noodleseed-cli 0.1.4

package/node_modules/@noodle-borg/service/dist/oauth/google.js

@@ -0,0 +1,39 @@
+import { OAuth2Client } from 'google-auth-library';
+export class GoogleOAuthAuthenticator {
+    #config;
+    #client;
+    constructor(config) {
+        this.#config = config;
+        this.#client = new OAuth2Client({
+            clientId: config.clientId,
+            clientSecret: config.clientSecret,
+            redirectUri: config.redirectUri,
+        });
+    }
+    authorizationUrl(state) {
+        return this.#client.generateAuthUrl({
+            scope: ['openid', 'email', 'profile'],
+            state,
+            access_type: 'online',
+            // Force the account chooser so a returning user can pick the identity; also a UX guard against
+            // silently reusing a wrong session.
+            prompt: 'select_account',
+        });
+    }
+    async exchange(code) {
+        const { tokens } = await this.#client.getToken(code);
+        const idToken = tokens.id_token;
+        if (!idToken)
+            throw new Error('Google token response had no id_token');
+        const ticket = await this.#client.verifyIdToken({ idToken, audience: this.#config.clientId });
+        const payload = ticket.getPayload();
+        const subject = payload?.sub;
+        const email = payload?.email;
+        const emailVerified = payload?.email_verified;
+        if (typeof subject !== 'string' || typeof email !== 'string' || emailVerified !== true) {
+            throw new Error('Google identity is missing a verified subject/email');
+        }
+        return { subject, email };
+    }
+}
+//# sourceMappingURL=google.js.map

package/node_modules/@noodle-borg/service/dist/oauth/google.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"google.js","sourceRoot":"","sources":["../../src/oauth/google.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AA6BnD,MAAM,OAAO,wBAAwB;IAC1B,OAAO,CAAoB;IAC3B,OAAO,CAAe;IAE/B,YAAY,MAAyB;QACnC,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC;QACtB,IAAI,CAAC,OAAO,GAAG,IAAI,YAAY,CAAC;YAC9B,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,YAAY,EAAE,MAAM,CAAC,YAAY;YACjC,WAAW,EAAE,MAAM,CAAC,WAAW;SAChC,CAAC,CAAC;IACL,CAAC;IAED,gBAAgB,CAAC,KAAa;QAC5B,OAAO,IAAI,CAAC,OAAO,CAAC,eAAe,CAAC;YAClC,KAAK,EAAE,CAAC,QAAQ,EAAE,OAAO,EAAE,SAAS,CAAC;YACrC,KAAK;YACL,WAAW,EAAE,QAAQ;YACrB,+FAA+F;YAC/F,oCAAoC;YACpC,MAAM,EAAE,gBAAgB;SACzB,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,QAAQ,CAAC,IAAY;QACzB,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;QACrD,MAAM,OAAO,GAAG,MAAM,CAAC,QAAQ,CAAC;QAChC,IAAI,CAAC,OAAO;YAAE,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;QACvE,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,aAAa,CAAC,EAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC,CAAC;QAC9F,MAAM,OAAO,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;QACpC,MAAM,OAAO,GAAG,OAAO,EAAE,GAAG,CAAC;QAC7B,MAAM,KAAK,GAAG,OAAO,EAAE,KAAK,CAAC;QAC7B,MAAM,aAAa,GAAG,OAAO,EAAE,cAAc,CAAC;QAC9C,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,aAAa,KAAK,IAAI,EAAE,CAAC;YACvF,MAAM,IAAI,KAAK,CAAC,qDAAqD,CAAC,CAAC;QACzE,CAAC;QACD,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;IAC5B,CAAC;CACF"}

package/node_modules/@noodle-borg/service/dist/oauth/paths.d.ts

@@ -0,0 +1,3 @@
+/** Whether a request path is owned by the authorization-server sub-app (delegated from the front-door). */
+export declare function isAuthServerPath(pathname: string): boolean;
+//# sourceMappingURL=paths.d.ts.map

package/node_modules/@noodle-borg/service/dist/oauth/paths.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"paths.d.ts","sourceRoot":"","sources":["../../src/oauth/paths.ts"],"names":[],"mappings":"AAeA,2GAA2G;AAC3G,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAE1D"}

package/node_modules/@noodle-borg/service/dist/oauth/paths.js

@@ -0,0 +1,19 @@
+/**
+ * Paths owned by the authorization-server sub-app (OA-2). Kept in its own dependency-free module so the
+ * raw-`node:http` front-door can decide delegation without importing Express — Express (and the AS app) load
+ * lazily, only when the authorization server is actually enabled.
+ */
+const AUTH_SERVER_PATHS = new Set([
+    '/authorize',
+    '/token',
+    '/register',
+    '/oauth/google/callback',
+    '/oauth/consent',
+    '/.well-known/oauth-authorization-server',
+    '/.well-known/jwks.json',
+]);
+/** Whether a request path is owned by the authorization-server sub-app (delegated from the front-door). */
+export function isAuthServerPath(pathname) {
+    return AUTH_SERVER_PATHS.has(pathname);
+}
+//# sourceMappingURL=paths.js.map

package/node_modules/@noodle-borg/service/dist/oauth/paths.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"paths.js","sourceRoot":"","sources":["../../src/oauth/paths.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,MAAM,iBAAiB,GAAwB,IAAI,GAAG,CAAC;IACrD,YAAY;IACZ,QAAQ;IACR,WAAW;IACX,wBAAwB;IACxB,gBAAgB;IAChB,yCAAyC;IACzC,wBAAwB;CACzB,CAAC,CAAC;AAEH,2GAA2G;AAC3G,MAAM,UAAU,gBAAgB,CAAC,QAAgB;IAC/C,OAAO,iBAAiB,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;AACzC,CAAC"}

