npm - palaryn - Versions diffs - 0.1.0 → 0.3.2 - Mend

palaryn 0.1.0 → 0.3.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (344) hide show

package/README.md +243 -588
package/dist/sdk/typescript/src/client.js +2 -2
package/dist/sdk/typescript/src/client.js.map +1 -1
package/dist/src/anomaly/detector.d.ts +7 -4
package/dist/src/anomaly/detector.d.ts.map +1 -1
package/dist/src/anomaly/detector.js +22 -12
package/dist/src/anomaly/detector.js.map +1 -1
package/dist/src/audit/logger.d.ts +10 -0
package/dist/src/audit/logger.d.ts.map +1 -1
package/dist/src/audit/logger.js +52 -38
package/dist/src/audit/logger.js.map +1 -1
package/dist/src/auth/routes.d.ts.map +1 -1
package/dist/src/auth/routes.js +35 -0
package/dist/src/auth/routes.js.map +1 -1
package/dist/src/budget/manager.d.ts +5 -0
package/dist/src/budget/manager.d.ts.map +1 -1
package/dist/src/budget/manager.js +32 -0
package/dist/src/budget/manager.js.map +1 -1
package/dist/src/budget/model-pricing.d.ts +20 -0
package/dist/src/budget/model-pricing.d.ts.map +1 -0
package/dist/src/budget/model-pricing.js +107 -0
package/dist/src/budget/model-pricing.js.map +1 -0
package/dist/src/budget/usage-extractor.d.ts +3 -1
package/dist/src/budget/usage-extractor.d.ts.map +1 -1
package/dist/src/budget/usage-extractor.js +47 -3
package/dist/src/budget/usage-extractor.js.map +1 -1
package/dist/src/config/defaults.d.ts.map +1 -1
package/dist/src/config/defaults.js +65 -13
package/dist/src/config/defaults.js.map +1 -1
package/dist/src/dlp/tool-patterns.d.ts +7 -0
package/dist/src/dlp/tool-patterns.d.ts.map +1 -0
package/dist/src/dlp/tool-patterns.js +34 -0
package/dist/src/dlp/tool-patterns.js.map +1 -0
package/dist/src/executor/filesystem-executor.d.ts +28 -0
package/dist/src/executor/filesystem-executor.d.ts.map +1 -0
package/dist/src/executor/filesystem-executor.js +192 -0
package/dist/src/executor/filesystem-executor.js.map +1 -0
package/dist/src/executor/http-executor.d.ts.map +1 -1
package/dist/src/executor/http-executor.js +22 -2
package/dist/src/executor/http-executor.js.map +1 -1
package/dist/src/executor/index.d.ts +4 -0
package/dist/src/executor/index.d.ts.map +1 -1
package/dist/src/executor/index.js +9 -1
package/dist/src/executor/index.js.map +1 -1
package/dist/src/executor/shell-executor.d.ts +22 -0
package/dist/src/executor/shell-executor.d.ts.map +1 -0
package/dist/src/executor/shell-executor.js +119 -0
package/dist/src/executor/shell-executor.js.map +1 -0
package/dist/src/executor/sql-executor.d.ts +29 -0
package/dist/src/executor/sql-executor.d.ts.map +1 -0
package/dist/src/executor/sql-executor.js +114 -0
package/dist/src/executor/sql-executor.js.map +1 -0
package/dist/src/executor/websocket-executor.d.ts +26 -0
package/dist/src/executor/websocket-executor.d.ts.map +1 -0
package/dist/src/executor/websocket-executor.js +205 -0
package/dist/src/executor/websocket-executor.js.map +1 -0
package/dist/src/interceptor/index.d.ts +2 -0
package/dist/src/interceptor/index.d.ts.map +1 -0
package/dist/src/interceptor/index.js +6 -0
package/dist/src/interceptor/index.js.map +1 -0
package/dist/src/interceptor/provider-interceptor.d.ts +36 -0
package/dist/src/interceptor/provider-interceptor.d.ts.map +1 -0
package/dist/src/interceptor/provider-interceptor.js +302 -0
package/dist/src/interceptor/provider-interceptor.js.map +1 -0
package/dist/src/mcp/auth-verifier.d.ts.map +1 -1
package/dist/src/mcp/auth-verifier.js +3 -2
package/dist/src/mcp/auth-verifier.js.map +1 -1
package/dist/src/mcp/bridge.d.ts +14 -10
package/dist/src/mcp/bridge.d.ts.map +1 -1
package/dist/src/mcp/bridge.js +51 -227
package/dist/src/mcp/bridge.js.map +1 -1
package/dist/src/mcp/http-transport.d.ts +2 -0
package/dist/src/mcp/http-transport.d.ts.map +1 -1
package/dist/src/mcp/http-transport.js +117 -66
package/dist/src/mcp/http-transport.js.map +1 -1
package/dist/src/mcp/internal-auth.d.ts +13 -0
package/dist/src/mcp/internal-auth.d.ts.map +1 -0
