@kya-os/mcp-i-core 1.2.3-canary.7 → 1.3.1

package/dist/services/oauth-service.js

@@ -0,0 +1,348 @@
+"use strict";
+/**
+ * OAuth Service
+ *
+ * Handles OAuth token exchange and refresh using PKCE (Proof Key for Code Exchange).
+ * Supports both direct PKCE exchange with OAuth providers and proxy mode via AgentShield.
+ *
+ * @package @kya-os/mcp-i-core
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OAuthService = void 0;
+/**
+ * Service for OAuth token exchange and refresh
+ */
+class OAuthService {
+    config;
+    constructor(config) {
+        this.config = {
+            configService: config.configService,
+            fetchProvider: config.fetchProvider,
+            agentShieldApiUrl: config.agentShieldApiUrl,
+            agentShieldApiKey: config.agentShieldApiKey,
+            projectId: config.projectId,
+            logger: config.logger || (() => { }),
+        };
+    }
+    /**
+     * Exchange authorization code for IDP tokens using PKCE
+     *
+     * For PKCE providers: Exchanges code directly with OAuth provider (no client secret)
+     * For proxy mode: Exchanges code via AgentShield API
+     *
+     * @param provider - OAuth provider name (e.g., "github", "google")
+     * @param code - Authorization code from OAuth callback
+     * @param codeVerifier - PKCE code verifier (optional for non-PKCE providers in proxy mode)
+     * @param redirectUri - Redirect URI used in authorization request
+     * @returns IDP tokens (access_token, refresh_token, expires_at, etc.)
+     */
+    async exchangeToken(provider, code, codeVerifier, redirectUri) {
+        // Fetch provider config
+        const oauthConfig = await this.config.configService.getOAuthConfig(this.config.projectId);
+        const providerConfig = oauthConfig.providers[provider];
+        if (!providerConfig) {
+            throw new Error(`Provider "${provider}" not configured for project "${this.config.projectId}"`);
+        }
+        // For PKCE providers, require codeVerifier
+        if (providerConfig.supportsPKCE && !providerConfig.proxyMode) {
+            if (!codeVerifier) {
+                throw new Error(`Provider "${provider}" requires PKCE code_verifier for token exchange`);
+            }
+            return this.exchangeTokenPKCE(providerConfig, code, codeVerifier, redirectUri || "");
+        }
+        // For proxy mode, codeVerifier is optional (only included if PKCE is supported)
+        if (providerConfig.proxyMode) {
+            return this.exchangeTokenProxy(providerConfig, code, codeVerifier, redirectUri || "");
+        }
+        throw new Error(`Provider "${provider}" configuration is invalid: must support PKCE or use proxy mode`);
+    }
+    /**
+     * Exchange token directly with OAuth provider using PKCE
+     */
+    async exchangeTokenPKCE(providerConfig, code, codeVerifier, redirectUri) {
+        this.config.logger("[OAuthService] Exchanging token with PKCE", {
+            provider: providerConfig.authorizationUrl,
+            tokenUrl: providerConfig.tokenUrl,
+        });
+        const response = await this.config.fetchProvider.fetch(providerConfig.tokenUrl, {
+            method: "POST",
+            headers: {
+                "Content-Type": "application/x-www-form-urlencoded",
+                Accept: "application/json",
+            },
+            body: new URLSearchParams({
+                grant_type: "authorization_code",
+                code,
+                redirect_uri: redirectUri,
+                client_id: providerConfig.clientId,
+                code_verifier: codeVerifier,
+            }).toString(),
+        });
+        if (!response.ok) {
+            const errorText = await response.text().catch(() => "Unknown error");
+            let errorData;
+            try {
+                errorData = JSON.parse(errorText);
+            }
+            catch {
+                errorData = { error: errorText };
+            }
+            const errorMessage = errorData.error_description || errorData.error || errorText;
+            this.config.logger("[OAuthService] Token exchange failed", {
+                status: response.status,
+                error: errorMessage,
+                provider: providerConfig.tokenUrl,
+            });
+            throw new Error(`Token exchange failed: ${errorMessage} (${response.status})`);
+        }
+        const tokens = await response.json();
+        // Validate required fields
+        if (!tokens.access_token) {
+            throw new Error("Token response missing access_token");
+        }
+        // Calculate expiration timestamp
+        const expiresIn = tokens.expires_in || 3600; // Default 1 hour
+        const expiresAt = Date.now() + expiresIn * 1000;
+        const idpTokens = {
+            access_token: tokens.access_token,
+            refresh_token: tokens.refresh_token,
+            expires_in: expiresIn,
+            expires_at: expiresAt,
+            token_type: tokens.token_type || "Bearer",
+            scope: tokens.scope,
+        };
+        this.config.logger("[OAuthService] Token exchange successful", {
+            provider: providerConfig.tokenUrl,
+            expiresAt: new Date(expiresAt).toISOString(),
+            hasRefreshToken: !!idpTokens.refresh_token,
+        });
+        return idpTokens;
+    }
+    /**
+     * Exchange token via AgentShield proxy (for providers that require proxy mode)
+     *
+     * Note: For Phase 3 two-step flow, OAuth tokens are retrieved separately via
+     * OAuthTokenRetrievalService in the callback handler. This method maintains
+     * backward compatibility for direct proxy mode usage.
