agents 0.3.6 → 0.3.8

package/dist/client.js

@@ -1,3 +1,203 @@
-import { n as agentFetch, r as camelCaseToKebabCase, t as AgentClient } from "./client-CEO0P7vN.js";
+import { t as MessageType } from "./types-BITaDFf-.js";
+import { t as camelCaseToKebabCase } from "./utils-B49TmLCI.js";
+import { PartySocket } from "partysocket";
 
-export { AgentClient, agentFetch, camelCaseToKebabCase };
+//#region src/client.ts
+/**
+* WebSocket client for connecting to an Agent
+*/
+var AgentClient = class extends PartySocket {
+	/**
+	* @deprecated Use agentFetch instead
+	*/
+	static fetch(_opts) {
+		throw new Error("AgentClient.fetch is not implemented, use agentFetch instead");
+	}
+	/**
+	* Promise that resolves when identity has been received from the server.
+	* Useful for waiting before making calls that depend on knowing the instance.
+	* Resets on connection close so it can be awaited again after reconnect.
+	*/
+	get ready() {
+		return this._readyPromise;
+	}
+	_resetReady() {
+		this._readyPromise = new Promise((resolve) => {
+			this._resolveReady = resolve;
+		});
+	}
+	constructor(options) {
+		const agentNamespace = camelCaseToKebabCase(options.agent);
+		const socketOptions = options.basePath ? {
+			basePath: options.basePath,
+			path: options.path,
+			...options
+		} : {
+			party: agentNamespace,
+			prefix: "agents",
+			room: options.name || "default",
+			path: options.path,
+			...options
+		};
+		super(socketOptions);
+		this.identified = false;
+		this._pendingCalls = /* @__PURE__ */ new Map();
+		this._previousName = null;
+		this._previousAgent = null;
+		this.agent = agentNamespace;
+		this.name = options.name || "default";
+		this.options = options;
+		this._resetReady();
+		this.addEventListener("message", (event) => {
+			if (typeof event.data === "string") {
+				let parsedMessage;
+				try {
+					parsedMessage = JSON.parse(event.data);
+				} catch (_error) {
+					return;
+				}
+				if (parsedMessage.type === MessageType.CF_AGENT_IDENTITY) {
+					const oldName = this._previousName;
+					const oldAgent = this._previousAgent;
+					const newName = parsedMessage.name;
+					const newAgent = parsedMessage.agent;
+					this.identified = true;
+					this._resolveReady();
+					if (oldName !== null && oldAgent !== null && (oldName !== newName || oldAgent !== newAgent)) if (this.options.onIdentityChange) this.options.onIdentityChange(oldName, newName, oldAgent, newAgent);
+					else {
+						const agentChanged = oldAgent !== newAgent;
+						const nameChanged = oldName !== newName;
+						let changeDescription = "";
+						if (agentChanged && nameChanged) changeDescription = `agent "${oldAgent}" → "${newAgent}", instance "${oldName}" → "${newName}"`;
+						else if (agentChanged) changeDescription = `agent "${oldAgent}" → "${newAgent}"`;
+						else changeDescription = `instance "${oldName}" → "${newName}"`;
+						console.warn(`[agents] Identity changed on reconnect: ${changeDescription}. This can happen with server-side routing (e.g., basePath with getAgentByName) where the instance is determined by auth/session. Provide onIdentityChange callback to handle this explicitly, or ignore if this is expected for your routing pattern.`);
+					}
+					this._previousName = newName;
+					this._previousAgent = newAgent;
+					this.name = newName;
+					this.agent = newAgent;
+					this.options.onIdentity?.(newName, newAgent);
+					return;
+				}
+				if (parsedMessage.type === MessageType.CF_AGENT_STATE) {
+					this.options.onStateUpdate?.(parsedMessage.state, "server");
+					return;
+				}
+				if (parsedMessage.type === MessageType.RPC) {
+					const response = parsedMessage;
+					const pending = this._pendingCalls.get(response.id);
+					if (!pending) return;
+					if (!response.success) {
+						pending.reject(new Error(response.error));
+						this._pendingCalls.delete(response.id);
+						pending.stream?.onError?.(response.error);
+						return;
+					}
+					if ("done" in response) if (response.done) {
+						pending.resolve(response.result);
+						this._pendingCalls.delete(response.id);
+						pending.stream?.onDone?.(response.result);
+					} else pending.stream?.onChunk?.(response.result);
+					else {
+						pending.resolve(response.result);
+						this._pendingCalls.delete(response.id);
+					}
+				}
+			}
+		});
+		this.addEventListener("close", () => {
+			this.identified = false;
+			this._resetReady();
+			this._rejectPendingCalls("Connection closed");
+		});
+	}
+	/**
+	* Reject all pending RPC calls with the given reason.
+	*/
+	_rejectPendingCalls(reason) {
+		const error = new Error(reason);
+		for (const pending of this._pendingCalls.values()) {
+			pending.reject(error);
+			pending.stream?.onError?.(reason);
+		}
+		this._pendingCalls.clear();
+	}
+	setState(state) {
+		this.send(JSON.stringify({
+			state,
+			type: MessageType.CF_AGENT_STATE
+		}));
+		this.options.onStateUpdate?.(state, "client");
+	}
+	/**
+	* Close the connection and immediately reject all pending RPC calls.
+	* This provides immediate feedback on intentional close rather than
+	* waiting for the WebSocket close handshake to complete.
+	*
+	* Note: Any calls made after `close()` will be rejected when the
+	* underlying WebSocket close event fires.
+	*/
+	close(code, reason) {
+		this._rejectPendingCalls("Connection closed");
+		super.close(code, reason);
+	}
+	async call(method, args = [], options) {
+		return new Promise((resolve, reject) => {
+			const id = crypto.randomUUID();
+			let timeoutId;
+			const isLegacyFormat = options && ("onChunk" in options || "onDone" in options || "onError" in options);
+			const streamOptions = isLegacyFormat ? options : options?.stream;
+			const timeout = isLegacyFormat ? void 0 : options?.timeout;
+			if (timeout) timeoutId = setTimeout(() => {
+				const pending = this._pendingCalls.get(id);
+				this._pendingCalls.delete(id);
+				const errorMessage = `RPC call to ${method} timed out after ${timeout}ms`;
+				pending?.stream?.onError?.(errorMessage);
+				reject(new Error(errorMessage));
+			}, timeout);
+			this._pendingCalls.set(id, {
+				reject: (e) => {
+					if (timeoutId) clearTimeout(timeoutId);
+					reject(e);
+				},
+				resolve: (value) => {
+					if (timeoutId) clearTimeout(timeoutId);
+					resolve(value);
+				},
+				stream: streamOptions,
+				type: null
+			});
+			const request = {
+				args,
+				id,
+				method,
+				type: MessageType.RPC
+			};
+			this.send(JSON.stringify(request));
+		});
+	}
+};
+/**
