npm - fa-mcp-sdk - Versions diffs - 0.4.76 → 0.4.77 - Mend

fa-mcp-sdk 0.4.76 → 0.4.77

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (198) hide show

package/README.md +319 -314
package/bin/fa-mcp.js +85 -68
package/cli-template/.claude/agents/javascript-pro.md +276 -276
package/cli-template/.claude/settings.json +50 -50
package/cli-template/.claude/skills/upgrade-guide/SKILL.md +2 -1
package/cli-template/.oxfmtrc.json +41 -0
package/cli-template/.oxlintrc.json +120 -0
package/cli-template/CLAUDE.md +358 -355
package/cli-template/FA-MCP-SDK-DOC/00-FA-MCP-SDK-index.md +132 -132
package/cli-template/FA-MCP-SDK-DOC/01-getting-started.md +146 -146
package/cli-template/FA-MCP-SDK-DOC/02-1-tools-and-api.md +431 -431
package/cli-template/FA-MCP-SDK-DOC/02-2-prompts-and-resources.md +201 -201
package/cli-template/FA-MCP-SDK-DOC/03-configuration.md +384 -384
package/cli-template/FA-MCP-SDK-DOC/04-authentication.md +412 -412
package/cli-template/FA-MCP-SDK-DOC/05-ad-authorization.md +196 -196
package/cli-template/FA-MCP-SDK-DOC/06-utilities.md +163 -163
package/cli-template/FA-MCP-SDK-DOC/07-testing-and-operations.md +127 -127
package/cli-template/jest.config.js +27 -30
package/cli-template/package.json +10 -5
package/cli-template/prompt-example-new-MCP.md +101 -101
package/cli-template/readme-docs/SKILLS.md +1 -1
package/cli-template/tsconfig.json +58 -58
package/cli-template/update.cjs +41 -38
package/config/custom-environment-variables.yaml +63 -63
package/config/development.yaml +4 -4
package/config/production.yaml +4 -4
package/config/test.yaml +26 -26
package/dist/core/_types_/TNtlm.d.ts.map +1 -1
package/dist/core/_types_/active-directory-config.d.ts.map +1 -1
package/dist/core/_types_/config.d.ts.map +1 -1
package/dist/core/_types_/types.d.ts.map +1 -1
package/dist/core/ad/group-checker.d.ts.map +1 -1
package/dist/core/ad/group-checker.js.map +1 -1
package/dist/core/agent-tester/agent-tester-router.d.ts.map +1 -1
package/dist/core/agent-tester/agent-tester-router.js +6 -6
package/dist/core/agent-tester/agent-tester-router.js.map +1 -1
package/dist/core/agent-tester/check-llm.d.ts.map +1 -1
package/dist/core/agent-tester/check-llm.js.map +1 -1
package/dist/core/agent-tester/services/SummaryMemory.d.ts.map +1 -1
package/dist/core/agent-tester/services/SummaryMemory.js +3 -9
package/dist/core/agent-tester/services/SummaryMemory.js.map +1 -1
package/dist/core/agent-tester/services/TesterAgentService.d.ts.map +1 -1
package/dist/core/agent-tester/services/TesterAgentService.js +25 -27
package/dist/core/agent-tester/services/TesterAgentService.js.map +1 -1
package/dist/core/agent-tester/services/TesterMcpClientService.d.ts.map +1 -1
package/dist/core/agent-tester/services/TesterMcpClientService.js +26 -25
package/dist/core/agent-tester/services/TesterMcpClientService.js.map +1 -1
package/dist/core/auth/admin-auth.d.ts.map +1 -1
package/dist/core/auth/admin-auth.js +5 -5
package/dist/core/auth/admin-auth.js.map +1 -1
package/dist/core/auth/agent-tester-auth.d.ts.map +1 -1
package/dist/core/auth/agent-tester-auth.js +1 -6
package/dist/core/auth/agent-tester-auth.js.map +1 -1
