@portel/photon 1.4.1 → 1.6.0

package/dist/serv/local.js

@@ -0,0 +1,392 @@
+/**
+ * SERV Local Development Mode
+ *
+ * Zero external dependencies - everything runs in-memory.
+ * Perfect for local testing before deploying to Cloudflare.
+ */
+import { randomUUID } from 'crypto';
+import { MemorySessionStore } from './session/store.js';
+import { MemoryTenantStore } from './middleware/tenant.js';
+import { MemoryElicitationStore, MemoryGrantStore, OAuthProviderRegistry, OAuthFlowHandler, } from './auth/oauth.js';
+import { LocalTokenVault } from './vault/token-vault.js';
+import { JwtService } from './auth/jwt.js';
+import { TenantResolver } from './middleware/tenant.js';
+import { AuthMiddleware } from './middleware/auth.js';
+import { handleProtectedResourceRequest, handleAuthServerRequest, } from './auth/well-known.js';
+// ============================================================================
+// Local User Store (In-Memory)
+// ============================================================================
+export class LocalUserStore {
+    users = new Map();
+    emailIndex = new Map();
+    async findById(id) {
+        return this.users.get(id) ?? null;
+    }
+    async findByEmail(email) {
+        const id = this.emailIndex.get(email.toLowerCase());
+        return id ? (this.users.get(id) ?? null) : null;
+    }
+    async create(data) {
+        const user = {
+            id: randomUUID(),
+            ...data,
+            createdAt: new Date(),
+        };
+        this.users.set(user.id, user);
+        this.emailIndex.set(user.email.toLowerCase(), user.id);
+        return user;
+    }
+    add(user) {
+        this.users.set(user.id, user);
+        this.emailIndex.set(user.email.toLowerCase(), user.id);
+    }
+}
+// ============================================================================
+// Local Membership Store (In-Memory)
+// ============================================================================
+export class LocalMembershipStore {
+    memberships = new Map();
+    key(tenantId, userId) {
+        return `${tenantId}:${userId}`;
+    }
+    async find(tenantId, userId) {
+        return this.memberships.get(this.key(tenantId, userId)) ?? null;
+    }
+    async findByUser(userId) {
+        return Array.from(this.memberships.values()).filter((m) => m.userId === userId);
+    }
+    async create(data) {
+        const membership = {
+            ...data,
+            joinedAt: new Date(),
+        };
+        this.memberships.set(this.key(data.tenantId, data.userId), membership);
+        return membership;
+    }
+    add(membership) {
+        this.memberships.set(this.key(membership.tenantId, membership.userId), membership);
+    }
+}
+// ============================================================================
+// Local SERV Instance
+// ============================================================================
+export class LocalServ {
+    port;
+    baseUrl;
+    debug;
+    // Stores
+    sessions;
+    tenants;
+    users;
+    memberships;
+    elicitations;
+    grants;
+    vault;
+    // Services
+    jwt;
+    tenantResolver;
+    auth;
+    oauthProviders;
+    oauthFlow;
+    // Secrets (auto-generated for local dev)
+    secrets;
+    constructor(config = {}) {
+        this.port = config.port ?? 3000;
+        this.baseUrl = config.baseUrl ?? `http://localhost:${this.port}`;
+        this.debug = config.debug ?? false;
+        // Generate random secrets for local dev
+        this.secrets = {
+            jwt: `local-jwt-${randomUUID()}`,
+            encryption: `local-enc-${randomUUID()}`,
+            state: `local-state-${randomUUID()}`,
+        };
+        // Initialize stores
+        this.sessions = new MemorySessionStore();
+        this.tenants = new MemoryTenantStore();
+        this.users = new LocalUserStore();
+        this.memberships = new LocalMembershipStore();
+        this.elicitations = new MemoryElicitationStore();
+        this.grants = new MemoryGrantStore();
+        this.vault = new LocalTokenVault({ masterKey: this.secrets.encryption });
+        // Initialize JWT service
+        this.jwt = new JwtService({
+            secret: this.secrets.jwt,
+            issuer: this.baseUrl,
+        });
+        // Initialize tenant resolver
+        this.tenantResolver = new TenantResolver({
+            baseDomain: 'localhost',
+            store: this.tenants,
+        });
+        // Initialize auth middleware
+        this.auth = new AuthMiddleware({
+            jwtService: this.jwt,
+            sessionStore: this.sessions,
+            userStore: this.users,
+            membershipStore: this.memberships,
+        });
+        // Initialize OAuth
+        this.oauthProviders = new OAuthProviderRegistry();
+        this.oauthFlow = new OAuthFlowHandler({
+            baseUrl: this.baseUrl,
+            stateSecret: this.secrets.state,
+            providers: this.oauthProviders,
+            elicitationStore: this.elicitations,
+            grantStore: this.grants,
+            tokenVault: this.vault,
+        });
+        this.log('LocalServ initialized', { port: this.port, baseUrl: this.baseUrl });
