npm - patchwork-os - Versions diffs - 0.2.0-alpha.0 - Mend

patchwork-os 0.2.0-alpha.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (721) hide show

package/LICENSE +21 -0
package/README.bridge.md +352 -0
package/README.md +72 -0
package/deploy/README.md +172 -0
package/deploy/bootstrap-new-vps.sh +364 -0
package/deploy/claude-ide-bridge.service.template +67 -0
package/deploy/claude-ide-bridge@.service +31 -0
package/deploy/ecosystem.config.js.example +36 -0
package/deploy/install-vps-service.sh +240 -0
package/deploy/nginx-claude-bridge.conf.template +129 -0
package/dist/activityLog.d.ts +112 -0
package/dist/activityLog.js +399 -0
package/dist/activityLog.js.map +1 -0
package/dist/activityTypes.d.ts +28 -0
package/dist/activityTypes.js +9 -0
package/dist/activityTypes.js.map +1 -0
package/dist/adapters/base.d.ts +78 -0
package/dist/adapters/base.js +14 -0
package/dist/adapters/base.js.map +1 -0
package/dist/adapters/claude.d.ts +18 -0
package/dist/adapters/claude.js +276 -0
package/dist/adapters/claude.js.map +1 -0
package/dist/adapters/gemini.d.ts +17 -0
package/dist/adapters/gemini.js +218 -0
package/dist/adapters/gemini.js.map +1 -0
package/dist/adapters/grok.d.ts +7 -0
package/dist/adapters/grok.js +21 -0
package/dist/adapters/grok.js.map +1 -0
package/dist/adapters/index.d.ts +5 -0
package/dist/adapters/index.js +37 -0
package/dist/adapters/index.js.map +1 -0
package/dist/adapters/local.d.ts +7 -0
package/dist/adapters/local.js +22 -0
package/dist/adapters/local.js.map +1 -0
package/dist/adapters/openai.d.ts +22 -0
package/dist/adapters/openai.js +284 -0
package/dist/adapters/openai.js.map +1 -0
package/dist/adapters/sse.d.ts +13 -0
package/dist/adapters/sse.js +58 -0
package/dist/adapters/sse.js.map +1 -0
package/dist/analyticsAggregator.d.ts +28 -0
package/dist/analyticsAggregator.js +133 -0
package/dist/analyticsAggregator.js.map +1 -0
package/dist/analyticsPrefs.d.ts +9 -0
package/dist/analyticsPrefs.js +50 -0
package/dist/analyticsPrefs.js.map +1 -0
package/dist/analyticsSend.d.ts +12 -0
package/dist/analyticsSend.js +34 -0
package/dist/analyticsSend.js.map +1 -0
package/dist/approvalHttp.d.ts +46 -0
package/dist/approvalHttp.js +370 -0
package/dist/approvalHttp.js.map +1 -0
package/dist/approvalQueue.d.ts +49 -0
package/dist/approvalQueue.js +84 -0
package/dist/approvalQueue.js.map +1 -0
package/dist/automation.d.ts +675 -0
package/dist/automation.js +1038 -0
package/dist/automation.js.map +1 -0
package/dist/bridge.d.ts +85 -0
package/dist/bridge.js +1535 -0
package/dist/bridge.js.map +1 -0
package/dist/bridgeLockDiscovery.d.ts +11 -0
package/dist/bridgeLockDiscovery.js +49 -0
package/dist/bridgeLockDiscovery.js.map +1 -0
package/dist/bridgeToken.d.ts +22 -0
package/dist/bridgeToken.js +114 -0
package/dist/bridgeToken.js.map +1 -0
package/dist/bridgeToolsRules.d.ts +20 -0
package/dist/bridgeToolsRules.js +79 -0
package/dist/bridgeToolsRules.js.map +1 -0
package/dist/ccPermissions.d.ts +59 -0
package/dist/ccPermissions.js +163 -0
package/dist/ccPermissions.js.map +1 -0
package/dist/claudeDriver.d.ts +129 -0
package/dist/claudeDriver.js +459 -0
package/dist/claudeDriver.js.map +1 -0
package/dist/claudeMdPatch.d.ts +29 -0
package/dist/claudeMdPatch.js +164 -0
package/dist/claudeMdPatch.js.map +1 -0
package/dist/claudeOrchestrator.d.ts +171 -0
package/dist/claudeOrchestrator.js +591 -0
package/dist/claudeOrchestrator.js.map +1 -0
package/dist/commands/install.d.ts +1 -0
package/dist/commands/install.js +158 -0
package/dist/commands/install.js.map +1 -0
package/dist/commands/marketplace.d.ts +11 -0
package/dist/commands/marketplace.js +120 -0
package/dist/commands/marketplace.js.map +1 -0
package/dist/commands/patchworkInit.d.ts +14 -0
package/dist/commands/patchworkInit.js +155 -0
package/dist/commands/patchworkInit.js.map +1 -0
package/dist/commands/task.d.ts +14 -0
package/dist/commands/task.js +289 -0
package/dist/commands/task.js.map +1 -0
package/dist/commands/tokenEfficiency.d.ts +9 -0
package/dist/commands/tokenEfficiency.js +211 -0
package/dist/commands/tokenEfficiency.js.map +1 -0
package/dist/commands/tools.d.ts +28 -0
package/dist/commands/tools.js +326 -0
package/dist/commands/tools.js.map +1 -0
package/dist/commitIssueLinkLog.d.ts +77 -0
package/dist/commitIssueLinkLog.js +142 -0
package/dist/commitIssueLinkLog.js.map +1 -0
package/dist/companions/registry.d.ts +12 -0
package/dist/companions/registry.js +71 -0
package/dist/companions/registry.js.map +1 -0
package/dist/config.d.ts +105 -0
package/dist/config.js +720 -0
package/dist/config.js.map +1 -0
package/dist/crypto.d.ts +16 -0
package/dist/crypto.js +34 -0
package/dist/crypto.js.map +1 -0
package/dist/dashboard.d.ts +12 -0
package/dist/dashboard.js +149 -0
package/dist/dashboard.js.map +1 -0
package/dist/decisionTraceLog.d.ts +77 -0
package/dist/decisionTraceLog.js +147 -0
package/dist/decisionTraceLog.js.map +1 -0
package/dist/errors.d.ts +32 -0
package/dist/errors.js +34 -0
package/dist/errors.js.map +1 -0
package/dist/extensionClient.d.ts +279 -0
package/dist/extensionClient.js +1253 -0
package/dist/extensionClient.js.map +1 -0
package/dist/fileLock.d.ts +36 -0
package/dist/fileLock.js +121 -0
package/dist/fileLock.js.map +1 -0
package/dist/fp/activityAnalytics.d.ts +39 -0
package/dist/fp/activityAnalytics.js +111 -0
package/dist/fp/activityAnalytics.js.map +1 -0
package/dist/fp/async.d.ts +48 -0
package/dist/fp/async.js +60 -0
package/dist/fp/async.js.map +1 -0
package/dist/fp/automationInterpreter.d.ts +37 -0
package/dist/fp/automationInterpreter.js +523 -0
package/dist/fp/automationInterpreter.js.map +1 -0
package/dist/fp/automationProgram.d.ts +89 -0
package/dist/fp/automationProgram.js +29 -0
package/dist/fp/automationProgram.js.map +1 -0
package/dist/fp/automationState.d.ts +135 -0
package/dist/fp/automationState.js +206 -0
package/dist/fp/automationState.js.map +1 -0
package/dist/fp/automationUtils.d.ts +31 -0
package/dist/fp/automationUtils.js +61 -0
package/dist/fp/automationUtils.js.map +1 -0
package/dist/fp/brandedTypes.d.ts +32 -0
package/dist/fp/brandedTypes.js +41 -0
package/dist/fp/brandedTypes.js.map +1 -0
package/dist/fp/commandDescription.d.ts +18 -0
package/dist/fp/commandDescription.js +125 -0
package/dist/fp/commandDescription.js.map +1 -0
package/dist/fp/extensionSnapshot.d.ts +10 -0
package/dist/fp/extensionSnapshot.js +14 -0
package/dist/fp/extensionSnapshot.js.map +1 -0
package/dist/fp/index.d.ts +8 -0
package/dist/fp/index.js +9 -0
package/dist/fp/index.js.map +1 -0
package/dist/fp/interpreterContext.d.ts +69 -0
package/dist/fp/interpreterContext.js +56 -0
package/dist/fp/interpreterContext.js.map +1 -0
package/dist/fp/policyParser.d.ts +16 -0
package/dist/fp/policyParser.js +334 -0
package/dist/fp/policyParser.js.map +1 -0
package/dist/fp/result.d.ts +38 -0
package/dist/fp/result.js +57 -0
package/dist/fp/result.js.map +1 -0
package/dist/fp/tokenBucket.d.ts +27 -0
package/dist/fp/tokenBucket.js +36 -0
package/dist/fp/tokenBucket.js.map +1 -0
package/dist/index.d.ts +2 -0
package/dist/index.js +1465 -0
package/dist/index.js.map +1 -0
package/dist/instructionsUtils.d.ts +17 -0
package/dist/instructionsUtils.js +38 -0
package/dist/instructionsUtils.js.map +1 -0
package/dist/lockfile.d.ts +16 -0
package/dist/lockfile.js +172 -0
package/dist/lockfile.js.map +1 -0
package/dist/logger.d.ts +16 -0
package/dist/logger.js +68 -0
package/dist/logger.js.map +1 -0
package/dist/oauth.d.ts +105 -0
package/dist/oauth.js +880 -0
package/dist/oauth.js.map +1 -0
package/dist/orchestrator/childBridgeClient.d.ts +33 -0
package/dist/orchestrator/childBridgeClient.js +321 -0
package/dist/orchestrator/childBridgeClient.js.map +1 -0
package/dist/orchestrator/childBridgeRegistry.d.ts +67 -0
package/dist/orchestrator/childBridgeRegistry.js +297 -0
package/dist/orchestrator/childBridgeRegistry.js.map +1 -0
package/dist/orchestrator/index.d.ts +3 -0
package/dist/orchestrator/index.js +3 -0
package/dist/orchestrator/index.js.map +1 -0
