@inkeep/agents-core 0.22.11 → 0.23.0

package/dist/client-exports.d.ts

@@ -1,8 +1,9 @@
-export { h as ACTIVITY_NAMES, f as ACTIVITY_STATUS, e as ACTIVITY_TYPES, g as AGENT_IDS, o as AGGREGATE_OPERATORS, A as AI_OPERATIONS, i as AI_TOOL_TYPES, n as DATA_SOURCES, j as DATA_TYPES, D as DELEGATION_FROM_SUB_AGENT_ID, b as DELEGATION_ID, a as DELEGATION_TO_SUB_AGENT_ID, F as FIELD_TYPES, O as OPERATORS, l as ORDER_DIRECTIONS, P as PANEL_TYPES, p as QUERY_DEFAULTS, k as QUERY_EXPRESSIONS, Q as QUERY_FIELD_CONFIGS, m as QUERY_TYPES, R as REDUCE_OPERATIONS, d as SPAN_KEYS, S as SPAN_NAMES, T as TRANSFER_FROM_SUB_AGENT_ID, c as TRANSFER_TO_SUB_AGENT_ID, U as UNKNOWN_VALUE } from './signoz-queries-Bqpkx5sK.js';
+export { i as ACTIVITY_NAMES, g as ACTIVITY_STATUS, f as ACTIVITY_TYPES, h as AGENT_IDS, p as AGGREGATE_OPERATORS, A as AI_OPERATIONS, j as AI_TOOL_TYPES, o as DATA_SOURCES, k as DATA_TYPES, D as DELEGATION_FROM_SUB_AGENT_ID, b as DELEGATION_ID, a as DELEGATION_TO_SUB_AGENT_ID, F as FIELD_TYPES, O as OPERATORS, m as ORDER_DIRECTIONS, P as PANEL_TYPES, q as QUERY_DEFAULTS, l as QUERY_EXPRESSIONS, Q as QUERY_FIELD_CONFIGS, n as QUERY_TYPES, R as REDUCE_OPERATIONS, e as SPAN_KEYS, S as SPAN_NAMES, T as TRANSFER_FROM_SUB_AGENT_ID, c as TRANSFER_TO_SUB_AGENT_ID, U as UNKNOWN_VALUE, d as detectAuthenticationRequired } from './auth-detection-BO8bSpe4.js';
 import { z } from 'zod';
-import { C as ConversationHistoryConfig, F as FunctionApiInsertSchema, A as ApiKeyApiUpdateSchema, a as FullAgentAgentInsertSchema } from './utility-06QUJeMa.js';
-export { e as AgentStopWhen, b as AgentStopWhenSchema, h as CredentialStoreType, j as FunctionApiSelectSchema, k as FunctionApiUpdateSchema, i as MCPTransportType, g as ModelSettings, M as ModelSettingsSchema, d as StopWhen, S as StopWhenSchema, f as SubAgentStopWhen, c as SubAgentStopWhenSchema } from './utility-06QUJeMa.js';
+import { C as ConversationHistoryConfig, F as FunctionApiInsertSchema, A as ApiKeyApiUpdateSchema, a as FullAgentAgentInsertSchema } from './utility-mGrlR4Ta.js';
+export { e as AgentStopWhen, b as AgentStopWhenSchema, h as CredentialStoreType, j as FunctionApiSelectSchema, k as FunctionApiUpdateSchema, i as MCPTransportType, g as ModelSettings, M as ModelSettingsSchema, d as StopWhen, S as StopWhenSchema, f as SubAgentStopWhen, c as SubAgentStopWhenSchema } from './utility-mGrlR4Ta.js';
 export { v as validatePropsAsJsonSchema } from './props-validation-BMR1qNiy.js';
+import 'pino';
 import 'drizzle-zod';
 import 'drizzle-orm/sqlite-core';
 import '@hono/zod-openapi';
@@ -128,8 +129,8 @@ declare const DataComponentApiInsertSchema: z.ZodObject<{
     props: z.ZodRecord<z.ZodString, z.ZodUnknown>;
 }, z.core.$strip>;
 declare const ArtifactComponentApiInsertSchema: z.ZodObject<{
-    name: z.ZodString;
     id: z.ZodString;
+    name: z.ZodString;
     description: z.ZodString;
     props: z.ZodOptional<z.ZodNullable<z.ZodType<Record<string, unknown>, Record<string, unknown>, z.core.$ZodTypeInternals<Record<string, unknown>, Record<string, unknown>>>>>;
 }, {
@@ -164,11 +165,12 @@ declare const FullAgentDefinitionSchema: z.ZodObject<{
     description: z.ZodOptional<z.ZodString>;
     defaultSubAgentId: z.ZodOptional<z.ZodString>;
     subAgents: z.ZodRecord<z.ZodString, z.ZodUnion<readonly [z.ZodObject<{
-        name: z.ZodString;
         id: z.ZodString;
+        name: z.ZodString;
+        description: z.ZodString;
+        prompt: z.ZodString;
         createdAt: z.ZodOptional<z.ZodString>;
         updatedAt: z.ZodOptional<z.ZodString>;
-        description: z.ZodString;
         models: z.ZodOptional<z.ZodObject<{
             base: z.ZodOptional<z.ZodObject<{
