@lanonasis/oauth-client 1.2.0 → 1.2.2

package/dist/browser.mjs

@@ -0,0 +1,1286 @@
+var __require = /* @__PURE__ */ ((x) => typeof require !== "undefined" ? require : typeof Proxy !== "undefined" ? new Proxy(x, {
+  get: (a, b) => (typeof require !== "undefined" ? require : a)[b]
+}) : x)(function(x) {
+  if (typeof require !== "undefined") return require.apply(this, arguments);
+  throw Error('Dynamic require of "' + x + '" is not supported');
+});
+
+// src/flows/base-flow.ts
+import fetch from "cross-fetch";
+var BaseOAuthFlow = class {
+  constructor(config) {
+    this.clientId = config.clientId;
+    this.authBaseUrl = config.authBaseUrl || "https://auth.lanonasis.com";
+    this.scope = config.scope || "memories:read memories:write memories:delete profile";
+  }
+  async makeTokenRequest(body) {
+    const response = await fetch(`${this.authBaseUrl}/oauth/token`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify(body)
+    });
+    const data = await response.json();
+    if (!response.ok) {
+      throw new Error(data.error_description || "Token request failed");
+    }
+    return data;
+  }
+  generateState() {
+    const array = new Uint8Array(32);
+    if (typeof crypto !== "undefined" && crypto.getRandomValues) {
+      crypto.getRandomValues(array);
+    } else {
+      throw new Error("Secure random generation is not available");
+    }
+    return this.base64URLEncode(array);
+  }
+  base64URLEncode(buffer) {
+    const bytes = buffer instanceof ArrayBuffer ? new Uint8Array(buffer) : buffer;
+    let binary = "";
+    bytes.forEach((byte) => {
+      binary += String.fromCharCode(byte);
+    });
+    const base64 = typeof btoa !== "undefined" ? btoa(binary) : Buffer.from(bytes).toString("base64");
+    return base64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+  }
+  async refreshToken(refreshToken) {
+    return this.makeTokenRequest({
+      grant_type: "refresh_token",
+      refresh_token: refreshToken,
+      client_id: this.clientId
+    });
+  }
+  async revokeToken(token, tokenType = "access_token") {
+    const response = await fetch(`${this.authBaseUrl}/oauth/revoke`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        token,
+        token_type_hint: tokenType,
+        client_id: this.clientId
+      })
+    });
+    if (!response.ok) {
+      throw new Error("Failed to revoke token");
+    }
+  }
+};
+
+// src/flows/desktop-flow.ts
+var DesktopOAuthFlow = class extends BaseOAuthFlow {
+  constructor(config) {
+    super({
+      ...config,
+      clientId: config.clientId || "lanonasis-mcp-desktop"
+    });
+    this.authWindow = null;
+    this.redirectUri = config.redirectUri || "lanonasis://oauth/callback";
+  }
+  async authenticate() {
+    const pkce = await this.generatePKCEChallenge();
+    const state = this.generateState();
+    const authUrl = this.buildAuthorizationUrl(pkce.codeChallenge, state);
+    const authCode = await this.openAuthWindow(authUrl, state);
+    return await this.exchangeCodeForToken(authCode, pkce.codeVerifier);
+  }
+  async generatePKCEChallenge() {
+    const codeVerifier = this.generateCodeVerifier();
+    const codeChallenge = await this.generateCodeChallenge(codeVerifier);
+    return { codeVerifier, codeChallenge };
+  }
+  generateCodeVerifier() {
+    const array = new Uint8Array(32);
+    if (typeof crypto !== "undefined" && crypto.getRandomValues) {
+      crypto.getRandomValues(array);
+    } else {
+      throw new Error("Secure random generation is not available in this environment");
+    }
+    return this.base64URLEncode(array);
+  }
+  async generateCodeChallenge(verifier) {
+    const subtle = typeof crypto !== "undefined" ? crypto.subtle : void 0;
+    if (!subtle) {
+      throw new Error("Web Crypto is required to generate PKCE code challenge");
+    }
+    const encoder = new TextEncoder();
+    const data = encoder.encode(verifier);
+    const hash = await subtle.digest("SHA-256", data);
+    return this.base64URLEncode(hash);
+  }
+  buildAuthorizationUrl(codeChallenge, state) {
+    const params = new URLSearchParams({
+      client_id: this.clientId,
+      response_type: "code",
+      redirect_uri: this.redirectUri,
+      scope: this.scope,
+      code_challenge: codeChallenge,
+      code_challenge_method: "S256",
+      state
+    });
+    return `${this.authBaseUrl}/oauth/authorize?${params}`;
+  }
+  async openAuthWindow(authUrl, expectedState) {
+    return new Promise((resolve, reject) => {
+      if (typeof window !== "undefined") {
+        this.openBrowserWindow(authUrl, expectedState, resolve, reject);
+      } else {
+        this.openElectronWindow(authUrl, expectedState, resolve, reject);
+      }
+    });
+  }
+  openBrowserWindow(authUrl, expectedState, resolve, reject) {
+    const width = 500;
+    const height = 700;
+    const left = (window.screen.width - width) / 2;
+    const top = (window.screen.height - height) / 2;
+    this.authWindow = window.open(
+      authUrl,
+      "Lan Onasis Login",
+      `width=${width},height=${height},left=${left},top=${top},toolbar=no,menubar=no`
+    );
+    if (!this.authWindow) {
+      reject(new Error("Failed to open authentication window"));
+      return;
+    }
+    const checkInterval = setInterval(() => {
+      try {
+        if (!this.authWindow || this.authWindow.closed) {
