@kya-os/mcp-i-core 1.3.7-canary.0 → 1.3.7-canary.clientinfo.20251126041014

package/dist/services/oauth-provider-registry.js

@@ -0,0 +1,128 @@
+"use strict";
+/**
+ * OAuth Provider Registry
+ *
+ * Manages OAuth provider configurations loaded from AgentShield API.
+ * Provides efficient lookup and caching of provider configurations.
+ *
+ * @package @kya-os/mcp-i-core
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OAuthProviderRegistry = void 0;
+/**
+ * Registry for OAuth providers
+ *
+ * Wraps OAuthConfigService to provide a simple lookup interface
+ * for provider configurations.
+ */
+class OAuthProviderRegistry {
+    configService;
+    validator;
+    providers = new Map();
+    _configuredProvider = null;
+    constructor(configService, validator) {
+        this.configService = configService;
+        this.validator = validator;
+    }
+    /**
+     * Load providers from AgentShield API
+     *
+     * Fetches OAuth configuration and caches providers in memory.
+     * Clears existing providers before loading new ones.
+     * Also stores the configured provider from the API response.
+     *
+     * @param projectId - Project ID to load providers for
+     */
+    async loadFromAgentShield(projectId) {
+        const config = await this.configService.getOAuthConfig(projectId);
+        // Clear existing providers
+        this.providers.clear();
+        // Store the configured provider from API response
+        // This is the provider the user has explicitly configured in AgentShield dashboard
+        this._configuredProvider = config.configuredProvider || null;
+        // Register all providers from config
+        for (const [name, providerConfig] of Object.entries(config.providers)) {
+            this.providers.set(name, providerConfig);
+        }
+    }
+    /**
+     * Get the explicitly configured provider for this project
+     *
+     * Returns the provider that the user has configured in AgentShield dashboard.
+     * Used by ProviderResolver as fallback when tool doesn't specify oauthProvider.
+     *
+     * @returns Configured provider name, or null if no provider is configured
+     */
+    getConfiguredProvider() {
+        return this._configuredProvider;
+    }
+    /**
+     * Get provider by name
+     *
+     * @param name - Provider name (e.g., "github", "google")
+     * @returns Provider configuration or null if not found
+     */
+    getProvider(name) {
+        return this.providers.get(name) || null;
+    }
+    /**
+     * Get all providers
+     *
+     * @returns Array of all registered provider configurations
+     */
+    getAllProviders() {
+        return Array.from(this.providers.values());
+    }
+    /**
+     * Check if provider exists
+     *
+     * @param name - Provider name to check
+     * @returns True if provider is registered, false otherwise
+     */
+    hasProvider(name) {
+        return this.providers.has(name);
+    }
+    /**
+     * Get all provider names
+     *
+     * @returns Array of provider names
+     */
+    getProviderNames() {
+        return Array.from(this.providers.keys());
+    }
+    /**
+     * Register a custom provider with validation
+     *
+     * @param name - Provider name (e.g., "custom-idp")
+     * @param provider - Provider configuration
+     * @throws ProviderValidationError if validation fails
+     */
+    registerCustomProvider(name, provider) {
+        // Validate provider configuration if validator is available
+        if (this.validator) {
+            this.validator.validate(provider, name);
+        }
+        // Register provider
+        this.providers.set(name, provider);
+    }
+    /**
+     * Get provider with custom parameters merged
+     *
+     * Convenience method that returns provider config with custom parameters
+     * already applied to authorization URL building context.
+     *
+     * @param name - Provider name
+     * @returns Provider configuration with custom params, or null if not found
+     */
+    getProviderWithParams(name) {
+        const provider = this.getProvider(name);
+        if (!provider) {
+            return null;
+        }
+        // Return provider as-is (customParams are already in the config)
+        // This method exists for future extensibility if we need to merge params
+        return provider;
+    }
+}
+exports.OAuthProviderRegistry = OAuthProviderRegistry;
+//# sourceMappingURL=oauth-provider-registry.js.map

package/dist/services/oauth-provider-registry.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-provider-registry.js","sourceRoot":"","sources":["../../src/services/oauth-provider-registry.ts"],"names":[],"mappings":";AAAA;;;;;;;GAOG;;;AAMH;;;;;GAKG;AACH,MAAa,qBAAqB;IAKtB;IACA;IALF,SAAS,GAA+B,IAAI,GAAG,EAAE,CAAC;IAClD,mBAAmB,GAAkB,IAAI,CAAC;IAElD,YACU,aAAiC,EACjC,SAA6B;QAD7B,kBAAa,GAAb,aAAa,CAAoB;QACjC,cAAS,GAAT,SAAS,CAAoB;IACpC,CAAC;IAEJ;;;;;;;;OAQG;IACH,KAAK,CAAC,mBAAmB,CAAC,SAAiB;QACzC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,cAAc,CAAC,SAAS,CAAC,CAAC;QAElE,2BAA2B;QAC3B,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,CAAC;QAEvB,kDAAkD;QAClD,mFAAmF;QACnF,IAAI,CAAC,mBAAmB,GAAG,MAAM,CAAC,kBAAkB,IAAI,IAAI,CAAC;QAE7D,qCAAqC;QACrC,KAAK,MAAM,CAAC,IAAI,EAAE,cAAc,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,EAAE,CAAC;YACtE,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,EAAE,cAAc,CAAC,CAAC;QAC3C,CAAC;IACH,CAAC;IAED;;;;;;;OAOG;IACH,qBAAqB;QACnB,OAAO,IAAI,CAAC,mBAAmB,CAAC;IAClC,CAAC;IAED;;;;;OAKG;IACH,WAAW,CAAC,IAAY;QACtB,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC;IAC1C,CAAC;IAED;;;;OAIG;IACH,eAAe;QACb,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,CAAC,CAAC;IAC7C,CAAC;IAED;;;;;OAKG;IACH,WAAW,CAAC,IAAY;QACtB,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAClC,CAAC;IAED;;;;OAIG;IACH,gBAAgB;QACd,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC,CAAC;IAC3C,CAAC;IAED;;;;;;OAMG;IACH,sBAAsB,CAAC,IAAY,EAAE,QAAuB;QAC1D,4DAA4D;QAC5D,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;YACnB,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;QAC1C,CAAC;QAED,oBAAoB;QACpB,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;IACrC,CAAC;IAED;;;;;;;;OAQG;IACH,qBAAqB,CAAC,IAAY;QAChC,MAAM,QAAQ,GAAG,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC;QACxC,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,OAAO,IAAI,CAAC;QACd,CAAC;QAED,iEAAiE;QACjE,yEAAyE;QACzE,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF;AAxHD,sDAwHC"}

package/dist/services/oauth-service.d.ts

@@ -0,0 +1,77 @@
+/**
+ * OAuth Service
+ *
+ * Handles OAuth token exchange and refresh using PKCE (Proof Key for Code Exchange).
