@mcp-z/oauth-google 1.0.0

package/dist/esm/schemas/index.d.ts

@@ -0,0 +1,20 @@
+import { z } from 'zod';
+export declare const AuthRequiredBranchSchema: z.ZodObject<{
+    type: z.ZodLiteral<"auth_required">;
+    provider: z.ZodString;
+    message: z.ZodString;
+    url: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>;
+export type AuthRequiredBranch = z.infer<typeof AuthRequiredBranchSchema>;
+export declare const AuthRequiredSchema: z.ZodObject<{
+    type: z.ZodLiteral<"auth_required">;
+    provider: z.ZodString;
+    message: z.ZodString;
+    url: z.ZodString;
+    flow: z.ZodOptional<z.ZodString>;
+    instructions: z.ZodString;
+    user_code: z.ZodOptional<z.ZodString>;
+    expires_in: z.ZodOptional<z.ZodNumber>;
+    accountId: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>;
+export type AuthRequired = z.infer<typeof AuthRequiredSchema>;

package/dist/esm/schemas/index.js

@@ -0,0 +1,18 @@
+import { z } from 'zod';
+export const AuthRequiredBranchSchema = z.object({
+    type: z.literal('auth_required'),
+    provider: z.string(),
+    message: z.string(),
+    url: z.string().optional()
+});
+export const AuthRequiredSchema = z.object({
+    type: z.literal('auth_required'),
+    provider: z.string().describe('OAuth provider name (e.g., "google")'),
+    message: z.string().describe('Human-readable message explaining why auth is needed'),
+    url: z.string().url().describe('Authentication URL to open in browser'),
+    flow: z.string().optional().describe('Authentication flow type (e.g., "auth_url", "device_code")'),
+    instructions: z.string().describe('Clear instructions for the user'),
+    user_code: z.string().optional().describe('Code user must enter at verification URL (device flows only)'),
+    expires_in: z.number().optional().describe('Seconds until code expires (device flows only)'),
+    accountId: z.string().optional().describe('Account identifier (email) that requires authentication')
+}).describe('Authentication required with clear actionable instructions for user');

package/dist/esm/schemas/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["/Users/kevin/Dev/Projects/ai/mcp-z/oauth/oauth-google/src/schemas/index.ts"],"sourcesContent":["import { z } from 'zod';\n\nexport const AuthRequiredBranchSchema = z.object({\n  type: z.literal('auth_required'),\n  provider: z.string(),\n  message: z.string(),\n  url: z.string().optional(),\n});\nexport type AuthRequiredBranch = z.infer<typeof AuthRequiredBranchSchema>;\n\nexport const AuthRequiredSchema = z\n  .object({\n    type: z.literal('auth_required'),\n    provider: z.string().describe('OAuth provider name (e.g., \"google\")'),\n    message: z.string().describe('Human-readable message explaining why auth is needed'),\n    url: z.string().url().describe('Authentication URL to open in browser'),\n    flow: z.string().optional().describe('Authentication flow type (e.g., \"auth_url\", \"device_code\")'),\n    instructions: z.string().describe('Clear instructions for the user'),\n    user_code: z.string().optional().describe('Code user must enter at verification URL (device flows only)'),\n    expires_in: z.number().optional().describe('Seconds until code expires (device flows only)'),\n    accountId: z.string().optional().describe('Account identifier (email) that requires authentication'),\n  })\n  .describe('Authentication required with clear actionable instructions for user');\n\nexport type AuthRequired = z.infer<typeof AuthRequiredSchema>;\n"],"names":["z","AuthRequiredBranchSchema","object","type","literal","provider","string","message","url","optional","AuthRequiredSchema","describe","flow","instructions","user_code","expires_in","number","accountId"],"mappings":"AAAA,SAASA,CAAC,QAAQ,MAAM;AAExB,OAAO,MAAMC,2BAA2BD,EAAEE,MAAM,CAAC;IAC/CC,MAAMH,EAAEI,OAAO,CAAC;IAChBC,UAAUL,EAAEM,MAAM;IAClBC,SAASP,EAAEM,MAAM;IACjBE,KAAKR,EAAEM,MAAM,GAAGG,QAAQ;AAC1B,GAAG;AAGH,OAAO,MAAMC,qBAAqBV,EAC/BE,MAAM,CAAC;IACNC,MAAMH,EAAEI,OAAO,CAAC;IAChBC,UAAUL,EAAEM,MAAM,GAAGK,QAAQ,CAAC;IAC9BJ,SAASP,EAAEM,MAAM,GAAGK,QAAQ,CAAC;IAC7BH,KAAKR,EAAEM,MAAM,GAAGE,GAAG,GAAGG,QAAQ,CAAC;IAC/BC,MAAMZ,EAAEM,MAAM,GAAGG,QAAQ,GAAGE,QAAQ,CAAC;IACrCE,cAAcb,EAAEM,MAAM,GAAGK,QAAQ,CAAC;IAClCG,WAAWd,EAAEM,MAAM,GAAGG,QAAQ,GAAGE,QAAQ,CAAC;IAC1CI,YAAYf,EAAEgB,MAAM,GAAGP,QAAQ,GAAGE,QAAQ,CAAC;IAC3CM,WAAWjB,EAAEM,MAAM,GAAGG,QAAQ,GAAGE,QAAQ,CAAC;AAC5C,GACCA,QAAQ,CAAC,uEAAuE"}

