@lanonasis/oauth-client 1.2.1 → 1.2.3

package/dist/index.cjs

@@ -31,23 +31,29 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 var index_exports = {};
 __export(index_exports, {
   ApiKeyStorage: () => ApiKeyStorage,
+  ApiKeyStorageWeb: () => ApiKeyStorageWeb,
   BaseOAuthFlow: () => BaseOAuthFlow,
   DesktopOAuthFlow: () => DesktopOAuthFlow,
   MCPClient: () => MCPClient,
   TerminalOAuthFlow: () => TerminalOAuthFlow,
-  TokenStorage: () => TokenStorage
+  TokenStorage: () => TokenStorage,
+  TokenStorageWeb: () => TokenStorageWeb
 });
 module.exports = __toCommonJS(index_exports);
 
+// src/flows/terminal-flow.ts
+var import_cross_fetch2 = __toESM(require("cross-fetch"), 1);
+
 // src/flows/base-flow.ts
+var import_cross_fetch = __toESM(require("cross-fetch"), 1);
 var BaseOAuthFlow = class {
   constructor(config) {
     this.clientId = config.clientId;
     this.authBaseUrl = config.authBaseUrl || "https://auth.lanonasis.com";
-    this.scope = config.scope || "mcp:read mcp:write api_keys:manage";
+    this.scope = config.scope || "memories:read memories:write memories:delete profile";
   }
   async makeTokenRequest(body) {
-    const response = await fetch(`${this.authBaseUrl}/oauth/token`, {
+    const response = await (0, import_cross_fetch.default)(`${this.authBaseUrl}/oauth/token`, {
       method: "POST",
       headers: { "Content-Type": "application/json" },
       body: JSON.stringify(body)
@@ -60,11 +66,10 @@ var BaseOAuthFlow = class {
   }
   generateState() {
     const array = new Uint8Array(32);
-    if (typeof window !== "undefined" && window.crypto) {
-      window.crypto.getRandomValues(array);
+    if (typeof crypto !== "undefined" && crypto.getRandomValues) {
+      crypto.getRandomValues(array);
     } else {
-      const crypto = require("crypto");
-      crypto.randomFillSync(array);
+      throw new Error("Secure random generation is not available");
     }
     return this.base64URLEncode(array);
   }
@@ -74,7 +79,8 @@ var BaseOAuthFlow = class {
     bytes.forEach((byte) => {
       binary += String.fromCharCode(byte);
     });
-    return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+    const base64 = typeof btoa !== "undefined" ? btoa(binary) : Buffer.from(bytes).toString("base64");
+    return base64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
   }
   async refreshToken(refreshToken) {
     return this.makeTokenRequest({
@@ -84,7 +90,7 @@ var BaseOAuthFlow = class {
     });
   }
   async revokeToken(token, tokenType = "access_token") {
-    const response = await fetch(`${this.authBaseUrl}/oauth/revoke`, {
+    const response = await (0, import_cross_fetch.default)(`${this.authBaseUrl}/oauth/revoke`, {
       method: "POST",
       headers: { "Content-Type": "application/json" },
       body: JSON.stringify({
@@ -100,7 +106,6 @@ var BaseOAuthFlow = class {
 };
 
 // src/flows/terminal-flow.ts
-var import_open = __toESM(require("open"), 1);
 var TerminalOAuthFlow = class extends BaseOAuthFlow {
   constructor(config) {
     super({
@@ -123,7 +128,7 @@ var TerminalOAuthFlow = class extends BaseOAuthFlow {
     }
   }
   async requestDeviceCode() {
-    const response = await fetch(`${this.authBaseUrl}/oauth/device`, {
+    const response = await (0, import_cross_fetch2.default)(`${this.authBaseUrl}/oauth/device`, {
       method: "POST",
       headers: { "Content-Type": "application/json" },
       body: JSON.stringify({
@@ -148,12 +153,13 @@ var TerminalOAuthFlow = class extends BaseOAuthFlow {
   }
   async openBrowser(url) {
     try {
+      const { default: open } = await import("open");
       await Promise.race([
         this.waitForEnter(),
         new Promise((resolve) => setTimeout(resolve, 2e3))
       ]);
       console.log("Opening browser...");
-      await (0, import_open.default)(url);
+      await open(url);
     } catch (error) {
       console.log("Please open the URL manually in your browser.");
     }
@@ -196,7 +202,7 @@ var TerminalOAuthFlow = class extends BaseOAuthFlow {
     throw new Error("Authorization timeout - please try again");
   }
   async checkDeviceCode(deviceCode) {
-    const response = await fetch(`${this.authBaseUrl}/oauth/token`, {
+    const response = await (0, import_cross_fetch2.default)(`${this.authBaseUrl}/oauth/token`, {
       method: "POST",
