@infamousendeavors/lunchmoney-mcp 0.3.0

package/LICENSE

@@ -0,0 +1,25 @@
+MIT License
+
+Copyright (c) 2026 Joe Garcia
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+
+---
+
+Based on lunch-money-mcp by Gilbert Pellegrom (https://github.com/gilbitron/lunch-money-mcp), MIT License.

package/README.md

@@ -0,0 +1,288 @@
+# lunchmoney-mcp
+
+[![npm version](https://img.shields.io/npm/v/@infamousendeavors/lunchmoney-mcp.svg)](https://www.npmjs.com/package/@infamousendeavors/lunchmoney-mcp)
+[![npm downloads](https://img.shields.io/npm/dm/@infamousendeavors/lunchmoney-mcp.svg)](https://www.npmjs.com/package/@infamousendeavors/lunchmoney-mcp)
+[![GitHub downloads](https://img.shields.io/github/downloads/infamousendeavors/lunchmoney-mcp/total.svg)](https://github.com/infamousendeavors/lunchmoney-mcp/releases)
+[![CI](https://github.com/infamousendeavors/lunchmoney-mcp/actions/workflows/ci.yml/badge.svg)](https://github.com/infamousendeavors/lunchmoney-mcp/actions/workflows/ci.yml)
+[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](https://opensource.org/licenses/MIT)
+
+The definitive MCP server for [Lunch Money](https://lunchmoney.app) -- manage your finances through any AI assistant that supports the Model Context Protocol.
+
+37 tools covering every Lunch Money API endpoint. Runs locally via stdio or remotely over HTTP with OAuth 2.1. Credentials never touch disk in plain text.
+
+## Quick Start
+
+```bash
+npx lunchmoney-mcp setup          # Store your API token in the OS keychain
+npx lunchmoney-mcp                # Start the MCP server (stdio)
+```
+
+Then add it to your MCP client. For Claude Desktop, add this to your config:
+
+```json
+{
+  "mcpServers": {
+    "lunchmoney": {
+      "command": "npx",
+      "args": ["lunchmoney-mcp"]
+    }
+  }
+}
+```
+
+That's it. Ask your AI assistant to "show my recent transactions" and you're off.
+
+## Features
+
+- **37 tools** -- full CRUD for transactions, categories, tags, budgets, recurring items, assets, and Plaid accounts
+- **Two transport modes** -- stdio for local AI clients (Claude Desktop, Cursor) or HTTP for remote/multi-user deployments
+- **Secure credential storage** -- API tokens in the OS keychain (macOS Keychain, GNOME Keyring, Windows Credential Manager); OAuth session tokens encrypted with AES-256-GCM
+- **4 OAuth providers** -- Google, GitHub, CyberArk Identity, or any custom OAuth 2.1 provider
+- **Deploy anywhere** -- Docker, systemd, Railway, Render, Fly.io with one-click configs included
+- **278 tests** -- comprehensive test suite with >90% coverage
+
+## Setup
+
+### Local (stdio mode)
+
+Best for single-user setups with Claude Desktop, Cursor, or other local MCP clients.
+
+```bash
+# Install globally (optional -- npx works too)
+npm install -g lunchmoney-mcp
+
+# Run the setup wizard to store your token securely
+lunchmoney-mcp setup
+
+# Start the server
+lunchmoney-mcp
+```
+
+Your API token is stored in the OS keychain and never written to disk. Get a token at [my.lunchmoney.app/developers](https://my.lunchmoney.app/developers).
+
+Alternatively, you can configure the token from within your AI assistant using the `configureLunchMoneyToken` tool -- no terminal required.
+
+### Remote (HTTP mode)
+
+Best for multi-user deployments, shared teams, or running on a server.
+
+```bash
+# Set required environment variables
+export LUNCH_MONEY_API_TOKEN="your-token"
+export AUTH_PROVIDER="google"  # or github, cyberark, custom
