@portel/photon 1.33.0 → 1.33.1

package/README.md

@@ -550,6 +550,8 @@ Uses Bun's compiler under the hood. The binary bundles the photon, its `@depende
 | `@param ... {@format email}` | Param | Input validation and field type |
 | `@param ... {@min N} {@max N}` | Param | Numeric range constraints |
 | `@ui` | Class/Method | Link a custom HTML template |
+| `@auth` | Class | Require or describe MCP authentication and populate `this.caller` |
+| `@scope` | Method | Override the inferred OAuth scope for a protected MCP tool call |
 | `@expose` | Method | Auto-bind to `POST /api/<kebab>` for SPA fetch (`public` skips the SameSite gate) |
 | `@get /path` | Method | HTTP-only GET route; shown as a web app in Beam, not an MCP tool. Supports `:param` segments |
 | `@post /path` | Method | HTTP-only POST route; shown as a web app in Beam, not an MCP tool. Supports `:param` segments |
@@ -574,6 +576,7 @@ Uses Bun's compiler under the hood. The binary bundles the photon, its `@depende
 |---|---|
 | [Getting Started](./docs/getting-started.md) | Install, build, and run your first photon in 5 minutes |
 | [Core Concepts](./docs/concepts.md) | The 6 ideas behind Photon |
+| [Tag Reference](./docs/reference/DOCBLOCK-TAGS.md) | Public reference for every docblock tag Photon understands |
 | [Output Formats](./docs/formats.md) | Visual gallery of every `@format` type |
 | [Intent Metadata](./docs/reference/INTENT-METADATA.md) | How comments, schemas, annotations, and formats map to native surfaces |
 | [Settings](./docs/GUIDE.md#settings-user-configurable-knobs) | Declare runtime knobs with `protected settings` (the canonical config pattern) |
@@ -585,6 +588,7 @@ Uses Bun's compiler under the hood. The binary bundles the photon, its `@depende
 |---|---|
 | [Custom UI](./docs/guides/CUSTOM-UI.md) | Build rich interactive interfaces with the photon bridge API |
 | [OAuth](./docs/guides/AUTH.md) | Built-in OAuth 2.0 with Google, GitHub, Microsoft |
+| [MCP JWT Auth](./docs/guides/MCP-JWT-AUTH.md) | Secure deployed MCP tool calls with short-lived scoped JWTs |
 | [MCP Client Registration](./docs/guides/mcp-client-registration.md) | Register MCP clients with Photon's AS via CIMD or DCR |
 | [Observability](./docs/guides/observability.md) | OpenTelemetry traces, metrics, logs, and structured errors |
 | [Protocol Features](./docs/guides/PROTOCOL-FEATURES.md) | Capability handshake, structured errors, trace correlation |
@@ -603,7 +607,7 @@ Uses Bun's compiler under the hood. The binary bundles the photon, its `@depende
 | [Marketplace Publishing](./docs/guides/MARKETPLACE-PUBLISHING.md) | Create and share team marketplaces |
 | [Best Practices](./docs/guides/BEST-PRACTICES.md) | Patterns for production photons |
 
-**Reference:** [Complete Developer Guide](./docs/GUIDE.md) · [Tag Reference](./docs/reference/DOCBLOCK-TAGS.md) · [Naming Conventions](./docs/guides/NAMING-CONVENTIONS.md) · [Architecture](./docs/internals/ARCHITECTURE.md) · [OAuth Authorization Server](./docs/internals/OAUTH-AUTHORIZATION-SERVER.md) · [Lifecycle & Ingress](./docs/internals/LIFECYCLE-AND-INGRESS.md) · [PHOTON_DIR & Namespace](./docs/internals/PHOTON-DIR-AND-NAMESPACE.md) · [Changelog](./CHANGELOG.md) · [Contributing](./CONTRIBUTING.md)
+**Reference:** [Complete Developer Guide](./docs/GUIDE.md) · [Tag Reference](./docs/reference/DOCBLOCK-TAGS.md) · [Naming Conventions](./docs/guides/NAMING-CONVENTIONS.md) · [Architecture](./docs/internals/ARCHITECTURE.md) · [Lifecycle & Ingress](./docs/internals/LIFECYCLE-AND-INGRESS.md) · [PHOTON_DIR & Namespace](./docs/internals/PHOTON-DIR-AND-NAMESPACE.md) · [Changelog](./CHANGELOG.md) · [Contributing](./CONTRIBUTING.md)
 
