@lindblad/complai-mcp 0.1.0

package/README.md

@@ -0,0 +1,303 @@
+# COMPLAI MCP Server
+
+An MCP (Model Context Protocol) server that provides compliance overview data to AI assistants.
+
+**Package:** `@lindblad/complai-mcp`
+
+## Features
+
+- **Compliance overview**: `complai_compliance_brief` - Get organization-wide compliance status
+- **User authentication**: Log in with your COMPLAI credentials via browser (no secrets needed)
+- **M2M authentication**: Alternative machine-to-machine auth for automation
+- **AI-optimized responses**: Structured data with human-readable alerts
+- **Mock mode**: Test without API credentials
+- **Persistent sessions**: Login is saved locally - no need to re-authenticate
+
+## Installation
+
+### From npm (Recommended)
+
+```bash
+# Install globally
+npm install -g @lindblad/complai-mcp
+
+# Or run directly with npx
+npx @lindblad/complai-mcp
+```
+
+### From Source
+
+```bash
+git clone <repo-url>
+cd mcps/complai-brief
+npm install
+npm run build
+```
+
+## Quick Start with Cursor/Claude Desktop
+
+### Using npx (Easiest)
+
+Add to your MCP configuration (`.cursor/mcp.json` or `claude_desktop_config.json`):
+
+```json
+{
+  "mcpServers": {
+    "complai": {
+      "command": "npx",
+      "args": ["@lindblad/complai-mcp"],
+      "env": {
+        "COMPLAI_API_URL": "https://api.complai.com",
+        "COMPLAI_AUTH0_DOMAIN": "lindcon.eu.auth0.com",
+        "COMPLAI_AUTH0_CLIENT_ID": "your-client-id",
+        "COMPLAI_AUTH0_AUDIENCE": "https://api.complai.com",
+        "COMPLAI_ORGANIZATION_ID": "org_xxxxx"
+      }
+    }
+  }
+}
+```
+
+### Using Global Install
+
+```json
+{
+  "mcpServers": {
+    "complai": {
+      "command": "complai-mcp",
+      "env": {
+        "COMPLAI_API_URL": "https://api.complai.com",
+        "COMPLAI_AUTH0_DOMAIN": "lindcon.eu.auth0.com",
+        "COMPLAI_AUTH0_CLIENT_ID": "your-client-id",
+        "COMPLAI_AUTH0_AUDIENCE": "https://api.complai.com",
+        "COMPLAI_ORGANIZATION_ID": "org_xxxxx"
+      }
+    }
+  }
+}
+```
+
+## Authentication Modes
+
+### User Authentication (Recommended)
+
+No client secret required. Users authenticate via browser using their COMPLAI credentials.
+
+1. Configure without `COMPLAI_AUTH0_CLIENT_SECRET`:
+
+```json
+{
+  "mcpServers": {
+    "complai": {
+      "command": "npx",
+      "args": ["@lindblad/complai-mcp"],
+      "env": {
+        "COMPLAI_API_URL": "https://api.complai.com",
+        "COMPLAI_AUTH0_DOMAIN": "lindcon.eu.auth0.com",
+        "COMPLAI_AUTH0_CLIENT_ID": "your-client-id",
+        "COMPLAI_AUTH0_AUDIENCE": "https://api.complai.com",
+        "COMPLAI_ORGANIZATION_ID": "org_xxxxx"
+      }
+    }
+  }
+}
+```
+
+2. When you first use a COMPLAI tool, use `complai_login`:
+   - You'll get a URL and code
+   - Open the URL in your browser
+   - Enter the code and log in with your COMPLAI credentials
+   - Done! Your session is saved to `~/.complai/`
+
+### M2M Authentication (For Automation)
+
+For scripts, CI/CD, or shared environments. Requires a client secret.
