nitrostack 1.0.0

package/dist/auth/token-store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-store.js","sourceRoot":"","sources":["../../src/auth/token-store.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,aAAa,CAAC;AAC7B,OAAO,IAAI,MAAM,MAAM,CAAC;AACxB,OAAO,MAAM,MAAM,QAAQ,CAAC;AAmC5B;;;GAGG;AACH,MAAM,OAAO,gBAAgB;IACnB,MAAM,GAA6B,IAAI,GAAG,EAAE,CAAC;IAErD,KAAK,CAAC,SAAS,CAAC,GAAW,EAAE,KAAkB;QAC7C,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;IAC9B,CAAC;IAED,KAAK,CAAC,QAAQ,CAAC,GAAW;QACxB,MAAM,KAAK,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACnC,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAC;QAExB,mBAAmB;QACnB,IAAI,IAAI,CAAC,cAAc,CAAC,KAAK,CAAC,EAAE,CAAC;YAC/B,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACxB,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,KAAK,CAAC;IACf,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,GAAW;QAC3B,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IAC1B,CAAC;IAED,KAAK,CAAC,QAAQ;QACZ,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;IACxC,CAAC;IAED,KAAK,CAAC,KAAK;QACT,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;IACtB,CAAC;IAEO,cAAc,CAAC,KAAkB;QACvC,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC,UAAU,CAAC;IACvC,CAAC;CACF;AAED;;;GAGG;AACH,MAAM,OAAO,cAAc;IACjB,SAAS,CAAS;IAClB,aAAa,CAAU;IAE/B,YAAY,SAAiB,EAAE,aAAsB;QACnD,IAAI,CAAC,SAAS,GAAG,SAAS,CAAC;QAC3B,IAAI,CAAC,aAAa,GAAG,aAAa,CAAC;IACrC,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,GAAW,EAAE,KAAkB;QAC7C,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,UAAU,EAAE,CAAC;QACvC,MAAM,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;QACpB,MAAM,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;IAChC,CAAC;IAED,KAAK,CAAC,QAAQ,CAAC,GAAW;QACxB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,UAAU,EAAE,CAAC;QACvC,MAAM,KAAK,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC;QAE1B,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAC;QAExB,mBAAmB;QACnB,IAAI,IAAI,CAAC,cAAc,CAAC,KAAK,CAAC,EAAE,CAAC;YAC/B,OAAO,MAAM,CAAC,GAAG,CAAC,CAAC;YACnB,MAAM,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;YAC9B,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,KAAK,CAAC;IACf,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,GAAW;QAC3B,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,UAAU,EAAE,CAAC;QACvC,OAAO,MAAM,CAAC,GAAG,CAAC,CAAC;QACnB,MAAM,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;IAChC,CAAC;IAED,KAAK,CAAC,QAAQ;QACZ,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,UAAU,EAAE,CAAC;QACvC,OAAO,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAC7B,CAAC;IAED,KAAK,CAAC,KAAK;QACT,MAAM,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC;IAC5B,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,UAAU;QACtB,IAAI,CAAC;YACH,0BAA0B;YAC1B,MAAM,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;YAElE,YAAY;YACZ,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;YAExD,mCAAmC;YACnC,MAAM,OAAO,GAAG,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;YAE/D,OAAO,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QAC7B,CAAC;QAAC,OAAO,KAAU,EAAE,CAAC;YACpB,IAAI,KAAK,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;gBAC5B,OAAO,EAAE,CAAC,CAAC,yBAAyB;YACtC,CAAC;YACD,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,UAAU,CAAC,MAAmC;QAC1D,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;QAEhD,mCAAmC;QACnC,MAAM,IAAI,GAAG,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC;QAElE,4CAA4C;QAC5C,MAAM,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,EAAE;YACvC,IAAI,EAAE,KAAK,EAAE,4BAA4B;SAC1C,CAAC,CAAC;IACL,CAAC;IAED;;OAEG;IACK,OAAO,CAAC,IAAY;QAC1B,IAAI,CAAC,IAAI,CAAC,aAAa;YAAE,OAAO,IAAI,CAAC;QAErC,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;QAC/C,MAAM,EAAE,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;QAClC,MAAM,MAAM,GAAG,MAAM,CAAC,cAAc,CAAC,aAAa,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;QAE7D,IAAI,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC;QACnD,SAAS,IAAI,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QAEjC,MAAM,OAAO,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;QAEpC,+BAA+B;QAC/B,OAAO,GAAG,EAAE,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,SAAS,EAAE,CAAC;IACzE,CAAC;IAED;;OAEG;IACK,OAAO,CAAC,IAAY;QAC1B,IAAI,CAAC,IAAI,CAAC,aAAa;YAAE,OAAO,IAAI,CAAC;QAErC,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;QAC/C,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAE9B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC;QACnD,CAAC;QAED,MAAM,CAAC,KAAK,EAAE,UAAU,EAAE,SAAS,CAAC,GAAG,KAAK,CAAC;QAC7C,MAAM,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;QACrC,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,KAAK,CAAC,CAAC;QAE/C,MAAM,QAAQ,GAAG,MAAM,CAAC,gBAAgB,CAAC,aAAa,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;QACjE,QAAQ,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;QAE7B,IAAI,SAAS,GAAG,QAAQ,CAAC,MAAM,CAAC,SAAS,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;QAC1D,SAAS,IAAI,QAAQ,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QAEpC,OAAO,SAAS,CAAC;IACnB,CAAC;IAED;;OAEG;IACK,SAAS,CAAC,QAAgB;QAChC,sCAAsC;QACtC,gDAAgD;QAChD,MAAM,IAAI,GAAG,wBAAwB,CAAC;QACtC,OAAO,MAAM,CAAC,UAAU,CAAC,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE,QAAQ,CAAC,CAAC;IACjE,CAAC;IAEO,cAAc,CAAC,KAAkB;QACvC,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC,UAAU,CAAC;IACvC,CAAC;CACF;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,uBAAuB,CACrC,SAAkB,EAClB,aAAsB;IAEtB,MAAM,WAAW,GAAG,SAAS,IAAI,mBAAmB,EAAE,CAAC;IAEvD,IAAI,aAAa,EAAE,CAAC;QAClB,OAAO,IAAI,cAAc,CAAC,WAAW,EAAE,aAAa,CAAC,CAAC;IACxD,CAAC;IAED,OAAO,IAAI,cAAc,CAAC,WAAW,CAAC,CAAC;AACzC,CAAC;AAED;;GAEG;AACH,SAAS,mBAAmB;IAC1B,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,OAAO,CAAC,GAAG,CAAC,WAAW,IAAI,EAAE,CAAC;IAC/D,OAAO,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,aAAa,EAAE,aAAa,CAAC,CAAC;AACvD,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,KAAkB;IAC/C,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC,UAAU,CAAC;AACvC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB,CAAC,SAAiB;IACnD,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,GAAG,IAAI,CAAC;AACvC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,qBAAqB,CACnC,QAAqH,EACrH,QAAiB;IAEjB,OAAO;QACL,YAAY,EAAE,QAAQ,CAAC,YAAY;QACnC,UAAU,EAAE,QAAQ,CAAC,UAAU;QAC/B,UAAU,EAAE,QAAQ,CAAC,UAAU,CAAC,CAAC,CAAC,mBAAmB,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,OAAO,EAAE,iBAAiB;QACpH,aAAa,EAAE,QAAQ,CAAC,aAAa;QACrC,KAAK,EAAE,QAAQ,CAAC,KAAK;QACrB,QAAQ;KACT,CAAC;AACJ,CAAC"}

