@lanonasis/oauth-client 1.2.1 → 1.2.2

package/dist/index.mjs

@@ -5,12 +5,16 @@ var __require = /* @__PURE__ */ ((x) => typeof require !== "undefined" ? require
   throw Error('Dynamic require of "' + x + '" is not supported');
 });
 
+// src/flows/terminal-flow.ts
+import fetch2 from "cross-fetch";
+
 // src/flows/base-flow.ts
+import fetch from "cross-fetch";
 var BaseOAuthFlow = class {
   constructor(config) {
     this.clientId = config.clientId;
     this.authBaseUrl = config.authBaseUrl || "https://auth.lanonasis.com";
-    this.scope = config.scope || "mcp:read mcp:write api_keys:manage";
+    this.scope = config.scope || "memories:read memories:write memories:delete profile";
   }
   async makeTokenRequest(body) {
     const response = await fetch(`${this.authBaseUrl}/oauth/token`, {
@@ -26,11 +30,10 @@ var BaseOAuthFlow = class {
   }
   generateState() {
     const array = new Uint8Array(32);
-    if (typeof window !== "undefined" && window.crypto) {
-      window.crypto.getRandomValues(array);
+    if (typeof crypto !== "undefined" && crypto.getRandomValues) {
+      crypto.getRandomValues(array);
     } else {
-      const crypto = __require("crypto");
-      crypto.randomFillSync(array);
+      throw new Error("Secure random generation is not available");
     }
     return this.base64URLEncode(array);
   }
@@ -40,7 +43,8 @@ var BaseOAuthFlow = class {
     bytes.forEach((byte) => {
       binary += String.fromCharCode(byte);
     });
-    return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+    const base64 = typeof btoa !== "undefined" ? btoa(binary) : Buffer.from(bytes).toString("base64");
+    return base64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
   }
   async refreshToken(refreshToken) {
     return this.makeTokenRequest({
@@ -66,7 +70,6 @@ var BaseOAuthFlow = class {
 };
 
 // src/flows/terminal-flow.ts
-import open from "open";
 var TerminalOAuthFlow = class extends BaseOAuthFlow {
   constructor(config) {
     super({
@@ -89,7 +92,7 @@ var TerminalOAuthFlow = class extends BaseOAuthFlow {
     }
   }
   async requestDeviceCode() {
-    const response = await fetch(`${this.authBaseUrl}/oauth/device`, {
+    const response = await fetch2(`${this.authBaseUrl}/oauth/device`, {
       method: "POST",
       headers: { "Content-Type": "application/json" },
       body: JSON.stringify({
@@ -114,6 +117,7 @@ var TerminalOAuthFlow = class extends BaseOAuthFlow {
   }
   async openBrowser(url) {
     try {
+      const { default: open } = await import("open");
       await Promise.race([
         this.waitForEnter(),
         new Promise((resolve) => setTimeout(resolve, 2e3))
@@ -162,7 +166,7 @@ var TerminalOAuthFlow = class extends BaseOAuthFlow {
     throw new Error("Authorization timeout - please try again");
   }
   async checkDeviceCode(deviceCode) {
-    const response = await fetch(`${this.authBaseUrl}/oauth/token`, {
+    const response = await fetch2(`${this.authBaseUrl}/oauth/token`, {
       method: "POST",
       headers: { "Content-Type": "application/json" },
       body: JSON.stringify({
@@ -203,25 +207,22 @@ var DesktopOAuthFlow = class extends BaseOAuthFlow {
   }
   generateCodeVerifier() {
     const array = new Uint8Array(32);
-    if (typeof window !== "undefined" && window.crypto) {
-      window.crypto.getRandomValues(array);
+    if (typeof crypto !== "undefined" && crypto.getRandomValues) {
+      crypto.getRandomValues(array);
     } else {
-      const crypto = __require("crypto");
-      crypto.randomFillSync(array);
+      throw new Error("Secure random generation is not available in this environment");
     }
     return this.base64URLEncode(array);
   }
   async generateCodeChallenge(verifier) {
-    if (typeof window !== "undefined" && window.crypto?.subtle) {
-      const encoder = new TextEncoder();
-      const data = encoder.encode(verifier);
-      const hash = await window.crypto.subtle.digest("SHA-256", data);
-      return this.base64URLEncode(hash);
-    } else {
-      const crypto = __require("crypto");
