@mcp-z/oauth 1.0.0 → 1.0.1

package/dist/esm/lib/account-server/loopback.js.map

@@ -1 +1 @@
-{"version":3,"sources":["/Users/kevin/Dev/Projects/ai/mcp-z/oauth/oauth/src/lib/account-server/loopback.ts"],"sourcesContent":["/**\n * Loopback OAuth account management tools.\n *\n * Provides account management for LoopbackOAuthProvider (server-managed multi-account).\n * Users can add multiple accounts, switch between them, and manage identities.\n *\n * Tools:\n * - account-me: Show current user identity (email, alias, session expiry)\n * - account-switch: Use account (add if needed, switch if already linked)\n * - account-remove: Remove account and delete tokens\n * - account-list: Show all linked accounts (returns empty array if none)\n */\n\nimport type { CallToolResult } from '@modelcontextprotocol/sdk/types.js';\nimport { ErrorCode, McpError } from '@modelcontextprotocol/sdk/types.js';\nimport { z } from 'zod';\nimport { addAccount, getAccountInfo, getActiveAccount, getLinkedAccounts, removeAccount, setAccountInfo, setActiveAccount } from '../../account-utils.ts';\nimport type { AccountInfo, McpPrompt, McpTool } from '../../types.ts';\nimport { createAccountMe } from './me.ts';\nimport { findAccountByEmailOrAlias } from './shared-utils.ts';\nimport type { AccountLoopbackConfig } from './types.ts';\n\n/**\n * Create loopback OAuth account management tools.\n * Returns 4 tools: account-me, account-switch, account-remove, account-list.\n */\nexport function createLoopback(config: AccountLoopbackConfig): { tools: McpTool[]; prompts: McpPrompt[] } {\n  const { service, store, logger, auth } = config;\n\n  // Create account-me tool\n  const meTools = createAccountMe({ service, store, logger, mode: 'loopback' });\n\n  const tools: McpTool[] = [\n    ...meTools.tools,\n    // account-switch\n    {\n      name: 'account-switch',\n      config: {\n        description: `Use ${service} account (smart mode). If email/alias provided and already linked, switches to it without triggering OAuth. If not linked or no email provided, triggers OAuth browser flow to add account. Returns account email, whether it was newly added, and total account count.`,\n        inputSchema: {\n          email: z.string().optional().describe('Email address to link (if already linked, switches without OAuth)'),\n          alias: z.string().optional().describe('Optional alias for easy identification'),\n        } as const,\n        outputSchema: {\n          result: z.discriminatedUnion('type', [\n            z.object({\n              type: z.literal('success'),\n              email: z.string(),\n              isNew: z.boolean(),\n              totalAccounts: z.number(),\n              message: z.string(),\n            }),\n          ]),\n        } as const,\n      },\n      handler: async (args: unknown): Promise<CallToolResult> => {\n        const params = args as { email?: string; alias?: string };\n        try {\n          logger.info(`Starting account switch for ${service}`, { email: params.email, alias: params.alias });\n\n          // Get existing accounts\n          const existingAccounts = await getLinkedAccounts(store, { service });\n\n          let email: string;\n          let isNew: boolean;\n\n          // Smart behavior: check if email provided and already linked\n          if (params.email) {\n            // Find account by email or alias\n            const accountId = await findAccountByEmailOrAlias(store, service, params.email);\n\n            if (accountId) {\n              // Account already linked - just switch to it\n              email = accountId;\n              isNew = false;\n              logger.info(`Account already linked: ${email}, switching without OAuth`);\n\n              // Set as active account\n              await setActiveAccount(store, { service, accountId: email });\n\n              // Update alias if provided\n              if (params.alias) {\n                const existingInfo = await getAccountInfo(store, { accountId: email, service });\n                const accountInfo: AccountInfo = {\n                  email,\n                  alias: params.alias,\n                  addedAt: existingInfo?.addedAt ?? new Date().toISOString(),\n                };\n                await setAccountInfo(store, { accountId: email, service }, accountInfo);\n              }\n\n              const result = {\n                type: 'success' as const,\n                email,\n                isNew: false,\n                totalAccounts: existingAccounts.length,\n                message: `Account already linked: ${email}. Set as active account (no OAuth needed).`,\n              };\n\n              return {\n                content: [{ type: 'text' as const, text: JSON.stringify(result, null, 2) }],\n                structuredContent: { result },\n              };\n            }\n          }\n\n          // Not linked or no email provided - trigger OAuth flow for new account\n          // Check if provider supports interactive authentication\n          if (!auth.authenticateNewAccount) {\n            throw new Error('Account switching requires interactive authentication. ' + 'The current auth provider does not support authenticateNewAccount().');\n          }\n\n          // Trigger new authentication with account selection\n          email = await auth.authenticateNewAccount();\n\n          // Check if account already exists (in case OAuth returned different email than requested)\n          isNew = !existingAccounts.includes(email);\n\n          if (isNew) {\n            // Add new account\n            await addAccount(store, { service, accountId: email });\n            logger.info(`Added new ${service} account`, { email });\n          } else {\n            logger.info(`Account already linked: ${email}`);\n          }\n\n          // Set/update account info\n          const existingInfo = await getAccountInfo(store, { accountId: email, service });\n          const accountInfo: AccountInfo = {\n            email,\n            ...(params.alias ? { alias: params.alias } : {}),\n            addedAt: isNew ? new Date().toISOString() : (existingInfo?.addedAt ?? new Date().toISOString()),\n          };\n          await setAccountInfo(store, { accountId: email, service }, accountInfo);\n\n          // Set as active account\n          await setActiveAccount(store, { service, accountId: email });\n\n          const totalAccounts = isNew ? existingAccounts.length + 1 : existingAccounts.length;\n\n          const result = {\n            type: 'success' as const,\n            email,\n            isNew,\n            totalAccounts,\n            message: isNew ? `Successfully added ${service} account: ${email} (${totalAccounts} total)` : `Account already linked: ${email}. Set as active account.`,\n          };\n\n          return {\n            content: [{ type: 'text' as const, text: JSON.stringify(result, null, 2) }],\n            structuredContent: { result },\n          };\n        } catch (error) {\n          const message = error instanceof Error ? error.message : String(error);\n          throw new McpError(ErrorCode.InternalError, `Error switching ${service} account: ${message}`, {\n            stack: error instanceof Error ? error.stack : undefined,\n          });\n        }\n      },\n    },\n\n    // account-remove\n    {\n      name: 'account-remove',\n      config: {\n        description: `Remove ${service} account and delete stored tokens permanently. If removing the active account, the first remaining account becomes active. Requires email or alias parameter.`,\n        inputSchema: {\n          accountId: z.string().min(1).describe('Email address or alias of account to remove'),\n        } as const,\n        outputSchema: {\n          result: z.discriminatedUnion('type', [\n            z.object({\n              type: z.literal('success'),\n              service: z.string(),\n              removed: z.string(),\n              remainingAccounts: z.number(),\n              newActiveAccount: z.string().optional(),\n              message: z.string(),\n            }),\n          ]),\n        } as const,\n      },\n      handler: async (args: unknown): Promise<CallToolResult> => {\n        const params = args as { accountId: string };\n        try {\n          const linkedAccounts = await getLinkedAccounts(store, { service });\n          if (linkedAccounts.length === 0) {\n            throw new Error(`No ${service} accounts to remove`);\n          }\n\n          // Find account by email or alias\n          const accountId = await findAccountByEmailOrAlias(store, service, params.accountId);\n\n          if (!accountId) {\n            throw new Error(`Account not found: ${params.accountId}`);\n          }\n\n          // Get current active account\n          const activeAccount = await getActiveAccount(store, { service });\n          const removingActive = activeAccount === accountId;\n\n          // Remove the account\n          await removeAccount(store, { service, accountId });\n          const remainingAccounts = linkedAccounts.filter((id) => id !== accountId);\n\n          // If we removed the active account, set first remaining as active\n          let newActiveAccount: string | undefined;\n          if (removingActive && remainingAccounts.length > 0) {\n            const firstRemaining = remainingAccounts[0];\n            if (firstRemaining) {\n              newActiveAccount = firstRemaining;\n              await setActiveAccount(store, { service, accountId: newActiveAccount });\n            }\n          }\n\n          logger.info(`Successfully removed ${service} account`, { accountId, remainingAccounts: remainingAccounts.length });\n\n          const result = {\n            type: 'success' as const,\n            service,\n            removed: accountId,\n            remainingAccounts: remainingAccounts.length,\n            ...(newActiveAccount && { newActiveAccount }),\n            message: `Removed ${service} account: ${accountId}${newActiveAccount ? `. Active account is now: ${newActiveAccount}` : ''}`,\n          };\n\n          return {\n            content: [{ type: 'text' as const, text: JSON.stringify(result, null, 2) }],\n            structuredContent: { result },\n          };\n        } catch (error) {\n          const message = error instanceof Error ? error.message : String(error);\n          throw new McpError(ErrorCode.InternalError, `Error removing ${service} account: ${message}`, {\n            stack: error instanceof Error ? error.stack : undefined,\n          });\n        }\n      },\n    },\n\n    // account-list\n    {\n      name: 'account-list',\n      config: {\n        description: `List all linked ${service} accounts with their aliases and active status.`,\n        inputSchema: {} as const,\n        outputSchema: {\n          result: z.discriminatedUnion('type', [\n            z.object({\n              type: z.literal('success'),\n              service: z.string(),\n              accounts: z.array(\n                z.object({\n                  email: z.string(),\n                  alias: z.string().optional(),\n                  isActive: z.boolean(),\n                })\n              ),\n              totalAccounts: z.number(),\n              message: z.string(),\n            }),\n          ]),\n        } as const,\n      },\n      handler: async (): Promise<CallToolResult> => {\n        try {\n          const linkedAccounts = await getLinkedAccounts(store, { service });\n\n          // Return empty array gracefully (no error when no accounts)\n          if (linkedAccounts.length === 0) {\n            const result = {\n              type: 'success' as const,\n              service,\n              accounts: [],\n              totalAccounts: 0,\n              message: `No ${service} accounts linked. Use account-switch to add an account.`,\n            };\n\n            return {\n              content: [{ type: 'text' as const, text: JSON.stringify(result, null, 2) }],\n              structuredContent: { result },\n            };\n          }\n\n          const activeAccountId = await getActiveAccount(store, { service });\n\n          // Get account info for each linked account\n          const accounts = await Promise.all(\n            linkedAccounts.map(async (email) => {\n              const accountInfo = await getAccountInfo(store, { accountId: email, service });\n              return {\n                email,\n                alias: accountInfo?.alias,\n                isActive: email === activeAccountId,\n              };\n            })\n          );\n\n          const result = {\n            type: 'success' as const,\n            service,\n            accounts,\n            totalAccounts: linkedAccounts.length,\n            message: `Found ${linkedAccounts.length} ${service} account(s)`,\n          };\n\n          return {\n            content: [{ type: 'text' as const, text: JSON.stringify(result, null, 2) }],\n            structuredContent: { result },\n          };\n        } catch (error) {\n          const message = error instanceof Error ? error.message : String(error);\n          throw new McpError(ErrorCode.InternalError, `Error listing ${service} accounts: ${message}`, {\n            stack: error instanceof Error ? error.stack : undefined,\n          });\n        }\n      },\n    },\n  ];\n\n  const prompts: McpPrompt[] = [];\n\n  return { tools, prompts };\n}\n"],"names":["ErrorCode","McpError","z","addAccount","getAccountInfo","getActiveAccount","getLinkedAccounts","removeAccount","setAccountInfo","setActiveAccount","createAccountMe","findAccountByEmailOrAlias","createLoopback","config","service","store","logger","auth","meTools","mode","tools","name","description","inputSchema","email","string","optional","describe","alias","outputSchema","result","discriminatedUnion","object","type","literal","isNew","boolean","totalAccounts","number","message","handler","args","params","info","existingAccounts","accountId","existingInfo","accountInfo","addedAt","Date","toISOString","length","content","text","JSON","stringify","structuredContent","authenticateNewAccount","Error","includes","error","String","InternalError","stack","undefined","min","removed","remainingAccounts","newActiveAccount","linkedAccounts","activeAccount","removingActive","filter","id","firstRemaining","accounts","array","isActive","activeAccountId","Promise","all","map","prompts"],"mappings":"AAAA;;;;;;;;;;;CAWC,GAGD,SAASA,SAAS,EAAEC,QAAQ,QAAQ,qCAAqC;AACzE,SAASC,CAAC,QAAQ,MAAM;AACxB,SAASC,UAAU,EAAEC,cAAc,EAAEC,gBAAgB,EAAEC,iBAAiB,EAAEC,aAAa,EAAEC,cAAc,EAAEC,gBAAgB,QAAQ,yBAAyB;AAE1J,SAASC,eAAe,QAAQ,UAAU;AAC1C,SAASC,yBAAyB,QAAQ,oBAAoB;AAG9D;;;CAGC,GACD,OAAO,SAASC,eAAeC,MAA6B;IAC1D,MAAM,EAAEC,OAAO,EAAEC,KAAK,EAAEC,MAAM,EAAEC,IAAI,EAAE,GAAGJ;IAEzC,yBAAyB;IACzB,MAAMK,UAAUR,gBAAgB;QAAEI;QAASC;QAAOC;QAAQG,MAAM;IAAW;IAE3E,MAAMC,QAAmB;WACpBF,QAAQE,KAAK;QAChB,iBAAiB;QACjB;YACEC,MAAM;YACNR,QAAQ;gBACNS,aAAa,CAAC,IAAI,EAAER,QAAQ,uQAAuQ,CAAC;gBACpSS,aAAa;oBACXC,OAAOtB,EAAEuB,MAAM,GAAGC,QAAQ,GAAGC,QAAQ,CAAC;oBACtCC,OAAO1B,EAAEuB,MAAM,GAAGC,QAAQ,GAAGC,QAAQ,CAAC;gBACxC;gBACAE,cAAc;oBACZC,QAAQ5B,EAAE6B,kBAAkB,CAAC,QAAQ;wBACnC7B,EAAE8B,MAAM,CAAC;4BACPC,MAAM/B,EAAEgC,OAAO,CAAC;4BAChBV,OAAOtB,EAAEuB,MAAM;4BACfU,OAAOjC,EAAEkC,OAAO;4BAChBC,eAAenC,EAAEoC,MAAM;4BACvBC,SAASrC,EAAEuB,MAAM;wBACnB;qBACD;gBACH;YACF;YACAe,SAAS,OAAOC;gBACd,MAAMC,SAASD;gBACf,IAAI;;oBACFzB,OAAO2B,IAAI,CAAC,CAAC,4BAA4B,EAAE7B,SAAS,EAAE;wBAAEU,OAAOkB,OAAOlB,KAAK;wBAAEI,OAAOc,OAAOd,KAAK;oBAAC;oBAEjG,wBAAwB;oBACxB,MAAMgB,mBAAmB,MAAMtC,kBAAkBS,OAAO;wBAAED;oBAAQ;oBAElE,IAAIU;oBACJ,IAAIW;oBAEJ,6DAA6D;oBAC7D,IAAIO,OAAOlB,KAAK,EAAE;wBAChB,iCAAiC;wBACjC,MAAMqB,YAAY,MAAMlC,0BAA0BI,OAAOD,SAAS4B,OAAOlB,KAAK;wBAE9E,IAAIqB,WAAW;4BACb,6CAA6C;4BAC7CrB,QAAQqB;4BACRV,QAAQ;4BACRnB,OAAO2B,IAAI,CAAC,CAAC,wBAAwB,EAAEnB,MAAM,yBAAyB,CAAC;4BAEvE,wBAAwB;4BACxB,MAAMf,iBAAiBM,OAAO;gCAAED;gCAAS+B,WAAWrB;4BAAM;4BAE1D,2BAA2B;4BAC3B,IAAIkB,OAAOd,KAAK,EAAE;;gCAChB,MAAMkB,eAAe,MAAM1C,eAAeW,OAAO;oCAAE8B,WAAWrB;oCAAOV;gCAAQ;gCAC7E,MAAMiC,cAA2B;oCAC/BvB;oCACAI,OAAOc,OAAOd,KAAK;oCACnBoB,OAAO,WAAEF,yBAAAA,mCAAAA,aAAcE,OAAO,yCAAI,IAAIC,OAAOC,WAAW;gCAC1D;gCACA,MAAM1C,eAAeO,OAAO;oCAAE8B,WAAWrB;oCAAOV;gCAAQ,GAAGiC;4BAC7D;4BAEA,MAAMjB,SAAS;gCACbG,MAAM;gCACNT;gCACAW,OAAO;gCACPE,eAAeO,iBAAiBO,MAAM;gCACtCZ,SAAS,CAAC,wBAAwB,EAAEf,MAAM,0CAA0C,CAAC;4BACvF;4BAEA,OAAO;gCACL4B,SAAS;oCAAC;wCAAEnB,MAAM;wCAAiBoB,MAAMC,KAAKC,SAAS,CAACzB,QAAQ,MAAM;oCAAG;iCAAE;gCAC3E0B,mBAAmB;oCAAE1B;gCAAO;4BAC9B;wBACF;oBACF;oBAEA,uEAAuE;oBACvE,wDAAwD;oBACxD,IAAI,CAACb,KAAKwC,sBAAsB,EAAE;wBAChC,MAAM,IAAIC,MAAM,4DAA4D;oBAC9E;oBAEA,oDAAoD;oBACpDlC,QAAQ,MAAMP,KAAKwC,sBAAsB;oBAEzC,0FAA0F;oBAC1FtB,QAAQ,CAACS,iBAAiBe,QAAQ,CAACnC;oBAEnC,IAAIW,OAAO;wBACT,kBAAkB;wBAClB,MAAMhC,WAAWY,OAAO;4BAAED;4BAAS+B,WAAWrB;wBAAM;wBACpDR,OAAO2B,IAAI,CAAC,CAAC,UAAU,EAAE7B,QAAQ,QAAQ,CAAC,EAAE;4BAAEU;wBAAM;oBACtD,OAAO;wBACLR,OAAO2B,IAAI,CAAC,CAAC,wBAAwB,EAAEnB,OAAO;oBAChD;oBAEA,0BAA0B;oBAC1B,MAAMsB,eAAe,MAAM1C,eAAeW,OAAO;wBAAE8B,WAAWrB;wBAAOV;oBAAQ;oBAC7E,MAAMiC,cAA2B;wBAC/BvB;wBACA,GAAIkB,OAAOd,KAAK,GAAG;4BAAEA,OAAOc,OAAOd,KAAK;wBAAC,IAAI,CAAC,CAAC;wBAC/CoB,SAASb,QAAQ,IAAIc,OAAOC,WAAW,aAAMJ,yBAAAA,mCAAAA,aAAcE,OAAO,uCAAI,IAAIC,OAAOC,WAAW;oBAC9F;oBACA,MAAM1C,eAAeO,OAAO;wBAAE8B,WAAWrB;wBAAOV;oBAAQ,GAAGiC;oBAE3D,wBAAwB;oBACxB,MAAMtC,iBAAiBM,OAAO;wBAAED;wBAAS+B,WAAWrB;oBAAM;oBAE1D,MAAMa,gBAAgBF,QAAQS,iBAAiBO,MAAM,GAAG,IAAIP,iBAAiBO,MAAM;oBAEnF,MAAMrB,SAAS;wBACbG,MAAM;wBACNT;wBACAW;wBACAE;wBACAE,SAASJ,QAAQ,CAAC,mBAAmB,EAAErB,QAAQ,UAAU,EAAEU,MAAM,EAAE,EAAEa,cAAc,OAAO,CAAC,GAAG,CAAC,wBAAwB,EAAEb,MAAM,wBAAwB,CAAC;oBAC1J;oBAEA,OAAO;wBACL4B,SAAS;4BAAC;gCAAEnB,MAAM;gCAAiBoB,MAAMC,KAAKC,SAAS,CAACzB,QAAQ,MAAM;4BAAG;yBAAE;wBAC3E0B,mBAAmB;4BAAE1B;wBAAO;oBAC9B;gBACF,EAAE,OAAO8B,OAAO;oBACd,MAAMrB,UAAUqB,iBAAiBF,QAAQE,MAAMrB,OAAO,GAAGsB,OAAOD;oBAChE,MAAM,IAAI3D,SAASD,UAAU8D,aAAa,EAAE,CAAC,gBAAgB,EAAEhD,QAAQ,UAAU,EAAEyB,SAAS,EAAE;wBAC5FwB,OAAOH,iBAAiBF,QAAQE,MAAMG,KAAK,GAAGC;oBAChD;gBACF;YACF;QACF;QAEA,iBAAiB;QACjB;YACE3C,MAAM;YACNR,QAAQ;gBACNS,aAAa,CAAC,OAAO,EAAER,QAAQ,6JAA6J,CAAC;gBAC7LS,aAAa;oBACXsB,WAAW3C,EAAEuB,MAAM,GAAGwC,GAAG,CAAC,GAAGtC,QAAQ,CAAC;gBACxC;gBACAE,cAAc;oBACZC,QAAQ5B,EAAE6B,kBAAkB,CAAC,QAAQ;wBACnC7B,EAAE8B,MAAM,CAAC;4BACPC,MAAM/B,EAAEgC,OAAO,CAAC;4BAChBpB,SAASZ,EAAEuB,MAAM;4BACjByC,SAAShE,EAAEuB,MAAM;4BACjB0C,mBAAmBjE,EAAEoC,MAAM;4BAC3B8B,kBAAkBlE,EAAEuB,MAAM,GAAGC,QAAQ;4BACrCa,SAASrC,EAAEuB,MAAM;wBACnB;qBACD;gBACH;YACF;YACAe,SAAS,OAAOC;gBACd,MAAMC,SAASD;gBACf,IAAI;oBACF,MAAM4B,iBAAiB,MAAM/D,kBAAkBS,OAAO;wBAAED;oBAAQ;oBAChE,IAAIuD,eAAelB,MAAM,KAAK,GAAG;wBAC/B,MAAM,IAAIO,MAAM,CAAC,GAAG,EAAE5C,QAAQ,mBAAmB,CAAC;oBACpD;oBAEA,iCAAiC;oBACjC,MAAM+B,YAAY,MAAMlC,0BAA0BI,OAAOD,SAAS4B,OAAOG,SAAS;oBAElF,IAAI,CAACA,WAAW;wBACd,MAAM,IAAIa,MAAM,CAAC,mBAAmB,EAAEhB,OAAOG,SAAS,EAAE;oBAC1D;oBAEA,6BAA6B;oBAC7B,MAAMyB,gBAAgB,MAAMjE,iBAAiBU,OAAO;wBAAED;oBAAQ;oBAC9D,MAAMyD,iBAAiBD,kBAAkBzB;oBAEzC,qBAAqB;oBACrB,MAAMtC,cAAcQ,OAAO;wBAAED;wBAAS+B;oBAAU;oBAChD,MAAMsB,oBAAoBE,eAAeG,MAAM,CAAC,CAACC,KAAOA,OAAO5B;oBAE/D,kEAAkE;oBAClE,IAAIuB;oBACJ,IAAIG,kBAAkBJ,kBAAkBhB,MAAM,GAAG,GAAG;wBAClD,MAAMuB,iBAAiBP,iBAAiB,CAAC,EAAE;wBAC3C,IAAIO,gBAAgB;4BAClBN,mBAAmBM;4BACnB,MAAMjE,iBAAiBM,OAAO;gCAAED;gCAAS+B,WAAWuB;4BAAiB;wBACvE;oBACF;oBAEApD,OAAO2B,IAAI,CAAC,CAAC,qBAAqB,EAAE7B,QAAQ,QAAQ,CAAC,EAAE;wBAAE+B;wBAAWsB,mBAAmBA,kBAAkBhB,MAAM;oBAAC;oBAEhH,MAAMrB,SAAS;wBACbG,MAAM;wBACNnB;wBACAoD,SAASrB;wBACTsB,mBAAmBA,kBAAkBhB,MAAM;wBAC3C,GAAIiB,oBAAoB;4BAAEA;wBAAiB,CAAC;wBAC5C7B,SAAS,CAAC,QAAQ,EAAEzB,QAAQ,UAAU,EAAE+B,YAAYuB,mBAAmB,CAAC,yBAAyB,EAAEA,kBAAkB,GAAG,IAAI;oBAC9H;oBAEA,OAAO;wBACLhB,SAAS;4BAAC;gCAAEnB,MAAM;gCAAiBoB,MAAMC,KAAKC,SAAS,CAACzB,QAAQ,MAAM;4BAAG;yBAAE;wBAC3E0B,mBAAmB;4BAAE1B;wBAAO;oBAC9B;gBACF,EAAE,OAAO8B,OAAO;oBACd,MAAMrB,UAAUqB,iBAAiBF,QAAQE,MAAMrB,OAAO,GAAGsB,OAAOD;oBAChE,MAAM,IAAI3D,SAASD,UAAU8D,aAAa,EAAE,CAAC,eAAe,EAAEhD,QAAQ,UAAU,EAAEyB,SAAS,EAAE;wBAC3FwB,OAAOH,iBAAiBF,QAAQE,MAAMG,KAAK,GAAGC;oBAChD;gBACF;YACF;QACF;QAEA,eAAe;QACf;YACE3C,MAAM;YACNR,QAAQ;gBACNS,aAAa,CAAC,gBAAgB,EAAER,QAAQ,+CAA+C,CAAC;gBACxFS,aAAa,CAAC;gBACdM,cAAc;oBACZC,QAAQ5B,EAAE6B,kBAAkB,CAAC,QAAQ;wBACnC7B,EAAE8B,MAAM,CAAC;4BACPC,MAAM/B,EAAEgC,OAAO,CAAC;4BAChBpB,SAASZ,EAAEuB,MAAM;4BACjBkD,UAAUzE,EAAE0E,KAAK,CACf1E,EAAE8B,MAAM,CAAC;gCACPR,OAAOtB,EAAEuB,MAAM;gCACfG,OAAO1B,EAAEuB,MAAM,GAAGC,QAAQ;gCAC1BmD,UAAU3E,EAAEkC,OAAO;4BACrB;4BAEFC,eAAenC,EAAEoC,MAAM;4BACvBC,SAASrC,EAAEuB,MAAM;wBACnB;qBACD;gBACH;YACF;YACAe,SAAS;gBACP,IAAI;oBACF,MAAM6B,iBAAiB,MAAM/D,kBAAkBS,OAAO;wBAAED;oBAAQ;oBAEhE,4DAA4D;oBAC5D,IAAIuD,eAAelB,MAAM,KAAK,GAAG;wBAC/B,MAAMrB,SAAS;4BACbG,MAAM;4BACNnB;4BACA6D,UAAU,EAAE;4BACZtC,eAAe;4BACfE,SAAS,CAAC,GAAG,EAAEzB,QAAQ,uDAAuD,CAAC;wBACjF;wBAEA,OAAO;4BACLsC,SAAS;gCAAC;oCAAEnB,MAAM;oCAAiBoB,MAAMC,KAAKC,SAAS,CAACzB,QAAQ,MAAM;gCAAG;6BAAE;4BAC3E0B,mBAAmB;gCAAE1B;4BAAO;wBAC9B;oBACF;oBAEA,MAAMgD,kBAAkB,MAAMzE,iBAAiBU,OAAO;wBAAED;oBAAQ;oBAEhE,2CAA2C;oBAC3C,MAAM6D,WAAW,MAAMI,QAAQC,GAAG,CAChCX,eAAeY,GAAG,CAAC,OAAOzD;wBACxB,MAAMuB,cAAc,MAAM3C,eAAeW,OAAO;4BAAE8B,WAAWrB;4BAAOV;wBAAQ;wBAC5E,OAAO;4BACLU;4BACAI,KAAK,EAAEmB,wBAAAA,kCAAAA,YAAanB,KAAK;4BACzBiD,UAAUrD,UAAUsD;wBACtB;oBACF;oBAGF,MAAMhD,SAAS;wBACbG,MAAM;wBACNnB;wBACA6D;wBACAtC,eAAegC,eAAelB,MAAM;wBACpCZ,SAAS,CAAC,MAAM,EAAE8B,eAAelB,MAAM,CAAC,CAAC,EAAErC,QAAQ,WAAW,CAAC;oBACjE;oBAEA,OAAO;wBACLsC,SAAS;4BAAC;gCAAEnB,MAAM;gCAAiBoB,MAAMC,KAAKC,SAAS,CAACzB,QAAQ,MAAM;4BAAG;yBAAE;wBAC3E0B,mBAAmB;4BAAE1B;wBAAO;oBAC9B;gBACF,EAAE,OAAO8B,OAAO;oBACd,MAAMrB,UAAUqB,iBAAiBF,QAAQE,MAAMrB,OAAO,GAAGsB,OAAOD;oBAChE,MAAM,IAAI3D,SAASD,UAAU8D,aAAa,EAAE,CAAC,cAAc,EAAEhD,QAAQ,WAAW,EAAEyB,SAAS,EAAE;wBAC3FwB,OAAOH,iBAAiBF,QAAQE,MAAMG,KAAK,GAAGC;oBAChD;gBACF;YACF;QACF;KACD;IAED,MAAMkB,UAAuB,EAAE;IAE/B,OAAO;QAAE9D;QAAO8D;IAAQ;AAC1B"}
