@zoer7788/mcp-nexus-node 0.1.5 → 0.1.7

package/vendor/devspace/dist/db/migrations.js

@@ -0,0 +1,123 @@
+const migrations = [
+    {
+        version: 1,
+        name: "workspace-state",
+        up: migrateWorkspaceState,
+    },
+    {
+        version: 2,
+        name: "oauth-state",
+        up: migrateOAuthState,
+    },
+];
+export function migrateDatabase(sqlite) {
+    const migrate = sqlite.transaction(() => {
+        sqlite.exec(`
+      create table if not exists devspace_schema_migrations (
+        version integer primary key,
+        name text not null,
+        applied_at text not null
+      );
+    `);
+        const applied = new Set(sqlite.prepare("select version from devspace_schema_migrations").all().map((row) => row.version));
+        const recordMigration = sqlite.prepare("insert into devspace_schema_migrations (version, name, applied_at) values (?, ?, ?)");
+        for (const migration of migrations) {
+            if (applied.has(migration.version))
+                continue;
+            migration.up(sqlite);
+            recordMigration.run(migration.version, migration.name, new Date().toISOString());
+        }
+    });
+    migrate.immediate();
+}
+function migrateWorkspaceState(sqlite) {
+    sqlite.exec(`
+    create table if not exists workspace_sessions (
+      id text primary key,
+      root text not null,
+      status text not null default 'active',
+      mode text not null default 'checkout',
+      source_root text,
+      base_ref text,
+      base_sha text,
+      managed text not null default 'false',
+      created_at text not null,
+      last_used_at text not null
+    );
+
+    create index if not exists workspace_sessions_root_idx
+      on workspace_sessions(root, last_used_at desc);
+
+    create index if not exists workspace_sessions_status_idx
+      on workspace_sessions(status, last_used_at desc);
+
+    create table if not exists loaded_agent_files (
+      workspace_session_id text not null,
+      path text not null,
+      content_hash text not null,
+      content text not null,
+      loaded_at text not null,
+      last_seen_at text not null,
+      primary key (workspace_session_id, path),
+      foreign key (workspace_session_id)
+        references workspace_sessions(id)
+        on delete cascade
+    );
+
+    create index if not exists loaded_agent_files_path_idx
+      on loaded_agent_files(path);
+  `);
+    addColumnIfMissing(sqlite, "workspace_sessions", "mode", "text not null default 'checkout'");
+    addColumnIfMissing(sqlite, "workspace_sessions", "source_root", "text");
+    addColumnIfMissing(sqlite, "workspace_sessions", "base_ref", "text");
+    addColumnIfMissing(sqlite, "workspace_sessions", "base_sha", "text");
+    addColumnIfMissing(sqlite, "workspace_sessions", "managed", "text not null default 'false'");
+}
+function migrateOAuthState(sqlite) {
+    sqlite.exec(`
+    create table if not exists oauth_clients (
+      client_id text primary key,
+      client_json text not null,
+      issued_at integer not null
+    );
+
+    create index if not exists oauth_clients_issued_at_idx
+      on oauth_clients(issued_at desc);
+
+    create table if not exists oauth_access_tokens (
+      token_hash text primary key,
+      client_id text not null,
+      scopes_json text not null,
+      expires_at integer not null,
+      resource text,
+      foreign key (client_id) references oauth_clients(client_id) on delete cascade
+    );
+
+    create index if not exists oauth_access_tokens_client_id_idx
+      on oauth_access_tokens(client_id);
+
+    create index if not exists oauth_access_tokens_expires_at_idx
+      on oauth_access_tokens(expires_at);
+
+    create table if not exists oauth_refresh_tokens (
+      token_hash text primary key,
+      client_id text not null,
+      scopes_json text not null,
+      expires_at integer not null,
+      resource text,
+      foreign key (client_id) references oauth_clients(client_id) on delete cascade
