@zykeco/sync-server 0.5.0 → 0.7.0

package/README.md

@@ -102,6 +102,76 @@ reply: { wiped: { dailyMetrics, weeklyMetrics, sleepSessions: number }, serverNo
 
 Deletes every row across the three sync namespaces (blobs untouched). The literal `confirm` string is enforced at the protocol layer.
 
+## MCP server
+
+The server ships an [MCP](https://modelcontextprotocol.io) endpoint at `POST /mcp` that exposes read-only tools over your synced data. Auth supports two OAuth 2.1 flows:
+
+- **`authorization_code` + PKCE** — for interactive clients like the Claude.ai web app and Claude Desktop "Custom Connectors". Dynamic Client Registration (RFC 7591) is supported.
+- **`client_credentials`** — for headless agents / CLIs that hold the `READ_SECRET` directly.
+
+### Required env vars
+
+| Var                     | Default | Purpose                                                                                            |
+| ----------------------- | ------- | -------------------------------------------------------------------------------------------------- |
+| `MCP_ENABLED`           | `true`  | Set `false` to disable the `/mcp` mount entirely.                                                  |
+| `MCP_CLIENT_ID`         | _req._  | Bootstrap client ID for the headless `client_credentials` grant. Public — pick anything memorable. |
+| `MCP_TOKEN_SECRET`      | _req._  | HMAC key for signing bearer tokens. ≥ 32 random bytes. Treat as a secret.                          |
+| `MCP_TOKEN_TTL_SECONDS` | `3600`  | Bearer token lifetime.                                                                             |
+
+### Endpoints
+
+| Method | Path                                      | Purpose                                                 |
+| ------ | ----------------------------------------- | ------------------------------------------------------- |
+| GET    | `/.well-known/oauth-authorization-server` | RFC 8414 metadata (root-level, what MCP clients probe). |
+| GET    | `/.well-known/oauth-protected-resource`   | RFC 9728 resource metadata pointing back to the AS.     |
+| POST   | `/mcp/register`                           | Dynamic Client Registration (RFC 7591).                 |
+| GET    | `/mcp/authorize`                          | Consent screen (PKCE flow).                             |
+| POST   | `/mcp/authorize`                          | Consent form submit — issues an authorization code.     |
+| POST   | `/mcp/oauth/token`                        | Token endpoint (both grants).                           |
+| POST   | `/mcp`                                    | MCP JSON-RPC. Requires `Authorization: Bearer <token>`. |
+
+### Connecting Claude.ai (web or desktop) as a custom connector
+
+1. **Deploy your server with `MCP_*` env vars set** and confirm it answers on a public HTTPS URL. From a browser, `https://YOUR_HOST/.well-known/oauth-authorization-server` should return JSON. If you self-host behind a proxy, make sure that path is forwarded to the sync server.
+2. **Open Claude.ai → Settings → Connectors → Add custom connector.**
+3. **Server URL:** enter `https://YOUR_HOST/mcp` (the `/mcp` path matters — that's the JSON-RPC endpoint, not the host root).
+4. **Click Connect.** Claude.ai will:
+   - Fetch the discovery doc at `/.well-known/oauth-authorization-server`.
+   - Self-register via `POST /mcp/register`.
+   - Open a new tab to `https://YOUR_HOST/mcp/authorize?...`.
+5. **On the consent screen:** verify the "Redirects to" line shows `https://claude.ai/api/mcp/auth_callback`. Paste your `READ_SECRET` into the form and click **Authorize**.
+6. **You're done.** Claude.ai redirects back, exchanges the code for a bearer token, and the connector goes online. The eight read tools (`list_daily_metrics`, `list_sleep_sessions`, `get_user_profile`, …) become available in the chat tool picker.
+
+Claude Desktop's "Add custom connector" flow is identical — same form, same URL.
+
+#### What if Claude.ai shows a 404 at `/authorize`?
+
+That means it's hitting the host root instead of the discovered path. Two causes:
+
+- The discovery doc isn't reachable. Curl `https://YOUR_HOST/.well-known/oauth-authorization-server` and confirm you get JSON, not your reverse proxy's 404 page. Add the path to your proxy rules.
+- You're on `@zykeco/sync-server < 0.7.0`. Upgrade — the auth-code flow ships from 0.7.0 onward.
+
+#### Token / client lifetime
+
+- Bearer tokens expire after `MCP_TOKEN_TTL_SECONDS` (default 1 h). Claude.ai re-runs the consent flow when expired.
+- DCR client registrations are **in-memory** — they don't survive a server restart. If you restart the server, remove the connector in Claude.ai and re-add it; takes ten seconds.
+
+### Connecting from headless agents (`client_credentials`)
+
+```bash
+# 1. Get a token using your READ_SECRET as the client secret.
+curl -X POST https://YOUR_HOST/mcp/oauth/token \
+  -d grant_type=client_credentials \
+  -d client_id=$MCP_CLIENT_ID \
+  -d client_secret=$READ_SECRET
+
+# 2. Use the access_token to call MCP.
+curl -X POST https://YOUR_HOST/mcp \
+  -H "Authorization: Bearer $ACCESS_TOKEN" \
+  -H "content-type: application/json" \
+  -d '{"jsonrpc":"2.0","id":1,"method":"tools/list"}'
+```
+
 ## Data model
 
 - **`daily_metrics`**, **`weekly_metrics`** — `{ id (PK), isoDate / weekStartIsoDate, metricKey, value, createdAt, updatedAt }`. Composite unique on `(date, metricKey)`.

