agor-live 0.17.2 → 0.17.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (316) hide show
  1. package/dist/cli/lib/banner.d.ts +1 -1
  2. package/dist/cli/lib/banner.js +1 -1
  3. package/dist/cli/lib/check-migrations.test.js +9627 -9112
  4. package/dist/cli/lib/daemon-manager.test.js +9632 -9117
  5. package/dist/cli/lib/help.js +1 -1
  6. package/dist/core/api/index.d.cts +3 -3
  7. package/dist/core/api/index.d.ts +3 -3
  8. package/dist/core/{board-comment-DIdOJrSF.d.cts → board-comment-CCFVVN7K.d.cts} +0 -2
  9. package/dist/core/{board-comment-3N-jSgsk.d.ts → board-comment-iT3DgZb4.d.ts} +0 -2
  10. package/dist/core/claude/index.cjs +29 -19
  11. package/dist/core/claude/index.d.cts +2 -2
  12. package/dist/core/claude/index.d.ts +2 -2
  13. package/dist/core/claude/index.js +32 -33
  14. package/dist/core/client/index.cjs +49 -0
  15. package/dist/core/client/index.d.cts +7 -7
  16. package/dist/core/client/index.d.ts +7 -7
  17. package/dist/core/client/index.js +46 -0
  18. package/dist/core/{client-B5PyIvNc.d.cts → client-CemqXk0v.d.cts} +116 -100
  19. package/dist/core/{client-C1CsRi19.d.ts → client-uYEOha6g.d.ts} +116 -100
  20. package/dist/core/config/browser.d.cts +3 -3
  21. package/dist/core/config/browser.d.ts +3 -3
  22. package/dist/core/config/index.cjs +84 -41
  23. package/dist/core/config/index.d.cts +59 -17
  24. package/dist/core/config/index.d.ts +59 -17
  25. package/dist/core/config/index.js +86 -55
  26. package/dist/core/{config-manager-TxxjFMRd.d.cts → config-manager-B8TP9Kz0.d.cts} +12 -3
  27. package/dist/core/{config-manager-DTrsj6G3.d.ts → config-manager-CDEB0FY4.d.ts} +12 -3
  28. package/dist/core/{config-services-YEZ4DwCD.d.cts → config-services-CXyQKEK5.d.cts} +1 -1
  29. package/dist/core/{config-services-DcO2GRgh.d.ts → config-services-DhM7_yWn.d.ts} +1 -1
  30. package/dist/core/db/index.cjs +235 -175
  31. package/dist/core/db/index.d.cts +190 -147
  32. package/dist/core/db/index.d.ts +190 -147
  33. package/dist/core/db/index.js +239 -190
  34. package/dist/core/db/session-guard.d.cts +4 -4
  35. package/dist/core/db/session-guard.d.ts +4 -4
  36. package/dist/core/drizzle/postgres/0028_queued_tasks.sql +8 -0
  37. package/dist/core/drizzle/postgres/0030_migrate_queued_messages.sql +24 -0
  38. package/dist/core/drizzle/postgres/0031_restructure_agentic_tool_config.sql +201 -0
  39. package/dist/core/drizzle/postgres/meta/_journal.json +21 -0
  40. package/dist/core/drizzle/sqlite/0039_queued_tasks.sql +13 -0
  41. package/dist/core/drizzle/sqlite/0040_migrate_queued_messages.sql +61 -0
  42. package/dist/core/drizzle/sqlite/0041_restructure_agentic_tool_config.sql +204 -0
  43. package/dist/core/drizzle/sqlite/meta/_journal.json +21 -0
  44. package/dist/core/gateway/index.d.cts +2 -2
  45. package/dist/core/gateway/index.d.ts +2 -2
  46. package/dist/core/{gateway-BnOlAelY.d.cts → gateway-BWq4j_Ll.d.cts} +1 -1
  47. package/dist/core/{gateway-B_4X-v07.d.ts → gateway-C3Jm_akw.d.ts} +1 -1
  48. package/dist/core/git/index.d.cts +4 -4
  49. package/dist/core/git/index.d.ts +4 -4
  50. package/dist/core/index.cjs +474 -201
  51. package/dist/core/index.d.cts +12 -10
  52. package/dist/core/index.d.ts +12 -10
  53. package/dist/core/index.js +473 -216
  54. package/dist/core/lib/feathers-validation.cjs +2 -1
  55. package/dist/core/lib/feathers-validation.d.cts +1 -1
  56. package/dist/core/lib/feathers-validation.d.ts +1 -1
  57. package/dist/core/lib/feathers-validation.js +2 -1
  58. package/dist/core/mcp/index.cjs +26 -16
  59. package/dist/core/mcp/index.js +26 -16
  60. package/dist/core/{message-DinITA7a.d.cts → message-CSWOsdcZ.d.cts} +1 -9
  61. package/dist/core/{message-CHUUP6OS.d.ts → message-DZa8g0s0.d.ts} +1 -9
  62. package/dist/core/models/index.d.cts +3 -73
  63. package/dist/core/models/index.d.ts +3 -73
  64. package/dist/core/package.json +5 -0
  65. package/dist/core/permissions/index.d.cts +1 -1
  66. package/dist/core/permissions/index.d.ts +1 -1
  67. package/dist/core/resolve-config-BcL-Hv8k.d.ts +74 -0
  68. package/dist/core/resolve-config-DTCxuSBx.d.cts +74 -0
  69. package/dist/core/seed/index.cjs +145 -98
  70. package/dist/core/seed/index.js +148 -112
  71. package/dist/core/{session-guard-C0LkDEN7.d.ts → session-guard-BFqVtBoS.d.ts} +1 -1
  72. package/dist/core/{session-guard-kvAx_8Fb.d.cts → session-guard-KHh0cnET.d.cts} +1 -1
  73. package/dist/core/sessions/index.cjs +184 -0
  74. package/dist/core/sessions/index.d.cts +79 -0
  75. package/dist/core/sessions/index.d.ts +79 -0
  76. package/dist/core/sessions/index.js +157 -0
  77. package/dist/core/{task-BLPFCORT.d.ts → task-BHV-YHg1.d.ts} +41 -3
  78. package/dist/core/{task-wht1RJEL.d.cts → task-C2Hy7H6u.d.cts} +41 -3
  79. package/dist/core/templates/session-context.d.cts +1 -1
  80. package/dist/core/templates/session-context.d.ts +1 -1
  81. package/dist/core/tools/mcp/oauth-mcp-transport.cjs +168 -66
  82. package/dist/core/tools/mcp/oauth-mcp-transport.d.cts +92 -16
  83. package/dist/core/tools/mcp/oauth-mcp-transport.d.ts +92 -16
  84. package/dist/core/tools/mcp/oauth-mcp-transport.js +165 -66
  85. package/dist/core/tools/mcp/oauth-refresh.cjs +43 -53
  86. package/dist/core/tools/mcp/oauth-refresh.d.cts +3 -3
  87. package/dist/core/tools/mcp/oauth-refresh.d.ts +3 -3
  88. package/dist/core/tools/mcp/oauth-refresh.js +58 -78
  89. package/dist/core/types/index.cjs +49 -0
  90. package/dist/core/types/index.d.cts +7 -7
  91. package/dist/core/types/index.d.ts +7 -7
  92. package/dist/core/types/index.js +46 -0
  93. package/dist/core/{types-DNqfdt1z.d.cts → types-D4Rl6ZKN.d.cts} +18 -2
  94. package/dist/core/{types-DqPMmTad.d.ts → types-n61iaXub.d.ts} +18 -2
  95. package/dist/core/unix/index.cjs +164 -110
  96. package/dist/core/unix/index.d.cts +7 -8
  97. package/dist/core/unix/index.d.ts +7 -8
  98. package/dist/core/unix/index.js +167 -124
  99. package/dist/core/{user-DkNdeFoz.d.cts → user-CpfkcV2C.d.cts} +139 -13
  100. package/dist/core/{user-BfVWBmXA.d.ts → user-DP-XZMIM.d.ts} +139 -13
  101. package/dist/core/utils/permission-mode-mapper.d.cts +0 -2
