patchwork-os 0.2.0-alpha.3 → 0.2.0-alpha.4

package/dist/connectors/mcpClient.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"mcpClient.js","sourceRoot":"","sources":["../../src/connectors/mcpClient.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AA6BH,MAAM,KAAK,GAAG,IAAI,GAAG,EAAsB,CAAC;AAE5C,MAAM,eAAe,GAAG,MAAM,CAAC;AAE/B,SAAS,SAAS,CAAC,GAAW;IAC5B,MAAM,CAAC,GAAG,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IACzB,IAAI,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC;IACpB,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,SAAS,EAAE,CAAC;QAC7B,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAClB,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAO,CAAC,CAAC,KAAK,CAAC;AACjB,CAAC;AAED,SAAS,SAAS,CAAC,GAAW,EAAE,KAAoB,EAAE,KAAa;IACjE,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,EAAE,CAAC,CAAC;AAC3D,CAAC;AAED,MAAM,UAAU,aAAa;IAC3B,KAAK,CAAC,KAAK,EAAE,CAAC;AAChB,CAAC;AAED;;;;GAIG;AACH,KAAK,UAAU,gBAAgB,CAAC,GAAa;IAC3C,MAAM,EAAE,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,IAAI,EAAE,CAAC;IACjD,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;IAC9B,IAAI,EAAE,CAAC,QAAQ,CAAC,mBAAmB,CAAC,EAAE,CAAC;QACrC,iDAAiD;QACjD,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QAClC,IAAI,IAAI,GAAkB,IAAI,CAAC;QAC/B,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;YACtB,IAAI,CAAC,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;gBAC1B,MAAM,OAAO,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;gBAClC,IAAI,OAAO,IAAI,OAAO,KAAK,QAAQ;oBAAE,IAAI,GAAG,OAAO,CAAC;YACtD,CAAC;QACH,CAAC;QACD,IAAI,CAAC,IAAI;YAAE,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;QACjE,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC1B,CAAC;IACD,IAAI,CAAC,IAAI;QAAE,OAAO,IAAI,CAAC;IACvB,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAED,SAAS,WAAW,CAAC,MAA+B,EAAE,EAAU;IAC9D,MAAM,GAAG,GAAG,IAAI,eAAe,EAAE,CAAC;IAClC,MAAM,OAAO,GAAG,GAAG,EAAE,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAChD,IAAI,MAAM,EAAE,CAAC;QACX,IAAI,MAAM,CAAC,OAAO;YAAE,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;;YACxC,MAAM,CAAC,gBAAgB,CAAC,OAAO,EAAE,OAAO,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC;IACjE,CAAC;IACD,MAAM,CAAC,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC,qBAAqB,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAC5E,GAAG,CAAC,MAAM,CAAC,gBAAgB,CAAC,OAAO,EAAE,GAAG,EAAE,CAAC,YAAY,CAAC,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC;IAC5E,OAAO,GAAG,CAAC,MAAM,CAAC;AACpB,CAAC;AAED,MAAM,OAAO,SAAS;IAMD;IACA;IANX,SAAS,GAAkB,IAAI,CAAC;IAChC,WAAW,GAAG,KAAK,CAAC;IACpB,MAAM,GAAG,CAAC,CAAC;IAEnB,YACmB,QAAgB,EAChB,cAAqC;QADrC,aAAQ,GAAR,QAAQ,CAAQ;QAChB,mBAAc,GAAd,cAAc,CAAuB;IACrD,CAAC;IAEI,KAAK,CAAC,IAAI,CAChB,IAAa,EACb,OAAuB,EAAE;QAEzB,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,cAAc,EAAE,CAAC;QAC1C,MAAM,MAAM,GAAG,WAAW,CAAC,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,SAAS,IAAI,eAAe,CAAC,CAAC;QAC3E,MAAM,OAAO,GAA2B;YACtC,cAAc,EAAE,kBAAkB;YAClC,MAAM,EAAE,qCAAqC;YAC7C,aAAa,EAAE,UAAU,KAAK,EAAE;SACjC,CAAC;QACF,IAAI,IAAI,CAAC,SAAS;YAAE,OAAO,CAAC,gBAAgB,CAAC,GAAG,IAAI,CAAC,SAAS,CAAC;QAE/D,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,QAAQ,EAAE;YACrC,MAAM,EAAE,MAAM;YACd,OAAO;YACP,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC;YAC1B,MAAM;SACP,CAAC,CAAC;QACH,0CAA0C;QAC1C,MAAM,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC;QAC9C,IAAI,GAAG;YAAE,IAAI,CAAC,SAAS,GAAG,GAAG,CAAC;QAE9B,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,MAAM,OAAO,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;YACjD,MAAM,IAAI,KAAK,CAAC,YAAY,GAAG,CAAC,MAAM,OAAO,IAAI,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC,CAAC;QAC5E,CAAC;QACD,OAAO,gBAAgB,CAAC,GAAG,CAAC,CAAC;IAC/B,CAAC;IAEO,KAAK,CAAC,iBAAiB,CAAC,OAAuB,EAAE;QACvD,IAAI,IAAI,CAAC,WAAW;YAAE,OAAO;QAC7B,MAAM,EAAE,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC;QACzB,MAAM,IAAI,GAAG,CAAC,MAAM,IAAI,CAAC,IAAI,CAC3B;YACE,OAAO,EAAE,KAAK;YACd,EAAE;YACF,MAAM,EAAE,YAAY;YACpB,MAAM,EAAE;gBACN,eAAe,EAAE,YAAY;gBAC7B,YAAY,EAAE,EAAE;gBAChB,UAAU,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,OAAO,EAAE,KAAK,EAAE;aACrD;SACF,EACD,IAAI,CACL,CAAsD,CAAC;QACxD,IAAI,IAAI,EAAE,KAAK;YACb,MAAM,IAAI,KAAK,CAAC,0BAA0B,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;QAClE,8CAA8C;QAC9C,MAAM,IAAI,CAAC,IAAI,CACb,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,2BAA2B,EAAE,EACvD,IAAI,CACL,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;QAClB,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC;IAC1B,CAAC;IAED,KAAK,CAAC,SAAS,CACb,OAAuB,EAAE;QAIzB,MAAM,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,CAAC;QACnC,MAAM,EAAE,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC;QACzB,MAAM,IAAI,GAAG,CAAC,MAAM,IAAI,CAAC,IAAI,CAC3B,EAAE,OAAO,EAAE,KAAK,EAAE,EAAE,EAAE,MAAM