package/dist/orchestrator/orchestratorBridge.d.ts +32 -0
package/dist/orchestrator/orchestratorBridge.js +412 -0
package/dist/orchestrator/orchestratorBridge.js.map +1 -0
package/dist/orchestrator/orchestratorConfig.d.ts +11 -0
package/dist/orchestrator/orchestratorConfig.js +85 -0
package/dist/orchestrator/orchestratorConfig.js.map +1 -0
package/dist/orchestrator/orchestratorTools.d.ts +16 -0
package/dist/orchestrator/orchestratorTools.js +272 -0
package/dist/orchestrator/orchestratorTools.js.map +1 -0
package/dist/patchworkCli.d.ts +15 -0
package/dist/patchworkCli.js +41 -0
package/dist/patchworkCli.js.map +1 -0
package/dist/patchworkConfig.d.ts +28 -0
package/dist/patchworkConfig.js +30 -0
package/dist/patchworkConfig.js.map +1 -0
package/dist/plugin.d.ts +106 -0
package/dist/plugin.js +31 -0
package/dist/plugin.js.map +1 -0
package/dist/pluginLoader.d.ts +44 -0
package/dist/pluginLoader.js +357 -0
package/dist/pluginLoader.js.map +1 -0
package/dist/pluginWatcher.d.ts +24 -0
package/dist/pluginWatcher.js +139 -0
package/dist/pluginWatcher.js.map +1 -0
package/dist/preToolUseHook.d.ts +10 -0
package/dist/preToolUseHook.js +57 -0
package/dist/preToolUseHook.js.map +1 -0
package/dist/probe.d.ts +35 -0
package/dist/probe.js +143 -0
package/dist/probe.js.map +1 -0
package/dist/prompts.d.ts +27 -0
package/dist/prompts.js +1680 -0
package/dist/prompts.js.map +1 -0
package/dist/quickTaskPresets.d.ts +64 -0
package/dist/quickTaskPresets.js +156 -0
package/dist/quickTaskPresets.js.map +1 -0
package/dist/recipes/compiler.d.ts +44 -0
package/dist/recipes/compiler.js +140 -0
package/dist/recipes/compiler.js.map +1 -0
package/dist/recipes/installer.d.ts +25 -0
package/dist/recipes/installer.js +62 -0
package/dist/recipes/installer.js.map +1 -0
package/dist/recipes/parser.d.ts +18 -0
package/dist/recipes/parser.js +160 -0
package/dist/recipes/parser.js.map +1 -0
package/dist/recipes/scheduler.d.ts +45 -0
package/dist/recipes/scheduler.js +110 -0
package/dist/recipes/scheduler.js.map +1 -0
package/dist/recipes/schema.d.ts +71 -0
package/dist/recipes/schema.js +11 -0
package/dist/recipes/schema.js.map +1 -0
package/dist/recipesHttp.d.ts +63 -0
package/dist/recipesHttp.js +183 -0
package/dist/recipesHttp.js.map +1 -0
package/dist/resources.d.ts +33 -0
package/dist/resources.js +266 -0
package/dist/resources.js.map +1 -0
package/dist/riskTier.d.ts +40 -0
package/dist/riskTier.js +142 -0
package/dist/riskTier.js.map +1 -0
package/dist/runLog.d.ts +90 -0
package/dist/runLog.js +143 -0
package/dist/runLog.js.map +1 -0
package/dist/server.d.ts +160 -0
package/dist/server.js +1244 -0
package/dist/server.js.map +1 -0
package/dist/sessionCheckpoint.d.ts +37 -0
package/dist/sessionCheckpoint.js +123 -0
package/dist/sessionCheckpoint.js.map +1 -0
package/dist/streamableHttp.d.ts +86 -0
package/dist/streamableHttp.js +702 -0
package/dist/streamableHttp.js.map +1 -0
package/dist/telemetry.d.ts +18 -0
package/dist/telemetry.js +95 -0
package/dist/telemetry.js.map +1 -0
package/dist/tools/activityLog.d.ts +140 -0
package/dist/tools/activityLog.js +204 -0
package/dist/tools/activityLog.js.map +1 -0
package/dist/tools/auditDependencies.d.ts +67 -0
package/dist/tools/auditDependencies.js +298 -0
package/dist/tools/auditDependencies.js.map +1 -0
package/dist/tools/batchLsp.d.ts +262 -0
package/dist/tools/batchLsp.js +328 -0
package/dist/tools/batchLsp.js.map +1 -0
package/dist/tools/blame-utils.d.ts +30 -0
package/dist/tools/blame-utils.js +60 -0
package/dist/tools/blame-utils.js.map +1 -0
package/dist/tools/bridgeDoctor.d.ts +78 -0
package/dist/tools/bridgeDoctor.js +542 -0
package/dist/tools/bridgeDoctor.js.map +1 -0
package/dist/tools/bridgeStatus.d.ts +122 -0
package/dist/tools/bridgeStatus.js +250 -0
package/dist/tools/bridgeStatus.js.map +1 -0
package/dist/tools/cancelClaudeTask.d.ts +48 -0
package/dist/tools/cancelClaudeTask.js +56 -0
package/dist/tools/cancelClaudeTask.js.map +1 -0
package/dist/tools/checkDocumentDirty.d.ts +56 -0
package/dist/tools/checkDocumentDirty.js +74 -0
package/dist/tools/checkDocumentDirty.js.map +1 -0
package/dist/tools/clipboard.d.ts +80 -0
package/dist/tools/clipboard.js +211 -0
package/dist/tools/clipboard.js.map +1 -0
package/dist/tools/closeTabs.d.ts +84 -0
package/dist/tools/closeTabs.js +97 -0
package/dist/tools/closeTabs.js.map +1 -0
package/dist/tools/codeLens.d.ts +50 -0
package/dist/tools/codeLens.js +47 -0
package/dist/tools/codeLens.js.map +1 -0
package/dist/tools/contextBundle.d.ts +75 -0
package/dist/tools/contextBundle.js +218 -0
package/dist/tools/contextBundle.js.map +1 -0
package/dist/tools/createIssueFromAIComment.d.ts +75 -0
package/dist/tools/createIssueFromAIComment.js +119 -0
package/dist/tools/createIssueFromAIComment.js.map +1 -0
package/dist/tools/ctxGetTaskContext.d.ts +103 -0
package/dist/tools/ctxGetTaskContext.js +274 -0
package/dist/tools/ctxGetTaskContext.js.map +1 -0
package/dist/tools/ctxQueryTraces.d.ts +142 -0
package/dist/tools/ctxQueryTraces.js +194 -0
package/dist/tools/ctxQueryTraces.js.map +1 -0
package/dist/tools/ctxSaveTrace.d.ts +87 -0
package/dist/tools/ctxSaveTrace.js +94 -0
package/dist/tools/ctxSaveTrace.js.map +1 -0
package/dist/tools/debug.d.ts +206 -0
package/dist/tools/debug.js +234 -0
package/dist/tools/debug.js.map +1 -0
package/dist/tools/decorations.d.ts +130 -0
package/dist/tools/decorations.js +160 -0
package/dist/tools/decorations.js.map +1 -0
package/dist/tools/detectUnusedCode.d.ts +78 -0
package/dist/tools/detectUnusedCode.js +173 -0
package/dist/tools/detectUnusedCode.js.map +1 -0
package/dist/tools/documentLinks.d.ts +62 -0
package/dist/tools/documentLinks.js +55 -0
package/dist/tools/documentLinks.js.map +1 -0
package/dist/tools/editText.d.ts +108 -0
package/dist/tools/editText.js +318 -0
package/dist/tools/editText.js.map +1 -0
package/dist/tools/enrichCommit.d.ts +89 -0
package/dist/tools/enrichCommit.js +201 -0
package/dist/tools/enrichCommit.js.map +1 -0
package/dist/tools/enrichStackTrace.d.ts +121 -0
package/dist/tools/enrichStackTrace.js +194 -0
package/dist/tools/enrichStackTrace.js.map +1 -0
package/dist/tools/explainDiagnostic.d.ts +137 -0
package/dist/tools/explainDiagnostic.js +230 -0
package/dist/tools/explainDiagnostic.js.map +1 -0
package/dist/tools/explainSymbol.d.ts +119 -0
package/dist/tools/explainSymbol.js +177 -0
package/dist/tools/explainSymbol.js.map +1 -0
package/dist/tools/fileOperations.d.ts +186 -0
package/dist/tools/fileOperations.js +330 -0
package/dist/tools/fileOperations.js.map +1 -0
package/dist/tools/fileWatcher.d.ts +107 -0
package/dist/tools/fileWatcher.js +121 -0
package/dist/tools/fileWatcher.js.map +1 -0
package/dist/tools/findFiles.d.ts +65 -0
package/dist/tools/findFiles.js +142 -0
package/dist/tools/findFiles.js.map +1 -0
package/dist/tools/findRelatedTests.d.ts +83 -0
package/dist/tools/findRelatedTests.js +196 -0
package/dist/tools/findRelatedTests.js.map +1 -0
package/dist/tools/fixAllLintErrors.d.ts +66 -0
package/dist/tools/fixAllLintErrors.js +128 -0
package/dist/tools/fixAllLintErrors.js.map +1 -0
package/dist/tools/foldingRanges.d.ts +50 -0
package/dist/tools/foldingRanges.js +51 -0
package/dist/tools/foldingRanges.js.map +1 -0
package/dist/tools/formatAndSave.d.ts +57 -0
package/dist/tools/formatAndSave.js +87 -0
package/dist/tools/formatAndSave.js.map +1 -0
package/dist/tools/formatDocument.d.ts +61 -0
package/dist/tools/formatDocument.js +144 -0
package/dist/tools/formatDocument.js.map +1 -0
package/dist/tools/generateAPIDocumentation.d.ts +62 -0
package/dist/tools/generateAPIDocumentation.js +249 -0
package/dist/tools/generateAPIDocumentation.js.map +1 -0
package/dist/tools/generateTests.d.ts +75 -0
package/dist/tools/generateTests.js +226 -0
package/dist/tools/generateTests.js.map +1 -0
package/dist/tools/getAIComments.d.ts +79 -0
package/dist/tools/getAIComments.js +93 -0
package/dist/tools/getAIComments.js.map +1 -0
package/dist/tools/getAnalyticsReport.d.ts +102 -0
package/dist/tools/getAnalyticsReport.js +137 -0