+{"version":3,"sources":["/Users/kevin/Dev/Projects/mcp-z/oauth/src/lib/account-server/loopback.ts"],"sourcesContent":["/**\n * Loopback OAuth account management tools.\n *\n * Provides account management for LoopbackOAuthProvider (server-managed multi-account).\n * Users can add multiple accounts, switch between them, and manage identities.\n *\n * Tools:\n * - account-me: Show current user identity (email, alias, session expiry)\n * - account-switch: Use account (add if needed, switch if already linked)\n * - account-remove: Remove account and delete tokens\n * - account-list: Show all linked accounts (returns empty array if none)\n */\n\nimport type { CallToolResult } from '@modelcontextprotocol/sdk/types.js';\nimport { ErrorCode, McpError } from '@modelcontextprotocol/sdk/types.js';\nimport { randomUUID } from 'crypto';\nimport { z } from 'zod';\nimport { addAccount, getAccountInfo, getActiveAccount, getLinkedAccounts, removeAccount, setAccountInfo, setActiveAccount } from '../../account-utils.ts';\nimport type { AccountInfo, McpPrompt, McpTool } from '../../types.ts';\nimport { createAccountMe } from './me.ts';\nimport { findAccountByEmailOrAlias } from './shared-utils.ts';\nimport type { AccountLoopbackConfig } from './types.ts';\n\n/**\n * Create loopback OAuth account management tools.\n * Returns 4 tools: account-me, account-switch, account-remove, account-list.\n */\nexport function createLoopback(config: AccountLoopbackConfig): { tools: McpTool[]; prompts: McpPrompt[] } {\n  const { service, store, logger, auth } = config;\n\n  // Create account-me tool\n  const meTools = createAccountMe({ service, store, logger, mode: 'loopback' });\n\n  const tools: McpTool[] = [\n    ...meTools.tools,\n    // account-switch\n    {\n      name: 'account-switch',\n      config: {\n        description: `Use ${service} account (smart mode). If email/alias provided and already linked, switches to it without triggering OAuth. If not linked or no email provided, triggers OAuth browser flow to add account. Returns account email, whether it was newly added, and total account count.`,\n        inputSchema: {\n          email: z.string().optional().describe('Email address to link (if already linked, switches without OAuth)'),\n          alias: z.string().optional().describe('Optional alias for easy identification'),\n        } as const,\n        outputSchema: {\n          result: z.discriminatedUnion('type', [\n            z.object({\n              type: z.literal('success'),\n              email: z.string(),\n              isNew: z.boolean(),\n              totalAccounts: z.number(),\n              message: z.string(),\n            }),\n          ]),\n        } as const,\n      },\n      handler: async (args: unknown): Promise<CallToolResult> => {\n        const params = args as { email?: string; alias?: string };\n        try {\n          logger.info(`Starting account switch for ${service}`, { email: params.email, alias: params.alias });\n\n          // Get existing accounts\n          const existingAccounts = await getLinkedAccounts(store, { service });\n\n          let email: string;\n          let isNew: boolean;\n\n          // Smart behavior: check if email provided and already linked\n          if (params.email) {\n            // Find account by email or alias\n            const accountId = await findAccountByEmailOrAlias(store, service, params.email);\n\n            if (accountId) {\n              // Account already linked - just switch to it\n              email = accountId;\n              isNew = false;\n              logger.info(`Account already linked: ${email}, switching without OAuth`);\n\n              // Set as active account\n              await setActiveAccount(store, { service, accountId: email });\n\n              // Update alias if provided\n              if (params.alias) {\n                const existingInfo = await getAccountInfo(store, { accountId: email, service });\n                const accountInfo: AccountInfo = {\n                  email,\n                  alias: params.alias,\n                  addedAt: existingInfo?.addedAt ?? new Date().toISOString(),\n                };\n                await setAccountInfo(store, { accountId: email, service }, accountInfo);\n              }\n\n              const result = {\n                type: 'success' as const,\n                email,\n                isNew: false,\n                totalAccounts: existingAccounts.length,\n                message: `Account already linked: ${email}. Set as active account (no OAuth needed).`,\n              };\n\n              return {\n                content: [{ type: 'text' as const, text: JSON.stringify(result, null, 2) }],\n                structuredContent: { result },\n              };\n            }\n          }\n\n          // Not linked or no email provided - trigger OAuth flow for new account\n          // Force an OAuth flow by passing a unique accountId to bypass any active account.\n          await auth.getAccessToken(`new:${randomUUID()}`);\n\n          email = await getActiveAccount(store, { service });\n          if (!email) {\n            throw new Error('OAuth flow completed without setting an active account');\n          }\n\n          // Check if account already exists (in case OAuth returned different email than requested)\n          isNew = !existingAccounts.includes(email);\n\n          if (isNew) {\n            // Add new account\n            await addAccount(store, { service, accountId: email });\n            logger.info(`Added new ${service} account`, { email });\n          } else {\n            logger.info(`Account already linked: ${email}`);\n          }\n\n          // Set/update account info\n          const existingInfo = await getAccountInfo(store, { accountId: email, service });\n          const accountInfo: AccountInfo = {\n            email,\n            ...(params.alias ? { alias: params.alias } : {}),\n            addedAt: isNew ? new Date().toISOString() : (existingInfo?.addedAt ?? new Date().toISOString()),\n          };\n          await setAccountInfo(store, { accountId: email, service }, accountInfo);\n\n          // Set as active account\n          await setActiveAccount(store, { service, accountId: email });\n\n          const totalAccounts = isNew ? existingAccounts.length + 1 : existingAccounts.length;\n\n          const result = {\n            type: 'success' as const,\n            email,\n            isNew,\n            totalAccounts,\n            message: isNew ? `Successfully added ${service} account: ${email} (${totalAccounts} total)` : `Account already linked: ${email}. Set as active account.`,\n          };\n\n          return {\n            content: [{ type: 'text' as const, text: JSON.stringify(result, null, 2) }],\n            structuredContent: { result },\n          };\n        } catch (error) {\n          const message = error instanceof Error ? error.message : String(error);\n          throw new McpError(ErrorCode.InternalError, `Error switching ${service} account: ${message}`, {\n            stack: error instanceof Error ? error.stack : undefined,\n          });\n        }\n      },\n    },\n\n    // account-remove\n    {\n      name: 'account-remove',\n      config: {\n        description: `Remove ${service} account and delete stored tokens permanently. If removing the active account, the first remaining account becomes active. Requires email or alias parameter.`,\n        inputSchema: {\n          accountId: z.string().min(1).describe('Email address or alias of account to remove'),\n        } as const,\n        outputSchema: {\n          result: z.discriminatedUnion('type', [\n            z.object({\n              type: z.literal('success'),\n              service: z.string(),\n              removed: z.string(),\n              remainingAccounts: z.number(),\n              newActiveAccount: z.string().optional(),\n              message: z.string(),\n            }),\n          ]),\n        } as const,\n      },\n      handler: async (args: unknown): Promise<CallToolResult> => {\n        const params = args as { accountId: string };\n        try {\n          const linkedAccounts = await getLinkedAccounts(store, { service });\n          if (linkedAccounts.length === 0) {\n            throw new Error(`No ${service} accounts to remove`);\n          }\n\n          // Find account by email or alias\n          const accountId = await findAccountByEmailOrAlias(store, service, params.accountId);\n\n          if (!accountId) {\n            throw new Error(`Account not found: ${params.accountId}`);\n          }\n\n          // Get current active account\n          const activeAccount = await getActiveAccount(store, { service });\n          const removingActive = activeAccount === accountId;\n\n          // Remove the account\n          await removeAccount(store, { service, accountId });\n          const remainingAccounts = linkedAccounts.filter((id) => id !== accountId);\n\n          // If we removed the active account, set first remaining as active\n          let newActiveAccount: string | undefined;\n          if (removingActive && remainingAccounts.length > 0) {\n            const firstRemaining = remainingAccounts[0];\n            if (firstRemaining) {\n              newActiveAccount = firstRemaining;\n              await setActiveAccount(store, { service, accountId: newActiveAccount });\n            }\n          }\n\n          logger.info(`Successfully removed ${service} account`, { accountId, remainingAccounts: remainingAccounts.length });\n\n          const result = {\n            type: 'success' as const,\n            service,\n            removed: accountId,\n            remainingAccounts: remainingAccounts.length,\n            ...(newActiveAccount && { newActiveAccount }),\n            message: `Removed ${service} account: ${accountId}${newActiveAccount ? `. Active account is now: ${newActiveAccount}` : ''}`,\n          };\n\n          return {\n            content: [{ type: 'text' as const, text: JSON.stringify(result, null, 2) }],\n            structuredContent: { result },\n          };\n        } catch (error) {\n          const message = error instanceof Error ? error.message : String(error);\n          throw new McpError(ErrorCode.InternalError, `Error removing ${service} account: ${message}`, {\n            stack: error instanceof Error ? error.stack : undefined,\n          });\n        }\n      },\n    },\n\n    // account-list\n    {\n      name: 'account-list',\n      config: {\n        description: `List all linked ${service} accounts with their aliases and active status.`,\n        inputSchema: {} as const,\n        outputSchema: {\n          result: z.discriminatedUnion('type', [\n            z.object({\n              type: z.literal('success'),\n              service: z.string(),\n              accounts: z.array(\n                z.object({\n                  email: z.string(),\n                  alias: z.string().optional(),\n                  isActive: z.boolean(),\n                })\n              ),\n              totalAccounts: z.number(),\n              message: z.string(),\n            }),\n          ]),\n        } as const,\n      },\n      handler: async (): Promise<CallToolResult> => {\n        try {\n          const linkedAccounts = await getLinkedAccounts(store, { service });\n\n          // Return empty array gracefully (no error when no accounts)\n          if (linkedAccounts.length === 0) {\n            const result = {\n              type: 'success' as const,\n              service,\n              accounts: [],\n              totalAccounts: 0,\n              message: `No ${service} accounts linked. Use account-switch to add an account.`,\n            };\n\n            return {\n              content: [{ type: 'text' as const, text: JSON.stringify(result, null, 2) }],\n              structuredContent: { result },\n            };\n          }\n\n          const activeAccountId = await getActiveAccount(store, { service });\n\n          // Get account info for each linked account\n          const accounts = await Promise.all(\n            linkedAccounts.map(async (email) => {\n              const accountInfo = await getAccountInfo(store, { accountId: email, service });\n              return {\n                email,\n                alias: accountInfo?.alias,\n                isActive: email === activeAccountId,\n              };\n            })\n          );\n\n          const result = {\n            type: 'success' as const,\n            service,\n            accounts,\n            totalAccounts: linkedAccounts.length,\n            message: `Found ${linkedAccounts.length} ${service} account(s)`,\n          };\n\n          return {\n            content: [{ type: 'text' as const, text: JSON.stringify(result, null, 2) }],\n            structuredContent: { result },\n          };\n        } catch (error) {\n          const message = error instanceof Error ? error.message : String(error);\n          throw new McpError(ErrorCode.InternalError, `Error listing ${service} accounts: ${message}`, {\n            stack: error instanceof Error ? error.stack : undefined,\n          });\n        }\n      },\n    },\n  ];\n\n  const prompts: McpPrompt[] = [];\n\n  return { tools, prompts };\n}\n"],"names":["ErrorCode","McpError","randomUUID","z","addAccount","getAccountInfo","getActiveAccount","getLinkedAccounts","removeAccount","setAccountInfo","setActiveAccount","createAccountMe","findAccountByEmailOrAlias","createLoopback","config","service","store","logger","auth","meTools","mode","tools","name","description","inputSchema","email","string","optional","describe","alias","outputSchema","result","discriminatedUnion","object","type","literal","isNew","boolean","totalAccounts","number","message","handler","args","params","info","existingAccounts","accountId","existingInfo","accountInfo","addedAt","Date","toISOString","length","content","text","JSON","stringify","structuredContent","getAccessToken","Error","includes","error","String","InternalError","stack","undefined","min","removed","remainingAccounts","newActiveAccount","linkedAccounts","activeAccount","removingActive","filter","id","firstRemaining","accounts","array","isActive","activeAccountId","Promise","all","map","prompts"],"mappings":"AAAA;;;;;;;;;;;CAWC,GAGD,SAASA,SAAS,EAAEC,QAAQ,QAAQ,qCAAqC;AACzE,SAASC,UAAU,QAAQ,SAAS;AACpC,SAASC,CAAC,QAAQ,MAAM;AACxB,SAASC,UAAU,EAAEC,cAAc,EAAEC,gBAAgB,EAAEC,iBAAiB,EAAEC,aAAa,EAAEC,cAAc,EAAEC,gBAAgB,QAAQ,yBAAyB;AAE1J,SAASC,eAAe,QAAQ,UAAU;AAC1C,SAASC,yBAAyB,QAAQ,oBAAoB;AAG9D;;;CAGC,GACD,OAAO,SAASC,eAAeC,MAA6B;IAC1D,MAAM,EAAEC,OAAO,EAAEC,KAAK,EAAEC,MAAM,EAAEC,IAAI,EAAE,GAAGJ;IAEzC,yBAAyB;IACzB,MAAMK,UAAUR,gBAAgB;QAAEI;QAASC;QAAOC;QAAQG,MAAM;IAAW;IAE3E,MAAMC,QAAmB;WACpBF,QAAQE,KAAK;QAChB,iBAAiB;QACjB;YACEC,MAAM;YACNR,QAAQ;gBACNS,aAAa,CAAC,IAAI,EAAER,QAAQ,uQAAuQ,CAAC;gBACpSS,aAAa;oBACXC,OAAOtB,EAAEuB,MAAM,GAAGC,QAAQ,GAAGC,QAAQ,CAAC;oBACtCC,OAAO1B,EAAEuB,MAAM,GAAGC,QAAQ,GAAGC,QAAQ,CAAC;gBACxC;gBACAE,cAAc;oBACZC,QAAQ5B,EAAE6B,kBAAkB,CAAC,QAAQ;wBACnC7B,EAAE8B,MAAM,CAAC;4BACPC,MAAM/B,EAAEgC,OAAO,CAAC;4BAChBV,OAAOtB,EAAEuB,MAAM;4BACfU,OAAOjC,EAAEkC,OAAO;4BAChBC,eAAenC,EAAEoC,MAAM;4BACvBC,SAASrC,EAAEuB,MAAM;wBACnB;qBACD;gBACH;YACF;YACAe,SAAS,OAAOC;gBACd,MAAMC,SAASD;gBACf,IAAI;;oBACFzB,OAAO2B,IAAI,CAAC,CAAC,4BAA4B,EAAE7B,SAAS,EAAE;wBAAEU,OAAOkB,OAAOlB,KAAK;wBAAEI,OAAOc,OAAOd,KAAK;oBAAC;oBAEjG,wBAAwB;oBACxB,MAAMgB,mBAAmB,MAAMtC,kBAAkBS,OAAO;wBAAED;oBAAQ;oBAElE,IAAIU;oBACJ,IAAIW;oBAEJ,6DAA6D;oBAC7D,IAAIO,OAAOlB,KAAK,EAAE;wBAChB,iCAAiC;wBACjC,MAAMqB,YAAY,MAAMlC,0BAA0BI,OAAOD,SAAS4B,OAAOlB,KAAK;wBAE9E,IAAIqB,WAAW;4BACb,6CAA6C;4BAC7CrB,QAAQqB;4BACRV,QAAQ;4BACRnB,OAAO2B,IAAI,CAAC,CAAC,wBAAwB,EAAEnB,MAAM,yBAAyB,CAAC;4BAEvE,wBAAwB;4BACxB,MAAMf,iBAAiBM,OAAO;gCAAED;gCAAS+B,WAAWrB;4BAAM;4BAE1D,2BAA2B;4BAC3B,IAAIkB,OAAOd,KAAK,EAAE;;gCAChB,MAAMkB,eAAe,MAAM1C,eAAeW,OAAO;oCAAE8B,WAAWrB;oCAAOV;gCAAQ;gCAC7E,MAAMiC,cAA2B;oCAC/BvB;oCACAI,OAAOc,OAAOd,KAAK;oCACnBoB,OAAO,WAAEF,yBAAAA,mCAAAA,aAAcE,OAAO,yCAAI,IAAIC,OAAOC,WAAW;gCAC1D;gCACA,MAAM1C,eAAeO,OAAO;oCAAE8B,WAAWrB;oCAAOV;gCAAQ,GAAGiC;4BAC7D;4BAEA,MAAMjB,SAAS;gCACbG,MAAM;gCACNT;gCACAW,OAAO;gCACPE,eAAeO,iBAAiBO,MAAM;gCACtCZ,SAAS,CAAC,wBAAwB,EAAEf,MAAM,0CAA0C,CAAC;4BACvF;4BAEA,OAAO;gCACL4B,SAAS;oCAAC;wCAAEnB,MAAM;wCAAiBoB,MAAMC,KAAKC,SAAS,CAACzB,QAAQ,MAAM;oCAAG;iCAAE;gCAC3E0B,mBAAmB;oCAAE1B;gCAAO;4BAC9B;wBACF;oBACF;oBAEA,uEAAuE;oBACvE,kFAAkF;oBAClF,MAAMb,KAAKwC,cAAc,CAAC,CAAC,IAAI,EAAExD,cAAc;oBAE/CuB,QAAQ,MAAMnB,iBAAiBU,OAAO;wBAAED;oBAAQ;oBAChD,IAAI,CAACU,OAAO;wBACV,MAAM,IAAIkC,MAAM;oBAClB;oBAEA,0FAA0F;oBAC1FvB,QAAQ,CAACS,iBAAiBe,QAAQ,CAACnC;oBAEnC,IAAIW,OAAO;wBACT,kBAAkB;wBAClB,MAAMhC,WAAWY,OAAO;4BAAED;4BAAS+B,WAAWrB;wBAAM;wBACpDR,OAAO2B,IAAI,CAAC,CAAC,UAAU,EAAE7B,QAAQ,QAAQ,CAAC,EAAE;4BAAEU;wBAAM;oBACtD,OAAO;wBACLR,OAAO2B,IAAI,CAAC,CAAC,wBAAwB,EAAEnB,OAAO;oBAChD;oBAEA,0BAA0B;oBAC1B,MAAMsB,eAAe,MAAM1C,eAAeW,OAAO;wBAAE8B,WAAWrB;wBAAOV;oBAAQ;oBAC7E,MAAMiC,cAA2B;wBAC/BvB;wBACA,GAAIkB,OAAOd,KAAK,GAAG;4BAAEA,OAAOc,OAAOd,KAAK;wBAAC,IAAI,CAAC,CAAC;wBAC/CoB,SAASb,QAAQ,IAAIc,OAAOC,WAAW,aAAMJ,yBAAAA,mCAAAA,aAAcE,OAAO,uCAAI,IAAIC,OAAOC,WAAW;oBAC9F;oBACA,MAAM1C,eAAeO,OAAO;wBAAE8B,WAAWrB;wBAAOV;oBAAQ,GAAGiC;oBAE3D,wBAAwB;oBACxB,MAAMtC,iBAAiBM,OAAO;wBAAED;wBAAS+B,WAAWrB;oBAAM;oBAE1D,MAAMa,gBAAgBF,QAAQS,iBAAiBO,MAAM,GAAG,IAAIP,iBAAiBO,MAAM;oBAEnF,MAAMrB,SAAS;wBACbG,MAAM;wBACNT;wBACAW;wBACAE;wBACAE,SAASJ,QAAQ,CAAC,mBAAmB,EAAErB,QAAQ,UAAU,EAAEU,MAAM,EAAE,EAAEa,cAAc,OAAO,CAAC,GAAG,CAAC,wBAAwB,EAAEb,MAAM,wBAAwB,CAAC;oBAC1J;oBAEA,OAAO;wBACL4B,SAAS;4BAAC;gCAAEnB,MAAM;gCAAiBoB,MAAMC,KAAKC,SAAS,CAACzB,QAAQ,MAAM;4BAAG;yBAAE;wBAC3E0B,mBAAmB;4BAAE1B;wBAAO;oBAC9B;gBACF,EAAE,OAAO8B,OAAO;oBACd,MAAMrB,UAAUqB,iBAAiBF,QAAQE,MAAMrB,OAAO,GAAGsB,OAAOD;oBAChE,MAAM,IAAI5D,SAASD,UAAU+D,aAAa,EAAE,CAAC,gBAAgB,EAAEhD,QAAQ,UAAU,EAAEyB,SAAS,EAAE;wBAC5FwB,OAAOH,iBAAiBF,QAAQE,MAAMG,KAAK,GAAGC;oBAChD;gBACF;YACF;QACF;QAEA,iBAAiB;QACjB;YACE3C,MAAM;YACNR,QAAQ;gBACNS,aAAa,CAAC,OAAO,EAAER,QAAQ,6JAA6J,CAAC;gBAC7LS,aAAa;oBACXsB,WAAW3C,EAAEuB,MAAM,GAAGwC,GAAG,CAAC,GAAGtC,QAAQ,CAAC;gBACxC;gBACAE,cAAc;oBACZC,QAAQ5B,EAAE6B,kBAAkB,CAAC,QAAQ;wBACnC7B,EAAE8B,MAAM,CAAC;4BACPC,MAAM/B,EAAEgC,OAAO,CAAC;4BAChBpB,SAASZ,EAAEuB,MAAM;4BACjByC,SAAShE,EAAEuB,MAAM;4BACjB0C,mBAAmBjE,EAAEoC,MAAM;4BAC3B8B,kBAAkBlE,EAAEuB,MAAM,GAAGC,QAAQ;4BACrCa,SAASrC,EAAEuB,MAAM;wBACnB;qBACD;gBACH;YACF;YACAe,SAAS,OAAOC;gBACd,MAAMC,SAASD;gBACf,IAAI;oBACF,MAAM4B,iBAAiB,MAAM/D,kBAAkBS,OAAO;wBAAED;oBAAQ;oBAChE,IAAIuD,eAAelB,MAAM,KAAK,GAAG;wBAC/B,MAAM,IAAIO,MAAM,CAAC,GAAG,EAAE5C,QAAQ,mBAAmB,CAAC;oBACpD;oBAEA,iCAAiC;oBACjC,MAAM+B,YAAY,MAAMlC,0BAA0BI,OAAOD,SAAS4B,OAAOG,SAAS;oBAElF,IAAI,CAACA,WAAW;wBACd,MAAM,IAAIa,MAAM,CAAC,mBAAmB,EAAEhB,OAAOG,SAAS,EAAE;oBAC1D;oBAEA,6BAA6B;oBAC7B,MAAMyB,gBAAgB,MAAMjE,iBAAiBU,OAAO;wBAAED;oBAAQ;oBAC9D,MAAMyD,iBAAiBD,kBAAkBzB;oBAEzC,qBAAqB;oBACrB,MAAMtC,cAAcQ,OAAO;wBAAED;wBAAS+B;oBAAU;oBAChD,MAAMsB,oBAAoBE,eAAeG,MAAM,CAAC,CAACC,KAAOA,OAAO5B;oBAE/D,kEAAkE;oBAClE,IAAIuB;oBACJ,IAAIG,kBAAkBJ,kBAAkBhB,MAAM,GAAG,GAAG;wBAClD,MAAMuB,iBAAiBP,iBAAiB,CAAC,EAAE;wBAC3C,IAAIO,gBAAgB;4BAClBN,mBAAmBM;4BACnB,MAAMjE,iBAAiBM,OAAO;gCAAED;gCAAS+B,WAAWuB;4BAAiB;wBACvE;oBACF;oBAEApD,OAAO2B,IAAI,CAAC,CAAC,qBAAqB,EAAE7B,QAAQ,QAAQ,CAAC,EAAE;wBAAE+B;wBAAWsB,mBAAmBA,kBAAkBhB,MAAM;oBAAC;oBAEhH,MAAMrB,SAAS;wBACbG,MAAM;wBACNnB;wBACAoD,SAASrB;wBACTsB,mBAAmBA,kBAAkBhB,MAAM;wBAC3C,GAAIiB,oBAAoB;4BAAEA;wBAAiB,CAAC;wBAC5C7B,SAAS,CAAC,QAAQ,EAAEzB,QAAQ,UAAU,EAAE+B,YAAYuB,mBAAmB,CAAC,yBAAyB,EAAEA,kBAAkB,GAAG,IAAI;oBAC9H;oBAEA,OAAO;wBACLhB,SAAS;4BAAC;gCAAEnB,MAAM;gCAAiBoB,MAAMC,KAAKC,SAAS,CAACzB,QAAQ,MAAM;4BAAG;yBAAE;wBAC3E0B,mBAAmB;4BAAE1B;wBAAO;oBAC9B;gBACF,EAAE,OAAO8B,OAAO;oBACd,MAAMrB,UAAUqB,iBAAiBF,QAAQE,MAAMrB,OAAO,GAAGsB,OAAOD;oBAChE,MAAM,IAAI5D,SAASD,UAAU+D,aAAa,EAAE,CAAC,eAAe,EAAEhD,QAAQ,UAAU,EAAEyB,SAAS,EAAE;wBAC3FwB,OAAOH,iBAAiBF,QAAQE,MAAMG,KAAK,GAAGC;oBAChD;gBACF;YACF;QACF;QAEA,eAAe;QACf;YACE3C,MAAM;YACNR,QAAQ;gBACNS,aAAa,CAAC,gBAAgB,EAAER,QAAQ,+CAA+C,CAAC;gBACxFS,aAAa,CAAC;gBACdM,cAAc;oBACZC,QAAQ5B,EAAE6B,kBAAkB,CAAC,QAAQ;wBACnC7B,EAAE8B,MAAM,CAAC;4BACPC,MAAM/B,EAAEgC,OAAO,CAAC;4BAChBpB,SAASZ,EAAEuB,MAAM;4BACjBkD,UAAUzE,EAAE0E,KAAK,CACf1E,EAAE8B,MAAM,CAAC;gCACPR,OAAOtB,EAAEuB,MAAM;gCACfG,OAAO1B,EAAEuB,MAAM,GAAGC,QAAQ;gCAC1BmD,UAAU3E,EAAEkC,OAAO;4BACrB;4BAEFC,eAAenC,EAAEoC,MAAM;4BACvBC,SAASrC,EAAEuB,MAAM;wBACnB;qBACD;gBACH;YACF;YACAe,SAAS;gBACP,IAAI;oBACF,MAAM6B,iBAAiB,MAAM/D,kBAAkBS,OAAO;wBAAED;oBAAQ;oBAEhE,4DAA4D;oBAC5D,IAAIuD,eAAelB,MAAM,KAAK,GAAG;wBAC/B,MAAMrB,SAAS;4BACbG,MAAM;4BACNnB;4BACA6D,UAAU,EAAE;4BACZtC,eAAe;4BACfE,SAAS,CAAC,GAAG,EAAEzB,QAAQ,uDAAuD,CAAC;wBACjF;wBAEA,OAAO;4BACLsC,SAAS;gCAAC;oCAAEnB,MAAM;oCAAiBoB,MAAMC,KAAKC,SAAS,CAACzB,QAAQ,MAAM;gCAAG;6BAAE;4BAC3E0B,mBAAmB;gCAAE1B;4BAAO;wBAC9B;oBACF;oBAEA,MAAMgD,kBAAkB,MAAMzE,iBAAiBU,OAAO;wBAAED;oBAAQ;oBAEhE,2CAA2C;oBAC3C,MAAM6D,WAAW,MAAMI,QAAQC,GAAG,CAChCX,eAAeY,GAAG,CAAC,OAAOzD;wBACxB,MAAMuB,cAAc,MAAM3C,eAAeW,OAAO;4BAAE8B,WAAWrB;4BAAOV;wBAAQ;wBAC5E,OAAO;4BACLU;4BACAI,KAAK,EAAEmB,wBAAAA,kCAAAA,YAAanB,KAAK;4BACzBiD,UAAUrD,UAAUsD;wBACtB;oBACF;oBAGF,MAAMhD,SAAS;wBACbG,MAAM;wBACNnB;wBACA6D;wBACAtC,eAAegC,eAAelB,MAAM;wBACpCZ,SAAS,CAAC,MAAM,EAAE8B,eAAelB,MAAM,CAAC,CAAC,EAAErC,QAAQ,WAAW,CAAC;oBACjE;oBAEA,OAAO;wBACLsC,SAAS;4BAAC;gCAAEnB,MAAM;gCAAiBoB,MAAMC,KAAKC,SAAS,CAACzB,QAAQ,MAAM;4BAAG;yBAAE;wBAC3E0B,mBAAmB;4BAAE1B;wBAAO;oBAC9B;gBACF,EAAE,OAAO8B,OAAO;oBACd,MAAMrB,UAAUqB,iBAAiBF,QAAQE,MAAMrB,OAAO,GAAGsB,OAAOD;oBAChE,MAAM,IAAI5D,SAASD,UAAU+D,aAAa,EAAE,CAAC,cAAc,EAAEhD,QAAQ,WAAW,EAAEyB,SAAS,EAAE;wBAC3FwB,OAAOH,iBAAiBF,QAAQE,MAAMG,KAAK,GAAGC;oBAChD;gBACF;YACF;QACF;KACD;IAED,MAAMkB,UAAuB,EAAE;IAE/B,OAAO;QAAE9D;QAAO8D;IAAQ;AAC1B"}

