npm - @wonderwhy-er/desktop-commander - Versions diffs - 0.2.17 → 0.2.18-alpha.1 - Mend

@wonderwhy-er/desktop-commander 0.2.17 → 0.2.18-alpha.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (36) hide show

package/README.md +1 -4
package/dist/http-server-auto-tunnel.d.ts +1 -0
package/dist/http-server-auto-tunnel.js +667 -0
package/dist/http-server-named-tunnel.d.ts +2 -0
package/dist/http-server-named-tunnel.js +167 -0
package/dist/http-server-tunnel.d.ts +2 -0
package/dist/http-server-tunnel.js +111 -0
package/dist/http-server.d.ts +2 -0
package/dist/http-server.js +270 -0
package/dist/index.js +4 -0
package/dist/oauth/auth-middleware.d.ts +20 -0
package/dist/oauth/auth-middleware.js +62 -0
package/dist/oauth/index.d.ts +3 -0
package/dist/oauth/index.js +3 -0
package/dist/oauth/oauth-manager.d.ts +80 -0
package/dist/oauth/oauth-manager.js +179 -0
package/dist/oauth/oauth-routes.d.ts +3 -0
package/dist/oauth/oauth-routes.js +377 -0
package/dist/server.js +32 -7
package/dist/setup-claude-server.js +43 -5
package/dist/terminal-manager.d.ts +1 -1
package/dist/terminal-manager.js +56 -1
package/dist/tools/config.js +2 -0
package/dist/tools/feedback.js +2 -2
package/dist/tools/improved-process-tools.js +179 -58
package/dist/tools/schemas.d.ts +9 -0
package/dist/tools/schemas.js +3 -0
package/dist/types.d.ts +19 -0
package/dist/utils/feature-flags.d.ts +43 -0
package/dist/utils/feature-flags.js +147 -0
package/dist/utils/toolHistory.js +3 -8
package/dist/utils/usageTracker.d.ts +4 -0
package/dist/utils/usageTracker.js +63 -37
package/dist/version.d.ts +1 -1
package/dist/version.js +1 -1
package/package.json +2 -1

package/dist/oauth/oauth-manager.d.ts ADDED Viewed

@@ -0,0 +1,80 @@
+interface JWTPayload {
+    sub: string;
+    client_id: string;
+    scope: string;
+    [key: string]: any;
+}
+interface TokenValidation {
+    valid: boolean;
+    username?: string;
+    client_id?: string;
+    scope?: string;
+    error?: string;
+}
+interface ClientData {
+    client_id: string;
+    client_name: string;
+    redirect_uris: string[];
+    grant_types: string[];
+    response_types: string[];
+}
+interface AuthCodeData {
+    username: string;
+    client_id: string;
+    redirect_uri: string;
+    code_challenge?: string;
+    code_challenge_method?: string;
+    scope: string;
+    expiresAt: number;
+}
+export declare class OAuthManager {
+    private users;
+    private codes;
+    private clients;
+    private privateKey;
+    private publicKey;
+    private baseUrl;
+    constructor(baseUrl: string);
+    /**
+     * Pre-register well-known OAuth clients with fixed IDs
+     * This prevents issues when server restarts and clients still have cached IDs
+     */
+    private preRegisterWellKnownClients;
+    /**
+     * Create a JWT token with the given payload
+     */
+    createJWT(payload: JWTPayload): string;
+    /**
+     * Validate a JWT token
+     */
+    validateToken(token: string): TokenValidation;
+    /**
+     * Register a new OAuth client
+     */
+    registerClient(redirect_uris: string[], client_name?: string): ClientData;
+    /**
+     * Get a client by ID
+     */
+    getClient(clientId: string): ClientData | undefined;
+    /**
+     * List all registered client IDs (for debugging)
+     */
+    listClients(): string;
+    /**
+     * Validate user credentials
+     */
+    validateUser(username: string, password: string): boolean;
+    /**
+     * Create an authorization code
+     */
+    createAuthCode(data: Omit<AuthCodeData, 'expiresAt'>): string;
+    /**
+     * Validate and consume an authorization code
+     */
+    validateAuthCode(code: string, client_id: string, redirect_uri: string, code_verifier?: string): {
+        valid: boolean;
+        data?: AuthCodeData;
+        error?: string;
+    };
+}
+export {};

package/dist/oauth/oauth-manager.js ADDED Viewed

@@ -0,0 +1,179 @@
+import crypto from 'crypto';
+export class OAuthManager {
+    constructor(baseUrl) {
+        this.users = new Map([['admin', 'password123']]);
+        this.codes = new Map();
+        this.clients = new Map();
+        this.baseUrl = baseUrl;
+        // Generate RSA keys for JWT signing
+        const keys = crypto.generateKeyPairSync('rsa', {
+            modulusLength: 2048,
+            publicKeyEncoding: { type: 'spki', format: 'pem' },
+            privateKeyEncoding: { type: 'pkcs8', format: 'pem' }
+        });
+        this.privateKey = keys.privateKey;
