@kontext-dev/js-sdk 0.1.0

package/dist/kontext-CgIBANFo.d.cts

@@ -0,0 +1,308 @@
+import { Router } from 'express';
+import * as _modelcontextprotocol_sdk_server_streamableHttp_js from '@modelcontextprotocol/sdk/server/streamableHttp.js';
+import * as _modelcontextprotocol_sdk_server_auth_types_js from '@modelcontextprotocol/sdk/server/auth/types.js';
+import * as _modelcontextprotocol_sdk_shared_auth_js from '@modelcontextprotocol/sdk/shared/auth.js';
+import * as _modelcontextprotocol_sdk_server_auth_provider_js from '@modelcontextprotocol/sdk/server/auth/provider.js';
+import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
+
+/**
+ * Known integration short names.
+ *
+ * Custom integrations can be passed as arbitrary strings.
+ */
+type KnownIntegration = "github" | "gmail" | "google-calendar" | "google-drive" | "slack" | "linear" | "notion" | "jira" | "confluence" | "figma" | "stripe" | "shopify" | "salesforce" | "hubspot" | "asana" | "discord" | "twilio" | "sendgrid" | "openai" | "anthropic";
+/**
+ * An integration name — either a well-known short name or a custom string.
+ */
+type IntegrationName = KnownIntegration | (string & {});
+/**
+ * A credential returned by `kontext.require()`.
+ *
+ * Provides the access token and a pre-formatted authorization header.
+ *
+ * @example
+ * ```typescript
+ * const github = await kontext.require("github", token);
+ * const res = await fetch("https://api.github.com/user", {
+ *   headers: { Authorization: github.authorization },
+ * });
+ * ```
+ */
+interface IntegrationCredential {
+    /** The raw access token for the integration */
+    accessToken: string;
+    /** Token type (usually "Bearer") */
+    tokenType: string;
+    /**
+     * Pre-formatted authorization header value.
+     * Typically `"Bearer <accessToken>"`, ready to use in HTTP headers.
+     */
+    authorization: string;
+    /** Time in seconds until the token expires (undefined = no expiry info) */
+    expiresIn?: number;
+    /** Scopes granted by the integration */
+    scope?: string;
+    /** The integration name this credential was issued for */
+    integration: IntegrationName;
+}
+/**
+ * A decrypted per-user credential map for internal MCP integrations.
+ */
+interface IntegrationResolvedCredentials {
+    /** The original integration identifier passed to requireCredentials() */
+    integration: IntegrationName;
+    /** Canonical integration UUID */
+    integrationId: string;
+    /** Credential key/value map resolved for the current user */
+    credentials: Record<string, string>;
+}
+/**
+ * Configuration for the `Kontext` class.
+ *
+ * @example
+ * ```typescript
+ * const kontext = new Kontext({ clientId: "mcp_my-server" });
+ * ```
+ */
+interface KontextOptions {
+    /** OAuth client ID from the Kontext dashboard. */
+    clientId: string;
+    /** Kontext API base URL. @default "https://api.kontext.dev" */
+    apiUrl?: string;
+    /** OAuth client secret. @default KONTEXT_CLIENT_SECRET env var */
+    clientSecret?: string;
+    /**
+     * Optional token issuer override(s) accepted during bearer token validation.
+     * Use this when your OAuth server issues tokens with an issuer different from
+     * the public metadata issuer.
+     *
+     * @default KONTEXT_TOKEN_ISSUER env var (comma-separated values supported)
+     */
+    tokenIssuer?: string | string[];
+}
+/**
+ * A factory function that creates a fresh `McpServer` instance per session.
+ *
+ * Use this in production to support concurrent MCP sessions — `McpServer.connect()`
+ * is 1:1 per the MCP spec, so sharing a single instance across sessions will throw.
+ */
+type McpServerFactory = () => McpServer;
+/**
+ * An `McpServer` instance (for single-session / local dev) or a factory
+ * function that creates one per session (for concurrent production use).
+ */
+type McpServerOrFactory = McpServer | McpServerFactory;
+
+/**
+ * Options for `kontext.middleware(server)`.
+ */
+interface MiddlewareOptions {
+    /** Path for the MCP transport endpoint. @default "/mcp" */
+    mcpPath?: string;
+    /** URL of this server (for resource metadata). Auto-detected from request if not set. */
+    resourceServerUrl?: string;
+    /**
+     * Skip OAuth metadata fetching and bearer auth entirely.
