db-mcp 1.0.1

package/dist/auth/scopes.js

@@ -0,0 +1,349 @@
+/**
+ * db-mcp - OAuth Scopes
+ *
+ * Scope definitions and enforcement utilities for
+ * granular access control.
+ *
+ * Scope Patterns:
+ *   - read      : Read-only access to all databases
+ *   - write     : Read and write access to all databases
+ *   - admin     : Full administrative access
+ *   - db:{name} : Access to specific database only
+ *   - table:{db}:{table} : Access to specific table only
+ */
+import { TOOL_GROUPS } from "../filtering/ToolFilter.js";
+// =============================================================================
+// Scope Constants
+// =============================================================================
+/**
+ * Base scopes supported by the server
+ */
+export const BASE_SCOPES = ["read", "write", "admin"];
+/**
+ * Scope patterns (regex patterns for validation)
+ */
+export const SCOPE_PATTERNS = {
+    /** Read-only access */
+    READ: "read",
+    /** Read and write access */
+    WRITE: "write",
+    /** Full admin access */
+    ADMIN: "admin",
+    /** Database-specific access pattern */
+    DATABASE: /^db:([a-zA-Z0-9_-]+)$/,
+    /** Table-specific access pattern */
+    TABLE: /^table:([a-zA-Z0-9_-]+):([a-zA-Z0-9_-]+)$/,
+};
+/**
+ * All supported scope patterns for metadata
+ */
+export const SUPPORTED_SCOPES = [
+    "read",
+    "write",
+    "admin",
+    "db:{database}",
+    "table:{database}:{table}",
+];
+// =============================================================================
+// Scope to Tool Group Mapping
+// =============================================================================
+/**
+ * Tool groups accessible with read scope (read-only operations)
+ */
+export const READ_SCOPE_GROUPS = [
+    "core", // read_query, list_tables, describe_table, etc.
+];
+/**
+ * Tool groups accessible with write scope (read + write operations)
+ */
+export const WRITE_SCOPE_GROUPS = [
+    ...READ_SCOPE_GROUPS,
+    "json", // JSON operations
+    "text", // Text processing
+    "stats", // Statistical analysis
+    "vector", // Vector operations
+];
+/**
+ * Tool groups accessible with admin scope (all operations)
+ */
+export const ADMIN_SCOPE_GROUPS = [
+    ...WRITE_SCOPE_GROUPS,
+    "admin", // Administration
+];
+/**
+ * Read-only tools within the core group
+ * (used when scope is 'read' to filter write operations)
+ */
+export const READ_ONLY_TOOLS = new Set([
+    "execute_query", // If used with SELECT only
+    "read_query",
+    "list_tables",
+    "describe_table",
+    "list_schemas",
+    "get_schema",
+    "health_check",
+    "connection_status",
+    "database_stats",
+    "active_queries",
+    "resource_usage",
+    "analyze_query",
+    "explain_query",
+    "query_plan",
+]);
+/**
+ * Write tools that require 'write' scope
+ */
+export const WRITE_TOOLS = new Set([
+    "write_query",
+    "create_table",
+    "drop_table",
+    "json_insert",
+    "json_replace",
+    "json_remove",
+    "json_set",
+    "create_fts_index",
+    "create_vector_index",
+    "create_spatial_index",
+    "create_index",
+    "drop_index",
+    "reindex",
+]);
+/**
+ * Admin tools that require 'admin' scope
+ */
+export const ADMIN_TOOLS = new Set([
+    "vacuum_database",
+    "analyze_tables",
+    "pragma_get",
+    "pragma_set",
+    "extension_list",
+    "extension_install",
+    "optimize",
+    "backup_database",
+    "restore_database",
+    "backup_table",
+    "export_data",
+]);
+// =============================================================================
+// Scope Parsing
+// =============================================================================
+/**
+ * Parse a scope string (space-delimited) into an array
+ */
+export function parseScopes(scopeString) {
+    return scopeString
+        .split(/\s+/)
+        .map((s) => s.trim())
+        .filter((s) => s.length > 0);
+}
+/**
+ * Parse a database-specific scope
+ * @returns The database name or null if not a database scope
+ */
+export function parseDatabaseScope(scope) {
+    const match = SCOPE_PATTERNS.DATABASE.exec(scope);
