npm - mcp4openapi - Versions diffs - 0.2.8 → 0.3.1 - Mend

mcp4openapi 0.2.8 → 0.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (358) hide show

package/README.md +143 -63
package/dist/scripts/validate-profile.js +3 -3
package/dist/scripts/validate-profile.js.map +1 -1
package/dist/src/argument-normalizer.d.ts +5 -0
package/dist/src/argument-normalizer.d.ts.map +1 -0
package/dist/src/argument-normalizer.js +61 -0
package/dist/src/argument-normalizer.js.map +1 -0
package/dist/src/auth/oauth-provider.d.ts +131 -0
package/dist/src/auth/oauth-provider.d.ts.map +1 -0
package/dist/src/auth/oauth-provider.js +839 -0
package/dist/src/auth/oauth-provider.js.map +1 -0
package/dist/src/cli-config.d.ts +9 -0
package/dist/src/cli-config.d.ts.map +1 -0
package/dist/src/cli-config.js +111 -0
package/dist/src/cli-config.js.map +1 -0
package/dist/src/core/cli-config.d.ts +9 -0
package/dist/src/core/cli-config.d.ts.map +1 -0
package/dist/src/core/cli-config.js +125 -0
package/dist/src/core/cli-config.js.map +1 -0
package/dist/src/core/constants.d.ts +86 -0
package/dist/src/core/constants.d.ts.map +1 -0
package/dist/src/core/constants.js +86 -0
package/dist/src/core/constants.js.map +1 -0
package/dist/src/core/errors.d.ts +59 -0
package/dist/src/core/errors.d.ts.map +1 -0
package/dist/src/core/errors.js +119 -0
package/dist/src/core/errors.js.map +1 -0
package/dist/src/core/filtering.d.ts +19 -0
package/dist/src/core/filtering.d.ts.map +1 -0
package/dist/src/core/filtering.js +292 -0
package/dist/src/core/filtering.js.map +1 -0
package/dist/src/core/index.d.ts +26 -0
package/dist/src/core/index.d.ts.map +1 -0
package/dist/src/core/index.js +276 -0
package/dist/src/core/index.js.map +1 -0
package/dist/src/core/lib.d.ts +8 -0
package/dist/src/core/lib.d.ts.map +1 -0
package/dist/src/core/lib.js +7 -0
package/dist/src/core/lib.js.map +1 -0
package/dist/src/core/logger.d.ts +59 -0
package/dist/src/core/logger.d.ts.map +1 -0
package/dist/src/core/logger.js +197 -0
package/dist/src/core/logger.js.map +1 -0
package/dist/src/core/metrics.d.ts +97 -0
package/dist/src/core/metrics.d.ts.map +1 -0
package/dist/src/core/metrics.js +273 -0
package/dist/src/core/metrics.js.map +1 -0
package/dist/src/core/naming-warnings.d.ts +23 -0
package/dist/src/core/naming-warnings.d.ts.map +1 -0
package/dist/src/core/naming-warnings.js +83 -0
package/dist/src/core/naming-warnings.js.map +1 -0
package/dist/src/core/naming.d.ts +58 -0
package/dist/src/core/naming.d.ts.map +1 -0
package/dist/src/core/naming.js +510 -0
package/dist/src/core/naming.js.map +1 -0
package/dist/src/errors.d.ts +6 -0
package/dist/src/errors.d.ts.map +1 -1
package/dist/src/errors.js +15 -6
package/dist/src/errors.js.map +1 -1
package/dist/src/filtering.d.ts +19 -0
package/dist/src/filtering.d.ts.map +1 -0
package/dist/src/filtering.js +292 -0
package/dist/src/filtering.js.map +1 -0
package/dist/src/generated-schemas.d.ts +290 -79
package/dist/src/generated-schemas.d.ts.map +1 -1
package/dist/src/generated-schemas.js +17 -2
package/dist/src/generated-schemas.js.map +1 -1
package/dist/src/http-transport-config.d.ts +6 -0
package/dist/src/http-transport-config.d.ts.map +1 -0
package/dist/src/http-transport-config.js +47 -0
package/dist/src/http-transport-config.js.map +1 -0
package/dist/src/http-transport.d.ts +63 -13
package/dist/src/http-transport.d.ts.map +1 -1
package/dist/src/http-transport.js +1045 -482
package/dist/src/http-transport.js.map +1 -1
package/dist/src/index.d.ts +1 -6
package/dist/src/index.d.ts.map +1 -1
package/dist/src/index.js +1 -170
package/dist/src/index.js.map +1 -1
package/dist/src/interceptors.d.ts +1 -0
package/dist/src/interceptors.d.ts.map +1 -1
package/dist/src/interceptors.js +73 -63
package/dist/src/interceptors.js.map +1 -1
package/dist/src/lib.d.ts +1 -7
package/dist/src/lib.d.ts.map +1 -1
package/dist/src/lib.js +1 -6
package/dist/src/lib.js.map +1 -1
package/dist/src/logger.d.ts +5 -0
package/dist/src/logger.d.ts.map +1 -1
package/dist/src/logger.js +9 -1
package/dist/src/logger.js.map +1 -1
package/dist/src/mcp/mcp-server-manager.d.ts +20 -0
package/dist/src/mcp/mcp-server-manager.d.ts.map +1 -0
package/dist/src/mcp/mcp-server-manager.js +38 -0
package/dist/src/mcp/mcp-server-manager.js.map +1 -0
package/dist/src/mcp/mcp-server.d.ts +205 -0
package/dist/src/mcp/mcp-server.d.ts.map +1 -0
package/dist/src/mcp/mcp-server.js +1473 -0
package/dist/src/mcp/mcp-server.js.map +1 -0
package/dist/src/mcp-server-manager.d.ts +20 -0
package/dist/src/mcp-server-manager.d.ts.map +1 -0
package/dist/src/mcp-server-manager.js +38 -0
package/dist/src/mcp-server-manager.js.map +1 -0
package/dist/src/mcp-server.d.ts +28 -0
package/dist/src/mcp-server.d.ts.map +1 -1
package/dist/src/mcp-server.js +406 -109
package/dist/src/mcp-server.js.map +1 -1
package/dist/src/metrics.d.ts +11 -0
package/dist/src/metrics.d.ts.map +1 -1
package/dist/src/metrics.js +61 -0
package/dist/src/metrics.js.map +1 -1
package/dist/src/oauth-provider.d.ts +5 -0
package/dist/src/oauth-provider.d.ts.map +1 -1
package/dist/src/oauth-provider.js +29 -1
package/dist/src/oauth-provider.js.map +1 -1
package/dist/src/openapi/openapi-parser.d.ts +70 -0
package/dist/src/openapi/openapi-parser.d.ts.map +1 -0
package/dist/src/openapi/openapi-parser.js +458 -0
package/dist/src/openapi/openapi-parser.js.map +1 -0
package/dist/src/profile/profile-loader.d.ts +78 -0
package/dist/src/profile/profile-loader.d.ts.map +1 -0
package/dist/src/profile/profile-loader.js +490 -0
package/dist/src/profile/profile-loader.js.map +1 -0
package/dist/src/profile/profile-registry.d.ts +19 -0
package/dist/src/profile/profile-registry.d.ts.map +1 -0
package/dist/src/profile/profile-registry.js +43 -0
package/dist/src/profile/profile-registry.js.map +1 -0
package/dist/src/profile/profile-resolver.d.ts +41 -0
package/dist/src/profile/profile-resolver.d.ts.map +1 -0
package/dist/src/profile/profile-resolver.js +324 -0
package/dist/src/profile/profile-resolver.js.map +1 -0
package/dist/src/profile/startup-profile.d.ts +17 -0
package/dist/src/profile/startup-profile.d.ts.map +1 -0
package/dist/src/profile/startup-profile.js +30 -0
package/dist/src/profile/startup-profile.js.map +1 -0
package/dist/src/profile/startup-validation.d.ts +11 -0
package/dist/src/profile/startup-validation.d.ts.map +1 -0
package/dist/src/profile/startup-validation.js +21 -0
package/dist/src/profile/startup-validation.js.map +1 -0
package/dist/src/profile-loader.d.ts +1 -0
package/dist/src/profile-loader.d.ts.map +1 -1
package/dist/src/profile-loader.js +14 -3
package/dist/src/profile-loader.js.map +1 -1
package/dist/src/profile-registry.d.ts +18 -0
package/dist/src/profile-registry.d.ts.map +1 -0
