kavachos 0.0.1

package/dist/mcp/index.js

@@ -0,0 +1,1005 @@
+import '../chunk-PZ5AY32C.js';
+import { z } from 'zod';
+import { getRandomValues, randomUUID } from 'crypto';
+import { jwtVerify, SignJWT } from 'jose';
+
+var McpClientRegistrationSchema = z.object({
+  redirect_uris: z.array(z.string().url()),
+  token_endpoint_auth_method: z.enum(["none", "client_secret_basic", "client_secret_post"]).default("client_secret_basic").optional(),
+  grant_types: z.array(z.enum(["authorization_code", "refresh_token"])).default(["authorization_code"]).optional(),
+  response_types: z.array(z.enum(["code"])).default(["code"]).optional(),
+  client_name: z.string().optional(),
+  client_uri: z.string().url().optional(),
+  logo_uri: z.string().url().optional(),
+  scope: z.string().optional(),
+  contacts: z.array(z.string()).optional(),
+  tos_uri: z.string().url().optional(),
+  policy_uri: z.string().url().optional(),
+  software_id: z.string().optional(),
+  software_version: z.string().optional()
+});
+var McpAuthorizeRequestSchema = z.object({
+  response_type: z.literal("code"),
+  client_id: z.string().min(1),
+  redirect_uri: z.string().min(1),
+  scope: z.string().optional(),
+  state: z.string().optional(),
+  code_challenge: z.string().min(43).max(128),
+  code_challenge_method: z.literal("S256"),
+  resource: z.string().url().optional()
+});
+var McpTokenRequestSchema = z.discriminatedUnion("grant_type", [
+  z.object({
+    grant_type: z.literal("authorization_code"),
+    code: z.string().min(1),
+    redirect_uri: z.string().min(1),
+    client_id: z.string().min(1),
+    client_secret: z.string().optional(),
+    code_verifier: z.string().min(43).max(128),
+    resource: z.string().url().optional()
+  }),
+  z.object({
+    grant_type: z.literal("refresh_token"),
+    refresh_token: z.string().min(1),
+    client_id: z.string().min(1),
+    client_secret: z.string().optional(),
+    scope: z.string().optional(),
+    resource: z.string().url().optional()
+  })
+]);
+function generateSecureToken(byteLength) {
+  const bytes = new Uint8Array(byteLength);
+  getRandomValues(bytes);
+  return uint8ArrayToBase64Url(bytes);
+}
+function generateAuthorizationCode() {
+  return randomUUID();
+}
+async function computeS256Challenge(codeVerifier) {
+  const encoder = new TextEncoder();
+  const data = encoder.encode(codeVerifier);
+  const digest = await globalThis.crypto.subtle.digest("SHA-256", data);
+  return uint8ArrayToBase64Url(new Uint8Array(digest));
+}
+async function verifyS256(codeVerifier, codeChallenge) {
+  const computed = await computeS256Challenge(codeVerifier);
+  return timingSafeEqual(computed, codeChallenge);
+}
+function timingSafeEqual(a, b) {
+  if (a.length !== b.length) {
+    return false;
+  }
+  const encoder = new TextEncoder();
+  const bufA = encoder.encode(a);
+  const bufB = encoder.encode(b);
+  let diff = 0;
+  for (let i = 0; i < bufA.length; i++) {
+    diff |= bufA[i] ^ bufB[i];
+  }
+  return diff === 0;
+}
+function uint8ArrayToBase64Url(bytes) {
+  let binary = "";
+  for (let i = 0; i < bytes.length; i++) {
+    binary += String.fromCharCode(bytes[i]);
+  }
+  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+async function parseRequestBody(request) {
+  const contentType = request.headers.get("content-type") ?? "";
+  if (contentType.includes("application/x-www-form-urlencoded")) {
+    const text = await request.text();
+    const params = new URLSearchParams(text);
+    const result = {};
+    for (const [key, value] of params.entries()) {
+      result[key] = value;
+    }
+    return result;
+  }
+  if (contentType.includes("application/json")) {
+    const json = await request.json();
+    if (typeof json === "object" && json !== null) {
+      const result = {};
+      for (const [key, value] of Object.entries(json)) {
+        if (typeof value === "string") {
+          result[key] = value;
+        }
+      }
+      return result;
+    }
+  }
+  return {};
+}
+function extractBasicAuth(request) {
+  const authorization = request.headers.get("authorization");
+  if (!authorization?.startsWith("Basic ")) {
+    return null;