+
+```json
+{
+  "mcpServers": {
+    "complai": {
+      "command": "npx",
+      "args": ["@lindblad/complai-mcp"],
+      "env": {
+        "COMPLAI_API_URL": "https://api.complai.com",
+        "COMPLAI_AUTH0_DOMAIN": "lindcon.eu.auth0.com",
+        "COMPLAI_AUTH0_CLIENT_ID": "your-m2m-client-id",
+        "COMPLAI_AUTH0_CLIENT_SECRET": "your-m2m-client-secret",
+        "COMPLAI_AUTH0_AUDIENCE": "https://api.complai.com",
+        "COMPLAI_ORGANIZATION_ID": "org_xxxxx"
+      }
+    }
+  }
+}
+```
+
+### Mock Mode
+
+For testing without any API connection:
+
+```json
+{
+  "mcpServers": {
+    "complai": {
+      "command": "npx",
+      "args": ["@lindblad/complai-mcp"],
+      "env": {
+        "COMPLAI_MOCK_MODE": "true"
+      }
+    }
+  }
+}
+```
+
+## Authentication Flow
+
+### First Time Setup (User Auth Mode)
+
+When you start the server for the first time, it will prompt for authentication:
+
+```
+COMPLAI MCP Server v0.1.0
+─────────────────────────
+API:  https://api.test.complai.com
+Auth: User (Device Flow)
+
+Authentication required. Starting device authorization flow...
+
+┌─────────────────────────────────────────────────────────────┐
+│  Please complete authentication in your browser:            │
+│                                                             │
+│  1. Open:  https://complai-test.eu.auth0.com/activate       │
+│  2. Enter: ABCD-EFGH                                        │
+│                                                             │
+│  Waiting for authentication...                              │
+└─────────────────────────────────────────────────────────────┘
+
+✓ Authentication successful!
+
+Starting server...
+✓ Server ready
+```
+
+After logging in once, your session is saved to `~/.complai/` and you won't need to log in again.
+
+### Logging Out
+
+To log out, delete the stored credentials:
+```bash
+rm -rf ~/.complai/.credentials.enc
+```
+
+## Available Tools
+
+### `complai_list_organizations`
+
+List all COMPLAI organizations the user has access to.
+
+**Parameters:** None
+
+**Response:**
+```json
+{
+  "organizations": [
+    { "id": "org_xxx", "name": "Acme Corp" },
+    { "id": "org_yyy", "name": "Beta Inc" }
+  ],
+  "message": "User has access to 2 organizations. Ask which one to check."
+}
+```
+
+### `complai_compliance_brief`
+
+Get compliance status overview for a specific organization.
+
+**Parameters:**
+| Parameter | Type | Required | Description |
+|-----------|------|----------|-------------|
+| `organizationId` | string | Yes | The organization ID (from `complai_list_organizations`) |
+| `workspaceId` | string | No | Filter results to a specific workspace |
+
+**Response:**
+```json
+{
+  "summary": {
+    "description": "Compliance overview as of 2026-01-15",
+    "dataRooms": 24,
+    "assets": 156,
+    "manufacturers": 42,
+    "totalTasks": 89,
+    "overdueActions": 7
+  },
+  "riskDistribution": [
+    { "level": "High", "count": 3, "percentage": 12.5 },
+    { "level": "Medium", "count": 8, "percentage": 33.3 },
+    { "level": "Low", "count": 13, "percentage": 54.2 }
+  ],
+  "taskStatus": {
+    "overdue": 12,
+    "dueThisWeek": 8,
+    "onTrack": 45,
+    "noDeadline": 24
+  },
+  "alerts": [
+    "7 corrective actions are past their deadline",
+    "12 tasks are overdue"
+  ]
+}
+```
+
+## Development
+
+### Testing with MCP Inspector
+
+```bash
+npm run inspector
+```
+
+### Project Structure
+
+```
+complai-brief/
+├── src/
+│   ├── index.ts              # MCP server entry point
+│   ├── types.ts              # TypeScript interfaces
+│   ├── tools/
+│   │   └── compliance-brief.ts   # Tool implementation
+│   ├── auth/
+│   │   ├── token-manager.ts      # Unified token management
+│   │   └── device-auth.ts        # Device authorization flow
+│   ├── api/
+│   │   └── complai-client.ts     # API client
+│   └── config/