package/dist/src/profile-registry.js +26 -0
package/dist/src/profile-registry.js.map +1 -0
package/dist/src/profile-resolver.d.ts +19 -0
package/dist/src/profile-resolver.d.ts.map +1 -0
package/dist/src/profile-resolver.js +167 -0
package/dist/src/profile-resolver.js.map +1 -0
package/dist/src/proxy-executor.d.ts.map +1 -1
package/dist/src/proxy-executor.js +7 -0
package/dist/src/proxy-executor.js.map +1 -1
package/dist/src/startup-profile.d.ts +17 -0
package/dist/src/startup-profile.d.ts.map +1 -0
package/dist/src/startup-profile.js +30 -0
package/dist/src/startup-profile.js.map +1 -0
package/dist/src/startup-validation.d.ts +11 -0
package/dist/src/startup-validation.d.ts.map +1 -0
package/dist/src/startup-validation.js +21 -0
package/dist/src/startup-validation.js.map +1 -0
package/dist/src/testing/dynamic-mock-server.d.ts +24 -0
package/dist/src/testing/dynamic-mock-server.d.ts.map +1 -0
package/dist/src/testing/dynamic-mock-server.js +138 -0
package/dist/src/testing/dynamic-mock-server.js.map +1 -0
package/dist/src/testing/request-assertions.d.ts +5 -0
package/dist/src/testing/request-assertions.d.ts.map +1 -0
package/dist/src/testing/request-assertions.js +165 -0
package/dist/src/testing/request-assertions.js.map +1 -0
package/dist/src/testing/template-utils.d.ts +10 -0
package/dist/src/testing/template-utils.d.ts.map +1 -0
package/dist/src/testing/template-utils.js +72 -0
package/dist/src/testing/template-utils.js.map +1 -0
package/dist/src/testing/test-http-utils.d.ts +1 -1
package/dist/src/testing/test-http-utils.d.ts.map +1 -1
package/dist/src/testing/test-http-utils.js +1 -1
package/dist/src/testing/test-http-utils.js.map +1 -1
package/dist/src/testing/test-loader.d.ts +6 -0
package/dist/src/testing/test-loader.d.ts.map +1 -0
package/dist/src/testing/test-loader.js +212 -0
package/dist/src/testing/test-loader.js.map +1 -0
package/dist/src/testing/test-schema.d.ts +1270 -0
package/dist/src/testing/test-schema.d.ts.map +1 -0
package/dist/src/testing/test-schema.js +76 -0
package/dist/src/testing/test-schema.js.map +1 -0
package/dist/src/tool-filter/compat.d.ts +49 -0
package/dist/src/tool-filter/compat.d.ts.map +1 -0
package/dist/src/tool-filter/compat.js +72 -0
package/dist/src/tool-filter/compat.js.map +1 -0
package/dist/src/tool-filter/config/env-config-parser.d.ts +38 -0
package/dist/src/tool-filter/config/env-config-parser.d.ts.map +1 -0
package/dist/src/tool-filter/config/env-config-parser.js +103 -0
package/dist/src/tool-filter/config/env-config-parser.js.map +1 -0
package/dist/src/tool-filter/config/header-config-parser.d.ts +37 -0
package/dist/src/tool-filter/config/header-config-parser.d.ts.map +1 -0
package/dist/src/tool-filter/config/header-config-parser.js +118 -0
package/dist/src/tool-filter/config/header-config-parser.js.map +1 -0
package/dist/src/tool-filter/errors.d.ts +18 -0
package/dist/src/tool-filter/errors.d.ts.map +1 -0
package/dist/src/tool-filter/errors.js +21 -0
package/dist/src/tool-filter/errors.js.map +1 -0
package/dist/src/tool-filter/filter/filter-engine.d.ts +45 -0
package/dist/src/tool-filter/filter/filter-engine.d.ts.map +1 -0
package/dist/src/tool-filter/filter/filter-engine.js +94 -0
package/dist/src/tool-filter/filter/filter-engine.js.map +1 -0
package/dist/src/tool-filter/filter/filter-rules.d.ts +44 -0
package/dist/src/tool-filter/filter/filter-rules.d.ts.map +1 -0
package/dist/src/tool-filter/filter/filter-rules.js +72 -0
package/dist/src/tool-filter/filter/filter-rules.js.map +1 -0
package/dist/src/tool-filter/filter/global-tool-filter.d.ts +40 -0
package/dist/src/tool-filter/filter/global-tool-filter.d.ts.map +1 -0
package/dist/src/tool-filter/filter/global-tool-filter.js +92 -0
package/dist/src/tool-filter/filter/global-tool-filter.js.map +1 -0
package/dist/src/tool-filter/filter/session-tool-filter.d.ts +29 -0
package/dist/src/tool-filter/filter/session-tool-filter.d.ts.map +1 -0
package/dist/src/tool-filter/filter/session-tool-filter.js +69 -0
package/dist/src/tool-filter/filter/session-tool-filter.js.map +1 -0
package/dist/src/tool-filter/index.d.ts +25 -0
package/dist/src/tool-filter/index.d.ts.map +1 -0
package/dist/src/tool-filter/index.js +30 -0
package/dist/src/tool-filter/index.js.map +1 -0
package/dist/src/tool-filter/integration/tool-filter-service.d.ts +44 -0
package/dist/src/tool-filter/integration/tool-filter-service.d.ts.map +1 -0
package/dist/src/tool-filter/integration/tool-filter-service.js +68 -0
package/dist/src/tool-filter/integration/tool-filter-service.js.map +1 -0
package/dist/src/tool-filter/operation/operation-classifier.d.ts +20 -0
package/dist/src/tool-filter/operation/operation-classifier.d.ts.map +1 -0
package/dist/src/tool-filter/operation/operation-classifier.js +26 -0
package/dist/src/tool-filter/operation/operation-classifier.js.map +1 -0
package/dist/src/tool-filter/operation/operation-detector.d.ts +30 -0
package/dist/src/tool-filter/operation/operation-detector.d.ts.map +1 -0
package/dist/src/tool-filter/operation/operation-detector.js +96 -0
package/dist/src/tool-filter/operation/operation-detector.js.map +1 -0
package/dist/src/tool-filter/operation/operation-resolver.d.ts +22 -0
package/dist/src/tool-filter/operation/operation-resolver.d.ts.map +1 -0
package/dist/src/tool-filter/operation/operation-resolver.js +32 -0
package/dist/src/tool-filter/operation/operation-resolver.js.map +1 -0
package/dist/src/tool-filter/regex/regex-compiler.d.ts +22 -0
package/dist/src/tool-filter/regex/regex-compiler.d.ts.map +1 -0
package/dist/src/tool-filter/regex/regex-compiler.js +56 -0
package/dist/src/tool-filter/regex/regex-compiler.js.map +1 -0
package/dist/src/tool-filter/regex/regex-validator.d.ts +24 -0
package/dist/src/tool-filter/regex/regex-validator.d.ts.map +1 -0
package/dist/src/tool-filter/regex/regex-validator.js +58 -0
package/dist/src/tool-filter/regex/regex-validator.js.map +1 -0
package/dist/src/tool-filter/types.d.ts +92 -0
package/dist/src/tool-filter/types.d.ts.map +1 -0
package/dist/src/tool-filter/types.js +5 -0
package/dist/src/tool-filter/types.js.map +1 -0
package/dist/src/tool-filter/utils.d.ts +11 -0
package/dist/src/tool-filter/utils.d.ts.map +1 -0
package/dist/src/tool-filter/utils.js +13 -0
package/dist/src/tool-filter/utils.js.map +1 -0
package/dist/src/tool-filter.d.ts +65 -0
package/dist/src/tool-filter.d.ts.map +1 -0
package/dist/src/tool-filter.js +471 -0
package/dist/src/tool-filter.js.map +1 -0
package/dist/src/tool-generator.d.ts +1 -0
package/dist/src/tool-generator.d.ts.map +1 -1
package/dist/src/tool-generator.js +15 -6
package/dist/src/tool-generator.js.map +1 -1
package/dist/src/tooling/composite-executor.d.ts +77 -0
package/dist/src/tooling/composite-executor.d.ts.map +1 -0