package/dist/tools/getAnalyticsReport.js.map +1 -0
package/dist/tools/getArchitectureContext.d.ts +85 -0
package/dist/tools/getArchitectureContext.js +135 -0
package/dist/tools/getArchitectureContext.js.map +1 -0
package/dist/tools/getBufferContent.d.ts +80 -0
package/dist/tools/getBufferContent.js +207 -0
package/dist/tools/getBufferContent.js.map +1 -0
package/dist/tools/getChangeImpact.d.ts +76 -0
package/dist/tools/getChangeImpact.js +184 -0
package/dist/tools/getChangeImpact.js.map +1 -0
package/dist/tools/getClaudeTaskStatus.d.ts +87 -0
package/dist/tools/getClaudeTaskStatus.js +89 -0
package/dist/tools/getClaudeTaskStatus.js.map +1 -0
package/dist/tools/getCodeCoverage.d.ts +86 -0
package/dist/tools/getCodeCoverage.js +237 -0
package/dist/tools/getCodeCoverage.js.map +1 -0
package/dist/tools/getCommitsForIssue.d.ts +98 -0
package/dist/tools/getCommitsForIssue.js +106 -0
package/dist/tools/getCommitsForIssue.js.map +1 -0
package/dist/tools/getCurrentSelection.d.ts +123 -0
package/dist/tools/getCurrentSelection.js +113 -0
package/dist/tools/getCurrentSelection.js.map +1 -0
package/dist/tools/getDebugState.d.ts +140 -0
package/dist/tools/getDebugState.js +109 -0
package/dist/tools/getDebugState.js.map +1 -0
package/dist/tools/getDependencyTree.d.ts +59 -0
package/dist/tools/getDependencyTree.js +207 -0
package/dist/tools/getDependencyTree.js.map +1 -0
package/dist/tools/getDiagnostics.d.ts +108 -0
package/dist/tools/getDiagnostics.js +371 -0
package/dist/tools/getDiagnostics.js.map +1 -0
package/dist/tools/getDiffFromHandoff.d.ts +89 -0
package/dist/tools/getDiffFromHandoff.js +163 -0
package/dist/tools/getDiffFromHandoff.js.map +1 -0
package/dist/tools/getDocumentSymbols.d.ts +74 -0
package/dist/tools/getDocumentSymbols.js +177 -0
package/dist/tools/getDocumentSymbols.js.map +1 -0
package/dist/tools/getFileTree.d.ts +66 -0
package/dist/tools/getFileTree.js +131 -0
package/dist/tools/getFileTree.js.map +1 -0
package/dist/tools/getGitDiff.d.ts +50 -0
package/dist/tools/getGitDiff.js +73 -0
package/dist/tools/getGitDiff.js.map +1 -0
package/dist/tools/getGitHotspots.d.ts +88 -0
package/dist/tools/getGitHotspots.js +145 -0
package/dist/tools/getGitHotspots.js.map +1 -0
package/dist/tools/getGitLog.d.ts +62 -0
package/dist/tools/getGitLog.js +87 -0
package/dist/tools/getGitLog.js.map +1 -0
package/dist/tools/getGitStatus.d.ts +72 -0
package/dist/tools/getGitStatus.js +126 -0
package/dist/tools/getGitStatus.js.map +1 -0
package/dist/tools/getImportTree.d.ts +73 -0
package/dist/tools/getImportTree.js +223 -0
package/dist/tools/getImportTree.js.map +1 -0
package/dist/tools/getImportedSignatures.d.ts +62 -0
package/dist/tools/getImportedSignatures.js +255 -0
package/dist/tools/getImportedSignatures.js.map +1 -0
package/dist/tools/getOpenEditors.d.ts +62 -0
package/dist/tools/getOpenEditors.js +126 -0
package/dist/tools/getOpenEditors.js.map +1 -0
package/dist/tools/getPRTemplate.d.ts +68 -0
package/dist/tools/getPRTemplate.js +187 -0
package/dist/tools/getPRTemplate.js.map +1 -0
package/dist/tools/getProjectContext.d.ts +114 -0
package/dist/tools/getProjectContext.js +344 -0
package/dist/tools/getProjectContext.js.map +1 -0
package/dist/tools/getProjectInfo.d.ts +51 -0
package/dist/tools/getProjectInfo.js +325 -0
package/dist/tools/getProjectInfo.js.map +1 -0
package/dist/tools/getSecurityAdvisories.d.ts +105 -0
package/dist/tools/getSecurityAdvisories.js +472 -0
package/dist/tools/getSecurityAdvisories.js.map +1 -0
package/dist/tools/getSessionUsage.d.ts +58 -0
package/dist/tools/getSessionUsage.js +57 -0
package/dist/tools/getSessionUsage.js.map +1 -0
package/dist/tools/getSymbolHistory.d.ts +157 -0
package/dist/tools/getSymbolHistory.js +256 -0
package/dist/tools/getSymbolHistory.js.map +1 -0
package/dist/tools/getToolCapabilities.d.ts +69 -0
package/dist/tools/getToolCapabilities.js +298 -0
package/dist/tools/getToolCapabilities.js.map +1 -0
package/dist/tools/getTypeSignature.d.ts +70 -0
package/dist/tools/getTypeSignature.js +132 -0
package/dist/tools/getTypeSignature.js.map +1 -0
package/dist/tools/getWorkspaceFolders.d.ts +58 -0
package/dist/tools/getWorkspaceFolders.js +69 -0
package/dist/tools/getWorkspaceFolders.js.map +1 -0
package/dist/tools/getWorkspaceSettings.d.ts +44 -0
package/dist/tools/getWorkspaceSettings.js +70 -0
package/dist/tools/getWorkspaceSettings.js.map +1 -0
package/dist/tools/git-utils.d.ts +16 -0
package/dist/tools/git-utils.js +46 -0
package/dist/tools/git-utils.js.map +1 -0
package/dist/tools/gitHistory.d.ts +110 -0
package/dist/tools/gitHistory.js +167 -0
package/dist/tools/gitHistory.js.map +1 -0
package/dist/tools/gitWrite.d.ts +612 -0
package/dist/tools/gitWrite.js +983 -0
package/dist/tools/gitWrite.js.map +1 -0
package/dist/tools/github/actions.d.ts +152 -0
package/dist/tools/github/actions.js +195 -0
package/dist/tools/github/actions.js.map +1 -0
package/dist/tools/github/index.d.ts +3 -0
package/dist/tools/github/index.js +4 -0
package/dist/tools/github/index.js.map +1 -0
package/dist/tools/github/issues.d.ts +281 -0
package/dist/tools/github/issues.js +340 -0
package/dist/tools/github/issues.js.map +1 -0
package/dist/tools/github/pr.d.ts +433 -0
package/dist/tools/github/pr.js +588 -0
package/dist/tools/github/pr.js.map +1 -0
package/dist/tools/github/shared.d.ts +4 -0
package/dist/tools/github/shared.js +12 -0
package/dist/tools/github/shared.js.map +1 -0
package/dist/tools/handoffNote.d.ts +106 -0
package/dist/tools/handoffNote.js +232 -0
package/dist/tools/handoffNote.js.map +1 -0
package/dist/tools/headless/lspClient.d.ts +26 -0
package/dist/tools/headless/lspClient.js +221 -0
package/dist/tools/headless/lspClient.js.map +1 -0
package/dist/tools/headless/lspFallback.d.ts +28 -0
package/dist/tools/headless/lspFallback.js +122 -0
package/dist/tools/headless/lspFallback.js.map +1 -0
package/dist/tools/hoverAtCursor.d.ts +54 -0
package/dist/tools/hoverAtCursor.js +68 -0
package/dist/tools/hoverAtCursor.js.map +1 -0
package/dist/tools/httpClient.d.ts +141 -0
package/dist/tools/httpClient.js +486 -0
package/dist/tools/httpClient.js.map +1 -0
package/dist/tools/index.d.ts +49 -0
package/dist/tools/index.js +672 -0
package/dist/tools/index.js.map +1 -0
package/dist/tools/inlayHints.d.ts +81 -0
package/dist/tools/inlayHints.js +76 -0
package/dist/tools/inlayHints.js.map +1 -0
package/dist/tools/issueRefs.d.ts +14 -0
package/dist/tools/issueRefs.js +27 -0
package/dist/tools/issueRefs.js.map +1 -0
package/dist/tools/jumpToFirstError.d.ts +63 -0
package/dist/tools/jumpToFirstError.js +124 -0
package/dist/tools/jumpToFirstError.js.map +1 -0
package/dist/tools/launchQuickTask.d.ts +76 -0
package/dist/tools/launchQuickTask.js +170 -0
package/dist/tools/launchQuickTask.js.map +1 -0
package/dist/tools/linters/biome.d.ts +2 -0
package/dist/tools/linters/biome.js +44 -0
package/dist/tools/linters/biome.js.map +1 -0
package/dist/tools/linters/cargo.d.ts +2 -0
package/dist/tools/linters/cargo.js +45 -0
package/dist/tools/linters/cargo.js.map +1 -0
package/dist/tools/linters/eslint.d.ts +2 -0
package/dist/tools/linters/eslint.js +59 -0
package/dist/tools/linters/eslint.js.map +1 -0
package/dist/tools/linters/govet.d.ts +2 -0
package/dist/tools/linters/govet.js +37 -0
package/dist/tools/linters/govet.js.map +1 -0
package/dist/tools/linters/pyright.d.ts +2 -0
package/dist/tools/linters/pyright.js +34 -0
package/dist/tools/linters/pyright.js.map +1 -0
package/dist/tools/linters/ruff.d.ts +2 -0
package/dist/tools/linters/ruff.js +30 -0
package/dist/tools/linters/ruff.js.map +1 -0
package/dist/tools/linters/types.d.ts +16 -0
package/dist/tools/linters/types.js +2 -0
package/dist/tools/linters/types.js.map +1 -0
package/dist/tools/linters/typescript.d.ts +2 -0
package/dist/tools/linters/typescript.js +38 -0
package/dist/tools/linters/typescript.js.map +1 -0
package/dist/tools/listClaudeTasks.d.ts +84 -0
package/dist/tools/listClaudeTasks.js +88 -0
package/dist/tools/listClaudeTasks.js.map +1 -0
package/dist/tools/listTerminals.d.ts +55 -0