                 model: z.ZodOptional<z.ZodString>;
@@ -192,7 +194,6 @@ declare const FullAgentDefinitionSchema: z.ZodObject<{
         }, {
             stepCountIs?: number | undefined;
         }>>>>;
-        prompt: z.ZodString;
         conversationHistoryConfig: z.ZodOptional<z.ZodNullable<z.ZodType<ConversationHistoryConfig, ConversationHistoryConfig, z.core.$ZodTypeInternals<ConversationHistoryConfig, ConversationHistoryConfig>>>>;
         type: z.ZodLiteral<"internal">;
         canUse: z.ZodArray<z.ZodObject<{

package/dist/client-exports.js

@@ -1,6 +1,6 @@
-export { ACTIVITY_NAMES, ACTIVITY_STATUS, ACTIVITY_TYPES, AGENT_IDS, AGGREGATE_OPERATORS, AI_OPERATIONS, AI_TOOL_TYPES, DATA_SOURCES, DATA_TYPES, DELEGATION_FROM_SUB_AGENT_ID, DELEGATION_ID, DELEGATION_TO_SUB_AGENT_ID, FIELD_TYPES, OPERATORS, ORDER_DIRECTIONS, PANEL_TYPES, QUERY_DEFAULTS, QUERY_EXPRESSIONS, QUERY_FIELD_CONFIGS, QUERY_TYPES, REDUCE_OPERATIONS, SPAN_KEYS, SPAN_NAMES, TRANSFER_FROM_SUB_AGENT_ID, TRANSFER_TO_SUB_AGENT_ID, UNKNOWN_VALUE } from './chunk-QFIITHNT.js';
-import { ModelSettingsSchema, FullAgentAgentInsertSchema, ArtifactComponentApiInsertSchema } from './chunk-4SE2FOJY.js';
-export { AgentStopWhenSchema, FunctionApiInsertSchema, FunctionApiSelectSchema, FunctionApiUpdateSchema, ModelSettingsSchema, StopWhenSchema, SubAgentStopWhenSchema, validatePropsAsJsonSchema } from './chunk-4SE2FOJY.js';
+export { ACTIVITY_NAMES, ACTIVITY_STATUS, ACTIVITY_TYPES, AGENT_IDS, AGGREGATE_OPERATORS, AI_OPERATIONS, AI_TOOL_TYPES, DATA_SOURCES, DATA_TYPES, DELEGATION_FROM_SUB_AGENT_ID, DELEGATION_ID, DELEGATION_TO_SUB_AGENT_ID, FIELD_TYPES, OPERATORS, ORDER_DIRECTIONS, PANEL_TYPES, QUERY_DEFAULTS, QUERY_EXPRESSIONS, QUERY_FIELD_CONFIGS, QUERY_TYPES, REDUCE_OPERATIONS, SPAN_KEYS, SPAN_NAMES, TRANSFER_FROM_SUB_AGENT_ID, TRANSFER_TO_SUB_AGENT_ID, UNKNOWN_VALUE, detectAuthenticationRequired } from './chunk-5GAUAB2P.js';
+import { ModelSettingsSchema, FullAgentAgentInsertSchema, ArtifactComponentApiInsertSchema } from './chunk-HN77JIDP.js';
+export { AgentStopWhenSchema, FunctionApiInsertSchema, FunctionApiSelectSchema, FunctionApiUpdateSchema, ModelSettingsSchema, StopWhenSchema, SubAgentStopWhenSchema, validatePropsAsJsonSchema } from './chunk-HN77JIDP.js';
 import { CredentialStoreType } from './chunk-YFHT5M2R.js';
 export { CredentialStoreType, MCPTransportType } from './chunk-YFHT5M2R.js';
 import { z } from 'zod';

package/dist/db/schema.d.cts

@@ -1,7 +1,7 @@
 import 'drizzle-orm';
 import 'drizzle-orm/sqlite-core';
-import '../utility-06QUJeMa.cjs';
-export { E as agentRelations, H as agentToolRelationsRelations, a as agents, w as apiKeys, G as apiKeysRelations, j as artifactComponents, M as artifactComponentsRelations, b as contextCache, C as contextCacheRelations, c as contextConfigs, B as contextConfigsRelations, r as conversations, K as conversationsRelations, x as credentialReferences, I as credentialReferencesRelations, h as dataComponents, O as dataComponentsRelations, f as externalAgents, F as externalAgentsRelations, m as functionTools, T as functionToolsRelations, n as functions, R as functionsRelations, v as ledgerArtifacts, Q as ledgerArtifactsRelations, u as messages, L as messagesRelations, p as projects, z as projectsRelations, k as subAgentArtifactComponents, N as subAgentArtifactComponentsRelations, i as subAgentDataComponents, P as subAgentDataComponentsRelations, q as subAgentFunctionToolRelations, U as subAgentFunctionToolRelationsRelations, e as subAgentRelations, S as subAgentRelationsRelations, o as subAgentToolRelations, d as subAgents, D as subAgentsRelations, g as taskRelations, A as taskRelationsRelations, t as tasks, y as tasksRelations, l as tools, J as toolsRelations } from '../schema-B8-O-pmG.cjs';