package/dist/app.d.ts

@@ -0,0 +1,4 @@
+import { Hono } from 'hono';
+import type { Db } from './db/client.js';
+import type { Env } from './env.js';
+export declare function buildApp(db: Db, env: Env): Hono;

package/dist/app.js

@@ -0,0 +1,58 @@
+import { Hono } from 'hono';
+import { dailyMetricsRoutes } from './routes/daily-metrics.js';
+import { dailyStressBurdenRoutes } from './routes/daily-stress-burden.js';
+import { healthRoutes } from './routes/health.js';
+import { heartRateMinuteRoutes } from './routes/heart-rate-minute.js';
+import { hrZoneHistoryRoutes } from './routes/hr-zone-history.js';
+import { mcpRoutes } from './routes/mcp.js';
+import { sleepSessionsRoutes } from './routes/sleep-sessions.js';
+import { userProfileRoutes } from './routes/user-profile.js';
+import { userTimezonesRoutes } from './routes/user-timezones.js';
+import { weeklyMetricsRoutes } from './routes/weekly-metrics.js';
+import { wipeRoutes } from './routes/wipe.js';
+import { createDailyMetricsStore } from './stores/daily-metrics.js';
+import { createDailyStressBurdenStore } from './stores/daily-stress-burden.js';
+import { createHeartRateMinuteStore } from './stores/heart-rate-minute.js';
+import { createHrZoneHistoryStore } from './stores/hr-zone-history.js';
+import { createSleepSessionsStore } from './stores/sleep-sessions.js';
+import { createUserProfileStore } from './stores/user-profile.js';
+import { createUserTimezonesStore } from './stores/user-timezones.js';
+import { createWeeklyMetricsStore } from './stores/weekly-metrics.js';
+export function buildApp(db, env) {
+    const auth = { readSecret: env.readSecret, writeSecret: env.writeSecret };
+    const app = new Hono();
+    app.route('/v1/health', healthRoutes(db));
+    const dailyMetricsStore = createDailyMetricsStore(db);
+    const weeklyMetricsStore = createWeeklyMetricsStore(db);
+    const sleepSessionsStore = createSleepSessionsStore(db);
+    const userTimezonesStore = createUserTimezonesStore(db);
+    const userProfileStore = createUserProfileStore(db);
+    const dailyStressBurdenStore = createDailyStressBurdenStore(db);
+    const heartRateMinuteStore = createHeartRateMinuteStore(db);
+    const hrZoneHistoryStore = createHrZoneHistoryStore(db);
+    app.route('/v1/sync/daily-metrics', dailyMetricsRoutes(dailyMetricsStore, auth));
+    app.route('/v1/sync/weekly-metrics', weeklyMetricsRoutes(weeklyMetricsStore, auth));
+    app.route('/v1/sync/sleep-sessions', sleepSessionsRoutes(sleepSessionsStore, auth));
+    app.route('/v1/sync/user-timezones', userTimezonesRoutes(userTimezonesStore, auth));
+    app.route('/v1/sync/user-profile', userProfileRoutes(userProfileStore, auth));
+    app.route('/v1/sync/daily-stress-burden', dailyStressBurdenRoutes(dailyStressBurdenStore, auth));
+    app.route('/v1/sync/heart-rate-minute', heartRateMinuteRoutes(heartRateMinuteStore, auth));
+    app.route('/v1/sync/hr-zone-history', hrZoneHistoryRoutes(hrZoneHistoryStore, auth));
+    app.route('/v1/sync/wipe', wipeRoutes({
+        dailyMetrics: dailyMetricsStore,
+        weeklyMetrics: weeklyMetricsStore,
+        sleepSessions: sleepSessionsStore,
+        userTimezones: userTimezonesStore,
+        userProfile: userProfileStore,
+        dailyStressBurden: dailyStressBurdenStore,
+        heartRateMinute: heartRateMinuteStore,
+        hrZoneHistory: hrZoneHistoryStore,
+    }, auth));
+    if (env.mcp) {
+        const { mcp, discovery } = mcpRoutes({ db, env, mcp: env.mcp });
+        app.route('/mcp', mcp);
+        app.route('/', discovery);
+    }
+    return app;
+}
+//# sourceMappingURL=app.js.map