+* Make an HTTP request to an Agent
+* @param opts Connection options
+* @param init Request initialization options
+* @returns Promise resolving to a Response
+*/
+function agentFetch(opts, init) {
+	const agentNamespace = camelCaseToKebabCase(opts.agent);
+	if (opts.basePath) return PartySocket.fetch({
+		basePath: opts.basePath,
+		...opts
+	}, init);
+	return PartySocket.fetch({
+		party: agentNamespace,
+		prefix: "agents",
+		room: opts.name || "default",
+		...opts
+	}, init);
+}
+
+//#endregion
+export { AgentClient, agentFetch };
+//# sourceMappingURL=client.js.map

package/dist/client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.js","names":[],"sources":["../src/client.ts"],"sourcesContent":["import {\n  type PartyFetchOptions,\n  PartySocket,\n  type PartySocketOptions\n} from \"partysocket\";\nimport type { RPCRequest, RPCResponse } from \"./\";\nimport type {\n  SerializableReturnValue,\n  SerializableValue\n} from \"./serializable\";\nimport { MessageType } from \"./types\";\n\n/**\n * Options for creating an AgentClient\n */\nexport type AgentClientOptions<State = unknown> = Omit<\n  PartySocketOptions,\n  \"party\" | \"room\"\n> & {\n  /** Name of the agent to connect to (ignored if basePath is set) */\n  agent: string;\n  /** Name of the specific Agent instance (ignored if basePath is set) */\n  name?: string;\n  /**\n   * Full URL path - bypasses agent/name URL construction.\n   * When set, the client connects to this path directly.\n   * Server must handle routing manually (e.g., with getAgentByName + fetch).\n   * @example\n   * // Client connects to /user, server routes based on session\n   * useAgent({ agent: \"UserAgent\", basePath: \"user\" })\n   */\n  basePath?: string;\n  /** Called when the Agent's state is updated */\n  onStateUpdate?: (state: State, source: \"server\" | \"client\") => void;\n  /**\n   * Called when the server sends the agent's identity on connect.\n   * Useful when using basePath, as the actual instance name is determined server-side.\n   * @param name The actual agent instance name\n   * @param agent The agent class name (kebab-case)\n   */\n  onIdentity?: (name: string, agent: string) => void;\n  /**\n   * Called when identity changes on reconnect (different instance than before).\n   * If not provided and identity changes, a warning will be logged.\n   * @param oldName Previous instance name\n   * @param newName New instance name\n   * @param oldAgent Previous agent class name\n   * @param newAgent New agent class name\n   */\n  onIdentityChange?: (\n    oldName: string,\n    newName: string,\n    oldAgent: string,\n    newAgent: string\n  ) => void;\n  /**\n   * Additional path to append to the URL.\n   * Works with both standard routing and basePath.\n   * @example\n   * // With basePath: /user/settings\n   * { basePath: \"user\", path: \"settings\" }\n   * // Standard: /agents/my-agent/room/settings\n   * { agent: \"MyAgent\", name: \"room\", path: \"settings\" }\n   */\n  path?: string;\n};\n\n/**\n * Options for streaming RPC calls\n */\nexport type StreamOptions = {\n  /** Called when a chunk of data is received */\n  onChunk?: (chunk: unknown) => void;\n  /** Called when the stream ends */\n  onDone?: (finalChunk: unknown) => void;\n  /** Called when an error occurs */\n  onError?: (error: string) => void;\n};\n\n/**\n * Options for RPC calls\n */\nexport type CallOptions = {\n  /** Timeout in milliseconds. If the call doesn't complete within this time, it will be rejected. */\n  timeout?: number;\n  /** Streaming options for handling streaming responses */\n  stream?: StreamOptions;\n};\n\n/**\n * Options for the agentFetch function\n */\nexport type AgentClientFetchOptions = Omit<\n  PartyFetchOptions,\n  \"party\" | \"room\"\n> & {\n  /** Name of the agent to connect to (ignored if basePath is set) */\n  agent: string;\n  /** Name of the specific Agent instance (ignored if basePath is set) */\n  name?: string;\n  /**\n   * Full URL path - bypasses agent/name URL construction.\n   * When set, the request is made to this path directly.\n   */\n  basePath?: string;\n};\n\nimport { camelCaseToKebabCase } from \"./utils\";\n\n/**\n * WebSocket client for connecting to an Agent\n */\nexport class AgentClient<State = unknown> extends PartySocket {\n  /**\n   * @deprecated Use agentFetch instead\n   */\n  static fetch(_opts: PartyFetchOptions): Promise<Response> {\n    throw new Error(\n      \"AgentClient.fetch is not implemented, use agentFetch instead\"\n    );\n  }\n  agent: string;\n  name: string;\n\n  /**\n   * Whether the client has received identity from the server.\n   * Becomes true after the first identity message is received.\n   * Resets to false on connection close.\n   */\n  identified = false;\n\n  /**\n   * Promise that resolves when identity has been received from the server.\n   * Useful for waiting before making calls that depend on knowing the instance.\n   * Resets on connection close so it can be awaited again after reconnect.\n   */\n  get ready(): Promise<void> {\n    return this._readyPromise;\n  }\n\n  private options: AgentClientOptions<State>;\n  private _pendingCalls = new Map<\n    string,\n    {\n      resolve: (value: unknown) => void;\n      reject: (error: Error) => void;\n      stream?: StreamOptions;\n      type?: unknown;\n    }\n  >();\n  private _readyPromise!: Promise<void>;\n  private _resolveReady!: () => void;\n  private _previousName: string | null = null;\n  private _previousAgent: string | null = null;\n\n  private _resetReady() {\n    this._readyPromise = new Promise((resolve) => {\n      this._resolveReady = resolve;\n    });\n  }\n\n  constructor(options: AgentClientOptions<State>) {\n    const agentNamespace = camelCaseToKebabCase(options.agent);\n\n    // If basePath is provided, use it directly; otherwise construct from agent/name\n    const socketOptions = options.basePath\n      ? { basePath: options.basePath, path: options.path, ...options }\n      : {\n          party: agentNamespace,\n          prefix: \"agents\",\n          room: options.name || \"default\",\n          path: options.path,\n          ...options\n        };\n\n    super(socketOptions);\n    this.agent = agentNamespace;\n    this.name = options.name || \"default\";\n    this.options = options;\n\n    // Initialize ready promise\n    this._resetReady();\n\n    this.addEventListener(\"message\", (event) => {\n      if (typeof event.data === \"string\") {\n        let parsedMessage: Record<string, unknown>;\n        try {\n          parsedMessage = JSON.parse(event.data);\n        } catch (_error) {\n          // silently ignore invalid messages for now\n          // TODO: log errors with log levels\n          return;\n        }\n        if (parsedMessage.type === MessageType.CF_AGENT_IDENTITY) {\n          const oldName = this._previousName;\n          const oldAgent = this._previousAgent;\n          const newName = parsedMessage.name as string;\n          const newAgent = parsedMessage.agent as string;\n\n          // Resolve ready/identified\n          this.identified = true;\n          this._resolveReady();\n\n          // Detect identity change on reconnect\n          if (\n            oldName !