+import '../utility-mGrlR4Ta.cjs';
+export { E as agentRelations, H as agentToolRelationsRelations, a as agents, w as apiKeys, G as apiKeysRelations, j as artifactComponents, M as artifactComponentsRelations, b as contextCache, C as contextCacheRelations, c as contextConfigs, B as contextConfigsRelations, r as conversations, K as conversationsRelations, x as credentialReferences, I as credentialReferencesRelations, h as dataComponents, O as dataComponentsRelations, f as externalAgents, F as externalAgentsRelations, m as functionTools, T as functionToolsRelations, n as functions, R as functionsRelations, v as ledgerArtifacts, Q as ledgerArtifactsRelations, u as messages, L as messagesRelations, p as projects, z as projectsRelations, k as subAgentArtifactComponents, N as subAgentArtifactComponentsRelations, i as subAgentDataComponents, P as subAgentDataComponentsRelations, q as subAgentFunctionToolRelations, U as subAgentFunctionToolRelationsRelations, e as subAgentRelations, S as subAgentRelationsRelations, o as subAgentToolRelations, d as subAgents, D as subAgentsRelations, g as taskRelations, A as taskRelationsRelations, t as tasks, y as tasksRelations, l as tools, J as toolsRelations } from '../schema-B8NMPwEM.cjs';
 import 'zod';
 import 'drizzle-zod';
 import '@hono/zod-openapi';

package/dist/db/schema.d.ts

@@ -1,7 +1,7 @@
 import 'drizzle-orm';
 import 'drizzle-orm/sqlite-core';
-import '../utility-06QUJeMa.js';
-export { E as agentRelations, H as agentToolRelationsRelations, a as agents, w as apiKeys, G as apiKeysRelations, j as artifactComponents, M as artifactComponentsRelations, b as contextCache, C as contextCacheRelations, c as contextConfigs, B as contextConfigsRelations, r as conversations, K as conversationsRelations, x as credentialReferences, I as credentialReferencesRelations, h as dataComponents, O as dataComponentsRelations, f as externalAgents, F as externalAgentsRelations, m as functionTools, T as functionToolsRelations, n as functions, R as functionsRelations, v as ledgerArtifacts, Q as ledgerArtifactsRelations, u as messages, L as messagesRelations, p as projects, z as projectsRelations, k as subAgentArtifactComponents, N as subAgentArtifactComponentsRelations, i as subAgentDataComponents, P as subAgentDataComponentsRelations, q as subAgentFunctionToolRelations, U as subAgentFunctionToolRelationsRelations, e as subAgentRelations, S as subAgentRelationsRelations, o as subAgentToolRelations, d as subAgents, D as subAgentsRelations, g as taskRelations, A as taskRelationsRelations, t as tasks, y as tasksRelations, l as tools, J as toolsRelations } from '../schema-BPRMaYtZ.js';
+import '../utility-mGrlR4Ta.js';
+export { E as agentRelations, H as agentToolRelationsRelations, a as agents, w as apiKeys, G as apiKeysRelations, j as artifactComponents, M as artifactComponentsRelations, b as contextCache, C as contextCacheRelations, c as contextConfigs, B as contextConfigsRelations, r as conversations, K as conversationsRelations, x as credentialReferences, I as credentialReferencesRelations, h as dataComponents, O as dataComponentsRelations, f as externalAgents, F as externalAgentsRelations, m as functionTools, T as functionToolsRelations, n as functions, R as functionsRelations, v as ledgerArtifacts, Q as ledgerArtifactsRelations, u as messages, L as messagesRelations, p as projects, z as projectsRelations, k as subAgentArtifactComponents, N as subAgentArtifactComponentsRelations, i as subAgentDataComponents, P as subAgentDataComponentsRelations, q as subAgentFunctionToolRelations, U as subAgentFunctionToolRelationsRelations, e as subAgentRelations, S as subAgentRelationsRelations, o as subAgentToolRelations, d as subAgents, D as subAgentsRelations, g as taskRelations, A as taskRelationsRelations, t as tasks, y as tasksRelations, l as tools, J as toolsRelations } from '../schema-PgBNwsV-.js';
