skybridge 0.0.0-dev.ff50fdb → 0.0.0-dev.ffaef7a

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (437) hide show
  1. package/README.md +124 -114
  2. package/dist/cli/build-helpers.d.ts +10 -0
  3. package/dist/cli/build-helpers.js +93 -0
  4. package/dist/cli/build-helpers.js.map +1 -0
  5. package/dist/cli/build-helpers.test.js +89 -0
  6. package/dist/cli/build-helpers.test.js.map +1 -0
  7. package/dist/cli/build-steps.d.ts +2 -0
  8. package/dist/cli/build-steps.js +68 -0
  9. package/dist/cli/build-steps.js.map +1 -0
  10. package/dist/cli/build-steps.test.js +52 -0
  11. package/dist/cli/build-steps.test.js.map +1 -0
  12. package/dist/cli/detect-port.d.ts +18 -0
  13. package/dist/cli/detect-port.js +50 -0
  14. package/dist/cli/detect-port.js.map +1 -0
  15. package/dist/cli/header.d.ts +1 -1
  16. package/dist/cli/header.js +1 -1
  17. package/dist/cli/header.js.map +1 -1
  18. package/dist/cli/resolve-views-dir.d.ts +1 -0
  19. package/dist/cli/resolve-views-dir.js +17 -0
  20. package/dist/cli/resolve-views-dir.js.map +1 -0
  21. package/dist/cli/run-command.js.map +1 -1
  22. package/dist/cli/run-plain.d.ts +18 -0
  23. package/dist/cli/run-plain.js +89 -0
  24. package/dist/cli/run-plain.js.map +1 -0
  25. package/dist/cli/telemetry.js.map +1 -1
  26. package/dist/cli/tunnel-control-server.d.ts +9 -0
  27. package/dist/cli/tunnel-control-server.js +31 -0
  28. package/dist/cli/tunnel-control-server.js.map +1 -0
  29. package/dist/cli/tunnel-control-server.test.d.ts +1 -0
  30. package/dist/cli/tunnel-control-server.test.js +39 -0
  31. package/dist/cli/tunnel-control-server.test.js.map +1 -0
  32. package/dist/cli/tunnel-handler.d.ts +3 -0
  33. package/dist/cli/tunnel-handler.js +48 -0
  34. package/dist/cli/tunnel-handler.js.map +1 -0
  35. package/dist/cli/tunnel-handler.test.d.ts +1 -0
  36. package/dist/cli/tunnel-handler.test.js +105 -0
  37. package/dist/cli/tunnel-handler.test.js.map +1 -0
  38. package/dist/cli/tunnel.d.ts +57 -0
  39. package/dist/cli/tunnel.js +154 -0
  40. package/dist/cli/tunnel.js.map +1 -0
  41. package/dist/cli/tunnel.test.d.ts +1 -0
  42. package/dist/cli/tunnel.test.js +190 -0
  43. package/dist/cli/tunnel.test.js.map +1 -0
  44. package/dist/cli/types.d.ts +5 -0
  45. package/dist/cli/types.js +2 -0
  46. package/dist/cli/types.js.map +1 -0
  47. package/dist/cli/use-execute-steps.d.ts +3 -2
  48. package/dist/cli/use-execute-steps.js +6 -1
  49. package/dist/cli/use-execute-steps.js.map +1 -1
  50. package/dist/cli/use-messages.d.ts +3 -0
  51. package/dist/cli/use-messages.js +11 -0
  52. package/dist/cli/use-messages.js.map +1 -0
  53. package/dist/cli/use-nodemon.d.ts +16 -0
  54. package/dist/cli/use-nodemon.js +84 -0
  55. package/dist/cli/use-nodemon.js.map +1 -0
  56. package/dist/cli/use-open-browser.d.ts +1 -0
  57. package/dist/cli/use-open-browser.js +44 -0
  58. package/dist/cli/use-open-browser.js.map +1 -0
  59. package/dist/cli/use-tunnel.d.ts +14 -0
  60. package/dist/cli/use-tunnel.js +131 -0
  61. package/dist/cli/use-tunnel.js.map +1 -0
  62. package/dist/cli/use-typescript-check.d.ts +15 -0
  63. package/dist/cli/use-typescript-check.js +97 -0
  64. package/dist/cli/use-typescript-check.js.map +1 -0
  65. package/dist/commands/build.d.ts +0 -3
  66. package/dist/commands/build.js +3 -16
  67. package/dist/commands/build.js.map +1 -1
  68. package/dist/commands/create.d.ts +9 -0
  69. package/dist/commands/create.js +30 -0
  70. package/dist/commands/create.js.map +1 -0
  71. package/dist/commands/dev.d.ts +5 -1
  72. package/dist/commands/dev.js +109 -13
  73. package/dist/commands/dev.js.map +1 -1
  74. package/dist/commands/start.d.ts +3 -1
  75. package/dist/commands/start.js +37 -15
  76. package/dist/commands/start.js.map +1 -1
  77. package/dist/commands/telemetry/disable.js.map +1 -1
  78. package/dist/commands/telemetry/enable.js.map +1 -1
  79. package/dist/commands/telemetry/status.js.map +1 -1
  80. package/dist/server/asset-base-url-transform-plugin.d.ts +11 -0
  81. package/dist/server/asset-base-url-transform-plugin.js +48 -0
  82. package/dist/server/asset-base-url-transform-plugin.js.map +1 -0
  83. package/dist/server/asset-base-url-transform-plugin.test.d.ts +1 -0
  84. package/dist/server/asset-base-url-transform-plugin.test.js +134 -0
  85. package/dist/server/asset-base-url-transform-plugin.test.js.map +1 -0
  86. package/dist/server/auth/discovery.d.ts +32 -0
  87. package/dist/server/auth/discovery.js +56 -0
  88. package/dist/server/auth/discovery.js.map +1 -0
  89. package/dist/server/auth/discovery.test.d.ts +1 -0
  90. package/dist/server/auth/discovery.test.js +93 -0
  91. package/dist/server/auth/discovery.test.js.map +1 -0
  92. package/dist/server/auth/index.d.ts +18 -0
  93. package/dist/server/auth/index.js +2 -0
  94. package/dist/server/auth/index.js.map +1 -0
  95. package/dist/server/auth/providers/auth0.d.ts +18 -0
  96. package/dist/server/auth/providers/auth0.js +31 -0
  97. package/dist/server/auth/providers/auth0.js.map +1 -0
  98. package/dist/server/auth/providers/auth0.test.d.ts +1 -0
  99. package/dist/server/auth/providers/auth0.test.js +48 -0
  100. package/dist/server/auth/providers/auth0.test.js.map +1 -0
  101. package/dist/server/auth/providers/clerk.d.ts +14 -0
  102. package/dist/server/auth/providers/clerk.js +16 -0
  103. package/dist/server/auth/providers/clerk.js.map +1 -0
  104. package/dist/server/auth/providers/clerk.test.d.ts +1 -0
  105. package/dist/server/auth/providers/clerk.test.js +28 -0
  106. package/dist/server/auth/providers/clerk.test.js.map +1 -0
  107. package/dist/server/auth/providers/custom.d.ts +24 -0
  108. package/dist/server/auth/providers/custom.js +37 -0
  109. package/dist/server/auth/providers/custom.js.map +1 -0
  110. package/dist/server/auth/providers/custom.test.d.ts +1 -0
  111. package/dist/server/auth/providers/custom.test.js +107 -0
  112. package/dist/server/auth/providers/custom.test.js.map +1 -0
  113. package/dist/server/auth/providers/descope.d.ts +15 -0
  114. package/dist/server/auth/providers/descope.js +33 -0
  115. package/dist/server/auth/providers/descope.js.map +1 -0
  116. package/dist/server/auth/providers/descope.test.d.ts +1 -0
  117. package/dist/server/auth/providers/descope.test.js +37 -0
  118. package/dist/server/auth/providers/descope.test.js.map +1 -0
  119. package/dist/server/auth/providers/shared.d.ts +2 -0
  120. package/dist/server/auth/providers/shared.js +6 -0
  121. package/dist/server/auth/providers/shared.js.map +1 -0
  122. package/dist/server/auth/providers/shared.test.d.ts +1 -0
  123. package/dist/server/auth/providers/shared.test.js +10 -0
  124. package/dist/server/auth/providers/shared.test.js.map +1 -0
  125. package/dist/server/auth/providers/stytch.d.ts +12 -0
  126. package/dist/server/auth/providers/stytch.js +13 -0
  127. package/dist/server/auth/providers/stytch.js.map +1 -0
  128. package/dist/server/auth/providers/workos.d.ts +11 -0
  129. package/dist/server/auth/providers/workos.js +12 -0
  130. package/dist/server/auth/providers/workos.js.map +1 -0
  131. package/dist/server/auth/security-schemes.d.ts +13 -0
  132. package/dist/server/auth/security-schemes.js +53 -0
  133. package/dist/server/auth/security-schemes.js.map +1 -0
  134. package/dist/server/auth/security-schemes.test.d.ts +1 -0
  135. package/dist/server/auth/security-schemes.test.js +90 -0
  136. package/dist/server/auth/security-schemes.test.js.map +1 -0
  137. package/dist/server/auth/setup.d.ts +6 -0
  138. package/dist/server/auth/setup.js +98 -0
  139. package/dist/server/auth/setup.js.map +1 -0
  140. package/dist/server/auth/setup.test.d.ts +1 -0
  141. package/dist/server/auth/setup.test.js +450 -0
  142. package/dist/server/auth/setup.test.js.map +1 -0
  143. package/dist/server/auth/verify.d.ts +12 -0
  144. package/dist/server/auth/verify.js +38 -0
  145. package/dist/server/auth/verify.js.map +1 -0
  146. package/dist/server/auth/verify.test.d.ts +1 -0
  147. package/dist/server/auth/verify.test.js +100 -0
  148. package/dist/server/auth/verify.test.js.map +1 -0
  149. package/dist/server/auth.d.ts +20 -0
  150. package/dist/server/auth.js +28 -0
  151. package/dist/server/auth.js.map +1 -0
  152. package/dist/server/build-manifest.test.d.ts +1 -0
  153. package/dist/server/build-manifest.test.js +27 -0
  154. package/dist/server/build-manifest.test.js.map +1 -0
  155. package/dist/server/content-helpers.d.ts +67 -0
  156. package/dist/server/content-helpers.js +79 -0
  157. package/dist/server/content-helpers.js.map +1 -0
  158. package/dist/server/content-helpers.test.d.ts +1 -0
  159. package/dist/server/content-helpers.test.js +70 -0
  160. package/dist/server/content-helpers.test.js.map +1 -0
  161. package/dist/server/express.d.ts +11 -0
  162. package/dist/server/express.js +101 -0