package/dist/src/mcp/internal-auth.js +12 -0
package/dist/src/mcp/internal-auth.js.map +1 -0
package/dist/src/mcp/tool-definitions.d.ts +41 -0
package/dist/src/mcp/tool-definitions.d.ts.map +1 -0
package/dist/src/mcp/tool-definitions.js +491 -0
package/dist/src/mcp/tool-definitions.js.map +1 -0
package/dist/src/middleware/auth.js.map +1 -1
package/dist/src/middleware/session.js.map +1 -1
package/dist/src/middleware/validate.d.ts +8 -0
package/dist/src/middleware/validate.d.ts.map +1 -1
package/dist/src/middleware/validate.js +45 -0
package/dist/src/middleware/validate.js.map +1 -1
package/dist/src/policy/engine.d.ts +4 -0
package/dist/src/policy/engine.d.ts.map +1 -1
package/dist/src/policy/engine.js +117 -0
package/dist/src/policy/engine.js.map +1 -1
package/dist/src/saas/routes.d.ts.map +1 -1
package/dist/src/saas/routes.js +355 -22
package/dist/src/saas/routes.js.map +1 -1
package/dist/src/server/app.d.ts.map +1 -1
package/dist/src/server/app.js +24 -3
package/dist/src/server/app.js.map +1 -1
package/dist/src/server/gateway.d.ts.map +1 -1
package/dist/src/server/gateway.js +17 -0
package/dist/src/server/gateway.js.map +1 -1
package/dist/src/server/index.d.ts.map +1 -1
package/dist/src/server/index.js +18 -0
package/dist/src/server/index.js.map +1 -1
package/dist/src/storage/interfaces.d.ts +14 -3
package/dist/src/storage/interfaces.d.ts.map +1 -1
package/dist/src/storage/memory.d.ts +2 -0
package/dist/src/storage/memory.d.ts.map +1 -1
package/dist/src/storage/memory.js +6 -0
package/dist/src/storage/memory.js.map +1 -1
package/dist/src/storage/postgres.d.ts +5 -0
package/dist/src/storage/postgres.d.ts.map +1 -1
package/dist/src/storage/postgres.js +16 -0
package/dist/src/storage/postgres.js.map +1 -1
package/dist/src/storage/redis.d.ts +10 -0
package/dist/src/storage/redis.d.ts.map +1 -1
package/dist/src/storage/redis.js +65 -0
package/dist/src/storage/redis.js.map +1 -1
package/dist/src/types/budget.d.ts +4 -0
package/dist/src/types/budget.d.ts.map +1 -1
package/dist/src/types/config.d.ts +58 -0
package/dist/src/types/config.d.ts.map +1 -1
package/dist/src/types/events.d.ts +1 -0
package/dist/src/types/events.d.ts.map +1 -1
package/dist/src/types/policy.d.ts +11 -1
package/dist/src/types/policy.d.ts.map +1 -1
package/dist/src/types/tool-result.d.ts +11 -0
package/dist/src/types/tool-result.d.ts.map +1 -1
package/dist/tests/unit/app-routes.test.d.ts +2 -0
package/dist/tests/unit/app-routes.test.d.ts.map +1 -0
package/dist/tests/unit/app-routes.test.js +715 -0
package/dist/tests/unit/app-routes.test.js.map +1 -0
package/dist/tests/unit/audit-logger.test.js +105 -0
package/dist/tests/unit/audit-logger.test.js.map +1 -1
package/dist/tests/unit/auth-providers.test.d.ts +2 -0
package/dist/tests/unit/auth-providers.test.d.ts.map +1 -0
package/dist/tests/unit/auth-providers.test.js +279 -0
package/dist/tests/unit/auth-providers.test.js.map +1 -0
package/dist/tests/unit/auth-routes-extended.test.d.ts +2 -0
package/dist/tests/unit/auth-routes-extended.test.d.ts.map +1 -0
package/dist/tests/unit/auth-routes-extended.test.js +993 -0
package/dist/tests/unit/auth-routes-extended.test.js.map +1 -0
package/dist/tests/unit/auth-verifier.test.d.ts +2 -0
package/dist/tests/unit/auth-verifier.test.d.ts.map +1 -0
package/dist/tests/unit/auth-verifier.test.js +505 -0
package/dist/tests/unit/auth-verifier.test.js.map +1 -0
package/dist/tests/unit/billing-routes.test.d.ts +2 -0
package/dist/tests/unit/billing-routes.test.d.ts.map +1 -0
package/dist/tests/unit/billing-routes.test.js +432 -0
package/dist/tests/unit/billing-routes.test.js.map +1 -0
package/dist/tests/unit/config-defaults.test.d.ts +2 -0
package/dist/tests/unit/config-defaults.test.d.ts.map +1 -0
package/dist/tests/unit/config-defaults.test.js +119 -0
package/dist/tests/unit/config-defaults.test.js.map +1 -0
package/dist/tests/unit/defaults.test.js +0 -10
package/dist/tests/unit/defaults.test.js.map +1 -1