+     * Useful for local development and testing with the MCP Inspector.
+     *
+     * **Never use in production.**
+     */
+    dangerouslyOmitAuth?: boolean;
+    /**
+     * Custom token verifier. Replaces the built-in `KontextTokenVerifier`.
+     *
+     * Use this to integrate custom session resolution (e.g. a gateway's
+     * internal verification API) while still using the middleware's
+     * transport, metadata, and session management.
+     *
+     * When provided, the middleware skips JWKS-based verification and
+     * delegates entirely to this verifier.
+     */
+    verifier?: _modelcontextprotocol_sdk_server_auth_provider_js.OAuthTokenVerifier;
+    /**
+     * Transform OAuth metadata after fetching from the authorization server.
+     *
+     * Useful for URL rewriting (e.g. replacing internal Hydra URLs with
+     * public-facing URLs in a gateway setup).
+     *
+     * The transform runs before the middleware rewrites the `issuer` field.
+     */
+    metadataTransform?: (metadata: _modelcontextprotocol_sdk_shared_auth_js.OAuthMetadata) => _modelcontextprotocol_sdk_shared_auth_js.OAuthMetadata;
+    /**
+     * Called after a new MCP session is initialized.
+     *
+     * When a custom `verifier` is provided, `authInfo` contains the
+     * result of that verifier (including `extra` fields). This allows
+     * the gateway to receive rich session context.
+     *
+     * The `transport` is provided so callers can manage session
+     * lifecycle (e.g. closing on revocation).
+     */
+    onSessionInitialized?: (sessionId: string, authInfo?: _modelcontextprotocol_sdk_server_auth_types_js.AuthInfo, transport?: _modelcontextprotocol_sdk_server_streamableHttp_js.StreamableHTTPServerTransport) => void;
+    /** Called when an MCP session is closed. */
+    onSessionClosed?: (sessionId: string) => void;
+    /** Maximum request body size for MCP POST requests. Passed to express.json({ limit }). @default "1mb" */
+    bodyLimit?: string | number;
+}
+
+/**
+ * Kontext — the v3 server SDK entry point.
+ *
+ * Two methods:
+ *   kontext.middleware(server) — Express middleware (auth + metadata + transport + sessions)
+ *   kontext.require(integration, token) — RFC 8693 token exchange with caching
+ *   kontext.requireCredentials(integration, token) — Resolve per-user internal credentials
+ *
+ * @example Factory pattern (recommended for production — supports concurrent sessions)
+ * ```typescript
+ * import { Kontext } from "@kontext-dev/js-sdk/server";
+ * import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+ * import express from "express";
+ *
+ * const kontext = new Kontext({ clientId: "mcp_my-server" });
+ *
+ * function createServer() {
+ *   const server = new McpServer({ name: "my-server", version: "1.0.0" });
+ *   server.tool("list_repos", {}, async (args, { authInfo }) => {
+ *     const github = await kontext.require("github", authInfo!.token);
+ *     const res = await fetch("https://api.github.com/user/repos", {
+ *       headers: { Authorization: github.authorization },
+ *     });
+ *     return { content: [{ type: "text", text: JSON.stringify(await res.json()) }] };
+ *   });
+ *   return server;
+ * }
+ *
+ * const app = express();
+ * app.use(kontext.middleware(createServer)); // /mcp endpoint + /.well-known/* metadata
+ * app.listen(3000);
+ * ```
+ */
+
+/**
+ * The v3 Kontext server SDK.
+ *
+ * Provides two methods:
+ * - `middleware(server)` — Express Router with auth metadata, bearer validation, and MCP transport.
+ *    Accepts an `McpServer` instance (single-session) or a factory `() => McpServer` (concurrent sessions).
+ * - `require(integration, token)` — RFC 8693 token exchange with in-memory caching
+ * - `requireCredentials(integration, token)` — Resolve per-user credential maps for internal integrations
+ */
+declare class Kontext {
+    private static readonly shutdownInstances;
+    private static shutdownHandlersRegistered;
+    private readonly clientId;
+    private readonly clientSecret;
+    private readonly apiUrl;
+    private readonly tokenIssuers;
+    private oauthMetadata;
+    private metadataFetchedAt;
+    private metadataPromise;
+    private readonly credentialCache;
+    private readonly resolvedCredentialCache;
+    private readonly runtimeAuthCache;
+    private readonly runtimeVerifierIds;
+    private runtimeVerifierIdCounter;
+    private serviceToken;
+    private serviceTokenExp;
+    private serviceTokenPromise;
+    private readonly agentSessionIds;
+    private readonly pendingSessionDisconnects;
+    constructor(options: KontextOptions);
+    /**
+     * Cleanup method for runtimes that create/dispose SDK instances dynamically.