  163. package/dist/server/express.js.map +1 -0
  164. package/dist/server/express.test.d.ts +1 -0
  165. package/dist/server/express.test.js +491 -0
  166. package/dist/server/express.test.js.map +1 -0
  167. package/dist/server/file-ref.d.ts +28 -0
  168. package/dist/server/file-ref.js +27 -0
  169. package/dist/server/file-ref.js.map +1 -0
  170. package/dist/server/index.d.ts +14 -3
  171. package/dist/server/index.js +11 -2
  172. package/dist/server/index.js.map +1 -1
  173. package/dist/server/inferUtilityTypes.d.ts +6 -6
  174. package/dist/server/inferUtilityTypes.js.map +1 -1
  175. package/dist/server/metric.d.ts +14 -0
  176. package/dist/server/metric.js +62 -0
  177. package/dist/server/metric.js.map +1 -0
  178. package/dist/server/middleware.d.ts +137 -0
  179. package/dist/server/middleware.js +93 -0
  180. package/dist/server/middleware.js.map +1 -0
  181. package/dist/server/middleware.test-d.d.ts +1 -0
  182. package/dist/server/middleware.test-d.js +75 -0
  183. package/dist/server/middleware.test-d.js.map +1 -0
  184. package/dist/server/middleware.test.d.ts +1 -0
  185. package/dist/server/middleware.test.js +493 -0
  186. package/dist/server/middleware.test.js.map +1 -0
  187. package/dist/server/requestOrigin.d.ts +7 -0
  188. package/dist/server/requestOrigin.js +25 -0
  189. package/dist/server/requestOrigin.js.map +1 -0
  190. package/dist/server/server.d.ts +391 -58
  191. package/dist/server/server.js +644 -97
  192. package/dist/server/server.js.map +1 -1
  193. package/dist/server/templateHelper.d.ts +5 -7
  194. package/dist/server/templateHelper.js +3 -22
  195. package/dist/server/templateHelper.js.map +1 -1
  196. package/dist/server/templates.generated.d.ts +4 -0
  197. package/dist/server/templates.generated.js +47 -0
  198. package/dist/server/templates.generated.js.map +1 -0
  199. package/dist/server/tunnel-proxy-router.d.ts +7 -0
  200. package/dist/server/tunnel-proxy-router.js +110 -0
  201. package/dist/server/tunnel-proxy-router.js.map +1 -0
  202. package/dist/server/tunnel-proxy-router.test.d.ts +1 -0
  203. package/dist/server/tunnel-proxy-router.test.js +229 -0
  204. package/dist/server/tunnel-proxy-router.test.js.map +1 -0
  205. package/dist/server/view-name.test-d.d.ts +1 -0
  206. package/dist/server/view-name.test-d.js +8 -0
  207. package/dist/server/view-name.test-d.js.map +1 -0
  208. package/dist/server/view-resource-resolution.test.d.ts +6 -0
  209. package/dist/server/view-resource-resolution.test.js +171 -0
  210. package/dist/server/view-resource-resolution.test.js.map +1 -0
  211. package/dist/server/viewsDevServer.d.ts +14 -0
  212. package/dist/server/viewsDevServer.js +45 -0
  213. package/dist/server/viewsDevServer.js.map +1 -0
  214. package/dist/test/utils.d.ts +13 -21
  215. package/dist/test/utils.js +42 -37
  216. package/dist/test/utils.js.map +1 -1
  217. package/dist/test/view.test.d.ts +1 -0
  218. package/dist/test/view.test.js +536 -0
  219. package/dist/test/view.test.js.map +1 -0
  220. package/dist/version.d.ts +1 -0
  221. package/dist/version.js +3 -0
  222. package/dist/version.js.map +1 -0
  223. package/dist/web/bridges/adaptor.d.ts +51 -0
  224. package/dist/web/bridges/adaptor.js +330 -0
  225. package/dist/web/bridges/adaptor.js.map +1 -0
  226. package/dist/web/bridges/adaptor.test.d.ts +1 -0
  227. package/dist/web/bridges/adaptor.test.js +208 -0
  228. package/dist/web/bridges/adaptor.test.js.map +1 -0
  229. package/dist/web/bridges/apps-sdk/bridge.d.ts +7 -2
  230. package/dist/web/bridges/apps-sdk/bridge.js +15 -3
  231. package/dist/web/bridges/apps-sdk/bridge.js.map +1 -1
  232. package/dist/web/bridges/apps-sdk/index.d.ts +1 -2
  233. package/dist/web/bridges/apps-sdk/index.js +0 -1
  234. package/dist/web/bridges/apps-sdk/index.js.map +1 -1
  235. package/dist/web/bridges/apps-sdk/types.d.ts +32 -14
  236. package/dist/web/bridges/apps-sdk/types.js.map +1 -1
  237. package/dist/web/bridges/apps-sdk/use-apps-sdk-context.d.ts +11 -0
  238. package/dist/web/bridges/apps-sdk/use-apps-sdk-context.js +11 -0
  239. package/dist/web/bridges/apps-sdk/use-apps-sdk-context.js.map +1 -1
  240. package/dist/web/bridges/get-adaptor.d.ts +7 -0
  241. package/dist/web/bridges/get-adaptor.js +9 -7
  242. package/dist/web/bridges/get-adaptor.js.map +1 -1
  243. package/dist/web/bridges/get-adaptor.test.d.ts +1 -0
  244. package/dist/web/bridges/get-adaptor.test.js +32 -0
  245. package/dist/web/bridges/get-adaptor.test.js.map +1 -0
  246. package/dist/web/bridges/index.js.map +1 -1
  247. package/dist/web/bridges/mcp-app/bridge.d.ts +27 -31
  248. package/dist/web/bridges/mcp-app/bridge.js +109 -198
  249. package/dist/web/bridges/mcp-app/bridge.js.map +1 -1
  250. package/dist/web/bridges/mcp-app/bridge.test.d.ts +1 -0
  251. package/dist/web/bridges/mcp-app/bridge.test.js +17 -0
  252. package/dist/web/bridges/mcp-app/bridge.test.js.map +1 -0
  253. package/dist/web/bridges/mcp-app/index.d.ts +0 -1
  254. package/dist/web/bridges/mcp-app/index.js +0 -1
  255. package/dist/web/bridges/mcp-app/index.js.map +1 -1
  256. package/dist/web/bridges/mcp-app/types.js.map +1 -1
  257. package/dist/web/bridges/mcp-app/use-mcp-app-context.d.ts +17 -3
  258. package/dist/web/bridges/mcp-app/use-mcp-app-context.js +14 -2
  259. package/dist/web/bridges/mcp-app/use-mcp-app-context.js.map +1 -1
  260. package/dist/web/bridges/mcp-app/use-mcp-app-context.test.js +1 -41
  261. package/dist/web/bridges/mcp-app/use-mcp-app-context.test.js.map +1 -1
  262. package/dist/web/bridges/mcp-app/view-tools.test.d.ts +1 -0
  263. package/dist/web/bridges/mcp-app/view-tools.test.js +143 -0
  264. package/dist/web/bridges/mcp-app/view-tools.test.js.map +1 -0
  265. package/dist/web/bridges/types.d.ts +130 -14
  266. package/dist/web/bridges/types.js +14 -1
  267. package/dist/web/bridges/types.js.map +1 -1
  268. package/dist/web/bridges/types.test.d.ts +1 -0
  269. package/dist/web/bridges/types.test.js +19 -0
  270. package/dist/web/bridges/types.test.js.map +1 -0
  271. package/dist/web/bridges/use-host-context.d.ts +5 -0
  272. package/dist/web/bridges/use-host-context.js +5 -0
  273. package/dist/web/bridges/use-host-context.js.map +1 -1
  274. package/dist/web/components/modal-provider.d.ts +1 -1
  275. package/dist/web/components/modal-provider.js +5 -6
  276. package/dist/web/components/modal-provider.js.map +1 -1
  277. package/dist/web/create-store.d.ts +26 -0
  278. package/dist/web/create-store.js +43 -3
  279. package/dist/web/create-store.js.map +1 -1
  280. package/dist/web/create-store.test.js +31 -25
  281. package/dist/web/create-store.test.js.map +1 -1
  282. package/dist/web/data-llm.d.ts +35 -2
  283. package/dist/web/data-llm.js +31 -3
  284. package/dist/web/data-llm.js.map +1 -1
  285. package/dist/web/data-llm.test.js +50 -35
  286. package/dist/web/data-llm.test.js.map +1 -1
  287. package/dist/web/generate-helpers.d.ts +22 -18
  288. package/dist/web/generate-helpers.js +22 -18
  289. package/dist/web/generate-helpers.js.map +1 -1
  290. package/dist/web/generate-helpers.test-d.js +30 -28
  291. package/dist/web/generate-helpers.test-d.js.map +1 -1
  292. package/dist/web/generate-helpers.test.js.map +1 -1
  293. package/dist/web/helpers/state.d.ts +2 -2
  294. package/dist/web/helpers/state.js +11 -11
  295. package/dist/web/helpers/state.js.map +1 -1
  296. package/dist/web/helpers/state.test.js +9 -9
  297. package/dist/web/helpers/state.test.js.map +1 -1
  298. package/dist/web/hooks/index.d.ts +6 -2
  299. package/dist/web/hooks/index.js +5 -1
  300. package/dist/web/hooks/index.js.map +1 -1
  301. package/dist/web/hooks/test/utils.d.ts +6 -2
  302. package/dist/web/hooks/test/utils.js +17 -2
  303. package/dist/web/hooks/test/utils.js.map +1 -1
  304. package/dist/web/hooks/use-call-tool.d.ts +45 -0
  305. package/dist/web/hooks/use-call-tool.js +28 -0
  306. package/dist/web/hooks/use-call-tool.js.map +1 -1
  307. package/dist/web/hooks/use-call-tool.test-d.js.map +1 -1
  308. package/dist/web/hooks/use-call-tool.test.js +62 -27
  309. package/dist/web/hooks/use-call-tool.test.js.map +1 -1
  310. package/dist/web/hooks/use-display-mode.d.ts +23 -3
  311. package/dist/web/hooks/use-display-mode.js +20 -0
  312. package/dist/web/hooks/use-display-mode.js.map +1 -1
  313. package/dist/web/hooks/use-display-mode.test-d.d.ts +1 -0
  314. package/dist/web/hooks/use-display-mode.test-d.js +8 -0
  315. package/dist/web/hooks/use-display-mode.test-d.js.map +1 -0
  316. package/dist/web/hooks/use-display-mode.test.js +56 -20
  317. package/dist/web/hooks/use-display-mode.test.js.map +1 -1
  318. package/dist/web/hooks/use-download.d.ts +5 -0
  319. package/dist/web/hooks/use-download.js +8 -0
  320. package/dist/web/hooks/use-download.js.map +1 -0
  321. package/dist/web/hooks/use-download.test.d.ts +1 -0