package/dist/tests/unit/filesystem-executor.test.d.ts +2 -0
package/dist/tests/unit/filesystem-executor.test.d.ts.map +1 -0
package/dist/tests/unit/filesystem-executor.test.js +280 -0
package/dist/tests/unit/filesystem-executor.test.js.map +1 -0
package/dist/tests/unit/gateway-branches.test.d.ts +2 -0
package/dist/tests/unit/gateway-branches.test.d.ts.map +1 -0
package/dist/tests/unit/gateway-branches.test.js +1039 -0
package/dist/tests/unit/gateway-branches.test.js.map +1 -0
package/dist/tests/unit/http-executor-branches.test.d.ts +2 -0
package/dist/tests/unit/http-executor-branches.test.d.ts.map +1 -0
package/dist/tests/unit/http-executor-branches.test.js +495 -0
package/dist/tests/unit/http-executor-branches.test.js.map +1 -0
package/dist/tests/unit/logger.test.d.ts +2 -0
package/dist/tests/unit/logger.test.d.ts.map +1 -0
package/dist/tests/unit/logger.test.js +97 -0
package/dist/tests/unit/logger.test.js.map +1 -0
package/dist/tests/unit/mcp-internal-auth.test.d.ts +2 -0
package/dist/tests/unit/mcp-internal-auth.test.d.ts.map +1 -0
package/dist/tests/unit/mcp-internal-auth.test.js +445 -0
package/dist/tests/unit/mcp-internal-auth.test.js.map +1 -0
package/dist/tests/unit/metrics.test.js +102 -0
package/dist/tests/unit/metrics.test.js.map +1 -1
package/dist/tests/unit/model-pricing.test.d.ts +2 -0
package/dist/tests/unit/model-pricing.test.d.ts.map +1 -0
package/dist/tests/unit/model-pricing.test.js +87 -0
package/dist/tests/unit/model-pricing.test.js.map +1 -0
package/dist/tests/unit/oauth-stores.test.d.ts +2 -0
package/dist/tests/unit/oauth-stores.test.d.ts.map +1 -0
package/dist/tests/unit/oauth-stores.test.js +260 -0
package/dist/tests/unit/oauth-stores.test.js.map +1 -0
package/dist/tests/unit/policy-engine.test.js +466 -0
package/dist/tests/unit/policy-engine.test.js.map +1 -1
package/dist/tests/unit/provider-interceptor.test.d.ts +2 -0
package/dist/tests/unit/provider-interceptor.test.d.ts.map +1 -0
package/dist/tests/unit/provider-interceptor.test.js +472 -0
package/dist/tests/unit/provider-interceptor.test.js.map +1 -0
package/dist/tests/unit/saas-routes-branches.test.d.ts +2 -0
package/dist/tests/unit/saas-routes-branches.test.d.ts.map +1 -0
package/dist/tests/unit/saas-routes-branches.test.js +2165 -0
package/dist/tests/unit/saas-routes-branches.test.js.map +1 -0
package/dist/tests/unit/saas-routes-crud.test.d.ts +2 -0
package/dist/tests/unit/saas-routes-crud.test.d.ts.map +1 -0
package/dist/tests/unit/saas-routes-crud.test.js +332 -0
package/dist/tests/unit/saas-routes-crud.test.js.map +1 -0
package/dist/tests/unit/saas-routes-data.test.d.ts +2 -0
package/dist/tests/unit/saas-routes-data.test.d.ts.map +1 -0
package/dist/tests/unit/saas-routes-data.test.js +405 -0
package/dist/tests/unit/saas-routes-data.test.js.map +1 -0
package/dist/tests/unit/saas-routes.test.js +3 -3
package/dist/tests/unit/saas-routes.test.js.map +1 -1
package/dist/tests/unit/shell-executor.test.d.ts +2 -0
package/dist/tests/unit/shell-executor.test.d.ts.map +1 -0
package/dist/tests/unit/shell-executor.test.js +145 -0
package/dist/tests/unit/shell-executor.test.js.map +1 -0
package/dist/tests/unit/sql-executor.test.d.ts +2 -0
package/dist/tests/unit/sql-executor.test.d.ts.map +1 -0
package/dist/tests/unit/sql-executor.test.js +177 -0
package/dist/tests/unit/sql-executor.test.js.map +1 -0
package/dist/tests/unit/stream-proxy.test.d.ts +2 -0
package/dist/tests/unit/stream-proxy.test.d.ts.map +1 -0
package/dist/tests/unit/stream-proxy.test.js +147 -0
package/dist/tests/unit/stream-proxy.test.js.map +1 -0
package/dist/tests/unit/tool-definitions.test.d.ts +2 -0
package/dist/tests/unit/tool-definitions.test.d.ts.map +1 -0
package/dist/tests/unit/tool-definitions.test.js +184 -0
package/dist/tests/unit/tool-definitions.test.js.map +1 -0
package/dist/tests/unit/usage-extractor.test.js +140 -0
package/dist/tests/unit/usage-extractor.test.js.map +1 -1
package/dist/tests/unit/webhook-handler.test.d.ts +2 -0