,EAAE,YAAY,EAAE,EAC5C,IAAI,CACL,CASA,CAAC;QACF,IAAI,IAAI,EAAE,KAAK;YAAE,MAAM,IAAI,KAAK,CAAC,eAAe,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;QACtE,OAAO,IAAI,CAAC,MAAM,EAAE,KAAK,IAAI,EAAE,CAAC;IAClC,CAAC;IAED,KAAK,CAAC,QAAQ,CACZ,IAAY,EACZ,IAA6B,EAC7B,OAAuB,EAAE;QAEzB,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YAClB,MAAM,GAAG,GAAG,SAAS,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YACrC,IAAI,GAAG;gBAAE,OAAO,GAAG,CAAC;QACtB,CAAC;QACD,MAAM,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,CAAC;QACnC,MAAM,EAAE,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC;QACzB,MAAM,IAAI,GAAG,CAAC,MAAM,IAAI,CAAC,IAAI,CAC3B;YACE,OAAO,EAAE,KAAK;YACd,EAAE;YACF,MAAM,EAAE,YAAY;YACpB,MAAM,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE;SAClC,EACD,IAAI,CACL,CAA4D,CAAC;QAC9D,IAAI,IAAI,EAAE,KAAK;YACb,MAAM,IAAI,KAAK,CAAC,cAAc,IAAI,KAAK,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;QAC/D,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,IAAI,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QAC9C,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;YACnB,MAAM,GAAG,GAAG,MAAM,CAAC,OAAO;iBACvB,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;iBAClB,MAAM,CAAC,OAAO,CAAC;iBACf,IAAI,CAAC,GAAG,CAAC;iBACT,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,YAAY,IAAI,oBAAoB,GAAG,IAAI,SAAS,EAAE,CAAC,CAAC;QAC1E,CAAC;QACD,IAAI,IAAI,CAAC,QAAQ,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;YACrC,SAAS,CAAC,IAAI,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;QACpD,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,wGAAwG;IACxG,MAAM,CAAC,WAAW,CAAc,MAAqB;QACnD,IAAI,MAAM,CAAC,iBAAiB,KAAK,SAAS,EAAE,CAAC;YAC3C,OAAO,MAAM,CAAC,iBAAsB,CAAC;QACvC,CAAC;QACD,MAAM,IAAI,GAAG,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,MAAM,CAAC,EAAE,IAAI,CAAC;QACjE,IAAI,CAAC,IAAI;YAAE,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC;QAC7D,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAM,CAAC;IAC/B,CAAC;IAED,qEAAqE;IACrE,KAAK,CAAC,IAAI,CAAC,OAAuB,EAAE;QAClC,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;YAC3B,OAAO,IAAI,CAAC;QACd,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;CACF"}

package/dist/connectors/mcpOAuth.d.ts

@@ -0,0 +1,73 @@
+/**
+ * OAuth 2.1 PKCE helper for upstream MCP servers.
+ *
+ * Supports two vendor modes:
+ *   - dyn-reg (Linear, Sentry): RFC 7591 dynamic client registration.
+ *     Registration data cached alongside tokens so we don't re-register every run.
+ *   - preregistered (GitHub): uses a hardcoded client_id + PKCE-only flow.
+ *
+ * Token files: ~/.patchwork/tokens/<vendor>-mcp.json (mode 0600)
+ *
+ * Flow:
+ *   1. startAuthorize({ vendor, config }) -> { url, state }
+ *      Dashboard opens `url` in a popup; stores `state` to correlate callback.
+ *   2. server.ts callback route calls completeAuthorize({ vendor, config, code, state })
+ *      -> persisted token file.
+ *   3. getAccessToken({ vendor }) reads token, refreshes if needed.
+ *   4. revoke({ vendor }) hits the revocation endpoint + deletes file.
+ */
+export type VendorId = "github" | "linear" | "sentry";
+export interface VendorConfig {
+    vendor: VendorId;
+    /** Base issuer (authorization server), used for discovery. */
+    issuer: string;
+    /** Explicit endpoints (overrides discovery). */
+    authorizationEndpoint?: string;
+    tokenEndpoint?: string;
+    registrationEndpoint?: string;
+    revocationEndpoint?: string;
+    /** Scopes requested in authorize URL. */
+    scopes: string[];
+    /** Redirect URI — must match what's registered / what the dashboard uses. */
+    redirectUri: string;
+    /** If true, use RFC 7591 dynamic client registration. */
+    useDynamicRegistration: boolean;
+    /** If useDynamicRegistration=false, this client_id is used. */
+    preregisteredClientId?: string;
+    /** Client secret for pre-registered clients (e.g. GitHub OAuth Apps). */
+    preregisteredClientSecret?: string;
+    /** Human-friendly client name for dyn-reg. */
+    clientName?: string;
+}
+export declare function vendorConfig(vendor: VendorId): VendorConfig;
+export interface McpTokenFile {
+    vendor: VendorId;
+    client_id: string;
+    client_secret?: string;
+    access_token: string;
+    refresh_token?: string;
+    expires_at?: number;
+    scope?: string;
+    connected_at: string;
+    /** Vendor-specific profile info captured at connect-time for UI display. */
+    profile?: Record<string, string>;
+}
+export declare function loadTokenFile(vendor: VendorId): McpTokenFile | null;
+/**
+ * Returns the authorize URL for the popup, and a `state` cookie value
+ * the callback must match. For dyn-reg vendors, registers a fresh client
+ * if we don't have one yet (re-uses existing one from token file on reconnect).