  322. package/dist/web/hooks/use-download.test.js +103 -0
  323. package/dist/web/hooks/use-download.test.js.map +1 -0
  324. package/dist/web/hooks/use-files.d.ts +34 -1
  325. package/dist/web/hooks/use-files.js +33 -0
  326. package/dist/web/hooks/use-files.js.map +1 -1
  327. package/dist/web/hooks/use-files.test.js +35 -3
  328. package/dist/web/hooks/use-files.test.js.map +1 -1
  329. package/dist/web/hooks/use-layout.d.ts +2 -0
  330. package/dist/web/hooks/use-layout.js +2 -0
  331. package/dist/web/hooks/use-layout.js.map +1 -1
  332. package/dist/web/hooks/use-layout.test.js +62 -29
  333. package/dist/web/hooks/use-layout.test.js.map +1 -1
  334. package/dist/web/hooks/use-open-external.d.ts +20 -1
  335. package/dist/web/hooks/use-open-external.js +17 -1
  336. package/dist/web/hooks/use-open-external.js.map +1 -1
  337. package/dist/web/hooks/use-open-external.test.js +38 -13
  338. package/dist/web/hooks/use-open-external.test.js.map +1 -1
  339. package/dist/web/hooks/use-register-view-tool.d.ts +38 -0
  340. package/dist/web/hooks/use-register-view-tool.js +50 -0
  341. package/dist/web/hooks/use-register-view-tool.js.map +1 -0
  342. package/dist/web/hooks/use-request-close.d.ts +16 -0
  343. package/dist/web/hooks/use-request-close.js +21 -0
  344. package/dist/web/hooks/use-request-close.js.map +1 -0
  345. package/dist/web/hooks/use-request-close.test.d.ts +1 -0
  346. package/dist/web/hooks/use-request-close.test.js +47 -0
  347. package/dist/web/hooks/use-request-close.test.js.map +1 -0
  348. package/dist/web/hooks/use-request-modal.d.ts +16 -1
  349. package/dist/web/hooks/use-request-modal.js +19 -4
  350. package/dist/web/hooks/use-request-modal.js.map +1 -1
  351. package/dist/web/hooks/use-request-modal.test.js +15 -1
  352. package/dist/web/hooks/use-request-modal.test.js.map +1 -1
  353. package/dist/web/hooks/use-request-size.d.ts +20 -0
  354. package/dist/web/hooks/use-request-size.js +24 -0
  355. package/dist/web/hooks/use-request-size.js.map +1 -0
  356. package/dist/web/hooks/use-request-size.test.d.ts +1 -0
  357. package/dist/web/hooks/use-request-size.test.js +47 -0
  358. package/dist/web/hooks/use-request-size.test.js.map +1 -0
  359. package/dist/web/hooks/use-send-follow-up-message.d.ts +19 -1
  360. package/dist/web/hooks/use-send-follow-up-message.js +19 -2
  361. package/dist/web/hooks/use-send-follow-up-message.js.map +1 -1
  362. package/dist/web/hooks/use-set-open-in-app-url.d.ts +17 -0
  363. package/dist/web/hooks/use-set-open-in-app-url.js +17 -0
  364. package/dist/web/hooks/use-set-open-in-app-url.js.map +1 -1
  365. package/dist/web/hooks/use-set-open-in-app-url.test.js +30 -16
  366. package/dist/web/hooks/use-set-open-in-app-url.test.js.map +1 -1
  367. package/dist/web/hooks/use-tool-info.d.ts +53 -2
  368. package/dist/web/hooks/use-tool-info.js +30 -7
  369. package/dist/web/hooks/use-tool-info.js.map +1 -1
  370. package/dist/web/hooks/use-tool-info.test-d.js +11 -29
  371. package/dist/web/hooks/use-tool-info.test-d.js.map +1 -1
  372. package/dist/web/hooks/use-tool-info.test.js +43 -33
  373. package/dist/web/hooks/use-tool-info.test.js.map +1 -1
  374. package/dist/web/hooks/use-user.d.ts +2 -0
  375. package/dist/web/hooks/use-user.js +20 -2
  376. package/dist/web/hooks/use-user.js.map +1 -1
  377. package/dist/web/hooks/use-user.test.js +101 -27
  378. package/dist/web/hooks/use-user.test.js.map +1 -1
  379. package/dist/web/hooks/use-view-state.d.ts +25 -0
  380. package/dist/web/hooks/use-view-state.js +32 -0
  381. package/dist/web/hooks/use-view-state.js.map +1 -0
  382. package/dist/web/hooks/use-view-state.test.d.ts +1 -0
  383. package/dist/web/hooks/use-view-state.test.js +181 -0
  384. package/dist/web/hooks/use-view-state.test.js.map +1 -0
  385. package/dist/web/index.d.ts +1 -2
  386. package/dist/web/index.js +1 -2
  387. package/dist/web/index.js.map +1 -1
  388. package/dist/web/mount-view.d.ts +20 -0
  389. package/dist/web/{mount-widget.js → mount-view.js} +21 -2
  390. package/dist/web/mount-view.js.map +1 -0
  391. package/dist/web/plugin/data-llm.test.js.map +1 -1
  392. package/dist/web/plugin/plugin.d.ts +32 -1
  393. package/dist/web/plugin/plugin.js +167 -18
  394. package/dist/web/plugin/plugin.js.map +1 -1
  395. package/dist/web/plugin/scan-views.d.ts +16 -0
  396. package/dist/web/plugin/scan-views.js +88 -0
  397. package/dist/web/plugin/scan-views.js.map +1 -0
  398. package/dist/web/plugin/scan-views.test.d.ts +1 -0
  399. package/dist/web/plugin/scan-views.test.js +99 -0
  400. package/dist/web/plugin/scan-views.test.js.map +1 -0
  401. package/dist/web/plugin/transform-data-llm.js +1 -1
  402. package/dist/web/plugin/transform-data-llm.js.map +1 -1
  403. package/dist/web/plugin/transform-data-llm.test.js.map +1 -1
  404. package/dist/web/plugin/validate-view.d.ts +1 -0
  405. package/dist/web/plugin/validate-view.js +9 -0
  406. package/dist/web/plugin/validate-view.js.map +1 -0
  407. package/dist/web/plugin/validate-view.test.d.ts +1 -0
  408. package/dist/web/plugin/validate-view.test.js +24 -0
  409. package/dist/web/plugin/validate-view.test.js.map +1 -0
  410. package/dist/web/proxy.js +0 -1
  411. package/dist/web/proxy.js.map +1 -1
  412. package/dist/web/types.d.ts +4 -0
  413. package/dist/web/types.js.map +1 -1
  414. package/package.json +51 -29
  415. package/tsconfig.base.json +33 -0
  416. package/dist/server/templates/development.hbs +0 -66
  417. package/dist/server/templates/production.hbs +0 -7
  418. package/dist/server/widgetsDevServer.d.ts +0 -12
  419. package/dist/server/widgetsDevServer.js +0 -47
  420. package/dist/server/widgetsDevServer.js.map +0 -1
  421. package/dist/test/widget.test.js +0 -255
  422. package/dist/test/widget.test.js.map +0 -1
  423. package/dist/web/bridges/apps-sdk/adaptor.d.ts +0 -22
  424. package/dist/web/bridges/apps-sdk/adaptor.js +0 -64
  425. package/dist/web/bridges/apps-sdk/adaptor.js.map +0 -1
  426. package/dist/web/bridges/mcp-app/adaptor.d.ts +0 -36
  427. package/dist/web/bridges/mcp-app/adaptor.js +0 -185
  428. package/dist/web/bridges/mcp-app/adaptor.js.map +0 -1
  429. package/dist/web/hooks/use-widget-state.d.ts +0 -4
  430. package/dist/web/hooks/use-widget-state.js +0 -32
  431. package/dist/web/hooks/use-widget-state.js.map +0 -1
  432. package/dist/web/hooks/use-widget-state.test.js +0 -61
  433. package/dist/web/hooks/use-widget-state.test.js.map +0 -1
  434. package/dist/web/mount-widget.d.ts +0 -1
  435. package/dist/web/mount-widget.js.map +0 -1
  436. /package/dist/{test/widget.test.d.ts → cli/build-helpers.test.d.ts} +0 -0
  437. /package/dist/{web/hooks/use-widget-state.test.d.ts → cli/build-steps.test.d.ts} +0 -0
@@ -0,0 +1,15 @@
1
+ import type { OAuthConfig } from "../index.js";
2
+ import { type CustomProviderOptions } from "./custom.js";
3
+ /**
4
+ * OAuth provider for a Descope MCP Server. `url` is the MCP Server's **Discovery
5
+ * URL** (a.k.a. Issuer) from the console's Connection Information, e.g.
6
+ * `https://api.descope.com/v1/apps/agentic/<projectId>/<mcpServerId>` (or your
7
+ * custom domain). Requires DCR enabled on the MCP Server. For Descope with DCR
8
+ * disabled and Alpic's DCR proxy, use {@link customProvider} with `serverUrl`
9
+ * instead (see `examples/auth-descope-alpic`). The token `audience` defaults to
10
+ * the **Project ID** derived from the URL — Descope binds `aud` to [DCR client
11
+ * id, project id], not the server URL; pass `audience` to override.
12
+ */
13
+ export declare function descopeProvider(opts: {
14
+ url: string;
15
+ } & Omit<CustomProviderOptions, "issuer">): Promise<OAuthConfig>;
@@ -0,0 +1,33 @@
1
+ import { customProvider } from "./custom.js";
2
+ /**
3
+ * Derives the Descope Project ID from an MCP Server URL
4
+ * (`…/agentic/<projectId>/<mcpServerId>`). Descope binds the token `aud` to the
5
+ * project id, so it doubles as the audience.
6
+ */
7
+ function projectIdFromUrl(url) {
8
+ const projectId = url.match(/\/agentic\/([^/]+)\/[^/]+/)?.[1];
9
+ if (!projectId) {
10
+ throw new Error(`Could not derive the Descope project id from "${url}"; pass an explicit \`audience\`.`);
11
+ }
12
+ return projectId;
13
+ }
14
+ /**
15
+ * OAuth provider for a Descope MCP Server. `url` is the MCP Server's **Discovery
16
+ * URL** (a.k.a. Issuer) from the console's Connection Information, e.g.
17
+ * `https://api.descope.com/v1/apps/agentic/<projectId>/<mcpServerId>` (or your
18
+ * custom domain). Requires DCR enabled on the MCP Server. For Descope with DCR
19
+ * disabled and Alpic's DCR proxy, use {@link customProvider} with `serverUrl`
20
+ * instead (see `examples/auth-descope-alpic`). The token `audience` defaults to
21
+ * the **Project ID** derived from the URL — Descope binds `aud` to [DCR client
22
+ * id, project id], not the server URL; pass `audience` to override.
