@inso_web/els-mcp 0.1.0

package/dist/http/jwks.js

@@ -0,0 +1,34 @@
+import { createRemoteJWKSet, jwtVerify } from 'jose';
+/**
+ * JWKS resolver через `jose.createRemoteJWKSet`.
+ *
+ * `createRemoteJWKSet` сам кеширует ключи (`cacheMaxAge`) и реализует cooldown
+ * между retry'ами при cache-miss (`cooldownDuration`). Мы используем:
+ *   - cacheMaxAge:      10 минут   — TTL ключа в кеше
+ *   - cooldownDuration: 10 секунд  — минимальный интервал между miss-fetch'ами
+ *   - timeoutDuration:  5 секунд   — HTTP timeout на fetch JWKS
+ *
+ * Для dev: переменная `MCP_OIDC_JWKS_URL` уже подхватывается через config —
+ * можно указать локальный auth URL (`http://localhost:4002/oidc/.well-known/jwks.json`).
+ */
+const CACHE_MAX_AGE_MS = 10 * 60 * 1000;
+const COOLDOWN_MS = 10 * 1000;
+const TIMEOUT_MS = 5 * 1000;
+export function createJwksResolver(config) {
+    const jwks = createRemoteJWKSet(new URL(config.oidcJwksUrl), {
+        cacheMaxAge: CACHE_MAX_AGE_MS,
+        cooldownDuration: COOLDOWN_MS,
+        timeoutDuration: TIMEOUT_MS,
+    });
+    return {
+        async verify(token) {
+            const { payload } = await jwtVerify(token, jwks, {
+                issuer: config.oidcIssuer,
+                audience: config.oidcAudience,
+                algorithms: ['RS256'],
+            });
+            return payload;
+        },
+    };
+}
+//# sourceMappingURL=jwks.js.map

package/dist/http/jwks.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwks.js","sourceRoot":"","sources":["../../src/http/jwks.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,kBAAkB,EAAmB,SAAS,EAAE,MAAM,MAAM,CAAC;AAGtE;;;;;;;;;;;GAWG;AAEH,MAAM,gBAAgB,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;AACxC,MAAM,WAAW,GAAG,EAAE,GAAG,IAAI,CAAC;AAC9B,MAAM,UAAU,GAAG,CAAC,GAAG,IAAI,CAAC;AAO5B,MAAM,UAAU,kBAAkB,CAAC,MAAc;IAC/C,MAAM,IAAI,GAAG,kBAAkB,CAAC,IAAI,GAAG,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE;QAC3D,WAAW,EAAE,gBAAgB;QAC7B,gBAAgB,EAAE,WAAW;QAC7B,eAAe,EAAE,UAAU;KAC5B,CAAC,CAAC;IAEH,OAAO;QACL,KAAK,CAAC,MAAM,CAAC,KAAa;YACxB,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE;gBAC/C,MAAM,EAAE,MAAM,CAAC,UAAU;gBACzB,QAAQ,EAAE,MAAM,CAAC,YAAY;gBAC7B,UAAU,EAAE,CAAC,OAAO,CAAC;aACtB,CAAC,CAAC;YACH,OAAO,OAAO,CAAC;QACjB,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/http/middleware/auth.d.ts

@@ -0,0 +1,11 @@
+import type { RequestHandler } from 'express';
+import type { Logger } from 'pino';
+import type { Config } from '../../config.js';
+import type { JwksResolver } from '../jwks.js';
+export interface CreateAuthOptions {
+    config: Config;
+    jwks: JwksResolver;
+    log?: Logger;
+}
+export declare function createAuthMiddleware(opts: CreateAuthOptions): RequestHandler;
+//# sourceMappingURL=auth.d.ts.map

package/dist/http/middleware/auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../../src/http/middleware/auth.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAyB,cAAc,EAAY,MAAM,SAAS,CAAC;AAC/E,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,MAAM,CAAC;AACnC,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,iBAAiB,CAAC;AAC9C,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAoB/C,MAAM,WAAW,iBAAiB;IAChC,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,YAAY,CAAC;IACnB,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED,wBAAgB,oBAAoB,CAAC,IAAI,EAAE,iBAAiB,GAAG,cAAc,CAiI5E"}