package/dist/core/auth/basic.d.ts.map +1 -1
package/dist/core/auth/basic.js.map +1 -1
package/dist/core/auth/ip-check.d.ts.map +1 -1
package/dist/core/auth/ip-check.js +1 -1
package/dist/core/auth/ip-check.js.map +1 -1
package/dist/core/auth/jwt.d.ts.map +1 -1
package/dist/core/auth/jwt.js +1 -1
package/dist/core/auth/jwt.js.map +1 -1
package/dist/core/auth/middleware.d.ts.map +1 -1
package/dist/core/auth/middleware.js +9 -6
package/dist/core/auth/middleware.js.map +1 -1
package/dist/core/auth/multi-auth.d.ts.map +1 -1
package/dist/core/auth/multi-auth.js +6 -6
package/dist/core/auth/multi-auth.js.map +1 -1
package/dist/core/auth/revocation.d.ts.map +1 -1
package/dist/core/auth/revocation.js +2 -6
package/dist/core/auth/revocation.js.map +1 -1
package/dist/core/auth/token-generator/ntlm/ntlm-auth-options.d.ts.map +1 -1
package/dist/core/auth/token-generator/ntlm/ntlm-auth-options.js +2 -2
package/dist/core/auth/token-generator/ntlm/ntlm-auth-options.js.map +1 -1
package/dist/core/auth/token-generator/ntlm/ntlm-domain-config.js +1 -1
package/dist/core/auth/token-generator/ntlm/ntlm-domain-config.js.map +1 -1
package/dist/core/auth/token-generator/ntlm/ntlm-integration.d.ts.map +1 -1
package/dist/core/auth/token-generator/ntlm/ntlm-integration.js +4 -2
package/dist/core/auth/token-generator/ntlm/ntlm-integration.js.map +1 -1
package/dist/core/auth/token-generator/server.d.ts.map +1 -1
package/dist/core/auth/token-generator/server.js.map +1 -1
package/dist/core/bootstrap/init-config.d.ts.map +1 -1
package/dist/core/bootstrap/init-config.js +2 -2
package/dist/core/bootstrap/init-config.js.map +1 -1
package/dist/core/bootstrap/startup-info.d.ts.map +1 -1
package/dist/core/bootstrap/startup-info.js +3 -7
package/dist/core/bootstrap/startup-info.js.map +1 -1
package/dist/core/cache/cache.d.ts.map +1 -1
package/dist/core/cache/cache.js +2 -2
package/dist/core/cache/cache.js.map +1 -1
package/dist/core/consul/deregister.d.ts.map +1 -1
package/dist/core/consul/deregister.js.map +1 -1
package/dist/core/consul/get-consul-api.d.ts.map +1 -1
package/dist/core/consul/get-consul-api.js +1 -2
package/dist/core/consul/get-consul-api.js.map +1 -1
package/dist/core/db/pg-db.d.ts.map +1 -1
package/dist/core/db/pg-db.js +3 -3
package/dist/core/db/pg-db.js.map +1 -1
package/dist/core/debug.d.ts.map +1 -1
package/dist/core/debug.js.map +1 -1
package/dist/core/errors/BaseMcpError.d.ts.map +1 -1
package/dist/core/errors/BaseMcpError.js.map +1 -1
package/dist/core/errors/ValidationError.d.ts.map +1 -1
package/dist/core/errors/ValidationError.js.map +1 -1
package/dist/core/errors/errors.d.ts.map +1 -1
package/dist/core/errors/errors.js +1 -1
package/dist/core/errors/errors.js.map +1 -1
package/dist/core/index.d.ts +6 -6
package/dist/core/index.d.ts.map +1 -1
package/dist/core/index.js +5 -5
package/dist/core/index.js.map +1 -1
package/dist/core/init-mcp-server.d.ts.map +1 -1
package/dist/core/init-mcp-server.js.map +1 -1
package/dist/core/logger.d.ts.map +1 -1
package/dist/core/logger.js +1 -1
package/dist/core/logger.js.map +1 -1
package/dist/core/mcp/create-mcp-server.d.ts.map +1 -1
package/dist/core/mcp/create-mcp-server.js +1 -1
