@wootsup/mcp 0.1.0-rc.1

package/dist/auth/keychain.js

@@ -0,0 +1,262 @@
+// src/auth/keychain.ts — Phase 5.1.
+//
+// Two storage backends behind a single Keychain interface:
+//
+//   - SystemKeychain: thin wrapper around @napi-rs/keyring 1.3.x (`Entry`).
+//     Uses the OS keychain — macOS Keychain, Linux Secret Service / DBus,
+//     Windows DPAPI.
+//
+//   - EncryptedFileKeychain: AES-256-GCM encrypted JSON file at
+//     `<configDir>/keychain.enc.json`. Used as fallback when the OS keychain
+//     isn't accessible (locked-down macOS sessions, minimal Linux without
+//     DBus, etc.).
+//
+// `createKeychain()` tries SystemKeychain first and falls back to the file
+// impl on any throw. The encryption key is derived via PBKDF2 from a constant
+// in-binary phrase + a per-install salt (random 32 bytes) stored beside the
+// vault at `<configDir>/.salt`. This is NOT a strong defense against a local
+// attacker with filesystem access, but it (a) prevents accidental leakage
+// through casual file inspection, and (b) is no worse than the alternative
+// (raw plaintext) for environments that already failed the system-keychain
+// probe.
+import { randomBytes, pbkdf2Sync, createCipheriv, createDecipheriv, } from "node:crypto";
+import { mkdirSync, existsSync, readFileSync, writeFileSync, } from "node:fs";
+import { createRequire } from "node:module";
+import { join } from "node:path";
+// ── SystemKeychain ───────────────────────────────────────────────────────
+const SERVICE_NAME = "@wootsup/mcp";
+// Defer the import error to construction time; tests on environments without
+// the native binary (rare — package ships prebuilts for all major OSes) can
+// fall through to the file impl via `createKeychain()`.
+//
+// We dynamic-require here because the napi binding initialises native code on
+// load; deferring keeps unrelated tests fast and lets `createKeychain()` catch
+// failures.
+export class SystemKeychain {
+    service;
+    constructor(service = SERVICE_NAME) {
+        this.service = service;
+        // Touch the binding eagerly so ctor throws on broken envs — that's the
+        // signal `createKeychain()` uses to fall back.
+        //
+        // The binding's `new Entry(service, username)` does no I/O itself but
+        // requires the native lib to be loadable.
+        loadKeyringModule();
+    }
+    async set(ref, value) {
+        const keyring = loadKeyringModule();
+        const entry = new keyring.Entry(this.service, ref);
+        entry.setPassword(value);
+    }
+    async get(ref) {
+        const keyring = loadKeyringModule();
+        const entry = new keyring.Entry(this.service, ref);
+        try {
+            const v = entry.getPassword();
+            // The 1.3.x binding returns null when there's no entry. Other failure
+            // modes throw (e.g. Ambiguous on Linux with duplicate secrets).
+            return v ?? null;
+        }
+        catch (e) {
+            // Treat "no entry" as a normal miss; rethrow any other failure.
+            if (isNoEntryError(e))
+                return null;
+            throw e;
+        }
+    }
+    async delete(ref) {
+        const keyring = loadKeyringModule();
+        const entry = new keyring.Entry(this.service, ref);
+        try {
+            entry.deletePassword();
+        }
+        catch (e) {
+            // Idempotent: missing entry is fine.
+            if (isNoEntryError(e))
+                return;
+            throw e;
+        }
+    }
+}
+let _keyringMod;
+function loadKeyringModule() {
+    if (_keyringMod)
+        return _keyringMod;
+    // The napi binding ships CJS and we want a synchronous throw at
+    // SystemKeychain ctor time, so we use createRequire (statically
+    // imported above) to load the CJS bridge from an ESM module.
+    //
+    // 2026-05-18 fix: the previous implementation used `require("node:module")`
+    // inside this function — but `require` is not defined globally in ESM,
+    // which made the SystemKeychain path fail with "require is not defined"
+    // before it could even try the keyring binding. The customer-facing
+    // symptom was every fresh install falling back to the file keychain.
+    const req = createRequire(import.meta.url);
+    _keyringMod = req("@napi-rs/keyring");
+    return _keyringMod;
+}
+function isNoEntryError(e) {
+    if (!(e instanceof Error))
+        return false;
+    // The 1.3.x bindings surface NoEntry as an Error whose message contains
+    // "NoEntry" or "no entry" depending on platform. Be liberal.
+    return /no\s*entry/i.test(e.message);
+}
+// ── EncryptedFileKeychain ────────────────────────────────────────────────
+// AES-GCM parameters: 256-bit key, 96-bit IV (NIST-recommended), 128-bit tag.
+const KEY_LEN = 32;
+const IV_LEN = 12;
+const TAG_LEN = 16;
+const SALT_LEN = 32;
+const PBKDF2_ITERS = 200_000;
+const PBKDF2_DIGEST = "sha256";
+// Constant in-binary phrase mixed with the per-install salt. Not a secret in
+// the cryptographic sense (it's checked into the repo), but ensures the
+// derived key is unique to this product even if two unrelated tools share the
+// same salt file path by accident.
+const KDF_PHRASE = "apimapper-mcp/v1/keychain";
+export class EncryptedFileKeychain {
+    dir;
+    vaultPath;
+    saltPath;
+    cachedKey;
+    // In-memory mutex to serialise writes — vitest hits concurrent set() in the
+    // "concurrent writes" test and we don't want a torn JSON file.
+    writeChain = Promise.resolve();
+    constructor(configDir) {
+        this.dir = configDir;
+        this.vaultPath = join(configDir, "keychain.enc.json");
+        this.saltPath = join(configDir, ".salt");
+        if (!existsSync(this.dir)) {
+            mkdirSync(this.dir, { recursive: true });
+        }
+    }
+    deriveKey() {
+        if (this.cachedKey)
+            return this.cachedKey;
+        let salt;
+        if (existsSync(this.saltPath)) {
+            salt = readFileSync(this.saltPath);
+            if (salt.length !== SALT_LEN) {
+                // Corrupt salt — regenerate. Old entries become unreadable; that's
+                // an acceptable failure mode for a recovery flow.