       headers: { "Content-Type": "application/json" },
       body: JSON.stringify({
@@ -237,25 +243,22 @@ var DesktopOAuthFlow = class extends BaseOAuthFlow {
   }
   generateCodeVerifier() {
     const array = new Uint8Array(32);
-    if (typeof window !== "undefined" && window.crypto) {
-      window.crypto.getRandomValues(array);
+    if (typeof crypto !== "undefined" && crypto.getRandomValues) {
+      crypto.getRandomValues(array);
     } else {
-      const crypto = require("crypto");
-      crypto.randomFillSync(array);
+      throw new Error("Secure random generation is not available in this environment");
     }
     return this.base64URLEncode(array);
   }
   async generateCodeChallenge(verifier) {
-    if (typeof window !== "undefined" && window.crypto?.subtle) {
-      const encoder = new TextEncoder();
-      const data = encoder.encode(verifier);
-      const hash = await window.crypto.subtle.digest("SHA-256", data);
-      return this.base64URLEncode(hash);
-    } else {
-      const crypto = require("crypto");
-      const hash = crypto.createHash("sha256").update(verifier).digest();
-      return this.base64URLEncode(hash);
+    const subtle = typeof crypto !== "undefined" ? crypto.subtle : void 0;
+    if (!subtle) {
+      throw new Error("Web Crypto is required to generate PKCE code challenge");
     }
+    const encoder = new TextEncoder();
+    const data = encoder.encode(verifier);
+    const hash = await subtle.digest("SHA-256", data);
+    return this.base64URLEncode(hash);
   }
   buildAuthorizationUrl(codeChallenge, state) {
     const params = new URLSearchParams({
@@ -440,6 +443,9 @@ var TokenStorage = class {
     }
   }
   isTokenExpired(tokens) {
+    if (tokens.token_type === "api-key" || tokens.expires_in === 0) {
+      return false;
+    }
     if (!tokens.expires_in) return false;
     if (!tokens.issued_at) {
       console.warn("Token missing issued_at timestamp, treating as expired");
@@ -454,13 +460,13 @@ var TokenStorage = class {
     const fs = require("fs").promises;
     const path = require("path");
     const os = require("os");
-    const crypto = require("crypto");
+    const crypto2 = require("crypto");
     const configDir = path.join(os.homedir(), ".lanonasis");
     const tokenFile = path.join(configDir, "mcp-tokens.enc");
     await fs.mkdir(configDir, { recursive: true });
     const key = this.getFileEncryptionKey();
-    const iv = crypto.randomBytes(16);
-    const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
+    const iv = crypto2.randomBytes(16);
+    const cipher = crypto2.createCipheriv("aes-256-gcm", key, iv);
     let encrypted = cipher.update(tokenString, "utf8", "hex");
     encrypted += cipher.final("hex");
     const authTag = cipher.getAuthTag().toString("hex");
@@ -472,7 +478,7 @@ var TokenStorage = class {
     const fs = require("fs").promises;
     const path = require("path");
     const os = require("os");
-    const crypto = require("crypto");
+    const crypto2 = require("crypto");
     const tokenFile = path.join(os.homedir(), ".lanonasis", "mcp-tokens.enc");
     try {
       const data = await fs.readFile(tokenFile, "utf8");
@@ -482,7 +488,7 @@ var TokenStorage = class {
         const [ivHex, authTagHex, encrypted] = parts;
         const iv = Buffer.from(ivHex, "hex");
         const authTag = Buffer.from(authTagHex, "hex");
-        const decipher = crypto.createDecipheriv("aes-256-gcm", key, iv);
+        const decipher = crypto2.createDecipheriv("aes-256-gcm", key, iv);
         decipher.setAuthTag(authTag);
         let decrypted = decipher.update(encrypted, "hex", "utf8");
         decrypted += decipher.final("utf8");
@@ -491,7 +497,7 @@ var TokenStorage = class {
       if (parts.length === 2) {
         const [ivHex, encrypted] = parts;
         const iv = Buffer.from(ivHex, "hex");
-        const decipher = crypto.createDecipheriv("aes-256-cbc", key, iv);
+        const decipher = crypto2.createDecipheriv("aes-256-cbc", key, iv);
         let decrypted = decipher.update(encrypted, "hex", "utf8");
         decrypted += decipher.final("utf8");
         return decrypted;
@@ -513,17 +519,17 @@ var TokenStorage = class {
     }
   }
   getFileEncryptionKey() {
-    const crypto = require("crypto");
+    const crypto2 = require("crypto");
     const os = require("os");
