npm - couchloop-eq-mcp - Versions diffs - 1.0.3 → 1.0.5 - Mend

couchloop-eq-mcp 1.0.3 → 1.0.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (285) hide show

package/README.md +24 -11
package/dist/clients/shrinkChatClient.js +1 -1
package/dist/clients/shrinkChatClient.js.map +1 -1
package/dist/developer/analyzers/bloat-detector.d.ts +89 -0
package/dist/developer/analyzers/bloat-detector.d.ts.map +1 -0
package/dist/developer/analyzers/bloat-detector.js +483 -0
package/dist/developer/analyzers/bloat-detector.js.map +1 -0
package/dist/developer/backup/auto-backup.d.ts +96 -0
package/dist/developer/backup/auto-backup.d.ts.map +1 -0
package/dist/developer/backup/auto-backup.js +346 -0
package/dist/developer/backup/auto-backup.js.map +1 -0
package/dist/developer/blockers/package-blocker.d.ts +33 -0
package/dist/developer/blockers/package-blocker.d.ts.map +1 -0
package/dist/developer/blockers/package-blocker.js +224 -0
package/dist/developer/blockers/package-blocker.js.map +1 -0
package/dist/developer/evaluators/ai-error-preventer.d.ts +54 -0
package/dist/developer/evaluators/ai-error-preventer.d.ts.map +1 -0
package/dist/developer/evaluators/ai-error-preventer.js +270 -0
package/dist/developer/evaluators/ai-error-preventer.js.map +1 -0
package/dist/developer/evaluators/build-context-detector.d.ts +44 -0
package/dist/developer/evaluators/build-context-detector.d.ts.map +1 -0
package/dist/developer/evaluators/build-context-detector.js +258 -0
package/dist/developer/evaluators/build-context-detector.js.map +1 -0
package/dist/developer/evaluators/package-evaluator.d.ts +37 -0
package/dist/developer/evaluators/package-evaluator.d.ts.map +1 -0
package/dist/developer/evaluators/package-evaluator.js +278 -0
package/dist/developer/evaluators/package-evaluator.js.map +1 -0
package/dist/developer/guards/file-guardian.d.ts +79 -0
package/dist/developer/guards/file-guardian.d.ts.map +1 -0
package/dist/developer/guards/file-guardian.js +309 -0
package/dist/developer/guards/file-guardian.js.map +1 -0
package/dist/developer/managers/context-manager.d.ts +61 -0
package/dist/developer/managers/context-manager.d.ts.map +1 -0
package/dist/developer/managers/context-manager.js +302 -0
package/dist/developer/managers/context-manager.js.map +1 -0
package/dist/developer/metrics/complexity-calculator.d.ts +52 -0
package/dist/developer/metrics/complexity-calculator.d.ts.map +1 -0
package/dist/developer/metrics/complexity-calculator.js +259 -0
package/dist/developer/metrics/complexity-calculator.js.map +1 -0
package/dist/developer/reports/review-summary.d.ts +49 -0
package/dist/developer/reports/review-summary.d.ts.map +1 -0
package/dist/developer/reports/review-summary.js +249 -0
package/dist/developer/reports/review-summary.js.map +1 -0
package/dist/developer/scanners/review-assistant.d.ts +41 -0
package/dist/developer/scanners/review-assistant.d.ts.map +1 -0
package/dist/developer/scanners/review-assistant.js +374 -0
package/dist/developer/scanners/review-assistant.js.map +1 -0
package/dist/developer/scanners/secret-scanner.d.ts +66 -0
package/dist/developer/scanners/secret-scanner.d.ts.map +1 -0
package/dist/developer/scanners/secret-scanner.js +287 -0
package/dist/developer/scanners/secret-scanner.js.map +1 -0
package/dist/developer/scanners/sql-injection-detector.d.ts +54 -0
package/dist/developer/scanners/sql-injection-detector.d.ts.map +1 -0
package/dist/developer/scanners/sql-injection-detector.js +174 -0
package/dist/developer/scanners/sql-injection-detector.js.map +1 -0
package/dist/developer/scanners/xss-detector.d.ts +60 -0
package/dist/developer/scanners/xss-detector.d.ts.map +1 -0
package/dist/developer/scanners/xss-detector.js +229 -0
package/dist/developer/scanners/xss-detector.js.map +1 -0
package/dist/developer/types/ai-errors.d.ts +34 -0
package/dist/developer/types/ai-errors.d.ts.map +1 -0
package/dist/developer/types/ai-errors.js +271 -0
package/dist/developer/types/ai-errors.js.map +1 -0
package/dist/developer/types/package.d.ts +32 -0
package/dist/developer/types/package.d.ts.map +1 -0
package/dist/developer/types/package.js +5 -0
package/dist/developer/types/package.js.map +1 -0
package/dist/developer/updaters/dependency-updater.d.ts +102 -0
package/dist/developer/updaters/dependency-updater.d.ts.map +1 -0
package/dist/developer/updaters/dependency-updater.js +472 -0
package/dist/developer/updaters/dependency-updater.js.map +1 -0
package/dist/developer/validators/cargo.d.ts +14 -0
package/dist/developer/validators/cargo.d.ts.map +1 -0
package/dist/developer/validators/cargo.js +132 -0
package/dist/developer/validators/cargo.js.map +1 -0
package/dist/developer/validators/gem.d.ts +14 -0
package/dist/developer/validators/gem.d.ts.map +1 -0
package/dist/developer/validators/gem.js +85 -0
package/dist/developer/validators/gem.js.map +1 -0
package/dist/developer/validators/go.d.ts +14 -0
package/dist/developer/validators/go.d.ts.map +1 -0
package/dist/developer/validators/go.js +138 -0
package/dist/developer/validators/go.js.map +1 -0
package/dist/developer/validators/maven.d.ts +14 -0
package/dist/developer/validators/maven.d.ts.map +1 -0
package/dist/developer/validators/maven.js +99 -0
package/dist/developer/validators/maven.js.map +1 -0
package/dist/developer/validators/npm.d.ts +14 -0
package/dist/developer/validators/npm.d.ts.map +1 -0
package/dist/developer/validators/npm.js +96 -0
package/dist/developer/validators/npm.js.map +1 -0
package/dist/developer/validators/nuget.d.ts +15 -0
package/dist/developer/validators/nuget.d.ts.map +1 -0
package/dist/developer/validators/nuget.js +107 -0
package/dist/developer/validators/nuget.js.map +1 -0
package/dist/developer/validators/pypi.d.ts +14 -0
package/dist/developer/validators/pypi.d.ts.map +1 -0
package/dist/developer/validators/pypi.js +118 -0
package/dist/developer/validators/pypi.js.map +1 -0
package/dist/developer/validators/registry-manager.d.ts +37 -0
package/dist/developer/validators/registry-manager.d.ts.map +1 -0
package/dist/developer/validators/registry-manager.js +89 -0
package/dist/developer/validators/registry-manager.js.map +1 -0
package/dist/developer/validators/version-checker.d.ts +145 -0
package/dist/developer/validators/version-checker.d.ts.map +1 -0
package/dist/developer/validators/version-checker.js +529 -0
package/dist/developer/validators/version-checker.js.map +1 -0
package/dist/server/index.js.map +1 -1
package/dist/server/middleware/auth.d.ts +7 -9
package/dist/server/middleware/auth.d.ts.map +1 -1
package/dist/server/middleware/auth.js.map +1 -1
package/dist/tools/check-versions.d.ts +100 -0
package/dist/tools/check-versions.d.ts.map +1 -0
package/dist/tools/check-versions.js +328 -0
package/dist/tools/check-versions.js.map +1 -0
package/dist/tools/detect-code-smell.d.ts +9 -0
package/dist/tools/detect-code-smell.d.ts.map +1 -0
package/dist/tools/detect-code-smell.js +231 -0
package/dist/tools/detect-code-smell.js.map +1 -0
package/dist/tools/index.d.ts +471 -0
package/dist/tools/index.d.ts.map +1 -1
package/dist/tools/index.js +178 -0
package/dist/tools/index.js.map +1 -1
package/dist/tools/journey.js +1 -1
package/dist/tools/journey.js.map +1 -1
package/dist/tools/pre-review-code.d.ts +71 -0
package/dist/tools/pre-review-code.d.ts.map +1 -0
package/dist/tools/pre-review-code.js +159 -0
package/dist/tools/pre-review-code.js.map +1 -0
package/dist/tools/preserve-context.d.ts +27 -0
package/dist/tools/preserve-context.d.ts.map +1 -0
package/dist/tools/preserve-context.js +98 -0
package/dist/tools/preserve-context.js.map +1 -0
package/dist/tools/protect-files.d.ts +224 -0
