@wootsup/mcp 0.1.0 → 0.3.0

package/skills/apimapper/reference/jmespath-pitfalls.md

@@ -0,0 +1,108 @@
+# JMESPath Pitfalls
+
+The nine traps that bite every Transform JMESPath expression in API Mapper, plus the date-primitive functions added in 2.0.8 that finally make weekday-name ↔ ISO-datetime joins tractable.
+
+## The 9 traps
+
+1. **Top-level vs item-level scope.** A flat `[].name` projects across items; bare `name` reads the wrapper object. Mixing the two is the most common cause of `null` everywhere.
+2. **Implicit numeric coercion.** `[?price > 100]` reads `price` as a string when the API returns a string. Cast first with `to_number(price) > \`100\`` or normalize upstream.
+3. **`@` vs nothing.** Inside multi-select hashes the `@` refers to the current item — `{name: @.name}` is shorthand. Forgetting `@` inside a filter expression (`[?@.x == 'y']`) is silently parsed as a function call.
+4. **String-quoted literals.** JSON literals use backticks: `\`100\``, `\`true\``, `\`null\``. Single-quoted strings (`'red'`) are raw strings. Mixing them up yields lexer errors that the engine reports far from the actual typo.
+5. **`null` propagation through pipes.** `items | [].name | [?contains(@, 'foo')]` returns `null` (not `[]`) when an item has no `name`. Wrap with `coalesce_empty(@, '')` or filter `not_null(@)`.
+6. **`length()` on null.** Vendor `length(null)` throws. Use `length(@.items || \`[]\`)` to default.
+7. **Backslash-escapes inside raw strings.** Single-quoted strings do NOT honour `\n` / `\t`. To embed a literal `'` use `'\\''` (close, escape, open).
+8. **Empty-array vs missing-key.** `[?tags]` keeps items whose `tags` is non-empty AND non-null. To match items with the *key* present regardless of value, use `[?contains(keys(@), 'tags')]`.
+9. **Multi-projection collapse on header-skip slices.** `[1:][*].{weekday: [0], open: [1]}` looks like "slice off the header row, then map each remaining row into a hash", but JMESPath parses `[1:][*]` as a *chained multi-projection* that flattens row boundaries before the hash runs. The fix is one pipe: `[1:] | [*].{weekday: [0], open: [1]}`. See "Symptom / Cause / Fix" below.
+
+### Pitfall 9 in detail (header-skip slice → hash projection)
+
+**Symptom.** Output schema auto-detection returns flat columns prefixed with the row index, like:
+
+```
+0_weekday, 0_open, 0_close,
+1_weekday, 1_open, 1_close,
+2_weekday, 2_open, 2_close, ...
+```
+
+Each row also reads as `null` in the actual data preview. Every binding in the Multi-Items element lands on the wrapper object instead of the row.
+
+**Cause.** `[1:][*]` is two consecutive projections. JMESPath flattens them: the inner array index dissolves, so the trailing `.{weekday: [0], ...}` operates on the wrapper object's positional slots, not on each row. The auto-detected schema reflects that flattened shape.
+
+**Fix.** Insert a pipe between the slice and the hash projection so the second stage starts fresh:
+
+```jmespath
+# Working — pipe resets the projection so [*] iterates row-by-row
+[1:] | [*].{
+  weekday: [0],
+  open:    [1],
+  close:   [2]
+}
+```
+
+This recipe is the canonical shape for "Google Sheets export with a header row" sources. If you find yourself debugging `0_*` / `1_*` / `2_*` column names in the YOOtheme source field picker, this is almost always the cause.
+
+## Date-primitive functions (new in 2.0.8)
+
+JMESPath has no built-in date support. API Mapper ships four custom date primitives so weekday-name ↔ ISO-datetime joins (Calendly → Sheet schedule, HubSpot meeting-times → office-hours, etc.) become possible without exporting to a sidecar service.
+
+| Function | Signature | Returns |
+|----------|-----------|---------|
+| `date_weekday` | `date_weekday(iso_string [, tz])` | English weekday name `"Monday"`..`"Sunday"`, or `null` on bad input |
+| `date_iso_to_time` | `date_iso_to_time(iso_string [, tz])` | `"HH:MM"` 24-hour time, or `null` |
+| `date_iso_to_date` | `date_iso_to_date(iso_string [, tz])` | `"YYYY-MM-DD"` calendar date, or `null` |
+| `time_in_window` | `time_in_window(time, from, to)` | `true` if `time` is in `[from, to)`. Supports cross-midnight when `from > to`. `false` on any malformed input |
+
+### Timezone rules
+
+- `tz` is an IANA timezone string (`"Europe/Berlin"`, `"America/New_York"`, `"UTC"`).
+- If `tz` is omitted, the offset already encoded in the input string is preserved. A Calendly payload `"2026-06-04T09:00:00+02:00"` returns `"09:00"` from `date_iso_to_time(@, )` (no second arg) — i.e. the customer's local time.
+- If `tz` IS supplied, the datetime is shifted into that zone first.
+- An unknown timezone (typo, mistaken country code) returns `null`. This is the same graceful-failure mode as malformed datetimes — one bad row never crashes the flow.
+
+### The Maria recipe (Calendly + Sheet weekday-join)
+
+```
+# Source A — Calendly available_times
+[].{
+  day: date_weekday(start_time, 'Europe/Berlin'),
+  local_time: date_iso_to_time(start_time, 'Europe/Berlin'),
+  start_time: start_time
+}
+```
+
+Now each Calendly slot carries a Sheet-comparable `day` (e.g. `"Wednesday"`) AND a comparable `local_time` (e.g. `"09:30"`). See `merge-two-sources-on-key` for the full join pattern.
+
+### Slot-against-business-hours filter
+
+```
+[?time_in_window(date_iso_to_time(start_time, 'Europe/Berlin'),
+                 '09:00', '17:00')]
+```
+
+Cross-midnight windows (bars, support shifts):
+
+```
+[?time_in_window(local_time, '22:00', '02:00')]   # 10pm..2am
+```
+
+## Depth-cap warning
+
+JMESPath expression depth is capped at **10 levels** of bracket / pipe nesting. Above that, the engine returns `expression too deeply nested (N levels)`.
+
+**As of 2.0.8 this is caught at flow-write time** (HTTP 422 on `flow_create` / `flow_update`) with per-node `jmespathErrors`. The response payload looks like:
+
+```json
+{
+  "success": false,
+  "error": "1 JMESPath expression exceeded the depth limit of 10",
+  "jmespathErrors": { "t1": "JMESPath expression too deeply nested (13 levels). Maximum: 10" },
+  "status": 422
+}
+```
+
+If you hit this, the cure is almost always to split the expression into TWO transform nodes piped together — that resets the depth counter and is easier to debug.
+
+## See also
+
+- `merge-two-sources-on-key` — joining two sources on a shared key, with date-primitive bridging.
+- `troubleshooting` — broader error triage.

