@super_studio/ecforce-ai-agent-server 0.2.0-canary.2 → 0.2.0-canary.4

package/dist/chunk-FWCSY2DS.mjs

@@ -0,0 +1,37 @@
+var __defProp = Object.defineProperty;
+var __defProps = Object.defineProperties;
+var __getOwnPropDescs = Object.getOwnPropertyDescriptors;
+var __getOwnPropSymbols = Object.getOwnPropertySymbols;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __propIsEnum = Object.prototype.propertyIsEnumerable;
+var __defNormalProp = (obj, key, value) => key in obj ? __defProp(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __spreadValues = (a, b) => {
+  for (var prop in b || (b = {}))
+    if (__hasOwnProp.call(b, prop))
+      __defNormalProp(a, prop, b[prop]);
+  if (__getOwnPropSymbols)
+    for (var prop of __getOwnPropSymbols(b)) {
+      if (__propIsEnum.call(b, prop))
+        __defNormalProp(a, prop, b[prop]);
+    }
+  return a;
+};
+var __spreadProps = (a, b) => __defProps(a, __getOwnPropDescs(b));
+var __objRest = (source, exclude) => {
+  var target = {};
+  for (var prop in source)
+    if (__hasOwnProp.call(source, prop) && exclude.indexOf(prop) < 0)
+      target[prop] = source[prop];
+  if (source != null && __getOwnPropSymbols)
+    for (var prop of __getOwnPropSymbols(source)) {
+      if (exclude.indexOf(prop) < 0 && __propIsEnum.call(source, prop))
+        target[prop] = source[prop];
+    }
+  return target;
+};
+
+export {
+  __spreadValues,
+  __spreadProps,
+  __objRest
+};

package/dist/chunk-ORMEWXMH.js

@@ -0,0 +1,37 @@
+"use strict";Object.defineProperty(exports, "__esModule", {value: true});var __defProp = Object.defineProperty;
+var __defProps = Object.defineProperties;
+var __getOwnPropDescs = Object.getOwnPropertyDescriptors;
+var __getOwnPropSymbols = Object.getOwnPropertySymbols;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __propIsEnum = Object.prototype.propertyIsEnumerable;
+var __defNormalProp = (obj, key, value) => key in obj ? __defProp(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __spreadValues = (a, b) => {
+  for (var prop in b || (b = {}))
+    if (__hasOwnProp.call(b, prop))
+      __defNormalProp(a, prop, b[prop]);
+  if (__getOwnPropSymbols)
+    for (var prop of __getOwnPropSymbols(b)) {
+      if (__propIsEnum.call(b, prop))
+        __defNormalProp(a, prop, b[prop]);
+    }
+  return a;
+};
+var __spreadProps = (a, b) => __defProps(a, __getOwnPropDescs(b));
+var __objRest = (source, exclude) => {
+  var target = {};
+  for (var prop in source)
+    if (__hasOwnProp.call(source, prop) && exclude.indexOf(prop) < 0)
+      target[prop] = source[prop];
+  if (source != null && __getOwnPropSymbols)
+    for (var prop of __getOwnPropSymbols(source)) {
+      if (exclude.indexOf(prop) < 0 && __propIsEnum.call(source, prop))
+        target[prop] = source[prop];
+    }
+  return target;
+};
+
+
+
+
+
+exports.__spreadValues = __spreadValues; exports.__spreadProps = __spreadProps; exports.__objRest = __objRest;

package/dist/index.js

@@ -1,34 +1,8 @@
-"use strict";Object.defineProperty(exports, "__esModule", {value: true});var __defProp = Object.defineProperty;
-var __defProps = Object.defineProperties;
-var __getOwnPropDescs = Object.getOwnPropertyDescriptors;
-var __getOwnPropSymbols = Object.getOwnPropertySymbols;
-var __hasOwnProp = Object.prototype.hasOwnProperty;
-var __propIsEnum = Object.prototype.propertyIsEnumerable;
-var __defNormalProp = (obj, key, value) => key in obj ? __defProp(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __spreadValues = (a, b) => {
-  for (var prop in b || (b = {}))
-    if (__hasOwnProp.call(b, prop))
-      __defNormalProp(a, prop, b[prop]);
-  if (__getOwnPropSymbols)
-    for (var prop of __getOwnPropSymbols(b)) {
-      if (__propIsEnum.call(b, prop))
-        __defNormalProp(a, prop, b[prop]);
-    }
-  return a;
-};
-var __spreadProps = (a, b) => __defProps(a, __getOwnPropDescs(b));
-var __objRest = (source, exclude) => {
-  var target = {};
-  for (var prop in source)
-    if (__hasOwnProp.call(source, prop) && exclude.indexOf(prop) < 0)
-      target[prop] = source[prop];
-  if (source != null && __getOwnPropSymbols)
-    for (var prop of __getOwnPropSymbols(source)) {
-      if (exclude.indexOf(prop) < 0 && __propIsEnum.call(source, prop))
-        target[prop] = source[prop];
-    }
-  return target;
-};
+"use strict";Object.defineProperty(exports, "__esModule", {value: true});
+
+
+
+var _chunkORMEWXMHjs = require('./chunk-ORMEWXMH.js');
 
