npm - palaryn - Versions diffs - 0.1.0 - Mend

palaryn 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (607) hide show

package/LICENSE +21 -0
package/README.md +716 -0
package/dist/sdk/typescript/src/client.d.ts +71 -0
package/dist/sdk/typescript/src/client.d.ts.map +1 -0
package/dist/sdk/typescript/src/client.js +176 -0
package/dist/sdk/typescript/src/client.js.map +1 -0
package/dist/sdk/typescript/src/errors.d.ts +50 -0
package/dist/sdk/typescript/src/errors.d.ts.map +1 -0
package/dist/sdk/typescript/src/errors.js +103 -0
package/dist/sdk/typescript/src/errors.js.map +1 -0
package/dist/sdk/typescript/src/index.d.ts +4 -0
package/dist/sdk/typescript/src/index.d.ts.map +1 -0
package/dist/sdk/typescript/src/index.js +15 -0
package/dist/sdk/typescript/src/index.js.map +1 -0
package/dist/sdk/typescript/src/types.d.ts +101 -0
package/dist/sdk/typescript/src/types.d.ts.map +1 -0
package/dist/sdk/typescript/src/types.js +6 -0
package/dist/sdk/typescript/src/types.js.map +1 -0
package/dist/src/admin/index.d.ts +2 -0
package/dist/src/admin/index.d.ts.map +1 -0
package/dist/src/admin/index.js +6 -0
package/dist/src/admin/index.js.map +1 -0
package/dist/src/admin/routes.d.ts +5 -0
package/dist/src/admin/routes.d.ts.map +1 -0
package/dist/src/admin/routes.js +471 -0
package/dist/src/admin/routes.js.map +1 -0
package/dist/src/admin/templates.d.ts +51 -0
package/dist/src/admin/templates.d.ts.map +1 -0
package/dist/src/admin/templates.js +500 -0
package/dist/src/admin/templates.js.map +1 -0
package/dist/src/anomaly/detector.d.ts +141 -0
package/dist/src/anomaly/detector.d.ts.map +1 -0
package/dist/src/anomaly/detector.js +554 -0
package/dist/src/anomaly/detector.js.map +1 -0
package/dist/src/anomaly/index.d.ts +2 -0
package/dist/src/anomaly/index.d.ts.map +1 -0
package/dist/src/anomaly/index.js +7 -0
package/dist/src/anomaly/index.js.map +1 -0
package/dist/src/approval/manager.d.ts +147 -0
package/dist/src/approval/manager.d.ts.map +1 -0
package/dist/src/approval/manager.js +511 -0
package/dist/src/approval/manager.js.map +1 -0
package/dist/src/approval/webhook.d.ts +36 -0
package/dist/src/approval/webhook.d.ts.map +1 -0
package/dist/src/approval/webhook.js +135 -0
package/dist/src/approval/webhook.js.map +1 -0
package/dist/src/audit/logger.d.ts +70 -0
package/dist/src/audit/logger.d.ts.map +1 -0
package/dist/src/audit/logger.js +440 -0
package/dist/src/audit/logger.js.map +1 -0
package/dist/src/auth/index.d.ts +6 -0
package/dist/src/auth/index.d.ts.map +1 -0
package/dist/src/auth/index.js +22 -0
package/dist/src/auth/index.js.map +1 -0
package/dist/src/auth/password.d.ts +3 -0
package/dist/src/auth/password.d.ts.map +1 -0
package/dist/src/auth/password.js +25 -0
package/dist/src/auth/password.js.map +1 -0
package/dist/src/auth/pkce.d.ts +13 -0
package/dist/src/auth/pkce.d.ts.map +1 -0
package/dist/src/auth/pkce.js +58 -0
package/dist/src/auth/pkce.js.map +1 -0
package/dist/src/auth/providers.d.ts +28 -0
package/dist/src/auth/providers.d.ts.map +1 -0
package/dist/src/auth/providers.js +198 -0
package/dist/src/auth/providers.js.map +1 -0
package/dist/src/auth/routes.d.ts +14 -0
package/dist/src/auth/routes.d.ts.map +1 -0
package/dist/src/auth/routes.js +431 -0
package/dist/src/auth/routes.js.map +1 -0
package/dist/src/auth/session.d.ts +24 -0
package/dist/src/auth/session.d.ts.map +1 -0
package/dist/src/auth/session.js +105 -0
package/dist/src/auth/session.js.map +1 -0
package/dist/src/billing/index.d.ts +7 -0
package/dist/src/billing/index.d.ts.map +1 -0
package/dist/src/billing/index.js +14 -0
package/dist/src/billing/index.js.map +1 -0
package/dist/src/billing/plan-enforcer.d.ts +44 -0
package/dist/src/billing/plan-enforcer.d.ts.map +1 -0
package/dist/src/billing/plan-enforcer.js +110 -0
package/dist/src/billing/plan-enforcer.js.map +1 -0
package/dist/src/billing/routes.d.ts +15 -0
package/dist/src/billing/routes.d.ts.map +1 -0
package/dist/src/billing/routes.js +193 -0
package/dist/src/billing/routes.js.map +1 -0
package/dist/src/billing/stripe-client.d.ts +14 -0
package/dist/src/billing/stripe-client.d.ts.map +1 -0
package/dist/src/billing/stripe-client.js +51 -0
package/dist/src/billing/stripe-client.js.map +1 -0
package/dist/src/billing/webhook-handler.d.ts +19 -0
package/dist/src/billing/webhook-handler.d.ts.map +1 -0
package/dist/src/billing/webhook-handler.js +169 -0
package/dist/src/billing/webhook-handler.js.map +1 -0
package/dist/src/billing/webhook-routes.d.ts +5 -0
package/dist/src/billing/webhook-routes.d.ts.map +1 -0
package/dist/src/billing/webhook-routes.js +30 -0
package/dist/src/billing/webhook-routes.js.map +1 -0
package/dist/src/budget/manager.d.ts +95 -0
package/dist/src/budget/manager.d.ts.map +1 -0
package/dist/src/budget/manager.js +547 -0
package/dist/src/budget/manager.js.map +1 -0
package/dist/src/budget/usage-extractor.d.ts +38 -0
package/dist/src/budget/usage-extractor.d.ts.map +1 -0
package/dist/src/budget/usage-extractor.js +165 -0
package/dist/src/budget/usage-extractor.js.map +1 -0
package/dist/src/cli.d.ts +3 -0
package/dist/src/cli.d.ts.map +1 -0
package/dist/src/cli.js +115 -0
package/dist/src/cli.js.map +1 -0
package/dist/src/config/defaults.d.ts +3 -0
package/dist/src/config/defaults.d.ts.map +1 -0
package/dist/src/config/defaults.js +243 -0
package/dist/src/config/defaults.js.map +1 -0
package/dist/src/config/validate.d.ts +15 -0
package/dist/src/config/validate.d.ts.map +1 -0
package/dist/src/config/validate.js +105 -0
package/dist/src/config/validate.js.map +1 -0
package/dist/src/dlp/composite-scanner.d.ts +47 -0
package/dist/src/dlp/composite-scanner.d.ts.map +1 -0
package/dist/src/dlp/composite-scanner.js +186 -0
package/dist/src/dlp/composite-scanner.js.map +1 -0
package/dist/src/dlp/index.d.ts +10 -0
package/dist/src/dlp/index.d.ts.map +1 -0
package/dist/src/dlp/index.js +26 -0
package/dist/src/dlp/index.js.map +1 -0
package/dist/src/dlp/interfaces.d.ts +33 -0
package/dist/src/dlp/interfaces.d.ts.map +1 -0
package/dist/src/dlp/interfaces.js +3 -0
package/dist/src/dlp/interfaces.js.map +1 -0
package/dist/src/dlp/patterns.d.ts +9 -0
package/dist/src/dlp/patterns.d.ts.map +1 -0
package/dist/src/dlp/patterns.js +25 -0
package/dist/src/dlp/patterns.js.map +1 -0
package/dist/src/dlp/prompt-injection-backend.d.ts +68 -0
package/dist/src/dlp/prompt-injection-backend.d.ts.map +1 -0
package/dist/src/dlp/prompt-injection-backend.js +148 -0
package/dist/src/dlp/prompt-injection-backend.js.map +1 -0
package/dist/src/dlp/prompt-injection-patterns.d.ts +32 -0
package/dist/src/dlp/prompt-injection-patterns.d.ts.map +1 -0
package/dist/src/dlp/prompt-injection-patterns.js +290 -0
package/dist/src/dlp/prompt-injection-patterns.js.map +1 -0
package/dist/src/dlp/regex-backend.d.ts +32 -0
package/dist/src/dlp/regex-backend.d.ts.map +1 -0
package/dist/src/dlp/regex-backend.js +153 -0
package/dist/src/dlp/regex-backend.js.map +1 -0
package/dist/src/dlp/scanner.d.ts +122 -0
package/dist/src/dlp/scanner.d.ts.map +1 -0
package/dist/src/dlp/scanner.js +444 -0
package/dist/src/dlp/scanner.js.map +1 -0
package/dist/src/dlp/text-normalizer.d.ts +41 -0
package/dist/src/dlp/text-normalizer.d.ts.map +1 -0
package/dist/src/dlp/text-normalizer.js +203 -0
package/dist/src/dlp/text-normalizer.js.map +1 -0
package/dist/src/dlp/trufflehog-backend.d.ts +64 -0
package/dist/src/dlp/trufflehog-backend.d.ts.map +1 -0
package/dist/src/dlp/trufflehog-backend.js +151 -0
package/dist/src/dlp/trufflehog-backend.js.map +1 -0
package/dist/src/executor/http-executor.d.ts +25 -0
package/dist/src/executor/http-executor.d.ts.map +1 -0
package/dist/src/executor/http-executor.js +333 -0
package/dist/src/executor/http-executor.js.map +1 -0
package/dist/src/executor/index.d.ts +6 -0
package/dist/src/executor/index.d.ts.map +1 -0
package/dist/src/executor/index.js +12 -0
package/dist/src/executor/index.js.map +1 -0
package/dist/src/executor/interfaces.d.ts +11 -0
package/dist/src/executor/interfaces.d.ts.map +1 -0