package/node_modules/@noodle-borg/service/dist/oauth/provider.d.ts

@@ -0,0 +1,61 @@
+import type { OAuthRegisteredClientsStore } from '@modelcontextprotocol/sdk/server/auth/clients.js';
+import type { AuthorizationParams, OAuthServerProvider } from '@modelcontextprotocol/sdk/server/auth/provider.js';
+import type { AuthInfo } from '@modelcontextprotocol/sdk/server/auth/types.js';
+import type { OAuthClientInformationFull, OAuthTokens } from '@modelcontextprotocol/sdk/shared/auth.js';
+import { type SigningKeyProvider } from '@noodle-borg/auth';
+import type { Request, Response } from 'express';
+import type { GoogleAuthenticator } from './google.js';
+import type { OAuthStore } from './store.js';
+export interface NoodleOAuthProviderConfig {
+    /** The authorization server issuer (its public origin, e.g. `https://borg.noodleseed.com`). */
+    readonly issuer: string;
+    readonly store: OAuthStore;
+    readonly signer: SigningKeyProvider;
+    readonly google: GoogleAuthenticator;
+    /** When set, only users whose email ends with this domain may authorize (alpha gate, e.g. `@noodleseed.com`). */
+    readonly allowedEmailDomain?: string;
+    readonly accessTokenTtlSeconds?: number;
+    readonly refreshTokenTtlSeconds?: number;
+    readonly authCodeTtlSeconds?: number;
+    readonly pendingTtlSeconds?: number;
+    readonly consentTtlSeconds?: number;
+}
+/**
+ * The self-hosted OAuth authorization server provider (OA-2,
+ * [ADR 0042](../../../../docs/decisions/0042-self-hosted-oauth-authorization-server.md)). Implements the MCP
+ * SDK's {@link OAuthServerProvider}: DCR via {@link clientsStore}, an `authorize` that federates to Google,
+ * PKCE-validated code exchange (the SDK validates the verifier against {@link challengeForAuthorizationCode}),
+ * and rotating refresh tokens. Tokens are minted by `@noodle-borg/auth` and are exactly what the OA-1
+ * resource-server verifier validates (`iss` = this issuer, `aud` = the tenant MCP URL, `sub` = Google subject).
+ *
+ * The Google callback + consent interstitial are extra routes (`handleGoogleCallback`, `handleConsent`) the
+ * Express app wires alongside the SDK handlers; the confused-deputy consent step is mandatory because we
+ * federate all clients through one static Google client.
+ */
+export declare class NoodleOAuthProvider implements OAuthServerProvider {
+    #private;
+    constructor(config: NoodleOAuthProviderConfig);
+    get clientsStore(): OAuthRegisteredClientsStore;
+    /** Begin authorization: persist the pending request and redirect the user to "Sign in with Google". */
+    authorize(client: OAuthClientInformationFull, params: AuthorizationParams, res: Response): Promise<void>;
+    /** Return the stored PKCE challenge for a code (non-destructive — the SDK validates the verifier against it). */
+    challengeForAuthorizationCode(client: OAuthClientInformationFull, authorizationCode: string): Promise<string>;
+    /** Redeem an authorization code (single-use) and mint the owner's tokens. PKCE was validated by the SDK. */
+    exchangeAuthorizationCode(client: OAuthClientInformationFull, authorizationCode: string, _codeVerifier?: string, redirectUri?: string, resource?: URL): Promise<OAuthTokens>;
+    /** Rotate a refresh token (single-use): mint a fresh access token and a new refresh token. */
+    exchangeRefreshToken(client: OAuthClientInformationFull, refreshToken: string, _scopes?: string[], resource?: URL): Promise<OAuthTokens>;
+    /** Verify an access token (issuer/signature/expiry). Provided for interface completeness — the data-plane
+     * resource server verifies with its own audience-bound verifier; this is not on the AS request path. */
+    verifyAccessToken(token: string): Promise<AuthInfo>;
+    /** RFC 8414 authorization-server metadata (plus our `jwks_uri`), served at `/.well-known/oauth-authorization-server`. */
+    metadata(): Record<string, unknown>;
+    /** The public JWKS the resource server (and external validators) read to verify access tokens. */
+    jwks(): Promise<{
+        keys: unknown[];
+    }>;
+    /** Google callback: consume the pending auth, verify the Google identity, and render the consent page. */
+    handleGoogleCallback(req: Request, res: Response): Promise<void>;
+    /** Consent decision: on approve, mint a PKCE-bound code and redirect to the client; on deny, redirect with an error. */
+    handleConsent(req: Request, res: Response): Promise<void>;
+}
+//# sourceMappingURL=provider.d.ts.map

package/node_modules/@noodle-borg/service/dist/oauth/provider.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"provider.d.ts","sourceRoot":"","sources":["../../src/oauth/provider.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,2BAA2B,EAAE,MAAM,kDAAkD,CAAC;AAMpG,OAAO,KAAK,EACV,mBAAmB,EACnB,mBAAmB,EACpB,MAAM,mDAAmD,CAAC;AAE3D,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,gDAAgD,CAAC;AAC/E,OAAO,KAAK,EACV,0BAA0B,EAC1B,WAAW,EACZ,MAAM,0CAA0C,CAAC;AAClD,OAAO,EAGL,KAAK,kBAAkB,EAExB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAGjD,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AACvD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAS7C,MAAM,WAAW,yBAAyB;IACxC,+FAA+F;IAC/F,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,KAAK,EAAE,UAAU,CAAC;IAC3B,QAAQ,CAAC,MAAM,EAAE,kBAAkB,CAAC;IACpC,QAAQ,CAAC,MAAM,EAAE,mBAAmB,CAAC;IACrC,iHAAiH;IACjH,QAAQ,CAAC,kBAAkB,CAAC,EAAE,MAAM,CAAC;IACrC,QAAQ,CAAC,qBAAqB,CAAC,EAAE,MAAM,CAAC;IACxC,QAAQ,CAAC,sBAAsB,CAAC,EAAE,MAAM,CAAC;IACzC,QAAQ,CAAC,kBAAkB,CAAC,EAAE,MAAM,CAAC;IACrC,QAAQ,CAAC,iBAAiB,CAAC,EAAE,MAAM,CAAC;IACpC,QAAQ,CAAC,iBAAiB,CAAC,EAAE,MAAM,CAAC;CACrC;AAeD;;;;;;;;;;;GAWG;AACH,qBAAa,mBAAoB,YAAW,mBAAmB;;gBASjD,MAAM,EAAE,yBAAyB;IAS7C,IAAI,YAAY,IAAI,2BAA2B,CAM9C;IAED,uGAAuG;IACjG,SAAS,CACb,MAAM,EAAE,0BAA0B,EAClC,MAAM,EAAE,mBAAmB,EAC3B,GAAG,EAAE,QAAQ,GACZ,OAAO,CAAC,IAAI,CAAC;IAoBhB,iHAAiH;IAC3G,6BAA6B,CACjC,MAAM,EAAE,0BAA0B,EAClC,iBAAiB,EAAE,MAAM,GACxB,OAAO,CAAC,MAAM,CAAC;IAQlB,4GAA4G;IACtG,yBAAyB,CAC7B,MAAM,EAAE,0BAA0B,EAClC,iBAAiB,EAAE,MAAM,EACzB,aAAa,CAAC,EAAE,MAAM,EACtB,WAAW,CAAC,EAAE,MAAM,EACpB,QAAQ,CAAC,EAAE,GAAG,GACb,OAAO,CAAC,WAAW,CAAC;IAoBvB,8FAA8F;IACxF,oBAAoB,CACxB,MAAM,EAAE,0BAA0B,EAClC,YAAY,EAAE,MAAM,EACpB,OAAO,CAAC,EAAE,MAAM,EAAE,EAClB,QAAQ,CAAC,EAAE,GAAG,GACb,OAAO,CAAC,WAAW,CAAC;IAiBvB;4GACwG;IAClG,iBAAiB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC;IAWzD,yHAAyH;IACzH,QAAQ,IAAI,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;IAUnC,kGAAkG;IAClG,IAAI,IAAI,OAAO,CAAC;QAAE,IAAI,EAAE,OAAO,EAAE,CAAA;KAAE,CAAC;IAIpC,0GAA0G;IACpG,oBAAoB,CAAC,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,QAAQ,GAAG,OAAO,CAAC,IAAI,CAAC;IAyDtE,wHAAwH;IAClH,aAAa,CAAC,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,QAAQ,GAAG,OAAO,CAAC,IAAI,CAAC;CAgHhE"}

