noodleseed-cli 0.1.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +176 -0
- package/dist/cli.d.ts +3 -0
- package/dist/cli.d.ts.map +1 -0
- package/dist/cli.js +625 -0
- package/dist/cli.js.map +1 -0
- package/dist/config.d.ts +52 -0
- package/dist/config.d.ts.map +1 -0
- package/dist/config.js +77 -0
- package/dist/config.js.map +1 -0
- package/dist/control-plane.d.ts +33 -0
- package/dist/control-plane.d.ts.map +1 -0
- package/dist/control-plane.js +223 -0
- package/dist/control-plane.js.map +1 -0
- package/dist/deploy.d.ts +62 -0
- package/dist/deploy.d.ts.map +1 -0
- package/dist/deploy.js +182 -0
- package/dist/deploy.js.map +1 -0
- package/dist/dev.d.ts +50 -0
- package/dist/dev.d.ts.map +1 -0
- package/dist/dev.js +223 -0
- package/dist/dev.js.map +1 -0
- package/dist/index.d.ts +6 -0
- package/dist/index.d.ts.map +1 -0
- package/dist/index.js +6 -0
- package/dist/index.js.map +1 -0
- package/dist/validate.d.ts +37 -0
- package/dist/validate.d.ts.map +1 -0
- package/dist/validate.js +46 -0
- package/dist/validate.js.map +1 -0
- package/node_modules/@noodle-borg/auth/dist/index.d.ts +14 -0
- package/node_modules/@noodle-borg/auth/dist/index.d.ts.map +1 -0
- package/node_modules/@noodle-borg/auth/dist/index.js +14 -0
- package/node_modules/@noodle-borg/auth/dist/index.js.map +1 -0
- package/node_modules/@noodle-borg/auth/dist/jwt-issuer.d.ts +21 -0
- package/node_modules/@noodle-borg/auth/dist/jwt-issuer.d.ts.map +1 -0
- package/node_modules/@noodle-borg/auth/dist/jwt-issuer.js +24 -0
- package/node_modules/@noodle-borg/auth/dist/jwt-issuer.js.map +1 -0
- package/node_modules/@noodle-borg/auth/dist/metadata.d.ts +27 -0
- package/node_modules/@noodle-borg/auth/dist/metadata.d.ts.map +1 -0
- package/node_modules/@noodle-borg/auth/dist/metadata.js +21 -0
- package/node_modules/@noodle-borg/auth/dist/metadata.js.map +1 -0
- package/node_modules/@noodle-borg/auth/dist/signer.d.ts +45 -0
- package/node_modules/@noodle-borg/auth/dist/signer.d.ts.map +1 -0
- package/node_modules/@noodle-borg/auth/dist/signer.js +47 -0
- package/node_modules/@noodle-borg/auth/dist/signer.js.map +1 -0
- package/node_modules/@noodle-borg/auth/dist/verify.d.ts +42 -0
- package/node_modules/@noodle-borg/auth/dist/verify.d.ts.map +1 -0
- package/node_modules/@noodle-borg/auth/dist/verify.js +48 -0
- package/node_modules/@noodle-borg/auth/dist/verify.js.map +1 -0
- package/node_modules/@noodle-borg/auth/package.json +27 -0
- package/node_modules/@noodle-borg/authoring/dist/index.d.ts +200 -0
- package/node_modules/@noodle-borg/authoring/dist/index.d.ts.map +1 -0
- package/node_modules/@noodle-borg/authoring/dist/index.js +504 -0
- package/node_modules/@noodle-borg/authoring/dist/index.js.map +1 -0
- package/node_modules/@noodle-borg/authoring/package.json +29 -0
- package/node_modules/@noodle-borg/compiler/dist/artifact/types.d.ts +203 -0
- package/node_modules/@noodle-borg/compiler/dist/artifact/types.d.ts.map +1 -0
- package/node_modules/@noodle-borg/compiler/dist/artifact/types.js +20 -0
- package/node_modules/@noodle-borg/compiler/dist/artifact/types.js.map +1 -0
- package/node_modules/@noodle-borg/compiler/dist/catalog/in-memory.d.ts +13 -0
- package/node_modules/@noodle-borg/compiler/dist/catalog/in-memory.d.ts.map +1 -0
- package/node_modules/@noodle-borg/compiler/dist/catalog/in-memory.js +19 -0
- package/node_modules/@noodle-borg/compiler/dist/catalog/in-memory.js.map +1 -0
- package/node_modules/@noodle-borg/compiler/dist/catalog/signature.d.ts +11 -0
- package/node_modules/@noodle-borg/compiler/dist/catalog/signature.d.ts.map +1 -0
- package/node_modules/@noodle-borg/compiler/dist/catalog/signature.js +31 -0
- package/node_modules/@noodle-borg/compiler/dist/catalog/signature.js.map +1 -0
- package/node_modules/@noodle-borg/compiler/dist/catalog/types.d.ts +43 -0
- package/node_modules/@noodle-borg/compiler/dist/catalog/types.d.ts.map +1 -0
- package/node_modules/@noodle-borg/compiler/dist/catalog/types.js +11 -0
- package/node_modules/@noodle-borg/compiler/dist/catalog/types.js.map +1 -0
- package/node_modules/@noodle-borg/compiler/dist/cli.d.ts +3 -0
- package/node_modules/@noodle-borg/compiler/dist/cli.d.ts.map +1 -0
- package/node_modules/@noodle-borg/compiler/dist/cli.js +19 -0
- package/node_modules/@noodle-borg/compiler/dist/cli.js.map +1 -0
- package/node_modules/@noodle-borg/compiler/dist/compile.d.ts +50 -0
- package/node_modules/@noodle-borg/compiler/dist/compile.d.ts.map +1 -0
- package/node_modules/@noodle-borg/compiler/dist/compile.js +719 -0
- package/node_modules/@noodle-borg/compiler/dist/compile.js.map +1 -0
- package/node_modules/@noodle-borg/compiler/dist/errors.d.ts +27 -0
- package/node_modules/@noodle-borg/compiler/dist/errors.d.ts.map +1 -0
- package/node_modules/@noodle-borg/compiler/dist/errors.js +2 -0
- package/node_modules/@noodle-borg/compiler/dist/errors.js.map +1 -0
- package/node_modules/@noodle-borg/compiler/dist/index.d.ts +13 -0
- package/node_modules/@noodle-borg/compiler/dist/index.d.ts.map +1 -0
- package/node_modules/@noodle-borg/compiler/dist/index.js +11 -0
- package/node_modules/@noodle-borg/compiler/dist/index.js.map +1 -0
- package/node_modules/@noodle-borg/compiler/dist/manifest/expression.d.ts +136 -0
- package/node_modules/@noodle-borg/compiler/dist/manifest/expression.d.ts.map +1 -0
- package/node_modules/@noodle-borg/compiler/dist/manifest/expression.js +552 -0
- package/node_modules/@noodle-borg/compiler/dist/manifest/expression.js.map +1 -0
- package/node_modules/@noodle-borg/compiler/dist/manifest/naming.d.ts +14 -0
- package/node_modules/@noodle-borg/compiler/dist/manifest/naming.d.ts.map +1 -0
- package/node_modules/@noodle-borg/compiler/dist/manifest/naming.js +18 -0
- package/node_modules/@noodle-borg/compiler/dist/manifest/naming.js.map +1 -0
- package/node_modules/@noodle-borg/compiler/dist/manifest/schema-refs.d.ts +24 -0
- package/node_modules/@noodle-borg/compiler/dist/manifest/schema-refs.d.ts.map +1 -0
- package/node_modules/@noodle-borg/compiler/dist/manifest/schema-refs.js +149 -0
- package/node_modules/@noodle-borg/compiler/dist/manifest/schema-refs.js.map +1 -0
- package/node_modules/@noodle-borg/compiler/dist/manifest/schema.d.ts +97 -0
- package/node_modules/@noodle-borg/compiler/dist/manifest/schema.d.ts.map +1 -0
- package/node_modules/@noodle-borg/compiler/dist/manifest/schema.js +157 -0
- package/node_modules/@noodle-borg/compiler/dist/manifest/schema.js.map +1 -0
- package/node_modules/@noodle-borg/compiler/dist/schema-export.d.ts +6 -0
- package/node_modules/@noodle-borg/compiler/dist/schema-export.d.ts.map +1 -0
- package/node_modules/@noodle-borg/compiler/dist/schema-export.js +28 -0
- package/node_modules/@noodle-borg/compiler/dist/schema-export.js.map +1 -0
- package/node_modules/@noodle-borg/compiler/dist/suggest.d.ts +41 -0
- package/node_modules/@noodle-borg/compiler/dist/suggest.d.ts.map +1 -0
- package/node_modules/@noodle-borg/compiler/dist/suggest.js +105 -0
- package/node_modules/@noodle-borg/compiler/dist/suggest.js.map +1 -0
- package/node_modules/@noodle-borg/compiler/dist/uri-template.d.ts +33 -0
- package/node_modules/@noodle-borg/compiler/dist/uri-template.d.ts.map +1 -0
- package/node_modules/@noodle-borg/compiler/dist/uri-template.js +83 -0
- package/node_modules/@noodle-borg/compiler/dist/uri-template.js.map +1 -0
- package/node_modules/@noodle-borg/compiler/package.json +32 -0
- package/node_modules/@noodle-borg/compute/dist/code-connector.d.ts +45 -0
- package/node_modules/@noodle-borg/compute/dist/code-connector.d.ts.map +1 -0
- package/node_modules/@noodle-borg/compute/dist/code-connector.js +53 -0
- package/node_modules/@noodle-borg/compute/dist/code-connector.js.map +1 -0
- package/node_modules/@noodle-borg/compute/dist/engine.d.ts +73 -0
- package/node_modules/@noodle-borg/compute/dist/engine.d.ts.map +1 -0
- package/node_modules/@noodle-borg/compute/dist/engine.js +31 -0
- package/node_modules/@noodle-borg/compute/dist/engine.js.map +1 -0
- package/node_modules/@noodle-borg/compute/dist/index.d.ts +4 -0
- package/node_modules/@noodle-borg/compute/dist/index.d.ts.map +1 -0
- package/node_modules/@noodle-borg/compute/dist/index.js +4 -0
- package/node_modules/@noodle-borg/compute/dist/index.js.map +1 -0
- package/node_modules/@noodle-borg/compute/dist/quickjs-engine.d.ts +31 -0
- package/node_modules/@noodle-borg/compute/dist/quickjs-engine.d.ts.map +1 -0
- package/node_modules/@noodle-borg/compute/dist/quickjs-engine.js +271 -0
- package/node_modules/@noodle-borg/compute/dist/quickjs-engine.js.map +1 -0
- package/node_modules/@noodle-borg/compute/package.json +29 -0
- package/node_modules/@noodle-borg/connector-defs/dist/compile.d.ts +46 -0
- package/node_modules/@noodle-borg/connector-defs/dist/compile.d.ts.map +1 -0
- package/node_modules/@noodle-borg/connector-defs/dist/compile.js +289 -0
- package/node_modules/@noodle-borg/connector-defs/dist/compile.js.map +1 -0
- package/node_modules/@noodle-borg/connector-defs/dist/index.d.ts +3 -0
- package/node_modules/@noodle-borg/connector-defs/dist/index.d.ts.map +1 -0
- package/node_modules/@noodle-borg/connector-defs/dist/index.js +3 -0
- package/node_modules/@noodle-borg/connector-defs/dist/index.js.map +1 -0
- package/node_modules/@noodle-borg/connector-defs/dist/schema.d.ts +332 -0
- package/node_modules/@noodle-borg/connector-defs/dist/schema.d.ts.map +1 -0
- package/node_modules/@noodle-borg/connector-defs/dist/schema.js +105 -0
- package/node_modules/@noodle-borg/connector-defs/dist/schema.js.map +1 -0
- package/node_modules/@noodle-borg/connector-defs/package.json +32 -0
- package/node_modules/@noodle-borg/connector-http/dist/http-connector.d.ts +86 -0
- package/node_modules/@noodle-borg/connector-http/dist/http-connector.d.ts.map +1 -0
