@kya-os/mcp-i-core 1.3.7-canary.0 → 1.3.7-canary.clientinfo.20251126041014
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.turbo/turbo-build.log +4 -0
- package/.turbo/turbo-test$colon$coverage.log +4239 -0
- package/.turbo/turbo-test.log +2973 -0
- package/COMPLIANCE_IMPROVEMENT_REPORT.md +483 -0
- package/Composer 3.md +615 -0
- package/GPT-5.md +1169 -0
- package/OPUS-plan.md +352 -0
- package/PHASE_3_AND_4.1_SUMMARY.md +585 -0
- package/PHASE_3_SUMMARY.md +317 -0
- package/PHASE_4.1.3_SUMMARY.md +428 -0
- package/PHASE_4.1_COMPLETE.md +525 -0
- package/PHASE_4_USER_DID_IDENTITY_LINKING_PLAN.md +1240 -0
- package/SCHEMA_COMPLIANCE_REPORT.md +275 -0
- package/TEST_PLAN.md +571 -0
- package/coverage/coverage-final.json +57 -0
- package/dist/__tests__/utils/mock-providers.d.ts +1 -2
- package/dist/__tests__/utils/mock-providers.d.ts.map +1 -1
- package/dist/__tests__/utils/mock-providers.js.map +1 -1
- package/dist/cache/oauth-config-cache.d.ts +69 -0
- package/dist/cache/oauth-config-cache.d.ts.map +1 -0
- package/dist/cache/oauth-config-cache.js +76 -0
- package/dist/cache/oauth-config-cache.js.map +1 -0
- package/dist/identity/idp-token-resolver.d.ts +53 -0
- package/dist/identity/idp-token-resolver.d.ts.map +1 -0
- package/dist/identity/idp-token-resolver.js +108 -0
- package/dist/identity/idp-token-resolver.js.map +1 -0
- package/dist/identity/idp-token-storage.interface.d.ts +42 -0
- package/dist/identity/idp-token-storage.interface.d.ts.map +1 -0
- package/dist/identity/idp-token-storage.interface.js +12 -0
- package/dist/identity/idp-token-storage.interface.js.map +1 -0
- package/dist/identity/user-did-manager.d.ts +39 -1
- package/dist/identity/user-did-manager.d.ts.map +1 -1
- package/dist/identity/user-did-manager.js +69 -3
- package/dist/identity/user-did-manager.js.map +1 -1
- package/dist/index.d.ts +24 -0
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +43 -1
- package/dist/index.js.map +1 -1
- package/dist/runtime/audit-logger.d.ts +37 -0
- package/dist/runtime/audit-logger.d.ts.map +1 -0
- package/dist/runtime/audit-logger.js +9 -0
- package/dist/runtime/audit-logger.js.map +1 -0
- package/dist/runtime/base.d.ts +19 -2
- package/dist/runtime/base.d.ts.map +1 -1
- package/dist/runtime/base.js +227 -11
- package/dist/runtime/base.js.map +1 -1
- package/dist/services/access-control.service.d.ts.map +1 -1
- package/dist/services/access-control.service.js +199 -15
- package/dist/services/access-control.service.js.map +1 -1
- package/dist/services/authorization/authorization-registry.d.ts +29 -0
- package/dist/services/authorization/authorization-registry.d.ts.map +1 -0
- package/dist/services/authorization/authorization-registry.js +57 -0
- package/dist/services/authorization/authorization-registry.js.map +1 -0
- package/dist/services/authorization/types.d.ts +53 -0
- package/dist/services/authorization/types.d.ts.map +1 -0
- package/dist/services/authorization/types.js +10 -0
- package/dist/services/authorization/types.js.map +1 -0
- package/dist/services/batch-delegation.service.d.ts +53 -0
- package/dist/services/batch-delegation.service.d.ts.map +1 -0
- package/dist/services/batch-delegation.service.js +95 -0
- package/dist/services/batch-delegation.service.js.map +1 -0
- package/dist/services/index.d.ts +2 -0
- package/dist/services/index.d.ts.map +1 -1
- package/dist/services/index.js +4 -1
- package/dist/services/index.js.map +1 -1
- package/dist/services/oauth-config.service.d.ts +53 -0
- package/dist/services/oauth-config.service.d.ts.map +1 -0
- package/dist/services/oauth-config.service.js +141 -0
- package/dist/services/oauth-config.service.js.map +1 -0
- package/dist/services/oauth-provider-registry.d.ts +88 -0
- package/dist/services/oauth-provider-registry.d.ts.map +1 -0
- package/dist/services/oauth-provider-registry.js +128 -0
- package/dist/services/oauth-provider-registry.js.map +1 -0
- package/dist/services/oauth-service.d.ts +77 -0
- package/dist/services/oauth-service.d.ts.map +1 -0
- package/dist/services/oauth-service.js +373 -0
- package/dist/services/oauth-service.js.map +1 -0
- package/dist/services/oauth-token-retrieval.service.d.ts +49 -0
- package/dist/services/oauth-token-retrieval.service.d.ts.map +1 -0
- package/dist/services/oauth-token-retrieval.service.js +150 -0
- package/dist/services/oauth-token-retrieval.service.js.map +1 -0
- package/dist/services/provider-resolver.d.ts +48 -0
- package/dist/services/provider-resolver.d.ts.map +1 -0
- package/dist/services/provider-resolver.js +121 -0
- package/dist/services/provider-resolver.js.map +1 -0
- package/dist/services/provider-validator.d.ts +55 -0
- package/dist/services/provider-validator.d.ts.map +1 -0
- package/dist/services/provider-validator.js +135 -0
- package/dist/services/provider-validator.js.map +1 -0
- package/dist/services/session-registration.service.d.ts +80 -0
- package/dist/services/session-registration.service.d.ts.map +1 -0
- package/dist/services/session-registration.service.js +228 -0
- package/dist/services/session-registration.service.js.map +1 -0
- package/dist/services/tool-context-builder.d.ts +57 -0
- package/dist/services/tool-context-builder.d.ts.map +1 -0
- package/dist/services/tool-context-builder.js +125 -0
- package/dist/services/tool-context-builder.js.map +1 -0
- package/dist/services/tool-protection.service.d.ts +27 -0
- package/dist/services/tool-protection.service.d.ts.map +1 -1
- package/dist/services/tool-protection.service.js +194 -4
- package/dist/services/tool-protection.service.js.map +1 -1
- package/dist/types/oauth-required-error.d.ts +40 -0
- package/dist/types/oauth-required-error.d.ts.map +1 -0
- package/dist/types/oauth-required-error.js +40 -0
- package/dist/types/oauth-required-error.js.map +1 -0
- package/dist/utils/did-helpers.d.ts +33 -0
- package/dist/utils/did-helpers.d.ts.map +1 -1
- package/dist/utils/did-helpers.js +40 -0
- package/dist/utils/did-helpers.js.map +1 -1
- package/dist/utils/index.d.ts +1 -0
- package/dist/utils/index.d.ts.map +1 -1
- package/dist/utils/index.js +1 -0
- package/dist/utils/index.js.map +1 -1
- package/docs/API_REFERENCE.md +1362 -0
- package/docs/COMPLIANCE_MATRIX.md +691 -0
- package/docs/STATUSLIST2021_GUIDE.md +696 -0
- package/docs/W3C_VC_DELEGATION_GUIDE.md +710 -0
- package/package.json +23 -54
- package/scripts/audit-compliance.ts +724 -0
- package/src/__tests__/cache/tool-protection-cache.test.ts +640 -0
- package/src/__tests__/config/provider-runtime-config.test.ts +309 -0
- package/src/__tests__/delegation-e2e.test.ts +690 -0
- package/src/__tests__/identity/user-did-manager.test.ts +213 -0
