@scupit/mcp-ecosystem 0.1.0

package/dist/mcp-runtime/auth-middleware.js

@@ -0,0 +1,88 @@
+import { TokenValidator, InsufficientScopeError } from "./token-validator.js";
+import { send401Challenge } from "./www-authenticate.js";
+/**
+ * Creates an Express/Connect-compatible middleware that validates bearer tokens.
+ *
+ * On success, attaches `req.auth` with the validated token claims.
+ * On failure, sends a proper 401 WWW-Authenticate challenge per MCP spec.
+ */
+export function createAuthMiddleware(options) {
+    const validator = new TokenValidator({
+        issuer: options.issuer,
+        audience: options.audience,
+        jwksUri: options.jwksUri,
+    });
+    return async (req, res, next) => {
+        const authHeader = req.headers.authorization;
+        if (!authHeader || !authHeader.startsWith("Bearer ")) {
+            send401Challenge(res, {
+                resourceMetadataUrl: options.resourceMetadataUrl,
+                error: "invalid_request",
+                errorDescription: "Missing or malformed Authorization header",
+            });
+            return;
+        }
+        const token = authHeader.slice(7);
+        try {
+            const payload = await validator.validate(token);
+            req.auth = payload;
+            next?.();
+        }
+        catch (err) {
+            if (err instanceof InsufficientScopeError) {
+                send401Challenge(res, {
+                    resourceMetadataUrl: options.resourceMetadataUrl,
+                    requiredScopes: err.requiredScopes,
+                    error: "insufficient_scope",
+                    errorDescription: err.message,
+                });
+                return;
+            }
+            send401Challenge(res, {
+                resourceMetadataUrl: options.resourceMetadataUrl,
+                error: "invalid_token",
+                errorDescription: err instanceof Error ? err.message : "Token validation failed",
+            });
+        }
+    };
+}
+/**
+ * Factory for route-level scope enforcement middleware.
+ *
+ * Usage:
+ *   app.post('/tools/execute', requireScopes(['tools.write']), handler);
+ */
+export function requireScopes(scopes) {
+    return (req, res, next) => {
+        const auth = req.auth;
+        if (!auth) {
+            res.writeHead(401, { "Content-Type": "application/json" });
+            res.end(JSON.stringify({ error: "unauthorized" }));
+            return;
+        }
+        const tokenScopes = new Set();
+        if (typeof auth["scope"] === "string") {
+            for (const s of auth["scope"].split(" ")) {
+                if (s)
+                    tokenScopes.add(s);
+            }
+        }
+        if (Array.isArray(auth["permissions"])) {
+            for (const p of auth["permissions"]) {
+                if (typeof p === "string")
+                    tokenScopes.add(p);
+            }
+        }
+        const hasSufficientScope = scopes.some((s) => tokenScopes.has(s));
+        if (!hasSufficientScope) {
+            res.writeHead(403, { "Content-Type": "application/json" });
+            res.end(JSON.stringify({
+                error: "insufficient_scope",
+                required_scopes: scopes,
+            }));
+            return;
+        }
+        next?.();
+    };
+}
+//# sourceMappingURL=auth-middleware.js.map

package/dist/mcp-runtime/auth-middleware.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-middleware.js","sourceRoot":"","sources":["../../src/mcp-runtime/auth-middleware.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAE,sBAAsB,EAAE,MAAM,sBAAsB,CAAC;AAC9E,OAAO,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAC;AAUzD;;;;;GAKG;AACH,MAAM,UAAU,oBAAoB,CAAC,OAA8B;IACjE,MAAM,SAAS,GAAG,IAAI,cAAc,CAAC;QACnC,MAAM,EAAE,OAAO,CAAC,MAAM;QACtB,QAAQ,EAAE,OAAO,CAAC,QAAQ;QAC1B,OAAO,EAAE,OAAO,CAAC,OAAO;KACzB,CAAC,CAAC;IAEH,OAAO,KAAK,EACV,GAAyC,EACzC,GAAmB,EACnB,IAA8B,EAC9B,EAAE;QACF,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,aAAa,CAAC;QAE7C,IAAI,CAAC,UAAU,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;YACrD,gBAAgB,CAAC,GAAG,EAAE;gBACpB,mBAAmB,EAAE,OAAO,CAAC,mBAAmB;gBAChD,KAAK,EAAE,iBAAiB;gBACxB,gBAAgB,EAAE,2CAA2C;aAC9D,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QAElC,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,MAAM,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;YAC/C,GAA2C,CAAC,IAAI,GAAG,OAAO,CAAC;YAC5D,IAAI,EAAE,EAAE,CAAC;QACX,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,GAAG,YAAY,sBAAsB,EAAE,CAAC;gBAC1C,gBAAgB,CAAC,GAAG,EAAE;oBACpB,mBAAmB,EAAE,OAAO,CAAC,mBAAmB;oBAChD,cAAc,EAAE,GAAG,CAAC,cAAc;oBAClC,KAAK,EAAE,oBAAoB;oBAC3B,gBAAgB,EAAE,GAAG,CAAC,OAAO;iBAC9B,CAAC,CAAC;gBACH,OAAO;YACT,CAAC;YAED,gBAAgB,CAAC,GAAG,EAAE;gBACpB,mBAAmB,EAAE,OAAO,CAAC,mBAAmB;gBAChD,KAAK,EAAE,eAAe;gBACtB,gBAAgB,EACd,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,yBAAyB;aACjE,CAAC,CAAC;QACL,CAAC;IACH,CAAC,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,aAAa,CAAC,MAAgB;IAC5C,OAAO,CACL,GAAyD,EACzD,GAAmB,EACnB,IAA8B,EAC9B,EAAE;QACF,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC;QACtB,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC;YAC3D,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC,CAAC,CAAC;YACnD,OAAO;QACT,CAAC;QAED,MAAM,WAAW,GAAG,IAAI,GAAG,EAAU,CAAC;QACtC,IAAI,OAAO,IAAI,CAAC,OAAO,CAAC,KAAK,QAAQ,EAAE,CAAC;YACtC,KAAK,MAAM,CAAC,IAAK,IAAI,CAAC,OAAO,CAAY,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC;gBACrD,IAAI,CAAC;oBAAE,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YAC5B,CAAC;QACH,CAAC;QACD,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,EAAE,CAAC;YACvC,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC,aAAa,CAAa,EAAE,CAAC;gBAChD,IAAI,OAAO,CAAC,KAAK,QAAQ;oBAAE,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YAChD,CAAC;QACH,CAAC;QAED,MAAM,kBAAkB,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;QAClE,IAAI,CAAC,kBAAkB,EAAE,CAAC;YACxB,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC;YAC3D,GAAG,CAAC,GAAG,CACL,IAAI,CAAC,SAAS,CAAC;gBACb,KAAK,EAAE,oBAAoB;gBAC3B,eAAe,EAAE,MAAM;aACxB,CAAC,CACH,CAAC;YACF,OAAO;QACT,CAAC;QAED,IAAI,EAAE,EAAE,CAAC;IACX,CAAC,CAAC;AACJ,CAAC"}