+    );
+
+    create index if not exists oauth_refresh_tokens_client_id_idx
+      on oauth_refresh_tokens(client_id);
+
+    create index if not exists oauth_refresh_tokens_expires_at_idx
+      on oauth_refresh_tokens(expires_at);
+  `);
+}
+function addColumnIfMissing(sqlite, table, column, definition) {
+    const columns = sqlite.prepare(`pragma table_info(${table})`).all();
+    if (columns.some((existingColumn) => existingColumn.name === column))
+        return;
+    sqlite.exec(`alter table ${table} add column ${column} ${definition}`);
+}

package/vendor/devspace/dist/db/schema.js

@@ -0,0 +1,52 @@
+import { index, integer, primaryKey, sqliteTable, text } from "drizzle-orm/sqlite-core";
+export const workspaceSessions = sqliteTable("workspace_sessions", {
+    id: text("id").primaryKey(),
+    root: text("root").notNull(),
+    status: text("status").notNull().default("active"),
+    mode: text("mode").notNull().default("checkout"),
+    sourceRoot: text("source_root"),
+    baseRef: text("base_ref"),
+    baseSha: text("base_sha"),
+    managed: text("managed").notNull().default("false"),
+    createdAt: text("created_at").notNull(),
+    lastUsedAt: text("last_used_at").notNull(),
+}, (table) => [
+    index("workspace_sessions_root_idx").on(table.root, table.lastUsedAt),
+    index("workspace_sessions_status_idx").on(table.status, table.lastUsedAt),
+]);
+export const loadedAgentFiles = sqliteTable("loaded_agent_files", {
+    workspaceSessionId: text("workspace_session_id")
+        .notNull()
+        .references(() => workspaceSessions.id, { onDelete: "cascade" }),
+    path: text("path").notNull(),
+    contentHash: text("content_hash").notNull(),
+    content: text("content").notNull(),
+    loadedAt: text("loaded_at").notNull(),
+    lastSeenAt: text("last_seen_at").notNull(),
+}, (table) => [
+    primaryKey({ columns: [table.workspaceSessionId, table.path] }),
+    index("loaded_agent_files_path_idx").on(table.path),
+]);
+export const oauthClients = sqliteTable("oauth_clients", {
+    clientId: text("client_id").primaryKey(),
+    clientJson: text("client_json").notNull(),
+    issuedAt: integer("issued_at").notNull(),
+});
+export const oauthAccessTokens = sqliteTable("oauth_access_tokens", {
+    tokenHash: text("token_hash").primaryKey(),
+    clientId: text("client_id")
+        .notNull()
+        .references(() => oauthClients.clientId, { onDelete: "cascade" }),
+    scopesJson: text("scopes_json").notNull(),
+    expiresAt: integer("expires_at").notNull(),
+    resource: text("resource"),
+});
+export const oauthRefreshTokens = sqliteTable("oauth_refresh_tokens", {
+    tokenHash: text("token_hash").primaryKey(),
+    clientId: text("client_id")
+        .notNull()
+        .references(() => oauthClients.clientId, { onDelete: "cascade" }),
+    scopesJson: text("scopes_json").notNull(),
+    expiresAt: integer("expires_at").notNull(),
+    resource: text("resource"),
+});

package/vendor/devspace/dist/git-worktrees.js

@@ -0,0 +1,134 @@
+import { randomBytes } from "node:crypto";
+import { execFile } from "node:child_process";
+import { promisify } from "node:util";
+import { mkdir, realpath, rm, stat } from "node:fs/promises";
+import { basename, join, relative, resolve } from "node:path";
+import { assertAllowedPath, isPathInsideRoot } from "./roots.js";
+const execFileAsync = promisify(execFile);
+export class GitWorktreeError extends Error {
+    code;
+    constructor(code, message) {
+        super(message);
+        this.code = code;
+        this.name = "GitWorktreeError";
+    }
+}
+export async function createManagedWorktree(input) {
+    const sourcePath = assertAllowedPath(input.sourcePath, input.config.allowedRoots);
+    try {
+        const sourceStats = await stat(sourcePath);
+        if (!sourceStats.isDirectory()) {
+            throw new GitWorktreeError("GIT_REPOSITORY_NOT_FOUND", `Cannot open workspace in worktree mode because the source path is not a directory: ${input.sourcePath}`);