package/dist/tools/listTerminals.js +78 -0
package/dist/tools/listTerminals.js.map +1 -0
package/dist/tools/lsp.d.ts +1086 -0
package/dist/tools/lsp.js +1339 -0
package/dist/tools/lsp.js.map +1 -0
package/dist/tools/navigateToSymbolByName.d.ts +56 -0
package/dist/tools/navigateToSymbolByName.js +170 -0
package/dist/tools/navigateToSymbolByName.js.map +1 -0
package/dist/tools/openDiff.d.ts +66 -0
package/dist/tools/openDiff.js +126 -0
package/dist/tools/openDiff.js.map +1 -0
package/dist/tools/openFile.d.ts +69 -0
package/dist/tools/openFile.js +129 -0
package/dist/tools/openFile.js.map +1 -0
package/dist/tools/openInBrowser.d.ts +55 -0
package/dist/tools/openInBrowser.js +129 -0
package/dist/tools/openInBrowser.js.map +1 -0
package/dist/tools/organizeImports.d.ts +56 -0
package/dist/tools/organizeImports.js +115 -0
package/dist/tools/organizeImports.js.map +1 -0
package/dist/tools/performanceReport.d.ts +133 -0
package/dist/tools/performanceReport.js +218 -0
package/dist/tools/performanceReport.js.map +1 -0
package/dist/tools/planPersistence.d.ts +306 -0
package/dist/tools/planPersistence.js +485 -0
package/dist/tools/planPersistence.js.map +1 -0
package/dist/tools/previewEdit.d.ts +107 -0
package/dist/tools/previewEdit.js +270 -0
package/dist/tools/previewEdit.js.map +1 -0
package/dist/tools/recentTracesDigest.d.ts +35 -0
package/dist/tools/recentTracesDigest.js +98 -0
package/dist/tools/recentTracesDigest.js.map +1 -0
package/dist/tools/refactorAnalyze.d.ts +78 -0
package/dist/tools/refactorAnalyze.js +141 -0
package/dist/tools/refactorAnalyze.js.map +1 -0
package/dist/tools/refactorExtractFunction.d.ts +52 -0
package/dist/tools/refactorExtractFunction.js +121 -0
package/dist/tools/refactorExtractFunction.js.map +1 -0
package/dist/tools/refactorPreview.d.ts +75 -0
package/dist/tools/refactorPreview.js +93 -0
package/dist/tools/refactorPreview.js.map +1 -0
package/dist/tools/replaceBlock.d.ts +62 -0
package/dist/tools/replaceBlock.js +125 -0
package/dist/tools/replaceBlock.js.map +1 -0
package/dist/tools/resumeClaudeTask.d.ts +75 -0
package/dist/tools/resumeClaudeTask.js +149 -0
package/dist/tools/resumeClaudeTask.js.map +1 -0
package/dist/tools/runClaudeTask.d.ts +97 -0
package/dist/tools/runClaudeTask.js +224 -0
package/dist/tools/runClaudeTask.js.map +1 -0
package/dist/tools/runCommand.d.ts +82 -0
package/dist/tools/runCommand.js +101 -0
package/dist/tools/runCommand.js.map +1 -0
package/dist/tools/runTests.d.ts +146 -0
package/dist/tools/runTests.js +315 -0
package/dist/tools/runTests.js.map +1 -0
package/dist/tools/saveDocument.d.ts +50 -0
package/dist/tools/saveDocument.js +73 -0
package/dist/tools/saveDocument.js.map +1 -0
package/dist/tools/screenshot.d.ts +23 -0
package/dist/tools/screenshot.js +43 -0
package/dist/tools/screenshot.js.map +1 -0
package/dist/tools/screenshotAndAnnotate.d.ts +103 -0
package/dist/tools/screenshotAndAnnotate.js +192 -0
package/dist/tools/screenshotAndAnnotate.js.map +1 -0
package/dist/tools/searchAndReplace.d.ts +108 -0
package/dist/tools/searchAndReplace.js +281 -0
package/dist/tools/searchAndReplace.js.map +1 -0
package/dist/tools/searchTools.d.ts +61 -0
package/dist/tools/searchTools.js +85 -0
package/dist/tools/searchTools.js.map +1 -0
package/dist/tools/searchWorkspace.d.ts +99 -0
package/dist/tools/searchWorkspace.js +189 -0
package/dist/tools/searchWorkspace.js.map +1 -0
package/dist/tools/selectionRanges.d.ts +58 -0
package/dist/tools/selectionRanges.js +61 -0
package/dist/tools/selectionRanges.js.map +1 -0
package/dist/tools/semanticTokens.d.ts +87 -0
package/dist/tools/semanticTokens.js +86 -0
package/dist/tools/semanticTokens.js.map +1 -0
package/dist/tools/setActiveWorkspaceFolder.d.ts +41 -0
package/dist/tools/setActiveWorkspaceFolder.js +38 -0
package/dist/tools/setActiveWorkspaceFolder.js.map +1 -0
package/dist/tools/signatureHelp.d.ts +86 -0
package/dist/tools/signatureHelp.js +79 -0
package/dist/tools/signatureHelp.js.map +1 -0
package/dist/tools/spawnWorkspace.d.ts +103 -0
package/dist/tools/spawnWorkspace.js +268 -0
package/dist/tools/spawnWorkspace.js.map +1 -0
package/dist/tools/stackTraceParser.d.ts +43 -0
package/dist/tools/stackTraceParser.js +139 -0
package/dist/tools/stackTraceParser.js.map +1 -0
package/dist/tools/terminal.d.ts +352 -0
package/dist/tools/terminal.js +670 -0
package/dist/tools/terminal.js.map +1 -0
package/dist/tools/testRunners/cargoTest.d.ts +2 -0
package/dist/tools/testRunners/cargoTest.js +129 -0
package/dist/tools/testRunners/cargoTest.js.map +1 -0
package/dist/tools/testRunners/goTest.d.ts +2 -0
package/dist/tools/testRunners/goTest.js +108 -0
package/dist/tools/testRunners/goTest.js.map +1 -0
package/dist/tools/testRunners/pytest.d.ts +2 -0
package/dist/tools/testRunners/pytest.js +135 -0
package/dist/tools/testRunners/pytest.js.map +1 -0
package/dist/tools/testRunners/types.d.ts +18 -0
package/dist/tools/testRunners/types.js +2 -0
package/dist/tools/testRunners/types.js.map +1 -0
package/dist/tools/testRunners/vitestJest.d.ts +3 -0
package/dist/tools/testRunners/vitestJest.js +215 -0
package/dist/tools/testRunners/vitestJest.js.map +1 -0
package/dist/tools/testTraceToSource.d.ts +80 -0
package/dist/tools/testTraceToSource.js +206 -0
package/dist/tools/testTraceToSource.js.map +1 -0
package/dist/tools/transaction.d.ts +243 -0
package/dist/tools/transaction.js +309 -0
package/dist/tools/transaction.js.map +1 -0
package/dist/tools/typeHierarchy.d.ts +77 -0
package/dist/tools/typeHierarchy.js +86 -0
package/dist/tools/typeHierarchy.js.map +1 -0
package/dist/tools/utils.d.ts +124 -0
package/dist/tools/utils.js +566 -0
package/dist/tools/utils.js.map +1 -0
package/dist/tools/vscodeCommands.d.ts +90 -0
package/dist/tools/vscodeCommands.js +112 -0
package/dist/tools/vscodeCommands.js.map +1 -0
package/dist/tools/vscodeTasks.d.ts +102 -0
package/dist/tools/vscodeTasks.js +110 -0
package/dist/tools/vscodeTasks.js.map +1 -0
package/dist/tools/watchDiagnostics.d.ts +64 -0
package/dist/tools/watchDiagnostics.js +270 -0
package/dist/tools/watchDiagnostics.js.map +1 -0
package/dist/tools/workspaceSettings.d.ts +57 -0
package/dist/tools/workspaceSettings.js +80 -0
package/dist/tools/workspaceSettings.js.map +1 -0
package/dist/transport.d.ts +207 -0
package/dist/transport.js +1272 -0
package/dist/transport.js.map +1 -0
package/dist/version.d.ts +13 -0
package/dist/version.js +31 -0
package/dist/version.js.map +1 -0
package/dist/wsUtils.d.ts +8 -0
package/dist/wsUtils.js +54 -0
package/dist/wsUtils.js.map +1 -0
package/package.json +118 -0
package/scripts/gen-claude-desktop-config.sh +124 -0
package/scripts/gen-mcp-config.sh +390 -0
package/scripts/install-extension.sh +106 -0
package/scripts/mcp-stdio-shim.cjs +482 -0
package/scripts/postinstall.mjs +68 -0
package/scripts/start-all.sh +502 -0
package/scripts/start-orchestrator.sh +186 -0
package/scripts/start-remote.sh +126 -0
package/scripts/start-vps.sh +116 -0
package/templates/CLAUDE.bridge.md +125 -0
package/templates/automation-policies/security-first.json +46 -0
package/templates/automation-policies/strict-lint.json +41 -0
package/templates/automation-policies/test-driven.json +54 -0
package/templates/automation-policy.example.json +105 -0
package/templates/bridge-tools.md +111 -0
package/templates/dispatch-context.md +33 -0
package/templates/managed-agent/code-review-agent.md +50 -0
package/templates/managed-agent/managed-agent-mcp.json +102 -0
package/templates/recipes/ambient-journal.yaml +11 -0
package/templates/recipes/daily-status.yaml +21 -0
package/templates/recipes/lint-on-save.yaml +13 -0
package/templates/recipes/stale-branches.yaml +18 -0
package/templates/recipes/watch-failing-tests.yaml +15 -0
package/templates/scheduled-tasks/dependency-audit/SKILL.md +77 -0
package/templates/scheduled-tasks/health-check/SKILL.md +73 -0
package/templates/scheduled-tasks/nightly-review/SKILL.md +69 -0

package/dist/oauth.js ADDED Viewed

@@ -0,0 +1,880 @@
+/**
+ * OAuth 2.0 Authorization Server for claude-ide-bridge.
