@zuwiki/mcp 0.1.0

package/dist/auth/client.js

@@ -0,0 +1,162 @@
+import { discoverAuthorizationServer } from "./discovery.js";
+import { registerClient } from "./registration.js";
+import { performAuthorizationCodeFlow, refreshAccessToken } from "./flow.js";
+import { applyTokenResponse, defaultCredentialsPath, isTokenExpired, loadCredentials, saveCredentials, } from "./tokens.js";
+export const DEFAULT_SCOPE = "openid profile email offline_access wiki:read wiki:write";
+/**
+ * Manages OAuth credentials for the local server.
+ *
+ * On the first call to ensureAccessToken it runs discovery, dynamic client
+ * registration and the authorization code flow if needed. Later calls reuse
+ * the refresh token as long as possible.
+ */
+export class AuthManager {
+    baseUrl;
+    credentialsPath;
+    scope;
+    clientName;
+    fetchImpl;
+    loopbackPorts;
+    log;
+    openBrowser;
+    interactive;
+    credentials = null;
+    metadata = null;
+    inflight = null;
+    constructor(options) {
+        this.baseUrl = options.baseUrl.replace(/\/+$/, "");
+        this.credentialsPath = options.credentialsPath ?? defaultCredentialsPath();
+        this.scope = options.scope ?? DEFAULT_SCOPE;
+        this.clientName = options.clientName ?? "Zuwiki MCP Server";
+        this.fetchImpl = options.fetchImpl ?? fetch;
+        this.loopbackPorts = options.loopbackPorts ?? [];
+        this.log = options.log ?? ((m) => process.stderr.write(m + "\n"));
+        this.openBrowser = options.openBrowser;
+        this.interactive = options.interactive ?? true;
+    }
+    getBaseUrl() {
+        return this.baseUrl;
+    }
+    async ensureAccessToken() {
+        if (this.inflight)
+            return this.inflight;
+        this.inflight = this.ensureAccessTokenInner().finally(() => {
+            this.inflight = null;
+        });
+        return this.inflight;
+    }
+    async ensureAccessTokenInner() {
+        const creds = await this.getCredentials();
+        if (creds.accessToken && !isTokenExpired(creds)) {
+            return creds.accessToken;
+        }
+        if (creds.refreshToken) {
+            try {
+                const metadata = await this.getMetadata();
+                const token = await refreshAccessToken({
+                    tokenEndpoint: metadata.token_endpoint,
+                    clientId: creds.clientId,
+                    clientSecret: creds.clientSecret,
+                    refreshToken: creds.refreshToken,
+                    fetchImpl: this.fetchImpl,
+                });
+                const updated = applyTokenResponse(creds, token);
+                this.credentials = updated;
+                await saveCredentials(this.credentialsPath, updated);
+                return updated.accessToken;
+            }
+            catch (err) {
+                this.log(`Token refresh failed, falling back to a fresh sign in. Reason: ${err.message}`);
+            }
+        }
+        if (!this.interactive) {
+            throw new Error("No valid access token and interactive login is disabled. Run the server once in stdio mode to sign in.");
+        }
+        return this.runInitialAuth();
+    }
+    /** Forces a refresh, for example after a 401 response. */
+    async invalidateAndRefresh() {
+        const creds = await this.getCredentials();
+        this.credentials = { ...creds, accessToken: undefined, expiresAt: undefined };
+        return this.ensureAccessToken();
+    }
+    async getCredentials() {
+        if (this.credentials)
+            return this.credentials;
+        const loaded = await loadCredentials(this.credentialsPath);
+        if (loaded && loaded.baseUrl === this.baseUrl && loaded.clientId) {
+            this.credentials = loaded;
+            return loaded;
+        }
+        if (loaded && loaded.baseUrl !== this.baseUrl) {
+            this.log(`Stored credentials are for ${loaded.baseUrl} which does not match the current base URL ${this.baseUrl}. A fresh sign in is required.`);
+        }
+        const metadata = await this.getMetadata();
+        if (!metadata.registration_endpoint) {
+            throw new Error("The authorization server does not support dynamic client registration and no credentials are stored.");
+        }
+        const redirectPlaceholder = "http://127.0.0.1/callback";
+        this.log("Registering a new OAuth client with the Zuwiki auth server.");
+        const registration = await registerClient(metadata.registration_endpoint, {
+            client_name: this.clientName,
+            redirect_uris: [redirectPlaceholder],
+            grant_types: ["authorization_code", "refresh_token"],
+            response_types: ["code"],
+            token_endpoint_auth_method: "none",
+            scope: this.scope,
+            application_type: "native",
+        }, this.fetchImpl);
+        const fresh = {
+            baseUrl: this.baseUrl,
+            clientId: registration.client_id,
+            clientSecret: registration.client_secret,
+            registrationAccessToken: registration.registration_access_token,
+            registrationClientUri: registration.registration_client_uri,
+        };
+        this.credentials = fresh;
+        await saveCredentials(this.credentialsPath, fresh);
+        return fresh;
+    }
+    async getMetadata() {
+        if (this.metadata)
+            return this.metadata;
+        this.metadata = await discoverAuthorizationServer(this.baseUrl, this.fetchImpl);
+        return this.metadata;
+    }
+    async runInitialAuth() {
+        const creds = await this.getCredentials();
+        const metadata = await this.getMetadata();
+        this.log("Opening the browser for Zuwiki sign in. If no window appears, copy the printed URL.");
+        const tokenResponse = await performAuthorizationCodeFlow({
+            metadata,
+            clientId: creds.clientId,
+            clientSecret: creds.clientSecret,
+            scope: this.scope,
+            preferredPorts: this.loopbackPorts,
+            fetchImpl: this.fetchImpl,
+            openBrowser: this.openBrowser,
+            onAuthorizationUrl: (url) => this.log(`Authorize URL: ${url}`),
+        });
+        const updated = applyTokenResponse(creds, tokenResponse);
+        this.credentials = updated;
+        await saveCredentials(this.credentialsPath, updated);
+        return updated.accessToken;
+    }
+}
+/**
+ * Holds the active organization id and lets callers update it at runtime.
+ * Shared with the server so that zuwiki_set_active_organization can take effect.
+ */
+export class OrganizationState {
+    organizationId;
+    constructor(organizationId) {
+        this.organizationId = organizationId;
+    }
+    get() {
+        return this.organizationId;
+    }
+    set(id) {
+        this.organizationId = id && id.length > 0 ? id : null;
+    }
+}
+//# sourceMappingURL=client.js.map

