palaryn 0.1.0

package/dist/src/mcp/index.js

@@ -0,0 +1,17 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OAuthTokenStore = exports.AuthCodeStore = exports.OAuthClientsStore = exports.HybridTokenVerifier = exports.PalarynOAuthProvider = exports.createMCPHttpHandler = exports.startMCPBridge = exports.MCPBridge = void 0;
+var bridge_1 = require("./bridge");
+Object.defineProperty(exports, "MCPBridge", { enumerable: true, get: function () { return bridge_1.MCPBridge; } });
+Object.defineProperty(exports, "startMCPBridge", { enumerable: true, get: function () { return bridge_1.startMCPBridge; } });
+var http_transport_1 = require("./http-transport");
+Object.defineProperty(exports, "createMCPHttpHandler", { enumerable: true, get: function () { return http_transport_1.createMCPHttpHandler; } });
+var oauth_provider_1 = require("./oauth-provider");
+Object.defineProperty(exports, "PalarynOAuthProvider", { enumerable: true, get: function () { return oauth_provider_1.PalarynOAuthProvider; } });
+var auth_verifier_1 = require("./auth-verifier");
+Object.defineProperty(exports, "HybridTokenVerifier", { enumerable: true, get: function () { return auth_verifier_1.HybridTokenVerifier; } });
+var oauth_stores_1 = require("./oauth-stores");
+Object.defineProperty(exports, "OAuthClientsStore", { enumerable: true, get: function () { return oauth_stores_1.OAuthClientsStore; } });
+Object.defineProperty(exports, "AuthCodeStore", { enumerable: true, get: function () { return oauth_stores_1.AuthCodeStore; } });
+Object.defineProperty(exports, "OAuthTokenStore", { enumerable: true, get: function () { return oauth_stores_1.OAuthTokenStore; } });
+//# sourceMappingURL=index.js.map

package/dist/src/mcp/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/mcp/index.ts"],"names":[],"mappings":";;;AAAA,mCAAqD;AAA5C,mGAAA,SAAS,OAAA;AAAE,wGAAA,cAAc,OAAA;AAElC,mDAAwD;AAA/C,sHAAA,oBAAoB,OAAA;AAE7B,mDAAwD;AAA/C,sHAAA,oBAAoB,OAAA;AAE7B,iDAAsD;AAA7C,oHAAA,mBAAmB,OAAA;AAE5B,+CAAmF;AAA1E,iHAAA,iBAAiB,OAAA;AAAE,6GAAA,aAAa,OAAA;AAAE,+GAAA,eAAe,OAAA"}

package/dist/src/mcp/oauth-pages.d.ts

@@ -0,0 +1,23 @@
+/**
+ * Server-rendered HTML pages for MCP OAuth 2.0 consent flow.
+ * Follows the same pattern as src/admin/templates.ts.
+ */
+export interface ConsentPageParams {
+    clientName: string;
+    scopes: string[];
+    workspaces: {
+        id: string;
+        name: string;
+        slug: string;
+    }[];
+    /** Hidden fields to pass through the OAuth params */
+    clientId: string;
+    redirectUri: string;
+    state?: string;
+    codeChallenge: string;
+    /** CSRF token */
+    csrfToken: string;
+}
+export declare function renderConsentPage(params: ConsentPageParams): string;
+export declare function renderErrorPage(error: string, description?: string): string;
+//# sourceMappingURL=oauth-pages.d.ts.map

package/dist/src/mcp/oauth-pages.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-pages.d.ts","sourceRoot":"","sources":["../../../src/mcp/oauth-pages.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAWH,MAAM,WAAW,iBAAiB;IAChC,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,UAAU,EAAE;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,EAAE,CAAC;IACzD,qDAAqD;IACrD,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,aAAa,EAAE,MAAM,CAAC;IACtB,iBAAiB;IACjB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,iBAAiB,GAAG,MAAM,CAoFnE;AAED,wBAAgB,eAAe,CAAC,KAAK,EAAE,MAAM,EAAE,WAAW,CAAC,EAAE,MAAM,GAAG,MAAM,CAyB3E"}