+     * Ensures this instance can be garbage-collected by removing static references.
+     */
+    destroy(): Promise<void>;
+    private static ensureShutdownHandlers;
+    /**
+     * Express middleware: `.well-known` metadata + bearer auth + MCP transport + sessions.
+     *
+     * Must be mounted at the app root (not a sub-path) because RFC 9728 requires
+     * `/.well-known/oauth-protected-resource` at the root. Use `mcpPath` to set
+     * the transport endpoint path.
+     *
+     * @param server - An `McpServer` instance for single-session use, or a
+     *   `() => McpServer` factory for concurrent sessions (recommended in production).
+     *   `McpServer.connect()` is 1:1 per the MCP spec — passing a factory ensures
+     *   each session gets its own instance.
+     *
+     * @example Factory pattern (recommended for concurrent sessions)
+     * ```typescript
+     * app.use(kontext.middleware(() => createServer()));
+     * ```
+     *
+     * @example Single instance (local dev / single session)
+     * ```typescript
+     * app.use(kontext.middleware(server));
+     * ```
+     *
+     * @example Custom path
+     * ```typescript
+     * app.use(kontext.middleware(createServer, { mcpPath: "/api/mcp" }));
+     * ```
+     */
+    middleware(server: McpServerOrFactory, options?: MiddlewareOptions): Router;
+    /**
+     * Exchange a user's access token for an integration credential.
+     *
+     * @param integration - Integration name (e.g., "github")
+     * @param token - The user's Bearer token (from `authInfo.token`)
+     * @returns Integration credential with `accessToken` and `authorization` header
+     *
+     * @throws {IntegrationConnectionRequiredError} User hasn't connected this integration
+     * @throws {OAuthError} Token exchange failed
+     */
+    require(integration: IntegrationName, token: string): Promise<IntegrationCredential>;
+    /**
+     * Resolve per-user credential key/value pairs for an internal MCP integration.
+     *
+     * @param integration - Integration UUID or name
+     * @param token - The user's Bearer token (from `authInfo.token`)
+     * @returns Decrypted credential map for the current user and integration
+     *
+     * @throws {IntegrationConnectionRequiredError} User has not provided required credentials
+     * @throws {OAuthError} Runtime credential resolution failed
+     */
+    requireCredentials(integration: IntegrationName, token: string): Promise<IntegrationResolvedCredentials>;
+    private getGatewayAudiences;
+    private isGatewayScopedToken;
+    private extractTokenAudiences;
+    private resolveRuntimeIntegrationId;
+    private isUuid;
+    /**
+     * Fetch a browser-openable connect URL for a missing integration.
+     *
+     * Per the integration-interrupt-flow spec, the SDK:
+     * 1. Exchanges the user's token for a resource-scoped mcp-gateway JWT
+     * 2. Calls POST /mcp/integrations/:id/oauth/init with that JWT
+     * 3. Returns the `connectUrl` (intermediate endpoint with one-time token)
+     *
+     * The connect URL points to our own server (ticket pattern), which
+     * validates the ticket, sets a browser session cookie, then redirects
+     * to the actual OAuth provider.
+     */
+    private fetchConnectUrl;
+    private getOAuthMetadata;
+    private applyMetadataTransform;
+    private cloneOAuthMetadata;
+    private fetchOAuthMetadata;
+    private resolveResourceServerUrl;
+    private getOrCreateRuntimeAuthContext;
+    private getRuntimeAuthCacheKey;
+    private respondMetadataInitError;
+    private evictExpiredCredentials;
+    private evictExpiredResolvedCredentials;
+    private trimCacheToFit;
+    private createTokenVerifier;
+    private getServiceToken;
+    private reportEvent;
+    private createAgentSession;
+    private disconnectAgentSessionByAgentSessionId;
+    private disconnectAgentSession;
+    private disconnectAllSessions;
+    private runBearerAuth;
+    private createMcpHandler;
+}
+
+export { type IntegrationCredential as I, type KnownIntegration as K, type McpServerFactory as M, type IntegrationName as a, type IntegrationResolvedCredentials as b, Kontext as c, type KontextOptions as d, type McpServerOrFactory as e, type MiddlewareOptions as f };

package/dist/kontext-CgIBANFo.d.ts

@@ -0,0 +1,308 @@
+import { Router } from 'express';
+import * as _modelcontextprotocol_sdk_server_streamableHttp_js from '@modelcontextprotocol/sdk/server/streamableHttp.js';
+import * as _modelcontextprotocol_sdk_server_auth_types_js from '@modelcontextprotocol/sdk/server/auth/types.js';
+import * as _modelcontextprotocol_sdk_shared_auth_js from '@modelcontextprotocol/sdk/shared/auth.js';
+import * as _modelcontextprotocol_sdk_server_auth_provider_js from '@modelcontextprotocol/sdk/server/auth/provider.js';
+import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
+
+/**
+ * Known integration short names.