package/dist/auth/client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.js","sourceRoot":"","sources":["../../src/auth/client.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,2BAA2B,EAAoC,MAAM,gBAAgB,CAAC;AAC/F,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AACnD,OAAO,EAAE,4BAA4B,EAAE,kBAAkB,EAAE,MAAM,WAAW,CAAC;AAC7E,OAAO,EACL,kBAAkB,EAClB,sBAAsB,EACtB,cAAc,EACd,eAAe,EACf,eAAe,GAEhB,MAAM,aAAa,CAAC;AAErB,MAAM,CAAC,MAAM,aAAa,GAAG,0DAA0D,CAAC;AAgBxF;;;;;;GAMG;AACH,MAAM,OAAO,WAAW;IACL,OAAO,CAAS;IAChB,eAAe,CAAS;IACxB,KAAK,CAAS;IACd,UAAU,CAAS;IACnB,SAAS,CAAe;IACxB,aAAa,CAAW;IACxB,GAAG,CAA4B;IAC/B,WAAW,CAAqC;IAChD,WAAW,CAAU;IAE9B,WAAW,GAA6B,IAAI,CAAC;IAC7C,QAAQ,GAAuC,IAAI,CAAC;IACpD,QAAQ,GAA2B,IAAI,CAAC;IAEhD,YAAY,OAA2B;QACrC,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;QACnD,IAAI,CAAC,eAAe,GAAG,OAAO,CAAC,eAAe,IAAI,sBAAsB,EAAE,CAAC;QAC3E,IAAI,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,IAAI,aAAa,CAAC;QAC5C,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,mBAAmB,CAAC;QAC5D,IAAI,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,KAAK,CAAC;QAC5C,IAAI,CAAC,aAAa,GAAG,OAAO,CAAC,aAAa,IAAI,EAAE,CAAC;QACjD,IAAI,CAAC,GAAG,GAAG,OAAO,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC;QAClE,IAAI,CAAC,WAAW,GAAG,OAAO,CAAC,WAAW,CAAC;QACvC,IAAI,CAAC,WAAW,GAAG,OAAO,CAAC,WAAW,IAAI,IAAI,CAAC;IACjD,CAAC;IAED,UAAU;QACR,OAAO,IAAI,CAAC,OAAO,CAAC;IACtB,CAAC;IAED,KAAK,CAAC,iBAAiB;QACrB,IAAI,IAAI,CAAC,QAAQ;YAAE,OAAO,IAAI,CAAC,QAAQ,CAAC;QACxC,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC,sBAAsB,EAAE,CAAC,OAAO,CAAC,GAAG,EAAE;YACzD,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC;QACvB,CAAC,CAAC,CAAC;QACH,OAAO,IAAI,CAAC,QAAQ,CAAC;IACvB,CAAC;IAEO,KAAK,CAAC,sBAAsB;QAClC,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,cAAc,EAAE,CAAC;QAE1C,IAAI,KAAK,CAAC,WAAW,IAAI,CAAC,cAAc,CAAC,KAAK,CAAC,EAAE,CAAC;YAChD,OAAO,KAAK,CAAC,WAAW,CAAC;QAC3B,CAAC;QAED,IAAI,KAAK,CAAC,YAAY,EAAE,CAAC;YACvB,IAAI,CAAC;gBACH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,WAAW,EAAE,CAAC;gBAC1C,MAAM,KAAK,GAAG,MAAM,kBAAkB,CAAC;oBACrC,aAAa,EAAE,QAAQ,CAAC,cAAc;oBACtC,QAAQ,EAAE,KAAK,CAAC,QAAQ;oBACxB,YAAY,EAAE,KAAK,CAAC,YAAY;oBAChC,YAAY,EAAE,KAAK,CAAC,YAAY;oBAChC,SAAS,EAAE,IAAI,CAAC,SAAS;iBAC1B,CAAC,CAAC;gBACH,MAAM,OAAO,GAAG,kBAAkB,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;gBACjD,IAAI,CAAC,WAAW,GAAG,OAAO,CAAC;gBAC3B,MAAM,eAAe,CAAC,IAAI,CAAC,eAAe,EAAE,OAAO,CAAC,CAAC;gBACrD,OAAO,OAAO,CAAC,WAAY,CAAC;YAC9B,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,IAAI,CAAC,GAAG,CACN,kEAAmE,GAAa,CAAC,OAAO,EAAE,CAC3F,CAAC;YACJ,CAAC;QACH,CAAC;QAED,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;YACtB,MAAM,IAAI,KAAK,CACb,wGAAwG,CACzG,CAAC;QACJ,CAAC;QAED,OAAO,IAAI,CAAC,cAAc,EAAE,CAAC;IAC/B,CAAC;IAED,0DAA0D;IAC1D,KAAK,CAAC,oBAAoB;QACxB,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,cAAc,EAAE,CAAC;QAC1C,IAAI,CAAC,WAAW,GAAG,EAAE,GAAG,KAAK,EAAE,WAAW,EAAE,SAAS,EAAE,SAAS,EAAE,SAAS,EAAE,CAAC;QAC9E,OAAO,IAAI,CAAC,iBAAiB,EAAE,CAAC;IAClC,CAAC;IAEO,KAAK,CAAC,cAAc;QAC1B,IAAI,IAAI,CAAC,WAAW;YAAE,OAAO,IAAI,CAAC,WAAW,CAAC;QAC9C,MAAM,MAAM,GAAG,MAAM,eAAe,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;QAC3D,IAAI,MAAM,IAAI,MAAM,CAAC,OAAO,KAAK,IAAI,CAAC,OAAO,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;YACjE,IAAI,CAAC,WAAW,GAAG,MAAM,CAAC;YAC1B,OAAO,MAAM,CAAC;QAChB,CAAC;QACD,IAAI,MAAM,IAAI,MAAM,CAAC,OAAO,KAAK,IAAI,CAAC,OAAO,EAAE,CAAC;YAC9C,IAAI,CAAC,GAAG,CACN,8BAA8B,MAAM,CAAC,OAAO,8CAA8C,IAAI,CAAC,OAAO,gCAAgC,CACvI,CAAC;QACJ,CAAC;QACD,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,WAAW,EAAE,CAAC;QAC1C,IAAI,CAAC,QAAQ,CAAC,qBAAqB,EAAE,CAAC;YACpC,MAAM,IAAI,KAAK,CACb,sGAAsG,CACvG,CAAC;QACJ,CAAC;QACD,MAAM,mBAAmB,GAAG,2BAA2B,CAAC;QACxD,IAAI,CAAC,GAAG,CAAC,6DAA6D,CAAC,CAAC;QACxE,MAAM,YAAY,GAAG,MAAM,cAAc,CACvC,QAAQ,CAAC,qBAAqB,EAC9B;YACE,WAAW,EAAE,IAAI,CAAC,UAAU;YAC5B,aAAa,EAAE,CAAC,mBAAmB,CAAC;YACpC,WAAW,EAAE,CAAC,oBAAoB,EAAE,eAAe,CAAC;YACpD,cAAc,EAAE,CAAC,MAAM,CAAC;YACxB,0BAA0B,EAAE,MAAM;YAClC,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,gBAAgB,EAAE,QAAQ;SAC3B,EACD,IAAI,CAAC,SAAS,CACf,CAAC;QACF,MAAM,KAAK,GAAsB;YAC/B,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,QAAQ,EAAE,YAAY,CAAC,SAAS;YAChC,YAAY,EAAE,YAAY,CAAC,aAAa;YACxC,uBAAuB,EAAE,YAAY,CAAC,yBAAyB;YAC/D,qBAAqB,EAAE,YAAY,CAAC,uBAAuB;SAC5D,CAAC;QACF,IAAI,CAAC,WAAW,GAAG,KAAK,CAAC;QACzB,MAAM,eAAe,CAAC,IAAI,CAAC,eAAe,EAAE,KAAK,CAAC,CAAC;QACnD,OAAO,KAAK,CAAC;IACf,CAAC;IAEO,KAAK,CAAC,WAAW;QACvB,IAAI,IAAI,CAAC,QAAQ;YAAE,OAAO,IAAI,CAAC,QAAQ,CAAC;QACxC,IAAI,CAAC,QAAQ,GAAG,MAAM,2BAA2B,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,CAAC;QAChF,OAAO,IAAI,CAAC,QAAQ,CAAC;IACvB,CAAC;IAEO,KAAK,CAAC,cAAc;QAC1B,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,cAAc,EAAE,CAAC;QAC1C,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,WAAW,EAAE,CAAC;QAC1C,IAAI,CAAC,GAAG,CACN,qFAAqF,CACtF,CAAC;QACF,MAAM,aAAa,GAAG,MAAM,4BAA4B,CAAC;YACvD,QAAQ;YACR,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,YAAY,EAAE,KAAK,CAAC,YAAY;YAChC,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,cAAc,EAAE,IAAI,CAAC,aAAa;YAClC,SAAS,EAAE,IAAI,CAAC,SAAS;YACzB,WAAW,EAAE,IAAI,CAAC,WAAW;YAC7B,kBAAkB,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,kBAAkB,GAAG,EAAE,CAAC;SAC/D,CAAC,CAAC;QACH,MAAM,OAAO,GAAG,kBAAkB,CAAC,KAAK,EAAE,aAAa,CAAC,CAAC;QACzD,IAAI,CAAC,WAAW,GAAG,OAAO,CAAC;QAC3B,MAAM,eAAe,CAAC,IAAI,CAAC,eAAe,EAAE,OAAO,CAAC,CAAC;QACrD,OAAO,OAAO,CAAC,WAAY,CAAC;IAC9B,CAAC;CACF;AAED;;;GAGG;AACH,MAAM,OAAO,iBAAiB;IACR;IAApB,YAAoB,cAA6B;QAA7B,mBAAc,GAAd,cAAc,CAAe;IAAG,CAAC;IAErD,GAAG;QACD,OAAO,IAAI,CAAC,cAAc,CAAC;IAC7B,CAAC;IAED,GAAG,CAAC,EAAiB;QACnB,IAAI,CAAC,cAAc,GAAG,EAAE,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;IACxD,CAAC;CACF"}

