payload-mcp-toolkit 0.3.4 → 0.7.4

package/dist/auth-strategy.js

@@ -0,0 +1,261 @@
+import { extractBearerToken, hashKey } from './hash';
+export const AUTH_STRATEGY_NAME = 'mcp-toolkit-bearer';
+/**
+ * Reads the row's slug, tolerating the pre-0.6 `collection` / `global`
+ * keys for one release. Logs a one-line warn when the legacy fallback
+ * fires so operators can spot keys that need re-saving. The fallback is
+ * scheduled for removal in v0.7.
+ */ let warnedLegacyShape = false;
+let warnedLegacyNonCustomOverride = false;
+/** @internal test-only: reset the one-time legacy warns. */ export function _resetLegacyWarnsForTests() {
+    warnedLegacyShape = false;
+    warnedLegacyNonCustomOverride = false;
+}
+function readScopeSlug(entry, legacyKey, logger) {
+    if (typeof entry?.slug === 'string') return entry.slug;
+    const legacy = entry?.[legacyKey];
+    if (typeof legacy === 'string') {
+        if (!warnedLegacyShape) {
+            warnedLegacyShape = true;
+            logger?.warn?.({
+                event: 'mcp.auth.legacy_scope_shape',
+                legacyKey
+            }, `[payload-mcp-toolkit] composeScopes read a pre-0.6 row using \`${legacyKey}\`; resave the API key to migrate to {slug, actions}. The fallback is removed in v0.7.`);
+        }
+        return legacy;
+    }
+    return null;
+}
+const VALID_ACTIONS = new Set([
+    'read',
+    'create',
+    'update',
+    'delete'
+]);
+const VALID_GLOBAL_ACTIONS = new Set([
+    'read',
+    'update'
+]);
+/**
+ * Builds the runtime `KeyScopes` shape consumed by `registry.assertScopeAllows`
+ * from the typed scope fields on the api-key row.
+ *
+ * Returns null when no typed fields are populated AND no preset is set
+ * (= full access — back-compat for pre-0.5 rows that pre-date scoped authz).
+ *
+ * Two complementary fail-closed rules:
+ *
+ * 1. **`'custom'` deny-all sentinel.** `'custom'` is a UI sentinel meaning
+ *    "use my override fields"; it never becomes `KeyScopes.preset` itself.
+ *    Payload persists unset JSON / select fields as `null`, so a fresh
+ *    Custom key with no overrides arrives as `{preset:'custom',
+ *    collectionScopes:null, globalScopes:null, toolAllow:null,
+ *    toolDeny:null}`. That row must deny everything (not fall through to
+ *    full access). The sentinel emits `{collections:{}, globals:{},
+ *    tools:{allow:[]}}`.
+ *
+ * 2. **Per-axis explicit-empty, Custom-only.** Under the Custom preset, an
+ *    empty array on any axis (even `[]`) is honoured as written — an empty
+ *    `toolAllow:[]` means "deny all tools on this axis", not "no opinion".
+ *    Under non-Custom presets, empty arrays are IGNORED because Payload's
+ *    hasMany / unpopulated-JSON reads return `[]` for fields the user
+ *    never touched (the override matrices are hidden in the admin UI under
+ *    non-Custom presets via `condition: isCustomPreset`). The on-write
+ *    counterpart of this rule lives in `createApiKeysCollection`'s
+ *    `beforeValidate` hook, which proactively nulls the override axes on
+ *    save when the preset is non-Custom — both layers must stay in sync.
+ *    Non-empty arrays still apply as layered narrowing under any preset.
+ *    `toolDeny` is a deny-list, so an empty array carries no entries — it
+ *    is dropped rather than emitted. NOTE: legacy non-Custom rows persisted
+ *    BEFORE v0.7.1 with populated stale override arrays continue to narrow
+ *    on read until each row is manually re-saved; the on-write fix only
+ *    applies to fresh writes.
+ */ export function composeScopes(row, logger) {
+    const presetRaw = row.preset;
+    const hasPreset = typeof presetRaw === 'string' && presetRaw.length > 0;
+    const hasCollectionScopesField = Array.isArray(row.collectionScopes);
+    const hasGlobalScopesField = Array.isArray(row.globalScopes);
+    const hasToolAllowField = Array.isArray(row.toolAllow);
+    const hasToolDenyField = Array.isArray(row.toolDeny);
+    // Pre-0.5 back-compat: row has no preset and no typed scope fields at
+    // all (all null/undefined). Treat as full access.
+    if (!hasPreset && !hasCollectionScopesField && !hasGlobalScopesField && !hasToolAllowField && !hasToolDenyField) {
+        return null;
+    }
+    // Sentinel: Custom preset with every axis null/undefined (no array
+    // committed) denies everything. Payload-persisted unset JSON / select
+    // fields arrive as null; this is the fresh-Custom-key case.
+    if (presetRaw === 'custom' && !hasCollectionScopesField && !hasGlobalScopesField && !hasToolAllowField && !hasToolDenyField) {
+        return {
+            collections: {},
+            globals: {},
+            tools: {
+                allow: []
+            }
+        };
+    }
+    const out = {};
+    const isCustomPreset = presetRaw === 'custom';
+    if (hasPreset && !isCustomPreset) {
+        out.preset = presetRaw;
+    }
+    // Under non-Custom presets, the override fields are hidden in the admin
+    // UI (`condition: isCustomPreset`) and Payload's hasMany / relational
+    // reads return `[]` for unpopulated relations even when the user never
+    // touched them. Treating that `[]` as "deny-all on this axis" turns
+    // every preset key into a deny-all key once it round-trips through the
+    // DB. Apply the explicit-empty-means-deny semantic only when the user
+    // is on the Custom preset (where the override fields are visible and
+    // meaningful); under preset modes, ignore empty arrays so that the
+    // preset alone drives access. Non-empty arrays still apply as layered
+    // narrowing, matching the field description ("layered on top of preset
+    // and collection scopes").
+    const treatEmptyAsScope = isCustomPreset;
+    // Legacy-row warn: non-Custom preset rows persisted BEFORE v0.7.1 may
+    // carry populated override arrays from a prior Custom configuration
+    // (the on-write null-out hook landed in v0.7.1). These still apply as
+    // layered narrowing on read — fail-closed-safe (narrows, never widens)
+    // but may not match operator intent. Warn once per process so legacy
+    // rows can be audited and re-saved.