+        this.publicKey = keys.publicKey;
+        console.log('🔐 OAuth Manager: JWT Keys generated');
+        // Pre-register well-known clients for common AI tools
+        // This survives server restarts as they use fixed IDs
+        this.preRegisterWellKnownClients();
+    }
+    /**
+     * Pre-register well-known OAuth clients with fixed IDs
+     * This prevents issues when server restarts and clients still have cached IDs
+     */
+    preRegisterWellKnownClients() {
+        // ChatGPT client
+        const chatgptClient = {
+            client_id: 'chatgpt-fixed-client-id',
+            client_name: 'ChatGPT',
+            redirect_uris: [
+                'https://chatgpt.com/connector_platform_oauth_redirect',
+                'https://chat.openai.com/connector_platform_oauth_redirect'
+            ],
+            grant_types: ['authorization_code'],
+            response_types: ['code']
+        };
+        this.clients.set(chatgptClient.client_id, chatgptClient);
+        console.log(`🔐 Pre-registered: ${chatgptClient.client_name} (${chatgptClient.client_id})`);
+        // Claude client
+        const claudeClient = {
+            client_id: 'claude-fixed-client-id',
+            client_name: 'Claude',
+            redirect_uris: [
+                'https://claude.ai/oauth/callback',
+                'http://localhost:3000/callback'
+            ],
+            grant_types: ['authorization_code'],
+            response_types: ['code']
+        };
+        this.clients.set(claudeClient.client_id, claudeClient);
+        console.log(`🔐 Pre-registered: ${claudeClient.client_name} (${claudeClient.client_id})`);
+    }
+    /**
+     * Create a JWT token with the given payload
+     */
+    createJWT(payload) {
+        const header = { alg: 'RS256', typ: 'JWT', kid: 'key-1' };
+        const now = Math.floor(Date.now() / 1000);
+        const claims = {
+            ...payload,
+            iat: now,
+            exp: now + 3600, // 1 hour expiration
+            iss: this.baseUrl,
+            aud: this.baseUrl
+        };
+        const encodedHeader = Buffer.from(JSON.stringify(header)).toString('base64url');
+        const encodedPayload = Buffer.from(JSON.stringify(claims)).toString('base64url');
+        const signature = crypto.sign('sha256', Buffer.from(`${encodedHeader}.${encodedPayload}`), this.privateKey);
+        return `${encodedHeader}.${encodedPayload}.${signature.toString('base64url')}`;
+    }
+    /**
+     * Validate a JWT token
+     */
+    validateToken(token) {
+        try {
+            const parts = token.split('.');
+            if (parts.length !== 3) {
+                return { valid: false, error: 'Invalid token format' };
+            }
+            const payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
+            // Check expiration
+            if (payload.exp < Math.floor(Date.now() / 1000)) {
+                return { valid: false, error: 'Token expired' };
+            }
+            // Verify signature
+            const signature = parts[2];
+            const data = `${parts[0]}.${parts[1]}`;
+            const valid = crypto.verify('sha256', Buffer.from(data), this.publicKey, Buffer.from(signature, 'base64url'));
+            if (!valid) {
+                return { valid: false, error: 'Invalid signature' };
+            }
+            return {
+                valid: true,
+                username: payload.sub,
+                client_id: payload.client_id,
+                scope: payload.scope
+            };
+        }
+        catch (err) {
+            return { valid: false, error: err instanceof Error ? err.message : 'Unknown error' };
+        }
+    }
+    /**
+     * Register a new OAuth client
+     */
+    registerClient(redirect_uris, client_name) {
+        const clientId = crypto.randomUUID();
+        const client = {
+            client_id: clientId,
+            client_name: client_name || 'MCP Client',
+            redirect_uris,
+            grant_types: ['authorization_code'],
+            response_types: ['code']
+        };
+        this.clients.set(clientId, client);
+        console.log(`🔐 OAuth Manager: Registered client ${clientId} (${client.client_name})`);
+        return client;
+    }
+    /**
+     * Get a client by ID
+     */
+    getClient(clientId) {
+        return this.clients.get(clientId);
+    }
+    /**
+     * List all registered client IDs (for debugging)
+     */
+    listClients() {
