@mcp-guardian/server 0.3.0 → 0.5.0

package/dist/auth/auth-types.d.ts

@@ -0,0 +1,40 @@
+/**
+ * OAuth 2.1 / OIDC authentication types for MCP Guardian proxy.
+ */
+export interface AuthConfig {
+    /** OIDC issuer URL (e.g., https://accounts.google.com) */
+    issuer: string;
+    /** Expected audience claim in JWT */
+    audience: string;
+    /** Whether authentication is required (fail-closed) or optional (fail-open) */
+    required: boolean;
+    /** JWKS URI override (default: auto-discovered from issuer) */
+    jwksUri?: string;
+    /** Clock tolerance in seconds for JWT validation */
+    clockTolerance?: number;
+}
+export interface AgentIdentity {
+    /** Subject claim (sub) — unique agent identifier */
+    sub: string;
+    /** Client ID from the token */
+    clientId?: string;
+    /** Scopes granted to this agent */
+    scopes?: string[];
+    /** Issuer of the token */
+    issuer: string;
+    /** Token expiry timestamp */
+    expiresAt?: number;
+}
+export interface AuthValidationResult {
+    valid: boolean;
+    identity?: AgentIdentity;
+    error?: string;
+}
+export interface OIDCDiscovery {
+    issuer: string;
+    jwks_uri: string;
+    authorization_endpoint?: string;
+    token_endpoint?: string;
+    scopes_supported?: string[];
+}
+//# sourceMappingURL=auth-types.d.ts.map

package/dist/auth/auth-types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-types.d.ts","sourceRoot":"","sources":["../../src/auth/auth-types.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,MAAM,WAAW,UAAU;IACzB,0DAA0D;IAC1D,MAAM,EAAE,MAAM,CAAC;IACf,qCAAqC;IACrC,QAAQ,EAAE,MAAM,CAAC;IACjB,+EAA+E;IAC/E,QAAQ,EAAE,OAAO,CAAC;IAClB,+DAA+D;IAC/D,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,oDAAoD;IACpD,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAED,MAAM,WAAW,aAAa;IAC5B,oDAAoD;IACpD,GAAG,EAAE,MAAM,CAAC;IACZ,+BAA+B;IAC/B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,mCAAmC;IACnC,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,0BAA0B;IAC1B,MAAM,EAAE,MAAM,CAAC;IACf,6BAA6B;IAC7B,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,oBAAoB;IACnC,KAAK,EAAE,OAAO,CAAC;IACf,QAAQ,CAAC,EAAE,aAAa,CAAC;IACzB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;CAC7B"}

package/dist/auth/auth-types.js

@@ -0,0 +1,5 @@
+/**
+ * OAuth 2.1 / OIDC authentication types for MCP Guardian proxy.
+ */
+export {};
+//# sourceMappingURL=auth-types.js.map

package/dist/auth/auth-types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-types.js","sourceRoot":"","sources":["../../src/auth/auth-types.ts"],"names":[],"mappings":"AAAA;;GAEG"}

package/dist/auth/dashboard-auth.d.ts

@@ -0,0 +1,97 @@
+export interface AuthResult {
+    authenticated: boolean;
+    reason?: string;
+    identity?: string;
+}
+export interface DashboardAuthConfig {
+    /** Enable authentication on dashboard API */
+    enabled: boolean;
+    /** Pre-shared API key (simplest auth) */
+    apiKey?: string;
+    /** JWT HMAC secret for session tokens */
+    jwtSecret?: string;
+    /** Session token expiry in seconds */
+    sessionTtlSeconds: number;
+    /** Allowed origins for CORS/CSRF validation */
+    allowedOrigins: string[];
+    /** Maximum login attempts per minute per IP */
+    maxLoginAttemptsPerMinute: number;
+}
+/**
+ * DashboardAuth provides authentication for the dashboard HTTP server.
+ *
+ * Two modes:
+ * 1. API Key: Set DASHBOARD_API_KEY, pass as ?api_key=<key> or Authorization: Bearer <key>
+ * 2. JWT Sessions: Set DASHBOARD_JWT_SECRET, POST /api/login with credentials
+ */
+export declare class DashboardAuth {
+    private config;
+    private loginRateMap;
+    private activeTokens;
+    private cleanupInterval;
+    constructor(config?: Partial<DashboardAuthConfig>);
+    /**
+     * Authenticate a dashboard HTTP request.
+     * Checks multiple sources:
+     * 1. ?api_key=<key> query parameter
+     * 2. Authorization: Bearer <token> header
+     * 3. X-API-Key: <key> header
+     */
+    authenticate(req: {
+        url?: string;
+        headers?: Record<string, string | string[] | undefined>;
+        method?: string;
+    }): AuthResult;
+    /**
+     * Handle a login attempt. Creates a session token if credentials are valid.
+     * Credentials are validated against DASHBOARD_USERNAME / DASHBOARD_PASSWORD env vars.
+     */
+    login(req: {
+        url?: string;
+        headers?: Record<string, string | string[] | undefined>;
+        body?: {
+            username?: string;
+            password?: string;
+            api_key?: string;
+        };
+        ip?: string;
+    }): {
+        success: boolean;
+        token?: string;
+        error?: string;
+    };
+    /**
+     * Revoke a session token (logout).
+     */
+    logout(token: string): void;
+    /**
+     * Generate login page HTML (serves at /login when JWT auth is enabled).
+     */
+    getLoginPageHtml(error?: string): string;
+    /**
+     * Check if auth is enabled and required.
+     */
+    isEnabled(): boolean;
+    /**
+     * Check if JWT session-based auth is configured (vs API key only).
+     */
+    hasJwtSessionAuth(): boolean;
+    /**
+     * Create a signed HMAC session token.
+     */
+    private createSessionToken;
+    /**
+     * Timing-safe string comparison to prevent timing attacks on API keys.
+     */
+    private timingSafeCompare;
+    /**
+     * Validate CSRF protection via Origin/Referer headers.
+     */
+    private validateCsrf;
+    private isAllowedOrigin;
+    private checkLoginRate;
+    private normalizeHeaders;
+    private cleanupRateMap;
+    dispose(): void;
+}
+//# sourceMappingURL=dashboard-auth.d.ts.map