+    if (hasPreset && !isCustomPreset && !warnedLegacyNonCustomOverride && (hasCollectionScopesField && row.collectionScopes.length > 0 || hasGlobalScopesField && row.globalScopes.length > 0 || hasToolAllowField && row.toolAllow.length > 0)) {
+        warnedLegacyNonCustomOverride = true;
+        logger?.warn?.({
+            event: 'mcp.auth.legacy_non_custom_override'
+        }, `[payload-mcp-toolkit] composeScopes read an API key with a non-Custom preset (${presetRaw}) ` + `carrying populated override arrays. These still narrow access as written, but the ` + `v0.7.1 admin UI clears overrides on preset switch — re-save affected keys to align ` + `persisted state with current admin semantics.`);
+    }
+    const emitCollectionScopes = hasCollectionScopesField && (treatEmptyAsScope || row.collectionScopes.length > 0);
+    if (emitCollectionScopes) {
+        const collections = {};
+        for (const entry of row.collectionScopes){
+            const slug = readScopeSlug(entry, 'collection', logger);
+            if (!slug) continue;
+            const rawActions = Array.isArray(entry?.actions) ? entry.actions : [];
+            const actions = rawActions.filter((a)=>typeof a === 'string' && VALID_ACTIONS.has(a));
+            collections[slug] = actions;
+        }
+        out.collections = collections;
+    }
+    const emitGlobalScopes = hasGlobalScopesField && (treatEmptyAsScope || row.globalScopes.length > 0);
+    if (emitGlobalScopes) {
+        const globals = {};
+        for (const entry of row.globalScopes){
+            const slug = readScopeSlug(entry, 'global', logger);
+            if (!slug) continue;
+            const rawActions = Array.isArray(entry?.actions) ? entry.actions : [];
+            const actions = rawActions.filter((a)=>typeof a === 'string' && VALID_GLOBAL_ACTIONS.has(a));
+            globals[slug] = actions;
+        }
+        out.globals = globals;
+    }
+    const toolDeny = hasToolDenyField ? row.toolDeny.filter((t)=>typeof t === 'string') : [];
+    const emitDeny = toolDeny.length > 0;
+    const emitToolAllow = hasToolAllowField && (treatEmptyAsScope || row.toolAllow.length > 0);
+    if (emitToolAllow || emitDeny) {
+        out.tools = {};
+        if (emitToolAllow) {
+            const toolAllow = row.toolAllow.filter((t)=>typeof t === 'string');
+            out.tools.allow = toolAllow;
+        }
+        if (emitDeny) out.tools.deny = toolDeny;
+    }
+    return out;
+}
+/**
+ * Builds the Payload `auth.strategies` entry that authenticates MCP requests.
+ *
+ * Authenticates `Authorization: Bearer <plaintext>` by computing the
+ * upstream-compatible `apiKeyIndex` HMAC and looking up the row. On match,
+ * it fires a non-blocking `lastUsedAt` write and hydrates `req.user` with
+ * the linked user record + key context for downstream scope checks.
+ */ export function createBearerStrategy(options) {
+    const { collectionSlug, userCollection } = options;
+    return {
+        name: AUTH_STRATEGY_NAME,
+        authenticate: async ({ headers, payload })=>{
+            const headersAny = headers;
+            const headerValue = typeof headersAny.get === 'function' ? headersAny.get('authorization') : headersAny.authorization;
+            const token = extractBearerToken(headerValue ?? null);
+            if (!token) return {
+                user: null
+            };
+            const keyHash = hashKey(token, payload.secret);
+            const where = {
+                apiKeyIndex: {
+                    equals: keyHash
+                }
+            };
+            let docs = [];
+            try {
+                const result = await payload.find({
+                    collection: collectionSlug,
+                    where,
+                    depth: 1,
+                    limit: 1,
+                    pagination: false,
+                    overrideAccess: true
+                });
+                docs = result.docs ?? [];
+            } catch (err) {
+                payload.logger.error({
+                    err,
+                    event: 'mcp.auth.lookup_failed'
+                }, '[payload-mcp-toolkit] API-key lookup failed');
+                return {
+                    user: null
+                };
+            }
+            const row = docs[0];
+            if (!row) return {
+                user: null
+            };
+            const now = Date.now();
+            if (row.revokedAt) return {
+                user: null
+            };
+            if (row.expiresAt) {
+                const expiry = new Date(row.expiresAt).getTime();
+                if (Number.isFinite(expiry) && expiry < now) return {
+                    user: null
+                };
+            }
+            const linkedUser = row.user;
+            if (!linkedUser || typeof linkedUser !== 'object') return {
+                user: null
+            };
+            const effectiveScopes = composeScopes(row, payload.logger);
+            // Fire-and-forget: do not block the request on this write.
+            void payload.update({
+                collection: collectionSlug,
+                id: row.id,
+                data: {
+                    lastUsedAt: new Date().toISOString()
+                },
+                overrideAccess: true
+            }).catch(()=>{
+            // Intentionally swallow: lastUsedAt drift is acceptable.
+            });
+            const user = linkedUser;
+            return {
+                user: {
+                    ...user,
+                    collection: userCollection,
+                    _strategy: AUTH_STRATEGY_NAME,
+                    _mcpKey: {
+                        keyId: row.id,
+                        keyPrefix: typeof row.keyPrefix === 'string' ? row.keyPrefix : null,
+                        scopes: effectiveScopes
+                    }
+                }
+            };
+        }
+    };
+}
+/**
+ * Reads the per-request API-key context populated by the bearer strategy.
+ * Returns null for non-MCP requests (e.g. cookie-authenticated admin users).
+ */ export function getApiKeyContext(req) {
+    const user = req.user;
+    return user?._mcpKey ?? null;
+}
+
+//# sourceMappingURL=auth-strategy.js.map