+ *
+ * Implements the MCP OAuth 2.0 profile required for authenticated remote servers:
+ *   - RFC 8414  Authorization Server Metadata (/.well-known/oauth-authorization-server)
+ *   - RFC 6749  Authorization Code Grant with PKCE (S256, RFC 7636)
+ *   - RFC 7009  Token Revocation (/oauth/revoke)
+ *
+ * Design
+ *   All state is in-memory. The bridge's static bearer token is the resource owner
+ *   credential: only someone who knows it can open an OAuth flow via the approval page.
+ *   Issued access tokens are opaque base64url strings stored in a TTL map.
+ *   resolveBearerToken() is called by server.ts to admit OAuth-issued tokens alongside
+ *   the static bridge token (backward compat).
+ *   Refresh tokens are not issued.
+ *
+ * Security
+ *   PKCE S256 mandatory. Auth codes single-use, 5 min TTL. Access tokens 24 h TTL.
+ *   All string comparisons via crypto.timingSafeEqual. HTML output attribute-escaped.
+ */
+import crypto from "node:crypto";
+import fs from "node:fs";
+import path from "node:path";
+import { URL } from "node:url";
+import { timingSafeStringEqual } from "./crypto.js";
+// ── CIMD SSRF guard ───────────────────────────────────────────────────────────
+/**
+ * Blocks private/loopback hostnames for CIMD fetches.
+ * CIMD URLs must be public HTTPS — rejecting private addresses prevents
+ * SSRF via a crafted client_id URL.
+ */
+function isPrivateCimdHost(hostname) {
+    const h = hostname.toLowerCase().replace(/^\[|]$/g, ""); // strip IPv6 brackets
+    if (h === "localhost" ||
+        h.startsWith("127.") ||
+        h.startsWith("10.") ||
+        h.startsWith("192.168.") ||
+        h === "::1" ||
+        h.startsWith("fc") ||
+        h.startsWith("fd") ||
+        h.startsWith("169.254."))
+        return true;
+    // 172.16.0.0/12
+    const m = /^172\.(\d+)\./.exec(h);
+    if (m && Number(m[1]) >= 16 && Number(m[1]) <= 31)
+        return true;
+    return false;
+}
+// ── Constants ─────────────────────────────────────────────────────────────────
+const CODE_TTL_MS = 5 * 60 * 1_000; // 5 min
+const TOKEN_TTL_MS = 24 * 60 * 60 * 1_000; // 24 hours
+const CLIENT_TTL_MS = 7 * 24 * 60 * 60 * 1_000; // 7 days — GC registered clients after a week
+const DEFAULT_SCOPE = "mcp";
+const SUPPORTED_SCOPES = ["mcp"];
+// ── OAuthServerImpl ───────────────────────────────────────────────────────────
+export class OAuthServerImpl {
+    bridgeToken;
+    issuerUrl;
+    authCodes = new Map();
+    accessTokens = new Map();
+    /** client_id → { redirectUris, issuedAt } (populated by handleRegister) */
+    registeredClients = new Map();
+    /** Per-IP registration rate limit: IP → { count, windowStart } */
+    registerIpCounts = new Map();
+    static REGISTER_IP_MAX = 10; // max registrations per IP per minute
+    static REGISTER_IP_WINDOW_MS = 60 * 1_000;
+    gcTimer;
+    /** CSRF nonces: flowId → { nonce, clientId, expiresAt } */
+    csrfNonces = new Map();
+    static CSRF_TTL_MS = 10 * 60 * 1_000; // 10 minutes
+    /**
+     * CIMD cache: client_id URL → { redirectUris, fetchedAt }
+     * Short TTL (5 min) — avoids re-fetching on every authorize request while
+     * staying fresh enough for clients that rotate their metadata.
+     */
+    cimdCache = new Map();
+    static CIMD_CACHE_TTL_MS = 5 * 60 * 1_000; // 5 min
+    static CIMD_MAX_BYTES = 8_192; // 8 KB max for metadata doc
+    /** Path to the persisted token file; null when persistence is disabled. */
+    tokenStorePath;
+    tokenTtlMs;
+    /**
+     * Tokens loaded from disk on startup: SHA-256(token) → AccessToken.
+     * In-memory issued tokens use `accessTokens` (raw key). Both are checked
+     * in resolveBearerToken — disk tokens are promoted to accessTokens on first use.
