npm - @mcp-z/client - Versions diffs - 1.0.0 - Mend

@mcp-z/client 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (211) hide show

package/AGENTS.md +159 -0
package/LICENSE +21 -0
package/README.md +90 -0
package/dist/cjs/auth/capability-discovery.d.cts +25 -0
package/dist/cjs/auth/capability-discovery.d.ts +25 -0
package/dist/cjs/auth/capability-discovery.js +280 -0
package/dist/cjs/auth/capability-discovery.js.map +1 -0
package/dist/cjs/auth/index.d.cts +9 -0
package/dist/cjs/auth/index.d.ts +9 -0
package/dist/cjs/auth/index.js +28 -0
package/dist/cjs/auth/index.js.map +1 -0
package/dist/cjs/auth/interactive-oauth-flow.d.cts +58 -0
package/dist/cjs/auth/interactive-oauth-flow.d.ts +58 -0
package/dist/cjs/auth/interactive-oauth-flow.js +537 -0
package/dist/cjs/auth/interactive-oauth-flow.js.map +1 -0
package/dist/cjs/auth/oauth-callback-listener.d.cts +56 -0
package/dist/cjs/auth/oauth-callback-listener.d.ts +56 -0
package/dist/cjs/auth/oauth-callback-listener.js +333 -0
package/dist/cjs/auth/oauth-callback-listener.js.map +1 -0
package/dist/cjs/auth/pkce.d.cts +17 -0
package/dist/cjs/auth/pkce.d.ts +17 -0
package/dist/cjs/auth/pkce.js +192 -0
package/dist/cjs/auth/pkce.js.map +1 -0
package/dist/cjs/auth/rfc9728-discovery.d.cts +34 -0
package/dist/cjs/auth/rfc9728-discovery.d.ts +34 -0
package/dist/cjs/auth/rfc9728-discovery.js +436 -0
package/dist/cjs/auth/rfc9728-discovery.js.map +1 -0
package/dist/cjs/auth/types.d.cts +137 -0
package/dist/cjs/auth/types.d.ts +137 -0
package/dist/cjs/auth/types.js +9 -0
package/dist/cjs/auth/types.js.map +1 -0
package/dist/cjs/client-helpers.d.cts +55 -0
package/dist/cjs/client-helpers.d.ts +55 -0
package/dist/cjs/client-helpers.js +128 -0
package/dist/cjs/client-helpers.js.map +1 -0
package/dist/cjs/config/server-loader.d.cts +27 -0
package/dist/cjs/config/server-loader.d.ts +27 -0
package/dist/cjs/config/server-loader.js +111 -0
package/dist/cjs/config/server-loader.js.map +1 -0
package/dist/cjs/config/validate-config.d.cts +15 -0
package/dist/cjs/config/validate-config.d.ts +15 -0
package/dist/cjs/config/validate-config.js +128 -0
package/dist/cjs/config/validate-config.js.map +1 -0
package/dist/cjs/connection/connect-client.d.cts +59 -0
package/dist/cjs/connection/connect-client.d.ts +59 -0
package/dist/cjs/connection/connect-client.js +536 -0
package/dist/cjs/connection/connect-client.js.map +1 -0
package/dist/cjs/connection/existing-process-transport.d.cts +40 -0
package/dist/cjs/connection/existing-process-transport.d.ts +40 -0
package/dist/cjs/connection/existing-process-transport.js +274 -0
package/dist/cjs/connection/existing-process-transport.js.map +1 -0
package/dist/cjs/connection/types.d.cts +61 -0
package/dist/cjs/connection/types.d.ts +61 -0
package/dist/cjs/connection/types.js +53 -0
package/dist/cjs/connection/types.js.map +1 -0
package/dist/cjs/connection/wait-for-http-ready.d.cts +15 -0
package/dist/cjs/connection/wait-for-http-ready.d.ts +15 -0
package/dist/cjs/connection/wait-for-http-ready.js +232 -0
package/dist/cjs/connection/wait-for-http-ready.js.map +1 -0
package/dist/cjs/dcr/dcr-authenticator.d.cts +73 -0
package/dist/cjs/dcr/dcr-authenticator.d.ts +73 -0
package/dist/cjs/dcr/dcr-authenticator.js +655 -0
package/dist/cjs/dcr/dcr-authenticator.js.map +1 -0
package/dist/cjs/dcr/dynamic-client-registrar.d.cts +28 -0
package/dist/cjs/dcr/dynamic-client-registrar.d.ts +28 -0
package/dist/cjs/dcr/dynamic-client-registrar.js +245 -0
package/dist/cjs/dcr/dynamic-client-registrar.js.map +1 -0
package/dist/cjs/dcr/index.d.cts +8 -0
package/dist/cjs/dcr/index.d.ts +8 -0
package/dist/cjs/dcr/index.js +24 -0
package/dist/cjs/dcr/index.js.map +1 -0
package/dist/cjs/index.d.cts +21 -0
package/dist/cjs/index.d.ts +21 -0
package/dist/cjs/index.js +94 -0
package/dist/cjs/index.js.map +1 -0
package/dist/cjs/monkey-patches.d.cts +6 -0
package/dist/cjs/monkey-patches.d.ts +6 -0
package/dist/cjs/monkey-patches.js +236 -0
package/dist/cjs/monkey-patches.js.map +1 -0
package/dist/cjs/package.json +1 -0
package/dist/cjs/response-wrappers.d.cts +41 -0
package/dist/cjs/response-wrappers.d.ts +41 -0
package/dist/cjs/response-wrappers.js +443 -0
package/dist/cjs/response-wrappers.js.map +1 -0
package/dist/cjs/search/index.d.cts +6 -0
package/dist/cjs/search/index.d.ts +6 -0
package/dist/cjs/search/index.js +25 -0
package/dist/cjs/search/index.js.map +1 -0
package/dist/cjs/search/search.d.cts +22 -0
package/dist/cjs/search/search.d.ts +22 -0
package/dist/cjs/search/search.js +630 -0
package/dist/cjs/search/search.js.map +1 -0
package/dist/cjs/search/types.d.cts +122 -0
package/dist/cjs/search/types.d.ts +122 -0
package/dist/cjs/search/types.js +10 -0
package/dist/cjs/search/types.js.map +1 -0
package/dist/cjs/spawn/spawn-server.d.cts +83 -0
package/dist/cjs/spawn/spawn-server.d.ts +83 -0
package/dist/cjs/spawn/spawn-server.js +410 -0
package/dist/cjs/spawn/spawn-server.js.map +1 -0
package/dist/cjs/spawn/spawn-servers.d.cts +151 -0
package/dist/cjs/spawn/spawn-servers.d.ts +151 -0
package/dist/cjs/spawn/spawn-servers.js +911 -0
package/dist/cjs/spawn/spawn-servers.js.map +1 -0
package/dist/cjs/types.d.cts +11 -0
package/dist/cjs/types.d.ts +11 -0
package/dist/cjs/types.js +10 -0
package/dist/cjs/types.js.map +1 -0
package/dist/cjs/utils/logger.d.cts +24 -0
package/dist/cjs/utils/logger.d.ts +24 -0
package/dist/cjs/utils/logger.js +80 -0
package/dist/cjs/utils/logger.js.map +1 -0
package/dist/cjs/utils/path-utils.d.cts +45 -0
package/dist/cjs/utils/path-utils.d.ts +45 -0
package/dist/cjs/utils/path-utils.js +158 -0
package/dist/cjs/utils/path-utils.js.map +1 -0
package/dist/cjs/utils/sanitizer.d.cts +30 -0
package/dist/cjs/utils/sanitizer.d.ts +30 -0
package/dist/cjs/utils/sanitizer.js +124 -0
package/dist/cjs/utils/sanitizer.js.map +1 -0
package/dist/esm/auth/capability-discovery.d.ts +25 -0
package/dist/esm/auth/capability-discovery.js +110 -0
package/dist/esm/auth/capability-discovery.js.map +1 -0
package/dist/esm/auth/index.d.ts +9 -0
package/dist/esm/auth/index.js +6 -0
package/dist/esm/auth/index.js.map +1 -0
package/dist/esm/auth/interactive-oauth-flow.d.ts +58 -0
package/dist/esm/auth/interactive-oauth-flow.js +217 -0
package/dist/esm/auth/interactive-oauth-flow.js.map +1 -0
package/dist/esm/auth/oauth-callback-listener.d.ts +56 -0
package/dist/esm/auth/oauth-callback-listener.js +166 -0
package/dist/esm/auth/oauth-callback-listener.js.map +1 -0
package/dist/esm/auth/pkce.d.ts +17 -0
package/dist/esm/auth/pkce.js +41 -0
package/dist/esm/auth/pkce.js.map +1 -0
package/dist/esm/auth/rfc9728-discovery.d.ts +34 -0
package/dist/esm/auth/rfc9728-discovery.js +157 -0
package/dist/esm/auth/rfc9728-discovery.js.map +1 -0
package/dist/esm/auth/types.d.ts +137 -0
package/dist/esm/auth/types.js +7 -0
package/dist/esm/auth/types.js.map +1 -0
package/dist/esm/client-helpers.d.ts +55 -0
package/dist/esm/client-helpers.js +81 -0
package/dist/esm/client-helpers.js.map +1 -0
package/dist/esm/config/server-loader.d.ts +27 -0
package/dist/esm/config/server-loader.js +49 -0
package/dist/esm/config/server-loader.js.map +1 -0
package/dist/esm/config/validate-config.d.ts +15 -0
package/dist/esm/config/validate-config.js +76 -0
package/dist/esm/config/validate-config.js.map +1 -0
package/dist/esm/connection/connect-client.d.ts +59 -0
package/dist/esm/connection/connect-client.js +272 -0
package/dist/esm/connection/connect-client.js.map +1 -0
package/dist/esm/connection/existing-process-transport.d.ts +40 -0
package/dist/esm/connection/existing-process-transport.js +103 -0
package/dist/esm/connection/existing-process-transport.js.map +1 -0
package/dist/esm/connection/types.d.ts +61 -0
package/dist/esm/connection/types.js +34 -0
package/dist/esm/connection/types.js.map +1 -0
package/dist/esm/connection/wait-for-http-ready.d.ts +15 -0
package/dist/esm/connection/wait-for-http-ready.js +43 -0
package/dist/esm/connection/wait-for-http-ready.js.map +1 -0
package/dist/esm/dcr/dcr-authenticator.d.ts +73 -0
package/dist/esm/dcr/dcr-authenticator.js +235 -0
package/dist/esm/dcr/dcr-authenticator.js.map +1 -0
package/dist/esm/dcr/dynamic-client-registrar.d.ts +28 -0
package/dist/esm/dcr/dynamic-client-registrar.js +66 -0
package/dist/esm/dcr/dynamic-client-registrar.js.map +1 -0
package/dist/esm/dcr/index.d.ts +8 -0
package/dist/esm/dcr/index.js +5 -0
package/dist/esm/dcr/index.js.map +1 -0
package/dist/esm/index.d.ts +21 -0
package/dist/esm/index.js +22 -0
package/dist/esm/index.js.map +1 -0
package/dist/esm/monkey-patches.d.ts +6 -0
package/dist/esm/monkey-patches.js +32 -0
package/dist/esm/monkey-patches.js.map +1 -0
package/dist/esm/package.json +1 -0
package/dist/esm/response-wrappers.d.ts +41 -0
package/dist/esm/response-wrappers.js +201 -0
package/dist/esm/response-wrappers.js.map +1 -0
package/dist/esm/search/index.d.ts +6 -0
package/dist/esm/search/index.js +3 -0
package/dist/esm/search/index.js.map +1 -0
package/dist/esm/search/search.d.ts +22 -0
package/dist/esm/search/search.js +236 -0
package/dist/esm/search/search.js.map +1 -0
package/dist/esm/search/types.d.ts +122 -0
package/dist/esm/search/types.js +8 -0
package/dist/esm/search/types.js.map +1 -0
package/dist/esm/spawn/spawn-server.d.ts +83 -0
package/dist/esm/spawn/spawn-server.js +145 -0
package/dist/esm/spawn/spawn-server.js.map +1 -0
package/dist/esm/spawn/spawn-servers.d.ts +151 -0
package/dist/esm/spawn/spawn-servers.js +406 -0
package/dist/esm/spawn/spawn-servers.js.map +1 -0
package/dist/esm/types.d.ts +11 -0
package/dist/esm/types.js +9 -0
package/dist/esm/types.js.map +1 -0
package/dist/esm/utils/logger.d.ts +24 -0
package/dist/esm/utils/logger.js +59 -0
package/dist/esm/utils/logger.js.map +1 -0
package/dist/esm/utils/path-utils.d.ts +45 -0
package/dist/esm/utils/path-utils.js +89 -0
package/dist/esm/utils/path-utils.js.map +1 -0
package/dist/esm/utils/sanitizer.d.ts +30 -0
package/dist/esm/utils/sanitizer.js +43 -0
package/dist/esm/utils/sanitizer.js.map +1 -0
package/package.json +92 -0
package/schemas/servers.d.ts +90 -0
package/schemas/servers.schema.json +104 -0

