npm - @nyuchi/mzizi-mcp - Versions diffs - 0.3.0 - Mend

@nyuchi/mzizi-mcp 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (38) hide show

package/README.md +186 -0
package/dist/auth/authkit-handler.d.ts +28 -0
package/dist/auth/authkit-handler.d.ts.map +1 -0
package/dist/auth/authkit-handler.js +164 -0
package/dist/auth/authkit-handler.js.map +1 -0
package/dist/auth/mcp-api-handler.d.ts +19 -0
package/dist/auth/mcp-api-handler.d.ts.map +1 -0
package/dist/auth/mcp-api-handler.js +30 -0
package/dist/auth/mcp-api-handler.js.map +1 -0
package/dist/auth/oauth-utils.d.ts +47 -0
package/dist/auth/oauth-utils.d.ts.map +1 -0
package/dist/auth/oauth-utils.js +295 -0
package/dist/auth/oauth-utils.js.map +1 -0
package/dist/auth/props.d.ts +18 -0
package/dist/auth/props.d.ts.map +1 -0
package/dist/auth/props.js +2 -0
package/dist/auth/props.js.map +1 -0
package/dist/env.d.ts +22 -0
package/dist/env.d.ts.map +1 -0
package/dist/env.js +12 -0
package/dist/env.js.map +1 -0
package/dist/http.d.ts +22 -0
package/dist/http.d.ts.map +1 -0
package/dist/http.js +72 -0
package/dist/http.js.map +1 -0
package/dist/server.d.ts +33 -0
package/dist/server.d.ts.map +1 -0
package/dist/server.js +272 -0
package/dist/server.js.map +1 -0
package/dist/stdio.d.ts +13 -0
package/dist/stdio.d.ts.map +1 -0
package/dist/stdio.js +34 -0
package/dist/stdio.js.map +1 -0
package/dist/worker.d.ts +23 -0
package/dist/worker.d.ts.map +1 -0
package/dist/worker.js +30 -0
package/dist/worker.js.map +1 -0
package/package.json +69 -0