- package/src/__tests__/index.test.ts +56 -0
- package/src/__tests__/integration/full-flow.test.ts +776 -0
- package/src/__tests__/integration.test.ts +281 -0
- package/src/__tests__/providers/base.test.ts +173 -0
- package/src/__tests__/providers/memory.test.ts +319 -0
- package/src/__tests__/regression/phase2-regression.test.ts +429 -0
- package/src/__tests__/runtime/audit-logger.test.ts +154 -0
- package/src/__tests__/runtime/base-extensions.test.ts +593 -0
- package/src/__tests__/runtime/base.test.ts +869 -0
- package/src/__tests__/runtime/delegation-flow.test.ts +164 -0
- package/src/__tests__/runtime/proof-client-did.test.ts +375 -0
- package/src/__tests__/runtime/route-interception.test.ts +686 -0
- package/src/__tests__/runtime/tool-protection-enforcement.test.ts +908 -0
- package/src/__tests__/services/agentshield-integration.test.ts +784 -0
- package/src/__tests__/services/cache-busting.test.ts +125 -0
- package/src/__tests__/services/oauth-service-pkce.test.ts +556 -0
- package/src/__tests__/services/provider-resolver-edge-cases.test.ts +591 -0
- package/src/__tests__/services/tool-protection-oauth-provider.test.ts +480 -0
- package/src/__tests__/services/tool-protection.service.test.ts +1366 -0
- package/src/__tests__/utils/mock-providers.ts +340 -0
- package/src/cache/oauth-config-cache.d.ts +69 -0
- package/src/cache/oauth-config-cache.d.ts.map +1 -0
- package/src/cache/oauth-config-cache.js.map +1 -0
- package/src/cache/oauth-config-cache.ts +123 -0
- package/src/cache/tool-protection-cache.ts +171 -0
- package/src/compliance/EXAMPLE.md +412 -0
- package/src/compliance/__tests__/schema-verifier.test.ts +797 -0
- package/src/compliance/index.ts +8 -0
- package/src/compliance/schema-registry.ts +460 -0
- package/src/compliance/schema-verifier.ts +708 -0
- package/src/config/__tests__/remote-config.spec.ts +268 -0
- package/src/config/remote-config.ts +174 -0
- package/src/config.ts +309 -0
- package/src/delegation/__tests__/audience-validator.test.ts +112 -0
- package/src/delegation/__tests__/bitstring.test.ts +346 -0
- package/src/delegation/__tests__/cascading-revocation.test.ts +628 -0
- package/src/delegation/__tests__/delegation-graph.test.ts +584 -0
- package/src/delegation/__tests__/utils.test.ts +152 -0
- package/src/delegation/__tests__/vc-issuer.test.ts +442 -0
- package/src/delegation/__tests__/vc-verifier.test.ts +922 -0
- package/src/delegation/audience-validator.ts +52 -0
- package/src/delegation/bitstring.ts +278 -0
- package/src/delegation/cascading-revocation.ts +370 -0
- package/src/delegation/delegation-graph.ts +299 -0
- package/src/delegation/index.ts +14 -0
- package/src/delegation/statuslist-manager.ts +353 -0
- package/src/delegation/storage/__tests__/memory-graph-storage.test.ts +366 -0
- package/src/delegation/storage/__tests__/memory-statuslist-storage.test.ts +228 -0
- package/src/delegation/storage/index.ts +9 -0
- package/src/delegation/storage/memory-graph-storage.ts +178 -0
- package/src/delegation/storage/memory-statuslist-storage.ts +77 -0
- package/src/delegation/utils.ts +42 -0
- package/src/delegation/vc-issuer.ts +232 -0
- package/src/delegation/vc-verifier.ts +568 -0
- package/src/identity/idp-token-resolver.ts +147 -0
- package/src/identity/idp-token-storage.interface.ts +59 -0
- package/src/identity/user-did-manager.ts +370 -0
- package/src/index.ts +271 -0
- package/src/providers/base.d.ts +91 -0
- package/src/providers/base.d.ts.map +1 -0
- package/src/providers/base.js.map +1 -0
- package/src/providers/base.ts +96 -0
- package/src/providers/memory.ts +142 -0
- package/src/runtime/audit-logger.ts +39 -0
- package/src/runtime/base.ts +1329 -0
- package/src/services/__tests__/access-control.integration.test.ts +443 -0
- package/src/services/__tests__/access-control.proof-response-validation.test.ts +578 -0
- package/src/services/__tests__/access-control.service.test.ts +970 -0
- package/src/services/__tests__/batch-delegation.service.test.ts +351 -0
- package/src/services/__tests__/crypto.service.test.ts +531 -0
- package/src/services/__tests__/oauth-provider-registry.test.ts +142 -0
- package/src/services/__tests__/proof-verifier.integration.test.ts +485 -0
- package/src/services/__tests__/proof-verifier.test.ts +489 -0
- package/src/services/__tests__/provider-resolution.integration.test.ts +202 -0
- package/src/services/__tests__/provider-resolver.test.ts +213 -0
- package/src/services/__tests__/storage.service.test.ts +358 -0
- package/src/services/access-control.service.ts +990 -0
- package/src/services/authorization/authorization-registry.ts +66 -0
- package/src/services/authorization/types.ts +71 -0
- package/src/services/batch-delegation.service.ts +137 -0
- package/src/services/crypto.service.ts +302 -0
- package/src/services/errors.ts +76 -0
- package/src/services/index.ts +18 -0
- package/src/services/oauth-config.service.d.ts +53 -0
- package/src/services/oauth-config.service.d.ts.map +1 -0
- package/src/services/oauth-config.service.js.map +1 -0
- package/src/services/oauth-config.service.ts +192 -0
- package/src/services/oauth-provider-registry.d.ts +57 -0
- package/src/services/oauth-provider-registry.d.ts.map +1 -0
- package/src/services/oauth-provider-registry.js.map +1 -0
- package/src/services/oauth-provider-registry.ts +141 -0
- package/src/services/oauth-service.ts +544 -0
- package/src/services/oauth-token-retrieval.service.ts +245 -0
- package/src/services/proof-verifier.ts +478 -0
- package/src/services/provider-resolver.d.ts +48 -0
- package/src/services/provider-resolver.d.ts.map +1 -0
- package/src/services/provider-resolver.js.map +1 -0
- package/src/services/provider-resolver.ts +146 -0
- package/src/services/provider-validator.ts +170 -0
- package/src/services/session-registration.service.ts +317 -0
- package/src/services/storage.service.ts +566 -0
- package/src/services/tool-context-builder.ts +172 -0
- package/src/services/tool-protection.service.ts +982 -0
- package/src/types/oauth-required-error.ts +63 -0
- package/src/types/tool-protection.ts +155 -0
- package/src/utils/__tests__/did-helpers.test.ts +101 -0
- package/src/utils/base64.ts +148 -0
- package/src/utils/cors.ts +83 -0
- package/src/utils/did-helpers.ts +150 -0
- package/src/utils/index.ts +8 -0
- package/src/utils/storage-keys.ts +278 -0
- package/tsconfig.json +21 -0
- package/vitest.config.ts +56 -0
|
@@ -0,0 +1,150 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
/**
|
|
3
|
+
* OAuth Token Retrieval Service
|
|
4
|
+
*
|
|
5
|
+
* Retrieves OAuth tokens from AgentShield after receiving delegation token.
|
|
6
|
+
* Implements the two-step token flow for Phase 3 custom IDP support.