package/dist/esm/auth/oauth-callback-listener.d.ts ADDED Viewed

@@ -0,0 +1,56 @@
+/**
+ * OAuth Callback Server for CLI Authentication
+ * Listens for OAuth authorization callbacks and captures authorization code
+ */
+import { type Logger } from '../utils/logger.js';
+import type { CallbackResult } from './types.js';
+export interface OAuthCallbackListenerOptions {
+    /** Port to listen on (required - use get-port package to find available port) */
+    port: number;
+    /** Optional logger for debug output (defaults to singleton logger) */
+    logger?: Logger;
+}
+/**
+ * OAuthCallbackListener handles OAuth redirect callbacks
+ * Starts a temporary HTTP server to receive authorization code
+ *
+ * Note: Caller is responsible for finding an available port using get-port package
+ */
+export declare class OAuthCallbackListener {
+    private server;
+    private resolveCallback?;
+    private rejectCallback?;
+    private timeout;
+    private port;
+    private logger;
+    constructor(options: OAuthCallbackListenerOptions);
+    /**
+     * Start the callback server
+     * Fails fast if port is already in use - caller should use get-port to find available port
+     */
+    start(): Promise<void>;
+    /**
+     * Listen on a specific port
+     */
+    private listen;
+    /**
+     * Handle incoming HTTP requests
+     */
+    private handleRequest;
+    /**
+     * Handle OAuth callback
+     */
+    private handleCallback;
+    /**
+     * Wait for OAuth callback with timeout
+     */
+    waitForCallback(timeoutMs?: number): Promise<CallbackResult>;
+    /**
+     * Stop the callback server and close
+     */
+    stop(): Promise<void>;
+    /**
+     * Get the callback URL for this server
+     */
+    getCallbackUrl(): string;
+}

