQ,CAAC;IAC5B,MAAM,QAAQ,GAAG,CAAC,CAAC,QAAQ,IAAI,GAAG,CAAC;IACnC,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,QAAQ,EAAE,CAAC;AACtC,CAAC;AAWD,SAAS,wBAAwB,CAAC,IAAiB;IACjD,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,QAAQ,EAAE,aAAa,EAAE,SAAS,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;IAEzE,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,IAAI,OAAO,GAAG,KAAK,CAAC;QACpB,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE;YAC5B,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,OAAO,GAAG,IAAI,CAAC;gBACf,MAAM,CAAC,KAAK,EAAE,CAAC;gBACf,MAAM,CAAC,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC,CAAC;YACpE,CAAC;QACH,CAAC,EAAE,SAAS,CAAC,CAAC;QAEd,MAAM,MAAM,GAAG,IAAI,CAAC,YAAY,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;YAC5C,KAAK,CAAC,KAAK,IAAI,EAAE;gBACf,IAAI,CAAC;oBACH,MAAM,OAAO,GAAG,UAAU,GAAG,CAAC,OAAO,CAAC,IAAI,IAAI,GAAG,QAAQ,IAAI,IAAI,EAAE,EAAE,CAAC;oBACtE,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,IAAI,GAAG,EAAE,OAAO,CAAC,CAAC;oBAE7C,IAAI,GAAG,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;wBAC9B,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,YAAY,EAAE,CAAC,CAAC;wBACrD,GAAG,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;wBACrB,OAAO;oBACT,CAAC;oBAED,MAAM,UAAU,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;oBACjD,IAAI,UAAU,EAAE,CAAC;wBACf,MAAM,IAAI,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,mBAAmB,CAAC,IAAI,UAAU,CAAC;wBACrE,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,0BAA0B,EAAE,CAAC,CAAC;wBACnE,GAAG,CAAC,GAAG,CAAC,2BAA2B,UAAU,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;wBAC3D,IAAI,CAAC,OAAO,EAAE,CAAC;4BACb,OAAO,GAAG,IAAI,CAAC;4BACf,YAAY,CAAC,KAAK,CAAC,CAAC;4BACpB,MAAM,CAAC,KAAK,EAAE,CAAC;4BACf,MAAM,CAAC,IAAI,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC;wBAC1B,CAAC;wBACD,OAAO;oBACT,CAAC;oBAED,MAAM,IAAI,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;oBAC1C,MAAM,KAAK,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;oBAC5C,IAAI,CAAC,IAAI,IAAI,KAAK,KAAK,aAAa,EAAE,CAAC;wBACrC,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,0BAA0B,EAAE,CAAC,CAAC;wBACnE,GAAG,CAAC,GAAG,CAAC,2DAA2D,CAAC,CAAC;wBACrE,IAAI,CAAC,OAAO,EAAE,CAAC;4BACb,OAAO,GAAG,IAAI,CAAC;4BACf,YAAY,CAAC,KAAK,CAAC,CAAC;4BACpB,MAAM,CAAC,KAAK,EAAE,CAAC;4BACf,MAAM,CAAC,IAAI,KAAK,CAAC,wBAAwB,CAAC,CAAC,CAAC;wBAC9C,CAAC;wBACD,OAAO;oBACT,CAAC;oBAED,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,0BAA0B,EAAE,CAAC,CAAC;oBACnE,GAAG,CAAC,GAAG,CAAC,mDAAmD,CAAC,CAAC;oBAC7D,IAAI,CAAC,OAAO,EAAE,CAAC;wBACb,OAAO,GAAG,IAAI,CAAC;wBACf,YAAY,CAAC,KAAK,CAAC,CAAC;wBACpB,MAAM,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;oBACxC,CAAC;gBACH,CAAC;gBAAC,OAAO,CAAC,EAAE,CAAC;oBACX,GAAG,CAAC,CAAC,CAAC,CAAC;oBACP,IAAI,CAAC,OAAO,EAAE,CAAC;wBACb,OAAO,GAAG,IAAI,CAAC;wBACf,YAAY,CAAC,KAAK,CAAC,CAAC;wBACpB,MAAM,CAAC,KAAK,EAAE,CAAC;wBACf,MAAM,CAAC,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;oBACxD,CAAC;gBACH,CAAC;YACH,CAAC,CAAC,EAAE,CAAC;QACP,CAAC,CAAC,CAAC;QAEH,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,CAAC,EAAE,EAAE;YACvB,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,OAAO,GAAG,IAAI,CAAC;gBACf,YAAY,CAAC,KAAK,CAAC,CAAC;gBACpB,MAAM,CAAC,CAAC,CAAC,CAAC;YACZ,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,QAAQ,EAAE,GAAG,EAAE;YACjC,GAAG,CAAC,0CAA0C,QAAQ,IAAI,IAAI,GAAG,QAAQ,EAAE,CAAC,CAAC;QAC/E,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;AAED,SAAS,UAAU,CAAC,CAAS;IAC3B,OAAO,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;AAChF,CAAC"}

package/dist/auth/pkce.d.ts

@@ -0,0 +1,5 @@
+/** RFC 7636 code verifier (43–128 characters). */
+export declare function createCodeVerifier(): string;
+export declare function createCodeChallengeS256(verifier: string): string;
+export declare function createOAuthState(): string;
+//# sourceMappingURL=pkce.d.ts.map

