@scupit/mcp-ecosystem 0.1.0

package/dist/commands/reconcile-server.js

@@ -0,0 +1,213 @@
+import { logger } from "../utils/index.js";
+import { deriveCanonicalResourceUri, resolveScopes, resolveGrantTargets, } from "../config/index.js";
+import { reconcileClient } from "./reconcile-client.js";
+const SCOPE_DESCRIPTIONS = {
+    "resources.read": "Read MCP resources",
+    "prompts.read": "Read MCP prompts",
+    "tools.read": "Execute read-only tools",
+    "tools.write": "Execute mutating tools",
+};
+export async function reconcileServer(ctx, serverSlug) {
+    const { config } = ctx;
+    const serverConfig = config.serverConfigs.get(serverSlug);
+    if (!serverConfig) {
+        throw new Error(`Unknown server slug: "${serverSlug}"`);
+    }
+    const ecosystem = config.ecosystem;
+    const identifier = deriveCanonicalResourceUri(ecosystem, serverConfig.slug);
+    const allScopes = resolveScopes(ecosystem, serverConfig);
+    logger.info(`Reconciling server: ${serverConfig.name} (${serverConfig.slug})`);
+    logger.debug(`  Identifier: ${identifier}`);
+    logger.debug(`  Scopes: ${allScopes.join(", ")}`);
+    // ── Phase 1: Reconcile Auth0 API ──
+    const apiResult = await reconcileApi(ctx, serverConfig, identifier, allScopes);
+    // ── Phase 2: Reconcile access policy ──
+    if (apiResult.action !== "dry_run") {
+        await reconcileAccessPolicy(ctx, apiResult.auth0ApiId, serverConfig);
+    }
+    // ── Phase 3: Reconcile client grants ──
+    const grantTargets = resolveGrantTargets(ecosystem, serverConfig, config.clientConfigs);
+    const grantResults = [];
+    for (const target of grantTargets) {
+        const clientConfig = config.clientConfigs.get(target.clientKey);
+        if (!clientConfig) {
+            logger.warn(`  Skipping grant for unknown client: ${target.clientKey}`);
+            continue;
+        }
+        let clientId = clientConfig.auth0.existing_client_id;
+        if (!clientId) {
+            logger.info(`  Ensuring client "${target.clientKey}" exists...`);
+            const clientResult = await reconcileClient(ctx, target.clientKey);
+            clientId = clientResult.clientId;
+        }
+        if (!clientId || clientId === "__DRY_RUN__") {
+            grantResults.push({
+                clientKey: target.clientKey,
+                clientId: clientId ?? "__DRY_RUN__",
+                action: "dry_run",
+                scopes: target.scopes,
+                subjectType: target.subjectType,
+            });
+            continue;
+        }
+        if (target.subjectType === "client" &&
+            resolveClientAccessPolicy(serverConfig) === "deny_all") {
+            logger.warn(`  Server "${serverSlug}" has client access policy deny_all. ` +
+                `Skipping M2M grant for "${target.clientKey}". ` +
+                `Set access_policy.client to "require_client_grant" to enable.`);
+            continue;
+        }
+        const grantResult = await reconcileGrant(ctx, target.clientKey, clientId, identifier, target.scopes, target.subjectType);
+        grantResults.push(grantResult);
+    }
+    logger.blank();
+    logger.success(`Server "${serverConfig.name}" reconciliation complete.`);
+    return {
+        slug: serverConfig.slug,
+        apiIdentifier: identifier,
+        auth0ApiId: apiResult.auth0ApiId,
+        action: apiResult.action,
+        scopes: allScopes,
+        grantResults,
+    };
+}
+async function reconcileApi(ctx, server, identifier, scopes) {
+    const { config, auth0, dryRun } = ctx;
+    const ecosystem = config.ecosystem;
+    const signingAlg = ecosystem.defaults.api.signing_alg;
+    const tokenDialect = ecosystem.defaults.api.token_dialect;
+    const scopePayload = scopes.map((s) => ({
+        value: s,
+        description: SCOPE_DESCRIPTIONS[s] ?? `Scope: ${s}`,
+    }));
+    if (server.auth0?.existing_api_id) {
+        logger.info(`  Using existing API ID: ${server.auth0.existing_api_id}`);
+        const existing = await auth0.getApi(server.auth0.existing_api_id);
+        return reconcileExistingApi(ctx, existing, server, scopePayload, signingAlg, tokenDialect);
+    }
+    logger.info("  Searching for existing Auth0 API by identifier...");
+    const existing = await auth0.findApiByIdentifier(identifier);
+    if (existing) {
+        logger.info(`  Found existing API: ${existing.name} (${existing.id})`);
+        return reconcileExistingApi(ctx, existing, server, scopePayload, signingAlg, tokenDialect);
+    }
+    if (server.auth0?.create_api_if_missing === false) {
+        throw new Error(`No Auth0 API found for identifier "${identifier}" and create_api_if_missing is false.`);
+    }
+    if (dryRun) {
+        logger.info("  [DRY RUN] Would create Auth0 API.");
+        return { auth0ApiId: "__DRY_RUN__", action: "dry_run" };
+    }
+    logger.info("  Creating Auth0 API...");
+    const newApi = await auth0.createApi({
+        name: server.name,
+        identifier,
+        signing_alg: signingAlg,
+        token_dialect: tokenDialect,
+        enforce_policies: true,
+        scopes: scopePayload,
+    });
+    logger.success(`  API created: ${newApi.name} (${newApi.id})`);
+    return { auth0ApiId: newApi.id, action: "created" };
+}
+async function reconcileExistingApi(ctx, existing, _server, desiredScopes, signingAlg, tokenDialect) {
+    const { auth0, dryRun } = ctx;
+    const needsUpdate = existing.signing_alg !== signingAlg ||
+        existing.token_dialect !== tokenDialect ||
+        !scopesMatch(existing.scopes ?? [], desiredScopes);
+    if (!needsUpdate) {
+        logger.info("  API is up to date.");
+        return { auth0ApiId: existing.id, action: "unchanged" };
+    }
+    if (dryRun) {
+        logger.info("  [DRY RUN] Would update Auth0 API.");
+        return { auth0ApiId: existing.id, action: "dry_run" };
+    }
+    logger.info("  Updating Auth0 API...");
+    await auth0.updateApi(existing.id, {
+        signing_alg: signingAlg,
+        token_dialect: tokenDialect,
+        enforce_policies: true,
+        scopes: desiredScopes,
+    });
+    logger.success("  API updated.");
+    return { auth0ApiId: existing.id, action: "updated" };
+}
+function scopesMatch(existing, desired) {
+    const existingValues = new Set(existing.map((s) => s.value));
+    const desiredValues = new Set(desired.map((s) => s.value));
+    if (existingValues.size !== desiredValues.size)
+        return false;
+    for (const v of desiredValues) {
+        if (!existingValues.has(v))
+            return false;
+    }
+    return true;
+}
+async function reconcileAccessPolicy(ctx, apiId, server) {
+    const { auth0, dryRun, config } = ctx;
+    const userPolicy = server.access_policy?.user ?? config.ecosystem.defaults.api.user_access_policy;
+    const clientPolicy = server.access_policy?.client ??
+        config.ecosystem.defaults.api.client_access_policy;
+    logger.debug(`  Access policy: user=${userPolicy}, client=${clientPolicy}`);
+    if (dryRun) {
+        logger.info("  [DRY RUN] Would update access policy.");
+        return;
+    }
+    try {
+        await auth0.updateApi(apiId, {
+            enforce_policies: true,
+        });
+    }
+    catch {
+        logger.debug("  Note: Access policy enforcement may need to be configured via the Auth0 Dashboard " +
+            "if the Management API does not support direct subject_type_authorization patches.");
+    }
+}
+function resolveClientAccessPolicy(server) {
+    return server.access_policy?.client ?? "deny_all";
+}
+async function reconcileGrant(ctx, clientKey, clientId, audience, scopes, subjectType) {
+    const { auth0, dryRun } = ctx;
+    logger.info(`  Reconciling grant: ${clientKey} -> ${audience} (${subjectType})`);
+    logger.debug(`    Scopes: ${scopes.join(", ")}`);
+    const existingGrant = await auth0.findClientGrant(clientId, audience, subjectType);
+    if (existingGrant) {
+        const existingScopes = new Set(existingGrant.scope);
+        const desiredScopes = new Set(scopes);
+        const scopesEqual = existingScopes.size === desiredScopes.size &&
+            [...desiredScopes].every((s) => existingScopes.has(s));
+        if (scopesEqual) {
+            logger.info(`    Grant exists and is up to date.`);
+            return {
+                clientKey,
+                clientId,
+                action: "unchanged",
+                scopes,
+                subjectType,
+            };
+        }
+        if (dryRun) {
+            logger.info(`    [DRY RUN] Would update grant scopes.`);
+            return { clientKey, clientId, action: "dry_run", scopes, subjectType };
+        }
+        logger.info(`    Updating grant scopes...`);
+        await auth0.updateClientGrant(existingGrant.id, { scope: scopes });
+        logger.success(`    Grant updated.`);
+        return { clientKey, clientId, action: "updated", scopes, subjectType };
+    }
+    if (dryRun) {
+        logger.info(`    [DRY RUN] Would create grant.`);
+        return { clientKey, clientId, action: "dry_run", scopes, subjectType };
+    }
+    logger.info(`    Creating grant...`);
+    await auth0.createClientGrant({
+        client_id: clientId,
+        audience,
+        scope: scopes,
+        subject_type: subjectType,
+    });
+    logger.success(`    Grant created.`);
+    return { clientKey, clientId, action: "created", scopes, subjectType };
+}
+//# sourceMappingURL=reconcile-server.js.map