package/dist/src/executor/interfaces.js +3 -0
package/dist/src/executor/interfaces.js.map +1 -0
package/dist/src/executor/noop-executor.d.ts +13 -0
package/dist/src/executor/noop-executor.d.ts.map +1 -0
package/dist/src/executor/noop-executor.js +21 -0
package/dist/src/executor/noop-executor.js.map +1 -0
package/dist/src/executor/registry.d.ts +30 -0
package/dist/src/executor/registry.d.ts.map +1 -0
package/dist/src/executor/registry.js +62 -0
package/dist/src/executor/registry.js.map +1 -0
package/dist/src/executor/slack-executor.d.ts +24 -0
package/dist/src/executor/slack-executor.d.ts.map +1 -0
package/dist/src/executor/slack-executor.js +147 -0
package/dist/src/executor/slack-executor.js.map +1 -0
package/dist/src/index.d.ts +25 -0
package/dist/src/index.d.ts.map +1 -0
package/dist/src/index.js +74 -0
package/dist/src/index.js.map +1 -0
package/dist/src/mcp/auth-verifier.d.ts +23 -0
package/dist/src/mcp/auth-verifier.d.ts.map +1 -0
package/dist/src/mcp/auth-verifier.js +162 -0
package/dist/src/mcp/auth-verifier.js.map +1 -0
package/dist/src/mcp/bridge.d.ts +132 -0
package/dist/src/mcp/bridge.d.ts.map +1 -0
package/dist/src/mcp/bridge.js +734 -0
package/dist/src/mcp/bridge.js.map +1 -0
package/dist/src/mcp/http-transport.d.ts +32 -0
package/dist/src/mcp/http-transport.d.ts.map +1 -0
package/dist/src/mcp/http-transport.js +538 -0
package/dist/src/mcp/http-transport.js.map +1 -0
package/dist/src/mcp/index.d.ts +10 -0
package/dist/src/mcp/index.d.ts.map +1 -0
package/dist/src/mcp/index.js +17 -0
package/dist/src/mcp/index.js.map +1 -0
package/dist/src/mcp/oauth-pages.d.ts +23 -0
package/dist/src/mcp/oauth-pages.d.ts.map +1 -0
package/dist/src/mcp/oauth-pages.js +121 -0
package/dist/src/mcp/oauth-pages.js.map +1 -0
package/dist/src/mcp/oauth-postgres-stores.d.ts +55 -0
package/dist/src/mcp/oauth-postgres-stores.d.ts.map +1 -0
package/dist/src/mcp/oauth-postgres-stores.js +226 -0
package/dist/src/mcp/oauth-postgres-stores.js.map +1 -0
package/dist/src/mcp/oauth-provider.d.ts +95 -0
package/dist/src/mcp/oauth-provider.d.ts.map +1 -0
package/dist/src/mcp/oauth-provider.js +360 -0
package/dist/src/mcp/oauth-provider.js.map +1 -0
package/dist/src/mcp/oauth-stores.d.ts +62 -0
package/dist/src/mcp/oauth-stores.d.ts.map +1 -0
package/dist/src/mcp/oauth-stores.js +154 -0
package/dist/src/mcp/oauth-stores.js.map +1 -0
package/dist/src/mcp/server.d.ts +18 -0
package/dist/src/mcp/server.d.ts.map +1 -0
package/dist/src/mcp/server.js +51 -0
package/dist/src/mcp/server.js.map +1 -0
package/dist/src/metrics/collector.d.ts +106 -0
package/dist/src/metrics/collector.d.ts.map +1 -0
package/dist/src/metrics/collector.js +311 -0
package/dist/src/metrics/collector.js.map +1 -0
package/dist/src/metrics/index.d.ts +2 -0
package/dist/src/metrics/index.d.ts.map +1 -0
package/dist/src/metrics/index.js +6 -0
package/dist/src/metrics/index.js.map +1 -0
package/dist/src/middleware/auth.d.ts +77 -0
package/dist/src/middleware/auth.d.ts.map +1 -0
package/dist/src/middleware/auth.js +720 -0
package/dist/src/middleware/auth.js.map +1 -0
package/dist/src/middleware/session.d.ts +18 -0
package/dist/src/middleware/session.d.ts.map +1 -0
package/dist/src/middleware/session.js +67 -0
package/dist/src/middleware/session.js.map +1 -0
package/dist/src/middleware/validate.d.ts +3 -0
package/dist/src/middleware/validate.d.ts.map +1 -0
package/dist/src/middleware/validate.js +85 -0
package/dist/src/middleware/validate.js.map +1 -0
package/dist/src/policy/engine.d.ts +107 -0
package/dist/src/policy/engine.d.ts.map +1 -0
package/dist/src/policy/engine.js +646 -0
package/dist/src/policy/engine.js.map +1 -0
package/dist/src/policy/index.d.ts +3 -0
package/dist/src/policy/index.d.ts.map +1 -0
package/dist/src/policy/index.js +8 -0
package/dist/src/policy/index.js.map +1 -0
package/dist/src/policy/opa-engine.d.ts +176 -0
package/dist/src/policy/opa-engine.d.ts.map +1 -0
package/dist/src/policy/opa-engine.js +790 -0
package/dist/src/policy/opa-engine.js.map +1 -0
package/dist/src/proxy/forward-proxy.d.ts +30 -0
package/dist/src/proxy/forward-proxy.d.ts.map +1 -0
package/dist/src/proxy/forward-proxy.js +580 -0
package/dist/src/proxy/forward-proxy.js.map +1 -0
package/dist/src/proxy/index.d.ts +2 -0
package/dist/src/proxy/index.d.ts.map +1 -0
package/dist/src/proxy/index.js +8 -0
package/dist/src/proxy/index.js.map +1 -0
package/dist/src/ratelimit/limiter.d.ts +45 -0
package/dist/src/ratelimit/limiter.d.ts.map +1 -0
package/dist/src/ratelimit/limiter.js +158 -0
package/dist/src/ratelimit/limiter.js.map +1 -0
package/dist/src/replay/engine.d.ts +40 -0
package/dist/src/replay/engine.d.ts.map +1 -0
package/dist/src/replay/engine.js +106 -0
package/dist/src/replay/engine.js.map +1 -0
package/dist/src/replay/index.d.ts +2 -0
package/dist/src/replay/index.d.ts.map +1 -0
package/dist/src/replay/index.js +6 -0
package/dist/src/replay/index.js.map +1 -0
package/dist/src/saas/index.d.ts +2 -0
package/dist/src/saas/index.d.ts.map +1 -0
package/dist/src/saas/index.js +18 -0
package/dist/src/saas/index.js.map +1 -0
package/dist/src/saas/routes.d.ts +18 -0
package/dist/src/saas/routes.d.ts.map +1 -0
package/dist/src/saas/routes.js +1566 -0
package/dist/src/saas/routes.js.map +1 -0
package/dist/src/server/app.d.ts +44 -0
package/dist/src/server/app.d.ts.map +1 -0
package/dist/src/server/app.js +854 -0
package/dist/src/server/app.js.map +1 -0
package/dist/src/server/errors.d.ts +32 -0
package/dist/src/server/errors.d.ts.map +1 -0
package/dist/src/server/errors.js +39 -0
package/dist/src/server/errors.js.map +1 -0
package/dist/src/server/gateway.d.ts +165 -0
package/dist/src/server/gateway.d.ts.map +1 -0
package/dist/src/server/gateway.js +964 -0
package/dist/src/server/gateway.js.map +1 -0
package/dist/src/server/index.d.ts +2 -0
package/dist/src/server/index.d.ts.map +1 -0
package/dist/src/server/index.js +295 -0
package/dist/src/server/index.js.map +1 -0
package/dist/src/server/logger.d.ts +33 -0
package/dist/src/server/logger.d.ts.map +1 -0
package/dist/src/server/logger.js +230 -0
package/dist/src/server/logger.js.map +1 -0
package/dist/src/server/stream-proxy.d.ts +32 -0
package/dist/src/server/stream-proxy.d.ts.map +1 -0
package/dist/src/server/stream-proxy.js +184 -0
package/dist/src/server/stream-proxy.js.map +1 -0
package/dist/src/storage/file-persistence.d.ts +48 -0
package/dist/src/storage/file-persistence.d.ts.map +1 -0
package/dist/src/storage/file-persistence.js +280 -0
package/dist/src/storage/file-persistence.js.map +1 -0
package/dist/src/storage/index.d.ts +5 -0
package/dist/src/storage/index.d.ts.map +1 -0
package/dist/src/storage/index.js +21 -0
package/dist/src/storage/index.js.map +1 -0
package/dist/src/storage/interfaces.d.ts +237 -0
package/dist/src/storage/interfaces.d.ts.map +1 -0
package/dist/src/storage/interfaces.js +3 -0
package/dist/src/storage/interfaces.js.map +1 -0
package/dist/src/storage/memory.d.ts +162 -0
package/dist/src/storage/memory.d.ts.map +1 -0
package/dist/src/storage/memory.js +603 -0
package/dist/src/storage/memory.js.map +1 -0
package/dist/src/storage/postgres.d.ts +267 -0
package/dist/src/storage/postgres.d.ts.map +1 -0
package/dist/src/storage/postgres.js +1555 -0
package/dist/src/storage/postgres.js.map +1 -0
package/dist/src/storage/redis.d.ts +202 -0
package/dist/src/storage/redis.d.ts.map +1 -0
package/dist/src/storage/redis.js +629 -0
package/dist/src/storage/redis.js.map +1 -0
package/dist/src/tracing/index.d.ts +2 -0
package/dist/src/tracing/index.d.ts.map +1 -0
package/dist/src/tracing/index.js +6 -0
package/dist/src/tracing/index.js.map +1 -0
package/dist/src/tracing/provider.d.ts +43 -0
package/dist/src/tracing/provider.d.ts.map +1 -0
package/dist/src/tracing/provider.js +74 -0
package/dist/src/tracing/provider.js.map +1 -0
package/dist/src/trust/calculator.d.ts +54 -0
package/dist/src/trust/calculator.d.ts.map +1 -0
package/dist/src/trust/calculator.js +102 -0
package/dist/src/trust/calculator.js.map +1 -0