+ */
+export declare function startAuthorize(config: VendorConfig): Promise<{
+    url: string;
+    state: string;
+}>;
+export interface CompleteResult {
+    ok: true;
+    profile?: Record<string, string>;
+}
+/** Complete the authorize flow. Persists token file. */
+export declare function completeAuthorize(config: VendorConfig, code: string, state: string, profile?: Record<string, string>): Promise<CompleteResult>;
+export declare function getAccessToken(vendor: VendorId): Promise<string>;
+export declare function revoke(vendor: VendorId): Promise<void>;
+export declare function isConnected(vendor: VendorId): boolean;

package/dist/connectors/mcpOAuth.js

@@ -0,0 +1,338 @@
+/**
+ * OAuth 2.1 PKCE helper for upstream MCP servers.
+ *
+ * Supports two vendor modes:
+ *   - dyn-reg (Linear, Sentry): RFC 7591 dynamic client registration.
+ *     Registration data cached alongside tokens so we don't re-register every run.
+ *   - preregistered (GitHub): uses a hardcoded client_id + PKCE-only flow.
+ *
+ * Token files: ~/.patchwork/tokens/<vendor>-mcp.json (mode 0600)
+ *
+ * Flow:
+ *   1. startAuthorize({ vendor, config }) -> { url, state }
+ *      Dashboard opens `url` in a popup; stores `state` to correlate callback.
+ *   2. server.ts callback route calls completeAuthorize({ vendor, config, code, state })
+ *      -> persisted token file.
+ *   3. getAccessToken({ vendor }) reads token, refreshes if needed.
+ *   4. revoke({ vendor }) hits the revocation endpoint + deletes file.
+ */
+import crypto from "node:crypto";
+import { existsSync, mkdirSync, readFileSync, unlinkSync, writeFileSync, } from "node:fs";
+import { homedir } from "node:os";
+import path from "node:path";
+// ── Known vendor configs ─────────────────────────────────────────────────────
+function defaultBridgeBase() {
+    const port = process.env.PATCHWORK_BRIDGE_PORT ?? "3101";
+    return (process.env.PATCHWORK_BRIDGE_URL ?? `http://localhost:${port}`).replace(/\/$/, "");
+}
+export function vendorConfig(vendor) {
+    const bridgeBase = defaultBridgeBase();
+    switch (vendor) {
+        case "github":
+            return {
+                vendor,
+                issuer: "https://github.com/login/oauth",
+                authorizationEndpoint: "https://github.com/login/oauth/authorize",
+                tokenEndpoint: "https://github.com/login/oauth/access_token",
+                revocationEndpoint: undefined, // GitHub OAuth apps use a different revoke path; best-effort delete only
+                scopes: ["repo", "read:org", "read:user"],
+                redirectUri: `${bridgeBase}/connections/github/callback`,
+                useDynamicRegistration: false,
+                preregisteredClientId: process.env.PATCHWORK_GITHUB_CLIENT_ID ?? "",
+                preregisteredClientSecret: process.env.PATCHWORK_GITHUB_CLIENT_SECRET,
+                clientName: "Patchwork OS",
+            };
+        case "linear":
+            return {
+                vendor,
+                issuer: "https://mcp.linear.app",
+                authorizationEndpoint: "https://mcp.linear.app/authorize",
+                tokenEndpoint: "https://mcp.linear.app/token",
+                registrationEndpoint: "https://mcp.linear.app/register",
+                revocationEndpoint: "https://mcp.linear.app/token", // per discovery doc
+                scopes: [],
+                redirectUri: `${bridgeBase}/connections/linear/callback`,
+                useDynamicRegistration: true,
+                clientName: "Patchwork OS",
+            };
+        case "sentry":
+            return {
+                vendor,
+                issuer: "https://mcp.sentry.dev",
+                authorizationEndpoint: "https://mcp.sentry.dev/oauth/authorize",
+                tokenEndpoint: "https://mcp.sentry.dev/oauth/token",
+                registrationEndpoint: "https://mcp.sentry.dev/oauth/register",
+                revocationEndpoint: "https://mcp.sentry.dev/oauth/token",
+                scopes: ["org:read", "project:write", "event:write"],
+                redirectUri: `${bridgeBase}/connections/sentry/callback`,
+                useDynamicRegistration: true,
+                clientName: "Patchwork OS",
+            };
+    }
+}
+function tokenPath(vendor) {
+    return path.join(homedir(), ".patchwork", "tokens", `${vendor}-mcp.json`);
+}
+export function loadTokenFile(vendor) {
+    const p = tokenPath(vendor);
+    if (!existsSync(p))
+        return null;
+    try {
+        return JSON.parse(readFileSync(p, "utf-8"));
+    }
+    catch {
+        return null;
+    }
+}
+function saveTokenFile(file) {
+    const p = tokenPath(file.vendor);
+    mkdirSync(path.dirname(p), { recursive: true, mode: 0o700 });
+    writeFileSync(p, JSON.stringify(file, null, 2), { mode: 0o600 });
+}
+function deleteTokenFile(vendor) {
+    const p = tokenPath(vendor);
+    if (existsSync(p))
+        unlinkSync(p);
+}
+// ── PKCE helpers ─────────────────────────────────────────────────────────────
+function base64url(buf) {
+    return buf
+        .toString("base64")
+        .replace(/=/g, "")
+        .replace(/\+/g, "-")
+        .replace(/\//g, "_");
+}
+function genVerifier() {
+    return base64url(crypto.randomBytes(32));
+}
+function challenge(verifier) {
+    return base64url(crypto.createHash("sha256").update(verifier).digest());
+}
+const pending = new Map();
+function gcPending() {
+    const now = Date.now();
+    for (const [k, v] of pending.entries()) {
+        if (v.expiresAt < now)
+            pending.delete(k);
+    }
+}
+async function dynamicRegister(config) {
+    if (!config.registrationEndpoint) {
+        throw new Error(`${config.vendor}: no registration endpoint configured`);
+    }
+    const body = {
+        client_name: config.clientName ?? "Patchwork OS",
+        redirect_uris: [config.redirectUri],
+        grant_types: ["authorization_code", "refresh_token"],
+        response_types: ["code"],
+        token_endpoint_auth_method: "none",
+        scope: config.scopes.join(" "),
+    };
+    const res = await fetch(config.registrationEndpoint, {
+        method: "POST",
+        headers: { "Content-Type": "application/json", Accept: "application/json" },
+        body: JSON.stringify(body),
+    });
+    if (!res.ok) {
+        const snippet = (await res.text()).slice(0, 300);
+        throw new Error(`${config.vendor} dyn-reg failed ${res.status}: ${snippet}`);
+    }
+    const json = (await res.json());
+    if (!json.client_id)
+        throw new Error(`${config.vendor} dyn-reg missing client_id`);
+    return { clientId: json.client_id, clientSecret: json.client_secret };
+}
+// ── Authorize flow ───────────────────────────────────────────────────────────
+/**
+ * Returns the authorize URL for the popup, and a `state` cookie value
+ * the callback must match. For dyn-reg vendors, registers a fresh client
+ * if we don't have one yet (re-uses existing one from token file on reconnect).
