@mcp-z/oauth 1.0.0

package/dist/esm/templates.js

@@ -0,0 +1,132 @@
+/**
+ * HTML templates for OAuth callback pages
+ *
+ * These templates are shown in the browser after OAuth authorization
+ * for loopback OAuth flows (RFC 8252).
+ */ /**
+ * HTML template for successful OAuth authorization
+ */ export function getSuccessTemplate() {
+    return `
+<!DOCTYPE html>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Authorization Successful</title>
+  <style>
+    body {
+      font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Oxygen, Ubuntu, Cantarell, sans-serif;
+      display: flex;
+      justify-content: center;
+      align-items: center;
+      height: 100vh;
+      margin: 0;
+      background: linear-gradient(135deg, #e8ebf7 0%, #ede9f2 100%);
+    }
+    .container {
+      background: white;
+      padding: 3rem;
+      border-radius: 1rem;
+      box-shadow: 0 20px 60px rgba(0,0,0,0.3);
+      text-align: center;
+      max-width: 400px;
+    }
+    h1 {
+      color: #2d3748;
+      margin-bottom: 1rem;
+      font-size: 1.875rem;
+    }
+    p {
+      color: #718096;
+      font-size: 1.125rem;
+      margin-bottom: 1.5rem;
+    }
+    .icon {
+      font-size: 4rem;
+      margin-bottom: 1rem;
+    }
+  </style>
+</head>
+<body>
+  <div class="container">
+    <div class="icon">✅</div>
+    <h1>Authorization Successful!</h1>
+    <p>You can close this window and return to your terminal.</p>
+  </div>
+  <script>
+    // Auto-close after 3 seconds
+    setTimeout(() => {
+      window.close();
+    }, 3000);
+  </script>
+</body>
+</html>
+  `.trim();
+}
+/**
+ * HTML template for OAuth error
+ */ export function getErrorTemplate(error) {
+    return `
+<!DOCTYPE html>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Authorization Failed</title>
+  <style>
+    body {
+      font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Oxygen, Ubuntu, Cantarell, sans-serif;
+      display: flex;
+      justify-content: center;
+      align-items: center;
+      height: 100vh;
+      margin: 0;
+      background: linear-gradient(135deg, #fce9f7 0%, #faebed 100%);
+    }
+    .container {
+      background: white;
+      padding: 3rem;
+      border-radius: 1rem;
+      box-shadow: 0 20px 60px rgba(0,0,0,0.3);
+      text-align: center;
+      max-width: 400px;
+    }
+    h1 {
+      color: #2d3748;
+      margin-bottom: 1rem;
+      font-size: 1.875rem;
+    }
+    p {
+      color: #718096;
+      font-size: 1.125rem;
+      margin-bottom: 1.5rem;
+    }
+    .error {
+      background: #fed7d7;
+      color: #9b2c2c;
+      padding: 0.75rem;
+      border-radius: 0.5rem;
+      margin-top: 1rem;
+      font-family: monospace;
+      font-size: 0.875rem;
+    }
+    .icon {
+      font-size: 4rem;
+      margin-bottom: 1rem;
+    }
+  </style>
+</head>
+<body>
+  <div class="container">
+    <div class="icon">❌</div>
+    <h1>Authorization Failed</h1>
+    <p>Please try again from your terminal.</p>
+    <div class="error">${escapeHtml(error)}</div>
+  </div>
+</body>
+</html>
+  `.trim();
+}
+/**
+ * Escape HTML special characters to prevent XSS
+ */ export function escapeHtml(unsafe) {
+    return unsafe.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;').replace(/'/g, '&#039;');
+}

package/dist/esm/templates.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["/Users/kevin/Dev/Projects/ai/mcp-z/oauth/oauth/src/templates.ts"],"sourcesContent":["/**\n * HTML templates for OAuth callback pages\n *\n * These templates are shown in the browser after OAuth authorization\n * for loopback OAuth flows (RFC 8252).\n */\n\n/**\n * HTML template for successful OAuth authorization\n */\nexport function getSuccessTemplate(): string {\n  return `\n<!DOCTYPE html>\n<html>\n<head>\n  <meta charset=\"utf-8\">\n  <title>Authorization Successful</title>\n  <style>\n    body {\n      font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Oxygen, Ubuntu, Cantarell, sans-serif;\n      display: flex;\n      justify-content: center;\n      align-items: center;\n      height: 100vh;\n      margin: 0;\n      background: linear-gradient(135deg, #e8ebf7 0%, #ede9f2 100%);\n    }\n    .container {\n      background: white;\n      padding: 3rem;\n      border-radius: 1rem;\n      box-shadow: 0 20px 60px rgba(0,0,0,0.3);\n      text-align: center;\n      max-width: 400px;\n    }\n    h1 {\n      color: #2d3748;\n      margin-bottom: 1rem;\n      font-size: 1.875rem;\n    }\n    p {\n      color: #718096;\n      font-size: 1.125rem;\n      margin-bottom: 1.5rem;\n    }\n    .icon {\n      font-size: 4rem;\n      margin-bottom: 1rem;\n    }\n  </style>\n</head>\n<body>\n  <div class=\"container\">\n    <div class=\"icon\">✅</div>\n    <h1>Authorization Successful!