palaryn 0.1.0

package/dist/src/mcp/oauth-provider.js

@@ -0,0 +1,360 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PalarynOAuthProvider = exports.AUTH_CODE_LIFETIME_MS = void 0;
+const crypto_1 = require("crypto");
+const oauth_pages_1 = require("./oauth-pages");
+const session_1 = require("../auth/session");
+const auth_1 = require("../middleware/auth");
+// ---------------------------------------------------------------------------
+// Constants
+// ---------------------------------------------------------------------------
+/** Maximum lifetime for authorization codes (in milliseconds). Default: 60 seconds. */
+exports.AUTH_CODE_LIFETIME_MS = 60 * 1000;
+/** Maximum lifetime for CSRF tokens (in milliseconds). Default: 10 minutes. */
+const CSRF_TOKEN_TTL_MS = 10 * 60 * 1000;
+/** Maximum number of CSRF tokens stored concurrently. */
+const CSRF_TOKEN_MAX_SIZE = 10000;
+// ---------------------------------------------------------------------------
+// Provider implementation
+// ---------------------------------------------------------------------------
+class PalarynOAuthProvider {
+    constructor(deps) {
+        /** CSRF tokens: token → { createdAt, expiresAt } */
+        this.csrfTokens = new Map();
+        this._clientsStore = deps.clientsStore;
+        this.authCodes = deps.authCodeStore;
+        this.tokens = deps.tokenStore;
+        this.users = deps.userStore;
+        this.workspaces = deps.workspaceStore;
+        this.members = deps.workspaceMemberStore;
+        this.sessions = deps.sessionStore;
+        this.rbacConfig = deps.rbacConfig;
+        this.loginUrl = deps.loginUrl || '/login';
+        // Periodically clean up expired CSRF tokens
+        this.csrfCleanupInterval = setInterval(() => this.cleanupCsrfTokens(), 60000);
+        this.csrfCleanupInterval.unref();
+    }
+    /** Stop the periodic CSRF cleanup interval. */
+    close() {
+        clearInterval(this.csrfCleanupInterval);
+    }
+    get clientsStore() {
+        return this._clientsStore;
+    }
+    // -----------------------------------------------------------------------
+    // authorize — show consent page or redirect to login
+    // -----------------------------------------------------------------------
+    async authorize(client, params, res) {
+        // Validate redirect URI
+        const uriCheck = PalarynOAuthProvider.validateRedirectUri(params.redirectUri);
+        if (!uriCheck.valid) {
+            res.status(400).send((0, oauth_pages_1.renderErrorPage)('Invalid redirect URI', uriCheck.reason || 'The redirect URI is not allowed.'));
+            return;
+        }
+        // Verify redirect_uri matches one of the client's registered redirect URIs
+        const registeredUris = (client.redirect_uris || []).map((u) => u.toString());
+        if (registeredUris.length > 0 && !registeredUris.includes(params.redirectUri)) {
+            res.status(400).send((0, oauth_pages_1.renderErrorPage)('Redirect URI mismatch', 'The redirect URI does not match any registered URIs for this client.'));
+            return;
+        }
+        // Read the session cookie from the request (available via res.req)
+        const req = res.req;
+        const sessionId = req.cookies?.[session_1.SESSION_COOKIE_NAME];
+        if (!sessionId) {
+            // Not logged in → redirect to login with return_to
+            const returnTo = this.buildAuthorizeReturnUrl(client, params);
+            res.redirect(`${this.loginUrl}?return_to=${encodeURIComponent(returnTo)}`);
+            return;
+        }
+        const session = this.sessions.getById(sessionId);
+        if (!session) {
+            const returnTo = this.buildAuthorizeReturnUrl(client, params);
+            res.redirect(`${this.loginUrl}?return_to=${encodeURIComponent(returnTo)}`);
+            return;
+        }
+        const user = this.users.getById(session.user_id);
+        if (!user || user.status !== 'active') {
+            res.status(403).send((0, oauth_pages_1.renderErrorPage)('Account unavailable', 'Your account is not active.'));
+            return;
+        }
+        // Get workspaces the user belongs to
+        const memberships = this.members.getByUser(user.id);
+        const userWorkspaces = memberships
+            .map((m) => {
+            const ws = this.workspaces.getById(m.workspace_id);
+            return ws ? { id: ws.id, name: ws.name, slug: ws.slug } : null;
+        })
+            .filter(Boolean);
+        if (userWorkspaces.length === 0) {
+            res.status(403).send((0, oauth_pages_1.renderErrorPage)('No workspaces', 'You need at least one workspace to authorize MCP access.'));
+            return;
+        }
+        // Generate CSRF token (with cleanup of expired/overflow)
+        this.cleanupCsrfTokens();
+        const now = Date.now();
+        const csrfToken = (0, crypto_1.randomBytes)(32).toString('hex');
+        this.csrfTokens.set(csrfToken, { createdAt: now, expiresAt: now + CSRF_TOKEN_TTL_MS });
+        // Render consent page
+        const html = (0, oauth_pages_1.renderConsentPage)({
+            clientName: client.client_name || client.client_id,
+            scopes: params.scopes || [],
+            workspaces: userWorkspaces,
+            clientId: client.client_id,
+            redirectUri: params.redirectUri,
+            state: params.state,
+            codeChallenge: params.codeChallenge,
+            csrfToken,
+        });
+        // Override Helmet's CSP to allow form-action redirect to Claude Code's localhost callback
+        res.setHeader('Content-Security-Policy', "default-src 'self'; script-src 'unsafe-inline'; style-src 'unsafe-inline'; form-action 'self' http://localhost:* http://127.0.0.1:*");
+        res.status(200).type('html').send(html);
+    }
+    // -----------------------------------------------------------------------
+    // handleConsentDecision — called from POST /authorize/decision
+    // -----------------------------------------------------------------------
+    async handleConsentDecision(body, sessionUserId) {
+        const { client_id, redirect_uri, state, code_challenge, scopes, csrf_token, workspace_id, decision, } = body;
+        // Validate CSRF
+        const csrfEntry = this.csrfTokens.get(csrf_token);
+        if (!csrfEntry || Date.now() > csrfEntry.expiresAt) {
+            return { error: 'Invalid or expired CSRF token', status: 403 };
+        }
+        this.csrfTokens.delete(csrf_token);
+        // Validate redirect URI
+        const uriCheck = PalarynOAuthProvider.validateRedirectUri(redirect_uri);
+        if (!uriCheck.valid) {
+            return { error: uriCheck.reason || 'Invalid redirect URI', status: 400 };
+        }
+        // Validate client
+        const client = this._clientsStore.getClient(client_id);
+        if (!client) {
+            return { error: 'Unknown client', status: 400 };
+        }
+        // Verify redirect_uri matches registered URIs
+        const registeredUris = (client.redirect_uris || []).map((u) => u.toString());