+     */
+    async exchangeTokenProxy(providerConfig, code, codeVerifier, redirectUri) {
+        // Exchange via AgentShield proxy endpoint
+        const proxyUrl = `${this.config.agentShieldApiUrl}/api/v1/oauth/token`;
+        this.config.logger("[OAuthService] Exchanging token via proxy", {
+            proxyUrl,
+            provider: providerConfig.authorizationUrl,
+            hasCodeVerifier: !!codeVerifier,
+            supportsPKCE: providerConfig.supportsPKCE,
+        });
+        // Build request body - only include code_verifier if PKCE is supported and provided
+        const requestBody = {
+            grant_type: "authorization_code",
+            code,
+            redirect_uri: redirectUri || "",
+            provider: providerConfig.authorizationUrl,
+            project_id: this.config.projectId,
+        };
+        // Include code_verifier only if provider supports PKCE and verifier is provided
+        if (providerConfig.supportsPKCE && codeVerifier) {
+            requestBody.code_verifier = codeVerifier;
+        }
+        const response = await this.config.fetchProvider.fetch(proxyUrl, {
+            method: "POST",
+            headers: {
+                "Content-Type": "application/json",
+                Authorization: `Bearer ${this.config.agentShieldApiKey}`,
+            },
+            body: JSON.stringify(requestBody),
+        });
+        if (!response.ok) {
+            const errorText = await response.text().catch(() => "Unknown error");
+            let errorData;
+            try {
+                errorData = JSON.parse(errorText);
+            }
+            catch {
+                errorData = { error: errorText };
+            }
+            const errorMessage = errorData.error_description || errorData.error || errorText;
+            this.config.logger("[OAuthService] Proxy token exchange failed", {
+                status: response.status,
+                error: errorMessage,
+                proxyUrl,
+            });
+            throw new Error(`Proxy token exchange failed: ${errorMessage} (${response.status})`);
+        }
+        const result = await response.json();
+        const tokens = result.data || result;
+        // Validate required fields
+        if (!tokens.access_token) {
+            throw new Error("Proxy token response missing access_token");
+        }
+        // Calculate expiration timestamp
+        const expiresIn = tokens.expires_in || 3600; // Default 1 hour
+        const expiresAt = Date.now() + expiresIn * 1000;
+        const idpTokens = {
+            access_token: tokens.access_token,
+            refresh_token: tokens.refresh_token,
+            expires_in: expiresIn,
+            expires_at: expiresAt,
+            token_type: tokens.token_type || "Bearer",
+            scope: tokens.scope,
+        };
+        this.config.logger("[OAuthService] Proxy token exchange successful", {
+            proxyUrl,
+            expiresAt: new Date(expiresAt).toISOString(),
+            hasRefreshToken: !!idpTokens.refresh_token,
+        });
+        return idpTokens;
+    }
+    /**
+     * Refresh IDP access token using refresh token
+     *
+     * For PKCE providers: Refreshes directly with OAuth provider
+     * For proxy mode: Refreshes via AgentShield API
+     *
+     * @param provider - OAuth provider name
+     * @param refreshToken - Refresh token from previous token exchange
+     * @returns New IDP tokens or null if refresh failed
+     */
+    async refreshToken(provider, refreshToken) {
+        // Fetch provider config
+        const oauthConfig = await this.config.configService.getOAuthConfig(this.config.projectId);
+        const providerConfig = oauthConfig.providers[provider];
+        if (!providerConfig) {
+            this.config.logger("[OAuthService] Provider not found for refresh", {
+                provider,
+            });
+            return null;
+        }
+        // For PKCE providers, refresh directly with OAuth provider
+        if (providerConfig.supportsPKCE && !providerConfig.proxyMode) {
+            return this.refreshTokenPKCE(providerConfig, refreshToken);
+        }
+        // For proxy mode, refresh via AgentShield
+        if (providerConfig.proxyMode) {
+            return this.refreshTokenProxy(providerConfig, refreshToken);
+        }
+        return null;
+    }
+    /**
+     * Refresh token directly with OAuth provider using PKCE
+     */
+    async refreshTokenPKCE(providerConfig, refreshToken) {
+        this.config.logger("[OAuthService] Refreshing token with PKCE", {
+            provider: providerConfig.tokenUrl,
+        });
+        try {
+            const response = await this.config.fetchProvider.fetch(providerConfig.tokenUrl, {
+                method: "POST",
+                headers: {
+                    "Content-Type": "application/x-www-form-urlencoded",
+                    Accept: "application/json",
+                },
+                body: new URLSearchParams({
+                    grant_type: "refresh_token",