</h1>\n    <p>You can close this window and return to your terminal.</p>\n  </div>\n  <script>\n    // Auto-close after 3 seconds\n    setTimeout(() => {\n      window.close();\n    }, 3000);\n  </script>\n</body>\n</html>\n  `.trim();\n}\n\n/**\n * HTML template for OAuth error\n */\nexport function getErrorTemplate(error: string): string {\n  return `\n<!DOCTYPE html>\n<html>\n<head>\n  <meta charset=\"utf-8\">\n  <title>Authorization Failed</title>\n  <style>\n    body {\n      font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Oxygen, Ubuntu, Cantarell, sans-serif;\n      display: flex;\n      justify-content: center;\n      align-items: center;\n      height: 100vh;\n      margin: 0;\n      background: linear-gradient(135deg, #fce9f7 0%, #faebed 100%);\n    }\n    .container {\n      background: white;\n      padding: 3rem;\n      border-radius: 1rem;\n      box-shadow: 0 20px 60px rgba(0,0,0,0.3);\n      text-align: center;\n      max-width: 400px;\n    }\n    h1 {\n      color: #2d3748;\n      margin-bottom: 1rem;\n      font-size: 1.875rem;\n    }\n    p {\n      color: #718096;\n      font-size: 1.125rem;\n      margin-bottom: 1.5rem;\n    }\n    .error {\n      background: #fed7d7;\n      color: #9b2c2c;\n      padding: 0.75rem;\n      border-radius: 0.5rem;\n      margin-top: 1rem;\n      font-family: monospace;\n      font-size: 0.875rem;\n    }\n    .icon {\n      font-size: 4rem;\n      margin-bottom: 1rem;\n    }\n  </style>\n</head>\n<body>\n  <div class=\"container\">\n    <div class=\"icon\">❌</div>\n    <h1>Authorization Failed</h1>\n    <p>Please try again from your terminal.</p>\n    <div class=\"error\">${escapeHtml(error)}</div>\n  </div>\n</body>\n</html>\n  `.trim();\n}\n\n/**\n * Escape HTML special characters to prevent XSS\n */\nexport function escapeHtml(unsafe: string): string {\n  return unsafe.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/\"/g, '&quot;').replace(/'/g, '&#039;');\n}\n"],"names":["getSuccessTemplate","trim","getErrorTemplate","error","escapeHtml","unsafe","replace"],"mappings":"AAAA;;;;;CAKC,GAED;;CAEC,GACD,OAAO,SAASA;IACd,OAAO,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAsDR,CAAC,CAACC,IAAI;AACR;AAEA;;CAEC,GACD,OAAO,SAASC,iBAAiBC,KAAa;IAC5C,OAAO,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;uBAsDa,EAAEC,WAAWD,OAAO;;;;EAIzC,CAAC,CAACF,IAAI;AACR;AAEA;;CAEC,GACD,OAAO,SAASG,WAAWC,MAAc;IACvC,OAAOA,OAAOC,OAAO,CAAC,MAAM,SAASA,OAAO,CAAC,MAAM,QAAQA,OAAO,CAAC,MAAM,QAAQA,OAAO,CAAC,MAAM,UAAUA,OAAO,CAAC,MAAM;AACzH"}

package/dist/esm/types.d.ts

@@ -0,0 +1,343 @@
+/**
+ * Type definitions for multi-account management and OAuth integration
+ */
+import type { AnySchema, ZodRawShapeCompat } from '@modelcontextprotocol/sdk/server/zod-compat.js';
+import type { RequestHandlerExtra } from '@modelcontextprotocol/sdk/shared/protocol.js';
+import type { CallToolResult, GetPromptResult, ServerNotification, ServerRequest, ToolAnnotations } from '@modelcontextprotocol/sdk/types.js';
+export type Logger = Pick<Console, 'info' | 'error' | 'warn' | 'debug'>;
+export interface AccountInfo {
+    email: string;
+    alias?: string;
+    addedAt: string;
+    lastUsed?: string;
+    metadata?: {
+        name?: string;
+        picture?: string;
+        [key: string]: unknown;
+    };
+}
+/**
+ * MCP tool module definition with configuration and handler function.
+ *
+ * Represents a registered tool in the Model Context Protocol server that can be
+ * invoked by MCP clients. Tools are the primary mechanism for executing operations
+ * in response to client requests.
+ *
+ * @property name - Unique tool identifier (e.g., "gmail-message-send", "sheets-values-get")
+ * @property config - Tool configuration including description and schemas
+ * @property config.description - Human-readable description shown to MCP clients
+ * @property config.inputSchema - Zod schema defining tool arguments (JSON-serializable)
+ * @property config.outputSchema - Zod schema defining tool response structure
+ * @property handler - Async function that executes the tool operation
+ *
+ * @remarks
+ * This is the runtime representation of an MCP tool after registration. The handler
+ * receives JSON-serializable arguments validated against inputSchema and returns
+ * a CallToolResult validated against outputSchema.
+ *
+ * Tools are typically created using tool factory functions and registered with the
+ * MCP server during initialization.