+        const ids = Array.from(this.clients.keys());
+        return ids.length > 0 ? ids.join(', ') : 'none';
+    }
+    /**
+     * Validate user credentials
+     */
+    validateUser(username, password) {
+        return this.users.get(username) === password;
+    }
+    /**
+     * Create an authorization code
+     */
+    createAuthCode(data) {
+        const code = crypto.randomBytes(32).toString('base64url');
+        this.codes.set(code, {
+            ...data,
+            expiresAt: Date.now() + 600000 // 10 minutes
+        });
+        console.log(`🔐 OAuth Manager: Created auth code for user ${data.username}`);
+        return code;
+    }
+    /**
+     * Validate and consume an authorization code
+     */
+    validateAuthCode(code, client_id, redirect_uri, code_verifier) {
+        const codeData = this.codes.get(code);
+        if (!codeData) {
+            return { valid: false, error: 'Invalid or expired code' };
+        }
+        if (codeData.expiresAt < Date.now()) {
+            this.codes.delete(code);
+            return { valid: false, error: 'Code expired' };
+        }
+        if (codeData.client_id !== client_id || codeData.redirect_uri !== redirect_uri) {
+            return { valid: false, error: 'Client ID or redirect URI mismatch' };
+        }
+        // PKCE verification
+        if (codeData.code_challenge) {
+            if (!code_verifier) {
+                return { valid: false, error: 'code_verifier required' };
+            }
+            const hash = crypto.createHash('sha256').update(code_verifier).digest('base64url');
+            if (hash !== codeData.code_challenge) {
+                return { valid: false, error: 'Invalid code_verifier' };
+            }
+        }
+        // Delete code after use (one-time use)
+        this.codes.delete(code);
+        return { valid: true, data: codeData };
+    }
+}

package/dist/oauth/oauth-routes.d.ts ADDED Viewed

@@ -0,0 +1,3 @@
+import { Router } from 'express';
+import { OAuthManager } from './oauth-manager.js';
+export declare function createOAuthRoutes(oauthManager: OAuthManager, baseUrl: string): Router;

package/dist/oauth/oauth-routes.js ADDED Viewed

@@ -0,0 +1,377 @@
+import { Router } from 'express';
+export function createOAuthRoutes(oauthManager, baseUrl) {
+    const router = Router();
+    // ==================== DISCOVERY ENDPOINTS ====================
+    /**
+     * OAuth Authorization Server Metadata
+     * https://tools.ietf.org/html/rfc8414
+     */
+    router.get('/.well-known/oauth-authorization-server', (req, res) => {
+        res.json({
+            issuer: baseUrl,
+            authorization_endpoint: `${baseUrl}/authorize`,
+            token_endpoint: `${baseUrl}/token`,
+            registration_endpoint: `${baseUrl}/register`,
+            response_types_supported: ['code'],
+            grant_types_supported: ['authorization_code'],
+            code_challenge_methods_supported: ['S256'],
+            token_endpoint_auth_methods_supported: ['none'],
+            scopes_supported: ['mcp:tools']
+        });
+    });
+    /**
+     * MCP-specific OAuth Authorization Server Metadata
+     * ChatGPT requires this endpoint with pre-registered client_id
+     */
+    router.get('/.well-known/oauth-authorization-server/mcp', (req, res) => {
+        res.json({
+            issuer: baseUrl,
+            authorization_endpoint: `${baseUrl}/authorize`,
+            token_endpoint: `${baseUrl}/token`,
+            registration_endpoint: `${baseUrl}/register`,
+            response_types_supported: ['code'],
+            grant_types_supported: ['authorization_code'],
+            code_challenge_methods_supported: ['S256'],
+            token_endpoint_auth_methods_supported: ['none'],
+            scopes_supported: ['mcp:tools'],
+            // MCP-specific: Pre-registered client for ChatGPT
+            mcp: {
+                client_id: 'chatgpt-fixed-client-id',
+                redirect_uri: `${baseUrl}/callback`
+            }
+        });
+    });
+    /**
+     * OAuth Protected Resource Metadata
+     * https://tools.ietf.org/html/rfc8707
+     */
+    router.get('/.well-known/oauth-protected-resource', (req, res) => {
+        res.json({
+            resource: baseUrl,
+            authorization_servers: [baseUrl],
+            scopes_supported: ['mcp:tools'],
+            bearer_methods_supported: ['header']
+        });
+    });
+    /**
+     * MCP-specific OAuth Protected Resource Metadata
