@sentropic/h2a-cli 0.24.0 → 0.25.1

package/dist/index.d.ts

@@ -20,6 +20,7 @@ export { isNewerVersion, parseSemver, checkUpgrade, performUpgrade, currentCliVe
 export { cmdUpgrade, cmdOrg, cmdCoach } from "./cli.js";
 export { resolveSysmlElement, hashSysmlElement, verifyEnvelopeSysmlRef, extractSysmlRef, sysmlQueryScope, type SysmlFetchImpl, type SysmlFetchResponse, type ResolveSysmlOptions, type VerifyEnvelopeSysmlOptions, type VerifyEnvelopeSysmlResult, type H2ASysmlQueryScope, type H2ASysmlQueryDetail } from "./runtime/sysml/index.js";
 export { acceptRemoteEnvelope, createRemoteServer, rejectionStatus, remoteServerForStore, sendRemoteEnvelope, type AcceptRemoteOptions, type H2AAcceptRejection, type H2AAcceptResult, type RemoteServerForStoreOptions, type RemoteServerOptions, type SendRemoteOptions, type SendRemoteResult } from "./runtime/remote/index.js";
+export * from "./runtime/mcp-http/index.js";
 export declare const H2A_CLI_HOSTS: readonly [import("./hosts/codex.js").H2AConfigurableHostDescriptor, import("./hosts/codex.js").H2AConfigurableHostDescriptor, import("./hosts/codex.js").H2AConfigurableHostDescriptor, import("./hosts/codex.js").H2AConfigurableHostDescriptor];
 export declare const H2A_CLI_ADAPTER: {
     readonly packageName: "@sentropic/h2a-cli";

