@mcp-ts/sdk 2.3.3 → 2.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (82) hide show
  1. package/README.md +113 -30
  2. package/dist/adapters/agui-adapter.d.mts +3 -3
  3. package/dist/adapters/agui-adapter.d.ts +3 -3
  4. package/dist/adapters/agui-middleware.d.mts +3 -3
  5. package/dist/adapters/agui-middleware.d.ts +3 -3
  6. package/dist/adapters/ai-adapter.d.mts +3 -3
  7. package/dist/adapters/ai-adapter.d.ts +3 -3
  8. package/dist/adapters/langchain-adapter.d.mts +3 -3
  9. package/dist/adapters/langchain-adapter.d.ts +3 -3
  10. package/dist/adapters/mastra-adapter.d.mts +1 -1
  11. package/dist/adapters/mastra-adapter.d.ts +1 -1
  12. package/dist/client/index.d.mts +2 -2
  13. package/dist/client/index.d.ts +2 -2
  14. package/dist/client/index.js +2 -2
  15. package/dist/client/index.js.map +1 -1
  16. package/dist/client/index.mjs +2 -2
  17. package/dist/client/index.mjs.map +1 -1
  18. package/dist/client/react.d.mts +9 -8
  19. package/dist/client/react.d.ts +9 -8
  20. package/dist/client/react.js +66 -26
  21. package/dist/client/react.js.map +1 -1
  22. package/dist/client/react.mjs +67 -27
  23. package/dist/client/react.mjs.map +1 -1
  24. package/dist/client/vue.d.mts +6 -5
  25. package/dist/client/vue.d.ts +6 -5
  26. package/dist/client/vue.js +27 -17
  27. package/dist/client/vue.js.map +1 -1
  28. package/dist/client/vue.mjs +27 -17
  29. package/dist/client/vue.mjs.map +1 -1
  30. package/dist/{index-Cfjsme-a.d.mts → index-ByIjEReo.d.mts} +2 -2
  31. package/dist/{index-CmjMd2ac.d.ts → index-CtXvKl8N.d.ts} +2 -2
  32. package/dist/index.d.mts +5 -5
  33. package/dist/index.d.ts +5 -5
  34. package/dist/index.js +729 -397
  35. package/dist/index.js.map +1 -1
  36. package/dist/index.mjs +724 -396
  37. package/dist/index.mjs.map +1 -1
  38. package/dist/{multi-session-client-DYNe6az3.d.mts → multi-session-client-CIMUGF8S.d.mts} +15 -41
  39. package/dist/{multi-session-client-BYtguGJm.d.ts → multi-session-client-CnvZEGPY.d.ts} +15 -41
  40. package/dist/server/index.d.mts +45 -17
  41. package/dist/server/index.d.ts +45 -17
  42. package/dist/server/index.js +721 -391
  43. package/dist/server/index.js.map +1 -1
  44. package/dist/server/index.mjs +718 -391
  45. package/dist/server/index.mjs.map +1 -1
  46. package/dist/shared/index.d.mts +9 -8
  47. package/dist/shared/index.d.ts +9 -8
  48. package/dist/shared/index.js +7 -5
  49. package/dist/shared/index.js.map +1 -1
  50. package/dist/shared/index.mjs +5 -4
  51. package/dist/shared/index.mjs.map +1 -1
  52. package/dist/{tool-router-BMzhoNYt.d.ts → tool-router-CZMrOG8J.d.ts} +1 -1
  53. package/dist/{tool-router-BhHsvBfP.d.mts → tool-router-CuApsDiV.d.mts} +1 -1
  54. package/dist/{types-CxFaaZrM.d.mts → types-DCk_IF4L.d.mts} +5 -3
  55. package/dist/{types-CxFaaZrM.d.ts → types-DCk_IF4L.d.ts} +5 -3
  56. package/migrations/neon/20260513010000_install_mcp_sessions.sql +40 -3
  57. package/migrations/neon/20260513020000_add_session_cleanup_cron.sql +4 -4
  58. package/migrations/supabase/20260330195700_install_mcp_sessions.sql +67 -3
  59. package/migrations/supabase/20260421010000_add_session_cleanup_cron.sql +6 -6
  60. package/package.json +13 -3
  61. package/src/client/core/sse-client.ts +2 -2
  62. package/src/client/react/index.ts +1 -1
  63. package/src/client/react/oauth-popup.tsx +34 -13
  64. package/src/client/react/use-mcp.ts +19 -45