package/dist/commands/reconcile-server.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"reconcile-server.js","sourceRoot":"","sources":["../../src/commands/reconcile-server.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,MAAM,EAAE,MAAM,mBAAmB,CAAC;AAC3C,OAAO,EACL,0BAA0B,EAC1B,aAAa,EACb,mBAAmB,GACpB,MAAM,oBAAoB,CAAC;AAG5B,OAAO,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAExD,MAAM,kBAAkB,GAA2B;IACjD,gBAAgB,EAAE,oBAAoB;IACtC,cAAc,EAAE,kBAAkB;IAClC,YAAY,EAAE,yBAAyB;IACvC,aAAa,EAAE,wBAAwB;CACxC,CAAC;AAmBF,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,GAAmB,EACnB,UAAkB;IAElB,MAAM,EAAE,MAAM,EAAE,GAAG,GAAG,CAAC;IACvB,MAAM,YAAY,GAAG,MAAM,CAAC,aAAa,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IAC1D,IAAI,CAAC,YAAY,EAAE,CAAC;QAClB,MAAM,IAAI,KAAK,CAAC,yBAAyB,UAAU,GAAG,CAAC,CAAC;IAC1D,CAAC;IAED,MAAM,SAAS,GAAG,MAAM,CAAC,SAAS,CAAC;IACnC,MAAM,UAAU,GAAG,0BAA0B,CAAC,SAAS,EAAE,YAAY,CAAC,IAAI,CAAC,CAAC;IAC5E,MAAM,SAAS,GAAG,aAAa,CAAC,SAAS,EAAE,YAAY,CAAC,CAAC;IAEzD,MAAM,CAAC,IAAI,CACT,uBAAuB,YAAY,CAAC,IAAI,KAAK,YAAY,CAAC,IAAI,GAAG,CAClE,CAAC;IACF,MAAM,CAAC,KAAK,CAAC,iBAAiB,UAAU,EAAE,CAAC,CAAC;IAC5C,MAAM,CAAC,KAAK,CAAC,aAAa,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAElD,qCAAqC;IAErC,MAAM,SAAS,GAAG,MAAM,YAAY,CAAC,GAAG,EAAE,YAAY,EAAE,UAAU,EAAE,SAAS,CAAC,CAAC;IAE/E,yCAAyC;IAEzC,IAAI,SAAS,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;QACnC,MAAM,qBAAqB,CAAC,GAAG,EAAE,SAAS,CAAC,UAAU,EAAE,YAAY,CAAC,CAAC;IACvE,CAAC;IAED,yCAAyC;IAEzC,MAAM,YAAY,GAAG,mBAAmB,CACtC,SAAS,EACT,YAAY,EACZ,MAAM,CAAC,aAAa,CACrB,CAAC;IAEF,MAAM,YAAY,GAAkB,EAAE,CAAC;IAEvC,KAAK,MAAM,MAAM,IAAI,YAAY,EAAE,CAAC;QAClC,MAAM,YAAY,GAAG,MAAM,CAAC,aAAa,CAAC,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QAChE,IAAI,CAAC,YAAY,EAAE,CAAC;YAClB,MAAM,CAAC,IAAI,CACT,wCAAwC,MAAM,CAAC,SAAS,EAAE,CAC3D,CAAC;YACF,SAAS;QACX,CAAC;QAED,IAAI,QAAQ,GAAG,YAAY,CAAC,KAAK,CAAC,kBAAkB,CAAC;QAErD,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,CAAC,IAAI,CAAC,sBAAsB,MAAM,CAAC,SAAS,aAAa,CAAC,CAAC;YACjE,MAAM,YAAY,GAAG,MAAM,eAAe,CAAC,GAAG,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC;YAClE,QAAQ,GAAG,YAAY,CAAC,QAAQ,CAAC;QACnC,CAAC;QAED,IAAI,CAAC,QAAQ,IAAI,QAAQ,KAAK,aAAa,EAAE,CAAC;YAC5C,YAAY,CAAC,IAAI,CAAC;gBAChB,SAAS,EAAE,MAAM,CAAC,SAAS;gBAC3B,QAAQ,EAAE,QAAQ,IAAI,aAAa;gBACnC,MAAM,EAAE,SAAS;gBACjB,MAAM,EAAE,MAAM,CAAC,MAAM;gBACrB,WAAW,EAAE,MAAM,CAAC,WAAW;aAChC,CAAC,CAAC;YACH,SAAS;QACX,CAAC;QAED,IACE,MAAM,CAAC,WAAW,KAAK,QAAQ;YAC/B,yBAAyB,CAAC,YAAY,CAAC,KAAK,UAAU,EACtD,CAAC;YACD,MAAM,CAAC,IAAI,CACT,aAAa,UAAU,uCAAuC;gBAC5D,2BAA2B,MAAM,CAAC,SAAS,KAAK;gBAChD,+DAA+D,CAClE,CAAC;YACF,SAAS;QACX,CAAC;QAED,MAAM,WAAW,GAAG,MAAM,cAAc,CACtC,GAAG,EACH,MAAM,CAAC,SAAS,EAChB,QAAQ,EACR,UAAU,EACV,MAAM,CAAC,MAAM,EACb,MAAM,CAAC,WAAW,CACnB,CAAC;QACF,YAAY,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IACjC,CAAC;IAED,MAAM,CAAC,KAAK,EAAE,CAAC;IACf,MAAM,CAAC,OAAO,CAAC,WAAW,YAAY,CAAC,IAAI,4BAA4B,CAAC,CAAC;IAEzE,OAAO;QACL,IAAI,EAAE,YAAY,CAAC,IAAI;QACvB,aAAa,EAAE,UAAU;QACzB,UAAU,EAAE,SAAS,CAAC,UAAU;QAChC,MAAM,EAAE,SAAS,CAAC,MAAM;QACxB,MAAM,EAAE,SAAS;QACjB,YAAY;KACb,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,YAAY,CACzB,GAAmB,EACnB,MAAoB,EACpB,UAAkB,EAClB,MAAgB;IAKhB,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,GAAG,CAAC;IACtC,MAAM,SAAS,GAAG,MAAM,CAAC,SAAS,CAAC;IAEnC,MAAM,UAAU,GAAG,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC,WAAW,CAAC;IACtD,MAAM,YAAY,GAAG,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC,aAAa,CAAC;IAE1D,MAAM,YAAY,GAAoB,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QACvD,KAAK,EAAE,CAAC;QACR,WAAW,EAAE,kBAAkB,CAAC,CAAC,CAAC,IAAI,UAAU,CAAC,EAAE;KACpD,CAAC,CAAC,CAAC;IAEJ,IAAI,MAAM,CAAC,KAAK,EAAE,eAAe,EAAE,CAAC;QAClC,MAAM,CAAC,IAAI,CACT,4BAA4B,MAAM,CAAC,KAAK,CAAC,eAAe,EAAE,CAC3D,CAAC;QACF,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,eAAe,CAAC,CAAC;QAClE,OAAO,oBAAoB,CACzB,GAAG,EACH,QAAQ,EACR,MAAM,EACN,YAAY,EACZ,UAAU,EACV,YAAY,CACb,CAAC;IACJ,CAAC;IAED,MAAM,CAAC,IAAI,CAAC,qDAAqD,CAAC,CAAC;IACnE,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,mBAAmB,CAAC,UAAU,CAAC,CAAC;IAE7D,IAAI,QAAQ,EAAE,CAAC;QACb,MAAM,CAAC,IAAI,CAAC,yBAAyB,QAAQ,CAAC,IAAI,KAAK,QAAQ,CAAC,EAAE,GAAG,CAAC,CAAC;QACvE,OAAO,oBAAoB,CACzB,GAAG,EACH,QAAQ,EACR,MAAM,EACN,YAAY,EACZ,UAAU,EACV,YAAY,CACb,CAAC;IACJ,CAAC;IAED,IAAI,MAAM,CAAC,KAAK,EAAE,qBAAqB,KAAK,KAAK,EAAE,CAAC;QAClD,MAAM,IAAI,KAAK,CACb,sCAAsC,UAAU,uCAAuC,CACxF,CAAC;IACJ,CAAC;IAED,IAAI,MAAM,EAAE,CAAC;QACX,MAAM,CAAC,IAAI,CAAC,qCAAqC,CAAC,CAAC;QACnD,OAAO,EAAE,UAAU,EAAE,aAAa,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC;IAC1D,CAAC;IAED,MAAM,CAAC