package/dist/auth/dashboard-auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"dashboard-auth.d.ts","sourceRoot":"","sources":["../../src/auth/dashboard-auth.ts"],"names":[],"mappings":"AAmBA,MAAM,WAAW,UAAU;IACzB,aAAa,EAAE,OAAO,CAAC;IACvB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,mBAAmB;IAClC,6CAA6C;IAC7C,OAAO,EAAE,OAAO,CAAC;IACjB,yCAAyC;IACzC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,yCAAyC;IACzC,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,sCAAsC;IACtC,iBAAiB,EAAE,MAAM,CAAC;IAC1B,+CAA+C;IAC/C,cAAc,EAAE,MAAM,EAAE,CAAC;IACzB,+CAA+C;IAC/C,yBAAyB,EAAE,MAAM,CAAC;CACnC;AAUD;;;;;;GAMG;AACH,qBAAa,aAAa;IACxB,OAAO,CAAC,MAAM,CAAsB;IACpC,OAAO,CAAC,YAAY,CAA0C;IAC9D,OAAO,CAAC,YAAY,CAA0B;IAC9C,OAAO,CAAC,eAAe,CAA+C;gBAE1D,MAAM,CAAC,EAAE,OAAO,CAAC,mBAAmB,CAAC;IA4BjD;;;;;;OAMG;IACH,YAAY,CAAC,GAAG,EAAE;QAChB,GAAG,CAAC,EAAE,MAAM,CAAC;QACb,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,GAAG,SAAS,CAAC,CAAC;QACxD,MAAM,CAAC,EAAE,MAAM,CAAC;KACjB,GAAG,UAAU;IAyDd;;;OAGG;IACH,KAAK,CAAC,GAAG,EAAE;QACT,GAAG,CAAC,EAAE,MAAM,CAAC;QACb,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,GAAG,SAAS,CAAC,CAAC;QACxD,IAAI,CAAC,EAAE;YAAE,QAAQ,CAAC,EAAE,MAAM,CAAC;YAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;YAAC,OAAO,CAAC,EAAE,MAAM,CAAA;SAAE,CAAC;QAClE,EAAE,CAAC,EAAE,MAAM,CAAC;KACb,GAAG;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE;IAuDxD;;OAEG;IACH,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI;IAI3B;;OAEG;IACH,gBAAgB,CAAC,KAAK,CAAC,EAAE,MAAM,GAAG,MAAM;IAyCxC;;OAEG;IACH,SAAS,IAAI,OAAO;IAIpB;;OAEG;IACH,iBAAiB,IAAI,OAAO;IAI5B;;OAEG;IACH,OAAO,CAAC,kBAAkB;IAmB1B;;OAEG;IACH,OAAO,CAAC,iBAAiB;IAOzB;;OAEG;IACH,OAAO,CAAC,YAAY;IA0BpB,OAAO,CAAC,eAAe;IAQvB,OAAO,CAAC,cAAc;IAYtB,OAAO,CAAC,gBAAgB;IASxB,OAAO,CAAC,cAAc;IAOtB,OAAO,IAAI,IAAI;CAKhB"}