+                    refresh_token: refreshToken,
+                    client_id: providerConfig.clientId,
+                }).toString(),
+            });
+            if (!response.ok) {
+                this.config.logger("[OAuthService] Token refresh failed", {
+                    status: response.status,
+                    provider: providerConfig.tokenUrl,
+                });
+                return null;
+            }
+            const tokens = await response.json();
+            if (!tokens.access_token) {
+                this.config.logger("[OAuthService] Token refresh response missing access_token");
+                return null;
+            }
+            // Calculate expiration timestamp
+            const expiresIn = tokens.expires_in || 3600; // Default 1 hour
+            const expiresAt = Date.now() + expiresIn * 1000;
+            const idpTokens = {
+                access_token: tokens.access_token,
+                refresh_token: tokens.refresh_token || refreshToken, // Use new refresh token if provided, otherwise keep old one
+                expires_in: expiresIn,
+                expires_at: expiresAt,
+                token_type: tokens.token_type || "Bearer",
+                scope: tokens.scope,
+            };
+            this.config.logger("[OAuthService] Token refresh successful", {
+                provider: providerConfig.tokenUrl,
+                expiresAt: new Date(expiresAt).toISOString(),
+            });
+            return idpTokens;
+        }
+        catch (error) {
+            this.config.logger("[OAuthService] Token refresh error", {
+                error: error instanceof Error ? error.message : String(error),
+                provider: providerConfig.tokenUrl,
+            });
+            return null;
+        }
+    }
+    /**
+     * Refresh token via AgentShield proxy
+     */
+    async refreshTokenProxy(providerConfig, refreshToken) {
+        const proxyUrl = `${this.config.agentShieldApiUrl}/api/v1/oauth/token`;
+        this.config.logger("[OAuthService] Refreshing token via proxy", {
+            proxyUrl,
+            provider: providerConfig.authorizationUrl,
+        });
+        try {
+            const response = await this.config.fetchProvider.fetch(proxyUrl, {
+                method: "POST",
+                headers: {
+                    "Content-Type": "application/json",
+                    Authorization: `Bearer ${this.config.agentShieldApiKey}`,
+                },
+                body: JSON.stringify({
+                    grant_type: "refresh_token",
+                    refresh_token: refreshToken,
+                    provider: providerConfig.authorizationUrl,
+                    project_id: this.config.projectId,
+                }),
+            });
+            if (!response.ok) {
+                this.config.logger("[OAuthService] Proxy token refresh failed", {
+                    status: response.status,
+                    proxyUrl,
+                });
+                return null;
+            }
+            const result = await response.json();
+            const tokens = result.data || result;
+            if (!tokens.access_token) {
+                this.config.logger("[OAuthService] Proxy token refresh response missing access_token");
+                return null;
+            }
+            // Calculate expiration timestamp
+            const expiresIn = tokens.expires_in || 3600; // Default 1 hour
+            const expiresAt = Date.now() + expiresIn * 1000;
+            const idpTokens = {
+                access_token: tokens.access_token,
+                refresh_token: tokens.refresh_token || refreshToken,
+                expires_in: expiresIn,
+                expires_at: expiresAt,
+                token_type: tokens.token_type || "Bearer",
+                scope: tokens.scope,
+            };
+            this.config.logger("[OAuthService] Proxy token refresh successful", {
+                proxyUrl,
+                expiresAt: new Date(expiresAt).toISOString(),
+            });
+            return idpTokens;
+        }
+        catch (error) {
+            this.config.logger("[OAuthService] Proxy token refresh error", {
+                error: error instanceof Error ? error.message : String(error),
+                proxyUrl,
+            });
+            return null;
+        }
+    }
+}
+exports.OAuthService = OAuthService;
+//# sourceMappingURL=oauth-service.js.map