package/dist/esm/setup/config.d.ts

@@ -0,0 +1,112 @@
+/**
+ * Google OAuth configuration parsing from CLI arguments and environment variables.
+ *
+ * This module provides utilities to parse Google OAuth configuration from
+ * CLI arguments and environment variables, following the same pattern as @mcp-z/server's
+ * parseConfig().
+ */
+import type { DcrConfig, OAuthConfig } from '../types.js';
+export type { DcrConfig, OAuthConfig };
+/**
+ * Transport type for MCP servers
+ */
+type TransportType = 'stdio' | 'http';
+/**
+ * Parse Google OAuth configuration from CLI arguments and environment variables.
+ *
+ * CLI Arguments:
+ * - --auth: Auth mode ('loopback-oauth' | 'service-account' | 'dcr')
+ *   - Default: 'loopback-oauth' (if flag is omitted)
+ * - --headless: Disable browser opening for OAuth flow (default: false, true in test env)
+ * - --redirect-uri: Override OAuth redirect URI (default: ephemeral loopback)
+ * - --service-account-key-file: Service account key file path (required for service-account mode)
+ *
+ * Required environment variables:
+ * - GOOGLE_CLIENT_ID: OAuth 2.0 client ID from Google Cloud Console
+ *
+ * Optional environment variables:
+ * - GOOGLE_CLIENT_SECRET: OAuth 2.0 client secret (optional for public clients)
+ * - AUTH_MODE: Auth mode (same format as --auth flag)
+ * - HEADLESS: Headless mode flag ('true' to enable)
+ * - REDIRECT_URI: OAuth redirect URI (overridden by --redirect-uri CLI flag)
+ * - GOOGLE_SERVICE_ACCOUNT_KEY_FILE: Service account key file (for service-account mode)
+ *
+ * @param args - CLI arguments array (typically process.argv)
+ * @param env - Environment variables object (typically process.env)
+ * @param transport - Optional transport type. If 'stdio' and auth mode is 'dcr', throws an error.
+ * @returns Parsed Google OAuth configuration
+ * @throws Error if required environment variables are missing, values are invalid, or DCR is used with stdio transport
+ *
+ * @example Default mode (no flags)
+ * ```typescript
+ * const config = parseConfig(process.argv, process.env);
+ * // { auth: 'loopback-oauth' }
+ * ```
+ *
+ * @example Override auth mode
+ * ```typescript
+ * parseConfig(['--auth=loopback-oauth'], process.env);
+ * parseConfig(['--auth=service-account'], process.env);
+ * parseConfig(['--auth=dcr'], process.env);
+ * ```
+ *
+ * @example With transport validation
+ * ```typescript
+ * parseConfig(['--auth=dcr'], process.env, 'http'); // OK
+ * parseConfig(['--auth=dcr'], process.env, 'stdio'); // Throws error
+ * ```
+ *
+ * Valid auth modes:
+ * - loopback-oauth (default)
+ * - service-account
+ * - dcr (HTTP transport only)
+ */
+export declare function parseConfig(args: string[], env: Record<string, string | undefined>, transport?: TransportType): OAuthConfig;
+/**
+ * Build production configuration from process globals.
+ * Entry point for production server.
+ */
+export declare function createConfig(): OAuthConfig;
+/**
+ * Parse DCR configuration from CLI arguments and environment variables.
+ *
+ * CLI Arguments:
+ * - --dcr-mode: DCR mode ('self-hosted' | 'external')
+ *   - Default: 'self-hosted' (if flag is omitted)
+ * - --dcr-verify-url: External verification endpoint URL (required for external mode)
+ * - --dcr-store-uri: DCR client storage URI (required for self-hosted mode)
+ *
+ * Required environment variables:
+ * - GOOGLE_CLIENT_ID: OAuth 2.0 client ID from Google Cloud Console
+ *
+ * Optional environment variables:
+ * - GOOGLE_CLIENT_SECRET: OAuth 2.0 client secret (optional for public clients)
+ * - DCR_MODE: DCR mode (same format as --dcr-mode flag)
+ * - DCR_VERIFY_URL: External verification URL (same as --dcr-verify-url flag)
+ * - DCR_STORE_URI: DCR storage URI (same as --dcr-store-uri flag)
+ *
+ * @param args - CLI arguments array (typically process.argv)
+ * @param env - Environment variables object (typically process.env)
+ * @param scope - OAuth scopes to request (space-separated)
+ * @returns Parsed DCR configuration
+ * @throws Error if required environment variables are missing or validation fails
+ *
+ * @example Self-hosted mode
+ * ```typescript
+ * const config = parseDcrConfig(
+ *   ['--dcr-mode=self-hosted', '--dcr-store-uri=file:///path/to/store.json'],
+ *   process.env,
+ *   'https://www.googleapis.com/auth/drive.readonly'
+ * );
+ * ```
+ *
+ * @example External mode
+ * ```typescript
+ * const config = parseDcrConfig(
+ *   ['--dcr-mode=external', '--dcr-verify-url=https://auth0.example.com/verify'],
+ *   process.env,
+ *   'https://www.googleapis.com/auth/drive.readonly'
+ * );
+ * ```
+ */
+export declare function parseDcrConfig(args: string[], env: Record<string, string | undefined>, scope: string): DcrConfig;