  65. package/src/client/utils/session-state.ts +43 -0
  66. package/src/client/vue/use-mcp.ts +18 -47
  67. package/src/server/handlers/sse-handler.ts +9 -4
  68. package/src/server/mcp/multi-session-client.ts +2 -6
  69. package/src/server/mcp/oauth-client.ts +73 -220
  70. package/src/server/mcp/storage-oauth-provider.ts +79 -50
  71. package/src/server/storage/file-backend.ts +74 -18
  72. package/src/server/storage/index.ts +2 -4
  73. package/src/server/storage/memory-backend.ts +49 -13
  74. package/src/server/storage/neon-backend.ts +201 -68
  75. package/src/server/storage/redis-backend.ts +81 -23
  76. package/src/server/storage/session-lifecycle.ts +78 -0
  77. package/src/server/storage/sqlite-backend.ts +89 -15
  78. package/src/server/storage/supabase-backend.ts +188 -63
  79. package/src/server/storage/types.ts +49 -16
  80. package/src/shared/constants.ts +5 -6
  81. package/src/shared/types.ts +5 -3
  82. package/src/shared/utils.ts +26 -0
@@ -18,8 +18,6 @@ interface AgentsOAuthProvider extends OAuthClientProvider {
18
18
  }>;
19
19
  consumeState(state: string): Promise<void>;
20
20
  deleteCodeVerifier(): Promise<void>;
21
- isTokenExpired(): boolean;
22
- setTokenExpiresAt(expiresAt: number): void;
23
21
  }
24
22
  interface StorageOAuthClientProviderOptions {
25
23
  userId: string;
@@ -51,7 +49,6 @@ declare class StorageOAuthClientProvider implements AgentsOAuthProvider {
51
49
  private _authUrl;
52
50
  private _clientId;
53
51
  private onRedirectCallback?;
54
- private tokenExpiresAt?;
55
52
  /**
56
53
  * Creates a new session-backed OAuth provider
57
54
  * @param options - Provider configuration
@@ -61,17 +58,17 @@ declare class StorageOAuthClientProvider implements AgentsOAuthProvider {
61
58
  get clientId(): string | undefined;
62
59
  set clientId(clientId_: string | undefined);
63
60
  /**
64
- * Loads OAuth data from the session store
61
+ * Loads OAuth credentials from the session store
65
62
  * @private
66
63
  */
67
- private getSessionData;
64
+ private getCredentials;
68
65
  /**
69
- * Saves OAuth data to the session store
70
- * @param data - Partial OAuth data to save
66
+ * Saves OAuth credentials to the session store
67
+ * @param data - Partial OAuth credentials to save
71
68
  * @private
72
69
  * @throws Error if session doesn't exist (session must be created by controller layer)
73
70
  */
74
- private saveSessionData;
71
+ private patchCredentials;
75
72
  /**
76
73
  * Retrieves stored OAuth client information
77
74
  */
@@ -86,20 +83,18 @@ declare class StorageOAuthClientProvider implements AgentsOAuthProvider {
86
83
  saveTokens(tokens: OAuthTokens): Promise<void>;
87
84
  get authUrl(): string | undefined;
88
85
  state(): Promise<string>;
89
- checkState(_state: string): Promise<{
86
+ checkState(state: string): Promise<{
90
87
  valid: boolean;
91
88
  serverId?: string;
92
89
  error?: string;
93
90
  }>;
94
- consumeState(_state: string): Promise<void>;
91
+ consumeState(state: string): Promise<void>;
95
92
  redirectToAuthorization(authUrl: URL): Promise<void>;
96
93
  invalidateCredentials(scope: "all" | "client" | "tokens" | "verifier"): Promise<void>;
97
94
  saveCodeVerifier(verifier: string): Promise<void>;
98
95
  codeVerifier(): Promise<string>;
99
96
  deleteCodeVerifier(): Promise<void>;
100
97
  tokens(): Promise<OAuthTokens | undefined>;
101
- isTokenExpired(): boolean;
102
- setTokenExpiresAt(expiresAt: number): void;
