arc-1 0.9.18 → 0.9.19

package/dist/server/http.d.ts

@@ -24,45 +24,10 @@
  *
  * 4. Health endpoint is always unauthenticated — needed for CF health checks.
  */
+import type { XsuaaCredentials } from '@arc-mcp/xsuaa-auth';
 import type { Server as McpServer } from '@modelcontextprotocol/sdk/server/index.js';
-import type { Request, Response } from 'express';
 import express from 'express';
-import type { OAuthStateCodec } from './oauth-state.js';
-import type { StatelessDcrClientStore } from './stateless-client-store.js';
 import type { ServerConfig } from './types.js';
-import type { XsuaaCredentials } from './xsuaa.js';
-/**
- * Express handler for ARC-1's `/oauth/callback`, the second half of the
- * XSUAA callback proxy that fixes the `+`-in-state bug (issue #214).
- *
- * XSUAA redirects here (not to the client) with an opaque base64url `state`
- * token that ARC-1's `authorize()` minted. We verify + decode it to recover
- * the client's ORIGINAL `redirect_uri` and `state`, then 302 to the client
- * re-emitting the state via `URL.searchParams` — whose serializer encodes a
- * literal `+` as `%2B`, exactly the encoding the client's parser expects.
- *
- * Removal condition + upstream tracking (XSUAA root cause, arc-1#214,
- * vscode#314715) are documented at the top of `oauth-state.ts`.
- *
- * SECURITY (authorization-code interception, security audit 2026-06): the
- * signed state carries the originating DCR `client_id` (`decoded.clientId`).
- * Before forwarding the auth code (or an error) to `decoded.clientRedirectUri`,
- * we verify that redirect_uri is actually registered for that client. The
- * signature alone is insufficient: all DCR clients share one XSUAA app, so a
- * forged-state attack is blocked by the HMAC, but the redirect target must
- * still belong to the client that will exchange the code. For stateless DCR
- * clients (`arc1-…`) the registered redirect_uris are baked immutably into the
- * signed `client_id`, so this check deterministically rejects an attacker who
- * substitutes their own redirect_uri on a victim's `client_id`. For the shared
- * pre-registered XSUAA default client the redirect_uri is checked against the
- * static allowlist (mirrors xs-security.json) instead — `clientStore` makes
- * both decisions via `checkRedirectUri`.
- *
- * Exported for unit tests; mounted in `startHttpServer`. When `clientStore` is
- * omitted (legacy unit tests of the issue-#214 round-trip) the binding check is
- * skipped; production always passes it.
- */
-export declare function createOAuthCallbackHandler(stateCodec: OAuthStateCodec, clientStore?: StatelessDcrClientStore): (req: Request, res: Response) => Promise<void>;
 /**
  * Apply security headers (helmet) and opt-in CORS to an Express app.
  *
@@ -93,16 +58,20 @@ export declare function applySecurityMiddleware(app: express.Application, allowe
 export declare function startHttpServer(serverFactory: () => McpServer, config: ServerConfig, xsuaaCredentials?: XsuaaCredentials): Promise<void>;
 /**
  * Create a token verifier for standard auth mode (API key + OIDC).
- * Returns AuthInfo so the MCP SDK populates extra.authInfo on the request,
- * enabling scope enforcement, per-request safety, and principal propagation.
- */
-export declare function createStandardVerifier(config: ServerConfig): (token: string) => Promise<import('@modelcontextprotocol/sdk/server/auth/types.js').AuthInfo>;
-/**
- * Extract scopes from an OIDC JWT payload.
  *
- * Tries `scope` (space-separated string, standard OIDC) then `scp` (array, Azure AD style).
- * Filters to known scopes, applies implied scope expansion, and falls back to read-only
- * when no scope claims are present (safe default for providers that don't emit scopes).
+ * Built entirely from the `@arc-mcp/xsuaa-auth` package's chained verifier
+ * (constant-time api-key compare + hardened OIDC), mirroring how XSUAA mode wires
+ * its chain — minus the XSUAA verifier, which standard mode doesn't have. The
+ * chain order is XSUAA → OIDC → api-key; with no XSUAA verifier that collapses to
+ * OIDC → api-key, which is order-immaterial here (token types are disjoint) and
+ * preserves the previous behavior (api-key matched first only mattered because
+ * the two paths never overlap). Returns `AuthInfo` so the MCP SDK populates
+ * `extra.authInfo` on the request context, enabling scope enforcement,
+ * per-request safety, and principal propagation.
+ *
+ * Async because the package is dynamic-imported (lazy, consistent with the rest
+ * of this module); the returned verifier itself is the package's sync-built
+ * chained verifier.