package/dist/auth/discovery.d.ts

@@ -0,0 +1,14 @@
+export interface AuthorizationServerMetadata {
+    issuer: string;
+    authorization_endpoint: string;
+    token_endpoint: string;
+    registration_endpoint?: string;
+    jwks_uri?: string;
+    scopes_supported?: string[];
+    response_types_supported?: string[];
+    grant_types_supported?: string[];
+    code_challenge_methods_supported?: string[];
+    token_endpoint_auth_methods_supported?: string[];
+}
+export declare function discoverAuthorizationServer(baseUrl: string, fetchImpl?: typeof fetch): Promise<AuthorizationServerMetadata>;
+export declare function clearDiscoveryCache(): void;

package/dist/auth/discovery.js

@@ -0,0 +1,26 @@
+const cache = new Map();
+const TTL_MS = 5 * 60 * 1000;
+export async function discoverAuthorizationServer(baseUrl, fetchImpl = fetch) {
+    const normalized = baseUrl.replace(/\/+$/, "");
+    const cached = cache.get(normalized);
+    if (cached && cached.expiresAt > Date.now()) {
+        return cached.value;
+    }
+    const url = `${normalized}/.well-known/oauth-authorization-server`;
+    const response = await fetchImpl(url, {
+        headers: { accept: "application/json" },
+    });
+    if (!response.ok) {
+        throw new Error(`Authorization Server discovery failed (${response.status} ${response.statusText}) at ${url}`);
+    }
+    const metadata = (await response.json());
+    if (!metadata.authorization_endpoint || !metadata.token_endpoint) {
+        throw new Error("Discovery document is missing authorization_endpoint or token_endpoint");
+    }
+    cache.set(normalized, { value: metadata, expiresAt: Date.now() + TTL_MS });
+    return metadata;
+}
+export function clearDiscoveryCache() {
+    cache.clear();
+}
+//# sourceMappingURL=discovery.js.map