package/dist/esm/auth/oauth-callback-listener.js ADDED Viewed

@@ -0,0 +1,166 @@
+/**
+ * OAuth Callback Server for CLI Authentication
+ * Listens for OAuth authorization callbacks and captures authorization code
+ */ import http from 'node:http';
+import { logger as defaultLogger } from '../utils/logger.js';
+/**
+ * OAuthCallbackListener handles OAuth redirect callbacks
+ * Starts a temporary HTTP server to receive authorization code
+ *
+ * Note: Caller is responsible for finding an available port using get-port package
+ */ export class OAuthCallbackListener {
+    /**
+   * Start the callback server
+   * Fails fast if port is already in use - caller should use get-port to find available port
+   */ async start() {
+        await this.listen(this.port);
+        this.logger.debug(`✅ Callback server listening on http://localhost:${this.port}/callback`);
+    }
+    /**
+   * Listen on a specific port
+   */ listen(port) {
+        return new Promise((resolve, reject)=>{
+            this.server = http.createServer((req, res)=>{
+                this.handleRequest(req, res);
+            });
+            this.server.on('error', (error)=>{
+                reject(error);
+            });
+            this.server.listen(port, ()=>{
+                resolve();
+            });
+        });
+    }
+    /**
+   * Handle incoming HTTP requests
+   */ handleRequest(req, res) {
+        const url = new URL(req.url || '', `http://localhost:${this.port}`);
+        if (url.pathname === '/callback') {
+            this.handleCallback(url, res);
+        } else {
+            res.writeHead(404, {
+                'Content-Type': 'text/plain'
+            });
+            res.end('Not Found');
+        }
+    }
+    /**
+   * Handle OAuth callback
+   */ handleCallback(url, res) {
+        const code = url.searchParams.get('code');
+        const state = url.searchParams.get('state');
+        const error = url.searchParams.get('error');
+        const errorDescription = url.searchParams.get('error_description');
+        // Handle OAuth errors
+        if (error) {
+            const errorMessage = errorDescription ? `${error}: ${errorDescription}` : error;
+            res.writeHead(400, {
+                'Content-Type': 'text/html'
+            });
+            res.end(`
+        <html>
+          <body>
+            <h1>Authorization Failed</h1>
+            <p>${errorMessage}</p>
+            <script>setTimeout(() => window.close(), 3000);</script>
+          </body>
+        </html>
+      `);
+            if (this.rejectCallback) {
+                this.rejectCallback(new Error(errorMessage));
+            }
+            return;
+        }
+        // Validate code parameter
+        if (!code) {
+            res.writeHead(400, {
+                'Content-Type': 'text/html'
+            });
+            res.end(`
+        <html>
+          <body>
+            <h1>Invalid Callback</h1>
+            <p>Missing authorization code</p>
+            <script>setTimeout(() => window.close(), 3000);</script>
+          </body>
+        </html>
+      `);
+            if (this.rejectCallback) {
+                this.rejectCallback(new Error('Missing authorization code'));
+            }
+            return;
+        }
+        // Success - send confirmation page
+        res.writeHead(200, {
+            'Content-Type': 'text/html; charset=utf-8'
+        });
+        res.end(`
+      <html>
+        <head>
+          <meta charset="UTF-8">
+        </head>
+        <body>
+          <h1>Authorization Successful</h1>
+          <p>You can close this window and return to the terminal.</p>
+          <script>setTimeout(() => window.close(), 2000);</script>
+        </body>
+      </html>
+    `);
+        // Resolve the promise with authorization code
+        if (this.resolveCallback) {
+            const result = {
+                code
+            };
+            if (state) {
+                result.state = state;
+            }
+            this.resolveCallback(result);
+        }
+    }
+    /**
+   * Wait for OAuth callback with timeout
+   */ async waitForCallback(timeoutMs = 300000) {
+        return new Promise((resolve, reject)=>{
+            this.resolveCallback = resolve;
+            this.rejectCallback = reject;
+            // Set timeout to prevent hanging forever
+            this.timeout = setTimeout(()=>{
+                reject(new Error(`Authorization timeout - no callback received within ${timeoutMs / 1000} seconds`));
+                this.stop();
+            }, timeoutMs);
+        });
+    }
+    /**
+   * Stop the callback server and close
+   */ async stop() {
+        // Clear the timeout
+        if (this.timeout) {
+            clearTimeout(this.timeout);
+            this.timeout = undefined;
+        }
+        // Close the server
+        if (this.server) {
+            await new Promise((resolve)=>{
+                var _this_server;
+                (_this_server = this.server) === null || _this_server === void 0 ? void 0 : _this_server.close(()=>{
+                    this.logger.debug('🔒 Callback server closed');
+                    resolve();
+                });
+            });
+            this.server = undefined;
+        }
+    }
+    /**
+   * Get the callback URL for this server
+   */ getCallbackUrl() {
+        if (!this.port) {
+            throw new Error('Server not started - call start() first');
+        }
+        return `http://localhost:${this.port}/callback`;
+    }
+    constructor(options){
+        var _options_logger;
+        this.port = options.port;
+        this.logger = (_options_logger = options.logger) !== null && _options_logger !== void 0 ? _options_logger : defaultLogger;
+    }
+}

