@loop_ouroboros/mcp-hub-lite 1.2.5 → 1.2.7

package/dist/server/src/services/mcp-oauth/oauth-provider.d.ts

@@ -0,0 +1,42 @@
+/**
+ * MCP OAuth Client Provider implementing the SDK's OAuthClientProvider interface.
+ *
+ * Handles the full OAuth 2.0 authorization code flow with PKCE for MCP servers:
+ * - Persists tokens and client info to JSON files
+ * - Opens system browser for user authorization
+ * - Manages a local HTTP callback server for auth code capture
+ * - Supports token refresh and credential invalidation
+ */
+import type { OAuthClientProvider } from '@modelcontextprotocol/sdk/client/auth.js';
+import type { OAuthClientInformationMixed, OAuthTokens, OAuthClientMetadata } from '@modelcontextprotocol/sdk/shared/auth.js';
+import { OAuthCallbackServer } from './oauth-callback-server.js';
+import type { McpOAuthProviderOptions } from './oauth-types.js';
+export declare class McpOAuthClientProvider implements OAuthClientProvider {
+    private _callbackServer;
+    private storage;
+    private _configDir;
+    private _callbackPort;
+    private _serverUrlHash;
+    constructor(options: McpOAuthProviderOptions);
+    get redirectUrl(): string;
+    get clientMetadata(): OAuthClientMetadata;
+    clientInformation(): OAuthClientInformationMixed | undefined;
+    saveClientInformation(info: OAuthClientInformationMixed): void;
+    tokens(): OAuthTokens | undefined;
+    saveTokens(tokens: OAuthTokens): void;
+    redirectToAuthorization(authorizationUrl: URL): Promise<void>;
+    saveCodeVerifier(codeVerifier: string): void;
+    codeVerifier(): string;
+    invalidateCredentials(scope: 'all' | 'client' | 'tokens' | 'verifier' | 'discovery'): Promise<void>;
+    /**
+     * Starts the local callback server for auth code capture.
+     * Idempotent — returns existing server if already running.
+     */
+    startCallbackServer(): Promise<OAuthCallbackServer>;
+    /**
+     * Stops the callback server after auth flow completes.
+     */
+    stopCallbackServer(): Promise<void>;
+    getCallbackServer(): OAuthCallbackServer | null;
+}
+//# sourceMappingURL=oauth-provider.d.ts.map

package/dist/server/src/services/mcp-oauth/oauth-provider.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-provider.d.ts","sourceRoot":"","sources":["../../../../../src/services/mcp-oauth/oauth-provider.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAMH,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,0CAA0C,CAAC;AACpF,OAAO,KAAK,EACV,2BAA2B,EAC3B,WAAW,EACX,mBAAmB,EACpB,MAAM,0CAA0C,CAAC;AAElD,OAAO,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAC;AACjE,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,kBAAkB,CAAC;AAMhE,qBAAa,sBAAuB,YAAW,mBAAmB;IAChE,OAAO,CAAC,eAAe,CAAoC;IAC3D,OAAO,CAAC,OAAO,CAAoB;IACnC,OAAO,CAAC,UAAU,CAAS;IAC3B,OAAO,CAAC,aAAa,CAAS;IAC9B,OAAO,CAAC,cAAc,CAAS;gBAEnB,OAAO,EAAE,uBAAuB;IAO5C,IAAI,WAAW,IAAI,MAAM,CAGxB;IAED,IAAI,cAAc,IAAI,mBAAmB,CAQxC;IAED,iBAAiB,IAAI,2BAA2B,GAAG,SAAS;IAI5D,qBAAqB,CAAC,IAAI,EAAE,2BAA2B,GAAG,IAAI;IAI9D,MAAM,IAAI,WAAW,GAAG,SAAS;IAIjC,UAAU,CAAC,MAAM,EAAE,WAAW,GAAG,IAAI;IAI/B,uBAAuB,CAAC,gBAAgB,EAAE,GAAG,GAAG,OAAO,CAAC,IAAI,CAAC;IA4BnE,gBAAgB,CAAC,YAAY,EAAE,MAAM,GAAG,IAAI;IAI5C,YAAY,IAAI,MAAM;IAIhB,qBAAqB,CACzB,KAAK,EAAE,KAAK,GAAG,QAAQ,GAAG,QAAQ,GAAG,UAAU,GAAG,WAAW,GAC5D,OAAO,CAAC,IAAI,CAAC;IAKhB;;;OAGG;IACG,mBAAmB,IAAI,OAAO,CAAC,mBAAmB,CAAC;IASzD;;OAEG;IACG,kBAAkB,IAAI,OAAO,CAAC,IAAI,CAAC;IAOzC,iBAAiB,IAAI,mBAAmB,GAAG,IAAI;CAGhD"}

