palaryn 0.1.0 → 0.3.2

package/src/mcp/http-transport.ts

@@ -0,0 +1,698 @@
+import express from 'express';
+import { randomUUID } from 'crypto';
+import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
+import { StreamableHTTPServerTransport } from '@modelcontextprotocol/sdk/server/streamableHttp.js';
+import { z } from 'zod';
+import { Gateway } from '../server/gateway';
+import { ToolCall, ToolCallArgs, ToolInfo } from '../types/tool-call';
+import { ToolResult } from '../types/tool-result';
+import { internalAuthTokens } from './internal-auth';
+
+// ---------------------------------------------------------------------------
+// Configuration
+// ---------------------------------------------------------------------------
+
+export interface MCPHttpConfig {
+  /** Platform identifier (default: 'mcp_http') */
+  platform?: string;
+  /** Gateway's own base URL — when set, self-referencing requests get the OAuth token injected */
+  gateway_base_url?: string;
+}
+
+interface ResolvedMCPHttpConfig {
+  platform: string;
+  gateway_base_url?: string;
+}
+
+function resolveConfig(config?: MCPHttpConfig): ResolvedMCPHttpConfig {
+  return {
+    platform: config?.platform || 'mcp_http',
+    gateway_base_url: config?.gateway_base_url,
+  };
+}
+
+// ---------------------------------------------------------------------------
+// Auth identity resolution
+// ---------------------------------------------------------------------------
+
+interface IdentityOverride {
+  workspace_id: string;
+  actor_id: string;
+  api_key_tags?: string[];
+  /** Raw OAuth access token — used for self-referencing gateway requests */
+  token?: string;
+}
+
+/**
+ * Resolve the identity for a tool call from the authenticated request context.
+ *
+ * Handles two shapes:
+ * - Legacy (AuthContext from auth middleware): workspace_id/actor_id at top level
+ * - OAuth (MCP AuthInfo from requireBearerAuth): workspace_id/actor_id in .extra
+ *
+ * Returns undefined if authInfo is missing or incomplete. Callers must reject
+ * the request when identity is undefined — no fallback defaults are used.
+ */
+function resolveIdentity(extra?: { authInfo?: unknown }): IdentityOverride | undefined {
+  if (!extra?.authInfo) return undefined;
+  const authInfo = extra.authInfo as Record<string, unknown>;
+
+  // Try top-level (legacy AuthContext shape)
+  let wsId = authInfo.workspace_id;
+  let actorId = authInfo.actor_id;
+
+  // Fall back to .extra (MCP OAuth AuthInfo shape)
+  let apiKeyTags: string[] | undefined;
+  if ((!wsId || !actorId) && authInfo.extra && typeof authInfo.extra === 'object') {
+    const extraObj = authInfo.extra as Record<string, unknown>;
+    wsId = wsId || extraObj.workspace_id;
+    actorId = actorId || extraObj.actor_id;
+    if (Array.isArray(extraObj.api_key_tags)) apiKeyTags = extraObj.api_key_tags as string[];
+  }
+  // Also check top-level api_key_tags (legacy AuthContext shape)
+  if (!apiKeyTags && Array.isArray(authInfo.api_key_tags)) {
+    apiKeyTags = authInfo.api_key_tags as string[];
+  }
+
+  if (typeof wsId === 'string' && wsId && typeof actorId === 'string' && actorId) {
+    const token = typeof authInfo.token === 'string' ? authInfo.token : undefined;
+    return { workspace_id: wsId, actor_id: actorId, api_key_tags: apiKeyTags, token };
+  }
+  return undefined;
+}
+
+// ---------------------------------------------------------------------------
+// Shared helpers (same patterns as bridge.ts)
+// ---------------------------------------------------------------------------
+
+function methodToCapability(method: string): ToolInfo['capability'] {
+  switch (method.toUpperCase()) {
+    case 'GET':
+    case 'HEAD':
+    case 'OPTIONS':
+      return 'read';
+    case 'POST':
+    case 'PUT':
+    case 'PATCH':
+      return 'write';
+    case 'DELETE':
+      return 'delete';
+    default:
+      return 'write';
+  }
+}
+
+function parseBody(body: string): unknown {
+  try {
+    return JSON.parse(body);
+  } catch {
+    return body;
+  }
+}
+
+function buildToolCall(
+  config: ResolvedMCPHttpConfig,
+  params: {
+    toolName: string;
+    capability: ToolInfo['capability'];