 // src/lib/constants.ts
 var API_ENDPOINT = "http://localhost:4043";
@@ -105,7 +79,7 @@ var HttpClient = class {
         format,
         baseUrl,
         cancelToken
-      } = _b, params = __objRest(_b, [
+      } = _b, params = _chunkORMEWXMHjs.__objRest.call(void 0, _b, [
         "body",
         "secure",
         "path",
@@ -122,8 +96,8 @@ var HttpClient = class {
       const responseFormat = format || requestParams.format;
       return this.customFetch(
         `${baseUrl || this.baseUrl || ""}${path}${queryString ? `?${queryString}` : ""}`,
-        __spreadProps(__spreadValues({}, requestParams), {
-          headers: __spreadValues(__spreadValues({}, requestParams.headers || {}), type && type !== "multipart/form-data" /* FormData */ ? { "Content-Type": type } : {}),
+        _chunkORMEWXMHjs.__spreadProps.call(void 0, _chunkORMEWXMHjs.__spreadValues.call(void 0, {}, requestParams), {
+          headers: _chunkORMEWXMHjs.__spreadValues.call(void 0, _chunkORMEWXMHjs.__spreadValues.call(void 0, {}, requestParams.headers || {}), type && type !== "multipart/form-data" /* FormData */ ? { "Content-Type": type } : {}),
           signal: (cancelToken ? this.createAbortSignal(cancelToken) : requestParams.signal) || null,
           body: typeof body === "undefined" || body === null ? null : payloadFormatter(body)
         })
@@ -176,8 +150,8 @@ var HttpClient = class {
     return queryString ? `?${queryString}` : "";
   }
   mergeRequestParams(params1, params2) {
-    return __spreadProps(__spreadValues(__spreadValues(__spreadValues({}, this.baseApiParams), params1), params2 || {}), {
-      headers: __spreadValues(__spreadValues(__spreadValues({}, this.baseApiParams.headers || {}), params1.headers || {}), params2 && params2.headers || {})
+    return _chunkORMEWXMHjs.__spreadProps.call(void 0, _chunkORMEWXMHjs.__spreadValues.call(void 0, _chunkORMEWXMHjs.__spreadValues.call(void 0, _chunkORMEWXMHjs.__spreadValues.call(void 0, {}, this.baseApiParams), params1), params2 || {}), {
+      headers: _chunkORMEWXMHjs.__spreadValues.call(void 0, _chunkORMEWXMHjs.__spreadValues.call(void 0, _chunkORMEWXMHjs.__spreadValues.call(void 0, {}, this.baseApiParams.headers || {}), params1.headers || {}), params2 && params2.headers || {})
     });
   }
 };
@@ -194,7 +168,7 @@ var Api = class extends HttpClient {
        * @request GET:/v1/version
        * @secure
        */
-      getVersion: (params = {}) => this.request(__spreadValues({
+      getVersion: (params = {}) => this.request(_chunkORMEWXMHjs.__spreadValues.call(void 0, {
         path: `/v1/version`,
         method: "GET",
         secure: true,
@@ -211,7 +185,7 @@ var Api = class extends HttpClient {
        * @request POST:/v1/internal/create-session
        * @secure
        */
-      createSession: (data, params = {}) => this.request(__spreadValues({
+      createSession: (data, params = {}) => this.request(_chunkORMEWXMHjs.__spreadValues.call(void 0, {
         path: `/v1/internal/create-session`,
         method: "POST",
         body: data,
@@ -230,7 +204,7 @@ var Api = class extends HttpClient {
        * @request GET:/v1/agent
        * @secure
        */
-      list: (params = {}) => this.request(__spreadValues({
+      list: (params = {}) => this.request(_chunkORMEWXMHjs.__spreadValues.call(void 0, {
         path: `/v1/agent`,
         method: "GET",
         secure: true,
@@ -245,7 +219,7 @@ var Api = class extends HttpClient {
        * @request POST:/v1/agent
        * @secure
        */
-      create: (data, params = {}) => this.request(__spreadValues({
+      create: (data, params = {}) => this.request(_chunkORMEWXMHjs.__spreadValues.call(void 0, {
         path: `/v1/agent`,
         method: "POST",
         body: data,
@@ -262,7 +236,7 @@ var Api = class extends HttpClient {
        * @request GET:/v1/agent/{id}
        * @secure
        */
-      get: (id, params = {}) => this.request(__spreadValues({
+      get: (id, params = {}) => this.request(_chunkORMEWXMHjs.__spreadValues.call(void 0, {
         path: `/v1/agent/${id}`,
         method: "GET",
         secure: true,
@@ -277,7 +251,7 @@ var Api = class extends HttpClient {
        * @request PUT:/v1/agent/{id}
        * @secure
        */
-      update: (id, data, params = {}) => this.request(__spreadValues({
+      update: (id, data, params = {}) => this.request(_chunkORMEWXMHjs.__spreadValues.call(void 0, {
         path: `/v1/agent/${id}`,
         method: "PUT",
         body: data,
@@ -294,7 +268,7 @@ var Api = class extends HttpClient {
        * @request DELETE:/v1/agent/{id}
        * @secure
        */
-      delete: (id, data, params = {}) => this.request(__spreadValues({
+      delete: (id, data, params = {}) => this.request(_chunkORMEWXMHjs.__spreadValues.call(void 0, {
         path: `/v1/agent/${id}`,
         method: "DELETE",
         body: data,
@@ -311,7 +285,7 @@ var Api = class extends HttpClient {
        * @request GET:/v1/agent/{id}/interface-features
