nitrostack 1.0.0

package/dist/core/middleware/middleware.interface.d.ts

@@ -0,0 +1,29 @@
+import 'reflect-metadata';
+import { ExecutionContext } from '../types.js';
+/**
+ * Middleware Interface
+ *
+ * Middleware can intercept tool execution for cross-cutting concerns
+ * like logging, authentication, validation, etc.
+ *
+ * @example
+ * ```typescript
+ * @Middleware()
+ * export class LoggingMiddleware implements MiddlewareInterface {
+ *   async use(context: ExecutionContext, next: () => Promise<any>) {
+ *     console.log('Before:', context.toolName);
+ *     const result = await next();
+ *     console.log('After:', context.toolName);
+ *     return result;
+ *   }
+ * }
+ * ```
+ */
+export interface MiddlewareInterface {
+    use(context: ExecutionContext, next: () => Promise<any>): Promise<any>;
+}
+/**
+ * Middleware constructor type
+ */
+export type MiddlewareConstructor = new (...args: any[]) => MiddlewareInterface;
+//# sourceMappingURL=middleware.interface.d.ts.map

package/dist/core/middleware/middleware.interface.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"middleware.interface.d.ts","sourceRoot":"","sources":["../../../src/core/middleware/middleware.interface.ts"],"names":[],"mappings":"AAAA,OAAO,kBAAkB,CAAC;AAC1B,OAAO,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAE/C;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,WAAW,mBAAmB;IAClC,GAAG,CAAC,OAAO,EAAE,gBAAgB,EAAE,IAAI,EAAE,MAAM,OAAO,CAAC,GAAG,CAAC,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC;CACxE;AAED;;GAEG;AACH,MAAM,MAAM,qBAAqB,GAAG,KAAK,GAAG,IAAI,EAAE,GAAG,EAAE,KAAK,mBAAmB,CAAC"}

package/dist/core/middleware/middleware.interface.js

@@ -0,0 +1,2 @@
+import 'reflect-metadata';
+//# sourceMappingURL=middleware.interface.js.map

package/dist/core/middleware/middleware.interface.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"middleware.interface.js","sourceRoot":"","sources":["../../../src/core/middleware/middleware.interface.ts"],"names":[],"mappings":"AAAA,OAAO,kBAAkB,CAAC"}

package/dist/core/module.d.ts

@@ -0,0 +1,74 @@
+import 'reflect-metadata';
+/**
+ * Module metadata key
+ */
+export declare const MODULE_METADATA: unique symbol;
+/**
+ * Module metadata interface
+ */
+export interface ModuleMetadata {
+    /** Module name */
+    name: string;
+    /** Module description */
+    description?: string;
+    /** Controllers (classes with @Tool, @Resource, @Prompt decorators) */
+    controllers?: any[];
+    /** Services (dependency injection) */
+    providers?: any[];
+    /** Other modules to import */
+    imports?: any[];
+    /** Items to export to other modules */
+    exports?: any[];
+}
+/**
+ * Module class (internal)
+ */
+declare class ModuleClass {
+    metadata: ModuleMetadata;
+    constructor(metadata: ModuleMetadata);
+    /**
+     * Get all controllers from this module
+     */
+    getControllers(): any[];
+    /**
+     * Get module name
+     */
+    getName(): string;
+    /**
+     * Get module description
+     */
+    getDescription(): string | undefined;
+}
+/**
+ * Module decorator - Defines a module with controllers, providers, imports
+ *
+ * @example
+ * ```typescript
+ * @Module({
+ *   name: 'auth',
+ *   description: 'Authentication module',
+ *   controllers: [AuthController],
+ * })
+ * export class AuthModule {}
+ * ```
+ */
+export declare function ModuleDecorator(metadata: ModuleMetadata): <T extends {
+    new (...args: any[]): {};
+}>(constructor: T) => {
+    new (...args: any[]): {};
+    getMetadata(): ModuleMetadata;
+} & T;
+export { ModuleDecorator as Module };
+/**
+ * Create a module instance from a class
+ */
+export declare function createModule(moduleClass: any): ModuleClass;
+/**
+ * Check if a class is a module
+ */
+export declare function isModule(target: any): boolean;
+/**
+ * Get module metadata from a class
+ */
+export declare function getModuleMetadata(target: any): ModuleMetadata | undefined;
+//# sourceMappingURL=module.d.ts.map