package/dist/esm/auth/oauth-callback-listener.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["/Users/kevin/Dev/Projects/ai/mcp-z/libs/client/src/auth/oauth-callback-listener.ts"],"sourcesContent":["/**\n * OAuth Callback Server for CLI Authentication\n * Listens for OAuth authorization callbacks and captures authorization code\n */\n\nimport http from 'node:http';\nimport { logger as defaultLogger, type Logger } from '../utils/logger.ts';\nimport type { CallbackResult } from './types.ts';\n\nexport interface OAuthCallbackListenerOptions {\n /** Port to listen on (required - use get-port package to find available port) */\n port: number;\n /** Optional logger for debug output (defaults to singleton logger) */\n logger?: Logger;\n}\n\n/**\n * OAuthCallbackListener handles OAuth redirect callbacks\n * Starts a temporary HTTP server to receive authorization code\n *\n * Note: Caller is responsible for finding an available port using get-port package\n */\nexport class OAuthCallbackListener {\n private server: http.Server | undefined;\n private resolveCallback?: (result: CallbackResult) => void;\n private rejectCallback?: (error: Error) => void;\n private timeout: NodeJS.Timeout | undefined;\n private port: number;\n private logger: Logger;\n\n constructor(options: OAuthCallbackListenerOptions) {\n this.port = options.port;\n this.logger = options.logger ?? defaultLogger;\n }\n\n /**\n * Start the callback server\n * Fails fast if port is already in use - caller should use get-port to find available port\n */\n async start(): Promise<void> {\n await this.listen(this.port);\n this.logger.debug(`✅ Callback server listening on http://localhost:${this.port}/callback`);\n }\n\n /**\n * Listen on a specific port\n */\n private listen(port: number): Promise<void> {\n return new Promise((resolve, reject) => {\n this.server = http.createServer((req, res) => {\n this.handleRequest(req, res);\n });\n\n this.server.on('error', (error) => {\n reject(error);\n });\n\n this.server.listen(port, () => {\n resolve();\n });\n });\n }\n\n /**\n * Handle incoming HTTP requests\n */\n private handleRequest(req: http.IncomingMessage, res: http.ServerResponse): void {\n const url = new URL(req.url || '', `http://localhost:${this.port}`);\n\n if (url.pathname === '/callback') {\n this.handleCallback(url, res);\n } else {\n res.writeHead(404, { 'Content-Type': 'text/plain' });\n res.end('Not Found');\n }\n }\n\n /**\n * Handle OAuth callback\n */\n private handleCallback(url: URL, res: http.ServerResponse): void {\n const code = url.searchParams.get('code');\n const state = url.searchParams.get('state');\n const error = url.searchParams.get('error');\n const errorDescription = url.searchParams.get('error_description');\n\n // Handle OAuth errors\n if (error) {\n const errorMessage = errorDescription ? `${error}: ${errorDescription}` : error;\n\n res.writeHead(400, { 'Content-Type': 'text/html' });\n res.end(`\n <html>\n <body>\n <h1>Authorization Failed</h1>\n <p>${errorMessage}</p>\n <script>setTimeout(() => window.close(), 3000);</script>\n </body>\n </html>\n `);\n\n if (this.rejectCallback) {\n this.rejectCallback(new Error(errorMessage));\n }\n return;\n }\n\n // Validate code parameter\n if (!code) {\n res.writeHead(400, { 'Content-Type': 'text/html' });\n res.end(`\n <html>\n <body>\n <h1>Invalid Callback</h1>\n <p>Missing authorization code</p>\n <script>setTimeout(() => window.close(), 3000);</script>\n </body>\n </html>\n `);\n\n if (this.rejectCallback) {\n this.rejectCallback(new Error('Missing authorization code'));\n }\n return;\n }\n\n // Success - send confirmation page\n res.writeHead(200, { 'Content-Type': 'text/html; charset=utf-8' });\n res.end(`\n <html>\n <head>\n <meta charset=\"UTF-8\">\n </head>\n <body>\n <h1>Authorization Successful</h1>\n <p>You can close this window and return to the terminal.</p>\n <script>setTimeout(() => window.close(), 2000);</script>\n </body>\n </html>\n `);\n\n // Resolve the promise with authorization code\n if (this.resolveCallback) {\n const result: CallbackResult = { code };\n if (state) {\n result.state = state;\n }\n this.resolveCallback(result);\n }\n }\n\n /**\n * Wait for OAuth callback with timeout\n */\n async waitForCallback(timeoutMs = 300000): Promise<CallbackResult> {\n return new Promise((resolve, reject) => {\n this.resolveCallback = resolve;\n this.rejectCallback = reject;\n\n // Set timeout to prevent hanging forever\n this.timeout = setTimeout(() => {\n reject(new Error(`Authorization timeout - no callback received within ${timeoutMs / 1000} seconds`));\n this.stop();\n }, timeoutMs);\n });\n }\n\n /**\n * Stop the callback server and close\n */\n async stop(): Promise<void> {\n // Clear the timeout\n if (this.timeout) {\n clearTimeout(this.timeout);\n this.timeout = undefined;\n }\n\n // Close the server\n if (this.server) {\n await new Promise<void>((resolve) => {\n this.server?.close(() => {\n this.logger.debug('🔒 Callback server closed');\n resolve();\n });\n });\n this.server = undefined;\n }\n }\n\n /**\n * Get the callback URL for this server\n */\n getCallbackUrl(): string {\n if (!this.port) {\n throw new Error('Server not started - call start() first');\n }\n return `http://localhost:${this.port}/callback`;\n }\n}\n"],"names":["http","logger","defaultLogger","OAuthCallbackListener","start","listen","port","debug","Promise","resolve","reject","server","createServer","req","res","handleRequest","on","error","url","URL","pathname","handleCallback","writeHead","end","code","searchParams","get","state","errorDescription","errorMessage","rejectCallback","Error","resolveCallback","result","waitForCallback","timeoutMs","timeout","setTimeout","stop","clearTimeout","undefined","close","getCallbackUrl","options"],"mappings":"AAAA;;;CAGC,GAED,OAAOA,UAAU,YAAY;AAC7B,SAASC,UAAUC,aAAa,QAAqB,qBAAqB;AAU1E;;;;;CAKC,GACD,OAAO,MAAMC;IAaX;;;GAGC,GACD,MAAMC,QAAuB;QAC3B,MAAM,IAAI,CAACC,MAAM,CAAC,IAAI,CAACC,IAAI;QAC3B,IAAI,CAACL,MAAM,CAACM,KAAK,CAAC,CAAC,gDAAgD,EAAE,IAAI,CAACD,IAAI,CAAC,SAAS,CAAC;IAC3F;IAEA;;GAEC,GACD,AAAQD,OAAOC,IAAY,EAAiB;QAC1C,OAAO,IAAIE,QAAQ,CAACC,SAASC;YAC3B,IAAI,CAACC,MAAM,GAAGX,KAAKY,YAAY,CAAC,CAACC,KAAKC;gBACpC,IAAI,CAACC,aAAa,CAACF,KAAKC;YAC1B;YAEA,IAAI,CAACH,MAAM,CAACK,EAAE,CAAC,SAAS,CAACC;gBACvBP,OAAOO;YACT;YAEA,IAAI,CAACN,MAAM,CAACN,MAAM,CAACC,MAAM;gBACvBG;YACF;QACF;IACF;IAEA;;GAEC,GACD,AAAQM,cAAcF,GAAyB,EAAEC,GAAwB,EAAQ;QAC/E,MAAMI,MAAM,IAAIC,IAAIN,IAAIK,GAAG,IAAI,IAAI,CAAC,iBAAiB,EAAE,IAAI,CAACZ,IAAI,EAAE;QAElE,IAAIY,IAAIE,QAAQ,KAAK,aAAa;YAChC,IAAI,CAACC,cAAc,CAACH,KAAKJ;QAC3B,OAAO;YACLA,IAAIQ,SAAS,CAAC,KAAK;gBAAE,gBAAgB;YAAa;YAClDR,IAAIS,GAAG,CAAC;QACV;IACF;IAEA;;GAEC,GACD,AAAQF,eAAeH,GAAQ,EAAEJ,GAAwB,EAAQ;QAC/D,MAAMU,OAAON,IAAIO,YAAY,CAACC,GAAG,CAAC;QAClC,MAAMC,QAAQT,IAAIO,YAAY,CAACC,GAAG,CAAC;QACnC,MAAMT,QAAQC,IAAIO,YAAY,CAACC,GAAG,CAAC;QACnC,MAAME,mBAAmBV,IAAIO,YAAY,CAACC,GAAG,CAAC;QAE9C,sBAAsB;QACtB,IAAIT,OAAO;YACT,MAAMY,eAAeD,mBAAmB,GAAGX,MAAM,EAAE,EAAEW,kBAAkB,GAAGX;YAE1EH,IAAIQ,SAAS,CAAC,KAAK;gBAAE,gBAAgB;YAAY;YACjDR,IAAIS,GAAG,CAAC,CAAC;;;;eAIA,EAAEM,aAAa;;;;MAIxB,CAAC;YAED,IAAI,IAAI,CAACC,cAAc,EAAE;gBACvB,IAAI,CAACA,cAAc,CAAC,IAAIC,MAAMF;YAChC;YACA;QACF;QAEA,0BAA0B;QAC1B,IAAI,CAACL,MAAM;YACTV,IAAIQ,SAAS,CAAC,KAAK;gBAAE,gBAAgB;YAAY;YACjDR,IAAIS,GAAG,CAAC,CAAC;;;;;;;;MAQT,CAAC;YAED,IAAI,IAAI,CAACO,cAAc,EAAE;gBACvB,IAAI,CAACA,cAAc,CAAC,IAAIC,MAAM;YAChC;YACA;QACF;QAEA,mCAAmC;QACnCjB,IAAIQ,SAAS,CAAC,KAAK;YAAE,gBAAgB;QAA2B;QAChER,IAAIS,GAAG,CAAC,CAAC;;;;;;;;;;;IAWT,CAAC;QAED,8CAA8C;QAC9C,IAAI,IAAI,CAACS,eAAe,EAAE;YACxB,MAAMC,SAAyB;gBAAET;YAAK;YACtC,IAAIG,OAAO;gBACTM,OAAON,KAAK,GAAGA;YACjB;YACA,IAAI,CAACK,eAAe,CAACC;QACvB;IACF;IAEA;;GAEC,GACD,MAAMC,gBAAgBC,YAAY,MAAM,EAA2B;QACjE,OAAO,IAAI3B,QAAQ,CAACC,SAASC;YAC3B,IAAI,CAACsB,eAAe,GAAGvB;YACvB,IAAI,CAACqB,cAAc,GAAGpB;YAEtB,yCAAyC;YACzC,IAAI,CAAC0B,OAAO,GAAGC,WAAW;gBACxB3B,OAAO,IAAIqB,MAAM,CAAC,oDAAoD,EAAEI,YAAY,KAAK,QAAQ,CAAC;gBAClG,IAAI,CAACG,IAAI;YACX,GAAGH;QACL;IACF;IAEA;;GAEC,GACD,MAAMG,OAAsB;QAC1B,oBAAoB;QACpB,IAAI,IAAI,CAACF,OAAO,EAAE;YAChBG,aAAa,IAAI,CAACH,OAAO;YACzB,IAAI,CAACA,OAAO,GAAGI;QACjB;QAEA,mBAAmB;QACnB,IAAI,IAAI,CAAC7B,MAAM,EAAE;YACf,MAAM,IAAIH,QAAc,CAACC;oBACvB;iBAAA,eAAA,IAAI,CAACE,MAAM,cAAX,mCAAA,aAAa8B,KAAK,CAAC;oBACjB,IAAI,CAACxC,MAAM,CAACM,KAAK,CAAC;oBAClBE;gBACF;YACF;YACA,IAAI,CAACE,MAAM,GAAG6B;QAChB;IACF;IAEA;;GAEC,GACDE,iBAAyB;QACvB,IAAI,CAAC,IAAI,CAACpC,IAAI,EAAE;YACd,MAAM,IAAIyB,MAAM;QAClB;QACA,OAAO,CAAC,iBAAiB,EAAE,IAAI,CAACzB,IAAI,CAAC,SAAS,CAAC;IACjD;IAvKA,YAAYqC,OAAqC,CAAE;YAEnCA;QADd,IAAI,CAACrC,IAAI,GAAGqC,QAAQrC,IAAI;QACxB,IAAI,CAACL,MAAM,IAAG0C,kBAAAA,QAAQ1C,MAAM,cAAd0C,6BAAAA,kBAAkBzC;IAClC;AAqKF"}