package/skills/apimapper/reference/joomla.md

@@ -70,7 +70,7 @@ Joomla extensions install as a `.zip` (system plugin). The MCP server bundles a
 To verify the plugin is loaded:
 ```
 apimapper_health
-# → { platform: "joomla", version: "2.0.7", plugin: "enabled" }
+# → { platform: "joomla", version: "2.0.13", plugin: "enabled" }
 ```
 
 If `plugin: "disabled"`, enable via Joomla admin → Extensions → Plugins → search "API Mapper".

package/skills/apimapper/reference/library-template-discovery.md

@@ -0,0 +1,65 @@
+# Library template discovery
+
+Inspect a library template's contract BEFORE you activate it, so the connection
+lands fully configured the first time.
+
+## Why this matters
+
+The library is the mandatory first stop for any new API (see the library-first
+guard below). But before you call `apimapper_library_activate`, you want to know
+what the template actually declares: which base URL and endpoints it ships, which
+auth scheme it needs, and which placeholder values (`extra_fields`) you must pass.
+Activating blind is the single most common cause of an empty source that is hard
+to debug from downstream tool calls.
+
+## The discovery sequence
+
+```
+apimapper_library_featured({})                       # 1. the curated short-list
+apimapper_library_list({ query: '<api-name>' })      # 2. search the full catalog by name
+apimapper_library_connection_detail({ id: '<id>' })  # 3. read the template's full contract
+apimapper_credential_list({})                        # 4. find a matching credential (auth-protected templates)
+apimapper_library_activate({ id, credential_id, extra_fields })  # 5. activate, fully configured
+```
+
+Steps 1-2 are routed first-class; step 3 routes through the gateway:
+`apimapper_advanced({ tool: 'apimapper_library_connection_detail', arguments: { id } })`.
+
+## What `library_connection_detail` tells you
+
+Read these fields off the returned template before activating:
+
+| Field | What to do with it |
+|-------|--------------------|
+| `base_url` | The upstream host. Confirms which API the template targets. |
+| `endpoints` | The named requests the template ships (list/detail/search). The activated connection exposes these. |
+| `auth` scheme | `none`, `bearer`, `api_key`, or `oauth`. Tells you whether step 4 (credential) is required. |
+| `extra_fields` | The placeholder values YOU must supply at activation time (e.g. `spreadsheet_id` for Google Sheets, `api_key` for Pexels). Required `extra_fields` left unset land a broken connection. |
+
+## Then activate, not create
+
+Once you have read the contract:
+
+- **Auth-protected template** (Google Sheets, Notion, Airtable, Pexels,
+  OpenWeatherMap, Calendly, GitHub, ...): call `apimapper_credential_list({})`
+  first, then pass the right `credential_id` explicitly to `library_activate`.
+  The activation auto-links a credential only when exactly ONE matching one
+  exists for the provider; otherwise it returns a structured
+  `credential_required` / `credential_ambiguous` error listing the candidates.
+- Pass any required `extra_fields` the template declared in step 3.
+
+## The library-first guard (why you discover instead of hand-rolling)
+
+`apimapper_connection_create` is the fallback for niche or unknown APIs ONLY. The
+server enforces this: a custom `connection_create` whose endpoint host is covered
+by a curated template is rejected with HTTP 409 `error_code:
+library_template_available`. The error names the template and the exact
+`apimapper_library_activate({ id })` call to run instead, with a structured
+`library_suggestion`. Always inspect-then-activate before reaching for a custom
+connection.
+
+## Cross-references
+
+- `apimapper_get_skill({ topic: 'getting-started' })` — Step 1 (mandatory): check the library first.
+- `apimapper_get_skill({ topic: 'oauth' })` — wiring OAuth-protected templates.
+- `apimapper_library_connection_detail` — the tool this topic is about.