package/node_modules/@noodle-borg/service/dist/oauth/provider.js

@@ -0,0 +1,313 @@
+import { InvalidGrantError, InvalidRequestError, InvalidTokenError, } from '@modelcontextprotocol/sdk/server/auth/errors.js';
+import { createOAuthMetadata } from '@modelcontextprotocol/sdk/server/auth/router.js';
+import { createJwtVerifier, mintAccessToken, } from '@noodle-borg/auth';
+import { jwtVerify, SignJWT } from 'jose';
+import { renderConsentPage } from './consent.js';
+import { hashToken, randomToken } from './tokens.js';
+const ONE_HOUR = 3600;
+const THIRTY_DAYS = 30 * 24 * 3600;
+const TEN_MINUTES = 600;
+const FIVE_MINUTES = 300;
+const CONSENT_PATH = '/oauth/consent';
+/**
+ * The self-hosted OAuth authorization server provider (OA-2,
+ * [ADR 0042](../../../../docs/decisions/0042-self-hosted-oauth-authorization-server.md)). Implements the MCP
+ * SDK's {@link OAuthServerProvider}: DCR via {@link clientsStore}, an `authorize` that federates to Google,
+ * PKCE-validated code exchange (the SDK validates the verifier against {@link challengeForAuthorizationCode}),
+ * and rotating refresh tokens. Tokens are minted by `@noodle-borg/auth` and are exactly what the OA-1
+ * resource-server verifier validates (`iss` = this issuer, `aud` = the tenant MCP URL, `sub` = Google subject).
+ *
+ * The Google callback + consent interstitial are extra routes (`handleGoogleCallback`, `handleConsent`) the
+ * Express app wires alongside the SDK handlers; the confused-deputy consent step is mandatory because we
+ * federate all clients through one static Google client.
+ */
+export class NoodleOAuthProvider {
+    #config;
+    #accessTtl;
+    #refreshTtl;
+    #codeTtl;
+    #pendingTtl;
+    #consentTtl;
+    #verifier;
+    constructor(config) {
+        this.#config = config;
+        this.#accessTtl = config.accessTokenTtlSeconds ?? ONE_HOUR;
+        this.#refreshTtl = config.refreshTokenTtlSeconds ?? THIRTY_DAYS;
+        this.#codeTtl = config.authCodeTtlSeconds ?? TEN_MINUTES;
+        this.#pendingTtl = config.pendingTtlSeconds ?? TEN_MINUTES;
+        this.#consentTtl = config.consentTtlSeconds ?? FIVE_MINUTES;
+    }
+    get clientsStore() {
+        return {
+            getClient: (clientId) => this.#config.store.getClient(clientId),
+            registerClient: (client) => this.#config.store.putClient(client),
+        };
+    }
+    /** Begin authorization: persist the pending request and redirect the user to "Sign in with Google". */
+    async authorize(client, params, res) {
+        // RFC 8707: the client MUST bind the token to a resource. Owner-only tokens are audience-bound to the
+        // tenant MCP URL, so without it we cannot mint a usable token — fail before redirecting to Google.
+        if (!params.resource) {
+            throw new InvalidRequestError('the resource parameter is required');
+        }
+        const nonce = randomToken();
+        await this.#config.store.createPendingAuthorization({
+            state: hashToken(nonce),
+            clientId: client.client_id,
+            redirectUri: params.redirectUri,
+            codeChallenge: params.codeChallenge,
+            ...(params.state !== undefined ? { clientState: params.state } : {}),
+            resource: params.resource.href,
+            ...(params.scopes && params.scopes.length > 0 ? { scope: params.scopes.join(' ') } : {}),
+            expiresAt: this.#nowSeconds() + this.#pendingTtl,
+        });
+        res.redirect(302, this.#config.google.authorizationUrl(nonce));
+    }
+    /** Return the stored PKCE challenge for a code (non-destructive — the SDK validates the verifier against it). */
+    async challengeForAuthorizationCode(client, authorizationCode) {
+        const record = await this.#config.store.getAuthorizationCode(hashToken(authorizationCode));
+        if (!record || record.clientId !== client.client_id) {
+            throw new InvalidGrantError('invalid authorization code');
+        }
+        return record.codeChallenge;
+    }
+    /** Redeem an authorization code (single-use) and mint the owner's tokens. PKCE was validated by the SDK. */
+    async exchangeAuthorizationCode(client, authorizationCode, _codeVerifier, redirectUri, resource) {
+        const record = await this.#config.store.redeemAuthorizationCode(hashToken(authorizationCode));
+        if (!record || record.clientId !== client.client_id) {
+            throw new InvalidGrantError('invalid authorization code');
+        }
+        if (redirectUri !== undefined && redirectUri !== record.redirectUri) {
+            throw new InvalidGrantError('redirect_uri does not match the authorization request');
+        }
+        if (resource !== undefined && resource.href !== record.resource) {
+            throw new InvalidGrantError('resource does not match the authorization request');
+        }
+        return this.#issueTokens({
+            clientId: client.client_id,
+            ownerSubject: record.ownerSubject,
+            resource: record.resource,
+            ...(record.ownerEmail !== undefined ? { ownerEmail: record.ownerEmail } : {}),
+            ...(record.scope !== undefined ? { scope: record.scope } : {}),
+        });
+    }
+    /** Rotate a refresh token (single-use): mint a fresh access token and a new refresh token. */
+    async exchangeRefreshToken(client, refreshToken, _scopes, resource) {
+        const record = await this.#config.store.consumeRefreshToken(hashToken(refreshToken));
+        if (!record || record.clientId !== client.client_id) {
+            throw new InvalidGrantError('invalid refresh token');
+        }
+        if (resource !== undefined && resource.href !== record.resource) {
+            throw new InvalidGrantError('resource does not match the refresh token');
+        }
+        return this.#issueTokens({
+            clientId: client.client_id,
+            ownerSubject: record.ownerSubject,
+            resource: record.resource,
+            ...(record.ownerEmail !== undefined ? { ownerEmail: record.ownerEmail } : {}),
+            ...(record.scope !== undefined ? { scope: record.scope } : {}),
+        });
+    }
+    /** Verify an access token (issuer/signature/expiry). Provided for interface completeness — the data-plane
+     * resource server verifies with its own audience-bound verifier; this is not on the AS request path. */
+    async verifyAccessToken(token) {
+        const identity = await this.#verify()(token);
+        if (!identity)
+            throw new InvalidTokenError('invalid or expired access token');
+        return {
+            token,
+            clientId: '',
+            scopes: [...identity.scopes],
+            ...(identity.expiresAt !== undefined ? { expiresAt: identity.expiresAt } : {}),
+        };
+    }
+    /** RFC 8414 authorization-server metadata (plus our `jwks_uri`), served at `/.well-known/oauth-authorization-server`. */
+    metadata() {
+        const issuer = trimTrailingSlash(this.#config.issuer);
+        const base = createOAuthMetadata({ provider: this, issuerUrl: new URL(issuer) });
+        // The SDK emits `issuer` as `URL.href`, which appends a trailing slash for a path-less origin
+        // (`https://h` → `https://h/`). RFC 8414 §3.3 requires the metadata `issuer` to be identical to the
+        // issuer used to build the well-known URL, and our token `iss` + the PRM `authorization_servers` entry
+        // use the no-slash form — so normalize it back for consistency across all three.
+        return { ...base, issuer, jwks_uri: `${issuer}/.well-known/jwks.json` };
+    }