+ * Supports both direct PKCE exchange with OAuth providers and proxy mode via AgentShield.
+ *
+ * @package @kya-os/mcp-i-core
+ */
+import type { FetchProvider } from "../providers/base.js";
+import type { OAuthConfigService } from "./oauth-config.service.js";
+import type { IdpTokens } from "@kya-os/contracts/config";
+export interface OAuthServiceConfig {
+    /** OAuth config service for fetching provider configurations */
+    configService: OAuthConfigService;
+    /** Fetch provider for making HTTP requests */
+    fetchProvider: FetchProvider;
+    /** AgentShield API URL (for proxy mode) */
+    agentShieldApiUrl: string;
+    /** AgentShield API key (for proxy mode) */
+    agentShieldApiKey: string;
+    /** Project ID for fetching OAuth config */
+    projectId: string;
+    /** Optional logger callback for diagnostics */
+    logger?: (message: string, data?: unknown) => void;
+}
+/**
+ * Service for OAuth token exchange and refresh
+ */
+export declare class OAuthService {
+    private config;
+    constructor(config: OAuthServiceConfig);
+    /**
+     * Exchange authorization code for IDP tokens using PKCE
+     *
+     * For PKCE providers: Exchanges code directly with OAuth provider (no client secret)
+     * For proxy mode: Exchanges code via AgentShield API
+     *
+     * @param provider - OAuth provider name (e.g., "github", "google")
+     * @param code - Authorization code from OAuth callback
+     * @param codeVerifier - PKCE code verifier (optional for non-PKCE providers in proxy mode)
+     * @param redirectUri - Redirect URI used in authorization request
+     * @returns IDP tokens (access_token, refresh_token, expires_at, etc.)
+     */
+    exchangeToken(provider: string, code: string, codeVerifier?: string, redirectUri?: string): Promise<IdpTokens>;
+    /**
+     * Exchange token directly with OAuth provider using PKCE
+     */
+    private exchangeTokenPKCE;
+    /**
+     * Exchange token via AgentShield proxy (for providers that require proxy mode)
+     *
+     * Note: For Phase 3 two-step flow, OAuth tokens are retrieved separately via
+     * OAuthTokenRetrievalService in the callback handler. This method maintains
+     * backward compatibility for direct proxy mode usage.
+     */
+    private exchangeTokenProxy;
+    /**
+     * Refresh IDP access token using refresh token
+     *
+     * For PKCE providers: Refreshes directly with OAuth provider
+     * For proxy mode: Refreshes via AgentShield API
+     *
+     * @param provider - OAuth provider name
+     * @param refreshToken - Refresh token from previous token exchange
+     * @returns New IDP tokens or null if refresh failed
+     */
+    refreshToken(provider: string, refreshToken: string): Promise<IdpTokens | null>;
+    /**
+     * Refresh token directly with OAuth provider using PKCE
+     */
+    private refreshTokenPKCE;
+    /**
+     * Refresh token via AgentShield proxy
+     */
+    private refreshTokenProxy;
+}
+//# sourceMappingURL=oauth-service.d.ts.map

package/dist/services/oauth-service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-service.d.ts","sourceRoot":"","sources":["../../src/services/oauth-service.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAC1D,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC;AACpE,OAAO,KAAK,EAAE,SAAS,EAAiB,MAAM,0BAA0B,CAAC;AAEzE,MAAM,WAAW,kBAAkB;IACjC,gEAAgE;IAChE,aAAa,EAAE,kBAAkB,CAAC;IAElC,8CAA8C;IAC9C,aAAa,EAAE,aAAa,CAAC;IAE7B,2CAA2C;IAC3C,iBAAiB,EAAE,MAAM,CAAC;IAE1B,2CAA2C;IAC3C,iBAAiB,EAAE,MAAM,CAAC;IAE1B,2CAA2C;IAC3C,SAAS,EAAE,MAAM,CAAC;IAElB,+CAA+C;IAC/C,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,OAAO,KAAK,IAAI,CAAC;CACpD;AAED;;GAEG;AACH,qBAAa,YAAY;IACvB,OAAO,CAAC,MAAM,CAEZ;gBAEU,MAAM,EAAE,kBAAkB;IAWtC;;;;;;;;;;;OAWG;IACG,aAAa,CACjB,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,MAAM,EACZ,YAAY,CAAC,EAAE,MAAM,EACrB,WAAW,CAAC,EAAE,MAAM,GACnB,OAAO,CAAC,SAAS,CAAC;IAyCrB;;OAEG;YACW,iBAAiB;IAsH/B;;;;;;OAMG;YACW,kBAAkB;IAyGhC;;;;;;;;;OASG;IACG,YAAY,CAChB,QAAQ,EAAE,MAAM,EAChB,YAAY,EAAE,MAAM,GACnB,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC;IA2B5B;;OAEG;YACW,gBAAgB;IAuE9B;;OAEG;YACW,iBAAiB;CAkFhC"}

package/dist/services/oauth-service.js

@@ -0,0 +1,373 @@
+"use strict";
+/**
+ * OAuth Service
+ *
+ * Handles OAuth token exchange and refresh using PKCE (Proof Key for Code Exchange).