+ */
+export async function startAuthorize(config) {
+    gcPending();
+    let clientId = config.preregisteredClientId ?? "";
+    let clientSecret = config.preregisteredClientSecret;
+    if (config.useDynamicRegistration) {
+        // Re-use cached registration if available
+        const existing = loadTokenFile(config.vendor);
+        if (existing?.client_id) {
+            clientId = existing.client_id;
+            clientSecret = existing.client_secret;
+        }
+        else {
+            const reg = await dynamicRegister(config);
+            clientId = reg.clientId;
+            clientSecret = reg.clientSecret;
+        }
+    }
+    if (!clientId) {
+        throw new Error(`${config.vendor}: client_id not configured (set PATCHWORK_${config.vendor.toUpperCase()}_CLIENT_ID)`);
+    }
+    if (!config.useDynamicRegistration &&
+        config.preregisteredClientSecret === undefined &&
+        config.vendor === "github") {
+        throw new Error("github: client_secret not configured (set PATCHWORK_GITHUB_CLIENT_SECRET)");
+    }
+    const verifier = genVerifier();
+    const state = base64url(crypto.randomBytes(24));
+    pending.set(state, {
+        vendor: config.vendor,
+        verifier,
+        clientId,
+        clientSecret,
+        expiresAt: Date.now() + 10 * 60 * 1000,
+    });
+    const params = new URLSearchParams({
+        response_type: "code",
+        client_id: clientId,
+        redirect_uri: config.redirectUri,
+        state,
+        code_challenge: challenge(verifier),
+        code_challenge_method: "S256",
+    });
+    if (config.scopes.length)
+        params.set("scope", config.scopes.join(" "));
+    const authorizeUrl = config.authorizationEndpoint;
+    if (!authorizeUrl)
+        throw new Error(`${config.vendor}: no authorization_endpoint`);
+    return { url: `${authorizeUrl}?${params.toString()}`, state };
+}
+async function exchangeCode(config, code, verifier, clientId, clientSecret) {
+    if (!config.tokenEndpoint)
+        throw new Error(`${config.vendor}: no token_endpoint`);
+    const body = new URLSearchParams({
+        grant_type: "authorization_code",
+        code,
+        redirect_uri: config.redirectUri,
+        client_id: clientId,
+        code_verifier: verifier,
+    });
+    if (clientSecret)
+        body.set("client_secret", clientSecret);
+    const res = await fetch(config.tokenEndpoint, {
+        method: "POST",
+        headers: {
+            "Content-Type": "application/x-www-form-urlencoded",
+            Accept: "application/json",
+        },
+        body: body.toString(),
+    });
+    if (!res.ok) {
+        const snippet = (await res.text()).slice(0, 300);
+        throw new Error(`${config.vendor} token exchange ${res.status}: ${snippet}`);
+    }
+    // GitHub returns form-encoded by default unless Accept: application/json is honored
+    const ct = res.headers.get("content-type") ?? "";
+    if (ct.includes("application/x-www-form-urlencoded")) {
+        const text = await res.text();
+        const p = new URLSearchParams(text);
+        if (p.get("error"))
+            throw new Error(`${config.vendor}: ${p.get("error_description") ?? p.get("error")}`);
+        return {
+            access_token: p.get("access_token") ?? "",
+            refresh_token: p.get("refresh_token") ?? undefined,
+            expires_in: p.get("expires_in") ? Number(p.get("expires_in")) : undefined,
+            scope: p.get("scope") ?? undefined,
+        };
+    }
+    return (await res.json());
+}
+/** Complete the authorize flow. Persists token file. */
+export async function completeAuthorize(config, code, state, profile) {
+    gcPending();
+    const p = pending.get(state);
+    if (!p)
+        throw new Error(`${config.vendor}: invalid or expired state`);
+    pending.delete(state);
+    if (p.vendor !== config.vendor)
+        throw new Error(`${config.vendor}: vendor mismatch on state`);
+    const tok = await exchangeCode(config, code, p.verifier, p.clientId, p.clientSecret);
+    if (!tok.access_token)
+        throw new Error(`${config.vendor}: empty access_token`);
+    const expiresAt = tok.expires_in
+        ? Date.now() + tok.expires_in * 1000
+        : undefined;
+    saveTokenFile({