+        if (registeredUris.length > 0 && !registeredUris.includes(redirect_uri)) {
+            return { error: 'Redirect URI does not match registered URIs', status: 400 };
+        }
+        const redirectUrl = new URL(redirect_uri);
+        // Denied
+        if (decision !== 'approve') {
+            redirectUrl.searchParams.set('error', 'access_denied');
+            redirectUrl.searchParams.set('error_description', 'User denied the request');
+            if (state)
+                redirectUrl.searchParams.set('state', state);
+            return { redirectUrl: redirectUrl.toString() };
+        }
+        // Verify workspace membership
+        const membership = this.members.getByUser(sessionUserId)
+            .find((m) => m.workspace_id === workspace_id);
+        if (!membership) {
+            return { error: 'Invalid workspace selection', status: 403 };
+        }
+        // Generate authorization code
+        const code = (0, crypto_1.randomBytes)(32).toString('hex');
+        this.authCodes.save({
+            code,
+            clientId: client_id,
+            codeChallenge: code_challenge,
+            redirectUri: redirect_uri,
+            scopes: scopes ? scopes.split(' ') : [],
+            userId: sessionUserId,
+            workspaceId: workspace_id,
+            state,
+            expiresAt: Date.now() + exports.AUTH_CODE_LIFETIME_MS,
+        });
+        redirectUrl.searchParams.set('code', code);
+        if (state)
+            redirectUrl.searchParams.set('state', state);
+        return { redirectUrl: redirectUrl.toString() };
+    }
+    // -----------------------------------------------------------------------
+    // challengeForAuthorizationCode
+    // -----------------------------------------------------------------------
+    async challengeForAuthorizationCode(_client, authorizationCode) {
+        const entry = this.authCodes.get(authorizationCode);
+        if (!entry) {
+            throw new Error('Authorization code not found or expired');
+        }
+        return entry.codeChallenge;
+    }
+    // -----------------------------------------------------------------------
+    // exchangeAuthorizationCode
+    // -----------------------------------------------------------------------
+    async exchangeAuthorizationCode(client, authorizationCode, _codeVerifier, _redirectUri, _resource) {
+        const entry = this.authCodes.get(authorizationCode);
+        if (!entry) {
+            throw new Error('Authorization code not found or expired');
+        }
+        if (entry.clientId !== client.client_id) {
+            throw new Error('Client ID mismatch');
+        }
+        // Consume (delete) the auth code FIRST to guarantee single-use.
+        // If token issuance fails after this, the client must request a new code.
+        this.authCodes.consume(authorizationCode);
+        return this.issueTokens(client.client_id, entry.userId, entry.workspaceId, entry.scopes);
+    }
+    // -----------------------------------------------------------------------
+    // exchangeRefreshToken
+    // -----------------------------------------------------------------------
+    async exchangeRefreshToken(client, refreshToken, scopes, _resource) {
+        const entry = this.tokens.getRefreshToken(refreshToken);
+        if (!entry) {
+            throw new Error('Invalid refresh token');
+        }
+        if (entry.clientId !== client.client_id) {
+            throw new Error('Client ID mismatch');
+        }
+        // Revoke old refresh token (rotation)
+        this.tokens.revokeRefreshToken(refreshToken);
+        const effectiveScopes = scopes && scopes.length > 0 ? scopes : entry.scopes;
+        return this.issueTokens(client.client_id, entry.userId, entry.workspaceId, effectiveScopes);
+    }
+    // -----------------------------------------------------------------------
+    // verifyAccessToken
+    // -----------------------------------------------------------------------
+    async verifyAccessToken(token) {
+        const entry = this.tokens.getAccessToken(token);
+        if (!entry) {
+            throw new Error('Invalid or expired access token');
+        }
+        // Resolve user's workspace role → RBAC permissions
+        const memberships = this.members.getByUser(entry.userId);
+        const membership = memberships.find((m) => m.workspace_id === entry.workspaceId);
+        let roles = [];
+        if (membership) {
+            if (membership.role === 'owner' || membership.role === 'admin') {
+                roles = ['admin'];
+            }
+            else if (membership.role === 'member') {
+                roles = ['operator'];
+            }
+            else {
+                roles = ['readonly'];
+            }
+        }
+        const permissions = (0, auth_1.resolvePermissions)(roles, this.rbacConfig);
+        return {
+            token,
+            clientId: entry.clientId,
+            scopes: entry.scopes,
+            expiresAt: entry.expiresAt,
+            extra: {
+                workspace_id: entry.workspaceId,
+                actor_id: `user:${entry.userId}`,
+                user_id: entry.userId,
+                roles,
+                permissions,
+                auth_method: 'oauth',
+            },
+        };
+    }
+    // -----------------------------------------------------------------------
+    // revokeToken
+    // -----------------------------------------------------------------------
+    async revokeToken(_client, request) {
+        // Try both token types
+        this.tokens.revokeAccessToken(request.token);
+        this.tokens.revokeRefreshToken(request.token);
+    }
+    // -----------------------------------------------------------------------
+    // Helpers
+    // -----------------------------------------------------------------------
+    issueTokens(clientId, userId, workspaceId, scopes) {
+        const nowSec = Math.floor(Date.now() / 1000);
+        const accessToken = (0, crypto_1.randomBytes)(32).toString('hex');
+        const refreshToken = (0, crypto_1.randomBytes)(32).toString('hex');
+        this.tokens.saveAccessToken({
+            token: accessToken,
+            clientId,
+            userId,
+            workspaceId,
+            scopes,
+            expiresAt: nowSec + this.tokens.accessTtlSeconds,
+            createdAt: nowSec,
+        });
+        this.tokens.saveRefreshToken({
+            token: refreshToken,
+            clientId,
+            userId,
+            workspaceId,
+            scopes,
+            expiresAt: nowSec + this.tokens.refreshTtlSeconds,
+            createdAt: nowSec,
+        });
+        return {
+            access_token: accessToken,
+            token_type: 'Bearer',
+            expires_in: this.tokens.accessTtlSeconds,
+            refresh_token: refreshToken,
+            scope: scopes.join(' '),
+        };
+    }
+    /**
+     * Remove expired CSRF tokens and evict oldest when map exceeds max size.