+    }
+    // ===========================================================================
+    // Setup Helpers
+    // ===========================================================================
+    /**
+     * Create a tenant for local testing
+     */
+    createTenant(options) {
+        const tenant = {
+            id: randomUUID(),
+            name: options.name,
+            slug: options.slug,
+            region: 'local',
+            plan: options.plan ?? 'free',
+            encryptionKeyId: 'local-key',
+            settings: {
+                allowAnonymousUsers: true,
+                sponsoredPhotons: [],
+            },
+            createdAt: new Date(),
+        };
+        this.tenants.add(tenant);
+        this.log('Created tenant', { slug: tenant.slug, id: tenant.id });
+        return tenant;
+    }
+    /**
+     * Create a user for local testing
+     */
+    createUser(options) {
+        const user = {
+            id: randomUUID(),
+            email: options.email,
+            emailVerified: options.verified ?? true,
+            createdAt: new Date(),
+        };
+        this.users.add(user);
+        this.log('Created user', { email: user.email, id: user.id });
+        return user;
+    }
+    /**
+     * Add a user to a tenant
+     */
+    addMembership(options) {
+        const membership = {
+            tenantId: options.tenant.id,
+            userId: options.user.id,
+            role: options.role ?? 'member',
+            status: 'active',
+            joinedAt: new Date(),
+        };
+        this.memberships.add(membership);
+        this.log('Added membership', {
+            user: options.user.email,
+            tenant: options.tenant.slug,
+            role: membership.role,
+        });
+        return membership;
+    }
+    /**
+     * Register an OAuth provider for testing
+     */
+    registerOAuthProvider(providerId, clientId, clientSecret) {
+        this.oauthProviders.register(providerId, clientId, clientSecret);
+        this.log('Registered OAuth provider', { providerId });
+    }
+    // ===========================================================================
+    // Session Management
+    // ===========================================================================
+    /**
+     * Create a session for a user in a tenant
+     */
+    async createSession(tenant, user) {
+        const session = await this.sessions.create({
+            tenantId: tenant.id,
+            userId: user?.id,
+            clientId: 'local-dev',
+        });
+        const token = this.jwt.generateSessionToken(session, tenant, user, user ? ((await this.memberships.find(tenant.id, user.id)) ?? undefined) : undefined);
+        this.log('Created session', {
+            sessionId: session.id,
+            tenant: tenant.slug,
+            user: user?.email ?? 'anonymous',
+        });
+        return { session, token };
+    }
+    // ===========================================================================
+    // Request Handling
+    // ===========================================================================
+    /**
+     * Handle an HTTP request (for use with Node.js http server)
+     */
+    async handleRequest(method, url, headers, body) {
+        const parsedUrl = new URL(url, this.baseUrl);
+        const path = parsedUrl.pathname;
+        this.log('Request', { method, path });
+        try {
+            // Well-known endpoints
+            if (path === '/.well-known/oauth-protected-resource') {
+                const tenant = await this.resolveTenant(headers);
+                if (!tenant)
+                    return this.notFound('Tenant not found');
+                return handleProtectedResourceRequest({ baseUrl: this.baseUrl }, tenant);
+            }
+            if (path === '/.well-known/oauth-authorization-server') {
+                const tenant = await this.resolveTenant(headers);
+                if (!tenant)
+                    return this.notFound('Tenant not found');
+                return handleAuthServerRequest({ baseUrl: this.baseUrl }, tenant);
+            }
+            // OAuth callback
+            if (path === '/auth/oauth/callback') {
+                const code = parsedUrl.searchParams.get('code');
+                const state = parsedUrl.searchParams.get('state');
+                if (!code || !state) {
+                    return this.badRequest('Missing code or state');
+                }
+                const tenant = await this.resolveTenant(headers);
+                if (!tenant)
+                    return this.notFound('Tenant not found');
+                const result = await this.oauthFlow.handleCallback(code, state, tenant.id);
+                if (!result.success) {
+                    return this.badRequest(result.error ?? 'OAuth callback failed');
+                }
+                return {
+                    status: 200,
+                    headers: { 'Content-Type': 'text/html' },
+                    body: `
+            <!DOCTYPE html>
+            <html>
+            <head><title>Authorization Complete</title></head>