- package/node_modules/@noodle-borg/connector-http/dist/http-connector.js +138 -0
- package/node_modules/@noodle-borg/connector-http/dist/http-connector.js.map +1 -0
- package/node_modules/@noodle-borg/connector-http/dist/index.d.ts +3 -0
- package/node_modules/@noodle-borg/connector-http/dist/index.d.ts.map +1 -0
- package/node_modules/@noodle-borg/connector-http/dist/index.js +3 -0
- package/node_modules/@noodle-borg/connector-http/dist/index.js.map +1 -0
- package/node_modules/@noodle-borg/connector-http/dist/ssrf.d.ts +45 -0
- package/node_modules/@noodle-borg/connector-http/dist/ssrf.d.ts.map +1 -0
- package/node_modules/@noodle-borg/connector-http/dist/ssrf.js +57 -0
- package/node_modules/@noodle-borg/connector-http/dist/ssrf.js.map +1 -0
- package/node_modules/@noodle-borg/connector-http/package.json +30 -0
- package/node_modules/@noodle-borg/protocol/dist/adapter.d.ts +73 -0
- package/node_modules/@noodle-borg/protocol/dist/adapter.d.ts.map +1 -0
- package/node_modules/@noodle-borg/protocol/dist/adapter.js +2 -0
- package/node_modules/@noodle-borg/protocol/dist/adapter.js.map +1 -0
- package/node_modules/@noodle-borg/protocol/dist/adapters/mcp-2025-11-25.d.ts +19 -0
- package/node_modules/@noodle-borg/protocol/dist/adapters/mcp-2025-11-25.d.ts.map +1 -0
- package/node_modules/@noodle-borg/protocol/dist/adapters/mcp-2025-11-25.js +34 -0
- package/node_modules/@noodle-borg/protocol/dist/adapters/mcp-2025-11-25.js.map +1 -0
- package/node_modules/@noodle-borg/protocol/dist/index.d.ts +5 -0
- package/node_modules/@noodle-borg/protocol/dist/index.d.ts.map +1 -0
- package/node_modules/@noodle-borg/protocol/dist/index.js +5 -0
- package/node_modules/@noodle-borg/protocol/dist/index.js.map +1 -0
- package/node_modules/@noodle-borg/protocol/dist/jsonrpc.d.ts +19 -0
- package/node_modules/@noodle-borg/protocol/dist/jsonrpc.d.ts.map +1 -0
- package/node_modules/@noodle-borg/protocol/dist/jsonrpc.js +14 -0
- package/node_modules/@noodle-borg/protocol/dist/jsonrpc.js.map +1 -0
- package/node_modules/@noodle-borg/protocol/dist/mapping.d.ts +133 -0
- package/node_modules/@noodle-borg/protocol/dist/mapping.d.ts.map +1 -0
- package/node_modules/@noodle-borg/protocol/dist/mapping.js +181 -0
- package/node_modules/@noodle-borg/protocol/dist/mapping.js.map +1 -0
- package/node_modules/@noodle-borg/protocol/dist/negotiate.d.ts +13 -0
- package/node_modules/@noodle-borg/protocol/dist/negotiate.d.ts.map +1 -0
- package/node_modules/@noodle-borg/protocol/dist/negotiate.js +18 -0
- package/node_modules/@noodle-borg/protocol/dist/negotiate.js.map +1 -0
- package/node_modules/@noodle-borg/protocol/dist/registry.d.ts +17 -0
- package/node_modules/@noodle-borg/protocol/dist/registry.d.ts.map +1 -0
- package/node_modules/@noodle-borg/protocol/dist/registry.js +33 -0
- package/node_modules/@noodle-borg/protocol/dist/registry.js.map +1 -0
- package/node_modules/@noodle-borg/protocol/dist/sdk-server.d.ts +22 -0
- package/node_modules/@noodle-borg/protocol/dist/sdk-server.d.ts.map +1 -0
- package/node_modules/@noodle-borg/protocol/dist/sdk-server.js +91 -0
- package/node_modules/@noodle-borg/protocol/dist/sdk-server.js.map +1 -0
- package/node_modules/@noodle-borg/protocol/dist/server.d.ts +38 -0
- package/node_modules/@noodle-borg/protocol/dist/server.d.ts.map +1 -0
- package/node_modules/@noodle-borg/protocol/dist/server.js +89 -0
- package/node_modules/@noodle-borg/protocol/dist/server.js.map +1 -0
- package/node_modules/@noodle-borg/protocol/dist/stateless.d.ts +14 -0
- package/node_modules/@noodle-borg/protocol/dist/stateless.d.ts.map +1 -0
- package/node_modules/@noodle-borg/protocol/dist/stateless.js +28 -0
- package/node_modules/@noodle-borg/protocol/dist/stateless.js.map +1 -0
- package/node_modules/@noodle-borg/protocol/dist/widget/bootstrap.d.ts +24 -0
- package/node_modules/@noodle-borg/protocol/dist/widget/bootstrap.d.ts.map +1 -0
- package/node_modules/@noodle-borg/protocol/dist/widget/bootstrap.js +165 -0
- package/node_modules/@noodle-borg/protocol/dist/widget/bootstrap.js.map +1 -0
- package/node_modules/@noodle-borg/protocol/dist/widget/ext-apps-bundle.d.ts +4 -0
- package/node_modules/@noodle-borg/protocol/dist/widget/ext-apps-bundle.d.ts.map +1 -0
- package/node_modules/@noodle-borg/protocol/dist/widget/ext-apps-bundle.js +10 -0
- package/node_modules/@noodle-borg/protocol/dist/widget/ext-apps-bundle.js.map +1 -0
- package/node_modules/@noodle-borg/protocol/dist/widget/inject.d.ts +8 -0
- package/node_modules/@noodle-borg/protocol/dist/widget/inject.d.ts.map +1 -0
- package/node_modules/@noodle-borg/protocol/dist/widget/inject.js +36 -0
- package/node_modules/@noodle-borg/protocol/dist/widget/inject.js.map +1 -0
- package/node_modules/@noodle-borg/protocol/package.json +29 -0
- package/node_modules/@noodle-borg/runtime/dist/broker/map.d.ts +29 -0
- package/node_modules/@noodle-borg/runtime/dist/broker/map.d.ts.map +1 -0
- package/node_modules/@noodle-borg/runtime/dist/broker/map.js +38 -0
- package/node_modules/@noodle-borg/runtime/dist/broker/map.js.map +1 -0
- package/node_modules/@noodle-borg/runtime/dist/broker/secret-box.d.ts +103 -0
- package/node_modules/@noodle-borg/runtime/dist/broker/secret-box.d.ts.map +1 -0
- package/node_modules/@noodle-borg/runtime/dist/broker/secret-box.js +118 -0
- package/node_modules/@noodle-borg/runtime/dist/broker/secret-box.js.map +1 -0
- package/node_modules/@noodle-borg/runtime/dist/broker/static.d.ts +12 -0
- package/node_modules/@noodle-borg/runtime/dist/broker/static.d.ts.map +1 -0
- package/node_modules/@noodle-borg/runtime/dist/broker/static.js +15 -0
- package/node_modules/@noodle-borg/runtime/dist/broker/static.js.map +1 -0
- package/node_modules/@noodle-borg/runtime/dist/broker/types.d.ts +28 -0
- package/node_modules/@noodle-borg/runtime/dist/broker/types.d.ts.map +1 -0
- package/node_modules/@noodle-borg/runtime/dist/broker/types.js +2 -0
- package/node_modules/@noodle-borg/runtime/dist/broker/types.js.map +1 -0
- package/node_modules/@noodle-borg/runtime/dist/connector/in-memory.d.ts +29 -0
- package/node_modules/@noodle-borg/runtime/dist/connector/in-memory.d.ts.map +1 -0
- package/node_modules/@noodle-borg/runtime/dist/connector/in-memory.js +37 -0
- package/node_modules/@noodle-borg/runtime/dist/connector/in-memory.js.map +1 -0
- package/node_modules/@noodle-borg/runtime/dist/connector/types.d.ts +41 -0
- package/node_modules/@noodle-borg/runtime/dist/connector/types.d.ts.map +1 -0
- package/node_modules/@noodle-borg/runtime/dist/connector/types.js +2 -0
- package/node_modules/@noodle-borg/runtime/dist/connector/types.js.map +1 -0
- package/node_modules/@noodle-borg/runtime/dist/eval/evaluate.d.ts +39 -0
- package/node_modules/@noodle-borg/runtime/dist/eval/evaluate.d.ts.map +1 -0
- package/node_modules/@noodle-borg/runtime/dist/eval/evaluate.js +117 -0
- package/node_modules/@noodle-borg/runtime/dist/eval/evaluate.js.map +1 -0
- package/node_modules/@noodle-borg/runtime/dist/execute.d.ts +47 -0
- package/node_modules/@noodle-borg/runtime/dist/execute.d.ts.map +1 -0
- package/node_modules/@noodle-borg/runtime/dist/execute.js +297 -0
- package/node_modules/@noodle-borg/runtime/dist/execute.js.map +1 -0
- package/node_modules/@noodle-borg/runtime/dist/index.d.ts +12 -0
- package/node_modules/@noodle-borg/runtime/dist/index.d.ts.map +1 -0
- package/node_modules/@noodle-borg/runtime/dist/index.js +8 -0
- package/node_modules/@noodle-borg/runtime/dist/index.js.map +1 -0
- package/node_modules/@noodle-borg/runtime/dist/policy/allow-all.d.ts +10 -0
- package/node_modules/@noodle-borg/runtime/dist/policy/allow-all.d.ts.map +1 -0
- package/node_modules/@noodle-borg/runtime/dist/policy/allow-all.js +13 -0
- package/node_modules/@noodle-borg/runtime/dist/policy/allow-all.js.map +1 -0
- package/node_modules/@noodle-borg/runtime/dist/policy/types.d.ts +25 -0
- package/node_modules/@noodle-borg/runtime/dist/policy/types.d.ts.map +1 -0
- package/node_modules/@noodle-borg/runtime/dist/policy/types.js +2 -0
- package/node_modules/@noodle-borg/runtime/dist/policy/types.js.map +1 -0
- package/node_modules/@noodle-borg/runtime/dist/result.d.ts +19 -0
- package/node_modules/@noodle-borg/runtime/dist/result.d.ts.map +1 -0
- package/node_modules/@noodle-borg/runtime/dist/result.js +2 -0
- package/node_modules/@noodle-borg/runtime/dist/result.js.map +1 -0
- package/node_modules/@noodle-borg/runtime/package.json +27 -0
- package/node_modules/@noodle-borg/service/dist/auth/deploy-gate.d.ts +48 -0
- package/node_modules/@noodle-borg/service/dist/auth/deploy-gate.d.ts.map +1 -0
- package/node_modules/@noodle-borg/service/dist/auth/deploy-gate.js +79 -0
- package/node_modules/@noodle-borg/service/dist/auth/deploy-gate.js.map +1 -0
- package/node_modules/@noodle-borg/service/dist/index.d.ts +7 -0
- package/node_modules/@noodle-borg/service/dist/index.d.ts.map +1 -0
- package/node_modules/@noodle-borg/service/dist/index.js +7 -0
- package/node_modules/@noodle-borg/service/dist/index.js.map +1 -0
- package/node_modules/@noodle-borg/service/dist/main.d.ts +3 -0
- package/node_modules/@noodle-borg/service/dist/main.d.ts.map +1 -0
- package/node_modules/@noodle-borg/service/dist/main.js +171 -0
- package/node_modules/@noodle-borg/service/dist/main.js.map +1 -0
- package/node_modules/@noodle-borg/service/dist/oauth/app.d.ts +14 -0
- package/node_modules/@noodle-borg/service/dist/oauth/app.d.ts.map +1 -0
- package/node_modules/@noodle-borg/service/dist/oauth/app.js +48 -0
- package/node_modules/@noodle-borg/service/dist/oauth/app.js.map +1 -0
- package/node_modules/@noodle-borg/service/dist/oauth/consent.d.ts +18 -0
- package/node_modules/@noodle-borg/service/dist/oauth/consent.d.ts.map +1 -0
- package/node_modules/@noodle-borg/service/dist/oauth/consent.js +55 -0