package/dist/src/tooling/composite-executor.js +198 -0
package/dist/src/tooling/composite-executor.js.map +1 -0
package/dist/src/tooling/dag-executor.d.ts +49 -0
package/dist/src/tooling/dag-executor.d.ts.map +1 -0
package/dist/src/tooling/dag-executor.js +138 -0
package/dist/src/tooling/dag-executor.js.map +1 -0
package/dist/src/tooling/proxy-executor.d.ts +86 -0
package/dist/src/tooling/proxy-executor.d.ts.map +1 -0
package/dist/src/tooling/proxy-executor.js +501 -0
package/dist/src/tooling/proxy-executor.js.map +1 -0
package/dist/src/tooling/tool-generator.d.ts +67 -0
package/dist/src/tooling/tool-generator.d.ts.map +1 -0
package/dist/src/tooling/tool-generator.js +222 -0
package/dist/src/tooling/tool-generator.js.map +1 -0
package/dist/src/transport/http-client-factory.d.ts +65 -0
package/dist/src/transport/http-client-factory.d.ts.map +1 -0
package/dist/src/transport/http-client-factory.js +143 -0
package/dist/src/transport/http-client-factory.js.map +1 -0
package/dist/src/transport/http-transport-config.d.ts +6 -0
package/dist/src/transport/http-transport-config.d.ts.map +1 -0
package/dist/src/transport/http-transport-config.js +63 -0
package/dist/src/transport/http-transport-config.js.map +1 -0
package/dist/src/transport/http-transport.d.ts +329 -0
package/dist/src/transport/http-transport.d.ts.map +1 -0
package/dist/src/transport/http-transport.js +2584 -0
package/dist/src/transport/http-transport.js.map +1 -0
package/dist/src/transport/interceptors.d.ts +119 -0
package/dist/src/transport/interceptors.d.ts.map +1 -0
package/dist/src/transport/interceptors.js +413 -0
package/dist/src/transport/interceptors.js.map +1 -0
package/dist/src/transport/profile-index.d.ts +84 -0
package/dist/src/transport/profile-index.d.ts.map +1 -0
package/dist/src/transport/profile-index.js +405 -0
package/dist/src/transport/profile-index.js.map +1 -0
package/dist/src/types/http-transport.d.ts +26 -0
package/dist/src/types/http-transport.d.ts.map +1 -1
package/dist/src/types/openapi.d.ts +3 -0
package/dist/src/types/openapi.d.ts.map +1 -1
package/dist/src/types/profile.d.ts +16 -1
package/dist/src/types/profile.d.ts.map +1 -1
package/dist/src/validation/argument-normalizer.d.ts +6 -0
package/dist/src/validation/argument-normalizer.d.ts.map +1 -0
package/dist/src/validation/argument-normalizer.js +70 -0
package/dist/src/validation/argument-normalizer.js.map +1 -0
package/dist/src/validation/jsonrpc-validator.d.ts +27 -0
package/dist/src/validation/jsonrpc-validator.d.ts.map +1 -0
package/dist/src/validation/jsonrpc-validator.js +58 -0
package/dist/src/validation/jsonrpc-validator.js.map +1 -0
package/dist/src/validation/schema-validator.d.ts +30 -0
package/dist/src/validation/schema-validator.d.ts.map +1 -0
package/dist/src/validation/schema-validator.js +128 -0
package/dist/src/validation/schema-validator.js.map +1 -0
package/dist/src/validation/validation-utils.d.ts +49 -0
package/dist/src/validation/validation-utils.d.ts.map +1 -0
package/dist/src/validation/validation-utils.js +139 -0
package/dist/src/validation/validation-utils.js.map +1 -0
package/html/profile-index.html +386 -0
package/package.json +10 -3
package/profile-schema.json +77 -3
package/profiles/gitlab/developer-profile-oauth.json +1520 -0
package/profiles/gitlab/developer-profile-oauth.test.json +3432 -0
package/profiles/gitlab/developer-profile.json +1508 -0
package/profiles/gitlab/developer-profile.test.json +3432 -0
package/profiles/gitlab/openapi.yaml +6891 -0
package/profiles/n8n/openapi.yaml +2441 -0
package/profiles/n8n/profile-optimized.json +965 -0
package/profiles/n8n/profile-optimized.test.json +1078 -0
package/profiles/n8n/profile.json +1033 -0
package/profiles/n8n/profile.test.json +983 -0
package/profiles/n8n-nodes/openapi.yaml +24 -0
package/profiles/n8n-nodes/profile-nodes.json +44 -0
package/profiles/n8n-nodes/profile-nodes.test.json +91 -0
package/profiles/semgrep/openapi.yaml +4706 -0
package/profiles/semgrep/profile.json +692 -0
package/profiles/semgrep/profile.test.json +471 -0
package/profiles/youtrack/openapi.json +16976 -0
package/profiles/youtrack/profile.json +608 -0
package/profiles/youtrack/profile.test.json +1926 -0
package/dist/src/testing/fixtures.d.ts +0 -684
package/dist/src/testing/fixtures.d.ts.map +0 -1
package/dist/src/testing/fixtures.js +0 -528
package/dist/src/testing/fixtures.js.map +0 -1
package/dist/src/testing/mock-gitlab-server.d.ts +0 -43
package/dist/src/testing/mock-gitlab-server.d.ts.map +0 -1
package/dist/src/testing/mock-gitlab-server.js +0 -1026
package/dist/src/testing/mock-gitlab-server.js.map +0 -1
package/dist/src/testing/mock-semgrep-server.d.ts +0 -32
package/dist/src/testing/mock-semgrep-server.d.ts.map +0 -1
package/dist/src/testing/mock-semgrep-server.js +0 -213
package/dist/src/testing/mock-semgrep-server.js.map +0 -1
package/dist/src/testing/mock-youtrack-server.d.ts +0 -11
package/dist/src/testing/mock-youtrack-server.d.ts.map +0 -1
package/dist/src/testing/mock-youtrack-server.js +0 -152
package/dist/src/testing/mock-youtrack-server.js.map +0 -1

package/dist/src/auth/oauth-provider.js ADDED Viewed

@@ -0,0 +1,839 @@
+/**
+ * OAuth 2.0 Provider Adapter
+ *
+ * Implements MCP SDK OAuthServerProvider interface to integrate with external
+ * OAuth 2.0 authorization servers (e.g., GitLab, GitHub, etc.)
+ *
+ * Architecture:
+ * - This server acts as an OAuth client to the external provider (Proxy/Gateway)
+ * - Implements "Callback Mode":
+ *   1. Client -> MCP (Authorize) -> MCP redirects to Provider (with MCP callback URL)
+ *   2. Provider -> MCP (Callback) -> MCP exchanges code for tokens
+ *   3. MCP redirects to Client (with Internal Code)
+ *   4. Client -> MCP (Token) -> MCP returns stored tokens
+ */
+import { randomUUID, createHash, timingSafeEqual } from 'node:crypto';
+import { isIP } from 'node:net';
+import { OAUTH_PATHS, OAUTH_RATE_LIMIT } from '../core/constants.js';
+import { escapeHtmlSafe } from '../validation/validation-utils.js';
+/**
+ * In-memory store for OAuth client registrations
+ */
+export class InMemoryClientsStore {
+    constructor() {
+        this.clients = new Map();
+    }
+    async getClient(clientId) {
+        return this.clients.get(clientId);
+    }
+    async registerClient(clientMetadata) {
+        this.clients.set(clientMetadata.client_id, clientMetadata);
+        return clientMetadata;
+    }
+}
+/**
+ * OAuth Provider Adapter for external OAuth servers
+ */
+export class ExternalOAuthProvider {
+    constructor(config, logger) {
+        // In-memory storage
+        this.authorizationCodes = new Map();
+        this.accessTokens = new Map();
+        this.stateStore = new Map();
+        this.endpointsInitialized = false;