package/dist/mcp-runtime/index.d.ts

@@ -0,0 +1,9 @@
+export { buildProtectedResourceMetadata, protectedResourceMetadataHandler, } from "./protected-resource-metadata.js";
+export type { ProtectedResourceMetadata, ProtectedResourceMetadataOptions, } from "./protected-resource-metadata.js";
+export { TokenValidator, InsufficientScopeError, } from "./token-validator.js";
+export type { TokenValidatorOptions, ValidatedToken, } from "./token-validator.js";
+export { buildWwwAuthenticateChallenge, send401Challenge, } from "./www-authenticate.js";
+export type { ChallengeOptions } from "./www-authenticate.js";
+export { createAuthMiddleware, requireScopes, } from "./auth-middleware.js";
+export type { AuthMiddlewareOptions } from "./auth-middleware.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/mcp-runtime/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/mcp-runtime/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,8BAA8B,EAC9B,gCAAgC,GACjC,MAAM,kCAAkC,CAAC;AAC1C,YAAY,EACV,yBAAyB,EACzB,gCAAgC,GACjC,MAAM,kCAAkC,CAAC;AAE1C,OAAO,EACL,cAAc,EACd,sBAAsB,GACvB,MAAM,sBAAsB,CAAC;AAC9B,YAAY,EACV,qBAAqB,EACrB,cAAc,GACf,MAAM,sBAAsB,CAAC;AAE9B,OAAO,EACL,6BAA6B,EAC7B,gBAAgB,GACjB,MAAM,uBAAuB,CAAC;AAC/B,YAAY,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAC;AAE9D,OAAO,EACL,oBAAoB,EACpB,aAAa,GACd,MAAM,sBAAsB,CAAC;AAC9B,YAAY,EAAE,qBAAqB,EAAE,MAAM,sBAAsB,CAAC"}

package/dist/mcp-runtime/index.js

@@ -0,0 +1,5 @@
+export { buildProtectedResourceMetadata, protectedResourceMetadataHandler, } from "./protected-resource-metadata.js";
+export { TokenValidator, InsufficientScopeError, } from "./token-validator.js";
+export { buildWwwAuthenticateChallenge, send401Challenge, } from "./www-authenticate.js";
+export { createAuthMiddleware, requireScopes, } from "./auth-middleware.js";
+//# sourceMappingURL=index.js.map

package/dist/mcp-runtime/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/mcp-runtime/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,8BAA8B,EAC9B,gCAAgC,GACjC,MAAM,kCAAkC,CAAC;AAM1C,OAAO,EACL,cAAc,EACd,sBAAsB,GACvB,MAAM,sBAAsB,CAAC;AAM9B,OAAO,EACL,6BAA6B,EAC7B,gBAAgB,GACjB,MAAM,uBAAuB,CAAC;AAG/B,OAAO,EACL,oBAAoB,EACpB,aAAa,GACd,MAAM,sBAAsB,CAAC"}

