@nexvora/mcp-server 0.3.1

package/dist/NexvoraClient.js

@@ -0,0 +1,266 @@
+import { z } from "zod";
+const AuditPayloadSchema = z.object({
+    toolName: z.string().min(1),
+    outcome: z.enum(["success", "error", "rate_limited", "unauthorized"]),
+    agentId: z.string().uuid().optional(),
+    durationMs: z.number().int().positive().optional(),
+    errorCode: z.string().optional(),
+});
+/** Thrown when the refresh token itself is expired or revoked. */
+export class SessionExpiredError extends Error {
+    constructor() {
+        super("Your NexVora session has expired. Run `nexvora login` to reconnect.");
+        this.name = "SessionExpiredError";
+    }
+}
+/**
+ * Thrown when a PAT (Personal Access Token) is rejected as expired or revoked.
+ *
+ * <p>PATs do not refresh automatically — when one returns 401 the user must
+ * regenerate it from the web UI. The message includes the exact URL so the
+ * MCP host can surface it directly to the user without them having to dig.</p>
+ */
+export class PatRevokedOrExpiredError extends Error {
+    constructor() {
+        super("Your NexVora PAT was rejected — it has been revoked or expired. " +
+            "Generate a new one at https://app.nxvora.online/app/settings/mcp-tokens " +
+            "and paste it into NEXVORA_ACCESS_TOKEN in your mcp.json.");
+        this.name = "PatRevokedOrExpiredError";
+    }
+}
+/**
+ * Thrown when the backend returns 403 with type=pat-scope-missing, indicating
+ * the PAT is valid but is not authorised for the tool the user just invoked.
+ *
+ * <p>The exact missing scope is included so the MCP host can render an
+ * actionable "add tool:foo to your PAT" message.</p>
+ */
+export class PatScopeMissingError extends Error {
+    requiredScope;
+    constructor(requiredScope) {
+        super(`Your NexVora PAT is missing the required scope: ${requiredScope}. ` +
+            "Generate a new PAT with this scope checked at " +
+            "https://app.nxvora.online/app/settings/mcp-tokens.");
+        this.requiredScope = requiredScope;
+        this.name = "PatScopeMissingError";
+    }
+}
+/** Wire-format prefix that identifies a PAT (as opposed to a session JWT). */
+const PAT_PREFIX = "nxv_pat_";
+/** {@code true} if the supplied access token is a Personal Access Token. */
+function isPat(accessToken) {
+    return accessToken.startsWith(PAT_PREFIX);
+}
+/**
+ * Thin HTTP client for the NexVora backend.
+ *
+ * When constructed with a {@link IConfigStore} it automatically refreshes
+ * expired access tokens — proactively (60 s before expiry) and reactively
+ * (on a first 401). Only one refresh round-trip is made even when concurrent
+ * requests all receive a 401 at the same time.
+ */
+export class NexvoraClient {
+    baseUrl;
+    accessToken;
+    agentId;
+    configStore;
+    /** Guards against concurrent refresh requests — shared across all in-flight calls. */
+    refreshPromise = null;
+    constructor(options) {
+        this.baseUrl = options.baseUrl.replace(/\/$/, "");
+        this.accessToken = options.accessToken;
+        this.agentId = options.agentId;
+        this.configStore = options.configStore;
+    }
+    authHeaders() {
+        return {
+            "Content-Type": "application/json",
+            Authorization: `Bearer ${this.accessToken}`,
+        };
+    }
+    // ── Token refresh ──────────────────────────────────────────────────────────
+    async ensureTokenFresh() {
+        // PATs never refresh — their lifetime is exactly the expiry on the
+        // mcp_pats row. Trying to /auth/refresh with a PAT would fail and
+        // confuse the user with a misleading "session expired" error.
+        if (isPat(this.accessToken))
+            return;
+        if (!this.configStore)
+            return;
+        let config;
+        try {
+            config = this.configStore.read();
+        }
+        catch {
+            return; // no config file yet — continue with the static token
+        }
+        const nowSecs = Math.floor(Date.now() / 1000);
+        if (config.expiresAt < nowSecs + 60) {
+            await this.triggerRefresh(config);
+        }
+    }
+    /**
+     * Ensures only one refresh is in-flight at a time.
+     * Concurrent callers await the same promise.
+     */
+    triggerRefresh(config) {
+        if (!this.refreshPromise) {
+            this.refreshPromise = this.performRefresh(config).finally(() => {
+                this.refreshPromise = null;
+            });
+        }
+        return this.refreshPromise;
+    }
+    async performRefresh(existingConfig) {
+        if (!this.configStore)
+            return;
+        let config;
+        try {
+            config = existingConfig ?? this.configStore.read();
+        }
+        catch {
+            throw new SessionExpiredError();
+        }
+        const response = await fetch(`${this.baseUrl}/auth/refresh`, {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify({ refreshToken: config.refreshToken }),
+        });
+        if (!response.ok) {
+            throw new SessionExpiredError();
+        }
+        const { accessToken, refreshToken, expiresAt } = (await response.json());
+        this.accessToken = accessToken;
+        this.configStore.write({ ...config, accessToken, refreshToken, expiresAt });
+    }
+    // ── Core request dispatcher ────────────────────────────────────────────────
+    async dispatchFetch(url, init) {
+        await this.ensureTokenFresh();
+        let response = await fetch(url, { ...init, headers: this.authHeaders() });
+        if (response.status === 401) {
+            // PATs never refresh — a 401 means the token is revoked or expired.
+            // Surface a targeted error pointing at the regen URL rather than the
+            // generic "session expired, run nexvora login" message that suits
+            // JWT users.
+            if (isPat(this.accessToken)) {
+                throw new PatRevokedOrExpiredError();
+            }
+            // JWT path: try one refresh then retry the original request once.
+            if (this.configStore) {
+                await this.triggerRefresh();
+                response = await fetch(url, { ...init, headers: this.authHeaders() });
+            }
+        }
+        // 403 with type=pat-scope-missing carries the exact scope the PAT lacks.
+        // Pull it out so we can throw a typed error that downstream tools can
+        // render as "your PAT needs tool:foo — regenerate at <url>".
+        if (response.status === 403 && isPat(this.accessToken)) {
+            const scope = await readMissingScope(response);
+            if (scope != null) {
+                throw new PatScopeMissingError(scope);
+            }
+        }
+        return response;
+    }
+    // ── Public API ─────────────────────────────────────────────────────────────
+    /**
+     * Sends an audit event to {@code POST /mcp/audit} fire-and-forget.
+     * Errors are silently swallowed to prevent audit failures from affecting tool callers.
+     */
+    async sendAudit(payload) {
+        try {
+            const validated = AuditPayloadSchema.parse(payload);
+            await fetch(`${this.baseUrl}/mcp/audit`, {
+                method: "POST",
+                headers: this.authHeaders(),
+                body: JSON.stringify(validated),
+            });
+        }
+        catch {
+            // audit failures must not surface to the tool caller
+        }
+    }
+    /**
+     * Makes an authenticated POST request to the NexVora backend.
+     *
+     * @throws {NexvoraApiError} on non-2xx responses
+     * @throws {SessionExpiredError} when the refresh token is also expired
+     */
+    async post(path, body) {
+        const response = await this.dispatchFetch(`${this.baseUrl}${path}`, {
+            method: "POST",
+            body: JSON.stringify(body),
+        });
+        if (!response.ok) {
+            const text = await response.text().catch(() => "");
+            throw new NexvoraApiError(response.status, text, path);
+        }
+        return response.json();
+    }
+    /**
+     * Makes an authenticated GET request to the NexVora backend.
+     *
+     * @throws {NexvoraApiError} on non-2xx responses
+     * @throws {SessionExpiredError} when the refresh token is also expired
+     */
+    async get(path) {
+        const response = await this.dispatchFetch(`${this.baseUrl}${path}`, {});
+        if (!response.ok) {
+            const text = await response.text().catch(() => "");
+            throw new NexvoraApiError(response.status, text, path);
+        }
+        return response.json();
+    }
+}
+/**
+ * Reads a 403 response body as RFC 7807 ProblemDetail and pulls the
+ * {@code required_scope} property out. Returns {@code null} for any other
+ * shape — the caller falls back to the generic error path.
+ *
+ * <p>The response body is consumed by this call; the dispatcher must not
+ * attempt to read it again. We clone first so the original {@link Response}
+ * remains usable if no scope is found.</p>
+ */
+async function readMissingScope(response) {
+    try {
+        const cloned = response.clone();
+        const body = (await cloned.json());
+        if (typeof body?.required_scope === "string" &&
+            body.type?.includes("pat-scope-missing")) {
+            return body.required_scope;
+        }
+    }
+    catch {
+        // not JSON, or fetch couldn't be cloned — fall through
+    }
+    return null;
+}
+/**
+ * Represents a non-2xx response from the NexVora API.
+ */
+export class NexvoraApiError extends Error {
+    statusCode;
+    body;
+    path;
+    constructor(statusCode, body, path) {
+        super(`NexVora API error ${statusCode} on ${path}: ${body}`);
+        this.statusCode = statusCode;
+        this.body = body;
+        this.path = path;
+        this.name = "NexvoraApiError";
+    }
+    get isRateLimited() {
+        return this.statusCode === 429;
+    }
+    get isUnauthorized() {
+        return this.statusCode === 401 || this.statusCode === 403;
+    }
+    toAuditOutcome() {
+        if (this.isRateLimited)
+            return "rate_limited";
+        if (this.isUnauthorized)
+            return "unauthorized";
+        return "error";
+    }
+}
+//# sourceMappingURL=NexvoraClient.js.map

