@portel/photon 1.4.1 → 1.5.1

package/dist/security-scanner.js

@@ -23,7 +23,7 @@ export class SecurityScanner {
             results.push(result);
             if (result.hasVulnerabilities) {
                 totalVulnerabilities += result.vulnerabilities.length;
-                result.vulnerabilities.forEach(vuln => {
+                result.vulnerabilities.forEach((vuln) => {
                     switch (vuln.severity) {
                         case 'critical':
                             criticalCount++;
@@ -98,15 +98,14 @@ export class SecurityScanner {
         }
         // npm audit v7+ format
         for (const [vulnPackage, vulnData] of Object.entries(auditData.vulnerabilities)) {
-            const vuln = vulnData;
             // Check if this vulnerability affects our target package
-            if (vulnPackage === packageName || vuln.via?.includes(packageName)) {
+            if (vulnPackage === packageName || vulnData.via?.includes(packageName)) {
                 vulnerabilities.push({
-                    severity: vuln.severity || 'moderate',
-                    title: vuln.name || vulnPackage,
-                    url: vuln.url,
-                    via: vuln.via?.filter((v) => typeof v === 'string'),
-                    range: vuln.range,
+                    severity: vulnData.severity || 'moderate',
+                    title: vulnData.name || vulnPackage,
+                    url: vulnData.url,
+                    via: vulnData.via?.filter((v) => typeof v === 'string'),
+                    range: vulnData.range,
                 });
             }
         }
@@ -130,8 +129,7 @@ export class SecurityScanner {
             return false; // Default to false for now
         }
         catch (error) {
-            // Package doesn't exist or other error
-            return false;
+            return false; // package doesn't exist or registry unreachable
         }
     }
     /**
@@ -139,11 +137,16 @@ export class SecurityScanner {
      */
     getSeveritySymbol(severity) {
         switch (severity) {
-            case 'critical': return '🔴';
-            case 'high': return '🟠';
-            case 'moderate': return '🟡';
-            case 'low': return '🔵';
-            default: return 'ℹ️';
+            case 'critical':
+                return '🔴';
+            case 'high':
+                return '🟠';
+            case 'moderate':
+                return '🟡';
+            case 'low':
+                return '🔵';
+            default:
+                return 'ℹ️';
         }
     }
     /**

package/dist/security-scanner.js.map

@@ -1 +1 @@
-{"version":3,"file":"security-scanner.js","sourceRoot":"","sources":["../src/security-scanner.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,IAAI,EAAE,MAAM,eAAe,CAAC;AACrC,OAAO,EAAE,SAAS,EAAE,MAAM,MAAM,CAAC;AACjC,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAC7B,OAAO,KAAK,EAAE,MAAM,IAAI,CAAC;AACzB,OAAO,KAAK,EAAE,MAAM,aAAa,CAAC;AAElC,MAAM,SAAS,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC;AA2BlC,MAAM,OAAO,eAAe;IAC1B;;OAEG;IACH,KAAK,CAAC,QAAQ,CAAC,OAAe,EAAE,YAAsB;QACpD,MAAM,OAAO,GAA4B,EAAE,CAAC;QAC5C,IAAI,oBAAoB,GAAG,CAAC,CAAC;QAC7B,IAAI,aAAa,GAAG,CAAC,CAAC;QACtB,IAAI,SAAS,GAAG,CAAC,CAAC;QAClB,IAAI,aAAa,GAAG,CAAC,CAAC;QACtB,IAAI,QAAQ,GAAG,CAAC,CAAC;QAEjB,KAAK,MAAM,GAAG,IAAI,YAAY,EAAE,CAAC;YAC/B,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;YACxD,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YAErB,IAAI,MAAM,CAAC,kBAAkB,EAAE,CAAC;gBAC9B,oBAAoB,IAAI,MAAM,CAAC,eAAe,CAAC,MAAM,CAAC;gBACtD,MAAM,CAAC,eAAe,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE;oBACpC,QAAQ,IAAI,CAAC,QAAQ,EAAE,CAAC;wBACtB,KAAK,UAAU;4BAAE,aAAa,EAAE,CAAC;4BAAC,MAAM;wBACxC,KAAK,MAAM;4BAAE,SAAS,EAAE,CAAC;4BAAC,MAAM;wBAChC,KAAK,UAAU;4BAAE,aAAa,EAAE,CAAC;4BAAC,MAAM;wBACxC,KAAK,KAAK;4BAAE,QAAQ,EAAE,CAAC;4BAAC,MAAM;oBAChC,CAAC;gBACH,CAAC,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO;YACL,OAAO;YACP,YAAY,EAAE,OAAO;YACrB,oBAAoB;YACpB,aAAa;YACb,SAAS;YACT,aAAa;YACb,QAAQ;SACT,CAAC;IACJ,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,eAAe,CAAC,OAAe,EAAE,UAAkB;QAC/D,yCAAyC;QACzC,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QACpC,MAAM,OAAO,GAAG,KAAK,CAAC,GAAG,EAAE,IAAI,QAAQ,CAAC;QACxC,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,2CAA2C;QAEzE,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,QAAQ,EAAE,YAAY,EAAE,cAAc,EAAE,OAAO,CAAC,CAAC;QAEzF,IAAI,CAAC;YACH,uCAAuC;YACvC,MAAM,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;YAEzB,4CAA4C;YAC5C,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,SAAS,CAAC,kBAAkB,EAAE;gBACrD,GAAG,EAAE,OAAO;gBACZ,OAAO,EAAE,KAAK;aACf,CAAC,CAAC;YAEH,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;YACrC,MAAM,eAAe,GAAG,IAAI,CAAC,sBAAsB,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;YAErE,OAAO;gBACL,UAAU,EAAE,IAAI;gBAChB,OAAO;gBACP,eAAe;gBACf,kBAAkB,EAAE,eAAe,CAAC,MAAM,GAAG,CAAC;aAC/C,CAAC;QACJ,CAAC;QAAC,OAAO,KAAU,EAAE,CAAC;YACpB,2EAA2E;