package/dist/auth/oauth-utils.js ADDED Viewed

@@ -0,0 +1,295 @@
+// oauth-utils.ts
+// Vendored from Cloudflare's `remote-mcp-authkit` demo (Apache-2.0) — the same
+// helpers `nyuchi/mongodb-mcp` uses. OAuth helpers with CSRF protection and
+// session-bound state validation.
+export class OAuthError extends Error {
+    code;
+    description;
+    statusCode;
+    constructor(code, description, statusCode = 400) {
+        super(description);
+        this.code = code;
+        this.description = description;
+        this.statusCode = statusCode;
+        this.name = "OAuthError";
+    }
+    toResponse() {
+        return new Response(JSON.stringify({ error: this.code, error_description: this.description }), {
+            status: this.statusCode,
+            headers: { "Content-Type": "application/json" },
+        });
+    }
+}
+export function sanitizeText(text) {
+    return text
+        .replace(/&/g, "&amp;")
+        .replace(/</g, "&lt;")
+        .replace(/>/g, "&gt;")
+        .replace(/"/g, "&quot;")
+        .replace(/'/g, "&#039;");
+}
+export function sanitizeUrl(url) {
+    const normalized = url.trim();
+    if (normalized.length === 0)
+        return "";
+    for (let i = 0; i < normalized.length; i++) {
+        const code = normalized.charCodeAt(i);
+        if ((code >= 0x00 && code <= 0x1f) || (code >= 0x7f && code <= 0x9f))
+            return "";
+    }
+    let parsedUrl;
+    try {
+        parsedUrl = new URL(normalized);
+    }
+    catch {
+        return "";
+    }
+    const allowedSchemes = ["https", "http"];
+    const scheme = parsedUrl.protocol.slice(0, -1).toLowerCase();
+    if (!allowedSchemes.includes(scheme))
+        return "";
+    return normalized;
+}
+export function generateCSRFProtection() {
+    const csrfCookieName = "__Host-CSRF_TOKEN";
+    const token = crypto.randomUUID();
+    const setCookie = `${csrfCookieName}=${token}; HttpOnly; Secure; Path=/; SameSite=Lax; Max-Age=600`;
+    return { token, setCookie };
+}
+export function validateCSRFToken(formData, request) {
+    const csrfCookieName = "__Host-CSRF_TOKEN";
+    const tokenFromForm = formData.get("csrf_token");
+    if (!tokenFromForm || typeof tokenFromForm !== "string") {
+        throw new OAuthError("invalid_request", "Missing CSRF token in form data", 400);
+    }
+    const cookieHeader = request.headers.get("Cookie") || "";
+    const cookies = cookieHeader.split(";").map((c) => c.trim());
+    const csrfCookie = cookies.find((c) => c.startsWith(`${csrfCookieName}=`));
+    const tokenFromCookie = csrfCookie ? csrfCookie.substring(csrfCookieName.length + 1) : null;
+    if (!tokenFromCookie) {
+        throw new OAuthError("invalid_request", "Missing CSRF token cookie", 400);
+    }
+    if (tokenFromForm !== tokenFromCookie) {
+        throw new OAuthError("invalid_request", "CSRF token mismatch", 400);
+    }
+    const clearCookie = `${csrfCookieName}=; HttpOnly; Secure; Path=/; SameSite=Lax; Max-Age=0`;
+    return { clearCookie };
+}
+export async function createOAuthState(oauthReqInfo, kv, stateTTL = 600) {
+    const stateToken = crypto.randomUUID();
+    await kv.put(`oauth:state:${stateToken}`, JSON.stringify(oauthReqInfo), {
+        expirationTtl: stateTTL,
+    });
+    return { stateToken };
+}
+export async function bindStateToSession(stateToken) {
+    const consentedStateCookieName = "__Host-CONSENTED_STATE";
+    const encoder = new TextEncoder();
+    const data = encoder.encode(stateToken);
+    const hashBuffer = await crypto.subtle.digest("SHA-256", data);
+    const hashArray = Array.from(new Uint8Array(hashBuffer));
+    const hashHex = hashArray.map((b) => b.toString(16).padStart(2, "0")).join("");
+    const setCookie = `${consentedStateCookieName}=${hashHex}; HttpOnly; Secure; Path=/; SameSite=Lax; Max-Age=600`;
+    return { setCookie };
+}
+export async function validateOAuthState(request, kv) {
+    const consentedStateCookieName = "__Host-CONSENTED_STATE";
+    const url = new URL(request.url);
+    const stateFromQuery = url.searchParams.get("state");
+    if (!stateFromQuery) {
+        throw new OAuthError("invalid_request", "Missing state parameter", 400);
+    }
+    const storedDataJson = await kv.get(`oauth:state:${stateFromQuery}`);
+    if (!storedDataJson) {
+        throw new OAuthError("invalid_request", "Invalid or expired state", 400);
+    }
+    const cookieHeader = request.headers.get("Cookie") || "";
+    const cookies = cookieHeader.split(";").map((c) => c.trim());
+    const consentedStateCookie = cookies.find((c) => c.startsWith(`${consentedStateCookieName}=`));
+    const consentedStateHash = consentedStateCookie
+        ? consentedStateCookie.substring(consentedStateCookieName.length + 1)
+        : null;
+    if (!consentedStateHash) {
+        throw new OAuthError("invalid_request", "Missing session binding cookie - authorization flow must be restarted", 400);
+    }
+    const encoder = new TextEncoder();
+    const data = encoder.encode(stateFromQuery);
+    const hashBuffer = await crypto.subtle.digest("SHA-256", data);
+    const hashArray = Array.from(new Uint8Array(hashBuffer));
+    const stateHash = hashArray.map((b) => b.toString(16).padStart(2, "0")).join("");
+    if (stateHash !== consentedStateHash) {
+        throw new OAuthError("invalid_request", "State token does not match session - possible CSRF attack detected", 400);
+    }
+    let oauthReqInfo;
+    try {
+        oauthReqInfo = JSON.parse(storedDataJson);
+    }
+    catch {
+        throw new OAuthError("server_error", "Invalid state data", 500);
+    }
+    await kv.delete(`oauth:state:${stateFromQuery}`);
+    const clearCookie = `${consentedStateCookieName}=; HttpOnly; Secure; Path=/; SameSite=Lax; Max-Age=0`;
+    return { oauthReqInfo, clearCookie };
+}
+export async function isClientApproved(request, clientId, cookieSecret) {
+    const approvedClients = await getApprovedClientsFromCookie(request, cookieSecret);
+    return approvedClients?.includes(clientId) ?? false;
+}
+export async function addApprovedClient(request, clientId, cookieSecret) {
+    const approvedClientsCookieName = "__Host-APPROVED_CLIENTS";
+    const THIRTY_DAYS_IN_SECONDS = 2592000;
+    const existingApprovedClients = (await getApprovedClientsFromCookie(request, cookieSecret)) || [];
+    const updatedApprovedClients = Array.from(new Set([...existingApprovedClients, clientId]));
+    const payload = JSON.stringify(updatedApprovedClients);
+    const signature = await signData(payload, cookieSecret);
+    const cookieValue = `${signature}.${btoa(payload)}`;
+    return `${approvedClientsCookieName}=${cookieValue}; HttpOnly; Secure; Path=/; SameSite=Lax; Max-Age=${THIRTY_DAYS_IN_SECONDS}`;
+}
+export function renderApprovalDialog(request, options) {
+    const { client, server, state, csrfToken, setCookie } = options;
+    const encodedState = btoa(JSON.stringify(state));
+    const serverName = sanitizeText(server.name);
+    const clientName = client?.clientName ? sanitizeText(client.clientName) : "Unknown MCP Client";
+    const serverDescription = server.description ? sanitizeText(server.description) : "";
+    const logoUrl = server.logo ? sanitizeText(sanitizeUrl(server.logo)) : "";
+    const clientUri = client?.clientUri ? sanitizeText(sanitizeUrl(client.clientUri)) : "";
+    const policyUri = client?.policyUri ? sanitizeText(sanitizeUrl(client.policyUri)) : "";