,IAAI,CAAC,yBAAyB,CAAC,CAAC;IACvC,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,SAAS,CAAC;QACnC,IAAI,EAAE,MAAM,CAAC,IAAI;QACjB,UAAU;QACV,WAAW,EAAE,UAAU;QACvB,aAAa,EAAE,YAAY;QAC3B,gBAAgB,EAAE,IAAI;QACtB,MAAM,EAAE,YAAY;KACrB,CAAC,CAAC;IAEH,MAAM,CAAC,OAAO,CAAC,kBAAkB,MAAM,CAAC,IAAI,KAAK,MAAM,CAAC,EAAE,GAAG,CAAC,CAAC;IAC/D,OAAO,EAAE,UAAU,EAAE,MAAM,CAAC,EAAE,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC;AACtD,CAAC;AAED,KAAK,UAAU,oBAAoB,CACjC,GAAmB,EACnB,QAAkB,EAClB,OAAqB,EACrB,aAA8B,EAC9B,UAAkB,EAClB,YAAoB;IAKpB,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,GAAG,CAAC;IAE9B,MAAM,WAAW,GACf,QAAQ,CAAC,WAAW,KAAK,UAAU;QACnC,QAAQ,CAAC,aAAa,KAAK,YAAY;QACvC,CAAC,WAAW,CAAC,QAAQ,CAAC,MAAM,IAAI,EAAE,EAAE,aAAa,CAAC,CAAC;IAErD,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,MAAM,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC;QACpC,OAAO,EAAE,UAAU,EAAE,QAAQ,CAAC,EAAE,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC;IAC1D,CAAC;IAED,IAAI,MAAM,EAAE,CAAC;QACX,MAAM,CAAC,IAAI,CAAC,qCAAqC,CAAC,CAAC;QACnD,OAAO,EAAE,UAAU,EAAE,QAAQ,CAAC,EAAE,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC;IACxD,CAAC;IAED,MAAM,CAAC,IAAI,CAAC,yBAAyB,CAAC,CAAC;IACvC,MAAM,KAAK,CAAC,SAAS,CAAC,QAAQ,CAAC,EAAE,EAAE;QACjC,WAAW,EAAE,UAAU;QACvB,aAAa,EAAE,YAAY;QAC3B,gBAAgB,EAAE,IAAI;QACtB,MAAM,EAAE,aAAa;KACtB,CAAC,CAAC;IAEH,MAAM,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC;IACjC,OAAO,EAAE,UAAU,EAAE,QAAQ,CAAC,EAAE,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC;AACxD,CAAC;AAED,SAAS,WAAW,CAClB,QAAyB,EACzB,OAAwB;IAExB,MAAM,cAAc,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC;IAC7D,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC;IAC3D,IAAI,cAAc,CAAC,IAAI,KAAK,aAAa,CAAC,IAAI;QAAE,OAAO,KAAK,CAAC;IAC7D,KAAK,MAAM,CAAC,IAAI,aAAa,EAAE,CAAC;QAC9B,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC;YAAE,OAAO,KAAK,CAAC;IAC3C,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,KAAK,UAAU,qBAAqB,CAClC,GAAmB,EACnB,KAAa,EACb,MAAoB;IAEpB,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,GAAG,CAAC;IACtC,MAAM,UAAU,GACd,MAAM,CAAC,aAAa,EAAE,IAAI,IAAI,MAAM,CAAC,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC,kBAAkB,CAAC;IACjF,MAAM,YAAY,GAChB,MAAM,CAAC,aAAa,EAAE,MAAM;QAC5B,MAAM,CAAC,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC,oBAAoB,CAAC;IAErD,MAAM,CAAC,KAAK,CAAC,yBAAyB,UAAU,YAAY,YAAY,EAAE,CAAC,CAAC;IAE5E,IAAI,MAAM,EAAE,CAAC;QACX,MAAM,CAAC,IAAI,CAAC,yCAAyC,CAAC,CAAC;QACvD,OAAO;IACT,CAAC;IAED,IAAI,CAAC;QACH,MAAM,KAAK,CAAC,SAAS,CAAC,KAAK,EAAE;YAC3B,gBAAgB,EAAE,IAAI;SAC6C,CAAC,CAAC;IACzE,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,CAAC,KAAK,CACV,sFAAsF;YACpF,mFAAmF,CACtF,CAAC;IACJ,CAAC;AACH,CAAC;AAED,SAAS,yBAAyB,CAAC,MAAoB;IACrD,OAAO,MAAM,CAAC,aAAa,EAAE,MAAM,IAAI,UAAU,CAAC;AACpD,CAAC;AAED,KAAK,UAAU,cAAc,CAC3B,GAAmB,EACnB,SAAiB,EACjB,QAAgB,EAChB,QAAgB,EAChB,MAAgB,EAChB,WAAmB;IAEnB,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,GAAG,CAAC;IAE9B,MAAM,CAAC,IAAI,CACT,wBAAwB,SAAS,OAAO,QAAQ,KAAK,WAAW,GAAG,CACpE,CAAC;IACF,MAAM,CAAC,KAAK,CAAC,eAAe,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEjD,MAAM,aAAa,GAAG,MAAM,KAAK,CAAC,eAAe,CAC/C,QAAQ,EACR,QAAQ,EACR,WAAW,CACZ,CAAC;IAEF,IAAI,aAAa,EAAE,CAAC;QAClB,MAAM,cAAc,GAAG,IAAI,GAAG,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC;QACpD,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC;QACtC,MAAM,WAAW,GACf,cAAc,CAAC,IAAI,KAAK,aAAa,CAAC,IAAI;YAC1C,CAAC,GAAG,aAAa,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;QAEzD,IAAI,WAAW,EAAE,CAAC;YAChB,MAAM,CAAC,IAAI,CAAC,qCAAqC,CAAC,CAAC;YACnD,OAAO;gBACL,SAAS;gBACT,QAAQ;gBACR,MAAM,EAAE,WAAW;gBACnB,MAAM;gBACN,WAAW;aACZ,CAAC;QACJ,CAAC;QAED,IAAI,MAAM,EAAE,CAAC;YACX,MAAM,CAAC,IAAI,CAAC,0CAA0C,CAAC,CAAC;YACxD,OAAO,EAAE,SAAS,EAAE,QAAQ,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC;QACzE,CAAC;QAED,MAAM,CAAC,IAAI,CAAC,8BAA8B,CAAC,CAAC;QAC5C,MAAM,KAAK,CAAC,iBAAiB,CAAC,aAAa,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;QACnE,MAAM,CAAC,OAAO,CAAC,oBAAoB,CAAC,CAAC;QACrC,OAAO,EAAE,SAAS,EAAE,QAAQ,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC;IACzE,CAAC;IAED,IAAI,MAAM,EAAE,CAAC;QACX,MAAM,CAAC,IAAI,CAAC,mCAAmC,CAAC,CAAC;QACjD,OAAO,EAAE,SAAS,EAAE,QAAQ,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC;IACzE,CAAC;IAED,MAAM,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;IACrC,MAAM,KAAK,CAAC,iBAAiB,CAAC;QAC5B,SAAS,EAAE,QAAQ;QACnB,QAAQ;QACR,KAAK,EAAE,MAAM;QACb,YAAY,EAAE,WAAW;KAC1B,CAAC,CAAC;IACH,MAAM,CAAC,OAAO,CAAC,oBAAoB,CAAC,CAAC;IAErC,OAAO,EAAE,SAAS,EAAE,QAAQ,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC;AACzE,CAAC"}