+export GOOGLE_CLIENT_ID="..."
+export GOOGLE_CLIENT_SECRET="..."
+export BASE_URL="https://your-domain.com"
+
+# Start the server
+lunchmoney-mcp --http --port 8080
+```
+
+HTTP mode requires OAuth 2.1 for authentication. See [Authentication](#authentication) below.
+
+### Environment Variable Fallback
+
+For containers and CI where no OS keychain is available:
+
+```bash
+export LUNCH_MONEY_API_TOKEN="your-token"
+lunchmoney-mcp
+```
+
+## Authentication
+
+HTTP mode supports four OAuth providers. Set `AUTH_PROVIDER` and the corresponding credentials:
+
+### Google
+
+```bash
+AUTH_PROVIDER=google
+GOOGLE_CLIENT_ID=your-client-id
+GOOGLE_CLIENT_SECRET=your-client-secret
+```
+
+### GitHub
+
+```bash
+AUTH_PROVIDER=github
+GITHUB_CLIENT_ID=your-client-id
+GITHUB_CLIENT_SECRET=your-client-secret
+```
+
+### CyberArk Identity
+
+```bash
+AUTH_PROVIDER=cyberark
+CYBERARK_TENANT_URL=https://abc1234.id.cyberark.cloud
+CYBERARK_CLIENT_ID=your-client-id    # or OAUTH_CLIENT_ID
+CYBERARK_CLIENT_SECRET=your-secret   # or OAUTH_CLIENT_SECRET
+```
+
+### Custom OAuth
+
+```bash
+AUTH_PROVIDER=custom
+OAUTH_CLIENT_ID=your-client-id
+OAUTH_CLIENT_SECRET=your-client-secret
+OAUTH_AUTH_URL=https://provider.com/authorize
+OAUTH_TOKEN_URL=https://provider.com/token
+OAUTH_SCOPES=openid,email  # optional, defaults to openid,email
+```
+
+## Deployment
+
+Pre-built deployment configs are included in the repository.
+
+### Docker
+
+```bash
+docker build -t lunchmoney-mcp .
+docker run -p 8080:8080 \
+  -e LUNCH_MONEY_API_TOKEN="your-token" \
+  -e AUTH_PROVIDER=google \
+  -e GOOGLE_CLIENT_ID="..." \
+  -e GOOGLE_CLIENT_SECRET="..." \
+  -e BASE_URL="https://your-domain.com" \
+  lunchmoney-mcp
+```
+
+Or with Docker Compose:
+
+```bash
+docker compose up
+```
+
+### systemd
+
+A systemd service file is included at `deploy/lunchmoney-mcp.service`. Copy it to `/etc/systemd/system/` and configure the environment variables.
+
+### Railway
+
+[![Deploy on Railway](https://railway.app/button.svg)](https://railway.app/template)
+
+The included `railway.json` configures the build and start commands automatically. Set your environment variables in the Railway dashboard.
+
+### Render
+
+The included `render.yaml` defines the service as a private worker. Set your environment variables in the Render dashboard.
+
+### Fly.io
+
+```bash
+fly launch
+fly secrets set LUNCH_MONEY_API_TOKEN="your-token"
+fly secrets set AUTH_PROVIDER=google GOOGLE_CLIENT_ID="..." GOOGLE_CLIENT_SECRET="..."
+fly deploy
+```
+
+## Tools Reference
+
+### Setup (1 tool)
+
+| Tool | Description |
+|------|-------------|
+| `configureLunchMoneyToken` | Configure and validate your Lunch Money API token |
+
+### User (1 tool)
+
+| Tool | Description |
+|------|-------------|
+| `getUser` | Get account details including email, name, and currency preferences |
+
+### Categories (7 tools)
+
+| Tool | Description |
+|------|-------------|
+| `getCategories` | List all categories including groups and parent categories |
+| `getCategory` | Get a single category by ID |
+| `createCategory` | Create a new spending or income category |
+| `updateCategory` | Update an existing category's properties |
+| `deleteCategory` | Delete a category by ID |
+| `createCategoryGroup` | Create a new category group with optional category IDs |
+| `addToGroup` | Add existing categories to a category group |
+
+### Tags (4 tools)
+