package/dist/src/trust/index.d.ts +2 -0
package/dist/src/trust/index.d.ts.map +1 -0
package/dist/src/trust/index.js +7 -0
package/dist/src/trust/index.js.map +1 -0
package/dist/src/types/budget.d.ts +30 -0
package/dist/src/types/budget.d.ts.map +1 -0
package/dist/src/types/budget.js +3 -0
package/dist/src/types/budget.js.map +1 -0
package/dist/src/types/config.d.ts +176 -0
package/dist/src/types/config.d.ts.map +1 -0
package/dist/src/types/config.js +3 -0
package/dist/src/types/config.js.map +1 -0
package/dist/src/types/events.d.ts +24 -0
package/dist/src/types/events.d.ts.map +1 -0
package/dist/src/types/events.js +3 -0
package/dist/src/types/events.js.map +1 -0
package/dist/src/types/index.d.ts +8 -0
package/dist/src/types/index.d.ts.map +1 -0
package/dist/src/types/index.js +24 -0
package/dist/src/types/index.js.map +1 -0
package/dist/src/types/policy.d.ts +60 -0
package/dist/src/types/policy.d.ts.map +1 -0
package/dist/src/types/policy.js +3 -0
package/dist/src/types/policy.js.map +1 -0
package/dist/src/types/stripe-config.d.ts +12 -0
package/dist/src/types/stripe-config.d.ts.map +1 -0
package/dist/src/types/stripe-config.js +3 -0
package/dist/src/types/stripe-config.js.map +1 -0
package/dist/src/types/subscription.d.ts +24 -0
package/dist/src/types/subscription.d.ts.map +1 -0
package/dist/src/types/subscription.js +38 -0
package/dist/src/types/subscription.js.map +1 -0
package/dist/src/types/tool-call.d.ts +42 -0
package/dist/src/types/tool-call.d.ts.map +1 -0
package/dist/src/types/tool-call.js +3 -0
package/dist/src/types/tool-call.js.map +1 -0
package/dist/src/types/tool-result.d.ts +58 -0
package/dist/src/types/tool-result.d.ts.map +1 -0
package/dist/src/types/tool-result.js +3 -0
package/dist/src/types/tool-result.js.map +1 -0
package/dist/src/types/user.d.ts +101 -0
package/dist/src/types/user.d.ts.map +1 -0
package/dist/src/types/user.js +6 -0
package/dist/src/types/user.js.map +1 -0
package/dist/tests/integration/api.test.d.ts +2 -0
package/dist/tests/integration/api.test.d.ts.map +1 -0
package/dist/tests/integration/api.test.js +1199 -0
package/dist/tests/integration/api.test.js.map +1 -0
package/dist/tests/integration/proxy.test.d.ts +2 -0
package/dist/tests/integration/proxy.test.d.ts.map +1 -0
package/dist/tests/integration/proxy.test.js +251 -0
package/dist/tests/integration/proxy.test.js.map +1 -0
package/dist/tests/integration/storage.test.d.ts +16 -0
package/dist/tests/integration/storage.test.d.ts.map +1 -0
package/dist/tests/integration/storage.test.js +826 -0
package/dist/tests/integration/storage.test.js.map +1 -0
package/dist/tests/unit/admin.test.d.ts +2 -0
package/dist/tests/unit/admin.test.d.ts.map +1 -0
package/dist/tests/unit/admin.test.js +698 -0
package/dist/tests/unit/admin.test.js.map +1 -0
package/dist/tests/unit/anomaly-detector.test.d.ts +2 -0
package/dist/tests/unit/anomaly-detector.test.d.ts.map +1 -0
package/dist/tests/unit/anomaly-detector.test.js +903 -0
package/dist/tests/unit/anomaly-detector.test.js.map +1 -0
package/dist/tests/unit/approval-manager.test.d.ts +2 -0
package/dist/tests/unit/approval-manager.test.d.ts.map +1 -0
package/dist/tests/unit/approval-manager.test.js +528 -0
package/dist/tests/unit/approval-manager.test.js.map +1 -0
package/dist/tests/unit/approval-webhook.test.d.ts +2 -0
package/dist/tests/unit/approval-webhook.test.d.ts.map +1 -0
package/dist/tests/unit/approval-webhook.test.js +355 -0
package/dist/tests/unit/approval-webhook.test.js.map +1 -0
package/dist/tests/unit/audit-logger.test.d.ts +2 -0
package/dist/tests/unit/audit-logger.test.d.ts.map +1 -0
package/dist/tests/unit/audit-logger.test.js +635 -0
package/dist/tests/unit/audit-logger.test.js.map +1 -0
package/dist/tests/unit/auth-routes.test.d.ts +2 -0
package/dist/tests/unit/auth-routes.test.d.ts.map +1 -0
package/dist/tests/unit/auth-routes.test.js +281 -0
package/dist/tests/unit/auth-routes.test.js.map +1 -0
package/dist/tests/unit/auth.test.d.ts +2 -0
package/dist/tests/unit/auth.test.d.ts.map +1 -0
package/dist/tests/unit/auth.test.js +1382 -0
package/dist/tests/unit/auth.test.js.map +1 -0
package/dist/tests/unit/billing.test.d.ts +2 -0
package/dist/tests/unit/billing.test.d.ts.map +1 -0
package/dist/tests/unit/billing.test.js +579 -0
package/dist/tests/unit/billing.test.js.map +1 -0
package/dist/tests/unit/budget-manager.test.d.ts +2 -0
package/dist/tests/unit/budget-manager.test.d.ts.map +1 -0
package/dist/tests/unit/budget-manager.test.js +778 -0
package/dist/tests/unit/budget-manager.test.js.map +1 -0
package/dist/tests/unit/budget-race.test.d.ts +2 -0
package/dist/tests/unit/budget-race.test.d.ts.map +1 -0
package/dist/tests/unit/budget-race.test.js +58 -0
package/dist/tests/unit/budget-race.test.js.map +1 -0
package/dist/tests/unit/cli.test.d.ts +2 -0
package/dist/tests/unit/cli.test.d.ts.map +1 -0
package/dist/tests/unit/cli.test.js +93 -0
package/dist/tests/unit/cli.test.js.map +1 -0
package/dist/tests/unit/concurrency.test.d.ts +2 -0
package/dist/tests/unit/concurrency.test.d.ts.map +1 -0
package/dist/tests/unit/concurrency.test.js +1270 -0
package/dist/tests/unit/concurrency.test.js.map +1 -0
package/dist/tests/unit/config-validate.test.d.ts +2 -0
package/dist/tests/unit/config-validate.test.d.ts.map +1 -0
package/dist/tests/unit/config-validate.test.js +230 -0
package/dist/tests/unit/config-validate.test.js.map +1 -0
package/dist/tests/unit/defaults.test.d.ts +2 -0
package/dist/tests/unit/defaults.test.d.ts.map +1 -0
package/dist/tests/unit/defaults.test.js +364 -0
package/dist/tests/unit/defaults.test.js.map +1 -0
package/dist/tests/unit/dlp-backends.test.d.ts +2 -0
package/dist/tests/unit/dlp-backends.test.d.ts.map +1 -0
package/dist/tests/unit/dlp-backends.test.js +563 -0
package/dist/tests/unit/dlp-backends.test.js.map +1 -0
package/dist/tests/unit/dlp-scanner.test.d.ts +2 -0
package/dist/tests/unit/dlp-scanner.test.d.ts.map +1 -0
package/dist/tests/unit/dlp-scanner.test.js +739 -0
package/dist/tests/unit/dlp-scanner.test.js.map +1 -0
package/dist/tests/unit/error-responses.test.d.ts +2 -0
package/dist/tests/unit/error-responses.test.d.ts.map +1 -0
package/dist/tests/unit/error-responses.test.js +101 -0
package/dist/tests/unit/error-responses.test.js.map +1 -0
package/dist/tests/unit/executor-registry.test.d.ts +2 -0
package/dist/tests/unit/executor-registry.test.d.ts.map +1 -0
package/dist/tests/unit/executor-registry.test.js +390 -0
package/dist/tests/unit/executor-registry.test.js.map +1 -0
package/dist/tests/unit/forward-proxy.test.d.ts +2 -0
package/dist/tests/unit/forward-proxy.test.d.ts.map +1 -0
package/dist/tests/unit/forward-proxy.test.js +621 -0
package/dist/tests/unit/forward-proxy.test.js.map +1 -0
package/dist/tests/unit/gateway-features.test.d.ts +2 -0
package/dist/tests/unit/gateway-features.test.d.ts.map +1 -0
package/dist/tests/unit/gateway-features.test.js +753 -0
package/dist/tests/unit/gateway-features.test.js.map +1 -0
package/dist/tests/unit/http-executor.test.d.ts +2 -0
package/dist/tests/unit/http-executor.test.d.ts.map +1 -0
package/dist/tests/unit/http-executor.test.js +310 -0
package/dist/tests/unit/http-executor.test.js.map +1 -0
package/dist/tests/unit/mcp-bridge.test.d.ts +2 -0
package/dist/tests/unit/mcp-bridge.test.d.ts.map +1 -0
package/dist/tests/unit/mcp-bridge.test.js +1136 -0
package/dist/tests/unit/mcp-bridge.test.js.map +1 -0
package/dist/tests/unit/mcp-http-transport.test.d.ts +2 -0
package/dist/tests/unit/mcp-http-transport.test.d.ts.map +1 -0
package/dist/tests/unit/mcp-http-transport.test.js +899 -0
package/dist/tests/unit/mcp-http-transport.test.js.map +1 -0
package/dist/tests/unit/mcp-oauth.test.d.ts +2 -0
package/dist/tests/unit/mcp-oauth.test.d.ts.map +1 -0
package/dist/tests/unit/mcp-oauth.test.js +759 -0
package/dist/tests/unit/mcp-oauth.test.js.map +1 -0
package/dist/tests/unit/mcp-server.test.d.ts +15 -0
package/dist/tests/unit/mcp-server.test.d.ts.map +1 -0
package/dist/tests/unit/mcp-server.test.js +158 -0