 import 'zod';
 import 'drizzle-zod';
 import '@hono/zod-openapi';

package/dist/index.cjs

@@ -13,6 +13,7 @@ var client = require('@libsql/client');
 var libsql = require('drizzle-orm/libsql');
 var crypto = require('crypto');
 var util = require('util');
+var auth_js = require('@modelcontextprotocol/sdk/client/auth.js');
 var httpException = require('hono/http-exception');
 var index_js = require('@modelcontextprotocol/sdk/client/index.js');
 var sse_js = require('@modelcontextprotocol/sdk/client/sse.js');
@@ -214719,7 +214720,8 @@ var McpToolSchema = ToolInsertSchema.extend({
   status: ToolStatusSchema.default("unknown"),
   version: zodOpenapi.z.string().optional(),
   createdAt: zodOpenapi.z.date(),
-  updatedAt: zodOpenapi.z.date()
+  updatedAt: zodOpenapi.z.date(),
+  expiresAt: zodOpenapi.z.date().optional()
 });
 var MCPToolConfigSchema = McpToolSchema.omit({
   config: true,
@@ -217182,71 +217184,146 @@ function extractPublicId(key) {
 function maskApiKey(keyPrefix) {
   return `${keyPrefix}...`;
 }
-
-// src/utils/auth-detection.ts
-var getWellKnownUrls = (baseUrl) => [
-  `${baseUrl}/.well-known/oauth-authorization-server`,
-  `${baseUrl}/.well-known/openid-configuration`
-];
-var validateOAuthMetadata = (metadata) => {
-  return metadata.code_challenge_methods_supported?.includes("S256");
-};
-var buildOAuthConfig = (metadata) => ({
-  authorizationUrl: metadata.authorization_endpoint,
-  tokenUrl: metadata.token_endpoint,
-  registrationUrl: metadata.registration_endpoint,
-  supportsDynamicRegistration: !!metadata.registration_endpoint
-});
-var tryWellKnownEndpoints = async (baseUrl, logger14) => {
-  const wellKnownUrls = getWellKnownUrls(baseUrl);
-  for (const wellKnownUrl of wellKnownUrls) {
+function discoverScopes(resourceMetadata, metadata) {
+  const resourceScopes = resourceMetadata?.scopes_supported;
+  const oauthScopes = metadata?.scopes_supported;
+  const scopes = (resourceScopes?.length ? resourceScopes : oauthScopes) || [];
+  return scopes.length > 0 ? scopes.join(" ") : void 0;
+}
+async function discoverMcpMetadata(mcpServerUrl, logger14) {
+  try {
+    let resourceMetadata = null;
+    let authServerUrl = new URL(mcpServerUrl);
     try {
-      const response = await fetch(wellKnownUrl);
-      if (response.ok) {
-        const metadata = await response.json();
-        if (validateOAuthMetadata(metadata)) {
-          logger14?.debug({ baseUrl, wellKnownUrl }, "OAuth 2.1/PKCE support detected");
-          return buildOAuthConfig(metadata);
-        }
+      resourceMetadata = await auth_js.discoverOAuthProtectedResourceMetadata(mcpServerUrl);
+      if (resourceMetadata?.authorization_servers?.length && resourceMetadata.authorization_servers[0]) {
+        authServerUrl = new URL(resourceMetadata.authorization_servers[0]);
       }
-    } catch (error) {
-      logger14?.debug({ wellKnownUrl, error }, "OAuth endpoint check failed");
+    } catch {
+    }
+    const metadata = await auth_js.discoverAuthorizationServerMetadata(authServerUrl);
+    if (!metadata) {
+      throw new Error("Failed to discover OAuth authorization server metadata");
     }
+    logger14?.debug(
+      {
+        tokenEndpoint: metadata.token_endpoint,
+        authEndpoint: metadata.authorization_endpoint
+      },
+      "MCP metadata discovery successful"
+    );