package/dist/auth/discovery.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"discovery.js","sourceRoot":"","sources":["../../src/auth/discovery.ts"],"names":[],"mappings":"AAaA,MAAM,KAAK,GAAG,IAAI,GAAG,EAAqE,CAAC;AAC3F,MAAM,MAAM,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;AAE7B,MAAM,CAAC,KAAK,UAAU,2BAA2B,CAC/C,OAAe,EACf,YAA0B,KAAK;IAE/B,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IAC/C,MAAM,MAAM,GAAG,KAAK,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IACrC,IAAI,MAAM,IAAI,MAAM,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;QAC5C,OAAO,MAAM,CAAC,KAAK,CAAC;IACtB,CAAC;IAED,MAAM,GAAG,GAAG,GAAG,UAAU,yCAAyC,CAAC;IACnE,MAAM,QAAQ,GAAG,MAAM,SAAS,CAAC,GAAG,EAAE;QACpC,OAAO,EAAE,EAAE,MAAM,EAAE,kBAAkB,EAAE;KACxC,CAAC,CAAC;IAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,IAAI,KAAK,CACb,0CAA0C,QAAQ,CAAC,MAAM,IAAI,QAAQ,CAAC,UAAU,QAAQ,GAAG,EAAE,CAC9F,CAAC;IACJ,CAAC;IAED,MAAM,QAAQ,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAgC,CAAC;IAExE,IAAI,CAAC,QAAQ,CAAC,sBAAsB,IAAI,CAAC,QAAQ,CAAC,cAAc,EAAE,CAAC;QACjE,MAAM,IAAI,KAAK,CAAC,wEAAwE,CAAC,CAAC;IAC5F,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,UAAU,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,EAAE,CAAC,CAAC;IAC3E,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,MAAM,UAAU,mBAAmB;IACjC,KAAK,CAAC,KAAK,EAAE,CAAC;AAChB,CAAC"}

package/dist/auth/flow.d.ts

@@ -0,0 +1,21 @@
+import type { AuthorizationServerMetadata } from "./discovery.js";
+import type { TokenResponse } from "./tokens.js";
+export interface AuthorizationCodeFlowOptions {
+    metadata: AuthorizationServerMetadata;
+    clientId: string;
+    clientSecret?: string;
+    scope: string;
+    preferredPorts?: number[];
+    fetchImpl?: typeof fetch;
+    openBrowser?: (url: string) => Promise<unknown>;
+    onAuthorizationUrl?: (url: string) => void;
+}
+export declare function performAuthorizationCodeFlow(options: AuthorizationCodeFlowOptions): Promise<TokenResponse>;
+export declare function refreshAccessToken(opts: {
+    tokenEndpoint: string;
+    clientId: string;
+    clientSecret?: string;
+    refreshToken: string;
+    scope?: string;
+    fetchImpl?: typeof fetch;
+}): Promise<TokenResponse>;

package/dist/auth/flow.js

@@ -0,0 +1,188 @@
+import { createServer } from "node:http";
+import open from "open";
+import { generatePkcePair, generateState } from "./pkce.js";
+export async function performAuthorizationCodeFlow(options) {
+    const fetchImpl = options.fetchImpl ?? fetch;
+    const opener = options.openBrowser ?? ((url) => open(url));
+    const pkce = generatePkcePair();
+    const state = generateState();
+    const { redirectUri, awaitCallback, closeServer } = await startLoopbackServer(options.preferredPorts);
+    const authorizeUrl = buildAuthorizationUrl({
+        endpoint: options.metadata.authorization_endpoint,
+        clientId: options.clientId,
+        redirectUri,
+        scope: options.scope,
+        state,
+        codeChallenge: pkce.challenge,
+    });
+    options.onAuthorizationUrl?.(authorizeUrl);
+    try {
+        await opener(authorizeUrl);
+    }
+    catch {
+        // The browser could not be opened automatically. The URL was already emitted via onAuthorizationUrl.
+    }
+    try {
+        const { code, state: returnedState } = await awaitCallback;
+        if (returnedState !== state) {
+            throw new Error("OAuth state does not match, possible CSRF attempt.");
+        }
+        return await exchangeCodeForToken({
+            tokenEndpoint: options.metadata.token_endpoint,
+            clientId: options.clientId,
+            clientSecret: options.clientSecret,
+            code,
+            redirectUri,
+            codeVerifier: pkce.verifier,
+            fetchImpl,
+        });
+    }
+    finally {
+        closeServer();
+    }
+}
+function buildAuthorizationUrl(opts) {
+    const url = new URL(opts.endpoint);
+    url.searchParams.set("response_type", "code");
+    url.searchParams.set("client_id", opts.clientId);
+    url.searchParams.set("redirect_uri", opts.redirectUri);
+    url.searchParams.set("scope", opts.scope);
+    url.searchParams.set("state", opts.state);
+    url.searchParams.set("code_challenge", opts.codeChallenge);
+    url.searchParams.set("code_challenge_method", "S256");
+    return url.toString();
+}
+async function startLoopbackServer(preferredPorts) {
+    let resolveCallback;
+    let rejectCallback;
+    const awaitCallback = new Promise((resolve, reject) => {
+        resolveCallback = resolve;
+        rejectCallback = reject;
+    });
+    const server = createServer((req, res) => {
+        const url = new URL(req.url ?? "/", "http://127.0.0.1");
+        if (url.pathname !== "/callback") {
+            res.statusCode = 404;
+            res.end("Not Found");
+            return;
+        }
+        const error = url.searchParams.get("error");
+        if (error) {
+            const description = url.searchParams.get("error_description") ?? "";
+            res.statusCode = 400;
+            res.setHeader("content-type", "text/html; charset=utf-8");
+            res.end(renderHtml("Sign in failed", `The authorization server returned an error: <code>${escapeHtml(error)}</code>${description ? ` (${escapeHtml(description)})` : ""}.`));
+            rejectCallback(new Error(`Authorization server reported an error: ${error} ${description}`));
+            return;
+        }
+        const code = url.searchParams.get("code");
+        const state = url.searchParams.get("state");
+        if (!code || !state) {
+            res.statusCode = 400;
+            res.setHeader("content-type", "text/html; charset=utf-8");
+            res.end(renderHtml("Invalid response", "The callback is missing code or state."));
+            rejectCallback(new Error("Callback without code or state"));
+            return;
+        }
+        res.statusCode = 200;
+        res.setHeader("content-type", "text/html; charset=utf-8");
+        res.end(renderHtml("Sign in successful", "You can close this window and return to the terminal."));
+        resolveCallback({ code, state });
+    });
+    const port = await listenOnFirstAvailablePort(server, preferredPorts ?? []);
+    const redirectUri = `http://127.0.0.1:${port}/callback`;
+    return {
+        redirectUri,
+        awaitCallback,
+        closeServer: () => server.close(),
+    };
+}
+async function listenOnFirstAvailablePort(server, preferredPorts) {
+    const tryListen = (port) => new Promise((resolve, reject) => {
+        const onError = (err) => {
+            server.off("listening", onListening);
+            reject(err);
+        };
+        const onListening = () => {
+            server.off("error", onError);
+            const address = server.address();
+            resolve(address.port);
+        };
+        server.once("error", onError);
+        server.once("listening", onListening);
+        server.listen(port, "127.0.0.1");
+    });
+    for (const port of preferredPorts) {
+        try {
+            return await tryListen(port);
+        }
+        catch (err) {
+            if (err.code !== "EADDRINUSE") {
+                throw err;
+            }
+        }
+    }
+    return await tryListen(0);
+}
+async function exchangeCodeForToken(opts) {
+    const body = new URLSearchParams({
+        grant_type: "authorization_code",
+        code: opts.code,
+        redirect_uri: opts.redirectUri,
+        client_id: opts.clientId,
+        code_verifier: opts.codeVerifier,
+    });
+    if (opts.clientSecret) {
+        body.set("client_secret", opts.clientSecret);
+    }
+    const response = await opts.fetchImpl(opts.tokenEndpoint, {
+        method: "POST",
+        headers: {
+            "content-type": "application/x-www-form-urlencoded",
+            accept: "application/json",
+        },
+        body: body.toString(),
+    });
+    if (!response.ok) {
+        const text = await response.text().catch(() => "");
+        throw new Error(`Token exchange failed (${response.status}): ${text}`);
+    }
+    return (await response.json());
+}
+export async function refreshAccessToken(opts) {
+    const fetchImpl = opts.fetchImpl ?? fetch;
+    const body = new URLSearchParams({
+        grant_type: "refresh_token",
+        refresh_token: opts.refreshToken,
+        client_id: opts.clientId,
+    });
+    if (opts.clientSecret)
+        body.set("client_secret", opts.clientSecret);
+    if (opts.scope)
+        body.set("scope", opts.scope);
+    const response = await fetchImpl(opts.tokenEndpoint, {
+        method: "POST",
+        headers: {
+            "content-type": "application/x-www-form-urlencoded",
+            accept: "application/json",
+        },
+        body: body.toString(),
+    });
+    if (!response.ok) {
+        const text = await response.text().catch(() => "");
+        throw new Error(`Token refresh failed (${response.status}): ${text}`);
+    }
+    return (await response.json());
+}
+function renderHtml(title, message) {
+    return `<!doctype html><html lang="en"><head><meta charset="utf-8"><title>${escapeHtml(title)}</title><style>body{font-family:system-ui,sans-serif;max-width:520px;margin:64px auto;padding:0 24px;color:#1d1f23}h1{font-size:1.4rem;margin-bottom:0.5rem}p{line-height:1.5}</style></head><body><h1>${escapeHtml(title)}</h1><p>${message}</p></body></html>`;
+}
+function escapeHtml(input) {
+    return input
+        .replace(/&/g, "&amp;")
+        .replace(/</g, "&lt;")
+        .replace(/>/g, "&gt;")
+        .replace(/"/g, "&quot;")
+        .replace(/'/g, "&#39;");
+}
+//# sourceMappingURL=flow.js.map

