agor-live 0.17.2 → 0.17.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/cli/lib/banner.d.ts +1 -1
- package/dist/cli/lib/banner.js +1 -1
- package/dist/cli/lib/check-migrations.test.js +9627 -9112
- package/dist/cli/lib/daemon-manager.test.js +9632 -9117
- package/dist/cli/lib/help.js +1 -1
- package/dist/core/api/index.d.cts +3 -3
- package/dist/core/api/index.d.ts +3 -3
- package/dist/core/{board-comment-DIdOJrSF.d.cts → board-comment-CCFVVN7K.d.cts} +0 -2
- package/dist/core/{board-comment-3N-jSgsk.d.ts → board-comment-iT3DgZb4.d.ts} +0 -2
- package/dist/core/claude/index.cjs +29 -19
- package/dist/core/claude/index.d.cts +2 -2
- package/dist/core/claude/index.d.ts +2 -2
- package/dist/core/claude/index.js +32 -33
- package/dist/core/client/index.cjs +49 -0
- package/dist/core/client/index.d.cts +7 -7
- package/dist/core/client/index.d.ts +7 -7
- package/dist/core/client/index.js +46 -0
- package/dist/core/{client-B5PyIvNc.d.cts → client-CemqXk0v.d.cts} +116 -100
- package/dist/core/{client-C1CsRi19.d.ts → client-uYEOha6g.d.ts} +116 -100
- package/dist/core/config/browser.d.cts +3 -3
- package/dist/core/config/browser.d.ts +3 -3
- package/dist/core/config/index.cjs +84 -41
- package/dist/core/config/index.d.cts +59 -17
- package/dist/core/config/index.d.ts +59 -17
- package/dist/core/config/index.js +86 -55
- package/dist/core/{config-manager-TxxjFMRd.d.cts → config-manager-B8TP9Kz0.d.cts} +12 -3
- package/dist/core/{config-manager-DTrsj6G3.d.ts → config-manager-CDEB0FY4.d.ts} +12 -3
- package/dist/core/{config-services-YEZ4DwCD.d.cts → config-services-CXyQKEK5.d.cts} +1 -1
- package/dist/core/{config-services-DcO2GRgh.d.ts → config-services-DhM7_yWn.d.ts} +1 -1
- package/dist/core/db/index.cjs +235 -175
- package/dist/core/db/index.d.cts +190 -147
- package/dist/core/db/index.d.ts +190 -147
- package/dist/core/db/index.js +239 -190
- package/dist/core/db/session-guard.d.cts +4 -4
- package/dist/core/db/session-guard.d.ts +4 -4
- package/dist/core/drizzle/postgres/0028_queued_tasks.sql +8 -0
- package/dist/core/drizzle/postgres/0030_migrate_queued_messages.sql +24 -0
- package/dist/core/drizzle/postgres/0031_restructure_agentic_tool_config.sql +201 -0
- package/dist/core/drizzle/postgres/meta/_journal.json +21 -0
- package/dist/core/drizzle/sqlite/0039_queued_tasks.sql +13 -0
- package/dist/core/drizzle/sqlite/0040_migrate_queued_messages.sql +61 -0
- package/dist/core/drizzle/sqlite/0041_restructure_agentic_tool_config.sql +204 -0
- package/dist/core/drizzle/sqlite/meta/_journal.json +21 -0
- package/dist/core/gateway/index.d.cts +2 -2
- package/dist/core/gateway/index.d.ts +2 -2
- package/dist/core/{gateway-BnOlAelY.d.cts → gateway-BWq4j_Ll.d.cts} +1 -1
- package/dist/core/{gateway-B_4X-v07.d.ts → gateway-C3Jm_akw.d.ts} +1 -1
- package/dist/core/git/index.d.cts +4 -4
- package/dist/core/git/index.d.ts +4 -4
- package/dist/core/index.cjs +474 -201
- package/dist/core/index.d.cts +12 -10
- package/dist/core/index.d.ts +12 -10
- package/dist/core/index.js +473 -216
- package/dist/core/lib/feathers-validation.cjs +2 -1
- package/dist/core/lib/feathers-validation.d.cts +1 -1
- package/dist/core/lib/feathers-validation.d.ts +1 -1
- package/dist/core/lib/feathers-validation.js +2 -1
- package/dist/core/mcp/index.cjs +26 -16
- package/dist/core/mcp/index.js +26 -16
- package/dist/core/{message-DinITA7a.d.cts → message-CSWOsdcZ.d.cts} +1 -9
- package/dist/core/{message-CHUUP6OS.d.ts → message-DZa8g0s0.d.ts} +1 -9
- package/dist/core/models/index.d.cts +3 -73
- package/dist/core/models/index.d.ts +3 -73
- package/dist/core/package.json +5 -0
- package/dist/core/permissions/index.d.cts +1 -1
- package/dist/core/permissions/index.d.ts +1 -1
- package/dist/core/resolve-config-BcL-Hv8k.d.ts +74 -0
- package/dist/core/resolve-config-DTCxuSBx.d.cts +74 -0
- package/dist/core/seed/index.cjs +145 -98
- package/dist/core/seed/index.js +148 -112
- package/dist/core/{session-guard-C0LkDEN7.d.ts → session-guard-BFqVtBoS.d.ts} +1 -1
- package/dist/core/{session-guard-kvAx_8Fb.d.cts → session-guard-KHh0cnET.d.cts} +1 -1
- package/dist/core/sessions/index.cjs +184 -0
- package/dist/core/sessions/index.d.cts +79 -0
- package/dist/core/sessions/index.d.ts +79 -0
- package/dist/core/sessions/index.js +157 -0
- package/dist/core/{task-BLPFCORT.d.ts → task-BHV-YHg1.d.ts} +41 -3
- package/dist/core/{task-wht1RJEL.d.cts → task-C2Hy7H6u.d.cts} +41 -3
- package/dist/core/templates/session-context.d.cts +1 -1
- package/dist/core/templates/session-context.d.ts +1 -1
- package/dist/core/tools/mcp/oauth-mcp-transport.cjs +168 -66
- package/dist/core/tools/mcp/oauth-mcp-transport.d.cts +92 -16
- package/dist/core/tools/mcp/oauth-mcp-transport.d.ts +92 -16
- package/dist/core/tools/mcp/oauth-mcp-transport.js +165 -66
- package/dist/core/tools/mcp/oauth-refresh.cjs +43 -53
- package/dist/core/tools/mcp/oauth-refresh.d.cts +3 -3
- package/dist/core/tools/mcp/oauth-refresh.d.ts +3 -3
- package/dist/core/tools/mcp/oauth-refresh.js +58 -78
- package/dist/core/types/index.cjs +49 -0
- package/dist/core/types/index.d.cts +7 -7
- package/dist/core/types/index.d.ts +7 -7
- package/dist/core/types/index.js +46 -0
- package/dist/core/{types-DNqfdt1z.d.cts → types-D4Rl6ZKN.d.cts} +18 -2
- package/dist/core/{types-DqPMmTad.d.ts → types-n61iaXub.d.ts} +18 -2
- package/dist/core/unix/index.cjs +164 -110
- package/dist/core/unix/index.d.cts +7 -8
- package/dist/core/unix/index.d.ts +7 -8
- package/dist/core/unix/index.js +167 -124
- package/dist/core/{user-DkNdeFoz.d.cts → user-CpfkcV2C.d.cts} +139 -13
- package/dist/core/{user-BfVWBmXA.d.ts → user-DP-XZMIM.d.ts} +139 -13
- package/dist/core/utils/permission-mode-mapper.d.cts +0 -2
- package/dist/core/utils/permission-mode-mapper.d.ts +0 -2
- package/dist/daemon/index.js +2976 -2791
- package/dist/daemon/main.js +2976 -2791
- package/dist/daemon/mcp/server.js +177 -134
- package/dist/daemon/mcp/tools/analytics.js +19 -5
- package/dist/daemon/mcp/tools/artifacts.js +19 -5
- package/dist/daemon/mcp/tools/boards.js +19 -5
- package/dist/daemon/mcp/tools/card-types.js +19 -5
- package/dist/daemon/mcp/tools/cards.js +19 -5
- package/dist/daemon/mcp/tools/environment.js +19 -5
- package/dist/daemon/mcp/tools/mcp-servers.d.ts +29 -2
- package/dist/daemon/mcp/tools/mcp-servers.js +64 -54