package/dist/tests/unit/mcp-server.test.js.map +1 -0
package/dist/tests/unit/metrics.test.d.ts +2 -0
package/dist/tests/unit/metrics.test.d.ts.map +1 -0
package/dist/tests/unit/metrics.test.js +208 -0
package/dist/tests/unit/metrics.test.js.map +1 -0
package/dist/tests/unit/oauth.test.d.ts +2 -0
package/dist/tests/unit/oauth.test.d.ts.map +1 -0
package/dist/tests/unit/oauth.test.js +281 -0
package/dist/tests/unit/oauth.test.js.map +1 -0
package/dist/tests/unit/opa-circuit-breaker.test.d.ts +2 -0
package/dist/tests/unit/opa-circuit-breaker.test.d.ts.map +1 -0
package/dist/tests/unit/opa-circuit-breaker.test.js +297 -0
package/dist/tests/unit/opa-circuit-breaker.test.js.map +1 -0
package/dist/tests/unit/opa-engine.test.d.ts +2 -0
package/dist/tests/unit/opa-engine.test.d.ts.map +1 -0
package/dist/tests/unit/opa-engine.test.js +1813 -0
package/dist/tests/unit/opa-engine.test.js.map +1 -0
package/dist/tests/unit/pipeline-timing.test.d.ts +2 -0
package/dist/tests/unit/pipeline-timing.test.d.ts.map +1 -0
package/dist/tests/unit/pipeline-timing.test.js +528 -0
package/dist/tests/unit/pipeline-timing.test.js.map +1 -0
package/dist/tests/unit/policy-engine.test.d.ts +2 -0
package/dist/tests/unit/policy-engine.test.d.ts.map +1 -0
package/dist/tests/unit/policy-engine.test.js +1345 -0
package/dist/tests/unit/policy-engine.test.js.map +1 -0
package/dist/tests/unit/policy-store.test.d.ts +2 -0
package/dist/tests/unit/policy-store.test.d.ts.map +1 -0
package/dist/tests/unit/policy-store.test.js +60 -0
package/dist/tests/unit/policy-store.test.js.map +1 -0
package/dist/tests/unit/postgres-storage.test.d.ts +2 -0
package/dist/tests/unit/postgres-storage.test.d.ts.map +1 -0
package/dist/tests/unit/postgres-storage.test.js +614 -0
package/dist/tests/unit/postgres-storage.test.js.map +1 -0
package/dist/tests/unit/prompt-injection-backend.test.d.ts +2 -0
package/dist/tests/unit/prompt-injection-backend.test.d.ts.map +1 -0
package/dist/tests/unit/prompt-injection-backend.test.js +621 -0
package/dist/tests/unit/prompt-injection-backend.test.js.map +1 -0
package/dist/tests/unit/proxy-hardening.test.d.ts +2 -0
package/dist/tests/unit/proxy-hardening.test.d.ts.map +1 -0
package/dist/tests/unit/proxy-hardening.test.js +166 -0
package/dist/tests/unit/proxy-hardening.test.js.map +1 -0
package/dist/tests/unit/rate-limiter.test.d.ts +2 -0
package/dist/tests/unit/rate-limiter.test.d.ts.map +1 -0
package/dist/tests/unit/rate-limiter.test.js +443 -0
package/dist/tests/unit/rate-limiter.test.js.map +1 -0
package/dist/tests/unit/redis-storage.test.d.ts +2 -0
package/dist/tests/unit/redis-storage.test.d.ts.map +1 -0
package/dist/tests/unit/redis-storage.test.js +766 -0
package/dist/tests/unit/redis-storage.test.js.map +1 -0
package/dist/tests/unit/replay-engine.test.d.ts +2 -0
package/dist/tests/unit/replay-engine.test.d.ts.map +1 -0
package/dist/tests/unit/replay-engine.test.js +371 -0
package/dist/tests/unit/replay-engine.test.js.map +1 -0
package/dist/tests/unit/saas-routes.test.d.ts +2 -0
package/dist/tests/unit/saas-routes.test.d.ts.map +1 -0
package/dist/tests/unit/saas-routes.test.js +1399 -0
package/dist/tests/unit/saas-routes.test.js.map +1 -0
package/dist/tests/unit/session.test.d.ts +2 -0
package/dist/tests/unit/session.test.d.ts.map +1 -0
package/dist/tests/unit/session.test.js +532 -0
package/dist/tests/unit/session.test.js.map +1 -0
package/dist/tests/unit/slack-executor.test.d.ts +2 -0
package/dist/tests/unit/slack-executor.test.d.ts.map +1 -0
package/dist/tests/unit/slack-executor.test.js +209 -0
package/dist/tests/unit/slack-executor.test.js.map +1 -0
package/dist/tests/unit/storage-hardening.test.d.ts +2 -0
package/dist/tests/unit/storage-hardening.test.d.ts.map +1 -0
package/dist/tests/unit/storage-hardening.test.js +165 -0
package/dist/tests/unit/storage-hardening.test.js.map +1 -0
package/dist/tests/unit/storage.test.d.ts +2 -0
package/dist/tests/unit/storage.test.d.ts.map +1 -0
package/dist/tests/unit/storage.test.js +698 -0
package/dist/tests/unit/storage.test.js.map +1 -0
package/dist/tests/unit/text-normalizer.test.d.ts +2 -0
package/dist/tests/unit/text-normalizer.test.d.ts.map +1 -0
package/dist/tests/unit/text-normalizer.test.js +229 -0
package/dist/tests/unit/text-normalizer.test.js.map +1 -0
package/dist/tests/unit/tracing.test.d.ts +2 -0
package/dist/tests/unit/tracing.test.d.ts.map +1 -0
package/dist/tests/unit/tracing.test.js +611 -0
package/dist/tests/unit/tracing.test.js.map +1 -0
package/dist/tests/unit/trust-calculator.test.d.ts +2 -0
package/dist/tests/unit/trust-calculator.test.d.ts.map +1 -0
package/dist/tests/unit/trust-calculator.test.js +497 -0
package/dist/tests/unit/trust-calculator.test.js.map +1 -0
package/dist/tests/unit/ts-sdk.test.d.ts +2 -0
package/dist/tests/unit/ts-sdk.test.d.ts.map +1 -0
package/dist/tests/unit/ts-sdk.test.js +421 -0
package/dist/tests/unit/ts-sdk.test.js.map +1 -0
package/dist/tests/unit/usage-extractor-llm.test.d.ts +2 -0
package/dist/tests/unit/usage-extractor-llm.test.d.ts.map +1 -0
package/dist/tests/unit/usage-extractor-llm.test.js +139 -0
package/dist/tests/unit/usage-extractor-llm.test.js.map +1 -0
package/dist/tests/unit/usage-extractor.test.d.ts +2 -0
package/dist/tests/unit/usage-extractor.test.d.ts.map +1 -0
package/dist/tests/unit/usage-extractor.test.js +271 -0
package/dist/tests/unit/usage-extractor.test.js.map +1 -0
package/dist/tests/unit/user-stores.test.d.ts +2 -0
package/dist/tests/unit/user-stores.test.d.ts.map +1 -0
package/dist/tests/unit/user-stores.test.js +687 -0
package/dist/tests/unit/user-stores.test.js.map +1 -0
package/dist/tests/unit/validate.test.d.ts +2 -0
package/dist/tests/unit/validate.test.d.ts.map +1 -0
package/dist/tests/unit/validate.test.js +545 -0
package/dist/tests/unit/validate.test.js.map +1 -0
package/package.json +86 -0
package/policy-packs/README.md +42 -0
package/policy-packs/default.yaml +46 -0
package/policy-packs/dev_fast.yaml +54 -0
package/policy-packs/prod_strict.yaml +83 -0

package/dist/tests/unit/mcp-oauth.test.js ADDED Viewed

@@ -0,0 +1,759 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+// ---------------------------------------------------------------------------
+// Mock SaaS stores
+// ---------------------------------------------------------------------------
+function createMockStores() {
+    const users = new Map();
+    const workspaces = new Map();
+    const members = [];
+    const sessions = new Map();
+    return {
+        userStore: {
+            create(u) { users.set(u.id, u); },
+            getById(id) { return users.get(id); },
+            getByEmail(email) { for (const u of users.values()) {
+                if (u.email === email)
+                    return u;
+            } return undefined; },
+            update(id, updates) { const u = users.get(id); if (!u)
+                return undefined; Object.assign(u, updates); return u; },
+            delete(id) { return users.delete(id); },
+            list() { return Array.from(users.values()); },
+        },
+        workspaceStore: {
+            create(w) { workspaces.set(w.id, w); },
+            getById(id) { return workspaces.get(id); },
+            getBySlug(slug) { for (const w of workspaces.values()) {
+                if (w.slug === slug)
+                    return w;
+            } return undefined; },
+            getByOwner(userId) { return Array.from(workspaces.values()).filter(w => w.owner_user_id === userId); },
+            update(id, updates) { const w = workspaces.get(id); if (!w)
+                return undefined; Object.assign(w, updates); return w; },
+            delete(id) { return workspaces.delete(id); },
+            list() { return Array.from(workspaces.values()); },
+        },
+        workspaceMemberStore: {
+            create(m) { members.push(m); },
+            getById(id) { return members.find(m => m.id === id); },
+            getByWorkspace(wsId) { return members.filter(m => m.workspace_id === wsId); },