+        this.initializationPromise = null;
+        this.config = config;
+        this.logger = logger;
+        this._clientsStore = new InMemoryClientsStore();
+        // Resolve environment variables in OAuth config
+        this.config = this.resolveEnvVars(config);
+        // Pre-register mcp-proxy-client for VS Code compatibility
+        // VS Code doesn't call /oauth/register endpoint before calling /oauth/authorize
+        // This client has empty redirect_uris, allowing any redirect URI (validated at runtime)
+        const proxyClient = {
+            client_id: 'mcp-proxy-client',
+            client_secret: 'mcp-proxy-secret',
+            redirect_uris: [], // Empty = allow any redirect URI
+            grant_types: ['authorization_code', 'refresh_token'],
+            response_types: ['code'],
+            scope: this.config.scopes ? this.config.scopes.join(' ') : '',
+        };
+        this._clientsStore.registerClient(proxyClient);
+        this.logger.info('Pre-registered mcp-proxy-client for VS Code compatibility');
+    }
+    /**
+     * Lazy initialization of OAuth endpoints (async)
+     * Public method to allow HttpTransport to ensure initialization before client validation
+     */
+    async ensureEndpointsInitialized() {
+        if (this.endpointsInitialized) {
+            return;
+        }
+        // Prevent concurrent initializations
+        if (this.initializationPromise) {
+            return this.initializationPromise;
+        }
+        this.initializationPromise = (async () => {
+            // Register default client BEFORE deriving endpoints
+            // This ensures the client is available immediately, even if endpoint derivation fails
+            // The client_id from config should be registered as soon as possible to avoid
+            // race conditions where /oauth/authorize is called before initialization completes
+            if (this.config.client_id) {
+                // Allow localhost and configured redirect_uri for default client
+                const allowedUris = [];
+                if (this.config.redirect_uri) {
+                    allowedUris.push(this.config.redirect_uri);
+                }
+                // Also allow common localhost patterns for development/testing
+                allowedUris.push('http://localhost:3003/oauth/callback');
+                allowedUris.push('http://127.0.0.1:3003/oauth/callback');
+                const defaultClient = {
+                    client_id: this.config.client_id,
+                    client_secret: this.config.client_secret,
+                    redirect_uris: allowedUris,
+                    grant_types: ['authorization_code', 'refresh_token'],
+                    response_types: ['code'],
+                    scope: this.config.scopes ? this.config.scopes.join(' ') : '',
+                };
+                this._clientsStore.registerClient(defaultClient);
+                this.logger.info('Registered default OAuth client', {
+                    clientId: this.config.client_id,
+                    redirectUris: allowedUris
+                });
+            }
+            // Derive endpoints from issuer if needed
+            this.config = await this.deriveEndpointsFromIssuer(this.config);
+            // Validate that we have required endpoints
+            if (!this.config.authorization_endpoint || !this.config.token_endpoint) {
+                throw new Error('OAuth config must provide either issuer OR both authorization_endpoint and token_endpoint');
+            }
+            this.logger.info('ExternalOAuthProvider initialized', {
+                authEndpoint: this.config.authorization_endpoint,
+                tokenEndpoint: this.config.token_endpoint,
+                hasClientId: !!this.config.client_id,
+                scopes: this.config.scopes || [],
+            });
+            this.endpointsInitialized = true;
+        })();
+        return this.initializationPromise;
+    }
+    get clientsStore() {
+        return this._clientsStore;
+    }
+    get authorizationEndpoint() {
+        // May be undefined before ensureEndpointsInitialized() is called
+        // when OAuth config provides issuer instead of explicit endpoints
+        return this.config.authorization_endpoint;
+    }
+    get redirectUri() {
+        return this.config.redirect_uri;
+    }
+    get scopes() {
+        return this.config.scopes || [];
+    }
+    /**
+     * Fetch OAuth Authorization Server Metadata (RFC 8414)
+     */
+    async fetchOAuthMetadata(issuerUrl) {
+        try {
+            // Use URL constructor to properly handle trailing slashes
+            const metadataUrl = new URL(OAUTH_PATHS.WELL_KNOWN_AUTHORIZATION_SERVER, issuerUrl).toString();
+            const response = await fetch(metadataUrl, {
+                headers: { 'Accept': 'application/json' },
+                signal: AbortSignal.timeout(5000), // 5 second timeout
+            });
+            if (!response.ok) {
+                return null;
+            }
+            const metadata = await response.json();
+            return {
+                authorization_endpoint: metadata.authorization_endpoint,
+                token_endpoint: metadata.token_endpoint,
+            };
+        }
+        catch (error) {
+            this.logger.debug('OAuth metadata fetch failed', { issuerUrl, error });
+            return null;
+        }
+    }
+    /**
+     * Resolve environment variable references in OAuth config
+     */
+    resolveEnvVars(config) {
+        const resolve = (value) => {
+            if (!value)
+                return value;
+            const match = value.match(/^\$\{env:([^}]+)\}$/);
+            if (match) {
+                const envVar = match[1];
+                const envValue = process.env[envVar];
+                if (!envValue) {
+                    throw new Error(`Environment variable ${envVar} not found (referenced in OAuth config)`);
+                }
+                return envValue;
+            }
+            return value;
+        };
+        return {
+            ...config,
+            issuer: resolve(config.issuer),
+            authorization_endpoint: resolve(config.authorization_endpoint) || config.authorization_endpoint,
+            token_endpoint: resolve(config.token_endpoint) || config.token_endpoint,
+            client_id: resolve(config.client_id),
+            client_secret: resolve(config.client_secret),
+            redirect_uri: resolve(config.redirect_uri),
+            registration_endpoint: resolve(config.registration_endpoint),
+            introspection_endpoint: resolve(config.introspection_endpoint),