package/dist/tests/unit/webhook-handler.test.d.ts.map +1 -0
package/dist/tests/unit/webhook-handler.test.js +453 -0
package/dist/tests/unit/webhook-handler.test.js.map +1 -0
package/dist/tests/unit/webhook-routes.test.d.ts +2 -0
package/dist/tests/unit/webhook-routes.test.d.ts.map +1 -0
package/dist/tests/unit/webhook-routes.test.js +69 -0
package/dist/tests/unit/webhook-routes.test.js.map +1 -0
package/dist/tests/unit/websocket-executor.test.d.ts +2 -0
package/dist/tests/unit/websocket-executor.test.d.ts.map +1 -0
package/dist/tests/unit/websocket-executor.test.js +121 -0
package/dist/tests/unit/websocket-executor.test.js.map +1 -0
package/package.json +8 -2
package/policy-packs/demo_fail.yaml +41 -0
package/policy-packs/full_tools.yaml +136 -0
package/src/admin/index.ts +1 -0
package/src/admin/routes.ts +509 -0
package/src/admin/templates.ts +572 -0
package/src/anomaly/detector.ts +730 -0
package/src/anomaly/index.ts +1 -0
package/src/approval/manager.ts +569 -0
package/src/approval/webhook.ts +133 -0
package/src/audit/logger.ts +490 -0
package/src/auth/index.ts +5 -0
package/src/auth/password.ts +21 -0
package/src/auth/pkce.ts +22 -0
package/src/auth/providers.ts +208 -0
package/src/auth/routes.ts +561 -0
package/src/auth/session.ts +84 -0
package/src/billing/index.ts +6 -0
package/src/billing/plan-enforcer.ts +135 -0
package/src/billing/routes.ts +229 -0
package/src/billing/stripe-client.ts +58 -0
package/src/billing/webhook-handler.ts +182 -0
package/src/billing/webhook-routes.ts +28 -0
package/src/budget/manager.ts +679 -0
package/src/budget/model-pricing.ts +119 -0
package/src/budget/usage-extractor.ts +214 -0
package/src/cli.ts +91 -0
package/src/config/defaults.ts +261 -0
package/src/config/validate.ts +88 -0
package/src/dlp/composite-scanner.ts +213 -0
package/src/dlp/index.ts +9 -0
package/src/dlp/interfaces.ts +34 -0
package/src/dlp/patterns.ts +30 -0
package/src/dlp/prompt-injection-backend.ts +181 -0
package/src/dlp/prompt-injection-patterns.ts +302 -0
package/src/dlp/regex-backend.ts +181 -0
package/src/dlp/scanner.ts +502 -0
package/src/dlp/text-normalizer.ts +225 -0
package/src/dlp/tool-patterns.ts +35 -0
package/src/dlp/trufflehog-backend.ts +190 -0
package/src/executor/filesystem-executor.ts +196 -0
package/src/executor/http-executor.ts +349 -0
package/src/executor/index.ts +9 -0
package/src/executor/interfaces.ts +11 -0
package/src/executor/noop-executor.ts +23 -0
package/src/executor/registry.ts +64 -0
package/src/executor/shell-executor.ts +148 -0
package/src/executor/slack-executor.ts +176 -0
package/src/executor/sql-executor.ts +146 -0
package/src/executor/websocket-executor.ts +211 -0
package/src/index.ts +24 -0
package/src/interceptor/index.ts +1 -0
package/src/interceptor/provider-interceptor.ts +315 -0
package/src/mcp/auth-verifier.ts +152 -0
package/src/mcp/bridge.ts +703 -0
package/src/mcp/http-transport.ts +698 -0
package/src/mcp/index.ts +9 -0
package/src/mcp/internal-auth.ts +14 -0
package/src/mcp/oauth-pages.ts +139 -0
package/src/mcp/oauth-postgres-stores.ts +278 -0
package/src/mcp/oauth-provider.ts +536 -0
package/src/mcp/oauth-stores.ts +202 -0
package/src/mcp/server.ts +55 -0
package/src/mcp/tool-definitions.ts +562 -0
package/src/metrics/collector.ts +357 -0
package/src/metrics/index.ts +1 -0
package/src/middleware/auth.ts +814 -0
package/src/middleware/session.ts +85 -0
package/src/middleware/validate.ts +130 -0
package/src/policy/engine.ts +815 -0
package/src/policy/index.ts +2 -0
package/src/policy/opa-engine.ts +829 -0
package/src/proxy/forward-proxy.ts +649 -0
package/src/proxy/index.ts +1 -0
package/src/ratelimit/limiter.ts +196 -0
package/src/replay/engine.ts +142 -0
package/src/replay/index.ts +1 -0
package/src/saas/index.ts +1 -0
package/src/saas/routes.ts +2178 -0
package/src/server/app.ts +985 -0
package/src/server/errors.ts +49 -0
package/src/server/gateway.ts +1130 -0
package/src/server/index.ts +307 -0