+                salt = randomBytes(SALT_LEN);
+                writeFileSync(this.saltPath, salt, { mode: 0o600 });
+            }
+        }
+        else {
+            salt = randomBytes(SALT_LEN);
+            writeFileSync(this.saltPath, salt, { mode: 0o600 });
+        }
+        this.cachedKey = pbkdf2Sync(KDF_PHRASE, salt, PBKDF2_ITERS, KEY_LEN, PBKDF2_DIGEST);
+        return this.cachedKey;
+    }
+    readVault() {
+        if (!existsSync(this.vaultPath))
+            return {};
+        try {
+            const raw = readFileSync(this.vaultPath, "utf8");
+            if (!raw)
+                return {};
+            const parsed = JSON.parse(raw);
+            if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+                return {};
+            }
+            return parsed;
+        }
+        catch {
+            // Corrupt vault file: surface as empty rather than crashing — the
+            // surrounding flow can re-prompt for the token and overwrite.
+            return {};
+        }
+    }
+    writeVault(vault) {
+        writeFileSync(this.vaultPath, JSON.stringify(vault, null, 2), {
+            mode: 0o600,
+        });
+    }
+    encrypt(plaintext) {
+        const key = this.deriveKey();
+        const iv = randomBytes(IV_LEN);
+        const cipher = createCipheriv("aes-256-gcm", key, iv);
+        const ct = Buffer.concat([
+            cipher.update(plaintext, "utf8"),
+            cipher.final(),
+        ]);
+        const tag = cipher.getAuthTag();
+        return {
+            iv: iv.toString("base64"),
+            ciphertext: ct.toString("base64"),
+            tag: tag.toString("base64"),
+        };
+    }
+    decrypt(rec) {
+        try {
+            const key = this.deriveKey();
+            const iv = Buffer.from(rec.iv, "base64");
+            const ct = Buffer.from(rec.ciphertext, "base64");
+            const tag = Buffer.from(rec.tag, "base64");
+            if (iv.length !== IV_LEN || tag.length !== TAG_LEN)
+                return null;
+            const decipher = createDecipheriv("aes-256-gcm", key, iv);
+            decipher.setAuthTag(tag);
+            const pt = Buffer.concat([decipher.update(ct), decipher.final()]);
+            return pt.toString("utf8");
+        }
+        catch {
+            // Auth-tag mismatch or any other crypto error → return null so callers
+            // see "not found" rather than a hard error.
+            return null;
+        }
+    }
+    set(ref, value) {
+        // Serialise on the per-instance write chain to avoid torn JSON. Callers
+        // can still hit us concurrently — each set() waits for the prior one.
+        const next = this.writeChain.then(() => {
+            const vault = this.readVault();
+            vault[ref] = this.encrypt(value);
+            this.writeVault(vault);
+        });
+        this.writeChain = next.catch(() => undefined);
+        return next;
+    }
+    async get(ref) {
+        const vault = this.readVault();
+        const rec = vault[ref];
+        if (!rec)
+            return null;
+        return this.decrypt(rec);
+    }
+    delete(ref) {
+        const next = this.writeChain.then(() => {
+            const vault = this.readVault();
+            if (!(ref in vault))
+                return;
+            delete vault[ref];
+            this.writeVault(vault);
+        });
+        this.writeChain = next.catch(() => undefined);
+        return next;
+    }
+}
+export async function createKeychain(opts) {
+    const Ctor = opts.systemKeychainCtor ?? SystemKeychain;
+    try {
+        // Some envs throw on ctor; others throw on first read/write. We can only
+        // catch ctor failures synchronously here — read/write failures bubble up
+        // to the caller and are not auto-fallback (by design: silent fallback
+        // mid-session would mask data-loss).
+        const kc = new Ctor(opts.service ?? SERVICE_NAME);
+        return kc;
+    }
+    catch (e) {
+        if (!opts.silent) {
+            const msg = e instanceof Error ? e.message : String(e);
+            // eslint-disable-next-line no-console -- intentional one-shot stderr warning
+            console.warn(`[apimapper-mcp] System keychain unavailable (${msg}); ` +
+                `falling back to AES-GCM-encrypted file at ${opts.configDir}/keychain.enc.json`);
+        }
+        return new EncryptedFileKeychain(opts.configDir);
+    }
+}
+//# sourceMappingURL=keychain.js.map

