npm - mcp-server-framework - Versions diffs - 1.0.0 - Mend

mcp-server-framework 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (673) hide show

package/CHANGELOG.md +174 -0
package/LICENSE-GPL.md +219 -0
package/LICENSE.md +187 -0
package/README.md +439 -0
package/build/config/config-cache.d.ts +120 -0
package/build/config/config-cache.d.ts.map +1 -0
package/build/config/config-cache.js +310 -0
package/build/config/config-cache.js.map +1 -0
package/build/config/env.d.ts +476 -0
package/build/config/env.d.ts.map +1 -0
package/build/config/env.js +441 -0
package/build/config/env.js.map +1 -0
package/build/config/extensions.d.ts +107 -0
package/build/config/extensions.d.ts.map +1 -0
package/build/config/extensions.js +152 -0
package/build/config/extensions.js.map +1 -0
package/build/config/file/index.d.ts +8 -0
package/build/config/file/index.d.ts.map +1 -0
package/build/config/file/index.js +10 -0
package/build/config/file/index.js.map +1 -0
package/build/config/file/loader.d.ts +31 -0
package/build/config/file/loader.d.ts.map +1 -0
package/build/config/file/loader.js +313 -0
package/build/config/file/loader.js.map +1 -0
package/build/config/file/schema.d.ts +583 -0
package/build/config/file/schema.d.ts.map +1 -0
package/build/config/file/schema.js +388 -0
package/build/config/file/schema.js.map +1 -0
package/build/config/index.d.ts +15 -0
package/build/config/index.d.ts.map +1 -0
package/build/config/index.js +27 -0
package/build/config/index.js.map +1 -0
package/build/config/startup-warnings.d.ts +46 -0
package/build/config/startup-warnings.d.ts.map +1 -0
package/build/config/startup-warnings.js +61 -0
package/build/config/startup-warnings.js.map +1 -0
package/build/connection/connection-state.d.ts +196 -0
package/build/connection/connection-state.d.ts.map +1 -0
package/build/connection/connection-state.js +426 -0
package/build/connection/connection-state.js.map +1 -0
package/build/connection/core/base.d.ts +43 -0
package/build/connection/core/base.d.ts.map +1 -0
package/build/connection/core/base.js +82 -0
package/build/connection/core/base.js.map +1 -0
package/build/connection/core/constants.d.ts +121 -0
package/build/connection/core/constants.d.ts.map +1 -0
package/build/connection/core/constants.js +151 -0
package/build/connection/core/constants.js.map +1 -0
package/build/connection/core/index.d.ts +13 -0
package/build/connection/core/index.d.ts.map +1 -0
package/build/connection/core/index.js +14 -0
package/build/connection/core/index.js.map +1 -0
package/build/connection/core/types.d.ts +102 -0
package/build/connection/core/types.d.ts.map +1 -0
package/build/connection/core/types.js +31 -0
package/build/connection/core/types.js.map +1 -0
package/build/connection/index.d.ts +19 -0
package/build/connection/index.d.ts.map +1 -0
package/build/connection/index.js +22 -0
package/build/connection/index.js.map +1 -0
package/build/connection/types.d.ts +125 -0
package/build/connection/types.d.ts.map +1 -0
package/build/connection/types.js +39 -0
package/build/connection/types.js.map +1 -0
package/build/errors/categories/auth.d.ts +59 -0
package/build/errors/categories/auth.d.ts.map +1 -0
package/build/errors/categories/auth.js +111 -0
package/build/errors/categories/auth.js.map +1 -0
package/build/errors/categories/connection.d.ts +70 -0
package/build/errors/categories/connection.d.ts.map +1 -0
package/build/errors/categories/connection.js +120 -0
package/build/errors/categories/connection.js.map +1 -0
package/build/errors/categories/index.d.ts +14 -0
package/build/errors/categories/index.d.ts.map +1 -0
package/build/errors/categories/index.js +20 -0
package/build/errors/categories/index.js.map +1 -0
package/build/errors/categories/operation.d.ts +83 -0
package/build/errors/categories/operation.d.ts.map +1 -0
package/build/errors/categories/operation.js +149 -0
package/build/errors/categories/operation.js.map +1 -0
package/build/errors/categories/protocol.d.ts +68 -0
package/build/errors/categories/protocol.d.ts.map +1 -0
package/build/errors/categories/protocol.js +135 -0
package/build/errors/categories/protocol.js.map +1 -0
package/build/errors/categories/session.d.ts +50 -0
package/build/errors/categories/session.d.ts.map +1 -0
package/build/errors/categories/session.js +97 -0
package/build/errors/categories/session.js.map +1 -0
package/build/errors/categories/system.d.ts +95 -0
package/build/errors/categories/system.d.ts.map +1 -0
package/build/errors/categories/system.js +190 -0
package/build/errors/categories/system.js.map +1 -0
package/build/errors/categories/transport.d.ts +70 -0
package/build/errors/categories/transport.d.ts.map +1 -0
package/build/errors/categories/transport.js +148 -0
package/build/errors/categories/transport.js.map +1 -0
package/build/errors/categories/validation.d.ts +140 -0
package/build/errors/categories/validation.d.ts.map +1 -0
package/build/errors/categories/validation.js +311 -0
package/build/errors/categories/validation.js.map +1 -0
package/build/errors/core/base.d.ts +103 -0
package/build/errors/core/base.d.ts.map +1 -0
package/build/errors/core/base.js +219 -0
package/build/errors/core/base.js.map +1 -0
package/build/errors/core/constants.d.ts +40 -0
package/build/errors/core/constants.d.ts.map +1 -0
package/build/errors/core/constants.js +49 -0
package/build/errors/core/constants.js.map +1 -0
package/build/errors/core/error-codes.d.ts +72 -0
package/build/errors/core/error-codes.d.ts.map +1 -0
package/build/errors/core/error-codes.js +88 -0
package/build/errors/core/error-codes.js.map +1 -0
package/build/errors/core/http.d.ts +69 -0
package/build/errors/core/http.d.ts.map +1 -0
package/build/errors/core/http.js +106 -0
package/build/errors/core/http.js.map +1 -0
package/build/errors/core/index.d.ts +23 -0
package/build/errors/core/index.d.ts.map +1 -0
package/build/errors/core/index.js +41 -0
package/build/errors/core/index.js.map +1 -0
package/build/errors/core/json-rpc.d.ts +69 -0
package/build/errors/core/json-rpc.d.ts.map +1 -0
package/build/errors/core/json-rpc.js +79 -0
package/build/errors/core/json-rpc.js.map +1 -0
package/build/errors/core/messages.d.ts +51 -0
package/build/errors/core/messages.d.ts.map +1 -0
package/build/errors/core/messages.js +59 -0
package/build/errors/core/messages.js.map +1 -0
package/build/errors/core/types.d.ts +80 -0
package/build/errors/core/types.d.ts.map +1 -0
package/build/errors/core/types.js +10 -0
package/build/errors/core/types.js.map +1 -0
package/build/errors/factory.d.ts +199 -0
package/build/errors/factory.d.ts.map +1 -0
package/build/errors/factory.js +244 -0
package/build/errors/factory.js.map +1 -0
package/build/errors/index.d.ts +35 -0
package/build/errors/index.d.ts.map +1 -0
package/build/errors/index.js +67 -0
package/build/errors/index.js.map +1 -0
package/build/index.d.ts +93 -0
package/build/index.d.ts.map +1 -0
package/build/index.js +107 -0
package/build/index.js.map +1 -0
package/build/logger/core/constants.d.ts +143 -0
package/build/logger/core/constants.d.ts.map +1 -0
package/build/logger/core/constants.js +206 -0
package/build/logger/core/constants.js.map +1 -0
package/build/logger/core/context.d.ts +170 -0
package/build/logger/core/context.d.ts.map +1 -0
package/build/logger/core/context.js +237 -0
package/build/logger/core/context.js.map +1 -0
package/build/logger/core/errors.d.ts +101 -0
package/build/logger/core/errors.d.ts.map +1 -0
package/build/logger/core/errors.js +128 -0
package/build/logger/core/errors.js.map +1 -0
package/build/logger/core/format.d.ts +40 -0
package/build/logger/core/format.d.ts.map +1 -0
package/build/logger/core/format.js +47 -0
package/build/logger/core/format.js.map +1 -0
package/build/logger/core/index.d.ts +19 -0
package/build/logger/core/index.d.ts.map +1 -0
package/build/logger/core/index.js +47 -0
package/build/logger/core/index.js.map +1 -0
package/build/logger/core/trace-context.d.ts +51 -0
package/build/logger/core/trace-context.d.ts.map +1 -0
package/build/logger/core/trace-context.js +42 -0
package/build/logger/core/trace-context.js.map +1 -0
package/build/logger/core/types.d.ts +233 -0
package/build/logger/core/types.d.ts.map +1 -0
package/build/logger/core/types.js +10 -0
package/build/logger/core/types.js.map +1 -0
package/build/logger/factory.d.ts +150 -0
package/build/logger/factory.d.ts.map +1 -0
package/build/logger/factory.js +236 -0
package/build/logger/factory.js.map +1 -0
package/build/logger/formatters/index.d.ts +12 -0
package/build/logger/formatters/index.d.ts.map +1 -0
package/build/logger/formatters/index.js +15 -0
package/build/logger/formatters/index.js.map +1 -0
package/build/logger/formatters/json-formatter.d.ts +54 -0
package/build/logger/formatters/json-formatter.d.ts.map +1 -0
package/build/logger/formatters/json-formatter.js +80 -0
package/build/logger/formatters/json-formatter.js.map +1 -0
package/build/logger/formatters/schema.d.ts +230 -0
package/build/logger/formatters/schema.d.ts.map +1 -0
package/build/logger/formatters/schema.js +278 -0
package/build/logger/formatters/schema.js.map +1 -0
package/build/logger/formatters/text-formatter.d.ts +50 -0
package/build/logger/formatters/text-formatter.d.ts.map +1 -0
package/build/logger/formatters/text-formatter.js +93 -0
package/build/logger/formatters/text-formatter.js.map +1 -0
package/build/logger/index.d.ts +39 -0
package/build/logger/index.d.ts.map +1 -0