package/dist/src/mcp/oauth-pages.js

@@ -0,0 +1,121 @@
+"use strict";
+/**
+ * Server-rendered HTML pages for MCP OAuth 2.0 consent flow.
+ * Follows the same pattern as src/admin/templates.ts.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.renderConsentPage = renderConsentPage;
+exports.renderErrorPage = renderErrorPage;
+function escapeHtml(str) {
+    return String(str)
+        .replace(/&/g, '&')
+        .replace(/</g, '&lt;')
+        .replace(/>/g, '&gt;')
+        .replace(/"/g, '&quot;')
+        .replace(/'/g, '&#039;');
+}
+function renderConsentPage(params) {
+    const workspaceOptions = params.workspaces
+        .map((w) => `<option value="${escapeHtml(w.id)}">${escapeHtml(w.name)} (${escapeHtml(w.slug)})</option>`)
+        .join('\n');
+    const scopeList = params.scopes
+        .map((s) => `<li>${escapeHtml(s)}</li>`)
+        .join('\n');
+    return `<!DOCTYPE html>
+<html>
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'unsafe-inline'; style-src 'unsafe-inline'; form-action 'self' http://localhost:* http://127.0.0.1:*">
+  <title>Authorize - Palaryn</title>
+  <style>
+    * { margin: 0; padding: 0; box-sizing: border-box; }
+    body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; background: #f5f7fa; display: flex; align-items: center; justify-content: center; min-height: 100vh; }
+    .card { background: #fff; border-radius: 12px; padding: 32px; max-width: 440px; width: 100%; box-shadow: 0 4px 24px rgba(0,0,0,0.08); }
+    .logo { font-size: 20px; font-weight: 700; color: #1a1d23; margin-bottom: 4px; }
+    .subtitle { font-size: 14px; color: #6b7280; margin-bottom: 24px; }
+    .client-name { font-weight: 600; color: #1a1d23; }
+    .section-label { font-size: 13px; font-weight: 600; color: #374151; margin-bottom: 8px; }
+    .scope-list { list-style: none; margin-bottom: 20px; }
+    .scope-list li { padding: 6px 0; font-size: 14px; color: #4b5563; }
+    .scope-list li::before { content: "\\2713"; color: #10b981; margin-right: 8px; font-weight: 700; }
+    select { width: 100%; padding: 10px 12px; border: 1px solid #d1d5db; border-radius: 8px; font-size: 14px; margin-bottom: 24px; background: #fff; }
+    .btn-row { display: flex; gap: 12px; }
+    .btn { flex: 1; padding: 10px; border: none; border-radius: 8px; font-size: 14px; font-weight: 600; cursor: pointer; }
+    .btn-primary { background: #3b82f6; color: #fff; }
+    .btn-primary:hover { background: #2563eb; }
+    .btn-secondary { background: #f3f4f6; color: #374151; }
+    .btn-secondary:hover { background: #e5e7eb; }
+  </style>
+</head>
+<body>
+  <div class="card">
+    <div class="logo">Palaryn</div>
+    <div class="subtitle">
+      <span class="client-name">${escapeHtml(params.clientName)}</span> wants to access your account
+    </div>
+
+    <div class="section-label">Permissions requested</div>
+    <ul class="scope-list">
+      ${scopeList || '<li>Execute tool calls through the gateway</li>'}
+    </ul>
+
+    <form method="POST" action="/authorize/decision">
+      <input type="hidden" name="client_id" value="${escapeHtml(params.clientId)}">
+      <input type="hidden" name="redirect_uri" value="${escapeHtml(params.redirectUri)}">
+      <input type="hidden" name="state" value="${escapeHtml(params.state || '')}">
+      <input type="hidden" name="code_challenge" value="${escapeHtml(params.codeChallenge)}">
+      <input type="hidden" name="scopes" value="${escapeHtml(params.scopes.join(' '))}">
+      <input type="hidden" name="csrf_token" value="${escapeHtml(params.csrfToken)}">
+
+      ${params.workspaces.length > 1
+        ? `<div class="section-label">Workspace</div>
+             <select name="workspace_id">${workspaceOptions}</select>`
+        : `<input type="hidden" name="workspace_id" value="${escapeHtml(params.workspaces[0]?.id || '')}">`}
+
+      <div class="btn-row">
+        <button type="submit" name="decision" value="deny" class="btn btn-secondary">Deny</button>
+        <button type="submit" name="decision" value="approve" class="btn btn-primary" id="approve-btn">Approve</button>
+      </div>
+    </form>
+  </div>
+  <script>
+    document.querySelector('form').addEventListener('submit', function(e) {
+      var form = this;
+      setTimeout(function() {
+        var btns = form.querySelectorAll('button');
+        for (var i = 0; i < btns.length; i++) { btns[i].disabled = true; }
+        document.getElementById('approve-btn').textContent = 'Authorizing...';
+      }, 0);
+    });
+  </script>
+</body>
+</html>`;
+}
+function renderErrorPage(error, description) {
+    return `<!DOCTYPE html>
+<html>
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'none'; style-src 'unsafe-inline'">
+  <title>Error - Palaryn</title>
+  <style>
+    * { margin: 0; padding: 0; box-sizing: border-box; }
+    body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; background: #f5f7fa; display: flex; align-items: center; justify-content: center; min-height: 100vh; }
+    .card { background: #fff; border-radius: 12px; padding: 32px; max-width: 440px; width: 100%; box-shadow: 0 4px 24px rgba(0,0,0,0.08); text-align: center; }
+    .logo { font-size: 20px; font-weight: 700; color: #1a1d23; margin-bottom: 16px; }
+    .error { font-size: 16px; font-weight: 600; color: #dc2626; margin-bottom: 8px; }
+    .desc { font-size: 14px; color: #6b7280; }
+  </style>
+</head>
+<body>
+  <div class="card">
+    <div class="logo">Palaryn</div>
+    <div class="error">${escapeHtml(error)}</div>
+    ${description ? `<div class="desc">${escapeHtml(description)}</div>` : ''}
+  </div>
+</body>
+</html>`;
+}
+//# sourceMappingURL=oauth-pages.js.map

package/dist/src/mcp/oauth-pages.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-pages.js","sourceRoot":"","sources":["../../../src/mcp/oauth-pages.ts"],"names":[],"mappings":";AAAA;;;GAGG;;AAwBH,8CAoFC;AAED,0CAyBC;AArID,SAAS,UAAU,CAAC,GAAW;IAC7B,OAAO,MAAM,CAAC,GAAG,CAAC;SACf,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC;SACtB,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC;SACrB,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC;SACrB,OAAO,CAAC,IAAI,EAAE,QAAQ,CAAC;SACvB,OAAO,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;AAC7B,CAAC;AAeD,SAAgB,iBAAiB,CAAC,MAAyB;IACzD,MAAM,gBAAgB,GAAG,MAAM,CAAC,UAAU;SACvC,GAAG,CACF,CAAC,CAAC,EAAE,EAAE,CACJ,kBAAkB,UAAU,CAAC,CAAC,CAAC,EAAE,CAAC,KAAK,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,YAAY,CAC/F;SACA,IAAI,CAAC,IAAI,CAAC,CAAC;IAEd,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM;SAC5B,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,UAAU,CAAC,CAAC,CAAC,OAAO,CAAC;SACvC,IAAI,CAAC,IAAI,CAAC,CAAC;IAEd,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kCA+ByB,UAAU,CAAC,MAAM,CAAC,UAAU,CAAC;;;;;QAKvD,SAAS,IAAI,iDAAiD;;;;qDAIjB,UAAU,CAAC,MAAM,CAAC,QAAQ,CAAC;wDACxB,UAAU,CAAC,MAAM,CAAC,WAAW,CAAC;iDACrC,UAAU,CAAC,MAAM,CAAC,KAAK,IAAI,EAAE,CAAC;0DACrB,UAAU,CAAC,MAAM,CAAC,aAAa,CAAC;kDACxC,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;sDAC/B,UAAU,CAAC,MAAM,CAAC,SAAS,CAAC;;QAG1E,MAAM,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC;QAC1B,CAAC,CAAC;2CAC+B,gBAAgB,WAAW;QAC5D,CAAC,CAAC,mDAAmD,UAAU,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,CAAC,IACnG;;;;;;;;;;;;;;;;;;;QAmBE,CAAC;AACT,CAAC;AAED,SAAgB,eAAe,CAAC,KAAa,EAAE,WAAoB;IACjE,OAAO;;;;;;;;;;;;;;;;;;;yBAmBgB,UAAU,CAAC,KAAK,CAAC;MACpC,WAAW,CAAC,CAAC,CAAC,qBAAqB,UAAU,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE;;;QAGrE,CAAC;AACT,CAAC"}