 ---
 

package/dist/auth/mcp-jwt.d.ts

@@ -0,0 +1,59 @@
+import { type JsonWebKey } from 'node:crypto';
+export interface PhotonAuthIssuer {
+    issuer: string;
+    algorithm: 'ES256';
+    kid: string;
+    defaultTtlSeconds: number;
+}
+export interface PhotonAuthTokenOptions {
+    agent: string;
+    audience: string;
+    tenant?: string;
+    scopes?: string[];
+    ttlSeconds?: number;
+    now?: Date;
+    jti?: string;
+}
+export interface PhotonAuthVerifyOptions {
+    issuer: string;
+    audience: string;
+    jwks: {
+        keys: JsonWebKey[];
+    };
+    now?: Date;
+    clockSkewSeconds?: number;
+    requiredScopes?: string[];
+}
+export type PhotonJwtVerifyReason = 'missing_token' | 'malformed_token' | 'unsupported_alg' | 'unknown_kid' | 'bad_signature' | 'expired_token' | 'token_not_yet_valid' | 'wrong_issuer' | 'wrong_audience' | 'insufficient_scope' | 'tenant_mismatch';
+export interface PhotonJwtClaims {
+    iss: string;
+    sub: string;
+    aud: string | string[];
+    tenant_id: string;
+    client_id: string;
+    scope?: string;
+    iat: number;
+    nbf: number;
+    exp: number;
+    jti: string;
+    [key: string]: unknown;
+}
+export type PhotonJwtVerifyResult = {
+    ok: true;
+    claims: PhotonJwtClaims;
+} | {
+    ok: false;
+    reason: PhotonJwtVerifyReason;
+};
+export declare function createPhotonAuthKeypair(name: string, now?: Date): {
+    issuer: PhotonAuthIssuer;
+    privateJwk: JsonWebKey;
+    publicJwk: JsonWebKey;
+    jwks: {
+        keys: JsonWebKey[];
+    };
+};
+export declare function signPhotonAuthToken(issuer: PhotonAuthIssuer, privateJwk: JsonWebKey, options: PhotonAuthTokenOptions): string;
+export declare function verifyPhotonAuthToken(token: string | null | undefined, options: PhotonAuthVerifyOptions): PhotonJwtVerifyResult;
+export declare function normalizeScopes(scopes: string[]): string[];
+//# sourceMappingURL=mcp-jwt.d.ts.map

package/dist/auth/mcp-jwt.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"mcp-jwt.d.ts","sourceRoot":"","sources":["../../src/auth/mcp-jwt.ts"],"names":[],"mappings":"AAAA,OAAO,EAOL,KAAK,UAAU,EAChB,MAAM,aAAa,CAAC;AAErB,MAAM,WAAW,gBAAgB;IAC/B,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,OAAO,CAAC;IACnB,GAAG,EAAE,MAAM,CAAC;IACZ,iBAAiB,EAAE,MAAM,CAAC;CAC3B;AAED,MAAM,WAAW,sBAAsB;IACrC,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,GAAG,CAAC,EAAE,IAAI,CAAC;IACX,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,uBAAuB;IACtC,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE;QAAE,IAAI,EAAE,UAAU,EAAE,CAAA;KAAE,CAAC;IAC7B,GAAG,CAAC,EAAE,IAAI,CAAC;IACX,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;CAC3B;AAED,MAAM,MAAM,qBAAqB,GAC7B,eAAe,GACf,iBAAiB,GACjB,iBAAiB,GACjB,aAAa,GACb,eAAe,GACf,eAAe,GACf,qBAAqB,GACrB,cAAc,GACd,gBAAgB,GAChB,oBAAoB,GACpB,iBAAiB,CAAC;AAEtB,MAAM,WAAW,eAAe;IAC9B,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IACvB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED,MAAM,MAAM,qBAAqB,GAC7B;IAAE,EAAE,EAAE,IAAI,CAAC;IAAC,MAAM,EAAE,eAAe,CAAA;CAAE,GACrC;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,MAAM,EAAE,qBAAqB,CAAA;CAAE,CAAC;AAEjD,wBAAgB,uBAAuB,CACrC,IAAI,EAAE,MAAM,EACZ,GAAG,OAAa,GACf;IACD,MAAM,EAAE,gBAAgB,CAAC;IACzB,UAAU,EAAE,UAAU,CAAC;IACvB,SAAS,EAAE,UAAU,CAAC;IACtB,IAAI,EAAE;QAAE,IAAI,EAAE,UAAU,EAAE,CAAA;KAAE,CAAC;CAC9B,CAsBA;AAED,wBAAgB,mBAAmB,CACjC,MAAM,EAAE,gBAAgB,EACxB,UAAU,EAAE,UAAU,EACtB,OAAO,EAAE,sBAAsB,GAC9B,MAAM,CAiBR;AAED,wBAAgB,qBAAqB,CACnC,KAAK,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,EAChC,OAAO,EAAE,uBAAuB,GAC/B,qBAAqB,CA4CvB;AAED,wBAAgB,eAAe,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,EAAE,CAY1D"}