+            revocation_endpoint: resolve(config.revocation_endpoint),
+        };
+    }
+    /**
+     * Derive OAuth endpoints from issuer if needed
+     */
+    async deriveEndpointsFromIssuer(config) {
+        // If both endpoints are explicitly provided, no need to derive
+        if (config.authorization_endpoint && config.token_endpoint) {
+            return config;
+        }
+        // If issuer is not provided, we can't derive
+        if (!config.issuer) {
+            if (!config.authorization_endpoint || !config.token_endpoint) {
+                throw new Error('OAuth config must provide either issuer OR both authorization_endpoint and token_endpoint');
+            }
+            return config;
+        }
+        const issuer = config.issuer;
+        this.logger.info('Deriving OAuth endpoints from issuer', { issuer });
+        // Try to fetch OAuth metadata
+        const metadata = await this.fetchOAuthMetadata(issuer);
+        if (metadata) {
+            this.logger.info('Successfully discovered OAuth endpoints', {
+                authorization_endpoint: metadata.authorization_endpoint,
+                token_endpoint: metadata.token_endpoint,
+            });
+            return {
+                ...config,
+                authorization_endpoint: config.authorization_endpoint || metadata.authorization_endpoint,
+                token_endpoint: config.token_endpoint || metadata.token_endpoint,
+            };
+        }
+        // Fallback to standard OAuth paths
+        this.logger.info('OAuth metadata fetch failed, using standard OAuth paths', { issuer });
+        return {
+            ...config,
+            authorization_endpoint: config.authorization_endpoint || `${issuer}/oauth/authorize`,
+            token_endpoint: config.token_endpoint || `${issuer}/oauth/token`,
+        };
+    }
+    /**
+     * Check if redirect URI host is allowed
+     * Prevents open redirect vulnerabilities (CWE-601)
+     */
+    isAllowedRedirectHost(redirectUri) {
+        try {
+            const url = new URL(redirectUri);
+            const hostname = url.hostname;
+            // Default to localhost only if not configured
+            const allowedHosts = this.config.allowed_redirect_hosts || ['localhost', '127.0.0.1'];
+            for (const allowed of allowedHosts) {
+                if (this.matchRedirectHost(hostname, allowed)) {
+                    return true;
+                }
+            }
+            return false;
+        }
+        catch {
+            // Invalid URL
+            return false;
+        }
+    }
+    /**
+     * Match hostname against allowlist entry
+     *
+     * Supports:
+     * - Exact hostnames
+     * - Wildcard subdomains (*.example.com)
+     * - IPv4 exact matches
+     * - IPv4 CIDR ranges (e.g., 10.0.0.0/8)
+     * - IPv6 exact matches
+     * - IPv6 CIDR ranges (e.g., 2001:db8::/32)
+     */
+    matchRedirectHost(hostname, pattern) {
+        const normalizedHost = this.stripIpv6Brackets(hostname);
+        const normalizedPattern = this.stripIpv6Brackets(pattern);
+        if (normalizedHost === normalizedPattern) {
+            return true;
+        }
+        if (normalizedPattern.startsWith('*.')) {
+            const domain = normalizedPattern.slice(2);
+            return normalizedHost === domain || normalizedHost.endsWith('.' + domain);
+        }
+        if (normalizedPattern.includes('/')) {
+            return this.matchCIDR(normalizedHost, normalizedPattern);
+        }
+        return false;
+    }
+    /**
+     * Check if IP address is within CIDR range
+     *
+     * Example: '192.168.1.50' matches '192.168.1.0/24'
+     *          '2001:db8::1' matches '2001:db8::/32'
+     */
+    matchCIDR(ip, cidr) {
+        const [rawRange, bits] = cidr.split('/');
+        const range = this.stripIpv6Brackets(rawRange);
+        const maskBits = parseInt(bits, 10);
+        if (isNaN(maskBits)) {
+            return false;
+        }
+        const ipVersion = isIP(ip);
+        const rangeVersion = isIP(range);
+        if (ipVersion === 0 || rangeVersion === 0 || ipVersion !== rangeVersion) {
+            return false;
+        }
+        if (ipVersion === 4) {
+            if (maskBits < 0 || maskBits > 32) {
+                this.logger.warn('Invalid IPv4 CIDR mask bits for redirect host allowlist', { cidr });
+                return false;
+            }
+            const ipInt = this.ipv4ToInt(ip);
+            const rangeInt = this.ipv4ToInt(range);
+            if (ipInt === null || rangeInt === null) {
+                return false;
+            }
+            const mask = (0xFFFFFFFF << (32 - maskBits)) >>> 0;
+            return (ipInt & mask) === (rangeInt & mask);
+        }
+        if (maskBits < 0 || maskBits > 128) {
+            this.logger.warn('Invalid IPv6 CIDR mask bits for redirect host allowlist', { cidr });
+            return false;
+        }
+        const ipInt = this.ipv6ToBigInt(ip);
+        const rangeInt = this.ipv6ToBigInt(range);
+        if (ipInt === null || rangeInt === null) {
+            return false;
+        }
+        const mask = this.ipv6Mask(maskBits);
+        return (ipInt & mask) === (rangeInt & mask);
+    }
+    /**
+     * Convert IPv4 address to 32-bit integer
+     */
+    ipv4ToInt(ip) {
+        const parts = ip.split('.');
+        if (parts.length !== 4) {
+            return null;
+        }
+        let result = 0;
+        for (let i = 0; i < 4; i++) {
+            const octet = parseInt(parts[i], 10);
+            if (isNaN(octet) || octet < 0 || octet > 255) {
+                return null;
+            }
+            result = (result << 8) | octet;
+        }
+        return result >>> 0;
+    }
+    /**
+     * Convert IPv6 address to 128-bit BigInt
+     */
+    ipv6ToBigInt(ip) {
+        const cleaned = this.stripIpv6Brackets(ip);
+        // Handle IPv4-mapped IPv6 (e.g., ::ffff:192.168.0.1)
+        let ipv4Tail = null;
+        let base = cleaned;
+        if (cleaned.includes('.')) {
+            const lastColon = cleaned.lastIndexOf(':');
+            if (lastColon === -1)
+                return null;
+            const ipv4Part = cleaned.slice(lastColon + 1);
+            ipv4Tail = this.ipv4ToInt(ipv4Part);
+            if (ipv4Tail === null)
+                return null;
+            base = cleaned.slice(0, lastColon);
+        }
+        const parts = base.split('::');
+        if (parts.length > 2) {
+            return null;
+        }
+        const head = parts[0] ? parts[0].split(':') : [];
+        const tail = parts.length === 2 && parts[1] ? parts[1].split(':') : [];
+        if (head.some(p => p === '') || tail.some(p => p === '')) {