103
98
  }
104
99
 
105
100
  /**
@@ -198,11 +193,15 @@ declare class MCPClient {
198
193
  /**
199
194
  * Saves current session state to the session store
200
195
  * Creates new session if it doesn't exist, updates if it does
201
- * @param ttl - Time-to-live in seconds (defaults to 12hr for connected sessions)
202
- * @param active - Session status marker used to avoid unnecessary TTL rewrites
196
+ * @param status - Session lifecycle status used by storage cleanup
203
197
  * @private
204
198
  */
205
199
  private saveSession;
200
+ /**
201
+ * Removes transient setup/auth sessions without masking the original error.
202
+ * @private
203
+ */
204
+ private deleteTransientSession;
206
205
  /**
207
206
  * Try to connect using available transports
208
207
  * @returns The corrected transport type object if successful
@@ -223,7 +222,7 @@ declare class MCPClient {
223
222
  * Saves active session to Redis after successful authentication
224
223
  * @param authCode - Authorization code received from OAuth callback
225
224
  */
226
- finishAuth(authCode: string): Promise<void>;
225
+ finishAuth(authCode: string, state?: string): Promise<void>;
227
226
  /**
228
227
  * Lists all available tools from the connected MCP server
229
228
  * @returns List of tools with their schemas and descriptions
@@ -265,18 +264,6 @@ declare class MCPClient {
265
264
  * @throws {Error} When client is not connected
266
265
  */
267
266
  readResource(uri: string): Promise<ReadResourceResult>;
268
- /**
269
- * Refreshes the OAuth access token using the refresh token
270
- * Discovers OAuth metadata from server and exchanges refresh token for new access token
271
- * @returns True if refresh was successful, false otherwise
272
- */
273
- refreshToken(): Promise<boolean>;
274
- /**
275
- * Ensures OAuth tokens are valid, refreshing them if expired
276
- * Called automatically by connect() - rarely needs to be called manually
277
- * @returns True if valid tokens are available, false otherwise
278
- */
279
- getValidTokens(): Promise<boolean>;
280
267
  /**
281
268
  * Reconnects to MCP server using existing OAuth provider from Redis
282
269
  * Used for session restoration in serverless environments
@@ -334,15 +321,6 @@ declare class MCPClient {
334
321
  * @returns Session ID
335
322
  */
336
323
  getSessionId(): string;
337
- /**
338
- * Gets MCP server configuration for all active user sessions
339
- * Loads sessions from Redis, validates OAuth tokens, refreshes if expired
340
- * Returns ready-to-use configuration with valid auth headers
341
- * @param userId - User ID to fetch sessions for
342
- * @returns Object keyed by sanitized server labels containing transport, url, headers, etc.
343
- * @static
344
- */
345
- static getMcpServerConfig(userId: string): Promise<Record<string, any>>;
346
324
  }
347
325
 
348
326
  /**
@@ -392,12 +370,8 @@ declare class MultiSessionClient {
392
370
  *
393
371
  * A session is considered connectable when:
394
372
  * - It has a `serverId`, `serverUrl`, and `callbackUrl` (i.e. it was fully initialized)
395
- * - Its `active` flag is not explicitly `false` sessions with `active: false` are
396
- * either mid-OAuth flow, auth-pending, or previously failed. We skip those here
373
+ * - Its status is `active`. Pending sessions are skipped here
397
374
  * and let the OAuth flow complete separately before we try to reconnect them.