+| Tool | Description |
+|------|-------------|
+| `getTags` | List all transaction tags |
+| `createTag` | Create a new tag for categorizing transactions |
+| `updateTag` | Update an existing tag's name |
+| `deleteTag` | Delete a tag by ID |
+
+### Transactions (10 tools)
+
+| Tool | Description |
+|------|-------------|
+| `getTransactions` | List transactions with filtering (date range, category, tags, status) |
+| `getTransaction` | Get a single transaction by ID |
+| `createTransaction` | Create a new transaction (expense, income, or transfer) |
+| `updateTransaction` | Update an existing transaction's properties |
+| `deleteTransaction` | Delete a transaction by ID |
+| `bulkUpdateTransactions` | Bulk update multiple transactions with the same changes |
+| `getTransactionGroup` | Retrieve a transaction group with all child transactions |
+| `createTransactionGroup` | Group multiple transactions under a single parent |
+| `deleteTransactionGroup` | Delete a group, restoring individual transactions |
+| `unsplitTransactions` | Reverse a split, merging child transactions back into parent |
+
+### Recurring Items (4 tools)
+
+| Tool | Description |
+|------|-------------|
+| `getRecurringItems` | List all recurring expense and income items |
+| `createRecurringItem` | Create a new recurring expense or income item |
+| `updateRecurringItem` | Update an existing recurring item's properties |
+| `deleteRecurringItem` | Delete a recurring item by ID |
+
+### Budgets (4 tools)
+
+| Tool | Description |
+|------|-------------|
+| `getBudgets` | List all budgets with category assignments and date ranges |
+| `createBudget` | Create a new budget for a category with amount and date range |
+| `updateBudget` | Update an existing budget's amount, category, or date range |
+| `deleteBudget` | Delete a budget by ID |
+
+### Assets (4 tools)
+
+| Tool | Description |
+|------|-------------|
+| `getAssets` | List all manually-managed assets |
+| `createAsset` | Create a new manually-managed asset |
+| `updateAsset` | Update an existing asset's properties including balance |
+| `deleteAsset` | Delete an asset by ID |
+
+### Plaid Accounts (2 tools)
+
+| Tool | Description |
+|------|-------------|
+| `getPlaidAccounts` | List all Plaid-connected accounts with balances |
+| `fetchPlaidAccounts` | Trigger a Plaid sync to update account balances |
+
+## CLI Reference
+
+```
+lunchmoney-mcp                  # Start in stdio mode (default)
+lunchmoney-mcp --http           # Start in HTTP mode with OAuth
+lunchmoney-mcp --http --port 3000  # HTTP mode on custom port
+lunchmoney-mcp setup            # Run the interactive setup wizard
+lunchmoney-mcp --version        # Print version
+```
+
+The server also reads the `PORT` environment variable when `--port` is not specified.
+
+## Security
+
+Credentials are stored in your OS keychain and never written to disk in plain text. OAuth session tokens are encrypted with AES-256-GCM, with the encryption key stored in the keychain.
+
+For full details on the two-tier credential architecture, threat model, and deployment security, see [SECURITY.md](SECURITY.md).
+
+## Contributing
+
+See [CONTRIBUTING.md](CONTRIBUTING.md) for development setup, testing guidelines, and pull request requirements.
+
+## License
+
+[MIT](LICENSE) -- Copyright (c) 2026 Joe Garcia
+
+Based on [lunch-money-mcp](https://github.com/gilbitron/lunch-money-mcp) by Gilbert Pellegrom, MIT License.