+    const tosUri = client?.tosUri ? sanitizeText(sanitizeUrl(client.tosUri)) : "";
+    const contacts = client?.contacts && client.contacts.length > 0 ? sanitizeText(client.contacts.join(", ")) : "";
+    const redirectUris = client?.redirectUris && client.redirectUris.length > 0
+        ? client.redirectUris
+            .map((uri) => {
+            const validated = sanitizeUrl(uri);
+            return validated ? sanitizeText(validated) : "";
+        })
+            .filter((uri) => uri !== "")
+        : [];
+    const htmlContent = `<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>${clientName} | Authorization Request</title>
+  <style>
+    :root { --primary-color: #1f6f4f; --border-color: #e5e7eb; --text-color: #111; }
+    body { font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, sans-serif;
+           line-height: 1.6; color: var(--text-color); background: #f9fafb; margin: 0; }
+    .container { max-width: 600px; margin: 2rem auto; padding: 1rem; }
+    .precard { padding: 2rem; text-align: center; }
+    .card { background: #fff; border-radius: 8px; box-shadow: 0 8px 36px 8px rgba(0,0,0,0.08); padding: 2rem; }
+    .header { display: flex; align-items: center; justify-content: center; margin-bottom: 1.5rem; }
+    .logo { width: 48px; height: 48px; margin-right: 1rem; border-radius: 8px; }
+    .title { margin: 0; font-size: 1.3rem; font-weight: 500; }
+    .alert { font-size: 1.4rem; font-weight: 400; margin: 1rem 0; text-align: center; }
+    .client-info { border: 1px solid var(--border-color); border-radius: 6px; padding: 1rem 1rem 0.5rem; margin-bottom: 1.5rem; }
+    .client-detail { display: flex; margin-bottom: 0.5rem; align-items: baseline; }
+    .detail-label { font-weight: 500; min-width: 120px; }
+    .detail-value { font-family: ui-monospace, SFMono-Regular, Menlo, monospace; word-break: break-all; }
+    .detail-value.small { font-size: 0.85em; }
+    .actions { display: flex; justify-content: flex-end; gap: 1rem; margin-top: 2rem; }
+    .button { padding: 0.75rem 1.5rem; border-radius: 6px; font-weight: 500; cursor: pointer; border: none; font-size: 1rem; }
+    .button-primary { background: var(--primary-color); color: #fff; }
+    .button-secondary { background: transparent; border: 1px solid var(--border-color); color: var(--text-color); }
+  </style>
+</head>
+<body>
+  <div class="container">
+    <div class="precard">
+      <div class="header">
+        ${logoUrl ? `<img src="${logoUrl}" alt="${serverName} Logo" class="logo">` : ""}
+        <h1 class="title"><strong>${serverName}</strong></h1>
+      </div>
+      ${serverDescription ? `<p>${serverDescription}</p>` : ""}
+    </div>
+    <div class="card">
+      <h2 class="alert"><strong>${clientName}</strong> is requesting access</h2>
+      <div class="client-info">
+        <div class="client-detail">
+          <div class="detail-label">Name:</div>
+          <div class="detail-value">${clientName}</div>
+        </div>
+        ${clientUri ? `<div class="client-detail"><div class="detail-label">Website:</div><div class="detail-value small"><a href="${clientUri}" target="_blank" rel="noopener noreferrer">${clientUri}</a></div></div>` : ""}
+        ${policyUri ? `<div class="client-detail"><div class="detail-label">Privacy Policy:</div><div class="detail-value"><a href="${policyUri}" target="_blank" rel="noopener noreferrer">${policyUri}</a></div></div>` : ""}
+        ${tosUri ? `<div class="client-detail"><div class="detail-label">Terms of Service:</div><div class="detail-value"><a href="${tosUri}" target="_blank" rel="noopener noreferrer">${tosUri}</a></div></div>` : ""}
+        ${redirectUris.length > 0 ? `<div class="client-detail"><div class="detail-label">Redirect URIs:</div><div class="detail-value small">${redirectUris.map((u) => `<div>${u}</div>`).join("")}</div></div>` : ""}
+        ${contacts ? `<div class="client-detail"><div class="detail-label">Contact:</div><div class="detail-value">${contacts}</div></div>` : ""}
+      </div>
+      <p>This MCP Client is requesting access to the Mzizi design-system registry through <strong>${serverName}</strong>. mzizi-mcp is a free, public tool — if you approve, you will be redirected to sign in or create a free account.</p>
+      <form method="post" action="${new URL(request.url).pathname}">
+        <input type="hidden" name="state" value="${encodedState}">
+        <input type="hidden" name="csrf_token" value="${csrfToken}">
+        <div class="actions">
+          <button type="button" class="button button-secondary" onclick="window.history.back()">Cancel</button>
+          <button type="submit" class="button button-primary">Approve</button>
+        </div>
+      </form>
+    </div>
+  </div>
+</body>
+</html>`;
+    return new Response(htmlContent, {
+        headers: {
+            "Content-Security-Policy": "frame-ancestors 'none'",
+            "Content-Type": "text/html; charset=utf-8",
+            "Set-Cookie": setCookie,
+            "X-Frame-Options": "DENY",
+        },
+    });
+}
+async function getApprovedClientsFromCookie(request, cookieSecret) {
+    const approvedClientsCookieName = "__Host-APPROVED_CLIENTS";
+    const cookieHeader = request.headers.get("Cookie");
+    if (!cookieHeader)
+        return null;
+    const cookies = cookieHeader.split(";").map((c) => c.trim());
+    const targetCookie = cookies.find((c) => c.startsWith(`${approvedClientsCookieName}=`));
+    if (!targetCookie)
+        return null;
+    const cookieValue = targetCookie.substring(approvedClientsCookieName.length + 1);
+    const parts = cookieValue.split(".");
+    const signatureHex = parts[0];
+    const base64Payload = parts[1];
+    if (parts.length !== 2 || !signatureHex || !base64Payload)
+        return null;
+    const payload = atob(base64Payload);
+    const isValid = await verifySignature(signatureHex, payload, cookieSecret);
+    if (!isValid)
+        return null;
+    try {
+        const approvedClients = JSON.parse(payload);
+        if (!Array.isArray(approvedClients) ||
+            !approvedClients.every((item) => typeof item === "string")) {
+            return null;
+        }
+        return approvedClients;
+    }
+    catch {
+        return null;
+    }
+}
+async function signData(data, secret) {
+    const key = await importKey(secret);
+    const enc = new TextEncoder();
+    const signatureBuffer = await crypto.subtle.sign("HMAC", key, enc.encode(data));
+    return Array.from(new Uint8Array(signatureBuffer))
+        .map((b) => b.toString(16).padStart(2, "0"))
+        .join("");
+}
+async function verifySignature(signatureHex, data, secret) {
+    const key = await importKey(secret);
+    const enc = new TextEncoder();
+    try {
+        const signatureBytes = new Uint8Array(signatureHex.match(/.{1,2}/g).map((byte) => Number.parseInt(byte, 16)));
+        return await crypto.subtle.verify("HMAC", key, signatureBytes.buffer, enc.encode(data));
+    }
+    catch {
+        return false;
+    }
+}
+async function importKey(secret) {
+    if (!secret)
+        throw new Error("cookieSecret is required for signing cookies");
+    const enc = new TextEncoder();
+    return crypto.subtle.importKey("raw", enc.encode(secret), { hash: "SHA-256", name: "HMAC" }, false, ["sign", "verify"]);
+}
+//# sourceMappingURL=oauth-utils.js.map