package/dist/auth/dashboard-auth.js

@@ -0,0 +1,319 @@
+/**
+ * Dashboard Authentication Middleware
+ *
+ * Provides JWT-based authentication for the dashboard HTTP API.
+ * Supports:
+ * - API key authentication (simple, internal deployments)
+ * - JWT session tokens (for multi-user deployments)
+ * - CSRF protection via Origin/Referer validation
+ * - Rate limiting on auth endpoints
+ * - Login endpoint with configurable credential source
+ *
+ * Enable with: DASHBOARD_AUTH_ENABLED=true
+ * Configure API key: DASHBOARD_API_KEY=<key>
+ * Configure JWT secret: DASHBOARD_JWT_SECRET=<secret>
+ */
+import { createHmac, randomBytes, timingSafeEqual } from 'crypto';
+import { Logger } from '../utils/logger.js';
+import { StructuredLogger } from '../utils/structured-logger.js';
+/**
+ * DashboardAuth provides authentication for the dashboard HTTP server.
+ *
+ * Two modes:
+ * 1. API Key: Set DASHBOARD_API_KEY, pass as ?api_key=<key> or Authorization: Bearer <key>
+ * 2. JWT Sessions: Set DASHBOARD_JWT_SECRET, POST /api/login with credentials
+ */
+export class DashboardAuth {
+    config;
+    loginRateMap = new Map();
+    activeTokens = new Set();
+    cleanupInterval = null;
+    constructor(config) {
+        const enabled = process.env['DASHBOARD_AUTH_ENABLED'] === 'true';
+        this.config = {
+            enabled: config?.enabled ?? enabled,
+            apiKey: config?.apiKey ?? process.env['DASHBOARD_API_KEY'] ?? undefined,
+            jwtSecret: config?.jwtSecret ?? process.env['DASHBOARD_JWT_SECRET'] ?? undefined,
+            sessionTtlSeconds: config?.sessionTtlSeconds ?? 3600,
+            allowedOrigins: config?.allowedOrigins ?? (process.env['DASHBOARD_ALLOWED_ORIGINS']
+                ? process.env['DASHBOARD_ALLOWED_ORIGINS'].split(',').map(s => s.trim())
+                : ['http://localhost:4000', 'http://localhost:3000', 'http://127.0.0.1:4000']),
+            maxLoginAttemptsPerMinute: config?.maxLoginAttemptsPerMinute ?? 5,
+        };
+        if (this.config.enabled && this.config.apiKey) {
+            Logger.info('[dashboard-auth] API key authentication enabled');
+        }
+        else if (this.config.enabled && this.config.jwtSecret) {
+            Logger.info('[dashboard-auth] JWT session authentication enabled');
+        }
+        else if (this.config.enabled) {
+            Logger.warn('[dashboard-auth] Auth enabled but no API key or JWT secret configured');
+        }
+        // Periodic cleanup of rate limit entries
+        if (this.config.enabled) {
+            this.cleanupInterval = setInterval(() => this.cleanupRateMap(), 60000);
+        }
+    }
+    /**
+     * Authenticate a dashboard HTTP request.
+     * Checks multiple sources:
+     * 1. ?api_key=<key> query parameter
+     * 2. Authorization: Bearer <token> header
+     * 3. X-API-Key: <key> header
+     */
+    authenticate(req) {
+        if (!this.config.enabled) {
+            return { authenticated: true, identity: 'anonymous' };
+        }
+        const url = req.url || '/';
+        const headers = this.normalizeHeaders(req.headers || {});
+        // ── CSRF check for mutating requests ──
+        if (req.method && ['POST', 'PUT', 'DELETE', 'PATCH'].includes(req.method)) {
+            const csrfResult = this.validateCsrf(headers);
+            if (!csrfResult.authenticated)
+                return csrfResult;
+        }
+        // ── Check query param API key ──
+        try {
+            const urlObj = new URL(url, 'http://localhost');
+            const queryKey = urlObj.searchParams.get('api_key');
+            if (queryKey && this.config.apiKey) {
+                if (this.timingSafeCompare(queryKey, this.config.apiKey)) {
+                    return { authenticated: true, identity: 'api_key' };
+                }
+            }
+        }
+        catch {
+            // Malformed URL — continue to other auth methods
+        }
+        // ── Check Authorization header ──
+        const authHeader = headers['authorization'];
+        if (authHeader) {
+            const bearerMatch = authHeader.match(/^Bearer\s+(.+)$/i);
+            if (bearerMatch) {
+                const token = bearerMatch[1];
+                // Check if it's the API key
+                if (this.config.apiKey && this.timingSafeCompare(token, this.config.apiKey)) {
+                    return { authenticated: true, identity: 'api_key' };
+                }
+                // Check if it's a valid session token
+                if (this.activeTokens.has(token)) {
+                    return { authenticated: true, identity: 'session' };
+                }
+            }
+        }
+        // ── Check X-API-Key header ──
+        const apiKeyHeader = headers['x-api-key'];
+        if (apiKeyHeader && this.config.apiKey) {
+            if (this.timingSafeCompare(apiKeyHeader, this.config.apiKey)) {
+                return { authenticated: true, identity: 'api_key' };
+            }
+        }
+        return { authenticated: false, reason: 'No valid authentication provided' };
+    }
+    /**
+     * Handle a login attempt. Creates a session token if credentials are valid.
+     * Credentials are validated against DASHBOARD_USERNAME / DASHBOARD_PASSWORD env vars.
+     */
+    login(req) {
+        if (!this.config.enabled || !this.config.jwtSecret) {
+            return { success: false, error: 'JWT auth not configured. Set DASHBOARD_JWT_SECRET.' };
+        }
+        // ── Rate limit login attempts ──
+        const ip = req.ip || 'unknown';
+        if (!this.checkLoginRate(ip)) {
+            StructuredLogger.info({
+                event: 'dashboard_login_rate_limited',
+                ip,
+            });
+            return { success: false, error: 'Too many login attempts. Try again later.' };
+        }
+        const body = req.body || {};
+        // Check API key shortcut
+        if (body.api_key && this.config.apiKey && this.timingSafeCompare(body.api_key, this.config.apiKey)) {
+            const token = this.createSessionToken();
+            Logger.info(`[dashboard-auth] Login via API key from ${ip}`);
+            return { success: true, token };
+        }
+        // Check username/password
+        const expectedUsername = process.env['DASHBOARD_USERNAME'];
+        const expectedPassword = process.env['DASHBOARD_PASSWORD'];
+        if (!expectedUsername || !expectedPassword) {
+            return { success: false, error: 'Login credentials not configured on server. Set DASHBOARD_USERNAME and DASHBOARD_PASSWORD.' };
+        }
+        if (body.username === expectedUsername &&