package/dist/http/middleware/auth.js

@@ -0,0 +1,225 @@
+import { recordAuthRejection } from '../../observability/metrics.js';
+/**
+ * Auth middleware для HTTP transport.
+ *
+ * Поддерживает два path:
+ *   A. ELS-key Bearer (`Bearer els_(live|test)_...`) — passthrough в ELS как есть.
+ *   B. OIDC JWT Bearer — локально валидируем через JWKS (INSO Auth).
+ *
+ * Если оба заголовка не подходят (или их нет) — 401 с `WWW-Authenticate`,
+ * указывающим на RFC 9728 resource metadata.
+ *
+ * Маршруты `/healthz`, `/readyz` и `/.well-known/*` исключены из этого
+ * middleware на уровне роутинга — здесь мы их не проверяем.
+ */
+const ELS_KEY_REGEX = /^els_(live|test)_[\w-]{30,}$/;
+export function createAuthMiddleware(opts) {
+    const { config, jwks, log } = opts;
+    const wwwAuthHeader = buildWwwAuthenticate(config.publicUrl);
+    return async function authMiddleware(req, res, next) {
+        const authHeader = readAuthorization(req);
+        if (!authHeader) {
+            reject(res, log, wwwAuthHeader, 'missing_authorization', 401, {
+                error: 'unauthorized',
+                error_description: 'Missing Authorization header',
+                resource_metadata: `${config.publicUrl}/.well-known/oauth-protected-resource`,
+            });
+            return;
+        }
+        const token = authHeader.slice('Bearer '.length).trim();
+        if (token.length === 0) {
+            reject(res, log, wwwAuthHeader, 'empty_bearer', 401, {
+                error: 'invalid_token',
+                error_description: 'Empty Bearer token',
+            });
+            return;
+        }
+        // Path A: ELS-key (priority — phase 3)
+        if (ELS_KEY_REGEX.test(token)) {
+            const ctx = buildElsKeyContext(req, token, config);
+            req.context = ctx;
+            log?.debug?.({ keyId: ctx.keyId, requestId: ctx.requestId }, 'auth: els-key');
+            next();
+            return;
+        }
+        // Path B: OIDC JWT
+        if (looksLikeJwt(token)) {
+            try {
+                const payload = await jwks.verify(token);
+                const sub = typeof payload.sub === 'string' ? payload.sub : '';
+                if (!sub) {
+                    recordAuthRejection('oidc_missing_sub');
+                    log?.warn?.({ requestId: pickRequestId(req) }, 'OIDC reject: missing sub');
+                    reject(res, log, wwwAuthHeader, null, 401, {
+                        error: 'invalid_token',
+                        error_description: 'JWT missing sub claim',
+                    });
+                    return;
+                }
+                // Phase 6: scope-claim обязателен (не просто пустой).
+                if (!hasScopeClaim(payload)) {
+                    recordAuthRejection('oidc_missing_scope_claim');
+                    log?.warn?.({ sub, requestId: pickRequestId(req) }, 'OIDC reject: scope claim absent');
+                    reject(res, log, wwwAuthHeader, null, 403, {
+                        error: 'insufficient_scope',
+                        error_description: 'Token has no scope claim (scope / scp)',
+                        required_scope: 'errors:mcp-read',
+                    });
+                    return;
+                }
+                const scopes = extractScopes(payload);
+                if (!scopes.includes('errors:mcp-read')) {
+                    recordAuthRejection('oidc_insufficient_scope');
+                    log?.warn?.({ sub, scopes, requestId: pickRequestId(req) }, 'OIDC reject: insufficient scope');
+                    reject(res, log, wwwAuthHeader, null, 403, {
+                        error: 'insufficient_scope',
+                        error_description: 'Token lacks required scope "errors:mcp-read"',
+                        required_scope: 'errors:mcp-read',
+                    });
+                    return;
+                }
+                // Phase 6: проверка audience — JWT должен содержать ожидаемую audience.
+                if (!hasAudience(payload, config.oidcAudience)) {
+                    recordAuthRejection('oidc_invalid_audience');
+                    log?.warn?.({ sub, aud: payload.aud, expected: config.oidcAudience, requestId: pickRequestId(req) }, 'OIDC reject: invalid audience');
+                    reject(res, log, wwwAuthHeader, null, 401, {
+                        error: 'invalid_token',
+                        error_description: `Token audience does not include "${config.oidcAudience}"`,
+                    });
+                    return;
+                }
+                // TODO Phase 4: реальный resolver sub → доступные appSlugs через LK API.
+                // Phase 3 workaround: либо ENV MCP_OIDC_DEMO_APP_SLUG, либо отказ.
+                const appSlug = config.oidcDemoAppSlug ?? '';
+                if (!appSlug) {
+                    recordAuthRejection('oidc_no_app_resolver');
+                    res.status(503).json({
+                        error: 'oidc_app_resolver_unavailable',
+                        error_description: 'OIDC sub → appSlug resolver not configured. Set MCP_OIDC_DEMO_APP_SLUG for Phase 3.',
+                    });
+                    return;
+                }
+                const ctx = buildOidcContext(req, sub, scopes, appSlug);
+                req.context = ctx;
+                log?.debug?.({ sub, requestId: ctx.requestId, appSlug }, 'auth: oidc');
+                next();
+                return;
+            }
+            catch (err) {
+                recordAuthRejection('oidc_verify_failed');
+                log?.warn?.({ err: errMsg(err) }, 'OIDC token verification failed');
+                reject(res, log, wwwAuthHeader, null, 401, {
+                    error: 'invalid_token',
+                    error_description: 'Failed to verify OIDC token',
+                });
+                return;
+            }
+        }
+        // Не похоже ни на ELS-key, ни на JWT
+        reject(res, log, wwwAuthHeader, 'unrecognized_token_shape', 401, {
+            error: 'invalid_token',
+            error_description: 'Token format not recognized',
+        });
+    };
+}
+function reject(res, _log, wwwAuthHeader, metricReason, status, body) {
+    if (metricReason !== null) {
+        try {
+            recordAuthRejection(metricReason);
+        }
+        catch {
+            // ignore
+        }
+    }
+    res.setHeader('WWW-Authenticate', wwwAuthHeader);
+    res.status(status).json(body);
+}
+function hasScopeClaim(payload) {
+    return payload.scope !== undefined || payload.scp !== undefined;
+}
+function hasAudience(payload, expected) {
+    const aud = payload.aud;
+    if (typeof aud === 'string')
+        return aud === expected;
+    if (Array.isArray(aud))
+        return aud.includes(expected);
+    return false;
+}
+function readAuthorization(req) {
+    const raw = req.headers.authorization;
+    if (!raw || typeof raw !== 'string')
+        return null;
+    if (!raw.toLowerCase().startsWith('bearer '))
+        return null;
+    return raw;
+}
+function looksLikeJwt(s) {
+    // header.payload.signature — три base64url-сегмента через точку.
+    return /^[\w-]+\.[\w-]+\.[\w-]+$/.test(s);
+}
+function extractScopes(payload) {
+    const raw = payload.scope ?? payload.scp;
+    if (typeof raw === 'string')
+        return raw.split(/\s+/).filter(Boolean);
+    if (Array.isArray(raw))
+        return raw.filter((x) => typeof x === 'string');
+    return [];
+}
+function buildElsKeyContext(req, token, _config) {
+    return {
+        authMethod: 'els-key',
+        elsApiKey: token,
+        appSlug: '', // не известен на этом этапе — резолвится в elsClient через ELS upstream
+        keyId: token.slice(0, 12), // els_live_xxxx — visibility для логов
+        ip: pickIp(req),
+        userAgent: pickUserAgent(req),
+        sessionId: pickSessionId(req),
+        requestId: pickRequestId(req),
+    };
+}
+function buildOidcContext(req, sub, scopes, appSlug) {
+    return {
+        authMethod: 'oidc',
+        oidcSub: sub,
+        scopes,
+        appSlug,
+        keyId: `oidc:${sub.slice(0, 8)}`,
+        ip: pickIp(req),
+        userAgent: pickUserAgent(req),
+        sessionId: pickSessionId(req),
+        requestId: pickRequestId(req),
+    };
+}
+function pickIp(req) {
+    const xff = req.headers['x-forwarded-for'];
+    if (typeof xff === 'string') {
+        const first = xff.split(',')[0]?.trim();
+        if (first)
+            return first;
+    }
+    return req.socket.remoteAddress ?? '';
+}
+function pickUserAgent(req) {
+    const ua = req.headers['user-agent'];
+    return typeof ua === 'string' ? ua : '';
+}
+function pickSessionId(req) {
+    const sid = req.headers['mcp-session-id'];
+    if (typeof sid === 'string' && sid.length > 0)
+        return sid;
+    return undefined;
+}
+function pickRequestId(req) {
+    const existing = req.headers['x-request-id'];
+    if (typeof existing === 'string' && existing.length > 0)
+        return existing;
+    // Запасной id, если request-id middleware не отработал.
+    return `req_${Date.now().toString(36)}_${Math.random().toString(36).slice(2, 10)}`;
+}
+function buildWwwAuthenticate(publicUrl) {
+    return `Bearer realm="els-mcp", resource_metadata="${publicUrl}/.well-known/oauth-protected-resource"`;
+}
+function errMsg(err) {
+    return err instanceof Error ? err.message : String(err);
+}
+//# sourceMappingURL=auth.js.map