- package/dist/daemon/mcp/tools/messages.js +19 -5
- package/dist/daemon/mcp/tools/repos.js +19 -5
- package/dist/daemon/mcp/tools/search.js +19 -5
- package/dist/daemon/mcp/tools/sessions.js +175 -53
- package/dist/daemon/mcp/tools/tasks.js +19 -5
- package/dist/daemon/mcp/tools/users.js +19 -5
- package/dist/daemon/mcp/tools/worktrees.js +37 -38
- package/dist/daemon/register-hooks.js +52 -1
- package/dist/daemon/register-routes.js +436 -424
- package/dist/daemon/register-services.js +255 -140
- package/dist/daemon/services/config.d.ts +7 -1
- package/dist/daemon/services/config.js +3 -2
- package/dist/daemon/services/gateway.js +28 -15
- package/dist/daemon/services/mcp-servers.d.ts +7 -2
- package/dist/daemon/services/repos.js +2 -0
- package/dist/daemon/services/sessions.d.ts +1 -1
- package/dist/daemon/services/sessions.js +8 -16
- package/dist/daemon/services/tasks.js +16 -10
- package/dist/daemon/services/terminals.js +2 -0
- package/dist/daemon/services/users.d.ts +27 -11
- package/dist/daemon/services/users.js +89 -43
- package/dist/daemon/services/worktree-owners.js +2 -0
- package/dist/daemon/services/worktrees.js +2 -0
- package/dist/daemon/setup/index.js +5 -2
- package/dist/daemon/setup/socketio.d.ts +10 -1
- package/dist/daemon/setup/socketio.js +7 -3
- package/dist/daemon/startup.js +13 -1
- package/dist/daemon/utils/apply-session-config-defaults.d.ts +54 -0
- package/dist/daemon/utils/apply-session-config-defaults.js +46 -0
- package/dist/daemon/utils/spawn-executor.js +2 -0
- package/dist/daemon/utils/worktree-authorization.d.ts +2 -4
- package/dist/executor/commands/zellij.d.ts.map +1 -1
- package/dist/executor/commands/zellij.js +2 -2
- package/dist/executor/handlers/sdk/base-executor.d.ts +4 -3
- package/dist/executor/handlers/sdk/base-executor.d.ts.map +1 -1
- package/dist/executor/handlers/sdk/base-executor.js +11 -5
- package/dist/executor/payload-types.d.ts +14 -14
- package/dist/executor/sdk-handlers/claude/claude-tool.d.ts.map +1 -1
- package/dist/executor/sdk-handlers/claude/claude-tool.js +9 -4
- package/dist/executor/sdk-handlers/claude/import/task-extractor.d.ts.map +1 -1
- package/dist/executor/sdk-handlers/claude/import/task-extractor.js +0 -5
- package/dist/executor/sdk-handlers/claude/message-builder.d.ts +23 -2
- package/dist/executor/sdk-handlers/claude/message-builder.d.ts.map +1 -1
- package/dist/executor/sdk-handlers/claude/message-builder.js +33 -2
- package/dist/executor/sdk-handlers/claude/permissions/permission-hooks.d.ts +9 -1
- package/dist/executor/sdk-handlers/claude/permissions/permission-hooks.d.ts.map +1 -1
- package/dist/executor/sdk-handlers/claude/permissions/permission-hooks.js +12 -0
- package/dist/executor/sdk-handlers/claude/query-builder.d.ts.map +1 -1
- package/dist/executor/sdk-handlers/claude/query-builder.js +11 -6
- package/dist/executor/sdk-handlers/codex/codex-tool.d.ts +0 -5
- package/dist/executor/sdk-handlers/codex/codex-tool.d.ts.map +1 -1
- package/dist/executor/sdk-handlers/codex/codex-tool.js +9 -24
- package/dist/executor/sdk-handlers/codex/prompt-service.d.ts +15 -2
- package/dist/executor/sdk-handlers/codex/prompt-service.d.ts.map +1 -1
- package/dist/executor/sdk-handlers/codex/prompt-service.js +39 -10
- package/dist/executor/sdk-handlers/copilot/copilot-tool.d.ts +0 -5
- package/dist/executor/sdk-handlers/copilot/copilot-tool.d.ts.map +1 -1
- package/dist/executor/sdk-handlers/copilot/copilot-tool.js +5 -22
- package/dist/executor/sdk-handlers/gemini/gemini-tool.d.ts +0 -5
- package/dist/executor/sdk-handlers/gemini/gemini-tool.d.ts.map +1 -1
- package/dist/executor/sdk-handlers/gemini/gemini-tool.js +9 -24
- package/dist/ui/assets/{CodeEditor.inner-CO-5PAnZ.js → CodeEditor.inner-CVLqZBtM.js} +1 -1
- package/dist/ui/assets/{CodeEditor.inner-CO-5PAnZ.js.gz → CodeEditor.inner-CVLqZBtM.js.gz} +0 -0
- package/dist/ui/assets/{_basePickBy-DfxojsEt.js → _basePickBy-CFq5ES2J.js} +1 -1
- package/dist/ui/assets/_basePickBy-CFq5ES2J.js.gz +0 -0
- package/dist/ui/assets/{_baseUniq-DWFPJOTC.js → _baseUniq-C4uKBvNt.js} +1 -1
- package/dist/ui/assets/_baseUniq-C4uKBvNt.js.gz +0 -0
- package/dist/ui/assets/{arc-vMZ_XGSI.js → arc-BnrcXDJJ.js} +1 -1
- package/dist/ui/assets/arc-BnrcXDJJ.js.gz +0 -0
- package/dist/ui/assets/{architectureDiagram-VXUJARFQ-DGpk_uOD.js → architectureDiagram-VXUJARFQ-DD9HD-WR.js} +1 -1
- package/dist/ui/assets/architectureDiagram-VXUJARFQ-DD9HD-WR.js.gz +0 -0
- package/dist/ui/assets/{base-80a1f760-BsVlOKqO.js → base-80a1f760-BK1VmxWU.js} +1 -1
- package/dist/ui/assets/{blockDiagram-VD42YOAC-BkRnxc94.js → blockDiagram-VD42YOAC-LBAckZZe.js} +1 -1
- package/dist/ui/assets/blockDiagram-VD42YOAC-LBAckZZe.js.gz +0 -0
- package/dist/ui/assets/{c4Diagram-YG6GDRKO-Dcf-anJy.js → c4Diagram-YG6GDRKO-yEdylcYP.js} +1 -1
- package/dist/ui/assets/{c4Diagram-YG6GDRKO-Dcf-anJy.js.gz → c4Diagram-YG6GDRKO-yEdylcYP.js.gz} +0 -0
- package/dist/ui/assets/channel-CMN-iY3Q.js +1 -0
- package/dist/ui/assets/{chunk-4BX2VUAB-C4oVWDo8.js → chunk-4BX2VUAB-IHtzKbmQ.js} +1 -1
- package/dist/ui/assets/{chunk-55IACEB6-CsBbTu57.js → chunk-55IACEB6-C4o5tv_F.js} +1 -1
- package/dist/ui/assets/{chunk-B4BG7PRW-DtkeCZab.js → chunk-B4BG7PRW-EPkzLvlB.js} +1 -1
- package/dist/ui/assets/chunk-B4BG7PRW-EPkzLvlB.js.gz +0 -0
- package/dist/ui/assets/{chunk-DI55MBZ5-BQ_asW-1.js → chunk-DI55MBZ5-CW-Bzkzj.js} +1 -1
- package/dist/ui/assets/chunk-DI55MBZ5-CW-Bzkzj.js.gz +0 -0
- package/dist/ui/assets/{chunk-FMBD7UC4-DAdcLNG-.js → chunk-FMBD7UC4-DvGU02Io.js} +1 -1
- package/dist/ui/assets/{chunk-QN33PNHL-Do2zad3m.js → chunk-QN33PNHL-C-PIlz9n.js} +1 -1
- package/dist/ui/assets/{chunk-QZHKN3VN-CyhMmSdC.js → chunk-QZHKN3VN-BhpJFm6h.js} +1 -1
- package/dist/ui/assets/{chunk-TZMSLE5B-DlPypnIq.js → chunk-TZMSLE5B-Biake8IU.js} +1 -1
- package/dist/ui/assets/chunk-TZMSLE5B-Biake8IU.js.gz +0 -0
- package/dist/ui/assets/classDiagram-2ON5EDUG-Bz1et8oA.js +1 -0
- package/dist/ui/assets/classDiagram-v2-WZHVMYZB-Bz1et8oA.js +1 -0
- package/dist/ui/assets/clone-Dxo5sEAf.js +1 -0
- package/dist/ui/assets/{consoleHook-59e792cb-DHYIclEd.js → consoleHook-59e792cb-BzEkHWE8.js} +1 -1
- package/dist/ui/assets/consoleHook-59e792cb-BzEkHWE8.js.gz +0 -0
- package/dist/ui/assets/{cose-bilkent-S5V4N54A-DotJH9qH.js → cose-bilkent-S5V4N54A-vAiVi74s.js} +1 -1