package/dist/auth/flow.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"flow.js","sourceRoot":"","sources":["../../src/auth/flow.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAA6C,MAAM,WAAW,CAAC;AAEpF,OAAO,IAAI,MAAM,MAAM,CAAC;AACxB,OAAO,EAAE,gBAAgB,EAAE,aAAa,EAAE,MAAM,WAAW,CAAC;AAe5D,MAAM,CAAC,KAAK,UAAU,4BAA4B,CAChD,OAAqC;IAErC,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,KAAK,CAAC;IAC7C,MAAM,MAAM,GAAG,OAAO,CAAC,WAAW,IAAI,CAAC,CAAC,GAAW,EAAE,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;IAEnE,MAAM,IAAI,GAAG,gBAAgB,EAAE,CAAC;IAChC,MAAM,KAAK,GAAG,aAAa,EAAE,CAAC;IAE9B,MAAM,EAAE,WAAW,EAAE,aAAa,EAAE,WAAW,EAAE,GAAG,MAAM,mBAAmB,CAC3E,OAAO,CAAC,cAAc,CACvB,CAAC;IAEF,MAAM,YAAY,GAAG,qBAAqB,CAAC;QACzC,QAAQ,EAAE,OAAO,CAAC,QAAQ,CAAC,sBAAsB;QACjD,QAAQ,EAAE,OAAO,CAAC,QAAQ;QAC1B,WAAW;QACX,KAAK,EAAE,OAAO,CAAC,KAAK;QACpB,KAAK;QACL,aAAa,EAAE,IAAI,CAAC,SAAS;KAC9B,CAAC,CAAC;IAEH,OAAO,CAAC,kBAAkB,EAAE,CAAC,YAAY,CAAC,CAAC;IAE3C,IAAI,CAAC;QACH,MAAM,MAAM,CAAC,YAAY,CAAC,CAAC;IAC7B,CAAC;IAAC,MAAM,CAAC;QACP,qGAAqG;IACvG,CAAC;IAED,IAAI,CAAC;QACH,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,aAAa,EAAE,GAAG,MAAM,aAAa,CAAC;QAC3D,IAAI,aAAa,KAAK,KAAK,EAAE,CAAC;YAC5B,MAAM,IAAI,KAAK,CAAC,oDAAoD,CAAC,CAAC;QACxE,CAAC;QACD,OAAO,MAAM,oBAAoB,CAAC;YAChC,aAAa,EAAE,OAAO,CAAC,QAAQ,CAAC,cAAc;YAC9C,QAAQ,EAAE,OAAO,CAAC,QAAQ;YAC1B,YAAY,EAAE,OAAO,CAAC,YAAY;YAClC,IAAI;YACJ,WAAW;YACX,YAAY,EAAE,IAAI,CAAC,QAAQ;YAC3B,SAAS;SACV,CAAC,CAAC;IACL,CAAC;YAAS,CAAC;QACT,WAAW,EAAE,CAAC;IAChB,CAAC;AACH,CAAC;AAWD,SAAS,qBAAqB,CAAC,IAA6B;IAC1D,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACnC,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC;IAC9C,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC;IACjD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC;IACvD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC;IAC1C,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC;IAC1C,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,gBAAgB,EAAE,IAAI,CAAC,aAAa,CAAC,CAAC;IAC3D,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,uBAAuB,EAAE,MAAM,CAAC,CAAC;IACtD,OAAO,GAAG,CAAC,QAAQ,EAAE,CAAC;AACxB,CAAC;AAOD,KAAK,UAAU,mBAAmB,CAAC,cAAyB;IAK1D,IAAI,eAAkD,CAAC;IACvD,IAAI,cAAqC,CAAC;IAC1C,MAAM,aAAa,GAAG,IAAI,OAAO,CAAiB,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACpE,eAAe,GAAG,OAAO,CAAC;QAC1B,cAAc,GAAG,MAAM,CAAC;IAC1B,CAAC,CAAC,CAAC;IAEH,MAAM,MAAM,GAAG,YAAY,CAAC,CAAC,GAAoB,EAAE,GAAmB,EAAE,EAAE;QACxE,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,IAAI,GAAG,EAAE,kBAAkB,CAAC,CAAC;QACxD,IAAI,GAAG,CAAC,QAAQ,KAAK,WAAW,EAAE,CAAC;YACjC,GAAG,CAAC,UAAU,GAAG,GAAG,CAAC;YACrB,GAAG,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;YACrB,OAAO;QACT,CAAC;QACD,MAAM,KAAK,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAC5C,IAAI,KAAK,EAAE,CAAC;YACV,MAAM,WAAW,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,mBAAmB,CAAC,IAAI,EAAE,CAAC;YACpE,GAAG,CAAC,UAAU,GAAG,GAAG,CAAC;YACrB,GAAG,CAAC,SAAS,CAAC,cAAc,EAAE,0BAA0B,CAAC,CAAC;YAC1D,GAAG,CAAC,GAAG,CACL,UAAU,CACR,gBAAgB,EAChB,qDAAqD,UAAU,CAAC,KAAK,CAAC,UAAU,WAAW,CAAC,CAAC,CAAC,KAAK,UAAU,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,GAAG,CACtI,CACF,CAAC;YACF,cAAc,CAAC,IAAI,KAAK,CAAC,2CAA2C,KAAK,IAAI,WAAW,EAAE,CAAC,CAAC,CAAC;YAC7F,OAAO;QACT,CAAC;QACD,MAAM,IAAI,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAC1C,MAAM,KAAK,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAC5C,IAAI,CAAC,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YACpB,GAAG,CAAC,UAAU,GAAG,GAAG,CAAC;YACrB,GAAG,CAAC,SAAS,CAAC,cAAc,EAAE,0BAA0B,CAAC,CAAC;YAC1D,GAAG,CAAC,GAAG,CAAC,UAAU,CAAC,kBAAkB,EAAE,wCAAwC,CAAC,CAAC,CAAC;YAClF,cAAc,CAAC,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC,CAAC;YAC5D,OAAO;QACT,CAAC;QACD,GAAG,CAAC,UAAU,GAAG,GAAG,CAAC;QACrB,GAAG,CAAC,SAAS,CAAC,cAAc,EAAE,0BAA0B,CAAC,CAAC;QAC1D,GAAG,CAAC,GAAG,CACL,UAAU,CACR,oBAAoB,EACpB,uDAAuD,CACxD,CACF,CAAC;QACF,eAAe,CAAC,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IACnC,CAAC,CAAC,CAAC;IAEH,MAAM,IAAI,GAAG,MAAM,0BAA0B,CAAC,MAAM,EAAE,cAAc,IAAI,EAAE,CAAC,CAAC;IAC5E,MAAM,WAAW,GAAG,oBAAoB,IAAI,WAAW,CAAC;IAExD,OAAO;QACL,WAAW;QACX,aAAa;QACb,WAAW,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,KAAK,EAAE;KAClC,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,0BAA0B,CACvC,MAAuC,EACvC,cAAwB;IAExB,MAAM,SAAS,GAAG,CAAC,IAAY,EAAE,EAAE,CACjC,IAAI,OAAO,CAAS,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACtC,MAAM,OAAO,GAAG,CAAC,GAA0B,EAAE,EAAE;YAC7C,MAAM,CAAC,GAAG,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC;YACrC,MAAM,CAAC,GAAG,CAAC,CAAC;QACd,CAAC,CAAC;QACF,MAAM,WAAW,GAAG,GAAG,EAAE;YACvB,MAAM,CAAC,GAAG,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;YAC7B,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,EAAiB,CAAC;YAChD,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QACxB,CAAC,CAAC;QACF,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;QAC9B,MAAM,CAAC,IAAI,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC;QACtC,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC;IACnC,CAAC,CAAC,CAAC;IAEL,KAAK,MAAM,IAAI,IAAI,cAAc,EAAE,CAAC;QAClC,IAAI,CAAC;YACH,OAAO,MAAM,SAAS,CAAC,IAAI,CAAC,CAAC;QAC/B,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAK,GAA6B,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;gBACzD,MAAM,GAAG,CAAC;YACZ,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,MAAM,SAAS,CAAC,CAAC,CAAC,CAAC;AAC5B,CAAC;AAYD,KAAK,UAAU,oBAAoB,CAAC,IAA0B;IAC5D,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC;QAC/B,UAAU,EAAE,oBAAoB;QAChC,IAAI,EAAE,IAAI,CAAC,IAAI;QACf,YAAY,EAAE,IAAI,CAAC,WAAW;QAC9B,SAAS,EAAE,IAAI,CAAC,QAAQ;QACxB,aAAa,EAAE,IAAI,CAAC,YAAY;KACjC,CAAC,CAAC;IACH,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;QACtB,IAAI,CAAC,GAAG,CAAC,eAAe,EAAE,IAAI,CAAC,YAAY,CAAC,CAAC;IAC/C,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,aAAa,EAAE;QACxD,MAAM,EAAE,MAAM;QACd,OAAO,EAAE;YACP,cAAc,EAAE,mCAAmC;YACnD,MAAM,EAAE,kBAAkB;SAC3B;QACD,IAAI,EAAE,IAAI,CAAC,QAAQ,EAAE;KACtB,CAAC,CAAC;IAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC;QACnD,MAAM,IAAI,KAAK,CAAC,0BAA0B,QAAQ,CAAC,MAAM,MAAM,IAAI,EAAE,CAAC,CAAC;IACzE,CAAC;IACD,OAAO,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAkB,CAAC;AAClD,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAAC,IAOxC;IACC,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,KAAK,CAAC;IAC1C,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC;QAC/B,UAAU,EAAE,eAAe;QAC3B,aAAa,EAAE,IAAI,CAAC,YAAY;QAChC,SAAS,EAAE,IAAI,CAAC,QAAQ;KACzB,CAAC,CAAC;IACH,IAAI,IAAI,CAAC,YAAY;QAAE,IAAI,CAAC,GAAG,CAAC,eAAe,EAAE,IAAI,CAAC,YAAY,CAAC,CAAC;IACpE,IAAI,IAAI,CAAC,KAAK;QAAE,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC;IAE9C,MAAM,QAAQ,GAAG,MAAM,SAAS,CAAC,IAAI,CAAC,aAAa,EAAE;QACnD,MAAM,EAAE,MAAM;QACd,OAAO,EAAE;YACP,cAAc,EAAE,mCAAmC;YACnD,MAAM,EAAE,kBAAkB;SAC3B;QACD,IAAI,EAAE,IAAI,CAAC,QAAQ,EAAE;KACtB,CAAC,CAAC;IAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC;QACnD,MAAM,IAAI,KAAK,CAAC,yBAAyB,QAAQ,CAAC,MAAM,MAAM,IAAI,EAAE,CAAC,CAAC;IACxE,CAAC;IACD,OAAO,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAkB,CAAC;AAClD,CAAC;AAED,SAAS,UAAU,CAAC,KAAa,EAAE,OAAe;IAChD,OAAO,qEAAqE,UAAU,CAAC,KAAK,CAAC,0MAA0M,UAAU,CAAC,KAAK,CAAC,WAAW,OAAO,oBAAoB,CAAC;AACjW,CAAC;AAED,SAAS,UAAU,CAAC,KAAa;IAC/B,OAAO,KAAK;SACT,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC;SACtB,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC;SACrB,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC;SACrB,OAAO,CAAC,IAAI,EAAE,QAAQ,CAAC;SACvB,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;AAC5B,CAAC"}