+    args: ToolCallArgs;
+    constraints?: { timeout_ms?: number; max_cost_usd?: number };
+    context?: { purpose?: string; labels?: string[] };
+    identity: IdentityOverride;
+  },
+): ToolCall {
+  const wsId = params.identity.workspace_id;
+  const actorId = params.identity.actor_id;
+  const toolCall: ToolCall = {
+    tool_call_id: randomUUID(),
+    task_id: randomUUID(),
+    workspace_id: wsId,
+    actor: { type: 'agent', id: actorId, display: actorId },
+    source: { platform: config.platform },
+    tool: {
+      name: params.toolName,
+      version: '1.0.0',
+      capability: params.capability,
+    },
+    args: params.args,
+    timestamp: new Date().toISOString(),
+  };
+
+  if (params.constraints?.timeout_ms != null || params.constraints?.max_cost_usd != null) {
+    toolCall.constraints = {};
+    if (params.constraints.timeout_ms != null) {
+      toolCall.constraints.timeout_ms = params.constraints.timeout_ms;
+    }
+    if (params.constraints.max_cost_usd != null) {
+      toolCall.constraints.max_cost_usd = params.constraints.max_cost_usd;
+    }
+  }
+
+  if (params.context?.purpose || params.context?.labels) {
+    toolCall.context = {};
+    if (params.context.purpose) {
+      toolCall.context.purpose = params.context.purpose;
+    }
+    if (params.context.labels) {
+      toolCall.context.labels = params.context.labels;
+    }
+  }
+
+  // Merge API key tags into context.labels
+  if (params.identity.api_key_tags && params.identity.api_key_tags.length > 0) {
+    if (!toolCall.context) toolCall.context = {};
+    const existing = toolCall.context.labels || [];
+    toolCall.context.labels = [...new Set([...existing, ...params.identity.api_key_tags])];
+  }
+
+  return toolCall;
+}
+
+/** Store internal auth token for self-referencing gateway requests. */
+function setInternalAuth(
+  config: ResolvedMCPHttpConfig,
+  identity: IdentityOverride,
+  toolCall: ToolCall,
+  targetUrl: string,
+): void {
+  if (config.gateway_base_url && identity.token && targetUrl.startsWith(config.gateway_base_url)) {
+    internalAuthTokens.set(toolCall.tool_call_id, {
+      token: identity.token,
+      gateway_base_url: config.gateway_base_url,
+    });
+  }
+}
+
+function formatResult(result: ToolResult): { content: Array<{ type: 'text'; text: string }>; isError?: boolean } {
+  const isError = result.status === 'error' || result.status === 'blocked';
+
+  let primaryText: string;
+  if (result.error) {
+    primaryText = result.error;
+  } else if (result.output?.body !== undefined) {
+    primaryText =
+      typeof result.output.body === 'string'
+        ? result.output.body
+        : JSON.stringify(result.output.body, null, 2);
+  } else {
+    primaryText = `Request completed with status: ${result.status}`;
+  }
+
+  const metadata = {
+    tool_call_id: result.tool_call_id,
+    task_id: result.task_id,
+    status: result.status,
+    policy: result.policy,
+    dlp: {
+      detected: result.dlp.detected,
+      severity: result.dlp.severity,
+      redaction_count: result.dlp.redactions.length,
+    },
+    budget: result.budget,
+    timing: result.timing,
+    http_status: result.output?.http_status,
+  };
+
+  return {
+    content: [
+      { type: 'text', text: primaryText },
+      { type: 'text', text: `--- Gateway Metadata ---\n${JSON.stringify(metadata, null, 2)}` },
+    ],
+    isError,
+  };
+}
+
+// ---------------------------------------------------------------------------
+// Auth & capability helpers
+// ---------------------------------------------------------------------------
+
+/** Build a standard MCP error result for auth failures. */
+function authRequiredError() {
+  return {
+    content: [{ type: 'text' as const, text: JSON.stringify({ error: 'Authentication required. Provide valid credentials.', error_code: 'AUTH_REQUIRED' }) }],
+    isError: true,
+  };
+}
+
+/**
+ * Check capability-level RBAC permission from the authenticated context.
+ * Returns an error message if permission is denied, or null if allowed.
+ * When authInfo has no permissions array (e.g. auth disabled), returns null (allow).