== null &&\n            oldAgent !== null &&\n            (oldName !== newName || oldAgent !== newAgent)\n          ) {\n            if (this.options.onIdentityChange) {\n              this.options.onIdentityChange(\n                oldName,\n                newName,\n                oldAgent,\n                newAgent\n              );\n            } else {\n              const agentChanged = oldAgent !== newAgent;\n              const nameChanged = oldName !== newName;\n              let changeDescription = \"\";\n              if (agentChanged && nameChanged) {\n                changeDescription = `agent \"${oldAgent}\" → \"${newAgent}\", instance \"${oldName}\" → \"${newName}\"`;\n              } else if (agentChanged) {\n                changeDescription = `agent \"${oldAgent}\" → \"${newAgent}\"`;\n              } else {\n                changeDescription = `instance \"${oldName}\" → \"${newName}\"`;\n              }\n              console.warn(\n                `[agents] Identity changed on reconnect: ${changeDescription}. ` +\n                  \"This can happen with server-side routing (e.g., basePath with getAgentByName) \" +\n                  \"where the instance is determined by auth/session. \" +\n                  \"Provide onIdentityChange callback to handle this explicitly, \" +\n                  \"or ignore if this is expected for your routing pattern.\"\n              );\n            }\n          }\n\n          // Always update from server identity (server is authoritative)\n          this._previousName = newName;\n          this._previousAgent = newAgent;\n          this.name = newName;\n          this.agent = newAgent;\n\n          // Call onIdentity callback\n          this.options.onIdentity?.(newName, newAgent);\n          return;\n        }\n        if (parsedMessage.type === MessageType.CF_AGENT_STATE) {\n          this.options.onStateUpdate?.(parsedMessage.state as State, \"server\");\n          return;\n        }\n        if (parsedMessage.type === MessageType.RPC) {\n          const response = parsedMessage as RPCResponse;\n          const pending = this._pendingCalls.get(response.id);\n          if (!pending) return;\n\n          if (!response.success) {\n            pending.reject(new Error(response.error));\n            this._pendingCalls.delete(response.id);\n            pending.stream?.onError?.(response.error);\n            return;\n          }\n\n          // Handle streaming responses\n          if (\"done\" in response) {\n            if (response.done) {\n              pending.resolve(response.result);\n              this._pendingCalls.delete(response.id);\n              pending.stream?.onDone?.(response.result);\n            } else {\n              pending.stream?.onChunk?.(response.result);\n            }\n          } else {\n            // Non-streaming response\n            pending.resolve(response.result);\n            this._pendingCalls.delete(response.id);\n          }\n        }\n      }\n    });\n\n    // Clean up pending calls and reset ready state when connection closes\n    this.addEventListener(\"close\", () => {\n      // Reset ready state for next connection\n      this.identified = false;\n      this._resetReady();\n\n      // Reject any remaining pending calls (e.g., from unexpected disconnect)\n      this._rejectPendingCalls(\"Connection closed\");\n    });\n  }\n\n  /**\n   * Reject all pending RPC calls with the given reason.\n   */\n  private _rejectPendingCalls(reason: string) {\n    const error = new Error(reason);\n    for (const pending of this._pendingCalls.values()) {\n      pending.reject(error);\n      pending.stream?.onError?.(reason);\n    }\n    this._pendingCalls.clear();\n  }\n\n  setState(state: State) {\n    this.send(JSON.stringify({ state, type: MessageType.CF_AGENT_STATE }));\n    this.options.onStateUpdate?.(state, \"client\");\n  }\n\n  /**\n   * Close the connection and immediately reject all pending RPC calls.\n   * This provides immediate feedback on intentional close rather than\n   * waiting for the WebSocket close handshake to complete.\n   *\n   * Note: Any calls made after `close()` will be rejected when the\n   * underlying WebSocket close event fires.\n   */\n  close(code?: number, reason?: string) {\n    // Immediately reject all pending calls on intentional close\n    this._rejectPendingCalls(\"Connection closed\");\n\n    // Then close the underlying socket\n    super.close(code, reason);\n  }\n\n  /**\n   * Call a method on the Agent\n   * @param method Name of the method to call\n   * @param args Arguments to pass to the method\n   * @param options Options for the call (timeout, streaming) or legacy StreamOptions\n   * @returns Promise that resolves with the method's return value\n   */\n  call<T extends SerializableReturnValue>(\n    method: string,\n    args?: SerializableValue[],\n    options?: CallOptions | StreamOptions\n  ): Promise<T>;\n  call<T = unknown>(\n    method: string,\n    args?: unknown[],\n    options?: CallOptions | StreamOptions\n  ): Promise<T>;\n  async call<T>(\n    method: string,\n    args: unknown[] = [],\n    options?: CallOptions | StreamOptions\n  ): Promise<T> {\n    return new Promise<T>((resolve, reject) => {\n      const id = crypto.randomUUID();\n      let timeoutId: ReturnType<typeof setTimeout> | undefined;\n\n      // Detect legacy format: { onChunk?, onDone?, onError? } vs new format: { timeout?, stream? }\n      const isLegacyFormat =\n        options &&\n        (\"onChunk\" in options || \"onDone\" in options || \"onError\" in options);\n      const streamOptions = isLegacyFormat\n        ? (options as StreamOptions)\n        : (options as CallOptions | undefined)?.stream;\n      const timeout = isLegacyFormat\n        ? undefined\n        : (options as CallOptions | undefined)?.timeout;\n\n      // Set up timeout if specified\n      if (timeout) {\n        timeoutId = setTimeout(() => {\n          const pending = this._pendingCalls.get(id);\n          this._pendingCalls.delete(id);\n          const errorMessage = `RPC call to ${method} timed out after ${timeout}ms`;\n          // Call stream onError callback if present (for streaming calls)\n          pending?.stream?.onError?.