npm - @signdocs-brasil/mcp-server - Versions diffs - 0.1.0 → 0.3.0 - Mend

@signdocs-brasil/mcp-server 0.1.0 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (47) hide show

package/README.md +77 -3
package/dist/bin/http.d.ts +2 -0
package/dist/bin/http.js +35 -0
package/dist/bin/http.js.map +1 -0
package/dist/bin/stdio.js +2 -1
package/dist/bin/stdio.js.map +1 -1
package/dist/client.d.ts +50 -0
package/dist/client.js +71 -0
package/dist/client.js.map +1 -1
package/dist/http/server.d.ts +29 -29
package/dist/http/server.js +160 -36
package/dist/http/server.js.map +1 -1
package/dist/http/shared.d.ts +31 -0
package/dist/http/shared.js +67 -0
package/dist/http/shared.js.map +1 -0
package/dist/index.d.ts +12 -0
package/dist/index.js +13 -0
package/dist/index.js.map +1 -0
package/dist/lambda.d.ts +51 -0
package/dist/lambda.js +96 -0
package/dist/lambda.js.map +1 -0
package/dist/schemas.d.ts +6 -6
package/dist/server.d.ts +7 -5
package/dist/server.js +13 -12
package/dist/server.js.map +1 -1
package/dist/tools/documents.d.ts +2 -1
package/dist/tools/documents.js +3 -4
package/dist/tools/documents.js.map +1 -1
package/dist/tools/envelopes.d.ts +2 -1
package/dist/tools/envelopes.js +6 -6
package/dist/tools/envelopes.js.map +1 -1
package/dist/tools/evidence.d.ts +2 -1
package/dist/tools/evidence.js +2 -3
package/dist/tools/evidence.js.map +1 -1
package/dist/tools/signingSessions.d.ts +2 -1
package/dist/tools/signingSessions.js +8 -8
package/dist/tools/signingSessions.js.map +1 -1
package/dist/tools/transactions.d.ts +2 -1
package/dist/tools/transactions.js +4 -5
package/dist/tools/transactions.js.map +1 -1
package/dist/tools/verify.d.ts +2 -1
package/dist/tools/verify.js +5 -7
package/dist/tools/verify.js.map +1 -1
package/dist/tools/webhooks.d.ts +2 -1
package/dist/tools/webhooks.js +5 -6
package/dist/tools/webhooks.js.map +1 -1
package/package.json +22 -6

package/README.md CHANGED Viewed

@@ -105,6 +105,76 @@ The server exposes grounding resources the model can read on demand:
 - `signdocs://policy-profiles` — valid `policyProfile` values and CUSTOM steps
 - `signdocs://webhook-events` — all subscribable event types
+## Remote HTTP transport (multi-tenant)
+The same tools are also served over **Streamable HTTP** so a single deployment
+can serve many AI agents/tenants — each authenticates per session with its own
+SignDocs credentials (no shared secret baked into the server).
+```bash
+npm run start:http        # or: signdocs-mcp-http   (listens on PORT, default 3000)
+# or containerized:
+docker build -t signdocs-mcp . && docker run -p 3000:3000 signdocs-mcp
+```
+**Endpoint:** `POST /mcp` (Streamable HTTP). Auth is required on the MCP
+`initialize` request, via the `Authorization` header:
+- `Authorization: Bearer <token>` — a SignDocs OAuth2 access token (from
+  `/oauth2/token`), passed straight through to the API.
+- `Authorization: Basic base64(clientId:clientSecret)` — the server runs the
+  `client_credentials` exchange for you.
+Pick the environment per session with `X-SignDocs-Environment: hml|production`
+(defaults to the server's configured default).
+The server behaves as an **OAuth 2.0 Resource Server**: it serves
+`GET /.well-known/oauth-protected-resource` (RFC 9728, pointing at the SignDocs
+authorization server) and answers an unauthenticated `initialize` with `401` +
+`WWW-Authenticate`. The SignDocs API remains the authoritative token validator.
+`GET /healthz` is an unauthenticated health probe.
+Example client config (Bearer):
+```json
+{
+  "mcpServers": {
+    "signdocs-remote": {
+      "type": "http",
+      "url": "https://your-host.example/mcp",
+      "headers": {
+        "Authorization": "Bearer <signdocs_access_token>",
+        "X-SignDocs-Environment": "hml"
+      }
+    }
+  }
+}
+```
+**Server env vars:** `PORT`, `HOST`, `SIGNDOCS_ENVIRONMENT` (default env),
+`MCP_PUBLIC_URL` (for resource metadata behind a proxy), `MCP_CORS_ORIGIN`,
+`MCP_DNS_REBINDING_PROTECTION=true` + `MCP_ALLOWED_HOSTS` / `MCP_ALLOWED_ORIGINS`
+(recommended in production).
+> Sessions are held in process memory, so run a single instance or use sticky
+> routing. For multi-instance/serverless, front it with sticky sessions or swap
+> the session map for a shared store + EventStore (resumability). Deploying onto
+> the existing `external-api` Lambda + API Gateway as a NestedStack is the
+> intended production path.
+### AWS Lambda
+For serverless hosting, `@signdocs-brasil/mcp-server/lambda` exports
+`createLambdaHandler` — an API Gateway HTTP API v2 handler that runs the MCP
+transport **statelessly** (one server per invocation, no session store), with the
+same Bearer/Basic auth. SignDocs hosts this on `mcp-hml.signdocs.com.br` /
+`mcp.signdocs.com.br`.
+```ts
+import { createLambdaHandler } from '@signdocs-brasil/mcp-server/lambda';
+export const handler = createLambdaHandler({ defaultEnvironment: 'hml' });
+```
 ## Development
 ```bash
@@ -116,6 +186,10 @@ npm run inspect    # build + launch MCP Inspector against the stdio server
 ## Roadmap
-- **v0.1 (this release):** local stdio server, full tool catalog, env credentials.
-- **Phase 2:** remote Streamable-HTTP transport with per-tenant OAuth (the tool
-  layer is already transport-agnostic — see `src/http/server.ts`).
+- **v0.1:** local stdio server, full tool catalog, env credentials.
+- **v0.2 (this release):** remote Streamable-HTTP transport with per-session,
+  per-tenant auth (Bearer passthrough or Basic client-credentials) and OAuth
+  Resource Server discovery. Tool layer is shared between both transports.
+- **Next:** deploy the HTTP transport onto `external-api` (Lambda + API Gateway
+  NestedStack); optional edge JWT validation + shared-store sessions for
+  horizontal scale.

package/dist/bin/http.d.ts ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ #!/usr/bin/env node
2	+ export {};

package/dist/bin/http.js ADDED Viewed

@@ -0,0 +1,35 @@
+#!/usr/bin/env node
+import { createHttpServer } from '../http/server.js';
+import { resolveEnvironment } from '../client.js';
+/**
+ * Remote HTTP entrypoint. Unlike the stdio server, credentials are NOT read
+ * from env — each request carries its own (Bearer token or Basic client
+ * credentials), so one deployment serves many tenants.