package/dist/esm/lib/account-server/me.js.map

@@ -1 +1 @@
-{"version":3,"sources":["/Users/kevin/Dev/Projects/ai/mcp-z/oauth/oauth/src/lib/account-server/me.ts"],"sourcesContent":["/**\n * Account \"me\" tool - Who am I currently authenticated as?\n *\n * Provides current user identity across all auth modes:\n * - Loopback: email, alias, sessionExpiresIn from stored tokens\n * - DCR/Stateless: email from bearer token context, sessionExpiresIn=null\n * - Device Code: email, sessionExpiresIn from stored tokens\n * - Service Account: email, sessionExpiresIn=\"never\" (JWT-based)\n *\n * Tool: {service}-account-me\n */\n\nimport type { CallToolResult } from '@modelcontextprotocol/sdk/types.js';\nimport { ErrorCode, McpError } from '@modelcontextprotocol/sdk/types.js';\nimport { z } from 'zod';\nimport { getAccountInfo, getActiveAccount, getToken } from '../../account-utils.ts';\nimport type { CachedToken, McpPrompt, McpTool } from '../../types.ts';\nimport type { AccountMeConfig } from './types.ts';\n\n/**\n * Format milliseconds as human-readable duration\n * Examples: \"2h 15m\", \"45m\", \"30s\"\n */\nfunction formatDuration(ms: number): string {\n  const totalSeconds = Math.floor(ms / 1000);\n\n  if (totalSeconds < 60) {\n    return `${totalSeconds}s`;\n  }\n\n  const minutes = Math.floor(totalSeconds / 60);\n  if (minutes < 60) {\n    return `${minutes}m`;\n  }\n\n  const hours = Math.floor(minutes / 60);\n  const remainingMinutes = minutes % 60;\n\n  if (remainingMinutes === 0) {\n    return `${hours}h`;\n  }\n\n  return `${hours}h ${remainingMinutes}m`;\n}\n\n/**\n * Create account-me tool for current user identity.\n *\n * Returns email, optional alias (loopback only), and session expiry info.\n * Throws error if no active account in loopback mode.\n */\nexport function createAccountMe(config: AccountMeConfig): { tools: McpTool[]; prompts: McpPrompt[] } {\n  const { service, store, logger, mode } = config;\n\n  const tools: McpTool[] = [\n    {\n      name: 'account-me',\n      config: {\n        description: `Show current ${service} user identity. Returns email, alias (if set), and session expiry information.`,\n        inputSchema: {} as const,\n        outputSchema: {\n          result: z.discriminatedUnion('type', [\n            z.object({\n              type: z.literal('success'),\n              service: z.string(),\n              email: z.string(),\n              alias: z.string().optional(),\n              sessionExpiresIn: z.string().nullable().optional(),\n              message: z.string(),\n            }),\n          ]),\n        } as const,\n      },\n      handler: async (_args: unknown, extra?: unknown): Promise<CallToolResult> => {\n        try {\n          // Mode-specific implementation\n          if (mode === 'stateless') {\n            // DCR/Stateless: Extract email from auth context\n            const authContext = (extra as { authContext?: { accountId?: string } })?.authContext;\n\n            if (!authContext?.accountId) {\n              throw new Error('No authentication context available. DCR mode requires bearer token.');\n            }\n\n            const result = {\n              type: 'success' as const,\n              service,\n              email: authContext.accountId,\n              sessionExpiresIn: null, // Client-managed\n              message: `Authenticated as ${authContext.accountId}. Session managed by MCP client.`,\n            };\n\n            return {\n              content: [{ type: 'text' as const, text: JSON.stringify(result, null, 2) }],\n              structuredContent: { result },\n            };\n          }\n\n          // Loopback/Device Code/Service Account: Use store\n          if (!store) {\n            throw new Error('Store is required for non-stateless mode');\n          }\n\n          // Get active account\n          const activeAccountId = await getActiveAccount(store, { service });\n          if (!activeAccountId) {\n            throw new Error(`No active ${service} account found. Use account-switch to add an account.`);\n          }\n\n          // Get account info (email, alias)\n          const accountInfo = await getAccountInfo(store, { accountId: activeAccountId, service });\n          const email = accountInfo?.email ?? activeAccountId;\n          const alias = accountInfo?.alias;\n\n          // Calculate session expiry\n          let sessionExpiresIn: string | null = null;\n          try {\n            const token = await getToken<CachedToken>(store, { accountId: activeAccountId, service });\n            if (token?.expiresAt) {\n              const now = Date.now();\n              if (token.expiresAt > now) {\n                sessionExpiresIn = formatDuration(token.expiresAt - now);\n              } else {\n                sessionExpiresIn = 'expired';\n              }\n            } else {\n              // No expiry = JWT-based service account or no token info\n              sessionExpiresIn = 'never';\n            }\n          } catch {\n            // Token not found or error reading - treat as \"never\" (service account pattern)\n            sessionExpiresIn = 'never';\n          }\n\n          const result = {\n            type: 'success' as const,\n            service,\n            email,\n            ...(alias && { alias }),\n            ...(sessionExpiresIn && { sessionExpiresIn }),\n            message: `Authenticated as ${email}${alias ? ` (${alias})` : ''}${sessionExpiresIn ? `. Session expires in ${sessionExpiresIn}` : ''}.`,\n          };\n\n          return {\n            content: [{ type: 'text' as const, text: JSON.stringify(result, null, 2) }],\n            structuredContent: { result },\n          };\n        } catch (error) {\n          const message = error instanceof Error ? error.message : String(error);\n          logger?.error?.('account-me.error', { service, error: message });\n\n          throw new McpError(ErrorCode.InternalError, `Error getting ${service} account info: ${message}`, {\n            stack: error instanceof Error ? error.stack : undefined,\n          });\n        }\n      },\n    },\n  ];\n\n  const prompts: McpPrompt[] = [];\n\n  return { tools, prompts };\n}\n"],"names":["ErrorCode","McpError","z","getAccountInfo","getActiveAccount","getToken","formatDuration","ms","totalSeconds","Math","floor","minutes","hours","remainingMinutes","createAccountMe","config","service","store","logger","mode","tools","name","description","inputSchema","outputSchema","result","discriminatedUnion","object","type","literal","string","email","alias","optional","sessionExpiresIn","nullable","message","handler","_args","extra","authContext","accountId","Error","content","text","JSON","stringify","structuredContent","activeAccountId","accountInfo","token","expiresAt","now","Date","error","String","InternalError","stack","undefined","prompts"],"mappings":"AAAA;;;;;;;;;;CAUC,GAGD,SAASA,SAAS,EAAEC,QAAQ,QAAQ,qCAAqC;AACzE,SAASC,CAAC,QAAQ,MAAM;AACxB,SAASC,cAAc,EAAEC,gBAAgB,EAAEC,QAAQ,QAAQ,yBAAyB;AAIpF;;;CAGC,GACD,SAASC,eAAeC,EAAU;IAChC,MAAMC,eAAeC,KAAKC,KAAK,CAACH,KAAK;IAErC,IAAIC,eAAe,IAAI;QACrB,OAAO,GAAGA,aAAa,CAAC,CAAC;IAC3B;IAEA,MAAMG,UAAUF,KAAKC,KAAK,CAACF,eAAe;IAC1C,IAAIG,UAAU,IAAI;QAChB,OAAO,GAAGA,QAAQ,CAAC,CAAC;IACtB;IAEA,MAAMC,QAAQH,KAAKC,KAAK,CAACC,UAAU;IACnC,MAAME,mBAAmBF,UAAU;IAEnC,IAAIE,qBAAqB,GAAG;QAC1B,OAAO,GAAGD,MAAM,CAAC,CAAC;IACpB;IAEA,OAAO,GAAGA,MAAM,EAAE,EAAEC,iBAAiB,CAAC,CAAC;AACzC;AAEA;;;;;CAKC,GACD,OAAO,SAASC,gBAAgBC,MAAuB;IACrD,MAAM,EAAEC,OAAO,EAAEC,KAAK,EAAEC,MAAM,EAAEC,IAAI,EAAE,GAAGJ;IAEzC,MAAMK,QAAmB;QACvB;YACEC,MAAM;YACNN,QAAQ;gBACNO,aAAa,CAAC,aAAa,EAAEN,QAAQ,8EAA8E,CAAC;gBACpHO,aAAa,CAAC;gBACdC,cAAc;oBACZC,QAAQvB,EAAEwB,kBAAkB,CAAC,QAAQ;wBACnCxB,EAAEyB,MAAM,CAAC;4BACPC,MAAM1B,EAAE2B,OAAO,CAAC;4BAChBb,SAASd,EAAE4B,MAAM;4BACjBC,OAAO7B,EAAE4B,MAAM;4BACfE,OAAO9B,EAAE4B,MAAM,GAAGG,QAAQ;4BAC1BC,kBAAkBhC,EAAE4B,MAAM,GAAGK,QAAQ,GAAGF,QAAQ;4BAChDG,SAASlC,EAAE4B,MAAM;wBACnB;qBACD;gBACH;YACF;YACAO,SAAS,OAAOC,OAAgBC;gBAC9B,IAAI;;oBACF,+BAA+B;oBAC/B,IAAIpB,SAAS,aAAa;wBACxB,iDAAiD;wBACjD,MAAMqB,cAAeD,kBAAAA,4BAAD,AAACA,MAAoDC,WAAW;wBAEpF,IAAI,EAACA,wBAAAA,kCAAAA,YAAaC,SAAS,GAAE;4BAC3B,MAAM,IAAIC,MAAM;wBAClB;wBAEA,MAAMjB,SAAS;4BACbG,MAAM;4BACNZ;4BACAe,OAAOS,YAAYC,SAAS;4BAC5BP,kBAAkB;4BAClBE,SAAS,CAAC,iBAAiB,EAAEI,YAAYC,SAAS,CAAC,gCAAgC,CAAC;wBACtF;wBAEA,OAAO;4BACLE,SAAS;gCAAC;oCAAEf,MAAM;oCAAiBgB,MAAMC,KAAKC,SAAS,CAACrB,QAAQ,MAAM;gCAAG;6BAAE;4BAC3EsB,mBAAmB;gCAAEtB;4BAAO;wBAC9B;oBACF;oBAEA,kDAAkD;oBAClD,IAAI,CAACR,OAAO;wBACV,MAAM,IAAIyB,MAAM;oBAClB;oBAEA,qBAAqB;oBACrB,MAAMM,kBAAkB,MAAM5C,iBAAiBa,OAAO;wBAAED;oBAAQ;oBAChE,IAAI,CAACgC,iBAAiB;wBACpB,MAAM,IAAIN,MAAM,CAAC,UAAU,EAAE1B,QAAQ,qDAAqD,CAAC;oBAC7F;oBAEA,kCAAkC;oBAClC,MAAMiC,cAAc,MAAM9C,eAAec,OAAO;wBAAEwB,WAAWO;wBAAiBhC;oBAAQ;oBACtF,MAAMe,gBAAQkB,wBAAAA,kCAAAA,YAAalB,KAAK,uCAAIiB;oBACpC,MAAMhB,QAAQiB,wBAAAA,kCAAAA,YAAajB,KAAK;oBAEhC,2BAA2B;oBAC3B,IAAIE,mBAAkC;oBACtC,IAAI;wBACF,MAAMgB,QAAQ,MAAM7C,SAAsBY,OAAO;4BAAEwB,WAAWO;4BAAiBhC;wBAAQ;wBACvF,IAAIkC,kBAAAA,4BAAAA,MAAOC,SAAS,EAAE;4BACpB,MAAMC,MAAMC,KAAKD,GAAG;4BACpB,IAAIF,MAAMC,SAAS,GAAGC,KAAK;gCACzBlB,mBAAmB5B,eAAe4C,MAAMC,SAAS,GAAGC;4BACtD,OAAO;gCACLlB,mBAAmB;4BACrB;wBACF,OAAO;4BACL,yDAAyD;4BACzDA,mBAAmB;wBACrB;oBACF,EAAE,OAAM;wBACN,gFAAgF;wBAChFA,mBAAmB;oBACrB;oBAEA,MAAMT,SAAS;wBACbG,MAAM;wBACNZ;wBACAe;wBACA,GAAIC,SAAS;4BAAEA;wBAAM,CAAC;wBACtB,GAAIE,oBAAoB;4BAAEA;wBAAiB,CAAC;wBAC5CE,SAAS,CAAC,iBAAiB,EAAEL,QAAQC,QAAQ,CAAC,EAAE,EAAEA,MAAM,CAAC,CAAC,GAAG,KAAKE,mBAAmB,CAAC,qBAAqB,EAAEA,kBAAkB,GAAG,GAAG,CAAC,CAAC;oBACzI;oBAEA,OAAO;wBACLS,SAAS;4BAAC;gCAAEf,MAAM;gCAAiBgB,MAAMC,KAAKC,SAAS,CAACrB,QAAQ,MAAM;4BAAG;yBAAE;wBAC3EsB,mBAAmB;4BAAEtB;wBAAO;oBAC9B;gBACF,EAAE,OAAO6B,OAAO;wBAEdpC;oBADA,MAAMkB,UAAUkB,iBAAiBZ,QAAQY,MAAMlB,OAAO,GAAGmB,OAAOD;oBAChEpC,mBAAAA,8BAAAA,gBAAAA,OAAQoC,KAAK,cAAbpC,oCAAAA,mBAAAA,QAAgB,oBAAoB;wBAAEF;wBAASsC,OAAOlB;oBAAQ;oBAE9D,MAAM,IAAInC,SAASD,UAAUwD,aAAa,EAAE,CAAC,cAAc,EAAExC,QAAQ,eAAe,EAAEoB,SAAS,EAAE;wBAC/FqB,OAAOH,iBAAiBZ,QAAQY,MAAMG,KAAK,GAAGC;oBAChD;gBACF;YACF;QACF;KACD;IAED,MAAMC,UAAuB,EAAE;IAE/B,OAAO;QAAEvC;QAAOuC;IAAQ;AAC1B"}
+{"version":3,"sources":["/Users/kevin/Dev/Projects/mcp-z/oauth/src/lib/account-server/me.ts"],"sourcesContent":["/**\n * Account \"me\" tool - Who am I currently authenticated as?\n *\n * Provides current user identity across all auth modes:\n * - Loopback: email, alias, sessionExpiresIn from stored tokens\n * - DCR/Stateless: email from bearer token context, sessionExpiresIn=null\n * - Device Code: email, sessionExpiresIn from stored tokens\n * - Service Account: email, sessionExpiresIn=\"never\" (JWT-based)\n *\n * Tool: {service}-account-me\n */\n\nimport type { CallToolResult } from '@modelcontextprotocol/sdk/types.js';\nimport { ErrorCode, McpError } from '@modelcontextprotocol/sdk/types.js';\nimport { z } from 'zod';\nimport { getAccountInfo, getActiveAccount, getToken } from '../../account-utils.ts';\nimport type { CachedToken, McpPrompt, McpTool } from '../../types.ts';\nimport type { AccountMeConfig } from './types.ts';\n\n/**\n * Format milliseconds as human-readable duration\n * Examples: \"2h 15m\", \"45m\", \"30s\"\n */\nfunction formatDuration(ms: number): string {\n  const totalSeconds = Math.floor(ms / 1000);\n\n  if (totalSeconds < 60) {\n    return `${totalSeconds}s`;\n  }\n\n  const minutes = Math.floor(totalSeconds / 60);\n  if (minutes < 60) {\n    return `${minutes}m`;\n  }\n\n  const hours = Math.floor(minutes / 60);\n  const remainingMinutes = minutes % 60;\n\n  if (remainingMinutes === 0) {\n    return `${hours}h`;\n  }\n\n  return `${hours}h ${remainingMinutes}m`;\n}\n\n/**\n * Create account-me tool for current user identity.\n *\n * Returns email, optional alias (loopback only), and session expiry info.\n * Throws error if no active account in loopback mode.\n */\nexport function createAccountMe(config: AccountMeConfig): { tools: McpTool[]; prompts: McpPrompt[] } {\n  const { service, store, logger, mode } = config;\n\n  const tools: McpTool[] = [\n    {\n      name: 'account-me',\n      config: {\n        description: `Show current ${service} user identity. Returns email, alias (if set), and session expiry information.`,\n        inputSchema: {} as const,\n        outputSchema: {\n          result: z.discriminatedUnion('type', [\n            z.object({\n              type: z.literal('success'),\n              service: z.string(),\n              email: z.string(),\n              alias: z.string().optional(),\n              sessionExpiresIn: z.string().nullable().optional(),\n              message: z.string(),\n            }),\n          ]),\n        } as const,\n      },\n      handler: async (_args: unknown, extra?: unknown): Promise<CallToolResult> => {\n        try {\n          // Mode-specific implementation\n          if (mode === 'stateless') {\n            // DCR/Stateless: Extract email from auth context\n            const authContext = (extra as { authContext?: { accountId?: string } })?.authContext;\n\n            if (!authContext?.accountId) {\n              throw new Error('No authentication context available. DCR mode requires bearer token.');\n            }\n\n            const result = {\n              type: 'success' as const,\n              service,\n              email: authContext.accountId,\n              sessionExpiresIn: null, // Client-managed\n              message: `Authenticated as ${authContext.accountId}. Session managed by MCP client.`,\n            };\n\n            return {\n              content: [{ type: 'text' as const, text: JSON.stringify(result, null, 2) }],\n              structuredContent: { result },\n            };\n          }\n\n          // Loopback/Device Code/Service Account: Use store\n          if (!store) {\n            throw new Error('Store is required for non-stateless mode');\n          }\n\n          // Get active account\n          const activeAccountId = await getActiveAccount(store, { service });\n          if (!activeAccountId) {\n            throw new Error(`No active ${service} account found. Use account-switch to add an account.`);\n          }\n\n          // Get account info (email, alias)\n          const accountInfo = await getAccountInfo(store, { accountId: activeAccountId, service });\n          const email = accountInfo?.email ?? activeAccountId;\n          const alias = accountInfo?.alias;\n\n          // Calculate session expiry\n          let sessionExpiresIn: string | null = null;\n          try {\n            const token = await getToken<CachedToken>(store, { accountId: activeAccountId, service });\n            if (token?.expiresAt) {\n              const now = Date.now();\n              if (token.expiresAt > now) {\n                sessionExpiresIn = formatDuration(token.expiresAt - now);\n              } else {\n                sessionExpiresIn = 'expired';\n              }\n            } else {\n              // No expiry = JWT-based service account or no token info\n              sessionExpiresIn = 'never';\n            }\n          } catch {\n            // Token not found or error reading - treat as \"never\" (service account pattern)\n            sessionExpiresIn = 'never';\n          }\n\n          const result = {\n            type: 'success' as const,\n            service,\n            email,\n            ...(alias && { alias }),\n            ...(sessionExpiresIn && { sessionExpiresIn }),\n            message: `Authenticated as ${email}${alias ? ` (${alias})` : ''}${sessionExpiresIn ? `. Session expires in ${sessionExpiresIn}` : ''}.`,\n          };\n\n          return {\n            content: [{ type: 'text' as const, text: JSON.stringify(result, null, 2) }],\n            structuredContent: { result },\n          };\n        } catch (error) {\n          const message = error instanceof Error ? error.message : String(error);\n          logger?.error?.('account-me.error', { service, error: message });\n\n          throw new McpError(ErrorCode.InternalError, `Error getting ${service} account info: ${message}`, {\n            stack: error instanceof Error ? error.stack : undefined,\n          });\n        }\n      },\n    },\n  ];\n\n  const prompts: McpPrompt[] = [];\n\n  return { tools, prompts };\n}\n"],"names":["ErrorCode","McpError","z","getAccountInfo","getActiveAccount","getToken","formatDuration","ms","totalSeconds","Math","floor","minutes","hours","remainingMinutes","createAccountMe","config","service","store","logger","mode","tools","name","description","inputSchema","outputSchema","result","discriminatedUnion","object","type","literal","string","email","alias","optional","sessionExpiresIn","nullable","message","handler","_args","extra","authContext","accountId","Error","content","text","JSON","stringify","structuredContent","activeAccountId","accountInfo","token","expiresAt","now","Date","error","String","InternalError","stack","undefined","prompts"],"mappings":"AAAA;;;;;;;;;;CAUC,GAGD,SAASA,SAAS,EAAEC,QAAQ,QAAQ,qCAAqC;AACzE,SAASC,CAAC,QAAQ,MAAM;AACxB,SAASC,cAAc,EAAEC,gBAAgB,EAAEC,QAAQ,QAAQ,yBAAyB;AAIpF;;;CAGC,GACD,SAASC,eAAeC,EAAU;IAChC,MAAMC,eAAeC,KAAKC,KAAK,CAACH,KAAK;IAErC,IAAIC,eAAe,IAAI;QACrB,OAAO,GAAGA,aAAa,CAAC,CAAC;IAC3B;IAEA,MAAMG,UAAUF,KAAKC,KAAK,CAACF,eAAe;IAC1C,IAAIG,UAAU,IAAI;QAChB,OAAO,GAAGA,QAAQ,CAAC,CAAC;IACtB;IAEA,MAAMC,QAAQH,KAAKC,KAAK,CAACC,UAAU;IACnC,MAAME,mBAAmBF,UAAU;IAEnC,IAAIE,qBAAqB,GAAG;QAC1B,OAAO,GAAGD,MAAM,CAAC,CAAC;IACpB;IAEA,OAAO,GAAGA,MAAM,EAAE,EAAEC,iBAAiB,CAAC,CAAC;AACzC;AAEA;;;;;CAKC,GACD,OAAO,SAASC,gBAAgBC,MAAuB;IACrD,MAAM,EAAEC,OAAO,EAAEC,KAAK,EAAEC,MAAM,EAAEC,IAAI,EAAE,GAAGJ;IAEzC,MAAMK,QAAmB;QACvB;YACEC,MAAM;YACNN,QAAQ;gBACNO,aAAa,CAAC,aAAa,EAAEN,QAAQ,8EAA8E,CAAC;gBACpHO,aAAa,CAAC;gBACdC,cAAc;oBACZC,QAAQvB,EAAEwB,kBAAkB,CAAC,QAAQ;wBACnCxB,EAAEyB,MAAM,CAAC;4BACPC,MAAM1B,EAAE2B,OAAO,CAAC;4BAChBb,SAASd,EAAE4B,MAAM;4BACjBC,OAAO7B,EAAE4B,MAAM;4BACfE,OAAO9B,EAAE4B,MAAM,GAAGG,QAAQ;4BAC1BC,kBAAkBhC,EAAE4B,MAAM,GAAGK,QAAQ,GAAGF,QAAQ;4BAChDG,SAASlC,EAAE4B,MAAM;wBACnB;qBACD;gBACH;YACF;YACAO,SAAS,OAAOC,OAAgBC;gBAC9B,IAAI;;oBACF,+BAA+B;oBAC/B,IAAIpB,SAAS,aAAa;wBACxB,iDAAiD;wBACjD,MAAMqB,cAAeD,kBAAAA,4BAAD,AAACA,MAAoDC,WAAW;wBAEpF,IAAI,EAACA,wBAAAA,kCAAAA,YAAaC,SAAS,GAAE;4BAC3B,MAAM,IAAIC,MAAM;wBAClB;wBAEA,MAAMjB,SAAS;4BACbG,MAAM;4BACNZ;4BACAe,OAAOS,YAAYC,SAAS;4BAC5BP,kBAAkB;4BAClBE,SAAS,CAAC,iBAAiB,EAAEI,YAAYC,SAAS,CAAC,gCAAgC,CAAC;wBACtF;wBAEA,OAAO;4BACLE,SAAS;gCAAC;oCAAEf,MAAM;oCAAiBgB,MAAMC,KAAKC,SAAS,CAACrB,QAAQ,MAAM;gCAAG;6BAAE;4BAC3EsB,mBAAmB;gCAAEtB;4BAAO;wBAC9B;oBACF;oBAEA,kDAAkD;oBAClD,IAAI,CAACR,OAAO;wBACV,MAAM,IAAIyB,MAAM;oBAClB;oBAEA,qBAAqB;oBACrB,MAAMM,kBAAkB,MAAM5C,iBAAiBa,OAAO;wBAAED;oBAAQ;oBAChE,IAAI,CAACgC,iBAAiB;wBACpB,MAAM,IAAIN,MAAM,CAAC,UAAU,EAAE1B,QAAQ,qDAAqD,CAAC;oBAC7F;oBAEA,kCAAkC;oBAClC,MAAMiC,cAAc,MAAM9C,eAAec,OAAO;wBAAEwB,WAAWO;wBAAiBhC;oBAAQ;oBACtF,MAAMe,gBAAQkB,wBAAAA,kCAAAA,YAAalB,KAAK,uCAAIiB;oBACpC,MAAMhB,QAAQiB,wBAAAA,kCAAAA,YAAajB,KAAK;oBAEhC,2BAA2B;oBAC3B,IAAIE,mBAAkC;oBACtC,IAAI;wBACF,MAAMgB,QAAQ,MAAM7C,SAAsBY,OAAO;4BAAEwB,WAAWO;4BAAiBhC;wBAAQ;wBACvF,IAAIkC,kBAAAA,4BAAAA,MAAOC,SAAS,EAAE;4BACpB,MAAMC,MAAMC,KAAKD,GAAG;4BACpB,IAAIF,MAAMC,SAAS,GAAGC,KAAK;gCACzBlB,mBAAmB5B,eAAe4C,MAAMC,SAAS,GAAGC;4BACtD,OAAO;gCACLlB,mBAAmB;4BACrB;wBACF,OAAO;4BACL,yDAAyD;4BACzDA,mBAAmB;wBACrB;oBACF,EAAE,OAAM;wBACN,gFAAgF;wBAChFA,mBAAmB;oBACrB;oBAEA,MAAMT,SAAS;wBACbG,MAAM;wBACNZ;wBACAe;wBACA,GAAIC,SAAS;4BAAEA;wBAAM,CAAC;wBACtB,GAAIE,oBAAoB;4BAAEA;wBAAiB,CAAC;wBAC5CE,SAAS,CAAC,iBAAiB,EAAEL,QAAQC,QAAQ,CAAC,EAAE,EAAEA,MAAM,CAAC,CAAC,GAAG,KAAKE,mBAAmB,CAAC,qBAAqB,EAAEA,kBAAkB,GAAG,GAAG,CAAC,CAAC;oBACzI;oBAEA,OAAO;wBACLS,SAAS;4BAAC;gCAAEf,MAAM;gCAAiBgB,MAAMC,KAAKC,SAAS,CAACrB,QAAQ,MAAM;4BAAG;yBAAE;wBAC3EsB,mBAAmB;4BAAEtB;wBAAO;oBAC9B;gBACF,EAAE,OAAO6B,OAAO;wBAEdpC;oBADA,MAAMkB,UAAUkB,iBAAiBZ,QAAQY,MAAMlB,OAAO,GAAGmB,OAAOD;oBAChEpC,mBAAAA,8BAAAA,gBAAAA,OAAQoC,KAAK,cAAbpC,oCAAAA,mBAAAA,QAAgB,oBAAoB;wBAAEF;wBAASsC,OAAOlB;oBAAQ;oBAE9D,MAAM,IAAInC,SAASD,UAAUwD,aAAa,EAAE,CAAC,cAAc,EAAExC,QAAQ,eAAe,EAAEoB,SAAS,EAAE;wBAC/FqB,OAAOH,iBAAiBZ,QAAQY,MAAMG,KAAK,GAAGC;oBAChD;gBACF;YACF;QACF;KACD;IAED,MAAMC,UAAuB,EAAE;IAE/B,OAAO;QAAEvC;QAAOuC;IAAQ;AAC1B"}