package/build/logger/index.js +43 -0
package/build/logger/index.js.map +1 -0
package/build/logger/logger.d.ts +278 -0
package/build/logger/logger.d.ts.map +1 -0
package/build/logger/logger.js +459 -0
package/build/logger/logger.js.map +1 -0
package/build/logger/mcp-logger.d.ts +177 -0
package/build/logger/mcp-logger.d.ts.map +1 -0
package/build/logger/mcp-logger.js +294 -0
package/build/logger/mcp-logger.js.map +1 -0
package/build/logger/scrubbing/index.d.ts +14 -0
package/build/logger/scrubbing/index.d.ts.map +1 -0
package/build/logger/scrubbing/index.js +16 -0
package/build/logger/scrubbing/index.js.map +1 -0
package/build/logger/scrubbing/injection-guard.d.ts +69 -0
package/build/logger/scrubbing/injection-guard.d.ts.map +1 -0
package/build/logger/scrubbing/injection-guard.js +102 -0
package/build/logger/scrubbing/injection-guard.js.map +1 -0
package/build/logger/scrubbing/secret-scrubber.d.ts +72 -0
package/build/logger/scrubbing/secret-scrubber.d.ts.map +1 -0
package/build/logger/scrubbing/secret-scrubber.js +177 -0
package/build/logger/scrubbing/secret-scrubber.js.map +1 -0
package/build/logger/writers/base-writer.d.ts +45 -0
package/build/logger/writers/base-writer.d.ts.map +1 -0
package/build/logger/writers/base-writer.js +41 -0
package/build/logger/writers/base-writer.js.map +1 -0
package/build/logger/writers/composite-writer.d.ts +83 -0
package/build/logger/writers/composite-writer.d.ts.map +1 -0
package/build/logger/writers/composite-writer.js +121 -0
package/build/logger/writers/composite-writer.js.map +1 -0
package/build/logger/writers/console-writer.d.ts +59 -0
package/build/logger/writers/console-writer.d.ts.map +1 -0
package/build/logger/writers/console-writer.js +73 -0
package/build/logger/writers/console-writer.js.map +1 -0
package/build/logger/writers/file-writer.d.ts +160 -0
package/build/logger/writers/file-writer.d.ts.map +1 -0
package/build/logger/writers/file-writer.js +345 -0
package/build/logger/writers/file-writer.js.map +1 -0
package/build/logger/writers/index.d.ts +15 -0
package/build/logger/writers/index.d.ts.map +1 -0
package/build/logger/writers/index.js +19 -0
package/build/logger/writers/index.js.map +1 -0
package/build/mcp/capabilities/apps/define-app.d.ts +68 -0
package/build/mcp/capabilities/apps/define-app.d.ts.map +1 -0
package/build/mcp/capabilities/apps/define-app.js +127 -0
package/build/mcp/capabilities/apps/define-app.js.map +1 -0
package/build/mcp/capabilities/apps/index.d.ts +10 -0
package/build/mcp/capabilities/apps/index.d.ts.map +1 -0
package/build/mcp/capabilities/apps/index.js +10 -0
package/build/mcp/capabilities/apps/index.js.map +1 -0
package/build/mcp/capabilities/capabilities.d.ts +24 -0
package/build/mcp/capabilities/capabilities.d.ts.map +1 -0
package/build/mcp/capabilities/capabilities.js +50 -0
package/build/mcp/capabilities/capabilities.js.map +1 -0
package/build/mcp/capabilities/index.d.ts +17 -0
package/build/mcp/capabilities/index.d.ts.map +1 -0
package/build/mcp/capabilities/index.js +20 -0
package/build/mcp/capabilities/index.js.map +1 -0
package/build/mcp/capabilities/prompts/define-prompt.d.ts +95 -0
package/build/mcp/capabilities/prompts/define-prompt.d.ts.map +1 -0
package/build/mcp/capabilities/prompts/define-prompt.js +109 -0
package/build/mcp/capabilities/prompts/define-prompt.js.map +1 -0
package/build/mcp/capabilities/prompts/index.d.ts +10 -0
package/build/mcp/capabilities/prompts/index.d.ts.map +1 -0
package/build/mcp/capabilities/prompts/index.js +10 -0
package/build/mcp/capabilities/prompts/index.js.map +1 -0
package/build/mcp/capabilities/registry/base-registry.d.ts +95 -0
package/build/mcp/capabilities/registry/base-registry.d.ts.map +1 -0
package/build/mcp/capabilities/registry/base-registry.js +149 -0
package/build/mcp/capabilities/registry/base-registry.js.map +1 -0
package/build/mcp/capabilities/registry/index.d.ts +16 -0
package/build/mcp/capabilities/registry/index.d.ts.map +1 -0
package/build/mcp/capabilities/registry/index.js +34 -0
package/build/mcp/capabilities/registry/index.js.map +1 -0
package/build/mcp/capabilities/registry/prompt-registry.d.ts +116 -0
package/build/mcp/capabilities/registry/prompt-registry.d.ts.map +1 -0
package/build/mcp/capabilities/registry/prompt-registry.js +232 -0
package/build/mcp/capabilities/registry/prompt-registry.js.map +1 -0
package/build/mcp/capabilities/registry/reset.d.ts +30 -0
package/build/mcp/capabilities/registry/reset.d.ts.map +1 -0
package/build/mcp/capabilities/registry/reset.js +48 -0
package/build/mcp/capabilities/registry/reset.js.map +1 -0
package/build/mcp/capabilities/registry/resource-registry.d.ts +152 -0
package/build/mcp/capabilities/registry/resource-registry.d.ts.map +1 -0
package/build/mcp/capabilities/registry/resource-registry.js +430 -0
package/build/mcp/capabilities/registry/resource-registry.js.map +1 -0
package/build/mcp/capabilities/registry/scope-enforcement.d.ts +48 -0
package/build/mcp/capabilities/registry/scope-enforcement.d.ts.map +1 -0
package/build/mcp/capabilities/registry/scope-enforcement.js +62 -0
package/build/mcp/capabilities/registry/scope-enforcement.js.map +1 -0
package/build/mcp/capabilities/registry/task-tool-registry.d.ts +96 -0
package/build/mcp/capabilities/registry/task-tool-registry.d.ts.map +1 -0
package/build/mcp/capabilities/registry/task-tool-registry.js +190 -0
package/build/mcp/capabilities/registry/task-tool-registry.js.map +1 -0
package/build/mcp/capabilities/registry/tool-registry.d.ts +100 -0
package/build/mcp/capabilities/registry/tool-registry.d.ts.map +1 -0
package/build/mcp/capabilities/registry/tool-registry.js +242 -0
package/build/mcp/capabilities/registry/tool-registry.js.map +1 -0
package/build/mcp/capabilities/resources/define-resource.d.ts +103 -0
package/build/mcp/capabilities/resources/define-resource.d.ts.map +1 -0
package/build/mcp/capabilities/resources/define-resource.js +137 -0
package/build/mcp/capabilities/resources/define-resource.js.map +1 -0
package/build/mcp/capabilities/resources/index.d.ts +10 -0
package/build/mcp/capabilities/resources/index.d.ts.map +1 -0
package/build/mcp/capabilities/resources/index.js +10 -0
package/build/mcp/capabilities/resources/index.js.map +1 -0
package/build/mcp/capabilities/server-capabilities.d.ts +33 -0
package/build/mcp/capabilities/server-capabilities.d.ts.map +1 -0
package/build/mcp/capabilities/server-capabilities.js +16 -0
package/build/mcp/capabilities/server-capabilities.js.map +1 -0
package/build/mcp/capabilities/tasks/define-task.d.ts +75 -0
package/build/mcp/capabilities/tasks/define-task.d.ts.map +1 -0
package/build/mcp/capabilities/tasks/define-task.js +93 -0
package/build/mcp/capabilities/tasks/define-task.js.map +1 -0
package/build/mcp/capabilities/tasks/index.d.ts +11 -0
package/build/mcp/capabilities/tasks/index.d.ts.map +1 -0
package/build/mcp/capabilities/tasks/index.js +11 -0
package/build/mcp/capabilities/tasks/index.js.map +1 -0
package/build/mcp/capabilities/tools/define-tool.d.ts +62 -0
package/build/mcp/capabilities/tools/define-tool.d.ts.map +1 -0
package/build/mcp/capabilities/tools/define-tool.js +73 -0
package/build/mcp/capabilities/tools/define-tool.js.map +1 -0
package/build/mcp/capabilities/tools/index.d.ts +10 -0
package/build/mcp/capabilities/tools/index.d.ts.map +1 -0
package/build/mcp/capabilities/tools/index.js +10 -0
package/build/mcp/capabilities/tools/index.js.map +1 -0
package/build/mcp/handlers/index.d.ts +19 -0
package/build/mcp/handlers/index.d.ts.map +1 -0
package/build/mcp/handlers/index.js +26 -0
package/build/mcp/handlers/index.js.map +1 -0
package/build/mcp/handlers/ping.d.ts +27 -0
package/build/mcp/handlers/ping.d.ts.map +1 -0
package/build/mcp/handlers/ping.js +61 -0
package/build/mcp/handlers/ping.js.map +1 -0
package/build/mcp/handlers/progress.d.ts +41 -0
package/build/mcp/handlers/progress.d.ts.map +1 -0
package/build/mcp/handlers/progress.js +79 -0
package/build/mcp/handlers/progress.js.map +1 -0
package/build/mcp/index.d.ts +28 -0
package/build/mcp/index.d.ts.map +1 -0
package/build/mcp/index.js +34 -0
package/build/mcp/index.js.map +1 -0
package/build/mcp/responses/helpers.d.ts +146 -0
package/build/mcp/responses/helpers.d.ts.map +1 -0
package/build/mcp/responses/helpers.js +197 -0
package/build/mcp/responses/helpers.js.map +1 -0
package/build/mcp/responses/index.d.ts +9 -0
package/build/mcp/responses/index.d.ts.map +1 -0
package/build/mcp/responses/index.js +12 -0
package/build/mcp/responses/index.js.map +1 -0
package/build/mcp/types/context.d.ts +371 -0
package/build/mcp/types/context.d.ts.map +1 -0
package/build/mcp/types/context.js +17 -0
package/build/mcp/types/context.js.map +1 -0
package/build/mcp/types/definition.d.ts +727 -0
package/build/mcp/types/definition.d.ts.map +1 -0
package/build/mcp/types/definition.js +29 -0
package/build/mcp/types/definition.js.map +1 -0
package/build/mcp/types/handler.d.ts +58 -0
package/build/mcp/types/handler.d.ts.map +1 -0
package/build/mcp/types/handler.js +10 -0
package/build/mcp/types/handler.js.map +1 -0
package/build/mcp/types/index.d.ts +21 -0
package/build/mcp/types/index.d.ts.map +1 -0
package/build/mcp/types/index.js +18 -0
package/build/mcp/types/index.js.map +1 -0
package/build/mcp/types/response.d.ts +79 -0
package/build/mcp/types/response.d.ts.map +1 -0
package/build/mcp/types/response.js +10 -0
package/build/mcp/types/response.js.map +1 -0