package/src/server/logger.ts +255 -0
package/src/server/stream-proxy.ts +202 -0
package/src/storage/file-persistence.ts +315 -0
package/src/storage/index.ts +4 -0
package/src/storage/interfaces.ts +287 -0
package/src/storage/memory.ts +686 -0
package/src/storage/postgres.ts +1831 -0
package/src/storage/redis.ts +835 -0
package/src/tracing/index.ts +1 -0
package/src/tracing/provider.ts +100 -0
package/src/trust/calculator.ts +141 -0
package/src/trust/index.ts +7 -0
package/src/types/budget.ts +36 -0
package/src/types/config.ts +278 -0
package/src/types/events.ts +41 -0
package/src/types/express.d.ts +14 -0
package/src/types/index.ts +7 -0
package/src/types/policy.ts +83 -0
package/src/types/stripe-config.ts +11 -0
package/src/types/subscription.ts +59 -0
package/src/types/tool-call.ts +47 -0
package/src/types/tool-result.ts +82 -0
package/src/types/user.ts +125 -0
package/tsconfig.json +24 -0

package/src/mcp/internal-auth.ts ADDED Viewed

@@ -0,0 +1,14 @@
+/**
+ * Side-channel for passing MCP OAuth tokens to the HttpExecutor without
+ * polluting ToolCall.args (which would trigger DLP and leak into audit logs).
+ *
+ * Keyed by `tool_call_id` — the MCP handler sets an entry before gateway.execute(),
+ * and the HttpExecutor consumes (and deletes) it during request execution.
+ */
+export interface InternalAuthEntry {
+  token: string;
+  gateway_base_url: string;
+}
+export const internalAuthTokens = new Map<string, InternalAuthEntry>();

package/src/mcp/oauth-pages.ts ADDED Viewed

@@ -0,0 +1,139 @@
+/**
+ * Server-rendered HTML pages for MCP OAuth 2.0 consent flow.
+ * Follows the same pattern as src/admin/templates.ts.
+ */
+function escapeHtml(str: string): string {
+  return String(str)
+    .replace(/&/g, '&amp;')
+    .replace(/</g, '&lt;')
+    .replace(/>/g, '&gt;')
+    .replace(/"/g, '&quot;')
+    .replace(/'/g, '&#039;');
+}
+export interface ConsentPageParams {
+  clientName: string;
+  scopes: string[];
+  workspaces: { id: string; name: string; slug: string }[];
+  /** Hidden fields to pass through the OAuth params */
+  clientId: string;
+  redirectUri: string;
+  state?: string;
+  codeChallenge: string;
+  /** CSRF token */
+  csrfToken: string;
+}
+export function renderConsentPage(params: ConsentPageParams): string {
+  const workspaceOptions = params.workspaces
+    .map(
+      (w) =>
+        `<option value="${escapeHtml(w.id)}">${escapeHtml(w.name)} (${escapeHtml(w.slug)})</option>`,
+    )
+    .join('\n');
+  const scopeList = params.scopes
+    .map((s) => `<li>${escapeHtml(s)}</li>`)
+    .join('\n');
+  return `<!DOCTYPE html>
+<html>
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'unsafe-inline'; style-src 'unsafe-inline'; form-action 'self' http://localhost:* http://127.0.0.1:*">
+  <title>Authorize - Palaryn</title>
+  <style>
+    * { margin: 0; padding: 0; box-sizing: border-box; }
+    body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; background: #f5f7fa; display: flex; align-items: center; justify-content: center; min-height: 100vh; }
+    .card { background: #fff; border-radius: 12px; padding: 32px; max-width: 440px; width: 100%; box-shadow: 0 4px 24px rgba(0,0,0,0.08); }
+    .logo { font-size: 20px; font-weight: 700; color: #1a1d23; margin-bottom: 4px; }
+    .subtitle { font-size: 14px; color: #6b7280; margin-bottom: 24px; }
+    .client-name { font-weight: 600; color: #1a1d23; }
+    .section-label { font-size: 13px; font-weight: 600; color: #374151; margin-bottom: 8px; }
+    .scope-list { list-style: none; margin-bottom: 20px; }
+    .scope-list li { padding: 6px 0; font-size: 14px; color: #4b5563; }
+    .scope-list li::before { content: "\\2713"; color: #10b981; margin-right: 8px; font-weight: 700; }
+    select { width: 100%; padding: 10px 12px; border: 1px solid #d1d5db; border-radius: 8px; font-size: 14px; margin-bottom: 24px; background: #fff; }
+    .btn-row { display: flex; gap: 12px; }