YAC3E,0CAA0C;YAC1C,OAAO;gBACL,UAAU,EAAE,IAAI;gBAChB,OAAO;gBACP,eAAe,EAAE,EAAE;gBACnB,kBAAkB,EAAE,KAAK;aAC1B,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;OAEG;IACK,sBAAsB,CAAC,SAAc,EAAE,WAAmB;QAChE,MAAM,eAAe,GAAwB,EAAE,CAAC;QAEhD,IAAI,CAAC,SAAS,CAAC,eAAe,EAAE,CAAC;YAC/B,OAAO,eAAe,CAAC;QACzB,CAAC;QAED,uBAAuB;QACvB,KAAK,MAAM,CAAC,WAAW,EAAE,QAAQ,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,eAAe,CAAC,EAAE,CAAC;YAChF,MAAM,IAAI,GAAG,QAAe,CAAC;YAE7B,yDAAyD;YACzD,IAAI,WAAW,KAAK,WAAW,IAAI,IAAI,CAAC,GAAG,EAAE,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;gBAEnE,eAAe,CAAC,IAAI,CAAC;oBACnB,QAAQ,EAAE,IAAI,CAAC,QAAQ,IAAI,UAAU;oBACrC,KAAK,EAAE,IAAI,CAAC,IAAI,IAAI,WAAW;oBAC/B,GAAG,EAAE,IAAI,CAAC,GAAG;oBACb,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC;oBACxD,KAAK,EAAE,IAAI,CAAC,KAAK;iBAClB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO,eAAe,CAAC;IACzB,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,kBAAkB,CAAC,UAAkB;QACzC,IAAI,CAAC;YACH,0CAA0C;YAC1C,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YACpC,MAAM,OAAO,GAAG,KAAK,CAAC,GAAG,EAAE,IAAI,QAAQ,CAAC;YACxC,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YAE7B,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,SAAS,CAAC,YAAY,IAAI,IAAI,OAAO,UAAU,EAAE;gBACxE,OAAO,EAAE,KAAK;aACf,CAAC,CAAC;YAEH,2DAA2D;YAC3D,sEAAsE;YACtE,wCAAwC;YACxC,OAAO,KAAK,CAAC,CAAC,2BAA2B;QAC3C,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,uCAAuC;YACvC,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED;;OAEG;IACH,iBAAiB,CAAC,QAAgB;QAChC,QAAQ,QAAQ,EAAE,CAAC;YACjB,KAAK,UAAU,CAAC,CAAC,OAAO,IAAI,CAAC;YAC7B,KAAK,MAAM,CAAC,CAAC,OAAO,IAAI,CAAC;YACzB,KAAK,UAAU,CAAC,CAAC,OAAO,IAAI,CAAC;YAC7B,KAAK,KAAK,CAAC,CAAC,OAAO,IAAI,CAAC;YACxB,OAAO,CAAC,CAAC,OAAO,IAAI,CAAC;QACvB,CAAC;IACH,CAAC;IAED;;OAEG;IACH,iBAAiB,CAAC,MAAsB;QACtC,IAAI,MAAM,CAAC,oBAAoB,KAAK,CAAC,EAAE,CAAC;YACtC,OAAO,KAAK,MAAM,CAAC,OAAO,4BAA4B,CAAC;QACzD,CAAC;QAED,IAAI,MAAM,GAAG,OAAO,MAAM,CAAC,OAAO,KAAK,MAAM,CAAC,oBAAoB,0BAA0B,CAAC;QAE7F,IAAI,MAAM,CAAC,aAAa,GAAG,CAAC,EAAE,CAAC;YAC7B,MAAM,IAAI,mBAAmB,MAAM,CAAC,aAAa,IAAI,CAAC;QACxD,CAAC;QACD,IAAI,MAAM,CAAC,SAAS,GAAG,CAAC,EAAE,CAAC;YACzB,MAAM,IAAI,eAAe,MAAM,CAAC,SAAS,IAAI,CAAC;QAChD,CAAC;QACD,IAAI,MAAM,CAAC,aAAa,GAAG,CAAC,EAAE,CAAC;YAC7B,MAAM,IAAI,mBAAmB,MAAM,CAAC,aAAa,IAAI,CAAC;QACxD,CAAC;QACD,IAAI,MAAM,CAAC,QAAQ,GAAG,CAAC,EAAE,CAAC;YACxB,MAAM,IAAI,cAAc,MAAM,CAAC,QAAQ,IAAI,CAAC;QAC9C,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;CACF"}
+{"version":3,"file":"security-scanner.js","sourceRoot":"","sources":["../src/security-scanner.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,IAAI,EAAE,MAAM,eAAe,CAAC;AACrC,OAAO,EAAE,SAAS,EAAE,MAAM,MAAM,CAAC;AACjC,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAC7B,OAAO,KAAK,EAAE,MAAM,IAAI,CAAC;AACzB,OAAO,KAAK,EAAE,MAAM,aAAa,CAAC;AAElC,MAAM,SAAS,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC;AAuClC,MAAM,OAAO,eAAe;IAC1B;;OAEG;IACH,KAAK,CAAC,QAAQ,CAAC,OAAe,EAAE,YAAsB;QACpD,MAAM,OAAO,GAA4B,EAAE,CAAC;QAC5C,IAAI,oBAAoB,GAAG,CAAC,CAAC;QAC7B,IAAI,aAAa,GAAG,CAAC,CAAC;QACtB,IAAI,SAAS,GAAG,CAAC,CAAC;QAClB,IAAI,aAAa,GAAG,CAAC,CAAC;QACtB,IAAI,QAAQ,GAAG,CAAC,CAAC;QAEjB,KAAK,MAAM,GAAG,IAAI,YAAY,EAAE,CAAC;YAC/B,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;YACxD,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YAErB,IAAI,MAAM,CAAC,kBAAkB,EAAE,CAAC;gBAC9B,oBAAoB,IAAI,MAAM,CAAC,eAAe,CAAC,MAAM,CAAC;gBACtD,MAAM,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,EAAE;oBACtC,QAAQ,IAAI,CAAC,QAAQ,EAAE,CAAC;wBACtB,KAAK,UAAU;4BACb,aAAa,EAAE,CAAC;4BAChB,MAAM;wBACR,KAAK,MAAM;4BACT,SAAS,EAAE,CAAC;4BACZ,MAAM;wBACR,KAAK,UAAU;4BACb,aAAa,EAAE,CAAC;4BAChB,MAAM;wBACR,KAAK,KAAK;4BACR,QAAQ,EAAE,CAAC;4BACX,MAAM;oBACV,CAAC;gBACH,CAAC,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO;YACL,OAAO;YACP,YAAY,EAAE,OAAO;YACrB,oBAAoB;YACpB,aAAa;YACb,SAAS;YACT,aAAa;YACb,QAAQ;SACT,CAAC;IACJ,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,eAAe,CAC3B,OAAe,EACf,UAAkB;QAElB,yCAAyC;QACzC,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QACpC,MAAM,OAAO,GAAG,KAAK,CAAC,GAAG,EAAE,IAAI,QAAQ,CAAC;QACxC,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,2CAA2C;QAEzE,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,QAAQ,EAAE,YAAY,EAAE,cAAc,EAAE,OAAO,CAAC,CAAC;QAEzF,IAAI,CAAC;YACH,uCAAuC;YACvC,MAAM,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;YAEzB,4CAA4C;YAC5C,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,SAAS,CAAC,kBAAkB,EAAE;gBACrD,GAAG,EAAE,OAAO;gBACZ,OAAO,EAAE,KAAK;aACf,CAAC,CAAC;YAEH,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;YACrC,MAAM,eAAe,GAAG,IAAI,CAAC,sBAAsB,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;YAErE,OAAO;gBACL,UAAU,EAAE,IAAI;gBAChB,OAAO;gBACP,eAAe;gBACf,kBAAkB,EAAE,eAAe,CAAC,MAAM,GAAG,CAAC;aAC/C,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,2EAA2E;YAC3E,0CAA0C;YAC1C,OAAO;gBACL,UAAU,EAAE,IAAI;gBAChB,OAAO;gBACP,eAAe,EAAE,EAAE;gBACnB,kBAAkB,EAAE,KAAK;aAC1B,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;OAEG;IACK,sBAAsB,CAC5B,SAAuB,EACvB,WAAmB;QAEnB,MAAM,eAAe,GAAwB,EAAE,CAAC;QAEhD,IAAI,CAAC,SAAS,CAAC,eAAe,EAAE,CAAC;YAC/B,OAAO,eAAe,CAAC;QACzB,CAAC;QAED,uBAAuB;QACvB,KAAK,MAAM,CAAC,WAAW,EAAE,QAAQ,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,eAAe,CAAC,EAAE,CAAC;YAChF,yDAAyD;YACzD,IAAI,WAAW,KAAK,WAAW,IAAI,QAAQ,CAAC,GAAG,EAAE,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;gBACvE,eAAe,CAAC,IAAI,CAAC;oBACnB,QAAQ,EAAE,QAAQ,CAAC,QAAQ,IAAI,UAAU;oBACzC,KAAK,EAAE,QAAQ,CAAC,IAAI,IAAI,WAAW;oBACnC,GAAG,EAAE,QAAQ,CAAC,GAAG;oBACjB,GAAG,EAAE,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC;oBACpE,KAAK,EAAE,QAAQ,CAAC,KAAK;iBACtB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO,eAAe,CAAC;IACzB,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,kBAAkB,CAAC,UAAkB;QACzC,IAAI,CAAC;YACH,0CAA0C;YAC1C,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YACpC,MAAM,OAAO,GAAG,KAAK,CAAC,GAAG,EAAE,IAAI,QAAQ,CAAC;YACxC,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YAE7B,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,SAAS,CAAC,YAAY,IAAI,IAAI,OAAO,UAAU,EAAE;gBACxE,OAAO,EAAE,KAAK;aACf,CAAC,CAAC;YAEH,2DAA2D;YAC3D,sEAAsE;YACtE,wCAAwC;YACxC,OAAO,KAAK,CAAC,CAAC,2BAA2B;QAC3C,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,KAAK,CAAC,CAAC,gDAAgD;QAChE,CAAC;IACH,CAAC;IAED;;OAEG;IACH,iBAAiB,CAAC,QAAgB;QAChC,QAAQ,QAAQ,EAAE,CAAC;YACjB,KAAK,UAAU;gBACb,OAAO,IAAI,CAAC;YACd,KAAK,MAAM;gBACT,OAAO,IAAI,CAAC;YACd,KAAK,UAAU;gBACb,OAAO,IAAI,CAAC;YACd,KAAK,KAAK;gBACR,OAAO,IAAI,CAAC;YACd;gBACE,OAAO,IAAI,CAAC;QAChB,CAAC;IACH,CAAC;IAED;;OAEG;IACH,iBAAiB,CAAC,MAAsB;QACtC,IAAI,MAAM,CAAC,oBAAoB,KAAK,CAAC,EAAE,CAAC;YACtC,OAAO,KAAK,MAAM,CAAC,OAAO,4BAA4B,CAAC;QACzD,CAAC;QAED,IAAI,MAAM,GAAG,OAAO,MAAM,CAAC,OAAO,KAAK,MAAM,CAAC,oBAAoB,0BAA0B,CAAC;QAE7F,IAAI,MAAM,CAAC,aAAa,GAAG,CAAC,EAAE,CAAC;YAC7B,MAAM,IAAI,mBAAmB,MAAM,CAAC,aAAa,IAAI,CAAC;QACxD,CAAC;QACD,IAAI,MAAM,CAAC,SAAS,GAAG,CAAC,EAAE,CAAC;YACzB,MAAM,IAAI,eAAe,MAAM,CAAC,SAAS,IAAI,CAAC;QAChD,CAAC;QACD,IAAI,MAAM,CAAC,aAAa,GAAG,CAAC,EAAE,CAAC;YAC7B,MAAM,IAAI,mBAAmB,MAAM,CAAC,aAAa,IAAI,CAAC;QACxD,CAAC;QACD,IAAI,MAAM,CAAC,QAAQ,GAAG,CAAC,EAAE,CAAC;YACxB,MAAM,IAAI,cAAc,MAAM,CAAC,QAAQ,IAAI,CAAC;QAC9C,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;CACF"}

package/dist/serv/auth/jwt.d.ts

@@ -0,0 +1,89 @@
+/**
+ * JWT Token Utilities
+ *
+ * Handles JWT generation and validation for SERV sessions
+ * Uses HMAC-SHA256 for simplicity; can be upgraded to RSA/EC for production
+ */
+import type { Session, SessionToken, Tenant, User, Membership } from '../types/index.js';
+export interface JwtConfig {
+    /** Secret key for signing tokens (min 32 bytes recommended) */
+    secret: string;
+    /** Token issuer (e.g., 'https://serv.example.com') */
+    issuer: string;
+    /** Default token expiry in seconds */
+    expirySeconds: number;
+    /** Algorithm to use */
+    algorithm: 'HS256' | 'HS384' | 'HS512';
+}
+export declare class JwtService {
+    private config;
+    constructor(config: Partial<JwtConfig> & {
+        secret: string;
+        issuer: string;
+    });
+    /**
+     * Generate a session token
+     */
+    generateSessionToken(session: Session, tenant: Tenant, user?: User, membership?: Membership): string;
+    /**
+     * Verify and decode a token
+     */
+    verifySessionToken(token: string): SessionToken | null;
+    /**
+     * Decode without verification (for debugging)
+     */
+    decode(token: string): SessionToken | null;
+    /**
+     * Build audience URI for a tenant
+     */
+    private buildAudience;
+    /**
+     * Sign a payload and return JWT
+     */
+    private sign;
+    /**
+     * Verify a JWT and return payload
+     */
+    private verify;
+    /**
+     * Create HMAC signature
+     */
+    private createSignature;
+}
+/**
+ * Generate a code verifier for PKCE
+ */
+export declare function generateCodeVerifier(): string;
+/**
+ * Generate a code challenge from a verifier
+ */
+export declare function generateCodeChallenge(verifier: string): string;
+/**
+ * Verify a code verifier against a challenge
+ */
+export declare function verifyCodeChallenge(verifier: string, challenge: string): boolean;
+export interface OAuthState {
+    sessionId: string;
+    elicitationId: string;
+    photonId: string;
+    provider: string;
+    nonce: string;
+    timestamp: number;
+}
+/**
+ * Encode OAuth state for authorization request
+ */
+export declare function encodeOAuthState(state: OAuthState, secret: string): string;
+/**
+ * Decode and verify OAuth state
+ */
+export declare function decodeOAuthState(encoded: string, secret: string): OAuthState | null;
+export declare function getJwtService(config?: Partial<JwtConfig> & {
+    secret: string;
+    issuer: string;
+}): JwtService;
+export declare function initJwtService(config: Partial<JwtConfig> & {
+    secret: string;
+    issuer: string;
+}): JwtService;
+//# sourceMappingURL=jwt.d.ts.map