package/dist/mcp-runtime/protected-resource-metadata.d.ts

@@ -0,0 +1,20 @@
+import type { IncomingMessage, ServerResponse } from "node:http";
+export interface ProtectedResourceMetadata {
+    resource: string;
+    authorization_servers: string[];
+    scopes_supported?: string[];
+    bearer_methods_supported?: string[];
+    resource_documentation?: string;
+}
+export interface ProtectedResourceMetadataOptions {
+    resourceUri: string;
+    authorizationServerUri: string;
+    scopes?: string[];
+}
+export declare function buildProtectedResourceMetadata(options: ProtectedResourceMetadataOptions): ProtectedResourceMetadata;
+/**
+ * Express/Connect-compatible middleware that serves the Protected Resource
+ * Metadata document at `/.well-known/oauth-protected-resource`.
+ */
+export declare function protectedResourceMetadataHandler(metadata: ProtectedResourceMetadata): (req: IncomingMessage, res: ServerResponse, next?: () => void) => void;
+//# sourceMappingURL=protected-resource-metadata.d.ts.map

package/dist/mcp-runtime/protected-resource-metadata.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"protected-resource-metadata.d.ts","sourceRoot":"","sources":["../../src/mcp-runtime/protected-resource-metadata.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AAEjE,MAAM,WAAW,yBAAyB;IACxC,QAAQ,EAAE,MAAM,CAAC;IACjB,qBAAqB,EAAE,MAAM,EAAE,CAAC;IAChC,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC5B,wBAAwB,CAAC,EAAE,MAAM,EAAE,CAAC;IACpC,sBAAsB,CAAC,EAAE,MAAM,CAAC;CACjC;AAED,MAAM,WAAW,gCAAgC;IAC/C,WAAW,EAAE,MAAM,CAAC;IACpB,sBAAsB,EAAE,MAAM,CAAC;IAC/B,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;CACnB;AAED,wBAAgB,8BAA8B,CAC5C,OAAO,EAAE,gCAAgC,GACxC,yBAAyB,CAU3B;AAED;;;GAGG;AACH,wBAAgB,gCAAgC,CAC9C,QAAQ,EAAE,yBAAyB,IAI3B,KAAK,eAAe,EAAE,KAAK,cAAc,EAAE,OAAO,MAAM,IAAI,UAWrE"}

package/dist/mcp-runtime/protected-resource-metadata.js

@@ -0,0 +1,30 @@
+export function buildProtectedResourceMetadata(options) {
+    return {
+        resource: options.resourceUri,
+        authorization_servers: [options.authorizationServerUri],
+        ...(options.scopes &&
+            options.scopes.length > 0 && {
+            scopes_supported: options.scopes,
+        }),
+        bearer_methods_supported: ["header"],
+    };
+}
+/**
+ * Express/Connect-compatible middleware that serves the Protected Resource
+ * Metadata document at `/.well-known/oauth-protected-resource`.
+ */
+export function protectedResourceMetadataHandler(metadata) {
+    const body = JSON.stringify(metadata);
+    return (req, res, next) => {
+        if (req.url === "/.well-known/oauth-protected-resource") {
+            res.writeHead(200, {
+                "Content-Type": "application/json",
+                "Cache-Control": "public, max-age=3600",
+            });
+            res.end(body);
+            return;
+        }
+        next?.();
+    };
+}
+//# sourceMappingURL=protected-resource-metadata.js.map

package/dist/mcp-runtime/protected-resource-metadata.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"protected-resource-metadata.js","sourceRoot":"","sources":["../../src/mcp-runtime/protected-resource-metadata.ts"],"names":[],"mappings":"AAgBA,MAAM,UAAU,8BAA8B,CAC5C,OAAyC;IAEzC,OAAO;QACL,QAAQ,EAAE,OAAO,CAAC,WAAW;QAC7B,qBAAqB,EAAE,CAAC,OAAO,CAAC,sBAAsB,CAAC;QACvD,GAAG,CAAC,OAAO,CAAC,MAAM;YAChB,OAAO,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,IAAI;YAC3B,gBAAgB,EAAE,OAAO,CAAC,MAAM;SACjC,CAAC;QACJ,wBAAwB,EAAE,CAAC,QAAQ,CAAC;KACrC,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,gCAAgC,CAC9C,QAAmC;IAEnC,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;IAEtC,OAAO,CAAC,GAAoB,EAAE,GAAmB,EAAE,IAAiB,EAAE,EAAE;QACtE,IAAI,GAAG,CAAC,GAAG,KAAK,uCAAuC,EAAE,CAAC;YACxD,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE;gBACjB,cAAc,EAAE,kBAAkB;gBAClC,eAAe,EAAE,sBAAsB;aACxC,CAAC,CAAC;YACH,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;YACd,OAAO;QACT,CAAC;QACD,IAAI,EAAE,EAAE,CAAC;IACX,CAAC,CAAC;AACJ,CAAC"}

package/dist/mcp-runtime/token-validator.d.ts

@@ -0,0 +1,32 @@
+export interface TokenValidatorOptions {
+    issuer: string;
+    audience: string;
+    jwksUri?: string;
+}
+export interface ValidatedToken {
+    sub: string;
+    iss: string;
+    aud: string | string[];
+    exp: number;
+    iat: number;
+    scope?: string;
+    permissions?: string[];
+    [key: string]: unknown;
+}
+export declare class TokenValidator {
+    private readonly issuer;
+    private readonly audience;
+    private readonly jwks;
+    constructor(options: TokenValidatorOptions);
+    validate(token: string): Promise<ValidatedToken>;
+    /**
+     * Validate the token and check that it contains at least one of the required scopes.
+     */
+    validateWithScopes(token: string, requiredScopes: string[]): Promise<ValidatedToken>;
+}
+export declare class InsufficientScopeError extends Error {
+    readonly requiredScopes: string[];
+    readonly presentScopes: Set<string>;
+    constructor(required: string[], present: Set<string>);
+}
+//# sourceMappingURL=token-validator.d.ts.map

