fa-mcp-sdk 0.3.16 → 0.3.18

package/cli-template/FA-MCP-SDK-DOC/04-authentication.md

@@ -104,20 +104,52 @@ if (authError) {
 
 ### Custom Authentication
 
+`customAuthValidator` runs **before** standard auth (`Authorization` header check).
+
+**Execution order:**
+1. `customAuthValidator` is called first
+2. If `success: true` → request is allowed, standard auth is **skipped**
+3. If `success: false` → falls through to standard auth (`permanentServerTokens` / `basic` / `jwtToken`)
+4. If standard auth also fails → 401
+
+This allows using service-specific credentials (e.g. `x-api-key`, `x-service-token`) as an alternative
+to the MCP `Authorization` header, without disabling standard auth entirely.
+
 ```typescript
 import { CustomAuthValidator, AuthResult } from 'fa-mcp-sdk';
 
+// Example: bypass MCP auth if service-specific header is present
 const customValidator: CustomAuthValidator = async (req): Promise<AuthResult> => {
   const apiKey = req.headers['x-api-key'];
-  const valid = await validateApiKey(apiKey);
-
-  if (valid) return { success: true, authType: 'custom', username: 'api-user' };
-  return { success: false, error: 'Invalid API key' };
+  if (apiKey && await validateApiKey(apiKey)) {
+    return { success: true, authType: 'custom', username: 'api-user' };
+  }
+  // Return false → falls through to standard Authorization header check
+  return { success: false, error: 'No valid API key' };
 };
 
 const serverData: McpServerData = { ..., customAuthValidator: customValidator };
 ```
 
+**Example: allow requests with upstream service headers to bypass MCP auth**
+
+```typescript
+// Clients that pass x-service-token OR x-username+x-password are allowed in
+// without an MCP Authorization token. Clients without these headers still
+// need a valid Authorization header (permanentToken / basic / JWT).
+const serviceHeadersValidator: CustomAuthValidator = (req) => {
+  const h = req.headers as Record<string, string>;
+  if (h['x-service-token'] || (h['x-username'] && h['x-password'])) {
+    return { success: true, authType: 'custom' };
+  }
+  return { success: false, error: 'No service credentials and no MCP Authorization token' };
+};
+```
+
+> **Note:** `customAuthValidator` receives a request with **normalized** (lowercased) header names.
+> `authInfo` is **not** set on `req` when the validator runs — it is set by the middleware only after
+> successful authentication completes.
+
 ## AD Group Checking
 
 ### Configuration
@@ -144,6 +176,47 @@ const isAdmin = await isUserInGroup('john.doe', 'Admins');
 groupChecker.clearCache();  // Clear if needed
 ```
 
+## JWT IP Restriction
+
+When `webServer.auth.jwtToken.isCheckIP` is `true`, JWT tokens can include an `ip` field in their payload to restrict which client IPs may use the token.
+
+### Configuration
+
+```yaml
+# config/default.yaml
+webServer:
+  auth:
+    jwtToken:
+      isCheckIP: true  # Enable IP checking
+```
+
+### Token Generation
+
+When generating a token (via admin UI or `generateToken()`), include the `ip` field in the payload:
+
+```typescript
+const token = generateToken('john_doe', 3600, {
+  service: 'my-mcp-server',
+  ip: '192.168.1.100, 10.0.0.0/24',
+});
+```
+
+The `ip` field is a string of IP addresses and/or CIDR masks, separated by commas, semicolons, or spaces.
+
+In the admin UI (`/admin`), there is a dedicated "Allowed IP addresses" field for entering these values.
+
+### Behavior
+
+| `isCheckIP` | `payload.ip` | Client IP | Result |
+|-------------|-------------|-----------|--------|
+| `false` | any | any | IP not checked |
+| `true` | empty/missing | any | IP not checked (pass-through) |
+| `true` | `10.0.0.0/24` | `10.0.0.5` | Allowed |
+| `true` | `10.0.0.0/24` | `192.168.1.1` | Denied |
+| `true` | `192.168.1.1, 10.0.0.0/8` | `10.5.5.5` | Allowed (covered by /8) |
+
+Supported formats: IPv4, IPv6, CIDR notation (e.g., `10.0.0.0/24`, `fe80::/10`), IPv4-mapped IPv6 (`::ffff:192.168.1.1`).
+
 ## Client Examples
 