+            return null;
+        }
+        const totalSegmentsNeeded = 8 - (ipv4Tail !== null ? 2 : 0);
+        let segments = [];
+        const parseHextets = (items) => {
+            const result = [];
+            for (const part of items) {
+                const num = parseInt(part || '0', 16);
+                if (isNaN(num) || num < 0 || num > 0xFFFF) {
+                    return null;
+                }
+                result.push(num);
+            }
+            return result;
+        };
+        const headVals = parseHextets(head);
+        const tailVals = parseHextets(tail);
+        if (!headVals || !tailVals) {
+            return null;
+        }
+        const missing = totalSegmentsNeeded - (headVals.length + tailVals.length);
+        if (missing < 0) {
+            return null;
+        }
+        segments = [...headVals, ...Array(missing).fill(0), ...tailVals];
+        if (segments.length !== totalSegmentsNeeded) {
+            return null;
+        }
+        if (ipv4Tail !== null) {
+            const high = (ipv4Tail >>> 16) & 0xFFFF;
+            const low = ipv4Tail & 0xFFFF;
+            segments.push(high, low);
+        }
+        if (segments.length !== 8) {
+            return null;
+        }
+        let value = 0n;
+        for (const part of segments) {
+            value = (value << 16n) + BigInt(part);
+        }
+        return value;
+    }
+    ipv6Mask(maskBits) {
+        if (maskBits === 0) {
+            return 0n;
+        }
+        const ones = (1n << BigInt(maskBits)) - 1n;
+        return BigInt.asUintN(128, ones << BigInt(128 - maskBits));
+    }
+    stripIpv6Brackets(value) {
+        return value.replace(/^\[/, '').replace(/\]$/, '');
+    }
+    /**
+     * Begin authorization flow
+     * Stores state and redirects to External Provider with MCP Callback URI
+     */
+    async authorize(client, params, res) {
+        await this.ensureEndpointsInitialized();
+        this.logger.info('Starting OAuth authorization', {
+            clientId: client.client_id,
+            scopes: params.scopes,
+            redirectUri: params.redirectUri,
+            registeredUris: client.redirect_uris,
+        });
+        // Validate redirect URI
+        if (client.redirect_uris && client.redirect_uris.length > 0 && !client.redirect_uris.includes(params.redirectUri)) {
+            this.logger.error('Invalid redirect URI', undefined, {
+                providedUri: params.redirectUri,
+                registeredUris: client.redirect_uris,
+            });
+            throw new Error('Unregistered redirect_uri');
+        }
+        // Validate redirect host against allowlist to prevent open redirect
+        if (!this.isAllowedRedirectHost(params.redirectUri)) {
+            this.logger.error('Redirect URI host not allowed', undefined, {
+                providedUri: params.redirectUri,
+                allowedHosts: this.config.allowed_redirect_hosts || ['localhost', '127.0.0.1'],
+            });
+            throw new Error('Redirect URI host not allowed');
+        }
+        const stateToken = randomUUID();
+        this.stateStore.set(stateToken, {
+            clientRedirectUri: params.redirectUri,
+            codeChallenge: params.codeChallenge,
+            originalState: params.state,
+            clientId: client.client_id,
+            scopes: params.scopes,
+            createdAt: Date.now(),
+        });
+        const authUrl = new URL(this.config.authorization_endpoint);
+        const clientId = this.config.client_id || client.client_id;
+        if (!this.config.redirect_uri) {
+            throw new Error('MCP4_OAUTH_REDIRECT_URI must be configured');
+        }
+        const callbackUri = this.config.redirect_uri;
+        authUrl.searchParams.set('client_id', clientId);
+        authUrl.searchParams.set('redirect_uri', callbackUri);
+        authUrl.searchParams.set('response_type', 'code');
+        authUrl.searchParams.set('state', stateToken);
+        if (params.scopes && params.scopes.length > 0) {
+            authUrl.searchParams.set('scope', params.scopes.join(' '));
+        }
+        else if (this.config.scopes && this.config.scopes.length > 0) {
+            authUrl.searchParams.set('scope', this.config.scopes.join(' '));
+        }
+        // NOTE: Do NOT forward PKCE parameters to external provider
+        // The MCP server acts as an OAuth proxy with client_secret (confidential client)
+        // PKCE is used only between Cursor <-> MCP, not between MCP <-> External Provider
+        // If we forwarded code_challenge, we would need code_verifier which only Cursor has
+        this.logger.info('Redirecting to external OAuth provider', {
+            authUrl: authUrl.toString(),
+            callbackUri,
+            stateToken,
+            hasClientSecret: !!this.config.client_secret,
+        });
+        res.redirect(authUrl.toString());
+    }
+    /**
+     * Handle callback from External Provider
+     * Exchanges code for tokens and redirects to Client with Internal Code
+     */
+    async handleCallback(req, res) {
+        await this.ensureEndpointsInitialized();
+        const { code, state, error } = req.query;
+        if (error) {
+            this.logger.error('OAuth callback error', undefined, { error, state });
+            // Sanitize error messages to prevent XSS
+            const safeError = escapeHtmlSafe(error);
+            res.status(400);
+            res.json({
+                error: safeError,
+                error_description: `Authorization failed: ${safeError}`
+            });
+            return;
+        }
+        if (!code || typeof code !== 'string') {
+            res.status(400).send('Missing authorization code');
+            return;
+        }
+        if (!state || typeof state !== 'string') {
+            res.status(400).send('Missing state parameter');
+            return;
+        }
+        const storedState = this.stateStore.get(state);
+        if (!storedState) {
+            res.status(400).send('Invalid or expired state');
+            return;
+        }
+        // Clean up state
+        this.stateStore.delete(state);
+        try {
+            // Exchange External Code for Tokens
+            const tokens = await this.exchangeCodeWithProvider(code, undefined, this.config.redirect_uri);
+            // Generate Internal Code
+            const internalCode = randomUUID();
+            // Store Internal Code -> Tokens mapping
+            const client = await this._clientsStore.getClient(storedState.clientId);
+            if (!client)
+                throw new Error('Client not found');