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AACpD,OAAO,EACL,aAAa,EACb,eAAe,EACf,MAAM,EACN,uBAAuB,EACvB,WAAW,EACX,aAAa,EACb,cAAc,EACf,MAAM,UAAU,CAAC;AAClB,OAAO,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAC;AAClD,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AACpD,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,EAAE,sBAAsB,EAAE,MAAM,UAAU,CAAC;AAElD,YAAY,EACV,6BAA6B,EAC7B,iBAAiB,EACjB,WAAW,EACX,oBAAoB,EACpB,sBAAsB,EACvB,MAAM,kBAAkB,CAAC;AAE1B,OAAO,EACL,eAAe,EACf,cAAc,EACd,eAAe,EACf,YAAY,EACZ,sBAAsB,EACtB,aAAa,EACb,eAAe,EACf,MAAM,EACN,uBAAuB,EACvB,WAAW,EACX,aAAa,EACb,cAAc,EACf,CAAC;AAEF,OAAO,EACL,sBAAsB,EACtB,6BAA6B,EAC7B,KAAK,cAAc,EACnB,KAAK,iBAAiB,EACtB,KAAK,kBAAkB,EACxB,MAAM,mBAAmB,CAAC;AAE3B,OAAO,EACL,qBAAqB,EACrB,wBAAwB,EACxB,gBAAgB,EAChB,wBAAwB,EACxB,gBAAgB,EAChB,cAAc,EACd,QAAQ,EACR,YAAY,EACZ,eAAe,EACf,cAAc,EACd,sBAAsB,EACtB,SAAS,EACT,YAAY,EACZ,YAAY,EACZ,eAAe,EACf,kBAAkB,EAClB,cAAc,EACd,SAAS,EACT,aAAa,EACb,QAAQ,EACR,YAAY,EACZ,aAAa,EACb,KAAK,uBAAuB,EAC5B,KAAK,WAAW,EAChB,KAAK,qBAAqB,EAC1B,KAAK,iBAAiB,EACtB,KAAK,sBAAsB,EAC3B,KAAK,WAAW,EAChB,KAAK,WAAW,EAChB,KAAK,mBAAmB,EACxB,KAAK,UAAU,EACf,KAAK,eAAe,EACpB,KAAK,SAAS,EACd,KAAK,mBAAmB,EACxB,KAAK,mBAAmB,EACxB,KAAK,mBAAmB,EACxB,KAAK,gBAAgB,EACrB,KAAK,eAAe,EACrB,MAAM,gCAAgC,CAAC;AAExC,OAAO,EACL,4BAA4B,EAC5B,sBAAsB,EACtB,eAAe,EACf,eAAe,EACf,WAAW,EACX,KAAK,sBAAsB,EAC3B,KAAK,cAAc,EACnB,KAAK,mBAAmB,EACxB,KAAK,SAAS,EACd,KAAK,iBAAiB,EACtB,KAAK,WAAW,EAChB,KAAK,aAAa,EAClB,KAAK,gBAAgB,EACrB,KAAK,kBAAkB,EACvB,KAAK,kBAAkB,EACvB,KAAK,sBAAsB,EAC5B,MAAM,wBAAwB,CAAC;AAEhC,OAAO,EACL,gBAAgB,EAChB,KAAK,kBAAkB,EACvB,KAAK,iBAAiB,EACvB,MAAM,iCAAiC,CAAC;AAEzC,OAAO,EACL,eAAe,EACf,KAAK,iBAAiB,EACtB,KAAK,gBAAgB,EACtB,MAAM,gCAAgC,CAAC;AAExC,OAAO,EACL,UAAU,EACV,iBAAiB,EACjB,YAAY,EACZ,kBAAkB,EAClB,YAAY,EACZ,oBAAoB,EACpB,YAAY,EACZ,YAAY,EACZ,gBAAgB,EAChB,iBAAiB,EACjB,mBAAmB,EACnB,kBAAkB,EAClB,gBAAgB,EAChB,eAAe,EACf,UAAU,EACV,wBAAwB,EACxB,gBAAgB,EAChB,cAAc,EACd,eAAe,EACf,sBAAsB,EACtB,qBAAqB,EACrB,wBAAwB,EACxB,KAAK,gBAAgB,EACrB,KAAK,kBAAkB,EACvB,KAAK,iBAAiB,EACtB,KAAK,qBAAqB,EAC1B,KAAK,aAAa,EAClB,KAAK,iBAAiB,EACtB,KAAK,qBAAqB,EAC1B,KAAK,mBAAmB,EACxB,KAAK,yBAAyB,EAC9B,KAAK,iBAAiB,EACtB,KAAK,sBAAsB,EAC3B,KAAK,oBAAoB,EACzB,KAAK,uBAAuB,EAC5B,KAAK,uBAAuB,EAC5B,KAAK,kBAAkB,EACvB,KAAK,oBAAoB,EACzB,KAAK,gBAAgB,EACrB,KAAK,cAAc,EACnB,KAAK,sBAAsB,EAC3B,KAAK,yBAAyB,EAC/B,MAAM,6BAA6B,CAAC;AAErC,OAAO,EACL,aAAa,EACb,YAAY,EACZ,aAAa,EACb,eAAe,EACf,eAAe,IAAI,uBAAuB,EAC1C,eAAe,EACf,eAAe,EACf,aAAa,IAAI,qBAAqB,EACtC,sBAAsB,EACtB,KAAK,kBAAkB,EACvB,KAAK,gBAAgB,EACrB,KAAK,YAAY,EACjB,KAAK,eAAe,EACrB,MAAM,6BAA6B,CAAC;AAErC,OAAO,EACL,cAAc,EACd,WAAW,EACX,4BAA4B,EAC5B,cAAc,EACd,eAAe,EACf,aAAa,EACb,uBAAuB,EACvB,2BAA2B,EAC3B,4BAA4B,EAC5B,KAAK,mCAAmC,EACxC,KAAK,uBAAuB,EAC5B,KAAK,uBAAuB,EAC5B,KAAK,0BAA0B,EAC/B,KAAK,eAAe,EACpB,KAAK,oBAAoB,EACzB,KAAK,oBAAoB,EACzB,KAAK,SAAS,EACd,KAAK,aAAa,EAClB,KAAK,8BAA8B,EACnC,KAAK,4BAA4B,EACjC,KAAK,mCAAmC,EACzC,MAAM,0BAA0B,CAAC;AAElC,OAAO,EACL,gBAAgB,EAChB,cAAc,EACd,eAAe,EACf,eAAe,EACf,KAAK,mBAAmB,EACxB,KAAK,mBAAmB,EACxB,KAAK,qBAAqB,EAC3B,MAAM,+BAA+B,CAAC;AAEvC,OAAO,EACL,sBAAsB,EACtB,6BAA6B,EAC7B,YAAY,EACZ,WAAW,EACX,kBAAkB,EAClB,aAAa,EACb,eAAe,EACf,oBAAoB,EACpB,KAAK,mBAAmB,EACxB,KAAK,sBAAsB,EAC3B,KAAK,eAAe,EACpB,KAAK,sBAAsB,EAC3B,KAAK,qBAAqB,EAC1B,KAAK,2BAA2B,EAChC,KAAK,kBAAkB,EACvB,KAAK,kBAAkB,EACvB,KAAK,iBAAiB,EACtB,KAAK,mBAAmB,EACzB,MAAM,6BAA6B,CAAC;AAErC,OAAO,EACL,cAAc,EACd,WAAW,EACX,YAAY,EACZ,cAAc,EACd,iBAAiB,EACjB,gBAAgB,EAChB,SAAS,EACT,UAAU,EACV,eAAe,EACf,wBAAwB,EACxB,oBAAoB,EACpB,KAAK,aAAa,EAClB,KAAK,cAAc,EACnB,KAAK,iBAAiB,EACtB,KAAK,kBAAkB,EACxB,MAAM,4BAA4B,CAAC;AAEpC,OAAO,EAAE,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,UAAU,CAAC;AAExD,OAAO,EACL,mBAAmB,EACnB,gBAAgB,EAChB,sBAAsB,EACtB,eAAe,EACf,eAAe,EACf,KAAK,cAAc,EACnB,KAAK,kBAAkB,EACvB,KAAK,mBAAmB,EACxB,KAAK,0BAA0B,EAC/B,KAAK,yBAAyB,EAC9B,KAAK,kBAAkB,EACvB,KAAK,mBAAmB,EACzB,MAAM,0BAA0B,CAAC;AAElC,OAAO,EACL,oBAAoB,EACpB,kBAAkB,EAClB,eAAe,EACf,oBAAoB,EACpB,kBAAkB,EAClB,KAAK,mBAAmB,EACxB,KAAK,kBAAkB,EACvB,KAAK,eAAe,EACpB,KAAK,2BAA2B,EAChC,KAAK,mBAAmB,EACxB,KAAK,iBAAiB,EACtB,KAAK,gBAAgB,EACtB,MAAM,2BAA2B,CAAC;AAEnC,eAAO,MAAM,aAAa,mPAKhB,CAAC;AAEX,eAAO,MAAM,eAAe;;;;;;CAMlB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AACpD,OAAO,EACL,aAAa,EACb,eAAe,EACf,MAAM,EACN,uBAAuB,EACvB,WAAW,EACX,aAAa,EACb,cAAc,EACf,MAAM,UAAU,CAAC;AAClB,OAAO,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAC;AAClD,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AACpD,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,EAAE,sBAAsB,EAAE,MAAM,UAAU,CAAC;AAElD,YAAY,EACV,6BAA6B,EAC7B,iBAAiB,EACjB,WAAW,EACX,oBAAoB,EACpB,sBAAsB,EACvB,MAAM,kBAAkB,CAAC;AAE1B,OAAO,EACL,eAAe,EACf,cAAc,EACd,eAAe,EACf,YAAY,EACZ,sBAAsB,EACtB,aAAa,EACb,eAAe,EACf,MAAM,EACN,uBAAuB,EACvB,WAAW,EACX,aAAa,EACb,cAAc,EACf,CAAC;AAEF,OAAO,EACL,sBAAsB,EACtB,6BAA6B,EAC7B,KAAK,cAAc,EACnB,KAAK,iBAAiB,EACtB,KAAK,kBAAkB,EACxB,MAAM,mBAAmB,CAAC;AAE3B,OAAO,EACL,qBAAqB,EACrB,wBAAwB,EACxB,gBAAgB,EAChB,wBAAwB,EACxB,gBAAgB,EAChB,cAAc,EACd,QAAQ,EACR,YAAY,EACZ,eAAe,EACf,cAAc,EACd,sBAAsB,EACtB,SAAS,EACT,YAAY,EACZ,YAAY,EACZ,eAAe,EACf,kBAAkB,EAClB,cAAc,EACd,SAAS,EACT,aAAa,EACb,QAAQ,EACR,YAAY,EACZ,aAAa,EACb,KAAK,uBAAuB,EAC5B,KAAK,WAAW,EAChB,KAAK,qBAAqB,EAC1B,KAAK,iBAAiB,EACtB,KAAK,sBAAsB,EAC3B,KAAK,WAAW,EAChB,KAAK,WAAW,EAChB,KAAK,mBAAmB,EACxB,KAAK,UAAU,EACf,KAAK,eAAe,EACpB,KAAK,SAAS,EACd,KAAK,mBAAmB,EACxB,KAAK,mBAAmB,EACxB,KAAK,mBAAmB,EACxB,KAAK,gBAAgB,EACrB,KAAK,eAAe,EACrB,MAAM,gCAAgC,CAAC;AAExC,OAAO,EACL,4BAA4B,EAC5B,sBAAsB,EACtB,eAAe,EACf,eAAe,EACf,WAAW,EACX,KAAK,sBAAsB,EAC3B,KAAK,cAAc,EACnB,KAAK,mBAAmB,EACxB,KAAK,SAAS,EACd,KAAK,iBAAiB,EACtB,KAAK,WAAW,EAChB,KAAK,aAAa,EAClB,KAAK,gBAAgB,EACrB,KAAK,kBAAkB,EACvB,KAAK,kBAAkB,EACvB,KAAK,sBAAsB,EAC5B,MAAM,wBAAwB,CAAC;AAEhC,OAAO,EACL,gBAAgB,EAChB,KAAK,kBAAkB,EACvB,KAAK,iBAAiB,EACvB,MAAM,iCAAiC,CAAC;AAEzC,OAAO,EACL,eAAe,EACf,KAAK,iBAAiB,EACtB,KAAK,gBAAgB,EACtB,MAAM,gCAAgC,CAAC;AAExC,OAAO,EACL,UAAU,EACV,iBAAiB,EACjB,YAAY,EACZ,kBAAkB,EAClB,YAAY,EACZ,oBAAoB,EACpB,YAAY,EACZ,YAAY,EACZ,gBAAgB,EAChB,iBAAiB,EACjB,mBAAmB,EACnB,kBAAkB,EAClB,gBAAgB,EAChB,eAAe,EACf,UAAU,EACV,wBAAwB,EACxB,gBAAgB,EAChB,cAAc,EACd,eAAe,EACf,sBAAsB,EACtB,qBAAqB,EACrB,wBAAwB,EACxB,KAAK,gBAAgB,EACrB,KAAK,kBAAkB,EACvB,KAAK,iBAAiB,EACtB,KAAK,qBAAqB,EAC1B,KAAK,aAAa,EAClB,KAAK,iBAAiB,EACtB,KAAK,qBAAqB,EAC1B,KAAK,mBAAmB,EACxB,KAAK,yBAAyB,EAC9B,KAAK,iBAAiB,EACtB,KAAK,sBAAsB,EAC3B,KAAK,oBAAoB,EACzB,KAAK,uBAAuB,EAC5B,KAAK,uBAAuB,EAC5B,KAAK,kBAAkB,EACvB,KAAK,oBAAoB,EACzB,KAAK,gBAAgB,EACrB,KAAK,cAAc,EACnB,KAAK,sBAAsB,EAC3B,KAAK,yBAAyB,EAC/B,MAAM,6BAA6B,CAAC;AAErC,OAAO,EACL,aAAa,EACb,YAAY,EACZ,aAAa,EACb,eAAe,EACf,eAAe,IAAI,uBAAuB,EAC1C,eAAe,EACf,eAAe,EACf,aAAa,IAAI,qBAAqB,EACtC,sBAAsB,EACtB,KAAK,kBAAkB,EACvB,KAAK,gBAAgB,EACrB,KAAK,YAAY,EACjB,KAAK,eAAe,EACrB,MAAM,6BAA6B,CAAC;AAErC,OAAO,EACL,cAAc,EACd,WAAW,EACX,4BAA4B,EAC5B,cAAc,EACd,eAAe,EACf,aAAa,EACb,uBAAuB,EACvB,2BAA2B,EAC3B,4BAA4B,EAC5B,KAAK,mCAAmC,EACxC,KAAK,uBAAuB,EAC5B,KAAK,uBAAuB,EAC5B,KAAK,0BAA0B,EAC/B,KAAK,eAAe,EACpB,KAAK,oBAAoB,EACzB,KAAK,oBAAoB,EACzB,KAAK,SAAS,EACd,KAAK,aAAa,EAClB,KAAK,8BAA8B,EACnC,KAAK,4BAA4B,EACjC,KAAK,mCAAmC,EACzC,MAAM,0BAA0B,CAAC;AAElC,OAAO,EACL,gBAAgB,EAChB,cAAc,EACd,eAAe,EACf,eAAe,EACf,KAAK,mBAAmB,EACxB,KAAK,mBAAmB,EACxB,KAAK,qBAAqB,EAC3B,MAAM,+BAA+B,CAAC;AAEvC,OAAO,EACL,sBAAsB,EACtB,6BAA6B,EAC7B,YAAY,EACZ,WAAW,EACX,kBAAkB,EAClB,aAAa,EACb,eAAe,EACf,oBAAoB,EACpB,KAAK,mBAAmB,EACxB,KAAK,sBAAsB,EAC3B,KAAK,eAAe,EACpB,KAAK,sBAAsB,EAC3B,KAAK,qBAAqB,EAC1B,KAAK,2BAA2B,EAChC,KAAK,kBAAkB,EACvB,KAAK,kBAAkB,EACvB,KAAK,iBAAiB,EACtB,KAAK,mBAAmB,EACzB,MAAM,6BAA6B,CAAC;AAErC,OAAO,EACL,cAAc,EACd,WAAW,EACX,YAAY,EACZ,cAAc,EACd,iBAAiB,EACjB,gBAAgB,EAChB,SAAS,EACT,UAAU,EACV,eAAe,EACf,wBAAwB,EACxB,oBAAoB,EACpB,KAAK,aAAa,EAClB,KAAK,cAAc,EACnB,KAAK,iBAAiB,EACtB,KAAK,kBAAkB,EACxB,MAAM,4BAA4B,CAAC;AAEpC,OAAO,EAAE,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,UAAU,CAAC;AAExD,OAAO,EACL,mBAAmB,EACnB,gBAAgB,EAChB,sBAAsB,EACtB,eAAe,EACf,eAAe,EACf,KAAK,cAAc,EACnB,KAAK,kBAAkB,EACvB,KAAK,mBAAmB,EACxB,KAAK,0BAA0B,EAC/B,KAAK,yBAAyB,EAC9B,KAAK,kBAAkB,EACvB,KAAK,mBAAmB,EACzB,MAAM,0BAA0B,CAAC;AAElC,OAAO,EACL,oBAAoB,EACpB,kBAAkB,EAClB,eAAe,EACf,oBAAoB,EACpB,kBAAkB,EAClB,KAAK,mBAAmB,EACxB,KAAK,kBAAkB,EACvB,KAAK,eAAe,EACpB,KAAK,2BAA2B,EAChC,KAAK,mBAAmB,EACxB,KAAK,iBAAiB,EACtB,KAAK,gBAAgB,EACtB,MAAM,2BAA2B,CAAC;AAEnC,cAAc,6BAA6B,CAAC;AAE5C,eAAO,MAAM,aAAa,mPAKhB,CAAC;AAEX,eAAO,MAAM,eAAe;;;;;;CAMlB,CAAC"}