+        }
+    }
+    catch (error) {
+        if (error instanceof GitWorktreeError)
+            throw error;
+        throw new GitWorktreeError("GIT_REPOSITORY_NOT_FOUND", `Cannot open workspace in worktree mode because the source path does not exist: ${input.sourcePath}`);
+    }
+    const sourceRoot = await resolveGitRoot(sourcePath, input.config.allowedRoots);
+    const baseRef = input.baseRef ?? "HEAD";
+    const baseSha = await resolveBaseCommit(sourceRoot, baseRef);
+    const dirtySource = (await git(["status", "--porcelain=v1"], sourceRoot)).trim().length > 0;
+    const worktreePath = managedWorktreePath({
+        worktreeRoot: input.config.worktreeRoot,
+        repoRoot: sourceRoot,
+    });
+    await mkdir(input.config.worktreeRoot, { recursive: true });
+    assertAllowedPath(worktreePath, [input.config.worktreeRoot]);
+    try {
+        await git(["worktree", "add", "--detach", worktreePath, baseSha], sourceRoot);
+    }
+    catch (error) {
+        await rm(worktreePath, { recursive: true, force: true });
+        const message = error instanceof Error ? error.message : String(error);
+        throw new GitWorktreeError("GIT_WORKTREE_CREATE_FAILED", `Git failed to create the managed worktree. ${message}`);
+    }
+    return {
+        sourceRoot,
+        path: worktreePath,
+        baseRef,
+        baseSha,
+        dirtySource,
+        detached: true,
+        managed: true,
+    };
+}
+async function resolveGitRoot(path, allowedRoots) {
+    try {
+        const output = await git(["rev-parse", "--show-toplevel"], path);
+        return await assertGitRootAllowed(output.trim(), allowedRoots);
+    }
+    catch (error) {
+        if (isGitUnavailable(error)) {
+            throw new GitWorktreeError("GIT_NOT_AVAILABLE", "Cannot open workspace in worktree mode because Git is not available on this machine.");
+        }
+        throw new GitWorktreeError("GIT_REPOSITORY_NOT_FOUND", `Cannot open workspace in worktree mode because this path is not inside a Git repository: ${path}. Use mode=\"checkout\" to work directly in this directory, or initialize Git and create an initial commit first.`);
+    }
+}
+async function assertGitRootAllowed(gitRoot, allowedRoots) {
+    try {
+        return assertAllowedPath(gitRoot, allowedRoots);
+    }
+    catch {
+        const canonicalGitRoot = await realpath(gitRoot);
+        for (const allowedRoot of allowedRoots) {
+            const canonicalAllowedRoot = await realpath(allowedRoot).catch(() => undefined);
+            if (!canonicalAllowedRoot || !isPathInsideRoot(canonicalGitRoot, canonicalAllowedRoot)) {
+                continue;
+            }
+            const logicalGitRoot = resolve(allowedRoot, relative(canonicalAllowedRoot, canonicalGitRoot));
+            return assertAllowedPath(logicalGitRoot, allowedRoots);
+        }
+        return assertAllowedPath(canonicalGitRoot, allowedRoots);
+    }
+}
+async function resolveBaseCommit(sourceRoot, baseRef) {
+    try {
+        return (await git(["rev-parse", "--verify", `${baseRef}^{commit}`], sourceRoot)).trim();
+    }
+    catch (error) {
+        if (baseRef === "HEAD") {
+            throw new GitWorktreeError("GIT_REPOSITORY_HAS_NO_COMMITS", "Cannot open workspace in worktree mode because the repository has no commits yet. Create an initial commit first, or use mode=\"checkout\".");
+        }
+        throw new GitWorktreeError("GIT_INVALID_BASE_REF", `Cannot open workspace in worktree mode because baseRef ${JSON.stringify(baseRef)} does not resolve to a commit.`);
+    }
+}
+function managedWorktreePath(input) {
+    const repoName = sanitizePathSegment(basename(input.repoRoot)) || "repo";
+    const worktreeId = randomBytes(4).toString("hex");
+    return join(input.worktreeRoot, `${repoName}-${worktreeId}`);
+}
+function sanitizePathSegment(value) {
+    return value
+        .replace(/[^a-zA-Z0-9._-]+/g, "-")