package/dist/core/mcp/create-mcp-server.js.map +1 -1
package/dist/core/mcp/prompts.d.ts.map +1 -1
package/dist/core/mcp/prompts.js.map +1 -1
package/dist/core/mcp/readme-assembler.d.ts.map +1 -1
package/dist/core/mcp/readme-assembler.js +3 -1
package/dist/core/mcp/readme-assembler.js.map +1 -1
package/dist/core/mcp/resources.d.ts.map +1 -1
package/dist/core/mcp/resources.js.map +1 -1
package/dist/core/mcp/server-stdio.d.ts.map +1 -1
package/dist/core/utils/formatToolResult.d.ts.map +1 -1
package/dist/core/utils/formatToolResult.js.map +1 -1
package/dist/core/utils/port-checker.d.ts.map +1 -1
package/dist/core/utils/port-checker.js.map +1 -1
package/dist/core/utils/rate-limit.d.ts.map +1 -1
package/dist/core/utils/rate-limit.js +2 -8
package/dist/core/utils/rate-limit.js.map +1 -1
package/dist/core/utils/testing/BaseMcpClient.d.ts.map +1 -1
package/dist/core/utils/testing/BaseMcpClient.js.map +1 -1
package/dist/core/utils/testing/McpHttpClient.d.ts.map +1 -1
package/dist/core/utils/testing/McpHttpClient.js +2 -2
package/dist/core/utils/testing/McpHttpClient.js.map +1 -1
package/dist/core/utils/testing/McpSseClient.d.ts.map +1 -1
package/dist/core/utils/testing/McpSseClient.js +3 -8
package/dist/core/utils/testing/McpSseClient.js.map +1 -1
package/dist/core/utils/testing/McpStdioClient.d.ts.map +1 -1
package/dist/core/utils/testing/McpStdioClient.js.map +1 -1
package/dist/core/utils/testing/McpStreamableHttpClient.d.ts.map +1 -1
package/dist/core/utils/testing/McpStreamableHttpClient.js +7 -8
package/dist/core/utils/testing/McpStreamableHttpClient.js.map +1 -1
package/dist/core/utils/utils.d.ts.map +1 -1
package/dist/core/utils/utils.js +3 -5
package/dist/core/utils/utils.js.map +1 -1
package/dist/core/web/admin-router.d.ts.map +1 -1
package/dist/core/web/admin-router.js +3 -3
package/dist/core/web/admin-router.js.map +1 -1
package/dist/core/web/cors.d.ts.map +1 -1
package/dist/core/web/cors.js.map +1 -1
package/dist/core/web/favicon-svg.d.ts.map +1 -1
package/dist/core/web/favicon-svg.js +1 -5
package/dist/core/web/favicon-svg.js.map +1 -1
package/dist/core/web/home-api.d.ts.map +1 -1
package/dist/core/web/home-api.js +7 -8
package/dist/core/web/home-api.js.map +1 -1
package/dist/core/web/openapi.d.ts.map +1 -1
package/dist/core/web/openapi.js +1 -3
package/dist/core/web/openapi.js.map +1 -1
package/dist/core/web/server-http.d.ts.map +1 -1
package/dist/core/web/server-http.js +4 -4
package/dist/core/web/server-http.js.map +1 -1
package/dist/core/web/static/agent-tester/index.html +323 -323
package/dist/core/web/static/agent-tester/script.js +311 -200
package/dist/core/web/static/agent-tester/styles.css +1840 -1840
package/dist/core/web/static/home/index.html +220 -220
package/dist/core/web/static/home/script.js +72 -43
package/dist/core/web/static/styles.css +927 -927
package/dist/core/web/static/token-gen/index.html +136 -136
package/dist/core/web/static/token-gen/script.js +58 -56
package/dist/core/web/svg-icons.d.ts.map +1 -1
package/dist/core/web/svg-icons.js +1 -5
package/dist/core/web/svg-icons.js.map +1 -1
package/package.json +10 -5