package/dist/esm/lib/account-server/shared-utils.js.map

@@ -1 +1 @@
-{"version":3,"sources":["/Users/kevin/Dev/Projects/ai/mcp-z/oauth/oauth/src/lib/account-server/shared-utils.ts"],"sourcesContent":["import type { Keyv } from 'keyv';\nimport { getAccountInfo, getLinkedAccounts } from '../../account-utils.ts';\n\n/**\n * Find account ID by email or alias lookup.\n * Returns accountId if found, otherwise null.\n */\nexport async function findAccountByEmailOrAlias(store: Keyv, service: string, emailOrAlias: string): Promise<string | null> {\n  const linkedAccountIds = await getLinkedAccounts(store, { service });\n\n  // Try exact email match first\n  if (linkedAccountIds.includes(emailOrAlias)) {\n    return emailOrAlias;\n  }\n\n  // Search by alias\n  for (const accountId of linkedAccountIds) {\n    const info = await getAccountInfo(store, { accountId, service });\n    if (info?.alias === emailOrAlias) {\n      return accountId;\n    }\n  }\n\n  return null;\n}\n"],"names":["getAccountInfo","getLinkedAccounts","findAccountByEmailOrAlias","store","service","emailOrAlias","linkedAccountIds","includes","accountId","info","alias"],"mappings":"AACA,SAASA,cAAc,EAAEC,iBAAiB,QAAQ,yBAAyB;AAE3E;;;CAGC,GACD,OAAO,eAAeC,0BAA0BC,KAAW,EAAEC,OAAe,EAAEC,YAAoB;IAChG,MAAMC,mBAAmB,MAAML,kBAAkBE,OAAO;QAAEC;IAAQ;IAElE,8BAA8B;IAC9B,IAAIE,iBAAiBC,QAAQ,CAACF,eAAe;QAC3C,OAAOA;IACT;IAEA,kBAAkB;IAClB,KAAK,MAAMG,aAAaF,iBAAkB;QACxC,MAAMG,OAAO,MAAMT,eAAeG,OAAO;YAAEK;YAAWJ;QAAQ;QAC9D,IAAIK,CAAAA,iBAAAA,2BAAAA,KAAMC,KAAK,MAAKL,cAAc;YAChC,OAAOG;QACT;IACF;IAEA,OAAO;AACT"}
+{"version":3,"sources":["/Users/kevin/Dev/Projects/mcp-z/oauth/src/lib/account-server/shared-utils.ts"],"sourcesContent":["import type { Keyv } from 'keyv';\nimport { getAccountInfo, getLinkedAccounts } from '../../account-utils.ts';\n\n/**\n * Find account ID by email or alias lookup.\n * Returns accountId if found, otherwise null.\n */\nexport async function findAccountByEmailOrAlias(store: Keyv, service: string, emailOrAlias: string): Promise<string | null> {\n  const linkedAccountIds = await getLinkedAccounts(store, { service });\n\n  // Try exact email match first\n  if (linkedAccountIds.includes(emailOrAlias)) {\n    return emailOrAlias;\n  }\n\n  // Search by alias\n  for (const accountId of linkedAccountIds) {\n    const info = await getAccountInfo(store, { accountId, service });\n    if (info?.alias === emailOrAlias) {\n      return accountId;\n    }\n  }\n\n  return null;\n}\n"],"names":["getAccountInfo","getLinkedAccounts","findAccountByEmailOrAlias","store","service","emailOrAlias","linkedAccountIds","includes","accountId","info","alias"],"mappings":"AACA,SAASA,cAAc,EAAEC,iBAAiB,QAAQ,yBAAyB;AAE3E;;;CAGC,GACD,OAAO,eAAeC,0BAA0BC,KAAW,EAAEC,OAAe,EAAEC,YAAoB;IAChG,MAAMC,mBAAmB,MAAML,kBAAkBE,OAAO;QAAEC;IAAQ;IAElE,8BAA8B;IAC9B,IAAIE,iBAAiBC,QAAQ,CAACF,eAAe;QAC3C,OAAOA;IACT;IAEA,kBAAkB;IAClB,KAAK,MAAMG,aAAaF,iBAAkB;QACxC,MAAMG,OAAO,MAAMT,eAAeG,OAAO;YAAEK;YAAWJ;QAAQ;QAC9D,IAAIK,CAAAA,iBAAAA,2BAAAA,KAAMC,KAAK,MAAKL,cAAc;YAChC,OAAOG;QACT;IACF;IAEA,OAAO;AACT"}

package/dist/esm/lib/account-server/stateless.js.map

@@ -1 +1 @@
-{"version":3,"sources":["/Users/kevin/Dev/Projects/ai/mcp-z/oauth/oauth/src/lib/account-server/stateless.ts"],"sourcesContent":["/**\n * Stateless tool set for MCP OAuth mode (DCR).\n *\n * Use this when authentication is managed by the MCP client.\n * Tokens are provided per-request and not stored by the server.\n *\n * Tools:\n * - {service}-account-me: Show current user identity from bearer token\n */\n\nimport type { McpPrompt, McpTool } from '../../types.ts';\nimport { createAccountMe } from './me.ts';\nimport type { AccountStatelessConfig } from './types.ts';\n\n/**\n * Create stateless mode tools.\n * MCP client manages authentication. Server provides user identity from bearer token.\n * Returns 1 tool: account-me.\n */\nexport function createStateless(config: AccountStatelessConfig): { tools: McpTool[]; prompts: McpPrompt[] } {\n  const { service } = config;\n\n  // Create account-me tool for stateless mode\n  const meTools = createAccountMe({ service, mode: 'stateless' });\n\n  return { tools: meTools.tools, prompts: [] };\n}\n"],"names":["createAccountMe","createStateless","config","service","meTools","mode","tools","prompts"],"mappings":"AAAA;;;;;;;;CAQC,GAGD,SAASA,eAAe,QAAQ,UAAU;AAG1C;;;;CAIC,GACD,OAAO,SAASC,gBAAgBC,MAA8B;IAC5D,MAAM,EAAEC,OAAO,EAAE,GAAGD;IAEpB,4CAA4C;IAC5C,MAAME,UAAUJ,gBAAgB;QAAEG;QAASE,MAAM;IAAY;IAE7D,OAAO;QAAEC,OAAOF,QAAQE,KAAK;QAAEC,SAAS,EAAE;IAAC;AAC7C"}
+{"version":3,"sources":["/Users/kevin/Dev/Projects/mcp-z/oauth/src/lib/account-server/stateless.ts"],"sourcesContent":["/**\n * Stateless tool set for MCP OAuth mode (DCR).\n *\n * Use this when authentication is managed by the MCP client.\n * Tokens are provided per-request and not stored by the server.\n *\n * Tools:\n * - {service}-account-me: Show current user identity from bearer token\n */\n\nimport type { McpPrompt, McpTool } from '../../types.ts';\nimport { createAccountMe } from './me.ts';\nimport type { AccountStatelessConfig } from './types.ts';\n\n/**\n * Create stateless mode tools.\n * MCP client manages authentication. Server provides user identity from bearer token.\n * Returns 1 tool: account-me.\n */\nexport function createStateless(config: AccountStatelessConfig): { tools: McpTool[]; prompts: McpPrompt[] } {\n  const { service } = config;\n\n  // Create account-me tool for stateless mode\n  const meTools = createAccountMe({ service, mode: 'stateless' });\n\n  return { tools: meTools.tools, prompts: [] };\n}\n"],"names":["createAccountMe","createStateless","config","service","meTools","mode","tools","prompts"],"mappings":"AAAA;;;;;;;;CAQC,GAGD,SAASA,eAAe,QAAQ,UAAU;AAG1C;;;;CAIC,GACD,OAAO,SAASC,gBAAgBC,MAA8B;IAC5D,MAAM,EAAEC,OAAO,EAAE,GAAGD;IAEpB,4CAA4C;IAC5C,MAAME,UAAUJ,gBAAgB;QAAEG;QAASE,MAAM;IAAY;IAE7D,OAAO;QAAEC,OAAOF,QAAQE,KAAK;QAAEC,SAAS,EAAE;IAAC;AAC7C"}

package/dist/esm/lib/account-server/types.d.ts

@@ -2,7 +2,7 @@
  * Configuration types for account tool factories.
  */
 import type { Keyv } from 'keyv';
-import type { AuthEmailProvider, Logger } from '../../types.js';
+import type { AccountAuthProvider, Logger } from '../../types.js';
 /**
  * Configuration for loopback OAuth account management.
  * Supports multiple accounts with server-managed tokens (LoopbackOAuthProvider).
@@ -11,7 +11,7 @@ export interface AccountLoopbackConfig {
     service: string;
     store: Keyv;
     logger: Logger;
-    auth: AuthEmailProvider;
+    auth: AccountAuthProvider;
 }
 /**
  * Configuration for stateless mode.

package/dist/esm/lib/account-server/types.js.map

@@ -1 +1 @@
-{"version":3,"sources":["/Users/kevin/Dev/Projects/ai/mcp-z/oauth/oauth/src/lib/account-server/types.ts"],"sourcesContent":["/**\n * Configuration types for account tool factories.\n */\n\nimport type { Keyv } from 'keyv';\nimport type { AuthEmailProvider, Logger } from '../../types.ts';\n\n/**\n * Configuration for loopback OAuth account management.\n * Supports multiple accounts with server-managed tokens (LoopbackOAuthProvider).\n */\nexport interface AccountLoopbackConfig {\n  service: string;\n  store: Keyv;\n  logger: Logger;\n  auth: AuthEmailProvider;\n}\n\n/**\n * Configuration for stateless mode.\n * MCP client manages authentication. Server provides read-only status.\n */\nexport interface AccountStatelessConfig {\n  service: string;\n}\n\n/**\n * Configuration for account-me tool.\n * Works across all auth modes: loopback, stateless, device code, service account.\n */\nexport interface AccountMeConfig {\n  service: string;\n  store?: Keyv;\n  logger?: Logger;\n  mode: 'loopback' | 'stateless' | 'device-code' | 'service-account';\n}\n"],"names":[],"mappings":"AAAA;;CAEC,GAwBD;;;CAGC,GACD,WAKC"}
+{"version":3,"sources":["/Users/kevin/Dev/Projects/mcp-z/oauth/src/lib/account-server/types.ts"],"sourcesContent":["/**\n * Configuration types for account tool factories.\n */\n\nimport type { Keyv } from 'keyv';\nimport type { AccountAuthProvider, Logger } from '../../types.ts';\n\n/**\n * Configuration for loopback OAuth account management.\n * Supports multiple accounts with server-managed tokens (LoopbackOAuthProvider).\n */\nexport interface AccountLoopbackConfig {\n  service: string;\n  store: Keyv;\n  logger: Logger;\n  auth: AccountAuthProvider;\n}\n\n/**\n * Configuration for stateless mode.\n * MCP client manages authentication. Server provides read-only status.\n */\nexport interface AccountStatelessConfig {\n  service: string;\n}\n\n/**\n * Configuration for account-me tool.\n * Works across all auth modes: loopback, stateless, device code, service account.\n */\nexport interface AccountMeConfig {\n  service: string;\n  store?: Keyv;\n  logger?: Logger;\n  mode: 'loopback' | 'stateless' | 'device-code' | 'service-account';\n}\n"],"names":[],"mappings":"AAAA;;CAEC,GAwBD;;;CAGC,GACD,WAKC"}

package/dist/esm/lib/dcr-types.js.map

@@ -1 +1 @@
-{"version":3,"sources":["/Users/kevin/Dev/Projects/ai/mcp-z/oauth/oauth/src/lib/dcr-types.ts"],"sourcesContent":["/**\n * Dynamic Client Registration (DCR) types per RFC 7591\n *\n * Defines core types for OAuth 2.0 Dynamic Client Registration Protocol.\n * Used by providers to register clients dynamically with authorization servers.\n *\n * @see https://datatracker.ietf.org/doc/html/rfc7591\n */\n\nimport type { Logger } from '../types.ts';\n\n/**\n * Client metadata for dynamic registration request (RFC 7591 Section 2)\n *\n * All fields are optional per RFC 7591. Authorization server may have\n * required fields or default values based on policy.\n */\nexport interface DcrClientMetadata {\n  /** Array of redirection URI strings for redirect-based flows */\n  redirect_uris?: string[];\n\n  /** Client authentication method for token endpoint */\n  token_endpoint_auth_method?: 'none' | 'client_secret_post' | 'client_secret_basic';\n\n  /** OAuth 2.0 grant types the client may use */\n  grant_types?: string[];\n\n  /** OAuth 2.0 response types the client may use */\n  response_types?: string[];\n\n  /** Human-readable client name */\n  client_name?: string;\n\n  /** URL providing information about the client */\n  client_uri?: string;\n\n  /** URL referencing a logo for the client */\n  logo_uri?: string;\n\n  /** Space-separated list of scope values */\n  scope?: string;\n\n  /** Array of contact strings (typically email addresses) */\n  contacts?: string[];\n\n  /** URL pointing to terms of service document */\n  tos_uri?: string;\n\n  /** URL pointing to privacy policy document */\n  policy_uri?: string;\n\n  /** URL referencing the client's JSON Web Key Set */\n  jwks_uri?: string;\n\n  /** Client's JSON Web Key Set document value */\n  jwks?: object;\n\n  /** Unique identifier for the client software */\n  software_id?: string;\n\n  /** Version identifier for the client software */\n  software_version?: string;\n\n  /** JWT containing client metadata claims (signed software statement) */\n  software_statement?: string;\n}\n\n/**\n * Client information response from successful registration (RFC 7591 Section 3.2.1)\n *\n * Authorization server returns client credentials and echoes/modifies metadata.\n * client_id is always returned, client_secret is optional for public clients.\n */\nexport interface DcrClientInformation {\n  /** REQUIRED: OAuth 2.0 client identifier string */\n  client_id: string;\n\n  /** OPTIONAL: OAuth 2.0 client secret (omitted for public clients) */\n  client_secret?: string;\n\n  /** OPTIONAL: Timestamp of client ID issuance (seconds since Unix epoch) */\n  client_id_issued_at?: number;\n\n  /**\n   * REQUIRED if client_secret issued: Expiration timestamp (seconds since epoch)\n   * Value of 0 indicates the secret does not expire\n   */\n  client_secret_expires_at?: number;\n\n  // All registered metadata fields (echoed or server-modified)\n  redirect_uris?: string[];\n  token_endpoint_auth_method?: string;\n  grant_types?: string[];\n  response_types?: string[];\n  client_name?: string;\n  client_uri?: string;\n  logo_uri?: string;\n  scope?: string;\n  contacts?: string[];\n  tos_uri?: string;\n  policy_uri?: string;\n  jwks_uri?: string;\n  jwks?: object;\n  software_id?: string;\n  software_version?: string;\n}\n\n/**\n * Provider tokens for stateless DCR pattern\n *\n * In stateless mode, DCR provider receives provider credentials from context\n * rather than managing token storage. Used for MCP server deployments where\n * client manages all tokens.\n */\nexport interface ProviderTokens {\n  /** OAuth 2.0 access token for provider API calls */\n  accessToken: string;\n\n  /** Optional refresh token for token renewal */\n  refreshToken?: string;\n\n  /** Token expiration timestamp (seconds since Unix epoch) */\n  expiresAt?: number;\n\n  /** Space-separated list of granted scopes */\n  scope?: string;\n}\n\n/**\n * Configuration for DCR provider initialization\n *\n * Minimal config for creating DCR provider instances. Additional provider-specific\n * config (client IDs, secrets, redirect URIs) handled by concrete implementations.\n */\nexport interface DcrConfig {\n  /** Authorization server's registration endpoint URL */\n  registrationEndpoint: string;\n\n  /** Client metadata to register with authorization server */\n  metadata: DcrClientMetadata;\n\n  /** Optional logger for DCR operations */\n  logger?: Logger;\n}\n\n/**\n * DCR error response per RFC 7591 Section 3.2.2\n *\n * Authorization server returns HTTP 400 with error details when\n * registration fails due to invalid metadata or policy violations.\n */\nexport interface DcrErrorResponse {\n  /** REQUIRED: Single ASCII error code string */\n  error: 'invalid_redirect_uri' | 'invalid_client_metadata' | 'invalid_software_statement' | 'unapproved_software_statement' | string;\n\n  /** OPTIONAL: Human-readable ASCII description */\n  error_description?: string;\n}\n"],"names":[],"mappings":"AAAA;;;;;;;CAOC,GA0ID;;;;;CAKC,GACD,WAMC"}
+{"version":3,"sources":["/Users/kevin/Dev/Projects/mcp-z/oauth/src/lib/dcr-types.ts"],"sourcesContent":["/**\n * Dynamic Client Registration (DCR) types per RFC 7591\n *\n * Defines core types for OAuth 2.0 Dynamic Client Registration Protocol.\n * Used by providers to register clients dynamically with authorization servers.\n *\n * @see https://datatracker.ietf.org/doc/html/rfc7591\n */\n\nimport type { Logger } from '../types.ts';\n\n/**\n * Client metadata for dynamic registration request (RFC 7591 Section 2)\n *\n * All fields are optional per RFC 7591. Authorization server may have\n * required fields or default values based on policy.\n */\nexport interface DcrClientMetadata {\n  /** Array of redirection URI strings for redirect-based flows */\n  redirect_uris?: string[];\n\n  /** Client authentication method for token endpoint */\n  token_endpoint_auth_method?: 'none' | 'client_secret_post' | 'client_secret_basic';\n\n  /** OAuth 2.0 grant types the client may use */\n  grant_types?: string[];\n\n  /** OAuth 2.0 response types the client may use */\n  response_types?: string[];\n\n  /** Human-readable client name */\n  client_name?: string;\n\n  /** URL providing information about the client */\n  client_uri?: string;\n\n  /** URL referencing a logo for the client */\n  logo_uri?: string;\n\n  /** Space-separated list of scope values */\n  scope?: string;\n\n  /** Array of contact strings (typically email addresses) */\n  contacts?: string[];\n\n  /** URL pointing to terms of service document */\n  tos_uri?: string;\n\n  /** URL pointing to privacy policy document */\n  policy_uri?: string;\n\n  /** URL referencing the client's JSON Web Key Set */\n  jwks_uri?: string;\n\n  /** Client's JSON Web Key Set document value */\n  jwks?: object;\n\n  /** Unique identifier for the client software */\n  software_id?: string;\n\n  /** Version identifier for the client software */\n  software_version?: string;\n\n  /** JWT containing client metadata claims (signed software statement) */\n  software_statement?: string;\n}\n\n/**\n * Client information response from successful registration (RFC 7591 Section 3.2.1)\n *\n * Authorization server returns client credentials and echoes/modifies metadata.\n * client_id is always returned, client_secret is optional for public clients.\n */\nexport interface DcrClientInformation {\n  /** REQUIRED: OAuth 2.0 client identifier string */\n  client_id: string;\n\n  /** OPTIONAL: OAuth 2.0 client secret (omitted for public clients) */\n  client_secret?: string;\n\n  /** OPTIONAL: Timestamp of client ID issuance (seconds since Unix epoch) */\n  client_id_issued_at?: number;\n\n  /**\n   * REQUIRED if client_secret issued: Expiration timestamp (seconds since epoch)\n   * Value of 0 indicates the secret does not expire\n   */\n  client_secret_expires_at?: number;\n\n  // All registered metadata fields (echoed or server-modified)\n  redirect_uris?: string[];\n  token_endpoint_auth_method?: string;\n  grant_types?: string[];\n  response_types?: string[];\n  client_name?: string;\n  client_uri?: string;\n  logo_uri?: string;\n  scope?: string;\n  contacts?: string[];\n  tos_uri?: string;\n  policy_uri?: string;\n  jwks_uri?: string;\n  jwks?: object;\n  software_id?: string;\n  software_version?: string;\n}\n\n/**\n * Provider tokens for stateless DCR pattern\n *\n * In stateless mode, DCR provider receives provider credentials from context\n * rather than managing token storage. Used for MCP server deployments where\n * client manages all tokens.\n */\nexport interface ProviderTokens {\n  /** OAuth 2.0 access token for provider API calls */\n  accessToken: string;\n\n  /** Optional refresh token for token renewal */\n  refreshToken?: string;\n\n  /** Token expiration timestamp (seconds since Unix epoch) */\n  expiresAt?: number;\n\n  /** Space-separated list of granted scopes */\n  scope?: string;\n}\n\n/**\n * Configuration for DCR provider initialization\n *\n * Minimal config for creating DCR provider instances. Additional provider-specific\n * config (client IDs, secrets, redirect URIs) handled by concrete implementations.\n */\nexport interface DcrConfig {\n  /** Authorization server's registration endpoint URL */\n  registrationEndpoint: string;\n\n  /** Client metadata to register with authorization server */\n  metadata: DcrClientMetadata;\n\n  /** Optional logger for DCR operations */\n  logger?: Logger;\n}\n\n/**\n * DCR error response per RFC 7591 Section 3.2.2\n *\n * Authorization server returns HTTP 400 with error details when\n * registration fails due to invalid metadata or policy violations.\n */\nexport interface DcrErrorResponse {\n  /** REQUIRED: Single ASCII error code string */\n  error: 'invalid_redirect_uri' | 'invalid_client_metadata' | 'invalid_software_statement' | 'unapproved_software_statement' | string;\n\n  /** OPTIONAL: Human-readable ASCII description */\n  error_description?: string;\n}\n"],"names":[],"mappings":"AAAA;;;;;;;CAOC,GA0ID;;;;;CAKC,GACD,WAMC"}

package/dist/esm/lib/rfc-metadata-types.js.map

@@ -1 +1 @@
-{"version":3,"sources":["/Users/kevin/Dev/Projects/ai/mcp-z/oauth/oauth/src/lib/rfc-metadata-types.ts"],"sourcesContent":["/**\n * RFC 8414 Authorization Server Metadata\n * @see https://www.rfc-editor.org/rfc/rfc8414.html\n */\nexport interface RFC8414Metadata {\n  /** Authorization server issuer URL */\n  issuer: string;\n  /** OAuth 2.0 authorization endpoint */\n  authorization_endpoint: string;\n  /** OAuth 2.0 token endpoint */\n  token_endpoint: string;\n  /** Dynamic Client Registration endpoint (RFC 7591) */\n  registration_endpoint: string;\n  /** Optional: Token revocation endpoint */\n  revocation_endpoint?: string;\n  /** Optional: Supported OAuth scopes */\n  scopes_supported?: string[];\n  /** Optional: Supported response types */\n  response_types_supported?: string[];\n  /** Optional: Supported grant types */\n  grant_types_supported?: string[];\n  /** Optional: Supported token endpoint auth methods */\n  token_endpoint_auth_methods_supported?: string[];\n  /** Optional: Supported PKCE code challenge methods (RFC 7636) */\n  code_challenge_methods_supported?: string[];\n  /** Optional: Service documentation URL */\n  service_documentation?: string;\n  /** Allow additional provider-specific fields */\n  [key: string]: unknown;\n}\n\n/**\n * RFC 9728 Protected Resource Metadata\n * @see https://www.rfc-editor.org/rfc/rfc9728.html\n */\nexport interface RFC9728Metadata {\n  /** Protected resource URL */\n  resource: string;\n  /** List of authorization servers that can issue tokens for this resource */\n  authorization_servers: string[];\n  /** OAuth scopes supported by this resource */\n  scopes_supported: string[];\n  /** Methods for providing bearer tokens (typically ['header']) */\n  bearer_methods_supported: string[];\n  /** Allow additional provider-specific fields */\n  [key: string]: unknown;\n}\n"],"names":[],"mappings":"AAAA;;;CAGC,GA4BD;;;CAGC,GACD,WAWC"}
+{"version":3,"sources":["/Users/kevin/Dev/Projects/mcp-z/oauth/src/lib/rfc-metadata-types.ts"],"sourcesContent":["/**\n * RFC 8414 Authorization Server Metadata\n * @see https://www.rfc-editor.org/rfc/rfc8414.html\n */\nexport interface RFC8414Metadata {\n  /** Authorization server issuer URL */\n  issuer: string;\n  /** OAuth 2.0 authorization endpoint */\n  authorization_endpoint: string;\n  /** OAuth 2.0 token endpoint */\n  token_endpoint: string;\n  /** Dynamic Client Registration endpoint (RFC 7591) */\n  registration_endpoint: string;\n  /** Optional: Token revocation endpoint */\n  revocation_endpoint?: string;\n  /** Optional: Supported OAuth scopes */\n  scopes_supported?: string[];\n  /** Optional: Supported response types */\n  response_types_supported?: string[];\n  /** Optional: Supported grant types */\n  grant_types_supported?: string[];\n  /** Optional: Supported token endpoint auth methods */\n  token_endpoint_auth_methods_supported?: string[];\n  /** Optional: Supported PKCE code challenge methods (RFC 7636) */\n  code_challenge_methods_supported?: string[];\n  /** Optional: Service documentation URL */\n  service_documentation?: string;\n  /** Allow additional provider-specific fields */\n  [key: string]: unknown;\n}\n\n/**\n * RFC 9728 Protected Resource Metadata\n * @see https://www.rfc-editor.org/rfc/rfc9728.html\n */\nexport interface RFC9728Metadata {\n  /** Protected resource URL */\n  resource: string;\n  /** List of authorization servers that can issue tokens for this resource */\n  authorization_servers: string[];\n  /** OAuth scopes supported by this resource */\n  scopes_supported: string[];\n  /** Methods for providing bearer tokens (typically ['header']) */\n  bearer_methods_supported: string[];\n  /** Allow additional provider-specific fields */\n  [key: string]: unknown;\n}\n"],"names":[],"mappings":"AAAA;;;CAGC,GA4BD;;;CAGC,GACD,WAWC"}