+            getByUser(userId) { return members.filter(m => m.user_id === userId); },
+            getByWorkspaceAndUser(wsId, userId) { return members.find(m => m.workspace_id === wsId && m.user_id === userId); },
+            update(id, updates) { const m = members.find(x => x.id === id); if (!m)
+                return undefined; Object.assign(m, updates); return m; },
+            delete(id) { const idx = members.findIndex(m => m.id === id); if (idx >= 0) {
+                members.splice(idx, 1);
+                return true;
+            } return false; },
+        },
+        sessionStore: {
+            create(s) { sessions.set(s.id, s); },
+            getById(id) { return sessions.get(id); },
+            getByUserId(userId) { return Array.from(sessions.values()).filter(s => s.user_id === userId); },
+            update(id, updates) { const s = sessions.get(id); if (!s)
+                return undefined; Object.assign(s, updates); return s; },
+            delete(id) { return sessions.delete(id); },
+            deleteExpired() { return 0; },
+            deleteByUserId(userId) { let count = 0; for (const [id, s] of sessions) {
+                if (s.user_id === userId) {
+                    sessions.delete(id);
+                    count++;
+                }
+            } return count; },
+        },
+    };
+}
+function seedTestData(stores) {
+    const now = new Date().toISOString();
+    stores.userStore.create({
+        id: 'usr_test1',
+        email: 'alice@test.com',
+        display_name: 'Alice',
+        status: 'active',
+        onboarding_completed: true,
+        created_at: now,
+        updated_at: now,
+    });
+    stores.workspaceStore.create({
+        id: 'ws_prod',
+        name: 'Production',
+        slug: 'production',
+        owner_user_id: 'usr_test1',
+        plan: 'free',
+        settings: {},
+        created_at: now,
+        updated_at: now,
+    });
+    stores.workspaceMemberStore.create({
+        id: 'wm_1',
+        workspace_id: 'ws_prod',
+        user_id: 'usr_test1',
+        role: 'owner',
+        joined_at: now,
+    });
+    stores.sessionStore.create({
+        id: 'sess_abc123',
+        user_id: 'usr_test1',
+        workspace_id: 'ws_prod',
+        expires_at: new Date(Date.now() + 3600000).toISOString(),
+        last_active_at: now,
+        created_at: now,
+    });
+}
+// ---------------------------------------------------------------------------
+// Imports
+// ---------------------------------------------------------------------------
+const oauth_stores_1 = require("../../src/mcp/oauth-stores");
+const oauth_provider_1 = require("../../src/mcp/oauth-provider");
+const auth_verifier_1 = require("../../src/mcp/auth-verifier");
+// ---------------------------------------------------------------------------
+// OAuth Stores
+// ---------------------------------------------------------------------------
+describe('OAuthClientsStore', () => {
+    let store;
+    beforeEach(() => { store = new oauth_stores_1.OAuthClientsStore(); });
+    it('registers a client with generated ID and secret', () => {
+        const client = store.registerClient({
+            redirect_uris: [new URL('http://localhost:3000/callback')],
+            client_name: 'Test Client',
+        });
+        expect(client.client_id).toMatch(/^pn_client_/);
+        expect(client.client_secret).toBeDefined();
+        expect(client.client_secret.length).toBe(64); // 32 bytes hex
+        expect(client.client_id_issued_at).toBeGreaterThan(0);
+        expect(client.client_name).toBe('Test Client');
+    });
+    it('retrieves a registered client by ID', () => {
+        const client = store.registerClient({
+            redirect_uris: [new URL('http://localhost:3000/callback')],
+        });
+        const found = store.getClient(client.client_id);
+        expect(found).toBeDefined();
+        expect(found.client_id).toBe(client.client_id);
+    });
+    it('returns undefined for unknown client ID', () => {
+        expect(store.getClient('nonexistent')).toBeUndefined();
+    });
+    it('serializes and loads entries for persistence', () => {
+        const client = store.registerClient({
+            redirect_uris: [new URL('http://localhost:3000/callback')],
+            client_name: 'Persistent',
+        });
+        const entries = store.entries();
+        expect(entries.length).toBe(1);
+        const newStore = new oauth_stores_1.OAuthClientsStore();
+        newStore.load(entries);
+        const found = newStore.getClient(client.client_id);
+        expect(found).toBeDefined();
+        expect(found.client_name).toBe('Persistent');
+    });
+});
+describe('AuthCodeStore', () => {
+    let store;
+    beforeEach(() => { store = new oauth_stores_1.AuthCodeStore(10000); }); // 10s TTL
+    afterEach(() => { store.destroy(); });
+    it('saves and retrieves an auth code', () => {
+        store.save({
+            code: 'code_123',
+            clientId: 'client_1',
+            codeChallenge: 'challenge',
+            redirectUri: 'http://localhost/callback',
+            scopes: ['mcp:tools'],
+            userId: 'usr_1',
+            workspaceId: 'ws_1',
+            expiresAt: Date.now() + 60000,
+        });
+        const entry = store.get('code_123');
+        expect(entry).toBeDefined();
+        expect(entry.clientId).toBe('client_1');
+    });
+    it('returns undefined for unknown code', () => {
+        expect(store.get('nonexistent')).toBeUndefined();
+    });
+    it('returns undefined for expired code', () => {
+        store.save({
+            code: 'expired',
+            clientId: 'client_1',
+            codeChallenge: 'challenge',
+            redirectUri: 'http://localhost/callback',
+            scopes: [],
+            userId: 'usr_1',
+            workspaceId: 'ws_1',
+            expiresAt: Date.now() - 1000, // Already expired
+        });
+        expect(store.get('expired')).toBeUndefined();
+    });
+    it('consume removes the code after retrieval', () => {
+        store.save({
+            code: 'one_time',
+            clientId: 'client_1',
+            codeChallenge: 'challenge',
+            redirectUri: 'http://localhost/callback',
+            scopes: [],
+            userId: 'usr_1',
+            workspaceId: 'ws_1',
+            expiresAt: Date.now() + 60000,
+        });
+        const entry = store.consume('one_time');
+        expect(entry).toBeDefined();
+        expect(store.get('one_time')).toBeUndefined(); // Gone after consume
+    });
+});
+describe('OAuthTokenStore', () => {
+    let store;
+    beforeEach(() => { store = new oauth_stores_1.OAuthTokenStore(3600, 86400); }); // 1h access, 24h refresh
+    afterEach(() => { store.destroy(); });
+    it('saves and retrieves access tokens', () => {
+        const nowSec = Math.floor(Date.now() / 1000);
+        store.saveAccessToken({
+            token: 'access_abc',
+            clientId: 'client_1',
+            userId: 'usr_1',
+            workspaceId: 'ws_1',
+            scopes: ['mcp:tools'],
+            expiresAt: nowSec + 3600,
+            createdAt: nowSec,
+        });
+        const entry = store.getAccessToken('access_abc');
+        expect(entry).toBeDefined();
+        expect(entry.workspaceId).toBe('ws_1');
+    });
+    it('returns undefined for expired access token', () => {
+        store.saveAccessToken({
+            token: 'expired_token',
+            clientId: 'client_1',
+            userId: 'usr_1',
+            workspaceId: 'ws_1',
+            scopes: [],
+            expiresAt: Math.floor(Date.now() / 1000) - 1,
+            createdAt: Math.floor(Date.now() / 1000) - 3601,
+        });
+        expect(store.getAccessToken('expired_token')).toBeUndefined();
+    });
+    it('revokes access tokens', () => {
+        const nowSec = Math.floor(Date.now() / 1000);
+        store.saveAccessToken({
+            token: 'revoke_me',