package/{cli-template/.claude/hooks/eslint-fix.cjs → scripts/cc-hook-oxlint-oxfmt-fix.cjs} +109 -100
package/scripts/generate-jwt.js +5 -9
package/scripts/kill-port.js +5 -2
package/scripts/npm/run.js +1 -2
package/scripts/remove-nul.js +1 -1
package/scripts/update-sdk.js +36 -14
package/src/template/api/router.ts +3 -3
package/src/template/prompts/agent-brief.ts +0 -1
package/src/template/start.ts +3 -8
package/src/template/tools/handle-tool-call.ts +3 -3
package/src/template/tools/tools.ts +3 -7
package/src/tests/jest-simple-reporter.js +1 -1
package/src/tests/mcp/sse/mcp-sse-client-handling.md +111 -111
package/src/tests/mcp/sse/test-sse-npm-package.js +2 -3
package/src/tests/mcp/test-cases.js +6 -7
package/src/tests/mcp/test-http.js +2 -2
package/src/tests/mcp/test-sse.js +9 -7
package/src/tests/mcp/test-stdio.js +12 -8
package/src/tests/utils.ts +4 -3
package/cli-template/eslint.config.js +0 -27

package/cli-template/FA-MCP-SDK-DOC/05-ad-authorization.md CHANGED Viewed

@@ -1,196 +1,196 @@
-# AD Group Authorization
-Authorization by AD group membership. Assumes JWT auth is configured.
-## AD Configuration Types
-```typescript
-interface IADConfig {
-  ad: {
-    domains: { [domainName: string]: IDcConfig };
-    tlsOptions?: ConnectionOptions;
-    groupCacheTtlMs?: number;  // Default: 10 min
-    dnCacheTtlMs?: number;     // Default: 24 hours
-  };
-}
-interface IDcConfig {
-  controllers: string[];  // ['ldap://dc1.corp.com']
-  username: string;
-  password: string;
-  baseDn?: string;        // Auto-derived if omitted
-  default?: boolean;
-}
-```
-```yaml
-# config/default.yaml
-ad:
-  groupCacheTtlMs: 600000
-  domains:
-    CORP:
-      default: true
-      controllers: ['ldap://dc1.corp.com']
-      username: 'svc_mcp@corp.com'
-      password: '${AD_SERVICE_PASSWORD}'
-```
-## Custom Config Extension
-```typescript
-// src/_types_/custom-config.ts
-import { AppConfig } from 'fa-mcp-sdk';
-interface IGroupAccessConfig {
-  groupAccess: { requiredGroup: string; bypassGroupCheck?: boolean };
-}
-export interface CustomAppConfig extends AppConfig, IGroupAccessConfig {}
-```
-```yaml
-# config/default.yaml
-groupAccess:
-  requiredGroup: "DOMAIN\\MCP-Users"
-  bypassGroupCheck: false
-```
-## Example 1: HTTP Level Restriction
-Block unauthorized users at HTTP level (403 before MCP processing).
-> **Important:** `customAuthValidator` runs **before** standard auth and before `authInfo` is set on
-> the request. It cannot read `(req as any).authInfo` — that value is populated by the middleware
-> only after successful authentication. Use `httpComponents.apiRouter` to add a post-auth middleware
-> if you need to check group membership after the user has been authenticated.
-```typescript
-// src/start.ts
-import { Router } from 'express';
-import { appConfig, initMcpServer, getMultiAuthError, initADGroupChecker } from 'fa-mcp-sdk';
-import { CustomAppConfig } from './_types_/custom-config.js';
-const config = appConfig as CustomAppConfig;
-const { isUserInGroup } = initADGroupChecker();
-// Post-auth AD group check: runs after standard auth has verified the token
-// and set authInfo on the request.