package/dist/app.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"app.js","sourceRoot":"","sources":["../src/app.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAI5B,OAAO,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC;AAC/D,OAAO,EAAE,uBAAuB,EAAE,MAAM,iCAAiC,CAAC;AAC1E,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAAE,qBAAqB,EAAE,MAAM,+BAA+B,CAAC;AACtE,OAAO,EAAE,mBAAmB,EAAE,MAAM,6BAA6B,CAAC;AAClE,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,OAAO,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAC;AACjE,OAAO,EAAE,iBAAiB,EAAE,MAAM,0BAA0B,CAAC;AAC7D,OAAO,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAC;AACjE,OAAO,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAC;AACjE,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAC9C,OAAO,EAAE,uBAAuB,EAAE,MAAM,2BAA2B,CAAC;AACpE,OAAO,EAAE,4BAA4B,EAAE,MAAM,iCAAiC,CAAC;AAC/E,OAAO,EAAE,0BAA0B,EAAE,MAAM,+BAA+B,CAAC;AAC3E,OAAO,EAAE,wBAAwB,EAAE,MAAM,6BAA6B,CAAC;AACvE,OAAO,EAAE,wBAAwB,EAAE,MAAM,4BAA4B,CAAC;AACtE,OAAO,EAAE,sBAAsB,EAAE,MAAM,0BAA0B,CAAC;AAClE,OAAO,EAAE,wBAAwB,EAAE,MAAM,4BAA4B,CAAC;AACtE,OAAO,EAAE,wBAAwB,EAAE,MAAM,4BAA4B,CAAC;AAEtE,MAAM,UAAU,QAAQ,CAAC,EAAM,EAAE,GAAQ;IACvC,MAAM,IAAI,GAAe,EAAE,UAAU,EAAE,GAAG,CAAC,UAAU,EAAE,WAAW,EAAE,GAAG,CAAC,WAAW,EAAE,CAAC;IACtF,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;IAEvB,GAAG,CAAC,KAAK,CAAC,YAAY,EAAE,YAAY,CAAC,EAAE,CAAC,CAAC,CAAC;IAE1C,MAAM,iBAAiB,GAAG,uBAAuB,CAAC,EAAE,CAAC,CAAC;IACtD,MAAM,kBAAkB,GAAG,wBAAwB,CAAC,EAAE,CAAC,CAAC;IACxD,MAAM,kBAAkB,GAAG,wBAAwB,CAAC,EAAE,CAAC,CAAC;IACxD,MAAM,kBAAkB,GAAG,wBAAwB,CAAC,EAAE,CAAC,CAAC;IACxD,MAAM,gBAAgB,GAAG,sBAAsB,CAAC,EAAE,CAAC,CAAC;IACpD,MAAM,sBAAsB,GAAG,4BAA4B,CAAC,EAAE,CAAC,CAAC;IAChE,MAAM,oBAAoB,GAAG,0BAA0B,CAAC,EAAE,CAAC,CAAC;IAC5D,MAAM,kBAAkB,GAAG,wBAAwB,CAAC,EAAE,CAAC,CAAC;IAExD,GAAG,CAAC,KAAK,CAAC,wBAAwB,EAAE,kBAAkB,CAAC,iBAAiB,EAAE,IAAI,CAAC,CAAC,CAAC;IACjF,GAAG,CAAC,KAAK,CAAC,yBAAyB,EAAE,mBAAmB,CAAC,kBAAkB,EAAE,IAAI,CAAC,CAAC,CAAC;IACpF,GAAG,CAAC,KAAK,CAAC,yBAAyB,EAAE,mBAAmB,CAAC,kBAAkB,EAAE,IAAI,CAAC,CAAC,CAAC;IACpF,GAAG,CAAC,KAAK,CAAC,yBAAyB,EAAE,mBAAmB,CAAC,kBAAkB,EAAE,IAAI,CAAC,CAAC,CAAC;IACpF,GAAG,CAAC,KAAK,CAAC,uBAAuB,EAAE,iBAAiB,CAAC,gBAAgB,EAAE,IAAI,CAAC,CAAC,CAAC;IAC9E,GAAG,CAAC,KAAK,CAAC,8BAA8B,EAAE,uBAAuB,CAAC,sBAAsB,EAAE,IAAI,CAAC,CAAC,CAAC;IACjG,GAAG,CAAC,KAAK,CAAC,4BAA4B,EAAE,qBAAqB,CAAC,oBAAoB,EAAE,IAAI,CAAC,CAAC,CAAC;IAC3F,GAAG,CAAC,KAAK,CAAC,0BAA0B,EAAE,mBAAmB,CAAC,kBAAkB,EAAE,IAAI,CAAC,CAAC,CAAC;IACrF,GAAG,CAAC,KAAK,CACP,eAAe,EACf,UAAU,CACR;QACE,YAAY,EAAE,iBAAiB;QAC/B,aAAa,EAAE,kBAAkB;QACjC,aAAa,EAAE,kBAAkB;QACjC,aAAa,EAAE,kBAAkB;QACjC,WAAW,EAAE,gBAAgB;QAC7B,iBAAiB,EAAE,sBAAsB;QACzC,eAAe,EAAE,oBAAoB;QACrC,aAAa,EAAE,kBAAkB;KAClC,EACD,IAAI,CACL,CACF,CAAC;IAEF,IAAI,GAAG,CAAC,GAAG,EAAE,CAAC;QACZ,MAAM,EAAE,GAAG,EAAE,SAAS,EAAE,GAAG,SAAS,CAAC,EAAE,EAAE,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,CAAC,CAAC;QAChE,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;QACvB,GAAG,CAAC,KAAK,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;IAC5B,CAAC;IAED,OAAO,GAAG,CAAC;AACb,CAAC"}

package/dist/env.d.ts

@@ -4,5 +4,11 @@ export interface Env {
     databaseUrl: string;
     readSecret: string;
     writeSecret: string;
+    mcp: McpEnv | null;
+}
+export interface McpEnv {
+    clientId: string;
+    tokenSecret: string;
+    tokenTtlSeconds: number;
 }
 export declare function loadEnv(): Env;

package/dist/env.js

@@ -4,7 +4,15 @@ export function loadEnv() {
     const databaseUrl = process.env.DATABASE_URL ?? 'file:./data/sync.db';
     const readSecret = required('READ_SECRET');
     const writeSecret = required('WRITE_SECRET');
-    return { port, databaseUrl, readSecret, writeSecret };
+    const mcpEnabled = (process.env.MCP_ENABLED ?? 'true').toLowerCase() !== 'false';
+    const mcp = mcpEnabled
+        ? {
+            clientId: required('MCP_CLIENT_ID'),
+            tokenSecret: required('MCP_TOKEN_SECRET'),
+            tokenTtlSeconds: Number(process.env.MCP_TOKEN_TTL_SECONDS ?? 3600),
+        }
+        : null;
+    return { port, databaseUrl, readSecret, writeSecret, mcp };
 }
 function required(name) {
     const value = process.env[name];