+ *
+ * Custom integrations can be passed as arbitrary strings.
+ */
+type KnownIntegration = "github" | "gmail" | "google-calendar" | "google-drive" | "slack" | "linear" | "notion" | "jira" | "confluence" | "figma" | "stripe" | "shopify" | "salesforce" | "hubspot" | "asana" | "discord" | "twilio" | "sendgrid" | "openai" | "anthropic";
+/**
+ * An integration name — either a well-known short name or a custom string.
+ */
+type IntegrationName = KnownIntegration | (string & {});
+/**
+ * A credential returned by `kontext.require()`.
+ *
+ * Provides the access token and a pre-formatted authorization header.
+ *
+ * @example
+ * ```typescript
+ * const github = await kontext.require("github", token);
+ * const res = await fetch("https://api.github.com/user", {
+ *   headers: { Authorization: github.authorization },
+ * });
+ * ```
+ */
+interface IntegrationCredential {
+    /** The raw access token for the integration */
+    accessToken: string;
+    /** Token type (usually "Bearer") */
+    tokenType: string;
+    /**
+     * Pre-formatted authorization header value.
+     * Typically `"Bearer <accessToken>"`, ready to use in HTTP headers.
+     */
+    authorization: string;
+    /** Time in seconds until the token expires (undefined = no expiry info) */
+    expiresIn?: number;
+    /** Scopes granted by the integration */
+    scope?: string;
+    /** The integration name this credential was issued for */
+    integration: IntegrationName;
+}
+/**
+ * A decrypted per-user credential map for internal MCP integrations.
+ */
+interface IntegrationResolvedCredentials {
+    /** The original integration identifier passed to requireCredentials() */
+    integration: IntegrationName;
+    /** Canonical integration UUID */
+    integrationId: string;
+    /** Credential key/value map resolved for the current user */
+    credentials: Record<string, string>;
+}
+/**
+ * Configuration for the `Kontext` class.
+ *
+ * @example
+ * ```typescript
+ * const kontext = new Kontext({ clientId: "mcp_my-server" });
+ * ```
+ */
+interface KontextOptions {
+    /** OAuth client ID from the Kontext dashboard. */
+    clientId: string;
+    /** Kontext API base URL. @default "https://api.kontext.dev" */
+    apiUrl?: string;
+    /** OAuth client secret. @default KONTEXT_CLIENT_SECRET env var */
+    clientSecret?: string;
+    /**
+     * Optional token issuer override(s) accepted during bearer token validation.
+     * Use this when your OAuth server issues tokens with an issuer different from
+     * the public metadata issuer.
+     *
+     * @default KONTEXT_TOKEN_ISSUER env var (comma-separated values supported)
+     */
+    tokenIssuer?: string | string[];
+}
+/**
+ * A factory function that creates a fresh `McpServer` instance per session.
+ *
+ * Use this in production to support concurrent MCP sessions — `McpServer.connect()`
+ * is 1:1 per the MCP spec, so sharing a single instance across sessions will throw.
+ */
+type McpServerFactory = () => McpServer;
+/**
+ * An `McpServer` instance (for single-session / local dev) or a factory
+ * function that creates one per session (for concurrent production use).
+ */
+type McpServerOrFactory = McpServer | McpServerFactory;
+
+/**
+ * Options for `kontext.middleware(server)`.
+ */
+interface MiddlewareOptions {
+    /** Path for the MCP transport endpoint. @default "/mcp" */
+    mcpPath?: string;
+    /** URL of this server (for resource metadata). Auto-detected from request if not set. */
+    resourceServerUrl?: string;
+    /**
+     * Skip OAuth metadata fetching and bearer auth entirely.