  */
-export declare function extractOidcScopes(payload: Record<string, unknown>): string[];
+export declare function createStandardVerifier(config: ServerConfig): Promise<import('@arc-mcp/xsuaa-auth').Verifier>;
 //# sourceMappingURL=http.d.ts.map

package/dist/server/http.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"http.d.ts","sourceRoot":"","sources":["../../src/server/http.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAEH,OAAO,KAAK,EAAE,MAAM,IAAI,SAAS,EAAE,MAAM,2CAA2C,CAAC;AAGrF,OAAO,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AACjD,OAAO,OAAO,MAAM,SAAS,CAAC;AAK9B,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAExD,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,6BAA6B,CAAC;AAC3E,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAC/C,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AA0DnD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AACH,wBAAgB,0BAA0B,CAAC,UAAU,EAAE,eAAe,EAAE,WAAW,CAAC,EAAE,uBAAuB,IAC7F,KAAK,OAAO,EAAE,KAAK,QAAQ,KAAG,OAAO,CAAC,IAAI,CAAC,CA+H1D;AAoCD;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,wBAAgB,uBAAuB,CAAC,GAAG,EAAE,OAAO,CAAC,WAAW,EAAE,cAAc,EAAE,MAAM,EAAE,GAAG,IAAI,CA6DhG;AAuCD;;GAEG;AACH,wBAAsB,eAAe,CACnC,aAAa,EAAE,MAAM,SAAS,EAC9B,MAAM,EAAE,YAAY,EACpB,gBAAgB,CAAC,EAAE,gBAAgB,GAClC,OAAO,CAAC,IAAI,CAAC,CAqXf;AAID;;;;GAIG;AACH,wBAAgB,sBAAsB,CACpC,MAAM,EAAE,YAAY,GACnB,CAAC,KAAK,EAAE,MAAM,KAAK,OAAO,CAAC,OAAO,gDAAgD,EAAE,QAAQ,CAAC,CAsD/F;AA0CD;;;;;;GAMG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,EAAE,CAiC5E"}
+{"version":3,"file":"http.d.ts","sourceRoot":"","sources":["../../src/server/http.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAEH,OAAO,KAAK,EAAe,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AACzE,OAAO,KAAK,EAAE,MAAM,IAAI,SAAS,EAAE,MAAM,2CAA2C,CAAC;AAIrF,OAAO,OAAO,MAAM,SAAS,CAAC;AAM9B,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AA2B/C;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,wBAAgB,uBAAuB,CAAC,GAAG,EAAE,OAAO,CAAC,WAAW,EAAE,cAAc,EAAE,MAAM,EAAE,GAAG,IAAI,CA6DhG;AAuCD;;GAEG;AACH,wBAAsB,eAAe,CACnC,aAAa,EAAE,MAAM,SAAS,EAC9B,MAAM,EAAE,YAAY,EACpB,gBAAgB,CAAC,EAAE,gBAAgB,GAClC,OAAO,CAAC,IAAI,CAAC,CAgZf;AAkDD;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAsB,sBAAsB,CAAC,MAAM,EAAE,YAAY,GAAG,OAAO,CAAC,OAAO,qBAAqB,EAAE,QAAQ,CAAC,CAOlH"}

package/dist/server/http.js

@@ -30,237 +30,31 @@ import express from 'express';
 import helmet from 'helmet';
 import { expandScopes } from '../authz/policy.js';
 import { API_KEY_PROFILES } from './config.js';
-import { logger } from './logger.js';
+import { authLibLogger, logger } from './logger.js';
 import { VERSION } from './server.js';
-// ─── OAuth Callback Proxy Handler (issue #214) ───────────────────────
+// ─── API Key Entry Mapping ───────────────────────────────────────────
 /**
- * Minimal HTML-escape for embedding untrusted text (e.g. an OAuth
- * `error_description` from the query string) into the error page below.
+ * Map ARC-1's `config.apiKeys` (`{key, profile}[]`) to the package's
+ * `ApiKeyEntry[]` (`{key, scopes, clientId}`) so the package's constant-time
+ * api-key verifier resolves them identically to ARC-1's previous profile-based
+ * matching:
+ *   - scopes come from `API_KEY_PROFILES[profile]` after `expandScopes`,
+ *   - clientId is `api-key:<profile>` (same audit/identity string as before).
+ * Entries whose profile is unknown are dropped (defense in depth — profiles are
+ * already validated at config-parse time). Used by BOTH XSUAA and standard mode.
  */
-function escapeHtml(value) {
-    return value
-        .replace(/&/g, '&amp;')
-        .replace(/</g, '&lt;')
-        .replace(/>/g, '&gt;')
-        .replace(/"/g, '&quot;')
-        .replace(/'/g, '&#39;');
-}
-/**
- * Is this a loopback HTTP redirect URI (`http://localhost|127.0.0.1|[::1]`)?