package/dist/env.js.map

@@ -1 +1 @@
-{"version":3,"file":"env.js","sourceRoot":"","sources":["../src/env.ts"],"names":[],"mappings":"AAAA,OAAO,eAAe,CAAC;AASvB,MAAM,UAAU,OAAO;IACrB,MAAM,IAAI,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,IAAI,CAAC,CAAC;IAC9C,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,YAAY,IAAI,qBAAqB,CAAC;IACtE,MAAM,UAAU,GAAG,QAAQ,CAAC,aAAa,CAAC,CAAC;IAC3C,MAAM,WAAW,GAAG,QAAQ,CAAC,cAAc,CAAC,CAAC;IAC7C,OAAO,EAAE,IAAI,EAAE,WAAW,EAAE,UAAU,EAAE,WAAW,EAAE,CAAC;AACxD,CAAC;AAED,SAAS,QAAQ,CAAC,IAAY;IAC5B,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAChC,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,IAAI,KAAK,CAAC,6BAA6B,IAAI,EAAE,CAAC,CAAC;IACvD,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC"}
+{"version":3,"file":"env.js","sourceRoot":"","sources":["../src/env.ts"],"names":[],"mappings":"AAAA,OAAO,eAAe,CAAC;AAgBvB,MAAM,UAAU,OAAO;IACrB,MAAM,IAAI,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,IAAI,CAAC,CAAC;IAC9C,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,YAAY,IAAI,qBAAqB,CAAC;IACtE,MAAM,UAAU,GAAG,QAAQ,CAAC,aAAa,CAAC,CAAC;IAC3C,MAAM,WAAW,GAAG,QAAQ,CAAC,cAAc,CAAC,CAAC;IAE7C,MAAM,UAAU,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,WAAW,IAAI,MAAM,CAAC,CAAC,WAAW,EAAE,KAAK,OAAO,CAAC;IACjF,MAAM,GAAG,GAAG,UAAU;QACpB,CAAC,CAAC;YACE,QAAQ,EAAE,QAAQ,CAAC,eAAe,CAAC;YACnC,WAAW,EAAE,QAAQ,CAAC,kBAAkB,CAAC;YACzC,eAAe,EAAE,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,qBAAqB,IAAI,IAAI,CAAC;SACnE;QACH,CAAC,CAAC,IAAI,CAAC;IAET,OAAO,EAAE,IAAI,EAAE,WAAW,EAAE,UAAU,EAAE,WAAW,EAAE,GAAG,EAAE,CAAC;AAC7D,CAAC;AAED,SAAS,QAAQ,CAAC,IAAY;IAC5B,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAChC,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,IAAI,KAAK,CAAC,6BAA6B,IAAI,EAAE,CAAC,CAAC;IACvD,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC"}

package/dist/index.js

@@ -1,58 +1,12 @@
 import { serve } from '@hono/node-server';
-import { Hono } from 'hono';
+import { buildApp } from './app.js';
 import { createDb } from './db/client.js';
 import { runMigrations } from './db/migrate.js';
 import { loadEnv } from './env.js';
-import { dailyMetricsRoutes } from './routes/daily-metrics.js';
-import { dailyStressBurdenRoutes } from './routes/daily-stress-burden.js';
-import { healthRoutes } from './routes/health.js';
-import { heartRateMinuteRoutes } from './routes/heart-rate-minute.js';
-import { hrZoneHistoryRoutes } from './routes/hr-zone-history.js';
-import { sleepSessionsRoutes } from './routes/sleep-sessions.js';
-import { userProfileRoutes } from './routes/user-profile.js';
-import { userTimezonesRoutes } from './routes/user-timezones.js';
-import { weeklyMetricsRoutes } from './routes/weekly-metrics.js';
-import { wipeRoutes } from './routes/wipe.js';
-import { createDailyMetricsStore } from './stores/daily-metrics.js';
-import { createDailyStressBurdenStore } from './stores/daily-stress-burden.js';
-import { createHeartRateMinuteStore } from './stores/heart-rate-minute.js';
-import { createHrZoneHistoryStore } from './stores/hr-zone-history.js';
-import { createSleepSessionsStore } from './stores/sleep-sessions.js';
-import { createUserProfileStore } from './stores/user-profile.js';
-import { createUserTimezonesStore } from './stores/user-timezones.js';
-import { createWeeklyMetricsStore } from './stores/weekly-metrics.js';
 const env = loadEnv();
 const db = createDb(env.databaseUrl);
 await runMigrations(db);
-const auth = { readSecret: env.readSecret, writeSecret: env.writeSecret };
-const app = new Hono();
-app.route('/v1/health', healthRoutes(db));
-const dailyMetricsStore = createDailyMetricsStore(db);
-const weeklyMetricsStore = createWeeklyMetricsStore(db);
-const sleepSessionsStore = createSleepSessionsStore(db);
-const userTimezonesStore = createUserTimezonesStore(db);
-const userProfileStore = createUserProfileStore(db);
-const dailyStressBurdenStore = createDailyStressBurdenStore(db);
-const heartRateMinuteStore = createHeartRateMinuteStore(db);
-const hrZoneHistoryStore = createHrZoneHistoryStore(db);
-app.route('/v1/sync/daily-metrics', dailyMetricsRoutes(dailyMetricsStore, auth));
-app.route('/v1/sync/weekly-metrics', weeklyMetricsRoutes(weeklyMetricsStore, auth));
-app.route('/v1/sync/sleep-sessions', sleepSessionsRoutes(sleepSessionsStore, auth));
-app.route('/v1/sync/user-timezones', userTimezonesRoutes(userTimezonesStore, auth));
-app.route('/v1/sync/user-profile', userProfileRoutes(userProfileStore, auth));
-app.route('/v1/sync/daily-stress-burden', dailyStressBurdenRoutes(dailyStressBurdenStore, auth));
-app.route('/v1/sync/heart-rate-minute', heartRateMinuteRoutes(heartRateMinuteStore, auth));
-app.route('/v1/sync/hr-zone-history', hrZoneHistoryRoutes(hrZoneHistoryStore, auth));
-app.route('/v1/sync/wipe', wipeRoutes({
-    dailyMetrics: dailyMetricsStore,
-    weeklyMetrics: weeklyMetricsStore,
-    sleepSessions: sleepSessionsStore,
-    userTimezones: userTimezonesStore,
-    userProfile: userProfileStore,
-    dailyStressBurden: dailyStressBurdenStore,
-    heartRateMinute: heartRateMinuteStore,
-    hrZoneHistory: hrZoneHistoryStore,
-}, auth));
+const app = buildApp(db, env);
 serve({ fetch: app.fetch, port: env.port }, (info) => {
     console.info(`zyke-sync listening on http://localhost:${info.port}`);
 });