+ *
+ * @example
+ * ```typescript
+ * const tool: McpTool = {
+ *   name: "gmail-message-send",
+ *   config: {
+ *     description: "Send an email message",
+ *     inputSchema: { to: { type: "string" }, subject: { type: "string" } },
+ *     outputSchema: { result: { type: "object" } }
+ *   },
+ *   handler: async (args, context) => {
+ *     // Implementation
+ *     return { content: [{ type: "text", text: "Message sent" }] };
+ *   }
+ * };
+ * ```
+ *
+ * @see {@link McpPrompt} for prompt module definition
+ */
+export interface McpTool {
+    name: string;
+    config: {
+        description: string;
+        inputSchema: Record<string, unknown>;
+        outputSchema: Record<string, unknown>;
+    };
+    handler: (args: unknown, context?: unknown) => Promise<CallToolResult>;
+}
+/**
+ * MCP prompt module definition with configuration and handler function.
+ *
+ * Represents a registered prompt template in the Model Context Protocol server that
+ * can be retrieved and rendered by MCP clients. Prompts provide reusable templates
+ * for common interaction patterns.
+ *
+ * @property name - Unique prompt identifier (e.g., "draft-email", "summarize-thread")
+ * @property config - Prompt configuration (schema and metadata are prompt-specific)
+ * @property handler - Async function that generates the prompt content
+ *
+ * @remarks
+ * This is the runtime representation of an MCP prompt after registration. Unlike
+ * {@link McpTool} which executes operations, prompts generate templated content
+ * that clients can use to structure interactions.
+ *
+ * The handler receives optional arguments and returns a GetPromptResult containing
+ * the rendered prompt messages.
+ *
+ * @example
+ * ```typescript
+ * const prompt: McpPrompt = {
+ *   name: "draft-email",
+ *   config: {
+ *     description: "Generate email draft from key points",
+ *     arguments: [{ name: "points", description: "Key points to include" }]
+ *   },
+ *   handler: async (args) => {
+ *     const points = args?.points || [];
+ *     return {
+ *       messages: [{
+ *         role: "user",
+ *         content: { type: "text", text: `Draft email covering: ${points.join(", ")}` }
+ *       }]
+ *     };
+ *   }
+ * };
+ * ```
+ *
+ * @see {@link McpTool} for tool module definition
+ */
+export interface McpPrompt {
+    name: string;
+    config: unknown;
+    handler: (args: unknown) => Promise<GetPromptResult>;
+}
+export declare class AccountManagerError extends Error {
+    code: string;
+    retryable: boolean;
+    constructor(message: string, code: string, retryable?: boolean);
+}
+export declare class AccountNotFoundError extends AccountManagerError {
+    constructor(accountRef: string);
+}
+export declare class ConfigurationError extends AccountManagerError {
+    constructor(message: string);
+}
+export declare class RequiresAuthenticationError extends AccountManagerError {
+    accountId: string | undefined;
+    constructor(service: string, accountId?: string);
+}
+export interface AuthEmailProvider {
+    getUserEmail(accountId?: string): Promise<string>;
+    authenticateNewAccount?(): Promise<string>;
+}
+export interface UserAuthProvider {
+    getUserId(req: unknown): Promise<string>;
+}
+export interface JWTUserAuthConfig {
+    secret?: string;
+    publicKey?: string | object;
+    jwksUrl?: string;
+    issuer?: string | string[];
+    audience?: string | string[];
+    userIdClaim?: string;
+    algorithms?: string[];
+    clockTolerance?: number;
+}
+export interface SessionUserAuthConfig {
+    sessionSecret: string;
+    cookieName?: string;
+    algorithm?: 'sha256' | 'sha512';
+}
+export interface Credentials {
+    accessToken: string;
+    expiresAt?: number;
+    refreshToken?: string;
+    scope?: string;
+    tokenType?: string;
+    idToken?: string;
+}
+export type AuthFlowDescriptor = {
+    kind: 'credentials';
+    connection?: string;
+    provider?: string;
+    credentials: Credentials;
+} | {
+    kind: 'auth_url';
+    connection?: string;
+    provider?: string;
+    url: string;
+    txn?: string;
+    state?: string;
+    codeVerifier?: string;
+    poll?: {
+        statusUrl: string;
+        interval?: number;
+    };
+    hint?: string;
+} | {
+    kind: 'device_code';
+    connection?: string;
+    provider?: string;
+    txn?: string;
+    device: {
+        userCode: string;
+        verificationUri: string;
+        verificationUriComplete?: string;
+        expiresIn: number;
+        interval: number;
+    };
+    poll?: {
+        statusUrl: string;
+        interval?: number;
+    };
+    hint?: string;
+} | {
+    kind: 'error';
+    error: string;
+    code?: number;
+};
+export declare class AuthRequiredError extends Error {
+    descriptor: AuthFlowDescriptor;
+    constructor(descriptor: AuthFlowDescriptor, message?: string);
+}
+export interface CachedToken {
+    accessToken: string;
+    refreshToken?: string;
+    expiresAt?: number;
+    scope?: string;
+}
+/**
+ * Tool config signature - explicit structural type mirroring SDK registerTool config
+ *
+ * Uses explicit structure instead of Parameters<> extraction to avoid TypeScript inference
+ * collapse to 'never' when using ToolModule[] arrays. The deep conditional types from
+ * Parameters<> cannot be unified across array elements.
+ *
+ * Validated against SDK signature for compatibility - compile errors if SDK changes.