        * @secure
        */
-      getInterfaceFeatures: (id, params = {}) => this.request(__spreadValues({
+      getInterfaceFeatures: (id, params = {}) => this.request(_chunkORMEWXMHjs.__spreadValues.call(void 0, {
         path: `/v1/agent/${id}/interface-features`,
         method: "GET",
         secure: true,
@@ -326,7 +300,7 @@ var Api = class extends HttpClient {
        * @request POST:/v1/agent/tool-settings
        * @secure
        */
-      getToolSettings: (data, params = {}) => this.request(__spreadValues({
+      getToolSettings: (data, params = {}) => this.request(_chunkORMEWXMHjs.__spreadValues.call(void 0, {
         path: `/v1/agent/tool-settings`,
         method: "POST",
         body: data,
@@ -345,7 +319,7 @@ var Api = class extends HttpClient {
        * @request GET:/v1/account
        * @secure
        */
-      list: (params = {}) => this.request(__spreadValues({
+      list: (params = {}) => this.request(_chunkORMEWXMHjs.__spreadValues.call(void 0, {
         path: `/v1/account`,
         method: "GET",
         secure: true,
@@ -360,7 +334,7 @@ var Api = class extends HttpClient {
        * @request GET:/v1/account/{projectId}
        * @secure
        */
-      get: (projectId, params = {}) => this.request(__spreadValues({
+      get: (projectId, params = {}) => this.request(_chunkORMEWXMHjs.__spreadValues.call(void 0, {
         path: `/v1/account/${projectId}`,
         method: "GET",
         secure: true,
@@ -377,7 +351,7 @@ var Api = class extends HttpClient {
        * @request GET:/v1/api-keys/{type}
        * @secure
        */
-      list: (type, params = {}) => this.request(__spreadValues({
+      list: (type, params = {}) => this.request(_chunkORMEWXMHjs.__spreadValues.call(void 0, {
         path: `/v1/api-keys/${type}`,
         method: "GET",
         secure: true,
@@ -392,7 +366,7 @@ var Api = class extends HttpClient {
        * @request POST:/v1/api-keys
        * @secure
        */
-      create: (data, params = {}) => this.request(__spreadValues({
+      create: (data, params = {}) => this.request(_chunkORMEWXMHjs.__spreadValues.call(void 0, {
         path: `/v1/api-keys`,
         method: "POST",
         body: data,
@@ -409,7 +383,7 @@ var Api = class extends HttpClient {
        * @request PATCH:/v1/api-keys/{id}
        * @secure
        */
-      update: (id, data, params = {}) => this.request(__spreadValues({
+      update: (id, data, params = {}) => this.request(_chunkORMEWXMHjs.__spreadValues.call(void 0, {
         path: `/v1/api-keys/${id}`,
         method: "PATCH",
         body: data,
@@ -426,7 +400,7 @@ var Api = class extends HttpClient {
        * @request DELETE:/v1/api-keys/{id}
        * @secure
        */
-      delete: (id, data, params = {}) => this.request(__spreadValues({
+      delete: (id, data, params = {}) => this.request(_chunkORMEWXMHjs.__spreadValues.call(void 0, {
         path: `/v1/api-keys/${id}`,
         method: "DELETE",
         body: data,
@@ -445,7 +419,7 @@ var Api = class extends HttpClient {
        * @request POST:/v1/chat/list-messages
        * @secure
        */
-      listMessages: (data, params = {}) => this.request(__spreadValues({
+      listMessages: (data, params = {}) => this.request(_chunkORMEWXMHjs.__spreadValues.call(void 0, {
         path: `/v1/chat/list-messages`,
         method: "POST",
         body: data,
@@ -462,7 +436,7 @@ var Api = class extends HttpClient {
        * @request POST:/v1/chat/my-list
        * @secure
        */
-      myList: (data, params = {}) => this.request(__spreadValues({
+      myList: (data, params = {}) => this.request(_chunkORMEWXMHjs.__spreadValues.call(void 0, {
         path: `/v1/chat/my-list`,
         method: "POST",
         body: data,
@@ -479,7 +453,7 @@ var Api = class extends HttpClient {
        * @request POST:/v1/chat/get-title
        * @secure
        */
-      getTitle: (data, params = {}) => this.request(__spreadValues({
+      getTitle: (data, params = {}) => this.request(_chunkORMEWXMHjs.__spreadValues.call(void 0, {
         path: `/v1/chat/get-title`,
         method: "POST",
         body: data,
@@ -496,7 +470,7 @@ var Api = class extends HttpClient {
        * @request POST:/v1/chat/submit-feedback
        * @secure
        */
-      submitFeedback: (data, params = {}) => this.request(__spreadValues({
+      submitFeedback: (data, params = {}) => this.request(_chunkORMEWXMHjs.__spreadValues.call(void 0, {
         path: `/v1/chat/submit-feedback`,
         method: "POST",
         body: data,
@@ -513,7 +487,7 @@ var Api = class extends HttpClient {
        * @request POST:/v1/chat/delete-feedback
        * @secure
        */
-      deleteFeedback: (data, params = {}) => this.request(__spreadValues({
+      deleteFeedback: (data, params = {}) => this.request(_chunkORMEWXMHjs.__spreadValues.call(void 0, {
         path: `/v1/chat/delete-feedback`,
         method: "POST",
         body: data,