package/dist/mcp-runtime/token-validator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-validator.d.ts","sourceRoot":"","sources":["../../src/mcp-runtime/token-validator.ts"],"names":[],"mappings":"AAEA,MAAM,WAAW,qBAAqB;IACpC,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,cAAc;IAC7B,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IACvB,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED,qBAAa,cAAc;IACzB,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAS;IAChC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAS;IAClC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAA6C;gBAEtD,OAAO,EAAE,qBAAqB;IAQpC,QAAQ,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,CAAC;IAUtD;;OAEG;IACG,kBAAkB,CACtB,KAAK,EAAE,MAAM,EACb,cAAc,EAAE,MAAM,EAAE,GACvB,OAAO,CAAC,cAAc,CAAC;CAY3B;AAoBD,qBAAa,sBAAuB,SAAQ,KAAK;IAC/C,SAAgB,cAAc,EAAE,MAAM,EAAE,CAAC;IACzC,SAAgB,aAAa,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;gBAE/B,QAAQ,EAAE,MAAM,EAAE,EAAE,OAAO,EAAE,GAAG,CAAC,MAAM,CAAC;CAQrD"}

package/dist/mcp-runtime/token-validator.js

@@ -0,0 +1,59 @@
+import * as jose from "jose";
+export class TokenValidator {
+    issuer;
+    audience;
+    jwks;
+    constructor(options) {
+        this.issuer = options.issuer;
+        this.audience = options.audience;
+        const jwksUrl = options.jwksUri ?? `${this.issuer}.well-known/jwks.json`;
+        this.jwks = jose.createRemoteJWKSet(new URL(jwksUrl));
+    }
+    async validate(token) {
+        const { payload } = await jose.jwtVerify(token, this.jwks, {
+            issuer: this.issuer,
+            audience: this.audience,
+            algorithms: ["RS256"],
+        });
+        return payload;
+    }
+    /**
+     * Validate the token and check that it contains at least one of the required scopes.
+     */
+    async validateWithScopes(token, requiredScopes) {
+        const payload = await this.validate(token);
+        const tokenScopes = extractScopes(payload);
+        const hasScope = requiredScopes.some((s) => tokenScopes.has(s));
+        if (!hasScope) {
+            throw new InsufficientScopeError(requiredScopes, tokenScopes);
+        }
+        return payload;
+    }
+}
+function extractScopes(payload) {
+    const scopes = new Set();
+    if (typeof payload.scope === "string") {
+        for (const s of payload.scope.split(" ")) {
+            if (s)
+                scopes.add(s);
+        }
+    }
+    if (Array.isArray(payload.permissions)) {
+        for (const p of payload.permissions) {
+            if (typeof p === "string")
+                scopes.add(p);
+        }
+    }
+    return scopes;
+}
+export class InsufficientScopeError extends Error {
+    requiredScopes;
+    presentScopes;
+    constructor(required, present) {
+        super(`Insufficient scope. Required one of: [${required.join(", ")}]. Present: [${[...present].join(", ")}]`);
+        this.name = "InsufficientScopeError";
+        this.requiredScopes = required;
+        this.presentScopes = present;
+    }
+}
+//# sourceMappingURL=token-validator.js.map

package/dist/mcp-runtime/token-validator.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-validator.js","sourceRoot":"","sources":["../../src/mcp-runtime/token-validator.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAmB7B,MAAM,OAAO,cAAc;IACR,MAAM,CAAS;IACf,QAAQ,CAAS;IACjB,IAAI,CAA6C;IAElE,YAAY,OAA8B;QACxC,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;QAC7B,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;QACjC,MAAM,OAAO,GACX,OAAO,CAAC,OAAO,IAAI,GAAG,IAAI,CAAC,MAAM,uBAAuB,CAAC;QAC3D,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,kBAAkB,CAAC,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC;IACxD,CAAC;IAED,KAAK,CAAC,QAAQ,CAAC,KAAa;QAC1B,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,CAAC,IAAI,EAAE;YACzD,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,UAAU,EAAE,CAAC,OAAO,CAAC;SACtB,CAAC,CAAC;QAEH,OAAO,OAAoC,CAAC;IAC9C,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,kBAAkB,CACtB,KAAa,EACb,cAAwB;QAExB,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QAE3C,MAAM,WAAW,GAAG,aAAa,CAAC,OAAO,CAAC,CAAC;QAC3C,MAAM,QAAQ,GAAG,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;QAEhE,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,IAAI,sBAAsB,CAAC,cAAc,EAAE,WAAW,CAAC,CAAC;QAChE,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;CACF;AAED,SAAS,aAAa,CAAC,OAAuB;IAC5C,MAAM,MAAM,GAAG,IAAI,GAAG,EAAU,CAAC;IAEjC,IAAI,OAAO,OAAO,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;QACtC,KAAK,MAAM,CAAC,IAAI,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC;YACzC,IAAI,CAAC;gBAAE,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;QACvB,CAAC;IACH,CAAC;IAED,IAAI,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,WAAW,CAAC,EAAE,CAAC;QACvC,KAAK,MAAM,CAAC,IAAI,OAAO,CAAC,WAAW,EAAE,CAAC;YACpC,IAAI,OAAO,CAAC,KAAK,QAAQ;gBAAE,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;QAC3C,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,MAAM,OAAO,sBAAuB,SAAQ,KAAK;IAC/B,cAAc,CAAW;IACzB,aAAa,CAAc;IAE3C,YAAY,QAAkB,EAAE,OAAoB;QAClD,KAAK,CACH,yCAAyC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,gBAAgB,CAAC,GAAG,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CACvG,CAAC;QACF,IAAI,CAAC,IAAI,GAAG,wBAAwB,CAAC;QACrC,IAAI,CAAC,cAAc,GAAG,QAAQ,CAAC;QAC/B,IAAI,CAAC,aAAa,GAAG,OAAO,CAAC;IAC/B,CAAC;CACF"}