package/dist/tools/protect-files.d.ts.map +1 -0
package/dist/tools/protect-files.js +286 -0
package/dist/tools/protect-files.js.map +1 -0
package/dist/tools/scan-security.d.ts +38 -0
package/dist/tools/scan-security.d.ts.map +1 -0
package/dist/tools/scan-security.js +237 -0
package/dist/tools/scan-security.js.map +1 -0
package/dist/tools/validate_packages.d.ts +8 -0
package/dist/tools/validate_packages.d.ts.map +1 -0
package/dist/tools/validate_packages.js +159 -0
package/dist/tools/validate_packages.js.map +1 -0
package/dist/types/auth.d.ts +18 -18
package/dist/types/auth.d.ts.map +1 -1
package/dist/types/auth.js +91 -36
package/dist/types/auth.js.map +1 -1
package/dist/types/context.d.ts +46 -0
package/dist/types/context.d.ts.map +1 -0
package/dist/types/context.js +17 -0
package/dist/types/context.js.map +1 -0
package/dist/types/file-protection.d.ts +50 -0
package/dist/types/file-protection.d.ts.map +1 -0
package/dist/types/file-protection.js +9 -0
package/dist/types/file-protection.js.map +1 -0
package/dist/utils/errorHandler.d.ts.map +1 -1
package/dist/utils/errorHandler.js +2 -1
package/dist/utils/errorHandler.js.map +1 -1
package/package.json +23 -2
package/dist/db/migrate.d.ts +0 -4
package/dist/db/migrate.d.ts.map +0 -1
package/dist/db/migrate.js +0 -34
package/dist/db/migrate.js.map +0 -1
package/dist/db/migrations/schema.d.ts +0 -1074
package/dist/db/migrations/schema.d.ts.map +0 -1
package/dist/db/migrations/schema.js +0 -160
package/dist/db/migrations/schema.js.map +0 -1
package/dist/db/schema.d.ts +0 -1576
package/dist/db/schema.d.ts.map +0 -1
package/dist/db/schema.js +0 -204
package/dist/db/schema.js.map +0 -1
package/dist/db/seed.d.ts +0 -4
package/dist/db/seed.d.ts.map +0 -1
package/dist/db/seed.js +0 -57
package/dist/db/seed.js.map +0 -1
package/dist/db/seedOAuth.d.ts +0 -4
package/dist/db/seedOAuth.d.ts.map +0 -1
package/dist/db/seedOAuth.js +0 -76
package/dist/db/seedOAuth.js.map +0 -1
package/dist/governance/config.d.ts +0 -66
package/dist/governance/config.d.ts.map +0 -1
package/dist/governance/config.js +0 -238
package/dist/governance/config.js.map +0 -1
package/dist/governance/detectors/hallucination.d.ts +0 -61
package/dist/governance/detectors/hallucination.d.ts.map +0 -1
package/dist/governance/detectors/hallucination.js +0 -338
package/dist/governance/detectors/hallucination.js.map +0 -1
package/dist/governance/detectors/inconsistency.d.ts +0 -99
package/dist/governance/detectors/inconsistency.d.ts.map +0 -1
package/dist/governance/detectors/inconsistency.js +0 -548
package/dist/governance/detectors/inconsistency.js.map +0 -1
package/dist/governance/detectors/toneDrift.d.ts +0 -63
package/dist/governance/detectors/toneDrift.d.ts.map +0 -1
package/dist/governance/detectors/toneDrift.js +0 -421
package/dist/governance/detectors/toneDrift.js.map +0 -1
package/dist/governance/detectors/unsafeReasoning.d.ts +0 -54
package/dist/governance/detectors/unsafeReasoning.d.ts.map +0 -1
package/dist/governance/detectors/unsafeReasoning.js +0 -473
package/dist/governance/detectors/unsafeReasoning.js.map +0 -1
package/dist/governance/evaluationEngine.d.ts +0 -112
package/dist/governance/evaluationEngine.d.ts.map +0 -1
package/dist/governance/evaluationEngine.js +0 -265
package/dist/governance/evaluationEngine.js.map +0 -1
package/dist/governance/intervention.d.ts +0 -81
package/dist/governance/intervention.d.ts.map +0 -1
package/dist/governance/intervention.js +0 -405
package/dist/governance/intervention.js.map +0 -1
package/dist/server/oauth/anomalyDetection.d.ts +0 -146
package/dist/server/oauth/anomalyDetection.d.ts.map +0 -1
package/dist/server/oauth/anomalyDetection.js +0 -405
package/dist/server/oauth/anomalyDetection.js.map +0 -1
package/dist/server/oauth/authServer.d.ts +0 -61
package/dist/server/oauth/authServer.d.ts.map +0 -1
package/dist/server/oauth/authServer.js +0 -283
package/dist/server/oauth/authServer.js.map +0 -1
package/dist/server/oauth/dpop.d.ts +0 -135
package/dist/server/oauth/dpop.d.ts.map +0 -1
package/dist/server/oauth/dpop.js +0 -338
package/dist/server/oauth/dpop.js.map +0 -1
package/dist/server/oauth/gdpr/consent.d.ts +0 -173
package/dist/server/oauth/gdpr/consent.d.ts.map +0 -1
package/dist/server/oauth/gdpr/consent.js +0 -388
package/dist/server/oauth/gdpr/consent.js.map +0 -1
package/dist/server/oauth/gdpr/dataPortability.d.ts +0 -214
package/dist/server/oauth/gdpr/dataPortability.d.ts.map +0 -1
package/dist/server/oauth/gdpr/dataPortability.js +0 -486
package/dist/server/oauth/gdpr/dataPortability.js.map +0 -1
package/dist/server/oauth/gdpr/index.d.ts +0 -103
package/dist/server/oauth/gdpr/index.d.ts.map +0 -1
package/dist/server/oauth/gdpr/index.js +0 -273
package/dist/server/oauth/gdpr/index.js.map +0 -1
package/dist/server/oauth/gdpr/rightToErasure.d.ts +0 -184
package/dist/server/oauth/gdpr/rightToErasure.d.ts.map +0 -1
package/dist/server/oauth/gdpr/rightToErasure.js +0 -527
package/dist/server/oauth/gdpr/rightToErasure.js.map +0 -1
package/dist/server/oauth/monitoring/securityMonitor.d.ts +0 -218
package/dist/server/oauth/monitoring/securityMonitor.d.ts.map +0 -1
package/dist/server/oauth/monitoring/securityMonitor.js +0 -615
package/dist/server/oauth/monitoring/securityMonitor.js.map +0 -1
package/dist/server/oauth/pkce.d.ts +0 -61
package/dist/server/oauth/pkce.d.ts.map +0 -1
package/dist/server/oauth/pkce.js +0 -157
package/dist/server/oauth/pkce.js.map +0 -1
package/dist/server/oauth/providers/base.d.ts +0 -147
package/dist/server/oauth/providers/base.d.ts.map +0 -1
package/dist/server/oauth/providers/base.js +0 -312
package/dist/server/oauth/providers/base.js.map +0 -1
package/dist/server/oauth/providers/github.d.ts +0 -55
package/dist/server/oauth/providers/github.d.ts.map +0 -1
package/dist/server/oauth/providers/github.js +0 -225
package/dist/server/oauth/providers/github.js.map +0 -1
package/dist/server/oauth/providers/google.d.ts +0 -49
package/dist/server/oauth/providers/google.d.ts.map +0 -1
package/dist/server/oauth/providers/google.js +0 -153
package/dist/server/oauth/providers/google.js.map +0 -1
package/dist/server/oauth/providers/index.d.ts +0 -9
package/dist/server/oauth/providers/index.d.ts.map +0 -1
package/dist/server/oauth/providers/index.js +0 -24
package/dist/server/oauth/providers/index.js.map +0 -1
package/dist/server/oauth/refreshTokenRotation.d.ts +0 -114
package/dist/server/oauth/refreshTokenRotation.d.ts.map +0 -1
package/dist/server/oauth/refreshTokenRotation.js +0 -344
package/dist/server/oauth/refreshTokenRotation.js.map +0 -1
package/dist/server/oauth/security.d.ts +0 -101
package/dist/server/oauth/security.d.ts.map +0 -1
package/dist/server/oauth/security.js +0 -268
package/dist/server/oauth/security.js.map +0 -1
package/dist/server/oauth/tokenEncryption.d.ts +0 -80
package/dist/server/oauth/tokenEncryption.d.ts.map +0 -1
package/dist/server/oauth/tokenEncryption.js +0 -218
package/dist/server/oauth/tokenEncryption.js.map +0 -1
package/dist/tools/sendMessage-complex-backup.d.ts +0 -6
package/dist/tools/sendMessage-complex-backup.d.ts.map +0 -1
package/dist/tools/sendMessage-complex-backup.js +0 -545
package/dist/tools/sendMessage-complex-backup.js.map +0 -1
package/dist/tools/sendMessage-revised.d.ts +0 -11
package/dist/tools/sendMessage-revised.d.ts.map +0 -1
package/dist/tools/sendMessage-revised.js +0 -429
package/dist/tools/sendMessage-revised.js.map +0 -1
package/dist/tools/sendMessage-truly-simple.d.ts +0 -8
package/dist/tools/sendMessage-truly-simple.d.ts.map +0 -1
package/dist/tools/sendMessage-truly-simple.js +0 -299
package/dist/tools/sendMessage-truly-simple.js.map +0 -1