package/dist/auth/token-validation.d.ts

@@ -0,0 +1,47 @@
+import { TokenIntrospection, McpAuthConfig } from './types.js';
+interface TokenValidationResult {
+    valid: boolean;
+    introspection?: TokenIntrospection;
+    error?: string;
+}
+/**
+ * Validate a Bearer token
+ *
+ * @param token - The access token to validate
+ * @param config - Auth configuration
+ * @returns Validation result with token introspection data
+ */
+export declare function validateToken(token: string, config: McpAuthConfig): Promise<TokenValidationResult>;
+/**
+ * Validate token audience (RFC 8707)
+ *
+ * CRITICAL: This prevents confused deputy attacks
+ * Token MUST be issued specifically for this resource
+ *
+ * @param introspection - Token introspection result
+ * @param expectedAudience - Expected audience value(s)
+ * @returns true if audience is valid
+ */
+export declare function validateAudience(introspection: TokenIntrospection, expectedAudience?: string | string[]): boolean;
+/**
+ * Validate scopes
+ *
+ * @param introspection - Token introspection result
+ * @param requiredScopes - Scopes required for the operation
+ * @returns true if token has all required scopes
+ */
+export declare function validateScopes(introspection: TokenIntrospection, requiredScopes: string[]): boolean;
+/**
+ * Extract Bearer token from Authorization header
+ */
+export declare function extractBearerToken(authHeader: string | undefined): string | null;
+/**
+ * Check if token is expired
+ */
+export declare function isTokenExpired(introspection: TokenIntrospection): boolean;
+/**
+ * Clear token cache (useful for testing)
+ */
+export declare function clearTokenCache(): void;
+export {};
+//# sourceMappingURL=token-validation.d.ts.map

package/dist/auth/token-validation.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-validation.d.ts","sourceRoot":"","sources":["../../src/auth/token-validation.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,kBAAkB,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAqB/D,UAAU,qBAAqB;IAC7B,KAAK,EAAE,OAAO,CAAC;IACf,aAAa,CAAC,EAAE,kBAAkB,CAAC;IACnC,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAQD;;;;;;GAMG;AACH,wBAAsB,aAAa,CACjC,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,aAAa,GACpB,OAAO,CAAC,qBAAqB,CAAC,CA0ChC;AAqFD;;;;;;;;;GASG;AACH,wBAAgB,gBAAgB,CAC9B,aAAa,EAAE,kBAAkB,EACjC,gBAAgB,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,GACnC,OAAO,CAgBT;AAED;;;;;;GAMG;AACH,wBAAgB,cAAc,CAC5B,aAAa,EAAE,kBAAkB,EACjC,cAAc,EAAE,MAAM,EAAE,GACvB,OAAO,CAWT;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,UAAU,EAAE,MAAM,GAAG,SAAS,GAAG,MAAM,GAAG,IAAI,CAOhF;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,aAAa,EAAE,kBAAkB,GAAG,OAAO,CAOzE;AA4CD;;GAEG;AACH,wBAAgB,eAAe,IAAI,IAAI,CAEtC"}