  102. package/dist/core/utils/permission-mode-mapper.d.ts +0 -2
  103. package/dist/daemon/index.js +2976 -2791
  104. package/dist/daemon/main.js +2976 -2791
  105. package/dist/daemon/mcp/server.js +177 -134
  106. package/dist/daemon/mcp/tools/analytics.js +19 -5
  107. package/dist/daemon/mcp/tools/artifacts.js +19 -5
  108. package/dist/daemon/mcp/tools/boards.js +19 -5
  109. package/dist/daemon/mcp/tools/card-types.js +19 -5
  110. package/dist/daemon/mcp/tools/cards.js +19 -5
  111. package/dist/daemon/mcp/tools/environment.js +19 -5
  112. package/dist/daemon/mcp/tools/mcp-servers.d.ts +29 -2
  113. package/dist/daemon/mcp/tools/mcp-servers.js +64 -54
  114. package/dist/daemon/mcp/tools/messages.js +19 -5
  115. package/dist/daemon/mcp/tools/repos.js +19 -5
  116. package/dist/daemon/mcp/tools/search.js +19 -5
  117. package/dist/daemon/mcp/tools/sessions.js +175 -53
  118. package/dist/daemon/mcp/tools/tasks.js +19 -5
  119. package/dist/daemon/mcp/tools/users.js +19 -5
  120. package/dist/daemon/mcp/tools/worktrees.js +37 -38
  121. package/dist/daemon/register-hooks.js +52 -1
  122. package/dist/daemon/register-routes.js +436 -424
  123. package/dist/daemon/register-services.js +255 -140
  124. package/dist/daemon/services/config.d.ts +7 -1
  125. package/dist/daemon/services/config.js +3 -2
  126. package/dist/daemon/services/gateway.js +28 -15
  127. package/dist/daemon/services/mcp-servers.d.ts +7 -2
  128. package/dist/daemon/services/repos.js +2 -0
  129. package/dist/daemon/services/sessions.d.ts +1 -1
  130. package/dist/daemon/services/sessions.js +8 -16
  131. package/dist/daemon/services/tasks.js +16 -10
  132. package/dist/daemon/services/terminals.js +2 -0
  133. package/dist/daemon/services/users.d.ts +27 -11
  134. package/dist/daemon/services/users.js +89 -43
  135. package/dist/daemon/services/worktree-owners.js +2 -0
  136. package/dist/daemon/services/worktrees.js +2 -0
  137. package/dist/daemon/setup/index.js +5 -2
  138. package/dist/daemon/setup/socketio.d.ts +10 -1
  139. package/dist/daemon/setup/socketio.js +7 -3
  140. package/dist/daemon/startup.js +13 -1
  141. package/dist/daemon/utils/apply-session-config-defaults.d.ts +54 -0
  142. package/dist/daemon/utils/apply-session-config-defaults.js +46 -0
  143. package/dist/daemon/utils/spawn-executor.js +2 -0
  144. package/dist/daemon/utils/worktree-authorization.d.ts +2 -4
  145. package/dist/executor/commands/zellij.d.ts.map +1 -1
  146. package/dist/executor/commands/zellij.js +2 -2
  147. package/dist/executor/handlers/sdk/base-executor.d.ts +4 -3
  148. package/dist/executor/handlers/sdk/base-executor.d.ts.map +1 -1
  149. package/dist/executor/handlers/sdk/base-executor.js +11 -5
  150. package/dist/executor/payload-types.d.ts +14 -14
  151. package/dist/executor/sdk-handlers/claude/claude-tool.d.ts.map +1 -1
  152. package/dist/executor/sdk-handlers/claude/claude-tool.js +9 -4
  153. package/dist/executor/sdk-handlers/claude/import/task-extractor.d.ts.map +1 -1
  154. package/dist/executor/sdk-handlers/claude/import/task-extractor.js +0 -5
  155. package/dist/executor/sdk-handlers/claude/message-builder.d.ts +23 -2
  156. package/dist/executor/sdk-handlers/claude/message-builder.d.ts.map +1 -1
  157. package/dist/executor/sdk-handlers/claude/message-builder.js +33 -2
  158. package/dist/executor/sdk-handlers/claude/permissions/permission-hooks.d.ts +9 -1
  159. package/dist/executor/sdk-handlers/claude/permissions/permission-hooks.d.ts.map +1 -1
  160. package/dist/executor/sdk-handlers/claude/permissions/permission-hooks.js +12 -0
  161. package/dist/executor/sdk-handlers/claude/query-builder.d.ts.map +1 -1
  162. package/dist/executor/sdk-handlers/claude/query-builder.js +11 -6
  163. package/dist/executor/sdk-handlers/codex/codex-tool.d.ts +0 -5
  164. package/dist/executor/sdk-handlers/codex/codex-tool.d.ts.map +1 -1
  165. package/dist/executor/sdk-handlers/codex/codex-tool.js +9 -24
  166. package/dist/executor/sdk-handlers/codex/prompt-service.d.ts +15 -2
  167. package/dist/executor/sdk-handlers/codex/prompt-service.d.ts.map +1 -1
  168. package/dist/executor/sdk-handlers/codex/prompt-service.js +39 -10
  169. package/dist/executor/sdk-handlers/copilot/copilot-tool.d.ts +0 -5
  170. package/dist/executor/sdk-handlers/copilot/copilot-tool.d.ts.map +1 -1
  171. package/dist/executor/sdk-handlers/copilot/copilot-tool.js +5 -22
  172. package/dist/executor/sdk-handlers/gemini/gemini-tool.d.ts +0 -5
  173. package/dist/executor/sdk-handlers/gemini/gemini-tool.d.ts.map +1 -1
  174. package/dist/executor/sdk-handlers/gemini/gemini-tool.js +9 -24
  175. package/dist/ui/assets/{CodeEditor.inner-CO-5PAnZ.js → CodeEditor.inner-CVLqZBtM.js} +1 -1
  176. package/dist/ui/assets/{CodeEditor.inner-CO-5PAnZ.js.gz → CodeEditor.inner-CVLqZBtM.js.gz} +0 -0
  177. package/dist/ui/assets/{_basePickBy-DfxojsEt.js → _basePickBy-CFq5ES2J.js} +1 -1
  178. package/dist/ui/assets/_basePickBy-CFq5ES2J.js.gz +0 -0
  179. package/dist/ui/assets/{_baseUniq-DWFPJOTC.js → _baseUniq-C4uKBvNt.js} +1 -1
  180. package/dist/ui/assets/_baseUniq-C4uKBvNt.js.gz +0 -0
  181. package/dist/ui/assets/{arc-vMZ_XGSI.js → arc-BnrcXDJJ.js} +1 -1
  182. package/dist/ui/assets/arc-BnrcXDJJ.js.gz +0 -0
  183. package/dist/ui/assets/{architectureDiagram-VXUJARFQ-DGpk_uOD.js → architectureDiagram-VXUJARFQ-DD9HD-WR.js} +1 -1
  184. package/dist/ui/assets/architectureDiagram-VXUJARFQ-DD9HD-WR.js.gz +0 -0
  185. package/dist/ui/assets/{base-80a1f760-BsVlOKqO.js → base-80a1f760-BK1VmxWU.js} +1 -1
  186. package/dist/ui/assets/{blockDiagram-VD42YOAC-BkRnxc94.js → blockDiagram-VD42YOAC-LBAckZZe.js} +1 -1
  187. package/dist/ui/assets/blockDiagram-VD42YOAC-LBAckZZe.js.gz +0 -0
  188. package/dist/ui/assets/{c4Diagram-YG6GDRKO-Dcf-anJy.js → c4Diagram-YG6GDRKO-yEdylcYP.js} +1 -1
  189. package/dist/ui/assets/{c4Diagram-YG6GDRKO-Dcf-anJy.js.gz → c4Diagram-YG6GDRKO-yEdylcYP.js.gz} +0 -0
  190. package/dist/ui/assets/channel-CMN-iY3Q.js +1 -0
  191. package/dist/ui/assets/{chunk-4BX2VUAB-C4oVWDo8.js → chunk-4BX2VUAB-IHtzKbmQ.js} +1 -1
