@lanonasis/oauth-client 1.2.0 → 1.2.2

package/dist/index.cjs

@@ -31,23 +31,29 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 var index_exports = {};
 __export(index_exports, {
   ApiKeyStorage: () => ApiKeyStorage,
+  ApiKeyStorageWeb: () => ApiKeyStorageWeb,
   BaseOAuthFlow: () => BaseOAuthFlow,
   DesktopOAuthFlow: () => DesktopOAuthFlow,
   MCPClient: () => MCPClient,
   TerminalOAuthFlow: () => TerminalOAuthFlow,
-  TokenStorage: () => TokenStorage
+  TokenStorage: () => TokenStorage,
+  TokenStorageWeb: () => TokenStorageWeb
 });
 module.exports = __toCommonJS(index_exports);
 
+// src/flows/terminal-flow.ts
+var import_cross_fetch2 = __toESM(require("cross-fetch"), 1);
+
 // src/flows/base-flow.ts
+var import_cross_fetch = __toESM(require("cross-fetch"), 1);
 var BaseOAuthFlow = class {
   constructor(config) {
     this.clientId = config.clientId;
     this.authBaseUrl = config.authBaseUrl || "https://auth.lanonasis.com";
-    this.scope = config.scope || "mcp:read mcp:write api_keys:manage";
+    this.scope = config.scope || "memories:read memories:write memories:delete profile";
   }
   async makeTokenRequest(body) {
-    const response = await fetch(`${this.authBaseUrl}/oauth/token`, {
+    const response = await (0, import_cross_fetch.default)(`${this.authBaseUrl}/oauth/token`, {
       method: "POST",
       headers: { "Content-Type": "application/json" },
       body: JSON.stringify(body)
@@ -60,11 +66,10 @@ var BaseOAuthFlow = class {
   }
   generateState() {
     const array = new Uint8Array(32);
-    if (typeof window !== "undefined" && window.crypto) {
-      window.crypto.getRandomValues(array);
+    if (typeof crypto !== "undefined" && crypto.getRandomValues) {
+      crypto.getRandomValues(array);
     } else {
-      const crypto = require("crypto");
-      crypto.randomFillSync(array);
+      throw new Error("Secure random generation is not available");
     }
     return this.base64URLEncode(array);
   }
@@ -74,7 +79,8 @@ var BaseOAuthFlow = class {
     bytes.forEach((byte) => {
       binary += String.fromCharCode(byte);
     });
-    return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+    const base64 = typeof btoa !== "undefined" ? btoa(binary) : Buffer.from(bytes).toString("base64");
+    return base64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
   }
   async refreshToken(refreshToken) {
     return this.makeTokenRequest({
@@ -84,7 +90,7 @@ var BaseOAuthFlow = class {
     });
   }
   async revokeToken(token, tokenType = "access_token") {
-    const response = await fetch(`${this.authBaseUrl}/oauth/revoke`, {
+    const response = await (0, import_cross_fetch.default)(`${this.authBaseUrl}/oauth/revoke`, {
       method: "POST",
       headers: { "Content-Type": "application/json" },
       body: JSON.stringify({
@@ -100,7 +106,6 @@ var BaseOAuthFlow = class {
 };
 
 // src/flows/terminal-flow.ts
-var import_open = __toESM(require("open"), 1);
 var TerminalOAuthFlow = class extends BaseOAuthFlow {
   constructor(config) {
     super({
@@ -123,7 +128,7 @@ var TerminalOAuthFlow = class extends BaseOAuthFlow {
     }
   }
   async requestDeviceCode() {
-    const response = await fetch(`${this.authBaseUrl}/oauth/device`, {
+    const response = await (0, import_cross_fetch2.default)(`${this.authBaseUrl}/oauth/device`, {
       method: "POST",
       headers: { "Content-Type": "application/json" },
       body: JSON.stringify({
@@ -148,12 +153,13 @@ var TerminalOAuthFlow = class extends BaseOAuthFlow {
   }
   async openBrowser(url) {
     try {
+      const { default: open } = await import("open");
       await Promise.race([
         this.waitForEnter(),
         new Promise((resolve) => setTimeout(resolve, 2e3))
       ]);
       console.log("Opening browser...");
-      await (0, import_open.default)(url);
+      await open(url);
     } catch (error) {
       console.log("Please open the URL manually in your browser.");
     }
@@ -196,7 +202,7 @@ var TerminalOAuthFlow = class extends BaseOAuthFlow {
     throw new Error("Authorization timeout - please try again");
   }
   async checkDeviceCode(deviceCode) {
-    const response = await fetch(`${this.authBaseUrl}/oauth/token`, {
+    const response = await (0, import_cross_fetch2.default)(`${this.authBaseUrl}/oauth/token`, {
