@kontext-dev/js-sdk 0.1.0

package/dist/verify/index.js

@@ -0,0 +1,315 @@
+import { createRemoteJWKSet, jwtVerify, errors, decodeProtectedHeader } from 'jose';
+
+// src/verify/verifier.ts
+
+// src/verify/errors.ts
+var TokenVerificationError = class _TokenVerificationError extends Error {
+  code;
+  constructor(code, message) {
+    super(message);
+    this.name = "TokenVerificationError";
+    this.code = code;
+    Object.setPrototypeOf(this, _TokenVerificationError.prototype);
+  }
+};
+
+// src/verify/jwks-client.ts
+var DEFAULT_CACHE_TTL_MS = 5 * 60 * 1e3;
+var DEFAULT_REFETCH_COOLDOWN_MS = 30 * 1e3;
+var JwksClient = class {
+  jwksUrl;
+  cacheTtlMs;
+  refetchCooldownMs;
+  customFetch;
+  jwks = null;
+  lastFetchAt = 0;
+  lastRefreshAt = 0;
+  constructor(options) {
+    this.jwksUrl = new URL(options.jwksUrl);
+    this.cacheTtlMs = options.cacheTtlMs ?? DEFAULT_CACHE_TTL_MS;
+    this.refetchCooldownMs = options.refetchCooldownMs ?? DEFAULT_REFETCH_COOLDOWN_MS;
+    this.customFetch = options.fetch;
+  }
+  /**
+   * Get the JWKS key resolver for use with jose's jwtVerify.
+   *
+   * Creates the remote JWKS on first call and caches it.
+   * The jose library handles internal caching and key lookup.
+   */
+  getKeyResolver() {
+    const now = Date.now();
+    if (this.jwks && now - this.lastFetchAt > this.cacheTtlMs) {
+      this.jwks = null;
+    }
+    if (!this.jwks) {
+      this.jwks = createRemoteJWKSet(this.jwksUrl, {
+        // jose handles caching internally, we just track our own refresh timing
+        ...this.customFetch && {
+          [/* @__PURE__ */ Symbol.for("fetch")]: this.customFetch
+        }
+      });
+      this.lastFetchAt = now;
+    }
+    return this.jwks;
+  }
+  /**
+   * Force refresh the JWKS cache.
+   *
+   * Respects the refetch cooldown to prevent rapid refetching.
+   * Returns true if refresh was performed, false if cooldown not elapsed.
+   */
+  refresh() {
+    const now = Date.now();
+    if (!this.canRefresh()) {
+      return false;
+    }
+    this.jwks = null;
+    this.lastRefreshAt = now;
+    return true;
+  }
+  /**
+   * Check if a refresh is allowed (cooldown elapsed).
+   */
+  canRefresh() {
+    return Date.now() - this.lastRefreshAt >= this.refetchCooldownMs;
+  }
+  /**
+   * Handle unknown kid errors by attempting refresh.
+   *
+   * @returns TokenVerificationError if refresh not allowed or already attempted
+   */
+  handleUnknownKid(kid) {
+    if (this.refresh()) {
+      return null;
+    }
+    return new TokenVerificationError(
+      "UNKNOWN_KID",
+      `Unknown key ID: ${kid}. JWKS refresh on cooldown.`
+    );
+  }
+  /**
+   * Clear the cache, forcing a fresh fetch on next access.
+   */
+  clearCache() {
+    this.jwks = null;
+    this.lastFetchAt = 0;
+  }
+};
+
+// src/verify/verifier.ts
+var DEFAULT_CLOCK_TOLERANCE_SEC = 30;
+var SUPPORTED_ALGORITHMS = ["ES256", "RS256"];
+var KontextTokenVerifier = class {
+  config;
+  jwksClient;
+  audiences;
+  constructor(config) {
+    this.config = {
+      jwksUrl: config.jwksUrl,
+      issuer: config.issuer,
+      audience: config.audience,
+      requiredScopes: config.requiredScopes ?? [],
+      cacheTtlMs: config.cacheTtlMs ?? 5 * 60 * 1e3,
+      refetchCooldownMs: config.refetchCooldownMs ?? 30 * 1e3,
+      clockToleranceSec: config.clockToleranceSec ?? DEFAULT_CLOCK_TOLERANCE_SEC,
+      fetch: config.fetch
+    };
+    this.audiences = Array.isArray(config.audience) ? config.audience : [config.audience];
+    this.jwksClient = new JwksClient({
+      jwksUrl: config.jwksUrl,
+      cacheTtlMs: this.config.cacheTtlMs,
+      refetchCooldownMs: this.config.refetchCooldownMs,
+      fetch: config.fetch
+    });
+  }
+  /**
+   * Verify a JWT token.
+   *
+   * @param token - The JWT token string (without "Bearer " prefix)
+   * @returns VerifyResult with success=true and claims, or success=false and error
+   */
+  async verify(token) {
+    try {
+      return await this.verifyInternal(token, false);
+    } catch (error) {
+      if (error instanceof TokenVerificationError) {
+        return { success: false, error };
+      }
+      return {
+        success: false,
+        error: new TokenVerificationError(
+          "INVALID_TOKEN_FORMAT",
+          `Unexpected verification error: ${error.message}`
+        )
+      };
+    }
+  }
+  /**
+   * Verify a JWT token and return claims or null.
+   * Simpler API for cases where you don't need error details.
+   *
+   * @param token - The JWT token string (without "Bearer " prefix)
+   * @returns VerifiedTokenClaims if valid, null if invalid
+   */
+  async verifyOrNull(token) {
+    const result = await this.verify(token);
+    return result.success ? result.claims : null;
+  }
+  /**
+   * Clear the JWKS cache, forcing a fresh fetch on next verification.