package/dist/index.mjs

@@ -1,34 +1,8 @@
-var __defProp = Object.defineProperty;
-var __defProps = Object.defineProperties;
-var __getOwnPropDescs = Object.getOwnPropertyDescriptors;
-var __getOwnPropSymbols = Object.getOwnPropertySymbols;
-var __hasOwnProp = Object.prototype.hasOwnProperty;
-var __propIsEnum = Object.prototype.propertyIsEnumerable;
-var __defNormalProp = (obj, key, value) => key in obj ? __defProp(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __spreadValues = (a, b) => {
-  for (var prop in b || (b = {}))
-    if (__hasOwnProp.call(b, prop))
-      __defNormalProp(a, prop, b[prop]);
-  if (__getOwnPropSymbols)
-    for (var prop of __getOwnPropSymbols(b)) {
-      if (__propIsEnum.call(b, prop))
-        __defNormalProp(a, prop, b[prop]);
-    }
-  return a;
-};
-var __spreadProps = (a, b) => __defProps(a, __getOwnPropDescs(b));
-var __objRest = (source, exclude) => {
-  var target = {};
-  for (var prop in source)
-    if (__hasOwnProp.call(source, prop) && exclude.indexOf(prop) < 0)
-      target[prop] = source[prop];
-  if (source != null && __getOwnPropSymbols)
-    for (var prop of __getOwnPropSymbols(source)) {
-      if (exclude.indexOf(prop) < 0 && __propIsEnum.call(source, prop))
-        target[prop] = source[prop];
-    }
-  return target;
-};
+import {
+  __objRest,
+  __spreadProps,
+  __spreadValues
+} from "./chunk-FWCSY2DS.mjs";
 
 // src/lib/constants.ts
 var API_ENDPOINT = "http://localhost:4043";

package/dist/lib/jwt.d.ts

@@ -0,0 +1,37 @@
+/**
+ * このロジックは最新(@auth/core@0.37.2)のAuth.jsのjwt.tsからコピーされました。
+ */
+/** Issues a JWT. By default, the JWT is encrypted using "A256CBC-HS512". */
+export declare function encode<Payload = object>(params: JWTEncodeParams<Payload>): Promise<string>;
+/** Decodes an Auth.js issued JWT. */
+export declare function decode<Payload = object>(params: JWTDecodeParams): Promise<Payload | null>;
+export interface JWTEncodeParams<Payload = object> {
+    /**
+     * The maximum age of the Auth.js issued JWT in seconds.
+     *
+     * @default 30 * 24 * 60 * 60 // 30 days
+     */
+    maxAge?: number;
+    /** Used in combination with `secret`, to derive the encryption secret for JWTs. */
+    salt: string;
+    /** Used in combination with `salt`, to derive the encryption secret for JWTs. */
+    secret: string | string[];
+    /** The JWT payload. */
+    token?: Payload;
+}
+export interface JWTDecodeParams {
+    /** Used in combination with `secret`, to derive the encryption secret for JWTs. */
+    salt: string;
+    /**
+     * Used in combination with `salt`, to derive the encryption secret for JWTs.
+     *
+     * @note
+     * You can also pass an array of secrets, in which case the first secret that successfully
+     * decrypts the JWT will be used. This is useful for rotating secrets without invalidating existing sessions.
+     * The newer secret should be added to the start of the array, which will be used for all new sessions.
+     */
+    secret: string | string[];
+    /** The Auth.js issued JWT to be decoded */
+    token?: string;
+}
+//# sourceMappingURL=jwt.d.ts.map

package/dist/lib/jwt.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt.d.ts","sourceRoot":"","sources":["../../src/lib/jwt.ts"],"names":[],"mappings":"AAAA;;GAEG;AAkBH,4EAA4E;AAC5E,wBAAsB,MAAM,CAAC,OAAO,GAAG,MAAM,EAC3C,MAAM,EAAE,eAAe,CAAC,OAAO,CAAC,mBAqBjC;AAED,qCAAqC;AACrC,wBAAsB,MAAM,CAAC,OAAO,GAAG,MAAM,EAC3C,MAAM,EAAE,eAAe,GACtB,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC,CAqCzB;AA2BD,MAAM,WAAW,eAAe,CAAC,OAAO,GAAG,MAAM;IAC/C;;;;OAIG;IACH,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,mFAAmF;IACnF,IAAI,EAAE,MAAM,CAAC;IACb,iFAAiF;IACjF,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IAC1B,uBAAuB;IACvB,KAAK,CAAC,EAAE,OAAO,CAAC;CACjB;AAED,MAAM,WAAW,eAAe;IAC9B,mFAAmF;IACnF,IAAI,EAAE,MAAM,CAAC;IACb;;;;;;;OAOG;IACH,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IAC1B,2CAA2C;IAC3C,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB"}