package/dist/server/oauth/providers/google.d.ts.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"file":"google.d.ts","sourceRoot":"","sources":["../../../../src/server/oauth/providers/google.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,QAAQ,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AAGnF;;;GAGG;AACH,qBAAa,mBAAoB,SAAQ,aAAa;IACpD,QAAQ,CAAC,IAAI,YAAY;IACzB,QAAQ,CAAC,gBAAgB,kDAAkD;IAC3E,QAAQ,CAAC,QAAQ,yCAAyC;IAC1D,QAAQ,CAAC,WAAW,mDAAmD;IACvE,QAAQ,CAAC,SAAS,0CAA0C;IAC5D,QAAQ,CAAC,OAAO,gDAAgD;gBAEpD,MAAM,EAAE,cAAc;IAsBlC;;OAEG;IACH,SAAS,CAAC,gBAAgB,IAAI,MAAM,EAAE;IAWtC;;OAEG;IACH,SAAS,CAAC,iBAAiB,IAAI,MAAM;IAIrC;;OAEG;IACH,SAAS,CAAC,iBAAiB,CAAC,IAAI,EAAE,GAAG,GAAG,QAAQ;IAahD;;OAEG;IACH,SAAS,CAAC,qBAAqB,CAAC,MAAM,EAAE,aAAa,GAAG,IAAI;IAe5D;;;OAGG;IACG,mBAAmB,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC;IASjE;;OAEG;IACG,kBAAkB,CACtB,WAAW,EAAE,MAAM,EACnB,OAAO,EAAE,UAAU,GAAG,OAAO,GAAG,OAAO,GACtC,OAAO,CAAC,OAAO,CAAC;IAoBnB;;;OAGG;IACG,WAAW,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,CAAC,EAAE,cAAc,GAAG,eAAe,GAAG,OAAO,CAAC,IAAI,CAAC;IAyB7F;;OAEG;IACH,SAAS,CAAC,mBAAmB,CAAC,KAAK,EAAE,GAAG,GAAG,KAAK;CAYjD"}