package/dist/auth/keychain.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"keychain.js","sourceRoot":"","sources":["../../src/auth/keychain.ts"],"names":[],"mappings":"AAAA,oCAAoC;AACpC,EAAE;AACF,2DAA2D;AAC3D,EAAE;AACF,4EAA4E;AAC5E,0EAA0E;AAC1E,qBAAqB;AACrB,EAAE;AACF,gEAAgE;AAChE,6EAA6E;AAC7E,0EAA0E;AAC1E,mBAAmB;AACnB,EAAE;AACF,2EAA2E;AAC3E,8EAA8E;AAC9E,4EAA4E;AAC5E,6EAA6E;AAC7E,0EAA0E;AAC1E,2EAA2E;AAC3E,2EAA2E;AAC3E,SAAS;AAET,OAAO,EACL,WAAW,EACX,UAAU,EACV,cAAc,EACd,gBAAgB,GACjB,MAAM,aAAa,CAAC;AACrB,OAAO,EACL,SAAS,EACT,UAAU,EACV,YAAY,EACZ,aAAa,GACd,MAAM,SAAS,CAAC;AACjB,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAC5C,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAQjC,4EAA4E;AAE5E,MAAM,YAAY,GAAG,cAAc,CAAC;AAEpC,6EAA6E;AAC7E,4EAA4E;AAC5E,wDAAwD;AACxD,EAAE;AACF,8EAA8E;AAC9E,+EAA+E;AAC/E,YAAY;AAEZ,MAAM,OAAO,cAAc;IACR,OAAO,CAAS;IAEjC,YAAY,UAAkB,YAAY;QACxC,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;QACvB,uEAAuE;QACvE,+CAA+C;QAC/C,EAAE;QACF,sEAAsE;QACtE,0CAA0C;QAC1C,iBAAiB,EAAE,CAAC;IACtB,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,GAAW,EAAE,KAAa;QAClC,MAAM,OAAO,GAAG,iBAAiB,EAAE,CAAC;QACpC,MAAM,KAAK,GAAG,IAAI,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;QACnD,KAAK,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC;IAC3B,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,GAAW;QACnB,MAAM,OAAO,GAAG,iBAAiB,EAAE,CAAC;QACpC,MAAM,KAAK,GAAG,IAAI,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;QACnD,IAAI,CAAC;YACH,MAAM,CAAC,GAAG,KAAK,CAAC,WAAW,EAAE,CAAC;YAC9B,sEAAsE;YACtE,gEAAgE;YAChE,OAAO,CAAC,IAAI,IAAI,CAAC;QACnB,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,gEAAgE;YAChE,IAAI,cAAc,CAAC,CAAC,CAAC;gBAAE,OAAO,IAAI,CAAC;YACnC,MAAM,CAAC,CAAC;QACV,CAAC;IACH,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,GAAW;QACtB,MAAM,OAAO,GAAG,iBAAiB,EAAE,CAAC;QACpC,MAAM,KAAK,GAAG,IAAI,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;QACnD,IAAI,CAAC;YACH,KAAK,CAAC,cAAc,EAAE,CAAC;QACzB,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,qCAAqC;YACrC,IAAI,cAAc,CAAC,CAAC,CAAC;gBAAE,OAAO;YAC9B,MAAM,CAAC,CAAC;QACV,CAAC;IACH,CAAC;CACF;AAaD,IAAI,WAAsC,CAAC;AAE3C,SAAS,iBAAiB;IACxB,IAAI,WAAW;QAAE,OAAO,WAAW,CAAC;IACpC,gEAAgE;IAChE,gEAAgE;IAChE,6DAA6D;IAC7D,EAAE;IACF,4EAA4E;IAC5E,uEAAuE;IACvE,wEAAwE;IACxE,oEAAoE;IACpE,qEAAqE;IACrE,MAAM,GAAG,GAAG,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC3C,WAAW,GAAG,GAAG,CAAC,kBAAkB,CAAkB,CAAC;IACvD,OAAO,WAAW,CAAC;AACrB,CAAC;AAED,SAAS,cAAc,CAAC,CAAU;IAChC,IAAI,CAAC,CAAC,CAAC,YAAY,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IACxC,wEAAwE;IACxE,6DAA6D;IAC7D,OAAO,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;AACvC,CAAC;AAED,4EAA4E;AAE5E,8EAA8E;AAC9E,MAAM,OAAO,GAAG,EAAE,CAAC;AACnB,MAAM,MAAM,GAAG,EAAE,CAAC;AAClB,MAAM,OAAO,GAAG,EAAE,CAAC;AACnB,MAAM,QAAQ,GAAG,EAAE,CAAC;AACpB,MAAM,YAAY,GAAG,OAAO,CAAC;AAC7B,MAAM,aAAa,GAAG,QAAQ,CAAC;AAE/B,6EAA6E;AAC7E,wEAAwE;AACxE,8EAA8E;AAC9E,mCAAmC;AACnC,MAAM,UAAU,GAAG,2BAA2B,CAAC;AAY/C,MAAM,OAAO,qBAAqB;IACf,GAAG,CAAS;IACZ,SAAS,CAAS;IAClB,QAAQ,CAAS;IAC1B,SAAS,CAAU;IAC3B,4EAA4E;IAC5E,+DAA+D;IACvD,UAAU,GAAqB,OAAO,CAAC,OAAO,EAAE,CAAC;IAEzD,YAAY,SAAiB;QAC3B,IAAI,CAAC,GAAG,GAAG,SAAS,CAAC;QACrB,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,SAAS,EAAE,mBAAmB,CAAC,CAAC;QACtD,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;QACzC,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;YAC1B,SAAS,CAAC,IAAI,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAC3C,CAAC;IACH,CAAC;IAEO,SAAS;QACf,IAAI,IAAI,CAAC,SAAS;YAAE,OAAO,IAAI,CAAC,SAAS,CAAC;QAC1C,IAAI,IAAY,CAAC;QACjB,IAAI,UAAU,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC9B,IAAI,GAAG,YAAY,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YACnC,IAAI,IAAI,CAAC,MAAM,KAAK,QAAQ,EAAE,CAAC;gBAC7B,mEAAmE;gBACnE,kDAAkD;gBAClD,IAAI,GAAG,WAAW,CAAC,QAAQ,CAAC,CAAC;gBAC7B,aAAa,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;YACtD,CAAC;QACH,CAAC;aAAM,CAAC;YACN,IAAI,GAAG,WAAW,CAAC,QAAQ,CAAC,CAAC;YAC7B,aAAa,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QACtD,CAAC;QACD,IAAI,CAAC,SAAS,GAAG,UAAU,CACzB,UAAU,EACV,IAAI,EACJ,YAAY,EACZ,OAAO,EACP,aAAa,CACd,CAAC;QACF,OAAO,IAAI,CAAC,SAAS,CAAC;IACxB,CAAC;IAEO,SAAS;QACf,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,SAAS,CAAC;YAAE,OAAO,EAAE,CAAC;QAC3C,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,YAAY,CAAC,IAAI,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;YACjD,IAAI,CAAC,GAAG;gBAAE,OAAO,EAAE,CAAC;YACpB,MAAM,MAAM,GAAY,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YACxC,IAAI,CAAC,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;gBACnE,OAAO,EAAE,CAAC;YACZ,CAAC;YACD,OAAO,MAAoB,CAAC;QAC9B,CAAC;QAAC,MAAM,CAAC;YACP,kEAAkE;YAClE,8DAA8D;YAC9D,OAAO,EAAE,CAAC;QACZ,CAAC;IACH,CAAC;IAEO,UAAU,CAAC,KAAiB;QAClC,aAAa,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE;YAC5D,IAAI,EAAE,KAAK;SACZ,CAAC,CAAC;IACL,CAAC;IAEO,OAAO,CAAC,SAAiB;QAC/B,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,EAAE,CAAC;QAC7B,MAAM,EAAE,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC;QAC/B,MAAM,MAAM,GAAG,cAAc,CAAC,aAAa,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;QACtD,MAAM,EAAE,GAAG,MAAM,CAAC,MAAM,CAAC;YACvB,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC;YAChC,MAAM,CAAC,KAAK,EAAE;SACf,CAAC,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;QAChC,OAAO;YACL,EAAE,EAAE,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC;YACzB,UAAU,EAAE,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC;YACjC,GAAG,EAAE,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC;SAC5B,CAAC;IACJ,CAAC;IAEO,OAAO,CAAC,GAAoB;QAClC,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,EAAE,CAAC;YAC7B,MAAM,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC;YACzC,MAAM,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC;YACjD,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;YAC3C,IAAI,EAAE,CAAC,MAAM,KAAK,MAAM,IAAI,GAAG,CAAC,MAAM,KAAK,OAAO;gBAAE,OAAO,IAAI,CAAC;YAChE,MAAM,QAAQ,GAAG,gBAAgB,CAAC,aAAa,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;YAC1D,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;YACzB,MAAM,EAAE,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;YAClE,OAAO,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QAC7B,CAAC;QAAC,MAAM,CAAC;YACP,uEAAuE;YACvE,4CAA4C;YAC5C,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,GAAG,CAAC,GAAW,EAAE,KAAa;QAC5B,wEAAwE;QACxE,sEAAsE;QACtE,MAAM,IAAI,GAAG,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,EAAE;YACrC,MAAM,KAAK,GAAG,IAAI,CAAC,SAAS,EAAE,CAAC;YAC/B,KAAK,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;YACjC,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;QACzB,CAAC,CAAC,CAAC;QACH,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,CAAC;QAC9C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,GAAW;QACnB,MAAM,KAAK,GAAG,IAAI,CAAC,SAAS,EAAE,CAAC;QAC/B,MAAM,GAAG,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC;QACvB,IAAI,CAAC,GAAG;YAAE,OAAO,IAAI,CAAC;QACtB,OAAO,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAC3B,CAAC;IAED,MAAM,CAAC,GAAW;QAChB,MAAM,IAAI,GAAG,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,EAAE;YACrC,MAAM,KAAK,GAAG,IAAI,CAAC,SAAS,EAAE,CAAC;YAC/B,IAAI,CAAC,CAAC,GAAG,IAAI,KAAK,CAAC;gBAAE,OAAO;YAC5B,OAAO,KAAK,CAAC,GAAG,CAAC,CAAC;YAClB,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;QACzB,CAAC,CAAC,CAAC;QACH,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,CAAC;QAC9C,OAAO,IAAI,CAAC;IACd,CAAC;CACF;AAuBD,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,IAA2B;IAE3B,MAAM,IAAI,GAAG,IAAI,CAAC,kBAAkB,IAAI,cAAc,CAAC;IACvD,IAAI,CAAC;QACH,yEAAyE;QACzE,yEAAyE;QACzE,sEAAsE;QACtE,qCAAqC;QACrC,MAAM,EAAE,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,OAAO,IAAI,YAAY,CAAC,CAAC;QAClD,OAAO,EAAE,CAAC;IACZ,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;YACjB,MAAM,GAAG,GAAG,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;YACvD,6EAA6E;YAC7E,OAAO,CAAC,IAAI,CACV,gDAAgD,GAAG,KAAK;gBACtD,6CAA6C,IAAI,CAAC,SAAS,oBAAoB,CAClF,CAAC;QACJ,CAAC;QACD,OAAO,IAAI,qBAAqB,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IACnD,CAAC;AACH,CAAC"}

package/dist/auth/oauth-provider.d.ts

@@ -0,0 +1,68 @@
+export interface OAuthClientRegistration {
+    client_id: string;
+    client_id_issued_at: number;
+    redirect_uris: string[];
+    client_name?: string;
+    token_endpoint_auth_method: "none";
+    grant_types: ["authorization_code", "refresh_token"];
+    response_types: ["code"];
+}
+export interface IssueCodeArgs {
+    client_id: string;
+    redirect_uri: string;
+    code_challenge: string;
+    code_challenge_method: "S256" | "plain";
+    scope: string;
+    state?: string;
+}
+export interface ExchangeCodeArgs {
+    client_id: string;
+    code: string;
+    redirect_uri: string;
+    code_verifier: string;
+}
+export interface RefreshArgs {
+    client_id: string;
+    refresh_token: string;
+}
+export interface TokenResponse {
+    access_token: string;
+    token_type: "Bearer";
+    expires_in: number;
+    refresh_token: string;
+    scope: string;
+}
+export interface AccessTokenInfo {
+    client_id: string;
+    scope: string;
+    expires_at: number;
+}
+export interface OAuthProviderOptions {
+    /** Clock function returning unix seconds. Default: Date.now()/1000. */
+    now?: () => number;
+    /** Authorization code TTL (default 600s = 10 min). */
+    codeTtlSeconds?: number;
+    /** Access token TTL (default 86400s = 24 h). */
+    tokenTtlSeconds?: number;
+    /** Refresh token TTL (default 604800s = 7 d). */
+    refreshTtlSeconds?: number;
+}
+export interface OAuthProvider {
+    registerClient(args: {
+        redirect_uris: string[];
+        client_name?: string;
+    }): OAuthClientRegistration;
+    getClient(client_id: string): OAuthClientRegistration | null;
+    issueCode(args: IssueCodeArgs): string;
+    exchangeCode(args: ExchangeCodeArgs): TokenResponse;
+    refreshToken(args: RefreshArgs): TokenResponse;
+    verifyAccessToken(token: string): AccessTokenInfo | null;
+    sweep(): number;
+    stats(): {
+        clients: number;
+        codes: number;
+        tokens: number;
+        refreshes: number;
+    };
+}
+export declare function createOAuthProvider(options?: OAuthProviderOptions): OAuthProvider;

package/dist/auth/oauth-provider.js

@@ -0,0 +1,232 @@
+// src/auth/oauth-provider.ts — Phase 9.2.