+    return match?.[1] ?? null;
+}
+/**
+ * Parse a table-specific scope
+ * @returns Object with database and table names, or null if not a table scope
+ */
+export function parseTableScope(scope) {
+    const match = SCOPE_PATTERNS.TABLE.exec(scope);
+    const database = match?.[1];
+    const table = match?.[2];
+    if (database !== undefined && table !== undefined) {
+        return { database, table };
+    }
+    return null;
+}
+// =============================================================================
+// Scope Validation
+// =============================================================================
+/**
+ * Check if a scope is valid (matches known patterns)
+ */
+export function isValidScope(scope) {
+    // Check base scopes
+    if (BASE_SCOPES.includes(scope)) {
+        return true;
+    }
+    // Check database pattern
+    if (SCOPE_PATTERNS.DATABASE.test(scope)) {
+        return true;
+    }
+    // Check table pattern
+    if (SCOPE_PATTERNS.TABLE.test(scope)) {
+        return true;
+    }
+    return false;
+}
+/**
+ * Check if scopes include admin access
+ */
+export function hasAdminScope(scopes) {
+    return scopes.includes("admin");
+}
+/**
+ * Check if scopes include write access
+ */
+export function hasWriteScope(scopes) {
+    return scopes.includes("write") || hasAdminScope(scopes);
+}
+/**
+ * Check if scopes include read access
+ */
+export function hasReadScope(scopes) {
+    return scopes.includes("read") || hasWriteScope(scopes);
+}
+// =============================================================================
+// Scope Enforcement
+// =============================================================================
+/**
+ * Check if a scope grants access to a specific tool
+ */
+export function scopeGrantsToolAccess(scope, toolName) {
+    // Admin scope grants access to all tools
+    if (scope === "admin") {
+        return true;
+    }
+    // Write scope grants access to write tools and below
+    if (scope === "write") {
+        if (ADMIN_TOOLS.has(toolName)) {
+            return false;
+        }
+        return true;
+    }
+    // Read scope only grants read-only tools
+    if (scope === "read") {
+        return READ_ONLY_TOOLS.has(toolName);
+    }
+    // Database/table scopes don't directly affect tool access
+    // They are used for filtering data, not tools
+    return false;
+}
+/**
+ * Check if any of the scopes grants access to a tool
+ */
+export function scopesGrantToolAccess(scopes, toolName) {
+    return scopes.some((scope) => scopeGrantsToolAccess(scope, toolName));
+}
+/**
+ * Check if a scope grants access to a specific database
+ */
+export function scopeGrantsDatabaseAccess(scope, databaseName) {
+    // Admin and write scopes grant access to all databases
+    if (scope === "admin" || scope === "write" || scope === "read") {
+        return true;
+    }
+    // Check database-specific scope
+    const dbName = parseDatabaseScope(scope);
+    if (dbName && dbName === databaseName) {
+        return true;
+    }
+    // Check table scope (grants access to the database of the table)
+    const tableScope = parseTableScope(scope);
+    if (tableScope?.database === databaseName) {
+        return true;
+    }
+    return false;
+}
+/**
+ * Check if any of the scopes grants access to a database
+ */
+export function scopesGrantDatabaseAccess(scopes, databaseName) {
+    return scopes.some((scope) => scopeGrantsDatabaseAccess(scope, databaseName));
+}
+/**
+ * Check if a scope grants access to a specific table
+ */
+export function scopeGrantsTableAccess(scope, databaseName, tableName) {
+    // Admin and write scopes grant access to all tables
+    if (scope === "admin" || scope === "write" || scope === "read") {
+        return true;
+    }
+    // Database scope grants access to all tables in that database
+    const dbName = parseDatabaseScope(scope);
+    if (dbName && dbName === databaseName) {
+        return true;
+    }
+    // Check table-specific scope
+    const tableScope = parseTableScope(scope);