- * Such callbacks are ephemeral local listeners that native MCP clients (GitHub
- * Copilot, MCP Inspector) tear down on failure — so on an OAuth error we render
- * a self-hosted page for them rather than 302-ing to a dead port. Hosted HTTPS
- * callbacks (claude.ai, Copilot Studio) and custom-scheme app callbacks
- * (`vscode:`, `cursor:`) are live and expect the spec error redirect, so they
- * keep getting it.
- */
-function isLoopbackHttpRedirect(url) {
-    if (url.protocol !== 'http:')
-        return false;
-    const host = url.hostname.toLowerCase();
-    return host === 'localhost' || host === '127.0.0.1' || host === '::1' || host === '[::1]';
-}
-/**
- * Render a self-hosted OAuth error page for `/oauth/callback`. Surfaces the
- * IdP's error to the human (loopback MCP clients usually can't — they close
- * their listener on failure) with an actionable hint for the most common case,
- * `invalid_scope` (authenticated but no granted scopes → an admin must assign an
- * ARC-1 role collection under the user's login IdP). `clientReturnUrl` carries
- * the error + original state for the rare client still listening.
- */
-function renderOAuthErrorPage(error, errorDescription, clientReturnUrl) {
-    const hint = error === 'invalid_scope'
-        ? 'You are signed in, but your user is not granted any ARC-1 scopes. An administrator must assign you an ARC-1 role collection (for example "ARC-1 Admin") under the identity provider you sign in with — see the ARC-1 authorization docs.'
-        : 'Retry the sign-in from your MCP client. If it keeps failing, share this error with your ARC-1 administrator.';
-    const descBlock = errorDescription ? `<p><code>${escapeHtml(errorDescription)}</code></p>` : '';
-    return ('<!doctype html><html><head><meta charset="utf-8"><title>ARC-1 sign-in failed</title></head>' +
-        '<body style="font-family:sans-serif;max-width:42rem;margin:3rem auto;padding:0 1rem;line-height:1.5">' +
-        '<h1>ARC-1 sign-in failed</h1>' +
-        `<p><strong>Error:</strong> <code>${escapeHtml(error)}</code></p>` +
-        descBlock +
-        `<p>${escapeHtml(hint)}</p>` +
-        `<p><a href="${escapeHtml(clientReturnUrl)}">Return to your application</a></p>` +
-        '</body></html>');
-}
-/**
- * Express handler for ARC-1's `/oauth/callback`, the second half of the
- * XSUAA callback proxy that fixes the `+`-in-state bug (issue #214).
- *
- * XSUAA redirects here (not to the client) with an opaque base64url `state`
- * token that ARC-1's `authorize()` minted. We verify + decode it to recover
- * the client's ORIGINAL `redirect_uri` and `state`, then 302 to the client
- * re-emitting the state via `URL.searchParams` — whose serializer encodes a
- * literal `+` as `%2B`, exactly the encoding the client's parser expects.
- *
- * Removal condition + upstream tracking (XSUAA root cause, arc-1#214,
- * vscode#314715) are documented at the top of `oauth-state.ts`.
- *
- * SECURITY (authorization-code interception, security audit 2026-06): the
- * signed state carries the originating DCR `client_id` (`decoded.clientId`).
- * Before forwarding the auth code (or an error) to `decoded.clientRedirectUri`,
- * we verify that redirect_uri is actually registered for that client. The
- * signature alone is insufficient: all DCR clients share one XSUAA app, so a
- * forged-state attack is blocked by the HMAC, but the redirect target must
- * still belong to the client that will exchange the code. For stateless DCR
- * clients (`arc1-…`) the registered redirect_uris are baked immutably into the
- * signed `client_id`, so this check deterministically rejects an attacker who
- * substitutes their own redirect_uri on a victim's `client_id`. For the shared
- * pre-registered XSUAA default client the redirect_uri is checked against the
- * static allowlist (mirrors xs-security.json) instead — `clientStore` makes
- * both decisions via `checkRedirectUri`.
- *
- * Exported for unit tests; mounted in `startHttpServer`. When `clientStore` is
- * omitted (legacy unit tests of the issue-#214 round-trip) the binding check is
- * skipped; production always passes it.
- */
-export function createOAuthCallbackHandler(stateCodec, clientStore) {
-    return async (req, res) => {
-        const stateToken = typeof req.query.state === 'string' ? req.query.state : '';
-        const decoded = stateCodec.decode(stateToken);
-        if (decoded.kind !== 'ok') {
-            logger.warn('OAuth callback: invalid state token', { reason: decoded.reason });
-            // We cannot safely redirect anywhere — the client redirect_uri lives
-            // inside the (unverified) token. Return a terminal error page.