 ```bash

package/cli-template/FA-MCP-SDK-DOC/05-ad-authorization.md

@@ -56,33 +56,46 @@ groupAccess:
 
 ## Example 1: HTTP Level Restriction
 
-Block unauthorized users at HTTP level (403 before MCP processing):
+Block unauthorized users at HTTP level (403 before MCP processing).
+
+> **Important:** `customAuthValidator` runs **before** standard auth and before `authInfo` is set on
+> the request. It cannot read `(req as any).authInfo` — that value is populated by the middleware
+> only after successful authentication. Use `httpComponents.apiRouter` to add a post-auth middleware
+> if you need to check group membership after the user has been authenticated.
 
 ```typescript
 // src/start.ts
-import { appConfig, initMcpServer, CustomAuthValidator, initADGroupChecker } from 'fa-mcp-sdk';
+import { Router } from 'express';
+import { appConfig, initMcpServer, getMultiAuthError, initADGroupChecker } from 'fa-mcp-sdk';
 import { CustomAppConfig } from './_types_/custom-config.js';
 
 const config = appConfig as CustomAppConfig;
 const { isUserInGroup } = initADGroupChecker();
 
-const customAuthValidator: CustomAuthValidator = async (req) => {
-  const authInfo = (req as any).authInfo;
-  if (!authInfo?.username) return { success: false, error: 'User info unavailable' };
+// Post-auth AD group check: runs after standard auth has verified the token
+// and set authInfo on the request.
+const groupCheckRouter = Router();
+groupCheckRouter.use(async (req, res, next) => {
+  // Verify standard auth first (sets authInfo on req)
+  const authError = await getMultiAuthError(req);
+  if (authError) return res.status(authError.code).send(authError.message);
 
-  if (config.groupAccess.bypassGroupCheck) {
-    return { success: true, authType: authInfo.authType, username: authInfo.username };
-  }
+  if (config.groupAccess.bypassGroupCheck) return next();
 
-  const isInGroup = await isUserInGroup(authInfo.username, config.groupAccess.requiredGroup);
-  if (!isInGroup) {
-    return { success: false, error: `Forbidden: Not in group '${config.groupAccess.requiredGroup}'` };
-  }
+  const authInfo = (req as any).authInfo;
+  const username = authInfo?.username || authInfo?.payload?.user;
+  if (!username) return res.status(403).send('Forbidden: User info unavailable');
 
-  return { success: true, authType: authInfo.authType, username: authInfo.username };
-};
+  const isInGroup = await isUserInGroup(username, config.groupAccess.requiredGroup);
+  if (!isInGroup) return res.status(403).send(`Forbidden: Not in group '${config.groupAccess.requiredGroup}'`);
 
-await initMcpServer({ ..., customAuthValidator });
+  next();
+});
+
+await initMcpServer({
+  ...,
+  httpComponents: { apiRouter: groupCheckRouter },
+});
 ```
 
 ## Example 2: All Tools Restriction
@@ -172,6 +185,12 @@ export const handleToolCall = async (params: IToolHandlerParams) => {
 
 | Level | Location | Error Type | Use Case |
 |-------|----------|------------|----------|
-| HTTP Server | `customAuthValidator` | HTTP 403 | Block completely |
+| Pre-auth bypass | `customAuthValidator` | HTTP 401 | Allow alternative credentials (no `Authorization` header) |
+| HTTP Server (post-auth) | `httpComponents.apiRouter` + `getMultiAuthError` | HTTP 403 | Block completely after identity is known |
 | All Tools | `toolHandler` (global) | MCP Error | Allow HTTP, restrict tools |
 | Per Tool | `toolHandler` (per-tool) | MCP Error | Fine-grained permissions |
+
+> `customAuthValidator` is a **pre-auth** hook — it runs before standard auth and before `authInfo`
+> is available. Use it to allow alternative credentials, not to check group membership.
+> For group checks that require a verified username, use `httpComponents.apiRouter` (post-auth)
+> or `toolHandler` (per-call).