(errorMessage);\n          reject(new Error(errorMessage));\n        }, timeout);\n      }\n\n      this._pendingCalls.set(id, {\n        reject: (e: Error) => {\n          if (timeoutId) clearTimeout(timeoutId);\n          reject(e);\n        },\n        resolve: (value: unknown) => {\n          if (timeoutId) clearTimeout(timeoutId);\n          resolve(value as T);\n        },\n        stream: streamOptions,\n        type: null as T\n      });\n\n      const request: RPCRequest = {\n        args,\n        id,\n        method,\n        type: MessageType.RPC\n      };\n\n      this.send(JSON.stringify(request));\n    });\n  }\n}\n\n/**\n * Make an HTTP request to an Agent\n * @param opts Connection options\n * @param init Request initialization options\n * @returns Promise resolving to a Response\n */\nexport function agentFetch(opts: AgentClientFetchOptions, init?: RequestInit) {\n  const agentNamespace = camelCaseToKebabCase(opts.agent);\n\n  // If basePath is provided, use it directly; otherwise construct from agent/name\n  // When basePath is set, room/party aren't used by PartySocket (basePath replaces the URL)\n  if (opts.basePath) {\n    return PartySocket.fetch(\n      { basePath: opts.basePath, ...opts } as unknown as PartyFetchOptions,\n      init\n    );\n  }\n\n  return PartySocket.fetch(\n    {\n      party: agentNamespace,\n      prefix: \"agents\",\n      room: opts.name || \"default\",\n      ...opts\n    },\n    init\n  );\n}\n"],"mappings":";;;;;;;;AAgHA,IAAa,cAAb,cAAkD,YAAY;;;;CAI5D,OAAO,MAAM,OAA6C;AACxD,QAAM,IAAI,MACR,+DACD;;;;;;;CAiBH,IAAI,QAAuB;AACzB,SAAO,KAAK;;CAkBd,AAAQ,cAAc;AACpB,OAAK,gBAAgB,IAAI,SAAS,YAAY;AAC5C,QAAK,gBAAgB;IACrB;;CAGJ,YAAY,SAAoC;EAC9C,MAAM,iBAAiB,qBAAqB,QAAQ,MAAM;EAG1D,MAAM,gBAAgB,QAAQ,WAC1B;GAAE,UAAU,QAAQ;GAAU,MAAM,QAAQ;GAAM,GAAG;GAAS,GAC9D;GACE,OAAO;GACP,QAAQ;GACR,MAAM,QAAQ,QAAQ;GACtB,MAAM,QAAQ;GACd,GAAG;GACJ;AAEL,QAAM,cAAc;oBA9CT;uCAYW,IAAI,KAQzB;uBAGoC;wBACC;AAuBtC,OAAK,QAAQ;AACb,OAAK,OAAO,QAAQ,QAAQ;AAC5B,OAAK,UAAU;AAGf,OAAK,aAAa;AAElB,OAAK,iBAAiB,YAAY,UAAU;AAC1C,OAAI,OAAO,MAAM,SAAS,UAAU;IAClC,IAAI;AACJ,QAAI;AACF,qBAAgB,KAAK,MAAM,MAAM,KAAK;aAC/B,QAAQ;AAGf;;AAEF,QAAI,cAAc,SAAS,YAAY,mBAAmB;KACxD,MAAM,UAAU,KAAK;KACrB,MAAM,WAAW,KAAK;KACtB,MAAM,UAAU,cAAc;KAC9B,MAAM,WAAW,cAAc;AAG/B,UAAK,aAAa;AAClB,UAAK,eAAe;AAGpB,SACE,YAAY,QACZ,aAAa,SACZ,YAAY,WAAW,aAAa,UAErC,KAAI,KAAK,QAAQ,iBACf,MAAK,QAAQ,iBACX,SACA,SACA,UACA,SACD;UACI;MACL,MAAM,eAAe,aAAa;MAClC,MAAM,cAAc,YAAY;MAChC,IAAI,oBAAoB;AACxB,UAAI,gBAAgB,YAClB,qBAAoB,UAAU,SAAS,OAAO,SAAS,eAAe,QAAQ,OAAO,QAAQ;eACpF,aACT,qBAAoB,UAAU,SAAS,OAAO,SAAS;UAEvD,qBAAoB,aAAa,QAAQ,OAAO,QAAQ;AAE1D,cAAQ,KACN,2CAA2C,kBAAkB,wPAK9D;;AAKL,UAAK,gBAAgB;AACrB,UAAK,iBAAiB;AACtB,UAAK,OAAO;AACZ,UAAK,QAAQ;AAGb,UAAK,QAAQ,aAAa,SAAS,SAAS;AAC5C;;AAEF,QAAI,cAAc,SAAS,YAAY,gBAAgB;AACrD,UAAK,QAAQ,gBAAgB,cAAc,OAAgB,SAAS;AACpE;;AAEF,QAAI,cAAc,SAAS,YAAY,KAAK;KAC1C,MAAM,WAAW;KACjB,MAAM,UAAU,KAAK,cAAc,IAAI,SAAS,GAAG;AACnD,SAAI,CAAC,QAAS;AAEd,SAAI,CAAC,SAAS,SAAS;AACrB,cAAQ,OAAO,IAAI,MAAM,SAAS,MAAM,CAAC;AACzC,WAAK,cAAc,OAAO,SAAS,GAAG;AACtC,cAAQ,QAAQ,UAAU,SAAS,MAAM;AACzC;;AAIF,SAAI,UAAU,SACZ,KAAI,SAAS,MAAM;AACjB,cAAQ,QAAQ,SAAS,OAAO;AAChC,WAAK,cAAc,OAAO,SAAS,GAAG;AACtC,cAAQ,QAAQ,SAAS,SAAS,OAAO;WAEzC,SAAQ,QAAQ,UAAU,SAAS,OAAO;UAEvC;AAEL,cAAQ,QAAQ,SAAS,OAAO;AAChC,WAAK,cAAc,OAAO,SAAS,GAAG;;;;IAI5C;AAGF,OAAK,iBAAiB,eAAe;AAEnC,QAAK,aAAa;AAClB,QAAK,aAAa;AAGlB,QAAK,oBAAoB,oBAAoB;IAC7C;;;;;CAMJ,AAAQ,oBAAoB,QAAgB;EAC1C,MAAM,QAAQ,IAAI,MAAM,OAAO;AAC/B,OAAK,MAAM,WAAW,KAAK,cAAc,QAAQ,EAAE;AACjD,WAAQ,OAAO,MAAM;AACrB,WAAQ,QAAQ,UAAU,OAAO;;AAEnC,OAAK,cAAc,OAAO;;CAG5B,SAAS,OAAc;AACrB,OAAK,KAAK,KAAK,UAAU;GAAE;GAAO,MAAM,YAAY;GAAgB,CAAC,CAAC;AACtE,OAAK,QAAQ,gBAAgB,OAAO,SAAS;;;;;;;;;;CAW/C,MAAM,MAAe,QAAiB;AAEpC,OAAK,oBAAoB,oBAAoB;AAG7C,QAAM,MAAM,MAAM,OAAO;;CAoB3B,MAAM,KACJ,QACA,OAAkB,EAAE,EACpB,SACY;AACZ,SAAO,IAAI,SAAY,SAAS,WAAW;GACzC,MAAM,KAAK,OAAO,YAAY;GAC9B,IAAI;GAGJ,MAAM,iBACJ,YACC,aAAa,WAAW,YAAY,WAAW,aAAa;GAC/D,MAAM,gBAAgB,iBACjB,UACA,SAAqC;GAC1C,MAAM,UAAU,iBACZ,SACC,SAAqC;AAG1C,OAAI,QACF,aAAY,iBAAiB;IAC3B,MAAM,UAAU,KAAK,cAAc,IAAI,GAAG;AAC1C,SAAK,cAAc,OAAO,GAAG;IAC7B,MAAM,eAAe,eAAe,OAAO,mBAAmB,QAAQ;AAEtE,aAAS,QAAQ,UAAU,aAAa;AACxC,WAAO,IAAI,MAAM,aAAa,CAAC;MAC9B,QAAQ;AAGb,QAAK,cAAc,IAAI,IAAI;IACzB,SAAS,MAAa;AACpB,SAAI,UAAW,cAAa,UAAU;AACtC,YAAO,EAAE;;IAEX,UAAU,UAAmB;AAC3B,SAAI,UAAW,cAAa,UAAU;AACtC,aAAQ,MAAW;;IAErB,QAAQ;IACR,MAAM;IACP,CAAC;GAEF,MAAM,UAAsB;IAC1B;IACA;IACA;IACA,MAAM,YAAY;IACnB;AAED,QAAK,KAAK,KAAK,UAAU,QAAQ,CAAC;IAClC;;;;;;;;;AAUN,SAAgB,WAAW,MAA+B,MAAoB;CAC5E,MAAM,iBAAiB,qBAAqB,KAAK,MAAM;AAIvD,KAAI,KAAK,SACP,QAAO,YAAY,MACjB;EAAE,UAAU,KAAK;EAAU,GAAG;EAAM,EACpC,KACD;AAGH,QAAO,YAAY,MACjB;EACE,OAAO;EACP,QAAQ;EACR,MAAM,KAAK,QAAQ;EACnB,GAAG;EACJ,EACD,KACD"}

package/dist/{do-oauth-client-provider-BH9zFtSy.d.ts → do-oauth-client-provider-BqnOQzjy.d.ts}

@@ -67,4 +67,4 @@ declare class DurableObjectOAuthClientProvider implements AgentsOAuthProvider {
 }
 //#endregion
 export { DurableObjectOAuthClientProvider as n, AgentsOAuthProvider as t };
-//# sourceMappingURL=do-oauth-client-provider-BH9zFtSy.d.ts.map
+//# sourceMappingURL=do-oauth-client-provider-BqnOQzjy.d.ts.map

package/dist/{do-oauth-client-provider-BfPFgQU0.js → do-oauth-client-provider-DDg8QrEA.js}

@@ -152,4 +152,4 @@ var DurableObjectOAuthClientProvider = class {
 
 //#endregion
 export { DurableObjectOAuthClientProvider as t };
-//# sourceMappingURL=do-oauth-client-provider-BfPFgQU0.js.map
+//# sourceMappingURL=do-oauth-client-provider-DDg8QrEA.js.map

package/dist/{do-oauth-client-provider-BfPFgQU0.js.map → do-oauth-client-provider-DDg8QrEA.js.map}

@@ -1 +1 @@