package/dist/mcp-auth.d.ts

@@ -0,0 +1,35 @@
+/**
+ * 共通のMCPトークンのペイロード。
+ * すべてのapps(cdp, ma, bi)はこのトークンの形になります。
+ */
+export type MCPTokenPayload = {
+    source: string;
+    user: {
+        id: string;
+        name: string;
+        email: string;
+        projectId: string;
+    };
+};
+/**
+ * Uses Auth.js JWT encoding/decoding.
+ * @see https://github.com/nextauthjs/next-auth/blob/main/packages/core/src/jwt.ts
+ */
+export declare function createMCPToken(payload: MCPTokenPayload, options?: {
+    secret?: string;
+    salt?: string;
+    maxAge?: number;
+}): Promise<{
+    token: string;
+    expiresAt: Date;
+}>;
+/**
+ * Uses Auth.js JWT encoding/decoding.
+ * @see https://github.com/nextauthjs/next-auth/blob/main/packages/core/src/jwt.ts
+ */
+export declare function decodeMCPToken(token: string, options?: {
+    secret?: string;
+    salt?: string;
+}): Promise<MCPTokenPayload>;
+export declare function getMcpToken(req: Request): string;
+//# sourceMappingURL=mcp-auth.d.ts.map

package/dist/mcp-auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"mcp-auth.d.ts","sourceRoot":"","sources":["../src/mcp-auth.ts"],"names":[],"mappings":"AAEA;;;GAGG;AACH,MAAM,MAAM,eAAe,GAAG;IAC5B,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE;QACJ,EAAE,EAAE,MAAM,CAAC;QACX,IAAI,EAAE,MAAM,CAAC;QACb,KAAK,EAAE,MAAM,CAAC;QACd,SAAS,EAAE,MAAM,CAAC;KACnB,CAAC;CACH,CAAC;AAKF;;;GAGG;AACH,wBAAsB,cAAc,CAClC,OAAO,EAAE,eAAe,EACxB,OAAO,CAAC,EAAE;IACR,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;;;GAkBF;AAED;;;GAGG;AACH,wBAAsB,cAAc,CAClC,KAAK,EAAE,MAAM,EACb,OAAO,CAAC,EAAE;IACR,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;CACf,GACA,OAAO,CAAC,eAAe,CAAC,CAe1B;AAED,wBAAgB,WAAW,CAAC,GAAG,EAAE,OAAO,UAMvC"}

package/dist/mcp-auth.js

@@ -0,0 +1,136 @@
+"use strict";Object.defineProperty(exports, "__esModule", {value: true});require('./chunk-ORMEWXMH.js');
+
+// src/lib/jwt.ts
+var _hkdf = require('@panva/hkdf');
+
+
+
+
+
+var _jose = require('jose');
+var DEFAULT_MAX_AGE = 30 * 24 * 60 * 60;
+var now = () => Date.now() / 1e3 | 0;
+var alg = "dir";
+var enc = "A256CBC-HS512";
+async function encode(params) {
+  const { token = {}, secret, maxAge = DEFAULT_MAX_AGE, salt } = params;
+  const secrets = Array.isArray(secret) ? secret : [secret];
+  const encryptionSecret = await getDerivedEncryptionKey(
+    enc,
+    secrets[0],
+    salt
+  );
+  const thumbprint = await _jose.calculateJwkThumbprint.call(void 0, 
+    { kty: "oct", k: _jose.base64url.encode(encryptionSecret) },
+    `sha${encryptionSecret.byteLength << 3}`
+  );
+  return await new (0, _jose.EncryptJWT)(token).setProtectedHeader({ alg, enc, kid: thumbprint }).setIssuedAt().setExpirationTime(now() + maxAge).setJti(crypto.randomUUID()).encrypt(encryptionSecret);
+}
+async function decode(params) {
+  const { token, secret, salt } = params;
+  const secrets = Array.isArray(secret) ? secret : [secret];
+  if (!token) {
+    return null;
+  }
+  const { payload } = await _jose.jwtDecrypt.call(void 0, 
+    token,
+    async ({ kid, enc: enc2 }) => {
+      for (const secret2 of secrets) {
+        const encryptionSecret = await getDerivedEncryptionKey(
+          enc2,
+          secret2,
+          salt
+        );
+        if (kid === void 0) {
+          return encryptionSecret;
+        }
+        const thumbprint = await _jose.calculateJwkThumbprint.call(void 0, 
+          { kty: "oct", k: _jose.base64url.encode(encryptionSecret) },
+          `sha${encryptionSecret.byteLength << 3}`
+        );
+        if (kid === thumbprint) {
+          return encryptionSecret;
+        }
+      }
+      throw new Error("no matching decryption secret");
+    },
+    {
+      clockTolerance: 15,
+      keyManagementAlgorithms: [alg],
+      contentEncryptionAlgorithms: [enc, "A256GCM"]
+    }
+  );
+  return payload;
+}
+async function getDerivedEncryptionKey(enc2, keyMaterial, salt) {
+  let length;
+  switch (enc2) {
+    case "A256CBC-HS512":
+      length = 64;
+      break;
+    case "A256GCM":
+      length = 32;
+      break;
+    default:
+      throw new Error("Unsupported JWT Content Encryption Algorithm");
+  }
+  return await _hkdf.hkdf.call(void 0, 
+    "sha256",
+    keyMaterial,
+    salt,
+    `Auth.js Generated Encryption Key (${salt})`,
+    length
+  );
+}
+
+// src/mcp-auth.ts
+var DEFAULT_MAX_AGE2 = 60 * 10;
+var DEFAULT_SALT = process.env.STAGE === "local" ? "dev" : process.env.STAGE;
+async function createMCPToken(payload, options) {
+  var _a, _b, _c;
+  const maxAge = (_a = options == null ? void 0 : options.maxAge) != null ? _a : DEFAULT_MAX_AGE2;
+  const secret = (_b = options == null ? void 0 : options.secret) != null ? _b : process.env.MCP_TOKEN_SECRET;
+  const salt = (_c = options == null ? void 0 : options.salt) != null ? _c : DEFAULT_SALT;
+  if (!secret || !salt) {
+    throw new Error("Secret or salt is not set");
+  }
+  const token = await encode({
+    token: payload,
+    secret,
+    salt,
+    maxAge
+  });
+  return {
+    token,
+    expiresAt: new Date(Date.now() + maxAge * 1e3)
+  };
+}
+async function decodeMCPToken(token, options) {
+  var _a, _b;
+  const secret = (_a = options == null ? void 0 : options.secret) != null ? _a : process.env.MCP_TOKEN_SECRET;
+  const salt = (_b = options == null ? void 0 : options.salt) != null ? _b : DEFAULT_SALT;
+  if (!secret || !salt) {
+    throw new Error("Secret or salt is not set");
+  }
+  const decoded = await decode({
+    token,
+    secret,
+    salt
+  });
+  if (!decoded) {
+    throw new Error("Invalid token");
+  }
+  return decoded;
+}
+function getMcpToken(req) {
+  const mcpToken = req.headers.get("X-MCP-Token");
+  if (!mcpToken || typeof mcpToken !== "string") {
+    throw new Error("Unauthorized");
+  }
+  return mcpToken;
+}
+
+
+
+
+exports.createMCPToken = createMCPToken; exports.decodeMCPToken = decodeMCPToken; exports.getMcpToken = getMcpToken;