+     */
+    cleanupCsrfTokens() {
+        const now = Date.now();
+        // Remove expired tokens
+        for (const [token, entry] of this.csrfTokens) {
+            if (now > entry.expiresAt) {
+                this.csrfTokens.delete(token);
+            }
+        }
+        // Evict oldest if still over max size
+        if (this.csrfTokens.size >= CSRF_TOKEN_MAX_SIZE) {
+            const sorted = [...this.csrfTokens.entries()]
+                .sort((a, b) => a[1].createdAt - b[1].createdAt);
+            const toEvict = sorted.length - CSRF_TOKEN_MAX_SIZE + 1; // make room for the new one
+            for (let i = 0; i < toEvict; i++) {
+                this.csrfTokens.delete(sorted[i][0]);
+            }
+        }
+    }
+    /**
+     * Validate that a redirect URI is safe for dynamically registered clients.
+     * Only allows localhost-based redirect URIs (127.0.0.1, ::1, localhost).
+     * Blocks javascript:, data:, and other dangerous schemes.
+     */
+    static validateRedirectUri(uri) {
+        let parsed;
+        try {
+            parsed = new URL(uri);
+        }
+        catch {
+            return { valid: false, reason: 'Invalid URL format' };
+        }
+        // Block dangerous schemes
+        const dangerousSchemes = ['javascript:', 'data:', 'vbscript:', 'blob:'];
+        if (dangerousSchemes.includes(parsed.protocol)) {
+            return { valid: false, reason: `Dangerous scheme: ${parsed.protocol}` };
+        }
+        // Only allow http/https
+        if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
+            return { valid: false, reason: `Unsupported scheme: ${parsed.protocol}` };
+        }
+        // For dynamically registered MCP clients, only allow localhost
+        const hostname = parsed.hostname;
+        const localhostHosts = ['localhost', '127.0.0.1', '::1', '[::1]'];
+        if (!localhostHosts.includes(hostname)) {
+            return { valid: false, reason: 'Only localhost redirect URIs are allowed for dynamic clients' };
+        }
+        return { valid: true };
+    }
+    buildAuthorizeReturnUrl(client, params) {
+        const url = new URL('/authorize', 'http://placeholder');
+        url.searchParams.set('client_id', client.client_id);
+        url.searchParams.set('redirect_uri', params.redirectUri);
+        url.searchParams.set('code_challenge', params.codeChallenge);
+        url.searchParams.set('code_challenge_method', 'S256');
+        if (params.state)
+            url.searchParams.set('state', params.state);
+        if (params.scopes?.length)
+            url.searchParams.set('scope', params.scopes.join(' '));
+        url.searchParams.set('response_type', 'code');
+        // Return only path + query (no host)
+        return url.pathname + url.search;
+    }
+}
+exports.PalarynOAuthProvider = PalarynOAuthProvider;
+//# sourceMappingURL=oauth-provider.js.map

package/dist/src/mcp/oauth-provider.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-provider.js","sourceRoot":"","sources":["../../../src/mcp/oauth-provider.ts"],"names":[],"mappings":";;;AAaA,mCAAqC;AAgBrC,+CAAmE;AACnE,6CAAsD;AACtD,6CAAwD;AAGxD,8EAA8E;AAC9E,YAAY;AACZ,8EAA8E;AAE9E,uFAAuF;AAC1E,QAAA,qBAAqB,GAAG,EAAE,GAAG,IAAI,CAAC;AAE/C,+EAA+E;AAC/E,MAAM,iBAAiB,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;AAEzC,yDAAyD;AACzD,MAAM,mBAAmB,GAAG,KAAM,CAAC;AAyCnC,8EAA8E;AAC9E,0BAA0B;AAC1B,8EAA8E;AAE9E,MAAa,oBAAoB;IAe/B,YAAY,IAA8B;QAJ1C,oDAAoD;QAC5C,eAAU,GAAG,IAAI,GAAG,EAAqB,CAAC;QAIhD,IAAI,CAAC,aAAa,GAAG,IAAI,CAAC,YAAY,CAAC;QACvC,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,aAAa,CAAC;QACpC,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC,UAAU,CAAC;QAC9B,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,SAAS,CAAC;QAC5B,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,cAAc,CAAC;QACtC,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC,oBAAoB,CAAC;QACzC,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC,YAAY,CAAC;QAClC,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,UAAU,CAAC;QAClC,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,QAAQ,CAAC;QAE1C,4CAA4C;QAC5C,IAAI,CAAC,mBAAmB,GAAG,WAAW,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,iBAAiB,EAAE,EAAE,KAAM,CAAC,CAAC;QAC/E,IAAI,CAAC,mBAAmB,CAAC,KAAK,EAAE,CAAC;IACnC,CAAC;IAED,+CAA+C;IAC/C,KAAK;QACH,aAAa,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC;IAC1C,CAAC;IAED,IAAI,YAAY;QACd,OAAO,IAAI,CAAC,aAAa,CAAC;IAC5B,CAAC;IAED,0EAA0E;IAC1E,qDAAqD;IACrD,0EAA0E;IAE1E,KAAK,CAAC,SAAS,CACb,MAAkC,EAClC,MAA2B,EAC3B,GAAa;QAEb,wBAAwB;QACxB,MAAM,QAAQ,GAAG,oBAAoB,CAAC,mBAAmB,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;QAC9E,IAAI,CAAC,QAAQ,CAAC,KAAK,EAAE,CAAC;YACpB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,IAAA,6BAAe,EAAC,sBAAsB,EAAE,QAAQ,CAAC,MAAM,IAAI,kCAAkC,CAAC,CAAC,CAAC;YACrH,OAAO;QACT,CAAC;QAED,2EAA2E;QAC3E,MAAM,cAAc,GAAG,CAAC,MAAM,CAAC,aAAa,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAe,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC;QAC3F,IAAI,cAAc,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC;YAC9E,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,IAAA,6BAAe,EAAC,uBAAuB,EAAE,sEAAsE,CAAC,CAAC,CAAC;YACvI,OAAO;QACT,CAAC;QAED,mEAAmE;QACnE,MAAM,GAAG,GAAG,GAAG,CAAC,GAAG,CAAC;QACpB,MAAM,SAAS,GAAI,GAAW,CAAC,OAAO,EAAE,CAAC,6BAAmB,CAAC,CAAC;QAE9D,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