+ * Supports both direct PKCE exchange with OAuth providers and proxy mode via AgentShield.
+ *
+ * @package @kya-os/mcp-i-core
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OAuthService = void 0;
+/**
+ * Service for OAuth token exchange and refresh
+ */
+class OAuthService {
+    config;
+    constructor(config) {
+        this.config = {
+            configService: config.configService,
+            fetchProvider: config.fetchProvider,
+            agentShieldApiUrl: config.agentShieldApiUrl,
+            agentShieldApiKey: config.agentShieldApiKey,
+            projectId: config.projectId,
+            logger: config.logger || (() => { }),
+        };
+    }
+    /**
+     * Exchange authorization code for IDP tokens using PKCE
+     *
+     * For PKCE providers: Exchanges code directly with OAuth provider (no client secret)
+     * For proxy mode: Exchanges code via AgentShield API
+     *
+     * @param provider - OAuth provider name (e.g., "github", "google")
+     * @param code - Authorization code from OAuth callback
+     * @param codeVerifier - PKCE code verifier (optional for non-PKCE providers in proxy mode)
+     * @param redirectUri - Redirect URI used in authorization request
+     * @returns IDP tokens (access_token, refresh_token, expires_at, etc.)
+     */
+    async exchangeToken(provider, code, codeVerifier, redirectUri) {
+        // Fetch provider config
+        const oauthConfig = await this.config.configService.getOAuthConfig(this.config.projectId);
+        const providerConfig = oauthConfig.providers[provider];
+        if (!providerConfig) {
+            throw new Error(`Provider "${provider}" not configured for project "${this.config.projectId}"`);
+        }
+        // For PKCE providers, require codeVerifier
+        if (providerConfig.supportsPKCE && !providerConfig.proxyMode) {
+            if (!codeVerifier) {
+                throw new Error(`Provider "${provider}" requires PKCE code_verifier for token exchange`);
+            }
+            return this.exchangeTokenPKCE(providerConfig, code, codeVerifier, redirectUri || "");
+        }
+        // For proxy mode, codeVerifier is optional (only included if PKCE is supported)
+        if (providerConfig.proxyMode) {
+            return this.exchangeTokenProxy(providerConfig, code, codeVerifier, redirectUri || "");
+        }
+        throw new Error(`Provider "${provider}" configuration is invalid: must support PKCE or use proxy mode`);
+    }
+    /**
+     * Exchange token directly with OAuth provider using PKCE
+     */
+    async exchangeTokenPKCE(providerConfig, code, codeVerifier, redirectUri) {
+        this.config.logger("[OAuthService] Exchanging token with PKCE", {
+            provider: providerConfig.authorizationUrl,
+            tokenUrl: providerConfig.tokenUrl,
+            hasClientSecret: !!providerConfig.clientSecret,
+        });
+        // Build token exchange parameters
+        // Note: GitHub OAuth Apps require client_secret even with PKCE
+        // (GitHub Apps can use PKCE without client_secret, but OAuth Apps cannot)
+        const params = {
+            grant_type: "authorization_code",
+            code,
+            redirect_uri: redirectUri,
+            client_id: providerConfig.clientId,
+            code_verifier: codeVerifier,
+        };
+        // Include client_secret if provider has one configured
+        // This is required for GitHub OAuth Apps and other providers that need it
+        if (providerConfig.clientSecret) {
+            params.client_secret = providerConfig.clientSecret;
+        }
+        const response = await this.config.fetchProvider.fetch(providerConfig.tokenUrl, {
+            method: "POST",
+            headers: {
+                "Content-Type": "application/x-www-form-urlencoded",
+                Accept: "application/json",
+            },
+            body: new URLSearchParams(params).toString(),
+        });
+        if (!response.ok) {
+            const errorText = await response.text().catch(() => "Unknown error");
+            let errorData;
+            try {
+                errorData = JSON.parse(errorText);
+            }
+            catch {
+                errorData = { error: errorText };
+            }
+            const errorMessage = errorData.error_description || errorData.error || errorText;
+            this.config.logger("[OAuthService] Token exchange failed", {
+                status: response.status,
+                error: errorMessage,
+                provider: providerConfig.tokenUrl,
+            });
+            throw new Error(`Token exchange failed: ${errorMessage} (${response.status})`);
+        }
+        const tokens = await response.json();
+        // GitHub returns errors with 200 status - check for error field first
+        if (tokens.error) {
+            this.config.logger("[OAuthService] Token exchange returned error (200 status)", {
+                error: tokens.error,
+                errorDescription: tokens.error_description,
+                errorUri: tokens.error_uri,
+                provider: providerConfig.tokenUrl,
+                responseKeys: Object.keys(tokens),
+            });
+            throw new Error(`Token exchange failed: ${tokens.error_description || tokens.error}`);
+        }
+        // Validate required fields
+        if (!tokens.access_token) {
+            this.config.logger("[OAuthService] Token response missing access_token", {
+                responseKeys: Object.keys(tokens),
+                provider: providerConfig.tokenUrl,
+            });
+            throw new Error("Token response missing access_token");
+        }
+        // Calculate expiration timestamp
+        const expiresIn = tokens.expires_in || 3600; // Default 1 hour
+        const expiresAt = Date.now() + expiresIn * 1000;
+        const idpTokens = {
+            access_token: tokens.access_token,
+            refresh_token: tokens.refresh_token,
+            expires_in: expiresIn,
+            expires_at: expiresAt,
+            token_type: tokens.token_type || "Bearer",
+            scope: tokens.scope,
+        };
+        this.config.logger("[OAuthService] Token exchange successful", {
+            provider: providerConfig.tokenUrl,
+            expiresAt: new Date(expiresAt).toISOString(),
+            hasRefreshToken: !!idpTokens.refresh_token,
+        });
+        return idpTokens;
+    }
+    /**
+     * Exchange token via AgentShield proxy (for providers that require proxy mode)
+     *
+     * Note: For Phase 3 two-step flow, OAuth tokens are retrieved separately via
+     * OAuthTokenRetrievalService in the callback handler. This method maintains
+     * backward compatibility for direct proxy mode usage.