package/dist/src/mcp/oauth-postgres-stores.d.ts

@@ -0,0 +1,55 @@
+/**
+ * PostgreSQL-backed OAuth stores for MCP OAuth 2.0 flow.
+ *
+ * Extends the in-memory stores with write-through persistence to PostgreSQL.
+ * Follows the same pattern as other Postgres stores in src/storage/postgres.ts:
+ * - In-memory cache serves fast reads
+ * - Async writes to Postgres for durability
+ * - Hydration from DB at startup
+ *
+ * Auth codes (10-min TTL) remain in-memory only — not worth persisting.
+ */
+import { Pool } from 'pg';
+import { OAuthRegisteredClientsStore } from '@modelcontextprotocol/sdk/server/auth/clients.js';
+import { OAuthClientInformationFull } from '@modelcontextprotocol/sdk/shared/auth.js';
+import { StoredToken } from './oauth-stores';
+export declare class PostgresOAuthClientsStore implements OAuthRegisteredClientsStore {
+    private pool;
+    private clients;
+    private _pendingWrites;
+    constructor(pool: Pool);
+    static createTables(pool: Pool): Promise<void>;
+    hydrate(): Promise<void>;
+    getClient(clientId: string): OAuthClientInformationFull | undefined;
+    registerClient(client: Omit<OAuthClientInformationFull, 'client_id' | 'client_id_issued_at'>): OAuthClientInformationFull;
+    /** Serialize for persistence (compatibility with file-persistence) */
+    entries(): [string, OAuthClientInformationFull][];
+    /** Load from persisted data (compatibility with file-persistence) */
+    load(entries: [string, OAuthClientInformationFull][]): void;
+    clear(): void;
+    flush(): Promise<void>;
+}
+export declare class PostgresOAuthTokenStore {
+    private pool;
+    private accessTtlSec;
+    private refreshTtlSec;
+    private accessTokens;
+    private refreshTokens;
+    private cleanupTimer;
+    private _pendingWrites;
+    constructor(pool: Pool, accessTtlSec?: number, refreshTtlSec?: number);
+    static createTables(pool: Pool): Promise<void>;
+    hydrate(): Promise<void>;
+    saveAccessToken(entry: StoredToken): void;
+    getAccessToken(token: string): StoredToken | undefined;
+    revokeAccessToken(token: string): void;
+    saveRefreshToken(entry: StoredToken): void;
+    getRefreshToken(token: string): StoredToken | undefined;
+    revokeRefreshToken(token: string): void;
+    get accessTtlSeconds(): number;
+    get refreshTtlSeconds(): number;
+    private cleanup;
+    destroy(): void;
+    flush(): Promise<void>;
+}
+//# sourceMappingURL=oauth-postgres-stores.d.ts.map

package/dist/src/mcp/oauth-postgres-stores.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-postgres-stores.d.ts","sourceRoot":"","sources":["../../../src/mcp/oauth-postgres-stores.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AACH,OAAO,EAAE,IAAI,EAAE,MAAM,IAAI,CAAC;AAE1B,OAAO,EAAE,2BAA2B,EAAE,MAAM,kDAAkD,CAAC;AAC/F,OAAO,EAAE,0BAA0B,EAAE,MAAM,0CAA0C,CAAC;AACtF,OAAO,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAsB7C,qBAAa,yBAA0B,YAAW,2BAA2B;IAI/D,OAAO,CAAC,IAAI;IAHxB,OAAO,CAAC,OAAO,CAAiD;IAChE,OAAO,CAAC,cAAc,CAAuB;gBAEzB,IAAI,EAAE,IAAI;WAEjB,YAAY,CAAC,IAAI,EAAE,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC;IAU9C,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC;IAW9B,SAAS,CAAC,QAAQ,EAAE,MAAM,GAAG,0BAA0B,GAAG,SAAS;IAInE,cAAc,CACZ,MAAM,EAAE,IAAI,CAAC,0BAA0B,EAAE,WAAW,GAAG,qBAAqB,CAAC,GAC5E,0BAA0B;IAkB7B,sEAAsE;IACtE,OAAO,IAAI,CAAC,MAAM,EAAE,0BAA0B,CAAC,EAAE;IAIjD,qEAAqE;IACrE,IAAI,CAAC,OAAO,EAAE,CAAC,MAAM,EAAE,0BAA0B,CAAC,EAAE,GAAG,IAAI;IAM3D,KAAK,IAAI,IAAI;IAKP,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;CAK7B;AAMD,qBAAa,uBAAuB;IAOhC,OAAO,CAAC,IAAI;IACZ,OAAO,CAAC,YAAY;IACpB,OAAO,CAAC,aAAa;IARvB,OAAO,CAAC,YAAY,CAAkC;IACtD,OAAO,CAAC,aAAa,CAAkC;IACvD,OAAO,CAAC,YAAY,CAAiC;IACrD,OAAO,CAAC,cAAc,CAAuB;gBAGnC,IAAI,EAAE,IAAI,EACV,YAAY,GAAE,MAAa,EAC3B,aAAa,GAAE,MAAuB;WAMnC,YAAY,CAAC,IAAI,EAAE,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC;IAqB9C,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC;IAiC9B,eAAe,CAAC,KAAK,EAAE,WAAW,GAAG,IAAI;IAWzC,cAAc,CAAC,KAAK,EAAE,MAAM,GAAG,WAAW,GAAG,SAAS;IAYtD,iBAAiB,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI;IAMtC,gBAAgB,CAAC,KAAK,EAAE,WAAW,GAAG,IAAI;IAW1C,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,WAAW,GAAG,SAAS;IAYvD,kBAAkB,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI;IAMvC,IAAI,gBAAgB,IAAI,MAAM,CAE7B;IAED,IAAI,iBAAiB,IAAI,MAAM,CAE9B;IAED,OAAO,CAAC,OAAO;IAef,OAAO,IAAI,IAAI;IAMT,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;CAK7B"}

