@sentropic/h2a-cli 0.38.1 → 0.39.0
- package/dist/runtime/mcp-http/app.d.ts +14 -0
- package/dist/runtime/mcp-http/app.d.ts.map +1 -1
- package/dist/runtime/mcp-http/app.js +52 -8
- package/dist/runtime/mcp-http/app.js.map +1 -1
- package/dist/runtime/mcp-http/oauth/crypto.d.ts +9 -0
- package/dist/runtime/mcp-http/oauth/crypto.d.ts.map +1 -1
- package/dist/runtime/mcp-http/oauth/crypto.js +10 -0
- package/dist/runtime/mcp-http/oauth/crypto.js.map +1 -1
- package/dist/runtime/mcp-http/oauth/file-store.d.ts +8 -0
- package/dist/runtime/mcp-http/oauth/file-store.d.ts.map +1 -1
- package/dist/runtime/mcp-http/oauth/file-store.js.map +1 -1
- package/dist/runtime/mcp-http/oauth/single-tenant-provider.d.ts +2 -0
- package/dist/runtime/mcp-http/oauth/single-tenant-provider.d.ts.map +1 -1
- package/dist/runtime/mcp-http/oauth/single-tenant-provider.js +16 -7
- package/dist/runtime/mcp-http/oauth/single-tenant-provider.js.map +1 -1
- package/dist/runtime/mcp-http/serve.d.ts +8 -0
- package/dist/runtime/mcp-http/serve.d.ts.map +1 -1
- package/dist/runtime/mcp-http/serve.js +46 -2
- package/dist/runtime/mcp-http/serve.js.map +1 -1
- package/package.json +2 -2
|
@@ -14,6 +14,20 @@ export interface HostedAppDeps {
|
|
|
14
14
|
* 39-auth instead of the consent secret. Omit for single-tenant.
|
|
15
15
|
*/
|
|
16
16
|
brokerLogin?: BrokerLogin;
|
|
17
|
+
/**
|
|
18
|
+
* EVO-12 P2 (mode 3, multi-tenant): per-user /mcp serving. When present AND
|
|
19
|
+
* `oauthConfig.brokerMode`, the /mcp handler derives each request's tenant
|
|
20
|
+
* root from the access token's `sub` (rootForSub(baseRoot, sub)) and serves
|
|
21
|
+
* that tenant's h2a dispatch — instead of the single `h2aMcpServer`. Underlying
|
|
22
|
+
* servers are cached per root; a session is pinned to the tenant that opened
|
|
23
|
+
* it (a token for another tenant cannot reuse it). `h2aMcpServer` remains the
|
|
24
|
+
* fallback for any non-broker path.
|
|
25
|
+
*/
|
|
26
|
+
tenancy?: {
|
|
27
|
+
baseRoot: string;
|
|
28
|
+
/** Build the in-process h2a dispatch rooted at `root` (e.g. createMcpServer({ root })). */
|
|
29
|
+
createServer: (root: string) => McpServer;
|
|
30
|
+
};
|
|
17
31
|
}
|
|
18
32
|
export declare function createHostedApp(deps: HostedAppDeps): Hono;
|
|
19
33
|
//# sourceMappingURL=app.d.ts.map
|
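Review bot: The `tenancy` doc comment leaves one configuration unstated: `oauthConfig.brokerMode` enabled with `tenancy` omitted. The comment calls `h2aMcpServer` the fallback for "any non-broker path", yet the matching condition in app.js (`Boolean(deps.oauthConfig.brokerMode && deps.tenancy)`) suggests that broker-authenticated users would then all be served from the single `h2aMcpServer` root. I would add a sentence such as `* If brokerMode is set but tenancy is omitted, every broker-authenticated subject shares h2aMcpServer.` so that an operator does not assume per-user isolation from broker mode alone. The `HostedAppDeps` interface starts outside this hunk.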
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"app.d.ts","sourceRoot":"","sources":["../../../src/runtime/mcp-http/app.ts"],"names":[],"mappings":"AAQA,OAAO,EAAgB,IAAI,EAAE,MAAM,MAAM,CAAC;AAE1C,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAElD,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAC;AAE3D,OAAO,EAA0B,KAAK,oBAAoB,EAAE,MAAM,mBAAmB,CAAC;AAEtF,OAAO,KAAK,EAAE,yBAAyB,EAAE,MAAM,mCAAmC,CAAC;
|
|
1
|
+
{"version":3,"file":"app.d.ts","sourceRoot":"","sources":["../../../src/runtime/mcp-http/app.ts"],"names":[],"mappings":"AAQA,OAAO,EAAgB,IAAI,EAAE,MAAM,MAAM,CAAC;AAE1C,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAElD,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAC;AAE3D,OAAO,EAA0B,KAAK,oBAAoB,EAAE,MAAM,mBAAmB,CAAC;AAEtF,OAAO,KAAK,EAAE,yBAAyB,EAAE,MAAM,mCAAmC,CAAC;AAGnF,MAAM,WAAW,aAAa;IAC5B,aAAa,EAAE,yBAAyB,CAAC;IACzC,WAAW,EAAE,oBAAoB,CAAC;IAClC,2FAA2F;IAC3F,YAAY,EAAE,SAAS,CAAC;IACxB;;;;OAIG;IACH,WAAW,CAAC,EAAE,WAAW,CAAC;IAC1B;;;;;;;;OAQG;IACH,OAAO,CAAC,EAAE;QACR,QAAQ,EAAE,MAAM,CAAC;QACjB,2FAA2F;QAC3F,YAAY,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,SAAS,CAAC;KAC3C,CAAC;CACH;AAQD,wBAAgB,eAAe,CAAC,IAAI,EAAE,aAAa,GAAG,IAAI,CAmIzD"}
|
|
@@ -11,6 +11,7 @@ import { buildHostedMcpServer } from "./hosted-mcp-server.js";
|
|
|
11
11
|
import { buildBrokerRoutes } from "./oauth/broker-routes.js";
|
|
12
12
|
import { H2A_HOSTED_OAUTH_SCOPE } from "./oauth/config.js";
|
|
13
13
|
import { buildOAuthRoutes } from "./oauth/hono-oauth-router.js";
|
|
14
|
+
import { rootForSub } from "./oauth/tenancy.js";
|
|
14
15
|
export function createHostedApp(deps) {
|
|
15
16
|
const app = new Hono();
|
|
16
17
|
const wwwAuthenticateHeader = `Bearer error="Unauthorized", error_description="Unauthorized", resource_metadata="${deps.oauthConfig.resourceMetadataUrl}"`;
|
|
@@ -22,24 +23,24 @@ export function createHostedApp(deps) {
|
|
|
22
23
|
if (deps.oauthConfig.brokerMode && deps.brokerLogin) {
|
|
23
24
|
app.route("/", buildBrokerRoutes({
|
|
24
25
|
brokerLogin: deps.brokerLogin,
|
|
25
|
-
issueClaudeaiCode: async (claudeai,
|
|
26
|
+
issueClaudeaiCode: async (claudeai, ctx) => {
|
|
26
27
|
const client = await deps.oauthProvider.clientsStore.getClient(claudeai.client_id);
|
|
27
28
|
if (!client)
|
|
28
29
|
throw new Error("unknown client_id");
|
|
30
|
+
// Bind the 39-auth subject to the issued code: it rides code→token so
|
|
31
|
+
// verifyAccessToken restores it and /mcp serves rootForSub(base, sub).
|
|
29
32
|
const code = await deps.oauthProvider.issueAuthorizationCode(client, {
|
|
30
33
|
redirectUri: claudeai.redirect_uri,
|
|
31
34
|
codeChallenge: claudeai.code_challenge ?? "",
|
|
32
35
|
scopes: [H2A_HOSTED_OAUTH_SCOPE],
|
|
33
|
-
...(claudeai.state ? { state: claudeai.state } : {})
|
|
36
|
+
...(claudeai.state ? { state: claudeai.state } : {}),
|
|
37
|
+
...(ctx.sub ? { sub: ctx.sub } : {})
|
|
34
38
|
});
|
|
35
39
|
const redirect = new URL(claudeai.redirect_uri);
|
|
36
40
|
redirect.searchParams.set("code", code);
|
|
37
41
|
if (claudeai.state)
|
|
38
42
|
redirect.searchParams.set("state", claudeai.state);
|
|
39
43
|
return redirect.href;
|
|
40
|
-
// NOTE: per-user-root /mcp serving (binding _ctx.sub/root through the
|
|
41
|
-
// token → serving that tenant's root) is the seed-gated finale — needs
|
|
42
|
-
// provider token metadata + a live 39-auth client to validate.
|
|
43
44
|
}
|
|
44
45
|
}));
|
|
45
46
|
}
|
|
@@ -60,9 +61,50 @@ export function createHostedApp(deps) {
|
|
|
60
61
|
invalidAuthenticationHeader: { wwwAuthenticateHeader: () => wwwAuthenticateHeader }
|
|
61
62
|
});
|
|
62
63
|
const sessions = new Map();
|
|
64
|
+
// EVO-12 P2 (mode 3): per-tenant h2a dispatch, cached by root. The underlying
|
|
65
|
+
// server is reused across sessions/requests of the same tenant; the hosted
|
|
66
|
+
// read-only wrapper is still built per session.
|
|
67
|
+
const multiTenant = Boolean(deps.oauthConfig.brokerMode && deps.tenancy);
|
|
68
|
+
const tenantServers = new Map();
|
|
69
|
+
const tenantServerFor = (root) => {
|
|
70
|
+
let server = tenantServers.get(root);
|
|
71
|
+
if (!server) {
|
|
72
|
+
server = deps.tenancy.createServer(root);
|
|
73
|
+
tenantServers.set(root, server);
|
|
74
|
+
}
|
|
75
|
+
return server;
|
|
76
|
+
};
|
|
77
|
+
/**
|
|
78
|
+
* Resolve the tenant root for a request from its (already bearer-validated)
|
|
79
|
+
* access token. Returns undefined in single-tenant mode. Throws if a broker
|
|
80
|
+
* token carries no `sub` (it is not bound to any tenant → forbidden).
|
|
81
|
+
*/
|
|
82
|
+
const resolveTenantRoot = async (c) => {
|
|
83
|
+
if (!multiTenant)
|
|
84
|
+
return undefined;
|
|
85
|
+
const header = c.req.header("authorization") ?? "";
|
|
86
|
+
const token = header.startsWith("Bearer ") ? header.slice("Bearer ".length) : "";
|
|
87
|
+
const info = await deps.oauthProvider.verifyAccessToken(token);
|
|
88
|
+
const sub = typeof info.extra?.sub === "string" ? info.extra.sub : undefined;
|
|
89
|
+
if (!sub)
|
|
90
|
+
throw new Error("access token is not bound to a tenant");
|
|
91
|
+
return rootForSub(deps.tenancy.baseRoot, sub);
|
|
92
|
+
};
|
|
93
|
+
const forbidden = (c) => c.json({ error: "access_denied", error_description: "token is not bound to this tenant" }, 403);
|
|
63
94
|
const mcpHandler = async (c) => {
|
|
95
|
+
let tenantRoot;
|
|
96
|
+
try {
|
|
97
|
+
tenantRoot = await resolveTenantRoot(c);
|
|
98
|
+
}
|
|
99
|
+
catch {
|
|
100
|
+
return forbidden(c);
|
|
101
|
+
}
|
|
64
102
|
const requestedSessionId = c.req.header("mcp-session-id");
|
|
65
103
|
let session = requestedSessionId ? sessions.get(requestedSessionId) : undefined;
|
|
104
|
+
// A session is pinned to the tenant that opened it: a token for another
|
|
105
|
+
// tenant must not be able to reuse it.
|
|
106
|
+
if (session && session.tenantRoot !== tenantRoot)
|
|
107
|
+
return forbidden(c);
|
|
66
108
|
if (!session) {
|
|
67
109
|
let created;
|
|
68
110
|
const transport = new StreamableHTTPTransport({
|
|
@@ -76,9 +118,11 @@ export function createHostedApp(deps) {
|
|
|
76
118
|
sessions.delete(sessionId);
|
|
77
119
|
}
|
|
78
120
|
});
|
|
79
|
-
created = { transport };
|
|
80
|
-
// One SDK server per session, exposing ONLY the read-only allowlist
|
|
81
|
-
|
|
121
|
+
created = { transport, ...(tenantRoot !== undefined && { tenantRoot }) };
|
|
122
|
+
// One SDK server per session, exposing ONLY the read-only allowlist —
|
|
123
|
+
// backed by the tenant's root in multi-tenant mode, else the single server.
|
|
124
|
+
const base = tenantRoot !== undefined ? tenantServerFor(tenantRoot) : deps.h2aMcpServer;
|
|
125
|
+
const server = buildHostedMcpServer(base);
|
|
82
126
|
await server.connect(transport);
|
|
83
127
|
session = created;
|
|
84
128
|
}
|
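Review bot: In `resolveTenantRoot` the token's `sub` is checked only for being a non-empty string before it is passed to `rootForSub(deps.tenancy.baseRoot, sub)`, so tenant isolation rests entirely on that helper, which lives in `./oauth/tenancy.js` and is not part of this diff. Because `sub` originates from the upstream 39-auth identity, it is worth confirming there that a subject containing path separators or `..` cannot resolve outside `baseRoot` or onto another tenant's root, and recording that contract at the call site, e.g. `// sub is upstream-supplied: rootForSub must return a path contained in baseRoot, distinct per sub`. Separately, `tenantServers` has no eviction or size bound, so each distinct subject that authenticates keeps a server instance alive for the life of the process. `createHostedApp` and `mcpHandler` both start and end outside the hunks shown.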
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"app.js","sourceRoot":"","sources":["../../../src/runtime/mcp-http/app.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,uBAAuB,EAAE,MAAM,WAAW,CAAC;AACpD,OAAO,EAAE,UAAU,EAAE,MAAM,gBAAgB,CAAC;AAC5C,OAAO,EAAgB,IAAI,EAAE,MAAM,MAAM,CAAC;AAG1C,OAAO,EAAE,oBAAoB,EAAE,MAAM,wBAAwB,CAAC;AAE9D,OAAO,EAAE,iBAAiB,EAAE,MAAM,0BAA0B,CAAC;AAC7D,OAAO,EAAE,sBAAsB,EAA6B,MAAM,mBAAmB,CAAC;AACtF,OAAO,EAAE,gBAAgB,EAAE,MAAM,8BAA8B,CAAC;
|
|
1
|
+
{"version":3,"file":"app.js","sourceRoot":"","sources":["../../../src/runtime/mcp-http/app.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,uBAAuB,EAAE,MAAM,WAAW,CAAC;AACpD,OAAO,EAAE,UAAU,EAAE,MAAM,gBAAgB,CAAC;AAC5C,OAAO,EAAgB,IAAI,EAAE,MAAM,MAAM,CAAC;AAG1C,OAAO,EAAE,oBAAoB,EAAE,MAAM,wBAAwB,CAAC;AAE9D,OAAO,EAAE,iBAAiB,EAAE,MAAM,0BAA0B,CAAC;AAC7D,OAAO,EAAE,sBAAsB,EAA6B,MAAM,mBAAmB,CAAC;AACtF,OAAO,EAAE,gBAAgB,EAAE,MAAM,8BAA8B,CAAC;AAEhE,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAmChD,MAAM,UAAU,eAAe,CAAC,IAAmB;IACjD,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;IACvB,MAAM,qBAAqB,GAAG,qFAAqF,IAAI,CAAC,WAAW,CAAC,mBAAmB,GAAG,CAAC;IAE3J,GAAG,CAAC,GAAG,CAAC,UAAU,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;IACjD,GAAG,CAAC,GAAG,CAAC,SAAS,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;IAEhD,+EAA+E;IAC/E,0EAA0E;IAC1E,iFAAiF;IACjF,IAAI,IAAI,CAAC,WAAW,CAAC,UAAU,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;QACpD,GAAG,CAAC,KAAK,CACP,GAAG,EACH,iBAAiB,CAAC;YAChB,WAAW,EAAE,IAAI,CAAC,WAAW;YAC7B,iBAAiB,EAAE,KAAK,EAAE,QAAQ,EAAE,GAAG,EAAE,EAAE;gBACzC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,YAAY,CAAC,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;gBACnF,IAAI,CAAC,MAAM;oBAAE,MAAM,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAC;gBAClD,sEAAsE;gBACtE,uEAAuE;gBACvE,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,sBAAsB,CAAC,MAAM,EAAE;oBACnE,WAAW,EAAE,QAAQ,CAAC,YAAY;oBAClC,aAAa,EAAE,QAAQ,CAAC,cAAc,IAAI,EAAE;oBAC5C,MAAM,EAAE,CAAC,sBAAsB,CAAC;oBAChC,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;oBACpD,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;iBACrC,CAAC,CAAC;gBACH,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC;gBAChD,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;gBACxC,IAAI,QAAQ,CAAC,KAAK;oBAAE,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,QAAQ,CAAC,KAAK,CAAC,CAAC;gBACvE,OAAO,QAAQ,CAAC,IAAI,CAAC;YACvB,CAAC
;SACF,CAAC,CACH,CAAC;IACJ,CAAC;IAED,wEAAwE;IACxE,GAAG,CAAC,KAAK,CAAC,GAAG,EAAE,gBAAgB,CAAC,IAAI,CAAC,aAAa,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC;IAEvE,oEAAoE;IACpE,MAAM,WAAW,GAAG,UAAU,CAAC;QAC7B,WAAW,EAAE,KAAK,EAAE,KAAa,EAAoB,EAAE;YACrD,IAAI,CAAC;gBACH,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,iBAAiB,CAAC,KAAK,CAAC,CAAC;gBAC/D,OAAO,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,sBAAsB,CAAC,CAAC;YACtD,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;QACD,sBAAsB,EAAE,EAAE,qBAAqB,EAAE,GAAG,EAAE,CAAC,qBAAqB,EAAE;QAC9E,2BAA2B,EAAE,EAAE,qBAAqB,EAAE,GAAG,EAAE,CAAC,qBAAqB,EAAE;KACpF,CAAC,CAAC;IAEH,MAAM,QAAQ,GAAG,IAAI,GAAG,EAA0B,CAAC;IAEnD,8EAA8E;IAC9E,2EAA2E;IAC3E,gDAAgD;IAChD,MAAM,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC,WAAW,CAAC,UAAU,IAAI,IAAI,CAAC,OAAO,CAAC,CAAC;IACzE,MAAM,aAAa,GAAG,IAAI,GAAG,EAAqB,CAAC;IACnD,MAAM,eAAe,GAAG,CAAC,IAAY,EAAa,EAAE;QAClD,IAAI,MAAM,GAAG,aAAa,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACrC,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,GAAG,IAAI,CAAC,OAAQ,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC;YAC1C,aAAa,CAAC,GAAG,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;QAClC,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC,CAAC;IAEF;;;;OAIG;IACH,MAAM,iBAAiB,GAAG,KAAK,EAAE,CAAU,EAA+B,EAAE;QAC1E,IAAI,CAAC,WAAW;YAAE,OAAO,SAAS,CAAC;QACnC,MAAM,MAAM,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,eAAe,CAAC,IAAI,EAAE,CAAC;QACnD,MAAM,KAAK,GAAG,MAAM,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QACjF,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,iBAAiB,CAAC,KAAK,CAAC,CAAC;QAC/D,MAAM,GAAG,GAAG,OAAO,IAAI,CAAC,KAAK,EAAE,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC;QAC7E,IAAI,CAAC,GAAG;YAAE,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;QACnE,OAAO,UAAU,CAAC,IAAI,CAAC,OAAQ,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;IACjD,CAAC,CAAC;IAEF,MAAM,SAAS,GAAG,CAAC,CAAU,EAAE,EAAE,CAC/B,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,eAAe,EAAE,iBAAiB,EAAE,mCAAmC,EAAE,EAAE,GAAG,CAAC,CAAC;IAElG,MAAM,UAAU,GAAG,KAAK,EAAE,CAAU,EAAE,EAAE;QACtC,IAAI,UAA8B,CAAC;QACnC,IAAI,CAAC;YACH,UAAU,GAAG,MAAM,iBAAiB,CAAC,CAAC,CAAC,CAAC;QAC1C,
CAAC;QAAC,MAAM,CAAC;YACP,OAAO,SAAS,CAAC,CAAC,CAAC,CAAC;QACtB,CAAC;QAED,MAAM,kBAAkB,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC;QAC1D,IAAI,OAAO,GAAG,kBAAkB,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QAEhF,wEAAwE;QACxE,uCAAuC;QACvC,IAAI,OAAO,IAAI,OAAO,CAAC,UAAU,KAAK,UAAU;YAAE,OAAO,SAAS,CAAC,CAAC,CAAC,CAAC;QAEtE,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,IAAI,OAAmC,CAAC;YACxC,MAAM,SAAS,GAAG,IAAI,uBAAuB,CAAC;gBAC5C,kBAAkB,EAAE,IAAI;gBACxB,kBAAkB,EAAE,GAAG,EAAE,CAAC,UAAU,EAAE;gBACtC,oBAAoB,EAAE,CAAC,SAAS,EAAE,EAAE;oBAClC,IAAI,OAAO;wBAAE,QAAQ,CAAC,GAAG,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;gBAChD,CAAC;gBACD,eAAe,EAAE,CAAC,SAAS,EAAE,EAAE;oBAC7B,QAAQ,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;gBAC7B,CAAC;aACF,CAAC,CAAC;YACH,OAAO,GAAG,EAAE,SAAS,EAAE,GAAG,CAAC,UAAU,KAAK,SAAS,IAAI,EAAE,UAAU,EAAE,CAAC,EAAE,CAAC;YACzE,sEAAsE;YACtE,4EAA4E;YAC5E,MAAM,IAAI,GAAG,UAAU,KAAK,SAAS,CAAC,CAAC,CAAC,eAAe,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC;YACxF,MAAM,MAAM,GAAG,oBAAoB,CAAC,IAAI,CAAC,CAAC;YAC1C,MAAM,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;YAChC,OAAO,GAAG,OAAO,CAAC;QACpB,CAAC;QAED,MAAM,GAAG,GAAG,MAAM,OAAO,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC;QACrD,OAAO,GAAG,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IAClC,CAAC,CAAC;IAEF,mFAAmF;IACnF,GAAG,CAAC,GAAG,CAAC,MAAM,EAAE,WAAW,EAAE,UAAU,CAAC,CAAC;IAEzC,OAAO,GAAG,CAAC;AACb,CAAC"}
|
|
@@ -2,4 +2,13 @@ export declare function randomToken(byteLength?: number): string;
|
|
|
2
2
|
export declare function sha256Hex(value: string): string;
|
|
3
3
|
export declare function tokenHashPrefix(tokenHash: string): string;
|
|
4
4
|
export declare function timingSafeEqualString(a: string, b: string): boolean;
|
|
5
|
+
/**
|
|
6
|
+
* EVO-12 P2 (mode 3): a fresh PKCE pair for the gateway's upstream 39-auth leg.
|
|
7
|
+
* The verifier is held server-side (broker pending state); the S256 challenge
|
|
8
|
+
* goes on the wire to /authorize.
|
|
9
|
+
*/
|
|
10
|
+
export declare function pkceS256(): {
|
|
11
|
+
verifier: string;
|
|
12
|
+
challenge: string;
|
|
13
|
+
};
|
|
5
14
|
//# sourceMappingURL=crypto.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"crypto.d.ts","sourceRoot":"","sources":["../../../../src/runtime/mcp-http/oauth/crypto.ts"],"names":[],"mappings":"AAKA,wBAAgB,WAAW,CAAC,UAAU,SAAK,GAAG,MAAM,CAEnD;AAED,wBAAgB,SAAS,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAE/C;AAED,wBAAgB,eAAe,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,CAEzD;AAED,wBAAgB,qBAAqB,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,GAAG,OAAO,CAInE"}
|
|
1
|
+
{"version":3,"file":"crypto.d.ts","sourceRoot":"","sources":["../../../../src/runtime/mcp-http/oauth/crypto.ts"],"names":[],"mappings":"AAKA,wBAAgB,WAAW,CAAC,UAAU,SAAK,GAAG,MAAM,CAEnD;AAED,wBAAgB,SAAS,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAE/C;AAED,wBAAgB,eAAe,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,CAEzD;AAED,wBAAgB,qBAAqB,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,GAAG,OAAO,CAInE;AAED;;;;GAIG;AACH,wBAAgB,QAAQ,IAAI;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,MAAM,CAAA;CAAE,CAIlE"}
|
|
@@ -16,4 +16,14 @@ export function timingSafeEqualString(a, b) {
|
|
|
16
16
|
const right = Buffer.from(sha256Hex(b), "hex");
|
|
17
17
|
return timingSafeEqual(left, right);
|
|
18
18
|
}
|
|
19
|
+
/**
|
|
20
|
+
* EVO-12 P2 (mode 3): a fresh PKCE pair for the gateway's upstream 39-auth leg.
|
|
21
|
+
* The verifier is held server-side (broker pending state); the S256 challenge
|
|
22
|
+
* goes on the wire to /authorize.
|
|
23
|
+
*/
|
|
24
|
+
export function pkceS256() {
|
|
25
|
+
const verifier = randomBytes(32).toString("base64url");
|
|
26
|
+
const challenge = createHash("sha256").update(verifier).digest("base64url");
|
|
27
|
+
return { verifier, challenge };
|
|
28
|
+
}
|
|
19
29
|
//# sourceMappingURL=crypto.js.map
|
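Review bot: The doc comment on `pkceS256` does not record why 32 bytes is used: `randomBytes(32).toString("base64url")` yields a 43-character verifier, which is exactly the minimum length RFC 7636 allows, so lowering the byte count would produce a verifier that a compliant authorization server may reject. I would add a line to the comment such as `* 32 random bytes -> 43 base64url chars, the RFC 7636 minimum verifier length; do not reduce.` The challenge computation itself (SHA-256 over the verifier string, base64url without padding) matches the S256 method.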
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"crypto.js","sourceRoot":"","sources":["../../../../src/runtime/mcp-http/oauth/crypto.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAEvE,MAAM,UAAU,WAAW,CAAC,UAAU,GAAG,EAAE;IACzC,OAAO,WAAW,CAAC,UAAU,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AACvD,CAAC;AAED,MAAM,UAAU,SAAS,CAAC,KAAa;IACrC,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAC1D,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,SAAiB;IAC/C,OAAO,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AAChC,CAAC;AAED,MAAM,UAAU,qBAAqB,CAAC,CAAS,EAAE,CAAS;IACxD,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;IAC9C,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;IAC/C,OAAO,eAAe,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;AACtC,CAAC"}
|
|
1
|
+
{"version":3,"file":"crypto.js","sourceRoot":"","sources":["../../../../src/runtime/mcp-http/oauth/crypto.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAEvE,MAAM,UAAU,WAAW,CAAC,UAAU,GAAG,EAAE;IACzC,OAAO,WAAW,CAAC,UAAU,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AACvD,CAAC;AAED,MAAM,UAAU,SAAS,CAAC,KAAa;IACrC,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAC1D,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,SAAiB;IAC/C,OAAO,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AAChC,CAAC;AAED,MAAM,UAAU,qBAAqB,CAAC,CAAS,EAAE,CAAS;IACxD,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;IAC9C,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;IAC/C,OAAO,eAAe,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;AACtC,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,QAAQ;IACtB,MAAM,QAAQ,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IACvD,MAAM,SAAS,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;IAC5E,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC;AACjC,CAAC"}
|
|
@@ -10,6 +10,12 @@ export interface StoredAuthorizationCode {
|
|
|
10
10
|
createdAt: number;
|
|
11
11
|
expiresAt: number;
|
|
12
12
|
consumedAt?: number;
|
|
13
|
+
/**
|
|
14
|
+
* EVO-12 P2 (mode 3, multi-tenant): the upstream 39-auth subject this code was
|
|
15
|
+
* minted for. Threaded code→token so /mcp can serve the per-user root. Absent
|
|
16
|
+
* for single-tenant (consent-secret) codes.
|
|
17
|
+
*/
|
|
18
|
+
sub?: string;
|
|
13
19
|
}
|
|
14
20
|
export interface StoredToken {
|
|
15
21
|
tokenHash: string;
|
|
@@ -21,6 +27,8 @@ export interface StoredToken {
|
|
|
21
27
|
expiresAt: number;
|
|
22
28
|
revokedAt?: number;
|
|
23
29
|
parentRefreshTokenHash?: string;
|
|
30
|
+
/** EVO-12 P2: the 39-auth subject (see StoredAuthorizationCode.sub). */
|
|
31
|
+
sub?: string;
|
|
24
32
|
}
|
|
25
33
|
export declare class FileOAuthStore implements OAuthRegisteredClientsStore {
|
|
26
34
|
readonly path: string;
|
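Review bot: The new `sub?` field comments on `StoredAuthorizationCode` and `StoredToken` do not say what an absent `sub` means for records written before this version. From the app.js and single-tenant-provider.js changes on this page, a refresh carries `record.sub` forward unchanged and the multi-tenant `/mcp` handler answers 403 when the token has no `sub`, so a broker token stored by 0.38.1 apparently cannot be refreshed into a usable one and the user must re-authorize. That is the safe direction, but it deserves a sentence in the doc comment, for example `* Records persisted before 0.39.0 have no sub; in multi-tenant mode they are refused at /mcp and must be re-issued.` Both interfaces begin outside the hunks, and `FileOAuthStore` continues past them.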
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"file-store.d.ts","sourceRoot":"","sources":["../../../../src/runtime/mcp-http/oauth/file-store.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EAAE,2BAA2B,EAAE,MAAM,kDAAkD,CAAC;AACpG,OAAO,KAAK,EAAE,0BAA0B,EAAE,MAAM,0CAA0C,CAAC;AAI3F,MAAM,WAAW,uBAAuB;IACtC,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,aAAa,EAAE,MAAM,CAAC;IACtB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;
|
|
1
|
+
{"version":3,"file":"file-store.d.ts","sourceRoot":"","sources":["../../../../src/runtime/mcp-http/oauth/file-store.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EAAE,2BAA2B,EAAE,MAAM,kDAAkD,CAAC;AACpG,OAAO,KAAK,EAAE,0BAA0B,EAAE,MAAM,0CAA0C,CAAC;AAI3F,MAAM,WAAW,uBAAuB;IACtC,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,aAAa,EAAE,MAAM,CAAC;IACtB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB;;;;OAIG;IACH,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,WAAW;IAC1B,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,QAAQ,GAAG,SAAS,CAAC;IAChC,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,wEAAwE;IACxE,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AASD,qBAAa,cAAe,YAAW,2BAA2B;IAGpD,QAAQ,CAAC,IAAI,EAAE,MAAM;IAFjC,OAAO,CAAC,QAAQ,CAA6E;gBAExE,IAAI,EAAE,MAAM;IAE3B,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;IAkBrB,SAAS,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,0BAA0B,GAAG,SAAS,CAAC;IAI5E,cAAc,CAAC,MAAM,EAAE,0BAA0B,GAAG,OAAO,CAAC,0BAA0B,CAAC;IAMvF,oBAAoB,CACxB,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,IAAI,CAAC,uBAAuB,EAAE,UAAU,GAAG,YAAY,CAAC,GAC/D,OAAO,CAAC,IAAI,CAAC;IAMV,oBAAoB,CAAC,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,uBAAuB,GAAG,SAAS,CAAC;IAMpG,wBAAwB,CAAC,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,uBAAuB,GAAG,SAAS,CAAC;IASxG,QAAQ,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,IAAI,CAAC,WAAW,EAAE,WAAW,GAAG,WAAW,CAAC,GAAG,OAAO,CAAC,WAAW,CAAC;IAQnG,SAAS,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,GAAG,SAAS,CAAC;IAI1D,WAAW,CAAC,KAAK,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;YAQrD,OAAO;CAmBtB"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"file-store.js","sourceRoot":"","sources":["../../../../src/runtime/mcp-http/oauth/file-store.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAC5E,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAIpC,OAAO,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;
|
|
1
|
+
{"version":3,"file":"file-store.js","sourceRoot":"","sources":["../../../../src/runtime/mcp-http/oauth/file-store.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAC5E,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAIpC,OAAO,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAyCxC,MAAM,OAAO,cAAc;IAGJ;IAFb,QAAQ,GAAa,EAAE,OAAO,EAAE,CAAC,EAAE,OAAO,EAAE,EAAE,EAAE,kBAAkB,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC;IAE7F,YAAqB,IAAY;QAAZ,SAAI,GAAJ,IAAI,CAAQ;IAAG,CAAC;IAErC,KAAK,CAAC,IAAI;QACR,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,QAAQ,CAAC,IAAI,CAAC,IAAI,EAAE,MAAM,CAAC,CAAa,CAAC;YACzE,IAAI,CAAC,QAAQ,GAAG;gBACd,OAAO,EAAE,CAAC;gBACV,OAAO,EAAE,MAAM,CAAC,OAAO,IAAI,EAAE;gBAC7B,kBAAkB,EAAE,MAAM,CAAC,kBAAkB,IAAI,EAAE;gBACnD,MAAM,EAAE,MAAM,CAAC,MAAM,IAAI,EAAE;aAC5B,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,KAAK,YAAY,KAAK,IAAI,MAAM,IAAI,KAAK,IAAI,KAAK,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;gBACzE,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;gBACrB,OAAO;YACT,CAAC;YACD,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,QAAgB;QAC9B,OAAO,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IACzC,CAAC;IAED,KAAK,CAAC,cAAc,CAAC,MAAkC;QACrD,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,GAAG,MAAM,CAAC;QACjD,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;QACrB,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,KAAK,CAAC,oBAAoB,CACxB,IAAY,EACZ,MAAgE;QAEhE,MAAM,QAAQ,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC;QACjC,IAAI,CAAC,QAAQ,CAAC,kBAAkB,CAAC,QAAQ,CAAC,GAAG,EAAE,GAAG,MAAM,EAAE,QAAQ,EAAE,CAAC;QACrE,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;IACvB,CAAC;IAED,KAAK,CAAC,oBAAoB,CAAC,IAAY,EAAE,UAAkB;QACzD,MAAM,MAAM,GAAG,IAAI,CAAC,QAAQ,CAAC,kBAAkB,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC;QACjE,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,UAAU,IAAI,MAAM,CAAC,SAAS,IAAI,UAAU;YAAE,OAAO,SAAS,CAAC;QACrF,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,KAAK,CAAC,wBAAwB,CAAC,IAAY,EAAE,UAAkB;QAC7D,MAAM,QAAQ,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC;QACjC,MAAM,MAAM,GAAG,IAAI,CAAC,QAAQ,CAAC,kBAAkB,CAAC,QAAQ,CAAC,CAAC;QAC1D,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,UAAU,IAAI,MAAM,CAAC,SAA
S,IAAI,UAAU;YAAE,OAAO,SAAS,CAAC;QACrF,MAAM,CAAC,UAAU,GAAG,UAAU,CAAC;QAC/B,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;QACrB,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,KAAK,CAAC,QAAQ,CAAC,KAAa,EAAE,MAAoD;QAChF,MAAM,SAAS,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;QACnC,MAAM,MAAM,GAAG,EAAE,GAAG,MAAM,EAAE,SAAS,EAAE,CAAC;QACxC,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,SAAS,CAAC,GAAG,MAAM,CAAC;QACzC,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;QACrB,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,KAAa;QAC3B,OAAO,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC;IAChD,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,KAAa,EAAE,UAAkB;QACjD,MAAM,MAAM,GAAG,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC;QACtD,IAAI,MAAM,IAAI,MAAM,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;YAC7C,MAAM,CAAC,SAAS,GAAG,UAAU,CAAC;YAC9B,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;QACvB,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,OAAO;QACnB,MAAM,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACrD,MAAM,IAAI,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC;QAC3D,MAAM,QAAQ,GAAG,GAAG,IAAI,CAAC,IAAI,IAAI,OAAO,CAAC,GAAG,IAAI,IAAI,CAAC,GAAG,EAAE,MAAM,CAAC;QACjE,MAAM,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QACjD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;QACzC,IAAI,CAAC;YACH,MAAM,MAAM,CAAC,IAAI,EAAE,CAAC;QACtB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,uEAAuE;YACvE,qEAAqE;YACrE,gEAAgE;YAChE,MAAM,IAAI,GAAI,KAA+B,CAAC,IAAI,CAAC;YACnD,IAAI,IAAI,KAAK,OAAO,IAAI,IAAI,KAAK,QAAQ;gBAAE,MAAM,KAAK,CAAC;QACzD,CAAC;gBAAS,CAAC;YACT,MAAM,MAAM,CAAC,KAAK,EAAE,CAAC;QACvB,CAAC;QACD,MAAM,MAAM,CAAC,QAAQ,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC;IACpC,CAAC;CACF"}
|
|
@@ -39,6 +39,8 @@ interface IssueCodeParams {
|
|
|
39
39
|
scopes: string[];
|
|
40
40
|
resource?: URL;
|
|
41
41
|
state?: string;
|
|
42
|
+
/** EVO-12 P2 (mode 3): the 39-auth subject this code is minted for (broker flow). */
|
|
43
|
+
sub?: string;
|
|
42
44
|
}
|
|
43
45
|
type WideClientsStore = Omit<OAuthRegisteredClientsStore, "registerClient"> & {
|
|
44
46
|
registerClient?(client: OAuthClientInformationFull): OAuthClientInformationFull | Promise<OAuthClientInformationFull>;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"single-tenant-provider.d.ts","sourceRoot":"","sources":["../../../../src/runtime/mcp-http/oauth/single-tenant-provider.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AACH,OAAO,KAAK,EAAE,2BAA2B,EAAE,MAAM,kDAAkD,CAAC;AAQpG,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,mDAAmD,CAAC;AAC7F,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,gDAAgD,CAAC;AAC/E,OAAO,KAAK,EACV,0BAA0B,EAC1B,2BAA2B,EAC3B,WAAW,EACZ,MAAM,0CAA0C,CAAC;AAIlD,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAC;AAGtD,MAAM,MAAM,gBAAgB,GACxB;IAAE,IAAI,EAAE,SAAS,CAAC;IAAC,MAAM,EAAE,GAAG,GAAG,GAAG,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,GACpD;IAAE,IAAI,EAAE,UAAU,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,CAAC;AAE3C,UAAU,eAAe;IACvB,KAAK,EAAE,cAAc,CAAC;IACtB,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,GAAG,CAAC;IACf,aAAa,EAAE,GAAG,CAAC;IACnB,iBAAiB,EAAE,GAAG,CAAC;IACvB,aAAa,EAAE,MAAM,CAAC;IACtB,mBAAmB,EAAE,SAAS,MAAM,EAAE,CAAC;IACvC,kBAAkB,EAAE,MAAM,CAAC;IAC3B,qBAAqB,EAAE,MAAM,CAAC;IAC9B,sBAAsB,EAAE,MAAM,CAAC;IAC/B,UAAU,CAAC,EAAE,MAAM,MAAM,CAAC;CAC3B;AAED,UAAU,eAAe;IACvB,WAAW,EAAE,MAAM,CAAC;IACpB,aAAa,EAAE,MAAM,CAAC;IACtB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,QAAQ,CAAC,EAAE,GAAG,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;
|
|
1
|
+
{"version":3,"file":"single-tenant-provider.d.ts","sourceRoot":"","sources":["../../../../src/runtime/mcp-http/oauth/single-tenant-provider.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AACH,OAAO,KAAK,EAAE,2BAA2B,EAAE,MAAM,kDAAkD,CAAC;AAQpG,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,mDAAmD,CAAC;AAC7F,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,gDAAgD,CAAC;AAC/E,OAAO,KAAK,EACV,0BAA0B,EAC1B,2BAA2B,EAC3B,WAAW,EACZ,MAAM,0CAA0C,CAAC;AAIlD,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAC;AAGtD,MAAM,MAAM,gBAAgB,GACxB;IAAE,IAAI,EAAE,SAAS,CAAC;IAAC,MAAM,EAAE,GAAG,GAAG,GAAG,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,GACpD;IAAE,IAAI,EAAE,UAAU,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,CAAC;AAE3C,UAAU,eAAe;IACvB,KAAK,EAAE,cAAc,CAAC;IACtB,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,GAAG,CAAC;IACf,aAAa,EAAE,GAAG,CAAC;IACnB,iBAAiB,EAAE,GAAG,CAAC;IACvB,aAAa,EAAE,MAAM,CAAC;IACtB,mBAAmB,EAAE,SAAS,MAAM,EAAE,CAAC;IACvC,kBAAkB,EAAE,MAAM,CAAC;IAC3B,qBAAqB,EAAE,MAAM,CAAC;IAC9B,sBAAsB,EAAE,MAAM,CAAC;IAC/B,UAAU,CAAC,EAAE,MAAM,MAAM,CAAC;CAC3B;AAED,UAAU,eAAe;IACvB,WAAW,EAAE,MAAM,CAAC;IACpB,aAAa,EAAE,MAAM,CAAC;IACtB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,QAAQ,CAAC,EAAE,GAAG,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,qFAAqF;IACrF,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED,KAAK,gBAAgB,GAAG,IAAI,CAAC,2BAA2B,EAAE,gBAAgB,CAAC,GAAG;IAC5E,cAAc,CAAC,CACb,MAAM,EAAE,0BAA0B,GACjC,0BAA0B,GAAG,OAAO,CAAC,0BAA0B,CAAC,CAAC;CACrE,CAAC;AAEF,qBAAa,yBAAyB;IAGxB,OAAO,CAAC,QAAQ,CAAC,IAAI;IAFjC,QAAQ,CAAC,YAAY,EAAE,gBAAgB,CAAC;gBAEX,IAAI,EAAE,eAAe;IAmBlD,OAAO,CAAC,UAAU;IAIZ,gBAAgB,CACpB,MAAM,EAAE,0BAA0B,EAClC,MAAM,EAAE,mBAAmB,EAC3B,KAAK,EAAE;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,aAAa,CAAC,EAAE,MAAM,CAAA;KAAE,GAChD,OAAO,CAAC,gBAAgB,CAAC;IAoBtB,sBAAsB,CAAC,MAAM,EAAE,0BAA0B,EAAE,MAAM,EAAE,eAAe,GAAG,OAAO,CAAC,MAAM,CAAC;IAkB1G,OAAO,CAAC,iBAAiB;IAiEnB,6BAA6B,CACjC,OAAO,EAAE,0BAA0B,EACnC,iBAAiB,EAAE,MAAM,GACxB,OAAO,CAAC,MAAM,CAAC;IAMZ,yBAAyB,CAC7B,MAAM,EAAE,0BAA0B,EAClC,iBAAiB,EAAE,MAAM,EACzB,aAAa,CAAC,EAAE,MAAM,EACtB,WAAW,CAAC,EAAE,MAAM,EACpB,QAAQ,CAAC,EAAE,GAAG,GACb,OAAO,CAAC,WAAW,CAAC;IAYjB,oBAAoB,CACxB
,MAAM,EAAE,0BAA0B,EAClC,YAAY,EAAE,MAAM,EACpB,MAAM,CAAC,EAAE,MAAM,EAAE,EACjB,QAAQ,CAAC,EAAE,GAAG,GACb,OAAO,CAAC,WAAW,CAAC;IAkBjB,iBAAiB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC;IAsBnD,WAAW,CAAC,OAAO,EAAE,0BAA0B,EAAE,OAAO,EAAE,2BAA2B,GAAG,OAAO,CAAC,IAAI,CAAC;IAIrG,mBAAmB,CAAC,MAAM,EAAE,0BAA0B,GAAG,OAAO,CAAC,WAAW,CAAC;YAIrE,WAAW;IAuCzB,OAAO,CAAC,eAAe;IAQvB,OAAO,CAAC,iBAAiB;CAQ1B"}
|
|
@@ -59,7 +59,8 @@ export class SingleTenantOAuthProvider {
|
|
|
59
59
|
scopes,
|
|
60
60
|
resource: resource.href,
|
|
61
61
|
createdAt: now,
|
|
62
|
-
expiresAt: now + this.opts.authCodeTtlSeconds
|
|
62
|
+
expiresAt: now + this.opts.authCodeTtlSeconds,
|
|
63
|
+
...(params.sub !== undefined && { sub: params.sub })
|
|
63
64
|
});
|
|
64
65
|
return code;
|
|
65
66
|
}
|
|
@@ -139,7 +140,7 @@ export class SingleTenantOAuthProvider {
|
|
|
139
140
|
throw new InvalidGrantError("redirect_uri does not match authorization code");
|
|
140
141
|
if (this.normalizeResource(resource).href !== record.resource)
|
|
141
142
|
throw new InvalidTargetError("resource does not match authorization code");
|
|
142
|
-
return this.issueTokens(client, record.scopes, new URL(record.resource), undefined);
|
|
143
|
+
return this.issueTokens(client, record.scopes, new URL(record.resource), undefined, record.sub);
|
|
143
144
|
}
|
|
144
145
|
async exchangeRefreshToken(client, refreshToken, scopes, resource) {
|
|
145
146
|
const record = await this.opts.store.findToken(refreshToken);
|
|
@@ -156,7 +157,7 @@ export class SingleTenantOAuthProvider {
|
|
|
156
157
|
throw new InvalidScopeError("requested scope exceeds refresh token scope");
|
|
157
158
|
}
|
|
158
159
|
await this.opts.store.revokeToken(refreshToken, now);
|
|
159
|
-
return this.issueTokens(client, requestedScopes, new URL(record.resource), sha256Hex(refreshToken));
|
|
160
|
+
return this.issueTokens(client, requestedScopes, new URL(record.resource), sha256Hex(refreshToken), record.sub);
|
|
160
161
|
}
|
|
161
162
|
async verifyAccessToken(token) {
|
|
162
163
|
const record = await this.opts.store.findToken(token);
|
|
@@ -170,7 +171,13 @@ export class SingleTenantOAuthProvider {
|
|
|
170
171
|
scopes: record.scopes,
|
|
171
172
|
expiresAt: record.expiresAt,
|
|
172
173
|
resource: new URL(record.resource),
|
|
173
|
-
extra: {
|
|
174
|
+
extra: {
|
|
175
|
+
tokenHashPrefix: tokenHashPrefix(record.tokenHash),
|
|
176
|
+
// EVO-12 P2 (mode 3): the per-user root key. Present iff this token was
|
|
177
|
+
// minted through the broker flow; the /mcp handler derives the tenant
|
|
178
|
+
// root from it (rootForSub) and serves that root.
|
|
179
|
+
...(record.sub !== undefined && { sub: record.sub })
|
|
180
|
+
}
|
|
174
181
|
};
|
|
175
182
|
}
|
|
176
183
|
async revokeToken(_client, request) {
|
|
@@ -179,7 +186,7 @@ export class SingleTenantOAuthProvider {
|
|
|
179
186
|
async issueTokensForTests(client) {
|
|
180
187
|
return this.issueTokens(client, [OAUTH_SCOPE], this.opts.resourceServerUrl, undefined);
|
|
181
188
|
}
|
|
182
|
-
async issueTokens(client, scopes, resource, parentRefreshTokenHash) {
|
|
189
|
+
async issueTokens(client, scopes, resource, parentRefreshTokenHash, sub) {
|
|
183
190
|
const accessToken = randomToken();
|
|
184
191
|
const refreshToken = randomToken();
|
|
185
192
|
const now = this.nowSeconds();
|
|
@@ -190,7 +197,8 @@ export class SingleTenantOAuthProvider {
|
|
|
190
197
|
resource: resource.href,
|
|
191
198
|
issuedAt: now,
|
|
192
199
|
expiresAt: now + this.opts.accessTokenTtlSeconds,
|
|
193
|
-
...(parentRefreshTokenHash !== undefined && { parentRefreshTokenHash })
|
|
200
|
+
...(parentRefreshTokenHash !== undefined && { parentRefreshTokenHash }),
|
|
201
|
+
...(sub !== undefined && { sub })
|
|
194
202
|
});
|
|
195
203
|
await this.opts.store.putToken(refreshToken, {
|
|
196
204
|
tokenType: "refresh",
|
|
@@ -199,7 +207,8 @@ export class SingleTenantOAuthProvider {
|
|
|
199
207
|
resource: resource.href,
|
|
200
208
|
issuedAt: now,
|
|
201
209
|
expiresAt: now + this.opts.refreshTokenTtlSeconds,
|
|
202
|
-
...(parentRefreshTokenHash !== undefined && { parentRefreshTokenHash })
|
|
210
|
+
...(parentRefreshTokenHash !== undefined && { parentRefreshTokenHash }),
|
|
211
|
+
...(sub !== undefined && { sub })
|
|
203
212
|
});
|
|
204
213
|
return {
|
|
205
214
|
access_token: accessToken,
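Review bot: In `verifyAccessToken` (new lines 174–180) a token record without `sub` still verifies and comes back with no `sub` in `extra`, so the tenant-isolation decision for such tokens is left entirely to the caller. Records stored before this release and tokens from `issueTokensForTests` (which calls `issueTokens` without the new fifth argument) are sub-less, and refresh rotation keeps them that way because it copies `record.sub`. The /mcp handler is outside this section, so whether it rejects them in broker mode or falls back to the shared server cannot be confirmed here; I would state the contract next to the spread, e.g. `// sub absent => not broker-minted; /mcp must reject when tenancy is configured`. Separately, the `!== undefined` guards at new lines 63, 179, 201 and 211 let `sub: ""` through, and a `typeof params.sub === "string" && params.sub.length > 0` check at the auth-code write would stop an empty key before it reaches `rootForSub`. The method bodies start or end outside the hunks shown.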
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"single-tenant-provider.js","sourceRoot":"","sources":["../../../../src/runtime/mcp-http/oauth/single-tenant-provider.ts"],"names":[],"mappings":"AAUA,OAAO,EACL,0BAA0B,EAC1B,iBAAiB,EACjB,iBAAiB,EACjB,kBAAkB,EAClB,iBAAiB,EAClB,MAAM,iDAAiD,CAAC;AASzD,OAAO,EAAE,sBAAsB,IAAI,WAAW,EAAE,MAAM,aAAa,CAAC;AACpE,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,qBAAqB,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAE7F,OAAO,EAAE,sBAAsB,EAAE,MAAM,mBAAmB,CAAC;
|
|
1
|
+
{"version":3,"file":"single-tenant-provider.js","sourceRoot":"","sources":["../../../../src/runtime/mcp-http/oauth/single-tenant-provider.ts"],"names":[],"mappings":"AAUA,OAAO,EACL,0BAA0B,EAC1B,iBAAiB,EACjB,iBAAiB,EACjB,kBAAkB,EAClB,iBAAiB,EAClB,MAAM,iDAAiD,CAAC;AASzD,OAAO,EAAE,sBAAsB,IAAI,WAAW,EAAE,MAAM,aAAa,CAAC;AACpE,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,qBAAqB,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAE7F,OAAO,EAAE,sBAAsB,EAAE,MAAM,mBAAmB,CAAC;AAoC3D,MAAM,OAAO,yBAAyB;IAGP;IAFpB,YAAY,CAAmB;IAExC,YAA6B,IAAqB;QAArB,SAAI,GAAJ,IAAI,CAAiB;QAChD,IAAI,CAAC,YAAY,GAAG;YAClB,SAAS,EAAE,CAAC,QAAQ,EAAE,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,QAAQ,CAAC;YAC5D,cAAc,EAAE,KAAK,EAAE,MAAM,EAAE,EAAE;gBAC/B,IAAI,CAAC,sBAAsB,CAAC,MAAM,CAAC,aAAa,EAAE,IAAI,CAAC,IAAI,CAAC,mBAAmB,EAAE,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;oBACpG,MAAM,IAAI,0BAA0B,CAAC,kDAAkD,CAAC,CAAC;gBAC3F,CAAC;gBACD,MAAM,UAAU,GAA+B;oBAC7C,GAAG,MAAM;oBACT,KAAK,EAAE,WAAW;oBAClB,WAAW,EAAE,CAAC,oBAAoB,EAAE,eAAe,CAAC;oBACpD,cAAc,EAAE,CAAC,MAAM,CAAC;oBACxB,0BAA0B,EAAE,MAAM,CAAC,0BAA0B,IAAI,MAAM;iBACxE,CAAC;gBACF,OAAO,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,cAAc,CAAC,UAAU,CAAC,CAAC;YACpD,CAAC;SACF,CAAC;IACJ,CAAC;IAEO,UAAU;QAChB,OAAO,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,EAAE,IAAI,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IACnE,CAAC;IAED,KAAK,CAAC,gBAAgB,CACpB,MAAkC,EAClC,MAA2B,EAC3B,KAAiD;QAEjD,IAAI,KAAK,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;YAC5B,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,GAAG,EAAE,IAAI,EAAE,IAAI,CAAC,iBAAiB,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,CAAC,EAAE,CAAC;QACnG,CAAC;QACD,IAAI,CAAC,KAAK,CAAC,aAAa,IAAI,CAAC,qBAAqB,CAAC,KAAK,CAAC,aAAa,EAAE,IAAI,CAAC,IAAI,CAAC,aAAa,CAAC,EAAE,CAAC;YACjG,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,GAAG,EAAE,IAAI,EAAE,IAAI,CAAC,iBAAiB,CAAC,MAAM,EAAE,MAAM,EAAE,wBAAwB,CAAC,EAAE,CAAC;QAClH,CAAC;QACD,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,sBAAsB,CAAC,MAAM,EAAE;YACrD,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,aAAa,EAAE,MAAM,CAAC,aAAa;YACnC,MAAM,EAAE,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC,MAAM,CAAC;YAC3C,GAAG,CAAC,MAAM,CAAC,QAAQ,KAAK,SAAS,IAA
I,EAAE,QAAQ,EAAE,MAAM,CAAC,QAAQ,EAAE,CAAC;YACnE,GAAG,CAAC,MAAM,CAAC,KAAK,KAAK,SAAS,IAAI,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC;SAC3D,CAAC,CAAC;QACH,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;QAC7C,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;QACxC,IAAI,MAAM,CAAC,KAAK;YAAE,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;QACnE,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,QAAQ,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC;IACvD,CAAC;IAED,KAAK,CAAC,sBAAsB,CAAC,MAAkC,EAAE,MAAuB;QACtF,MAAM,QAAQ,GAAG,IAAI,CAAC,iBAAiB,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QACzD,MAAM,MAAM,GAAG,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QACnD,MAAM,IAAI,GAAG,WAAW,EAAE,CAAC;QAC3B,MAAM,GAAG,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;QAC9B,MAAM,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,oBAAoB,CAAC,IAAI,EAAE;YAC/C,QAAQ,EAAE,MAAM,CAAC,SAAS;YAC1B,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,aAAa,EAAE,MAAM,CAAC,aAAa;YACnC,MAAM;YACN,QAAQ,EAAE,QAAQ,CAAC,IAAI;YACvB,SAAS,EAAE,GAAG;YACd,SAAS,EAAE,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,kBAAkB;YAC7C,GAAG,CAAC,MAAM,CAAC,GAAG,KAAK,SAAS,IAAI,EAAE,GAAG,EAAE,MAAM,CAAC,GAAG,EAAE,CAAC;SACrD,CAAC,CAAC;QACH,OAAO,IAAI,CAAC;IACd,CAAC;IAEO,iBAAiB,CACvB,MAAkC,EAClC,MAA2B,EAC3B,KAAyB;QAEzB,MAAM,KAAK,GAAG,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC5D,MAAM,QAAQ,GAAG,IAAI,CAAC,iBAAiB,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC;QAC9D,MAAM,UAAU,GAAG,UAAU,CAAC,MAAM,CAAC,WAAW,IAAI,MAAM,CAAC,SAAS,CAAC,CAAC;QACtE,MAAM,SAAS,GAAG,KAAK,CAAC,CAAC,CAAC,iCAAiC,UAAU,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC;QACxF,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;4BA4BiB,UAAU;;;;IAIlC,SAAS;;yBAEY,UAAU;2BACR,UAAU,CAAC,MAAM,CAAC,WAAW,CAAC;wBACjC,UAAU,CAAC,KAAK,CAAC;;;;mDAIU,UAAU,CAAC,MAAM,CAAC,SAAS,CAAC;sDACzB,UAAU,CAAC,MAAM,CAAC,WAAW,CAAC;wDAC5B,UAAU,CAAC,MAAM,CAAC,aAAa,CAAC;;+CAEzC,UAAU,CAAC,KAAK,CAAC;kDACd,UAAU,CAAC,QAAQ,CAAC;MAChE,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,4CAA4C,UAAU,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE;;;;;;;QAO1F,CAAC;IACP,CAAC;IAED,KAAK,CAAC,6BAA6B,CACjC,OAAmC,EACnC,iBAAyB;QAEzB,MAAM,MAAM,GAAG,MAAM
,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,oBAAoB,CAAC,iBAAiB,EAAE,IAAI,CAAC,UAAU,EAAE,CAAC,CAAC;QAChG,IAAI,CAAC,MAAM;YAAE,MAAM,IAAI,iBAAiB,CAAC,0CAA0C,CAAC,CAAC;QACrF,OAAO,MAAM,CAAC,aAAa,CAAC;IAC9B,CAAC;IAED,KAAK,CAAC,yBAAyB,CAC7B,MAAkC,EAClC,iBAAyB,EACzB,aAAsB,EACtB,WAAoB,EACpB,QAAc;QAEd,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,wBAAwB,CAAC,iBAAiB,EAAE,IAAI,CAAC,UAAU,EAAE,CAAC,CAAC;QACpG,IAAI,CAAC,MAAM;YAAE,MAAM,IAAI,iBAAiB,CAAC,yDAAyD,CAAC,CAAC;QACpG,IAAI,MAAM,CAAC,QAAQ,KAAK,MAAM,CAAC,SAAS;YACtC,MAAM,IAAI,iBAAiB,CAAC,iDAAiD,CAAC,CAAC;QACjF,IAAI,WAAW,IAAI,WAAW,KAAK,MAAM,CAAC,WAAW;YACnD,MAAM,IAAI,iBAAiB,CAAC,gDAAgD,CAAC,CAAC;QAChF,IAAI,IAAI,CAAC,iBAAiB,CAAC,QAAQ,CAAC,CAAC,IAAI,KAAK,MAAM,CAAC,QAAQ;YAC3D,MAAM,IAAI,kBAAkB,CAAC,4CAA4C,CAAC,CAAC;QAC7E,OAAO,IAAI,CAAC,WAAW,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,IAAI,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,SAAS,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC;IAClG,CAAC;IAED,KAAK,CAAC,oBAAoB,CACxB,MAAkC,EAClC,YAAoB,EACpB,MAAiB,EACjB,QAAc;QAEd,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC;QAC7D,MAAM,GAAG,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;QAC9B,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,SAAS,KAAK,SAAS,IAAI,MAAM,CAAC,SAAS,IAAI,MAAM,CAAC,SAAS,IAAI,GAAG,EAAE,CAAC;YAC7F,MAAM,IAAI,iBAAiB,CAAC,qCAAqC,CAAC,CAAC;QACrE,CAAC;QACD,IAAI,MAAM,CAAC,QAAQ,KAAK,MAAM,CAAC,SAAS;YACtC,MAAM,IAAI,iBAAiB,CAAC,4CAA4C,CAAC,CAAC;QAC5E,IAAI,IAAI,CAAC,iBAAiB,CAAC,QAAQ,CAAC,CAAC,IAAI,KAAK,MAAM,CAAC,QAAQ;YAC3D,MAAM,IAAI,kBAAkB,CAAC,uCAAuC,CAAC,CAAC;QACxE,MAAM,eAAe,GAAG,IAAI,CAAC,eAAe,CAAC,MAAM,IAAI,MAAM,CAAC,MAAM,CAAC,CAAC;QACtE,IAAI,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC;YACrE,MAAM,IAAI,iBAAiB,CAAC,6CAA6C,CAAC,CAAC;QAC7E,CAAC;QACD,MAAM,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,YAAY,EAAE,GAAG,CAAC,CAAC;QACrD,OAAO,IAAI,CAAC,WAAW,CAAC,MAAM,EAAE,eAAe,EAAE,IAAI,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,SAAS,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC;IAClH,CAAC;IAED,KAAK,CAAC,iBAAiB,CAAC,KAAa;QACnC,MAAM,MAAM,GAAG,MAAM,IA
AI,CAAC,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;QACtD,MAAM,GAAG,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;QAC9B,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,SAAS,KAAK,QAAQ,IAAI,MAAM,CAAC,SAAS,IAAI,MAAM,CAAC,SAAS,IAAI,GAAG,EAAE,CAAC;YAC5F,MAAM,IAAI,iBAAiB,CAAC,oCAAoC,CAAC,CAAC;QACpE,CAAC;QACD,OAAO;YACL,KAAK;YACL,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,MAAM,EAAE,MAAM,CAAC,MAAM;YACrB,SAAS,EAAE,MAAM,CAAC,SAAS;YAC3B,QAAQ,EAAE,IAAI,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC;YAClC,KAAK,EAAE;gBACL,eAAe,EAAE,eAAe,CAAC,MAAM,CAAC,SAAS,CAAC;gBAClD,wEAAwE;gBACxE,sEAAsE;gBACtE,kDAAkD;gBAClD,GAAG,CAAC,MAAM,CAAC,GAAG,KAAK,SAAS,IAAI,EAAE,GAAG,EAAE,MAAM,CAAC,GAAG,EAAE,CAAC;aACrD;SACF,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,OAAmC,EAAE,OAAoC;QACzF,MAAM,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,UAAU,EAAE,CAAC,CAAC;IACtE,CAAC;IAED,KAAK,CAAC,mBAAmB,CAAC,MAAkC;QAC1D,OAAO,IAAI,CAAC,WAAW,CAAC,MAAM,EAAE,CAAC,WAAW,CAAC,EAAE,IAAI,CAAC,IAAI,CAAC,iBAAiB,EAAE,SAAS,CAAC,CAAC;IACzF,CAAC;IAEO,KAAK,CAAC,WAAW,CACvB,MAAkC,EAClC,MAAgB,EAChB,QAAa,EACb,sBAA0C,EAC1C,GAAY;QAEZ,MAAM,WAAW,GAAG,WAAW,EAAE,CAAC;QAClC,MAAM,YAAY,GAAG,WAAW,EAAE,CAAC;QACnC,MAAM,GAAG,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;QAC9B,MAAM,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,WAAW,EAAE;YAC1C,SAAS,EAAE,QAAQ;YACnB,QAAQ,EAAE,MAAM,CAAC,SAAS;YAC1B,MAAM;YACN,QAAQ,EAAE,QAAQ,CAAC,IAAI;YACvB,QAAQ,EAAE,GAAG;YACb,SAAS,EAAE,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,qBAAqB;YAChD,GAAG,CAAC,sBAAsB,KAAK,SAAS,IAAI,EAAE,sBAAsB,EAAE,CAAC;YACvE,GAAG,CAAC,GAAG,KAAK,SAAS,IAAI,EAAE,GAAG,EAAE,CAAC;SAClC,CAAC,CAAC;QACH,MAAM,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,YAAY,EAAE;YAC3C,SAAS,EAAE,SAAS;YACpB,QAAQ,EAAE,MAAM,CAAC,SAAS;YAC1B,MAAM;YACN,QAAQ,EAAE,QAAQ,CAAC,IAAI;YACvB,QAAQ,EAAE,GAAG;YACb,SAAS,EAAE,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,sBAAsB;YACjD,GAAG,CAAC,sBAAsB,KAAK,SAAS,IAAI,EAAE,sBAAsB,EAAE,CAAC;YACvE,GAAG,CAAC,GAAG,KAAK,SAAS,IAAI,EAAE,GAAG,EAAE,CAAC;SAClC,CAAC,CAAC;QACH,OAAO;YACL,YAAY,EAAE,WAAW;YACzB,aAAa,EAAE,YAAY;YAC3B,UAAU,EAAE,QAAQ;YACpB,UAAU,EAAE,IAAI,CAAC,IAAI,CAAC,qBAAqB;YAC3C,KAAK,EAAE,MAAM,
CAAC,IAAI,CAAC,GAAG,CAAC;SACxB,CAAC;IACJ,CAAC;IAEO,eAAe,CAAC,MAAqC;QAC3D,MAAM,SAAS,GAAG,MAAM,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC;QAC5E,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,KAAK,WAAW,CAAC,EAAE,CAAC;YACvD,MAAM,IAAI,iBAAiB,CAAC,QAAQ,WAAW,qBAAqB,CAAC,CAAC;QACxE,CAAC;QACD,OAAO,CAAC,WAAW,CAAC,CAAC;IACvB,CAAC;IAEO,iBAAiB,CAAC,QAAyB;QACjD,MAAM,EAAE,GAAG,IAAI,CAAC,IAAI,CAAC,iBAAiB,CAAC;QACvC,IAAI,QAAQ,KAAK,SAAS;YAAE,OAAO,EAAE,CAAC;QACtC,MAAM,IAAI,GAAG,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;QACnD,MAAM,MAAM,GAAG,EAAE,CAAC,QAAQ,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;QAC/C,IAAI,QAAQ,CAAC,MAAM,KAAK,EAAE,CAAC,MAAM,IAAI,CAAC,IAAI,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YAAE,OAAO,EAAE,CAAC;QACjF,MAAM,IAAI,kBAAkB,CAAC,iDAAiD,CAAC,CAAC;IAClF,CAAC;CACF;AAED,SAAS,UAAU,CAAC,KAAa;IAC/B,OAAO,KAAK;SACT,UAAU,CAAC,GAAG,EAAE,OAAO,CAAC;SACxB,UAAU,CAAC,GAAG,EAAE,MAAM,CAAC;SACvB,UAAU,CAAC,GAAG,EAAE,MAAM,CAAC;SACvB,UAAU,CAAC,GAAG,EAAE,QAAQ,CAAC;SACzB,UAAU,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;AAC9B,CAAC"}
|
|
@@ -13,6 +13,14 @@ export interface HostedEnv {
|
|
|
13
13
|
H2A_ROOT?: string;
|
|
14
14
|
PORT?: string;
|
|
15
15
|
NODE_ENV?: string;
|
|
16
|
+
H2A_BROKER_MODE?: string;
|
|
17
|
+
H2A_UPSTREAM_ISSUER?: string;
|
|
18
|
+
H2A_UPSTREAM_AUTHORIZE_URL?: string;
|
|
19
|
+
H2A_UPSTREAM_TOKEN_URL?: string;
|
|
20
|
+
H2A_UPSTREAM_CLIENT_ID?: string;
|
|
21
|
+
H2A_UPSTREAM_CLIENT_SECRET?: string;
|
|
22
|
+
H2A_UPSTREAM_REDIRECT_URI?: string;
|
|
23
|
+
H2A_UPSTREAM_SCOPES?: string;
|
|
16
24
|
}
|
|
17
25
|
export interface HostedConfig {
|
|
18
26
|
oauthConfig: H2AHostedOAuthConfig;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"serve.d.ts","sourceRoot":"","sources":["../../../src/runtime/mcp-http/serve.ts"],"names":[],"mappings":"AASA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;
|
|
1
|
+
{"version":3,"file":"serve.d.ts","sourceRoot":"","sources":["../../../src/runtime/mcp-http/serve.ts"],"names":[],"mappings":"AASA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAGlD,OAAO,EAAE,KAAK,oBAAoB,EAAsB,MAAM,mBAAmB,CAAC;AAMlF,MAAM,WAAW,SAAS;IACxB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,2BAA2B,CAAC,EAAE,MAAM,CAAC;IACrC,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,8BAA8B,CAAC,EAAE,MAAM,CAAC;IACxC,+BAA+B,CAAC,EAAE,MAAM,CAAC;IACzC,2BAA2B,CAAC,EAAE,MAAM,CAAC;IACrC,6BAA6B,CAAC,EAAE,MAAM,CAAC;IACvC,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,0BAA0B,CAAC,EAAE,MAAM,CAAC;IACpC,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,0BAA0B,CAAC,EAAE,MAAM,CAAC;IACpC,yBAAyB,CAAC,EAAE,MAAM,CAAC;IACnC,mBAAmB,CAAC,EAAE,MAAM,CAAC;CAC9B;AAKD,MAAM,WAAW,YAAY;IAC3B,WAAW,EAAE,oBAAoB,CAAC;IAClC,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;CACd;AAED,yFAAyF;AACzF,wBAAgB,wBAAwB,CAAC,GAAG,EAAE,SAAS,GAAG,YAAY,CAuCrE;AAED,MAAM,WAAW,mBAAmB;IAClC,IAAI,EAAE,MAAM,CAAC;IACb,YAAY,EAAE,SAAS,CAAC;IACxB,IAAI,IAAI,IAAI,CAAC;CACd;AAED,wBAAsB,iBAAiB,CAAC,GAAG,GAAE,SAAuB,GAAG,OAAO,CAAC,mBAAmB,CAAC,CA0ClG"}
|
|
@@ -7,8 +7,11 @@ import { join } from "node:path";
|
|
|
7
7
|
import { serve } from "@hono/node-server";
|
|
8
8
|
import { createMcpServer } from "../mcp/index.js";
|
|
9
9
|
import { createHostedApp } from "./app.js";
|
|
10
|
+
import { createBrokerLogin } from "./oauth/broker-login.js";
|
|
10
11
|
import { oauthConfigFromEnv } from "./oauth/config.js";
|
|
12
|
+
import { pkceS256, randomToken } from "./oauth/crypto.js";
|
|
11
13
|
import { FileOAuthStore } from "./oauth/file-store.js";
|
|
14
|
+
import { exchangeUpstreamCode } from "./oauth/oidc-rp.js";
|
|
12
15
|
import { SingleTenantOAuthProvider } from "./oauth/single-tenant-provider.js";
|
|
13
16
|
const DEFAULT_CLAUDE_REDIRECTS = "https://claude.ai/api/mcp/auth_callback,https://claude.com/api/mcp/auth_callback";
|
|
14
17
|
/** Pure: validate + derive the hosted config from env (defaults claude.ai redirects). */
|
|
@@ -28,7 +31,23 @@ export function buildHostedConfigFromEnv(env) {
|
|
|
28
31
|
OAUTH_ACCESS_TOKEN_TTL_SECONDS: Number(env.OAUTH_ACCESS_TOKEN_TTL_SECONDS ?? 3600),
|
|
29
32
|
OAUTH_REFRESH_TOKEN_TTL_SECONDS: Number(env.OAUTH_REFRESH_TOKEN_TTL_SECONDS ?? 1_209_600),
|
|
30
33
|
OAUTH_AUTH_CODE_TTL_SECONDS: Number(env.OAUTH_AUTH_CODE_TTL_SECONDS ?? 60),
|
|
31
|
-
NODE_ENV: env.NODE_ENV ?? "production"
|
|
34
|
+
NODE_ENV: env.NODE_ENV ?? "production",
|
|
35
|
+
// EVO-12 P2 (mode 3): broker passthrough — oauthConfigFromEnv parses these
|
|
36
|
+
// and throws if brokerMode is on but an upstream field is missing.
|
|
37
|
+
...(env.H2A_BROKER_MODE !== undefined && { H2A_BROKER_MODE: env.H2A_BROKER_MODE }),
|
|
38
|
+
...(env.H2A_UPSTREAM_ISSUER !== undefined && { H2A_UPSTREAM_ISSUER: env.H2A_UPSTREAM_ISSUER }),
|
|
39
|
+
...(env.H2A_UPSTREAM_AUTHORIZE_URL !== undefined && {
|
|
40
|
+
H2A_UPSTREAM_AUTHORIZE_URL: env.H2A_UPSTREAM_AUTHORIZE_URL
|
|
41
|
+
}),
|
|
42
|
+
...(env.H2A_UPSTREAM_TOKEN_URL !== undefined && { H2A_UPSTREAM_TOKEN_URL: env.H2A_UPSTREAM_TOKEN_URL }),
|
|
43
|
+
...(env.H2A_UPSTREAM_CLIENT_ID !== undefined && { H2A_UPSTREAM_CLIENT_ID: env.H2A_UPSTREAM_CLIENT_ID }),
|
|
44
|
+
...(env.H2A_UPSTREAM_CLIENT_SECRET !== undefined && {
|
|
45
|
+
H2A_UPSTREAM_CLIENT_SECRET: env.H2A_UPSTREAM_CLIENT_SECRET
|
|
46
|
+
}),
|
|
47
|
+
...(env.H2A_UPSTREAM_REDIRECT_URI !== undefined && {
|
|
48
|
+
H2A_UPSTREAM_REDIRECT_URI: env.H2A_UPSTREAM_REDIRECT_URI
|
|
49
|
+
}),
|
|
50
|
+
...(env.H2A_UPSTREAM_SCOPES !== undefined && { H2A_UPSTREAM_SCOPES: env.H2A_UPSTREAM_SCOPES })
|
|
32
51
|
});
|
|
33
52
|
return {
|
|
34
53
|
oauthConfig,
|
|
@@ -43,7 +62,32 @@ export async function startHostedServer(env = process.env) {
|
|
|
43
62
|
await store.load();
|
|
44
63
|
const oauthProvider = new SingleTenantOAuthProvider({ store, ...cfg.oauthConfig });
|
|
45
64
|
const h2aMcpServer = createMcpServer({ root: cfg.root });
|
|
46
|
-
|
|
65
|
+
// EVO-12 P2 (mode 3, multi-tenant gateway): when broker mode is configured,
|
|
66
|
+
// delegate user login to 39-auth and serve each user their own root.
|
|
67
|
+
let brokerLogin;
|
|
68
|
+
let tenancy;
|
|
69
|
+
if (cfg.oauthConfig.brokerMode && cfg.oauthConfig.upstream) {
|
|
70
|
+
const upstream = cfg.oauthConfig.upstream;
|
|
71
|
+
const upstreamFetch = async (url, init) => {
|
|
72
|
+
const res = await fetch(url, init);
|
|
73
|
+
return { ok: res.ok, status: res.status, json: () => res.json() };
|
|
74
|
+
};
|
|
75
|
+
brokerLogin = createBrokerLogin({
|
|
76
|
+
config: upstream,
|
|
77
|
+
exchange: (code, codeVerifier) => exchangeUpstreamCode(upstream, { code, codeVerifier }, upstreamFetch),
|
|
78
|
+
baseRoot: cfg.root,
|
|
79
|
+
randomState: () => randomToken(),
|
|
80
|
+
pkce: pkceS256
|
|
81
|
+
});
|
|
82
|
+
tenancy = { baseRoot: cfg.root, createServer: (root) => createMcpServer({ root }) };
|
|
83
|
+
}
|
|
84
|
+
const app = createHostedApp({
|
|
85
|
+
oauthProvider,
|
|
86
|
+
oauthConfig: cfg.oauthConfig,
|
|
87
|
+
h2aMcpServer,
|
|
88
|
+
...(brokerLogin && { brokerLogin }),
|
|
89
|
+
...(tenancy && { tenancy })
|
|
90
|
+
});
|
|
47
91
|
const server = serve({ fetch: app.fetch, port: cfg.port });
|
|
48
92
|
return {
|
|
49
93
|
port: cfg.port,
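Review bot: `upstreamFetch` (new lines 71–74) calls `fetch(url, init)` with no timeout, so a stalled upstream token endpoint keeps the broker login callback pending for as long as the socket stays open. I would bound the call, e.g. `const res = await fetch(url, { ...init, signal: init?.signal ?? AbortSignal.timeout(10_000) });`, where the 10 s figure is only an example value. In the same block, `if (cfg.oauthConfig.brokerMode && cfg.oauthConfig.upstream)` leaves the server in single-tenant mode on the shared `cfg.root` when `upstream` is missing. The comment in `buildHostedConfigFromEnv` says `oauthConfigFromEnv` throws for that case, but that function is not visible here, so an explicit `else if (cfg.oauthConfig.brokerMode) throw new Error(...)` would keep the fail-closed behaviour local to this file. `startHostedServer` begins before and ends after the hunk.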
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"serve.js","sourceRoot":"","sources":["../../../src/runtime/mcp-http/serve.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,KAAK,EAAE,MAAM,mBAAmB,CAAC;AAE1C,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAElD,OAAO,EAAE,eAAe,
|
|
1
|
+
{"version":3,"file":"serve.js","sourceRoot":"","sources":["../../../src/runtime/mcp-http/serve.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,KAAK,EAAE,MAAM,mBAAmB,CAAC;AAE1C,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAElD,OAAO,EAAE,eAAe,EAAsB,MAAM,UAAU,CAAC;AAC/D,OAAO,EAAoB,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAC9E,OAAO,EAA6B,kBAAkB,EAAE,MAAM,mBAAmB,CAAC;AAClF,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAC1D,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AACvD,OAAO,EAAE,oBAAoB,EAAsB,MAAM,oBAAoB,CAAC;AAC9E,OAAO,EAAE,yBAAyB,EAAE,MAAM,mCAAmC,CAAC;AA0B9E,MAAM,wBAAwB,GAC5B,kFAAkF,CAAC;AASrF,yFAAyF;AACzF,MAAM,UAAU,wBAAwB,CAAC,GAAc;IACrD,MAAM,aAAa,GAAG,GAAG,CAAC,eAAe,CAAC;IAC1C,IAAI,CAAC,aAAa;QAAE,MAAM,IAAI,KAAK,CAAC,6BAA6B,CAAC,CAAC;IACnE,MAAM,IAAI,GAAG,GAAG,CAAC,QAAQ,IAAI,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,MAAM,CAAC,CAAC;IACzD,MAAM,WAAW,GAAG,kBAAkB,CAAC;QACrC,eAAe,EAAE,aAAa;QAC9B,gBAAgB,EAAE,GAAG,CAAC,gBAAgB,IAAI,aAAa;QACvD,2BAA2B,EAAE,GAAG,CAAC,2BAA2B,IAAI,wBAAwB;QACxF,GAAG,CAAC,GAAG,CAAC,oBAAoB,KAAK,SAAS,IAAI,EAAE,oBAAoB,EAAE,GAAG,CAAC,oBAAoB,EAAE,CAAC;QACjG,GAAG,CAAC,GAAG,CAAC,6BAA6B,KAAK,SAAS,IAAI;YACrD,6BAA6B,EAAE,GAAG,CAAC,6BAA6B;SACjE,CAAC;QACF,8BAA8B,EAAE,MAAM,CAAC,GAAG,CAAC,8BAA8B,IAAI,IAAI,CAAC;QAClF,+BAA+B,EAAE,MAAM,CAAC,GAAG,CAAC,+BAA+B,IAAI,SAAS,CAAC;QACzF,2BAA2B,EAAE,MAAM,CAAC,GAAG,CAAC,2BAA2B,IAAI,EAAE,CAAC;QAC1E,QAAQ,EAAE,GAAG,CAAC,QAAQ,IAAI,YAAY;QACtC,2EAA2E;QAC3E,mEAAmE;QACnE,GAAG,CAAC,GAAG,CAAC,eAAe,KAAK,SAAS,IAAI,EAAE,eAAe,EAAE,GAAG,CAAC,eAAe,EAAE,CAAC;QAClF,GAAG,CAAC,GAAG,CAAC,mBAAmB,KAAK,SAAS,IAAI,EAAE,mBAAmB,EAAE,GAAG,CAAC,mBAAmB,EAAE,CAAC;QAC9F,GAAG,CAAC,GAAG,CAAC,0BAA0B,KAAK,SAAS,IAAI;YAClD,0BAA0B,EAAE,GAAG,CAAC,0BAA0B;SAC3D,CAAC;QACF,GAAG,CAAC,GAAG,CAAC,sBAAsB,KAAK,SAAS,IAAI,EAAE,sBAAsB,EAAE,GAAG,CAAC,sBAAsB,EAAE,CAAC;QACvG,GAAG,CAAC,GAAG,CAAC,sBAAsB,KAAK,SAAS,IAAI,EAAE,sBAAsB,EAAE,GAAG,CAAC,sBAAsB,EAAE,CAAC;QACvG,GAAG,CAAC,GAAG,CAAC,0BAA0B,KAAK,SAAS,IAAI;YAClD,0BAA0B,EAAE,GAAG,CAAC,0BAA0B;SAC3D,CAAC;QACF,GAAG,CA
AC,GAAG,CAAC,yBAAyB,KAAK,SAAS,IAAI;YACjD,yBAAyB,EAAE,GAAG,CAAC,yBAAyB;SACzD,CAAC;QACF,GAAG,CAAC,GAAG,CAAC,mBAAmB,KAAK,SAAS,IAAI,EAAE,mBAAmB,EAAE,GAAG,CAAC,mBAAmB,EAAE,CAAC;KAC/F,CAAC,CAAC;IACH,OAAO;QACL,WAAW;QACX,SAAS,EAAE,GAAG,CAAC,gBAAgB,IAAI,IAAI,CAAC,IAAI,EAAE,oBAAoB,CAAC;QACnE,IAAI;QACJ,IAAI,EAAE,MAAM,CAAC,GAAG,CAAC,IAAI,IAAI,IAAI,CAAC;KAC/B,CAAC;AACJ,CAAC;AAQD,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,MAAiB,OAAO,CAAC,GAAG;IAClE,MAAM,GAAG,GAAG,wBAAwB,CAAC,GAAG,CAAC,CAAC;IAC1C,MAAM,KAAK,GAAG,IAAI,cAAc,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IAChD,MAAM,KAAK,CAAC,IAAI,EAAE,CAAC;IACnB,MAAM,aAAa,GAAG,IAAI,yBAAyB,CAAC,EAAE,KAAK,EAAE,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC,CAAC;IACnF,MAAM,YAAY,GAAG,eAAe,CAAC,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC;IAEzD,4EAA4E;IAC5E,qEAAqE;IACrE,IAAI,WAAoC,CAAC;IACzC,IAAI,OAA6C,CAAC;IAClD,IAAI,GAAG,CAAC,WAAW,CAAC,UAAU,IAAI,GAAG,CAAC,WAAW,CAAC,QAAQ,EAAE,CAAC;QAC3D,MAAM,QAAQ,GAAG,GAAG,CAAC,WAAW,CAAC,QAAQ,CAAC;QAC1C,MAAM,aAAa,GAAkB,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;YACvD,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;YACnC,OAAO,EAAE,EAAE,EAAE,GAAG,CAAC,EAAE,EAAE,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,IAAI,EAAE,GAAG,EAAE,CAAC,GAAG,CAAC,IAAI,EAAE,EAAE,CAAC;QACpE,CAAC,CAAC;QACF,WAAW,GAAG,iBAAiB,CAAC;YAC9B,MAAM,EAAE,QAAQ;YAChB,QAAQ,EAAE,CAAC,IAAI,EAAE,YAAY,EAAE,EAAE,CAAC,oBAAoB,CAAC,QAAQ,EAAE,EAAE,IAAI,EAAE,YAAY,EAAE,EAAE,aAAa,CAAC;YACvG,QAAQ,EAAE,GAAG,CAAC,IAAI;YAClB,WAAW,EAAE,GAAG,EAAE,CAAC,WAAW,EAAE;YAChC,IAAI,EAAE,QAAQ;SACf,CAAC,CAAC;QACH,OAAO,GAAG,EAAE,QAAQ,EAAE,GAAG,CAAC,IAAI,EAAE,YAAY,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC,eAAe,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;IACtF,CAAC;IAED,MAAM,GAAG,GAAG,eAAe,CAAC;QAC1B,aAAa;QACb,WAAW,EAAE,GAAG,CAAC,WAAW;QAC5B,YAAY;QACZ,GAAG,CAAC,WAAW,IAAI,EAAE,WAAW,EAAE,CAAC;QACnC,GAAG,CAAC,OAAO,IAAI,EAAE,OAAO,EAAE,CAAC;KAC5B,CAAC,CAAC;IACH,MAAM,MAAM,GAAG,KAAK,CAAC,EAAE,KAAK,EAAE,GAAG,CAAC,KAAK,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC;IAC3D,OAAO;QACL,IAAI,EAAE,GAAG,CAAC,IAAI;QACd,YAAY;QACZ,IAAI,EAAE,GAAG,EAAE;YACR,MAAiC,CAAC,KAAK,EAAE,EAAE,C
AAC;QAC/C,CAAC;KACF,CAAC;AACJ,CAAC"}
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@sentropic/h2a-cli",
|
|
3
|
-
"version": "0.
|
|
3
|
+
"version": "0.39.0",
|
|
4
4
|
"description": "Unified CLI surface for h2a hosts and MCP-oriented coordination flows.",
|
|
5
5
|
"license": "MIT",
|
|
6
6
|
"type": "module",
|
|
@@ -43,7 +43,7 @@
|
|
|
43
43
|
"@hono/mcp": "^0.3.0",
|
|
44
44
|
"@hono/node-server": "^2.0.4",
|
|
45
45
|
"@modelcontextprotocol/sdk": "^1.29.0",
|
|
46
|
-
"@sentropic/h2a": "^0.
|
|
46
|
+
"@sentropic/h2a": "^0.39.0",
|
|
47
47
|
"hono": "^4.12.23"
|
|
48
48
|
},
|
|
49
49
|
"publishConfig": {
|