package/dist/server/src/services/mcp-oauth/oauth-provider.js

@@ -0,0 +1,121 @@
+/**
+ * MCP OAuth Client Provider implementing the SDK's OAuthClientProvider interface.
+ *
+ * Handles the full OAuth 2.0 authorization code flow with PKCE for MCP servers:
+ * - Persists tokens and client info to JSON files
+ * - Opens system browser for user authorization
+ * - Manages a local HTTP callback server for auth code capture
+ * - Supports token refresh and credential invalidation
+ */
+import { exec } from 'node:child_process';
+import { promisify } from 'node:util';
+import path from 'node:path';
+import os from 'node:os';
+import { OAuthTokenStorage } from './oauth-token-storage.js';
+import { OAuthCallbackServer } from './oauth-callback-server.js';
+const execAsync = promisify(exec);
+const DEFAULT_CONFIG_DIR = path.join(os.homedir(), '.mcp-hub-lite', 'oauth');
+export class McpOAuthClientProvider {
+    _callbackServer = null;
+    storage;
+    _configDir;
+    _callbackPort;
+    _serverUrlHash;
+    constructor(options) {
+        this._serverUrlHash = options.serverUrlHash;
+        this._configDir = options.configDir || DEFAULT_CONFIG_DIR;
+        this._callbackPort = options.callbackPort || 0;
+        this.storage = new OAuthTokenStorage(this._configDir, this._serverUrlHash);
+    }
+    get redirectUrl() {
+        if (!this._callbackServer)
+            return '';
+        return this._callbackServer.redirectUrl;
+    }
+    get clientMetadata() {
+        return {
+            redirect_uris: [this.redirectUrl],
+            token_endpoint_auth_method: 'none',
+            grant_types: ['authorization_code', 'refresh_token'],
+            response_types: ['code'],
+            client_name: 'MCP Hub Lite'
+        };
+    }
+    clientInformation() {
+        return this.storage.getClientInfo();
+    }
+    saveClientInformation(info) {
+        this.storage.saveClientInfo(info);
+    }
+    tokens() {
+        return this.storage.getTokens();
+    }
+    saveTokens(tokens) {
+        this.storage.saveTokens(tokens);
+    }
+    async redirectToAuthorization(authorizationUrl) {
+        const urlStr = authorizationUrl.toString();
+        const platform = process.platform;
+        let command;
+        if (platform === 'win32') {
+            command = `start "" "${urlStr}"`;
+        }
+        else if (platform === 'darwin') {
+            command = `open "${urlStr}"`;
+        }
+        else {
+            command = `xdg-open "${urlStr}"`;
+        }
+        try {
+            await execAsync(command);
+        }
+        catch {
+            // Fallback: spawn detached
+            const { spawn } = await import('node:child_process');
+            if (platform === 'win32') {
+                spawn('cmd', ['/c', 'start', '', urlStr], { detached: true, stdio: 'ignore' }).unref();
+            }
+            else if (platform === 'darwin') {
+                spawn('open', [urlStr], { detached: true, stdio: 'ignore' }).unref();
+            }
+            else {
+                spawn('xdg-open', [urlStr], { detached: true, stdio: 'ignore' }).unref();
+            }
+        }
+    }
+    saveCodeVerifier(codeVerifier) {
+        this.storage.saveCodeVerifier(codeVerifier);
+    }
+    codeVerifier() {
+        return this.storage.getCodeVerifier() || '';
+    }
+    async invalidateCredentials(scope) {
+        if (scope === 'discovery')
+            return; // Not persisted
+        this.storage.clear(scope);
+    }
+    /**
+     * Starts the local callback server for auth code capture.
+     * Idempotent — returns existing server if already running.
+     */
+    async startCallbackServer() {
+        if (this._callbackServer) {
+            return this._callbackServer;
+        }
+        this._callbackServer = new OAuthCallbackServer(this._callbackPort);
+        await this._callbackServer.start();
+        return this._callbackServer;
+    }
+    /**
+     * Stops the callback server after auth flow completes.
+     */
+    async stopCallbackServer() {
+        if (this._callbackServer) {
+            await this._callbackServer.stop();
+            this._callbackServer = null;
+        }
+    }
+    getCallbackServer() {
+        return this._callbackServer;
+    }
+}

package/dist/server/src/services/mcp-oauth/oauth-token-storage.d.ts

@@ -0,0 +1,23 @@
+/**
+ * JSON file-based OAuth token persistence.
+ *
+ * Stores OAuth credentials (client info, tokens, code verifier) as JSON files
+ * in the config directory. Uses atomic writes (tmp + rename) to prevent corruption.
+ */
+import type { OAuthClientInformationMixed, OAuthTokens } from './oauth-types.js';
+export declare class OAuthTokenStorage {
+    private cache;
+    private filePath;
+    constructor(configDir: string, serverUrlHash: string);
+    private ensureDir;
+    private loadFromFile;
+    private saveToFile;
+    getClientInfo(): OAuthClientInformationMixed | undefined;
+    saveClientInfo(info: OAuthClientInformationMixed): void;
+    getTokens(): OAuthTokens | undefined;
+    saveTokens(tokens: OAuthTokens): void;
+    getCodeVerifier(): string | undefined;
+    saveCodeVerifier(verifier: string): void;
+    clear(scope: 'all' | 'client' | 'tokens' | 'verifier'): void;
+}
+//# sourceMappingURL=oauth-token-storage.d.ts.map