-{"version":3,"file":"do-oauth-client-provider-BfPFgQU0.js","names":["storage: DurableObjectStorage","clientName: string","baseRedirectUrl: string","storedState: StoredState","deleteKeys: string[]"],"sources":["../src/mcp/do-oauth-client-provider.ts"],"sourcesContent":["import type { OAuthClientProvider } from \"@modelcontextprotocol/sdk/client/auth.js\";\nimport type {\n  OAuthClientInformation,\n  OAuthClientInformationFull,\n  OAuthClientMetadata,\n  OAuthTokens\n} from \"@modelcontextprotocol/sdk/shared/auth.js\";\nimport { nanoid } from \"nanoid\";\n\nconst STATE_EXPIRATION_MS = 10 * 60 * 1000; // 10 minutes\n\ninterface StoredState {\n  nonce: string;\n  serverId: string;\n  createdAt: number;\n}\n\n// A slight extension to the standard OAuthClientProvider interface because `redirectToAuthorization` doesn't give us the interface we need\n// This allows us to track authentication for a specific server and associated dynamic client registration\nexport interface AgentsOAuthProvider extends OAuthClientProvider {\n  authUrl: string | undefined;\n  clientId: string | undefined;\n  serverId: string | undefined;\n  checkState(\n    state: string\n  ): Promise<{ valid: boolean; serverId?: string; error?: string }>;\n  consumeState(state: string): Promise<void>;\n  deleteCodeVerifier(): Promise<void>;\n}\n\nexport class DurableObjectOAuthClientProvider implements AgentsOAuthProvider {\n  private _authUrl_: string | undefined;\n  private _serverId_: string | undefined;\n  private _clientId_: string | undefined;\n\n  constructor(\n    public storage: DurableObjectStorage,\n    public clientName: string,\n    public baseRedirectUrl: string\n  ) {\n    if (!storage) {\n      throw new Error(\n        \"DurableObjectOAuthClientProvider requires a valid DurableObjectStorage instance\"\n      );\n    }\n  }\n\n  get clientMetadata(): OAuthClientMetadata {\n    return {\n      client_name: this.clientName,\n      client_uri: this.clientUri,\n      grant_types: [\"authorization_code\", \"refresh_token\"],\n      redirect_uris: [this.redirectUrl],\n      response_types: [\"code\"],\n      token_endpoint_auth_method: \"none\"\n    };\n  }\n\n  get clientUri() {\n    return new URL(this.redirectUrl).origin;\n  }\n\n  get redirectUrl() {\n    return this.baseRedirectUrl;\n  }\n\n  get clientId() {\n    if (!this._clientId_) {\n      throw new Error(\"Trying to access clientId before it was set\");\n    }\n    return this._clientId_;\n  }\n\n  set clientId(clientId_: string) {\n    this._clientId_ = clientId_;\n  }\n\n  get serverId() {\n    if (!this._serverId_) {\n      throw new Error(\"Trying to access serverId before it was set\");\n    }\n    return this._serverId_;\n  }\n\n  set serverId(serverId_: string) {\n    this._serverId_ = serverId_;\n  }\n\n  keyPrefix(clientId: string) {\n    return `/${this.clientName}/${this.serverId}/${clientId}`;\n  }\n\n  clientInfoKey(clientId: string) {\n    return `${this.keyPrefix(clientId)}/client_info/`;\n  }\n\n  async clientInformation(): Promise<OAuthClientInformation | undefined> {\n    if (!this._clientId_) {\n      return undefined;\n    }\n    return (\n      (await this.storage.get<OAuthClientInformation>(\n        this.clientInfoKey(this.clientId)\n      )) ?? undefined\n    );\n  }\n\n  async saveClientInformation(\n    clientInformation: OAuthClientInformationFull\n  ): Promise<void> {\n    await this.storage.put(\n      this.clientInfoKey(clientInformation.client_id),\n      clientInformation\n    );\n    this.clientId = clientInformation.client_id;\n  }\n\n  tokenKey(clientId: string) {\n    return `${this.keyPrefix(clientId)}/token`;\n  }\n\n  async tokens(): Promise<OAuthTokens | undefined> {\n    if (!this._clientId_) {\n      return undefined;\n    }\n    return (\n      (await this.storage.get<OAuthTokens>(this.tokenKey(this.clientId))) ??\n      undefined\n    );\n  }\n\n  async saveTokens(tokens: OAuthTokens): Promise<void> {\n    await this.storage.put(this.tokenKey(this.clientId), tokens);\n  }\n\n  get authUrl() {\n    return this._authUrl_;\n  }\n\n  stateKey(nonce: string) {\n    return `/${this.clientName}/${this.serverId}/state/${nonce}`;\n  }\n\n  async state(): Promise<string> {\n    const nonce = nanoid();\n    const state = `${nonce}.${this.serverId}`;\n    const storedState: StoredState = {\n      nonce,\n      serverId: this.serverId,\n      createdAt: Date.now()\n    };\n    await this.storage.put(this.stateKey(nonce), storedState);\n    return state;\n  }\n\n  async checkState(\n    state: string\n  ): Promise<{ valid: boolean; serverId?: string; error?: string }> {\n    const parts = state.split(\".\");\n    if (parts.length !== 2) {\n      return { valid: false, error: \"Invalid state format\" };\n    }\n\n    const [nonce, serverId] = parts;\n    const key = this.stateKey(nonce);\n    const storedState = await this.storage.get<StoredState>(key);\n\n    if (!storedState) {\n      return { valid: false, error: \"State not found or already used\" };\n    }\n\n    if (storedState.serverId !== serverId) {\n      await this.storage.delete(key);\n      return { valid: false, error: \"State serverId mismatch\" };\n    }\n\n    const age = Date.now() - storedState.createdAt;\n    if (age > STATE_EXPIRATION_MS) {\n      await this.storage.delete(key);\n      return { valid: false, error: \"State expired\" };\n    }\n\n    return { valid: true, serverId };\n  }\n\n  async consumeState(state: string): Promise<void> {\n    const parts = state.split(\".\");\n    if (parts.length !== 2) {\n      // This should never happen since checkState validates format first.\n      // Log for debugging but don't throw - state consumption is best-effort.\n      console.warn(\n        `[OAuth] consumeState called with invalid state format: ${state.substring(0, 20)}...`\n      );\n      return;\n    }\n    const [nonce] = parts;\n    await this.storage.delete(this.stateKey(nonce));\n  }\n\n  async redirectToAuthorization(authUrl: URL): Promise<void> {\n    this._authUrl_ = authUrl.toString();\n  }\n\n  async invalidateCredentials(\n    scope: \"all\" | \"client\" | \"tokens\" | \"verifier\"\n  ): Promise<void> {\n    if (!this._clientId_) return;\n\n    const deleteKeys: string[] = [];\n\n    if (scope === \"all\" || scope === \"client\") {\n      deleteKeys.push(this.clientInfoKey(this.clientId));\n    }\n    if (scope === \"all\" || scope === \"tokens\") {\n      deleteKeys.push(this.tokenKey(this.clientId));\n    }\n    if (scope === \"all\" || scope === \"verifier\") {\n      deleteKeys.push(this.codeVerifierKey(this.clientId));\n    }\n\n    if (deleteKeys.length > 0) {\n      await this.storage.delete(deleteKeys);\n    }\n  }\n\n  codeVerifierKey(clientId: string) {\n    return `${this.keyPrefix(clientId)}/code_verifier`;\n  }\n\n  async saveCodeVerifier(verifier: string): Promise<void> {\n    const key = this.codeVerifierKey(this.clientId);\n\n    // Don't overwrite existing verifier to preserve first PKCE verifier\n    const existing = await