- package/dist/ui/assets/cose-bilkent-S5V4N54A-vAiVi74s.js.gz +0 -0
- package/dist/ui/assets/{dagre-6UL2VRFP-Btssr8QF.js → dagre-6UL2VRFP-C8w7TshD.js} +1 -1
- package/dist/ui/assets/dagre-6UL2VRFP-C8w7TshD.js.gz +0 -0
- package/dist/ui/assets/{diagram-PSM6KHXK-D5_Jkog3.js → diagram-PSM6KHXK-CvnjEmtQ.js} +1 -1
- package/dist/ui/assets/diagram-PSM6KHXK-CvnjEmtQ.js.gz +0 -0
- package/dist/ui/assets/{diagram-QEK2KX5R-DlPEVSL5.js → diagram-QEK2KX5R-D245unng.js} +1 -1
- package/dist/ui/assets/diagram-QEK2KX5R-D245unng.js.gz +0 -0
- package/dist/ui/assets/{diagram-S2PKOQOG-CjO1k8aG.js → diagram-S2PKOQOG-DgGUHL8Z.js} +1 -1
- package/dist/ui/assets/diagram-S2PKOQOG-DgGUHL8Z.js.gz +0 -0
- package/dist/ui/assets/{erDiagram-Q2GNP2WA-3cO02-K3.js → erDiagram-Q2GNP2WA-Cf5paK9b.js} +1 -1
- package/dist/ui/assets/erDiagram-Q2GNP2WA-Cf5paK9b.js.gz +0 -0
- package/dist/ui/assets/{flowDiagram-NV44I4VS-CajTpSxI.js → flowDiagram-NV44I4VS-BJpHmEXV.js} +1 -1
- package/dist/ui/assets/flowDiagram-NV44I4VS-BJpHmEXV.js.gz +0 -0
- package/dist/ui/assets/{ganttDiagram-LVOFAZNH-CnY_bV3o.js → ganttDiagram-LVOFAZNH-zOyTZcXC.js} +1 -1
- package/dist/ui/assets/{ganttDiagram-LVOFAZNH-CnY_bV3o.js.gz → ganttDiagram-LVOFAZNH-zOyTZcXC.js.gz} +0 -0
- package/dist/ui/assets/{gitGraphDiagram-NY62KEGX-CH16bg-j.js → gitGraphDiagram-NY62KEGX-B0uxwqMv.js} +1 -1
- package/dist/ui/assets/gitGraphDiagram-NY62KEGX-B0uxwqMv.js.gz +0 -0
- package/dist/ui/assets/{graph-IQoZvE3o.js → graph-NWXc73TO.js} +1 -1
- package/dist/ui/assets/graph-NWXc73TO.js.gz +0 -0
- package/dist/ui/assets/{index-599aeaf7-RUCkgwsg.js → index-599aeaf7-BKmNqoNF.js} +1 -1
- package/dist/ui/assets/index-599aeaf7-BKmNqoNF.js.gz +0 -0
- package/dist/ui/assets/{index-B3AvIgqP.js → index-BRYNiHLB.js} +345 -349
- package/dist/ui/assets/index-BRYNiHLB.js.gz +0 -0
- package/dist/ui/assets/{index-QV5-5yA2.js → index-BX6Xmhes.js} +1 -1
- package/dist/ui/assets/index-BX6Xmhes.js.gz +0 -0
- package/dist/ui/assets/{index-ChmRuj_T.js → index-W1hIq1uU.js} +1 -1
- package/dist/ui/assets/index-W1hIq1uU.js.gz +0 -0
- package/dist/ui/assets/{index-C-quzPWC.js → index-ctuok0zf.js} +1 -1
- package/dist/ui/assets/index-ctuok0zf.js.gz +0 -0
- package/dist/ui/assets/{infoDiagram-ER5ION4S-2e4gZVGT.js → infoDiagram-ER5ION4S-CquCuoTH.js} +1 -1
- package/dist/ui/assets/{journeyDiagram-XKPGCS4Q-B5bgV3GH.js → journeyDiagram-XKPGCS4Q-B_XkufZ8.js} +1 -1
- package/dist/ui/assets/journeyDiagram-XKPGCS4Q-B_XkufZ8.js.gz +0 -0
- package/dist/ui/assets/{kanban-definition-3W4ZIXB7-Bp-aWRSc.js → kanban-definition-3W4ZIXB7-C2Bo9HkB.js} +1 -1
- package/dist/ui/assets/kanban-definition-3W4ZIXB7-C2Bo9HkB.js.gz +0 -0
- package/dist/ui/assets/katex-C6wkUDai.css +1 -0
- package/dist/ui/assets/{katex-DGRguze2.css.gz → katex-C6wkUDai.css.gz} +0 -0
- package/dist/ui/assets/{layout-BH-2XJZq.js → layout-D9A7Uaku.js} +1 -1
- package/dist/ui/assets/layout-D9A7Uaku.js.gz +0 -0
- package/dist/ui/assets/{linear-DCYXhl_f.js → linear-BJUwJsxE.js} +1 -1
- package/dist/ui/assets/linear-BJUwJsxE.js.gz +0 -0
- package/dist/ui/assets/{mermaid.core-BAuL6kgQ.js → mermaid.core-DcOEcjcA.js} +5 -5
- package/dist/ui/assets/mermaid.core-DcOEcjcA.js.gz +0 -0
- package/dist/ui/assets/{mindmap-definition-VGOIOE7T-DpH5N-N0.js → mindmap-definition-VGOIOE7T-BFT1m7BG.js} +1 -1
- package/dist/ui/assets/mindmap-definition-VGOIOE7T-BFT1m7BG.js.gz +0 -0
- package/dist/ui/assets/{pieDiagram-ADFJNKIX-BB8fBxj1.js → pieDiagram-ADFJNKIX-BFaX1oBV.js} +1 -1
- package/dist/ui/assets/pieDiagram-ADFJNKIX-BFaX1oBV.js.gz +0 -0
- package/dist/ui/assets/{quadrantDiagram-AYHSOK5B-D6oZLdUD.js → quadrantDiagram-AYHSOK5B-DQps5392.js} +1 -1
- package/dist/ui/assets/quadrantDiagram-AYHSOK5B-DQps5392.js.gz +0 -0
- package/dist/ui/assets/{requirementDiagram-UZGBJVZJ-B4uGPp8w.js → requirementDiagram-UZGBJVZJ-3EZ5KWEi.js} +1 -1
- package/dist/ui/assets/requirementDiagram-UZGBJVZJ-3EZ5KWEi.js.gz +0 -0
- package/dist/ui/assets/{sankeyDiagram-TZEHDZUN-MXhIjhme.js → sankeyDiagram-TZEHDZUN-D0qcydqq.js} +1 -1
- package/dist/ui/assets/sankeyDiagram-TZEHDZUN-D0qcydqq.js.gz +0 -0
- package/dist/ui/assets/{sequenceDiagram-WL72ISMW-Cm53TYug.js → sequenceDiagram-WL72ISMW-BCR5gaaN.js} +1 -1
- package/dist/ui/assets/sequenceDiagram-WL72ISMW-BCR5gaaN.js.gz +0 -0
- package/dist/ui/assets/{stateDiagram-FKZM4ZOC-BVuxUkj5.js → stateDiagram-FKZM4ZOC-BvX4FLQ9.js} +1 -1
- package/dist/ui/assets/stateDiagram-FKZM4ZOC-BvX4FLQ9.js.gz +0 -0
- package/dist/ui/assets/stateDiagram-v2-4FDKWEC3-CxLDvgTF.js +1 -0
- package/dist/ui/assets/{timeline-definition-IT6M3QCI-CMypNiEP.js → timeline-definition-IT6M3QCI-_AWp5LJn.js} +1 -1
- package/dist/ui/assets/timeline-definition-IT6M3QCI-_AWp5LJn.js.gz +0 -0
- package/dist/ui/assets/{treemap-KMMF4GRG-BEtnV3BT.js → treemap-KMMF4GRG-BZ9FBl5-.js} +1 -1
- package/dist/ui/assets/treemap-KMMF4GRG-BZ9FBl5-.js.gz +0 -0
- package/dist/ui/assets/{xychartDiagram-PRI3JC2R-BnioEYUM.js → xychartDiagram-PRI3JC2R-_wB7yuVd.js} +1 -1
- package/dist/ui/assets/xychartDiagram-PRI3JC2R-_wB7yuVd.js.gz +0 -0
- package/dist/ui/index.html +1 -1
- package/package.json +8 -8
- package/dist/ui/assets/_basePickBy-DfxojsEt.js.gz +0 -0
- package/dist/ui/assets/_baseUniq-DWFPJOTC.js.gz +0 -0
- package/dist/ui/assets/arc-vMZ_XGSI.js.gz +0 -0
- package/dist/ui/assets/architectureDiagram-VXUJARFQ-DGpk_uOD.js.gz +0 -0
- package/dist/ui/assets/blockDiagram-VD42YOAC-BkRnxc94.js.gz +0 -0
- package/dist/ui/assets/channel-B9aI4bYN.js +0 -1
- package/dist/ui/assets/chunk-B4BG7PRW-DtkeCZab.js.gz +0 -0
- package/dist/ui/assets/chunk-DI55MBZ5-BQ_asW-1.js.gz +0 -0
- package/dist/ui/assets/chunk-TZMSLE5B-DlPypnIq.js.gz +0 -0
- package/dist/ui/assets/classDiagram-2ON5EDUG-p-68WO4Z.js +0 -1
- package/dist/ui/assets/classDiagram-v2-WZHVMYZB-p-68WO4Z.js +0 -1
- package/dist/ui/assets/clone-DzK5ogfn.js +0 -1
- package/dist/ui/assets/consoleHook-59e792cb-DHYIclEd.js.gz +0 -0
- package/dist/ui/assets/cose-bilkent-S5V4N54A-DotJH9qH.js.gz +0 -0
- package/dist/ui/assets/dagre-6UL2VRFP-Btssr8QF.js.gz +0 -0
- package/dist/ui/assets/diagram-PSM6KHXK-D5_Jkog3.js.gz +0 -0
- package/dist/ui/assets/diagram-QEK2KX5R-DlPEVSL5.js.gz +0 -0
- package/dist/ui/assets/diagram-S2PKOQOG-CjO1k8aG.js.gz +0 -0
- package/dist/ui/assets/erDiagram-Q2GNP2WA-3cO02-K3.js.gz +0 -0
- package/dist/ui/assets/flowDiagram-NV44I4VS-CajTpSxI.js.gz +0 -0