-      const hash = crypto.createHash("sha256").update(verifier).digest();
-      return this.base64URLEncode(hash);
+    const subtle = typeof crypto !== "undefined" ? crypto.subtle : void 0;
+    if (!subtle) {
+      throw new Error("Web Crypto is required to generate PKCE code challenge");
     }
+    const encoder = new TextEncoder();
+    const data = encoder.encode(verifier);
+    const hash = await subtle.digest("SHA-256", data);
+    return this.base64URLEncode(hash);
   }
   buildAuthorizationUrl(codeChallenge, state) {
     const params = new URLSearchParams({
@@ -406,6 +407,9 @@ var TokenStorage = class {
     }
   }
   isTokenExpired(tokens) {
+    if (tokens.token_type === "api-key" || tokens.expires_in === 0) {
+      return false;
+    }
     if (!tokens.expires_in) return false;
     if (!tokens.issued_at) {
       console.warn("Token missing issued_at timestamp, treating as expired");
@@ -420,13 +424,13 @@ var TokenStorage = class {
     const fs = __require("fs").promises;
     const path = __require("path");
     const os = __require("os");
-    const crypto = __require("crypto");
+    const crypto2 = __require("crypto");
     const configDir = path.join(os.homedir(), ".lanonasis");
     const tokenFile = path.join(configDir, "mcp-tokens.enc");
     await fs.mkdir(configDir, { recursive: true });
     const key = this.getFileEncryptionKey();
-    const iv = crypto.randomBytes(16);
-    const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
+    const iv = crypto2.randomBytes(16);
+    const cipher = crypto2.createCipheriv("aes-256-gcm", key, iv);
     let encrypted = cipher.update(tokenString, "utf8", "hex");
     encrypted += cipher.final("hex");
     const authTag = cipher.getAuthTag().toString("hex");
@@ -438,7 +442,7 @@ var TokenStorage = class {
     const fs = __require("fs").promises;
     const path = __require("path");
     const os = __require("os");
-    const crypto = __require("crypto");
+    const crypto2 = __require("crypto");
     const tokenFile = path.join(os.homedir(), ".lanonasis", "mcp-tokens.enc");
     try {
       const data = await fs.readFile(tokenFile, "utf8");
@@ -448,7 +452,7 @@ var TokenStorage = class {
         const [ivHex, authTagHex, encrypted] = parts;
         const iv = Buffer.from(ivHex, "hex");
         const authTag = Buffer.from(authTagHex, "hex");
-        const decipher = crypto.createDecipheriv("aes-256-gcm", key, iv);
+        const decipher = crypto2.createDecipheriv("aes-256-gcm", key, iv);
         decipher.setAuthTag(authTag);
         let decrypted = decipher.update(encrypted, "hex", "utf8");
         decrypted += decipher.final("utf8");
@@ -457,7 +461,7 @@ var TokenStorage = class {
       if (parts.length === 2) {
         const [ivHex, encrypted] = parts;
         const iv = Buffer.from(ivHex, "hex");
-        const decipher = crypto.createDecipheriv("aes-256-cbc", key, iv);
+        const decipher = crypto2.createDecipheriv("aes-256-cbc", key, iv);
         let decrypted = decipher.update(encrypted, "hex", "utf8");
         decrypted += decipher.final("utf8");
         return decrypted;
@@ -479,17 +483,17 @@ var TokenStorage = class {
     }
   }
   getFileEncryptionKey() {
-    const crypto = __require("crypto");
+    const crypto2 = __require("crypto");
     const os = __require("os");
     const machineId = os.hostname() + os.userInfo().username;
     const salt = "lanonasis-mcp-oauth-2024";
-    return crypto.pbkdf2Sync(machineId, salt, 1e5, 32, "sha256");
+    return crypto2.pbkdf2Sync(machineId, salt, 1e5, 32, "sha256");
   }
   async encrypt(text) {
     if (typeof window === "undefined" || !window.crypto?.subtle) {
       const encoder2 = new TextEncoder();
       const data2 = encoder2.encode(text);
-      return btoa(String.fromCharCode(...data2));
+      return this.base64Encode(data2);
     }
     const encoder = new TextEncoder();
     const data = encoder.encode(text);
@@ -522,23 +526,15 @@ var TokenStorage = class {
     const combined = new Uint8Array(iv.length + encrypted.byteLength);