+     */
+    hashedTokens = new Map();
+    persistTimer = null;
+    constructor(bridgeToken, issuerUrl, opts) {
+        this.bridgeToken = bridgeToken;
+        this.issuerUrl = issuerUrl.replace(/\/$/, "");
+        this.tokenTtlMs = opts?.tokenTtlMs ?? TOKEN_TTL_MS;
+        this.tokenStorePath = opts?.configDir
+            ? path.join(opts.configDir, "ide", "oauth-tokens.json")
+            : null;
+        this.gcTimer = setInterval(() => {
+            const now = Date.now();
+            for (const [k, v] of this.authCodes)
+                if (v.expiresAt < now)
+                    this.authCodes.delete(k);
+            for (const [k, v] of this.accessTokens)
+                if (v.expiresAt < now)
+                    this.accessTokens.delete(k);
+            for (const [k, v] of this.registeredClients)
+                if (now - v.issuedAt > CLIENT_TTL_MS)
+                    this.registeredClients.delete(k);
+            for (const [k, v] of this.csrfNonces)
+                if (v.expiresAt < now)
+                    this.csrfNonces.delete(k);
+            for (const [k, v] of this.registerIpCounts)
+                if (now - v.windowStart > OAuthServerImpl.REGISTER_IP_WINDOW_MS)
+                    this.registerIpCounts.delete(k);
+            for (const [k, v] of this.cimdCache)
+                if (now - v.fetchedAt > OAuthServerImpl.CIMD_CACHE_TTL_MS)
+                    this.cimdCache.delete(k);
+        }, 10 * 60 * 1_000);
+        this.gcTimer.unref();
+        this.loadTokens();
+    }
+    destroy() {
+        // Flush any pending debounced persist before shutdown
+        if (this.persistTimer !== null) {
+            clearTimeout(this.persistTimer);
+            this.persistTimer = null;
+            this.persistTokens();
+        }
+        clearInterval(this.gcTimer);
+    }
+    // ── RFC 8414 discovery ────────────────────────────────────────────────────
+    handleDiscovery(res) {
+        this.sendJson(res, 200, {
+            issuer: this.issuerUrl,
+            authorization_endpoint: `${this.issuerUrl}/oauth/authorize`,
+            token_endpoint: `${this.issuerUrl}/oauth/token`,
+            revocation_endpoint: `${this.issuerUrl}/oauth/revoke`,
+            registration_endpoint: `${this.issuerUrl}/oauth/register`,
+            response_types_supported: ["code"],
+            grant_types_supported: ["authorization_code"],
+            code_challenge_methods_supported: ["S256"],
+            token_endpoint_auth_methods_supported: ["none"],
+            scopes_supported: SUPPORTED_SCOPES,
+        });
+    }
+    // ── RFC 7591 Dynamic Client Registration ──────────────────────────────────
+    async handleRegister(req, res) {
+        if (req.method !== "POST") {
+            res.writeHead(405, { Allow: "POST" });
+            res.end("Method Not Allowed");
+            return;
+        }
+        let body = {};
+        try {
+            const raw = await new Promise((resolve, reject) => {
+                let data = "";
+                const onData = (c) => {
+                    data += c.toString();
+                    if (data.length > 8192) {
+                        req.removeListener("data", onData);
+                        req.removeListener("end", onEnd);
+                        req.destroy();
+                        reject(new Error("too large"));
+                    }
+                };
+                const onEnd = () => resolve(data);
+                req.on("data", onData);
+                req.on("end", onEnd);
+                req.on("error", reject);
+            });
+            body = raw ? JSON.parse(raw) : {};
+        }
+        catch {
+            this.sendJson(res, 400, { error: "invalid_client_metadata" });
+            return;
+        }
+        const redirectUris = body.redirect_uris;
+        if (!Array.isArray(redirectUris) || redirectUris.length === 0) {
+            this.sendJson(res, 400, { error: "invalid_redirect_uri" });
+            return;
+        }
+        // Validate each redirect_uri is a well-formed absolute HTTPS (or localhost) URL
+        for (const uri of redirectUris) {
+            if (typeof uri !== "string") {
+                this.sendJson(res, 400, { error: "invalid_redirect_uri" });
+                return;
+            }
+            try {
+                const u = new URL(uri);
+                const isLocalhost = u.hostname === "localhost" || u.hostname === "127.0.0.1";
+                if (!isLocalhost && u.protocol !== "https:") {
+                    this.sendJson(res, 400, { error: "invalid_redirect_uri" });
+                    return;
+                }
+            }
+            catch {
+                this.sendJson(res, 400, { error: "invalid_redirect_uri" });
+                return;
+            }
+        }
+        // Validate scope if provided
+        if (body.scope !== undefined) {
+            const requestedScopes = String(body.scope).split(" ");
+            for (const s of requestedScopes) {
+                if (!SUPPORTED_SCOPES.includes(s)) {
+                    this.sendJson(res, 400, {
+                        error: "invalid_client_metadata",
+                        error_description: `unsupported scope: ${s}`,
+                    });
+                    return;
+                }
+            }
+        }
+        // Per-IP rate limit: max 10 registrations per minute per IP
+        const remoteIp = (req.socket?.remoteAddress ?? "unknown").slice(0, 64);
+        const now = Date.now();
+        const ipEntry = this.registerIpCounts.get(remoteIp);
+        if (ipEntry &&
+            now - ipEntry.windowStart < OAuthServerImpl.REGISTER_IP_WINDOW_MS) {
+            ipEntry.count++;
+            if (ipEntry.count > OAuthServerImpl.REGISTER_IP_MAX) {
+                this.sendJson(res, 429, {
+                    error: "too_many_requests",
+                    error_description: "per-IP client registration limit reached",
+                });
+                return;
+            }
+        }
+        else {
+            this.registerIpCounts.set(remoteIp, { count: 1, windowStart: now });
+        }
+        // Cap registered clients to prevent memory exhaustion via pre-auth DoS.
+        // /oauth/register requires no bearer token, so any caller can POST freely.
+        if (this.registeredClients.size >= 500) {
+            this.sendJson(res, 429, {
+                error: "too_many_requests",
+                error_description: "client registration limit reached",
+            });
+            return;
+        }
+        // Public clients only — no client secret issued
+        const clientId = this.randomToken(16);
+        this.registeredClients.set(clientId, {
+            redirectUris: redirectUris,
+            issuedAt: Date.now(),
+        });
+        this.sendJson(res, 201, {
+            client_id: clientId,
+            client_id_issued_at: Math.floor(Date.now() / 1000),
+            redirect_uris: redirectUris,
+            grant_types: ["authorization_code"],
+            response_types: ["code"],
+            token_endpoint_auth_method: "none",
+            ...(body.client_name
+                ? {
+                    client_name: typeof body.client_name === "string"
+                        ? body.client_name.replace(/[\x00-\x1f\x7f]/g, "").slice(0, 128)
+                        : undefined,
+                }
+                : {}),
+        });
+    }
+    // ── Authorization endpoint ────────────────────────────────────────────────
+    async handleAuthorize(req, res) {
+        const method = req.method ?? "GET";
+        if (method === "GET") {
+            await this.authorizeGet(req, res);
+        }
+        else if (method === "POST") {
+            await this.authorizePost(req, res);
+        }
+        else {
+            res.writeHead(405, { "Content-Type": "text/plain", Allow: "GET, POST" });
+            res.end("Method Not Allowed");
+        }
+    }
+    async authorizeGet(req, res) {
+        const url = new URL(req.url ?? "/", this.issuerUrl);
+        const { error, clientId, redirectUri, codeChallenge, scope, state } = await this.parseAuthorizeParams(url);
+        if (error) {
+            res.writeHead(400, { "Content-Type": "text/plain" });
+            res.end(error);
+            return;
+        }
+        // Generate CSRF nonce keyed by a random flowId (not client_id) so concurrent
+        // authorization flows for the same client_id cannot overwrite each other's nonce.
+        const csrfNonce = crypto.randomBytes(16).toString("hex");
+        const flowId = crypto.randomBytes(8).toString("hex");
+        this.csrfNonces.set(flowId, {
+            nonce: csrfNonce,
+            clientId: clientId,
+            expiresAt: Date.now() + OAuthServerImpl.CSRF_TTL_MS,
+        });
+        res.writeHead(200, {
+            "Content-Type": "text/html; charset=utf-8",
+            "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; form-action 'self'; frame-ancestors 'none'",
+            "X-Frame-Options": "DENY",
+        });
+        res.end(this.approvalPage({
+            clientId: clientId,
+            redirectUri: redirectUri,
+            codeChallenge: codeChallenge,
+            scope: scope ?? DEFAULT_SCOPE,
+            state: state ?? "",
+            csrfNonce,
+            flowId,
+        }));
+    }
+    async authorizePost(req, res) {
+        let body;
+        try {
+            body = await this.readBody(req);
+        }
+        catch {
+            res.writeHead(400, { "Content-Type": "text/plain" });
+            res.end("request body too large");
+            return;
+        }
+        const action = body.get("action");
+        const clientId = body.get("client_id") ?? "";
+        const redirectUri = body.get("redirect_uri") ?? "";
+        const codeChallenge = body.get("code_challenge") ?? "";
+        const scope = body.get("scope") ?? DEFAULT_SCOPE;
+        const state = body.get("state") ?? "";
+        const csrfNonce = body.get("csrf_nonce") ?? "";
+        const flowId = body.get("flow_id") ?? "";
+        if (!clientId || !redirectUri || !codeChallenge) {
+            res.writeHead(400, { "Content-Type": "text/plain" });
+            res.end("missing parameters");
+            return;
+        }
+        // Verify CSRF nonce before any further processing.
+        // Look up by flowId (not clientId) to prevent concurrent-flow nonce collision attacks.
+        const storedCsrf = this.csrfNonces.get(flowId);
+        if (!storedCsrf ||
+            storedCsrf.expiresAt < Date.now() ||
+            storedCsrf.clientId !== clientId ||
+            !timingSafeStringEqual(csrfNonce, storedCsrf.nonce)) {
+            res.writeHead(403, { "Content-Type": "text/plain" });
+            res.end("invalid or expired CSRF token");
+            return;
+        }
+        // Consume the nonce (one-time use)
+        this.csrfNonces.delete(flowId);
+        // Validate redirect_uri against registered URIs to prevent open redirect
+        const registered = this.registeredClients.get(clientId);
+        if (!registered?.redirectUris.includes(redirectUri)) {
+            res.writeHead(400, { "Content-Type": "text/plain" });
+            res.end("invalid redirect_uri");
+            return;
+        }
+        if (action === "deny") {
+            const u = new URL(redirectUri);
+            u.searchParams.set("error", "access_denied");
+            if (state)
+                u.searchParams.set("state", state);
+            res.writeHead(302, { Location: u.toString() });
+            res.end();
+            return;
+        }
+        if (action !== "approve") {
+            res.writeHead(400, { "Content-Type": "text/plain" });
+            res.end("invalid action");
+            return;
+        }
+        // Verify bridge token on approve
+        const presentedToken = body.get("bridge_token") ?? "";
+        if (!timingSafeStringEqual(presentedToken, this.bridgeToken)) {
+            // Issue a fresh flowId + nonce for the retry so the form remains usable.