package/cli-template/README.md

@@ -1,105 +1,105 @@
-# {{project.productName}}
-
-{{project.description}}
-
-## Install & Run
-
-### Quick Start
-```bash
-# Install
-npm install
-
-# Configure (copy config/local.yaml from config/_local.yaml)
-# Add database credentials
-
-# Build
-npm run build
-
-# Run (STDIO mode for Claude Desktop)
-npm start
-```
-
-### Test Run
-```bash
-# Unit tests
-npm test
-
-# MCP protocol tests
-npm run test:mcp        # STDIO mode
-npm run test:mcp-http   # HTTP mode
-npm run test:mcp-simple # Simple test
-```
-
-### Dual Transport System
-
-**STDIO Mode** (default for Claude Desktop):
-- Direct stdin/stdout communication
-- Optimal for Claude Desktop integration
-- No network ports required
-
-**HTTP Mode** (web integration):
-- HTTP server with Server-Sent Events (SSE)
-- Home page with server status at `http://localhost:{{port}}/`
-- Health check endpoint at `/health`
-- Direct JSON-RPC 2.0 endpoint at `/mcp`
-
-
-## Features
-
-
-
-## MCP Tools
-
-
-
-## MCP Prompts
-
-### `agent_brief`
-Brief description of agent capabilities for agent selection.
-
-### `agent_prompt`
-Complete prompt with instructions.
-
-## MCP Resources
-
-### `staff://agent/brief`
-Same as `agent_brief` prompt. **MIME:** text/plain
-
-### `staff://agent/prompt`
-Same as `agent_prompt` prompt. **MIME:** text/plain
-
-
-## 2. Configuration
-
-**Option A: Configuration File**
-
-**Option B: Environment Variables**
-
-
-## Claude Desktop Setup
-
-Add to `claude_desktop_config.json`:
-
-```json
-{
-  "mcpServers": {
-    "{{project.name}}": {
-      "command": "node",
-      "args": [
-        "<path-to-project>/mcp-staff-db/dist/src/index.js"
-      ],
-      "env": {
-      }
-    }
-  }
-}
-```
-
-## HTTP Mode Endpoints
-
-- **/** - Home page
-- **/health** - Health check
-- **/sse** - Server-Sent Events
-- **/mcp** - JSON-RPC 2.0
-
-## Security
+# {{project.productName}}
+
+{{project.description}}
+
+## Install & Run
+
+### Quick Start
+```bash
+# Install
+npm install
+
+# Configure (copy config/local.yaml from config/_local.yaml)
+# Add database credentials
+
+# Build
+npm run build
+
+# Run (STDIO mode for Claude Desktop)
+npm start
+```
+
+### Test Run
+```bash
+# Unit tests
+npm test
+
+# MCP protocol tests
+npm run test:mcp        # STDIO mode
+npm run test:mcp-http   # HTTP mode
+npm run test:mcp-simple # Simple test
+```
+
+### Dual Transport System
+
+**STDIO Mode** (default for Claude Desktop):
+- Direct stdin/stdout communication
+- Optimal for Claude Desktop integration
+- No network ports required
+
+**HTTP Mode** (web integration):
+- HTTP server with Server-Sent Events (SSE)
+- Home page with server status at `http://localhost:{{port}}/`
+- Health check endpoint at `/health`
+- Direct JSON-RPC 2.0 endpoint at `/mcp`
+
+
+## Features
+
+
+
+## MCP Tools
+
+
+
+## MCP Prompts
+
+### `agent_brief`
+Brief description of agent capabilities for agent selection.
+
+### `agent_prompt`
+Complete prompt with instructions.
+
+## MCP Resources
+
+### `staff://agent/brief`
+Same as `agent_brief` prompt. **MIME:** text/plain
+
+### `staff://agent/prompt`
+Same as `agent_prompt` prompt. **MIME:** text/plain
+
+
+## 2. Configuration
+
+**Option A: Configuration File**
+
+**Option B: Environment Variables**
+
+
+## Claude Desktop Setup
+
+Add to `claude_desktop_config.json`:
+
+```json
+{
+  "mcpServers": {
+    "{{project.name}}": {
+      "command": "node",
+      "args": [
+        "<path-to-project>/mcp-staff-db/dist/src/index.js"
+      ],
+      "env": {
+      }
+    }
+  }
+}
+```
+
+## HTTP Mode Endpoints
+
+- **/** - Home page
+- **/health** - Health check
+- **/sse** - Server-Sent Events
+- **/mcp** - JSON-RPC 2.0
+
+## Security