+    /** The public JWKS the resource server (and external validators) read to verify access tokens. */
+    jwks() {
+        return this.#config.signer.publicJwks();
+    }
+    /** Google callback: consume the pending auth, verify the Google identity, and render the consent page. */
+    async handleGoogleCallback(req, res) {
+        if (typeof req.query.error === 'string') {
+            res.status(400).type('text/plain').send(`Google sign-in failed: ${req.query.error}`);
+            return;
+        }
+        const code = typeof req.query.code === 'string' ? req.query.code : undefined;
+        const state = typeof req.query.state === 'string' ? req.query.state : undefined;
+        if (!code || !state) {
+            res.status(400).type('text/plain').send('missing authorization code or state');
+            return;
+        }
+        const pending = await this.#config.store.consumePendingAuthorization(hashToken(state));
+        if (!pending) {
+            res.status(400).type('text/plain').send('unknown or expired authorization request');
+            return;
+        }
+        let identity;
+        try {
+            identity = await this.#config.google.exchange(code);
+        }
+        catch {
+            res.status(400).type('text/plain').send('Google authentication failed');
+            return;
+        }
+        if (this.#config.allowedEmailDomain &&
+            !identity.email.toLowerCase().endsWith(this.#config.allowedEmailDomain.toLowerCase())) {
+            res.status(403).type('text/plain').send('this Google account is not permitted');
+            return;
+        }
+        const consentToken = await this.#signConsent({
+            kind: 'consent',
+            clientId: pending.clientId,
+            redirectUri: pending.redirectUri,
+            codeChallenge: pending.codeChallenge,
+            resource: pending.resource,
+            ownerSubject: identity.subject,
+            ownerEmail: identity.email,
+            ...(pending.clientState !== undefined ? { clientState: pending.clientState } : {}),
+            ...(pending.scope !== undefined ? { scope: pending.scope } : {}),
+        });
+        const client = await this.#config.store.getClient(pending.clientId);
+        res
+            .status(200)
+            .type('html')
+            .send(renderConsentPage({
+            clientName: client?.client_name ?? pending.clientId,
+            resourceHost: hostOf(pending.resource),
+            redirectHost: hostOf(pending.redirectUri),
+            userEmail: identity.email,
+            consentToken,
+            consentAction: CONSENT_PATH,
+        }));
+    }
+    /** Consent decision: on approve, mint a PKCE-bound code and redirect to the client; on deny, redirect with an error. */
+    async handleConsent(req, res) {
+        const body = (req.body ?? {});
+        const consentToken = typeof body.consent_token === 'string' ? body.consent_token : undefined;
+        const decision = typeof body.decision === 'string' ? body.decision : undefined;
+        if (!consentToken) {
+            res.status(400).type('text/plain').send('missing consent_token');
+            return;
+        }
+        let claims;
+        try {
+            claims = await this.#verifyConsent(consentToken);
+        }
+        catch {
+            res.status(400).type('text/plain').send('invalid or expired consent');
+            return;
+        }
+        const redirect = new URL(claims.redirectUri);
+        if (decision !== 'approve') {
+            redirect.searchParams.set('error', 'access_denied');
+            if (claims.clientState !== undefined)
+                redirect.searchParams.set('state', claims.clientState);
+            res.redirect(302, redirect.href);
+            return;
+        }
+        const rawCode = randomToken();
+        await this.#config.store.createAuthorizationCode({
+            code: hashToken(rawCode),
+            clientId: claims.clientId,
+            codeChallenge: claims.codeChallenge,
+            redirectUri: claims.redirectUri,
+            resource: claims.resource,
+            ownerSubject: claims.ownerSubject,
+            ...(claims.ownerEmail !== undefined ? { ownerEmail: claims.ownerEmail } : {}),
+            ...(claims.scope !== undefined ? { scope: claims.scope } : {}),
+            expiresAt: this.#nowSeconds() + this.#codeTtl,
+        });
+        redirect.searchParams.set('code', rawCode);
+        if (claims.clientState !== undefined)
+            redirect.searchParams.set('state', claims.clientState);
+        res.redirect(302, redirect.href);
+    }
+    async #issueTokens(input) {
+        const access_token = await mintAccessToken(this.#config.signer, {
+            issuer: this.#config.issuer,
+            subject: input.ownerSubject,
+            audience: input.resource,
+            ...(input.ownerEmail !== undefined ? { email: input.ownerEmail } : {}),
+            ...(input.scope !== undefined ? { scope: input.scope } : {}),
+        }, this.#accessTtl);
+        const rawRefresh = randomToken();
+        await this.#config.store.createRefreshToken({
+            token: hashToken(rawRefresh),
+            clientId: input.clientId,
+            ownerSubject: input.ownerSubject,
+            resource: input.resource,
+            ...(input.ownerEmail !== undefined ? { ownerEmail: input.ownerEmail } : {}),
+            ...(input.scope !== undefined ? { scope: input.scope } : {}),
+            expiresAt: this.#nowSeconds() + this.#refreshTtl,
+        });
+        return {
+            access_token,
+            token_type: 'bearer',
+            expires_in: this.#accessTtl,
+            refresh_token: rawRefresh,
+            ...(input.scope !== undefined ? { scope: input.scope } : {}),
+        };
+    }
+    async #signConsent(claims) {
+        const key = await this.#config.signer.signingKey();
+        return new SignJWT({ ...claims })
+            .setProtectedHeader({ alg: key.alg, kid: key.kid })
+            .setIssuer(this.#config.issuer)
+            .setIssuedAt()
+            .setExpirationTime(`${this.#consentTtl}s`)
+            .sign(key.privateKey);
+    }
+    async #verifyConsent(token) {
+        const getKey = await this.#config.signer.verifierKey();
+        const { payload } = await jwtVerify(token, getKey, { issuer: this.#config.issuer });
+        if (!isConsentClaims(payload))
+            throw new Error('not a consent token');
+        return payload;
+    }
+    #verify() {
+        if (!this.#verifier) {
+            this.#verifier = createJwtVerifier({
+                issuer: this.#config.issuer,
+                keyResolver: this.#lazyKey,
+            });
+        }
+        return this.#verifier;
+    }
+    // A resolver that defers to the signer's public key on first use (the signer's key set is stable).
+    #lazyKey = async (header, input) => {
+        const getKey = await this.#config.signer.verifierKey();
+        return getKey(header, input);
+    };
+    #nowSeconds() {
+        return Math.floor(Date.now() / 1000);
+    }
+}
+function isConsentClaims(payload) {
+    return (payload.kind === 'consent' &&
+        typeof payload.clientId === 'string' &&
+        typeof payload.redirectUri === 'string' &&
+        typeof payload.codeChallenge === 'string' &&
+        typeof payload.resource === 'string' &&
+        typeof payload.ownerSubject === 'string');
+}
+function hostOf(url) {
+    try {
+        return new URL(url).host;
+    }
+    catch {
+        return url;
+    }
+}
+function trimTrailingSlash(url) {
+    return url.endsWith('/') ? url.slice(0, -1) : url;
+}
+//# sourceMappingURL=provider.js.map