398
- *
399
- * Note: Sessions where `active` is `undefined` (legacy records) are included
400
- * for backwards compatibility.
401
375
  */
402
376
  private getActiveSessions;
403
377
  /**
@@ -18,8 +18,6 @@ interface AgentsOAuthProvider extends OAuthClientProvider {
18
18
  }>;
19
19
  consumeState(state: string): Promise<void>;
20
20
  deleteCodeVerifier(): Promise<void>;
21
- isTokenExpired(): boolean;
22
- setTokenExpiresAt(expiresAt: number): void;
23
21
  }
24
22
  interface StorageOAuthClientProviderOptions {
25
23
  userId: string;
@@ -51,7 +49,6 @@ declare class StorageOAuthClientProvider implements AgentsOAuthProvider {
51
49
  private _authUrl;
52
50
  private _clientId;
53
51
  private onRedirectCallback?;
54
- private tokenExpiresAt?;
55
52
  /**
56
53
  * Creates a new session-backed OAuth provider
57
54
  * @param options - Provider configuration
@@ -61,17 +58,17 @@ declare class StorageOAuthClientProvider implements AgentsOAuthProvider {
61
58
  get clientId(): string | undefined;
62
59
  set clientId(clientId_: string | undefined);
63
60
  /**
64
- * Loads OAuth data from the session store
61
+ * Loads OAuth credentials from the session store
65
62
  * @private
66
63
  */
67
- private getSessionData;
64
+ private getCredentials;
68
65
  /**
69
- * Saves OAuth data to the session store
70
- * @param data - Partial OAuth data to save
66
+ * Saves OAuth credentials to the session store
67
+ * @param data - Partial OAuth credentials to save
71
68
  * @private
72
69
  * @throws Error if session doesn't exist (session must be created by controller layer)
73
70
  */
74
- private saveSessionData;
71
+ private patchCredentials;
75
72
  /**
76
73
  * Retrieves stored OAuth client information
77
74
  */
@@ -86,20 +83,18 @@ declare class StorageOAuthClientProvider implements AgentsOAuthProvider {
86
83
  saveTokens(tokens: OAuthTokens): Promise<void>;
87
84
  get authUrl(): string | undefined;
88
85
  state(): Promise<string>;
89
- checkState(_state: string): Promise<{
86
+ checkState(state: string): Promise<{
90
87
  valid: boolean;
91
88
  serverId?: string;
92
89
  error?: string;
93
90
  }>;
94
- consumeState(_state: string): Promise<void>;
91
+ consumeState(state: string): Promise<void>;
95
92
  redirectToAuthorization(authUrl: URL): Promise<void>;
96
93
  invalidateCredentials(scope: "all" | "client" | "tokens" | "verifier"): Promise<void>;
97
94
  saveCodeVerifier(verifier: string): Promise<void>;
98
95
  codeVerifier(): Promise<string>;
99
96
  deleteCodeVerifier(): Promise<void>;
100
97
  tokens(): Promise<OAuthTokens | undefined>;
101
- isTokenExpired(): boolean;
102
- setTokenExpiresAt(expiresAt: number): void;
103
98
  }
104
99
 
105
100
  /**
@@ -198,11 +193,15 @@ declare class MCPClient {
198
193
  /**
199
194
  * Saves current session state to the session store
200
195
  * Creates new session if it doesn't exist, updates if it does
201
- * @param ttl - Time-to-live in seconds (defaults to 12hr for connected sessions)
202
- * @param active - Session status marker used to avoid unnecessary TTL rewrites
196
+ * @param status - Session lifecycle status used by storage cleanup
203
197
  * @private
204
198
  */
205
199
  private saveSession;
200
+ /**
201
+ * Removes transient setup/auth sessions without masking the original error.