+   */
+  clearCache() {
+    this.jwksClient.clearCache();
+  }
+  async verifyInternal(token, isRetry) {
+    const JWKS = this.jwksClient.getKeyResolver();
+    try {
+      const { payload, protectedHeader } = await jwtVerify(token, JWKS, {
+        issuer: this.config.issuer,
+        audience: this.audiences,
+        clockTolerance: this.config.clockToleranceSec,
+        algorithms: SUPPORTED_ALGORITHMS
+      });
+      const alg = protectedHeader.alg;
+      if (!SUPPORTED_ALGORITHMS.includes(alg)) {
+        throw new TokenVerificationError(
+          "UNSUPPORTED_ALGORITHM",
+          `Unsupported algorithm: ${alg}. Expected one of: ${SUPPORTED_ALGORITHMS.join(", ")}`
+        );
+      }
+      const jwtPayload = payload;
+      if (typeof jwtPayload.exp !== "number" || !Number.isFinite(jwtPayload.exp) || jwtPayload.exp <= 0) {
+        throw new TokenVerificationError(
+          "MISSING_CLAIMS",
+          "Token missing required exp claim"
+        );
+      }
+      const scopes = this.parseScopes(jwtPayload.scope);
+      for (const required of this.config.requiredScopes) {
+        if (!scopes.includes(required)) {
+          throw new TokenVerificationError(
+            "MISSING_SCOPE",
+            `Missing required scope: ${required}`
+          );
+        }
+      }
+      const clientId = jwtPayload.client_id || jwtPayload.sub;
+      if (!clientId) {
+        throw new TokenVerificationError(
+          "MISSING_CLAIMS",
+          "Token missing client_id and sub claims"
+        );
+      }
+      const claims = {
+        sub: jwtPayload.sub || "",
+        clientId,
+        scopes,
+        expiresAt: new Date(jwtPayload.exp * 1e3),
+        jti: jwtPayload.jti,
+        payload: jwtPayload
+      };
+      return { success: true, claims };
+    } catch (error) {
+      if (error instanceof errors.JWKSNoMatchingKey) {
+        if (!isRetry) {
+          const kid = this.extractKid(token);
+          const refreshError = this.jwksClient.handleUnknownKid(
+            kid || "unknown"
+          );
+          if (!refreshError) {
+            return this.verifyInternal(token, true);
+          }
+          return { success: false, error: refreshError };
+        }
+        return {
+          success: false,
+          error: new TokenVerificationError(
+            "UNKNOWN_KID",
+            "No matching key found in JWKS"
+          )
+        };
+      }
+      if (error instanceof errors.JWTExpired) {
+        return {
+          success: false,
+          error: new TokenVerificationError(
+            "TOKEN_EXPIRED",
+            "Token has expired"
+          )
+        };
+      }
+      if (error instanceof errors.JWTClaimValidationFailed) {
+        const message = error.message;
+        if (message.includes("iss")) {
+          const expected = Array.isArray(this.config.issuer) ? this.config.issuer.join(" or ") : this.config.issuer;
+          return {
+            success: false,
+            error: new TokenVerificationError(
+              "INVALID_ISSUER",
+              `Invalid issuer: expected ${expected}`
+            )
+          };
+        }
+        if (message.includes("aud")) {
+          return {
+            success: false,
+            error: new TokenVerificationError(
+              "INVALID_AUDIENCE",
+              `Invalid audience: expected one of ${this.audiences.join(", ")}`
+            )
+          };
+        }
+        if (message.includes("nbf")) {
+          return {
+            success: false,
+            error: new TokenVerificationError(
+              "TOKEN_NOT_YET_VALID",
+              "Token is not yet valid (nbf claim)"
+            )
+          };
+        }
+      }
+      if (error instanceof errors.JWSSignatureVerificationFailed) {
+        return {
+          success: false,
+          error: new TokenVerificationError(
+            "INVALID_SIGNATURE",
+            "Signature verification failed"
+          )
+        };
+      }
+      if (error instanceof errors.JWSInvalid) {
+        return {
+          success: false,
+          error: new TokenVerificationError(
+            "INVALID_TOKEN_FORMAT",
+            `Invalid JWS: ${error.message}`
+          )
+        };
+      }
+      if (error instanceof TokenVerificationError) {
+        throw error;
+      }
+      throw new TokenVerificationError(
+        "INVALID_TOKEN_FORMAT",
+        `Verification failed: ${error.message}`
+      );
+    }
+  }
+  parseScopes(scope) {
+    if (!scope) return [];
+    return scope.split(" ").map((s) => s.trim()).filter(Boolean);
+  }
+  extractKid(token) {