package/dist/commands/verify-tenant.d.ts

@@ -0,0 +1,10 @@
+import type { CommandContext } from "../utils/index.js";
+export interface VerifyTenantResult {
+    tenantDomain: string;
+    managementAudience: string;
+    resourceParameterCompatibility: boolean;
+    manualActionRequired: boolean;
+    message: string;
+}
+export declare function verifyTenant(ctx: CommandContext): Promise<VerifyTenantResult>;
+//# sourceMappingURL=verify-tenant.d.ts.map

package/dist/commands/verify-tenant.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify-tenant.d.ts","sourceRoot":"","sources":["../../src/commands/verify-tenant.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AAGxD,MAAM,WAAW,kBAAkB;IACjC,YAAY,EAAE,MAAM,CAAC;IACrB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,8BAA8B,EAAE,OAAO,CAAC;IACxC,oBAAoB,EAAE,OAAO,CAAC;IAC9B,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,wBAAsB,YAAY,CAChC,GAAG,EAAE,cAAc,GAClB,OAAO,CAAC,kBAAkB,CAAC,CAoG7B"}

package/dist/commands/verify-tenant.js

@@ -0,0 +1,76 @@
+import { logger } from "../utils/index.js";
+export async function verifyTenant(ctx) {
+    const { config, auth0, dryRun } = ctx;
+    const ecosystem = config.ecosystem;
+    logger.info(`Verifying tenant: ${ecosystem.auth0.tenant_domain}`);
+    logger.blank();
+    logger.info("Authenticating to Auth0 Management API...");
+    await auth0.authenticate();
+    logger.success("Management API authentication successful.");
+    logger.info("Fetching tenant settings...");
+    const tenantSettings = await auth0.getTenantSettings();
+    const rpcp = tenantSettings.flags?.["resource_param_compatibility_profile"] ?? false;
+    if (rpcp) {
+        logger.success("Resource Parameter Compatibility Profile is ENABLED.");
+    }
+    else {
+        logger.warn("Resource Parameter Compatibility Profile is DISABLED.");
+        logger.blank();
+        if (!dryRun) {
+            logger.info("Attempting to enable Resource Parameter Compatibility Profile...");
+            try {
+                await auth0.patchTenantSettings({
+                    flags: {
+                        ...tenantSettings.flags,
+                        resource_param_compatibility_profile: true,
+                    },
+                });
+                logger.success("Resource Parameter Compatibility Profile has been ENABLED.");
+                return {
+                    tenantDomain: ecosystem.auth0.tenant_domain,
+                    managementAudience: ecosystem.auth0.management_audience,
+                    resourceParameterCompatibility: true,
+                    manualActionRequired: false,
+                    message: "Resource Parameter Compatibility Profile was disabled and has been enabled programmatically.",
+                };
+            }
+            catch (err) {
+                logger.warn("Could not enable the setting programmatically.");
+                logger.debug(`Error: ${err instanceof Error ? err.message : String(err)}`);
+            }
+        }
+        logger.blank();
+        logger.error("MANUAL ACTION REQUIRED:");
+        logger.error("  1. Go to the Auth0 Dashboard");
+        logger.error("  2. Navigate to: Settings > Advanced > Settings");
+        logger.error("  3. Find 'Resource Parameter Compatibility Profile'");
+        logger.error("  4. Enable it");
+        logger.error("  5. Re-run this command to verify");
+        logger.blank();
+        return {
+            tenantDomain: ecosystem.auth0.tenant_domain,
+            managementAudience: ecosystem.auth0.management_audience,
+            resourceParameterCompatibility: false,
+            manualActionRequired: true,
+            message: "Resource Parameter Compatibility Profile is disabled. Enable it via Dashboard > Settings > Advanced > Settings.",
+        };
+    }
+    const dcr = tenantSettings.flags?.["enable_dynamic_client_registration"] ?? false;
+    if (dcr) {
+        logger.warn("Dynamic Client Registration is enabled. The baseline system uses static registration. " +
+            "Disable DCR unless you specifically need it.");
+    }
+    else {
+        logger.info("Dynamic Client Registration is disabled (expected for baseline).");
+    }
+    logger.blank();
+    logger.success("Tenant verification complete.");
+    return {
+        tenantDomain: ecosystem.auth0.tenant_domain,
+        managementAudience: ecosystem.auth0.management_audience,
+        resourceParameterCompatibility: true,
+        manualActionRequired: false,
+        message: "Tenant prerequisites are satisfied.",
+    };
+}
+//# sourceMappingURL=verify-tenant.js.map

package/dist/commands/verify-tenant.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify-tenant.js","sourceRoot":"","sources":["../../src/commands/verify-tenant.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,MAAM,EAAE,MAAM,mBAAmB,CAAC;AAU3C,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,GAAmB;IAEnB,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,GAAG,CAAC;IACtC,MAAM,SAAS,GAAG,MAAM,CAAC,SAAS,CAAC;IAEnC,MAAM,CAAC,IAAI,CAAC,qBAAqB,SAAS,CAAC,KAAK,CAAC,aAAa,EAAE,CAAC,CAAC;IAClE,MAAM,CAAC,KAAK,EAAE,CAAC;IAEf,MAAM,CAAC,IAAI,CAAC,2CAA2C,CAAC,CAAC;IACzD,MAAM,KAAK,CAAC,YAAY,EAAE,CAAC;IAC3B,MAAM,CAAC,OAAO,CAAC,2CAA2C,CAAC,CAAC;IAE5D,MAAM,CAAC,IAAI,CAAC,6BAA6B,CAAC,CAAC;IAC3C,MAAM,cAAc,GAAG,MAAM,KAAK,CAAC,iBAAiB,EAAE,CAAC;IAEvD,MAAM,IAAI,GACR,cAAc,CAAC,KAAK,EAAE,CAAC,sCAAsC,CAAC,IAAI,KAAK,CAAC;IAE1E,IAAI,IAAI,EAAE,CAAC;QACT,MAAM,CAAC,OAAO,CAAC,sDAAsD,CAAC,CAAC;IACzE,CAAC;SAAM,CAAC;QACN,MAAM,CAAC,IAAI,CAAC,uDAAuD,CAAC,CAAC;QACrE,MAAM,CAAC,KAAK,EAAE,CAAC;QAEf,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,CAAC,IAAI,CACT,kEAAkE,CACnE,CAAC;YACF,IAAI,CAAC;gBACH,MAAM,KAAK,CAAC,mBAAmB,CAAC;oBAC9B,KAAK,EAAE;wBACL,GAAG,cAAc,CAAC,KAAK;wBACvB,oCAAoC,EAAE,IAAI;qBAC3C;iBACF,CAAC,CAAC;gBACH,MAAM,CAAC,OAAO,CACZ,4DAA4D,CAC7D,CAAC;gBACF,OAAO;oBACL,YAAY,EAAE,SAAS,CAAC,KAAK,CAAC,aAAa;oBAC3C,kBAAkB,EAAE,SAAS,CAAC,KAAK,CAAC,mBAAmB;oBACvD,8BAA8B,EAAE,IAAI;oBACpC,oBAAoB,EAAE,KAAK;oBAC3B,OAAO,EACL,8FAA8F;iBACjG,CAAC;YACJ,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,MAAM,CAAC,IAAI,CAAC,gDAAgD,CAAC,CAAC;gBAC9D,MAAM,CAAC,KAAK,CACV,UAAU,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAC7D,CAAC;YACJ,CAAC;QACH,CAAC;QAED,MAAM,CAAC,KAAK,EAAE,CAAC;QACf,MAAM,CAAC,KAAK,CAAC,yBAAyB,CAAC,CAAC;QACxC,MAAM,CAAC,KAAK,CACV,gCAAgC,CACjC,CAAC;QACF,MAAM,CAAC,KAAK,CACV,kDAAkD,CACnD,CAAC;QACF,MAAM,CAAC,KAAK,CACV,sDAAsD,CACvD,CAAC;QACF,MAAM,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAC;QAC/B,MAAM,CAAC,KAAK,CACV,oCAAoC,CACrC,CAAC;QACF,MAAM,CAAC,KAAK,EAAE,CAAC;QAEf,OAAO;YACL,YAAY,EAAE,SAAS,CAAC,KAAK,CAAC,aAAa;YAC3C,kBAAkB,EAAE,SAAS,CAAC,KAAK,CAAC,mBAAmB;YACvD,8BAA8B,EAAE,KAAK;YACrC,oBAAoB,EAAE,IAAI;YAC1B,OAAO,EACL,iHAAiH;SACpH,CAAC;IACJ,CAAC;IAED,MAAM,GAAG,GAAG,cAAc,CAAC,KAAK,EAAE,CAAC,oCAAoC,CAAC,IAAI,KAAK,CAAC;IAClF,IAAI,GAAG,EAAE,CAAC;QACR,MAAM,CAAC,IAAI,CACT,wFAAwF;YACtF,8CAA8C,CACjD,CAAC;IACJ,CAAC;SAAM,CAAC;QACN,MAAM,CAAC,IAAI,CAAC,kEAAkE,CAAC,CAAC;IAClF,CAAC;IAED,MAAM,CAAC,KAAK,EAAE,CAAC;IACf,MAAM,CAAC,OAAO,CAAC,+BAA+B,CAAC,CAAC;IAEhD,OAAO;QACL,YAAY,EAAE,SAAS,CAAC,KAAK,CAAC,aAAa;QAC3C,kBAAkB,EAAE,SAAS,CAAC,KAAK,CAAC,mBAAmB;QACvD,8BAA8B,EAAE,IAAI;QACpC,oBAAoB,EAAE,KAAK;QAC3B,OAAO,EAAE,qCAAqC;KAC/C,CAAC;AACJ,CAAC"}