this.storage.get<string>(key);\n    if (existing) {\n      return;\n    }\n\n    await this.storage.put(key, verifier);\n  }\n\n  async codeVerifier(): Promise<string> {\n    const codeVerifier = await this.storage.get<string>(\n      this.codeVerifierKey(this.clientId)\n    );\n    if (!codeVerifier) {\n      throw new Error(\"No code verifier found\");\n    }\n    return codeVerifier;\n  }\n\n  async deleteCodeVerifier(): Promise<void> {\n    await this.storage.delete(this.codeVerifierKey(this.clientId));\n  }\n}\n"],"mappings":";;;AASA,MAAM,sBAAsB,MAAU;AAqBtC,IAAa,mCAAb,MAA6E;CAK3E,YACE,AAAOA,SACP,AAAOC,YACP,AAAOC,iBACP;EAHO;EACA;EACA;AAEP,MAAI,CAAC,QACH,OAAM,IAAI,MACR,kFACD;;CAIL,IAAI,iBAAsC;AACxC,SAAO;GACL,aAAa,KAAK;GAClB,YAAY,KAAK;GACjB,aAAa,CAAC,sBAAsB,gBAAgB;GACpD,eAAe,CAAC,KAAK,YAAY;GACjC,gBAAgB,CAAC,OAAO;GACxB,4BAA4B;GAC7B;;CAGH,IAAI,YAAY;AACd,SAAO,IAAI,IAAI,KAAK,YAAY,CAAC;;CAGnC,IAAI,cAAc;AAChB,SAAO,KAAK;;CAGd,IAAI,WAAW;AACb,MAAI,CAAC,KAAK,WACR,OAAM,IAAI,MAAM,8CAA8C;AAEhE,SAAO,KAAK;;CAGd,IAAI,SAAS,WAAmB;AAC9B,OAAK,aAAa;;CAGpB,IAAI,WAAW;AACb,MAAI,CAAC,KAAK,WACR,OAAM,IAAI,MAAM,8CAA8C;AAEhE,SAAO,KAAK;;CAGd,IAAI,SAAS,WAAmB;AAC9B,OAAK,aAAa;;CAGpB,UAAU,UAAkB;AAC1B,SAAO,IAAI,KAAK,WAAW,GAAG,KAAK,SAAS,GAAG;;CAGjD,cAAc,UAAkB;AAC9B,SAAO,GAAG,KAAK,UAAU,SAAS,CAAC;;CAGrC,MAAM,oBAAiE;AACrE,MAAI,CAAC,KAAK,WACR;AAEF,SACG,MAAM,KAAK,QAAQ,IAClB,KAAK,cAAc,KAAK,SAAS,CAClC,IAAK;;CAIV,MAAM,sBACJ,mBACe;AACf,QAAM,KAAK,QAAQ,IACjB,KAAK,cAAc,kBAAkB,UAAU,EAC/C,kBACD;AACD,OAAK,WAAW,kBAAkB;;CAGpC,SAAS,UAAkB;AACzB,SAAO,GAAG,KAAK,UAAU,SAAS,CAAC;;CAGrC,MAAM,SAA2C;AAC/C,MAAI,CAAC,KAAK,WACR;AAEF,SACG,MAAM,KAAK,QAAQ,IAAiB,KAAK,SAAS,KAAK,SAAS,CAAC,IAClE;;CAIJ,MAAM,WAAW,QAAoC;AACnD,QAAM,KAAK,QAAQ,IAAI,KAAK,SAAS,KAAK,SAAS,EAAE,OAAO;;CAG9D,IAAI,UAAU;AACZ,SAAO,KAAK;;CAGd,SAAS,OAAe;AACtB,SAAO,IAAI,KAAK,WAAW,GAAG,KAAK,SAAS,SAAS;;CAGvD,MAAM,QAAyB;EAC7B,MAAM,QAAQ,QAAQ;EACtB,MAAM,QAAQ,GAAG,MAAM,GAAG,KAAK;EAC/B,MAAMC,cAA2B;GAC/B;GACA,UAAU,KAAK;GACf,WAAW,KAAK,KAAK;GACtB;AACD,QAAM,KAAK,QAAQ,IAAI,KAAK,SAAS,MAAM,EAAE,YAAY;AACzD,SAAO;;CAGT,MAAM,WACJ,OACgE;EAChE,MAAM,QAAQ,MAAM,MAAM,IAAI;AAC9B,MAAI,MAAM,WAAW,EACnB,QAAO;GAAE,OAAO;GAAO,OAAO;GAAwB;EAGxD,MAAM,CAAC,OAAO,YAAY;EAC1B,MAAM,MAAM,KAAK,SAAS,MAAM;EAChC,MAAM,cAAc,MAAM,KAAK,QAAQ,IAAiB,IAAI;AAE5D,MAAI,CAAC,YACH,QAAO;GAAE,OAAO;GAAO,OAAO;GAAmC;AAGnE,MAAI,YAAY,aAAa,UAAU;AACrC,SAAM,KAAK,QAAQ,OAAO,IAAI;AAC9B,UAAO;IAAE,OAAO;IAAO,OAAO;IAA2B;;AAI3D,MADY,KAAK,KAAK,GAAG,YAAY,YAC3B,qBAAqB;AAC7B,SAAM,KAAK,QAAQ,OAAO,IAAI;AAC9B,UAAO;IAAE,OAAO;IAAO,OAAO;IAAiB;;AAGjD,SAAO;GAAE,OAAO;GAAM;GAAU;;CAGlC,MAAM,aAAa,OAA8B;EAC/C,MAAM,QAAQ,MAAM,MAAM,IAAI;AAC9B,MAAI,MAAM,WAAW,GAAG;AAGtB,WAAQ,KACN,0DAA0D,MAAM,UAAU,GAAG,GAAG,CAAC,KAClF;AACD;;EAEF,MAAM,CAAC,SAAS;AAChB,QAAM,KAAK,QAAQ,OAAO,KAAK,SAAS,MAAM,CAAC;;CAGjD,MAAM,wBAAwB,SAA6B;AACzD,OAAK,YAAY,QAAQ,UAAU;;CAGrC,MAAM,sBACJ,OACe;AACf,MAAI,CAAC,KAAK,WAAY;EAEtB,MAAMC,aAAuB,EAAE;AAE/B,MAAI,UAAU,SAAS,UAAU,SAC/B,YAAW,KAAK,KAAK,cAAc,KAAK,SAAS,CAAC;AAEpD,MAAI,UAAU,SAAS,UAAU,SAC/B,YAAW,KAAK,KAAK,SAAS,KAAK,SAAS,CAAC;AAE/C,MAAI,UAAU,SAAS,UAAU,WAC/B,YAAW,KAAK,KAAK,gBAAgB,KAAK,SAAS,CAAC;AAGtD,MAAI,WAAW,SAAS,EACtB,OAAM,KAAK,QAAQ,OAAO,WAAW;;CAIzC,gBAAgB,UAAkB;AAChC,SAAO,GAAG,KAAK,UAAU,SAAS,CAAC;;CAGrC,MAAM,iBAAiB,UAAiC;EACtD,MAAM,MAAM,KAAK,gBAAgB,KAAK,SAAS;AAI/C,MADiB,MAAM,KAAK,QAAQ,IAAY,IAAI,CAElD;AAGF,QAAM,KAAK,QAAQ,IAAI,KAAK,SAAS;;CAGvC,MAAM,eAAgC;EACpC,MAAM,eAAe,MAAM,KAAK,QAAQ,IACtC,KAAK,gBAAgB,KAAK,SAAS,CACpC;AACD,MAAI,CAAC,aACH,OAAM,IAAI,MAAM,yBAAyB;AAE3C,SAAO;;CAGT,MAAM,qBAAoC;AACxC,QAAM,KAAK,QAAQ,OAAO,KAAK,gBAAgB,KAAK,SAAS,CAAC"}
+{"version":3,"file":"do-oauth-client-provider-DDg8QrEA.js","names":[],"sources":["../src/mcp/do-oauth-client-provider.ts"],"sourcesContent":["import type { OAuthClientProvider } from \"@modelcontextprotocol/sdk/client/auth.js\";\nimport type {\n  OAuthClientInformation,\n  OAuthClientInformationFull,\n  OAuthClientMetadata,\n  OAuthTokens\n} from \"@modelcontextprotocol/sdk/shared/auth.js\";\nimport { nanoid } from \"nanoid\";\n\nconst STATE_EXPIRATION_MS = 10 * 60 * 1000; // 10 minutes\n\ninterface StoredState {\n  nonce: string;\n  serverId: string;\n  createdAt: number;\n}\n\n// A slight extension to the standard OAuthClientProvider interface because `redirectToAuthorization` doesn't give us the interface we need\n// This allows us to track authentication for a specific server and associated dynamic client registration\nexport interface AgentsOAuthProvider extends OAuthClientProvider {\n  authUrl: string | undefined;\n  clientId: string | undefined;\n  serverId: string | undefined;\n  checkState(\n    state: string\n  ): Promise<{ valid: boolean; serverId?: string; error?: string }>;\n  consumeState(state: string): Promise<void>;\n  deleteCodeVerifier(): Promise<void>;\n}\n\nexport class DurableObjectOAuthClientProvider implements AgentsOAuthProvider {\n  private _authUrl_: string | undefined;\n  private _serverId_: string | undefined;\n  private _clientId_: string | undefined;\n\n  constructor(\n    public storage: DurableObjectStorage,\n    public clientName: string,\n    public baseRedirectUrl: string\n  ) {\n    if (!storage) {\n      throw new Error(\n        \"DurableObjectOAuthClientProvider requires a valid DurableObjectStorage instance\"\n      );\n    }\n  }\n\n  get clientMetadata(): OAuthClientMetadata {\n    return {\n      client_name: this.clientName,\n      client_uri: this.clientUri,\n      grant_types: [\"authorization_code\", \"refresh_token\"],\n      redirect_uris: [this.redirectUrl],\n      response_types: [\"code\"],\n      token_endpoint_auth_method: \"none\"\n    };\n  }\n\n  get clientUri() {\n    return new URL(this.redirectUrl).origin;\n  }\n\n  get redirectUrl() {\n    return this.baseRedirectUrl;\n  }\n\n  get clientId() {\n    if (!this._clientId_) {\n      throw new Error(\"Trying to access clientId before it was set\");\n    }\n    return this._clientId_;\n  }\n\n  set clientId(clientId_: string) {\n    this._clientId_ = clientId_;\n  }\n\n  get serverId() {\n    if (!this._serverId_) {\n      throw new Error(\"Trying to access serverId before it was set\");\n    }\n    return this._serverId_;\n  }\n\n  set serverId(serverId_: string) {\n    this._serverId_ = serverId_;\n  }\n\n  keyPrefix(clientId: string) {\n    return `/${this.clientName}/${this.serverId}/${clientId}`;\n  }\n\n  clientInfoKey(clientId: string) {\n    return `${this.keyPrefix(clientId)}/client_info/`;\n  }\n\n  async clientInformation(): Promise<OAuthClientInformation | undefined> {\n    if (!this._clientId_) {\n      return undefined;\n    }\n    return (\n      (await this.storage.get<OAuthClientInformation>(\n        this.clientInfoKey(this.clientId)\n      )) ?? undefined\n    );\n  }\n\n  async saveClientInformation(\n    clientInformation: OAuthClientInformationFull\n  ): Promise<void> {\n    await this.storage.put(\n      this.clientInfoKey(clientInformation.client_id),\n      clientInformation\n    );\n    this.clientId = clientInformation.client_id;\n  }\n\n  tokenKey(clientId: string) {\n    return `${this.keyPrefix(clientId)}/token`;\n  }\n\n  async tokens(): Promise<OAuthTokens | undefined> {\n    if (!this._clientId_) {\n      return undefined;\n    }\n    return (\n      (await this.storage.get<OAuthTokens>(this.tokenKey(this.clientId))) ??