package/dist/auth/mcp-jwt.js

@@ -0,0 +1,177 @@
+import { createPrivateKey, createPublicKey, createSign, createVerify, generateKeyPairSync, randomBytes, } from 'node:crypto';
+export function createPhotonAuthKeypair(name, now = new Date()) {
+    const date = now.toISOString().slice(0, 10);
+    const kid = `${name}-${date}`;
+    const { privateKey, publicKey } = generateKeyPairSync('ec', { namedCurve: 'P-256' });
+    const privateJwk = privateKey.export({ format: 'jwk' });
+    const publicJwk = publicKey.export({ format: 'jwk' });
+    for (const jwk of [privateJwk, publicJwk]) {
+        jwk.alg = 'ES256';
+        jwk.kid = kid;
+        jwk.use = 'sig';
+    }
+    return {
+        issuer: {
+            issuer: `photon-local:${name}`,
+            algorithm: 'ES256',
+            kid,
+            defaultTtlSeconds: 15 * 60,
+        },
+        privateJwk,
+        publicJwk,
+        jwks: { keys: [publicJwk] },
+    };
+}
+export function signPhotonAuthToken(issuer, privateJwk, options) {
+    const nowSec = Math.floor((options.now?.getTime() ?? Date.now()) / 1000);
+    const ttl = options.ttlSeconds ?? issuer.defaultTtlSeconds;
+    const scopes = normalizeScopes(options.scopes ?? []);
+    const payload = {
+        iss: issuer.issuer,
+        sub: `agent:${options.agent}`,
+        aud: options.audience,
+        tenant_id: options.tenant ?? 'default',
+        client_id: options.agent,
+        ...(scopes.length > 0 ? { scope: scopes.join(' ') } : {}),
+        iat: nowSec,
+        nbf: nowSec,
+        exp: nowSec + ttl,
+        jti: options.jti ?? `tok_${randomBytes(16).toString('base64url')}`,
+    };
+    return signJwt(payload, privateJwk, issuer.kid);
+}
+export function verifyPhotonAuthToken(token, options) {
+    if (!token)
+        return { ok: false, reason: 'missing_token' };
+    const parts = token.split('.');
+    if (parts.length !== 3)
+        return { ok: false, reason: 'malformed_token' };
+    let header;
+    let claims;
+    try {
+        header = JSON.parse(base64UrlDecode(parts[0]));
+        claims = JSON.parse(base64UrlDecode(parts[1]));
+    }
+    catch {
+        return { ok: false, reason: 'malformed_token' };
+    }
+    if (header.alg !== 'ES256')
+        return { ok: false, reason: 'unsupported_alg' };
+    const kid = typeof header.kid === 'string' ? header.kid : '';
+    const jwk = options.jwks.keys.find((key) => key.kid === kid);
+    if (!kid || !jwk)
+        return { ok: false, reason: 'unknown_kid' };
+    if (!verifyJwtSignature(parts, jwk))
+        return { ok: false, reason: 'bad_signature' };
+    if (claims.iss !== options.issuer)
+        return { ok: false, reason: 'wrong_issuer' };
+    const audMatches = Array.isArray(claims.aud)
+        ? claims.aud.includes(options.audience)
+        : claims.aud === options.audience;
+    if (!audMatches)
+        return { ok: false, reason: 'wrong_audience' };
+    const now = Math.floor((options.now?.getTime() ?? Date.now()) / 1000);
+    const skew = options.clockSkewSeconds ?? 60;
+    if (typeof claims.exp !== 'number' || claims.exp < now - skew) {
+        return { ok: false, reason: 'expired_token' };
+    }
+    if (typeof claims.nbf === 'number' && claims.nbf > now + skew) {
+        return { ok: false, reason: 'token_not_yet_valid' };
+    }
+    if (typeof claims.iat === 'number' && claims.iat > now + skew) {
+        return { ok: false, reason: 'token_not_yet_valid' };