package/build/server/auth/auth-context.d.ts +52 -0
package/build/server/auth/auth-context.d.ts.map +1 -0
package/build/server/auth/auth-context.js +45 -0
package/build/server/auth/auth-context.js.map +1 -0
package/build/server/auth/guards.d.ts +72 -0
package/build/server/auth/guards.d.ts.map +1 -0
package/build/server/auth/guards.js +103 -0
package/build/server/auth/guards.js.map +1 -0
package/build/server/auth/index.d.ts +21 -0
package/build/server/auth/index.d.ts.map +1 -0
package/build/server/auth/index.js +20 -0
package/build/server/auth/index.js.map +1 -0
package/build/server/auth/oidc-discovery.d.ts +68 -0
package/build/server/auth/oidc-discovery.d.ts.map +1 -0
package/build/server/auth/oidc-discovery.js +234 -0
package/build/server/auth/oidc-discovery.js.map +1 -0
package/build/server/auth/oidc-provider.d.ts +96 -0
package/build/server/auth/oidc-provider.d.ts.map +1 -0
package/build/server/auth/oidc-provider.js +126 -0
package/build/server/auth/oidc-provider.js.map +1 -0
package/build/server/auth/types.d.ts +204 -0
package/build/server/auth/types.d.ts.map +1 -0
package/build/server/auth/types.js +29 -0
package/build/server/auth/types.js.map +1 -0
package/build/server/auth/upstream-provider.d.ts +161 -0
package/build/server/auth/upstream-provider.d.ts.map +1 -0
package/build/server/auth/upstream-provider.js +411 -0
package/build/server/auth/upstream-provider.js.map +1 -0
package/build/server/builder/constants.d.ts +45 -0
package/build/server/builder/constants.d.ts.map +1 -0
package/build/server/builder/constants.js +54 -0
package/build/server/builder/constants.js.map +1 -0
package/build/server/builder/index.d.ts +24 -0
package/build/server/builder/index.d.ts.map +1 -0
package/build/server/builder/index.js +25 -0
package/build/server/builder/index.js.map +1 -0
package/build/server/builder/primitive-collector.d.ts +24 -0
package/build/server/builder/primitive-collector.d.ts.map +1 -0
package/build/server/builder/primitive-collector.js +89 -0
package/build/server/builder/primitive-collector.js.map +1 -0
package/build/server/builder/server-builder.d.ts +53 -0
package/build/server/builder/server-builder.d.ts.map +1 -0
package/build/server/builder/server-builder.js +132 -0
package/build/server/builder/server-builder.js.map +1 -0
package/build/server/builder/types.d.ts +93 -0
package/build/server/builder/types.d.ts.map +1 -0
package/build/server/builder/types.js +25 -0
package/build/server/builder/types.js.map +1 -0
package/build/server/builder/validation.d.ts +36 -0
package/build/server/builder/validation.d.ts.map +1 -0
package/build/server/builder/validation.js +44 -0
package/build/server/builder/validation.js.map +1 -0
package/build/server/create-server.d.ts +57 -0
package/build/server/create-server.d.ts.map +1 -0
package/build/server/create-server.js +104 -0
package/build/server/create-server.js.map +1 -0
package/build/server/http/express-app.d.ts +103 -0
package/build/server/http/express-app.d.ts.map +1 -0
package/build/server/http/express-app.js +391 -0
package/build/server/http/express-app.js.map +1 -0
package/build/server/http/http-server.d.ts +67 -0
package/build/server/http/http-server.d.ts.map +1 -0
package/build/server/http/http-server.js +188 -0
package/build/server/http/http-server.js.map +1 -0
package/build/server/http/http-transport.d.ts +33 -0
package/build/server/http/http-transport.d.ts.map +1 -0
package/build/server/http/http-transport.js +84 -0
package/build/server/http/http-transport.js.map +1 -0
package/build/server/http/index.d.ts +15 -0
package/build/server/http/index.d.ts.map +1 -0
package/build/server/http/index.js +11 -0
package/build/server/http/index.js.map +1 -0
package/build/server/index.d.ts +25 -0
package/build/server/index.d.ts.map +1 -0
package/build/server/index.js +41 -0
package/build/server/index.js.map +1 -0
package/build/server/lifecycle.d.ts +114 -0
package/build/server/lifecycle.d.ts.map +1 -0
package/build/server/lifecycle.js +30 -0
package/build/server/lifecycle.js.map +1 -0
package/build/server/middleware/bearer-auth.d.ts +43 -0
package/build/server/middleware/bearer-auth.d.ts.map +1 -0
package/build/server/middleware/bearer-auth.js +75 -0
package/build/server/middleware/bearer-auth.js.map +1 -0
package/build/server/middleware/custom-header-auth.d.ts +40 -0
package/build/server/middleware/custom-header-auth.d.ts.map +1 -0
package/build/server/middleware/custom-header-auth.js +90 -0
package/build/server/middleware/custom-header-auth.js.map +1 -0
package/build/server/middleware/dns-rebinding.d.ts +25 -0
package/build/server/middleware/dns-rebinding.d.ts.map +1 -0
package/build/server/middleware/dns-rebinding.js +94 -0
package/build/server/middleware/dns-rebinding.js.map +1 -0
package/build/server/middleware/index.d.ts +69 -0
package/build/server/middleware/index.d.ts.map +1 -0
package/build/server/middleware/index.js +68 -0
package/build/server/middleware/index.js.map +1 -0
package/build/server/middleware/logging.d.ts +21 -0
package/build/server/middleware/logging.d.ts.map +1 -0
package/build/server/middleware/logging.js +36 -0
package/build/server/middleware/logging.js.map +1 -0
package/build/server/middleware/oauth-router.d.ts +50 -0
package/build/server/middleware/oauth-router.d.ts.map +1 -0
package/build/server/middleware/oauth-router.js +53 -0
package/build/server/middleware/oauth-router.js.map +1 -0
package/build/server/middleware/protocol-version.d.ts +13 -0
package/build/server/middleware/protocol-version.d.ts.map +1 -0
package/build/server/middleware/protocol-version.js +48 -0
package/build/server/middleware/protocol-version.js.map +1 -0
package/build/server/middleware/rate-limit.d.ts +47 -0
package/build/server/middleware/rate-limit.d.ts.map +1 -0
package/build/server/middleware/rate-limit.js +109 -0
package/build/server/middleware/rate-limit.js.map +1 -0
package/build/server/middleware/trust-proxy.d.ts +37 -0
package/build/server/middleware/trust-proxy.d.ts.map +1 -0
package/build/server/middleware/trust-proxy.js +154 -0
package/build/server/middleware/trust-proxy.js.map +1 -0
package/build/server/option-overrides.d.ts +25 -0
package/build/server/option-overrides.d.ts.map +1 -0
package/build/server/option-overrides.js +85 -0
package/build/server/option-overrides.js.map +1 -0
package/build/server/routes/health.d.ts +87 -0
package/build/server/routes/health.d.ts.map +1 -0
package/build/server/routes/health.js +183 -0
package/build/server/routes/health.js.map +1 -0
package/build/server/routes/index.d.ts +16 -0
package/build/server/routes/index.d.ts.map +1 -0
package/build/server/routes/index.js +18 -0
package/build/server/routes/index.js.map +1 -0
package/build/server/routes/metrics.d.ts +40 -0
package/build/server/routes/metrics.d.ts.map +1 -0
package/build/server/routes/metrics.js +81 -0
package/build/server/routes/metrics.js.map +1 -0
package/build/server/routes/oauth-router.d.ts +50 -0
package/build/server/routes/oauth-router.d.ts.map +1 -0
package/build/server/routes/oauth-router.js +53 -0
package/build/server/routes/oauth-router.js.map +1 -0
package/build/server/routes/readiness-status.d.ts +25 -0
package/build/server/routes/readiness-status.d.ts.map +1 -0
package/build/server/routes/readiness-status.js +27 -0
package/build/server/routes/readiness-status.js.map +1 -0
package/build/server/routes/sse-router.d.ts +43 -0
package/build/server/routes/sse-router.d.ts.map +1 -0
package/build/server/routes/sse-router.js +92 -0
package/build/server/routes/sse-router.js.map +1 -0
package/build/server/routes/streamable-http-router.d.ts +36 -0
package/build/server/routes/streamable-http-router.d.ts.map +1 -0
package/build/server/routes/streamable-http-router.js +59 -0
package/build/server/routes/streamable-http-router.js.map +1 -0
package/build/server/server-instance.d.ts +185 -0
package/build/server/server-instance.d.ts.map +1 -0
package/build/server/server-instance.js +615 -0
package/build/server/server-instance.js.map +1 -0
package/build/server/server-options.d.ts +411 -0
package/build/server/server-options.d.ts.map +1 -0
package/build/server/server-options.js +17 -0
package/build/server/server-options.js.map +1 -0
package/build/server/session/in-memory-store.d.ts +128 -0
package/build/server/session/in-memory-store.d.ts.map +1 -0
package/build/server/session/in-memory-store.js +312 -0
package/build/server/session/in-memory-store.js.map +1 -0
package/build/server/session/index.d.ts +43 -0
package/build/server/session/index.d.ts.map +1 -0
package/build/server/session/index.js +47 -0
package/build/server/session/index.js.map +1 -0
package/build/server/session/mcp-session.d.ts +210 -0
package/build/server/session/mcp-session.d.ts.map +1 -0
package/build/server/session/mcp-session.js +428 -0
package/build/server/session/mcp-session.js.map +1 -0
package/build/server/session/session-factory.d.ts +119 -0
package/build/server/session/session-factory.d.ts.map +1 -0
package/build/server/session/session-factory.js +131 -0
package/build/server/session/session-factory.js.map +1 -0
package/build/server/session/session-housekeeper.d.ts +100 -0
package/build/server/session/session-housekeeper.d.ts.map +1 -0
package/build/server/session/session-housekeeper.js +217 -0
package/build/server/session/session-housekeeper.js.map +1 -0
package/build/server/session/session-manager.d.ts +227 -0
package/build/server/session/session-manager.d.ts.map +1 -0
package/build/server/session/session-manager.js +282 -0