package/dist/auth-strategy.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/auth-strategy.ts"],"sourcesContent":["import type { AuthStrategy, PayloadRequest, Where } from 'payload'\r\nimport { extractBearerToken, hashKey } from './hash'\r\nimport type { CollectionAction, GlobalAction, KeyScopes, ScopePreset } from './types'\r\n\r\nexport type { CollectionAction, GlobalAction, KeyScopes, ScopePreset } from './types'\r\n\r\nexport const AUTH_STRATEGY_NAME = 'mcp-toolkit-bearer'\r\n\r\nexport interface CreateBearerStrategyOptions {\r\n  /** Slug of the API-keys collection (defaults to `payload-mcp-api-keys`). */\r\n  collectionSlug: string\r\n  /** Slug of the user collection that API keys link to. */\r\n  userCollection: string\r\n}\r\n\r\n/**\r\n * Stored shape for a row in `collectionScopes` / `globalScopes` (v0.6+).\r\n * The parent field name encodes the axis — collection-vs-global is not\r\n * repeated in the row payload. Legacy `collection` / `global` keys from\r\n * pre-0.6 rows are tolerated by `composeScopes` for one release; v0.7\r\n * drops the fallback (see CHANGELOG).\r\n */\r\ninterface ScopeRow {\r\n  slug?: unknown\r\n  /** @deprecated pre-0.6 collectionScopes shape — read via fallback only. */\r\n  collection?: unknown\r\n  /** @deprecated pre-0.6 globalScopes shape — read via fallback only. */\r\n  global?: unknown\r\n  actions?: unknown\r\n}\r\n\r\ninterface ApiKeyRow {\r\n  id: string | number\r\n  user: unknown\r\n  preset?: ScopePreset | 'custom' | null\r\n  collectionScopes?: ScopeRow[] | null\r\n  globalScopes?: ScopeRow[] | null\r\n  toolAllow?: string[] | null\r\n  toolDeny?: string[] | null\r\n  expiresAt?: string | Date | null\r\n  revokedAt?: string | Date | null\r\n  apiKey?: string | null\r\n  keyPrefix?: string | null\r\n}\r\n\r\n/**\r\n * Reads the row's slug, tolerating the pre-0.6 `collection` / `global`\r\n * keys for one release. Logs a one-line warn when the legacy fallback\r\n * fires so operators can spot keys that need re-saving. The fallback is\r\n * scheduled for removal in v0.7.\r\n */\r\nlet warnedLegacyShape = false\r\nlet warnedLegacyNonCustomOverride = false\r\n\r\n/** @internal test-only: reset the one-time legacy warns. */\r\nexport function _resetLegacyWarnsForTests(): void {\r\n  warnedLegacyShape = false\r\n  warnedLegacyNonCustomOverride = false\r\n}\r\n\r\nfunction readScopeSlug(\r\n  entry: ScopeRow,\r\n  legacyKey: 'collection' | 'global',\r\n  logger?: { warn?: (...args: unknown[]) => void } | undefined,\r\n): string | null {\r\n  if (typeof entry?.slug === 'string') return entry.slug\r\n  const legacy = entry?.[legacyKey]\r\n  if (typeof legacy === 'string') {\r\n    if (!warnedLegacyShape) {\r\n      warnedLegacyShape = true\r\n      logger?.warn?.(\r\n        { event: 'mcp.auth.legacy_scope_shape', legacyKey },\r\n        `[payload-mcp-toolkit] composeScopes read a pre-0.6 row using \\`${legacyKey}\\`; resave the API key to migrate to {slug, actions}. The fallback is removed in v0.7.`,\r\n      )\r\n    }\r\n    return legacy\r\n  }\r\n  return null\r\n}\r\n\r\nconst VALID_ACTIONS: ReadonlySet<CollectionAction> = new Set(['read', 'create', 'update', 'delete'])\r\nconst VALID_GLOBAL_ACTIONS: ReadonlySet<GlobalAction> = new Set(['read', 'update'])\r\n\r\n/**\r\n * Builds the runtime `KeyScopes` shape consumed by `registry.assertScopeAllows`\r\n * from the typed scope fields on the api-key row.\r\n *\r\n * Returns null when no typed fields are populated AND no preset is set\r\n * (= full access — back-compat for pre-0.5 rows that pre-date scoped authz).\r\n *\r\n * Two complementary fail-closed rules:\r\n *\r\n * 1. **`'custom'` deny-all sentinel.** `'custom'` is a UI sentinel meaning\r\n *    \"use my override fields\"; it never becomes `KeyScopes.preset` itself.\r\n *    Payload persists unset JSON / select fields as `null`, so a fresh\r\n *    Custom key with no overrides arrives as `{preset:'custom',\r\n *    collectionScopes:null, globalScopes:null, toolAllow:null,\r\n *    toolDeny:null}`. That row must deny everything (not fall through to\r\n *    full access). The sentinel emits `{collections:{}, globals:{},\r\n *    tools:{allow:[]}}`.\r\n *\r\n * 2. **Per-axis explicit-empty, Custom-only.** Under the Custom preset, an\r\n *    empty array on any axis (even `[]`) is honoured as written — an empty\r\n *    `toolAllow:[]` means \"deny all tools on this axis\", not \"no opinion\".\r\n *    Under non-Custom presets, empty arrays are IGNORED because Payload's\r\n *    hasMany / unpopulated-JSON reads return `[]` for fields the user\r\n *    never touched (the override matrices are hidden in the admin UI under\r\n *    non-Custom presets via `condition: isCustomPreset`). The on-write\r\n *    counterpart of this rule lives in `createApiKeysCollection`'s\r\n *    `beforeValidate` hook, which proactively nulls the override axes on\r\n *    save when the preset is non-Custom — both layers must stay in sync.\r\n *    Non-empty arrays still apply as layered narrowing under any preset.\r\n *    `toolDeny` is a deny-list, so an empty array carries no entries — it\r\n *    is dropped rather than emitted. NOTE: legacy non-Custom rows persisted\r\n *    BEFORE v0.7.1 with populated stale override arrays continue to narrow\r\n *    on read until each row is manually re-saved; the on-write fix only\r\n *    applies to fresh writes.