23
+ */
24
+ export function descopeProvider(opts) {
25
+ const { url, audience, ...rest } = opts;
26
+ const issuer = url.replace(/\/\.well-known\/[^?#]*$/, "").replace(/\/$/, "");
27
+ return customProvider({
28
+ issuer,
29
+ audience: audience ?? projectIdFromUrl(issuer),
30
+ ...rest,
31
+ });
32
+ }
33
+ //# sourceMappingURL=descope.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"descope.js","sourceRoot":"","sources":["../../../../src/server/auth/providers/descope.ts"],"names":[],"mappings":"AACA,OAAO,EAA8B,cAAc,EAAE,MAAM,aAAa,CAAC;AAEzE;;;;GAIG;AACH,SAAS,gBAAgB,CAAC,GAAW;IACnC,MAAM,SAAS,GAAG,GAAG,CAAC,KAAK,CAAC,2BAA2B,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;IAC9D,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CACb,iDAAiD,GAAG,mCAAmC,CACxF,CAAC;IACJ,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,eAAe,CAC7B,IAA6D;IAE7D,MAAM,EAAE,GAAG,EAAE,QAAQ,EAAE,GAAG,IAAI,EAAE,GAAG,IAAI,CAAC;IACxC,MAAM,MAAM,GAAG,GAAG,CAAC,OAAO,CAAC,yBAAyB,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IAC7E,OAAO,cAAc,CAAC;QACpB,MAAM;QACN,QAAQ,EAAE,QAAQ,IAAI,gBAAgB,CAAC,MAAM,CAAC;QAC9C,GAAG,IAAI;KACR,CAAC,CAAC;AACL,CAAC","sourcesContent":["import type { OAuthConfig } from \"../index.js\";\nimport { type CustomProviderOptions, customProvider } from \"./custom.js\";\n\n/**\n * Derives the Descope Project ID from an MCP Server URL\n * (`…/agentic/<projectId>/<mcpServerId>`). Descope binds the token `aud` to the\n * project id, so it doubles as the audience.\n */\nfunction projectIdFromUrl(url: string): string {\n const projectId = url.match(/\\/agentic\\/([^/]+)\\/[^/]+/)?.[1];\n if (!projectId) {\n throw new Error(\n `Could not derive the Descope project id from \"${url}\"; pass an explicit \\`audience\\`.`,\n );\n }\n return projectId;\n}\n\n/**\n * OAuth provider for a Descope MCP Server. `url` is the MCP Server's **Discovery\n * URL** (a.k.a. Issuer) from the console's Connection Information, e.g.\n * `https://api.descope.com/v1/apps/agentic/<projectId>/<mcpServerId>` (or your\n * custom domain). Requires DCR enabled on the MCP Server. For Descope with DCR\n * disabled and Alpic's DCR proxy, use {@link customProvider} with `serverUrl`\n * instead (see `examples/auth-descope-alpic`). The token `audience` defaults to\n * the **Project ID** derived from the URL — Descope binds `aud` to [DCR client\n * id, project id], not the server URL; pass `audience` to override.\n */\nexport function descopeProvider(\n opts: { url: string } & Omit<CustomProviderOptions, \"issuer\">,\n): Promise<OAuthConfig> {\n const { url, audience, ...rest } = opts;\n const issuer = url.replace(/\\/\\.well-known\\/[^?#]*$/, \"\").replace(/\\/$/, \"\");\n return customProvider({\n issuer,\n audience: audience ?? projectIdFromUrl(issuer),\n ...rest,\n });\n}\n"]}
@@ -0,0 +1 @@
1
+ export {};
@@ -0,0 +1,37 @@
1
+ // @vitest-environment node
2
+ import { afterEach, describe, expect, it, vi } from "vitest";
3
+ import { descopeProvider } from "./descope.js";
4
+ afterEach(() => vi.restoreAllMocks());
5
+ function discoveryDoc(issuer) {
6
+ return {
7
+ issuer,
8
+ authorization_endpoint: `${issuer}/authorize`,
9
+ token_endpoint: `${issuer}/token`,
10
+ registration_endpoint: `${issuer}/register`,
11
+ response_types_supported: ["code"],
12
+ scopes_supported: ["openid"],
13
+ jwks_uri: `${issuer}/.well-known/jwks.json`,
14
+ };
15
+ }
16
+ function mockDiscovery(issuer) {
17
+ return vi.spyOn(globalThis, "fetch").mockResolvedValue(new Response(JSON.stringify(discoveryDoc(issuer)), {
18
+ headers: { "content-type": "application/json" },
19
+ }));
20
+ }
21
+ describe("descopeProvider", () => {
22
+ it("derives issuer and audience (project id) from the MCP Server URL", async () => {
23
+ const issuer = "https://api.descope.com/v1/apps/agentic/P123/MS456";
24
+ const fetchSpy = mockDiscovery(issuer);
25
+ const config = await descopeProvider({ url: issuer });
26
+ expect(fetchSpy).toHaveBeenCalledWith(`${issuer}/.well-known/openid-configuration`, expect.anything());
27
+ expect(config.verify.issuer).toBe(issuer);
28
+ expect(config.verify.audience).toBe("P123");
29
+ });
30
+ it("lets an explicit audience override the derived project id", async () => {
31
+ const issuer = "https://api.descope.com/v1/apps/agentic/P123/MS456";
32
+ mockDiscovery(issuer);
33
+ const config = await descopeProvider({ url: issuer, audience: "custom" });
34
+ expect(config.verify.audience).toBe("custom");
35
+ });
36
+ });
37
+ //# sourceMappingURL=descope.test.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"descope.test.js","sourceRoot":"","sources":["../../../../src/server/auth/providers/descope.test.ts"],"names":[],"mappings":"AAAA,2BAA2B;AAC3B,OAAO,EAAE,SAAS,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AAC7D,OAAO,EAAE,eAAe,EAAE,MAAM,cAAc,CAAC;AAE/C,SAAS,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,eAAe,EAAE,CAAC,CAAC;AAEtC,SAAS,YAAY,CAAC,MAAc;IAClC,OAAO;QACL,MAAM;QACN,sBAAsB,EAAE,GAAG,MAAM,YAAY;QAC7C,cAAc,EAAE,GAAG,MAAM,QAAQ;QACjC,qBAAqB,EAAE,GAAG,MAAM,WAAW;QAC3C,wBAAwB,EAAE,CAAC,MAAM,CAAC;QAClC,gBAAgB,EAAE,CAAC,QAAQ,CAAC;QAC5B,QAAQ,EAAE,GAAG,MAAM,wBAAwB;KAC5C,CAAC;AACJ,CAAC;AAED,SAAS,aAAa,CAAC,MAAc;IACnC,OAAO,EAAE,CAAC,KAAK,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC,iBAAiB,CACpD,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,EAAE;QACjD,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;KAChD,CAAC,CACH,CAAC;AACJ,CAAC;AAED,QAAQ,CAAC,iBAAiB,EAAE,GAAG,EAAE;IAC/B,EAAE,CAAC,kEAAkE,EAAE,KAAK,IAAI,EAAE;QAChF,MAAM,MAAM,GAAG,oDAAoD,CAAC;QACpE,MAAM,QAAQ,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;QAEvC,MAAM,MAAM,GAAG,MAAM,eAAe,CAAC,EAAE,GAAG,EAAE,MAAM,EAAE,CAAC,CAAC;QAEtD,MAAM,CAAC,QAAQ,CAAC,CAAC,oBAAoB,CACnC,GAAG,MAAM,mCAAmC,EAC5C,MAAM,CAAC,QAAQ,EAAE,CAClB,CAAC;QACF,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC1C,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAC9C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2DAA2D,EAAE,KAAK,IAAI,EAAE;QACzE,MAAM,MAAM,GAAG,oDAAoD,CAAC;QACpE,aAAa,CAAC,MAAM,CAAC,CAAC;QAEtB,MAAM,MAAM,GAAG,MAAM,eAAe,CAAC,EAAE,GAAG,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,CAAC,CAAC;QAE1E,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAChD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC","sourcesContent":["// @vitest-environment node\nimport { afterEach, describe, expect, it, vi } from \"vitest\";\nimport { descopeProvider } from \"./descope.js\";\n\nafterEach(() => vi.restoreAllMocks());\n\nfunction discoveryDoc(issuer: string) {\n return {\n issuer,\n authorization_endpoint: `${issuer}/authorize`,\n token_endpoint: `${issuer}/token`,\n registration_endpoint: `${issuer}/register`,\n response_types_supported: [\"code\"],\n scopes_supported: [\"openid\"],\n jwks_uri: `${issuer}/.well-known/jwks.json`,\n };\n}\n\nfunction mockDiscovery(issuer: string) {\n return vi.spyOn(globalThis, \"fetch\").mockResolvedValue(\n new Response(JSON.stringify(discoveryDoc(issuer)), {\n headers: { \"content-type\": \"application/json\" },\n }),\n );\n}\n\ndescribe(\"descopeProvider\", () => {\n it(\"derives issuer and audience (project id) from the MCP Server URL\", async () => {\n const issuer = \"https://api.descope.com/v1/apps/agentic/P123/MS456\";\n const fetchSpy = mockDiscovery(issuer);\n\n const config = await descopeProvider({ url: issuer });\n\n expect(fetchSpy).toHaveBeenCalledWith(\n `${issuer}/.well-known/openid-configuration`,\n expect.anything(),\n );\n expect(config.verify.issuer).toBe(issuer);\n expect(config.verify.audience).toBe(\"P123\");\n });\n\n it(\"lets an explicit audience override the derived project id\", async () => {\n const issuer = \"https://api.descope.com/v1/apps/agentic/P123/MS456\";\n mockDiscovery(issuer);\n\n const config = await descopeProvider({ url: issuer, audience: \"custom\" });\n\n expect(config.verify.audience).toBe(\"custom\");\n });\n});\n"]}
@@ -0,0 +1,2 @@
1
+ /** Normalises a bare host to an https issuer URL and strips a trailing slash. */
2
+ export declare function toIssuerUrl(domain: string): string;
@@ -0,0 +1,6 @@
1
+ /** Normalises a bare host to an https issuer URL and strips a trailing slash. */
2
+ export function toIssuerUrl(domain) {
3
+ const withScheme = /^https?:\/\//.test(domain) ? domain : `https://${domain}`;
4
+ return withScheme.replace(/\/$/, "");
5
+ }
6
+ //# sourceMappingURL=shared.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"shared.js","sourceRoot":"","sources":["../../../../src/server/auth/providers/shared.ts"],"names":[],"mappings":"AAAA,iFAAiF;AACjF,MAAM,UAAU,WAAW,CAAC,MAAc;IACxC,MAAM,UAAU,GAAG,cAAc,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,WAAW,MAAM,EAAE,CAAC;IAC9E,OAAO,UAAU,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;AACvC,CAAC","sourcesContent":["/** Normalises a bare host to an https issuer URL and strips a trailing slash. */\nexport function toIssuerUrl(domain: string): string {\n const withScheme = /^https?:\\/\\//.test(domain) ? domain : `https://${domain}`;\n return withScheme.replace(/\\/$/, \"\");\n}\n"]}
@@ -0,0 +1 @@
1
+ export {};
@@ -0,0 +1,10 @@
1
+ import { describe, expect, it } from "vitest";
2
+ import { toIssuerUrl } from "./shared.js";
3
+ describe("toIssuerUrl", () => {
4
+ it("adds https to a bare host, preserves an explicit scheme, strips a trailing slash", () => {
5
+ expect(toIssuerUrl("acme.authkit.app")).toBe("https://acme.authkit.app");
6
+ expect(toIssuerUrl("https://acme.authkit.app/")).toBe("https://acme.authkit.app");
7
+ expect(toIssuerUrl("http://localhost:3000")).toBe("http://localhost:3000");
8
+ });
9
+ });
10
+ //# sourceMappingURL=shared.test.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"shared.test.js","sourceRoot":"","sources":["../../../../src/server/auth/providers/shared.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAE1C,QAAQ,CAAC,aAAa,EAAE,GAAG,EAAE;IAC3B,EAAE,CAAC,kFAAkF,EAAE,GAAG,EAAE;QAC1F,MAAM,CAAC,WAAW,CAAC,kBAAkB,CAAC,CAAC,CAAC,IAAI,CAAC,0BAA0B,CAAC,CAAC;QACzE,MAAM,CAAC,WAAW,CAAC,2BAA2B,CAAC,CAAC,CAAC,IAAI,CACnD,0BAA0B,CAC3B,CAAC;QACF,MAAM,CAAC,WAAW,CAAC,uBAAuB,CAAC,CAAC,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;IAC7E,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC","sourcesContent":["import { describe, expect, it } from \"vitest\";\nimport { toIssuerUrl } from \"./shared.js\";\n\ndescribe(\"toIssuerUrl\", () => {\n it(\"adds https to a bare host, preserves an explicit scheme, strips a trailing slash\", () => {\n expect(toIssuerUrl(\"acme.authkit.app\")).toBe(\"https://acme.authkit.app\");\n expect(toIssuerUrl(\"https://acme.authkit.app/\")).toBe(\n \"https://acme.authkit.app\",\n );\n expect(toIssuerUrl(\"http://localhost:3000\")).toBe(\"http://localhost:3000\");\n });\n});\n"]}
@@ -0,0 +1,12 @@
1
+ import type { OAuthConfig } from "../index.js";
2
+ import { type CustomProviderOptions } from "./custom.js";
3
+ /**
4
+ * OAuth provider for Stytch Connected Apps. `domain` is the project domain,
5
+ * e.g. `acme.customers.stytch.dev`, or a configured custom domain. Requires
6
+ * DCR enabled in the Stytch dashboard. `audience` is the Stytch Project ID
7
+ * (the default token audience).