package/dist/esm/auth/pkce.d.ts ADDED Viewed

@@ -0,0 +1,17 @@
+/**
+ * PKCE (Proof Key for Code Exchange) utilities
+ * Implements RFC 7636 for OAuth 2.0 public client security
+ */
+import type { PkceParams } from './types.js';
+/**
+ * Generate PKCE parameters for OAuth 2.0 authorization code flow
+ * Uses S256 method (SHA-256 hash) as recommended by RFC 7636
+ *
+ * @returns PkceParams with code verifier, challenge, and method
+ *
+ * @example
+ * const pkce = await generatePkce();
+ * // Use pkce.codeChallenge and pkce.codeChallengeMethod in authorization URL
+ * // Store pkce.codeVerifier for token exchange
+ */
+export declare function generatePkce(): Promise<PkceParams>;

package/dist/esm/auth/pkce.js ADDED Viewed

@@ -0,0 +1,41 @@
+/**
+ * PKCE (Proof Key for Code Exchange) utilities
+ * Implements RFC 7636 for OAuth 2.0 public client security
+ */ import { createHash, randomBytes } from 'node:crypto';
+/**
+ * Generate random code verifier for PKCE (RFC 7636 Section 4.1)
+ * Returns cryptographically random string of 43-128 characters using base64url encoding
+ */ function generateRandomCodeVerifier() {
+    // RFC 7636 recommends 43-128 characters
+    // Using 32 random bytes -> 43 base64url characters
+    return randomBytes(32).toString('base64url');
+}
+/**
+ * Calculate PKCE code challenge from code verifier (RFC 7636 Section 4.2)
+ * Uses S256 method: BASE64URL(SHA256(ASCII(code_verifier)))
+ */ async function calculatePKCECodeChallenge(codeVerifier) {
+    const hash = createHash('sha256').update(codeVerifier, 'ascii').digest();
+    return Buffer.from(hash).toString('base64url');
+}
+/**
+ * Generate PKCE parameters for OAuth 2.0 authorization code flow
+ * Uses S256 method (SHA-256 hash) as recommended by RFC 7636
+ *
+ * @returns PkceParams with code verifier, challenge, and method
+ *
+ * @example
+ * const pkce = await generatePkce();
+ * // Use pkce.codeChallenge and pkce.codeChallengeMethod in authorization URL
+ * // Store pkce.codeVerifier for token exchange
+ */ export async function generatePkce() {
+    // Generate cryptographically random code verifier (RFC 7636 § 4.1)
+    const codeVerifier = generateRandomCodeVerifier();
+    // Generate code challenge using S256 method (RFC 7636 § 4.2)
+    // S256: BASE64URL(SHA256(ASCII(code_verifier)))
+    const codeChallenge = await calculatePKCECodeChallenge(codeVerifier);
+    return {
+        codeVerifier,
+        codeChallenge,
+        codeChallengeMethod: 'S256'
+    };
+}

package/dist/esm/auth/pkce.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["/Users/kevin/Dev/Projects/ai/mcp-z/libs/client/src/auth/pkce.ts"],"sourcesContent":["/**\n * PKCE (Proof Key for Code Exchange) utilities\n * Implements RFC 7636 for OAuth 2.0 public client security\n */\n\nimport { createHash, randomBytes } from 'node:crypto';\nimport type { PkceParams } from './types.ts';\n\n/**\n * Generate random code verifier for PKCE (RFC 7636 Section 4.1)\n * Returns cryptographically random string of 43-128 characters using base64url encoding\n */\nfunction generateRandomCodeVerifier(): string {\n // RFC 7636 recommends 43-128 characters\n // Using 32 random bytes -> 43 base64url characters\n return randomBytes(32).toString('base64url');\n}\n\n/**\n * Calculate PKCE code challenge from code verifier (RFC 7636 Section 4.2)\n * Uses S256 method: BASE64URL(SHA256(ASCII(code_verifier)))\n */\nasync function calculatePKCECodeChallenge(codeVerifier: string): Promise<string> {\n const hash = createHash('sha256').update(codeVerifier, 'ascii').digest();\n return Buffer.from(hash).toString('base64url');\n}\n\n/**\n * Generate PKCE parameters for OAuth 2.0 authorization code flow\n * Uses S256 method (SHA-256 hash) as recommended by RFC 7636\n *\n * @returns PkceParams with code verifier, challenge, and method\n *\n * @example\n * const pkce = await generatePkce();\n * // Use pkce.codeChallenge and pkce.codeChallengeMethod in authorization URL\n * // Store pkce.codeVerifier for token exchange\n */\nexport async function generatePkce(): Promise<PkceParams> {\n // Generate cryptographically random code verifier (RFC 7636 § 4.1)\n const codeVerifier = generateRandomCodeVerifier();\n\n // Generate code challenge using S256 method (RFC 7636 § 4.2)\n // S256: BASE64URL(SHA256(ASCII(code_verifier)))\n const codeChallenge = await calculatePKCECodeChallenge(codeVerifier);\n\n return {\n codeVerifier,\n codeChallenge,\n codeChallengeMethod: 'S256',\n };\n}\n"],"names":["createHash","randomBytes","generateRandomCodeVerifier","toString","calculatePKCECodeChallenge","codeVerifier","hash","update","digest","Buffer","from","generatePkce","codeChallenge","codeChallengeMethod"],"mappings":"AAAA;;;CAGC,GAED,SAASA,UAAU,EAAEC,WAAW,QAAQ,cAAc;AAGtD;;;CAGC,GACD,SAASC;IACP,wCAAwC;IACxC,mDAAmD;IACnD,OAAOD,YAAY,IAAIE,QAAQ,CAAC;AAClC;AAEA;;;CAGC,GACD,eAAeC,2BAA2BC,YAAoB;IAC5D,MAAMC,OAAON,WAAW,UAAUO,MAAM,CAACF,cAAc,SAASG,MAAM;IACtE,OAAOC,OAAOC,IAAI,CAACJ,MAAMH,QAAQ,CAAC;AACpC;AAEA;;;;;;;;;;CAUC,GACD,OAAO,eAAeQ;IACpB,mEAAmE;IACnE,MAAMN,eAAeH;IAErB,6DAA6D;IAC7D,gDAAgD;IAChD,MAAMU,gBAAgB,MAAMR,2BAA2BC;IAEvD,OAAO;QACLA;QACAO;QACAC,qBAAqB;IACvB;AACF"}