package/dist/auth/token-validation.js

@@ -0,0 +1,237 @@
+/**
+ * Token Validation Utilities
+ *
+ * Validates Bearer tokens using either:
+ * 1. Token Introspection (RFC 7662)
+ * 2. JWT validation with JWKS (RFC 7517, RFC 7519)
+ *
+ * Note: Uses dynamic import for 'jose' to avoid ES module issues
+ */
+// Lazy-load jose to avoid ES module import issues
+let jose = null;
+async function getJose() {
+    if (!jose) {
+        jose = await import('jose');
+    }
+    return jose;
+}
+/**
+ * In-memory cache for token introspection results
+ * Reduces load on authorization server
+ */
+const tokenCache = new Map();
+/**
+ * Validate a Bearer token
+ *
+ * @param token - The access token to validate
+ * @param config - Auth configuration
+ * @returns Validation result with token introspection data
+ */
+export async function validateToken(token, config) {
+    // Check cache first
+    const cached = getFromCache(token);
+    if (cached) {
+        return { valid: true, introspection: cached };
+    }
+    try {
+        let introspection;
+        if (config.tokenIntrospectionEndpoint) {
+            // Method 1: Token Introspection (RFC 7662)
+            introspection = await introspectToken(token, config);
+        }
+        else if (config.jwksUri) {
+            // Method 2: JWT validation with JWKS
+            introspection = await validateJWT(token, config);
+        }
+        else {
+            return {
+                valid: false,
+                error: 'No token validation method configured. Set tokenIntrospectionEndpoint or jwksUri.',
+            };
+        }
+        if (!introspection.active) {
+            return { valid: false, error: 'Token is not active' };
+        }
+        // Validate audience (CRITICAL for security)
+        if (!validateAudience(introspection, config.audience)) {
+            return {
+                valid: false,
+                error: 'Token audience mismatch. Token not intended for this resource.',
+            };
+        }
+        // Cache the result
+        cacheToken(token, introspection, config.tokenCacheSeconds || 300);
+        return { valid: true, introspection };
+    }
+    catch (error) {
+        return { valid: false, error: error.message };
+    }
+}
+/**
+ * Introspect token using OAuth 2.0 Token Introspection (RFC 7662)
+ */
+async function introspectToken(token, config) {
+    if (!config.tokenIntrospectionEndpoint) {
+        throw new Error('Token introspection endpoint not configured');
+    }
+    // Prepare request with client authentication
+    const params = new URLSearchParams();
+    params.append('token', token);
+    params.append('token_type_hint', 'access_token');
+    const headers = {
+        'Content-Type': 'application/x-www-form-urlencoded',
+        'Accept': 'application/json',
+    };
+    // Client authentication (if configured)
+    if (config.tokenIntrospectionClientId && config.tokenIntrospectionClientSecret) {
+        const credentials = Buffer.from(`${config.tokenIntrospectionClientId}:${config.tokenIntrospectionClientSecret}`).toString('base64');
+        headers['Authorization'] = `Basic ${credentials}`;
+    }
+    const response = await fetch(config.tokenIntrospectionEndpoint, {
+        method: 'POST',
+        headers,
+        body: params.toString(),
+    });
+    if (!response.ok) {
+        throw new Error(`Token introspection failed: ${response.status} ${response.statusText}`);
+    }
+    const result = await response.json();
+    return result;
+}
+/**
+ * Validate JWT using JWKS
+ */
+async function validateJWT(token, config) {
+    if (!config.jwksUri) {
+        throw new Error('JWKS URI not configured');
+    }
+    // Fetch JWKS
+    const joseLib = await getJose();
+    const JWKS = joseLib.createRemoteJWKSet(new URL(config.jwksUri));
+    // Verify JWT
+    const { payload } = await joseLib.jwtVerify(token, JWKS, {
+        issuer: config.issuer,
+        audience: config.audience,
+    });
+    // Convert JWT payload to TokenIntrospection format
+    const introspection = {
+        active: true,
+        scope: typeof payload.scope === 'string' ? payload.scope : undefined,
+        client_id: typeof payload.client_id === 'string' ? payload.client_id : payload.azp,
+        username: typeof payload.username === 'string' ? payload.username : undefined,
+        token_type: 'Bearer',
+        exp: payload.exp,
+        iat: payload.iat,
+        nbf: payload.nbf,
+        sub: payload.sub,
+        aud: Array.isArray(payload.aud) ? payload.aud : payload.aud ? [payload.aud] : undefined,
+        iss: payload.iss,
+        jti: typeof payload.jti === 'string' ? payload.jti : undefined,
+    };
+    return introspection;
+}
+/**
+ * Validate token audience (RFC 8707)
+ *
+ * CRITICAL: This prevents confused deputy attacks
+ * Token MUST be issued specifically for this resource
+ *
+ * @param introspection - Token introspection result
+ * @param expectedAudience - Expected audience value(s)
+ * @returns true if audience is valid
+ */
+export function validateAudience(introspection, expectedAudience) {
+    if (!expectedAudience) {
+        // If no audience expected, skip validation
+        // (Not recommended for production)
+        return true;
+    }
+    const expected = Array.isArray(expectedAudience) ? expectedAudience : [expectedAudience];
+    const tokenAud = Array.isArray(introspection.aud)
+        ? introspection.aud
+        : introspection.aud
+            ? [introspection.aud]
+            : [];
+    // Token audience must include at least one expected audience
+    return expected.some((aud) => tokenAud.includes(aud));
+}
+/**
+ * Validate scopes
+ *
+ * @param introspection - Token introspection result
+ * @param requiredScopes - Scopes required for the operation
+ * @returns true if token has all required scopes
+ */
+export function validateScopes(introspection, requiredScopes) {
+    if (!requiredScopes || requiredScopes.length === 0) {
+        return true;
+    }
+    if (!introspection.scope) {
+        return false;
+    }
+    const tokenScopes = introspection.scope.split(' ');
+    return requiredScopes.every((scope) => tokenScopes.includes(scope));
+}
+/**
+ * Extract Bearer token from Authorization header
+ */
+export function extractBearerToken(authHeader) {
+    if (!authHeader) {
+        return null;
+    }
+    const match = authHeader.match(/^Bearer\s+(.+)$/i);
+    return match ? match[1] : null;
+}
+/**
+ * Check if token is expired
+ */
+export function isTokenExpired(introspection) {
+    if (!introspection.exp) {
+        return false; // No expiration set
+    }
+    const now = Math.floor(Date.now() / 1000);
+    return introspection.exp < now;
+}
+/**
+ * Cache token introspection result
+ */
+function cacheToken(token, result, seconds) {
+    const expiresAt = Date.now() + seconds * 1000;
+    tokenCache.set(token, { result, expiresAt });
+    // Clean up cache periodically
+    if (tokenCache.size > 1000) {
+        cleanupCache();
+    }
+}
+/**
+ * Get token from cache if valid
+ */
+function getFromCache(token) {
+    const cached = tokenCache.get(token);
+    if (!cached) {
+        return null;
+    }
+    if (Date.now() > cached.expiresAt) {
+        tokenCache.delete(token);
+        return null;
+    }
+    return cached.result;
+}
+/**
+ * Remove expired entries from cache
+ */
+function cleanupCache() {
+    const now = Date.now();
+    for (const [token, cached] of tokenCache.entries()) {
+        if (now > cached.expiresAt) {
+            tokenCache.delete(token);
+        }
+    }
+}
+/**
+ * Clear token cache (useful for testing)
+ */
+export function clearTokenCache() {
+    tokenCache.clear();
+}
+//# sourceMappingURL=token-validation.js.map