+     * Useful for local development and testing with the MCP Inspector.
+     *
+     * **Never use in production.**
+     */
+    dangerouslyOmitAuth?: boolean;
+    /**
+     * Custom token verifier. Replaces the built-in `KontextTokenVerifier`.
+     *
+     * Use this to integrate custom session resolution (e.g. a gateway's
+     * internal verification API) while still using the middleware's
+     * transport, metadata, and session management.
+     *
+     * When provided, the middleware skips JWKS-based verification and
+     * delegates entirely to this verifier.
+     */
+    verifier?: _modelcontextprotocol_sdk_server_auth_provider_js.OAuthTokenVerifier;
+    /**
+     * Transform OAuth metadata after fetching from the authorization server.
+     *
+     * Useful for URL rewriting (e.g. replacing internal Hydra URLs with
+     * public-facing URLs in a gateway setup).
+     *
+     * The transform runs before the middleware rewrites the `issuer` field.
+     */
+    metadataTransform?: (metadata: _modelcontextprotocol_sdk_shared_auth_js.OAuthMetadata) => _modelcontextprotocol_sdk_shared_auth_js.OAuthMetadata;
+    /**
+     * Called after a new MCP session is initialized.
+     *
+     * When a custom `verifier` is provided, `authInfo` contains the
+     * result of that verifier (including `extra` fields). This allows
+     * the gateway to receive rich session context.
+     *
+     * The `transport` is provided so callers can manage session
+     * lifecycle (e.g. closing on revocation).
+     */
+    onSessionInitialized?: (sessionId: string, authInfo?: _modelcontextprotocol_sdk_server_auth_types_js.AuthInfo, transport?: _modelcontextprotocol_sdk_server_streamableHttp_js.StreamableHTTPServerTransport) => void;
+    /** Called when an MCP session is closed. */
+    onSessionClosed?: (sessionId: string) => void;
+    /** Maximum request body size for MCP POST requests. Passed to express.json({ limit }). @default "1mb" */
+    bodyLimit?: string | number;
+}
+
+/**
+ * Kontext — the v3 server SDK entry point.
+ *
+ * Two methods:
+ *   kontext.middleware(server) — Express middleware (auth + metadata + transport + sessions)
+ *   kontext.require(integration, token) — RFC 8693 token exchange with caching
+ *   kontext.requireCredentials(integration, token) — Resolve per-user internal credentials
+ *
+ * @example Factory pattern (recommended for production — supports concurrent sessions)
+ * ```typescript
+ * import { Kontext } from "@kontext-dev/js-sdk/server";
+ * import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+ * import express from "express";
+ *
+ * const kontext = new Kontext({ clientId: "mcp_my-server" });
+ *
+ * function createServer() {
+ *   const server = new McpServer({ name: "my-server", version: "1.0.0" });
+ *   server.tool("list_repos", {}, async (args, { authInfo }) => {
+ *     const github = await kontext.require("github", authInfo!.token);
+ *     const res = await fetch("https://api.github.com/user/repos", {
+ *       headers: { Authorization: github.authorization },
+ *     });
+ *     return { content: [{ type: "text", text: JSON.stringify(await res.json()) }] };
+ *   });
+ *   return server;
+ * }
+ *
+ * const app = express();
+ * app.use(kontext.middleware(createServer)); // /mcp endpoint + /.well-known/* metadata
+ * app.listen(3000);
+ * ```
+ */
+
+/**
+ * The v3 Kontext server SDK.
+ *
+ * Provides two methods:
+ * - `middleware(server)` — Express Router with auth metadata, bearer validation, and MCP transport.
+ *    Accepts an `McpServer` instance (single-session) or a factory `() => McpServer` (concurrent sessions).
+ * - `require(integration, token)` — RFC 8693 token exchange with in-memory caching
+ * - `requireCredentials(integration, token)` — Resolve per-user credential maps for internal integrations
+ */
+declare class Kontext {
+    private static readonly shutdownInstances;
+    private static shutdownHandlersRegistered;
+    private readonly clientId;
+    private readonly clientSecret;
+    private readonly apiUrl;
+    private readonly tokenIssuers;
+    private oauthMetadata;
+    private metadataFetchedAt;
+    private metadataPromise;
+    private readonly credentialCache;
+    private readonly resolvedCredentialCache;
+    private readonly runtimeAuthCache;
+    private readonly runtimeVerifierIds;
+    private runtimeVerifierIdCounter;
+    private serviceToken;
+    private serviceTokenExp;
+    private serviceTokenPromise;
+    private readonly agentSessionIds;
+    private readonly pendingSessionDisconnects;
+    constructor(options: KontextOptions);
+    /**
+     * Cleanup method for runtimes that create/dispose SDK instances dynamically.