package/node_modules/@noodle-borg/service/dist/oauth/provider.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"provider.js","sourceRoot":"","sources":["../../src/oauth/provider.ts"],"names":[],"mappings":"AACA,OAAO,EACL,iBAAiB,EACjB,mBAAmB,EACnB,iBAAiB,GAClB,MAAM,iDAAiD,CAAC;AAKzD,OAAO,EAAE,mBAAmB,EAAE,MAAM,iDAAiD,CAAC;AAMtF,OAAO,EACL,iBAAiB,EACjB,eAAe,GAGhB,MAAM,mBAAmB,CAAC;AAE3B,OAAO,EAAmB,SAAS,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AAC3D,OAAO,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AAGjD,OAAO,EAAE,SAAS,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAErD,MAAM,QAAQ,GAAG,IAAI,CAAC;AACtB,MAAM,WAAW,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;AACnC,MAAM,WAAW,GAAG,GAAG,CAAC;AACxB,MAAM,YAAY,GAAG,GAAG,CAAC;AACzB,MAAM,YAAY,GAAG,gBAAgB,CAAC;AA8BtC;;;;;;;;;;;GAWG;AACH,MAAM,OAAO,mBAAmB;IACrB,OAAO,CAA4B;IACnC,UAAU,CAAS;IACnB,WAAW,CAAS;IACpB,QAAQ,CAAS;IACjB,WAAW,CAAS;IACpB,WAAW,CAAS;IAC7B,SAAS,CAA4B;IAErC,YAAY,MAAiC;QAC3C,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC;QACtB,IAAI,CAAC,UAAU,GAAG,MAAM,CAAC,qBAAqB,IAAI,QAAQ,CAAC;QAC3D,IAAI,CAAC,WAAW,GAAG,MAAM,CAAC,sBAAsB,IAAI,WAAW,CAAC;QAChE,IAAI,CAAC,QAAQ,GAAG,MAAM,CAAC,kBAAkB,IAAI,WAAW,CAAC;QACzD,IAAI,CAAC,WAAW,GAAG,MAAM,CAAC,iBAAiB,IAAI,WAAW,CAAC;QAC3D,IAAI,CAAC,WAAW,GAAG,MAAM,CAAC,iBAAiB,IAAI,YAAY,CAAC;IAC9D,CAAC;IAED,IAAI,YAAY;QACd,OAAO;YACL,SAAS,EAAE,CAAC,QAAQ,EAAE,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,SAAS,CAAC,QAAQ,CAAC;YAC/D,cAAc,EAAE,CAAC,MAAM,EAAE,EAAE,CACzB,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,SAAS,CAAC,MAAoC,CAAC;SACrE,CAAC;IACJ,CAAC;IAED,uGAAuG;IACvG,KAAK,CAAC,SAAS,CACb,MAAkC,EAClC,MAA2B,EAC3B,GAAa;QAEb,sGAAsG;QACtG,mGAAmG;QACnG,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;YACrB,MAAM,IAAI,mBAAmB,CAAC,oCAAoC,CAAC,CAAC;QACtE,CAAC;QACD,MAAM,KAAK,GAAG,WAAW,EAAE,CAAC;QAC5B,MAAM,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,0BAA0B,CAAC;YAClD,KAAK,EAAE,SAAS,CAAC,KAAK,CAAC;YACvB,QAAQ,EAAE,MAAM,CAAC,SAAS;YAC1B,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,aAAa,EAAE,MAAM,CAAC,aAAa;YACnC,GAAG,CAAC,MAAM,CAAC,KAAK,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACpE,QAAQ,EAAE,MAAM,CAAC,QAAQ,CAAC,IAAI;YAC9B,GAAG,CAAC,MAAM,CAAC,MAAM,IAAI,MAAM,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACxF,SAAS,EAAE,IAAI,CAAC,WAAW,EAAE,GAAG,IAAI,CAAC,WAAW;SACjD,CAAC,CAAC;QACH,GAAG,CAAC,QAAQ,CAAC,GAAG,EAAE,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,gBAAgB,CAAC,KAAK,CAAC,CAAC,CAAC;IACjE,CAAC;IAED,iHAAiH;IACjH,KAAK,CAAC,6BAA6B,CACjC,MAAkC,EAClC,iBAAyB;QAEzB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,oBAAoB,CAAC,SAAS,CAAC,iBAAiB,CAAC,CAAC,CAAC;QAC3F,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,QAAQ,KAAK,MAAM,CAAC,SAAS,EAAE,CAAC;YACpD,MAAM,IAAI,iBAAiB,CAAC,4BAA4B,CAAC,CAAC;QAC5D,CAAC;QACD,OAAO,MAAM,CAAC,aAAa,CAAC;IAC9B,CAAC;IAED,4GAA4G;IAC5G,KAAK,CAAC,yBAAyB,CAC7B,MAAkC,EAClC,iBAAyB,EACzB,aAAsB,EACtB,WAAoB,EACpB,QAAc;QAEd,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,uBAAuB,CAAC,SAAS,CAAC,iBAAiB,CAAC,CAAC,CAAC;QAC9F,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,QAAQ,KAAK,MAAM,CAAC,SAAS,EAAE,CAAC;YACpD,MAAM,IAAI,iBAAiB,CAAC,4BAA4B,CAAC,CAAC;QAC5D,CAAC;QACD,IAAI,WAAW,KAAK,SAAS,IAAI,WAAW,KAAK,MAAM,CAAC,WAAW,EAAE,CAAC;YACpE,MAAM,IAAI,iBAAiB,CAAC,uDAAuD,CAAC,CAAC;QACvF,CAAC;QACD,IAAI,QAAQ,KAAK,SAAS,IAAI,QAAQ,CAAC,IAAI,KAAK,MAAM,CAAC,QAAQ,EAAE,CAAC;YAChE,MAAM,IAAI,iBAAiB,CAAC,mDAAmD,CAAC,CAAC;QACnF,CAAC;QACD,OAAO,IAAI,CAAC,YAAY,CAAC;YACvB,QAAQ,EAAE,MAAM,CAAC,SAAS;YAC1B,YAAY,EAAE,MAAM,CAAC,YAAY;YACjC,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,GAAG,CAAC,MAAM,CAAC,UAAU,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,UAAU,EAAE,MAAM,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YAC7E,GAAG,CAAC,MAAM,CAAC,KAAK,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAC/D,CAAC,CAAC;IACL,CAAC;IAED,8FAA8F;IAC9F,KAAK,CAAC,oBAAoB,CACxB,MAAkC,EAClC,YAAoB,EACpB,OAAkB,EAClB,QAAc;QAEd,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,mBAAmB,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC,CAAC;QACrF,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,QAAQ,KAAK,MAAM,CAAC,SAAS,EAAE,CAAC;YACpD,MAAM,IAAI,iBAAiB,CAAC,uBAAuB,CAAC,CAAC;QACvD,CAAC;QACD,IAAI,QAAQ,KAAK,SAAS,IAAI,QAAQ,CAAC,IAAI,KAAK,MAAM,CAAC,QAAQ,EAAE,CAAC;YAChE,MAAM,IAAI,iBAAiB,CAAC,2CAA2C,CAAC,CAAC;QAC3E,CAAC;QACD,OAAO,IAAI,CAAC,YAAY,CAAC;YACvB,QAAQ,EAAE,MAAM,CAAC,SAAS;YAC1B,YAAY