+│       └── config-loader.ts      # Configuration loading
+├── package.json
+├── tsconfig.json
+└── README.md
+```
+
+## Error Handling
+
+The server returns AI-friendly error messages:
+
+| Error | Message |
+|-------|---------|
+| Authentication failed | "Authentication failed. Check your client credentials." |
+| Network error | "Cannot reach COMPLAI API. Check your network connection." |
+| Rate limited | "Rate limit exceeded. Try again in X seconds." |
+| Permission denied | "You don't have access to this organization." |
+
+## Security
+
+- **User auth mode**: Refresh tokens are stored encrypted in `~/.complai/` with AES-256-GCM
+- **M2M mode**: Client secrets should be stored securely (environment variables recommended)
+- Encryption keys are stored with restrictive permissions (600)
+- Access tokens are cached in memory only (not persisted)
+- All API calls use HTTPS
+- MCP respects the same permissions as the COMPLAI web UI
+
+### Stored Files (User Auth Mode)
+
+| File | Purpose |
+|------|---------|
+| `~/.complai/.credentials.enc` | Encrypted refresh token |
+| `~/.complai/.key` | Encryption key (600 permissions) |

package/dist/api/complai-client.d.ts

@@ -0,0 +1,46 @@
+import { ComplaiConfig, DashboardOverviewResponse, UserProfile, AuditRoomsResponse } from '../types.js';
+import { TokenManager } from '../auth/token-manager.js';
+/**
+ * HTTP client for COMPLAI api-auth0 endpoints.
+ * Handles authentication, organization context, and error handling.
+ */
+export declare class ComplaiClient {
+    private readonly tokenManager;
+    private readonly baseUrl;
+    private readonly defaultOrganizationId?;
+    constructor(config: ComplaiConfig, tokenManager: TokenManager);
+    /**
+     * Get the default organization ID if configured
+     */
+    getDefaultOrganizationId(): string | undefined;
+    /**
+     * Get current user profile including their organizations
+     */
+    getMe(): Promise<UserProfile>;
+    /**
+     * Get dashboard overview data for a specific organization
+     */
+    getDashboardOverview(organizationId: string, workspaceId?: string): Promise<DashboardOverviewResponse>;
+    /**
+     * Get audit rooms list with status overview
+     * Returns rooms with risk rating, engagement, task completion
+     */
+    getAuditRooms(organizationId: string, page?: number, pageSize?: number): Promise<AuditRoomsResponse>;
+    /**
+     * Make a GET request to the COMPLAI API
+     */
+    private get;
+    /**
+     * Make a POST request to the COMPLAI API
+     */
+    private post;
+    /**
+     * Make an authenticated request with retry on 401
+     */
+    private request;
+    /**
+     * Handle API errors with AI-friendly messages
+     */
+    private handleError;
+}
+//# sourceMappingURL=complai-client.d.ts.map

package/dist/api/complai-client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"complai-client.d.ts","sourceRoot":"","sources":["../../src/api/complai-client.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,yBAAyB,EAAE,WAAW,EAAE,kBAAkB,EAAE,MAAM,aAAa,CAAC;AACxG,OAAO,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AAExD;;;GAGG;AACH,qBAAa,aAAa;IACxB,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAe;IAC5C,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;IACjC,OAAO,CAAC,QAAQ,CAAC,qBAAqB,CAAC,CAAS;gBAEpC,MAAM,EAAE,aAAa,EAAE,YAAY,EAAE,YAAY;IAM7D;;OAEG;IACH,wBAAwB,IAAI,MAAM,GAAG,SAAS;IAI9C;;OAEG;IACG,KAAK,IAAI,OAAO,CAAC,WAAW,CAAC;IAInC;;OAEG;IACG,oBAAoB,CAAC,cAAc,EAAE,MAAM,EAAE,WAAW,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,yBAAyB,CAAC;IAQ5G;;;OAGG;IACG,aAAa,CAAC,cAAc,EAAE,MAAM,EAAE,IAAI,GAAE,MAAU,EAAE,QAAQ,GAAE,MAAW,GAAG,OAAO,CAAC,kBAAkB,CAAC;IAKjH;;OAEG;YACW,GAAG;IAIjB;;OAEG;YACW,IAAI;IAIlB;;OAEG;YACW,OAAO;IA4CrB;;OAEG;YACW,WAAW;CAqB1B"}

package/dist/api/complai-client.js

@@ -0,0 +1,113 @@
+/**
+ * HTTP client for COMPLAI api-auth0 endpoints.