     combined.set(iv, 0);
     combined.set(new Uint8Array(encrypted), iv.length);
-    return btoa(String.fromCharCode(...combined));
+    return this.base64Encode(combined);
   }
   async decrypt(encrypted) {
     if (typeof window === "undefined" || !window.crypto?.subtle) {
-      const binary2 = atob(encrypted);
-      const bytes2 = new Uint8Array(binary2.length);
-      for (let i = 0; i < binary2.length; i++) {
-        bytes2[i] = binary2.charCodeAt(i);
-      }
+      const bytes2 = this.base64Decode(encrypted);
       const decoder2 = new TextDecoder();
       return decoder2.decode(bytes2);
     }
-    const binary = atob(encrypted);
-    const bytes = new Uint8Array(binary.length);
-    for (let i = 0; i < binary.length; i++) {
-      bytes[i] = binary.charCodeAt(i);
-    }
+    const bytes = this.base64Decode(encrypted);
     const iv = bytes.slice(0, 12);
     const data = bytes.slice(12);
     const encoder = new TextEncoder();
@@ -579,6 +575,33 @@ var TokenStorage = class {
   isMobile() {
     return typeof window !== "undefined" && window.SecureStorage !== void 0;
   }
+  base64Encode(bytes) {
+    if (typeof btoa !== "undefined") {
+      let binary = "";
+      bytes.forEach((b) => {
+        binary += String.fromCharCode(b);
+      });
+      return btoa(binary);
+    }
+    if (typeof Buffer !== "undefined") {
+      return Buffer.from(bytes).toString("base64");
+    }
+    throw new Error("No base64 encoder available");
+  }
+  base64Decode(value) {
+    if (typeof atob !== "undefined") {
+      const binary = atob(value);
+      const bytes = new Uint8Array(binary.length);
+      for (let i = 0; i < binary.length; i++) {
+        bytes[i] = binary.charCodeAt(i);
+      }
+      return bytes;
+    }
+    if (typeof Buffer !== "undefined") {
+      return new Uint8Array(Buffer.from(value, "base64"));
+    }
+    throw new Error("No base64 decoder available");
+  }
   async getWebEncryptionKey() {
     const existing = typeof localStorage !== "undefined" ? localStorage.getItem(this.webEncryptionKeyStorage) : null;
     if (existing) {
@@ -590,7 +613,8 @@ var TokenStorage = class {
       window.crypto.getRandomValues(buf);
       raw = Array.from(buf).map((b) => b.toString(16).padStart(2, "0")).join("");
     } else {
-      raw = `${navigator.userAgent}-${Math.random().toString(36).slice(2)}-${Date.now()}`;
+      const ua = typeof navigator !== "undefined" ? navigator.userAgent : "node";
+      raw = `${ua}-${Math.random().toString(36).slice(2)}-${Date.now()}`;
     }
     if (typeof localStorage !== "undefined") {
       localStorage.setItem(this.webEncryptionKeyStorage, raw);
@@ -802,13 +826,13 @@ var ApiKeyStorage = class {
     const fs = __require("fs").promises;
     const path = __require("path");
     const os = __require("os");
-    const crypto = __require("crypto");
+    const crypto2 = __require("crypto");
     const configDir = path.join(os.homedir(), ".lanonasis");
     const keyFile = path.join(configDir, "api-key.enc");
     await fs.mkdir(configDir, { recursive: true, mode: 448 });
     const key = this.getFileEncryptionKey();
-    const iv = crypto.randomBytes(16);
-    const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
+    const iv = crypto2.randomBytes(16);
+    const cipher = crypto2.createCipheriv("aes-256-gcm", key, iv);
     let encrypted = cipher.update(keyString, "utf8", "hex");
     encrypted += cipher.final("hex");
     const authTag = cipher.getAuthTag();
@@ -820,7 +844,7 @@ var ApiKeyStorage = class {
     const fs = __require("fs").promises;
     const path = __require("path");
     const os = __require("os");
-    const crypto = __require("crypto");
+    const crypto2 = __require("crypto");
     const keyFile = path.join(os.homedir(), ".lanonasis", "api-key.enc");
     try {
       const data = await fs.readFile(keyFile, "utf8");
@@ -831,7 +855,7 @@ var ApiKeyStorage = class {
       const key = this.getFileEncryptionKey();
       const iv = Buffer.from(ivHex, "hex");
       const authTag = Buffer.from(authTagHex, "hex");