package/dist/esm/pkce.js.map

@@ -1 +1 @@
-{"version":3,"sources":["/Users/kevin/Dev/Projects/ai/mcp-z/oauth/oauth/src/pkce.ts"],"sourcesContent":["/**\n * PKCE (Proof Key for Code Exchange) utilities for OAuth 2.0\n *\n * Implements RFC 7636 PKCE extension for public OAuth clients.\n * Generates cryptographically secure code verifier and challenge.\n */\n\nimport { createHash, randomBytes } from 'crypto';\n\n/**\n * PKCE code verifier and challenge pair\n */\nexport interface PKCEPair {\n  /** Code verifier - random string sent to token endpoint */\n  verifier: string;\n  /** Code challenge - SHA256 hash of verifier sent to authorization endpoint */\n  challenge: string;\n}\n\n/**\n * Generate PKCE code verifier and challenge pair\n *\n * Uses SHA-256 hashing (S256 method) as recommended by RFC 7636.\n * Code verifier is 32 random bytes base64url-encoded (43 characters).\n *\n * @returns PKCE pair with verifier and challenge\n *\n * @example\n * ```typescript\n * const { verifier, challenge } = generatePKCE();\n *\n * // Use challenge in authorization URL\n * authUrl.searchParams.set('code_challenge', challenge);\n * authUrl.searchParams.set('code_challenge_method', 'S256');\n *\n * // Later, use verifier in token exchange\n * tokenParams.code_verifier = verifier;\n * ```\n */\nexport function generatePKCE(): PKCEPair {\n  const verifier = randomBytes(32).toString('base64url');\n  const challenge = createHash('sha256').update(verifier).digest('base64url');\n\n  return {\n    verifier,\n    challenge,\n  };\n}\n"],"names":["createHash","randomBytes","generatePKCE","verifier","toString","challenge","update","digest"],"mappings":"AAAA;;;;;CAKC,GAED,SAASA,UAAU,EAAEC,WAAW,QAAQ,SAAS;AAYjD;;;;;;;;;;;;;;;;;;;CAmBC,GACD,OAAO,SAASC;IACd,MAAMC,WAAWF,YAAY,IAAIG,QAAQ,CAAC;IAC1C,MAAMC,YAAYL,WAAW,UAAUM,MAAM,CAACH,UAAUI,MAAM,CAAC;IAE/D,OAAO;QACLJ;QACAE;IACF;AACF"}
+{"version":3,"sources":["/Users/kevin/Dev/Projects/mcp-z/oauth/src/pkce.ts"],"sourcesContent":["/**\n * PKCE (Proof Key for Code Exchange) utilities for OAuth 2.0\n *\n * Implements RFC 7636 PKCE extension for public OAuth clients.\n * Generates cryptographically secure code verifier and challenge.\n */\n\nimport { createHash, randomBytes } from 'crypto';\n\n/**\n * PKCE code verifier and challenge pair\n */\nexport interface PKCEPair {\n  /** Code verifier - random string sent to token endpoint */\n  verifier: string;\n  /** Code challenge - SHA256 hash of verifier sent to authorization endpoint */\n  challenge: string;\n}\n\n/**\n * Generate PKCE code verifier and challenge pair\n *\n * Uses SHA-256 hashing (S256 method) as recommended by RFC 7636.\n * Code verifier is 32 random bytes base64url-encoded (43 characters).\n *\n * @returns PKCE pair with verifier and challenge\n *\n * @example\n * ```typescript\n * const { verifier, challenge } = generatePKCE();\n *\n * // Use challenge in authorization URL\n * authUrl.searchParams.set('code_challenge', challenge);\n * authUrl.searchParams.set('code_challenge_method', 'S256');\n *\n * // Later, use verifier in token exchange\n * tokenParams.code_verifier = verifier;\n * ```\n */\nexport function generatePKCE(): PKCEPair {\n  const verifier = randomBytes(32).toString('base64url');\n  const challenge = createHash('sha256').update(verifier).digest('base64url');\n\n  return {\n    verifier,\n    challenge,\n  };\n}\n"],"names":["createHash","randomBytes","generatePKCE","verifier","toString","challenge","update","digest"],"mappings":"AAAA;;;;;CAKC,GAED,SAASA,UAAU,EAAEC,WAAW,QAAQ,SAAS;AAYjD;;;;;;;;;;;;;;;;;;;CAmBC,GACD,OAAO,SAASC;IACd,MAAMC,WAAWF,YAAY,IAAIG,QAAQ,CAAC;IAC1C,MAAMC,YAAYL,WAAW,UAAUM,MAAM,CAACH,UAAUI,MAAM,CAAC;IAE/D,OAAO;QACLJ;QACAE;IACF;AACF"}

package/dist/esm/sanitizer.js.map

@@ -1 +1 @@
-{"version":3,"sources":["/Users/kevin/Dev/Projects/ai/mcp-z/oauth/oauth/src/sanitizer.ts"],"sourcesContent":["/**\n * Data sanitization utilities for secure logging.\n * Redacts sensitive OAuth tokens, API keys, and credentials from log output.\n *\n * @example\n * ```typescript\n * sanitizeData({ accountId: 'test@example.com', access_token: 'secret_token_value' })\n * // { accountId: 'test@example.com', access_token: 'secr****alue' }\n *\n * sanitizeForLogging('Processing token', { token: 'secret_value' })\n * // { message: 'Processing token', meta: { token: 'secr****alue' } }\n * ```\n */\n\n/** Regex patterns for sensitive data that should be redacted from logs */\nconst SENSITIVE_PATTERNS = [\n  // OAuth tokens, codes, and secrets\n  /access_token['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /(access_token_[a-zA-Z0-9_]+)/gi,\n  /refresh_token['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /client_secret['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /id_token['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /\\bcode['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /\\bstate['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /code_verifier['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /code_challenge['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /codeVerifier['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /codeChallenge['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /device_code['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /user_code['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /verification_uri['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /verification_uri_complete['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n\n  // Provider credentials and identifiers\n  /app_secret['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /appSecret['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /tenant_id['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /tenantId['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /client_id['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /clientId['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /app_id['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /appId['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /redirect_uri['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /redirectUri['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /subscription_key['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /subscriptionKey['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n\n  // Security secrets and keys\n  /webhook_secret['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /webhookSecret['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /signing_secret['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /signingSecret['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /encryption_key['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /encryptionKey['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /private_key['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /privateKey['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /certificate['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /cert['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n\n  // Authorization headers\n  /Authorization['\":\\s]*['\"]\\s*Bearer\\s+([^'\"]+)['\"]/gi,\n  /authorization['\":\\s]*['\"]\\s*Bearer\\s+([^'\"]+)['\"]/gi,\n  /Bearer\\s+([A-Za-z0-9+/=\\-_.]+)/gi,\n  /Authorization:\\s*Bearer\\s+([A-Za-z0-9+/=\\-_.]+)/gi,\n  /[A-Z_]+_(SECRET|KEY|TOKEN|PASSWORD)['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n\n  // Session and CSRF tokens\n  /\\bnonce['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /session[_-]?id['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /csrf[_-]?token['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n\n  // Other sensitive patterns\n  /\"email\"\\s*:\\s*\"([^@\"]{1,64}@[^.\"]{1,63}\\.[a-z]{2,6})\"/gi,\n  /api[_-]?key['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /password['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /\\b(ey[A-Za-z0-9+/=]+\\.[A-Za-z0-9+/=]+\\.[A-Za-z0-9+/=\\-_]+)/g,\n\n  // Base64 secrets (split into length ranges for practical matching)\n  /\\b([A-Za-z0-9+/]{60,200}={0,2})\\b/g,\n  /\\b([A-Za-z0-9+/]{201,1000}={0,2})\\b/g,\n  /\\b([A-Za-z0-9+/]{1001,5000}={0,2})\\b/g,\n\n  // Connection identifiers\n  /connection[_-]?id['\":\\s]*['\"]\\s*([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})['\"]/gi,\n];\n\n/** Field names that should be redacted when found as object keys */\nconst SENSITIVE_FIELDS = new Set([\n  'access_token',\n  'accessToken',\n  'refresh_token',\n  'refreshToken',\n  'client_secret',\n  'clientSecret',\n  'id_token',\n  'idToken',\n  'code',\n  'authorization_code',\n  'authorizationCode',\n  'device_code',\n  'deviceCode',\n  'user_code',\n  'userCode',\n  'verification_uri',\n  'verificationUri',\n  'verification_uri_complete',\n  'verificationUriComplete',\n  'client_id',\n  'clientId',\n  'app_id',\n  'appId',\n  'app_secret',\n  'appSecret',\n  'tenant_id',\n  'tenantId',\n  'bot_id',\n  'botId',\n  'workspace_id',\n  'workspaceId',\n  'organization_id',\n  'organizationId',\n  'redirect_uri',\n  'redirectUri',\n  'audience',\n  'realm',\n  'domain',\n  'webhook_secret',\n  'webhookSecret',\n  'signing_secret',\n  'signingSecret',\n  'subscription_key',\n  'subscriptionKey',\n  'encryption_key',\n  'encryptionKey',\n  'private_key',\n  'privateKey',\n  'certificate',\n  'cert',\n  'stripe-signature',\n  'x-hub-signature',\n  'x-hub-signature-256',\n  'x-slack-signature',\n  'x-mcp-z-webhook-secret',\n  'password',\n  'secret',\n  'token',\n  'authorization',\n  'credential',\n  'auth',\n  'verifier',\n  'challenge',\n  'code_verifier',\n  'codeVerifier',\n  'code_challenge',\n  'codeChallenge',\n  'nonce',\n  'session_id',\n  'sessionId',\n  'csrf_token',\n  'csrfToken',\n  'api_key',\n  'apiKey',\n  'state',\n  'connection_id',\n  'connectionId',\n  'gmail_connection_id',\n  'gmailConnectionId',\n]);\n\nfunction isAlreadySanitized(value: string): boolean {\n  return value.includes('****') || value.includes('[REDACTED]') || value === '[REDACTED]';\n}\n\nfunction redactValue(value: string): string {\n  if (isAlreadySanitized(value)) {\n    return value;\n  }\n\n  if (value.length <= 8) {\n    return '*'.repeat(value.length);\n  }\n\n  // Show first 4 and last 4 characters\n  return `${value.substring(0, 4)}****${value.substring(value.length - 4)}`;\n}\n\nexport function sanitizeData(data: unknown): unknown {\n  if (typeof data === 'string') {\n    if (isAlreadySanitized(data)) {\n      return data;\n    }\n\n    let sanitized = data;\n    for (const pattern of SENSITIVE_PATTERNS) {\n      sanitized = sanitized.replace(pattern, (match, captured) => {\n        if (typeof captured === 'string') {\n          const redacted = redactValue(captured);\n          return match.replace(captured, redacted);\n        }\n        return match;\n      });\n    }\n\n    return sanitized;\n  }\n\n  if (Array.isArray(data)) {\n    return data.map(sanitizeData);\n  }\n\n  if (data && typeof data === 'object') {\n    const sanitized: Record<string, unknown> = {};\n\n    for (const [key, value] of Object.entries(data)) {\n      const lowerKey = key.toLowerCase();\n\n      if (SENSITIVE_FIELDS.has(lowerKey) || SENSITIVE_FIELDS.has(key)) {\n        if (typeof value === 'string') {\n          sanitized[key] = redactValue(value);\n        } else {\n          sanitized[key] = '[REDACTED]';\n        }\n      } else {\n        sanitized[key] = sanitizeData(value);\n      }\n    }\n\n    return sanitized;\n  }\n\n  return data;\n}\n\n/**\n * Prevent log injection attacks by escaping control characters\n * SECURITY: Critical for preventing CRLF injection (OWASP A03)\n */\nexport function sanitizeLogMessage(message: string, maxLength = 50000): string {\n  if (typeof message !== 'string') {\n    return String(message);\n  }\n\n  // Truncation protection - prevent log poisoning via huge payloads\n  let processedMessage = message;\n  if (processedMessage.length > maxLength) {\n    processedMessage = `${processedMessage.substring(0, maxLength)} [TRUNCATED]`;\n  }\n\n  return (\n    processedMessage\n      .normalize('NFKC')\n      .replace(/\\r\\n|\\r|\\n/g, ' ')\n      .replace(/\\t/g, ' ')\n      // biome-ignore lint/suspicious/noControlCharactersInRegex: Security sanitization requires control character removal\n      .replace(/[\\x00-\\x1F\\x7F-\\x9F]/g, '')\n      .replace(/[\\u200B-\\u200D\\uFEFF]/g, '') // Zero-width chars used for obfuscation\n      .trim()\n  );\n}\n\n/**\n * Sanitize log message and metadata for safe logging\n * Applies both CRLF protection and sensitive data redaction\n *\n * @param message - The log message to sanitize\n * @param meta - Optional metadata object to sanitize\n * @param enableDataSanitization - Whether to apply sensitive data redaction (default: true)\n * @returns Sanitized message and metadata ready for logging\n */\nexport function sanitizeForLogging(message: string, meta?: Record<string, unknown>, enableDataSanitization = true): { message: string; meta: Record<string, unknown> } {\n  const cleanMessage = sanitizeLogMessage(message);\n\n  if (!enableDataSanitization) {\n    return {\n      message: cleanMessage,\n      meta: meta || {},\n    };\n  }\n\n  return {\n    message: sanitizeData(cleanMessage) as string,\n    meta: sanitizeData(meta || {}) as Record<string, unknown>,\n  };\n}\n\nexport function sanitizeForLoggingFormatter() {\n  return {\n    log: (obj) => {\n      const message = (obj.msg || obj.message || '') as string;\n      const { message: clean, meta } = sanitizeForLogging(message, obj as Record<string, unknown>);\n      return { ...meta, msg: clean };\n    },\n  };\n}\n"],"names":["SENSITIVE_PATTERNS","SENSITIVE_FIELDS","Set","isAlreadySanitized","value","includes","redactValue","length","repeat","substring","sanitizeData","data","sanitized","pattern","replace","match","captured","redacted","Array","isArray","map","key","Object","entries","lowerKey","toLowerCase","has","sanitizeLogMessage","message","maxLength","String","processedMessage","normalize","trim","sanitizeForLogging","meta","enableDataSanitization","cleanMessage","sanitizeForLoggingFormatter","log","obj","msg","clean"],"mappings":"AAAA;;;;;;;;;;;;CAYC,GAED,wEAAwE,GACxE,MAAMA,qBAAqB;IACzB,mCAAmC;IACnC;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IAEA,uCAAuC;IACvC;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IAEA,4BAA4B;IAC5B;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IAEA,wBAAwB;IACxB;IACA;IACA;IACA;IACA;IAEA,0BAA0B;IAC1B;IACA;IACA;IAEA,2BAA2B;IAC3B;IACA;IACA;IACA;IAEA,mEAAmE;IACnE;IACA;IACA;IAEA,yBAAyB;IACzB;CACD;AAED,kEAAkE,GAClE,MAAMC,mBAAmB,IAAIC,IAAI;IAC/B;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;CACD;AAED,SAASC,mBAAmBC,KAAa;IACvC,OAAOA,MAAMC,QAAQ,CAAC,WAAWD,MAAMC,QAAQ,CAAC,iBAAiBD,UAAU;AAC7E;AAEA,SAASE,YAAYF,KAAa;IAChC,IAAID,mBAAmBC,QAAQ;QAC7B,OAAOA;IACT;IAEA,IAAIA,MAAMG,MAAM,IAAI,GAAG;QACrB,OAAO,IAAIC,MAAM,CAACJ,MAAMG,MAAM;IAChC;IAEA,qCAAqC;IACrC,OAAO,GAAGH,MAAMK,SAAS,CAAC,GAAG,GAAG,IAAI,EAAEL,MAAMK,SAAS,CAACL,MAAMG,MAAM,GAAG,IAAI;AAC3E;AAEA,OAAO,SAASG,aAAaC,IAAa;IACxC,IAAI,OAAOA,SAAS,UAAU;QAC5B,IAAIR,mBAAmBQ,OAAO;YAC5B,OAAOA;QACT;QAEA,IAAIC,YAAYD;QAChB,KAAK,MAAME,WAAWb,mBAAoB;YACxCY,YAAYA,UAAUE,OAAO,CAACD,SAAS,CAACE,OAAOC;gBAC7C,IAAI,OAAOA,aAAa,UAAU;oBAChC,MAAMC,WAAWX,YAAYU;oBAC7B,OAAOD,MAAMD,OAAO,CAACE,UAAUC;gBACjC;gBACA,OAAOF;YACT;QACF;QAEA,OAAOH;IACT;IAEA,IAAIM,MAAMC,OAAO,CAACR,OAAO;QACvB,OAAOA,KAAKS,GAAG,CAACV;IAClB;IAEA,IAAIC,QAAQ,OAAOA,SAAS,UAAU;QACpC,MAAMC,YAAqC,CAAC;QAE5C,KAAK,MAAM,CAACS,KAAKjB,MAAM,IAAIkB,OAAOC,OAAO,CAACZ,MAAO;YAC/C,MAAMa,WAAWH,IAAII,WAAW;YAEhC,IAAIxB,iBAAiByB,GAAG,CAACF,aAAavB,iBAAiByB,GAAG,CAACL,MAAM;gBAC/D,IAAI,OAAOjB,UAAU,UAAU;oBAC7BQ,SAAS,CAACS,IAAI,GAAGf,YAAYF;gBAC/B,OAAO;oBACLQ,SAAS,CAACS,IAAI,GAAG;gBACnB;YACF,OAAO;gBACLT,SAAS,CAACS,IAAI,GAAGX,aAAaN;YAChC;QACF;QAEA,OAAOQ;IACT;IAEA,OAAOD;AACT;AAEA;;;CAGC,GACD,OAAO,SAASgB,mBAAmBC,OAAe,EAAEC,YAAY,KAAK;IACnE,IAAI,OAAOD,YAAY,UAAU;QAC/B,OAAOE,OAAOF;IAChB;IAEA,kEAAkE;IAClE,IAAIG,mBAAmBH;IACvB,IAAIG,iBAAiBxB,MAAM,GAAGsB,WAAW;QACvCE,mBAAmB,GAAGA,iBAAiBtB,SAAS,CAAC,GAAGoB,WAAW,YAAY,CAAC;IAC9E;IAEA,OACEE,iBACGC,SAAS,CAAC,QACVlB,OAAO,CAAC,eAAe,KACvBA,OAAO,CAAC,OAAO,IAChB,oHAAoH;KACnHA,OAAO,CAAC,yBAAyB,IACjCA,OAAO,CAAC,0BAA0B,IAAI,wCAAwC;KAC9EmB,IAAI;AAEX;AAEA;;;;;;;;CAQC,GACD,OAAO,SAASC,mBAAmBN,OAAe,EAAEO,IAA8B,EAAEC,yBAAyB,IAAI;IAC/G,MAAMC,eAAeV,mBAAmBC;IAExC,IAAI,CAACQ,wBAAwB;QAC3B,OAAO;YACLR,SAASS;YACTF,MAAMA,QAAQ,CAAC;QACjB;IACF;IAEA,OAAO;QACLP,SAASlB,aAAa2B;QACtBF,MAAMzB,aAAayB,QAAQ,CAAC;IAC9B;AACF;AAEA,OAAO,SAASG;IACd,OAAO;QACLC,KAAK,CAACC;YACJ,MAAMZ,UAAWY,IAAIC,GAAG,IAAID,IAAIZ,OAAO,IAAI;YAC3C,MAAM,EAAEA,SAASc,KAAK,EAAEP,IAAI,EAAE,GAAGD,mBAAmBN,SAASY;YAC7D,OAAO;gBAAE,GAAGL,IAAI;gBAAEM,KAAKC;YAAM;QAC/B;IACF;AACF"}
+{"version":3,"sources":["/Users/kevin/Dev/Projects/mcp-z/oauth/src/sanitizer.ts"],"sourcesContent":["/**\n * Data sanitization utilities for secure logging.\n * Redacts sensitive OAuth tokens, API keys, and credentials from log output.\n *\n * @example\n * ```typescript\n * sanitizeData({ accountId: 'test@example.com', access_token: 'secret_token_value' })\n * // { accountId: 'test@example.com', access_token: 'secr****alue' }\n *\n * sanitizeForLogging('Processing token', { token: 'secret_value' })\n * // { message: 'Processing token', meta: { token: 'secr****alue' } }\n * ```\n */\n\n/** Regex patterns for sensitive data that should be redacted from logs */\nconst SENSITIVE_PATTERNS = [\n  // OAuth tokens, codes, and secrets\n  /access_token['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /(access_token_[a-zA-Z0-9_]+)/gi,\n  /refresh_token['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /client_secret['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /id_token['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /\\bcode['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /\\bstate['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /code_verifier['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /code_challenge['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /codeVerifier['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /codeChallenge['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /device_code['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /user_code['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /verification_uri['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /verification_uri_complete['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n\n  // Provider credentials and identifiers\n  /app_secret['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /appSecret['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /tenant_id['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /tenantId['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /client_id['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /clientId['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /app_id['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /appId['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /redirect_uri['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /redirectUri['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /subscription_key['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /subscriptionKey['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n\n  // Security secrets and keys\n  /webhook_secret['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /webhookSecret['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /signing_secret['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /signingSecret['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /encryption_key['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /encryptionKey['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /private_key['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /privateKey['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /certificate['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /cert['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n\n  // Authorization headers\n  /Authorization['\":\\s]*['\"]\\s*Bearer\\s+([^'\"]+)['\"]/gi,\n  /authorization['\":\\s]*['\"]\\s*Bearer\\s+([^'\"]+)['\"]/gi,\n  /Bearer\\s+([A-Za-z0-9+/=\\-_.]+)/gi,\n  /Authorization:\\s*Bearer\\s+([A-Za-z0-9+/=\\-_.]+)/gi,\n  /[A-Z_]+_(SECRET|KEY|TOKEN|PASSWORD)['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n\n  // Session and CSRF tokens\n  /\\bnonce['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /session[_-]?id['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /csrf[_-]?token['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n\n  // Other sensitive patterns\n  /\"email\"\\s*:\\s*\"([^@\"]{1,64}@[^.\"]{1,63}\\.[a-z]{2,6})\"/gi,\n  /api[_-]?key['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /password['\":\\s]*['\"]\\s*([^'\"]+)['\"]/gi,\n  /\\b(ey[A-Za-z0-9+/=]+\\.[A-Za-z0-9+/=]+\\.[A-Za-z0-9+/=\\-_]+)/g,\n\n  // Base64 secrets (split into length ranges for practical matching)\n  /\\b([A-Za-z0-9+/]{60,200}={0,2})\\b/g,\n  /\\b([A-Za-z0-9+/]{201,1000}={0,2})\\b/g,\n  /\\b([A-Za-z0-9+/]{1001,5000}={0,2})\\b/g,\n\n  // Connection identifiers\n  /connection[_-]?id['\":\\s]*['\"]\\s*([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})['\"]/gi,\n];\n\n/** Field names that should be redacted when found as object keys */\nconst SENSITIVE_FIELDS = new Set([\n  'access_token',\n  'accessToken',\n  'refresh_token',\n  'refreshToken',\n  'client_secret',\n  'clientSecret',\n  'id_token',\n  'idToken',\n  'code',\n  'authorization_code',\n  'authorizationCode',\n  'device_code',\n  'deviceCode',\n  'user_code',\n  'userCode',\n  'verification_uri',\n  'verificationUri',\n  'verification_uri_complete',\n  'verificationUriComplete',\n  'client_id',\n  'clientId',\n  'app_id',\n  'appId',\n  'app_secret',\n  'appSecret',\n  'tenant_id',\n  'tenantId',\n  'bot_id',\n  'botId',\n  'workspace_id',\n  'workspaceId',\n  'organization_id',\n  'organizationId',\n  'redirect_uri',\n  'redirectUri',\n  'audience',\n  'realm',\n  'domain',\n  'webhook_secret',\n  'webhookSecret',\n  'signing_secret',\n  'signingSecret',\n  'subscription_key',\n  'subscriptionKey',\n  'encryption_key',\n  'encryptionKey',\n  'private_key',\n  'privateKey',\n  'certificate',\n  'cert',\n  'stripe-signature',\n  'x-hub-signature',\n  'x-hub-signature-256',\n  'x-slack-signature',\n  'x-mcp-z-webhook-secret',\n  'password',\n  'secret',\n  'token',\n  'authorization',\n  'credential',\n  'auth',\n  'verifier',\n  'challenge',\n  'code_verifier',\n  'codeVerifier',\n  'code_challenge',\n  'codeChallenge',\n  'nonce',\n  'session_id',\n  'sessionId',\n  'csrf_token',\n  'csrfToken',\n  'api_key',\n  'apiKey',\n  'state',\n  'connection_id',\n  'connectionId',\n  'gmail_connection_id',\n  'gmailConnectionId',\n]);\n\nfunction isAlreadySanitized(value: string): boolean {\n  return value.includes('****') || value.includes('[REDACTED]') || value === '[REDACTED]';\n}\n\nfunction redactValue(value: string): string {\n  if (isAlreadySanitized(value)) {\n    return value;\n  }\n\n  if (value.length <= 8) {\n    return '*'.repeat(value.length);\n  }\n\n  // Show first 4 and last 4 characters\n  return `${value.substring(0, 4)}****${value.substring(value.length - 4)}`;\n}\n\nexport function sanitizeData(data: unknown): unknown {\n  if (typeof data === 'string') {\n    if (isAlreadySanitized(data)) {\n      return data;\n    }\n\n    let sanitized = data;\n    for (const pattern of SENSITIVE_PATTERNS) {\n      sanitized = sanitized.replace(pattern, (match, captured) => {\n        if (typeof captured === 'string') {\n          const redacted = redactValue(captured);\n          return match.replace(captured, redacted);\n        }\n        return match;\n      });\n    }\n\n    return sanitized;\n  }\n\n  if (Array.isArray(data)) {\n    return data.map(sanitizeData);\n  }\n\n  if (data && typeof data === 'object') {\n    const sanitized: Record<string, unknown> = {};\n\n    for (const [key, value] of Object.entries(data)) {\n      const lowerKey = key.toLowerCase();\n\n      if (SENSITIVE_FIELDS.has(lowerKey) || SENSITIVE_FIELDS.has(key)) {\n        if (typeof value === 'string') {\n          sanitized[key] = redactValue(value);\n        } else {\n          sanitized[key] = '[REDACTED]';\n        }\n      } else {\n        sanitized[key] = sanitizeData(value);\n      }\n    }\n\n    return sanitized;\n  }\n\n  return data;\n}\n\n/**\n * Prevent log injection attacks by escaping control characters\n * SECURITY: Critical for preventing CRLF injection (OWASP A03)\n */\nexport function sanitizeLogMessage(message: string, maxLength = 50000): string {\n  if (typeof message !== 'string') {\n    return String(message);\n  }\n\n  // Truncation protection - prevent log poisoning via huge payloads\n  let processedMessage = message;\n  if (processedMessage.length > maxLength) {\n    processedMessage = `${processedMessage.substring(0, maxLength)} [TRUNCATED]`;\n  }\n\n  return (\n    processedMessage\n      .normalize('NFKC')\n      .replace(/\\r\\n|\\r|\\n/g, ' ')\n      .replace(/\\t/g, ' ')\n      // biome-ignore lint/suspicious/noControlCharactersInRegex: Security sanitization requires control character removal\n      .replace(/[\\x00-\\x1F\\x7F-\\x9F]/g, '')\n      .replace(/[\\u200B-\\u200D\\uFEFF]/g, '') // Zero-width chars used for obfuscation\n      .trim()\n  );\n}\n\n/**\n * Sanitize log message and metadata for safe logging\n * Applies both CRLF protection and sensitive data redaction\n *\n * @param message - The log message to sanitize\n * @param meta - Optional metadata object to sanitize\n * @param enableDataSanitization - Whether to apply sensitive data redaction (default: true)\n * @returns Sanitized message and metadata ready for logging\n */\nexport function sanitizeForLogging(message: string, meta?: Record<string, unknown>, enableDataSanitization = true): { message: string; meta: Record<string, unknown> } {\n  const cleanMessage = sanitizeLogMessage(message);\n\n  if (!enableDataSanitization) {\n    return {\n      message: cleanMessage,\n      meta: meta || {},\n    };\n  }\n\n  return {\n    message: sanitizeData(cleanMessage) as string,\n    meta: sanitizeData(meta || {}) as Record<string, unknown>,\n  };\n}\n\nexport function sanitizeForLoggingFormatter() {\n  return {\n    log: (obj) => {\n      const message = (obj.msg || obj.message || '') as string;\n      const { message: clean, meta } = sanitizeForLogging(message, obj as Record<string, unknown>);\n      return { ...meta, msg: clean };\n    },\n  };\n}\n"],"names":["SENSITIVE_PATTERNS","SENSITIVE_FIELDS","Set","isAlreadySanitized","value","includes","redactValue","length","repeat","substring","sanitizeData","data","sanitized","pattern","replace","match","captured","redacted","Array","isArray","map","key","Object","entries","lowerKey","toLowerCase","has","sanitizeLogMessage","message","maxLength","String","processedMessage","normalize","trim","sanitizeForLogging","meta","enableDataSanitization","cleanMessage","sanitizeForLoggingFormatter","log","obj","msg","clean"],"mappings":"AAAA;;;;;;;;;;;;CAYC,GAED,wEAAwE,GACxE,MAAMA,qBAAqB;IACzB,mCAAmC;IACnC;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IAEA,uCAAuC;IACvC;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IAEA,4BAA4B;IAC5B;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IAEA,wBAAwB;IACxB;IACA;IACA;IACA;IACA;IAEA,0BAA0B;IAC1B;IACA;IACA;IAEA,2BAA2B;IAC3B;IACA;IACA;IACA;IAEA,mEAAmE;IACnE;IACA;IACA;IAEA,yBAAyB;IACzB;CACD;AAED,kEAAkE,GAClE,MAAMC,mBAAmB,IAAIC,IAAI;IAC/B;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;CACD;AAED,SAASC,mBAAmBC,KAAa;IACvC,OAAOA,MAAMC,QAAQ,CAAC,WAAWD,MAAMC,QAAQ,CAAC,iBAAiBD,UAAU;AAC7E;AAEA,SAASE,YAAYF,KAAa;IAChC,IAAID,mBAAmBC,QAAQ;QAC7B,OAAOA;IACT;IAEA,IAAIA,MAAMG,MAAM,IAAI,GAAG;QACrB,OAAO,IAAIC,MAAM,CAACJ,MAAMG,MAAM;IAChC;IAEA,qCAAqC;IACrC,OAAO,GAAGH,MAAMK,SAAS,CAAC,GAAG,GAAG,IAAI,EAAEL,MAAMK,SAAS,CAACL,MAAMG,MAAM,GAAG,IAAI;AAC3E;AAEA,OAAO,SAASG,aAAaC,IAAa;IACxC,IAAI,OAAOA,SAAS,UAAU;QAC5B,IAAIR,mBAAmBQ,OAAO;YAC5B,OAAOA;QACT;QAEA,IAAIC,YAAYD;QAChB,KAAK,MAAME,WAAWb,mBAAoB;YACxCY,YAAYA,UAAUE,OAAO,CAACD,SAAS,CAACE,OAAOC;gBAC7C,IAAI,OAAOA,aAAa,UAAU;oBAChC,MAAMC,WAAWX,YAAYU;oBAC7B,OAAOD,MAAMD,OAAO,CAACE,UAAUC;gBACjC;gBACA,OAAOF;YACT;QACF;QAEA,OAAOH;IACT;IAEA,IAAIM,MAAMC,OAAO,CAACR,OAAO;QACvB,OAAOA,KAAKS,GAAG,CAACV;IAClB;IAEA,IAAIC,QAAQ,OAAOA,SAAS,UAAU;QACpC,MAAMC,YAAqC,CAAC;QAE5C,KAAK,MAAM,CAACS,KAAKjB,MAAM,IAAIkB,OAAOC,OAAO,CAACZ,MAAO;YAC/C,MAAMa,WAAWH,IAAII,WAAW;YAEhC,IAAIxB,iBAAiByB,GAAG,CAACF,aAAavB,iBAAiByB,GAAG,CAACL,MAAM;gBAC/D,IAAI,OAAOjB,UAAU,UAAU;oBAC7BQ,SAAS,CAACS,IAAI,GAAGf,YAAYF;gBAC/B,OAAO;oBACLQ,SAAS,CAACS,IAAI,GAAG;gBACnB;YACF,OAAO;gBACLT,SAAS,CAACS,IAAI,GAAGX,aAAaN;YAChC;QACF;QAEA,OAAOQ;IACT;IAEA,OAAOD;AACT;AAEA;;;CAGC,GACD,OAAO,SAASgB,mBAAmBC,OAAe,EAAEC,YAAY,KAAK;IACnE,IAAI,OAAOD,YAAY,UAAU;QAC/B,OAAOE,OAAOF;IAChB;IAEA,kEAAkE;IAClE,IAAIG,mBAAmBH;IACvB,IAAIG,iBAAiBxB,MAAM,GAAGsB,WAAW;QACvCE,mBAAmB,GAAGA,iBAAiBtB,SAAS,CAAC,GAAGoB,WAAW,YAAY,CAAC;IAC9E;IAEA,OACEE,iBACGC,SAAS,CAAC,QACVlB,OAAO,CAAC,eAAe,KACvBA,OAAO,CAAC,OAAO,IAChB,oHAAoH;KACnHA,OAAO,CAAC,yBAAyB,IACjCA,OAAO,CAAC,0BAA0B,IAAI,wCAAwC;KAC9EmB,IAAI;AAEX;AAEA;;;;;;;;CAQC,GACD,OAAO,SAASC,mBAAmBN,OAAe,EAAEO,IAA8B,EAAEC,yBAAyB,IAAI;IAC/G,MAAMC,eAAeV,mBAAmBC;IAExC,IAAI,CAACQ,wBAAwB;QAC3B,OAAO;YACLR,SAASS;YACTF,MAAMA,QAAQ,CAAC;QACjB;IACF;IAEA,OAAO;QACLP,SAASlB,aAAa2B;QACtBF,MAAMzB,aAAayB,QAAQ,CAAC;IAC9B;AACF;AAEA,OAAO,SAASG;IACd,OAAO;QACLC,KAAK,CAACC;YACJ,MAAMZ,UAAWY,IAAIC,GAAG,IAAID,IAAIZ,OAAO,IAAI;YAC3C,MAAM,EAAEA,SAASc,KAAK,EAAEP,IAAI,EAAE,GAAGD,mBAAmBN,SAASY;YAC7D,OAAO;gBAAE,GAAGL,IAAI;gBAAEM,KAAKC;YAAM;QAC/B;IACF;AACF"}