+  }
+  try {
+    const encoded = authorization.slice(6);
+    const decoded = atob(encoded);
+    const colonIndex = decoded.indexOf(":");
+    if (colonIndex === -1) {
+      return null;
+    }
+    const id = decoded.slice(0, colonIndex);
+    const secret = decoded.slice(colonIndex + 1);
+    if (!id || !secret) {
+      return null;
+    }
+    return [id, secret];
+  } catch {
+    return null;
+  }
+}
+function extractBearerToken(request) {
+  const authorization = request.headers.get("authorization");
+  if (!authorization?.startsWith("Bearer ")) {
+    return null;
+  }
+  return authorization.slice(7);
+}
+
+// src/mcp/authorize.ts
+async function handleAuthorize(ctx, request) {
+  const url = new URL(request.url);
+  const params = {};
+  for (const [key, value] of url.searchParams.entries()) {
+    params[key] = value;
+  }
+  const parsed = McpAuthorizeRequestSchema.safeParse(params);
+  if (!parsed.success) {
+    return {
+      success: false,
+      error: {
+        code: "INVALID_REQUEST",
+        message: "Invalid authorization request parameters",
+        details: { issues: parsed.error.flatten().fieldErrors }
+      }
+    };
+  }
+  const {
+    client_id: clientId,
+    redirect_uri: redirectUri,
+    scope: scopeParam,
+    state,
+    code_challenge: codeChallenge,
+    code_challenge_method: codeChallengeMethod,
+    resource
+  } = parsed.data;
+  const client = await ctx.findClient(clientId);
+  if (!client) {
+    return {
+      success: false,
+      error: {
+        code: "INVALID_CLIENT",
+        message: `Unknown client_id: ${clientId}`
+      }
+    };
+  }
+  if (client.disabled) {
+    return {
+      success: false,
+      error: {
+        code: "INVALID_CLIENT",
+        message: "Client is disabled"
+      }
+    };
+  }
+  if (!client.redirectUris.includes(redirectUri)) {
+    return {
+      success: false,
+      error: {
+        code: "INVALID_REDIRECT_URI",
+        message: "redirect_uri does not match any registered redirect URI"
+      }
+    };
+  }
+  if (codeChallengeMethod !== "S256") {
+    return {
+      success: false,
+      error: {
+        code: "INVALID_REQUEST",
+        message: "Only S256 code_challenge_method is supported"
+      }
+    };
+  }
+  if (resource !== void 0) {
+    const allowedResources = ctx.config.allowedResources;
+    if (allowedResources && allowedResources.length > 0) {
+      if (!allowedResources.includes(resource)) {
+        return {
+          success: false,
+          error: {
+            code: "INVALID_TARGET",
+            message: `Resource '${resource}' is not a recognized MCP server`
+          }
+        };
+      }
+    }
+  }
+  const requestedScopes = scopeParam ? scopeParam.split(" ").filter(Boolean) : [];
+  const supportedScopes = new Set(ctx.config.scopes ?? []);
+  const defaultScopes = /* @__PURE__ */ new Set(["openid", "profile", "email", "offline_access"]);
+  const allSupported = /* @__PURE__ */ new Set([...supportedScopes, ...defaultScopes]);
+  for (const scope of requestedScopes) {
+    if (!allSupported.has(scope)) {
+      return {
+        success: false,
+        error: {
+          code: "INVALID_SCOPE",
+          message: `Unsupported scope: ${scope}`
+        }
+      };
+    }
+  }
+  const effectiveScopes = requestedScopes.length > 0 ? requestedScopes : ["openid"];
+  const userId = await ctx.resolveUserId(request);
+  if (!userId) {
+    return {
+      success: false,
+      error: {
+        code: "LOGIN_REQUIRED",
+        message: "User must be authenticated before authorization",
+        details: {
+          loginPage: ctx.config.loginPage,
+          // Pass all original query params so the login page can redirect back
+          returnTo: request.url
+        }
+      }
+    };
+  }
+  const code = generateAuthorizationCode();
+  const now = /* @__PURE__ */ new Date();
+  const expiresAt = new Date(now.getTime() + ctx.config.codeTtl * 1e3);
+  const authCode = {
+    code,
+    clientId,
+    userId,
+    redirectUri,
+    scope: effectiveScopes,
+    codeChallenge,
+    codeChallengeMethod: "S256",
+    resource: resource ?? null,