+ */
+function envDefault() {
+    try {
+        return resolveEnvironment(process.env.SIGNDOCS_ENVIRONMENT);
+    }
+    catch {
+        return 'hml';
+    }
+}
+const port = Number(process.env.PORT ?? 3000);
+const host = process.env.HOST ?? '0.0.0.0';
+const server = createHttpServer({
+    defaultEnvironment: envDefault(),
+    corsOrigin: process.env.MCP_CORS_ORIGIN,
+    publicUrl: process.env.MCP_PUBLIC_URL,
+    enableDnsRebindingProtection: process.env.MCP_DNS_REBINDING_PROTECTION === 'true',
+    allowedHosts: process.env.MCP_ALLOWED_HOSTS?.split(',').map((h) => h.trim()).filter(Boolean),
+    allowedOrigins: process.env.MCP_ALLOWED_ORIGINS?.split(',').map((o) => o.trim()).filter(Boolean),
+});
+server.listen(port, host, () => {
+    process.stderr.write(`[signdocs-mcp-http] listening on http://${host}:${port}/mcp (default env: ${envDefault()})\n`);
+});
+for (const sig of ['SIGINT', 'SIGTERM']) {
+    process.on(sig, () => {
+        server.close(() => process.exit(0));
+    });
+}
+//# sourceMappingURL=http.js.map

package/dist/bin/http.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"http.js","sourceRoot":"","sources":["../../src/bin/http.ts"],"names":[],"mappings":";AACA,OAAO,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AACrD,OAAO,EAAE,kBAAkB,EAAoB,MAAM,cAAc,CAAC;AAEpE;;;;GAIG;AACH,SAAS,UAAU;IACjB,IAAI,CAAC;QACH,OAAO,kBAAkB,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC;IAC9D,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,MAAM,IAAI,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,IAAI,CAAC,CAAC;AAC9C,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,SAAS,CAAC;AAE3C,MAAM,MAAM,GAAG,gBAAgB,CAAC;IAC9B,kBAAkB,EAAE,UAAU,EAAE;IAChC,UAAU,EAAE,OAAO,CAAC,GAAG,CAAC,eAAe;IACvC,SAAS,EAAE,OAAO,CAAC,GAAG,CAAC,cAAc;IACrC,4BAA4B,EAAE,OAAO,CAAC,GAAG,CAAC,4BAA4B,KAAK,MAAM;IACjF,YAAY,EAAE,OAAO,CAAC,GAAG,CAAC,iBAAiB,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC;IAC5F,cAAc,EAAE,OAAO,CAAC,GAAG,CAAC,mBAAmB,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC;CACjG,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,EAAE,GAAG,EAAE;IAC7B,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,2CAA2C,IAAI,IAAI,IAAI,sBAAsB,UAAU,EAAE,KAAK,CAAC,CAAC;AACvH,CAAC,CAAC,CAAC;AAEH,KAAK,MAAM,GAAG,IAAI,CAAC,QAAQ,EAAE,SAAS,CAAU,EAAE,CAAC;IACjD,OAAO,CAAC,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE;QACnB,MAAM,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;IACtC,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/bin/stdio.js CHANGED Viewed

@@ -1,13 +1,14 @@
 #!/usr/bin/env node
 import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';
 import { createServer } from '../server.js';
+import { getStdioContext } from '../client.js';
 /**
  * stdio entrypoint. AI clients (Claude Desktop/Code, Cursor, …) launch this
  * binary and speak MCP over stdin/stdout. NEVER write to stdout here — it is
  * the protocol channel; diagnostics go to stderr.
  */
 async function main() {
-    const server = createServer();
+    const server = createServer(getStdioContext());
     const transport = new StdioServerTransport();
     await server.connect(transport);
     process.stderr.write('[signdocs-mcp] server started on stdio\n');

package/dist/bin/stdio.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"stdio.js","sourceRoot":"","sources":["../../src/bin/stdio.ts"],"names":[],"mappings":";AACA,OAAO,EAAE,oBAAoB,EAAE,MAAM,2CAA2C,CAAC;AACjF,OAAO,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;~~AAE5C~~;;;;GAIG;AACH,KAAK,UAAU,IAAI;IACjB,MAAM,MAAM,GAAG,YAAY,EAAE,CAAC;~~IAC9B~~,MAAM,SAAS,GAAG,IAAI,oBAAoB,EAAE,CAAC;IAC7C,MAAM,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IAChC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,0CAA0C,CAAC,CAAC;AACnE,CAAC;AAED,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;IACnB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,yBAAyB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IACjH,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC,CAAC,CAAC"}
1	+ {"version":3,"file":"stdio.js","sourceRoot":"","sources":["../../src/bin/stdio.ts"],"names":[],"mappings":";AACA,OAAO,EAAE,oBAAoB,EAAE,MAAM,2CAA2C,CAAC;AACjF,OAAO,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAC5C,OAAO,EAAE,eAAe,EAAE,MAAM,cAAc,CAAC;AAE/C;;;;GAIG;AACH,KAAK,UAAU,IAAI;IACjB,MAAM,MAAM,GAAG,YAAY,CAAC,eAAe,EAAE,CAAC,CAAC;IAC/C,MAAM,SAAS,GAAG,IAAI,oBAAoB,EAAE,CAAC;IAC7C,MAAM,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IAChC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,0CAA0C,CAAC,CAAC;AACnE,CAAC;AAED,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;IACnB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,yBAAyB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IACjH,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC,CAAC,CAAC"}

package/dist/client.d.ts CHANGED Viewed

@@ -1,4 +1,5 @@
 import { SignDocsBrasilClient } from '@signdocs-brasil/api';
+import type { TokenCache, CachedToken } from '@signdocs-brasil/api';
 /**
  * Thin wrapper that turns environment variables into a configured
  * {@link SignDocsBrasilClient}. The official SDK owns the OAuth2
@@ -33,3 +34,52 @@ export declare function resetClientCache(): void;
  * link — it must carry the one-time embed token (`clientSecret`) as `?cs=`.
  */
 export declare function buildSigningUrl(url: string, clientSecret: string): string;
+/**
+ * What every tool handler needs to talk to SignDocs. In the stdio server this
+ * is built once from env; in the remote HTTP server it is built per-request so
+ * each tenant is fully isolated (no shared client/token across requests).
+ */
+export interface ToolContext {
+    client: SignDocsBrasilClient;
+    environment: Environment;
+}
+/**
+ * A {@link TokenCache} pre-seeded with a caller-supplied access token. The SDK's
+ * AuthHandler checks the cache before exchanging credentials, so seeding it makes
+ * the SDK use the presented bearer directly and never call `/oauth2/token`.