package/dist/auth/token-validation.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-validation.js","sourceRoot":"","sources":["../../src/auth/token-validation.ts"],"names":[],"mappings":"AAEA;;;;;;;;GAQG;AAEH,kDAAkD;AAClD,IAAI,IAAI,GAAiC,IAAI,CAAC;AAC9C,KAAK,UAAU,OAAO;IACpB,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,IAAI,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,CAAC;IAC9B,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAQD;;;GAGG;AACH,MAAM,UAAU,GAAG,IAAI,GAAG,EAA6D,CAAC;AAExF;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,KAAa,EACb,MAAqB;IAErB,oBAAoB;IACpB,MAAM,MAAM,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC;IACnC,IAAI,MAAM,EAAE,CAAC;QACX,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,CAAC;IAChD,CAAC;IAED,IAAI,CAAC;QACH,IAAI,aAAiC,CAAC;QAEtC,IAAI,MAAM,CAAC,0BAA0B,EAAE,CAAC;YACtC,2CAA2C;YAC3C,aAAa,GAAG,MAAM,eAAe,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QACvD,CAAC;aAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;YAC1B,qCAAqC;YACrC,aAAa,GAAG,MAAM,WAAW,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QACnD,CAAC;aAAM,CAAC;YACN,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,KAAK,EAAE,mFAAmF;aAC3F,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE,CAAC;YAC1B,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,qBAAqB,EAAE,CAAC;QACxD,CAAC;QAED,4CAA4C;QAC5C,IAAI,CAAC,gBAAgB,CAAC,aAAa,EAAE,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;YACtD,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,KAAK,EAAE,gEAAgE;aACxE,CAAC;QACJ,CAAC;QAED,mBAAmB;QACnB,UAAU,CAAC,KAAK,EAAE,aAAa,EAAE,MAAM,CAAC,iBAAiB,IAAI,GAAG,CAAC,CAAC;QAElE,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,aAAa,EAAE,CAAC;IACxC,CAAC;IAAC,OAAO,KAAU,EAAE,CAAC;QACpB,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,CAAC,OAAO,EAAE,CAAC;IAChD,CAAC;AACH,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,eAAe,CAC5B,KAAa,EACb,MAAqB;IAErB,IAAI,CAAC,MAAM,CAAC,0BAA0B,EAAE,CAAC;QACvC,MAAM,IAAI,KAAK,CAAC,6CAA6C,CAAC,CAAC;IACjE,CAAC;IAED,6CAA6C;IAC7C,MAAM,MAAM,GAAG,IAAI,eAAe,EAAE,CAAC;IACrC,MAAM,CAAC,MAAM,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;IAC9B,MAAM,CAAC,MAAM,CAAC,iBAAiB,EAAE,cAAc,CAAC,CAAC;IAEjD,MAAM,OAAO,GAA2B;QACtC,cAAc,EAAE,mCAAmC;QACnD,QAAQ,EAAE,kBAAkB;KAC7B,CAAC;IAEF,wCAAwC;IACxC,IAAI,MAAM,CAAC,0BAA0B,IAAI,MAAM,CAAC,8BAA8B,EAAE,CAAC;QAC/E,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,CAC7B,GAAG,MAAM,CAAC,0BAA0B,IAAI,MAAM,CAAC,8BAA8B,EAAE,CAChF,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QACrB,OAAO,CAAC,eAAe,CAAC,GAAG,SAAS,WAAW,EAAE,CAAC;IACpD,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,MAAM,CAAC,0BAA0B,EAAE;QAC9D,MAAM,EAAE,MAAM;QACd,OAAO;QACP,IAAI,EAAE,MAAM,CAAC,QAAQ,EAAE;KACxB,CAAC,CAAC;IAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,IAAI,KAAK,CAAC,+BAA+B,QAAQ,CAAC,MAAM,IAAI,QAAQ,CAAC,UAAU,EAAE,CAAC,CAAC;IAC3F,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;IACrC,OAAO,MAA4B,CAAC;AACtC,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,WAAW,CACxB,KAAa,EACb,MAAqB;IAErB,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;QACpB,MAAM,IAAI,KAAK,CAAC,yBAAyB,CAAC,CAAC;IAC7C,CAAC;IAED,aAAa;IACb,MAAM,OAAO,GAAG,MAAM,OAAO,EAAE,CAAC;IAChC,MAAM,IAAI,GAAG,OAAO,CAAC,kBAAkB,CAAC,IAAI,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC;IAEjE,aAAa;IACb,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE;QACvD,MAAM,EAAE,