package/dist/auth/pkce.d.ts

@@ -0,0 +1,7 @@
+export interface PkcePair {
+    verifier: string;
+    challenge: string;
+    method: "S256";
+}
+export declare function generatePkcePair(byteLength?: number): PkcePair;
+export declare function generateState(byteLength?: number): string;

package/dist/auth/pkce.js

@@ -0,0 +1,20 @@
+import { randomBytes, createHash } from "node:crypto";
+function base64UrlEncode(input) {
+    return input
+        .toString("base64")
+        .replace(/\+/g, "-")
+        .replace(/\//g, "_")
+        .replace(/=+$/, "");
+}
+export function generatePkcePair(byteLength = 32) {
+    if (byteLength < 32 || byteLength > 96) {
+        throw new Error("PKCE verifier byte length must be between 32 and 96.");
+    }
+    const verifier = base64UrlEncode(randomBytes(byteLength));
+    const challenge = base64UrlEncode(createHash("sha256").update(verifier).digest());
+    return { verifier, challenge, method: "S256" };
+}
+export function generateState(byteLength = 16) {
+    return base64UrlEncode(randomBytes(byteLength));
+}
+//# sourceMappingURL=pkce.js.map

package/dist/auth/pkce.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"pkce.js","sourceRoot":"","sources":["../../src/auth/pkce.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAQtD,SAAS,eAAe,CAAC,KAAa;IACpC,OAAO,KAAK;SACT,QAAQ,CAAC,QAAQ,CAAC;SAClB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;AACxB,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,UAAU,GAAG,EAAE;IAC9C,IAAI,UAAU,GAAG,EAAE,IAAI,UAAU,GAAG,EAAE,EAAE,CAAC;QACvC,MAAM,IAAI,KAAK,CAAC,sDAAsD,CAAC,CAAC;IAC1E,CAAC;IACD,MAAM,QAAQ,GAAG,eAAe,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC,CAAC;IAC1D,MAAM,SAAS,GAAG,eAAe,CAC/B,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,MAAM,EAAE,CAC/C,CAAC;IACF,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC;AACjD,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,UAAU,GAAG,EAAE;IAC3C,OAAO,eAAe,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC,CAAC;AAClD,CAAC"}

package/dist/auth/registration.d.ts

@@ -0,0 +1,21 @@
+export interface ClientRegistrationRequest {
+    client_name: string;
+    redirect_uris: string[];
+    grant_types: string[];
+    response_types: string[];
+    token_endpoint_auth_method: "none" | "client_secret_basic" | "client_secret_post";
+    scope: string;
+    application_type?: "native" | "web";
+}
+export interface ClientRegistrationResponse {
+    client_id: string;
+    client_secret?: string;
+    client_id_issued_at?: number;
+    client_secret_expires_at?: number;
+    registration_access_token?: string;
+    registration_client_uri?: string;
+    redirect_uris?: string[];
+    token_endpoint_auth_method?: string;
+    scope?: string;
+}
+export declare function registerClient(registrationEndpoint: string, request: ClientRegistrationRequest, fetchImpl?: typeof fetch): Promise<ClientRegistrationResponse>;

package/dist/auth/registration.js

@@ -0,0 +1,28 @@
+export async function registerClient(registrationEndpoint, request, fetchImpl = fetch) {
+    const response = await fetchImpl(registrationEndpoint, {
+        method: "POST",
+        headers: {
+            "content-type": "application/json",
+            accept: "application/json",
+        },
+        body: JSON.stringify(request),
+    });
+    if (!response.ok) {
+        const body = await safeReadText(response);
+        throw new Error(`Dynamic Client Registration failed (${response.status} ${response.statusText}): ${body}`);
+    }
+    const data = (await response.json());
+    if (!data.client_id) {
+        throw new Error("Registration response is missing client_id");
+    }
+    return data;
+}
+async function safeReadText(response) {
+    try {
+        return await response.text();
+    }
+    catch {
+        return "(response body unreadable)";
+    }
+}
+//# sourceMappingURL=registration.js.map