package/dist/server/oauth/providers/google.js DELETED Viewed

@@ -1,153 +0,0 @@
-import { OAuthProvider } from './base.js';
-import { logger } from '../../../utils/logger.js';
-/**
- * Google OAuth 2.0 Provider
- * Implements Google Sign-In with OpenID Connect
- */
-export class GoogleOAuthProvider extends OAuthProvider {
-    name = 'google';
-    authorizationUrl = 'https://accounts.google.com/o/oauth2/v2/auth';
-    tokenUrl = 'https://oauth2.googleapis.com/token';
-    userInfoUrl = 'https://www.googleapis.com/oauth2/v2/userinfo';
-    revokeUrl = 'https://oauth2.googleapis.com/revoke';
-    jwksUrl = 'https://www.googleapis.com/oauth2/v3/certs';
-    constructor(config) {
-        super(config);
-        // Set Google-specific defaults
-        if (!this.config.scopes || this.config.scopes.length === 0) {
-            this.config.scopes = this.getDefaultScopes();
-        }
-        // Google-specific additional parameters
-        if (!this.config.additionalParams) {
-            this.config.additionalParams = {};
-        }
-        // Request refresh token
-        this.config.additionalParams.access_type = 'offline';
-        // Force approval prompt for refresh token on first auth
-        if (process.env.GOOGLE_FORCE_APPROVAL === 'true') {
-            this.config.additionalParams.prompt = 'consent';
-        }
-    }
-    /**
-     * Get default scopes for Google
-     */
-    getDefaultScopes() {
-        return [
-            'openid',
-            'email',
-            'profile',
-            // Add additional scopes as needed
-            // 'https://www.googleapis.com/auth/calendar.readonly',
-            // 'https://www.googleapis.com/auth/drive.file',
-        ];
-    }
-    /**
-     * Get expected issuer for Google
-     */
-    getExpectedIssuer() {
-        return 'https://accounts.google.com';
-    }
-    /**
-     * Normalize Google user info to common format
-     */
-    normalizeUserInfo(data) {
-        return {
-            id: data.id || data.sub,
-            email: data.email,
-            email_verified: data.email_verified || data.verified_email,
-            name: data.name,
-            picture: data.picture,
-            locale: data.locale,
-            provider: this.name,
-            raw: data,
-        };
-    }
-    /**
-     * Additional Google-specific ID token validation
-     */
-    validateIdTokenClaims(claims) {
-        super.validateIdTokenClaims(claims);
-        // Google-specific: Check HD claim for G Suite domains
-        const allowedDomain = process.env.GOOGLE_ALLOWED_DOMAIN;
-        if (allowedDomain && claims.hd !== allowedDomain) {
-            throw new Error(`User not from allowed domain: ${allowedDomain}`);
-        }
-        // Verify email is verified for Google accounts
-        if (claims.email && !claims.email_verified) {
-            throw new Error('Email not verified');
-        }
-    }
-    /**
-     * Google-specific user info enrichment
-     * Can fetch additional profile data if needed
-     */
-    async getEnrichedUserInfo(accessToken) {
-        const baseInfo = await this.getUserInfo(accessToken);
-        // Could fetch additional Google APIs data here
-        // For example: Google+ profile, Calendar info, etc.
-        return baseInfo;
-    }
-    /**
-     * Check if user has specific Google service access
-     */
-    async checkServiceAccess(accessToken, service) {
-        const serviceUrls = {
-            calendar: 'https://www.googleapis.com/calendar/v3/users/me/settings',
-            drive: 'https://www.googleapis.com/drive/v3/about',
-            gmail: 'https://www.googleapis.com/gmail/v1/users/me/profile',
-        };
-        try {
-            const response = await fetch(serviceUrls[service], {
-                headers: {
-                    'Authorization': `Bearer ${accessToken}`,
-                },
-            });
-            return response.ok;
-        }
-        catch {
-            return false;
-        }
-    }
-    /**
-     * Revoke Google tokens
-     * Google supports revoking both access and refresh tokens
-     */
-    async revokeToken(token, tokenType) {
-        // Google revokes all tokens associated with the grant
-        const params = new URLSearchParams({ token });
-        try {
-            const response = await fetch(this.revokeUrl, {
-                method: 'POST',
-                headers: {
-                    'Content-Type': 'application/x-www-form-urlencoded',
-                },
-                body: params.toString(),
-            });
-            if (response.ok) {
-                logger.info('Successfully revoked Google tokens');
-            }
-            else {
-                const error = await response.text();
-                logger.error(`Failed to revoke Google token: ${error}`);
-            }
-        }
-        catch (error) {
-            logger.error('Error revoking Google token:', error);
-            throw error;
-        }
-    }
-    /**
-     * Handle Google-specific errors
-     */
-    handleProviderError(error) {
-        // Handle Google-specific error codes
-        if (error.error === 'invalid_grant') {
-            throw new Error('Authorization code has been used or is invalid');
-        }
-        if (error.error === 'access_denied') {
-            throw new Error('User denied access to Google account');
-        }
-        throw error;
-    }
-}
-//# sourceMappingURL=google.js.map