|
|
7
|
+
*
|
|
8
|
+
* @package @kya-os/mcp-i-core
|
|
9
|
+
*/
|
|
10
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
11
|
+
exports.OAuthTokenRetrievalService = void 0;
|
|
12
|
+
/**
|
|
13
|
+
* Service for retrieving OAuth tokens from AgentShield
|
|
14
|
+
*/
|
|
15
|
+
class OAuthTokenRetrievalService {
|
|
16
|
+
config;
|
|
17
|
+
constructor(config) {
|
|
18
|
+
const defaultRetryConfig = {
|
|
19
|
+
maxRetries: 3,
|
|
20
|
+
retryDelay: 1000,
|
|
21
|
+
retryBackoff: 2,
|
|
22
|
+
};
|
|
23
|
+
this.config = {
|
|
24
|
+
...config,
|
|
25
|
+
logger: config.logger || (() => { }),
|
|
26
|
+
retryConfig: {
|
|
27
|
+
...defaultRetryConfig,
|
|
28
|
+
...config.retryConfig,
|
|
29
|
+
},
|
|
30
|
+
};
|
|
31
|
+
}
|
|
32
|
+
/**
|
|
33
|
+
* Retrieve OAuth tokens from AgentShield
|
|
34
|
+
*
|
|
35
|
+
* @param delegationId - Delegation ID from token exchange response
|
|
36
|
+
* @param delegationToken - Delegation token (JWT) for authorization
|
|
37
|
+
* @returns OAuth tokens mapped to IdpTokens format, or null if unavailable
|
|
38
|
+
*/
|
|
39
|
+
async retrieveTokens(delegationId, delegationToken) {
|
|
40
|
+
const endpoint = `${this.config.baseUrl}/api/v1/bouncer/delegations/${delegationId}/tokens`;
|
|
41
|
+
this.config.logger("[OAuthTokenRetrievalService] Retrieving OAuth tokens", {
|
|
42
|
+
delegationId,
|
|
43
|
+
endpoint,
|
|
44
|
+
});
|
|
45
|
+
let lastError = null;
|
|
46
|
+
let attempt = 0;
|
|
47
|
+
// Retry logic for transient failures
|
|
48
|
+
while (attempt <= this.config.retryConfig.maxRetries) {
|
|
49
|
+
try {
|
|
50
|
+
const response = await this.config.fetchProvider(endpoint, {
|
|
51
|
+
method: "GET",
|
|
52
|
+
headers: {
|
|
53
|
+
Authorization: `Bearer ${delegationToken}`,
|
|
54
|
+
Accept: "application/json",
|
|
55
|
+
},
|
|
56
|
+
});
|
|
57
|
+
if (!response.ok) {
|
|
58
|
+
const errorData = await response.json().catch(() => ({}));
|
|
59
|
+
if (response.status === 404 || response.status === 401) {
|
|
60
|
+
// Token unavailable or unauthorized - don't retry
|
|
61
|
+
this.config.logger("[OAuthTokenRetrievalService] Tokens unavailable", {
|
|
62
|
+
status: response.status,
|
|
63
|
+
delegationId,
|
|
64
|
+
error: errorData,
|
|
65
|
+
});
|
|
66
|
+
return null;
|
|
67
|
+
}
|
|
68
|
+
// Transient error - retry
|
|
69
|
+
const errorMessage = errorData.error?.message ||
|
|
70
|
+
errorData.error ||
|
|
71
|
+
errorData.message ||
|
|
72
|
+
`HTTP ${response.status}`;
|
|
73
|
+
throw new Error(`Token retrieval failed: ${errorMessage}`);
|
|
74
|
+
}
|
|
75
|
+
const result = (await response.json());
|
|
76
|
+
if (!result.success) {
|
|
77
|
+
this.config.logger("[OAuthTokenRetrievalService] Token retrieval error response", {
|
|
78
|
+
delegationId,
|
|
79
|
+
error: result.error,
|
|
80
|
+
});
|
|
81
|
+
return null;
|
|
82
|
+
}
|
|
83
|
+
// Map response to IdpTokens format
|
|
84
|
+
const tokens = this.mapToIdpTokens(result.data);
|
|
85
|
+
this.config.logger("[OAuthTokenRetrievalService] OAuth tokens retrieved successfully", {
|
|
86
|
+
delegationId,
|
|
87
|
+
expiresAt: new Date(tokens.expires_at).toISOString(),
|
|
88
|
+
hasRefreshToken: !!tokens.refresh_token,
|
|
89
|
+
});
|
|
90
|
+
return tokens;
|
|
91
|
+
}
|
|
92
|
+
catch (error) {
|
|
93
|
+
lastError = error instanceof Error ? error : new Error(String(error));
|
|
94
|
+
if (attempt < this.config.retryConfig.maxRetries) {
|
|
95
|
+
const delay = this.config.retryConfig.retryDelay *
|
|
96
|
+
Math.pow(this.config.retryConfig.retryBackoff, attempt);
|
|
97
|
+
this.config.logger("[OAuthTokenRetrievalService] Retry attempt failed, retrying", {
|
|
98
|
+
attempt: attempt + 1,
|
|
99
|
+
maxRetries: this.config.retryConfig.maxRetries,
|
|
100
|
+
delay,
|
|
101
|
+
error: lastError.message,
|
|
102
|
+
});
|
|
103
|
+
await new Promise((resolve) => setTimeout(resolve, delay));
|
|
104
|
+
attempt++;
|
|
105
|
+
}
|
|
106
|
+
else {
|
|
107
|
+
// Max retries exceeded
|
|
108
|
+
this.config.logger("[OAuthTokenRetrievalService] Max retries exceeded", {
|
|
109
|
+
delegationId,
|
|
110
|
+
error: lastError.message,
|
|
111
|
+
attempts: attempt + 1,
|
|
112
|
+
});
|
|
113
|
+
// Return null instead of throwing - delegation token still valid
|
|
114
|
+
return null;
|
|
115
|
+
}
|
|
116
|
+
}
|
|
117
|
+
}
|
|
118
|
+
return null;
|
|
119
|
+
}
|
|
120
|
+
/**
|
|
121
|
+
* Map AgentShield response to IdpTokens format
|
|
122
|
+
*
|
|
123
|
+
* @param data - Response data from AgentShield
|
|
124
|
+
* @returns IdpTokens object
|
|
125
|
+
*/
|
|
126
|
+
mapToIdpTokens(data) {
|
|
127
|
+
// Convert ISO 8601 string to milliseconds timestamp
|
|
128
|
+
let expiresAt;
|
|
129
|
+
if (data.oauth_expires_at) {
|
|
130
|
+
expiresAt = new Date(data.oauth_expires_at).getTime();
|
|
131
|
+
}
|
|
132
|
+
else if (data.oauth_expires_in) {
|
|
133
|
+
expiresAt = Date.now() + data.oauth_expires_in * 1000;
|
|
134
|
+
}
|
|
135
|
+
else {
|
|
136
|
+
// Default to 1 hour if neither provided
|
|
137
|
+
expiresAt = Date.now() + 3600 * 1000;
|
|
138
|
+
}
|
|
139
|
+
return {
|
|
140
|
+
access_token: data.oauth_access_token,
|
|
141
|
+
refresh_token: data.oauth_refresh_token || undefined,
|
|
142
|
+
expires_in: data.oauth_expires_in || undefined,
|
|
143
|
+
expires_at: expiresAt,
|
|
144
|
+
token_type: data.oauth_token_type || "Bearer",
|
|
145
|
+
scope: data.oauth_scope || undefined,
|
|
146
|
+
};
|
|
147
|
+
}
|
|
148
|
+
}
|
|
149
|
+
exports.OAuthTokenRetrievalService = OAuthTokenRetrievalService;
|
|
150
|
+