package/dist/config/index.d.ts

@@ -0,0 +1,3 @@
+export { loadAllConfig, deriveHostname, deriveCanonicalResourceUri, deriveMcpEndpoint, deriveProtectedResourceMetadataUrl, resolveScopes, resolveClientGroupMembers, resolveGrantTargets, } from "./loader.js";
+export type { LoadedConfig, ResolvedGrantTarget } from "./loader.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/config/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/config/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,aAAa,EACb,cAAc,EACd,0BAA0B,EAC1B,iBAAiB,EACjB,kCAAkC,EAClC,aAAa,EACb,yBAAyB,EACzB,mBAAmB,GACpB,MAAM,aAAa,CAAC;AAErB,YAAY,EAAE,YAAY,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC"}

package/dist/config/index.js

@@ -0,0 +1,2 @@
+export { loadAllConfig, deriveHostname, deriveCanonicalResourceUri, deriveMcpEndpoint, deriveProtectedResourceMetadataUrl, resolveScopes, resolveClientGroupMembers, resolveGrantTargets, } from "./loader.js";
+//# sourceMappingURL=index.js.map

package/dist/config/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/config/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,aAAa,EACb,cAAc,EACd,0BAA0B,EAC1B,iBAAiB,EACjB,kCAAkC,EAClC,aAAa,EACb,yBAAyB,EACzB,mBAAmB,GACpB,MAAM,aAAa,CAAC"}

package/dist/config/loader.d.ts

@@ -0,0 +1,21 @@
+import type { EcosystemConfig, ClientDescriptor, ClientConfig, ServerConfig } from "../types/index.js";
+export interface LoadedConfig {
+    ecosystem: EcosystemConfig;
+    clientDescriptors: Map<string, ClientDescriptor>;
+    clientConfigs: Map<string, ClientConfig>;
+    serverConfigs: Map<string, ServerConfig>;
+}
+export declare function loadAllConfig(rootDir: string): Promise<LoadedConfig>;
+export declare function deriveHostname(ecosystem: EcosystemConfig, slug: string): string;
+export declare function deriveCanonicalResourceUri(ecosystem: EcosystemConfig, slug: string): string;
+export declare function deriveMcpEndpoint(ecosystem: EcosystemConfig, slug: string): string;
+export declare function deriveProtectedResourceMetadataUrl(ecosystem: EcosystemConfig, slug: string): string;
+export declare function resolveScopes(ecosystem: EcosystemConfig, server: ServerConfig): string[];
+export declare function resolveClientGroupMembers(ecosystem: EcosystemConfig, groupName: string): string[];
+export interface ResolvedGrantTarget {
+    clientKey: string;
+    scopes: string[];
+    subjectType: "user" | "client";
+}
+export declare function resolveGrantTargets(ecosystem: EcosystemConfig, server: ServerConfig, clientConfigs: Map<string, ClientConfig>): ResolvedGrantTarget[];
+//# sourceMappingURL=loader.d.ts.map

package/dist/config/loader.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"loader.d.ts","sourceRoot":"","sources":["../../src/config/loader.ts"],"names":[],"mappings":"AASA,OAAO,KAAK,EACV,eAAe,EACf,gBAAgB,EAChB,YAAY,EACZ,YAAY,EACb,MAAM,mBAAmB,CAAC;AAE3B,MAAM,WAAW,YAAY;IAC3B,SAAS,EAAE,eAAe,CAAC;IAC3B,iBAAiB,EAAE,GAAG,CAAC,MAAM,EAAE,gBAAgB,CAAC,CAAC;IACjD,aAAa,EAAE,GAAG,CAAC,MAAM,EAAE,YAAY,CAAC,CAAC;IACzC,aAAa,EAAE,GAAG,CAAC,MAAM,EAAE,YAAY,CAAC,CAAC;CAC1C;AAyBD,wBAAsB,aAAa,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC,CAiE1E;AAsDD,wBAAgB,cAAc,CAC5B,SAAS,EAAE,eAAe,EAC1B,IAAI,EAAE,MAAM,GACX,MAAM,CAIR;AAED,wBAAgB,0BAA0B,CACxC,SAAS,EAAE,eAAe,EAC1B,IAAI,EAAE,MAAM,GACX,MAAM,CAER;AAED,wBAAgB,iBAAiB,CAC/B,SAAS,EAAE,eAAe,EAC1B,IAAI,EAAE,MAAM,GACX,MAAM,CAER;AAED,wBAAgB,kCAAkC,CAChD,SAAS,EAAE,eAAe,EAC1B,IAAI,EAAE,MAAM,GACX,MAAM,CAER;AAED,wBAAgB,aAAa,CAC3B,SAAS,EAAE,eAAe,EAC1B,MAAM,EAAE,YAAY,GACnB,MAAM,EAAE,CAMV;AAED,wBAAgB,yBAAyB,CACvC,SAAS,EAAE,eAAe,EAC1B,SAAS,EAAE,MAAM,GAChB,MAAM,EAAE,CAEV;AAED,MAAM,WAAW,mBAAmB;IAClC,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,WAAW,EAAE,MAAM,GAAG,QAAQ,CAAC;CAChC;AAED,wBAAgB,mBAAmB,CACjC,SAAS,EAAE,eAAe,EAC1B,MAAM,EAAE,YAAY,EACpB,aAAa,EAAE,GAAG,CAAC,MAAM,EAAE,YAAY,CAAC,GACvC,mBAAmB,EAAE,CAoCvB"}