+            <body>
+              <h1>Authorization Successful</h1>
+              <p>You can close this window and retry your request.</p>
+              <script>window.close();</script>
+            </body>
+            </html>
+          `,
+                };
+            }
+            // MCP endpoint (placeholder)
+            if (path.endsWith('/mcp')) {
+                const tenant = await this.resolveTenant(headers);
+                if (!tenant)
+                    return this.notFound('Tenant not found');
+                const authResult = await this.auth.authenticate(tenant, headers['authorization']);
+                if (!authResult.success) {
+                    return {
+                        status: authResult.error.code,
+                        headers: {
+                            'Content-Type': 'application/json',
+                            ...(authResult.error.wwwAuthenticate
+                                ? { 'WWW-Authenticate': authResult.error.wwwAuthenticate }
+                                : {}),
+                        },
+                        body: JSON.stringify({ error: authResult.error.message }),
+                    };
+                }
+                // MCP endpoint status - actual MCP protocol handled via SSE transport
+                return {
+                    status: 200,
+                    headers: { 'Content-Type': 'application/json' },
+                    body: JSON.stringify({
+                        message: 'MCP endpoint ready',
+                        tenant: tenant.slug,
+                        session: authResult.context?.session?.id,
+                    }),
+                };
+            }
+            return this.notFound('Not found');
+        }
+        catch (err) {
+            this.log('Error', { error: err instanceof Error ? err.message : String(err) });
+            return {
+                status: 500,
+                headers: { 'Content-Type': 'application/json' },
+                body: JSON.stringify({ error: 'Internal server error' }),
+            };
+        }
+    }
+    // ===========================================================================
+    // Helpers
+    // ===========================================================================
+    async resolveTenant(headers) {
+        // For local dev, try to find from path or default to first tenant
+        const host = headers['host'] ?? 'localhost';
+        // Try subdomain
+        const tenant = await this.tenantResolver.resolve({ host, headers: { host } });
+        if (tenant)
+            return tenant;
+        // For local dev, return first tenant if only one exists
+        // (This is a convenience for testing)
+        return null;
+    }
+    notFound(message) {
+        return {
+            status: 404,
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({ error: message }),
+        };
+    }
+    badRequest(message) {
+        return {
+            status: 400,
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({ error: message }),
+        };
+    }
+    log(message, data) {
+        if (this.debug) {
+            console.log(`[LocalServ] ${message}`, data ? JSON.stringify(data) : '');
+        }
+    }
+    // ===========================================================================
+    // Shutdown
+    // ===========================================================================
+    async shutdown() {
+        await this.sessions.close();
+        this.log('Shutdown complete');
+    }
+}
+// ============================================================================
+// Quick Start
+// ============================================================================
+/**
+ * Create a LocalServ instance with a default tenant and user
+ */
+export function createLocalServ(config) {
+    const serv = new LocalServ(config);
+    // Create default tenant
+    const tenant = serv.createTenant({
+        name: 'Local Dev',
+        slug: 'local',
+    });
+    // Create default user
+    const user = serv.createUser({
+        email: 'dev@localhost',
+        verified: true,
+    });
+    // Add user to tenant
+    const membership = serv.addMembership({
+        tenant,
+        user,
+        role: 'owner',
+    });
+    return { serv, tenant, user, membership };
+}
+/**
+ * Quick session token for testing
+ */
+export async function getTestToken(serv, tenant, user) {
+    const { token } = await serv.createSession(tenant, user);
+    return token;
+}
+//# sourceMappingURL=local.js.map