     const machineId = os.hostname() + os.userInfo().username;
     const salt = "lanonasis-mcp-oauth-2024";
-    return crypto.pbkdf2Sync(machineId, salt, 1e5, 32, "sha256");
+    return crypto2.pbkdf2Sync(machineId, salt, 1e5, 32, "sha256");
   }
   async encrypt(text) {
     if (typeof window === "undefined" || !window.crypto?.subtle) {
       const encoder2 = new TextEncoder();
       const data2 = encoder2.encode(text);
-      return btoa(String.fromCharCode(...data2));
+      return this.base64Encode(data2);
     }
     const encoder = new TextEncoder();
     const data = encoder.encode(text);
@@ -556,23 +562,15 @@ var TokenStorage = class {
     const combined = new Uint8Array(iv.length + encrypted.byteLength);
     combined.set(iv, 0);
     combined.set(new Uint8Array(encrypted), iv.length);
-    return btoa(String.fromCharCode(...combined));
+    return this.base64Encode(combined);
   }
   async decrypt(encrypted) {
     if (typeof window === "undefined" || !window.crypto?.subtle) {
-      const binary2 = atob(encrypted);
-      const bytes2 = new Uint8Array(binary2.length);
-      for (let i = 0; i < binary2.length; i++) {
-        bytes2[i] = binary2.charCodeAt(i);
-      }
+      const bytes2 = this.base64Decode(encrypted);
       const decoder2 = new TextDecoder();
       return decoder2.decode(bytes2);
     }
-    const binary = atob(encrypted);
-    const bytes = new Uint8Array(binary.length);
-    for (let i = 0; i < binary.length; i++) {
-      bytes[i] = binary.charCodeAt(i);
-    }
+    const bytes = this.base64Decode(encrypted);
     const iv = bytes.slice(0, 12);
     const data = bytes.slice(12);
     const encoder = new TextEncoder();
@@ -613,6 +611,33 @@ var TokenStorage = class {
   isMobile() {
     return typeof window !== "undefined" && window.SecureStorage !== void 0;
   }
+  base64Encode(bytes) {
+    if (typeof btoa !== "undefined") {
+      let binary = "";
+      bytes.forEach((b) => {
+        binary += String.fromCharCode(b);
+      });
+      return btoa(binary);
+    }
+    if (typeof Buffer !== "undefined") {
+      return Buffer.from(bytes).toString("base64");
+    }
+    throw new Error("No base64 encoder available");
+  }
+  base64Decode(value) {
+    if (typeof atob !== "undefined") {
+      const binary = atob(value);
+      const bytes = new Uint8Array(binary.length);
+      for (let i = 0; i < binary.length; i++) {
+        bytes[i] = binary.charCodeAt(i);
+      }
+      return bytes;
+    }
+    if (typeof Buffer !== "undefined") {
+      return new Uint8Array(Buffer.from(value, "base64"));
+    }
+    throw new Error("No base64 decoder available");
+  }
   async getWebEncryptionKey() {
     const existing = typeof localStorage !== "undefined" ? localStorage.getItem(this.webEncryptionKeyStorage) : null;
     if (existing) {
@@ -624,7 +649,8 @@ var TokenStorage = class {
       window.crypto.getRandomValues(buf);
       raw = Array.from(buf).map((b) => b.toString(16).padStart(2, "0")).join("");
     } else {
-      raw = `${navigator.userAgent}-${Math.random().toString(36).slice(2)}-${Date.now()}`;
+      const ua = typeof navigator !== "undefined" ? navigator.userAgent : "node";
+      raw = `${ua}-${Math.random().toString(36).slice(2)}-${Date.now()}`;
     }
     if (typeof localStorage !== "undefined") {
       localStorage.setItem(this.webEncryptionKeyStorage, raw);
@@ -836,13 +862,13 @@ var ApiKeyStorage = class {
     const fs = require("fs").promises;
     const path = require("path");
     const os = require("os");
-    const crypto = require("crypto");
+    const crypto2 = require("crypto");
     const configDir = path.join(os.homedir(), ".lanonasis");
     const keyFile = path.join(configDir, "api-key.enc");
     await fs.mkdir(configDir, { recursive: true, mode: 448 });
     const key = this.getFileEncryptionKey();
-    const iv = crypto.randomBytes(16);
-    const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
+    const iv = crypto2.randomBytes(16);
+    const cipher = crypto2.createCipheriv("aes-256-gcm", key, iv);
     let encrypted = cipher.update(keyString, "utf8", "hex");
     encrypted += cipher.final("hex");
     const authTag = cipher.getAuthTag();
@@ -854,7 +880,7 @@ var ApiKeyStorage = class {
     const fs = require("fs").promises;
     const path = require("path");
     const os = require("os");
-    const crypto = require("crypto");