+ *
+ * NOTE: This type is duplicated in @mcp-z/server for architectural independence.
+ * Keep these definitions synchronized manually when updating.
+ */
+export type ToolConfig = {
+    title?: string;
+    description?: string;
+    inputSchema?: ZodRawShapeCompat | AnySchema;
+    outputSchema?: ZodRawShapeCompat | AnySchema;
+    annotations?: ToolAnnotations;
+    _meta?: Record<string, unknown>;
+};
+/**
+ * Tool handler signature with generic support for middleware.
+ *
+ * @template TArgs - Tool arguments type (default: unknown for SDK compatibility)
+ * @template TExtra - Request handler extra type (default: RequestHandlerExtra from SDK)
+ *
+ * Defaults provide SDK-extracted types for compatibility with MCP SDK.
+ * Generic parameters enable type-safe middleware transformation.
+ *
+ * NOTE: This interface is duplicated in @mcp-z/server for architectural independence.
+ * Keep these definitions synchronized manually when updating.
+ */
+export type ToolHandler<TArgs = unknown, TExtra = RequestHandlerExtra<ServerRequest, ServerNotification>> = (args: TArgs, extra: TExtra) => Promise<CallToolResult>;
+/**
+ * Tool module interface with bounded generics.
+ *
+ * @template TConfig - Tool config type (default: SDK ToolConfig)
+ * @template THandler - Handler function type (default: SDK ToolHandler)
+ *
+ * Use without generics for SDK-typed tools:
+ * - Business tool factories: `ToolModule`
+ * - Tool registration: `ToolModule[]`
+ *
+ * Use with generics for middleware transformation:
+ * - Auth middleware: `ToolModule<ToolConfig, ToolHandler<TArgs, EnrichedExtra>>`
+ *
+ * The bounds ensure compatibility with SDK registration.
+ *
+ * NOTE: This interface is duplicated in @mcp-z/server for architectural independence.
+ * Keep these definitions synchronized manually when updating.
+ *
+ * @see {@link ToolHandler} for handler function signature
+ * @see {@link AuthMiddlewareWrapper} for middleware wrapper pattern
+ */
+export interface ToolModule<TConfig = ToolConfig, THandler = unknown> {
+    name: string;
+    config: TConfig;
+    handler: THandler;
+}
+/**
+ * Middleware wrapper that enriches tool modules with authentication context.
+ *
+ * Wraps plain tool modules to inject authentication, logging, and request metadata.
+ * The wrapper pattern allows separation of business logic from cross-cutting concerns.
+ *
+ * @template TArgs - Tool arguments type (inferred from tool module)
+ * @template TExtra - Enriched extra type with auth context and logger
+ *
+ * @param toolModule - Plain tool module to wrap with auth middleware
+ * @returns Wrapped tool module with enriched handler signature
+ *
+ * @remarks
+ * Auth middleware wrappers typically:
+ * - Extract auth context from MCP request or OAuth provider
+ * - Inject logger instance for structured logging
+ * - Handle authentication errors with proper MCP error responses
+ * - Preserve tool configuration and metadata
+ *
+ * @example
+ * ```typescript
+ * // Actual usage pattern from OAuth providers (LoopbackOAuthProvider, ServiceAccountProvider, DcrOAuthProvider)
+ * const provider = new LoopbackOAuthProvider({ service: 'gmail', ... });
+ * const authMiddleware = provider.authMiddleware();
+ *
+ * // Apply middleware to tools (handlers receive enriched extra with authContext)
+ * const tools = toolFactories.map(f => f()).map(authMiddleware.withToolAuth);
+ * const resources = resourceFactories.map(f => f()).map(authMiddleware.withResourceAuth);
+ * const prompts = promptFactories.map(f => f()).map(authMiddleware.withPromptAuth);
+ *
+ * // Tool handler receives enriched extra with guaranteed authContext
+ * async function handler({ id }: In, extra: EnrichedExtra) {
+ *   // extra.authContext.auth is OAuth2Client (from middleware)
+ *   const gmail = google.gmail({ version: 'v1', auth: extra.authContext.auth });
+ *   // ... business logic with authenticated context
+ * }
+ * ```
+ *
+ * @see {@link ToolModule} for base tool interface
+ * @see {@link ToolHandler} for handler function signature
+ */
+export type AuthMiddlewareWrapper<TArgs = unknown, TExtra = RequestHandlerExtra<ServerRequest, ServerNotification>> = (toolModule: ToolModule) => ToolModule<ToolConfig, ToolHandler<TArgs, TExtra>>;
+/**
+ * Base interface for stateful OAuth adapters (LoopbackOAuthProvider pattern)
+ *
+ * Stateful adapters manage token storage, refresh, and multi-account state.
+ * Used for local development, test setup, and CI/CD workflows.
+ *
+ * Key characteristics:
+ * - Token storage and retrieval via tokenStore
+ * - Automatic token refresh with provider
+ * - Interactive OAuth flows (browser, ephemeral server)
+ * - Multi-account management
+ *
+ * Parameter usage:
+ * - accountId: Account identifier (email address for token storage)
+ */
+export interface OAuth2TokenStorageProvider {
+    /**
+     * Get access token for the specified account.
+     * If token is expired, automatically refreshes it.