  192. package/dist/ui/assets/{chunk-55IACEB6-CsBbTu57.js → chunk-55IACEB6-C4o5tv_F.js} +1 -1
  193. package/dist/ui/assets/{chunk-B4BG7PRW-DtkeCZab.js → chunk-B4BG7PRW-EPkzLvlB.js} +1 -1
  194. package/dist/ui/assets/chunk-B4BG7PRW-EPkzLvlB.js.gz +0 -0
  195. package/dist/ui/assets/{chunk-DI55MBZ5-BQ_asW-1.js → chunk-DI55MBZ5-CW-Bzkzj.js} +1 -1
  196. package/dist/ui/assets/chunk-DI55MBZ5-CW-Bzkzj.js.gz +0 -0
  197. package/dist/ui/assets/{chunk-FMBD7UC4-DAdcLNG-.js → chunk-FMBD7UC4-DvGU02Io.js} +1 -1
  198. package/dist/ui/assets/{chunk-QN33PNHL-Do2zad3m.js → chunk-QN33PNHL-C-PIlz9n.js} +1 -1
  199. package/dist/ui/assets/{chunk-QZHKN3VN-CyhMmSdC.js → chunk-QZHKN3VN-BhpJFm6h.js} +1 -1
  200. package/dist/ui/assets/{chunk-TZMSLE5B-DlPypnIq.js → chunk-TZMSLE5B-Biake8IU.js} +1 -1
  201. package/dist/ui/assets/chunk-TZMSLE5B-Biake8IU.js.gz +0 -0
  202. package/dist/ui/assets/classDiagram-2ON5EDUG-Bz1et8oA.js +1 -0
  203. package/dist/ui/assets/classDiagram-v2-WZHVMYZB-Bz1et8oA.js +1 -0
  204. package/dist/ui/assets/clone-Dxo5sEAf.js +1 -0
  205. package/dist/ui/assets/{consoleHook-59e792cb-DHYIclEd.js → consoleHook-59e792cb-BzEkHWE8.js} +1 -1
  206. package/dist/ui/assets/consoleHook-59e792cb-BzEkHWE8.js.gz +0 -0
  207. package/dist/ui/assets/{cose-bilkent-S5V4N54A-DotJH9qH.js → cose-bilkent-S5V4N54A-vAiVi74s.js} +1 -1
  208. package/dist/ui/assets/cose-bilkent-S5V4N54A-vAiVi74s.js.gz +0 -0
  209. package/dist/ui/assets/{dagre-6UL2VRFP-Btssr8QF.js → dagre-6UL2VRFP-C8w7TshD.js} +1 -1
  210. package/dist/ui/assets/dagre-6UL2VRFP-C8w7TshD.js.gz +0 -0
  211. package/dist/ui/assets/{diagram-PSM6KHXK-D5_Jkog3.js → diagram-PSM6KHXK-CvnjEmtQ.js} +1 -1
  212. package/dist/ui/assets/diagram-PSM6KHXK-CvnjEmtQ.js.gz +0 -0
  213. package/dist/ui/assets/{diagram-QEK2KX5R-DlPEVSL5.js → diagram-QEK2KX5R-D245unng.js} +1 -1
  214. package/dist/ui/assets/diagram-QEK2KX5R-D245unng.js.gz +0 -0
  215. package/dist/ui/assets/{diagram-S2PKOQOG-CjO1k8aG.js → diagram-S2PKOQOG-DgGUHL8Z.js} +1 -1
  216. package/dist/ui/assets/diagram-S2PKOQOG-DgGUHL8Z.js.gz +0 -0
  217. package/dist/ui/assets/{erDiagram-Q2GNP2WA-3cO02-K3.js → erDiagram-Q2GNP2WA-Cf5paK9b.js} +1 -1
  218. package/dist/ui/assets/erDiagram-Q2GNP2WA-Cf5paK9b.js.gz +0 -0
  219. package/dist/ui/assets/{flowDiagram-NV44I4VS-CajTpSxI.js → flowDiagram-NV44I4VS-BJpHmEXV.js} +1 -1
  220. package/dist/ui/assets/flowDiagram-NV44I4VS-BJpHmEXV.js.gz +0 -0
  221. package/dist/ui/assets/{ganttDiagram-LVOFAZNH-CnY_bV3o.js → ganttDiagram-LVOFAZNH-zOyTZcXC.js} +1 -1
  222. package/dist/ui/assets/{ganttDiagram-LVOFAZNH-CnY_bV3o.js.gz → ganttDiagram-LVOFAZNH-zOyTZcXC.js.gz} +0 -0
  223. package/dist/ui/assets/{gitGraphDiagram-NY62KEGX-CH16bg-j.js → gitGraphDiagram-NY62KEGX-B0uxwqMv.js} +1 -1
  224. package/dist/ui/assets/gitGraphDiagram-NY62KEGX-B0uxwqMv.js.gz +0 -0
  225. package/dist/ui/assets/{graph-IQoZvE3o.js → graph-NWXc73TO.js} +1 -1
  226. package/dist/ui/assets/graph-NWXc73TO.js.gz +0 -0
  227. package/dist/ui/assets/{index-599aeaf7-RUCkgwsg.js → index-599aeaf7-BKmNqoNF.js} +1 -1
  228. package/dist/ui/assets/index-599aeaf7-BKmNqoNF.js.gz +0 -0
  229. package/dist/ui/assets/{index-B3AvIgqP.js → index-BRYNiHLB.js} +345 -349
  230. package/dist/ui/assets/index-BRYNiHLB.js.gz +0 -0
  231. package/dist/ui/assets/{index-QV5-5yA2.js → index-BX6Xmhes.js} +1 -1
  232. package/dist/ui/assets/index-BX6Xmhes.js.gz +0 -0
  233. package/dist/ui/assets/{index-ChmRuj_T.js → index-W1hIq1uU.js} +1 -1
  234. package/dist/ui/assets/index-W1hIq1uU.js.gz +0 -0
  235. package/dist/ui/assets/{index-C-quzPWC.js → index-ctuok0zf.js} +1 -1
  236. package/dist/ui/assets/index-ctuok0zf.js.gz +0 -0
  237. package/dist/ui/assets/{infoDiagram-ER5ION4S-2e4gZVGT.js → infoDiagram-ER5ION4S-CquCuoTH.js} +1 -1
  238. package/dist/ui/assets/{journeyDiagram-XKPGCS4Q-B5bgV3GH.js → journeyDiagram-XKPGCS4Q-B_XkufZ8.js} +1 -1
  239. package/dist/ui/assets/journeyDiagram-XKPGCS4Q-B_XkufZ8.js.gz +0 -0
  240. package/dist/ui/assets/{kanban-definition-3W4ZIXB7-Bp-aWRSc.js → kanban-definition-3W4ZIXB7-C2Bo9HkB.js} +1 -1
  241. package/dist/ui/assets/kanban-definition-3W4ZIXB7-C2Bo9HkB.js.gz +0 -0
  242. package/dist/ui/assets/katex-C6wkUDai.css +1 -0
  243. package/dist/ui/assets/{katex-DGRguze2.css.gz → katex-C6wkUDai.css.gz} +0 -0
  244. package/dist/ui/assets/{layout-BH-2XJZq.js → layout-D9A7Uaku.js} +1 -1
  245. package/dist/ui/assets/layout-D9A7Uaku.js.gz +0 -0
  246. package/dist/ui/assets/{linear-DCYXhl_f.js → linear-BJUwJsxE.js} +1 -1
  247. package/dist/ui/assets/linear-BJUwJsxE.js.gz +0 -0
  248. package/dist/ui/assets/{mermaid.core-BAuL6kgQ.js → mermaid.core-DcOEcjcA.js} +5 -5
  249. package/dist/ui/assets/mermaid.core-DcOEcjcA.js.gz +0 -0
  250. package/dist/ui/assets/{mindmap-definition-VGOIOE7T-DpH5N-N0.js → mindmap-definition-VGOIOE7T-BFT1m7BG.js} +1 -1
  251. package/dist/ui/assets/mindmap-definition-VGOIOE7T-BFT1m7BG.js.gz +0 -0
  252. package/dist/ui/assets/{pieDiagram-ADFJNKIX-BB8fBxj1.js → pieDiagram-ADFJNKIX-BFaX1oBV.js} +1 -1
  253. package/dist/ui/assets/pieDiagram-ADFJNKIX-BFaX1oBV.js.gz +0 -0
  254. package/dist/ui/assets/{quadrantDiagram-AYHSOK5B-D6oZLdUD.js → quadrantDiagram-AYHSOK5B-DQps5392.js} +1 -1
  255. package/dist/ui/assets/quadrantDiagram-AYHSOK5B-DQps5392.js.gz +0 -0
  256. package/dist/ui/assets/{requirementDiagram-UZGBJVZJ-B4uGPp8w.js → requirementDiagram-UZGBJVZJ-3EZ5KWEi.js} +1 -1
  257. package/dist/ui/assets/requirementDiagram-UZGBJVZJ-3EZ5KWEi.js.gz +0 -0
  258. package/dist/ui/assets/{sankeyDiagram-TZEHDZUN-MXhIjhme.js → sankeyDiagram-TZEHDZUN-D0qcydqq.js} +1 -1
  259. package/dist/ui/assets/sankeyDiagram-TZEHDZUN-D0qcydqq.js.gz +0 -0
  260. package/dist/ui/assets/{sequenceDiagram-WL72ISMW-Cm53TYug.js → sequenceDiagram-WL72ISMW-BCR5gaaN.js} +1 -1
  261. package/dist/ui/assets/sequenceDiagram-WL72ISMW-BCR5gaaN.js.gz +0 -0
  262. package/dist/ui/assets/{stateDiagram-FKZM4ZOC-BVuxUkj5.js → stateDiagram-FKZM4ZOC-BvX4FLQ9.js} +1 -1
  263. package/dist/ui/assets/stateDiagram-FKZM4ZOC-BvX4FLQ9.js.gz +0 -0
  264. package/dist/ui/assets/stateDiagram-v2-4FDKWEC3-CxLDvgTF.js +1 -0