,mDAAmD;YACnD,MAAM,QAAQ,GAAG,IAAI,CAAC,uBAAuB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;YAC9D,GAAG,CAAC,QAAQ,CAAC,GAAG,IAAI,CAAC,QAAQ,cAAc,kBAAkB,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;YAC3E,OAAO;QACT,CAAC;QAED,MAAM,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QACjD,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,QAAQ,GAAG,IAAI,CAAC,uBAAuB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;YAC9D,GAAG,CAAC,QAAQ,CAAC,GAAG,IAAI,CAAC,QAAQ,cAAc,kBAAkB,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;YAC3E,OAAO;QACT,CAAC;QAED,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QACjD,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,MAAM,KAAK,QAAQ,EAAE,CAAC;YACtC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,IAAA,6BAAe,EAAC,qBAAqB,EAAE,6BAA6B,CAAC,CAAC,CAAC;YAC5F,OAAO;QACT,CAAC;QAED,qCAAqC;QACrC,MAAM,WAAW,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACpD,MAAM,cAAc,GAAG,WAAW;aAC/B,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE;YACT,MAAM,EAAE,GAAG,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC;YACnD,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,EAAE,EAAE,CAAC,EAAE,EAAE,IAAI,EAAE,EAAE,CAAC,IAAI,EAAE,IAAI,EAAE,EAAE,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;QACjE,CAAC,CAAC;aACD,MAAM,CAAC,OAAO,CAAiD,CAAC;QAEnE,IAAI,cAAc,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAChC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,IAAA,6BAAe,EAAC,eAAe,EAAE,0DAA0D,CAAC,CAAC,CAAC;YACnH,OAAO;QACT,CAAC;QAED,yDAAyD;QACzD,IAAI,CAAC,iBAAiB,EAAE,CAAC;QACzB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,MAAM,SAAS,GAAG,IAAA,oBAAW,EAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QAClD,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,GAAG,EAAE,SAAS,EAAE,GAAG,GAAG,iBAAiB,EAAE,CAAC,CAAC;QAEvF,sBAAsB;QACtB,MAAM,IAAI,GAAG,IAAA,+BAAiB,EAAC;YAC7B,UAAU,EAAE,MAAM,CAAC,WAAW,IAAI,MAAM,CAAC,SAAS;YAClD,MAAM,EAAE,MAAM,CAAC,MAAM,IAAI,EAAE;YAC3B,UAAU,EAAE,cAAc;YAC1B,QAAQ,EAAE,MAAM,CAAC,SAAS;YAC1B,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,KAAK,EAAE,MAAM,CAAC,KAAK;YACnB,aAAa,EAAE,MAAM,CAAC,aAAa;YACnC,SAAS;SACV,CAAC,CAAC;QAEH,0FAA0F;QAC1F,GAAG,CAAC,SAAS,CAAC,yBAAyB,EACrC,qIAAqI,CAAC,CAAC;QACzI,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC1C,CAAC;IAED,0EAA0E;IAC1E,+DAA+D;IAC/D,0EAA0E;IAE1E,KAAK,CAAC,qBAAqB,CACzB,IAA4B,EAC5B,aAAqB;QAErB,MAAM,EACJ,SAAS,EACT,YAAY,EACZ,KAAK,EACL,cAAc,EACd,MAAM,EACN,UAAU,EACV,YAAY,EACZ,QAAQ,GACT,GAAG,IAAI,CAAC;QAET,gBAAgB;QAChB,MAAM,SAAS,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;QAClD,IAAI,CAAC,SAAS,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC,SAAS,EAAE,CAAC;YACnD,OAAO,EAAE,KAAK,EAAE,+BAA+B,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC;QACjE,CAAC;QACD,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;QAEnC,wBAAwB;QACxB,MAAM,QAAQ,GAAG,oBAAoB,CAAC,mBAAmB,CAAC,YAAY,CAAC,CAAC;QACxE,IAAI,CAAC,QAAQ,CAAC,KAAK,EAAE,CAAC;YACpB,OAAO,EAAE,KAAK,EAAE,QAAQ,CAAC,MAAM,IAAI,sBAAsB,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC;QAC3E,CAAC;QAED,kBAAkB;QAClB,MAAM,MAAM,GAAG,IAAI,CAAC,aAAa,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;QACvD,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,OAAO,EAAE,KAAK,EAAE,gBAAgB,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC;QAClD,CAAC;QAED,8CAA8C;QAC9C,MAAM,cAAc,GAAG,CAAC,MAAM,CAAC,aAAa,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAe,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC;QAC3F,IAAI,cAAc,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,YAAY,CAAC,EAAE,CAAC;YACxE,OAAO,EAAE,KAAK,EAAE,6CAA6C,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC;QAC/E,CAAC;QAED,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,YAAY,CAAC,CAAC;QAE1C,SAAS;QACT,IAAI,QAAQ,KAAK,SAAS,EAAE,CAAC;YAC3B,WAAW,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,eAAe,CAAC,CAAC;YACvD,WAAW,CAAC,YAAY,CAAC,GAAG,CAAC,mBAAmB,EAAE,yBAAyB,CAAC,CAAC;YAC7E,IAAI,KAAK;gBAAE,WAAW,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;YACxD,OAAO,EAAE,WAAW,EAAE,WAAW,CAAC,QAAQ,EAAE,EAAE,CAAC;QACjD,CAAC;QAED,8BAA8B;QAC9B,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,aAAa,CAAC;aACrD,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,YAAY,KAAK,YAAY,CAAC,CAAC;QAChD,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,OAAO,EAAE,KAAK,EAAE,6BAA6B,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC;QAC/D,CAAC;QAED,8BAA8B;QAC9B,MAAM,IAAI,GAAG,IAAA,oBAAW,EAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QAC7C,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC;YAClB,IAAI;YACJ,QAAQ,EAAE,SAAS;YACnB,aAAa,EAAE,cAAc;YAC7B,WAAW,EAAE,YAAY;YACzB,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE;YACvC,MAAM,EAAE,aAAa;YACrB,WAAW,EAAE,YAAY;YACzB,KAAK;YACL,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,6BAAqB;SAC9C,CAAC,CAAC;QAEH,WAAW,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;QAC3C,IAAI,KAAK;YAAE,WAAW,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;QACxD,OAAO,EAAE,WAAW,EAAE,WAAW,CAAC,QAAQ,EAAE,EAAE,CAAC;IACjD,CAAC;IAED,0EAA0E;IAC1E,gCAAgC;IAChC,0EAA0E;IAE1E,KAAK,CAAC,6BAA6B,CACjC,OAAmC,EACnC,iBAAyB;QAEzB,MAAM,KAAK,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;QACpD,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,IAAI,KAAK,CAAC,yCAAyC,CAAC,CAAC;QAC7D,CAAC;QACD,OAAO,KAAK,CAAC,aAAa,CAAC;IAC7B,CAAC;IAED,0EAA0