package/dist/NexvoraClient.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"NexvoraClient.js","sourceRoot":"","sources":["../src/NexvoraClient.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAMxB,MAAM,kBAAkB,GAAG,CAAC,CAAC,MAAM,CAAC;IAClC,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC3B,OAAO,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,OAAO,EAAE,cAAc,EAAE,cAAc,CAAC,CAAC;IACrE,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,CAAC,QAAQ,EAAE;IACrC,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE;IAClD,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CACjC,CAAC,CAAC;AAwBH,kEAAkE;AAClE,MAAM,OAAO,mBAAoB,SAAQ,KAAK;IAC5C;QACE,KAAK,CACH,qEAAqE,CACtE,CAAC;QACF,IAAI,CAAC,IAAI,GAAG,qBAAqB,CAAC;IACpC,CAAC;CACF;AAED;;;;;;GAMG;AACH,MAAM,OAAO,wBAAyB,SAAQ,KAAK;IACjD;QACE,KAAK,CACH,kEAAkE;YAChE,0EAA0E;YAC1E,0DAA0D,CAC7D,CAAC;QACF,IAAI,CAAC,IAAI,GAAG,0BAA0B,CAAC;IACzC,CAAC;CACF;AAED;;;;;;GAMG;AACH,MAAM,OAAO,oBAAqB,SAAQ,KAAK;IACjB;IAA5B,YAA4B,aAAqB;QAC/C,KAAK,CACH,mDAAmD,aAAa,IAAI;YAClE,gDAAgD;YAChD,oDAAoD,CACvD,CAAC;QALwB,kBAAa,GAAb,aAAa,CAAQ;QAM/C,IAAI,CAAC,IAAI,GAAG,sBAAsB,CAAC;IACrC,CAAC;CACF;AAED,8EAA8E;AAC9E,MAAM,UAAU,GAAG,UAAU,CAAC;AAE9B,4EAA4E;AAC5E,SAAS,KAAK,CAAC,WAAmB;IAChC,OAAO,WAAW,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC;AAC5C,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,OAAO,aAAa;IACP,OAAO,CAAS;IACzB,WAAW,CAAS;IACnB,OAAO,CAAU;IACT,WAAW,CAAgB;IAE5C,sFAAsF;IAC9E,cAAc,GAAyB,IAAI,CAAC;IAEpD,YAAY,OAA6B;QACvC,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;QAClD,IAAI,CAAC,WAAW,GAAG,OAAO,CAAC,WAAW,CAAC;QACvC,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC;QAC/B,IAAI,CAAC,WAAW,GAAG,OAAO,CAAC,WAAW,CAAC;IACzC,CAAC;IAEO,WAAW;QACjB,OAAO;YACL,cAAc,EAAE,kBAAkB;YAClC,aAAa,EAAE,UAAU,IAAI,CAAC,WAAW,EAAE;SAC5C,CAAC;IACJ,CAAC;IAED,8EAA8E;IAEtE,KAAK,CAAC,gBAAgB;QAC5B,mEAAmE;QACnE,kEAAkE;QAClE,8DAA8D;QAC9D,IAAI,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC;YAAE,OAAO;QACpC,IAAI,CAAC,IAAI,CAAC,WAAW;YAAE,OAAO;QAC9B,IAAI,MAAc,CAAC;QACnB,IAAI,CAAC;YACH,MAAM,GAAG,IAAI,CAAC,WAAW,CAAC,IAAI,EAAE,CAAC;QACnC,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,CAAC,sDAAsD;QAChE,CAAC;QACD,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC9C,IAAI,MAAM,CAAC,SAAS,GAAG,OAAO,GAAG,EAAE,EAAE,CAAC;YACpC,MAAM,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC;QACpC,CAAC;IACH,CAAC;IAED;;;OAGG;IACK,cAAc,CAAC,MAAe;QACpC,IAAI,CAAC,IAAI,CAAC,cAAc,EAAE,CAAC;YACzB,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,GAAG,EAAE;gBAC7D,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC;YAC7B,CAAC,CAAC,CAAC;QACL,CAAC;QACD,OAAO,IAAI,CAAC,cAAc,CAAC;IAC7B,CAAC;IAEO,KAAK,CAAC,cAAc,CAAC,cAAuB;QAClD,IAAI,CAAC,IAAI,CAAC,WAAW;YAAE,OAAO;QAE9B,IAAI,MAAc,CAAC;QACnB,IAAI,CAAC;YACH,MAAM,GAAG,cAAc,IAAI,IAAI,CAAC,WAAW,CAAC,IAAI,EAAE,CAAC;QACrD,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,IAAI,mBAAmB,EAAE,CAAC;QAClC,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,IAAI,CAAC,OAAO,eAAe,EAAE;YAC3D,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;YAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,YAAY,EAAE,MAAM,CAAC,YAAY,EAAE,CAAC;SAC5D,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,mBAAmB,EAAE,CAAC;QAClC,CAAC;QAED,MAAM,EAAE,WAAW,EAAE,YAAY,EAAE,SAAS,EAAE,GAC5C,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAyB,CAAC;QAElD,IAAI,CAAC,WAAW,GAAG,WAAW,CAAC;QAC/B,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,EAAE,GAAG,MAAM,EAAE,WAAW