package/dist/esm/schemas/index.js.map

@@ -1 +1 @@
-{"version":3,"sources":["/Users/kevin/Dev/Projects/ai/mcp-z/oauth/oauth/src/schemas/index.ts"],"sourcesContent":["/**\n * OAuth-specific schemas and response builders\n *\n * Provider-agnostic schemas and utilities for building OAuth auth_required responses.\n * Individual OAuth packages (oauth-google, oauth-microsoft) wrap these with provider-specific defaults.\n */\n\nimport { z } from 'zod';\n\n// Re-export z for use in middleware (MCP requires zod)\nexport type { z };\n\n/**\n * Authentication required response type\n */\nexport interface AuthRequired {\n  type: 'auth_required';\n  provider: string;\n  message: string;\n  url: string;\n  flow?: string;\n  instructions: string;\n  user_code?: string;\n  expires_in?: number;\n  accountId?: string;\n}\n\n/**\n * Zod schema for auth_required responses\n */\nexport const AuthRequiredSchema = z\n  .object({\n    type: z.literal('auth_required'),\n    provider: z.string().describe('OAuth provider name (e.g., \"google\", \"microsoft\")'),\n    message: z.string().describe('Human-readable message explaining why auth is needed'),\n    url: z.string().url().describe('Authentication URL to open in browser'),\n    flow: z.string().optional().describe('Authentication flow type (e.g., \"auth_url\", \"device_code\")'),\n    instructions: z.string().describe('Clear instructions for the user'),\n    user_code: z.string().optional().describe('Code user must enter at verification URL (device flows only)'),\n    expires_in: z.number().optional().describe('Seconds until code expires (device flows only)'),\n    accountId: z.string().optional().describe('Account identifier (email) that requires authentication'),\n  })\n  .describe('Authentication required with clear actionable instructions for user');\n"],"names":["z","AuthRequiredSchema","object","type","literal","provider","string","describe","message","url","flow","optional","instructions","user_code","expires_in","number","accountId"],"mappings":"AAAA;;;;;CAKC,GAED,SAASA,CAAC,QAAQ,MAAM;AAoBxB;;CAEC,GACD,OAAO,MAAMC,qBAAqBD,EAC/BE,MAAM,CAAC;IACNC,MAAMH,EAAEI,OAAO,CAAC;IAChBC,UAAUL,EAAEM,MAAM,GAAGC,QAAQ,CAAC;IAC9BC,SAASR,EAAEM,MAAM,GAAGC,QAAQ,CAAC;IAC7BE,KAAKT,EAAEM,MAAM,GAAGG,GAAG,GAAGF,QAAQ,CAAC;IAC/BG,MAAMV,EAAEM,MAAM,GAAGK,QAAQ,GAAGJ,QAAQ,CAAC;IACrCK,cAAcZ,EAAEM,MAAM,GAAGC,QAAQ,CAAC;IAClCM,WAAWb,EAAEM,MAAM,GAAGK,QAAQ,GAAGJ,QAAQ,CAAC;IAC1CO,YAAYd,EAAEe,MAAM,GAAGJ,QAAQ,GAAGJ,QAAQ,CAAC;IAC3CS,WAAWhB,EAAEM,MAAM,GAAGK,QAAQ,GAAGJ,QAAQ,CAAC;AAC5C,GACCA,QAAQ,CAAC,uEAAuE"}
+{"version":3,"sources":["/Users/kevin/Dev/Projects/mcp-z/oauth/src/schemas/index.ts"],"sourcesContent":["/**\n * OAuth-specific schemas and response builders\n *\n * Provider-agnostic schemas and utilities for building OAuth auth_required responses.\n * Individual OAuth packages (oauth-google, oauth-microsoft) wrap these with provider-specific defaults.\n */\n\nimport { z } from 'zod';\n\n// Re-export z for use in middleware (MCP requires zod)\nexport type { z };\n\n/**\n * Authentication required response type\n */\nexport interface AuthRequired {\n  type: 'auth_required';\n  provider: string;\n  message: string;\n  url: string;\n  flow?: string;\n  instructions: string;\n  user_code?: string;\n  expires_in?: number;\n  accountId?: string;\n}\n\n/**\n * Zod schema for auth_required responses\n */\nexport const AuthRequiredSchema = z\n  .object({\n    type: z.literal('auth_required'),\n    provider: z.string().describe('OAuth provider name (e.g., \"google\", \"microsoft\")'),\n    message: z.string().describe('Human-readable message explaining why auth is needed'),\n    url: z.string().url().describe('Authentication URL to open in browser'),\n    flow: z.string().optional().describe('Authentication flow type (e.g., \"auth_url\", \"device_code\")'),\n    instructions: z.string().describe('Clear instructions for the user'),\n    user_code: z.string().optional().describe('Code user must enter at verification URL (device flows only)'),\n    expires_in: z.number().optional().describe('Seconds until code expires (device flows only)'),\n    accountId: z.string().optional().describe('Account identifier (email) that requires authentication'),\n  })\n  .describe('Authentication required with clear actionable instructions for user');\n"],"names":["z","AuthRequiredSchema","object","type","literal","provider","string","describe","message","url","flow","optional","instructions","user_code","expires_in","number","accountId"],"mappings":"AAAA;;;;;CAKC,GAED,SAASA,CAAC,QAAQ,MAAM;AAoBxB;;CAEC,GACD,OAAO,MAAMC,qBAAqBD,EAC/BE,MAAM,CAAC;IACNC,MAAMH,EAAEI,OAAO,CAAC;IAChBC,UAAUL,EAAEM,MAAM,GAAGC,QAAQ,CAAC;IAC9BC,SAASR,EAAEM,MAAM,GAAGC,QAAQ,CAAC;IAC7BE,KAAKT,EAAEM,MAAM,GAAGG,GAAG,GAAGF,QAAQ,CAAC;IAC/BG,MAAMV,EAAEM,MAAM,GAAGK,QAAQ,GAAGJ,QAAQ,CAAC;IACrCK,cAAcZ,EAAEM,MAAM,GAAGC,QAAQ,CAAC;IAClCM,WAAWb,EAAEM,MAAM,GAAGK,QAAQ,GAAGJ,QAAQ,CAAC;IAC1CO,YAAYd,EAAEe,MAAM,GAAGJ,QAAQ,GAAGJ,QAAQ,CAAC;IAC3CS,WAAWhB,EAAEM,MAAM,GAAGK,QAAQ,GAAGJ,QAAQ,CAAC;AAC5C,GACCA,QAAQ,CAAC,uEAAuE"}