package/dist/mcp-auth.mjs

@@ -0,0 +1,136 @@
+import "./chunk-FWCSY2DS.mjs";
+
+// src/lib/jwt.ts
+import { hkdf } from "@panva/hkdf";
+import {
+  base64url,
+  calculateJwkThumbprint,
+  EncryptJWT,
+  jwtDecrypt
+} from "jose";
+var DEFAULT_MAX_AGE = 30 * 24 * 60 * 60;
+var now = () => Date.now() / 1e3 | 0;
+var alg = "dir";
+var enc = "A256CBC-HS512";
+async function encode(params) {
+  const { token = {}, secret, maxAge = DEFAULT_MAX_AGE, salt } = params;
+  const secrets = Array.isArray(secret) ? secret : [secret];
+  const encryptionSecret = await getDerivedEncryptionKey(
+    enc,
+    secrets[0],
+    salt
+  );
+  const thumbprint = await calculateJwkThumbprint(
+    { kty: "oct", k: base64url.encode(encryptionSecret) },
+    `sha${encryptionSecret.byteLength << 3}`
+  );
+  return await new EncryptJWT(token).setProtectedHeader({ alg, enc, kid: thumbprint }).setIssuedAt().setExpirationTime(now() + maxAge).setJti(crypto.randomUUID()).encrypt(encryptionSecret);
+}
+async function decode(params) {
+  const { token, secret, salt } = params;
+  const secrets = Array.isArray(secret) ? secret : [secret];
+  if (!token) {
+    return null;
+  }
+  const { payload } = await jwtDecrypt(
+    token,
+    async ({ kid, enc: enc2 }) => {
+      for (const secret2 of secrets) {
+        const encryptionSecret = await getDerivedEncryptionKey(
+          enc2,
+          secret2,
+          salt
+        );
+        if (kid === void 0) {
+          return encryptionSecret;
+        }
+        const thumbprint = await calculateJwkThumbprint(
+          { kty: "oct", k: base64url.encode(encryptionSecret) },
+          `sha${encryptionSecret.byteLength << 3}`
+        );
+        if (kid === thumbprint) {
+          return encryptionSecret;
+        }
+      }
+      throw new Error("no matching decryption secret");
+    },
+    {
+      clockTolerance: 15,
+      keyManagementAlgorithms: [alg],
+      contentEncryptionAlgorithms: [enc, "A256GCM"]
+    }
+  );
+  return payload;
+}
+async function getDerivedEncryptionKey(enc2, keyMaterial, salt) {
+  let length;
+  switch (enc2) {
+    case "A256CBC-HS512":
+      length = 64;
+      break;
+    case "A256GCM":
+      length = 32;
+      break;
+    default:
+      throw new Error("Unsupported JWT Content Encryption Algorithm");
+  }
+  return await hkdf(
+    "sha256",
+    keyMaterial,
+    salt,
+    `Auth.js Generated Encryption Key (${salt})`,
+    length
+  );
+}
+
+// src/mcp-auth.ts
+var DEFAULT_MAX_AGE2 = 60 * 10;
+var DEFAULT_SALT = process.env.STAGE === "local" ? "dev" : process.env.STAGE;
+async function createMCPToken(payload, options) {
+  var _a, _b, _c;
+  const maxAge = (_a = options == null ? void 0 : options.maxAge) != null ? _a : DEFAULT_MAX_AGE2;
+  const secret = (_b = options == null ? void 0 : options.secret) != null ? _b : process.env.MCP_TOKEN_SECRET;
+  const salt = (_c = options == null ? void 0 : options.salt) != null ? _c : DEFAULT_SALT;
+  if (!secret || !salt) {
+    throw new Error("Secret or salt is not set");
+  }
+  const token = await encode({
+    token: payload,
+    secret,
+    salt,
+    maxAge
+  });
+  return {
+    token,
+    expiresAt: new Date(Date.now() + maxAge * 1e3)
+  };
+}
+async function decodeMCPToken(token, options) {
+  var _a, _b;
+  const secret = (_a = options == null ? void 0 : options.secret) != null ? _a : process.env.MCP_TOKEN_SECRET;
+  const salt = (_b = options == null ? void 0 : options.salt) != null ? _b : DEFAULT_SALT;
+  if (!secret || !salt) {
+    throw new Error("Secret or salt is not set");
+  }
+  const decoded = await decode({
+    token,
+    secret,
+    salt
+  });
+  if (!decoded) {
+    throw new Error("Invalid token");
+  }
+  return decoded;
+}
+function getMcpToken(req) {
+  const mcpToken = req.headers.get("X-MCP-Token");
+  if (!mcpToken || typeof mcpToken !== "string") {
+    throw new Error("Unauthorized");
+  }
+  return mcpToken;
+}
+export {
+  createMCPToken,
+  decodeMCPToken,
+  getMcpToken
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@super_studio/ecforce-ai-agent-server",
-  "version": "0.2.0-canary.2",
+  "version": "0.2.0-canary.4",
   "main": "dist/index.js",
   "module": "dist/index.mjs",
   "types": "dist/index.d.ts",
@@ -14,6 +14,11 @@
       "import": "./dist/index.mjs",
       "require": "./dist/index.js",
       "default": "./dist/index.js"
+    },
+    "./mcp-auth": {
+      "import": "./dist/mcp-auth.mjs",
+      "require": "./dist/mcp-auth.js",
+      "default": "./dist/mcp-auth.js"
     }
   },
   "publishConfig": {
@@ -26,6 +31,10 @@
     "tsup": "8.5.0",
     "tsx": "4.19.3"
   },
+  "dependencies": {
+    "@panva/hkdf": "^1.2.1",
+    "jose": "^6.0.6"
+  },
   "scripts": {
     "dev": "npm-run-all --parallel dev:main dev:types",
     "dev:main": "tsup --watch",