+        .replace(/^-+|-+$/g, "")
+        .slice(0, 80);
+}
+async function git(args, cwd) {
+    try {
+        const { stdout } = await execFileAsync("git", args, {
+            cwd,
+            maxBuffer: 10 * 1024 * 1024,
+        });
+        return stdout;
+    }
+    catch (error) {
+        if (isGitUnavailable(error))
+            throw error;
+        const stderr = typeof error === "object" && error && "stderr" in error
+            ? String(error.stderr ?? "").trim()
+            : "";
+        const stdout = typeof error === "object" && error && "stdout" in error
+            ? String(error.stdout ?? "").trim()
+            : "";
+        const details = stderr || stdout || (error instanceof Error ? error.message : String(error));
+        throw new Error(details);
+    }
+}
+function isGitUnavailable(error) {
+    return Boolean(typeof error === "object" &&
+        error &&
+        "code" in error &&
+        error.code === "ENOENT");
+}

package/vendor/devspace/dist/git.js

@@ -0,0 +1,41 @@
+import { createHash } from "node:crypto";
+import { execFile } from "node:child_process";
+import { promisify } from "node:util";
+const execFileAsync = promisify(execFile);
+export async function git(cwd, args, options = {}) {
+    const { stdout, stderr } = await execFileAsync("git", args, {
+        cwd,
+        env: options.env ? { ...process.env, ...options.env } : process.env,
+        maxBuffer: options.maxBuffer ?? 10 * 1024 * 1024,
+    });
+    return { stdout, stderr };
+}
+export async function getGitEligibility(cwd) {
+    try {
+        await git(cwd, ["rev-parse", "--is-inside-work-tree"]);
+    }
+    catch {
+        return {
+            ok: false,
+            reason: "not_git",
+            message: "workspace is not inside a git repository",
+        };
+    }
+    const gitRoot = (await git(cwd, ["rev-parse", "--show-toplevel"])).stdout.trim();
+    try {
+        await git(gitRoot, ["rev-parse", "--verify", "--quiet", "HEAD^{commit}"]);
+    }
+    catch {
+        return {
+            ok: false,
+            gitRoot,
+            reason: "no_head",
+            message: "repository has no HEAD commit",
+        };
+    }
+    return { ok: true, gitRoot };
+}
+export function safeWorkspaceRefSegment(workspaceId) {
+    const safe = workspaceId.replace(/[^A-Za-z0-9._-]/g, "-");
+    return safe.length > 0 ? safe : createHash("sha256").update(workspaceId).digest("hex").slice(0, 16);
+}

package/vendor/devspace/dist/logger.js

@@ -0,0 +1,69 @@
+const LEVEL_WEIGHT = {
+    silent: 0,
+    error: 1,
+    warn: 2,
+    info: 3,
+    debug: 4,
+};
+export function shouldLog(config, level) {
+    return LEVEL_WEIGHT[config.level] >= LEVEL_WEIGHT[level];
+}
+export function logEvent(config, level, event, fields = {}) {
+    if (!shouldLog(config, level))
+        return;
+    const entry = {
+        ts: new Date().toISOString(),
+        level,
+        event,
+        ...fields,
+    };
+    const line = config.format === "pretty" ? formatPretty(entry) : JSON.stringify(entry);
+    if (level === "error") {
+        console.error(line);
+    }
+    else if (level === "warn") {
+        console.warn(line);
+    }
+    else {
+        console.log(line);
+    }
+}
+export function requestIp(req, trustProxy) {
+    if (trustProxy) {
+        const cfConnectingIp = firstHeaderValue(req.header("cf-connecting-ip"));
+        if (cfConnectingIp)
+            return cfConnectingIp;
+        const forwardedFor = firstHeaderValue(req.header("x-forwarded-for"));
+        if (forwardedFor)
+            return forwardedFor;
+    }
+    return req.ip ?? req.socket.remoteAddress;
+}
+export function requestPath(req) {
+    return req.path || req.url.split("?")[0] || req.url;
+}
+export function sessionIdPrefix(sessionId) {
+    return sessionId ? sessionId.slice(0, 8) : undefined;
+}
+export function commandPreview(command) {
+    const normalized = command.replace(/\s+/g, " ").trim();