+     * ChatGPT queries this variant
+     */
+    router.get('/.well-known/oauth-protected-resource/mcp', (req, res) => {
+        res.json({
+            resource: baseUrl,
+            authorization_servers: [baseUrl],
+            scopes_supported: ['mcp:tools'],
+            bearer_methods_supported: ['header']
+        });
+    });
+    // ==================== CLIENT REGISTRATION ====================
+    /**
+     * Dynamic Client Registration
+     * https://tools.ietf.org/html/rfc7591
+     */
+    router.post('/register', (req, res) => {
+        const { redirect_uris, client_name } = req.body;
+        console.log(`\n🔐 CLIENT REGISTRATION`);
+        console.log(`   Client Name: ${client_name || 'Unnamed'}`);
+        console.log(`   Redirect URIs:`, redirect_uris);
+        if (!redirect_uris || !Array.isArray(redirect_uris) || redirect_uris.length === 0) {
+            return res.status(400).json({
+                error: 'invalid_redirect_uri',
+                error_description: 'redirect_uris must be a non-empty array'
+            });
+        }
+        // Check if this looks like ChatGPT
+        const isChatGPT = redirect_uris.some(uri => uri.includes('chatgpt.com') || uri.includes('openai.com'));
+        // Check if this looks like Claude
+        const isClaude = redirect_uris.some(uri => uri.includes('claude.ai') || uri.includes('anthropic.com'));
+        let client;
+        if (isChatGPT) {
+            // Return pre-registered ChatGPT client
+            client = oauthManager.getClient('chatgpt-fixed-client-id');
+            console.log(`✅ Using pre-registered ChatGPT client`);
+            // Add any new redirect URIs they're using
+            redirect_uris.forEach(uri => {
+                if (!client.redirect_uris.includes(uri)) {
+                    client.redirect_uris.push(uri);
+                    console.log(`   📝 Added redirect_uri: ${uri}`);
+                }
+            });
+        }
+        else if (isClaude) {
+            // Return pre-registered Claude client
+            client = oauthManager.getClient('claude-fixed-client-id');
+            console.log(`✅ Using pre-registered Claude client`);
+            // Add any new redirect URIs they're using
+            redirect_uris.forEach(uri => {
+                if (!client.redirect_uris.includes(uri)) {
+                    client.redirect_uris.push(uri);
+                    console.log(`   📝 Added redirect_uri: ${uri}`);
+                }
+            });
+        }
+        else {
+            // Register new client for other tools
+            client = oauthManager.registerClient(redirect_uris, client_name);
+            console.log(`✅ Registered new client: ${client.client_id}`);
+        }
+        res.status(201).json({
+            client_id: client.client_id,
+            client_name: client.client_name,
+            redirect_uris: client.redirect_uris,
+            grant_types: client.grant_types,
+            response_types: client.response_types,
+            token_endpoint_auth_method: 'none'
+        });
+    });
+    // ==================== AUTHORIZATION ====================
+    /**
+     * Authorization Endpoint (GET) - Display login page
+     */
+    router.get('/authorize', (req, res) => {
+        const { client_id, redirect_uri, response_type, state, code_challenge, code_challenge_method, scope } = req.query;
+        console.log(`\n🔐 AUTHORIZATION REQUEST`);
+        console.log(`   Client ID: ${client_id}`);
+        console.log(`   Redirect URI: ${redirect_uri}`);
+        console.log(`   Response Type: ${response_type}`);
+        console.log(`   State: ${state}`);
+        console.log(`   Code Challenge: ${code_challenge ? 'present' : 'missing'}`);
+        console.log(`   Scope: ${scope}`);
+        // Validate client
+        const client = oauthManager.getClient(client_id);
+        if (!client) {
+            console.log(`❌ Client ${client_id} not found. Was /register called?`);
+            console.log(`   Registered clients: ${oauthManager.listClients()}`);
+            return res.status(400).send(`
+        <html>
+          <head><title>Error</title></head>
+          <body style="font-family: system-ui; max-width: 400px; margin: 50px auto; padding: 20px;">
+            <h2>❌ Invalid Client</h2>
+            <p>The client_id <code>${client_id}</code> is not recognized.</p>
+            <p><small>The client must register at <code>/register</code> first.</small></p>