+    if (tableScope?.database === databaseName && tableScope.table === tableName) {
+        return true;
+    }
+    return false;
+}
+/**
+ * Check if any of the scopes grants access to a table
+ */
+export function scopesGrantTableAccess(scopes, databaseName, tableName) {
+    return scopes.some((scope) => scopeGrantsTableAccess(scope, databaseName, tableName));
+}
+// =============================================================================
+// Tool Group Utilities
+// =============================================================================
+/**
+ * Get the required minimum scope for a tool group
+ */
+export function getRequiredScopeForGroup(group) {
+    if (ADMIN_SCOPE_GROUPS.includes(group) &&
+        !WRITE_SCOPE_GROUPS.includes(group)) {
+        return "admin";
+    }
+    if (WRITE_SCOPE_GROUPS.includes(group) &&
+        !READ_SCOPE_GROUPS.includes(group)) {
+        return "write";
+    }
+    return "read";
+}
+/**
+ * Get the required minimum scope for a tool
+ */
+export function getRequiredScopeForTool(toolName) {
+    if (ADMIN_TOOLS.has(toolName)) {
+        return "admin";
+    }
+    if (WRITE_TOOLS.has(toolName)) {
+        return "write";
+    }
+    return "read";
+}
+/**
+ * Get tool groups accessible with given scopes
+ */
+export function getAccessibleToolGroups(scopes) {
+    if (hasAdminScope(scopes)) {
+        return [...ADMIN_SCOPE_GROUPS];
+    }
+    if (hasWriteScope(scopes)) {
+        return [...WRITE_SCOPE_GROUPS];
+    }
+    if (hasReadScope(scopes)) {
+        return [...READ_SCOPE_GROUPS];
+    }
+    return [];
+}
+/**
+ * Get all tools accessible with given scopes
+ */
+export function getAccessibleTools(scopes) {
+    const groups = getAccessibleToolGroups(scopes);
+    const allTools = [];
+    for (const group of groups) {
+        const groupTools = TOOL_GROUPS[group] ?? [];
+        for (const tool of groupTools) {
+            // For read scope, only include read-only tools
+            if (hasReadScope(scopes) && !hasWriteScope(scopes)) {
+                if (READ_ONLY_TOOLS.has(tool)) {
+                    allTools.push(tool);
+                }
+            }
+            else {
+                allTools.push(tool);
+            }
+        }
+    }
+    return [...new Set(allTools)];
+}
+//# sourceMappingURL=scopes.js.map

package/dist/auth/scopes.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"scopes.js","sourceRoot":"","sources":["../../src/auth/scopes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAGH,OAAO,EAAE,WAAW,EAAE,MAAM,4BAA4B,CAAC;AAEzD,gFAAgF;AAChF,kBAAkB;AAClB,gFAAgF;AAEhF;;GAEG;AACH,MAAM,CAAC,MAAM,WAAW,GAAG,CAAC,MAAM,EAAE,OAAO,EAAE,OAAO,CAAU,CAAC;AAE/D;;GAEG;AACH,MAAM,CAAC,MAAM,cAAc,GAAG;IAC5B,uBAAuB;IACvB,IAAI,EAAE,MAAM;IACZ,4BAA4B;IAC5B,KAAK,EAAE,OAAO;IACd,wBAAwB;IACxB,KAAK,EAAE,OAAO;IACd,uCAAuC;IACvC,QAAQ,EAAE,uBAAuB;IACjC,oCAAoC;IACpC,KAAK,EAAE,2CAA2C;CAC1C,CAAC;AAEX;;GAEG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAG;IAC9B,MAAM;IACN,OAAO;IACP,OAAO;IACP,eAAe;IACf,0BAA0B;CAClB,CAAC;AAEX,gFAAgF;AAChF,8BAA8B;AAC9B,gFAAgF;AAEhF;;GAEG;AACH,MAAM,CAAC,MAAM,iBAAiB,GAAgB;IAC5C,MAAM,EAAE,gDAAgD;CACzD,CAAC;AAEF;;GAEG;AACH,MAAM,CAAC,MAAM,kBAAkB,GAAgB;IAC7C,GAAG,iBAAiB;IACpB,MAAM,EAAE,kBAAkB;IAC1B,MAAM,EAAE,kBAAkB;IAC1B,OAAO,EAAE,uBAAuB;IAChC,QAAQ,EAAE,oBAAoB;CAC/B,CAAC;AAEF;;GAEG;AACH,MAAM,CAAC,MAAM,kBAAkB,GAAgB;IAC7C,GAAG,kBAAkB;IACrB,OAAO,EAAE,iBAAiB;CAC3B,CAAC;AAEF;;;GAGG;AACH,MAAM,CAAC,MAAM,eAAe,GAAG,IAAI,GAAG,CAAC;IACrC,eAAe,EAAE,2BAA2B;IAC5C,YAAY;IACZ,aAAa;IACb,gBAAgB;IAChB,cAAc;IACd,YAAY;IACZ,cAAc;IACd,mBAAmB;IACnB,gBAAgB;IAChB,gBAAgB;IAChB,gBAAgB;IAChB,eAAe;IACf,eAAe;IACf,YAAY;CACb,CAAC,CAAC;AAEH;;GAEG;AACH,MAAM,CAAC,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC;IACjC,aAAa;IACb,cAAc;IACd,YAAY;IACZ,aAAa;IACb,cAAc;IACd,aAAa;IACb,UAAU;IACV,kBAAkB;IAClB,qBAAqB;IACrB,sBAAsB;IACtB,cAAc;IACd,YAAY;IACZ,SAAS;CACV,CAAC,CAAC;AAEH;;GAEG;AACH,MAAM,CAAC,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC;IACjC,iBAAiB;IACjB,gBAAgB;IAChB,YAAY;IACZ,YAAY;IACZ,gBAAgB;IAChB,mBAAmB;IACnB,UAAU;IACV,iBAAiB;IACjB,kBAAkB;IAClB,cAAc;IACd,aAAa;CACd,CAAC,CAAC