+    return normalized.length > 120 ? `${normalized.slice(0, 117)}...` : normalized;
+}
+function firstHeaderValue(value) {
+    return value?.split(",")[0]?.trim() || undefined;
+}
+function formatPretty(entry) {
+    const ts = String(entry.ts);
+    const level = String(entry.level).toUpperCase();
+    const event = String(entry.event);
+    const rest = Object.entries(entry)
+        .filter(([key, value]) => !["ts", "level", "event"].includes(key) && value !== undefined)
+        .map(([key, value]) => `${key}=${formatPrettyValue(value)}`)
+        .join(" ");
+    return rest ? `${ts} ${level} ${event} ${rest}` : `${ts} ${level} ${event}`;
+}
+function formatPrettyValue(value) {
+    if (typeof value === "string")
+        return JSON.stringify(value);
+    return JSON.stringify(value);
+}

package/vendor/devspace/dist/oauth-provider.js

@@ -0,0 +1,237 @@
+import { timingSafeEqual, randomBytes, randomUUID, createHash } from "node:crypto";
+import { AccessDeniedError, InvalidGrantError, InvalidRequestError, InvalidTokenError } from "@modelcontextprotocol/sdk/server/auth/errors.js";
+import { checkResourceAllowed, resourceUrlFromServerUrl } from "@modelcontextprotocol/sdk/shared/auth-utils.js";
+import { SqliteOAuthClientsStore, SqliteOAuthStore } from "./oauth-store.js";
+const CODE_TTL_MS = 5 * 60 * 1000;
+function randomToken() {
+    return randomBytes(32).toString("base64url");
+}
+function safeEquals(a, b) {
+    const left = Buffer.from(a);
+    const right = Buffer.from(b);
+    if (left.byteLength !== right.byteLength)
+        return false;
+    return timingSafeEqual(left, right);
+}
+function htmlEscape(value) {
+    return value
+        .replaceAll("&", "&")
+        .replaceAll("<", "&lt;")
+        .replaceAll(">", "&gt;")
+        .replaceAll('"', "&quot;")
+        .replaceAll("'", "&#39;");
+}
+function formHtml(params) {
+    const scopeText = params.scopes.length > 0 ? params.scopes.join(" ") : "devspace";
+    const resourceText = params.resource?.href ?? "DevSpace MCP endpoint";
+    const error = params.error
+        ? `<p class="error">${htmlEscape(params.error)}</p>`
+        : "";
+    const hiddenFields = Object.entries(params.fields)
+        .filter((entry) => entry[1] !== undefined)
+        .map(([name, value]) => `        <input type="hidden" name="${htmlEscape(name)}" value="${htmlEscape(value)}" />`)
+        .join("\n");
+    return `<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1" />
+    <title>Connect DevSpace</title>
+    <style>
+      body { font-family: system-ui, -apple-system, BlinkMacSystemFont, "Segoe UI", sans-serif; margin: 0; background: #0f172a; color: #e2e8f0; }
+      main { max-width: 440px; margin: 12vh auto; padding: 32px; background: #111827; border: 1px solid #334155; border-radius: 18px; box-shadow: 0 24px 80px rgba(0,0,0,.35); }
+      h1 { margin: 0 0 12px; font-size: 28px; }
+      p { line-height: 1.5; color: #cbd5e1; }
+      dl { padding: 16px; background: #020617; border-radius: 12px; }
+      dt { color: #94a3b8; font-size: 12px; text-transform: uppercase; letter-spacing: .06em; }
+      dd { margin: 4px 0 12px; word-break: break-word; }
+      label { display: block; margin: 18px 0 8px; font-weight: 600; }
+      input { box-sizing: border-box; width: 100%; padding: 12px 14px; border-radius: 10px; border: 1px solid #475569; background: #020617; color: #e2e8f0; font-size: 16px; }
+      button { margin-top: 18px; width: 100%; border: 0; border-radius: 10px; padding: 12px 14px; font-weight: 700; color: #020617; background: #38bdf8; cursor: pointer; }
+      .error { color: #fecaca; background: #7f1d1d; border-radius: 10px; padding: 10px 12px; }
+      .warning { color: #fde68a; }
+    </style>
+  </head>
+  <body>
+    <main>
+      <h1>Connect DevSpace</h1>
+      <p class="warning">Only approve this if you are intentionally connecting your own ChatGPT or MCP client to this local machine.</p>
+      ${error}
+      <dl>