MAAM,CAAC,MAAM;QACrB,QAAQ,EAAE,MAAM,CAAC,QAAQ;KAC1B,CAAC,CAAC;IAEH,mDAAmD;IACnD,MAAM,aAAa,GAAuB;QACxC,MAAM,EAAE,IAAI;QACZ,KAAK,EAAE,OAAO,OAAO,CAAC,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS;QACpE,SAAS,EAAE,OAAO,OAAO,CAAC,SAAS,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,GAAa;QAC5F,QAAQ,EAAE,OAAO,OAAO,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS;QAC7E,UAAU,EAAE,QAAQ;QACpB,GAAG,EAAE,OAAO,CAAC,GAAG;QAChB,GAAG,EAAE,OAAO,CAAC,GAAG;QAChB,GAAG,EAAE,OAAO,CAAC,GAAG;QAChB,GAAG,EAAE,OAAO,CAAC,GAAG;QAChB,GAAG,EAAE,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,GAAa,CAAC,CAAC,CAAC,CAAC,SAAS;QACjG,GAAG,EAAE,OAAO,CAAC,GAAG;QAChB,GAAG,EAAE,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS;KAC/D,CAAC;IAEF,OAAO,aAAa,CAAC;AACvB,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,gBAAgB,CAC9B,aAAiC,EACjC,gBAAoC;IAEpC,IAAI,CAAC,gBAAgB,EAAE,CAAC;QACtB,2CAA2C;QAC3C,mCAAmC;QACnC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,QAAQ,GAAG,KAAK,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC,CAAC,CAAC,gBAAgB,CAAC,CAAC,CAAC,CAAC,gBAAgB,CAAC,CAAC;IACzF,MAAM,QAAQ,GAAG,KAAK,CAAC,OAAO,CAAC,aAAa,CAAC,GAAG,CAAC;QAC/C,CAAC,CAAC,aAAa,CAAC,GAAG;QACnB,CAAC,CAAC,aAAa,CAAC,GAAG;YACnB,CAAC,CAAC,CAAC,aAAa,CAAC,GAAG,CAAC;YACrB,CAAC,CAAC,EAAE,CAAC;IAEP,6DAA6D;IAC7D,OAAO,QAAQ,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC;AACxD,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,cAAc,CAC5B,aAAiC,EACjC,cAAwB;IAExB,IAAI,CAAC,cAAc,IAAI,cAAc,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACnD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,CAAC,aAAa,CAAC,KAAK,EAAE,CAAC;QACzB,OAAO,KAAK,CAAC;IACf,CAAC;IAED,MAAM,WAAW,GAAG,aAAa,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACnD,OAAO,cAAc,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,WAAW,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC;AACtE,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAAC,UAA8B;IAC/D,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC;IACnD,OAAO,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;AACjC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,aAAiC;IAC9D,IAAI,CAAC,aAAa,CAAC,GAAG,EAAE,CAAC;QACvB,OAAO,KAAK,CAAC,CAAC,oBAAoB;IACpC,CAAC;IAED,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1C,OAAO,aAAa,CAAC,GAAG,GAAG,GAAG,CAAC;AACjC,CAAC;AAED;;GAEG;AACH,SAAS,UAAU,CAAC,KAAa,EAAE,MAA0B,EAAE,OAAe;IAC5E,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,OAAO,GAAG,IAAI,CAAC;IAC9C,UAAU,CAAC,GAAG,CAAC,KAAK,EAAE,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC,CAAC;IAE7C,8BAA8B;IAC9B,IAAI,UAAU,CAAC,IAAI,GAAG,IAAI,EAAE,CAAC;QAC3B,YAAY,EAAE,CAAC;IACjB,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,YAAY,CAAC,KAAa;IACjC,MAAM,MAAM,GAAG,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IACrC,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,SAAS,EAAE,CAAC;QAClC,UAAU,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACzB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO,MAAM,CAAC,MAAM,CAAC;AACvB,CAAC;AAED;;GAEG;AACH,SAAS,YAAY;IACnB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,KAAK,MAAM,CAAC,KAAK,EAAE,MAAM,CAAC,IAAI,UAAU,CAAC,OAAO,EAAE,EAAE,CAAC;QACnD,IAAI,GAAG,GAAG,MAAM,CAAC,SAAS,EAAE,CAAC;YAC3B,UAAU,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAC3B,CAAC;IACH,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,eAAe;IAC7B,UAAU,CAAC,KAAK,EAAE,CAAC;AACrB,CAAC"}