+    .btn { flex: 1; padding: 10px; border: none; border-radius: 8px; font-size: 14px; font-weight: 600; cursor: pointer; }
+    .btn-primary { background: #3b82f6; color: #fff; }
+    .btn-primary:hover { background: #2563eb; }
+    .btn-secondary { background: #f3f4f6; color: #374151; }
+    .btn-secondary:hover { background: #e5e7eb; }
+  </style>
+</head>
+<body>
+  <div class="card">
+    <div class="logo">Palaryn</div>
+    <div class="subtitle">
+      <span class="client-name">${escapeHtml(params.clientName)}</span> wants to access your account
+    </div>
+    <div class="section-label">Permissions requested</div>
+    <ul class="scope-list">
+      ${scopeList || '<li>Execute tool calls through the gateway</li>'}
+    </ul>
+    <form method="POST" action="/authorize/decision">
+      <input type="hidden" name="client_id" value="${escapeHtml(params.clientId)}">
+      <input type="hidden" name="redirect_uri" value="${escapeHtml(params.redirectUri)}">
+      <input type="hidden" name="state" value="${escapeHtml(params.state || '')}">
+      <input type="hidden" name="code_challenge" value="${escapeHtml(params.codeChallenge)}">
+      <input type="hidden" name="scopes" value="${escapeHtml(params.scopes.join(' '))}">
+      <input type="hidden" name="csrf_token" value="${escapeHtml(params.csrfToken)}">
+      ${
+        params.workspaces.length > 1
+          ? `<div class="section-label">Workspace</div>
+             <select name="workspace_id">${workspaceOptions}</select>`
+          : `<input type="hidden" name="workspace_id" value="${escapeHtml(params.workspaces[0]?.id || '')}">`
+      }
+      <div class="btn-row">
+        <button type="submit" name="decision" value="deny" class="btn btn-secondary">Deny</button>
+        <button type="submit" name="decision" value="approve" class="btn btn-primary" id="approve-btn">Approve</button>
+      </div>
+    </form>
+  </div>
+  <script>
+    document.querySelector('form').addEventListener('submit', function(e) {
+      var form = this;
+      setTimeout(function() {
+        var btns = form.querySelectorAll('button');
+        for (var i = 0; i < btns.length; i++) { btns[i].disabled = true; }
+        document.getElementById('approve-btn').textContent = 'Authorizing...';
+      }, 0);
+    });
+  </script>
+</body>
+</html>`;
+}
+export function renderErrorPage(error: string, description?: string): string {
+  return `<!DOCTYPE html>
+<html>
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'none'; style-src 'unsafe-inline'">
+  <title>Error - Palaryn</title>
+  <style>
+    * { margin: 0; padding: 0; box-sizing: border-box; }
+    body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; background: #f5f7fa; display: flex; align-items: center; justify-content: center; min-height: 100vh; }
+    .card { background: #fff; border-radius: 12px; padding: 32px; max-width: 440px; width: 100%; box-shadow: 0 4px 24px rgba(0,0,0,0.08); text-align: center; }
+    .logo { font-size: 20px; font-weight: 700; color: #1a1d23; margin-bottom: 16px; }
+    .error { font-size: 16px; font-weight: 600; color: #dc2626; margin-bottom: 8px; }
+    .desc { font-size: 14px; color: #6b7280; }
+  </style>
+</head>
+<body>
+  <div class="card">
+    <div class="logo">Palaryn</div>
+    <div class="error">${escapeHtml(error)}</div>
+    ${description ? `<div class="desc">${escapeHtml(description)}</div>` : ''}
+  </div>
+</body>
+</html>`;
+}

package/src/mcp/oauth-postgres-stores.ts ADDED Viewed

@@ -0,0 +1,278 @@
+/**
+ * PostgreSQL-backed OAuth stores for MCP OAuth 2.0 flow.
+ *
+ * Extends the in-memory stores with write-through persistence to PostgreSQL.
+ * Follows the same pattern as other Postgres stores in src/storage/postgres.ts:
+ * - In-memory cache serves fast reads
+ * - Async writes to Postgres for durability
+ * - Hydration from DB at startup
+ *
+ * Auth codes (10-min TTL) remain in-memory only — not worth persisting.