package/build/server/session/session-manager.js.map +1 -0
package/build/server/session/session-store.d.ts +95 -0
package/build/server/session/session-store.d.ts.map +1 -0
package/build/server/session/session-store.js +13 -0
package/build/server/session/session-store.js.map +1 -0
package/build/server/session/session.d.ts +132 -0
package/build/server/session/session.d.ts.map +1 -0
package/build/server/session/session.js +61 -0
package/build/server/session/session.js.map +1 -0
package/build/server/transport/constants.d.ts +85 -0
package/build/server/transport/constants.d.ts.map +1 -0
package/build/server/transport/constants.js +103 -0
package/build/server/transport/constants.js.map +1 -0
package/build/server/transport/index.d.ts +21 -0
package/build/server/transport/index.d.ts.map +1 -0
package/build/server/transport/index.js +28 -0
package/build/server/transport/index.js.map +1 -0
package/build/server/transport/sse/handler.d.ts +46 -0
package/build/server/transport/sse/handler.d.ts.map +1 -0
package/build/server/transport/sse/handler.js +189 -0
package/build/server/transport/sse/handler.js.map +1 -0
package/build/server/transport/sse/index.d.ts +15 -0
package/build/server/transport/sse/index.d.ts.map +1 -0
package/build/server/transport/sse/index.js +14 -0
package/build/server/transport/sse/index.js.map +1 -0
package/build/server/transport/sse/transport.d.ts +94 -0
package/build/server/transport/sse/transport.d.ts.map +1 -0
package/build/server/transport/sse/transport.js +175 -0
package/build/server/transport/sse/transport.js.map +1 -0
package/build/server/transport/stdio-transport.d.ts +23 -0
package/build/server/transport/stdio-transport.d.ts.map +1 -0
package/build/server/transport/stdio-transport.js +59 -0
package/build/server/transport/stdio-transport.js.map +1 -0
package/build/server/transport/streamable-http/index.d.ts +9 -0
package/build/server/transport/streamable-http/index.d.ts.map +1 -0
package/build/server/transport/streamable-http/index.js +9 -0
package/build/server/transport/streamable-http/index.js.map +1 -0
package/build/server/transport/streamable-http/stateful-handler.d.ts +41 -0
package/build/server/transport/streamable-http/stateful-handler.d.ts.map +1 -0
package/build/server/transport/streamable-http/stateful-handler.js +264 -0
package/build/server/transport/streamable-http/stateful-handler.js.map +1 -0
package/build/server/transport/streamable-http/stateless-handler.d.ts +28 -0
package/build/server/transport/streamable-http/stateless-handler.d.ts.map +1 -0
package/build/server/transport/streamable-http/stateless-handler.js +81 -0
package/build/server/transport/streamable-http/stateless-handler.js.map +1 -0
package/build/server/transport/streamable-http/transport.d.ts +110 -0
package/build/server/transport/streamable-http/transport.d.ts.map +1 -0
package/build/server/transport/streamable-http/transport.js +118 -0
package/build/server/transport/streamable-http/transport.js.map +1 -0
package/build/server/transport/transport-context.d.ts +67 -0
package/build/server/transport/transport-context.d.ts.map +1 -0
package/build/server/transport/transport-context.js +38 -0
package/build/server/transport/transport-context.js.map +1 -0
package/build/server/transport/types.d.ts +56 -0
package/build/server/transport/types.d.ts.map +1 -0
package/build/server/transport/types.js +11 -0
package/build/server/transport/types.js.map +1 -0
package/build/server/transport-options.d.ts +248 -0
package/build/server/transport-options.d.ts.map +1 -0
package/build/server/transport-options.js +18 -0
package/build/server/transport-options.js.map +1 -0
package/build/server/types.d.ts +172 -0
package/build/server/types.d.ts.map +1 -0
package/build/server/types.js +9 -0
package/build/server/types.js.map +1 -0
package/build/telemetry/connection-telemetry-bridge.d.ts +30 -0
package/build/telemetry/connection-telemetry-bridge.d.ts.map +1 -0
package/build/telemetry/connection-telemetry-bridge.js +54 -0
package/build/telemetry/connection-telemetry-bridge.js.map +1 -0
package/build/telemetry/core/config.d.ts +38 -0
package/build/telemetry/core/config.d.ts.map +1 -0
package/build/telemetry/core/config.js +54 -0
package/build/telemetry/core/config.js.map +1 -0
package/build/telemetry/core/constants.d.ts +183 -0
package/build/telemetry/core/constants.d.ts.map +1 -0
package/build/telemetry/core/constants.js +207 -0
package/build/telemetry/core/constants.js.map +1 -0
package/build/telemetry/core/diag-logger.d.ts +35 -0
package/build/telemetry/core/diag-logger.d.ts.map +1 -0
package/build/telemetry/core/diag-logger.js +54 -0
package/build/telemetry/core/diag-logger.js.map +1 -0
package/build/telemetry/core/index.d.ts +12 -0
package/build/telemetry/core/index.d.ts.map +1 -0
package/build/telemetry/core/index.js +32 -0
package/build/telemetry/core/index.js.map +1 -0
package/build/telemetry/core/types.d.ts +106 -0
package/build/telemetry/core/types.d.ts.map +1 -0
package/build/telemetry/core/types.js +10 -0
package/build/telemetry/core/types.js.map +1 -0
package/build/telemetry/index.d.ts +59 -0
package/build/telemetry/index.d.ts.map +1 -0
package/build/telemetry/index.js +79 -0
package/build/telemetry/index.js.map +1 -0
package/build/telemetry/metrics.d.ts +127 -0
package/build/telemetry/metrics.d.ts.map +1 -0
package/build/telemetry/metrics.js +337 -0
package/build/telemetry/metrics.js.map +1 -0
package/build/telemetry/sdk.d.ts +110 -0
package/build/telemetry/sdk.d.ts.map +1 -0
package/build/telemetry/sdk.js +547 -0
package/build/telemetry/sdk.js.map +1 -0
package/build/telemetry/tracing.d.ts +78 -0
package/build/telemetry/tracing.d.ts.map +1 -0
package/build/telemetry/tracing.js +257 -0
package/build/telemetry/tracing.js.map +1 -0
package/build/utils/env-helpers.d.ts +46 -0
package/build/utils/env-helpers.d.ts.map +1 -0
package/build/utils/env-helpers.js +54 -0
package/build/utils/env-helpers.js.map +1 -0
package/build/utils/index.d.ts +14 -0
package/build/utils/index.d.ts.map +1 -0
package/build/utils/index.js +19 -0
package/build/utils/index.js.map +1 -0
package/build/utils/sensitive-keys.d.ts +48 -0
package/build/utils/sensitive-keys.d.ts.map +1 -0
package/build/utils/sensitive-keys.js +131 -0
package/build/utils/sensitive-keys.js.map +1 -0
package/build/utils/string-helpers.d.ts +126 -0
package/build/utils/string-helpers.d.ts.map +1 -0
package/build/utils/string-helpers.js +189 -0
package/build/utils/string-helpers.js.map +1 -0
package/build/utils/validation.d.ts +84 -0
package/build/utils/validation.d.ts.map +1 -0
package/build/utils/validation.js +111 -0
package/build/utils/validation.js.map +1 -0
package/build/utils/zod-helpers.d.ts +92 -0
package/build/utils/zod-helpers.d.ts.map +1 -0
package/build/utils/zod-helpers.js +120 -0
package/build/utils/zod-helpers.js.map +1 -0
package/package.json +133 -0

package/build/server/auth/oidc-discovery.d.ts ADDED Viewed

@@ -0,0 +1,68 @@
+/**
+ * OIDC Discovery Client
+ *
+ * Fetches and caches OpenID Connect Discovery documents (RFC 8414 / OpenID Connect Discovery 1.0).
+ * Used by {@link createOidcProvider} to auto-discover upstream OAuth endpoints.
+ *
+ * The discovery document is fetched from `{issuer}/.well-known/openid-configuration`
+ * and cached with a configurable TTL (default: 1 hour). Subsequent calls to
+ * {@link getOidcDiscovery} return the cached version until the TTL expires.
+ *
+ * @example
+ * ```typescript
+ * const doc = await getOidcDiscovery('https://auth.example.com');
+ * console.log(doc.authorization_endpoint); // https://auth.example.com/authorize
+ * console.log(doc.token_endpoint);         // https://auth.example.com/token
+ * ```
+ *
+ * @module server/auth/oidc-discovery
+ */
+/**
+ * Subset of an OpenID Connect Discovery document relevant for OAuth proxy flows.
+ *
+ * @see https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
+ */
+export interface OidcDiscoveryDocument {
+    /** REQUIRED. URL of the authorization endpoint */
+    readonly authorization_endpoint: string;
+    /** REQUIRED. URL of the token endpoint */
+    readonly token_endpoint: string;
+    /** RECOMMENDED. URL of the UserInfo endpoint */
+    readonly userinfo_endpoint?: string;
+    /** URL of the token revocation endpoint (RFC 7009) */
+    readonly revocation_endpoint?: string;
+    /** JSON array of OAuth 2.0 scope values supported */
+    readonly scopes_supported?: readonly string[];
+    /** JSON array of client authentication methods supported at the token endpoint */
+    readonly token_endpoint_auth_methods_supported?: readonly string[];
+    /** The issuer identifier (must match the requested issuer URL) */
+    readonly issuer?: string;
+}
+/**
+ * Fetches an OIDC discovery document from the well-known endpoint.
+ *
+ * Always makes a network request — does NOT use the cache.
+ * Prefer {@link getOidcDiscovery} for cached access.
+ *
+ * @param issuerUrl - OIDC issuer URL (e.g. `https://auth.example.com`)
+ * @returns Parsed and validated discovery document
+ * @throws If the fetch fails or required fields are missing
+ */
+export declare function fetchOidcDiscovery(issuerUrl: string): Promise<OidcDiscoveryDocument>;
+/**
+ * Returns an OIDC discovery document, using a TTL-based cache.
+ *
+ * If a cached document exists and is within the TTL, returns it immediately.
+ * Otherwise, fetches a fresh document and updates the cache.