package/dist/auth/pkce.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"pkce.d.ts","sourceRoot":"","sources":["../../src/auth/pkce.ts"],"names":[],"mappings":"AAEA,kDAAkD;AAClD,wBAAgB,kBAAkB,IAAI,MAAM,CAE3C;AAED,wBAAgB,uBAAuB,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CAEhE;AAED,wBAAgB,gBAAgB,IAAI,MAAM,CAEzC"}

package/dist/auth/pkce.js

@@ -0,0 +1,12 @@
+import { createHash, randomBytes } from 'node:crypto';
+/** RFC 7636 code verifier (43–128 characters). */
+export function createCodeVerifier() {
+    return randomBytes(32).toString('base64url');
+}
+export function createCodeChallengeS256(verifier) {
+    return createHash('sha256').update(verifier).digest('base64url');
+}
+export function createOAuthState() {
+    return randomBytes(16).toString('base64url');
+}
+//# sourceMappingURL=pkce.js.map

package/dist/auth/pkce.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"pkce.js","sourceRoot":"","sources":["../../src/auth/pkce.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAEtD,kDAAkD;AAClD,MAAM,UAAU,kBAAkB;IAChC,OAAO,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AAC/C,CAAC;AAED,MAAM,UAAU,uBAAuB,CAAC,QAAgB;IACtD,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;AACnE,CAAC;AAED,MAAM,UAAU,gBAAgB;IAC9B,OAAO,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AAC/C,CAAC"}

package/dist/auth/token-store.d.ts

@@ -0,0 +1,7 @@
+import type { StoredTokens } from './types.js';
+export declare class TokenStore {
+    read(): Promise<StoredTokens | null>;
+    write(tokens: StoredTokens): Promise<void>;
+    clear(): Promise<void>;
+}
+//# sourceMappingURL=token-store.d.ts.map

package/dist/auth/token-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-store.d.ts","sourceRoot":"","sources":["../../src/auth/token-store.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAS/C,qBAAa,UAAU;IACf,IAAI,IAAI,OAAO,CAAC,YAAY,GAAG,IAAI,CAAC;IAapC,KAAK,CAAC,MAAM,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC;IAY1C,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;CAO7B"}

package/dist/auth/token-store.js

@@ -0,0 +1,44 @@
+import { chmod, mkdir, readFile, unlink, writeFile } from 'node:fs/promises';
+import { homedir } from 'node:os';
+import { join } from 'node:path';
+const DIR_NAME = '.fuul';
+const FILE_NAME = 'tokens.json';
+function tokenFilePath() {
+    return join(homedir(), DIR_NAME, FILE_NAME);
+}
+export class TokenStore {
+    async read() {
+        try {
+            const raw = await readFile(tokenFilePath(), 'utf8');
+            const data = JSON.parse(raw);
+            if (!data.access_token || !data.refresh_token || typeof data.expires_at_ms !== 'number') {
+                return null;
+            }
+            return data;
+        }
+        catch {
+            return null;
+        }
+    }
+    async write(tokens) {
+        const dir = join(homedir(), DIR_NAME);
+        await mkdir(dir, { recursive: true });
+        const path = tokenFilePath();
+        await writeFile(path, `${JSON.stringify(tokens, null, 2)}\n`, 'utf8');
+        try {
+            await chmod(path, 0o600);
+        }
+        catch {
+            // Windows may ignore mode; ignore errors.
+        }
+    }
+    async clear() {
+        try {
+            await unlink(tokenFilePath());
+        }
+        catch {
+            // ignore if missing
+        }
+    }
+}
+//# sourceMappingURL=token-store.js.map

package/dist/auth/token-store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-store.js","sourceRoot":"","sources":["../../src/auth/token-store.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAC7E,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAIjC,MAAM,QAAQ,GAAG,OAAO,CAAC;AACzB,MAAM,SAAS,GAAG,aAAa,CAAC;AAEhC,SAAS,aAAa;IACpB,OAAO,IAAI,CAAC,OAAO,EAAE,EAAE,QAAQ,EAAE,SAAS,CAAC,CAAC;AAC9C,CAAC;AAED,MAAM,OAAO,UAAU;IACrB,KAAK,CAAC,IAAI;QACR,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,aAAa,EAAE,EAAE,MAAM,CAAC,CAAC;YACpD,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAiB,CAAC;YAC7C,IAAI,CAAC,IAAI,CAAC,YAAY,IAAI,CAAC,IAAI,CAAC,aAAa,IAAI,OAAO,IAAI,CAAC,aAAa,KAAK,QAAQ,EAAE,CAAC;gBACxF,OAAO,IAAI,CAAC;YACd,CAAC;YACD,OAAO,IAAI,CAAC;QACd,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,KAAK,CAAC,KAAK,CAAC,MAAoB;QAC9B,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,EAAE,EAAE,QAAQ,CAAC,CAAC;QACtC,MAAM,KAAK,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACtC,MAAM,IAAI,GAAG,aAAa,EAAE,CAAC;QAC7B,MAAM,SAAS,CAAC,IAAI,EAAE,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;QACtE,IAAI,CAAC;YACH,MAAM,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;QAC3B,CAAC;QAAC,MAAM,CAAC;YACP,0CAA0C;QAC5C,CAAC;IACH,CAAC;IAED,KAAK,CAAC,KAAK;QACT,IAAI,CAAC;YACH,MAAM,MAAM,CAAC,aAAa,EAAE,CAAC,CAAC;QAChC,CAAC;QAAC,MAAM,CAAC;YACP,oBAAoB;QACtB,CAAC;IACH,CAAC;CACF"}