package/dist/esm/setup/config.js

@@ -0,0 +1,258 @@
+/**
+ * Google OAuth configuration parsing from CLI arguments and environment variables.
+ *
+ * This module provides utilities to parse Google OAuth configuration from
+ * CLI arguments and environment variables, following the same pattern as @mcp-z/server's
+ * parseConfig().
+ */ import { resolve } from 'path';
+import { parseArgs } from 'util';
+/**
+ * Parse auth mode string into auth mode.
+ *
+ * @param value - Auth mode string ('loopback-oauth', 'service-account', or 'dcr')
+ * @returns Parsed auth mode
+ * @throws Error if value is invalid
+ *
+ * @example Valid formats
+ * ```typescript
+ * parseAuthMode('loopback-oauth')   // { auth: 'loopback-oauth' }
+ * parseAuthMode('service-account')  // { auth: 'service-account' }
+ * parseAuthMode('dcr')              // { auth: 'dcr' }
+ * ```
+ */ function parseAuthMode(value) {
+    if (value !== 'loopback-oauth' && value !== 'service-account' && value !== 'dcr') {
+        throw new Error(`Invalid --auth value: "${value}". Valid values: loopback-oauth, service-account, dcr`);
+    }
+    return {
+        auth: value
+    };
+}
+/**
+ * Parse Google OAuth configuration from CLI arguments and environment variables.
+ *
+ * CLI Arguments:
+ * - --auth: Auth mode ('loopback-oauth' | 'service-account' | 'dcr')
+ *   - Default: 'loopback-oauth' (if flag is omitted)
+ * - --headless: Disable browser opening for OAuth flow (default: false, true in test env)
+ * - --redirect-uri: Override OAuth redirect URI (default: ephemeral loopback)
+ * - --service-account-key-file: Service account key file path (required for service-account mode)
+ *
+ * Required environment variables:
+ * - GOOGLE_CLIENT_ID: OAuth 2.0 client ID from Google Cloud Console
+ *
+ * Optional environment variables:
+ * - GOOGLE_CLIENT_SECRET: OAuth 2.0 client secret (optional for public clients)
+ * - AUTH_MODE: Auth mode (same format as --auth flag)
+ * - HEADLESS: Headless mode flag ('true' to enable)
+ * - REDIRECT_URI: OAuth redirect URI (overridden by --redirect-uri CLI flag)
+ * - GOOGLE_SERVICE_ACCOUNT_KEY_FILE: Service account key file (for service-account mode)
+ *
+ * @param args - CLI arguments array (typically process.argv)
+ * @param env - Environment variables object (typically process.env)
+ * @param transport - Optional transport type. If 'stdio' and auth mode is 'dcr', throws an error.
+ * @returns Parsed Google OAuth configuration
+ * @throws Error if required environment variables are missing, values are invalid, or DCR is used with stdio transport
+ *
+ * @example Default mode (no flags)
+ * ```typescript
+ * const config = parseConfig(process.argv, process.env);
+ * // { auth: 'loopback-oauth' }
+ * ```
+ *
+ * @example Override auth mode
+ * ```typescript
+ * parseConfig(['--auth=loopback-oauth'], process.env);
+ * parseConfig(['--auth=service-account'], process.env);
+ * parseConfig(['--auth=dcr'], process.env);
+ * ```
+ *
+ * @example With transport validation
+ * ```typescript
+ * parseConfig(['--auth=dcr'], process.env, 'http'); // OK
+ * parseConfig(['--auth=dcr'], process.env, 'stdio'); // Throws error
+ * ```
+ *
+ * Valid auth modes:
+ * - loopback-oauth (default)
+ * - service-account
+ * - dcr (HTTP transport only)
+ */ export function parseConfig(args, env, transport) {
+    var _ref;
+    function requiredEnv(key) {
+        const value = env[key];
+        if (!value) {
+            throw new Error(`Environment variable ${key} is required for Google OAuth`);
+        }
+        return value;
+    }
+    // Parse CLI arguments
+    const { values } = parseArgs({
+        args,
+        options: {
+            auth: {
+                type: 'string'
+            },
+            headless: {
+                type: 'boolean'
+            },
+            'redirect-uri': {
+                type: 'string'
+            },
+            'service-account-key-file': {
+                type: 'string'
+            }
+        },
+        strict: false,
+        allowPositionals: true
+    });
+    const authArg = typeof values.auth === 'string' ? values.auth : undefined;
+    const envAuthMode = env.AUTH_MODE;
+    const mode = authArg || envAuthMode;
+    let auth;
+    if (mode) {
+        const parsed = parseAuthMode(mode);
+        auth = parsed.auth;
+    } else {
+        // DEFAULT: No flags provided, use loopback-oauth
+        auth = 'loopback-oauth';
+    }
+    // Validate: DCR only works with HTTP transport
+    if (auth === 'dcr' && transport === 'stdio') {
+        throw new Error('DCR authentication mode requires HTTP transport. DCR is not supported with stdio transport.');
+    }
+    const cliHeadless = typeof values.headless === 'boolean' ? values.headless : undefined;
+    const envHeadless = env.HEADLESS === 'true' ? true : env.HEADLESS === 'false' ? false : undefined;
+    const headless = (_ref = cliHeadless !== null && cliHeadless !== void 0 ? cliHeadless : envHeadless) !== null && _ref !== void 0 ? _ref : false;
+    const cliRedirectUri = typeof values['redirect-uri'] === 'string' ? values['redirect-uri'] : undefined;
+    const envRedirectUri = env.REDIRECT_URI;
+    const redirectUri = cliRedirectUri !== null && cliRedirectUri !== void 0 ? cliRedirectUri : envRedirectUri;
+    const clientId = requiredEnv('GOOGLE_CLIENT_ID');
+    const clientSecret = env.GOOGLE_CLIENT_SECRET;
+    let serviceAccountKeyFile;
+    if (auth === 'service-account') {
+        const cliKeyFile = typeof values['service-account-key-file'] === 'string' ? values['service-account-key-file'] : undefined;
+        serviceAccountKeyFile = cliKeyFile !== null && cliKeyFile !== void 0 ? cliKeyFile : env.GOOGLE_SERVICE_ACCOUNT_KEY_FILE;
+        if (!serviceAccountKeyFile) {
+            throw new Error('GOOGLE_SERVICE_ACCOUNT_KEY_FILE environment variable is required when using service account authentication. ' + 'Example: export GOOGLE_SERVICE_ACCOUNT_KEY_FILE=./service-account.json');
+        }
+        // Resolve relative paths now since cwd can change during execution
+        serviceAccountKeyFile = resolve(serviceAccountKeyFile);
+    }
+    return {
+        clientId,
+        ...clientSecret && {
+            clientSecret
+        },
+        auth,
+        headless,
+        ...redirectUri && {
+            redirectUri
+        },
+        ...serviceAccountKeyFile && {
+            serviceAccountKeyFile
+        }
+    };
+}
+/**
+ * Build production configuration from process globals.
+ * Entry point for production server.
+ */ export function createConfig() {
+    return parseConfig(process.argv, process.env);
+}
+/**
+ * Parse DCR configuration from CLI arguments and environment variables.
+ *
+ * CLI Arguments:
+ * - --dcr-mode: DCR mode ('self-hosted' | 'external')
+ *   - Default: 'self-hosted' (if flag is omitted)
+ * - --dcr-verify-url: External verification endpoint URL (required for external mode)
+ * - --dcr-store-uri: DCR client storage URI (required for self-hosted mode)
+ *
+ * Required environment variables:
+ * - GOOGLE_CLIENT_ID: OAuth 2.0 client ID from Google Cloud Console
+ *
+ * Optional environment variables:
+ * - GOOGLE_CLIENT_SECRET: OAuth 2.0 client secret (optional for public clients)
+ * - DCR_MODE: DCR mode (same format as --dcr-mode flag)
+ * - DCR_VERIFY_URL: External verification URL (same as --dcr-verify-url flag)
+ * - DCR_STORE_URI: DCR storage URI (same as --dcr-store-uri flag)
+ *
+ * @param args - CLI arguments array (typically process.argv)
+ * @param env - Environment variables object (typically process.env)
+ * @param scope - OAuth scopes to request (space-separated)
+ * @returns Parsed DCR configuration
+ * @throws Error if required environment variables are missing or validation fails
+ *
+ * @example Self-hosted mode
+ * ```typescript
+ * const config = parseDcrConfig(
+ *   ['--dcr-mode=self-hosted', '--dcr-store-uri=file:///path/to/store.json'],
+ *   process.env,
+ *   'https://www.googleapis.com/auth/drive.readonly'
+ * );
+ * ```
+ *
+ * @example External mode
+ * ```typescript
+ * const config = parseDcrConfig(
+ *   ['--dcr-mode=external', '--dcr-verify-url=https://auth0.example.com/verify'],
+ *   process.env,
+ *   'https://www.googleapis.com/auth/drive.readonly'
+ * );
+ * ```
+ */ export function parseDcrConfig(args, env, scope) {
+    function requiredEnv(key) {
+        const value = env[key];
+        if (!value) {
+            throw new Error(`Environment variable ${key} is required for DCR configuration`);
+        }
+        return value;
+    }
+    const { values } = parseArgs({
+        args,
+        options: {
+            'dcr-mode': {
+                type: 'string'
+            },
+            'dcr-verify-url': {
+                type: 'string'
+            },
+            'dcr-store-uri': {
+                type: 'string'
+            }
+        },
+        strict: false,
+        allowPositionals: true
+    });
+    const cliMode = typeof values['dcr-mode'] === 'string' ? values['dcr-mode'] : undefined;
+    const envMode = env.DCR_MODE;
+    const mode = cliMode || envMode || 'self-hosted';
+    if (mode !== 'self-hosted' && mode !== 'external') {
+        throw new Error(`Invalid --dcr-mode value: "${mode}". Valid values: self-hosted, external`);
+    }
+    const cliVerifyUrl = typeof values['dcr-verify-url'] === 'string' ? values['dcr-verify-url'] : undefined;
+    const envVerifyUrl = env.DCR_VERIFY_URL;
+    const verifyUrl = cliVerifyUrl || envVerifyUrl;
+    const cliStoreUri = typeof values['dcr-store-uri'] === 'string' ? values['dcr-store-uri'] : undefined;
+    const envStoreUri = env.DCR_STORE_URI;
+    const storeUri = cliStoreUri || envStoreUri;
+    if (mode === 'external' && !verifyUrl) {
+        throw new Error('DCR external mode requires --dcr-verify-url or DCR_VERIFY_URL environment variable');
+    }
+    const clientId = requiredEnv('GOOGLE_CLIENT_ID');
+    const clientSecret = env.GOOGLE_CLIENT_SECRET;
+    return {
+        mode,
+        ...verifyUrl && {
+            verifyUrl
+        },
+        ...storeUri && {
+            storeUri
+        },
+        clientId,
+        ...clientSecret && {
+            clientSecret
+        },
+        scope
+    };
+}