//# sourceMappingURL=oauth-token-retrieval.service.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"oauth-token-retrieval.service.js","sourceRoot":"","sources":["../../src/services/oauth-token-retrieval.service.ts"],"names":[],"mappings":";AAAA;;;;;;;GAOG;;;AAqDH;;GAEG;AACH,MAAa,0BAA0B;IAC7B,MAAM,CAEZ;IAEF,YAAY,MAAwC;QAClD,MAAM,kBAAkB,GAAG;YACzB,UAAU,EAAE,CAAC;YACb,UAAU,EAAE,IAAI;YAChB,YAAY,EAAE,CAAC;SAChB,CAAC;QAEF,IAAI,CAAC,MAAM,GAAG;YACZ,GAAG,MAAM;YACT,MAAM,EAAE,MAAM,CAAC,MAAM,IAAI,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC;YACnC,WAAW,EAAE;gBACX,GAAG,kBAAkB;gBACrB,GAAG,MAAM,CAAC,WAAW;aACtB;SAGF,CAAC;IACJ,CAAC;IAED;;;;;;OAMG;IACH,KAAK,CAAC,cAAc,CAClB,YAAoB,EACpB,eAAuB;QAEvB,MAAM,QAAQ,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,OAAO,+BAA+B,YAAY,SAAS,CAAC;QAE5F,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,sDAAsD,EAAE;YACzE,YAAY;YACZ,QAAQ;SACT,CAAC,CAAC;QAEH,IAAI,SAAS,GAAiB,IAAI,CAAC;QACnC,IAAI,OAAO,GAAG,CAAC,CAAC;QAEhB,qCAAqC;QACrC,OAAO,OAAO,IAAI,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,UAAU,EAAE,CAAC;YACrD,IAAI,CAAC;gBACH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,QAAQ,EAAE;oBACzD,MAAM,EAAE,KAAK;oBACb,OAAO,EAAE;wBACP,aAAa,EAAE,UAAU,eAAe,EAAE;wBAC1C,MAAM,EAAE,kBAAkB;qBAC3B;iBACF,CAAC,CAAC;gBAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;oBACjB,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAEhB,CAAC;oBAEzC,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;wBACvD,kDAAkD;wBAClD,IAAI,CAAC,MAAM,CAAC,MAAM,CAChB,iDAAiD,EACjD;4BACE,MAAM,EAAE,QAAQ,CAAC,MAAM;4BACvB,YAAY;4BACZ,KAAK,EAAE,SAAS;yBACjB,CACF,CAAC;wBACF,OAAO,IAAI,CAAC;oBACd,CAAC;oBAED,0BAA0B;oBAC1B,MAAM,YAAY,GACf,SAA8C,CAAC,KAAK,EAAE,OAAO;wBAC7D,SAAiB,CAAC,KAAK;wBACvB,SAAiB,CAAC,OAAO;wBAC1B,QAAQ,QAAQ,CAAC,MAAM,EAAE,CAAC;oBAE5B,MAAM,IAAI,KAAK,CAAC,2BAA2B,YAAY,EAAE,CAAC,CAAC;gBAC7D,CAAC;gBAED,MAAM,MAAM,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAED,CAAC;gBAErC,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;oBACpB,IAAI,CAAC,MAAM,CAAC,MAAM,CAChB,6DAA6D,EAC7D;wBACE,YAAY;wBACZ,KAAK,EAAE,MAAM,CAAC,KAAK;qBACpB,CACF,CAAC;oBACF,OAAO,IAAI,CAAC;gBACd,CAAC;gBAED,mCAAmC;gBACnC,MAAM,MAAM,GAAG,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;gBAEhD,IAAI,CAAC,MAAM,CAAC,MAAM,CAChB,kEAAkE,EAClE;oBACE,YAAY;oBACZ,SAAS,EAAE,IAAI,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,WAAW,EAAE;oBACpD,eAAe,EAAE,CAAC,CAAC,MAAM,CAAC,aAAa;iBACxC,CACF,CAAC;gBAEF,OAAO,MAAM,CAAC;YAChB,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,SAAS,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;gBAEtE,IAAI,OAAO,GAAG,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,UAAU,EAAE,CAAC;oBACjD,MAAM,KAAK,GACT,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,UAAU;wBAClC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC;oBAE1D,IAAI,CAAC,MAAM,CAAC,MAAM,CAChB,6DAA6D,EAC7D;wBACE,OAAO,EAAE,OAAO,GAAG,CAAC;wBACpB,UAAU,EAAE,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,UAAU;wBAC9C,KAAK;wBACL,KAAK,EAAE,SAAS,CAAC,OAAO;qBACzB,CACF,CAAC;oBAEF,MAAM,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC,CAAC;oBAC3D,OAAO,EAAE,CAAC;gBACZ,CAAC;qBAAM,CAAC;oBACN,uBAAuB;oBACvB,IAAI,CAAC,MAAM,CAAC,MAAM,CAChB,mDAAmD,EACnD;wBACE,YAAY;wBACZ,KAAK,EAAE,SAAS,CAAC,OAAO;wBACxB,QAAQ,EAAE,OAAO,GAAG,CAAC;qBACtB,CACF,CAAC;oBACF,iEAAiE;oBACjE,OAAO,IAAI,CAAC;gBACd,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;;;;OAKG;IACK,cAAc,CACpB,IAAyC;QAEzC,oDAAoD;QACpD,IAAI,SAAiB,CAAC;QACtB,IAAI,IAAI,CAAC,gBAAgB,EAAE,CAAC;YAC1B,SAAS,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC,OAAO,EAAE,CAAC;QACxD,CAAC;aAAM,IAAI,IAAI,CAAC,gBAAgB,EAAE,CAAC;YACjC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,gBAAgB,GAAG,IAAI,CAAC;QACxD,CAAC;aAAM,CAAC;YACN,wCAAwC;YACxC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,GAAG,IAAI,CAAC;QACvC,CAAC;QAED,OAAO;YACL,YAAY,EAAE,IAAI,CAAC,kBAAkB;YACrC,aAAa,EAAE,IAAI,CAAC,mBAAmB,IAAI,SAAS;YACpD,UAAU,EAAE,IAAI,CAAC,gBAAgB,IAAI,SAAS;YAC9C,UAAU,EAAE,SAAS;YACrB,UAAU,EAAE,IAAI,CAAC,gBAAgB,IAAI,QAAQ;YAC7C,KAAK,EAAE,IAAI,CAAC,WAAW,IAAI,SAAS;SACrC,CAAC;IACJ,CAAC;CACF;AApLD,gEAoLC"}
|
|
@@ -0,0 +1,48 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Provider Resolver
|
|
3
|
+
*
|
|
4
|
+
* Resolves OAuth provider for tools using priority-based resolution strategy.
|
|
5
|
+
* Supports Phase 2+ tool-specific providers with backward compatibility for Phase 1.
|
|
6
|
+
*
|
|
7
|
+
* @package @kya-os/mcp-i-core
|
|
8
|
+
*/
|
|
9
|
+
import type { ToolProtection } from "@kya-os/contracts/tool-protection";
|
|
10
|
+
import type { OAuthProviderRegistry } from "./oauth-provider-registry.js";
|
|
11
|
+
import type { OAuthConfigService } from "./oauth-config.service.js";
|
|
12
|
+
/**
|
|
13
|
+
* Resolves OAuth provider for tools with priority-based fallback strategy
|
|
14
|
+
*
|
|
15
|
+
* Priority order:
|
|
16
|
+
* 1. Tool-specific oauthProvider field (Phase 2+ preferred)
|
|
17
|
+
* 2. Scope prefix inference (fallback)
|
|
18
|
+
* 3. Project-configured provider from AgentShield dashboard
|
|
19
|
+
* 4. Error if no provider can be resolved
|
|
20
|
+
*/
|
|
21
|
+
export declare class ProviderResolver {
|
|
22
|
+
private registry;
|
|
23
|
+
private configService;
|
|
24
|
+
constructor(registry: OAuthProviderRegistry, configService: OAuthConfigService);
|
|
25
|
+
/**
|
|
26
|
+
* Resolve OAuth provider for a tool
|
|
27
|
+
*
|
|
28
|
+
* @param toolProtection - Tool protection configuration
|
|
29
|
+
* @param projectId - Project ID for fetching provider config
|
|
30
|
+
* @returns Provider name (never null - throws if cannot resolve)
|
|
31
|
+
* @throws Error if provider cannot be resolved
|
|
32
|
+
*/
|
|
33
|
+
resolveProvider(toolProtection: ToolProtection, projectId: string): Promise<string>;
|
|
34
|
+
/**
|
|
35
|
+
* Infer provider from scope prefixes
|
|
36
|
+
*
|
|
37
|
+
* Used as Priority 2 fallback when oauthProvider is not specified.
|
|
38
|
+
* Examples:
|
|
39
|
+
* - github:repo:read → github
|
|
40
|
+
* - gmail:read → google
|
|
41
|
+
* - microsoft:calendar:read → microsoft
|
|
42
|
+
*
|
|
43
|
+
* @param scopes - Required scopes for the tool
|
|
44
|
+
* @returns Provider name if uniquely inferred, null otherwise
|
|
45
|
+
*/
|
|
46
|
+
private inferProviderFromScopes;
|
|
47
|
+
}
|
|
48
|
+
//# sourceMappingURL=provider-resolver.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"provider-resolver.d.ts","sourceRoot":"","sources":["../../src/services/provider-resolver.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,mCAAmC,CAAC;AACxE,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,8BAA8B,CAAC;AAC1E,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC;AAEpE;;;;;;;;GAQG;AACH,qBAAa,gBAAgB;IAEzB,OAAO,CAAC,QAAQ;IAChB,OAAO,CAAC,aAAa;gBADb,QAAQ,EAAE,qBAAqB,EAC/B,aAAa,EAAE,kBAAkB;IAG3C;;;;;;;OAOG;IACG,eAAe,CACnB,cAAc,EAAE,cAAc,EAC9B,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,MAAM,CAAC;IAyDlB;;;;;;;;;;;OAWG;IACH,OAAO,CAAC,uBAAuB;CAoChC"}
|
|
@@ -0,0 +1,121 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
/**
|
|
3
|
+
* Provider Resolver
|
|
4
|
+
*
|
|
5
|
+
* Resolves OAuth provider for tools using priority-based resolution strategy.
|
|
6
|
+
* Supports Phase 2+ tool-specific providers with backward compatibility for Phase 1.