\n      undefined\n    );\n  }\n\n  async saveTokens(tokens: OAuthTokens): Promise<void> {\n    await this.storage.put(this.tokenKey(this.clientId), tokens);\n  }\n\n  get authUrl() {\n    return this._authUrl_;\n  }\n\n  stateKey(nonce: string) {\n    return `/${this.clientName}/${this.serverId}/state/${nonce}`;\n  }\n\n  async state(): Promise<string> {\n    const nonce = nanoid();\n    const state = `${nonce}.${this.serverId}`;\n    const storedState: StoredState = {\n      nonce,\n      serverId: this.serverId,\n      createdAt: Date.now()\n    };\n    await this.storage.put(this.stateKey(nonce), storedState);\n    return state;\n  }\n\n  async checkState(\n    state: string\n  ): Promise<{ valid: boolean; serverId?: string; error?: string }> {\n    const parts = state.split(\".\");\n    if (parts.length !== 2) {\n      return { valid: false, error: \"Invalid state format\" };\n    }\n\n    const [nonce, serverId] = parts;\n    const key = this.stateKey(nonce);\n    const storedState = await this.storage.get<StoredState>(key);\n\n    if (!storedState) {\n      return { valid: false, error: \"State not found or already used\" };\n    }\n\n    if (storedState.serverId !== serverId) {\n      await this.storage.delete(key);\n      return { valid: false, error: \"State serverId mismatch\" };\n    }\n\n    const age = Date.now() - storedState.createdAt;\n    if (age > STATE_EXPIRATION_MS) {\n      await this.storage.delete(key);\n      return { valid: false, error: \"State expired\" };\n    }\n\n    return { valid: true, serverId };\n  }\n\n  async consumeState(state: string): Promise<void> {\n    const parts = state.split(\".\");\n    if (parts.length !== 2) {\n      // This should never happen since checkState validates format first.\n      // Log for debugging but don't throw - state consumption is best-effort.\n      console.warn(\n        `[OAuth] consumeState called with invalid state format: ${state.substring(0, 20)}...`\n      );\n      return;\n    }\n    const [nonce] = parts;\n    await this.storage.delete(this.stateKey(nonce));\n  }\n\n  async redirectToAuthorization(authUrl: URL): Promise<void> {\n    this._authUrl_ = authUrl.toString();\n  }\n\n  async invalidateCredentials(\n    scope: \"all\" | \"client\" | \"tokens\" | \"verifier\"\n  ): Promise<void> {\n    if (!this._clientId_) return;\n\n    const deleteKeys: string[] = [];\n\n    if (scope === \"all\" || scope === \"client\") {\n      deleteKeys.push(this.clientInfoKey(this.clientId));\n    }\n    if (scope === \"all\" || scope === \"tokens\") {\n      deleteKeys.push(this.tokenKey(this.clientId));\n    }\n    if (scope === \"all\" || scope === \"verifier\") {\n      deleteKeys.push(this.codeVerifierKey(this.clientId));\n    }\n\n    if (deleteKeys.length > 0) {\n      await this.storage.delete(deleteKeys);\n    }\n  }\n\n  codeVerifierKey(clientId: string) {\n    return `${this.keyPrefix(clientId)}/code_verifier`;\n  }\n\n  async saveCodeVerifier(verifier: string): Promise<void> {\n    const key = this.codeVerifierKey(this.clientId);\n\n    // Don't overwrite existing verifier to preserve first PKCE verifier\n    const existing = await this.storage.get<string>(key);\n    if (existing) {\n      return;\n    }\n\n    await this.storage.put(key, verifier);\n  }\n\n  async codeVerifier(): Promise<string> {\n    const codeVerifier = await this.storage.get<string>(\n      this.codeVerifierKey(this.clientId)\n    );\n    if (!codeVerifier) {\n      throw new Error(\"No code verifier found\");\n    }\n    return codeVerifier;\n  }\n\n  async deleteCodeVerifier(): Promise<void> {\n    await this.storage.delete(this.codeVerifierKey(this.clientId));\n  }\n}\n"],"mappings":";;;AASA,MAAM,sBAAsB,MAAU;AAqBtC,IAAa,mCAAb,MAA6E;CAK3E,YACE,AAAO,SACP,AAAO,YACP,AAAO,iBACP;EAHO;EACA;EACA;AAEP,MAAI,CAAC,QACH,OAAM,IAAI,MACR,kFACD;;CAIL,IAAI,iBAAsC;AACxC,SAAO;GACL,aAAa,KAAK;GAClB,YAAY,KAAK;GACjB,aAAa,CAAC,sBAAsB,gBAAgB;GACpD,eAAe,CAAC,KAAK,YAAY;GACjC,gBAAgB,CAAC,OAAO;GACxB,4BAA4B;GAC7B;;CAGH,IAAI,YAAY;AACd,SAAO,IAAI,IAAI,KAAK,YAAY,CAAC;;CAGnC,IAAI,cAAc;AAChB,SAAO,KAAK;;CAGd,IAAI,WAAW;AACb,MAAI,CAAC,KAAK,WACR,OAAM,IAAI,MAAM,8CAA8C;AAEhE,SAAO,KAAK;;CAGd,IAAI,SAAS,WAAmB;AAC9B,OAAK,aAAa;;CAGpB,IAAI,WAAW;AACb,MAAI,CAAC,KAAK,WACR,OAAM,IAAI,MAAM,8CAA8C;AAEhE,SAAO,KAAK;;CAGd,IAAI,SAAS,WAAmB;AAC9B,OAAK,aAAa;;CAGpB,UAAU,UAAkB;AAC1B,SAAO,IAAI,KAAK,WAAW,GAAG,KAAK,SAAS,GAAG;;CAGjD,cAAc,UAAkB;AAC9B,SAAO,GAAG,KAAK,UAAU,SAAS,CAAC;;CAGrC,MAAM,oBAAiE;AACrE,MAAI,CAAC,KAAK,WACR;AAEF,SACG,MAAM,KAAK,QAAQ,IAClB,KAAK,cAAc,KAAK,SAAS,CAClC,IAAK;;CAIV,MAAM,sBACJ,mBACe;AACf,QAAM,KAAK,QAAQ,IACjB,KAAK,cAAc,kBAAkB,UAAU,EAC/C,kBACD;AACD,OAAK,WAAW,kBAAkB;;CAGpC,SAAS,UAAkB;AACzB,SAAO,GAAG,KAAK,UAAU,SAAS,CAAC;;CAGrC,MAAM,SAA2C;AAC/C,MAAI,CAAC,KAAK,WACR;AAEF,SACG,MAAM,KAAK,QAAQ,IAAiB,KAAK,SAAS,KAAK,SAAS,CAAC,IAClE;;CAIJ,MAAM,WAAW,QAAoC;AACnD,QAAM,KAAK,QAAQ,IAAI,KAAK,SAAS,KAAK,SAAS,EAAE,OAAO;;CAG9D,IAAI,UAAU;AACZ,SAAO,KAAK;;CAGd,SAAS,OAAe;AACtB,SAAO,IAAI,KAAK,WAAW,GAAG,KAAK,SAAS,SAAS;;CAGvD,MAAM,QAAyB;EAC7B,MAAM,QAAQ,QAAQ;EACtB,MAAM,QAAQ,GAAG,MAAM,GAAG,KAAK;EAC/B,MAAM,cAA2B;GAC/B;GACA,UAAU,KAAK;GACf,WAAW,KAAK,KAAK;GACtB;AACD,QAAM,KAAK,QAAQ,IAAI,KAAK,SAAS,MAAM,EAAE,YAAY;AACzD,SAAO;;CAGT,MAAM,WACJ,OACgE;EAChE,MAAM,QAAQ,MAAM,MAAM,IAAI;AAC9B,MAAI,MAAM,WAAW,EACnB,QAAO;GAAE,OAAO;GAAO,OAAO;GAAwB;EAGxD,MAAM,CAAC,OAAO,YAAY;EAC1B,MAAM,MAAM,KAAK,SAAS,MAAM;EAChC,MAAM,cAAc,MAAM,KAAK,QAAQ,IAAiB,IAAI;AAE5D,MAAI,CAAC,YACH,QAAO;GAAE,OAAO;GAAO,OAAO;GAAmC;AAGnE,MAAI,YAAY,aAAa,UAAU;AACrC,SAAM,KAAK,QAAQ,OAAO,IAAI;AAC9B,UAAO;IAAE,OAAO;IAAO,OAAO;IAA2B;;AAI3D,MADY,KAAK,KAAK,GAAG,YAAY,YAC3B,qBAAqB;AAC7B,SAAM,KAAK,QAAQ,OAAO,IAAI;AAC9B,UAAO;IAAE,OAAO;IAAO,OAAO;IAAiB;;AAGjD,SAAO;GAAE,OAAO;GAAM;GAAU;;CAGlC,MAAM,aAAa,OAA8B;EAC/C,MAAM,QAAQ,MAAM,MAAM,IAAI;AAC9B,MAAI,MAAM,WAAW,GAAG;AAGtB,WAAQ,KACN,0DAA0D,MAAM,UAAU,GAAG,GAAG,CAAC,KAClF;AACD;;EAEF,MAAM,CAAC,SAAS;AAChB,QAAM,KAAK,QAAQ,OAAO,KAAK,SAAS,MAAM,CAAC;;CAGjD,MAAM,wBAAwB,SAA6B;AACzD,OAAK,YAAY,QAAQ,UAAU;;CAGrC,MAAM,sBACJ,OACe;AACf,MAAI,CAAC,KAAK,WAAY;EAEtB,MAAM,aAAuB,EAAE;AAE/B,MAAI,UAAU,SAAS,UAAU,SAC/B,YAAW,KAAK,KAAK,cAAc,KAAK,SAAS,CAAC;AAEpD,MAAI,UAAU,SAAS,UAAU,SAC/B,YAAW,KAAK,KAAK,SAAS,KAAK,SAAS,CAAC;AAE/C,MAAI,UAAU,SAAS,UAAU,WAC/B,YAAW,KAAK,KAAK,gBAAgB,KAAK,SAAS,CAAC;AAGtD,MAAI,WAAW,SAAS,EACtB,OAAM,KAAK,QAAQ,OAAO,WAAW;;CAIzC,gBAAgB,UAAkB;AAChC,SAAO,GAAG,KAAK,UAAU,SAAS,CAAC;;CAGrC,MAAM,iBAAiB,UAAiC;EACtD,MAAM,MAAM,KAAK,gBAAgB,KAAK,SAAS;AAI/C,MADiB,MAAM,KAAK,QAAQ,IAAY,IAAI,CAElD;AAGF,QAAM,KAAK,QAAQ,IAAI,KAAK,SAAS;;CAGvC,MAAM,eAAgC;EACpC,MAAM,eAAe,MAAM,KAAK,QAAQ,IACtC,KAAK,gBAAgB,KAAK,SAAS,CACpC;AACD,MAAI,CAAC,aACH,OAAM,IAAI,MAAM,yBAAyB;AAE3C,SAAO;;CAGT,MAAM,qBAAoC;AACxC,QAAM,KAAK,QAAQ,OAAO,KAAK,gBAAgB,KAAK,SAAS,CAAC"}