+    expiresAt,
+    createdAt: now
+  };
+  await ctx.storeAuthorizationCode(authCode);
+  const redirectUrl = new URL(redirectUri);
+  redirectUrl.searchParams.set("code", code);
+  if (state) {
+    redirectUrl.searchParams.set("state", state);
+  }
+  return {
+    success: true,
+    data: {
+      redirectUri: redirectUrl.toString(),
+      code,
+      state: state ?? null
+    }
+  };
+}
+
+// src/mcp/metadata.ts
+function getAuthorizationServerMetadata(ctx) {
+  const { issuer, baseUrl, scopes } = ctx.config;
+  const defaultScopes = ["openid", "profile", "email", "offline_access"];
+  const allScopes = [.../* @__PURE__ */ new Set([...defaultScopes, ...scopes ?? []])];
+  return {
+    issuer,
+    authorization_endpoint: `${baseUrl}/mcp/authorize`,
+    token_endpoint: `${baseUrl}/mcp/token`,
+    registration_endpoint: `${baseUrl}/mcp/register`,
+    jwks_uri: `${baseUrl}/mcp/jwks`,
+    scopes_supported: allScopes,
+    response_types_supported: ["code"],
+    response_modes_supported: ["query"],
+    grant_types_supported: ["authorization_code", "refresh_token"],
+    token_endpoint_auth_methods_supported: ["client_secret_basic", "client_secret_post", "none"],
+    code_challenge_methods_supported: ["S256"],
+    revocation_endpoint: `${baseUrl}/mcp/revoke`
+  };
+}
+function getProtectedResourceMetadata(ctx) {
+  const { issuer, baseUrl, scopes } = ctx.config;
+  const defaultScopes = ["openid", "profile", "email", "offline_access"];
+  const allScopes = [.../* @__PURE__ */ new Set([...defaultScopes, ...scopes ?? []])];
+  return {
+    resource: issuer,
+    authorization_servers: [issuer],
+    jwks_uri: `${baseUrl}/mcp/jwks`,
+    scopes_supported: allScopes,
+    bearer_methods_supported: ["header"],
+    resource_signing_alg_values_supported: ["HS256"]
+  };
+}
+async function resolveClientIdMetadataDocument(clientId) {
+  try {
+    const url = new URL(clientId);
+    if (url.protocol !== "https:") {
+      return null;
+    }
+    const response = await fetch(clientId, {
+      headers: { Accept: "application/json" },
+      signal: AbortSignal.timeout(5e3)
+    });
+    if (!response.ok) {
+      return null;
+    }
+    const metadata = await response.json();
+    if (Array.isArray(metadata.redirect_uris)) {
+      return metadata.redirect_uris;
+    }
+    return null;
+  } catch {
+    return null;
+  }
+}
+async function registerClient(ctx, body) {
+  const parsed = McpClientRegistrationSchema.safeParse(body);
+  if (!parsed.success) {
+    return {
+      success: false,
+      error: {
+        code: "INVALID_CLIENT_METADATA",
+        message: "Invalid client registration request",
+        details: { issues: parsed.error.flatten().fieldErrors }
+      }
+    };
+  }
+  const data = parsed.data;
+  const redirectUris = data.redirect_uris;
+  const grantTypes = data.grant_types ?? ["authorization_code"];
+  const responseTypes = data.response_types ?? ["code"];
+  const authMethod = data.token_endpoint_auth_method ?? "client_secret_basic";
+  if (grantTypes.includes("authorization_code") && redirectUris.length === 0) {
+    return {
+      success: false,
+      error: {
+        code: "INVALID_REDIRECT_URI",
+        message: "redirect_uris are required when grant_types includes authorization_code"
+      }
+    };
+  }
+  if (grantTypes.includes("authorization_code") && !responseTypes.includes("code")) {
+    return {
+      success: false,
+      error: {
+        code: "INVALID_CLIENT_METADATA",
+        message: "response_types must include 'code' when grant_types includes 'authorization_code'"
+      }
+    };
+  }
+  for (const uri of redirectUris) {
+    try {
+      const parsed2 = new URL(uri);
+      if (parsed2.protocol !== "https:" && parsed2.hostname !== "localhost" && parsed2.hostname !== "127.0.0.1" && parsed2.hostname !== "[::1]") {
+        return {
+          success: false,
+          error: {
+            code: "INVALID_REDIRECT_URI",
+            message: `redirect_uri must use HTTPS (or localhost for development): ${uri}`
+          }
+        };
+      }
+      if (parsed2.hash) {
+        return {
+          success: false,
