@keystrokehq/keystroke 1.0.22 → 1.0.24

package/dist/{dist-DN31JPna.mjs → dist-24hGLXP2.mjs}

@@ -17286,7 +17286,7 @@ async function connectMcpServer(name, options) {
 }
 async function createTransport(url, transport, requestInit, fetchImpl) {
 	if (transport === "sse") {
-		const { SSEClientTransport } = await import("./sse-DUu9Naud.mjs");
+		const { SSEClientTransport } = await import("./sse-2x1Rj7T8.mjs");
 		return new SSEClientTransport(url, {
 			requestInit,
 			fetch: fetchImpl
@@ -17489,6 +17489,95 @@ const authVerificationsSqlite = sqliteTable("verification", {
 	createdAt: integer("created_at", { mode: "timestamp_ms" }).notNull(),
 	updatedAt: integer("updated_at", { mode: "timestamp_ms" }).notNull()
 }, (table) => [index("verification_identifier_idx").on(table.identifier)]);
+/**
+* Tables backing keystroke as an OAuth 2.1 Authorization Server for the
+* Universal MCP server: dynamically-registered MCP/AI clients, their issued
+* access/refresh tokens, and consent records.
+*
+* NOT to be confused with `oauth_apps` / `oauth_connections`, which model the
+* inverse — keystroke as an OAuth *client* storing our users' connections to
+* third-party providers. These `mcp_oauth_*` tables are the provider side.
+*
+* Wired to Better Auth via the Drizzle adapter (`authSchemaFor`). Better Auth
+* addresses these by its fixed model names (`oauthApplication`,
+* `oauthAccessToken`, `oauthConsent`) and by field name (the JS property keys
+* below); the physical table/column names are ours to choose.
+*
+* Note: access/refresh tokens are stored as opaque plaintext bearer strings
+* (the Better Auth mcp plugin looks them up directly and cannot hash them),
+* consistent with how the `sessions` table stores session tokens. They are
+* short-lived; rely on DB access controls + at-rest encryption.
+*/
+const mcpOauthClient = pgTable("mcp_oauth_client", {
+	id: text$1("id").primaryKey(),
+	name: text$1("name").notNull(),
+	icon: text$1("icon"),
+	metadata: text$1("metadata"),
+	clientId: text$1("client_id").notNull().unique(),
+	clientSecret: text$1("client_secret"),
+	redirectUrls: text$1("redirect_urls").notNull(),
+	type: text$1("type").notNull(),
+	disabled: boolean("disabled").notNull().default(false),
+	userId: text$1("user_id").references(() => users.id, { onDelete: "cascade" }),
+	createdAt: timestamp("created_at", { withTimezone: true }).notNull(),
+	updatedAt: timestamp("updated_at", { withTimezone: true }).notNull()
+}, (table) => [index$1("mcp_oauth_client_user_id_idx").on(table.userId)]);
+const mcpOauthClientSqlite = sqliteTable("mcp_oauth_client", {
+	id: text("id").primaryKey(),
+	name: text("name").notNull(),
+	icon: text("icon"),
+	metadata: text("metadata"),
+	clientId: text("client_id").notNull().unique(),
+	clientSecret: text("client_secret"),
+	redirectUrls: text("redirect_urls").notNull(),
+	type: text("type").notNull(),
+	disabled: integer("disabled", { mode: "boolean" }).notNull().default(false),
+	userId: text("user_id").references(() => usersSqlite.id, { onDelete: "cascade" }),
+	createdAt: integer("created_at", { mode: "timestamp_ms" }).notNull(),
+	updatedAt: integer("updated_at", { mode: "timestamp_ms" }).notNull()
+}, (table) => [index("mcp_oauth_client_user_id_idx").on(table.userId)]);
+const mcpOauthAccessToken = pgTable("mcp_oauth_access_token", {
+	id: text$1("id").primaryKey(),
+	accessToken: text$1("access_token").notNull().unique(),
+	refreshToken: text$1("refresh_token").unique(),
+	accessTokenExpiresAt: timestamp("access_token_expires_at", { withTimezone: true }),
+	refreshTokenExpiresAt: timestamp("refresh_token_expires_at", { withTimezone: true }),
+	clientId: text$1("client_id").notNull(),
+	userId: text$1("user_id").references(() => users.id, { onDelete: "cascade" }),
+	scopes: text$1("scopes"),
+	createdAt: timestamp("created_at", { withTimezone: true }).notNull(),
+	updatedAt: timestamp("updated_at", { withTimezone: true }).notNull()