-            res
-                .status(400)
-                .type('html')
-                .send('<!doctype html><html><body style="font-family:sans-serif;padding:2rem">' +
-                '<h1>Authentication failed</h1>' +
-                '<p>The OAuth state token was invalid or expired. Please retry the sign-in from your MCP client.</p>' +
-                '</body></html>');
-            return;
-        }
-        // ── Client-binding validation (authorization-code interception defense) ──
-        // Verify the recovered redirect_uri is an allowed target for the client_id
-        // that minted this state, BEFORE the success or error branches below — so
-        // neither a code nor an error response is ever steered to an unverified URI.
-        // The store decides per client type: a DCR client (`arc1-…`) is checked
-        // against the redirect_uris baked into its signed id; the shared XSUAA
-        // default client is checked against the static allowlist (mirrors
-        // xs-security.json), statelessly. Fails CLOSED on any lookup error.
-        if (clientStore && decoded.clientId) {
-            let verdict;
-            try {
-                verdict = await clientStore.checkRedirectUri(decoded.clientId, decoded.clientRedirectUri);
-            }
-            catch (err) {
-                logger.warn('OAuth callback: redirect_uri check threw — failing closed', {
-                    clientId: decoded.clientId,
-                    error: err instanceof Error ? err.message : String(err),
-                });
-                verdict = 'unknown_client';
-            }
-            if (verdict === 'unknown_client') {
-                logger.warn('OAuth callback: state references unknown client_id', { clientId: decoded.clientId });
-                res
-                    .status(400)
-                    .type('html')
-                    .send('<!doctype html><html><body style="font-family:sans-serif;padding:2rem">' +
-                    '<h1>Authentication failed</h1>' +
-                    '<p>The OAuth client referenced in the state token is no longer valid. Please retry the sign-in.</p>' +
-                    '</body></html>');
-                return;
-            }
-            if (verdict === 'unregistered') {
-                logger.warn('OAuth callback: redirect_uri not allowed for client', {
-                    clientId: decoded.clientId,
-                    redirectUri: decoded.clientRedirectUri,
-                });
-                res
-                    .status(400)
-                    .type('html')
-                    .send('<!doctype html><html><body style="font-family:sans-serif;padding:2rem">' +
-                    '<h1>Authentication failed</h1>' +
-                    '<p>The redirect URI in the state token is not registered for this client. Please retry the sign-in.</p>' +
-                    '</body></html>');
-                return;
-            }
-        }
-        let target;
-        try {
-            target = new URL(decoded.clientRedirectUri);
-        }
-        catch {
-            logger.warn('OAuth callback: stored redirect_uri is not a valid URL');
-            res.status(400).type('html').send('<!doctype html><html><body>Invalid redirect target.</body></html>');
-            return;
-        }
-        // On error there is no auth code. Forward the error to the client per the
-        // OAuth spec — EXCEPT for loopback HTTP callbacks. Native MCP clients
-        // (GitHub Copilot, MCP Inspector, …) tear down their ephemeral localhost
-        // listener the instant the flow fails, so a 302 there lands on a dead port
-        // and the user sees a blank ERR_CONNECTION_REFUSED with no clue why. For
-        // those we render a self-hosted page that surfaces the real reason (e.g.
-        // invalid_scope → missing role collection), with a best-effort link back.
-        // Hosted HTTPS callbacks (claude.ai, Copilot Studio) and custom-scheme app
-        // callbacks (vscode:, cursor:) are live and expect the redirect, so they
-        // keep getting it.
-        const error = typeof req.query.error === 'string' ? req.query.error : undefined;
-        if (error) {
-            const errorDescription = typeof req.query.error_description === 'string' ? req.query.error_description : '';
-            if (decoded.clientState !== undefined)
-                target.searchParams.set('state', decoded.clientState);
-            target.searchParams.set('error', error);
-            if (errorDescription)
-                target.searchParams.set('error_description', errorDescription);
-            const loopback = isLoopbackHttpRedirect(target);
-            logger.warn('OAuth callback: identity provider returned an error', {
-                error,
-                errorDescriptionPreview: errorDescription.slice(0, 200),
-                clientRedirectUriHost: target.host,
-                loopback,
-            });
-            if (loopback) {
-                res
-                    .status(400)
-                    .type('html')
-                    .send(renderOAuthErrorPage(error, errorDescription, target.toString()));
-            }
-            else {
-                res.redirect(302, target.toString());
-            }
-            return;
-        }
-        // Success: forward the authorization code, re-attaching the client's
-        // ORIGINAL state. URLSearchParams serialization encodes `+` as `%2B`, which
-        // is exactly what fixes the round-trip (issue #214).