package/dist/auth/oauth-utils.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"oauth-utils.js","sourceRoot":"","sources":["../../src/auth/oauth-utils.ts"],"names":[],"mappings":"AAAA,iBAAiB;AACjB,+EAA+E;AAC/E,4EAA4E;AAC5E,kCAAkC;AAIlC,MAAM,OAAO,UAAW,SAAQ,KAAK;IAE1B;IACA;IACA;IAHT,YACS,IAAY,EACZ,WAAmB,EACnB,aAAa,GAAG;QAEvB,KAAK,CAAC,WAAW,CAAC,CAAA;QAJX,SAAI,GAAJ,IAAI,CAAQ;QACZ,gBAAW,GAAX,WAAW,CAAQ;QACnB,eAAU,GAAV,UAAU,CAAM;QAGvB,IAAI,CAAC,IAAI,GAAG,YAAY,CAAA;IAC1B,CAAC;IAED,UAAU;QACR,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,IAAI,CAAC,IAAI,EAAE,iBAAiB,EAAE,IAAI,CAAC,WAAW,EAAE,CAAC,EAAE;YAC7F,MAAM,EAAE,IAAI,CAAC,UAAU;YACvB,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;SAChD,CAAC,CAAA;IACJ,CAAC;CACF;AAwBD,MAAM,UAAU,YAAY,CAAC,IAAY;IACvC,OAAO,IAAI;SACR,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC;SACtB,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC;SACrB,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC;SACrB,OAAO,CAAC,IAAI,EAAE,QAAQ,CAAC;SACvB,OAAO,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAA;AAC5B,CAAC;AAED,MAAM,UAAU,WAAW,CAAC,GAAW;IACrC,MAAM,UAAU,GAAG,GAAG,CAAC,IAAI,EAAE,CAAA;IAC7B,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,CAAA;IAEtC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,UAAU,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAC3C,MAAM,IAAI,GAAG,UAAU,CAAC,UAAU,CAAC,CAAC,CAAC,CAAA;QACrC,IAAI,CAAC,IAAI,IAAI,IAAI,IAAI,IAAI,IAAI,IAAI,CAAC,IAAI,CAAC,IAAI,IAAI,IAAI,IAAI,IAAI,IAAI,IAAI,CAAC;YAAE,OAAO,EAAE,CAAA;IACjF,CAAC;IAED,IAAI,SAAc,CAAA;IAClB,IAAI,CAAC;QACH,SAAS,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,CAAA;IACjC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAA;IACX,CAAC;IAED,MAAM,cAAc,GAAG,CAAC,OAAO,EAAE,MAAM,CAAC,CAAA;IACxC,MAAM,MAAM,GAAG,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,CAAA;IAC5D,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,MAAM,CAAC;QAAE,OAAO,EAAE,CAAA;IAE/C,OAAO,UAAU,CAAA;AACnB,CAAC;AAED,MAAM,UAAU,sBAAsB;IACpC,MAAM,cAAc,GAAG,mBAAmB,CAAA;IAC1C,MAAM,KAAK,GAAG,MAAM,CAAC,UAAU,EAAE,CAAA;IACjC,MAAM,SAAS,GAAG,GAAG,cAAc,IAAI,KAAK,uDAAuD,CAAA;IACnG,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,CAAA;AAC7B,CAAC;AAED,MAAM,UAAU,iBAAiB,CAAC,QAAkB,EAAE,OAAgB;IACpE,MAAM,cAAc,GAAG,mBAAmB,CAAA;IAC1C,MAAM,aAAa,GAAG,QAAQ,CAAC,GAAG,CAAC,YAAY,CAAC,CAAA;IAEhD,IAAI,CAAC,aAAa,IAAI,OAAO,aAAa,KAAK,QAAQ,EAAE,CAAC;QACxD,MAAM,IAAI,UAAU,CAAC,iBAAiB,EAAE,iCAAiC,EAAE,GAAG,CAAC,CAAA;IACjF,CAAC;IAED,MAAM,YAAY,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAA;IACxD,MAAM,OAAO,GAAG,YAAY,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAA;IAC5D,MAAM,UAAU,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,GAAG,cAAc,GAAG,CAAC,CAAC,CAAA;IAC1E,MAAM,eAAe,GAAG,UAAU,CAAC,CAAC,CAAC,UAAU,CAAC,SAAS,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAA;IAE3F,IAAI,CAAC,eAAe,EAAE,CAAC;QACrB,MAAM,IAAI,UAAU,CAAC,iBAAiB,EAAE,2BAA2B,EAAE,GAAG,CAAC,CAAA;IAC3E,CAAC;IAED,IAAI,aAAa,KAAK,eAAe,EAAE,CAAC;QACtC,MAAM,IAAI,UAAU,CAAC,iBAAiB,EAAE,qBAAqB,EAAE,GAAG,CAAC,CAAA;IACrE,CAAC;IAED,MAAM,WAAW,GAAG,GAAG,cAAc,sDAAsD,CAAA;IAC3F,OAAO,EAAE,WAAW,EAAE,CAAA;AACxB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,YAAyB,EACzB,EAAe,EACf,QAAQ,GAAG,GAAG;IAEd,MAAM,UAAU,GAAG,MAAM,CAAC,UAAU,EAAE,CAAA;IACtC,MAAM,EAAE,CAAC,GAAG,CAAC,eAAe,UAAU,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC,EAAE;QACtE,aAAa,EAAE,QAAQ;KACxB,CAAC,CAAA;IACF,OAAO,EAAE,UAAU,EAAE,CAAA;AACvB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAAC,UAAkB;IACzD,MAAM,wBAAwB,GAAG,wBAAwB,CAAA;IACzD,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAA;IACjC,MAAM,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC,UAAU,CAAC,CAAA;IACvC,MAAM,UAAU,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,IAAI,CAAC,CAAA;IAC9D,MAAM,SAAS,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,UAAU,CAAC,UAAU,CAAC,CAAC,CAAA;IACxD,MAAM,OAAO,GAAG,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAA;IAE9E,MAAM,SAAS,GAAG,GAAG,wBAAwB,IAAI,OAAO,uDAAuD,CAAA;IAC/G,OAAO,EAAE,SAAS,EAAE,CAAA;AACtB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,OAAgB,EAChB,EAAe;IAEf,MAAM,wBAAwB,GAAG,wBAAwB,CAAA;IACzD,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;IAChC,MAAM,cAAc,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAA;IAEpD,IAAI,CAAC,cAAc,EAAE,CAAC;QACpB,MAAM,IAAI,UAAU,CAAC,iBAAiB,EAAE,yBAAyB,EAAE,GAAG,CAAC,CAAA;IACzE,CAAC;IAED,MAAM,cAAc,GAAG,MAAM,EAAE,CAAC,GAAG,CAAC,eAAe,cAAc,EAAE,CAAC,CAAA;IACpE,IAAI,CAAC,cAAc,EAAE,CAAC;QACpB,MAAM,IAAI,UAAU,CAAC,iBAAiB,EAAE,0BAA0B,EAAE,GAAG,CAAC,CAAA;IAC1E,CAAC;IAED,MAAM,YAAY,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAA;IACxD,MAAM,OAAO,GAAG,YAAY,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAA;IAC5D,MAAM,oBAAoB,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,GAAG,wBAAwB,GAAG,CAAC,CAAC,CAAA;IAC9F,MAAM,kBAAkB,GAAG,oBAAoB;QAC7C,CAAC,CAAC,oBAAoB,CAAC,SAAS,CAAC,wBAAwB,CAAC,MAAM,GAAG,CAAC,CAAC;QACrE,CAAC,CAAC,IAAI,CAAA;IAER,IAAI,CAAC,kBAAkB,EAAE,CAAC;QACxB,MAAM,IAAI,UAAU,CAClB,iBAAiB,EACjB,uEAAuE,EACvE,GAAG,CACJ,CAAA;IACH,CAAC;IAED,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAA;IACjC,MAAM,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC,cAAc,CAAC,CAAA;IAC3C,MAAM,UAAU,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,IAAI,CAAC,CAAA;IAC9D,MAAM,SAAS,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,UAAU,CAAC,UAAU,CAAC,CAAC,CAAA;IACxD,MAAM,SAAS,GAAG,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAA;IAEhF,IAAI,SAAS,KAAK,kBAAkB,EAAE,CAAC;QACrC,MAAM,IAAI,UAAU,CAClB,iBAAiB,EACjB,oEAAoE,EACpE,GAAG,CACJ,CAAA;IACH,CAAC;IAED,IAAI,YAAyB,CAAA;IAC7B,IAAI,CAAC;QACH,YAAY,GAAG,IAAI,CAAC,KAAK,CAAC,cAAc,CAAgB,CAAA;IAC1D,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,UAAU,CAAC,cAAc,EAAE,oBAAoB,EAAE,GAAG,CAAC,CAAA;IACjE,CAAC;IAED,MAAM,EAAE,CAAC,MAAM,CAAC,eAAe,cAAc,EAAE,CAAC,CAAA;IAEhD,MAAM,WAAW,GAAG,GAAG,wBAAwB,sDAAsD,CAAA;IACrG,OAAO,EAAE,YAAY,EAAE,WAAW,EAAE,CAAA;AACtC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,OAAgB,EAChB,QAAgB,EAChB,YAAoB;IAEpB