E;IAC1E,4BAA4B;IAC5B,0EAA0E;IAE1E,KAAK,CAAC,yBAAyB,CAC7B,MAAkC,EAClC,iBAAyB,EACzB,aAAsB,EACtB,YAAqB,EACrB,SAAe;QAEf,MAAM,KAAK,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;QACpD,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,IAAI,KAAK,CAAC,yCAAyC,CAAC,CAAC;QAC7D,CAAC;QAED,IAAI,KAAK,CAAC,QAAQ,KAAK,MAAM,CAAC,SAAS,EAAE,CAAC;YACxC,MAAM,IAAI,KAAK,CAAC,oBAAoB,CAAC,CAAC;QACxC,CAAC;QAED,gEAAgE;QAChE,0EAA0E;QAC1E,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC;QAE1C,OAAO,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,SAAS,EAAE,KAAK,CAAC,MAAM,EAAE,KAAK,CAAC,WAAW,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IAC3F,CAAC;IAED,0EAA0E;IAC1E,uBAAuB;IACvB,0EAA0E;IAE1E,KAAK,CAAC,oBAAoB,CACxB,MAAkC,EAClC,YAAoB,EACpB,MAAiB,EACjB,SAAe;QAEf,MAAM,KAAK,GAAG,IAAI,CAAC,MAAM,CAAC,eAAe,CAAC,YAAY,CAAC,CAAC;QACxD,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;QAC3C,CAAC;QAED,IAAI,KAAK,CAAC,QAAQ,KAAK,MAAM,CAAC,SAAS,EAAE,CAAC;YACxC,MAAM,IAAI,KAAK,CAAC,oBAAoB,CAAC,CAAC;QACxC,CAAC;QAED,sCAAsC;QACtC,IAAI,CAAC,MAAM,CAAC,kBAAkB,CAAC,YAAY,CAAC,CAAC;QAE7C,MAAM,eAAe,GAAG,MAAM,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC;QAC5E,OAAO,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,SAAS,EAAE,KAAK,CAAC,MAAM,EAAE,KAAK,CAAC,WAAW,EAAE,eAAe,CAAC,CAAC;IAC9F,CAAC;IAED,0EAA0E;IAC1E,oBAAoB;IACpB,0EAA0E;IAE1E,KAAK,CAAC,iBAAiB,CAAC,KAAa;QACnC,MAAM,KAAK,GAAG,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC,KAAK,CAAC,CAAC;QAChD,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAC;QACrD,CAAC;QAED,mDAAmD;QACnD,MAAM,WAAW,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QACzD,MAAM,UAAU,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,YAAY,KAAK,KAAK,CAAC,WAAW,CAAC,CAAC;QAEjF,IAAI,KAAK,GAAa,EAAE,CAAC;QACzB,IAAI,UAAU,EAAE,CAAC;YACf,IAAI,UAAU,CAAC,IAAI,KAAK,OAAO,IAAI,UAAU,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;gBAC/D,KAAK,GAAG,CAAC,OAAO,CAAC,CAAC;YACpB,CAAC;iBAAM,IAAI,UAAU,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;gBACxC,KAAK,GAAG,CAAC,UAAU,CAAC,CAAC;YACvB,CAAC;iBAAM,CAAC;gBACN,KAAK,GAAG,CAAC,UAAU,CAAC,CAAC;YACvB,CAAC;QACH,CAAC;QAED,MAAM,WAAW,GAAG,IAAA,yBAAkB,EAAC,KAAK,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;QAE/D,OAAO;YACL,KAAK;YACL,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,KAAK,EAAE;gBACL,YAAY,EAAE,KAAK,CAAC,WAAW;gBAC/B,QAAQ,EAAE,QAAQ,KAAK,CAAC,MAAM,EAAE;gBAChC,OAAO,EAAE,KAAK,CAAC,MAAM;gBACrB,KAAK;gBACL,WAAW;gBACX,WAAW,EAAE,OAAO;aACrB;SACF,CAAC;IACJ,CAAC;IAED,0EAA0E;IAC1E,cAAc;IACd,0EAA0E;IAE1E,KAAK,CAAC,WAAW,CACf,OAAmC,EACnC,OAAoC;QAEpC,uBAAuB;QACvB,IAAI,CAAC,MAAM,CAAC,iBAAiB,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;QAC7C,IAAI,CAAC,MAAM,CAAC,kBAAkB,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;IAChD,CAAC;IAED,0EAA0E;IAC1E,UAAU;IACV,0EAA0E;IAElE,WAAW,CACjB,QAAgB,EAChB,MAAc,EACd,WAAmB,EACnB,MAAgB;QAEhB,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC7C,MAAM,WAAW,GAAG,IAAA,oBAAW,EAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QACpD,MAAM,YAAY,GAAG,IAAA,oBAAW,EAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QAErD,IAAI,CAAC,MAAM,CAAC,eAAe,CAAC;YAC1B,KAAK,EAAE,WAAW;YAClB,QAAQ;YACR,MAAM;YACN,WAAW;YACX,MAAM;YACN,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,gBAAgB;YAChD,SAAS,EAAE,MAAM;SAClB,CAAC,CAAC;QAEH,IAAI,CAAC,MAAM,CAAC,gBAAgB,CAAC;YAC3B,KAAK,EAAE,YAAY;YACnB,QAAQ;YACR,MAAM;YACN,WAAW;YACX,MAAM;YACN,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,iBAAiB;YACjD,SAAS,EAAE,MAAM;SAClB,CAAC,CAAC;QAEH,OAAO;YACL,YAAY,EAAE,WAAW;YACzB,UAAU,EAAE,QAAQ;YACpB,UAAU,EAAE,IAAI,CAAC,MAAM,CAAC,gBAAgB;YACxC,aAAa,EAAE,YAAY;YAC3B,KAAK,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC;SACxB,CAAC;IACJ,CAAC;IAED;;OAEG;IACK,iBAAiB;QACvB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAEvB,wBAAwB;QACxB,KAAK,MAAM,CAAC,KAAK,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;YAC7C,IAAI,GAAG,GAAG,KAAK,CAAC,SAAS,EAAE,CAAC;gBAC1B,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YAChC,CAAC;QACH,CAAC;QAED,sCAAsC;QACtC,IAAI,IAAI,CAAC,UAAU,CAAC,IAAI,IAAI,mBAAmB,EAAE,CAAC;YAChD,MAAM,MAAM,GAAG,CAAC,GAAG,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC;iBAC1C,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;YACnD,MAAM,OAAO,GAAG,MAAM,CAAC,MAAM,GAAG,mBAAmB,GAAG,CAAC,CAAC,CAAC,4BAA4B;YACrF,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,OAAO,EAAE,CAAC,EAAE,EAAE,CAAC;gBACjC,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;YACvC,CAAC;QACH,CAAC;IACH,CAAC;IAED;;;;OAIG;IACH,MAAM,CAAC,mBAAmB,CAAC,GAAW;QACpC,IAAI,MAAW,CAAC;QAChB,IAAI,CAAC;YACH,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;QACxB,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,oBAAoB,EAAE,CAAC;QACxD,CAAC;QAED,0BAA0B;QAC1B,MAAM,gBAAgB,GAAG,CAAC,aAAa,EAAE,OAAO,EAAE,WAAW,EAAE,OAAO,CAAC,CAAC;QACxE,IAAI,gBAAgB,CAAC,QAAQ,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC/C,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,qBAAqB,MAAM,CAAC,QAAQ,EAAE,EAAE,CAAC;QAC1E,CAAC;QAED,wBAAwB;QACxB,IAAI,MAAM,CAAC,QAAQ,KAAK,OAAO,IAAI,MAAM,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;YAChE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,uBAAuB,MAAM,CAAC,QAAQ,EAAE,EAAE,CAAC;QAC5E,CAAC;QAED,+DAA+D;QAC/D,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC;QACjC,MAAM,cAAc,GAAG,CAAC,WAAW,EAAE,WAAW,EAAE,KAAK,EAAE,OAAO,CAAC,CAAC;QAClE,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