+          </body>
+        </html>
+      `);
+        }
+        console.log(`✅ Client validated: ${client.client_name}`);
+        // Validate redirect_uri
+        if (!client.redirect_uris.includes(redirect_uri)) {
+            console.log(`❌ Invalid redirect_uri: ${redirect_uri}`);
+            console.log(`   Registered URIs:`, client.redirect_uris);
+            return res.status(400).send(`
+        <html>
+          <head><title>Error</title></head>
+          <body style="font-family: system-ui; max-width: 400px; margin: 50px auto; padding: 20px;">
+            <h2>❌ Invalid Redirect URI</h2>
+            <p>The redirect_uri <code>${redirect_uri}</code> is not registered for this client.</p>
+            <p><strong>Registered URIs for ${client.client_name}:</strong></p>
+            <ul>
+              ${client.redirect_uris.map(uri => `<li><code>${uri}</code></li>`).join('')}
+            </ul>
+          </body>
+        </html>
+      `);
+        }
+        // Display login page
+        res.send(`
+      <html>
+        <head>
+          <title>Desktop Commander - Login</title>
+          <style>
+            body {
+              font-family: system-ui, -apple-system, sans-serif;
+              max-width: 400px;
+              margin: 50px auto;
+              padding: 20px;
+              background: #f5f5f5;
+            }
+            .container {
+              background: white;
+              padding: 30px;
+              border-radius: 10px;
+              box-shadow: 0 2px 10px rgba(0,0,0,0.1);
+            }
+            h2 {
+              margin-top: 0;
+              color: #333;
+            }
+            .info {
+              background: #f0f0f0;
+              padding: 15px;
+              margin: 20px 0;
+              border-radius: 5px;
+              font-size: 14px;
+            }
+            input {
+              width: 100%;
+              padding: 12px;
+              margin: 10px 0;
+              box-sizing: border-box;
+              border: 1px solid #ddd;
+              border-radius: 5px;
+              font-size: 16px;
+            }
+            button {
+              width: 100%;
+              padding: 14px;
+              background: #0066cc;
+              color: white;
+              border: none;
+              border-radius: 5px;
+              cursor: pointer;
+              font-size: 16px;
+              font-weight: 600;
+            }
+            button:hover {
+              background: #0052a3;
+            }
+            .demo-creds {
+              text-align: center;
+              color: #666;
+              margin-top: 20px;
+              font-size: 14px;
+            }
+          </style>
+        </head>
+        <body>
+          <div class="container">
+            <h2>🔐 Login to Desktop Commander</h2>
+            <div class="info">
+              <strong>Client:</strong> ${client.client_name}
+            </div>
+            <form method="POST" action="/authorize">
+              <input type="hidden" name="client_id" value="${client_id}">
+              <input type="hidden" name="redirect_uri" value="${redirect_uri}">
+              <input type="hidden" name="response_type" value="${response_type}">
+              <input type="hidden" name="state" value="${state || ''}">
+              <input type="hidden" name="code_challenge" value="${code_challenge || ''}">
+              <input type="hidden" name="code_challenge_method" value="${code_challenge_method || ''}">
+              <input type="hidden" name="scope" value="${scope || 'mcp:tools'}">
+              <input type="text" name="username" placeholder="Username" required autofocus>
+              <input type="password" name="password" placeholder="Password" required>
+              <button type="submit">Login & Authorize</button>
+            </form>
+            <div class="demo-creds">
+              Demo credentials:<br>
+              <strong>admin</strong> / <strong>password123</strong>
+            </div>
+          </div>
+        </body>
+      </html>
+    `);
+    });
+    /**
+     * Authorization Endpoint (POST) - Process login
+     */
+    router.post('/authorize', (req, res) => {
+        const { username, password, client_id, redirect_uri, state, code_challenge, code_challenge_method, scope } = req.body;
+        console.log(`\n🔐 PROCESSING LOGIN`);
+        console.log(`   Username: ${username}`);