package/skills/apimapper/reference/merge-two-sources-on-key.md

@@ -0,0 +1,99 @@
+# Merge two sources on a shared key
+
+Join items from two sources on a shared key, optionally filter the join, surface the result as one Source for YOOtheme.
+
+## When to use
+
+- You have two APIs whose rows belong together but live behind separate endpoints (orders + customers, Calendly slots + Sheet schedule, GitHub issues + sprint planning).
+- The keys you want to join on either (a) are already string-equal, or (b) need a small Transform to be made comparable (e.g. ISO datetime → weekday name).
+
+## The canonical recipe
+
+```
+Source-A  ─┐
+            ├─►  Merge (mode: join, key: <field>)  ─►  Filter  ─►  Output
+Source-B  ─┘
+```
+
+1. Drag both Source nodes onto the canvas, wire them up.
+2. Drag a Merge node between them. Set:
+   - `mode: join` — emit one row per Source-A item, with Source-B fields nested under `b`.
+   - `key`: the field name present on BOTH sides (e.g. `weekday`).
+3. (Optional) drag a Filter node after Merge — typical predicate uses both A- and B-side fields.
+4. Wire to Output (YOOtheme Source) and Publish.
+
+## When the keys aren't string-equal — date-primitive bridging
+
+This is the case Cold-AI #5 walk-through hit: Calendly emits `start_time` as ISO-UTC (`"2026-06-04T09:00:00+00:00"`), but the customer's Sheet schedule is keyed on weekday names (`"Wednesday"`). The keys aren't comparable as-is.
+
+**Fix:** insert a Transform node BEFORE Merge on the Calendly side that derives a Sheet-compatible key.
+
+### Maria's flow (Calendly + Google Sheet schedule)
+
+```
+Calendly available_times  ─► Transform (project day+local_time) ─┐
+                                                                  ├─► Merge (key: day)  ─► Filter ─► Output
+Google Sheet schedule      ──────────────────────────────────────┘
+```
+
+#### Step 1 — Transform on the Calendly side
+
+```
+[].{
+  day: date_weekday(start_time, 'Europe/Berlin'),
+  local_time: date_iso_to_time(start_time, 'Europe/Berlin'),
+  start_time: start_time
+}
+```
+
+Each Calendly row now carries:
+
+| field | value |
+|-------|-------|
+| `day` | `"Wednesday"` — Sheet-comparable |
+| `local_time` | `"09:00"` — comparable to Sheet's `open`/`close` |
+| `start_time` | original ISO datetime (preserved for downstream rendering) |
+
+#### Step 2 — Merge on `day`
+
+Merge mode `join`, key `day`. Sheet row arrives as `b` on each Calendly row:
+
+```json
+{
+  "day": "Wednesday",
+  "local_time": "09:00",
+  "start_time": "2026-06-03T07:00:00+00:00",
+  "b": { "weekday": "Wednesday", "open": "09:00", "close": "17:00" }
+}
+```
+
+#### Step 3 — Filter to slots inside business hours
+
+```
+[?time_in_window(local_time, b.open, b.close)]
+```
+
+`time_in_window` is left-closed, right-open ([from, to)) — a 17:00 close-time does NOT include a 17:00 slot. Cross-midnight windows (e.g. bar `22:00..02:00`) are also handled.
+
+#### Step 4 — Output
+
+Wire to a YOOtheme Output. Slots that survive Steps 1-3 become the rows of a YOOtheme Source named e.g. `BookableSlots`.
+
+## Other date-bridge patterns
+
+| Customer scenario | Source-A key | Source-B key | Bridge |
+|-------------------|--------------|--------------|--------|
+| HubSpot meetings ↔ office-hours | ISO datetime | weekday name | `date_weekday(@.start, tz)` |
+| Stripe invoices ↔ month-rollup | ISO datetime | `"YYYY-MM"` | `substring(date_iso_to_date(@.created, tz), 0, 7)` |
+| GitHub issues ↔ daily-standup notes | ISO datetime | `"YYYY-MM-DD"` | `date_iso_to_date(@.updated_at, tz)` |
+
+## Pitfalls
+
+- **Timezone matters.** A slot at `2026-06-04T23:30:00Z` is Wednesday in UTC but Thursday in Berlin. Always supply the second `tz` arg matching the customer's business timezone.
+- **`null` rows propagate.** A Calendly row with a malformed `start_time` projects to `{day: null, local_time: null, start_time: <bad>}`. The Merge will silently emit it under a `null` key — pre-filter with `[?day]` if you need to drop them.
+- **Depth limit.** Don't try to do the whole projection + merge + filter inside ONE expression. JMESPath caps depth at 10. Two transform nodes piped is cleaner and stays under the limit.
+
+## See also
+
+- `jmespath-pitfalls` — full pitfall catalogue + date-primitive function reference.
+- `yootheme` — how the published Source appears in YOOtheme Builder.

package/skills/apimapper/reference/troubleshooting.md

@@ -79,6 +79,26 @@ If `apimapper_diagnose` is unavailable in your version, run the manual checks be
 ### "Source not appearing in YOOtheme Builder"
 - Flow is saved but not **published**. See `skill://apimapper/yootheme` step 4.
 