package/cli-template/package.json

@@ -1,7 +1,7 @@
 {
   "name": "project.name",
   "productName": "{{project.productName}}",
-  "version": "0.0.3",
+  "version": "0.1.0",
   "description": "{{project.description}}",
   "type": "module",
   "main": "dist/src/start.js",
@@ -50,7 +50,7 @@
   "dependencies": {
     "@modelcontextprotocol/sdk": "^1.26.0",
     "dotenv": "^17.2.4",
-    "fa-mcp-sdk": "^0.3.16"
+    "fa-mcp-sdk": "^0.3.18"
   },
   "devDependencies": {
     "@types/express": "^5.0.6",

package/cli-template/prompt-example-new-MCP.md

@@ -18,7 +18,7 @@ Authorization: Bearer <appConfig.accessPoints.currencyService.token>
 Example:
 
 ```http request
-GET http://smart-trade-ml.com:5002/currency-service/?rate=THBRUB
+GET http://smart-trade-ml.com:5001/currency-service/?rate=THBRUB
 Authorization: Bearer <appConfig.accessPoints.currencyService.token>
 ```
 
@@ -66,6 +66,7 @@ webServer:
       jwtToken:
          encryptKey: 'dbbe87db-90d0-4732-aae3-4089763ec392'
          checkMCPName: true
+         isCheckIP: false
       permanentServerTokens: ['psToken1']
 
    adminAuth:

package/cli-template/prompt_2026-03-17_13-53.md

@@ -0,0 +1,15 @@
+# Цель
+
+
+# Дополнительные сведения
+Смотри документацию в D:\DEV\FA\_pub\fa-mcp-sdk\cli-template\FA-MCP-SDK-DOC
+Конфигурация - D:\DEV\FA\_pub\fa-mcp-sdk\config\default.yaml
+D:\DEV\FA\_pub\fa-mcp-sdk\src\core\_types_\config.ts
+
+Код дергай отсюда
+D:\DEV\FA\_pub\fa-mcp-sdk\src\core\consul
+D:\DEV\FA\_pub\fa-mcp-sdk\src\core\bootstrap\init-config.ts
+D:\DEV\FA\_pub\fa-mcp-sdk\src\core\bootstrap\startup-info.ts
+ЗАпуск - D:\DEV\FA\_pub\fa-mcp-sdk\src\core\init-mcp-server.ts
+
+# Задача

package/cli-template/r/TEST HTTP.xml

@@ -1,9 +1,9 @@
-<component name="ProjectRunConfigurationManager">
-  <configuration
-      default="false"
-      name="TEST HTTP"
-      type="NodeJSConfigurationType"
-      path-to-js-file="tests/mcp/test-http.js" working-dir="$PROJECT_DIR$/">
-    <method v="2" />
-  </configuration>
-</component>
+<component name="ProjectRunConfigurationManager">
+  <configuration
+      default="false"
+      name="TEST HTTP"
+      type="NodeJSConfigurationType"
+      path-to-js-file="tests/mcp/test-http.js" working-dir="$PROJECT_DIR$/">
+    <method v="2" />
+  </configuration>
+</component>