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,mBAAmB,CAAC;AAE1C,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAE5B,OAAO,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAC;AAC1C,OAAO,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAChD,OAAO,EAAE,OAAO,EAAE,MAAM,UAAU,CAAC;AACnC,OAAO,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC;AAC/D,OAAO,EAAE,uBAAuB,EAAE,MAAM,iCAAiC,CAAC;AAC1E,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAAE,qBAAqB,EAAE,MAAM,+BAA+B,CAAC;AACtE,OAAO,EAAE,mBAAmB,EAAE,MAAM,6BAA6B,CAAC;AAClE,OAAO,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAC;AACjE,OAAO,EAAE,iBAAiB,EAAE,MAAM,0BAA0B,CAAC;AAC7D,OAAO,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAC;AACjE,OAAO,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAC;AACjE,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAC9C,OAAO,EAAE,uBAAuB,EAAE,MAAM,2BAA2B,CAAC;AACpE,OAAO,EAAE,4BAA4B,EAAE,MAAM,iCAAiC,CAAC;AAC/E,OAAO,EAAE,0BAA0B,EAAE,MAAM,+BAA+B,CAAC;AAC3E,OAAO,EAAE,wBAAwB,EAAE,MAAM,6BAA6B,CAAC;AACvE,OAAO,EAAE,wBAAwB,EAAE,MAAM,4BAA4B,CAAC;AACtE,OAAO,EAAE,sBAAsB,EAAE,MAAM,0BAA0B,CAAC;AAClE,OAAO,EAAE,wBAAwB,EAAE,MAAM,4BAA4B,CAAC;AACtE,OAAO,EAAE,wBAAwB,EAAE,MAAM,4BAA4B,CAAC;AAEtE,MAAM,GAAG,GAAG,OAAO,EAAE,CAAC;AACtB,MAAM,EAAE,GAAG,QAAQ,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;AAErC,MAAM,aAAa,CAAC,EAAE,CAAC,CAAC;AAExB,MAAM,IAAI,GAAe,EAAE,UAAU,EAAE,GAAG,CAAC,UAAU,EAAE,WAAW,EAAE,GAAG,CAAC,WAAW,EAAE,CAAC;AAEtF,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;AAEvB,GAAG,CAAC,KAAK,CAAC,YAAY,EAAE,YAAY,CAAC,EAAE,CAAC,CAAC,CAAC;AAE1C,MAAM,iBAAiB,GAAG,uBAAuB,CAAC,EAAE,CAAC,CAAC;AACtD,MAAM,kBAAkB,GAAG,wBAAwB,CAAC,EAAE,CAAC,CAAC;AACxD,MAAM,kBAAkB,GAAG,wBAAwB,CAAC,EAAE,CAAC,CAAC;AACxD,MAAM,kBAAkB,GAAG,wBAAwB,CAAC,EAAE,CAAC,CAAC;AACxD,MAAM,gBAAgB,GAAG,sBAAsB,CAAC,EAAE,CAAC,CAAC;AACpD,MAAM,sBAAsB,GAAG,4BAA4B,CAAC,EAAE,CAAC,CAAC;AAChE,MAAM,oBAAoB,GAAG,0BAA0B,CAAC,EAAE,CAAC,CAAC;AAC5D,MAAM,kBAAkB,GAAG,wBAAwB,CAAC,EAAE,CAAC,CAAC;AAExD,GAAG,CAAC,KAAK,CAAC,wBAAwB,EAAE,kBAAkB,CAAC,iBAAiB,EAAE,IAAI,CAAC,CAAC,CAAC;AACjF,GAAG,CAAC,KAAK,CAAC,yBAAyB,EAAE,mBAAmB,CAAC,kBAAkB,EAAE,IAAI,CAAC,CAAC,CAAC;AACpF,GAAG,CAAC,KAAK,CAAC,yBAAyB,EAAE,mBAAmB,CAAC,kBAAkB,EAAE,IAAI,CAAC,CAAC,CAAC;AACpF,GAAG,CAAC,KAAK,CAAC,yBAAyB,EAAE,mBAAmB,CAAC,kBAAkB,EAAE,IAAI,CAAC,CAAC,CAAC;AACpF,GAAG,CAAC,KAAK,CAAC,uBAAuB,EAAE,iBAAiB,CAAC,gBAAgB,EAAE,IAAI,CAAC,CAAC,CAAC;AAC9E,GAAG,CAAC,KAAK,CAAC,8BAA8B,EAAE,uBAAuB,CAAC,sBAAsB,EAAE,IAAI,CAAC,CAAC,CAAC;AACjG,GAAG,CAAC,KAAK,CAAC,4BAA4B,EAAE,qBAAqB,CAAC,oBAAoB,EAAE,IAAI,CAAC,CAAC,CAAC;AAC3F,GAAG,CAAC,KAAK,CAAC,0BAA0B,EAAE,mBAAmB,CAAC,kBAAkB,EAAE,IAAI,CAAC,CAAC,CAAC;AACrF,GAAG,CAAC,KAAK,CACP,eAAe,EACf,UAAU,CACR;IACE,YAAY,EAAE,iBAAiB;IAC/B,aAAa,EAAE,kBAAkB;IACjC,aAAa,EAAE,kBAAkB;IACjC,aAAa,EAAE,kBAAkB;IACjC,WAAW,EAAE,gBAAgB;IAC7B,iBAAiB,EAAE,sBAAsB;IACzC,eAAe,EAAE,oBAAoB;IACrC,aAAa,EAAE,kBAAkB;CAClC,EACD,IAAI,CACL,CACF,CAAC;AAEF,KAAK,CAAC,EAAE,KAAK,EAAE,GAAG,CAAC,KAAK,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,EAAE,EAAE;IACnD,OAAO,CAAC,IAAI,CAAC,2CAA2C,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;AACvE,CAAC,CAAC,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,mBAAmB,CAAC;AAE1C,OAAO,EAAE,QAAQ,EAAE,MAAM,UAAU,CAAC;AACpC,OAAO,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAC;AAC1C,OAAO,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAChD,OAAO,EAAE,OAAO,EAAE,MAAM,UAAU,CAAC;AAEnC,MAAM,GAAG,GAAG,OAAO,EAAE,CAAC;AACtB,MAAM,EAAE,GAAG,QAAQ,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;AAErC,MAAM,aAAa,CAAC,EAAE,CAAC,CAAC;AAExB,MAAM,GAAG,GAAG,QAAQ,CAAC,EAAE,EAAE,GAAG,CAAC,CAAC;AAE9B,KAAK,CAAC,EAAE,KAAK,EAAE,GAAG,CAAC,KAAK,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,EAAE,EAAE;IACnD,OAAO,CAAC,IAAI,CAAC,2CAA2C,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;AACvE,CAAC,CAAC,CAAC"}