;YACvC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,8DAA8D,EAAE,CAAC;QAClG,CAAC;QAED,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;IACzB,CAAC;IAEO,uBAAuB,CAC7B,MAAkC,EAClC,MAA2B;QAE3B,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,YAAY,EAAE,oBAAoB,CAAC,CAAC;QACxD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC;QACpD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,EAAE,MAAM,CAAC,WAAW,CAAC,CAAC;QACzD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,gBAAgB,EAAE,MAAM,CAAC,aAAa,CAAC,CAAC;QAC7D,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,uBAAuB,EAAE,MAAM,CAAC,CAAC;QACtD,IAAI,MAAM,CAAC,KAAK;YAAE,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;QAC9D,IAAI,MAAM,CAAC,MAAM,EAAE,MAAM;YAAE,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;QAClF,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC;QAC9C,qCAAqC;QACrC,OAAO,GAAG,CAAC,QAAQ,GAAG,GAAG,CAAC,MAAM,CAAC;IACnC,CAAC;CACF;AA7bD,oDA6bC"}

package/dist/src/mcp/oauth-stores.d.ts

@@ -0,0 +1,62 @@
+import { OAuthRegisteredClientsStore } from '@modelcontextprotocol/sdk/server/auth/clients.js';
+import { OAuthClientInformationFull } from '@modelcontextprotocol/sdk/shared/auth.js';
+export declare class OAuthClientsStore implements OAuthRegisteredClientsStore {
+    private clients;
+    getClient(clientId: string): OAuthClientInformationFull | undefined;
+    registerClient(client: Omit<OAuthClientInformationFull, 'client_id' | 'client_id_issued_at'>): OAuthClientInformationFull;
+    /** Serialize for persistence */
+    entries(): [string, OAuthClientInformationFull][];
+    /** Load from persisted data */
+    load(entries: [string, OAuthClientInformationFull][]): void;
+    clear(): void;
+}
+export interface StoredAuthCode {
+    code: string;
+    clientId: string;
+    codeChallenge: string;
+    redirectUri: string;
+    scopes: string[];
+    userId: string;
+    workspaceId: string;
+    state?: string;
+    expiresAt: number;
+}
+export declare class AuthCodeStore {
+    private ttlMs;
+    private codes;
+    private cleanupTimer;
+    constructor(ttlMs?: number);
+    save(entry: StoredAuthCode): void;
+    get(code: string): StoredAuthCode | undefined;
+    consume(code: string): StoredAuthCode | undefined;
+    private cleanup;
+    destroy(): void;
+}
+export interface StoredToken {
+    token: string;
+    clientId: string;
+    userId: string;
+    workspaceId: string;
+    scopes: string[];
+    expiresAt: number;
+    createdAt: number;
+}
+export declare class OAuthTokenStore {
+    private accessTtlSec;
+    private refreshTtlSec;
+    private accessTokens;
+    private refreshTokens;
+    private cleanupTimer;
+    constructor(accessTtlSec?: number, refreshTtlSec?: number);
+    saveAccessToken(entry: StoredToken): void;
+    getAccessToken(token: string): StoredToken | undefined;
+    revokeAccessToken(token: string): void;
+    saveRefreshToken(entry: StoredToken): void;
+    getRefreshToken(token: string): StoredToken | undefined;
+    revokeRefreshToken(token: string): void;
+    get accessTtlSeconds(): number;
+    get refreshTtlSeconds(): number;
+    private cleanup;
+    destroy(): void;
+}
+//# sourceMappingURL=oauth-stores.d.ts.map

package/dist/src/mcp/oauth-stores.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-stores.d.ts","sourceRoot":"","sources":["../../../src/mcp/oauth-stores.ts"],"names":[],"mappings":"AAOA,OAAO,EAAE,2BAA2B,EAAE,MAAM,kDAAkD,CAAC;AAC/F,OAAO,EAAE,0BAA0B,EAAE,MAAM,0CAA0C,CAAC;AAMtF,qBAAa,iBAAkB,YAAW,2BAA2B;IACnE,OAAO,CAAC,OAAO,CAAiD;IAEhE,SAAS,CAAC,QAAQ,EAAE,MAAM,GAAG,0BAA0B,GAAG,SAAS;IAInE,cAAc,CACZ,MAAM,EAAE,IAAI,CAAC,0BAA0B,EAAE,WAAW,GAAG,qBAAqB,CAAC,GAC5E,0BAA0B;IAa7B,gCAAgC;IAChC,OAAO,IAAI,CAAC,MAAM,EAAE,0BAA0B,CAAC,EAAE;IAIjD,+BAA+B;IAC/B,IAAI,CAAC,OAAO,EAAE,CAAC,MAAM,EAAE,0BAA0B,CAAC,EAAE,GAAG,IAAI;IAM3D,KAAK,IAAI,IAAI;CAGd;AAMD,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,MAAM,CAAC;IACjB,aAAa,EAAE,MAAM,CAAC;IACtB,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,WAAW,EAAE,MAAM,CAAC;IACpB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,qBAAa,aAAa;IAIZ,OAAO,CAAC,KAAK;IAHzB,OAAO,CAAC,KAAK,CAAqC;IAClD,OAAO,CAAC,YAAY,CAAiC;gBAEjC,KAAK,GAAE,MAAuB;IAKlD,IAAI,CAAC,KAAK,EAAE,cAAc,GAAG,IAAI;IAIjC,GAAG,CAAC,IAAI,EAAE,MAAM,GAAG,cAAc,GAAG,SAAS;IAU7C,OAAO,CAAC,IAAI,EAAE,MAAM,GAAG,cAAc,GAAG,SAAS;IAQjD,OAAO,CAAC,OAAO;IASf,OAAO,IAAI,IAAI;CAIhB;AAMD,MAAM,WAAW,WAAW;IAC1B,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,qBAAa,eAAe;IAMxB,OAAO,CAAC,YAAY;IACpB,OAAO,CAAC,aAAa;IANvB,OAAO,CAAC,YAAY,CAAkC;IACtD,OAAO,CAAC,aAAa,CAAkC;IACvD,OAAO,CAAC,YAAY,CAAiC;gBAG3C,YAAY,GAAE,MAAa,EAC3B,aAAa,GAAE,MAAuB;IAMhD,eAAe,CAAC,KAAK,EAAE,WAAW,GAAG,IAAI;IAIzC,cAAc,CAAC,KAAK,EAAE,MAAM,GAAG,WAAW,GAAG,SAAS;IAUtD,iBAAiB,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI;IAItC,gBAAgB,CAAC,KAAK,EAAE,WAAW,GAAG,IAAI;IAI1C,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,WAAW,GAAG,SAAS;IAUvD,kBAAkB,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI;IAIvC,IAAI,gBAAgB,IAAI,MAAM,CAE7B;IAED,IAAI,iBAAiB,IAAI,MAAM,CAE9B;IAED,OAAO,CAAC,OAAO;IAUf,OAAO,IAAI,IAAI;CAKhB"}

package/dist/src/mcp/oauth-stores.js

@@ -0,0 +1,154 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OAuthTokenStore = exports.AuthCodeStore = exports.OAuthClientsStore = void 0;
+/**
+ * In-memory OAuth stores for MCP OAuth 2.0 flow.