- package/node_modules/@noodle-borg/service/dist/oauth/consent.js.map +1 -0
- package/node_modules/@noodle-borg/service/dist/oauth/google.d.ts +31 -0
- package/node_modules/@noodle-borg/service/dist/oauth/google.d.ts.map +1 -0
- package/node_modules/@noodle-borg/service/dist/oauth/google.js +39 -0
- package/node_modules/@noodle-borg/service/dist/oauth/google.js.map +1 -0
- package/node_modules/@noodle-borg/service/dist/oauth/paths.d.ts +3 -0
- package/node_modules/@noodle-borg/service/dist/oauth/paths.d.ts.map +1 -0
- package/node_modules/@noodle-borg/service/dist/oauth/paths.js +19 -0
- package/node_modules/@noodle-borg/service/dist/oauth/paths.js.map +1 -0
- package/node_modules/@noodle-borg/service/dist/oauth/provider.d.ts +61 -0
- package/node_modules/@noodle-borg/service/dist/oauth/provider.d.ts.map +1 -0
- package/node_modules/@noodle-borg/service/dist/oauth/provider.js +313 -0
- package/node_modules/@noodle-borg/service/dist/oauth/provider.js.map +1 -0
- package/node_modules/@noodle-borg/service/dist/oauth/store-postgres.d.ts +29 -0
- package/node_modules/@noodle-borg/service/dist/oauth/store-postgres.d.ts.map +1 -0
- package/node_modules/@noodle-borg/service/dist/oauth/store-postgres.js +176 -0
- package/node_modules/@noodle-borg/service/dist/oauth/store-postgres.js.map +1 -0
- package/node_modules/@noodle-borg/service/dist/oauth/store.d.ts +85 -0
- package/node_modules/@noodle-borg/service/dist/oauth/store.d.ts.map +1 -0
- package/node_modules/@noodle-borg/service/dist/oauth/store.js +57 -0
- package/node_modules/@noodle-borg/service/dist/oauth/store.js.map +1 -0
- package/node_modules/@noodle-borg/service/dist/oauth/tokens.d.ts +8 -0
- package/node_modules/@noodle-borg/service/dist/oauth/tokens.d.ts.map +1 -0
- package/node_modules/@noodle-borg/service/dist/oauth/tokens.js +13 -0
- package/node_modules/@noodle-borg/service/dist/oauth/tokens.js.map +1 -0
- package/node_modules/@noodle-borg/service/dist/secret/kms-master-key.d.ts +36 -0
- package/node_modules/@noodle-borg/service/dist/secret/kms-master-key.d.ts.map +1 -0
- package/node_modules/@noodle-borg/service/dist/secret/kms-master-key.js +51 -0
- package/node_modules/@noodle-borg/service/dist/secret/kms-master-key.js.map +1 -0
- package/node_modules/@noodle-borg/service/dist/service.d.ts +221 -0
- package/node_modules/@noodle-borg/service/dist/service.d.ts.map +1 -0
- package/node_modules/@noodle-borg/service/dist/service.js +1163 -0
- package/node_modules/@noodle-borg/service/dist/service.js.map +1 -0
- package/node_modules/@noodle-borg/service/dist/store/cloudsql-pool.d.ts +34 -0
- package/node_modules/@noodle-borg/service/dist/store/cloudsql-pool.d.ts.map +1 -0
- package/node_modules/@noodle-borg/service/dist/store/cloudsql-pool.js +38 -0
- package/node_modules/@noodle-borg/service/dist/store/cloudsql-pool.js.map +1 -0
- package/node_modules/@noodle-borg/service/dist/store/postgres.d.ts +56 -0
- package/node_modules/@noodle-borg/service/dist/store/postgres.d.ts.map +1 -0
- package/node_modules/@noodle-borg/service/dist/store/postgres.js +372 -0
- package/node_modules/@noodle-borg/service/dist/store/postgres.js.map +1 -0
- package/node_modules/@noodle-borg/service/dist/store.d.ts +192 -0
- package/node_modules/@noodle-borg/service/dist/store.d.ts.map +1 -0
- package/node_modules/@noodle-borg/service/dist/store.js +230 -0
- package/node_modules/@noodle-borg/service/dist/store.js.map +1 -0
- package/node_modules/@noodle-borg/service/package.json +44 -0
- package/node_modules/@noodle-borg/transport-http/dist/caller-auth.d.ts +15 -0
- package/node_modules/@noodle-borg/transport-http/dist/caller-auth.d.ts.map +1 -0
- package/node_modules/@noodle-borg/transport-http/dist/caller-auth.js +38 -0
- package/node_modules/@noodle-borg/transport-http/dist/caller-auth.js.map +1 -0
- package/node_modules/@noodle-borg/transport-http/dist/examples/serve-demo.d.ts +2 -0
- package/node_modules/@noodle-borg/transport-http/dist/examples/serve-demo.d.ts.map +1 -0
- package/node_modules/@noodle-borg/transport-http/dist/examples/serve-demo.js +129 -0
- package/node_modules/@noodle-borg/transport-http/dist/examples/serve-demo.js.map +1 -0
- package/node_modules/@noodle-borg/transport-http/dist/front-door.d.ts +46 -0
- package/node_modules/@noodle-borg/transport-http/dist/front-door.d.ts.map +1 -0
- package/node_modules/@noodle-borg/transport-http/dist/front-door.js +75 -0
- package/node_modules/@noodle-borg/transport-http/dist/front-door.js.map +1 -0
- package/node_modules/@noodle-borg/transport-http/dist/handler.d.ts +142 -0
- package/node_modules/@noodle-borg/transport-http/dist/handler.d.ts.map +1 -0
- package/node_modules/@noodle-borg/transport-http/dist/handler.js +387 -0
- package/node_modules/@noodle-borg/transport-http/dist/handler.js.map +1 -0
- package/node_modules/@noodle-borg/transport-http/dist/index.d.ts +6 -0
- package/node_modules/@noodle-borg/transport-http/dist/index.d.ts.map +1 -0
- package/node_modules/@noodle-borg/transport-http/dist/index.js +6 -0
- package/node_modules/@noodle-borg/transport-http/dist/index.js.map +1 -0
- package/node_modules/@noodle-borg/transport-http/dist/logging.d.ts +41 -0
- package/node_modules/@noodle-borg/transport-http/dist/logging.d.ts.map +1 -0
- package/node_modules/@noodle-borg/transport-http/dist/logging.js +71 -0
- package/node_modules/@noodle-borg/transport-http/dist/logging.js.map +1 -0
- package/node_modules/@noodle-borg/transport-http/dist/serve.d.ts +22 -0
- package/node_modules/@noodle-borg/transport-http/dist/serve.d.ts.map +1 -0
- package/node_modules/@noodle-borg/transport-http/dist/serve.js +25 -0
- package/node_modules/@noodle-borg/transport-http/dist/serve.js.map +1 -0
- package/node_modules/@noodle-borg/transport-http/package.json +30 -0
- package/package.json +78 -0
|
@@ -0,0 +1,387 @@
|
|
|
1
|
+
import { handleStatelessHttp, JSON_RPC } from '@noodle-borg/protocol';
|
|
2
|
+
import { bearerToken, CALLER_REALM, verifyCallerKey } from './caller-auth.js';
|
|
3
|
+
import { applySecurityHeaders, effectiveProto, enforceHttps, } from './front-door.js';
|
|
4
|
+
import { noopLogger } from './logging.js';
|
|
5
|
+
const DEFAULT_ENDPOINT = '/mcp';
|
|
6
|
+
const DEFAULT_MAX_BODY = 1 << 20;
|
|
7
|
+
/**
|
|
8
|
+
* Build a `node:http` request listener that serves one {@link ServedArtifact} over the MCP **Streamable
|
|
9
|
+
* HTTP** transport (the remote transport). This is the security/HTTP front-door: it validates origin,
|
|
10
|
+
* method, content negotiation, and body size, then hands the parsed JSON-RPC body to the official
|
|
11
|
+
* `@modelcontextprotocol/sdk` stateless transport ([ADR 0021]), which owns framing and version
|
|
12
|
+
* negotiation. It is **stateless** — no `MCP-Session-Id` is issued. Server-initiated streaming (SSE)
|
|
13
|
+
* is not offered, so `GET` returns `405`.
|
|
14
|
+
*/
|
|
15
|
+
export function createMcpHttpHandler(target, options = {}) {
|
|
16
|
+
const endpoint = options.endpoint ?? DEFAULT_ENDPOINT;
|
|
17
|
+
const maxBody = options.maxBodyBytes ?? DEFAULT_MAX_BODY;
|
|
18
|
+
const logger = options.logger ?? noopLogger;
|
|
19
|
+
const tls = options.tls ?? {};
|
|
20
|
+
return (req, res) => {
|
|
21
|
+
const start = Date.now();
|
|
22
|
+
applySecurityHeaders(res, tls);
|
|
23
|
+
if (enforceHttps(req, res, tls)) {
|
|
24
|
+
logRequest(logger, 'single', req, res, start);
|
|
25
|
+
return;
|
|
26
|
+
}
|
|
27
|
+
const url = new URL(req.url ?? '/', 'http://localhost');
|
|
28
|
+
if (url.pathname !== endpoint) {
|
|
29
|
+
sendJson(res, 404, rpcError(JSON_RPC.INVALID_REQUEST, 'not found'));
|
|
30
|
+
logRequest(logger, 'single', req, res, start);
|
|
31
|
+
return;
|
|
32
|
+
}
|
|
33
|
+
void guard(res, serveRequest(req, res, target, {
|
|
34
|
+
callerKeyHash: options.callerKeyHash,
|
|
35
|
+
accessMode: undefined,
|
|
36
|
+
ownerSubject: undefined,
|
|
37
|
+
org: undefined,
|
|
38
|
+
verifyOwnerToken: options.verifyOwnerToken,
|
|
39
|
+
authorizeDataPlaneIdentity: options.authorizeDataPlaneIdentity,
|
|
40
|
+
verifyCallerKeyForTenant: options.verifyCallerKeyForTenant,
|
|
41
|
+
admissionGate: options.admissionGate,
|
|
42
|
+
logger,
|
|
43
|
+
trustProxy: tls.trustProxy ?? false,
|
|
44
|
+
}, 'single', maxBody, options.allowedOrigins)).then(() => logRequest(logger, 'single', req, res, start));
|
|
45
|
+
};
|
|
46
|
+
}
|
|
47
|
+
const SERVER_PATH = /^\/([^/]+)\/mcp$/;
|
|
48
|
+
const TENANT_PROD_PATH = /^\/o\/([^/]+)\/([^/]+)\/mcp$/;
|
|
49
|
+
const TENANT_ENV_PATH = /^\/o\/([^/]+)\/([^/]+)\/([^/]+)\/mcp$/;
|
|
50
|
+
/**
|
|
51
|
+
* Build a `node:http` request listener that serves **many** tenants over MCP Streamable HTTP, routing
|
|
52
|
+
* by tenant paths. Each request reuses the same stateless pipeline as
|
|
53
|
+
* {@link createMcpHttpHandler}; an unknown path or unknown server id returns `404`.
|
|
54
|
+
*/
|
|
55
|
+
export function createMcpRouter(lookup, options = {}) {
|
|
56
|
+
const maxBody = options.maxBodyBytes ?? DEFAULT_MAX_BODY;
|
|
57
|
+
const logger = options.logger ?? noopLogger;
|
|
58
|
+
const tls = options.tls ?? {};
|
|
59
|
+
return (req, res) => {
|
|
60
|
+
const start = Date.now();
|
|
61
|
+
applySecurityHeaders(res, tls);
|
|
62
|
+
if (enforceHttps(req, res, tls)) {
|
|
63
|
+
logRequest(logger, '?', req, res, start);
|
|
64
|
+
return;
|
|
65
|
+
}
|
|
66
|
+
const url = new URL(req.url ?? '/', 'http://localhost');
|
|
67
|
+
const route = parseRoute(url.pathname);
|
|
68
|
+
// The resolver is async (it may point-read the store + recompile on a cache miss — ADR 0036). A
|
|
69
|
+
// resolved `undefined` (no such server) is a `404`; a resolver throw (store/compile error) falls
|
|
70
|
+
// through to `guard`'s `500`. Caller-key auth is still checked inside `serveRequest`, after resolution.