+            body.password &&
+            this.timingSafeCompare(body.password, expectedPassword)) {
+            const token = this.createSessionToken();
+            StructuredLogger.info({
+                event: 'dashboard_login',
+                ip,
+                identity: body.username,
+            });
+            return { success: true, token };
+        }
+        StructuredLogger.info({
+            event: 'dashboard_login_failed',
+            ip,
+            identity: body.username || 'unknown',
+        });
+        return { success: false, error: 'Invalid credentials' };
+    }
+    /**
+     * Revoke a session token (logout).
+     */
+    logout(token) {
+        this.activeTokens.delete(token);
+    }
+    /**
+     * Generate login page HTML (serves at /login when JWT auth is enabled).
+     */
+    getLoginPageHtml(error) {
+        const errorHtml = error ? `<div style="color:#f85149;margin-bottom:16px;padding:8px;background:#3d1f1f;border-radius:6px;">${error}</div>` : '';
+        return `<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<title>MCP Guardian — Login</title>
+<style>
+* { margin: 0; padding: 0; box-sizing: border-box; }
+body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', system-ui, sans-serif; background: #0d1117; color: #c9d1d9; display: flex; justify-content: center; align-items: center; min-height: 100vh; }
+.container { background: #161b22; border: 1px solid #30363d; border-radius: 8px; padding: 32px; width: 100%; max-width: 400px; }
+h1 { font-size: 20px; color: #58a6ff; margin-bottom: 8px; }
+h2 { font-size: 14px; color: #8b949e; margin-bottom: 24px; }
+label { display: block; font-size: 13px; color: #8b949e; margin-bottom: 4px; margin-top: 12px; }
+input { width: 100%; padding: 8px 12px; background: #0d1117; border: 1px solid #30363d; border-radius: 6px; color: #c9d1d9; font-size: 14px; }
+input:focus { outline: none; border-color: #58a6ff; }
+button { width: 100%; padding: 10px; background: #238636; color: #fff; border: none; border-radius: 6px; font-size: 14px; cursor: pointer; margin-top: 20px; }
+button:hover { background: #2ea043; }
+.footer { font-size: 12px; color: #8b949e; margin-top: 16px; text-align: center; }
+</style>
+</head>
+<body>
+<div class="container">
+<h1>🛡️ MCP Guardian</h1>
+<h2>Dashboard Authentication</h2>
+${errorHtml}
+<form method="POST" action="/api/login">
+<label for="username">Username</label>
+<input type="text" id="username" name="username" required autofocus>
+<label for="password">Password</label>
+<input type="password" id="password" name="password" required>
+<button type="submit">Sign In</button>
+</form>
+<div class="footer">Internal deployment — authorized access only</div>
+</div>
+</body>
+</html>`;
+    }
+    /**
+     * Check if auth is enabled and required.
+     */
+    isEnabled() {
+        return this.config.enabled && !!(this.config.apiKey || this.config.jwtSecret);
+    }
+    /**
+     * Check if JWT session-based auth is configured (vs API key only).
+     */
+    hasJwtSessionAuth() {
+        return this.config.enabled && !!this.config.jwtSecret;
+    }
+    /**
+     * Create a signed HMAC session token.
+     */
+    createSessionToken() {
+        const payload = Buffer.from(JSON.stringify({
+            iat: Math.floor(Date.now() / 1000),
+            jti: randomBytes(16).toString('hex'),
+        })).toString('base64url');
+        const signature = createHmac('sha256', this.config.jwtSecret || randomBytes(32).toString('hex'))
+            .update(payload)
+            .digest('base64url');
+        const token = `${payload}.${signature}`;
+        this.activeTokens.add(token);
+        // Auto-expire after TTL
+        setTimeout(() => this.activeTokens.delete(token), this.config.sessionTtlSeconds * 1000);
+        return token;
+    }
+    /**
+     * Timing-safe string comparison to prevent timing attacks on API keys.
+     */
+    timingSafeCompare(a, b) {
+        if (a.length !== b.length)
+            return false;
+        const bufA = Buffer.from(a, 'utf-8');
+        const bufB = Buffer.from(b, 'utf-8');
+        return timingSafeEqual(bufA, bufB);
+    }
+    /**
+     * Validate CSRF protection via Origin/Referer headers.
+     */
+    validateCsrf(headers) {
+        const origin = headers['origin'];
+        const referer = headers['referer'];
+        // If both are missing and we're strict, could block
+        // For now, only validate when present
+        if (origin) {
+            if (!this.isAllowedOrigin(origin)) {
+                return { authenticated: false, reason: `Origin '${origin}' not allowed` };
+            }
+        }
+        if (referer) {
+            try {
+                const refererOrigin = new URL(referer).origin;
+                if (!this.isAllowedOrigin(refererOrigin)) {
+                    return { authenticated: false, reason: `Referer origin '${refererOrigin}' not allowed` };
+                }
+            }
+            catch {
+                // Malformed referer — allow through
+            }
+        }
+        return { authenticated: true };
+    }
+    isAllowedOrigin(origin) {
+        return this.config.allowedOrigins.some(allowed => {
+            if (allowed === '*')
+                return true;
+            if (allowed === origin)
+                return true;
+            return false;
+        });
+    }
+    checkLoginRate(ip) {
+        const now = Date.now();
+        let entry = this.loginRateMap.get(ip);
+        if (!entry || now > entry.resetAt) {
+            entry = { count: 1, resetAt: now + 60000 };
+            this.loginRateMap.set(ip, entry);
+            return true;
+        }
+        entry.count++;
+        return entry.count <= this.config.maxLoginAttemptsPerMinute;
+    }
+    normalizeHeaders(headers) {
+        const result = {};
+        for (const [key, value] of Object.entries(headers)) {
+            if (Array.isArray(value))
+                result[key.toLowerCase()] = value[0] || '';
+            else if (value !== undefined)
+                result[key.toLowerCase()] = value;
+        }
+        return result;
+    }
+    cleanupRateMap() {
+        const now = Date.now();
+        for (const [ip, entry] of this.loginRateMap) {
+            if (now > entry.resetAt)
+                this.loginRateMap.delete(ip);
+        }
+    }
+    dispose() {
+        if (this.cleanupInterval)
+            clearInterval(this.cleanupInterval);
+        this.activeTokens.clear();
+        this.loginRateMap.clear();
+    }
+}
+//# sourceMappingURL=dashboard-auth.js.map