,EAAE,YAAY,EAAE,SAAS,EAAE,CAAC,CAAC;IAC9E,CAAC;IAED,8EAA8E;IAEtE,KAAK,CAAC,aAAa,CAAC,GAAW,EAAE,IAAiB;QACxD,MAAM,IAAI,CAAC,gBAAgB,EAAE,CAAC;QAE9B,IAAI,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE,EAAE,GAAG,IAAI,EAAE,OAAO,EAAE,IAAI,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC;QAE1E,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5B,oEAAoE;YACpE,qEAAqE;YACrE,kEAAkE;YAClE,aAAa;YACb,IAAI,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;gBAC5B,MAAM,IAAI,wBAAwB,EAAE,CAAC;YACvC,CAAC;YACD,kEAAkE;YAClE,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;gBACrB,MAAM,IAAI,CAAC,cAAc,EAAE,CAAC;gBAC5B,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE,EAAE,GAAG,IAAI,EAAE,OAAO,EAAE,IAAI,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC;YACxE,CAAC;QACH,CAAC;QAED,yEAAyE;QACzE,sEAAsE;QACtE,6DAA6D;QAC7D,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,IAAI,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;YACvD,MAAM,KAAK,GAAG,MAAM,gBAAgB,CAAC,QAAQ,CAAC,CAAC;YAC/C,IAAI,KAAK,IAAI,IAAI,EAAE,CAAC;gBAClB,MAAM,IAAI,oBAAoB,CAAC,KAAK,CAAC,CAAC;YACxC,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,8EAA8E;IAE9E;;;OAGG;IACH,KAAK,CAAC,SAAS,CAAC,OAAqB;QACnC,IAAI,CAAC;YACH,MAAM,SAAS,GAAG,kBAAkB,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;YACpD,MAAM,KAAK,CAAC,GAAG,IAAI,CAAC,OAAO,YAAY,EAAE;gBACvC,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,IAAI,CAAC,WAAW,EAAE;gBAC3B,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC;aAChC,CAAC,CAAC;QACL,CAAC;QAAC,MAAM,CAAC;YACP,qDAAqD;QACvD,CAAC;IACH,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,IAAI,CAAI,IAAY,EAAE,IAAa;QACvC,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,GAAG,IAAI,CAAC,OAAO,GAAG,IAAI,EAAE,EAAE;YAClE,MAAM,EAAE,MAAM;YACd,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC;SAC3B,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC;YACnD,MAAM,IAAI,eAAe,CAAC,QAAQ,CAAC,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC;QACzD,CAAC;QAED,OAAO,QAAQ,CAAC,IAAI,EAAgB,CAAC;IACvC,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,GAAG,CAAI,IAAY;QACvB,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,GAAG,IAAI,CAAC,OAAO,GAAG,IAAI,EAAE,EAAE,EAAE,CAAC,CAAC;QAExE,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC;YACnD,MAAM,IAAI,eAAe,CAAC,QAAQ,CAAC,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC;QACzD,CAAC;QAED,OAAO,QAAQ,CAAC,IAAI,EAAgB,CAAC;IACvC,CAAC;CACF;AAED;;;;;;;;GAQG;AACH,KAAK,UAAU,gBAAgB,CAAC,QAAkB;IAChD,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,QAAQ,CAAC,KAAK,EAAE,CAAC;QAChC,MAAM,IAAI,GAAG,CAAC,MAAM,MAAM,CAAC,IAAI,EAAE,CAGhC,CAAC;QACF,IACE,OAAO,IAAI,EAAE,cAAc,KAAK,QAAQ;YACxC,IAAI,CAAC,IAAI,EAAE,QAAQ,CAAC,mBAAmB,CAAC,EACxC,CAAC;YACD,OAAO,IAAI,CAAC,cAAc,CAAC;QAC7B,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,uDAAuD;IACzD,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;GAEG;AACH,MAAM,OAAO,eAAgB,SAAQ,KAAK;IAEtB;IACA;IACA;IAHlB,YACkB,UAAkB,EAClB,IAAY,EACZ,IAAY;QAE5B,KAAK,CAAC,qBAAqB,UAAU,OAAO,IAAI,KAAK,IAAI,EAAE,CAAC,CAAC;QAJ7C,eAAU,GAAV,UAAU,CAAQ;QAClB,SAAI,GAAJ,IAAI,CAAQ;QACZ,SAAI,GAAJ,IAAI,CAAQ;QAG5B,IAAI,CAAC,IAAI,GAAG,iBAAiB,CAAC;IAChC,CAAC;IAED,IAAI,aAAa;QACf,OAAO,IAAI,CAAC,UAAU,KAAK,GAAG,CAAC;IACjC,CAAC;IAED,IAAI,cAAc;QAChB,OAAO,IAAI,CAAC,UAAU,KAAK,GAAG,IAAI,IAAI,CAAC,UAAU,KAAK,GAAG,CAAC;IAC5D,CAAC;IAED,cAAc;QACZ,IAAI,IAAI,CAAC,aAAa;YAAE,OAAO,cAAc,CAAC;QAC9C,IAAI,IAAI,CAAC,cAAc;YAAE,OAAO,cAAc,CAAC;QAC/C,OAAO,OAAO,CAAC;IACjB,CAAC;CACF"}