package/dist/services/oauth-service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-service.js","sourceRoot":"","sources":["../../src/services/oauth-service.ts"],"names":[],"mappings":";AAAA;;;;;;;GAOG;;;AA0BH;;GAEG;AACH,MAAa,YAAY;IACf,MAAM,CAEZ;IAEF,YAAY,MAA0B;QACpC,IAAI,CAAC,MAAM,GAAG;YACZ,aAAa,EAAE,MAAM,CAAC,aAAa;YACnC,aAAa,EAAE,MAAM,CAAC,aAAa;YACnC,iBAAiB,EAAE,MAAM,CAAC,iBAAiB;YAC3C,iBAAiB,EAAE,MAAM,CAAC,iBAAiB;YAC3C,SAAS,EAAE,MAAM,CAAC,SAAS;YAC3B,MAAM,EAAE,MAAM,CAAC,MAAM,IAAI,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC;SACpC,CAAC;IACJ,CAAC;IAED;;;;;;;;;;;OAWG;IACH,KAAK,CAAC,aAAa,CACjB,QAAgB,EAChB,IAAY,EACZ,YAAqB,EACrB,WAAoB;QAEpB,wBAAwB;QACxB,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,cAAc,CAChE,IAAI,CAAC,MAAM,CAAC,SAAS,CACtB,CAAC;QACF,MAAM,cAAc,GAAG,WAAW,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;QAEvD,IAAI,CAAC,cAAc,EAAE,CAAC;YACpB,MAAM,IAAI,KAAK,CAAC,aAAa,QAAQ,iCAAiC,IAAI,CAAC,MAAM,CAAC,SAAS,GAAG,CAAC,CAAC;QAClG,CAAC;QAED,2CAA2C;QAC3C,IAAI,cAAc,CAAC,YAAY,IAAI,CAAC,cAAc,CAAC,SAAS,EAAE,CAAC;YAC7D,IAAI,CAAC,YAAY,EAAE,CAAC;gBAClB,MAAM,IAAI,KAAK,CACb,aAAa,QAAQ,kDAAkD,CACxE,CAAC;YACJ,CAAC;YACD,OAAO,IAAI,CAAC,iBAAiB,CAC3B,cAAc,EACd,IAAI,EACJ,YAAY,EACZ,WAAW,IAAI,EAAE,CAClB,CAAC;QACJ,CAAC;QAED,gFAAgF;QAChF,IAAI,cAAc,CAAC,SAAS,EAAE,CAAC;YAC7B,OAAO,IAAI,CAAC,kBAAkB,CAC5B,cAAc,EACd,IAAI,EACJ,YAAY,EACZ,WAAW,IAAI,EAAE,CAClB,CAAC;QACJ,CAAC;QAED,MAAM,IAAI,KAAK,CACb,aAAa,QAAQ,iEAAiE,CACvF,CAAC;IACJ,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,iBAAiB,CAC7B,cAA6B,EAC7B,IAAY,EACZ,YAAoB,EACpB,WAAmB;QAEnB,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,2CAA2C,EAAE;YAC9D,QAAQ,EAAE,cAAc,CAAC,gBAAgB;YACzC,QAAQ,EAAE,cAAc,CAAC,QAAQ;SAClC,CAAC,CAAC;QAEH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,KAAK,CAAC,cAAc,CAAC,QAAQ,EAAE;YAC9E,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,cAAc,EAAE,mCAAmC;gBACnD,MAAM,EAAE,kBAAkB;aAC3B;YACD,IAAI,EAAE,IAAI,eAAe,CAAC;gBACxB,UAAU,EAAE,oBAAoB;gBAChC,IAAI;gBACJ,YAAY,EAAE,WAAW;gBACzB,SAAS,EAAE,cAAc,CAAC,QAAQ;gBAClC,aAAa,EAAE,YAAY;aAC5B,CAAC,CAAC,QAAQ,EAAE;SACd,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,eAAe,CAAC,CAAC;YACrE,IAAI,SAAc,CAAC;YACnB,IAAI,CAAC;gBACH,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;YACpC,CAAC;YAAC,MAAM,CAAC;gBACP,SAAS,GAAG,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC;YACnC,CAAC;YAED,MAAM,YAAY,GAChB,SAAS,CAAC,iBAAiB,IAAI,SAAS,CAAC,KAAK,IAAI,SAAS,CAAC;YAE9D,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,sCAAsC,EAAE;gBACzD,MAAM,EAAE,QAAQ,CAAC,MAAM;gBACvB,KAAK,EAAE,YAAY;gBACnB,QAAQ,EAAE,cAAc,CAAC,QAAQ;aAClC,CAAC,CAAC;YAEH,MAAM,IAAI,KAAK,CACb,0BAA0B,YAAY,KAAK,QAAQ,CAAC,MAAM,GAAG,CAC9D,CAAC;QACJ,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,IAAI,EAMjC,CAAC;QAEF,2BAA2B;QAC3B,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE,CAAC;YACzB,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;QACzD,CAAC;QAED,iCAAiC;QACjC,MAAM,SAAS,GAAG,MAAM,CAAC,UAAU,IAAI,IAAI,CAAC,CAAC,iBAAiB;QAC9D,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,GAAG,IAAI,CAAC;QAEhD,MAAM,SAAS,GAAc;YAC3B,YAAY,EAAE,MAAM,CAAC,YAAY;YACjC,aAAa,EAAE,MAAM,CAAC,aAAa;YACnC,UAAU,EAAE,SAAS;YACrB,UAAU,EAAE,SAAS;YACrB,UAAU,EAAE,MAAM,CAAC,UAAU,IAAI,QAAQ;YACzC,KAAK,EAAE,MAAM,CAAC,KAAK;SACpB,CAAC;QAEF,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,0CAA0C,EAAE;YAC7D,QAAQ,EAAE,cAAc,CAAC,QAAQ;YACjC,SAAS,EAAE,IAAI,IAAI,CAAC,SAAS,CAAC,CAAC,WAAW,EAAE;YAC5C,eAAe,EAAE,CAAC,CAAC,SAAS,CAAC,aAAa;SAC3C,CAAC,CAAC;QAEH,OAAO,SAAS,CAAC;IACnB,CAAC;IAED;;;;;;OAMG;IACK,KAAK,CAAC,kBAAkB,CAC9B,cAA6B,EAC7B,IAAY,EACZ,YAAqB,EACrB,WAAoB;QAEpB,0CAA0C;QAC1C,MAAM,QAAQ,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,iBAAiB,qBAAqB,CAAC;QAEvE,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,2CAA2C,EAAE;YAC9D,QAAQ;YACR,QAAQ,EAAE,cAAc,CAAC,gBAAgB;YACzC,eAAe,EAAE,CAAC,CAAC,YAAY;YAC/B,YAAY,EAAE,cAAc,CAAC,YAAY;SAC1C,CAAC,CAAC;QAEH,oFAAoF;QACpF,MAAM,WAAW,GAA2B;YAC1C,UAAU,EAAE,oBAAoB;YAChC,IAAI;YACJ,YAAY,EAAE,WAAW,IAAI,EAAE;YAC/B,QAAQ,EAAE,cAAc,CAAC,gBAAgB;YACzC,UAAU,EAAE,IAAI,CAAC,MAAM,CAAC,SAAS;SAClC,CAAC;QAEF,gFAAgF;QAChF,IAAI,cAAc,CAAC,YAAY,IAAI,YAAY,EAAE,CAAC;YAChD,WAAW,CAAC,aAAa,GAAG,YAAY,CAAC;QAC3C,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,KAAK,CAAC,QAAQ,EAAE;YAC/D,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,cAAc,EAAE,kBAAkB;gBAClC,aAAa,EAAE,UAAU,IAAI,CAAC,MAAM,CAAC,iBAAiB,EAAE;aACzD;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC;SAClC,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,eAAe,CAAC,CAAC;YACrE,IAAI,SAAc,CAAC;YACnB,IAAI,CAAC;gBACH,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;YACpC,CAAC;YAAC,MAAM,CAAC;gBACP,SAAS,GAAG,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC;YACnC,CAAC;YAED,MAAM,YAAY,GAChB,SAAS,CAAC,iBAAiB,IAAI,SAAS,CAAC,KAAK,IAAI,SAAS,CAAC;YAE9D,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,4CAA4C,EAAE;gBAC/D,MAAM,EAAE,QAAQ,CAAC,MAAM;gBACvB,KAAK,EAAE,YAAY;gBACnB,QAAQ;aACT,CAAC,CAAC;YAEH,MAAM,IAAI,KAAK,CACb,gCAAgC,YAAY,KAAK,QAAQ,CAAC,MAAM,GAAG,CACpE,CAAC;QACJ,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,IAAI,EAajC,CAAC;QACF,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,IAAI,MAAM,CAAC;QAErC,2BAA2B;QAC3B,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE,CAAC;YACzB,MAAM,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAC;QAC/D,CAAC;QAED,iCAAiC;QACjC,MAAM,SAAS,GAAG,MAAM,CAAC,UAAU,IAAI,IAAI,CAAC,CAAC,iBAAiB;QAC9D,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,GAAG,IAAI,CAAC;QAEhD,MAAM,SAAS,GAAc;YAC3B,YAAY,EAAE,MAAM,CAAC,YAAY;YACjC,aAAa,EAAE,MAAM,CAAC,aAAa;YACnC,UAAU,EAAE,SAAS;YACrB,UAAU,EAAE,SAAS;YACrB,UAAU,EAAE,MAAM,CAAC,UAAU,IAAI,QAAQ;YACzC,KAAK,EAAE,MAAM,CAAC,KAAK;SACpB,CAAC;QAEF,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,gDAAgD,EAAE;YACnE,QAAQ;YACR,SAAS,EAAE,IAAI,IAAI,CAAC,SAAS,CAAC,CAAC,WAAW,EAAE;YAC5C,eAAe,EAAE,CAAC,CAAC,SAAS,CAAC,aAAa;SAC3C,CAAC,CAAC;QAEH,OAAO,SAAS,CAAC;IACnB,CAAC;IAED;;;;;;;;;OASG;IACH,KAAK,CAAC,YAAY,CAChB,QAAgB,EAChB,YAAoB;QAEpB,wBAAwB;QACxB,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,cAAc,CAChE,IAAI,CAAC,MAAM,CAAC,SAAS,CACtB,CAAC;QACF,MAAM,cAAc,GAAG,WAAW,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;QAEvD,IAAI,CAAC,cAAc,EAAE,CAAC;YACpB,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,+CAA+C,EAAE;gBAClE,QAAQ;aACT,CAAC,CAAC;YACH,OAAO,IAAI,CAAC;QACd,CAAC;QAED,2DAA2D;QAC3D,IAAI,cAAc,CAAC,YAAY,IAAI,CAAC,cAAc,CAAC,SAAS,EAAE,CAAC;YAC7D,OAAO,IAAI,CAAC,gBAAgB,CAAC,cAAc,EAAE,YAAY,CAAC,CAAC;QAC7D,CAAC;QAED,0CAA0C;QAC1C,IAAI,cAAc,CAAC,SAAS,EAAE,CAAC;YAC7B,OAAO,IAAI,CAAC,iBAAiB,CAAC,cAAc,EAAE,YAAY,CAAC,CAAC;QAC9D,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,gBAAgB,CAC5B,cAA6B,EAC7B,YAAoB;QAEpB,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,2CAA2C,EAAE;YAC9D,QAAQ,EAAE,cAAc,CAAC,QAAQ;SAClC,CAAC,CAAC;QAEH,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,KAAK,CAAC,cAAc,CAAC,QAAQ,EAAE;gBAC9E,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE;oBACP,cAAc,EAAE,mCAAmC;oBACnD,MAAM,EAAE,kBAAkB;iBAC3B;gBACD,IAAI,EAAE,IAAI,eAAe,CAAC;oBACxB,UAAU,EAAE,eAAe;oBAC3B,aAAa,EAAE,YAAY;oBAC3B,SAAS,EAAE,cAAc,CAAC,QAAQ;iBACnC,CAAC,CAAC,QAAQ,EAAE;aACd,CAAC,CAAC;YAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBACjB,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,qCAAqC,EAAE;oBACxD,MAAM,EAAE,QAAQ,CAAC,MAAM;oBACvB,QAAQ,EAAE,cAAc,CAAC,QAAQ;iBAClC,CAAC,CAAC;gBACH,OAAO,IAAI,CAAC;YACd,CAAC;YAED,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,IAAI,EAMjC,CAAC;YAEF,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE,CAAC;gBACzB,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,4DAA4D,CAAC,CAAC;gBACjF,OAAO,IAAI,CAAC;YACd,CAAC;YAED,iCAAiC;YACjC,MAAM,SAAS,GAAG,MAAM,CAAC,UAAU,IAAI,IAAI,CAAC,CAAC,iBAAiB;YAC9D,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,GAAG,IAAI,CAAC;YAEhD,MAAM,SAAS,GAAc;gBAC3B,YAAY,EAAE,MAAM,CAAC,YAAY;gBACjC,aAAa,EAAE,MAAM,CAAC,aAAa,IAAI,YAAY,EAAE,4DAA4D;gBACjH,UAAU,EAAE,SAAS;gBACrB,UAAU,EAAE,SAAS;gBACrB,UAAU,EAAE,MAAM,CAAC,UAAU,IAAI,QAAQ;gBACzC,KAAK,EAAE,MAAM,CAAC,KAAK;aACpB,CAAC;YAEF,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,yCAAyC,EAAE;gBAC5D,QAAQ,EAAE,cAAc,CAAC,QAAQ;gBACjC,SAAS,EAAE,IAAI,IAAI,CAAC,SAAS,CAAC,CAAC,WAAW,EAAE;aAC7C,CAAC,CAAC;YAEH,OAAO,SAAS,CAAC;QACnB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,oCAAoC,EAAE;gBACvD,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;gBAC7D,QAAQ,EAAE,cAAc,CAAC,QAAQ;aAClC,CAAC,CAAC;YACH,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,iBAAiB,CAC7B,cAA6B,EAC7B,YAAoB;QAEpB,MAAM,QAAQ,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,iBAAiB,qBAAqB,CAAC;QAEvE,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,2CAA2C,EAAE;YAC9D,QAAQ;YACR,QAAQ,EAAE,cAAc,CAAC,gBAAgB;SAC1C,CAAC,CAAC;QAEH,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,KAAK,CAAC,QAAQ,EAAE;gBAC/D,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE;oBACP,cAAc,EAAE,kBAAkB;oBAClC,aAAa,EAAE,UAAU,IAAI,CAAC,MAAM,CAAC,iBAAiB,EAAE;iBACzD;gBACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;oBACnB,UAAU,EAAE,eAAe;oBAC3B,aAAa,EAAE,YAAY;oBAC3B,QAAQ,EAAE,cAAc,CAAC,gBAAgB;oBACzC,UAAU,EAAE,IAAI,CAAC,MAAM,CAAC,SAAS;iBAClC,CAAC;aACH,CAAC,CAAC;YAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBACjB,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,2CAA2C,EAAE;oBAC9D,MAAM,EAAE,QAAQ,CAAC,MAAM;oBACvB,QAAQ;iBACT,CAAC,CAAC;gBACH,OAAO,IAAI,CAAC;YACd,CAAC;YAED,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,IAAI,EAajC,CAAC;YACF,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,IAAI,MAAM,CAAC;YAErC,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE,CAAC;gBACzB,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,kEAAkE,CAAC,CAAC;gBACvF,OAAO,IAAI,CAAC;YACd,CAAC;YAED,iCAAiC;YACjC,MAAM,SAAS,GAAG,MAAM,CAAC,UAAU,IAAI,IAAI,CAAC,CAAC,iBAAiB;YAC9D,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,GAAG,IAAI,CAAC;YAEhD,MAAM,SAAS,GAAc;gBAC3B,YAAY,EAAE,MAAM,CAAC,YAAY;gBACjC,aAAa,EAAE,MAAM,CAAC,aAAa,IAAI,YAAY;gBACnD,UAAU,EAAE,SAAS;gBACrB,UAAU,EAAE,SAAS;gBACrB,UAAU,EAAE,MAAM,CAAC,UAAU,IAAI,QAAQ;gBACzC,KAAK,EAAE,MAAM,CAAC,KAAK;aACpB,CAAC;YAEF,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,+CAA+C,EAAE;gBAClE,QAAQ;gBACR,SAAS,EAAE,IAAI,IAAI,CAAC,SAAS,CAAC,CAAC,WAAW,EAAE;aAC7C,CAAC,CAAC;YAEH,OAAO,SAAS,CAAC;QACnB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,0CAA0C,EAAE;gBAC7D,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;gBAC7D,QAAQ;aACT,CAAC,CAAC;YACH,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;CACF;AAxdD,oCAwdC"}

package/dist/services/oauth-token-retrieval.service.d.ts

@@ -0,0 +1,49 @@
+/**
+ * OAuth Token Retrieval Service
+ *
+ * Retrieves OAuth tokens from AgentShield after receiving delegation token.