package/dist/server/src/services/mcp-oauth/oauth-token-storage.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-token-storage.d.ts","sourceRoot":"","sources":["../../../../../src/services/mcp-oauth/oauth-token-storage.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAKH,OAAO,KAAK,EACV,2BAA2B,EAC3B,WAAW,EAEZ,MAAM,kBAAkB,CAAC;AAE1B,qBAAa,iBAAiB;IAC5B,OAAO,CAAC,KAAK,CAA4B;IACzC,OAAO,CAAC,QAAQ,CAAS;gBAEb,SAAS,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM;IAIpD,OAAO,CAAC,SAAS;IAOjB,OAAO,CAAC,YAAY;IAepB,OAAO,CAAC,UAAU;IAclB,aAAa,IAAI,2BAA2B,GAAG,SAAS;IAOxD,cAAc,CAAC,IAAI,EAAE,2BAA2B,GAAG,IAAI;IAKvD,SAAS,IAAI,WAAW,GAAG,SAAS;IAOpC,UAAU,CAAC,MAAM,EAAE,WAAW,GAAG,IAAI;IAKrC,eAAe,IAAI,MAAM,GAAG,SAAS;IAOrC,gBAAgB,CAAC,QAAQ,EAAE,MAAM,GAAG,IAAI;IAKxC,KAAK,CAAC,KAAK,EAAE,KAAK,GAAG,QAAQ,GAAG,QAAQ,GAAG,UAAU,GAAG,IAAI;CAiB7D"}

package/dist/server/src/services/mcp-oauth/oauth-token-storage.js

@@ -0,0 +1,92 @@
+/**
+ * JSON file-based OAuth token persistence.
+ *
+ * Stores OAuth credentials (client info, tokens, code verifier) as JSON files
+ * in the config directory. Uses atomic writes (tmp + rename) to prevent corruption.
+ */
+import fs from 'node:fs';
+import path from 'node:path';
+import { logger, LOG_MODULES } from '../../utils/logger/index.js';
+export class OAuthTokenStorage {
+    cache = {};
+    filePath;
+    constructor(configDir, serverUrlHash) {
+        this.filePath = path.join(configDir, `${serverUrlHash}_oauth.json`);
+    }
+    ensureDir() {
+        const dir = path.dirname(this.filePath);
+        if (!fs.existsSync(dir)) {
+            fs.mkdirSync(dir, { recursive: true });
+        }
+    }
+    loadFromFile() {
+        try {
+            if (fs.existsSync(this.filePath)) {
+                const raw = fs.readFileSync(this.filePath, 'utf-8');
+                return JSON.parse(raw);
+            }
+        }
+        catch (error) {
+            logger.warn(`Failed to read OAuth storage file: ${error instanceof Error ? error.message : String(error)}`, LOG_MODULES.dynamic('oauth-storage'));
+        }
+        return {};
+    }
+    saveToFile(data) {
+        try {
+            this.ensureDir();
+            const tmpPath = `${this.filePath}.tmp`;
+            fs.writeFileSync(tmpPath, JSON.stringify(data, null, 2), 'utf-8');
+            fs.renameSync(tmpPath, this.filePath);
+        }
+        catch (error) {
+            logger.error(`Failed to write OAuth storage file: ${error instanceof Error ? error.message : String(error)}`, LOG_MODULES.dynamic('oauth-storage'));
+        }
+    }
+    getClientInfo() {
+        if (!this.cache.clientInfo) {
+            this.cache = this.loadFromFile();
+        }
+        return this.cache.clientInfo;
+    }
+    saveClientInfo(info) {
+        this.cache.clientInfo = info;
+        this.saveToFile(this.cache);
+    }
+    getTokens() {
+        if (!this.cache.tokens) {
+            this.cache = this.loadFromFile();
+        }
+        return this.cache.tokens;
+    }
+    saveTokens(tokens) {
+        this.cache.tokens = tokens;
+        this.saveToFile(this.cache);
+    }
+    getCodeVerifier() {
+        if (!this.cache.codeVerifier) {
+            this.cache = this.loadFromFile();
+        }
+        return this.cache.codeVerifier;
+    }
+    saveCodeVerifier(verifier) {
+        this.cache.codeVerifier = verifier;
+        this.saveToFile(this.cache);
+    }
+    clear(scope) {
+        switch (scope) {
+            case 'all':
+                this.cache = {};
+                break;
+            case 'client':
+                delete this.cache.clientInfo;
+                break;
+            case 'tokens':
+                delete this.cache.tokens;
+                break;
+            case 'verifier':
+                delete this.cache.codeVerifier;
+                break;
+        }
+        this.saveToFile(this.cache);
+    }
+}