+          error: {
+            code: "INVALID_REDIRECT_URI",
+            message: `redirect_uri must not contain a fragment: ${uri}`
+          }
+        };
+      }
+    } catch {
+      return {
+        success: false,
+        error: {
+          code: "INVALID_REDIRECT_URI",
+          message: `redirect_uri is not a valid URL: ${uri}`
+        }
+      };
+    }
+  }
+  const clientId = randomUUID();
+  const isPublic = authMethod === "none";
+  const clientSecret = isPublic ? null : generateSecureToken(48);
+  if (data.client_uri) {
+    const metadataUris = await resolveClientIdMetadataDocument(data.client_uri);
+    if (metadataUris !== null) {
+      const metadataSet = new Set(metadataUris);
+      const mismatched = redirectUris.filter((u) => !metadataSet.has(u));
+      if (mismatched.length > 0) {
+        return {
+          success: false,
+          error: {
+            code: "INVALID_REDIRECT_URI",
+            message: "redirect_uris do not match those in the Client ID Metadata Document",
+            details: { mismatched }
+          }
+        };
+      }
+    }
+  }
+  const now = /* @__PURE__ */ new Date();
+  const client = {
+    clientId,
+    clientSecret,
+    clientName: data.client_name ?? null,
+    clientUri: data.client_uri ?? null,
+    logoUri: data.logo_uri ?? null,
+    redirectUris,
+    grantTypes,
+    responseTypes,
+    tokenEndpointAuthMethod: authMethod,
+    scope: data.scope ?? null,
+    contacts: data.contacts ?? null,
+    tosUri: data.tos_uri ?? null,
+    policyUri: data.policy_uri ?? null,
+    softwareId: data.software_id ?? null,
+    softwareVersion: data.software_version ?? null,
+    clientType: isPublic ? "public" : "confidential",
+    disabled: false,
+    userId: null,
+    createdAt: now,
+    updatedAt: now
+  };
+  await ctx.storeClient(client);
+  const response = {
+    client_id: clientId,
+    client_id_issued_at: Math.floor(now.getTime() / 1e3),
+    redirect_uris: redirectUris,
+    token_endpoint_auth_method: authMethod,
+    grant_types: grantTypes,
+    response_types: responseTypes,
+    ...data.client_name ? { client_name: data.client_name } : {},
+    ...data.client_uri ? { client_uri: data.client_uri } : {},
+    ...data.logo_uri ? { logo_uri: data.logo_uri } : {},
+    ...data.scope ? { scope: data.scope } : {},
+    ...data.contacts ? { contacts: data.contacts } : {},
+    ...data.tos_uri ? { tos_uri: data.tos_uri } : {},
+    ...data.policy_uri ? { policy_uri: data.policy_uri } : {},
+    ...data.software_id ? { software_id: data.software_id } : {},
+    ...data.software_version ? { software_version: data.software_version } : {},
+    ...clientSecret !== null ? { client_secret: clientSecret, client_secret_expires_at: 0 } : {}
+  };
+  return { success: true, data: response };
+}
+async function getSigningKey(secret) {
+  const encoder = new TextEncoder();
+  return globalThis.crypto.subtle.importKey(
+    "raw",
+    encoder.encode(secret),
+    { name: "HMAC", hash: "SHA-256" },
+    false,
+    ["sign", "verify"]
+  );
+}
+async function issueAccessTokenJwt(ctx, userId, clientId, scopes, resource) {
+  const secret = ctx.config.signingSecret;
+  if (!secret) {
+    throw new Error("MCP signingSecret is required to issue tokens");
+  }
+  const key = await getSigningKey(secret);
+  const jti = randomUUID();
+  const now = Math.floor(Date.now() / 1e3);
+  const exp = now + ctx.config.accessTokenTtl;
+  const expiresAt = new Date(exp * 1e3);
+  const audience = resource ?? ctx.config.issuer;
+  const jwt = await new SignJWT({
+    sub: userId,
+    client_id: clientId,
+    scope: scopes.join(" "),
+    jti
+  }).setProtectedHeader({ alg: "HS256", typ: "at+jwt" }).setIssuer(ctx.config.issuer).setAudience(audience).setIssuedAt(now).setExpirationTime(exp).sign(key);
+  return { jwt, jti, expiresAt };
+}
+function resolveClientCredentials(request, body) {
+  const basicAuth = extractBasicAuth(request);
+  if (basicAuth) {
+    return { clientId: basicAuth[0], clientSecret: basicAuth[1] };
+  }
+  const clientId = body.client_id;
+  if (!clientId) {
+    return null;
+  }
+  return {