+ *
+ * Handles both legacy AuthContext (permissions at top level) and
+ * MCP OAuth AuthInfo (permissions in .extra).
+ */
+function checkCapabilityPermission(extra: { authInfo?: unknown }, capability: string): string | null {
+  if (!extra?.authInfo) return null;
+  const authInfo = extra.authInfo as Record<string, unknown>;
+
+  // Try top-level permissions (legacy), then .extra.permissions (OAuth)
+  let permissions = authInfo.permissions as string[] | undefined;
+  if (!permissions && authInfo.extra && typeof authInfo.extra === 'object') {
+    permissions = (authInfo.extra as Record<string, unknown>).permissions as string[] | undefined;
+  }
+  if (!permissions || permissions.length === 0) return null;
+
+  const required = `tool:execute:${capability}`;
+  const hasPermission = permissions.includes(required) ||
+                        permissions.includes('tool:execute') ||
+                        permissions.includes('admin:full');
+  if (!hasPermission) {
+    return `Permission denied: requires ${required}`;
+  }
+  return null;
+}
+
+/** Build a standard MCP error result for permission failures. */
+function permissionDeniedError(message: string) {
+  return {
+    content: [{ type: 'text' as const, text: JSON.stringify({ error: message, error_code: 'AUTH_INSUFFICIENT_PERMS' }) }],
+    isError: true,
+  };
+}
+
+// ---------------------------------------------------------------------------
+// Approval polling — wait for human approval then re-execute
+// ---------------------------------------------------------------------------
+
+const APPROVAL_POLL_INTERVAL_MS = 3000;
+const APPROVAL_POLL_TIMEOUT_MS = 5 * 60 * 1000; // 5 minutes
+
+/**
+ * If a tool call returns `needs_approval`, poll the approval store until it's
+ * resolved (approved/denied/expired) or we hit the timeout. On approval,
+ * re-execute the original tool call — the gateway will find the existing
+ * approval via `findApprovedForTask` and bypass the approval step.
+ */
+async function executeWithApprovalPolling(
+  gateway: Gateway,
+  toolCall: ToolCall,
+): Promise<ToolResult> {
+  const result = await gateway.execute(toolCall);
+
+  const approvalInfo = (result as any).approval;
+  if (result.status !== 'needs_approval' || !approvalInfo?.approval_id) {
+    return result;
+  }
+
+  const approvalId = approvalInfo.approval_id as string;
+  const approvalMgr = gateway.getApprovalManager();
+  const deadline = Date.now() + APPROVAL_POLL_TIMEOUT_MS;
+
+  // Poll until resolved or timeout
+  while (Date.now() < deadline) {
+    await new Promise((resolve) => setTimeout(resolve, APPROVAL_POLL_INTERVAL_MS));
+
+    const approval = approvalMgr.getApproval(approvalId);
+    if (!approval) break; // approval disappeared
+
+    if (approval.status === 'approved') {
+      // Re-execute — gateway.preExecute will find the existing approval
+      // via findApprovedForTask and allow the call through
+      return gateway.execute(toolCall);
+    }
+
+    if (approval.status === 'denied') {
+      return {
+        ...result,
+        status: 'blocked',
+        error: `Request denied by ${approval.resolved_by || 'approver'}${approval.denial_reason ? ': ' + approval.denial_reason : ''}`,
+      };
+    }
+
+    if (approval.status === 'expired') {
+      return {
+        ...result,
+        status: 'blocked',
+        error: 'Approval request expired before it was resolved.',
+      };
+    }
+  }
+
+  // Timeout — return the original needs_approval result so the caller knows
+  return {
+    ...result,
+    error: 'Approval polling timed out after 5 minutes. Approve via the admin panel and retry.',
+  };
+}
+
+// ---------------------------------------------------------------------------
+// MCP Server factory — creates a new McpServer with tools wired to Gateway
+// ---------------------------------------------------------------------------
+
+function createMCPServerInstance(gateway: Gateway, config: ResolvedMCPHttpConfig): McpServer {
+  const server = new McpServer(
+    { name: 'palaryn-mcp', version: '1.0.0' },
+    { capabilities: { tools: {} } },
+  );
+
+  // Shared Zod schemas for tool input
+  const headersSchema = z.record(z.string(), z.string()).optional().describe('HTTP headers as key-value pairs');
+  const timeoutSchema = z.number().optional().describe('Request timeout in milliseconds');
+  const costSchema = z.number().optional().describe('Maximum cost budget for this request in USD');
+  const purposeSchema = z.string().optional().describe('Description of why this request is being made');
+  const labelsSchema = z.array(z.string()).optional().describe('Classification labels for the request');
+
+  // Tool args are typed as Record<string, unknown> due to Zod v4 generic inference
+  // through the MCP SDK. We extract fields with runtime checks matching bridge.ts.