package/SECURITY.md

@@ -0,0 +1,130 @@
+# Security
+
+## Credential Architecture
+
+lunchmoney-mcp uses a two-tier credential architecture designed to keep your financial data secure.
+
+### Tier 1: OS Keychain (Long-lived Secrets)
+
+Your Lunch Money API token and OAuth client credentials are stored in your operating system's native credential manager:
+
+- **macOS:** Keychain Access
+- **Linux:** Secret Service (GNOME Keyring / KDE Wallet)
+- **Windows:** Windows Credential Manager
+
+These credentials are:
+- Encrypted by the OS using your login password
+- Never written to disk in plain text
+- Stored under the service namespace `lunchmoney-mcp`
+- Accessible only to processes running as your user
+
+### Tier 2: Encrypted Disk Store (OAuth Session Tokens)
+
+When running in HTTP mode with OAuth, session tokens (access tokens, refresh tokens, authorization codes) are stored on disk for persistence across server restarts.
+
+- **Encryption:** AES-256-GCM (authenticated encryption)
+- **Encryption key:** Stored in the OS keychain (Tier 1), or supplied via the `ENCRYPTION_KEY` env var when no keychain is available (see below) -- the encrypted files are useless without it
+- **Location:** Platform-native data directory
+  - macOS: `~/Library/Application Support/lunchmoney-mcp/`
+  - Linux: `~/.local/share/lunchmoney-mcp/`
+  - Windows: `%APPDATA%/lunchmoney-mcp/`
+- **TTL:** Tokens expire automatically and are cleaned up periodically
+
+### ENV Variable Fallback
+
+For containerized deployments (Docker, Kubernetes) where no OS keychain is available, credentials can be passed via environment variables:
+
+- `LUNCH_MONEY_API_TOKEN` -- your Lunch Money API key
+- `GOOGLE_CLIENT_ID` / `GOOGLE_CLIENT_SECRET` -- for Google OAuth
+- `GITHUB_CLIENT_ID` / `GITHUB_CLIENT_SECRET` -- for GitHub OAuth
+- `CYBERARK_TENANT_URL` / `CYBERARK_CLIENT_ID` / `CYBERARK_CLIENT_SECRET` -- for CyberArk Identity OAuth
+- `OAUTH_CLIENT_ID` / `OAUTH_CLIENT_SECRET` / `OAUTH_AUTH_URL` / `OAUTH_TOKEN_URL` -- for custom OAuth
+
+**Important:** When using ENV vars, ensure your deployment platform encrypts environment variables at rest (Railway, Render, and Fly.io all do this by default).
+
+### Encryption Key (`ENCRYPTION_KEY`)
+
+In HTTP/OAuth mode the session store is encrypted with a stable key. The key is resolved in this order:
+
+1. **OS keychain** -- generated and persisted automatically on first run.
+2. **`ENCRYPTION_KEY` env var** -- used when the keychain is unavailable (containers, headless hosts).
+
+Requirements and behavior (as of 0.3.0):
+
+- **Format:** exactly 64 lowercase hexadecimal characters (32 bytes). An invalid value is a hard error -- the server refuses to start rather than run with a misconfigured key.
+- **Generate one:** `openssl rand -hex 32`
+- **Refuse, don't drift:** if the keychain is unavailable *and* `ENCRYPTION_KEY` is unset, the server **refuses to start in HTTP/OAuth mode**. Earlier versions silently generated an ephemeral key, which invalidated every stored session on each restart. Stdio mode has no persisted sessions, so it still allows an ephemeral key.
+- **Rotation:** in container deployments, set a new `ENCRYPTION_KEY` and restart. In keychain deployments, delete the `encryption-key` entry under the `lunchmoney-mcp` service in your OS credential manager and restart (a fresh key is generated). Rotating the key invalidates existing encrypted sessions; users re-authenticate on next use. Rotate if you suspect the key was exposed.
+
+## Threat Model
+
+| Threat | Mitigation |
+|--------|-----------|
+| API token stolen from disk | Token stored in OS keychain, never in plain text |
+| Session tokens stolen from disk | Encrypted with AES-256-GCM; encryption key in keychain |
+| Keychain compromised | Requires OS-level compromise (user login password) |
+| Token in chat history (configureLunchMoneyToken) | Optional -- users can use `npx lunchmoney-mcp setup` CLI instead |