       method: "POST",
       headers: { "Content-Type": "application/json" },
       body: JSON.stringify({
@@ -237,25 +243,22 @@ var DesktopOAuthFlow = class extends BaseOAuthFlow {
   }
   generateCodeVerifier() {
     const array = new Uint8Array(32);
-    if (typeof window !== "undefined" && window.crypto) {
-      window.crypto.getRandomValues(array);
+    if (typeof crypto !== "undefined" && crypto.getRandomValues) {
+      crypto.getRandomValues(array);
     } else {
-      const crypto = require("crypto");
-      crypto.randomFillSync(array);
+      throw new Error("Secure random generation is not available in this environment");
     }
     return this.base64URLEncode(array);
   }
   async generateCodeChallenge(verifier) {
-    if (typeof window !== "undefined" && window.crypto?.subtle) {
-      const encoder = new TextEncoder();
-      const data = encoder.encode(verifier);
-      const hash = await window.crypto.subtle.digest("SHA-256", data);
-      return this.base64URLEncode(hash);
-    } else {
-      const crypto = require("crypto");
-      const hash = crypto.createHash("sha256").update(verifier).digest();
-      return this.base64URLEncode(hash);
+    const subtle = typeof crypto !== "undefined" ? crypto.subtle : void 0;
+    if (!subtle) {
+      throw new Error("Web Crypto is required to generate PKCE code challenge");
     }
+    const encoder = new TextEncoder();
+    const data = encoder.encode(verifier);
+    const hash = await subtle.digest("SHA-256", data);
+    return this.base64URLEncode(hash);
   }
   buildAuthorizationUrl(codeChallenge, state) {
     const params = new URLSearchParams({
@@ -457,13 +460,13 @@ var TokenStorage = class {
     const fs = require("fs").promises;
     const path = require("path");
     const os = require("os");
-    const crypto = require("crypto");
+    const crypto2 = require("crypto");
     const configDir = path.join(os.homedir(), ".lanonasis");
     const tokenFile = path.join(configDir, "mcp-tokens.enc");
     await fs.mkdir(configDir, { recursive: true });
     const key = this.getFileEncryptionKey();
-    const iv = crypto.randomBytes(16);
-    const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
+    const iv = crypto2.randomBytes(16);
+    const cipher = crypto2.createCipheriv("aes-256-gcm", key, iv);
     let encrypted = cipher.update(tokenString, "utf8", "hex");
     encrypted += cipher.final("hex");
     const authTag = cipher.getAuthTag().toString("hex");
@@ -475,7 +478,7 @@ var TokenStorage = class {
     const fs = require("fs").promises;
     const path = require("path");
     const os = require("os");
-    const crypto = require("crypto");
+    const crypto2 = require("crypto");
     const tokenFile = path.join(os.homedir(), ".lanonasis", "mcp-tokens.enc");
     try {
       const data = await fs.readFile(tokenFile, "utf8");
@@ -485,7 +488,7 @@ var TokenStorage = class {
         const [ivHex, authTagHex, encrypted] = parts;
         const iv = Buffer.from(ivHex, "hex");
         const authTag = Buffer.from(authTagHex, "hex");
-        const decipher = crypto.createDecipheriv("aes-256-gcm", key, iv);
+        const decipher = crypto2.createDecipheriv("aes-256-gcm", key, iv);
         decipher.setAuthTag(authTag);
         let decrypted = decipher.update(encrypted, "hex", "utf8");
         decrypted += decipher.final("utf8");
@@ -494,7 +497,7 @@ var TokenStorage = class {
       if (parts.length === 2) {
         const [ivHex, encrypted] = parts;
         const iv = Buffer.from(ivHex, "hex");
-        const decipher = crypto.createDecipheriv("aes-256-cbc", key, iv);
+        const decipher = crypto2.createDecipheriv("aes-256-cbc", key, iv);
         let decrypted = decipher.update(encrypted, "hex", "utf8");
         decrypted += decipher.final("utf8");
         return decrypted;
@@ -516,17 +519,17 @@ var TokenStorage = class {
     }
   }
   getFileEncryptionKey() {
-    const crypto = require("crypto");
+    const crypto2 = require("crypto");
     const os = require("os");
     const machineId = os.hostname() + os.userInfo().username;
     const salt = "lanonasis-mcp-oauth-2024";
-    return crypto.pbkdf2Sync(machineId, salt, 1e5, 32, "sha256");