+          clearInterval(checkInterval);
+          reject(new Error("Authentication window was closed"));
+          return;
+        }
+        const currentUrl = this.authWindow.location.href;
+        if (currentUrl.startsWith(this.redirectUri)) {
+          clearInterval(checkInterval);
+          this.authWindow.close();
+          const url = new URL(currentUrl);
+          const code = url.searchParams.get("code");
+          const state = url.searchParams.get("state");
+          const error = url.searchParams.get("error");
+          if (error) {
+            reject(new Error(url.searchParams.get("error_description") || error));
+          } else if (state !== expectedState) {
+            reject(new Error("State mismatch - possible CSRF attack"));
+          } else if (code) {
+            resolve(code);
+          } else {
+            reject(new Error("No authorization code received"));
+          }
+        }
+      } catch (e) {
+      }
+    }, 500);
+  }
+  openElectronWindow(authUrl, expectedState, resolve, reject) {
+    const { BrowserWindow } = __require("electron");
+    const authWindow = new BrowserWindow({
+      width: 500,
+      height: 700,
+      webPreferences: {
+        nodeIntegration: false,
+        contextIsolation: true
+      }
+    });
+    authWindow.loadURL(authUrl);
+    authWindow.webContents.on("will-redirect", (event, url) => {
+      if (url.startsWith(this.redirectUri)) {
+        event.preventDefault();
+        authWindow.close();
+        const callbackUrl = new URL(url);
+        const code = callbackUrl.searchParams.get("code");
+        const state = callbackUrl.searchParams.get("state");
+        const error = callbackUrl.searchParams.get("error");
+        if (error) {
+          reject(new Error(callbackUrl.searchParams.get("error_description") || error));
+        } else if (state !== expectedState) {
+          reject(new Error("State mismatch"));
+        } else if (code) {
+          resolve(code);
+        }
+      }
+    });
+    authWindow.on("closed", () => {
+      reject(new Error("Authentication window was closed"));
+    });
+  }
+  async exchangeCodeForToken(code, codeVerifier) {
+    return this.makeTokenRequest({
+      grant_type: "authorization_code",
+      code,
+      client_id: this.clientId,
+      redirect_uri: this.redirectUri,
+      code_verifier: codeVerifier
+    });
+  }
+};
+
+// src/client/mcp-client.ts
+import fetch4 from "cross-fetch";
+
+// src/storage/token-storage.ts
+var TokenStorage = class {
+  constructor() {
+    this.storageKey = "lanonasis_mcp_tokens";
+    this.webEncryptionKeyStorage = "lanonasis_web_token_enc_key";
+    if (this.isNode()) {
+      try {
+        this.keytar = __require("keytar");
+      } catch (e) {
+        console.warn("Keytar not available - falling back to file storage");
+      }
+    }
+  }
+  async store(tokens) {
+    const tokensWithTimestamp = {
+      ...tokens,
+      issued_at: Date.now()
+    };
+    const tokenString = JSON.stringify(tokensWithTimestamp);
+    if (this.isNode()) {
+      if (this.keytar) {
+        await this.keytar.setPassword("lanonasis-mcp", "tokens", tokenString);
+      } else {
+        await this.storeToFile(tokenString);
+      }
+    } else if (this.isElectron()) {
+      await window.electronAPI.secureStore.set(this.storageKey, tokensWithTimestamp);
+    } else if (this.isMobile()) {
+      await window.SecureStorage.set(this.storageKey, tokenString);
+    } else {
+      const encrypted = await this.encrypt(tokenString);
+      localStorage.setItem(this.storageKey, encrypted);
+    }
+  }
+  async retrieve() {
+    let tokenString = null;
+    try {
+      if (this.isNode()) {
+        if (this.keytar) {
+          tokenString = await this.keytar.getPassword("lanonasis-mcp", "tokens");
+        }
+        if (!tokenString) {
+          tokenString = await this.retrieveFromFile();
+        }
+      } else if (this.isElectron()) {
+        const tokens = await window.electronAPI.secureStore.get(this.storageKey);
+        return tokens || null;
+      } else if (this.isMobile()) {
+        tokenString = await window.SecureStorage.get(this.storageKey);
+      } else {
+        const encrypted = localStorage.getItem(this.storageKey);
+        if (encrypted) {
+          tokenString = await this.decrypt(encrypted);
+        }
+      }
+      return tokenString ? JSON.parse(tokenString) : null;
+    } catch (error) {
+      console.error("Error retrieving tokens:", error);
+      return null;
+    }
+  }
+  async clear() {
+    if (this.isNode()) {
+      if (this.keytar) {
+        await this.keytar.deletePassword("lanonasis-mcp", "tokens");
+      }
+      await this.deleteFile();
+    } else if (this.isElectron()) {
+      await window.electronAPI.secureStore.delete(this.storageKey);
+    } else if (this.isMobile()) {
+      await window.SecureStorage.remove(this.storageKey);
+    } else {
+      localStorage.removeItem(this.storageKey);
+    }
+  }
+  isTokenExpired(tokens) {
+    if (tokens.token_type === "api-key" || tokens.expires_in === 0) {
+      return false;
+    }
+    if (!tokens.expires_in) return false;
+    if (!tokens.issued_at) {
+      console.warn("Token missing issued_at timestamp, treating as expired");
+      return true;
+    }