package/dist/RateLimiter.d.ts

@@ -0,0 +1,32 @@
+export declare const DEFAULT_RATE_LIMITS: Record<string, number>;
+export type ConsumeResult = {
+    allowed: true;
+} | {
+    allowed: false;
+    retryAfterMs: number;
+};
+/**
+ * Smooth token-bucket with continuous refill.
+ *
+ * Capacity = perMinuteLimit (burst up to the full window's worth of tokens).
+ * Refill rate = perMinuteLimit / 60 tokens-per-second (smooth, not batch).
+ */
+export declare class TokenBucket {
+    private readonly capacity;
+    private readonly refillRatePerSec;
+    private tokens;
+    private lastRefill;
+    constructor(capacity: number, refillRatePerSec: number);
+    tryConsume(): ConsumeResult;
+    private refill;
+}
+/**
+ * One TokenBucket per registered tool name.
+ * Tools not in the registry are always allowed.
+ */
+export declare class RateLimiterRegistry {
+    private readonly buckets;
+    constructor(limits?: Record<string, number>);
+    tryConsume(toolName: string): ConsumeResult;
+}
+//# sourceMappingURL=RateLimiter.d.ts.map

package/dist/RateLimiter.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"RateLimiter.d.ts","sourceRoot":"","sources":["../src/RateLimiter.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,mBAAmB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAYtD,CAAC;AAEF,MAAM,MAAM,aAAa,GAAG;IAAE,OAAO,EAAE,IAAI,CAAA;CAAE,GAAG;IAAE,OAAO,EAAE,KAAK,CAAC;IAAC,YAAY,EAAE,MAAM,CAAA;CAAE,CAAC;AAEzF;;;;;GAKG;AACH,qBAAa,WAAW;IAKpB,OAAO,CAAC,QAAQ,CAAC,QAAQ;IACzB,OAAO,CAAC,QAAQ,CAAC,gBAAgB;IALnC,OAAO,CAAC,MAAM,CAAS;IACvB,OAAO,CAAC,UAAU,CAAS;gBAGR,QAAQ,EAAE,MAAM,EAChB,gBAAgB,EAAE,MAAM;IAM3C,UAAU,IAAI,aAAa;IAW3B,OAAO,CAAC,MAAM;CAMf;AAED;;;GAGG;AACH,qBAAa,mBAAmB;IAC9B,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAkC;gBAE9C,MAAM,GAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAuB;IAQhE,UAAU,CAAC,QAAQ,EAAE,MAAM,GAAG,aAAa;CAK5C"}

package/dist/RateLimiter.js

@@ -0,0 +1,68 @@
+export const DEFAULT_RATE_LIMITS = {
+    nexvora_wallet_balance: 60,
+    nexvora_observatory: 60,
+    nexvora_agentstack_search: 30,
+    nexvora_agentstack_ask: 5,
+    nexvora_agentstack_answer: 10,
+    nexvora_feed_post: 10,
+    nexvora_feed_react: 60,
+    nexvora_consulting_search: 30,
+    nexvora_consulting_book: 5,
+    nexvora_knowledge_search: 30,
+    nexvora_knowledge_subscribe: 5,
+};
+/**
+ * Smooth token-bucket with continuous refill.
+ *
+ * Capacity = perMinuteLimit (burst up to the full window's worth of tokens).
+ * Refill rate = perMinuteLimit / 60 tokens-per-second (smooth, not batch).
+ */
+export class TokenBucket {
+    capacity;
+    refillRatePerSec;
+    tokens;
+    lastRefill;
+    constructor(capacity, refillRatePerSec) {
+        this.capacity = capacity;
+        this.refillRatePerSec = refillRatePerSec;
+        this.tokens = capacity;
+        this.lastRefill = Date.now();
+    }
+    tryConsume() {
+        this.refill();
+        if (this.tokens >= 1) {
+            this.tokens -= 1;
+            return { allowed: true };
+        }
+        // milliseconds until 1 token is available
+        const retryAfterMs = Math.ceil(((1 - this.tokens) / this.refillRatePerSec) * 1000);
+        return { allowed: false, retryAfterMs };
+    }
+    refill() {
+        const now = Date.now();
+        const elapsedSec = (now - this.lastRefill) / 1000;
+        this.tokens = Math.min(this.capacity, this.tokens + elapsedSec * this.refillRatePerSec);
+        this.lastRefill = now;
+    }
+}
+/**
+ * One TokenBucket per registered tool name.
+ * Tools not in the registry are always allowed.
+ */
+export class RateLimiterRegistry {
+    buckets = new Map();
+    constructor(limits = DEFAULT_RATE_LIMITS) {
+        for (const [toolName, perMinute] of Object.entries(limits)) {
+            if (perMinute > 0) {
+                this.buckets.set(toolName, new TokenBucket(perMinute, perMinute / 60));
+            }
+        }
+    }
+    tryConsume(toolName) {
+        const bucket = this.buckets.get(toolName);
+        if (!bucket)
+            return { allowed: true };
+        return bucket.tryConsume();
+    }
+}
+//# sourceMappingURL=RateLimiter.js.map