package/src/lib/jwt.ts

@@ -0,0 +1,142 @@
+/**
+ * このロジックは最新(@auth/core@0.37.2)のAuth.jsのjwt.tsからコピーされました。
+ */
+
+import { hkdf } from "@panva/hkdf";
+import {
+  base64url,
+  calculateJwkThumbprint,
+  EncryptJWT,
+  jwtDecrypt,
+} from "jose";
+
+const DEFAULT_MAX_AGE = 30 * 24 * 60 * 60; // 30 days
+
+const now = () => (Date.now() / 1000) | 0;
+
+const alg = "dir";
+const enc = "A256CBC-HS512";
+type Digest = Parameters<typeof calculateJwkThumbprint>[1];
+
+/** Issues a JWT. By default, the JWT is encrypted using "A256CBC-HS512". */
+export async function encode<Payload = object>(
+  params: JWTEncodeParams<Payload>,
+) {
+  const { token = {}, secret, maxAge = DEFAULT_MAX_AGE, salt } = params;
+  const secrets = Array.isArray(secret) ? secret : [secret];
+  const encryptionSecret = await getDerivedEncryptionKey(
+    enc,
+    secrets[0]!,
+    salt,
+  );
+
+  const thumbprint = await calculateJwkThumbprint(
+    { kty: "oct", k: base64url.encode(encryptionSecret) },
+    `sha${encryptionSecret.byteLength << 3}` as Digest,
+  );
+  // @ts-expect-error `jose` allows any object as payload.
+  return await new EncryptJWT(token)
+    .setProtectedHeader({ alg, enc, kid: thumbprint })
+    .setIssuedAt()
+    .setExpirationTime(now() + maxAge)
+    .setJti(crypto.randomUUID())
+    .encrypt(encryptionSecret);
+}
+
+/** Decodes an Auth.js issued JWT. */
+export async function decode<Payload = object>(
+  params: JWTDecodeParams,
+): Promise<Payload | null> {
+  const { token, secret, salt } = params;
+  const secrets = Array.isArray(secret) ? secret : [secret];
+  if (!token) {
+    return null;
+  }
+  const { payload } = await jwtDecrypt(
+    token,
+    async ({ kid, enc }) => {
+      for (const secret of secrets) {
+        const encryptionSecret = await getDerivedEncryptionKey(
+          enc,
+          secret,
+          salt,
+        );
+        if (kid === undefined) {
+          return encryptionSecret;
+        }
+
+        const thumbprint = await calculateJwkThumbprint(
+          { kty: "oct", k: base64url.encode(encryptionSecret) },
+          `sha${encryptionSecret.byteLength << 3}` as Digest,
+        );
+        if (kid === thumbprint) {
+          return encryptionSecret;
+        }
+      }
+
+      throw new Error("no matching decryption secret");
+    },
+    {
+      clockTolerance: 15,
+      keyManagementAlgorithms: [alg],
+      contentEncryptionAlgorithms: [enc, "A256GCM"],
+    },
+  );
+  return payload as Payload;
+}
+
+async function getDerivedEncryptionKey(
+  enc: string,
+  keyMaterial: Parameters<typeof hkdf>[1],
+  salt: Parameters<typeof hkdf>[2],
+) {
+  let length: number;
+  switch (enc) {
+    case "A256CBC-HS512":
+      length = 64;
+      break;
+    case "A256GCM":
+      length = 32;
+      break;
+    default:
+      throw new Error("Unsupported JWT Content Encryption Algorithm");
+  }
+  return await hkdf(
+    "sha256",
+    keyMaterial,
+    salt,
+    `Auth.js Generated Encryption Key (${salt})`,
+    length,
+  );
+}
+
+export interface JWTEncodeParams<Payload = object> {
+  /**