-const groupCheckRouter = Router();
-groupCheckRouter.use(async (req, res, next) => {
-  // Verify standard auth first (sets authInfo on req)
-  const authError = await getMultiAuthError(req);
-  if (authError) return res.status(authError.code).send(authError.message);
-  if (config.groupAccess.bypassGroupCheck) return next();
-  const authInfo = (req as any).authInfo;
-  const username = authInfo?.username || authInfo?.payload?.user;
-  if (!username) return res.status(403).send('Forbidden: User info unavailable');
-  const isInGroup = await isUserInGroup(username, config.groupAccess.requiredGroup);
-  if (!isInGroup) return res.status(403).send(`Forbidden: Not in group '${config.groupAccess.requiredGroup}'`);
-  next();
-});
-await initMcpServer({
-  ...,
-  httpComponents: { apiRouter: groupCheckRouter },
-});
-```
-## Example 2: All Tools Restriction
-Check in `toolHandler` (MCP error response):
-```typescript
-// src/tools/handle-tool-call.ts
-import { ToolExecutionError, appConfig, initADGroupChecker, IToolHandlerParams } from 'fa-mcp-sdk';
-import { CustomAppConfig } from '../_types_/custom-config.js';
-const config = appConfig as CustomAppConfig;
-const { isUserInGroup } = initADGroupChecker();
-async function checkToolAccess(payload: IToolHandlerParams['payload']) {
-  if (config.groupAccess.bypassGroupCheck) return;
-  if (!payload?.user) throw new ToolExecutionError('auth', 'User info unavailable');
-  const isInGroup = await isUserInGroup(payload.user, config.groupAccess.requiredGroup);
-  if (!isInGroup) {
-    throw new ToolExecutionError('auth', `Forbidden: User not in '${config.groupAccess.requiredGroup}'`);
-  }
-}
-export const handleToolCall = async (params: IToolHandlerParams) => {
-  await checkToolAccess(params.payload);  // Check ALL tools
-  // ... tool switch logic
-};
-```
-## Example 3: Per-Tool Restriction
-Different groups for different tools:
-```typescript
-// src/_types_/custom-config.ts
-interface IToolGroupAccessConfig {
-  toolGroupAccess: {
-    defaultGroup?: string;
-    tools: Record<string, { requiredGroup?: string; public?: boolean }>;
-    bypassGroupCheck?: boolean;
-  };
-}
-```
-```yaml
-# config/default.yaml
-toolGroupAccess:
-  defaultGroup: "DOMAIN\\MCP-Users"
-  bypassGroupCheck: false
-  tools:
-    get_public_data:
-      public: true
-    get_user_data:
-      requiredGroup: "DOMAIN\\MCP-Users"
-    admin_operation:
-      requiredGroup: "DOMAIN\\MCP-Admins"
-```
-```typescript
-// src/tools/handle-tool-call.ts
-async function checkToolAccess(toolName: string, payload: IToolHandlerParams['payload']) {
-  const toolAccess = config.toolGroupAccess;
-  if (toolAccess.bypassGroupCheck) return;
-  const toolConfig = toolAccess.tools[toolName];
-  if (toolConfig?.public) return;
-  if (!payload?.user) throw new ToolExecutionError(toolName, 'User info unavailable');
-  const requiredGroup = toolConfig?.requiredGroup || toolAccess.defaultGroup;
-  if (!requiredGroup) return;
-  const isInGroup = await isUserInGroup(payload.user, requiredGroup);
-  if (!isInGroup) {
-    throw new ToolExecutionError(toolName, `Forbidden: User not in '${requiredGroup}'`);
-  }
-}
-export const handleToolCall = async (params: IToolHandlerParams) => {
-  await checkToolAccess(params.name, params.payload);
-  // ... tool switch logic
-};
-```
-## Authorization Levels Summary
-| Level | Location | Error Type | Use Case |
-|-------|----------|------------|----------|
-| Pre-auth bypass | `customAuthValidator` | HTTP 401 | Allow alternative credentials (no `Authorization` header) |
-| HTTP Server (post-auth) | `httpComponents.apiRouter` + `getMultiAuthError` | HTTP 403 | Block completely after identity is known |
-| All Tools | `toolHandler` (global) | MCP Error | Allow HTTP, restrict tools |
-| Per Tool | `toolHandler` (per-tool) | MCP Error | Fine-grained permissions |
-> `customAuthValidator` is a **pre-auth** hook — it runs before standard auth and before `authInfo`
-> is available. Use it to allow alternative credentials, not to check group membership.