package/dist/RateLimiter.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"RateLimiter.js","sourceRoot":"","sources":["../src/RateLimiter.ts"],"names":[],"mappings":"AAAA,MAAM,CAAC,MAAM,mBAAmB,GAA2B;IACzD,sBAAsB,EAAE,EAAE;IAC1B,mBAAmB,EAAE,EAAE;IACvB,yBAAyB,EAAE,EAAE;IAC7B,sBAAsB,EAAE,CAAC;IACzB,yBAAyB,EAAE,EAAE;IAC7B,iBAAiB,EAAE,EAAE;IACrB,kBAAkB,EAAE,EAAE;IACtB,yBAAyB,EAAE,EAAE;IAC7B,uBAAuB,EAAE,CAAC;IAC1B,wBAAwB,EAAE,EAAE;IAC5B,2BAA2B,EAAE,CAAC;CAC/B,CAAC;AAIF;;;;;GAKG;AACH,MAAM,OAAO,WAAW;IAKH;IACA;IALX,MAAM,CAAS;IACf,UAAU,CAAS;IAE3B,YACmB,QAAgB,EAChB,gBAAwB;QADxB,aAAQ,GAAR,QAAQ,CAAQ;QAChB,qBAAgB,GAAhB,gBAAgB,CAAQ;QAEzC,IAAI,CAAC,MAAM,GAAG,QAAQ,CAAC;QACvB,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAC/B,CAAC;IAED,UAAU;QACR,IAAI,CAAC,MAAM,EAAE,CAAC;QACd,IAAI,IAAI,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;YACrB,IAAI,CAAC,MAAM,IAAI,CAAC,CAAC;YACjB,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;QAC3B,CAAC;QACD,0CAA0C;QAC1C,MAAM,YAAY,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,IAAI,CAAC,gBAAgB,CAAC,GAAG,IAAI,CAAC,CAAC;QACnF,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,YAAY,EAAE,CAAC;IAC1C,CAAC;IAEO,MAAM;QACZ,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,MAAM,UAAU,GAAG,CAAC,GAAG,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,IAAI,CAAC;QAClD,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,MAAM,GAAG,UAAU,GAAG,IAAI,CAAC,gBAAgB,CAAC,CAAC;QACxF,IAAI,CAAC,UAAU,GAAG,GAAG,CAAC;IACxB,CAAC;CACF;AAED;;;GAGG;AACH,MAAM,OAAO,mBAAmB;IACb,OAAO,GAAG,IAAI,GAAG,EAAuB,CAAC;IAE1D,YAAY,SAAiC,mBAAmB;QAC9D,KAAK,MAAM,CAAC,QAAQ,EAAE,SAAS,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;YAC3D,IAAI,SAAS,GAAG,CAAC,EAAE,CAAC;gBAClB,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE,IAAI,WAAW,CAAC,SAAS,EAAE,SAAS,GAAG,EAAE,CAAC,CAAC,CAAC;YACzE,CAAC;QACH,CAAC;IACH,CAAC;IAED,UAAU,CAAC,QAAgB;QACzB,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC1C,IAAI,CAAC,MAAM;YAAE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;QACtC,OAAO,MAAM,CAAC,UAAU,EAAE,CAAC;IAC7B,CAAC;CACF"}

package/dist/auth/oauth.d.ts

@@ -0,0 +1,53 @@
+/**
+ * OAuth 2.0 Device Authorization Grant (RFC 8628) for the NexVora MCP CLI.
+ *
+ * This is the same flow the Rust daemon uses (see
+ * nexvora-daemon/crates/daemon-main/src/auth.rs). It is the locked auth model
+ * for headless clients per the daemon-auth-model design.
+ *
+ * Flow:
+ *   1. POST /oauth/device/authorize           → device_code + user_code +
+ *                                               verification_uri_complete
+ *   2. Print the user_code in the terminal and open
+ *      verification_uri_complete in the user's browser
+ *   3. Poll POST /oauth/device/token at the negotiated interval, honouring
+ *      authorization_pending / slow_down, until the user approves, denies,
+ *      or the code expires
+ *   4. Fetch the authenticated user profile to obtain the userId
+ *   5. Return a Config-compatible object for the caller to persist
+ */
+import type { Config } from "../config.js";
+export interface DeviceAuthorizationResponse {
+    device_code: string;
+    user_code: string;
+    verification_uri: string;
+    verification_uri_complete: string;
+    expires_in: number;
+    interval: number;
+}
+export interface DeviceTokenSuccess {
+    access_token: string;
+    refresh_token: string;
+    token_type: string;
+    expires_in: number;
+    scope?: string;
+}
+/**
+ * Error thrown when the device-grant flow ends without issuing tokens
+ * (denial, expiry, timeout, server error). The {@code code} property is the
+ * RFC 8628 / 6749 error code or "timeout".
+ */
+export declare class DeviceGrantError extends Error {
+    readonly code: string;
+    constructor(code: string, message: string);
+}
+/**
+ * Run the full interactive Device Grant login flow.
+ *
+ * @param serverUrl  Base URL of the NexVora API (e.g. https://api.nxvora.online)
+ * @returns          A completed Config object ready to be written by ConfigManager
+ */
+export declare function loginInteractive(serverUrl: string): Promise<Config>;
+export declare function startDeviceAuthorization(base: string): Promise<DeviceAuthorizationResponse>;
+export declare function pollForToken(base: string, grant: DeviceAuthorizationResponse): Promise<DeviceTokenSuccess>;
+//# sourceMappingURL=oauth.d.ts.map