,MAAM,eAAe,GAAG,MAAM,4BAA4B,CAAC,OAAO,EAAE,YAAY,CAAC,CAAA;IACjF,OAAO,eAAe,EAAE,QAAQ,CAAC,QAAQ,CAAC,IAAI,KAAK,CAAA;AACrD,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,OAAgB,EAChB,QAAgB,EAChB,YAAoB;IAEpB,MAAM,yBAAyB,GAAG,yBAAyB,CAAA;IAC3D,MAAM,sBAAsB,GAAG,OAAO,CAAA;IAEtC,MAAM,uBAAuB,GAAG,CAAC,MAAM,4BAA4B,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC,IAAI,EAAE,CAAA;IACjG,MAAM,sBAAsB,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,CAAC,GAAG,uBAAuB,EAAE,QAAQ,CAAC,CAAC,CAAC,CAAA;IAE1F,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,CAAC,sBAAsB,CAAC,CAAA;IACtD,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,OAAO,EAAE,YAAY,CAAC,CAAA;IACvD,MAAM,WAAW,GAAG,GAAG,SAAS,IAAI,IAAI,CAAC,OAAO,CAAC,EAAE,CAAA;IAEnD,OAAO,GAAG,yBAAyB,IAAI,WAAW,qDAAqD,sBAAsB,EAAE,CAAA;AACjI,CAAC;AAUD,MAAM,UAAU,oBAAoB,CAAC,OAAgB,EAAE,OAA8B;IACnF,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,SAAS,EAAE,SAAS,EAAE,GAAG,OAAO,CAAA;IAE/D,MAAM,YAAY,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAA;IAChD,MAAM,UAAU,GAAG,YAAY,CAAC,MAAM,CAAC,IAAI,CAAC,CAAA;IAC5C,MAAM,UAAU,GAAG,MAAM,EAAE,UAAU,CAAC,CAAC,CAAC,YAAY,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,oBAAoB,CAAA;IAC9F,MAAM,iBAAiB,GAAG,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,YAAY,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,EAAE,CAAA;IAEpF,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,YAAY,CAAC,WAAW,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAA;IACzE,MAAM,SAAS,GAAG,MAAM,EAAE,SAAS,CAAC,CAAC,CAAC,YAAY,CAAC,WAAW,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAA;IACtF,MAAM,SAAS,GAAG,MAAM,EAAE,SAAS,CAAC,CAAC,CAAC,YAAY,CAAC,WAAW,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAA;IACtF,MAAM,MAAM,GAAG,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC,YAAY,CAAC,WAAW,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAA;IAE7E,MAAM,QAAQ,GACZ,MAAM,EAAE,QAAQ,IAAI,MAAM,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAA;IAEhG,MAAM,YAAY,GAChB,MAAM,EAAE,YAAY,IAAI,MAAM,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC;QACpD,CAAC,CAAC,MAAM,CAAC,YAAY;aAChB,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE;YACX,MAAM,SAAS,GAAG,WAAW,CAAC,GAAG,CAAC,CAAA;YAClC,OAAO,SAAS,CAAC,CAAC,CAAC,YAAY,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,EAAE,CAAA;QACjD,CAAC,CAAC;aACD,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,KAAK,EAAE,CAAC;QAChC,CAAC,CAAC,EAAE,CAAA;IAER,MAAM,WAAW,GAAG;;;;;WAKX,UAAU;;;;;;;;;;;;;;;;;;;;;;;;;;;UA2BX,OAAO,CAAC,CAAC,CAAC,aAAa,OAAO,UAAU,UAAU,sBAAsB,CAAC,CAAC,CAAC,EAAE;oCACnD,UAAU;;QAEtC,iBAAiB,CAAC,CAAC,CAAC,MAAM,iBAAiB,MAAM,CAAC,CAAC,CAAC,EAAE;;;kCAG5B,UAAU;;;;sCAIN,UAAU;;UAEtC,SAAS,CAAC,CAAC,CAAC,+GAA+G,SAAS,+CAA+C,SAAS,kBAAkB,CAAC,CAAC,CAAC,EAAE;UACnN,SAAS,CAAC,CAAC,CAAC,gHAAgH,SAAS,+CAA+C,SAAS,kBAAkB,CAAC,CAAC,CAAC,EAAE;UACpN,MAAM,CAAC,CAAC,CAAC,kHAAkH,MAAM,+CAA+C,MAAM,kBAAkB,CAAC,CAAC,CAAC,EAAE;UAC7M,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,4GAA4G,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,cAAc,CAAC,CAAC,CAAC,EAAE;UAC5M,QAAQ,CAAC,CAAC,CAAC,gGAAgG,QAAQ,cAAc,CAAC,CAAC,CAAC,EAAE;;oGAE5C,UAAU;oCAC1E,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,QAAQ;mDACd,YAAY;wDACP,SAAS;;;;;;;;;QASzD,CAAA;IAEN,OAAO,IAAI,QAAQ,CAAC,WAAW,EAAE;QAC/B,OAAO,EAAE;YACP,yBAAyB,EAAE,wBAAwB;YACnD,cAAc,EAAE,0BAA0B;YAC1C,YAAY,EAAE,SAAS;YACvB,iBAAiB,EAAE,MAAM;SAC1B;KACF,CAAC,CAAA;AACJ,CAAC;AAED,KAAK,UAAU,4BAA4B,CACzC,OAAgB,EAChB,YAAoB;IAEpB,MAAM,yBAAyB,GAAG,yBAAyB,CAAA;IAE3D,MAAM,YAAY,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;IAClD,IAAI,CAAC,YAAY;QAAE,OAAO,IAAI,CAAA;IAE9B,MAAM,OAAO,GAAG,YAAY,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAA;IAC5D,MAAM,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,GAAG,yBAAyB,GAAG,CAAC,CAAC,CAAA;IACvF,IAAI,CAAC,YAAY;QAAE,OAAO,IAAI,CAAA;IAE9B,MAAM,WAAW,GAAG,YAAY,CAAC,SAAS,CAAC,yBAAyB,CAAC,MAAM,GAAG,CAAC,CAAC,CAAA;IAChF,MAAM,KAAK,GAAG,WAAW,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IACpC,MAAM,YAAY,GAAG,KAAK,CAAC,CAAC,CAAC,CAAA;IAC7B,MAAM,aAAa,GAAG,KAAK,CAAC,CAAC,CAAC,CAAA;IAC9B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,CAAC,YAAY,IAAI,CAAC,aAAa;QAAE,OAAO,IAAI,CAAA;IAEtE,MAAM,OAAO,GAAG,IAAI,CAAC,aAAa,CAAC,CAAA;IAEnC,MAAM,OAAO,GAAG,MAAM,eAAe,CAAC,YAAY,EAAE,OAAO,EAAE,YAAY,CAAC,CAAA;IAC1E,IAAI,CAAC,OAAO;QAAE,OAAO,IAAI,CAAA;IAEzB,IAAI,CAAC;QACH,MAAM,eAAe,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAA;QAC3C,IACE,CAAC,KAAK,CAAC,OAAO,CAAC,eAAe,CAAC;YAC/B,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,OAAO,IAAI,KAAK,QAAQ,CAAC,EAC1D,CAAC;YACD,OAAO,IAAI,CAAA;QACb,CAAC;QACD,OAAO,eAA2B,CAAA;IACpC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAA;IACb,CAAC;AACH,CAAC;AAED,KAAK,UAAU,QAAQ,CAAC,IAAY,EAAE,MAAc;IAClD,MAAM,GAAG,GAAG,MAAM,SAAS,CAAC,MAAM,CAAC,CAAA;IACnC,MAAM,GAAG,GAAG,IAAI,WAAW,EAAE,CAAA;IAC7B,MAAM,eAAe,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAA;IAC/E,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,UAAU,CAAC,eAAe,CAAC,CAAC;SAC/C,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;SAC3C,IAAI,CAAC,EAAE,CAAC,CAAA;AACb,CAAC;AAED,KAAK,UAAU,eAAe,CAC5B,YAAoB,EACpB,IAAY,EACZ,MAAc;IAEd,MAAM,GAAG,GAAG,MAAM,SAAS,CAAC,MAAM,CAAC,CAAA;IACnC,MAAM,GAAG,GAAG,IAAI,WAAW,EAAE,CAAA;IAC7B,IAAI,CAAC;QACH,MAAM,cAAc,GAAG,IAAI,UAAU,CACnC,YAAY,CAAC,KAAK,CAAC,SAAS,CAAE,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,CACxE,CAAA;QACD,OAAO,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,EAAE,GAAG,EAAE,cAAc,CAAC,MAAM,EAAE,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAA;IACzF,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAA;IACd,CAAC;AACH,CAAC;AAED,KAAK,UAAU,SAAS,CAAC,MAAc;IACrC,IAAI,CAAC,MAAM;QAAE,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAA;IAC5E,MAAM,GAAG,GAAG,IAAI,WAAW,EAAE,CAAA;IAC7B,OAAO,MAAM,CAAC,MAAM,CAAC,SAAS,CAC5B,KAAK,EACL,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,EAClB,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,MAAM,EAAE,EACjC,KAAK,EACL,CAAC,MAAM,EAAE,QAAQ,CAAC,CACnB,CAAA;AACH,CAAC"}