+//
+// Minimal in-memory OAuth 2.0 Authorization-Code + PKCE + Dynamic Client
+// Registration (DCR) provider for the remote HTTP MCP transport.
+//
+// References:
+// - RFC 6749 (OAuth 2.0)
+// - RFC 7636 (PKCE)
+// - RFC 7591 (Dynamic Client Registration)
+// - workers-oauth-provider (Cloudflare reference, in-memory variant)
+//
+// Storage backend is process-local Maps with TTL-based expiry — the
+// hosted production service (mcp.wootsup.com) is expected to swap in a
+// persistent backend, but for unit/integration tests + the local DXT
+// bundle, in-memory is sufficient.
+//
+// Security notes:
+// - Tokens are 32 random bytes hex-encoded (no JWT — keeps the surface
+//   tiny and prevents misuse of unverified payloads).
+// - Authorization codes are 32 random bytes hex; single-use; bound to
+//   client_id + redirect_uri + code_challenge.
+// - PKCE S256 is REQUIRED; "plain" is rejected.
+// - On refresh, the old refresh token is invalidated (rotation).
+import { randomBytes, createHash, timingSafeEqual } from "node:crypto";
+// ── Helpers ────────────────────────────────────────────────────────────
+function randomId(prefix) {
+    return `${prefix}${randomBytes(12).toString("hex")}`;
+}
+function randomOpaque() {
+    return randomBytes(32).toString("hex");
+}
+/** Constant-time compare to thwart timing oracles on token / verifier lookups. */
+function safeEquals(a, b) {
+    const ba = Buffer.from(a);
+    const bb = Buffer.from(b);
+    if (ba.length !== bb.length)
+        return false;
+    return timingSafeEqual(ba, bb);
+}
+function s256(input) {
+    return createHash("sha256").update(input).digest("base64url");
+}
+// ── Factory ────────────────────────────────────────────────────────────
+export function createOAuthProvider(options = {}) {
+    const now = options.now ?? (() => Math.floor(Date.now() / 1000));
+    const codeTtl = options.codeTtlSeconds ?? 600;
+    const tokenTtl = options.tokenTtlSeconds ?? 86_400;
+    const refreshTtl = options.refreshTtlSeconds ?? 7 * 86_400;
+    const clients = new Map();
+    const codes = new Map();
+    const tokens = new Map();
+    const refreshes = new Map();
+    function registerClient(args) {
+        if (!Array.isArray(args.redirect_uris) || args.redirect_uris.length === 0) {
+            throw new Error("invalid_redirect_uri: at least one redirect_uri required");
+        }
+        for (const uri of args.redirect_uris) {
+            if (typeof uri !== "string" || uri.length === 0) {
+                throw new Error("invalid_redirect_uri");
+            }
+        }
+        const reg = {
+            client_id: randomId("cli_"),
+            client_id_issued_at: now(),
+            redirect_uris: [...args.redirect_uris],
+            client_name: args.client_name,
+            token_endpoint_auth_method: "none", // public client (mobile/native/AI)
+            grant_types: ["authorization_code", "refresh_token"],
+            response_types: ["code"],
+        };
+        clients.set(reg.client_id, reg);
+        return reg;
+    }
+    function getClient(client_id) {
+        return clients.get(client_id) ?? null;
+    }
+    function issueCode(args) {
+        const client = clients.get(args.client_id);
+        if (!client)
+            throw new Error("unknown_client");
+        if (!client.redirect_uris.includes(args.redirect_uri)) {
+            throw new Error("invalid_redirect_uri");
+        }
+        if (!args.code_challenge || typeof args.code_challenge !== "string") {
+            throw new Error("invalid_request: code_challenge required");
+        }
+        if (args.code_challenge_method !== "S256") {
+            // Reject "plain" — S256 is mandatory for safety.
+            throw new Error("invalid_request: code_challenge_method must be S256");
+        }
+        const code = randomId("code_");
+        codes.set(code, {
+            client_id: args.client_id,
+            redirect_uri: args.redirect_uri,
+            code_challenge: args.code_challenge,
+            code_challenge_method: args.code_challenge_method,
+            scope: args.scope,
+            expires_at: now() + codeTtl,
+            used: false,
+        });
+        return code;
+    }
+    function exchangeCode(args) {
+        const rec = codes.get(args.code);
+        if (!rec)
+            throw new Error("invalid_grant: code not found");
+        if (rec.used)
+            throw new Error("invalid_grant: code already used");
+        if (rec.expires_at < now())
+            throw new Error("invalid_grant: code expired");
+        if (rec.client_id !== args.client_id) {
+            throw new Error("invalid_grant: client_id mismatch");
+        }
+        if (rec.redirect_uri !== args.redirect_uri) {
+            throw new Error("invalid_grant: redirect_uri mismatch");
+        }
+        const challengeFromVerifier = s256(args.code_verifier);
+        if (!safeEquals(challengeFromVerifier, rec.code_challenge)) {
+            throw new Error("invalid_grant: code_verifier mismatch");
+        }
+        rec.used = true;
+        const accessToken = randomOpaque();
+        const refreshToken = randomOpaque();
+        tokens.set(accessToken, {
+            client_id: rec.client_id,
+            scope: rec.scope,
+            expires_at: now() + tokenTtl,
+        });
+        refreshes.set(refreshToken, {
+            client_id: rec.client_id,
+            scope: rec.scope,
+            expires_at: now() + refreshTtl,
+            revoked: false,
+        });
+        return {
+            access_token: accessToken,
+            refresh_token: refreshToken,
+            token_type: "Bearer",
+            expires_in: tokenTtl,
+            scope: rec.scope,
+        };
+    }
+    function refreshToken(args) {
+        const rec = refreshes.get(args.refresh_token);
+        if (!rec)
+            throw new Error("invalid_grant: refresh_token not found");
+        if (rec.revoked)
+            throw new Error("invalid_grant: refresh_token revoked");
+        if (rec.expires_at < now()) {
+            throw new Error("invalid_grant: refresh_token expired");
+        }
+        if (rec.client_id !== args.client_id) {
+            throw new Error("invalid_grant: client_id mismatch");
+        }
+        // Rotate: revoke the old refresh token, mint a new pair.