+    }
+    const required = normalizeScopes(options.requiredScopes ?? []);
+    if (required.length > 0) {
+        const granted = new Set(normalizeScopes((claims.scope ?? '').split(/\s+/)));
+        for (const scope of required) {
+            if (!granted.has(scope))
+                return { ok: false, reason: 'insufficient_scope' };
+        }
+    }
+    return { ok: true, claims };
+}
+export function normalizeScopes(scopes) {
+    const out = [];
+    const seen = new Set();
+    for (const raw of scopes) {
+        for (const scope of raw.split(/\s+/)) {
+            const trimmed = scope.trim();
+            if (!trimmed || seen.has(trimmed))
+                continue;
+            seen.add(trimmed);
+            out.push(trimmed);
+        }
+    }
+    return out;
+}
+function signJwt(payload, privateJwk, kid) {
+    const header = { alg: 'ES256', typ: 'JWT', kid };
+    const input = `${base64UrlEncode(JSON.stringify(header))}.${base64UrlEncode(JSON.stringify(payload))}`;
+    const key = createPrivateKey({ key: privateJwk, format: 'jwk' });
+    const signer = createSign('sha256');
+    signer.update(input);
+    signer.end();
+    const der = signer.sign(key);
+    return `${input}.${derToP1363(der, 32).toString('base64url')}`;
+}
+function verifyJwtSignature(parts, publicJwk) {
+    try {
+        const key = createPublicKey({ key: publicJwk, format: 'jwk' });
+        const verifier = createVerify('sha256');
+        verifier.update(`${parts[0]}.${parts[1]}`);
+        verifier.end();
+        return verifier.verify(key, p1363ToDer(Buffer.from(parts[2], 'base64url')));
+    }
+    catch {
+        return false;
+    }
+}
+function base64UrlEncode(str) {
+    return Buffer.from(str, 'utf-8').toString('base64url');
+}
+function base64UrlDecode(str) {
+    return Buffer.from(str, 'base64url').toString('utf-8');
+}
+function derToP1363(der, componentLen) {
+    if (der[0] !== 0x30)
+        throw new Error('invalid DER signature');
+    let offset = 2;
+    if ((der[1] & 0x80) !== 0)
+        offset += der[1] & 0x7f;
+    const readInt = () => {
+        if (der[offset] !== 0x02)
+            throw new Error('invalid DER signature');
+        const len = der[offset + 1];
+        const start = offset + 2;
+        let value = der.subarray(start, start + len);
+        offset = start + len;
+        while (value.length > 1 && value[0] === 0x00)
+            value = value.subarray(1);
+        if (value.length > componentLen)
+            throw new Error('ECDSA component overflow');
+        return value;
+    };
+    const r = readInt();
+    const s = readInt();
+    const out = Buffer.alloc(componentLen * 2);
+    r.copy(out, componentLen - r.length);
+    s.copy(out, componentLen * 2 - s.length);
+    return out;
+}
+function p1363ToDer(p1363) {
+    if (p1363.length % 2 !== 0)
+        throw new Error('invalid P1363 signature');
+    const half = p1363.length / 2;
+    const encodeInt = (value) => {
+        let v = value;
+        while (v.length > 1 && v[0] === 0x00)
+            v = v.subarray(1);
+        if ((v[0] & 0x80) !== 0)
+            v = Buffer.concat([Buffer.from([0x00]), v]);
+        return Buffer.concat([Buffer.from([0x02, v.length]), v]);
+    };
+    const body = Buffer.concat([encodeInt(p1363.subarray(0, half)), encodeInt(p1363.subarray(half))]);
+    return Buffer.concat([Buffer.from([0x30, body.length]), body]);
+}
+//# sourceMappingURL=mcp-jwt.js.map