package/dist/serv/auth/jwt.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt.d.ts","sourceRoot":"","sources":["../../../src/serv/auth/jwt.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,KAAK,EAAE,OAAO,EAAE,YAAY,EAAE,MAAM,EAAE,IAAI,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAMzF,MAAM,WAAW,SAAS;IACxB,+DAA+D;IAC/D,MAAM,EAAE,MAAM,CAAC;IACf,sDAAsD;IACtD,MAAM,EAAE,MAAM,CAAC;IACf,sCAAsC;IACtC,aAAa,EAAE,MAAM,CAAC;IACtB,uBAAuB;IACvB,SAAS,EAAE,OAAO,GAAG,OAAO,GAAG,OAAO,CAAC;CACxC;AAWD,qBAAa,UAAU;IACrB,OAAO,CAAC,MAAM,CAAY;gBAEd,MAAM,EAAE,OAAO,CAAC,SAAS,CAAC,GAAG;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE;IAQ3E;;OAEG;IACH,oBAAoB,CAClB,OAAO,EAAE,OAAO,EAChB,MAAM,EAAE,MAAM,EACd,IAAI,CAAC,EAAE,IAAI,EACX,UAAU,CAAC,EAAE,UAAU,GACtB,MAAM;IAwBT;;OAEG;IACH,kBAAkB,CAAC,KAAK,EAAE,MAAM,GAAG,YAAY,GAAG,IAAI;IA4BtD;;OAEG;IACH,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,YAAY,GAAG,IAAI;IAY1C;;OAEG;IACH,OAAO,CAAC,aAAa;IAOrB;;OAEG;IACH,OAAO,CAAC,IAAI;IAeZ;;OAEG;IACH,OAAO,CAAC,MAAM;IA8Bd;;OAEG;IACH,OAAO,CAAC,eAAe;CAYxB;AAMD;;GAEG;AACH,wBAAgB,oBAAoB,IAAI,MAAM,CAE7C;AAED;;GAEG;AACH,wBAAgB,qBAAqB,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CAG9D;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,QAAQ,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAGhF;AAMD,MAAM,WAAW,UAAU;IACzB,SAAS,EAAE,MAAM,CAAC;IAClB,aAAa,EAAE,MAAM,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,UAAU,EAAE,MAAM,EAAE,MAAM,GAAG,MAAM,CAO1E;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,UAAU,GAAG,IAAI,CAyBnF;AAoBD,wBAAgB,aAAa,CAC3B,MAAM,CAAC,EAAE,OAAO,CAAC,SAAS,CAAC,GAAG;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,GAC/D,UAAU,CAQZ;AAED,wBAAgB,cAAc,CAC5B,MAAM,EAAE,OAAO,CAAC,SAAS,CAAC,GAAG;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,GAC9D,UAAU,CAGZ"}

package/dist/serv/auth/jwt.js

@@ -0,0 +1,239 @@
+/**
+ * JWT Token Utilities
+ *
+ * Handles JWT generation and validation for SERV sessions
+ * Uses HMAC-SHA256 for simplicity; can be upgraded to RSA/EC for production
+ */
+import { createHmac, randomBytes, timingSafeEqual } from 'crypto';
+const DEFAULT_CONFIG = {
+    expirySeconds: 15 * 60, // 15 minutes
+    algorithm: 'HS256',
+};
+// ============================================================================
+// JWT Implementation
+// ============================================================================
+export class JwtService {
+    config;
+    constructor(config) {
+        this.config = { ...DEFAULT_CONFIG, ...config };
+        if (this.config.secret.length < 32) {
+            console.warn('JWT secret is less than 32 characters. Consider using a stronger secret.');
+        }
+    }
+    /**
+     * Generate a session token
+     */
+    generateSessionToken(session, tenant, user, membership) {
+        const now = Math.floor(Date.now() / 1000);
+        const exp = Math.floor(session.expiresAt.getTime() / 1000);
+        const payload = {
+            // Standard claims
+            iss: this.config.issuer,
+            sub: user?.id ?? `anonymous:${session.id}`,
+            aud: this.buildAudience(tenant),
+            exp,
+            iat: now,
+            jti: session.id,
+            // SERV claims
+            tenant_id: tenant.id,
+            tenant_slug: tenant.slug,
+            user_id: user?.id,
+            role: membership?.role,
+            mcp_session_id: session.id,
+        };
+        return this.sign(payload);
+    }
+    /**
+     * Verify and decode a token
+     */
+    verifySessionToken(token) {
+        try {
+            const payload = this.verify(token);
+            if (!payload)
+                return null;
+            // Validate required claims
+            if (!payload.iss || !payload.sub || !payload.aud || !payload.exp || !payload.jti) {
+                return null;
+            }
+            // Check expiry
+            const now = Math.floor(Date.now() / 1000);
+            const exp = payload.exp;
+            if (exp < now) {
+                return null;
+            }
+            // Check issuer
+            if (payload.iss !== this.config.issuer) {
+                return null;
+            }
+            return payload;
+        }
+        catch {
+            return null; // invalid or expired token
+        }
+    }
+    /**
+     * Decode without verification (for debugging)
+     */
+    decode(token) {
+        try {
+            const parts = token.split('.');
+            if (parts.length !== 3)
+                return null;
+            const payload = JSON.parse(base64UrlDecode(parts[1]));
+            return payload;
+        }
+        catch {
+            return null; // malformed token
+        }
+    }
+    /**
+     * Build audience URI for a tenant
+     */
+    buildAudience(tenant) {
+        if (tenant.settings.customDomain) {
+            return `https://${tenant.settings.customDomain}/mcp`;
+        }
+        return `${this.config.issuer}/tenant/${tenant.slug}/mcp`;
+    }
+    /**
+     * Sign a payload and return JWT
+     */