+            this.authorizationCodes.set(internalCode, {
+                client,
+                params: {
+                    redirectUri: storedState.clientRedirectUri,
+                    codeChallenge: storedState.codeChallenge,
+                    scopes: storedState.scopes || [],
+                    state: storedState.originalState
+                },
+                createdAt: Date.now(),
+                tokens
+            });
+            // Re-validate redirect URI host + registration before redirect (defense-in-depth)
+            if (!this.isAllowedRedirectHost(storedState.clientRedirectUri)) {
+                this.logger.error('Redirect URI host not allowed (callback)', undefined, {
+                    storedUri: storedState.clientRedirectUri,
+                    allowedHosts: this.config.allowed_redirect_hosts || ['localhost', '127.0.0.1'],
+                });
+                res.status(400).send('Redirect URI host not allowed');
+                return;
+            }
+            if (client.redirect_uris && client.redirect_uris.length > 0 && !client.redirect_uris.includes(storedState.clientRedirectUri)) {
+                this.logger.error('Stored redirect URI no longer registered', undefined, {
+                    storedUri: storedState.clientRedirectUri,
+                    registeredUris: client.redirect_uris,
+                });
+                res.status(400).send('Unregistered redirect_uri');
+                return;
+            }
+            // Redirect to Client
+            let clientUrl;
+            try {
+                // Allow custom schemes (e.g., vscode://, cursor://) as long as the host was validated above
+                clientUrl = new URL(storedState.clientRedirectUri);
+            }
+            catch {
+                res.status(400).send('Invalid redirect URI');
+                return;
+            }
+            clientUrl.searchParams.set('code', internalCode);
+            if (storedState.originalState) {
+                clientUrl.searchParams.set('state', storedState.originalState);
+            }
+            this.logger.info('Redirecting to client with internal code', {
+                clientUrl: clientUrl.toString(),
+                internalCode
+            });
+            // nosemgrep: javascript.express.open-redirect-deepsemgrep.open-redirect-deepsemgrep, javascript.express.web.tainted-redirect-express.tainted-redirect-express
+            res.redirect(clientUrl.toString());
+        }
+        catch (err) {
+            this.logger.error('Callback handling failed', err);
+            res.status(500).send('Internal Server Error during token exchange');
+        }
+    }
+    /**
+     * Get code challenge for authorization code (Internal)
+     */
+    async challengeForAuthorizationCode(client, authorizationCode) {
+        const codeData = this.authorizationCodes.get(authorizationCode);
+        if (!codeData) {
+            throw new Error('Invalid authorization code');
+        }
+        if (codeData.client.client_id !== client.client_id) {
+            throw new Error('Authorization code was not issued to this client');
+        }
+        return codeData.params.codeChallenge;
+    }
+    /**
+     * Exchange authorization code for access token (Internal)
+     */
+    async exchangeAuthorizationCode(client, authorizationCode, codeVerifier, redirectUri, resource) {
+        await this.ensureEndpointsInitialized();
+        this.logger.info('Exchanging internal authorization code', {
+            clientId: client.client_id,
+        });
+        const codeData = this.authorizationCodes.get(authorizationCode);
+        if (!codeData) {
+            throw new Error('Invalid authorization code');
+        }
+        if (codeData.client.client_id !== client.client_id) {
+            throw new Error('Authorization code was not issued to this client');
+        }
+        // Validate expiration (5 minutes)
+        const codeAge = Date.now() - codeData.createdAt;
+        const EXPIRATION_MS = 5 * 60 * 1000; // 5 minutes
+        if (codeAge > EXPIRATION_MS) {
+            this.authorizationCodes.delete(authorizationCode);
+            throw new Error('Authorization code expired');
+        }
+        // Validate PKCE if code challenge was provided
+        if (codeData.params.codeChallenge) {
+            if (!codeVerifier) {
+                throw new Error('code_verifier is required for PKCE');
+            }
+            // Verify code challenge (S256 method)
+            const hash = createHash('sha256').update(codeVerifier).digest('base64url');
+            // Use constant-time comparison to prevent timing attacks
+            const hashBuffer = Buffer.from(hash);
+            const challengeBuffer = Buffer.from(codeData.params.codeChallenge);
+            if (hashBuffer.length !== challengeBuffer.length || !timingSafeEqual(hashBuffer, challengeBuffer)) {
+                throw new Error('Invalid code_verifier');
+            }
+        }
+        if (!codeData.tokens) {
+            throw new Error('No tokens associated with this code');
+        }
+        // Delete authorization code (single use)
+        this.authorizationCodes.delete(authorizationCode);
+        // Store access token for validation
+        const tokenData = {
+            token: codeData.tokens.access_token,
+            clientId: client.client_id,
+            scopes: codeData.params.scopes || this.config.scopes || [],
+            expiresAt: codeData.tokens.expires_in
+                ? Date.now() + codeData.tokens.expires_in * 1000
+                : undefined,
+            resource,
+        };
+        this.accessTokens.set(codeData.tokens.access_token, tokenData);
+        return codeData.tokens;
+    }
+    /**
+     * Exchange authorization code with external OAuth provider
+     */
+    async exchangeCodeWithProvider(code, codeVerifier, redirectUri) {
+        const tokenUrl = this.config.token_endpoint;
+        const body = new URLSearchParams({
+            grant_type: 'authorization_code',
+            code,
+            redirect_uri: redirectUri,
+        });
+        if (codeVerifier) {
+            body.set('code_verifier', codeVerifier);
+        }
+        if (this.config.client_id) {
+            body.set('client_id', this.config.client_id);
+        }
+        if (this.config.client_secret) {
+            body.set('client_secret', this.config.client_secret);
+        }
+        this.logger.debug('Exchanging code with external provider', { tokenUrl });
+        const response = await fetch(tokenUrl, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/x-www-form-urlencoded',
+                'Accept': 'application/json',