+    const crypto2 = require("crypto");
     const keyFile = path.join(os.homedir(), ".lanonasis", "api-key.enc");
     try {
       const data = await fs.readFile(keyFile, "utf8");
@@ -865,7 +891,7 @@ var ApiKeyStorage = class {
       const key = this.getFileEncryptionKey();
       const iv = Buffer.from(ivHex, "hex");
       const authTag = Buffer.from(authTagHex, "hex");
-      const decipher = crypto.createDecipheriv("aes-256-gcm", key, iv);
+      const decipher = crypto2.createDecipheriv("aes-256-gcm", key, iv);
       decipher.setAuthTag(authTag);
       let decrypted = decipher.update(encrypted, "hex", "utf8");
       decrypted += decipher.final("utf8");
@@ -909,18 +935,18 @@ var ApiKeyStorage = class {
     }
   }
   getFileEncryptionKey() {
-    const crypto = require("crypto");
+    const crypto2 = require("crypto");
     const os = require("os");
     const machineId = os.hostname() + os.userInfo().username;
     const salt = "lanonasis-mcp-api-key-2024";
-    return crypto.pbkdf2Sync(machineId, salt, 1e5, 32, "sha256");
+    return crypto2.pbkdf2Sync(machineId, salt, 1e5, 32, "sha256");
   }
   // ==================== Web Encryption ====================
   async encrypt(text) {
     if (typeof window === "undefined" || !window.crypto || !window.crypto.subtle) {
       const encoder = new TextEncoder();
       const data = encoder.encode(text);
-      return btoa(String.fromCharCode(...data));
+      return this.base64Encode(data);
     }
     try {
       const encoder = new TextEncoder();
@@ -959,16 +985,12 @@ var ApiKeyStorage = class {
       console.error("Web encryption failed:", error);
       const encoder = new TextEncoder();
       const data = encoder.encode(text);
-      return btoa(String.fromCharCode(...data));
+      return this.base64Encode(data);
     }
   }
   async decrypt(encrypted) {
     if (typeof window === "undefined" || !window.crypto || !window.crypto.subtle) {
-      const binary = atob(encrypted);
-      const bytes = new Uint8Array(binary.length);
-      for (let i = 0; i < binary.length; i++) {
-        bytes[i] = binary.charCodeAt(i);
-      }
+      const bytes = this.base64Decode(encrypted);
       const decoder = new TextDecoder();
       return decoder.decode(bytes);
     }
@@ -1010,11 +1032,7 @@ var ApiKeyStorage = class {
       return decoder.decode(decrypted);
     } catch (error) {
       console.error("Web decryption failed:", error);
-      const binary = atob(encrypted);
-      const bytes = new Uint8Array(binary.length);
-      for (let i = 0; i < binary.length; i++) {
-        bytes[i] = binary.charCodeAt(i);
-      }
+      const bytes = this.base64Decode(encrypted);
       const decoder = new TextDecoder();
       return decoder.decode(bytes);
     }
@@ -1030,7 +1048,8 @@ var ApiKeyStorage = class {
       window.crypto.getRandomValues(buf);
       raw = Array.from(buf).map((b) => b.toString(16).padStart(2, "0")).join("");
     } else {
-      raw = `${navigator.userAgent}-${Math.random().toString(36).slice(2)}-${Date.now()}`;
+      const ua = typeof navigator !== "undefined" ? navigator.userAgent : "node";
+      raw = `${ua}-${Math.random().toString(36).slice(2)}-${Date.now()}`;
     }
     if (typeof localStorage !== "undefined") {
       localStorage.setItem(this.webEncryptionKeyStorage, raw);
@@ -1047,6 +1066,33 @@ var ApiKeyStorage = class {
   isMobile() {
     return typeof window !== "undefined" && window.SecureStorage !== void 0;
   }
+  base64Encode(bytes) {
+    if (typeof btoa !== "undefined") {
+      let binary = "";
+      bytes.forEach((b) => {
+        binary += String.fromCharCode(b);
+      });
+      return btoa(binary);
+    }
+    if (typeof Buffer !== "undefined") {
+      return Buffer.from(bytes).toString("base64");
+    }
+    throw new Error("No base64 encoder available");
+  }
+  base64Decode(value) {
+    if (typeof atob !== "undefined") {
+      const binary = atob(value);
+      const bytes = new Uint8Array(binary.length);
+      for (let i = 0; i < binary.length; i++) {
+        bytes[i] = binary.charCodeAt(i);
+      }
+      return bytes;
+    }
+    if (typeof Buffer !== "undefined") {
+      return new Uint8Array(Buffer.from(value, "base64"));
+    }
+    throw new Error("No base64 decoder available");
+  }
   /**
    * Normalize API keys to a SHA-256 hex digest.