-> For group checks that require a verified username, use `httpComponents.apiRouter` (post-auth)
-> or `toolHandler` (per-call).
+# AD Group Authorization
+Authorization by AD group membership. Assumes JWT auth is configured.
+## AD Configuration Types
+```typescript
+interface IADConfig {
+  ad: {
+    domains: { [domainName: string]: IDcConfig };
+    tlsOptions?: ConnectionOptions;
+    groupCacheTtlMs?: number;  // Default: 10 min
+    dnCacheTtlMs?: number;     // Default: 24 hours
+  };
+}
+interface IDcConfig {
+  controllers: string[];  // ['ldap://dc1.corp.com']
+  username: string;
+  password: string;
+  baseDn?: string;        // Auto-derived if omitted
+  default?: boolean;
+}
+```
+```yaml
+# config/default.yaml
+ad:
+  groupCacheTtlMs: 600000
+  domains:
+    CORP:
+      default: true
+      controllers: ['ldap://dc1.corp.com']
+      username: 'svc_mcp@corp.com'
+      password: '${AD_SERVICE_PASSWORD}'
+```
+## Custom Config Extension
+```typescript
+// src/_types_/custom-config.ts
+import { AppConfig } from 'fa-mcp-sdk';
+interface IGroupAccessConfig {
+  groupAccess: { requiredGroup: string; bypassGroupCheck?: boolean };
+}
+export interface CustomAppConfig extends AppConfig, IGroupAccessConfig {}
+```
+```yaml
+# config/default.yaml
+groupAccess:
+  requiredGroup: "DOMAIN\\MCP-Users"
+  bypassGroupCheck: false
+```
+## Example 1: HTTP Level Restriction
+Block unauthorized users at HTTP level (403 before MCP processing).
+> **Important:** `customAuthValidator` runs **before** standard auth and before `authInfo` is set on
+> the request. It cannot read `(req as any).authInfo` — that value is populated by the middleware
+> only after successful authentication. Use `httpComponents.apiRouter` to add a post-auth middleware
+> if you need to check group membership after the user has been authenticated.
+```typescript
+// src/start.ts
+import { Router } from 'express';
+import { appConfig, initMcpServer, getMultiAuthError, initADGroupChecker } from 'fa-mcp-sdk';
+import { CustomAppConfig } from './_types_/custom-config.js';
+const config = appConfig as CustomAppConfig;
+const { isUserInGroup } = initADGroupChecker();
+// Post-auth AD group check: runs after standard auth has verified the token
+// and set authInfo on the request.