package/dist/server/oauth/providers/google.js.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"file":"google.js","sourceRoot":"","sources":["../../../../src/server/oauth/providers/google.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAA2C,MAAM,WAAW,CAAC;AACnF,OAAO,EAAE,MAAM,EAAE,MAAM,0BAA0B,CAAC;AAElD;;;GAGG;AACH,MAAM,OAAO,mBAAoB,SAAQ,aAAa;IAC3C,IAAI,GAAG,QAAQ,CAAC;IAChB,gBAAgB,GAAG,8CAA8C,CAAC;IAClE,QAAQ,GAAG,qCAAqC,CAAC;IACjD,WAAW,GAAG,+CAA+C,CAAC;IAC9D,SAAS,GAAG,sCAAsC,CAAC;IACnD,OAAO,GAAG,4CAA4C,CAAC;IAEhE,YAAY,MAAsB;QAChC,KAAK,CAAC,MAAM,CAAC,CAAC;QAEd,+BAA+B;QAC/B,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC3D,IAAI,CAAC,MAAM,CAAC,MAAM,GAAG,IAAI,CAAC,gBAAgB,EAAE,CAAC;QAC/C,CAAC;QAED,wCAAwC;QACxC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,gBAAgB,EAAE,CAAC;YAClC,IAAI,CAAC,MAAM,CAAC,gBAAgB,GAAG,EAAE,CAAC;QACpC,CAAC;QAED,wBAAwB;QACxB,IAAI,CAAC,MAAM,CAAC,gBAAgB,CAAC,WAAW,GAAG,SAAS,CAAC;QAErD,wDAAwD;QACxD,IAAI,OAAO,CAAC,GAAG,CAAC,qBAAqB,KAAK,MAAM,EAAE,CAAC;YACjD,IAAI,CAAC,MAAM,CAAC,gBAAgB,CAAC,MAAM,GAAG,SAAS,CAAC;QAClD,CAAC;IACH,CAAC;IAED;;OAEG;IACO,gBAAgB;QACxB,OAAO;YACL,QAAQ;YACR,OAAO;YACP,SAAS;YACT,kCAAkC;YAClC,uDAAuD;YACvD,gDAAgD;SACjD,CAAC;IACJ,CAAC;IAED;;OAEG;IACO,iBAAiB;QACzB,OAAO,6BAA6B,CAAC;IACvC,CAAC;IAED;;OAEG;IACO,iBAAiB,CAAC,IAAS;QACnC,OAAO;YACL,EAAE,EAAE,IAAI,CAAC,EAAE,IAAI,IAAI,CAAC,GAAG;YACvB,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,cAAc,EAAE,IAAI,CAAC,cAAc,IAAI,IAAI,CAAC,cAAc;YAC1D,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,QAAQ,EAAE,IAAI,CAAC,IAAI;YACnB,GAAG,EAAE,IAAI;SACV,CAAC;IACJ,CAAC;IAED;;OAEG;IACO,qBAAqB,CAAC,MAAqB;QACnD,KAAK,CAAC,qBAAqB,CAAC,MAAM,CAAC,CAAC;QAEpC,sDAAsD;QACtD,MAAM,aAAa,GAAG,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC;QACxD,IAAI,aAAa,IAAI,MAAM,CAAC,EAAE,KAAK,aAAa,EAAE,CAAC;YACjD,MAAM,IAAI,KAAK,CAAC,iCAAiC,aAAa,EAAE,CAAC,CAAC;QACpE,CAAC;QAED,+CAA+C;QAC/C,IAAI,MAAM,CAAC,KAAK,IAAI,CAAC,MAAM,CAAC,cAAc,EAAE,CAAC;YAC3C,MAAM,IAAI,KAAK,CAAC,oBAAoB,CAAC,CAAC;QACxC,CAAC;IACH,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,mBAAmB,CAAC,WAAmB;QAC3C,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,WAAW,CAAC,CAAC;QAErD,+CAA+C;QAC/C,oDAAoD;QAEpD,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,kBAAkB,CACtB,WAAmB,EACnB,OAAuC;QAEvC,MAAM,WAAW,GAAG;YAClB,QAAQ,EAAE,0DAA0D;YACpE,KAAK,EAAE,2CAA2C;YAClD,KAAK,EAAE,sDAAsD;SAC9D,CAAC;QAEF,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,WAAW,CAAC,OAAO,CAAC,EAAE;gBACjD,OAAO,EAAE;oBACP,eAAe,EAAE,UAAU,WAAW,EAAE;iBACzC;aACF,CAAC,CAAC;YAEH,OAAO,QAAQ,CAAC,EAAE,CAAC;QACrB,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,WAAW,CAAC,KAAa,EAAE,SAA4C;QAC3E,sDAAsD;QACtD,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC;QAE9C,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,SAAU,EAAE;gBAC5C,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE;oBACP,cAAc,EAAE,mCAAmC;iBACpD;gBACD,IAAI,EAAE,MAAM,CAAC,QAAQ,EAAE;aACxB,CAAC,CAAC;YAEH,IAAI,QAAQ,CAAC,EAAE,EAAE,CAAC;gBAChB,MAAM,CAAC,IAAI,CAAC,oCAAoC,CAAC,CAAC;YACpD,CAAC;iBAAM,CAAC;gBACN,MAAM,KAAK,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;gBACpC,MAAM,CAAC,KAAK,CAAC,kCAAkC,KAAK,EAAE,CAAC,CAAC;YAC1D,CAAC;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,CAAC,KAAK,CAAC,8BAA8B,EAAE,KAAK,CAAC,CAAC;YACpD,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAED;;OAEG;IACO,mBAAmB,CAAC,KAAU;QACtC,qCAAqC;QACrC,IAAI,KAAK,CAAC,KAAK,KAAK,eAAe,EAAE,CAAC;YACpC,MAAM,IAAI,KAAK,CAAC,gDAAgD,CAAC,CAAC;QACpE,CAAC;QAED,IAAI,KAAK,CAAC,KAAK,KAAK,eAAe,EAAE,CAAC;YACpC,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;QAC1D,CAAC;QAED,MAAM,KAAK,CAAC;IACd,CAAC;CACF"}

package/dist/server/oauth/providers/index.d.ts DELETED Viewed

@@ -1,9 +0,0 @@
-/**
- * Register all available OAuth providers
- */
-export declare function registerProviders(): void;
-export { ProviderFactory } from './base.js';
-export { GoogleOAuthProvider } from './google.js';
-export { GitHubOAuthProvider } from './github.js';
-export type { OAuthProvider, TokenResponse, UserInfo, IdTokenClaims, ProviderConfig, } from './base.js';
-//# sourceMappingURL=index.d.ts.map

package/dist/server/oauth/providers/index.d.ts.map DELETED Viewed

	@@ -1 +0,0 @@
1	- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/server/oauth/providers/index.ts"],"names":[],"mappings":"AAKA;;GAEG;AACH,wBAAgB,iBAAiB,IAAI,IAAI,CAYxC;AAMD,OAAO,EAAE,eAAe,EAAE,MAAM,WAAW,CAAC;AAC5C,OAAO,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AAClD,OAAO,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AAClD,YAAY,EACV,aAAa,EACb,aAAa,EACb,QAAQ,EACR,aAAa,EACb,cAAc,GACf,MAAM,WAAW,CAAC"}

package/dist/server/oauth/providers/index.js DELETED Viewed

@@ -1,24 +0,0 @@
-import { ProviderFactory } from './base.js';
-import { GoogleOAuthProvider } from './google.js';
-import { GitHubOAuthProvider } from './github.js';
-import { logger } from '../../../utils/logger.js';
-/**
- * Register all available OAuth providers
- */
-export function registerProviders() {
-    // Register Google
-    ProviderFactory.register('google', GoogleOAuthProvider);
-    // Register GitHub
-    ProviderFactory.register('github', GitHubOAuthProvider);
-    // Additional providers can be registered here
-    // ProviderFactory.register('microsoft', MicrosoftOAuthProvider);
-    // ProviderFactory.register('apple', AppleOAuthProvider);
-    logger.info(`Registered ${ProviderFactory.getProviders().length} OAuth providers`);
-}
-// Auto-register on module load
-registerProviders();
-// Export all providers and factory
-export { ProviderFactory } from './base.js';
-export { GoogleOAuthProvider } from './google.js';
-export { GitHubOAuthProvider } from './github.js';
-//# sourceMappingURL=index.js.map