8
+ */
9
+ export declare function stytchProvider(opts: {
10
+ domain: string;
11
+ audience: string;
12
+ } & Omit<CustomProviderOptions, "issuer" | "audience">): Promise<OAuthConfig>;
@@ -0,0 +1,13 @@
1
+ import { customProvider } from "./custom.js";
2
+ import { toIssuerUrl } from "./shared.js";
3
+ /**
4
+ * OAuth provider for Stytch Connected Apps. `domain` is the project domain,
5
+ * e.g. `acme.customers.stytch.dev`, or a configured custom domain. Requires
6
+ * DCR enabled in the Stytch dashboard. `audience` is the Stytch Project ID
7
+ * (the default token audience).
8
+ */
9
+ export function stytchProvider(opts) {
10
+ const { domain, ...rest } = opts;
11
+ return customProvider({ issuer: toIssuerUrl(domain), ...rest });
12
+ }
13
+ //# sourceMappingURL=stytch.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"stytch.js","sourceRoot":"","sources":["../../../../src/server/auth/providers/stytch.ts"],"names":[],"mappings":"AACA,OAAO,EAA8B,cAAc,EAAE,MAAM,aAAa,CAAC;AACzE,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAE1C;;;;;GAKG;AACH,MAAM,UAAU,cAAc,CAC5B,IAGC;IAED,MAAM,EAAE,MAAM,EAAE,GAAG,IAAI,EAAE,GAAG,IAAI,CAAC;IACjC,OAAO,cAAc,CAAC,EAAE,MAAM,EAAE,WAAW,CAAC,MAAM,CAAC,EAAE,GAAG,IAAI,EAAE,CAAC,CAAC;AAClE,CAAC","sourcesContent":["import type { OAuthConfig } from \"../index.js\";\nimport { type CustomProviderOptions, customProvider } from \"./custom.js\";\nimport { toIssuerUrl } from \"./shared.js\";\n\n/**\n * OAuth provider for Stytch Connected Apps. `domain` is the project domain,\n * e.g. `acme.customers.stytch.dev`, or a configured custom domain. Requires\n * DCR enabled in the Stytch dashboard. `audience` is the Stytch Project ID\n * (the default token audience).\n */\nexport function stytchProvider(\n opts: { domain: string; audience: string } & Omit<\n CustomProviderOptions,\n \"issuer\" | \"audience\"\n >,\n): Promise<OAuthConfig> {\n const { domain, ...rest } = opts;\n return customProvider({ issuer: toIssuerUrl(domain), ...rest });\n}\n"]}
@@ -0,0 +1,11 @@
1
+ import type { OAuthConfig } from "../index.js";
2
+ import { type CustomProviderOptions } from "./custom.js";
3
+ /**
4
+ * OAuth provider for WorkOS AuthKit. `domain` is the AuthKit domain, e.g.
5
+ * `acme.authkit.app`. Requires DCR enabled in the WorkOS dashboard
6
+ * (Connect → Configuration). `audience` is the MCP server's Resource Indicator.
7
+ */
8
+ export declare function workosProvider(opts: {
9
+ domain: string;
10
+ audience: string;
11
+ } & Omit<CustomProviderOptions, "issuer" | "audience">): Promise<OAuthConfig>;
@@ -0,0 +1,12 @@
1
+ import { customProvider } from "./custom.js";
2
+ import { toIssuerUrl } from "./shared.js";
3
+ /**
4
+ * OAuth provider for WorkOS AuthKit. `domain` is the AuthKit domain, e.g.
5
+ * `acme.authkit.app`. Requires DCR enabled in the WorkOS dashboard
6
+ * (Connect → Configuration). `audience` is the MCP server's Resource Indicator.
7
+ */
8
+ export function workosProvider(opts) {
9
+ const { domain, ...rest } = opts;
10
+ return customProvider({ issuer: toIssuerUrl(domain), ...rest });
11
+ }
12
+ //# sourceMappingURL=workos.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"workos.js","sourceRoot":"","sources":["../../../../src/server/auth/providers/workos.ts"],"names":[],"mappings":"AACA,OAAO,EAA8B,cAAc,EAAE,MAAM,aAAa,CAAC;AACzE,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAE1C;;;;GAIG;AACH,MAAM,UAAU,cAAc,CAC5B,IAGC;IAED,MAAM,EAAE,MAAM,EAAE,GAAG,IAAI,EAAE,GAAG,IAAI,CAAC;IACjC,OAAO,cAAc,CAAC,EAAE,MAAM,EAAE,WAAW,CAAC,MAAM,CAAC,EAAE,GAAG,IAAI,EAAE,CAAC,CAAC;AAClE,CAAC","sourcesContent":["import type { OAuthConfig } from \"../index.js\";\nimport { type CustomProviderOptions, customProvider } from \"./custom.js\";\nimport { toIssuerUrl } from \"./shared.js\";\n\n/**\n * OAuth provider for WorkOS AuthKit. `domain` is the AuthKit domain, e.g.\n * `acme.authkit.app`. Requires DCR enabled in the WorkOS dashboard\n * (Connect → Configuration). `audience` is the MCP server's Resource Indicator.\n */\nexport function workosProvider(\n opts: { domain: string; audience: string } & Omit<\n CustomProviderOptions,\n \"issuer\" | \"audience\"\n >,\n): Promise<OAuthConfig> {\n const { domain, ...rest } = opts;\n return customProvider({ issuer: toIssuerUrl(domain), ...rest });\n}\n"]}
@@ -0,0 +1,13 @@
1
+ import type { AuthInfo } from "../auth.js";
2
+ import type { SecurityScheme, ToolAuth } from "../server.js";
3
+ export declare function authToSecuritySchemes(auth: ToolAuth): SecurityScheme[];
4
+ export declare function securitySchemesAllowAnonymous(schemes: SecurityScheme[] | undefined): boolean;
5
+ export type SchemeFailure = {
6
+ error: "invalid_token" | "insufficient_scope";
7
+ description: string;
8
+ scopes: string[];
9
+ };
10
+ export declare function evaluateSecuritySchemes(schemes: SecurityScheme[] | undefined, authInfo: AuthInfo | undefined): SchemeFailure | undefined;
11
+ export declare function httpStatusForFailure(failure: SchemeFailure): 401 | 403;
12
+ export declare function clientPrefersInBandChallenge(userAgent: string | undefined): boolean;
13
+ export declare function wwwAuthenticateHeader(failure: SchemeFailure, resourceMetadataUrl?: string): string;
@@ -0,0 +1,53 @@
1
+ export function authToSecuritySchemes(auth) {
2
+ const oauth2 = {
3
+ type: "oauth2",
4
+ ...(auth.scopes?.length ? { scopes: auth.scopes } : {}),
5
+ };
6
+ return auth.public ? [{ type: "noauth" }, oauth2] : [oauth2];
7
+ }
8
+ export function securitySchemesAllowAnonymous(schemes) {
9
+ return !!schemes?.some((scheme) => scheme.type === "noauth");
10
+ }
11
+ export function evaluateSecuritySchemes(schemes, authInfo) {
12
+ if (securitySchemesAllowAnonymous(schemes)) {
13
+ return undefined;
14
+ }
15
+ const oauth2 = (schemes ?? []).filter((scheme) => scheme.type === "oauth2");
16
+ const required = oauth2.length ? oauth2 : [{ type: "oauth2" }];
17
+ const scopes = [
18
+ ...new Set(required.flatMap((scheme) => scheme.scopes ?? [])),
19
+ ];
20
+ if (!authInfo) {
21
+ return {
22
+ error: "invalid_token",
23
+ description: "Sign in to use this tool.",
24
+ scopes,
25
+ };
26
+ }
27
+ const satisfied = required.some((scheme) => (scheme.scopes ?? []).every((scope) => authInfo.scopes.includes(scope)));
28
+ return satisfied
29
+ ? undefined
30
+ : {
31
+ error: "insufficient_scope",
32
+ description: "Missing required scope for this tool.",
33
+ scopes,
34
+ };
35
+ }
36
+ export function httpStatusForFailure(failure) {
37
+ return failure.error === "insufficient_scope" ? 403 : 401;
38
+ }
39
+ export function clientPrefersInBandChallenge(userAgent) {
40
+ const ua = (userAgent ?? "").toLowerCase();
41
+ return ua.includes("openai") || ua.includes("chatgpt");
42
+ }
43
+ export function wwwAuthenticateHeader(failure, resourceMetadataUrl) {
44
+ let header = `Bearer error="${failure.error}", error_description="${failure.description}"`;
45
+ if (failure.scopes.length) {
46
+ header += `, scope="${failure.scopes.join(" ")}"`;
47
+ }
48
+ if (resourceMetadataUrl) {
49
+ header += `, resource_metadata="${resourceMetadataUrl}"`;
50
+ }
51
+ return header;
52
+ }
53
+ //# sourceMappingURL=security-schemes.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"security-schemes.js","sourceRoot":"","sources":["../../../src/server/auth/security-schemes.ts"],"names":[],"mappings":"AAGA,MAAM,UAAU,qBAAqB,CAAC,IAAc;IAClD,MAAM,MAAM,GAAmB;QAC7B,IAAI,EAAE,QAAQ;QACd,GAAG,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KACxD,CAAC;IACF,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;AAC/D,CAAC;AAED,MAAM,UAAU,6BAA6B,CAC3C,OAAqC;IAErC,OAAO,CAAC,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC;AAC/D,CAAC;AAQD,MAAM,UAAU,uBAAuB,CACrC,OAAqC,EACrC,QAA8B;IAE9B,IAAI,6BAA6B,CAAC,OAAO,CAAC,EAAE,CAAC;QAC3C,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,MAAM,MAAM,GAAG,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC;IAC5E,MAAM,QAAQ,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,QAAiB,EAAE,CAAC,CAAC;IACxE,MAAM,MAAM,GAAG;QACb,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC;KAC9D,CAAC;IACF,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,OAAO;YACL,KAAK,EAAE,eAAe;YACtB,WAAW,EAAE,2BAA2B;YACxC,MAAM;SACP,CAAC;IACJ,CAAC;IACD,MAAM,SAAS,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE,CACzC,CAAC,MAAM,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CACxE,CAAC;IACF,OAAO,SAAS;QACd,CAAC,CAAC,SAAS;QACX,CAAC,CAAC;YACE,KAAK,EAAE,oBAAoB;YAC3B,WAAW,EAAE,uCAAuC;YACpD,MAAM;SACP,CAAC;AACR,CAAC;AAED,MAAM,UAAU,oBAAoB,CAAC,OAAsB;IACzD,OAAO,OAAO,CAAC,KAAK,KAAK,oBAAoB,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;AAC5D,CAAC;AAED,MAAM,UAAU,4BAA4B,CAC1C,SAA6B;IAE7B,MAAM,EAAE,GAAG,CAAC,SAAS,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;IAC3C,OAAO,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;AACzD,CAAC;AAED,MAAM,UAAU,qBAAqB,CACnC,OAAsB,EACtB,mBAA4B;IAE5B,IAAI,MAAM,GAAG,iBAAiB,OAAO,CAAC,KAAK,yBAAyB,OAAO,CAAC,WAAW,GAAG,CAAC;IAC3F,IAAI,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QAC1B,MAAM,IAAI,YAAY,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC;IACpD,CAAC;IACD,IAAI,mBAAmB,EAAE,CAAC;QACxB,MAAM,IAAI,wBAAwB,mBAAmB,GAAG,CAAC;IAC3D,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC","sourcesContent":["import type { AuthInfo } from \"../auth.js\";\nimport type { SecurityScheme, ToolAuth } from \"../server.js\";\n\nexport function authToSecuritySchemes(auth: ToolAuth): SecurityScheme[] {\n const oauth2: SecurityScheme = {\n type: \"oauth2\",\n ...