package/dist/auth/types.d.ts

@@ -0,0 +1,215 @@
+/**
+ * Authentication Types for NitroStack
+ * Based on OAuth 2.1 and MCP Authorization Specification
+ */
+/**
+ * OAuth 2.1 Token Response
+ */
+export interface TokenResponse {
+    access_token: string;
+    token_type: 'Bearer';
+    expires_in?: number;
+    refresh_token?: string;
+    scope?: string;
+}
+/**
+ * Token introspection result
+ */
+export interface TokenIntrospection {
+    active: boolean;
+    scope?: string;
+    client_id?: string;
+    username?: string;
+    token_type?: string;
+    exp?: number;
+    iat?: number;
+    nbf?: number;
+    sub?: string;
+    aud?: string | string[];
+    iss?: string;
+    jti?: string;
+}
+/**
+ * Protected Resource Metadata (RFC 9728)
+ */
+export interface ProtectedResourceMetadata {
+    resource: string;
+    authorization_servers: string[];
+    scopes_supported?: string[];
+    bearer_methods_supported?: ('header' | 'body' | 'query')[];
+    resource_signing_alg_values_supported?: string[];
+    resource_encryption_alg_values_supported?: string[];
+    resource_encryption_enc_values_supported?: string[];
+}
+/**
+ * Authorization Server Metadata (RFC 8414)
+ */
+export interface AuthorizationServerMetadata {
+    issuer: string;
+    authorization_endpoint: string;
+    token_endpoint: string;
+    jwks_uri?: string;
+    registration_endpoint?: string;
+    scopes_supported?: string[];
+    response_types_supported: string[];
+    response_modes_supported?: string[];
+    grant_types_supported?: string[];
+    token_endpoint_auth_methods_supported?: string[];
+    revocation_endpoint?: string;
+    revocation_endpoint_auth_methods_supported?: string[];
+    introspection_endpoint?: string;
+    introspection_endpoint_auth_methods_supported?: string[];
+    code_challenge_methods_supported: string[];
+    service_documentation?: string;
+    ui_locales_supported?: string[];
+}
+/**
+ * Dynamic Client Registration Request (RFC 7591)
+ */
+export interface ClientRegistrationRequest {
+    redirect_uris: string[];
+    token_endpoint_auth_method?: string;
+    grant_types?: string[];
+    response_types?: string[];
+    client_name?: string;
+    client_uri?: string;
+    logo_uri?: string;
+    scope?: string;
+    contacts?: string[];
+    tos_uri?: string;
+    policy_uri?: string;
+    jwks_uri?: string;
+    software_id?: string;
+    software_version?: string;
+}
+/**
+ * Dynamic Client Registration Response
+ */
+export interface ClientRegistrationResponse {
+    client_id: string;
+    client_secret?: string;
+    client_id_issued_at?: number;
+    client_secret_expires_at?: number;
+    redirect_uris: string[];
+    token_endpoint_auth_method?: string;
+    grant_types?: string[];
+    response_types?: string[];
+    client_name?: string;
+    client_uri?: string;
+    logo_uri?: string;
+    scope?: string;
+    contacts?: string[];
+    tos_uri?: string;
+    policy_uri?: string;
+    jwks_uri?: string;
+    software_id?: string;
+    software_version?: string;
+    registration_client_uri?: string;
+    registration_access_token?: string;
+}
+/**
+ * PKCE (Proof Key for Code Exchange) parameters
+ */
+export interface PKCEParams {
+    code_verifier: string;
+    code_challenge: string;
+    code_challenge_method: 'S256' | 'plain';
+}
+/**
+ * Authorization request parameters
+ */
+export interface AuthorizationRequest {
+    response_type: 'code';
+    client_id: string;
+    redirect_uri: string;
+    scope?: string;
+    state: string;
+    code_challenge: string;
+    code_challenge_method: 'S256' | 'plain';
+    resource?: string;
+}
+/**
+ * Token request parameters
+ */
+export interface TokenRequest {
+    grant_type: 'authorization_code' | 'refresh_token' | 'client_credentials';
+    code?: string;
+    redirect_uri?: string;
+    client_id: string;
+    client_secret?: string;
+    code_verifier?: string;
+    refresh_token?: string;
+    resource?: string;
+    scope?: string;
+}
+/**
+ * OAuth 2.1 Error Response
+ */
+export interface OAuth2Error {
+    error: string;
+    error_description?: string;
+    error_uri?: string;
+    state?: string;
+}
+/**
+ * WWW-Authenticate Challenge (RFC 6750)
+ */
+export interface WWWAuthenticateChallenge {
+    scheme: 'Bearer';
+    realm?: string;
+    scope?: string;
+    error?: string;
+    error_description?: string;
+    resource_metadata?: string;
+}
+/**
+ * Auth configuration for MCP Server
+ */
+export interface McpAuthConfig {
+    resourceUri: string;
+    authorizationServers: string[];
+    scopesSupported?: string[];
+    tokenIntrospectionEndpoint?: string;
+    tokenIntrospectionClientId?: string;
+    tokenIntrospectionClientSecret?: string;
+    jwksUri?: string;