-      const decipher = crypto.createDecipheriv("aes-256-gcm", key, iv);
+      const decipher = crypto2.createDecipheriv("aes-256-gcm", key, iv);
       decipher.setAuthTag(authTag);
       let decrypted = decipher.update(encrypted, "hex", "utf8");
       decrypted += decipher.final("utf8");
@@ -875,18 +899,18 @@ var ApiKeyStorage = class {
     }
   }
   getFileEncryptionKey() {
-    const crypto = __require("crypto");
+    const crypto2 = __require("crypto");
     const os = __require("os");
     const machineId = os.hostname() + os.userInfo().username;
     const salt = "lanonasis-mcp-api-key-2024";
-    return crypto.pbkdf2Sync(machineId, salt, 1e5, 32, "sha256");
+    return crypto2.pbkdf2Sync(machineId, salt, 1e5, 32, "sha256");
   }
   // ==================== Web Encryption ====================
   async encrypt(text) {
     if (typeof window === "undefined" || !window.crypto || !window.crypto.subtle) {
       const encoder = new TextEncoder();
       const data = encoder.encode(text);
-      return btoa(String.fromCharCode(...data));
+      return this.base64Encode(data);
     }
     try {
       const encoder = new TextEncoder();
@@ -925,16 +949,12 @@ var ApiKeyStorage = class {
       console.error("Web encryption failed:", error);
       const encoder = new TextEncoder();
       const data = encoder.encode(text);
-      return btoa(String.fromCharCode(...data));
+      return this.base64Encode(data);
     }
   }
   async decrypt(encrypted) {
     if (typeof window === "undefined" || !window.crypto || !window.crypto.subtle) {
-      const binary = atob(encrypted);
-      const bytes = new Uint8Array(binary.length);
-      for (let i = 0; i < binary.length; i++) {
-        bytes[i] = binary.charCodeAt(i);
-      }
+      const bytes = this.base64Decode(encrypted);
       const decoder = new TextDecoder();
       return decoder.decode(bytes);
     }
@@ -976,11 +996,7 @@ var ApiKeyStorage = class {
       return decoder.decode(decrypted);
     } catch (error) {
       console.error("Web decryption failed:", error);
-      const binary = atob(encrypted);
-      const bytes = new Uint8Array(binary.length);
-      for (let i = 0; i < binary.length; i++) {
-        bytes[i] = binary.charCodeAt(i);
-      }
+      const bytes = this.base64Decode(encrypted);
       const decoder = new TextDecoder();
       return decoder.decode(bytes);
     }
@@ -996,7 +1012,8 @@ var ApiKeyStorage = class {
       window.crypto.getRandomValues(buf);
       raw = Array.from(buf).map((b) => b.toString(16).padStart(2, "0")).join("");
     } else {
-      raw = `${navigator.userAgent}-${Math.random().toString(36).slice(2)}-${Date.now()}`;
+      const ua = typeof navigator !== "undefined" ? navigator.userAgent : "node";
+      raw = `${ua}-${Math.random().toString(36).slice(2)}-${Date.now()}`;
     }
     if (typeof localStorage !== "undefined") {
       localStorage.setItem(this.webEncryptionKeyStorage, raw);
@@ -1013,6 +1030,33 @@ var ApiKeyStorage = class {
   isMobile() {
     return typeof window !== "undefined" && window.SecureStorage !== void 0;
   }
+  base64Encode(bytes) {
+    if (typeof btoa !== "undefined") {
+      let binary = "";
+      bytes.forEach((b) => {
+        binary += String.fromCharCode(b);
+      });
+      return btoa(binary);
+    }
+    if (typeof Buffer !== "undefined") {
+      return Buffer.from(bytes).toString("base64");
+    }
+    throw new Error("No base64 encoder available");
+  }
+  base64Decode(value) {
+    if (typeof atob !== "undefined") {
+      const binary = atob(value);
+      const bytes = new Uint8Array(binary.length);
+      for (let i = 0; i < binary.length; i++) {
+        bytes[i] = binary.charCodeAt(i);
+      }
+      return bytes;
+    }
+    if (typeof Buffer !== "undefined") {
+      return new Uint8Array(Buffer.from(value, "base64"));
+    }
+    throw new Error("No base64 decoder available");
+  }
   /**
    * Normalize API keys to a SHA-256 hex digest.
    * Accepts pre-hashed input and lowercases it to prevent double hashing.