package/dist/esm/session-auth.js.map

@@ -1 +1 @@
-{"version":3,"sources":["/Users/kevin/Dev/Projects/ai/mcp-z/oauth/oauth/src/session-auth.ts"],"sourcesContent":["/**\n * Session-based user authentication for multi-tenant deployments\n *\n * Extracts user ID from HTTP session cookies with HMAC signature verification.\n * Compatible with Express/Connect session middleware patterns.\n */\n\nimport { createHmac, timingSafeEqual } from 'crypto';\nimport type { SessionUserAuthConfig, UserAuthProvider } from './types.ts';\n\n/**\n * HTTP request interface (subset needed for session auth)\n */\ninterface HttpRequest {\n  headers?: {\n    cookie?: string;\n  };\n}\n\n/**\n * Session cookie structure\n */\ninterface SessionData {\n  userId: string;\n  exp?: number; // Optional expiration timestamp (ms)\n}\n\n/**\n * Session-based user authentication provider\n *\n * Verifies signed session cookies and extracts user IDs.\n * Use for multi-tenant deployments where users authenticate via web sessions.\n *\n * @example\n * ```typescript\n * // Multi-tenant server setup with session-based user authentication\n * const userAuth = new SessionUserAuth({\n *   sessionSecret: process.env.SESSION_SECRET!,\n *   cookieName: 'app_session',\n * });\n *\n * // Create OAuth adapters with session-based user identification\n * const oauthAdapters = await createOAuthAdapters(\n *   config.transport,\n *   {\n *     service: 'gmail',\n *     clientId: process.env.GOOGLE_CLIENT_ID!,\n *     clientSecret: process.env.GOOGLE_CLIENT_SECRET,\n *     scope: GOOGLE_SCOPE,\n *     auth: 'loopback-oauth',\n *     headless: false,\n *     redirectUri: undefined,\n *   },\n *   {\n *     logger,\n *     tokenStore,\n *     userAuth, // Session-based user identification for multi-tenant deployments\n *   }\n * );\n *\n * // Use auth middleware with tools\n * const { middleware: authMiddleware } = oauthAdapters;\n * const tools = toolFactories.map(f => f()).map(authMiddleware.withToolAuth);\n * ```\n */\nexport class SessionUserAuth implements UserAuthProvider {\n  private readonly secret: string;\n  private readonly cookieName: string;\n  private readonly algorithm: 'sha256' | 'sha512';\n\n  constructor(config: SessionUserAuthConfig) {\n    if (!config.sessionSecret || config.sessionSecret.length < 32) {\n      throw new Error('SessionUserAuth: sessionSecret must be at least 32 characters');\n    }\n\n    this.secret = config.sessionSecret;\n    this.cookieName = config.cookieName ?? 'session';\n    this.algorithm = config.algorithm ?? 'sha256';\n  }\n\n  /**\n   * Extract and verify user ID from session cookie\n   *\n   * @param req - HTTP request object with cookie header\n   * @returns User ID from verified session\n   * @throws Error if session missing, invalid, or expired\n   */\n  async getUserId(req: unknown): Promise<string> {\n    const httpReq = req as HttpRequest;\n\n    const cookieHeader = httpReq.headers?.cookie;\n    if (!cookieHeader) {\n      throw new Error('SessionUserAuth: No cookie header found');\n    }\n\n    const sessionCookie = this.parseCookie(cookieHeader, this.cookieName);\n    if (!sessionCookie) {\n      throw new Error(`SessionUserAuth: Session cookie '${this.cookieName}' not found`);\n    }\n\n    // Format: base64(data).signature\n    const parts = sessionCookie.split('.');\n    if (parts.length !== 2) {\n      throw new Error('SessionUserAuth: Invalid session format (expected data.signature)');\n    }\n\n    const [dataB64, signature] = parts as [string, string];\n\n    const expectedSignature = this.sign(dataB64);\n    if (!this.constantTimeCompare(signature, expectedSignature)) {\n      throw new Error('SessionUserAuth: Invalid session signature');\n    }\n\n    let sessionData: SessionData;\n    try {\n      const dataJson = Buffer.from(dataB64, 'base64').toString('utf8');\n      sessionData = JSON.parse(dataJson) as SessionData;\n    } catch {\n      throw new Error('SessionUserAuth: Invalid session data encoding');\n    }\n\n    if (sessionData.exp !== undefined && Date.now() > sessionData.exp) {\n      throw new Error('SessionUserAuth: Session expired');\n    }\n\n    if (!sessionData.userId || typeof sessionData.userId !== 'string') {\n      throw new Error('SessionUserAuth: Session missing userId field');\n    }\n\n    return sessionData.userId;\n  }\n\n  /**\n   * Parse cookie from header string\n   */\n  private parseCookie(cookieHeader: string, name: string): string | null {\n    const cookies = cookieHeader.split(';');\n    for (const cookie of cookies) {\n      const [key, ...valueParts] = cookie.trim().split('=');\n      if (key === name) {\n        return valueParts.join('='); // Handle values with = in them\n      }\n    }\n    return null;\n  }\n\n  /**\n   * Generate HMAC signature for session data\n   */\n  private sign(data: string): string {\n    return createHmac(this.algorithm, this.secret).update(data).digest('hex');\n  }\n\n  /**\n   * Constant-time string comparison to prevent timing attacks\n   */\n  private constantTimeCompare(a: string, b: string): boolean {\n    if (a.length !== b.length) {\n      return false;\n    }\n\n    const bufA = Buffer.from(a);\n    const bufB = Buffer.from(b);\n\n    return timingSafeEqual(bufA, bufB);\n  }\n\n  /**\n   * Helper for creating session cookies (for testing/integration)\n   *\n   * @param userId - User ID to encode in session\n   * @param expiresInMs - Optional expiration time in milliseconds from now\n   * @returns Signed session cookie value\n   */\n  createSessionCookie(userId: string, expiresInMs?: number): string {\n    const sessionData: SessionData = {\n      userId,\n      ...(expiresInMs !== undefined && { exp: Date.now() + expiresInMs }),\n    };\n\n    const dataJson = JSON.stringify(sessionData);\n    const dataB64 = Buffer.from(dataJson).toString('base64');\n    const signature = this.sign(dataB64);\n\n    return `${dataB64}.${signature}`;\n  }\n}\n"],"names":["createHmac","timingSafeEqual","SessionUserAuth","getUserId","req","httpReq","cookieHeader","headers","cookie","Error","sessionCookie","parseCookie","cookieName","parts","split","length","dataB64","signature","expectedSignature","sign","constantTimeCompare","sessionData","dataJson","Buffer","from","toString","JSON","parse","exp","undefined","Date","now","userId","name","cookies","key","valueParts","trim","join","data","algorithm","secret","update","digest","a","b","bufA","bufB","createSessionCookie","expiresInMs","stringify","config","sessionSecret"],"mappings":"AAAA;;;;;CAKC,GAED,SAASA,UAAU,EAAEC,eAAe,QAAQ,SAAS;AAoBrD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAqCC,GACD,OAAO,MAAMC;IAeX;;;;;;GAMC,GACD,MAAMC,UAAUC,GAAY,EAAmB;YAGxBC;QAFrB,MAAMA,UAAUD;QAEhB,MAAME,gBAAeD,mBAAAA,QAAQE,OAAO,cAAfF,uCAAAA,iBAAiBG,MAAM;QAC5C,IAAI,CAACF,cAAc;YACjB,MAAM,IAAIG,MAAM;QAClB;QAEA,MAAMC,gBAAgB,IAAI,CAACC,WAAW,CAACL,cAAc,IAAI,CAACM,UAAU;QACpE,IAAI,CAACF,eAAe;YAClB,MAAM,IAAID,MAAM,CAAC,iCAAiC,EAAE,IAAI,CAACG,UAAU,CAAC,WAAW,CAAC;QAClF;QAEA,iCAAiC;QACjC,MAAMC,QAAQH,cAAcI,KAAK,CAAC;QAClC,IAAID,MAAME,MAAM,KAAK,GAAG;YACtB,MAAM,IAAIN,MAAM;QAClB;QAEA,MAAM,CAACO,SAASC,UAAU,GAAGJ;QAE7B,MAAMK,oBAAoB,IAAI,CAACC,IAAI,CAACH;QACpC,IAAI,CAAC,IAAI,CAACI,mBAAmB,CAACH,WAAWC,oBAAoB;YAC3D,MAAM,IAAIT,MAAM;QAClB;QAEA,IAAIY;QACJ,IAAI;YACF,MAAMC,WAAWC,OAAOC,IAAI,CAACR,SAAS,UAAUS,QAAQ,CAAC;YACzDJ,cAAcK,KAAKC,KAAK,CAACL;QAC3B,EAAE,OAAM;YACN,MAAM,IAAIb,MAAM;QAClB;QAEA,IAAIY,YAAYO,GAAG,KAAKC,aAAaC,KAAKC,GAAG,KAAKV,YAAYO,GAAG,EAAE;YACjE,MAAM,IAAInB,MAAM;QAClB;QAEA,IAAI,CAACY,YAAYW,MAAM,IAAI,OAAOX,YAAYW,MAAM,KAAK,UAAU;YACjE,MAAM,IAAIvB,MAAM;QAClB;QAEA,OAAOY,YAAYW,MAAM;IAC3B;IAEA;;GAEC,GACD,AAAQrB,YAAYL,YAAoB,EAAE2B,IAAY,EAAiB;QACrE,MAAMC,UAAU5B,aAAaQ,KAAK,CAAC;QACnC,KAAK,MAAMN,UAAU0B,QAAS;YAC5B,MAAM,CAACC,KAAK,GAAGC,WAAW,GAAG5B,OAAO6B,IAAI,GAAGvB,KAAK,CAAC;YACjD,IAAIqB,QAAQF,MAAM;gBAChB,OAAOG,WAAWE,IAAI,CAAC,MAAM,+BAA+B;YAC9D;QACF;QACA,OAAO;IACT;IAEA;;GAEC,GACD,AAAQnB,KAAKoB,IAAY,EAAU;QACjC,OAAOvC,WAAW,IAAI,CAACwC,SAAS,EAAE,IAAI,CAACC,MAAM,EAAEC,MAAM,CAACH,MAAMI,MAAM,CAAC;IACrE;IAEA;;GAEC,GACD,AAAQvB,oBAAoBwB,CAAS,EAAEC,CAAS,EAAW;QACzD,IAAID,EAAE7B,MAAM,KAAK8B,EAAE9B,MAAM,EAAE;YACzB,OAAO;QACT;QAEA,MAAM+B,OAAOvB,OAAOC,IAAI,CAACoB;QACzB,MAAMG,OAAOxB,OAAOC,IAAI,CAACqB;QAEzB,OAAO5C,gBAAgB6C,MAAMC;IAC/B;IAEA;;;;;;GAMC,GACDC,oBAAoBhB,MAAc,EAAEiB,WAAoB,EAAU;QAChE,MAAM5B,cAA2B;YAC/BW;YACA,GAAIiB,gBAAgBpB,aAAa;gBAAED,KAAKE,KAAKC,GAAG,KAAKkB;YAAY,CAAC;QACpE;QAEA,MAAM3B,WAAWI,KAAKwB,SAAS,CAAC7B;QAChC,MAAML,UAAUO,OAAOC,IAAI,CAACF,UAAUG,QAAQ,CAAC;QAC/C,MAAMR,YAAY,IAAI,CAACE,IAAI,CAACH;QAE5B,OAAO,GAAGA,QAAQ,CAAC,EAAEC,WAAW;IAClC;IAnHA,YAAYkC,MAA6B,CAAE;YAMvBA,oBACDA;QANjB,IAAI,CAACA,OAAOC,aAAa,IAAID,OAAOC,aAAa,CAACrC,MAAM,GAAG,IAAI;YAC7D,MAAM,IAAIN,MAAM;QAClB;QAEA,IAAI,CAACgC,MAAM,GAAGU,OAAOC,aAAa;QAClC,IAAI,CAACxC,UAAU,IAAGuC,qBAAAA,OAAOvC,UAAU,cAAjBuC,gCAAAA,qBAAqB;QACvC,IAAI,CAACX,SAAS,IAAGW,oBAAAA,OAAOX,SAAS,cAAhBW,+BAAAA,oBAAoB;IACvC;AA4GF"}
+{"version":3,"sources":["/Users/kevin/Dev/Projects/mcp-z/oauth/src/session-auth.ts"],"sourcesContent":["/**\n * Session-based user authentication for multi-tenant deployments\n *\n * Extracts user ID from HTTP session cookies with HMAC signature verification.\n * Compatible with Express/Connect session middleware patterns.\n */\n\nimport { createHmac, timingSafeEqual } from 'crypto';\nimport type { SessionUserAuthConfig, UserAuthProvider } from './types.ts';\n\n/**\n * HTTP request interface (subset needed for session auth)\n */\ninterface HttpRequest {\n  headers?: {\n    cookie?: string;\n  };\n}\n\n/**\n * Session cookie structure\n */\ninterface SessionData {\n  userId: string;\n  exp?: number; // Optional expiration timestamp (ms)\n}\n\n/**\n * Session-based user authentication provider\n *\n * Verifies signed session cookies and extracts user IDs.\n * Use for multi-tenant deployments where users authenticate via web sessions.\n *\n * @example\n * ```typescript\n * // Multi-tenant server setup with session-based user authentication\n * const userAuth = new SessionUserAuth({\n *   sessionSecret: process.env.SESSION_SECRET!,\n *   cookieName: 'app_session',\n * });\n *\n * // Create OAuth adapters with session-based user identification\n * const oauthAdapters = await createOAuthAdapters(\n *   config.transport,\n *   {\n *     service: 'gmail',\n *     clientId: process.env.GOOGLE_CLIENT_ID!,\n *     clientSecret: process.env.GOOGLE_CLIENT_SECRET,\n *     scope: GOOGLE_SCOPE,\n *     auth: 'loopback-oauth',\n *     headless: false,\n *     redirectUri: undefined,\n *   },\n *   {\n *     logger,\n *     tokenStore,\n *     userAuth, // Session-based user identification for multi-tenant deployments\n *   }\n * );\n *\n * // Use auth middleware with tools\n * const { middleware: authMiddleware } = oauthAdapters;\n * const tools = toolFactories.map(f => f()).map(authMiddleware.withToolAuth);\n * ```\n */\nexport class SessionUserAuth implements UserAuthProvider {\n  private readonly secret: string;\n  private readonly cookieName: string;\n  private readonly algorithm: 'sha256' | 'sha512';\n\n  constructor(config: SessionUserAuthConfig) {\n    if (!config.sessionSecret || config.sessionSecret.length < 32) {\n      throw new Error('SessionUserAuth: sessionSecret must be at least 32 characters');\n    }\n\n    this.secret = config.sessionSecret;\n    this.cookieName = config.cookieName ?? 'session';\n    this.algorithm = config.algorithm ?? 'sha256';\n  }\n\n  /**\n   * Extract and verify user ID from session cookie\n   *\n   * @param req - HTTP request object with cookie header\n   * @returns User ID from verified session\n   * @throws Error if session missing, invalid, or expired\n   */\n  async getUserId(req: unknown): Promise<string> {\n    const httpReq = req as HttpRequest;\n\n    const cookieHeader = httpReq.headers?.cookie;\n    if (!cookieHeader) {\n      throw new Error('SessionUserAuth: No cookie header found');\n    }\n\n    const sessionCookie = this.parseCookie(cookieHeader, this.cookieName);\n    if (!sessionCookie) {\n      throw new Error(`SessionUserAuth: Session cookie '${this.cookieName}' not found`);\n    }\n\n    // Format: base64(data).signature\n    const parts = sessionCookie.split('.');\n    if (parts.length !== 2) {\n      throw new Error('SessionUserAuth: Invalid session format (expected data.signature)');\n    }\n\n    const [dataB64, signature] = parts as [string, string];\n\n    const expectedSignature = this.sign(dataB64);\n    if (!this.constantTimeCompare(signature, expectedSignature)) {\n      throw new Error('SessionUserAuth: Invalid session signature');\n    }\n\n    let sessionData: SessionData;\n    try {\n      const dataJson = Buffer.from(dataB64, 'base64').toString('utf8');\n      sessionData = JSON.parse(dataJson) as SessionData;\n    } catch {\n      throw new Error('SessionUserAuth: Invalid session data encoding');\n    }\n\n    if (sessionData.exp !== undefined && Date.now() > sessionData.exp) {\n      throw new Error('SessionUserAuth: Session expired');\n    }\n\n    if (!sessionData.userId || typeof sessionData.userId !== 'string') {\n      throw new Error('SessionUserAuth: Session missing userId field');\n    }\n\n    return sessionData.userId;\n  }\n\n  /**\n   * Parse cookie from header string\n   */\n  private parseCookie(cookieHeader: string, name: string): string | null {\n    const cookies = cookieHeader.split(';');\n    for (const cookie of cookies) {\n      const [key, ...valueParts] = cookie.trim().split('=');\n      if (key === name) {\n        return valueParts.join('='); // Handle values with = in them\n      }\n    }\n    return null;\n  }\n\n  /**\n   * Generate HMAC signature for session data\n   */\n  private sign(data: string): string {\n    return createHmac(this.algorithm, this.secret).update(data).digest('hex');\n  }\n\n  /**\n   * Constant-time string comparison to prevent timing attacks\n   */\n  private constantTimeCompare(a: string, b: string): boolean {\n    if (a.length !== b.length) {\n      return false;\n    }\n\n    const bufA = Buffer.from(a);\n    const bufB = Buffer.from(b);\n\n    return timingSafeEqual(bufA, bufB);\n  }\n\n  /**\n   * Helper for creating session cookies (for testing/integration)\n   *\n   * @param userId - User ID to encode in session\n   * @param expiresInMs - Optional expiration time in milliseconds from now\n   * @returns Signed session cookie value\n   */\n  createSessionCookie(userId: string, expiresInMs?: number): string {\n    const sessionData: SessionData = {\n      userId,\n      ...(expiresInMs !== undefined && { exp: Date.now() + expiresInMs }),\n    };\n\n    const dataJson = JSON.stringify(sessionData);\n    const dataB64 = Buffer.from(dataJson).toString('base64');\n    const signature = this.sign(dataB64);\n\n    return `${dataB64}.${signature}`;\n  }\n}\n"],"names":["createHmac","timingSafeEqual","SessionUserAuth","getUserId","req","httpReq","cookieHeader","headers","cookie","Error","sessionCookie","parseCookie","cookieName","parts","split","length","dataB64","signature","expectedSignature","sign","constantTimeCompare","sessionData","dataJson","Buffer","from","toString","JSON","parse","exp","undefined","Date","now","userId","name","cookies","key","valueParts","trim","join","data","algorithm","secret","update","digest","a","b","bufA","bufB","createSessionCookie","expiresInMs","stringify","config","sessionSecret"],"mappings":"AAAA;;;;;CAKC,GAED,SAASA,UAAU,EAAEC,eAAe,QAAQ,SAAS;AAoBrD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAqCC,GACD,OAAO,MAAMC;IAeX;;;;;;GAMC,GACD,MAAMC,UAAUC,GAAY,EAAmB;YAGxBC;QAFrB,MAAMA,UAAUD;QAEhB,MAAME,gBAAeD,mBAAAA,QAAQE,OAAO,cAAfF,uCAAAA,iBAAiBG,MAAM;QAC5C,IAAI,CAACF,cAAc;YACjB,MAAM,IAAIG,MAAM;QAClB;QAEA,MAAMC,gBAAgB,IAAI,CAACC,WAAW,CAACL,cAAc,IAAI,CAACM,UAAU;QACpE,IAAI,CAACF,eAAe;YAClB,MAAM,IAAID,MAAM,CAAC,iCAAiC,EAAE,IAAI,CAACG,UAAU,CAAC,WAAW,CAAC;QAClF;QAEA,iCAAiC;QACjC,MAAMC,QAAQH,cAAcI,KAAK,CAAC;QAClC,IAAID,MAAME,MAAM,KAAK,GAAG;YACtB,MAAM,IAAIN,MAAM;QAClB;QAEA,MAAM,CAACO,SAASC,UAAU,GAAGJ;QAE7B,MAAMK,oBAAoB,IAAI,CAACC,IAAI,CAACH;QACpC,IAAI,CAAC,IAAI,CAACI,mBAAmB,CAACH,WAAWC,oBAAoB;YAC3D,MAAM,IAAIT,MAAM;QAClB;QAEA,IAAIY;QACJ,IAAI;YACF,MAAMC,WAAWC,OAAOC,IAAI,CAACR,SAAS,UAAUS,QAAQ,CAAC;YACzDJ,cAAcK,KAAKC,KAAK,CAACL;QAC3B,EAAE,OAAM;YACN,MAAM,IAAIb,MAAM;QAClB;QAEA,IAAIY,YAAYO,GAAG,KAAKC,aAAaC,KAAKC,GAAG,KAAKV,YAAYO,GAAG,EAAE;YACjE,MAAM,IAAInB,MAAM;QAClB;QAEA,IAAI,CAACY,YAAYW,MAAM,IAAI,OAAOX,YAAYW,MAAM,KAAK,UAAU;YACjE,MAAM,IAAIvB,MAAM;QAClB;QAEA,OAAOY,YAAYW,MAAM;IAC3B;IAEA;;GAEC,GACD,AAAQrB,YAAYL,YAAoB,EAAE2B,IAAY,EAAiB;QACrE,MAAMC,UAAU5B,aAAaQ,KAAK,CAAC;QACnC,KAAK,MAAMN,UAAU0B,QAAS;YAC5B,MAAM,CAACC,KAAK,GAAGC,WAAW,GAAG5B,OAAO6B,IAAI,GAAGvB,KAAK,CAAC;YACjD,IAAIqB,QAAQF,MAAM;gBAChB,OAAOG,WAAWE,IAAI,CAAC,MAAM,+BAA+B;YAC9D;QACF;QACA,OAAO;IACT;IAEA;;GAEC,GACD,AAAQnB,KAAKoB,IAAY,EAAU;QACjC,OAAOvC,WAAW,IAAI,CAACwC,SAAS,EAAE,IAAI,CAACC,MAAM,EAAEC,MAAM,CAACH,MAAMI,MAAM,CAAC;IACrE;IAEA;;GAEC,GACD,AAAQvB,oBAAoBwB,CAAS,EAAEC,CAAS,EAAW;QACzD,IAAID,EAAE7B,MAAM,KAAK8B,EAAE9B,MAAM,EAAE;YACzB,OAAO;QACT;QAEA,MAAM+B,OAAOvB,OAAOC,IAAI,CAACoB;QACzB,MAAMG,OAAOxB,OAAOC,IAAI,CAACqB;QAEzB,OAAO5C,gBAAgB6C,MAAMC;IAC/B;IAEA;;;;;;GAMC,GACDC,oBAAoBhB,MAAc,EAAEiB,WAAoB,EAAU;QAChE,MAAM5B,cAA2B;YAC/BW;YACA,GAAIiB,gBAAgBpB,aAAa;gBAAED,KAAKE,KAAKC,GAAG,KAAKkB;YAAY,CAAC;QACpE;QAEA,MAAM3B,WAAWI,KAAKwB,SAAS,CAAC7B;QAChC,MAAML,UAAUO,OAAOC,IAAI,CAACF,UAAUG,QAAQ,CAAC;QAC/C,MAAMR,YAAY,IAAI,CAACE,IAAI,CAACH;QAE5B,OAAO,GAAGA,QAAQ,CAAC,EAAEC,WAAW;IAClC;IAnHA,YAAYkC,MAA6B,CAAE;YAMvBA,oBACDA;QANjB,IAAI,CAACA,OAAOC,aAAa,IAAID,OAAOC,aAAa,CAACrC,MAAM,GAAG,IAAI;YAC7D,MAAM,IAAIN,MAAM;QAClB;QAEA,IAAI,CAACgC,MAAM,GAAGU,OAAOC,aAAa;QAClC,IAAI,CAACxC,UAAU,IAAGuC,qBAAAA,OAAOvC,UAAU,cAAjBuC,gCAAAA,qBAAqB;QACvC,IAAI,CAACX,SAAS,IAAGW,oBAAAA,OAAOX,SAAS,cAAhBW,+BAAAA,oBAAoB;IACvC;AA4GF"}

package/dist/esm/templates.js.map

@@ -1 +1 @@
-{"version":3,"sources":["/Users/kevin/Dev/Projects/ai/mcp-z/oauth/oauth/src/templates.ts"],"sourcesContent":["/**\n * HTML templates for OAuth callback pages\n *\n * These templates are shown in the browser after OAuth authorization\n * for loopback OAuth flows (RFC 8252).\n */\n\n/**\n * HTML template for successful OAuth authorization\n */\nexport function getSuccessTemplate(): string {\n  return `\n<!DOCTYPE html>\n<html>\n<head>\n  <meta charset=\"utf-8\">\n  <title>Authorization Successful</title>\n  <style>\n    body {\n      font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Oxygen, Ubuntu, Cantarell, sans-serif;\n      display: flex;\n      justify-content: center;\n      align-items: center;\n      height: 100vh;\n      margin: 0;\n      background: linear-gradient(135deg, #e8ebf7 0%, #ede9f2 100%);\n    }\n    .container {\n      background: white;\n      padding: 3rem;\n      border-radius: 1rem;\n      box-shadow: 0 20px 60px rgba(0,0,0,0.3);\n      text-align: center;\n      max-width: 400px;\n    }\n    h1 {\n      color: #2d3748;\n      margin-bottom: 1rem;\n      font-size: 1.875rem;\n    }\n    p {\n      color: #718096;\n      font-size: 1.125rem;\n      margin-bottom: 1.5rem;\n    }\n    .icon {\n      font-size: 4rem;\n      margin-bottom: 1rem;\n    }\n  </style>\n</head>\n<body>\n  <div class=\"container\">\n    <div class=\"icon\">✅</div>\n    <h1>Authorization Successful!</h1>\n    <p>You can close this window and return to your terminal.</p>\n  </div>\n  <script>\n    // Auto-close after 3 seconds\n    setTimeout(() => {\n      window.close();\n    }, 3000);\n  </script>\n</body>\n</html>\n  `.trim();\n}\n\n/**\n * HTML template for OAuth error\n */\nexport function getErrorTemplate(error: string): string {\n  return `\n<!DOCTYPE html>\n<html>\n<head>\n  <meta charset=\"utf-8\">\n  <title>Authorization Failed</title>\n  <style>\n    body {\n      font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Oxygen, Ubuntu, Cantarell, sans-serif;\n      display: flex;\n      justify-content: center;\n      align-items: center;\n      height: 100vh;\n      margin: 0;\n      background: linear-gradient(135deg, #fce9f7 0%, #faebed 100%);\n    }\n    .container {\n      background: white;\n      padding: 3rem;\n      border-radius: 1rem;\n      box-shadow: 0 20px 60px rgba(0,0,0,0.3);\n      text-align: center;\n      max-width: 400px;\n    }\n    h1 {\n      color: #2d3748;\n      margin-bottom: 1rem;\n      font-size: 1.875rem;\n    }\n    p {\n      color: #718096;\n      font-size: 1.125rem;\n      margin-bottom: 1.5rem;\n    }\n    .error {\n      background: #fed7d7;\n      color: #9b2c2c;\n      padding: 0.75rem;\n      border-radius: 0.5rem;\n      margin-top: 1rem;\n      font-family: monospace;\n      font-size: 0.875rem;\n    }\n    .icon {\n      font-size: 4rem;\n      margin-bottom: 1rem;\n    }\n  </style>\n</head>\n<body>\n  <div class=\"container\">\n    <div class=\"icon\">❌</div>\n    <h1>Authorization Failed</h1>\n    <p>Please try again from your terminal.</p>\n    <div class=\"error\">${escapeHtml(error)}</div>\n  </div>\n</body>\n</html>\n  `.trim();\n}\n\n/**\n * Escape HTML special characters to prevent XSS\n */\nexport function escapeHtml(unsafe: string): string {\n  return unsafe.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/\"/g, '&quot;').replace(/'/g, '&#039;');\n}\n"],"names":["getSuccessTemplate","trim","getErrorTemplate","error","escapeHtml","unsafe","replace"],"mappings":"AAAA;;;;;CAKC,GAED;;CAEC,GACD,OAAO,SAASA;IACd,OAAO,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAsDR,CAAC,CAACC,IAAI;AACR;AAEA;;CAEC,GACD,OAAO,SAASC,iBAAiBC,KAAa;IAC5C,OAAO,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;uBAsDa,EAAEC,WAAWD,OAAO;;;;EAIzC,CAAC,CAACF,IAAI;AACR;AAEA;;CAEC,GACD,OAAO,SAASG,WAAWC,MAAc;IACvC,OAAOA,OAAOC,OAAO,CAAC,MAAM,SAASA,OAAO,CAAC,MAAM,QAAQA,OAAO,CAAC,MAAM,QAAQA,OAAO,CAAC,MAAM,UAAUA,OAAO,CAAC,MAAM;AACzH"}
+{"version":3,"sources":["/Users/kevin/Dev/Projects/mcp-z/oauth/src/templates.ts"],"sourcesContent":["/**\n * HTML templates for OAuth callback pages\n *\n * These templates are shown in the browser after OAuth authorization\n * for loopback OAuth flows (RFC 8252).\n */\n\n/**\n * HTML template for successful OAuth authorization\n */\nexport function getSuccessTemplate(): string {\n  return `\n<!DOCTYPE html>\n<html>\n<head>\n  <meta charset=\"utf-8\">\n  <title>Authorization Successful</title>\n  <style>\n    body {\n      font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Oxygen, Ubuntu, Cantarell, sans-serif;\n      display: flex;\n      justify-content: center;\n      align-items: center;\n      height: 100vh;\n      margin: 0;\n      background: linear-gradient(135deg, #e8ebf7 0%, #ede9f2 100%);\n    }\n    .container {\n      background: white;\n      padding: 3rem;\n      border-radius: 1rem;\n      box-shadow: 0 20px 60px rgba(0,0,0,0.3);\n      text-align: center;\n      max-width: 400px;\n    }\n    h1 {\n      color: #2d3748;\n      margin-bottom: 1rem;\n      font-size: 1.875rem;\n    }\n    p {\n      color: #718096;\n      font-size: 1.125rem;\n      margin-bottom: 1.5rem;\n    }\n    .icon {\n      font-size: 4rem;\n      margin-bottom: 1rem;\n    }\n  </style>\n</head>\n<body>\n  <div class=\"container\">\n    <div class=\"icon\">✅</div>\n    <h1>Authorization Successful!</h1>\n    <p>You can close this window and return to your terminal.</p>\n  </div>\n  <script>\n    // Auto-close after 3 seconds\n    setTimeout(() => {\n      window.close();\n    }, 3000);\n  </script>\n</body>\n</html>\n  `.trim();\n}\n\n/**\n * HTML template for OAuth error\n */\nexport function getErrorTemplate(error: string): string {\n  return `\n<!DOCTYPE html>\n<html>\n<head>\n  <meta charset=\"utf-8\">\n  <title>Authorization Failed</title>\n  <style>\n    body {\n      font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Oxygen, Ubuntu, Cantarell, sans-serif;\n      display: flex;\n      justify-content: center;\n      align-items: center;\n      height: 100vh;\n      margin: 0;\n      background: linear-gradient(135deg, #fce9f7 0%, #faebed 100%);\n    }\n    .container {\n      background: white;\n      padding: 3rem;\n      border-radius: 1rem;\n      box-shadow: 0 20px 60px rgba(0,0,0,0.3);\n      text-align: center;\n      max-width: 400px;\n    }\n    h1 {\n      color: #2d3748;\n      margin-bottom: 1rem;\n      font-size: 1.875rem;\n    }\n    p {\n      color: #718096;\n      font-size: 1.125rem;\n      margin-bottom: 1.5rem;\n    }\n    .error {\n      background: #fed7d7;\n      color: #9b2c2c;\n      padding: 0.75rem;\n      border-radius: 0.5rem;\n      margin-top: 1rem;\n      font-family: monospace;\n      font-size: 0.875rem;\n    }\n    .icon {\n      font-size: 4rem;\n      margin-bottom: 1rem;\n    }\n  </style>\n</head>\n<body>\n  <div class=\"container\">\n    <div class=\"icon\">❌</div>\n    <h1>Authorization Failed</h1>\n    <p>Please try again from your terminal.</p>\n    <div class=\"error\">${escapeHtml(error)}</div>\n  </div>\n</body>\n</html>\n  `.trim();\n}\n\n/**\n * Escape HTML special characters to prevent XSS\n */\nexport function escapeHtml(unsafe: string): string {\n  return unsafe.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/\"/g, '&quot;').replace(/'/g, '&#039;');\n}\n"],"names":["getSuccessTemplate","trim","getErrorTemplate","error","escapeHtml","unsafe","replace"],"mappings":"AAAA;;;;;CAKC,GAED;;CAEC,GACD,OAAO,SAASA;IACd,OAAO,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAsDR,CAAC,CAACC,IAAI;AACR;AAEA;;CAEC,GACD,OAAO,SAASC,iBAAiBC,KAAa;IAC5C,OAAO,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;uBAsDa,EAAEC,WAAWD,OAAO;;;;EAIzC,CAAC,CAACF,IAAI;AACR;AAEA;;CAEC,GACD,OAAO,SAASG,WAAWC,MAAc;IACvC,OAAOA,OAAOC,OAAO,CAAC,MAAM,SAASA,OAAO,CAAC,MAAM,QAAQA,OAAO,CAAC,MAAM,QAAQA,OAAO,CAAC,MAAM,UAAUA,OAAO,CAAC,MAAM;AACzH"}

package/dist/esm/types.d.ts

@@ -126,10 +126,11 @@ export declare class RequiresAuthenticationError extends AccountManagerError {
     accountId: string | undefined;
     constructor(service: string, accountId?: string);
 }
-export interface AuthEmailProvider {
+export interface AccountAuthProvider {
+    getAccessToken(accountId?: string): Promise<string>;
     getUserEmail(accountId?: string): Promise<string>;
-    authenticateNewAccount?(): Promise<string>;
 }
+export type AuthEmailProvider = AccountAuthProvider;
 export interface UserAuthProvider {
     getUserId(req: unknown): Promise<string>;
 }