+        rec.revoked = true;
+        const accessToken = randomOpaque();
+        const newRefresh = randomOpaque();
+        tokens.set(accessToken, {
+            client_id: rec.client_id,
+            scope: rec.scope,
+            expires_at: now() + tokenTtl,
+        });
+        refreshes.set(newRefresh, {
+            client_id: rec.client_id,
+            scope: rec.scope,
+            expires_at: now() + refreshTtl,
+            revoked: false,
+        });
+        return {
+            access_token: accessToken,
+            refresh_token: newRefresh,
+            token_type: "Bearer",
+            expires_in: tokenTtl,
+            scope: rec.scope,
+        };
+    }
+    function verifyAccessToken(token) {
+        const rec = tokens.get(token);
+        if (!rec)
+            return null;
+        if (rec.expires_at < now())
+            return null;
+        return {
+            client_id: rec.client_id,
+            scope: rec.scope,
+            expires_at: rec.expires_at,
+        };
+    }
+    function sweep() {
+        const t = now();
+        let evicted = 0;
+        for (const [k, v] of codes) {
+            if (v.expires_at < t || v.used) {
+                codes.delete(k);
+                evicted++;
+            }
+        }
+        for (const [k, v] of tokens) {
+            if (v.expires_at < t) {
+                tokens.delete(k);
+                evicted++;
+            }
+        }
+        for (const [k, v] of refreshes) {
+            if (v.expires_at < t || v.revoked) {
+                refreshes.delete(k);
+                evicted++;
+            }
+        }
+        return evicted;
+    }
+    function stats() {
+        return {
+            clients: clients.size,
+            codes: codes.size,
+            tokens: tokens.size,
+            refreshes: refreshes.size,
+        };
+    }
+    return {
+        registerClient,
+        getClient,
+        issueCode,
+        exchangeCode,
+        refreshToken,
+        verifyAccessToken,
+        sweep,
+        stats,
+    };
+}
+//# sourceMappingURL=oauth-provider.js.map

package/dist/auth/oauth-provider.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-provider.js","sourceRoot":"","sources":["../../src/auth/oauth-provider.ts"],"names":[],"mappings":"AAAA,0CAA0C;AAC1C,EAAE;AACF,yEAAyE;AACzE,iEAAiE;AACjE,EAAE;AACF,cAAc;AACd,yBAAyB;AACzB,oBAAoB;AACpB,2CAA2C;AAC3C,qEAAqE;AACrE,EAAE;AACF,oEAAoE;AACpE,uEAAuE;AACvE,qEAAqE;AACrE,mCAAmC;AACnC,EAAE;AACF,kBAAkB;AAClB,uEAAuE;AACvE,sDAAsD;AACtD,sEAAsE;AACtE,+CAA+C;AAC/C,gDAAgD;AAChD,iEAAiE;AAEjE,OAAO,EAAE,WAAW,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAmGvE,0EAA0E;AAE1E,SAAS,QAAQ,CAAC,MAAc;IAC9B,OAAO,GAAG,MAAM,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;AACvD,CAAC;AAED,SAAS,YAAY;IACnB,OAAO,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;AACzC,CAAC;AAED,kFAAkF;AAClF,SAAS,UAAU,CAAC,CAAS,EAAE,CAAS;IACtC,MAAM,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAC1B,MAAM,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAC1B,IAAI,EAAE,CAAC,MAAM,KAAK,EAAE,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IAC1C,OAAO,eAAe,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;AACjC,CAAC;AAED,SAAS,IAAI,CAAC,KAAa;IACzB,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;AAChE,CAAC;AAED,0EAA0E;AAE1E,MAAM,UAAU,mBAAmB,CACjC,UAAgC,EAAE;IAElC,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,CAAC;IACjE,MAAM,OAAO,GAAG,OAAO,CAAC,cAAc,IAAI,GAAG,CAAC;IAC9C,MAAM,QAAQ,GAAG,OAAO,CAAC,eAAe,IAAI,MAAM,CAAC;IACnD,MAAM,UAAU,GAAG,OAAO,CAAC,iBAAiB,IAAI,CAAC,GAAG,MAAM,CAAC;IAE3D,MAAM,OAAO,GAAG,IAAI,GAAG,EAAmC,CAAC;IAC3D,MAAM,KAAK,GAAG,IAAI,GAAG,EAAsB,CAAC;IAC5C,MAAM,MAAM,GAAG,IAAI,GAAG,EAAuB,CAAC;IAC9C,MAAM,SAAS,GAAG,IAAI,GAAG,EAAyB,CAAC;IAEnD,SAAS,cAAc,CAAC,IAGvB;QACC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,aAAa,CAAC,IAAI,IAAI,CAAC,