202
+ * @private
203
+ */
204
+ private deleteTransientSession;
206
205
  /**
207
206
  * Try to connect using available transports
208
207
  * @returns The corrected transport type object if successful
@@ -223,7 +222,7 @@ declare class MCPClient {
223
222
  * Saves active session to Redis after successful authentication
224
223
  * @param authCode - Authorization code received from OAuth callback
225
224
  */
226
- finishAuth(authCode: string): Promise<void>;
225
+ finishAuth(authCode: string, state?: string): Promise<void>;
227
226
  /**
228
227
  * Lists all available tools from the connected MCP server
229
228
  * @returns List of tools with their schemas and descriptions
@@ -265,18 +264,6 @@ declare class MCPClient {
265
264
  * @throws {Error} When client is not connected
266
265
  */
267
266
  readResource(uri: string): Promise<ReadResourceResult>;
268
- /**
269
- * Refreshes the OAuth access token using the refresh token
270
- * Discovers OAuth metadata from server and exchanges refresh token for new access token
271
- * @returns True if refresh was successful, false otherwise
272
- */
273
- refreshToken(): Promise<boolean>;
274
- /**
275
- * Ensures OAuth tokens are valid, refreshing them if expired
276
- * Called automatically by connect() - rarely needs to be called manually
277
- * @returns True if valid tokens are available, false otherwise
278
- */
279
- getValidTokens(): Promise<boolean>;
280
267
  /**
281
268
  * Reconnects to MCP server using existing OAuth provider from Redis
282
269
  * Used for session restoration in serverless environments
@@ -334,15 +321,6 @@ declare class MCPClient {
334
321
  * @returns Session ID
335
322
  */
336
323
  getSessionId(): string;
337
- /**
338
- * Gets MCP server configuration for all active user sessions
339
- * Loads sessions from Redis, validates OAuth tokens, refreshes if expired
340
- * Returns ready-to-use configuration with valid auth headers
341
- * @param userId - User ID to fetch sessions for
342
- * @returns Object keyed by sanitized server labels containing transport, url, headers, etc.
343
- * @static
344
- */
345
- static getMcpServerConfig(userId: string): Promise<Record<string, any>>;
346
324
  }
347
325
 
348
326
  /**
@@ -392,12 +370,8 @@ declare class MultiSessionClient {
392
370
  *
393
371
  * A session is considered connectable when:
394
372
  * - It has a `serverId`, `serverUrl`, and `callbackUrl` (i.e. it was fully initialized)
395
- * - Its `active` flag is not explicitly `false` sessions with `active: false` are
396
- * either mid-OAuth flow, auth-pending, or previously failed. We skip those here
373
+ * - Its status is `active`. Pending sessions are skipped here
397
374
  * and let the OAuth flow complete separately before we try to reconnect them.
398
- *
399
- * Note: Sessions where `active` is `undefined` (legacy records) are included
400
- * for backwards compatibility.