|
|
7
|
+
*
|
|
8
|
+
* @package @kya-os/mcp-i-core
|
|
9
|
+
*/
|
|
10
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
11
|
+
exports.ProviderResolver = void 0;
|
|
12
|
+
/**
|
|
13
|
+
* Resolves OAuth provider for tools with priority-based fallback strategy
|
|
14
|
+
*
|
|
15
|
+
* Priority order:
|
|
16
|
+
* 1. Tool-specific oauthProvider field (Phase 2+ preferred)
|
|
17
|
+
* 2. Scope prefix inference (fallback)
|
|
18
|
+
* 3. Project-configured provider from AgentShield dashboard
|
|
19
|
+
* 4. Error if no provider can be resolved
|
|
20
|
+
*/
|
|
21
|
+
class ProviderResolver {
|
|
22
|
+
registry;
|
|
23
|
+
configService;
|
|
24
|
+
constructor(registry, configService) {
|
|
25
|
+
this.registry = registry;
|
|
26
|
+
this.configService = configService;
|
|
27
|
+
}
|
|
28
|
+
/**
|
|
29
|
+
* Resolve OAuth provider for a tool
|
|
30
|
+
*
|
|
31
|
+
* @param toolProtection - Tool protection configuration
|
|
32
|
+
* @param projectId - Project ID for fetching provider config
|
|
33
|
+
* @returns Provider name (never null - throws if cannot resolve)
|
|
34
|
+
* @throws Error if provider cannot be resolved
|
|
35
|
+
*/
|
|
36
|
+
async resolveProvider(toolProtection, projectId) {
|
|
37
|
+
// Priority 1: Tool-specific provider (Phase 2+ preferred)
|
|
38
|
+
if (toolProtection.oauthProvider) {
|
|
39
|
+
// Ensure registry is loaded before checking
|
|
40
|
+
if (this.registry.getProviderNames().length === 0) {
|
|
41
|
+
await this.registry.loadFromAgentShield(projectId);
|
|
42
|
+
}
|
|
43
|
+
if (!this.registry.hasProvider(toolProtection.oauthProvider)) {
|
|
44
|
+
throw new Error(`Provider "${toolProtection.oauthProvider}" not configured for project "${projectId}". ` +
|
|
45
|
+
`Add provider in project settings.`);
|
|
46
|
+
}
|
|
47
|
+
return toolProtection.oauthProvider;
|
|
48
|
+
}
|
|
49
|
+
// Priority 2: Scope prefix inference (fallback)
|
|
50
|
+
const inferredProvider = this.inferProviderFromScopes(toolProtection.requiredScopes || []);
|
|
51
|
+
if (inferredProvider) {
|
|
52
|
+
// Ensure registry is loaded before checking
|
|
53
|
+
if (this.registry.getProviderNames().length === 0) {
|
|
54
|
+
await this.registry.loadFromAgentShield(projectId);
|
|
55
|
+
}
|
|
56
|
+
if (this.registry.hasProvider(inferredProvider)) {
|
|
57
|
+
console.log(`[ProviderResolver] Inferred provider "${inferredProvider}" from scopes`);
|
|
58
|
+
return inferredProvider;
|
|
59
|
+
}
|
|
60
|
+
}
|
|
61
|
+
// Priority 3: Use explicitly configured provider from AgentShield dashboard
|
|
62
|
+
// This is the provider the user has actually configured, not just any available provider
|
|
63
|
+
await this.registry.loadFromAgentShield(projectId);
|
|
64
|
+
const configuredProvider = this.registry.getConfiguredProvider();
|
|
65
|
+
if (configuredProvider && this.registry.hasProvider(configuredProvider)) {
|
|
66
|
+
console.warn(`[ProviderResolver] Tool does not specify oauthProvider. ` +
|
|
67
|
+
`Using project-configured provider "${configuredProvider}" as fallback. ` +
|
|
68
|
+
`Consider explicitly setting oauthProvider in tool protection config.`);
|
|
69
|
+
return configuredProvider;
|
|
70
|
+
}
|
|
71
|
+
// Priority 4: Error if no provider is configured
|
|
72
|
+
// NOTE: We intentionally do NOT fall back to "first available provider" anymore
|
|
73
|
+
// because AgentShield returns ALL providers (even unconfigured ones).
|
|
74
|
+
// Only use providers explicitly configured by the user.
|
|
75
|
+
throw new Error(`Tool requires OAuth but no provider is configured for project "${projectId}". ` +
|
|
76
|
+
`Configure an OAuth provider in AgentShield dashboard.`);
|
|
77
|
+
}
|
|
78
|
+
/**
|
|
79
|
+
* Infer provider from scope prefixes
|
|
80
|
+
*
|
|
81
|
+
* Used as Priority 2 fallback when oauthProvider is not specified.
|
|
82
|
+
* Examples:
|
|
83
|
+
* - github:repo:read → github
|
|
84
|
+
* - gmail:read → google
|
|
85
|
+
* - microsoft:calendar:read → microsoft
|
|
86
|
+
*
|
|
87
|
+
* @param scopes - Required scopes for the tool
|
|
88
|
+
* @returns Provider name if uniquely inferred, null otherwise
|
|
89
|
+
*/
|
|
90
|
+
inferProviderFromScopes(scopes) {
|
|
91
|
+
if (!scopes || scopes.length === 0) {
|
|
92
|
+
return null;
|
|
93
|
+
}
|
|
94
|
+
// Extract first part of scope (before first colon)
|
|
95
|
+
const scopePrefixes = scopes.map((scope) => {
|
|
96
|
+
const parts = scope.split(":");
|
|
97
|
+
return parts[0].toLowerCase();
|
|
98
|
+
});
|
|
99
|
+
// Provider mapping
|
|
100
|
+
const providerMap = {
|
|
101
|
+
github: "github",
|
|
102
|
+
google: "google",
|
|
103
|
+
gmail: "google", // gmail:read → google
|
|
104
|
+
calendar: "google", // calendar:read → google (if ambiguous, use project default)
|
|
105
|
+
microsoft: "microsoft",
|
|
106
|
+
outlook: "microsoft",
|
|
107
|
+
slack: "slack",
|
|
108
|
+
auth0: "auth0",
|
|
109
|
+
okta: "okta",
|
|
110
|
+
};
|
|
111
|
+
// Find unique provider
|
|
112
|
+
const providers = new Set(scopePrefixes.map((prefix) => providerMap[prefix]).filter(Boolean));
|
|
113
|
+
if (providers.size === 1) {
|
|
114
|
+
return Array.from(providers)[0];
|
|
115
|
+
}
|
|
116
|
+
// Ambiguous or no prefix → return null (use project-level provider)
|
|
117
|
+
return null;
|
|
118
|
+
}
|
|
119
|
+
}
|
|
120
|
+
exports.ProviderResolver = ProviderResolver;
|
|
121
|
+
//# sourceMappingURL=provider-resolver.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"provider-resolver.js","sourceRoot":"","sources":["../../src/services/provider-resolver.ts"],"names":[],"mappings":";AAAA;;;;;;;GAOG;;;AAMH;;;;;;;;GAQG;AACH,MAAa,gBAAgB;IAEjB;IACA;IAFV,YACU,QAA+B,EAC/B,aAAiC;QADjC,aAAQ,GAAR,QAAQ,CAAuB;QAC/B,kBAAa,GAAb,aAAa,CAAoB;IACxC,CAAC;IAEJ;;;;;;;OAOG;IACH,KAAK,CAAC,eAAe,CACnB,cAA8B,EAC9B,SAAiB;QAEjB,0DAA0D;QAC1D,IAAI,cAAc,CAAC,aAAa,EAAE,CAAC;YACjC,4CAA4C;YAC5C,IAAI,IAAI,CAAC,QAAQ,CAAC,gBAAgB,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAClD,MAAM,IAAI,CAAC,QAAQ,CAAC,mBAAmB,CAAC,SAAS,CAAC,CAAC;YACrD,CAAC;YACD,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,cAAc,CAAC,aAAa,CAAC,EAAE,CAAC;gBAC7D,MAAM,IAAI,KAAK,CACb,aAAa,cAAc,CAAC,aAAa,iCAAiC,SAAS,KAAK;oBACtF,mCAAmC,CACtC,CAAC;YACJ,CAAC;YACD,OAAO,cAAc,CAAC,aAAa,CAAC;QACtC,CAAC;QAED,gDAAgD;QAChD,MAAM,gBAAgB,GAAG,IAAI,CAAC,uBAAuB,CACnD,cAAc,CAAC,cAAc,IAAI,EAAE,CACpC,CAAC;QACF,IAAI,gBAAgB,EAAE,CAAC;YACrB,4CAA4C;YAC5C,IAAI,IAAI,CAAC,QAAQ,CAAC,gBAAgB,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAClD,MAAM,IAAI,CAAC,QAAQ,CAAC,mBAAmB,CAAC,SAAS,CAAC,CAAC;YACrD,CAAC;YACD,IAAI,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,gBAAgB,CAAC,EAAE,CAAC;gBAChD,OAAO,CAAC,GAAG,CACT,yCAAyC,gBAAgB,eAAe,CACzE,CAAC;gBACF,OAAO,gBAAgB,CAAC;YAC1B,CAAC;QACH,CAAC;QAED,4EAA4E;QAC5E,yFAAyF;QACzF,MAAM,IAAI,CAAC,QAAQ,CAAC,mBAAmB,CAAC,SAAS,CAAC,CAAC;QACnD,MAAM,kBAAkB,GAAG,IAAI,CAAC,QAAQ,CAAC,qBAAqB,EAAE,CAAC;QAEjE,IAAI,kBAAkB,IAAI,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,kBAAkB,CAAC,EAAE,CAAC;YACxE,OAAO,CAAC,IAAI,CACV,0DAA0D;gBACxD,sCAAsC,kBAAkB,iBAAiB;gBACzE,sEAAsE,CACzE,CAAC;YACF,OAAO,kBAAkB,CAAC;QAC5B,CAAC;QAED,iDAAiD;QACjD,gFAAgF;QAChF,sEAAsE;QACtE,wDAAwD;QACxD,MAAM,IAAI,KAAK,CACb,kEAAkE,SAAS,KAAK;YAC9E,uDAAuD,CAC1D,CAAC;IACJ,CAAC;IAED;;;;;;;;;;;OAWG;IACK,uBAAuB,CAAC,MAAgB;QAC9C,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACnC,OAAO,IAAI,CAAC;QACd,CAAC;QAED,mDAAmD;QACnD,MAAM,aAAa,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE;YACzC,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAC/B,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;QAChC,CAAC,CAAC,CAAC;QAEH,mBAAmB;QACnB,MAAM,WAAW,GAA2B;YAC1C,MAAM,EAAE,QAAQ;YAChB,MAAM,EAAE,QAAQ;YAChB,KAAK,EAAE,QAAQ,EAAE,sBAAsB;YACvC,QAAQ,EAAE,QAAQ,EAAE,6DAA6D;YACjF,SAAS,EAAE,WAAW;YACtB,OAAO,EAAE,WAAW;YACpB,KAAK,EAAE,OAAO;YACd,KAAK,EAAE,OAAO;YACd,IAAI,EAAE,MAAM;SACb,CAAC;QAEF,uBAAuB;QACvB,MAAM,SAAS,GAAG,IAAI,GAAG,CACvB,aAAa,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CACnE,CAAC;QAEF,IAAI,SAAS,CAAC,IAAI,KAAK,CAAC,EAAE,CAAC;YACzB,OAAO,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC;QAClC,CAAC;QAED,oEAAoE;QACpE,OAAO,IAAI,CAAC;IACd,CAAC;CACF;AA1HD,4CA0HC"}
|
|
@@ -0,0 +1,55 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Provider Validator
|
|
3
|
+
*
|
|
4
|
+
* Validates OAuth provider configurations for custom IDP support.