\r\n */\r\nexport function composeScopes(\r\n  row: ApiKeyRow,\r\n  logger?: { warn?: (...args: unknown[]) => void },\r\n): KeyScopes | null {\r\n  const presetRaw = row.preset\r\n  const hasPreset = typeof presetRaw === 'string' && presetRaw.length > 0\r\n  const hasCollectionScopesField = Array.isArray(row.collectionScopes)\r\n  const hasGlobalScopesField = Array.isArray(row.globalScopes)\r\n  const hasToolAllowField = Array.isArray(row.toolAllow)\r\n  const hasToolDenyField = Array.isArray(row.toolDeny)\r\n\r\n  // Pre-0.5 back-compat: row has no preset and no typed scope fields at\r\n  // all (all null/undefined). Treat as full access.\r\n  if (\r\n    !hasPreset &&\r\n    !hasCollectionScopesField &&\r\n    !hasGlobalScopesField &&\r\n    !hasToolAllowField &&\r\n    !hasToolDenyField\r\n  ) {\r\n    return null\r\n  }\r\n\r\n  // Sentinel: Custom preset with every axis null/undefined (no array\r\n  // committed) denies everything. Payload-persisted unset JSON / select\r\n  // fields arrive as null; this is the fresh-Custom-key case.\r\n  if (\r\n    presetRaw === 'custom' &&\r\n    !hasCollectionScopesField &&\r\n    !hasGlobalScopesField &&\r\n    !hasToolAllowField &&\r\n    !hasToolDenyField\r\n  ) {\r\n    return { collections: {}, globals: {}, tools: { allow: [] } }\r\n  }\r\n\r\n  const out: KeyScopes = {}\r\n  const isCustomPreset = presetRaw === 'custom'\r\n  if (hasPreset && !isCustomPreset) {\r\n    out.preset = presetRaw as ScopePreset\r\n  }\r\n\r\n  // Under non-Custom presets, the override fields are hidden in the admin\r\n  // UI (`condition: isCustomPreset`) and Payload's hasMany / relational\r\n  // reads return `[]` for unpopulated relations even when the user never\r\n  // touched them. Treating that `[]` as \"deny-all on this axis\" turns\r\n  // every preset key into a deny-all key once it round-trips through the\r\n  // DB. Apply the explicit-empty-means-deny semantic only when the user\r\n  // is on the Custom preset (where the override fields are visible and\r\n  // meaningful); under preset modes, ignore empty arrays so that the\r\n  // preset alone drives access. Non-empty arrays still apply as layered\r\n  // narrowing, matching the field description (\"layered on top of preset\r\n  // and collection scopes\").\r\n  const treatEmptyAsScope = isCustomPreset\r\n\r\n  // Legacy-row warn: non-Custom preset rows persisted BEFORE v0.7.1 may\r\n  // carry populated override arrays from a prior Custom configuration\r\n  // (the on-write null-out hook landed in v0.7.1). These still apply as\r\n  // layered narrowing on read — fail-closed-safe (narrows, never widens)\r\n  // but may not match operator intent. Warn once per process so legacy\r\n  // rows can be audited and re-saved.\r\n  if (\r\n    hasPreset &&\r\n    !isCustomPreset &&\r\n    !warnedLegacyNonCustomOverride &&\r\n    ((hasCollectionScopesField && (row.collectionScopes as unknown[]).length > 0) ||\r\n      (hasGlobalScopesField && (row.globalScopes as unknown[]).length > 0) ||\r\n      (hasToolAllowField && (row.toolAllow as unknown[]).length > 0))\r\n  ) {\r\n    warnedLegacyNonCustomOverride = true\r\n    logger?.warn?.(\r\n      { event: 'mcp.auth.legacy_non_custom_override' },\r\n      `[payload-mcp-toolkit] composeScopes read an API key with a non-Custom preset (${presetRaw}) ` +\r\n        `carrying populated override arrays. These still narrow access as written, but the ` +\r\n        `v0.7.1 admin UI clears overrides on preset switch — re-save affected keys to align ` +\r\n        `persisted state with current admin semantics.`,\r\n    )\r\n  }\r\n\r\n  const emitCollectionScopes =\r\n    hasCollectionScopesField &&\r\n    (treatEmptyAsScope || (row.collectionScopes as unknown[]).length > 0)\r\n  if (emitCollectionScopes) {\r\n    const collections: Record<string, CollectionAction[]> = {}\r\n    for (const entry of row.collectionScopes as ScopeRow[]) {\r\n      const slug = readScopeSlug(entry, 'collection', logger)\r\n      if (!slug) continue\r\n      const rawActions = Array.isArray(entry?.actions) ? entry.actions : []\r\n      const actions = rawActions.filter(\r\n        (a): a is CollectionAction => typeof a === 'string' && VALID_ACTIONS.has(a as CollectionAction),\r\n      )\r\n      collections[slug] = actions\r\n    }\r\n    out.collections = collections\r\n  }\r\n\r\n  const emitGlobalScopes =\r\n    hasGlobalScopesField &&\r\n    (treatEmptyAsScope || (row.globalScopes as unknown[]).length > 0)\r\n  if (emitGlobalScopes) {\r\n    const globals: Record<string, GlobalAction[]> = {}\r\n    for (const entry of row.globalScopes as ScopeRow[]) {\r\n      const slug = readScopeSlug(entry, 'global', logger)\r\n      if (!slug) continue\r\n      const rawActions = Array.isArray(entry?.actions) ? entry.actions : []\r\n      const actions = rawActions.filter(\r\n        (a): a is GlobalAction => typeof a === 'string' && VALID_GLOBAL_ACTIONS.has(a as GlobalAction),\r\n      )\r\n      globals[slug] = actions\r\n    }\r\n    out.globals = globals\r\n  }\r\n\r\n  const toolDeny = hasToolDenyField\r\n    ? (row.toolDeny as unknown[]).filter((t): t is string => typeof t === 'string')\r\n    : []\r\n  const emitDeny = toolDeny.length > 0\r\n  const emitToolAllow =\r\n    hasToolAllowField &&\r\n    (treatEmptyAsScope || (row.toolAllow as unknown[]).length > 0)\r\n\r\n  if (emitToolAllow || emitDeny) {\r\n    out.tools = {}\r\n    if (emitToolAllow) {\r\n      const toolAllow = (row.toolAllow as unknown[]).filter((t): t is string => typeof t === 'string')\r\n      out.tools.allow = toolAllow\r\n    }\r\n    if (emitDeny) out.tools.deny = toolDeny\r\n  }\r\n\r\n  return out\r\n}\r\n\r\n/**\r\n * Builds the Payload `auth.strategies` entry that authenticates MCP requests.