+     */
+    async exchangeTokenProxy(providerConfig, code, codeVerifier, redirectUri) {
+        // Exchange via AgentShield proxy endpoint
+        const proxyUrl = `${this.config.agentShieldApiUrl}/api/v1/oauth/token`;
+        this.config.logger("[OAuthService] Exchanging token via proxy", {
+            proxyUrl,
+            provider: providerConfig.authorizationUrl,
+            hasCodeVerifier: !!codeVerifier,
+            supportsPKCE: providerConfig.supportsPKCE,
+        });
+        // Build request body - only include code_verifier if PKCE is supported and provided
+        const requestBody = {
+            grant_type: "authorization_code",
+            code,
+            redirect_uri: redirectUri || "",
+            provider: providerConfig.authorizationUrl,
+            project_id: this.config.projectId,
+        };
+        // Include code_verifier only if provider supports PKCE and verifier is provided
+        if (providerConfig.supportsPKCE && codeVerifier) {
+            requestBody.code_verifier = codeVerifier;
+        }
+        const response = await this.config.fetchProvider.fetch(proxyUrl, {
+            method: "POST",
+            headers: {
+                "Content-Type": "application/json",
+                Authorization: `Bearer ${this.config.agentShieldApiKey}`,
+            },
+            body: JSON.stringify(requestBody),
+        });
+        if (!response.ok) {
+            const errorText = await response.text().catch(() => "Unknown error");
+            let errorData;
+            try {
+                errorData = JSON.parse(errorText);
+            }
+            catch {
+                errorData = { error: errorText };
+            }
+            const errorMessage = errorData.error_description || errorData.error || errorText;
+            this.config.logger("[OAuthService] Proxy token exchange failed", {
+                status: response.status,
+                error: errorMessage,
+                proxyUrl,
+            });
+            throw new Error(`Proxy token exchange failed: ${errorMessage} (${response.status})`);
+        }
+        const result = await response.json();
+        const tokens = result.data || result;
+        // Validate required fields
+        if (!tokens.access_token) {
+            throw new Error("Proxy token response missing access_token");
+        }
+        // Calculate expiration timestamp
+        const expiresIn = tokens.expires_in || 3600; // Default 1 hour
+        const expiresAt = Date.now() + expiresIn * 1000;
+        const idpTokens = {
+            access_token: tokens.access_token,
+            refresh_token: tokens.refresh_token,
+            expires_in: expiresIn,
+            expires_at: expiresAt,
+            token_type: tokens.token_type || "Bearer",
+            scope: tokens.scope,
+        };
+        this.config.logger("[OAuthService] Proxy token exchange successful", {
+            proxyUrl,
+            expiresAt: new Date(expiresAt).toISOString(),
+            hasRefreshToken: !!idpTokens.refresh_token,
+        });
+        return idpTokens;
+    }
+    /**
+     * Refresh IDP access token using refresh token
+     *
+     * For PKCE providers: Refreshes directly with OAuth provider
+     * For proxy mode: Refreshes via AgentShield API
+     *
+     * @param provider - OAuth provider name
+     * @param refreshToken - Refresh token from previous token exchange
+     * @returns New IDP tokens or null if refresh failed
+     */
+    async refreshToken(provider, refreshToken) {
+        // Fetch provider config
+        const oauthConfig = await this.config.configService.getOAuthConfig(this.config.projectId);
+        const providerConfig = oauthConfig.providers[provider];
+        if (!providerConfig) {
+            this.config.logger("[OAuthService] Provider not found for refresh", {
+                provider,
+            });
+            return null;
+        }
+        // For PKCE providers, refresh directly with OAuth provider
+        if (providerConfig.supportsPKCE && !providerConfig.proxyMode) {
+            return this.refreshTokenPKCE(providerConfig, refreshToken);
+        }
+        // For proxy mode, refresh via AgentShield
+        if (providerConfig.proxyMode) {
+            return this.refreshTokenProxy(providerConfig, refreshToken);
+        }
+        return null;
+    }
+    /**
+     * Refresh token directly with OAuth provider using PKCE
+     */
+    async refreshTokenPKCE(providerConfig, refreshToken) {
+        this.config.logger("[OAuthService] Refreshing token with PKCE", {
+            provider: providerConfig.tokenUrl,
+        });
+        try {