|
|
5
|
+
* Ensures provider configurations are valid before registration.
|
|
6
|
+
*
|
|
7
|
+
* @package @kya-os/mcp-i-core
|
|
8
|
+
*/
|
|
9
|
+
import type { OAuthProvider } from "@kya-os/contracts/config";
|
|
10
|
+
/**
|
|
11
|
+
* Validation error for provider configuration issues
|
|
12
|
+
*/
|
|
13
|
+
export declare class ProviderValidationError extends Error {
|
|
14
|
+
readonly field?: string | undefined;
|
|
15
|
+
constructor(message: string, field?: string | undefined);
|
|
16
|
+
}
|
|
17
|
+
/**
|
|
18
|
+
* Service for validating OAuth provider configurations
|
|
19
|
+
*/
|
|
20
|
+
export declare class ProviderValidator {
|
|
21
|
+
/**
|
|
22
|
+
* Validate provider configuration
|
|
23
|
+
*
|
|
24
|
+
* @param provider - Provider configuration to validate
|
|
25
|
+
* @param name - Provider name (for error messages)
|
|
26
|
+
* @throws ProviderValidationError if validation fails
|
|
27
|
+
*/
|
|
28
|
+
validate(provider: OAuthProvider, name: string): void;
|
|
29
|
+
/**
|
|
30
|
+
* Validate URL format
|
|
31
|
+
*
|
|
32
|
+
* @param url - URL to validate
|
|
33
|
+
* @param providerName - Provider name (for error messages)
|
|
34
|
+
* @param fieldName - Field name (for error messages)
|
|
35
|
+
* @throws ProviderValidationError if URL is invalid
|
|
36
|
+
*/
|
|
37
|
+
private validateUrl;
|
|
38
|
+
/**
|
|
39
|
+
* Validate custom parameters don't override reserved OAuth parameters
|
|
40
|
+
*
|
|
41
|
+
* @param customParams - Custom parameters to validate
|
|
42
|
+
* @param providerName - Provider name (for error messages)
|
|
43
|
+
* @throws ProviderValidationError if reserved parameter is overridden
|
|
44
|
+
*/
|
|
45
|
+
private validateCustomParams;
|
|
46
|
+
/**
|
|
47
|
+
* Test provider endpoint reachability (optional)
|
|
48
|
+
*
|
|
49
|
+
* @param provider - Provider configuration
|
|
50
|
+
* @param fetchProvider - Fetch implementation
|
|
51
|
+
* @returns True if endpoint is reachable, false otherwise
|
|
52
|
+
*/
|
|
53
|
+
testProvider(provider: OAuthProvider, fetchProvider: typeof fetch): Promise<boolean>;
|
|
54
|
+
}
|
|
55
|
+
//# sourceMappingURL=provider-validator.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"provider-validator.d.ts","sourceRoot":"","sources":["../../src/services/provider-validator.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,0BAA0B,CAAC;AAe9D;;GAEG;AACH,qBAAa,uBAAwB,SAAQ,KAAK;aACH,KAAK,CAAC,EAAE,MAAM;gBAA/C,OAAO,EAAE,MAAM,EAAkB,KAAK,CAAC,EAAE,MAAM,YAAA;CAI5D;AAED;;GAEG;AACH,qBAAa,iBAAiB;IAC5B;;;;;;OAMG;IACH,QAAQ,CAAC,QAAQ,EAAE,aAAa,EAAE,IAAI,EAAE,MAAM,GAAG,IAAI;IA6CrD;;;;;;;OAOG;IACH,OAAO,CAAC,WAAW;IAoBnB;;;;;;OAMG;IACH,OAAO,CAAC,oBAAoB;IAqB5B;;;;;;OAMG;IACG,YAAY,CAChB,QAAQ,EAAE,aAAa,EACvB,aAAa,EAAE,OAAO,KAAK,GAC1B,OAAO,CAAC,OAAO,CAAC;CAYpB"}
|
|
@@ -0,0 +1,135 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
/**
|
|
3
|
+
* Provider Validator
|
|
4
|
+
*
|
|
5
|
+
* Validates OAuth provider configurations for custom IDP support.
|
|
6
|
+
* Ensures provider configurations are valid before registration.