  265. package/dist/ui/assets/{timeline-definition-IT6M3QCI-CMypNiEP.js → timeline-definition-IT6M3QCI-_AWp5LJn.js} +1 -1
  266. package/dist/ui/assets/timeline-definition-IT6M3QCI-_AWp5LJn.js.gz +0 -0
  267. package/dist/ui/assets/{treemap-KMMF4GRG-BEtnV3BT.js → treemap-KMMF4GRG-BZ9FBl5-.js} +1 -1
  268. package/dist/ui/assets/treemap-KMMF4GRG-BZ9FBl5-.js.gz +0 -0
  269. package/dist/ui/assets/{xychartDiagram-PRI3JC2R-BnioEYUM.js → xychartDiagram-PRI3JC2R-_wB7yuVd.js} +1 -1
  270. package/dist/ui/assets/xychartDiagram-PRI3JC2R-_wB7yuVd.js.gz +0 -0
  271. package/dist/ui/index.html +1 -1
  272. package/package.json +8 -8
  273. package/dist/ui/assets/_basePickBy-DfxojsEt.js.gz +0 -0
  274. package/dist/ui/assets/_baseUniq-DWFPJOTC.js.gz +0 -0
  275. package/dist/ui/assets/arc-vMZ_XGSI.js.gz +0 -0
  276. package/dist/ui/assets/architectureDiagram-VXUJARFQ-DGpk_uOD.js.gz +0 -0
  277. package/dist/ui/assets/blockDiagram-VD42YOAC-BkRnxc94.js.gz +0 -0
  278. package/dist/ui/assets/channel-B9aI4bYN.js +0 -1
  279. package/dist/ui/assets/chunk-B4BG7PRW-DtkeCZab.js.gz +0 -0
  280. package/dist/ui/assets/chunk-DI55MBZ5-BQ_asW-1.js.gz +0 -0
  281. package/dist/ui/assets/chunk-TZMSLE5B-DlPypnIq.js.gz +0 -0
  282. package/dist/ui/assets/classDiagram-2ON5EDUG-p-68WO4Z.js +0 -1
  283. package/dist/ui/assets/classDiagram-v2-WZHVMYZB-p-68WO4Z.js +0 -1
  284. package/dist/ui/assets/clone-DzK5ogfn.js +0 -1
  285. package/dist/ui/assets/consoleHook-59e792cb-DHYIclEd.js.gz +0 -0
  286. package/dist/ui/assets/cose-bilkent-S5V4N54A-DotJH9qH.js.gz +0 -0
  287. package/dist/ui/assets/dagre-6UL2VRFP-Btssr8QF.js.gz +0 -0
  288. package/dist/ui/assets/diagram-PSM6KHXK-D5_Jkog3.js.gz +0 -0
  289. package/dist/ui/assets/diagram-QEK2KX5R-DlPEVSL5.js.gz +0 -0
  290. package/dist/ui/assets/diagram-S2PKOQOG-CjO1k8aG.js.gz +0 -0
  291. package/dist/ui/assets/erDiagram-Q2GNP2WA-3cO02-K3.js.gz +0 -0
  292. package/dist/ui/assets/flowDiagram-NV44I4VS-CajTpSxI.js.gz +0 -0
  293. package/dist/ui/assets/gitGraphDiagram-NY62KEGX-CH16bg-j.js.gz +0 -0
  294. package/dist/ui/assets/graph-IQoZvE3o.js.gz +0 -0
  295. package/dist/ui/assets/index-599aeaf7-RUCkgwsg.js.gz +0 -0
  296. package/dist/ui/assets/index-B3AvIgqP.js.gz +0 -0
  297. package/dist/ui/assets/index-C-quzPWC.js.gz +0 -0
  298. package/dist/ui/assets/index-ChmRuj_T.js.gz +0 -0
  299. package/dist/ui/assets/index-QV5-5yA2.js.gz +0 -0
  300. package/dist/ui/assets/journeyDiagram-XKPGCS4Q-B5bgV3GH.js.gz +0 -0
  301. package/dist/ui/assets/kanban-definition-3W4ZIXB7-Bp-aWRSc.js.gz +0 -0
  302. package/dist/ui/assets/katex-DGRguze2.css +0 -1
  303. package/dist/ui/assets/layout-BH-2XJZq.js.gz +0 -0
  304. package/dist/ui/assets/linear-DCYXhl_f.js.gz +0 -0
  305. package/dist/ui/assets/mermaid.core-BAuL6kgQ.js.gz +0 -0
  306. package/dist/ui/assets/mindmap-definition-VGOIOE7T-DpH5N-N0.js.gz +0 -0
  307. package/dist/ui/assets/pieDiagram-ADFJNKIX-BB8fBxj1.js.gz +0 -0
  308. package/dist/ui/assets/quadrantDiagram-AYHSOK5B-D6oZLdUD.js.gz +0 -0
  309. package/dist/ui/assets/requirementDiagram-UZGBJVZJ-B4uGPp8w.js.gz +0 -0
  310. package/dist/ui/assets/sankeyDiagram-TZEHDZUN-MXhIjhme.js.gz +0 -0
  311. package/dist/ui/assets/sequenceDiagram-WL72ISMW-Cm53TYug.js.gz +0 -0
  312. package/dist/ui/assets/stateDiagram-FKZM4ZOC-BVuxUkj5.js.gz +0 -0
  313. package/dist/ui/assets/stateDiagram-v2-4FDKWEC3-8Jeww6Dc.js +0 -1
  314. package/dist/ui/assets/timeline-definition-IT6M3QCI-CMypNiEP.js.gz +0 -0
  315. package/dist/ui/assets/treemap-KMMF4GRG-BEtnV3BT.js.gz +0 -0
  316. package/dist/ui/assets/xychartDiagram-PRI3JC2R-BnioEYUM.js.gz +0 -0
@@ -32,12 +32,15 @@ var oauth_mcp_transport_exports = {};
32
32
  __export(oauth_mcp_transport_exports, {
33
33
  clearAuthCodeTokenCache: () => clearAuthCodeTokenCache,
34
34
  completeMCPOAuthFlow: () => completeMCPOAuthFlow,
35
+ discoverAuthorizationServerFromMcpOrigin: () => discoverAuthorizationServerFromMcpOrigin,
35
36
  discoverResourceMetadataUrl: () => discoverResourceMetadataUrl,
37
+ fetchAuthorizationServerMetadata: () => fetchAuthorizationServerMetadata,
36
38
  getAuthCodeTokenCacheStats: () => getAuthCodeTokenCacheStats,
37
39
  getCachedOAuth21Token: () => getCachedOAuth21Token,
38
40
  isOAuthRequired: () => isOAuthRequired,
39
41
  parseOAuthCallback: () => parseOAuthCallback,
40
42
  performMCPOAuthFlow: () => performMCPOAuthFlow,
43
+ resolveMCPOAuthDiscovery: () => resolveMCPOAuthDiscovery,
41
44
  resolveResourceMetadataUrl: () => resolveResourceMetadataUrl,
42
45
  startMCPOAuthFlow: () => startMCPOAuthFlow
43
46
  });
@@ -100,6 +103,59 @@ async function resolveResourceMetadataUrl(wwwAuthenticateHeader, mcpUrl) {
100
103
  }
101
104
  return null;
102
105
  }
106
+ async function discoverAuthorizationServerFromMcpOrigin(mcpUrl) {
107
+ const url = new URL(mcpUrl);
108
+ const origin = url.origin;
109
+ const path = url.pathname === "/" ? "" : url.pathname.replace(/\/$/, "");
110
+ const candidates = [];
111
+ if (path) {
112
+ candidates.push(`${origin}/.well-known/oauth-authorization-server${path}`);
113
+ }
114
+ candidates.push(`${origin}/.well-known/oauth-authorization-server`);
115
+ if (path) {
116
+ candidates.push(`${origin}${path}/.well-known/openid-configuration`);
117
+ }
118
+ candidates.push(`${origin}/.well-known/openid-configuration`);
119
+ const unique = Array.from(new Set(candidates));
120
+ for (const candidate of unique) {
121
+ try {
122
+ console.log("[MCP OAuth] Trying AS-direct discovery:", candidate);
123
+ const response = await fetch(candidate, { signal: AbortSignal.timeout(1e4) });
124
+ if (!response.ok) continue;
125
+ const data = await response.json();
126
+ if (typeof data.authorization_endpoint === "string" && typeof data.token_endpoint === "string") {
127
+ console.log("[MCP OAuth] \u2713 Discovered AS metadata at:", candidate);
128
+ return {
129
+ metadata: data,
130
+ discoveredAt: candidate
131
+ };
132
+ }
133
+ } catch (err) {
134
+ console.log(
135
+ "[MCP OAuth] AS-direct discovery failed for",
136
+ candidate,
137
+ ":",
138
+ err instanceof Error ? err.message : String(err)