+### "YOOtheme Builder source list missing newly-published flow"
+
+Symptom: A flow was just published with `apimapper_flow_full_recompile_publish`, but
+YOOtheme Builder's source dropdown (or `yootheme_builder_sources_list` from the
+sibling MCP) doesn't show it. The schema cache went stale.
+
+Fix (one of):
+
+- `apimapper_cache_invalidate({ scope: "yootheme.schema" })` — explicit flush of the
+  YOOtheme GraphQL schema cache files (`schema-*.{php,gql,error.gql}`). Direct-file
+  surface, bypasses the InvalidationBus.
+- `apimapper_flow_full_recompile_publish({ id: ..., autofix: true })` — re-publish
+  with autofix. Since 2.0.8 (Wave-12 F8) this clears the schema-`.php`/`.gql`/`.error.gql`
+  triplets correctly.
+
+Root cause was a glob-pattern gap in `YOOthemeSchemaCacheBuster` pre-2.0.8 — the
+`.gql` file was the source-of-truth for YT's `LoadSourceSchema::handle()`, but only
+`.php` files were unlinked. The `yootheme.schema` scope is the manual escape hatch
+for customers still on cached state from before the fix landed.
+
 ### "Source shows but fields are empty"
 - Field-name case mismatch. YOOtheme expects lowercase keys.
 - Fix: Transform projection should lowercase: `[*].{title: name, image: cover_url}`.

package/skills/apimapper/reference/yootheme.md

@@ -81,7 +81,7 @@ Same flow can ALSO emit a Shortcode output (`output_type="shortcode"`). Use this
 - Using outside YOOtheme (page builders, plugins)
 - Quick previews in admin
 
-Shortcode currently supports a subset of the YOOtheme render-time features. See `wootsup.com/docs/mcp/` (the shortcode subpage will land in Phase 2 — track via GitHub issues).
+Shortcode currently supports a subset of the YOOtheme render-time features. See `https://wootsup.com/docs/mcp/api-mapper/` (the shortcode subpage will land in a later release).
 
 ## Common pitfalls
 

package/dist/auth/oauth-provider.d.ts

@@ -1,68 +0,0 @@
-export interface OAuthClientRegistration {
-    client_id: string;
-    client_id_issued_at: number;
-    redirect_uris: string[];
-    client_name?: string;
-    token_endpoint_auth_method: "none";
-    grant_types: ["authorization_code", "refresh_token"];
-    response_types: ["code"];
-}
-export interface IssueCodeArgs {
-    client_id: string;
-    redirect_uri: string;
-    code_challenge: string;
-    code_challenge_method: "S256" | "plain";
-    scope: string;
-    state?: string;
-}
-export interface ExchangeCodeArgs {
-    client_id: string;
-    code: string;
-    redirect_uri: string;
-    code_verifier: string;
-}
-export interface RefreshArgs {
-    client_id: string;
-    refresh_token: string;
-}
-export interface TokenResponse {
-    access_token: string;
-    token_type: "Bearer";
-    expires_in: number;
-    refresh_token: string;
-    scope: string;
-}
-export interface AccessTokenInfo {
-    client_id: string;
-    scope: string;
-    expires_at: number;
-}
-export interface OAuthProviderOptions {
-    /** Clock function returning unix seconds. Default: Date.now()/1000. */
-    now?: () => number;
-    /** Authorization code TTL (default 600s = 10 min). */
-    codeTtlSeconds?: number;
-    /** Access token TTL (default 86400s = 24 h). */
-    tokenTtlSeconds?: number;
-    /** Refresh token TTL (default 604800s = 7 d). */
-    refreshTtlSeconds?: number;
-}
-export interface OAuthProvider {
-    registerClient(args: {
-        redirect_uris: string[];
-        client_name?: string;
-    }): OAuthClientRegistration;
-    getClient(client_id: string): OAuthClientRegistration | null;
-    issueCode(args: IssueCodeArgs): string;
-    exchangeCode(args: ExchangeCodeArgs): TokenResponse;
-    refreshToken(args: RefreshArgs): TokenResponse;
-    verifyAccessToken(token: string): AccessTokenInfo | null;
-    sweep(): number;
-    stats(): {
-        clients: number;
-        codes: number;
-        tokens: number;
-        refreshes: number;
-    };
-}
-export declare function createOAuthProvider(options?: OAuthProviderOptions): OAuthProvider;