|
|
7
|
+
*
|
|
8
|
+
* @package @kya-os/mcp-i-core
|
|
9
|
+
*/
|
|
10
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
11
|
+
exports.ProviderValidator = exports.ProviderValidationError = void 0;
|
|
12
|
+
/**
|
|
13
|
+
* Reserved OAuth parameters that cannot be overridden by custom parameters
|
|
14
|
+
*/
|
|
15
|
+
const RESERVED_PARAMETERS = [
|
|
16
|
+
"response_type",
|
|
17
|
+
"client_id",
|
|
18
|
+
"redirect_uri",
|
|
19
|
+
"scope",
|
|
20
|
+
"state",
|
|
21
|
+
"code_challenge",
|
|
22
|
+
"code_challenge_method",
|
|
23
|
+
];
|
|
24
|
+
/**
|
|
25
|
+
* Validation error for provider configuration issues
|
|
26
|
+
*/
|
|
27
|
+
class ProviderValidationError extends Error {
|
|
28
|
+
field;
|
|
29
|
+
constructor(message, field) {
|
|
30
|
+
super(message);
|
|
31
|
+
this.field = field;
|
|
32
|
+
this.name = "ProviderValidationError";
|
|
33
|
+
}
|
|
34
|
+
}
|
|
35
|
+
exports.ProviderValidationError = ProviderValidationError;
|
|
36
|
+
/**
|
|
37
|
+
* Service for validating OAuth provider configurations
|
|
38
|
+
*/
|
|
39
|
+
class ProviderValidator {
|
|
40
|
+
/**
|
|
41
|
+
* Validate provider configuration
|
|
42
|
+
*
|
|
43
|
+
* @param provider - Provider configuration to validate
|
|
44
|
+
* @param name - Provider name (for error messages)
|
|
45
|
+
* @throws ProviderValidationError if validation fails
|
|
46
|
+
*/
|
|
47
|
+
validate(provider, name) {
|
|
48
|
+
// Validate required fields
|
|
49
|
+
if (!provider.clientId || provider.clientId.trim().length === 0) {
|
|
50
|
+
throw new ProviderValidationError(`Provider "${name}" must have a clientId`, "clientId");
|
|
51
|
+
}
|
|
52
|
+
if (!provider.authorizationUrl || provider.authorizationUrl.trim().length === 0) {
|
|
53
|
+
throw new ProviderValidationError(`Provider "${name}" must have an authorizationUrl`, "authorizationUrl");
|
|
54
|
+
}
|
|
55
|
+
if (!provider.tokenUrl || provider.tokenUrl.trim().length === 0) {
|
|
56
|
+
throw new ProviderValidationError(`Provider "${name}" must have a tokenUrl`, "tokenUrl");
|
|
57
|
+
}
|
|
58
|
+
// Validate URL formats
|
|
59
|
+
this.validateUrl(provider.authorizationUrl, name, "authorizationUrl");
|
|
60
|
+
this.validateUrl(provider.tokenUrl, name, "tokenUrl");
|
|
61
|
+
if (provider.userInfoUrl) {
|
|
62
|
+
this.validateUrl(provider.userInfoUrl, name, "userInfoUrl");
|
|
63
|
+
}
|
|
64
|
+
// Validate proxy mode requirements
|
|
65
|
+
if (provider.proxyMode && !provider.requiresClientSecret) {
|
|
66
|
+
throw new ProviderValidationError(`Provider "${name}" with proxyMode=true must have requiresClientSecret=true`, "proxyMode");
|
|
67
|
+
}
|
|
68
|
+
// Validate custom parameters don't conflict with reserved parameters
|
|
69
|
+
if (provider.customParams) {
|
|
70
|
+
this.validateCustomParams(provider.customParams, name);
|
|
71
|
+
}
|
|
72
|
+
}
|
|
73
|
+
/**
|
|
74
|
+
* Validate URL format
|
|
75
|
+
*
|
|
76
|
+
* @param url - URL to validate
|
|
77
|
+
* @param providerName - Provider name (for error messages)
|
|
78
|
+
* @param fieldName - Field name (for error messages)
|
|
79
|
+
* @throws ProviderValidationError if URL is invalid
|
|
80
|
+
*/
|
|
81
|
+
validateUrl(url, providerName, fieldName) {
|
|
82
|
+
try {
|
|
83
|
+
const parsedUrl = new URL(url);
|
|
84
|
+
if (parsedUrl.protocol !== "http:" && parsedUrl.protocol !== "https:") {
|
|
85
|
+
throw new ProviderValidationError(`Provider "${providerName}" ${fieldName} must use HTTP or HTTPS protocol`, fieldName);
|
|
86
|
+
}
|
|
87
|
+
}
|
|
88
|
+
catch (error) {
|
|
89
|
+
if (error instanceof ProviderValidationError) {
|
|
90
|
+
throw error;
|
|
91
|
+
}
|
|
92
|
+
throw new ProviderValidationError(`Provider "${providerName}" ${fieldName} is not a valid URL: ${error instanceof Error ? error.message : String(error)}`, fieldName);
|
|
93
|
+
}
|
|
94
|
+
}
|
|
95
|
+
/**
|
|
96
|
+
* Validate custom parameters don't override reserved OAuth parameters
|
|
97
|
+
*
|
|
98
|
+
* @param customParams - Custom parameters to validate
|
|
99
|
+
* @param providerName - Provider name (for error messages)
|
|
100
|
+
* @throws ProviderValidationError if reserved parameter is overridden
|
|
101
|
+
*/
|
|
102
|
+
validateCustomParams(customParams, providerName) {
|
|
103
|
+
for (const [key, value] of Object.entries(customParams)) {
|
|
104
|
+
const normalizedKey = key.toLowerCase();
|
|
105
|
+
if (RESERVED_PARAMETERS.includes(normalizedKey)) {
|
|
106
|
+
throw new ProviderValidationError(`Provider "${providerName}" custom parameter "${key}" conflicts with reserved OAuth parameter. Reserved parameters: ${RESERVED_PARAMETERS.join(", ")}`, `customParams.${key}`);
|
|
107
|
+
}
|
|
108
|
+
if (!value || value.trim().length === 0) {
|
|
109
|
+
throw new ProviderValidationError(`Provider "${providerName}" custom parameter "${key}" has empty value`, `customParams.${key}`);
|
|
110
|
+
}
|
|
111
|
+
}
|
|
112
|
+
}
|
|
113
|
+
/**
|
|
114
|
+
* Test provider endpoint reachability (optional)
|
|
115
|
+
*
|
|
116
|
+
* @param provider - Provider configuration
|
|
117
|
+
* @param fetchProvider - Fetch implementation
|
|
118
|
+
* @returns True if endpoint is reachable, false otherwise
|
|
119
|
+
*/
|
|
120
|
+
async testProvider(provider, fetchProvider) {
|
|
121
|
+
try {
|
|
122
|
+
// Test authorization URL (HEAD request to avoid triggering OAuth flow)
|
|
123
|
+
const authResponse = await fetchProvider(provider.authorizationUrl, {
|
|
124
|
+
method: "HEAD",
|
|
125
|
+
signal: AbortSignal.timeout(5000), // 5 second timeout
|
|
126
|
+
});
|
|
127
|
+
return authResponse.ok || authResponse.status === 405; // 405 Method Not Allowed is OK
|
|
128
|
+
}
|
|
129
|
+
catch (error) {
|
|
130
|
+
return false;
|
|
131
|
+
}
|
|
132
|
+
}
|
|
133
|
+
}
|
|
134
|
+
exports.ProviderValidator = ProviderValidator;
|
|
135
|
+
//# sourceMappingURL=provider-validator.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"provider-validator.js","sourceRoot":"","sources":["../../src/services/provider-validator.ts"],"names":[],"mappings":";AAAA;;;;;;;GAOG;;;AAIH;;GAEG;AACH,MAAM,mBAAmB,GAAG;IAC1B,eAAe;IACf,WAAW;IACX,cAAc;IACd,OAAO;IACP,OAAO;IACP,gBAAgB;IAChB,uBAAuB;CACf,CAAC;AAEX;;GAEG;AACH,MAAa,uBAAwB,SAAQ,KAAK;IACH;IAA7C,YAAY,OAAe,EAAkB,KAAc;QACzD,KAAK,CAAC,OAAO,CAAC,CAAC;QAD4B,UAAK,GAAL,KAAK,CAAS;QAEzD,IAAI,CAAC,IAAI,GAAG,yBAAyB,CAAC;IACxC,CAAC;CACF;AALD,0DAKC;AAED;;GAEG;AACH,MAAa,iBAAiB;IAC5B;;;;;;OAMG;IACH,QAAQ,CAAC,QAAuB,EAAE,IAAY;QAC5C,2BAA2B;QAC3B,IAAI,CAAC,QAAQ,CAAC,QAAQ,IAAI,QAAQ,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAChE,MAAM,IAAI,uBAAuB,CAC/B,aAAa,IAAI,wBAAwB,EACzC,UAAU,CACX,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,QAAQ,CAAC,gBAAgB,IAAI,QAAQ,CAAC,gBAAgB,CAAC,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAChF,MAAM,IAAI,uBAAuB,CAC/B,aAAa,IAAI,iCAAiC,EAClD,kBAAkB,CACnB,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,QAAQ,CAAC,QAAQ,IAAI,QAAQ,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAChE,MAAM,IAAI,uBAAuB,CAC/B,aAAa,IAAI,wBAAwB,EACzC,UAAU,CACX,CAAC;QACJ,CAAC;QAED,uBAAuB;QACvB,