package/dist/core/module.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"module.d.ts","sourceRoot":"","sources":["../../src/core/module.ts"],"names":[],"mappings":"AAAA,OAAO,kBAAkB,CAAC;AAE1B;;GAEG;AACH,eAAO,MAAM,eAAe,eAA4B,CAAC;AAEzD;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,kBAAkB;IAClB,IAAI,EAAE,MAAM,CAAC;IAEb,yBAAyB;IACzB,WAAW,CAAC,EAAE,MAAM,CAAC;IAErB,sEAAsE;IACtE,WAAW,CAAC,EAAE,GAAG,EAAE,CAAC;IAEpB,sCAAsC;IACtC,SAAS,CAAC,EAAE,GAAG,EAAE,CAAC;IAElB,8BAA8B;IAC9B,OAAO,CAAC,EAAE,GAAG,EAAE,CAAC;IAEhB,uCAAuC;IACvC,OAAO,CAAC,EAAE,GAAG,EAAE,CAAC;CACjB;AAED;;GAEG;AACH,cAAM,WAAW;IACI,QAAQ,EAAE,cAAc;gBAAxB,QAAQ,EAAE,cAAc;IAE3C;;OAEG;IACH,cAAc,IAAI,GAAG,EAAE;IAIvB;;OAEG;IACH,OAAO,IAAI,MAAM;IAIjB;;OAEG;IACH,cAAc,IAAI,MAAM,GAAG,SAAS;CAGrC;AAED;;;;;;;;;;;;GAYG;AACH,wBAAgB,eAAe,CAAC,QAAQ,EAAE,cAAc,IACrC,CAAC,SAAS;IAAE,KAAK,GAAG,IAAI,EAAE,GAAG,EAAE,GAAG,EAAE,CAAA;CAAE,EAAE,aAAa,CAAC;kBAA5B,GAAG,EAAE;mBAMtB,cAAc;MAKzC;AAGD,OAAO,EAAE,eAAe,IAAI,MAAM,EAAE,CAAC;AAErC;;GAEG;AACH,wBAAgB,YAAY,CAAC,WAAW,EAAE,GAAG,GAAG,WAAW,CAM1D;AAED;;GAEG;AACH,wBAAgB,QAAQ,CAAC,MAAM,EAAE,GAAG,GAAG,OAAO,CAE7C;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,GAAG,GAAG,cAAc,GAAG,SAAS,CAEzE"}

package/dist/core/module.js

@@ -0,0 +1,82 @@
+import 'reflect-metadata';
+/**
+ * Module metadata key
+ */
+export const MODULE_METADATA = Symbol('module:metadata');
+/**
+ * Module class (internal)
+ */
+class ModuleClass {
+    metadata;
+    constructor(metadata) {
+        this.metadata = metadata;
+    }
+    /**
+     * Get all controllers from this module
+     */
+    getControllers() {
+        return this.metadata.controllers || [];
+    }
+    /**
+     * Get module name
+     */
+    getName() {
+        return this.metadata.name;
+    }
+    /**
+     * Get module description
+     */
+    getDescription() {
+        return this.metadata.description;
+    }
+}
+/**
+ * Module decorator - Defines a module with controllers, providers, imports
+ *
+ * @example
+ * ```typescript
+ * @Module({
+ *   name: 'auth',
+ *   description: 'Authentication module',
+ *   controllers: [AuthController],
+ * })
+ * export class AuthModule {}
+ * ```
+ */
+export function ModuleDecorator(metadata) {
+    return function (constructor) {
+        // Store metadata on the class
+        Reflect.defineMetadata(MODULE_METADATA, metadata, constructor);
+        // Return a new class that extends the original
+        return class extends constructor {
+            static getMetadata() {
+                return Reflect.getMetadata(MODULE_METADATA, constructor) || metadata;
+            }
+        };
+    };
+}
+// Export as "Module" for decorator usage
+export { ModuleDecorator as Module };
+/**
+ * Create a module instance from a class
+ */
+export function createModule(moduleClass) {
+    const metadata = Reflect.getMetadata(MODULE_METADATA, moduleClass);
+    if (!metadata) {
+        throw new Error(`Class ${moduleClass.name} is not decorated with @Module`);
+    }
+    return new ModuleClass(metadata);
+}
+/**
+ * Check if a class is a module
+ */
+export function isModule(target) {
+    return Reflect.hasMetadata(MODULE_METADATA, target);
+}
+/**
+ * Get module metadata from a class
+ */
+export function getModuleMetadata(target) {
+    return Reflect.getMetadata(MODULE_METADATA, target);
+}
+//# sourceMappingURL=module.js.map