+    const expiresAt = tokens.issued_at + tokens.expires_in * 1e3;
+    const now = Date.now();
+    return expiresAt - now < 3e5;
+  }
+  async storeToFile(tokenString) {
+    if (!this.isNode()) return;
+    const fs = __require("fs").promises;
+    const path = __require("path");
+    const os = __require("os");
+    const crypto2 = __require("crypto");
+    const configDir = path.join(os.homedir(), ".lanonasis");
+    const tokenFile = path.join(configDir, "mcp-tokens.enc");
+    await fs.mkdir(configDir, { recursive: true });
+    const key = this.getFileEncryptionKey();
+    const iv = crypto2.randomBytes(16);
+    const cipher = crypto2.createCipheriv("aes-256-gcm", key, iv);
+    let encrypted = cipher.update(tokenString, "utf8", "hex");
+    encrypted += cipher.final("hex");
+    const authTag = cipher.getAuthTag().toString("hex");
+    const data = [iv.toString("hex"), authTag, encrypted].join(":");
+    await fs.writeFile(tokenFile, data, { mode: 384 });
+  }
+  async retrieveFromFile() {
+    if (!this.isNode()) return null;
+    const fs = __require("fs").promises;
+    const path = __require("path");
+    const os = __require("os");
+    const crypto2 = __require("crypto");
+    const tokenFile = path.join(os.homedir(), ".lanonasis", "mcp-tokens.enc");
+    try {
+      const data = await fs.readFile(tokenFile, "utf8");
+      const parts = data.split(":");
+      const key = this.getFileEncryptionKey();
+      if (parts.length === 3) {
+        const [ivHex, authTagHex, encrypted] = parts;
+        const iv = Buffer.from(ivHex, "hex");
+        const authTag = Buffer.from(authTagHex, "hex");
+        const decipher = crypto2.createDecipheriv("aes-256-gcm", key, iv);
+        decipher.setAuthTag(authTag);
+        let decrypted = decipher.update(encrypted, "hex", "utf8");
+        decrypted += decipher.final("utf8");
+        return decrypted;
+      }
+      if (parts.length === 2) {
+        const [ivHex, encrypted] = parts;
+        const iv = Buffer.from(ivHex, "hex");
+        const decipher = crypto2.createDecipheriv("aes-256-cbc", key, iv);
+        let decrypted = decipher.update(encrypted, "hex", "utf8");
+        decrypted += decipher.final("utf8");
+        return decrypted;
+      }
+      throw new Error("Invalid encrypted token format");
+    } catch (error) {
+      return null;
+    }
+  }
+  async deleteFile() {
+    if (!this.isNode()) return;
+    const fs = __require("fs").promises;
+    const path = __require("path");
+    const os = __require("os");
+    const tokenFile = path.join(os.homedir(), ".lanonasis", "mcp-tokens.enc");
+    try {
+      await fs.unlink(tokenFile);
+    } catch (error) {
+    }
+  }
+  getFileEncryptionKey() {
+    const crypto2 = __require("crypto");
+    const os = __require("os");
+    const machineId = os.hostname() + os.userInfo().username;
+    const salt = "lanonasis-mcp-oauth-2024";
+    return crypto2.pbkdf2Sync(machineId, salt, 1e5, 32, "sha256");
+  }
+  async encrypt(text) {
+    if (typeof window === "undefined" || !window.crypto?.subtle) {
+      const encoder2 = new TextEncoder();
+      const data2 = encoder2.encode(text);
+      return this.base64Encode(data2);
+    }
+    const encoder = new TextEncoder();
+    const data = encoder.encode(text);
+    const passphrase = await this.getWebEncryptionKey();
+    const keyMaterial = await window.crypto.subtle.importKey(
+      "raw",
+      encoder.encode(passphrase),
+      "PBKDF2",
+      false,
+      ["deriveBits", "deriveKey"]
+    );
+    const key = await window.crypto.subtle.deriveKey(
+      {
+        name: "PBKDF2",
+        salt: encoder.encode("lanonasis-token-salt"),
+        iterations: 1e5,
+        hash: "SHA-256"
+      },
+      keyMaterial,
+      { name: "AES-GCM", length: 256 },
+      true,
+      ["encrypt", "decrypt"]
+    );
+    const iv = window.crypto.getRandomValues(new Uint8Array(12));
+    const encrypted = await window.crypto.subtle.encrypt(
+      { name: "AES-GCM", iv },
+      key,
+      data
+    );
+    const combined = new Uint8Array(iv.length + encrypted.byteLength);
+    combined.set(iv, 0);
+    combined.set(new Uint8Array(encrypted), iv.length);
+    return this.base64Encode(combined);
+  }
+  async decrypt(encrypted) {
+    if (typeof window === "undefined" || !window.crypto?.subtle) {
+      const bytes2 = this.base64Decode(encrypted);
+      const decoder2 = new TextDecoder();
+      return decoder2.decode(bytes2);
+    }
+    const bytes = this.base64Decode(encrypted);
+    const iv = bytes.slice(0, 12);
+    const data = bytes.slice(12);
+    const encoder = new TextEncoder();
+    const decoder = new TextDecoder();
+    const passphrase = await this.getWebEncryptionKey();
+    const keyMaterial = await window.crypto.subtle.importKey(
+      "raw",
+      encoder.encode(passphrase),
+      "PBKDF2",
+      false,
+      ["deriveBits", "deriveKey"]
+    );
+    const key = await window.crypto.subtle.deriveKey(
+      {
+        name: "PBKDF2",
+        salt: encoder.encode("lanonasis-token-salt"),
+        iterations: 1e5,
+        hash: "SHA-256"
+      },
+      keyMaterial,
+      { name: "AES-GCM", length: 256 },
+      true,
+      ["encrypt", "decrypt"]
+    );
+    const decrypted = await window.crypto.subtle.decrypt(
+      { name: "AES-GCM", iv },
+      key,
+      data
+    );