package/dist/auth/dashboard-auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"dashboard-auth.js","sourceRoot":"","sources":["../../src/auth/dashboard-auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AACH,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,QAAQ,CAAC;AAClE,OAAO,EAAE,MAAM,EAAE,MAAM,oBAAoB,CAAC;AAC5C,OAAO,EAAE,gBAAgB,EAAE,MAAM,+BAA+B,CAAC;AA+BjE;;;;;;GAMG;AACH,MAAM,OAAO,aAAa;IAChB,MAAM,CAAsB;IAC5B,YAAY,GAAgC,IAAI,GAAG,EAAE,CAAC;IACtD,YAAY,GAAgB,IAAI,GAAG,EAAE,CAAC;IACtC,eAAe,GAA0C,IAAI,CAAC;IAEtE,YAAY,MAAqC;QAC/C,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,wBAAwB,CAAC,KAAK,MAAM,CAAC;QAEjE,IAAI,CAAC,MAAM,GAAG;YACZ,OAAO,EAAE,MAAM,EAAE,OAAO,IAAI,OAAO;YACnC,MAAM,EAAE,MAAM,EAAE,MAAM,IAAI,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,IAAI,SAAS;YACvE,SAAS,EAAE,MAAM,EAAE,SAAS,IAAI,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC,IAAI,SAAS;YAChF,iBAAiB,EAAE,MAAM,EAAE,iBAAiB,IAAI,IAAI;YACpD,cAAc,EAAE,MAAM,EAAE,cAAc,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,2BAA2B,CAAC;gBACjF,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,2BAA2B,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;gBACxE,CAAC,CAAC,CAAC,uBAAuB,EAAE,uBAAuB,EAAE,uBAAuB,CAAC,CAAC;YAChF,yBAAyB,EAAE,MAAM,EAAE,yBAAyB,IAAI,CAAC;SAClE,CAAC;QAEF,IAAI,IAAI,CAAC,MAAM,CAAC,OAAO,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;YAC9C,MAAM,CAAC,IAAI,CAAC,iDAAiD,CAAC,CAAC;QACjE,CAAC;aAAM,IAAI,IAAI,CAAC,MAAM,CAAC,OAAO,IAAI,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;YACxD,MAAM,CAAC,IAAI,CAAC,qDAAqD,CAAC,CAAC;QACrE,CAAC;aAAM,IAAI,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YAC/B,MAAM,CAAC,IAAI,CAAC,uEAAuE,CAAC,CAAC;QACvF,CAAC;QAED,yCAAyC;QACzC,IAAI,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YACxB,IAAI,CAAC,eAAe,GAAG,WAAW,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,cAAc,EAAE,EAAE,KAAK,CAAC,CAAC;QACzE,CAAC;IACH,CAAC;IAED;;;;;;OAMG;IACH,YAAY,CAAC,GAIZ;QACC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YACzB,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,CAAC;QACxD,CAAC;QAED,MAAM,GAAG,GAAG,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC;QAC3B,MAAM,OAAO,GAAG,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC;QAEzD,yCAAyC;QACzC,IAAI,GAAG,CAAC,MAAM,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;YAC1E,MAAM,UAAU,GAAG,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC;YAC9C,IAAI,CAAC,UAAU,CAAC,aAAa;gBAAE,OAAO,UAAU,CAAC;QACnD,CAAC;QAED,kCAAkC;QAClC,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,EAAE,kBAAkB,CAAC,CAAC;YAChD,MAAM,QAAQ,GAAG,MAAM,CAAC,YAAY,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;YACpD,IAAI,QAAQ,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;gBACnC,IAAI,IAAI,CAAC,iBAAiB,CAAC,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC;oBACzD,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC;gBACtD,CAAC;YACH,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,iDAAiD;QACnD,CAAC;QAED,mCAAmC;QACnC,MAAM,UAAU,GAAG,OAAO,CAAC,eAAe,CAAC,CAAC;QAC5C,IAAI,UAAU,EAAE,CAAC;YACf,MAAM,WAAW,GAAG,UAAU,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC;YACzD,IAAI,WAAW,EAAE,CAAC;gBAChB,MAAM,KAAK,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC;gBAE7B,4BAA4B;gBAC5B,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,IAAI,IAAI,CAAC,iBAAiB,CAAC,KAAK,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC;oBAC5E,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC;gBACtD,CAAC;gBAED,sCAAsC;gBACtC,IAAI,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;oBACjC,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC;gBACtD,CAAC;YACH,CAAC;QACH,CAAC;QAED,+BAA+B;QAC/B,MAAM,YAAY,GAAG,OAAO,CAAC,WAAW,CAAC,CAAC;QAC1C,IAAI,YAAY,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;YACvC,IAAI,IAAI,CAAC,iBAAiB,CAAC,YAAY,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC;gBAC7D,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC;YACtD,CAAC;QACH,CAAC;QAED,OAAO,EAAE,aAAa,EAAE,KAAK,EAAE,MAAM,EAAE,kCAAkC,EAAE,CAAC;IAC9E,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,GAKL;QACC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;YACnD,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,oDAAoD,EAAE,CAAC;QACzF,CAAC;QAED,kCAAkC;QAClC,MAAM,EAAE,GAAG,GAAG,CAAC,EAAE,IAAI,SAAS,CAAC;QAC/B,IAAI,CAAC,IAAI,CAAC,cAAc,CAAC,EAAE,CAAC,EAAE,CAAC;YAC7B,gBAAgB,CAAC,IAAI,CAAC;gBACpB,KAAK,EAAE,8BAA8B;gBACrC,EAAE;aACH,CAAC,CAAC;YACH,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,2CAA2C,EAAE,CAAC;QAChF,CAAC;QAED,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC;QAE5B,yBAAyB;QACzB,IAAI,IAAI,CAAC,OAAO,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,IAAI,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC;YACnG,MAAM,KAAK,GAAG,IAAI,CAAC,kBAAkB,EAAE,CAAC;YACxC,MAAM,CAAC,IAAI,CAAC,2CAA2C,EAAE,EAAE,CAAC,CAAC;YAC7D,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;QAClC,CAAC;QAED,0BAA0B;QAC1B,MAAM,gBAAgB,GAAG,