,EAAE,MAAM,CAAC,YAAY;YACjC,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,GAAG,CAAC,MAAM,CAAC,UAAU,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,UAAU,EAAE,MAAM,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YAC7E,GAAG,CAAC,MAAM,CAAC,KAAK,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAC/D,CAAC,CAAC;IACL,CAAC;IAED;4GACwG;IACxG,KAAK,CAAC,iBAAiB,CAAC,KAAa;QACnC,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC,KAAK,CAAC,CAAC;QAC7C,IAAI,CAAC,QAAQ;YAAE,MAAM,IAAI,iBAAiB,CAAC,iCAAiC,CAAC,CAAC;QAC9E,OAAO;YACL,KAAK;YACL,QAAQ,EAAE,EAAE;YACZ,MAAM,EAAE,CAAC,GAAG,QAAQ,CAAC,MAAM,CAAC;YAC5B,GAAG,CAAC,QAAQ,CAAC,SAAS,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,SAAS,EAAE,QAAQ,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAC/E,CAAC;IACJ,CAAC;IAED,yHAAyH;IACzH,QAAQ;QACN,MAAM,MAAM,GAAG,iBAAiB,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QACtD,MAAM,IAAI,GAAG,mBAAmB,CAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;QACjF,8FAA8F;QAC9F,oGAAoG;QACpG,uGAAuG;QACvG,iFAAiF;QACjF,OAAO,EAAE,GAAG,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,GAAG,MAAM,wBAAwB,EAAE,CAAC;IAC1E,CAAC;IAED,kGAAkG;IAClG,IAAI;QACF,OAAO,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,UAAU,EAAE,CAAC;IAC1C,CAAC;IAED,0GAA0G;IAC1G,KAAK,CAAC,oBAAoB,CAAC,GAAY,EAAE,GAAa;QACpD,IAAI,OAAO,GAAG,CAAC,KAAK,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;YACxC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC,IAAI,CAAC,0BAA0B,GAAG,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC;YACrF,OAAO;QACT,CAAC;QACD,MAAM,IAAI,GAAG,OAAO,GAAG,CAAC,KAAK,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC;QAC7E,MAAM,KAAK,GAAG,OAAO,GAAG,CAAC,KAAK,CAAC,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC;QAChF,IAAI,CAAC,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YACpB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC,IAAI,CAAC,qCAAqC,CAAC,CAAC;YAC/E,OAAO;QACT,CAAC;QACD,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,2BAA2B,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC;QACvF,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC,IAAI,CAAC,0CAA0C,CAAC,CAAC;YACpF,OAAO;QACT,CAAC;QACD,IAAI,QAA4C,CAAC;QACjD,IAAI,CAAC;YACH,QAAQ,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;QACtD,CAAC;QAAC,MAAM,CAAC;YACP,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC,IAAI,CAAC,8BAA8B,CAAC,CAAC;YACxE,OAAO;QACT,CAAC;QACD,IACE,IAAI,CAAC,OAAO,CAAC,kBAAkB;YAC/B,CAAC,QAAQ,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,kBAAkB,CAAC,WAAW,EAAE,CAAC,EACrF,CAAC;YACD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC,IAAI,CAAC,sCAAsC,CAAC,CAAC;YAChF,OAAO;QACT,CAAC;QACD,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC;YAC3C,IAAI,EAAE,SAAS;YACf,QAAQ,EAAE,OAAO,CAAC,QAAQ;YAC1B,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,aAAa,EAAE,OAAO,CAAC,aAAa;YACpC,QAAQ,EAAE,OAAO,CAAC,QAAQ;YAC1B,YAAY,EAAE,QAAQ,CAAC,OAAO;YAC9B,UAAU,EAAE,QAAQ,CAAC,KAAK;YAC1B,GAAG,CAAC,OAAO,CAAC,WAAW,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,OAAO,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YAClF,GAAG,CAAC,OAAO,CAAC,KAAK,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACjE,CAAC,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,SAAS,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;QACpE,GAAG;aACA,MAAM,CAAC,GAAG,CAAC;aACX,IAAI,CAAC,MAAM,CAAC;aACZ,IAAI,CACH,iBAAiB,CAAC;YAChB,UAAU,EAAE,MAAM,EAAE,WAAW,IAAI,OAAO,CAAC,QAAQ;YACnD,YAAY,EAAE,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC;YACtC,YAAY,EAAE,MAAM,CAAC,OAAO,CAAC,WAAW,CAAC;YACzC,SAAS,EAAE,QAAQ,CAAC,KAAK;YACzB,YAAY;YACZ,aAAa,EAAE,YAAY;SAC5B,CAAC,CACH,CAAC;IACN,CAAC;IAED,wHAAwH;IACxH,KAAK,CAAC,aAAa,CAAC,GAAY,EAAE,GAAa;QAC7C,MAAM,IAAI,GAAG,CAAC,GAAG,CAAC,IAAI,IAAI,EAAE,CAA4B,CAAC;QACzD,MAAM,YAAY,GAAG,OAAO,IAAI,CAAC,aAAa,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,SAAS,CAAC;QAC7F,MAAM,QAAQ,GAAG,OAAO,IAAI,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC;QAC/E,IAAI,CAAC,YAAY,EAAE,CAAC;YAClB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;YACjE,OAAO;QACT,CAAC;QACD,IAAI,MAAqB,CAAC;QAC1B,IAAI,CAAC;YACH,MAAM,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,YAAY,CAAC,CAAC;QACnD,CAAC;QAAC,MAAM,CAAC;YACP,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC,IAAI,CAAC,4BAA4B,CAAC,CAAC;YACtE,OAAO;QACT,CAAC;QACD,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;QAC7C,IAAI,QAAQ,KAAK,SAAS,EAAE,CAAC;YAC3B,