\r\n *\r\n * Authenticates `Authorization: Bearer <plaintext>` by computing the\r\n * upstream-compatible `apiKeyIndex` HMAC and looking up the row. On match,\r\n * it fires a non-blocking `lastUsedAt` write and hydrates `req.user` with\r\n * the linked user record + key context for downstream scope checks.\r\n */\r\nexport function createBearerStrategy(options: CreateBearerStrategyOptions): AuthStrategy {\r\n  const { collectionSlug, userCollection } = options\r\n\r\n  return {\r\n    name: AUTH_STRATEGY_NAME,\r\n    authenticate: async ({ headers, payload }) => {\r\n      const headersAny = headers as unknown as\r\n        | { get?: (name: string) => string | null }\r\n        | Record<string, string | undefined>\r\n      const headerValue =\r\n        typeof (headersAny as { get?: (name: string) => string | null }).get === 'function'\r\n          ? (headersAny as { get: (name: string) => string | null }).get('authorization')\r\n          : (headersAny as Record<string, string | undefined>).authorization\r\n      const token = extractBearerToken(headerValue ?? null)\r\n      if (!token) return { user: null }\r\n\r\n      const keyHash = hashKey(token, payload.secret)\r\n      const where: Where = { apiKeyIndex: { equals: keyHash } }\r\n\r\n      let docs: ApiKeyRow[] = []\r\n      try {\r\n        const result = (await payload.find({\r\n          collection: collectionSlug,\r\n          where,\r\n          depth: 1,\r\n          limit: 1,\r\n          pagination: false,\r\n          overrideAccess: true,\r\n        })) as unknown as { docs: ApiKeyRow[] }\r\n        docs = result.docs ?? []\r\n      } catch (err) {\r\n        payload.logger.error(\r\n          { err, event: 'mcp.auth.lookup_failed' },\r\n          '[payload-mcp-toolkit] API-key lookup failed',\r\n        )\r\n        return { user: null }\r\n      }\r\n\r\n      const row = docs[0]\r\n      if (!row) return { user: null }\r\n\r\n      const now = Date.now()\r\n      if (row.revokedAt) return { user: null }\r\n      if (row.expiresAt) {\r\n        const expiry = new Date(row.expiresAt).getTime()\r\n        if (Number.isFinite(expiry) && expiry < now) return { user: null }\r\n      }\r\n\r\n      const linkedUser = row.user\r\n      if (!linkedUser || typeof linkedUser !== 'object') return { user: null }\r\n\r\n      const effectiveScopes: KeyScopes | null = composeScopes(row, payload.logger)\r\n\r\n      // Fire-and-forget: do not block the request on this write.\r\n      void payload\r\n        .update({\r\n          collection: collectionSlug,\r\n          id: row.id,\r\n          data: { lastUsedAt: new Date().toISOString() } as Record<string, unknown>,\r\n          overrideAccess: true,\r\n        })\r\n        .catch(() => {\r\n          // Intentionally swallow: lastUsedAt drift is acceptable.\r\n        })\r\n\r\n      const user = linkedUser as Record<string, unknown>\r\n      return {\r\n        user: {\r\n          ...user,\r\n          collection: userCollection,\r\n          _strategy: AUTH_STRATEGY_NAME,\r\n          _mcpKey: {\r\n            keyId: row.id,\r\n            keyPrefix: typeof row.keyPrefix === 'string' ? row.keyPrefix : null,\r\n            scopes: effectiveScopes,\r\n          },\r\n        } as unknown as PayloadRequest['user'],\r\n      }\r\n    },\r\n  }\r\n}\r\n\r\n/**\r\n * Reads the per-request API-key context populated by the bearer strategy.\r\n * Returns null for non-MCP requests (e.g. cookie-authenticated admin users).\r\n */\r\nexport function getApiKeyContext(req: PayloadRequest): {\r\n  keyId: string | number\r\n  keyPrefix: string | null\r\n  scopes: KeyScopes | null\r\n} | null {\r\n  const user = req.user as\r\n    | (Record<string, unknown> & {\r\n        _mcpKey?: { keyId: string | number; keyPrefix: string | null; scopes: KeyScopes | null }\r\n      })\r\n    | null\r\n    | undefined\r\n  return user?._mcpKey ?? null\r\n}\r\n"],"names":["extractBearerToken","hashKey","AUTH_STRATEGY_NAME","warnedLegacyShape","warnedLegacyNonCustomOverride","_resetLegacyWarnsForTests","readScopeSlug","entry","legacyKey","logger","slug","legacy","warn","event","VALID_ACTIONS","Set","VALID_GLOBAL_ACTIONS","composeScopes","row","presetRaw","preset","hasPreset","length","hasCollectionScopesField","Array","isArray","collectionScopes","hasGlobalScopesField","globalScopes","hasToolAllowField","toolAllow","hasToolDenyField","toolDeny","collections","globals","tools","allow","out","isCustomPreset","treatEmptyAsScope","emitCollectionScopes","rawActions","actions","filter","a","has","emitGlobalScopes","t","emitDeny","emitToolAllow","deny","createBearerStrategy","options","collectionSlug","userCollection","name","authenticate","headers","payload","headersAny","headerValue","get","authorization","token","user","keyHash","secret","where","apiKeyIndex","equals","docs","result","find","collection","depth","limit","pagination","overrideAccess","err","error