package/dist/esm/setup/config.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["/Users/kevin/Dev/Projects/ai/mcp-z/oauth/oauth-google/src/setup/config.ts"],"sourcesContent":["/**\n * Google OAuth configuration parsing from CLI arguments and environment variables.\n *\n * This module provides utilities to parse Google OAuth configuration from\n * CLI arguments and environment variables, following the same pattern as @mcp-z/server's\n * parseConfig().\n */\n\nimport { resolve } from 'path';\nimport { parseArgs } from 'util';\nimport type { DcrConfig, OAuthConfig } from '../types.ts';\n\n// Re-export for direct imports from config.ts\nexport type { DcrConfig, OAuthConfig };\n\n/**\n * auth mode type (from OAuthConfig)\n */\ntype AuthMode = 'loopback-oauth' | 'service-account' | 'dcr';\n\n/**\n * Parse auth mode string into auth mode.\n *\n * @param value - Auth mode string ('loopback-oauth', 'service-account', or 'dcr')\n * @returns Parsed auth mode\n * @throws Error if value is invalid\n *\n * @example Valid formats\n * ```typescript\n * parseAuthMode('loopback-oauth')   // { auth: 'loopback-oauth' }\n * parseAuthMode('service-account')  // { auth: 'service-account' }\n * parseAuthMode('dcr')              // { auth: 'dcr' }\n * ```\n */\nfunction parseAuthMode(value: string): {\n  auth: AuthMode;\n} {\n  if (value !== 'loopback-oauth' && value !== 'service-account' && value !== 'dcr') {\n    throw new Error(`Invalid --auth value: \"${value}\". Valid values: loopback-oauth, service-account, dcr`);\n  }\n\n  return {\n    auth: value as AuthMode,\n  };\n}\n\n/**\n * Transport type for MCP servers\n */\ntype TransportType = 'stdio' | 'http';\n\n/**\n * Parse Google OAuth configuration from CLI arguments and environment variables.\n *\n * CLI Arguments:\n * - --auth: Auth mode ('loopback-oauth' | 'service-account' | 'dcr')\n *   - Default: 'loopback-oauth' (if flag is omitted)\n * - --headless: Disable browser opening for OAuth flow (default: false, true in test env)\n * - --redirect-uri: Override OAuth redirect URI (default: ephemeral loopback)\n * - --service-account-key-file: Service account key file path (required for service-account mode)\n *\n * Required environment variables:\n * - GOOGLE_CLIENT_ID: OAuth 2.0 client ID from Google Cloud Console\n *\n * Optional environment variables:\n * - GOOGLE_CLIENT_SECRET: OAuth 2.0 client secret (optional for public clients)\n * - AUTH_MODE: Auth mode (same format as --auth flag)\n * - HEADLESS: Headless mode flag ('true' to enable)\n * - REDIRECT_URI: OAuth redirect URI (overridden by --redirect-uri CLI flag)\n * - GOOGLE_SERVICE_ACCOUNT_KEY_FILE: Service account key file (for service-account mode)\n *\n * @param args - CLI arguments array (typically process.argv)\n * @param env - Environment variables object (typically process.env)\n * @param transport - Optional transport type. If 'stdio' and auth mode is 'dcr', throws an error.\n * @returns Parsed Google OAuth configuration\n * @throws Error if required environment variables are missing, values are invalid, or DCR is used with stdio transport\n *\n * @example Default mode (no flags)\n * ```typescript\n * const config = parseConfig(process.argv, process.env);\n * // { auth: 'loopback-oauth' }\n * ```\n *\n * @example Override auth mode\n * ```typescript\n * parseConfig(['--auth=loopback-oauth'], process.env);\n * parseConfig(['--auth=service-account'], process.env);\n * parseConfig(['--auth=dcr'], process.env);\n * ```\n *\n * @example With transport validation\n * ```typescript\n * parseConfig(['--auth=dcr'], process.env, 'http'); // OK\n * parseConfig(['--auth=dcr'], process.env, 'stdio'); // Throws error\n * ```\n *\n * Valid auth modes:\n * - loopback-oauth (default)\n * - service-account\n * - dcr (HTTP transport only)\n */\nexport function parseConfig(args: string[], env: Record<string, string | undefined>, transport?: TransportType): OAuthConfig {\n  function requiredEnv(key: string): string {\n    const value = env[key];\n    if (!value) {\n      throw new Error(`Environment variable ${key} is required for Google OAuth`);\n    }\n    return value;\n  }\n\n  // Parse CLI arguments\n  const { values } = parseArgs({\n    args,\n    options: {\n      auth: { type: 'string' },\n      headless: { type: 'boolean' },\n      'redirect-uri': { type: 'string' },\n      'service-account-key-file': { type: 'string' },\n    },\n    strict: false, // Allow other arguments\n    allowPositionals: true,\n  });\n\n  const authArg = typeof values.auth === 'string' ? values.auth : undefined;\n  const envAuthMode = env.AUTH_MODE;\n  const mode = authArg || envAuthMode;\n\n  let auth: AuthMode;\n\n  if (mode) {\n    