package/dist/auth/oauth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth.d.ts","sourceRoot":"","sources":["../../src/auth/oauth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAKH,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,cAAc,CAAC;AAiB3C,MAAM,WAAW,2BAA2B;IAC1C,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,gBAAgB,EAAE,MAAM,CAAC;IACzB,yBAAyB,EAAE,MAAM,CAAC;IAClC,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,kBAAkB;IACjC,YAAY,EAAE,MAAM,CAAC;IACrB,aAAa,EAAE,MAAM,CAAC;IACtB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAOD;;;;GAIG;AACH,qBAAa,gBAAiB,SAAQ,KAAK;aACb,IAAI,EAAE,MAAM;gBAAZ,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM;CAI1D;AAED;;;;;GAKG;AACH,wBAAsB,gBAAgB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAwBzE;AAID,wBAAsB,wBAAwB,CAC5C,IAAI,EAAE,MAAM,GACX,OAAO,CAAC,2BAA2B,CAAC,CA4BtC;AAkBD,wBAAsB,YAAY,CAChC,IAAI,EAAE,MAAM,EACZ,KAAK,EAAE,2BAA2B,GACjC,OAAO,CAAC,kBAAkB,CAAC,CA0D7B"}

package/dist/auth/oauth.js

@@ -0,0 +1,175 @@
+/**
+ * OAuth 2.0 Device Authorization Grant (RFC 8628) for the NexVora MCP CLI.
+ *
+ * This is the same flow the Rust daemon uses (see
+ * nexvora-daemon/crates/daemon-main/src/auth.rs). It is the locked auth model
+ * for headless clients per the daemon-auth-model design.
+ *
+ * Flow:
+ *   1. POST /oauth/device/authorize           → device_code + user_code +
+ *                                               verification_uri_complete
+ *   2. Print the user_code in the terminal and open
+ *      verification_uri_complete in the user's browser
+ *   3. Poll POST /oauth/device/token at the negotiated interval, honouring
+ *      authorization_pending / slow_down, until the user approves, denies,
+ *      or the code expires
+ *   4. Fetch the authenticated user profile to obtain the userId
+ *   5. Return a Config-compatible object for the caller to persist
+ */
+import { exec } from "node:child_process";
+import { hostname } from "node:os";
+const CLIENT_ID = "nexvora-mcp-server";
+const SCOPE = "mcp:tools offline_access";
+const DEVICE_CODE_GRANT_TYPE = "urn:ietf:params:oauth:grant-type:device_code";
+/** Hard ceiling regardless of the server-advertised expires_in. */
+const SAFETY_TIMEOUT_MS = 15 * 60 * 1000;
+/** Minimum interval between polls in seconds (defensive floor). */
+const MIN_POLL_INTERVAL_SECONDS = 1;
+/** RFC 8628 §3.5: on slow_down, increase the polling interval by 5 seconds. */
+const SLOW_DOWN_INCREMENT_MS = 5_000;
+/**
+ * Error thrown when the device-grant flow ends without issuing tokens
+ * (denial, expiry, timeout, server error). The {@code code} property is the
+ * RFC 8628 / 6749 error code or "timeout".
+ */
+export class DeviceGrantError extends Error {
+    code;
+    constructor(code, message) {
+        super(message);
+        this.code = code;
+        this.name = "DeviceGrantError";
+    }
+}
+/**
+ * Run the full interactive Device Grant login flow.
+ *
+ * @param serverUrl  Base URL of the NexVora API (e.g. https://api.nxvora.online)
+ * @returns          A completed Config object ready to be written by ConfigManager
+ */
+export async function loginInteractive(serverUrl) {
+    const base = serverUrl.replace(/\/$/, "");
+    // 1. Start the device authorization
+    const grant = await startDeviceAuthorization(base);
+    // 2. Print code + open browser
+    printUserPrompt(grant);
+    openBrowser(grant.verification_uri_complete);
+    // 3. Poll until decision
+    const tokens = await pollForToken(base, grant);
+    // 4. Fetch user profile (best-effort)
+    const userId = await fetchUserId(base, tokens.access_token);
+    const nowSecs = Math.floor(Date.now() / 1000);
+    return {
+        accessToken: tokens.access_token,
+        refreshToken: tokens.refresh_token,
+        expiresAt: nowSecs + tokens.expires_in,
+        serverUrl: base,
+        userId,
+    };
+}
+// ── Internal helpers ───────────────────────────────────────────────────────────
+export async function startDeviceAuthorization(base) {
+    const url = `${base}/oauth/device/authorize`;
+    let response;
+    try {
+        response = await fetch(url, {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify({
+                client_id: CLIENT_ID,
+                scope: SCOPE,
+                device_name: hostname(),
+            }),
+        });
+    }
+    catch (err) {
+        throw new Error(`Could not reach ${url}: ${err.message}.\n` +
+            `Check NEXVORA_BASE_URL and your network connection.`);
+    }
+    if (!response.ok) {
+        const text = await response.text().catch(() => "");
+        throw new Error(`Failed to start OAuth device authorization (${response.status}) at ${url}.\n` +
+            `Is ${base} a valid NexVora server?` +
+            (text ? `\nServer said: ${text}` : ""));
+    }
+    return response.json();
+}
+function printUserPrompt(grant) {
+    console.error("");
+    console.error("To authenticate, visit:");
+    console.error(`  ${grant.verification_uri}`);
+    console.error("");
+    console.error("And enter this code:");
+    console.error(`  ${grant.user_code}`);
+    console.error("");
+    console.error("If your browser does not open automatically, paste this URL:");
+    console.error(`  ${grant.verification_uri_complete}`);
+    console.error("");
+    console.error(`Waiting for approval (code expires in ${grant.expires_in} seconds)...`);
+}
+export async function pollForToken(base, grant) {
+    const url = `${base}/oauth/device/token`;
+    const deadline = Date.now() + Math.min(grant.expires_in * 1000, SAFETY_TIMEOUT_MS);
+    let intervalMs = Math.max(MIN_POLL_INTERVAL_SECONDS, grant.interval) * 1000;
+    while (Date.now() < deadline) {
+        await sleep(intervalMs);
+        const response = await fetch(url, {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify({
+                grant_type: DEVICE_CODE_GRANT_TYPE,
+                device_code: grant.device_code,
+                client_id: CLIENT_ID,
+            }),
+        });
+        if (response.ok) {
+            return response.json();
+        }
+        const body = (await response.json().catch(() => null));
+        const code = body?.error ?? "unknown_error";
+        switch (code) {
+            case "authorization_pending":
+                // Keep polling at the current interval.
+                continue;
+            case "slow_down":
+                // RFC 8628 §3.5: server says we're polling too fast.
+                intervalMs += SLOW_DOWN_INCREMENT_MS;
+                continue;
+            case "access_denied":
+                throw new DeviceGrantError(code, "Login cancelled — you denied the request.");
+            case "expired_token":
+                throw new DeviceGrantError(code, "Login expired before it was approved. Run `nexvora login` again.");
+            case "invalid_grant":
+                throw new DeviceGrantError(code, body?.error_description ??
+                    "The device grant is no longer valid. Run `nexvora login` again.");
+            default:
+                throw new DeviceGrantError(code, body?.error_description ?? `OAuth error: ${code}`);
+        }
+    }
+    throw new DeviceGrantError("timeout", "Login timed out before the device code expired. Run `nexvora login` again.");
+}
+async function fetchUserId(baseUrl, accessToken) {
+    const response = await fetch(`${baseUrl}/api/users/me`, {
+        headers: { Authorization: `Bearer ${accessToken}` },
+    });
+    if (!response.ok) {
+        return "";
+    }
+    const user = (await response.json());
+    return user.id ?? user.userId ?? "";
+}
+function openBrowser(url) {
+    const cmd = process.platform === "win32"
+        ? `start "" "${url}"`
+        : process.platform === "darwin"
+            ? `open "${url}"`
+            : `xdg-open "${url}"`;
+    exec(cmd, (err) => {
+        if (err) {
+            console.error(`(Could not open browser automatically: ${err.message})`);
+        }
+    });
+}
+function sleep(ms) {
+    return new Promise((resolve) => setTimeout(resolve, ms));
+}
+//# sourceMappingURL=oauth.js.map