","now","Date","revokedAt","expiresAt","expiry","getTime","Number","isFinite","linkedUser","effectiveScopes","update","id","data","lastUsedAt","toISOString","catch","_strategy","_mcpKey","keyId","keyPrefix","scopes","getApiKeyContext","req"],"mappings":"AACA,SAASA,kBAAkB,EAAEC,OAAO,QAAQ,SAAQ;AAKpD,OAAO,MAAMC,qBAAqB,qBAAoB;AAuCtD;;;;;CAKC,GACD,IAAIC,oBAAoB;AACxB,IAAIC,gCAAgC;AAEpC,0DAA0D,GAC1D,OAAO,SAASC;IACdF,oBAAoB;IACpBC,gCAAgC;AAClC;AAEA,SAASE,cACPC,KAAe,EACfC,SAAkC,EAClCC,MAA4D;IAE5D,IAAI,OAAOF,OAAOG,SAAS,UAAU,OAAOH,MAAMG,IAAI;IACtD,MAAMC,SAASJ,OAAO,CAACC,UAAU;IACjC,IAAI,OAAOG,WAAW,UAAU;QAC9B,IAAI,CAACR,mBAAmB;YACtBA,oBAAoB;YACpBM,QAAQG,OACN;gBAAEC,OAAO;gBAA+BL;YAAU,GAClD,CAAC,+DAA+D,EAAEA,UAAU,sFAAsF,CAAC;QAEvK;QACA,OAAOG;IACT;IACA,OAAO;AACT;AAEA,MAAMG,gBAA+C,IAAIC,IAAI;IAAC;IAAQ;IAAU;IAAU;CAAS;AACnG,MAAMC,uBAAkD,IAAID,IAAI;IAAC;IAAQ;CAAS;AAElF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAkCC,GACD,OAAO,SAASE,cACdC,GAAc,EACdT,MAAgD;IAEhD,MAAMU,YAAYD,IAAIE,MAAM;IAC5B,MAAMC,YAAY,OAAOF,cAAc,YAAYA,UAAUG,MAAM,GAAG;IACtE,MAAMC,2BAA2BC,MAAMC,OAAO,CAACP,IAAIQ,gBAAgB;IACnE,MAAMC,uBAAuBH,MAAMC,OAAO,CAACP,IAAIU,YAAY;IAC3D,MAAMC,oBAAoBL,MAAMC,OAAO,CAACP,IAAIY,SAAS;IACrD,MAAMC,mBAAmBP,MAAMC,OAAO,CAACP,IAAIc,QAAQ;IAEnD,sEAAsE;IACtE,kDAAkD;IAClD,IACE,CAACX,aACD,CAACE,4BACD,CAACI,wBACD,CAACE,qBACD,CAACE,kBACD;QACA,OAAO;IACT;IAEA,mEAAmE;IACnE,sEAAsE;IACtE,4DAA4D;IAC5D,IACEZ,cAAc,YACd,CAACI,4BACD,CAACI,wBACD,CAACE,qBACD,CAACE,kBACD;QACA,OAAO;YAAEE,aAAa,CAAC;YAAGC,SAAS,CAAC;YAAGC,OAAO;gBAAEC,OAAO,EAAE;YAAC;QAAE;IAC9D;IAEA,MAAMC,MAAiB,CAAC;IACxB,MAAMC,iBAAiBnB,cAAc;IACrC,IAAIE,aAAa,CAACiB,gBAAgB;QAChCD,IAAIjB,MAAM,GAAGD;IACf;IAEA,wEAAwE;IACxE,sEAAsE;IACtE,uEAAuE;IACvE,oEAAoE;IACpE,uEAAuE;IACvE,sEAAsE;IACtE,qEAAqE;IACrE,mEAAmE;IACnE,sEAAsE;IACtE,uEAAuE;IACvE,2BAA2B;IAC3B,MAAMoB,oBAAoBD;IAE1B,sEAAsE;IACtE,oEAAoE;IACpE,sEAAsE;IACtE,uEAAuE;IACvE,qEAAqE;IACrE,oCAAoC;IACpC,IACEjB,aACA,CAACiB,kBACD,CAAClC,iCACA,CAAA,AAACmB,4BAA4B,AAACL,IAAIQ,gBAAgB,CAAeJ,MAAM,GAAG,KACxEK,wBAAwB,AAACT,IAAIU,YAAY,CAAeN,MAAM,GAAG,KACjEO,qBAAqB,AAACX,IAAIY,SAAS,CAAeR,MAAM,GAAG,CAAC,GAC/D;QACAlB,gCAAgC;QAChCK,QAAQG,OACN;YAAEC,OAAO;QAAsC,GAC/C,CAAC,8EAA8E,EAAEM,UAAU,EAAE,CAAC,GAC5F,CAAC,kFAAkF,CAAC,GACpF,CAAC,mFAAmF,CAAC,GACrF,CAAC,6CAA6C,CAAC;IAErD;IAEA,MAAMqB,uBACJjB,4BACCgB,CAAAA,qBAAqB,AAACrB,IAAIQ,gBAAgB,CAAeJ,MAAM,GAAG,CAAA;IACrE,IAAIkB,sBAAsB;QACxB,MAAMP,cAAkD,CAAC;QACzD,KAAK,MAAM1B,SAASW,IAAIQ,gBAAgB,CAAgB;YACtD,MAAMhB,OAAOJ,cAAcC,OAAO,cAAcE;YAChD,IAAI,CAACC,MAAM;YACX,MAAM+B,aAAajB,MAAMC,OAAO,CAAClB,OAAOmC,WAAWnC,MAAMmC,OAAO,GAAG,EAAE;YACrE,MAAMA,UAAUD,WAAWE,MAAM,CAC/B,CAACC,IAA6B,OAAOA,MAAM,YAAY9B,cAAc+B,GAAG,CAACD;YAE3EX,WAAW,CAACvB,KAAK,GAAGgC;QACtB;QACAL,IAAIJ,WAAW,GAAGA;IACpB;IAEA,MAAMa,mBACJnB,wBACCY,CAAAA,qBAAqB,AAACrB,IAAIU,YAAY,CAAeN,MAAM,GAAG,CAAA;IACjE,IAAIwB,kBAAkB;QACpB,MAAMZ,UAA0C,CAAC;QACjD,KAAK,MAAM3B,SAASW,IAAIU,YAAY,CAAgB;YAClD,MAAMlB,OAAOJ,cAAcC,OAAO,UAAUE;YAC5C,IAAI,CAACC,MAAM;YACX,MAAM+B,aAAajB,MAAMC,OAAO,CAAClB,OAAOmC,WAAWnC,MAAMmC,OAAO,GAAG,EAAE;YACrE,MAAMA,UAAUD,WAAWE,MAAM,CAC/B,CAACC,IAAyB,OAAOA,MAAM,YAAY5B,qBAAqB6B,GAAG,CAACD;YAE9EV,OAAO,CAACxB,KAAK,GAAGgC;QAClB;QACAL,IAAIH,OAAO,GAAGA;IAChB;IAEA,MAAMF,WAAWD,mBACb,AAACb,IAAIc,QAAQ,CAAeW,MAAM,CAAC,CAACI,IAAmB,OAAOA,MAAM,YACpE,EAAE;IACN,MAAMC,WAAWhB,SAASV,MAAM,GAAG;IACnC,MAAM2B,gBACJpB,qBACCU,CAAAA,qBAAqB,AAACrB,IAAIY,SAAS,CAAeR,MAAM,GAAG,CAAA;IAE9D,IAAI2B,iBAAiBD,UAAU;QAC7BX,IAAIF,KAAK,GAAG,CAAC;QACb,IAAIc,eAAe;YACjB,MAAMnB,YAAY,AAACZ,IAAIY,SAAS,CAAea,MAAM,CAAC,CAACI,IAAmB,OAAOA,MAAM;YACvFV,IAAIF,KAAK,CAACC,KAAK,GAAGN;QACpB;QACA,IAAIkB,UAAUX,IAAIF,KAAK,CAACe,IAAI,GAAGlB;IACjC;IAEA,OAAOK;AACT;AAEA;;;;;;;CAOC,GACD,OAAO,SAASc,qBAAqBC,OAAoC;IACvE,MAAM,EAAEC,cAAc,EAAEC,cAAc,EAAE,GAAGF;IAE3C,OAAO;QACLG,MAAMrD;QACNsD,cAAc,OAAO,EAAEC,OAAO,EAAEC,OAAO,EAAE;YACvC,MAAMC,aAAaF;YAGnB,MAAMG,cACJ,OAAO,AAACD,WAAyDE,GAAG,KAAK,aACrE,AAACF,WAAwDE,GAAG,CAAC,mBAC7D,AAACF,WAAkDG,aAAa;YACtE,MAAMC,QAAQ/D,mBAAmB4D,eAAe;YAChD,IAAI,CAACG,OAAO,OAAO;gBAAEC,MAAM;YAAK;YAEhC,MAAMC,UAAUhE,QAAQ8D,OAAOL,QAAQQ,MAAM;YAC7C,MAAMC,QAAe;gBAAEC,aAAa;oBAAEC,QAAQJ;gBAAQ;YAAE;YAExD,IAAIK,OAAoB,EAAE;YAC1B,IAAI;gBACF,MAAMC,SAAU,MAAMb,QAAQc,IAAI,CAAC;oBACjCC,YAAYpB;oBACZc;oBACAO,OAAO;oBACPC,OAAO;oBACPC,YAAY;oBACZC,gBAAgB;gBAClB;gBACAP,OAAOC,OAAOD,IAAI,IAAI,EAAE;YAC1B,EAAE,OAAOQ,KAAK;gBACZpB,QAAQjD,MAAM,CAACsE,KAAK,CAClB;oBAAED;oBAAKjE,OAAO;gBAAyB,GACvC;gBAEF,OAAO;oBAAEmD,MAAM;gBAAK;YACtB;YAEA,MAAM9C,MAAMoD,IAAI,CAAC,EAAE;YACnB,IAAI,CAACpD,KAAK,OAAO;gBAAE8C,MAAM;YAAK;YAE9B,MAAMgB,MAAMC,KAAKD,GAAG;YACpB,IAAI9D,IAAIgE,SAAS,EAAE,OAAO;gBAAElB,MAAM;YAAK;YACvC,IAAI9C,IAAIiE,SAAS,EAAE;gBACjB,MAAMC,SAAS,IAAIH,KAAK/D,IAAIiE,SAAS,EAAEE,OAAO;gBAC9C,IAAIC,OAAOC,QAAQ,CAACH,WAAWA,SAASJ,KAAK,OAAO;oBAAEhB,MAAM;gBAAK;YACnE;YAEA,MAAMwB,aAAatE,IAAI8C,IAAI;YAC3B,IAAI,CAACwB,cAAc,OAAOA,eAAe,UAAU,OAAO;gBAAExB,MAAM;YAAK;YAEvE,MAAMyB,kBAAoCxE,cAAcC,KAAKwC,QAAQjD,MAAM;YAE3E,2DAA2D;YAC3D,KAAKiD,QACFgC,MAAM,CAAC;gBACNjB,YAAYpB;gBACZsC,IAAIzE,IAAIyE,EAAE;gBACVC,MAAM;oBAAEC,YAAY,IAAIZ,OAAOa,WAAW;gBAAG;gBAC7CjB,gBAAgB;YAClB,GACCkB,KAAK,CAAC;YACL,yDAAyD;YAC3D;YAEF,MAAM/B,OAAOwB;YACb,OAAO;gBACLxB,MAAM;oBACJ,GAAGA,IAAI;oBACPS,YAAYnB;oBACZ0C,WAAW9F;oBACX+F,SAAS;wBACPC,OAAOhF,IAAIyE,EAAE;wBACbQ,WAAW,OAAOjF,IAAIiF,SAAS,KAAK,WAAWjF,IAAIiF,SAAS,GAAG;wBAC/DC,QAAQX;oBACV;gBACF;YACF;QACF;IACF;AACF;AAEA;;;CAGC,GACD,OAAO,SAASY,iBAAiBC,GAAmB;IAKlD,MAAMtC,OAAOsC,IAAItC,IAAI;IAMrB,OAAOA,MAAMiC,WAAW;AAC1B"}