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC;QAC3D,MAAM,gBAAgB,GAAG,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC;QAE3D,IAAI,CAAC,gBAAgB,IAAI,CAAC,gBAAgB,EAAE,CAAC;YAC3C,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,4FAA4F,EAAE,CAAC;QACjI,CAAC;QAED,IACE,IAAI,CAAC,QAAQ,KAAK,gBAAgB;YAClC,IAAI,CAAC,QAAQ;YACb,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,QAAQ,EAAE,gBAAgB,CAAC,EACvD,CAAC;YACD,MAAM,KAAK,GAAG,IAAI,CAAC,kBAAkB,EAAE,CAAC;YACxC,gBAAgB,CAAC,IAAI,CAAC;gBACpB,KAAK,EAAE,iBAAiB;gBACxB,EAAE;gBACF,QAAQ,EAAE,IAAI,CAAC,QAAQ;aACxB,CAAC,CAAC;YACH,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;QAClC,CAAC;QAED,gBAAgB,CAAC,IAAI,CAAC;YACpB,KAAK,EAAE,wBAAwB;YAC/B,EAAE;YACF,QAAQ,EAAE,IAAI,CAAC,QAAQ,IAAI,SAAS;SACrC,CAAC,CAAC;QAEH,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,qBAAqB,EAAE,CAAC;IAC1D,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,KAAa;QAClB,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAClC,CAAC;IAED;;OAEG;IACH,gBAAgB,CAAC,KAAc;QAC7B,MAAM,SAAS,GAAG,KAAK,CAAC,CAAC,CAAC,mGAAmG,KAAK,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC;QAEhJ,OAAO;;;;;;;;;;;;;;;;;;;;;;;;EAwBT,SAAS;;;;;;;;;;;QAWH,CAAC;IACP,CAAC;IAED;;OAEG;IACH,SAAS;QACP,OAAO,IAAI,CAAC,MAAM,CAAC,OAAO,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,IAAI,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IAChF,CAAC;IAED;;OAEG;IACH,iBAAiB;QACf,OAAO,IAAI,CAAC,MAAM,CAAC,OAAO,IAAI,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC;IACxD,CAAC;IAED;;OAEG;IACK,kBAAkB;QACxB,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC;YACzC,GAAG,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;YAClC,GAAG,EAAE,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC;SACrC,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;QAE1B,MAAM,SAAS,GAAG,UAAU,CAAC,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,SAAS,IAAI,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;aAC7F,MAAM,CAAC,OAAO,CAAC;aACf,MAAM,CAAC,WAAW,CAAC,CAAC;QAEvB,MAAM,KAAK,GAAG,GAAG,OAAO,IAAI,SAAS,EAAE,CAAC;QACxC,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QAE7B,wBAAwB;QACxB,UAAU,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,IAAI,CAAC,MAAM,CAAC,iBAAiB,GAAG,IAAI,CAAC,CAAC;QAExF,OAAO,KAAK,CAAC;IACf,CAAC;IAED;;OAEG;IACK,iBAAiB,CAAC,CAAS,EAAE,CAAS;QAC5C,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,MAAM;YAAE,OAAO,KAAK,CAAC;QACxC,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;QACrC,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;QACrC,OAAO,eAAe,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;IACrC,CAAC;IAED;;OAEG;IACK,YAAY,CAAC,OAA+B;QAClD,MAAM,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;QACjC,MAAM,OAAO,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC;QAEnC,oDAAoD;QACpD,sCAAsC;QACtC,IAAI,MAAM,EAAE,CAAC;YACX,IAAI,CAAC,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC,EAAE,CAAC;gBAClC,OAAO,EAAE,aAAa,EAAE,KAAK,EAAE,MAAM,EAAE,WAAW,MAAM,eAAe,EAAE,CAAC;YAC5E,CAAC;QACH,CAAC;QAED,IAAI,OAAO,EAAE,CAAC;YACZ,IAAI,CAAC;gBACH,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC;gBAC9C,IAAI,CAAC,IAAI,CAAC,eAAe,CAAC,aAAa,CAAC,EAAE,CAAC;oBACzC,OAAO,EAAE,aAAa,EAAE,KAAK,EAAE,MAAM,EAAE,mBAAmB,aAAa,eAAe,EAAE,CAAC;gBAC3F,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,oCAAoC;YACtC,CAAC;QACH,CAAC;QAED,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;IACjC,CAAC;IAEO,eAAe,CAAC,MAAc;QACpC,OAAO,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE;YAC/C,IAAI,OAAO,KAAK,GAAG;gBAAE,OAAO,IAAI,CAAC;YACjC,IAAI,OAAO,KAAK,MAAM;gBAAE,OAAO,IAAI,CAAC;YACpC,OAAO,KAAK,CAAC;QACf,CAAC,CAAC,CAAC;IACL,CAAC;IAEO,cAAc,CAAC,EAAU;QAC/B,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,IAAI,KAAK,GAAG,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QACtC,IAAI,CAAC,KAAK,IAAI,GAAG,GAAG,KAAK,CAAC,OAAO,EAAE,CAAC;YAClC,KAAK,GAAG,EAAE,KAAK,EAAE,CAAC,EAAE,OAAO,EAAE,GAAG,GAAG,KAAK,EAAE,CAAC;YAC3C,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC;YACjC,OAAO,IAAI,CAAC;QACd,CAAC;QACD,KAAK,CAAC,KAAK,EAAE,CAAC;QACd,OAAO,KAAK,CAAC,KAAK,IAAI,IAAI,CAAC,MAAM,CAAC,yBAAyB,CAAC;IAC9D,CAAC;IAEO,gBAAgB,CAAC,OAAsD;QAC7E,MAAM,MAAM,GAA2B,EAAE,CAAC;QAC1C,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;YACnD,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;gBAAE,MAAM,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;iBAChE,IAAI,KAAK,KAAK,SAAS;gBAAE,MAAM,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC,GAAG,KAAK,CAAC;QAClE,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IAEO,cAAc;QACpB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,KAAK,MAAM,CAAC,EAAE,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;YAC5C,IAAI,GAAG,GAAG,KAAK,CAAC,OAAO;gBAAE,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;QACxD,CAAC;IACH,CAAC;IAED,OAAO;QACL,IAAI,IAAI,CAAC,eAAe;YAAE,aAAa,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;QAC9D,IAAI,CAAC,YAAY,CAAC,KAAK,EAAE,CAAC;QAC1B,IAAI,CAAC,YAAY,CAAC,KAAK,EAAE,CAAC;IAC5B,CAAC;CACF"}