const parsed = parseAuthMode(mode);\n    auth = parsed.auth;\n  } else {\n    // DEFAULT: No flags provided, use loopback-oauth\n    auth = 'loopback-oauth';\n  }\n\n  // Validate: DCR only works with HTTP transport\n  if (auth === 'dcr' && transport === 'stdio') {\n    throw new Error('DCR authentication mode requires HTTP transport. DCR is not supported with stdio transport.');\n  }\n\n  const cliHeadless = typeof values.headless === 'boolean' ? values.headless : undefined;\n  const envHeadless = env.HEADLESS === 'true' ? true : env.HEADLESS === 'false' ? false : undefined;\n  const headless = cliHeadless ?? envHeadless ?? false;\n\n  const cliRedirectUri = typeof values['redirect-uri'] === 'string' ? values['redirect-uri'] : undefined;\n  const envRedirectUri = env.REDIRECT_URI;\n  const redirectUri = cliRedirectUri ?? envRedirectUri;\n\n  const clientId = requiredEnv('GOOGLE_CLIENT_ID');\n  const clientSecret = env.GOOGLE_CLIENT_SECRET;\n\n  let serviceAccountKeyFile: string | undefined;\n  if (auth === 'service-account') {\n    const cliKeyFile = typeof values['service-account-key-file'] === 'string' ? values['service-account-key-file'] : undefined;\n    serviceAccountKeyFile = cliKeyFile ?? env.GOOGLE_SERVICE_ACCOUNT_KEY_FILE;\n\n    if (!serviceAccountKeyFile) {\n      throw new Error('GOOGLE_SERVICE_ACCOUNT_KEY_FILE environment variable is required when using service account authentication. ' + 'Example: export GOOGLE_SERVICE_ACCOUNT_KEY_FILE=./service-account.json');\n    }\n\n    // Resolve relative paths now since cwd can change during execution\n    serviceAccountKeyFile = resolve(serviceAccountKeyFile);\n  }\n\n  return {\n    clientId,\n    ...(clientSecret && { clientSecret }),\n    auth,\n    headless,\n    ...(redirectUri && { redirectUri }),\n    ...(serviceAccountKeyFile && { serviceAccountKeyFile }),\n  };\n}\n\n/**\n * Build production configuration from process globals.\n * Entry point for production server.\n */\nexport function createConfig(): OAuthConfig {\n  return parseConfig(process.argv, process.env);\n}\n\n/**\n * Parse DCR configuration from CLI arguments and environment variables.\n *\n * CLI Arguments:\n * - --dcr-mode: DCR mode ('self-hosted' | 'external')\n *   - Default: 'self-hosted' (if flag is omitted)\n * - --dcr-verify-url: External verification endpoint URL (required for external mode)\n * - --dcr-store-uri: DCR client storage URI (required for self-hosted mode)\n *\n * Required environment variables:\n * - GOOGLE_CLIENT_ID: OAuth 2.0 client ID from Google Cloud Console\n *\n * Optional environment variables:\n * - GOOGLE_CLIENT_SECRET: OAuth 2.0 client secret (optional for public clients)\n * - DCR_MODE: DCR mode (same format as --dcr-mode flag)\n * - DCR_VERIFY_URL: External verification URL (same as --dcr-verify-url flag)\n * - DCR_STORE_URI: DCR storage URI (same as --dcr-store-uri flag)\n *\n * @param args - CLI arguments array (typically process.argv)\n * @param env - Environment variables object (typically process.env)\n * @param scope - OAuth scopes to request (space-separated)\n * @returns Parsed DCR configuration\n * @throws Error if required environment variables are missing or validation fails\n *\n * @example Self-hosted mode\n * ```typescript\n * const config = parseDcrConfig(\n *   ['--dcr-mode=self-hosted', '--dcr-store-uri=file:///path/to/store.json'],\n *   process.env,\n *   'https://www.googleapis.com/auth/drive.readonly'\n * );\n * ```\n *\n * @example External mode\n * ```typescript\n * const config = parseDcrConfig(\n *   ['--dcr-mode=external', '--dcr-verify-url=https://auth0.example.com/verify'],\n *   process.env,\n *   'https://www.googleapis.com/auth/drive.readonly'\n * );\n * ```\n */\nexport function parseDcrConfig(args: string[], env: Record<string, string | undefined>, scope: string): DcrConfig {\n  function requiredEnv(key: string): string {\n    const value = env[key];\n    if (!value) {\n      throw new Error(`Environment variable ${key} is required for DCR configuration`);\n    }\n    return value;\n  }\n\n  const { values } = parseArgs({\n    args,\n    options: {\n      'dcr-mode': { type: 'string' },\n      'dcr-verify-url': { type: 'string' },\n      'dcr-store-uri': { type: 'string' },\n    },\n    strict: false,\n    allowPositionals: true,\n  });\n\n  const cliMode = typeof values['dcr-mode'] === 'string' ? values['dcr-mode'] : undefined;\n  const envMode = env.DCR_MODE;\n  const mode = cliMode || envMode || 'self-hosted';\n\n  if (mode !== 'self-hosted' && mode !