package/dist/components/CollectionScopesMatrix.d.ts

@@ -0,0 +1,8 @@
+import * as React from 'react';
+export interface CollectionScopesMatrixProps {
+    path: string;
+    /** Forwarded via `clientProps` from `api-keys.ts`. */
+    availableCollections?: string[];
+}
+declare function CollectionScopesMatrix(props: CollectionScopesMatrixProps): React.ReactElement;
+export default CollectionScopesMatrix;

package/dist/components/CollectionScopesMatrix.js

@@ -0,0 +1,32 @@
+'use client';
+import { jsx as _jsx } from "react/jsx-runtime";
+import * as React from 'react';
+import { ScopesTable } from './ScopesTable';
+const ACTIONS = [
+    'read',
+    'create',
+    'update',
+    'delete'
+];
+const ACTION_LABELS = {
+    read: 'Read',
+    create: 'Create',
+    update: 'Update',
+    delete: 'Delete'
+};
+function CollectionScopesMatrix(props) {
+    const items = Array.isArray(props.availableCollections) ? props.availableCollections : [];
+    return /*#__PURE__*/ _jsx(ScopesTable, {
+        path: props.path,
+        items: items,
+        actions: ACTIONS,
+        actionLabels: ACTION_LABELS,
+        itemHeader: "Collection",
+        title: "Collection scopes",
+        description: 'Check the actions this key may perform on each collection. Unchecked rows are denied outright. Configured under the "Custom" preset; once set, these overrides apply to this key regardless of which preset is later selected.',
+        emptyMessage: "No collections are available to scope. Add collections to your Payload config and restart the dev server."
+    });
+}
+export default CollectionScopesMatrix;
+
+//# sourceMappingURL=CollectionScopesMatrix.js.map

package/dist/components/CollectionScopesMatrix.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/components/CollectionScopesMatrix.tsx"],"sourcesContent":["'use client'\r\n\r\nimport * as React from 'react'\r\nimport { ScopesTable } from './ScopesTable'\r\n\r\nconst ACTIONS = ['read', 'create', 'update', 'delete']\r\nconst ACTION_LABELS: Record<string, string> = {\r\n  read: 'Read',\r\n  create: 'Create',\r\n  update: 'Update',\r\n  delete: 'Delete',\r\n}\r\n\r\nexport interface CollectionScopesMatrixProps {\r\n  path: string\r\n  /** Forwarded via `clientProps` from `api-keys.ts`. */\r\n  availableCollections?: string[]\r\n}\r\n\r\nfunction CollectionScopesMatrix(props: CollectionScopesMatrixProps): React.ReactElement {\r\n  const items = Array.isArray(props.availableCollections) ? props.availableCollections : []\r\n  return (\r\n    <ScopesTable\r\n      path={props.path}\r\n      items={items}\r\n      actions={ACTIONS}\r\n      actionLabels={ACTION_LABELS}\r\n      itemHeader=\"Collection\"\r\n      title=\"Collection scopes\"\r\n      description='Check the actions this key may perform on each collection. Unchecked rows are denied outright. Configured under the \"Custom\" preset; once set, these overrides apply to this key regardless of which preset is later selected.'\r\n      emptyMessage=\"No collections are available to scope. Add collections to your Payload config and restart the dev server.\"\r\n    />\r\n  )\r\n}\r\n\r\nexport default CollectionScopesMatrix\r\n"],"names":["React","ScopesTable","ACTIONS","ACTION_LABELS","read","create","update","delete","CollectionScopesMatrix","props","items","Array","isArray","availableCollections","path","actions","actionLabels","itemHeader","title","description","emptyMessage"],"mappings":"AAAA;;AAEA,YAAYA,WAAW,QAAO;AAC9B,SAASC,WAAW,QAAQ,gBAAe;AAE3C,MAAMC,UAAU;IAAC;IAAQ;IAAU;IAAU;CAAS;AACtD,MAAMC,gBAAwC;IAC5CC,MAAM;IACNC,QAAQ;IACRC,QAAQ;IACRC,QAAQ;AACV;AAQA,SAASC,uBAAuBC,KAAkC;IAChE,MAAMC,QAAQC,MAAMC,OAAO,CAACH,MAAMI,oBAAoB,IAAIJ,MAAMI,oBAAoB,GAAG,EAAE;IACzF,qBACE,KAACZ;QACCa,MAAML,MAAMK,IAAI;QAChBJ,OAAOA;QACPK,SAASb;QACTc,cAAcb;QACdc,YAAW;QACXC,OAAM;QACNC,aAAY;QACZC,cAAa;;AAGnB;AAEA,eAAeZ,uBAAsB"}