+ * Handles authentication, organization context, and error handling.
+ */
+export class ComplaiClient {
+    tokenManager;
+    baseUrl;
+    defaultOrganizationId;
+    constructor(config, tokenManager) {
+        this.tokenManager = tokenManager;
+        this.baseUrl = config.api.baseUrl.replace(/\/$/, ''); // Remove trailing slash
+        this.defaultOrganizationId = config.api.organizationId;
+    }
+    /**
+     * Get the default organization ID if configured
+     */
+    getDefaultOrganizationId() {
+        return this.defaultOrganizationId;
+    }
+    /**
+     * Get current user profile including their organizations
+     */
+    async getMe() {
+        return this.get('/api/v2/me');
+    }
+    /**
+     * Get dashboard overview data for a specific organization
+     */
+    async getDashboardOverview(organizationId, workspaceId) {
+        const filters = workspaceId
+            ? { items: [{ field: 'workspaceId', value: workspaceId }] }
+            : { items: [] };
+        return this.post('/api/v2/dashboards/charts/overview', { filters }, organizationId);
+    }
+    /**
+     * Get audit rooms list with status overview
+     * Returns rooms with risk rating, engagement, task completion
+     */
+    async getAuditRooms(organizationId, page = 1, pageSize = 20) {
+        const url = `/api/v2/audit-rooms?page=${page}&pageSize=${pageSize}&orderField=name&order=ASC`;
+        return this.get(url, organizationId);
+    }
+    /**
+     * Make a GET request to the COMPLAI API
+     */
+    async get(path, organizationId) {
+        return this.request('GET', path, undefined, organizationId);
+    }
+    /**
+     * Make a POST request to the COMPLAI API
+     */
+    async post(path, body, organizationId) {
+        return this.request('POST', path, body, organizationId);
+    }
+    /**
+     * Make an authenticated request with retry on 401
+     */
+    async request(method, path, body, organizationId) {
+        const makeRequest = async (token) => {
+            const url = `${this.baseUrl}${path}`;
+            const headers = {
+                'Authorization': `Bearer ${token}`,
+                'Content-Type': 'application/json',
+            };
+            // Add organization context header if specified
+            if (organizationId) {
+                headers['x-organization-id'] = organizationId;
+            }
+            const options = {
+                method,
+                headers,
+            };
+            if (body !== undefined) {
+                options.body = JSON.stringify(body);
+            }
+            return fetch(url, options);
+        };
+        // First attempt
+        let token = await this.tokenManager.getToken();
+        let response = await makeRequest(token);
+        // Retry once on 401 with fresh token
+        if (response.status === 401) {
+            this.tokenManager.invalidate();