package/cli-template/r/TEST SSE.xml

@@ -1,5 +1,5 @@
-<component name="ProjectRunConfigurationManager">
-  <configuration default="false" name="TEST SSE" type="NodeJSConfigurationType" path-to-js-file="tests/mcp/test-sse.js" working-dir="$PROJECT_DIR$/">
-    <method v="2" />
-  </configuration>
-</component>
+<component name="ProjectRunConfigurationManager">
+  <configuration default="false" name="TEST SSE" type="NodeJSConfigurationType" path-to-js-file="tests/mcp/test-sse.js" working-dir="$PROJECT_DIR$/">
+    <method v="2" />
+  </configuration>
+</component>

package/cli-template/r/TEST STDIO.xml

@@ -1,5 +1,5 @@
-<component name="ProjectRunConfigurationManager">
-  <configuration default="false" name="TEST STDIO" type="NodeJSConfigurationType" path-to-js-file="tests/mcp/test-stdio.js" working-dir="$PROJECT_DIR$">
-    <method v="2" />
-  </configuration>
-</component>
+<component name="ProjectRunConfigurationManager">
+  <configuration default="false" name="TEST STDIO" type="NodeJSConfigurationType" path-to-js-file="tests/mcp/test-stdio.js" working-dir="$PROJECT_DIR$">
+    <method v="2" />
+  </configuration>
+</component>

package/cli-template/r/generate-token.xml

@@ -1,14 +1,14 @@
-<component name="ProjectRunConfigurationManager">
-  <configuration default="false" name="generate-token" type="js.build_tools.npm" nameIsGenerated="true">
-    <package-json value="$PROJECT_DIR$/package.json" />
-    <command value="run" />
-    <scripts>
-      <script value="generate-token" />
-    </scripts>
-    <node-interpreter value="project" />
-    <envs>
-      <env name="DEBUG" value="ntlm:auth-flow,ntlm:ldap-proxy,ntlm:ldap-proxy-id" />
-    </envs>
-    <method v="2" />
-  </configuration>
+<component name="ProjectRunConfigurationManager">
+  <configuration default="false" name="generate-token" type="js.build_tools.npm" nameIsGenerated="true">
+    <package-json value="$PROJECT_DIR$/package.json" />
+    <command value="run" />
+    <scripts>
+      <script value="generate-token" />
+    </scripts>
+    <node-interpreter value="project" />
+    <envs>
+      <env name="DEBUG" value="ntlm:auth-flow,ntlm:ldap-proxy,ntlm:ldap-proxy-id" />
+    </envs>
+    <method v="2" />
+  </configuration>
 </component>

package/cli-template/r/lint-fix-build.xml

@@ -1,12 +1,12 @@
-<component name="ProjectRunConfigurationManager">
-  <configuration default="false" name="lint-fix-build" type="js.build_tools.npm" nameIsGenerated="true">
-    <package-json value="$PROJECT_DIR$/package.json" />
-    <command value="run" />
-    <scripts>
-      <script value="lint-fix-build" />
-    </scripts>
-    <node-interpreter value="project" />
-    <envs />
-    <method v="2" />
-  </configuration>
-</component>
+<component name="ProjectRunConfigurationManager">
+  <configuration default="false" name="lint-fix-build" type="js.build_tools.npm" nameIsGenerated="true">
+    <package-json value="$PROJECT_DIR$/package.json" />
+    <command value="run" />
+    <scripts>
+      <script value="lint-fix-build" />
+    </scripts>
+    <node-interpreter value="project" />
+    <envs />
+    <method v="2" />
+  </configuration>
+</component>