package/dist/auth/registration.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"registration.js","sourceRoot":"","sources":["../../src/auth/registration.ts"],"names":[],"mappings":"AAsBA,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,oBAA4B,EAC5B,OAAkC,EAClC,YAA0B,KAAK;IAE/B,MAAM,QAAQ,GAAG,MAAM,SAAS,CAAC,oBAAoB,EAAE;QACrD,MAAM,EAAE,MAAM;QACd,OAAO,EAAE;YACP,cAAc,EAAE,kBAAkB;YAClC,MAAM,EAAE,kBAAkB;SAC3B;QACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC;KAC9B,CAAC,CAAC;IAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,IAAI,GAAG,MAAM,YAAY,CAAC,QAAQ,CAAC,CAAC;QAC1C,MAAM,IAAI,KAAK,CACb,uCAAuC,QAAQ,CAAC,MAAM,IAAI,QAAQ,CAAC,UAAU,MAAM,IAAI,EAAE,CAC1F,CAAC;IACJ,CAAC;IAED,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAA+B,CAAC;IACnE,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC;QACpB,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC;IAChE,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,KAAK,UAAU,YAAY,CAAC,QAAkB;IAC5C,IAAI,CAAC;QACH,OAAO,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;IAC/B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,4BAA4B,CAAC;IACtC,CAAC;AACH,CAAC"}

package/dist/auth/tokens.d.ts

@@ -0,0 +1,25 @@
+export interface StoredCredentials {
+    baseUrl: string;
+    clientId: string;
+    clientSecret?: string;
+    registrationAccessToken?: string;
+    registrationClientUri?: string;
+    accessToken?: string;
+    refreshToken?: string;
+    tokenType?: string;
+    scope?: string;
+    expiresAt?: number;
+}
+export interface TokenResponse {
+    access_token: string;
+    token_type: string;
+    expires_in?: number;
+    refresh_token?: string;
+    scope?: string;
+    id_token?: string;
+}
+export declare function defaultCredentialsPath(): string;
+export declare function loadCredentials(path: string): Promise<StoredCredentials | null>;
+export declare function saveCredentials(path: string, creds: StoredCredentials): Promise<void>;
+export declare function applyTokenResponse(base: StoredCredentials, token: TokenResponse, now?: number): StoredCredentials;
+export declare function isTokenExpired(creds: StoredCredentials, now?: number): boolean;

package/dist/auth/tokens.js

@@ -0,0 +1,51 @@
+import { mkdir, readFile, writeFile, chmod } from "node:fs/promises";
+import { dirname } from "node:path";
+import { homedir } from "node:os";
+export function defaultCredentialsPath() {
+    const xdg = process.env.XDG_CONFIG_HOME;
+    const base = xdg && xdg.length > 0 ? xdg : `${homedir()}/.config`;
+    return `${base}/zuwiki-mcp/credentials.json`;
+}
+export async function loadCredentials(path) {
+    try {
+        const raw = await readFile(path, "utf8");
+        return JSON.parse(raw);
+    }
+    catch (err) {
+        if (err.code === "ENOENT") {
+            return null;
+        }
+        throw err;
+    }
+}
+export async function saveCredentials(path, creds) {
+    await mkdir(dirname(path), { recursive: true });
+    await writeFile(path, JSON.stringify(creds, null, 2) + "\n", "utf8");
+    try {
+        await chmod(path, 0o600);
+    }
+    catch {
+        // chmod is not available on Windows or non POSIX filesystems.
+    }
+}
+export function applyTokenResponse(base, token, now = Date.now()) {
+    const expiresAt = token.expires_in
+        ? now + Math.max(0, token.expires_in - 30) * 1000
+        : undefined;
+    return {
+        ...base,
+        accessToken: token.access_token,
+        refreshToken: token.refresh_token ?? base.refreshToken,
+        tokenType: token.token_type ?? base.tokenType ?? "Bearer",
+        scope: token.scope ?? base.scope,
+        expiresAt,
+    };
+}
+export function isTokenExpired(creds, now = Date.now()) {
+    if (!creds.accessToken)
+        return true;
+    if (!creds.expiresAt)
+        return false;
+    return creds.expiresAt <= now;
+}
+//# sourceMappingURL=tokens.js.map

package/dist/auth/tokens.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tokens.js","sourceRoot":"","sources":["../../src/auth/tokens.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,kBAAkB,CAAC;AACrE,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAwBlC,MAAM,UAAU,sBAAsB;IACpC,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC;IACxC,MAAM,IAAI,GAAG,GAAG,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,OAAO,EAAE,UAAU,CAAC;IAClE,OAAO,GAAG,IAAI,8BAA8B,CAAC;AAC/C,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,IAAY;IAChD,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;QACzC,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAsB,CAAC;IAC9C,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAK,GAA6B,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YACrD,OAAO,IAAI,CAAC;QACd,CAAC;QACD,MAAM,GAAG,CAAC;IACZ,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,IAAY,EAAE,KAAwB;IAC1E,MAAM,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAChD,MAAM,SAAS,CAAC,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,EAAE,MAAM,CAAC,CAAC;IACrE,IAAI,CAAC;QACH,MAAM,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;IAC3B,CAAC;IAAC,MAAM,CAAC;QACP,8DAA8D;IAChE,CAAC;AACH,CAAC;AAED,MAAM,UAAU,kBAAkB,CAChC,IAAuB,EACvB,KAAoB,EACpB,MAAc,IAAI,CAAC,GAAG,EAAE;IAExB,MAAM,SAAS,GAAG,KAAK,CAAC,UAAU;QAChC,CAAC,CAAC,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,CAAC,UAAU,GAAG,EAAE,CAAC,GAAG,IAAI;QACjD,CAAC,CAAC,SAAS,CAAC;IACd,OAAO;QACL,GAAG,IAAI;QACP,WAAW,EAAE,KAAK,CAAC,YAAY;QAC/B,YAAY,EAAE,KAAK,CAAC,aAAa,IAAI,IAAI,CAAC,YAAY;QACtD,SAAS,EAAE,KAAK,CAAC,UAAU,IAAI,IAAI,CAAC,SAAS,IAAI,QAAQ;QACzD,KAAK,EAAE,KAAK,CAAC,KAAK,IAAI,IAAI,CAAC,KAAK;QAChC,SAAS;KACV,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,cAAc,CAAC,KAAwB,EAAE,MAAc,IAAI,CAAC,GAAG,EAAE;IAC/E,IAAI,CAAC,KAAK,CAAC,WAAW;QAAE,OAAO,IAAI,CAAC;IACpC,IAAI,CAAC,KAAK,CAAC,SAAS;QAAE,OAAO,KAAK,CAAC;IACnC,OAAO,KAAK,CAAC,SAAS,IAAI,GAAG,CAAC;AAChC,CAAC"}

package/dist/cli.d.ts

@@ -0,0 +1,2 @@
+#!/usr/bin/env node
+export {};