+        <dt>Client</dt><dd>${htmlEscape(params.clientName)}</dd>
+        <dt>Scope</dt><dd>${htmlEscape(scopeText)}</dd>
+        <dt>Resource</dt><dd>${htmlEscape(resourceText)}</dd>
+      </dl>
+      <form method="post">
+${hiddenFields}
+        <label for="owner_token">Owner password</label>
+        <input id="owner_token" name="owner_token" type="password" autocomplete="current-password" autofocus required />
+        <button type="submit">Authorize DevSpace</button>
+      </form>
+    </main>
+  </body>
+</html>`;
+}
+function requestedScopesAllowed(requested, supported) {
+    return requested.every((scope) => supported.includes(scope));
+}
+export class SingleUserOAuthProvider {
+    config;
+    clientsStore;
+    codes = new Map();
+    oauthStore;
+    resourceServerUrl;
+    constructor(config, resourceServerUrl, stateDir) {
+        this.config = config;
+        this.resourceServerUrl = resourceUrlFromServerUrl(resourceServerUrl);
+        this.oauthStore = new SqliteOAuthStore(stateDir);
+        this.clientsStore = new SqliteOAuthClientsStore(this.oauthStore, config.allowedRedirectHosts);
+    }
+    async authorize(client, params, res) {
+        if (!params.resource || !checkResourceAllowed({ requestedResource: params.resource, configuredResource: this.resourceServerUrl })) {
+            throw new InvalidRequestError("Invalid or missing OAuth resource");
+        }
+        if (!requestedScopesAllowed(params.scopes ?? [], this.config.scopes)) {
+            throw new InvalidRequestError("Requested scope is not supported");
+        }
+        if (res.req.method !== "POST") {
+            res.status(200).setHeader("Content-Type", "text/html; charset=utf-8");
+            res.send(formHtml({
+                clientName: client.client_name ?? client.client_id,
+                scopes: params.scopes ?? this.config.scopes,
+                resource: params.resource,
+                fields: authorizationFormFields(client, params),
+            }));
+            return;
+        }
+        const providedToken = String(res.req.body?.owner_token ?? "");
+        if (!safeEquals(providedToken, this.config.ownerToken)) {
+            res.status(401).setHeader("Content-Type", "text/html; charset=utf-8");
+            res.send(formHtml({
+                error: "The Owner password was not accepted.",
+                clientName: client.client_name ?? client.client_id,
+                scopes: params.scopes ?? this.config.scopes,
+                resource: params.resource,
+                fields: authorizationFormFields(client, params),
+            }));
+            return;
+        }
+        const code = `code-${randomUUID()}`;
+        this.codes.set(code, {
+            clientId: client.client_id,
+            params,
+            expiresAtMs: Date.now() + CODE_TTL_MS,
+        });
+        const redirectUrl = new URL(params.redirectUri);
+        redirectUrl.searchParams.set("code", code);
+        if (params.state !== undefined)
+            redirectUrl.searchParams.set("state", params.state);
+        res.redirect(302, redirectUrl.href);
+    }
+    async challengeForAuthorizationCode(client, authorizationCode) {
+        const record = this.validCodeRecord(client, authorizationCode);
+        return record.params.codeChallenge;
+    }
+    async exchangeAuthorizationCode(client, authorizationCode, _codeVerifier, redirectUri, resource) {
+        const record = this.validCodeRecord(client, authorizationCode);
+        if (redirectUri && redirectUri !== record.params.redirectUri) {
+            throw new InvalidGrantError("redirect_uri does not match the authorization request");
+        }
+        if (resource && !checkResourceAllowed({ requestedResource: resource, configuredResource: this.resourceServerUrl })) {
+            throw new InvalidGrantError("Invalid resource");
+        }
+        this.codes.delete(authorizationCode);