+    clientId,
+    clientSecret: body.client_secret ?? null
+  };
+}
+async function handleTokenExchange(ctx, request) {
+  const body = await parseRequestBody(request);
+  const credentials = resolveClientCredentials(request, body);
+  if (!credentials) {
+    return {
+      success: false,
+      error: {
+        code: "INVALID_CLIENT",
+        message: "client_id is required"
+      }
+    };
+  }
+  body.client_id = credentials.clientId;
+  if (credentials.clientSecret) {
+    body.client_secret = credentials.clientSecret;
+  }
+  const parsed = McpTokenRequestSchema.safeParse(body);
+  if (!parsed.success) {
+    return {
+      success: false,
+      error: {
+        code: "INVALID_REQUEST",
+        message: "Invalid token request",
+        details: { issues: parsed.error.flatten().fieldErrors }
+      }
+    };
+  }
+  const data = parsed.data;
+  if (data.grant_type === "authorization_code") {
+    return handleAuthorizationCodeGrant(ctx, data, credentials.clientSecret);
+  }
+  return handleRefreshTokenGrant(ctx, data, credentials.clientSecret);
+}
+async function handleAuthorizationCodeGrant(ctx, data, clientSecret) {
+  const client = await ctx.findClient(data.client_id);
+  if (!client) {
+    return {
+      success: false,
+      error: { code: "INVALID_CLIENT", message: "Unknown client_id" }
+    };
+  }
+  if (client.disabled) {
+    return {
+      success: false,
+      error: { code: "INVALID_CLIENT", message: "Client is disabled" }
+    };
+  }
+  if (client.clientType === "confidential") {
+    if (!clientSecret || clientSecret !== client.clientSecret) {
+      return {
+        success: false,
+        error: { code: "INVALID_CLIENT", message: "Invalid client_secret" }
+      };
+    }
+  }
+  const authCode = await ctx.consumeAuthorizationCode(data.code);
+  if (!authCode) {
+    return {
+      success: false,
+      error: { code: "INVALID_GRANT", message: "Invalid or expired authorization code" }
+    };
+  }
+  if (authCode.expiresAt < /* @__PURE__ */ new Date()) {
+    return {
+      success: false,
+      error: { code: "INVALID_GRANT", message: "Authorization code has expired" }
+    };
+  }
+  if (authCode.clientId !== data.client_id) {
+    return {
+      success: false,
+      error: { code: "INVALID_GRANT", message: "client_id does not match authorization code" }
+    };
+  }
+  if (authCode.redirectUri !== data.redirect_uri) {
+    return {
+      success: false,
+      error: {
+        code: "INVALID_GRANT",
+        message: "redirect_uri does not match authorization code"
+      }
+    };
+  }
+  const pkceValid = await verifyS256(data.code_verifier, authCode.codeChallenge);
+  if (!pkceValid) {
+    return {
+      success: false,
+      error: { code: "INVALID_GRANT", message: "PKCE code_verifier verification failed" }
+    };
+  }
+  if (data.resource !== void 0 && authCode.resource !== null) {
+    if (data.resource !== authCode.resource) {
+      return {
+        success: false,
+        error: {
+          code: "INVALID_TARGET",
+          message: "resource parameter does not match authorization code"
+        }
+      };
+    }
+  }
+  const resource = data.resource ?? authCode.resource;
+  const { jwt, expiresAt } = await issueAccessTokenJwt(
+    ctx,
+    authCode.userId,
+    data.client_id,
+    authCode.scope,
+    resource
+  );
+  const includeRefreshToken = authCode.scope.includes("offline_access");
+  const refreshToken = includeRefreshToken ? generateSecureToken(48) : null;
+  const tokenRecord = {
+    accessToken: jwt,
+    refreshToken,
+    tokenType: "Bearer",
+    expiresIn: ctx.config.accessTokenTtl,
+    scope: authCode.scope,
+    clientId: data.client_id,
+    userId: authCode.userId,
+    resource,
+    expiresAt,
+    createdAt: /* @__PURE__ */ new Date()
+  };
+  await ctx.storeToken(tokenRecord);
+  const response = {
+    access_token: jwt,
+    token_type: "Bearer",
+    expires_in: ctx.config.accessTokenTtl,
+    scope: authCode.scope.join(" "),
+    ...refreshToken ? { refresh_token: refreshToken } : {}
+  };
+  return { success: true, data: response };
+}