package/dist/http/middleware/auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.js","sourceRoot":"","sources":["../../../src/http/middleware/auth.ts"],"names":[],"mappings":"AAKA,OAAO,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AAErE;;;;;;;;;;;;GAYG;AAEH,MAAM,aAAa,GAAG,8BAA8B,CAAC;AAQrD,MAAM,UAAU,oBAAoB,CAAC,IAAuB;IAC1D,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;IAEnC,MAAM,aAAa,GAAG,oBAAoB,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IAE7D,OAAO,KAAK,UAAU,cAAc,CAClC,GAAY,EACZ,GAAa,EACb,IAAkB;QAElB,MAAM,UAAU,GAAG,iBAAiB,CAAC,GAAG,CAAC,CAAC;QAC1C,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,MAAM,CAAC,GAAG,EAAE,GAAG,EAAE,aAAa,EAAE,uBAAuB,EAAE,GAAG,EAAE;gBAC5D,KAAK,EAAE,cAAc;gBACrB,iBAAiB,EAAE,8BAA8B;gBACjD,iBAAiB,EAAE,GAAG,MAAM,CAAC,SAAS,uCAAuC;aAC9E,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,CAAC;QACxD,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,MAAM,CAAC,GAAG,EAAE,GAAG,EAAE,aAAa,EAAE,cAAc,EAAE,GAAG,EAAE;gBACnD,KAAK,EAAE,eAAe;gBACtB,iBAAiB,EAAE,oBAAoB;aACxC,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,uCAAuC;QACvC,IAAI,aAAa,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;YAC9B,MAAM,GAAG,GAAG,kBAAkB,CAAC,GAAG,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;YACnD,GAAG,CAAC,OAAO,GAAG,GAAG,CAAC;YAClB,GAAG,EAAE,KAAK,EAAE,CAAC,EAAE,KAAK,EAAE,GAAG,CAAC,KAAK,EAAE,SAAS,EAAE,GAAG,CAAC,SAAS,EAAE,EAAE,eAAe,CAAC,CAAC;YAC9E,IAAI,EAAE,CAAC;YACP,OAAO;QACT,CAAC;QAED,mBAAmB;QACnB,IAAI,YAAY,CAAC,KAAK,CAAC,EAAE,CAAC;YACxB,IAAI,CAAC;gBACH,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;gBACzC,MAAM,GAAG,GAAG,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC/D,IAAI,CAAC,GAAG,EAAE,CAAC;oBACT,mBAAmB,CAAC,kBAAkB,CAAC,CAAC;oBACxC,GAAG,EAAE,IAAI,EAAE,CAAC,EAAE,SAAS,EAAE,aAAa,CAAC,GAAG,CAAC,EAAE,EAAE,0BAA0B,CAAC,CAAC;oBAC3E,MAAM,CAAC,GAAG,EAAE,GAAG,EAAE,aAAa,EAAE,IAAI,EAAE,GAAG,EAAE;wBACzC,KAAK,EAAE,eAAe;wBACtB,iBAAiB,EAAE,uBAAuB;qBAC3C,CAAC,CAAC;oBACH,OAAO;gBACT,CAAC;gBAED,sDAAsD;gBACtD,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,EAAE,CAAC;oBAC5B,mBAAmB,CAAC,0BAA0B,CAAC,CAAC;oBAChD,GAAG,EAAE,IAAI,EAAE,CAAC,EAAE,GAAG,EAAE,SAAS,EAAE,aAAa,CAAC,GAAG,CAAC,EAAE,EAAE,iCAAiC,CAAC,CAAC;oBACvF,MAAM,CAAC,GAAG,EAAE,GAAG,EAAE,aAAa,EAAE,IAAI,EAAE,GAAG,EAAE;wBACzC,KAAK,EAAE,oBAAoB;wBAC3B,iBAAiB,EAAE,wCAAwC;wBAC3D,cAAc,EAAE,iBAAiB;qBAClC,CAAC,CAAC;oBACH,OAAO;gBACT,CAAC;gBAED,MAAM,MAAM,GAAG,aAAa,CAAC,OAAO,CAAC,CAAC;gBACtC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,iBAAiB,CAAC,EAAE,CAAC;oBACxC,mBAAmB,CAAC,yBAAyB,CAAC,CAAC;oBAC/C,GAAG,EAAE,IAAI,EAAE,CACT,EAAE,GAAG,EAAE,MAAM,EAAE,SAAS,EAAE,aAAa,CAAC,GAAG,CAAC,EAAE,EAC9C,iCAAiC,CAClC,CAAC;oBACF,MAAM,CAAC,GAAG,EAAE,GAAG,EAAE,aAAa,EAAE,IAAI,EAAE,GAAG,EAAE;wBACzC,KAAK,EAAE,oBAAoB;wBAC3B,iBAAiB,EAAE,8CAA8C;wBACjE,cAAc,EAAE,iBAAiB;qBAClC,CAAC,CAAC;oBACH,OAAO;gBACT,CAAC;gBAED,wEAAwE;gBACxE,IAAI,CAAC,WAAW,CAAC,OAAO,EAAE,MAAM,CAAC,YAAY,CAAC,EAAE,CAAC;oBAC/C,mBAAmB,CAAC,uBAAuB,CAAC,CAAC;oBAC7C,GAAG,EAAE,IAAI,EAAE,CACT,EAAE,GAAG,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,QAAQ,EAAE,MAAM,CAAC,YAAY,EAAE,SAAS,EAAE,aAAa,CAAC,GAAG,CAAC,EAAE,EACvF,+BAA+B,CAChC,CAAC;oBACF,MAAM,CAAC,GAAG,EAAE,GAAG,EAAE,aAAa,EAAE,IAAI,EAAE,GAAG,EAAE;wBACzC,KAAK,EAAE,eAAe;wBACtB,iBAAiB,EAAE,oCAAoC,MAAM,CAAC,YAAY,GAAG;qBAC9E,CAAC,CAAC;oBACH,OAAO;gBACT,CAAC;gBAED,yEAAyE;gBACzE,mEAAmE;gBACnE,MAAM,OAAO,GAAG,MAAM,CAAC,eAAe,IAAI,EAAE,CAAC;gBAC7C,IAAI,CAAC,OAAO,EAAE,CAAC;oBACb,mBAAmB,CAAC,sBAAsB,CAAC,CAAC;oBAC5C,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;wBACnB,KAAK,EAAE,+BAA+B;wBACtC,iBAAiB,EACf,qFAAqF;qBACxF,CAAC,CAAC;oBACH,OAAO;gBACT,CAAC;gBAED,MAAM,GAAG,GAAG,gBAAgB,CAAC,GAAG,EAAE,GAAG,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC;gBACxD,GAAG,CAAC,OAAO,GAAG,GAAG,CAAC;gBAClB,GAAG,EAAE,KAAK,EAAE,CAAC,EAAE,GAAG,EAAE,SAAS,EAAE,GAAG,CAAC,SAAS,EAAE,OAAO,EAAE,EAAE,YAAY,CAAC,CAAC;gBACvE,IAAI,EAAE,CAAC;gBACP,OAAO;YACT,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,mBAAmB,CAAC,oBAAoB,CAAC,CAAC;gBAC1C,GAAG,EAAE,IAAI,EAAE,CAAC,EAAE,GAAG,EAAE,MAAM,CAAC,GAAG,CAAC,EAAE,EAAE,gCAAgC,CAAC,CAAC;gBACpE,MAAM,CAAC,GAAG,EAAE,GAAG,EAAE,aAAa,EAAE,IAAI,EAAE,GAAG,EAAE;oBACzC,KAAK,EAAE,eAAe;oBACtB,iBAAiB,EAAE,6BAA6B;iBACjD,CAAC,CAAC;gBACH,OAAO;YACT,CAAC;QACH,CAAC;QAED,qCAAqC;QACrC,MAAM,CAAC,GAAG,EAAE,GAAG,EAAE,aAAa,EAAE,0BAA0B,EAAE,GAAG,EAAE;YAC/D,KAAK,EAAE,eAAe;YACtB,iBAAiB,EAAE,6BAA6B;SACjD,CAAC,CAAC;IACL,CAAC,CAAC;AACJ,CAAC;AAED,SAAS,MAAM,CACb,GAAa,EACb,IAAwB,EACxB,aAAqB,EACrB,YAA2B,EAC3B,MAAc,EACd,IAA6B;IAE7B,IAAI,YAAY,KAAK,IAAI,EAAE,CAAC;QAC1B,IAAI,CAAC;YACH,mBAAmB,CAAC,YAAY,CAAC,CAAC;QACpC,CAAC;QAAC,MAAM,CAAC;YACP,SAAS;QACX,CAAC;IACH,CAAC;IACD,GAAG,CAAC,SAAS,CAAC,kBAAkB,EAAE,aAAa,CAAC,CAAC;IACjD,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAChC,CAAC;AAED,SAAS,aAAa,CAAC,OAAgC;IACrD,OAAO,OAAO,CAAC,KAAK,KAAK,SAAS,IAAI,OAAO,CAAC,GAAG,KAAK,SAAS,CAAC;AAClE,CAAC;AAED,SAAS,WAAW,CAAC,OAAgC,EAAE,QAAgB;IACrE,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC;IACxB,IAAI,OAAO,GAAG,KAAK,QAAQ;QAAE,OAAO,GAAG,KAAK,QAAQ,CAAC;IACrD,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC;QAAE,OAAO,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IACtD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,iBAAiB,CAAC,GAAY;IACrC,MAAM,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC,aAAa,CAAC;IACtC,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IACjD,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC;QAAE,OAAO,IAAI,CAAC;IAC1D,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,YAAY,CAAC,CAAS;IAC7B,iEAAiE;IACjE,OAAO,0BAA0B,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAC5C,CAAC;AAED,SAAS,aAAa,CAAC,OAAgC;IACrD,MAAM,GAAG,GAAG,OAAO,CAAC,KAAK,IAAI,OAAO,CAAC,GAAG,CAAC;IACzC,IAAI,OAAO,GAAG,KAAK,QAAQ;QAAE,OAAO,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IACrE,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC;QAAE,OAAO,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC;IACrF,OAAO,EAAE,CAAC;AACZ,CAAC;AAED,SAAS,kBAAkB,CAAC,GAAY,EAAE,KAAa,EAAE,OAAe;IACtE,OAAO;QACL,UAAU,EAAE,SAAS;QACrB,SAAS,EAAE,KAAK;QAChB,OAAO,EAAE,EAAE,EAAE,wEAAwE;QACrF,KAAK,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,uCAAuC;QAClE,EAAE,EAAE,MAAM,CAAC,GAAG,CAAC;QACf,SAAS,EAAE,aAAa,CAAC,GAAG,CAAC;QAC7B,SAAS,EAAE,aAAa,CAAC,GAAG,CAAC;QAC7B,SAAS,EAAE,aAAa,CAAC,GAAG,CAAC;KAC9B,CAAC;AACJ,CAAC;AAED,SAAS,gBAAgB,CACvB,GAAY,EACZ,GAAW,EACX,MAAgB,EAChB,OAAe;IAEf,OAAO;QACL,UAAU,EAAE,MAAM;QAClB,OAAO,EAAE,GAAG;QACZ,MAAM;QACN,OAAO;QACP,KAAK,EAAE,QAAQ,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE;QAChC,EAAE,EAAE,MAAM,CAAC,GAAG,CAAC;QACf,SAAS,EAAE,aAAa,CAAC,GAAG,CAAC;QAC7B,SAAS,EAAE,aAAa,CAAC,GAAG,CAAC;QAC7B,SAAS,EAAE,aAAa,CAAC,GAAG,CAAC;KAC9B,CAAC;AACJ,CAAC;AAED,SAAS,MAAM,CAAC,GAAY;IAC1B,MAAM,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC;IAC3C,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QAC5B,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC;QACxC,IAAI,KAAK;YAAE,OAAO,KAAK,CAAC;IAC1B,CAAC;IACD,OAAO,GAAG,CAAC,MAAM,CAAC,aAAa,IAAI,EAAE,CAAC;AACxC,CAAC;AAED,SAAS,aAAa,CAAC,GAAY;IACjC,MAAM,EAAE,GAAG,GAAG,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;IACrC,OAAO,OAAO,EAAE,KAAK,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;AAC1C,CAAC;AAED,SAAS,aAAa,CAAC,GAAY;IACjC,MAAM,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC;IAC1C,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,GAAG,CAAC;IAC1D,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,SAAS,aAAa,CAAC,GAAY;IACjC,MAAM,QAAQ,GAAG,GAAG,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC;IAC7C,IAAI,OAAO,QAAQ,KAAK,QAAQ,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,QAAQ,CAAC;IACzE,wDAAwD;IACxD,OAAO,OAAO,IAAI,CAAC,GAAG,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC;AACrF,CAAC;AAED,SAAS,oBAAoB,CAAC,SAAiB;IAC7C,OAAO,8CAA8C,SAAS,wCAAwC,CAAC;AACzG,CAAC;AAED,SAAS,MAAM,CAAC,GAAY;IAC1B,OAAO,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;AAC1D,CAAC"}