package/dist/server/src/services/mcp-oauth/oauth-types.d.ts

@@ -0,0 +1,21 @@
+/**
+ * Type definitions for MCP OAuth authentication.
+ */
+import type { OAuthClientInformationMixed, OAuthTokens, OAuthClientMetadata } from '@modelcontextprotocol/sdk/shared/auth.js';
+export interface OAuthPersistenceData {
+    clientInfo?: OAuthClientInformationMixed;
+    tokens?: OAuthTokens;
+    codeVerifier?: string;
+}
+export interface McpOAuthConfig {
+    enabled?: boolean;
+    callbackPort?: number;
+    configDir?: string;
+}
+export interface McpOAuthProviderOptions {
+    serverUrlHash: string;
+    configDir: string;
+    callbackPort?: number;
+}
+export type { OAuthClientInformationMixed, OAuthTokens, OAuthClientMetadata };
+//# sourceMappingURL=oauth-types.d.ts.map

package/dist/server/src/services/mcp-oauth/oauth-types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-types.d.ts","sourceRoot":"","sources":["../../../../../src/services/mcp-oauth/oauth-types.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EACV,2BAA2B,EAC3B,WAAW,EACX,mBAAmB,EACpB,MAAM,0CAA0C,CAAC;AAElD,MAAM,WAAW,oBAAoB;IACnC,UAAU,CAAC,EAAE,2BAA2B,CAAC;IACzC,MAAM,CAAC,EAAE,WAAW,CAAC;IACrB,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,cAAc;IAC7B,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,uBAAuB;IACtC,aAAa,EAAE,MAAM,CAAC;IACtB,SAAS,EAAE,MAAM,CAAC;IAClB,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,YAAY,EAAE,2BAA2B,EAAE,WAAW,EAAE,mBAAmB,EAAE,CAAC"}

package/dist/server/src/services/mcp-oauth/oauth-types.js

@@ -0,0 +1,4 @@
+/**
+ * Type definitions for MCP OAuth authentication.
+ */
+export {};

package/dist/server/src/utils/network-security.d.ts

@@ -0,0 +1,33 @@
+/**
+ * CIDR-based IP allowlist matching utility.
+ * Zero dependencies — pure functions operating on IPv4 dotted-decimal strings.
+ */
+/**
+ * Convert dotted-decimal IPv4 string to a 32-bit unsigned integer.
+ * Returns NaN for invalid inputs.
+ */
+export declare function ip4ToInt(ip: string): number;
+/**
+ * Normalize an IP string for IPv4 CIDR matching.
+ * - Strips "::ffff:" prefix from IPv4-mapped IPv6 addresses
+ * - Maps "::1" (IPv6 loopback) to "127.0.0.1"
+ * - Returns other values unchanged
+ */
+export declare function normalizeIp(ip: string): string;
+/**
+ * Parse a CIDR string "x.x.x.x/prefix" into network and mask.
+ * If no prefix is provided, assume /32 (single host).
+ * Returns null for invalid input.
+ */
+export declare function parseCidr(cidr: string): {
+    network: number;
+    mask: number;
+} | null;
+/**
+ * Check whether an IP address is allowed by any CIDR in the allowlist.
+ * - Empty/null/undefined list → true (allow all)
+ * - Invalid IP → false (block, safety default)
+ * - Invalid CIDR entries in the list are silently skipped
+ */
+export declare function isIpAllowed(ip: string, allowedNetworks: string[]): boolean;
+//# sourceMappingURL=network-security.d.ts.map

package/dist/server/src/utils/network-security.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"network-security.d.ts","sourceRoot":"","sources":["../../../../src/utils/network-security.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH;;;GAGG;AACH,wBAAgB,QAAQ,CAAC,EAAE,EAAE,MAAM,GAAG,MAAM,CAW3C;AAED;;;;;GAKG;AACH,wBAAgB,WAAW,CAAC,EAAE,EAAE,MAAM,GAAG,MAAM,CAK9C;AAQD;;;;GAIG;AACH,wBAAgB,SAAS,CAAC,IAAI,EAAE,MAAM,GAAG;IAAE,OAAO,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,CAehF;AAED;;;;;GAKG;AACH,wBAAgB,WAAW,CAAC,EAAE,EAAE,MAAM,EAAE,eAAe,EAAE,MAAM,EAAE,GAAG,OAAO,CAY1E"}