== 'external') {\n    throw new Error(`Invalid --dcr-mode value: \"${mode}\". Valid values: self-hosted, external`);\n  }\n\n  const cliVerifyUrl = typeof values['dcr-verify-url'] === 'string' ? values['dcr-verify-url'] : undefined;\n  const envVerifyUrl = env.DCR_VERIFY_URL;\n  const verifyUrl = cliVerifyUrl || envVerifyUrl;\n\n  const cliStoreUri = typeof values['dcr-store-uri'] === 'string' ? values['dcr-store-uri'] : undefined;\n  const envStoreUri = env.DCR_STORE_URI;\n  const storeUri = cliStoreUri || envStoreUri;\n\n  if (mode === 'external' && !verifyUrl) {\n    throw new Error('DCR external mode requires --dcr-verify-url or DCR_VERIFY_URL environment variable');\n  }\n\n  const clientId = requiredEnv('GOOGLE_CLIENT_ID');\n  const clientSecret = env.GOOGLE_CLIENT_SECRET;\n\n  return {\n    mode,\n    ...(verifyUrl && { verifyUrl }),\n    ...(storeUri && { storeUri }),\n    clientId,\n    ...(clientSecret && { clientSecret }),\n    scope,\n  };\n}\n"],"names":["resolve","parseArgs","parseAuthMode","value","Error","auth","parseConfig","args","env","transport","cliHeadless","requiredEnv","key","values","options","type","headless","strict","allowPositionals","authArg","undefined","envAuthMode","AUTH_MODE","mode","parsed","envHeadless","HEADLESS","cliRedirectUri","envRedirectUri","REDIRECT_URI","redirectUri","clientId","clientSecret","GOOGLE_CLIENT_SECRET","serviceAccountKeyFile","cliKeyFile","GOOGLE_SERVICE_ACCOUNT_KEY_FILE","createConfig","process","argv","parseDcrConfig","scope","cliMode","envMode","DCR_MODE","cliVerifyUrl","envVerifyUrl","DCR_VERIFY_URL","verifyUrl","cliStoreUri","envStoreUri","DCR_STORE_URI","storeUri"],"mappings":"AAAA;;;;;;CAMC,GAED,SAASA,OAAO,QAAQ,OAAO;AAC/B,SAASC,SAAS,QAAQ,OAAO;AAWjC;;;;;;;;;;;;;CAaC,GACD,SAASC,cAAcC,KAAa;IAGlC,IAAIA,UAAU,oBAAoBA,UAAU,qBAAqBA,UAAU,OAAO;QAChF,MAAM,IAAIC,MAAM,CAAC,uBAAuB,EAAED,MAAM,qDAAqD,CAAC;IACxG;IAEA,OAAO;QACLE,MAAMF;IACR;AACF;AAOA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAiDC,GACD,OAAO,SAASG,YAAYC,IAAc,EAAEC,GAAuC,EAAEC,SAAyB;QA2C3FC;IA1CjB,SAASC,YAAYC,GAAW;QAC9B,MAAMT,QAAQK,GAAG,CAACI,IAAI;QACtB,IAAI,CAACT,OAAO;YACV,MAAM,IAAIC,MAAM,CAAC,qBAAqB,EAAEQ,IAAI,6BAA6B,CAAC;QAC5E;QACA,OAAOT;IACT;IAEA,sBAAsB;IACtB,MAAM,EAAEU,MAAM,EAAE,GAAGZ,UAAU;QAC3BM;QACAO,SAAS;YACPT,MAAM;gBAAEU,MAAM;YAAS;YACvBC,UAAU;gBAAED,MAAM;YAAU;YAC5B,gBAAgB;gBAAEA,MAAM;YAAS;YACjC,4BAA4B;gBAAEA,MAAM;YAAS;QAC/C;QACAE,QAAQ;QACRC,kBAAkB;IACpB;IAEA,MAAMC,UAAU,OAAON,OAAOR,IAAI,KAAK,WAAWQ,OAAOR,IAAI,GAAGe;IAChE,MAAMC,cAAcb,IAAIc,SAAS;IACjC,MAAMC,OAAOJ,WAAWE;IAExB,IAAIhB;IAEJ,IAAIkB,MAAM;QACR,MAAMC,SAAStB,cAAcqB;QAC7BlB,OAAOmB,OAAOnB,IAAI;IACpB,OAAO;QACL,iDAAiD;QACjDA,OAAO;IACT;IAEA,+CAA+C;IAC/C,IAAIA,SAAS,SAASI,cAAc,SAAS;QAC3C,MAAM,IAAIL,MAAM;IAClB;IAEA,MAAMM,cAAc,OAAOG,OAAOG,QAAQ,KAAK,YAAYH,OAAOG,QAAQ,GAAGI;IAC7E,MAAMK,cAAcjB,IAAIkB,QAAQ,KAAK,SAAS,OAAOlB,IAAIkB,QAAQ,KAAK,UAAU,QAAQN;IACxF,MAAMJ,YAAWN,OAAAA,wBAAAA,yBAAAA,cAAee,yBAAff,kBAAAA,OAA8B;IAE/C,MAAMiB,iBAAiB,OAAOd,MAAM,CAAC,eAAe,KAAK,WAAWA,MAAM,CAAC,eAAe,GAAGO;IAC7F,MAAMQ,iBAAiBpB,IAAIqB,YAAY;IACvC,MAAMC,cAAcH,2BAAAA,4BAAAA,iBAAkBC;IAEtC,MAAMG,WAAWpB,YAAY;IAC7B,MAAMqB,eAAexB,IAAIyB,oBAAoB;IAE7C,IAAIC;IACJ,IAAI7B,SAAS,mBAAmB;QAC9B,MAAM8B,aAAa,OAAOtB,MAAM,CAAC,2BAA2B,KAAK,WAAWA,MAAM,CAAC,2BAA2B,GAAGO;QACjHc,wBAAwBC,uBAAAA,wBAAAA,aAAc3B,IAAI4B,+BAA+B;QAEzE,IAAI,CAACF,uBAAuB;YAC1B,MAAM,IAAI9B,MAAM,iHAAiH;QACnI;QAEA,mEAAmE;QACnE8B,wBAAwBlC,QAAQkC;IAClC;IAEA,OAAO;QACLH;QACA,GAAIC,gBAAgB;YAAEA;QAAa,CAAC;QACpC3B;QACAW;QACA,GAAIc,eAAe;YAAEA;QAAY,CAAC;QAClC,GAAII,yBAAyB;YAAEA;QAAsB,CAAC;IACxD;AACF;AAEA;;;CAGC,GACD,OAAO,SAASG;IACd,OAAO/B,YAAYgC,QAAQC,IAAI,EAAED,QAAQ9B,GAAG;AAC9C;AAEA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAyCC,GACD,OAAO,SAASgC,eAAejC,IAAc,EAAEC,GAAuC,EAAEiC,KAAa;IACnG,SAAS9B,YAAYC,GAAW;QAC9B,MAAMT,QAAQK,GAAG,CAACI,IAAI;QACtB,IAAI,CAACT,OAAO;YACV,MAAM,IAAIC,MAAM,CAAC,qBAAqB,EAAEQ,IAAI,kCAAkC,CAAC;QACjF;QACA,OAAOT;IACT;IAEA,MAAM,EAAEU,MAAM,EAAE,GAAGZ,UAAU;QAC3BM;QACAO,SAAS;YACP,YAAY;gBAAEC,MAAM;YAAS;YAC7B,kBAAkB;gBAAEA,MAAM;YAAS;YACnC,iBAAiB;gBAAEA,MAAM;YAAS;QACpC;QACAE,QAAQ;QACRC,kBAAkB;IACpB;IAEA,MAAMwB,UAAU,OAAO7B,MAAM,CAAC,WAAW,KAAK,WAAWA,MAAM,CAAC,WAAW,GAAGO;IAC9E,MAAMuB,UAAUnC,IAAIoC,QAAQ;IAC5B,MAAMrB,OAAOmB,WAAWC,WAAW;IAEnC,IAAIpB,SAAS,iBAAiBA,SAAS,YAAY;QACjD,MAAM,IAAInB,MAAM,CAAC,2BAA2B,EAAEmB,KAAK,sCAAsC,CAAC;IAC5F;IAEA,MAAMsB,eAAe,OAAOhC,MAAM,CAAC,iBAAiB,KAAK,WAAWA,MAAM,CAAC,iBAAiB,GAAGO;IAC/F,MAAM0B,eAAetC,IAAIuC,cAAc;IACvC,MAAMC,YAAYH,gBAAgBC;IAElC,MAAMG,cAAc,OAAOpC,MAAM,CAAC,gBAAgB,KAAK,WAAWA,MAAM,CAAC,gBAAgB,GAAGO;IAC5F,MAAM8B,cAAc1C,IAAI2C,aAAa;IACrC,MAAMC,WAAWH,eAAeC;IAEhC,IAAI3B,SAAS,cAAc,CAACyB,WAAW;QACrC,MAAM,IAAI5C,MAAM;IAClB;IAEA,MAAM2B,WAAWpB,YAAY;IAC7B,MAAMqB,eAAexB,IAAIyB,oBAAoB;IAE7C,OAAO;QACLV;QACA,GAAIyB,aAAa;YAAEA;QAAU,CAAC;QAC9B,GAAII,YAAY;YAAEA;QAAS,CAAC;QAC5BrB;QACA,GAAIC,gBAAgB;YAAEA;QAAa,CAAC;QACpCS;IACF;AACF"}