@@ -1037,9 +1081,338 @@ var ApiKeyStorage = class {
   }
 };
 
+// src/storage/token-storage-web.ts
+var TokenStorageWeb = class {
+  constructor() {
+    this.storageKey = "lanonasis_mcp_tokens";
+    this.webEncryptionKeyStorage = "lanonasis_web_token_enc_key";
+  }
+  async store(tokens) {
+    const tokensWithTimestamp = {
+      ...tokens,
+      issued_at: Date.now()
+    };
+    const tokenString = JSON.stringify(tokensWithTimestamp);
+    const encrypted = await this.encrypt(tokenString);
+    localStorage.setItem(this.storageKey, encrypted);
+  }
+  async retrieve() {
+    const encrypted = localStorage.getItem(this.storageKey);
+    if (!encrypted) return null;
+    try {
+      const tokenString = await this.decrypt(encrypted);
+      return JSON.parse(tokenString);
+    } catch {
+      return null;
+    }
+  }
+  async clear() {
+    localStorage.removeItem(this.storageKey);
+  }
+  isTokenExpired(tokens) {
+    if (tokens.token_type === "api-key" || tokens.expires_in === 0) return false;
+    if (!tokens.expires_in) return false;
+    if (!tokens.issued_at) return true;
+    const expiresAt = tokens.issued_at + tokens.expires_in * 1e3;
+    return expiresAt - Date.now() < 3e5;
+  }
+  async encrypt(text) {
+    if (typeof window === "undefined" || !window.crypto?.subtle) {
+      const encoder2 = new TextEncoder();
+      return this.base64Encode(encoder2.encode(text));
+    }
+    const encoder = new TextEncoder();
+    const data = encoder.encode(text);
+    const passphrase = await this.getWebEncryptionKey();
+    const keyMaterial = await window.crypto.subtle.importKey(
+      "raw",
+      encoder.encode(passphrase),
+      "PBKDF2",
+      false,
+      ["deriveBits", "deriveKey"]
+    );
+    const key = await window.crypto.subtle.deriveKey(
+      {
+        name: "PBKDF2",
+        salt: encoder.encode("lanonasis-token-salt"),
+        iterations: 1e5,
+        hash: "SHA-256"
+      },
+      keyMaterial,
+      { name: "AES-GCM", length: 256 },
+      true,
+      ["encrypt", "decrypt"]
+    );
+    const iv = window.crypto.getRandomValues(new Uint8Array(12));
+    const encrypted = await window.crypto.subtle.encrypt(
+      { name: "AES-GCM", iv },
+      key,
+      data
+    );
+    const combined = new Uint8Array(iv.length + encrypted.byteLength);
+    combined.set(iv, 0);
+    combined.set(new Uint8Array(encrypted), iv.length);
+    return this.base64Encode(combined);
+  }
+  async decrypt(encrypted) {
+    if (typeof window === "undefined" || !window.crypto?.subtle) {
+      const decoder2 = new TextDecoder();
+      return decoder2.decode(this.base64Decode(encrypted));
+    }
+    const bytes = this.base64Decode(encrypted);
+    const iv = bytes.slice(0, 12);
+    const data = bytes.slice(12);
+    const encoder = new TextEncoder();
+    const decoder = new TextDecoder();
+    const passphrase = await this.getWebEncryptionKey();
+    const keyMaterial = await window.crypto.subtle.importKey(
+      "raw",
+      encoder.encode(passphrase),
+      "PBKDF2",
+      false,
+      ["deriveBits", "deriveKey"]
+    );
+    const key = await window.crypto.subtle.deriveKey(
+      {
+        name: "PBKDF2",
+        salt: encoder.encode("lanonasis-token-salt"),
+        iterations: 1e5,
+        hash: "SHA-256"
+      },
+      keyMaterial,
+      { name: "AES-GCM", length: 256 },
+      true,
+      ["encrypt", "decrypt"]
+    );
+    const decrypted = await window.crypto.subtle.decrypt(
+      { name: "AES-GCM", iv },
+      key,
+      data
+    );
+    return decoder.decode(decrypted);
+  }
+  async getWebEncryptionKey() {
+    const existing = localStorage.getItem(this.webEncryptionKeyStorage);
+    if (existing) return existing;
+    const buf = new Uint8Array(32);
+    if (typeof window !== "undefined" && window.crypto?.getRandomValues) {
+      window.crypto.getRandomValues(buf);
+    }
+    const raw = Array.from(buf).map((b) => b.toString(16).padStart(2, "0")).join("");
+    localStorage.setItem(this.webEncryptionKeyStorage, raw);