package/dist/auth/oauth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth.js","sourceRoot":"","sources":["../../src/auth/oauth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,OAAO,EAAE,IAAI,EAAE,MAAM,oBAAoB,CAAC;AAC1C,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAInC,MAAM,SAAS,GAAG,oBAAoB,CAAC;AACvC,MAAM,KAAK,GAAG,0BAA0B,CAAC;AACzC,MAAM,sBAAsB,GAAG,8CAA8C,CAAC;AAE9E,mEAAmE;AACnE,MAAM,iBAAiB,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;AAEzC,mEAAmE;AACnE,MAAM,yBAAyB,GAAG,CAAC,CAAC;AAEpC,+EAA+E;AAC/E,MAAM,sBAAsB,GAAG,KAAK,CAAC;AA0BrC;;;;GAIG;AACH,MAAM,OAAO,gBAAiB,SAAQ,KAAK;IACb;IAA5B,YAA4B,IAAY,EAAE,OAAe;QACvD,KAAK,CAAC,OAAO,CAAC,CAAC;QADW,SAAI,GAAJ,IAAI,CAAQ;QAEtC,IAAI,CAAC,IAAI,GAAG,kBAAkB,CAAC;IACjC,CAAC;CACF;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,SAAiB;IACtD,MAAM,IAAI,GAAG,SAAS,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IAE1C,oCAAoC;IACpC,MAAM,KAAK,GAAG,MAAM,wBAAwB,CAAC,IAAI,CAAC,CAAC;IAEnD,+BAA+B;IAC/B,eAAe,CAAC,KAAK,CAAC,CAAC;IACvB,WAAW,CAAC,KAAK,CAAC,yBAAyB,CAAC,CAAC;IAE7C,yBAAyB;IACzB,MAAM,MAAM,GAAG,MAAM,YAAY,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;IAE/C,sCAAsC;IACtC,MAAM,MAAM,GAAG,MAAM,WAAW,CAAC,IAAI,EAAE,MAAM,CAAC,YAAY,CAAC,CAAC;IAE5D,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC9C,OAAO;QACL,WAAW,EAAE,MAAM,CAAC,YAAY;QAChC,YAAY,EAAE,MAAM,CAAC,aAAa;QAClC,SAAS,EAAE,OAAO,GAAG,MAAM,CAAC,UAAU;QACtC,SAAS,EAAE,IAAI;QACf,MAAM;KACP,CAAC;AACJ,CAAC;AAED,kFAAkF;AAElF,MAAM,CAAC,KAAK,UAAU,wBAAwB,CAC5C,IAAY;IAEZ,MAAM,GAAG,GAAG,GAAG,IAAI,yBAAyB,CAAC;IAC7C,IAAI,QAAkB,CAAC;IACvB,IAAI,CAAC;QACH,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;YAC1B,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;YAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;gBACnB,SAAS,EAAE,SAAS;gBACpB,KAAK,EAAE,KAAK;gBACZ,WAAW,EAAE,QAAQ,EAAE;aACxB,CAAC;SACH,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CACb,mBAAmB,GAAG,KAAM,GAAa,CAAC,OAAO,KAAK;YACtD,qDAAqD,CACtD,CAAC;IACJ,CAAC;IACD,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC;QACnD,MAAM,IAAI,KAAK,CACb,+CAA+C,QAAQ,CAAC,MAAM,QAAQ,GAAG,KAAK;YAC9E,MAAM,IAAI,0BAA0B;YACpC,CAAC,IAAI,CAAC,CAAC,CAAC,kBAAkB,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CACvC,CAAC;IACJ,CAAC;IACD,OAAO,QAAQ,CAAC,IAAI,EAA0C,CAAC;AACjE,CAAC;AAED,SAAS,eAAe,CAAC,KAAkC;IACzD,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IAClB,OAAO,CAAC,KAAK,CAAC,yBAAyB,CAAC,CAAC;IACzC,OAAO,CAAC,KAAK,CAAC,KAAK,KAAK,CAAC,gBAAgB,EAAE,CAAC,CAAC;IAC7C,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IAClB,OAAO,CAAC,KAAK,CAAC,sBAAsB,CAAC,CAAC;IACtC,OAAO,CAAC,KAAK,CAAC,KAAK,KAAK,CAAC,SAAS,EAAE,CAAC,CAAC;IACtC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IAClB,OAAO,CAAC,KAAK,CAAC,8DAA8D,CAAC,CAAC;IAC9E,OAAO,CAAC,KAAK,CAAC,KAAK,KAAK,CAAC,yBAAyB,EAAE,CAAC,CAAC;IACtD,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IAClB,OAAO,CAAC,KAAK,CACX,yCAAyC,KAAK,CAAC,UAAU,cAAc,CACxE,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,IAAY,EACZ,KAAkC;IAElC,MAAM,GAAG,GAAG,GAAG,IAAI,qBAAqB,CAAC;IACzC,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,UAAU,GAAG,IAAI,EAAE,iBAAiB,CAAC,CAAC;IACnF,IAAI,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,yBAAyB,EAAE,KAAK,CAAC,QAAQ,CAAC,GAAG,IAAI,CAAC;IAE5E,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,QAAQ,EAAE,CAAC;QAC7B,MAAM,KAAK,CAAC,UAAU,CAAC,CAAC;QAExB,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;YAChC,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;YAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;gBACnB,UAAU,EAAE,sBAAsB;gBAClC,WAAW,EAAE,KAAK,CAAC,WAAW;gBAC9B,SAAS,EAAE,SAAS;aACrB,CAAC;SACH,CAAC,CAAC;QAEH,IAAI,QAAQ,CAAC,EAAE,EAAE,CAAC;YAChB,OAAO,QAAQ,CAAC,IAAI,EAAiC,CAAC;QACxD,CAAC;QAED,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAA0B,CAAC;QAChF,MAAM,IAAI,GAAG,IAAI,EAAE,KAAK,IAAI,eAAe,CAAC;QAE5C,QAAQ,IAAI,EAAE,CAAC;YACb,KAAK,uBAAuB;gBAC1B,wCAAwC;gBACxC,SAAS;YACX,KAAK,WAAW;gBACd,qDAAqD;gBACrD,UAAU,IAAI,sBAAsB,CAAC;gBACrC,SAAS;YACX,KAAK,eAAe;gBAClB,MAAM,IAAI,gBAAgB,CAAC,IAAI,EAAE,2CAA2C,CAAC,CAAC;YAChF,KAAK,eAAe;gBAClB,MAAM,IAAI,gBAAgB,CACxB,IAAI,EACJ,kEAAkE,CACnE,CAAC;YACJ,KAAK,eAAe;gBAClB,MAAM,IAAI,gBAAgB,CACxB,IAAI,EACJ,IAAI,EAAE,iBAAiB;oBACrB,iEAAiE,CACpE,CAAC;YACJ;gBACE,MAAM,IAAI,gBAAgB,CACxB,IAAI,EACJ,IAAI,EAAE,iBAAiB,IAAI,gBAAgB,IAAI,EAAE,CAClD,CAAC;QACN,CAAC;IACH,CAAC;IAED,MAAM,IAAI,gBAAgB,CACxB,SAAS,EACT,4EAA4E,CAC7E,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,WAAW,CAAC,OAAe,EAAE,WAAmB;IAC7D,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,OAAO,eAAe,EAAE;QACtD,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,WAAW,EAAE,EAAE;KACpD,CAAC,CAAC;IACH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAqC,CAAC;IACzE,OAAO,IAAI,CAAC,EAAE,IAAI,IAAI,CAAC,MAAM,IAAI,EAAE,CAAC;AACtC,CAAC;AAED,SAAS,WAAW,CAAC,GAAW;IAC9B,MAAM,GAAG,GACP,OAAO,CAAC,QAAQ,KAAK,OAAO;QAC1B,CAAC,CAAC,aAAa,GAAG,GAAG;QACrB,CAAC,CAAC,OAAO,CAAC,QAAQ,KAAK,QAAQ;YAC7B,CAAC,CAAC,SAAS,GAAG,GAAG;YACjB,CAAC,CAAC,aAAa,GAAG,GAAG,CAAC;IAE5B,IAAI,CAAC,GAAG,EAAE,CAAC,GAAG,EAAE,EAAE;QAChB,IAAI,GAAG,EAAE,CAAC;YACR,OAAO,CAAC,KAAK,CAAC,0CAA0C,GAAG,CAAC,OAAO,GAAG,CAAC,CAAC;QAC1E,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC;AAED,SAAS,KAAK,CAAC,EAAU;IACvB,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC;AAC3D,CAAC"}