package/dist/config/loader.js

@@ -0,0 +1,181 @@
+import { readFile, readdir, stat } from "node:fs/promises";
+import { join } from "node:path";
+import { config as loadDotenv } from "dotenv";
+import { EcosystemConfigSchema, ClientDescriptorSchema, ClientConfigSchema, ServerConfigSchema, } from "../types/index.js";
+async function readJson(filePath) {
+    const raw = await readFile(filePath, "utf-8");
+    return JSON.parse(raw);
+}
+async function directoryExists(dirPath) {
+    try {
+        const s = await stat(dirPath);
+        return s.isDirectory();
+    }
+    catch {
+        return false;
+    }
+}
+async function fileExists(filePath) {
+    try {
+        const s = await stat(filePath);
+        return s.isFile();
+    }
+    catch {
+        return false;
+    }
+}
+export async function loadAllConfig(rootDir) {
+    loadDotenv({ path: join(rootDir, ".env") });
+    const ecosystemPath = join(rootDir, "ecosystem-configuration.json");
+    const ecosystemRaw = await readJson(ecosystemPath);
+    const ecosystem = EcosystemConfigSchema.parse(ecosystemRaw);
+    const clientDescriptors = new Map();
+    const descriptorsDir = join(rootDir, "client-descriptors");
+    if (await directoryExists(descriptorsDir)) {
+        const entries = await readdir(descriptorsDir);
+        for (const entry of entries) {
+            if (!entry.endsWith(".json"))
+                continue;
+            const raw = await readJson(join(descriptorsDir, entry));
+            const descriptor = ClientDescriptorSchema.parse(raw);
+            if (clientDescriptors.has(descriptor.descriptor_key)) {
+                throw new Error(`Duplicate client descriptor key: ${descriptor.descriptor_key}`);
+            }
+            clientDescriptors.set(descriptor.descriptor_key, descriptor);
+        }
+    }
+    const clientConfigs = new Map();
+    const clientsDir = join(rootDir, "oauth-clients");
+    if (await directoryExists(clientsDir)) {
+        const entries = await readdir(clientsDir);
+        for (const entry of entries) {
+            const clientDir = join(clientsDir, entry);
+            if (!(await directoryExists(clientDir)))
+                continue;
+            const configPath = join(clientDir, "client-configuration.json");
+            if (!(await fileExists(configPath)))
+                continue;
+            const raw = await readJson(configPath);
+            const clientCfg = ClientConfigSchema.parse(raw);
+            if (clientConfigs.has(clientCfg.client_key)) {
+                throw new Error(`Duplicate client key: ${clientCfg.client_key}`);
+            }
+            clientConfigs.set(clientCfg.client_key, clientCfg);
+        }
+    }
+    const serverConfigs = new Map();
+    const mcpsDir = join(rootDir, "mcps");
+    if (await directoryExists(mcpsDir)) {
+        const mcpEntries = await readdir(mcpsDir);
+        for (const entry of mcpEntries) {
+            const entryPath = join(mcpsDir, entry);
+            if (!(await directoryExists(entryPath)))
+                continue;
+            const mcpConfigPath = join(entryPath, "mcp-configuration.json");
+            if (!(await fileExists(mcpConfigPath)))
+                continue;
+            const raw = await readJson(mcpConfigPath);
+            const serverCfg = ServerConfigSchema.parse(raw);
+            if (serverConfigs.has(serverCfg.slug)) {
+                throw new Error(`Duplicate server slug: ${serverCfg.slug}`);
+            }
+            serverConfigs.set(serverCfg.slug, serverCfg);
+        }
+    }
+    validateCrossReferences(ecosystem, clientDescriptors, clientConfigs, serverConfigs);
+    return { ecosystem, clientDescriptors, clientConfigs, serverConfigs };
+}
+function validateCrossReferences(ecosystem, descriptors, clients, servers) {
+    for (const [key, client] of clients) {
+        if (client.descriptor && !descriptors.has(client.descriptor)) {
+            throw new Error(`Client "${key}" references unknown descriptor "${client.descriptor}"`);
+        }
+    }
+    const resourceUris = new Set();
+    for (const [slug, server] of servers) {
+        const uri = deriveCanonicalResourceUri(ecosystem, server.slug);
+        if (resourceUris.has(uri)) {
+            throw new Error(`Duplicate derived resource URI for server "${slug}": ${uri}`);
+        }
+        resourceUris.add(uri);
+        if (server.scope_profile && !ecosystem.defaults.scope_profiles[server.scope_profile]) {
+            throw new Error(`Server "${slug}" references unknown scope profile "${server.scope_profile}"`);
+        }
+        if (server.grants?.client_groups) {
+            for (const group of server.grants.client_groups) {
+                if (!ecosystem.client_groups?.[group]) {
+                    throw new Error(`Server "${slug}" references unknown client group "${group}"`);
+                }
+            }
+        }
+        if (server.grants?.client_overrides) {
+            for (const clientKey of Object.keys(server.grants.client_overrides)) {
+                if (!clients.has(clientKey)) {
+                    throw new Error(`Server "${slug}" has a grant override for unknown client "${clientKey}"`);
+                }
+            }
+        }
+    }
+}
+export function deriveHostname(ecosystem, slug) {
+    return ecosystem.domain.server_host_pattern
+        .replace("{slug}", slug)
+        .replace("{base_domain}", ecosystem.domain.base_domain);
+}
+export function deriveCanonicalResourceUri(ecosystem, slug) {
+    return `https://${deriveHostname(ecosystem, slug)}`;
+}
+export function deriveMcpEndpoint(ecosystem, slug) {
+    return `${deriveCanonicalResourceUri(ecosystem, slug)}/mcp`;
+}
+export function deriveProtectedResourceMetadataUrl(ecosystem, slug) {
+    return `${deriveCanonicalResourceUri(ecosystem, slug)}/.well-known/oauth-protected-resource`;
+}
+export function resolveScopes(ecosystem, server) {
+    const profileScopes = server.scope_profile
+        ? (ecosystem.defaults.scope_profiles[server.scope_profile] ?? [])
+        : [];
+    const extraScopes = server.extra_scopes ?? [];
+    return [...new Set([...profileScopes, ...extraScopes])];
+}
+export function resolveClientGroupMembers(ecosystem, groupName) {
+    return ecosystem.client_groups?.[groupName] ?? [];
+}
+export function resolveGrantTargets(ecosystem, server, clientConfigs) {
+    const allScopes = resolveScopes(ecosystem, server);
+    const targets = new Map();
+    if (server.grants?.client_groups) {
+        for (const group of server.grants.client_groups) {
+            const members = resolveClientGroupMembers(ecosystem, group);
+            for (const clientKey of members) {
+                const client = clientConfigs.get(clientKey);
+                if (!client)
+                    continue;
+                const profile = resolveClientProfile(ecosystem, client);
+                targets.set(clientKey, {
+                    clientKey,
+                    scopes: [...allScopes],
+                    subjectType: profile?.access_mode === "machine" ? "client" : "user",
+                });
+            }
+        }
+    }
+    if (server.grants?.client_overrides) {
+        for (const [clientKey, scopes] of Object.entries(server.grants.client_overrides)) {
+            const client = clientConfigs.get(clientKey);
+            if (!client)
+                continue;
+            const profile = resolveClientProfile(ecosystem, client);
+            targets.set(clientKey, {
+                clientKey,
+                scopes,
+                subjectType: profile?.access_mode === "machine" ? "client" : "user",
+            });
+        }
+    }
+    return [...targets.values()];
+}
+function resolveClientProfile(ecosystem, client) {
+    return ecosystem.defaults.client_profiles?.[client.profile];
+}
+//# sourceMappingURL=loader.js.map