;AAEH,gFAAgF;AAChF,gBAAgB;AAChB,gFAAgF;AAEhF;;GAEG;AACH,MAAM,UAAU,WAAW,CAAC,WAAmB;IAC7C,OAAO,WAAW;SACf,KAAK,CAAC,KAAK,CAAC;SACZ,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;SACpB,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;AACjC,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,kBAAkB,CAAC,KAAa;IAC9C,MAAM,KAAK,GAAG,cAAc,CAAC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAClD,OAAO,KAAK,EAAE,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC;AAC5B,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,eAAe,CAC7B,KAAa;IAEb,MAAM,KAAK,GAAG,cAAc,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC/C,MAAM,QAAQ,GAAG,KAAK,EAAE,CAAC,CAAC,CAAC,CAAC;IAC5B,MAAM,KAAK,GAAG,KAAK,EAAE,CAAC,CAAC,CAAC,CAAC;IACzB,IAAI,QAAQ,KAAK,SAAS,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;QAClD,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC;IAC7B,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,gFAAgF;AAChF,mBAAmB;AACnB,gFAAgF;AAEhF;;GAEG;AACH,MAAM,UAAU,YAAY,CAAC,KAAa;IACxC,oBAAoB;IACpB,IAAK,WAAiC,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;QACvD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,yBAAyB;IACzB,IAAI,cAAc,CAAC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QACxC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,sBAAsB;IACtB,IAAI,cAAc,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QACrC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,aAAa,CAAC,MAAgB;IAC5C,OAAO,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;AAClC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,aAAa,CAAC,MAAgB;IAC5C,OAAO,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,aAAa,CAAC,MAAM,CAAC,CAAC;AAC3D,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,YAAY,CAAC,MAAgB;IAC3C,OAAO,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,aAAa,CAAC,MAAM,CAAC,CAAC;AAC1D,CAAC;AAED,gFAAgF;AAChF,oBAAoB;AACpB,gFAAgF;AAEhF;;GAEG;AACH,MAAM,UAAU,qBAAqB,CACnC,KAAa,EACb,QAAgB;IAEhB,yCAAyC;IACzC,IAAI,KAAK,KAAK,OAAO,EAAE,CAAC;QACtB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,qDAAqD;IACrD,IAAI,KAAK,KAAK,OAAO,EAAE,CAAC;QACtB,IAAI,WAAW,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC9B,OAAO,KAAK,CAAC;QACf,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,yCAAyC;IACzC,IAAI,KAAK,KAAK,MAAM,EAAE,CAAC;QACrB,OAAO,eAAe,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IACvC,CAAC;IAED,0DAA0D;IAC1D,8CAA8C;IAC9C,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,qBAAqB,CACnC,MAAgB,EAChB,QAAgB;IAEhB,OAAO,MAAM,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,qBAAqB,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC,CAAC;AACxE,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,yBAAyB,CACvC,KAAa,EACb,YAAoB;IAEpB,uDAAuD;IACvD,IAAI,KAAK,KAAK,OAAO,IAAI,KAAK,KAAK,OAAO,IAAI,KAAK,KAAK,MAAM,EAAE,CAAC;QAC/D,OAAO,IAAI,CAAC;IACd,CAAC;IAED,gCAAgC;IAChC,MAAM,MAAM,GAAG,kBAAkB,CAAC,KAAK,CAAC,CAAC;IACzC,IAAI,MAAM,IAAI,MAAM,KAAK,YAAY,EAAE,CAAC;QACtC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,iEAAiE;IACjE,MAAM,UAAU,GAAG,eAAe,CAAC,KAAK,CAAC,CAAC;IAC1C,IAAI,UAAU,EAAE,QAAQ,KAAK,YAAY,EAAE,CAAC;QAC1C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,yBAAyB,CACvC,MAAgB,EAChB,YAAoB;IAEpB,OAAO,MAAM,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,yBAAyB,CAAC,KAAK,EAAE,YAAY,CAAC,CAAC,CAAC;AAChF,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,sBAAsB,CACpC,KAAa,EACb,YAAoB,EACpB,SAAiB;IAEjB,oDAAoD;IACpD,IAAI,KAAK,KAAK,OAAO,IAAI,KAAK,KAAK,OAAO,IAAI,KAAK,KAAK,MAAM,EAAE,CAAC;QAC/D,OAAO,IAAI,CAAC;IACd,CAAC;IAED,8DAA8D;IAC9D,MAAM,MAAM,GAAG,kBAAkB,CAAC,KAAK,CAAC,CAAC;IACzC,IAAI,MAAM,IAAI,MAAM,KAAK,YAAY,EAAE,CAAC;QACtC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,6BAA6B;IAC7B,MAAM,UAAU,GAAG,eAAe,CAAC,KAAK,CAAC,CAAC;IAC1C,IAAI,UAAU,EAAE,QAAQ,KAAK,YAAY,IAAI,UAAU,CAAC,KAAK,KAAK,SAAS,EAAE,CAAC;QAC5E,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,sBAAsB,CACpC,MAAgB,EAChB,YAAoB,EACpB,SAAiB;IAEjB,OAAO,MAAM,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAC3B,sBAAsB,CAAC,KAAK,EAAE,YAAY,EAAE,SAAS,CAAC,CACvD,CAAC;AACJ,CAAC;AAED,gFAAgF;AAChF,uBAAuB;AACvB,gFAAgF;AAEhF;;GAEG;AACH,MAAM,UAAU,wBAAwB,CAAC,KAAgB;IACvD,IACE,kBAAkB,CAAC,QAAQ,CAAC,KAAK,CAAC;QAClC,CAAC,kBAAkB,CAAC,QAAQ,CAAC,KAAK,CAAC,EACnC,CAAC;QACD,OAAO,OAAO,CAAC;IACjB,CAAC;IACD,IACE,kBAAkB,CAAC,QAAQ,CAAC,KAAK,CAAC;QAClC,CAAC,iBAAiB,CAAC,QAAQ,CAAC,KAAK,CAAC,EAClC,CAAC;QACD,OAAO,OAAO,CAAC;IACjB,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,uBAAuB,CAAC,QAAgB;IACtD,IAAI,WAAW,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC9B,OAAO,OAAO,CAAC;IACjB,CAAC;IACD,IAAI,WAAW,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC9B,OAAO,OAAO,CAAC;IACjB,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,uBAAuB,CAAC,MAAgB;IACtD,IAAI,aAAa,CAAC,MAAM,CAAC,EAAE,CAAC;QAC1B,OAAO,CAAC,GAAG,kBAAkB,CAAC,CAAC;IACjC,CAAC;IACD,IAAI,aAAa,CAAC,MAAM,CAAC,EAAE,CAAC;QAC1B,OAAO,CAAC,GAAG,kBAAkB,CAAC,CAAC;IACjC,CAAC;IACD,IAAI,YAAY,CAAC,MAAM,CAAC,EAAE,CAAC;QACzB,OAAO,CAAC,GAAG,iBAAiB,CAAC,CAAC;IAChC,CAAC;IACD,OAAO,EAAE,CAAC;AACZ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAAC,MAAgB;IACjD,MAAM,MAAM,GAAG,uBAAuB,CAAC,MAAM,CAAC,CAAC;IAC/C,MAAM,QAAQ,GAAa,EAAE,CAAC;IAE9B,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,MAAM,UAAU,GAAG,WAAW,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;QAC5C,KAAK,MAAM,IAAI,IAAI,UAAU,EAAE,CAAC;YAC9B,+CAA+C;YAC/C,IAAI,YAAY,CAAC,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,EAAE,CAAC;gBACnD,IAAI,eAAe,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;oBAC9B,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBACtB,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACtB,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,CAAC,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC;AAChC,CAAC"}

package/dist/auth/types.d.ts

@@ -0,0 +1,257 @@
+/**
+ * db-mcp - OAuth Types
+ *
+ * Type definitions for OAuth 2.0 components including
+ * RFC 9728, RFC 8414, and RFC 7591 compliance.
+ */
+/**
+ * OAuth 2.0 Protected Resource Metadata (RFC 9728)
+ *
+ * @see https://datatracker.ietf.org/doc/html/rfc9728
+ */
+export interface ProtectedResourceMetadata {
+    /** Resource identifier (canonical URI) */
+    resource: string;
+    /** Authorization servers that can issue tokens for this resource */
+    authorization_servers?: string[];
+    /** JWKS URI for token verification (optional, usually from auth server) */
+    jwks_uri?: string;
+    /** Scopes supported by this resource */
+    scopes_supported?: string[];
+    /** Bearer token presentation methods supported */
+    bearer_methods_supported?: ("header" | "body" | "query")[];
+    /** Resource signing algorithms supported */
+    resource_signing_alg_values_supported?: string[];
+    /** Resource documentation URL */
+    resource_documentation?: string;
+    /** Resource policy URI */
+    resource_policy_uri?: string;
+    /** Resource terms of service URI */
+    resource_tos_uri?: string;
+}
+/**
+ * OAuth 2.0 Authorization Server Metadata (RFC 8414)
+ *
+ * @see https://datatracker.ietf.org/doc/html/rfc8414
+ */
+export interface AuthorizationServerMetadata {
+    /** Authorization server issuer identifier */
+    issuer: string;
+    /** Authorization endpoint URL */
+    authorization_endpoint?: string;
+    /** Token endpoint URL */
+    token_endpoint: string;
+    /** JWKS URI */
+    jwks_uri?: string;
+    /** Registration endpoint (RFC 7591) */
+    registration_endpoint?: string;
+    /** Scopes supported */
+    scopes_supported?: string[];
+    /** Response types supported */
+    response_types_supported?: string[];
+    /** Response modes supported */
+    response_modes_supported?: string[];
+    /** Grant types supported */
+    grant_types_supported?: string[];
+    /** Token endpoint auth methods supported */
+    token_endpoint_auth_methods_supported?: string[];
+    /** Token endpoint auth signing algorithms */
+    token_endpoint_auth_signing_alg_values_supported?: string[];
+    /** Service documentation URL */
+    service_documentation?: string;
+    /** UI locales supported */
+    ui_locales_supported?: string[];
+    /** OP policy URI */
+    op_policy_uri?: string;
+    /** OP terms of service URI */