package/dist/index.js

@@ -19,6 +19,7 @@ export { isNewerVersion, parseSemver, checkUpgrade, performUpgrade, currentCliVe
 export { cmdUpgrade, cmdOrg, cmdCoach } from "./cli.js";
 export { resolveSysmlElement, hashSysmlElement, verifyEnvelopeSysmlRef, extractSysmlRef, sysmlQueryScope } from "./runtime/sysml/index.js";
 export { acceptRemoteEnvelope, createRemoteServer, rejectionStatus, remoteServerForStore, sendRemoteEnvelope } from "./runtime/remote/index.js";
+export * from "./runtime/mcp-http/index.js";
 export const H2A_CLI_HOSTS = [
     H2A_CODEX_HOST,
     H2A_CLAUDE_HOST,

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AACpD,OAAO,EACL,aAAa,EACb,eAAe,EACf,MAAM,EACN,uBAAuB,EACvB,WAAW,EACX,aAAa,EACb,cAAc,EACf,MAAM,UAAU,CAAC;AAClB,OAAO,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAC;AAClD,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AACpD,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,EAAE,sBAAsB,EAAE,MAAM,UAAU,CAAC;AAUlD,OAAO,EACL,eAAe,EACf,cAAc,EACd,eAAe,EACf,YAAY,EACZ,sBAAsB,EACtB,aAAa,EACb,eAAe,EACf,MAAM,EACN,uBAAuB,EACvB,WAAW,EACX,aAAa,EACb,cAAc,EACf,CAAC;AAEF,OAAO,EACL,sBAAsB,EACtB,6BAA6B,EAI9B,MAAM,mBAAmB,CAAC;AAE3B,OAAO,EACL,qBAAqB,EACrB,wBAAwB,EACxB,gBAAgB,EAChB,wBAAwB,EACxB,gBAAgB,EAChB,cAAc,EACd,QAAQ,EACR,YAAY,EACZ,eAAe,EACf,cAAc,EACd,sBAAsB,EACtB,SAAS,EACT,YAAY,EACZ,YAAY,EACZ,eAAe,EACf,kBAAkB,EAClB,cAAc,EACd,SAAS,EACT,aAAa,EACb,QAAQ,EACR,YAAY,EACZ,aAAa,EAiBd,MAAM,gCAAgC,CAAC;AAExC,OAAO,EACL,4BAA4B,EAC5B,sBAAsB,EACtB,eAAe,EACf,eAAe,EACf,WAAW,EAYZ,MAAM,wBAAwB,CAAC;AAEhC,OAAO,EACL,gBAAgB,EAGjB,MAAM,iCAAiC,CAAC;AAEzC,OAAO,EACL,eAAe,EAGhB,MAAM,gCAAgC,CAAC;AAExC,OAAO,EACL,UAAU,EACV,iBAAiB,EACjB,YAAY,EACZ,kBAAkB,EAClB,YAAY,EACZ,oBAAoB,EACpB,YAAY,EACZ,YAAY,EACZ,gBAAgB,EAChB,iBAAiB,EACjB,mBAAmB,EACnB,kBAAkB,EAClB,gBAAgB,EAChB,eAAe,EACf,UAAU,EACV,wBAAwB,EACxB,gBAAgB,EAChB,cAAc,EACd,eAAe,EACf,sBAAsB,EACtB,qBAAqB,EACrB,wBAAwB,EAqBzB,MAAM,6BAA6B,CAAC;AAErC,OAAO,EACL,aAAa,EACb,YAAY,EACZ,aAAa,EACb,eAAe,EACf,eAAe,IAAI,uBAAuB,EAC1C,eAAe,EACf,eAAe,EACf,aAAa,IAAI,qBAAqB,EACtC,sBAAsB,EAKvB,MAAM,6BAA6B,CAAC;AAErC,OAAO,EACL,cAAc,EACd,WAAW,EACX,4BAA4B,EAC5B,cAAc,EACd,eAAe,EACf,aAAa,EACb,uBAAuB,EACvB,2BAA2B,EAC3B,4BAA4B,EAa7B,MAAM,0BAA0B,CAAC;AAElC,OAAO,EACL,gBAAgB,EAChB,cAAc,EACd,eAAe,EACf,eAAe,EAIhB,MAAM,+BAA+B,CAAC;AAEvC,OAAO,EACL,sBAAsB,EACtB,6BAA6B,EAC7B,YAAY,EACZ,WAAW,EACX,kBAAkB,EAClB,aAAa,EACb,eAAe,EACf,oBAAoB,EAWrB,MAAM,6BAA6B,CAAC;AAErC,OAAO,EACL,cAAc,EACd,WAAW,EACX,YAAY,EACZ,cAAc,EACd,iBAAiB,EACjB,gBAAgB,EAChB,SAAS,EACT,UAAU,EACV,eAAe,EACf,wBAAwB,EACxB,oBAAoB,EAKrB,MAAM,4BAA4B,CAAC;AAEpC,OAAO,EAAE,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,UAAU,CAAC;AAExD,OAAO,EACL,mBAAmB,EACnB,gBAAgB,EAChB,sBAAsB,EACtB,eAAe,EACf,eAAe,EAQhB,MAAM,0BAA0B,CAAC;AAElC,OAAO,EACL,oBAAoB,EACpB,kBAAkB,EAClB,eAAe,EACf,oBAAoB,EACpB,kBAAkB,EAQnB,MAAM,2BAA2B,CAAC;AAEnC,MAAM,CAAC,MAAM,aAAa,GAAG;IAC3B,cAAc;IACd,eAAe;IACf,eAAe;IACf,YAAY;CACJ,CAAC;AAEX,MAAM,CAAC,MAAM,eAAe,GAAG;IAC7B,WAAW,EAAE,oBAAoB;IACjC,eAAe,EAAE,gBAAgB;IACjC,QAAQ,EAAE,eAAe;IACzB,KAAK,EAAE,aAAa;IACpB,YAAY,EAAE,sBAAsB;CAC5B,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AACpD,OAAO,EACL,aAAa,EACb,eAAe,EACf,MAAM,EACN,uBAAuB,EACvB,WAAW,EACX,aAAa,EACb,cAAc,EACf,MAAM,UAAU,CAAC;AAClB,OAAO,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAC;AAClD,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AACpD,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,EAAE,sBAAsB,EAAE,MAAM,UAAU,CAAC;AAUlD,OAAO,EACL,eAAe,EACf,cAAc,EACd,eAAe,EACf,YAAY,EACZ,sBAAsB,EACtB,aAAa,EACb,eAAe,EACf,MAAM,EACN,uBAAuB,EACvB,WAAW,EACX,aAAa,EACb,cAAc,EACf,CAAC;AAEF,OAAO,EACL,sBAAsB,EACtB,6BAA6B,EAI9B,MAAM,mBAAmB,CAAC;AAE3B,OAAO,EACL,qBAAqB,EACrB,wBAAwB,EACxB,gBAAgB,EAChB,wBAAwB,EACxB,gBAAgB,EAChB,cAAc,EACd,QAAQ,EACR,YAAY,EACZ,eAAe,EACf,cAAc,EACd,sBAAsB,EACtB,SAAS,EACT,YAAY,EACZ,YAAY,EACZ,eAAe,EACf,kBAAkB,EAClB,cAAc,EACd,SAAS,EACT,aAAa,EACb,QAAQ,EACR,YAAY,EACZ,aAAa,EAiBd,MAAM,gCAAgC,CAAC;AAExC,OAAO,EACL,4BAA4B,EAC5B,sBAAsB,EACtB,eAAe,EACf,eAAe,EACf,WAAW,EAYZ,MAAM,wBAAwB,CAAC;AAEhC,OAAO,EACL,gBAAgB,EAGjB,MAAM,iCAAiC,CAAC;AAEzC,OAAO,EACL,eAAe,EAGhB,MAAM,gCAAgC,CAAC;AAExC,OAAO,EACL,UAAU,EACV,iBAAiB,EACjB,YAAY,EACZ,kBAAkB,EAClB,YAAY,EACZ,oBAAoB,EACpB,YAAY,EACZ,YAAY,EACZ,gBAAgB,EAChB,iBAAiB,EACjB,mBAAmB,EACnB,kBAAkB,EAClB,gBAAgB,EAChB,eAAe,EACf,UAAU,EACV,wBAAwB,EACxB,gBAAgB,EAChB,cAAc,EACd,eAAe,EACf,sBAAsB,EACtB,qBAAqB,EACrB,wBAAwB,EAqBzB,MAAM,6BAA6B,CAAC;AAErC,OAAO,EACL,aAAa,EACb,YAAY,EACZ,aAAa,EACb,eAAe,EACf,eAAe,IAAI,uBAAuB,EAC1C,eAAe,EACf,eAAe,EACf,aAAa,IAAI,qBAAqB,EACtC,sBAAsB,EAKvB,MAAM,6BAA6B,CAAC;AAErC,OAAO,EACL,cAAc,EACd,WAAW,EACX,4BAA4B,EAC5B,cAAc,EACd,eAAe,EACf,aAAa,EACb,uBAAuB,EACvB,2BAA2B,EAC3B,4BAA4B,EAa7B,MAAM,0BAA0B,CAAC;AAElC,OAAO,EACL,gBAAgB,EAChB,cAAc,EACd,eAAe,EACf,eAAe,EAIhB,MAAM,+BAA+B,CAAC;AAEvC,OAAO,EACL,sBAAsB,EACtB,6BAA6B,EAC7B,YAAY,EACZ,WAAW,EACX,kBAAkB,EAClB,aAAa,EACb,eAAe,EACf,oBAAoB,EAWrB,MAAM,6BAA6B,CAAC;AAErC,OAAO,EACL,cAAc,EACd,WAAW,EACX,YAAY,EACZ,cAAc,EACd,iBAAiB,EACjB,gBAAgB,EAChB,SAAS,EACT,UAAU,EACV,eAAe,EACf,wBAAwB,EACxB,oBAAoB,EAKrB,MAAM,4BAA4B,CAAC;AAEpC,OAAO,EAAE,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,UAAU,CAAC;AAExD,OAAO,EACL,mBAAmB,EACnB,gBAAgB,EAChB,sBAAsB,EACtB,eAAe,EACf,eAAe,EAQhB,MAAM,0BAA0B,CAAC;AAElC,OAAO,EACL,oBAAoB,EACpB,kBAAkB,EAClB,eAAe,EACf,oBAAoB,EACpB,kBAAkB,EAQnB,MAAM,2BAA2B,CAAC;AAEnC,cAAc,6BAA6B,CAAC;AAE5C,MAAM,CAAC,MAAM,aAAa,GAAG;IAC3B,cAAc;IACd,eAAe;IACf,eAAe;IACf,YAAY;CACJ,CAAC;AAEX,MAAM,CAAC,MAAM,eAAe,GAAG;IAC7B,WAAW,EAAE,oBAAoB;IACjC,eAAe,EAAE,gBAAgB;IACjC,QAAQ,EAAE,eAAe;IACzB,KAAK,EAAE,aAAa;IACpB,YAAY,EAAE,sBAAsB;CAC5B,CAAC"}