- package/dist/ui/assets/gitGraphDiagram-NY62KEGX-CH16bg-j.js.gz +0 -0
- package/dist/ui/assets/graph-IQoZvE3o.js.gz +0 -0
- package/dist/ui/assets/index-599aeaf7-RUCkgwsg.js.gz +0 -0
- package/dist/ui/assets/index-B3AvIgqP.js.gz +0 -0
- package/dist/ui/assets/index-C-quzPWC.js.gz +0 -0
- package/dist/ui/assets/index-ChmRuj_T.js.gz +0 -0
- package/dist/ui/assets/index-QV5-5yA2.js.gz +0 -0
- package/dist/ui/assets/journeyDiagram-XKPGCS4Q-B5bgV3GH.js.gz +0 -0
- package/dist/ui/assets/kanban-definition-3W4ZIXB7-Bp-aWRSc.js.gz +0 -0
- package/dist/ui/assets/katex-DGRguze2.css +0 -1
- package/dist/ui/assets/layout-BH-2XJZq.js.gz +0 -0
- package/dist/ui/assets/linear-DCYXhl_f.js.gz +0 -0
- package/dist/ui/assets/mermaid.core-BAuL6kgQ.js.gz +0 -0
- package/dist/ui/assets/mindmap-definition-VGOIOE7T-DpH5N-N0.js.gz +0 -0
- package/dist/ui/assets/pieDiagram-ADFJNKIX-BB8fBxj1.js.gz +0 -0
- package/dist/ui/assets/quadrantDiagram-AYHSOK5B-D6oZLdUD.js.gz +0 -0
- package/dist/ui/assets/requirementDiagram-UZGBJVZJ-B4uGPp8w.js.gz +0 -0
- package/dist/ui/assets/sankeyDiagram-TZEHDZUN-MXhIjhme.js.gz +0 -0
- package/dist/ui/assets/sequenceDiagram-WL72ISMW-Cm53TYug.js.gz +0 -0
- package/dist/ui/assets/stateDiagram-FKZM4ZOC-BVuxUkj5.js.gz +0 -0
- package/dist/ui/assets/stateDiagram-v2-4FDKWEC3-8Jeww6Dc.js +0 -1
- package/dist/ui/assets/timeline-definition-IT6M3QCI-CMypNiEP.js.gz +0 -0
- package/dist/ui/assets/treemap-KMMF4GRG-BEtnV3BT.js.gz +0 -0
- package/dist/ui/assets/xychartDiagram-PRI3JC2R-BnioEYUM.js.gz +0 -0
|
@@ -32,12 +32,15 @@ var oauth_mcp_transport_exports = {};
|
|
|
32
32
|
__export(oauth_mcp_transport_exports, {
|
|
33
33
|
clearAuthCodeTokenCache: () => clearAuthCodeTokenCache,
|
|
34
34
|
completeMCPOAuthFlow: () => completeMCPOAuthFlow,
|
|
35
|
+
discoverAuthorizationServerFromMcpOrigin: () => discoverAuthorizationServerFromMcpOrigin,
|
|
35
36
|
discoverResourceMetadataUrl: () => discoverResourceMetadataUrl,
|
|
37
|
+
fetchAuthorizationServerMetadata: () => fetchAuthorizationServerMetadata,
|
|
36
38
|
getAuthCodeTokenCacheStats: () => getAuthCodeTokenCacheStats,
|
|
37
39
|
getCachedOAuth21Token: () => getCachedOAuth21Token,
|
|
38
40
|
isOAuthRequired: () => isOAuthRequired,
|
|
39
41
|
parseOAuthCallback: () => parseOAuthCallback,
|
|
40
42
|
performMCPOAuthFlow: () => performMCPOAuthFlow,
|
|
43
|
+
resolveMCPOAuthDiscovery: () => resolveMCPOAuthDiscovery,
|
|
41
44
|
resolveResourceMetadataUrl: () => resolveResourceMetadataUrl,
|
|
42
45
|
startMCPOAuthFlow: () => startMCPOAuthFlow
|
|
43
46
|
});
|
|
@@ -100,6 +103,59 @@ async function resolveResourceMetadataUrl(wwwAuthenticateHeader, mcpUrl) {
|
|
|
100
103
|
}
|
|
101
104
|
return null;
|
|
102
105
|
}
|
|
106
|
+
async function discoverAuthorizationServerFromMcpOrigin(mcpUrl) {
|
|
107
|
+
const url = new URL(mcpUrl);
|
|
108
|
+
const origin = url.origin;
|
|
109
|
+
const path = url.pathname === "/" ? "" : url.pathname.replace(/\/$/, "");
|
|
110
|
+
const candidates = [];
|
|
111
|
+
if (path) {
|
|
112
|
+
candidates.push(`${origin}/.well-known/oauth-authorization-server${path}`);
|
|
113
|
+
}
|
|
114
|
+
candidates.push(`${origin}/.well-known/oauth-authorization-server`);
|
|
115
|
+
if (path) {
|
|
116
|
+
candidates.push(`${origin}${path}/.well-known/openid-configuration`);
|
|
117
|
+
}
|
|
118
|
+
candidates.push(`${origin}/.well-known/openid-configuration`);
|
|
119
|
+
const unique = Array.from(new Set(candidates));
|
|
120
|
+
for (const candidate of unique) {
|
|
121
|
+
try {
|
|
122
|
+
console.log("[MCP OAuth] Trying AS-direct discovery:", candidate);
|
|
123
|
+
const response = await fetch(candidate, { signal: AbortSignal.timeout(1e4) });
|
|
124
|
+
if (!response.ok) continue;
|
|
125
|
+
const data = await response.json();
|
|
126
|
+
if (typeof data.authorization_endpoint === "string" && typeof data.token_endpoint === "string") {
|
|
127
|
+
console.log("[MCP OAuth] \u2713 Discovered AS metadata at:", candidate);
|
|
128
|
+
return {
|
|
129
|
+
metadata: data,
|
|
130
|
+
discoveredAt: candidate
|
|
131
|
+
};
|
|
132
|
+
}
|
|
133
|
+
} catch (err) {
|
|
134
|
+
console.log(
|
|
135
|
+
"[MCP OAuth] AS-direct discovery failed for",
|
|
136
|
+
candidate,
|
|
137
|
+
":",
|
|
138
|
+
err instanceof Error ? err.message : String(err)
|
|
139
|
+
);
|
|
140
|
+
}
|
|
141
|
+
}
|
|
142
|
+
return null;
|
|
143
|
+
}
|
|
144
|
+
async function resolveMCPOAuthDiscovery(wwwAuthenticateHeader, mcpUrl) {
|
|
145
|
+
const rfc9728 = await resolveResourceMetadataUrl(wwwAuthenticateHeader, mcpUrl);
|
|
146
|
+
if (rfc9728) {
|
|
147
|
+
return { kind: "resource-metadata", ...rfc9728 };
|
|
148
|
+
}
|
|
149
|
+
const asDirect = await discoverAuthorizationServerFromMcpOrigin(mcpUrl);
|
|
150
|
+
if (asDirect) {
|
|
151
|
+
return {
|
|
152
|
+
kind: "authorization-server",
|
|
153
|
+
authServerMetadata: asDirect.metadata,
|
|
154
|
+
discoveredAt: asDirect.discoveredAt
|
|
155
|
+
};
|
|
156
|
+
}
|
|
157
|
+
return null;
|
|
158
|
+
}
|
|
103
159
|
async function fetchResourceMetadata(metadataUrl) {
|
|
104
160
|
const response = await fetch(metadataUrl, { signal: AbortSignal.timeout(15e3) });
|
|
105
161
|
if (!response.ok) {
|
|
@@ -529,101 +585,72 @@ function getAuthCodeTokenCacheStats() {
|
|
|
529
585
|
expiredEntries
|
|
530
586
|
};
|
|
531
587
|
}
|
|
532
|
-
async function
|
|
533
|
-
|
|
534
|
-
|
|
535
|
-
|
|
536
|
-
|
|
537
|
-
|
|
538
|
-
|
|
539
|
-
|
|
540
|
-
|
|
541
|
-
|
|
542
|
-
|
|
543
|
-
|
|
544
|
-
throw new Error("No authorization servers found in resource metadata");
|
|
545
|
-
}
|
|
546
|
-
const authServerUrl = resourceMetadata.authorization_servers[0];
|
|
547
|
-
console.log("[MCP OAuth] Authorization server:", authServerUrl);
|
|
548
|
-
const hasFullOverrides = options?.authorizationUrlOverride && options?.tokenUrlOverride;
|
|
549
|
-
let authServerMetadata = null;
|
|
550
|
-
if (hasFullOverrides) {
|
|
551
|
-
console.log("[MCP OAuth] Skipping auth server metadata fetch \u2014 manual overrides provided:", {
|
|
552
|
-
authorization: options.authorizationUrlOverride,
|
|
553
|
-
token: options.tokenUrlOverride
|
|
554
|
-
});
|
|
555
|
-
} else {
|
|
556
|
-
try {
|
|
557
|
-
authServerMetadata = await fetchAuthorizationServerMetadata(authServerUrl);
|
|
558
|
-
console.log("[MCP OAuth] Authorization server metadata:", authServerMetadata);