package/dist/src/mcp/oauth-postgres-stores.js

@@ -0,0 +1,226 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PostgresOAuthTokenStore = exports.PostgresOAuthClientsStore = void 0;
+const crypto_1 = require("crypto");
+// Reliable async query with retry (same pattern as storage/postgres.ts)
+async function reliableAsyncQuery(pool, sql, params) {
+    for (let attempt = 0; attempt < 3; attempt++) {
+        try {
+            await pool.query(sql, params);
+            return;
+        }
+        catch (err) {
+            if (attempt === 2) {
+                console.error('[OAuth Postgres] query failed after 3 attempts:', err.message);
+            }
+            else {
+                await new Promise(r => setTimeout(r, 100 * (attempt + 1)));
+            }
+        }
+    }
+}
+// ---------------------------------------------------------------------------
+// PostgresOAuthClientsStore
+// ---------------------------------------------------------------------------
+class PostgresOAuthClientsStore {
+    constructor(pool) {
+        this.pool = pool;
+        this.clients = new Map();
+        this._pendingWrites = [];
+    }
+    static async createTables(pool) {
+        await pool.query(`
+      CREATE TABLE IF NOT EXISTS mcp_oauth_clients (
+        client_id   TEXT PRIMARY KEY,
+        data        JSONB NOT NULL,
+        created_at  TEXT NOT NULL DEFAULT NOW()
+      );
+    `);
+    }
+    async hydrate() {
+        try {
+            const { rows } = await this.pool.query('SELECT client_id, data FROM mcp_oauth_clients');
+            for (const r of rows) {
+                this.clients.set(r.client_id, r.data);
+            }
+        }
+        catch (err) {
+            console.error('[PostgresOAuthClientsStore] hydrate failed:', err.message);
+        }
+    }
+    getClient(clientId) {
+        return this.clients.get(clientId);
+    }
+    registerClient(client) {
+        const clientId = `pn_client_${(0, crypto_1.randomUUID)().replace(/-/g, '').slice(0, 16)}`;
+        const clientSecret = (0, crypto_1.randomBytes)(32).toString('hex');
+        const full = {
+            ...client,
+            client_id: clientId,
+            client_secret: clientSecret,
+            client_id_issued_at: Math.floor(Date.now() / 1000),
+        };
+        this.clients.set(clientId, full);
+        this._pendingWrites.push(reliableAsyncQuery(this.pool, `INSERT INTO mcp_oauth_clients (client_id, data) VALUES ($1, $2)
+       ON CONFLICT (client_id) DO UPDATE SET data = $2`, [clientId, JSON.stringify(full)]));
+        return full;
+    }
+    /** Serialize for persistence (compatibility with file-persistence) */
+    entries() {
+        return Array.from(this.clients.entries());
+    }
+    /** Load from persisted data (compatibility with file-persistence) */
+    load(entries) {
+        for (const [id, client] of entries) {
+            this.clients.set(id, client);
+        }
+    }
+    clear() {
+        this.clients.clear();
+        this._pendingWrites.push(reliableAsyncQuery(this.pool, 'TRUNCATE mcp_oauth_clients'));
+    }
+    async flush() {
+        const writes = this._pendingWrites;
+        this._pendingWrites = [];
+        await Promise.all(writes);
+    }
+}
+exports.PostgresOAuthClientsStore = PostgresOAuthClientsStore;
+// ---------------------------------------------------------------------------
+// PostgresOAuthTokenStore
+// ---------------------------------------------------------------------------
+class PostgresOAuthTokenStore {
+    constructor(pool, accessTtlSec = 3600, refreshTtlSec = 30 * 24 * 3600) {
+        this.pool = pool;
+        this.accessTtlSec = accessTtlSec;
+        this.refreshTtlSec = refreshTtlSec;
+        this.accessTokens = new Map();
+        this.refreshTokens = new Map();
+        this._pendingWrites = [];
+        this.cleanupTimer = setInterval(() => this.cleanup(), 5 * 60000);
+        this.cleanupTimer.unref();
+    }
+    static async createTables(pool) {
+        await pool.query(`
+      CREATE TABLE IF NOT EXISTS mcp_oauth_tokens (
+        token       TEXT PRIMARY KEY,
+        token_type  TEXT NOT NULL,
+        client_id   TEXT NOT NULL,
+        user_id     TEXT NOT NULL,
+        workspace_id TEXT NOT NULL,
+        scopes      JSONB NOT NULL DEFAULT '[]',
+        expires_at  BIGINT NOT NULL,
+        created_at  BIGINT NOT NULL
+      );
+    `);
+        await pool.query(`
+      CREATE INDEX IF NOT EXISTS idx_mcp_oauth_tokens_type ON mcp_oauth_tokens (token_type);
+    `);
+        await pool.query(`
+      CREATE INDEX IF NOT EXISTS idx_mcp_oauth_tokens_user ON mcp_oauth_tokens (user_id);
+    `);
+    }
+    async hydrate() {
+        try {
+            const nowSec = Date.now() / 1000;
+            const { rows } = await this.pool.query('SELECT * FROM mcp_oauth_tokens WHERE expires_at > $1', [Math.floor(nowSec)]);
+            for (const r of rows) {
+                const token = {
+                    token: r.token,
+                    clientId: r.client_id,
+                    userId: r.user_id,
+                    workspaceId: r.workspace_id,
+                    scopes: r.scopes || [],
+                    expiresAt: Number(r.expires_at),
+                    createdAt: Number(r.created_at),
+                };
+                if (r.token_type === 'access') {
+                    this.accessTokens.set(r.token, token);
+                }
+                else {
+                    this.refreshTokens.set(r.token, token);
+                }
+            }
+            // Clean up expired rows in background
+            this._pendingWrites.push(reliableAsyncQuery(this.pool, 'DELETE FROM mcp_oauth_tokens WHERE expires_at <= $1', [Math.floor(nowSec)]));
+        }
+        catch (err) {
+            console.error('[PostgresOAuthTokenStore] hydrate failed:', err.message);
+        }
+    }
+    saveAccessToken(entry) {
+        this.accessTokens.set(entry.token, entry);
+        this._pendingWrites.push(reliableAsyncQuery(this.pool, `INSERT INTO mcp_oauth_tokens (token, token_type, client_id, user_id, workspace_id, scopes, expires_at, created_at)
+       VALUES ($1, 'access', $2, $3, $4, $5, $6, $7)
+       ON CONFLICT (token) DO UPDATE SET expires_at = $6`, [entry.token, entry.clientId, entry.userId, entry.workspaceId,
+            JSON.stringify(entry.scopes), entry.expiresAt, entry.createdAt]));
+    }
+    getAccessToken(token) {
+        const entry = this.accessTokens.get(token);
+        if (!entry)
+            return undefined;
+        if (Date.now() / 1000 > entry.expiresAt) {
+            this.accessTokens.delete(token);
+            this._pendingWrites.push(reliableAsyncQuery(this.pool, 'DELETE FROM mcp_oauth_tokens WHERE token = $1', [token]));
+            return undefined;
+        }
+        return entry;
+    }
+    revokeAccessToken(token) {
+        this.accessTokens.delete(token);
+        this._pendingWrites.push(reliableAsyncQuery(this.pool, 'DELETE FROM mcp_oauth_tokens WHERE token = $1', [token]));
+    }
+    saveRefreshToken(entry) {
+        this.refreshTokens.set(entry.token, entry);
+        this._pendingWrites.push(reliableAsyncQuery(this.pool, `INSERT INTO mcp_oauth_tokens (token, token_type, client_id, user_id, workspace_id, scopes, expires_at, created_at)
+       VALUES ($1, 'refresh', $2, $3, $4, $5, $6, $7)
+       ON CONFLICT (token) DO UPDATE SET expires_at = $6`, [entry.token, entry.clientId, entry.userId, entry.workspaceId,
+            JSON.stringify(entry.scopes), entry.expiresAt, entry.createdAt]));
+    }
+    getRefreshToken(token) {
+        const entry = this.refreshTokens.get(token);
+        if (!entry)
+            return undefined;
+        if (Date.now() / 1000 > entry.expiresAt) {
+            this.refreshTokens.delete(token);
+            this._pendingWrites.push(reliableAsyncQuery(this.pool, 'DELETE FROM mcp_oauth_tokens WHERE token = $1', [token]));
+            return undefined;
+        }
+        return entry;
+    }
+    revokeRefreshToken(token) {
+        this.refreshTokens.delete(token);
+        this._pendingWrites.push(reliableAsyncQuery(this.pool, 'DELETE FROM mcp_oauth_tokens WHERE token = $1', [token]));
+    }
+    get accessTtlSeconds() {
+        return this.accessTtlSec;
+    }
+    get refreshTtlSeconds() {
+        return this.refreshTtlSec;
+    }
+    cleanup() {
+        const nowSec = Date.now() / 1000;
+        for (const [t, entry] of this.accessTokens) {
+            if (nowSec > entry.expiresAt)
+                this.accessTokens.delete(t);
+        }
+        for (const [t, entry] of this.refreshTokens) {
+            if (nowSec > entry.expiresAt)
+                this.refreshTokens.delete(t);
+        }
+        // Also clean DB
+        this._pendingWrites.push(reliableAsyncQuery(this.pool, 'DELETE FROM mcp_oauth_tokens WHERE expires_at <= $1', [Math.floor(nowSec)]));
+    }
+    destroy() {
+        clearInterval(this.cleanupTimer);
+        this.accessTokens.clear();
+        this.refreshTokens.clear();
+    }
+    async flush() {
+        const writes = this._pendingWrites;
+        this._pendingWrites = [];
+        await Promise.all(writes);
+    }
+}
+exports.PostgresOAuthTokenStore = PostgresOAuthTokenStore;
+//# sourceMappingURL=oauth-postgres-stores.js.map