+| ENV var exposure in containers | Use platform-provided secret management; never log ENV vars |
+| Man-in-the-middle on API calls | All API calls use HTTPS; the OAuth flow uses PKCE (see note below) |
+| Unauthorized MCP access (HTTP mode) | OAuth 2.1 with PKCE required for all authenticated endpoints (see note below) |
+| Silent/phishing OAuth grant | Consent required on every first-time grant (Google consent screen not suppressed) |
+| Lost encryption key in containers | Server refuses to start without a valid `ENCRYPTION_KEY` in HTTP/OAuth mode (no silent ephemeral key) |
+
+> **Note on PKCE:** the OAuth authorization flow (including PKCE / `code_challenge`) is implemented by FastMCP, not by this server directly. We rely on the behavior of the pinned `fastmcp` version (currently `3.35.0`) and do not override `code_challenge_method`. Treat the PKCE guarantee as transitive through that dependency; it is re-verified whenever FastMCP is bumped.
+
+## Supply Chain Security
+
+MCP servers are high-value targets — they sit between AI assistants and your data. A compromised dependency could turn this server into a data exfiltration tool. We take this seriously.
+
+### What We Do
+
+| Protection | How |
+|-----------|-----|
+| **Pinned dependencies** | All versions in `package.json` are exact (no `^` or `~`). A compromised new release won't auto-install. |
+| **Lockfile integrity** | `package-lock.json` is committed and CI uses `npm ci` (not `npm install`), ensuring the exact dependency tree is reproduced. |
+| **npm provenance** | Every release is published with `--provenance` from GitHub Actions, creating a cryptographic attestation linking the npm package to its source commit. Verify with `npm audit signatures`. |
+| **Automated vulnerability scanning** | `npm audit --audit-level=high` runs on every CI build. Known vulnerabilities block merges. |
+| **Signature verification** | `npm audit signatures` runs in CI to verify all installed packages have valid registry signatures. |
+| **Dependabot** | GitHub Dependabot monitors for vulnerable dependencies and opens PRs weekly. Major version bumps require manual review. |
+| **Minimal dependency surface** | Only 5 production dependencies. Dev dependencies (vitest, typescript, etc.) are not shipped in the npm package. |
+| **GitHub Actions pinned** | CI workflow actions are pinned to specific versions and monitored by Dependabot. |
+
+### What You Can Do
+
+**Verify provenance** of any installed version:
+```bash
+npm audit signatures
+```
+
+**Verify the package source** matches the GitHub repo:
+```bash
+# Check provenance attestation on npm
+npm view @infamousendeavors/lunchmoney-mcp --json | jq '.dist.attestations'
+```
+
+**Pin your install** to a specific version:
+```bash
+npm install -g @infamousendeavors/lunchmoney-mcp@0.3.0
+```
+
+**Audit before running:**
+```bash
+npx @infamousendeavors/lunchmoney-mcp --version  # check version
+npm audit                                    # check for known vulnerabilities
+```
+
+### Production Dependencies (5 total)
+
+| Package | Purpose | Why We Trust It |
+|---------|---------|----------------|
+| `fastmcp` | MCP protocol framework | Active development, MCP ecosystem standard |
+| `zod` | Input validation | 25k+ GitHub stars, widely audited |
+| `keytar` | OS keychain access | Community-maintained, native OS keychain binding |
+| `dotenv` | ENV file parsing | 30M+ weekly downloads, minimal surface area |
+| `env-paths` | Platform data dirs | Zero dependencies, 50 lines of code |
+
+Dev dependencies (`vitest`, `typescript`, `tsx`, `@types/node`, `@vitest/coverage-v8`) are NOT included in the published npm package — they are excluded via the `files` field in `package.json`.
+
+## Reporting Vulnerabilities
+
+If you discover a security vulnerability, please email joe at joe-garcia dot com instead of opening a public issue.