package/dist/http/middleware/dcrRateLimit.d.ts

@@ -0,0 +1,29 @@
+import type { RequestHandler } from 'express';
+import type { Logger } from 'pino';
+import type { RedisService } from '../../cache/redis.js';
+/**
+ * Phase 6: Rate-limit middleware для **будущего** Dynamic Client Registration
+ * endpoint (`POST /oauth/register`). DCR ещё не реализован в auth-сервисе —
+ * этот файл — stub'а, готовая к подключению.
+ *
+ * Алгоритм:
+ *   - Redis-based sliding window: один счётчик per IP, ключ `mcp:dcr:rl:{ip}`.
+ *   - INCR + EXPIRE (на первый INCR) на window секунд.
+ *   - Если current > limit → 429 + `Retry-After`.
+ *   - Если Redis недоступен → fail-open (предупреждаем в log).
+ *
+ * Default лимит: 10 регистраций / час / IP. Можно тюнить через опции.
+ *
+ * NB: Подключать middleware ТОЛЬКО когда `/oauth/register` появится.
+ * Сейчас файл существует, но не используется в `http/app.ts`.
+ */
+export interface CreateDcrRateLimitOptions {
+    redis?: RedisService | null;
+    /** Лимит запросов на окно. Default 10. */
+    limit?: number;
+    /** Длина окна в секундах. Default 3600 (1 час). */
+    windowSec?: number;
+    log?: Logger;
+}
+export declare function createDcrRateLimit(opts?: CreateDcrRateLimitOptions): RequestHandler;
+//# sourceMappingURL=dcrRateLimit.d.ts.map

package/dist/http/middleware/dcrRateLimit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"dcrRateLimit.d.ts","sourceRoot":"","sources":["../../../src/http/middleware/dcrRateLimit.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAyB,cAAc,EAAY,MAAM,SAAS,CAAC;AAC/E,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,MAAM,CAAC;AACnC,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AAEzD;;;;;;;;;;;;;;;GAeG;AAEH,MAAM,WAAW,yBAAyB;IACxC,KAAK,CAAC,EAAE,YAAY,GAAG,IAAI,CAAC;IAC5B,0CAA0C;IAC1C,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,mDAAmD;IACnD,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAMD,wBAAgB,kBAAkB,CAAC,IAAI,GAAE,yBAA8B,GAAG,cAAc,CAoDvF"}

package/dist/http/middleware/dcrRateLimit.js

@@ -0,0 +1,59 @@
+const DEFAULT_LIMIT = 10;
+const DEFAULT_WINDOW_SEC = 3600;
+const KEY_PREFIX = 'mcp:dcr:rl:';
+export function createDcrRateLimit(opts = {}) {
+    const redis = opts.redis;
+    const limit = opts.limit ?? DEFAULT_LIMIT;
+    const windowSec = opts.windowSec ?? DEFAULT_WINDOW_SEC;
+    const log = opts.log;
+    return async function dcrRateLimit(req, res, next) {
+        const ip = pickIp(req);
+        if (!ip) {
+            // не определили IP — пропускаем
+            next();
+            return;
+        }
+        if (!redis || redis.unavailable) {
+            log?.warn?.({ ip }, 'dcrRateLimit: Redis unavailable, fail-open');
+            next();
+            return;
+        }
+        const key = `${KEY_PREFIX}${ip}`;
+        try {
+            const raw = redis.raw;
+            if (!raw) {
+                next();
+                return;
+            }
+            const current = await raw.incr(key);
+            if (current === 1) {
+                // первый INCR — выставляем TTL окна.
+                await raw.expire(key, windowSec);
+            }
+            if (current > limit) {
+                const ttl = await raw.ttl(key);
+                res.setHeader('Retry-After', String(Math.max(1, ttl)));
+                res.status(429).json({
+                    error: 'rate_limited',
+                    error_description: `DCR rate limit exceeded (${limit}/${windowSec}s)`,
+                });
+                return;
+            }
+        }
+        catch (err) {
+            // На ошибках Redis — fail-open.
+            log?.warn?.({ err: err.message, ip }, 'dcrRateLimit: Redis error, fail-open');
+        }
+        next();
+    };
+}
+function pickIp(req) {
+    const xff = req.headers['x-forwarded-for'];
+    if (typeof xff === 'string') {
+        const first = xff.split(',')[0]?.trim();
+        if (first)
+            return first;
+    }
+    return req.socket?.remoteAddress ?? '';
+}
+//# sourceMappingURL=dcrRateLimit.js.map