package/dist/serv/local.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"local.js","sourceRoot":"","sources":["../../src/serv/local.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AAEpC,OAAO,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AACxD,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAC3D,OAAO,EACL,sBAAsB,EACtB,gBAAgB,EAChB,qBAAqB,EACrB,gBAAgB,GACjB,MAAM,iBAAiB,CAAC;AACzB,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AACzD,OAAO,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAC3C,OAAO,EAAE,cAAc,EAAE,MAAM,wBAAwB,CAAC;AACxD,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,EACL,8BAA8B,EAC9B,uBAAuB,GAExB,MAAM,sBAAsB,CAAC;AAE9B,+EAA+E;AAC/E,+BAA+B;AAC/B,+EAA+E;AAE/E,MAAM,OAAO,cAAc;IACjB,KAAK,GAAsB,IAAI,GAAG,EAAE,CAAC;IACrC,UAAU,GAAwB,IAAI,GAAG,EAAE,CAAC;IAEpD,KAAK,CAAC,QAAQ,CAAC,EAAU;QACvB,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,IAAI,CAAC;IACpC,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,KAAa;QAC7B,MAAM,EAAE,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,CAAC;QACpD,OAAO,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAClD,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,IAAoC;QAC/C,MAAM,IAAI,GAAS;YACjB,EAAE,EAAE,UAAU,EAAE;YAChB,GAAG,IAAI;YACP,SAAS,EAAE,IAAI,IAAI,EAAE;SACtB,CAAC;QACF,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,EAAE,IAAI,CAAC,CAAC;QAC9B,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,WAAW,EAAE,EAAE,IAAI,CAAC,EAAE,CAAC,CAAC;QACvD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,GAAG,CAAC,IAAU;QACZ,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,EAAE,IAAI,CAAC,CAAC;QAC9B,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,WAAW,EAAE,EAAE,IAAI,CAAC,EAAE,CAAC,CAAC;IACzD,CAAC;CACF;AAED,+EAA+E;AAC/E,qCAAqC;AACrC,+EAA+E;AAE/E,MAAM,OAAO,oBAAoB;IACvB,WAAW,GAA4B,IAAI,GAAG,EAAE,CAAC;IAEjD,GAAG,CAAC,QAAgB,EAAE,MAAc;QAC1C,OAAO,GAAG,QAAQ,IAAI,MAAM,EAAE,CAAC;IACjC,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,QAAgB,EAAE,MAAc;QACzC,OAAO,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,IAAI,IAAI,CAAC;IAClE,CAAC;IAED,KAAK,CAAC,UAAU,CAAC,MAAc;QAC7B,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,MAAM,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,MAAM,CAAC,CAAC;IAClF,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,IAAkC;QAC7C,MAAM,UAAU,GAAe;YAC7B,GAAG,IAAI;YACP,QAAQ,EAAE,IAAI,IAAI,EAAE;SACrB,CAAC;QACF,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,EAAE,UAAU,CAAC,CAAC;QACvE,OAAO,UAAU,CAAC;IACpB,CAAC;IAED,GAAG,CAAC,UAAsB;QACxB,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,QAAQ,EAAE,UAAU,CAAC,MAAM,CAAC,EAAE,UAAU,CAAC,CAAC;IACrF,CAAC;CACF;AAeD,+EAA+E;AAC/E,sBAAsB;AACtB,+EAA+E;AAE/E,MAAM,OAAO,SAAS;IACX,IAAI,CAAS;IACb,OAAO,CAAS;IAChB,KAAK,CAAU;IAExB,SAAS;IACA,QAAQ,CAAqB;IAC7B,OAAO,CAAoB;IAC3B,KAAK,CAAiB;IACtB,WAAW,CAAuB;IAClC,YAAY,CAAyB;IACrC,MAAM,CAAmB;IACzB,KAAK,CAAkB;IAEhC,WAAW;IACF,GAAG,CAAa;IAChB,cAAc,CAAiB;IAC/B,IAAI,CAAiB;IACrB,cAAc,CAAwB;IACtC,SAAS,CAAmB;IAErC,yCAAyC;IACxB,OAAO,CAItB;IAEF,YAAY,SAA0B,EAAE;QACtC,IAAI,CAAC,IAAI,GAAG,MAAM,CAAC,IAAI,IAAI,IAAI,CAAC;QAChC,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC,OAAO,IAAI,oBAAoB,IAAI,CAAC,IAAI,EAAE,CAAC;QACjE,IAAI,CAAC,KAAK,GAAG,MAAM,CAAC,KAAK,IAAI,KAAK,CAAC;QAEnC,wCAAwC;QACxC,IAAI,CAAC,OAAO,GAAG;YACb,GAAG,EAAE,aAAa,UAAU,EAAE,EAAE;YAChC,UAAU,EAAE,aAAa,UAAU,EAAE,EAAE;YACvC,KAAK,EAAE,eAAe,UAAU,EAAE,EAAE;SACrC,CAAC;QAEF,oBAAoB;QACpB,IAAI,CAAC,QAAQ,GAAG,IAAI,kBAAkB,EAAE,CAAC;QACzC,IAAI,CAAC,OAAO,GAAG,IAAI,iBAAiB,EAAE,CAAC;QACvC,IAAI,CAAC,KAAK,GAAG,IAAI,cAAc,EAAE,CAAC;QAClC,IAAI,CAAC,WAAW,GAAG,IAAI,oBAAoB,EAAE,CAAC;QAC9C,IAAI,CAAC,YAAY,GAAG,IAAI,sBAAsB,EAAE,CAAC;QACjD,IAAI,CAAC,MAAM,GAAG,IAAI,gBAAgB,EAAE,CAAC;QACrC,IAAI,CAAC,KAAK,GAAG,IAAI,eAAe,CAAC,EAAE,SAAS,EAAE,IAAI,CAAC,OAAO,CAAC,UAAU,EAAE,CAAC,CAAC;QAEzE,yBAAyB;QACzB,IAAI,CAAC,GAAG,GAAG,IAAI,UAAU,CAAC;YACxB,MAAM,EAAE,IAAI,CAAC,OAAO,CAAC,GAAG;YACxB,MAAM,EAAE,IAAI,CAAC,OAAO;SACrB,CAAC,CAAC;QAEH,6BAA6B;QAC7B,IAAI,CAAC,cAAc,GAAG,IAAI,cAAc,CAAC;YACvC,UAAU,EAAE,WAAW;YACvB,KAAK,EAAE,IAAI,CAAC,OAAO;SACpB,CAAC,CAAC;QAEH,6BAA6B;QAC7B,IAAI,CAAC,IAAI,GAAG,IAAI,cAAc,CAAC;YAC7B,UAAU,EAAE,IAAI,CAAC,GAAG;YACpB,YAAY,EAAE,IAAI,CAAC,QAAQ;YAC3B,SAAS,EAAE,IAAI,CAAC,KAAK;YACrB,eAAe,EAAE,IAAI,CAAC,WAAW;SAClC,CAAC,CAAC;QAEH,mBAAmB;QACnB,IAAI,CAAC,cAAc,GAAG,IAAI,qBAAqB,EAAE,CAAC;QAClD,IAAI,CAAC,SAAS,GAAG,IAAI,gBAAgB,CAAC;YACpC,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,WAAW,EAAE,IAAI,CAAC,OAAO,CAAC,KAAK;YAC/B,SAAS,EAAE,IAAI,CAAC,cAAc;YAC9B,gBAAgB,EAAE,IAAI,CAAC,YAAY;YACnC,UAAU,EAAE,IAAI,CAAC,MAAM;YACvB,UAAU,EAAE,IAAI,CAAC,KAAK;SACvB,CAAC,CAAC;QAEH,IAAI,CAAC,GAAG,CAAC,uBAAuB,EAAE,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC;IAChF,CAAC;IAED,8EAA8E;IAC9E,gBAAgB;IAChB,8EAA8E;IAE9E;;OAEG;IACH,YAAY,CAAC,OAIZ;QACC,MAAM,MAAM,GAAW;YACrB,EAAE,EAAE,UAAU,EAAE;YAChB,IAAI,EAAE,OAAO,CAAC,IAAI;YAClB,IAAI,EAAE,OAAO,CAAC,IAAI;YAClB,MAAM,EAAE,OAAO;YACf,IAAI,EAAE,OAAO,CAAC,IAAI,IAAI,MAAM;YAC5B,eAAe,EAAE,WAAW;YAC5B,QAAQ,EAAE;gBACR,mBAAmB,EAAE,IAAI;gBACzB,gBAAgB,EAAE,EAAE;aACrB;YACD,SAAS,EAAE,IAAI,IAAI,EAAE;SACtB,CAAC;QACF,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QACzB,IAAI,CAAC,GAAG,CAAC,gBAAgB,EAAE,EAAE,IAAI,EAAE,MAAM,CAAC,IAAI,EAAE,EAAE,EAAE,MAAM,CAAC,EAAE,EAAE,CAAC,CAAC;QACjE,OAAO,MAAM,CAAC;IAChB,CAAC;IAED;;OAEG;IACH,UAAU,CAAC,OAA8C;QACvD,MAAM,IAAI,GAAS;YACjB,EAAE,EAAE,UAAU,EAAE;YAChB,KAAK,EAAE,OAAO,CAAC,KAAK;YACpB,aAAa,EAAE,OAAO,CAAC,QAAQ,IAAI,IAAI;YACvC,SAAS,EAAE,IAAI,IAAI,EAAE;SACtB,CAAC;QACF,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACrB,IAAI,CAAC,GAAG,CAAC,cAAc,EAAE,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,EAAE,EAAE,IAAI,CAAC,EAAE,EAAE,CAAC,CAAC;QAC7D,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;OAEG;IACH,aAAa,CAAC,OAIb;QACC,MAAM,UAAU,GAAe;YAC7B,QAAQ,EAAE,OAAO,