package/dist/auth/mcp-jwt.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"mcp-jwt.js","sourceRoot":"","sources":["../../src/auth/mcp-jwt.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,gBAAgB,EAChB,eAAe,EACf,UAAU,EACV,YAAY,EACZ,mBAAmB,EACnB,WAAW,GAEZ,MAAM,aAAa,CAAC;AA2DrB,MAAM,UAAU,uBAAuB,CACrC,IAAY,EACZ,GAAG,GAAG,IAAI,IAAI,EAAE;IAOhB,MAAM,IAAI,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAC5C,MAAM,GAAG,GAAG,GAAG,IAAI,IAAI,IAAI,EAAE,CAAC;IAC9B,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,GAAG,mBAAmB,CAAC,IAAI,EAAE,EAAE,UAAU,EAAE,OAAO,EAAE,CAAC,CAAC;IACrF,MAAM,UAAU,GAAG,UAAU,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;IACxD,MAAM,SAAS,GAAG,SAAS,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;IACtD,KAAK,MAAM,GAAG,IAAI,CAAC,UAAU,EAAE,SAAS,CAAC,EAAE,CAAC;QAC1C,GAAG,CAAC,GAAG,GAAG,OAAO,CAAC;QAClB,GAAG,CAAC,GAAG,GAAG,GAAG,CAAC;QACd,GAAG,CAAC,GAAG,GAAG,KAAK,CAAC;IAClB,CAAC;IACD,OAAO;QACL,MAAM,EAAE;YACN,MAAM,EAAE,gBAAgB,IAAI,EAAE;YAC9B,SAAS,EAAE,OAAO;YAClB,GAAG;YACH,iBAAiB,EAAE,EAAE,GAAG,EAAE;SAC3B;QACD,UAAU;QACV,SAAS;QACT,IAAI,EAAE,EAAE,IAAI,EAAE,CAAC,SAAS,CAAC,EAAE;KAC5B,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,mBAAmB,CACjC,MAAwB,EACxB,UAAsB,EACtB,OAA+B;IAE/B,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,GAAG,EAAE,OAAO,EAAE,IAAI,IAAI,CAAC,GAAG,EAAE,CAAC,GAAG,IAAI,CAAC,CAAC;IACzE,MAAM,GAAG,GAAG,OAAO,CAAC,UAAU,IAAI,MAAM,CAAC,iBAAiB,CAAC;IAC3D,MAAM,MAAM,GAAG,eAAe,CAAC,OAAO,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC;IACrD,MAAM,OAAO,GAAoB;QAC/B,GAAG,EAAE,MAAM,CAAC,MAAM;QAClB,GAAG,EAAE,SAAS,OAAO,CAAC,KAAK,EAAE;QAC7B,GAAG,EAAE,OAAO,CAAC,QAAQ;QACrB,SAAS,EAAE,OAAO,CAAC,MAAM,IAAI,SAAS;QACtC,SAAS,EAAE,OAAO,CAAC,KAAK;QACxB,GAAG,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACzD,GAAG,EAAE,MAAM;QACX,GAAG,EAAE,MAAM;QACX,GAAG,EAAE,MAAM,GAAG,GAAG;QACjB,GAAG,EAAE,OAAO,CAAC,GAAG,IAAI,OAAO,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE;KACnE,CAAC;IACF,OAAO,OAAO,CAAC,OAAO,EAAE,UAAU,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC;AAClD,CAAC;AAED,MAAM,UAAU,qBAAqB,CACnC,KAAgC,EAChC,OAAgC;IAEhC,IAAI,CAAC,KAAK;QAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC;IAC1D,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,iBAAiB,EAAE,CAAC;IACxE,IAAI,MAA+B,CAAC;IACpC,IAAI,MAAuB,CAAC;IAC5B,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QAC/C,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACjD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,iBAAiB,EAAE,CAAC;IAClD,CAAC;IACD,IAAI,MAAM,CAAC,GAAG,KAAK,OAAO;QAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,iBAAiB,EAAE,CAAC;IAC5E,MAAM,GAAG,GAAG,OAAO,MAAM,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;IAC7D,MAAM,GAAG,GAAG,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,GAAG,KAAK,GAAG,CAAC,CAAC;IAC7D,IAAI,CAAC,GAAG,IAAI,CAAC,GAAG;QAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,aAAa,EAAE,CAAC;IAC9D,IAAI,CAAC,kBAAkB,CAAC,KAAK,EAAE,GAAG,CAAC;QAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC;IACnF,IAAI,MAAM,CAAC,GAAG,KAAK,OAAO,CAAC,MAAM;QAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,cAAc,EAAE,CAAC;IAChF,MAAM,UAAU,GAAG,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC;QAC1C,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,QAAQ,CAAC;QACvC,CAAC,CAAC,MAAM,CAAC,GAAG,KAAK,OAAO,CAAC,QAAQ,CAAC;IACpC,IAAI,CAAC,UAAU;QAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,gBAAgB,EAAE,CAAC;IAEhE,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,GAAG,EAAE,OAAO,EAAE,IAAI,IAAI,CAAC,GAAG,EAAE,CAAC,GAAG,IAAI,CAAC,CAAC;IACtE,MAAM,IAAI,GAAG,OAAO,CAAC,gBAAgB,IAAI,EAAE,CAAC;IAC5C,IAAI,OAAO,MAAM,CAAC,GAAG,KAAK,QAAQ,IAAI,MAAM,CAAC,GAAG,GAAG,GAAG,GAAG,IAAI,EAAE,CAAC;QAC9D,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC;IAChD,CAAC;IACD,IAAI,OAAO,MAAM,CAAC,GAAG,KAAK,QAAQ,IAAI,MAAM,CAAC,GAAG,GAAG,GAAG,GAAG,IAAI,EAAE,CAAC;QAC9D,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,qBAAqB,EAAE,CAAC;IACtD,CAAC;IACD,IAAI,OAAO,MAAM,CAAC,GAAG,KAAK,QAAQ,IAAI,MAAM,CAAC,GAAG,GAAG,GAAG,GAAG,IAAI,EAAE,CAAC;QAC9D,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,qBAAqB,EAAE,CAAC;IACtD,CAAC;IAED,MAAM,QAAQ,GAAG,eAAe,CAAC,OAAO,CAAC,cAAc,IAAI,EAAE,CAAC,CAAC;IAC/D,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxB,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,eAAe,CAAC,CAAC,MAAM,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QAC5E,KAAK,MAAM,KAAK,IAAI,QAAQ,EAAE,CAAC;YAC7B,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC;gBAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,oBAAoB,EAAE,CAAC;QAC9E,CAAC;IACH,CAAC;IAED,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;AAC9B,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,MAAgB;IAC9C,MAAM,GAAG,GAAa,EAAE,CAAC;IACzB,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAC/B,KAAK,MAAM,GAAG,IAAI,MAAM,EAAE,CAAC;QACzB,KAAK,MAAM,KAAK,IAAI,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC;YACrC,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;YAC7B,IAAI,CAAC,OAAO,IAAI,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC;gBAAE,SAAS;YAC5C,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;YAClB,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACpB,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,OAAO,CAAC,OAAgC,EAAE,UAAsB,EAAE,GAAW;IACpF,MAAM,MAAM,GAAG,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC;IACjD,MAAM,KAAK,GAAG,GAAG,eAAe,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,IAAI,eAAe,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC;IACvG,MAAM,GAAG,GAAG,gBAAgB,CAAC,EAAE,GAAG,EAAE,UAAU,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;IACjE,MAAM,MAAM,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC;IACpC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACrB,MAAM,CAAC,GAAG,EAAE,CAAC;IACb,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC7B,OAAO,GAAG,KAAK,IAAI,UAAU,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;AACjE,CAAC;AAED,SAAS,kBAAkB,CAAC,KAAe,EAAE,SAAqB;IAChE,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,eAAe,CAAC,EAAE,GAAG,EAAE,SAAS,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;QAC/D,MAAM,QAAQ,GAAG,YAAY,CAAC,QAAQ,CAAC,CAAC;QACxC,QAAQ,CAAC,MAAM,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;QAC3C,QAAQ,CAAC,GAAG,EAAE,CAAC;QACf,OAAO,QAAQ,CAAC,MAAM,CAAC,GAAG,EAAE,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,WAAW,CAAC,CAAC,CAAC,CAAC;IAC9E,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,SAAS,eAAe,CAAC,GAAW;IAClC,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AACzD,CAAC;AAED,SAAS,eAAe,CAAC,GAAW;IAClC,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;AACzD,CAAC;AAED,SAAS,UAAU,CAAC,GAAW,EAAE,YAAoB;IACnD,IAAI,GAAG,CAAC,CAAC,CAAC,KAAK,IAAI;QAAE,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;IAC9D,IAAI,MAAM,GAAG,CAAC,CAAC;IACf,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC;QAAE,MAAM,IAAI,GAAG,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC;IACnD,MAAM,OAAO,GAAG,GAAW,EAAE;QAC3B,IAAI,GAAG,CAAC,MAAM,CAAC,KAAK,IAAI;YAAE,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;QACnE,MAAM,GAAG,GAAG,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;QAC5B,MAAM,KAAK,GAAG,MAAM,GAAG,CAAC,CAAC;QACzB,IAAI,KAAK,GAAG,GAAG,CAAC,QAAQ,CAAC,KAAK,EAAE,KAAK,GAAG,GAAG,CAAC,CAAC;QAC7C,MAAM,GAAG,KAAK,GAAG,GAAG,CAAC;QACrB,OAAO,KAAK,CAAC,MAAM,GAAG,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,IAAI;YAAE,KAAK,GAAG,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC;QACxE,IAAI,KAAK,CAAC,MAAM,GAAG,YAAY;YAAE,MAAM,IAAI,KAAK,CAAC,0BAA0B,CAAC,CAAC;QAC7E,OAAO,KAAK,CAAC;IACf,CAAC,CAAC;IACF,MAAM,CAAC,GAAG,OAAO,EAAE,CAAC;IACpB,MAAM,CAAC,GAAG,OAAO,EAAE,CAAC;IACpB,MAAM,GAAG,GAAG,MAAM,CAAC,KAAK,CAAC,YAAY,GAAG,CAAC,CAAC,CAAC;IAC3C,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,YAAY,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC;IACrC,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,YAAY,GAAG,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC;IACzC,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,UAAU,CAAC,KAAa;IAC/B,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,KAAK,CAAC;QAAE,MAAM,IAAI,KAAK,CAAC,yBAAyB,CAAC,CAAC;IACvE,MAAM,IAAI,GAAG,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC;IAC9B,MAAM,SAAS,GAAG,CAAC,KAAa,EAAU,EAAE;QAC1C,IAAI,CAAC,GAAG,KAAK,CAAC;QACd,OAAO,CAAC,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,IAAI;YAAE,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC;QACxD,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC;YAAE,CAAC,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;QACrE,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;IAC3D,CAAC,CAAC;IACF,MAAM,IAAI,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,SAAS,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC,EAAE,SAAS,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;IAClG,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC,CAAC;AACjE,CAAC"}