+    return raw;
+  }
+  base64Encode(bytes) {
+    let binary = "";
+    bytes.forEach((b) => {
+      binary += String.fromCharCode(b);
+    });
+    return btoa(binary);
+  }
+  base64Decode(value) {
+    const binary = atob(value);
+    const bytes = new Uint8Array(binary.length);
+    for (let i = 0; i < binary.length; i++) {
+      bytes[i] = binary.charCodeAt(i);
+    }
+    return bytes;
+  }
+};
+
+// src/storage/api-key-storage-web.ts
+var ApiKeyStorageWeb = class {
+  constructor() {
+    this.storageKey = "lanonasis_api_key";
+    this.webEncryptionKeyStorage = "lanonasis_web_enc_key";
+  }
+  async store(data) {
+    const payload = JSON.stringify({
+      ...data,
+      createdAt: data.createdAt || (/* @__PURE__ */ new Date()).toISOString()
+    });
+    const encrypted = await this.encrypt(payload);
+    localStorage.setItem(this.storageKey, encrypted);
+  }
+  async retrieve() {
+    const encrypted = localStorage.getItem(this.storageKey);
+    if (!encrypted) return null;
+    try {
+      const decrypted = await this.decrypt(encrypted);
+      return JSON.parse(decrypted);
+    } catch {
+      return null;
+    }
+  }
+  async clear() {
+    localStorage.removeItem(this.storageKey);
+  }
+  async encrypt(text) {
+    if (typeof window === "undefined" || !window.crypto?.subtle) {
+      const encoder2 = new TextEncoder();
+      return this.base64Encode(encoder2.encode(text));
+    }
+    const encoder = new TextEncoder();
+    const data = encoder.encode(text);
+    const passphrase = await this.getWebEncryptionKey();
+    const keyMaterial = await window.crypto.subtle.importKey(
+      "raw",
+      encoder.encode(passphrase),
+      "PBKDF2",
+      false,
+      ["deriveBits", "deriveKey"]
+    );
+    const key = await window.crypto.subtle.deriveKey(
+      {
+        name: "PBKDF2",
+        salt: encoder.encode("lanonasis-api-key-salt"),
+        iterations: 1e5,
+        hash: "SHA-256"
+      },
+      keyMaterial,
+      { name: "AES-GCM", length: 256 },
+      true,
+      ["encrypt", "decrypt"]
+    );
+    const iv = window.crypto.getRandomValues(new Uint8Array(12));
+    const encrypted = await window.crypto.subtle.encrypt(
+      { name: "AES-GCM", iv },
+      key,
+      data
+    );
+    const combined = new Uint8Array(iv.length + encrypted.byteLength);
+    combined.set(iv, 0);
+    combined.set(new Uint8Array(encrypted), iv.length);
+    return this.base64Encode(combined);
+  }
+  async decrypt(encrypted) {
+    if (typeof window === "undefined" || !window.crypto?.subtle) {
+      const decoder2 = new TextDecoder();
+      return decoder2.decode(this.base64Decode(encrypted));
+    }
+    const bytes = this.base64Decode(encrypted);
+    const iv = bytes.slice(0, 12);
+    const data = bytes.slice(12);
+    const encoder = new TextEncoder();
+    const decoder = new TextDecoder();
+    const passphrase = await this.getWebEncryptionKey();
+    const keyMaterial = await window.crypto.subtle.importKey(
+      "raw",
+      encoder.encode(passphrase),
+      "PBKDF2",
+      false,
+      ["deriveBits", "deriveKey"]
+    );
+    const key = await window.crypto.subtle.deriveKey(
+      {
+        name: "PBKDF2",
+        salt: encoder.encode("lanonasis-api-key-salt"),
+        iterations: 1e5,
+        hash: "SHA-256"
+      },
+      keyMaterial,
+      { name: "AES-GCM", length: 256 },
+      true,
+      ["encrypt", "decrypt"]
+    );
+    const decrypted = await window.crypto.subtle.decrypt(
+      { name: "AES-GCM", iv },
+      key,
+      data
+    );
+    return decoder.decode(decrypted);
+  }
+  async getWebEncryptionKey() {
+    const existing = localStorage.getItem(this.webEncryptionKeyStorage);
+    if (existing) return existing;
+    const buf = new Uint8Array(32);
+    if (typeof window !== "undefined" && window.crypto?.getRandomValues) {
+      window.crypto.getRandomValues(buf);
+    }
+    const raw = Array.from(buf).map((b) => b.toString(16).padStart(2, "0")).join("");
+    localStorage.setItem(this.webEncryptionKeyStorage, raw);