+     * Ensures this instance can be garbage-collected by removing static references.
+     */
+    destroy(): Promise<void>;
+    private static ensureShutdownHandlers;
+    /**
+     * Express middleware: `.well-known` metadata + bearer auth + MCP transport + sessions.
+     *
+     * Must be mounted at the app root (not a sub-path) because RFC 9728 requires
+     * `/.well-known/oauth-protected-resource` at the root. Use `mcpPath` to set
+     * the transport endpoint path.
+     *
+     * @param server - An `McpServer` instance for single-session use, or a
+     *   `() => McpServer` factory for concurrent sessions (recommended in production).
+     *   `McpServer.connect()` is 1:1 per the MCP spec — passing a factory ensures
+     *   each session gets its own instance.
+     *
+     * @example Factory pattern (recommended for concurrent sessions)
+     * ```typescript
+     * app.use(kontext.middleware(() => createServer()));
+     * ```
+     *
+     * @example Single instance (local dev / single session)
+     * ```typescript
+     * app.use(kontext.middleware(server));
+     * ```
+     *
+     * @example Custom path
+     * ```typescript
+     * app.use(kontext.middleware(createServer, { mcpPath: "/api/mcp" }));
+     * ```
+     */
+    middleware(server: McpServerOrFactory, options?: MiddlewareOptions): Router;
+    /**
+     * Exchange a user's access token for an integration credential.
+     *
+     * @param integration - Integration name (e.g., "github")
+     * @param token - The user's Bearer token (from `authInfo.token`)
+     * @returns Integration credential with `accessToken` and `authorization` header
+     *
+     * @throws {IntegrationConnectionRequiredError} User hasn't connected this integration
+     * @throws {OAuthError} Token exchange failed
+     */
+    require(integration: IntegrationName, token: string): Promise<IntegrationCredential>;
+    /**
+     * Resolve per-user credential key/value pairs for an internal MCP integration.
+     *
+     * @param integration - Integration UUID or name
+     * @param token - The user's Bearer token (from `authInfo.token`)
+     * @returns Decrypted credential map for the current user and integration
+     *
+     * @throws {IntegrationConnectionRequiredError} User has not provided required credentials
+     * @throws {OAuthError} Runtime credential resolution failed
+     */
+    requireCredentials(integration: IntegrationName, token: string): Promise<IntegrationResolvedCredentials>;
+    private getGatewayAudiences;
+    private isGatewayScopedToken;
+    private extractTokenAudiences;
+    private resolveRuntimeIntegrationId;
+    private isUuid;
+    /**
+     * Fetch a browser-openable connect URL for a missing integration.
+     *
+     * Per the integration-interrupt-flow spec, the SDK:
+     * 1. Exchanges the user's token for a resource-scoped mcp-gateway JWT
+     * 2. Calls POST /mcp/integrations/:id/oauth/init with that JWT
+     * 3. Returns the `connectUrl` (intermediate endpoint with one-time token)
+     *
+     * The connect URL points to our own server (ticket pattern), which
+     * validates the ticket, sets a browser session cookie, then redirects
+     * to the actual OAuth provider.
+     */
+    private fetchConnectUrl;
+    private getOAuthMetadata;
+    private applyMetadataTransform;
+    private cloneOAuthMetadata;
+    private fetchOAuthMetadata;
+    private resolveResourceServerUrl;
+    private getOrCreateRuntimeAuthContext;
+    private getRuntimeAuthCacheKey;
+    private respondMetadataInitError;
+    private evictExpiredCredentials;
+    private evictExpiredResolvedCredentials;
+    private trimCacheToFit;
+    private createTokenVerifier;
+    private getServiceToken;
+    private reportEvent;
+    private createAgentSession;
+    private disconnectAgentSessionByAgentSessionId;
+    private disconnectAgentSession;
+    private disconnectAllSessions;
+    private runBearerAuth;
+    private createMcpHandler;
+}
+
+export { type IntegrationCredential as I, type KnownIntegration as K, type McpServerFactory as M, type IntegrationName as a, type IntegrationResolvedCredentials as b, Kontext as c, type KontextOptions as d, type McpServerOrFactory as e, type MiddlewareOptions as f };