+     * If token is missing, triggers OAuth flow (interactive) or throws AuthRequired (headless).
+     *
+     * @param accountId - Account identifier for multi-account support
+     * @returns Access token string
+     */
+    getAccessToken(accountId?: string): Promise<string>;
+    /**
+     * Get email address for the specified account.
+     * Used during account registration to verify identity with provider.
+     *
+     * @param accountId - Account identifier
+     * @returns Email address from provider verification
+     */
+    getUserEmail(accountId?: string): Promise<string>;
+}

package/dist/esm/types.js

@@ -0,0 +1,34 @@
+/**
+ * Type definitions for multi-account management and OAuth integration
+ */ export class AccountManagerError extends Error {
+    constructor(message, code, retryable = false){
+        super(message);
+        this.name = 'AccountManagerError';
+        this.code = code;
+        this.retryable = retryable;
+    }
+}
+export class AccountNotFoundError extends AccountManagerError {
+    constructor(accountRef){
+        super(`Account '${accountRef}' not found`, 'ACCOUNT_NOT_FOUND', false);
+    }
+}
+export class ConfigurationError extends AccountManagerError {
+    constructor(message){
+        super(`Configuration error: ${message}`, 'CONFIGURATION_ERROR', false);
+    }
+}
+export class RequiresAuthenticationError extends AccountManagerError {
+    constructor(service, accountId){
+        const message = accountId ? `No account found for ${service} (account: ${accountId}). Use account-add to connect one.` : `No account found for ${service}. Use account-add to connect one.`;
+        super(message, 'REQUIRES_AUTHENTICATION', false);
+        this.accountId = accountId;
+    }
+}
+export class AuthRequiredError extends Error {
+    constructor(descriptor, message){
+        super(message || `Authentication required: ${descriptor.kind}`);
+        this.name = 'AuthRequiredError';
+        this.descriptor = descriptor;
+    }
+}

package/dist/esm/types.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["/Users/kevin/Dev/Projects/ai/mcp-z/oauth/oauth/src/types.ts"],"sourcesContent":["/**\n * Type definitions for multi-account management and OAuth integration\n */\n\nimport type { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';\nimport type { AnySchema, ZodRawShapeCompat } from '@modelcontextprotocol/sdk/server/zod-compat.js';\nimport type { RequestHandlerExtra } from '@modelcontextprotocol/sdk/shared/protocol.js';\nimport type { CallToolResult, GetPromptResult, ServerNotification, ServerRequest, ToolAnnotations } from '@modelcontextprotocol/sdk/types.js';\n\nexport type Logger = Pick<Console, 'info' | 'error' | 'warn' | 'debug'>;\n\nexport interface AccountInfo {\n  email: string;\n  alias?: string;\n  addedAt: string;\n  lastUsed?: string;\n  metadata?: {\n    name?: string;\n    picture?: string;\n    [key: string]: unknown;\n  };\n}\n\n/**\n * MCP tool module definition with configuration and handler function.\n *\n * Represents a registered tool in the Model Context Protocol server that can be\n * invoked by MCP clients. Tools are the primary mechanism for executing operations\n * in response to client requests.\n *\n * @property name - Unique tool identifier (e.g., \"gmail-message-send\", \"sheets-values-get\")\n * @property config - Tool configuration including description and schemas\n * @property config.description - Human-readable description shown to MCP clients\n * @property config.inputSchema - Zod schema defining tool arguments (JSON-serializable)\n * @property config.outputSchema - Zod schema defining tool response structure\n * @property handler - Async function that executes the tool operation\n *\n * @remarks\n * This is the runtime representation of an MCP tool after registration. The handler\n * receives JSON-serializable arguments validated against inputSchema and returns\n * a CallToolResult validated against outputSchema.\n *\n * Tools are typically created using tool factory functions and registered with the\n * MCP server during initialization.\n *\n * @example\n * ```typescript\n * const tool: McpTool = {\n *   name: \"gmail-message-send\",\n *   config: {\n *     description: \"Send an email message\",\n *     inputSchema: { to: { type: \"string\" }, subject: { type: \"string\" } },\n *     outputSchema: { result: { type: \"object\" } }\n *   },\n *   handler: async (args, context) => {\n *     // Implementation\n *     return { content: [{ type: \"text\", text: \"Message sent\" }] };\n *   }\n * };\n * ```\n *\n * @see {@link McpPrompt} for prompt module definition\n */\nexport interface McpTool {\n  name: string;\n  config: {\n    description: string;\n    inputSchema: Record<string, unknown>;\n    outputSchema: Record<string, unknown>;\n  };\n  handler: (args: unknown, context?: unknown) => Promise<CallToolResult>;\n}\n\n/**\n * MCP prompt module definition with configuration and handler function.