package/dist/mcp/auth-store.d.ts

@@ -0,0 +1,25 @@
+export interface RegisteredClient {
+    clientId: string;
+    redirectUris: string[];
+    clientName: string | null;
+    createdAt: number;
+}
+export interface AuthCodeRecord {
+    clientId: string;
+    redirectUri: string;
+    codeChallenge: string;
+    codeChallengeMethod: 'S256';
+    expiresAt: number;
+}
+export interface AuthStore {
+    bootstrap(clientId: string): void;
+    registerClient(input: {
+        redirectUris: string[];
+        clientName?: string | null;
+    }, nowMs?: number): RegisteredClient;
+    getClient(clientId: string): RegisteredClient | undefined;
+    issueCode(rec: Omit<AuthCodeRecord, 'expiresAt'>, nowMs?: number): string;
+    consumeCode(code: string, nowMs?: number): AuthCodeRecord | null;
+    clear(): void;
+}
+export declare function createAuthStore(): AuthStore;

package/dist/mcp/auth-store.js

@@ -0,0 +1,51 @@
+import { randomBytes } from 'node:crypto';
+const AUTH_CODE_TTL_MS = 5 * 60 * 1000;
+export function createAuthStore() {
+    const clients = new Map();
+    const codes = new Map();
+    return {
+        bootstrap(clientId) {
+            if (!clients.has(clientId)) {
+                clients.set(clientId, {
+                    clientId,
+                    redirectUris: [],
+                    clientName: 'bootstrap (client_credentials only)',
+                    createdAt: Date.now(),
+                });
+            }
+        },
+        registerClient({ redirectUris, clientName = null }, nowMs = Date.now()) {
+            const clientId = `mcp_${randomBytes(18).toString('base64url')}`;
+            const client = {
+                clientId,
+                redirectUris: [...redirectUris],
+                clientName,
+                createdAt: nowMs,
+            };
+            clients.set(clientId, client);
+            return client;
+        },
+        getClient(clientId) {
+            return clients.get(clientId);
+        },
+        issueCode(rec, nowMs = Date.now()) {
+            const code = randomBytes(32).toString('base64url');
+            codes.set(code, { ...rec, expiresAt: nowMs + AUTH_CODE_TTL_MS });
+            return code;
+        },
+        consumeCode(code, nowMs = Date.now()) {
+            const rec = codes.get(code);
+            if (!rec)
+                return null;
+            codes.delete(code); // single-use
+            if (nowMs >= rec.expiresAt)
+                return null;
+            return rec;
+        },
+        clear() {
+            clients.clear();
+            codes.clear();
+        },
+    };
+}
+//# sourceMappingURL=auth-store.js.map

package/dist/mcp/auth-store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-store.js","sourceRoot":"","sources":["../../src/mcp/auth-store.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAiB1C,MAAM,gBAAgB,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;AAcvC,MAAM,UAAU,eAAe;IAC7B,MAAM,OAAO,GAAG,IAAI,GAAG,EAA4B,CAAC;IACpD,MAAM,KAAK,GAAG,IAAI,GAAG,EAA0B,CAAC;IAEhD,OAAO;QACL,SAAS,CAAC,QAAQ;YAChB,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAC3B,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE;oBACpB,QAAQ;oBACR,YAAY,EAAE,EAAE;oBAChB,UAAU,EAAE,qCAAqC;oBACjD,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;iBACtB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QACD,cAAc,CAAC,EAAE,YAAY,EAAE,UAAU,GAAG,IAAI,EAAE,EAAE,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE;YACpE,MAAM,QAAQ,GAAG,OAAO,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;YAChE,MAAM,MAAM,GAAqB;gBAC/B,QAAQ;gBACR,YAAY,EAAE,CAAC,GAAG,YAAY,CAAC;gBAC/B,UAAU;gBACV,SAAS,EAAE,KAAK;aACjB,CAAC;YACF,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;YAC9B,OAAO,MAAM,CAAC;QAChB,CAAC;QACD,SAAS,CAAC,QAAQ;YAChB,OAAO,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC/B,CAAC;QACD,SAAS,CAAC,GAAG,EAAE,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE;YAC/B,MAAM,IAAI,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;YACnD,KAAK,CAAC,GAAG,CAAC,IAAI,EAAE,EAAE,GAAG,GAAG,EAAE,SAAS,EAAE,KAAK,GAAG,gBAAgB,EAAE,CAAC,CAAC;YACjE,OAAO,IAAI,CAAC;QACd,CAAC;QACD,WAAW,CAAC,IAAI,EAAE,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE;YAClC,MAAM,GAAG,GAAG,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;YAC5B,IAAI,CAAC,GAAG;gBAAE,OAAO,IAAI,CAAC;YACtB,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,aAAa;YACjC,IAAI,KAAK,IAAI,GAAG,CAAC,SAAS;gBAAE,OAAO,IAAI,CAAC;YACxC,OAAO,GAAG,CAAC;QACb,CAAC;QACD,KAAK;YACH,OAAO,CAAC,KAAK,EAAE,CAAC;YAChB,KAAK,CAAC,KAAK,EAAE,CAAC;QAChB,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/mcp/consent.d.ts

@@ -0,0 +1,16 @@
+import type { HtmlEscapedString } from 'hono/utils/html';
+export interface ConsentViewModel {
+    clientId: string;
+    redirectUri: string;
+    state: string;
+    codeChallenge: string;
+    codeChallengeMethod: 'S256';
+    scope: string;
+    clientName: string | null;
+    error: string | null;
+}
+/**
+ * Render the consent screen. All user-controlled values are escaped by the
+ * `html` template tag — never inject raw strings into the template.
+ */
+export declare function renderConsent(vm: ConsentViewModel): HtmlEscapedString | Promise<HtmlEscapedString>;

package/dist/mcp/consent.js

@@ -0,0 +1,90 @@
+import { html } from 'hono/html';
+const STYLE = `
+  :root { color-scheme: light dark; }
+  body {
+    font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, sans-serif;
+    max-width: 28rem;
+    margin: 3rem auto;
+    padding: 0 1.5rem;
+    line-height: 1.5;
+  }
+  h1 { font-size: 1.25rem; margin-bottom: 0.5rem; }
+  .meta { font-size: 0.875rem; color: #666; margin-bottom: 1.5rem; }
+  .meta dt { font-weight: 600; }
+  .meta dd { margin: 0 0 0.5rem 0; word-break: break-all; font-family: ui-monospace, monospace; font-size: 0.8125rem; }
+  .warn {
+    border: 1px solid #d97706;
+    background: #fef3c7;
+    color: #78350f;
+    padding: 0.75rem 1rem;
+    border-radius: 0.375rem;
+    font-size: 0.875rem;
+    margin-bottom: 1.5rem;
+  }
+  @media (prefers-color-scheme: dark) {
+    .warn { background: #422006; color: #fde68a; border-color: #b45309; }
+    .meta { color: #aaa; }
+  }
+  label { display: block; font-weight: 600; margin-bottom: 0.25rem; }
+  input[type="password"] {
+    width: 100%; padding: 0.5rem 0.625rem; font-size: 1rem;
+    border: 1px solid #ccc; border-radius: 0.375rem; box-sizing: border-box;
+  }
+  button {
+    margin-top: 1rem; padding: 0.625rem 1rem;
+    background: #2563eb; color: white; border: 0;
+    border-radius: 0.375rem; font-size: 1rem; cursor: pointer;
+  }
+  button:hover { background: #1d4ed8; }
+  .err { color: #b91c1c; font-size: 0.875rem; margin-top: 0.5rem; }
+`;
+/**
+ * Render the consent screen. All user-controlled values are escaped by the
+ * `html` template tag — never inject raw strings into the template.
+ */
+export function renderConsent(vm) {
+    const errBlock = vm.error ? html `<p class="err">${vm.error}</p>` : html ``;
+    return html `<!doctype html>
+    <html lang="en">
+      <head>
+        <meta charset="utf-8" />
+        <meta name="viewport" content="width=device-width, initial-scale=1" />
+        <title>Authorize MCP access</title>
+        <style>
+          ${STYLE}
+        </style>
+      </head>
+      <body>
+        <main>
+          <h1>Authorize MCP access</h1>
+          <p class="meta">
+            An MCP client is requesting access to your Zyke data. Verify the redirect target before
+            continuing.
+          </p>
+          <dl class="meta">
+            <dt>Client</dt>
+            <dd>${vm.clientName ?? vm.clientId}</dd>
+            <dt>Redirects to</dt>
+            <dd>${vm.redirectUri}</dd>
+          </dl>
+          <p class="warn">
+            Only continue if the redirect target above is a domain you trust (e.g.
+            <code>https://claude.ai/api/mcp/auth_callback</code>).
+          </p>
+          <form method="POST" action="/mcp/authorize" autocomplete="off">
+            <label for="password">Read secret</label>
+            <input id="password" type="password" name="password" autofocus required />
+            <input type="hidden" name="client_id" value="${vm.clientId}" />
+            <input type="hidden" name="redirect_uri" value="${vm.redirectUri}" />
+            <input type="hidden" name="state" value="${vm.state}" />
+            <input type="hidden" name="code_challenge" value="${vm.codeChallenge}" />
+            <input type="hidden" name="code_challenge_method" value="${vm.codeChallengeMethod}" />
+            <input type="hidden" name="scope" value="${vm.scope}" />
+            <button type="submit">Authorize</button>
+            ${errBlock}
+          </form>
+        </main>
+      </body>
+    </html>`;
+}
+//# sourceMappingURL=consent.js.map

package/dist/mcp/consent.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"consent.js","sourceRoot":"","sources":["../../src/mcp/consent.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAcjC,MAAM,KAAK,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAsCb,CAAC;AAEF;;;GAGG;AACH,MAAM,UAAU,aAAa,CAC3B,EAAoB;IAEpB,MAAM,QAAQ,GAAG,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAA,kBAAkB,EAAE,CAAC,KAAK,MAAM,CAAC,CAAC,CAAC,IAAI,CAAA,EAAE,CAAC;IAC1E,OAAO,IAAI,CAAA;;;;;;;YAOD,KAAK;;;;;;;;;;;;kBAYC,EAAE,CAAC,UAAU,IAAI,EAAE,CAAC,QAAQ;;kBAE5B,EAAE,CAAC,WAAW;;;;;;;;;2DAS2B,EAAE,CAAC,QAAQ;8DACR,EAAE,CAAC,WAAW;uDACrB,EAAE,CAAC,KAAK;gEACC,EAAE,CAAC,aAAa;uEACT,EAAE,CAAC,mBAAmB;uDACtC,EAAE,CAAC,KAAK;;cAEjD,QAAQ;;;;YAIV,CAAC;AACb,CAAC"}

package/dist/mcp/metric-types.d.ts

@@ -0,0 +1,2 @@
+export type MetricValueType = 'seconds' | 'minutes' | 'milliseconds' | 'bpm' | 'percent' | 'ratio' | 'score' | 'count' | 'kcal' | 'meters' | 'kilograms' | 'celsius' | 'unknown';
+export declare function inferValueType(metricKey: string): MetricValueType;