package/dist/auth/oauth-provider.js

@@ -1,232 +0,0 @@
-// src/auth/oauth-provider.ts — Phase 9.2.
-//
-// Minimal in-memory OAuth 2.0 Authorization-Code + PKCE + Dynamic Client
-// Registration (DCR) provider for the remote HTTP MCP transport.
-//
-// References:
-// - RFC 6749 (OAuth 2.0)
-// - RFC 7636 (PKCE)
-// - RFC 7591 (Dynamic Client Registration)
-// - workers-oauth-provider (Cloudflare reference, in-memory variant)
-//
-// Storage backend is process-local Maps with TTL-based expiry — the
-// hosted production service (mcp.wootsup.com) is expected to swap in a
-// persistent backend, but for unit/integration tests + the local DXT
-// bundle, in-memory is sufficient.
-//
-// Security notes:
-// - Tokens are 32 random bytes hex-encoded (no JWT — keeps the surface
-//   tiny and prevents misuse of unverified payloads).
-// - Authorization codes are 32 random bytes hex; single-use; bound to
-//   client_id + redirect_uri + code_challenge.
-// - PKCE S256 is REQUIRED; "plain" is rejected.
-// - On refresh, the old refresh token is invalidated (rotation).
-import { randomBytes, createHash, timingSafeEqual } from "node:crypto";
-// ── Helpers ────────────────────────────────────────────────────────────
-function randomId(prefix) {
-    return `${prefix}${randomBytes(12).toString("hex")}`;
-}
-function randomOpaque() {
-    return randomBytes(32).toString("hex");
-}
-/** Constant-time compare to thwart timing oracles on token / verifier lookups. */
-function safeEquals(a, b) {
-    const ba = Buffer.from(a);
-    const bb = Buffer.from(b);
-    if (ba.length !== bb.length)
-        return false;
-    return timingSafeEqual(ba, bb);
-}
-function s256(input) {
-    return createHash("sha256").update(input).digest("base64url");
-}
-// ── Factory ────────────────────────────────────────────────────────────
-export function createOAuthProvider(options = {}) {
-    const now = options.now ?? (() => Math.floor(Date.now() / 1000));
-    const codeTtl = options.codeTtlSeconds ?? 600;
-    const tokenTtl = options.tokenTtlSeconds ?? 86_400;
-    const refreshTtl = options.refreshTtlSeconds ?? 7 * 86_400;
-    const clients = new Map();
-    const codes = new Map();
-    const tokens = new Map();
-    const refreshes = new Map();
-    function registerClient(args) {
-        if (!Array.isArray(args.redirect_uris) || args.redirect_uris.length === 0) {
-            throw new Error("invalid_redirect_uri: at least one redirect_uri required");
-        }
-        for (const uri of args.redirect_uris) {
-            if (typeof uri !== "string" || uri.length === 0) {
-                throw new Error("invalid_redirect_uri");
-            }
-        }
-        const reg = {
-            client_id: randomId("cli_"),
-            client_id_issued_at: now(),
-            redirect_uris: [...args.redirect_uris],
-            client_name: args.client_name,
-            token_endpoint_auth_method: "none", // public client (mobile/native/AI)
-            grant_types: ["authorization_code", "refresh_token"],
-            response_types: ["code"],
-        };
-        clients.set(reg.client_id, reg);
-        return reg;
-    }
-    function getClient(client_id) {
-        return clients.get(client_id) ?? null;
-    }
-    function issueCode(args) {
-        const client = clients.get(args.client_id);
-        if (!client)
-            throw new Error("unknown_client");
-        if (!client.redirect_uris.includes(args.redirect_uri)) {
-            throw new Error("invalid_redirect_uri");
-        }
-        if (!args.code_challenge || typeof args.code_challenge !== "string") {
-            throw new Error("invalid_request: code_challenge required");
-        }
-        if (args.code_challenge_method !== "S256") {
-            // Reject "plain" — S256 is mandatory for safety.
-            throw new Error("invalid_request: code_challenge_method must be S256");
-        }
-        const code = randomId("code_");
-        codes.set(code, {
-            client_id: args.client_id,
-            redirect_uri: args.redirect_uri,
-            code_challenge: args.code_challenge,
-            code_challenge_method: args.code_challenge_method,
-            scope: args.scope,
-            expires_at: now() + codeTtl,
-            used: false,
-        });
-        return code;
-    }
-    function exchangeCode(args) {
-        const rec = codes.get(args.code);
-        if (!rec)
-            throw new Error("invalid_grant: code not found");
-        if (rec.used)
-            throw new Error("invalid_grant: code already used");
-        if (rec.expires_at < now())
-            throw new Error("invalid_grant: code expired");
-        if (rec.client_id !== args.client_id) {
-            throw new Error("invalid_grant: client_id mismatch");
-        }
-        if (rec.redirect_uri !== args.redirect_uri) {
-            throw new Error("invalid_grant: redirect_uri mismatch");
-        }
-        const challengeFromVerifier = s256(args.code_verifier);
-        if (!safeEquals(challengeFromVerifier, rec.code_challenge)) {
-            throw new Error("invalid_grant: code_verifier mismatch");
-        }
-        rec.used = true;
-        const accessToken = randomOpaque();
-        const refreshToken = randomOpaque();
-        tokens.set(accessToken, {
-            client_id: rec.client_id,
-            scope: rec.scope,
-            expires_at: now() + tokenTtl,
-        });
-        refreshes.set(refreshToken, {
-            client_id: rec.client_id,
-            scope: rec.scope,
-            expires_at: now() + refreshTtl,
-            revoked: false,
-        });
-        return {
-            access_token: accessToken,
-            refresh_token: refreshToken,
-            token_type: "Bearer",
-            expires_in: tokenTtl,
-            scope: rec.scope,
-        };
-    }
-    function refreshToken(args) {
-        const rec = refreshes.get(args.refresh_token);
-        if (!rec)
-            throw new Error("invalid_grant: refresh_token not found");
-        if (rec.revoked)
-            throw new Error("invalid_grant: refresh_token revoked");
-        if (rec.expires_at < now()) {
-            throw new Error("invalid_grant: refresh_token expired");
-        }
-        if (rec.client_id !== args.client_id) {
-            throw new Error("invalid_grant: client_id mismatch");
-        }
-        // Rotate: revoke the old refresh token, mint a new pair.
-        rec.revoked = true;
-        const accessToken = randomOpaque();
-        const newRefresh = randomOpaque();
-        tokens.set(accessToken, {
-            client_id: rec.client_id,
-            scope: rec.scope,
-            expires_at: now() + tokenTtl,
-        });
-        refreshes.set(newRefresh, {
-            client_id: rec.client_id,
-            scope: rec.scope,
-            expires_at: now() + refreshTtl,
-            revoked: false,
-        });
-        return {
-            access_token: accessToken,
-            refresh_token: newRefresh,
-            token_type: "Bearer",
-            expires_in: tokenTtl,
-            scope: rec.scope,
-        };
-    }
-    function verifyAccessToken(token) {
-        const rec = tokens.get(token);
-        if (!rec)
-            return null;
-        if (rec.expires_at < now())
-            return null;
-        return {
-            client_id: rec.client_id,
-            scope: rec.scope,
-            expires_at: rec.expires_at,
-        };
-    }
-    function sweep() {
-        const t = now();
-        let evicted = 0;
-        for (const [k, v] of codes) {
-            if (v.expires_at < t || v.used) {
-                codes.delete(k);
-                evicted++;
-            }
-        }
-        for (const [k, v] of tokens) {
-            if (v.expires_at < t) {
-                tokens.delete(k);
-                evicted++;
-            }
-        }
-        for (const [k, v] of refreshes) {
-            if (v.expires_at < t || v.revoked) {
-                refreshes.delete(k);
-                evicted++;
-            }
-        }
-        return evicted;
-    }
-    function stats() {
-        return {
-            clients: clients.size,
-            codes: codes.size,
-            tokens: tokens.size,
-            refreshes: refreshes.size,
-        };
-    }
-    return {
-        registerClient,
-        getClient,
-        issueCode,
-        exchangeCode,
-        refreshToken,
-        verifyAccessToken,
-        sweep,
-        stats,
-    };
-}
-//# sourceMappingURL=oauth-provider.js.map