package/dist/core/module.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"module.js","sourceRoot":"","sources":["../../src/core/module.ts"],"names":[],"mappings":"AAAA,OAAO,kBAAkB,CAAC;AAE1B;;GAEG;AACH,MAAM,CAAC,MAAM,eAAe,GAAG,MAAM,CAAC,iBAAiB,CAAC,CAAC;AAyBzD;;GAEG;AACH,MAAM,WAAW;IACI;IAAnB,YAAmB,QAAwB;QAAxB,aAAQ,GAAR,QAAQ,CAAgB;IAAG,CAAC;IAE/C;;OAEG;IACH,cAAc;QACZ,OAAO,IAAI,CAAC,QAAQ,CAAC,WAAW,IAAI,EAAE,CAAC;IACzC,CAAC;IAED;;OAEG;IACH,OAAO;QACL,OAAO,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;IAC5B,CAAC;IAED;;OAEG;IACH,cAAc;QACZ,OAAO,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC;IACnC,CAAC;CACF;AAED;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,eAAe,CAAC,QAAwB;IACtD,OAAO,UAAkD,WAAc;QACrE,8BAA8B;QAC9B,OAAO,CAAC,cAAc,CAAC,eAAe,EAAE,QAAQ,EAAE,WAAW,CAAC,CAAC;QAE/D,+CAA+C;QAC/C,OAAO,KAAM,SAAQ,WAAW;YAC9B,MAAM,CAAC,WAAW;gBAChB,OAAO,OAAO,CAAC,WAAW,CAAC,eAAe,EAAE,WAAW,CAAC,IAAI,QAAQ,CAAC;YACvE,CAAC;SACF,CAAC;IACJ,CAAC,CAAC;AACJ,CAAC;AAED,yCAAyC;AACzC,OAAO,EAAE,eAAe,IAAI,MAAM,EAAE,CAAC;AAErC;;GAEG;AACH,MAAM,UAAU,YAAY,CAAC,WAAgB;IAC3C,MAAM,QAAQ,GAAG,OAAO,CAAC,WAAW,CAAC,eAAe,EAAE,WAAW,CAAC,CAAC;IACnE,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,MAAM,IAAI,KAAK,CAAC,SAAS,WAAW,CAAC,IAAI,gCAAgC,CAAC,CAAC;IAC7E,CAAC;IACD,OAAO,IAAI,WAAW,CAAC,QAAQ,CAAC,CAAC;AACnC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,QAAQ,CAAC,MAAW;IAClC,OAAO,OAAO,CAAC,WAAW,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC;AACtD,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,iBAAiB,CAAC,MAAW;IAC3C,OAAO,OAAO,CAAC,WAAW,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC;AACtD,CAAC"}