package/dist/auto-ui/beam.d.ts

@@ -16,6 +16,7 @@ export declare function shouldServeLinkedAppForWebPath(pathname: string, searchP
 export declare function selectClientAppUi(photonInfo: PhotonInfo | undefined): string | undefined;
 export declare function shouldFallbackToClientAppForWebPath(pathname: string, searchParams: URLSearchParams, route: BeamWebRouteDef | undefined): boolean;
 export declare function findBeamWebRoute(routes: BeamWebRouteDef[] | undefined, method: string, requestPath: string): BeamWebRouteDef | undefined;
+export declare function rewriteBeamWebRedirectLocation(location: string | null, prefix: string, requestOrigin: string): string | null;
 import type { PhotonInfo } from './types.js';
 export type { PhotonConfig } from './beam/types.js';
 export type { BeamState } from './beam/types.js';

package/dist/auto-ui/beam.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"beam.d.ts","sourceRoot":"","sources":["../../src/auto-ui/beam.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAgEH,MAAM,WAAW,eAAe;IAC9B,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAQD,wBAAgB,mBAAmB,CAAC,SAAS,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,OAAO,CAenF;AAYD,wBAAgB,8BAA8B,CAC5C,QAAQ,EAAE,MAAM,EAChB,YAAY,EAAE,eAAe,GAC5B,OAAO,CAIT;AAUD,wBAAgB,iBAAiB,CAAC,UAAU,EAAE,UAAU,GAAG,SAAS,GAAG,MAAM,GAAG,SAAS,CAmBxF;AAED,wBAAgB,mCAAmC,CACjD,QAAQ,EAAE,MAAM,EAChB,YAAY,EAAE,eAAe,EAC7B,KAAK,EAAE,eAAe,GAAG,SAAS,GACjC,OAAO,CAIT;AAED,wBAAgB,gBAAgB,CAC9B,MAAM,EAAE,eAAe,EAAE,GAAG,SAAS,EACrC,MAAM,EAAE,MAAM,EACd,WAAW,EAAE,MAAM,GAClB,eAAe,GAAG,SAAS,CAO7B;AA4GD,OAAO,KAAK,EACV,UAAU,EAKX,MAAM,YAAY,CAAC;AAsCpB,YAAY,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AACpD,YAAY,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAqYjD,wBAAsB,SAAS,CAAC,aAAa,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CA05FlF;AAED;;;GAGG;AACH,wBAAsB,QAAQ,IAAI,OAAO,CAAC,IAAI,CAAC,CAM9C"}
+{"version":3,"file":"beam.d.ts","sourceRoot":"","sources":["../../src/auto-ui/beam.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAgEH,MAAM,WAAW,eAAe;IAC9B,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAQD,wBAAgB,mBAAmB,CAAC,SAAS,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,OAAO,CAenF;AAYD,wBAAgB,8BAA8B,CAC5C,QAAQ,EAAE,MAAM,EAChB,YAAY,EAAE,eAAe,GAC5B,OAAO,CAIT;AAUD,wBAAgB,iBAAiB,CAAC,UAAU,EAAE,UAAU,GAAG,SAAS,GAAG,MAAM,GAAG,SAAS,CAmBxF;AAED,wBAAgB,mCAAmC,CACjD,QAAQ,EAAE,MAAM,EAChB,YAAY,EAAE,eAAe,EAC7B,KAAK,EAAE,eAAe,GAAG,SAAS,GACjC,OAAO,CAIT;AAED,wBAAgB,gBAAgB,CAC9B,MAAM,EAAE,eAAe,EAAE,GAAG,SAAS,EACrC,MAAM,EAAE,MAAM,EACd,WAAW,EAAE,MAAM,GAClB,eAAe,GAAG,SAAS,CAO7B;AAwCD,wBAAgB,8BAA8B,CAC5C,QAAQ,EAAE,MAAM,GAAG,IAAI,EACvB,MAAM,EAAE,MAAM,EACd,aAAa,EAAE,MAAM,GACpB,MAAM,GAAG,IAAI,CAaf;AAsED,OAAO,KAAK,EACV,UAAU,EAKX,MAAM,YAAY,CAAC;AAsCpB,YAAY,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AACpD,YAAY,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAqYjD,wBAAsB,SAAS,CAAC,aAAa,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAi7FlF;AAED;;;GAGG;AACH,wBAAsB,QAAQ,IAAI,OAAO,CAAC,IAAI,CAAC,CAM9C"}

package/dist/auto-ui/beam.js

@@ -165,6 +165,22 @@ async function writeFetchResponseToNode(response, res) {
         res.off('close', cancelReader);
     }
 }
+export function rewriteBeamWebRedirectLocation(location, prefix, requestOrigin) {
+    if (!location)
+        return null;
+    try {
+        const target = new URL(location, requestOrigin);
+        if (target.origin !== requestOrigin)
+            return location;
+        if (target.pathname === prefix || target.pathname.startsWith(`${prefix}/`)) {
+            return target.pathname + target.search + target.hash;
+        }
+        return `${prefix}${target.pathname}${target.search}${target.hash}`;
+    }
+    catch {
+        return location;
+    }
+}
 /**
  * Resolve raw icon image paths to MCP Icon[] format (data URIs)
  */
@@ -2125,6 +2141,25 @@ export async function startBeam(rawWorkingDir, port) {
                             });
                             const result = await fn.call(photonClass.instance, webReq);
                             if (result instanceof Response) {
+                                const prefix = `/web/${photonName}`;
+                                if (result.status >= 300 && result.status < 400) {
+                                    const responseHeaders = {};
+                                    result.headers.forEach((value, key) => {
+                                        if (key.toLowerCase() !== 'location')
+                                            responseHeaders[key] = value;
+                                    });
+                                    const location = rewriteBeamWebRedirectLocation(result.headers.get('location'), prefix, internalUrl.origin);
+                                    if (location) {
+                                        responseHeaders.location = location;
+                                    }
+                                    const body = Buffer.from(await result.arrayBuffer());
+                                    if (body.length > 0) {
+                                        responseHeaders['content-length'] = String(body.length);
+                                    }
+                                    res.writeHead(result.status, responseHeaders);
+                                    res.end(body.length > 0 ? body : undefined);
+                                    return;
+                                }
                                 const contentType = result.headers.get('content-type') || '';
                                 if (!contentType.includes('text/html')) {
                                     await writeFetchResponseToNode(result, res);
@@ -2137,7 +2172,6 @@ export async function startBeam(rawWorkingDir, port) {
                                     responseHeaders[key] = value;
                                 });
                                 let body = Buffer.from(await result.arrayBuffer());
-                                const prefix = `/web/${photonName}`;
                                 const interceptor = `<script>
 (function(){
   const _prefix="${prefix}";