+ * The SignDocs API remains the real validator — an invalid/expired token yields
+ * a 401 from the API, surfaced to the caller.
+ */
+export declare class StaticTokenCache implements TokenCache {
+    private readonly token;
+    constructor(accessToken: string, ttlMs?: number);
+    get(): CachedToken | null;
+    set(): void;
+    delete(): void;
+}
+export type BuildClientOptions = {
+    mode: 'credentials';
+    clientId: string;
+    clientSecret: string;
+    environment: Environment;
+    baseUrlOverride?: string;
+    scopes?: string[];
+} | {
+    mode: 'bearer';
+    bearer: string;
+    environment: Environment;
+    baseUrlOverride?: string;
+    scopes?: string[];
+};
+/**
+ * Build a fresh, request-scoped SDK client. `credentials` mode lets the SDK run
+ * the OAuth2 client_credentials exchange; `bearer` mode passes a pre-issued
+ * access token straight through via {@link StaticTokenCache}.
+ */
+export declare function buildClient(opts: BuildClientOptions): SignDocsBrasilClient;
+/**
+ * Build the tool context for the stdio server from environment variables.
+ * Credentials are resolved lazily (on first API call); the environment is read
+ * eagerly but does not require credentials.
+ */
+export declare function getStdioContext(env?: NodeJS.ProcessEnv): ToolContext;

package/dist/client.js CHANGED Viewed

@@ -77,4 +77,75 @@ export function resetClientCache() {
 export function buildSigningUrl(url, clientSecret) {
     return `${url}?cs=${encodeURIComponent(clientSecret)}`;
 }
+/**
+ * A {@link TokenCache} pre-seeded with a caller-supplied access token. The SDK's
+ * AuthHandler checks the cache before exchanging credentials, so seeding it makes
+ * the SDK use the presented bearer directly and never call `/oauth2/token`.
+ * The SignDocs API remains the real validator — an invalid/expired token yields
+ * a 401 from the API, surfaced to the caller.
+ */
+export class StaticTokenCache {
+    token;
+    constructor(accessToken, ttlMs = 60 * 60 * 1000) {
+        this.token = { accessToken, expiresAt: Date.now() + ttlMs };
+    }
+    get() {
+        return this.token;
+    }
+    set() {
+        /* no-op: the token is fixed for this request */
+    }
+    delete() {
+        /* no-op */
+    }
+}
+/**
+ * Build a fresh, request-scoped SDK client. `credentials` mode lets the SDK run
+ * the OAuth2 client_credentials exchange; `bearer` mode passes a pre-issued
+ * access token straight through via {@link StaticTokenCache}.
+ */
+export function buildClient(opts) {
+    const baseUrl = getBaseUrl(opts.environment, opts.baseUrlOverride);
+    const scopes = opts.scopes ?? DEFAULT_SCOPES;
+    if (opts.mode === 'bearer') {
+        return new SignDocsBrasilClient({
+            clientId: 'mcp-bearer-passthrough',
+            clientSecret: 'unused', // never used: the token cache short-circuits exchange
+            baseUrl,
+            scopes,
+            tokenCache: new StaticTokenCache(opts.bearer),
+        });
+    }
+    return new SignDocsBrasilClient({
+        clientId: opts.clientId,
+        clientSecret: opts.clientSecret,
+        baseUrl,
+        scopes,
+    });
+}
+/**
+ * A client proxy that defers construction until first use, so the stdio server
+ * can start and list tools/resources even with no credentials — a missing-cred
+ * error surfaces only when a tool actually calls the API.
+ */
+function lazyClient(factory) {
+    let instance;
+    return new Proxy({}, {
+        get(_target, prop, receiver) {
+            instance ??= factory();
+            return Reflect.get(instance, prop, receiver);
+        },
+    });
+}
+/**
+ * Build the tool context for the stdio server from environment variables.
+ * Credentials are resolved lazily (on first API call); the environment is read
+ * eagerly but does not require credentials.
+ */
+export function getStdioContext(env = process.env) {
+    return {
+        client: lazyClient(() => getClient(env)),
+        environment: resolveEnvironment(env.SIGNDOCS_ENVIRONMENT),
+    };
+}
 //# sourceMappingURL=client.js.map

package/dist/client.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"client.js","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,oBAAoB,EAAE,MAAM,sBAAsB,CAAC;~~AAW5D~~,MAAM,SAAS,GAAgC;IAC7C,UAAU,EAAE,6BAA6B;IACzC,uDAAuD;IACvD,GAAG,EAAE,iCAAiC;CACvC,CAAC;AAEF;;;;GAIG;AACH,MAAM,CAAC,MAAM,cAAc,GAAG;IAC5B,mBAAmB;IACnB,oBAAoB;IACpB,aAAa;IACb,eAAe;IACf,gBAAgB;IAChB,oBAAoB;CACrB,CAAC;AAUF,MAAM,UAAU,kBAAkB,CAAC,GAAY;IAC7C,MAAM,CAAC,GAAG,CAAC,GAAG,IAAI,KAAK,CAAC,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAC9C,IAAI,CAAC,KAAK,YAAY,IAAI,CAAC,KAAK,MAAM;QAAE,OAAO,YAAY,CAAC;IAC5D,IAAI,CAAC,KAAK,KAAK,IAAI,CAAC,KAAK,aAAa,IAAI,CAAC,KAAK,aAAa,IAAI,CAAC,KAAK,SAAS;QAAE,OAAO,KAAK,CAAC;IAC/F,MAAM,IAAI,KAAK,CAAC,iCAAiC,GAAG,+BAA+B,CAAC,CAAC;AACvF,CAAC;AAED,MAAM,UAAU,UAAU,CAAC,WAAwB,EAAE,QAAiB;IACpE,MAAM,OAAO,GAAG,QAAQ,EAAE,IAAI,EAAE,CAAC;IACjC,OAAO,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC;AACpD,CAAC;AAED,MAAM,UAAU,OAAO,CAAC,MAAyB,OAAO,CAAC,GAAG;IAC1D,MAAM,QAAQ,GAAG,GAAG,CAAC,kBAAkB,EAAE,IAAI,EAAE,CAAC;IAChD,MAAM,YAAY,GAAG,GAAG,CAAC,sBAAsB,EAAE,IAAI,EAAE,CAAC;IACxD,IAAI,