+            const response = await this.config.fetchProvider.fetch(providerConfig.tokenUrl, {
+                method: "POST",
+                headers: {
+                    "Content-Type": "application/x-www-form-urlencoded",
+                    Accept: "application/json",
+                },
+                body: new URLSearchParams({
+                    grant_type: "refresh_token",
+                    refresh_token: refreshToken,
+                    client_id: providerConfig.clientId,
+                }).toString(),
+            });
+            if (!response.ok) {
+                this.config.logger("[OAuthService] Token refresh failed", {
+                    status: response.status,
+                    provider: providerConfig.tokenUrl,
+                });
+                return null;
+            }
+            const tokens = await response.json();
+            if (!tokens.access_token) {
+                this.config.logger("[OAuthService] Token refresh response missing access_token");
+                return null;
+            }
+            // Calculate expiration timestamp
+            const expiresIn = tokens.expires_in || 3600; // Default 1 hour
+            const expiresAt = Date.now() + expiresIn * 1000;
+            const idpTokens = {
+                access_token: tokens.access_token,
+                refresh_token: tokens.refresh_token || refreshToken, // Use new refresh token if provided, otherwise keep old one
+                expires_in: expiresIn,
+                expires_at: expiresAt,
+                token_type: tokens.token_type || "Bearer",
+                scope: tokens.scope,
+            };
+            this.config.logger("[OAuthService] Token refresh successful", {
+                provider: providerConfig.tokenUrl,
+                expiresAt: new Date(expiresAt).toISOString(),
+            });
+            return idpTokens;
+        }
+        catch (error) {
+            this.config.logger("[OAuthService] Token refresh error", {
+                error: error instanceof Error ? error.message : String(error),
+                provider: providerConfig.tokenUrl,
+            });
+            return null;
+        }
+    }
+    /**
+     * Refresh token via AgentShield proxy
+     */
+    async refreshTokenProxy(providerConfig, refreshToken) {
+        const proxyUrl = `${this.config.agentShieldApiUrl}/api/v1/oauth/token`;
+        this.config.logger("[OAuthService] Refreshing token via proxy", {
+            proxyUrl,
+            provider: providerConfig.authorizationUrl,
+        });
+        try {
+            const response = await this.config.fetchProvider.fetch(proxyUrl, {
+                method: "POST",
+                headers: {
+                    "Content-Type": "application/json",
+                    Authorization: `Bearer ${this.config.agentShieldApiKey}`,
+                },
+                body: JSON.stringify({
+                    grant_type: "refresh_token",
+                    refresh_token: refreshToken,
+                    provider: providerConfig.authorizationUrl,
+                    project_id: this.config.projectId,
+                }),
+            });
+            if (!response.ok) {
+                this.config.logger("[OAuthService] Proxy token refresh failed", {
+                    status: response.status,
+                    proxyUrl,
+                });
+                return null;
+            }
+            const result = await response.json();
+            const tokens = result.data || result;
+            if (!tokens.access_token) {
+                this.config.logger("[OAuthService] Proxy token refresh response missing access_token");
+                return null;
+            }
+            // Calculate expiration timestamp
+            const expiresIn = tokens.expires_in || 3600; // Default 1 hour
+            const expiresAt = Date.now() + expiresIn * 1000;
+            const idpTokens = {
+                access_token: tokens.access_token,
+                refresh_token: tokens.refresh_token || refreshToken,
+                expires_in: expiresIn,
+                expires_at: expiresAt,
+                token_type: tokens.token_type || "Bearer",
+                scope: tokens.scope,
+            };
+            this.config.logger("[OAuthService] Proxy token refresh successful", {
+                proxyUrl,
+                expiresAt: new Date(expiresAt).toISOString(),
+            });
+            return idpTokens;
+        }
+        catch (error) {
+            this.config.logger("[OAuthService] Proxy token refresh error", {
+                error: error instanceof Error ? error.message : String(error),
+                proxyUrl,