+}, (table) => [index$1("mcp_oauth_access_token_client_id_idx").on(table.clientId), index$1("mcp_oauth_access_token_user_id_idx").on(table.userId)]);
+const mcpOauthAccessTokenSqlite = sqliteTable("mcp_oauth_access_token", {
+	id: text("id").primaryKey(),
+	accessToken: text("access_token").notNull().unique(),
+	refreshToken: text("refresh_token").unique(),
+	accessTokenExpiresAt: integer("access_token_expires_at", { mode: "timestamp_ms" }),
+	refreshTokenExpiresAt: integer("refresh_token_expires_at", { mode: "timestamp_ms" }),
+	clientId: text("client_id").notNull(),
+	userId: text("user_id").references(() => usersSqlite.id, { onDelete: "cascade" }),
+	scopes: text("scopes"),
+	createdAt: integer("created_at", { mode: "timestamp_ms" }).notNull(),
+	updatedAt: integer("updated_at", { mode: "timestamp_ms" }).notNull()
+}, (table) => [index("mcp_oauth_access_token_client_id_idx").on(table.clientId), index("mcp_oauth_access_token_user_id_idx").on(table.userId)]);
+const mcpOauthConsent = pgTable("mcp_oauth_consent", {
+	id: text$1("id").primaryKey(),
+	clientId: text$1("client_id").notNull(),
+	userId: text$1("user_id").notNull().references(() => users.id, { onDelete: "cascade" }),
+	scopes: text$1("scopes"),
+	consentGiven: boolean("consent_given").notNull().default(false),
+	createdAt: timestamp("created_at", { withTimezone: true }).notNull(),
+	updatedAt: timestamp("updated_at", { withTimezone: true }).notNull()
+}, (table) => [index$1("mcp_oauth_consent_client_id_idx").on(table.clientId), index$1("mcp_oauth_consent_user_id_idx").on(table.userId)]);
+const mcpOauthConsentSqlite = sqliteTable("mcp_oauth_consent", {
+	id: text("id").primaryKey(),
+	clientId: text("client_id").notNull(),
+	userId: text("user_id").notNull().references(() => usersSqlite.id, { onDelete: "cascade" }),
+	scopes: text("scopes"),
+	consentGiven: integer("consent_given", { mode: "boolean" }).notNull().default(false),
+	createdAt: integer("created_at", { mode: "timestamp_ms" }).notNull(),
+	updatedAt: integer("updated_at", { mode: "timestamp_ms" }).notNull()
+}, (table) => [index("mcp_oauth_consent_client_id_idx").on(table.clientId), index("mcp_oauth_consent_user_id_idx").on(table.userId)]);
 createRequire(import.meta.url);
 function buildPgSchema(registry) {
 	return Object.fromEntries(Object.entries(registry).map(([name, { pg }]) => [name, pg]));
@@ -17918,6 +18007,18 @@ const tableRegistry = {
 		pg: oauthConnections,
 		sqlite: oauthConnectionsSqlite
 	},
+	mcpOauthClient: {
+		pg: mcpOauthClient,
+		sqlite: mcpOauthClientSqlite
+	},
+	mcpOauthAccessToken: {
+		pg: mcpOauthAccessToken,
+		sqlite: mcpOauthAccessTokenSqlite
+	},
+	mcpOauthConsent: {
+		pg: mcpOauthConsent,
+		sqlite: mcpOauthConsentSqlite
+	},
 	secretValues: {
 		pg: secretValues,
 		sqlite: secretValuesSqlite
@@ -18840,4 +18941,4 @@ async function resolveActionCredentials(requirements, options) {
 //#endregion
 export { recordLlmUsageFromAssistantMessage as A, appendEvent as C, getProjectScopeId as D, getAgentByRoute as E, captureConsole as F, getTraceContext as I, logSystem as L, setSessionLiveMessage as M, setSessionTitle as N, getSession as O, touchSession as P, withSpan as R, addAgentSessionDuration as S, createSession as T, createFetchWithInit as _, resolveActionCredentials as a, JSONRPCMessageSchema as b, connectMcpDefinition as c, defineMcp as d, isMcp as f, extractWWWAuthenticateParams as g, auth as h, isCredentialError as i, resolveRunSourceFromTraceContext as j, listMessageEvents as k, connectMcpServer as l, UnauthorizedError as m, captureCredentialToolErrors as n, resolveMcpTools as o, createParser as p, createCredentialResolver as r, withCredentialAssignments as s, buildCredentialRunContext as t, connectMcpStdio as u, normalizeHeaders as v, clearLiveMessage as w, MESSAGE_EVENT_TYPE as x, zodToJsonSchema as y };
 
-//# sourceMappingURL=dist-DN31JPna.mjs.map
+//# sourceMappingURL=dist-24hGLXP2.mjs.map