+    audience?: string;
+    issuer?: string;
+    requireHttps?: boolean;
+    tokenCacheSeconds?: number;
+}
+/**
+ * Auth configuration for MCP Client
+ */
+export interface McpAuthClientConfig {
+    clientId?: string;
+    clientSecret?: string;
+    authorizationServerUrl: string;
+    redirectUri?: string;
+    scopes?: string[];
+    resource?: string;
+    autoRegister?: boolean;
+    registrationMetadata?: Partial<ClientRegistrationRequest>;
+}
+/**
+ * Stored token information
+ */
+export interface StoredToken {
+    access_token: string;
+    token_type: 'Bearer';
+    expires_at: number;
+    refresh_token?: string;
+    scope?: string;
+    resource?: string;
+}
+/**
+ * Auth context passed to handlers
+ */
+export interface AuthContext {
+    authenticated: boolean;
+    tokenInfo?: TokenIntrospection;
+    scopes: string[];
+    clientId?: string;
+    subject?: string;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/auth/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/auth/types.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,QAAQ,CAAC;IACrB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,MAAM,EAAE,OAAO,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IACxB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED;;GAEG;AACH,MAAM,WAAW,yBAAyB;IACxC,QAAQ,EAAE,MAAM,CAAC;IACjB,qBAAqB,EAAE,MAAM,EAAE,CAAC;IAChC,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC5B,wBAAwB,CAAC,EAAE,CAAC,QAAQ,GAAG,MAAM,GAAG,OAAO,CAAC,EAAE,CAAC;IAC3D,qCAAqC,CAAC,EAAE,MAAM,EAAE,CAAC;IACjD,wCAAwC,CAAC,EAAE,MAAM,EAAE,CAAC;IACpD,wCAAwC,CAAC,EAAE,MAAM,EAAE,CAAC;CACrD;AAED;;GAEG;AACH,MAAM,WAAW,2BAA2B;IAC1C,MAAM,EAAE,MAAM,CAAC;IACf,sBAAsB,EAAE,MAAM,CAAC;IAC/B,cAAc,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC5B,wBAAwB,EAAE,MAAM,EAAE,CAAC;IACnC,wBAAwB,CAAC,EAAE,MAAM,EAAE,CAAC;IACpC,qBAAqB,CAAC,EAAE,MAAM,EAAE,CAAC;IACjC,qCAAqC,CAAC,EAAE,MAAM,EAAE,CAAC;IACjD,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,0CAA0C,CAAC,EAAE,MAAM,EAAE,CAAC;IACtD,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,6CAA6C,CAAC,EAAE,MAAM,EAAE,CAAC;IACzD,gCAAgC,EAAE,MAAM,EAAE,CAAC;IAC3C,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,oBAAoB,CAAC,EAAE,MAAM,EAAE,CAAC;CACjC;AAED;;GAEG;AACH,MAAM,WAAW,yBAAyB;IACxC,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,0BAA0B,CAAC,EAAE,MAAM,CAAC;IACpC,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B;AAED;;GAEG;AACH,MAAM,WAAW,0BAA0B;IACzC,SAAS,EAAE,MAAM,CAAC;IAClB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,wBAAwB,CAAC,EAAE,MAAM,CAAC;IAClC,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,0BAA0B,CAAC,EAAE,MAAM,CAAC;IACpC,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,uBAAuB,CAAC,EAAE,MAAM,CAAC;IACjC,yBAAyB,CAAC,EAAE,MAAM,CAAC;CACpC;AAED;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,aAAa,EAAE,MAAM,CAAC;IACtB,cAAc,EAAE,MAAM,CAAC;IACvB,qBAAqB,EAAE,MAAM,GAAG,OAAO,CAAC;CACzC;AAED;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,aAAa,EAAE,MAAM,CAAC;IACtB,SAAS,EAAE,MAAM,CAAC;IAClB,YAAY,EAAE,MAAM,CAAC;IACrB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,cAAc,EAAE,MAAM,CAAC;IACvB,qBAAqB,EAAE,MAAM,GAAG,OAAO,CAAC;IACxC,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,UAAU,EAAE,oBAAoB,GAAG,eAAe,GAAG,oBAAoB,CAAC;IAC1E,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,SAAS,EAAE,MAAM,CAAC;IAClB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,KAAK,EAAE,MAAM,CAAC;IACd,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED;;GAEG;AACH,MAAM,WAAW,wBAAwB;IACvC,MAAM,EAAE,QAAQ,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,iBAAiB,CAAC,EAAE,MAAM,CAAC;CAC5B;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAE5B,WAAW,EAAE,MAAM,CAAC;IACpB,oBAAoB,EAAE,MAAM,EAAE,CAAC;IAC/B,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAG3B,0BAA0B,CAAC,EAAE,MAAM,CAAC;IACpC,0BAA0B,CAAC,EAAE,MAAM,CAAC;IACpC,8BAA8B,CAAC,EAAE,MAAM,CAAC;IAGxC,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;IAGhB,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,iBAAiB,CAAC,EAAE,MAAM,CAAC;CAC5B;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAElC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,YAAY,CAAC,EAAE,MAAM,CAAC;IAGtB,sBAAsB,EAAE,MAAM,CAAC;IAG/B,WAAW,CAAC,EAAE,MAAM,CAAC;IAGrB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAGlB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAGlB,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,oBAAoB,CAAC,EAAE,OAAO,CAAC,yBAAyB,CAAC,CAAC;CAC3D;AAED;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,QAAQ,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;IACnB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,aAAa,EAAE,OAAO,CAAC;IACvB,SAAS,CAAC,EAAE,kBAAkB,CAAC;IAC/B,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB"}