+            clientId: 'client_1',
+            userId: 'usr_1',
+            workspaceId: 'ws_1',
+            scopes: [],
+            expiresAt: nowSec + 3600,
+            createdAt: nowSec,
+        });
+        store.revokeAccessToken('revoke_me');
+        expect(store.getAccessToken('revoke_me')).toBeUndefined();
+    });
+    it('saves and retrieves refresh tokens', () => {
+        const nowSec = Math.floor(Date.now() / 1000);
+        store.saveRefreshToken({
+            token: 'refresh_xyz',
+            clientId: 'client_1',
+            userId: 'usr_1',
+            workspaceId: 'ws_1',
+            scopes: ['mcp:tools'],
+            expiresAt: nowSec + 86400,
+            createdAt: nowSec,
+        });
+        const entry = store.getRefreshToken('refresh_xyz');
+        expect(entry).toBeDefined();
+    });
+    it('exposes TTL values', () => {
+        expect(store.accessTtlSeconds).toBe(3600);
+        expect(store.refreshTtlSeconds).toBe(86400);
+    });
+});
+// ---------------------------------------------------------------------------
+// PalarynOAuthProvider
+// ---------------------------------------------------------------------------
+describe('PalarynOAuthProvider', () => {
+    let stores;
+    let clientsStore;
+    let authCodeStore;
+    let tokenStore;
+    let provider;
+    beforeEach(() => {
+        stores = createMockStores();
+        seedTestData(stores);
+        clientsStore = new oauth_stores_1.OAuthClientsStore();
+        authCodeStore = new oauth_stores_1.AuthCodeStore();
+        tokenStore = new oauth_stores_1.OAuthTokenStore(3600, 86400);
+        provider = new oauth_provider_1.PalarynOAuthProvider({
+            clientsStore,
+            authCodeStore,
+            tokenStore,
+            userStore: stores.userStore,
+            workspaceStore: stores.workspaceStore,
+            workspaceMemberStore: stores.workspaceMemberStore,
+            sessionStore: stores.sessionStore,
+        });
+    });
+    afterEach(() => {
+        authCodeStore.destroy();
+        tokenStore.destroy();
+    });
+    it('exposes the clients store', () => {
+        expect(provider.clientsStore).toBe(clientsStore);
+    });
+    describe('authorize', () => {
+        it('redirects to login when no session cookie', async () => {
+            const client = clientsStore.registerClient({
+                redirect_uris: [new URL('http://localhost/callback')],
+                client_name: 'Test',
+            });
+            const res = {
+                req: { cookies: {} },
+                redirect: jest.fn(),
+                setHeader: jest.fn(),
+                status: jest.fn().mockReturnThis(),
+                type: jest.fn().mockReturnThis(),
+                send: jest.fn(),
+            };
+            await provider.authorize(client, { codeChallenge: 'test', redirectUri: 'http://localhost/callback', scopes: ['mcp:tools'] }, res);
+            expect(res.redirect).toHaveBeenCalled();
+            const redirectUrl = res.redirect.mock.calls[0][0];
+            expect(redirectUrl).toContain('/login');
+            expect(redirectUrl).toContain('return_to=');
+        });
+        it('renders consent page when session is valid', async () => {
+            const client = clientsStore.registerClient({
+                redirect_uris: [new URL('http://localhost/callback')],
+                client_name: 'Claude Code',
+            });
+            const res = {
+                req: { cookies: { pn_session: 'sess_abc123' } },
+                redirect: jest.fn(),
+                setHeader: jest.fn(),
+                status: jest.fn().mockReturnThis(),
+                type: jest.fn().mockReturnThis(),
+                send: jest.fn(),
+            };
+            await provider.authorize(client, { codeChallenge: 'test_challenge', redirectUri: 'http://localhost/callback', scopes: ['mcp:tools'] }, res);
+            expect(res.status).toHaveBeenCalledWith(200);
+            expect(res.type).toHaveBeenCalledWith('html');
+            const html = res.send.mock.calls[0][0];
+            expect(html).toContain('Claude Code');
+            expect(html).toContain('ws_prod'); // Single workspace → hidden input with workspace ID
+            expect(html).toContain('Approve');
+            expect(html).toContain('Deny');
+        });
+        it('shows error when user has no workspaces', async () => {
+            // Create a user with no workspace memberships
+            stores.userStore.create({
+                id: 'usr_lonely',
+                email: 'lonely@test.com',
+                display_name: 'Lonely',
+                status: 'active',
+                onboarding_completed: true,
+                created_at: new Date().toISOString(),
+                updated_at: new Date().toISOString(),
+            });
+            stores.sessionStore.create({
+                id: 'sess_lonely',
+                user_id: 'usr_lonely',
+                expires_at: new Date(Date.now() + 3600000).toISOString(),
+                last_active_at: new Date().toISOString(),
+                created_at: new Date().toISOString(),
+            });
+            const client = clientsStore.registerClient({
+                redirect_uris: [new URL('http://localhost/callback')],
+            });
+            const res = {
+                req: { cookies: { pn_session: 'sess_lonely' } },
+                redirect: jest.fn(),
+                setHeader: jest.fn(),
+                status: jest.fn().mockReturnThis(),
+                type: jest.fn().mockReturnThis(),
+                send: jest.fn(),
+            };
+            await provider.authorize(client, { codeChallenge: 'test', redirectUri: 'http://localhost/callback' }, res);
+            expect(res.status).toHaveBeenCalledWith(403);
+            const html = res.send.mock.calls[0][0];
+            expect(html).toContain('No workspaces');
+        });
+    });
+    describe('handleConsentDecision', () => {
+        let client;
+        let csrfToken;
+        beforeEach(async () => {
+            client = clientsStore.registerClient({
+                redirect_uris: [new URL('http://localhost/callback')],
+                client_name: 'Test',
+            });
+            // Trigger authorize to create CSRF token
+            const res = {
+                req: { cookies: { pn_session: 'sess_abc123' } },
+                redirect: jest.fn(),
+                setHeader: jest.fn(),
+                status: jest.fn().mockReturnThis(),
+                type: jest.fn().mockReturnThis(),
+                send: jest.fn(),
+            };
+            await provider.authorize(client, { codeChallenge: 'test_challenge', redirectUri: 'http://localhost/callback', scopes: ['mcp:tools'] }, res);
+            // Extract CSRF token from HTML
+            const html = res.send.mock.calls[0][0];
+            const csrfMatch = html.match(/name="csrf_token" value="([^"]+)"/);
+            csrfToken = csrfMatch[1];
+        });
+        it('generates auth code on approve', async () => {
+            const result = await provider.handleConsentDecision({
+                client_id: client.client_id,
+                redirect_uri: 'http://localhost/callback',
+                state: 'test_state',
+                code_challenge: 'test_challenge',
+                scopes: 'mcp:tools',
+                csrf_token: csrfToken,
+                workspace_id: 'ws_prod',
+                decision: 'approve',
+            }, 'usr_test1');
+            expect('redirectUrl' in result).toBe(true);
+            const url = new URL(result.redirectUrl);
+            expect(url.searchParams.get('code')).toBeTruthy();
+            expect(url.searchParams.get('state')).toBe('test_state');
+        });
+        it('returns access_denied on deny', async () => {
+            const result = await provider.handleConsentDecision({
+                client_id: client.client_id,