+            token = await this.tokenManager.refreshToken();
+            response = await makeRequest(token);
+        }
+        // Handle errors
+        if (!response.ok) {
+            await this.handleError(response);
+        }
+        return (await response.json());
+    }
+    /**
+     * Handle API errors with AI-friendly messages
+     */
+    async handleError(response) {
+        const status = response.status;
+        const errorText = await response.text().catch(() => 'Unknown error');
+        console.error(`[DEBUG] API Error ${status}: ${errorText}`);
+        if (status === 401 || status === 403) {
+            throw new Error(`Access denied (${status}): ${errorText}`);
+        }
+        if (status === 429) {
+            const retryAfter = response.headers.get('Retry-After') || '60';
+            throw new Error(`Rate limit exceeded. Try again in ${retryAfter} seconds.`);
+        }
+        if (status >= 500) {
+            throw new Error('COMPLAI API is temporarily unavailable. Try again later.');
+        }
+        throw new Error(`API error (${status}): ${errorText}`);
+    }
+}
+//# sourceMappingURL=complai-client.js.map

package/dist/api/complai-client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"complai-client.js","sourceRoot":"","sources":["../../src/api/complai-client.ts"],"names":[],"mappings":"AAGA;;;GAGG;AACH,MAAM,OAAO,aAAa;IACP,YAAY,CAAe;IAC3B,OAAO,CAAS;IAChB,qBAAqB,CAAU;IAEhD,YAAY,MAAqB,EAAE,YAA0B;QAC3D,IAAI,CAAC,YAAY,GAAG,YAAY,CAAC;QACjC,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,CAAC,wBAAwB;QAC9E,IAAI,CAAC,qBAAqB,GAAG,MAAM,CAAC,GAAG,CAAC,cAAc,CAAC;IACzD,CAAC;IAED;;OAEG;IACH,wBAAwB;QACtB,OAAO,IAAI,CAAC,qBAAqB,CAAC;IACpC,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,KAAK;QACT,OAAO,IAAI,CAAC,GAAG,CAAc,YAAY,CAAC,CAAC;IAC7C,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,oBAAoB,CAAC,cAAsB,EAAE,WAAoB;QACrE,MAAM,OAAO,GAAG,WAAW;YACzB,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,KAAK,EAAE,aAAa,EAAE,KAAK,EAAE,WAAW,EAAE,CAAC,EAAE;YAC3D,CAAC,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC;QAElB,OAAO,IAAI,CAAC,IAAI,CAA4B,oCAAoC,EAAE,EAAE,OAAO,EAAE,EAAE,cAAc,CAAC,CAAC;IACjH,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,aAAa,CAAC,cAAsB,EAAE,OAAe,CAAC,EAAE,WAAmB,EAAE;QACjF,MAAM,GAAG,GAAG,4BAA4B,IAAI,aAAa,QAAQ,4BAA4B,CAAC;QAC9F,OAAO,IAAI,CAAC,GAAG,CAAqB,GAAG,EAAE,cAAc,CAAC,CAAC;IAC3D,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,GAAG,CAAI,IAAY,EAAE,cAAuB;QACxD,OAAO,IAAI,CAAC,OAAO,CAAI,KAAK,EAAE,IAAI,EAAE,SAAS,EAAE,cAAc,CAAC,CAAC;IACjE,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,IAAI,CAAI,IAAY,EAAE,IAAa,EAAE,cAAuB;QACxE,OAAO,IAAI,CAAC,OAAO,CAAI,MAAM,EAAE,IAAI,EAAE,IAAI,EAAE,cAAc,CAAC,CAAC;IAC7D,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,OAAO,CAAI,MAAc,EAAE,IAAY,EAAE,IAAc,EAAE,cAAuB;QAC5F,MAAM,WAAW,GAAG,KAAK,EAAE,KAAa,EAAqB,EAAE;YAC7D,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