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,eAAe,CAAC,CAAC;YACpD,IAAI,MAAM,CAAC,WAAW,KAAK,SAAS;gBAAE,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,MAAM,CAAC,WAAW,CAAC,CAAC;YAC7F,GAAG,CAAC,QAAQ,CAAC,GAAG,EAAE,QAAQ,CAAC,IAAI,CAAC,CAAC;YACjC,OAAO;QACT,CAAC;QACD,MAAM,OAAO,GAAG,WAAW,EAAE,CAAC;QAC9B,MAAM,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,uBAAuB,CAAC;YAC/C,IAAI,EAAE,SAAS,CAAC,OAAO,CAAC;YACxB,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,aAAa,EAAE,MAAM,CAAC,aAAa;YACnC,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,YAAY,EAAE,MAAM,CAAC,YAAY;YACjC,GAAG,CAAC,MAAM,CAAC,UAAU,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,UAAU,EAAE,MAAM,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YAC7E,GAAG,CAAC,MAAM,CAAC,KAAK,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YAC9D,SAAS,EAAE,IAAI,CAAC,WAAW,EAAE,GAAG,IAAI,CAAC,QAAQ;SAC9C,CAAC,CAAC;QACH,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QAC3C,IAAI,MAAM,CAAC,WAAW,KAAK,SAAS;YAAE,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,MAAM,CAAC,WAAW,CAAC,CAAC;QAC7F,GAAG,CAAC,QAAQ,CAAC,GAAG,EAAE,QAAQ,CAAC,IAAI,CAAC,CAAC;IACnC,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,KAMlB;QACC,MAAM,YAAY,GAAG,MAAM,eAAe,CACxC,IAAI,CAAC,OAAO,CAAC,MAAM,EACnB;YACE,MAAM,EAAE,IAAI,CAAC,OAAO,CAAC,MAAM;YAC3B,OAAO,EAAE,KAAK,CAAC,YAAY;YAC3B,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,GAAG,CAAC,KAAK,CAAC,UAAU,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,KAAK,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACtE,GAAG,CAAC,KAAK,CAAC,KAAK,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAC7D,EACD,IAAI,CAAC,UAAU,CAChB,CAAC;QACF,MAAM,UAAU,GAAG,WAAW,EAAE,CAAC;QACjC,MAAM,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,kBAAkB,CAAC;YAC1C,KAAK,EAAE,SAAS,CAAC,UAAU,CAAC;YAC5B,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,YAAY,EAAE,KAAK,CAAC,YAAY;YAChC,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,GAAG,CAAC,KAAK,CAAC,UAAU,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,UAAU,EAAE,KAAK,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YAC3E,GAAG,CAAC,KAAK,CAAC,KAAK,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YAC5D,SAAS,EAAE,IAAI,CAAC,WAAW,EAAE,GAAG,IAAI,CAAC,WAAW;SACjD,CAAC,CAAC;QACH,OAAO;YACL,YAAY;YACZ,UAAU,EAAE,QAAQ;YACpB,UAAU,EAAE,IAAI,CAAC,UAAU;YAC3B,aAAa,EAAE,UAAU;YACzB,GAAG,CAAC,KAAK,CAAC,KAAK,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAC7D,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,MAAqB;QACtC,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,UAAU,EAAE,CAAC;QACnD,OAAO,IAAI,OAAO,CAAC,EAAE,GAAG,MAAM,EAAE,CAAC;aAC9B,kBAAkB,CAAC,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,CAAC;aAClD,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC;aAC9B,WAAW,EAAE;aACb,iBAAiB,CAAC,GAAG,IAAI,CAAC,WAAW,GAAG,CAAC;aACzC,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IAC1B,CAAC;IAED,KAAK,CAAC,cAAc,CAAC,KAAa;QAChC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC;QACvD,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,SAAS,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE,MAAM,EAAE,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;QACpF,IAAI,CAAC,eAAe,CAAC,OAAO,CAAC;YAAE,MAAM,IAAI,KAAK,CAAC,qBAAqB,CAAC,CAAC;QACtE,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,OAAO;QACL,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC;YACpB,IAAI,CAAC,SAAS,GAAG,iBAAiB,CAAC;gBACjC,MAAM,EAAE,IAAI,CAAC,OAAO,CAAC,MAAM;gBAC3B,WAAW,EAAE,IAAI,CAAC,QAAQ;aAC3B,CAAC,CAAC;QACL,CAAC;QACD,OAAO,IAAI,CAAC,SAAS,CAAC;IACxB,CAAC;IAED,mGAAmG;IACnG,QAAQ,GAAmC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,EAAE;QACjE,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC;QACvD,OAAO,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;IAC/B,CAAC,CAAC;IAEF,WAAW;QACT,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IACvC,CAAC;CACF;AAED,SAAS,eAAe,CAAC,OAAmB;IAC1C,OAAO,CACJ,OAA8B,CAAC,IAAI,KAAK,SAAS;QAClD,OAAQ,OAAkC,CAAC,QAAQ,KAAK,QAAQ;QAChE,OAAQ,OAAqC,CAAC,WAAW,KAAK,QAAQ;QACtE,OAAQ,OAAuC,CAAC,aAAa,KAAK,QAAQ;QAC1E,OAAQ,OAAkC,CAAC,QAAQ,KAAK,QAAQ;QAChE,OAAQ,OAAsC,CAAC,YAAY,KAAK,QAAQ,CACzE,CAAC;AACJ,CAAC;AAED,SAAS,MAAM,CAAC,GAAW;IACzB,IAAI,CAAC;QACH,OAAO,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;IAC3B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,GAAG,CAAC;IACb,CAAC;AACH,CAAC;AAED,SAAS,iBAAiB,CAAC,GAAW;IACpC,OAAO,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;AACpD,CAAC"}