+    return crypto2.pbkdf2Sync(machineId, salt, 1e5, 32, "sha256");
   }
   async encrypt(text) {
     if (typeof window === "undefined" || !window.crypto?.subtle) {
       const encoder2 = new TextEncoder();
       const data2 = encoder2.encode(text);
-      return btoa(String.fromCharCode(...data2));
+      return this.base64Encode(data2);
     }
     const encoder = new TextEncoder();
     const data = encoder.encode(text);
@@ -559,23 +562,15 @@ var TokenStorage = class {
     const combined = new Uint8Array(iv.length + encrypted.byteLength);
     combined.set(iv, 0);
     combined.set(new Uint8Array(encrypted), iv.length);
-    return btoa(String.fromCharCode(...combined));
+    return this.base64Encode(combined);
   }
   async decrypt(encrypted) {
     if (typeof window === "undefined" || !window.crypto?.subtle) {
-      const binary2 = atob(encrypted);
-      const bytes2 = new Uint8Array(binary2.length);
-      for (let i = 0; i < binary2.length; i++) {
-        bytes2[i] = binary2.charCodeAt(i);
-      }
+      const bytes2 = this.base64Decode(encrypted);
       const decoder2 = new TextDecoder();
       return decoder2.decode(bytes2);
     }
-    const binary = atob(encrypted);
-    const bytes = new Uint8Array(binary.length);
-    for (let i = 0; i < binary.length; i++) {
-      bytes[i] = binary.charCodeAt(i);
-    }
+    const bytes = this.base64Decode(encrypted);
     const iv = bytes.slice(0, 12);
     const data = bytes.slice(12);
     const encoder = new TextEncoder();
@@ -616,6 +611,33 @@ var TokenStorage = class {
   isMobile() {
     return typeof window !== "undefined" && window.SecureStorage !== void 0;
   }
+  base64Encode(bytes) {
+    if (typeof btoa !== "undefined") {
+      let binary = "";
+      bytes.forEach((b) => {
+        binary += String.fromCharCode(b);
+      });
+      return btoa(binary);
+    }
+    if (typeof Buffer !== "undefined") {
+      return Buffer.from(bytes).toString("base64");
+    }
+    throw new Error("No base64 encoder available");
+  }
+  base64Decode(value) {
+    if (typeof atob !== "undefined") {
+      const binary = atob(value);
+      const bytes = new Uint8Array(binary.length);
+      for (let i = 0; i < binary.length; i++) {
+        bytes[i] = binary.charCodeAt(i);
+      }
+      return bytes;
+    }
+    if (typeof Buffer !== "undefined") {
+      return new Uint8Array(Buffer.from(value, "base64"));
+    }
+    throw new Error("No base64 decoder available");
+  }
   async getWebEncryptionKey() {
     const existing = typeof localStorage !== "undefined" ? localStorage.getItem(this.webEncryptionKeyStorage) : null;
     if (existing) {
@@ -627,7 +649,8 @@ var TokenStorage = class {
       window.crypto.getRandomValues(buf);
       raw = Array.from(buf).map((b) => b.toString(16).padStart(2, "0")).join("");
     } else {
-      raw = `${navigator.userAgent}-${Math.random().toString(36).slice(2)}-${Date.now()}`;
+      const ua = typeof navigator !== "undefined" ? navigator.userAgent : "node";
+      raw = `${ua}-${Math.random().toString(36).slice(2)}-${Date.now()}`;
     }
     if (typeof localStorage !== "undefined") {
       localStorage.setItem(this.webEncryptionKeyStorage, raw);
@@ -839,13 +862,13 @@ var ApiKeyStorage = class {
     const fs = require("fs").promises;
     const path = require("path");
     const os = require("os");
-    const crypto = require("crypto");
+    const crypto2 = require("crypto");
     const configDir = path.join(os.homedir(), ".lanonasis");
     const keyFile = path.join(configDir, "api-key.enc");
     await fs.mkdir(configDir, { recursive: true, mode: 448 });
     const key = this.getFileEncryptionKey();
-    const iv = crypto.randomBytes(16);
-    const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
+    const iv = crypto2.randomBytes(16);
+    const cipher = crypto2.createCipheriv("aes-256-gcm", key, iv);
     let encrypted = cipher.update(keyString, "utf8", "hex");
     encrypted += cipher.final("hex");
     const authTag = cipher.getAuthTag();
@@ -857,7 +880,7 @@ var ApiKeyStorage = class {
     const fs = require("fs").promises;
     const path = require("path");
     const os = require("os");
-    const crypto = require("crypto");
+    const crypto2 = require("crypto");