+ *
+ * @param issuerUrl - OIDC issuer URL (e.g. `https://auth.example.com`)
+ * @param ttlMs - Cache TTL in milliseconds (default: 1 hour)
+ * @returns Cached or freshly fetched discovery document
+ */
+export declare function getOidcDiscovery(issuerUrl: string, ttlMs?: number): Promise<OidcDiscoveryDocument>;
+/**
+ * Clears the OIDC discovery cache.
+ * Primarily for testing and hot-reload scenarios.
+ */
+export declare function clearOidcDiscoveryCache(): void;
+//# sourceMappingURL=oidc-discovery.d.ts.map

package/build/server/auth/oidc-discovery.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"oidc-discovery.d.ts","sourceRoot":"","sources":["../../../src/server/auth/oidc-discovery.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAmEH;;;;GAIG;AACH,MAAM,WAAW,qBAAqB;IACpC,kDAAkD;IAClD,QAAQ,CAAC,sBAAsB,EAAE,MAAM,CAAC;IAExC,0CAA0C;IAC1C,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAC;IAEhC,gDAAgD;IAChD,QAAQ,CAAC,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAEpC,sDAAsD;IACtD,QAAQ,CAAC,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAEtC,qDAAqD;IACrD,QAAQ,CAAC,gBAAgB,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IAE9C,kFAAkF;IAClF,QAAQ,CAAC,qCAAqC,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IAEnE,kEAAkE;IAClE,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;CAC1B;AAkED;;;;;;;;;GASG;AACH,wBAAsB,kBAAkB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,qBAAqB,CAAC,CAiF1F;AAED;;;;;;;;;GASG;AACH,wBAAsB,gBAAgB,CACpC,SAAS,EAAE,MAAM,EACjB,KAAK,GAAE,MAAiC,GACvC,OAAO,CAAC,qBAAqB,CAAC,CAuBhC;AAED;;;GAGG;AACH,wBAAgB,uBAAuB,IAAI,IAAI,CAE9C"}

package/build/server/auth/oidc-discovery.js ADDED Viewed

@@ -0,0 +1,234 @@
+/**
+ * OIDC Discovery Client
+ *
+ * Fetches and caches OpenID Connect Discovery documents (RFC 8414 / OpenID Connect Discovery 1.0).
+ * Used by {@link createOidcProvider} to auto-discover upstream OAuth endpoints.
+ *
+ * The discovery document is fetched from `{issuer}/.well-known/openid-configuration`
+ * and cached with a configurable TTL (default: 1 hour). Subsequent calls to
+ * {@link getOidcDiscovery} return the cached version until the TTL expires.
+ *
+ * @example
+ * ```typescript
+ * const doc = await getOidcDiscovery('https://auth.example.com');
+ * console.log(doc.authorization_endpoint); // https://auth.example.com/authorize
+ * console.log(doc.token_endpoint);         // https://auth.example.com/token
+ * ```
+ *
+ * @module server/auth/oidc-discovery
+ */
+import { logger as baseLogger } from "../../logger/index.js";
+// ============================================================================
+// Logger
+// ============================================================================
+const LOG_COMPONENT = "oidc-discovery";
+const LogMessages = {
+    FETCHING: "Fetching OIDC discovery from %s",
+    CACHED: "Using cached OIDC discovery for %s (age: %ds)",
+    REFRESHING: "Refreshing expired OIDC discovery for %s (age: %ds, ttl: %ds)",
+    FETCHED: "OIDC discovery fetched: authorization=%s token=%s userinfo=%s",
+    MISSING_FIELDS: "OIDC discovery at %s missing required fields: %s",
+    FETCH_FAILED: "OIDC discovery fetch failed for %s: %s",
+    ISSUER_MISMATCH: "OIDC discovery issuer mismatch: expected %s, got %s",
+    SSRF_BLOCKED: "OIDC discovery blocked: %s — %s",
+};
+const logger = baseLogger.child({ component: LOG_COMPONENT });
+// ============================================================================
+// Constants
+// ============================================================================
+/** Default TTL for cached discovery documents (1 hour) */
+const DEFAULT_DISCOVERY_TTL_MS = 60 * 60 * 1000;
+/** Default timeout for OIDC discovery fetch requests (10 seconds) */
+const DEFAULT_FETCH_TIMEOUT_MS = 10_000;
+/** Well-known path suffix for OIDC discovery */
+const WELL_KNOWN_PATH = "/.well-known/openid-configuration";
+/** Maximum number of cached OIDC discovery documents */
+const MAX_DISCOVERY_CACHE_SIZE = 50;
+/**
+ * Hostnames and IP patterns that must never be fetched (SSRF protection).
+ * Covers private IPv4 ranges (RFC 1918), link-local, loopback, and cloud metadata endpoints.
+ */
+const BLOCKED_HOST_PATTERNS = [
+    /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/, // IPv4 loopback
+    /^10\.\d{1,3}\.\d{1,3}\.\d{1,3}$/, // 10.0.0.0/8
+    /^172\.(1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}$/, // 172.16.0.0/12
+    /^192\.168\.\d{1,3}\.\d{1,3}$/, // 192.168.0.0/16
+    /^169\.254\.\d{1,3}\.\d{1,3}$/, // Link-local
+    /^0\.0\.0\.0$/, // Unspecified
+    /^\[?::1\]?$/, // IPv6 loopback
+    /^\[?::ffff:/i, // IPv6-mapped IPv4 (e.g. ::ffff:192.168.1.1)
+    /^\[?fe80:/i, // IPv6 link-local
+    /^\[?fc00:/i, // IPv6 unique local
+    /^\[?fd/i, // IPv6 unique local
+];
+/** Hostnames that are always blocked regardless of scheme */
+const BLOCKED_HOSTNAMES = new Set([
+    "metadata.google.internal", // GCP metadata
+    "metadata.azure.internal", // Azure metadata (IMDS hostname variant)
+]);
+// ============================================================================
+// Cache
+// ============================================================================
+const discoveryCache = new Map();
+// ============================================================================
+// SSRF Protection
+// ============================================================================
+/**
+ * Validates a URL against SSRF attacks before fetching.
+ *
+ * Rules:
+ * - Only `https:` is allowed in production. `http:` is permitted only for
+ *   `localhost` / `127.0.0.1` (local development).
+ * - Private IP ranges, link-local addresses, and cloud metadata endpoints are blocked.
+ * - Non-standard ports on public hosts are allowed (common for dev/staging OIDC providers).
+ *
+ * @throws If the URL is unsafe for server-side fetch
+ */
+function validateDiscoveryUrl(url) {
+    let parsed;
+    try {
+        parsed = new URL(url);
+    }
+    catch {
+        throw new Error(`OIDC discovery URL is not a valid URL: ${url}`);
+    }
+    // Scheme validation: only https in production, http only for localhost
+    const isLocalhost = parsed.hostname === "localhost" || parsed.hostname === "127.0.0.1" || parsed.hostname === "::1";
+    if (parsed.protocol === "http:" && !isLocalhost) {
+        throw new Error(`OIDC discovery URL must use HTTPS: ${url}. ` + `HTTP is only allowed for localhost development.`);
+    }
+    if (parsed.protocol !== "https:" && parsed.protocol !== "http:") {
+        throw new Error(`OIDC discovery URL must use HTTPS (got ${parsed.protocol}): ${url}`);
+    }
+    // Blocked hostname check (cloud metadata services)
+    if (BLOCKED_HOSTNAMES.has(parsed.hostname.toLowerCase())) {
+        throw new Error(`OIDC discovery URL targets a blocked host: ${parsed.hostname}`);
+    }
+    // Blocked IP pattern check (private networks, link-local, loopback)
+    // Skip for localhost — explicitly allowed above for development
+    if (!isLocalhost) {
+        for (const pattern of BLOCKED_HOST_PATTERNS) {
+            if (pattern.test(parsed.hostname)) {
+                throw new Error(`OIDC discovery URL targets a private/internal address: ${parsed.hostname}`);
+            }
+        }
+    }
+}
+// ============================================================================
+// Public API
+// ============================================================================
+/**
+ * Fetches an OIDC discovery document from the well-known endpoint.
+ *
+ * Always makes a network request — does NOT use the cache.
+ * Prefer {@link getOidcDiscovery} for cached access.
+ *
+ * @param issuerUrl - OIDC issuer URL (e.g. `https://auth.example.com`)
+ * @returns Parsed and validated discovery document
+ * @throws If the fetch fails or required fields are missing
+ */
+export async function fetchOidcDiscovery(issuerUrl) {
+    const normalizedIssuer = issuerUrl.replace(/\/+$/, "");
+    const discoveryUrl = `${normalizedIssuer}${WELL_KNOWN_PATH}`;
+    // SSRF protection: validate URL before fetching (CWE-918)
+    try {
+        validateDiscoveryUrl(discoveryUrl);
+    }
+    catch (err) {
+        const reason = err instanceof Error ? err.message : "invalid URL";
+        logger.error(LogMessages.SSRF_BLOCKED, discoveryUrl, reason);
+        throw err;
+    }
+    logger.info(LogMessages.FETCHING, discoveryUrl);
+    let response;
+    try {
+        response = await fetch(discoveryUrl, {
+            headers: { Accept: "application/json" },
+            signal: AbortSignal.timeout(DEFAULT_FETCH_TIMEOUT_MS),
+        });
+    }
+    catch (err) {
+        const message = err instanceof Error ? err.message : "network error";
+        logger.error(LogMessages.FETCH_FAILED, discoveryUrl, message);
+        throw new Error(`OIDC discovery fetch failed for ${normalizedIssuer}: ${message}`, { cause: err });
+    }
+    if (!response.ok) {
+        throw new Error(`OIDC discovery failed for ${normalizedIssuer}: HTTP ${response.status}. ` +
+            `Ensure the provider supports OpenID Connect Discovery at ${discoveryUrl}`);
+    }
+    const data = (await response.json());
+    // Validate required fields
+    const missing = [];
+    if (typeof data.authorization_endpoint !== "string")
+        missing.push("authorization_endpoint");
+    if (typeof data.token_endpoint !== "string")
+        missing.push("token_endpoint");
+    if (missing.length > 0) {
+        logger.error(LogMessages.MISSING_FIELDS, discoveryUrl, missing.join(", "));
+        throw new Error(`OIDC discovery at ${discoveryUrl} is missing required fields: ${missing.join(", ")}`);
+    }
+    const document = {
+        authorization_endpoint: data.authorization_endpoint,
+        token_endpoint: data.token_endpoint,
+        ...(typeof data.userinfo_endpoint === "string" && {
+            userinfo_endpoint: data.userinfo_endpoint,
+        }),
+        ...(typeof data.revocation_endpoint === "string" && {
+            revocation_endpoint: data.revocation_endpoint,
+        }),
+        ...(Array.isArray(data.scopes_supported) && {
+            scopes_supported: data.scopes_supported,
+        }),
+        ...(Array.isArray(data.token_endpoint_auth_methods_supported) && {
+            token_endpoint_auth_methods_supported: data.token_endpoint_auth_methods_supported,
+        }),
+        ...(typeof data.issuer === "string" && { issuer: data.issuer }),
+    };
+    // RFC 8414: issuer in the discovery document MUST match the requested issuer URL
+    if (document.issuer && document.issuer.replace(/\/+$/, "") !== normalizedIssuer) {
+        logger.error(LogMessages.ISSUER_MISMATCH, normalizedIssuer, document.issuer);
+        throw new Error(`OIDC discovery issuer mismatch: requested ${normalizedIssuer} but document declares ${document.issuer}. ` +
+            `This may indicate a misconfigured or compromised OIDC provider.`);
+    }
+    logger.info(LogMessages.FETCHED, document.authorization_endpoint, document.token_endpoint, document.userinfo_endpoint ?? "(none)");
+    return document;
+}
+/**
+ * Returns an OIDC discovery document, using a TTL-based cache.