\n *\n * Represents a registered prompt template in the Model Context Protocol server that\n * can be retrieved and rendered by MCP clients. Prompts provide reusable templates\n * for common interaction patterns.\n *\n * @property name - Unique prompt identifier (e.g., \"draft-email\", \"summarize-thread\")\n * @property config - Prompt configuration (schema and metadata are prompt-specific)\n * @property handler - Async function that generates the prompt content\n *\n * @remarks\n * This is the runtime representation of an MCP prompt after registration. Unlike\n * {@link McpTool} which executes operations, prompts generate templated content\n * that clients can use to structure interactions.\n *\n * The handler receives optional arguments and returns a GetPromptResult containing\n * the rendered prompt messages.\n *\n * @example\n * ```typescript\n * const prompt: McpPrompt = {\n *   name: \"draft-email\",\n *   config: {\n *     description: \"Generate email draft from key points\",\n *     arguments: [{ name: \"points\", description: \"Key points to include\" }]\n *   },\n *   handler: async (args) => {\n *     const points = args?.points || [];\n *     return {\n *       messages: [{\n *         role: \"user\",\n *         content: { type: \"text\", text: `Draft email covering: ${points.join(\", \")}` }\n *       }]\n *     };\n *   }\n * };\n * ```\n *\n * @see {@link McpTool} for tool module definition\n */\nexport interface McpPrompt {\n  name: string;\n  config: unknown;\n  handler: (args: unknown) => Promise<GetPromptResult>;\n}\n\nexport class AccountManagerError extends Error {\n  public code: string;\n  public retryable: boolean;\n\n  constructor(message: string, code: string, retryable = false) {\n    super(message);\n    this.name = 'AccountManagerError';\n    this.code = code;\n    this.retryable = retryable;\n  }\n}\n\nexport class AccountNotFoundError extends AccountManagerError {\n  constructor(accountRef: string) {\n    super(`Account '${accountRef}' not found`, 'ACCOUNT_NOT_FOUND', false);\n  }\n}\n\nexport class ConfigurationError extends AccountManagerError {\n  constructor(message: string) {\n    super(`Configuration error: ${message}`, 'CONFIGURATION_ERROR', false);\n  }\n}\n\nexport class RequiresAuthenticationError extends AccountManagerError {\n  public accountId: string | undefined;\n\n  constructor(service: string, accountId?: string) {\n    const message = accountId ? `No account found for ${service} (account: ${accountId}). Use account-add to connect one.` : `No account found for ${service}. Use account-add to connect one.`;\n    super(message, 'REQUIRES_AUTHENTICATION', false);\n    this.accountId = accountId;\n  }\n}\n\nexport interface AuthEmailProvider {\n  getUserEmail(accountId?: string): Promise<string>;\n  authenticateNewAccount?(): Promise<string>;\n}\n\nexport interface UserAuthProvider {\n  getUserId(req: unknown): Promise<string>; // Throws if auth invalid\n}\n\nexport interface JWTUserAuthConfig {\n  secret?: string; // HS256 - MUST be at least 32 characters\n  publicKey?: string | object; // RS256/ES256 - PEM string, JWK object, or JWKS URL\n  jwksUrl?: string; // Alternative to publicKey\n  issuer?: string | string[];\n  audience?: string | string[];\n  userIdClaim?: string; // Default: 'sub'\n  algorithms?: string[]; // Default: auto-detect\n  clockTolerance?: number; // Default: 0\n}\n\nexport interface SessionUserAuthConfig {\n  sessionSecret: string; // MUST be at least 32 characters\n  cookieName?: string; // Default: 'session'\n  algorithm?: 'sha256' | 'sha512'; // Default: 'sha256'\n}\n\nexport interface Credentials {\n  accessToken: string;\n  expiresAt?: number;\n  refreshToken?: string;\n  scope?: string;\n  tokenType?: string;\n  idToken?: string;\n}\n\nexport type AuthFlowDescriptor =\n  | { kind: 'credentials'; connection?: string; provider?: string; credentials: Credentials }\n  | { kind: 'auth_url'; connection?: string; provider?: string; url: string; txn?: string; state?: string; codeVerifier?: string; poll?: { statusUrl: string; interval?: number }; hint?: string }\n  | { kind: 'device_code'; connection?: string; provider?: string; txn?: string; device: { userCode: string; verificationUri: string; verificationUriComplete?: string; expiresIn: number; interval: number }; poll?: { statusUrl: string; interval?: number }; hint?: string }\n  | { kind: 'error'; error: string; code?: number };\n\nexport class AuthRequiredError extends Error {\n  public descriptor: AuthFlowDescriptor;\n\n  constructor(descriptor: AuthFlowDescriptor, message?: string) {\n    super(message || `Authentication required: ${descriptor.kind}`);\n    this.name = 'AuthRequiredError';\n    this.descriptor = descriptor;\n  }\n}\n\nexport interface CachedToken {\n  accessToken: string;\n  refreshToken?: string;\n  expiresAt?: number;\n  scope?: string;\n}\n\n/**\n * Tool config signature - explicit structural type mirroring SDK registerTool config\n *\n * Uses explicit structure instead of Parameters<> extraction to avoid TypeScript inference\n * collapse to 'never' when using ToolModule[] arrays. The deep conditional types from\n * Parameters<> cannot be unified across array elements.