package/dist/auth/props.d.ts ADDED Viewed

@@ -0,0 +1,18 @@
+import type { User } from "@workos-inc/node";
+/**
+ * Identity carried on the access token the OAuth provider issues to an MCP
+ * client. Populated in the AuthKit `/callback` and made available to the MCP
+ * API handler as `ctx.props`.
+ *
+ * mzizi-mcp does not gate on `organizationId` or `permissions` — they are kept
+ * only so downstream tooling (fundi, gated collections) can read them later.
+ */
+export interface Props {
+    user: User;
+    accessToken: string;
+    refreshToken: string;
+    permissions: string[];
+    organizationId?: string;
+    [key: string]: unknown;
+}
+//# sourceMappingURL=props.d.ts.map

package/dist/auth/props.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"props.d.ts","sourceRoot":"","sources":["../../src/auth/props.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,kBAAkB,CAAA;AAE5C;;;;;;;GAOG;AACH,MAAM,WAAW,KAAK;IACpB,IAAI,EAAE,IAAI,CAAA;IACV,WAAW,EAAE,MAAM,CAAA;IACnB,YAAY,EAAE,MAAM,CAAA;IACpB,WAAW,EAAE,MAAM,EAAE,CAAA;IACrB,cAAc,CAAC,EAAE,MAAM,CAAA;IAGvB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAA;CACvB"}

package/dist/auth/props.js ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ export {};
2	+ //# sourceMappingURL=props.js.map

package/dist/auth/props.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"props.js","sourceRoot":"","sources":["../../src/auth/props.ts"],"names":[],"mappings":""}

package/dist/env.d.ts ADDED Viewed

@@ -0,0 +1,22 @@
+/**
+ * Worker environment bindings — shared across the OAuth provider, the WorkOS
+ * AuthKit handler, and the MCP API handler.
+ *
+ * mzizi-mcp is a free, public tool: anyone can sign up through WorkOS AuthKit
+ * and use it. There is deliberately NO org allowlist and NO required-permission
+ * gate (that is what `nyuchi/mongodb-mcp` does, because it is internal). This
+ * auth layer is the reusable foundation the rest of the Mzizi tooling (fundi
+ * and friends) can sit behind later.
+ */
+import type { OAuthHelpers } from "@cloudflare/workers-oauth-provider";
+export interface Env {
+    SUPABASE_URL: string;
+    SUPABASE_PUBLISHABLE_KEY: string;
+    SUPABASE_SECRET_KEY?: string;
+    WORKOS_CLIENT_ID: string;
+    WORKOS_CLIENT_SECRET: string;
+    COOKIE_ENCRYPTION_KEY: string;
+    OAUTH_KV: KVNamespace;
+    OAUTH_PROVIDER: OAuthHelpers;
+}
+//# sourceMappingURL=env.d.ts.map