|
|
71
|
+
void guard(res, (async () => {
|
|
72
|
+
const target = route?.kind === 'tenant' && options.tenantLookup
|
|
73
|
+
? await options.tenantLookup(route.ref)
|
|
74
|
+
: route?.kind === 'deployment'
|
|
75
|
+
? await lookup(route.deploymentId)
|
|
76
|
+
: undefined;
|
|
77
|
+
if (!target) {
|
|
78
|
+
sendJson(res, 404, rpcError(JSON_RPC.INVALID_REQUEST, 'not found'));
|
|
79
|
+
return;
|
|
80
|
+
}
|
|
81
|
+
const routeId = route?.kind === 'tenant'
|
|
82
|
+
? route.logId
|
|
83
|
+
: route?.kind === 'deployment'
|
|
84
|
+
? route.deploymentId
|
|
85
|
+
: '?';
|
|
86
|
+
const tenant = route?.kind === 'tenant' ? route.ref : undefined;
|
|
87
|
+
await serveRequest(req, res, target.served, {
|
|
88
|
+
callerKeyHash: target.callerKeyHash,
|
|
89
|
+
accessMode: target.accessMode,
|
|
90
|
+
ownerSubject: target.ownerSubject,
|
|
91
|
+
org: target.org,
|
|
92
|
+
verifyOwnerToken: options.verifyOwnerToken,
|
|
93
|
+
authorizeDataPlaneIdentity: options.authorizeDataPlaneIdentity,
|
|
94
|
+
verifyCallerKeyForTenant: options.verifyCallerKeyForTenant,
|
|
95
|
+
admissionGate: options.admissionGate,
|
|
96
|
+
logger,
|
|
97
|
+
trustProxy: tls.trustProxy ?? false,
|
|
98
|
+
}, routeId, maxBody, options.allowedOrigins, tenant);
|
|
99
|
+
})()).then(() => logRequest(logger, route?.logId ?? '?', req, res, start));
|
|
100
|
+
};
|
|
101
|
+
}
|
|
102
|
+
function parseRoute(pathname) {
|
|
103
|
+
const tenantEnv = TENANT_ENV_PATH.exec(pathname);
|
|
104
|
+
if (tenantEnv) {
|
|
105
|
+
const org = safeDecode(tenantEnv[1]);
|
|
106
|
+
const app = safeDecode(tenantEnv[2]);
|
|
107
|
+
const env = safeDecode(tenantEnv[3]);
|
|
108
|
+
if (org === null || app === null || env === null)
|
|
109
|
+
return null;
|
|
110
|
+
return { kind: 'tenant', ref: { org, app, env }, logId: `${org}/${app}/${env}` };
|
|
111
|
+
}
|
|
112
|
+
const tenantProd = TENANT_PROD_PATH.exec(pathname);
|
|
113
|
+
if (tenantProd) {
|
|
114
|
+
const org = safeDecode(tenantProd[1]);
|
|
115
|
+
const app = safeDecode(tenantProd[2]);
|
|
116
|
+
if (org === null || app === null)
|
|
117
|
+
return null;
|
|
118
|
+
return { kind: 'tenant', ref: { org, app, env: 'prod' }, logId: `${org}/${app}/prod` };
|
|
119
|
+
}
|
|
120
|
+
const deployment = SERVER_PATH.exec(pathname);
|
|
121
|
+
if (deployment) {
|
|
122
|
+
const deploymentId = safeDecode(deployment[1]);
|
|
123
|
+
if (deploymentId === null)
|
|
124
|
+
return null;
|
|
125
|
+
return { kind: 'deployment', deploymentId, logId: deploymentId };
|
|
126
|
+
}
|
|
127
|
+
return null;
|
|
128
|
+
}
|
|
129
|
+
/**
|
|
130
|
+
* Emit one `mcp.request` lifecycle line. Only safe scalars (id, method, status, latency) — never the
|
|
131
|
+
* Authorization header, caller key, body, or JSON-RPC params.
|
|
132
|
+
*/
|
|
133
|
+
function logRequest(logger, routeId, req, res, start) {
|
|
134
|
+
logger.info('mcp.request', {
|
|
135
|
+
serverId: routeId,
|
|
136
|
+
method: req.method ?? 'UNKNOWN',
|
|
137
|
+
status: res.statusCode,
|
|
138
|
+
latencyMs: Date.now() - start,
|
|
139
|
+
});
|
|
140
|
+
}
|
|
141
|
+
function safeDecode(value) {
|
|
142
|
+
try {
|
|
143
|
+
return decodeURIComponent(value);
|
|
144
|
+
}
|
|
145
|
+
catch {
|
|
146
|
+
return null;
|
|
147
|
+
}
|
|
148
|
+
}
|
|
149
|
+
function guard(res, fn) {
|
|
150
|
+
return fn.catch(() => {
|
|
151
|
+
if (!res.headersSent)
|
|
152
|
+
sendJson(res, 500, rpcError(JSON_RPC.INTERNAL_ERROR, 'internal error'));
|
|
153
|
+
});
|
|
154
|
+
}
|
|
155
|
+
/**
|
|
156
|
+
* The shared, stateless front-door (origin → method → auth → content-type → accept → body) for one resolved
|
|
157
|
+
* tenant. After the guards pass, the parsed JSON-RPC body is handed to the SDK transport, which writes
|
|
158
|
+
* the full response (including `202` for a notification). Path matching is done by the caller.
|
|
159
|
+
*/
|
|
160
|
+
async function serveRequest(req, res, target, auth, routeId, maxBody, allowed, tenant) {
|
|
161
|
+
const origin = header(req, 'origin');
|
|
162
|
+
if (origin !== undefined && !originAllowed(origin, allowed)) {
|
|
163
|
+
return sendJson(res, 403, rpcError(JSON_RPC.INVALID_REQUEST, 'origin not allowed'));
|
|
164
|
+
}
|
|
165
|
+
if (req.method !== 'POST') {
|
|
166
|
+
// No server-initiated SSE stream this phase: GET/DELETE/other are not allowed.
|
|
167
|
+
res.setHeader('Allow', 'POST');
|
|
168
|
+
return sendJson(res, 405, rpcError(JSON_RPC.INVALID_REQUEST, 'method not allowed'));
|
|
169
|
+
}
|
|
170
|
+
// Auth gate, before reading the body so an unauthenticated caller never has its payload buffered and the
|
|
171
|
+
// SDK transport is never constructed for it. Modes: shared per-server caller key (default), or
|
|
172
|
+
// identity-based OAuth access where a verified token is checked against the deployment's access policy.
|
|
173
|
+
if (isIdentityMode(auth.accessMode)) {
|
|
174
|
+
if (await denyIdentityMode(req, res, auth))
|
|
175
|
+
return;
|
|
176
|
+
}
|
|
177
|
+
else if (tenant !== undefined && auth.verifyCallerKeyForTenant !== undefined) {
|
|
178
|
+
if (!(await auth.verifyCallerKeyForTenant({
|
|
179
|
+
tenant,
|
|
180
|
+
token: bearerToken(req),
|
|
181
|
+
cachedCallerKeyHash: auth.callerKeyHash,
|
|
182
|
+
}))) {
|
|
183
|
+
return sendUnauthorized(res);
|
|
184
|
+
}
|
|
185
|
+
}
|
|
186
|
+
else if (auth.callerKeyHash !== undefined) {
|
|
187
|
+
if (!verifyCallerKey(bearerToken(req), auth.callerKeyHash))
|
|
188
|
+
return sendUnauthorized(res);
|
|
189
|
+
}
|
|
190
|
+
// Content negotiation (Accept / Content-Type) is owned by the SDK transport ([ADR 0021]); it returns
|
|
191
|
+
// `406`/`415` for non-compliant requests. The front-door only guards origin, method, and body size.
|
|
192
|
+
const body = await readBody(req, maxBody);
|
|
193
|
+
if (!body.ok)
|
|
194
|
+
return sendJson(res, 413, rpcError(JSON_RPC.INVALID_REQUEST, 'request body too large'));
|
|
195
|
+
let parsed;
|
|
196
|
+
try {
|
|
197
|
+
parsed = JSON.parse(body.text);
|
|
198
|
+
}
|
|
199
|
+
catch {
|
|
200
|
+
return sendJson(res, 400, rpcError(JSON_RPC.PARSE_ERROR, 'invalid JSON'));
|
|
201
|
+
}
|
|
202
|
+
const contexts = admissionContexts(parsed, {
|
|
203
|
+
routeId,
|
|
204
|
+
...(tenant !== undefined ? tenant : {}),
|
|
205
|
+
...(auth.accessMode !== undefined ? { accessMode: auth.accessMode } : {}),
|
|
206
|
+
});
|
|
207
|
+
for (const context of contexts) {
|
|
208
|
+
const decision = auth.admissionGate
|
|
209
|
+
? await auth.admissionGate(context)
|
|
210
|
+
: { allow: true };
|
|
211
|
+
auth.logger.info('mcp.admission', {
|
|
212
|
+
routeId: context.routeId,
|
|
213
|
+
method: context.method,
|
|
214
|
+
category: context.category,
|
|
215
|
+
...(context.name !== undefined ? { name: context.name } : {}),
|
|
216
|
+
...(context.org !== undefined ? { org: context.org } : {}),
|
|
217
|
+
...(context.app !== undefined ? { app: context.app } : {}),
|
|
218
|
+
...(context.env !== undefined ? { env: context.env } : {}),
|
|
219
|
+
...(context.accessMode !== undefined ? { accessMode: context.accessMode } : {}),
|
|
220
|
+
decision: decision.allow ? 'allow' : 'deny',
|
|
221
|
+
...(decision.reason !== undefined ? { reason: decision.reason } : {}),
|
|
222
|
+
});
|
|
223
|
+
if (!decision.allow) {
|
|
224
|
+
return sendJson(res, decision.status ?? 403, rpcError(JSON_RPC.INVALID_REQUEST, decision.reason));
|
|
225
|
+
}
|
|
226
|
+
}
|
|
227
|
+
// The SDK stateless transport owns JSON-RPC framing, version negotiation, and the response (200 for a
|
|
228
|
+
// request, 202 for a notification). We pass the already-read body so the body-size guard still applies.
|
|
229
|
+
await handleStatelessHttp(target, req, res, parsed);
|
|
230
|
+
}
|
|
231
|
+
function admissionContexts(parsed, base) {
|
|
232
|
+
const items = Array.isArray(parsed) ? parsed : [parsed];
|
|
233
|
+
return items.map((item) => {
|
|
234
|
+
const method = rpcMethod(item);
|
|
235
|
+
const name = rpcTargetName(item, method);
|
|
236
|
+
return {
|
|
237
|
+
...base,
|
|
238
|
+
method,
|
|
239
|
+
category: admissionCategory(method),
|
|
240
|
+
...(name !== undefined ? { name } : {}),
|
|
241
|
+
};
|
|
242
|
+
});
|
|
243
|
+
}
|
|
244
|
+
function rpcMethod(value) {
|
|
245
|
+
if (typeof value !== 'object' || value === null)
|
|
246
|
+
return 'unknown';
|
|
247
|
+
const method = value.method;
|
|
248
|
+
return typeof method === 'string' ? method : 'unknown';
|
|
249
|
+
}
|
|
250
|
+
function rpcTargetName(value, method) {
|
|
251
|
+
if (typeof value !== 'object' || value === null)
|
|
252
|
+
return undefined;
|
|
253
|
+
const params = value.params;
|
|
254
|
+
if (typeof params !== 'object' || params === null)
|
|
255
|
+
return undefined;
|
|
256
|
+
const name = params.name;
|
|
257
|
+
if (typeof name === 'string')
|
|
258
|
+
return name;
|
|
259
|
+
const uri = params.uri;
|
|
260
|
+
return typeof uri === 'string' && method.startsWith('resources/') ? uri : undefined;
|
|
261
|
+
}
|
|
262
|
+
function admissionCategory(method) {
|
|
263
|
+
if (method === 'tools/list' ||
|
|
264
|
+
method === 'resources/list' ||
|
|
265
|
+
method === 'resources/templates/list' ||
|
|
266
|
+
method === 'prompts/list') {
|
|
267
|
+
return 'discovery';
|
|
268
|
+
}
|
|
269
|
+
if (method === 'resources/read' || method === 'prompts/get' || method.startsWith('completion/')) {
|
|
270
|
+
return 'read';
|
|
271
|
+
}
|
|
272
|
+
if (method === 'tools/call')
|
|
273
|
+
return 'execute';
|
|
274
|
+
return 'protocol';
|
|
275
|
+
}
|
|
276
|
+
function header(req, name) {
|
|
277
|
+
const value = req.headers[name];
|
|
278
|
+
return Array.isArray(value) ? value[0] : value;
|
|
279
|
+
}
|
|
280
|
+
function originAllowed(origin, allowed) {
|
|
281
|
+
if (allowed === undefined)
|
|
282
|
+
return true;
|
|
283
|
+
return typeof allowed === 'function' ? allowed(origin) : allowed.includes(origin);
|
|
284
|
+
}
|
|
285
|
+
async function readBody(req, max) {
|
|
286
|
+
const chunks = [];
|
|
287
|
+
let size = 0;
|
|
288
|
+
for await (const chunk of req) {
|
|
289
|
+
const buf = chunk;
|
|
290
|
+
size += buf.length;
|
|
291
|
+
if (size > max)
|
|
292
|
+
return { ok: false };
|
|
293
|
+
chunks.push(buf);
|
|
294
|
+
}
|
|
295
|
+
return { ok: true, text: Buffer.concat(chunks).toString('utf8') };
|
|
296
|
+
}
|
|
297
|
+
function sendJson(res, status, body) {
|
|
298
|
+
res.writeHead(status, { 'content-type': 'application/json; charset=utf-8' });
|
|
299
|
+
res.end(JSON.stringify(body));
|
|
300
|
+
}
|
|
301
|
+
/**
|
|
302
|
+
* A `401` with a bearer challenge and a transport-level JSON-RPC error body. For owner-only endpoints,
|
|
303
|
+
* `resourceMetadataUrl` is included so an MCP client can discover the authorization server (RFC 9728 /
|
|
304
|
+
* the MCP authorization spec); for caller-key endpoints the plain realm challenge is sent.