+    const discoveredScopes = discoverScopes(resourceMetadata ?? void 0, metadata);
+    return {
+      success: true,
+      metadata,
+      ...resourceMetadata && { resourceMetadata },
+      ...discoveredScopes && { scopes: discoveredScopes }
+    };
+  } catch (err) {
+    const errorMessage = err instanceof Error ? err.message : String(err);
+    logger14?.debug({ error: errorMessage }, "MCP metadata discovery failed");
+    return { success: false, error: errorMessage };
   }
-  return null;
-};
-var checkForOAuthEndpoints = async (serverUrl, logger14) => {
-  const config = await discoverOAuthEndpoints(serverUrl, logger14);
-  return config !== null;
-};
-var discoverOAuthEndpoints = async (serverUrl, logger14) => {
-  try {
-    const response = await fetch(serverUrl, {
-      method: "POST",
-      headers: { "Content-Type": "application/json" },
-      body: JSON.stringify({})
+}
+async function initiateMcpOAuthFlow({
+  mcpServerUrl,
+  redirectUri,
+  state,
+  clientName = "Inkeep Agent Framework",
+  clientUri = "https://inkeep.com",
+  logoUri,
+  defaultClientId = "mcp-client",
+  logger: logger14
+}) {
+  const discoveryResult = await discoverMcpMetadata(mcpServerUrl, logger14);
+  if (!discoveryResult.success || !discoveryResult.metadata) {
+    throw new Error(`OAuth not supported by this server: ${discoveryResult.error}`);
+  }
+  const { metadata, resourceMetadata, scopes: discoveredScopes } = discoveryResult;
+  const clientMetadata = {
+    redirect_uris: [redirectUri],
+    token_endpoint_auth_method: "none",
+    // PKCE - no client secret
+    grant_types: ["authorization_code", "refresh_token"],
+    response_types: ["code"],
+    client_name: clientName,
+    client_uri: clientUri,
+    ...logoUri && { logo_uri: logoUri }
+  };
+  let clientInformation;
+  if (metadata.registration_endpoint) {
+    clientInformation = await auth_js.registerClient(mcpServerUrl, {
+      metadata,
+      clientMetadata
     });
-    if (response.status === 401) {
-      const wwwAuth = response.headers.get("WWW-Authenticate");
-      if (wwwAuth) {
-        const metadataMatch = wwwAuth.match(/as_uri="([^"]+)"/);
-        if (metadataMatch) {
-          const metadataResponse = await fetch(metadataMatch[1]);
-          if (metadataResponse.ok) {
-            const metadata = await metadataResponse.json();
-            if (metadata.authorization_servers?.length > 0) {
-              return await tryWellKnownEndpoints(metadata.authorization_servers[0], logger14);
-            }
-          }
-        }
-      }
-    }
-  } catch (_error) {
+  } else {
+    clientInformation = {
+      client_id: defaultClientId,
+      ...clientMetadata
+    };
   }
-  const url = new URL(serverUrl);
-  const baseUrl = `${url.protocol}//${url.host}`;
-  return await tryWellKnownEndpoints(baseUrl, logger14);
-};
+  const resource = resourceMetadata?.resource ? new URL(resourceMetadata.resource) : void 0;
+  const authResult = await auth_js.startAuthorization(mcpServerUrl, {
+    metadata,
+    clientInformation,
+    redirectUrl: redirectUri,
+    state,
+    scope: discoveredScopes || "",
+    ...resource && { resource }
+  });
+  logger14?.debug(
+    {
+      authorizationUrl: authResult.authorizationUrl.href,
+      scopes: discoveredScopes,
+      clientId: clientInformation.client_id
+    },
+    "MCP OAuth flow initiated successfully"
+  );
+  return {
+    authorizationUrl: authResult.authorizationUrl.href,
+    codeVerifier: authResult.codeVerifier,
+    state,
+    clientInformation,
+    metadata,
+    resourceUrl: resource?.href || void 0,
+    ...discoveredScopes && { scopes: discoveredScopes }
+  };
+}