+async function handleRefreshTokenGrant(ctx, data, clientSecret) {
+  const client = await ctx.findClient(data.client_id);
+  if (!client) {
+    return {
+      success: false,
+      error: { code: "INVALID_CLIENT", message: "Unknown client_id" }
+    };
+  }
+  if (client.disabled) {
+    return {
+      success: false,
+      error: { code: "INVALID_CLIENT", message: "Client is disabled" }
+    };
+  }
+  if (client.clientType === "confidential") {
+    if (!clientSecret || clientSecret !== client.clientSecret) {
+      return {
+        success: false,
+        error: { code: "INVALID_CLIENT", message: "Invalid client_secret" }
+      };
+    }
+  }
+  const existingToken = await ctx.findTokenByRefreshToken(data.refresh_token);
+  if (!existingToken) {
+    return {
+      success: false,
+      error: { code: "INVALID_GRANT", message: "Invalid refresh token" }
+    };
+  }
+  if (existingToken.clientId !== data.client_id) {
+    return {
+      success: false,
+      error: { code: "INVALID_GRANT", message: "client_id does not match refresh token" }
+    };
+  }
+  const refreshExpiry = new Date(
+    existingToken.createdAt.getTime() + ctx.config.refreshTokenTtl * 1e3
+  );
+  if (refreshExpiry < /* @__PURE__ */ new Date()) {
+    return {
+      success: false,
+      error: { code: "INVALID_GRANT", message: "Refresh token has expired" }
+    };
+  }
+  const scopes = data.scope ? data.scope.split(" ").filter((s) => existingToken.scope.includes(s)) : existingToken.scope;
+  const resource = data.resource ?? existingToken.resource;
+  await ctx.revokeToken(existingToken.accessToken);
+  const { jwt, expiresAt } = await issueAccessTokenJwt(
+    ctx,
+    existingToken.userId,
+    data.client_id,
+    scopes,
+    resource
+  );
+  const newRefreshToken = generateSecureToken(48);
+  const tokenRecord = {
+    accessToken: jwt,
+    refreshToken: newRefreshToken,
+    tokenType: "Bearer",
+    expiresIn: ctx.config.accessTokenTtl,
+    scope: scopes,
+    clientId: data.client_id,
+    userId: existingToken.userId,
+    resource,
+    expiresAt,
+    createdAt: /* @__PURE__ */ new Date()
+  };
+  await ctx.storeToken(tokenRecord);
+  const response = {
+    access_token: jwt,
+    token_type: "Bearer",
+    expires_in: ctx.config.accessTokenTtl,
+    refresh_token: newRefreshToken,
+    scope: scopes.join(" ")
+  };
+  return { success: true, data: response };
+}
+async function getVerificationKey(secret) {
+  const encoder = new TextEncoder();
+  return globalThis.crypto.subtle.importKey(
+    "raw",
+    encoder.encode(secret),
+    { name: "HMAC", hash: "SHA-256" },
+    false,
+    ["verify"]
+  );
+}
+async function validateAccessToken(ctx, token, options) {
+  const secret = ctx.config.signingSecret;
+  if (!secret) {
+    return {
+      success: false,
+      error: {
+        code: "SERVER_ERROR",
+        message: "MCP signingSecret is not configured"
+      }
+    };
+  }
+  let payload;
+  try {
+    const key = await getVerificationKey(secret);
+    const result = await jwtVerify(token, key, {
+      issuer: ctx.config.issuer,
+      algorithms: ["HS256"],
+      ...options?.expectedAudience ? { audience: options.expectedAudience } : {}
+    });
+    payload = result.payload;
+  } catch (err) {
+    const message = err instanceof Error ? err.message : "Token verification failed";
+    let code = "INVALID_TOKEN";
+    if (message.includes("expired")) {
+      code = "TOKEN_EXPIRED";
+    } else if (message.includes("audience")) {
+      code = "INVALID_AUDIENCE";
+    } else if (message.includes("issuer")) {
+      code = "INVALID_ISSUER";
+    }
+    return {
+      success: false,
+      error: { code, message }
+    };
+  }
+  if (!payload.sub || !payload.client_id || !payload.jti) {
+    return {
+      success: false,
+      error: {
+        code: "INVALID_TOKEN",
+        message: "Token is missing required claims (sub, client_id, jti)"
+      }
+    };
+  }
+  const audience = payload.aud;
+  if (!audience) {
+    return {
+      success: false,
+      error: {
+        code: "INVALID_AUDIENCE",
+        message: "Token has no audience claim. Tokens must be bound to a resource."