     const keyFile = path.join(os.homedir(), ".lanonasis", "api-key.enc");
     try {
       const data = await fs.readFile(keyFile, "utf8");
@@ -868,7 +891,7 @@ var ApiKeyStorage = class {
       const key = this.getFileEncryptionKey();
       const iv = Buffer.from(ivHex, "hex");
       const authTag = Buffer.from(authTagHex, "hex");
-      const decipher = crypto.createDecipheriv("aes-256-gcm", key, iv);
+      const decipher = crypto2.createDecipheriv("aes-256-gcm", key, iv);
       decipher.setAuthTag(authTag);
       let decrypted = decipher.update(encrypted, "hex", "utf8");
       decrypted += decipher.final("utf8");
@@ -912,18 +935,18 @@ var ApiKeyStorage = class {
     }
   }
   getFileEncryptionKey() {
-    const crypto = require("crypto");
+    const crypto2 = require("crypto");
     const os = require("os");
     const machineId = os.hostname() + os.userInfo().username;
     const salt = "lanonasis-mcp-api-key-2024";
-    return crypto.pbkdf2Sync(machineId, salt, 1e5, 32, "sha256");
+    return crypto2.pbkdf2Sync(machineId, salt, 1e5, 32, "sha256");
   }
   // ==================== Web Encryption ====================
   async encrypt(text) {
     if (typeof window === "undefined" || !window.crypto || !window.crypto.subtle) {
       const encoder = new TextEncoder();
       const data = encoder.encode(text);
-      return btoa(String.fromCharCode(...data));
+      return this.base64Encode(data);
     }
     try {
       const encoder = new TextEncoder();
@@ -962,16 +985,12 @@ var ApiKeyStorage = class {
       console.error("Web encryption failed:", error);
       const encoder = new TextEncoder();
       const data = encoder.encode(text);
-      return btoa(String.fromCharCode(...data));
+      return this.base64Encode(data);
     }
   }
   async decrypt(encrypted) {
     if (typeof window === "undefined" || !window.crypto || !window.crypto.subtle) {
-      const binary = atob(encrypted);
-      const bytes = new Uint8Array(binary.length);
-      for (let i = 0; i < binary.length; i++) {
-        bytes[i] = binary.charCodeAt(i);
-      }
+      const bytes = this.base64Decode(encrypted);
       const decoder = new TextDecoder();
       return decoder.decode(bytes);
     }
@@ -1013,11 +1032,7 @@ var ApiKeyStorage = class {
       return decoder.decode(decrypted);
     } catch (error) {
       console.error("Web decryption failed:", error);
-      const binary = atob(encrypted);
-      const bytes = new Uint8Array(binary.length);
-      for (let i = 0; i < binary.length; i++) {
-        bytes[i] = binary.charCodeAt(i);
-      }
+      const bytes = this.base64Decode(encrypted);
       const decoder = new TextDecoder();
       return decoder.decode(bytes);
     }
@@ -1033,7 +1048,8 @@ var ApiKeyStorage = class {
       window.crypto.getRandomValues(buf);
       raw = Array.from(buf).map((b) => b.toString(16).padStart(2, "0")).join("");
     } else {
-      raw = `${navigator.userAgent}-${Math.random().toString(36).slice(2)}-${Date.now()}`;
+      const ua = typeof navigator !== "undefined" ? navigator.userAgent : "node";
+      raw = `${ua}-${Math.random().toString(36).slice(2)}-${Date.now()}`;
     }
     if (typeof localStorage !== "undefined") {
       localStorage.setItem(this.webEncryptionKeyStorage, raw);
@@ -1050,6 +1066,33 @@ var ApiKeyStorage = class {
   isMobile() {
     return typeof window !== "undefined" && window.SecureStorage !== void 0;
   }
+  base64Encode(bytes) {
+    if (typeof btoa !== "undefined") {
+      let binary = "";
+      bytes.forEach((b) => {
+        binary += String.fromCharCode(b);
+      });
+      return btoa(binary);
+    }
+    if (typeof Buffer !== "undefined") {
+      return Buffer.from(bytes).toString("base64");
+    }
+    throw new Error("No base64 encoder available");
+  }
+  base64Decode(value) {
+    if (typeof atob !== "undefined") {
+      const binary = atob(value);
+      const bytes = new Uint8Array(binary.length);
+      for (let i = 0; i < binary.length; i++) {
+        bytes[i] = binary.charCodeAt(i);
+      }
+      return bytes;
+    }
+    if (typeof Buffer !== "undefined") {
+      return new Uint8Array(Buffer.from(value, "base64"));
+    }
+    throw new Error("No base64 decoder available");
+  }
   /**
    * Normalize API keys to a SHA-256 hex digest.