package/dist/src/mcp/oauth-postgres-stores.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-postgres-stores.js","sourceRoot":"","sources":["../../../src/mcp/oauth-postgres-stores.ts"],"names":[],"mappings":";;;AAYA,mCAAiD;AAKjD,wEAAwE;AACxE,KAAK,UAAU,kBAAkB,CAAC,IAAU,EAAE,GAAW,EAAE,MAAkB;IAC3E,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,GAAG,CAAC,EAAE,OAAO,EAAE,EAAE,CAAC;QAC7C,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;YAC9B,OAAO;QACT,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,IAAI,OAAO,KAAK,CAAC,EAAE,CAAC;gBAClB,OAAO,CAAC,KAAK,CAAC,iDAAiD,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC;YAChF,CAAC;iBAAM,CAAC;gBACN,MAAM,IAAI,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC,UAAU,CAAC,CAAC,EAAE,GAAG,GAAG,CAAC,OAAO,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;YAC7D,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC;AAED,8EAA8E;AAC9E,4BAA4B;AAC5B,8EAA8E;AAE9E,MAAa,yBAAyB;IAIpC,YAAoB,IAAU;QAAV,SAAI,GAAJ,IAAI,CAAM;QAHtB,YAAO,GAAG,IAAI,GAAG,EAAsC,CAAC;QACxD,mBAAc,GAAoB,EAAE,CAAC;IAEZ,CAAC;IAElC,MAAM,CAAC,KAAK,CAAC,YAAY,CAAC,IAAU;QAClC,MAAM,IAAI,CAAC,KAAK,CAAC;;;;;;KAMhB,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,OAAO;QACX,IAAI,CAAC;YACH,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,+CAA+C,CAAC,CAAC;YACxF,KAAK,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC;gBACrB,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC;YACxC,CAAC;QACH,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,OAAO,CAAC,KAAK,CAAC,6CAA6C,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC;QAC5E,CAAC;IACH,CAAC;IAED,SAAS,CAAC,QAAgB;QACxB,OAAO,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IACpC,CAAC;IAED,cAAc,CACZ,MAA6E;QAE7E,MAAM,QAAQ,GAAG,aAAa,IAAA,mBAAU,GAAE,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC;QAC5E,MAAM,YAAY,GAAG,IAAA,oBAAW,EAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QACrD,MAAM,IAAI,GAA+B;YACvC,GAAG,MAAM;YACT,SAAS,EAAE,QAAQ;YACnB,aAAa,EAAE,YAAY;YAC3B,mBAAmB,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;SACnD,CAAC;QACF,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;QACjC,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,IAAI,EACnD;uDACiD,EACjD,CAAC,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CACjC,CAAC,CAAC;QACH,OAAO,IAAI,CAAC;IACd,CAAC;IAED,sEAAsE;IACtE,OAAO;QACL,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC,CAAC;IAC5C,CAAC;IAED,qEAAqE;IACrE,IAAI,CAAC,OAA+C;QAClD,KAAK,MAAM,CAAC,EAAE,EAAE,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;YACnC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,EAAE,MAAM,CAAC,CAAC;QAC/B,CAAC;IACH,CAAC;IAED,KAAK;QACH,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;QACrB,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,IAAI,EAAE,4BAA4B,CAAC,CAAC,CAAC;IACxF,CAAC;IAED,KAAK,CAAC,KAAK;QACT,MAAM,MAAM,GAAG,IAAI,CAAC,cAAc,CAAC;QACnC,IAAI,CAAC,cAAc,GAAG,EAAE,CAAC;QACzB,MAAM,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IAC5B,CAAC;CACF;AAzED,8DAyEC;AAED,8EAA8E;AAC9E,0BAA0B;AAC1B,8EAA8E;AAE9E,MAAa,uBAAuB;IAMlC,YACU,IAAU,EACV,eAAuB,IAAI,EAC3B,gBAAwB,EAAE,GAAG,EAAE,GAAG,IAAI;QAFtC,SAAI,GAAJ,IAAI,CAAM;QACV,iBAAY,GAAZ,YAAY,CAAe;QAC3B,kBAAa,GAAb,aAAa,CAAyB;QARxC,iBAAY,GAAG,IAAI,GAAG,EAAuB,CAAC;QAC9C,kBAAa,GAAG,IAAI,GAAG,EAAuB,CAAC;QAE/C,mBAAc,GAAoB,EAAE,CAAC;QAO3C,IAAI,CAAC,YAAY,GAAG,WAAW,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,OAAO,EAAE,EAAE,CAAC,GAAG,KAAM,CAAC,CAAC;QAClE,IAAI,CAAC,YAAY,CAAC,KAAK,EAAE,CAAC;IAC5B,CAAC;IAED,MAAM,CAAC,KAAK,CAAC,YAAY,CAAC,IAAU;QAClC,MAAM,IAAI,CAAC,KAAK,CAAC;;;;;;;;;;;KAWhB,CAAC,CAAC;QACH,MAAM,IAAI,CAAC,KAAK,CAAC;;KAEhB,CAAC,CAAC;QACH,MAAM,IAAI,CAAC,KAAK,CAAC;;KAEhB,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,OAAO;QACX,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;YACjC,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,KAAK,CACpC,sDAAsD,EACtD,CAAC,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CACrB,CAAC;YACF,KAAK,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC;gBACrB,MAAM,KAAK,GAAgB;oBACzB,KAAK,EAAE,CAAC,CAAC,KAAK;oBACd,QAAQ,EAAE,CAAC,CAAC,SAAS;oBACrB,MAAM,EAAE,CAAC,CAAC,OAAO;oBACjB,WAAW,EAAE,CAAC,CAAC,YAAY;oBAC3B,MAAM,EAAE,CAAC,CAAC,MAAM,IAAI,EAAE;oBACtB,SAAS,EAAE,MAAM,CAAC,CAAC,CAAC,UAAU,CAAC;oBAC/B,SAAS,EAAE,MAAM,CAAC,CAAC,CAAC,UAAU,CAAC;iBAChC,CAAC;gBACF,IAAI,CAAC,CAAC,UAAU,KAAK,QAAQ,EAAE,CAAC;oBAC9B,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;gBACxC,CAAC;qBAAM,CAAC;oBACN,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;gBACzC,CAAC;YACH,CAAC;YACD,sCAAsC;YACtC,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,IAAI,EACnD,qDAAqD,EACrD,CAAC,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CACrB,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,OAAO,CAAC,KAAK,CAAC,2CAA2C,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC;QAC1E,CAAC;IACH,CAAC;IAED,eAAe,CAAC,KAAkB;QAChC,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;QAC1C,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,IAAI,EACnD;;yDAEmD,EACnD,CAAC,KAAK,CAAC,KAAK,EAAE,KAAK,CAAC,QAAQ,EAAE,KAAK,CAAC,MAAM,EAAE,KAAK,CAAC,WAAW;YAC5D,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,KAAK,CAAC,SAAS,EAAE,KAAK,CAAC,SAAS,CAAC,CACjE,CAAC,CAAC;IACL,CAAC;IAED,cAAc,CAAC,KAAa;QAC1B,MAAM,KAAK,GAAG,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QAC3C,IAAI,CAAC,KAAK;YAAE,OAAO,SAAS,CAAC;QAC7B,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,GAAG,KAAK,CAAC,SAAS,EAAE,CAAC;YACxC,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YAChC,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,IAAI,EACnD,+CAA+C,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;YAC7D,OAAO,SAAS,CAAC;QACnB,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,iBAAiB,CAAC,KAAa;QAC7B,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAChC,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,IAAI,EACnD,+CAA+C,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAC/D,CAAC;IAED,gBAAgB,CAAC,KAAkB;QACjC,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;QAC3C,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,IAAI,EACnD;;yDAEmD,EACnD,CAAC,KAAK,CAAC,KAAK,EAAE,KAAK,CAAC,QAAQ,EAAE,KAAK,CAAC,MAAM,EAAE,KAAK,CAAC,WAAW;YAC5D,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,KAAK,CAAC,SAAS,EAAE,KAAK,CAAC,SAAS,CAAC,CACjE,CAAC,CAAC;IACL,CAAC;IAED,eAAe,CAAC,KAAa;QAC3B,MAAM,KAAK,GAAG,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QAC5C,IAAI,CAAC,KAAK;YAAE,OAAO,SAAS,CAAC;QAC7B,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,GAAG,KAAK,CAAC,SAAS,EAAE,CAAC;YACxC,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACjC,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,IAAI,EACnD,+CAA+C,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;YAC7D,OAAO,SAAS,CAAC;QACnB,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,kBAAkB,CAAC,KAAa;QAC9B,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACjC,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,IAAI,EACnD,+CAA+C,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAC/D,CAAC;IAED,IAAI,gBAAgB;QAClB,OAAO,IAAI,CAAC,YAAY,CAAC;IAC3B,CAAC;IAED,IAAI,iBAAiB;QACnB,OAAO,IAAI,CAAC,aAAa,CAAC;IAC5B,CAAC;IAEO,OAAO;QACb,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;QACjC,KAAK,MAAM,CAAC,CAAC,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;YAC3C,IAAI,MAAM,GAAG,KAAK,CAAC,SAAS;gBAAE,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;QAC5D,CAAC;QACD,KAAK,MAAM,CAAC,CAAC,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;YAC5C,IAAI,MAAM,GAAG,KAAK,CAAC,SAAS;gBAAE,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;QAC7D,CAAC;QACD,gBAAgB;QAChB,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,IAAI,EACnD,qDAAqD,EACrD,CAAC,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CACrB,CAAC,CAAC;IACL,CAAC;IAED,OAAO;QACL,aAAa,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QACjC,IAAI,CAAC,YAAY,CAAC,KAAK,EAAE,CAAC;QAC1B,IAAI,CAAC,aAAa,CAAC,KAAK,EAAE,CAAC;IAC7B,CAAC;IAED,KAAK,CAAC,KAAK;QACT,MAAM,MAAM,GAAG,IAAI,CAAC,cAAc,CAAC;QACnC,IAAI,CAAC,cAAc,GAAG,EAAE,CAAC;QACzB,MAAM,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IAC5B,CAAC;CACF;AAjKD,0DAiKC"}