+      }
+    };
+  }
+  const tokenScopes = payload.scope ? payload.scope.split(" ") : [];
+  const requiredScopes = options?.requiredScopes ?? [];
+  for (const required of requiredScopes) {
+    if (!tokenScopes.includes(required)) {
+      return {
+        success: false,
+        error: {
+          code: "INSUFFICIENT_SCOPE",
+          message: `Token is missing required scope: ${required}`,
+          details: {
+            required: requiredScopes,
+            present: tokenScopes
+          }
+        }
+      };
+    }
+  }
+  const resource = Array.isArray(audience) ? audience[0] ?? null : audience;
+  const session = {
+    userId: payload.sub,
+    clientId: payload.client_id,
+    scopes: tokenScopes,
+    resource,
+    expiresAt: new Date(payload.exp * 1e3),
+    tokenId: payload.jti
+  };
+  return { success: true, data: session };
+}
+async function withMcpAuth(ctx, request, options) {
+  const token = extractBearerToken(request);
+  if (!token) {
+    const resourceMetadataUrl = `${ctx.config.baseUrl}/.well-known/oauth-protected-resource`;
+    return {
+      success: false,
+      error: {
+        code: "UNAUTHORIZED",
+        message: "Bearer token required",
+        details: {
+          "www-authenticate": `Bearer resource_metadata="${resourceMetadataUrl}"`
+        }
+      }
+    };
+  }
+  return validateAccessToken(ctx, token, options);
+}
+function buildUnauthorizedResponse(ctx, error) {
+  const resourceMetadataUrl = `${ctx.config.baseUrl}/.well-known/oauth-protected-resource`;
+  const wwwAuthenticate = `Bearer resource_metadata="${resourceMetadataUrl}"`;
+  return new Response(
+    JSON.stringify({
+      jsonrpc: "2.0",
+      error: {
+        code: -32e3,
+        message: error.message,
+        "www-authenticate": wwwAuthenticate
+      },
+      id: null
+    }),
+    {
+      status: 401,
+      headers: {
+        "Content-Type": "application/json",
+        "WWW-Authenticate": wwwAuthenticate,
+        "Access-Control-Expose-Headers": "WWW-Authenticate"
+      }
+    }
+  );
+}
+
+// src/mcp/server.ts
+var DEFAULT_ACCESS_TOKEN_TTL = 3600;
+var DEFAULT_REFRESH_TOKEN_TTL = 604800;
+var DEFAULT_CODE_TTL = 600;
+function createMcpModule(params) {
+  const config = params.config;
+  if (!config.issuer) {
+    throw new Error("McpConfig.issuer is required");
+  }
+  if (!config.baseUrl) {
+    throw new Error("McpConfig.baseUrl is required");
+  }
+  if (!config.signingSecret) {
+    throw new Error("McpConfig.signingSecret is required (>= 32 chars)");
+  }
+  if (config.signingSecret.length < 32) {
+    throw new Error("McpConfig.signingSecret must be at least 32 characters");
+  }
+  const resolvedConfig = {
+    ...config,
+    issuer: config.issuer,
+    baseUrl: config.baseUrl,
+    signingSecret: config.signingSecret,
+    accessTokenTtl: config.accessTokenTtl ?? DEFAULT_ACCESS_TOKEN_TTL,
+    refreshTokenTtl: config.refreshTokenTtl ?? DEFAULT_REFRESH_TOKEN_TTL,
+    codeTtl: config.codeTtl ?? DEFAULT_CODE_TTL
+  };
+  const ctx = {
+    config: resolvedConfig,
+    storeClient: params.storeClient,
+    findClient: params.findClient,
+    storeAuthorizationCode: params.storeAuthorizationCode,
+    consumeAuthorizationCode: params.consumeAuthorizationCode,
+    storeToken: params.storeToken,
+    findTokenByRefreshToken: params.findTokenByRefreshToken,
+    revokeToken: params.revokeToken,
+    resolveUserId: params.resolveUserId
+  };
+  return {
+    getMetadata: () => getAuthorizationServerMetadata(ctx),
+    getProtectedResourceMetadata: () => getProtectedResourceMetadata(ctx),
+    registerClient: (body) => registerClient(ctx, body),
+    authorize: (request) => handleAuthorize(ctx, request),
+    token: (request) => handleTokenExchange(ctx, request),
+    validateToken: (token, requiredScopes) => validateAccessToken(ctx, token, { requiredScopes }),