+            },
+            body: body.toString(),
+        });
+        if (!response.ok) {
+            const errorText = await response.text();
+            this.logger.error('Token exchange failed', undefined, {
+                httpStatus: response.status,
+                errorMessage: errorText,
+            });
+            throw new Error(`Token exchange failed: ${response.status} ${errorText}`);
+        }
+        const tokenResponse = await response.json();
+        return tokenResponse;
+    }
+    async exchangeRefreshToken(client, refreshToken, scopes, resource) {
+        await this.ensureEndpointsInitialized();
+        this.logger.info('Exchanging refresh token', { clientId: client.client_id });
+        const tokenUrl = this.config.token_endpoint;
+        const body = new URLSearchParams({
+            grant_type: 'refresh_token',
+            refresh_token: refreshToken,
+        });
+        if (scopes && scopes.length > 0) {
+            body.set('scope', scopes.join(' '));
+        }
+        if (this.config.client_id) {
+            body.set('client_id', this.config.client_id);
+        }
+        if (this.config.client_secret) {
+            body.set('client_secret', this.config.client_secret);
+        }
+        const response = await fetch(tokenUrl, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/x-www-form-urlencoded',
+                'Accept': 'application/json',
+            },
+            body: body.toString(),
+        });
+        if (!response.ok) {
+            const errorText = await response.text();
+            this.logger.error('Refresh token exchange failed', undefined, {
+                httpStatus: response.status,
+                errorMessage: errorText,
+            });
+            throw new Error(`Refresh token exchange failed: ${response.status}`);
+        }
+        const tokenResponse = await response.json();
+        const tokenData = {
+            token: tokenResponse.access_token,
+            clientId: client.client_id,
+            scopes: scopes || this.config.scopes || [],
+            expiresAt: tokenResponse.expires_in
+                ? Date.now() + tokenResponse.expires_in * 1000
+                : undefined,
+            resource,
+        };
+        this.accessTokens.set(tokenResponse.access_token, tokenData);
+        return tokenResponse;
+    }
+    async verifyAccessToken(token) {
+        const tokenData = this.accessTokens.get(token);
+        if (!tokenData) {
+            if (this.config.introspection_endpoint) {
+                return await this.introspectToken(token);
+            }
+            throw new Error('Invalid or expired token');
+        }
+        if (tokenData.expiresAt && tokenData.expiresAt < Date.now()) {
+            this.accessTokens.delete(token);
+            throw new Error('Token expired');
+        }
+        return {
+            token,
+            clientId: tokenData.clientId,
+            scopes: tokenData.scopes,
+            expiresAt: tokenData.expiresAt ? Math.floor(tokenData.expiresAt / 1000) : undefined,
+            resource: tokenData.resource,
+        };
+    }
+    async introspectToken(token) {
+        const introspectionUrl = this.config.introspection_endpoint;
+        if (!introspectionUrl) {
+            throw new Error('Introspection endpoint not configured');
+        }
+        const body = new URLSearchParams({ token });
+        if (this.config.client_id) {
+            body.set('client_id', this.config.client_id);
+        }
+        if (this.config.client_secret) {
+            body.set('client_secret', this.config.client_secret);
+        }
+        const response = await fetch(introspectionUrl, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/x-www-form-urlencoded',
+                'Accept': 'application/json',
+            },
+            body: body.toString(),
+        });
+        if (!response.ok) {
+            throw new Error(`Token introspection failed: ${response.status}`);
+        }
+        const introspectionResponse = await response.json();
+        if (!introspectionResponse.active) {
+            throw new Error('Token is not active');
+        }
+        return {
+            token,
+            clientId: introspectionResponse.client_id || 'unknown',
+            scopes: introspectionResponse.scope ? introspectionResponse.scope.split(' ') : [],
+            expiresAt: introspectionResponse.exp,
+            resource: introspectionResponse.aud ? new URL(introspectionResponse.aud) : undefined,
+        };
+    }
+    async revokeToken(client, request) {
+        this.logger.info('Revoking token', { clientId: client.client_id });
+        this.accessTokens.delete(request.token);
+        if (this.config.revocation_endpoint) {
+            await this.revokeTokenWithProvider(request.token);
+        }
+    }
+    async revokeTokenWithProvider(token) {
+        const revocationUrl = this.config.revocation_endpoint;
+        if (!revocationUrl)
+            return;
+        const body = new URLSearchParams({ token });
+        if (this.config.client_id) {
+            body.set('client_id', this.config.client_id);
+        }
+        if (this.config.client_secret) {
+            body.set('client_secret', this.config.client_secret);
+        }
+        const response = await fetch(revocationUrl, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/x-www-form-urlencoded',
+            },
+            body: body.toString(),
+        });
+        if (!response.ok) {
+            this.logger.warn('Token revocation failed', { status: response.status });
+        }
+    }
+    /**
+     * Cleanup expired states, codes, and tokens
+     * Called periodically by HttpTransport
+     */
+    cleanup() {
+        const now = Date.now();
+        // 1. Cleanup expired states (10 minutes)
+        const STATE_TIMEOUT = OAUTH_RATE_LIMIT.WINDOW_MS;
+        for (const [state, data] of this.stateStore.entries()) {
+            if (now - data.createdAt > STATE_TIMEOUT) {
+                this.stateStore.delete(state);
+            }
+        }
+        // 2. Cleanup expired authorization codes (5 minutes)
+        const CODE_TIMEOUT = 5 * 60 * 1000;
+        for (const [code, data] of this.authorizationCodes.entries()) {
+            if (now - data.createdAt > CODE_TIMEOUT) {
+                this.authorizationCodes.delete(code);
+            }
+        }
+        // 3. Cleanup expired access tokens
+        for (const [token, data] of this.accessTokens.entries()) {
+            if (data.expiresAt && data.expiresAt < now) {
+                this.accessTokens.delete(token);
+            }
+        }
+    }
+}
+//# sourceMappingURL=oauth-provider.js.map