CAAC,QAAQ,IAAI,CAAC,YAAY,EAAE,CAAC;QAC/B,MAAM,IAAI,KAAK,CACb,kFAAkF;YAChF,4CAA4C,CAC/C,CAAC;IACJ,CAAC;IACD,MAAM,WAAW,GAAG,kBAAkB,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC;IACjE,MAAM,OAAO,GAAG,UAAU,CAAC,WAAW,EAAE,GAAG,CAAC,iBAAiB,CAAC,CAAC;IAC/D,MAAM,SAAS,GAAG,GAAG,CAAC,eAAe,EAAE,IAAI,EAAE,CAAC;IAC9C,MAAM,MAAM,GAAG,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC;IACnE,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,WAAW,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC;AAClE,CAAC;AAED,IAAI,MAAwC,CAAC;AAC7C,IAAI,SAAkC,CAAC;AAEvC,kFAAkF;AAClF,MAAM,UAAU,SAAS,CAAC,MAAyB,OAAO,CAAC,GAAG;IAC5D,IAAI,MAAM;QAAE,OAAO,MAAM,CAAC;IAC1B,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC;IACzB,SAAS,GAAG,GAAG,CAAC;IAChB,MAAM,GAAG,IAAI,oBAAoB,CAAC;QAChC,QAAQ,EAAE,GAAG,CAAC,QAAQ;QACtB,YAAY,EAAE,GAAG,CAAC,YAAY;QAC9B,OAAO,EAAE,GAAG,CAAC,OAAO;QACpB,MAAM,EAAE,GAAG,CAAC,MAAM;KACnB,CAAC,CAAC;IACH,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,kFAAkF;AAClF,MAAM,UAAU,cAAc,CAAC,MAAyB,OAAO,CAAC,GAAG;IACjE,IAAI,SAAS;QAAE,OAAO,SAAS,CAAC;IAChC,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC;IACzB,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,4CAA4C;AAC5C,MAAM,UAAU,gBAAgB;IAC9B,MAAM,GAAG,SAAS,CAAC;IACnB,SAAS,GAAG,SAAS,CAAC;AACxB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,eAAe,CAAC,GAAW,EAAE,YAAoB;IAC/D,OAAO,GAAG,GAAG,OAAO,kBAAkB,CAAC,YAAY,CAAC,EAAE,CAAC;AACzD,CAAC"}
1	+ {"version":3,"file":"client.js","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,oBAAoB,EAAE,MAAM,sBAAsB,CAAC;AAY5D,MAAM,SAAS,GAAgC;IAC7C,UAAU,EAAE,6BAA6B;IACzC,uDAAuD;IACvD,GAAG,EAAE,iCAAiC;CACvC,CAAC;AAEF;;;;GAIG;AACH,MAAM,CAAC,MAAM,cAAc,GAAG;IAC5B,mBAAmB;IACnB,oBAAoB;IACpB,aAAa;IACb,eAAe;IACf,gBAAgB;IAChB,oBAAoB;CACrB,CAAC;AAUF,MAAM,UAAU,kBAAkB,CAAC,GAAY;IAC7C,MAAM,CAAC,GAAG,CAAC,GAAG,IAAI,KAAK,CAAC,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAC9C,IAAI,CAAC,KAAK,YAAY,IAAI,CAAC,KAAK,MAAM;QAAE,OAAO,YAAY,CAAC;IAC5D,IAAI,CAAC,KAAK,KAAK,IAAI,CAAC,KAAK,aAAa,IAAI,CAAC,KAAK,aAAa,IAAI,CAAC,KAAK,SAAS;QAAE,OAAO,KAAK,CAAC;IAC/F,MAAM,IAAI,KAAK,CAAC,iCAAiC,GAAG,+BAA+B,CAAC,CAAC;AACvF,CAAC;AAED,MAAM,UAAU,UAAU,CAAC,WAAwB,EAAE,QAAiB;IACpE,MAAM,OAAO,GAAG,QAAQ,EAAE,IAAI,EAAE,CAAC;IACjC,OAAO,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC;AACpD,CAAC;AAED,MAAM,UAAU,OAAO,CAAC,MAAyB,OAAO,CAAC,GAAG;IAC1D,MAAM,QAAQ,GAAG,GAAG,CAAC,kBAAkB,EAAE,IAAI,EAAE,CAAC;IAChD,MAAM,YAAY,GAAG,GAAG,CAAC,sBAAsB,EAAE,IAAI,EAAE,CAAC;IACxD,IAAI,CAAC,QAAQ,IAAI,CAAC,YAAY,EAAE,CAAC;QAC/B,MAAM,IAAI,KAAK,CACb,kFAAkF;YAChF,4CAA4C,CAC/C,CAAC;IACJ,CAAC;IACD,MAAM,WAAW,GAAG,kBAAkB,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC;IACjE,MAAM,OAAO,GAAG,UAAU,CAAC,WAAW,EAAE,GAAG,CAAC,iBAAiB,CAAC,CAAC;IAC/D,MAAM,SAAS,GAAG,GAAG,CAAC,eAAe,EAAE,IAAI,EAAE,CAAC;IAC9C,MAAM,MAAM,GAAG,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC;IACnE,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,WAAW,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC;AAClE,CAAC;AAED,IAAI,MAAwC,CAAC;AAC7C,IAAI,SAAkC,CAAC;AAEvC,kFAAkF;AAClF,MAAM,UAAU,SAAS,CAAC,MAAyB,OAAO,CAAC,GAAG;IAC5D,IAAI,MAAM;QAAE,OAAO,MAAM,CAAC;IAC1B,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC;IACzB,SAAS,GAAG,GAAG,CAAC;IAChB,MAAM,GAAG,IAAI,oBAAoB,CAAC;QAChC,QAAQ,EAAE,GAAG,CAAC,QAAQ;QACtB,YAAY,EAAE,GAAG,CAAC,YAAY;QAC9B,OAAO,EAAE,GAAG,CAAC,OAAO;QACpB,MAAM,EAAE,GAAG,CAAC,MAAM;KACnB,CAAC,CAAC;IACH,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,kFAAkF;AAClF,MAAM,UAAU,cAAc,CAAC,MAAyB,OAAO,CAAC,GAAG;IACjE,IAAI,SAAS;QAAE,OAAO,SAAS,CAAC;IAChC,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC;IACzB,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,4CAA4C;AAC5C,MAAM,UAAU,gBAAgB;IAC9B,MAAM,GAAG,SAAS,CAAC;IACnB,SAAS,GAAG,SAAS,CAAC;AACxB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,eAAe,CAAC,GAAW,EAAE,YAAoB;IAC/D,OAAO,GAAG,GAAG,OAAO,kBAAkB,CAAC,YAAY,CAAC,EAAE,CAAC;AACzD,CAAC;AAcD;;;;;;GAMG;AACH,MAAM,OAAO,gBAAgB;IACV,KAAK,CAAc;IACpC,YAAY,WAAmB,EAAE,KAAK,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI;QACrD,IAAI,CAAC,KAAK,GAAG,EAAE,WAAW,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,EAAE,CAAC;IAC9D,CAAC;IACD,GAAG;QACD,OAAO,IAAI,CAAC,KAAK,CAAC;IACpB,CAAC;IACD,GAAG;QACD,gDAAgD;IAClD,CAAC;IACD,MAAM;QACJ,WAAW;IACb,CAAC;CACF;AAmBD;;;;GAIG;AACH,MAAM,UAAU,WAAW,CAAC,IAAwB;IAClD,MAAM,OAAO,GAAG,UAAU,CAAC,IAAI,CAAC,WAAW,EAAE,IAAI,CAAC,eAAe,CAAC,CAAC;IACnE,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,IAAI,cAAc,CAAC;IAC7C,IAAI,IAAI,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;QAC3B,OAAO,IAAI,oBAAoB,CAAC;YAC9B,QAAQ,EAAE,wBAAwB;YAClC,YAAY,EAAE,QAAQ,EAAE,sDAAsD;YAC9E,OAAO;YACP,MAAM;YACN,UAAU,EAAE,IAAI,gBAAgB,CAAC,IAAI,CAAC,MAAM,CAAC;SAC9C,CAAC,CAAC;IACL,CAAC;IACD,OAAO,IAAI,oBAAoB,CAAC;QAC9B,QAAQ,EAAE,IAAI,CAAC,QAAQ;QACvB,YAAY,EAAE,IAAI,CAAC,YAAY;QAC/B,OAAO;QACP,MAAM;KACP,CAAC,CAAC;AACL,CAAC;AAED;;;;GAIG;AACH,SAAS,UAAU,CAAC,OAAmC;IACrD,IAAI,QAA0C,CAAC;IAC/C,OAAO,IAAI,KAAK,CAAC,EAA0B,EAAE;QAC3C,GAAG,CAAC,OAAO,EAAE,IAAI,EAAE,QAAQ;YACzB,QAAQ,KAAK,OAAO,EAAE,CAAC;YACvB,OAAO,OAAO,CAAC,GAAG,CAAC,QAAkB,EAAE,IAAI,EAAE,QAAQ,CAAC,CAAC;QACzD,CAAC;KACF,CAAC,CAAC;AACL,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,eAAe,CAAC,MAAyB,OAAO,CAAC,GAAG;IAClE,OAAO;QACL,MAAM,EAAE,UAAU,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;QACxC,WAAW,EAAE,kBAAkB,CAAC,GAAG,CAAC,oBAAoB,CAAC;KAC1D,CAAC;AACJ,CAAC"}