+ *
+ * If a cached document exists and is within the TTL, returns it immediately.
+ * Otherwise, fetches a fresh document and updates the cache.
+ *
+ * @param issuerUrl - OIDC issuer URL (e.g. `https://auth.example.com`)
+ * @param ttlMs - Cache TTL in milliseconds (default: 1 hour)
+ * @returns Cached or freshly fetched discovery document
+ */
+export async function getOidcDiscovery(issuerUrl, ttlMs = DEFAULT_DISCOVERY_TTL_MS) {
+    const normalizedIssuer = issuerUrl.replace(/\/+$/, "");
+    const cached = discoveryCache.get(normalizedIssuer);
+    if (cached) {
+        const ageMs = Date.now() - cached.fetchedAt;
+        if (ageMs < ttlMs) {
+            logger.debug(LogMessages.CACHED, normalizedIssuer, Math.floor(ageMs / 1000));
+            return cached.document;
+        }
+        logger.debug(LogMessages.REFRESHING, normalizedIssuer, Math.floor(ageMs / 1000), Math.floor(ttlMs / 1000));
+    }
+    const document = await fetchOidcDiscovery(normalizedIssuer);
+    // Evict oldest entry if cache is full
+    if (discoveryCache.size >= MAX_DISCOVERY_CACHE_SIZE && !discoveryCache.has(normalizedIssuer)) {
+        const oldestKey = discoveryCache.keys().next().value;
+        if (oldestKey !== undefined)
+            discoveryCache.delete(oldestKey);
+    }
+    discoveryCache.set(normalizedIssuer, { document, fetchedAt: Date.now() });
+    return document;
+}
+/**
+ * Clears the OIDC discovery cache.
+ * Primarily for testing and hot-reload scenarios.
+ */
+export function clearOidcDiscoveryCache() {
+    discoveryCache.clear();
+}
+//# sourceMappingURL=oidc-discovery.js.map

package/build/server/auth/oidc-discovery.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"oidc-discovery.js","sourceRoot":"","sources":["../../../src/server/auth/oidc-discovery.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,OAAO,EAAE,MAAM,IAAI,UAAU,EAAE,MAAM,uBAAuB,CAAC;AAE7D,+EAA+E;AAC/E,SAAS;AACT,+EAA+E;AAE/E,MAAM,aAAa,GAAG,gBAAgB,CAAC;AAEvC,MAAM,WAAW,GAAG;IAClB,QAAQ,EAAE,iCAAiC;IAC3C,MAAM,EAAE,+CAA+C;IACvD,UAAU,EAAE,+DAA+D;IAC3E,OAAO,EAAE,+DAA+D;IACxE,cAAc,EAAE,kDAAkD;IAClE,YAAY,EAAE,wCAAwC;IACtD,eAAe,EAAE,qDAAqD;IACtE,YAAY,EAAE,iCAAiC;CACvC,CAAC;AAEX,MAAM,MAAM,GAAG,UAAU,CAAC,KAAK,CAAC,EAAE,SAAS,EAAE,aAAa,EAAE,CAAC,CAAC;AAE9D,+EAA+E;AAC/E,YAAY;AACZ,+EAA+E;AAE/E,0DAA0D;AAC1D,MAAM,wBAAwB,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;AAEhD,qEAAqE;AACrE,MAAM,wBAAwB,GAAG,MAAM,CAAC;AAExC,gDAAgD;AAChD,MAAM,eAAe,GAAG,mCAAmC,CAAC;AAE5D,wDAAwD;AACxD,MAAM,wBAAwB,GAAG,EAAE,CAAC;AAEpC;;;GAGG;AACH,MAAM,qBAAqB,GAAsB;IAC/C,kCAAkC,EAAE,gBAAgB;IACpD,iCAAiC,EAAE,aAAa;IAChD,6CAA6C,EAAE,gBAAgB;IAC/D,8BAA8B,EAAE,iBAAiB;IACjD,8BAA8B,EAAE,aAAa;IAC7C,cAAc,EAAE,cAAc;IAC9B,aAAa,EAAE,gBAAgB;IAC/B,cAAc,EAAE,6CAA6C;IAC7D,YAAY,EAAE,kBAAkB;IAChC,YAAY,EAAE,oBAAoB;IAClC,SAAS,EAAE,oBAAoB;CAChC,CAAC;AAEF,6DAA6D;AAC7D,MAAM,iBAAiB,GAAG,IAAI,GAAG,CAAC;IAChC,0BAA0B,EAAE,eAAe;IAC3C,yBAAyB,EAAE,yCAAyC;CACrE,CAAC,CAAC;AAwCH,+EAA+E;AAC/E,QAAQ;AACR,+EAA+E;AAE/E,MAAM,cAAc,GAAG,IAAI,GAAG,EAAsB,CAAC;AAErD,+EAA+E;AAC/E,kBAAkB;AAClB,+EAA+E;AAE/E;;;;;;;;;;GAUG;AACH,SAAS,oBAAoB,CAAC,GAAW;IACvC,IAAI,MAAW,CAAC;IAChB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;IACxB,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,KAAK,CAAC,0CAA0C,GAAG,EAAE,CAAC,CAAC;IACnE,CAAC;IAED,uEAAuE;IACvE,MAAM,WAAW,GAAG,MAAM,CAAC,QAAQ,KAAK,WAAW,IAAI,MAAM,CAAC,QAAQ,KAAK,WAAW,IAAI,MAAM,CAAC,QAAQ,KAAK,KAAK,CAAC;IACpH,IAAI,MAAM,CAAC,QAAQ,KAAK,OAAO,IAAI,CAAC,WAAW,EAAE,CAAC;QAChD,MAAM,IAAI,KAAK,CAAC,sCAAsC,GAAG,IAAI,GAAG,iDAAiD,CAAC,CAAC;IACrH,CAAC;IACD,IAAI,MAAM,CAAC,QAAQ,KAAK,QAAQ,IAAI,MAAM,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;QAChE,MAAM,IAAI,KAAK,CAAC,0CAA0C,MAAM,CAAC,QAAQ,MAAM,GAAG,EAAE,CAAC,CAAC;IACxF,CAAC;IAED,mDAAmD;IACnD,IAAI,iBAAiB,CAAC,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;QACzD,MAAM,IAAI,KAAK,CAAC,8CAA8C,MAAM,CAAC,QAAQ,EAAE,CAAC,CAAC;IACnF,CAAC;IAED,oEAAoE;IACpE,gEAAgE;IAChE,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,KAAK,MAAM,OAAO,IAAI,qBAAqB,EAAE,CAAC;YAC5C,IAAI,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAClC,MAAM,IAAI,KAAK,CAAC,0DAA0D,MAAM,CAAC,QAAQ,EAAE,CAAC,CAAC;YAC/F,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC;AAED,+EAA+E;AAC/E,aAAa;AACb,+EAA+E;AAE/E;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAAC,SAAiB;IACxD,MAAM,gBAAgB,GAAG,SAAS,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IACvD,MAAM,YAAY,GAAG,GAAG,gBAAgB,GAAG,eAAe,EAAE,CAAC;IAE7D,0DAA0D;IAC1D,IAAI,CAAC;QACH,oBAAoB,CAAC,YAAY,CAAC,CAAC;IACrC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,MAAM,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,aAAa,CAAC;QAClE,MAAM,CAAC,KAAK,CAAC,WAAW,CAAC,YAAY,EAAE,YAAY,EAAE,MAAM,CAAC,CAAC;QAC7D,MAAM,GAAG,CAAC;IACZ,CAAC;IAED,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,QAAQ,EAAE,YAAY,CAAC,CAAC;IAEhD,IAAI,QAA6B,CAAC;IAClC,IAAI,CAAC;QACH,QAAQ,GAAG,MAAM,KAAK,CAAC,YAAY,EAAE;YACnC,OAAO,EAAE,EAAE,MAAM,EAAE,kBAAkB,EAAE;YACvC,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,wBAAwB,CAAC;SACtD,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,CAAC;QACrE,MAAM,CAAC,KAAK,CAAC,WAAW,CAAC,YAAY,EAAE,YAAY,EAAE,OAAO,CAAC,CAAC;QAC9D,MAAM,IAAI,KAAK,CAAC,mCAAmC,gBAAgB,KAAK,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,CAAC;IACrG,CAAC;IAED,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,IAAI,KAAK,CACb,6BAA6B,gBAAgB,UAAU,QAAQ,CAAC,MAAM,IAAI;YACxE,4DAA4D,YAAY,EAAE,CAC7E,CAAC;IACJ,CAAC;IAED,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAA4B,CAAC;IAEhE,2BAA2B;IAC3B,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,IAAI,OAAO,IAAI,CAAC,sBAAsB,KAAK,QAAQ;QAAE,OAAO,CAAC,IAAI,CAAC,wBAAwB,CAAC,CAAC;IAC5F,IAAI,OAAO,IAAI,CAAC,cAAc,KAAK,QAAQ;QAAE,OAAO,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;IAE5E,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACvB,MAAM,CAAC,KAAK,CAAC,WAAW,CAAC,cAAc,EAAE,YAAY,EAAE,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;QAC3E,MAAM,IAAI,KAAK,CAAC,qBAAqB,YAAY,gCAAgC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACzG,CAAC;IAED,MAAM,QAAQ,GAA0B;QACtC,sBAAsB,EAAE,IAAI,CAAC,sBAAgC;QAC7D,cAAc,EAAE,IAAI,CAAC,cAAwB;QAC7C,GAAG,CAAC,OAAO,IAAI,CAAC,iBAAiB,KAAK,QAAQ,IAAI;YAChD,iBAAiB,EAAE,IAAI,CAAC,iBAAiB;SAC1C,CAAC;QACF,GAAG,CAAC,OAAO,IAAI,CAAC,mBAAmB,KAAK,QAAQ,IAAI;YAClD,mBAAmB,EAAE,IAAI,CAAC,mBAAmB;SAC9C,CAAC;QACF,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,gBAAgB,CAAC,IAAI;YAC1C,gBAAgB,EAAE,IAAI,CAAC,gBAA4B;SACpD,CAAC;QACF,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,qCAAqC,CAAC,IAAI;YAC/D,qCAAqC,EAAE,IAAI,CAAC,qCAAiD;SAC9F,CAAC;QACF,GAAG,CAAC,OAAO,IAAI,CAAC,MAAM,KAAK,QAAQ,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,CAAC;KAChE,CAAC;IAEF,iFAAiF;IACjF,IAAI,QAAQ,CAAC,MAAM,IAAI,QAAQ,CAAC,MAAM,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,KAAK,gBAAgB,EAAE,CAAC;QAChF,MAAM,CAAC,KAAK,CAAC,WAAW,CAAC,eAAe,EAAE,gBAAgB,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC;QAC7E,MAAM,IAAI,KAAK,CACb,6CAA6C,gBAAgB,0BAA0B,QAAQ,CAAC,MAAM,IAAI;YACxG,iEAAiE,CACpE,CAAC;IACJ,CAAC;IAED,MAAM,CAAC,IAAI,CACT,WAAW,CAAC,OAAO,EACnB,QAAQ,CAAC,sBAAsB,EAC/B,QAAQ,CAAC,cAAc,EACvB,QAAQ,CAAC,iBAAiB,IAAI,QAAQ,CACvC,CAAC;IAEF,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,SAAiB,EACjB,QAAgB,wBAAwB;IAExC,MAAM,gBAAgB,GAAG,SAAS,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IACvD,MAAM,MAAM,GAAG,cAAc,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC;IAEpD,IAAI,MAAM,EAAE,CAAC;QACX,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,SAAS,CAAC;QAC5C,IAAI,KAAK,GAAG,KAAK,EAAE,CAAC;YAClB,MAAM,CAAC,KAAK,CAAC,WAAW,CAAC,MAAM,EAAE,gBAAgB,EAAE,IAAI,CAAC,KAAK,CAAC,KAAK,GAAG,IAAI,CAAC,CAAC,CAAC;YAC7E,OAAO,MAAM,CAAC,QAAQ,CAAC;QACzB,CAAC;QACD,MAAM,CAAC,KAAK,CAAC,WAAW,CAAC,UAAU,EAAE,gBAAgB,EAAE,IAAI,CAAC,KAAK,CAAC,KAAK,GAAG,IAAI,CAAC,EAAE,IAAI,CAAC,KAAK,CAAC,KAAK,GAAG,IAAI,CAAC,CAAC,CAAC;IAC7G,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,gBAAgB,CAAC,CAAC;IAE5D,sCAAsC;IACtC,IAAI,cAAc,CAAC,IAAI,IAAI,wBAAwB,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,gBAAgB,CAAC,EAAE,CAAC;QAC7F,MAAM,SAAS,GAAG,cAAc,CAAC,IAAI,EAAE,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC;QACrD,IAAI,SAAS,KAAK,SAAS;YAAE,cAAc,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IAChE,CAAC;IAED,cAAc,CAAC,GAAG,CAAC,gBAAgB,EAAE,EAAE,QAAQ,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;IAC1E,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,uBAAuB;IACrC,cAAc,CAAC,KAAK,EAAE,CAAC;AACzB,CAAC"}

package/build/server/auth/oidc-provider.d.ts ADDED Viewed

@@ -0,0 +1,96 @@
+/**
+ * OIDC Provider Factory
+ *
+ * Creates an {@link OAuthServerProvider} for any OpenID Connect-compliant
+ * authorization server using **automatic endpoint discovery**.
+ *
+ * Given just an issuer URL, the factory fetches the OIDC discovery document
+ * (`/.well-known/openid-configuration`) and configures a full upstream OAuth
+ * provider with server-side callbacks. This eliminates per-provider boilerplate
+ * for standard OIDC providers (Keycloak, Auth0, Okta, Azure AD, PocketID, etc.).
+ *
+ * @example
+ * ```typescript
+ * import { createOidcProvider, createServer } from 'mcp-server-framework';
+ *
+ * const { provider, callbackHandler } = await createOidcProvider({
+ *   issuer: 'https://auth.example.com',
+ *   clientId: process.env.OIDC_CLIENT_ID!,
+ *   clientSecret: process.env.OIDC_CLIENT_SECRET!,
+ *   serverUrl: 'http://localhost:8000',
+ * });
+ *
+ * const { start } = createServer({
+ *   name: 'my-server',
+ *   version: '1.0.0',
+ *   transport: { mode: 'http' },
+ *   auth: {
+ *     provider,
+ *     callbackHandler,
+ *     issuerUrl: new URL('http://localhost:8000'),
+ *   },
+ * });
+ * await start();
+ * ```
+ *
+ * @module server/auth/oidc-provider
+ */
+import type { AuthInfo } from "@modelcontextprotocol/sdk/server/auth/types.js";
+import type { UpstreamOAuthProviderResult } from "./upstream-provider.js";
+/**
+ * Options for {@link createOidcProvider}.
+ */
+export interface OidcProviderOptions {
+    /**
+     * OIDC issuer URL (e.g. `https://auth.example.com`).
+     * The discovery document is fetched from `{issuer}/.well-known/openid-configuration`.
+     */
+    readonly issuer: string;
+    /** Client ID registered with the OIDC provider */
+    readonly clientId: string;
+    /** Client secret registered with the OIDC provider */
+    readonly clientSecret: string;
+    /** MCP server base URL (e.g. `http://localhost:8000`). Used as redirect_uri target. */
+    readonly serverUrl: string;
+    /**
+     * Scopes to request from the upstream OIDC provider.
+     * @default ['openid', 'profile', 'email']
+     */
+    readonly upstreamScopes?: readonly string[];
+    /**
+     * MCP scopes granted to authenticated users.
+     * If not provided, the default `mapUserInfo` grants no scopes (empty array).
+     * When providing a custom `mapUserInfo`, this option is ignored.
+     */
+    readonly grantedScopes?: readonly string[];
+    /**
+     * Custom mapping from OIDC UserInfo response to MCP {@link AuthInfo}.
+     *
+     * When not provided, the default mapping uses standard OIDC claims:
+     * - `sub` → `clientId`
+     * - `grantedScopes` → `scopes`
+     * - 1h artificial `expiresAt` (token is re-verified on each request)
+     * - `name`, `email`, `preferred_username` → `extra`
+     */
+    readonly mapUserInfo?: (token: string, data: Record<string, unknown>) => Promise<AuthInfo>;
+    /**
+     * TTL for the cached OIDC discovery document in milliseconds.
+     * The discovery document is re-fetched when the TTL expires.
+     * @default 3600000 (1 hour)
+     */
+    readonly discoveryTtlMs?: number;
+}
+/**
+ * Creates an {@link OAuthServerProvider} for an OIDC-compliant authorization server.
+ *
+ * This is an **async factory** — it fetches the OIDC discovery document at creation
+ * time to resolve endpoint URLs. The discovery document is cached with a configurable
+ * TTL and refreshed transparently on subsequent token verifications.
+ *
+ * Internally delegates to {@link createUpstreamOAuthProvider} after resolving endpoints.
+ *
+ * @param options - OIDC provider configuration
+ * @returns Provider and callback handler, ready for {@link AuthOptions}
+ */
+export declare function createOidcProvider(options: OidcProviderOptions): Promise<UpstreamOAuthProviderResult>;
+//# sourceMappingURL=oidc-provider.d.ts.map

package/build/server/auth/oidc-provider.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"oidc-provider.d.ts","sourceRoot":"","sources":["../../../src/server/auth/oidc-provider.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAoCG;AAEH,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,gDAAgD,CAAC;AAG/E,OAAO,KAAK,EAAE,2BAA2B,EAAE,MAAM,wBAAwB,CAAC;AA0C1E;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC;;;OAGG;IACH,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IAExB,kDAAkD;IAClD,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAE1B,sDAAsD;IACtD,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAE9B,uFAAuF;IACvF,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAE3B;;;OAGG;IACH,QAAQ,CAAC,cAAc,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IAE5C;;;;OAIG;IACH,QAAQ,CAAC,aAAa,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IAE3C;;;;;;;;OAQG;IACH,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,OAAO,CAAC,QAAQ,CAAC,CAAC;IAE3F;;;;OAIG;IACH,QAAQ,CAAC,cAAc,CAAC,EAAE,MAAM,CAAC;CAClC;AAMD;;;;;;;;;;;GAWG;AACH,wBAAsB,kBAAkB,CAAC,OAAO,EAAE,mBAAmB,GAAG,OAAO,CAAC,2BAA2B,CAAC,CA6E3G"}

package/build/server/auth/oidc-provider.js ADDED Viewed

@@ -0,0 +1,126 @@
+/**
+ * OIDC Provider Factory
+ *
+ * Creates an {@link OAuthServerProvider} for any OpenID Connect-compliant
+ * authorization server using **automatic endpoint discovery**.
+ *
+ * Given just an issuer URL, the factory fetches the OIDC discovery document
+ * (`/.well-known/openid-configuration`) and configures a full upstream OAuth
+ * provider with server-side callbacks. This eliminates per-provider boilerplate
+ * for standard OIDC providers (Keycloak, Auth0, Okta, Azure AD, PocketID, etc.).