package/dist/esm/types.js.map

@@ -1 +1 @@
-{"version":3,"sources":["/Users/kevin/Dev/Projects/ai/mcp-z/oauth/oauth/src/types.ts"],"sourcesContent":["/**\n * Type definitions for multi-account management and OAuth integration\n */\n\nimport type { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';\nimport type { AnySchema, ZodRawShapeCompat } from '@modelcontextprotocol/sdk/server/zod-compat.js';\nimport type { RequestHandlerExtra } from '@modelcontextprotocol/sdk/shared/protocol.js';\nimport type { CallToolResult, GetPromptResult, ServerNotification, ServerRequest, ToolAnnotations } from '@modelcontextprotocol/sdk/types.js';\n\nexport type Logger = Pick<Console, 'info' | 'error' | 'warn' | 'debug'>;\n\nexport interface AccountInfo {\n  email: string;\n  alias?: string;\n  addedAt: string;\n  lastUsed?: string;\n  metadata?: {\n    name?: string;\n    picture?: string;\n    [key: string]: unknown;\n  };\n}\n\n/**\n * MCP tool module definition with configuration and handler function.\n *\n * Represents a registered tool in the Model Context Protocol server that can be\n * invoked by MCP clients. Tools are the primary mechanism for executing operations\n * in response to client requests.\n *\n * @property name - Unique tool identifier (e.g., \"gmail-message-send\", \"sheets-values-get\")\n * @property config - Tool configuration including description and schemas\n * @property config.description - Human-readable description shown to MCP clients\n * @property config.inputSchema - Zod schema defining tool arguments (JSON-serializable)\n * @property config.outputSchema - Zod schema defining tool response structure\n * @property handler - Async function that executes the tool operation\n *\n * @remarks\n * This is the runtime representation of an MCP tool after registration. The handler\n * receives JSON-serializable arguments validated against inputSchema and returns\n * a CallToolResult validated against outputSchema.\n *\n * Tools are typically created using tool factory functions and registered with the\n * MCP server during initialization.\n *\n * @example\n * ```typescript\n * const tool: McpTool = {\n *   name: \"gmail-message-send\",\n *   config: {\n *     description: \"Send an email message\",\n *     inputSchema: { to: { type: \"string\" }, subject: { type: \"string\" } },\n *     outputSchema: { result: { type: \"object\" } }\n *   },\n *   handler: async (args, context) => {\n *     // Implementation\n *     return { content: [{ type: \"text\", text: \"Message sent\" }] };\n *   }\n * };\n * ```\n *\n * @see {@link McpPrompt} for prompt module definition\n */\nexport interface McpTool {\n  name: string;\n  config: {\n    description: string;\n    inputSchema: Record<string, unknown>;\n    outputSchema: Record<string, unknown>;\n  };\n  handler: (args: unknown, context?: unknown) => Promise<CallToolResult>;\n}\n\n/**\n * MCP prompt module definition with configuration and handler function.\n *\n * Represents a registered prompt template in the Model Context Protocol server that\n * can be retrieved and rendered by MCP clients. Prompts provide reusable templates\n * for common interaction patterns.\n *\n * @property name - Unique prompt identifier (e.g., \"draft-email\", \"summarize-thread\")\n * @property config - Prompt configuration (schema and metadata are prompt-specific)\n * @property handler - Async function that generates the prompt content\n *\n * @remarks\n * This is the runtime representation of an MCP prompt after registration. Unlike\n * {@link McpTool} which executes operations, prompts generate templated content\n * that clients can use to structure interactions.\n *\n * The handler receives optional arguments and returns a GetPromptResult containing\n * the rendered prompt messages.\n *\n * @example\n * ```typescript\n * const prompt: McpPrompt = {\n *   name: \"draft-email\",\n *   config: {\n *     description: \"Generate email draft from key points\",\n *     arguments: [{ name: \"points\", description: \"Key points to include\" }]\n *   },\n *   handler: async (args) => {\n *     const points = args?.points || [];\n *     return {\n *       messages: [{\n *         role: \"user\",\n *         content: { type: \"text\", text: `Draft email covering: ${points.join(\", \")}` }\n *       }]\n *     };\n *   }\n * };\n * ```\n *\n * @see {@link McpTool} for tool module definition\n */\nexport interface McpPrompt {\n  name: string;\n  config: unknown;\n  handler: (args: unknown) => Promise<GetPromptResult>;\n}\n\nexport class AccountManagerError extends Error {\n  public code: string;\n  public retryable: boolean;\n\n  constructor(message: string, code: string, retryable = false) {\n    super(message);\n    this.name = 'AccountManagerError';\n    this.code = code;\n    this.retryable = retryable;\n  }\n}\n\nexport class AccountNotFoundError extends AccountManagerError {\n  constructor(accountRef: string) {\n    super(`Account '${accountRef}' not found`, 'ACCOUNT_NOT_FOUND', false);\n  }\n}\n\nexport class ConfigurationError extends AccountManagerError {\n  constructor(message: string) {\n    super(`Configuration error: ${message}`, 'CONFIGURATION_ERROR', false);\n  }\n}\n\nexport class RequiresAuthenticationError extends AccountManagerError {\n  public accountId: string | undefined;\n\n  constructor(service: string, accountId?: string) {\n    const message = accountId ? `No account found for ${service} (account: ${accountId}). Use account-add to connect one.` : `No account found for ${service}. Use account-add to connect one.`;\n    super(message, 'REQUIRES_AUTHENTICATION', false);\n    this.accountId = accountId;\n  }\n}\n\nexport interface AuthEmailProvider {\n  getUserEmail(accountId?: string): Promise<string>;\n  authenticateNewAccount?(): Promise<string>;\n}\n\nexport interface UserAuthProvider {\n  getUserId(req: unknown): Promise<string>; // Throws if auth invalid\n}\n\nexport interface JWTUserAuthConfig {\n  secret?: string; // HS256 - MUST be at least 32 characters\n  publicKey?: string | object; // RS256/ES256 - PEM string, JWK object, or JWKS URL\n  jwksUrl?: string; // Alternative to publicKey\n  issuer?: string | string[];\n  audience?: string | string[];\n  userIdClaim?: string; // Default: 'sub'\n  algorithms?: string[]; // Default: auto-detect\n  clockTolerance?: number; // Default: 0\n}\n\nexport interface SessionUserAuthConfig {\n  sessionSecret: string; // MUST be at least 32 characters\n  cookieName?: string; // Default: 'session'\n  algorithm?: 'sha256' | 'sha512'; // Default: 'sha256'\n}\n\nexport interface Credentials {\n  accessToken: string;\n  expiresAt?: number;\n  refreshToken?: string;\n  scope?: string;\n  tokenType?: string;\n  idToken?: string;\n}\n\nexport type AuthFlowDescriptor =\n  | { kind: 'credentials'; connection?: string; provider?: string; credentials: Credentials }\n  | { kind: 'auth_url'; connection?: string; provider?: string; url: string; txn?: string; state?: string; codeVerifier?: string; poll?: { statusUrl: string; interval?: number }; hint?: string }\n  | { kind: 'device_code'; connection?: string; provider?: string; txn?: string; device: { userCode: string; verificationUri: string; verificationUriComplete?: string; expiresIn: number; interval: number }; poll?: { statusUrl: string; interval?: number }; hint?: string }\n  | { kind: 'error'; error: string; code?: number };\n\nexport class AuthRequiredError extends Error {\n  public descriptor: AuthFlowDescriptor;\n\n  constructor(descriptor: AuthFlowDescriptor, message?: string) {\n    super(message || `Authentication required: ${descriptor.kind}`);\n    this.name = 'AuthRequiredError';\n    this.descriptor = descriptor;\n  }\n}\n\nexport interface CachedToken {\n  accessToken: string;\n  refreshToken?: string;\n  expiresAt?: number;\n  scope?: string;\n}\n\n/**\n * Tool config signature - explicit structural type mirroring SDK registerTool config\n *\n * Uses explicit structure instead of Parameters<> extraction to avoid TypeScript inference\n * collapse to 'never' when using ToolModule[] arrays. The deep conditional types from\n * Parameters<> cannot be unified across array elements.\n *\n * Validated against SDK signature for compatibility - compile errors if SDK changes.\n *\n * NOTE: This type is duplicated in @mcp-z/server for architectural independence.\n * Keep these definitions synchronized manually when updating.\n */\nexport type ToolConfig = {\n  title?: string;\n  description?: string;\n  inputSchema?: ZodRawShapeCompat | AnySchema;\n  outputSchema?: ZodRawShapeCompat | AnySchema;\n  annotations?: ToolAnnotations;\n  _meta?: Record<string, unknown>;\n};\n\n// Compile-time validation that ToolConfig is compatible with SDK\ntype _ValidateToolConfigAssignable = ToolConfig extends Parameters<McpServer['registerTool']>[1] ? true : never;\ntype _ValidateToolConfigReceivable = Parameters<McpServer['registerTool']>[1] extends ToolConfig ? true : never;\n\n/**\n * Tool handler signature with generic support for middleware.\n *\n * @template TArgs - Tool arguments type (default: unknown for SDK compatibility)\n * @template TExtra - Request handler extra type (default: RequestHandlerExtra from SDK)\n *\n * Defaults provide SDK-extracted types for compatibility with MCP SDK.\n * Generic parameters enable type-safe middleware transformation.\n *\n * NOTE: This interface is duplicated in @mcp-z/server for architectural independence.\n * Keep these definitions synchronized manually when updating.\n */\nexport type ToolHandler<TArgs = unknown, TExtra = RequestHandlerExtra<ServerRequest, ServerNotification>> = (args: TArgs, extra: TExtra) => Promise<CallToolResult>;\n\n/**\n * Tool module interface with bounded generics.\n *\n * @template TConfig - Tool config type (default: SDK ToolConfig)\n * @template THandler - Handler function type (default: SDK ToolHandler)\n *\n * Use without generics for SDK-typed tools:\n * - Business tool factories: `ToolModule`\n * - Tool registration: `ToolModule[]`\n *\n * Use with generics for middleware transformation:\n * - Auth middleware: `ToolModule<ToolConfig, ToolHandler<TArgs, EnrichedExtra>>`\n *\n * The bounds ensure compatibility with SDK registration.\n *\n * NOTE: This interface is duplicated in @mcp-z/server for architectural independence.\n * Keep these definitions synchronized manually when updating.\n *\n * @see {@link ToolHandler} for handler function signature\n * @see {@link AuthMiddlewareWrapper} for middleware wrapper pattern\n */\nexport interface ToolModule<TConfig = ToolConfig, THandler = unknown> {\n  name: string;\n  config: TConfig;\n  handler: THandler;\n}\n\n/**\n * Middleware wrapper that enriches tool modules with authentication context.\n *\n * Wraps plain tool modules to inject authentication, logging, and request metadata.\n * The wrapper pattern allows separation of business logic from cross-cutting concerns.\n *\n * @template TArgs - Tool arguments type (inferred from tool module)\n * @template TExtra - Enriched extra type with auth context and logger\n *\n * @param toolModule - Plain tool module to wrap with auth middleware\n * @returns Wrapped tool module with enriched handler signature\n *\n * @remarks\n * Auth middleware wrappers typically:\n * - Extract auth context from MCP request or OAuth provider\n * - Inject logger instance for structured logging\n * - Handle authentication errors with proper MCP error responses\n * - Preserve tool configuration and metadata\n *\n * @example\n * ```typescript\n * // Actual usage pattern from OAuth providers (LoopbackOAuthProvider, ServiceAccountProvider, DcrOAuthProvider)\n * const provider = new LoopbackOAuthProvider({ service: 'gmail', ... });\n * const authMiddleware = provider.authMiddleware();\n *\n * // Apply middleware to tools (handlers receive enriched extra with authContext)\n * const tools = toolFactories.map(f => f()).map(authMiddleware.withToolAuth);\n * const resources = resourceFactories.map(f => f()).map(authMiddleware.withResourceAuth);\n * const prompts = promptFactories.map(f => f()).map(authMiddleware.withPromptAuth);\n *\n * // Tool handler receives enriched extra with guaranteed authContext\n * async function handler({ id }: In, extra: EnrichedExtra) {\n *   // extra.authContext.auth is OAuth2Client (from middleware)\n *   const gmail = google.gmail({ version: 'v1', auth: extra.authContext.auth });\n *   // ... business logic with authenticated context\n * }\n * ```\n *\n * @see {@link ToolModule} for base tool interface\n * @see {@link ToolHandler} for handler function signature\n */\nexport type AuthMiddlewareWrapper<TArgs = unknown, TExtra = RequestHandlerExtra<ServerRequest, ServerNotification>> = (toolModule: ToolModule) => ToolModule<ToolConfig, ToolHandler<TArgs, TExtra>>;\n\n/**\n * Base interface for stateful OAuth adapters (LoopbackOAuthProvider pattern)\n *\n * Stateful adapters manage token storage, refresh, and multi-account state.\n * Used for local development, test setup, and CI/CD workflows.\n *\n * Key characteristics:\n * - Token storage and retrieval via tokenStore\n * - Automatic token refresh with provider\n * - Interactive OAuth flows (browser, ephemeral server)\n * - Multi-account management\n *\n * Parameter usage:\n * - accountId: Account identifier (email address for token storage)\n */\nexport interface OAuth2TokenStorageProvider {\n  /**\n   * Get access token for the specified account.\n   * If token is expired, automatically refreshes it.\n   * If token is missing, triggers OAuth flow (interactive) or throws AuthRequired (headless).\n   *\n   * @param accountId - Account identifier for multi-account support\n   * @returns Access token string\n   */\n  getAccessToken(accountId?: string): Promise<string>;\n\n  /**\n   * Get email address for the specified account.\n   * Used during account registration to verify identity with provider.\n   *\n   * @param accountId - Account identifier\n   * @returns Email address from provider verification\n   */\n  getUserEmail(accountId?: string): Promise<string>;\n}\n"],"names":["AccountManagerError","Error","message","code","retryable","name","AccountNotFoundError","accountRef","ConfigurationError","RequiresAuthenticationError","service","accountId","AuthRequiredError","descriptor","kind"],"mappings":"AAAA;;CAEC,GAsHD,OAAO,MAAMA,4BAA4BC;IAIvC,YAAYC,OAAe,EAAEC,IAAY,EAAEC,YAAY,KAAK,CAAE;QAC5D,KAAK,CAACF;QACN,IAAI,CAACG,IAAI,GAAG;QACZ,IAAI,CAACF,IAAI,GAAGA;QACZ,IAAI,CAACC,SAAS,GAAGA;IACnB;AACF;AAEA,OAAO,MAAME,6BAA6BN;IACxC,YAAYO,UAAkB,CAAE;QAC9B,KAAK,CAAC,CAAC,SAAS,EAAEA,WAAW,WAAW,CAAC,EAAE,qBAAqB;IAClE;AACF;AAEA,OAAO,MAAMC,2BAA2BR;IACtC,YAAYE,OAAe,CAAE;QAC3B,KAAK,CAAC,CAAC,qBAAqB,EAAEA,SAAS,EAAE,uBAAuB;IAClE;AACF;AAEA,OAAO,MAAMO,oCAAoCT;IAG/C,YAAYU,OAAe,EAAEC,SAAkB,CAAE;QAC/C,MAAMT,UAAUS,YAAY,CAAC,qBAAqB,EAAED,QAAQ,WAAW,EAAEC,UAAU,kCAAkC,CAAC,GAAG,CAAC,qBAAqB,EAAED,QAAQ,iCAAiC,CAAC;QAC3L,KAAK,CAACR,SAAS,2BAA2B;QAC1C,IAAI,CAACS,SAAS,GAAGA;IACnB;AACF;AA2CA,OAAO,MAAMC,0BAA0BX;IAGrC,YAAYY,UAA8B,EAAEX,OAAgB,CAAE;QAC5D,KAAK,CAACA,WAAW,CAAC,yBAAyB,EAAEW,WAAWC,IAAI,EAAE;QAC9D,IAAI,CAACT,IAAI,GAAG;QACZ,IAAI,CAACQ,UAAU,GAAGA;IACpB;AACF"}
+{"version":3,"sources":["/Users/kevin/Dev/Projects/mcp-z/oauth/src/types.ts"],"sourcesContent":["/**\n * Type definitions for multi-account management and OAuth integration\n */\n\nimport type { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';\nimport type { AnySchema, ZodRawShapeCompat } from '@modelcontextprotocol/sdk/server/zod-compat.js';\nimport type { RequestHandlerExtra } from '@modelcontextprotocol/sdk/shared/protocol.js';\nimport type { CallToolResult, GetPromptResult, ServerNotification, ServerRequest, ToolAnnotations } from '@modelcontextprotocol/sdk/types.js';\n\nexport type Logger = Pick<Console, 'info' | 'error' | 'warn' | 'debug'>;\n\nexport interface AccountInfo {\n  email: string;\n  alias?: string;\n  addedAt: string;\n  lastUsed?: string;\n  metadata?: {\n    name?: string;\n    picture?: string;\n    [key: string]: unknown;\n  };\n}\n\n/**\n * MCP tool module definition with configuration and handler function.\n *\n * Represents a registered tool in the Model Context Protocol server that can be\n * invoked by MCP clients. Tools are the primary mechanism for executing operations\n * in response to client requests.\n *\n * @property name - Unique tool identifier (e.g., \"gmail-message-send\", \"sheets-values-get\")\n * @property config - Tool configuration including description and schemas\n * @property config.description - Human-readable description shown to MCP clients\n * @property config.inputSchema - Zod schema defining tool arguments (JSON-serializable)\n * @property config.outputSchema - Zod schema defining tool response structure\n * @property handler - Async function that executes the tool operation\n *\n * @remarks\n * This is the runtime representation of an MCP tool after registration. The handler\n * receives JSON-serializable arguments validated against inputSchema and returns\n * a CallToolResult validated against outputSchema.\n *\n * Tools are typically created using tool factory functions and registered with the\n * MCP server during initialization.\n *\n * @example\n * ```typescript\n * const tool: McpTool = {\n *   name: \"gmail-message-send\",\n *   config: {\n *     description: \"Send an email message\",\n *     inputSchema: { to: { type: \"string\" }, subject: { type: \"string\" } },\n *     outputSchema: { result: { type: \"object\" } }\n *   },\n *   handler: async (args, context) => {\n *     // Implementation\n *     return { content: [{ type: \"text\", text: \"Message sent\" }] };\n *   }\n * };\n * ```\n *\n * @see {@link McpPrompt} for prompt module definition\n */\nexport interface McpTool {\n  name: string;\n  config: {\n    description: string;\n    inputSchema: Record<string, unknown>;\n    outputSchema: Record<string, unknown>;\n  };\n  handler: (args: unknown, context?: unknown) => Promise<CallToolResult>;\n}\n\n/**\n * MCP prompt module definition with configuration and handler function.\n *\n * Represents a registered prompt template in the Model Context Protocol server that\n * can be retrieved and rendered by MCP clients. Prompts provide reusable templates\n * for common interaction patterns.\n *\n * @property name - Unique prompt identifier (e.g., \"draft-email\", \"summarize-thread\")\n * @property config - Prompt configuration (schema and metadata are prompt-specific)\n * @property handler - Async function that generates the prompt content\n *\n * @remarks\n * This is the runtime representation of an MCP prompt after registration. Unlike\n * {@link McpTool} which executes operations, prompts generate templated content\n * that clients can use to structure interactions.\n *\n * The handler receives optional arguments and returns a GetPromptResult containing\n * the rendered prompt messages.\n *\n * @example\n * ```typescript\n * const prompt: McpPrompt = {\n *   name: \"draft-email\",\n *   config: {\n *     description: \"Generate email draft from key points\",\n *     arguments: [{ name: \"points\", description: \"Key points to include\" }]\n *   },\n *   handler: async (args) => {\n *     const points = args?.points || [];\n *     return {\n *       messages: [{\n *         role: \"user\",\n *         content: { type: \"text\", text: `Draft email covering: ${points.join(\", \")}` }\n *       }]\n *     };\n *   }\n * };\n * ```\n *\n * @see {@link McpTool} for tool module definition\n */\nexport interface McpPrompt {\n  name: string;\n  config: unknown;\n  handler: (args: unknown) => Promise<GetPromptResult>;\n}\n\nexport class AccountManagerError extends Error {\n  public code: string;\n  public retryable: boolean;\n\n  constructor(message: string, code: string, retryable = false) {\n    super(message);\n    this.name = 'AccountManagerError';\n    this.code = code;\n    this.retryable = retryable;\n  }\n}\n\nexport class AccountNotFoundError extends AccountManagerError {\n  constructor(accountRef: string) {\n    super(`Account '${accountRef}' not found`, 'ACCOUNT_NOT_FOUND', false);\n  }\n}\n\nexport class ConfigurationError extends AccountManagerError {\n  constructor(message: string) {\n    super(`Configuration error: ${message}`, 'CONFIGURATION_ERROR', false);\n  }\n}\n\nexport class RequiresAuthenticationError extends AccountManagerError {\n  public accountId: string | undefined;\n\n  constructor(service: string, accountId?: string) {\n    const message = accountId ? `No account found for ${service} (account: ${accountId}). Use account-add to connect one.` : `No account found for ${service}. Use account-add to connect one.`;\n    super(message, 'REQUIRES_AUTHENTICATION', false);\n    this.accountId = accountId;\n  }\n}\n\nexport interface AccountAuthProvider {\n  getAccessToken(accountId?: string): Promise<string>;\n  getUserEmail(accountId?: string): Promise<string>;\n}\n\n// TODO: Remove AuthEmailProvider alias in a future major release.\nexport type AuthEmailProvider = AccountAuthProvider;\n\nexport interface UserAuthProvider {\n  getUserId(req: unknown): Promise<string>; // Throws if auth invalid\n}\n\nexport interface JWTUserAuthConfig {\n  secret?: string; // HS256 - MUST be at least 32 characters\n  publicKey?: string | object; // RS256/ES256 - PEM string, JWK object, or JWKS URL\n  jwksUrl?: string; // Alternative to publicKey\n  issuer?: string | string[];\n  audience?: string | string[];\n  userIdClaim?: string; // Default: 'sub'\n  algorithms?: string[]; // Default: auto-detect\n  clockTolerance?: number; // Default: 0\n}\n\nexport interface SessionUserAuthConfig {\n  sessionSecret: string; // MUST be at least 32 characters\n  cookieName?: string; // Default: 'session'\n  algorithm?: 'sha256' | 'sha512'; // Default: 'sha256'\n}\n\nexport interface Credentials {\n  accessToken: string;\n  expiresAt?: number;\n  refreshToken?: string;\n  scope?: string;\n  tokenType?: string;\n  idToken?: string;\n}\n\nexport type AuthFlowDescriptor =\n  | { kind: 'credentials'; connection?: string; provider?: string; credentials: Credentials }\n  | { kind: 'auth_url'; connection?: string; provider?: string; url: string; txn?: string; state?: string; codeVerifier?: string; poll?: { statusUrl: string; interval?: number }; hint?: string }\n  | { kind: 'device_code'; connection?: string; provider?: string; txn?: string; device: { userCode: string; verificationUri: string; verificationUriComplete?: string; expiresIn: number; interval: number }; poll?: { statusUrl: string; interval?: number }; hint?: string }\n  | { kind: 'error'; error: string; code?: number };\n\nexport class AuthRequiredError extends Error {\n  public descriptor: AuthFlowDescriptor;\n\n  constructor(descriptor: AuthFlowDescriptor, message?: string) {\n    super(message || `Authentication required: ${descriptor.kind}`);\n    this.name = 'AuthRequiredError';\n    this.descriptor = descriptor;\n  }\n}\n\nexport interface CachedToken {\n  accessToken: string;\n  refreshToken?: string;\n  expiresAt?: number;\n  scope?: string;\n}\n\n/**\n * Tool config signature - explicit structural type mirroring SDK registerTool config\n *\n * Uses explicit structure instead of Parameters<> extraction to avoid TypeScript inference\n * collapse to 'never' when using ToolModule[] arrays. The deep conditional types from\n * Parameters<> cannot be unified across array elements.\n *\n * Validated against SDK signature for compatibility - compile errors if SDK changes.\n *\n * NOTE: This type is duplicated in @mcp-z/server for architectural independence.\n * Keep these definitions synchronized manually when updating.\n */\nexport type ToolConfig = {\n  title?: string;\n  description?: string;\n  inputSchema?: ZodRawShapeCompat | AnySchema;\n  outputSchema?: ZodRawShapeCompat | AnySchema;\n  annotations?: ToolAnnotations;\n  _meta?: Record<string, unknown>;\n};\n\n// Compile-time validation that ToolConfig is compatible with SDK\ntype _ValidateToolConfigAssignable = ToolConfig extends Parameters<McpServer['registerTool']>[1] ? true : never;\ntype _ValidateToolConfigReceivable = Parameters<McpServer['registerTool']>[1] extends ToolConfig ? true : never;\n\n/**\n * Tool handler signature with generic support for middleware.\n *\n * @template TArgs - Tool arguments type (default: unknown for SDK compatibility)\n * @template TExtra - Request handler extra type (default: RequestHandlerExtra from SDK)\n *\n * Defaults provide SDK-extracted types for compatibility with MCP SDK.\n * Generic parameters enable type-safe middleware transformation.\n *\n * NOTE: This interface is duplicated in @mcp-z/server for architectural independence.\n * Keep these definitions synchronized manually when updating.\n */\nexport type ToolHandler<TArgs = unknown, TExtra = RequestHandlerExtra<ServerRequest, ServerNotification>> = (args: TArgs, extra: TExtra) => Promise<CallToolResult>;\n\n/**\n * Tool module interface with bounded generics.\n *\n * @template TConfig - Tool config type (default: SDK ToolConfig)\n * @template THandler - Handler function type (default: SDK ToolHandler)\n *\n * Use without generics for SDK-typed tools:\n * - Business tool factories: `ToolModule`\n * - Tool registration: `ToolModule[]`\n *\n * Use with generics for middleware transformation:\n * - Auth middleware: `ToolModule<ToolConfig, ToolHandler<TArgs, EnrichedExtra>>`\n *\n * The bounds ensure compatibility with SDK registration.\n *\n * NOTE: This interface is duplicated in @mcp-z/server for architectural independence.\n * Keep these definitions synchronized manually when updating.\n *\n * @see {@link ToolHandler} for handler function signature\n * @see {@link AuthMiddlewareWrapper} for middleware wrapper pattern\n */\nexport interface ToolModule<TConfig = ToolConfig, THandler = unknown> {\n  name: string;\n  config: TConfig;\n  handler: THandler;\n}\n\n/**\n * Middleware wrapper that enriches tool modules with authentication context.\n *\n * Wraps plain tool modules to inject authentication, logging, and request metadata.\n * The wrapper pattern allows separation of business logic from cross-cutting concerns.\n *\n * @template TArgs - Tool arguments type (inferred from tool module)\n * @template TExtra - Enriched extra type with auth context and logger\n *\n * @param toolModule - Plain tool module to wrap with auth middleware\n * @returns Wrapped tool module with enriched handler signature\n *\n * @remarks\n * Auth middleware wrappers typically:\n * - Extract auth context from MCP request or OAuth provider\n * - Inject logger instance for structured logging\n * - Handle authentication errors with proper MCP error responses\n * - Preserve tool configuration and metadata\n *\n * @example\n * ```typescript\n * // Actual usage pattern from OAuth providers (LoopbackOAuthProvider, ServiceAccountProvider, DcrOAuthProvider)\n * const provider = new LoopbackOAuthProvider({ service: 'gmail', ... });\n * const authMiddleware = provider.authMiddleware();\n *\n * // Apply middleware to tools (handlers receive enriched extra with authContext)\n * const tools = toolFactories.map(f => f()).map(authMiddleware.withToolAuth);\n * const resources = resourceFactories.map(f => f()).map(authMiddleware.withResourceAuth);\n * const prompts = promptFactories.map(f => f()).map(authMiddleware.withPromptAuth);\n *\n * // Tool handler receives enriched extra with guaranteed authContext\n * async function handler({ id }: In, extra: EnrichedExtra) {\n *   // extra.authContext.auth is OAuth2Client (from middleware)\n *   const gmail = google.gmail({ version: 'v1', auth: extra.authContext.auth });\n *   // ... business logic with authenticated context\n * }\n * ```\n *\n * @see {@link ToolModule} for base tool interface\n * @see {@link ToolHandler} for handler function signature\n */\nexport type AuthMiddlewareWrapper<TArgs = unknown, TExtra = RequestHandlerExtra<ServerRequest, ServerNotification>> = (toolModule: ToolModule) => ToolModule<ToolConfig, ToolHandler<TArgs, TExtra>>;\n\n/**\n * Base interface for stateful OAuth adapters (LoopbackOAuthProvider pattern)\n *\n * Stateful adapters manage token storage, refresh, and multi-account state.\n * Used for local development, test setup, and CI/CD workflows.\n *\n * Key characteristics:\n * - Token storage and retrieval via tokenStore\n * - Automatic token refresh with provider\n * - Interactive OAuth flows (browser, ephemeral server)\n * - Multi-account management\n *\n * Parameter usage:\n * - accountId: Account identifier (email address for token storage)\n */\nexport interface OAuth2TokenStorageProvider {\n  /**\n   * Get access token for the specified account.\n   * If token is expired, automatically refreshes it.\n   * If token is missing, triggers OAuth flow (interactive) or throws AuthRequired (headless).\n   *\n   * @param accountId - Account identifier for multi-account support\n   * @returns Access token string\n   */\n  getAccessToken(accountId?: string): Promise<string>;\n\n  /**\n   * Get email address for the specified account.\n   * Used during account registration to verify identity with provider.\n   *\n   * @param accountId - Account identifier\n   * @returns Email address from provider verification\n   */\n  getUserEmail(accountId?: string): Promise<string>;\n}\n"],"names":["AccountManagerError","Error","message","code","retryable","name","AccountNotFoundError","accountRef","ConfigurationError","RequiresAuthenticationError","service","accountId","AuthRequiredError","descriptor","kind"],"mappings":"AAAA;;CAEC,GAsHD,OAAO,MAAMA,4BAA4BC;IAIvC,YAAYC,OAAe,EAAEC,IAAY,EAAEC,YAAY,KAAK,CAAE;QAC5D,KAAK,CAACF;QACN,IAAI,CAACG,IAAI,GAAG;QACZ,IAAI,CAACF,IAAI,GAAGA;QACZ,IAAI,CAACC,SAAS,GAAGA;IACnB;AACF;AAEA,OAAO,MAAME,6BAA6BN;IACxC,YAAYO,UAAkB,CAAE;QAC9B,KAAK,CAAC,CAAC,SAAS,EAAEA,WAAW,WAAW,CAAC,EAAE,qBAAqB;IAClE;AACF;AAEA,OAAO,MAAMC,2BAA2BR;IACtC,YAAYE,OAAe,CAAE;QAC3B,KAAK,CAAC,CAAC,qBAAqB,EAAEA,SAAS,EAAE,uBAAuB;IAClE;AACF;AAEA,OAAO,MAAMO,oCAAoCT;IAG/C,YAAYU,OAAe,EAAEC,SAAkB,CAAE;QAC/C,MAAMT,UAAUS,YAAY,CAAC,qBAAqB,EAAED,QAAQ,WAAW,EAAEC,UAAU,kCAAkC,CAAC,GAAG,CAAC,qBAAqB,EAAED,QAAQ,iCAAiC,CAAC;QAC3L,KAAK,CAACR,SAAS,2BAA2B;QAC1C,IAAI,CAACS,SAAS,GAAGA;IACnB;AACF;AA8CA,OAAO,MAAMC,0BAA0BX;IAGrC,YAAYY,UAA8B,EAAEX,OAAgB,CAAE;QAC5D,KAAK,CAACA,WAAW,CAAC,yBAAyB,EAAEW,WAAWC,IAAI,EAAE;QAC9D,IAAI,CAACT,IAAI,GAAG;QACZ,IAAI,CAACQ,UAAU,GAAGA;IACpB;AACF"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mcp-z/oauth",
-  "version": "1.0.0",
+  "version": "1.0.1",
   "description": "Multi-account orchestration and secure token storage for OAuth-based MCP servers",
   "keywords": [
     "mcp",
@@ -60,7 +60,7 @@
   },
   "dependencies": {
     "@modelcontextprotocol/sdk": "^1.0.0",
-    "jose": "^6.1.3",
+    "jose": "^6.0.0",
     "keyv": "^5.5.5",
     "keyv-file": "^5.3.3",
     "zod": "^4.0.0"