+const groupCheckRouter = Router();
+groupCheckRouter.use(async (req, res, next) => {
+  // Verify standard auth first (sets authInfo on req)
+  const authError = await getMultiAuthError(req);
+  if (authError) return res.status(authError.code).send(authError.message);
+  if (config.groupAccess.bypassGroupCheck) return next();
+  const authInfo = (req as any).authInfo;
+  const username = authInfo?.username || authInfo?.payload?.user;
+  if (!username) return res.status(403).send('Forbidden: User info unavailable');
+  const isInGroup = await isUserInGroup(username, config.groupAccess.requiredGroup);
+  if (!isInGroup) return res.status(403).send(`Forbidden: Not in group '${config.groupAccess.requiredGroup}'`);
+  next();
+});
+await initMcpServer({
+  ...,
+  httpComponents: { apiRouter: groupCheckRouter },
+});
+```
+## Example 2: All Tools Restriction
+Check in `toolHandler` (MCP error response):
+```typescript
+// src/tools/handle-tool-call.ts
+import { ToolExecutionError, appConfig, initADGroupChecker, IToolHandlerParams } from 'fa-mcp-sdk';
+import { CustomAppConfig } from '../_types_/custom-config.js';
+const config = appConfig as CustomAppConfig;
+const { isUserInGroup } = initADGroupChecker();
+async function checkToolAccess(payload: IToolHandlerParams['payload']) {
+  if (config.groupAccess.bypassGroupCheck) return;
+  if (!payload?.user) throw new ToolExecutionError('auth', 'User info unavailable');
+  const isInGroup = await isUserInGroup(payload.user, config.groupAccess.requiredGroup);
+  if (!isInGroup) {
+    throw new ToolExecutionError('auth', `Forbidden: User not in '${config.groupAccess.requiredGroup}'`);
+  }
+}
+export const handleToolCall = async (params: IToolHandlerParams) => {
+  await checkToolAccess(params.payload);  // Check ALL tools
+  // ... tool switch logic
+};
+```
+## Example 3: Per-Tool Restriction
+Different groups for different tools:
+```typescript
+// src/_types_/custom-config.ts
+interface IToolGroupAccessConfig {
+  toolGroupAccess: {
+    defaultGroup?: string;
+    tools: Record<string, { requiredGroup?: string; public?: boolean }>;
+    bypassGroupCheck?: boolean;
+  };
+}
+```
+```yaml
+# config/default.yaml
+toolGroupAccess:
+  defaultGroup: "DOMAIN\\MCP-Users"
+  bypassGroupCheck: false
+  tools:
+    get_public_data:
+      public: true
+    get_user_data:
+      requiredGroup: "DOMAIN\\MCP-Users"
+    admin_operation:
+      requiredGroup: "DOMAIN\\MCP-Admins"
+```
+```typescript
+// src/tools/handle-tool-call.ts
+async function checkToolAccess(toolName: string, payload: IToolHandlerParams['payload']) {
+  const toolAccess = config.toolGroupAccess;
+  if (toolAccess.bypassGroupCheck) return;
+  const toolConfig = toolAccess.tools[toolName];
+  if (toolConfig?.public) return;
+  if (!payload?.user) throw new ToolExecutionError(toolName, 'User info unavailable');
+  const requiredGroup = toolConfig?.requiredGroup || toolAccess.defaultGroup;
+  if (!requiredGroup) return;
+  const isInGroup = await isUserInGroup(payload.user, requiredGroup);
+  if (!isInGroup) {
+    throw new ToolExecutionError(toolName, `Forbidden: User not in '${requiredGroup}'`);
+  }
+}
+export const handleToolCall = async (params: IToolHandlerParams) => {
+  await checkToolAccess(params.name, params.payload);
+  // ... tool switch logic
+};
+```
+## Authorization Levels Summary
+| Level | Location | Error Type | Use Case |
+|-------|----------|------------|----------|
+| Pre-auth bypass | `customAuthValidator` | HTTP 401 | Allow alternative credentials (no `Authorization` header) |
+| HTTP Server (post-auth) | `httpComponents.apiRouter` + `getMultiAuthError` | HTTP 403 | Block completely after identity is known |
+| All Tools | `toolHandler` (global) | MCP Error | Allow HTTP, restrict tools |
+| Per Tool | `toolHandler` (per-tool) | MCP Error | Fine-grained permissions |
+> `customAuthValidator` is a **pre-auth** hook — it runs before standard auth and before `authInfo`
+> is available. Use it to allow alternative credentials, not to check group membership.
+> For group checks that require a verified username, use `httpComponents.apiRouter` (post-auth)
+> or `toolHandler` (per-call).