+    return decoder.decode(decrypted);
+  }
+  isNode() {
+    return !!(typeof process !== "undefined" && process.versions && process.versions.node && !this.isElectron());
+  }
+  isElectron() {
+    return typeof window !== "undefined" && window.electronAPI !== void 0;
+  }
+  isMobile() {
+    return typeof window !== "undefined" && window.SecureStorage !== void 0;
+  }
+  base64Encode(bytes) {
+    if (typeof btoa !== "undefined") {
+      let binary = "";
+      bytes.forEach((b) => {
+        binary += String.fromCharCode(b);
+      });
+      return btoa(binary);
+    }
+    if (typeof Buffer !== "undefined") {
+      return Buffer.from(bytes).toString("base64");
+    }
+    throw new Error("No base64 encoder available");
+  }
+  base64Decode(value) {
+    if (typeof atob !== "undefined") {
+      const binary = atob(value);
+      const bytes = new Uint8Array(binary.length);
+      for (let i = 0; i < binary.length; i++) {
+        bytes[i] = binary.charCodeAt(i);
+      }
+      return bytes;
+    }
+    if (typeof Buffer !== "undefined") {
+      return new Uint8Array(Buffer.from(value, "base64"));
+    }
+    throw new Error("No base64 decoder available");
+  }
+  async getWebEncryptionKey() {
+    const existing = typeof localStorage !== "undefined" ? localStorage.getItem(this.webEncryptionKeyStorage) : null;
+    if (existing) {
+      return existing;
+    }
+    let raw = "";
+    if (typeof window !== "undefined" && window.crypto?.getRandomValues) {
+      const buf = new Uint8Array(32);
+      window.crypto.getRandomValues(buf);
+      raw = Array.from(buf).map((b) => b.toString(16).padStart(2, "0")).join("");
+    } else {
+      const ua = typeof navigator !== "undefined" ? navigator.userAgent : "node";
+      raw = `${ua}-${Math.random().toString(36).slice(2)}-${Date.now()}`;
+    }
+    if (typeof localStorage !== "undefined") {
+      localStorage.setItem(this.webEncryptionKeyStorage, raw);
+    }
+    return raw;
+  }
+};
+
+// src/storage/token-storage-web.ts
+var TokenStorageWeb = class {
+  constructor() {
+    this.storageKey = "lanonasis_mcp_tokens";
+    this.webEncryptionKeyStorage = "lanonasis_web_token_enc_key";
+  }
+  async store(tokens) {
+    const tokensWithTimestamp = {
+      ...tokens,
+      issued_at: Date.now()
+    };
+    const tokenString = JSON.stringify(tokensWithTimestamp);
+    const encrypted = await this.encrypt(tokenString);
+    localStorage.setItem(this.storageKey, encrypted);
+  }
+  async retrieve() {
+    const encrypted = localStorage.getItem(this.storageKey);
+    if (!encrypted) return null;
+    try {
+      const tokenString = await this.decrypt(encrypted);
+      return JSON.parse(tokenString);
+    } catch {
+      return null;
+    }
+  }
+  async clear() {
+    localStorage.removeItem(this.storageKey);
+  }
+  isTokenExpired(tokens) {
+    if (tokens.token_type === "api-key" || tokens.expires_in === 0) return false;
+    if (!tokens.expires_in) return false;
+    if (!tokens.issued_at) return true;
+    const expiresAt = tokens.issued_at + tokens.expires_in * 1e3;
+    return expiresAt - Date.now() < 3e5;
+  }
+  async encrypt(text) {
+    if (typeof window === "undefined" || !window.crypto?.subtle) {
+      const encoder2 = new TextEncoder();
+      return this.base64Encode(encoder2.encode(text));
+    }
+    const encoder = new TextEncoder();
+    const data = encoder.encode(text);
+    const passphrase = await this.getWebEncryptionKey();
+    const keyMaterial = await window.crypto.subtle.importKey(
+      "raw",
+      encoder.encode(passphrase),
+      "PBKDF2",
+      false,
+      ["deriveBits", "deriveKey"]
+    );
+    const key = await window.crypto.subtle.deriveKey(
+      {
+        name: "PBKDF2",
+        salt: encoder.encode("lanonasis-token-salt"),
+        iterations: 1e5,
+        hash: "SHA-256"
+      },
+      keyMaterial,
+      { name: "AES-GCM", length: 256 },
+      true,
+      ["encrypt", "decrypt"]
+    );
+    const iv = window.crypto.getRandomValues(new Uint8Array(12));
+    const encrypted = await window.crypto.subtle.encrypt(
+      { name: "AES-GCM", iv },
+      key,
+      data
+    );
+    const combined = new Uint8Array(iv.length + encrypted.byteLength);
+    combined.set(iv, 0);
+    combined.set(new Uint8Array(encrypted), iv.length);
+    return this.base64Encode(combined);
+  }
+  async decrypt(encrypted) {
+    if (typeof window === "undefined" || !window.crypto?.subtle) {
+      const decoder2 = new TextDecoder();
+      return decoder2.decode(this.base64Decode(encrypted));
+    }
+    const bytes = this.base64Decode(encrypted);
+    const iv = bytes.slice(0, 12);
+    const data = bytes.slice(12);
+    const encoder = new TextEncoder();
+    const decoder = new TextDecoder();
+    const passphrase = await this.getWebEncryptionKey();
+    const keyMaterial = await window.crypto.subtle.importKey(
+      "raw",
+      encoder.encode(passphrase),
+      "PBKDF2",
+      false,
+      ["deriveBits", "deriveKey"]
+    );
+    const key = await window.crypto.subtle.deriveKey(
+      {
+        name: "PBKDF2",
+        salt: encoder.encode("lanonasis-token-salt"),
+        iterations: 1e5,
+        hash: "SHA-256"
+      },
+      keyMaterial,
+      { name: "AES-GCM", length: 256 },
+      true,
+      ["encrypt", "decrypt"]
+    );