    * Accepts pre-hashed input and lowercases it to prevent double hashing.
@@ -1074,7 +1117,279 @@ var ApiKeyStorage = class {
   }
 };
 
+// src/storage/token-storage-web.ts
+var TokenStorageWeb = class {
+  constructor() {
+    this.storageKey = "lanonasis_mcp_tokens";
+    this.webEncryptionKeyStorage = "lanonasis_web_token_enc_key";
+  }
+  async store(tokens) {
+    const tokensWithTimestamp = {
+      ...tokens,
+      issued_at: Date.now()
+    };
+    const tokenString = JSON.stringify(tokensWithTimestamp);
+    const encrypted = await this.encrypt(tokenString);
+    localStorage.setItem(this.storageKey, encrypted);
+  }
+  async retrieve() {
+    const encrypted = localStorage.getItem(this.storageKey);
+    if (!encrypted) return null;
+    try {
+      const tokenString = await this.decrypt(encrypted);
+      return JSON.parse(tokenString);
+    } catch {
+      return null;
+    }
+  }
+  async clear() {
+    localStorage.removeItem(this.storageKey);
+  }
+  isTokenExpired(tokens) {
+    if (tokens.token_type === "api-key" || tokens.expires_in === 0) return false;
+    if (!tokens.expires_in) return false;
+    if (!tokens.issued_at) return true;
+    const expiresAt = tokens.issued_at + tokens.expires_in * 1e3;
+    return expiresAt - Date.now() < 3e5;
+  }
+  async encrypt(text) {
+    if (typeof window === "undefined" || !window.crypto?.subtle) {
+      const encoder2 = new TextEncoder();
+      return this.base64Encode(encoder2.encode(text));
+    }
+    const encoder = new TextEncoder();
+    const data = encoder.encode(text);
+    const passphrase = await this.getWebEncryptionKey();
+    const keyMaterial = await window.crypto.subtle.importKey(
+      "raw",
+      encoder.encode(passphrase),
+      "PBKDF2",
+      false,
+      ["deriveBits", "deriveKey"]
+    );
+    const key = await window.crypto.subtle.deriveKey(
+      {
+        name: "PBKDF2",
+        salt: encoder.encode("lanonasis-token-salt"),
+        iterations: 1e5,
+        hash: "SHA-256"
+      },
+      keyMaterial,
+      { name: "AES-GCM", length: 256 },
+      true,
+      ["encrypt", "decrypt"]
+    );
+    const iv = window.crypto.getRandomValues(new Uint8Array(12));
+    const encrypted = await window.crypto.subtle.encrypt(
+      { name: "AES-GCM", iv },
+      key,
+      data
+    );
+    const combined = new Uint8Array(iv.length + encrypted.byteLength);
+    combined.set(iv, 0);
+    combined.set(new Uint8Array(encrypted), iv.length);
+    return this.base64Encode(combined);
+  }
+  async decrypt(encrypted) {
+    if (typeof window === "undefined" || !window.crypto?.subtle) {
+      const decoder2 = new TextDecoder();
+      return decoder2.decode(this.base64Decode(encrypted));
+    }
+    const bytes = this.base64Decode(encrypted);
+    const iv = bytes.slice(0, 12);
+    const data = bytes.slice(12);
+    const encoder = new TextEncoder();
+    const decoder = new TextDecoder();
+    const passphrase = await this.getWebEncryptionKey();
+    const keyMaterial = await window.crypto.subtle.importKey(
+      "raw",
+      encoder.encode(passphrase),
+      "PBKDF2",
+      false,
+      ["deriveBits", "deriveKey"]
+    );
+    const key = await window.crypto.subtle.deriveKey(
+      {
+        name: "PBKDF2",
+        salt: encoder.encode("lanonasis-token-salt"),
+        iterations: 1e5,
+        hash: "SHA-256"
+      },
+      keyMaterial,
+      { name: "AES-GCM", length: 256 },
+      true,