+        vendor: config.vendor,
+        client_id: p.clientId,
+        client_secret: p.clientSecret,
+        access_token: tok.access_token,
+        refresh_token: tok.refresh_token,
+        expires_at: expiresAt,
+        scope: tok.scope,
+        connected_at: new Date().toISOString(),
+        profile,
+    });
+    return { ok: true, profile };
+}
+// ── Token refresh ────────────────────────────────────────────────────────────
+async function refreshIfNeeded(config, file) {
+    const buffer = 60_000;
+    if (!file.expires_at || Date.now() < file.expires_at - buffer)
+        return file;
+    if (!file.refresh_token)
+        return file; // some vendors don't issue refresh tokens
+    if (!config.tokenEndpoint)
+        return file;
+    const body = new URLSearchParams({
+        grant_type: "refresh_token",
+        refresh_token: file.refresh_token,
+        client_id: file.client_id,
+    });
+    if (file.client_secret)
+        body.set("client_secret", file.client_secret);
+    const res = await fetch(config.tokenEndpoint, {
+        method: "POST",
+        headers: {
+            "Content-Type": "application/x-www-form-urlencoded",
+            Accept: "application/json",
+        },
+        body: body.toString(),
+    });
+    if (!res.ok) {
+        // Leave file as-is; caller will get 401 on next API call and re-auth
+        return file;
+    }
+    const json = (await res.json());
+    const updated = {
+        ...file,
+        access_token: json.access_token,
+        refresh_token: json.refresh_token ?? file.refresh_token,
+        expires_at: json.expires_in
+            ? Date.now() + json.expires_in * 1000
+            : undefined,
+    };
+    saveTokenFile(updated);
+    return updated;
+}
+export async function getAccessToken(vendor) {
+    const file = loadTokenFile(vendor);
+    if (!file)
+        throw new Error(`${vendor}: not connected`);
+    const config = vendorConfig(vendor);
+    const fresh = await refreshIfNeeded(config, file);
+    return fresh.access_token;
+}
+// ── Revocation ───────────────────────────────────────────────────────────────
+export async function revoke(vendor) {
+    const file = loadTokenFile(vendor);
+    const config = vendorConfig(vendor);
+    if (file && config.revocationEndpoint) {
+        const body = new URLSearchParams({
+            token: file.access_token,
+            client_id: file.client_id,
+        });
+        if (file.client_secret)
+            body.set("client_secret", file.client_secret);
+        await fetch(config.revocationEndpoint, {
+            method: "POST",
+            headers: { "Content-Type": "application/x-www-form-urlencoded" },
+            body: body.toString(),
+        }).catch(() => { });
+    }
+    deleteTokenFile(vendor);
+}
+export function isConnected(vendor) {
+    return loadTokenFile(vendor) !== null;
+}
+//# sourceMappingURL=mcpOAuth.js.map

package/dist/connectors/mcpOAuth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"mcpOAuth.js","sourceRoot":"","sources":["../../src/connectors/mcpOAuth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,OAAO,MAAM,MAAM,aAAa,CAAC;AACjC,OAAO,EACL,UAAU,EACV,SAAS,EACT,YAAY,EACZ,UAAU,EACV,aAAa,GACd,MAAM,SAAS,CAAC;AACjB,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,IAAI,MAAM,WAAW,CAAC;AA6B7B,gFAAgF;AAEhF,SAAS,iBAAiB;IACxB,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,qBAAqB,IAAI,MAAM,CAAC;IACzD,OAAO,CACL,OAAO,CAAC,GAAG,CAAC,oBAAoB,IAAI,oBAAoB,IAAI,EAAE,CAC/D,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;AACvB,CAAC;AAED,MAAM,UAAU,YAAY,CAAC,MAAgB;IAC3C,MAAM,UAAU,GAAG,iBAAiB,EAAE,CAAC;IACvC,QAAQ,MAAM,EAAE,CAAC;QACf,KAAK,QAAQ;YACX,OAAO;gBACL,MAAM;gBACN,MAAM,EAAE,gCAAgC;gBACxC,qBAAqB,EAAE,0CAA0C;gBACjE,aAAa,EAAE,6CAA6C;gBAC5D,kBAAkB,EAAE,SAAS,EAAE,yEAAyE;gBACxG,MAAM,EAAE,CAAC,MAAM,EAAE,UAAU,EAAE,WAAW,CAAC;gBACzC,WAAW,EAAE,GAAG,UAAU,8BAA8B;gBACxD,sBAAsB,EAAE,KAAK;gBAC7B,qBAAqB,EAAE,OAAO,CAAC,GAAG,CAAC,0BAA0B,IAAI,EAAE;gBACnE,yBAAyB,EAAE,OAAO,CAAC,GAAG,CAAC,8BAA8B;gBACrE,UAAU,EAAE,cAAc;aAC3B,CAAC;QACJ,KAAK,QAAQ;YACX,OAAO;gBACL,MAAM;gBACN,MAAM,EAAE,wBAAwB;gBAChC,qBAAqB,EAAE,kCAAkC;gBACzD,aAAa,EAAE,8BAA8B;gBAC7C,oBAAoB,EAAE,iCAAiC;gBACvD,kBAAkB,EAAE,8BAA8B,EAAE,oBAAoB;gBACxE,MAAM,EAAE,EAAE;gBACV,WAAW,EAAE,GAAG,UAAU,8BAA8B;gBACxD,sBAAsB,EAAE,IAAI;gBAC5B,UAAU,EAAE,cAAc;aAC3B,CAAC;QACJ,KAAK,QAAQ;YACX,OAAO;gBACL,MAAM;gBACN,MAAM,EAAE,wBAAwB;gBAChC,qBAAqB,EAAE,wCAAwC;gBAC/D,aAAa,EAAE,oCAAoC;gBACnD,oBAAoB,EAAE,uCAAuC;gBAC7D,kBAAkB,EAAE,oCAAoC;gBACxD,MAAM,EAAE,CAAC,UAAU,EAAE,eAAe,EAAE,aAAa,CAAC;gBACpD,WAAW,EAAE,GAAG,UAAU,8BAA8B;gBACxD,sBAAsB,EAAE,IAAI;gBAC5B,UAAU,EAAE,cAAc;aAC3B,CAAC;IACN,CAAC;AACH,CAAC;AAiBD,SAAS,SAAS,CAAC,MAAgB;IACjC,OAAO,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,EAAE,YAAY,EAAE,QAAQ,EAAE,GAAG,MAAM,WAAW,CAAC,CAAC;AAC5E,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,MAAgB;IAC5C,MAAM,CAAC,GAAG,SAAS,CAAC,MAAM,CAAC,CAAC;IAC5B,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC;IAChC,IAAI,CAAC;QACH,OAAO,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC,EAAE,OAAO,CAAC,CAAiB,CAAC;IAC9D,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,SAAS,aAAa,CAAC,IAAkB;IACvC,MAAM,CAAC,GAAG,SAAS,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IACjC,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAC7D,aAAa,CAAC,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;AACnE,CAAC;AAED,SAAS,eAAe,CAAC,MAAgB;IACvC,MAAM,CAAC,GAAG,SAAS,CAAC,MAAM,CAAC,CAAC;IAC5B,IAAI,UAAU,CAAC,CAAC,CAAC;QAAE,UAAU,CAAC,CAAC,CAAC,CAAC;AACnC,CAAC;AAED,gFAAgF;AAEhF,SAAS,SAAS,CAAC,GAAW;IAC5B,OAAO,GAAG;SACP,QAAQ,CAAC,QAAQ,CAAC;SAClB,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC;SACjB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;AACzB,CAAC;AAED,SAAS,WAAW;IAClB,OAAO,SAAS,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,CAAC;AAC3C,CAAC;AAED,SAAS,SAAS,CAAC,QAAgB;IACjC,OAAO,SAAS,CAAC,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC;AAC1E,CAAC;AAYD,MAAM,OAAO,GAAG,IAAI,GAAG,EAAuB,CAAC;AAE/C,SAAS,SAAS;IAChB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC;QACvC,IAAI,CAAC,CAAC,SAAS,GAAG,GAAG;YAAE,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;IAC3C,CAAC;AACH,CAAC;AASD,KAAK,UAAU,eAAe,CAC5B,MAAoB;IAEpB,IAAI,CAAC,MAAM,CAAC,oBAAoB,EAAE,CAAC;QACjC,MAAM,IAAI,KAAK,CAAC,GAAG,MAAM,CAAC,MAAM,uCAAuC,CAAC,CAAC;IAC3E,CAAC;IACD,MAAM,IAAI,GAAG;QACX,WAAW,EAAE,MAAM,CAAC,UAAU,IAAI,cAAc;QAChD,aAAa,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC;QACnC,WAAW,EAAE,CAAC,oBAAoB,EAAE,eAAe,CAAC;QACpD,cAAc,EAAE,CAAC,MAAM,CAAC;QACxB,0BAA0B,EAAE,MAAM;QAClC,KAAK,EAAE,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC;KAC/B,CAAC;IACF,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,MAAM,CAAC,oBAAoB,EAAE;QACnD,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,MAAM,EAAE,kBAAkB,EAAE;QAC3E,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC;KAC3B,CAAC,CAAC;IACH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,MAAM,OAAO,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;QACjD,MAAM,IAAI,KAAK,CACb,GAAG,MAAM,CAAC,MAAM,mBAAmB,GAAG,CAAC,MAAM,KAAK,OAAO,EAAE,CAC5D,CAAC;IACJ,CAAC;IACD,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAyB,CAAC;IACxD,IAAI,CAAC,IAAI,CAAC,SAAS;QACjB,MAAM,IAAI,KAAK,CAAC,GAAG,MAAM,CAAC,MAAM,4BAA4B,CAAC,CAAC;IAChE,OAAO,EAAE,QAAQ,EAAE,IAAI,CAAC,SAAS,EAAE,YAAY,EAAE,IAAI,CAAC,aAAa,EAAE,CAAC;AACxE,CAAC;AAED,gFAAgF;AAEhF;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,MAAoB;IAEpB,SAAS,EAAE,CAAC;IAEZ,IAAI,QAAQ,GAAG,MAAM,CAAC,qBAAqB,IAAI,EAAE,CAAC;IAClD,IAAI,YAAY,GAAuB,MAAM,CAAC,yBAAyB,CAAC;IAExE,IAAI,MAAM,CAAC,sBAAsB,EAAE,CAAC;QAClC,0CAA0C;QAC1C,MAAM,QAAQ,GAAG,aAAa,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QAC9C,IAAI,QAAQ,EAAE,SAAS,EAAE,CAAC;YACxB,QAAQ,GAAG,QAAQ,CAAC,SAAS,CAAC;YAC9B,YAAY,GAAG,QAAQ,CAAC,aAAa,CAAC;QACxC,CAAC;aAAM,CAAC;YACN,MAAM,GAAG,GAAG,MAAM,eAAe,CAAC,MAAM,CAAC,CAAC;YAC1C,QAAQ,GAAG,GAAG,CAAC,QAAQ,CAAC;YACxB,YAAY,GAAG,GAAG,CAAC,YAAY,CAAC;QAClC,CAAC;IACH,CAAC;IACD,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,MAAM,IAAI,KAAK,CACb,GAAG,MAAM,CAAC,MAAM,6CAA6C,MAAM,CAAC,MAAM,CAAC,WAAW,EAAE,aAAa,CACtG,CAAC;IACJ,CAAC;IACD,IACE,CAAC,MAAM,CAAC,sBAAsB;QAC9B,MAAM,CAAC,yBAAyB,KAAK,SAAS;QAC9C,MAAM,CAAC,MAAM,KAAK,QAAQ,EAC1B,CAAC;QACD,MAAM,IAAI,KAAK,CACb,2EAA2E,CAC5E,CAAC;IACJ,CAAC;IAED,MAAM,QAAQ,GAAG,WAAW,EAAE,CAAC;IAC/B,MAAM,KAAK,GAAG,SAAS,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,CAAC;IAChD,OAAO,CAAC,GAAG,CAAC,KAAK,EAAE;QACjB,MAAM,EAAE,MAAM,CAAC,MAAM;QACrB,QAAQ;QACR,QAAQ;QACR,YAAY;QACZ,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI;KACvC,CAAC,CAAC;IAEH,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;QACjC,aAAa,EAAE,MAAM;QACrB,SAAS,EAAE,QAAQ;QACnB,YAAY,EAAE,MAAM,CAAC,WAAW;QAChC,KAAK;QACL,cAAc,EAAE,SAAS,CAAC,QAAQ,CAAC;QACnC,qBAAqB,EAAE,MAAM;KAC9B,CAAC,CAAC;IACH,IAAI,MAAM,CAAC,MAAM,CAAC,MAAM;QAAE,MAAM,CAAC,GAAG,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;IAEvE,MAAM,YAAY,GAAG,MAAM,CAAC,qBAAqB,CAAC;IAClD,IAAI,CAAC,YAAY;QACf,MAAM,IAAI,KAAK,CAAC,GAAG,MAAM,CAAC,MAAM,6BAA6B,CAAC,CAAC;IACjE,OAAO,EAAE,GAAG,EAAE,GAAG,YAAY,IAAI,MAAM,CAAC,QAAQ,EAAE,EAAE,EAAE,KAAK,EAAE,CAAC;AAChE,CAAC;AAOD,KAAK,UAAU,YAAY,CACzB,MAAoB,EACpB,IAAY,EACZ,QAAgB,EAChB,QAAgB,EAChB,YAAgC;IAOhC,IAAI,CAAC,MAAM,CAAC,aAAa;QACvB,MAAM,IAAI,KAAK,CAAC,GAAG,MAAM,CAAC,MAAM,qBAAqB,CAAC,CAAC;IACzD,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC;QAC/B,UAAU,EAAE,oBAAoB;QAChC,IAAI;QACJ,YAAY,EAAE,MAAM,CAAC,WAAW;QAChC,SAAS,EAAE,QAAQ;QACnB,aAAa,EAAE,QAAQ;KACxB,CAAC,CAAC;IACH,IAAI,YAAY;QAAE,IAAI,CAAC,GAAG,CAAC,eAAe,EAAE,YAAY,CAAC,CAAC;IAE1D,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,MAAM,CAAC,aAAa,EAAE;QAC5C,MAAM,EAAE,MAAM;QACd,OAAO,EAAE;YACP,cAAc,EAAE,mCAAmC;YACnD,MAAM,EAAE,kBAAkB;SAC3B;QACD,IAAI,EAAE,IAAI,CAAC,QAAQ,EAAE;KACtB,CAAC,CAAC;IACH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,MAAM,OAAO,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;QACjD,MAAM,IAAI,KAAK,CACb,GAAG,MAAM,CAAC,MAAM,mBAAmB,GAAG,CAAC,MAAM,KAAK,OAAO,EAAE,CAC5D,CAAC;IACJ,CAAC;IACD,oFAAoF;IACpF,MAAM,EAAE,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,IAAI,EAAE,CAAC;IACjD,IAAI,EAAE,CAAC,QAAQ,CAAC,mCAAmC,CAAC,EAAE,CAAC;QACrD,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;QAC9B,MAAM,CAAC,GAAG,IAAI,eAAe,CAAC,IAAI,CAAC,CAAC;QACpC,IAAI,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC;YAChB,MAAM,IAAI,KAAK,CACb,GAAG,MAAM,CAAC,MAAM,KAAK,CAAC,CAAC,GAAG,CAAC,mBAAmB,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CACpE,CAAC;QACJ,OAAO;YACL,YAAY,EAAE,CAAC,CAAC,GAAG,CAAC,cAAc,CAAC,IAAI,EAAE;YACzC,aAAa,EAAE,CAAC,CAAC,GAAG,CAAC,eAAe,CAAC,IAAI,SAAS;YAClD,UAAU,EAAE,CAAC,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS;YACzE,KAAK,EAAE,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,SAAS;SACnC,CAAC;IACJ,CAAC;IACD,OAAO,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAKvB,CAAC;AACJ,CAAC;AAED,wDAAwD;AACxD,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,MAAoB,EACpB,IAAY,EACZ,KAAa,EACb,OAAgC;IAEhC,SAAS,EAAE,CAAC;IACZ,MAAM,CAAC,GAAG,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IAC7B,IAAI,CAAC,CAAC;QAAE,MAAM,IAAI,KAAK,CAAC,GAAG,MAAM,CAAC,MAAM,4BAA4B,CAAC,CAAC;IACtE,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACtB,IAAI,CAAC,CAAC,MAAM,KAAK,MAAM,CAAC,MAAM;QAC5B,MAAM,IAAI,KAAK,CAAC,GAAG,MAAM,CAAC,MAAM,4BAA4B,CAAC,CAAC;IAEhE,MAAM,GAAG,GAAG,MAAM,YAAY,CAC5B,MAAM,EACN,IAAI,EACJ,CAAC,CAAC,QAAQ,EACV,CAAC,CAAC,QAAQ,EACV,CAAC,CAAC,YAAY,CACf,CAAC;IACF,IAAI,CAAC,GAAG,CAAC,YAAY;QACnB,MAAM,IAAI,KAAK,CAAC,GAAG,MAAM,CAAC,MAAM,sBAAsB,CAAC,CAAC;IAC1D,MAAM,SAAS,GAAG,GAAG,CAAC,UAAU;QAC9B,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,GAAG,CAAC,UAAU,GAAG,IAAI;QACpC,CAAC,CAAC,SAAS,CAAC;IAEd,aAAa,CAAC;QACZ,MAAM,EAAE,MAAM,CAAC,MAAM;QACrB,SAAS,EAAE,CAAC,CAAC,QAAQ;QACrB,aAAa,EAAE,CAAC,CAAC,YAAY;QAC7B,YAAY,EAAE,GAAG,CAAC,YAAY;QAC9B,aAAa,EAAE,GAAG,CAAC,aAAa;QAChC,UAAU,EAAE,SAAS;QACrB,KAAK,EAAE,GAAG,CAAC,KAAK;QAChB,YAAY,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACtC,OAAO;KACR,CAAC,CAAC;IACH,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;AAC/B,CAAC;AAED,gFAAgF;AAEhF,KAAK,UAAU,eAAe,CAC5B,MAAoB,EACpB,IAAkB;IAElB,MAAM,MAAM,GAAG,MAAM,CAAC;IACtB,IAAI,CAAC,IAAI,CAAC,UAAU,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,UAAU,GAAG,MAAM;QAAE,OAAO,IAAI,CAAC;IAC3E,IAAI,CAAC,IAAI,CAAC,aAAa;QAAE,OAAO,IAAI,CAAC,CAAC,0CAA0C;IAChF,IAAI,CAAC,MAAM,CAAC,aAAa;QAAE,OAAO,IAAI,CAAC;IAEvC,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC;QAC/B,UAAU,EAAE,eAAe;QAC3B,aAAa,EAAE,IAAI,CAAC,aAAa;QACjC,SAAS,EAAE,IAAI,CAAC,SAAS;KAC1B,CAAC,CAAC;IACH,IAAI,IAAI,CAAC,aAAa;QAAE,IAAI,CAAC,GAAG,CAAC,eAAe,EAAE,IAAI,CAAC,aAAa,CAAC,CAAC;IAEtE,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,MAAM,CAAC,aAAa,EAAE;QAC5C,MAAM,EAAE,MAAM;QACd,OAAO,EAAE;YACP,cAAc,EAAE,mCAAmC;YACnD,MAAM,EAAE,kBAAkB;SAC3B;QACD,IAAI,EAAE,IAAI,CAAC,QAAQ,EAAE;KACtB,CAAC,CAAC;IACH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,qEAAqE;QACrE,OAAO,IAAI,CAAC;IACd,CAAC;IACD,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAI7B,CAAC;IACF,MAAM,OAAO,GAAiB;QAC5B,GAAG,IAAI;QACP,YAAY,EAAE,IAAI,CAAC,YAAY;QAC/B,aAAa,EAAE,IAAI,CAAC,aAAa,IAAI,IAAI,CAAC,aAAa;QACvD,UAAU,EAAE,IAAI,CAAC,UAAU;YACzB,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,UAAU,GAAG,IAAI;YACrC,CAAC,CAAC,SAAS;KACd,CAAC;IACF,aAAa,CAAC,OAAO,CAAC,CAAC;IACvB,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,MAAgB;IACnD,MAAM,IAAI,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IACnC,IAAI,CAAC,IAAI;QAAE,MAAM,IAAI,KAAK,CAAC,GAAG,MAAM,iBAAiB,CAAC,CAAC;IACvD,MAAM,MAAM,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC;IACpC,MAAM,KAAK,GAAG,MAAM,eAAe,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;IAClD,OAAO,KAAK,CAAC,YAAY,CAAC;AAC5B,CAAC;AAED,gFAAgF;AAEhF,MAAM,CAAC,KAAK,UAAU,MAAM,CAAC,MAAgB;IAC3C,MAAM,IAAI,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IACnC,MAAM,MAAM,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC;IACpC,IAAI,IAAI,IAAI,MAAM,CAAC,kBAAkB,EAAE,CAAC;QACtC,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC;YAC/B,KAAK,EAAE,IAAI,CAAC,YAAY;YACxB,SAAS,EAAE,IAAI,CAAC,SAAS;SAC1B,CAAC,CAAC;QACH,IAAI,IAAI,CAAC,aAAa;YAAE,IAAI,CAAC,GAAG,CAAC,eAAe,EAAE,IAAI,CAAC,aAAa,CAAC,CAAC;QACtE,MAAM,KAAK,CAAC,MAAM,CAAC,kBAAkB,EAAE;YACrC,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE;YAChE,IAAI,EAAE,IAAI,CAAC,QAAQ,EAAE;SACtB,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;IACrB,CAAC;IACD,eAAe,CAAC,MAAM,CAAC,CAAC;AAC1B,CAAC;AAED,MAAM,UAAU,WAAW,CAAC,MAAgB;IAC1C,OAAO,aAAa,CAAC,MAAM,CAAC,KAAK,IAAI,CAAC;AACxC,CAAC"}

package/dist/connectors/sentry.d.ts

@@ -1,14 +1,14 @@
 /**
- * Sentry connector.
+ * Sentry connector — routes through Sentry's official MCP server.
  *
- * Uses Sentry's REST API with an auth token (no OAuth app required).
- * Token stored at ~/.patchwork/tokens/sentry.json (mode 0600).
- * Env vars: SENTRY_AUTH_TOKEN, SENTRY_ORG (optional default org slug).
+ * Endpoint: https://mcp.sentry.dev/mcp
+ * Auth:     OAuth 2.1 w/ PKCE; dynamic client registration (RFC 7591).
  *
- * HTTP routes registered in bridge.ts:
- *   POST   /connections/sentry/connect   — store token + verify
- *   POST   /connections/sentry/test      — verify stored token works
- *   DELETE /connections/sentry           — delete stored token
+ * HTTP routes (wired in src/server.ts):
+ *   GET    /connections/sentry/authorize — returns { url } for popup
+ *   GET    /connections/sentry/callback  — token exchange
+ *   POST   /connections/sentry/test      — ping MCP server
+ *   DELETE /connections/sentry           — revoke + delete token
  *
  * MCP tool: fetchSentryIssue — fetches a Sentry issue/event and returns
  * the stack trace string, ready to pass into enrichStackTrace.
@@ -24,24 +24,20 @@ export interface ConnectorStatus {
     lastSync?: string;
     org?: string;
 }
+export interface ConnectorHandlerResult {
+    status: number;
+    body: string;
+    contentType?: string;
+    redirect?: string;
+}
 export declare function loadTokens(): SentryTokens | null;
 export declare function getStatus(): ConnectorStatus;
-/**
- * Fetch the latest event for a Sentry issue and extract the stack trace text.
- * issueIdOrUrl accepts:
- *   - A numeric issue ID: "12345"
- *   - A Sentry issue URL: "https://sentry.io/organizations/my-org/issues/12345/"
- */
 export declare function fetchIssueStackTrace(issueIdOrUrl: string, signal?: AbortSignal): Promise<{
     stackTrace: string;
     title: string;
     issueId: string;
 }>;
-export interface ConnectorHandlerResult {
-    status: number;
-    body: string;
-    contentType?: string;
-}
-export declare function handleSentryConnect(body: unknown): Promise<ConnectorHandlerResult>;
+export declare function handleSentryAuthorize(): Promise<ConnectorHandlerResult>;
+export declare function handleSentryCallback(code: string | null, state: string | null, error: string | null): Promise<ConnectorHandlerResult>;
 export declare function handleSentryTest(): Promise<ConnectorHandlerResult>;
-export declare function handleSentryDisconnect(): ConnectorHandlerResult;
+export declare function handleSentryDisconnect(): Promise<ConnectorHandlerResult>;