+ *
+ * @example
+ * ```typescript
+ * import { createOidcProvider, createServer } from 'mcp-server-framework';
+ *
+ * const { provider, callbackHandler } = await createOidcProvider({
+ *   issuer: 'https://auth.example.com',
+ *   clientId: process.env.OIDC_CLIENT_ID!,
+ *   clientSecret: process.env.OIDC_CLIENT_SECRET!,
+ *   serverUrl: 'http://localhost:8000',
+ * });
+ *
+ * const { start } = createServer({
+ *   name: 'my-server',
+ *   version: '1.0.0',
+ *   transport: { mode: 'http' },
+ *   auth: {
+ *     provider,
+ *     callbackHandler,
+ *     issuerUrl: new URL('http://localhost:8000'),
+ *   },
+ * });
+ * await start();
+ * ```
+ *
+ * @module server/auth/oidc-provider
+ */
+import { getOidcDiscovery } from "./oidc-discovery.js";
+import { createUpstreamOAuthProvider } from "./upstream-provider.js";
+import { logger as baseLogger } from "../../logger/index.js";
+// ============================================================================
+// Logger
+// ============================================================================
+const LOG_COMPONENT = "oidc-provider";
+const LogMessages = {
+    CREATING: "Creating OIDC provider for issuer %s",
+    CREATED: "OIDC provider ready (authorization=%s, token=%s, userinfo=%s)",
+    NO_USERINFO: "OIDC discovery for %s has no userinfo_endpoint — token verification may fail",
+};
+const logger = baseLogger.child({ component: LOG_COMPONENT });
+// ============================================================================
+// Constants
+// ============================================================================
+/** Default OIDC scopes to request from the upstream provider */
+const DEFAULT_UPSTREAM_SCOPES = ["openid", "profile", "email"];
+// ============================================================================
+// Factory
+// ============================================================================
+/**
+ * Creates an {@link OAuthServerProvider} for an OIDC-compliant authorization server.
+ *
+ * This is an **async factory** — it fetches the OIDC discovery document at creation
+ * time to resolve endpoint URLs. The discovery document is cached with a configurable
+ * TTL and refreshed transparently on subsequent token verifications.
+ *
+ * Internally delegates to {@link createUpstreamOAuthProvider} after resolving endpoints.
+ *
+ * @param options - OIDC provider configuration
+ * @returns Provider and callback handler, ready for {@link AuthOptions}
+ */
+export async function createOidcProvider(options) {
+    const { issuer, clientId, clientSecret, serverUrl, upstreamScopes = DEFAULT_UPSTREAM_SCOPES, grantedScopes, mapUserInfo, discoveryTtlMs, } = options;
+    logger.info(LogMessages.CREATING, issuer);
+    // Fetch OIDC discovery document (cached with TTL)
+    const discovery = await getOidcDiscovery(issuer, discoveryTtlMs);
+    if (!discovery.userinfo_endpoint) {
+        logger.warn(LogMessages.NO_USERINFO, issuer);
+    }
+    logger.info(LogMessages.CREATED, discovery.authorization_endpoint, discovery.token_endpoint, discovery.userinfo_endpoint ?? "(none)");
+    // Default OIDC UserInfo → AuthInfo mapping
+    const defaultMapUserInfo = async (token, data) => {
+        // @type-narrowing: OIDC UserInfo response contains standard claims
+        const claims = data;
+        // Validate required `sub` claim (OIDC Core §5.1) at system boundary
+        if (!claims.sub || typeof claims.sub !== "string") {
+            throw new Error("OIDC UserInfo response missing required 'sub' claim");
+        }
+        return {
+            token,
+            clientId: claims.sub,
+            scopes: grantedScopes ? [...grantedScopes] : [],
+            // SDK requireBearerAuth middleware requires expiresAt.
+            // Use 1h expiry — token is re-verified via userinfo on each request.
+            expiresAt: Math.floor(Date.now() / 1000) + 3600,
+            extra: {
+                provider: "oidc",
+                issuer,
+                // Validate optional claim types at system boundary — OIDC providers may return non-string values
+                username: typeof claims.preferred_username === "string" ? claims.preferred_username : undefined,
+                displayName: typeof claims.name === "string"
+                    ? claims.name
+                    : typeof claims.preferred_username === "string"
+                        ? claims.preferred_username
+                        : claims.sub,
+                email: typeof claims.email === "string" ? claims.email : undefined,
+            },
+        };
+    };
+    return createUpstreamOAuthProvider({
+        endpoints: {
+            authorizationUrl: discovery.authorization_endpoint,
+            tokenUrl: discovery.token_endpoint,
+            userinfoUrl: discovery.userinfo_endpoint,
+            revocationUrl: discovery.revocation_endpoint,
+        },
+        clientId,
+        clientSecret,
+        serverUrl,
+        upstreamScopes: [...upstreamScopes],
+        mapUserInfo: mapUserInfo ?? defaultMapUserInfo,
+        tokenRequestContentType: "form", // OIDC standard
+        upstreamAuthorizeParams: { response_type: "code" },
+        refreshTokenSupport: true,
+    });
+}
+//# sourceMappingURL=oidc-provider.js.map

package/build/server/auth/oidc-provider.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"oidc-provider.js","sourceRoot":"","sources":["../../../src/server/auth/oidc-provider.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAoCG;AAGH,OAAO,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AACvD,OAAO,EAAE,2BAA2B,EAAE,MAAM,wBAAwB,CAAC;AAErE,OAAO,EAAE,MAAM,IAAI,UAAU,EAAE,MAAM,uBAAuB,CAAC;AAE7D,+EAA+E;AAC/E,SAAS;AACT,+EAA+E;AAE/E,MAAM,aAAa,GAAG,eAAe,CAAC;AAEtC,MAAM,WAAW,GAAG;IAClB,QAAQ,EAAE,sCAAsC;IAChD,OAAO,EAAE,+DAA+D;IACxE,WAAW,EAAE,8EAA8E;CACnF,CAAC;AAEX,MAAM,MAAM,GAAG,UAAU,CAAC,KAAK,CAAC,EAAE,SAAS,EAAE,aAAa,EAAE,CAAC,CAAC;AAE9D,+EAA+E;AAC/E,YAAY;AACZ,+EAA+E;AAE/E,gEAAgE;AAChE,MAAM,uBAAuB,GAAG,CAAC,QAAQ,EAAE,SAAS,EAAE,OAAO,CAAU,CAAC;AAuExE,+EAA+E;AAC/E,UAAU;AACV,+EAA+E;AAE/E;;;;;;;;;;;GAWG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAAC,OAA4B;IACnE,MAAM,EACJ,MAAM,EACN,QAAQ,EACR,YAAY,EACZ,SAAS,EACT,cAAc,GAAG,uBAAuB,EACxC,aAAa,EACb,WAAW,EACX,cAAc,GACf,GAAG,OAAO,CAAC;IAEZ,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IAE1C,kDAAkD;IAClD,MAAM,SAAS,GAAG,MAAM,gBAAgB,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC;IAEjE,IAAI,CAAC,SAAS,CAAC,iBAAiB,EAAE,CAAC;QACjC,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;IAC/C,CAAC;IAED,MAAM,CAAC,IAAI,CACT,WAAW,CAAC,OAAO,EACnB,SAAS,CAAC,sBAAsB,EAChC,SAAS,CAAC,cAAc,EACxB,SAAS,CAAC,iBAAiB,IAAI,QAAQ,CACxC,CAAC;IAEF,2CAA2C;IAC3C,MAAM,kBAAkB,GAAG,KAAK,EAAE,KAAa,EAAE,IAA6B,EAAqB,EAAE;QACnG,mEAAmE;QACnE,MAAM,MAAM,GAAG,IAAqC,CAAC;QAErD,oEAAoE;QACpE,IAAI,CAAC,MAAM,CAAC,GAAG,IAAI,OAAO,MAAM,CAAC,GAAG,KAAK,QAAQ,EAAE,CAAC;YAClD,MAAM,IAAI,KAAK,CAAC,qDAAqD,CAAC,CAAC;QACzE,CAAC;QAED,OAAO;YACL,KAAK;YACL,QAAQ,EAAE,MAAM,CAAC,GAAG;YACpB,MAAM,EAAE,aAAa,CAAC,CAAC,CAAC,CAAC,GAAG,aAAa,CAAC,CAAC,CAAC,CAAC,EAAE;YAC/C,uDAAuD;YACvD,qEAAqE;YACrE,SAAS,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,IAAI;YAC/C,KAAK,EAAE;gBACL,QAAQ,EAAE,MAAM;gBAChB,MAAM;gBACN,iGAAiG;gBACjG,QAAQ,EAAE,OAAO,MAAM,CAAC,kBAAkB,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,kBAAkB,CAAC,CAAC,CAAC,SAAS;gBAC/F,WAAW,EACT,OAAO,MAAM,CAAC,IAAI,KAAK,QAAQ;oBAC7B,CAAC,CAAC,MAAM,CAAC,IAAI;oBACb,CAAC,CAAC,OAAO,MAAM,CAAC,kBAAkB,KAAK,QAAQ;wBAC7C,CAAC,CAAC,MAAM,CAAC,kBAAkB;wBAC3B,CAAC,CAAC,MAAM,CAAC,GAAG;gBAClB,KAAK,EAAE,OAAO,MAAM,CAAC,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS;aACnE;SACF,CAAC;IACJ,CAAC,CAAC;IAEF,OAAO,2BAA2B,CAAC;QACjC,SAAS,EAAE;YACT,gBAAgB,EAAE,SAAS,CAAC,sBAAsB;YAClD,QAAQ,EAAE,SAAS,CAAC,cAAc;YAClC,WAAW,EAAE,SAAS,CAAC,iBAAiB;YACxC,aAAa,EAAE,SAAS,CAAC,mBAAmB;SAC7C;QACD,QAAQ;QACR,YAAY;QACZ,SAAS;QACT,cAAc,EAAE,CAAC,GAAG,cAAc,CAAC;QACnC,WAAW,EAAE,WAAW,IAAI,kBAAkB;QAC9C,uBAAuB,EAAE,MAAM,EAAE,gBAAgB;QACjD,uBAAuB,EAAE,EAAE,aAAa,EAAE,MAAM,EAAE;QAClD,mBAAmB,EAAE,IAAI;KAC1B,CAAC,CAAC;AACL,CAAC"}