+    try {
+      const header = decodeProtectedHeader(token);
+      return header.kid ?? null;
+    } catch {
+      return null;
+    }
+  }
+};
+
+export { JwksClient, KontextTokenVerifier, TokenVerificationError };
+//# sourceMappingURL=index.js.map
+//# sourceMappingURL=index.js.map

package/dist/verify/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/verify/errors.ts","../../src/verify/jwks-client.ts","../../src/verify/verifier.ts"],"names":["joseErrors"],"mappings":";;;;;AAqBO,IAAM,sBAAA,GAAN,MAAM,uBAAA,SAA+B,KAAA,CAAM;AAAA,EACvC,IAAA;AAAA,EAET,WAAA,CAAY,MAAkC,OAAA,EAAiB;AAC7D,IAAA,KAAA,CAAM,OAAO,CAAA;AACb,IAAA,IAAA,CAAK,IAAA,GAAO,wBAAA;AACZ,IAAA,IAAA,CAAK,IAAA,GAAO,IAAA;AACZ,IAAA,MAAA,CAAO,cAAA,CAAe,IAAA,EAAM,uBAAA,CAAuB,SAAS,CAAA;AAAA,EAC9D;AACF;;;ACVA,IAAM,oBAAA,GAAuB,IAAI,EAAA,GAAK,GAAA;AACtC,IAAM,8BAA8B,EAAA,GAAK,GAAA;AAQlC,IAAM,aAAN,MAAiB;AAAA,EACL,OAAA;AAAA,EACA,UAAA;AAAA,EACA,iBAAA;AAAA,EACA,WAAA;AAAA,EAET,IAAA,GAA+B,IAAA;AAAA,EAC/B,WAAA,GAAc,CAAA;AAAA,EACd,aAAA,GAAgB,CAAA;AAAA,EAExB,YAAY,OAAA,EAA4B;AACtC,IAAA,IAAA,CAAK,OAAA,GAAU,IAAI,GAAA,CAAI,OAAA,CAAQ,OAAO,CAAA;AACtC,IAAA,IAAA,CAAK,UAAA,GAAa,QAAQ,UAAA,IAAc,oBAAA;AACxC,IAAA,IAAA,CAAK,iBAAA,GACH,QAAQ,iBAAA,IAAqB,2BAAA;AAC/B,IAAA,IAAA,CAAK,cAAc,OAAA,CAAQ,KAAA;AAAA,EAC7B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,cAAA,GAAkC;AAChC,IAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AAGrB,IAAA,IAAI,KAAK,IAAA,IAAQ,GAAA,GAAM,IAAA,CAAK,WAAA,GAAc,KAAK,UAAA,EAAY;AACzD,MAAA,IAAA,CAAK,IAAA,GAAO,IAAA;AAAA,IACd;AAEA,IAAA,IAAI,CAAC,KAAK,IAAA,EAAM;AACd,MAAA,IAAA,CAAK,IAAA,GAAO,kBAAA,CAAmB,IAAA,CAAK,OAAA,EAAS;AAAA;AAAA,QAE3C,GAAI,KAAK,WAAA,IAAe;AAAA,UACtB,iBAAC,MAAA,CAAO,GAAA,CAAI,OAAO,CAAC,GAAG,IAAA,CAAK;AAAA;AAC9B,OACD,CAAA;AACD,MAAA,IAAA,CAAK,WAAA,GAAc,GAAA;AAAA,IACrB;AAEA,IAAA,OAAO,IAAA,CAAK,IAAA;AAAA,EACd;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,OAAA,GAAmB;AACjB,IAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AAErB,IAAA,IAAI,CAAC,IAAA,CAAK,UAAA,EAAW,EAAG;AACtB,MAAA,OAAO,KAAA;AAAA,IACT;AAEA,IAAA,IAAA,CAAK,IAAA,GAAO,IAAA;AACZ,IAAA,IAAA,CAAK,aAAA,GAAgB,GAAA;AACrB,IAAA,OAAO,IAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,UAAA,GAAsB;AACpB,IAAA,OAAO,IAAA,CAAK,GAAA,EAAI,GAAI,IAAA,CAAK,iBAAiB,IAAA,CAAK,iBAAA;AAAA,EACjD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,iBAAiB,GAAA,EAA4C;AAC3D,IAAA,IAAI,IAAA,CAAK,SAAQ,EAAG;AAElB,MAAA,OAAO,IAAA;AAAA,IACT;AAGA,IAAA,OAAO,IAAI,sBAAA;AAAA,MACT,aAAA;AAAA,MACA,mBAAmB,GAAG,CAAA,2BAAA;AAAA,KACxB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,UAAA,GAAmB;AACjB,IAAA,IAAA,CAAK,IAAA,GAAO,IAAA;AACZ,IAAA,IAAA,CAAK,WAAA,GAAc,CAAA;AAAA,EAErB;AACF;;;ACnHA,IAAM,2BAAA,GAA8B,EAAA;AACpC,IAAM,oBAAA,GAAuB,CAAC,OAAA,EAAS,OAAO,CAAA;AA0CvC,IAAM,uBAAN,MAA2B;AAAA,EACf,MAAA;AAAA,EACA,UAAA;AAAA,EACA,SAAA;AAAA,EAEjB,YAAY,MAAA,EAAoC;AAC9C,IAAA,IAAA,CAAK,MAAA,GAAS;AAAA,MACZ,SAAS,MAAA,CAAO,OAAA;AAAA,MAChB,QAAQ,MAAA,CAAO,MAAA;AAAA,MACf,UAAU,MAAA,CAAO,QAAA;AAAA,MACjB,cAAA,EAAgB,MAAA,CAAO,cAAA,IAAkB,EAAC;AAAA,MAC1C,UAAA,EAAY,MAAA,CAAO,UAAA,IAAc,CAAA,GAAI,EAAA,GAAK,GAAA;AAAA,MAC1C,iBAAA,EAAmB,MAAA,CAAO,iBAAA,IAAqB,EAAA,GAAK,GAAA;AAAA,MACpD,iBAAA,EACE,OAAO,iBAAA,IAAqB,2BAAA;AAAA,MAC9B,OAAO,MAAA,CAAO;AAAA,KAChB;AAEA,IAAA,IAAA,CAAK,SAAA,GAAY,KAAA,CAAM,OAAA,CAAQ,MAAA,CAAO,QAAQ,IAC1C,MAAA,CAAO,QAAA,GACP,CAAC,MAAA,CAAO,QAAQ,CAAA;AAEpB,IAAA,IAAA,CAAK,UAAA,GAAa,IAAI,UAAA,CAAW;AAAA,MAC/B,SAAS,MAAA,CAAO,OAAA;AAAA,MAChB,UAAA,EAAY,KAAK,MAAA,CAAO,UAAA;AAAA,MACxB,iBAAA,EAAmB,KAAK,MAAA,CAAO,iBAAA;AAAA,MAC/B,OAAO,MAAA,CAAO;AAAA,KACf,CAAA;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAM,OAAO,KAAA,EAAsC;AACjD,IAAA,IAAI;AACF,MAAA,OAAO,MAAM,IAAA,CAAK,cAAA,CAAe,KAAA,EAAO,KAAK,CAAA;AAAA,IAC/C,SAAS,KAAA,EAAO;AACd,MAAA,IAAI,iBAAiB,sBAAA,EAAwB;AAC3C,QAAA,OAAO,EAAE,OAAA,EAAS,KAAA,EAAO,KAAA,EAAM;AAAA,MACjC;AAGA,MAAA,OAAO;AAAA,QACL,OAAA,EAAS,KAAA;AAAA,QACT,OAAO,IAAI,sBAAA;AAAA,UACT,sBAAA;AAAA,UACA,CAAA,+BAAA,EAAmC,MAAgB,OAAO,CAAA;AAAA;AAC5D,OACF;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAM,aAAa,KAAA,EAAoD;AACrE,IAAA,MAAM,MAAA,GAAS,MAAM,IAAA,CAAK,MAAA,CAAO,KAAK,CAAA;AACtC,IAAA,OAAO,MAAA,CAAO,OAAA,GAAU,MAAA,CAAO,MAAA,GAAS,IAAA;AAAA,EAC1C;AAAA;AAAA;AAAA;AAAA,EAKA,UAAA,GAAmB;AACjB,IAAA,IAAA,CAAK,WAAW,UAAA,EAAW;AAAA,EAC7B;AAAA,EAEA,MAAc,cAAA,CACZ,KAAA,EACA,OAAA,EACuB;AACvB,IAAA,MAAM,IAAA,GAAO,IAAA,CAAK,UAAA,CAAW,cAAA,EAAe;AAE5C,IAAA,IAAI;AAEF,MAAA,MAAM,EAAE,OAAA,EAAS,eAAA,KAAoB,MAAM,SAAA,CAAU,OAAO,IAAA,EAAM;AAAA,QAChE,MAAA,EAAQ,KAAK,MAAA,CAAO,MAAA;AAAA,QACpB,UAAU,IAAA,CAAK,SAAA;AAAA,QACf,cAAA,EAAgB,KAAK,MAAA,CAAO,iBAAA;AAAA,QAC5B,UAAA,EAAY;AAAA,OACb,CAAA;AAGD,MAAA,MAAM,MAAM,eAAA,CAAgB,GAAA;AAC5B,MAAA,IAAI,CAAC,oBAAA,CAAqB,QAAA,CAAS,GAAG,CAAA,EAAG;AACvC,QAAA