|
|
559
|
-
} catch (metadataError) {
|
|
560
|
-
if (options?.authorizationUrlOverride || options?.tokenUrlOverride) {
|
|
561
|
-
console.log(
|
|
562
|
-
"[MCP OAuth] Auth server metadata fetch failed, but partial overrides available:",
|
|
563
|
-
metadataError instanceof Error ? metadataError.message : String(metadataError)
|
|
564
|
-
);
|
|
565
|
-
} else {
|
|
566
|
-
throw metadataError;
|
|
567
|
-
}
|
|
568
|
-
}
|
|
569
|
-
}
|
|
588
|
+
async function startMCPOAuthFlowWithAS(opts) {
|
|
589
|
+
const {
|
|
590
|
+
authServerMetadata,
|
|
591
|
+
cacheKey,
|
|
592
|
+
clientId,
|
|
593
|
+
redirectUri,
|
|
594
|
+
authorizationUrlOverride,
|
|
595
|
+
tokenUrlOverride,
|
|
596
|
+
fallbackRegistrationEndpoint,
|
|
597
|
+
resourceScopesSupported
|
|
598
|
+
} = opts;
|
|
599
|
+
const hasFullOverrides = !!(authorizationUrlOverride && tokenUrlOverride);
|
|
570
600
|
const pkce = generatePKCE();
|
|
571
601
|
const actualRedirectUri = redirectUri || "http://127.0.0.1:0/oauth/callback";
|
|
572
|
-
const scopeString =
|
|
602
|
+
const scopeString = opts.scope ? opts.scope : !clientId && resourceScopesSupported && resourceScopesSupported.length > 0 ? resourceScopesSupported.join(" ") : void 0;
|
|
573
603
|
let actualClientId = clientId;
|
|
574
|
-
let
|
|
604
|
+
let resolvedClientSecret = opts.clientSecret;
|
|
575
605
|
if (!actualClientId) {
|
|
576
|
-
|
|
577
|
-
|
|
578
|
-
|
|
579
|
-
authServerMetadata.registration_endpoint,
|
|
580
|
-
actualRedirectUri,
|
|
581
|
-
"Agor MCP Client",
|
|
582
|
-
scopeString
|
|
583
|
-
);
|
|
584
|
-
actualClientId = registration.client_id;
|
|
585
|
-
clientSecret = registration.client_secret;
|
|
586
|
-
} else if (!hasFullOverrides) {
|
|
587
|
-
const mcpRegisterEndpoint = `${authServerUrl}/register`;
|
|
588
|
-
console.log("[MCP OAuth] Trying MCP-style registration endpoint:", mcpRegisterEndpoint);
|
|
606
|
+
const registrationEndpoint = authServerMetadata?.registration_endpoint || fallbackRegistrationEndpoint;
|
|
607
|
+
if (registrationEndpoint) {
|
|
608
|
+
console.log("[MCP OAuth] Using DCR endpoint:", registrationEndpoint);
|
|
589
609
|
try {
|
|
590
610
|
const registration = await registerDynamicClient(
|
|
591
|
-
|
|
611
|
+
registrationEndpoint,
|
|
592
612
|
actualRedirectUri,
|
|
593
613
|
"Agor MCP Client",
|
|
594
614
|
scopeString
|
|
595
615
|
);
|
|
596
616
|
actualClientId = registration.client_id;
|
|
597
|
-
|
|
598
|
-
} catch (
|
|
617
|
+
resolvedClientSecret = registration.client_secret;
|
|
618
|
+
} catch (regError) {
|
|
619
|
+
const detail = regError instanceof Error ? regError.message : String(regError);
|
|
599
620
|
throw new Error(
|
|
600
|
-
|
|
621
|
+
`Dynamic Client Registration failed.
|
|
622
|
+
|
|
623
|
+
Registration endpoint: ${registrationEndpoint}
|
|
624
|
+
Error: ${detail}
|
|
625
|
+
|
|
626
|
+
Register an OAuth app in the provider's developer portal and enter the Client ID (and Client Secret if required) in the MCP server configuration.`
|
|
601
627
|
);
|
|
602
628
|
}
|
|
603
|
-
} else {
|
|
629
|
+
} else if (hasFullOverrides) {
|
|
604
630
|
throw new Error(
|
|
605
631
|
"OAuth client_id is required when using manual OAuth URL overrides.\n\nPlease provide a client_id in the MCP server configuration."
|
|
606
632
|
);
|
|
633
|
+
} else {
|
|
634
|
+
throw new Error(
|
|
635
|
+
"OAuth client_id is required but the authorization server does not advertise a Dynamic Client Registration endpoint (RFC 7591).\n\nRegister an OAuth app in the provider's developer portal and enter the Client ID (and Client Secret if required) in the MCP server configuration."
|
|
636
|
+
);
|
|
607
637
|
}
|
|
608
638
|
}
|
|
609
639
|
const state = import_node_crypto.default.randomUUID();
|
|
610
|
-
const tokenEndpoint =
|
|
640
|
+
const tokenEndpoint = tokenUrlOverride || authServerMetadata?.token_endpoint;
|
|
611
641
|
if (!tokenEndpoint) {
|
|
612
642
|
throw new Error(
|
|
613
643
|
"No token endpoint available. Either provide oauth_token_url in the MCP server config, or ensure the authorization server supports RFC 8414 metadata discovery."
|
|
614
644
|
);
|
|
615
645
|
}
|
|
616
|
-
|
|
617
|
-
if (options?.tokenUrlOverride) {
|
|
618
|
-
console.log("[MCP OAuth] (overridden from:", authServerMetadata?.token_endpoint, ")");
|
|
619
|
-
}
|
|
620
|
-
const authorizationEndpoint = options?.authorizationUrlOverride || authServerMetadata?.authorization_endpoint;
|
|
646
|
+
const authorizationEndpoint = authorizationUrlOverride || authServerMetadata?.authorization_endpoint;
|
|
621
647
|
if (!authorizationEndpoint) {
|
|
622
648
|
throw new Error(
|
|
623
649
|
"No authorization endpoint available. Either provide oauth_authorization_url in the MCP server config, or ensure the authorization server supports RFC 8414 metadata discovery."
|
|
624
650
|
);
|
|
625
651
|
}
|
|
626
652
|
console.log("[MCP OAuth] Using authorization endpoint:", authorizationEndpoint);
|
|
653
|
+
console.log("[MCP OAuth] Using token endpoint:", tokenEndpoint);
|
|
627
654
|
const authUrl = new URL(authorizationEndpoint);
|
|
628
655
|
authUrl.searchParams.set("response_type", "code");
|
|
629
656
|
authUrl.searchParams.set("client_id", actualClientId);
|
|
@@ -636,16 +663,88 @@ async function startMCPOAuthFlow(wwwAuthenticateHeader, clientId, redirectUri, o
|
|
|
636
663
|
}
|
|
637
664
|
console.log("[MCP OAuth] Authorization URL:", authUrl.toString());
|
|
638
665
|
return {
|
|
639
|
-
metadataUrl,
|
|
666
|
+
metadataUrl: cacheKey,
|
|
640
667
|
tokenEndpoint,
|
|
641
668
|
redirectUri: actualRedirectUri,
|
|
642
669
|
pkceVerifier: pkce.verifier,
|
|
643
670
|
clientId: actualClientId,
|
|
644
|
-
clientSecret,
|
|
671
|
+
clientSecret: resolvedClientSecret,
|
|
645
672
|
state,
|
|
646
673
|
authorizationUrl: authUrl.toString()
|
|
647
674
|
};
|
|
648
675
|
}
|
|
676
|
+
async function startMCPOAuthFlow(wwwAuthenticateHeader, clientId, redirectUri, options) {
|
|
677
|
+
console.log("[MCP OAuth] Starting two-phase OAuth 2.1 flow");
|
|
678
|
+
if (options?.prefetchedAuthServerMetadata) {
|
|
679
|
+
if (!options.cacheKey) {
|
|
680
|
+
throw new Error(
|
|
681
|
+
"startMCPOAuthFlow: cacheKey is required when prefetchedAuthServerMetadata is provided (typically pass the MCP server URL)."