package/dist/esm/auth/rfc9728-discovery.d.ts ADDED Viewed

@@ -0,0 +1,34 @@
+/**
+ * RFC 9728 Protected Resource Metadata Discovery
+ * Probes .well-known/oauth-protected-resource endpoint
+ */
+import type { AuthorizationServerMetadata, ProtectedResourceMetadata } from './types.js';
+/**
+ * Discover OAuth 2.0 Protected Resource Metadata (RFC 9728)
+ * Probes .well-known/oauth-protected-resource endpoint
+ *
+ * Discovery Strategy:
+ * 1. Try origin root: {origin}/.well-known/oauth-protected-resource
+ * 2. If 404, try sub-path: {origin}/.well-known/oauth-protected-resource{path}
+ *
+ * @param resourceUrl - URL of the protected resource (e.g., https://ai.todoist.net/mcp)
+ * @returns ProtectedResourceMetadata if discovered, null otherwise
+ *
+ * @example
+ * // Todoist case: MCP at ai.todoist.net/mcp, OAuth at todoist.com
+ * const metadata = await discoverProtectedResourceMetadata('https://ai.todoist.net/mcp');
+ * // Returns: { resource: "https://ai.todoist.net/mcp", authorization_servers: ["https://todoist.com"] }
+ */
+export declare function discoverProtectedResourceMetadata(resourceUrl: string): Promise<ProtectedResourceMetadata | null>;
+/**
+ * Discover OAuth 2.0 Authorization Server Metadata (RFC 8414)
+ * Probes .well-known/oauth-authorization-server endpoint
+ *
+ * @param authServerUrl - URL of the authorization server (typically from RFC 9728 discovery)
+ * @returns AuthorizationServerMetadata if discovered, null otherwise
+ *
+ * @example
+ * const metadata = await discoverAuthorizationServerMetadata('https://todoist.com');
+ * // Returns: { issuer: "https://todoist.com", authorization_endpoint: "...", ... }
+ */
+export declare function discoverAuthorizationServerMetadata(authServerUrl: string): Promise<AuthorizationServerMetadata | null>;

package/dist/esm/auth/rfc9728-discovery.js ADDED Viewed

@@ -0,0 +1,157 @@
+/**
+ * RFC 9728 Protected Resource Metadata Discovery
+ * Probes .well-known/oauth-protected-resource endpoint
+ */ /**
+ * Extract origin (protocol + host) from a URL
+ * @param url - Full URL that may include a path
+ * @returns Origin (e.g., "https://example.com") or original string if invalid URL
+ *
+ * @example
+ * getOrigin('https://example.com/mcp') // → 'https://example.com'
+ * getOrigin('http://localhost:9999/api/v1/mcp') // → 'http://localhost:9999'
+ */ function getOrigin(url) {
+    try {
+        return new URL(url).origin;
+    } catch  {
+        // Invalid URL - return as-is for graceful degradation
+        return url;
+    }
+}
+/**
+ * Extract path from a URL (without origin)
+ * @param url - Full URL
+ * @returns Path component (e.g., "/mcp", "/api/v1/mcp") or empty string if no path
+ */ function getPath(url) {
+    try {
+        const parsed = new URL(url);
+        // pathname includes leading slash, e.g., "/mcp"
+        return parsed.pathname === '/' ? '' : parsed.pathname;
+    } catch  {
+        return '';
+    }
+}
+/**
+ * Discover OAuth 2.0 Protected Resource Metadata (RFC 9728)
+ * Probes .well-known/oauth-protected-resource endpoint
+ *
+ * Discovery Strategy:
+ * 1. Try origin root: {origin}/.well-known/oauth-protected-resource
+ * 2. If 404, try sub-path: {origin}/.well-known/oauth-protected-resource{path}
+ *
+ * @param resourceUrl - URL of the protected resource (e.g., https://ai.todoist.net/mcp)
+ * @returns ProtectedResourceMetadata if discovered, null otherwise
+ *
+ * @example
+ * // Todoist case: MCP at ai.todoist.net/mcp, OAuth at todoist.com
+ * const metadata = await discoverProtectedResourceMetadata('https://ai.todoist.net/mcp');
+ * // Returns: { resource: "https://ai.todoist.net/mcp", authorization_servers: ["https://todoist.com"] }
+ */ export async function discoverProtectedResourceMetadata(resourceUrl) {
+    try {
+        const origin = getOrigin(resourceUrl);
+        const path = getPath(resourceUrl);
+        // Strategy 1: Try root location (REQUIRED by RFC 9728)
+        const rootUrl = `${origin}/.well-known/oauth-protected-resource`;
+        try {
+            const response = await fetch(rootUrl, {
+                method: 'GET',
+                headers: {
+                    Accept: 'application/json',
+                    Connection: 'close'
+                }
+            });
+            if (response.ok) {
+                const metadata = await response.json();
+                // Check if the discovered resource matches what we're looking for
+                if (metadata.resource === resourceUrl) {
+                    return metadata;
+                }
+                // If there's no path component, return root metadata
+                // (e.g., looking for http://example.com and found it)
+                if (!path) {
+                    return metadata;
+                }
+                // If requested URL starts with metadata.resource, the root metadata applies to sub-paths
+                // (e.g., looking for http://example.com/api/v1/mcp, found http://example.com)
+                if (resourceUrl.startsWith(metadata.resource)) {
+                    // Still try sub-path location to see if there's more specific metadata
+                    // But save root metadata as fallback
+                    const rootMetadata = metadata;
+                    // Try sub-path location for more specific metadata
+                    const subPathUrl = `${origin}/.well-known/oauth-protected-resource${path}`;
+                    try {
+                        const subPathResponse = await fetch(subPathUrl, {
+                            method: 'GET',
+                            headers: {
+                                Accept: 'application/json',
+                                Connection: 'close'
+                            }
+                        });
+                        if (subPathResponse.ok) {
+                            return await subPathResponse.json();
+                        }
+                    } catch  {
+                    // Sub-path failed, use root metadata
+                    }
+                    // Return root metadata as it applies to this resource
+                    return rootMetadata;
+                }
+            // Otherwise, try sub-path location before giving up
+            }
+        } catch  {
+        // Continue to sub-path location
+        }
+        // Strategy 2: Try sub-path location (MCP spec extension)
+        // Only try if there's a path component
+        if (path) {
+            const subPathUrl = `${origin}/.well-known/oauth-protected-resource${path}`;
+            try {
+                const response = await fetch(subPathUrl, {
+                    method: 'GET',
+                    headers: {
+                        Accept: 'application/json',
+                        Connection: 'close'
+                    }
+                });
+                if (response.ok) {
+                    return await response.json();
+                }
+            } catch  {
+            // Fall through to return null
+            }
+        }
+        // Neither location found or resource didn't match
+        return null;
+    } catch (_error) {
+        // Network error, invalid URL, or other failure
+        return null;
+    }
+}
+/**
+ * Discover OAuth 2.0 Authorization Server Metadata (RFC 8414)
+ * Probes .well-known/oauth-authorization-server endpoint
+ *
+ * @param authServerUrl - URL of the authorization server (typically from RFC 9728 discovery)
+ * @returns AuthorizationServerMetadata if discovered, null otherwise
+ *
+ * @example
+ * const metadata = await discoverAuthorizationServerMetadata('https://todoist.com');
+ * // Returns: { issuer: "https://todoist.com", authorization_endpoint: "...", ... }
+ */ export async function discoverAuthorizationServerMetadata(authServerUrl) {
+    try {
+        const origin = getOrigin(authServerUrl);
+        const wellKnownUrl = `${origin}/.well-known/oauth-authorization-server`;
+        const response = await fetch(wellKnownUrl, {
+            method: 'GET',
+            headers: {
+                Accept: 'application/json',
+                Connection: 'close'
+            }
+        });
+        if (!response.ok) {
+            return null;
+        }
+        return await response.json();
+    } catch (_error) {
+        return null;
+    }
+}