+  type ToolArgs = Record<string, unknown>;
+
+  function extractCommon(a: ToolArgs) {
+    return {
+      constraints: {
+        timeout_ms: typeof a.timeout_ms === 'number' ? a.timeout_ms : undefined,
+        max_cost_usd: typeof a.max_cost_usd === 'number' ? a.max_cost_usd : undefined,
+      },
+      context: {
+        purpose: typeof a.purpose === 'string' ? a.purpose : undefined,
+        labels: Array.isArray(a.labels) ? a.labels : undefined,
+      },
+    };
+  }
+
+  // --- http_request: arbitrary HTTP method ---
+  server.registerTool(
+    'http_request',
+    {
+      description:
+        'Execute an HTTP request through the Palaryn gateway. ' +
+        'Supports all HTTP methods. The request goes through policy evaluation, ' +
+        'DLP scanning, budget checks, and rate limiting before execution.',
+      inputSchema: {
+        url: z.string().describe('The target URL for the HTTP request'),
+        method: z
+          .enum(['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'HEAD', 'OPTIONS'])
+          .optional()
+          .describe('HTTP method (defaults to GET)'),
+        headers: headersSchema,
+        body: z.string().optional().describe('Request body (typically JSON string for POST/PUT/PATCH)'),
+        timeout_ms: timeoutSchema,
+        max_cost_usd: costSchema,
+        purpose: purposeSchema,
+        labels: labelsSchema,
+      },
+      annotations: { title: 'HTTP Request', readOnlyHint: false, destructiveHint: true, openWorldHint: true },
+    },
+    async (a: ToolArgs, extra: { authInfo?: unknown }) => {
+      const identity = resolveIdentity(extra);
+      if (!identity) return authRequiredError();
+
+      const method = (typeof a.method === 'string' ? a.method : 'GET').toUpperCase();
+      const capability = methodToCapability(method);
+      const capError = checkCapabilityPermission(extra, capability);
+      if (capError) return permissionDeniedError(capError);
+
+      const { constraints, context } = extractCommon(a);
+      const toolCall = buildToolCall(config, {
+        toolName: 'http.request',
+        capability,
+        args: {
+          method,
+          url: a.url as string,
+          headers: a.headers as Record<string, string> | undefined,
+          body: typeof a.body === 'string' ? parseBody(a.body) : undefined,
+        },
+        constraints,
+        context,
+        identity,
+      });
+      setInternalAuth(config, identity, toolCall, a.url as string);
+      return formatResult(await executeWithApprovalPolling(gateway, toolCall));
+    },
+  );
+
+  // --- http_get: GET shorthand ---
+  server.registerTool(
+    'http_get',
+    {
+      description:
+        'Execute an HTTP GET request through the Palaryn gateway. ' +
+        'Shorthand for http_request with method=GET. The request goes through ' +
+        'policy evaluation, DLP scanning, budget checks, and rate limiting.',
+      inputSchema: {
+        url: z.string().describe('The target URL for the GET request'),
+        headers: headersSchema,
+        timeout_ms: timeoutSchema,
+        max_cost_usd: costSchema,
+        purpose: purposeSchema,
+        labels: labelsSchema,
+      },
+      annotations: { title: 'HTTP GET', readOnlyHint: true, destructiveHint: false, openWorldHint: true },
+    },
+    async (a: ToolArgs, extra: { authInfo?: unknown }) => {
+      const identity = resolveIdentity(extra);
+      if (!identity) return authRequiredError();
+
+      const capError = checkCapabilityPermission(extra, 'read');
+      if (capError) return permissionDeniedError(capError);
+
+      const { constraints, context } = extractCommon(a);
+      const toolCall = buildToolCall(config, {
+        toolName: 'http.get',
+        capability: 'read',
+        args: {
+          method: 'GET',
+          url: a.url as string,
+          headers: a.headers as Record<string, string> | undefined,
+        },
+        constraints,
+        context,
+        identity,
+      });
+      setInternalAuth(config, identity, toolCall, a.url as string);
+      return formatResult(await executeWithApprovalPolling(gateway, toolCall));
+    },
+  );
+
+  // --- http_post: POST shorthand ---
+  server.registerTool(
+    'http_post',
+    {
+      description:
+        'Execute an HTTP POST request through the Palaryn gateway. ' +
+        'Shorthand for http_request with method=POST. The request goes through ' +
+        'policy evaluation, DLP scanning, budget checks, and rate limiting.',
+      inputSchema: {
+        url: z.string().describe('The target URL for the POST request'),
+        headers: headersSchema,
+        body: z.string().optional().describe('Request body (typically a JSON string)'),
+        timeout_ms: timeoutSchema,
+        max_cost_usd: costSchema,
+        purpose: purposeSchema,
+        labels: labelsSchema,
+      },
+      annotations: { title: 'HTTP POST', readOnlyHint: false, destructiveHint: false, openWorldHint: true },
+    },
+    async (a: ToolArgs, extra: { authInfo?: unknown }) => {
+      const identity = resolveIdentity(extra);
+      if (!identity) return authRequiredError();
+
+      const capError = checkCapabilityPermission(extra, 'write');
+      if (capError) return permissionDeniedError(capError);
+
+      const { constraints, context } = extractCommon(a);
+      const toolCall = buildToolCall(config, {
+        toolName: 'http.post',
+        capability: 'write',
+        args: {
+          method: 'POST',
+          url: a.url as string,
+          headers: a.headers as Record<string, string> | undefined,
+          body: typeof a.body === 'string' ? parseBody(a.body) : undefined,
+        },
+        constraints,
+        context,
+        identity,
+      });
+      setInternalAuth(config, identity, toolCall, a.url as string);
+      return formatResult(await executeWithApprovalPolling(gateway, toolCall));
+    },
+  );
+
+  return server;
+}
+
+// ---------------------------------------------------------------------------
+// Express router factory
+// ---------------------------------------------------------------------------
+
+/**
+ * Creates an Express router that serves an MCP HTTP transport endpoint.
+ *
+ * Uses the Streamable HTTP transport from the MCP SDK with stateful sessions.
+ * Each MCP client session gets its own transport and server instance.
+ *
+ * Auth middleware must always be mounted upstream of this router. The transport
+ * reads authenticated identity from `extra.authInfo` (set by the MCP SDK from
+ * `req.auth`). When auth is disabled globally, the auth middleware still sets
+ * an anonymous identity which RBAC allows through.
+ *
+ * Mount at `/mcp`:
+ * ```typescript
+ * const { router } = createMCPHttpHandler(gateway);
+ * app.use('/mcp', authMiddleware, rbacToolExecute, router);
+ * ```
+ *
+ * Clients connect via: `claude mcp add palaryn --url https://host/mcp`
+ */
+export const MAX_SESSIONS = 1000;
+export const SESSION_TIMEOUT_MS = 30 * 60 * 1000; // 30 minutes
+
+export function createMCPHttpHandler(
+  gateway: Gateway,
+  config?: MCPHttpConfig,
+): { router: express.Router; close: () => Promise<void> } {
+  const resolvedConfig = resolveConfig(config);
+  const sessions = new Map<string, { transport: StreamableHTTPServerTransport; server: McpServer }>();
+  const sessionActivity = new Map<string, number>();
+
+  // Periodic cleanup of idle sessions
+  const cleanupInterval = setInterval(() => {
+    const now = Date.now();
+    for (const [id, lastActive] of sessionActivity) {
+      if (now - lastActive > SESSION_TIMEOUT_MS) {
+        const session = sessions.get(id);
+        if (session) {
+          session.server.close().catch(() => {});
+          sessions.delete(id);
+          sessionActivity.delete(id);
+        }
+      }
+    }
+  }, 60000);
+  cleanupInterval.unref();
+
+  const router = express.Router();
+
+  // POST /mcp — initialize new session or send requests to existing session
+  router.post('/', async (req, res) => {
+    try {
+      const sessionId = req.headers['mcp-session-id'] as string | undefined;
+
+      if (sessionId) {
+        // Session ID provided — route to existing session
+        const session = sessions.get(sessionId);
+        if (!session) {
+          res.status(404).json({
+            jsonrpc: '2.0',
+            error: { code: -32000, message: 'Session not found. The session may have expired.' },
+            id: null,
+          });
+          return;
+        }
+        sessionActivity.set(sessionId, Date.now());