(auth.scopes?.length ? { scopes: auth.scopes } : {}),\n };\n return auth.public ? [{ type: \"noauth\" }, oauth2] : [oauth2];\n}\n\nexport function securitySchemesAllowAnonymous(\n schemes: SecurityScheme[] | undefined,\n): boolean {\n return !!schemes?.some((scheme) => scheme.type === \"noauth\");\n}\n\nexport type SchemeFailure = {\n error: \"invalid_token\" | \"insufficient_scope\";\n description: string;\n scopes: string[];\n};\n\nexport function evaluateSecuritySchemes(\n schemes: SecurityScheme[] | undefined,\n authInfo: AuthInfo | undefined,\n): SchemeFailure | undefined {\n if (securitySchemesAllowAnonymous(schemes)) {\n return undefined;\n }\n const oauth2 = (schemes ?? []).filter((scheme) => scheme.type === \"oauth2\");\n const required = oauth2.length ? oauth2 : [{ type: \"oauth2\" as const }];\n const scopes = [\n ...new Set(required.flatMap((scheme) => scheme.scopes ?? [])),\n ];\n if (!authInfo) {\n return {\n error: \"invalid_token\",\n description: \"Sign in to use this tool.\",\n scopes,\n };\n }\n const satisfied = required.some((scheme) =>\n (scheme.scopes ?? []).every((scope) => authInfo.scopes.includes(scope)),\n );\n return satisfied\n ? undefined\n : {\n error: \"insufficient_scope\",\n description: \"Missing required scope for this tool.\",\n scopes,\n };\n}\n\nexport function httpStatusForFailure(failure: SchemeFailure): 401 | 403 {\n return failure.error === \"insufficient_scope\" ? 403 : 401;\n}\n\nexport function clientPrefersInBandChallenge(\n userAgent: string | undefined,\n): boolean {\n const ua = (userAgent ?? \"\").toLowerCase();\n return ua.includes(\"openai\") || ua.includes(\"chatgpt\");\n}\n\nexport function wwwAuthenticateHeader(\n failure: SchemeFailure,\n resourceMetadataUrl?: string,\n): string {\n let header = `Bearer error=\"${failure.error}\", error_description=\"${failure.description}\"`;\n if (failure.scopes.length) {\n header += `, scope=\"${failure.scopes.join(\" \")}\"`;\n }\n if (resourceMetadataUrl) {\n header += `, resource_metadata=\"${resourceMetadataUrl}\"`;\n }\n return header;\n}\n"]}
@@ -0,0 +1 @@
1
+ export {};
@@ -0,0 +1,90 @@
1
+ import { describe, expect, it } from "vitest";
2
+ import { authToSecuritySchemes, clientPrefersInBandChallenge, evaluateSecuritySchemes, securitySchemesAllowAnonymous, wwwAuthenticateHeader, } from "./security-schemes.js";
3
+ describe("clientPrefersInBandChallenge", () => {
4
+ it("detects ChatGPT / OpenAI user agents", () => {
5
+ expect(clientPrefersInBandChallenge("openai-mcp/1.0")).toBe(true);
6
+ expect(clientPrefersInBandChallenge("ChatGPT")).toBe(true);
7
+ expect(clientPrefersInBandChallenge("Claude-User/1.0")).toBe(false);
8
+ expect(clientPrefersInBandChallenge(undefined)).toBe(false);
9
+ });
10
+ });
11
+ describe("authToSecuritySchemes", () => {
12
+ it("maps the auth shorthand", () => {
13
+ expect(authToSecuritySchemes({ public: true })).toEqual([
14
+ { type: "noauth" },
15
+ { type: "oauth2" },
16
+ ]);
17
+ expect(authToSecuritySchemes({})).toEqual([{ type: "oauth2" }]);
18
+ expect(authToSecuritySchemes({ scopes: ["checkout"] })).toEqual([
19
+ { type: "oauth2", scopes: ["checkout"] },
20
+ ]);
21
+ expect(authToSecuritySchemes({ public: true, scopes: ["checkout"] })).toEqual([{ type: "noauth" }, { type: "oauth2", scopes: ["checkout"] }]);
22
+ });
23
+ });
24
+ const authInfo = (scopes) => ({
25
+ token: "t",
26
+ clientId: "c",
27
+ scopes,
28
+ });
29
+ describe("securitySchemesAllowAnonymous", () => {
30
+ it("is true only when a noauth scheme is present", () => {
31
+ expect(securitySchemesAllowAnonymous([{ type: "noauth" }])).toBe(true);
32
+ expect(securitySchemesAllowAnonymous([{ type: "noauth" }, { type: "oauth2" }])).toBe(true);
33
+ expect(securitySchemesAllowAnonymous([{ type: "oauth2" }])).toBe(false);
34
+ expect(securitySchemesAllowAnonymous(undefined)).toBe(false);
35
+ });
36
+ });
37
+ describe("evaluateSecuritySchemes", () => {
38
+ it("lets anonymous callers through a noauth tool", () => {
39
+ const schemes = [{ type: "noauth" }, { type: "oauth2" }];
40
+ expect(evaluateSecuritySchemes(schemes, undefined)).toBeUndefined();
41
+ });
42
+ it("fails an oauth2-only tool with no token (invalid_token / 401)", () => {
43
+ expect(evaluateSecuritySchemes([{ type: "oauth2" }], undefined)?.error).toBe("invalid_token");
44
+ });
45
+ it("fails when the token is missing a required scope (insufficient_scope / 403)", () => {
46
+ const schemes = [
47
+ { type: "oauth2", scopes: ["checkout"] },
48
+ ];
49
+ expect(evaluateSecuritySchemes(schemes, authInfo(["openid"]))?.error).toBe("insufficient_scope");
50
+ });
51
+ it("passes when the token carries every required scope", () => {
52
+ const schemes = [
53
+ { type: "oauth2", scopes: ["checkout"] },
54
+ ];
55
+ expect(evaluateSecuritySchemes(schemes, authInfo(["openid", "checkout"]))).toBeUndefined();
56
+ });
57
+ it("treats an undeclared tool as auth-required, satisfied by any valid token", () => {
58
+ expect(evaluateSecuritySchemes(undefined, undefined)?.error).toBe("invalid_token");
59
+ expect(evaluateSecuritySchemes(undefined, authInfo([]))).toBeUndefined();
60
+ });
61
+ it("carries the tool's required scopes on the failure", () => {
62
+ const schemes = [
63
+ { type: "oauth2", scopes: ["checkout"] },
64
+ ];
65
+ expect(evaluateSecuritySchemes(schemes, undefined)?.scopes).toEqual([
66
+ "checkout",
67
+ ]);
68
+ expect(evaluateSecuritySchemes(schemes, authInfo(["openid"]))?.scopes).toEqual(["checkout"]);
69
+ });
70
+ });
71
+ describe("wwwAuthenticateHeader", () => {
72
+ it("names the required scopes so the client can step up", () => {
73
+ const header = wwwAuthenticateHeader({
74
+ error: "insufficient_scope",
75
+ description: "Missing required scope for this tool.",
76
+ scopes: ["checkout"],
77
+ });
78
+ expect(header).toContain('error="insufficient_scope"');
79
+ expect(header).toContain('scope="checkout"');
80
+ });
81
+ it("omits the scope parameter when there are none", () => {
82
+ const header = wwwAuthenticateHeader({
83
+ error: "invalid_token",
84
+ description: "Sign in to use this tool.",
85
+ scopes: [],
86
+ });
87
+ expect(header).not.toContain("scope=");
88
+ });
89
+ });
90
+ //# sourceMappingURL=security-schemes.test.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"security-schemes.test.js","sourceRoot":"","sources":["../../../src/server/auth/security-schemes.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AAG9C,OAAO,EACL,qBAAqB,EACrB,4BAA4B,EAC5B,uBAAuB,EACvB,6BAA6B,EAC7B,qBAAqB,GACtB,MAAM,uBAAuB,CAAC;AAE/B,QAAQ,CAAC,8BAA8B,EAAE,GAAG,EAAE;IAC5C,EAAE,CAAC,sCAAsC,EAAE,GAAG,EAAE;QAC9C,MAAM,CAAC,4BAA4B,CAAC,gBAAgB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAClE,MAAM,CAAC,4BAA4B,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC3D,MAAM,CAAC,4BAA4B,CAAC,iBAAiB,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACpE,MAAM,CAAC,4BAA4B,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC9D,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,uBAAuB,EAAE,GAAG,EAAE;IACrC,EAAE,CAAC,yBAAyB,EAAE,GAAG,EAAE;QACjC,MAAM,CAAC,qBAAqB,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC;YACtD,EAAE,IAAI,EAAE,QAAQ,EAAE;YAClB,EAAE,IAAI,EAAE,QAAQ,EAAE;SACnB,CAAC,CAAC;QACH,MAAM,CAAC,qBAAqB,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,CAAC,CAAC;QAChE,MAAM,CAAC,qBAAqB,CAAC,EAAE,MAAM,EAAE,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC;YAC9D,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC,UAAU,CAAC,EAAE;SACzC,CAAC,CAAC;QACH,MAAM,CACJ,qBAAqB,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,UAAU,CAAC,EAAE,CAAC,CAC9D,CAAC,OAAO,CAAC,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC;IAC5E,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,MAAM,QAAQ,GAAG,CAAC,MAAgB,EAAY,EAAE,CAAC,CAAC;IAChD,KAAK,EAAE,GAAG;IACV,QAAQ,EAAE,GAAG;IACb,MAAM;CACP,CAAC,CAAC;AAEH,QAAQ,CAAC,+BAA+B,EAAE,GAAG,EAAE;IAC7C,EAAE,CAAC,8CAA8C,EAAE,GAAG,EAAE;QACtD,MAAM,CAAC,6BAA6B,CAAC,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACvE,MAAM,CACJ,6BAA6B,CAAC,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,CAAC,CACxE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACb,MAAM,CAAC,6BAA6B,CAAC,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACxE,MAAM,CAAC,6BAA6B,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC/D,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,yBAAyB,EAAE,GAAG,EAAE;IACvC,EAAE,CAAC,8CAA8C,EAAE,GAAG,EAAE;QACtD,MAAM,OAAO,GAAqB,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,CAAC;QAC3E,MAAM,CAAC,uBAAuB,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC,CAAC,aAAa,EAAE,CAAC;IACtE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+DAA+D,EAAE,GAAG,EAAE;QACvE,MAAM,CACJ,uBAAuB,CAAC,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,EAAE,SAAS,CAAC,EAAE,KAAK,CAChE,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;IAC1B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,6EAA6E,EAAE,GAAG,EAAE;QACrF,MAAM,OAAO,GAAqB;YAChC,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC,UAAU,CAAC,EAAE;SACzC,CAAC;QACF,MAAM,CAAC,uBAAuB,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,IAAI,CACxE,oBAAoB,CACrB,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oDAAoD,EAAE,GAAG,EAAE;QAC5D,MAAM,OAAO,GAAqB;YAChC,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC,UAAU,CAAC,EAAE;SACzC,CAAC;QACF,MAAM,CACJ,uBAAuB,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC,CAAC,CACnE,CAAC,aAAa,EAAE,CAAC;IACpB,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0EAA0E,EAAE,GAAG,EAAE;QAClF,MAAM,CAAC,uBAAuB,CAAC,SAAS,EAAE,SAAS,CAAC,EAAE,KAAK,CAAC,CAAC,IAAI,CAC/D,eAAe,CAChB,CAAC;QACF,MAAM,CAAC,uBAAuB,CAAC,SAAS,EAAE,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,aAAa,EAAE,CAAC;IAC3E,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mDAAmD,EAAE,GAAG,EAAE;QAC3D,MAAM,OAAO,GAAqB;YAChC,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC,UAAU,CAAC,EAAE;SACzC,CAAC;QACF,MAAM,CAAC,uBAAuB,CAAC,OAAO,EAAE,SAAS,CAAC,EAAE,MAAM,CAAC,CAAC,OAAO,CAAC;YAClE,UAAU;SACX,CAAC,CAAC;QACH,MAAM,CACJ,uBAAuB,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,MAAM,CAC/D,CAAC,OAAO,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC;IAC1B,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,uBAAuB,EAAE,GAAG,EAAE;IACrC,EAAE,CAAC,qDAAqD,EAAE,GAAG,EAAE;QAC7D,MAAM,MAAM,GAAG,qBAAqB,CAAC;YACnC,KAAK,EAAE,oBAAoB;YAC3B,WAAW,EAAE,uCAAuC;YACpD,MAAM,EAAE,CAAC,UAAU,CAAC;SACrB,CAAC,CAAC;QACH,MAAM,CAAC,MAAM,CAAC,CAAC,SAAS,CAAC,4BAA4B,CAAC,CAAC;QACvD,MAAM,CAAC,MAAM,CAAC,CAAC,SAAS,CAAC,kBAAkB,CAAC,CAAC;IAC/C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+CAA+C,EAAE,GAAG,EAAE;QACvD,MAAM,MAAM,GAAG,qBAAqB,CAAC;YACnC,KAAK,EAAE,eAAe;YACtB,WAAW,EAAE,2BAA2B;YACxC,MAAM,EAAE,EAAE;SACX,CAAC,CAAC;QACH,MAAM,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;IACzC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC","sourcesContent":["import { describe, expect, it } from \"vitest\";\nimport type { AuthInfo } from \"../auth.js\";\nimport type { SecurityScheme } from \"../server.js\";\nimport {\n authToSecuritySchemes,\n clientPrefersInBandChallenge,\n evaluateSecuritySchemes,\n securitySchemesAllowAnonymous,\n wwwAuthenticateHeader,\n} from \"./security-schemes.js\";\n\ndescribe(\"clientPrefersInBandChallenge\", () => {\n it(\"detects ChatGPT / OpenAI user agents\", () => {\n expect(clientPrefersInBandChallenge(\"openai-mcp/1.0\")).toBe(true);\n expect(clientPrefersInBandChallenge(\"ChatGPT\")).toBe(true);\n expect(clientPrefersInBandChallenge(\"Claude-User/1.0\")).toBe(false);\n expect(clientPrefersInBandChallenge(undefined)).toBe(false);\n });\n});\n\ndescribe(\"authToSecuritySchemes\", () => {\n it(\"maps the auth shorthand\", () => {\n expect(authToSecuritySchemes({ public: true })).toEqual([\n { type: \"noauth\" },\n { type: \"oauth2\" },\n ]);\n expect(authToSecuritySchemes({})).toEqual([{ type: \"oauth2\" }]);\n expect(authToSecuritySchemes({ scopes: [\"checkout\"] })).toEqual([\n { type: \"oauth2\", scopes: [\"checkout\"] },\n ]);\n expect(\n authToSecuritySchemes({ public: true, scopes: [\"checkout\"] }),\n ).toEqual([{ type: \"noauth\" }, { type: \"oauth2\", scopes: [\"checkout\"] }]);\n });\n});\n\nconst authInfo = (scopes: string[]): AuthInfo => ({\n token: \"t\",\n clientId: \"c\",\n scopes,\n});\n\ndescribe(\"securitySchemesAllowAnonymous\", () => {\n it(\"is true only when a noauth scheme is present\", () => {\n expect(securitySchemesAllowAnonymous([{ type: \"noauth\" }])).toBe(true);\n expect(\n securitySchemesAllowAnonymous([{ type: \"noauth\" }, { type: \"oauth2\" }]),\n ).toBe(true);\n expect(securitySchemesAllowAnonymous([{ type: \"oauth2\" }])).toBe(false);\n expect(securitySchemesAllowAnonymous(undefined)).toBe(false);\n });\n});\n\ndescribe(\"evaluateSecuritySchemes\", () => {\n it(\"lets anonymous callers through a noauth tool\", () => {\n const schemes: SecurityScheme[] = [{ type: \"noauth\" }, { type: \"oauth2\" }];\n expect(evaluateSecuritySchemes(schemes, undefined)).toBeUndefined();\n });\n\n it(\"fails an oauth2-only tool with no token (invalid_token / 401)\", () => {\n expect(\n evaluateSecuritySchemes([{ type: \"oauth2\" }], undefined)?.error,\n ).toBe(\"invalid_token\");\n });\n\n it(\"fails when the token is missing a required scope (insufficient_scope / 403)\", () => {\n const schemes: SecurityScheme[] = [\n { type: \"oauth2\", scopes: [\"checkout\"] },\n ];\n expect(evaluateSecuritySchemes(schemes, authInfo([\"openid\"]))?.error).toBe(\n \"insufficient_scope\",\n );\n });\n\n it(\"passes when the token carries every required scope\", () => {\n const schemes: SecurityScheme[] = [\n { type: \"oauth2\", scopes: [\"checkout\"] },\n ];\n expect(\n evaluateSecuritySchemes(schemes, authInfo([\"openid\", \"checkout\"])),\n ).toBeUndefined();\n });\n\n it(\"treats an undeclared tool as auth-required, satisfied by any valid token\", () => {\n expect(evaluateSecuritySchemes(undefined, undefined)?.error).toBe(\n \"invalid_token\",\n );\n expect(evaluateSecuritySchemes(undefined, authInfo([]))).toBeUndefined();\n });\n\n it(\"carries the tool's required scopes on the failure\", () => {\n const schemes: SecurityScheme[] = [\n { type: \"oauth2\", scopes: [\"checkout\"] },\n ];\n expect(evaluateSecuritySchemes(schemes, undefined)?.scopes).toEqual([\n \"checkout\",\n ]);\n expect(\n evaluateSecuritySchemes(schemes, authInfo([\"openid\"]))?.scopes,\n ).toEqual([\"checkout\"]);\n });\n});\n\ndescribe(\"wwwAuthenticateHeader\", () => {\n it(\"names the required scopes so the client can step up\", () => {\n const header = wwwAuthenticateHeader({\n error: \"insufficient_scope\",\n description: \"Missing required scope for this tool.\",\n scopes: [\"checkout\"],\n });\n expect(header).toContain('error=\"insufficient_scope\"');\n expect(header).toContain('scope=\"checkout\"');\n });\n\n it(\"omits the scope parameter when there are none\", () => {\n const header = wwwAuthenticateHeader({\n error: \"invalid_token\",\n description: \"Sign in to use this tool.\",\n scopes: [],\n });\n expect(header).not.toContain(\"scope=\");\n });\n});\n"]}
@@ -0,0 +1,6 @@
1
+ import type { Express } from "express";
2
+ import type { SecurityScheme } from "../server.js";
3
+ import type { OAuthConfig } from "./index.js";
4
+ export type ResourceMetadataUrlResolver = (getHeader: (key: string) => string | undefined) => string;
5
+ /** Mounts the well-known OAuth metadata and bearer auth on `/mcp`. */
6
+ export declare function setupOAuth(app: Express, config: OAuthConfig, schemesByTool: Map<string, SecurityScheme[] | undefined>): ResourceMetadataUrlResolver;
@@ -0,0 +1,98 @@
1
+ import { getOAuthProtectedResourceMetadataUrl, mcpAuthMetadataRouter, } from "@modelcontextprotocol/sdk/server/auth/router.js";
2
+ import cors from "cors";
3
+ import { optionalBearerAuth, requireBearerAuth } from "../auth.js";
4
+ import { resolveServerOrigin } from "../requestOrigin.js";
5
+ import { clientPrefersInBandChallenge, evaluateSecuritySchemes, httpStatusForFailure, securitySchemesAllowAnonymous, wwwAuthenticateHeader, } from "./security-schemes.js";
6
+ import { createJwksVerifier } from "./verify.js";
7
+ /** Mounts the well-known OAuth metadata and bearer auth on `/mcp`. */
8
+ export function setupOAuth(app, config, schemesByTool) {
9
+ if (!config.verify?.issuer) {
10
+ throw new Error("oauth.verify requires an `issuer`");
11
+ }
12
+ const acceptsAnonymous = () => [...schemesByTool.values()].some(securitySchemesAllowAnonymous);
13
+ const verifier = createJwksVerifier(config.verify);
14
+ const bearer = (options) => {
15
+ const required = requireBearerAuth(options);
16
+ const optional = optionalBearerAuth(options);
17
+ return (req, res, next) => (acceptsAnonymous() ? optional : required)(req, res, next);
18
+ };
19
+ let resourceMetadataUrl;
20
+ // baseUrl known at boot: bake the resource URLs once, no Host-header trust.
21
+ if (config.baseUrl !== undefined) {
22
+ let baseUrl;
23
+ try {
24
+ baseUrl = new URL(config.baseUrl);
25
+ }
26
+ catch {
27
+ throw new Error(`oauth.baseUrl must be a valid absolute URL, got: ${JSON.stringify(config.baseUrl)}`);
28
+ }
29
+ app.use(mcpAuthMetadataRouter({
30
+ oauthMetadata: config.oauthMetadata,
31
+ resourceServerUrl: baseUrl,
32
+ scopesSupported: config.scopesSupported,
33
+ }));
34
+ const url = getOAuthProtectedResourceMetadataUrl(baseUrl);
35
+ resourceMetadataUrl = () => url;
36
+ }
37
+ else {
38
+ // No baseUrl: resolve the resource origin per request from forwarded headers
39
+ // (same precedence the framework uses for view serverUrl). Origin headers are
40
+ // pathless, so the PRM path stays at root, matching the SDK's static layout.