CAAC,MAAM,CAAC,EAAE;YAC3B,MAAM,EAAE,OAAO,CAAC,IAAI,CAAC,EAAE;YACvB,IAAI,EAAE,OAAO,CAAC,IAAI,IAAI,QAAQ;YAC9B,MAAM,EAAE,QAAQ;YAChB,QAAQ,EAAE,IAAI,IAAI,EAAE;SACrB,CAAC;QACF,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;QACjC,IAAI,CAAC,GAAG,CAAC,kBAAkB,EAAE;YAC3B,IAAI,EAAE,OAAO,CAAC,IAAI,CAAC,KAAK;YACxB,MAAM,EAAE,OAAO,CAAC,MAAM,CAAC,IAAI;YAC3B,IAAI,EAAE,UAAU,CAAC,IAAI;SACtB,CAAC,CAAC;QACH,OAAO,UAAU,CAAC;IACpB,CAAC;IAED;;OAEG;IACH,qBAAqB,CAAC,UAAkB,EAAE,QAAgB,EAAE,YAAoB;QAC9E,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,UAAU,EAAE,QAAQ,EAAE,YAAY,CAAC,CAAC;QACjE,IAAI,CAAC,GAAG,CAAC,2BAA2B,EAAE,EAAE,UAAU,EAAE,CAAC,CAAC;IACxD,CAAC;IAED,8EAA8E;IAC9E,qBAAqB;IACrB,8EAA8E;IAE9E;;OAEG;IACH,KAAK,CAAC,aAAa,CACjB,MAAc,EACd,IAAW;QAKX,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC;YACzC,QAAQ,EAAE,MAAM,CAAC,EAAE;YACnB,MAAM,EAAE,IAAI,EAAE,EAAE;YAChB,QAAQ,EAAE,WAAW;SACtB,CAAC,CAAC;QAEH,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,oBAAoB,CACzC,OAAO,EACP,MAAM,EACN,IAAI,EACJ,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,EAAE,IAAI,CAAC,EAAE,CAAC,CAAC,IAAI,SAAS,CAAC,CAAC,CAAC,CAAC,SAAS,CACpF,CAAC;QAEF,IAAI,CAAC,GAAG,CAAC,iBAAiB,EAAE;YAC1B,SAAS,EAAE,OAAO,CAAC,EAAE;YACrB,MAAM,EAAE,MAAM,CAAC,IAAI;YACnB,IAAI,EAAE,IAAI,EAAE,KAAK,IAAI,WAAW;SACjC,CAAC,CAAC;QAEH,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;IAC5B,CAAC;IAED,8EAA8E;IAC9E,mBAAmB;IACnB,8EAA8E;IAE9E;;OAEG;IACH,KAAK,CAAC,aAAa,CACjB,MAAc,EACd,GAAW,EACX,OAA+B,EAC/B,IAAa;QAMb,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,GAAG,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC;QAC7C,MAAM,IAAI,GAAG,SAAS,CAAC,QAAQ,CAAC;QAEhC,IAAI,CAAC,GAAG,CAAC,SAAS,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC;QAEtC,IAAI,CAAC;YACH,uBAAuB;YACvB,IAAI,IAAI,KAAK,uCAAuC,EAAE,CAAC;gBACrD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC;gBACjD,IAAI,CAAC,MAAM;oBAAE,OAAO,IAAI,CAAC,QAAQ,CAAC,kBAAkB,CAAC,CAAC;gBACtD,OAAO,8BAA8B,CAAC,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,EAAE,MAAM,CAAC,CAAC;YAC3E,CAAC;YAED,IAAI,IAAI,KAAK,yCAAyC,EAAE,CAAC;gBACvD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC;gBACjD,IAAI,CAAC,MAAM;oBAAE,OAAO,IAAI,CAAC,QAAQ,CAAC,kBAAkB,CAAC,CAAC;gBACtD,OAAO,uBAAuB,CAAC,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,EAAE,MAAM,CAAC,CAAC;YACpE,CAAC;YAED,iBAAiB;YACjB,IAAI,IAAI,KAAK,sBAAsB,EAAE,CAAC;gBACpC,MAAM,IAAI,GAAG,SAAS,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;gBAChD,MAAM,KAAK,GAAG,SAAS,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;gBAClD,IAAI,CAAC,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;oBACpB,OAAO,IAAI,CAAC,UAAU,CAAC,uBAAuB,CAAC,CAAC;gBAClD,CAAC;gBAED,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC;gBACjD,IAAI,CAAC,MAAM;oBAAE,OAAO,IAAI,CAAC,QAAQ,CAAC,kBAAkB,CAAC,CAAC;gBAEtD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,cAAc,CAAC,IAAI,EAAE,KAAK,EAAE,MAAM,CAAC,EAAE,CAAC,CAAC;gBAC3E,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;oBACpB,OAAO,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,KAAK,IAAI,uBAAuB,CAAC,CAAC;gBAClE,CAAC;gBAED,OAAO;oBACL,MAAM,EAAE,GAAG;oBACX,OAAO,EAAE,EAAE,cAAc,EAAE,WAAW,EAAE;oBACxC,IAAI,EAAE;;;;;;;;;;WAUL;iBACF,CAAC;YACJ,CAAC;YAED,6BAA6B;YAC7B,IAAI,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;gBAC1B,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC;gBACjD,IAAI,CAAC,MAAM;oBAAE,OAAO,IAAI,CAAC,QAAQ,CAAC,kBAAkB,CAAC,CAAC;gBAEtD,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,YAAY,CAAC,MAAM,EAAE,OAAO,CAAC,eAAe,CAAC,CAAC,CAAC;gBAElF,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC;oBACxB,OAAO;wBACL,MAAM,EAAE,UAAU,CAAC,KAAM,CAAC,IAAI;wBAC9B,OAAO,EAAE;4BACP,cAAc,EAAE,kBAAkB;4BAClC,GAAG,CAAC,UAAU,CAAC,KAAM,CAAC,eAAe;gCACnC,CAAC,CAAC,EAAE,kBAAkB,EAAE,UAAU,CAAC,KAAM,CAAC,eAAe,EAAE;gCAC3D,CAAC,CAAC,EAAE,CAAC;yBACR;wBACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,UAAU,CAAC,KAAM,CAAC,OAAO,EAAE,CAAC;qBAC3D,CAAC;gBACJ,CAAC;gBAED,sEAAsE;gBACtE,OAAO;oBACL,MAAM,EAAE,GAAG;oBACX,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;oBAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;wBACnB,OAAO,EAAE,oBAAoB;wBAC7B,MAAM,EAAE,MAAM,CAAC,IAAI;wBACnB,OAAO,EAAE,UAAU,CAAC,OAAO,EAAE,OAAO,EAAE,EAAE;qBACzC,CAAC;iBACH,CAAC;YACJ,CAAC;YAED,OAAO,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;QACpC,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,EAAE,KAAK,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YAC/E,OAAO;gBACL,MAAM,EAAE,GAAG;gBACX,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;gBAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,uBAAuB,EAAE,CAAC;aACzD,CAAC;QACJ,CAAC;IACH,CAAC;IAED,8EAA8E;IAC9E,UAAU;IACV,8EAA8E;IAEtE,KAAK,CAAC,aAAa,CAAC,OAA+B;QACzD,kEAAkE;QAClE,MAAM,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC,IAAI,WAAW,CAAC;QAE5C,gBAAgB;QAChB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,IAAI,EAAE,EAAE,CAAC,CAAC;QAC9E,IAAI,MAAM;YAAE,OAAO,MAAM,CAAC;QAE1B,wDAAwD;QACxD,sCAAsC;QACtC,OAAO,IAAI,CAAC;IACd,CAAC;IAEO,QAAQ,CAAC,OAAe;QAC9B,OAAO;YACL,MAAM,EAAE,GAAG;YACX,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;YAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;SACzC,CAAC;IACJ,CAAC;IAEO,UAAU,CAAC,OAAe;