|
|
682
|
+
);
|
|
683
|
+
}
|
|
684
|
+
console.log(
|
|
685
|
+
"[MCP OAuth] Using prefetched AS metadata (RFC 9728 skipped):",
|
|
686
|
+
options.prefetchedAuthServerMetadata
|
|
687
|
+
);
|
|
688
|
+
return startMCPOAuthFlowWithAS({
|
|
689
|
+
authServerMetadata: options.prefetchedAuthServerMetadata,
|
|
690
|
+
cacheKey: options.cacheKey,
|
|
691
|
+
clientId,
|
|
692
|
+
redirectUri,
|
|
693
|
+
authorizationUrlOverride: options.authorizationUrlOverride,
|
|
694
|
+
tokenUrlOverride: options.tokenUrlOverride,
|
|
695
|
+
clientSecret: options.clientSecret,
|
|
696
|
+
scope: options.scope
|
|
697
|
+
});
|
|
698
|
+
}
|
|
699
|
+
const metadataUrl = parseWWWAuthenticate(wwwAuthenticateHeader) || options?.resourceMetadataUrl;
|
|
700
|
+
if (!metadataUrl) {
|
|
701
|
+
throw new Error(
|
|
702
|
+
"Could not determine OAuth resource metadata URL. The WWW-Authenticate header does not contain resource_metadata, and no pre-discovered metadata URL was provided."
|
|
703
|
+
);
|
|
704
|
+
}
|
|
705
|
+
console.log("[MCP OAuth] Resource metadata URL:", metadataUrl);
|
|
706
|
+
const resourceMetadata = await fetchResourceMetadata(metadataUrl);
|
|
707
|
+
console.log("[MCP OAuth] Resource metadata:", resourceMetadata);
|
|
708
|
+
if (!resourceMetadata.authorization_servers || resourceMetadata.authorization_servers.length === 0) {
|
|
709
|
+
throw new Error("No authorization servers found in resource metadata");
|
|
710
|
+
}
|
|
711
|
+
const authServerUrl = resourceMetadata.authorization_servers[0];
|
|
712
|
+
console.log("[MCP OAuth] Authorization server:", authServerUrl);
|
|
713
|
+
const hasFullOverrides = options?.authorizationUrlOverride && options?.tokenUrlOverride;
|
|
714
|
+
let authServerMetadata = null;
|
|
715
|
+
if (hasFullOverrides) {
|
|
716
|
+
console.log("[MCP OAuth] Skipping auth server metadata fetch \u2014 manual overrides provided:", {
|
|
717
|
+
authorization: options.authorizationUrlOverride,
|
|
718
|
+
token: options.tokenUrlOverride
|
|
719
|
+
});
|
|
720
|
+
} else {
|
|
721
|
+
try {
|
|
722
|
+
authServerMetadata = await fetchAuthorizationServerMetadata(authServerUrl);
|
|
723
|
+
console.log("[MCP OAuth] Authorization server metadata:", authServerMetadata);
|
|
724
|
+
} catch (metadataError) {
|
|
725
|
+
if (options?.authorizationUrlOverride || options?.tokenUrlOverride) {
|
|
726
|
+
console.log(
|
|
727
|
+
"[MCP OAuth] Auth server metadata fetch failed, but partial overrides available:",
|
|
728
|
+
metadataError instanceof Error ? metadataError.message : String(metadataError)
|
|
729
|
+
);
|
|
730
|
+
} else {
|
|
731
|
+
throw metadataError;
|
|
732
|
+
}
|
|
733
|
+
}
|
|
734
|
+
}
|
|
735
|
+
return startMCPOAuthFlowWithAS({
|
|
736
|
+
authServerMetadata,
|
|
737
|
+
cacheKey: metadataUrl,
|
|
738
|
+
clientId,
|
|
739
|
+
redirectUri,
|
|
740
|
+
authorizationUrlOverride: options?.authorizationUrlOverride,
|
|
741
|
+
tokenUrlOverride: options?.tokenUrlOverride,
|
|
742
|
+
clientSecret: options?.clientSecret,
|
|
743
|
+
scope: options?.scope,
|
|
744
|
+
fallbackRegistrationEndpoint: hasFullOverrides ? void 0 : `${authServerUrl}/register`,
|
|
745
|
+
resourceScopesSupported: resourceMetadata.scopes_supported
|
|
746
|
+
});
|
|
747
|
+
}
|
|
649
748
|
async function completeMCPOAuthFlow(context, code, state) {
|
|
650
749
|
console.log("[MCP OAuth] Completing OAuth flow with authorization code");
|
|
651
750
|
console.log("[MCP OAuth] Token endpoint:", context.tokenEndpoint);
|
|
@@ -705,12 +804,15 @@ function parseOAuthCallback(callbackUrl) {
|
|
|
705
804
|
0 && (module.exports = {
|
|
706
805
|
clearAuthCodeTokenCache,
|
|
707
806
|
completeMCPOAuthFlow,
|
|
807
|
+
discoverAuthorizationServerFromMcpOrigin,
|
|
708
808
|
discoverResourceMetadataUrl,
|
|
809
|
+
fetchAuthorizationServerMetadata,
|
|
709
810
|
getAuthCodeTokenCacheStats,
|
|
710
811
|
getCachedOAuth21Token,
|
|
711
812
|
isOAuthRequired,
|
|
712
813
|
parseOAuthCallback,
|
|
713
814
|
performMCPOAuthFlow,
|
|
815
|
+
resolveMCPOAuthDiscovery,
|
|
714
816
|
resolveResourceMetadataUrl,
|
|
715
817
|
startMCPOAuthFlow
|
|
716
818
|
});
|
|
@@ -65,6 +65,79 @@ declare function resolveResourceMetadataUrl(wwwAuthenticateHeader: string | null
|
|
|
65
65
|
metadataUrl: string;
|
|
66
66
|
source: 'header' | 'well-known';
|
|
67
67
|
} | null>;
|
|
68
|
+
/**
|
|
69
|
+
* Discover OAuth Authorization Server metadata directly at the MCP server's
|
|
70
|
+
* origin (RFC 8414 / OIDC fallback when RFC 9728 isn't implemented).
|
|
71
|
+
*
|
|
72
|
+
* Some MCP servers (e.g. Reo.Dev) skip the RFC 9728 Protected Resource Metadata
|
|
73
|
+
* layer entirely and instead serve the AS metadata document at their own
|
|
74
|
+
* origin. Claude Desktop's MCP client probes this path; we mirror that
|
|
75
|
+
* behaviour so 'paste URL → click Connect' works without manual config.
|
|
76
|
+
*
|
|
77
|
+
* Probes (in order). Note that RFC 8414 and OIDC use *different* path-construction
|
|
78
|
+
* rules for path-bearing issuers:
|
|
79
|
+
* - RFC 8414 §3.1: insert `.well-known/oauth-authorization-server` between
|
|
80
|
+
* the host and the issuer's path → `{origin}/.well-known/...{path}`
|
|
81
|
+
* - OIDC Discovery 1.0 §4: append `.well-known/openid-configuration` after
|
|
82
|
+
* the issuer's path → `{origin}{path}/.well-known/...`
|
|
83
|
+
*
|
|
84
|
+
* Probe order:
|
|
85
|
+
* 1. {origin}/.well-known/oauth-authorization-server{path} (RFC 8414 path-aware)
|
|
86
|
+
* 2. {origin}/.well-known/oauth-authorization-server (root)
|
|
87
|
+
* 3. {origin}{path}/.well-known/openid-configuration (OIDC path-aware)
|
|
88
|
+
* 4. {origin}/.well-known/openid-configuration (OIDC root)
|
|
89
|
+
*
|
|
90
|
+
* @param mcpUrl - The MCP server URL
|
|
91
|
+
* @returns Discovered AS metadata + the URL it was fetched from, or null
|
|
92
|
+
*/
|
|
93
|
+
declare function discoverAuthorizationServerFromMcpOrigin(mcpUrl: string): Promise<{
|
|
94
|
+
metadata: AuthorizationServerMetadata;
|
|
95
|
+
discoveredAt: string;
|
|
96
|
+
} | null>;
|
|
97
|
+
/**
|
|
98
|
+
* Discriminated discovery result for MCP OAuth.
|
|
99
|
+
*
|
|
100
|
+
* The MCP Authorization spec layers three RFCs:
|
|
101
|
+
* - RFC 9728 (Protected Resource Metadata) — links resource server → AS list
|
|
102
|
+
* - RFC 8414 (Authorization Server Metadata) — describes the AS endpoints
|
|
103
|
+
* - RFC 7591 (Dynamic Client Registration) — register a client at runtime
|
|
104
|
+
*
|
|
105
|
+
* Real-world servers vary in what they actually implement. This type lets
|
|
106
|
+
* callers distinguish:
|
|
107
|
+
* - 'resource-metadata': RFC 9728 worked → fetch metadata URL → derive AS
|
|
108
|
+
* - 'authorization-server': RFC 9728 absent, but AS metadata served directly
|
|
109
|
+
* at the MCP origin (Reo.Dev pattern) → use it directly, skip RFC 9728.