package/dist/config/loader.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"loader.js","sourceRoot":"","sources":["../../src/config/loader.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,kBAAkB,CAAC;AAC3D,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,MAAM,IAAI,UAAU,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,EACL,qBAAqB,EACrB,sBAAsB,EACtB,kBAAkB,EAClB,kBAAkB,GACnB,MAAM,mBAAmB,CAAC;AAe3B,KAAK,UAAU,QAAQ,CAAC,QAAgB;IACtC,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IAC9C,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;AACzB,CAAC;AAED,KAAK,UAAU,eAAe,CAAC,OAAe;IAC5C,IAAI,CAAC;QACH,MAAM,CAAC,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,CAAC;QAC9B,OAAO,CAAC,CAAC,WAAW,EAAE,CAAC;IACzB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,KAAK,UAAU,UAAU,CAAC,QAAgB;IACxC,IAAI,CAAC;QACH,MAAM,CAAC,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,CAAC;QAC/B,OAAO,CAAC,CAAC,MAAM,EAAE,CAAC;IACpB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,OAAe;IACjD,UAAU,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,EAAE,CAAC,CAAC;IAE5C,MAAM,aAAa,GAAG,IAAI,CAAC,OAAO,EAAE,8BAA8B,CAAC,CAAC;IACpE,MAAM,YAAY,GAAG,MAAM,QAAQ,CAAC,aAAa,CAAC,CAAC;IACnD,MAAM,SAAS,GAAG,qBAAqB,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC;IAE5D,MAAM,iBAAiB,GAAG,IAAI,GAAG,EAA4B,CAAC;IAC9D,MAAM,cAAc,GAAG,IAAI,CAAC,OAAO,EAAE,oBAAoB,CAAC,CAAC;IAC3D,IAAI,MAAM,eAAe,CAAC,cAAc,CAAC,EAAE,CAAC;QAC1C,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,cAAc,CAAC,CAAC;QAC9C,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;YAC5B,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,OAAO,CAAC;gBAAE,SAAS;YACvC,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,cAAc,EAAE,KAAK,CAAC,CAAC,CAAC;YACxD,MAAM,UAAU,GAAG,sBAAsB,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YACrD,IAAI,iBAAiB,CAAC,GAAG,CAAC,UAAU,CAAC,cAAc,CAAC,EAAE,CAAC;gBACrD,MAAM,IAAI,KAAK,CACb,oCAAoC,UAAU,CAAC,cAAc,EAAE,CAChE,CAAC;YACJ,CAAC;YACD,iBAAiB,CAAC,GAAG,CAAC,UAAU,CAAC,cAAc,EAAE,UAAU,CAAC,CAAC;QAC/D,CAAC;IACH,CAAC;IAED,MAAM,aAAa,GAAG,IAAI,GAAG,EAAwB,CAAC;IACtD,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,EAAE,eAAe,CAAC,CAAC;IAClD,IAAI,MAAM,eAAe,CAAC,UAAU,CAAC,EAAE,CAAC;QACtC,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,UAAU,CAAC,CAAC;QAC1C,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;YAC5B,MAAM,SAAS,GAAG,IAAI,CAAC,UAAU,EAAE,KAAK,CAAC,CAAC;YAC1C,IAAI,CAAC,CAAC,MAAM,eAAe,CAAC,SAAS,CAAC,CAAC;gBAAE,SAAS;YAClD,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,EAAE,2BAA2B,CAAC,CAAC;YAChE,IAAI,CAAC,CAAC,MAAM,UAAU,CAAC,UAAU,CAAC,CAAC;gBAAE,SAAS;YAC9C,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,UAAU,CAAC,CAAC;YACvC,MAAM,SAAS,GAAG,kBAAkB,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAChD,IAAI,aAAa,CAAC,GAAG,CAAC,SAAS,CAAC,UAAU,CAAC,EAAE,CAAC;gBAC5C,MAAM,IAAI,KAAK,CACb,yBAAyB,SAAS,CAAC,UAAU,EAAE,CAChD,CAAC;YACJ,CAAC;YACD,aAAa,CAAC,GAAG,CAAC,SAAS,CAAC,UAAU,EAAE,SAAS,CAAC,CAAC;QACrD,CAAC;IACH,CAAC;IAED,MAAM,aAAa,GAAG,IAAI,GAAG,EAAwB,CAAC;IACtD,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IACtC,IAAI,MAAM,eAAe,CAAC,OAAO,CAAC,EAAE,CAAC;QACnC,MAAM,UAAU,GAAG,MAAM,OAAO,CAAC,OAAO,CAAC,CAAC;QAC1C,KAAK,MAAM,KAAK,IAAI,UAAU,EAAE,CAAC;YAC/B,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;YACvC,IAAI,CAAC,CAAC,MAAM,eAAe,CAAC,SAAS,CAAC,CAAC;gBAAE,SAAS;YAClD,MAAM,aAAa,GAAG,IAAI,CAAC,SAAS,EAAE,wBAAwB,CAAC,CAAC;YAChE,IAAI,CAAC,CAAC,MAAM,UAAU,CAAC,aAAa,CAAC,CAAC;gBAAE,SAAS;YACjD,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,aAAa,CAAC,CAAC;YAC1C,MAAM,SAAS,GAAG,kBAAkB,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAChD,IAAI,aAAa,CAAC,GAAG,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE,CAAC;gBACtC,MAAM,IAAI,KAAK,CAAC,0BAA0B,SAAS,CAAC,IAAI,EAAE,CAAC,CAAC;YAC9D,CAAC;YACD,aAAa,CAAC,GAAG,CAAC,SAAS,CAAC,IAAI,EAAE,SAAS,CAAC,CAAC;QAC/C,CAAC;IACH,CAAC;IAED,uBAAuB,CAAC,SAAS,EAAE,iBAAiB,EAAE,aAAa,EAAE,aAAa,CAAC,CAAC;IAEpF,OAAO,EAAE,SAAS,EAAE,iBAAiB,EAAE,aAAa,EAAE,aAAa,EAAE,CAAC;AACxE,CAAC;AAED,SAAS,uBAAuB,CAC9B,SAA0B,EAC1B,WAA0C,EAC1C,OAAkC,EAClC,OAAkC;IAElC,KAAK,MAAM,CAAC,GAAG,EAAE,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;QACpC,IAAI,MAAM,CAAC,UAAU,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,MAAM,CAAC,UAAU,CAAC,EAAE,CAAC;YAC7D,MAAM,IAAI,KAAK,CACb,WAAW,GAAG,oCAAoC,MAAM,CAAC,UAAU,GAAG,CACvE,CAAC;QACJ,CAAC;IACH,CAAC;IAED,MAAM,YAAY,GAAG,IAAI,GAAG,EAAU,CAAC;IACvC,KAAK,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;QACrC,MAAM,GAAG,GAAG,0BAA0B,CAAC,SAAS,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC;QAC/D,IAAI,YAAY,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;YAC1B,MAAM,IAAI,KAAK,CACb,8CAA8C,IAAI,MAAM,GAAG,EAAE,CAC9D,CAAC;QACJ,CAAC;QACD,YAAY,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAEtB,IAAI,MAAM,CAAC,aAAa,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,cAAc,CAAC,MAAM,CAAC,aAAa,CAAC,EAAE,CAAC;YACrF,MAAM,IAAI,KAAK,CACb,WAAW,IAAI,uCAAuC,MAAM,CAAC,aAAa,GAAG,CAC9E,CAAC;QACJ,CAAC;QAED,IAAI,MAAM,CAAC,MAAM,EAAE,aAAa,EAAE,CAAC;YACjC,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,MAAM,CAAC,aAAa,EAAE,CAAC;gBAChD,IAAI,CAAC,SAAS,CAAC,aAAa,EAAE,CAAC,KAAK,CAAC,EAAE,CAAC;oBACtC,MAAM,IAAI,KAAK,CACb,WAAW,IAAI,sCAAsC,KAAK,GAAG,CAC9D,CAAC;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;QAED,IAAI,MAAM,CAAC,MAAM,EAAE,gBAAgB,EAAE,CAAC;YACpC,KAAK,MAAM,SAAS,IAAI,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,gBAAgB,CAAC,EAAE,CAAC;gBACpE,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,CAAC;oBAC5B,MAAM,IAAI,KAAK,CACb,WAAW,IAAI,8CAA8C,SAAS,GAAG,CAC1E,CAAC;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC;AAED,MAAM,UAAU,cAAc,CAC5B,SAA0B,EAC1B,IAAY;IAEZ,OAAO,SAAS,CAAC,MAAM,CAAC,mBAAmB;SACxC,OAAO,CAAC,QAAQ,EAAE,IAAI,CAAC;SACvB,OAAO,CAAC,eAAe,EAAE,SAAS,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;AAC5D,CAAC;AAED,MAAM,UAAU,0BAA0B,CACxC,SAA0B,EAC1B,IAAY;IAEZ,OAAO,WAAW,cAAc,CAAC,SAAS,EAAE,IAAI,CAAC,EAAE,CAAC;AACtD,CAAC;AAED,MAAM,UAAU,iBAAiB,CAC/B,SAA0B,EAC1B,IAAY;IAEZ,OAAO,GAAG,0BAA0B,CAAC,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC;AAC9D,CAAC;AAED,MAAM,UAAU,kCAAkC,CAChD,SAA0B,EAC1B,IAAY;IAEZ,OAAO,GAAG,0BAA0B,CAAC,SAAS,EAAE,IAAI,CAAC,uCAAuC,CAAC;AAC/F,CAAC;AAED,MAAM,UAAU,aAAa,CAC3B,SAA0B,EAC1B,MAAoB;IAEpB,MAAM,aAAa,GAAG,MAAM,CAAC,aAAa;QACxC,CAAC,CAAC,CAAC,SAAS,CAAC,QAAQ,CAAC,cAAc,CAAC,MAAM,CAAC,aAAa,CAAC,IAAI,EAAE,CAAC;QACjE,CAAC,CAAC,EAAE,CAAC;IACP,MAAM,WAAW,GAAG,MAAM,CAAC,YAAY,IAAI,EAAE,CAAC;IAC9C,OAAO,CAAC,GAAG,IAAI,GAAG,CAAC,CAAC,GAAG,aAAa,EAAE,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC;AAC1D,CAAC;AAED,MAAM,UAAU,yBAAyB,CACvC,SAA0B,EAC1B,SAAiB;IAEjB,OAAO,SAAS,CAAC,aAAa,EAAE,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC;AACpD,CAAC;AAQD,MAAM,UAAU,mBAAmB,CACjC,SAA0B,EAC1B,MAAoB,EACpB,aAAwC;IAExC,MAAM,SAAS,GAAG,aAAa,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;IACnD,MAAM,OAAO,GAAG,IAAI,GAAG,EAA+B,CAAC;IAEvD,IAAI,MAAM,CAAC,MAAM,EAAE,aAAa,EAAE,CAAC;QACjC,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,MAAM,CAAC,aAAa,EAAE,CAAC;YAChD,MAAM,OAAO,GAAG,yBAAyB,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC;YAC5D,KAAK,MAAM,SAAS,IAAI,OAAO,EAAE,CAAC;gBAChC,MAAM,MAAM,GAAG,aAAa,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;gBAC5C,IAAI,CAAC,MAAM;oBAAE,SAAS;gBACtB,MAAM,OAAO,GAAG,oBAAoB,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;gBACxD,OAAO,CAAC,GAAG,CAAC,SAAS,EAAE;oBACrB,SAAS;oBACT,MAAM,EAAE,CAAC,GAAG,SAAS,CAAC;oBACtB,WAAW,EAAE,OAAO,EAAE,WAAW,KAAK,SAAS,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM;iBACpE,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,IAAI,MAAM,CAAC,MAAM,EAAE,gBAAgB,EAAE,CAAC;QACpC,KAAK,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,IAAI,MAAM,CAAC,OAAO,CAC9C,MAAM,CAAC,MAAM,CAAC,gBAAgB,CAC/B,EAAE,CAAC;YACF,MAAM,MAAM,GAAG,aAAa,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;YAC5C,IAAI,CAAC,MAAM;gBAAE,SAAS;YACtB,MAAM,OAAO,GAAG,oBAAoB,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;YACxD,OAAO,CAAC,GAAG,CAAC,SAAS,EAAE;gBACrB,SAAS;gBACT,MAAM;gBACN,WAAW,EAAE,OAAO,EAAE,WAAW,KAAK,SAAS,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM;aACpE,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,CAAC,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;AAC/B,CAAC;AAED,SAAS,oBAAoB,CAC3B,SAA0B,EAC1B,MAAoB;IAEpB,OAAO,SAAS,CAAC,QAAQ,CAAC,eAAe,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;AAC9D,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,9 @@
+export type { EcosystemConfig, ClientProfile, AccessMode, GrantStrategy, TokenEndpointAuthMethod, UserAccessPolicy, ClientAccessPolicy, ClientProfileDefinition, ClientDescriptor, ReusePolicy, ClientConfig, ServerConfig, Auth0Application, Auth0Api, Auth0ClientGrant, Auth0TenantSettings, } from "./types/index.js";
+export { loadAllConfig, deriveHostname, deriveCanonicalResourceUri, deriveMcpEndpoint, deriveProtectedResourceMetadataUrl, resolveScopes, resolveGrantTargets, } from "./config/index.js";
+export type { LoadedConfig, ResolvedGrantTarget } from "./config/index.js";
+export { Auth0ManagementClient, Auth0ApiError } from "./auth0/index.js";
+export type { Auth0ManagementClientOptions } from "./auth0/index.js";
+export { buildProtectedResourceMetadata, protectedResourceMetadataHandler, TokenValidator, InsufficientScopeError, buildWwwAuthenticateChallenge, send401Challenge, createAuthMiddleware, requireScopes, } from "./mcp-runtime/index.js";
+export type { ProtectedResourceMetadata, ProtectedResourceMetadataOptions, TokenValidatorOptions, ValidatedToken, ChallengeOptions, AuthMiddlewareOptions, } from "./mcp-runtime/index.js";
+export type { RuntimeConfig } from "./mcp-server/index.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,YAAY,EACV,eAAe,EACf,aAAa,EACb,UAAU,EACV,aAAa,EACb,uBAAuB,EACvB,gBAAgB,EAChB,kBAAkB,EAClB,uBAAuB,EACvB,gBAAgB,EAChB,WAAW,EACX,YAAY,EACZ,YAAY,EACZ,gBAAgB,EAChB,QAAQ,EACR,gBAAgB,EAChB,mBAAmB,GACpB,MAAM,kBAAkB,CAAC;AAG1B,OAAO,EACL,aAAa,EACb,cAAc,EACd,0BAA0B,EAC1B,iBAAiB,EACjB,kCAAkC,EAClC,aAAa,EACb,mBAAmB,GACpB,MAAM,mBAAmB,CAAC;AAC3B,YAAY,EAAE,YAAY,EAAE,mBAAmB,EAAE,MAAM,mBAAmB,CAAC;AAG3E,OAAO,EAAE,qBAAqB,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AACxE,YAAY,EAAE,4BAA4B,EAAE,MAAM,kBAAkB,CAAC;AAGrE,OAAO,EACL,8BAA8B,EAC9B,gCAAgC,EAChC,cAAc,EACd,sBAAsB,EACtB,6BAA6B,EAC7B,gBAAgB,EAChB,oBAAoB,EACpB,aAAa,GACd,MAAM,wBAAwB,CAAC;AAChC,YAAY,EACV,yBAAyB,EACzB,gCAAgC,EAChC,qBAAqB,EACrB,cAAc,EACd,gBAAgB,EAChB,qBAAqB,GACtB,MAAM,wBAAwB,CAAC;AAGhC,YAAY,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC"}