package/dist/esm/types.d.ts

@@ -0,0 +1,173 @@
+/**
+ * Standalone types for Google OAuth
+ * No dependencies on other @mcp-z packages except @mcp-z/oauth
+ */
+import type { AuthFlowDescriptor, CachedToken, DcrClientInformation, DcrClientMetadata, Logger, OAuth2TokenStorageProvider, ProviderTokens, ToolHandler, ToolModule, UserAuthProvider } from '@mcp-z/oauth';
+import type { RequestHandlerExtra } from '@modelcontextprotocol/sdk/shared/protocol.js';
+import type { ServerNotification, ServerRequest } from '@modelcontextprotocol/sdk/types.js';
+import type { OAuth2Client } from 'google-auth-library';
+import type { Keyv } from 'keyv';
+export type { Logger, CachedToken, ToolModule, ProviderTokens, DcrClientMetadata, DcrClientInformation };
+export { AuthRequiredError } from '@mcp-z/oauth';
+export type { ToolHandler, AuthFlowDescriptor, OAuth2TokenStorageProvider, UserAuthProvider, RequestHandlerExtra, ServerRequest, ServerNotification };
+/**
+ * Google service types that support OAuth
+ * OAuth clients support all Google services provided by googleapis
+ * @public
+ */
+export type GoogleService = string;
+/**
+ * OAuth client configuration for upstream provider
+ * @public
+ */
+export interface OAuthClientConfig {
+    /** OAuth client ID for upstream provider */
+    clientId: string;
+    /** OAuth client secret (optional for some flows) */
+    clientSecret?: string;
+}
+/**
+ * Google OAuth configuration interface.
+ * @public
+ */
+export interface OAuthConfig {
+    clientId: string;
+    /** Optional for public clients */
+    clientSecret?: string;
+    auth: 'loopback-oauth' | 'service-account' | 'dcr';
+    /** No browser interaction when true */
+    headless: boolean;
+    /** Defaults to ephemeral loopback */
+    redirectUri?: string;
+    /** Required when auth === 'service-account' */
+    serviceAccountKeyFile?: string;
+}
+/**
+ * DCR configuration for dynamic client registration
+ * @public
+ */
+export interface DcrConfig {
+    /** DCR mode: self-hosted (runs own OAuth server) or external (uses Auth0/Stitch) */
+    mode: 'self-hosted' | 'external';
+    /** External verification endpoint URL (required for external mode) */
+    verifyUrl?: string;
+    /** DCR client storage URI (required for self-hosted mode) */
+    storeUri?: string;
+    /** OAuth client ID for Google APIs */
+    clientId: string;
+    /** OAuth client secret (optional for public clients) */
+    clientSecret?: string;
+    /** OAuth scopes to request */
+    scope: string;
+    /** Logger instance */
+    logger?: Logger;
+}
+/**
+ * Configuration for loopback OAuth client
+ * @public
+ */
+export interface LoopbackOAuthConfig {
+    service: GoogleService;
+    clientId: string;
+    /** Optional for public clients */
+    clientSecret?: string | undefined;
+    scope: string;
+    /** No browser interaction when true */
+    headless: boolean;
+    logger: Logger;
+    tokenStore: Keyv<unknown>;
+    /** Defaults to ephemeral loopback */
+    redirectUri?: string;
+}
+/**
+ * Auth context injected into extra by middleware
+ * @public
+ */
+export interface AuthContext {
+    /**
+     * OAuth2Client ready for googleapis
+     * GUARANTEED to exist when handler runs
+     */
+    auth: OAuth2Client;
+    /**
+     * Account being used (for logging, debugging)
+     */
+    accountId: string;
+    /**
+     * User ID (multi-tenant only)
+     */
+    /**
+     * Additional metadata (e.g., service account email)
+     */
+    metadata?: {
+        serviceEmail?: string;
+        [key: string]: unknown;
+    };
+}
+/**
+ * Enriched extra with guaranteed auth context and logger
+ * Handlers receive this type - never plain RequestHandlerExtra
+ * @public
+ */
+export interface EnrichedExtra extends RequestHandlerExtra<ServerRequest, ServerNotification> {
+    /**
+     * Auth context injected by middleware
+     * GUARANTEED to exist (middleware catches auth failures)
+     */
+    authContext: AuthContext;
+    /**
+     * Logger injected by middleware
+     * GUARANTEED to exist
+     */
+    logger: Logger;
+    _meta?: {
+        accountId?: string;
+        [key: string]: unknown;
+    };
+}
+/**
+ * Registered client with full metadata
+ * Extends DcrClientInformation with internal timestamps
+ * @internal
+ */
+export interface RegisteredClient extends DcrClientInformation {
+    /** Creation timestamp (milliseconds since epoch) */
+    created_at: number;
+}
+/**
+ * Authorization code data structure
+ * @public
+ */
+export interface AuthorizationCode {
+    code: string;
+    client_id: string;
+    redirect_uri: string;
+    scope: string;
+    code_challenge?: string;
+    code_challenge_method?: string;
+    /** Google provider tokens obtained during authorization */
+    providerTokens: ProviderTokens;
+    created_at: number;
+    expires_at: number;
+}
+/**
+ * Access token data structure
+ * @public
+ */
+export interface AccessToken {
+    access_token: string;
+    token_type: 'Bearer';
+    expires_in: number;
+    refresh_token?: string;
+    scope: string;
+    client_id: string;
+    /** Google provider tokens */
+    providerTokens: ProviderTokens;
+    created_at: number;
+}
+/**
+ * Authentication required response type
+ * Re-exported from @mcp-z/oauth for consistency
+ * @public
+ */
+export type { AuthRequired, AuthRequiredBranch } from './schemas/index.js';