139
+ );
140
+ }
141
+ }
142
+ return null;
143
+ }
144
+ async function resolveMCPOAuthDiscovery(wwwAuthenticateHeader, mcpUrl) {
145
+ const rfc9728 = await resolveResourceMetadataUrl(wwwAuthenticateHeader, mcpUrl);
146
+ if (rfc9728) {
147
+ return { kind: "resource-metadata", ...rfc9728 };
148
+ }
149
+ const asDirect = await discoverAuthorizationServerFromMcpOrigin(mcpUrl);
150
+ if (asDirect) {
151
+ return {
152
+ kind: "authorization-server",
153
+ authServerMetadata: asDirect.metadata,
154
+ discoveredAt: asDirect.discoveredAt
155
+ };
156
+ }
157
+ return null;
158
+ }
103
159
  async function fetchResourceMetadata(metadataUrl) {
104
160
  const response = await fetch(metadataUrl, { signal: AbortSignal.timeout(15e3) });
105
161
  if (!response.ok) {
@@ -529,101 +585,72 @@ function getAuthCodeTokenCacheStats() {
529
585
  expiredEntries
530
586
  };
531
587
  }
532
- async function startMCPOAuthFlow(wwwAuthenticateHeader, clientId, redirectUri, options) {
533
- console.log("[MCP OAuth] Starting two-phase OAuth 2.1 flow");
534
- const metadataUrl = parseWWWAuthenticate(wwwAuthenticateHeader) || options?.resourceMetadataUrl;
535
- if (!metadataUrl) {
536
- throw new Error(
537
- "Could not determine OAuth resource metadata URL. The WWW-Authenticate header does not contain resource_metadata, and no pre-discovered metadata URL was provided."
538
- );
539
- }
540
- console.log("[MCP OAuth] Resource metadata URL:", metadataUrl);
541
- const resourceMetadata = await fetchResourceMetadata(metadataUrl);
542
- console.log("[MCP OAuth] Resource metadata:", resourceMetadata);
543
- if (!resourceMetadata.authorization_servers || resourceMetadata.authorization_servers.length === 0) {
544
- throw new Error("No authorization servers found in resource metadata");
545
- }
546
- const authServerUrl = resourceMetadata.authorization_servers[0];
547
- console.log("[MCP OAuth] Authorization server:", authServerUrl);
548
- const hasFullOverrides = options?.authorizationUrlOverride && options?.tokenUrlOverride;
549
- let authServerMetadata = null;
550
- if (hasFullOverrides) {
551
- console.log("[MCP OAuth] Skipping auth server metadata fetch \u2014 manual overrides provided:", {
552
- authorization: options.authorizationUrlOverride,
553
- token: options.tokenUrlOverride
554
- });
555
- } else {
556
- try {
557
- authServerMetadata = await fetchAuthorizationServerMetadata(authServerUrl);
558
- console.log("[MCP OAuth] Authorization server metadata:", authServerMetadata);
559
- } catch (metadataError) {
560
- if (options?.authorizationUrlOverride || options?.tokenUrlOverride) {
561
- console.log(
562
- "[MCP OAuth] Auth server metadata fetch failed, but partial overrides available:",
563
- metadataError instanceof Error ? metadataError.message : String(metadataError)
564
- );
565
- } else {
566
- throw metadataError;
567
- }
568
- }
569
- }
588
+ async function startMCPOAuthFlowWithAS(opts) {
589
+ const {
590
+ authServerMetadata,
591
+ cacheKey,
592
+ clientId,
593
+ redirectUri,
594
+ authorizationUrlOverride,
595
+ tokenUrlOverride,
596
+ fallbackRegistrationEndpoint,
597
+ resourceScopesSupported
598
+ } = opts;
599
+ const hasFullOverrides = !!(authorizationUrlOverride && tokenUrlOverride);
570
600
  const pkce = generatePKCE();
571
601
  const actualRedirectUri = redirectUri || "http://127.0.0.1:0/oauth/callback";
572
- const scopeString = options?.scope ? options.scope : !clientId && resourceMetadata.scopes_supported && resourceMetadata.scopes_supported.length > 0 ? resourceMetadata.scopes_supported.join(" ") : void 0;
602
+ const scopeString = opts.scope ? opts.scope : !clientId && resourceScopesSupported && resourceScopesSupported.length > 0 ? resourceScopesSupported.join(" ") : void 0;
573
603
  let actualClientId = clientId;
574
- let clientSecret = options?.clientSecret;
604
+ let resolvedClientSecret = opts.clientSecret;
575
605
  if (!actualClientId) {
576
- if (authServerMetadata?.registration_endpoint) {
577
- console.log("[MCP OAuth] Server supports Dynamic Client Registration");
578
- const registration = await registerDynamicClient(
579
- authServerMetadata.registration_endpoint,
580
- actualRedirectUri,
581
- "Agor MCP Client",
582
- scopeString
583
- );
584
- actualClientId = registration.client_id;
585
- clientSecret = registration.client_secret;
586
- } else if (!hasFullOverrides) {
587
- const mcpRegisterEndpoint = `${authServerUrl}/register`;
588
- console.log("[MCP OAuth] Trying MCP-style registration endpoint:", mcpRegisterEndpoint);
606
+ const registrationEndpoint = authServerMetadata?.registration_endpoint || fallbackRegistrationEndpoint;
607
+ if (registrationEndpoint) {
608
+ console.log("[MCP OAuth] Using DCR endpoint:", registrationEndpoint);
589
609
  try {
590
610
  const registration = await registerDynamicClient(
591
- mcpRegisterEndpoint,
611
+ registrationEndpoint,
592
612
  actualRedirectUri,
593
613
  "Agor MCP Client",
594
614
  scopeString
595
615
  );
596
616
  actualClientId = registration.client_id;
597
- clientSecret = registration.client_secret;
598
- } catch (_regError) {
617
+ resolvedClientSecret = registration.client_secret;
618
+ } catch (regError) {
619
+ const detail = regError instanceof Error ? regError.message : String(regError);
599
620
  throw new Error(
600
- "OAuth client_id is required but the authorization server does not support Dynamic Client Registration.\n\nRegister an OAuth app in the provider's developer portal and enter the Client ID (and Client Secret if required) in the MCP server configuration."
621
+ `Dynamic Client Registration failed.
622
+
623
+ Registration endpoint: ${registrationEndpoint}
624
+ Error: ${detail}
625
+
626
+ Register an OAuth app in the provider's developer portal and enter the Client ID (and Client Secret if required) in the MCP server configuration.`
601
627
  );
602
628
  }
603
- } else {
629
+ } else if (hasFullOverrides) {
604
630
  throw new Error(
605
631
  "OAuth client_id is required when using manual OAuth URL overrides.\n\nPlease provide a client_id in the MCP server configuration."