+            });
+            return null;
+        }
+    }
+}
+exports.OAuthService = OAuthService;
+//# sourceMappingURL=oauth-service.js.map

package/dist/services/oauth-service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-service.js","sourceRoot":"","sources":["../../src/services/oauth-service.ts"],"names":[],"mappings":";AAAA;;;;;;;GAOG;;;AA0BH;;GAEG;AACH,MAAa,YAAY;IACf,MAAM,CAEZ;IAEF,YAAY,MAA0B;QACpC,IAAI,CAAC,MAAM,GAAG;YACZ,aAAa,EAAE,MAAM,CAAC,aAAa;YACnC,aAAa,EAAE,MAAM,CAAC,aAAa;YACnC,iBAAiB,EAAE,MAAM,CAAC,iBAAiB;YAC3C,iBAAiB,EAAE,MAAM,CAAC,iBAAiB;YAC3C,SAAS,EAAE,MAAM,CAAC,SAAS;YAC3B,MAAM,EAAE,MAAM,CAAC,MAAM,IAAI,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC;SACpC,CAAC;IACJ,CAAC;IAED;;;;;;;;;;;OAWG;IACH,KAAK,CAAC,aAAa,CACjB,QAAgB,EAChB,IAAY,EACZ,YAAqB,EACrB,WAAoB;QAEpB,wBAAwB;QACxB,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,cAAc,CAChE,IAAI,CAAC,MAAM,CAAC,SAAS,CACtB,CAAC;QACF,MAAM,cAAc,GAAG,WAAW,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;QAEvD,IAAI,CAAC,cAAc,EAAE,CAAC;YACpB,MAAM,IAAI,KAAK,CAAC,aAAa,QAAQ,iCAAiC,IAAI,CAAC,MAAM,CAAC,SAAS,GAAG,CAAC,CAAC;QAClG,CAAC;QAED,2CAA2C;QAC3C,IAAI,cAAc,CAAC,YAAY,IAAI,CAAC,cAAc,CAAC,SAAS,EAAE,CAAC;YAC7D,IAAI,CAAC,YAAY,EAAE,CAAC;gBAClB,MAAM,IAAI,KAAK,CACb,aAAa,QAAQ,kDAAkD,CACxE,CAAC;YACJ,CAAC;YACD,OAAO,IAAI,CAAC,iBAAiB,CAC3B,cAAc,EACd,IAAI,EACJ,YAAY,EACZ,WAAW,IAAI,EAAE,CAClB,CAAC;QACJ,CAAC;QAED,gFAAgF;QAChF,IAAI,cAAc,CAAC,SAAS,EAAE,CAAC;YAC7B,OAAO,IAAI,CAAC,kBAAkB,CAC5B,cAAc,EACd,IAAI,EACJ,YAAY,EACZ,WAAW,IAAI,EAAE,CAClB,CAAC;QACJ,CAAC;QAED,MAAM,IAAI,KAAK,CACb,aAAa,QAAQ,iEAAiE,CACvF,CAAC;IACJ,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,iBAAiB,CAC7B,cAA6B,EAC7B,IAAY,EACZ,YAAoB,EACpB,WAAmB;QAEnB,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,2CAA2C,EAAE;YAC9D,QAAQ,EAAE,cAAc,CAAC,gBAAgB;YACzC,QAAQ,EAAE,cAAc,CAAC,QAAQ;YACjC,eAAe,EAAE,CAAC,CAAC,cAAc,CAAC,YAAY;SAC/C,CAAC,CAAC;QAEH,kCAAkC;QAClC,+DAA+D;QAC/D,0EAA0E;QAC1E,MAAM,MAAM,GAA2B;YACrC,UAAU,EAAE,oBAAoB;YAChC,IAAI;YACJ,YAAY,EAAE,WAAW;YACzB,SAAS,EAAE,cAAc,CAAC,QAAQ;YAClC,aAAa,EAAE,YAAY;SAC5B,CAAC;QAEF,uDAAuD;QACvD,0EAA0E;QAC1E,IAAI,cAAc,CAAC,YAAY,EAAE,CAAC;YAChC,MAAM,CAAC,aAAa,GAAG,cAAc,CAAC,YAAY,CAAC;QACrD,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,KAAK,CAAC,cAAc,CAAC,QAAQ,EAAE;YAC9E,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,cAAc,EAAE,mCAAmC;gBACnD,MAAM,EAAE,kBAAkB;aAC3B;YACD,IAAI,EAAE,IAAI,eAAe,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE;SAC7C,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,eAAe,CAAC,CAAC;YACrE,IAAI,SAAc,CAAC;YACnB,IAAI,CAAC;gBACH,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;YACpC,CAAC;YAAC,MAAM,CAAC;gBACP,SAAS,GAAG,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC;YACnC,CAAC;YAED,MAAM,YAAY,GAChB,SAAS,CAAC,iBAAiB,IAAI,SAAS,CAAC,KAAK,IAAI,SAAS,CAAC;YAE9D,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,sCAAsC,EAAE;gBACzD,MAAM,EAAE,QAAQ,CAAC,MAAM;gBACvB,KAAK,EAAE,YAAY;gBACnB,QAAQ,EAAE,cAAc,CAAC,QAAQ;aAClC,CAAC,CAAC;YAEH,MAAM,IAAI,KAAK,CACb,0BAA0B,YAAY,KAAK,QAAQ,CAAC,MAAM,GAAG,CAC9D,CAAC;QACJ,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,IAAI,EAUjC,CAAC;QAEF,sEAAsE;QACtE,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;YACjB,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,2DAA2D,EAAE;gBAC9E,KAAK,EAAE,MAAM,CAAC,KAAK;gBACnB,gBAAgB,EAAE,MAAM,CAAC,iBAAiB;gBAC1C,QAAQ,EAAE,MAAM,CAAC,SAAS;gBAC1B,QAAQ,EAAE,cAAc,CAAC,QAAQ;gBACjC,YAAY,EAAE,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC;aAClC,CAAC,CAAC;YACH,MAAM,IAAI,KAAK,CACb,0BAA0B,MAAM,CAAC,iBAAiB,IAAI,MAAM,CAAC,KAAK,EAAE,CACrE,CAAC;QACJ,CAAC;QAED,2BAA2B;QAC3B,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE,CAAC;YACzB,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,oDAAoD,EAAE;gBACvE,YAAY,EAAE,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC;gBACjC,QAAQ,EAAE,cAAc,CAAC,QAAQ;aAClC,CAAC,CAAC;YACH,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;QACzD,CAAC;QAED,iCAAiC;QACjC,MAAM,SAAS,GAAG,MAAM,CAAC,UAAU,IAAI,IAAI,CAAC,CAAC,iBAAiB;QAC9D,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,GAAG,IAAI,CAAC;QAEhD,MAAM,SAAS,GAAc;YAC3B,YAAY,EAAE,MAAM,CAAC,YAAY;YACjC,aAAa,EAAE,MAAM,CAAC,aAAa;YACnC,UAAU,EAAE,SAAS;YACrB,UAAU,EAAE,SAAS;YACrB,UAAU,EAAE,MAAM,CAAC,UAAU,IAAI,QAAQ;YACzC,KAAK,EAAE,MAAM,CAAC,KAAK;SACpB,CAAC;QAEF,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,0CAA0C,EAAE;YAC7D,QAAQ,EAAE,cAAc,CAAC,QAAQ;YACjC,SAAS,EAAE,IAAI,IAAI,CAAC,SAAS,CAAC,CAAC,WAAW,EAAE;YAC5C,eAAe,EAAE,CAAC,CAAC,SAAS,CAAC,aAAa;SAC3C,CAAC,CAAC;QAEH,OAAO,SAAS,CAAC;IACnB,CAAC;IAED;;;;;;OAMG;IACK,KAAK,CAAC,kBAAkB,CAC9B,cAA6B,EAC7B,IAAY,EACZ,YAAqB,EACrB,WAAoB;QAEpB,0CAA0C;QAC1C,MAAM,QAAQ,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