+        await session.transport.handleRequest(req, res, req.body);
+        return;
+      }
+
+      // Enforce session limit — evict oldest inactive session if at capacity
+      if (sessions.size >= MAX_SESSIONS) {
+        let oldestId: string | null = null;
+        let oldestTime = Infinity;
+        for (const [id, time] of sessionActivity) {
+          if (time < oldestTime) {
+            oldestTime = time;
+            oldestId = id;
+          }
+        }
+        if (oldestId) {
+          const old = sessions.get(oldestId);
+          if (old) old.server.close().catch(() => {});
+          sessions.delete(oldestId);
+          sessionActivity.delete(oldestId);
+        }
+      }
+
+      // No session ID — create new session (initialize request)
+      const transport = new StreamableHTTPServerTransport({
+        sessionIdGenerator: () => randomUUID(),
+        onsessioninitialized: (id) => {
+          sessions.set(id, { transport, server });
+          sessionActivity.set(id, Date.now());
+        },
+        onsessionclosed: (id) => {
+          sessions.delete(id);
+          sessionActivity.delete(id);
+        },
+      });
+      const server = createMCPServerInstance(gateway, resolvedConfig);
+      await server.connect(transport);
+      await transport.handleRequest(req, res, req.body);
+    } catch (err) {
+      if (!res.headersSent) {
+        console.error('[mcp] POST /mcp error:', err);
+        res.status(500).json({
+          jsonrpc: '2.0',
+          error: { code: -32603, message: 'Internal error' },
+          id: null,
+        });
+      }
+    }
+  });
+
+  // GET /mcp — SSE stream for server-to-client notifications
+  router.get('/', async (req, res) => {
+    try {
+      const sessionId = req.headers['mcp-session-id'] as string | undefined;
+      if (!sessionId || !sessions.has(sessionId)) {
+        res.status(400).json({
+          jsonrpc: '2.0',
+          error: { code: -32000, message: 'Invalid or missing session ID.' },
+          id: null,
+        });
+        return;
+      }
+      sessionActivity.set(sessionId, Date.now());
+      const session = sessions.get(sessionId)!;
+      await session.transport.handleRequest(req, res);
+    } catch (err) {
+      if (!res.headersSent) {
+        console.error('[mcp] GET /mcp error:', err);
+        res.status(500).json({
+          jsonrpc: '2.0',
+          error: { code: -32603, message: 'Internal error' },
+          id: null,
+        });
+      }
+    }
+  });
+
+  // DELETE /mcp — session cleanup
+  router.delete('/', async (req, res) => {
+    try {
+      const sessionId = req.headers['mcp-session-id'] as string | undefined;
+      if (!sessionId || !sessions.has(sessionId)) {
+        res.status(404).json({
+          jsonrpc: '2.0',
+          error: { code: -32000, message: 'Session not found.' },
+          id: null,
+        });
+        return;
+      }
+      const session = sessions.get(sessionId)!;
+      await session.transport.handleRequest(req, res);
+      // onsessionclosed callback handles map cleanup
+    } catch (err) {
+      if (!res.headersSent) {
+        console.error('[mcp] DELETE /mcp error:', err);
+        res.status(500).json({
+          jsonrpc: '2.0',
+          error: { code: -32603, message: 'Internal error' },
+          id: null,
+        });
+      }
+    }
+  });
+
+  // Close all sessions — call on server shutdown
+  const close = async () => {
+    clearInterval(cleanupInterval);
+    for (const [, session] of sessions) {
+      await session.server.close();
+    }
+    sessions.clear();
+    sessionActivity.clear();
+  };
+
+  return { router, close };
+}

package/src/mcp/index.ts

@@ -0,0 +1,9 @@
+export { MCPBridge, startMCPBridge } from './bridge';
+export type { MCPBridgeConfig } from './bridge';
+export { createMCPHttpHandler } from './http-transport';
+export type { MCPHttpConfig } from './http-transport';
+export { PalarynOAuthProvider } from './oauth-provider';
+export type { PalarynOAuthProviderDeps } from './oauth-provider';
+export { HybridTokenVerifier } from './auth-verifier';
+export type { HybridVerifierDeps } from './auth-verifier';
+export { OAuthClientsStore, AuthCodeStore, OAuthTokenStore } from './oauth-stores';