,OAAO,GAAG,IAAI,EAAE,CAAC;YACrC,MAAM,OAAO,GAA2B;gBACtC,eAAe,EAAE,UAAU,KAAK,EAAE;gBAClC,cAAc,EAAE,kBAAkB;aACnC,CAAC;YAEF,+CAA+C;YAC/C,IAAI,cAAc,EAAE,CAAC;gBACnB,OAAO,CAAC,mBAAmB,CAAC,GAAG,cAAc,CAAC;YAChD,CAAC;YAED,MAAM,OAAO,GAAgB;gBAC3B,MAAM;gBACN,OAAO;aACR,CAAC;YAEF,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;gBACvB,OAAO,CAAC,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;YACtC,CAAC;YAED,OAAO,KAAK,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;QAC7B,CAAC,CAAC;QAEF,gBAAgB;QAChB,IAAI,KAAK,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,QAAQ,EAAE,CAAC;QAC/C,IAAI,QAAQ,GAAG,MAAM,WAAW,CAAC,KAAK,CAAC,CAAC;QAExC,qCAAqC;QACrC,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5B,IAAI,CAAC,YAAY,CAAC,UAAU,EAAE,CAAC;YAC/B,KAAK,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,YAAY,EAAE,CAAC;YAC/C,QAAQ,GAAG,MAAM,WAAW,CAAC,KAAK,CAAC,CAAC;QACtC,CAAC;QAED,gBAAgB;QAChB,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC;QACnC,CAAC;QAED,OAAO,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAM,CAAC;IACtC,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,WAAW,CAAC,QAAkB;QAC1C,MAAM,MAAM,GAAG,QAAQ,CAAC,MAAM,CAAC;QAC/B,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,eAAe,CAAC,CAAC;QAErE,OAAO,CAAC,KAAK,CAAC,qBAAqB,MAAM,KAAK,SAAS,EAAE,CAAC,CAAC;QAE3D,IAAI,MAAM,KAAK,GAAG,IAAI,MAAM,KAAK,GAAG,EAAE,CAAC;YACrC,MAAM,IAAI,KAAK,CAAC,kBAAkB,MAAM,MAAM,SAAS,EAAE,CAAC,CAAC;QAC7D,CAAC;QAED,IAAI,MAAM,KAAK,GAAG,EAAE,CAAC;YACnB,MAAM,UAAU,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,IAAI,IAAI,CAAC;YAC/D,MAAM,IAAI,KAAK,CAAC,qCAAqC,UAAU,WAAW,CAAC,CAAC;QAC9E,CAAC;QAED,IAAI,MAAM,IAAI,GAAG,EAAE,CAAC;YAClB,MAAM,IAAI,KAAK,CAAC,0DAA0D,CAAC,CAAC;QAC9E,CAAC;QAED,MAAM,IAAI,KAAK,CAAC,cAAc,MAAM,MAAM,SAAS,EAAE,CAAC,CAAC;IACzD,CAAC;CACF"}

package/dist/auth/device-auth.d.ts

@@ -0,0 +1,98 @@
+/**
+ * Device Authorization Flow for Auth0
+ * Allows users to authenticate via browser without exposing client secrets
+ */
+export interface DeviceAuthConfig {
+    domain: string;
+    clientId: string;
+    audience: string;
+    scope?: string;
+}
+export interface DeviceCodeResponse {
+    device_code: string;
+    user_code: string;
+    verification_uri: string;
+    verification_uri_complete: string;
+    expires_in: number;
+    interval: number;
+}
+export interface TokenResponse {
+    access_token: string;
+    refresh_token?: string;
+    token_type: string;
+    expires_in: number;
+}
+/**
+ * Device Authorization Manager
+ * Handles the device code flow and token storage
+ */
+export declare class DeviceAuthManager {
+    private config;
+    private cachedAccessToken;
+    constructor(config: DeviceAuthConfig);
+    /**
+     * Get a valid access token, prompting for login if needed
+     */
+    getAccessToken(): Promise<string>;
+    /**
+     * Initiate device authorization flow
+     * Returns user instructions for completing authentication