+async function exchangeMcpAuthorizationCode({
+  mcpServerUrl,
+  metadata,
+  clientInformation,
+  authorizationCode,
+  codeVerifier,
+  redirectUri,
+  resourceUrl,
+  logger: logger14
+}) {
+  const resource = resourceUrl ? new URL(resourceUrl) : void 0;
+  const tokens = await auth_js.exchangeAuthorization(mcpServerUrl, {
+    metadata,
+    clientInformation,
+    authorizationCode,
+    codeVerifier,
+    redirectUri,
+    ...resource && { resource }
+  });
+  logger14?.debug(
+    {
+      tokenType: tokens.token_type,
+      hasRefreshToken: !!tokens.refresh_token,
+      expiresIn: tokens.expires_in
+    },
+    "MCP token exchange successful"
+  );
+  return {
+    access_token: tokens.access_token,
+    refresh_token: tokens.refresh_token,
+    expires_at: tokens.expires_in ? new Date(Date.now() + tokens.expires_in * 1e3) : void 0,
+    token_type: tokens.token_type || "Bearer",
+    scope: tokens.scope
+  };
+}
 var detectAuthenticationRequired = async ({
   serverUrl,
   toolId,
@@ -217254,53 +217331,17 @@ var detectAuthenticationRequired = async ({
   logger: logger14
 }) => {
   try {
-    const hasOAuthEndpoints = await checkForOAuthEndpoints(serverUrl, logger14);
-    if (hasOAuthEndpoints) {
-      logger14?.info(
-        { toolId, serverUrl },
-        "OAuth 2.1/PKCE support confirmed via endpoint discovery"
-      );
+    const discoveryResult = await discoverMcpMetadata(serverUrl, logger14);
+    if (discoveryResult.success && discoveryResult.metadata) {
+      logger14?.info({ toolId, serverUrl }, "MCP OAuth support confirmed via metadata discovery");
       return true;
     }
   } catch (discoveryError) {
-    logger14?.debug({ toolId, discoveryError }, "OAuth endpoint discovery failed");
-  }
-  try {
-    const response = await fetch(serverUrl, {
-      method: "POST",
-      headers: { "Content-Type": "application/json" },
-      body: JSON.stringify({
-        jsonrpc: "2.0",
-        method: "initialize",
-        id: 1,
-        params: { protocolVersion: "2024-11-05", capabilities: {} }
-      })
-    });
-    if (response.status === 401) {
-      const wwwAuth = response.headers.get("WWW-Authenticate");
-      if (wwwAuth) {
-        const authLower = wwwAuth.toLowerCase();
-        const hasActiveOAuthFlow = authLower.includes("authorization_uri") || authLower.includes("as_uri=") || authLower.includes("bearer") && (authLower.includes("scope=") || authLower.includes("error_uri="));
-        if (hasActiveOAuthFlow) {
-          logger14?.info(
-            { toolId, wwwAuth },
-            "Active OAuth flow detected via WWW-Authenticate parameters"
-          );
-          return true;
-        } else {
-          logger14?.debug(
-            { toolId, wwwAuth },
-            "Bearer authentication detected - likely simple token auth, not OAuth"
-          );
-        }
-      }
-    }
-  } catch (fetchError) {
-    logger14?.debug({ toolId, fetchError }, "Direct fetch authentication check failed");
+    logger14?.debug({ toolId, discoveryError }, "MCP OAuth metadata discovery failed");
   }
   logger14?.debug(
-    { toolId, error: error.message },
-    "No OAuth 2.1/PKCE authentication requirement detected"
+    { toolId, error: error?.message },
+    "No MCP OAuth authentication requirement detected"
   );
   return false;
 };
@@ -218007,7 +218048,7 @@ var discoverToolsFromServer = async (tool2, dbClient, credentialStoreRegistry) =
         id: credentialReferenceId
       });
       if (!credentialReference) {
-        throw new Error(`Credential store not found: ${credentialReferenceId}`);
+        throw new Error(`Credential reference not found: ${credentialReferenceId}`);