package/dist/server/src/utils/network-security.js

@@ -0,0 +1,83 @@
+/**
+ * CIDR-based IP allowlist matching utility.
+ * Zero dependencies — pure functions operating on IPv4 dotted-decimal strings.
+ */
+/**
+ * Convert dotted-decimal IPv4 string to a 32-bit unsigned integer.
+ * Returns NaN for invalid inputs.
+ */
+export function ip4ToInt(ip) {
+    const parts = ip.split('.');
+    if (parts.length !== 4)
+        return NaN;
+    let result = 0;
+    for (const part of parts) {
+        const octet = parseInt(part, 10);
+        if (octet < 0 || octet > 255 || String(octet) !== part)
+            return NaN;
+        result = ((result << 8) | octet) >>> 0;
+    }
+    return result;
+}
+/**
+ * Normalize an IP string for IPv4 CIDR matching.
+ * - Strips "::ffff:" prefix from IPv4-mapped IPv6 addresses
+ * - Maps "::1" (IPv6 loopback) to "127.0.0.1"
+ * - Returns other values unchanged
+ */
+export function normalizeIp(ip) {
+    if (!ip)
+        return ip;
+    if (ip === '::1')
+        return '127.0.0.1';
+    if (ip.startsWith('::ffff:'))
+        return ip.slice(7);
+    return ip;
+}
+function cidrMask(prefix) {
+    if (prefix <= 0)
+        return 0;
+    if (prefix >= 32)
+        return 0xffffffff >>> 0;
+    return (~0 << (32 - prefix)) >>> 0;
+}
+/**
+ * Parse a CIDR string "x.x.x.x/prefix" into network and mask.
+ * If no prefix is provided, assume /32 (single host).
+ * Returns null for invalid input.
+ */
+export function parseCidr(cidr) {
+    if (!cidr)
+        return null;
+    const slashIdx = cidr.indexOf('/');
+    const ipPart = slashIdx === -1 ? cidr : cidr.slice(0, slashIdx);
+    const prefixPart = slashIdx === -1 ? '32' : cidr.slice(slashIdx + 1);
+    const ip = ip4ToInt(ipPart);
+    if (isNaN(ip))
+        return null;
+    const prefix = parseInt(prefixPart, 10);
+    if (isNaN(prefix) || String(prefix) !== prefixPart || prefix < 0 || prefix > 32)
+        return null;
+    const mask = cidrMask(prefix);
+    return { network: (ip & mask) >>> 0, mask };
+}
+/**
+ * Check whether an IP address is allowed by any CIDR in the allowlist.
+ * - Empty/null/undefined list → true (allow all)
+ * - Invalid IP → false (block, safety default)
+ * - Invalid CIDR entries in the list are silently skipped
+ */
+export function isIpAllowed(ip, allowedNetworks) {
+    if (!allowedNetworks || allowedNetworks.length === 0)
+        return true;
+    const normalized = normalizeIp(ip);
+    const ipInt = ip4ToInt(normalized);
+    if (isNaN(ipInt))
+        return false;
+    for (const cidr of allowedNetworks) {
+        const parsed = parseCidr(cidr);
+        if (parsed && (ipInt & parsed.mask) >>> 0 === parsed.network)
+            return true;
+    }
+    return false;
+}

package/dist/server/src/utils/transports/streamable-http-transport.d.ts

@@ -1,5 +1,7 @@
 import { JSONRPCMessage } from '@modelcontextprotocol/sdk/types.js';
 import { Transport } from '@modelcontextprotocol/sdk/shared/transport.js';
+import { StreamableHTTPClientTransport } from '@modelcontextprotocol/sdk/client/streamableHttp.js';
+import type { OAuthClientProvider } from '@modelcontextprotocol/sdk/client/auth.js';
 /**
  * Streamable HTTP Transport implementation for MCP (Model Context Protocol)
  *
@@ -30,6 +32,7 @@ export declare class StreamableHttpTransport implements Transport {
     private headers;
     private timeout;
     private proxy?;
+    private authProvider?;
     /**
      * Internal reference to the underlying MCP SDK transport instance
      * @private
@@ -80,7 +83,7 @@ export declare class StreamableHttpTransport implements Transport {
      */
     constructor(url: string, headers?: Record<string, string>, timeout?: number, proxy?: {
         url: string;
-    } | undefined, serverName?: string, compositeKey?: string);
+    } | undefined, authProvider?: OAuthClientProvider | undefined, serverName?: string, compositeKey?: string);
     /**
      * Helper method to format log messages with server context.
      *
@@ -135,6 +138,14 @@ export declare class StreamableHttpTransport implements Transport {
      * // Transport is now closed and cannot send/receive messages
      * ```
      */
+    /**
+     * Returns the OAuth provider if configured, for connection manager to handle auth flow.
+     */
+    getOAuthProvider(): OAuthClientProvider | undefined;
+    /**
+     * Returns the underlying SDK transport for auth flow management.
+     */
+    getSdkTransport(): StreamableHTTPClientTransport | null;
     close(): Promise<void>;
     /**
      * Sends a JSON-RPC message to the connected MCP server