package/dist/env.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"env.d.ts","sourceRoot":"","sources":["../src/env.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oCAAoC,CAAA;AAEtE,MAAM,WAAW,GAAG;IAElB,YAAY,EAAE,MAAM,CAAA;IACpB,wBAAwB,EAAE,MAAM,CAAA;IAChC,mBAAmB,CAAC,EAAE,MAAM,CAAA;IAG5B,gBAAgB,EAAE,MAAM,CAAA;IACxB,oBAAoB,EAAE,MAAM,CAAA;IAG5B,qBAAqB,EAAE,MAAM,CAAA;IAG7B,QAAQ,EAAE,WAAW,CAAA;IACrB,cAAc,EAAE,YAAY,CAAA;CAC7B"}

package/dist/env.js ADDED Viewed

@@ -0,0 +1,12 @@
+/**
+ * Worker environment bindings — shared across the OAuth provider, the WorkOS
+ * AuthKit handler, and the MCP API handler.
+ *
+ * mzizi-mcp is a free, public tool: anyone can sign up through WorkOS AuthKit
+ * and use it. There is deliberately NO org allowlist and NO required-permission
+ * gate (that is what `nyuchi/mongodb-mcp` does, because it is internal). This
+ * auth layer is the reusable foundation the rest of the Mzizi tooling (fundi
+ * and friends) can sit behind later.
+ */
+export {};
+//# sourceMappingURL=env.js.map

package/dist/env.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"env.js","sourceRoot":"","sources":["../src/env.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG"}

package/dist/http.d.ts ADDED Viewed

@@ -0,0 +1,22 @@
+/**
+ * HTTP / fetch-handler entry — Cloudflare Workers + Next.js routes + any
+ * Web-standard Request/Response runtime.
+ *
+ * Uses `@supabase/server`'s `createSupabaseContext(request, { auth: 'none' })`
+ * to mint a per-request anon-scoped `SupabaseClient`. RLS on
+ * `component_documents` enforces read-only.
+ */
+import { type WithSupabaseConfig } from "@supabase/server";
+export interface HttpHandlerOptions {
+    /**
+     * Override the default `@supabase/server` config. Defaults to
+     * `{ auth: 'none', cors: false }` — public read via the anon client.
+     */
+    supabaseConfig?: WithSupabaseConfig;
+}
+/**
+ * Build a fetch handler that serves the Mzizi MCP over Streamable HTTP.
+ * Stateless — each request creates a fresh transport + server pair.
+ */
+export declare function createMziziHttpHandler(options?: HttpHandlerOptions): (request: Request) => Promise<Response>;
+//# sourceMappingURL=http.d.ts.map

package/dist/http.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"http.d.ts","sourceRoot":"","sources":["../src/http.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAGH,OAAO,EAAyB,KAAK,kBAAkB,EAAE,MAAM,kBAAkB,CAAA;AAoCjF,MAAM,WAAW,kBAAkB;IACjC;;;OAGG;IACH,cAAc,CAAC,EAAE,kBAAkB,CAAA;CACpC;AAED;;;GAGG;AACH,wBAAgB,sBAAsB,CAAC,OAAO,GAAE,kBAAuB,IAGxC,SAAS,OAAO,KAAG,OAAO,CAAC,QAAQ,CAAC,CA8BlE"}

package/dist/http.js ADDED Viewed

@@ -0,0 +1,72 @@
+/**
+ * HTTP / fetch-handler entry — Cloudflare Workers + Next.js routes + any
+ * Web-standard Request/Response runtime.
+ *
+ * Uses `@supabase/server`'s `createSupabaseContext(request, { auth: 'none' })`
+ * to mint a per-request anon-scoped `SupabaseClient`. RLS on
+ * `component_documents` enforces read-only.
+ */
+import { WebStandardStreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/webStandardStreamableHttp.js";
+import { createSupabaseContext } from "@supabase/server";
+import { createMziziMcpServer } from "./server.js";
+const CORS_HEADERS = {
+    "Access-Control-Allow-Origin": "*",
+    "Access-Control-Allow-Methods": "GET, POST, DELETE, OPTIONS",
+    "Access-Control-Allow-Headers": "Content-Type, MCP-Protocol-Version, MCP-Session-Id, apikey",
+};
+function withCors(response) {
+    const headers = new Headers(response.headers);
+    for (const [key, value] of Object.entries(CORS_HEADERS))
+        headers.set(key, value);
+    return new Response(response.body, {
+        status: response.status,
+        statusText: response.statusText,
+        headers,
+    });
+}
+// OAuth / OIDC discovery paths an MCP client probes to learn whether — and
+// how — it must authenticate (RFC 9728 / RFC 8414 + the MCP Authorization
+// spec). This server is public (`auth: "none"`); it advertises no auth
+// scheme. RFC 9728 §3.1 also allows the resource identifier to carry a path,
+// so the protected-resource probe can arrive with a trailing path segment.
+const OAUTH_DISCOVERY_PREFIXES = [
+    "/.well-known/oauth-protected-resource",
+    "/.well-known/oauth-authorization-server",
+    "/.well-known/openid-configuration",
+];
+function isOAuthDiscoveryPath(pathname) {
+    return OAUTH_DISCOVERY_PREFIXES.some((prefix) => pathname === prefix || pathname.startsWith(`${prefix}/`));
+}
+/**
+ * Build a fetch handler that serves the Mzizi MCP over Streamable HTTP.
+ * Stateless — each request creates a fresh transport + server pair.
+ */
+export function createMziziHttpHandler(options = {}) {
+    const config = options.supabaseConfig ?? { auth: "none", cors: false };
+    return async function handle(request) {
+        if (request.method === "OPTIONS") {
+            return new Response(null, { status: 204, headers: CORS_HEADERS });
+        }
+        // Answer auth-discovery probes with 404 so compliant MCP clients fall back
+        // to anonymous access. Without this the request reaches the Streamable HTTP
+        // transport, which rejects a discovery GET (no `text/event-stream` Accept)
+        // with a 406 — a response clients can't read as auth metadata, so they
+        // abort the connection instead of connecting unauthenticated.
+        if (isOAuthDiscoveryPath(new URL(request.url).pathname)) {
+            return withCors(new Response("Not Found", { status: 404 }));
+        }
+        const { data: ctx, error } = await createSupabaseContext(request, config);
+        if (error || !ctx) {
+            return withCors(Response.json({ error: error?.message ?? "Failed to create Supabase context" }, { status: error?.status ?? 500 }));
+        }
+        const transport = new WebStandardStreamableHTTPServerTransport({
+            sessionIdGenerator: undefined,
+            enableJsonResponse: true,
+        });
+        const server = await createMziziMcpServer(ctx.supabase);
+        await server.connect(transport);
+        const response = await transport.handleRequest(request);
+        return withCors(response);
+    };
+}
+//# sourceMappingURL=http.js.map