|
|
305
|
+
*/
|
|
306
|
+
function sendUnauthorized(res, resourceMetadataUrl) {
|
|
307
|
+
const challenge = resourceMetadataUrl !== undefined
|
|
308
|
+
? `Bearer realm="mrdn", resource_metadata="${resourceMetadataUrl}"`
|
|
309
|
+
: CALLER_REALM;
|
|
310
|
+
res.writeHead(401, {
|
|
311
|
+
'content-type': 'application/json; charset=utf-8',
|
|
312
|
+
'www-authenticate': challenge,
|
|
313
|
+
});
|
|
314
|
+
res.end(JSON.stringify(rpcError(JSON_RPC.INVALID_REQUEST, 'unauthorized')));
|
|
315
|
+
}
|
|
316
|
+
/** A `403` with a transport-level JSON-RPC error body (authenticated, but not authorized). */
|
|
317
|
+
function sendForbidden(res) {
|
|
318
|
+
sendJson(res, 403, rpcError(JSON_RPC.INVALID_REQUEST, 'forbidden'));
|
|
319
|
+
}
|
|
320
|
+
/**
|
|
321
|
+
* Identity gate (OA-1/OA-3): require a verified token and authorize it against the deployment access mode.
|
|
322
|
+
* Returns `true`
|
|
323
|
+
* when it has written a denial (`401` with a protected-resource-metadata challenge, or `403`), `false` when
|
|
324
|
+
* the request may proceed. Fails closed — a missing token or no configured verifier yields `401`.
|
|
325
|
+
*/
|
|
326
|
+
async function denyIdentityMode(req, res, auth) {
|
|
327
|
+
const challenge = protectedResourceMetadataUrl(req, auth.trustProxy);
|
|
328
|
+
const token = bearerToken(req);
|
|
329
|
+
if (token === null || auth.verifyOwnerToken === undefined) {
|
|
330
|
+
sendUnauthorized(res, challenge);
|
|
331
|
+
return true;
|
|
332
|
+
}
|
|
333
|
+
const identity = await auth.verifyOwnerToken(token, resourceUrl(req, auth.trustProxy));
|
|
334
|
+
if (identity === null) {
|
|
335
|
+
sendUnauthorized(res, challenge);
|
|
336
|
+
return true;
|
|
337
|
+
}
|
|
338
|
+
if (auth.accessMode === 'owner-only') {
|
|
339
|
+
if (auth.ownerSubject === undefined) {
|
|
340
|
+
sendUnauthorized(res, challenge);
|
|
341
|
+
return true;
|
|
342
|
+
}
|
|
343
|
+
if (identity.subject !== auth.ownerSubject) {
|
|
344
|
+
sendForbidden(res);
|
|
345
|
+
return true;
|
|
346
|
+
}
|
|
347
|
+
return false;
|
|
348
|
+
}
|
|
349
|
+
if (auth.accessMode === 'org-members' &&
|
|
350
|
+
(auth.org === undefined ||
|
|
351
|
+
auth.authorizeDataPlaneIdentity === undefined ||
|
|
352
|
+
!(await auth.authorizeDataPlaneIdentity({
|
|
353
|
+
accessMode: auth.accessMode,
|
|
354
|
+
org: auth.org,
|
|
355
|
+
subject: identity.subject,
|
|
356
|
+
...(identity.email !== undefined ? { email: identity.email } : {}),
|
|
357
|
+
})))) {
|
|
358
|
+
sendForbidden(res);
|
|
359
|
+
return true;
|
|
360
|
+
}
|
|
361
|
+
return false;
|
|
362
|
+
}
|
|
363
|
+
function isIdentityMode(mode) {
|
|
364
|
+
return mode === 'owner-only' || mode === 'org-members';
|
|
365
|
+
}
|
|
366
|
+
/** The public origin + path for this request, honouring the trusted forwarded-proto when configured. */
|
|
367
|
+
function requestUrl(req, trustProxy) {
|
|
368
|
+
const proto = effectiveProto(req, trustProxy);
|
|
369
|
+
const host = header(req, 'host') ?? 'localhost';
|
|
370
|
+
const pathname = new URL(req.url ?? '/', `${proto}://${host}`).pathname;
|
|
371
|
+
return { origin: `${proto}://${host}`, pathname };
|
|
372
|
+
}
|
|
373
|
+
/** The canonical resource identifier (the tenant MCP URL) a token must be audience-bound to (RFC 8707). */
|
|
374
|
+
function resourceUrl(req, trustProxy) {
|
|
375
|
+
const { origin, pathname } = requestUrl(req, trustProxy);
|
|
376
|
+
return `${origin}${pathname}`;
|
|
377
|
+
}
|
|
378
|
+
/** The RFC 9728 protected-resource-metadata URL for this request (well-known prefix before the path). */
|
|
379
|
+
function protectedResourceMetadataUrl(req, trustProxy) {
|
|
380
|
+
const { origin, pathname } = requestUrl(req, trustProxy);
|
|
381
|
+
return `${origin}/.well-known/oauth-protected-resource${pathname}`;
|
|
382
|
+
}
|
|
383
|
+
/** A transport-level JSON-RPC error response with no id (per the Streamable HTTP spec). */
|
|
384
|
+
function rpcError(code, message) {
|
|
385
|
+
return { jsonrpc: '2.0', id: null, error: { code, message } };
|
|
386
|
+
}
|
|
387
|
+
//# sourceMappingURL=handler.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"handler.js","sourceRoot":"","sources":["../src/handler.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,mBAAmB,EAAE,QAAQ,EAAuB,MAAM,uBAAuB,CAAC;AAC3F,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAC9E,OAAO,EACL,oBAAoB,EACpB,cAAc,EACd,YAAY,GAEb,MAAM,iBAAiB,CAAC;AACzB,OAAO,EAAe,UAAU,EAAE,MAAM,cAAc,CAAC;AAyGvD,MAAM,gBAAgB,GAAG,MAAM,CAAC;AAChC,MAAM,gBAAgB,GAAG,CAAC,IAAI,EAAE,CAAC;AAEjC;;;;;;;GAOG;AACH,MAAM,UAAU,oBAAoB,CAClC,MAAsB,EACtB,UAA8B,EAAE;IAEhC,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,IAAI,gBAAgB,CAAC;IACtD,MAAM,OAAO,GAAG,OAAO,CAAC,YAAY,IAAI,gBAAgB,CAAC;IACzD,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,UAAU,CAAC;IAC5C,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,IAAI,EAAE,CAAC;IAE9B,OAAO,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;QAClB,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACzB,oBAAoB,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;QAC/B,IAAI,YAAY,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,EAAE,CAAC;YAChC,UAAU,CAAC,MAAM,EAAE,QAAQ,EAAE,GAAG,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC;YAC9C,OAAO;QACT,CAAC;QACD,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,IAAI,GAAG,EAAE,kBAAkB,CAAC,CAAC;QACxD,IAAI,GAAG,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;YAC9B,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,QAAQ,CAAC,QAAQ,CAAC,eAAe,EAAE,WAAW,CAAC,CAAC,CAAC;YACpE,UAAU,CAAC,MAAM,EAAE,QAAQ,EAAE,GAAG,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC;YAC9C,OAAO;QACT,CAAC;QACD,KAAK,KAAK,CACR,GAAG,EACH,YAAY,CACV,GAAG,EACH,GAAG,EACH,MAAM,EACN;YACE,aAAa,EAAE,OAAO,CAAC,aAAa;YACpC,UAAU,EAAE,SAAS;YACrB,YAAY,EAAE,SAAS;YACvB,GAAG,EAAE,SAAS;YACd,gBAAgB,EAAE,OAAO,CAAC,gBAAgB;YAC1C,0BAA0B,EAAE,OAAO,CAAC,0BAA0B;YAC9D,wBAAwB,EAAE,OAAO,CAAC,wBAAwB;YAC1D,aAAa,EAAE,OAAO,CAAC,aAAa;YACpC,MAAM;YACN,UAAU,EAAE,GAAG,CAAC,UAAU,IAAI,KAAK;SACpC,EACD,QAAQ,EACR,OAAO,EACP,OAAO,CAAC,cAAc,CACvB,CACF,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,MAAM,EAAE,QAAQ,EAAE,GAAG,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC,CAAC;IAC9D,CAAC,CAAC;AACJ,CAAC;AA2BD,MAAM,WAAW,GAAG,kBAAkB,CAAC;AACvC,MAAM,gBAAgB,GAAG,8BAA8B,CAAC;AACxD,MAAM,eAAe,GAAG,uCAAuC,CAAC;AAEhE;;;;GAIG;AACH,MAAM,UAAU,eAAe,CAC7B,MAAoB,EACpB,UAAyE,EAAE;IAE3E,MAAM,OAAO,GAAG,OAAO,CAAC,YAAY,IAAI,gBAAgB,CAAC;IACzD,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,UAAU,CAAC;IAC5C,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,IAAI,EAAE,CAAC;IAE9B,OAAO,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;QAClB,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACzB,oBAAoB,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;QAC/B,IAAI,YAAY,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,EAAE,CAAC;YAChC,UAAU,CAAC,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC;YACzC,OAAO;QACT,CAAC;QACD,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,IAAI,GAAG,EAAE,kBAAkB,CAAC,CAAC;QACxD,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QACvC,gGAAgG;QAChG,iGAAiG;QACjG,wGAAwG;QACxG,KAAK,KAAK,CACR,GAAG,EACH,CAAC,KAAK,IAAI,EAAE;YACV,MAAM,MAAM,GACV,KAAK,EAAE,IAAI,KAAK,QAAQ,IAAI,OAAO,CAAC,YAAY;gBAC9C,CAAC,CAAC,MAAM,OAAO,CAAC,YAAY,CAAC,KAAK,CAAC,GAAG,CAAC;gBACvC,CAAC,CAAC,KAAK,EAAE,IAAI,KAAK,YAAY;oBAC5B,CAAC,CAAC,MAAM,MAAM,CAAC,KAAK,CAAC,YAAY,CAAC;oBAClC,CAAC,CAAC,SAAS,CAAC;YAClB,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,QAAQ,CAAC,QAAQ,CAAC,eAAe,EAAE,WAAW,CAAC,CAAC,CAAC;gBACpE,OAAO;YACT,CAAC;YACD,MAAM,OAAO,GACX,KAAK,EAAE,IAAI,KAAK,QAAQ;gBACtB,CAAC,CAAC,KAAK,CAAC,KAAK;gBACb,CAAC,CAAC,KAAK,EAAE,IAAI,KAAK,YAAY;oBAC5B,CAAC,CAAC,KAAK,CAAC,YAAY;oBACpB,CAAC,CAAC,GAAG,CAAC;YACZ,MAAM,MAAM,GAAG,KAAK,EAAE,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC;YAChE,MAAM,YAAY,CAChB,GAAG,EACH,GAAG,EACH,MAAM,CAAC,MAAM,EACb;gBACE,aAAa,EAAE,MAAM,CAAC,aAAa;gBACnC,UAAU,EAAE,MAAM,CAAC,UAAU;gBAC7B,YAAY,EAAE,MAAM,CAAC,YAAY;gBACjC,GAAG,EAAE,MAAM,CAAC,GAAG;gBACf,gBAAgB,EAAE,OAAO,CAAC,gBAAgB;gBAC1C,0BAA0B,EAAE,OAAO,CAAC,0BAA0B;gBAC9D,wBAAwB,EAAE,OAAO,CAAC,wBAAwB;gBAC1D,aAAa,EAAE,OAAO,CAAC,aAAa;gBACpC,MAAM;gBACN,UAAU,EAAE,GAAG,CAAC,UAAU,IAAI,KAAK;aACpC,EACD,OAAO,EACP,OAAO,EACP,OAAO,CAAC,cAAc,EACtB,MAAM,CACP,CAAC;QACJ,CAAC,CAAC,EAAE,CACL,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,MAAM,EAAE,KAAK,EAAE,KAAK,IAAI,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC,CAAC;IACzE,CAAC,CAAC;AACJ,CAAC;AAED,SAAS,UAAU,CACjB,QAAgB;IAKhB,MAAM,SAAS,GAAG,eAAe,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACjD,IAAI,SAAS,EAAE,CAAC;QACd,MAAM,GAAG,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,CAAW,CAAC,CAAC;QAC/C,MAAM,GAAG,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,CAAW,CAAC,CAAC;QAC/C,MAAM,GAAG