package/dist/runtime/mcp-http/app.d.ts

@@ -0,0 +1,12 @@
+import { Hono } from "hono";
+import type { McpServer } from "../mcp/server.js";
+import { type H2AHostedOAuthConfig } from "./oauth/config.js";
+import type { SingleTenantOAuthProvider } from "./oauth/single-tenant-provider.js";
+export interface HostedAppDeps {
+    oauthProvider: SingleTenantOAuthProvider;
+    oauthConfig: H2AHostedOAuthConfig;
+    /** The in-process h2a MCP dispatch (createMcpServer) — its read-only tools are exposed. */
+    h2aMcpServer: McpServer;
+}
+export declare function createHostedApp(deps: HostedAppDeps): Hono;
+//# sourceMappingURL=app.d.ts.map

package/dist/runtime/mcp-http/app.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"app.d.ts","sourceRoot":"","sources":["../../../src/runtime/mcp-http/app.ts"],"names":[],"mappings":"AAQA,OAAO,EAAgB,IAAI,EAAE,MAAM,MAAM,CAAC;AAE1C,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAElD,OAAO,EAA0B,KAAK,oBAAoB,EAAE,MAAM,mBAAmB,CAAC;AAEtF,OAAO,KAAK,EAAE,yBAAyB,EAAE,MAAM,mCAAmC,CAAC;AAEnF,MAAM,WAAW,aAAa;IAC5B,aAAa,EAAE,yBAAyB,CAAC;IACzC,WAAW,EAAE,oBAAoB,CAAC;IAClC,2FAA2F;IAC3F,YAAY,EAAE,SAAS,CAAC;CACzB;AAMD,wBAAgB,eAAe,CAAC,IAAI,EAAE,aAAa,GAAG,IAAI,CAsDzD"}

package/dist/runtime/mcp-http/app.js

@@ -0,0 +1,61 @@
+/**
+ * EVO-12 hosted MCP HTTP app (Hono) — the self-AS OAuth surface + the
+ * bearer-gated Streamable-HTTP MCP endpoint, exposing only the read-only tools.
+ * `createHostedApp` is the testable core; the env-driven entrypoint is below.
+ */
+import { randomUUID } from "node:crypto";
+import { StreamableHTTPTransport } from "@hono/mcp";
+import { bearerAuth } from "@hono/mcp/auth";
+import { Hono } from "hono";
+import { buildHostedMcpServer } from "./hosted-mcp-server.js";
+import { H2A_HOSTED_OAUTH_SCOPE } from "./oauth/config.js";
+import { buildOAuthRoutes } from "./oauth/hono-oauth-router.js";
+export function createHostedApp(deps) {
+    const app = new Hono();
+    app.get("/healthz", (c) => c.json({ ok: true }));
+    app.get("/readyz", (c) => c.json({ ok: true }));
+    // OAuth AS + protected-resource metadata (unauthenticated) at the root.
+    app.route("/", buildOAuthRoutes(deps.oauthProvider, deps.oauthConfig));
+    // Bearer gate for /mcp: valid access token AND the read-only scope.
+    const requireAuth = bearerAuth({
+        verifyToken: async (token) => {
+            try {
+                const info = await deps.oauthProvider.verifyAccessToken(token);
+                return info.scopes.includes(H2A_HOSTED_OAUTH_SCOPE);
+            }
+            catch {
+                return false;
+            }
+        }
+    });
+    const sessions = new Map();
+    const mcpHandler = async (c) => {
+        const requestedSessionId = c.req.header("mcp-session-id");
+        let session = requestedSessionId ? sessions.get(requestedSessionId) : undefined;
+        if (!session) {
+            let created;
+            const transport = new StreamableHTTPTransport({
+                enableJsonResponse: true,
+                sessionIdGenerator: () => randomUUID(),
+                onsessioninitialized: (sessionId) => {
+                    if (created)
+                        sessions.set(sessionId, created);
+                },
+                onsessionclosed: (sessionId) => {
+                    sessions.delete(sessionId);
+                }
+            });
+            created = { transport };
+            // One SDK server per session, exposing ONLY the read-only allowlist.
+            const server = buildHostedMcpServer(deps.h2aMcpServer);
+            await server.connect(transport);
+            session = created;
+        }
+        const res = await session.transport.handleRequest(c);
+        return res ?? c.body(null, 202);
+    };
+    // claude.ai connects at the resource-server URL (/mcp); only /mcp is bearer-gated.
+    app.all("/mcp", requireAuth, mcpHandler);
+    return app;
+}
+//# sourceMappingURL=app.js.map

package/dist/runtime/mcp-http/app.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"app.js","sourceRoot":"","sources":["../../../src/runtime/mcp-http/app.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,uBAAuB,EAAE,MAAM,WAAW,CAAC;AACpD,OAAO,EAAE,UAAU,EAAE,MAAM,gBAAgB,CAAC;AAC5C,OAAO,EAAgB,IAAI,EAAE,MAAM,MAAM,CAAC;AAG1C,OAAO,EAAE,oBAAoB,EAAE,MAAM,wBAAwB,CAAC;AAC9D,OAAO,EAAE,sBAAsB,EAA6B,MAAM,mBAAmB,CAAC;AACtF,OAAO,EAAE,gBAAgB,EAAE,MAAM,8BAA8B,CAAC;AAchE,MAAM,UAAU,eAAe,CAAC,IAAmB;IACjD,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;IAEvB,GAAG,CAAC,GAAG,CAAC,UAAU,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;IACjD,GAAG,CAAC,GAAG,CAAC,SAAS,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;IAEhD,wEAAwE;IACxE,GAAG,CAAC,KAAK,CAAC,GAAG,EAAE,gBAAgB,CAAC,IAAI,CAAC,aAAa,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC;IAEvE,oEAAoE;IACpE,MAAM,WAAW,GAAG,UAAU,CAAC;QAC7B,WAAW,EAAE,KAAK,EAAE,KAAa,EAAoB,EAAE;YACrD,IAAI,CAAC;gBACH,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,iBAAiB,CAAC,KAAK,CAAC,CAAC;gBAC/D,OAAO,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,sBAAsB,CAAC,CAAC;YACtD,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;KACF,CAAC,CAAC;IAEH,MAAM,QAAQ,GAAG,IAAI,GAAG,EAA0B,CAAC;IAEnD,MAAM,UAAU,GAAG,KAAK,EAAE,CAAU,EAAE,EAAE;QACtC,MAAM,kBAAkB,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC;QAC1D,IAAI,OAAO,GAAG,kBAAkB,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QAEhF,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,IAAI,OAAmC,CAAC;YACxC,MAAM,SAAS,GAAG,IAAI,uBAAuB,CAAC;gBAC5C,kBAAkB,EAAE,IAAI;gBACxB,kBAAkB,EAAE,GAAG,EAAE,CAAC,UAAU,EAAE;gBACtC,oBAAoB,EAAE,CAAC,SAAS,EAAE,EAAE;oBAClC,IAAI,OAAO;wBAAE,QAAQ,CAAC,GAAG,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;gBAChD,CAAC;gBACD,eAAe,EAAE,CAAC,SAAS,EAAE,EAAE;oBAC7B,QAAQ,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;gBAC7B,CAAC;aACF,CAAC,CAAC;YACH,OAAO,GAAG,EAAE,SAAS,EAAE,CAAC;YACxB,qEAAqE;YACrE,MAAM,MAAM,GAAG,oBAAoB,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;YACvD,MAAM,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;YAChC,OAAO,GAAG,OAAO,CAAC;QACpB,CAAC;QAED,MAAM,GAAG,GAAG,MAAM,OAAO,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC;QACrD,OAAO,GAAG,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IAClC,CAAC,CAAC;IAEF,mFAAmF;IACnF,GAAG,CAAC,GAAG,CAAC,MAAM,EAAE,WAAW,EAAE,UAAU,CAAC,CAAC;IAEzC,OAAO,GAAG,CAAC;AACb,CAAC"}