-        const code = typeof req.query.code === 'string' ? req.query.code : '';
-        target.searchParams.set('code', code);
-        if (decoded.clientState !== undefined) {
-            target.searchParams.set('state', decoded.clientState);
-        }
-        logger.debug('OAuth callback: redirecting to client', {
-            clientRedirectUriHost: target.host,
-            hasState: decoded.clientState !== undefined,
-        });
-        res.redirect(302, target.toString());
-    };
-}
-// ─── API Key Matching Helper ─────────────────────────────────────────
-/**
- * Match a token against configured API keys (multi-key with profiles).
- * Returns the matched entry's profile and scopes, or undefined if no match.
- */
-function matchApiKey(token, config) {
-    // Multi-key: each API key has a named profile that maps to a scope set + partial SafetyConfig
-    if (config.apiKeys) {
-        for (const entry of config.apiKeys) {
-            if (token === entry.key) {
-                const profile = API_KEY_PROFILES[entry.profile];
-                if (!profile) {
-                    // Should have been caught at config parse; defense in depth
-                    return undefined;
-                }
-                const scopes = expandScopes(profile.scopes);
-                return { profile: entry.profile, scopes, clientId: `api-key:${entry.profile}` };
-            }
-        }
+function toApiKeyEntries(config) {
+    if (!config.apiKeys)
+        return [];
+    const entries = [];
+    for (const entry of config.apiKeys) {
+        const profile = API_KEY_PROFILES[entry.profile];
+        if (!profile)
+            continue;
+        entries.push({ key: entry.key, scopes: expandScopes(profile.scopes), clientId: `api-key:${entry.profile}` });
     }
-    return undefined;
+    return entries;
 }
-// ─── JWKS / JWT types (lazy-loaded from jose) ────────────────────────
-let joseModule = null;
-let jwksClient = null;
 // ─── Security Middleware (helmet + opt-in CORS) ──────────────────────
 /**
  * Apply security headers (helmet) and opt-in CORS to an Express app.
@@ -437,8 +231,8 @@ export async function startHttpServer(serverFactory, config, xsuaaCredentials) {
     if (config.xsuaaAuth && xsuaaCredentials) {
         const { mcpAuthRouter } = await import('@modelcontextprotocol/sdk/server/auth/router.js');
         const { requireBearerAuth } = await import('@modelcontextprotocol/sdk/server/auth/middleware/bearerAuth.js');
-        const { createXsuaaOAuthProvider, createChainedTokenVerifier, createXsuaaTokenVerifier } = await import('./xsuaa.js');
-        const { getAppUrl } = await import('../adt/btp.js');
+        const { createXsuaaOAuthProvider, createChainedTokenVerifier, createXsuaaTokenVerifier, createOidcVerifier, createOAuthCallbackHandler, } = await import('@arc-mcp/xsuaa-auth');
+        const { getAppUrl } = await import('./app-url.js');
         // Determine app URL for OAuth metadata
         const appUrl = getAppUrl() ?? `http://${bindHost}:${port}`;
         // Compute the prefix-aware public base once, up front — it's needed both
@@ -453,15 +247,33 @@ export async function startHttpServer(serverFactory, config, xsuaaCredentials) {
         // URL sent to XSUAA as redirect_uri; the Express route is mounted at the root
         // `/oauth/callback` below since the proxy strips the prefix before forwarding.
         const oauthCallbackUrl = `${oauthFullBase}/oauth/callback`;
-        // Create XSUAA provider + chained verifier
+        // Create XSUAA provider + chained verifier.
+        //
+        // The package defaults its client_id prefix + KDF labels to `mcp-*`. ARC-1
+        // MUST override them to the historical `arc1-*` values so client_ids and
+        // OAuth-state tokens minted by previous ARC-1 releases keep validating
+        // (the signing-key derivation folds in the KDF label, and the prefix gates
+        // `getClient`). These three strings are part of ARC-1's on-the-wire
+        // contract — do not change them.
         const { provider, clientStore, stateCodec } = createXsuaaOAuthProvider(xsuaaCredentials, appUrl, {
+            clientIdPrefix: 'arc1-',
+            dcrKdfLabel: 'arc1-dcr/v1',
+            stateKdfLabel: 'arc1-oauth-state/v1',
             dcrTtlSeconds: config.oauthDcrTtlSeconds,
             dcrSigningSecret: config.dcrSigningSecret,
             callbackUrl: oauthCallbackUrl,
+            logger: authLibLogger,
         });
-        const xsuaaVerifier = createXsuaaTokenVerifier(xsuaaCredentials);
-        const oidcVerifier = config.oidcIssuer ? await createOidcVerifier(config) : undefined;
-        const chainedVerifier = createChainedTokenVerifier(config, xsuaaVerifier, oidcVerifier);
+        // Inject ARC-1's scope-expansion policy + logger so the verifier emits the
+        // same expanded AuthInfo.scopes ARC-1 produced before the extraction.