|
|
110
|
+
*/
|
|
111
|
+
type MCPOAuthDiscoveryResult = {
|
|
112
|
+
kind: 'resource-metadata';
|
|
113
|
+
metadataUrl: string;
|
|
114
|
+
source: 'header' | 'well-known';
|
|
115
|
+
} | {
|
|
116
|
+
kind: 'authorization-server';
|
|
117
|
+
authServerMetadata: AuthorizationServerMetadata;
|
|
118
|
+
discoveredAt: string;
|
|
119
|
+
};
|
|
120
|
+
/**
|
|
121
|
+
* Full MCP OAuth discovery cascade — the single entry point new daemon
|
|
122
|
+
* callsites should use.
|
|
123
|
+
*
|
|
124
|
+
* Walks the cascade in order:
|
|
125
|
+
* 1. WWW-Authenticate `resource_metadata="..."` (RFC 9728 via header hint)
|
|
126
|
+
* 2. `<origin>/.well-known/oauth-protected-resource` (RFC 9728 well-known)
|
|
127
|
+
* 3. `<origin>/.well-known/oauth-authorization-server` (RFC 8414 direct)
|
|
128
|
+
* 4. `<origin>/.well-known/openid-configuration` (OIDC discovery direct)
|
|
129
|
+
*
|
|
130
|
+
* Returns the first success. Each step's failure is logged but never thrown —
|
|
131
|
+
* a clean `null` lets the caller emit a single, specific error message.
|
|
132
|
+
*/
|
|
133
|
+
declare function resolveMCPOAuthDiscovery(wwwAuthenticateHeader: string | null, mcpUrl: string): Promise<MCPOAuthDiscoveryResult | null>;
|
|
134
|
+
/**
|
|
135
|
+
* Fetch Authorization Server Metadata (RFC 8414)
|
|
136
|
+
*
|
|
137
|
+
* Implements path-aware discovery per RFC 8414 Section 3.
|
|
138
|
+
* Falls back to OIDC discovery and naive URL construction.
|
|
139
|
+
*/
|
|
140
|
+
declare function fetchAuthorizationServerMetadata(authServerUrl: string): Promise<AuthorizationServerMetadata>;
|
|
68
141
|
/**
|
|
69
142
|
* Perform MCP OAuth 2.1 Authorization Code flow with PKCE.
|
|
70
143
|
*
|
|
@@ -154,21 +227,6 @@ interface OAuthFlowContext {
|
|
|
154
227
|
state: string;
|
|
155
228
|
authorizationUrl: string;
|
|
156
229
|
}
|
|
157
|
-
/**
|
|
158
|
-
* Start the OAuth 2.1 Authorization Code flow with PKCE
|
|
159
|
-
*
|
|
160
|
-
* This is the first phase of a two-phase OAuth flow for remote daemon scenarios.
|
|
161
|
-
* Returns the authorization URL to open in browser and context needed to complete
|
|
162
|
-
* the flow later.
|
|
163
|
-
*
|
|
164
|
-
* @param wwwAuthenticateHeader - The WWW-Authenticate header from 401 response
|
|
165
|
-
* @param clientId - OAuth client ID (optional, will use DCR if not provided)
|
|
166
|
-
* @param redirectUri - Custom redirect URI (optional, defaults to a placeholder)
|
|
167
|
-
* @param options - Additional options
|
|
168
|
-
* @param options.authorizationUrlOverride - Override the auto-discovered authorization endpoint URL
|
|
169
|
-
* @param options.tokenUrlOverride - Override the auto-discovered token endpoint URL
|
|
170
|
-
* @returns Authorization URL and flow context
|
|
171
|
-
*/
|
|
172
230
|
declare function startMCPOAuthFlow(wwwAuthenticateHeader: string, clientId?: string, redirectUri?: string, options?: {
|
|
173
231
|
authorizationUrlOverride?: string;
|
|
174
232
|
tokenUrlOverride?: string;
|
|
@@ -176,6 +234,24 @@ declare function startMCPOAuthFlow(wwwAuthenticateHeader: string, clientId?: str
|
|
|
176
234
|
scope?: string;
|
|
177
235
|
/** Pre-discovered resource metadata URL (used when WWW-Authenticate lacks resource_metadata) */
|
|
178
236
|
resourceMetadataUrl?: string;
|
|
237
|
+
/**
|
|
238
|
+
* Pre-discovered Authorization Server metadata. Used when the MCP server
|
|
239
|
+
* doesn't implement RFC 9728 but does serve RFC 8414 / OIDC metadata
|
|
240
|
+
* directly at its own origin (e.g. Reo.Dev). When provided, both
|
|
241
|
+
* `fetchResourceMetadata` and `fetchAuthorizationServerMetadata` are
|
|
242
|
+
* skipped — `prefetchedAuthServerMetadata` is used as-is.
|
|
243
|
+
*
|
|
244
|
+
* The `cacheKey` option (or the MCP URL via the caller's redirect plumbing)
|
|
245
|
+
* is used as the token cache key in place of an RFC 9728 metadata URL.
|
|
246
|
+
*/
|
|
247
|
+
prefetchedAuthServerMetadata?: AuthorizationServerMetadata;
|
|
248
|
+
/**
|
|
249
|
+
* Token cache key. When `prefetchedAuthServerMetadata` is provided there's
|
|
250
|
+
* no real RFC 9728 metadata URL to use as the key, so the caller passes a
|
|
251
|
+
* stable string (typically the MCP URL itself). `getCachedOAuth21Token`
|
|
252
|
+
* matches by URL origin, so any value sharing the MCP URL's origin works.
|
|
253
|
+
*/
|
|
254
|
+
cacheKey?: string;
|
|
179
255
|
}): Promise<OAuthFlowContext>;
|
|
180
256
|
/**
|
|
181
257
|
* Complete the OAuth 2.1 flow with authorization code
|
|
@@ -200,4 +276,4 @@ declare function parseOAuthCallback(callbackUrl: string): {
|
|
|
200
276
|
state: string;
|
|
201
277
|
};
|
|
202
278
|
|
|
203
|
-
export { type AuthorizationServerMetadata, type DynamicClientRegistrationResponse, type OAuthFlowContext, type OAuthMetadata, OAuthTokenResponse, clearAuthCodeTokenCache, completeMCPOAuthFlow, discoverResourceMetadataUrl, getAuthCodeTokenCacheStats, getCachedOAuth21Token, isOAuthRequired, parseOAuthCallback, performMCPOAuthFlow, resolveResourceMetadataUrl, startMCPOAuthFlow };
|
|
279
|
+
export { type AuthorizationServerMetadata, type DynamicClientRegistrationResponse, type MCPOAuthDiscoveryResult, type OAuthFlowContext, type OAuthMetadata, OAuthTokenResponse, clearAuthCodeTokenCache, completeMCPOAuthFlow, discoverAuthorizationServerFromMcpOrigin, discoverResourceMetadataUrl, fetchAuthorizationServerMetadata, getAuthCodeTokenCacheStats, getCachedOAuth21Token, isOAuthRequired, parseOAuthCallback, performMCPOAuthFlow, resolveMCPOAuthDiscovery, resolveResourceMetadataUrl, startMCPOAuthFlow };
|
|
@@ -65,6 +65,79 @@ declare function resolveResourceMetadataUrl(wwwAuthenticateHeader: string | null
|
|
|
65
65
|
metadataUrl: string;
|
|
66
66
|
source: 'header' | 'well-known';
|
|
67
67
|
} | null>;
|
|
68
|
+
/**
|
|
69
|
+
* Discover OAuth Authorization Server metadata directly at the MCP server's
|
|
70
|
+
* origin (RFC 8414 / OIDC fallback when RFC 9728 isn't implemented).
|
|
71
|
+
*
|
|
72
|
+
* Some MCP servers (e.g. Reo.Dev) skip the RFC 9728 Protected Resource Metadata
|
|
73
|
+
* layer entirely and instead serve the AS metadata document at their own
|
|
74
|
+
* origin. Claude Desktop's MCP client probes this path; we mirror that
|
|
75
|
+
* behaviour so 'paste URL → click Connect' works without manual config.