package/dist/runtime/mcp-http/hosted-mcp-server.d.ts

@@ -0,0 +1,14 @@
+/**
+ * EVO-12 hosted MCP server — wraps the EXISTING in-process h2a tool dispatch
+ * (`McpServer.callTool`) behind an SDK `Server`, exposing ONLY the read-only
+ * allowlist. `dispatchHostedTool` refuses any non-allowlisted tool name
+ * (defense-in-depth: a signing/private-key tool is never reachable here, even
+ * if the wire asked for it).
+ */
+import { Server } from "@modelcontextprotocol/sdk/server/index.js";
+import { type CallToolResult } from "@modelcontextprotocol/sdk/types.js";
+import type { McpServer } from "../mcp/server.js";
+export declare function dispatchHostedTool(h2a: McpServer, name: string, args: Record<string, unknown> | undefined): CallToolResult;
+/** SDK Server exposing only the read-only allowlist, dispatching to the h2a callTool. */
+export declare function buildHostedMcpServer(h2a: McpServer): Server;
+//# sourceMappingURL=hosted-mcp-server.d.ts.map

package/dist/runtime/mcp-http/hosted-mcp-server.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"hosted-mcp-server.d.ts","sourceRoot":"","sources":["../../../src/runtime/mcp-http/hosted-mcp-server.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AACH,OAAO,EAAE,MAAM,EAAE,MAAM,2CAA2C,CAAC;AACnE,OAAO,EAEL,KAAK,cAAc,EAEpB,MAAM,oCAAoC,CAAC;AAI5C,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAGlD,wBAAgB,kBAAkB,CAChC,GAAG,EAAE,SAAS,EACd,IAAI,EAAE,MAAM,EACZ,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,SAAS,GACxC,cAAc,CAYhB;AAED,yFAAyF;AACzF,wBAAgB,oBAAoB,CAAC,GAAG,EAAE,SAAS,GAAG,MAAM,CAoB3D"}

package/dist/runtime/mcp-http/hosted-mcp-server.js

@@ -0,0 +1,38 @@
+/**
+ * EVO-12 hosted MCP server — wraps the EXISTING in-process h2a tool dispatch
+ * (`McpServer.callTool`) behind an SDK `Server`, exposing ONLY the read-only
+ * allowlist. `dispatchHostedTool` refuses any non-allowlisted tool name
+ * (defense-in-depth: a signing/private-key tool is never reachable here, even
+ * if the wire asked for it).
+ */
+import { Server } from "@modelcontextprotocol/sdk/server/index.js";
+import { CallToolRequestSchema, ListToolsRequestSchema } from "@modelcontextprotocol/sdk/types.js";
+import { currentCliVersion } from "../upgrade/index.js";
+import { H2A_CLI_MCP_TOOL_DESCRIPTORS } from "../mcp/tools.js";
+import { hostedReadOnlyDescriptors, isHostedReadOnlyTool } from "./readonly-allowlist.js";
+export function dispatchHostedTool(h2a, name, args) {
+    if (!isHostedReadOnlyTool(name)) {
+        return {
+            content: [{ type: "text", text: `tool '${name}' is not exposed on the hosted read-only surface` }],
+            isError: true
+        };
+    }
+    const result = h2a.callTool(name, args);
+    if (result && typeof result === "object" && "error" in result && typeof result.error === "string") {
+        return { content: [{ type: "text", text: result.error }], isError: true };
+    }
+    return { content: [{ type: "text", text: JSON.stringify(result, null, 2) }] };
+}
+/** SDK Server exposing only the read-only allowlist, dispatching to the h2a callTool. */
+export function buildHostedMcpServer(h2a) {
+    const server = new Server({ name: "h2a", version: currentCliVersion() }, { capabilities: { tools: { listChanged: true } } });
+    const announced = hostedReadOnlyDescriptors(H2A_CLI_MCP_TOOL_DESCRIPTORS).map((d) => ({
+        name: d.name,
+        description: d.description,
+        inputSchema: d.inputSchema
+    }));
+    server.setRequestHandler(ListToolsRequestSchema, async () => ({ tools: announced }));
+    server.setRequestHandler(CallToolRequestSchema, async (req) => dispatchHostedTool(h2a, req.params.name, req.params.arguments ?? {}));
+    return server;
+}
+//# sourceMappingURL=hosted-mcp-server.js.map

package/dist/runtime/mcp-http/hosted-mcp-server.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"hosted-mcp-server.js","sourceRoot":"","sources":["../../../src/runtime/mcp-http/hosted-mcp-server.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AACH,OAAO,EAAE,MAAM,EAAE,MAAM,2CAA2C,CAAC;AACnE,OAAO,EACL,qBAAqB,EAErB,sBAAsB,EACvB,MAAM,oCAAoC,CAAC;AAE5C,OAAO,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;AACxD,OAAO,EAAE,4BAA4B,EAAE,MAAM,iBAAiB,CAAC;AAE/D,OAAO,EAAE,yBAAyB,EAAE,oBAAoB,EAAE,MAAM,yBAAyB,CAAC;AAE1F,MAAM,UAAU,kBAAkB,CAChC,GAAc,EACd,IAAY,EACZ,IAAyC;IAEzC,IAAI,CAAC,oBAAoB,CAAC,IAAI,CAAC,EAAE,CAAC;QAChC,OAAO;YACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,IAAI,kDAAkD,EAAE,CAAC;YAClG,OAAO,EAAE,IAAI;SACd,CAAC;IACJ,CAAC;IACD,MAAM,MAAM,GAAG,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;IACxC,IAAI,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,OAAO,IAAI,MAAM,IAAI,OAAO,MAAM,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;QAClG,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IAC5E,CAAC;IACD,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC;AAChF,CAAC;AAED,yFAAyF;AACzF,MAAM,UAAU,oBAAoB,CAAC,GAAc;IACjD,MAAM,MAAM,GAAG,IAAI,MAAM,CACvB,EAAE,IAAI,EAAE,KAAK,EAAE,OAAO,EAAE,iBAAiB,EAAE,EAAE,EAC7C,EAAE,YAAY,EAAE,EAAE,KAAK,EAAE,EAAE,WAAW,EAAE,IAAI,EAAE,EAAE,EAAE,CACnD,CAAC;IAEF,MAAM,SAAS,GAAG,yBAAyB,CAAC,4BAA4B,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QACpF,IAAI,EAAE,CAAC,CAAC,IAAI;QACZ,WAAW,EAAE,CAAC,CAAC,WAAW;QAC1B,WAAW,EAAE,CAAC,CAAC,WAAsC;KACtD,CAAC,CAAC,CAAC;IAEJ,MAAM,CAAC,iBAAiB,CAAC,sBAAsB,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,CAAC,CAAC;IACrF,MAAM,CAAC,iBAAiB,CACtB,qBAAqB,EACrB,KAAK,EAAE,GAAG,EAA2B,EAAE,CACrC,kBAAkB,CAAC,GAAG,EAAE,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,GAAG,CAAC,MAAM,CAAC,SAAS,IAAI,EAAE,CAAC,CACvE,CAAC;IAEF,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/runtime/mcp-http/index.d.ts