package/dist/http.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"http.js","sourceRoot":"","sources":["../src/http.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,wCAAwC,EAAE,MAAM,+DAA+D,CAAA;AACxH,OAAO,EAAE,qBAAqB,EAA2B,MAAM,kBAAkB,CAAA;AACjF,OAAO,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAA;AAElD,MAAM,YAAY,GAAG;IACnB,6BAA6B,EAAE,GAAG;IAClC,8BAA8B,EAAE,4BAA4B;IAC5D,8BAA8B,EAAE,4DAA4D;CAC7F,CAAA;AAED,SAAS,QAAQ,CAAC,QAAkB;IAClC,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAA;IAC7C,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC;QAAE,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAA;IAChF,OAAO,IAAI,QAAQ,CAAC,QAAQ,CAAC,IAAI,EAAE;QACjC,MAAM,EAAE,QAAQ,CAAC,MAAM;QACvB,UAAU,EAAE,QAAQ,CAAC,UAAU;QAC/B,OAAO;KACR,CAAC,CAAA;AACJ,CAAC;AAED,2EAA2E;AAC3E,0EAA0E;AAC1E,uEAAuE;AACvE,6EAA6E;AAC7E,2EAA2E;AAC3E,MAAM,wBAAwB,GAAG;IAC/B,uCAAuC;IACvC,yCAAyC;IACzC,mCAAmC;CACpC,CAAA;AAED,SAAS,oBAAoB,CAAC,QAAgB;IAC5C,OAAO,wBAAwB,CAAC,IAAI,CAClC,CAAC,MAAM,EAAE,EAAE,CAAC,QAAQ,KAAK,MAAM,IAAI,QAAQ,CAAC,UAAU,CAAC,GAAG,MAAM,GAAG,CAAC,CACrE,CAAA;AACH,CAAC;AAUD;;;GAGG;AACH,MAAM,UAAU,sBAAsB,CAAC,UAA8B,EAAE;IACrE,MAAM,MAAM,GAAuB,OAAO,CAAC,cAAc,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,CAAA;IAE1F,OAAO,KAAK,UAAU,MAAM,CAAC,OAAgB;QAC3C,IAAI,OAAO,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;YACjC,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,YAAY,EAAE,CAAC,CAAA;QACnE,CAAC;QACD,2EAA2E;QAC3E,4EAA4E;QAC5E,2EAA2E;QAC3E,uEAAuE;QACvE,8DAA8D;QAC9D,IAAI,oBAAoB,CAAC,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC;YACxD,OAAO,QAAQ,CAAC,IAAI,QAAQ,CAAC,WAAW,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC,CAAA;QAC7D,CAAC;QACD,MAAM,EAAE,IAAI,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,MAAM,qBAAqB,CAAC,OAAO,EAAE,MAAM,CAAC,CAAA;QACzE,IAAI,KAAK,IAAI,CAAC,GAAG,EAAE,CAAC;YAClB,OAAO,QAAQ,CACb,QAAQ,CAAC,IAAI,CACX,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,IAAI,mCAAmC,EAAE,EAChE,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,IAAI,GAAG,EAAE,CACjC,CACF,CAAA;QACH,CAAC;QACD,MAAM,SAAS,GAAG,IAAI,wCAAwC,CAAC;YAC7D,kBAAkB,EAAE,SAAS;YAC7B,kBAAkB,EAAE,IAAI;SACzB,CAAC,CAAA;QACF,MAAM,MAAM,GAAG,MAAM,oBAAoB,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;QACvD,MAAM,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAA;QAC/B,MAAM,QAAQ,GAAG,MAAM,SAAS,CAAC,aAAa,CAAC,OAAO,CAAC,CAAA;QACvD,OAAO,QAAQ,CAAC,QAAQ,CAAC,CAAA;IAC3B,CAAC,CAAA;AACH,CAAC"}

package/dist/server.d.ts ADDED Viewed

@@ -0,0 +1,33 @@
+/**
+ * Mzizi MCP — registry-driven server factory.
+ *
+ * The tool surface is NOT hardcoded. It is read at startup from the public
+ * `mcp_tool_registry` table (the same registry that powers the design system's
+ * MCP), and each tool is dispatched dynamically to its backing implementation:
+ *
+ *   • `sql_function`  → `supabase.rpc(fn, args)`   (the common case)
+ *   • `edge_function` → `supabase.functions.invoke(fn, { body: args })`
+ *   • `source_table`  → `supabase.from(table).select()` (fallback)
+ *
+ * This makes mzizi-mcp a drop-in replacement for the legacy design MCP: adding,
+ * renaming, or retiring a tool is a registry edit, not a code change. Argument
+ * names in the registry's `input_schema` (and in the curated fallback schemas
+ * below) match the SQL function parameters exactly, so arguments pass straight
+ * through to `rpc()` with no remapping.
+ *
+ * The factory takes a pre-built `SupabaseClient` so the same factory works
+ * across transports (HTTP per-request anon client; stdio long-lived anon
+ * client). RLS grants public read on `mcp_tool_registry`, `component_documents`,
+ * and EXECUTE on the document/registry RPCs.
+ */
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import type { SupabaseClient } from "@supabase/supabase-js";
+export declare const MZIZI_MCP_VERSION = "0.3.0";
+/**
+ * Build the Mzizi MCP server bound to a Supabase client with public read on
+ * `mcp_tool_registry` / `component_documents` and EXECUTE on the backing RPCs.
+ * The tool catalog is loaded from the registry; write-kind tools are excluded
+ * from this (anonymous, public) surface.
+ */
+export declare function createMziziMcpServer(supabase: SupabaseClient): Promise<McpServer>;
+//# sourceMappingURL=server.d.ts.map

package/dist/server.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../src/server.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AAEH,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAA;AAMnE,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAA;AAE3D,eAAO,MAAM,iBAAiB,UAAU,CAAA;AAiGxC;;;;;GAKG;AACH,wBAAsB,oBAAoB,CAAC,QAAQ,EAAE,cAAc,GAAG,OAAO,CAAC,SAAS,CAAC,CAqLvF"}