package/dist/mcp/metric-types.js

@@ -0,0 +1,42 @@
+/**
+ * Hand-curated overrides for metric keys whose name doesn't follow the suffix
+ * convention. Add entries here as we learn about ambiguous keys. The suffix
+ * inference below handles the common case.
+ */
+const OVERRIDES = {
+    steps: 'count',
+    active_calories: 'kcal',
+    total_calories: 'kcal',
+    vo2_max: 'score',
+    weight: 'kilograms',
+    height: 'meters',
+    sleep_efficiency: 'ratio',
+};
+// Order matters — first match wins, so place longer/more specific suffixes first.
+const SUFFIX_RULES = [
+    { suffix: '_ms', type: 'milliseconds' },
+    { suffix: '_minutes', type: 'minutes' },
+    { suffix: '_min', type: 'minutes' },
+    { suffix: '_s', type: 'seconds' },
+    { suffix: '_bpm', type: 'bpm' },
+    { suffix: '_percent', type: 'percent' },
+    { suffix: '_pct', type: 'percent' },
+    { suffix: '_ratio', type: 'ratio' },
+    { suffix: '_score', type: 'score' },
+    { suffix: '_count', type: 'count' },
+    { suffix: '_kcal', type: 'kcal' },
+    { suffix: '_kg', type: 'kilograms' },
+    { suffix: '_m', type: 'meters' },
+    { suffix: '_c', type: 'celsius' },
+];
+export function inferValueType(metricKey) {
+    const override = OVERRIDES[metricKey];
+    if (override)
+        return override;
+    for (const rule of SUFFIX_RULES) {
+        if (metricKey.endsWith(rule.suffix))
+            return rule.type;
+    }
+    return 'unknown';
+}
+//# sourceMappingURL=metric-types.js.map

package/dist/mcp/metric-types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"metric-types.js","sourceRoot":"","sources":["../../src/mcp/metric-types.ts"],"names":[],"mappings":"AAeA;;;;GAIG;AACH,MAAM,SAAS,GAAoC;IACjD,KAAK,EAAE,OAAO;IACd,eAAe,EAAE,MAAM;IACvB,cAAc,EAAE,MAAM;IACtB,OAAO,EAAE,OAAO;IAChB,MAAM,EAAE,WAAW;IACnB,MAAM,EAAE,QAAQ;IAChB,gBAAgB,EAAE,OAAO;CAC1B,CAAC;AAOF,kFAAkF;AAClF,MAAM,YAAY,GAAiB;IACjC,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,cAAc,EAAE;IACvC,EAAE,MAAM,EAAE,UAAU,EAAE,IAAI,EAAE,SAAS,EAAE;IACvC,EAAE,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE;IACnC,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,EAAE,SAAS,EAAE;IACjC,EAAE,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE;IAC/B,EAAE,MAAM,EAAE,UAAU,EAAE,IAAI,EAAE,SAAS,EAAE;IACvC,EAAE,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE;IACnC,EAAE,MAAM,EAAE,QAAQ,EAAE,IAAI,EAAE,OAAO,EAAE;IACnC,EAAE,MAAM,EAAE,QAAQ,EAAE,IAAI,EAAE,OAAO,EAAE;IACnC,EAAE,MAAM,EAAE,QAAQ,EAAE,IAAI,EAAE,OAAO,EAAE;IACnC,EAAE,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE;IACjC,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,WAAW,EAAE;IACpC,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,EAAE,QAAQ,EAAE;IAChC,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,EAAE,SAAS,EAAE;CAClC,CAAC;AAEF,MAAM,UAAU,cAAc,CAAC,SAAiB;IAC9C,MAAM,QAAQ,GAAG,SAAS,CAAC,SAAS,CAAC,CAAC;IACtC,IAAI,QAAQ;QAAE,OAAO,QAAQ,CAAC;IAC9B,KAAK,MAAM,IAAI,IAAI,YAAY,EAAE,CAAC;QAChC,IAAI,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC;YAAE,OAAO,IAAI,CAAC,IAAI,CAAC;IACxD,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC"}

package/dist/mcp/oauth.d.ts

@@ -0,0 +1,61 @@
+import type { McpEnv } from '../env.js';
+import type { AuthStore } from './auth-store.js';
+export interface TokenIssueResult {
+    accessToken: string;
+    expiresIn: number;
+}
+export type TokenVerifyResult = {
+    ok: true;
+    expiresAt: number;
+} | {
+    ok: false;
+    reason: 'malformed' | 'bad_signature' | 'expired';
+};
+/**
+ * Issue an opaque, HMAC-signed bearer token.
+ *
+ * Token layout: `${b64url(payload)}.${hex(hmac_sha256(payload, secret))}`
+ * where `payload = random(16) || expiryUnixSeconds(uint64BE)`.
+ *
+ * Stateless — verification needs only the signing secret.
+ */
+export declare function issueToken(env: McpEnv, nowMs?: number): TokenIssueResult;
+export declare function verifyToken(token: string, env: McpEnv, nowMs?: number): TokenVerifyResult;
+export interface ClientCredentialsRequest {
+    clientId: string;
+    clientSecret: string;
+    grantType: string;
+}
+export type GrantResult = {
+    ok: true;
+    token: TokenIssueResult;
+} | {
+    ok: false;
+    status: number;
+    error: string;
+    description?: string;
+};
+/**
+ * Validate a client_credentials grant request against the configured MCP env
+ * + the read secret. Returns the access token on success.
+ */
+export declare function grantClientCredentials(req: ClientCredentialsRequest, env: McpEnv, readSecret: string, nowMs?: number): GrantResult;
+/**
+ * Compute the PKCE S256 code challenge for a verifier.
+ *
+ * RFC 7636 §4.2: `BASE64URL(SHA256(ASCII(verifier)))`.
+ */
+export declare function pkceS256Challenge(verifier: string): string;
+export interface AuthCodeRequest {
+    grantType: string;
+    code: string;
+    redirectUri: string;
+    clientId: string;
+    codeVerifier: string;
+}
+/**
+ * Validate an authorization_code grant + PKCE verifier and exchange it for a
+ * bearer token. The code is single-use — `consumeCode` deletes it regardless
+ * of validation outcome past the lookup.
+ */
+export declare function grantAuthorizationCode(req: AuthCodeRequest, env: McpEnv, store: AuthStore, nowMs?: number): GrantResult;