package/dist/esm/auth/rfc9728-discovery.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["/Users/kevin/Dev/Projects/ai/mcp-z/libs/client/src/auth/rfc9728-discovery.ts"],"sourcesContent":["/**\n * RFC 9728 Protected Resource Metadata Discovery\n * Probes .well-known/oauth-protected-resource endpoint\n */\n\nimport type { AuthorizationServerMetadata, ProtectedResourceMetadata } from './types.ts';\n\n/**\n * Extract origin (protocol + host) from a URL\n * @param url - Full URL that may include a path\n * @returns Origin (e.g., \"https://example.com\") or original string if invalid URL\n *\n * @example\n * getOrigin('https://example.com/mcp') // → 'https://example.com'\n * getOrigin('http://localhost:9999/api/v1/mcp') // → 'http://localhost:9999'\n */\nfunction getOrigin(url: string): string {\n try {\n return new URL(url).origin;\n } catch {\n // Invalid URL - return as-is for graceful degradation\n return url;\n }\n}\n\n/**\n * Extract path from a URL (without origin)\n * @param url - Full URL\n * @returns Path component (e.g., \"/mcp\", \"/api/v1/mcp\") or empty string if no path\n */\nfunction getPath(url: string): string {\n try {\n const parsed = new URL(url);\n // pathname includes leading slash, e.g., \"/mcp\"\n return parsed.pathname === '/' ? '' : parsed.pathname;\n } catch {\n return '';\n }\n}\n\n/**\n * Discover OAuth 2.0 Protected Resource Metadata (RFC 9728)\n * Probes .well-known/oauth-protected-resource endpoint\n *\n * Discovery Strategy:\n * 1. Try origin root: {origin}/.well-known/oauth-protected-resource\n * 2. If 404, try sub-path: {origin}/.well-known/oauth-protected-resource{path}\n *\n * @param resourceUrl - URL of the protected resource (e.g., https://ai.todoist.net/mcp)\n * @returns ProtectedResourceMetadata if discovered, null otherwise\n *\n * @example\n * // Todoist case: MCP at ai.todoist.net/mcp, OAuth at todoist.com\n * const metadata = await discoverProtectedResourceMetadata('https://ai.todoist.net/mcp');\n * // Returns: { resource: \"https://ai.todoist.net/mcp\", authorization_servers: [\"https://todoist.com\"] }\n */\nexport async function discoverProtectedResourceMetadata(resourceUrl: string): Promise<ProtectedResourceMetadata | null> {\n try {\n const origin = getOrigin(resourceUrl);\n const path = getPath(resourceUrl);\n\n // Strategy 1: Try root location (REQUIRED by RFC 9728)\n const rootUrl = `${origin}/.well-known/oauth-protected-resource`;\n\n try {\n const response = await fetch(rootUrl, {\n method: 'GET',\n headers: { Accept: 'application/json', Connection: 'close' },\n });\n\n if (response.ok) {\n const metadata = (await response.json()) as ProtectedResourceMetadata;\n // Check if the discovered resource matches what we're looking for\n if (metadata.resource === resourceUrl) {\n return metadata;\n }\n // If there's no path component, return root metadata\n // (e.g., looking for http://example.com and found it)\n if (!path) {\n return metadata;\n }\n // If requested URL starts with metadata.resource, the root metadata applies to sub-paths\n // (e.g., looking for http://example.com/api/v1/mcp, found http://example.com)\n if (resourceUrl.startsWith(metadata.resource)) {\n // Still try sub-path location to see if there's more specific metadata\n // But save root metadata as fallback\n const rootMetadata = metadata;\n\n // Try sub-path location for more specific metadata\n const subPathUrl = `${origin}/.well-known/oauth-protected-resource${path}`;\n try {\n const subPathResponse = await fetch(subPathUrl, {\n method: 'GET',\n headers: { Accept: 'application/json', Connection: 'close' },\n });\n if (subPathResponse.ok) {\n return (await subPathResponse.json()) as ProtectedResourceMetadata;\n }\n } catch {\n // Sub-path failed, use root metadata\n }\n\n // Return root metadata as it applies to this resource\n return rootMetadata;\n }\n // Otherwise, try sub-path location before giving up\n }\n } catch {\n // Continue to sub-path location\n }\n\n // Strategy 2: Try sub-path location (MCP spec extension)\n // Only try if there's a path component\n if (path) {\n const subPathUrl = `${origin}/.well-known/oauth-protected-resource${path}`;\n\n try {\n const response = await fetch(subPathUrl, {\n method: 'GET',\n headers: { Accept: 'application/json', Connection: 'close' },\n });\n\n if (response.ok) {\n return (await response.json()) as ProtectedResourceMetadata;\n }\n } catch {\n // Fall through to return null\n }\n }\n\n // Neither location found or resource didn't match\n return null;\n } catch (_error) {\n // Network error, invalid URL, or other failure\n return null;\n }\n}\n\n/**\n * Discover OAuth 2.0 Authorization Server Metadata (RFC 8414)\n * Probes .well-known/oauth-authorization-server endpoint\n *\n * @param authServerUrl - URL of the authorization server (typically from RFC 9728 discovery)\n * @returns AuthorizationServerMetadata if discovered, null otherwise\n *\n * @example\n * const metadata = await discoverAuthorizationServerMetadata('https://todoist.com');\n * // Returns: { issuer: \"https://todoist.com\", authorization_endpoint: \"...\", ... }\n */\nexport async function discoverAuthorizationServerMetadata(authServerUrl: string): Promise<AuthorizationServerMetadata | null> {\n try {\n const origin = getOrigin(authServerUrl);\n const wellKnownUrl = `${origin}/.well-known/oauth-authorization-server`;\n\n const response = await fetch(wellKnownUrl, {\n method: 'GET',\n headers: { Accept: 'application/json', Connection: 'close' },\n });\n\n if (!response.ok) {\n return null;\n }\n\n return (await response.json()) as AuthorizationServerMetadata;\n } catch (_error) {\n return null;\n }\n}\n"],"names":["getOrigin","url","URL","origin","getPath","parsed","pathname","discoverProtectedResourceMetadata","resourceUrl","path","rootUrl","response","fetch","method","headers","Accept","Connection","ok","metadata","json","resource","startsWith","rootMetadata","subPathUrl","subPathResponse","_error","discoverAuthorizationServerMetadata","authServerUrl","wellKnownUrl"],"mappings":"AAAA;;;CAGC,GAID;;;;;;;;CAQC,GACD,SAASA,UAAUC,GAAW;IAC5B,IAAI;QACF,OAAO,IAAIC,IAAID,KAAKE,MAAM;IAC5B,EAAE,OAAM;QACN,sDAAsD;QACtD,OAAOF;IACT;AACF;AAEA;;;;CAIC,GACD,SAASG,QAAQH,GAAW;IAC1B,IAAI;QACF,MAAMI,SAAS,IAAIH,IAAID;QACvB,gDAAgD;QAChD,OAAOI,OAAOC,QAAQ,KAAK,MAAM,KAAKD,OAAOC,QAAQ;IACvD,EAAE,OAAM;QACN,OAAO;IACT;AACF;AAEA;;;;;;;;;;;;;;;CAeC,GACD,OAAO,eAAeC,kCAAkCC,WAAmB;IACzE,IAAI;QACF,MAAML,SAASH,UAAUQ;QACzB,MAAMC,OAAOL,QAAQI;QAErB,uDAAuD;QACvD,MAAME,UAAU,GAAGP,OAAO,qCAAqC,CAAC;QAEhE,IAAI;YACF,MAAMQ,WAAW,MAAMC,MAAMF,SAAS;gBACpCG,QAAQ;gBACRC,SAAS;oBAAEC,QAAQ;oBAAoBC,YAAY;gBAAQ;YAC7D;YAEA,IAAIL,SAASM,EAAE,EAAE;gBACf,MAAMC,WAAY,MAAMP,SAASQ,IAAI;gBACrC,kEAAkE;gBAClE,IAAID,SAASE,QAAQ,KAAKZ,aAAa;oBACrC,OAAOU;gBACT;gBACA,qDAAqD;gBACrD,sDAAsD;gBACtD,IAAI,CAACT,MAAM;oBACT,OAAOS;gBACT;gBACA,yFAAyF;gBACzF,8EAA8E;gBAC9E,IAAIV,YAAYa,UAAU,CAACH,SAASE,QAAQ,GAAG;oBAC7C,uEAAuE;oBACvE,qCAAqC;oBACrC,MAAME,eAAeJ;oBAErB,mDAAmD;oBACnD,MAAMK,aAAa,GAAGpB,OAAO,qCAAqC,EAAEM,MAAM;oBAC1E,IAAI;wBACF,MAAMe,kBAAkB,MAAMZ,MAAMW,YAAY;4BAC9CV,QAAQ;4BACRC,SAAS;gCAAEC,QAAQ;gCAAoBC,YAAY;4BAAQ;wBAC7D;wBACA,IAAIQ,gBAAgBP,EAAE,EAAE;4BACtB,OAAQ,MAAMO,gBAAgBL,IAAI;wBACpC;oBACF,EAAE,OAAM;oBACN,qCAAqC;oBACvC;oBAEA,sDAAsD;oBACtD,OAAOG;gBACT;YACA,oDAAoD;YACtD;QACF,EAAE,OAAM;QACN,gCAAgC;QAClC;QAEA,yDAAyD;QACzD,uCAAuC;QACvC,IAAIb,MAAM;YACR,MAAMc,aAAa,GAAGpB,OAAO,qCAAqC,EAAEM,MAAM;YAE1E,IAAI;gBACF,MAAME,WAAW,MAAMC,MAAMW,YAAY;oBACvCV,QAAQ;oBACRC,SAAS;wBAAEC,QAAQ;wBAAoBC,YAAY;oBAAQ;gBAC7D;gBAEA,IAAIL,SAASM,EAAE,EAAE;oBACf,OAAQ,MAAMN,SAASQ,IAAI;gBAC7B;YACF,EAAE,OAAM;YACN,8BAA8B;YAChC;QACF;QAEA,kDAAkD;QAClD,OAAO;IACT,EAAE,OAAOM,QAAQ;QACf,+CAA+C;QAC/C,OAAO;IACT;AACF;AAEA;;;;;;;;;;CAUC,GACD,OAAO,eAAeC,oCAAoCC,aAAqB;IAC7E,IAAI;QACF,MAAMxB,SAASH,UAAU2B;QACzB,MAAMC,eAAe,GAAGzB,OAAO,uCAAuC,CAAC;QAEvE,MAAMQ,WAAW,MAAMC,MAAMgB,cAAc;YACzCf,QAAQ;YACRC,SAAS;gBAAEC,QAAQ;gBAAoBC,YAAY;YAAQ;QAC7D;QAEA,IAAI,CAACL,SAASM,EAAE,EAAE;YAChB,OAAO;QACT;QAEA,OAAQ,MAAMN,SAASQ,IAAI;IAC7B,EAAE,OAAOM,QAAQ;QACf,OAAO;IACT;AACF"}