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,gBAAgB,EAAE,IAAI,EAAE,kBAAkB,CAAC,CAAC;QACtE,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,QAAQ,EAAE,IAAI,EAAE,UAAU,CAAC,CAAC;QAEtD,IAAI,QAAQ,CAAC,WAAW,EAAE,CAAC;YACzB,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,WAAW,EAAE,IAAI,EAAE,aAAa,CAAC,CAAC;QAC9D,CAAC;QAED,mCAAmC;QACnC,IAAI,QAAQ,CAAC,SAAS,IAAI,CAAC,QAAQ,CAAC,oBAAoB,EAAE,CAAC;YACzD,MAAM,IAAI,uBAAuB,CAC/B,aAAa,IAAI,2DAA2D,EAC5E,WAAW,CACZ,CAAC;QACJ,CAAC;QAED,qEAAqE;QACrE,IAAI,QAAQ,CAAC,YAAY,EAAE,CAAC;YAC1B,IAAI,CAAC,oBAAoB,CAAC,QAAQ,CAAC,YAAY,EAAE,IAAI,CAAC,CAAC;QACzD,CAAC;IACH,CAAC;IAED;;;;;;;OAOG;IACK,WAAW,CAAC,GAAW,EAAE,YAAoB,EAAE,SAAiB;QACtE,IAAI,CAAC;YACH,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;YAC/B,IAAI,SAAS,CAAC,QAAQ,KAAK,OAAO,IAAI,SAAS,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;gBACtE,MAAM,IAAI,uBAAuB,CAC/B,aAAa,YAAY,KAAK,SAAS,kCAAkC,EACzE,SAAS,CACV,CAAC;YACJ,CAAC;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,KAAK,YAAY,uBAAuB,EAAE,CAAC;gBAC7C,MAAM,KAAK,CAAC;YACd,CAAC;YACD,MAAM,IAAI,uBAAuB,CAC/B,aAAa,YAAY,KAAK,SAAS,wBAAwB,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,EACvH,SAAS,CACV,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;;;;;OAMG;IACK,oBAAoB,CAC1B,YAAoC,EACpC,YAAoB;QAEpB,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,EAAE,CAAC;YACxD,MAAM,aAAa,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC;YACxC,IAAI,mBAAmB,CAAC,QAAQ,CAAC,aAAoB,CAAC,EAAE,CAAC;gBACvD,MAAM,IAAI,uBAAuB,CAC/B,aAAa,YAAY,uBAAuB,GAAG,mEAAmE,mBAAmB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,EACtJ,gBAAgB,GAAG,EAAE,CACtB,CAAC;YACJ,CAAC;YACD,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACxC,MAAM,IAAI,uBAAuB,CAC/B,aAAa,YAAY,uBAAuB,GAAG,mBAAmB,EACtE,gBAAgB,GAAG,EAAE,CACtB,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAED;;;;;;OAMG;IACH,KAAK,CAAC,YAAY,CAChB,QAAuB,EACvB,aAA2B;QAE3B,IAAI,CAAC;YACH,uEAAuE;YACvE,MAAM,YAAY,GAAG,MAAM,aAAa,CAAC,QAAQ,CAAC,gBAAgB,EAAE;gBAClE,MAAM,EAAE,MAAM;gBACd,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,mBAAmB;aACvD,CAAC,CAAC;YACH,OAAO,YAAY,CAAC,EAAE,IAAI,YAAY,CAAC,MAAM,KAAK,GAAG,CAAC,CAAC,+BAA+B;QACxF,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;CACF;AAnID,8CAmIC"}
|
|
@@ -0,0 +1,80 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Session Registration Service
|
|
3
|
+
*
|
|
4
|
+
* Registers MCP sessions with the AgentShield dashboard, enabling
|
|
5
|
+
* visibility into which MCP clients are connecting to agents.
|
|
6
|
+
*
|
|
7
|
+
* This is a fire-and-forget service - session registration should not
|
|
8
|
+
* block tool execution or affect the user experience.
|
|
9
|
+
*
|
|
10
|
+
* @package @kya-os/mcp-i-core
|
|
11
|
+
*/
|
|
12
|
+
import type { RegisterSessionRequest } from "@kya-os/contracts/agentshield-api";
|
|
13
|
+
import type { FetchProvider } from "../providers/base.js";
|
|
14
|
+
/**
|
|
15
|
+
* Configuration for the session registration service
|
|
16
|
+
*/
|
|
17
|
+
export interface SessionRegistrationServiceConfig {
|
|
18
|
+
/** Base URL for the AgentShield API (e.g., "https://kya.vouched.id") */
|
|
19
|
+
baseUrl: string;
|
|
20
|
+
/** API key for authentication */
|
|
21
|
+
apiKey: string;
|
|
22
|
+
/** Fetch provider for making HTTP requests (platform-agnostic) */
|
|
23
|
+
fetchProvider: FetchProvider;
|
|
24
|
+
/** Optional logger callback for diagnostics */
|
|
25
|
+
logger?: (message: string, data?: unknown) => void;
|
|
26
|
+
/** Timeout in milliseconds for the registration request (default: 5000) */
|
|
27
|
+
timeoutMs?: number;
|
|
28
|
+
}
|
|
29
|
+
/**
|
|
30
|
+
* Result of a session registration attempt
|
|
31
|
+
*/
|
|
32
|
+
export interface SessionRegistrationResult {
|
|
33
|
+
/** Whether registration was successful */
|
|
34
|
+
success: boolean;
|
|
35
|
+
/** Session ID that was registered */
|
|
36
|
+
sessionId: string;
|
|
37
|
+
/** Error message if registration failed */
|
|
38
|
+
error?: string;
|
|
39
|
+
}
|
|
40
|
+
/**
|
|
41
|
+
* Session Registration Service
|
|
42
|
+
*
|
|
43
|
+
* Registers MCP sessions with AgentShield for dashboard visibility.
|
|
44
|
+
* Designed to be non-blocking - failures are logged but don't throw.
|
|
45
|
+
*/
|
|
46
|
+
export declare class SessionRegistrationService {
|
|
47
|
+
private config;
|
|
48
|
+
constructor(config: SessionRegistrationServiceConfig);
|
|
49
|
+
/**
|
|
50
|
+
* Register a session with AgentShield
|
|
51
|
+
*
|
|
52
|
+
* This is a fire-and-forget operation. Failures are logged but don't throw.
|
|
53
|
+
* The method returns quickly and doesn't block the caller.
|
|
54
|
+
*
|
|
55
|
+
* @param request - Session registration request data
|
|
56
|
+
* @returns Result indicating success or failure
|
|
57
|
+
*/
|
|
58
|
+
registerSession(request: RegisterSessionRequest): Promise<SessionRegistrationResult>;
|
|
59
|
+
/**
|
|
60
|
+
* Fire-and-forget session registration
|
|
61
|
+
*
|
|
62
|
+
* Starts registration in the background without waiting for completion.
|
|
63
|
+
* Useful when you want to register a session but not delay the response.
|
|
64
|
+
*
|
|
65
|
+
* @param request - Session registration request data
|
|
66
|
+
*/
|
|
67
|
+
registerSessionAsync(request: RegisterSessionRequest): void;
|
|
68
|
+
}
|
|
69
|
+
/**
|
|
70
|
+
* Create a session registration service from common runtime config
|
|
71
|
+
*
|
|
72
|
+
* Helper function to create the service from typical environment config.
|
|
73
|
+
*/
|
|
74
|
+
export declare function createSessionRegistrationService(options: {
|
|
75
|
+
apiUrl: string;
|
|
76
|
+
apiKey: string;
|
|
77
|
+
fetchProvider: FetchProvider;
|
|
78
|
+
logger?: (message: string, data?: unknown) => void;
|
|
79
|
+
}): SessionRegistrationService | null;
|
|
80
|
+
//# sourceMappingURL=session-registration.service.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"session-registration.service.d.ts","sourceRoot":"","sources":["../../src/services/session-registration.service.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,EACV,sBAAsB,EAEvB,MAAM,mCAAmC,CAAC;AAM3C,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAE1D;;GAEG;AACH,MAAM,WAAW,gCAAgC;IAC/C,wEAAwE;IACxE,OAAO,EAAE,MAAM,CAAC;IAEhB,iCAAiC;IACjC,MAAM,EAAE,MAAM,CAAC;IAEf,kEAAkE;IAClE,aAAa,EAAE,aAAa,CAAC;IAE7B,+CAA+C;IAC/C,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,OAAO,KAAK,IAAI,CAAC;IAEnD,2EAA2E;IAC3E,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED;;GAEG;AACH,MAAM,WAAW,yBAAyB;IACxC,0CAA0C;IAC1C,OAAO,EAAE,OAAO,CAAC;IACjB,qCAAqC;IACrC,SAAS,EAAE,MAAM,CAAC;IAClB,2CAA2C;IAC3C,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED;;;;;GAKG;AACH,qBAAa,0BAA0B;IACrC,OAAO,CAAC,MAAM,CAKZ;gBAEU,MAAM,EAAE,gCAAgC;IAUpD;;;;;;;;OAQG;IACG,eAAe,CACnB,OAAO,EAAE,sBAAsB,GAC9B,OAAO,CAAC,yBAAyB,CAAC;IA6KrC;;;;;;;OAOG;IACH,oBAAoB,CAAC,OAAO,EAAE,sBAAsB,GAAG,IAAI;CAc5D;AAED;;;;GAIG;AACH,wBAAgB,gCAAgC,CAAC,OAAO,EAAE;IACxD,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,aAAa,EAAE,aAAa,CAAC;IAC7B,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,OAAO,KAAK,IAAI,CAAC;CACpD,GAAG,0BAA0B,GAAG,IAAI,CAmBpC"}
|