package/dist/http/server.d.ts CHANGED Viewed

@@ -1,34 +1,34 @@
+import { type Server } from 'node:http';
+import { type Environment } from '../client.js';
 /**
- * Phase 2 — remote Streamable-HTTP transport (designed, not yet built).
+ * Phase 2 — remote Streamable-HTTP transport (stateful sessions).
  *
- * The tool/resource layer in ../server.ts is deliberately transport-agnostic,
- * so going remote is purely an entrypoint + auth concern:
+ * One deployment serves many tenants. A session is established on the MCP
+ * `initialize` request, which MUST carry credentials:
+ *   - `Authorization: Bearer <token>`  → a SignDocs OAuth2 access token, passed through.
+ *   - `Authorization: Basic <base64(clientId:clientSecret)>` → server runs client_credentials.
+ * Environment via `X-SignDocs-Environment: hml|production` (default = server default).
  *
- *   import { StreamableHTTPServerTransport } from
- *     '@modelcontextprotocol/sdk/server/streamableHttp.js';
- *   const server = createServer();
- *   const transport = new StreamableHTTPServerTransport({ ...});
- *   await server.connect(transport);
- *   // node:http handler → transport.handleRequest(req, res, body)
+ * The tenant's SDK client is bound to that session; follow-up requests are routed
+ * by the `Mcp-Session-Id` header. Acts as an OAuth Resource Server: advertises the
+ * SignDocs authorization server (RFC 9728) and challenges unauthenticated initialize
+ * requests with WWW-Authenticate. The SignDocs API is the real token validator.
  *
- * Open design decisions to settle before implementing (see plan):
- *
- *  1. AUTH / MULTI-TENANCY. Unlike stdio (one set of env credentials), a
- *     hosted server serves many tenants. The MCP server should act as an
- *     OAuth Resource Server: each connecting AI presents its own SignDocs
- *     bearer token (issued by the existing /oauth2/token AS). Validate it with
- *     the same ES256/KMS verifier external-api uses (auth-middleware.ts) and
- *     build a PER-REQUEST SDK client scoped to that tenant — do NOT reuse the
- *     process-wide getClient() singleton, which would cross tenant boundaries.
- *
- *  2. DEPLOYMENT. Reuse the external-api Lambda + API Gateway pattern via a new
- *     NestedStack (the Core stack is at the CFN 500-resource limit — follow the
- *     EnvelopeHandlersStack precedent), or a small container behind the same WAF.
- *
- *  3. SESSION MODE. Stateless (sessionIdGenerator: undefined) fits serverless;
- *     confirm against the MCP spec version current at build time, plus DCR /
- *     protected-resource metadata discovery needs.
- *
- * Intentionally not wired up yet so the v0.1 stdio package stays dependency-light.
+ * Sessions live in process memory, so a single instance (or sticky routing) is
+ * assumed. For multi-instance/serverless, front with sticky sessions or swap this
+ * map for a shared store + an EventStore for resumability.
  */
-export declare function createHttpServer(): never;
+export interface HttpServerOptions {
+    /** Environment when a request doesn't specify one. Default 'hml'. */
+    defaultEnvironment?: Environment;
+    /** CORS Access-Control-Allow-Origin. Default '*'. */
+    corsOrigin?: string;
+    /** Public base URL for resource metadata (e.g. https://mcp.signdocs.com.br). Derived from the request if unset. */
+    publicUrl?: string;
+    /** DNS-rebinding protection — enable in production and pair with allowedHosts/Origins. Default false. */
+    enableDnsRebindingProtection?: boolean;
+    allowedHosts?: string[];
+    allowedOrigins?: string[];
+}
+/** Build (but do not start) the remote HTTP MCP server. Call `.listen(port)`. */
+export declare function createHttpServer(options?: HttpServerOptions): Server;

package/dist/http/server.js CHANGED Viewed

@@ -1,38 +1,162 @@
-/**
- * Phase 2 — remote Streamable-HTTP transport (designed, not yet built).
- *
- * The tool/resource layer in ../server.ts is deliberately transport-agnostic,
- * so going remote is purely an entrypoint + auth concern:
- *
- *   import { StreamableHTTPServerTransport } from
- *     '@modelcontextprotocol/sdk/server/streamableHttp.js';
- *   const server = createServer();
- *   const transport = new StreamableHTTPServerTransport({ ...});
- *   await server.connect(transport);
- *   // node:http handler → transport.handleRequest(req, res, body)
- *
- * Open design decisions to settle before implementing (see plan):
- *
- *  1. AUTH / MULTI-TENANCY. Unlike stdio (one set of env credentials), a
- *     hosted server serves many tenants. The MCP server should act as an
- *     OAuth Resource Server: each connecting AI presents its own SignDocs
- *     bearer token (issued by the existing /oauth2/token AS). Validate it with
- *     the same ES256/KMS verifier external-api uses (auth-middleware.ts) and
- *     build a PER-REQUEST SDK client scoped to that tenant — do NOT reuse the
- *     process-wide getClient() singleton, which would cross tenant boundaries.