package/dist/auth/oauth-provider.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"oauth-provider.js","sourceRoot":"","sources":["../../src/auth/oauth-provider.ts"],"names":[],"mappings":"AAAA,0CAA0C;AAC1C,EAAE;AACF,yEAAyE;AACzE,iEAAiE;AACjE,EAAE;AACF,cAAc;AACd,yBAAyB;AACzB,oBAAoB;AACpB,2CAA2C;AAC3C,qEAAqE;AACrE,EAAE;AACF,oEAAoE;AACpE,uEAAuE;AACvE,qEAAqE;AACrE,mCAAmC;AACnC,EAAE;AACF,kBAAkB;AAClB,uEAAuE;AACvE,sDAAsD;AACtD,sEAAsE;AACtE,+CAA+C;AAC/C,gDAAgD;AAChD,iEAAiE;AAEjE,OAAO,EAAE,WAAW,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAmGvE,0EAA0E;AAE1E,SAAS,QAAQ,CAAC,MAAc;IAC9B,OAAO,GAAG,MAAM,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;AACvD,CAAC;AAED,SAAS,YAAY;IACnB,OAAO,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;AACzC,CAAC;AAED,kFAAkF;AAClF,SAAS,UAAU,CAAC,CAAS,EAAE,CAAS;IACtC,MAAM,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAC1B,MAAM,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAC1B,IAAI,EAAE,CAAC,MAAM,KAAK,EAAE,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IAC1C,OAAO,eAAe,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;AACjC,CAAC;AAED,SAAS,IAAI,CAAC,KAAa;IACzB,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;AAChE,CAAC;AAED,0EAA0E;AAE1E,MAAM,UAAU,mBAAmB,CACjC,UAAgC,EAAE;IAElC,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,CAAC;IACjE,MAAM,OAAO,GAAG,OAAO,CAAC,cAAc,IAAI,GAAG,CAAC;IAC9C,MAAM,QAAQ,GAAG,OAAO,CAAC,eAAe,IAAI,MAAM,CAAC;IACnD,MAAM,UAAU,GAAG,OAAO,CAAC,iBAAiB,IAAI,CAAC,GAAG,MAAM,CAAC;IAE3D,MAAM,OAAO,GAAG,IAAI,GAAG,EAAmC,CAAC;IAC3D,MAAM,KAAK,GAAG,IAAI,GAAG,EAAsB,CAAC;IAC5C,MAAM,MAAM,GAAG,IAAI,GAAG,EAAuB,CAAC;IAC9C,MAAM,SAAS,GAAG,IAAI,GAAG,EAAyB,CAAC;IAEnD,SAAS,cAAc,CAAC,IAGvB;QACC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,aAAa,CAAC,IAAI,IAAI,CAAC,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC1E,MAAM,IAAI,KAAK,CAAC,0DAA0D,CAAC,CAAC;QAC9E,CAAC;QACD,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;YACrC,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAChD,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;YAC1C,CAAC;QACH,CAAC;QACD,MAAM,GAAG,GAA4B;YACnC,SAAS,EAAE,QAAQ,CAAC,MAAM,CAAC;YAC3B,mBAAmB,EAAE,GAAG,EAAE;YAC1B,aAAa,EAAE,CAAC,GAAG,IAAI,CAAC,aAAa,CAAC;YACtC,WAAW,EAAE,IAAI,CAAC,WAAW;YAC7B,0BAA0B,EAAE,MAAM,EAAE,mCAAmC;YACvE,WAAW,EAAE,CAAC,oBAAoB,EAAE,eAAe,CAAC;YACpD,cAAc,EAAE,CAAC,MAAM,CAAC;SACzB,CAAC;QACF,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;QAChC,OAAO,GAAG,CAAC;IACb,CAAC;IAED,SAAS,SAAS,CAAC,SAAiB;QAClC,OAAO,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,IAAI,IAAI,CAAC;IACxC,CAAC;IAED,SAAS,SAAS,CAAC,IAAmB;QACpC,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QAC3C,IAAI,CAAC,MAAM;YAAE,MAAM,IAAI,KAAK,CAAC,gBAAgB,CAAC,CAAC;QAC/C,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,QAAQ,CAAC,IAAI,CAAC,YAAY,CAAC,EAAE,CAAC;YACtD,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