package/dist/http/middleware/dcrRateLimit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"dcrRateLimit.js","sourceRoot":"","sources":["../../../src/http/middleware/dcrRateLimit.ts"],"names":[],"mappings":"AA8BA,MAAM,aAAa,GAAG,EAAE,CAAC;AACzB,MAAM,kBAAkB,GAAG,IAAI,CAAC;AAChC,MAAM,UAAU,GAAG,aAAa,CAAC;AAEjC,MAAM,UAAU,kBAAkB,CAAC,OAAkC,EAAE;IACrE,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC;IACzB,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,IAAI,aAAa,CAAC;IAC1C,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,kBAAkB,CAAC;IACvD,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC;IAErB,OAAO,KAAK,UAAU,YAAY,CAChC,GAAY,EACZ,GAAa,EACb,IAAkB;QAElB,MAAM,EAAE,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC;QACvB,IAAI,CAAC,EAAE,EAAE,CAAC;YACR,gCAAgC;YAChC,IAAI,EAAE,CAAC;YACP,OAAO;QACT,CAAC;QACD,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,WAAW,EAAE,CAAC;YAChC,GAAG,EAAE,IAAI,EAAE,CAAC,EAAE,EAAE,EAAE,EAAE,4CAA4C,CAAC,CAAC;YAClE,IAAI,EAAE,CAAC;YACP,OAAO;QACT,CAAC;QACD,MAAM,GAAG,GAAG,GAAG,UAAU,GAAG,EAAE,EAAE,CAAC;QACjC,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,KAAK,CAAC,GAAG,CAAC;YACtB,IAAI,CAAC,GAAG,EAAE,CAAC;gBACT,IAAI,EAAE,CAAC;gBACP,OAAO;YACT,CAAC;YACD,MAAM,OAAO,GAAG,MAAM,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YACpC,IAAI,OAAO,KAAK,CAAC,EAAE,CAAC;gBAClB,qCAAqC;gBACrC,MAAM,GAAG,CAAC,MAAM,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;YACnC,CAAC;YACD,IAAI,OAAO,GAAG,KAAK,EAAE,CAAC;gBACpB,MAAM,GAAG,GAAG,MAAM,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;gBAC/B,GAAG,CAAC,SAAS,CAAC,aAAa,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC;gBACvD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;oBACnB,KAAK,EAAE,cAAc;oBACrB,iBAAiB,EAAE,4BAA4B,KAAK,IAAI,SAAS,IAAI;iBACtE,CAAC,CAAC;gBACH,OAAO;YACT,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,gCAAgC;YAChC,GAAG,EAAE,IAAI,EAAE,CACT,EAAE,GAAG,EAAG,GAAa,CAAC,OAAO,EAAE,EAAE,EAAE,EACnC,sCAAsC,CACvC,CAAC;QACJ,CAAC;QACD,IAAI,EAAE,CAAC;IACT,CAAC,CAAC;AACJ,CAAC;AAED,SAAS,MAAM,CAAC,GAAY;IAC1B,MAAM,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC;IAC3C,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QAC5B,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC;QACxC,IAAI,KAAK;YAAE,OAAO,KAAK,CAAC;IAC1B,CAAC;IACD,OAAO,GAAG,CAAC,MAAM,EAAE,aAAa,IAAI,EAAE,CAAC;AACzC,CAAC"}

package/dist/http/middleware/errorHandler.d.ts

@@ -0,0 +1,12 @@
+import type { ErrorRequestHandler } from 'express';
+import type { Logger } from 'pino';
+/**
+ * Глобальный error handler для Express. Логирует исключение, отдаёт JSON 500.
+ *
+ * Должен быть зарегистрирован последним (`app.use(errorHandler(log))`).
+ *
+ * Phase 6: предпочитает per-request `req.log` (если установлен в requestId
+ * middleware) — иначе fallback на global logger.
+ */
+export declare function errorHandler(log?: Logger): ErrorRequestHandler;
+//# sourceMappingURL=errorHandler.d.ts.map

package/dist/http/middleware/errorHandler.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"errorHandler.d.ts","sourceRoot":"","sources":["../../../src/http/middleware/errorHandler.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,SAAS,CAAC;AACnD,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,MAAM,CAAC;AAEnC;;;;;;;GAOG;AACH,wBAAgB,YAAY,CAAC,GAAG,CAAC,EAAE,MAAM,GAAG,mBAAmB,CAmB9D"}

package/dist/http/middleware/errorHandler.js

@@ -0,0 +1,26 @@
+/**
+ * Глобальный error handler для Express. Логирует исключение, отдаёт JSON 500.
+ *
+ * Должен быть зарегистрирован последним (`app.use(errorHandler(log))`).
+ *
+ * Phase 6: предпочитает per-request `req.log` (если установлен в requestId
+ * middleware) — иначе fallback на global logger.
+ */
+export function errorHandler(log) {
+    // eslint-disable-next-line @typescript-eslint/no-unused-vars
+    return function expressErrorHandler(err, req, res, _next) {
+        const requestId = typeof req.headers['x-request-id'] === 'string'
+            ? req.headers['x-request-id']
+            : undefined;
+        const reqLog = req.log ?? log;
+        reqLog?.error?.({ err: err instanceof Error ? err.message : String(err), path: req.path }, 'Unhandled error in HTTP handler');
+        if (res.headersSent)
+            return;
+        res.status(500).json({
+            error: 'internal',
+            error_description: 'Internal server error',
+            requestId,
+        });
+    };
+}
+//# sourceMappingURL=errorHandler.js.map

package/dist/http/middleware/errorHandler.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"errorHandler.js","sourceRoot":"","sources":["../../../src/http/middleware/errorHandler.ts"],"names":[],"mappings":"AAGA;;;;;;;GAOG;AACH,MAAM,UAAU,YAAY,CAAC,GAAY;IACvC,6DAA6D;IAC7D,OAAO,SAAS,mBAAmB,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,KAAK;QACtD,MAAM,SAAS,GACb,OAAO,GAAG,CAAC,OAAO,CAAC,cAAc,CAAC,KAAK,QAAQ;YAC7C,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,cAAc,CAAC;YAC7B,CAAC,CAAC,SAAS,CAAC;QAChB,MAAM,MAAM,GAAG,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC;QAC9B,MAAM,EAAE,KAAK,EAAE,CACb,EAAE,GAAG,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,EACzE,iCAAiC,CAClC,CAAC;QACF,IAAI,GAAG,CAAC,WAAW;YAAE,OAAO;QAC5B,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;YACnB,KAAK,EAAE,UAAU;YACjB,iBAAiB,EAAE,uBAAuB;YAC1C,SAAS;SACV,CAAC,CAAC;IACL,CAAC,CAAC;AACJ,CAAC"}