package/dist/mcp-runtime/www-authenticate.d.ts

@@ -0,0 +1,19 @@
+import type { ServerResponse } from "node:http";
+export interface ChallengeOptions {
+    resourceMetadataUrl: string;
+    requiredScopes?: string[];
+    error?: string;
+    errorDescription?: string;
+}
+/**
+ * Build a WWW-Authenticate header value conforming to MCP's authorization spec.
+ *
+ * MCP requires servers to include `resource_metadata` in the challenge,
+ * and recommends including `scope` when applicable.
+ */
+export declare function buildWwwAuthenticateChallenge(options: ChallengeOptions): string;
+/**
+ * Send a 401 response with a proper WWW-Authenticate challenge.
+ */
+export declare function send401Challenge(res: ServerResponse, options: ChallengeOptions): void;
+//# sourceMappingURL=www-authenticate.d.ts.map

package/dist/mcp-runtime/www-authenticate.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"www-authenticate.d.ts","sourceRoot":"","sources":["../../src/mcp-runtime/www-authenticate.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AAEhD,MAAM,WAAW,gBAAgB;IAC/B,mBAAmB,EAAE,MAAM,CAAC;IAC5B,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B;AAED;;;;;GAKG;AACH,wBAAgB,6BAA6B,CAC3C,OAAO,EAAE,gBAAgB,GACxB,MAAM,CAuBR;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAC9B,GAAG,EAAE,cAAc,EACnB,OAAO,EAAE,gBAAgB,GACxB,IAAI,CAaN"}

package/dist/mcp-runtime/www-authenticate.js

@@ -0,0 +1,39 @@
+/**
+ * Build a WWW-Authenticate header value conforming to MCP's authorization spec.
+ *
+ * MCP requires servers to include `resource_metadata` in the challenge,
+ * and recommends including `scope` when applicable.
+ */
+export function buildWwwAuthenticateChallenge(options) {
+    const parts = ["Bearer"];
+    const params = [];
+    params.push(`resource_metadata="${options.resourceMetadataUrl}"`);
+    if (options.requiredScopes && options.requiredScopes.length > 0) {
+        params.push(`scope="${options.requiredScopes.join(" ")}"`);
+    }
+    if (options.error) {
+        params.push(`error="${options.error}"`);
+    }
+    if (options.errorDescription) {
+        params.push(`error_description="${options.errorDescription}"`);
+    }
+    if (params.length > 0) {
+        parts.push(params.join(", "));
+    }
+    return parts.join(" ");
+}
+/**
+ * Send a 401 response with a proper WWW-Authenticate challenge.
+ */
+export function send401Challenge(res, options) {
+    const challenge = buildWwwAuthenticateChallenge(options);
+    res.writeHead(401, {
+        "WWW-Authenticate": challenge,
+        "Content-Type": "application/json",
+    });
+    res.end(JSON.stringify({
+        error: options.error ?? "unauthorized",
+        error_description: options.errorDescription ?? "Authentication required",
+    }));
+}
+//# sourceMappingURL=www-authenticate.js.map