+    const decrypted = await window.crypto.subtle.decrypt(
+      { name: "AES-GCM", iv },
+      key,
+      data
+    );
+    return decoder.decode(decrypted);
+  }
+  async getWebEncryptionKey() {
+    const existing = localStorage.getItem(this.webEncryptionKeyStorage);
+    if (existing) return existing;
+    const buf = new Uint8Array(32);
+    if (typeof window !== "undefined" && window.crypto?.getRandomValues) {
+      window.crypto.getRandomValues(buf);
+    }
+    const raw = Array.from(buf).map((b) => b.toString(16).padStart(2, "0")).join("");
+    localStorage.setItem(this.webEncryptionKeyStorage, raw);
+    return raw;
+  }
+  base64Encode(bytes) {
+    let binary = "";
+    bytes.forEach((b) => {
+      binary += String.fromCharCode(b);
+    });
+    return btoa(binary);
+  }
+  base64Decode(value) {
+    const binary = atob(value);
+    const bytes = new Uint8Array(binary.length);
+    for (let i = 0; i < binary.length; i++) {
+      bytes[i] = binary.charCodeAt(i);
+    }
+    return bytes;
+  }
+};
+
+// src/flows/terminal-flow.ts
+import fetch2 from "cross-fetch";
+var TerminalOAuthFlow = class extends BaseOAuthFlow {
+  constructor(config) {
+    super({
+      ...config,
+      clientId: config.clientId || "lanonasis-mcp-cli"
+    });
+    this.pollInterval = 5;
+  }
+  async authenticate() {
+    try {
+      const deviceResponse = await this.requestDeviceCode();
+      this.displayInstructions(deviceResponse);
+      if (deviceResponse.verification_uri_complete) {
+        await this.openBrowser(deviceResponse.verification_uri_complete);
+      }
+      return await this.pollForToken(deviceResponse);
+    } catch (error) {
+      console.error("Authentication failed:", error);
+      throw error;
+    }
+  }
+  async requestDeviceCode() {
+    const response = await fetch2(`${this.authBaseUrl}/oauth/device`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        client_id: this.clientId,
+        scope: this.scope
+      })
+    });
+    if (!response.ok) {
+      const error = await response.json();
+      throw new Error(error.error_description || "Failed to request device code");
+    }
+    const data = await response.json();
+    this.pollInterval = data.interval || 5;
+    return data;
+  }
+  displayInstructions(response) {
+    console.log("\n\u{1F510} Lan Onasis Authentication Required\n");
+    console.log(`Please visit: ${response.verification_uri}`);
+    console.log(`Enter code: ${response.user_code}
+`);
+    console.log("Or press Enter to open your browser automatically...");
+  }
+  async openBrowser(url) {
+    try {
+      const { default: open } = await import("open");
+      await Promise.race([
+        this.waitForEnter(),
+        new Promise((resolve) => setTimeout(resolve, 2e3))
+      ]);
+      console.log("Opening browser...");
+      await open(url);
+    } catch (error) {
+      console.log("Please open the URL manually in your browser.");
+    }
+  }
+  waitForEnter() {
+    return new Promise((resolve) => {
+      if (process.stdin.isTTY) {
+        process.stdin.setRawMode(true);
+        process.stdin.resume();
+        process.stdin.once("data", () => {
+          process.stdin.setRawMode(false);
+          process.stdin.pause();
+          resolve();
+        });
+      } else {
+        resolve();
+      }
+    });
+  }
+  async pollForToken(deviceResponse) {
+    const startTime = Date.now();
+    const expiresAt = startTime + deviceResponse.expires_in * 1e3;
+    console.log("Waiting for authorization...");
+    while (Date.now() < expiresAt) {
+      await new Promise((resolve) => setTimeout(resolve, this.pollInterval * 1e3));
+      try {
+        const token = await this.checkDeviceCode(deviceResponse.device_code);
+        console.log("\u2705 Authorization successful!\n");
+        return token;
+      } catch (error) {
+        if (error.message === "authorization_pending") {
+          process.stdout.write(".");
+        } else if (error.message === "slow_down") {
+          this.pollInterval += 5;
+        } else {
+          throw error;
+        }
+      }
+    }
+    throw new Error("Authorization timeout - please try again");
+  }
+  async checkDeviceCode(deviceCode) {
+    const response = await fetch2(`${this.authBaseUrl}/oauth/token`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        grant_type: "urn:ietf:params:oauth:grant-type:device_code",
+        device_code: deviceCode,
+        client_id: this.clientId
+      })
+    });
+    const data = await response.json();
+    if (!response.ok) {
+      throw new Error(data.error || "Token request failed");
+    }
+    return data;
+  }
+};
+
+// src/flows/apikey-flow.ts
+import fetch3 from "cross-fetch";
+var APIKeyFlow = class extends BaseOAuthFlow {
+  constructor(apiKey, authBaseUrl = "https://mcp.lanonasis.com") {
+    super({
+      clientId: "api-key-client",
+      authBaseUrl
+    });
+    this.apiKey = apiKey;
+  }
+  /**
+   * "Authenticate" by returning the API key as a virtual token
+   * The API key will be used directly in request headers
+   */
+  async authenticate() {
+    if (!this.apiKey || !this.apiKey.startsWith("lano_") && !this.apiKey.startsWith("vx_")) {
+      throw new Error(
+        'Invalid API key format. Must start with "lano_" or "vx_". Please regenerate your API key from the dashboard.'