- *
- *  2. DEPLOYMENT. Reuse the external-api Lambda + API Gateway pattern via a new
- *     NestedStack (the Core stack is at the CFN 500-resource limit — follow the
- *     EnvelopeHandlersStack precedent), or a small container behind the same WAF.
- *
- *  3. SESSION MODE. Stateless (sessionIdGenerator: undefined) fits serverless;
- *     confirm against the MCP spec version current at build time, plus DCR /
- *     protected-resource metadata discovery needs.
- *
- * Intentionally not wired up yet so the v0.1 stdio package stays dependency-light.
- */
-export function createHttpServer() {
-    throw new Error('Remote HTTP transport is not implemented in v0.1. Use the stdio entrypoint (bin/stdio.ts). ' +
-        'See src/http/server.ts for the Phase 2 design.');
+import { createServer as createNodeHttpServer, } from 'node:http';
+import { randomUUID } from 'node:crypto';
+import { StreamableHTTPServerTransport } from '@modelcontextprotocol/sdk/server/streamableHttp.js';
+import { isInitializeRequest } from '@modelcontextprotocol/sdk/types.js';
+import { createServer as createMcpServer } from '../server.js';
+import { extractAuthFromHeaders, environmentFromHeaders, buildContextForAuth, protectedResourceMetadata as buildProtectedResourceMetadata, wwwAuthenticate, headerValue, UNAUTHORIZED_BODY, } from './shared.js';
+function applyCors(res, opts) {
+    res.setHeader('Access-Control-Allow-Origin', opts.corsOrigin);
+    res.setHeader('Access-Control-Allow-Methods', 'GET, POST, DELETE, OPTIONS');
+    res.setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization, Mcp-Session-Id, Mcp-Protocol-Version, X-SignDocs-Environment');
+    res.setHeader('Access-Control-Expose-Headers', 'Mcp-Session-Id, WWW-Authenticate');
+}
+function sendJson(res, status, body, extra) {
+    res.writeHead(status, { 'Content-Type': 'application/json', ...extra });
+    res.end(JSON.stringify(body));
+}
+function publicBase(req, opts) {
+    if (opts.publicUrl)
+        return opts.publicUrl.replace(/\/$/, '');
+    const fwd = req.headers['x-forwarded-proto'];
+    const proto = (Array.isArray(fwd) ? fwd[0] : fwd)?.split(',')[0] ?? 'http';
+    const host = req.headers.host ?? 'localhost';
+    return `${proto}://${host}`;
+}
+function challenge(req, res, opts) {
+    res.setHeader('WWW-Authenticate', wwwAuthenticate(`${publicBase(req, opts)}/.well-known/oauth-protected-resource`));
+    sendJson(res, 401, UNAUTHORIZED_BODY);
+}
+function readBody(req) {
+    return new Promise((resolve, reject) => {
+        const chunks = [];
+        req.on('data', (c) => chunks.push(c));
+        req.on('end', () => {
+            const raw = Buffer.concat(chunks).toString('utf8');
+            if (!raw)
+                return resolve(undefined);
+            try {
+                resolve(JSON.parse(raw));
+            }
+            catch (err) {
+                reject(err);
+            }
+        });
+        req.on('error', reject);
+    });
+}
+async function startSession(req, res, opts, sessions, body) {
+    const auth = extractAuthFromHeaders(req.headers);
+    if (!auth) {
+        challenge(req, res, opts);
+        return;
+    }
+    const environment = environmentFromHeaders(req.headers, opts.defaultEnvironment);
+    const ctx = buildContextForAuth(auth, environment);
+    const server = createMcpServer(ctx);
+    const transport = new StreamableHTTPServerTransport({
+        sessionIdGenerator: () => randomUUID(),
+        enableJsonResponse: true,
+        enableDnsRebindingProtection: opts.enableDnsRebindingProtection ?? false,
+        ...(opts.allowedHosts ? { allowedHosts: opts.allowedHosts } : {}),
+        ...(opts.allowedOrigins ? { allowedOrigins: opts.allowedOrigins } : {}),
+        onsessioninitialized: (sid) => {
+            sessions.set(sid, { transport, server });
+        },
+        onsessionclosed: (sid) => {
+            sessions.delete(sid);
+        },
+    });
+    transport.onclose = () => {
+        if (transport.sessionId)
+            sessions.delete(transport.sessionId);
+    };
+    await server.connect(transport);
+    await transport.handleRequest(req, res, body);
+}
+async function handlePost(req, res, opts, sessions) {
+    let body;
+    try {
+        body = await readBody(req);
+    }
+    catch {
+        sendJson(res, 400, { error: 'invalid_json', error_description: 'Request body is not valid JSON.' });
+        return;
+    }
+    const sessionId = headerValue(req.headers, 'mcp-session-id');
+    const existing = sessionId ? sessions.get(sessionId) : undefined;
+    if (existing) {
+        await existing.transport.handleRequest(req, res, body);
+        return;
+    }
+    if (isInitializeRequest(body)) {
+        await startSession(req, res, opts, sessions, body);
+        return;
+    }
+    sendJson(res, 400, {
+        error: 'invalid_session',
+        error_description: 'Missing or unknown Mcp-Session-Id. Send an initialize request first.',
+    });
+}
+async function handle(req, res, opts, sessions) {
+    applyCors(res, opts);
+    const method = req.method ?? 'GET';
+    if (method === 'OPTIONS') {
+        res.writeHead(204);
+        res.end();
+        return;
+    }
+    const path = new URL(req.url ?? '/', 'http://localhost').pathname;
+    if (method === 'GET' && path === '/healthz') {
+        sendJson(res, 200, { status: 'ok', transport: 'streamable-http', sessions: sessions.size });
+        return;
+    }
+    if (method === 'GET' && path === '/.well-known/oauth-protected-resource') {
+        sendJson(res, 200, buildProtectedResourceMetadata(`${publicBase(req, opts)}/mcp`, opts.defaultEnvironment));
+        return;
+    }
+    if (path !== '/mcp') {
+        sendJson(res, 404, { error: 'not_found' });
+        return;
+    }
+    if (method === 'POST') {
+        await handlePost(req, res, opts, sessions);
+        return;
+    }
+    // GET (SSE stream) and DELETE (session teardown) require an established session.