|
|
76
|
+
*
|
|
77
|
+
* Probes (in order). Note that RFC 8414 and OIDC use *different* path-construction
|
|
78
|
+
* rules for path-bearing issuers:
|
|
79
|
+
* - RFC 8414 §3.1: insert `.well-known/oauth-authorization-server` between
|
|
80
|
+
* the host and the issuer's path → `{origin}/.well-known/...{path}`
|
|
81
|
+
* - OIDC Discovery 1.0 §4: append `.well-known/openid-configuration` after
|
|
82
|
+
* the issuer's path → `{origin}{path}/.well-known/...`
|
|
83
|
+
*
|
|
84
|
+
* Probe order:
|
|
85
|
+
* 1. {origin}/.well-known/oauth-authorization-server{path} (RFC 8414 path-aware)
|
|
86
|
+
* 2. {origin}/.well-known/oauth-authorization-server (root)
|
|
87
|
+
* 3. {origin}{path}/.well-known/openid-configuration (OIDC path-aware)
|
|
88
|
+
* 4. {origin}/.well-known/openid-configuration (OIDC root)
|
|
89
|
+
*
|
|
90
|
+
* @param mcpUrl - The MCP server URL
|
|
91
|
+
* @returns Discovered AS metadata + the URL it was fetched from, or null
|
|
92
|
+
*/
|
|
93
|
+
declare function discoverAuthorizationServerFromMcpOrigin(mcpUrl: string): Promise<{
|
|
94
|
+
metadata: AuthorizationServerMetadata;
|
|
95
|
+
discoveredAt: string;
|
|
96
|
+
} | null>;
|
|
97
|
+
/**
|
|
98
|
+
* Discriminated discovery result for MCP OAuth.
|
|
99
|
+
*
|
|
100
|
+
* The MCP Authorization spec layers three RFCs:
|
|
101
|
+
* - RFC 9728 (Protected Resource Metadata) — links resource server → AS list
|
|
102
|
+
* - RFC 8414 (Authorization Server Metadata) — describes the AS endpoints
|
|
103
|
+
* - RFC 7591 (Dynamic Client Registration) — register a client at runtime
|
|
104
|
+
*
|
|
105
|
+
* Real-world servers vary in what they actually implement. This type lets
|
|
106
|
+
* callers distinguish:
|
|
107
|
+
* - 'resource-metadata': RFC 9728 worked → fetch metadata URL → derive AS
|
|
108
|
+
* - 'authorization-server': RFC 9728 absent, but AS metadata served directly
|
|
109
|
+
* at the MCP origin (Reo.Dev pattern) → use it directly, skip RFC 9728.
|
|
110
|
+
*/
|
|
111
|
+
type MCPOAuthDiscoveryResult = {
|
|
112
|
+
kind: 'resource-metadata';
|
|
113
|
+
metadataUrl: string;
|
|
114
|
+
source: 'header' | 'well-known';
|
|
115
|
+
} | {
|
|
116
|
+
kind: 'authorization-server';
|
|
117
|
+
authServerMetadata: AuthorizationServerMetadata;
|
|
118
|
+
discoveredAt: string;
|
|
119
|
+
};
|
|
120
|
+
/**
|
|
121
|
+
* Full MCP OAuth discovery cascade — the single entry point new daemon
|
|
122
|
+
* callsites should use.
|
|
123
|
+
*
|
|
124
|
+
* Walks the cascade in order:
|
|
125
|
+
* 1. WWW-Authenticate `resource_metadata="..."` (RFC 9728 via header hint)
|
|
126
|
+
* 2. `<origin>/.well-known/oauth-protected-resource` (RFC 9728 well-known)
|
|
127
|
+
* 3. `<origin>/.well-known/oauth-authorization-server` (RFC 8414 direct)
|
|
128
|
+
* 4. `<origin>/.well-known/openid-configuration` (OIDC discovery direct)
|
|
129
|
+
*
|
|
130
|
+
* Returns the first success. Each step's failure is logged but never thrown —
|
|
131
|
+
* a clean `null` lets the caller emit a single, specific error message.
|
|
132
|
+
*/
|
|
133
|
+
declare function resolveMCPOAuthDiscovery(wwwAuthenticateHeader: string | null, mcpUrl: string): Promise<MCPOAuthDiscoveryResult | null>;
|
|
134
|
+
/**
|
|
135
|
+
* Fetch Authorization Server Metadata (RFC 8414)
|
|
136
|
+
*
|
|
137
|
+
* Implements path-aware discovery per RFC 8414 Section 3.
|
|
138
|
+
* Falls back to OIDC discovery and naive URL construction.
|
|
139
|
+
*/
|
|
140
|
+
declare function fetchAuthorizationServerMetadata(authServerUrl: string): Promise<AuthorizationServerMetadata>;
|
|
68
141
|
/**
|
|
69
142
|
* Perform MCP OAuth 2.1 Authorization Code flow with PKCE.
|
|
70
143
|
*
|
|
@@ -154,21 +227,6 @@ interface OAuthFlowContext {
|
|
|
154
227
|
state: string;
|
|
155
228
|
authorizationUrl: string;
|
|
156
229
|
}
|
|
157
|
-
/**
|
|
158
|
-
* Start the OAuth 2.1 Authorization Code flow with PKCE
|
|
159
|
-
*
|
|
160
|
-
* This is the first phase of a two-phase OAuth flow for remote daemon scenarios.
|
|
161
|
-
* Returns the authorization URL to open in browser and context needed to complete
|
|
162
|
-
* the flow later.
|
|
163
|
-
*
|
|
164
|
-
* @param wwwAuthenticateHeader - The WWW-Authenticate header from 401 response
|
|
165
|
-
* @param clientId - OAuth client ID (optional, will use DCR if not provided)
|
|
166
|
-
* @param redirectUri - Custom redirect URI (optional, defaults to a placeholder)
|
|
167
|
-
* @param options - Additional options
|
|
168
|
-
* @param options.authorizationUrlOverride - Override the auto-discovered authorization endpoint URL
|
|
169
|
-
* @param options.tokenUrlOverride - Override the auto-discovered token endpoint URL
|
|
170
|
-
* @returns Authorization URL and flow context
|
|
171
|
-
*/
|
|
172
230
|
declare function startMCPOAuthFlow(wwwAuthenticateHeader: string, clientId?: string, redirectUri?: string, options?: {
|
|
173
231
|
authorizationUrlOverride?: string;
|
|
174
232
|
tokenUrlOverride?: string;
|
|
@@ -176,6 +234,24 @@ declare function startMCPOAuthFlow(wwwAuthenticateHeader: string, clientId?: str
|
|
|
176
234
|
scope?: string;
|
|
177
235
|
/** Pre-discovered resource metadata URL (used when WWW-Authenticate lacks resource_metadata) */
|
|
178
236
|
resourceMetadataUrl?: string;
|
|
237
|
+
/**
|
|
238
|
+
* Pre-discovered Authorization Server metadata. Used when the MCP server
|
|
239
|
+
* doesn't implement RFC 9728 but does serve RFC 8414 / OIDC metadata
|
|
240
|
+
* directly at its own origin (e.g. Reo.Dev). When provided, both
|
|
241
|
+
* `fetchResourceMetadata` and `fetchAuthorizationServerMetadata` are
|
|
242
|
+
* skipped — `prefetchedAuthServerMetadata` is used as-is.
|
|
243
|
+
*
|
|
244
|
+
* The `cacheKey` option (or the MCP URL via the caller's redirect plumbing)
|
|
245
|
+
* is used as the token cache key in place of an RFC 9728 metadata URL.
|
|
246
|
+
*/
|
|
247
|
+
prefetchedAuthServerMetadata?: AuthorizationServerMetadata;
|
|
248
|
+
/**
|
|
249
|
+
* Token cache key. When `prefetchedAuthServerMetadata` is provided there's
|
|
250
|
+
* no real RFC 9728 metadata URL to use as the key, so the caller passes a
|
|
251
|
+
* stable string (typically the MCP URL itself). `getCachedOAuth21Token`
|
|
252
|
+
* matches by URL origin, so any value sharing the MCP URL's origin works.
|
|
253
|
+
*/
|
|
254
|
+
cacheKey?: string;
|
|
179
255
|
}): Promise<OAuthFlowContext>;
|
|
180
256
|
/**
|
|
181
257
|
* Complete the OAuth 2.1 flow with authorization code
|
|
@@ -200,4 +276,4 @@ declare function parseOAuthCallback(callbackUrl: string): {
|
|
|
200
276
|
state: string;
|
|
201
277
|
};
|
|
202
278
|
|
|
203
|
-
export { type AuthorizationServerMetadata, type DynamicClientRegistrationResponse, type OAuthFlowContext, type OAuthMetadata, OAuthTokenResponse, clearAuthCodeTokenCache, completeMCPOAuthFlow, discoverResourceMetadataUrl, getAuthCodeTokenCacheStats, getCachedOAuth21Token, isOAuthRequired, parseOAuthCallback, performMCPOAuthFlow, resolveResourceMetadataUrl, startMCPOAuthFlow };
|
|
279
|
+
export { type AuthorizationServerMetadata, type DynamicClientRegistrationResponse, type MCPOAuthDiscoveryResult, type OAuthFlowContext, type OAuthMetadata, OAuthTokenResponse, clearAuthCodeTokenCache, completeMCPOAuthFlow, discoverAuthorizationServerFromMcpOrigin, discoverResourceMetadataUrl, fetchAuthorizationServerMetadata, getAuthCodeTokenCacheStats, getCachedOAuth21Token, isOAuthRequired, parseOAuthCallback, performMCPOAuthFlow, resolveMCPOAuthDiscovery, resolveResourceMetadataUrl, startMCPOAuthFlow };
|