+    middleware: (request) => withMcpAuth(ctx, request)
+  };
+}
+function createMcpResponseHelpers(ctx) {
+  const corsHeaders = {
+    "Access-Control-Allow-Origin": "*",
+    "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
+    "Access-Control-Allow-Headers": "Content-Type, Authorization",
+    "Access-Control-Max-Age": "86400"
+  };
+  return {
+    /** Metadata endpoints: 200 with JSON */
+    metadataResponse: (data) => new Response(JSON.stringify(data), {
+      status: 200,
+      headers: {
+        "Content-Type": "application/json",
+        ...corsHeaders
+      }
+    }),
+    /** Registration: 201 with Cache-Control: no-store */
+    registrationResponse: (result) => {
+      if (!result.success) {
+        return new Response(
+          JSON.stringify({
+            error: "invalid_client_metadata",
+            error_description: result.error.message
+          }),
+          {
+            status: 400,
+            headers: { "Content-Type": "application/json", ...corsHeaders }
+          }
+        );
+      }
+      return new Response(JSON.stringify(result.data), {
+        status: 201,
+        headers: {
+          "Content-Type": "application/json",
+          "Cache-Control": "no-store",
+          Pragma: "no-cache",
+          ...corsHeaders
+        }
+      });
+    },
+    /** Authorization: 302 redirect or error */
+    authorizeResponse: (result) => {
+      if (!result.success) {
+        if (result.error.code === "LOGIN_REQUIRED") {
+          const details = result.error.details;
+          if (details?.loginPage) {
+            const loginUrl = new URL(details.loginPage);
+            if (details.returnTo) {
+              loginUrl.searchParams.set("returnTo", details.returnTo);
+            }
+            return Response.redirect(loginUrl.toString(), 302);
+          }
+        }
+        return new Response(
+          JSON.stringify({
+            error: result.error.code.toLowerCase(),
+            error_description: result.error.message
+          }),
+          {
+            status: 400,
+            headers: { "Content-Type": "application/json" }
+          }
+        );
+      }
+      return Response.redirect(result.data.redirectUri, 302);
+    },
+    /** Token: 200 with Cache-Control: no-store or error */
+    tokenResponse: (result) => {
+      if (!result.success) {
+        const status = result.error.code === "INVALID_CLIENT" ? 401 : 400;
+        return new Response(
+          JSON.stringify({
+            error: result.error.code.toLowerCase(),
+            error_description: result.error.message
+          }),
+          {
+            status,
+            headers: {
+              "Content-Type": "application/json",
+              "Cache-Control": "no-store",
+              Pragma: "no-cache",
+              ...corsHeaders
+            }
+          }
+        );
+      }
+      return new Response(JSON.stringify(result.data), {
+        status: 200,
+        headers: {
+          "Content-Type": "application/json",
+          "Cache-Control": "no-store",
+          Pragma: "no-cache",
+          ...corsHeaders
+        }
+      });
+    },
+    /** Auth failure in JSON-RPC format for MCP resource servers */
+    unauthorizedResponse: (error) => buildUnauthorizedResponse(ctx, error)
+  };
+}
+
+export { McpAuthorizeRequestSchema, McpClientRegistrationSchema, McpTokenRequestSchema, buildUnauthorizedResponse, computeS256Challenge, createMcpModule, createMcpResponseHelpers, extractBasicAuth, extractBearerToken, generateSecureToken, getAuthorizationServerMetadata, getProtectedResourceMetadata, handleAuthorize, handleTokenExchange, parseRequestBody, registerClient, validateAccessToken, verifyS256, withMcpAuth };
+//# sourceMappingURL=index.js.map
+//# sourceMappingURL=index.js.map