+      );
+    }
+    if (this.apiKey.startsWith("vx_")) {
+      console.warn(
+        '\u26A0\uFE0F  DEPRECATION WARNING: API keys with "vx_" prefix are deprecated and will stop working soon. Please regenerate your API key from the dashboard to get a "lano_" prefixed key. Support for "vx_" keys will be removed in a future version.'
+      );
+    }
+    return {
+      access_token: this.apiKey,
+      token_type: "api-key",
+      expires_in: 0,
+      // API keys don't expire
+      issued_at: Date.now()
+    };
+  }
+  /**
+   * API keys don't need refresh
+   */
+  async refreshToken(refreshToken) {
+    throw new Error("API keys do not support token refresh");
+  }
+  /**
+   * Optional: Validate API key by making a test request
+   */
+  async validateAPIKey() {
+    try {
+      const response = await fetch3(`${this.config.authBaseUrl}/api/v1/health`, {
+        headers: {
+          "x-api-key": this.apiKey
+        }
+      });
+      return response.ok;
+    } catch (error) {
+      console.error("API key validation failed:", error);
+      return false;
+    }
+  }
+};
+
+// src/client/mcp-client.ts
+var MCPClient = class {
+  constructor(config = {}) {
+    // ← NEW: Track auth mode
+    this.ws = null;
+    this.eventSource = null;
+    this.accessToken = null;
+    this.refreshTimer = null;
+    this.config = {
+      mcpEndpoint: "wss://mcp.lanonasis.com",
+      autoRefresh: true,
+      ...config
+    };
+    const defaultStorage = typeof window !== "undefined" ? new TokenStorageWeb() : new TokenStorage();
+    this.tokenStorage = config.tokenStorage || defaultStorage;
+    this.authMode = config.apiKey ? "apikey" : "oauth";
+    if (this.authMode === "apikey") {
+      this.authFlow = new APIKeyFlow(
+        config.apiKey,
+        config.authBaseUrl || "https://mcp.lanonasis.com"
+      );
+    } else {
+      if (this.isTerminal()) {
+        this.authFlow = new TerminalOAuthFlow(config);
+      } else {
+        this.authFlow = new DesktopOAuthFlow(config);
+      }
+    }
+  }
+  async connect() {
+    try {
+      let tokens = await this.tokenStorage.retrieve();
+      if (this.authMode === "apikey") {
+        if (!tokens) {
+          tokens = await this.authenticate();
+        }
+        this.accessToken = tokens.access_token;
+      } else {
+        if (!tokens || this.tokenStorage.isTokenExpired(tokens)) {
+          if (tokens?.refresh_token) {
+            try {
+              tokens = await this.authFlow.refreshToken(tokens.refresh_token);
+              await this.tokenStorage.store(tokens);
+            } catch (error) {
+              tokens = await this.authenticate();
+            }
+          } else {
+            tokens = await this.authenticate();
+          }
+        }
+        this.accessToken = tokens.access_token;
+        if (this.config.autoRefresh && tokens.expires_in) {
+          this.scheduleTokenRefresh(tokens);
+        }
+      }
+      await this.establishConnection();
+    } catch (error) {
+      console.error("Failed to connect:", error);
+      throw error;
+    }
+  }
+  async authenticate() {
+    console.log("Authenticating with Lan Onasis...");
+    const tokens = await this.authFlow.authenticate();
+    await this.tokenStorage.store(tokens);
+    return tokens;
+  }
+  async ensureAccessToken() {
+    if (this.accessToken) return;
+    const tokens = await this.tokenStorage.retrieve();
+    if (!tokens) {
+      throw new Error("Not authenticated");
+    }
+    if (this.authMode === "apikey") {
+      this.accessToken = tokens.access_token;
+      return;
+    }
+    if (this.tokenStorage.isTokenExpired(tokens)) {
+      if (tokens.refresh_token) {
+        try {
+          const newTokens = await this.authFlow.refreshToken(tokens.refresh_token);
+          await this.tokenStorage.store(newTokens);
+          this.accessToken = newTokens.access_token;
+          return;
+        } catch (error) {
+          console.error("Token refresh failed:", error);
+          throw new Error("Token expired and refresh failed");
+        }
+      } else {
+        throw new Error("Token expired and no refresh token available");
+      }
+    }
+    this.accessToken = tokens.access_token;
+  }
+  scheduleTokenRefresh(tokens) {
+    if (this.refreshTimer) {
+      clearTimeout(this.refreshTimer);
+    }
+    const refreshIn = (tokens.expires_in - 300) * 1e3;
+    this.refreshTimer = setTimeout(async () => {
+      try {
+        if (tokens.refresh_token) {
+          const newTokens = await this.authFlow.refreshToken(tokens.refresh_token);
+          await this.tokenStorage.store(newTokens);
+          this.accessToken = newTokens.access_token;
+          this.scheduleTokenRefresh(newTokens);
+          await this.reconnect();
+        }
+      } catch (error) {
+        console.error("Token refresh failed:", error);
+      }
+    }, refreshIn);
+  }
+  async establishConnection() {
+    const endpoint = this.config.mcpEndpoint;
+    if (endpoint.startsWith("wss://")) {
+      await this.connectWebSocket(endpoint);
+    } else if (endpoint.startsWith("https://")) {
+      await this.connectSSE(endpoint);