+    sign(payload) {
+        const header = {
+            alg: this.config.algorithm,
+            typ: 'JWT',
+        };
+        const headerB64 = base64UrlEncode(JSON.stringify(header));
+        const payloadB64 = base64UrlEncode(JSON.stringify(payload));
+        const signatureInput = `${headerB64}.${payloadB64}`;
+        const signature = this.createSignature(signatureInput);
+        return `${signatureInput}.${signature}`;
+    }
+    /**
+     * Verify a JWT and return payload
+     */
+    verify(token) {
+        const parts = token.split('.');
+        if (parts.length !== 3)
+            return null;
+        const [headerB64, payloadB64, signatureB64] = parts;
+        // Verify signature
+        const signatureInput = `${headerB64}.${payloadB64}`;
+        const expectedSignature = this.createSignature(signatureInput);
+        // Timing-safe comparison
+        const signatureBuffer = Buffer.from(signatureB64, 'base64url');
+        const expectedBuffer = Buffer.from(expectedSignature, 'base64url');
+        if (signatureBuffer.length !== expectedBuffer.length) {
+            return null;
+        }
+        if (!timingSafeEqual(signatureBuffer, expectedBuffer)) {
+            return null;
+        }
+        // Parse payload
+        try {
+            return JSON.parse(base64UrlDecode(payloadB64));
+        }
+        catch {
+            return null; // malformed payload
+        }
+    }
+    /**
+     * Create HMAC signature
+     */
+    createSignature(input) {
+        const algorithm = this.config.algorithm === 'HS256'
+            ? 'sha256'
+            : this.config.algorithm === 'HS384'
+                ? 'sha384'
+                : 'sha512';
+        const hmac = createHmac(algorithm, this.config.secret);
+        hmac.update(input);
+        return hmac.digest('base64url');
+    }
+}
+// ============================================================================
+// PKCE Utilities
+// ============================================================================
+/**
+ * Generate a code verifier for PKCE
+ */
+export function generateCodeVerifier() {
+    return randomBytes(32).toString('base64url');
+}
+/**
+ * Generate a code challenge from a verifier
+ */
+export function generateCodeChallenge(verifier) {
+    const hash = createHmac('sha256', '').update(verifier).digest();
+    return hash.toString('base64url');
+}
+/**
+ * Verify a code verifier against a challenge
+ */
+export function verifyCodeChallenge(verifier, challenge) {
+    const expected = generateCodeChallenge(verifier);
+    return expected === challenge;
+}
+/**
+ * Encode OAuth state for authorization request
+ */
+export function encodeOAuthState(state, secret) {
+    const payload = JSON.stringify(state);
+    const hmac = createHmac('sha256', secret);
+    hmac.update(payload);
+    const signature = hmac.digest('base64url');
+    return base64UrlEncode(`${payload}|${signature}`);
+}
+/**
+ * Decode and verify OAuth state
+ */
+export function decodeOAuthState(encoded, secret) {
+    try {
+        const decoded = base64UrlDecode(encoded);
+        const [payload, signature] = decoded.split('|');
+        if (!payload || !signature)
+            return null;
+        // Verify signature
+        const hmac = createHmac('sha256', secret);
+        hmac.update(payload);
+        const expectedSignature = hmac.digest('base64url');
+        if (signature !== expectedSignature)
+            return null;
+        const state = JSON.parse(payload);
+        // Check timestamp (5 minute max age)
+        if (Date.now() - state.timestamp > 5 * 60 * 1000) {
+            return null;
+        }
+        return state;
+    }
+    catch {
+        return null; // corrupt or missing state file
+    }
+}
+// ============================================================================
+// Base64URL Utilities
+// ============================================================================
+function base64UrlEncode(str) {
+    return Buffer.from(str, 'utf-8').toString('base64url');
+}
+function base64UrlDecode(str) {
+    return Buffer.from(str, 'base64url').toString('utf-8');
+}
+// ============================================================================
+// Factory Function
+// ============================================================================
+let jwtServiceInstance = null;
+export function getJwtService(config) {
+    if (!jwtServiceInstance) {
+        if (!config) {
+            throw new Error('JWT service not initialized. Call with config first.');
+        }
+        jwtServiceInstance = new JwtService(config);
+    }
+    return jwtServiceInstance;
+}
+export function initJwtService(config) {
+    jwtServiceInstance = new JwtService(config);
+    return jwtServiceInstance;
+}
+//# sourceMappingURL=jwt.js.map