package/dist/core/oauth-module.d.ts

@@ -0,0 +1,144 @@
+import 'reflect-metadata';
+/**
+ * OAuth 2.1 Module Configuration
+ *
+ * Compliant with:
+ * - OAuth 2.1 (draft-ietf-oauth-v2-1-13)
+ * - RFC 9728 - Protected Resource Metadata
+ * - RFC 8414 - Authorization Server Metadata
+ * - RFC 7591 - Dynamic Client Registration
+ * - RFC 8707 - Resource Indicators (Token Audience Binding)
+ * - RFC 7636 - PKCE
+ * - RFC 7662 - Token Introspection
+ */
+export interface OAuthModuleConfig {
+    /**
+     * Resource URI - The MCP server's public URL
+     * Used for token audience validation (RFC 8707)
+     */
+    resourceUri: string;
+    /**
+     * Authorization Server(s)
+     * The OAuth 2.1 authorization server URLs
+     */
+    authorizationServers: string[];
+    /**
+     * Supported scopes for this MCP server
+     * Example: ['mcp:read', 'mcp:write', 'tools:execute']
+     */
+    scopesSupported?: string[];
+    /**
+     * HTTP server configuration
+     * OAuth requires HTTP transport - port will be extracted from resourceUri or use this
+     */
+    http?: {
+        port?: number;
+        host?: string;
+        basePath?: string;
+    };
+    /**
+     * Token Introspection Endpoint (RFC 7662)
+     * Required for validating opaque tokens
+     */
+    tokenIntrospectionEndpoint?: string;
+    /**
+     * Client ID for token introspection
+     */
+    tokenIntrospectionClientId?: string;
+    /**
+     * Client Secret for token introspection
+     * Should be stored in environment variable
+     */
+    tokenIntrospectionClientSecret?: string;
+    /**
+     * Expected audience for tokens (RFC 8707)
+     * If not provided, defaults to resourceUri
+     */
+    audience?: string;
+    /**
+     * Issuer validation
+     * If provided, tokens must be from this issuer
+     */
+    issuer?: string;
+    /**
+     * Custom token validation
+     * Additional validation logic beyond spec requirements
+     */
+    customValidation?: (token: any) => Promise<boolean> | boolean;
+}
+/**
+ * OAuth Module - Enable OAuth 2.1 authentication in your MCP server
+ *
+ * This module provides:
+ * - Protected Resource Metadata (RFC 9728)
+ * - Token validation with audience binding (RFC 8707)
+ * - Token introspection (RFC 7662)
+ * - PKCE support (RFC 7636)
+ *
+ * Compatible with OpenAI Apps SDK and MCP specification.
+ *
+ * @example
+ * ```typescript
+ * import { McpApplicationFactory, OAuthModule } from 'nitrostack';
+ * import { AppModule } from './app.module.js';
+ *
+ * @McpApp({
+ *   module: AppModule,
+ *   server: {
+ *     name: 'OAuth MCP Server',
+ *     version: '1.0.0',
+ *   },
+ * })
+ * @Module({
+ *   name: 'app',
+ *   imports: [
+ *     // Enable OAuth 2.1 authentication
+ *     OAuthModule.forRoot({
+ *       resourceUri: process.env.RESOURCE_URI!,
+ *       authorizationServers: [process.env.AUTH_SERVER_URL!],
+ *       scopesSupported: ['mcp:read', 'mcp:write', 'tools:execute'],
+ *       tokenIntrospectionEndpoint: process.env.INTROSPECTION_ENDPOINT,
+ *       tokenIntrospectionClientId: process.env.INTROSPECTION_CLIENT_ID,
+ *       tokenIntrospectionClientSecret: process.env.INTROSPECTION_CLIENT_SECRET,
+ *     }),
+ *   ],
+ * })
+ * export class AppModule {}
+ * ```
+ */
+export declare class OAuthModule {
+    private static config;
+    /**
+     * Configure OAuth module for the application
+     */
+    static forRoot(config: OAuthModuleConfig): OAuthModuleConfig;
+    /**
+     * Get current OAuth configuration
+     */
+    static getConfig(): OAuthModuleConfig | null;
+    /**
+     * Validate an access token
+     *
+     * Performs:
+     * 1. Token introspection (if endpoint configured)
+     * 2. Audience validation (RFC 8707)
+     * 3. Issuer validation (if configured)
+     * 4. Custom validation (if configured)
+     */
+    static validateToken(token: string): Promise<{
+        valid: boolean;
+        payload?: any;
+        error?: string;
+    }>;
+    /**
+     * Introspect token using RFC 7662
+     * @private
+     */
+    private static introspectToken;
+    /**
+     * Decode JWT token (without validation)
+     * @private
+     */
+    private static decodeToken;
+}
+//# sourceMappingURL=oauth-module.d.ts.map