package/dist/components/GlobalScopesMatrix.d.ts

@@ -0,0 +1,8 @@
+import * as React from 'react';
+export interface GlobalScopesMatrixProps {
+    path: string;
+    /** Forwarded via `clientProps` from `api-keys.ts`. */
+    availableGlobals?: string[];
+}
+declare function GlobalScopesMatrix(props: GlobalScopesMatrixProps): React.ReactElement;
+export default GlobalScopesMatrix;

package/dist/components/GlobalScopesMatrix.js

@@ -0,0 +1,28 @@
+'use client';
+import { jsx as _jsx } from "react/jsx-runtime";
+import * as React from 'react';
+import { ScopesTable } from './ScopesTable';
+const ACTIONS = [
+    'read',
+    'update'
+];
+const ACTION_LABELS = {
+    read: 'Read',
+    update: 'Update'
+};
+function GlobalScopesMatrix(props) {
+    const items = Array.isArray(props.availableGlobals) ? props.availableGlobals : [];
+    return /*#__PURE__*/ _jsx(ScopesTable, {
+        path: props.path,
+        items: items,
+        actions: ACTIONS,
+        actionLabels: ACTION_LABELS,
+        itemHeader: "Global",
+        title: "Global scopes",
+        description: 'Check the actions this key may perform on each global. Globals only support Read and Update (singletons cannot be created or deleted). Configured under the "Custom" preset; once set, these overrides apply to this key regardless of which preset is later selected.',
+        emptyMessage: "No globals are available to scope. Add globals to your Payload config and restart the dev server."
+    });
+}
+export default GlobalScopesMatrix;
+
+//# sourceMappingURL=GlobalScopesMatrix.js.map

package/dist/components/GlobalScopesMatrix.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/components/GlobalScopesMatrix.tsx"],"sourcesContent":["'use client'\r\n\r\nimport * as React from 'react'\r\nimport { ScopesTable } from './ScopesTable'\r\n\r\nconst ACTIONS = ['read', 'update']\r\nconst ACTION_LABELS: Record<string, string> = {\r\n  read: 'Read',\r\n  update: 'Update',\r\n}\r\n\r\nexport interface GlobalScopesMatrixProps {\r\n  path: string\r\n  /** Forwarded via `clientProps` from `api-keys.ts`. */\r\n  availableGlobals?: string[]\r\n}\r\n\r\nfunction GlobalScopesMatrix(props: GlobalScopesMatrixProps): React.ReactElement {\r\n  const items = Array.isArray(props.availableGlobals) ? props.availableGlobals : []\r\n  return (\r\n    <ScopesTable\r\n      path={props.path}\r\n      items={items}\r\n      actions={ACTIONS}\r\n      actionLabels={ACTION_LABELS}\r\n      itemHeader=\"Global\"\r\n      title=\"Global scopes\"\r\n      description='Check the actions this key may perform on each global. Globals only support Read and Update (singletons cannot be created or deleted). Configured under the \"Custom\" preset; once set, these overrides apply to this key regardless of which preset is later selected.'\r\n      emptyMessage=\"No globals are available to scope. Add globals to your Payload config and restart the dev server.\"\r\n    />\r\n  )\r\n}\r\n\r\nexport default GlobalScopesMatrix\r\n"],"names":["React","ScopesTable","ACTIONS","ACTION_LABELS","read","update","GlobalScopesMatrix","props","items","Array","isArray","availableGlobals","path","actions","actionLabels","itemHeader","title","description","emptyMessage"],"mappings":"AAAA;;AAEA,YAAYA,WAAW,QAAO;AAC9B,SAASC,WAAW,QAAQ,gBAAe;AAE3C,MAAMC,UAAU;IAAC;IAAQ;CAAS;AAClC,MAAMC,gBAAwC;IAC5CC,MAAM;IACNC,QAAQ;AACV;AAQA,SAASC,mBAAmBC,KAA8B;IACxD,MAAMC,QAAQC,MAAMC,OAAO,CAACH,MAAMI,gBAAgB,IAAIJ,MAAMI,gBAAgB,GAAG,EAAE;IACjF,qBACE,KAACV;QACCW,MAAML,MAAMK,IAAI;QAChBJ,OAAOA;QACPK,SAASX;QACTY,cAAcX;QACdY,YAAW;QACXC,OAAM;QACNC,aAAY;QACZC,cAAa;;AAGnB;AAEA,eAAeZ,mBAAkB"}

package/dist/components/ScopesTable.d.ts

@@ -0,0 +1,19 @@
+import * as React from 'react';
+export interface ScopesTableProps {
+    path: string;
+    /** Slugs to render as rows. */
+    items: string[];
+    /** Action columns shown to the operator. */
+    actions: string[];
+    /** Display label per action (e.g. { read: 'Read', update: 'Update' }). */
+    actionLabels: Record<string, string>;
+    /** Header label for the leftmost column. */
+    itemHeader: string;
+    /** Page-level title rendered above the table. */
+    title: string;
+    /** Helper sentence rendered between title and table. */
+    description: string;
+    /** Copy shown when `items` is empty. */
+    emptyMessage: string;
+}
+export declare function ScopesTable(props: ScopesTableProps): React.ReactElement;