+ *
+ * Stores OAuth clients (dynamic registration), access tokens, refresh tokens,
+ * and authorization codes. All stores use TTL-based auto-cleanup.
+ */
+const crypto_1 = require("crypto");
+// ---------------------------------------------------------------------------
+// OAuth Client Store
+// ---------------------------------------------------------------------------
+class OAuthClientsStore {
+    constructor() {
+        this.clients = new Map();
+    }
+    getClient(clientId) {
+        return this.clients.get(clientId);
+    }
+    registerClient(client) {
+        const clientId = `pn_client_${(0, crypto_1.randomUUID)().replace(/-/g, '').slice(0, 16)}`;
+        const clientSecret = (0, crypto_1.randomBytes)(32).toString('hex');
+        const full = {
+            ...client,
+            client_id: clientId,
+            client_secret: clientSecret,
+            client_id_issued_at: Math.floor(Date.now() / 1000),
+        };
+        this.clients.set(clientId, full);
+        return full;
+    }
+    /** Serialize for persistence */
+    entries() {
+        return Array.from(this.clients.entries());
+    }
+    /** Load from persisted data */
+    load(entries) {
+        for (const [id, client] of entries) {
+            this.clients.set(id, client);
+        }
+    }
+    clear() {
+        this.clients.clear();
+    }
+}
+exports.OAuthClientsStore = OAuthClientsStore;
+class AuthCodeStore {
+    constructor(ttlMs = 10 * 60 * 1000) {
+        this.ttlMs = ttlMs;
+        this.codes = new Map();
+        this.cleanupTimer = setInterval(() => this.cleanup(), 60000);
+        this.cleanupTimer.unref();
+    }
+    save(entry) {
+        this.codes.set(entry.code, entry);
+    }
+    get(code) {
+        const entry = this.codes.get(code);
+        if (!entry)
+            return undefined;
+        if (Date.now() > entry.expiresAt) {
+            this.codes.delete(code);
+            return undefined;
+        }
+        return entry;
+    }
+    consume(code) {
+        const entry = this.get(code);
+        if (entry) {
+            this.codes.delete(code);
+        }
+        return entry;
+    }
+    cleanup() {
+        const now = Date.now();
+        for (const [code, entry] of this.codes) {
+            if (now > entry.expiresAt) {
+                this.codes.delete(code);
+            }
+        }
+    }
+    destroy() {
+        clearInterval(this.cleanupTimer);
+        this.codes.clear();
+    }
+}
+exports.AuthCodeStore = AuthCodeStore;
+class OAuthTokenStore {
+    constructor(accessTtlSec = 3600, refreshTtlSec = 30 * 24 * 3600) {
+        this.accessTtlSec = accessTtlSec;
+        this.refreshTtlSec = refreshTtlSec;
+        this.accessTokens = new Map();
+        this.refreshTokens = new Map();
+        this.cleanupTimer = setInterval(() => this.cleanup(), 5 * 60000);
+        this.cleanupTimer.unref();
+    }
+    saveAccessToken(entry) {
+        this.accessTokens.set(entry.token, entry);
+    }
+    getAccessToken(token) {
+        const entry = this.accessTokens.get(token);
+        if (!entry)
+            return undefined;
+        if (Date.now() / 1000 > entry.expiresAt) {
+            this.accessTokens.delete(token);
+            return undefined;
+        }
+        return entry;
+    }
+    revokeAccessToken(token) {
+        this.accessTokens.delete(token);
+    }
+    saveRefreshToken(entry) {
+        this.refreshTokens.set(entry.token, entry);
+    }
+    getRefreshToken(token) {
+        const entry = this.refreshTokens.get(token);
+        if (!entry)
+            return undefined;
+        if (Date.now() / 1000 > entry.expiresAt) {
+            this.refreshTokens.delete(token);
+            return undefined;
+        }
+        return entry;
+    }
+    revokeRefreshToken(token) {
+        this.refreshTokens.delete(token);
+    }
+    get accessTtlSeconds() {
+        return this.accessTtlSec;
+    }
+    get refreshTtlSeconds() {
+        return this.refreshTtlSec;
+    }
+    cleanup() {
+        const nowSec = Date.now() / 1000;
+        for (const [t, entry] of this.accessTokens) {
+            if (nowSec > entry.expiresAt)
+                this.accessTokens.delete(t);
+        }
+        for (const [t, entry] of this.refreshTokens) {
+            if (nowSec > entry.expiresAt)
+                this.refreshTokens.delete(t);
+        }
+    }
+    destroy() {
+        clearInterval(this.cleanupTimer);
+        this.accessTokens.clear();
+        this.refreshTokens.clear();
+    }
+}
+exports.OAuthTokenStore = OAuthTokenStore;
+//# sourceMappingURL=oauth-stores.js.map