package/dist/server/oauth/providers/index.js.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../src/server/oauth/providers/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,WAAW,CAAC;AAC5C,OAAO,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AAClD,OAAO,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AAClD,OAAO,EAAE,MAAM,EAAE,MAAM,0BAA0B,CAAC;AAElD;;GAEG;AACH,MAAM,UAAU,iBAAiB;IAC/B,kBAAkB;IAClB,eAAe,CAAC,QAAQ,CAAC,QAAQ,EAAE,mBAAmB,CAAC,CAAC;IAExD,kBAAkB;IAClB,eAAe,CAAC,QAAQ,CAAC,QAAQ,EAAE,mBAAmB,CAAC,CAAC;IAExD,8CAA8C;IAC9C,iEAAiE;IACjE,yDAAyD;IAEzD,MAAM,CAAC,IAAI,CAAC,cAAc,eAAe,CAAC,YAAY,EAAE,CAAC,MAAM,kBAAkB,CAAC,CAAC;AACrF,CAAC;AAED,+BAA+B;AAC/B,iBAAiB,EAAE,CAAC;AAEpB,mCAAmC;AACnC,OAAO,EAAE,eAAe,EAAE,MAAM,WAAW,CAAC;AAC5C,OAAO,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AAClD,OAAO,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC"}

package/dist/server/oauth/refreshTokenRotation.d.ts DELETED Viewed

@@ -1,114 +0,0 @@
-/**
- * Token family for tracking refresh token lineage
- */
-export interface TokenFamily {
-    familyId: string;
-    currentTokenHash: string;
-    previousTokenHashes: string[];
-    userId: string;
-    clientId: string;
-    createdAt: Date;
-    lastRotated: Date;
-    rotationCount: number;
-    metadata?: {
-        ipAddress?: string;
-        userAgent?: string;
-        deviceId?: string;
-    };
-}
-/**
- * Token rotation result
- */
-export interface TokenRotationResult {
-    accessToken: string;
-    refreshToken: string;
-    expiresIn: number;
-    tokenType: 'Bearer';
-}
-/**
- * Security event types for monitoring
- */
-export declare enum SecurityEvent {
-    TOKEN_ROTATED = "token_rotated",
-    TOKEN_REUSE_DETECTED = "token_reuse_detected",
-    TOKEN_FAMILY_REVOKED = "family_revoked",
-    SUSPICIOUS_ROTATION = "suspicious_rotation"
-}
-/**
- * Refresh Token Manager with rotation support
- * Implements automatic token rotation and reuse detection
- */
-export declare class RefreshTokenManager {
-    private tokenFamilies;
-    private readonly ACCESS_TOKEN_TTL;
-    private readonly REFRESH_TOKEN_TTL;
-    private readonly MAX_ROTATION_COUNT;
-    private readonly REUSE_DETECTION_WINDOW;
-    /**
-     * Generate a new token family for initial authentication
-     */
-    createTokenFamily(userId: string, clientId: string, metadata?: TokenFamily['metadata']): Promise<TokenRotationResult>;
-    /**
-     * Rotate refresh token
-     * Detects and prevents token reuse attacks
-     */
-    rotateRefreshToken(oldRefreshToken: string, metadata?: TokenFamily['metadata']): Promise<TokenRotationResult>;
-    /**
-     * Check if token has been reused
-     * Allows small grace period for legitimate retries
-     */
-    private isTokenReused;
-    /**
-     * Handle token reuse detection
-     * Revokes entire token family as a security measure
-     */
-    private handleTokenReuse;
-    /**
-     * Revoke an entire token family
-     * Used when token reuse or other attacks are detected
-     */
-    revokeTokenFamily(familyId: string): Promise<void>;
-    /**
-     * Revoke all tokens for a user
-     * Used in case of account compromise
-     */
-    revokeAllUserTokens(userId: string): Promise<void>;
-    /**
-     * Find token family by refresh token hash
-     */
-    private findTokenFamily;
-    /**
-     * Detect suspicious rotation patterns
-     */
-    private detectSuspiciousRotation;
-    /**
-     * Generate new refresh token
-     */
-    private generateRefreshToken;
-    /**
-     * Generate new access token (JWT)
-     */
-    private generateAccessToken;
-    /**
-     * Persist token family to database
-     */
-    private persistTokenFamily;
-    /**
-     * Update token family in database
-     */
-    private updateTokenFamily;
-    /**
-     * Log security event
-     */
-    private logSecurityEvent;
-    /**
-     * Notify security team of critical events
-     */
-    private notifySecurityTeam;
-    /**
-     * Clean up expired token families
-     */
-    cleanupExpiredFamilies(): Promise<void>;
-}
-export declare const refreshTokenManager: RefreshTokenManager;
-//# sourceMappingURL=refreshTokenRotation.d.ts.map

package/dist/server/oauth/refreshTokenRotation.d.ts.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"file":"refreshTokenRotation.d.ts","sourceRoot":"","sources":["../../../src/server/oauth/refreshTokenRotation.ts"],"names":[],"mappings":"AAQA;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,QAAQ,EAAE,MAAM,CAAC;IACjB,gBAAgB,EAAE,MAAM,CAAC;IACzB,mBAAmB,EAAE,MAAM,EAAE,CAAC;IAC9B,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,IAAI,CAAC;IAChB,WAAW,EAAE,IAAI,CAAC;IAClB,aAAa,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,EAAE;QACT,SAAS,CAAC,EAAE,MAAM,CAAC;QACnB,SAAS,CAAC,EAAE,MAAM,CAAC;QACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;KACnB,CAAC;CACH;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,QAAQ,CAAC;CACrB;AAED;;GAEG;AACH,oBAAY,aAAa;IACvB,aAAa,kBAAkB;IAC/B,oBAAoB,yBAAyB;IAC7C,oBAAoB,mBAAmB;IACvC,mBAAmB,wBAAwB;CAC5C;AAED;;;GAGG;AACH,qBAAa,mBAAmB;IAC9B,OAAO,CAAC,aAAa,CAAkC;IACvD,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAmD;IACpF,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAAwD;IAC1F,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAAO;IAC1C,OAAO,CAAC,QAAQ,CAAC,sBAAsB,CAAQ;IAE/C;;OAEG;IACG,iBAAiB,CACrB,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,MAAM,EAChB,QAAQ,CAAC,EAAE,WAAW,CAAC,UAAU,CAAC,GACjC,OAAO,CAAC,mBAAmB,CAAC;IAkC/B;;;OAGG;IACG,kBAAkB,CACtB,eAAe,EAAE,MAAM,EACvB,QAAQ,CAAC,EAAE,WAAW,CAAC,UAAU,CAAC,GACjC,OAAO,CAAC,mBAAmB,CAAC;IAiE/B;;;OAGG;YACW,aAAa;IAoB3B;;;OAGG;YACW,gBAAgB;IAM9B;;;OAGG;IACG,iBAAiB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAwBxD;;;OAGG;IACG,mBAAmB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAqBxD;;OAEG;YACW,eAAe;IAsD7B;;OAEG;IACH,OAAO,CAAC,wBAAwB;IA2BhC;;OAEG;IACH,OAAO,CAAC,oBAAoB;IAI5B;;OAEG;YACW,mBAAmB;IAajC;;OAEG;YACW,kBAAkB;IAuBhC;;OAEG;YACW,iBAAiB;IAqB/B;;OAEG;YACW,gBAAgB;IAQ9B;;OAEG;YACW,kBAAkB;IAKhC;;OAEG;IACG,sBAAsB,IAAI,OAAO,CAAC,IAAI,CAAC;CAkB9C;AAGD,eAAO,MAAM,mBAAmB,qBAA4B,CAAC"}