package/dist/core/oauth-module.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-module.d.ts","sourceRoot":"","sources":["../../src/core/oauth-module.ts"],"names":[],"mappings":"AAAA,OAAO,kBAAkB,CAAC;AAE1B;;;;;;;;;;;GAWG;AACH,MAAM,WAAW,iBAAiB;IAChC;;;OAGG;IACH,WAAW,EAAE,MAAM,CAAC;IAEpB;;;OAGG;IACH,oBAAoB,EAAE,MAAM,EAAE,CAAC;IAE/B;;;OAGG;IACH,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAE3B;;;OAGG;IACH,IAAI,CAAC,EAAE;QACL,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,QAAQ,CAAC,EAAE,MAAM,CAAC;KACnB,CAAC;IAEF;;;OAGG;IACH,0BAA0B,CAAC,EAAE,MAAM,CAAC;IAEpC;;OAEG;IACH,0BAA0B,CAAC,EAAE,MAAM,CAAC;IAEpC;;;OAGG;IACH,8BAA8B,CAAC,EAAE,MAAM,CAAC;IAExC;;;OAGG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB;;;OAGG;IACH,MAAM,CAAC,EAAE,MAAM,CAAC;IAEhB;;;OAGG;IACH,gBAAgB,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,KAAK,OAAO,CAAC,OAAO,CAAC,GAAG,OAAO,CAAC;CAC/D;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAuCG;AACH,qBAAa,WAAW;IACtB,OAAO,CAAC,MAAM,CAAC,MAAM,CAAkC;IAEvD;;OAEG;IACH,MAAM,CAAC,OAAO,CAAC,MAAM,EAAE,iBAAiB,GAAG,iBAAiB;IAmB5D;;OAEG;IACH,MAAM,CAAC,SAAS,IAAI,iBAAiB,GAAG,IAAI;IAI5C;;;;;;;;OAQG;WACU,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC;QACjD,KAAK,EAAE,OAAO,CAAC;QACf,OAAO,CAAC,EAAE,GAAG,CAAC;QACd,KAAK,CAAC,EAAE,MAAM,CAAC;KAChB,CAAC;IA0DF;;;OAGG;mBACkB,eAAe;IAyDpC;;;OAGG;IACH,OAAO,CAAC,MAAM,CAAC,WAAW;CAc3B"}