package/dist/src/mcp/oauth-stores.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-stores.js","sourceRoot":"","sources":["../../../src/mcp/oauth-stores.ts"],"names":[],"mappings":";;;AAAA;;;;;GAKG;AACH,mCAAiD;AAIjD,8EAA8E;AAC9E,qBAAqB;AACrB,8EAA8E;AAE9E,MAAa,iBAAiB;IAA9B;QACU,YAAO,GAAG,IAAI,GAAG,EAAsC,CAAC;IAoClE,CAAC;IAlCC,SAAS,CAAC,QAAgB;QACxB,OAAO,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IACpC,CAAC;IAED,cAAc,CACZ,MAA6E;QAE7E,MAAM,QAAQ,GAAG,aAAa,IAAA,mBAAU,GAAE,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC;QAC5E,MAAM,YAAY,GAAG,IAAA,oBAAW,EAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QACrD,MAAM,IAAI,GAA+B;YACvC,GAAG,MAAM;YACT,SAAS,EAAE,QAAQ;YACnB,aAAa,EAAE,YAAY;YAC3B,mBAAmB,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;SACnD,CAAC;QACF,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;QACjC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,gCAAgC;IAChC,OAAO;QACL,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC,CAAC;IAC5C,CAAC;IAED,+BAA+B;IAC/B,IAAI,CAAC,OAA+C;QAClD,KAAK,MAAM,CAAC,EAAE,EAAE,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;YACnC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,EAAE,MAAM,CAAC,CAAC;QAC/B,CAAC;IACH,CAAC;IAED,KAAK;QACH,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;IACvB,CAAC;CACF;AArCD,8CAqCC;AAkBD,MAAa,aAAa;IAIxB,YAAoB,QAAgB,EAAE,GAAG,EAAE,GAAG,IAAI;QAA9B,UAAK,GAAL,KAAK,CAAyB;QAH1C,UAAK,GAAG,IAAI,GAAG,EAA0B,CAAC;QAIhD,IAAI,CAAC,YAAY,GAAG,WAAW,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,OAAO,EAAE,EAAE,KAAM,CAAC,CAAC;QAC9D,IAAI,CAAC,YAAY,CAAC,KAAK,EAAE,CAAC;IAC5B,CAAC;IAED,IAAI,CAAC,KAAqB;QACxB,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;IACpC,CAAC;IAED,GAAG,CAAC,IAAY;QACd,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACnC,IAAI,CAAC,KAAK;YAAE,OAAO,SAAS,CAAC;QAC7B,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC,SAAS,EAAE,CAAC;YACjC,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;YACxB,OAAO,SAAS,CAAC;QACnB,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,OAAO,CAAC,IAAY;QAClB,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QAC7B,IAAI,KAAK,EAAE,CAAC;YACV,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;QAC1B,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAEO,OAAO;QACb,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,KAAK,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YACvC,IAAI,GAAG,GAAG,KAAK,CAAC,SAAS,EAAE,CAAC;gBAC1B,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;YAC1B,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO;QACL,aAAa,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QACjC,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;IACrB,CAAC;CACF;AA5CD,sCA4CC;AAgBD,MAAa,eAAe;IAK1B,YACU,eAAuB,IAAI,EAC3B,gBAAwB,EAAE,GAAG,EAAE,GAAG,IAAI;QADtC,iBAAY,GAAZ,YAAY,CAAe;QAC3B,kBAAa,GAAb,aAAa,CAAyB;QANxC,iBAAY,GAAG,IAAI,GAAG,EAAuB,CAAC;QAC9C,kBAAa,GAAG,IAAI,GAAG,EAAuB,CAAC;QAOrD,IAAI,CAAC,YAAY,GAAG,WAAW,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,OAAO,EAAE,EAAE,CAAC,GAAG,KAAM,CAAC,CAAC;QAClE,IAAI,CAAC,YAAY,CAAC,KAAK,EAAE,CAAC;IAC5B,CAAC;IAED,eAAe,CAAC,KAAkB;QAChC,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;IAC5C,CAAC;IAED,cAAc,CAAC,KAAa;QAC1B,MAAM,KAAK,GAAG,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QAC3C,IAAI,CAAC,KAAK;YAAE,OAAO,SAAS,CAAC;QAC7B,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,GAAG,KAAK,CAAC,SAAS,EAAE,CAAC;YACxC,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YAChC,OAAO,SAAS,CAAC;QACnB,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,iBAAiB,CAAC,KAAa;QAC7B,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAClC,CAAC;IAED,gBAAgB,CAAC,KAAkB;QACjC,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;IAC7C,CAAC;IAED,eAAe,CAAC,KAAa;QAC3B,MAAM,KAAK,GAAG,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QAC5C,IAAI,CAAC,KAAK;YAAE,OAAO,SAAS,CAAC;QAC7B,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,GAAG,KAAK,CAAC,SAAS,EAAE,CAAC;YACxC,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACjC,OAAO,SAAS,CAAC;QACnB,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,kBAAkB,CAAC,KAAa;QAC9B,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACnC,CAAC;IAED,IAAI,gBAAgB;QAClB,OAAO,IAAI,CAAC,YAAY,CAAC;IAC3B,CAAC;IAED,IAAI,iBAAiB;QACnB,OAAO,IAAI,CAAC,aAAa,CAAC;IAC5B,CAAC;IAEO,OAAO;QACb,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;QACjC,KAAK,MAAM,CAAC,CAAC,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;YAC3C,IAAI,MAAM,GAAG,KAAK,CAAC,SAAS;gBAAE,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;QAC5D,CAAC;QACD,KAAK,MAAM,CAAC,CAAC,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;YAC5C,IAAI,MAAM,GAAG,KAAK,CAAC,SAAS;gBAAE,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;QAC7D,CAAC;IACH,CAAC;IAED,OAAO;QACL,aAAa,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QACjC,IAAI,CAAC,YAAY,CAAC,KAAK,EAAE,CAAC;QAC1B,IAAI,CAAC,aAAa,CAAC,KAAK,EAAE,CAAC;IAC7B,CAAC;CACF;AAxED,0CAwEC"}

package/dist/src/mcp/server.d.ts

@@ -0,0 +1,18 @@
+#!/usr/bin/env node
+/**
+ * Palaryn MCP Server — standalone entry point for Claude Code and other MCP clients.
+ *
+ * Usage:
+ *   node dist/mcp/server.js
+ *   claude mcp add palaryn -- node /path/to/dist/mcp/server.js
+ *
+ * Environment variables:
+ *   PALARYN_MCP_WORKSPACE  — Workspace ID (default: 'ws-claude-code')
+ *   PALARYN_MCP_ACTOR      — Actor ID (default: 'claude-code')
+ *   PALARYN_MCP_PLATFORM   — Platform identifier (default: 'claude_code')
+ *   POLICY_PACK_PATH       — Path to policy pack YAML (default: './policy-packs/default.yaml')
+ *
+ * All logging goes to stderr — stdout is reserved for MCP JSON-RPC messages.
+ */
+export declare function startMCPServer(): Promise<void>;
+//# sourceMappingURL=server.d.ts.map

package/dist/src/mcp/server.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../../../src/mcp/server.ts"],"names":[],"mappings":";AAEA;;;;;;;;;;;;;;GAcG;AAgBH,wBAAsB,cAAc,IAAI,OAAO,CAAC,IAAI,CAAC,CAcpD"}