\n *\n * Validated against SDK signature for compatibility - compile errors if SDK changes.\n *\n * NOTE: This type is duplicated in @mcp-z/server for architectural independence.\n * Keep these definitions synchronized manually when updating.\n */\nexport type ToolConfig = {\n  title?: string;\n  description?: string;\n  inputSchema?: ZodRawShapeCompat | AnySchema;\n  outputSchema?: ZodRawShapeCompat | AnySchema;\n  annotations?: ToolAnnotations;\n  _meta?: Record<string, unknown>;\n};\n\n// Compile-time validation that ToolConfig is compatible with SDK\ntype _ValidateToolConfigAssignable = ToolConfig extends Parameters<McpServer['registerTool']>[1] ? true : never;\ntype _ValidateToolConfigReceivable = Parameters<McpServer['registerTool']>[1] extends ToolConfig ? true : never;\n\n/**\n * Tool handler signature with generic support for middleware.\n *\n * @template TArgs - Tool arguments type (default: unknown for SDK compatibility)\n * @template TExtra - Request handler extra type (default: RequestHandlerExtra from SDK)\n *\n * Defaults provide SDK-extracted types for compatibility with MCP SDK.\n * Generic parameters enable type-safe middleware transformation.\n *\n * NOTE: This interface is duplicated in @mcp-z/server for architectural independence.\n * Keep these definitions synchronized manually when updating.\n */\nexport type ToolHandler<TArgs = unknown, TExtra = RequestHandlerExtra<ServerRequest, ServerNotification>> = (args: TArgs, extra: TExtra) => Promise<CallToolResult>;\n\n/**\n * Tool module interface with bounded generics.\n *\n * @template TConfig - Tool config type (default: SDK ToolConfig)\n * @template THandler - Handler function type (default: SDK ToolHandler)\n *\n * Use without generics for SDK-typed tools:\n * - Business tool factories: `ToolModule`\n * - Tool registration: `ToolModule[]`\n *\n * Use with generics for middleware transformation:\n * - Auth middleware: `ToolModule<ToolConfig, ToolHandler<TArgs, EnrichedExtra>>`\n *\n * The bounds ensure compatibility with SDK registration.\n *\n * NOTE: This interface is duplicated in @mcp-z/server for architectural independence.\n * Keep these definitions synchronized manually when updating.\n *\n * @see {@link ToolHandler} for handler function signature\n * @see {@link AuthMiddlewareWrapper} for middleware wrapper pattern\n */\nexport interface ToolModule<TConfig = ToolConfig, THandler = unknown> {\n  name: string;\n  config: TConfig;\n  handler: THandler;\n}\n\n/**\n * Middleware wrapper that enriches tool modules with authentication context.\n *\n * Wraps plain tool modules to inject authentication, logging, and request metadata.\n * The wrapper pattern allows separation of business logic from cross-cutting concerns.\n *\n * @template TArgs - Tool arguments type (inferred from tool module)\n * @template TExtra - Enriched extra type with auth context and logger\n *\n * @param toolModule - Plain tool module to wrap with auth middleware\n * @returns Wrapped tool module with enriched handler signature\n *\n * @remarks\n * Auth middleware wrappers typically:\n * - Extract auth context from MCP request or OAuth provider\n * - Inject logger instance for structured logging\n * - Handle authentication errors with proper MCP error responses\n * - Preserve tool configuration and metadata\n *\n * @example\n * ```typescript\n * // Actual usage pattern from OAuth providers (LoopbackOAuthProvider, ServiceAccountProvider, DcrOAuthProvider)\n * const provider = new LoopbackOAuthProvider({ service: 'gmail', ... });\n * const authMiddleware = provider.authMiddleware();\n *\n * // Apply middleware to tools (handlers receive enriched extra with authContext)\n * const tools = toolFactories.map(f => f()).map(authMiddleware.withToolAuth);\n * const resources = resourceFactories.map(f => f()).map(authMiddleware.withResourceAuth);\n * const prompts = promptFactories.map(f => f()).map(authMiddleware.withPromptAuth);\n *\n * // Tool handler receives enriched extra with guaranteed authContext\n * async function handler({ id }: In, extra: EnrichedExtra) {\n *   // extra.authContext.auth is OAuth2Client (from middleware)\n *   const gmail = google.gmail({ version: 'v1', auth: extra.authContext.auth });\n *   // ... business logic with authenticated context\n * }\n * ```\n *\n * @see {@link ToolModule} for base tool interface\n * @see {@link ToolHandler} for handler function signature\n */\nexport type AuthMiddlewareWrapper<TArgs = unknown, TExtra = RequestHandlerExtra<ServerRequest, ServerNotification>> = (toolModule: ToolModule) => ToolModule<ToolConfig, ToolHandler<TArgs, TExtra>>;\n\n/**\n * Base interface for stateful OAuth adapters (LoopbackOAuthProvider pattern)\n *\n * Stateful adapters manage token storage, refresh, and multi-account state.