package/dist/server/src/utils/transports/streamable-http-transport.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"streamable-http-transport.d.ts","sourceRoot":"","sources":["../../../../../src/utils/transports/streamable-http-transport.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,MAAM,oCAAoC,CAAC;AACpE,OAAO,EAAE,SAAS,EAAE,MAAM,+CAA+C,CAAC;AAM1E;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,qBAAa,uBAAwB,YAAW,SAAS;IAyDrD,OAAO,CAAC,GAAG;IACX,OAAO,CAAC,OAAO;IACf,OAAO,CAAC,OAAO;IACf,OAAO,CAAC,KAAK,CAAC;IA3DhB;;;OAGG;IACH,OAAO,CAAC,SAAS,CAA8C;IAE/D;;;;OAIG;IACH,OAAO,CAAC,SAAS,CAAS;IAE1B;;;OAGG;IACH,OAAO,CAAC,WAAW,CAAC,CAAS;IAE7B;;;OAGG;IACH,OAAO,CAAC,aAAa,CAAC,CAAS;IAE/B;;;OAGG;IACI,SAAS,CAAC,EAAE,CAAC,OAAO,EAAE,cAAc,KAAK,IAAI,CAAC;IAErD;;;OAGG;IACI,OAAO,CAAC,EAAE,CAAC,KAAK,EAAE,KAAK,KAAK,IAAI,CAAC;IAExC;;;OAGG;IACI,OAAO,CAAC,EAAE,MAAM,IAAI,CAAC;IAE5B;;;;;;;;;;;OAWG;gBAEO,GAAG,EAAE,MAAM,EACX,OAAO,GAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAM,EACpC,OAAO,GAAE,MAAc,EACvB,KAAK,CAAC,EAAE;QAAE,GAAG,EAAE,MAAM,CAAA;KAAE,YAAA,EAC/B,UAAU,CAAC,EAAE,MAAM,EACnB,YAAY,CAAC,EAAE,MAAM;IAMvB;;;;;OAKG;IACH,OAAO,CAAC,gBAAgB;IAUxB;;;;;;;;;;;;;;;;;;;;;;;;;OAyBG;IACG,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IA6G5B;;;;;;;;;;;;;;;;;;;OAmBG;IACG,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAS5B;;;;;;;;;;;;;;;;;;;;;;;;;;;OA2BG;IACG,IAAI,CAAC,OAAO,EAAE,cAAc,GAAG,OAAO,CAAC,IAAI,CAAC;CA6BnD"}
+{"version":3,"file":"streamable-http-transport.d.ts","sourceRoot":"","sources":["../../../../../src/utils/transports/streamable-http-transport.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,MAAM,oCAAoC,CAAC;AACpE,OAAO,EAAE,SAAS,EAAE,MAAM,+CAA+C,CAAC;AAE1E,OAAO,EAAE,6BAA6B,EAAE,MAAM,oDAAoD,CAAC;AACnG,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,0CAA0C,CAAC;AAIpF;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,qBAAa,uBAAwB,YAAW,SAAS;IAyDrD,OAAO,CAAC,GAAG;IACX,OAAO,CAAC,OAAO;IACf,OAAO,CAAC,OAAO;IACf,OAAO,CAAC,KAAK,CAAC;IACd,OAAO,CAAC,YAAY,CAAC;IA5DvB;;;OAGG;IACH,OAAO,CAAC,SAAS,CAA8C;IAE/D;;;;OAIG;IACH,OAAO,CAAC,SAAS,CAAS;IAE1B;;;OAGG;IACH,OAAO,CAAC,WAAW,CAAC,CAAS;IAE7B;;;OAGG;IACH,OAAO,CAAC,aAAa,CAAC,CAAS;IAE/B;;;OAGG;IACI,SAAS,CAAC,EAAE,CAAC,OAAO,EAAE,cAAc,KAAK,IAAI,CAAC;IAErD;;;OAGG;IACI,OAAO,CAAC,EAAE,CAAC,KAAK,EAAE,KAAK,KAAK,IAAI,CAAC;IAExC;;;OAGG;IACI,OAAO,CAAC,EAAE,MAAM,IAAI,CAAC;IAE5B;;;;;;;;;;;OAWG;gBAEO,GAAG,EAAE,MAAM,EACX,OAAO,GAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAM,EACpC,OAAO,GAAE,MAAc,EACvB,KAAK,CAAC,EAAE;QAAE,GAAG,EAAE,MAAM,CAAA;KAAE,YAAA,EACvB,YAAY,CAAC,EAAE,mBAAmB,YAAA,EAC1C,UAAU,CAAC,EAAE,MAAM,EACnB,YAAY,CAAC,EAAE,MAAM;IAMvB;;;;;OAKG;IACH,OAAO,CAAC,gBAAgB;IAUxB;;;;;;;;;;;;;;;;;;;;;;;;;OAyBG;IACG,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAsH5B;;;;;;;;;;;;;;;;;;;OAmBG;IACH;;OAEG;IACH,gBAAgB,IAAI,mBAAmB,GAAG,SAAS;IAInD;;OAEG;IACH,eAAe,IAAI,6BAA6B,GAAG,IAAI;IAIjD,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAS5B;;;;;;;;;;;;;;;;;;;;;;;;;;;OA2BG;IACG,IAAI,CAAC,OAAO,EAAE,cAAc,GAAG,OAAO,CAAC,IAAI,CAAC;CA6BnD"}