606
632
  );
633
+ } else {
634
+ throw new Error(
635
+ "OAuth client_id is required but the authorization server does not advertise a Dynamic Client Registration endpoint (RFC 7591).\n\nRegister an OAuth app in the provider's developer portal and enter the Client ID (and Client Secret if required) in the MCP server configuration."
636
+ );
607
637
  }
608
638
  }
609
639
  const state = import_node_crypto.default.randomUUID();
610
- const tokenEndpoint = options?.tokenUrlOverride || authServerMetadata?.token_endpoint;
640
+ const tokenEndpoint = tokenUrlOverride || authServerMetadata?.token_endpoint;
611
641
  if (!tokenEndpoint) {
612
642
  throw new Error(
613
643
  "No token endpoint available. Either provide oauth_token_url in the MCP server config, or ensure the authorization server supports RFC 8414 metadata discovery."
614
644
  );
615
645
  }
616
- console.log("[MCP OAuth] Using token endpoint:", tokenEndpoint);
617
- if (options?.tokenUrlOverride) {
618
- console.log("[MCP OAuth] (overridden from:", authServerMetadata?.token_endpoint, ")");
619
- }
620
- const authorizationEndpoint = options?.authorizationUrlOverride || authServerMetadata?.authorization_endpoint;
646
+ const authorizationEndpoint = authorizationUrlOverride || authServerMetadata?.authorization_endpoint;
621
647
  if (!authorizationEndpoint) {
622
648
  throw new Error(
623
649
  "No authorization endpoint available. Either provide oauth_authorization_url in the MCP server config, or ensure the authorization server supports RFC 8414 metadata discovery."
624
650
  );
625
651
  }
626
652
  console.log("[MCP OAuth] Using authorization endpoint:", authorizationEndpoint);
653
+ console.log("[MCP OAuth] Using token endpoint:", tokenEndpoint);
627
654
  const authUrl = new URL(authorizationEndpoint);
628
655
  authUrl.searchParams.set("response_type", "code");
629
656
  authUrl.searchParams.set("client_id", actualClientId);
@@ -636,16 +663,88 @@ async function startMCPOAuthFlow(wwwAuthenticateHeader, clientId, redirectUri, o
636
663
  }
637
664
  console.log("[MCP OAuth] Authorization URL:", authUrl.toString());
638
665
  return {
639
- metadataUrl,
666
+ metadataUrl: cacheKey,
640
667
  tokenEndpoint,
641
668
  redirectUri: actualRedirectUri,
642
669
  pkceVerifier: pkce.verifier,
643
670
  clientId: actualClientId,
644
- clientSecret,
671
+ clientSecret: resolvedClientSecret,
645
672
  state,
646
673
  authorizationUrl: authUrl.toString()
647
674
  };
648
675
  }
676
+ async function startMCPOAuthFlow(wwwAuthenticateHeader, clientId, redirectUri, options) {
677
+ console.log("[MCP OAuth] Starting two-phase OAuth 2.1 flow");
678
+ if (options?.prefetchedAuthServerMetadata) {
679
+ if (!options.cacheKey) {
680
+ throw new Error(
681
+ "startMCPOAuthFlow: cacheKey is required when prefetchedAuthServerMetadata is provided (typically pass the MCP server URL)."
682
+ );
683
+ }
684
+ console.log(
685
+ "[MCP OAuth] Using prefetched AS metadata (RFC 9728 skipped):",
686
+ options.prefetchedAuthServerMetadata
687
+ );
688
+ return startMCPOAuthFlowWithAS({
689
+ authServerMetadata: options.prefetchedAuthServerMetadata,
690
+ cacheKey: options.cacheKey,
691
+ clientId,
692
+ redirectUri,
693
+ authorizationUrlOverride: options.authorizationUrlOverride,
694
+ tokenUrlOverride: options.tokenUrlOverride,
695
+ clientSecret: options.clientSecret,
696
+ scope: options.scope
697
+ });
698
+ }
699
+ const metadataUrl = parseWWWAuthenticate(wwwAuthenticateHeader) || options?.resourceMetadataUrl;
700
+ if (!metadataUrl) {
701
+ throw new Error(
702
+ "Could not determine OAuth resource metadata URL. The WWW-Authenticate header does not contain resource_metadata, and no pre-discovered metadata URL was provided."
703
+ );
704
+ }
705
+ console.log("[MCP OAuth] Resource metadata URL:", metadataUrl);
706
+ const resourceMetadata = await fetchResourceMetadata(metadataUrl);
707
+ console.log("[MCP OAuth] Resource metadata:", resourceMetadata);
708
+ if (!resourceMetadata.authorization_servers || resourceMetadata.authorization_servers.length === 0) {
709
+ throw new Error("No authorization servers found in resource metadata");
710
+ }
711
+ const authServerUrl = resourceMetadata.authorization_servers[0];
712
+ console.log("[MCP OAuth] Authorization server:", authServerUrl);
713
+ const hasFullOverrides = options?.authorizationUrlOverride && options?.tokenUrlOverride;
714
+ let authServerMetadata = null;
715
+ if (hasFullOverrides) {
716
+ console.log("[MCP OAuth] Skipping auth server metadata fetch \u2014 manual overrides provided:", {
717
+ authorization: options.authorizationUrlOverride,
718
+ token: options.tokenUrlOverride
719
+ });
720
+ } else {
721
+ try {
722
+ authServerMetadata = await fetchAuthorizationServerMetadata(authServerUrl);
723
+ console.log("[MCP OAuth] Authorization server metadata:", authServerMetadata);
724
+ } catch (metadataError) {
725
+ if (options?.authorizationUrlOverride || options?.tokenUrlOverride) {
726
+ console.log(
727
+ "[MCP OAuth] Auth server metadata fetch failed, but partial overrides available:",
728
+ metadataError instanceof Error ? metadataError.message : String(metadataError)
729
+ );
730
+ } else {
731
+ throw metadataError;
732
+ }
733
+ }
734
+ }
735
+ return startMCPOAuthFlowWithAS({
736
+ authServerMetadata,
737
+ cacheKey: metadataUrl,
738
+ clientId,
739
+ redirectUri,
740
+ authorizationUrlOverride: options?.authorizationUrlOverride,
741
+ tokenUrlOverride: options?.tokenUrlOverride,
742
+ clientSecret: options?.clientSecret,
743
+ scope: options?.scope,
744
+ fallbackRegistrationEndpoint: hasFullOverrides ? void 0 : `${authServerUrl}/register`,
745
+ resourceScopesSupported: resourceMetadata.scopes_supported
746
+ });
747
+ }
649
748
  async function completeMCPOAuthFlow(context, code, state) {
650
749
  console.log("[MCP OAuth] Completing OAuth flow with authorization code");
651
750
  console.log("[MCP OAuth] Token endpoint:", context.tokenEndpoint);
@@ -705,12 +804,15 @@ function parseOAuthCallback(callbackUrl) {
705
804
  0 && (module.exports = {
706
805
  clearAuthCodeTokenCache,
707
806
  completeMCPOAuthFlow,
807
+ discoverAuthorizationServerFromMcpOrigin,
708
808
  discoverResourceMetadataUrl,
809
+ fetchAuthorizationServerMetadata,
709
810
  getAuthCodeTokenCacheStats,
710
811
  getCachedOAuth21Token,
711
812
  isOAuthRequired,
712
813
  parseOAuthCallback,
713
814
  performMCPOAuthFlow,
815
+ resolveMCPOAuthDiscovery,
714
816
  resolveResourceMetadataUrl,
715
817
  startMCPOAuthFlow
716
818
  });
@@ -65,6 +65,79 @@ declare function resolveResourceMetadataUrl(wwwAuthenticateHeader: string | null
65
65
  metadataUrl: string;
66
66
  source: 'header' | 'well-known';
67
67
  } | null>;
68
+ /**
69
+ * Discover OAuth Authorization Server metadata directly at the MCP server's
70
+ * origin (RFC 8414 / OIDC fallback when RFC 9728 isn't implemented).
71
+ *
72
+ * Some MCP servers (e.g. Reo.Dev) skip the RFC 9728 Protected Resource Metadata
73
+ * layer entirely and instead serve the AS metadata document at their own
74
+ * origin. Claude Desktop's MCP client probes this path; we mirror that
75
+ * behaviour so 'paste URL → click Connect' works without manual config.