package/dist/auth/dpop.d.ts

@@ -0,0 +1,38 @@
+import * as jose from 'jose';
+/**
+ * DPoP (Demonstrating Proof of Possession) — RFC 9449.
+ * Validates sender-constrained tokens to prevent token replay.
+ * The client must include a DPoP proof JWT in the DPoP header.
+ */
+export interface DPoPProof {
+    /** The access token hash (ath) claim */
+    ath?: string;
+    /** The HTTP method of the request */
+    htm: string;
+    /** The HTTP URI of the request */
+    htu: string;
+    /** Issued at (Unix timestamp) */
+    iat: number;
+    /** Unique JWT ID for replay detection */
+    jti: string;
+}
+export declare class DPoPValidator {
+    private usedNonces;
+    private readonly nonceTtlMs;
+    private lastCleanup;
+    constructor(nonceTtlMs?: number);
+    /**
+     * Validate a DPoP proof JWT.
+     * Checks: signature (JWK), htm, htu, iat freshness (60s window), ath (if access token provided), nonce replay.
+     */
+    validate(proofToken: string, jwk: jose.JWK, httpMethod: string, httpUri: string, accessToken?: string): Promise<{
+        valid: boolean;
+        error?: string;
+    }>;
+    /**
+     * Compute the access token hash (ath) as per RFC 9449 §4.2.
+     * ath = base64url(sha256(access_token))
+     */
+    private computeAth;
+}
+//# sourceMappingURL=dpop.d.ts.map

package/dist/auth/dpop.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"dpop.d.ts","sourceRoot":"","sources":["../../src/auth/dpop.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAG7B;;;;GAIG;AACH,MAAM,WAAW,SAAS;IACxB,wCAAwC;IACxC,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,qCAAqC;IACrC,GAAG,EAAE,MAAM,CAAC;IACZ,kCAAkC;IAClC,GAAG,EAAE,MAAM,CAAC;IACZ,iCAAiC;IACjC,GAAG,EAAE,MAAM,CAAC;IACZ,yCAAyC;IACzC,GAAG,EAAE,MAAM,CAAC;CACb;AAED,qBAAa,aAAa;IACxB,OAAO,CAAC,UAAU,CAA0B;IAC5C,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAS;IACpC,OAAO,CAAC,WAAW,CAAsB;gBAE7B,UAAU,GAAE,MAAuB;IAI/C;;;OAGG;IACG,QAAQ,CAAC,UAAU,EAAE,MAAM,EAAE,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE,UAAU,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,WAAW,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC;QAAE,KAAK,EAAE,OAAO,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IAyDzJ;;;OAGG;YACW,UAAU;CAIzB"}

package/dist/auth/dpop.js

@@ -0,0 +1,72 @@
+import * as jose from 'jose';
+import { Logger } from '../utils/logger.js';
+export class DPoPValidator {
+    usedNonces = new Set();
+    nonceTtlMs;
+    lastCleanup = Date.now();
+    constructor(nonceTtlMs = 10 * 60 * 1000) {
+        this.nonceTtlMs = nonceTtlMs;
+    }
+    /**
+     * Validate a DPoP proof JWT.
+     * Checks: signature (JWK), htm, htu, iat freshness (60s window), ath (if access token provided), nonce replay.
+     */
+    async validate(proofToken, jwk, httpMethod, httpUri, accessToken) {
+        try {
+            // Verify the proof JWT is signed by the client's private key matching the JWK
+            const publicKey = await jose.importJWK(jwk, 'ES256');
+            const { payload } = await jose.jwtVerify(proofToken, publicKey, {
+                algorithms: ['ES256', 'RS256', 'EdDSA'],
+                clockTolerance: 10,
+            });
+            const proof = payload;
+            // Validate htm (HTTP method)
+            if (proof.htm !== httpMethod.toUpperCase()) {
+                return { valid: false, error: `DPoP: htm mismatch (expected ${httpMethod.toUpperCase()}, got ${proof.htm})` };
+            }
+            // Validate htu (HTTP URI) — must match the request URI
+            if (proof.htu !== httpUri) {
+                return { valid: false, error: `DPoP: htu mismatch (expected ${httpUri}, got ${proof.htu})` };
+            }
+            // Validate iat freshness (must be within last 60 seconds)
+            const now = Math.floor(Date.now() / 1000);
+            if (proof.iat < now - 60) {
+                return { valid: false, error: 'DPoP: proof too old (iat > 60s ago)' };
+            }
+            if (proof.iat > now + 10) {
+                return { valid: false, error: 'DPoP: proof from the future' };
+            }
+            // Validate nonce (jti) for replay detection
+            if (this.usedNonces.has(proof.jti)) {
+                Logger.warn(`[dpop] Replay detected: jti ${proof.jti}`);
+                return { valid: false, error: 'DPoP: nonce already used (replay detected)' };
+            }
+            this.usedNonces.add(proof.jti);
+            // Validate ath (access token hash) if access token provided
+            if (accessToken && proof.ath) {
+                const expectedAth = await this.computeAth(accessToken);
+                if (proof.ath !== expectedAth) {
+                    return { valid: false, error: 'DPoP: ath mismatch (access token hash does not match)' };
+                }
+            }
+            // Periodic cleanup of old nonces
+            if (Date.now() - this.lastCleanup > 60000) {
+                this.usedNonces.clear();
+                this.lastCleanup = Date.now();
+            }
+            return { valid: true };
+        }
+        catch (err) {
+            return { valid: false, error: `DPoP validation failed: ${err?.message}` };
+        }
+    }
+    /**
+     * Compute the access token hash (ath) as per RFC 9449 §4.2.
+     * ath = base64url(sha256(access_token))
+     */
+    async computeAth(accessToken) {
+        const digest = await crypto.subtle.digest('SHA-256', new TextEncoder().encode(accessToken));
+        return Buffer.from(digest).toString('base64url');
+    }
+}
+//# sourceMappingURL=dpop.js.map