+ */
+import { Pool } from 'pg';
+import { randomUUID, randomBytes } from 'crypto';
+import { OAuthRegisteredClientsStore } from '@modelcontextprotocol/sdk/server/auth/clients.js';
+import { OAuthClientInformationFull } from '@modelcontextprotocol/sdk/shared/auth.js';
+import { StoredToken } from './oauth-stores';
+// Reliable async query with retry (same pattern as storage/postgres.ts)
+async function reliableAsyncQuery(pool: Pool, sql: string, params?: unknown[]): Promise<void> {
+  for (let attempt = 0; attempt < 3; attempt++) {
+    try {
+      await pool.query(sql, params);
+      return;
+    } catch (err: any) {
+      if (attempt === 2) {
+        console.error('[OAuth Postgres] query failed after 3 attempts:', err.message);
+      } else {
+        await new Promise(r => setTimeout(r, 100 * (attempt + 1)));
+      }
+    }
+  }
+}
+// ---------------------------------------------------------------------------
+// PostgresOAuthClientsStore
+// ---------------------------------------------------------------------------
+export class PostgresOAuthClientsStore implements OAuthRegisteredClientsStore {
+  private clients = new Map<string, OAuthClientInformationFull>();
+  private _pendingWrites: Promise<void>[] = [];
+  constructor(private pool: Pool) {}
+  static async createTables(pool: Pool): Promise<void> {
+    await pool.query(`
+      CREATE TABLE IF NOT EXISTS mcp_oauth_clients (
+        client_id   TEXT PRIMARY KEY,
+        data        JSONB NOT NULL,
+        created_at  TEXT NOT NULL DEFAULT NOW()
+      );
+    `);
+  }
+  async hydrate(): Promise<void> {
+    try {
+      const { rows } = await this.pool.query('SELECT client_id, data FROM mcp_oauth_clients');
+      for (const r of rows) {
+        this.clients.set(r.client_id, r.data);
+      }
+    } catch (err: any) {
+      console.error('[PostgresOAuthClientsStore] hydrate failed:', err.message);
+    }
+  }
+  getClient(clientId: string): OAuthClientInformationFull | undefined {
+    return this.clients.get(clientId);
+  }
+  registerClient(
+    client: Omit<OAuthClientInformationFull, 'client_id' | 'client_id_issued_at'>,
+  ): OAuthClientInformationFull {
+    const clientId = `pn_client_${randomUUID().replace(/-/g, '').slice(0, 16)}`;
+    const clientSecret = randomBytes(32).toString('hex');
+    const full: OAuthClientInformationFull = {
+      ...client,
+      client_id: clientId,
+      client_secret: clientSecret,
+      client_id_issued_at: Math.floor(Date.now() / 1000),
+    };
+    this.clients.set(clientId, full);
+    this._pendingWrites.push(reliableAsyncQuery(this.pool,
+      `INSERT INTO mcp_oauth_clients (client_id, data) VALUES ($1, $2)
+       ON CONFLICT (client_id) DO UPDATE SET data = $2`,
+      [clientId, JSON.stringify(full)],
+    ));
+    return full;
+  }
+  /** Serialize for persistence (compatibility with file-persistence) */
+  entries(): [string, OAuthClientInformationFull][] {
+    return Array.from(this.clients.entries());
+  }
+  /** Load from persisted data (compatibility with file-persistence) */
+  load(entries: [string, OAuthClientInformationFull][]): void {
+    for (const [id, client] of entries) {
+      this.clients.set(id, client);
+    }
+  }
+  clear(): void {
+    this.clients.clear();
+    this._pendingWrites.push(reliableAsyncQuery(this.pool, 'TRUNCATE mcp_oauth_clients'));
+  }
+  async flush(): Promise<void> {
+    const writes = this._pendingWrites;
+    this._pendingWrites = [];
+    await Promise.all(writes);
+  }
+}
+// ---------------------------------------------------------------------------
+// PostgresOAuthTokenStore
+// ---------------------------------------------------------------------------
+export class PostgresOAuthTokenStore {
+  private accessTokens = new Map<string, StoredToken>();
+  private refreshTokens = new Map<string, StoredToken>();
+  private cleanupTimer: ReturnType<typeof setInterval>;
+  private _pendingWrites: Promise<void>[] = [];
+  constructor(
+    private pool: Pool,
+    private accessTtlSec: number = 3600,
+    private refreshTtlSec: number = 30 * 24 * 3600,
+  ) {
+    this.cleanupTimer = setInterval(() => this.cleanup(), 5 * 60_000);
+    this.cleanupTimer.unref();
+  }
+  static async createTables(pool: Pool): Promise<void> {
+    await pool.query(`
+      CREATE TABLE IF NOT EXISTS mcp_oauth_tokens (
+        token       TEXT PRIMARY KEY,
+        token_type  TEXT NOT NULL,
+        client_id   TEXT NOT NULL,
+        user_id     TEXT NOT NULL,
+        workspace_id TEXT NOT NULL,
+        scopes      JSONB NOT NULL DEFAULT '[]',
+        expires_at  BIGINT NOT NULL,
+        created_at  BIGINT NOT NULL