+      ["encrypt", "decrypt"]
+    );
+    const decrypted = await window.crypto.subtle.decrypt(
+      { name: "AES-GCM", iv },
+      key,
+      data
+    );
+    return decoder.decode(decrypted);
+  }
+  async getWebEncryptionKey() {
+    const existing = localStorage.getItem(this.webEncryptionKeyStorage);
+    if (existing) return existing;
+    const buf = new Uint8Array(32);
+    if (typeof window !== "undefined" && window.crypto?.getRandomValues) {
+      window.crypto.getRandomValues(buf);
+    }
+    const raw = Array.from(buf).map((b) => b.toString(16).padStart(2, "0")).join("");
+    localStorage.setItem(this.webEncryptionKeyStorage, raw);
+    return raw;
+  }
+  base64Encode(bytes) {
+    let binary = "";
+    bytes.forEach((b) => {
+      binary += String.fromCharCode(b);
+    });
+    return btoa(binary);
+  }
+  base64Decode(value) {
+    const binary = atob(value);
+    const bytes = new Uint8Array(binary.length);
+    for (let i = 0; i < binary.length; i++) {
+      bytes[i] = binary.charCodeAt(i);
+    }
+    return bytes;
+  }
+};
+
+// src/storage/api-key-storage-web.ts
+var ApiKeyStorageWeb = class {
+  constructor() {
+    this.storageKey = "lanonasis_api_key";
+    this.webEncryptionKeyStorage = "lanonasis_web_enc_key";
+  }
+  async store(data) {
+    const payload = JSON.stringify({
+      ...data,
+      createdAt: data.createdAt || (/* @__PURE__ */ new Date()).toISOString()
+    });
+    const encrypted = await this.encrypt(payload);
+    localStorage.setItem(this.storageKey, encrypted);
+  }
+  async retrieve() {
+    const encrypted = localStorage.getItem(this.storageKey);
+    if (!encrypted) return null;
+    try {
+      const decrypted = await this.decrypt(encrypted);
+      return JSON.parse(decrypted);
+    } catch {
+      return null;
+    }
+  }
+  async clear() {
+    localStorage.removeItem(this.storageKey);
+  }
+  async encrypt(text) {
+    if (typeof window === "undefined" || !window.crypto?.subtle) {
+      const encoder2 = new TextEncoder();
+      return this.base64Encode(encoder2.encode(text));
+    }
+    const encoder = new TextEncoder();
+    const data = encoder.encode(text);
+    const passphrase = await this.getWebEncryptionKey();
+    const keyMaterial = await window.crypto.subtle.importKey(
+      "raw",
+      encoder.encode(passphrase),
+      "PBKDF2",
+      false,
+      ["deriveBits", "deriveKey"]
+    );
+    const key = await window.crypto.subtle.deriveKey(
+      {
+        name: "PBKDF2",
+        salt: encoder.encode("lanonasis-api-key-salt"),
+        iterations: 1e5,
+        hash: "SHA-256"
+      },
+      keyMaterial,
+      { name: "AES-GCM", length: 256 },
+      true,
+      ["encrypt", "decrypt"]
+    );
+    const iv = window.crypto.getRandomValues(new Uint8Array(12));
+    const encrypted = await window.crypto.subtle.encrypt(
+      { name: "AES-GCM", iv },
+      key,
+      data
+    );
+    const combined = new Uint8Array(iv.length + encrypted.byteLength);
+    combined.set(iv, 0);
+    combined.set(new Uint8Array(encrypted), iv.length);
+    return this.base64Encode(combined);
+  }
+  async decrypt(encrypted) {
+    if (typeof window === "undefined" || !window.crypto?.subtle) {
+      const decoder2 = new TextDecoder();
+      return decoder2.decode(this.base64Decode(encrypted));
+    }
+    const bytes = this.base64Decode(encrypted);
+    const iv = bytes.slice(0, 12);
+    const data = bytes.slice(12);
+    const encoder = new TextEncoder();