       }
       const storeReference = {
         credentialStoreId: credentialReference.credentialStoreId,
@@ -218086,6 +218127,38 @@ var dbResultToMcpTool = async (dbResult, dbClient, credentialStoreRegistry) => {
   let availableTools = [];
   let status = "unknown";
   let lastErrorComputed;
+  let expiresAt;
+  if (credentialReferenceId) {
+    const credentialReference = await getCredentialReference(dbClient)({
+      scopes: { tenantId: dbResult.tenantId, projectId: dbResult.projectId },
+      id: credentialReferenceId
+    });
+    if (credentialReference?.retrievalParams) {
+      const credentialStore = credentialStoreRegistry?.get(credentialReference.credentialStoreId);
+      if (credentialStore && credentialStore.type !== CredentialStoreType.memory) {
+        const lookupKey = getCredentialStoreLookupKeyFromRetrievalParams({
+          retrievalParams: credentialReference.retrievalParams,
+          credentialStoreType: credentialStore.type
+        });
+        if (lookupKey) {
+          const credentialDataString = await credentialStore.get(lookupKey);
+          if (credentialDataString) {
+            if (credentialStore.type === CredentialStoreType.nango) {
+              const nangoCredentialData = JSON.parse(credentialDataString);
+              if (nangoCredentialData.expiresAt) {
+                expiresAt = nangoCredentialData.expiresAt;
+              }
+            } else if (credentialStore.type === CredentialStoreType.keychain) {
+              const oauthTokens = JSON.parse(credentialDataString);
+              if (oauthTokens.expires_at) {
+                expiresAt = new Date(oauthTokens.expires_at);
+              }
+            }
+          }
+        }
+      }
+    }
+  }
   try {
     availableTools = await discoverToolsFromServer(dbResult, dbClient, credentialStoreRegistry);
     status = "healthy";
@@ -218117,6 +218190,7 @@ var dbResultToMcpTool = async (dbResult, dbClient, credentialStoreRegistry) => {
     credentialReferenceId: credentialReferenceId || void 0,
     createdAt: new Date(createdAt),
     updatedAt: new Date(now),
+    expiresAt,
     lastError: lastErrorComputed,
     headers: headers2 || void 0,
     imageUrl: imageUrl || void 0
@@ -224698,7 +224772,8 @@ var NangoCredentialStore = class {
       case "OAUTH2":
         return {
           token: extractAccessTokenForBearerType(credentials.access_token),
-          refresh_token: credentials.refresh_token
+          refresh_token: credentials.refresh_token,
+          expiresAt: credentials.expires_at
         };
       case "OAUTH2_CC":
         return {
@@ -225576,9 +225651,9 @@ exports.deleteSubAgentRelation = deleteSubAgentRelation;
 exports.deleteTool = deleteTool;
 exports.detectAuthenticationRequired = detectAuthenticationRequired;
 exports.determineContextTrigger = determineContextTrigger;
-exports.discoverOAuthEndpoints = discoverOAuthEndpoints;
 exports.errorResponseSchema = errorResponseSchema;
 exports.errorSchemaFactory = errorSchemaFactory;
+exports.exchangeMcpAuthorizationCode = exchangeMcpAuthorizationCode;
 exports.externalAgentExists = externalAgentExists;
 exports.externalAgentUrlExists = externalAgentUrlExists;
 exports.externalAgents = externalAgents;
@@ -225663,6 +225738,7 @@ exports.hasContextConfig = hasContextConfig;
 exports.hasCredentialReference = hasCredentialReference;
 exports.hashApiKey = hashApiKey;
 exports.headers = headers;
+exports.initiateMcpOAuthFlow = initiateMcpOAuthFlow;
 exports.invalidateHeadersCache = invalidateHeadersCache;
 exports.invalidateInvocationDefinitionsCache = invalidateInvocationDefinitionsCache;
 exports.isApiKeyExpired = isApiKeyExpired;