package/dist/http/middleware/originGuard.d.ts

@@ -0,0 +1,28 @@
+import type { RequestHandler } from 'express';
+import type { Logger } from 'pino';
+/**
+ * Phase 6 origin-validation middleware для /els/mcp.
+ *
+ * Семантика:
+ *   - Если запрос пришёл с `Origin` header (browser-based MCP клиент или
+ *     EventSource из веб-приложения) — origin валидируется против whitelist.
+ *     При несовпадении → 403 + `forbidden_origin`.
+ *   - Если `Origin` отсутствует (server-to-server: curl, MCP SDK из node,
+ *     Claude Desktop через stdio-proxy и т. п.) — middleware пропускает.
+ *
+ * Это дополнительная защита над cors():
+ *   - cors() блокирует preflight; но non-preflight POST без credentials
+ *     может пройти.
+ *   - originGuard явно отказывает unknown-origin'ам на пути /els/mcp.
+ *
+ * Wildcard `*` в whitelist: dev-only режим (NODE_ENV !== 'production').
+ */
+export interface CreateOriginGuardOptions {
+    /** Список разрешённых origin'ов. Пустой — guard отключён. */
+    allowed: string[];
+    /** Если true — `*` в whitelist означает «пропускать любой origin». */
+    allowWildcard?: boolean;
+    log?: Logger;
+}
+export declare function createOriginGuard(opts: CreateOriginGuardOptions): RequestHandler;
+//# sourceMappingURL=originGuard.d.ts.map

package/dist/http/middleware/originGuard.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"originGuard.d.ts","sourceRoot":"","sources":["../../../src/http/middleware/originGuard.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAyB,cAAc,EAAY,MAAM,SAAS,CAAC;AAC/E,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,MAAM,CAAC;AAGnC;;;;;;;;;;;;;;;;GAgBG;AAEH,MAAM,WAAW,wBAAwB;IACvC,6DAA6D;IAC7D,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,sEAAsE;IACtE,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,wBAAwB,GAAG,cAAc,CAoDhF"}

package/dist/http/middleware/originGuard.js

@@ -0,0 +1,55 @@
+import { recordAuthRejection } from '../../observability/metrics.js';
+export function createOriginGuard(opts) {
+    const exact = new Set();
+    let wildcard = false;
+    for (const o of opts.allowed) {
+        if (o === '*') {
+            if (opts.allowWildcard)
+                wildcard = true;
+            continue;
+        }
+        if (o === 'http://localhost' || o === 'http://127.0.0.1')
+            continue;
+        exact.add(o);
+    }
+    // dev fallback — допускаем любой localhost-порт если http://localhost есть в списке.
+    const allowLocalhost = opts.allowed.includes('http://localhost');
+    return function originGuard(req, res, next) {
+        const origin = readOrigin(req);
+        // Нет origin — пропускаем (server-to-server).
+        if (!origin) {
+            next();
+            return;
+        }
+        if (wildcard) {
+            next();
+            return;
+        }
+        if (exact.has(origin)) {
+            next();
+            return;
+        }
+        if (allowLocalhost && /^http:\/\/(localhost|127\.0\.0\.1)(:\d+)?$/.test(origin)) {
+            next();
+            return;
+        }
+        try {
+            recordAuthRejection('forbidden_origin');
+        }
+        catch {
+            // не блокируем основной flow
+        }
+        opts.log?.warn?.({ origin, path: req.path }, 'originGuard rejection');
+        res.status(403).json({
+            error: 'forbidden_origin',
+            error_description: `Origin "${origin}" is not allowed`,
+        });
+    };
+}
+function readOrigin(req) {
+    const raw = req.headers.origin;
+    if (typeof raw === 'string' && raw.length > 0)
+        return raw;
+    return null;
+}
+//# sourceMappingURL=originGuard.js.map

package/dist/http/middleware/originGuard.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"originGuard.js","sourceRoot":"","sources":["../../../src/http/middleware/originGuard.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AA4BrE,MAAM,UAAU,iBAAiB,CAAC,IAA8B;IAC9D,MAAM,KAAK,GAAG,IAAI,GAAG,EAAU,CAAC;IAChC,IAAI,QAAQ,GAAG,KAAK,CAAC;IACrB,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;QAC7B,IAAI,CAAC,KAAK,GAAG,EAAE,CAAC;YACd,IAAI,IAAI,CAAC,aAAa;gBAAE,QAAQ,GAAG,IAAI,CAAC;YACxC,SAAS;QACX,CAAC;QACD,IAAI,CAAC,KAAK,kBAAkB,IAAI,CAAC,KAAK,kBAAkB;YAAE,SAAS;QACnE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;IACf,CAAC;IAED,qFAAqF;IACrF,MAAM,cAAc,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAAC,CAAC;IAEjE,OAAO,SAAS,WAAW,CACzB,GAAY,EACZ,GAAa,EACb,IAAkB;QAElB,MAAM,MAAM,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC;QAE/B,8CAA8C;QAC9C,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,IAAI,EAAE,CAAC;YACP,OAAO;QACT,CAAC;QAED,IAAI,QAAQ,EAAE,CAAC;YACb,IAAI,EAAE,CAAC;YACP,OAAO;QACT,CAAC;QACD,IAAI,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;YACtB,IAAI,EAAE,CAAC;YACP,OAAO;QACT,CAAC;QACD,IAAI,cAAc,IAAI,4CAA4C,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;YAChF,IAAI,EAAE,CAAC;YACP,OAAO;QACT,CAAC;QAED,IAAI,CAAC;YACH,mBAAmB,CAAC,kBAAkB,CAAC,CAAC;QAC1C,CAAC;QAAC,MAAM,CAAC;YACP,6BAA6B;QAC/B,CAAC;QACD,IAAI,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,EAAE,uBAAuB,CAAC,CAAC;QACtE,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;YACnB,KAAK,EAAE,kBAAkB;YACzB,iBAAiB,EAAE,WAAW,MAAM,kBAAkB;SACvD,CAAC,CAAC;IACL,CAAC,CAAC;AACJ,CAAC;AAED,SAAS,UAAU,CAAC,GAAY;IAC9B,MAAM,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC;IAC/B,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,GAAG,CAAC;IAC1D,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/http/middleware/requestId.d.ts