,MAAM,IAAI,sBAAA;AAAA,UACR,uBAAA;AAAA,UACA,0BAA0B,GAAG,CAAA,mBAAA,EAAsB,oBAAA,CAAqB,IAAA,CAAK,IAAI,CAAC,CAAA;AAAA,SACpF;AAAA,MACF;AAGA,MAAA,MAAM,UAAA,GAAa,OAAA;AACnB,MAAA,IACE,OAAO,UAAA,CAAW,GAAA,KAAQ,QAAA,IAC1B,CAAC,MAAA,CAAO,QAAA,CAAS,UAAA,CAAW,GAAG,CAAA,IAC/B,UAAA,CAAW,GAAA,IAAO,CAAA,EAClB;AACA,QAAA,MAAM,IAAI,sBAAA;AAAA,UACR,gBAAA;AAAA,UACA;AAAA,SACF;AAAA,MACF;AAGA,MAAA,MAAM,MAAA,GAAS,IAAA,CAAK,WAAA,CAAY,UAAA,CAAW,KAAK,CAAA;AAChD,MAAA,KAAA,MAAW,QAAA,IAAY,IAAA,CAAK,MAAA,CAAO,cAAA,EAAgB;AACjD,QAAA,IAAI,CAAC,MAAA,CAAO,QAAA,CAAS,QAAQ,CAAA,EAAG;AAC9B,UAAA,MAAM,IAAI,sBAAA;AAAA,YACR,eAAA;AAAA,YACA,2BAA2B,QAAQ,CAAA;AAAA,WACrC;AAAA,QACF;AAAA,MACF;AAGA,MAAA,MAAM,QAAA,GAAW,UAAA,CAAW,SAAA,IAAa,UAAA,CAAW,GAAA;AACpD,MAAA,IAAI,CAAC,QAAA,EAAU;AACb,QAAA,MAAM,IAAI,sBAAA;AAAA,UACR,gBAAA;AAAA,UACA;AAAA,SACF;AAAA,MACF;AAGA,MAAA,MAAM,MAAA,GAA8B;AAAA,QAClC,GAAA,EAAK,WAAW,GAAA,IAAO,EAAA;AAAA,QACvB,QAAA;AAAA,QACA,MAAA;AAAA,QACA,SAAA,EAAW,IAAI,IAAA,CAAK,UAAA,CAAW,MAAM,GAAI,CAAA;AAAA,QACzC,KAAK,UAAA,CAAW,GAAA;AAAA,QAChB,OAAA,EAAS;AAAA,OACX;AAEA,MAAA,OAAO,EAAE,OAAA,EAAS,IAAA,EAAM,MAAA,EAAO;AAAA,IACjC,SAAS,KAAA,EAAO;AAEd,MAAA,IAAI,KAAA,YAAiBA,OAAW,iBAAA,EAAmB;AAEjD,QAAA,IAAI,CAAC,OAAA,EAAS;AACZ,UAAA,MAAM,GAAA,GAAM,IAAA,CAAK,UAAA,CAAW,KAAK,CAAA;AACjC,UAAA,MAAM,YAAA,GAAe,KAAK,UAAA,CAAW,gBAAA;AAAA,YACnC,GAAA,IAAO;AAAA,WACT;AACA,UAAA,IAAI,CAAC,YAAA,EAAc;AAEjB,YAAA,OAAO,IAAA,CAAK,cAAA,CAAe,KAAA,EAAO,IAAI,CAAA;AAAA,UACxC;AACA,UAAA,OAAO,EAAE,OAAA,EAAS,KAAA,EAAO,KAAA,EAAO,YAAA,EAAa;AAAA,QAC/C;AAEA,QAAA,OAAO;AAAA,UACL,OAAA,EAAS,KAAA;AAAA,UACT,OAAO,IAAI,sBAAA;AAAA,YACT,aAAA;AAAA,YACA;AAAA;AACF,SACF;AAAA,MACF;AAEA,MAAA,IAAI,KAAA,YAAiBA,OAAW,UAAA,EAAY;AAC1C,QAAA,OAAO;AAAA,UACL,OAAA,EAAS,KAAA;AAAA,UACT,OAAO,IAAI,sBAAA;AAAA,YACT,eAAA;AAAA,YACA;AAAA;AACF,SACF;AAAA,MACF;AAEA,MAAA,IAAI,KAAA,YAAiBA,OAAW,wBAAA,EAA0B;AACxD,QAAA,MAAM,UAAU,KAAA,CAAM,OAAA;AACtB,QAAA,IAAI,OAAA,CAAQ,QAAA,CAAS,KAAK,CAAA,EAAG;AAC3B,UAAA,MAAM,QAAA,GAAW,KAAA,CAAM,OAAA,CAAQ,IAAA,CAAK,OAAO,MAAM,CAAA,GAC7C,IAAA,CAAK,MAAA,CAAO,MAAA,CAAO,IAAA,CAAK,MAAM,CAAA,GAC9B,KAAK,MAAA,CAAO,MAAA;AAChB,UAAA,OAAO;AAAA,YACL,OAAA,EAAS,KAAA;AAAA,YACT,OAAO,IAAI,sBAAA;AAAA,cACT,gBAAA;AAAA,cACA,4BAA4B,QAAQ,CAAA;AAAA;AACtC,WACF;AAAA,QACF;AACA,QAAA,IAAI,OAAA,CAAQ,QAAA,CAAS,KAAK,CAAA,EAAG;AAC3B,UAAA,OAAO;AAAA,YACL,OAAA,EAAS,KAAA;AAAA,YACT,OAAO,IAAI,sBAAA;AAAA,cACT,kBAAA;AAAA,cACA,CAAA,kCAAA,EAAqC,IAAA,CAAK,SAAA,CAAU,IAAA,CAAK,IAAI,CAAC,CAAA;AAAA;AAChE,WACF;AAAA,QACF;AACA,QAAA,IAAI,OAAA,CAAQ,QAAA,CAAS,KAAK,CAAA,EAAG;AAC3B,UAAA,OAAO;AAAA,YACL,OAAA,EAAS,KAAA;AAAA,YACT,OAAO,IAAI,sBAAA;AAAA,cACT,qBAAA;AAAA,cACA;AAAA;AACF,WACF;AAAA,QACF;AAAA,MACF;AAEA,MAAA,IAAI,KAAA,YAAiBA,OAAW,8BAAA,EAAgC;AAC9D,QAAA,OAAO;AAAA,UACL,OAAA,EAAS,KAAA;AAAA,UACT,OAAO,IAAI,sBAAA;AAAA,YACT,mBAAA;AAAA,YACA;AAAA;AACF,SACF;AAAA,MACF;AAEA,MAAA,IAAI,KAAA,YAAiBA,OAAW,UAAA,EAAY;AAC1C,QAAA,OAAO;AAAA,UACL,OAAA,EAAS,KAAA;AAAA,UACT,OAAO,IAAI,sBAAA;AAAA,YACT,sBAAA;AAAA,YACA,CAAA,aAAA,EAAgB,MAAM,OAAO,CAAA;AAAA;AAC/B,SACF;AAAA,MACF;AAGA,MAAA,IAAI,iBAAiB,sBAAA,EAAwB;AAC3C,QAAA,MAAM,KAAA;AAAA,MACR;AAGA,MAAA,MAAM,IAAI,sBAAA;AAAA,QACR,sBAAA;AAAA,QACA,CAAA,qBAAA,EAAyB,MAAgB,OAAO,CAAA;AAAA,OAClD;AAAA,IACF;AAAA,EACF;AAAA,EAEQ,YAAY,KAAA,EAAqC;AACvD,IAAA,IAAI,CAAC,KAAA,EAAO,OAAO,EAAC;AACpB,IAAA,OAAO,KAAA,CACJ,KAAA,CAAM,GAAG,CAAA,CACT,GAAA,CAAI,CAAC,CAAA,KAAM,CAAA,CAAE,IAAA,EAAM,CAAA,CACnB,MAAA,CAAO,OAAO,CAAA;AAAA,EACnB;AAAA,EAEQ,WAAW,KAAA,EAA8B;AAC/C,IAAA,IAAI;AACF,MAAA,MAAM,MAAA,GAAS,sBAAsB,KAAK,CAAA;AAC1C,MAAA,OAAO,OAAO,GAAA,IAAO,IAAA;AAAA,IACvB,CAAA,CAAA,MAAQ;AACN,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AACF","file":"index.js","sourcesContent":["/**\n * Token verification error codes.\n * These provide structured error information for debugging and error handling.\n */\nexport type TokenVerificationErrorCode =\n  | \"INVALID_TOKEN_FORMAT\"\n  | \"INVALID_SIGNATURE\"\n  | \"TOKEN_EXPIRED\"\n  | \"TOKEN_NOT_YET_VALID\"\n  | \"INVALID_ISSUER\"\n  | \"INVALID_AUDIENCE\"\n  | \"MISSING_SCOPE\"\n  | \"MISSING_CLAIMS\"\n  | \"JWKS_FETCH_FAILED\"\n  | \"UNKNOWN_KID\"\n  | \"UNSUPPORTED_ALGORITHM\";\n\n/**\n * Error thrown when token verification fails.\n * Contains a structured error code for programmatic handling.\n */\nexport class TokenVerificationError extends Error {\n  readonly code: TokenVerificationErrorCode;\n\n  constructor(code: TokenVerificationErrorCode, message: string) {\n    super(message);\n    this.name = \"TokenVerificationError\";\n    this.code = code;\n    Object.setPrototypeOf(this, TokenVerificationError.prototype);\n  }\n}\n","import { createRemoteJWKSet, type JWTVerifyGetKey } from \"jose\";\nimport { TokenVerificationError } from \"./errors.js\";\n\n/**\n * Options for the JWKS client.