package/dist/server/src/utils/transports/streamable-http-transport.js

@@ -32,6 +32,7 @@ export class StreamableHttpTransport {
     headers;
     timeout;
     proxy;
+    authProvider;
     /**
      * Internal reference to the underlying MCP SDK transport instance
      * @private
@@ -80,11 +81,12 @@ export class StreamableHttpTransport {
      * @param serverName - Optional server name for logging
      * @param compositeKey - Optional composite key (serverName-serverIndex) for logging
      */
-    constructor(url, headers = {}, timeout = 30000, proxy, serverName, compositeKey) {
+    constructor(url, headers = {}, timeout = 30000, proxy, authProvider, serverName, compositeKey) {
         this.url = url;
         this.headers = headers;
         this.timeout = timeout;
         this.proxy = proxy;
+        this.authProvider = authProvider;
         this._serverName = serverName;
         this._compositeKey = compositeKey;
     }
@@ -151,6 +153,11 @@ export class StreamableHttpTransport {
             const transportOptions = {
                 requestInit
             };
+            // Pass OAuth provider if configured
+            if (this.authProvider) {
+                transportOptions.authProvider = this.authProvider;
+                logger.info(this.formatLogMessage('Streamable HTTP transport configured with OAuth provider'), LOG_MODULES.HTTP_TRANSPORT);
+            }
             // Add proxy support if configured
             if (this.proxy?.url) {
                 const agent = new ProxyAgent(this.proxy.url);
@@ -215,6 +222,18 @@ export class StreamableHttpTransport {
      * // Transport is now closed and cannot send/receive messages
      * ```
      */
+    /**
+     * Returns the OAuth provider if configured, for connection manager to handle auth flow.
+     */
+    getOAuthProvider() {
+        return this.authProvider;
+    }
+    /**
+     * Returns the underlying SDK transport for auth flow management.
+     */
+    getSdkTransport() {
+        return this.transport;
+    }
     async close() {
         this.isClosing = true;
         if (this.transport) {

package/dist/server/src/utils/transports/transport-factory.d.ts

@@ -1,4 +1,5 @@
 import type { ServerRuntimeConfig } from '../../../shared/models/server.model.js';
+import { McpOAuthClientProvider } from '../../services/mcp-oauth/index.js';
 /**
  * Transport Factory - creates appropriate transport client based on server configuration
  */
@@ -16,6 +17,7 @@ export declare class TransportFactory {
     }, compositeKey?: string, options?: {
         readyPatterns?: string[];
         readyTimeout?: number;
+        authProvider?: McpOAuthClientProvider;
     }): import('@modelcontextprotocol/sdk/shared/transport.js').Transport;
     /**
      * Build system environment variables

package/dist/server/src/utils/transports/transport-factory.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"transport-factory.d.ts","sourceRoot":"","sources":["../../../../../src/utils/transports/transport-factory.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AAG1E;;GAEG;AACH,qBAAa,gBAAgB;IAC3B;;;;;;;OAOG;IACH,MAAM,CAAC,eAAe,CACpB,MAAM,EAAE,mBAAmB,GAAG;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,EAC9C,YAAY,CAAC,EAAE,MAAM,EACrB,OAAO,CAAC,EAAE;QACR,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;QACzB,YAAY,CAAC,EAAE,MAAM,CAAC;KACvB,GACA,OAAO,+CAA+C,EAAE,SAAS;IA+DpE;;;OAGG;IACH,OAAO,CAAC,MAAM,CAAC,cAAc;IAW7B;;;OAGG;IACH,OAAO,CAAC,MAAM,CAAC,eAAe;IAW9B;;OAEG;IACH,OAAO,CAAC,MAAM,CAAC,wBAAwB;CA8CxC"}
+{"version":3,"file":"transport-factory.d.ts","sourceRoot":"","sources":["../../../../../src/utils/transports/transport-factory.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AAE1E,OAAO,EAAE,sBAAsB,EAAE,MAAM,8BAA8B,CAAC;AAKtE;;GAEG;AACH,qBAAa,gBAAgB;IAC3B;;;;;;;OAOG;IACH,MAAM,CAAC,eAAe,CACpB,MAAM,EAAE,mBAAmB,GAAG;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,EAC9C,YAAY,CAAC,EAAE,MAAM,EACrB,OAAO,CAAC,EAAE;QACR,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;QACzB,YAAY,CAAC,EAAE,MAAM,CAAC;QACtB,YAAY,CAAC,EAAE,sBAAsB,CAAC;KACvC,GACA,OAAO,+CAA+C,EAAE,SAAS;IA4EpE;;;OAGG;IACH,OAAO,CAAC,MAAM,CAAC,cAAc;IAW7B;;;OAGG;IACH,OAAO,CAAC,MAAM,CAAC,eAAe;IAW9B;;OAEG;IACH,OAAO,CAAC,MAAM,CAAC,wBAAwB;CA8CxC"}