+    if (method === 'GET' || method === 'DELETE') {
+        const sessionId = headerValue(req.headers, 'mcp-session-id');
+        const session = sessionId ? sessions.get(sessionId) : undefined;
+        if (!session) {
+            sendJson(res, 400, { error: 'invalid_session', error_description: 'Unknown or missing Mcp-Session-Id.' });
+            return;
+        }
+        await session.transport.handleRequest(req, res);
+        return;
+    }
+    sendJson(res, 405, { error: 'method_not_allowed' }, { Allow: 'GET, POST, DELETE, OPTIONS' });
+}
+/** Build (but do not start) the remote HTTP MCP server. Call `.listen(port)`. */
+export function createHttpServer(options = {}) {
+    const opts = {
+        ...options,
+        defaultEnvironment: options.defaultEnvironment ?? 'hml',
+        corsOrigin: options.corsOrigin ?? '*',
+    };
+    const sessions = new Map();
+    return createNodeHttpServer((req, res) => {
+        handle(req, res, opts, sessions).catch((err) => {
+            try {
+                if (!res.headersSent) {
+                    sendJson(res, 500, { error: 'internal_error', message: err instanceof Error ? err.message : String(err) });
+                }
+                else {
+                    res.end();
+                }
+            }
+            catch {
+                /* response already torn down */
+            }
+        });
+    });
 }
 //# sourceMappingURL=server.js.map

package/dist/http/server.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"server.js","sourceRoot":"","sources":["../../src/http/server.ts"],"names":[],"mappings":"AAAA~~;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG~~;~~AACH~~,MAAM,UAAU,gBAAgB;~~IAC9B~~,MAAM,IAAI,KAAK,~~CACb~~,~~6FAA6F~~;~~QAC3F~~,~~gDAAgD~~,~~CACnD~~,CAAC;~~AACJ~~,CAAC"}
1	+ {"version":3,"file":"server.js","sourceRoot":"","sources":["../../src/http/server.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,YAAY,IAAI,oBAAoB,GAIrC,MAAM,WAAW,CAAC;AACnB,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,6BAA6B,EAAE,MAAM,oDAAoD,CAAC;AACnG,OAAO,EAAE,mBAAmB,EAAE,MAAM,oCAAoC,CAAC;AAEzE,OAAO,EAAE,YAAY,IAAI,eAAe,EAAE,MAAM,cAAc,CAAC;AAE/D,OAAO,EACL,sBAAsB,EACtB,sBAAsB,EACtB,mBAAmB,EACnB,yBAAyB,IAAI,8BAA8B,EAC3D,eAAe,EACf,WAAW,EACX,iBAAiB,GAElB,MAAM,aAAa,CAAC;AA4CrB,SAAS,SAAS,CAAC,GAAmB,EAAE,IAAqB;IAC3D,GAAG,CAAC,SAAS,CAAC,6BAA6B,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;IAC9D,GAAG,CAAC,SAAS,CAAC,8BAA8B,EAAE,4BAA4B,CAAC,CAAC;IAC5E,GAAG,CAAC,SAAS,CACX,8BAA8B,EAC9B,2FAA2F,CAC5F,CAAC;IACF,GAAG,CAAC,SAAS,CAAC,+BAA+B,EAAE,kCAAkC,CAAC,CAAC;AACrF,CAAC;AAED,SAAS,QAAQ,CAAC,GAAmB,EAAE,MAAc,EAAE,IAAa,EAAE,KAA8B;IAClG,GAAG,CAAC,SAAS,CAAC,MAAM,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,GAAG,KAAK,EAAE,CAAC,CAAC;IACxE,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC;AAChC,CAAC;AAED,SAAS,UAAU,CAAC,GAAoB,EAAE,IAAqB;IAC7D,IAAI,IAAI,CAAC,SAAS;QAAE,OAAO,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IAC7D,MAAM,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAC7C,MAAM,KAAK,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,MAAM,CAAC;IAC3E,MAAM,IAAI,GAAG,GAAG,CAAC,OAAO,CAAC,IAAI,IAAI,WAAW,CAAC;IAC7C,OAAO,GAAG,KAAK,MAAM,IAAI,EAAE,CAAC;AAC9B,CAAC;AAED,SAAS,SAAS,CAAC,GAAoB,EAAE,GAAmB,EAAE,IAAqB;IACjF,GAAG,CAAC,SAAS,CAAC,kBAAkB,EAAE,eAAe,CAAC,GAAG,UAAU,CAAC,GAAG,EAAE,IAAI,CAAC,uCAAuC,CAAC,CAAC,CAAC;IACpH,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,iBAAiB,CAAC,CAAC;AACxC,CAAC;AAED,SAAS,QAAQ,CAAC,GAAoB;IACpC,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,MAAM,MAAM,GAAa,EAAE,CAAC;QAC5B,GAAG,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,CAAS,EAAE,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;QAC9C,GAAG,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE;YACjB,MAAM,GAAG,GAAG,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;YACnD,IAAI,CAAC,GAAG;gBAAE,OAAO,OAAO,CAAC,SAAS,CAAC,CAAC;YACpC,IAAI,CAAC;gBACH,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC;YAC3B,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,MAAM,CAAC,GAAG,CAAC,CAAC;YACd,CAAC;QACH,CAAC,CAAC,CAAC;QACH,GAAG,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IAC1B,CAAC,CAAC,CAAC;AACL,CAAC;AAED,KAAK,UAAU,YAAY,CACzB,GAAoB,EACpB,GAAmB,EACnB,IAAqB,EACrB,QAA8B,EAC9B,IAAa;IAEb,MAAM,IAAI,GAAsB,sBAAsB,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IACpE,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,SAAS,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,CAAC,CAAC;QAC1B,OAAO;IACT,CAAC;IACD,MAAM,WAAW,GAAG,sBAAsB,CAAC,GAAG,CAAC,OAAO,EAAE,IAAI,CAAC,kBAAkB,CAAC,CAAC;IACjF,MAAM,GAAG,GAAG,mBAAmB,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC;IACnD,MAAM,MAAM,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC;IACpC,MAAM,SAAS,GAAG,IAAI,6BAA6B,CAAC;QAClD,kBAAkB,EAAE,GAAG,EAAE,CAAC,UAAU,EAAE;QACtC,kBAAkB,EAAE,IAAI;QACxB,4BAA4B,EAAE,IAAI,CAAC,4BAA4B,IAAI,KAAK;QACxE,GAAG,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC,CAAC,EAAE,YAAY,EAAE,IAAI,CAAC,YAAY,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACjE,GAAG,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,CAAC,EAAE,cAAc,EAAE,IAAI,CAAC,cAAc,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACvE,oBAAoB,EAAE,CAAC,GAAG,EAAE,EAAE;YAC5B,QAAQ,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,MAAM,EAAE,CAAC,CAAC;QAC3C,CAAC;QACD,eAAe,EAAE,CAAC,GAAG,EAAE,EAAE;YACvB,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACvB,CAAC;KACF,CAAC,CAAC;IACH,SAAS,CAAC,OAAO,GAAG,GAAG,EAAE;QACvB,IAAI,SAAS,CAAC,SAAS;YAAE,QAAQ,CAAC