+ * Implements the two-step token flow for Phase 3 custom IDP support.
+ *
+ * @package @kya-os/mcp-i-core
+ */
+import type { IdpTokens } from "@kya-os/contracts/config";
+/**
+ * Configuration for OAuthTokenRetrievalService
+ */
+export interface OAuthTokenRetrievalServiceConfig {
+    /** AgentShield API base URL */
+    baseUrl: string;
+    /** Fetch implementation */
+    fetchProvider: typeof fetch;
+    /** Optional logger callback */
+    logger?: (message: string, data?: any) => void;
+    /** Optional retry configuration */
+    retryConfig?: {
+        maxRetries?: number;
+        retryDelay?: number;
+        retryBackoff?: number;
+    };
+}
+/**
+ * Service for retrieving OAuth tokens from AgentShield
+ */
+export declare class OAuthTokenRetrievalService {
+    private config;
+    constructor(config: OAuthTokenRetrievalServiceConfig);
+    /**
+     * Retrieve OAuth tokens from AgentShield
+     *
+     * @param delegationId - Delegation ID from token exchange response
+     * @param delegationToken - Delegation token (JWT) for authorization
+     * @returns OAuth tokens mapped to IdpTokens format, or null if unavailable
+     */
+    retrieveTokens(delegationId: string, delegationToken: string): Promise<IdpTokens | null>;
+    /**
+     * Map AgentShield response to IdpTokens format
+     *
+     * @param data - Response data from AgentShield
+     * @returns IdpTokens object
+     */
+    private mapToIdpTokens;
+}
+//# sourceMappingURL=oauth-token-retrieval.service.d.ts.map

package/dist/services/oauth-token-retrieval.service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-token-retrieval.service.d.ts","sourceRoot":"","sources":["../../src/services/oauth-token-retrieval.service.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,0BAA0B,CAAC;AAE1D;;GAEG;AACH,MAAM,WAAW,gCAAgC;IAC/C,+BAA+B;IAC/B,OAAO,EAAE,MAAM,CAAC;IAChB,2BAA2B;IAC3B,aAAa,EAAE,OAAO,KAAK,CAAC;IAC5B,+BAA+B;IAC/B,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,GAAG,KAAK,IAAI,CAAC;IAC/C,mCAAmC;IACnC,WAAW,CAAC,EAAE;QACZ,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,YAAY,CAAC,EAAE,MAAM,CAAC;KACvB,CAAC;CACH;AAiCD;;GAEG;AACH,qBAAa,0BAA0B;IACrC,OAAO,CAAC,MAAM,CAEZ;gBAEU,MAAM,EAAE,gCAAgC;IAmBpD;;;;;;OAMG;IACG,cAAc,CAClB,YAAY,EAAE,MAAM,EACpB,eAAe,EAAE,MAAM,GACtB,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC;IAqH5B;;;;;OAKG;IACH,OAAO,CAAC,cAAc;CAuBvB"}

package/dist/services/oauth-token-retrieval.service.js

@@ -0,0 +1,150 @@
+"use strict";
+/**
+ * OAuth Token Retrieval Service
+ *
+ * Retrieves OAuth tokens from AgentShield after receiving delegation token.
+ * Implements the two-step token flow for Phase 3 custom IDP support.
+ *
+ * @package @kya-os/mcp-i-core
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OAuthTokenRetrievalService = void 0;
+/**
+ * Service for retrieving OAuth tokens from AgentShield
+ */
+class OAuthTokenRetrievalService {
+    config;
+    constructor(config) {
+        const defaultRetryConfig = {
+            maxRetries: 3,
+            retryDelay: 1000,
+            retryBackoff: 2,
+        };
+        this.config = {
+            ...config,
+            logger: config.logger || (() => { }),
+            retryConfig: {
+                ...defaultRetryConfig,
+                ...config.retryConfig,
+            },
+        };
+    }
+    /**
+     * Retrieve OAuth tokens from AgentShield
+     *
+     * @param delegationId - Delegation ID from token exchange response
+     * @param delegationToken - Delegation token (JWT) for authorization
+     * @returns OAuth tokens mapped to IdpTokens format, or null if unavailable
+     */
+    async retrieveTokens(delegationId, delegationToken) {
+        const endpoint = `${this.config.baseUrl}/api/v1/bouncer/delegations/${delegationId}/tokens`;
+        this.config.logger("[OAuthTokenRetrievalService] Retrieving OAuth tokens", {
+            delegationId,
+            endpoint,
+        });
+        let lastError = null;
+        let attempt = 0;
+        // Retry logic for transient failures
+        while (attempt <= this.config.retryConfig.maxRetries) {
+            try {
+                const response = await this.config.fetchProvider(endpoint, {
+                    method: "GET",
+                    headers: {
+                        Authorization: `Bearer ${delegationToken}`,
+                        Accept: "application/json",
+                    },
+                });
+                if (!response.ok) {
+                    const errorData = await response.json().catch(() => ({}));
+                    if (response.status === 404 || response.status === 401) {
+                        // Token unavailable or unauthorized - don't retry
+                        this.config.logger("[OAuthTokenRetrievalService] Tokens unavailable", {
+                            status: response.status,
+                            delegationId,
+                            error: errorData,
+                        });
+                        return null;
+                    }
+                    // Transient error - retry