\n */\nexport interface JwksClientOptions {\n  /** JWKS endpoint URL */\n  jwksUrl: string;\n\n  /** Cache TTL in milliseconds (default: 5 minutes) */\n  cacheTtlMs?: number;\n\n  /** Minimum time between refetches in milliseconds (default: 30 seconds) */\n  refetchCooldownMs?: number;\n\n  /** Custom fetch function for testing */\n  fetch?: typeof globalThis.fetch;\n}\n\nconst DEFAULT_CACHE_TTL_MS = 5 * 60 * 1000; // 5 minutes\nconst DEFAULT_REFETCH_COOLDOWN_MS = 30 * 1000; // 30 seconds\n\n/**\n * JWKS client with caching and rate-limited refetching.\n *\n * Uses jose's createRemoteJWKSet for JWKS fetching and caching,\n * but adds rate limiting to prevent DoS via rapid refetch requests.\n */\nexport class JwksClient {\n  private readonly jwksUrl: URL;\n  private readonly cacheTtlMs: number;\n  private readonly refetchCooldownMs: number;\n  private readonly customFetch?: typeof globalThis.fetch;\n\n  private jwks: JWTVerifyGetKey | null = null;\n  private lastFetchAt = 0;\n  private lastRefreshAt = 0;\n\n  constructor(options: JwksClientOptions) {\n    this.jwksUrl = new URL(options.jwksUrl);\n    this.cacheTtlMs = options.cacheTtlMs ?? DEFAULT_CACHE_TTL_MS;\n    this.refetchCooldownMs =\n      options.refetchCooldownMs ?? DEFAULT_REFETCH_COOLDOWN_MS;\n    this.customFetch = options.fetch;\n  }\n\n  /**\n   * Get the JWKS key resolver for use with jose's jwtVerify.\n   *\n   * Creates the remote JWKS on first call and caches it.\n   * The jose library handles internal caching and key lookup.\n   */\n  getKeyResolver(): JWTVerifyGetKey {\n    const now = Date.now();\n\n    // Check if we need to refresh (cache expired)\n    if (this.jwks && now - this.lastFetchAt > this.cacheTtlMs) {\n      this.jwks = null;\n    }\n\n    if (!this.jwks) {\n      this.jwks = createRemoteJWKSet(this.jwksUrl, {\n        // jose handles caching internally, we just track our own refresh timing\n        ...(this.customFetch && {\n          [Symbol.for(\"fetch\")]: this.customFetch,\n        }),\n      });\n      this.lastFetchAt = now;\n    }\n\n    return this.jwks;\n  }\n\n  /**\n   * Force refresh the JWKS cache.\n   *\n   * Respects the refetch cooldown to prevent rapid refetching.\n   * Returns true if refresh was performed, false if cooldown not elapsed.\n   */\n  refresh(): boolean {\n    const now = Date.now();\n\n    if (!this.canRefresh()) {\n      return false;\n    }\n\n    this.jwks = null;\n    this.lastRefreshAt = now;\n    return true;\n  }\n\n  /**\n   * Check if a refresh is allowed (cooldown elapsed).\n   */\n  canRefresh(): boolean {\n    return Date.now() - this.lastRefreshAt >= this.refetchCooldownMs;\n  }\n\n  /**\n   * Handle unknown kid errors by attempting refresh.\n   *\n   * @returns TokenVerificationError if refresh not allowed or already attempted\n   */\n  handleUnknownKid(kid: string): TokenVerificationError | null {\n    if (this.refresh()) {\n      // Refresh performed, caller should retry verification\n      return null;\n    }\n\n    // Cooldown not elapsed, return error\n    return new TokenVerificationError(\n      \"UNKNOWN_KID\",\n      `Unknown key ID: ${kid}. JWKS refresh on cooldown.`,\n    );\n  }\n\n  /**\n   * Clear the cache, forcing a fresh fetch on next access.\n   */\n  clearCache(): void {\n    this.jwks = null;\n    this.lastFetchAt = 0;\n    // Don't reset lastRefreshAt to maintain cooldown protection\n  }\n}\n","import { jwtVerify, decodeProtectedHeader, errors as joseErrors } from \"jose\";\nimport { JwksClient } from \"./jwks-client.js\";\nimport { TokenVerificationError } from \"./errors.js\";\nimport type {\n  KontextTokenVerifierConfig,\n  VerifiedTokenClaims,\n  VerifyResult,\n  JwtPayload,\n} from \"./types.js\";\n\nconst DEFAULT_CLOCK_TOLERANCE_SEC = 30;\nconst SUPPORTED_ALGORITHMS = [\"ES256\", \"RS256\"];\n\n/**\n * Token verifier for Kontext-issued JWTs using JWKS discovery.\n *\n * Uses the jose library for robust JWT verification with support for:\n * - ES256 and RS256 algorithms\n * - JWKS-based key discovery with caching\n * - Key rotation support with rate-limited refetching\n * - Configurable clock tolerance\n * - Typed error responses\n *\n * @example\n * ```typescript\n * import { KontextTokenVerifier } from '@kontext-dev/js-sdk';\n *\n * const verifier = new KontextTokenVerifier({\n *   jwksUrl: 'https://api.kontext.dev/.well-known/jwks.json',\n *   issuer: 'kontext-token-exchange',\n *   audience: 'mcp-gateway',\n *   requiredScopes: ['mcp:invoke'],\n * });\n *\n * const result = await verifier.verify(bearerToken);\n * if (result.success) {\n *   console.log(`Verified token for