+        return this.issueTokens(client.client_id, record.params.scopes ?? this.config.scopes, record.params.resource);
+    }
+    async exchangeRefreshToken(client, refreshToken, scopes, resource) {
+        const refreshTokenHash = hashToken(refreshToken);
+        const record = this.oauthStore.getRefreshToken(refreshTokenHash);
+        if (!record || record.clientId !== client.client_id || record.expiresAt < Math.floor(Date.now() / 1000)) {
+            throw new InvalidGrantError("Invalid refresh token");
+        }
+        if (resource && !checkResourceAllowed({ requestedResource: resource, configuredResource: this.resourceServerUrl })) {
+            throw new InvalidGrantError("Invalid resource");
+        }
+        const requestedScopes = scopes ?? record.scopes;
+        if (!requestedScopes.every((scope) => record.scopes.includes(scope))) {
+            throw new AccessDeniedError("Refresh token cannot grant requested scopes");
+        }
+        return this.issueTokens(client.client_id, requestedScopes, resource ?? (record.resource ? new URL(record.resource) : undefined), refreshTokenHash);
+    }
+    async verifyAccessToken(token) {
+        const record = this.oauthStore.getAccessToken(hashToken(token));
+        if (!record || record.expiresAt < Math.floor(Date.now() / 1000)) {
+            throw new InvalidTokenError("Invalid or expired access token");
+        }
+        return {
+            token,
+            clientId: record.clientId,
+            scopes: record.scopes,
+            expiresAt: record.expiresAt,
+            resource: record.resource ? new URL(record.resource) : undefined,
+        };
+    }
+    async revokeToken(_client, request) {
+        const hashed = hashToken(request.token);
+        this.oauthStore.deleteAccessToken(hashed);
+        this.oauthStore.deleteRefreshToken(hashed);
+    }
+    close() {
+        this.oauthStore.close();
+    }
+    validCodeRecord(client, authorizationCode) {
+        const record = this.codes.get(authorizationCode);
+        if (!record || record.clientId !== client.client_id || record.expiresAtMs < Date.now()) {
+            throw new InvalidGrantError("Invalid authorization code");
+        }
+        return record;
+    }
+    issueTokens(clientId, scopes, resource, consumedRefreshTokenHash) {
+        const now = Math.floor(Date.now() / 1000);
+        const accessToken = randomToken();
+        const refreshToken = randomToken();
+        const accessExpiresAt = now + this.config.accessTokenTtlSeconds;
+        const refreshExpiresAt = now + this.config.refreshTokenTtlSeconds;
+        const saved = this.oauthStore.saveTokenPair({
+            accessTokenHash: hashToken(accessToken),
+            accessToken: {
+                clientId,
+                scopes,
+                expiresAt: accessExpiresAt,
+                resource: resource?.href,
+            },
+            refreshTokenHash: hashToken(refreshToken),
+            refreshToken: {
+                clientId,
+                scopes,
+                expiresAt: refreshExpiresAt,
+                resource: resource?.href,
+            },
+        }, consumedRefreshTokenHash);
+        if (!saved) {
+            throw new InvalidGrantError("Invalid refresh token");
+        }
+        return {
+            access_token: accessToken,
+            token_type: "bearer",
+            expires_in: this.config.accessTokenTtlSeconds,
+            refresh_token: refreshToken,
+            scope: scopes.join(" "),
+        };
+    }
+}
+function authorizationFormFields(client, params) {
+    return {
+        response_type: "code",
+        client_id: client.client_id,
+        redirect_uri: params.redirectUri,
+        code_challenge: params.codeChallenge,
+        code_challenge_method: "S256",
+        scope: params.scopes?.join(" "),
+        state: params.state,
+        resource: params.resource?.href,
+    };
+}
+function hashToken(token) {
+    return createHash("sha256").update(token).digest("base64url");
+}