,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,CAAW,CAAC,CAAC;QAC/C,IAAI,GAAG,KAAK,IAAI,IAAI,GAAG,KAAK,IAAI,IAAI,GAAG,KAAK,IAAI;YAAE,OAAO,IAAI,CAAC;QAC9D,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,EAAE,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,GAAG,GAAG,IAAI,GAAG,IAAI,GAAG,EAAE,EAAE,CAAC;IACnF,CAAC;IACD,MAAM,UAAU,GAAG,gBAAgB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACnD,IAAI,UAAU,EAAE,CAAC;QACf,MAAM,GAAG,GAAG,UAAU,CAAC,UAAU,CAAC,CAAC,CAAW,CAAC,CAAC;QAChD,MAAM,GAAG,GAAG,UAAU,CAAC,UAAU,CAAC,CAAC,CAAW,CAAC,CAAC;QAChD,IAAI,GAAG,KAAK,IAAI,IAAI,GAAG,KAAK,IAAI;YAAE,OAAO,IAAI,CAAC;QAC9C,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,EAAE,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,MAAM,EAAE,EAAE,KAAK,EAAE,GAAG,GAAG,IAAI,GAAG,OAAO,EAAE,CAAC;IACzF,CAAC;IACD,MAAM,UAAU,GAAG,WAAW,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAC9C,IAAI,UAAU,EAAE,CAAC;QACf,MAAM,YAAY,GAAG,UAAU,CAAC,UAAU,CAAC,CAAC,CAAW,CAAC,CAAC;QACzD,IAAI,YAAY,KAAK,IAAI;YAAE,OAAO,IAAI,CAAC;QACvC,OAAO,EAAE,IAAI,EAAE,YAAY,EAAE,YAAY,EAAE,KAAK,EAAE,YAAY,EAAE,CAAC;IACnE,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;GAGG;AACH,SAAS,UAAU,CACjB,MAAc,EACd,OAAe,EACf,GAAoB,EACpB,GAAmB,EACnB,KAAa;IAEb,MAAM,CAAC,IAAI,CAAC,aAAa,EAAE;QACzB,QAAQ,EAAE,OAAO;QACjB,MAAM,EAAE,GAAG,CAAC,MAAM,IAAI,SAAS;QAC/B,MAAM,EAAE,GAAG,CAAC,UAAU;QACtB,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK;KAC9B,CAAC,CAAC;AACL,CAAC;AAED,SAAS,UAAU,CAAC,KAAa;IAC/B,IAAI,CAAC;QACH,OAAO,kBAAkB,CAAC,KAAK,CAAC,CAAC;IACnC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,SAAS,KAAK,CAAC,GAAmB,EAAE,EAAiB;IACnD,OAAO,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE;QACnB,IAAI,CAAC,GAAG,CAAC,WAAW;YAAE,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,QAAQ,CAAC,QAAQ,CAAC,cAAc,EAAE,gBAAgB,CAAC,CAAC,CAAC;IAChG,CAAC,CAAC,CAAC;AACL,CAAC;AAiBD;;;;GAIG;AACH,KAAK,UAAU,YAAY,CACzB,GAAoB,EACpB,GAAmB,EACnB,MAAsB,EACtB,IAAe,EACf,OAAe,EACf,OAAe,EACf,OAAiC,EACjC,MAAuB;IAEvB,MAAM,MAAM,GAAG,MAAM,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;IACrC,IAAI,MAAM,KAAK,SAAS,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,CAAC;QAC5D,OAAO,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,QAAQ,CAAC,QAAQ,CAAC,eAAe,EAAE,oBAAoB,CAAC,CAAC,CAAC;IACtF,CAAC;IAED,IAAI,GAAG,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;QAC1B,+EAA+E;QAC/E,GAAG,CAAC,SAAS,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QAC/B,OAAO,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,QAAQ,CAAC,QAAQ,CAAC,eAAe,EAAE,oBAAoB,CAAC,CAAC,CAAC;IACtF,CAAC;IAED,yGAAyG;IACzG,+FAA+F;IAC/F,wGAAwG;IACxG,IAAI,cAAc,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC;QACpC,IAAI,MAAM,gBAAgB,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,CAAC;YAAE,OAAO;IACrD,CAAC;SAAM,IAAI,MAAM,KAAK,SAAS,IAAI,IAAI,CAAC,wBAAwB,KAAK,SAAS,EAAE,CAAC;QAC/E,IACE,CAAC,CAAC,MAAM,IAAI,CAAC,wBAAwB,CAAC;YACpC,MAAM;YACN,KAAK,EAAE,WAAW,CAAC,GAAG,CAAC;YACvB,mBAAmB,EAAE,IAAI,CAAC,aAAa;SACxC,CAAC,CAAC,EACH,CAAC;YACD,OAAO,gBAAgB,CAAC,GAAG,CAAC,CAAC;QAC/B,CAAC;IACH,CAAC;SAAM,IAAI,IAAI,CAAC,aAAa,KAAK,SAAS,EAAE,CAAC;QAC5C,IAAI,CAAC,eAAe,CAAC,WAAW,CAAC,GAAG,CAAC,EAAE,IAAI,CAAC,aAAa,CAAC;YAAE,OAAO,gBAAgB,CAAC,GAAG,CAAC,CAAC;IAC3F,CAAC;IAED,qGAAqG;IACrG,oGAAoG;IACpG,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;IAC1C,IAAI,CAAC,IAAI,CAAC,EAAE;QACV,OAAO,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,QAAQ,CAAC,QAAQ,CAAC,eAAe,EAAE,wBAAwB,CAAC,CAAC,CAAC;IAE1F,IAAI,MAAe,CAAC;IACpB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACjC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,QAAQ,CAAC,QAAQ,CAAC,WAAW,EAAE,cAAc,CAAC,CAAC,CAAC;IAC5E,CAAC;IAED,MAAM,QAAQ,GAAG,iBAAiB,CAAC,MAAM,EAAE;QACzC,OAAO;QACP,GAAG,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC;QACvC,GAAG,CAAC,IAAI,CAAC,UAAU,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,UAAU,EAAE,IAAI,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAC1E,CAAC,CAAC;IACH,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,MAAM,QAAQ,GAAG,IAAI,CAAC,aAAa;YACjC,CAAC,CAAC,MAAM,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC;YACnC,CAAC,CAAE,EAAE,KAAK,EAAE,IAAI,EAAY,CAAC;QAC/B,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,eAAe,EAAE;YAChC,OAAO,EAAE,OAAO,CAAC,OAAO;YACxB,MAAM,EAAE,OAAO,CAAC,MAAM;YACtB,QAAQ,EAAE,OAAO,CAAC,QAAQ;YAC1B,GAAG,CAAC,OAAO,CAAC,IAAI,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YAC7D,GAAG,CAAC,OAAO,CAAC,GAAG,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YAC1D,GAAG,CAAC,OAAO,CAAC,GAAG,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YAC1D,GAAG,CAAC,OAAO,CAAC,GAAG,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YAC1D,GAAG,CAAC,OAAO,CAAC,UAAU,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,UAAU,EAAE,OAAO,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YAC/E,QAAQ,EAAE,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM;YAC3C,GAAG,CAAC,QAAQ,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACtE,CAAC,CAAC;QACH,IAAI,CAAC,QAAQ,CAAC,KAAK,EAAE,CAAC;YACpB,OAAO,QAAQ,CACb,GAAG,EACH,QAAQ,CAAC,MAAM,IAAI,GAAG,EACtB,QAAQ,CAAC,QAAQ,CAAC,eAAe,EAAE,QAAQ,CAAC,MAAM,CAAC,CACpD,CAAC;QACJ,CAAC;IACH,CAAC;IAED,sGAAsG;IACtG,wGAAwG;IACxG,MAAM,mBAAmB,CAAC,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,MAAM,CAAC,CAAC;AACtD,CAAC;AAED,SAAS,iBAAiB,CACxB,MAAe,EACf,IAA4D;IAE5D,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;IACxD,OAAO,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE;QACxB,MAAM,MAAM,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC;QAC/B,MAAM,IAAI,GAAG,aAAa,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;QACzC,OAAO;YACL,GAAG,IAAI;YACP,MAAM;YACN,QAAQ,EAAE,iBAAiB,CAAC,MAAM,CAAC;YACnC,GAAG,CAAC,IAAI,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACxC,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC;AAED,SAAS,SAAS,CAAC,KAAc;IAC/B,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI;QAAE,OAAO,SAAS,CAAC;IAClE,MAAM,MAAM,GAAI,KAAuC,CAAC,MAAM,CAAC;IAC/D,OAAO,OAAO,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS,CAAC;AACzD,CAAC;AAED,SAAS,aAAa,CAAC,KAAc,EAAE,MAAc;IACnD,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI;QAAE,OAAO,SAAS,CAAC;IAClE,MAAM,MAAM,GAAI,KAAuC,CAAC,MAAM,CAAC;IAC/D,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,KAAK,IAAI;QAAE,OAAO,SAAS,CAAC;IACpE,MAAM,IAAI,GAAI,MAA8D,CAAC,IAAI,CAAC;IAClF,IAAI,OAAO,IAAI,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IAC1C,MAAM,GAAG,GAAI,MAAqC,CAAC,GAAG,CAAC;IACvD,OAAO,OAAO,GAAG,KAAK,QAAQ,IAAI,MAAM,CAAC,UAAU,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC;AACtF,CAAC;AAED,SAAS,iBAAiB,CAAC,MAAc;IACvC,IACE,MAAM,KAAK,YAAY;QACvB,MAAM,KAAK,gBAAgB;QAC3B,MAAM,KAAK,0BAA0B;QACrC,MAAM,KAAK,cAAc,EACzB,CAAC;QACD,OAAO,WAAW,CAAC;IACrB,CAAC;IACD,IAAI,MAAM,KAAK,gBAAgB,IAAI,MAAM,KAAK,aAAa,IAAI,MAAM,CAAC,UAAU,CAAC,aAAa,CAAC,EAAE,CAAC;QAChG,OAAO,MAAM,CAAC;IAChB,CAAC;IACD,IAAI,MAAM,KAAK,YAAY;QAAE,OAAO,SAAS,CAAC;IAC9C,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,SAAS,MAAM,CAAC,GAAoB,EAAE,IAAY;IAChD,MAAM,KAAK,GAAG,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;IAChC,OAAO,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC;AACjD,CAAC;AAED,SAAS,aAAa,CAAC,MAAc,EAAE,OAAiC;IACtE,IAAI,OAAO,KAAK,SAAS;QAAE,OAAO,IAAI,CAAC;IACvC,OAAO,OAAO,OAAO,KAAK,UAAU,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;AACpF,CAAC;AAED,KAAK,UAAU,QAAQ,CACrB,GAAoB,EACpB,GAAW;IAEX,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,IAAI,IAAI,GAAG,CAAC,CAAC;IACb,IAAI,KAAK,EAAE,MAAM,KAAK,IAAI,GAAG,EAAE,CAAC;QAC9B,MAAM,GAAG,GAAG,KAAe,CAAC;QAC5B,IAAI,IAAI,GAAG,CAAC,MAAM,CAAC;QACnB,IAAI,IAAI,GAAG,GAAG;YAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,CAAC;QACrC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACnB,CAAC;IACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;AACpE,CAAC;AAED,SAAS,QAAQ,CAAC,GAAmB,EAAE,MAAc,EAAE,IAAa;IAClE,GAAG,CAAC,SAAS,CAAC,MAAM,EAAE,EAAE,cAAc,EAAE,iCAAiC,EAAE,CAAC,CAAC;IAC7E,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC;AAChC,CAAC;AAED;;;;GAIG;AACH,SAAS,gBAAgB,CAAC,GAAmB,EAAE,mBAA4B;IACzE,MAAM,SAAS,GACb,mBAAmB,KAAK,SAAS;QAC/B,CAAC,CAAC,2CAA2C,mBAAmB,GAAG;QACnE,CAAC,CAAC,YAAY,CAAC;IACnB,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE;QACjB,cAAc,EAAE,iCAAiC;QACjD,kBAAkB,EAAE,SAAS;KAC9B,CAAC,CAAC;IACH,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,eAAe,EAAE,cAAc,CAAC,CAAC,CAAC,CAAC;AAC9E,CAAC;AAED,8FAA8F;AAC9F,SAAS,aAAa,CAAC,GAAmB;IACxC,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,QAAQ,CAAC,QAAQ,CAAC,eAAe,EAAE,WAAW,CAAC,CAAC,CAAC;AACtE,CAAC;AAED;;;;;GAKG;AACH,KAAK,UAAU,gBAAgB,CAC7B,GAAoB,EACpB,GAAmB,EACnB,IAAe;IAEf,MAAM,SAAS,GAAG,4BAA4B,CAAC,GAAG,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;IACrE,MAAM,KAAK,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI,KAAK,KAAK,IAAI,IAAI,IAAI,CAAC,gBAAgB,KAAK,SAAS,EAAE,CAAC;QAC1D,gBAAgB,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