401
375
  */
402
376
  private getActiveSessions;
403
377
  /**
@@ -1,14 +1,21 @@
1
- export { M as MCPClient, a as MultiSessionClient, S as StorageOAuthClientProvider } from '../multi-session-client-DYNe6az3.mjs';
1
+ export { M as MCPClient, a as MultiSessionClient, S as StorageOAuthClientProvider } from '../multi-session-client-CIMUGF8S.mjs';
2
2
  export { U as UnauthorizedError, s as sanitizeServerLabel } from '../utils-DELRKQPU.mjs';
3
3
  import { OAuthClientInformationMixed, OAuthTokens } from '@modelcontextprotocol/sdk/shared/auth.js';
4
4
  export { OAuthClientInformation, OAuthClientInformationFull, OAuthClientMetadata, OAuthTokens } from '@modelcontextprotocol/sdk/shared/auth.js';
5
5
  import { M as McpConnectionEvent, d as McpObservabilityEvent } from '../events-CK3N--3g.mjs';
6
6
  export { D as Disposable, E as Emitter, b as Event, c as McpConnectionState } from '../events-CK3N--3g.mjs';
7
- import { r as McpRpcResponse, q as McpRpcRequest } from '../types-CxFaaZrM.mjs';
8
- export { a as CallToolRequest, b as CallToolResponse, f as ConnectRequest, g as ConnectResponse, n as ListToolsResponse, T as ToolClient, u as ToolClientProvider, v as ToolInfo } from '../types-CxFaaZrM.mjs';
7
+ import { r as McpRpcResponse, q as McpRpcRequest } from '../types-DCk_IF4L.mjs';
8
+ export { a as CallToolRequest, b as CallToolResponse, f as ConnectRequest, g as ConnectResponse, n as ListToolsResponse, T as ToolClient, u as ToolClientProvider, v as ToolInfo } from '../types-DCk_IF4L.mjs';
9
9
  export { CallToolResult, ListToolsResult, Tool } from '@modelcontextprotocol/sdk/types.js';
10
10
  import '@modelcontextprotocol/sdk/client/auth.js';
11
11
 
12
+ interface OAuthState {
13
+ nonce: string;
14
+ sessionId: string;
15
+ serverId: string;
16
+ createdAt: number;
17
+ }
18
+ type SessionStatus = 'pending' | 'active';
12
19
  interface Session {
13
20
  sessionId: string;
14
21
  serverId?: string;
@@ -17,19 +24,30 @@ interface Session {
17
24
  transportType: 'sse' | 'streamable-http';
18
25
  callbackUrl: string;
19
26
  createdAt: number;
27
+ updatedAt?: number;
28
+ /**
29
+ * Storage-owned expiration timestamp for pending/inactive sessions.
30
+ * Active sessions use updatedAt-based dormancy cleanup instead.
31
+ */
32
+ expiresAt?: number | null;
20
33
  userId: string;
21
34
  headers?: Record<string, string>;
35
+ authUrl?: string | null;
22
36
  /**
23
- * Session status marker used for TTL transitions:
24
- * - false: short-lived intermediate/error/auth-pending session state
25
- * (keep this value when connection/auth is incomplete or failed)
26
- * - true: active long-lived session state after successful connection/auth completion
37
+ * Session status marker used for lifecycle cleanup:
38
+ * - pending: short-lived intermediate/auth-pending session state
39
+ * - active: restorable session after successful connection/auth completion
27
40
  */
28
- active?: boolean;
29
- clientInformation?: OAuthClientInformationMixed;
30
- tokens?: OAuthTokens;
31
- codeVerifier?: string;
32
- clientId?: string;
41
+ status?: SessionStatus;
42
+ }
43
+ interface SessionCredentials {
44
+ sessionId: string;
45
+ userId: string;
46
+ clientInformation?: OAuthClientInformationMixed | null;
47
+ tokens?: OAuthTokens | null;
48
+ codeVerifier?: string | null;
49
+ clientId?: string | null;
50
+ oauthState?: OAuthState | null;
33
51
  }
34
52
  type SessionMutationType = 'create' | 'update' | 'delete';
35
53
  interface SessionMutationEvent {
@@ -39,7 +57,6 @@ interface SessionMutationEvent {
39
57
  timestamp: number;
40
58
  session?: Session;
41
59
  patch?: Partial<Session>;
42
- ttl?: number;
43
60
  }
44
61
  type SessionMutationListener = (event: SessionMutationEvent) => void | Promise<void>;
45
62
  /**
@@ -57,21 +74,32 @@ interface SessionStore {
57
74
  /**
58
75
  * Creates a new session. Throws if session already exists.