;QAC1C,CAAC;QACD,IAAI,CAAC,IAAI,CAAC,cAAc,IAAI,OAAO,IAAI,CAAC,cAAc,KAAK,QAAQ,EAAE,CAAC;YACpE,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;QAC9D,CAAC;QACD,IAAI,IAAI,CAAC,qBAAqB,KAAK,MAAM,EAAE,CAAC;YAC1C,iDAAiD;YACjD,MAAM,IAAI,KAAK,CAAC,qDAAqD,CAAC,CAAC;QACzE,CAAC;QACD,MAAM,IAAI,GAAG,QAAQ,CAAC,OAAO,CAAC,CAAC;QAC/B,KAAK,CAAC,GAAG,CAAC,IAAI,EAAE;YACd,SAAS,EAAE,IAAI,CAAC,SAAS;YACzB,YAAY,EAAE,IAAI,CAAC,YAAY;YAC/B,cAAc,EAAE,IAAI,CAAC,cAAc;YACnC,qBAAqB,EAAE,IAAI,CAAC,qBAAqB;YACjD,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,UAAU,EAAE,GAAG,EAAE,GAAG,OAAO;YAC3B,IAAI,EAAE,KAAK;SACZ,CAAC,CAAC;QACH,OAAO,IAAI,CAAC;IACd,CAAC;IAED,SAAS,YAAY,CAAC,IAAsB;QAC1C,MAAM,GAAG,GAAG,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACjC,IAAI,CAAC,GAAG;YAAE,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC;QAC3D,IAAI,GAAG,CAAC,IAAI;YAAE,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC;QAClE,IAAI,GAAG,CAAC,UAAU,GAAG,GAAG,EAAE;YAAE,MAAM,IAAI,KAAK,CAAC,6BAA6B,CAAC,CAAC;QAC3E,IAAI,GAAG,CAAC,SAAS,KAAK,IAAI,CAAC,SAAS,EAAE,CAAC;YACrC,MAAM,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAC;QACvD,CAAC;QACD,IAAI,GAAG,CAAC,YAAY,KAAK,IAAI,CAAC,YAAY,EAAE,CAAC;YAC3C,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;QAC1D,CAAC;QACD,MAAM,qBAAqB,GAAG,IAAI,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;QACvD,IAAI,CAAC,UAAU,CAAC,qBAAqB,EAAE,GAAG,CAAC,cAAc,CAAC,EAAE,CAAC;YAC3D,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;QAC3D,CAAC;QACD,GAAG,CAAC,IAAI,GAAG,IAAI,CAAC;QAEhB,MAAM,WAAW,GAAG,YAAY,EAAE,CAAC;QACnC,MAAM,YAAY,GAAG,YAAY,EAAE,CAAC;QACpC,MAAM,CAAC,GAAG,CAAC,WAAW,EAAE;YACtB,SAAS,EAAE,GAAG,CAAC,SAAS;YACxB,KAAK,EAAE,GAAG,CAAC,KAAK;YAChB,UAAU,EAAE,GAAG,EAAE,GAAG,QAAQ;SAC7B,CAAC,CAAC;QACH,SAAS,CAAC,GAAG,CAAC,YAAY,EAAE;YAC1B,SAAS,EAAE,GAAG,CAAC,SAAS;YACxB,KAAK,EAAE,GAAG,CAAC,KAAK;YAChB,UAAU,EAAE,GAAG,EAAE,GAAG,UAAU;YAC9B,OAAO,EAAE,KAAK;SACf,CAAC,CAAC;QAEH,OAAO;YACL,YAAY,EAAE,WAAW;YACzB,aAAa,EAAE,YAAY;YAC3B,UAAU,EAAE,QAAQ;YACpB,UAAU,EAAE,QAAQ;YACpB,KAAK,EAAE,GAAG,CAAC,KAAK;SACjB,CAAC;IACJ,CAAC;IAED,SAAS,YAAY,CAAC,IAAiB;QACrC,MAAM,GAAG,GAAG,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;QAC9C,IAAI,CAAC,GAAG;YAAE,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAC;QACpE,IAAI,GAAG,CAAC,OAAO;YAAE,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;QACzE,IAAI,GAAG,CAAC,UAAU,GAAG,GAAG,EAAE,EAAE,CAAC;YAC3B,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;QAC1D,CAAC;QACD,IAAI,GAAG,CAAC,SAAS,KAAK,IAAI,CAAC,SAAS,EAAE,CAAC;YACrC,MAAM,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAC;QACvD,CAAC;QACD,yDAAyD;QACzD,GAAG,CAAC,OAAO,GAAG,IAAI,CAAC;QAEnB,MAAM,WAAW,GAAG,YAAY,EAAE,CAAC;QACnC,MAAM,UAAU,GAAG,YAAY,EAAE,CAAC;QAClC,MAAM,CAAC,GAAG,CAAC,WAAW,EAAE;YACtB,SAAS,EAAE,GAAG,CAAC,SAAS;YACxB,KAAK,EAAE,GAAG,CAAC,KAAK;YAChB,UAAU,EAAE,GAAG,EAAE,GAAG,QAAQ;SAC7B,CAAC,CAAC;QACH,SAAS,CAAC,GAAG,CAAC,UAAU,EAAE;YACxB,SAAS,EAAE,GAAG,CAAC,SAAS;YACxB,KAAK,EAAE,GAAG,CAAC,KAAK;YAChB,UAAU,EAAE,GAAG,EAAE,GAAG,UAAU;YAC9B,OAAO,EAAE,KAAK;SACf,CAAC,CAAC;QACH,OAAO;YACL,YAAY,EAAE,WAAW;YACzB,aAAa,EAAE,UAAU;YACzB,UAAU,EAAE,QAAQ;YACpB,UAAU,EAAE,QAAQ;YACpB,KAAK,EAAE,GAAG,CAAC,KAAK;SACjB,CAAC;IACJ,CAAC;IAED,SAAS,iBAAiB,CAAC,KAAa;QACtC,MAAM,GAAG,GAAG,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QAC9B,IAAI,CAAC,GAAG;YAAE,OAAO,IAAI,CAAC;QACtB,IAAI,GAAG,CAAC,UAAU,GAAG,GAAG,EAAE;YAAE,OAAO,IAAI,CAAC;QACxC,OAAO;YACL,SAAS,EAAE,GAAG,CAAC,SAAS;YACxB,KAAK,EAAE,GAAG,CAAC,KAAK;YAChB,UAAU,EAAE,GAAG,CAAC,UAAU;SAC3B,CAAC;IACJ,CAAC;IAED,SAAS,KAAK;QACZ,MAAM,CAAC,GAAG,GAAG,EAAE,CAAC;QAChB,IAAI,OAAO,GAAG,CAAC,CAAC;QAChB,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,KAAK,EAAE,CAAC;YAC3B,IAAI,CAAC,CAAC,UAAU,GAAG,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC;gBAC/B,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;gBAChB,OAAO,EAAE,CAAC;YACZ,CAAC;QACH,CAAC;QACD,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,EAAE,CAAC;YAC5B,IAAI,CAAC,CAAC,UAAU,GAAG,CAAC,EAAE,CAAC;gBACrB,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;gBACjB,OAAO,EAAE,CAAC;YACZ,CAAC;QACH,CAAC;QACD,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,SAAS,EAAE,CAAC;YAC/B,IAAI,CAAC,CAAC,UAAU,GAAG,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,CAAC;gBAClC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;gBACpB,OAAO,EAAE,CAAC;YACZ,CAAC;QACH,CAAC;QACD,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,SAAS,KAAK;QACZ,OAAO;YACL,OAAO,EAAE,OAAO,CAAC,IAAI;YACrB,KAAK,EAAE,KAAK,CAAC,IAAI;YACjB,MAAM,EAAE,MAAM,CAAC,IAAI;YACnB,SAAS,EAAE,SAAS,CAAC,IAAI;SAC1B,CAAC;IACJ,CAAC;IAED,OAAO;QACL,cAAc;QACd,SAAS;QACT,SAAS;QACT,YAAY;QACZ,YAAY;QACZ,iBAAiB;QACjB,KAAK;QACL,KAAK;KACN,CAAC;AACJ,CAAC"}

package/dist/server-http.d.ts

@@ -1,22 +0,0 @@
-#!/usr/bin/env node
-import type { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
-import { type ModuleStatus } from "@getimo/mcp-toolkit";
-import { type McpHandler, type HttpTransportServer } from "./transports/http.js";
-import { type OAuthProvider } from "./auth/oauth-provider.js";
-export interface BootOptions {
-    /** TCP port. Default: process.env.APIMAPPER_HTTP_PORT or 8901. */
-    port?: number;
-    /** Public URL hint for OAuth metadata. */
-    publicBaseUrl?: string;
-    /** Pluggable MCP handler — defaults to a stub that returns the original JSON-RPC id with an empty result. */
-    mcpHandler?: McpHandler;
-}
-export interface BootedHttpServer extends HttpTransportServer {
-    oauth: OAuthProvider;
-}
-/** Test-only — exposes the server + module load status for assertions. */
-export declare function _testGetMcpServer(): {
-    server: McpServer | null;
-    modules: ModuleStatus[];
-};
-export declare function bootHttpServer(options?: BootOptions): Promise<BootedHttpServer>;