;QACjC,OAAO,IAAI,CAAC;IACd,CAAC;IACD,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,KAAK,EAAE,WAAW,CAAC,GAAG,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC;IACvF,IAAI,QAAQ,KAAK,IAAI,EAAE,CAAC;QACtB,gBAAgB,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;QACjC,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IAAI,IAAI,CAAC,UAAU,KAAK,YAAY,EAAE,CAAC;QACrC,IAAI,IAAI,CAAC,YAAY,KAAK,SAAS,EAAE,CAAC;YACpC,gBAAgB,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;YACjC,OAAO,IAAI,CAAC;QACd,CAAC;QACD,IAAI,QAAQ,CAAC,OAAO,KAAK,IAAI,CAAC,YAAY,EAAE,CAAC;YAC3C,aAAa,CAAC,GAAG,CAAC,CAAC;YACnB,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IACD,IACE,IAAI,CAAC,UAAU,KAAK,aAAa;QACjC,CAAC,IAAI,CAAC,GAAG,KAAK,SAAS;YACrB,IAAI,CAAC,0BAA0B,KAAK,SAAS;YAC7C,CAAC,CAAC,MAAM,IAAI,CAAC,0BAA0B,CAAC;gBACtC,UAAU,EAAE,IAAI,CAAC,UAAU;gBAC3B,GAAG,EAAE,IAAI,CAAC,GAAG;gBACb,OAAO,EAAE,QAAQ,CAAC,OAAO;gBACzB,GAAG,CAAC,QAAQ,CAAC,KAAK,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;aACnE,CAAC,CAAC,CAAC,EACN,CAAC;QACD,aAAa,CAAC,GAAG,CAAC,CAAC;QACnB,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,cAAc,CAAC,IAA4B;IAClD,OAAO,IAAI,KAAK,YAAY,IAAI,IAAI,KAAK,aAAa,CAAC;AACzD,CAAC;AAED,wGAAwG;AACxG,SAAS,UAAU,CACjB,GAAoB,EACpB,UAAmB;IAEnB,MAAM,KAAK,GAAG,cAAc,CAAC,GAAG,EAAE,UAAU,CAAC,CAAC;IAC9C,MAAM,IAAI,GAAG,MAAM,CAAC,GAAG,EAAE,MAAM,CAAC,IAAI,WAAW,CAAC;IAChD,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,IAAI,GAAG,EAAE,GAAG,KAAK,MAAM,IAAI,EAAE,CAAC,CAAC,QAAQ,CAAC;IACxE,OAAO,EAAE,MAAM,EAAE,GAAG,KAAK,MAAM,IAAI,EAAE,EAAE,QAAQ,EAAE,CAAC;AACpD,CAAC;AAED,2GAA2G;AAC3G,SAAS,WAAW,CAAC,GAAoB,EAAE,UAAmB;IAC5D,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,GAAG,UAAU,CAAC,GAAG,EAAE,UAAU,CAAC,CAAC;IACzD,OAAO,GAAG,MAAM,GAAG,QAAQ,EAAE,CAAC;AAChC,CAAC;AAED,yGAAyG;AACzG,SAAS,4BAA4B,CAAC,GAAoB,EAAE,UAAmB;IAC7E,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,GAAG,UAAU,CAAC,GAAG,EAAE,UAAU,CAAC,CAAC;IACzD,OAAO,GAAG,MAAM,wCAAwC,QAAQ,EAAE,CAAC;AACrE,CAAC;AAED,2FAA2F;AAC3F,SAAS,QAAQ,CACf,IAAY,EACZ,OAAe;IAEf,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,CAAC;AAChE,CAAC"}
|
|
@@ -0,0 +1,6 @@
|
|
|
1
|
+
export { bearerToken, CALLER_REALM, hashCallerKey, mintCallerKey, verifyCallerKey, } from './caller-auth.js';
|
|
2
|
+
export { applySecurityHeaders, effectiveProto, enforceHttps, type TlsPosture, } from './front-door.js';
|
|
3
|
+
export { type AccessMode, type AdmissionCategory, type AdmissionContext, type AdmissionDecision, type AdmissionGate, type CallerKeyTenantVerifier, createMcpHttpHandler, createMcpRouter, type DataPlaneIdentityAuthorizer, type HttpHandlerOptions, type OriginPolicy, type OwnerTokenVerifier, type ServedTarget, type ServerLookup, } from './handler.js';
|
|
4
|
+
export { createLogger, type LogFields, type Logger, type LoggerOptions, type LogLevel, type LogSink, noopLogger, stdoutSink, } from './logging.js';
|
|
5
|
+
export { type RunningServer, type ServeOptions, serveHttp } from './serve.js';
|
|
6
|
+
//# sourceMappingURL=index.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,WAAW,EACX,YAAY,EACZ,aAAa,EACb,aAAa,EACb,eAAe,GAChB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EACL,oBAAoB,EACpB,cAAc,EACd,YAAY,EACZ,KAAK,UAAU,GAChB,MAAM,iBAAiB,CAAC;AACzB,OAAO,EACL,KAAK,UAAU,EACf,KAAK,iBAAiB,EACtB,KAAK,gBAAgB,EACrB,KAAK,iBAAiB,EACtB,KAAK,aAAa,EAClB,KAAK,uBAAuB,EAC5B,oBAAoB,EACpB,eAAe,EACf,KAAK,2BAA2B,EAChC,KAAK,kBAAkB,EACvB,KAAK,YAAY,EACjB,KAAK,kBAAkB,EACvB,KAAK,YAAY,EACjB,KAAK,YAAY,GAClB,MAAM,cAAc,CAAC;AACtB,OAAO,EACL,YAAY,EACZ,KAAK,SAAS,EACd,KAAK,MAAM,EACX,KAAK,aAAa,EAClB,KAAK,QAAQ,EACb,KAAK,OAAO,EACZ,UAAU,EACV,UAAU,GACX,MAAM,cAAc,CAAC;AACtB,OAAO,EAAE,KAAK,aAAa,EAAE,KAAK,YAAY,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC"}
|
|
@@ -0,0 +1,6 @@
|
|
|
1
|
+
export { bearerToken, CALLER_REALM, hashCallerKey, mintCallerKey, verifyCallerKey, } from './caller-auth.js';
|
|
2
|
+
export { applySecurityHeaders, effectiveProto, enforceHttps, } from './front-door.js';
|
|
3
|
+
export { createMcpHttpHandler, createMcpRouter, } from './handler.js';
|
|
4
|
+
export { createLogger, noopLogger, stdoutSink, } from './logging.js';
|
|
5
|
+
export { serveHttp } from './serve.js';
|
|
6
|
+
//# sourceMappingURL=index.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,WAAW,EACX,YAAY,EACZ,aAAa,EACb,aAAa,EACb,eAAe,GAChB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EACL,oBAAoB,EACpB,cAAc,EACd,YAAY,GAEb,MAAM,iBAAiB,CAAC;AACzB,OAAO,EAOL,oBAAoB,EACpB,eAAe,GAOhB,MAAM,cAAc,CAAC;AACtB,OAAO,EACL,YAAY,EAMZ,UAAU,EACV,UAAU,GACX,MAAM,cAAc,CAAC;AACtB,OAAO,EAAyC,SAAS,EAAE,MAAM,YAAY,CAAC"}
|
|
@@ -0,0 +1,41 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Minimal structured (JSON-line) logging for the runtime front-door + deploy plane (Slice 27, ADR 0031).
|
|
3
|
+
*
|
|
4
|
+
* A precursor to full OpenTelemetry (ADR 0024, Phase 4); it shares that decision's **hard redaction**
|
|
5
|
+
* intent but pulls in no dependency. Safety is structural: every record is a **flat bag of scalars**
|
|
6
|
+
* built by hand from an allowlist at the call site, and non-scalar values are dropped to `[unloggable]`
|
|
7
|
+
* — so a stray token-bearing object can never be stringified into a line, and no call site ever logs a
|
|
8
|
+
* header map, request body, secret, caller key, or continuation token.
|
|
9
|
+
*/
|
|
10
|
+
export type LogLevel = 'debug' | 'info' | 'warn' | 'error';
|
|
11
|
+
/** A flat bag of **pre-redacted scalar** fields. Never pass raw secrets, tokens, headers, or bodies. */
|
|
12
|
+
export interface LogFields {
|
|
13
|
+
readonly [key: string]: string | number | boolean | null | undefined;
|
|
14
|
+
}
|
|
15
|
+
/** Destination for a finished log line. The default writes one compact JSON line + `\n` to stdout. */
|
|
16
|
+
export type LogSink = (line: string) => void;
|
|
17
|
+
export declare const stdoutSink: LogSink;
|
|
18
|
+
export interface LoggerOptions {
|
|
19
|
+
/** Minimum level to emit; lower levels are dropped. Default `info`. */
|
|
20
|
+
readonly level?: LogLevel;
|
|
21
|
+
/** Where lines go. Default {@link stdoutSink}. */
|
|
22
|
+
readonly sink?: LogSink;
|
|
23
|
+
/** Clock for the `ts` field (injectable for deterministic tests). Default `Date.now`. */
|
|
24
|
+
readonly clock?: () => number;
|
|
25
|
+
/** Static fields merged into every record (e.g. a service name). */
|
|
26
|
+
readonly base?: LogFields;
|
|
27
|
+
}
|
|
28
|
+
export interface Logger {
|
|
29
|
+
readonly level: LogLevel;
|
|
30
|
+
log(level: LogLevel, event: string, fields?: LogFields): void;
|
|
31
|
+
debug(event: string, fields?: LogFields): void;
|
|
32
|
+
info(event: string, fields?: LogFields): void;
|
|
33
|
+
warn(event: string, fields?: LogFields): void;
|
|
34
|
+
error(event: string, fields?: LogFields): void;
|
|
35
|
+
/** A logger with extra base fields (e.g. a per-request id) merged in. */
|
|
36
|
+
child(extra: LogFields): Logger;
|
|
37
|
+
}
|
|
38
|
+
export declare function createLogger(options?: LoggerOptions): Logger;
|
|
39
|
+
/** A logger that drops everything — the default so opting out (and existing callers) cost nothing. */
|
|
40
|
+
export declare const noopLogger: Logger;
|
|
41
|
+
//# sourceMappingURL=logging.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"logging.d.ts","sourceRoot":"","sources":["../src/logging.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,MAAM,MAAM,QAAQ,GAAG,OAAO,GAAG,MAAM,GAAG,MAAM,GAAG,OAAO,CAAC;AAI3D,wGAAwG;AACxG,MAAM,WAAW,SAAS;IACxB,QAAQ,EAAE,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,MAAM,GAAG,OAAO,GAAG,IAAI,GAAG,SAAS,CAAC;CACtE;AAED,sGAAsG;AACtG,MAAM,MAAM,OAAO,GAAG,CAAC,IAAI,EAAE,MAAM,KAAK,IAAI,CAAC;AAE7C,eAAO,MAAM,UAAU,EAAE,OAExB,CAAC;AAEF,MAAM,WAAW,aAAa;IAC5B,uEAAuE;IACvE,QAAQ,CAAC,KAAK,CAAC,EAAE,QAAQ,CAAC;IAC1B,kDAAkD;IAClD,QAAQ,CAAC,IAAI,CAAC,EAAE,OAAO,CAAC;IACxB,yFAAyF;IACzF,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,MAAM,CAAC;IAC9B,oEAAoE;IACpE,QAAQ,CAAC,IAAI,CAAC,EAAE,SAAS,CAAC;CAC3B;AAED,MAAM,WAAW,MAAM;IACrB,QAAQ,CAAC,KAAK,EAAE,QAAQ,CAAC;IACzB,GAAG,CAAC,KAAK,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,SAAS,GAAG,IAAI,CAAC;IAC9D,KAAK,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,SAAS,GAAG,IAAI,CAAC;IAC/C,IAAI,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,SAAS,GAAG,IAAI,CAAC;IAC9C,IAAI,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,SAAS,GAAG,IAAI,CAAC;IAC9C,KAAK,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,SAAS,GAAG,IAAI,CAAC;IAC/C,yEAAyE;IACzE,KAAK,CAAC,KAAK,EAAE,SAAS,GAAG,MAAM,CAAC;CACjC;AAaD,wBAAgB,YAAY,CAAC,OAAO,GAAE,aAAkB,GAAG,MAAM,CAiChE;AAID,sGAAsG;AACtG,eAAO,MAAM,UAAU,EAAE,MAQxB,CAAC"}
|
|
@@ -0,0 +1,71 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Minimal structured (JSON-line) logging for the runtime front-door + deploy plane (Slice 27, ADR 0031).