package/dist/api/client.d.ts

@@ -0,0 +1,11 @@
+export declare class LunchMoneyClient {
+    private baseURL;
+    private accessToken;
+    constructor(accessToken: string);
+    private request;
+    get<T>(endpoint: string, params?: Record<string, unknown>): Promise<T>;
+    post<T>(endpoint: string, body?: unknown): Promise<T>;
+    put<T>(endpoint: string, body?: unknown): Promise<T>;
+    delete<T>(endpoint: string): Promise<T>;
+}
+//# sourceMappingURL=client.d.ts.map

package/dist/api/client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../../src/api/client.ts"],"names":[],"mappings":"AAEA,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,OAAO,CAAS;IACxB,OAAO,CAAC,WAAW,CAAS;gBAEhB,WAAW,EAAE,MAAM;YAQjB,OAAO;IAwDf,GAAG,CAAC,CAAC,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC;IAiBtE,IAAI,CAAC,CAAC,EAAE,QAAQ,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,OAAO,GAAG,OAAO,CAAC,CAAC,CAAC;IAOrD,GAAG,CAAC,CAAC,EAAE,QAAQ,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,OAAO,GAAG,OAAO,CAAC,CAAC,CAAC;IAOpD,MAAM,CAAC,CAAC,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,CAAC,CAAC;CAG9C"}

package/dist/api/client.js

@@ -0,0 +1,82 @@
+import { LunchMoneyAPIError, handleAPIError } from "../utils/errors.js";
+export class LunchMoneyClient {
+    baseURL;
+    accessToken;
+    constructor(accessToken) {
+        if (!accessToken) {
+            throw new Error("Lunch Money API token is required");
+        }
+        this.baseURL = "https://dev.lunchmoney.app/v1";
+        this.accessToken = accessToken;
+    }
+    async request(endpoint, options = {}) {
+        const url = `${this.baseURL}${endpoint}`;
+        const headers = {
+            Authorization: `Bearer ${this.accessToken}`,
+            "Content-Type": "application/json",
+            ...options.headers,
+        };
+        try {
+            const response = await fetch(url, {
+                ...options,
+                headers,
+            });
+            if (!response.ok) {
+                let errorMessage = `API request failed: ${response.statusText}`;
+                try {
+                    const errorData = await response.json();
+                    if (typeof errorData === "object" &&
+                        errorData !== null &&
+                        "error" in errorData &&
+                        typeof errorData.error === "string") {
+                        errorMessage = errorData.error;
+                    }
+                }
+                catch {
+                    // If response is not JSON, use status text
+                }
+                throw new LunchMoneyAPIError(errorMessage, response.status, await response.text().catch(() => undefined));
+            }
+            // Handle empty responses
+            const contentType = response.headers.get("content-type");
+            if (contentType && contentType.includes("application/json")) {
+                const data = await response.json();
+                return data;
+            }
+            return {};
+        }
+        catch (error) {
+            if (error instanceof LunchMoneyAPIError) {
+                throw error;
+            }
+            handleAPIError(error);
+        }
+    }
+    async get(endpoint, params) {
+        const queryString = params
+            ? `?${new URLSearchParams(Object.entries(params).reduce((acc, [key, value]) => {
+                if (value !== undefined && value !== null) {
+                    acc[key] = String(value);
+                }
+                return acc;
+            }, {})).toString()}`
+            : "";
+        return this.request(`${endpoint}${queryString}`, { method: "GET" });
+    }
+    async post(endpoint, body) {
+        return this.request(endpoint, {
+            method: "POST",
+            body: body ? JSON.stringify(body) : undefined,
+        });
+    }
+    async put(endpoint, body) {
+        return this.request(endpoint, {
+            method: "PUT",
+            body: body ? JSON.stringify(body) : undefined,
+        });
+    }
+    async delete(endpoint) {
+        return this.request(endpoint, { method: "DELETE" });
+    }
+}
+//# sourceMappingURL=client.js.map