package/dist/auth/pkce.d.ts

@@ -0,0 +1,12 @@
+/**
+ * Generate a cryptographically random PKCE code_verifier.
+ * Length: 43 characters (32 random bytes → base64url, which is always within the
+ * required 43–128 range).
+ */
+export declare function generateVerifier(): string;
+/**
+ * Derive the PKCE code_challenge from a verifier using the S256 method.
+ * S256: BASE64URL(SHA256(ASCII(code_verifier)))
+ */
+export declare function deriveChallenge(verifier: string): string;
+//# sourceMappingURL=pkce.d.ts.map

package/dist/auth/pkce.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"pkce.d.ts","sourceRoot":"","sources":["../../src/auth/pkce.ts"],"names":[],"mappings":"AAEA;;;;GAIG;AACH,wBAAgB,gBAAgB,IAAI,MAAM,CAEzC;AAED;;;GAGG;AACH,wBAAgB,eAAe,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CAExD"}

package/dist/auth/pkce.js

@@ -0,0 +1,17 @@
+import { createHash, randomBytes } from "node:crypto";
+/**
+ * Generate a cryptographically random PKCE code_verifier.
+ * Length: 43 characters (32 random bytes → base64url, which is always within the
+ * required 43–128 range).
+ */
+export function generateVerifier() {
+    return randomBytes(32).toString("base64url");
+}
+/**
+ * Derive the PKCE code_challenge from a verifier using the S256 method.
+ * S256: BASE64URL(SHA256(ASCII(code_verifier)))
+ */
+export function deriveChallenge(verifier) {
+    return createHash("sha256").update(verifier, "ascii").digest("base64url");
+}
+//# sourceMappingURL=pkce.js.map