+    op_tos_uri?: string;
+    /** Revocation endpoint */
+    revocation_endpoint?: string;
+    /** Revocation endpoint auth methods */
+    revocation_endpoint_auth_methods_supported?: string[];
+    /** Introspection endpoint */
+    introspection_endpoint?: string;
+    /** Introspection endpoint auth methods */
+    introspection_endpoint_auth_methods_supported?: string[];
+    /** Code challenge methods supported (PKCE) */
+    code_challenge_methods_supported?: string[];
+}
+/**
+ * OAuth 2.0 Dynamic Client Registration Request (RFC 7591)
+ *
+ * @see https://datatracker.ietf.org/doc/html/rfc7591
+ */
+export interface ClientRegistrationRequest {
+    /** Redirect URIs */
+    redirect_uris?: string[];
+    /** Token endpoint auth method */
+    token_endpoint_auth_method?: string;
+    /** Grant types requested */
+    grant_types?: string[];
+    /** Response types requested */
+    response_types?: string[];
+    /** Client name */
+    client_name?: string;
+    /** Client URI */
+    client_uri?: string;
+    /** Logo URI */
+    logo_uri?: string;
+    /** Scopes requested */
+    scope?: string;
+    /** Contacts */
+    contacts?: string[];
+    /** Terms of service URI */
+    tos_uri?: string;
+    /** Policy URI */
+    policy_uri?: string;
+    /** JWKS URI for client authentication */
+    jwks_uri?: string;
+    /** JWKS document for client authentication */
+    jwks?: JWKSDocument;
+    /** Software ID */
+    software_id?: string;
+    /** Software version */
+    software_version?: string;
+    /** Software statement (signed JWT) */
+    software_statement?: string;
+}
+/**
+ * OAuth 2.0 Dynamic Client Registration Response (RFC 7591)
+ */
+export interface ClientRegistrationResponse {
+    /** Client identifier */
+    client_id: string;
+    /** Client secret (for confidential clients) */
+    client_secret?: string;
+    /** Client secret expiration timestamp */
+    client_secret_expires_at?: number;
+    /** Registration access token */
+    registration_access_token?: string;
+    /** Registration client URI */
+    registration_client_uri?: string;
+    /** Client ID issued at timestamp */
+    client_id_issued_at?: number;
+    /** All other fields from the request */
+    [key: string]: unknown;
+}
+/**
+ * JSON Web Key (JWK)
+ */
+export interface JWK {
+    /** Key type (e.g., 'RSA', 'EC') */
+    kty: string;
+    /** Key use ('sig' for signature, 'enc' for encryption) */
+    use?: string;
+    /** Key operations */
+    key_ops?: string[];
+    /** Algorithm */
+    alg?: string;
+    /** Key ID */
+    kid?: string;
+    /** X.509 URL */
+    x5u?: string;
+    /** X.509 certificate chain */
+    x5c?: string[];
+    /** X.509 certificate SHA-1 thumbprint */
+    x5t?: string;
+    /** X.509 certificate SHA-256 thumbprint */
+    "x5t#S256"?: string;
+    /** RSA modulus */
+    n?: string;
+    /** RSA public exponent */
+    e?: string;
+    /** EC curve */
+    crv?: string;
+    /** EC x coordinate */
+    x?: string;
+    /** EC y coordinate */
+    y?: string;
+}
+/**
+ * JSON Web Key Set (JWKS)
+ */
+export interface JWKSDocument {
+    /** Array of JWK keys */
+    keys: JWK[];
+}
+/**
+ * Result of token validation
+ */
+export interface TokenValidationResult {
+    /** Whether the token is valid */
+    valid: boolean;
+    /** Validated claims (if valid) */
+    claims?: TokenClaims;
+    /** Error message (if invalid) */
+    error?: string;
+    /** Error code (if invalid) */
+    errorCode?: string;
+}
+/**
+ * Validated token claims
+ * Extended from the base TokenClaims in types/index.ts
+ */
+export interface TokenClaims {
+    /** Subject (user ID) */
+    sub: string;
+    /** Granted scopes (parsed from space-delimited string) */
+    scopes: string[];
+    /** Token expiration time (Unix timestamp) */
+    exp: number;
+    /** Token issued at time (Unix timestamp) */
+    iat: number;
+    /** Token issuer */
+    iss?: string | undefined;
+    /** Token audience */
+    aud?: string | string[] | undefined;
+    /** Not before time (Unix timestamp) */