\n * Used for local development, test setup, and CI/CD workflows.\n *\n * Key characteristics:\n * - Token storage and retrieval via tokenStore\n * - Automatic token refresh with provider\n * - Interactive OAuth flows (browser, ephemeral server)\n * - Multi-account management\n *\n * Parameter usage:\n * - accountId: Account identifier (email address for token storage)\n */\nexport interface OAuth2TokenStorageProvider {\n  /**\n   * Get access token for the specified account.\n   * If token is expired, automatically refreshes it.\n   * If token is missing, triggers OAuth flow (interactive) or throws AuthRequired (headless).\n   *\n   * @param accountId - Account identifier for multi-account support\n   * @returns Access token string\n   */\n  getAccessToken(accountId?: string): Promise<string>;\n\n  /**\n   * Get email address for the specified account.\n   * Used during account registration to verify identity with provider.\n   *\n   * @param accountId - Account identifier\n   * @returns Email address from provider verification\n   */\n  getUserEmail(accountId?: string): Promise<string>;\n}\n"],"names":["AccountManagerError","Error","message","code","retryable","name","AccountNotFoundError","accountRef","ConfigurationError","RequiresAuthenticationError","service","accountId","AuthRequiredError","descriptor","kind"],"mappings":"AAAA;;CAEC,GAsHD,OAAO,MAAMA,4BAA4BC;IAIvC,YAAYC,OAAe,EAAEC,IAAY,EAAEC,YAAY,KAAK,CAAE;QAC5D,KAAK,CAACF;QACN,IAAI,CAACG,IAAI,GAAG;QACZ,IAAI,CAACF,IAAI,GAAGA;QACZ,IAAI,CAACC,SAAS,GAAGA;IACnB;AACF;AAEA,OAAO,MAAME,6BAA6BN;IACxC,YAAYO,UAAkB,CAAE;QAC9B,KAAK,CAAC,CAAC,SAAS,EAAEA,WAAW,WAAW,CAAC,EAAE,qBAAqB;IAClE;AACF;AAEA,OAAO,MAAMC,2BAA2BR;IACtC,YAAYE,OAAe,CAAE;QAC3B,KAAK,CAAC,CAAC,qBAAqB,EAAEA,SAAS,EAAE,uBAAuB;IAClE;AACF;AAEA,OAAO,MAAMO,oCAAoCT;IAG/C,YAAYU,OAAe,EAAEC,SAAkB,CAAE;QAC/C,MAAMT,UAAUS,YAAY,CAAC,qBAAqB,EAAED,QAAQ,WAAW,EAAEC,UAAU,kCAAkC,CAAC,GAAG,CAAC,qBAAqB,EAAED,QAAQ,iCAAiC,CAAC;QAC3L,KAAK,CAACR,SAAS,2BAA2B;QAC1C,IAAI,CAACS,SAAS,GAAGA;IACnB;AACF;AA2CA,OAAO,MAAMC,0BAA0BX;IAGrC,YAAYY,UAA8B,EAAEX,OAAgB,CAAE;QAC5D,KAAK,CAACA,WAAW,CAAC,yBAAyB,EAAEW,WAAWC,IAAI,EAAE;QAC9D,IAAI,CAACT,IAAI,GAAG;QACZ,IAAI,CAACQ,UAAU,GAAGA;IACpB;AACF"}

package/package.json

@@ -0,0 +1,82 @@
+{
+  "name": "@mcp-z/oauth",
+  "version": "1.0.0",
+  "description": "Multi-account orchestration and secure token storage for OAuth-based MCP servers",
+  "keywords": [
+    "mcp",
+    "model-context-protocol",
+    "oauth",
+    "oauth2",
+    "authentication",
+    "multi-account",
+    "account-management",
+    "token-storage",
+    "secure-storage",
+    "keyv",
+    "mcp-server",
+    "oauth-google",
+    "oauth-microsoft",
+    "config-management",
+    "encryption",
+    "duckdb",
+    "ai",
+    "claude"
+  ],
+  "homepage": "https://github.com/mcp-z/oauth#readme",
+  "bugs": {
+    "url": "https://github.com/mcp-z/oauth/issues"
+  },
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/mcp-z/oauth.git"
+  },
+  "license": "MIT",
+  "author": "Kevin Malakoff <kmalakoff.info@gmail.com>",
+  "type": "module",
+  "exports": {
+    ".": {
+      "types": "./dist/esm/index.d.ts",
+      "import": "./dist/esm/index.js",
+      "require": "./dist/cjs/index.js"
+    },
+    "./package.json": "./package.json"
+  },
+  "main": "./dist/cjs/index.js",
+  "module": "./dist/esm/index.js",
+  "types": "./dist/esm/index.d.ts",
+  "files": [
+    "dist"
+  ],
+  "scripts": {
+    "build": "tsds build",
+    "format": "tsds format",
+    "prepublish:check": "ncp",
+    "prepublishOnly": "tsds validate",
+    "test": "npm run test:unit && npm run test:integration",
+    "test:engines": "nvu engines tsds test:node --no-timeouts 'test/**/*.test.ts'",
+    "test:integration": "tsds test:node --no-timeouts 'test/integration/**/*.test.ts'",
+    "test:unit": "tsds test:node --no-timeouts 'test/unit/**/*.test.ts'",
+    "version": "tsds version"
+  },
+  "dependencies": {
+    "@modelcontextprotocol/sdk": "^1.0.0",
+    "jose": "^6.1.3",
+    "keyv": "^5.5.5",
+    "keyv-file": "^5.3.3",
+    "zod": "^4.0.0"
+  },
+  "devDependencies": {
+    "@types/mocha": "^10.0.10",
+    "@types/node": "^25.0.2",
+    "node-version-use": "^2.1.6",
+    "ts-dev-stack": "^1.21.3",
+    "tsds-config": "^1.0.0",
+    "typescript": "^5.9.3"
+  },
+  "engines": {
+    "node": ">=24"
+  },
+  "tsds": {
+    "source": "src/index.ts"
+  }
+}