client: ${result.claims.clientId}`);\n * } else {\n *   console.error(`Verification failed: ${result.error.code}`);\n * }\n * ```\n */\ninterface ResolvedConfig {\n  jwksUrl: string;\n  issuer: string | string[];\n  audience: string | string[];\n  requiredScopes: string[];\n  cacheTtlMs: number;\n  refetchCooldownMs: number;\n  clockToleranceSec: number;\n  fetch?: typeof globalThis.fetch;\n}\n\nexport class KontextTokenVerifier {\n  private readonly config: ResolvedConfig;\n  private readonly jwksClient: JwksClient;\n  private readonly audiences: string[];\n\n  constructor(config: KontextTokenVerifierConfig) {\n    this.config = {\n      jwksUrl: config.jwksUrl,\n      issuer: config.issuer,\n      audience: config.audience,\n      requiredScopes: config.requiredScopes ?? [],\n      cacheTtlMs: config.cacheTtlMs ?? 5 * 60 * 1000,\n      refetchCooldownMs: config.refetchCooldownMs ?? 30 * 1000,\n      clockToleranceSec:\n        config.clockToleranceSec ?? DEFAULT_CLOCK_TOLERANCE_SEC,\n      fetch: config.fetch,\n    };\n\n    this.audiences = Array.isArray(config.audience)\n      ? config.audience\n      : [config.audience];\n\n    this.jwksClient = new JwksClient({\n      jwksUrl: config.jwksUrl,\n      cacheTtlMs: this.config.cacheTtlMs,\n      refetchCooldownMs: this.config.refetchCooldownMs,\n      fetch: config.fetch,\n    });\n  }\n\n  /**\n   * Verify a JWT token.\n   *\n   * @param token - The JWT token string (without \"Bearer \" prefix)\n   * @returns VerifyResult with success=true and claims, or success=false and error\n   */\n  async verify(token: string): Promise<VerifyResult> {\n    try {\n      return await this.verifyInternal(token, false);\n    } catch (error) {\n      if (error instanceof TokenVerificationError) {\n        return { success: false, error };\n      }\n\n      // Unexpected error\n      return {\n        success: false,\n        error: new TokenVerificationError(\n          \"INVALID_TOKEN_FORMAT\",\n          `Unexpected verification error: ${(error as Error).message}`,\n        ),\n      };\n    }\n  }\n\n  /**\n   * Verify a JWT token and return claims or null.\n   * Simpler API for cases where you don't need error details.\n   *\n   * @param token - The JWT token string (without \"Bearer \" prefix)\n   * @returns VerifiedTokenClaims if valid, null if invalid\n   */\n  async verifyOrNull(token: string): Promise<VerifiedTokenClaims | null> {\n    const result = await this.verify(token);\n    return result.success ? result.claims : null;\n  }\n\n  /**\n   * Clear the JWKS cache, forcing a fresh fetch on next verification.\n   */\n  clearCache(): void {\n    this.jwksClient.clearCache();\n  }\n\n  private async verifyInternal(\n    token: string,\n    isRetry: boolean,\n  ): Promise<VerifyResult> {\n    const JWKS = this.jwksClient.getKeyResolver();\n\n    try {\n      // Use jose's jwtVerify for robust verification\n      const { payload, protectedHeader } = await jwtVerify(token, JWKS, {\n        issuer: this.config.issuer,\n        audience: this.audiences,\n        clockTolerance: this.config.clockToleranceSec,\n        algorithms: SUPPORTED_ALGORITHMS,\n      });\n\n      // Check algorithm is supported\n      const alg = protectedHeader.alg;\n      if (!SUPPORTED_ALGORITHMS.includes(alg)) {\n        throw new TokenVerificationError(\n          \"UNSUPPORTED_ALGORITHM\",\n          `Unsupported algorithm: ${alg}. Expected one of: ${SUPPORTED_ALGORITHMS.join(\", \")}`,\n        );\n      }\n\n      // Validate required claims\n      const jwtPayload = payload as JwtPayload;\n      if (\n        typeof jwtPayload.exp !== \"number\" ||\n        !Number.isFinite(jwtPayload.exp) ||\n        jwtPayload.exp <= 0\n      ) {\n        throw new TokenVerificationError(\n          \"MISSING_CLAIMS\",\n          \"Token missing required exp claim\",\n        );\n      }\n\n      // Extract and validate scopes\n      const scopes = this.parseScopes(jwtPayload.scope);\n      for (const required of this.config.requiredScopes) {\n        if (!scopes.includes(required)) {\n          throw new TokenVerificationError(\n            \"MISSING_SCOPE\",\n            `Missing required scope: ${required}`,\n          );\n        }\n      }\n\n      // Extract client ID\n      const clientId = jwtPayload.client_id || jwtPayload.sub;\n      if (!clientId) {\n        throw new TokenVerificationError(\n          \"MISSING_CLAIMS\",\n          \"Token missing client_id and sub claims\",\n        );\n      }\n\n      // Build verified claims\n      const claims: VerifiedTokenClaims = {\n        sub: jwtPayload.sub || \"\",\n        clientId,\n        