,MAAM,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;IAChE,CAAC,CAAC;IAEF,MAAM,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IAChC,MAAM,SAAS,CAAC,aAAa,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,CAAC,CAAC;AAChD,CAAC;AAED,KAAK,UAAU,UAAU,CACvB,GAAoB,EACpB,GAAmB,EACnB,IAAqB,EACrB,QAA8B;IAE9B,IAAI,IAAa,CAAC;IAClB,IAAI,CAAC;QACH,IAAI,GAAG,MAAM,QAAQ,CAAC,GAAG,CAAC,CAAC;IAC7B,CAAC;IAAC,MAAM,CAAC;QACP,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,cAAc,EAAE,iBAAiB,EAAE,iCAAiC,EAAE,CAAC,CAAC;QACpG,OAAO;IACT,CAAC;IAED,MAAM,SAAS,GAAG,WAAW,CAAC,GAAG,CAAC,OAAO,EAAE,gBAAgB,CAAC,CAAC;IAC7D,MAAM,QAAQ,GAAG,SAAS,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;IACjE,IAAI,QAAQ,EAAE,CAAC;QACb,MAAM,QAAQ,CAAC,SAAS,CAAC,aAAa,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,CAAC,CAAC;QACvD,OAAO;IACT,CAAC;IAED,IAAI,mBAAmB,CAAC,IAAI,CAAC,EAAE,CAAC;QAC9B,MAAM,YAAY,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,CAAC,CAAC;QACnD,OAAO;IACT,CAAC;IAED,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE;QACjB,KAAK,EAAE,iBAAiB;QACxB,iBAAiB,EAAE,sEAAsE;KAC1F,CAAC,CAAC;AACL,CAAC;AAED,KAAK,UAAU,MAAM,CACnB,GAAoB,EACpB,GAAmB,EACnB,IAAqB,EACrB,QAA8B;IAE9B,SAAS,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;IACrB,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,IAAI,KAAK,CAAC;IAEnC,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;QACzB,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;QACnB,GAAG,CAAC,GAAG,EAAE,CAAC;QACV,OAAO;IACT,CAAC;IAED,MAAM,IAAI,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,IAAI,GAAG,EAAE,kBAAkB,CAAC,CAAC,QAAQ,CAAC;IAElE,IAAI,MAAM,KAAK,KAAK,IAAI,IAAI,KAAK,UAAU,EAAE,CAAC;QAC5C,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,iBAAiB,EAAE,QAAQ,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC;QAC5F,OAAO;IACT,CAAC;IACD,IAAI,MAAM,KAAK,KAAK,IAAI,IAAI,KAAK,uCAAuC,EAAE,CAAC;QACzE,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,8BAA8B,CAAC,GAAG,UAAU,CAAC,GAAG,EAAE,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,kBAAkB,CAAC,CAAC,CAAC;QAC5G,OAAO;IACT,CAAC;IAED,IAAI,IAAI,KAAK,MAAM,EAAE,CAAC;QACpB,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,WAAW,EAAE,CAAC,CAAC;QAC3C,OAAO;IACT,CAAC;IAED,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;QACtB,MAAM,UAAU,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,QAAQ,CAAC,CAAC;QAC3C,OAAO;IACT,CAAC;IAED,iFAAiF;IACjF,IAAI,MAAM,KAAK,KAAK,IAAI,MAAM,KAAK,QAAQ,EAAE,CAAC;QAC5C,MAAM,SAAS,GAAG,WAAW,CAAC,GAAG,CAAC,OAAO,EAAE,gBAAgB,CAAC,CAAC;QAC7D,MAAM,OAAO,GAAG,SAAS,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QAChE,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,oCAAoC,EAAE,CAAC,CAAC;YAC1G,OAAO;QACT,CAAC;QACD,MAAM,OAAO,CAAC,SAAS,CAAC,aAAa,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;QAChD,OAAO;IACT,CAAC;IAED,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,oBAAoB,EAAE,EAAE,EAAE,KAAK,EAAE,4BAA4B,EAAE,CAAC,CAAC;AAC/F,CAAC;AAED,iFAAiF;AACjF,MAAM,UAAU,gBAAgB,CAAC,UAA6B,EAAE;IAC9D,MAAM,IAAI,GAAoB;QAC5B,GAAG,OAAO;QACV,kBAAkB,EAAE,OAAO,CAAC,kBAAkB,IAAI,KAAK;QACvD,UAAU,EAAE,OAAO,CAAC,UAAU,IAAI,GAAG;KACtC,CAAC;IACF,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAmB,CAAC;IAC5C,OAAO,oBAAoB,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;QACvC,MAAM,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,QAAQ,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YAC7C,IAAI,CAAC;gBACH,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC;oBACrB,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,gBAAgB,EAAE,OAAO,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;gBAC7G,CAAC;qBAAM,CAAC;oBACN,GAAG,CAAC,GAAG,EAAE,CAAC;gBACZ,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,gCAAgC;YAClC,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/http/shared.d.ts ADDED Viewed

@@ -0,0 +1,31 @@
+import { type Environment, type ToolContext } from '../client.js';
+/**
+ * Transport-agnostic auth/discovery helpers shared by the long-running HTTP
+ * server (http/server.ts) and the Lambda adapter (lambda.ts). Everything here
+ * works off a plain header map so it serves both Node IncomingMessage headers
+ * and API Gateway event headers.
+ */
+export type AuthResult = {
+    mode: 'bearer';
+    bearer: string;
+} | {
+    mode: 'credentials';
+    clientId: string;
+    clientSecret: string;
+};
+export type HeaderMap = Record<string, string | string[] | undefined>;
+export declare function headerValue(headers: HeaderMap, name: string): string | undefined;
+/** Parse the Authorization header into a Bearer token or Basic client credentials. */
+export declare function extractAuthFromHeaders(headers: HeaderMap): AuthResult | null;
+/** Resolve the SignDocs environment from the X-SignDocs-Environment header, else fallback. */
+export declare function environmentFromHeaders(headers: HeaderMap, fallback: Environment): Environment;
+/** Build a request-scoped tool context (fresh SDK client) from parsed auth. */
+export declare function buildContextForAuth(auth: AuthResult, environment: Environment): ToolContext;
+/** RFC 9728 protected-resource metadata pointing at the SignDocs authorization server. */
+export declare function protectedResourceMetadata(resourceUrl: string, environment: Environment): Record<string, unknown>;
+/** WWW-Authenticate challenge value pointing a client at the resource metadata. */
+export declare function wwwAuthenticate(metadataUrl: string): string;
+export declare const UNAUTHORIZED_BODY: {
+    error: string;
+    error_description: string;
+};