+        const xsuaaVerifier = createXsuaaTokenVerifier(xsuaaCredentials, { expandScopes, logger: authLibLogger });
+        // OIDC verifier comes from the package (hardened: pinned `algorithms`
+        // allowlist, no `sub` in debug logs). `buildPackageOidcVerifier` threads
+        // ARC-1's historical contract (accepted scopes, `expandScopes`, the
+        // `['read']` fallback, clock tolerance). Construction is SYNC — the package
+        // lazy-imports jose + memoizes the JWKS on first verify.
+        const oidcVerifier = config.oidcIssuer ? buildPackageOidcVerifier(config, createOidcVerifier) : undefined;
+        const chainedVerifier = createChainedTokenVerifier({ apiKeys: toApiKeyEntries(config) }, xsuaaVerifier, oidcVerifier, { expandScopes, logger: authLibLogger });
         // Include resourceMetadataUrl so the 401 WWW-Authenticate header contains the PRM URL.
         // Copilot Studio (and other PRM-aware clients) use this to discover the OAuth endpoints.
         const resourceMetadataUrl = `${appUrl}/.well-known/oauth-protected-resource/mcp`;
@@ -583,7 +395,7 @@ export async function startHttpServer(serverFactory, config, xsuaaCredentials) {
         // XSUAA as oauthCallbackUrl. A strip-prefix proxy maps the public path
         // back to this root route. Handler is extracted (exported) so the
         // state-round-trip contract is unit-testable without a live XSUAA.
-        app.get('/oauth/callback', createOAuthCallbackHandler(stateCodec, clientStore));
+        app.get('/oauth/callback', createOAuthCallbackHandler(stateCodec, clientStore, { logger: authLibLogger }));
         // ─── Path-prefix-aware OAuth metadata override ────────────────
         // The MCP SDK's `mcpAuthRouter` builds endpoint URLs with
         // `new URL("/authorize", baseUrl).href`, which strips any path component
@@ -668,9 +480,9 @@ export async function startHttpServer(serverFactory, config, xsuaaCredentials) {
     }
     else {
         // ─── Standard Auth Mode (API key / OIDC) ─────────────────
-        if (config.oidcIssuer) {
-            await initJwks(config.oidcIssuer);
-        }
+        // No JWKS pre-warm needed: the package's OIDC verifier lazy-imports jose and
+        // memoizes the remote JWKS on the first verify (and retries on a transient
+        // discovery failure instead of caching the rejection).
         // Layer 1 on /mcp also applies outside XSUAA mode — API-key / OIDC / no-auth
         // deployments get the same anonymous-probing protection. OAuth endpoints don't
         // exist in non-XSUAA mode so only /mcp needs mounting here.
@@ -681,7 +493,7 @@ export async function startHttpServer(serverFactory, config, xsuaaCredentials) {
             // Use requireBearerAuth so that authInfo is populated on the MCP request context.
             // This enables scope enforcement, per-request safety, and principal propagation.
             const { requireBearerAuth } = await import('@modelcontextprotocol/sdk/server/auth/middleware/bearerAuth.js');
-            const verifier = createStandardVerifier(config);
+            const verifier = await createStandardVerifier(config);
             const bearerAuth = requireBearerAuth({ verifier: { verifyAccessToken: verifier } });
             app.all('/mcp', bearerAuth, mcpHandler);
         }
@@ -725,152 +537,70 @@ export async function startHttpServer(serverFactory, config, xsuaaCredentials) {
         process.exit(1);
     });
 }
-// ─── Standard Mode Verifier ─────────────────────────────────────────
+// ─── OIDC Verifier (package-backed) ─────────────────────────────────
 /**
- * Create a token verifier for standard auth mode (API key + OIDC).
- * Returns AuthInfo so the MCP SDK populates extra.authInfo on the request,
- * enabling scope enforcement, per-request safety, and principal propagation.
+ * ARC-1's recognised scope names — the `acceptedScopes` allowlist threaded into
+ * the package's OIDC verifier so non-ARC-1 claims (e.g. Entra's `User.Read`) are
+ * filtered out, exactly as ARC-1's removed inline `extractOidcScopes` did.