package/dist/esm/types.js

@@ -0,0 +1,6 @@
+/**
+ * Standalone types for Google OAuth
+ * No dependencies on other @mcp-z packages except @mcp-z/oauth
+ */ // Shared types from base @mcp-z/oauth package
+// Re-export error class
+export { AuthRequiredError } from '@mcp-z/oauth';

package/dist/esm/types.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["/Users/kevin/Dev/Projects/ai/mcp-z/oauth/oauth-google/src/types.ts"],"sourcesContent":["/**\n * Standalone types for Google OAuth\n * No dependencies on other @mcp-z packages except @mcp-z/oauth\n */\n\n// Shared types from base @mcp-z/oauth package\nimport type { AuthFlowDescriptor, CachedToken, DcrClientInformation, DcrClientMetadata, Logger, OAuth2TokenStorageProvider, ProviderTokens, ToolHandler, ToolModule, UserAuthProvider } from '@mcp-z/oauth';\nimport type { RequestHandlerExtra } from '@modelcontextprotocol/sdk/shared/protocol.js';\nimport type { ServerNotification, ServerRequest } from '@modelcontextprotocol/sdk/types.js';\nimport type { OAuth2Client } from 'google-auth-library';\nimport type { Keyv } from 'keyv';\n\n// Re-export only essential shared types for public API\nexport type { Logger, CachedToken, ToolModule, ProviderTokens, DcrClientMetadata, DcrClientInformation };\n\n// Re-export error class\nexport { AuthRequiredError } from '@mcp-z/oauth';\n\n// Re-export additional types for internal package use\nexport type { ToolHandler, AuthFlowDescriptor, OAuth2TokenStorageProvider, UserAuthProvider, RequestHandlerExtra, ServerRequest, ServerNotification };\n\n/**\n * Google service types that support OAuth\n * OAuth clients support all Google services provided by googleapis\n * @public\n */\nexport type GoogleService = string;\n\n// =============================================================================\n// Configuration Types\n// =============================================================================\n\n/**\n * OAuth client configuration for upstream provider\n * @public\n */\nexport interface OAuthClientConfig {\n  /** OAuth client ID for upstream provider */\n  clientId: string;\n  /** OAuth client secret (optional for some flows) */\n  clientSecret?: string;\n}\n\n/**\n * Google OAuth configuration interface.\n * @public\n */\nexport interface OAuthConfig {\n  clientId: string;\n  /** Optional for public clients */\n  clientSecret?: string;\n  auth: 'loopback-oauth' | 'service-account' | 'dcr';\n  /** No browser interaction when true */\n  headless: boolean;\n  /** Defaults to ephemeral loopback */\n  redirectUri?: string;\n  /** Required when auth === 'service-account' */\n  serviceAccountKeyFile?: string;\n}\n\n/**\n * DCR configuration for dynamic client registration\n * @public\n */\nexport interface DcrConfig {\n  /** DCR mode: self-hosted (runs own OAuth server) or external (uses Auth0/Stitch) */\n  mode: 'self-hosted' | 'external';\n  /** External verification endpoint URL (required for external mode) */\n  verifyUrl?: string;\n  /** DCR client storage URI (required for self-hosted mode) */\n  storeUri?: string;\n  /** OAuth client ID for Google APIs */\n  clientId: string;\n  /** OAuth client secret (optional for public clients) */\n  clientSecret?: string;\n  /** OAuth scopes to request */\n  scope: string;\n  /** Logger instance */\n  logger?: Logger;\n}\n\n/**\n * Configuration for loopback OAuth client\n * @public\n */\nexport interface LoopbackOAuthConfig {\n  service: GoogleService;\n  clientId: string;\n  /** Optional for public clients */\n  clientSecret?: string | undefined;\n  scope: string;\n  /** No browser interaction when true */\n  headless: boolean;\n  logger: Logger;\n  tokenStore: Keyv<unknown>;\n  /** Defaults to ephemeral loopback */\n  redirectUri?: string;\n}\n\n// =============================================================================\n// Middleware Types\n// =============================================================================\n\n/**\n * Auth context injected into extra by middleware\n * @public\n */\nexport interface AuthContext {\n  /**\n   * OAuth2Client ready for googleapis\n   * GUARANTEED to exist when handler runs\n   */\n  auth: OAuth2Client;\n\n  /**\n   * Account being used (for logging, debugging)\n   */\n  accountId: string;\n\n  /**\n   * User ID (multi-tenant only)\n   */\n\n  /**\n   * Additional metadata (e.g., service account email)\n   */\n  metadata?: {\n    serviceEmail?: string;\n    [key: string]: unknown;\n  };\n}\n\n/**\n * Enriched extra with guaranteed auth context and logger\n * Handlers receive this type - never plain RequestHandlerExtra\n * @public\n */\nexport interface EnrichedExtra extends RequestHandlerExtra<ServerRequest, ServerNotification> {\n  /**\n   * Auth context injected by middleware\n   * GUARANTEED to exist (middleware catches auth failures)\n   */\n  authContext: AuthContext;\n\n  /**\n   * Logger injected by middleware\n   * GUARANTEED to exist\n   */\n  logger: Logger;\n\n  // Preserve backchannel support\n  _meta?: {\n    accountId?: string;\n    [key: string]: unknown;\n  };\n}\n\n// =============================================================================\n// DCR Internal Types\n// =============================================================================\n\n/**\n * Registered client with full metadata\n * Extends DcrClientInformation with internal timestamps\n * @internal\n */\nexport interface RegisteredClient extends DcrClientInformation {\n  /** Creation timestamp (milliseconds since epoch) */\n  created_at: number;\n}\n\n/**\n * Authorization code data structure\n * @public\n */\nexport interface AuthorizationCode {\n  code: string;\n  client_id: string;\n  redirect_uri: string;\n  scope: string;\n  code_challenge?: string;\n  code_challenge_method?: string;\n  /** Google provider tokens obtained during authorization */\n  providerTokens: ProviderTokens;\n  created_at: number;\n  expires_at: number;\n}\n\n/**\n * Access token data structure\n * @public\n */\nexport interface AccessToken {\n  access_token: string;\n  token_type: 'Bearer';\n  expires_in: number;\n  refresh_token?: string;\n  scope: string;\n  client_id: string;\n  /** Google provider tokens */\n  providerTokens: ProviderTokens;\n  created_at: number;\n}\n\n// =============================================================================\n// Schema Types\n// =============================================================================\n\n/**\n * Authentication required response type\n * Re-exported from @mcp-z/oauth for consistency\n * @public\n */\nexport type { AuthRequired, AuthRequiredBranch } from './schemas/index.ts';\n"],"names":["AuthRequiredError"],"mappings":"AAAA;;;CAGC,GAED,8CAA8C;AAU9C,wBAAwB;AACxB,SAASA,iBAAiB,QAAQ,eAAe"}