scopes,\n        expiresAt: new Date(jwtPayload.exp * 1000),\n        jti: jwtPayload.jti,\n        payload: jwtPayload,\n      };\n\n      return { success: true, claims };\n    } catch (error) {\n      // Handle jose-specific errors\n      if (error instanceof joseErrors.JWKSNoMatchingKey) {\n        // Unknown kid - try refreshing JWKS once\n        if (!isRetry) {\n          const kid = this.extractKid(token);\n          const refreshError = this.jwksClient.handleUnknownKid(\n            kid || \"unknown\",\n          );\n          if (!refreshError) {\n            // Refresh performed, retry verification\n            return this.verifyInternal(token, true);\n          }\n          return { success: false, error: refreshError };\n        }\n\n        return {\n          success: false,\n          error: new TokenVerificationError(\n            \"UNKNOWN_KID\",\n            \"No matching key found in JWKS\",\n          ),\n        };\n      }\n\n      if (error instanceof joseErrors.JWTExpired) {\n        return {\n          success: false,\n          error: new TokenVerificationError(\n            \"TOKEN_EXPIRED\",\n            \"Token has expired\",\n          ),\n        };\n      }\n\n      if (error instanceof joseErrors.JWTClaimValidationFailed) {\n        const message = error.message;\n        if (message.includes(\"iss\")) {\n          const expected = Array.isArray(this.config.issuer)\n            ? this.config.issuer.join(\" or \")\n            : this.config.issuer;\n          return {\n            success: false,\n            error: new TokenVerificationError(\n              \"INVALID_ISSUER\",\n              `Invalid issuer: expected ${expected}`,\n            ),\n          };\n        }\n        if (message.includes(\"aud\")) {\n          return {\n            success: false,\n            error: new TokenVerificationError(\n              \"INVALID_AUDIENCE\",\n              `Invalid audience: expected one of ${this.audiences.join(\", \")}`,\n            ),\n          };\n        }\n        if (message.includes(\"nbf\")) {\n          return {\n            success: false,\n            error: new TokenVerificationError(\n              \"TOKEN_NOT_YET_VALID\",\n              \"Token is not yet valid (nbf claim)\",\n            ),\n          };\n        }\n      }\n\n      if (error instanceof joseErrors.JWSSignatureVerificationFailed) {\n        return {\n          success: false,\n          error: new TokenVerificationError(\n            \"INVALID_SIGNATURE\",\n            \"Signature verification failed\",\n          ),\n        };\n      }\n\n      if (error instanceof joseErrors.JWSInvalid) {\n        return {\n          success: false,\n          error: new TokenVerificationError(\n            \"INVALID_TOKEN_FORMAT\",\n            `Invalid JWS: ${error.message}`,\n          ),\n        };\n      }\n\n      // Re-throw TokenVerificationError\n      if (error instanceof TokenVerificationError) {\n        throw error;\n      }\n\n      // Unknown error\n      throw new TokenVerificationError(\n        \"INVALID_TOKEN_FORMAT\",\n        `Verification failed: ${(error as Error).message}`,\n      );\n    }\n  }\n\n  private parseScopes(scope: string | undefined): string[] {\n    if (!scope) return [];\n    return scope\n      .split(\" \")\n      .map((s) => s.trim())\n      .filter(Boolean);\n  }\n\n  private extractKid(token: string): string | null {\n    try {\n      const header = decodeProtectedHeader(token);\n      return header.kid ?? null;\n    } catch {\n      return null;\n    }\n  }\n}\n"]}

package/package.json

@@ -0,0 +1,221 @@
+{
+  "name": "@kontext-dev/js-sdk",
+  "version": "0.1.0",
+  "description": "Broker credentials between your AI agents and integrations.",
+  "type": "module",
+  "main": "./dist/index.cjs",
+  "module": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "typesVersions": {
+    "*": {
+      "ai": [
+        "./dist/adapters/ai/index.d.ts"
+      ],
+      "server": [
+        "./dist/server/index.d.ts"
+      ],
+      "errors": [
+        "./dist/errors.d.ts"
+      ],
+      "management": [
+        "./dist/management/index.d.ts"
+      ],
+      "mcp": [
+        "./dist/mcp/index.d.ts"
+      ]
+    }
+  },
+  "exports": {
+    ".": {
+      "import": {
+        "types": "./dist/index.d.ts",
+        "default": "./dist/index.js"
+      },
+      "require": {
+        "types": "./dist/index.d.cts",
+        "default": "./dist/index.cjs"
+      }
+    },
+    "./client": {
+      "import": {
+        "types": "./dist/client/index.d.ts",
+        "default": "./dist/client/index.js"