    * Accepts pre-hashed input and lowercases it to prevent double hashing.
@@ -1071,9 +1117,338 @@ var ApiKeyStorage = class {
   }
 };
 
+// src/storage/token-storage-web.ts
+var TokenStorageWeb = class {
+  constructor() {
+    this.storageKey = "lanonasis_mcp_tokens";
+    this.webEncryptionKeyStorage = "lanonasis_web_token_enc_key";
+  }
+  async store(tokens) {
+    const tokensWithTimestamp = {
+      ...tokens,
+      issued_at: Date.now()
+    };
+    const tokenString = JSON.stringify(tokensWithTimestamp);
+    const encrypted = await this.encrypt(tokenString);
+    localStorage.setItem(this.storageKey, encrypted);
+  }
+  async retrieve() {
+    const encrypted = localStorage.getItem(this.storageKey);
+    if (!encrypted) return null;
+    try {
+      const tokenString = await this.decrypt(encrypted);
+      return JSON.parse(tokenString);
+    } catch {
+      return null;
+    }
+  }
+  async clear() {
+    localStorage.removeItem(this.storageKey);
+  }
+  isTokenExpired(tokens) {
+    if (tokens.token_type === "api-key" || tokens.expires_in === 0) return false;
+    if (!tokens.expires_in) return false;
+    if (!tokens.issued_at) return true;
+    const expiresAt = tokens.issued_at + tokens.expires_in * 1e3;
+    return expiresAt - Date.now() < 3e5;
+  }
+  async encrypt(text) {
+    if (typeof window === "undefined" || !window.crypto?.subtle) {
+      const encoder2 = new TextEncoder();
+      return this.base64Encode(encoder2.encode(text));
+    }
+    const encoder = new TextEncoder();
+    const data = encoder.encode(text);
+    const passphrase = await this.getWebEncryptionKey();
+    const keyMaterial = await window.crypto.subtle.importKey(
+      "raw",
+      encoder.encode(passphrase),
+      "PBKDF2",
+      false,
+      ["deriveBits", "deriveKey"]
+    );
+    const key = await window.crypto.subtle.deriveKey(
+      {
+        name: "PBKDF2",
+        salt: encoder.encode("lanonasis-token-salt"),
+        iterations: 1e5,
+        hash: "SHA-256"
+      },
+      keyMaterial,
+      { name: "AES-GCM", length: 256 },
+      true,
+      ["encrypt", "decrypt"]
+    );
+    const iv = window.crypto.getRandomValues(new Uint8Array(12));
+    const encrypted = await window.crypto.subtle.encrypt(
+      { name: "AES-GCM", iv },
+      key,
+      data
+    );
+    const combined = new Uint8Array(iv.length + encrypted.byteLength);
+    combined.set(iv, 0);
+    combined.set(new Uint8Array(encrypted), iv.length);
+    return this.base64Encode(combined);
+  }
+  async decrypt(encrypted) {
+    if (typeof window === "undefined" || !window.crypto?.subtle) {
+      const decoder2 = new TextDecoder();
+      return decoder2.decode(this.base64Decode(encrypted));
+    }
+    const bytes = this.base64Decode(encrypted);
+    const iv = bytes.slice(0, 12);
+    const data = bytes.slice(12);
+    const encoder = new TextEncoder();
+    const decoder = new TextDecoder();
+    const passphrase = await this.getWebEncryptionKey();
+    const keyMaterial = await window.crypto.subtle.importKey(
+      "raw",
+      encoder.encode(passphrase),
+      "PBKDF2",
+      false,
+      ["deriveBits", "deriveKey"]
+    );
+    const key = await window.crypto.subtle.deriveKey(
+      {
+        name: "PBKDF2",
+        salt: encoder.encode("lanonasis-token-salt"),
+        iterations: 1e5,
+        hash: "SHA-256"
+      },
+      keyMaterial,
+      { name: "AES-GCM", length: 256 },
+      true,
+      ["encrypt", "decrypt"]
+    );
+    const decrypted = await window.crypto.subtle.decrypt(
+      { name: "AES-GCM", iv },
+      key,
+      data
+    );
+    return decoder.decode(decrypted);
+  }
+  async getWebEncryptionKey() {
+    const existing = localStorage.getItem(this.webEncryptionKeyStorage);
+    if (existing) return existing;
+    const buf = new Uint8Array(32);
+    if (typeof window !== "undefined" && window.crypto?.getRandomValues) {
+      window.crypto.getRandomValues(buf);
+    }
+    const raw = Array.from(buf).map((b) => b.toString(16).padStart(2, "0")).join("");
+    localStorage.setItem(this.webEncryptionKeyStorage, raw);