package/dist/mcp-runtime/www-authenticate.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"www-authenticate.js","sourceRoot":"","sources":["../../src/mcp-runtime/www-authenticate.ts"],"names":[],"mappings":"AASA;;;;;GAKG;AACH,MAAM,UAAU,6BAA6B,CAC3C,OAAyB;IAEzB,MAAM,KAAK,GAAa,CAAC,QAAQ,CAAC,CAAC;IACnC,MAAM,MAAM,GAAa,EAAE,CAAC;IAE5B,MAAM,CAAC,IAAI,CAAC,sBAAsB,OAAO,CAAC,mBAAmB,GAAG,CAAC,CAAC;IAElE,IAAI,OAAO,CAAC,cAAc,IAAI,OAAO,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAChE,MAAM,CAAC,IAAI,CAAC,UAAU,OAAO,CAAC,cAAc,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAC7D,CAAC;IAED,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;QAClB,MAAM,CAAC,IAAI,CAAC,UAAU,OAAO,CAAC,KAAK,GAAG,CAAC,CAAC;IAC1C,CAAC;IAED,IAAI,OAAO,CAAC,gBAAgB,EAAE,CAAC;QAC7B,MAAM,CAAC,IAAI,CAAC,sBAAsB,OAAO,CAAC,gBAAgB,GAAG,CAAC,CAAC;IACjE,CAAC;IAED,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACtB,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;IAChC,CAAC;IAED,OAAO,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AACzB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAC9B,GAAmB,EACnB,OAAyB;IAEzB,MAAM,SAAS,GAAG,6BAA6B,CAAC,OAAO,CAAC,CAAC;IACzD,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE;QACjB,kBAAkB,EAAE,SAAS;QAC7B,cAAc,EAAE,kBAAkB;KACnC,CAAC,CAAC;IACH,GAAG,CAAC,GAAG,CACL,IAAI,CAAC,SAAS,CAAC;QACb,KAAK,EAAE,OAAO,CAAC,KAAK,IAAI,cAAc;QACtC,iBAAiB,EACf,OAAO,CAAC,gBAAgB,IAAI,yBAAyB;KACxD,CAAC,CACH,CAAC;AACJ,CAAC"}

package/dist/mcp-server/create-server.d.ts

@@ -0,0 +1,44 @@
+import express from "express";
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+export interface RuntimeConfig {
+    server: {
+        name: string;
+        slug: string;
+        hostname: string;
+        resource_uri: string;
+        mcp_endpoint: string;
+    };
+    auth: {
+        issuer: string;
+        audience: string;
+        jwks_uri: string;
+        protected_resource_metadata_url: string;
+    };
+    scopes: string[];
+}
+/**
+ * Load the generated runtime config from an MCP server's directory.
+ * Reads `runtime-config.generated.json` produced by `mcp-ecosystem generate-artifacts`.
+ */
+export declare function loadRuntimeConfig(mcpDir: string): RuntimeConfig;
+export interface CreateMcpHttpServerOptions {
+    /** Override the MCP server version string. Defaults to "0.1.0". */
+    version?: string;
+}
+/**
+ * Create an Express app wired up with:
+ * - Protected Resource Metadata at `/.well-known/oauth-protected-resource`
+ * - Health check at `/health`
+ * - MCP Streamable HTTP transport at `/mcp`
+ *
+ * Returns the Express app and the McpServer instance for tool/resource registration.
+ */
+export declare function createMcpHttpServer(config: RuntimeConfig, options?: CreateMcpHttpServerOptions): {
+    app: import("express-serve-static-core").Express;
+    mcpServer: McpServer;
+};
+/**
+ * Start listening on the given port with a startup banner.
+ */
+export declare function startServer(app: express.Express, config: RuntimeConfig, port: number): void;
+//# sourceMappingURL=create-server.d.ts.map

package/dist/mcp-server/create-server.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"create-server.d.ts","sourceRoot":"","sources":["../../src/mcp-server/create-server.ts"],"names":[],"mappings":"AAEA,OAAO,OAAwC,MAAM,SAAS,CAAC;AAC/D,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAGpE,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE;QACN,IAAI,EAAE,MAAM,CAAC;QACb,IAAI,EAAE,MAAM,CAAC;QACb,QAAQ,EAAE,MAAM,CAAC;QACjB,YAAY,EAAE,MAAM,CAAC;QACrB,YAAY,EAAE,MAAM,CAAC;KACtB,CAAC;IACF,IAAI,EAAE;QACJ,MAAM,EAAE,MAAM,CAAC;QACf,QAAQ,EAAE,MAAM,CAAC;QACjB,QAAQ,EAAE,MAAM,CAAC;QACjB,+BAA+B,EAAE,MAAM,CAAC;KACzC,CAAC;IACF,MAAM,EAAE,MAAM,EAAE,CAAC;CAClB;AAED;;;GAGG;AACH,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,MAAM,GAAG,aAAa,CAI/D;AAED,MAAM,WAAW,0BAA0B;IACzC,mEAAmE;IACnE,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED;;;;;;;GAOG;AACH,wBAAgB,mBAAmB,CACjC,MAAM,EAAE,aAAa,EACrB,OAAO,CAAC,EAAE,0BAA0B;;;EA+CrC;AAED;;GAEG;AACH,wBAAgB,WAAW,CACzB,GAAG,EAAE,OAAO,CAAC,OAAO,EACpB,MAAM,EAAE,aAAa,EACrB,IAAI,EAAE,MAAM,GACX,IAAI,CAUN"}