package/dist/auth/types.js

@@ -0,0 +1,6 @@
+/**
+ * Authentication Types for NitroStack
+ * Based on OAuth 2.1 and MCP Authorization Specification
+ */
+export {};
+//# sourceMappingURL=types.js.map

package/dist/auth/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/auth/types.ts"],"names":[],"mappings":"AAAA;;;GAGG"}

package/dist/cli/commands/build.d.ts

@@ -0,0 +1,6 @@
+interface BuildOptions {
+    output: string;
+}
+export declare function buildCommand(options: BuildOptions): Promise<void>;
+export {};
+//# sourceMappingURL=build.d.ts.map

package/dist/cli/commands/build.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"build.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/build.ts"],"names":[],"mappings":"AASA,UAAU,YAAY;IACpB,MAAM,EAAE,MAAM,CAAC;CAChB;AAoBD,wBAAsB,YAAY,CAAC,OAAO,EAAE,YAAY,iBA2FvD"}

package/dist/cli/commands/build.js

@@ -0,0 +1,104 @@
+import chalk from 'chalk';
+import ora from 'ora';
+import { execSync, exec } from 'child_process';
+import { promisify } from 'util';
+import path from 'path';
+import fs from 'fs';
+const execAsync = promisify(exec);
+/**
+ * Check if a port is currently in use
+ * Returns true if port is in use, false otherwise
+ */
+async function isPortInUse(port) {
+    try {
+        const command = process.platform === 'win32'
+            ? `netstat -ano | findstr :${port}`
+            : `lsof -ti:${port} 2>/dev/null || netstat -an 2>/dev/null | grep LISTEN | grep ${port}`;
+        const { stdout } = await execAsync(command);
+        return stdout.trim().length > 0;
+    }
+    catch {
+        // Command failed means port is not in use
+        return false;
+    }
+}
+export async function buildCommand(options) {
+    console.log(chalk.blue.bold('\n📦 Building NitroStack server for production...\n'));
+    // Check if package.json exists
+    const packageJsonPath = path.join(process.cwd(), 'package.json');
+    if (!fs.existsSync(packageJsonPath)) {
+        console.error(chalk.red('Error: package.json not found. Are you in a NitroStack project?'));
+        process.exit(1);
+    }
+    // Check if tsconfig.json exists
+    const tsconfigPath = path.join(process.cwd(), 'tsconfig.json');
+    if (!fs.existsSync(tsconfigPath)) {
+        console.error(chalk.red('Error: tsconfig.json not found.'));
+        process.exit(1);
+    }
+    // Auto-detect widgets
+    const widgetsPath = path.join(process.cwd(), 'src', 'widgets');
+    const widgetsPackageJsonPath = path.join(widgetsPath, 'package.json');
+    const hasWidgets = fs.existsSync(widgetsPackageJsonPath);
+    // Check if dev server is running before building
+    console.log(chalk.gray('🔍 Checking for running dev servers...\n'));
+    const studioRunning = await isPortInUse(3000);
+    const widgetDevRunning = await isPortInUse(3001);
+    if (studioRunning || widgetDevRunning) {
+        console.log(chalk.red('❌ Cannot build while dev server is running!\n'));
+        if (studioRunning) {
+            console.log(chalk.yellow('⚠️  Studio is running on port 3000'));
+        }
+        if (widgetDevRunning) {
+            console.log(chalk.yellow('⚠️  Widget dev server is running on port 3001'));
+        }
+        console.log(chalk.red('\n🚫 Building while dev server is running causes cache corruption and widget errors.'));
+        console.log(chalk.cyan('\n💡 Solution:'));
+        console.log(chalk.white('   1. Stop the dev server (Press Ctrl+C in the terminal running "nitrostack dev")'));
+        console.log(chalk.white('   2. Run the build command again: npm run build\n'));
+        console.log(chalk.gray('Note: You don\'t need to build during development. Just use "nitrostack dev" for testing.\n'));
+        process.exit(1);
+    }
+    console.log(chalk.green('✅ No dev servers running, safe to build\n'));
+    try {
+        // Build widgets first if they exist
+        if (hasWidgets) {
+            console.log(chalk.blue('📦 Detected Next.js widgets, building...\n'));
+            // Install dependencies if needed
+            const widgetsNodeModulesPath = path.join(widgetsPath, 'node_modules');
+            if (!fs.existsSync(widgetsNodeModulesPath)) {
+                console.log(chalk.yellow('📥 Installing widget dependencies...\n'));
+                execSync('npm install', { cwd: widgetsPath, stdio: 'inherit' });
+            }
+            const widgetSpinner = ora('Building widgets...').start();
+            execSync('npm run build', {
+                cwd: widgetsPath,
+                stdio: 'pipe',
+                env: { ...process.env, NODE_ENV: 'production' },
+            });
+            widgetSpinner.succeed(chalk.green('Widgets built successfully!'));
+        }
+        // Build TypeScript
+        const spinner = ora('Compiling TypeScript...').start();
+        execSync('npx tsc', {
+            cwd: process.cwd(),
+            stdio: 'pipe',
+        });
+        spinner.succeed(chalk.green('TypeScript compiled successfully!'));
+        console.log(chalk.green.bold('\n✨ Build completed successfully!\n'));
+        console.log(chalk.white('Output directory:'), chalk.cyan(options.output));
+        if (hasWidgets) {
+            console.log(chalk.white('Widgets output:'), chalk.cyan('src/widgets/.next'));
+        }
+        console.log(chalk.white('\nTo start the server:\n'));
+        console.log(chalk.cyan('  npm start'));
+        console.log(chalk.white('\nor\n'));
+        console.log(chalk.cyan(`  nitrostack start\n`));
+    }
+    catch (error) {
+        console.error(chalk.red('\n❌ Build failed'));
+        console.error(chalk.red(error.message));
+        process.exit(1);
+    }
+}
+//# sourceMappingURL=build.js.map