+    } else {
+      throw new Error("Invalid MCP endpoint - must be wss:// or https://");
+    }
+  }
+  async connectWebSocket(endpoint) {
+    const wsUrl = new URL(endpoint);
+    wsUrl.pathname = "/ws";
+    if (this.accessToken) {
+      wsUrl.searchParams.set("access_token", this.accessToken);
+    }
+    if (typeof WebSocket !== "undefined") {
+      this.ws = new WebSocket(wsUrl.toString());
+    } else {
+      const { default: WS } = await import("ws");
+      if (this.authMode === "apikey") {
+        this.ws = new WS(wsUrl.toString(), {
+          headers: {
+            "x-api-key": this.accessToken
+          }
+        });
+      } else {
+        this.ws = new WS(wsUrl.toString(), {
+          headers: {
+            "Authorization": `Bearer ${this.accessToken}`
+          }
+        });
+      }
+    }
+    return new Promise((resolve, reject) => {
+      if (!this.ws) {
+        reject(new Error("WebSocket not initialized"));
+        return;
+      }
+      this.ws.onopen = () => {
+        console.log("MCP WebSocket connected");
+        resolve();
+      };
+      this.ws.onerror = (error) => {
+        console.error("WebSocket error:", error);
+        reject(error);
+      };
+      this.ws.onclose = (event) => {
+        console.log("WebSocket closed:", event.code, event.reason);
+        if (event.code !== 1008 && event.code !== 4001) {
+          setTimeout(() => this.reconnect(), 5e3);
+        }
+      };
+      this.ws.onmessage = (event) => {
+        this.handleMessage(event.data);
+      };
+    });
+  }
+  async connectSSE(endpoint) {
+    const sseUrl = new URL(endpoint);
+    sseUrl.pathname = "/sse";
+    if (typeof EventSource !== "undefined") {
+      this.eventSource = new EventSource(sseUrl.toString());
+    } else {
+      const EventSourceModule = await import("eventsource");
+      const ES = EventSourceModule.default || EventSourceModule;
+      if (this.authMode === "apikey") {
+        this.eventSource = new ES(sseUrl.toString(), {
+          headers: {
+            "x-api-key": this.accessToken
+          }
+        });
+      } else {
+        this.eventSource = new ES(sseUrl.toString(), {
+          headers: {
+            "Authorization": `Bearer ${this.accessToken}`
+          }
+        });
+      }
+    }
+    this.eventSource.onopen = () => {
+      console.log("MCP SSE connected");
+    };
+    this.eventSource.onerror = (error) => {
+      console.error("SSE error:", error);
+      setTimeout(() => this.reconnect(), 5e3);
+    };
+    this.eventSource.onmessage = (event) => {
+      this.handleMessage(event.data);
+    };
+  }
+  handleMessage(data) {
+    try {
+      const message = JSON.parse(data);
+      console.log("MCP message:", message);
+    } catch (error) {
+      console.error("Failed to parse message:", error);
+    }
+  }
+  async reconnect() {
+    this.disconnect();
+    await this.establishConnection();
+  }
+  async request(method, params) {
+    await this.ensureAccessToken();
+    if (!this.accessToken) {
+      throw new Error("Not authenticated");
+    }
+    const headers = {
+      "Content-Type": "application/json"
+    };
+    if (this.authMode === "apikey") {
+      headers["x-api-key"] = this.accessToken;
+    } else {
+      headers["Authorization"] = `Bearer ${this.accessToken}`;
+    }
+    const response = await fetch4(`${this.config.mcpEndpoint}/api`, {
+      method: "POST",
+      headers,
+      body: JSON.stringify({
+        jsonrpc: "2.0",
+        id: this.generateId(),
+        method,
+        params
+      })
+    });
+    if (response.status === 401) {
+      if (this.authMode === "apikey") {
+        throw new Error("Invalid API key - please check your credentials");
+      }
+      const tokens = await this.tokenStorage.retrieve();
+      if (tokens?.refresh_token) {
+        const newTokens = await this.authFlow.refreshToken(tokens.refresh_token);
+        await this.tokenStorage.store(newTokens);
+        this.accessToken = newTokens.access_token;
+        return this.request(method, params);
+      } else {
+        await this.connect();
+        return this.request(method, params);
+      }
+    }
+    const result = await response.json();
+    if (result.error) {
+      throw new Error(result.error.message || "Request failed");
+    }
+    return result.result;
+  }
+  disconnect() {
+    if (this.ws) {
+      this.ws.close();
+      this.ws = null;
+    }
+    if (this.eventSource) {
+      this.eventSource.close();
+      this.eventSource = null;
+    }
+    if (this.refreshTimer) {
+      clearTimeout(this.refreshTimer);
+      this.refreshTimer = null;
+    }
+  }
+  async logout() {
+    const tokens = await this.tokenStorage.retrieve();
+    if (tokens) {
+      try {
+        if (tokens.access_token) {
+          await this.authFlow.revokeToken(tokens.access_token, "access_token");
+        }
+        if (tokens.refresh_token) {
+          await this.authFlow.revokeToken(tokens.refresh_token, "refresh_token");
+        }
+      } catch (error) {
+        console.error("Failed to revoke tokens:", error);
+      }
+    }
+    await this.tokenStorage.clear();