+    return raw;
+  }
+  base64Encode(bytes) {
+    let binary = "";
+    bytes.forEach((b) => {
+      binary += String.fromCharCode(b);
+    });
+    return btoa(binary);
+  }
+  base64Decode(value) {
+    const binary = atob(value);
+    const bytes = new Uint8Array(binary.length);
+    for (let i = 0; i < binary.length; i++) {
+      bytes[i] = binary.charCodeAt(i);
+    }
+    return bytes;
+  }
+};
+
+// src/client/mcp-client.ts
+import fetch4 from "cross-fetch";
+
+// src/flows/apikey-flow.ts
+import fetch3 from "cross-fetch";
+var APIKeyFlow = class extends BaseOAuthFlow {
+  constructor(apiKey, authBaseUrl = "https://mcp.lanonasis.com") {
+    super({
+      clientId: "api-key-client",
+      authBaseUrl
+    });
+    this.apiKey = apiKey;
+  }
+  /**
+   * "Authenticate" by returning the API key as a virtual token
+   * The API key will be used directly in request headers
+   */
+  async authenticate() {
+    if (!this.apiKey || !this.apiKey.startsWith("lano_") && !this.apiKey.startsWith("vx_")) {
+      throw new Error(
+        'Invalid API key format. Must start with "lano_" or "vx_". Please regenerate your API key from the dashboard.'
+      );
+    }
+    if (this.apiKey.startsWith("vx_")) {
+      console.warn(
+        '\u26A0\uFE0F  DEPRECATION WARNING: API keys with "vx_" prefix are deprecated and will stop working soon. Please regenerate your API key from the dashboard to get a "lano_" prefixed key. Support for "vx_" keys will be removed in a future version.'
+      );
+    }
+    return {
+      access_token: this.apiKey,
+      token_type: "api-key",
+      expires_in: 0,
+      // API keys don't expire
+      issued_at: Date.now()
+    };
+  }
+  /**
+   * API keys don't need refresh
+   */
+  async refreshToken(refreshToken) {
+    throw new Error("API keys do not support token refresh");
+  }
+  /**
+   * Optional: Validate API key by making a test request
+   */
+  async validateAPIKey() {
+    try {
+      const response = await fetch3(`${this.config.authBaseUrl}/api/v1/health`, {
+        headers: {
+          "x-api-key": this.apiKey
+        }
+      });
+      return response.ok;
+    } catch (error) {
+      console.error("API key validation failed:", error);
+      return false;
+    }
+  }
+};
+
 // src/client/mcp-client.ts
 var MCPClient = class {
   constructor(config = {}) {
+    // ← NEW: Track auth mode
     this.ws = null;
     this.eventSource = null;
     this.accessToken = null;
@@ -1049,31 +1422,47 @@ var MCPClient = class {
       autoRefresh: true,
       ...config
     };
-    this.tokenStorage = new TokenStorage();
-    if (this.isTerminal()) {
-      this.authFlow = new TerminalOAuthFlow(config);
+    const defaultStorage = typeof window !== "undefined" ? new TokenStorageWeb() : new TokenStorage();
+    this.tokenStorage = config.tokenStorage || defaultStorage;
+    this.authMode = config.apiKey ? "apikey" : "oauth";
+    if (this.authMode === "apikey") {
+      this.authFlow = new APIKeyFlow(
+        config.apiKey,
+        config.authBaseUrl || "https://mcp.lanonasis.com"
+      );
     } else {
-      this.authFlow = new DesktopOAuthFlow(config);
+      if (this.isTerminal()) {
+        this.authFlow = new TerminalOAuthFlow(config);
+      } else {
+        this.authFlow = new DesktopOAuthFlow(config);
+      }
     }
   }
   async connect() {
     try {
       let tokens = await this.tokenStorage.retrieve();
-      if (!tokens || this.tokenStorage.isTokenExpired(tokens)) {
-        if (tokens?.refresh_token) {
-          try {
-            tokens = await this.authFlow.refreshToken(tokens.refresh_token);
-            await this.tokenStorage.store(tokens);
-          } catch (error) {
+      if (this.authMode === "apikey") {
+        if (!tokens) {
+          tokens = await this.authenticate();
+        }
+        this.accessToken = tokens.access_token;
+      } else {
+        if (!tokens || this.tokenStorage.isTokenExpired(tokens)) {
+          if (tokens?.refresh_token) {
+            try {