+    nbf?: number | undefined;
+    /** JWT ID */
+    jti?: string | undefined;
+    /** Client ID */
+    client_id?: string | undefined;
+    /** Additional claims */
+    [key: string]: unknown;
+}
+/**
+ * Resource server configuration
+ */
+export interface ResourceServerConfig {
+    /** Resource identifier (canonical server URI) */
+    resource: string;
+    /** Authorization servers that can issue tokens */
+    authorizationServers: string[];
+    /** Scopes supported by this resource */
+    scopesSupported: string[];
+    /** Bearer token methods accepted (default: ['header']) */
+    bearerMethodsSupported?: ("header" | "body" | "query")[];
+}
+/**
+ * Token validator configuration
+ */
+export interface TokenValidatorConfig {
+    /** JWKS URI for key discovery */
+    jwksUri: string;
+    /** Expected issuer */
+    issuer: string;
+    /** Expected audience */
+    audience: string;
+    /** Clock tolerance in seconds (default: 60) */
+    clockTolerance?: number | undefined;
+    /** JWKS cache TTL in seconds (default: 3600) */
+    jwksCacheTtl?: number | undefined;
+    /** Supported algorithms (default: ['RS256', 'RS384', 'RS512', 'ES256', 'ES384', 'ES512']) */
+    algorithms?: string[] | undefined;
+}
+/**
+ * Authorization server discovery configuration
+ */
+export interface AuthServerDiscoveryConfig {
+    /** Authorization server URL (issuer) */
+    authServerUrl: string;
+    /** Cache TTL in seconds (default: 3600) */
+    cacheTtl?: number | undefined;
+    /** Request timeout in milliseconds (default: 5000) */
+    timeout?: number | undefined;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/auth/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/auth/types.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAMH;;;;GAIG;AACH,MAAM,WAAW,yBAAyB;IACxC,0CAA0C;IAC1C,QAAQ,EAAE,MAAM,CAAC;IAEjB,oEAAoE;IACpE,qBAAqB,CAAC,EAAE,MAAM,EAAE,CAAC;IAEjC,2EAA2E;IAC3E,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB,wCAAwC;IACxC,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;IAE5B,kDAAkD;IAClD,wBAAwB,CAAC,EAAE,CAAC,QAAQ,GAAG,MAAM,GAAG,OAAO,CAAC,EAAE,CAAC;IAE3D,4CAA4C;IAC5C,qCAAqC,CAAC,EAAE,MAAM,EAAE,CAAC;IAEjD,iCAAiC;IACjC,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAEhC,0BAA0B;IAC1B,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAE7B,oCAAoC;IACpC,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B;AAMD;;;;GAIG;AACH,MAAM,WAAW,2BAA2B;IAC1C,6CAA6C;IAC7C,MAAM,EAAE,MAAM,CAAC;IAEf,iCAAiC;IACjC,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAEhC,yBAAyB;IACzB,cAAc,EAAE,MAAM,CAAC;IAEvB,eAAe;IACf,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB,uCAAuC;IACvC,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAE/B,uBAAuB;IACvB,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;IAE5B,+BAA+B;IAC/B,wBAAwB,CAAC,EAAE,MAAM,EAAE,CAAC;IAEpC,+BAA+B;IAC/B,wBAAwB,CAAC,EAAE,MAAM,EAAE,CAAC;IAEpC,4BAA4B;IAC5B,qBAAqB,CAAC,EAAE,MAAM,EAAE,CAAC;IAEjC,4CAA4C;IAC5C,qCAAqC,CAAC,EAAE,MAAM,EAAE,CAAC;IAEjD,6CAA6C;IAC7C,gDAAgD,CAAC,EAAE,MAAM,EAAE,CAAC;IAE5D,gCAAgC;IAChC,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAE/B,2BAA2B;IAC3B,oBAAoB,CAAC,EAAE,MAAM,EAAE,CAAC;IAEhC,oBAAoB;IACpB,aAAa,CAAC,EAAE,MAAM,CAAC;IAEvB,8BAA8B;IAC9B,UAAU,CAAC,EAAE,MAAM,CAAC;IAEpB,0BAA0B;IAC1B,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAE7B,uCAAuC;IACvC,0CAA0C,CAAC,EAAE,MAAM,EAAE,CAAC;IAEtD,6BAA6B;IAC7B,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAEhC,0CAA0C;IAC1C,6CAA6C,CAAC,EAAE,MAAM,EAAE,CAAC;IAEzD,8CAA8C;IAC9C,gCAAgC,CAAC,EAAE,MAAM,EAAE,CAAC;CAC7C;AAMD;;;;GAIG;AACH,MAAM,WAAW,yBAAyB;IACxC,oBAAoB;IACpB,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;IAEzB,iCAAiC;IACjC,0BAA0B,CAAC,EAAE,MAAM,CAAC;IAEpC,4BAA4B;IAC5B,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IAEvB,+BAA+B;IAC/B,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAE1B,kBAAkB;IAClB,WAAW,CAAC,EAAE,MAAM,CAAC;IAErB,iBAAiB;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;IAEpB,eAAe;IACf,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB,uBAAuB;IACvB,KAAK,CAAC,EAAE,MAAM,CAAC;IAEf,eAAe;IACf,