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC1E,MAAM,IAAI,KAAK,CAAC,0DAA0D,CAAC,CAAC;QAC9E,CAAC;QACD,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;YACrC,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAChD,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;YAC1C,CAAC;QACH,CAAC;QACD,MAAM,GAAG,GAA4B;YACnC,SAAS,EAAE,QAAQ,CAAC,MAAM,CAAC;YAC3B,mBAAmB,EAAE,GAAG,EAAE;YAC1B,aAAa,EAAE,CAAC,GAAG,IAAI,CAAC,aAAa,CAAC;YACtC,WAAW,EAAE,IAAI,CAAC,WAAW;YAC7B,0BAA0B,EAAE,MAAM,EAAE,mCAAmC;YACvE,WAAW,EAAE,CAAC,oBAAoB,EAAE,eAAe,CAAC;YACpD,cAAc,EAAE,CAAC,MAAM,CAAC;SACzB,CAAC;QACF,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;QAChC,OAAO,GAAG,CAAC;IACb,CAAC;IAED,SAAS,SAAS,CAAC,SAAiB;QAClC,OAAO,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,IAAI,IAAI,CAAC;IACxC,CAAC;IAED,SAAS,SAAS,CAAC,IAAmB;QACpC,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QAC3C,IAAI,CAAC,MAAM;YAAE,MAAM,IAAI,KAAK,CAAC,gBAAgB,CAAC,CAAC;QAC/C,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,QAAQ,CAAC,IAAI,CAAC,YAAY,CAAC,EAAE,CAAC;YACtD,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;QAC1C,CAAC;QACD,IAAI,CAAC,IAAI,CAAC,cAAc,IAAI,OAAO,IAAI,CAAC,cAAc,KAAK,QAAQ,EAAE,CAAC;YACpE,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;QAC9D,CAAC;QACD,IAAI,IAAI,CAAC,qBAAqB,KAAK,MAAM,EAAE,CAAC;YAC1C,iDAAiD;YACjD,MAAM,IAAI,KAAK,CAAC,qDAAqD,CAAC,CAAC;QACzE,CAAC;QACD,MAAM,IAAI,GAAG,QAAQ,CAAC,OAAO,CAAC,CAAC;QAC/B,KAAK,CAAC,GAAG,CAAC,IAAI,EAAE;YACd,SAAS,EAAE,IAAI,CAAC,SAAS;YACzB,YAAY,EAAE,IAAI,CAAC,YAAY;YAC/B,cAAc,EAAE,IAAI,CAAC,cAAc;YACnC,qBAAqB,EAAE,IAAI,CAAC,qBAAqB;YACjD,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,UAAU,EAAE,GAAG,EAAE,GAAG,OAAO;YAC3B,IAAI,EAAE,KAAK;SACZ,CAAC,CAAC;QACH,OAAO,IAAI,CAAC;IACd,CAAC;IAED,SAAS,YAAY,CAAC,IAAsB;QAC1C,MAAM,GAAG,GAAG,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACjC,IAAI,CAAC,GAAG;YAAE,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC;QAC3D,IAAI,GAAG,CAAC,IAAI;YAAE,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC;QAClE,IAAI,GAAG,CAAC,UAAU,GAAG,GAAG,EAAE;YAAE,MAAM,IAAI,KAAK,CAAC,6BAA6B,CAAC,CAAC;QAC3E,IAAI,GAAG,CAAC,SAAS,KAAK,IAAI,CAAC,SAAS,EAAE,CAAC;YACrC,MAAM,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAC;QACvD,CAAC;QACD,IAAI,GAAG,CAAC,YAAY,KAAK,IAAI,CAAC,YAAY,EAAE,CAAC;YAC3C,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;QAC1D,CAAC;QACD,MAAM,qBAAqB,GAAG,IAAI,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;QACvD,IAAI,CAAC,UAAU,CAAC,qBAAqB,EAAE,GAAG,CAAC,cAAc,CAAC,EAAE,CAAC;YAC3D,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;QAC3D,CAAC;QACD,GAAG,CAAC,IAAI,GAAG,IAAI,CAAC;QAEhB,MAAM,WAAW,GAAG,YAAY,EAAE,CAAC;QACnC,MAAM,YAAY,GAAG,YAAY,EAAE,CAAC;QACpC,MAAM,CAAC,GAAG,CAAC,WAAW,EAAE;YACtB,SAAS,EAAE,GAAG,CAAC,SAAS;YACxB,KAAK,EAAE,GAAG,CAAC,KAAK;YAChB,UAAU,EAAE,GAAG,EAAE,GAAG,QAAQ;SAC7B,CAAC,CAAC;QACH,SAAS,CAAC,GAAG,CAAC,YAAY,EAAE;YAC1B,SAAS,EAAE,GAAG,CAAC,SAAS;YACxB,KAAK,EAAE,GAAG,CAAC,KAAK;YAChB,UAAU,EAAE,GAAG,EAAE,GAAG,UAAU;YAC9B,OAAO,EAAE,KAAK;SACf,CAAC,CAAC;QAEH,OAAO;YACL,YAAY,EAAE,WAAW;YACzB,aAAa,EAAE,YAAY;YAC3B,UAAU,EAAE,QAAQ;YACpB,UAAU,EAAE,QAAQ;YACpB,KAAK,EAAE,GAAG,CAAC,KAAK;SACjB,CAAC;IACJ,CAAC;IAED,SAAS,YAAY,CAAC,IAAiB;QACrC,MAAM,GAAG,GAAG,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;QAC9C,IAAI,CAAC,GAAG;YAAE,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAC;QACpE,IAAI,GAAG,CAAC,OAAO;YAAE,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;QACzE,IAAI,GAAG,CAAC,UAAU,GAAG,GAAG,EAAE,EAAE,CAAC;YAC3B,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;QAC1D,CAAC;QACD,IAAI,GAAG,CAAC,SAAS,KAAK,IAAI,CAAC,SAAS,EAAE,CAAC;YACrC,MAAM,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAC;QACvD,CAAC;QACD,yDAAyD;QACzD,GAAG,CAAC,OAAO,GAAG,IAAI,CAAC;QAEnB,MAAM,WAAW,GAAG,YAAY,EAAE,CAAC;QACnC,MAAM,UAAU,GAAG,YAAY,EAAE,CAAC;QAClC,MAAM,CAAC,GAAG,CAAC,WAAW,EAAE;YACtB,SAAS,EAAE,GAAG,CAAC,SAAS;YACxB,KAAK,EAAE,GAAG,CAAC,KAAK;YAChB,UAAU,EAAE,GAAG,EAAE,GAAG,QAAQ;SAC7B,CAAC,CAAC;QACH,SAAS,CAAC,GAAG,CAAC,UAAU,EAAE;YACxB,SAAS,EAAE,GAAG,CAAC,SAAS;YACxB,KAAK,EAAE,GAAG,CAAC,KAAK;YAChB,UAAU,EAAE,GAAG,EAAE,GAAG,UAAU;YAC9B,OAAO,EAAE,KAAK;SACf,CAAC,CAAC;QACH,OAAO;YACL,YAAY,EAAE,WAAW;YACzB,aAAa,EAAE,UAAU;YACzB,UAAU,EAAE,QAAQ;YACpB,UAAU,EAAE,QAAQ;YACpB,KAAK,EAAE,GAAG,CAAC,KAAK;SACjB,CAAC;IACJ,CAAC;IAED,SAAS,iBAAiB,CAAC,KAAa;QACtC,MAAM,GAAG,GAAG,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QAC9B,IAAI,CAAC,GAAG;YAAE,OAAO,IAAI,CAAC;QACtB,IAAI,GAAG,CAAC,UAAU,GAAG,GAAG,EAAE;YAAE,OAAO,IAAI,CAAC;QACxC,OAAO;YACL,SAAS,EAAE,GAAG,CAAC,SAAS;YACxB,KAAK,EAAE,GAAG,CAAC,KAAK;YAChB,UAAU,EAAE,GAAG,CAAC,UAAU;SAC3B,CAAC;IACJ,CAAC;IAED,SAAS,KAAK;QACZ,MAAM,CAAC,GAAG,GAAG,EAAE,CAAC;QAChB,IAAI,OAAO,GAAG,CAAC,CAAC;QAChB,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,KAAK,EAAE,CAAC;YAC3B,IAAI,CAAC,CAAC,UAAU,GAAG,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC;gBAC/B,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;gBAChB,OAAO,EAAE,CAAC;YACZ,CAAC;QACH,CAAC;QACD,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,EAAE,CAAC;YAC5B,IAAI,CAAC,CAAC,UAAU,GAAG,CAAC,EAAE,CAAC;gBACrB,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;gBACjB,OAAO,EAAE,CAAC;YACZ,CAAC;QACH,CAAC;QACD,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,SAAS,EAAE,CAAC;YAC/B,IAAI,CAAC,CAAC,UAAU,GAAG,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,CAAC;gBAClC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;gBACpB,OAAO,EAAE,CAAC;YACZ,CAAC;QACH,CAAC;QACD,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,SAAS,KAAK;QACZ,OAAO;YACL,OAAO,EAAE,OAAO,CAAC,IAAI;YACrB,KAAK,EAAE,KAAK,CAAC,IAAI;YACjB,MAAM,EAAE,MAAM,CAAC,IAAI;YACnB,SAAS,EAAE,SAAS,CAAC,IAAI;SAC1B,CAAC;IACJ,CAAC;IAED,OAAO;QACL,cAAc;QACd,SAAS;QACT,SAAS;QACT,YAAY;QACZ,YAAY;QACZ,iBAAiB;QACjB,KAAK;QACL,KAAK;KACN,CAAC;AACJ,CAAC"}

package/dist/auth/profiles.d.ts

@@ -0,0 +1,52 @@
+export type ProfilePlatform = "wordpress" | "joomla" | "standalone";
+export interface LastVerifiedIdentity {
+    plugin_version: string;
+    plugin_hash: string;
+    capabilities: string[];
+}
+export interface Profile {
+    /** Unique short name (e.g. "dev-wp", "client-x-prod"). */
+    name: string;
+    /** Base URL of the host. WordPress = wp-root, Joomla = site-root. */
+    siteUrl: string;
+    /** Platform kind — drives URL construction in the Platform abstraction. */
+    platform: ProfilePlatform;
+    /** Ref into the Keychain pointing at the raw amk_live_... token. */
+    keychainRef: string;
+    /**
+     * Snapshot of the last successful /identity probe — used to detect plugin
+     * drift on `apimapper_use_profile`. Optional because freshly added
+     * profiles haven't been probed yet.
+     */
+    lastVerifiedIdentity?: LastVerifiedIdentity;
+    /** ISO 8601 timestamp of when the profile was first added. */
+    addedAt: string;
+}
+/**
+ * Resolve the canonical config directory for apimapper-mcp:
+ *
+ *   - macOS/Linux: $XDG_CONFIG_HOME/apimapper-mcp/ if set, else
+ *                  $HOME/.config/apimapper-mcp/
+ *   - Windows:     %APPDATA%/apimapper-mcp/
+ *
+ * Falls back to $HOME/.apimapper-mcp/ if none of the env vars are set
+ * (degenerate environment — better than failing).
+ */
+export declare function resolveConfigDir(): string;
+export declare class ProfileStore {
+    private readonly dir;
+    private readonly profilesPath;
+    private readonly activePath;
+    constructor(configDir?: string);
+    private readAll;
+    private writeAll;
+    private readActiveName;
+    private writeActiveName;
+    list(): Promise<Profile[]>;
+    get(name: string): Promise<Profile | null>;
+    add(profile: Profile): Promise<void>;
+    remove(name: string): Promise<boolean>;
+    update(name: string, partial: Partial<Profile>): Promise<void>;
+    setActive(name: string): Promise<void>;
+    getActive(): Promise<Profile | null>;
+}