+                redirect_uri: 'http://localhost/callback',
+                state: 'test_state',
+                code_challenge: 'test_challenge',
+                scopes: 'mcp:tools',
+                csrf_token: csrfToken,
+                workspace_id: 'ws_prod',
+                decision: 'deny',
+            }, 'usr_test1');
+            expect('redirectUrl' in result).toBe(true);
+            const url = new URL(result.redirectUrl);
+            expect(url.searchParams.get('error')).toBe('access_denied');
+        });
+        it('rejects invalid CSRF token', async () => {
+            const result = await provider.handleConsentDecision({
+                client_id: client.client_id,
+                redirect_uri: 'http://localhost/callback',
+                code_challenge: 'test_challenge',
+                scopes: 'mcp:tools',
+                csrf_token: 'bad_token',
+                workspace_id: 'ws_prod',
+                decision: 'approve',
+            }, 'usr_test1');
+            expect('error' in result).toBe(true);
+            expect(result.status).toBe(403);
+        });
+        it('rejects wrong workspace', async () => {
+            const result = await provider.handleConsentDecision({
+                client_id: client.client_id,
+                redirect_uri: 'http://localhost/callback',
+                code_challenge: 'test_challenge',
+                scopes: 'mcp:tools',
+                csrf_token: csrfToken,
+                workspace_id: 'ws_nonexistent',
+                decision: 'approve',
+            }, 'usr_test1');
+            expect('error' in result).toBe(true);
+            expect(result.status).toBe(403);
+        });
+    });
+    describe('full token exchange flow', () => {
+        it('exchanges auth code for tokens', async () => {
+            const client = clientsStore.registerClient({
+                redirect_uris: [new URL('http://localhost/callback')],
+            });
+            // Save an auth code directly
+            authCodeStore.save({
+                code: 'test_code',
+                clientId: client.client_id,
+                codeChallenge: 'challenge123',
+                redirectUri: 'http://localhost/callback',
+                scopes: ['mcp:tools'],
+                userId: 'usr_test1',
+                workspaceId: 'ws_prod',
+                expiresAt: Date.now() + 60000,
+            });
+            const tokens = await provider.exchangeAuthorizationCode(client, 'test_code');
+            expect(tokens.access_token).toBeTruthy();
+            expect(tokens.refresh_token).toBeTruthy();
+            expect(tokens.token_type).toBe('Bearer');
+            expect(tokens.expires_in).toBe(3600);
+            expect(tokens.scope).toBe('mcp:tools');
+        });
+        it('rejects mismatched client ID', async () => {
+            const client1 = clientsStore.registerClient({ redirect_uris: [new URL('http://localhost/cb')] });
+            const client2 = clientsStore.registerClient({ redirect_uris: [new URL('http://localhost/cb')] });
+            authCodeStore.save({
+                code: 'code_for_client1',
+                clientId: client1.client_id,
+                codeChallenge: 'c',
+                redirectUri: 'http://localhost/cb',
+                scopes: [],
+                userId: 'usr_test1',
+                workspaceId: 'ws_prod',
+                expiresAt: Date.now() + 60000,
+            });
+            await expect(provider.exchangeAuthorizationCode(client2, 'code_for_client1')).rejects.toThrow('Client ID mismatch');
+        });
+        it('auth code is single-use', async () => {
+            const client = clientsStore.registerClient({ redirect_uris: [new URL('http://localhost/cb')] });
+            authCodeStore.save({
+                code: 'single_use',
+                clientId: client.client_id,
+                codeChallenge: 'c',
+                redirectUri: 'http://localhost/cb',
+                scopes: [],
+                userId: 'usr_test1',
+                workspaceId: 'ws_prod',
+                expiresAt: Date.now() + 60000,
+            });
+            await provider.exchangeAuthorizationCode(client, 'single_use');
+            await expect(provider.exchangeAuthorizationCode(client, 'single_use')).rejects.toThrow('not found');
+        });
+    });
+    describe('verifyAccessToken', () => {
+        it('returns AuthInfo with Palaryn context', async () => {
+            const client = clientsStore.registerClient({ redirect_uris: [new URL('http://localhost/cb')] });
+            authCodeStore.save({
+                code: 'code_verify',
+                clientId: client.client_id,
+                codeChallenge: 'c',
+                redirectUri: 'http://localhost/cb',
+                scopes: ['mcp:tools'],
+                userId: 'usr_test1',
+                workspaceId: 'ws_prod',
+                expiresAt: Date.now() + 60000,
+            });
+            const tokens = await provider.exchangeAuthorizationCode(client, 'code_verify');
+            const authInfo = await provider.verifyAccessToken(tokens.access_token);
+            expect(authInfo.token).toBe(tokens.access_token);
+            expect(authInfo.clientId).toBe(client.client_id);
+            expect(authInfo.scopes).toEqual(['mcp:tools']);
+            expect(authInfo.expiresAt).toBeGreaterThan(Date.now() / 1000);
+            expect(authInfo.extra).toBeDefined();
+            expect(authInfo.extra.workspace_id).toBe('ws_prod');
+            expect(authInfo.extra.actor_id).toBe('user:usr_test1');
+            expect(authInfo.extra.auth_method).toBe('oauth');
+            expect(authInfo.extra.roles).toEqual(['admin']); // owner maps to admin
+        });
+        it('rejects invalid token', async () => {
+            await expect(provider.verifyAccessToken('nonexistent_token')).rejects.toThrow('Invalid or expired');
+        });
+    });
+    describe('exchangeRefreshToken', () => {
+        it('rotates refresh token', async () => {
+            const client = clientsStore.registerClient({ redirect_uris: [new URL('http://localhost/cb')] });
+            authCodeStore.save({
+                code: 'code_refresh',
+                clientId: client.client_id,
+                codeChallenge: 'c',
+                redirectUri: 'http://localhost/cb',
+                scopes: ['mcp:tools'],
+                userId: 'usr_test1',
+                workspaceId: 'ws_prod',
+                expiresAt: Date.now() + 60000,
+            });
+            const tokens1 = await provider.exchangeAuthorizationCode(client, 'code_refresh');
+            const tokens2 = await provider.exchangeRefreshToken(client, tokens1.refresh_token);
+            // New tokens issued
+            expect(tokens2.access_token).toBeTruthy();
+            expect(tokens2.refresh_token).toBeTruthy();
+            expect(tokens2.access_token).not.toBe(tokens1.access_token);
+            expect(tokens2.refresh_token).not.toBe(tokens1.refresh_token);
+            // Old refresh token revoked
+            await expect(provider.exchangeRefreshToken(client, tokens1.refresh_token)).rejects.toThrow('Invalid refresh token');
+            // New access token works
+            const authInfo = await provider.verifyAccessToken(tokens2.access_token);
+            expect(authInfo.extra.workspace_id).toBe('ws_prod');
+        });
+    });
+    describe('revokeToken', () => {
+        it('revokes access token', async () => {
+            const client = clientsStore.registerClient({ redirect_uris: [new URL('http://localhost/cb')] });
+            authCodeStore.save({
+                code: 'code_revoke',
+                clientId: client.client_id,
+                codeChallenge: 'c',
+                redirectUri: 'http://localhost/cb',
+                scopes: [],
+                userId: 'usr_test1',
+                workspaceId: 'ws_prod',
+                expiresAt: Date.now() + 60000,