package/dist/mcp-server/create-server.js

@@ -0,0 +1,73 @@
+import { readFileSync } from "node:fs";
+import { join } from "node:path";
+import express from "express";
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/streamableHttp.js";
+/**
+ * Load the generated runtime config from an MCP server's directory.
+ * Reads `runtime-config.generated.json` produced by `mcp-ecosystem generate-artifacts`.
+ */
+export function loadRuntimeConfig(mcpDir) {
+    const configPath = join(mcpDir, "runtime-config.generated.json");
+    const raw = readFileSync(configPath, "utf-8");
+    return JSON.parse(raw);
+}
+/**
+ * Create an Express app wired up with:
+ * - Protected Resource Metadata at `/.well-known/oauth-protected-resource`
+ * - Health check at `/health`
+ * - MCP Streamable HTTP transport at `/mcp`
+ *
+ * Returns the Express app and the McpServer instance for tool/resource registration.
+ */
+export function createMcpHttpServer(config, options) {
+    const app = express();
+    app.use(express.json());
+    app.get("/.well-known/oauth-protected-resource", (_req, res) => {
+        res.setHeader("Content-Type", "application/json");
+        res.setHeader("Cache-Control", "public, max-age=3600");
+        res.json({
+            resource: config.server.resource_uri,
+            authorization_servers: [config.auth.issuer],
+            scopes_supported: config.scopes,
+            bearer_methods_supported: ["header"],
+        });
+    });
+    app.get("/health", (_req, res) => {
+        res.json({ status: "ok", server: config.server.name });
+    });
+    const mcpServer = new McpServer({
+        name: config.server.name,
+        version: options?.version ?? "0.1.0",
+    });
+    app.post("/mcp", async (req, res) => {
+        const transport = new StreamableHTTPServerTransport({
+            sessionIdGenerator: undefined,
+        });
+        res.on("close", () => {
+            transport.close().catch(() => { });
+        });
+        await mcpServer.connect(transport);
+        await transport.handleRequest(req, res, req.body);
+    });
+    app.get("/mcp", (_req, res) => {
+        res.status(405).json({ error: "Method not allowed. Use POST for MCP requests." });
+    });
+    app.delete("/mcp", (_req, res) => {
+        res.status(405).json({ error: "Method not allowed." });
+    });
+    return { app, mcpServer };
+}
+/**
+ * Start listening on the given port with a startup banner.
+ */
+export function startServer(app, config, port) {
+    app.listen(port, () => {
+        console.log(`\n  ${config.server.name}`);
+        console.log(`  Listening on http://127.0.0.1:${port}`);
+        console.log(`  MCP endpoint: http://127.0.0.1:${port}/mcp`);
+        console.log(`  Protected Resource Metadata: http://127.0.0.1:${port}/.well-known/oauth-protected-resource`);
+        console.log(`  Health: http://127.0.0.1:${port}/health\n`);
+    });
+}
+//# sourceMappingURL=create-server.js.map

package/dist/mcp-server/create-server.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"create-server.js","sourceRoot":"","sources":["../../src/mcp-server/create-server.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,OAAwC,MAAM,SAAS,CAAC;AAC/D,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AACpE,OAAO,EAAE,6BAA6B,EAAE,MAAM,oDAAoD,CAAC;AAmBnG;;;GAGG;AACH,MAAM,UAAU,iBAAiB,CAAC,MAAc;IAC9C,MAAM,UAAU,GAAG,IAAI,CAAC,MAAM,EAAE,+BAA+B,CAAC,CAAC;IACjE,MAAM,GAAG,GAAG,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;IAC9C,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAkB,CAAC;AAC1C,CAAC;AAOD;;;;;;;GAOG;AACH,MAAM,UAAU,mBAAmB,CACjC,MAAqB,EACrB,OAAoC;IAEpC,MAAM,GAAG,GAAG,OAAO,EAAE,CAAC;IACtB,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;IAExB,GAAG,CAAC,GAAG,CAAC,uCAAuC,EAAE,CAAC,IAAa,EAAE,GAAa,EAAE,EAAE;QAChF,GAAG,CAAC,SAAS,CAAC,cAAc,EAAE,kBAAkB,CAAC,CAAC;QAClD,GAAG,CAAC,SAAS,CAAC,eAAe,EAAE,sBAAsB,CAAC,CAAC;QACvD,GAAG,CAAC,IAAI,CAAC;YACP,QAAQ,EAAE,MAAM,CAAC,MAAM,CAAC,YAAY;YACpC,qBAAqB,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC;YAC3C,gBAAgB,EAAE,MAAM,CAAC,MAAM;YAC/B,wBAAwB,EAAE,CAAC,QAAQ,CAAC;SACrC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,GAAG,CAAC,GAAG,CAAC,SAAS,EAAE,CAAC,IAAa,EAAE,GAAa,EAAE,EAAE;QAClD,GAAG,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;IACzD,CAAC,CAAC,CAAC;IAEH,MAAM,SAAS,GAAG,IAAI,SAAS,CAAC;QAC9B,IAAI,EAAE,MAAM,CAAC,MAAM,CAAC,IAAI;QACxB,OAAO,EAAE,OAAO,EAAE,OAAO,IAAI,OAAO;KACrC,CAAC,CAAC;IAEH,GAAG,CAAC,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,GAAY,EAAE,GAAa,EAAE,EAAE;QACrD,MAAM,SAAS,GAAG,IAAI,6BAA6B,CAAC;YAClD,kBAAkB,EAAE,SAAS;SAC9B,CAAC,CAAC;QAEH,GAAG,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE;YACnB,SAAS,CAAC,KAAK,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;QACpC,CAAC,CAAC,CAAC;QAEH,MAAM,SAAS,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QACnC,MAAM,SAAS,CAAC,aAAa,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,IAAI,CAAC,CAAC;IACpD,CAAC,CAAC,CAAC;IAEH,GAAG,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC,IAAa,EAAE,GAAa,EAAE,EAAE;QAC/C,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,gDAAgD,EAAE,CAAC,CAAC;IACpF,CAAC,CAAC,CAAC;IAEH,GAAG,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,IAAa,EAAE,GAAa,EAAE,EAAE;QAClD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,qBAAqB,EAAE,CAAC,CAAC;IACzD,CAAC,CAAC,CAAC;IAEH,OAAO,EAAE,GAAG,EAAE,SAAS,EAAE,CAAC;AAC5B,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,WAAW,CACzB,GAAoB,EACpB,MAAqB,EACrB,IAAY;IAEZ,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,GAAG,EAAE;QACpB,OAAO,CAAC,GAAG,CAAC,OAAO,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;QACzC,OAAO,CAAC,GAAG,CAAC,mCAAmC,IAAI,EAAE,CAAC,CAAC;QACvD,OAAO,CAAC,GAAG,CAAC,oCAAoC,IAAI,MAAM,CAAC,CAAC;QAC5D,OAAO,CAAC,GAAG,CACT,mDAAmD,IAAI,uCAAuC,CAC/F,CAAC;QACF,OAAO,CAAC,GAAG,CAAC,8BAA8B,IAAI,WAAW,CAAC,CAAC;IAC7D,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/mcp-server/index.d.ts