package/dist/core/oauth-module.js

@@ -0,0 +1,190 @@
+import 'reflect-metadata';
+/**
+ * OAuth Module - Enable OAuth 2.1 authentication in your MCP server
+ *
+ * This module provides:
+ * - Protected Resource Metadata (RFC 9728)
+ * - Token validation with audience binding (RFC 8707)
+ * - Token introspection (RFC 7662)
+ * - PKCE support (RFC 7636)
+ *
+ * Compatible with OpenAI Apps SDK and MCP specification.
+ *
+ * @example
+ * ```typescript
+ * import { McpApplicationFactory, OAuthModule } from 'nitrostack';
+ * import { AppModule } from './app.module.js';
+ *
+ * @McpApp({
+ *   module: AppModule,
+ *   server: {
+ *     name: 'OAuth MCP Server',
+ *     version: '1.0.0',
+ *   },
+ * })
+ * @Module({
+ *   name: 'app',
+ *   imports: [
+ *     // Enable OAuth 2.1 authentication
+ *     OAuthModule.forRoot({
+ *       resourceUri: process.env.RESOURCE_URI!,
+ *       authorizationServers: [process.env.AUTH_SERVER_URL!],
+ *       scopesSupported: ['mcp:read', 'mcp:write', 'tools:execute'],
+ *       tokenIntrospectionEndpoint: process.env.INTROSPECTION_ENDPOINT,
+ *       tokenIntrospectionClientId: process.env.INTROSPECTION_CLIENT_ID,
+ *       tokenIntrospectionClientSecret: process.env.INTROSPECTION_CLIENT_SECRET,
+ *     }),
+ *   ],
+ * })
+ * export class AppModule {}
+ * ```
+ */
+export class OAuthModule {
+    static config = null;
+    /**
+     * Configure OAuth module for the application
+     */
+    static forRoot(config) {
+        // Validate required fields
+        if (!config.resourceUri) {
+            throw new Error('OAuthModule: resourceUri is required');
+        }
+        if (!config.authorizationServers || config.authorizationServers.length === 0) {
+            throw new Error('OAuthModule: at least one authorizationServer is required');
+        }
+        // Set default audience to resourceUri if not provided
+        if (!config.audience) {
+            config.audience = config.resourceUri;
+        }
+        this.config = config;
+        return this.config;
+    }
+    /**
+     * Get current OAuth configuration
+     */
+    static getConfig() {
+        return this.config;
+    }
+    /**
+     * Validate an access token
+     *
+     * Performs:
+     * 1. Token introspection (if endpoint configured)
+     * 2. Audience validation (RFC 8707)
+     * 3. Issuer validation (if configured)
+     * 4. Custom validation (if configured)
+     */
+    static async validateToken(token) {
+        if (!this.config) {
+            return { valid: false, error: 'OAuth module not configured' };
+        }
+        try {
+            // If introspection endpoint is configured, use it
+            if (this.config.tokenIntrospectionEndpoint) {
+                return await this.introspectToken(token);
+            }
+            // For JWT tokens without introspection, decode and validate
+            // Note: In production, you should validate JWT signature
+            const payload = this.decodeToken(token);
+            if (!payload) {
+                return { valid: false, error: 'Invalid token format' };
+            }
+            // Validate audience (RFC 8707 - critical for security)
+            if (payload.aud) {
+                const audiences = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
+                if (!audiences.includes(this.config.audience)) {
+                    return {
+                        valid: false,
+                        error: `Token audience mismatch. Expected: ${this.config.audience}, Got: ${audiences.join(', ')}`,
+                    };
+                }
+            }
+            // Validate issuer
+            if (this.config.issuer && payload.iss !== this.config.issuer) {
+                return {
+                    valid: false,
+                    error: `Token issuer mismatch. Expected: ${this.config.issuer}, Got: ${payload.iss}`,
+                };
+            }
+            // Check expiration
+            if (payload.exp && payload.exp < Date.now() / 1000) {
+                return { valid: false, error: 'Token expired' };
+            }
+            // Custom validation
+            if (this.config.customValidation) {
+                const customValid = await this.config.customValidation(payload);
+                if (!customValid) {
+                    return { valid: false, error: 'Custom validation failed' };
+                }
+            }
+            return { valid: true, payload };
+        }
+        catch (error) {
+            return { valid: false, error: error.message };
+        }
+    }
+    /**
+     * Introspect token using RFC 7662
+     * @private
+     */
+    static async introspectToken(token) {
+        if (!this.config?.tokenIntrospectionEndpoint) {
+            return { valid: false, error: 'Introspection endpoint not configured' };
+        }
+        try {
+            const auth = Buffer.from(`${this.config.tokenIntrospectionClientId}:${this.config.tokenIntrospectionClientSecret}`).toString('base64');
+            const response = await fetch(this.config.tokenIntrospectionEndpoint, {
+                method: 'POST',
+                headers: {
+                    'Content-Type': 'application/x-www-form-urlencoded',
+                    'Authorization': `Basic ${auth}`,
+                },
+                body: new URLSearchParams({
+                    token: token,
+                    token_type_hint: 'access_token',
+                }),
+            });
+            if (!response.ok) {
+                return {
+                    valid: false,
+                    error: `Introspection failed: ${response.status} ${response.statusText}`,
+                };
+            }
+            const result = await response.json();
+            if (!result.active) {
+                return { valid: false, error: 'Token is not active' };
+            }
+            // Validate audience from introspection response
+            if (result.aud) {
+                const audiences = Array.isArray(result.aud) ? result.aud : [result.aud];
+                if (!audiences.includes(this.config.audience)) {
+                    return {
+                        valid: false,
+                        error: `Token audience mismatch. Expected: ${this.config.audience}`,
+                    };
+                }
+            }
+            return { valid: true, payload: result };
+        }
+        catch (error) {
+            return { valid: false, error: `Introspection error: ${error.message}` };
+        }
+    }
+    /**
+     * Decode JWT token (without validation)
+     * @private
+     */
+    static decodeToken(token) {
+        try {
+            const parts = token.split('.');
+            if (parts.length !== 3)
+                return null;
+            const payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
+            return payload;
+        }
+        catch {
+            return null;
+        }
+    }
+}
+//# sourceMappingURL=oauth-module.js.map