package/dist/server/src/utils/transports/transport-factory.js

@@ -2,6 +2,10 @@ import { StdioTransport } from './stdio-transport.js';
 import { SseTransport } from './sse-transport.js';
 import { StreamableHttpTransport } from './streamable-http-transport.js';
 import { logStorage } from '../../services/log-storage.service.js';
+import { McpOAuthClientProvider } from '../../services/mcp-oauth/index.js';
+import { createHash } from 'node:crypto';
+import path from 'node:path';
+import os from 'node:os';
 /**
  * Transport Factory - creates appropriate transport client based on server configuration
  */
@@ -41,11 +45,22 @@ export class TransportFactory {
                 }
                 return new SseTransport(config.url, config.headers, config.reconnectInterval, config.maxReconnectAttempts, config.proxy, server.name, compositeKey);
             case 'streamable-http':
-            case 'http': // Compatibility with http type, treat as streamable-http
+            case 'http': {
+                // Compatibility with http type, treat as streamable-http
                 if (!config.url) {
                     throw new Error('Streamable HTTP transport requires a URL');
                 }
-                return new StreamableHttpTransport(config.url, config.headers, config.timeout, config.proxy, server.name, compositeKey);
+                // Use existing authProvider if given, otherwise create one (SDK auto-discovers OAuth)
+                const authProvider = options?.authProvider ||
+                    (() => {
+                        const serverUrlHash = createHash('md5').update(config.url).digest('hex').slice(0, 16);
+                        return new McpOAuthClientProvider({
+                            serverUrlHash,
+                            configDir: path.join(os.homedir(), '.mcp-hub-lite', 'oauth')
+                        });
+                    })();
+                return new StreamableHttpTransport(config.url, config.headers, config.timeout, config.proxy, authProvider, server.name, compositeKey);
+            }
             default:
                 throw new Error(`Unsupported transport type: ${config.type || 'undefined'}`);
         }

package/dist/server/src/utils/transports/transport.interface.d.ts

@@ -22,6 +22,7 @@ export interface SseTransportConfig {
         url: string;
     };
 }
+import type { OAuthClientProvider } from '@modelcontextprotocol/sdk/client/auth.js';
 /**
  * Streamable HTTP transport configuration
  */
@@ -33,6 +34,7 @@ export interface StreamableHttpTransportConfig {
     proxy?: {
         url: string;
     };
+    authProvider?: OAuthClientProvider;
 }
 /**
  * Generic server configuration

package/dist/server/src/utils/transports/transport.interface.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"transport.interface.d.ts","sourceRoot":"","sources":["../../../../../src/utils/transports/transport.interface.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,IAAI,EAAE,OAAO,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;IAChB,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC7B,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,MAAM,CAAC,EAAE,SAAS,GAAG,MAAM,GAAG,QAAQ,CAAC;CACxC;AAED;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,IAAI,EAAE,KAAK,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACjC,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,KAAK,CAAC,EAAE;QACN,GAAG,EAAE,MAAM,CAAC;KACb,CAAC;CACH;AAED;;GAEG;AACH,MAAM,WAAW,6BAA6B;IAC5C,IAAI,EAAE,iBAAiB,GAAG,MAAM,CAAC;IACjC,GAAG,EAAE,MAAM,CAAC;IACZ,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACjC,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,KAAK,CAAC,EAAE;QACN,GAAG,EAAE,MAAM,CAAC;KACb,CAAC;CACH;AAED;;GAEG;AACH,MAAM,MAAM,qBAAqB,GAC7B,oBAAoB,GACpB,kBAAkB,GAClB,6BAA6B,CAAC"}
+{"version":3,"file":"transport.interface.d.ts","sourceRoot":"","sources":["../../../../../src/utils/transports/transport.interface.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,IAAI,EAAE,OAAO,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;IAChB,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC7B,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,MAAM,CAAC,EAAE,SAAS,GAAG,MAAM,GAAG,QAAQ,CAAC;CACxC;AAED;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,IAAI,EAAE,KAAK,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACjC,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,KAAK,CAAC,EAAE;QACN,GAAG,EAAE,MAAM,CAAC;KACb,CAAC;CACH;AAED,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,0CAA0C,CAAC;AAEpF;;GAEG;AACH,MAAM,WAAW,6BAA6B;IAC5C,IAAI,EAAE,iBAAiB,GAAG,MAAM,CAAC;IACjC,GAAG,EAAE,MAAM,CAAC;IACZ,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACjC,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,KAAK,CAAC,EAAE;QACN,GAAG,EAAE,MAAM,CAAC;KACb,CAAC;IACF,YAAY,CAAC,EAAE,mBAAmB,CAAC;CACpC;AAED;;GAEG;AACH,MAAM,MAAM,qBAAqB,GAC7B,oBAAoB,GACpB,kBAAkB,GAClB,6BAA6B,CAAC"}