+    this.disconnect();
+    this.accessToken = null;
+  }
+  isTerminal() {
+    return !!(typeof process !== "undefined" && process.versions && process.versions.node && !this.isElectron());
+  }
+  isElectron() {
+    return typeof window !== "undefined" && window.electronAPI !== void 0;
+  }
+  generateId() {
+    return `${Date.now()}-${Math.random().toString(36).substr(2, 9)}`;
+  }
+  // MCP-specific methods
+  async createMemory(title, content, options) {
+    return this.request("memory/create", {
+      title,
+      content,
+      ...options
+    });
+  }
+  async searchMemories(query, options) {
+    return this.request("memory/search", {
+      query,
+      ...options
+    });
+  }
+  async getMemory(id) {
+    return this.request("memory/get", { id });
+  }
+  async updateMemory(id, updates) {
+    return this.request("memory/update", {
+      id,
+      ...updates
+    });
+  }
+  async deleteMemory(id) {
+    return this.request("memory/delete", { id });
+  }
+};
+
+// src/storage/api-key-storage-web.ts
+var ApiKeyStorageWeb = class {
+  constructor() {
+    this.storageKey = "lanonasis_api_key";
+    this.webEncryptionKeyStorage = "lanonasis_web_enc_key";
+  }
+  async store(data) {
+    const payload = JSON.stringify({
+      ...data,
+      createdAt: data.createdAt || (/* @__PURE__ */ new Date()).toISOString()
+    });
+    const encrypted = await this.encrypt(payload);
+    localStorage.setItem(this.storageKey, encrypted);
+  }
+  async retrieve() {
+    const encrypted = localStorage.getItem(this.storageKey);
+    if (!encrypted) return null;
+    try {
+      const decrypted = await this.decrypt(encrypted);
+      return JSON.parse(decrypted);
+    } catch {
+      return null;
+    }
+  }
+  async clear() {
+    localStorage.removeItem(this.storageKey);
+  }
+  async encrypt(text) {
+    if (typeof window === "undefined" || !window.crypto?.subtle) {
+      const encoder2 = new TextEncoder();
+      return this.base64Encode(encoder2.encode(text));
+    }
+    const encoder = new TextEncoder();
+    const data = encoder.encode(text);
+    const passphrase = await this.getWebEncryptionKey();
+    const keyMaterial = await window.crypto.subtle.importKey(
+      "raw",
+      encoder.encode(passphrase),
+      "PBKDF2",
+      false,
+      ["deriveBits", "deriveKey"]
+    );
+    const key = await window.crypto.subtle.deriveKey(
+      {
+        name: "PBKDF2",
+        salt: encoder.encode("lanonasis-api-key-salt"),
+        iterations: 1e5,
+        hash: "SHA-256"
+      },
+      keyMaterial,
+      { name: "AES-GCM", length: 256 },
+      true,
+      ["encrypt", "decrypt"]
+    );
+    const iv = window.crypto.getRandomValues(new Uint8Array(12));
+    const encrypted = await window.crypto.subtle.encrypt(
+      { name: "AES-GCM", iv },
+      key,
+      data
+    );
+    const combined = new Uint8Array(iv.length + encrypted.byteLength);
+    combined.set(iv, 0);
+    combined.set(new Uint8Array(encrypted), iv.length);
+    return this.base64Encode(combined);
+  }
+  async decrypt(encrypted) {
+    if (typeof window === "undefined" || !window.crypto?.subtle) {
+      const decoder2 = new TextDecoder();
+      return decoder2.decode(this.base64Decode(encrypted));
+    }
+    const bytes = this.base64Decode(encrypted);
+    const iv = bytes.slice(0, 12);
+    const data = bytes.slice(12);
+    const encoder = new TextEncoder();
+    const decoder = new TextDecoder();
+    const passphrase = await this.getWebEncryptionKey();
+    const keyMaterial = await window.crypto.subtle.importKey(
+      "raw",
+      encoder.encode(passphrase),
+      "PBKDF2",
+      false,
+      ["deriveBits", "deriveKey"]
+    );
+    const key = await window.crypto.subtle.deriveKey(
+      {
+        name: "PBKDF2",
+        salt: encoder.encode("lanonasis-api-key-salt"),
+        iterations: 1e5,
+        hash: "SHA-256"
+      },
+      keyMaterial,
+      { name: "AES-GCM", length: 256 },
+      true,
+      ["encrypt", "decrypt"]
+    );
+    const decrypted = await window.crypto.subtle.decrypt(
+      { name: "AES-GCM", iv },
+      key,
+      data
+    );
+    return decoder.decode(decrypted);
+  }
+  async getWebEncryptionKey() {
+    const existing = localStorage.getItem(this.webEncryptionKeyStorage);
+    if (existing) return existing;
+    const buf = new Uint8Array(32);
+    if (typeof window !== "undefined" && window.crypto?.getRandomValues) {
+      window.crypto.getRandomValues(buf);
+    }
+    const raw = Array.from(buf).map((b) => b.toString(16).padStart(2, "0")).join("");
+    localStorage.setItem(this.webEncryptionKeyStorage, raw);
+    return raw;
+  }
+  base64Encode(bytes) {
+    let binary = "";
+    bytes.forEach((b) => {
+      binary += String.fromCharCode(b);
+    });
+    return btoa(binary);
+  }
+  base64Decode(value) {
+    const binary = atob(value);
+    const bytes = new Uint8Array(binary.length);
+    for (let i = 0; i < binary.length; i++) {
+      bytes[i] = binary.charCodeAt(i);
+    }
+    return bytes;
+  }
+};
+export {
+  ApiKeyStorageWeb,
+  BaseOAuthFlow,
+  DesktopOAuthFlow,
+  MCPClient,
+  TokenStorageWeb
+};