59
76
  * @param session - Session data to create
60
- * @param ttl - Optional TTL in seconds (defaults to backend's default)
61
77
  */
62
- create(session: Session, ttl?: number): Promise<void>;
78
+ create(session: Session): Promise<void>;
63
79
  /**
64
80
  * Updates an existing session with partial data. Throws if session does not exist.
65
81
  * @param userId - User identifier
66
82
  * @param sessionId - Session identifier
67
83
  * @param data - Partial session data to update
68
- * @param ttl - Optional TTL in seconds (defaults to backend's default)
69
84
  */
70
- update(userId: string, sessionId: string, data: Partial<Session>, ttl?: number): Promise<void>;
85
+ update(userId: string, sessionId: string, data: Partial<Session>): Promise<void>;
86
+ /**
87
+ * Patches runtime credentials for an existing session.
88
+ * These values are separated from connection metadata in durable SQL stores.
89
+ */
90
+ patchCredentials(userId: string, sessionId: string, data: Partial<SessionCredentials>): Promise<void>;
71
91
  /**
72
92
  * Retrieves a session
73
93
  */
74
94
  get(userId: string, sessionId: string): Promise<Session | null>;
95
+ /**
96
+ * Retrieves runtime credentials for a session.
97
+ */
98
+ getCredentials(userId: string, sessionId: string): Promise<SessionCredentials | null>;
99
+ /**
100
+ * Clears runtime credentials without removing connection metadata.
101
+ */
102
+ clearCredentials(userId: string, sessionId: string): Promise<void>;
75
103
  /**
76
104
  * Gets full session data for all sessions owned by a user
77
105
  */
@@ -1,14 +1,21 @@
1
- export { M as MCPClient, a as MultiSessionClient, S as StorageOAuthClientProvider } from '../multi-session-client-BYtguGJm.js';
1
+ export { M as MCPClient, a as MultiSessionClient, S as StorageOAuthClientProvider } from '../multi-session-client-CnvZEGPY.js';
2
2
  export { U as UnauthorizedError, s as sanitizeServerLabel } from '../utils-DELRKQPU.js';
3
3
  import { OAuthClientInformationMixed, OAuthTokens } from '@modelcontextprotocol/sdk/shared/auth.js';
4
4
  export { OAuthClientInformation, OAuthClientInformationFull, OAuthClientMetadata, OAuthTokens } from '@modelcontextprotocol/sdk/shared/auth.js';
5
5
  import { M as McpConnectionEvent, d as McpObservabilityEvent } from '../events-CK3N--3g.js';
6
6
  export { D as Disposable, E as Emitter, b as Event, c as McpConnectionState } from '../events-CK3N--3g.js';
7
- import { r as McpRpcResponse, q as McpRpcRequest } from '../types-CxFaaZrM.js';
8
- export { a as CallToolRequest, b as CallToolResponse, f as ConnectRequest, g as ConnectResponse, n as ListToolsResponse, T as ToolClient, u as ToolClientProvider, v as ToolInfo } from '../types-CxFaaZrM.js';
7
+ import { r as McpRpcResponse, q as McpRpcRequest } from '../types-DCk_IF4L.js';
8
+ export { a as CallToolRequest, b as CallToolResponse, f as ConnectRequest, g as ConnectResponse, n as ListToolsResponse, T as ToolClient, u as ToolClientProvider, v as ToolInfo } from '../types-DCk_IF4L.js';
9
9
  export { CallToolResult, ListToolsResult, Tool } from '@modelcontextprotocol/sdk/types.js';
10
10
  import '@modelcontextprotocol/sdk/client/auth.js';
11
11
 
12
+ interface OAuthState {
13
+ nonce: string;
14
+ sessionId: string;
15
+ serverId: string;
16
+ createdAt: number;
17
+ }
18
+ type SessionStatus = 'pending' | 'active';
12
19
  interface Session {
13
20
  sessionId: string;
14
21
  serverId?: string;
@@ -17,19 +24,30 @@ interface Session {
17
24
  transportType: 'sse' | 'streamable-http';
18
25
  callbackUrl: string;
19
26
  createdAt: number;
27
+ updatedAt?: number;
28
+ /**
29
+ * Storage-owned expiration timestamp for pending/inactive sessions.