package/dist/serv/auth/jwt.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt.js","sourceRoot":"","sources":["../../../src/serv/auth/jwt.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,QAAQ,CAAC;AAkBlE,MAAM,cAAc,GAAuB;IACzC,aAAa,EAAE,EAAE,GAAG,EAAE,EAAE,aAAa;IACrC,SAAS,EAAE,OAAO;CACnB,CAAC;AAEF,+EAA+E;AAC/E,qBAAqB;AACrB,+EAA+E;AAE/E,MAAM,OAAO,UAAU;IACb,MAAM,CAAY;IAE1B,YAAY,MAA+D;QACzE,IAAI,CAAC,MAAM,GAAG,EAAE,GAAG,cAAc,EAAE,GAAG,MAAM,EAAe,CAAC;QAE5D,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;YACnC,OAAO,CAAC,IAAI,CAAC,0EAA0E,CAAC,CAAC;QAC3F,CAAC;IACH,CAAC;IAED;;OAEG;IACH,oBAAoB,CAClB,OAAgB,EAChB,MAAc,EACd,IAAW,EACX,UAAuB;QAEvB,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC1C,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,SAAS,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,CAAC;QAE3D,MAAM,OAAO,GAA4B;YACvC,kBAAkB;YAClB,GAAG,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM;YACvB,GAAG,EAAE,IAAI,EAAE,EAAE,IAAI,aAAa,OAAO,CAAC,EAAE,EAAE;YAC1C,GAAG,EAAE,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC;YAC/B,GAAG;YACH,GAAG,EAAE,GAAG;YACR,GAAG,EAAE,OAAO,CAAC,EAAE;YAEf,cAAc;YACd,SAAS,EAAE,MAAM,CAAC,EAAE;YACpB,WAAW,EAAE,MAAM,CAAC,IAAI;YACxB,OAAO,EAAE,IAAI,EAAE,EAAE;YACjB,IAAI,EAAE,UAAU,EAAE,IAAI;YACtB,cAAc,EAAE,OAAO,CAAC,EAAE;SAC3B,CAAC;QAEF,OAAO,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC5B,CAAC;IAED;;OAEG;IACH,kBAAkB,CAAC,KAAa;QAC9B,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACnC,IAAI,CAAC,OAAO;gBAAE,OAAO,IAAI,CAAC;YAE1B,2BAA2B;YAC3B,IAAI,CAAC,OAAO,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC;gBACjF,OAAO,IAAI,CAAC;YACd,CAAC;YAED,eAAe;YACf,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;YAC1C,MAAM,GAAG,GAAG,OAAO,CAAC,GAAa,CAAC;YAClC,IAAI,GAAG,GAAG,GAAG,EAAE,CAAC;gBACd,OAAO,IAAI,CAAC;YACd,CAAC;YAED,eAAe;YACf,IAAI,OAAO,CAAC,GAAG,KAAK,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;gBACvC,OAAO,IAAI,CAAC;YACd,CAAC;YAED,OAAO,OAAkC,CAAC;QAC5C,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC,CAAC,2BAA2B;QAC1C,CAAC;IACH,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,KAAa;QAClB,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;gBAAE,OAAO,IAAI,CAAC;YAEpC,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;YACtD,OAAO,OAAuB,CAAC;QACjC,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC,CAAC,kBAAkB;QACjC,CAAC;IACH,CAAC;IAED;;OAEG;IACK,aAAa,CAAC,MAAc;QAClC,IAAI,MAAM,CAAC,QAAQ,CAAC,YAAY,EAAE,CAAC;YACjC,OAAO,WAAW,MAAM,CAAC,QAAQ,CAAC,YAAY,MAAM,CAAC;QACvD,CAAC;QACD,OAAO,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,WAAW,MAAM,CAAC,IAAI,MAAM,CAAC;IAC3D,CAAC;IAED;;OAEG;IACK,IAAI,CAAC,OAAgC;QAC3C,MAAM,MAAM,GAAG;YACb,GAAG,EAAE,IAAI,CAAC,MAAM,CAAC,SAAS;YAC1B,GAAG,EAAE,KAAK;SACX,CAAC;QAEF,MAAM,SAAS,GAAG,eAAe,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC;QAC1D,MAAM,UAAU,GAAG,eAAe,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC;QAE5D,MAAM,cAAc,GAAG,GAAG,SAAS,IAAI,UAAU,EAAE,CAAC;QACpD,MAAM,SAAS,GAAG,IAAI,CAAC,eAAe,CAAC,cAAc,CAAC,CAAC;QAEvD,OAAO,GAAG,cAAc,IAAI,SAAS,EAAE,CAAC;IAC1C,CAAC;IAED;;OAEG;IACK,MAAM,CAAC,KAAa;QAC1B,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;QAEpC,MAAM,CAAC,SAAS,EAAE,UAAU,EAAE,YAAY,CAAC,GAAG,KAAK,CAAC;QAEpD,mBAAmB;QACnB,MAAM,cAAc,GAAG,GAAG,SAAS,IAAI,UAAU,EAAE,CAAC;QACpD,MAAM,iBAAiB,GAAG,IAAI,CAAC,eAAe,CAAC,cAAc,CAAC,CAAC;QAE/D,yBAAyB;QACzB,MAAM,eAAe,GAAG,MAAM,CAAC,IAAI,CAAC,YAAY,EAAE,WAAW,CAAC,CAAC;QAC/D,MAAM,cAAc,GAAG,MAAM,CAAC,IAAI,CAAC,iBAAiB,EAAE,WAAW,CAAC,CAAC;QAEnE,IAAI,eAAe,CAAC,MAAM,KAAK,cAAc,CAAC,MAAM,EAAE,CAAC;YACrD,OAAO,IAAI,CAAC;QACd,CAAC;QAED,IAAI,CAAC,eAAe,CAAC,eAAe,EAAE,cAAc,CAAC,EAAE,CAAC;YACtD,OAAO,IAAI,CAAC;QACd,CAAC;QAED,gBAAgB;QAChB,IAAI,CAAC;YACH,OAAO,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,UAAU,CAAC,CAAC,CAAC;QACjD,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC,CAAC,oBAAoB;QACnC,CAAC;IACH,CAAC;IAED;;OAEG;IACK,eAAe,CAAC,KAAa;QACnC,MAAM,SAAS,GACb,IAAI,CAAC,MAAM,CAAC,SAAS,KAAK,OAAO;YAC/B,CAAC,CAAC,QAAQ;YACV,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,KAAK,OAAO;gBACjC,CAAC,CAAC,QAAQ;gBACV,CAAC,CAAC,QAAQ,CAAC;QAEjB,MAAM,IAAI,GAAG,UAAU,CAAC,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QACvD,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACnB,OAAO,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;IAClC,CAAC;CACF;AAED,+EAA+E;AAC/E,iBAAiB;AACjB,+EAA+E;AAE/E;;GAEG;AACH,MAAM,UAAU,oBAAoB;IAClC,OAAO,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AAC/C,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,qBAAqB,CAAC,QAAgB;IACpD,MAAM,IAAI,GAAG,UAAU,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,MAAM,EAAE,CAAC;IAChE,OAAO,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AACpC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB,CAAC,QAAgB,EAAE,SAAiB;IACrE,MAAM,QAAQ,GAAG,qBAAqB,CAAC,QAAQ,CAAC,CAAC;IACjD,OAAO,QAAQ,KAAK,SAAS,CAAC;AAChC,CAAC;AAeD;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAAC,KAAiB,EAAE,MAAc;IAChE,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;IACtC,MAAM,IAAI,GAAG,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IAC1C,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IACrB,