+            const retryCsrfNonce = crypto.randomBytes(16).toString("hex");
+            const retryFlowId = crypto.randomBytes(8).toString("hex");
+            this.csrfNonces.set(retryFlowId, {
+                nonce: retryCsrfNonce,
+                clientId,
+                expiresAt: Date.now() + OAuthServerImpl.CSRF_TTL_MS,
+            });
+            res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
+            res.end(this.approvalPage({
+                clientId,
+                redirectUri,
+                codeChallenge,
+                scope,
+                state,
+                tokenError: true,
+                csrfNonce: retryCsrfNonce,
+                flowId: retryFlowId,
+            }));
+            return;
+        }
+        const code = this.randomToken(32);
+        this.authCodes.set(code, {
+            clientId,
+            redirectUri,
+            codeChallenge,
+            scope,
+            expiresAt: Date.now() + CODE_TTL_MS,
+            used: false,
+        });
+        const dest = new URL(redirectUri);
+        dest.searchParams.set("code", code);
+        if (state)
+            dest.searchParams.set("state", state);
+        res.writeHead(302, { Location: dest.toString() });
+        res.end();
+    }
+    // ── Token endpoint ────────────────────────────────────────────────────────
+    async handleToken(req, res) {
+        let body;
+        try {
+            body = await this.readBody(req);
+        }
+        catch {
+            this.sendError(res, 400, "invalid_request");
+            return;
+        }
+        if (body.get("grant_type") !== "authorization_code") {
+            this.sendError(res, 400, "unsupported_grant_type");
+            return;
+        }
+        const code = body.get("code") ?? "";
+        const redirectUri = body.get("redirect_uri") ?? "";
+        const clientId = body.get("client_id") ?? "";
+        const verifier = body.get("code_verifier") ?? "";
+        if (!code || !redirectUri || !clientId || !verifier) {
+            this.sendError(res, 400, "invalid_request", "missing required parameters");
+            return;
+        }
+        const record = this.authCodes.get(code);
+        if (!record) {
+            this.sendError(res, 400, "invalid_grant", "authorization code not found or expired");
+            return;
+        }
+        if (record.used) {
+            this.sendError(res, 400, "invalid_grant", "authorization code already used");
+            return;
+        }
+        if (record.expiresAt < Date.now()) {
+            this.authCodes.delete(code);
+            this.sendError(res, 400, "invalid_grant", "authorization code expired");
+            return;
+        }
+        if (!timingSafeStringEqual(record.clientId, clientId)) {
+            this.sendError(res, 400, "invalid_grant", "client_id mismatch");
+            return;
+        }
+        if (!timingSafeStringEqual(record.redirectUri, redirectUri)) {
+            this.sendError(res, 400, "invalid_grant", "redirect_uri mismatch");
+            return;
+        }
+        if (!this.pkceVerify(verifier, record.codeChallenge)) {
+            this.sendError(res, 400, "invalid_grant", "code_verifier mismatch");
+            return;
+        }
+        // RFC 6749 §4.1.2: delete the auth code immediately on use.
+        // A missing code naturally rejects replay attempts (the !record check above).
+        this.authCodes.delete(code);
+        const accessToken = this.randomToken(32);
+        this.accessTokens.set(accessToken, {
+            clientId,
+            scope: record.scope,
+            expiresAt: Date.now() + this.tokenTtlMs,
+        });
+        this.schedulePersist();
+        this.sendJson(res, 200, {
+            access_token: accessToken,
+            token_type: "Bearer",
+            expires_in: Math.floor(this.tokenTtlMs / 1_000),
+            scope: record.scope,
+        });
+    }
+    // ── Revocation endpoint (RFC 7009) ────────────────────────────────────────
+    async handleRevoke(req, res) {
+        try {
+            const body = await this.readBody(req);
+            const token = body.get("token");
+            if (token) {
+                this.accessTokens.delete(token);
+                this.authCodes.delete(token);
+                // Also remove from hashed (disk-persisted) tokens
+                const hash = this.hashToken(token);
+                this.hashedTokens.delete(hash);
+                this.schedulePersist();
+            }
+        }
+        catch {
+            // RFC 7009: always 200
+        }
+        res.writeHead(200, {
+            "Content-Type": "application/json",
+            "Cache-Control": "no-store",
+        });
+        res.end("{}");
+    }
+    // ── Bearer resolution (called by server.ts) ───────────────────────────────
+    resolveBearerToken(token) {
+        const record = this.lookupToken(token);
+        if (!record)
+            return null;
+        return this.bridgeToken;
+    }
+    resolveBearerScope(token) {
+        const record = this.lookupToken(token);
+        if (!record)
+            return null;
+        return record.scope;
+    }
+    /**
+     * Lookup a bearer token in memory first, then fall back to disk-loaded hashed
+     * tokens. Promotes disk tokens to the in-memory map on first use for fast
+     * subsequent lookups.
+     */
+    lookupToken(token) {
+        // 1. Check in-memory map (tokens issued this session)
+        const inMemory = this.accessTokens.get(token);
+        if (inMemory) {
+            if (inMemory.expiresAt < Date.now()) {
+                this.accessTokens.delete(token);
+                return null;
+            }
+            return inMemory;
+        }
+        // 2. Check disk-loaded hashed tokens (tokens issued before last restart)
+        const hash = this.hashToken(token);
+        const fromDisk = this.hashedTokens.get(hash);
+        if (fromDisk) {
+            if (fromDisk.expiresAt < Date.now()) {
+                this.hashedTokens.delete(hash);
+                return null;
+            }
+            // Promote to in-memory for fast subsequent lookups
+            this.accessTokens.set(token, fromDisk);
+            this.hashedTokens.delete(hash);
+            return fromDisk;
+        }
+        return null;
+    }
+    // ── Token persistence helpers ─────────────────────────────────────────────
+    hashToken(token) {
+        return crypto.createHash("sha256").update(token).digest("hex");
+    }
+    loadTokens() {
+        if (!this.tokenStorePath)
+            return;
+        try {
+            const raw = fs.readFileSync(this.tokenStorePath, "utf8");
+            const parsed = JSON.parse(raw);
+            if (parsed.version !== 1 || typeof parsed.tokens !== "object")
+                return;
+            const entries = Object.entries(parsed.tokens);
+            // Cap: refuse to load a file with suspiciously many entries to prevent DoS
+            if (entries.length > 10_000) {
+                console.warn("[claude-ide-bridge] oauth-tokens.json contains >10,000 entries — skipping load");
+                return;
+            }
+            const now = Date.now();
+            for (const [hash, entry] of entries) {
+                // Validate each field before trusting the persisted data
+                if (typeof entry.clientId !== "string" ||
+                    typeof entry.scope !== "string" ||
+                    typeof entry.expiresAt !== "number" ||
+                    !Number.isFinite(entry.expiresAt) ||
+                    entry.expiresAt <= 0 ||
+                    !SUPPORTED_SCOPES.some((s) => entry.scope === s ||
+                        entry.scope
+                            .split(" ")
+                            .every((tok) => SUPPORTED_SCOPES.includes(tok)))) {
+                    continue; // skip invalid entries
+                }
+                if (entry.expiresAt > now) {
+                    this.hashedTokens.set(hash, {
+                        clientId: entry.clientId,
+                        scope: entry.scope,
+                        expiresAt: entry.expiresAt,
+                    });
+                }
+            }
+        }
+        catch {
+            // Missing or corrupt file — start fresh
+        }
+    }
+    persistTokens() {
+        if (!this.tokenStorePath)
+            return;
+        try {
+            const now = Date.now();
+            const tokens = {};
+            // Persist current in-memory tokens (keyed by hash).
+            // Invariant: a promoted disk token exists ONLY in `accessTokens` — it was
+            // deleted from `hashedTokens` at promotion time. Do not write it from both
+            // maps or revocation tracking breaks.
+            for (const [rawToken, record] of this.accessTokens) {
+                if (record.expiresAt > now) {
+                    tokens[this.hashToken(rawToken)] = {
+                        clientId: record.clientId,
+                        scope: record.scope,
+                        expiresAt: record.expiresAt,
+                    };
+                }
+            }
+            // Persist still-valid disk tokens that have not yet been promoted.
+            // The `!(hash in tokens)` guard is a safety net — promoted tokens should
+            // already be absent from `hashedTokens`, but the check prevents any
+            // double-write if that invariant is ever violated.
+            for (const [hash, record] of this.hashedTokens) {
+                if (record.expiresAt > now && !(hash in tokens)) {
+                    tokens[hash] = {
+                        clientId: record.clientId,
+                        scope: record.scope,
+                        expiresAt: record.expiresAt,
+                    };
+                }
+            }
+            const data = JSON.stringify({ version: 1, tokens }, null, 2);
+            const tmpPath = `${this.tokenStorePath}.tmp`;
+            const dir = path.dirname(this.tokenStorePath);
+            if (!fs.existsSync(dir))
+                fs.mkdirSync(dir, { recursive: true });
+            fs.writeFileSync(tmpPath, data, { mode: 0o600 });
+            fs.renameSync(tmpPath, this.tokenStorePath);
+            fs.chmodSync(this.tokenStorePath, 0o600);
+        }
+        catch {
+            // Best-effort — never block operation
+        }
+    }
+    schedulePersist() {
+        if (!this.tokenStorePath)
+            return;
+        if (this.persistTimer !== null)
+            clearTimeout(this.persistTimer);
+        this.persistTimer = setTimeout(() => {
+            this.persistTimer = null;
+            this.persistTokens();
+        }, 500).unref(); // unref so a pending flush doesn't prevent process exit
+    }
+    // ── Private helpers ───────────────────────────────────────────────────────
+    randomToken(bytes) {
+        return crypto.randomBytes(bytes).toString("base64url");
+    }
+    pkceVerify(verifier, challenge) {
+        const hash = crypto
+            .createHash("sha256")
+            .update(verifier)
+            .digest("base64url");
+        return timingSafeStringEqual(hash, challenge);
+    }
+    readBody(req) {
+        return new Promise((resolve, reject) => {
+            let data = "";
+            const onData = (chunk) => {
+                data += chunk.toString();
+                if (data.length > 8_192) {
+                    req.removeListener("data", onData);
+                    req.removeListener("end", onEnd);
+                    req.destroy();
+                    reject(new Error("Request body too large"));
+                }
+            };
+            const onEnd = () => resolve(new URLSearchParams(data));
+            req.on("data", onData);
+            req.on("end", onEnd);
+            req.on("error", reject);
+        });
+    }
+    sendJson(res, status, body) {
+        res.writeHead(status, {
+            "Content-Type": "application/json",
+            "Cache-Control": "no-store",
+            Pragma: "no-cache",
+        });
+        res.end(JSON.stringify(body));
+    }
+    sendError(res, status, error, description) {
+        this.sendJson(res, status, {
+            error,
+            ...(description ? { error_description: description } : {}),
+        });
+    }
+    /**
+     * Fetch and cache a Client ID Metadata Document (CIMD / SEP-991).