@@ -0,0 +1,14 @@
+/**
+ * EVO-12 hosted MCP over HTTP + self-AS OAuth (mcp-wave pattern), exposing the
+ * h2a read-only tool surface for claude.ai enrollment. Core is dep-free; this
+ * lives in @sentropic/h2a-cli.
+ */
+export { H2A_HOSTED_READONLY_TOOLS, hostedReadOnlyDescriptors, isHostedReadOnlyTool, toolTakesPrivateKey } from "./readonly-allowlist.js";
+export { buildHostedMcpServer, dispatchHostedTool } from "./hosted-mcp-server.js";
+export { createHostedApp, type HostedAppDeps } from "./app.js";
+export { startHostedServer, buildHostedConfigFromEnv, type HostedEnv, type HostedConfig, type StartedHostedServer } from "./serve.js";
+export { FileOAuthStore } from "./oauth/file-store.js";
+export { SingleTenantOAuthProvider } from "./oauth/single-tenant-provider.js";
+export { buildOAuthRoutes } from "./oauth/hono-oauth-router.js";
+export { oauthConfigFromEnv, H2A_HOSTED_OAUTH_SCOPE, type H2AHostedOAuthConfig, type H2AHostedOAuthEnv } from "./oauth/config.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/runtime/mcp-http/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/runtime/mcp-http/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,OAAO,EACL,yBAAyB,EACzB,yBAAyB,EACzB,oBAAoB,EACpB,mBAAmB,EACpB,MAAM,yBAAyB,CAAC;AACjC,OAAO,EAAE,oBAAoB,EAAE,kBAAkB,EAAE,MAAM,wBAAwB,CAAC;AAClF,OAAO,EAAE,eAAe,EAAE,KAAK,aAAa,EAAE,MAAM,UAAU,CAAC;AAC/D,OAAO,EACL,iBAAiB,EACjB,wBAAwB,EACxB,KAAK,SAAS,EACd,KAAK,YAAY,EACjB,KAAK,mBAAmB,EACzB,MAAM,YAAY,CAAC;AACpB,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AACvD,OAAO,EAAE,yBAAyB,EAAE,MAAM,mCAAmC,CAAC;AAC9E,OAAO,EAAE,gBAAgB,EAAE,MAAM,8BAA8B,CAAC;AAChE,OAAO,EACL,kBAAkB,EAClB,sBAAsB,EACtB,KAAK,oBAAoB,EACzB,KAAK,iBAAiB,EACvB,MAAM,mBAAmB,CAAC"}

package/dist/runtime/mcp-http/index.js

@@ -0,0 +1,14 @@
+/**
+ * EVO-12 hosted MCP over HTTP + self-AS OAuth (mcp-wave pattern), exposing the
+ * h2a read-only tool surface for claude.ai enrollment. Core is dep-free; this
+ * lives in @sentropic/h2a-cli.
+ */
+export { H2A_HOSTED_READONLY_TOOLS, hostedReadOnlyDescriptors, isHostedReadOnlyTool, toolTakesPrivateKey } from "./readonly-allowlist.js";
+export { buildHostedMcpServer, dispatchHostedTool } from "./hosted-mcp-server.js";
+export { createHostedApp } from "./app.js";
+export { startHostedServer, buildHostedConfigFromEnv } from "./serve.js";
+export { FileOAuthStore } from "./oauth/file-store.js";
+export { SingleTenantOAuthProvider } from "./oauth/single-tenant-provider.js";
+export { buildOAuthRoutes } from "./oauth/hono-oauth-router.js";
+export { oauthConfigFromEnv, H2A_HOSTED_OAUTH_SCOPE } from "./oauth/config.js";
+//# sourceMappingURL=index.js.map

package/dist/runtime/mcp-http/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/runtime/mcp-http/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,OAAO,EACL,yBAAyB,EACzB,yBAAyB,EACzB,oBAAoB,EACpB,mBAAmB,EACpB,MAAM,yBAAyB,CAAC;AACjC,OAAO,EAAE,oBAAoB,EAAE,kBAAkB,EAAE,MAAM,wBAAwB,CAAC;AAClF,OAAO,EAAE,eAAe,EAAsB,MAAM,UAAU,CAAC;AAC/D,OAAO,EACL,iBAAiB,EACjB,wBAAwB,EAIzB,MAAM,YAAY,CAAC;AACpB,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AACvD,OAAO,EAAE,yBAAyB,EAAE,MAAM,mCAAmC,CAAC;AAC9E,OAAO,EAAE,gBAAgB,EAAE,MAAM,8BAA8B,CAAC;AAChE,OAAO,EACL,kBAAkB,EAClB,sBAAsB,EAGvB,MAAM,mBAAmB,CAAC"}

package/dist/runtime/mcp-http/main.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=main.d.ts.map

package/dist/runtime/mcp-http/main.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"main.d.ts","sourceRoot":"","sources":["../../../src/runtime/mcp-http/main.ts"],"names":[],"mappings":""}

package/dist/runtime/mcp-http/main.js

@@ -0,0 +1,14 @@
+/**
+ * EVO-12 hosted MCP — runnable entrypoint (Docker CMD / `node dist/runtime/mcp-http/main.js`).
+ * Reads the deploy env and serves the OAuth-gated read-only MCP over HTTP.
+ */
+import { startHostedServer } from "./serve.js";
+startHostedServer()
+    .then((s) => {
+    process.stderr.write(`h2a hosted MCP (EVO-12) listening on :${s.port}\n`);
+})
+    .catch((e) => {
+    process.stderr.write(`h2a hosted MCP failed to start: ${e instanceof Error ? e.message : String(e)}\n`);
+    process.exit(1);
+});
+//# sourceMappingURL=main.js.map

package/dist/runtime/mcp-http/main.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"main.js","sourceRoot":"","sources":["../../../src/runtime/mcp-http/main.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,OAAO,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAE/C,iBAAiB,EAAE;KAChB,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE;IACV,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,yCAAyC,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC;AAC5E,CAAC,CAAC;KACD,KAAK,CAAC,CAAC,CAAU,EAAE,EAAE;IACpB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,mCAAmC,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;IACxG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC,CAAC,CAAC"}

package/dist/runtime/mcp-http/oauth/config.d.ts

@@ -0,0 +1,33 @@
+/**
+ * EVO-12 hosted OAuth — runtime config (ported from mcp-wave; decoupled from
+ * the Wave env type — takes a plain input object so it is unit-testable).
+ *
+ * Scope is read-only (`h2a:read`) — the hosted surface exposes only read tools
+ * (DEC-116 key custody; see ../readonly-allowlist).
+ */
+export declare const H2A_HOSTED_OAUTH_SCOPE = "h2a:read";
+export interface H2AHostedOAuthEnv {
+    PUBLIC_BASE_URL: string;
+    OAUTH_ISSUER_URL: string;
+    OAUTH_CONSENT_SECRET?: string;
+    OAUTH_ALLOWED_REDIRECT_URIS: string;
+    OAUTH_ACCESS_TOKEN_TTL_SECONDS: number;
+    OAUTH_REFRESH_TOKEN_TTL_SECONDS: number;
+    OAUTH_AUTH_CODE_TTL_SECONDS: number;
+    NODE_ENV?: string;
+}
+export interface H2AHostedOAuthConfig {
+    issuerUrl: URL;
+    publicBaseUrl: URL;
+    resourceServerUrl: URL;
+    resourceMetadataUrl: string;
+    consentSecret: string;
+    allowedRedirectUris: readonly string[];
+    accessTokenTtlSeconds: number;
+    refreshTokenTtlSeconds: number;
+    authCodeTtlSeconds: number;
+    nodeEnv: string;
+}
+export declare function parseOAuthCsv(value: string): string[];
+export declare function oauthConfigFromEnv(env: H2AHostedOAuthEnv): H2AHostedOAuthConfig;
+//# sourceMappingURL=config.d.ts.map

package/dist/runtime/mcp-http/oauth/config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../../../src/runtime/mcp-http/oauth/config.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,eAAO,MAAM,sBAAsB,aAAa,CAAC;AAEjD,MAAM,WAAW,iBAAiB;IAChC,eAAe,EAAE,MAAM,CAAC;IACxB,gBAAgB,EAAE,MAAM,CAAC;IACzB,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,2BAA2B,EAAE,MAAM,CAAC;IACpC,8BAA8B,EAAE,MAAM,CAAC;IACvC,+BAA+B,EAAE,MAAM,CAAC;IACxC,2BAA2B,EAAE,MAAM,CAAC;IACpC,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,oBAAoB;IACnC,SAAS,EAAE,GAAG,CAAC;IACf,aAAa,EAAE,GAAG,CAAC;IACnB,iBAAiB,EAAE,GAAG,CAAC;IACvB,mBAAmB,EAAE,MAAM,CAAC;IAC5B,aAAa,EAAE,MAAM,CAAC;IACtB,mBAAmB,EAAE,SAAS,MAAM,EAAE,CAAC;IACvC,qBAAqB,EAAE,MAAM,CAAC;IAC9B,sBAAsB,EAAE,MAAM,CAAC;IAC/B,kBAAkB,EAAE,MAAM,CAAC;IAC3B,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,wBAAgB,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,EAAE,CAKrD;AAED,wBAAgB,kBAAkB,CAAC,GAAG,EAAE,iBAAiB,GAAG,oBAAoB,CAe/E"}

package/dist/runtime/mcp-http/oauth/config.js

@@ -0,0 +1,31 @@
+/**
+ * EVO-12 hosted OAuth — runtime config (ported from mcp-wave; decoupled from
+ * the Wave env type — takes a plain input object so it is unit-testable).
+ *
+ * Scope is read-only (`h2a:read`) — the hosted surface exposes only read tools
+ * (DEC-116 key custody; see ../readonly-allowlist).
+ */
+export const H2A_HOSTED_OAUTH_SCOPE = "h2a:read";
+export function parseOAuthCsv(value) {
+    return value
+        .split(",")
+        .map((item) => item.trim())
+        .filter((item) => item.length > 0);
+}
+export function oauthConfigFromEnv(env) {
+    const publicBaseUrl = new URL(env.PUBLIC_BASE_URL);
+    const issuerUrl = new URL(env.OAUTH_ISSUER_URL);
+    return {
+        issuerUrl,
+        publicBaseUrl,
+        resourceServerUrl: new URL("/mcp", publicBaseUrl),
+        resourceMetadataUrl: new URL("/.well-known/oauth-protected-resource/mcp", publicBaseUrl).href,
+        consentSecret: env.OAUTH_CONSENT_SECRET ?? "local-dev-consent",
+        allowedRedirectUris: parseOAuthCsv(env.OAUTH_ALLOWED_REDIRECT_URIS),
+        accessTokenTtlSeconds: env.OAUTH_ACCESS_TOKEN_TTL_SECONDS,
+        refreshTokenTtlSeconds: env.OAUTH_REFRESH_TOKEN_TTL_SECONDS,
+        authCodeTtlSeconds: env.OAUTH_AUTH_CODE_TTL_SECONDS,
+        nodeEnv: env.NODE_ENV ?? "development"
+    };
+}
+//# sourceMappingURL=config.js.map