+     */
+    initiateDeviceAuthorization(): Promise<{
+        userCode: string;
+        verificationUri: string;
+        verificationUriComplete: string;
+        expiresIn: number;
+        pollForToken: () => Promise<TokenResponse>;
+    }>;
+    /**
+     * Poll Auth0 for token after user completes authentication
+     */
+    private pollForToken;
+    /**
+     * Refresh the access token using a refresh token
+     */
+    private refreshAccessToken;
+    /**
+     * Cache access token in memory
+     */
+    private cacheToken;
+    /**
+     * Store refresh token encrypted on disk
+     */
+    private storeCredentials;
+    /**
+     * Load stored credentials from disk
+     */
+    private loadStoredCredentials;
+    /**
+     * Clear stored credentials (logout)
+     */
+    clearCredentials(): void;
+    /**
+     * Check if user is authenticated
+     */
+    isAuthenticated(): boolean;
+    /**
+     * Get or create encryption key
+     */
+    private getEncryptionKey;
+    /**
+     * Encrypt data using AES-256-GCM
+     */
+    private encrypt;
+    /**
+     * Decrypt data using AES-256-GCM
+     */
+    private decrypt;
+    private sleep;
+}
+/**
+ * Error thrown when authentication is required
+ */
+export declare class AuthenticationRequiredError extends Error {
+    readonly domain: string;
+    readonly clientId: string;
+    constructor(message: string, domain: string, clientId: string);
+}
+//# sourceMappingURL=device-auth.d.ts.map

package/dist/auth/device-auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"device-auth.d.ts","sourceRoot":"","sources":["../../src/auth/device-auth.ts"],"names":[],"mappings":"AAKA;;;GAGG;AAEH,MAAM,WAAW,gBAAgB;IAC/B,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,kBAAkB;IACjC,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,gBAAgB,EAAE,MAAM,CAAC;IACzB,yBAAyB,EAAE,MAAM,CAAC;IAClC,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,aAAa;IAC5B,YAAY,EAAE,MAAM,CAAC;IACrB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;CACpB;AAaD;;;GAGG;AACH,qBAAa,iBAAiB;IAC5B,OAAO,CAAC,MAAM,CAAmB;IACjC,OAAO,CAAC,iBAAiB,CAAqD;gBAElE,MAAM,EAAE,gBAAgB;IAOpC;;OAEG;IACG,cAAc,IAAI,OAAO,CAAC,MAAM,CAAC;IAiCvC;;;OAGG;IACG,2BAA2B,IAAI,OAAO,CAAC;QAC3C,QAAQ,EAAE,MAAM,CAAC;QACjB,eAAe,EAAE,MAAM,CAAC;QACxB,uBAAuB,EAAE,MAAM,CAAC;QAChC,SAAS,EAAE,MAAM,CAAC;QAClB,YAAY,EAAE,MAAM,OAAO,CAAC,aAAa,CAAC,CAAC;KAC5C,CAAC;IA2BF;;OAEG;YACW,YAAY;IAmD1B;;OAEG;YACW,kBAAkB;IAmBhC;;OAEG;IACH,OAAO,CAAC,UAAU;IAOlB;;OAEG;IACH,OAAO,CAAC,gBAAgB;IAkBxB;;OAEG;IACH,OAAO,CAAC,qBAAqB;IA0B7B;;OAEG;IACH,gBAAgB,IAAI,IAAI;IAOxB;;OAEG;IACH,eAAe,IAAI,OAAO;IAO1B;;OAEG;IACH,OAAO,CAAC,gBAAgB;IAexB;;OAEG;IACH,OAAO,CAAC,OAAO;IAaf;;OAEG;IACH,OAAO,CAAC,OAAO;IAqBf,OAAO,CAAC,KAAK;CAGd;AAED;;GAEG;AACH,qBAAa,2BAA4B,SAAQ,KAAK;aAGlC,MAAM,EAAE,MAAM;aACd,QAAQ,EAAE,MAAM;gBAFhC,OAAO,EAAE,MAAM,EACC,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,MAAM;CAKnC"}