+     * Called when client_id is an HTTPS URL instead of an opaque registered ID.
+     * Returns the redirect_uris from the document, or null on any error.
+     *
+     * Security: only public HTTPS URLs are allowed (isPrivateCimdHost blocks
+     * RFC 1918 / loopback). Response size capped at CIMD_MAX_BYTES.
+     */
+    async fetchCimd(clientIdUrl) {
+        const cached = this.cimdCache.get(clientIdUrl);
+        if (cached &&
+            Date.now() - cached.fetchedAt < OAuthServerImpl.CIMD_CACHE_TTL_MS) {
+            return cached.redirectUris;
+        }
+        let parsed;
+        try {
+            parsed = new URL(clientIdUrl);
+        }
+        catch {
+            return null;
+        }
+        if (parsed.protocol !== "https:")
+            return null;
+        if (isPrivateCimdHost(parsed.hostname))
+            return null;
+        try {
+            const controller = new AbortController();
+            const timeout = setTimeout(() => controller.abort(), 5_000);
+            let body;
+            try {
+                // No redirects — CIMD metadata documents must be served directly at
+                // the registered client_id URL. Following Location headers from an
+                // attacker-controlled server could bypass the isPrivateCimdHost() guard
+                // regardless of per-hop re-validation.
+                const resp = await fetch(clientIdUrl, {
+                    signal: controller.signal,
+                    headers: { Accept: "application/json" },
+                    redirect: "error",
+                });
+                if (!resp.ok)
+                    return null;
+                // Stream with size cap to prevent OOM
+                const reader = resp.body?.getReader();
+                if (!reader)
+                    return null;
+                const chunks = [];
+                let total = 0;
+                while (true) {
+                    const { done, value } = await reader.read();
+                    if (done)
+                        break;
+                    total += value.length;
+                    if (total > OAuthServerImpl.CIMD_MAX_BYTES) {
+                        reader.cancel().catch(() => { });
+                        return null;
+                    }
+                    chunks.push(value);
+                }
+                body = Buffer.concat(chunks).toString("utf8");
+            }
+            finally {
+                clearTimeout(timeout);
+            }
+            const doc = JSON.parse(body);
+            const uris = doc.redirect_uris;
+            if (!Array.isArray(uris) || uris.length === 0)
+                return null;
+            const redirectUris = uris.filter((u) => typeof u === "string");
+            if (redirectUris.length === 0)
+                return null;
+            this.cimdCache.set(clientIdUrl, { redirectUris, fetchedAt: Date.now() });
+            return redirectUris;
+        }
+        catch {
+            return null;
+        }
+    }
+    async parseAuthorizeParams(url) {
+        const responseType = url.searchParams.get("response_type");
+        const clientId = url.searchParams.get("client_id");
+        const redirectUri = url.searchParams.get("redirect_uri");
+        const codeChallenge = url.searchParams.get("code_challenge");
+        const codeChallengeMethod = url.searchParams.get("code_challenge_method");
+        const state = url.searchParams.get("state");
+        if (responseType !== "code")
+            return { error: "unsupported_response_type" };
+        if (!clientId || !redirectUri || !codeChallenge)
+            return { error: "invalid_request" };
+        if (codeChallengeMethod !== "S256")
+            return { error: "invalid_request" };
+        // CIMD: if client_id is an HTTPS URL, fetch its metadata document to get
+        // redirect_uris dynamically (SEP-991 / Claude Code v2.1.81+).
+        // Otherwise fall back to the pre-registered client map.
+        let allowedRedirectUris;
+        if (clientId.startsWith("https://")) {
+            const cimdUris = await this.fetchCimd(clientId);
+            if (!cimdUris)
+                return { error: "invalid_client" };
+            allowedRedirectUris = cimdUris;
+            // Register the client dynamically so the POST handler can look it up
+            if (!this.registeredClients.has(clientId)) {
+                this.registeredClients.set(clientId, {
+                    redirectUris: cimdUris,
+                    issuedAt: Date.now(),
+                });
+            }
+        }
+        else {
+            const registered = this.registeredClients.get(clientId);
+            allowedRedirectUris = registered?.redirectUris;
+        }
+        if (!allowedRedirectUris?.includes(redirectUri)) {
+            return { error: "invalid_redirect_uri" };
+        }
+        return {
+            clientId,
+            redirectUri,
+            codeChallenge,
+            scope: url.searchParams.get("scope") ?? DEFAULT_SCOPE,
+            state: state ?? "",
+        };
+    }
+    // ── Approval page HTML ────────────────────────────────────────────────────
+    approvalPage(opts) {
+        const e = (s) => s
+            .replace(/&/g, "&amp;")
+            .replace(/</g, "&lt;")
+            .replace(/>/g, "&gt;")
+            .replace(/"/g, "&quot;")
+            .replace(/'/g, "&#39;");
+        return `<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width,initial-scale=1">
+  <title>Authorize \u2014 Claude IDE Bridge</title>
+  <style>
+    *,*::before,*::after{box-sizing:border-box;margin:0;padding:0}
+    body{font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,sans-serif;
+         background:#0f1117;color:#e2e8f0;display:flex;align-items:center;
+         justify-content:center;min-height:100vh;padding:2rem}
+    .card{background:#1a1d27;border:1px solid #2d3148;border-radius:12px;
+          padding:2rem;max-width:420px;width:100%;box-shadow:0 4px 32px rgba(0,0,0,.4)}
+    .logo{font-size:1.5rem;font-weight:700;color:#818cf8;margin-bottom:1.5rem}
+    h1{font-size:1.1rem;margin-bottom:.5rem}
+    .client{font-size:.9rem;color:#94a3b8;margin-bottom:1.5rem;word-break:break-all}
+    .scope{background:#12141e;border:1px solid #2d3148;border-radius:8px;
+           padding:1rem;margin-bottom:1.5rem;font-size:.875rem;color:#94a3b8}
+    .scope strong{color:#e2e8f0;display:block;margin-bottom:.5rem}
+    .item::before{content:"\u2713 ";color:#34d399}
+    .token-field{margin-bottom:1.25rem}
+    .token-field label{display:block;font-size:.8rem;color:#94a3b8;margin-bottom:.4rem}
+    .token-field input{width:100%;padding:.5rem .75rem;background:#12141e;border:1px solid #2d3148;
+           border-radius:6px;color:#e2e8f0;font-size:.875rem;font-family:monospace}
+    .token-field input.err{border-color:#f87171}
+    .token-err{color:#f87171;font-size:.8rem;margin-top:.3rem}
+    .actions{display:flex;gap:.75rem}
+    button{flex:1;padding:.65rem 1rem;border:none;border-radius:8px;
+           font-size:.95rem;font-weight:600;cursor:pointer;transition:opacity .15s}
+    button:hover{opacity:.85}
+    .approve{background:#818cf8;color:#0f1117}
+    .deny{background:#2d3148;color:#94a3b8}
+    footer{margin-top:1.25rem;font-size:.75rem;color:#475569;text-align:center}
+  </style>
+</head>
+<body>
+  <div class="card">
+    <div class="logo">\u29ed Claude IDE Bridge</div>
+    <h1>Authorization Request</h1>
+    <p class="client">Client: <strong>${e(opts.clientId)}</strong></p>
+    <div class="scope">
+      <strong>Requested permissions</strong>
+      <div class="item">Full MCP tool access (read, write, execute)</div>
+    </div>
+    <form method="POST" action="/oauth/authorize">
+      <input type="hidden" name="client_id"      value="${e(opts.clientId)}">
+      <input type="hidden" name="redirect_uri"   value="${e(opts.redirectUri)}">
+      <input type="hidden" name="code_challenge" value="${e(opts.codeChallenge)}">
+      <input type="hidden" name="scope"          value="${e(opts.scope)}">
+      <input type="hidden" name="state"          value="${e(opts.state)}">
+      <input type="hidden" name="csrf_nonce"     value="${e(opts.csrfNonce ?? "")}">
+      <input type="hidden" name="flow_id"        value="${e(opts.flowId ?? "")}">
+      <div class="token-field">
+        <label for="bridge_token">Bridge Token</label>
+        <input id="bridge_token" type="password" name="bridge_token" placeholder="Paste your bridge token"
+               class="${opts.tokenError ? "err" : ""}" autocomplete="off" required>
+        ${opts.tokenError ? '<div class="token-err">Incorrect token — check your bridge token and try again.</div>' : ""}
+      </div>
+      <div class="actions">
+        <button class="approve" type="submit" name="action" value="approve">Authorize</button>
+        <button class="deny"    type="submit" name="action" value="deny">Deny</button>
+      </div>
+    </form>
+    <footer>
+      Issuer: ${e(this.issuerUrl)}<br>
+      Only approve if you initiated this from your MCP client.
+    </footer>
+  </div>
+</body>
+</html>`;
+    }
+}
+//# sourceMappingURL=oauth.js.map