QAChC,OAAO;YACL,MAAM,EAAE,GAAG;YACX,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;YAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;SACzC,CAAC;IACJ,CAAC;IAEO,GAAG,CAAC,OAAe,EAAE,IAA8B;QACzD,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,GAAG,CAAC,eAAe,OAAO,EAAE,EAAE,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;QAC1E,CAAC;IACH,CAAC;IAED,8EAA8E;IAC9E,WAAW;IACX,8EAA8E;IAE9E,KAAK,CAAC,QAAQ;QACZ,MAAM,IAAI,CAAC,QAAQ,CAAC,KAAK,EAAE,CAAC;QAC5B,IAAI,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAC;IAChC,CAAC;CACF;AAED,+EAA+E;AAC/E,cAAc;AACd,+EAA+E;AAE/E;;GAEG;AACH,MAAM,UAAU,eAAe,CAAC,MAAwB;IAMtD,MAAM,IAAI,GAAG,IAAI,SAAS,CAAC,MAAM,CAAC,CAAC;IAEnC,wBAAwB;IACxB,MAAM,MAAM,GAAG,IAAI,CAAC,YAAY,CAAC;QAC/B,IAAI,EAAE,WAAW;QACjB,IAAI,EAAE,OAAO;KACd,CAAC,CAAC;IAEH,sBAAsB;IACtB,MAAM,IAAI,GAAG,IAAI,CAAC,UAAU,CAAC;QAC3B,KAAK,EAAE,eAAe;QACtB,QAAQ,EAAE,IAAI;KACf,CAAC,CAAC;IAEH,qBAAqB;IACrB,MAAM,UAAU,GAAG,IAAI,CAAC,aAAa,CAAC;QACpC,MAAM;QACN,IAAI;QACJ,IAAI,EAAE,OAAO;KACd,CAAC,CAAC;IAEH,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC;AAC5C,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,IAAe,EAAE,MAAc,EAAE,IAAW;IAC7E,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;IACzD,OAAO,KAAK,CAAC;AACf,CAAC"}

package/dist/serv/middleware/auth.d.ts

@@ -0,0 +1,66 @@
+/**
+ * Authentication Middleware
+ *
+ * Validates Bearer tokens and attaches session to request context
+ */
+import type { User, Membership, RequestContext, Tenant } from '../types/index.js';
+import type { SessionStore } from '../session/store.js';
+import type { JwtService } from '../auth/jwt.js';
+export interface UserStore {
+    findById(id: string): Promise<User | null>;
+    findByEmail(email: string): Promise<User | null>;
+}
+export interface MembershipStore {
+    find(tenantId: string, userId: string): Promise<Membership | null>;
+}
+export interface AuthMiddlewareConfig {
+    jwtService: JwtService;
+    sessionStore: SessionStore;
+    userStore?: UserStore;
+    membershipStore?: MembershipStore;
+    /** Whether to allow anonymous access (no token) */
+    allowAnonymous?: boolean;
+    /** Required role(s) for access */
+    requiredRoles?: string[];
+}
+export interface AuthResult {
+    success: boolean;
+    context?: RequestContext;
+    error?: {
+        code: number;
+        message: string;
+        wwwAuthenticate?: string;
+    };
+}
+export declare class AuthMiddleware {
+    private config;
+    constructor(config: AuthMiddlewareConfig);
+    /**
+     * Authenticate a request
+     */
+    authenticate(tenant: Tenant, authHeader?: string): Promise<AuthResult>;
+    /**
+     * Extract Bearer token from Authorization header
+     */
+    private extractBearerToken;
+    /**
+     * Build WWW-Authenticate header value
+     */
+    private buildWwwAuthenticate;
+}
+/**
+ * Check if a role has required permission
+ */
+export declare function hasPermission(role: string, requiredRoles: string[]): boolean;
+/**
+ * Parse Mcp-Session-Id header
+ */
+export declare function parseMcpSessionId(header?: string): string | null;
+/**
+ * Generate client fingerprint from request
+ */
+export declare function generateClientFingerprint(request: {
+    headers?: Record<string, string>;
+    ip?: string;
+}): string;
+//# sourceMappingURL=auth.d.ts.map

package/dist/serv/middleware/auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../../src/serv/middleware/auth.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAGV,IAAI,EACJ,UAAU,EACV,cAAc,EACd,MAAM,EACP,MAAM,mBAAmB,CAAC;AAC3B,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACxD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,gBAAgB,CAAC;AAMjD,MAAM,WAAW,SAAS;IACxB,QAAQ,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,GAAG,IAAI,CAAC,CAAC;IAC3C,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,GAAG,IAAI,CAAC,CAAC;CAClD;AAED,MAAM,WAAW,eAAe;IAC9B,IAAI,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC;CACpE;AAMD,MAAM,WAAW,oBAAoB;IACnC,UAAU,EAAE,UAAU,CAAC;IACvB,YAAY,EAAE,YAAY,CAAC;IAC3B,SAAS,CAAC,EAAE,SAAS,CAAC;IACtB,eAAe,CAAC,EAAE,eAAe,CAAC;IAClC,mDAAmD;IACnD,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,kCAAkC;IAClC,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;CAC1B;AAMD,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE,OAAO,CAAC;IACjB,OAAO,CAAC,EAAE,cAAc,CAAC;IACzB,KAAK,CAAC,EAAE;QACN,IAAI,EAAE,MAAM,CAAC;QACb,OAAO,EAAE,MAAM,CAAC;QAChB,eAAe,CAAC,EAAE,MAAM,CAAC;KAC1B,CAAC;CACH;AAMD,qBAAa,cAAc;IACzB,OAAO,CAAC,MAAM,CAAuB;gBAEzB,MAAM,EAAE,oBAAoB;IAIxC;;OAEG;IACG,YAAY,CAAC,MAAM,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;IAwG5E;;OAEG;IACH,OAAO,CAAC,kBAAkB;IAO1B;;OAEG;IACH,OAAO,CAAC,oBAAoB;CAa7B;AAMD;;GAEG;AACH,wBAAgB,aAAa,CAAC,IAAI,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,EAAE,GAAG,OAAO,CAa5E;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,MAAM,CAAC,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAGhE;AAED;;GAEG;AACH,wBAAgB,yBAAyB,CAAC,OAAO,EAAE;IACjD,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACjC,EAAE,CAAC,EAAE,MAAM,CAAC;CACb,GAAG,MAAM,CAiBT"}

package/dist/serv/middleware/auth.js

@@ -0,0 +1,178 @@
+/**
+ * Authentication Middleware