package/cli-template/r/remove-nul.xml

@@ -1,11 +1,11 @@
-<component name="ProjectRunConfigurationManager">
-  <configuration
-      default="false"
-      name="remove-nul.js"
-      type="NodeJSConfigurationType"
-      nameIsGenerated="true"
-      path-to-js-file="scripts/remove-nul.js"
-      working-dir="$PROJECT_DIR$">
-    <method v="2"/>
-  </configuration>
-</component>
+<component name="ProjectRunConfigurationManager">
+  <configuration
+      default="false"
+      name="remove-nul.js"
+      type="NodeJSConfigurationType"
+      nameIsGenerated="true"
+      path-to-js-file="scripts/remove-nul.js"
+      working-dir="$PROJECT_DIR$">
+    <method v="2"/>
+  </configuration>
+</component>

package/config/custom-environment-variables.yaml

@@ -44,6 +44,7 @@ webServer:
     jwtToken:
       encryptKey: WS_TOKEN_ENCRYPT_KEY
       checkMCPName: WS_CHECK_MC_NAME
+      isCheckIP: WS_JWT_CHECK_IP
     basic:
       username: WS_AUTH_BASIC_USERNAME
       password: WS_AUTH_BASIC_PASSWORD

package/config/default.yaml

@@ -176,6 +176,9 @@ webServer:
       encryptKey: '***'
       # If webServer.auth.enabled and the parameter true, the service name and the service specified in the token will be checked
       checkMCPName: true
+      # If true and JWT token contains non-empty 'ip' field,
+      # the client IP will be checked against the allowed list in the token
+      isCheckIP: false
 
     # ========================================================================
     # Basic Authentication - Base64 encoded username:password

package/config/development.yaml

@@ -1,4 +1,4 @@
----
-
-
-
+---
+
+
+

package/config/production.yaml

@@ -1,4 +1,4 @@
----
-
-
-
+---
+
+
+

package/dist/core/_types_/config.d.ts

@@ -16,6 +16,7 @@ interface IWebServerConfig {
             jwtToken: {
                 encryptKey: string;
                 checkMCPName: boolean;
+                isCheckIP: boolean;
             };
             permanentServerTokens: string[];
         };