+   * The maximum age of the Auth.js issued JWT in seconds.
+   *
+   * @default 30 * 24 * 60 * 60 // 30 days
+   */
+  maxAge?: number;
+  /** Used in combination with `secret`, to derive the encryption secret for JWTs. */
+  salt: string;
+  /** Used in combination with `salt`, to derive the encryption secret for JWTs. */
+  secret: string | string[];
+  /** The JWT payload. */
+  token?: Payload;
+}
+
+export interface JWTDecodeParams {
+  /** Used in combination with `secret`, to derive the encryption secret for JWTs. */
+  salt: string;
+  /**
+   * Used in combination with `salt`, to derive the encryption secret for JWTs.
+   *
+   * @note
+   * You can also pass an array of secrets, in which case the first secret that successfully
+   * decrypts the JWT will be used. This is useful for rotating secrets without invalidating existing sessions.
+   * The newer secret should be added to the start of the array, which will be used for all new sessions.
+   */
+  secret: string | string[];
+  /** The Auth.js issued JWT to be decoded */
+  token?: string;
+}

package/src/mcp-auth.ts

@@ -0,0 +1,83 @@
+import { decode, encode } from "./lib/jwt";
+
+/**
+ * 共通のMCPトークンのペイロード。
+ * すべてのapps(cdp, ma, bi)はこのトークンの形になります。
+ */
+export type MCPTokenPayload = {
+  source: string;
+  user: {
+    id: string;
+    name: string;
+    email: string;
+    projectId: string;
+  };
+};
+
+const DEFAULT_MAX_AGE = 60 * 10; // 10 minutes
+const DEFAULT_SALT = process.env.STAGE === "local" ? "dev" : process.env.STAGE;
+
+/**
+ * Uses Auth.js JWT encoding/decoding.
+ * @see https://github.com/nextauthjs/next-auth/blob/main/packages/core/src/jwt.ts
+ */
+export async function createMCPToken(
+  payload: MCPTokenPayload,
+  options?: {
+    secret?: string;
+    salt?: string;
+    maxAge?: number;
+  },
+) {
+  const maxAge = options?.maxAge ?? DEFAULT_MAX_AGE;
+  const secret = options?.secret ?? process.env.MCP_TOKEN_SECRET;
+  const salt = options?.salt ?? DEFAULT_SALT;
+  if (!secret || !salt) {
+    throw new Error("Secret or salt is not set");
+  }
+  const token = await encode<MCPTokenPayload>({
+    token: payload,
+    secret,
+    salt,
+    maxAge,
+  });
+  return {
+    token,
+    expiresAt: new Date(Date.now() + maxAge * 1000),
+  };
+}
+
+/**
+ * Uses Auth.js JWT encoding/decoding.
+ * @see https://github.com/nextauthjs/next-auth/blob/main/packages/core/src/jwt.ts
+ */
+export async function decodeMCPToken(
+  token: string,
+  options?: {
+    secret?: string;
+    salt?: string;
+  },
+): Promise<MCPTokenPayload> {
+  const secret = options?.secret ?? process.env.MCP_TOKEN_SECRET;
+  const salt = options?.salt ?? DEFAULT_SALT;
+  if (!secret || !salt) {
+    throw new Error("Secret or salt is not set");
+  }
+  const decoded = await decode<MCPTokenPayload>({
+    token,
+    secret,
+    salt,
+  });
+  if (!decoded) {
+    throw new Error("Invalid token");
+  }
+  return decoded;
+}
+
+export function getMcpToken(req: Request) {
+  const mcpToken = req.headers.get("X-MCP-Token");
+  if (!mcpToken || typeof mcpToken !== "string") {
+    throw new Error("Unauthorized");
+  }
+  return mcpToken;
+}