package/dist/core/oauth-module.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-module.js","sourceRoot":"","sources":["../../src/core/oauth-module.ts"],"names":[],"mappings":"AAAA,OAAO,kBAAkB,CAAC;AA+E1B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAuCG;AACH,MAAM,OAAO,WAAW;IACd,MAAM,CAAC,MAAM,GAA6B,IAAI,CAAC;IAEvD;;OAEG;IACH,MAAM,CAAC,OAAO,CAAC,MAAyB;QACtC,2BAA2B;QAC3B,IAAI,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC;YACxB,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;QAC1D,CAAC;QAED,IAAI,CAAC,MAAM,CAAC,oBAAoB,IAAI,MAAM,CAAC,oBAAoB,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC7E,MAAM,IAAI,KAAK,CAAC,2DAA2D,CAAC,CAAC;QAC/E,CAAC;QAED,sDAAsD;QACtD,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;YACrB,MAAM,CAAC,QAAQ,GAAG,MAAM,CAAC,WAAW,CAAC;QACvC,CAAC;QAED,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,OAAO,IAAI,CAAC,MAAM,CAAC;IACrB,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,SAAS;QACd,OAAO,IAAI,CAAC,MAAM,CAAC;IACrB,CAAC;IAED;;;;;;;;OAQG;IACH,MAAM,CAAC,KAAK,CAAC,aAAa,CAAC,KAAa;QAKtC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;YACjB,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,6BAA6B,EAAE,CAAC;QAChE,CAAC;QAED,IAAI,CAAC;YACH,kDAAkD;YAClD,IAAI,IAAI,CAAC,MAAM,CAAC,0BAA0B,EAAE,CAAC;gBAC3C,OAAO,MAAM,IAAI,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;YAC3C,CAAC;YAED,4DAA4D;YAC5D,yDAAyD;YACzD,MAAM,OAAO,GAAG,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC;YAExC,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,sBAAsB,EAAE,CAAC;YACzD,CAAC;YAED,uDAAuD;YACvD,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;gBAChB,MAAM,SAAS,GAAG,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;gBAC3E,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,QAAS,CAAC,EAAE,CAAC;oBAC/C,OAAO;wBACL,KAAK,EAAE,KAAK;wBACZ,KAAK,EAAE,sCAAsC,IAAI,CAAC,MAAM,CAAC,QAAQ,UAAU,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;qBAClG,CAAC;gBACJ,CAAC;YACH,CAAC;YAED,kBAAkB;YAClB,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,IAAI,OAAO,CAAC,GAAG,KAAK,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;gBAC7D,OAAO;oBACL,KAAK,EAAE,KAAK;oBACZ,KAAK,EAAE,oCAAoC,IAAI,CAAC,MAAM,CAAC,MAAM,UAAU,OAAO,CAAC,GAAG,EAAE;iBACrF,CAAC;YACJ,CAAC;YAED,mBAAmB;YACnB,IAAI,OAAO,CAAC,GAAG,IAAI,OAAO,CAAC,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,EAAE,CAAC;gBACnD,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,eAAe,EAAE,CAAC;YAClD,CAAC;YAED,oBAAoB;YACpB,IAAI,IAAI,CAAC,MAAM,CAAC,gBAAgB,EAAE,CAAC;gBACjC,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,gBAAgB,CAAC,OAAO,CAAC,CAAC;gBAChE,IAAI,CAAC,WAAW,EAAE,CAAC;oBACjB,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,0BAA0B,EAAE,CAAC;gBAC7D,CAAC;YACH,CAAC;YAED,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;QAElC,CAAC;QAAC,OAAO,KAAU,EAAE,CAAC;YACpB,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,CAAC,OAAO,EAAE,CAAC;QAChD,CAAC;IACH,CAAC;IAED;;;OAGG;IACK,MAAM,CAAC,KAAK,CAAC,eAAe,CAAC,KAAa;QAKhD,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,0BAA0B,EAAE,CAAC;YAC7C,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,uCAAuC,EAAE,CAAC;QAC1E,CAAC;QAED,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CACtB,GAAG,IAAI,CAAC,MAAM,CAAC,0BAA0B,IAAI,IAAI,CAAC,MAAM,CAAC,8BAA8B,EAAE,CAC1F,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;YAErB,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,0BAA0B,EAAE;gBACnE,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE;oBACP,cAAc,EAAE,mCAAmC;oBACnD,eAAe,EAAE,SAAS,IAAI,EAAE;iBACjC;gBACD,IAAI,EAAE,IAAI,eAAe,CAAC;oBACxB,KAAK,EAAE,KAAK;oBACZ,eAAe,EAAE,cAAc;iBAChC,CAAC;aACH,CAAC,CAAC;YAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBACjB,OAAO;oBACL,KAAK,EAAE,KAAK;oBACZ,KAAK,EAAE,yBAAyB,QAAQ,CAAC,MAAM,IAAI,QAAQ,CAAC,UAAU,EAAE;iBACzE,CAAC;YACJ,CAAC;YAED,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;YAErC,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;gBACnB,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,qBAAqB,EAAE,CAAC;YACxD,CAAC;YAED,gDAAgD;YAChD,IAAI,MAAM,CAAC,GAAG,EAAE,CAAC;gBACf,MAAM,SAAS,GAAG,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;gBACxE,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,QAAS,CAAC,EAAE,CAAC;oBAC/C,OAAO;wBACL,KAAK,EAAE,KAAK;wBACZ,KAAK,EAAE,sCAAsC,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE;qBACpE,CAAC;gBACJ,CAAC;YACH,CAAC;YAED,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC;QAE1C,CAAC;QAAC,OAAO,KAAU,EAAE,CAAC;YACpB,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,wBAAwB,KAAK,CAAC,OAAO,EAAE,EAAE,CAAC;QAC1E,CAAC;IACH,CAAC;IAED;;;OAGG;IACK,MAAM,CAAC,WAAW,CAAC,KAAa;QACtC,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;gBAAE,OAAO,IAAI,CAAC;YAEpC,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CACxB,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CACpD,CAAC;YAEF,OAAO,OAAO,CAAC;QACjB,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC"}