package/dist/runtime/mcp-http/oauth/config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../../../../src/runtime/mcp-http/oauth/config.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,MAAM,CAAC,MAAM,sBAAsB,GAAG,UAAU,CAAC;AA0BjD,MAAM,UAAU,aAAa,CAAC,KAAa;IACzC,OAAO,KAAK;SACT,KAAK,CAAC,GAAG,CAAC;SACV,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;SAC1B,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;AACvC,CAAC;AAED,MAAM,UAAU,kBAAkB,CAAC,GAAsB;IACvD,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;IACnD,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC;IAChD,OAAO;QACL,SAAS;QACT,aAAa;QACb,iBAAiB,EAAE,IAAI,GAAG,CAAC,MAAM,EAAE,aAAa,CAAC;QACjD,mBAAmB,EAAE,IAAI,GAAG,CAAC,2CAA2C,EAAE,aAAa,CAAC,CAAC,IAAI;QAC7F,aAAa,EAAE,GAAG,CAAC,oBAAoB,IAAI,mBAAmB;QAC9D,mBAAmB,EAAE,aAAa,CAAC,GAAG,CAAC,2BAA2B,CAAC;QACnE,qBAAqB,EAAE,GAAG,CAAC,8BAA8B;QACzD,sBAAsB,EAAE,GAAG,CAAC,+BAA+B;QAC3D,kBAAkB,EAAE,GAAG,CAAC,2BAA2B;QACnD,OAAO,EAAE,GAAG,CAAC,QAAQ,IAAI,aAAa;KACvC,CAAC;AACJ,CAAC"}

package/dist/runtime/mcp-http/oauth/crypto.d.ts

@@ -0,0 +1,5 @@
+export declare function randomToken(byteLength?: number): string;
+export declare function sha256Hex(value: string): string;
+export declare function tokenHashPrefix(tokenHash: string): string;
+export declare function timingSafeEqualString(a: string, b: string): boolean;
+//# sourceMappingURL=crypto.d.ts.map

package/dist/runtime/mcp-http/oauth/crypto.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.d.ts","sourceRoot":"","sources":["../../../../src/runtime/mcp-http/oauth/crypto.ts"],"names":[],"mappings":"AAKA,wBAAgB,WAAW,CAAC,UAAU,SAAK,GAAG,MAAM,CAEnD;AAED,wBAAgB,SAAS,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAE/C;AAED,wBAAgB,eAAe,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,CAEzD;AAED,wBAAgB,qBAAqB,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,GAAG,OAAO,CAInE"}

package/dist/runtime/mcp-http/oauth/crypto.js

@@ -0,0 +1,19 @@
+/**
+ * EVO-12 hosted OAuth — token crypto helpers (ported from mcp-wave, generic).
+ */
+import { createHash, randomBytes, timingSafeEqual } from "node:crypto";
+export function randomToken(byteLength = 32) {
+    return randomBytes(byteLength).toString("base64url");
+}
+export function sha256Hex(value) {
+    return createHash("sha256").update(value).digest("hex");
+}
+export function tokenHashPrefix(tokenHash) {
+    return tokenHash.slice(0, 12);
+}
+export function timingSafeEqualString(a, b) {
+    const left = Buffer.from(sha256Hex(a), "hex");
+    const right = Buffer.from(sha256Hex(b), "hex");
+    return timingSafeEqual(left, right);
+}
+//# sourceMappingURL=crypto.js.map

package/dist/runtime/mcp-http/oauth/crypto.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.js","sourceRoot":"","sources":["../../../../src/runtime/mcp-http/oauth/crypto.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAEvE,MAAM,UAAU,WAAW,CAAC,UAAU,GAAG,EAAE;IACzC,OAAO,WAAW,CAAC,UAAU,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AACvD,CAAC;AAED,MAAM,UAAU,SAAS,CAAC,KAAa;IACrC,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAC1D,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,SAAiB;IAC/C,OAAO,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AAChC,CAAC;AAED,MAAM,UAAU,qBAAqB,CAAC,CAAS,EAAE,CAAS;IACxD,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;IAC9C,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;IAC/C,OAAO,eAAe,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;AACtC,CAAC"}

package/dist/runtime/mcp-http/oauth/file-store.d.ts

@@ -0,0 +1,40 @@
+import type { OAuthRegisteredClientsStore } from "@modelcontextprotocol/sdk/server/auth/clients.js";
+import type { OAuthClientInformationFull } from "@modelcontextprotocol/sdk/shared/auth.js";
+export interface StoredAuthorizationCode {
+    codeHash: string;
+    clientId: string;
+    redirectUri: string;
+    codeChallenge: string;
+    scopes: string[];
+    resource: string;
+    createdAt: number;
+    expiresAt: number;
+    consumedAt?: number;
+}
+export interface StoredToken {
+    tokenHash: string;
+    tokenType: "access" | "refresh";
+    clientId: string;
+    scopes: string[];
+    resource: string;
+    issuedAt: number;
+    expiresAt: number;
+    revokedAt?: number;
+    parentRefreshTokenHash?: string;
+}
+export declare class FileOAuthStore implements OAuthRegisteredClientsStore {
+    readonly path: string;
+    private snapshot;
+    constructor(path: string);
+    load(): Promise<void>;
+    getClient(clientId: string): Promise<OAuthClientInformationFull | undefined>;
+    registerClient(client: OAuthClientInformationFull): Promise<OAuthClientInformationFull>;
+    putAuthorizationCode(code: string, record: Omit<StoredAuthorizationCode, "codeHash" | "consumedAt">): Promise<void>;
+    getAuthorizationCode(code: string, nowSeconds: number): Promise<StoredAuthorizationCode | undefined>;
+    consumeAuthorizationCode(code: string, nowSeconds: number): Promise<StoredAuthorizationCode | undefined>;
+    putToken(token: string, record: Omit<StoredToken, "tokenHash" | "revokedAt">): Promise<StoredToken>;
+    findToken(token: string): Promise<StoredToken | undefined>;
+    revokeToken(token: string, nowSeconds: number): Promise<void>;
+    private persist;
+}
+//# sourceMappingURL=file-store.d.ts.map

package/dist/runtime/mcp-http/oauth/file-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"file-store.d.ts","sourceRoot":"","sources":["../../../../src/runtime/mcp-http/oauth/file-store.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EAAE,2BAA2B,EAAE,MAAM,kDAAkD,CAAC;AACpG,OAAO,KAAK,EAAE,0BAA0B,EAAE,MAAM,0CAA0C,CAAC;AAI3F,MAAM,WAAW,uBAAuB;IACtC,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,aAAa,EAAE,MAAM,CAAC;IACtB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,WAAW;IAC1B,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,QAAQ,GAAG,SAAS,CAAC;IAChC,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,sBAAsB,CAAC,EAAE,MAAM,CAAC;CACjC;AASD,qBAAa,cAAe,YAAW,2BAA2B;IAGpD,QAAQ,CAAC,IAAI,EAAE,MAAM;IAFjC,OAAO,CAAC,QAAQ,CAA6E;gBAExE,IAAI,EAAE,MAAM;IAE3B,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;IAkBrB,SAAS,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,0BAA0B,GAAG,SAAS,CAAC;IAI5E,cAAc,CAAC,MAAM,EAAE,0BAA0B,GAAG,OAAO,CAAC,0BAA0B,CAAC;IAMvF,oBAAoB,CACxB,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,IAAI,CAAC,uBAAuB,EAAE,UAAU,GAAG,YAAY,CAAC,GAC/D,OAAO,CAAC,IAAI,CAAC;IAMV,oBAAoB,CAAC,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,uBAAuB,GAAG,SAAS,CAAC;IAMpG,wBAAwB,CAAC,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,uBAAuB,GAAG,SAAS,CAAC;IASxG,QAAQ,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,IAAI,CAAC,WAAW,EAAE,WAAW,GAAG,WAAW,CAAC,GAAG,OAAO,CAAC,WAAW,CAAC;IAQnG,SAAS,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,GAAG,SAAS,CAAC;IAI1D,WAAW,CAAC,KAAK,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;YAQrD,OAAO;CAmBtB"}

package/dist/runtime/mcp-http/oauth/file-store.js

@@ -0,0 +1,101 @@
+/**
+ * EVO-12 hosted OAuth — file-backed store for DCR clients, auth codes, tokens
+ * (ported from mcp-wave; generic, atomic-persist). Holds only OAuth artifacts
+ * (hashed codes/tokens) — never an h2a ed25519 private key.
+ */
+import { mkdir, open, readFile, rename, writeFile } from "node:fs/promises";
+import { dirname } from "node:path";
+import { sha256Hex } from "./crypto.js";
+export class FileOAuthStore {
+    path;
+    snapshot = { version: 1, clients: {}, authorizationCodes: {}, tokens: {} };
+    constructor(path) {
+        this.path = path;
+    }
+    async load() {
+        try {
+            const parsed = JSON.parse(await readFile(this.path, "utf8"));
+            this.snapshot = {
+                version: 1,
+                clients: parsed.clients ?? {},
+                authorizationCodes: parsed.authorizationCodes ?? {},
+                tokens: parsed.tokens ?? {}
+            };
+        }
+        catch (error) {
+            if (error instanceof Error && "code" in error && error.code === "ENOENT") {
+                await this.persist();
+                return;
+            }
+            throw error;
+        }
+    }
+    async getClient(clientId) {
+        return this.snapshot.clients[clientId];
+    }
+    async registerClient(client) {
+        this.snapshot.clients[client.client_id] = client;
+        await this.persist();
+        return client;
+    }
+    async putAuthorizationCode(code, record) {
+        const codeHash = sha256Hex(code);
+        this.snapshot.authorizationCodes[codeHash] = { ...record, codeHash };
+        await this.persist();
+    }
+    async getAuthorizationCode(code, nowSeconds) {
+        const record = this.snapshot.authorizationCodes[sha256Hex(code)];
+        if (!record || record.consumedAt || record.expiresAt <= nowSeconds)
+            return undefined;
+        return record;
+    }
+    async consumeAuthorizationCode(code, nowSeconds) {
+        const codeHash = sha256Hex(code);
+        const record = this.snapshot.authorizationCodes[codeHash];
+        if (!record || record.consumedAt || record.expiresAt <= nowSeconds)
+            return undefined;
+        record.consumedAt = nowSeconds;
+        await this.persist();
+        return record;
+    }
+    async putToken(token, record) {
+        const tokenHash = sha256Hex(token);
+        const stored = { ...record, tokenHash };
+        this.snapshot.tokens[tokenHash] = stored;
+        await this.persist();
+        return stored;
+    }
+    async findToken(token) {
+        return this.snapshot.tokens[sha256Hex(token)];
+    }
+    async revokeToken(token, nowSeconds) {
+        const record = this.snapshot.tokens[sha256Hex(token)];
+        if (record && record.revokedAt === undefined) {
+            record.revokedAt = nowSeconds;
+            await this.persist();
+        }
+    }
+    async persist() {
+        await mkdir(dirname(this.path), { recursive: true });
+        const body = `${JSON.stringify(this.snapshot, null, 2)}\n`;
+        const tempPath = `${this.path}.${process.pid}.${Date.now()}.tmp`;
+        await writeFile(tempPath, body, { mode: 0o600 });
+        const handle = await open(tempPath, "r");
+        try {
+            await handle.sync();
+        }
+        catch (error) {
+            // Windows rejects fsync on some handles with EPERM, and exotic FUSE/CI
+            // filesystems return ENOSYS. The durability hint is best-effort; the
+            // rename below still provides atomic replace on every platform.
+            const code = error.code;
+            if (code !== "EPERM" && code !== "ENOSYS")
+                throw error;
+        }
+        finally {
+            await handle.close();
+        }
+        await rename(tempPath, this.path);
+    }
+}
+//# sourceMappingURL=file-store.js.map

package/dist/runtime/mcp-http/oauth/file-store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"file-store.js","sourceRoot":"","sources":["../../../../src/runtime/mcp-http/oauth/file-store.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAC5E,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAIpC,OAAO,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAiCxC,MAAM,OAAO,cAAc;IAGJ;IAFb,QAAQ,GAAa,EAAE,OAAO,EAAE,CAAC,EAAE,OAAO,EAAE,EAAE,EAAE,kBAAkB,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC;IAE7F,YAAqB,IAAY;QAAZ,SAAI,GAAJ,IAAI,CAAQ;IAAG,CAAC;IAErC,KAAK,CAAC,IAAI;QACR,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,QAAQ,CAAC,IAAI,CAAC,IAAI,EAAE,MAAM,CAAC,CAAa,CAAC;YACzE,IAAI,CAAC,QAAQ,GAAG;gBACd,OAAO,EAAE,CAAC;gBACV,OAAO,EAAE,MAAM,CAAC,OAAO,IAAI,EAAE;gBAC7B,kBAAkB,EAAE,MAAM,CAAC,kBAAkB,IAAI,EAAE;gBACnD,MAAM,EAAE,MAAM,CAAC,MAAM,IAAI,EAAE;aAC5B,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,KAAK,YAAY,KAAK,IAAI,MAAM,IAAI,KAAK,IAAI,KAAK,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;gBACzE,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;gBACrB,OAAO;YACT,CAAC;YACD,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,QAAgB;QAC9B,OAAO,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IACzC,CAAC;IAED,KAAK,CAAC,cAAc,CAAC,MAAkC;QACrD,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,GAAG,MAAM,CAAC;QACjD,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;QACrB,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,KAAK,CAAC,oBAAoB,CACxB,IAAY,EACZ,MAAgE;QAEhE,MAAM,QAAQ,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC;QACjC,IAAI,CAAC,QAAQ,CAAC,kBAAkB,CAAC,QAAQ,CAAC,GAAG,EAAE,GAAG,MAAM,EAAE,QAAQ,EAAE,CAAC;QACrE,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;IACvB,CAAC;IAED,KAAK,CAAC,oBAAoB,CAAC,IAAY,EAAE,UAAkB;QACzD,MAAM,MAAM,GAAG,IAAI,CAAC,QAAQ,CAAC,kBAAkB,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC;QACjE,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,UAAU,IAAI,MAAM,CAAC,SAAS,IAAI,UAAU;YAAE,OAAO,SAAS,CAAC;QACrF,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,KAAK,CAAC,wBAAwB,CAAC,IAAY,EAAE,UAAkB;QAC7D,MAAM,QAAQ,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC;QACjC,MAAM,MAAM,GAAG,IAAI,CAAC,QAAQ,CAAC,kBAAkB,CAAC,QAAQ,CAAC,CAAC;QAC1D,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,UAAU,IAAI,MAAM,CAAC,SAAS,IAAI,UAAU;YAAE,OAAO,SAAS,CAAC;QACrF,MAAM,CAAC,UAAU,GAAG,UAAU,CAAC;QAC/B,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;QACrB,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,KAAK,CAAC,QAAQ,CAAC,KAAa,EAAE,MAAoD;QAChF,MAAM,SAAS,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;QACnC,MAAM,MAAM,GAAG,EAAE,GAAG,MAAM,EAAE,SAAS,EAAE,CAAC;QACxC,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,SAAS,CAAC,GAAG,MAAM,CAAC;QACzC,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;QACrB,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,KAAa;QAC3B,OAAO,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC;IAChD,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,KAAa,EAAE,UAAkB;QACjD,MAAM,MAAM,GAAG,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC;QACtD,IAAI,MAAM,IAAI,MAAM,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;YAC7C,MAAM,CAAC,SAAS,GAAG,UAAU,CAAC;YAC9B,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;QACvB,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,OAAO;QACnB,MAAM,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACrD,MAAM,IAAI,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC;QAC3D,MAAM,QAAQ,GAAG,GAAG,IAAI,CAAC,IAAI,IAAI,OAAO,CAAC,GAAG,IAAI,IAAI,CAAC,GAAG,EAAE,MAAM,CAAC;QACjE,MAAM,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QACjD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;QACzC,IAAI,CAAC;YACH,MAAM,MAAM,CAAC,IAAI,EAAE,CAAC;QACtB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,uEAAuE;YACvE,qEAAqE;YACrE,gEAAgE;YAChE,MAAM,IAAI,GAAI,KAA+B,CAAC,IAAI,CAAC;YACnD,IAAI,IAAI,KAAK,OAAO,IAAI,IAAI,KAAK,QAAQ;gBAAE,MAAM,KAAK,CAAC;QACzD,CAAC;gBAAS,CAAC;YACT,MAAM,MAAM,CAAC,KAAK,EAAE,CAAC;QACvB,CAAC;QACD,MAAM,MAAM,CAAC,QAAQ,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC;IACpC,CAAC;CACF"}

package/dist/runtime/mcp-http/oauth/hono-oauth-router.d.ts

@@ -0,0 +1,5 @@
+import { Hono } from "hono";
+import { type H2AHostedOAuthConfig } from "./config.js";
+import type { SingleTenantOAuthProvider } from "./single-tenant-provider.js";
+export declare function buildOAuthRoutes(provider: SingleTenantOAuthProvider, oauth: H2AHostedOAuthConfig): Hono;
+//# sourceMappingURL=hono-oauth-router.d.ts.map

package/dist/runtime/mcp-http/oauth/hono-oauth-router.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"hono-oauth-router.d.ts","sourceRoot":"","sources":["../../../../src/runtime/mcp-http/oauth/hono-oauth-router.ts"],"names":[],"mappings":"AAoBA,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAE5B,OAAO,EAAyC,KAAK,oBAAoB,EAAE,MAAM,aAAa,CAAC;AAC/F,OAAO,KAAK,EAAE,yBAAyB,EAAE,MAAM,6BAA6B,CAAC;AAE7E,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,yBAAyB,EAAE,KAAK,EAAE,oBAAoB,GAAG,IAAI,CAsFvG"}