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;IAE3C,OAAO,eAAe,CAAC,GAAG,OAAO,IAAI,SAAS,EAAE,CAAC,CAAC;AACpD,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAAC,OAAe,EAAE,MAAc;IAC9D,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,eAAe,CAAC,OAAO,CAAC,CAAC;QACzC,MAAM,CAAC,OAAO,EAAE,SAAS,CAAC,GAAG,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAEhD,IAAI,CAAC,OAAO,IAAI,CAAC,SAAS;YAAE,OAAO,IAAI,CAAC;QAExC,mBAAmB;QACnB,MAAM,IAAI,GAAG,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QAC1C,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QACrB,MAAM,iBAAiB,GAAG,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;QAEnD,IAAI,SAAS,KAAK,iBAAiB;YAAE,OAAO,IAAI,CAAC;QAEjD,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAe,CAAC;QAEhD,qCAAqC;QACrC,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC,SAAS,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,EAAE,CAAC;YACjD,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,KAAK,CAAC;IACf,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC,CAAC,gCAAgC;IAC/C,CAAC;AACH,CAAC;AAED,+EAA+E;AAC/E,sBAAsB;AACtB,+EAA+E;AAE/E,SAAS,eAAe,CAAC,GAAW;IAClC,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AACzD,CAAC;AAED,SAAS,eAAe,CAAC,GAAW;IAClC,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;AACzD,CAAC;AAED,+EAA+E;AAC/E,mBAAmB;AACnB,+EAA+E;AAE/E,IAAI,kBAAkB,GAAsB,IAAI,CAAC;AAEjD,MAAM,UAAU,aAAa,CAC3B,MAAgE;IAEhE,IAAI,CAAC,kBAAkB,EAAE,CAAC;QACxB,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,IAAI,KAAK,CAAC,sDAAsD,CAAC,CAAC;QAC1E,CAAC;QACD,kBAAkB,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC;IAC9C,CAAC;IACD,OAAO,kBAAkB,CAAC;AAC5B,CAAC;AAED,MAAM,UAAU,cAAc,CAC5B,MAA+D;IAE/D,kBAAkB,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC;IAC5C,OAAO,kBAAkB,CAAC;AAC5B,CAAC"}

package/dist/serv/auth/oauth.d.ts

@@ -0,0 +1,117 @@
+/**
+ * OAuth Flow Handler
+ *
+ * Handles OAuth 2.1 flows for:
+ * 1. SERV as authorization server (client access to SERV)
+ * 2. SERV as client (third-party OAuth for photon access)
+ */
+import type { ElicitationRequest, PhotonGrant, Session } from '../types/index.js';
+import type { TokenVault } from '../vault/token-vault.js';
+export interface OAuthProviderConfig {
+    id: string;
+    name: string;
+    authorizationUrl: string;
+    tokenUrl: string;
+    userInfoUrl?: string;
+    scopes: string[];
+    clientId: string;
+    clientSecret: string;
+}
+export declare class OAuthProviderRegistry {
+    private providers;
+    /**
+     * Register a provider with credentials
+     */
+    register(providerId: string, clientId: string, clientSecret: string): void;
+    /**
+     * Register a custom provider
+     */
+    registerCustom(config: OAuthProviderConfig): void;
+    /**
+     * Get a provider by ID
+     */
+    get(providerId: string): OAuthProviderConfig | null;
+    /**
+     * Check if a provider is registered
+     */
+    has(providerId: string): boolean;
+}
+export interface ElicitationStore {
+    create(request: Omit<ElicitationRequest, 'id' | 'createdAt'>): Promise<ElicitationRequest>;
+    get(id: string): Promise<ElicitationRequest | null>;
+    update(id: string, data: Partial<ElicitationRequest>): Promise<void>;
+    delete(id: string): Promise<void>;
+    cleanup(): Promise<number>;
+}
+export declare class MemoryElicitationStore implements ElicitationStore {
+    private requests;
+    create(data: Omit<ElicitationRequest, 'id' | 'createdAt'>): Promise<ElicitationRequest>;
+    get(id: string): Promise<ElicitationRequest | null>;
+    update(id: string, data: Partial<ElicitationRequest>): Promise<void>;
+    delete(id: string): Promise<void>;
+    cleanup(): Promise<number>;
+}
+export interface GrantStore {
+    find(tenantId: string, photonId: string, provider: string, userId?: string): Promise<PhotonGrant | null>;
+    create(grant: Omit<PhotonGrant, 'id' | 'createdAt' | 'updatedAt'>): Promise<PhotonGrant>;
+    update(id: string, data: Partial<PhotonGrant>): Promise<void>;
+    delete(id: string): Promise<void>;
+    findByUser(tenantId: string, userId: string): Promise<PhotonGrant[]>;
+}
+export declare class MemoryGrantStore implements GrantStore {
+    private grants;
+    private key;
+    find(tenantId: string, photonId: string, provider: string, userId?: string): Promise<PhotonGrant | null>;
+    create(data: Omit<PhotonGrant, 'id' | 'createdAt' | 'updatedAt'>): Promise<PhotonGrant>;
+    update(id: string, data: Partial<PhotonGrant>): Promise<void>;
+    delete(id: string): Promise<void>;
+    findByUser(tenantId: string, userId: string): Promise<PhotonGrant[]>;
+}
+export interface OAuthFlowConfig {
+    /** Base URL for callbacks (e.g., 'https://serv.example.com') */
+    baseUrl: string;
+    /** Secret for state encryption */
+    stateSecret: string;
+    /** Provider registry */
+    providers: OAuthProviderRegistry;
+    /** Elicitation store */
+    elicitationStore: ElicitationStore;
+    /** Grant store */
+    grantStore: GrantStore;