package/dist/esm/auth/types.d.ts ADDED Viewed

@@ -0,0 +1,137 @@
+/**
+ * Shared types for OAuth and DCR authentication
+ */
+/**
+ * OAuth callback result from authorization server
+ */
+export interface CallbackResult {
+    /** Authorization code from OAuth server */
+    code: string;
+    /** State parameter for CSRF protection */
+    state?: string;
+}
+/**
+ * PKCE (Proof Key for Code Exchange) parameters (RFC 7636)
+ * Used to secure OAuth 2.0 authorization code flow for public clients
+ */
+export interface PkceParams {
+    /** Code verifier - cryptographically random string (43-128 characters) */
+    codeVerifier: string;
+    /** Code challenge - derived from code verifier using challenge method */
+    codeChallenge: string;
+    /** Code challenge method - S256 (SHA-256) or plain */
+    codeChallengeMethod: 'S256' | 'plain';
+}
+/**
+ * OAuth token set with access and refresh tokens
+ */
+export interface TokenSet {
+    /** Access token for API requests */
+    accessToken: string;
+    /** Refresh token for obtaining new access tokens */
+    refreshToken: string;
+    /** Timestamp when access token expires (milliseconds since epoch) */
+    expiresAt: number;
+    /** Scopes granted for this token set */
+    scopes?: string[];
+    /** Client ID used for DCR registration (stored for future use) */
+    clientId?: string;
+    /** Client secret used for DCR registration (stored for future use) */
+    clientSecret?: string;
+}
+/**
+ * OAuth 2.0 Protected Resource Metadata (RFC 9728)
+ * Response from .well-known/oauth-protected-resource endpoint
+ */
+export interface ProtectedResourceMetadata {
+    /** The protected resource identifier */
+    resource: string;
+    /** List of authorization server URLs that can issue tokens for this resource */
+    authorization_servers: string[];
+    /** Optional list of scopes supported by this resource */
+    scopes_supported?: string[];
+    /** Optional list of bearer token methods supported (header, query, body) */
+    bearer_methods_supported?: string[];
+}
+/**
+ * OAuth 2.0 Authorization Server Metadata (RFC 8414)
+ * Response from .well-known/oauth-authorization-server endpoint
+ */
+export interface AuthorizationServerMetadata {
+    /** The authorization server's issuer identifier */
+    issuer?: string;
+    /** URL of the authorization endpoint */
+    authorization_endpoint?: string;
+    /** URL of the token endpoint */
+    token_endpoint?: string;
+    /** URL of the client registration endpoint (DCR - RFC 7591) */
+    registration_endpoint?: string;
+    /** URL of the token introspection endpoint */
+    introspection_endpoint?: string;
+    /** List of OAuth scopes supported by the authorization server */
+    scopes_supported?: string[];
+    /** Response types supported (code, token, etc.) */
+    response_types_supported?: string[];
+    /** Grant types supported (authorization_code, refresh_token, etc.) */
+    grant_types_supported?: string[];
+    /** Token endpoint authentication methods supported */
+    token_endpoint_auth_methods_supported?: string[];
+}
+/**
+ * OAuth server capabilities discovered from .well-known endpoint
+ */
+export interface AuthCapabilities {
+    /** Whether the server supports Dynamic Client Registration (RFC 7591) */
+    supportsDcr: boolean;
+    /** DCR client registration endpoint */
+    registrationEndpoint?: string;
+    /** OAuth authorization endpoint */
+    authorizationEndpoint?: string;
+    /** OAuth token endpoint */
+    tokenEndpoint?: string;
+    /** Token introspection endpoint */
+    introspectionEndpoint?: string;
+    /** Supported OAuth scopes */
+    scopes?: string[];
+}
+/**
+ * Client credentials from DCR registration
+ */
+export interface ClientCredentials {
+    /** OAuth client ID */
+    clientId: string;
+    /** OAuth client secret */
+    clientSecret: string;
+    /** Timestamp when client was registered */
+    issuedAt?: number;
+}
+/**
+ * Options for DCR client registration
+ */
+export interface DcrRegistrationOptions {
+    /** Client name to register */
+    clientName?: string;
+    /** Redirect URI for OAuth callback */
+    redirectUri?: string;
+}
+/**
+ * Options for OAuth authorization flow
+ */
+export interface OAuthFlowOptions {
+    /** Port for OAuth callback listener (required - use get-port to find available port) */
+    port: number;
+    /** Redirect URI for OAuth callback (optional - will be built from port if not provided) */
+    redirectUri?: string;
+    /** OAuth scopes to request */
+    scopes?: string[];
+    /** Resource parameter (RFC 8707) - target resource server identifier */
+    resource?: string;
+    /** Enable PKCE (RFC 7636) - recommended for all clients, required for public clients */
+    pkce?: boolean;
+    /** Headless mode (don't open browser) */
+    headless?: boolean;
+    /** Timeout for callback (milliseconds) */
+    timeout?: number;
+    /** Optional logger for debug output (defaults to singleton logger) */
+    logger?: import('../utils/logger.js').Logger;
+}