  */
-export function createStandardVerifier(config) {
-    return async (token) => {
-        // Lazy-import SDK error classes so bearerAuth maps them to 401/403
-        const { InvalidTokenError } = await import('@modelcontextprotocol/sdk/server/auth/errors.js');
-        // API key: match against multi-key map or single key
-        const apiKeyMatch = matchApiKey(token, config);
-        if (apiKeyMatch) {
-            // expiresAt is required by requireBearerAuth — use far-future expiry for static keys
-            const ONE_YEAR_SECS = 365 * 24 * 60 * 60;
-            return {
-                token,
-                clientId: apiKeyMatch.clientId,
-                scopes: apiKeyMatch.scopes,
-                expiresAt: Math.floor(Date.now() / 1000) + ONE_YEAR_SECS,
-            };
-        }
-        // OIDC: validate JWT and extract scopes
-        if (config.oidcIssuer) {
-            try {
-                if (!joseModule || !jwksClient) {
-                    await initJwks(config.oidcIssuer);
-                }
-                if (!joseModule || !jwksClient) {
-                    throw new Error('OIDC not initialized — check SAP_OIDC_ISSUER configuration');
-                }
-                const { payload } = await joseModule.jwtVerify(token, jwksClient, {
-                    issuer: config.oidcIssuer,
-                    audience: config.oidcAudience,
-                    requiredClaims: ['exp'],
-                    ...(config.oidcClockTolerance != null ? { clockTolerance: config.oidcClockTolerance } : {}),
-                });
-                logger.debug('Standard OIDC JWT validated', { sub: payload.sub, iss: payload.iss });
-                const scopes = extractOidcScopes(payload);
-                return {
-                    token,
-                    clientId: payload.azp ?? payload.sub ?? 'oidc-user',
-                    scopes,
-                    expiresAt: payload.exp,
-                    extra: { sub: payload.sub, iss: payload.iss },
-                };
-            }
-            catch (err) {
-                // Wrap JWT validation errors as InvalidTokenError so bearerAuth returns 401
-                if (err instanceof InvalidTokenError)
-                    throw err;
-                throw new InvalidTokenError(err.message ?? 'Invalid token');
-            }
-        }
-        throw new InvalidTokenError('Authentication failed: invalid token');
-    };
-}
-// ─── OIDC Verifier Factory ───────────────────────────────────────────
-/**
- * Create an Entra ID / OIDC token verifier using jose.
- * Returns a function compatible with the chained verifier.
- */
-async function createOidcVerifier(config) {
-    await initJwks(config.oidcIssuer);
-    return async (token) => {
-        if (!joseModule || !jwksClient) {
-            throw new Error('OIDC not initialized');
-        }
-        const { payload } = await joseModule.jwtVerify(token, jwksClient, {
-            issuer: config.oidcIssuer,
-            audience: config.oidcAudience,
-            requiredClaims: ['exp'],
-            ...(config.oidcClockTolerance != null ? { clockTolerance: config.oidcClockTolerance } : {}),
-        });
-        logger.debug('OIDC JWT validated', { sub: payload.sub, iss: payload.iss });
-        const scopes = extractOidcScopes(payload);
-        return {
-            token,
-            clientId: payload.azp ?? payload.sub ?? 'oidc-user',
-            scopes,
-            expiresAt: payload.exp,
-            extra: { sub: payload.sub, iss: payload.iss },
-        };
-    };
-}
-// ─── OIDC Scope Extraction ──────────────────────────────────────────
 const KNOWN_SCOPES = ['read', 'write', 'data', 'sql', 'transports', 'git', 'admin'];
 /**
- * Extract scopes from an OIDC JWT payload.
+ * Build the package's OIDC verifier from `ServerConfig`, threading ARC-1's
+ * historical contract so adopting it changes nothing observable except the two
+ * intended hardening wins (pinned `algorithms` allowlist + no `sub` in the debug
+ * log — both live inside the package now):
+ *   - `acceptedScopes = KNOWN_SCOPES` (same filter as the old inline code),
+ *   - `expandScopes` = ARC-1's policy expander (implied scopes: write⊇read, …),
+ *   - `fallbackScopes: ['read']` = ARC-1's legacy default — a verified token with
+ *     no scope claims, OR scope claims none of which are accepted, grants `['read']`
+ *     (the package defaults this to `[]`; ARC-1 opts back into read-only),
+ *   - `scopeClaim` left default (`'scope'`, preferred over `scp`),
+ *   - `clockToleranceSec` only when `config.oidcClockTolerance` is set.
+ *
+ * `config.oidcAudience` is optional in ARC-1 and was historically forwarded to
+ * jose verbatim (jose treats `undefined` as "skip the audience check"); the
+ * package forwards it the same way, so we pass it through unchanged. The package
+ * signature types `audience` as `string`; the cast preserves the
+ * undefined-passthrough without an empty-string audience that would force a
+ * (failing) audience check. `config.oidcIssuer` is asserted non-null — every
+ * call site is gated on `config.oidcIssuer`.