package/node_modules/@noodle-borg/service/dist/oauth/store-postgres.d.ts

@@ -0,0 +1,29 @@
+import type { OAuthClientInformationFull } from '@modelcontextprotocol/sdk/shared/auth.js';
+import type { Pool } from 'pg';
+import type { AuthorizationCodeRecord, OAuthStore, PendingAuthorizationRecord, RefreshTokenRecord } from './store.js';
+/**
+ * Relational {@link OAuthStore} for the self-hosted authorization server (OA-2,
+ * [ADR 0042](../../../../docs/decisions/0042-self-hosted-oauth-authorization-server.md)). Shares the injected
+ * `pg.Pool` with {@link PostgresArtifactStore} so the AS state lives in the same strongly-consistent store
+ * that backs deployments — any Cloud Run instance can complete a flow another started.
+ *
+ * Single-use semantics are enforced in SQL: `DELETE … RETURNING` (codes, pending auth, refresh tokens) is
+ * row-atomic, so two concurrent redemptions of the same value yield exactly one winner; the loser gets zero
+ * rows. Expired rows are still deleted on consume (and returned as `undefined`), which doubles as cleanup.
+ */
+export declare class PostgresOAuthStore implements OAuthStore {
+    #private;
+    constructor(pool: Pool);
+    /** Create the OAuth tables if absent (idempotent). Run once at startup before serving AS endpoints. */
+    ensureSchema(): Promise<void>;
+    getClient(clientId: string): Promise<OAuthClientInformationFull | undefined>;
+    putClient(client: OAuthClientInformationFull): Promise<OAuthClientInformationFull>;
+    createPendingAuthorization(record: PendingAuthorizationRecord): Promise<void>;
+    consumePendingAuthorization(state: string): Promise<PendingAuthorizationRecord | undefined>;
+    createAuthorizationCode(record: AuthorizationCodeRecord): Promise<void>;
+    getAuthorizationCode(code: string): Promise<AuthorizationCodeRecord | undefined>;
+    redeemAuthorizationCode(code: string): Promise<AuthorizationCodeRecord | undefined>;
+    createRefreshToken(record: RefreshTokenRecord): Promise<void>;
+    consumeRefreshToken(token: string): Promise<RefreshTokenRecord | undefined>;
+}
+//# sourceMappingURL=store-postgres.d.ts.map

package/node_modules/@noodle-borg/service/dist/oauth/store-postgres.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"store-postgres.d.ts","sourceRoot":"","sources":["../../src/oauth/store-postgres.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,0BAA0B,EAAE,MAAM,0CAA0C,CAAC;AAC3F,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,IAAI,CAAC;AAC/B,OAAO,KAAK,EACV,uBAAuB,EACvB,UAAU,EACV,0BAA0B,EAC1B,kBAAkB,EACnB,MAAM,YAAY,CAAC;AAEpB;;;;;;;;;GASG;AACH,qBAAa,kBAAmB,YAAW,UAAU;;gBAGvC,IAAI,EAAE,IAAI;IAItB,uGAAuG;IACjG,YAAY,IAAI,OAAO,CAAC,IAAI,CAAC;IA8C7B,SAAS,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,0BAA0B,GAAG,SAAS,CAAC;IAQ5E,SAAS,CAAC,MAAM,EAAE,0BAA0B,GAAG,OAAO,CAAC,0BAA0B,CAAC;IASlF,0BAA0B,CAAC,MAAM,EAAE,0BAA0B,GAAG,OAAO,CAAC,IAAI,CAAC;IAkB7E,2BAA2B,CAC/B,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC,0BAA0B,GAAG,SAAS,CAAC;IAmB5C,uBAAuB,CAAC,MAAM,EAAE,uBAAuB,GAAG,OAAO,CAAC,IAAI,CAAC;IAmBvE,oBAAoB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,uBAAuB,GAAG,SAAS,CAAC;IAShF,uBAAuB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,uBAAuB,GAAG,SAAS,CAAC;IAUnF,kBAAkB,CAAC,MAAM,EAAE,kBAAkB,GAAG,OAAO,CAAC,IAAI,CAAC;IAiB7D,mBAAmB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,GAAG,SAAS,CAAC;CAiBlF"}