+    return raw;
+  }
+  base64Encode(bytes) {
+    let binary = "";
+    bytes.forEach((b) => {
+      binary += String.fromCharCode(b);
+    });
+    return btoa(binary);
+  }
+  base64Decode(value) {
+    const binary = atob(value);
+    const bytes = new Uint8Array(binary.length);
+    for (let i = 0; i < binary.length; i++) {
+      bytes[i] = binary.charCodeAt(i);
+    }
+    return bytes;
+  }
+};
+
+// src/storage/api-key-storage-web.ts
+var ApiKeyStorageWeb = class {
+  constructor() {
+    this.storageKey = "lanonasis_api_key";
+    this.webEncryptionKeyStorage = "lanonasis_web_enc_key";
+  }
+  async store(data) {
+    const payload = JSON.stringify({
+      ...data,
+      createdAt: data.createdAt || (/* @__PURE__ */ new Date()).toISOString()
+    });
+    const encrypted = await this.encrypt(payload);
+    localStorage.setItem(this.storageKey, encrypted);
+  }
+  async retrieve() {
+    const encrypted = localStorage.getItem(this.storageKey);
+    if (!encrypted) return null;
+    try {
+      const decrypted = await this.decrypt(encrypted);
+      return JSON.parse(decrypted);
+    } catch {
+      return null;
+    }
+  }
+  async clear() {
+    localStorage.removeItem(this.storageKey);
+  }
+  async encrypt(text) {
+    if (typeof window === "undefined" || !window.crypto?.subtle) {
+      const encoder2 = new TextEncoder();
+      return this.base64Encode(encoder2.encode(text));
+    }
+    const encoder = new TextEncoder();
+    const data = encoder.encode(text);
+    const passphrase = await this.getWebEncryptionKey();
+    const keyMaterial = await window.crypto.subtle.importKey(
+      "raw",
+      encoder.encode(passphrase),
+      "PBKDF2",
+      false,
+      ["deriveBits", "deriveKey"]
+    );
+    const key = await window.crypto.subtle.deriveKey(
+      {
+        name: "PBKDF2",
+        salt: encoder.encode("lanonasis-api-key-salt"),
+        iterations: 1e5,
+        hash: "SHA-256"
+      },
+      keyMaterial,
+      { name: "AES-GCM", length: 256 },
+      true,
+      ["encrypt", "decrypt"]
+    );
+    const iv = window.crypto.getRandomValues(new Uint8Array(12));
+    const encrypted = await window.crypto.subtle.encrypt(
+      { name: "AES-GCM", iv },
+      key,
+      data
+    );
+    const combined = new Uint8Array(iv.length + encrypted.byteLength);
+    combined.set(iv, 0);
+    combined.set(new Uint8Array(encrypted), iv.length);
+    return this.base64Encode(combined);
+  }
+  async decrypt(encrypted) {
+    if (typeof window === "undefined" || !window.crypto?.subtle) {
+      const decoder2 = new TextDecoder();
+      return decoder2.decode(this.base64Decode(encrypted));
+    }
+    const bytes = this.base64Decode(encrypted);
+    const iv = bytes.slice(0, 12);
+    const data = bytes.slice(12);
+    const encoder = new TextEncoder();
+    const decoder = new TextDecoder();
+    const passphrase = await this.getWebEncryptionKey();
+    const keyMaterial = await window.crypto.subtle.importKey(
+      "raw",
+      encoder.encode(passphrase),
+      "PBKDF2",
+      false,
+      ["deriveBits", "deriveKey"]
+    );
+    const key = await window.crypto.subtle.deriveKey(
+      {
+        name: "PBKDF2",
+        salt: encoder.encode("lanonasis-api-key-salt"),
+        iterations: 1e5,
+        hash: "SHA-256"
+      },
+      keyMaterial,
+      { name: "AES-GCM", length: 256 },
+      true,
+      ["encrypt", "decrypt"]
+    );
+    const decrypted = await window.crypto.subtle.decrypt(
+      { name: "AES-GCM", iv },
+      key,
+      data
+    );
+    return decoder.decode(decrypted);
+  }
+  async getWebEncryptionKey() {
+    const existing = localStorage.getItem(this.webEncryptionKeyStorage);
+    if (existing) return existing;
+    const buf = new Uint8Array(32);
+    if (typeof window !== "undefined" && window.crypto?.getRandomValues) {
+      window.crypto.getRandomValues(buf);
+    }
+    const raw = Array.from(buf).map((b) => b.toString(16).padStart(2, "0")).join("");
+    localStorage.setItem(this.webEncryptionKeyStorage, raw);
+    return raw;
+  }
+  base64Encode(bytes) {