+              tokens = await this.authFlow.refreshToken(tokens.refresh_token);
+              await this.tokenStorage.store(tokens);
+            } catch (error) {
+              tokens = await this.authenticate();
+            }
+          } else {
             tokens = await this.authenticate();
           }
-        } else {
-          tokens = await this.authenticate();
         }
-      }
-      this.accessToken = tokens.access_token;
-      if (this.config.autoRefresh && tokens.expires_in) {
-        this.scheduleTokenRefresh(tokens);
+        this.accessToken = tokens.access_token;
+        if (this.config.autoRefresh && tokens.expires_in) {
+          this.scheduleTokenRefresh(tokens);
+        }
       }
       await this.establishConnection();
     } catch (error) {
@@ -1093,6 +1482,10 @@ var MCPClient = class {
     if (!tokens) {
       throw new Error("Not authenticated");
     }
+    if (this.authMode === "apikey") {
+      this.accessToken = tokens.access_token;
+      return;
+    }
     if (this.tokenStorage.isTokenExpired(tokens)) {
       if (tokens.refresh_token) {
         try {
@@ -1149,11 +1542,19 @@ var MCPClient = class {
       this.ws = new WebSocket(wsUrl.toString());
     } else {
       const { default: WS } = await import("ws");
-      this.ws = new WS(wsUrl.toString(), {
-        headers: {
-          "Authorization": `Bearer ${this.accessToken}`
-        }
-      });
+      if (this.authMode === "apikey") {
+        this.ws = new WS(wsUrl.toString(), {
+          headers: {
+            "x-api-key": this.accessToken
+          }
+        });
+      } else {
+        this.ws = new WS(wsUrl.toString(), {
+          headers: {
+            "Authorization": `Bearer ${this.accessToken}`
+          }
+        });
+      }
     }
     return new Promise((resolve, reject) => {
       if (!this.ws) {
@@ -1187,11 +1588,19 @@ var MCPClient = class {
     } else {
       const EventSourceModule = await import("eventsource");
       const ES = EventSourceModule.default || EventSourceModule;
-      this.eventSource = new ES(sseUrl.toString(), {
-        headers: {
-          "Authorization": `Bearer ${this.accessToken}`
-        }
-      });
+      if (this.authMode === "apikey") {
+        this.eventSource = new ES(sseUrl.toString(), {
+          headers: {
+            "x-api-key": this.accessToken
+          }
+        });
+      } else {
+        this.eventSource = new ES(sseUrl.toString(), {
+          headers: {
+            "Authorization": `Bearer ${this.accessToken}`
+          }
+        });
+      }
     }
     this.eventSource.onopen = () => {
       console.log("MCP SSE connected");
@@ -1221,12 +1630,17 @@ var MCPClient = class {
     if (!this.accessToken) {
       throw new Error("Not authenticated");
     }
-    const response = await fetch(`${this.config.mcpEndpoint}/api`, {
+    const headers = {
+      "Content-Type": "application/json"
+    };
+    if (this.authMode === "apikey") {
+      headers["x-api-key"] = this.accessToken;
+    } else {
+      headers["Authorization"] = `Bearer ${this.accessToken}`;
+    }
+    const response = await fetch4(`${this.config.mcpEndpoint}/api`, {
       method: "POST",
-      headers: {
-        "Authorization": `Bearer ${this.accessToken}`,
-        "Content-Type": "application/json"
-      },
+      headers,
       body: JSON.stringify({
         jsonrpc: "2.0",
         id: this.generateId(),
@@ -1235,6 +1649,9 @@ var MCPClient = class {
       })
     });
     if (response.status === 401) {
+      if (this.authMode === "apikey") {
+        throw new Error("Invalid API key - please check your credentials");
+      }
       const tokens = await this.tokenStorage.retrieve();
       if (tokens?.refresh_token) {
         const newTokens = await this.authFlow.refreshToken(tokens.refresh_token);
@@ -1322,9 +1739,11 @@ var MCPClient = class {
 };
 export {
   ApiKeyStorage,
+  ApiKeyStorageWeb,
   BaseOAuthFlow,
   DesktopOAuthFlow,
   MCPClient,
   TerminalOAuthFlow,
-  TokenStorage
+  TokenStorage,
+  TokenStorageWeb
 };