+                    const errorMessage = errorData.error?.message ||
+                        errorData.error ||
+                        errorData.message ||
+                        `HTTP ${response.status}`;
+                    throw new Error(`Token retrieval failed: ${errorMessage}`);
+                }
+                const result = (await response.json());
+                if (!result.success) {
+                    this.config.logger("[OAuthTokenRetrievalService] Token retrieval error response", {
+                        delegationId,
+                        error: result.error,
+                    });
+                    return null;
+                }
+                // Map response to IdpTokens format
+                const tokens = this.mapToIdpTokens(result.data);
+                this.config.logger("[OAuthTokenRetrievalService] OAuth tokens retrieved successfully", {
+                    delegationId,
+                    expiresAt: new Date(tokens.expires_at).toISOString(),
+                    hasRefreshToken: !!tokens.refresh_token,
+                });
+                return tokens;
+            }
+            catch (error) {
+                lastError = error instanceof Error ? error : new Error(String(error));
+                if (attempt < this.config.retryConfig.maxRetries) {
+                    const delay = this.config.retryConfig.retryDelay *
+                        Math.pow(this.config.retryConfig.retryBackoff, attempt);
+                    this.config.logger("[OAuthTokenRetrievalService] Retry attempt failed, retrying", {
+                        attempt: attempt + 1,
+                        maxRetries: this.config.retryConfig.maxRetries,
+                        delay,
+                        error: lastError.message,
+                    });
+                    await new Promise((resolve) => setTimeout(resolve, delay));
+                    attempt++;
+                }
+                else {
+                    // Max retries exceeded
+                    this.config.logger("[OAuthTokenRetrievalService] Max retries exceeded", {
+                        delegationId,
+                        error: lastError.message,
+                        attempts: attempt + 1,
+                    });
+                    // Return null instead of throwing - delegation token still valid
+                    return null;
+                }
+            }
+        }
+        return null;
+    }
+    /**
+     * Map AgentShield response to IdpTokens format
+     *
+     * @param data - Response data from AgentShield
+     * @returns IdpTokens object
+     */
+    mapToIdpTokens(data) {
+        // Convert ISO 8601 string to milliseconds timestamp
+        let expiresAt;
+        if (data.oauth_expires_at) {
+            expiresAt = new Date(data.oauth_expires_at).getTime();
+        }
+        else if (data.oauth_expires_in) {
+            expiresAt = Date.now() + data.oauth_expires_in * 1000;
+        }
+        else {
+            // Default to 1 hour if neither provided
+            expiresAt = Date.now() + 3600 * 1000;
+        }
+        return {
+            access_token: data.oauth_access_token,
+            refresh_token: data.oauth_refresh_token || undefined,
+            expires_in: data.oauth_expires_in || undefined,
+            expires_at: expiresAt,
+            token_type: data.oauth_token_type || "Bearer",
+            scope: data.oauth_scope || undefined,
+        };
+    }
+}
+exports.OAuthTokenRetrievalService = OAuthTokenRetrievalService;
+//# sourceMappingURL=oauth-token-retrieval.service.js.map

package/dist/services/oauth-token-retrieval.service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-token-retrieval.service.js","sourceRoot":"","sources":["../../src/services/oauth-token-retrieval.service.ts"],"names":[],"mappings":";AAAA;;;;;;;GAOG;;;AAqDH;;GAEG;AACH,MAAa,0BAA0B;IAC7B,MAAM,CAEZ;IAEF,YAAY,MAAwC;QAClD,MAAM,kBAAkB,GAAG;YACzB,UAAU,EAAE,CAAC;YACb,UAAU,EAAE,IAAI;YAChB,YAAY,EAAE,CAAC;SAChB,CAAC;QAEF,IAAI,CAAC,MAAM,GAAG;YACZ,GAAG,MAAM;YACT,MAAM,EAAE,MAAM,CAAC,MAAM,IAAI,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC;YACnC,WAAW,EAAE;gBACX,GAAG,kBAAkB;gBACrB,GAAG,MAAM,CAAC,WAAW;aACtB;SAGF,CAAC;IACJ,CAAC;IAED;;;;;;OAMG;IACH,KAAK,CAAC,cAAc,CAClB,YAAoB,EACpB,eAAuB;QAEvB,MAAM,QAAQ,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,OAAO,+BAA+B,YAAY,SAAS,CAAC;QAE5F,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,sDAAsD,EAAE;YACzE,YAAY;YACZ,QAAQ;SACT,CAAC,CAAC;QAEH,IAAI,SAAS,GAAiB,IAAI,CAAC;QACnC,IAAI,OAAO,GAAG,CAAC,CAAC;QAEhB,qCAAqC;QACrC,OAAO,OAAO,IAAI,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,UAAU,EAAE,CAAC;YACrD,IAAI,CAAC;gBACH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,QAAQ,EAAE;oBACzD,MAAM,EAAE,KAAK;oBACb,OAAO,EAAE;wBACP,aAAa,EAAE,UAAU,eAAe,EAAE;wBAC1C,MAAM,EAAE,kBAAkB;qBAC3B;iBACF,CAAC,CAAC;gBAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;oBACjB,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAEhB,CAAC;oBAEzC,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;wBACvD,kDAAkD;wBAClD,IAAI,CAAC,MAAM,CAAC,MAAM,CAChB,iDAAiD,EACjD;4BACE,MAAM,EAAE,QAAQ,CAAC,MAAM;4BACvB,YAAY;4BACZ,KAAK,EAAE,SAAS;yBACjB,CACF,CAAC;wBACF,OAAO,IAAI,CAAC;oBACd,CAAC;oBAED,0BAA0B;oBAC1B,MAAM,YAAY,GACf,SAA8C,CAAC,KAAK,EAAE,OAAO;wBAC7D,SAAiB,CAAC,KAAK;wBACvB,SAAiB,CAAC,OAAO;wBAC1B,QAAQ,QAAQ,CAAC,MAAM,EAAE,CAAC;oBAE5B,MAAM,IAAI,KAAK,CAAC,2BAA2B,YAAY,EAAE,CAAC,CAAC;gBAC7D,CAAC;gBAED,MAAM,MAAM,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAED,CAAC;gBAErC,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;oBACpB,IAAI,CAAC,MAAM,CAAC,MAAM,CAChB,6DAA6D,EAC7D;wBACE,YAAY;wBACZ,KAAK,EAAE,MAAM,CAAC,KAAK;qBACpB,CACF,CAAC;oBACF,OAAO,IAAI,CAAC;gBACd,CAAC;gBAED,mCAAmC;gBACnC,MAAM,MAAM,GAAG,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;gBAEhD,IAAI,CAAC,MAAM,CAAC,MAAM,CAChB,kEAAkE,EAClE;oBACE,YAAY;oBACZ,SAAS,EAAE,IAAI,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,WAAW,EAAE;oBACpD,eAAe,EAAE,CAAC,CAAC,MAAM,CAAC,aAAa;iBACxC,CACF,CAAC;gBAEF,OAAO,MAAM,CAAC;YAChB,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,SAAS,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;gBAEtE,IAAI,OAAO,GAAG,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,UAAU,EAAE,CAAC;oBACjD,MAAM,KAAK,GACT,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,UAAU;wBAClC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC;oBAE1D,IAAI,CAAC,MAAM,CAAC,MAAM,CAChB,6DAA6D,EAC7D;wBACE,OAAO,EAAE,OAAO,GAAG,CAAC;wBACpB,UAAU,EAAE,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,UAAU;wBAC9C,KAAK;wBACL,KAAK,EAAE,SAAS,CAAC,OAAO;qBACzB,CACF,CAAC;oBAEF,MAAM,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC,CAAC;oBAC3D,OAAO,EAAE,CAAC;gBACZ,CAAC;qBAAM,CAAC;oBACN,uBAAuB;oBACvB,IAAI,CAAC,MAAM,CAAC,MAAM,CAChB,mDAAmD,EACnD;wBACE,YAAY;wBACZ,KAAK,EAAE,SAAS,CAAC,OAAO;wBACxB,QAAQ,EAAE,OAAO,GAAG,CAAC;qBACtB,CACF,CAAC;oBACF,iEAAiE;oBACjE,OAAO,IAAI,CAAC;gBACd,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;;;;OAKG;IACK,cAAc,CACpB,IAAyC;QAEzC,oDAAoD;QACpD,IAAI,SAAiB,CAAC;QACtB,IAAI,IAAI,CAAC,gBAAgB,EAAE,CAAC;YAC1B,SAAS,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC,OAAO,EAAE,CAAC;QACxD,CAAC;aAAM,IAAI,IAAI,CAAC,gBAAgB,EAAE,CAAC;YACjC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,gBAAgB,GAAG,IAAI,CAAC;QACxD,CAAC;aAAM,CAAC;YACN,wCAAwC;YACxC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,GAAG,IAAI,CAAC;QACvC,CAAC;QAED,OAAO;YACL,YAAY,EAAE,IAAI,CAAC,kBAAkB;YACrC,aAAa,EAAE,IAAI,CAAC,mBAAmB,IAAI,SAAS;YACpD,UAAU,EAAE,IAAI,CAAC,gBAAgB,IAAI,SAAS;YAC9C,UAAU,EAAE,SAAS;YACrB,UAAU,EAAE,IAAI,CAAC,gBAAgB,IAAI,QAAQ;YAC7C,KAAK,EAAE,IAAI,CAAC,WAAW,IAAI,SAAS;SACrC,CAAC;IACJ,CAAC;CACF;AApLD,gEAoLC"}

package/dist/services/provider-resolver.d.ts

@@ -0,0 +1,48 @@
+/**
+ * Provider Resolver
+ *
+ * Resolves OAuth provider for tools using priority-based resolution strategy.
+ * Supports Phase 2+ tool-specific providers with backward compatibility for Phase 1.
+ *
+ * @package @kya-os/mcp-i-core
+ */
+import type { ToolProtection } from "@kya-os/contracts/tool-protection";
+import type { OAuthProviderRegistry } from "./oauth-provider-registry.js";
+import type { OAuthConfigService } from "./oauth-config.service.js";
+/**
+ * Resolves OAuth provider for tools with priority-based fallback strategy
+ *
+ * Priority order:
+ * 1. Tool-specific oauthProvider field (Phase 2+ preferred)
+ * 2. Scope prefix inference (fallback)
+ * 3. Project-configured provider from AgentShield dashboard
+ * 4. Error if no provider can be resolved
+ */
+export declare class ProviderResolver {
+    private registry;
+    private configService;
+    constructor(registry: OAuthProviderRegistry, configService: OAuthConfigService);
+    /**
+     * Resolve OAuth provider for a tool
+     *
+     * @param toolProtection - Tool protection configuration
+     * @param projectId - Project ID for fetching provider config
+     * @returns Provider name (never null - throws if cannot resolve)
+     * @throws Error if provider cannot be resolved
+     */
+    resolveProvider(toolProtection: ToolProtection, projectId: string): Promise<string>;
+    /**
+     * Infer provider from scope prefixes
+     *
+     * Used as Priority 2 fallback when oauthProvider is not specified.
+     * Examples:
+     * - github:repo:read → github
+     * - gmail:read → google
+     * - microsoft:calendar:read → microsoft
+     *
+     * @param scopes - Required scopes for the tool
+     * @returns Provider name if uniquely inferred, null otherwise
+     */
+    private inferProviderFromScopes;
+}
+//# sourceMappingURL=provider-resolver.d.ts.map

package/dist/services/provider-resolver.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"provider-resolver.d.ts","sourceRoot":"","sources":["../../src/services/provider-resolver.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,mCAAmC,CAAC;AACxE,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,8BAA8B,CAAC;AAC1E,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC;AAEpE;;;;;;;;GAQG;AACH,qBAAa,gBAAgB;IAEzB,OAAO,CAAC,QAAQ;IAChB,OAAO,CAAC,aAAa;gBADb,QAAQ,EAAE,qBAAqB,EAC/B,aAAa,EAAE,kBAAkB;IAG3C;;;;;;;OAOG;IACG,eAAe,CACnB,cAAc,EAAE,cAAc,EAC9B,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,MAAM,CAAC;IAyDlB;;;;;;;;;;;OAWG;IACH,OAAO,CAAC,uBAAuB;CAoChC"}