+    /** Token vault for encryption */
+    tokenVault: TokenVault;
+}
+export declare class OAuthFlowHandler {
+    private config;
+    constructor(config: OAuthFlowConfig);
+    /**
+     * Start an OAuth elicitation flow
+     */
+    startElicitation(session: Session, photonId: string, provider: string, scopes: string[]): Promise<{
+        url: string;
+        elicitationId: string;
+    }>;
+    /**
+     * Handle OAuth callback
+     */
+    handleCallback(code: string, state: string, tenantId: string): Promise<{
+        success: boolean;
+        error?: string;
+    }>;
+    /**
+     * Check if a grant exists and is valid
+     */
+    checkGrant(tenantId: string, photonId: string, provider: string, requiredScopes: string[], userId?: string): Promise<{
+        valid: boolean;
+        token?: string;
+    }>;
+    /**
+     * Exchange authorization code for tokens
+     */
+    private exchangeCode;
+    /**
+     * Refresh an expired grant
+     */
+    private refreshGrant;
+}
+//# sourceMappingURL=oauth.d.ts.map

package/dist/serv/auth/oauth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth.d.ts","sourceRoot":"","sources":["../../../src/serv/auth/oauth.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAGH,OAAO,KAAK,EAGV,kBAAkB,EAClB,WAAW,EACX,OAAO,EAER,MAAM,mBAAmB,CAAC;AAO3B,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,yBAAyB,CAAC;AAS1D,MAAM,WAAW,mBAAmB;IAClC,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,gBAAgB,EAAE,MAAM,CAAC;IACzB,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,EAAE,MAAM,CAAC;CACtB;AA6BD,qBAAa,qBAAqB;IAChC,OAAO,CAAC,SAAS,CAA+C;IAEhE;;OAEG;IACH,QAAQ,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,IAAI;IAW1E;;OAEG;IACH,cAAc,CAAC,MAAM,EAAE,mBAAmB,GAAG,IAAI;IAIjD;;OAEG;IACH,GAAG,CAAC,UAAU,EAAE,MAAM,GAAG,mBAAmB,GAAG,IAAI;IAInD;;OAEG;IACH,GAAG,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO;CAGjC;AAMD,MAAM,WAAW,gBAAgB;IAC/B,MAAM,CAAC,OAAO,EAAE,IAAI,CAAC,kBAAkB,EAAE,IAAI,GAAG,WAAW,CAAC,GAAG,OAAO,CAAC,kBAAkB,CAAC,CAAC;IAC3F,GAAG,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC,CAAC;IACpD,MAAM,CAAC,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,CAAC,kBAAkB,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACrE,MAAM,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAClC,OAAO,IAAI,OAAO,CAAC,MAAM,CAAC,CAAC;CAC5B;AAMD,qBAAa,sBAAuB,YAAW,gBAAgB;IAC7D,OAAO,CAAC,QAAQ,CAA8C;IAExD,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,kBAAkB,EAAE,IAAI,GAAG,WAAW,CAAC,GAAG,OAAO,CAAC,kBAAkB,CAAC;IAUvF,GAAG,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC;IAUnD,MAAM,CAAC,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,CAAC,kBAAkB,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC;IAOpE,MAAM,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAIjC,OAAO,IAAI,OAAO,CAAC,MAAM,CAAC;CAWjC;AAMD,MAAM,WAAW,UAAU;IACzB,IAAI,CACF,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,MAAM,EAChB,MAAM,CAAC,EAAE,MAAM,GACd,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAAC;IAC/B,MAAM,CAAC,KAAK,EAAE,IAAI,CAAC,WAAW,EAAE,IAAI,GAAG,WAAW,GAAG,WAAW,CAAC,GAAG,OAAO,CAAC,WAAW,CAAC,CAAC;IACzF,MAAM,CAAC,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,CAAC,WAAW,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC9D,MAAM,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAClC,UAAU,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC,CAAC;CACtE;AAMD,qBAAa,gBAAiB,YAAW,UAAU;IACjD,OAAO,CAAC,MAAM,CAAuC;IAErD,OAAO,CAAC,GAAG;IAIL,IAAI,CACR,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,MAAM,EAChB,MAAM,CAAC,EAAE,MAAM,GACd,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC;IAKxB,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,WAAW,EAAE,IAAI,GAAG,WAAW,GAAG,WAAW,CAAC,GAAG,OAAO,CAAC,WAAW,CAAC;IAavF,MAAM,CAAC,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,CAAC,WAAW,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC;IAS7D,MAAM,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IASjC,UAAU,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC;CAS3E;AAMD,MAAM,WAAW,eAAe;IAC9B,gEAAgE;IAChE,OAAO,EAAE,MAAM,CAAC;IAChB,kCAAkC;IAClC,WAAW,EAAE,MAAM,CAAC;IACpB,wBAAwB;IACxB,SAAS,EAAE,qBAAqB,CAAC;IACjC,wBAAwB;IACxB,gBAAgB,EAAE,gBAAgB,CAAC;IACnC,kBAAkB;IAClB,UAAU,EAAE,UAAU,CAAC;IACvB,iCAAiC;IACjC,UAAU,EAAE,UAAU,CAAC;CACxB;AAED,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,MAAM,CAAkB;gBAEpB,MAAM,EAAE,eAAe;IAInC;;OAEG;IACG,gBAAgB,CACpB,OAAO,EAAE,OAAO,EAChB,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,EAAE,GACf,OAAO,CAAC;QAAE,GAAG,EAAE,MAAM,CAAC;QAAC,aAAa,EAAE,MAAM,CAAA;KAAE,CAAC;IAmDlD;;OAEG;IACG,cAAc,CAClB,IAAI,EAAE,MAAM,EACZ,KAAK,EAAE,MAAM,EACb,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IAuFhD;;OAEG;IACG,UAAU,CACd,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,MAAM,EAChB,cAAc,EAAE,MAAM,EAAE,EACxB,MAAM,CAAC,EAAE,MAAM,GACd,OAAO,CAAC;QAAE,KAAK,EAAE,OAAO,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IAiC9C;;OAEG;YACW,YAAY;IA4C1B;;OAEG;YACW,YAAY;CA0D3B"}