+        console.log(`   Client ID: ${client_id}`);
+        // Validate credentials
+        if (!oauthManager.validateUser(username, password)) {
+            return res.send(`
+        <html>
+          <head><title>Login Failed</title></head>
+          <body style="font-family: system-ui; max-width: 400px; margin: 50px auto; padding: 20px;">
+            <h2>❌ Invalid Credentials</h2>
+            <p>The username or password is incorrect.</p>
+            <a href="/authorize?client_id=${client_id}&redirect_uri=${encodeURIComponent(redirect_uri)}&response_type=code&state=${state || ''}&code_challenge=${code_challenge || ''}&code_challenge_method=${code_challenge_method || ''}&scope=${scope || 'mcp:tools'}">Try Again</a>
+          </body>
+        </html>
+      `);
+        }
+        // Create authorization code
+        const code = oauthManager.createAuthCode({
+            username,
+            client_id,
+            redirect_uri,
+            code_challenge,
+            code_challenge_method,
+            scope: scope || 'mcp:tools'
+        });
+        console.log(`✅ User ${username} authorized, redirecting...`);
+        // Redirect back to client with authorization code
+        const redirectUrl = new URL(redirect_uri);
+        redirectUrl.searchParams.set('code', code);
+        if (state) {
+            redirectUrl.searchParams.set('state', state);
+        }
+        res.redirect(redirectUrl.toString());
+    });
+    // ==================== TOKEN ENDPOINT ====================
+    /**
+     * Callback endpoint - for compatibility with MCP discovery
+     * This redirects to the client's actual redirect_uri with the code
+     */
+    router.get('/callback', (req, res) => {
+        const { code, state, error, error_description } = req.query;
+        console.log(`\n🔄 CALLBACK`);
+        console.log(`   Code: ${code ? 'present' : 'missing'}`);
+        console.log(`   State: ${state}`);
+        if (error) {
+            return res.send(`
+        <html>
+          <head><title>OAuth Error</title></head>
+          <body style="font-family: system-ui; max-width: 400px; margin: 50px auto; padding: 20px;">
+            <h2>❌ OAuth Error</h2>
+            <p><strong>Error:</strong> ${error}</p>
+            <p><strong>Description:</strong> ${error_description || 'No description provided'}</p>
+          </body>
+        </html>
+      `);
+        }
+        // This endpoint shouldn't really be called directly
+        // It's here for compatibility with the MCP discovery document
+        res.send(`
+      <html>
+        <head><title>OAuth Callback</title></head>
+        <body style="font-family: system-ui; max-width: 400px; margin: 50px auto; padding: 20px;">
+          <h2>✅ Authorization Successful</h2>
+          <p>You can close this window and return to the application.</p>
+        </body>
+      </html>
+    `);
+    });
+    /**
+     * Token Endpoint - Exchange authorization code for access token
+     */
+    router.post('/token', (req, res) => {
+        const { grant_type, code, redirect_uri, client_id, code_verifier } = req.body;
+        console.log(`\n🎫 TOKEN REQUEST`);
+        console.log(`   Grant Type: ${grant_type}`);
+        console.log(`   Client ID: ${client_id}`);
+        // Validate grant type
+        if (grant_type !== 'authorization_code') {
+            return res.status(400).json({
+                error: 'unsupported_grant_type',
+                error_description: 'Only authorization_code grant type is supported'
+            });
+        }
+        // Validate authorization code
+        const validation = oauthManager.validateAuthCode(code, client_id, redirect_uri, code_verifier);
+        if (!validation.valid) {
+            console.log(`❌ Token request failed: ${validation.error}`);
+            return res.status(400).json({
+                error: 'invalid_grant',
+                error_description: validation.error
+            });
+        }
+        // Create access token
+        const accessToken = oauthManager.createJWT({
+            sub: validation.data.username,
+            client_id: validation.data.client_id,
+            scope: validation.data.scope
+        });
+        console.log(`✅ Issued token for ${validation.data.username}`);
+        res.json({
+            access_token: accessToken,
+            token_type: 'Bearer',
+            expires_in: 3600,
+            scope: validation.data.scope
+        });
+    });
+    return router;
+}