76
+ *
77
+ * Probes (in order). Note that RFC 8414 and OIDC use *different* path-construction
78
+ * rules for path-bearing issuers:
79
+ * - RFC 8414 §3.1: insert `.well-known/oauth-authorization-server` between
80
+ * the host and the issuer's path → `{origin}/.well-known/...{path}`
81
+ * - OIDC Discovery 1.0 §4: append `.well-known/openid-configuration` after
82
+ * the issuer's path → `{origin}{path}/.well-known/...`
83
+ *
84
+ * Probe order:
85
+ * 1. {origin}/.well-known/oauth-authorization-server{path} (RFC 8414 path-aware)
86
+ * 2. {origin}/.well-known/oauth-authorization-server (root)
87
+ * 3. {origin}{path}/.well-known/openid-configuration (OIDC path-aware)
88
+ * 4. {origin}/.well-known/openid-configuration (OIDC root)
89
+ *
90
+ * @param mcpUrl - The MCP server URL
91
+ * @returns Discovered AS metadata + the URL it was fetched from, or null
92
+ */
93
+ declare function discoverAuthorizationServerFromMcpOrigin(mcpUrl: string): Promise<{
94
+ metadata: AuthorizationServerMetadata;
95
+ discoveredAt: string;
96
+ } | null>;
97
+ /**
98
+ * Discriminated discovery result for MCP OAuth.
99
+ *
100
+ * The MCP Authorization spec layers three RFCs:
101
+ * - RFC 9728 (Protected Resource Metadata) — links resource server → AS list
102
+ * - RFC 8414 (Authorization Server Metadata) — describes the AS endpoints
103
+ * - RFC 7591 (Dynamic Client Registration) — register a client at runtime
104
+ *
105
+ * Real-world servers vary in what they actually implement. This type lets
106
+ * callers distinguish:
107
+ * - 'resource-metadata': RFC 9728 worked → fetch metadata URL → derive AS
108
+ * - 'authorization-server': RFC 9728 absent, but AS metadata served directly
109
+ * at the MCP origin (Reo.Dev pattern) → use it directly, skip RFC 9728.
110
+ */
111
+ type MCPOAuthDiscoveryResult = {
112
+ kind: 'resource-metadata';
113
+ metadataUrl: string;
114
+ source: 'header' | 'well-known';
115
+ } | {
116
+ kind: 'authorization-server';
117
+ authServerMetadata: AuthorizationServerMetadata;
118
+ discoveredAt: string;
119
+ };
120
+ /**
121
+ * Full MCP OAuth discovery cascade — the single entry point new daemon
122
+ * callsites should use.
123
+ *
124
+ * Walks the cascade in order:
125
+ * 1. WWW-Authenticate `resource_metadata="..."` (RFC 9728 via header hint)
126
+ * 2. `<origin>/.well-known/oauth-protected-resource` (RFC 9728 well-known)
127
+ * 3. `<origin>/.well-known/oauth-authorization-server` (RFC 8414 direct)
128
+ * 4. `<origin>/.well-known/openid-configuration` (OIDC discovery direct)
129
+ *
130
+ * Returns the first success. Each step's failure is logged but never thrown —
131
+ * a clean `null` lets the caller emit a single, specific error message.
132
+ */
133
+ declare function resolveMCPOAuthDiscovery(wwwAuthenticateHeader: string | null, mcpUrl: string): Promise<MCPOAuthDiscoveryResult | null>;
134
+ /**
135
+ * Fetch Authorization Server Metadata (RFC 8414)
136
+ *
137
+ * Implements path-aware discovery per RFC 8414 Section 3.
138
+ * Falls back to OIDC discovery and naive URL construction.
139
+ */
140
+ declare function fetchAuthorizationServerMetadata(authServerUrl: string): Promise<AuthorizationServerMetadata>;
68
141
  /**
69
142
  * Perform MCP OAuth 2.1 Authorization Code flow with PKCE.
70
143
  *
@@ -154,21 +227,6 @@ interface OAuthFlowContext {
154
227
  state: string;
155
228
  authorizationUrl: string;
156
229
  }
157
- /**
158
- * Start the OAuth 2.1 Authorization Code flow with PKCE
159
- *
160
- * This is the first phase of a two-phase OAuth flow for remote daemon scenarios.
161
- * Returns the authorization URL to open in browser and context needed to complete
162
- * the flow later.
163
- *
164
- * @param wwwAuthenticateHeader - The WWW-Authenticate header from 401 response
165
- * @param clientId - OAuth client ID (optional, will use DCR if not provided)
166
- * @param redirectUri - Custom redirect URI (optional, defaults to a placeholder)
167
- * @param options - Additional options
168
- * @param options.authorizationUrlOverride - Override the auto-discovered authorization endpoint URL
169
- * @param options.tokenUrlOverride - Override the auto-discovered token endpoint URL
170
- * @returns Authorization URL and flow context
171
- */
172
230
  declare function startMCPOAuthFlow(wwwAuthenticateHeader: string, clientId?: string, redirectUri?: string, options?: {
173
231
  authorizationUrlOverride?: string;
174
232
  tokenUrlOverride?: string;
@@ -176,6 +234,24 @@ declare function startMCPOAuthFlow(wwwAuthenticateHeader: string, clientId?: str
176
234
  scope?: string;
177
235
  /** Pre-discovered resource metadata URL (used when WWW-Authenticate lacks resource_metadata) */
178
236
  resourceMetadataUrl?: string;
237
+ /**
238
+ * Pre-discovered Authorization Server metadata. Used when the MCP server
239
+ * doesn't implement RFC 9728 but does serve RFC 8414 / OIDC metadata
240
+ * directly at its own origin (e.g. Reo.Dev). When provided, both
241
+ * `fetchResourceMetadata` and `fetchAuthorizationServerMetadata` are
242
+ * skipped — `prefetchedAuthServerMetadata` is used as-is.
243
+ *
244
+ * The `cacheKey` option (or the MCP URL via the caller's redirect plumbing)
245
+ * is used as the token cache key in place of an RFC 9728 metadata URL.
246
+ */
247
+ prefetchedAuthServerMetadata?: AuthorizationServerMetadata;
248
+ /**
249
+ * Token cache key. When `prefetchedAuthServerMetadata` is provided there's
250
+ * no real RFC 9728 metadata URL to use as the key, so the caller passes a
251
+ * stable string (typically the MCP URL itself). `getCachedOAuth21Token`
252
+ * matches by URL origin, so any value sharing the MCP URL's origin works.
253
+ */
254
+ cacheKey?: string;
179
255
  }): Promise<OAuthFlowContext>;
180
256
  /**
181
257
  * Complete the OAuth 2.1 flow with authorization code
@@ -200,4 +276,4 @@ declare function parseOAuthCallback(callbackUrl: string): {
200
276
  state: string;
201
277
  };
202
278
 
203
- export { type AuthorizationServerMetadata, type DynamicClientRegistrationResponse, type OAuthFlowContext, type OAuthMetadata, OAuthTokenResponse, clearAuthCodeTokenCache, completeMCPOAuthFlow, discoverResourceMetadataUrl, getAuthCodeTokenCacheStats, getCachedOAuth21Token, isOAuthRequired, parseOAuthCallback, performMCPOAuthFlow, resolveResourceMetadataUrl, startMCPOAuthFlow };
279
+ export { type AuthorizationServerMetadata, type DynamicClientRegistrationResponse, type MCPOAuthDiscoveryResult, type OAuthFlowContext, type OAuthMetadata, OAuthTokenResponse, clearAuthCodeTokenCache, completeMCPOAuthFlow, discoverAuthorizationServerFromMcpOrigin, discoverResourceMetadataUrl, fetchAuthorizationServerMetadata, getAuthCodeTokenCacheStats, getCachedOAuth21Token, isOAuthRequired, parseOAuthCallback, performMCPOAuthFlow, resolveMCPOAuthDiscovery, resolveResourceMetadataUrl, startMCPOAuthFlow };
@@ -65,6 +65,79 @@ declare function resolveResourceMetadataUrl(wwwAuthenticateHeader: string | null
65
65
  metadataUrl: string;
66
66
  source: 'header' | 'well-known';
67
67
  } | null>;
68
+ /**
69
+ * Discover OAuth Authorization Server metadata directly at the MCP server's
70
+ * origin (RFC 8414 / OIDC fallback when RFC 9728 isn't implemented).