package/dist/src/mcp/oauth-provider.d.ts

@@ -0,0 +1,95 @@
+/**
+ * MCP OAuth 2.0 Server Provider.
+ *
+ * Implements OAuthServerProvider from the MCP SDK. Handles:
+ * - Authorization (consent page with workspace picker)
+ * - Auth code exchange (code → access + refresh tokens)
+ * - Refresh token rotation
+ * - Access token verification (returns AuthInfo with Palaryn context)
+ * - Token revocation
+ *
+ * Reuses existing Palaryn session (pn_session cookie) for user identity.
+ */
+import { Response } from 'express';
+import { OAuthServerProvider, AuthorizationParams } from '@modelcontextprotocol/sdk/server/auth/provider.js';
+import { OAuthRegisteredClientsStore } from '@modelcontextprotocol/sdk/server/auth/clients.js';
+import { OAuthClientInformationFull, OAuthTokens, OAuthTokenRevocationRequest } from '@modelcontextprotocol/sdk/shared/auth.js';
+import { AuthInfo } from '@modelcontextprotocol/sdk/server/auth/types.js';
+import { UserStore, WorkspaceStore, WorkspaceMemberStore, SessionStore } from '../storage/interfaces';
+import { AuthCodeStore, StoredToken } from './oauth-stores';
+import { RBACConfig } from '../types/config';
+/** Maximum lifetime for authorization codes (in milliseconds). Default: 60 seconds. */
+export declare const AUTH_CODE_LIFETIME_MS: number;
+/** Structural interface for token stores (supports both in-memory and Postgres-backed) */
+export interface OAuthTokenStoreInterface {
+    saveAccessToken(entry: StoredToken): void;
+    getAccessToken(token: string): StoredToken | undefined;
+    revokeAccessToken(token: string): void;
+    saveRefreshToken(entry: StoredToken): void;
+    getRefreshToken(token: string): StoredToken | undefined;
+    revokeRefreshToken(token: string): void;
+    readonly accessTtlSeconds: number;
+    readonly refreshTtlSeconds: number;
+}
+/** Structural interface for client stores (supports both in-memory and Postgres-backed) */
+export interface OAuthClientsStoreInterface extends OAuthRegisteredClientsStore {
+    getClient(clientId: string): OAuthClientInformationFull | undefined;
+}
+export interface PalarynOAuthProviderDeps {
+    clientsStore: OAuthClientsStoreInterface;
+    authCodeStore: AuthCodeStore;
+    tokenStore: OAuthTokenStoreInterface;
+    userStore: UserStore;
+    workspaceStore: WorkspaceStore;
+    workspaceMemberStore: WorkspaceMemberStore;
+    sessionStore: SessionStore;
+    rbacConfig?: RBACConfig;
+    /** URL to redirect to for login (default: /auth/login) */
+    loginUrl?: string;
+}
+export declare class PalarynOAuthProvider implements OAuthServerProvider {
+    private _clientsStore;
+    private authCodes;
+    private tokens;
+    private users;
+    private workspaces;
+    private members;
+    private sessions;
+    private rbacConfig?;
+    private loginUrl;
+    /** CSRF tokens: token → { createdAt, expiresAt } */
+    private csrfTokens;
+    private csrfCleanupInterval;
+    constructor(deps: PalarynOAuthProviderDeps);
+    /** Stop the periodic CSRF cleanup interval. */
+    close(): void;
+    get clientsStore(): OAuthRegisteredClientsStore;
+    authorize(client: OAuthClientInformationFull, params: AuthorizationParams, res: Response): Promise<void>;
+    handleConsentDecision(body: Record<string, string>, sessionUserId: string): Promise<{
+        redirectUrl: string;
+    } | {
+        error: string;
+        status: number;
+    }>;
+    challengeForAuthorizationCode(_client: OAuthClientInformationFull, authorizationCode: string): Promise<string>;
+    exchangeAuthorizationCode(client: OAuthClientInformationFull, authorizationCode: string, _codeVerifier?: string, _redirectUri?: string, _resource?: URL): Promise<OAuthTokens>;
+    exchangeRefreshToken(client: OAuthClientInformationFull, refreshToken: string, scopes?: string[], _resource?: URL): Promise<OAuthTokens>;
+    verifyAccessToken(token: string): Promise<AuthInfo>;
+    revokeToken(_client: OAuthClientInformationFull, request: OAuthTokenRevocationRequest): Promise<void>;
+    private issueTokens;
+    /**
+     * Remove expired CSRF tokens and evict oldest when map exceeds max size.
+     */
+    private cleanupCsrfTokens;
+    /**
+     * Validate that a redirect URI is safe for dynamically registered clients.
+     * Only allows localhost-based redirect URIs (127.0.0.1, ::1, localhost).
+     * Blocks javascript:, data:, and other dangerous schemes.
+     */
+    static validateRedirectUri(uri: string): {
+        valid: boolean;
+        reason?: string;
+    };
+    private buildAuthorizeReturnUrl;
+}
+//# sourceMappingURL=oauth-provider.d.ts.map

package/dist/src/mcp/oauth-provider.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-provider.d.ts","sourceRoot":"","sources":["../../../src/mcp/oauth-provider.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AACH,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAEnC,OAAO,EAAE,mBAAmB,EAAE,mBAAmB,EAAE,MAAM,mDAAmD,CAAC;AAC7G,OAAO,EAAE,2BAA2B,EAAE,MAAM,kDAAkD,CAAC;AAC/F,OAAO,EACL,0BAA0B,EAC1B,WAAW,EACX,2BAA2B,EAC5B,MAAM,0CAA0C,CAAC;AAClD,OAAO,EAAE,QAAQ,EAAE,MAAM,gDAAgD,CAAC;AAC1E,OAAO,EACL,SAAS,EACT,cAAc,EACd,oBAAoB,EACpB,YAAY,EACb,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,aAAa,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAI5D,OAAO,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAM7C,uFAAuF;AACvF,eAAO,MAAM,qBAAqB,QAAY,CAAC;AAiB/C,0FAA0F;AAC1F,MAAM,WAAW,wBAAwB;IACvC,eAAe,CAAC,KAAK,EAAE,WAAW,GAAG,IAAI,CAAC;IAC1C,cAAc,CAAC,KAAK,EAAE,MAAM,GAAG,WAAW,GAAG,SAAS,CAAC;IACvD,iBAAiB,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACvC,gBAAgB,CAAC,KAAK,EAAE,WAAW,GAAG,IAAI,CAAC;IAC3C,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,WAAW,GAAG,SAAS,CAAC;IACxD,kBAAkB,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACxC,QAAQ,CAAC,gBAAgB,EAAE,MAAM,CAAC;IAClC,QAAQ,CAAC,iBAAiB,EAAE,MAAM,CAAC;CACpC;AAED,2FAA2F;AAC3F,MAAM,WAAW,0BAA2B,SAAQ,2BAA2B;IAC7E,SAAS,CAAC,QAAQ,EAAE,MAAM,GAAG,0BAA0B,GAAG,SAAS,CAAC;CACrE;AAED,MAAM,WAAW,wBAAwB;IACvC,YAAY,EAAE,0BAA0B,CAAC;IACzC,aAAa,EAAE,aAAa,CAAC;IAC7B,UAAU,EAAE,wBAAwB,CAAC;IACrC,SAAS,EAAE,SAAS,CAAC;IACrB,cAAc,EAAE,cAAc,CAAC;IAC/B,oBAAoB,EAAE,oBAAoB,CAAC;IAC3C,YAAY,EAAE,YAAY,CAAC;IAC3B,UAAU,CAAC,EAAE,UAAU,CAAC;IACxB,0DAA0D;IAC1D,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAMD,qBAAa,oBAAqB,YAAW,mBAAmB;IAC9D,OAAO,CAAC,aAAa,CAA6B;IAClD,OAAO,CAAC,SAAS,CAAgB;IACjC,OAAO,CAAC,MAAM,CAA2B;IACzC,OAAO,CAAC,KAAK,CAAY;IACzB,OAAO,CAAC,UAAU,CAAiB;IACnC,OAAO,CAAC,OAAO,CAAuB;IACtC,OAAO,CAAC,QAAQ,CAAe;IAC/B,OAAO,CAAC,UAAU,CAAC,CAAa;IAChC,OAAO,CAAC,QAAQ,CAAS;IAEzB,oDAAoD;IACpD,OAAO,CAAC,UAAU,CAAgC;IAClD,OAAO,CAAC,mBAAmB,CAAiC;gBAEhD,IAAI,EAAE,wBAAwB;IAgB1C,+CAA+C;IAC/C,KAAK,IAAI,IAAI;IAIb,IAAI,YAAY,IAAI,2BAA2B,CAE9C;IAMK,SAAS,CACb,MAAM,EAAE,0BAA0B,EAClC,MAAM,EAAE,mBAAmB,EAC3B,GAAG,EAAE,QAAQ,GACZ,OAAO,CAAC,IAAI,CAAC;IAiFV,qBAAqB,CACzB,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EAC5B,aAAa,EAAE,MAAM,GACpB,OAAO,CAAC;QAAE,WAAW,EAAE,MAAM,CAAA;KAAE,GAAG;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC;IA6EjE,6BAA6B,CACjC,OAAO,EAAE,0BAA0B,EACnC,iBAAiB,EAAE,MAAM,GACxB,OAAO,CAAC,MAAM,CAAC;IAYZ,yBAAyB,CAC7B,MAAM,EAAE,0BAA0B,EAClC,iBAAiB,EAAE,MAAM,EACzB,aAAa,CAAC,EAAE,MAAM,EACtB,YAAY,CAAC,EAAE,MAAM,EACrB,SAAS,CAAC,EAAE,GAAG,GACd,OAAO,CAAC,WAAW,CAAC;IAqBjB,oBAAoB,CACxB,MAAM,EAAE,0BAA0B,EAClC,YAAY,EAAE,MAAM,EACpB,MAAM,CAAC,EAAE,MAAM,EAAE,EACjB,SAAS,CAAC,EAAE,GAAG,GACd,OAAO,CAAC,WAAW,CAAC;IAqBjB,iBAAiB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC;IA2CnD,WAAW,CACf,OAAO,EAAE,0BAA0B,EACnC,OAAO,EAAE,2BAA2B,GACnC,OAAO,CAAC,IAAI,CAAC;IAUhB,OAAO,CAAC,WAAW;IAuCnB;;OAEG;IACH,OAAO,CAAC,iBAAiB;IAqBzB;;;;OAIG;IACH,MAAM,CAAC,mBAAmB,CAAC,GAAG,EAAE,MAAM,GAAG;QAAE,KAAK,EAAE,OAAO,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAA;KAAE;IA6B5E,OAAO,CAAC,uBAAuB;CAehC"}