package/dist/core/pipes/pipe.decorator.d.ts

@@ -0,0 +1,55 @@
+import 'reflect-metadata';
+import { PipeConstructor } from './pipe.interface.js';
+/**
+ * Marks a class as a pipe
+ *
+ * @example
+ * ```typescript
+ * @Pipe()
+ * export class ValidationPipe implements PipeInterface {
+ *   transform(value: any, metadata: ArgumentMetadata) {
+ *     // Validate and transform
+ *     return value;
+ *   }
+ * }
+ * ```
+ */
+export declare function Pipe(): ClassDecorator;
+/**
+ * Apply pipes to tool input (entire input object)
+ *
+ * @example
+ * ```typescript
+ * @Tool({ name: 'create_user', ... })
+ * @UsePipes(ValidationPipe, TransformPipe)
+ * async createUser(input: any) { }
+ * ```
+ */
+export declare function UsePipes(...pipes: PipeConstructor[]): MethodDecorator;
+/**
+ * Parameter decorator to apply pipes to specific parameters
+ *
+ * @example
+ * ```typescript
+ * @Tool({ name: 'create_user', ... })
+ * async createUser(@Body(ValidationPipe) input: CreateUserDto) { }
+ * ```
+ */
+export declare function Body(...pipes: PipeConstructor[]): ParameterDecorator;
+/**
+ * Shorthand for validation pipe
+ */
+export declare function Validated(): ParameterDecorator;
+/**
+ * Get pipes for a method
+ */
+export declare function getPipeMetadata(target: any, propertyKey: string | symbol): PipeConstructor[];
+/**
+ * Get parameter pipes for a method
+ */
+export declare function getParamPipesMetadata(target: any, propertyKey: string | symbol): Record<number, any>;
+/**
+ * Check if a class is marked as a pipe
+ */
+export declare function isPipe(target: any): boolean;
+//# sourceMappingURL=pipe.decorator.d.ts.map

package/dist/core/pipes/pipe.decorator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"pipe.decorator.d.ts","sourceRoot":"","sources":["../../../src/core/pipes/pipe.decorator.ts"],"names":[],"mappings":"AAAA,OAAO,kBAAkB,CAAC;AAC1B,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAMtD;;;;;;;;;;;;;GAaG;AACH,wBAAgB,IAAI,IAAI,cAAc,CAIrC;AAED;;;;;;;;;GASG;AACH,wBAAgB,QAAQ,CAAC,GAAG,KAAK,EAAE,eAAe,EAAE,GAAG,eAAe,CAUrE;AAED;;;;;;;;GAQG;AACH,wBAAgB,IAAI,CAAC,GAAG,KAAK,EAAE,eAAe,EAAE,GAAG,kBAAkB,CAWpE;AAED;;GAEG;AACH,wBAAgB,SAAS,IAAI,kBAAkB,CAE9C;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,MAAM,EAAE,GAAG,EAAE,WAAW,EAAE,MAAM,GAAG,MAAM,GAAG,eAAe,EAAE,CAE5F;AAED;;GAEG;AACH,wBAAgB,qBAAqB,CAAC,MAAM,EAAE,GAAG,EAAE,WAAW,EAAE,MAAM,GAAG,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAEpG;AAED;;GAEG;AACH,wBAAgB,MAAM,CAAC,MAAM,EAAE,GAAG,GAAG,OAAO,CAE3C"}