+            });
+            const tokens = await provider.exchangeAuthorizationCode(client, 'code_revoke');
+            await provider.revokeToken(client, { token: tokens.access_token });
+            await expect(provider.verifyAccessToken(tokens.access_token)).rejects.toThrow();
+        });
+    });
+    describe('challengeForAuthorizationCode', () => {
+        it('returns the stored code challenge', async () => {
+            const client = clientsStore.registerClient({ redirect_uris: [new URL('http://localhost/cb')] });
+            authCodeStore.save({
+                code: 'code_pkce',
+                clientId: client.client_id,
+                codeChallenge: 'S256_challenge_value',
+                redirectUri: 'http://localhost/cb',
+                scopes: [],
+                userId: 'usr_test1',
+                workspaceId: 'ws_prod',
+                expiresAt: Date.now() + 60000,
+            });
+            const challenge = await provider.challengeForAuthorizationCode(client, 'code_pkce');
+            expect(challenge).toBe('S256_challenge_value');
+        });
+        it('throws for unknown code', async () => {
+            const client = clientsStore.registerClient({ redirect_uris: [new URL('http://localhost/cb')] });
+            await expect(provider.challengeForAuthorizationCode(client, 'nonexistent')).rejects.toThrow('not found');
+        });
+    });
+});
+// ---------------------------------------------------------------------------
+// HybridTokenVerifier
+// ---------------------------------------------------------------------------
+describe('HybridTokenVerifier', () => {
+    let stores;
+    let clientsStore;
+    let authCodeStore;
+    let tokenStore;
+    let oauthProvider;
+    beforeEach(() => {
+        stores = createMockStores();
+        seedTestData(stores);
+        clientsStore = new oauth_stores_1.OAuthClientsStore();
+        authCodeStore = new oauth_stores_1.AuthCodeStore();
+        tokenStore = new oauth_stores_1.OAuthTokenStore(3600, 86400);
+        oauthProvider = new oauth_provider_1.PalarynOAuthProvider({
+            clientsStore,
+            authCodeStore,
+            tokenStore,
+            userStore: stores.userStore,
+            workspaceStore: stores.workspaceStore,
+            workspaceMemberStore: stores.workspaceMemberStore,
+            sessionStore: stores.sessionStore,
+        });
+    });
+    afterEach(() => {
+        authCodeStore.destroy();
+        tokenStore.destroy();
+    });
+    it('verifies OAuth tokens first', async () => {
+        const client = clientsStore.registerClient({ redirect_uris: [new URL('http://localhost/cb')] });
+        authCodeStore.save({
+            code: 'code_hybrid',
+            clientId: client.client_id,
+            codeChallenge: 'c',
+            redirectUri: 'http://localhost/cb',
+            scopes: ['mcp:tools'],
+            userId: 'usr_test1',
+            workspaceId: 'ws_prod',
+            expiresAt: Date.now() + 60000,
+        });
+        const tokens = await oauthProvider.exchangeAuthorizationCode(client, 'code_hybrid');
+        const verifier = new auth_verifier_1.HybridTokenVerifier({
+            oauthProvider,
+            authConfig: { enabled: true, api_keys: {} },
+        });
+        const authInfo = await verifier.verifyAccessToken(tokens.access_token);
+        expect(authInfo.extra.auth_method).toBe('oauth');
+        expect(authInfo.extra.workspace_id).toBe('ws_prod');
+    });
+    it('falls back to config API keys', async () => {
+        const verifier = new auth_verifier_1.HybridTokenVerifier({
+            oauthProvider,
+            authConfig: {
+                enabled: true,
+                api_keys: {
+                    'test-api-key-123': {
+                        workspace_id: 'ws_config',
+                        description: 'Test key',
+                        roles: [],
+                    },
+                },
+            },
+        });
+        const authInfo = await verifier.verifyAccessToken('test-api-key-123');
+        expect(authInfo.extra.auth_method).toBe('api_key');
+        expect(authInfo.extra.workspace_id).toBe('ws_config');
+    });
+    it('rejects expired config API keys', async () => {
+        const verifier = new auth_verifier_1.HybridTokenVerifier({
+            authConfig: {
+                enabled: true,
+                api_keys: {
+                    'expired-key': {
+                        workspace_id: 'ws_1',
+                        expires_at: new Date(Date.now() - 1000).toISOString(),
+                    },
+                },
+            },
+        });
+        await expect(verifier.verifyAccessToken('expired-key')).rejects.toThrow('expired');
+    });
+    it('rejects revoked config API keys', async () => {
+        const verifier = new auth_verifier_1.HybridTokenVerifier({
+            authConfig: {
+                enabled: true,
+                api_keys: {
+                    'revoked-key': {
+                        workspace_id: 'ws_1',
+                        revoked: true,
+                    },
+                },
+            },
+        });
+        await expect(verifier.verifyAccessToken('revoked-key')).rejects.toThrow('Invalid');
+    });
+    it('returns anonymous AuthInfo when auth disabled', async () => {
+        const verifier = new auth_verifier_1.HybridTokenVerifier({
+            authConfig: { enabled: false, api_keys: {} },
+        });
+        const authInfo = await verifier.verifyAccessToken('anything');
+        expect(authInfo.extra.auth_method).toBe('none');
+        expect(authInfo.extra.workspace_id).toBe('ws_default');
+    });
+    it('rejects unknown tokens when auth enabled and no OAuth', async () => {
+        const verifier = new auth_verifier_1.HybridTokenVerifier({
+            authConfig: { enabled: true, api_keys: {} },
+        });
+        await expect(verifier.verifyAccessToken('unknown')).rejects.toThrow('Invalid');
+    });
+});
+// ---------------------------------------------------------------------------
+// resolveIdentity with OAuth AuthInfo shape
+// ---------------------------------------------------------------------------
+describe('resolveIdentity with OAuth AuthInfo', () => {
+    // We test this indirectly through the http-transport module.
+    // The key behavior: identity is extracted from extra.workspace_id when
+    // top-level workspace_id is absent (OAuth shape).
+    it('extracts identity from extra field (OAuth shape)', () => {
+        // Simulate what requireBearerAuth sets on req.auth
+        const authInfo = {
+            token: 'abc',
+            clientId: 'pn_client_123',
+            scopes: ['mcp:tools'],
+            expiresAt: Math.floor(Date.now() / 1000) + 3600,
+            extra: {
+                workspace_id: 'ws_oauth',
+                actor_id: 'user:usr_1',
+                roles: ['admin'],
+                permissions: ['tool:execute'],
+                auth_method: 'oauth',
+            },
+        };
+        // Use the exported function from http-transport
+        // We can't easily import the private function, so we verify via integration
+        // by checking the extra field structure matches what resolveIdentity expects
+        expect(authInfo.extra.workspace_id).toBe('ws_oauth');
+        expect(authInfo.extra.actor_id).toBe('user:usr_1');
+    });
+    it('checkCapabilityPermission reads permissions from extra', () => {
+        // Same verification — the extra field has the right shape
+        const authInfo = {
+            token: 'abc',
+            clientId: 'pn_client_123',
+            scopes: ['mcp:tools'],
+            extra: {
+                permissions: ['tool:execute', 'tool:execute:read', 'tool:execute:write'],
+            },
+        };
+        expect(authInfo.extra.permissions).toContain('tool:execute');
+    });
+});
+//# sourceMappingURL=mcp-oauth.test.js.map