package/dist/auth/dpop.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"dpop.js","sourceRoot":"","sources":["../../src/auth/dpop.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAC7B,OAAO,EAAE,MAAM,EAAE,MAAM,oBAAoB,CAAC;AAoB5C,MAAM,OAAO,aAAa;IAChB,UAAU,GAAgB,IAAI,GAAG,EAAE,CAAC;IAC3B,UAAU,CAAS;IAC5B,WAAW,GAAW,IAAI,CAAC,GAAG,EAAE,CAAC;IAEzC,YAAY,aAAqB,EAAE,GAAG,EAAE,GAAG,IAAI;QAC7C,IAAI,CAAC,UAAU,GAAG,UAAU,CAAC;IAC/B,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,QAAQ,CAAC,UAAkB,EAAE,GAAa,EAAE,UAAkB,EAAE,OAAe,EAAE,WAAoB;QACzG,IAAI,CAAC;YACH,8EAA8E;YAC9E,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;YACrD,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,UAAU,EAAE,SAAS,EAAE;gBAC9D,UAAU,EAAE,CAAC,OAAO,EAAE,OAAO,EAAE,OAAO,CAAC;gBACvC,cAAc,EAAE,EAAE;aACnB,CAAC,CAAC;YAEH,MAAM,KAAK,GAAG,OAA+B,CAAC;YAE9C,6BAA6B;YAC7B,IAAI,KAAK,CAAC,GAAG,KAAK,UAAU,CAAC,WAAW,EAAE,EAAE,CAAC;gBAC3C,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,gCAAgC,UAAU,CAAC,WAAW,EAAE,SAAS,KAAK,CAAC,GAAG,GAAG,EAAE,CAAC;YAChH,CAAC;YAED,uDAAuD;YACvD,IAAI,KAAK,CAAC,GAAG,KAAK,OAAO,EAAE,CAAC;gBAC1B,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,gCAAgC,OAAO,SAAS,KAAK,CAAC,GAAG,GAAG,EAAE,CAAC;YAC/F,CAAC;YAED,0DAA0D;YAC1D,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;YAC1C,IAAI,KAAK,CAAC,GAAG,GAAG,GAAG,GAAG,EAAE,EAAE,CAAC;gBACzB,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,qCAAqC,EAAE,CAAC;YACxE,CAAC;YACD,IAAI,KAAK,CAAC,GAAG,GAAG,GAAG,GAAG,EAAE,EAAE,CAAC;gBACzB,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,6BAA6B,EAAE,CAAC;YAChE,CAAC;YAED,4CAA4C;YAC5C,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC;gBACnC,MAAM,CAAC,IAAI,CAAC,+BAA+B,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC;gBACxD,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,4CAA4C,EAAE,CAAC;YAC/E,CAAC;YACD,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAE/B,4DAA4D;YAC5D,IAAI,WAAW,IAAI,KAAK,CAAC,GAAG,EAAE,CAAC;gBAC7B,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,WAAW,CAAC,CAAC;gBACvD,IAAI,KAAK,CAAC,GAAG,KAAK,WAAW,EAAE,CAAC;oBAC9B,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,uDAAuD,EAAE,CAAC;gBAC1F,CAAC;YACH,CAAC;YAED,iCAAiC;YACjC,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,WAAW,GAAG,KAAK,EAAE,CAAC;gBAC1C,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,CAAC;gBACxB,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YAChC,CAAC;YAED,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;QACzB,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,2BAA2B,GAAG,EAAE,OAAO,EAAE,EAAE,CAAC;QAC5E,CAAC;IACH,CAAC;IAED;;;OAGG;IACK,KAAK,CAAC,UAAU,CAAC,WAAmB;QAC1C,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC;QAC5F,OAAO,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IACnD,CAAC;CACF"}

package/dist/auth/oauth.d.ts

@@ -0,0 +1,25 @@
+import { AuthConfig, AuthValidationResult, OIDCDiscovery } from './auth-types.js';
+export declare class OAuthValidator {
+    private config;
+    private jwks;
+    private cachedDiscovery;
+    constructor(config: AuthConfig);
+    /**
+     * Perform OIDC discovery to fetch JWKS URI from issuer.
+     */
+    discover(): Promise<OIDCDiscovery>;
+    /**
+     * Initialize JWKS from discovery or explicit URI.
+     */
+    init(): Promise<void>;
+    /**
+     * Validate a JWT bearer token and extract agent identity.
+     */
+    validate(token: string): Promise<AuthValidationResult>;
+    /**
+     * Extract Bearer token from Authorization header.
+     */
+    static extractToken(authorizationHeader?: string): string | null;
+    getConfig(): AuthConfig;
+}
+//# sourceMappingURL=oauth.d.ts.map

package/dist/auth/oauth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth.d.ts","sourceRoot":"","sources":["../../src/auth/oauth.ts"],"names":[],"mappings":"AASA,OAAO,EAAE,UAAU,EAAE,oBAAoB,EAAiB,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAGjG,qBAAa,cAAc;IACzB,OAAO,CAAC,MAAM,CAAa;IAC3B,OAAO,CAAC,IAAI,CAA2D;IACvE,OAAO,CAAC,eAAe,CAA8B;gBAEzC,MAAM,EAAE,UAAU;IAI9B;;OAEG;IACG,QAAQ,IAAI,OAAO,CAAC,aAAa,CAAC;IAiBxC;;OAEG;IACG,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;IAS3B;;OAEG;IACG,QAAQ,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,oBAAoB,CAAC;IAkC5D;;OAEG;IACH,MAAM,CAAC,YAAY,CAAC,mBAAmB,CAAC,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;IAMhE,SAAS,IAAI,UAAU;CAGxB"}