,iBAAiB,qBAAqB,CAAC;QAEvE,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,2CAA2C,EAAE;YAC9D,QAAQ;YACR,QAAQ,EAAE,cAAc,CAAC,gBAAgB;YACzC,eAAe,EAAE,CAAC,CAAC,YAAY;YAC/B,YAAY,EAAE,cAAc,CAAC,YAAY;SAC1C,CAAC,CAAC;QAEH,oFAAoF;QACpF,MAAM,WAAW,GAA2B;YAC1C,UAAU,EAAE,oBAAoB;YAChC,IAAI;YACJ,YAAY,EAAE,WAAW,IAAI,EAAE;YAC/B,QAAQ,EAAE,cAAc,CAAC,gBAAgB;YACzC,UAAU,EAAE,IAAI,CAAC,MAAM,CAAC,SAAS;SAClC,CAAC;QAEF,gFAAgF;QAChF,IAAI,cAAc,CAAC,YAAY,IAAI,YAAY,EAAE,CAAC;YAChD,WAAW,CAAC,aAAa,GAAG,YAAY,CAAC;QAC3C,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,KAAK,CAAC,QAAQ,EAAE;YAC/D,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,cAAc,EAAE,kBAAkB;gBAClC,aAAa,EAAE,UAAU,IAAI,CAAC,MAAM,CAAC,iBAAiB,EAAE;aACzD;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC;SAClC,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,eAAe,CAAC,CAAC;YACrE,IAAI,SAAc,CAAC;YACnB,IAAI,CAAC;gBACH,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;YACpC,CAAC;YAAC,MAAM,CAAC;gBACP,SAAS,GAAG,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC;YACnC,CAAC;YAED,MAAM,YAAY,GAChB,SAAS,CAAC,iBAAiB,IAAI,SAAS,CAAC,KAAK,IAAI,SAAS,CAAC;YAE9D,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,4CAA4C,EAAE;gBAC/D,MAAM,EAAE,QAAQ,CAAC,MAAM;gBACvB,KAAK,EAAE,YAAY;gBACnB,QAAQ;aACT,CAAC,CAAC;YAEH,MAAM,IAAI,KAAK,CACb,gCAAgC,YAAY,KAAK,QAAQ,CAAC,MAAM,GAAG,CACpE,CAAC;QACJ,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,IAAI,EAajC,CAAC;QACF,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,IAAI,MAAM,CAAC;QAErC,2BAA2B;QAC3B,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE,CAAC;YACzB,MAAM,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAC;QAC/D,CAAC;QAED,iCAAiC;QACjC,MAAM,SAAS,GAAG,MAAM,CAAC,UAAU,IAAI,IAAI,CAAC,CAAC,iBAAiB;QAC9D,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,GAAG,IAAI,CAAC;QAEhD,MAAM,SAAS,GAAc;YAC3B,YAAY,EAAE,MAAM,CAAC,YAAY;YACjC,aAAa,EAAE,MAAM,CAAC,aAAa;YACnC,UAAU,EAAE,SAAS;YACrB,UAAU,EAAE,SAAS;YACrB,UAAU,EAAE,MAAM,CAAC,UAAU,IAAI,QAAQ;YACzC,KAAK,EAAE,MAAM,CAAC,KAAK;SACpB,CAAC;QAEF,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,gDAAgD,EAAE;YACnE,QAAQ;YACR,SAAS,EAAE,IAAI,IAAI,CAAC,SAAS,CAAC,CAAC,WAAW,EAAE;YAC5C,eAAe,EAAE,CAAC,CAAC,SAAS,CAAC,aAAa;SAC3C,CAAC,CAAC;QAEH,OAAO,SAAS,CAAC;IACnB,CAAC;IAED;;;;;;;;;OASG;IACH,KAAK,CAAC,YAAY,CAChB,QAAgB,EAChB,YAAoB;QAEpB,wBAAwB;QACxB,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,cAAc,CAChE,IAAI,CAAC,MAAM,CAAC,SAAS,CACtB,CAAC;QACF,MAAM,cAAc,GAAG,WAAW,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;QAEvD,IAAI,CAAC,cAAc,EAAE,CAAC;YACpB,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,+CAA+C,EAAE;gBAClE,QAAQ;aACT,CAAC,CAAC;YACH,OAAO,IAAI,CAAC;QACd,CAAC;QAED,2DAA2D;QAC3D,IAAI,cAAc,CAAC,YAAY,IAAI,CAAC,cAAc,CAAC,SAAS,EAAE,CAAC;YAC7D,OAAO,IAAI,CAAC,gBAAgB,CAAC,cAAc,EAAE,YAAY,CAAC,CAAC;QAC7D,CAAC;QAED,0CAA0C;QAC1C,IAAI,cAAc,CAAC,SAAS,EAAE,CAAC;YAC7B,OAAO,IAAI,CAAC,iBAAiB,CAAC,cAAc,EAAE,YAAY,CAAC,CAAC;QAC9D,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,gBAAgB,CAC5B,cAA6B,EAC7B,YAAoB;QAEpB,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,2CAA2C,EAAE;YAC9D,QAAQ,EAAE,cAAc,CAAC,QAAQ;SAClC,CAAC,CAAC;QAEH,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,KAAK,CAAC,cAAc,CAAC,QAAQ,EAAE;gBAC9E,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE;oBACP,cAAc,EAAE,mCAAmC;oBACnD,MAAM,EAAE,kBAAkB;iBAC3B;gBACD,IAAI,EAAE,IAAI,eAAe,CAAC;oBACxB,UAAU,EAAE,eAAe;oBAC3B,aAAa,EAAE,YAAY;oBAC3B,SAAS,EAAE,cAAc,CAAC,QAAQ;iBACnC,CAAC,CAAC,QAAQ,EAAE;aACd,CAAC,CAAC;YAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBACjB,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,qCAAqC,EAAE;oBACxD,MAAM,EAAE,QAAQ,CAAC,MAAM;oBACvB,QAAQ,EAAE,cAAc,CAAC,QAAQ;iBAClC,CAAC,CAAC;gBACH,OAAO,IAAI,CAAC;YACd,CAAC;YAED,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,IAAI,EAMjC,CAAC;YAEF,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE,CAAC;gBACzB,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,4DAA4D,CAAC,CAAC;gBACjF,OAAO,IAAI,CAAC;YACd,CAAC;YAED,iCAAiC;YACjC,MAAM,SAAS,GAAG,MAAM,CAAC,UAAU,IAAI,IAAI,CAAC,CAAC,iBAAiB;YAC9D,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,GAAG,IAAI,CAAC;YAEhD,MAAM,SAAS,GAAc;gBAC3B,YAAY,EAAE,MAAM,CAAC,YAAY;gBACjC,aAAa,EAAE,MAAM,CAAC,aAAa,IAAI,YAAY,EAAE,4DAA4D;gBACjH,UAAU,EAAE,SAAS;gBACrB,UAAU,EAAE,SAAS;gBACrB,UAAU,EAAE,MAAM,CAAC,UAAU,IAAI,QAAQ;gBACzC,KAAK,EAAE,MAAM,CAAC,KAAK;aACpB,CAAC;YAEF,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,yCAAyC,EAAE;gBAC5D,QAAQ,EAAE,cAAc,CAAC,QAAQ;gBACjC,SAAS,EAAE,IAAI,IAAI,CAAC,SAAS,CAAC,CAAC,WAAW,EAAE;aAC7C,CAAC,CAAC;YAEH,OAAO,SAAS,CAAC;QACnB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,oCAAoC,EAAE;gBACvD,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;gBAC7D,QAAQ,EAAE,cAAc,CAAC,QAAQ;aAClC,CAAC,CAAC;YACH,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,iBAAiB,CAC7B,cAA6B,EAC7B,YAAoB;QAEpB,MAAM,QAAQ,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,iBAAiB,qBAAqB,CAAC;QAEvE,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,2CAA2C,EAAE;YAC9D,QAAQ;YACR,QAAQ,EAAE,cAAc,CAAC,gBAAgB;SAC1C,CAAC,CAAC;QAEH,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,KAAK,CAAC,QAAQ,EAAE;gBAC/D,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE;oBACP,cAAc,EAAE,kBAAkB;oBAClC,aAAa,EAAE,UAAU,IAAI,CAAC,MAAM,CAAC,iBAAiB,EAAE;iBACzD;gBACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;oBACnB,UAAU,EAAE,eAAe;oBAC3B,aAAa,EAAE,YAAY;oBAC3B,QAAQ,EAAE,cAAc,CAAC,gBAAgB;oBACzC,UAAU,EAAE,IAAI,CAAC,MAAM,CAAC,SAAS;iBAClC,CAAC;aACH,CAAC,CAAC;YAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBACjB,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,2CAA2C,EAAE;oBAC9D,MAAM,EAAE,QAAQ,CAAC,MAAM;oBACvB,QAAQ;iBACT,CAAC,CAAC;gBACH,OAAO,IAAI,CAAC;YACd,CAAC;YAED,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,IAAI,EAajC,CAAC;YACF,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,IAAI,MAAM,CAAC;YAErC,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE,CAAC;gBACzB,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,kEAAkE,CAAC,CAAC;gBACvF,OAAO,IAAI,CAAC;YACd,CAAC;YAED,iCAAiC;YACjC,MAAM,SAAS,GAAG,MAAM,CAAC,UAAU,IAAI,IAAI,CAAC,CAAC,iBAAiB;YAC9D,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,GAAG,IAAI,CAAC;YAEhD,MAAM,SAAS,GAAc;gBAC3B,YAAY,EAAE,MAAM,CAAC,YAAY;gBACjC,aAAa,EAAE,MAAM,CAAC,aAAa,IAAI,YAAY;gBACnD,UAAU,EAAE,SAAS;gBACrB,UAAU,EAAE,SAAS;gBACrB,UAAU,EAAE,MAAM,CAAC,UAAU,IAAI,QAAQ;gBACzC,KAAK,EAAE,MAAM,CAAC,KAAK;aACpB,CAAC;YAEF,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,+CAA+C,EAAE;gBAClE,QAAQ;gBACR,SAAS,EAAE,IAAI,IAAI,CAAC,SAAS,CAAC,CAAC,WAAW,EAAE;aAC7C,CAAC,CAAC;YAEH,OAAO,SAAS,CAAC;QACnB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,0CAA0C,EAAE;gBAC7D,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;gBAC7D,QAAQ;aACT,CAAC,CAAC;YACH,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;CACF;AA1fD,oCA0fC"}

package/dist/services/oauth-token-retrieval.service.d.ts

@@ -0,0 +1,49 @@
+/**
+ * OAuth Token Retrieval Service
+ *
+ * Retrieves OAuth tokens from AgentShield after receiving delegation token.
+ * Implements the two-step token flow for Phase 3 custom IDP support.
+ *
+ * @package @kya-os/mcp-i-core
+ */
+import type { IdpTokens } from "@kya-os/contracts/config";
+/**
+ * Configuration for OAuthTokenRetrievalService
+ */
+export interface OAuthTokenRetrievalServiceConfig {
+    /** AgentShield API base URL */
+    baseUrl: string;
+    /** Fetch implementation */
+    fetchProvider: typeof fetch;
+    /** Optional logger callback */
+    logger?: (message: string, data?: any) => void;
+    /** Optional retry configuration */
+    retryConfig?: {
+        maxRetries?: number;
+        retryDelay?: number;
+        retryBackoff?: number;
+    };
+}
+/**
+ * Service for retrieving OAuth tokens from AgentShield
+ */
+export declare class OAuthTokenRetrievalService {
+    private config;
+    constructor(config: OAuthTokenRetrievalServiceConfig);
+    /**
+     * Retrieve OAuth tokens from AgentShield
+     *
+     * @param delegationId - Delegation ID from token exchange response
+     * @param delegationToken - Delegation token (JWT) for authorization
+     * @returns OAuth tokens mapped to IdpTokens format, or null if unavailable
+     */
+    retrieveTokens(delegationId: string, delegationToken: string): Promise<IdpTokens | null>;
+    /**
+     * Map AgentShield response to IdpTokens format
+     *
+     * @param data - Response data from AgentShield
+     * @returns IdpTokens object
+     */
+    private mapToIdpTokens;
+}
+//# sourceMappingURL=oauth-token-retrieval.service.d.ts.map

package/dist/services/oauth-token-retrieval.service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-token-retrieval.service.d.ts","sourceRoot":"","sources":["../../src/services/oauth-token-retrieval.service.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,0BAA0B,CAAC;AAE1D;;GAEG;AACH,MAAM,WAAW,gCAAgC;IAC/C,+BAA+B;IAC/B,OAAO,EAAE,MAAM,CAAC;IAChB,2BAA2B;IAC3B,aAAa,EAAE,OAAO,KAAK,CAAC;IAC5B,+BAA+B;IAC/B,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,GAAG,KAAK,IAAI,CAAC;IAC/C,mCAAmC;IACnC,WAAW,CAAC,EAAE;QACZ,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,YAAY,CAAC,EAAE,MAAM,CAAC;KACvB,CAAC;CACH;AAiCD;;GAEG;AACH,qBAAa,0BAA0B;IACrC,OAAO,CAAC,MAAM,CAEZ;gBAEU,MAAM,EAAE,gCAAgC;IAmBpD;;;;;;OAMG;IACG,cAAc,CAClB,YAAY,EAAE,MAAM,EACpB,eAAe,EAAE,MAAM,GACtB,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC;IAqH5B;;;;;OAKG;IACH,OAAO,CAAC,cAAc;CAuBvB"}