package/dist/index.js

@@ -0,0 +1,7 @@
+// Public API: config loading and derivation
+export { loadAllConfig, deriveHostname, deriveCanonicalResourceUri, deriveMcpEndpoint, deriveProtectedResourceMetadataUrl, resolveScopes, resolveGrantTargets, } from "./config/index.js";
+// Public API: Auth0 management client
+export { Auth0ManagementClient, Auth0ApiError } from "./auth0/index.js";
+// Public API: MCP runtime helpers
+export { buildProtectedResourceMetadata, protectedResourceMetadataHandler, TokenValidator, InsufficientScopeError, buildWwwAuthenticateChallenge, send401Challenge, createAuthMiddleware, requireScopes, } from "./mcp-runtime/index.js";
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAoBA,4CAA4C;AAC5C,OAAO,EACL,aAAa,EACb,cAAc,EACd,0BAA0B,EAC1B,iBAAiB,EACjB,kCAAkC,EAClC,aAAa,EACb,mBAAmB,GACpB,MAAM,mBAAmB,CAAC;AAG3B,sCAAsC;AACtC,OAAO,EAAE,qBAAqB,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AAGxE,kCAAkC;AAClC,OAAO,EACL,8BAA8B,EAC9B,gCAAgC,EAChC,cAAc,EACd,sBAAsB,EACtB,6BAA6B,EAC7B,gBAAgB,EAChB,oBAAoB,EACpB,aAAa,GACd,MAAM,wBAAwB,CAAC"}

package/dist/mcp-runtime/auth-middleware.d.ts

@@ -0,0 +1,27 @@
+import type { IncomingMessage, ServerResponse } from "node:http";
+export interface AuthMiddlewareOptions {
+    resourceUri: string;
+    resourceMetadataUrl: string;
+    issuer: string;
+    audience: string;
+    jwksUri?: string;
+}
+/**
+ * Creates an Express/Connect-compatible middleware that validates bearer tokens.
+ *
+ * On success, attaches `req.auth` with the validated token claims.
+ * On failure, sends a proper 401 WWW-Authenticate challenge per MCP spec.
+ */
+export declare function createAuthMiddleware(options: AuthMiddlewareOptions): (req: IncomingMessage & {
+    auth?: unknown;
+}, res: ServerResponse, next?: (err?: unknown) => void) => Promise<void>;
+/**
+ * Factory for route-level scope enforcement middleware.
+ *
+ * Usage:
+ *   app.post('/tools/execute', requireScopes(['tools.write']), handler);
+ */
+export declare function requireScopes(scopes: string[]): (req: IncomingMessage & {
+    auth?: Record<string, unknown>;
+}, res: ServerResponse, next?: (err?: unknown) => void) => void;
+//# sourceMappingURL=auth-middleware.d.ts.map

package/dist/mcp-runtime/auth-middleware.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-middleware.d.ts","sourceRoot":"","sources":["../../src/mcp-runtime/auth-middleware.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AAIjE,MAAM,WAAW,qBAAqB;IACpC,WAAW,EAAE,MAAM,CAAC;IACpB,mBAAmB,EAAE,MAAM,CAAC;IAC5B,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED;;;;;GAKG;AACH,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,qBAAqB,IAQ/D,KAAK,eAAe,GAAG;IAAE,IAAI,CAAC,EAAE,OAAO,CAAA;CAAE,EACzC,KAAK,cAAc,EACnB,OAAO,CAAC,GAAG,CAAC,EAAE,OAAO,KAAK,IAAI,mBAsCjC;AAED;;;;;GAKG;AACH,wBAAgB,aAAa,CAAC,MAAM,EAAE,MAAM,EAAE,IAE1C,KAAK,eAAe,GAAG;IAAE,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;CAAE,EACzD,KAAK,cAAc,EACnB,OAAO,CAAC,GAAG,CAAC,EAAE,OAAO,KAAK,IAAI,UAmCjC"}