30
+ * Active sessions use updatedAt-based dormancy cleanup instead.
31
+ */
32
+ expiresAt?: number | null;
20
33
  userId: string;
21
34
  headers?: Record<string, string>;
35
+ authUrl?: string | null;
22
36
  /**
23
- * Session status marker used for TTL transitions:
24
- * - false: short-lived intermediate/error/auth-pending session state
25
- * (keep this value when connection/auth is incomplete or failed)
26
- * - true: active long-lived session state after successful connection/auth completion
37
+ * Session status marker used for lifecycle cleanup:
38
+ * - pending: short-lived intermediate/auth-pending session state
39
+ * - active: restorable session after successful connection/auth completion
27
40
  */
28
- active?: boolean;
29
- clientInformation?: OAuthClientInformationMixed;
30
- tokens?: OAuthTokens;
31
- codeVerifier?: string;
32
- clientId?: string;
41
+ status?: SessionStatus;
42
+ }
43
+ interface SessionCredentials {
44
+ sessionId: string;
45
+ userId: string;
46
+ clientInformation?: OAuthClientInformationMixed | null;
47
+ tokens?: OAuthTokens | null;
48
+ codeVerifier?: string | null;
49
+ clientId?: string | null;
50
+ oauthState?: OAuthState | null;
33
51
  }
34
52
  type SessionMutationType = 'create' | 'update' | 'delete';
35
53
  interface SessionMutationEvent {
@@ -39,7 +57,6 @@ interface SessionMutationEvent {
39
57
  timestamp: number;
40
58
  session?: Session;
41
59
  patch?: Partial<Session>;
42
- ttl?: number;
43
60
  }
44
61
  type SessionMutationListener = (event: SessionMutationEvent) => void | Promise<void>;
45
62
  /**
@@ -57,21 +74,32 @@ interface SessionStore {
57
74
  /**
58
75
  * Creates a new session. Throws if session already exists.
59
76
  * @param session - Session data to create
60
- * @param ttl - Optional TTL in seconds (defaults to backend's default)
61
77
  */
62
- create(session: Session, ttl?: number): Promise<void>;
78
+ create(session: Session): Promise<void>;
63
79
  /**
64
80
  * Updates an existing session with partial data. Throws if session does not exist.
65
81
  * @param userId - User identifier
66
82
  * @param sessionId - Session identifier
67
83
  * @param data - Partial session data to update
68
- * @param ttl - Optional TTL in seconds (defaults to backend's default)
69
84
  */
70
- update(userId: string, sessionId: string, data: Partial<Session>, ttl?: number): Promise<void>;
85
+ update(userId: string, sessionId: string, data: Partial<Session>): Promise<void>;
86
+ /**
87
+ * Patches runtime credentials for an existing session.
88
+ * These values are separated from connection metadata in durable SQL stores.
89
+ */
90
+ patchCredentials(userId: string, sessionId: string, data: Partial<SessionCredentials>): Promise<void>;
71
91
  /**
72
92
  * Retrieves a session
73
93
  */
74
94
  get(userId: string, sessionId: string): Promise<Session | null>;
95
+ /**
96
+ * Retrieves runtime credentials for a session.
97
+ */
98
+ getCredentials(userId: string, sessionId: string): Promise<SessionCredentials | null>;
99
+ /**
100
+ * Clears runtime credentials without removing connection metadata.
101
+ */
102
+ clearCredentials(userId: string, sessionId: string): Promise<void>;
75
103
  /**
76
104
  * Gets full session data for all sessions owned by a user
77
105
  */