+ *
+ * Validates Bearer tokens and attaches session to request context
+ */
+// ============================================================================
+// Auth Middleware
+// ============================================================================
+export class AuthMiddleware {
+    config;
+    constructor(config) {
+        this.config = config;
+    }
+    /**
+     * Authenticate a request
+     */
+    async authenticate(tenant, authHeader) {
+        // Extract token from Authorization header
+        const token = this.extractBearerToken(authHeader);
+        // No token - check if anonymous is allowed
+        if (!token) {
+            if (this.config.allowAnonymous) {
+                return {
+                    success: true,
+                    context: { tenant },
+                };
+            }
+            return {
+                success: false,
+                error: {
+                    code: 401,
+                    message: 'Authorization required',
+                    wwwAuthenticate: this.buildWwwAuthenticate(tenant),
+                },
+            };
+        }
+        // Verify JWT
+        const payload = this.config.jwtService.verifySessionToken(token);
+        if (!payload) {
+            return {
+                success: false,
+                error: {
+                    code: 401,
+                    message: 'Invalid or expired token',
+                    wwwAuthenticate: this.buildWwwAuthenticate(tenant, 'invalid_token'),
+                },
+            };
+        }
+        // Verify tenant matches
+        if (payload.tenant_id !== tenant.id) {
+            return {
+                success: false,
+                error: {
+                    code: 403,
+                    message: 'Token not valid for this tenant',
+                },
+            };
+        }
+        // Get session from store
+        const session = await this.config.sessionStore.get(payload.mcp_session_id);
+        if (!session) {
+            return {
+                success: false,
+                error: {
+                    code: 401,
+                    message: 'Session expired or invalid',
+                    wwwAuthenticate: this.buildWwwAuthenticate(tenant, 'invalid_token'),
+                },
+            };
+        }
+        // Touch session for sliding expiration
+        await this.config.sessionStore.touch(session.id);
+        // Build context
+        const context = {
+            tenant,
+            session,
+        };
+        // Load user if available
+        if (payload.user_id && this.config.userStore) {
+            const user = await this.config.userStore.findById(payload.user_id);
+            if (user) {
+                context.user = user;
+                // Load membership
+                if (this.config.membershipStore) {
+                    const membership = await this.config.membershipStore.find(tenant.id, user.id);
+                    if (membership) {
+                        context.membership = membership;
+                    }
+                }
+            }
+        }
+        // Check required roles
+        if (this.config.requiredRoles && this.config.requiredRoles.length > 0) {
+            if (!context.membership || !this.config.requiredRoles.includes(context.membership.role)) {
+                return {
+                    success: false,
+                    error: {
+                        code: 403,
+                        message: 'Insufficient permissions',
+                    },
+                };
+            }
+        }
+        return {
+            success: true,
+            context,
+        };
+    }
+    /**
+     * Extract Bearer token from Authorization header
+     */
+    extractBearerToken(header) {
+        if (!header)
+            return null;
+        const match = header.match(/^Bearer\s+(.+)$/i);
+        return match ? match[1] : null;
+    }
+    /**
+     * Build WWW-Authenticate header value
+     */
+    buildWwwAuthenticate(tenant, error) {
+        const parts = [
+            'Bearer',
+            `realm="${tenant.slug}"`,
+            'resource_metadata="/.well-known/oauth-protected-resource"',
+        ];
+        if (error) {
+            parts.push(`error="${error}"`);
+        }
+        return parts.join(', ');
+    }
+}
+// ============================================================================
+// Helper Functions
+// ============================================================================
+/**
+ * Check if a role has required permission
+ */
+export function hasPermission(role, requiredRoles) {
+    // Role hierarchy: owner > admin > member > viewer
+    const hierarchy = {
+        owner: 4,
+        admin: 3,
+        member: 2,
+        viewer: 1,
+    };
+    const userLevel = hierarchy[role] ?? 0;
+    const minRequired = Math.min(...requiredRoles.map((r) => hierarchy[r] ?? 999));
+    return userLevel >= minRequired;
+}
+/**
+ * Parse Mcp-Session-Id header
+ */
+export function parseMcpSessionId(header) {
+    if (!header)
+        return null;
+    return header.trim() || null;
+}