71
+ *
72
+ * Some MCP servers (e.g. Reo.Dev) skip the RFC 9728 Protected Resource Metadata
73
+ * layer entirely and instead serve the AS metadata document at their own
74
+ * origin. Claude Desktop's MCP client probes this path; we mirror that
75
+ * behaviour so 'paste URL → click Connect' works without manual config.
76
+ *
77
+ * Probes (in order). Note that RFC 8414 and OIDC use *different* path-construction
78
+ * rules for path-bearing issuers:
79
+ * - RFC 8414 §3.1: insert `.well-known/oauth-authorization-server` between
80
+ * the host and the issuer's path → `{origin}/.well-known/...{path}`
81
+ * - OIDC Discovery 1.0 §4: append `.well-known/openid-configuration` after
82
+ * the issuer's path → `{origin}{path}/.well-known/...`
83
+ *
84
+ * Probe order:
85
+ * 1. {origin}/.well-known/oauth-authorization-server{path} (RFC 8414 path-aware)
86
+ * 2. {origin}/.well-known/oauth-authorization-server (root)
87
+ * 3. {origin}{path}/.well-known/openid-configuration (OIDC path-aware)
88
+ * 4. {origin}/.well-known/openid-configuration (OIDC root)
89
+ *
90
+ * @param mcpUrl - The MCP server URL
91
+ * @returns Discovered AS metadata + the URL it was fetched from, or null
92
+ */
93
+ declare function discoverAuthorizationServerFromMcpOrigin(mcpUrl: string): Promise<{
94
+ metadata: AuthorizationServerMetadata;
95
+ discoveredAt: string;
96
+ } | null>;
97
+ /**
98
+ * Discriminated discovery result for MCP OAuth.
99
+ *
100
+ * The MCP Authorization spec layers three RFCs:
101
+ * - RFC 9728 (Protected Resource Metadata) — links resource server → AS list
102
+ * - RFC 8414 (Authorization Server Metadata) — describes the AS endpoints
103
+ * - RFC 7591 (Dynamic Client Registration) — register a client at runtime
104
+ *
105
+ * Real-world servers vary in what they actually implement. This type lets
106
+ * callers distinguish:
107
+ * - 'resource-metadata': RFC 9728 worked → fetch metadata URL → derive AS
108
+ * - 'authorization-server': RFC 9728 absent, but AS metadata served directly
109
+ * at the MCP origin (Reo.Dev pattern) → use it directly, skip RFC 9728.
110
+ */
111
+ type MCPOAuthDiscoveryResult = {
112
+ kind: 'resource-metadata';
113
+ metadataUrl: string;
114
+ source: 'header' | 'well-known';
115
+ } | {
116
+ kind: 'authorization-server';
117
+ authServerMetadata: AuthorizationServerMetadata;
118
+ discoveredAt: string;
119
+ };
120
+ /**
121
+ * Full MCP OAuth discovery cascade — the single entry point new daemon
122
+ * callsites should use.
123
+ *
124
+ * Walks the cascade in order:
125
+ * 1. WWW-Authenticate `resource_metadata="..."` (RFC 9728 via header hint)
126
+ * 2. `<origin>/.well-known/oauth-protected-resource` (RFC 9728 well-known)
127
+ * 3. `<origin>/.well-known/oauth-authorization-server` (RFC 8414 direct)
128
+ * 4. `<origin>/.well-known/openid-configuration` (OIDC discovery direct)
129
+ *
130
+ * Returns the first success. Each step's failure is logged but never thrown —
131
+ * a clean `null` lets the caller emit a single, specific error message.
132
+ */
133
+ declare function resolveMCPOAuthDiscovery(wwwAuthenticateHeader: string | null, mcpUrl: string): Promise<MCPOAuthDiscoveryResult | null>;
134
+ /**
135
+ * Fetch Authorization Server Metadata (RFC 8414)
136
+ *
137
+ * Implements path-aware discovery per RFC 8414 Section 3.
138
+ * Falls back to OIDC discovery and naive URL construction.
139
+ */
140
+ declare function fetchAuthorizationServerMetadata(authServerUrl: string): Promise<AuthorizationServerMetadata>;
68
141
  /**
69
142
  * Perform MCP OAuth 2.1 Authorization Code flow with PKCE.
70
143
  *
@@ -154,21 +227,6 @@ interface OAuthFlowContext {
154
227
  state: string;
155
228
  authorizationUrl: string;
156
229
  }
157
- /**
158
- * Start the OAuth 2.1 Authorization Code flow with PKCE
159
- *
160
- * This is the first phase of a two-phase OAuth flow for remote daemon scenarios.
161
- * Returns the authorization URL to open in browser and context needed to complete
162
- * the flow later.
163
- *
164
- * @param wwwAuthenticateHeader - The WWW-Authenticate header from 401 response
165
- * @param clientId - OAuth client ID (optional, will use DCR if not provided)
166
- * @param redirectUri - Custom redirect URI (optional, defaults to a placeholder)
167
- * @param options - Additional options
168
- * @param options.authorizationUrlOverride - Override the auto-discovered authorization endpoint URL
169
- * @param options.tokenUrlOverride - Override the auto-discovered token endpoint URL
170
- * @returns Authorization URL and flow context
171
- */
172
230
  declare function startMCPOAuthFlow(wwwAuthenticateHeader: string, clientId?: string, redirectUri?: string, options?: {
173
231
  authorizationUrlOverride?: string;
174
232
  tokenUrlOverride?: string;
@@ -176,6 +234,24 @@ declare function startMCPOAuthFlow(wwwAuthenticateHeader: string, clientId?: str
176
234
  scope?: string;
177
235
  /** Pre-discovered resource metadata URL (used when WWW-Authenticate lacks resource_metadata) */
178
236
  resourceMetadataUrl?: string;
237
+ /**
238
+ * Pre-discovered Authorization Server metadata. Used when the MCP server
239
+ * doesn't implement RFC 9728 but does serve RFC 8414 / OIDC metadata
240
+ * directly at its own origin (e.g. Reo.Dev). When provided, both
241
+ * `fetchResourceMetadata` and `fetchAuthorizationServerMetadata` are
242
+ * skipped — `prefetchedAuthServerMetadata` is used as-is.
243
+ *
244
+ * The `cacheKey` option (or the MCP URL via the caller's redirect plumbing)
245
+ * is used as the token cache key in place of an RFC 9728 metadata URL.
246
+ */
247
+ prefetchedAuthServerMetadata?: AuthorizationServerMetadata;
248
+ /**
249
+ * Token cache key. When `prefetchedAuthServerMetadata` is provided there's
250
+ * no real RFC 9728 metadata URL to use as the key, so the caller passes a
251
+ * stable string (typically the MCP URL itself). `getCachedOAuth21Token`
252
+ * matches by URL origin, so any value sharing the MCP URL's origin works.
253
+ */
254
+ cacheKey?: string;
179
255
  }): Promise<OAuthFlowContext>;
180
256
  /**
181
257
  * Complete the OAuth 2.1 flow with authorization code
@@ -200,4 +276,4 @@ declare function parseOAuthCallback(callbackUrl: string): {
200
276
  state: string;
201
277
  };
202
278
 
203
- export { type AuthorizationServerMetadata, type DynamicClientRegistrationResponse, type OAuthFlowContext, type OAuthMetadata, OAuthTokenResponse, clearAuthCodeTokenCache, completeMCPOAuthFlow, discoverResourceMetadataUrl, getAuthCodeTokenCacheStats, getCachedOAuth21Token, isOAuthRequired, parseOAuthCallback, performMCPOAuthFlow, resolveResourceMetadataUrl, startMCPOAuthFlow };
279
+ export { type AuthorizationServerMetadata, type DynamicClientRegistrationResponse, type MCPOAuthDiscoveryResult, type OAuthFlowContext, type OAuthMetadata, OAuthTokenResponse, clearAuthCodeTokenCache, completeMCPOAuthFlow, discoverAuthorizationServerFromMcpOrigin, discoverResourceMetadataUrl, fetchAuthorizationServerMetadata, getAuthCodeTokenCacheStats, getCachedOAuth21Token, isOAuthRequired, parseOAuthCallback, performMCPOAuthFlow, resolveMCPOAuthDiscovery, resolveResourceMetadataUrl, startMCPOAuthFlow };