+    let binary = "";
+    bytes.forEach((b) => {
+      binary += String.fromCharCode(b);
+    });
+    return btoa(binary);
+  }
+  base64Decode(value) {
+    const binary = atob(value);
+    const bytes = new Uint8Array(binary.length);
+    for (let i = 0; i < binary.length; i++) {
+      bytes[i] = binary.charCodeAt(i);
+    }
+    return bytes;
+  }
+};
+
+// src/client/mcp-client.ts
+var import_cross_fetch4 = __toESM(require("cross-fetch"), 1);
+
+// src/flows/apikey-flow.ts
+var import_cross_fetch3 = __toESM(require("cross-fetch"), 1);
+var APIKeyFlow = class extends BaseOAuthFlow {
+  constructor(apiKey, authBaseUrl = "https://mcp.lanonasis.com") {
+    super({
+      clientId: "api-key-client",
+      authBaseUrl
+    });
+    this.apiKey = apiKey;
+  }
+  /**
+   * "Authenticate" by returning the API key as a virtual token
+   * The API key will be used directly in request headers
+   */
+  async authenticate() {
+    if (!this.apiKey || !this.apiKey.startsWith("lano_") && !this.apiKey.startsWith("vx_")) {
+      throw new Error(
+        'Invalid API key format. Must start with "lano_" or "vx_". Please regenerate your API key from the dashboard.'
+      );
+    }
+    if (this.apiKey.startsWith("vx_")) {
+      console.warn(
+        '\u26A0\uFE0F  DEPRECATION WARNING: API keys with "vx_" prefix are deprecated and will stop working soon. Please regenerate your API key from the dashboard to get a "lano_" prefixed key. Support for "vx_" keys will be removed in a future version.'
+      );
+    }
+    return {
+      access_token: this.apiKey,
+      token_type: "api-key",
+      expires_in: 0,
+      // API keys don't expire
+      issued_at: Date.now()
+    };
+  }
+  /**
+   * API keys don't need refresh
+   */
+  async refreshToken(refreshToken) {
+    throw new Error("API keys do not support token refresh");
+  }
+  /**
+   * Optional: Validate API key by making a test request
+   */
+  async validateAPIKey() {
+    try {
+      const response = await (0, import_cross_fetch3.default)(`${this.config.authBaseUrl}/api/v1/health`, {
+        headers: {
+          "x-api-key": this.apiKey
+        }
+      });
+      return response.ok;
+    } catch (error) {
+      console.error("API key validation failed:", error);
+      return false;
+    }
+  }
+};
+
 // src/client/mcp-client.ts
 var MCPClient = class {
   constructor(config = {}) {
+    // ← NEW: Track auth mode
     this.ws = null;
     this.eventSource = null;
     this.accessToken = null;
@@ -1083,31 +1458,47 @@ var MCPClient = class {
       autoRefresh: true,
       ...config
     };
-    this.tokenStorage = new TokenStorage();
-    if (this.isTerminal()) {
-      this.authFlow = new TerminalOAuthFlow(config);
+    const defaultStorage = typeof window !== "undefined" ? new TokenStorageWeb() : new TokenStorage();
+    this.tokenStorage = config.tokenStorage || defaultStorage;
+    this.authMode = config.apiKey ? "apikey" : "oauth";
+    if (this.authMode === "apikey") {
+      this.authFlow = new APIKeyFlow(
+        config.apiKey,
+        config.authBaseUrl || "https://mcp.lanonasis.com"
+      );
     } else {
-      this.authFlow = new DesktopOAuthFlow(config);
+      if (this.isTerminal()) {
+        this.authFlow = new TerminalOAuthFlow(config);
+      } else {
+        this.authFlow = new DesktopOAuthFlow(config);
+      }
     }
   }
   async connect() {
     try {
       let tokens = await this.tokenStorage.retrieve();
-      if (!tokens || this.tokenStorage.isTokenExpired(tokens)) {
-        if (tokens?.refresh_token) {
-          try {
-            tokens = await this.authFlow.refreshToken(tokens.refresh_token);
-            await this.tokenStorage.store(tokens);
-          } catch (error) {
+      if (this.authMode === "apikey") {
+        if (!tokens) {
+          tokens = await this.authenticate();
+        }
+        this.accessToken = tokens.access_token;
+      } else {
+        if (!tokens || this.tokenStorage.isTokenExpired(tokens)) {
+          if (tokens?.refresh_token) {
+            try {
+              tokens = await this.authFlow.refreshToken(tokens.refresh_token);