package/dist/server/oauth/refreshTokenRotation.js DELETED Viewed

@@ -1,344 +0,0 @@
-import { randomBytes } from 'crypto';
-import { logger } from '../../utils/logger.js';
-import { getDb } from '../../db/client.js';
-import { oauthTokens } from '../../db/schema.js';
-import { eq, and, isNull } from 'drizzle-orm';
-import { tokenEncryption } from './tokenEncryption.js';
-import jwt from 'jsonwebtoken';
-/**
- * Security event types for monitoring
- */
-export var SecurityEvent;
-(function (SecurityEvent) {
-    SecurityEvent["TOKEN_ROTATED"] = "token_rotated";
-    SecurityEvent["TOKEN_REUSE_DETECTED"] = "token_reuse_detected";
-    SecurityEvent["TOKEN_FAMILY_REVOKED"] = "family_revoked";
-    SecurityEvent["SUSPICIOUS_ROTATION"] = "suspicious_rotation";
-})(SecurityEvent || (SecurityEvent = {}));
-/**
- * Refresh Token Manager with rotation support
- * Implements automatic token rotation and reuse detection
- */
-export class RefreshTokenManager {
-    tokenFamilies = new Map();
-    ACCESS_TOKEN_TTL = parseInt(process.env.ACCESS_TOKEN_TTL || '900'); // 15 minutes
-    REFRESH_TOKEN_TTL = parseInt(process.env.REFRESH_TOKEN_TTL || '2592000'); // 30 days
-    MAX_ROTATION_COUNT = 100; // Prevent infinite rotation
-    REUSE_DETECTION_WINDOW = 2000; // 2 seconds grace period
-    /**
-     * Generate a new token family for initial authentication
-     */
-    async createTokenFamily(userId, clientId, metadata) {
-        const familyId = randomBytes(16).toString('base64url');
-        const refreshToken = this.generateRefreshToken();
-        const refreshTokenHash = tokenEncryption.hashToken(refreshToken);
-        const family = {
-            familyId,
-            currentTokenHash: refreshTokenHash,
-            previousTokenHashes: [],
-            userId,
-            clientId,
-            createdAt: new Date(),
-            lastRotated: new Date(),
-            rotationCount: 0,
-            metadata,
-        };
-        // Store family in memory and database
-        this.tokenFamilies.set(familyId, family);
-        await this.persistTokenFamily(family, refreshToken);
-        // Generate access token
-        const accessToken = await this.generateAccessToken(userId, clientId);
-        logger.info(`Created new token family ${familyId} for user ${userId}`);
-        return {
-            accessToken,
-            refreshToken,
-            expiresIn: this.ACCESS_TOKEN_TTL,
-            tokenType: 'Bearer',
-        };
-    }
-    /**
-     * Rotate refresh token
-     * Detects and prevents token reuse attacks
-     */
-    async rotateRefreshToken(oldRefreshToken, metadata) {
-        const oldTokenHash = tokenEncryption.hashToken(oldRefreshToken);
-        // Find token family
-        const family = await this.findTokenFamily(oldTokenHash);
-        if (!family) {
-            logger.error('Refresh token not found - possible attack');
-            throw new Error('Invalid refresh token');
-        }
-        // Check for token reuse (replay attack)
-        if (await this.isTokenReused(family, oldTokenHash)) {
-            logger.error(`Token reuse detected for family ${family.familyId}`);
-            await this.handleTokenReuse(family);
-            throw new Error('Token reuse detected - all tokens revoked');
-        }
-        // Check rotation count to prevent infinite rotation
-        if (family.rotationCount >= this.MAX_ROTATION_COUNT) {
-            logger.warn(`Max rotation count reached for family ${family.familyId}`);
-            await this.revokeTokenFamily(family.familyId);
-            throw new Error('Maximum token rotations exceeded');
-        }
-        // Check for suspicious rotation patterns
-        if (this.detectSuspiciousRotation(family, metadata)) {
-            logger.warn(`Suspicious rotation pattern detected for family ${family.familyId}`);
-            await this.logSecurityEvent(SecurityEvent.SUSPICIOUS_ROTATION, family);
-        }
-        // Generate new tokens
-        const newRefreshToken = this.generateRefreshToken();
-        const newRefreshTokenHash = tokenEncryption.hashToken(newRefreshToken);
-        const newAccessToken = await this.generateAccessToken(family.userId, family.clientId);
-        // Update token family
-        family.previousTokenHashes.push(family.currentTokenHash);
-        family.currentTokenHash = newRefreshTokenHash;
-        family.lastRotated = new Date();
-        family.rotationCount++;
-        // Limit history to prevent memory bloat (keep last 10)
-        if (family.previousTokenHashes.length > 10) {
-            family.previousTokenHashes = family.previousTokenHashes.slice(-10);
-        }
-        // Update metadata if provided
-        if (metadata) {
-            family.metadata = { ...family.metadata, ...metadata };
-        }
-        // Persist changes
-        await this.updateTokenFamily(family, newRefreshToken, oldRefreshToken);
-        logger.info(`Rotated refresh token for family ${family.familyId}, rotation #${family.rotationCount}`);
-        return {
-            accessToken: newAccessToken,
-            refreshToken: newRefreshToken,
-            expiresIn: this.ACCESS_TOKEN_TTL,
-            tokenType: 'Bearer',
-        };
-    }
-    /**
-     * Check if token has been reused
-     * Allows small grace period for legitimate retries
-     */
-    async isTokenReused(family, tokenHash) {
-        // Current token is valid
-        if (tokenHash === family.currentTokenHash) {
-            return false;
-        }
-        // Check if it's a recently rotated token (within grace period)
-        const timeSinceRotation = Date.now() - family.lastRotated.getTime();
-        if (timeSinceRotation < this.REUSE_DETECTION_WINDOW) {
-            const lastPrevious = family.previousTokenHashes[family.previousTokenHashes.length - 1];
-            if (tokenHash === lastPrevious) {
-                logger.debug('Token use within grace period, allowing');
-                return false;
-            }
-        }
-        // Check if it's an old token (definite reuse)
-        return family.previousTokenHashes.includes(tokenHash);
-    }
-    /**
-     * Handle token reuse detection
-     * Revokes entire token family as a security measure
-     */
-    async handleTokenReuse(family) {
-        await this.logSecurityEvent(SecurityEvent.TOKEN_REUSE_DETECTED, family);
-        await this.revokeTokenFamily(family.familyId);
-        await this.notifySecurityTeam(family);
-    }
-    /**
-     * Revoke an entire token family
-     * Used when token reuse or other attacks are detected
-     */
-    async revokeTokenFamily(familyId) {
-        const family = this.tokenFamilies.get(familyId);
-        if (!family) {
-            return;
-        }
-        const db = getDb();
-        // Mark all tokens in family as revoked
-        await db.update(oauthTokens)
-            .set({
-            revokedAt: new Date(),