package/dist/core/_types_/config.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../../src/core/_types_/config.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAC7C,OAAO,EAAE,kBAAkB,EAAE,MAAM,UAAU,CAAC;AAC9C,OAAO,EAAE,eAAe,EAAE,aAAa,EAAE,MAAM,WAAW,CAAC;AAC3D,OAAO,EAAE,SAAS,EAAE,MAAM,8BAA8B,CAAC;AAGzD,UAAU,gBAAgB;IACxB,SAAS,EAAE;QACT,IAAI,EAAE,MAAM,CAAC;QACb,IAAI,EAAE,MAAM,CAAC;QACb,WAAW,EAAE,MAAM,EAAE,CAAC;QACtB,IAAI,EAAE;YACJ,OAAO,EAAE,OAAO,CAAC;YACjB,KAAK,CAAC,EAAE;gBACN,QAAQ,EAAE,MAAM,CAAC;gBACjB,QAAQ,EAAE,MAAM,CAAC;aAClB,CAAC;YACF,QAAQ,EAAE;gBACR,UAAU,EAAE,MAAM,CAAC;gBACnB,YAAY,EAAE,OAAO,CAAC;aACvB,CAAA;YACD,qBAAqB,EAAE,MAAM,EAAE,CAAC;SACjC,CAAC;QACF,SAAS,EAAE;YACT,OAAO,EAAE,OAAO,CAAC;YACjB,IAAI,EAAE,uBAAuB,GAAG,OAAO,GAAG,UAAU,GAAG,MAAM,CAAC;SAC/D,CAAC;KACH,CAAA;CACF;AAGD,UAAU,aAAa;IACrB,MAAM,EAAE;QACN,KAAK,EAAE,aAAa,CAAC;QACrB,aAAa,EAAE,OAAO,CAAC;QACvB,GAAG,CAAC,EAAE,MAAM,CAAC;KACd,CAAA;CACF;AAED,UAAU,UAAU;IAClB,GAAG,EAAE;QACH,SAAS,EAAE;YACT,WAAW,EAAE,MAAM,CAAC;YACpB,QAAQ,EAAE,MAAM,CAAC;SAClB,CAAC;QACF,YAAY,EAAE,MAAM,GAAG,mBAAmB,CAAA;QAC1C,aAAa,EAAE,OAAO,GAAG,MAAM,CAAC;KACjC,CAAA;CACF;AAED,UAAU,cAAc;IACtB,OAAO,EAAE;QACP,OAAO,CAAC,EAAE;YACR,GAAG,EAAE,MAAM,CAAC;YACZ,WAAW,EAAE,MAAM,CAAC;SACrB,EAAE,CAAC;KACL,CAAA;CACF;AAED,UAAU,kBAAkB;IAC1B,WAAW,CAAC,EAAE;QACZ,OAAO,EAAE,OAAO,CAAC;QACjB,OAAO,EAAE,OAAO,CAAC;QACjB,MAAM,CAAC,EAAE;YACP,MAAM,EAAE,MAAM,CAAC;YACf,OAAO,CAAC,EAAE,MAAM,CAAC;SAClB,CAAC;QACF,WAAW,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACrC,OAAO,CAAC,EAAE,OAAO,CAAC;KACnB,CAAA;CACF;AAED,UAAU,YAAY;IACpB,KAAK,EAAE;QACL,UAAU,EAAE,GAAG,CAAC;QAChB,QAAQ,EAAE,IAAI,CAAC;KAChB,CAAA;CACF;AAED,MAAM,WAAW,SAAU,SAAQ,SAAS,EAC1C,YAAY,EACZ,aAAa,EACb,kBAAkB,EAClB,gBAAgB,EAChB,UAAU,EACV,cAAc,EACd,kBAAkB;IAElB,YAAY,EAAE,OAAO,CAAC;IAEtB,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC;IAEpB,YAAY,EAAE,aAAa,CAAC;IAC5B,MAAM,EAAE,eAAe,GAAG;QACxB,OAAO,EAAE;YACP,IAAI,EAAE,MAAM,CAAC;YACb,GAAG,EAAE,MAAM,CAAC;SACb,CAAC;KACH,CAAC;IACF,OAAO,EAAE;QACP,OAAO,EAAE,MAAM,CAAC;KACjB,CAAA;CACF"}
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../../src/core/_types_/config.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAC7C,OAAO,EAAE,kBAAkB,EAAE,MAAM,UAAU,CAAC;AAC9C,OAAO,EAAE,eAAe,EAAE,aAAa,EAAE,MAAM,WAAW,CAAC;AAC3D,OAAO,EAAE,SAAS,EAAE,MAAM,8BAA8B,CAAC;AAGzD,UAAU,gBAAgB;IACxB,SAAS,EAAE;QACT,IAAI,EAAE,MAAM,CAAC;QACb,IAAI,EAAE,MAAM,CAAC;QACb,WAAW,EAAE,MAAM,EAAE,CAAC;QACtB,IAAI,EAAE;YACJ,OAAO,EAAE,OAAO,CAAC;YACjB,KAAK,CAAC,EAAE;gBACN,QAAQ,EAAE,MAAM,CAAC;gBACjB,QAAQ,EAAE,MAAM,CAAC;aAClB,CAAC;YACF,QAAQ,EAAE;gBACR,UAAU,EAAE,MAAM,CAAC;gBACnB,YAAY,EAAE,OAAO,CAAC;gBACtB,SAAS,EAAE,OAAO,CAAC;aACpB,CAAA;YACD,qBAAqB,EAAE,MAAM,EAAE,CAAC;SACjC,CAAC;QACF,SAAS,EAAE;YACT,OAAO,EAAE,OAAO,CAAC;YACjB,IAAI,EAAE,uBAAuB,GAAG,OAAO,GAAG,UAAU,GAAG,MAAM,CAAC;SAC/D,CAAC;KACH,CAAA;CACF;AAGD,UAAU,aAAa;IACrB,MAAM,EAAE;QACN,KAAK,EAAE,aAAa,CAAC;QACrB,aAAa,EAAE,OAAO,CAAC;QACvB,GAAG,CAAC,EAAE,MAAM,CAAC;KACd,CAAA;CACF;AAED,UAAU,UAAU;IAClB,GAAG,EAAE;QACH,SAAS,EAAE;YACT,WAAW,EAAE,MAAM,CAAC;YACpB,QAAQ,EAAE,MAAM,CAAC;SAClB,CAAC;QACF,YAAY,EAAE,MAAM,GAAG,mBAAmB,CAAA;QAC1C,aAAa,EAAE,OAAO,GAAG,MAAM,CAAC;KACjC,CAAA;CACF;AAED,UAAU,cAAc;IACtB,OAAO,EAAE;QACP,OAAO,CAAC,EAAE;YACR,GAAG,EAAE,MAAM,CAAC;YACZ,WAAW,EAAE,MAAM,CAAC;SACrB,EAAE,CAAC;KACL,CAAA;CACF;AAED,UAAU,kBAAkB;IAC1B,WAAW,CAAC,EAAE;QACZ,OAAO,EAAE,OAAO,CAAC;QACjB,OAAO,EAAE,OAAO,CAAC;QACjB,MAAM,CAAC,EAAE;YACP,MAAM,EAAE,MAAM,CAAC;YACf,OAAO,CAAC,EAAE,MAAM,CAAC;SAClB,CAAC;QACF,WAAW,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACrC,OAAO,CAAC,EAAE,OAAO,CAAC;KACnB,CAAA;CACF;AAED,UAAU,YAAY;IACpB,KAAK,EAAE;QACL,UAAU,EAAE,GAAG,CAAC;QAChB,QAAQ,EAAE,IAAI,CAAC;KAChB,CAAA;CACF;AAED,MAAM,WAAW,SAAU,SAAQ,SAAS,EAC1C,YAAY,EACZ,aAAa,EACb,kBAAkB,EAClB,gBAAgB,EAChB,UAAU,EACV,cAAc,EACd,kBAAkB;IAElB,YAAY,EAAE,OAAO,CAAC;IAEtB,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC;IAEpB,YAAY,EAAE,aAAa,CAAC;IAC5B,MAAM,EAAE,eAAe,GAAG;QACxB,OAAO,EAAE;YACP,IAAI,EAAE,MAAM,CAAC;YACb,GAAG,EAAE,MAAM,CAAC;SACb,CAAC;KACH,CAAC;IACF,OAAO,EAAE;QACP,OAAO,EAAE,MAAM,CAAC;KACjB,CAAA;CACF"}