package/dist/email-8ljcpvwV.d.ts

@@ -0,0 +1,157 @@
+//#region src/email.d.ts
+/**
+ * Header object as returned by postal-mime and similar email parsing libraries.
+ * Each header has a lowercase key and a string value.
+ */
+type EmailHeader = {
+  /** Lowercase header name (e.g., "content-type", "x-custom-header") */ key: string; /** Header value */
+  value: string;
+};
+/**
+ * Check if an email appears to be an auto-reply based on standard headers.
+ * Checks for Auto-Submitted (RFC 3834), X-Auto-Response-Suppress, and Precedence headers.
+ *
+ * @param headers - Headers array from postal-mime Email.headers or similar format
+ * @returns true if email appears to be an auto-reply
+ *
+ * @example
+ * ```typescript
+ * if (isAutoReplyEmail(parsed.headers)) {
+ *   // Skip processing auto-replies
+ *   return;
+ * }
+ * ```
+ */
+declare function isAutoReplyEmail(headers: EmailHeader[]): boolean;
+/** Default signature expiration: 30 days in seconds */
+declare const DEFAULT_MAX_AGE_SECONDS: number;
+/**
+ * Sign agent routing headers for secure reply flows.
+ * Use this when sending outbound emails to ensure replies can be securely routed back.
+ *
+ * @param secret - Secret key for HMAC signing (store in environment variables)
+ * @param agentName - Name of the agent
+ * @param agentId - ID of the agent instance
+ * @returns Headers object with X-Agent-Name, X-Agent-ID, X-Agent-Sig, and X-Agent-Sig-Ts
+ *
+ * @example
+ * ```typescript
+ * const headers = await signAgentHeaders(env.EMAIL_SECRET, "MyAgent", this.name);
+ * // Use these headers when sending outbound emails
+ * ```
+ */
+declare function signAgentHeaders(
+  secret: string,
+  agentName: string,
+  agentId: string
+): Promise<Record<string, string>>;
+type EmailResolverResult = {
+  agentName: string;
+  agentId: string; /** @internal Indicates this resolver requires secure reply signing */
+  _secureRouted?: boolean;
+} | null;
+type EmailResolver<Env> = (
+  email: ForwardableEmailMessage,
+  env: Env
+) => Promise<EmailResolverResult>;
+/**
+ * Reason for signature verification failure
+ */
+type SignatureFailureReason =
+  | "missing_headers"
+  | "expired"
+  | "invalid"
+  | "malformed_timestamp";
+/**
+ * Options for createSecureReplyEmailResolver
+ */
+type SecureReplyResolverOptions = {
+  /**
+   * Maximum age of signature in seconds.
+   * Signatures older than this will be rejected.
+   * Default: 30 days (2592000 seconds)
+   */
+  maxAge?: number;
+  /**
+   * Callback invoked when signature verification fails.
+   * Useful for logging and debugging.
+   */
+  onInvalidSignature?: (
+    email: ForwardableEmailMessage,
+    reason: SignatureFailureReason
+  ) => void;
+};
+/**
+ * @deprecated REMOVED due to security vulnerability (IDOR via spoofed headers).
+ * @throws Always throws an error with migration guidance.
+ */
+declare function createHeaderBasedEmailResolver<Env>(): EmailResolver<Env>;
+/**
+ * Create a resolver for routing email replies with signature verification.
+ * This resolver verifies that replies contain a valid HMAC signature, preventing
+ * attackers from routing emails to arbitrary agent instances.
+ *
+ * @param secret - Secret key for HMAC verification (must match the key used with signAgentHeaders)
+ * @param options - Optional configuration for signature verification
+ * @returns A function that resolves the agent to route the email to, or null if signature is invalid
+ *
+ * @example
+ * ```typescript
+ * // In your email handler
+ * const secureResolver = createSecureReplyEmailResolver(env.EMAIL_SECRET, {
+ *   maxAge: 7 * 24 * 60 * 60, // 7 days
+ *   onInvalidSignature: (email, reason) => {
+ *     console.warn(`Invalid signature from ${email.from}: ${reason}`);
+ *   }
+ * });
+ * const addressResolver = createAddressBasedEmailResolver("MyAgent");
+ *
+ * await routeAgentEmail(email, env, {
+ *   resolver: async (email, env) => {
+ *     // Try secure reply routing first
+ *     const replyRouting = await secureResolver(email, env);
+ *     if (replyRouting) return replyRouting;
+ *     // Fall back to address-based routing
+ *     return addressResolver(email, env);
+ *   }
+ * });
+ * ```
+ */
+declare function createSecureReplyEmailResolver<Env>(
+  secret: string,
+  options?: SecureReplyResolverOptions
+): EmailResolver<Env>;
+/**
+ * Create a resolver that uses the email address to determine the agent to route the email to
+ * @param defaultAgentName The default agent name to use if the email address does not contain a sub-address
+ * @returns A function that resolves the agent to route the email to
+ */
+declare function createAddressBasedEmailResolver<Env>(
+  defaultAgentName: string
+): EmailResolver<Env>;
+/**
+ * Create a resolver that uses the agentName and agentId to determine the agent to route the email to
+ * @param agentName The name of the agent to route the email to
+ * @param agentId The id of the agent to route the email to
+ * @returns A function that resolves the agent to route the email to
+ */
+declare function createCatchAllEmailResolver<Env>(
+  agentName: string,
+  agentId: string
+): EmailResolver<Env>;
+//#endregion
+export {
+  SecureReplyResolverOptions as a,
+  createCatchAllEmailResolver as c,
+  isAutoReplyEmail as d,
+  signAgentHeaders as f,
+  EmailResolverResult as i,
+  createHeaderBasedEmailResolver as l,
+  EmailHeader as n,
+  SignatureFailureReason as o,
+  EmailResolver as r,
+  createAddressBasedEmailResolver as s,
+  DEFAULT_MAX_AGE_SECONDS as t,
+  createSecureReplyEmailResolver as u
+};
+//# sourceMappingURL=email-8ljcpvwV.d.ts.map