@@ -0,0 +1,19 @@
+import type { RequestHandler } from 'express';
+import type { Logger } from 'pino';
+/**
+ * Простой request-id middleware. Принимает существующий `X-Request-Id`, либо
+ * генерирует новый UUIDv4. Кладёт в `req.headers['x-request-id']`, чтобы
+ * downstream middleware (auth) могли подхватить его в context.
+ *
+ * Также ставит response header `X-Request-Id` для клиента (полезно при триаже).
+ *
+ * Phase 6: если передан base logger — добавляем `req.log = base.child({...})`
+ * с per-request полями (`requestId`, `sessionId`). Downstream middleware
+ * (auth, errorHandler) могут использовать `req.log` для лучшей корреляции.
+ */
+export interface RequestIdOptions {
+    /** Базовый pino-логгер. Если задан — каждому запросу создаётся child. */
+    logger?: Logger;
+}
+export declare function requestId(opts?: RequestIdOptions): RequestHandler;
+//# sourceMappingURL=requestId.d.ts.map

package/dist/http/middleware/requestId.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"requestId.d.ts","sourceRoot":"","sources":["../../../src/http/middleware/requestId.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAyB,cAAc,EAAY,MAAM,SAAS,CAAC;AAE/E,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,MAAM,CAAC;AAEnC;;;;;;;;;;GAUG;AACH,MAAM,WAAW,gBAAgB;IAC/B,yEAAyE;IACzE,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,wBAAgB,SAAS,CAAC,IAAI,GAAE,gBAAqB,GAAG,cAAc,CA0BrE"}

package/dist/http/middleware/requestId.js

@@ -0,0 +1,23 @@
+import { randomUUID } from 'node:crypto';
+export function requestId(opts = {}) {
+    const baseLogger = opts.logger;
+    return function requestIdMiddleware(req, res, next) {
+        let id = req.headers['x-request-id'];
+        if (typeof id !== 'string' || id.length === 0) {
+            id = randomUUID();
+            req.headers['x-request-id'] = id;
+        }
+        res.setHeader('X-Request-Id', id);
+        if (baseLogger) {
+            const sid = typeof req.headers['mcp-session-id'] === 'string'
+                ? req.headers['mcp-session-id']
+                : undefined;
+            req.log = baseLogger.child({
+                requestId: id,
+                ...(sid !== undefined ? { sessionId: sid } : {}),
+            });
+        }
+        next();
+    };
+}
+//# sourceMappingURL=requestId.js.map

package/dist/http/middleware/requestId.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"requestId.js","sourceRoot":"","sources":["../../../src/http/middleware/requestId.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAmBzC,MAAM,UAAU,SAAS,CAAC,OAAyB,EAAE;IACnD,MAAM,UAAU,GAAG,IAAI,CAAC,MAAM,CAAC;IAC/B,OAAO,SAAS,mBAAmB,CACjC,GAAY,EACZ,GAAa,EACb,IAAkB;QAElB,IAAI,EAAE,GAAG,GAAG,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC;QACrC,IAAI,OAAO,EAAE,KAAK,QAAQ,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC9C,EAAE,GAAG,UAAU,EAAE,CAAC;YAClB,GAAG,CAAC,OAAO,CAAC,cAAc,CAAC,GAAG,EAAE,CAAC;QACnC,CAAC;QACD,GAAG,CAAC,SAAS,CAAC,cAAc,EAAE,EAAE,CAAC,CAAC;QAElC,IAAI,UAAU,EAAE,CAAC;YACf,MAAM,GAAG,GACP,OAAO,GAAG,CAAC,OAAO,CAAC,gBAAgB,CAAC,KAAK,QAAQ;gBAC/C,CAAC,CAAE,GAAG,CAAC,OAAO,CAAC,gBAAgB,CAAY;gBAC3C,CAAC,CAAC,SAAS,CAAC;YAChB,GAAG,CAAC,GAAG,GAAG,UAAU,CAAC,KAAK,CAAC;gBACzB,SAAS,EAAE,EAAE;gBACb,GAAG,CAAC,GAAG,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,SAAS,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;aACjD,CAAC,CAAC;QACL,CAAC;QACD,IAAI,EAAE,CAAC;IACT,CAAC,CAAC;AACJ,CAAC"}

package/dist/http/routes/health.d.ts

@@ -0,0 +1,24 @@
+import { Router } from 'express';
+import type { Logger } from 'pino';
+import type { ElsClient } from '../../elsClient.js';
+import type { RedisService } from '../../cache/redis.js';
+/**
+ * Health endpoints:
+ *   - `GET /health`  — INSO Uptime-совместимый формат: `{status, uptime, version, hostname}`.
+ *                     Используется LK Uptime Service (health-monitor) для мониторинга,
+ *                     парсит поле `version` (BUILD_VERSION из CI).
+ *   - `GET /healthz` — liveness (legacy alias). Всегда 200.
+ *   - `GET /readyz`  — readiness. Проверяет upstream ELS И Redis.
+ */
+export interface CreateHealthOptions {
+    elsClient?: ElsClient;
+    redis?: RedisService;
+    /** Дополнительные probe'ы (БД, etc.) — будут вызваны последовательно. */
+    probes?: Array<{
+        name: string;
+        check: () => Promise<void>;
+    }>;
+    log?: Logger;
+}
+export declare function createHealthRouter(opts?: CreateHealthOptions): Router;
+//# sourceMappingURL=health.d.ts.map

package/dist/http/routes/health.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"health.d.ts","sourceRoot":"","sources":["../../../src/http/routes/health.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAuB,MAAM,SAAS,CAAC;AAEtD,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,MAAM,CAAC;AACnC,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AACpD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AAMzD;;;;;;;GAOG;AAEH,MAAM,WAAW,mBAAmB;IAClC,SAAS,CAAC,EAAE,SAAS,CAAC;IACtB,KAAK,CAAC,EAAE,YAAY,CAAC;IACrB,yEAAyE;IACzE,MAAM,CAAC,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAA;KAAE,CAAC,CAAC;IAC7D,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED,wBAAgB,kBAAkB,CAAC,IAAI,GAAE,mBAAwB,GAAG,MAAM,CAOzE"}