package/dist/api/client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.js","sourceRoot":"","sources":["../../src/api/client.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,kBAAkB,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AAExE,MAAM,OAAO,gBAAgB;IACnB,OAAO,CAAS;IAChB,WAAW,CAAS;IAE5B,YAAY,WAAmB;QAC7B,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAC;QACvD,CAAC;QACD,IAAI,CAAC,OAAO,GAAG,+BAA+B,CAAC;QAC/C,IAAI,CAAC,WAAW,GAAG,WAAW,CAAC;IACjC,CAAC;IAEO,KAAK,CAAC,OAAO,CACnB,QAAgB,EAChB,UAAuB,EAAE;QAEzB,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,OAAO,GAAG,QAAQ,EAAE,CAAC;QACzC,MAAM,OAAO,GAAG;YACd,aAAa,EAAE,UAAU,IAAI,CAAC,WAAW,EAAE;YAC3C,cAAc,EAAE,kBAAkB;YAClC,GAAG,OAAO,CAAC,OAAO;SACnB,CAAC;QAEF,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;gBAChC,GAAG,OAAO;gBACV,OAAO;aACR,CAAC,CAAC;YAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBACjB,IAAI,YAAY,GAAG,uBAAuB,QAAQ,CAAC,UAAU,EAAE,CAAC;gBAChE,IAAI,CAAC;oBACH,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;oBACxC,IACE,OAAO,SAAS,KAAK,QAAQ;wBAC7B,SAAS,KAAK,IAAI;wBAClB,OAAO,IAAI,SAAS;wBACpB,OAAO,SAAS,CAAC,KAAK,KAAK,QAAQ,EACnC,CAAC;wBACD,YAAY,GAAG,SAAS,CAAC,KAAK,CAAC;oBACjC,CAAC;gBACH,CAAC;gBAAC,MAAM,CAAC;oBACP,2CAA2C;gBAC7C,CAAC;gBAED,MAAM,IAAI,kBAAkB,CAC1B,YAAY,EACZ,QAAQ,CAAC,MAAM,EACf,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,CAC7C,CAAC;YACJ,CAAC;YAED,yBAAyB;YACzB,MAAM,WAAW,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;YACzD,IAAI,WAAW,IAAI,WAAW,CAAC,QAAQ,CAAC,kBAAkB,CAAC,EAAE,CAAC;gBAC5D,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;gBACnC,OAAO,IAAS,CAAC;YACnB,CAAC;YAED,OAAO,EAAO,CAAC;QACjB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,KAAK,YAAY,kBAAkB,EAAE,CAAC;gBACxC,MAAM,KAAK,CAAC;YACd,CAAC;YACD,cAAc,CAAC,KAAK,CAAC,CAAC;QACxB,CAAC;IACH,CAAC;IAED,KAAK,CAAC,GAAG,CAAI,QAAgB,EAAE,MAAgC;QAC7D,MAAM,WAAW,GAAG,MAAM;YACxB,CAAC,CAAC,IAAI,IAAI,eAAe,CACvB,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,MAAM,CAC3B,CAAC,GAAG,EAAE,CAAC,GAAG,EAAE,KAAK,CAAC,EAAE,EAAE;gBACpB,IAAI,KAAK,KAAK,SAAS,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;oBAC1C,GAAG,CAAC,GAAG,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC;gBAC3B,CAAC;gBACD,OAAO,GAAG,CAAC;YACb,CAAC,EACD,EAA4B,CAC7B,CACF,CAAC,QAAQ,EAAE,EAAE;YACd,CAAC,CAAC,EAAE,CAAC;QACP,OAAO,IAAI,CAAC,OAAO,CAAI,GAAG,QAAQ,GAAG,WAAW,EAAE,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;IACzE,CAAC;IAED,KAAK,CAAC,IAAI,CAAI,QAAgB,EAAE,IAAc;QAC5C,OAAO,IAAI,CAAC,OAAO,CAAI,QAAQ,EAAE;YAC/B,MAAM,EAAE,MAAM;YACd,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,SAAS;SAC9C,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,GAAG,CAAI,QAAgB,EAAE,IAAc;QAC3C,OAAO,IAAI,CAAC,OAAO,CAAI,QAAQ,EAAE;YAC/B,MAAM,EAAE,KAAK;YACb,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,SAAS;SAC9C,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,MAAM,CAAI,QAAgB;QAC9B,OAAO,IAAI,CAAC,OAAO,CAAI,QAAQ,EAAE,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC,CAAC;IACzD,CAAC;CACF"}