+/**
+ * Generate client fingerprint from request
+ */
+export function generateClientFingerprint(request) {
+    const parts = [
+        request.headers?.['user-agent'] ?? '',
+        request.headers?.['accept-language'] ?? '',
+        request.ip ?? '',
+    ];
+    // Simple hash of concatenated parts
+    let hash = 0;
+    const str = parts.join('|');
+    for (let i = 0; i < str.length; i++) {
+        const char = str.charCodeAt(i);
+        hash = (hash << 5) - hash + char;
+        hash = hash & hash;
+    }
+    return Math.abs(hash).toString(36);
+}
+//# sourceMappingURL=auth.js.map

package/dist/serv/middleware/auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.js","sourceRoot":"","sources":["../../../src/serv/middleware/auth.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAuDH,+EAA+E;AAC/E,kBAAkB;AAClB,+EAA+E;AAE/E,MAAM,OAAO,cAAc;IACjB,MAAM,CAAuB;IAErC,YAAY,MAA4B;QACtC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;IACvB,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,YAAY,CAAC,MAAc,EAAE,UAAmB;QACpD,0CAA0C;QAC1C,MAAM,KAAK,GAAG,IAAI,CAAC,kBAAkB,CAAC,UAAU,CAAC,CAAC;QAElD,2CAA2C;QAC3C,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,IAAI,IAAI,CAAC,MAAM,CAAC,cAAc,EAAE,CAAC;gBAC/B,OAAO;oBACL,OAAO,EAAE,IAAI;oBACb,OAAO,EAAE,EAAE,MAAM,EAAE;iBACpB,CAAC;YACJ,CAAC;YAED,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE;oBACL,IAAI,EAAE,GAAG;oBACT,OAAO,EAAE,wBAAwB;oBACjC,eAAe,EAAE,IAAI,CAAC,oBAAoB,CAAC,MAAM,CAAC;iBACnD;aACF,CAAC;QACJ,CAAC;QAED,aAAa;QACb,MAAM,OAAO,GAAG,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,kBAAkB,CAAC,KAAK,CAAC,CAAC;QACjE,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE;oBACL,IAAI,EAAE,GAAG;oBACT,OAAO,EAAE,0BAA0B;oBACnC,eAAe,EAAE,IAAI,CAAC,oBAAoB,CAAC,MAAM,EAAE,eAAe,CAAC;iBACpE;aACF,CAAC;QACJ,CAAC;QAED,wBAAwB;QACxB,IAAI,OAAO,CAAC,SAAS,KAAK,MAAM,CAAC,EAAE,EAAE,CAAC;YACpC,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE;oBACL,IAAI,EAAE,GAAG;oBACT,OAAO,EAAE,iCAAiC;iBAC3C;aACF,CAAC;QACJ,CAAC;QAED,yBAAyB;QACzB,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC;QAC3E,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE;oBACL,IAAI,EAAE,GAAG;oBACT,OAAO,EAAE,4BAA4B;oBACrC,eAAe,EAAE,IAAI,CAAC,oBAAoB,CAAC,MAAM,EAAE,eAAe,CAAC;iBACpE;aACF,CAAC;QACJ,CAAC;QAED,uCAAuC;QACvC,MAAM,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;QAEjD,gBAAgB;QAChB,MAAM,OAAO,GAAmB;YAC9B,MAAM;YACN,OAAO;SACR,CAAC;QAEF,yBAAyB;QACzB,IAAI,OAAO,CAAC,OAAO,IAAI,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;YAC7C,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;YACnE,IAAI,IAAI,EAAE,CAAC;gBACT,OAAO,CAAC,IAAI,GAAG,IAAI,CAAC;gBAEpB,kBAAkB;gBAClB,IAAI,IAAI,CAAC,MAAM,CAAC,eAAe,EAAE,CAAC;oBAChC,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,eAAe,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,EAAE,IAAI,CAAC,EAAE,CAAC,CAAC;oBAC9E,IAAI,UAAU,EAAE,CAAC;wBACf,OAAO,CAAC,UAAU,GAAG,UAAU,CAAC;oBAClC,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,uBAAuB;QACvB,IAAI,IAAI,CAAC,MAAM,CAAC,aAAa,IAAI,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACtE,IAAI,CAAC,OAAO,CAAC,UAAU,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,QAAQ,CAAC,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;gBACxF,OAAO;oBACL,OAAO,EAAE,KAAK;oBACd,KAAK,EAAE;wBACL,IAAI,EAAE,GAAG;wBACT,OAAO,EAAE,0BAA0B;qBACpC;iBACF,CAAC;YACJ,CAAC;QACH,CAAC;QAED,OAAO;YACL,OAAO,EAAE,IAAI;YACb,OAAO;SACR,CAAC;IACJ,CAAC;IAED;;OAEG;IACK,kBAAkB,CAAC,MAAe;QACxC,IAAI,CAAC,MAAM;YAAE,OAAO,IAAI,CAAC;QAEzB,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC;QAC/C,OAAO,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IACjC,CAAC;IAED;;OAEG;IACK,oBAAoB,CAAC,MAAc,EAAE,KAAc;QACzD,MAAM,KAAK,GAAG;YACZ,QAAQ;YACR,UAAU,MAAM,CAAC,IAAI,GAAG;YACxB,2DAA2D;SAC5D,CAAC;QAEF,IAAI,KAAK,EAAE,CAAC;YACV,KAAK,CAAC,IAAI,CAAC,UAAU,KAAK,GAAG,CAAC,CAAC;QACjC,CAAC;QAED,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC1B,CAAC;CACF;AAED,+EAA+E;AAC/E,mBAAmB;AACnB,+EAA+E;AAE/E;;GAEG;AACH,MAAM,UAAU,aAAa,CAAC,IAAY,EAAE,aAAuB;IACjE,kDAAkD;IAClD,MAAM,SAAS,GAA2B;QACxC,KAAK,EAAE,CAAC;QACR,KAAK,EAAE,CAAC;QACR,MAAM,EAAE,CAAC;QACT,MAAM,EAAE,CAAC;KACV,CAAC;IAEF,MAAM,SAAS,GAAG,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACvC,MAAM,WAAW,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,CAAC,CAAC;IAE/E,OAAO,SAAS,IAAI,WAAW,CAAC;AAClC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,iBAAiB,CAAC,MAAe;IAC/C,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IACzB,OAAO,MAAM,CAAC,IAAI,EAAE,IAAI,IAAI,CAAC;AAC/B,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,yBAAyB,CAAC,OAGzC;IACC,MAAM,KAAK,GAAG;QACZ,OAAO,CAAC,OAAO,EAAE,CAAC,YAAY,CAAC,IAAI,EAAE;QACrC,OAAO,CAAC,OAAO,EAAE,CAAC,iBAAiB,CAAC,IAAI,EAAE;QAC1C,OAAO,CAAC,EAAE,IAAI,EAAE;KACjB,CAAC;IAEF,oCAAoC;IACpC,IAAI,IAAI,GAAG,CAAC,CAAC;IACb,MAAM,GAAG,GAAG,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC5B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACpC,MAAM,IAAI,GAAG,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;QAC/B,IAAI,GAAG,CAAC,IAAI,IAAI,CAAC,CAAC,GAAG,IAAI,GAAG,IAAI,CAAC;QACjC,IAAI,GAAG,IAAI,GAAG,IAAI,CAAC;IACrB,CAAC;IAED,OAAO,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;AACrC,CAAC"}