package/dist/core/auth/ip-check.d.ts

@@ -0,0 +1,18 @@
+/**
+ * IP address parsing and CIDR matching utilities for JWT IP checking.
+ * Pure TypeScript implementation — no external dependencies.
+ */
+/**
+ * Parses IP string (comma/semicolon/space-separated) into array of trimmed non-empty entries.
+ * Each entry is either a plain IP or a CIDR notation (e.g., "10.0.0.0/24").
+ */
+export declare function parseIpList(ipStr: string): string[];
+/**
+ * Checks if clientIp matches any entry in allowedIps.
+ * Supports:
+ *   - Exact match (IPv4 and IPv6)
+ *   - CIDR subnet match (e.g., 10.0.0.0/24)
+ *   - IPv4-mapped IPv6 normalization (::ffff:x.x.x.x → x.x.x.x)
+ */
+export declare function isIpAllowed(clientIp: string, allowedIps: string[]): boolean;
+//# sourceMappingURL=ip-check.d.ts.map

package/dist/core/auth/ip-check.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ip-check.d.ts","sourceRoot":"","sources":["../../../src/core/auth/ip-check.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH;;;GAGG;AACH,wBAAgB,WAAW,CAAE,KAAK,EAAE,MAAM,GAAG,MAAM,EAAE,CAQpD;AAmID;;;;;;GAMG;AACH,wBAAgB,WAAW,CAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,GAAG,OAAO,CAK5E"}