  *
- * Tries `scope` (space-separated string, standard OIDC) then `scp` (array, Azure AD style).
- * Filters to known scopes, applies implied scope expansion, and falls back to read-only
- * when no scope claims are present (safe default for providers that don't emit scopes).
+ * Construction is synchronous: the package lazy-imports jose and memoizes the
+ * remote JWKS on the first verify.
  */
-export function extractOidcScopes(payload) {
-    let rawScopes;
-    // Standard OIDC: space-separated string
-    if (typeof payload.scope === 'string') {
-        rawScopes = payload.scope.split(' ').filter((s) => s.length > 0);
-    }
-    // Azure AD / Entra: `scp` as space-delimited string (delegated tokens) or array (app tokens)
-    else if (typeof payload.scp === 'string') {
-        rawScopes = payload.scp.split(' ').filter((s) => s.length > 0);
-    }
-    else if (Array.isArray(payload.scp)) {
-        rawScopes = payload.scp.filter((s) => typeof s === 'string' && s.length > 0);
-    }
-    // No scope claims at all → read-only (safe default)
-    if (rawScopes === undefined) {
-        logger.warn('OIDC JWT has no scope/scp claims — granting read-only access. ' +
-            'Configure scope claims in your OIDC provider to grant write/data/sql access.');
-        return ['read'];
-    }
-    // Filter to known scopes
-    const filtered = rawScopes.filter((s) => KNOWN_SCOPES.includes(s));
-    // If scopes were present but none are known, grant minimum read access
-    if (filtered.length === 0) {
-        logger.warn('OIDC JWT has scope claims but none match known scopes — granting read-only', { rawScopes });
-        return ['read'];
-    }
-    return expandScopes(filtered);
+function buildPackageOidcVerifier(config, createOidcVerifier) {
+    return createOidcVerifier(config.oidcIssuer, config.oidcAudience, {
+        acceptedScopes: KNOWN_SCOPES,
+        expandScopes,
+        fallbackScopes: ['read'],
+        ...(config.oidcClockTolerance != null ? { clockToleranceSec: config.oidcClockTolerance } : {}),
+        logger: authLibLogger,
+    });
 }
+// ─── Standard Mode Verifier ─────────────────────────────────────────
 /**
- * Initialize JWKS client from OIDC discovery.
+ * Create a token verifier for standard auth mode (API key + OIDC).
+ *
+ * Built entirely from the `@arc-mcp/xsuaa-auth` package's chained verifier
+ * (constant-time api-key compare + hardened OIDC), mirroring how XSUAA mode wires
+ * its chain — minus the XSUAA verifier, which standard mode doesn't have. The
+ * chain order is XSUAA → OIDC → api-key; with no XSUAA verifier that collapses to
+ * OIDC → api-key, which is order-immaterial here (token types are disjoint) and
+ * preserves the previous behavior (api-key matched first only mattered because
+ * the two paths never overlap). Returns `AuthInfo` so the MCP SDK populates
+ * `extra.authInfo` on the request context, enabling scope enforcement,
+ * per-request safety, and principal propagation.
+ *
+ * Async because the package is dynamic-imported (lazy, consistent with the rest
+ * of this module); the returned verifier itself is the package's sync-built
+ * chained verifier.
  */
-async function initJwks(issuer) {
-    if (joseModule && jwksClient)
-        return;
-    try {
-        if (!joseModule) {
-            joseModule = await import('jose');
-        }
-        const jwksUri = new URL('.well-known/openid-configuration', issuer.endsWith('/') ? issuer : `${issuer}/`);
-        const discoveryResp = await fetch(jwksUri.toString());
-        const discovery = (await discoveryResp.json());
-        if (!discovery.jwks_uri) {
-            throw new Error(`No jwks_uri in OIDC discovery response from ${jwksUri}`);
-        }
-        jwksClient = joseModule.createRemoteJWKSet(new URL(discovery.jwks_uri));
-        logger.info('OIDC JWKS initialized', { issuer, jwksUri: discovery.jwks_uri });
-    }
-    catch (err) {
-        logger.error('Failed to initialize OIDC JWKS', {
-            issuer,
-            error: err instanceof Error ? err.message : String(err),
-        });
-    }
+export async function createStandardVerifier(config) {
+    const { createChainedTokenVerifier, createOidcVerifier } = await import('@arc-mcp/xsuaa-auth');
+    const oidcVerifier = config.oidcIssuer ? buildPackageOidcVerifier(config, createOidcVerifier) : undefined;
+    return createChainedTokenVerifier({ apiKeys: toApiKeyEntries(config) }, undefined, oidcVerifier, {
+        expandScopes,
+        logger: authLibLogger,
+    });
 }
 //# sourceMappingURL=http.js.map