+      );
+    `);
+    await pool.query(`
+      CREATE INDEX IF NOT EXISTS idx_mcp_oauth_tokens_type ON mcp_oauth_tokens (token_type);
+    `);
+    await pool.query(`
+      CREATE INDEX IF NOT EXISTS idx_mcp_oauth_tokens_user ON mcp_oauth_tokens (user_id);
+    `);
+  }
+  async hydrate(): Promise<void> {
+    try {
+      const nowSec = Date.now() / 1000;
+      const { rows } = await this.pool.query(
+        'SELECT * FROM mcp_oauth_tokens WHERE expires_at > $1',
+        [Math.floor(nowSec)],
+      );
+      for (const r of rows) {
+        const token: StoredToken = {
+          token: r.token,
+          clientId: r.client_id,
+          userId: r.user_id,
+          workspaceId: r.workspace_id,
+          scopes: r.scopes || [],
+          expiresAt: Number(r.expires_at),
+          createdAt: Number(r.created_at),
+        };
+        if (r.token_type === 'access') {
+          this.accessTokens.set(r.token, token);
+        } else {
+          this.refreshTokens.set(r.token, token);
+        }
+      }
+      // Clean up expired rows in background
+      this._pendingWrites.push(reliableAsyncQuery(this.pool,
+        'DELETE FROM mcp_oauth_tokens WHERE expires_at <= $1',
+        [Math.floor(nowSec)],
+      ));
+    } catch (err: any) {
+      console.error('[PostgresOAuthTokenStore] hydrate failed:', err.message);
+    }
+  }
+  saveAccessToken(entry: StoredToken): void {
+    this.accessTokens.set(entry.token, entry);
+    this._pendingWrites.push(reliableAsyncQuery(this.pool,
+      `INSERT INTO mcp_oauth_tokens (token, token_type, client_id, user_id, workspace_id, scopes, expires_at, created_at)
+       VALUES ($1, 'access', $2, $3, $4, $5, $6, $7)
+       ON CONFLICT (token) DO UPDATE SET expires_at = $6`,
+      [entry.token, entry.clientId, entry.userId, entry.workspaceId,
+       JSON.stringify(entry.scopes), entry.expiresAt, entry.createdAt],
+    ));
+  }
+  getAccessToken(token: string): StoredToken | undefined {
+    const entry = this.accessTokens.get(token);
+    if (!entry) return undefined;
+    if (Date.now() / 1000 > entry.expiresAt) {
+      this.accessTokens.delete(token);
+      this._pendingWrites.push(reliableAsyncQuery(this.pool,
+        'DELETE FROM mcp_oauth_tokens WHERE token = $1', [token]));
+      return undefined;
+    }
+    return entry;
+  }
+  revokeAccessToken(token: string): void {
+    this.accessTokens.delete(token);
+    this._pendingWrites.push(reliableAsyncQuery(this.pool,
+      'DELETE FROM mcp_oauth_tokens WHERE token = $1', [token]));
+  }
+  saveRefreshToken(entry: StoredToken): void {
+    this.refreshTokens.set(entry.token, entry);
+    this._pendingWrites.push(reliableAsyncQuery(this.pool,
+      `INSERT INTO mcp_oauth_tokens (token, token_type, client_id, user_id, workspace_id, scopes, expires_at, created_at)
+       VALUES ($1, 'refresh', $2, $3, $4, $5, $6, $7)
+       ON CONFLICT (token) DO UPDATE SET expires_at = $6`,
+      [entry.token, entry.clientId, entry.userId, entry.workspaceId,
+       JSON.stringify(entry.scopes), entry.expiresAt, entry.createdAt],
+    ));
+  }
+  getRefreshToken(token: string): StoredToken | undefined {
+    const entry = this.refreshTokens.get(token);
+    if (!entry) return undefined;
+    if (Date.now() / 1000 > entry.expiresAt) {
+      this.refreshTokens.delete(token);
+      this._pendingWrites.push(reliableAsyncQuery(this.pool,
+        'DELETE FROM mcp_oauth_tokens WHERE token = $1', [token]));
+      return undefined;
+    }
+    return entry;
+  }
+  revokeRefreshToken(token: string): void {
+    this.refreshTokens.delete(token);
+    this._pendingWrites.push(reliableAsyncQuery(this.pool,
+      'DELETE FROM mcp_oauth_tokens WHERE token = $1', [token]));
+  }
+  get accessTtlSeconds(): number {
+    return this.accessTtlSec;
+  }
+  get refreshTtlSeconds(): number {
+    return this.refreshTtlSec;
+  }
+  private cleanup(): void {
+    const nowSec = Date.now() / 1000;
+    for (const [t, entry] of this.accessTokens) {
+      if (nowSec > entry.expiresAt) this.accessTokens.delete(t);
+    }
+    for (const [t, entry] of this.refreshTokens) {
+      if (nowSec > entry.expiresAt) this.refreshTokens.delete(t);
+    }
+    // Also clean DB
+    this._pendingWrites.push(reliableAsyncQuery(this.pool,
+      'DELETE FROM mcp_oauth_tokens WHERE expires_at <= $1',
+      [Math.floor(nowSec)],
+    ));
+  }
+  destroy(): void {
+    clearInterval(this.cleanupTimer);
+    this.accessTokens.clear();
+    this.refreshTokens.clear();
+  }
+  async flush(): Promise<void> {
+    const writes = this._pendingWrites;
+    this._pendingWrites = [];
+    await Promise.all(writes);
+  }
+}