|
|
3
|
+
*
|
|
4
|
+
* A precursor to full OpenTelemetry (ADR 0024, Phase 4); it shares that decision's **hard redaction**
|
|
5
|
+
* intent but pulls in no dependency. Safety is structural: every record is a **flat bag of scalars**
|
|
6
|
+
* built by hand from an allowlist at the call site, and non-scalar values are dropped to `[unloggable]`
|
|
7
|
+
* — so a stray token-bearing object can never be stringified into a line, and no call site ever logs a
|
|
8
|
+
* header map, request body, secret, caller key, or continuation token.
|
|
9
|
+
*/
|
|
10
|
+
const LEVEL_ORDER = { debug: 10, info: 20, warn: 30, error: 40 };
|
|
11
|
+
export const stdoutSink = (line) => {
|
|
12
|
+
process.stdout.write(`${line}\n`);
|
|
13
|
+
};
|
|
14
|
+
/** Keys the record owns; a field may not overwrite them. */
|
|
15
|
+
const RESERVED = new Set(['ts', 'level', 'event']);
|
|
16
|
+
/** Coerce a field value to a loggable scalar; anything non-scalar becomes a marker (never serialized). */
|
|
17
|
+
function scalar(value) {
|
|
18
|
+
if (value === null || value === undefined)
|
|
19
|
+
return '';
|
|
20
|
+
const type = typeof value;
|
|
21
|
+
if (type === 'string' || type === 'number' || type === 'boolean')
|
|
22
|
+
return value;
|
|
23
|
+
return '[unloggable]';
|
|
24
|
+
}
|
|
25
|
+
export function createLogger(options = {}) {
|
|
26
|
+
const level = options.level ?? 'info';
|
|
27
|
+
const sink = options.sink ?? stdoutSink;
|
|
28
|
+
const clock = options.clock ?? Date.now;
|
|
29
|
+
const base = options.base ?? {};
|
|
30
|
+
function emit(lvl, event, fields) {
|
|
31
|
+
if (LEVEL_ORDER[lvl] < LEVEL_ORDER[level])
|
|
32
|
+
return;
|
|
33
|
+
const record = {
|
|
34
|
+
ts: new Date(clock()).toISOString(),
|
|
35
|
+
level: lvl,
|
|
36
|
+
event,
|
|
37
|
+
};
|
|
38
|
+
for (const [key, value] of Object.entries(base)) {
|
|
39
|
+
if (!RESERVED.has(key) && value !== undefined)
|
|
40
|
+
record[key] = scalar(value);
|
|
41
|
+
}
|
|
42
|
+
if (fields) {
|
|
43
|
+
for (const [key, value] of Object.entries(fields)) {
|
|
44
|
+
if (!RESERVED.has(key) && value !== undefined)
|
|
45
|
+
record[key] = scalar(value);
|
|
46
|
+
}
|
|
47
|
+
}
|
|
48
|
+
sink(JSON.stringify(record));
|
|
49
|
+
}
|
|
50
|
+
return {
|
|
51
|
+
level,
|
|
52
|
+
log: emit,
|
|
53
|
+
debug: (event, fields) => emit('debug', event, fields),
|
|
54
|
+
info: (event, fields) => emit('info', event, fields),
|
|
55
|
+
warn: (event, fields) => emit('warn', event, fields),
|
|
56
|
+
error: (event, fields) => emit('error', event, fields),
|
|
57
|
+
child: (extra) => createLogger({ level, sink, clock, base: { ...base, ...extra } }),
|
|
58
|
+
};
|
|
59
|
+
}
|
|
60
|
+
const noop = () => undefined;
|
|
61
|
+
/** A logger that drops everything — the default so opting out (and existing callers) cost nothing. */
|
|
62
|
+
export const noopLogger = {
|
|
63
|
+
level: 'error',
|
|
64
|
+
log: noop,
|
|
65
|
+
debug: noop,
|
|
66
|
+
info: noop,
|
|
67
|
+
warn: noop,
|
|
68
|
+
error: noop,
|
|
69
|
+
child: () => noopLogger,
|
|
70
|
+
};
|
|
71
|
+
//# sourceMappingURL=logging.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"logging.js","sourceRoot":"","sources":["../src/logging.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAIH,MAAM,WAAW,GAA6B,EAAE,KAAK,EAAE,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC;AAU3F,MAAM,CAAC,MAAM,UAAU,GAAY,CAAC,IAAI,EAAE,EAAE;IAC1C,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,IAAI,IAAI,CAAC,CAAC;AACpC,CAAC,CAAC;AAwBF,4DAA4D;AAC5D,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,CAAC,IAAI,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC;AAEnD,0GAA0G;AAC1G,SAAS,MAAM,CAAC,KAAmD;IACjE,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,KAAK,SAAS;QAAE,OAAO,EAAE,CAAC;IACrD,MAAM,IAAI,GAAG,OAAO,KAAK,CAAC;IAC1B,IAAI,IAAI,KAAK,QAAQ,IAAI,IAAI,KAAK,QAAQ,IAAI,IAAI,KAAK,SAAS;QAAE,OAAO,KAAK,CAAC;IAC/E,OAAO,cAAc,CAAC;AACxB,CAAC;AAED,MAAM,UAAU,YAAY,CAAC,UAAyB,EAAE;IACtD,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,IAAI,MAAM,CAAC;IACtC,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,IAAI,UAAU,CAAC;IACxC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,IAAI,IAAI,CAAC,GAAG,CAAC;IACxC,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,IAAI,EAAE,CAAC;IAEhC,SAAS,IAAI,CAAC,GAAa,EAAE,KAAa,EAAE,MAAkB;QAC5D,IAAI,WAAW,CAAC,GAAG,CAAC,GAAG,WAAW,CAAC,KAAK,CAAC;YAAE,OAAO;QAClD,MAAM,MAAM,GAA8C;YACxD,EAAE,EAAE,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC,WAAW,EAAE;YACnC,KAAK,EAAE,GAAG;YACV,KAAK;SACN,CAAC;QACF,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;YAChD,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,KAAK,KAAK,SAAS;gBAAE,MAAM,CAAC,GAAG,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC;QAC7E,CAAC;QACD,IAAI,MAAM,EAAE,CAAC;YACX,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;gBAClD,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,KAAK,KAAK,SAAS;oBAAE,MAAM,CAAC,GAAG,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC;YAC7E,CAAC;QACH,CAAC;QACD,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC;IAC/B,CAAC;IAED,OAAO;QACL,KAAK;QACL,GAAG,EAAE,IAAI;QACT,KAAK,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE,CAAC,IAAI,CAAC,OAAO,EAAE,KAAK,EAAE,MAAM,CAAC;QACtD,IAAI,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE,CAAC,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,MAAM,CAAC;QACpD,IAAI,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE,CAAC,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,MAAM,CAAC;QACpD,KAAK,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE,CAAC,IAAI,CAAC,OAAO,EAAE,KAAK,EAAE,MAAM,CAAC;QACtD,KAAK,EAAE,CAAC,KAAK,EAAE,EAAE,CAAC,YAAY,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE,GAAG,IAAI,EAAE,GAAG,KAAK,EAAE,EAAE,CAAC;KACpF,CAAC;AACJ,CAAC;AAED,MAAM,IAAI,GAAG,GAAS,EAAE,CAAC,SAAS,CAAC;AAEnC,sGAAsG;AACtG,MAAM,CAAC,MAAM,UAAU,GAAW;IAChC,KAAK,EAAE,OAAO;IACd,GAAG,EAAE,IAAI;IACT,KAAK,EAAE,IAAI;IACX,IAAI,EAAE,IAAI;IACV,IAAI,EAAE,IAAI;IACV,KAAK,EAAE,IAAI;IACX,KAAK,EAAE,GAAG,EAAE,CAAC,UAAU;CACxB,CAAC"}
|
|
@@ -0,0 +1,22 @@
|
|
|
1
|
+
import { type Server } from 'node:http';
|
|
2
|
+
import type { ServedArtifact } from '@noodle-borg/protocol';
|
|
3
|
+
import { type HttpHandlerOptions } from './handler.js';
|
|
4
|
+
export interface ServeOptions extends HttpHandlerOptions {
|
|
5
|
+
readonly target: ServedArtifact;
|
|
6
|
+
/** Port to bind. Default `0` (an ephemeral port — read the bound port from the result). */
|
|
7
|
+
readonly port?: number;
|
|
8
|
+
/** Host/interface to bind. Default `127.0.0.1` (localhost) per the transport security guidance. */
|
|
9
|
+
readonly host?: string;
|
|
10
|
+
}
|
|
11
|
+
export interface RunningServer {
|
|
12
|
+
readonly http: Server;
|
|
13
|
+
readonly url: string;
|
|
14
|
+
readonly port: number;
|
|
15
|
+
close(): Promise<void>;
|
|
16
|
+
}
|
|
17
|
+
/**
|
|
18
|
+
* Start a `node:http` server serving a {@link ServedArtifact} over Streamable HTTP. Binds `127.0.0.1`
|
|
19
|
+
* by default; a real remote deployment binds `0.0.0.0` behind a reverse proxy **and** Phase-3 auth.
|
|
20
|
+
*/
|
|
21
|
+
export declare function serveHttp(options: ServeOptions): Promise<RunningServer>;
|
|
22
|
+
//# sourceMappingURL=serve.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"serve.d.ts","sourceRoot":"","sources":["../src/serve.ts"],"names":[],"mappings":"AAAA,OAAO,EAAgB,KAAK,MAAM,EAAE,MAAM,WAAW,CAAC;AACtD,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AAC5D,OAAO,EAAwB,KAAK,kBAAkB,EAAE,MAAM,cAAc,CAAC;AAE7E,MAAM,WAAW,YAAa,SAAQ,kBAAkB;IACtD,QAAQ,CAAC,MAAM,EAAE,cAAc,CAAC;IAChC,2FAA2F;IAC3F,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IACvB,mGAAmG;IACnG,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;CACxB;AAED,MAAM,WAAW,aAAa;IAC5B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;CACxB;AAED;;;GAGG;AACH,wBAAgB,SAAS,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,aAAa,CAAC,CAkBvE"}
|
|
@@ -0,0 +1,25 @@
|
|
|
1
|
+
import { createServer } from 'node:http';
|
|
2
|
+
import { createMcpHttpHandler } from './handler.js';
|
|
3
|
+
/**
|
|
4
|
+
* Start a `node:http` server serving a {@link ServedArtifact} over Streamable HTTP. Binds `127.0.0.1`
|
|
5
|
+
* by default; a real remote deployment binds `0.0.0.0` behind a reverse proxy **and** Phase-3 auth.
|
|
6
|
+
*/
|
|
7
|
+
export function serveHttp(options) {
|
|
8
|
+
const host = options.host ?? '127.0.0.1';
|
|
9
|
+
const endpoint = options.endpoint ?? '/mcp';
|
|
10
|
+
const http = createServer(createMcpHttpHandler(options.target, options));
|
|
11
|
+
return new Promise((resolve, reject) => {
|
|
12
|
+
http.once('error', reject);
|
|
13
|
+
http.listen(options.port ?? 0, host, () => {
|
|
14
|
+
const address = http.address();
|
|
15
|
+
const port = typeof address === 'object' && address ? address.port : (options.port ?? 0);
|
|
16
|
+
resolve({
|
|
17
|
+
http,
|
|
18
|
+
port,
|
|
19
|
+
url: `http://${host}:${port}${endpoint}`,
|
|
20
|
+
close: () => new Promise((res, rej) => http.close((e) => (e ? rej(e) : res()))),
|
|
21
|
+
});
|
|
22
|
+
});
|
|
23
|
+
});
|
|
24
|
+
}
|
|
25
|
+
//# sourceMappingURL=serve.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"serve.js","sourceRoot":"","sources":["../src/serve.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAe,MAAM,WAAW,CAAC;AAEtD,OAAO,EAAE,oBAAoB,EAA2B,MAAM,cAAc,CAAC;AAiB7E;;;GAGG;AACH,MAAM,UAAU,SAAS,CAAC,OAAqB;IAC7C,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,IAAI,WAAW,CAAC;IACzC,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,IAAI,MAAM,CAAC;IAC5C,MAAM,IAAI,GAAG,YAAY,CAAC,oBAAoB,CAAC,OAAO,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;IAEzE,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QAC3B,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC,EAAE,IAAI,EAAE,GAAG,EAAE;YACxC,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,EAAE,CAAC;YAC/B,MAAM,IAAI,GAAG,OAAO,OAAO,KAAK,QAAQ,IAAI,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC,CAAC,CAAC;YACzF,OAAO,CAAC;gBACN,IAAI;gBACJ,IAAI;gBACJ,GAAG,EAAE,UAAU,IAAI,IAAI,IAAI,GAAG,QAAQ,EAAE;gBACxC,KAAK,EAAE,GAAG,EAAE,CAAC,IAAI,OAAO,CAAO,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;aACtF,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC"}
|