package/dist/auth-provider.d.ts

@@ -0,0 +1,47 @@
+import { GoogleProvider, GitHubProvider, OAuthProvider } from "fastmcp";
+import type { TokenStorage } from "fastmcp/auth";
+export type AuthProviderType = "google" | "github" | "cyberark" | "custom";
+export interface AuthProviderOptions {
+    provider: AuthProviderType;
+    baseUrl: string;
+    clientId: string;
+    clientSecret: string;
+    /** CyberArk tenant URL (e.g. https://abc1234.id.cyberark.cloud) - required for cyberark provider */
+    cyberarkTenantUrl?: string;
+    /** OAuth authorization endpoint URL - required for custom provider */
+    authorizationEndpoint?: string;
+    /** OAuth token endpoint URL - required for custom provider */
+    tokenEndpoint?: string;
+    /** OAuth scopes - optional for custom provider (defaults to ['openid', 'email']) */
+    scopes?: string[];
+    /** Token storage backend for persisting OAuth sessions across restarts */
+    tokenStorage?: TokenStorage;
+    /** Encryption key for token storage (set to false to disable if already encrypted, or provide a hex string) */
+    encryptionKey?: false | string;
+}
+/**
+ * Create an OAuth auth provider for use with FastMCP HTTP transport.
+ * Supports Google, GitHub, CyberArk Identity, and custom OAuth providers.
+ */
+export declare function createAuthProvider(options: AuthProviderOptions): GoogleProvider | GitHubProvider | OAuthProvider<import("fastmcp").OAuthSession>;
+/**
+ * Additional environment-based config for providers that need extra fields.
+ */
+export interface AuthProviderEnvConfig {
+    clientId: string;
+    clientSecret: string;
+    /** CyberArk tenant URL - present only for cyberark provider */
+    cyberarkTenantUrl?: string;
+    /** OAuth authorization endpoint - present only for custom provider */
+    authorizationEndpoint?: string;
+    /** OAuth token endpoint - present only for custom provider */
+    tokenEndpoint?: string;
+    /** OAuth scopes - present only for custom provider */
+    scopes?: string[];
+}
+/**
+ * Read OAuth credentials from environment variables for the given provider.
+ * Throws if required env vars are missing.
+ */
+export declare function getAuthCredentialsFromEnv(provider: AuthProviderType): AuthProviderEnvConfig;
+//# sourceMappingURL=auth-provider.d.ts.map

package/dist/auth-provider.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-provider.d.ts","sourceRoot":"","sources":["../src/auth-provider.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AACxE,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAEjD,MAAM,MAAM,gBAAgB,GAAG,QAAQ,GAAG,QAAQ,GAAG,UAAU,GAAG,QAAQ,CAAC;AAE3E,MAAM,WAAW,mBAAmB;IAClC,QAAQ,EAAE,gBAAgB,CAAC;IAC3B,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,EAAE,MAAM,CAAC;IACrB,oGAAoG;IACpG,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,sEAAsE;IACtE,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,8DAA8D;IAC9D,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,oFAAoF;IACpF,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,0EAA0E;IAC1E,YAAY,CAAC,EAAE,YAAY,CAAC;IAC5B,+GAA+G;IAC/G,aAAa,CAAC,EAAE,KAAK,GAAG,MAAM,CAAC;CAChC;AAED;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,mBAAmB,mFAqE9D;AAED;;GAEG;AACH,MAAM,WAAW,qBAAqB;IACpC,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,EAAE,MAAM,CAAC;IACrB,+DAA+D;IAC/D,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,sEAAsE;IACtE,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,8DAA8D;IAC9D,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,sDAAsD;IACtD,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;CACnB;AAED;;;GAGG;AACH,wBAAgB,yBAAyB,CAAC,QAAQ,EAAE,gBAAgB,GAAG,qBAAqB,CAuD3F"}