-            revocationReason: 'family_revoked',
-        })
-            .where(eq(oauthTokens.tokenFamilyId, familyId));
-        // Remove from memory
-        this.tokenFamilies.delete(familyId);
-        logger.info(`Revoked token family ${familyId} for user ${family.userId}`);
-        await this.logSecurityEvent(SecurityEvent.TOKEN_FAMILY_REVOKED, family);
-    }
-    /**
-     * Revoke all tokens for a user
-     * Used in case of account compromise
-     */
-    async revokeAllUserTokens(userId) {
-        const db = getDb();
-        // Revoke all tokens
-        await db.update(oauthTokens)
-            .set({
-            revokedAt: new Date(),
-            revocationReason: 'user_revoked_all',
-        })
-            .where(eq(oauthTokens.userId, userId));
-        // Remove from memory
-        for (const [familyId, family] of this.tokenFamilies.entries()) {
-            if (family.userId === userId) {
-                this.tokenFamilies.delete(familyId);
-            }
-        }
-        logger.info(`Revoked all tokens for user ${userId}`);
-    }
-    /**
-     * Find token family by refresh token hash
-     */
-    async findTokenFamily(tokenHash) {
-        // Check memory cache first
-        for (const family of this.tokenFamilies.values()) {
-            if (family.currentTokenHash === tokenHash ||
-                family.previousTokenHashes.includes(tokenHash)) {
-                return family;
-            }
-        }
-        // Check database
-        const db = getDb();
-        const result = await db.select()
-            .from(oauthTokens)
-            .where(and(eq(oauthTokens.refreshTokenHash, tokenHash), isNull(oauthTokens.revokedAt)))
-            .limit(1);
-        if (result.length === 0) {
-            return null;
-        }
-        // Reconstruct family from database
-        const token = result[0];
-        // Handle nullable fields
-        if (!token || !token.tokenFamilyId || !token.refreshTokenHash || !token.clientId) {
-            return null;
-        }
-        const family = {
-            familyId: token.tokenFamilyId,
-            currentTokenHash: token.refreshTokenHash,
-            previousTokenHashes: [], // Would need separate table for full history
-            userId: token.userId,
-            clientId: token.clientId,
-            createdAt: token.createdAt,
-            lastRotated: token.createdAt,
-            rotationCount: 0,
-            metadata: {
-                ipAddress: token.ipAddress || undefined,
-                userAgent: token.userAgent || undefined,
-            },
-        };
-        // Cache in memory
-        this.tokenFamilies.set(family.familyId, family);
-        return family;
-    }
-    /**
-     * Detect suspicious rotation patterns
-     */
-    detectSuspiciousRotation(family, newMetadata) {
-        // Rapid rotation (more than once per minute)
-        const timeSinceLastRotation = Date.now() - family.lastRotated.getTime();
-        if (timeSinceLastRotation < 60000) {
-            return true;
-        }
-        // Different IP address
-        if (newMetadata?.ipAddress &&
-            family.metadata?.ipAddress &&
-            newMetadata.ipAddress !== family.metadata.ipAddress) {
-            return true;
-        }
-        // Different device
-        if (newMetadata?.deviceId &&
-            family.metadata?.deviceId &&
-            newMetadata.deviceId !== family.metadata.deviceId) {
-            return true;
-        }
-        return false;
-    }
-    /**
-     * Generate new refresh token
-     */
-    generateRefreshToken() {
-        return randomBytes(32).toString('base64url');
-    }
-    /**
-     * Generate new access token (JWT)
-     */
-    async generateAccessToken(userId, clientId) {
-        const payload = {
-            sub: userId,
-            client_id: clientId,
-            token_type: 'access',
-            iat: Math.floor(Date.now() / 1000),
-            exp: Math.floor(Date.now() / 1000) + this.ACCESS_TOKEN_TTL,
-        };
-        const secret = process.env.JWT_SECRET || 'dev-secret-change-in-production';
-        return jwt.sign(payload, secret, { algorithm: 'HS256' });
-    }
-    /**
-     * Persist token family to database
-     */
-    async persistTokenFamily(family, refreshToken) {
-        const db = getDb();
-        const encryptedToken = await tokenEncryption.encryptToken(refreshToken);
-        await db.insert(oauthTokens)
-            .values({
-            userId: family.userId,
-            clientId: family.clientId,
-            tokenFamilyId: family.familyId,
-            refreshTokenHash: family.currentTokenHash,
-            refreshTokenEncrypted: encryptedToken.encrypted,
-            accessTokenHash: '', // Will be set separately
-            accessTokenEncrypted: '', // Will be set separately
-            scope: 'default',
-            expiresAt: new Date(Date.now() + this.REFRESH_TOKEN_TTL * 1000),
-            ipAddress: family.metadata?.ipAddress,
-            userAgent: family.metadata?.userAgent,
-        });
-    }
-    /**
-     * Update token family in database
-     */
-    async updateTokenFamily(family, newRefreshToken, oldRefreshToken) {
-        const db = getDb();
-        const encryptedToken = await tokenEncryption.encryptToken(newRefreshToken);
-        const oldTokenHash = tokenEncryption.hashToken(oldRefreshToken);
-        // Mark old token as rotated
-        await db.update(oauthTokens)
-            .set({
-            revokedAt: new Date(),
-            revocationReason: 'rotated',
-        })
-            .where(eq(oauthTokens.refreshTokenHash, oldTokenHash));
-        // Insert new token
-        await this.persistTokenFamily(family, newRefreshToken);
-    }
-    /**
-     * Log security event
-     */
-    async logSecurityEvent(event, family) {
-        logger.warn(`Security event: ${event} for family ${family.familyId}, user ${family.userId}`);
-        // TODO: Log to audit table
-    }
-    /**
-     * Notify security team of critical events
-     */
-    async notifySecurityTeam(family) {
-        // TODO: Send alert to security team
-        logger.error(`SECURITY ALERT: Token reuse detected for user ${family.userId}`);
-    }
-    /**
-     * Clean up expired token families
-     */
-    async cleanupExpiredFamilies() {
-        const db = getDb();
-        const expiredDate = new Date(Date.now() - this.REFRESH_TOKEN_TTL * 1000);
-        await db.update(oauthTokens)
-            .set({
-            revokedAt: new Date(),
-            revocationReason: 'expired',
-        })
-            .where(and(eq(oauthTokens.revokedAt, null), eq(oauthTokens.expiresAt, expiredDate)));
-        logger.debug('Cleaned up expired token families');
-    }
-}
-// Export singleton instance
-export const refreshTokenManager = new RefreshTokenManager();
-//# sourceMappingURL=refreshTokenRotation.js.map