@@ -0,0 +1,3 @@
+export { loadRuntimeConfig, createMcpHttpServer, startServer, } from "./create-server.js";
+export type { RuntimeConfig, CreateMcpHttpServerOptions, } from "./create-server.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/mcp-server/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/mcp-server/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,iBAAiB,EACjB,mBAAmB,EACnB,WAAW,GACZ,MAAM,oBAAoB,CAAC;AAC5B,YAAY,EACV,aAAa,EACb,0BAA0B,GAC3B,MAAM,oBAAoB,CAAC"}

package/dist/mcp-server/index.js

@@ -0,0 +1,2 @@
+export { loadRuntimeConfig, createMcpHttpServer, startServer, } from "./create-server.js";
+//# sourceMappingURL=index.js.map

package/dist/mcp-server/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/mcp-server/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,iBAAiB,EACjB,mBAAmB,EACnB,WAAW,GACZ,MAAM,oBAAoB,CAAC"}

package/dist/types/auth0-responses.d.ts

@@ -0,0 +1,46 @@
+/**
+ * Subset of Auth0 Management API response types used by the provisioner.
+ * These are not exhaustive -- only fields we read or write.
+ */
+export interface Auth0Application {
+    client_id: string;
+    name: string;
+    app_type?: string;
+    token_endpoint_auth_method?: string;
+    grant_types?: string[];
+    callbacks?: string[];
+    allowed_logout_urls?: string[];
+    web_origins?: string[];
+    client_metadata?: Record<string, string>;
+    refresh_token?: {
+        rotation_type?: string;
+        expiration_type?: string;
+        token_lifetime?: number;
+    };
+    client_secret?: string;
+}
+export interface Auth0ApiScope {
+    value: string;
+    description?: string;
+}
+export interface Auth0Api {
+    id: string;
+    name: string;
+    identifier: string;
+    signing_alg?: string;
+    token_dialect?: string;
+    enforce_policies?: boolean;
+    scopes?: Auth0ApiScope[];
+}
+export interface Auth0ClientGrant {
+    id: string;
+    client_id: string;
+    audience: string;
+    scope: string[];
+    subject_type?: string;
+}
+export interface Auth0TenantSettings {
+    flags?: Record<string, boolean>;
+    [key: string]: unknown;
+}
+//# sourceMappingURL=auth0-responses.d.ts.map

package/dist/types/auth0-responses.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth0-responses.d.ts","sourceRoot":"","sources":["../../src/types/auth0-responses.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,MAAM,WAAW,gBAAgB;IAC/B,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,0BAA0B,CAAC,EAAE,MAAM,CAAC;IACpC,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;IACrB,mBAAmB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC/B,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB,eAAe,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACzC,aAAa,CAAC,EAAE;QACd,aAAa,CAAC,EAAE,MAAM,CAAC;QACvB,eAAe,CAAC,EAAE,MAAM,CAAC;QACzB,cAAc,CAAC,EAAE,MAAM,CAAC;KACzB,CAAC;IACF,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB;AAED,MAAM,WAAW,aAAa;IAC5B,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,QAAQ;IACvB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAC3B,MAAM,CAAC,EAAE,aAAa,EAAE,CAAC;CAC1B;AAED,MAAM,WAAW,gBAAgB;IAC/B,EAAE,EAAE,MAAM,CAAC;IACX,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,mBAAmB;IAClC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAChC,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB"}

package/dist/types/auth0-responses.js

@@ -0,0 +1,6 @@
+/**
+ * Subset of Auth0 Management API response types used by the provisioner.
+ * These are not exhaustive -- only fields we read or write.
+ */
+export {};
+//# sourceMappingURL=auth0-responses.js.map

package/dist/types/auth0-responses.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth0-responses.js","sourceRoot":"","sources":["../../src/types/auth0-responses.ts"],"names":[],"mappings":"AAAA;;;GAGG"}