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IAEpB,2BAA2B;IAC3B,OAAO,CAAC,EAAE,MAAM,CAAC;IAEjB,iBAAiB;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;IAEpB,yCAAyC;IACzC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB,8CAA8C;IAC9C,IAAI,CAAC,EAAE,YAAY,CAAC;IAEpB,kBAAkB;IAClB,WAAW,CAAC,EAAE,MAAM,CAAC;IAErB,uBAAuB;IACvB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAE1B,sCAAsC;IACtC,kBAAkB,CAAC,EAAE,MAAM,CAAC;CAC7B;AAED;;GAEG;AACH,MAAM,WAAW,0BAA0B;IACzC,wBAAwB;IACxB,SAAS,EAAE,MAAM,CAAC;IAElB,+CAA+C;IAC/C,aAAa,CAAC,EAAE,MAAM,CAAC;IAEvB,yCAAyC;IACzC,wBAAwB,CAAC,EAAE,MAAM,CAAC;IAElC,gCAAgC;IAChC,yBAAyB,CAAC,EAAE,MAAM,CAAC;IAEnC,8BAA8B;IAC9B,uBAAuB,CAAC,EAAE,MAAM,CAAC;IAEjC,oCAAoC;IACpC,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAE7B,wCAAwC;IACxC,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAMD;;GAEG;AACH,MAAM,WAAW,GAAG;IAClB,mCAAmC;IACnC,GAAG,EAAE,MAAM,CAAC;IAEZ,0DAA0D;IAC1D,GAAG,CAAC,EAAE,MAAM,CAAC;IAEb,qBAAqB;IACrB,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IAEnB,gBAAgB;IAChB,GAAG,CAAC,EAAE,MAAM,CAAC;IAEb,aAAa;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IAEb,gBAAgB;IAChB,GAAG,CAAC,EAAE,MAAM,CAAC;IAEb,8BAA8B;IAC9B,GAAG,CAAC,EAAE,MAAM,EAAE,CAAC;IAEf,yCAAyC;IACzC,GAAG,CAAC,EAAE,MAAM,CAAC;IAEb,2CAA2C;IAC3C,UAAU,CAAC,EAAE,MAAM,CAAC;IAGpB,kBAAkB;IAClB,CAAC,CAAC,EAAE,MAAM,CAAC;IACX,0BAA0B;IAC1B,CAAC,CAAC,EAAE,MAAM,CAAC;IAGX,eAAe;IACf,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,sBAAsB;IACtB,CAAC,CAAC,EAAE,MAAM,CAAC;IACX,sBAAsB;IACtB,CAAC,CAAC,EAAE,MAAM,CAAC;CACZ;AAED;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,wBAAwB;IACxB,IAAI,EAAE,GAAG,EAAE,CAAC;CACb;AAMD;;GAEG;AACH,MAAM,WAAW,qBAAqB;IACpC,iCAAiC;IACjC,KAAK,EAAE,OAAO,CAAC;IAEf,kCAAkC;IAClC,MAAM,CAAC,EAAE,WAAW,CAAC;IAErB,iCAAiC;IACjC,KAAK,CAAC,EAAE,MAAM,CAAC;IAEf,8BAA8B;IAC9B,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED;;;GAGG;AACH,MAAM,WAAW,WAAW;IAC1B,wBAAwB;IACxB,GAAG,EAAE,MAAM,CAAC;IAEZ,0DAA0D;IAC1D,MAAM,EAAE,MAAM,EAAE,CAAC;IAEjB,6CAA6C;IAC7C,GAAG,EAAE,MAAM,CAAC;IAEZ,4CAA4C;IAC5C,GAAG,EAAE,MAAM,CAAC;IAEZ,mBAAmB;IACnB,GAAG,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IAEzB,qBAAqB;IACrB,GAAG,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,GAAG,SAAS,CAAC;IAEpC,uCAAuC;IACvC,GAAG,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IAEzB,aAAa;IACb,GAAG,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IAEzB,gBAAgB;IAChB,SAAS,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IAE/B,wBAAwB;IACxB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAMD;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,iDAAiD;IACjD,QAAQ,EAAE,MAAM,CAAC;IAEjB,kDAAkD;IAClD,oBAAoB,EAAE,MAAM,EAAE,CAAC;IAE/B,wCAAwC;IACxC,eAAe,EAAE,MAAM,EAAE,CAAC;IAE1B,0DAA0D;IAC1D,sBAAsB,CAAC,EAAE,CAAC,QAAQ,GAAG,MAAM,GAAG,OAAO,CAAC,EAAE,CAAC;CAC1D;AAED;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,iCAAiC;IACjC,OAAO,EAAE,MAAM,CAAC;IAEhB,sBAAsB;IACtB,MAAM,EAAE,MAAM,CAAC;IAEf,wBAAwB;IACxB,QAAQ,EAAE,MAAM,CAAC;IAEjB,+CAA+C;IAC/C,cAAc,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IAEpC,gDAAgD;IAChD,YAAY,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IAElC,6FAA6F;IAC7F,UAAU,CAAC,EAAE,MAAM,EAAE,GAAG,SAAS,CAAC;CACnC;AAED;;GAEG;AACH,MAAM,WAAW,yBAAyB;IACxC,wCAAwC;IACxC,aAAa,EAAE,MAAM,CAAC;IAEtB,2CAA2C;IAC3C,QAAQ,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IAE9B,sDAAsD;IACtD,OAAO,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;CAC9B"}

package/dist/auth/types.js

@@ -0,0 +1,8 @@
+/**
+ * db-mcp - OAuth Types
+ *
+ * Type definitions for OAuth 2.0 components including
+ * RFC 9728, RFC 8414, and RFC 7591 compliance.
+ */
+export {};
+//# sourceMappingURL=types.js.map

package/dist/auth/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/auth/types.ts"],"names":[],"mappings":"AAAA;;;;;GAKG"}

package/dist/cli.d.ts

@@ -0,0 +1,8 @@
+#!/usr/bin/env node
+/**
+ * db-mcp - Command Line Interface
+ *
+ * Entry point for running the db-mcp server from the command line.
+ */
+export {};
+//# sourceMappingURL=cli.d.ts.map

package/dist/cli.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":";AACA;;;;GAIG"}