+      },
+      "require": {
+        "types": "./dist/client/index.d.cts",
+        "default": "./dist/client/index.cjs"
+      }
+    },
+    "./ai": {
+      "import": {
+        "types": "./dist/adapters/ai/index.d.ts",
+        "default": "./dist/adapters/ai/index.js"
+      },
+      "require": {
+        "types": "./dist/adapters/ai/index.d.cts",
+        "default": "./dist/adapters/ai/index.cjs"
+      }
+    },
+    "./server": {
+      "import": {
+        "types": "./dist/server/index.d.ts",
+        "default": "./dist/server/index.js"
+      },
+      "require": {
+        "types": "./dist/server/index.d.cts",
+        "default": "./dist/server/index.cjs"
+      }
+    },
+    "./cloudflare": {
+      "import": {
+        "types": "./dist/adapters/cloudflare/index.d.ts",
+        "default": "./dist/adapters/cloudflare/index.js"
+      },
+      "require": {
+        "types": "./dist/adapters/cloudflare/index.d.cts",
+        "default": "./dist/adapters/cloudflare/index.cjs"
+      }
+    },
+    "./errors": {
+      "import": {
+        "types": "./dist/errors.d.ts",
+        "default": "./dist/errors.js"
+      },
+      "require": {
+        "types": "./dist/errors.d.cts",
+        "default": "./dist/errors.cjs"
+      }
+    },
+    "./verify": {
+      "import": {
+        "types": "./dist/verify/index.d.ts",
+        "default": "./dist/verify/index.js"
+      },
+      "require": {
+        "types": "./dist/verify/index.d.cts",
+        "default": "./dist/verify/index.cjs"
+      }
+    },
+    "./react": {
+      "import": {
+        "types": "./dist/adapters/react/index.d.ts",
+        "default": "./dist/adapters/react/index.js"
+      },
+      "require": {
+        "types": "./dist/adapters/react/index.d.cts",
+        "default": "./dist/adapters/react/index.cjs"
+      }
+    },
+    "./react/cloudflare": {
+      "import": {
+        "types": "./dist/adapters/cloudflare/react.d.ts",
+        "default": "./dist/adapters/cloudflare/react.js"
+      },
+      "require": {
+        "types": "./dist/adapters/cloudflare/react.d.cts",
+        "default": "./dist/adapters/cloudflare/react.cjs"
+      }
+    },
+    "./management": {
+      "import": {
+        "types": "./dist/management/index.d.ts",
+        "default": "./dist/management/index.js"
+      },
+      "require": {
+        "types": "./dist/management/index.d.cts",
+        "default": "./dist/management/index.cjs"
+      }
+    },
+    "./mcp": {
+      "import": {
+        "types": "./dist/mcp/index.d.ts",
+        "default": "./dist/mcp/index.js"
+      },
+      "require": {
+        "types": "./dist/mcp/index.d.cts",
+        "default": "./dist/mcp/index.cjs"
+      }
+    },
+    "./oauth": {
+      "import": {
+        "types": "./dist/oauth/index.d.ts",
+        "default": "./dist/oauth/index.js"
+      },
+      "require": {
+        "types": "./dist/oauth/index.d.cts",
+        "default": "./dist/oauth/index.cjs"
+      }
+    }
+  },
+  "files": [
+    "dist"
+  ],
+  "scripts": {
+    "build": "tsup",
+    "dev": "tsup --watch",
+    "lint": "eslint . --max-warnings 0",
+    "lint:fix": "eslint . --fix --max-warnings 0",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "test:integration": "vitest run --config vitest.integration.config.ts",
+    "check-types": "tsc -p tsconfig.json --noEmit",
+    "clean": "rm -rf dist"
+  },
+  "dependencies": {
+    "jose": "^6.1.3",
+    "zod": "^3.24.1"
+  },
+  "peerDependencies": {
+    "@modelcontextprotocol/sdk": "^1.26.0",
+    "agents": ">=0.4.0",
+    "ai": "^4.0.0",
+    "express": "^4.21.0 || ^5.0.0",
+    "react": "^18.0.0 || ^19.0.0"
+  },
+  "peerDependenciesMeta": {
+    "@modelcontextprotocol/sdk": {
+      "optional": true
+    },
+    "ai": {
+      "optional": true
+    },
+    "express": {
+      "optional": true
+    },
+    "agents": {
+      "optional": true
+    },
+    "react": {
+      "optional": true
+    }
+  },
+  "devDependencies": {
+    "@modelcontextprotocol/sdk": "^1.26.0",
+    "@types/bcryptjs": "^3.0.0",
+    "@types/react": "^19.0.0",
+    "@types/express": "^5.0.0",
+    "@types/node": "^24.10.1",
+    "@workspace/eslint-config": "workspace:*",
+    "@workspace/typescript-config": "workspace:*",
+    "agents": "^0.4.0",
+    "ai": "^4.3.19",
+    "bcryptjs": "^3.0.3",
+    "dotenv": "^17.2.3",
+    "eslint": "^9.18.0",
+    "tsup": "^8.4.0",
+    "typescript": "^5.9.3",
+    "vitest": "^3.0.7"
+  },
+  "keywords": [
+    "kontext",
+    "mcp",
+    "model-context-protocol",
+    "sdk",
+    "oauth"
+  ],
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/kontext-dev/spaces"
+  }
+}