+              await this.tokenStorage.store(tokens);
+            } catch (error) {
+              tokens = await this.authenticate();
+            }
+          } else {
             tokens = await this.authenticate();
           }
-        } else {
-          tokens = await this.authenticate();
         }
-      }
-      this.accessToken = tokens.access_token;
-      if (this.config.autoRefresh && tokens.expires_in) {
-        this.scheduleTokenRefresh(tokens);
+        this.accessToken = tokens.access_token;
+        if (this.config.autoRefresh && tokens.expires_in) {
+          this.scheduleTokenRefresh(tokens);
+        }
       }
       await this.establishConnection();
     } catch (error) {
@@ -1127,6 +1518,10 @@ var MCPClient = class {
     if (!tokens) {
       throw new Error("Not authenticated");
     }
+    if (this.authMode === "apikey") {
+      this.accessToken = tokens.access_token;
+      return;
+    }
     if (this.tokenStorage.isTokenExpired(tokens)) {
       if (tokens.refresh_token) {
         try {
@@ -1183,11 +1578,19 @@ var MCPClient = class {
       this.ws = new WebSocket(wsUrl.toString());
     } else {
       const { default: WS } = await import("ws");
-      this.ws = new WS(wsUrl.toString(), {
-        headers: {
-          "Authorization": `Bearer ${this.accessToken}`
-        }
-      });
+      if (this.authMode === "apikey") {
+        this.ws = new WS(wsUrl.toString(), {
+          headers: {
+            "x-api-key": this.accessToken
+          }
+        });
+      } else {
+        this.ws = new WS(wsUrl.toString(), {
+          headers: {
+            "Authorization": `Bearer ${this.accessToken}`
+          }
+        });
+      }
     }
     return new Promise((resolve, reject) => {
       if (!this.ws) {
@@ -1221,11 +1624,19 @@ var MCPClient = class {
     } else {
       const EventSourceModule = await import("eventsource");
       const ES = EventSourceModule.default || EventSourceModule;
-      this.eventSource = new ES(sseUrl.toString(), {
-        headers: {
-          "Authorization": `Bearer ${this.accessToken}`
-        }
-      });
+      if (this.authMode === "apikey") {
+        this.eventSource = new ES(sseUrl.toString(), {
+          headers: {
+            "x-api-key": this.accessToken
+          }
+        });
+      } else {
+        this.eventSource = new ES(sseUrl.toString(), {
+          headers: {
+            "Authorization": `Bearer ${this.accessToken}`
+          }
+        });
+      }
     }
     this.eventSource.onopen = () => {
       console.log("MCP SSE connected");
@@ -1255,12 +1666,17 @@ var MCPClient = class {
     if (!this.accessToken) {
       throw new Error("Not authenticated");
     }
-    const response = await fetch(`${this.config.mcpEndpoint}/api`, {
+    const headers = {
+      "Content-Type": "application/json"
+    };
+    if (this.authMode === "apikey") {
+      headers["x-api-key"] = this.accessToken;
+    } else {
+      headers["Authorization"] = `Bearer ${this.accessToken}`;
+    }
+    const response = await (0, import_cross_fetch4.default)(`${this.config.mcpEndpoint}/api`, {
       method: "POST",
-      headers: {
-        "Authorization": `Bearer ${this.accessToken}`,
-        "Content-Type": "application/json"
-      },
+      headers,
       body: JSON.stringify({
         jsonrpc: "2.0",
         id: this.generateId(),
@@ -1269,6 +1685,9 @@ var MCPClient = class {
       })
     });
     if (response.status === 401) {
+      if (this.authMode === "apikey") {
+        throw new Error("Invalid API key - please check your credentials");
+      }
       const tokens = await this.tokenStorage.retrieve();
       if (tokens?.refresh_token) {
         const newTokens = await this.authFlow.refreshToken(tokens.refresh_token);
@@ -1354,12 +1773,3 @@ var MCPClient = class {
     return this.request("memory/delete", { id });
   }
 };
-// Annotate the CommonJS export names for ESM import in node:
-0 && (module.exports = {
-  ApiKeyStorage,
-  BaseOAuthFlow,
-  DesktopOAuthFlow,
-  MCPClient,
-  TerminalOAuthFlow,
-  TokenStorage
-});