+    const decoder = new TextDecoder();
+    const passphrase = await this.getWebEncryptionKey();
+    const keyMaterial = await window.crypto.subtle.importKey(
+      "raw",
+      encoder.encode(passphrase),
+      "PBKDF2",
+      false,
+      ["deriveBits", "deriveKey"]
+    );
+    const key = await window.crypto.subtle.deriveKey(
+      {
+        name: "PBKDF2",
+        salt: encoder.encode("lanonasis-api-key-salt"),
+        iterations: 1e5,
+        hash: "SHA-256"
+      },
+      keyMaterial,
+      { name: "AES-GCM", length: 256 },
+      true,
+      ["encrypt", "decrypt"]
+    );
+    const decrypted = await window.crypto.subtle.decrypt(
+      { name: "AES-GCM", iv },
+      key,
+      data
+    );
+    return decoder.decode(decrypted);
+  }
+  async getWebEncryptionKey() {
+    const existing = localStorage.getItem(this.webEncryptionKeyStorage);
+    if (existing) return existing;
+    const buf = new Uint8Array(32);
+    if (typeof window !== "undefined" && window.crypto?.getRandomValues) {
+      window.crypto.getRandomValues(buf);
+    }
+    const raw = Array.from(buf).map((b) => b.toString(16).padStart(2, "0")).join("");
+    localStorage.setItem(this.webEncryptionKeyStorage, raw);
+    return raw;
+  }
+  base64Encode(bytes) {
+    let binary = "";
+    bytes.forEach((b) => {
+      binary += String.fromCharCode(b);
+    });
+    return btoa(binary);
+  }
+  base64Decode(value) {
+    const binary = atob(value);
+    const bytes = new Uint8Array(binary.length);
+    for (let i = 0; i < binary.length; i++) {
+      bytes[i] = binary.charCodeAt(i);
+    }
+    return bytes;
+  }
+};
+
+// src/client/mcp-client.ts
+var import_cross_fetch4 = __toESM(require("cross-fetch"), 1);
+
 // src/flows/apikey-flow.ts
+var import_cross_fetch3 = __toESM(require("cross-fetch"), 1);
 var APIKeyFlow = class extends BaseOAuthFlow {
   constructor(apiKey, authBaseUrl = "https://mcp.lanonasis.com") {
     super({
@@ -1117,7 +1432,7 @@ var APIKeyFlow = class extends BaseOAuthFlow {
    */
   async validateAPIKey() {
     try {
-      const response = await fetch(`${this.config.authBaseUrl}/api/v1/health`, {
+      const response = await (0, import_cross_fetch3.default)(`${this.config.authBaseUrl}/api/v1/health`, {
         headers: {
           "x-api-key": this.apiKey
         }
@@ -1143,7 +1458,8 @@ var MCPClient = class {
       autoRefresh: true,
       ...config
     };
-    this.tokenStorage = new TokenStorage();
+    const defaultStorage = typeof window !== "undefined" ? new TokenStorageWeb() : new TokenStorage();
+    this.tokenStorage = config.tokenStorage || defaultStorage;
     this.authMode = config.apiKey ? "apikey" : "oauth";
     if (this.authMode === "apikey") {
       this.authFlow = new APIKeyFlow(
@@ -1358,7 +1674,7 @@ var MCPClient = class {
     } else {
       headers["Authorization"] = `Bearer ${this.accessToken}`;
     }
-    const response = await fetch(`${this.config.mcpEndpoint}/api`, {
+    const response = await (0, import_cross_fetch4.default)(`${this.config.mcpEndpoint}/api`, {
       method: "POST",
       headers,
       body: JSON.stringify({
@@ -1457,12 +1773,3 @@ var MCPClient = class {
     return this.request("memory/delete", { id });
   }
 };
-// Annotate the CommonJS export names for ESM import in node:
-0 && (module.exports = {
-  ApiKeyStorage,
-  BaseOAuthFlow,
-  DesktopOAuthFlow,
-  MCPClient,
-  TerminalOAuthFlow,
-  TokenStorage
-});