41
+ const resolveOrigin = (getHeader) => new URL(resolveServerOrigin(getHeader));
42
+ app.use("/.well-known/oauth-authorization-server", cors(), (_req, res) => void res.json(config.oauthMetadata));
43
+ app.use("/.well-known/oauth-protected-resource", cors(), (req, res) => {
44
+ res.json({
45
+ resource: resolveOrigin((key) => req.get(key)).href,
46
+ authorization_servers: [config.oauthMetadata.issuer],
47
+ scopes_supported: config.scopesSupported,
48
+ });
49
+ });
50
+ resourceMetadataUrl = (getHeader) => getOAuthProtectedResourceMetadataUrl(resolveOrigin(getHeader));
51
+ }
52
+ app.use("/mcp", (req, res, next) => bearer({
53
+ verifier,
54
+ requiredScopes: config.requiredScopes,
55
+ resourceMetadataUrl: resourceMetadataUrl((key) => req.get(key)),
56
+ })(req, res, next));
57
+ app.use("/mcp", (req, res, next) => {
58
+ const body = req.body;
59
+ const calls = Array.isArray(body) ? body : [body];
60
+ const auth = req.auth;
61
+ let failure;
62
+ for (const call of calls) {
63
+ const tool = call?.params?.name;
64
+ if (call?.method === "tools/call" && tool && schemesByTool.has(tool)) {
65
+ failure = evaluateSecuritySchemes(schemesByTool.get(tool), auth);
66
+ if (failure) {
67
+ break;
68
+ }
69
+ }
70
+ }
71
+ if (!failure) {
72
+ return next();
73
+ }
74
+ const challenge = wwwAuthenticateHeader(failure, resourceMetadataUrl((key) => req.get(key)));
75
+ if (clientPrefersInBandChallenge(req.get("user-agent"))) {
76
+ if (Array.isArray(body)) {
77
+ return next();
78
+ }
79
+ res.json({
80
+ jsonrpc: "2.0",
81
+ id: body?.id ?? null,
82
+ result: {
83
+ content: [{ type: "text", text: failure.description }],
84
+ isError: true,
85
+ _meta: { "mcp/www_authenticate": [challenge] },
86
+ },
87
+ });
88
+ return;
89
+ }
90
+ res.set("WWW-Authenticate", challenge);
91
+ res.status(httpStatusForFailure(failure)).json({
92
+ error: failure.error,
93
+ error_description: failure.description,
94
+ });
95
+ });
96
+ return resourceMetadataUrl;
97
+ }
98
+ //# sourceMappingURL=setup.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"setup.js","sourceRoot":"","sources":["../../../src/server/auth/setup.ts"],"names":[],"mappings":"AACA,OAAO,EACL,oCAAoC,EACpC,qBAAqB,GACtB,MAAM,iDAAiD,CAAC;AACzD,OAAO,IAAI,MAAM,MAAM,CAAC;AAGxB,OAAO,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AACnE,OAAO,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAC;AAG1D,OAAO,EACL,4BAA4B,EAC5B,uBAAuB,EACvB,oBAAoB,EAEpB,6BAA6B,EAC7B,qBAAqB,GACtB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,kBAAkB,EAAE,MAAM,aAAa,CAAC;AAMjD,sEAAsE;AACtE,MAAM,UAAU,UAAU,CACxB,GAAY,EACZ,MAAmB,EACnB,aAAwD;IAExD,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC;QAC3B,MAAM,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAC;IACvD,CAAC;IAED,MAAM,gBAAgB,GAAG,GAAG,EAAE,CAC5B,CAAC,GAAG,aAAa,CAAC,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,6BAA6B,CAAC,CAAC;IAClE,MAAM,QAAQ,GAAG,kBAAkB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IACnD,MAAM,MAAM,GAAG,CAAC,OAAoC,EAAkB,EAAE;QACtE,MAAM,QAAQ,GAAG,iBAAiB,CAAC,OAAO,CAAC,CAAC;QAC5C,MAAM,QAAQ,GAAG,kBAAkB,CAAC,OAAO,CAAC,CAAC;QAC7C,OAAO,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE,CACxB,CAAC,gBAAgB,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,CAAC,CAAC;IAC/D,CAAC,CAAC;IAEF,IAAI,mBAAgD,CAAC;IAErD,4EAA4E;IAC5E,IAAI,MAAM,CAAC,OAAO,KAAK,SAAS,EAAE,CAAC;QACjC,IAAI,OAAY,CAAC;QACjB,IAAI,CAAC;YACH,OAAO,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QACpC,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,IAAI,KAAK,CACb,oDAAoD,IAAI,CAAC,SAAS,CAChE,MAAM,CAAC,OAAO,CACf,EAAE,CACJ,CAAC;QACJ,CAAC;QACD,GAAG,CAAC,GAAG,CACL,qBAAqB,CAAC;YACpB,aAAa,EAAE,MAAM,CAAC,aAAa;YACnC,iBAAiB,EAAE,OAAO;YAC1B,eAAe,EAAE,MAAM,CAAC,eAAe;SACxC,CAAC,CACH,CAAC;QACF,MAAM,GAAG,GAAG,oCAAoC,CAAC,OAAO,CAAC,CAAC;QAC1D,mBAAmB,GAAG,GAAG,EAAE,CAAC,GAAG,CAAC;IAClC,CAAC;SAAM,CAAC;QACN,6EAA6E;QAC7E,8EAA8E;QAC9E,6EAA6E;QAC7E,MAAM,aAAa,GAAG,CAAC,SAA8C,EAAE,EAAE,CACvE,IAAI,GAAG,CAAC,mBAAmB,CAAC,SAAS,CAAC,CAAC,CAAC;QAC1C,GAAG,CAAC,GAAG,CACL,yCAAyC,EACzC,IAAI,EAAE,EACN,CAAC,IAAI,EAAE,GAAG,EAAE,EAAE,CAAC,KAAK,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,CACnD,CAAC;QACF,GAAG,CAAC,GAAG,CAAC,uCAAuC,EAAE,IAAI,EAAE,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;YACpE,GAAG,CAAC,IAAI,CAAC;gBACP,QAAQ,EAAE,aAAa,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI;gBACnD,qBAAqB,EAAE,CAAC,MAAM,CAAC,aAAa,CAAC,MAAM,CAAC;gBACpD,gBAAgB,EAAE,MAAM,CAAC,eAAe;aACzC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;QACH,mBAAmB,GAAG,CAAC,SAAS,EAAE,EAAE,CAClC,oCAAoC,CAAC,aAAa,CAAC,SAAS,CAAC,CAAC,CAAC;IACnE,CAAC;IAED,GAAG,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE,CACjC,MAAM,CAAC;QACL,QAAQ;QACR,cAAc,EAAE,MAAM,CAAC,cAAc;QACrC,mBAAmB,EAAE,mBAAmB,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;KAChE,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,CAAC,CACnB,CAAC;IAEF,GAAG,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;QAMjC,MAAM,IAAI,GAAG,GAAG,CAAC,IAAiC,CAAC;QACnD,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QAClD,MAAM,IAAI,GAAI,GAAqC,CAAC,IAAI,CAAC;QACzD,IAAI,OAAkC,CAAC;QACvC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,MAAM,IAAI,GAAG,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC;YAChC,IAAI,IAAI,EAAE,MAAM,KAAK,YAAY,IAAI,IAAI,IAAI,aAAa,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;gBACrE,OAAO,GAAG,uBAAuB,CAAC,aAAa,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,IAAI,CAAC,CAAC;gBACjE,IAAI,OAAO,EAAE,CAAC;oBACZ,MAAM;gBACR,CAAC;YACH,CAAC;QACH,CAAC;QACD,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,IAAI,EAAE,CAAC;QAChB,CAAC;QACD,MAAM,SAAS,GAAG,qBAAqB,CACrC,OAAO,EACP,mBAAmB,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAC3C,CAAC;QACF,IAAI,4BAA4B,CAAC,GAAG,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC,EAAE,CAAC;YACxD,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;gBACxB,OAAO,IAAI,EAAE,CAAC;YAChB,CAAC;YACD,GAAG,CAAC,IAAI,CAAC;gBACP,OAAO,EAAE,KAAK;gBACd,EAAE,EAAE,IAAI,EAAE,EAAE,IAAI,IAAI;gBACpB,MAAM,EAAE;oBACN,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,CAAC,WAAW,EAAE,CAAC;oBACtD,OAAO,EAAE,IAAI;oBACb,KAAK,EAAE,EAAE,sBAAsB,EAAE,CAAC,SAAS,CAAC,EAAE;iBAC/C;aACF,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QACD,GAAG,CAAC,GAAG,CAAC,kBAAkB,EAAE,SAAS,CAAC,CAAC;QACvC,GAAG,CAAC,MAAM,CAAC,oBAAoB,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC;YAC7C,KAAK,EAAE,OAAO,CAAC,KAAK;YACpB,iBAAiB,EAAE,OAAO,CAAC,WAAW;SACvC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,OAAO,mBAAmB,CAAC;AAC7B,CAAC","sourcesContent":["import type { BearerAuthMiddlewareOptions } from \"@modelcontextprotocol/sdk/server/auth/middleware/bearerAuth.js\";\nimport {\n getOAuthProtectedResourceMetadataUrl,\n mcpAuthMetadataRouter,\n} from \"@modelcontextprotocol/sdk/server/auth/router.js\";\nimport cors from \"cors\";\nimport type { Express, Request, RequestHandler } from \"express\";\nimport type { AuthInfo } from \"../auth.js\";\nimport { optionalBearerAuth, requireBearerAuth } from \"../auth.js\";\nimport { resolveServerOrigin } from \"../requestOrigin.js\";\nimport type { SecurityScheme } from \"../server.js\";\nimport type { OAuthConfig } from \"./index.js\";\nimport {\n clientPrefersInBandChallenge,\n evaluateSecuritySchemes,\n httpStatusForFailure,\n type SchemeFailure,\n securitySchemesAllowAnonymous,\n wwwAuthenticateHeader,\n} from \"./security-schemes.js\";\nimport { createJwksVerifier } from \"./verify.js\";\n\nexport type ResourceMetadataUrlResolver = (\n getHeader: (key: string) => string | undefined,\n) => string;\n\n/** Mounts the well-known OAuth metadata and bearer auth on `/mcp`. */\nexport function setupOAuth(\n app: Express,\n config: OAuthConfig,\n schemesByTool: Map<string, SecurityScheme[] | undefined>,\n): ResourceMetadataUrlResolver {\n if (!config.verify?.issuer) {\n throw new Error(\"oauth.verify requires an `issuer`\");\n }\n\n const acceptsAnonymous = () =>\n [...schemesByTool.values()].some(securitySchemesAllowAnonymous);\n const verifier = createJwksVerifier(config.verify);\n const bearer = (options: BearerAuthMiddlewareOptions): RequestHandler => {\n const required = requireBearerAuth(options);\n const optional = optionalBearerAuth(options);\n return (req, res, next) =>\n (acceptsAnonymous() ? optional : required)(req, res, next);\n };\n\n let resourceMetadataUrl: ResourceMetadataUrlResolver;\n\n // baseUrl known at boot: bake the resource URLs once, no Host-header trust.\n if (config.baseUrl !== undefined) {\n let baseUrl: URL;\n try {\n baseUrl = new URL(config.baseUrl);\n } catch {\n throw new Error(\n `oauth.baseUrl must be a valid absolute URL, got: ${JSON.stringify(\n config.baseUrl,\n )}`,\n );\n }\n app.use(\n mcpAuthMetadataRouter({\n oauthMetadata: config.oauthMetadata,\n resourceServerUrl: baseUrl,\n scopesSupported: config.scopesSupported,\n }),\n );\n const url = getOAuthProtectedResourceMetadataUrl(baseUrl);\n resourceMetadataUrl = () => url;\n } else {\n // No baseUrl: resolve the resource origin per request from forwarded headers\n // (same precedence the framework uses for view serverUrl). Origin headers are\n // pathless, so the PRM path stays at root, matching the SDK's static layout.\n const resolveOrigin = (getHeader: (key: string) => string | undefined) =>\n new URL(resolveServerOrigin(getHeader));\n app.use(\n \"/.well-known/oauth-authorization-server\",\n cors(),\n (_req, res) => void res.json(config.oauthMetadata),\n );\n app.use(\"/.well-known/oauth-protected-resource\", cors(), (req, res) => {\n res.json({\n resource: resolveOrigin((key) => req.get(key)).href,\n authorization_servers: [config.oauthMetadata.issuer],\n scopes_supported: config.scopesSupported,\n });\n });\n resourceMetadataUrl = (getHeader) =>\n getOAuthProtectedResourceMetadataUrl(resolveOrigin(getHeader));\n }\n\n app.use(\"/mcp\", (req, res, next) =>\n bearer({\n verifier,\n requiredScopes: config.requiredScopes,\n resourceMetadataUrl: resourceMetadataUrl((key) => req.get(key)),\n })(req, res, next),\n );\n\n app.use(\"/mcp\", (req, res, next) => {\n type Call = {\n id?: string | number | null;\n method?: string;\n params?: { name?: string };\n };\n const body = req.body as Call | Call[] | undefined;\n const calls = Array.isArray(body) ? body : [body];\n const auth = (req as Request & { auth?: AuthInfo }).auth;\n let failure: SchemeFailure | undefined;\n for (const call of calls) {\n const tool = call?.params?.name;\n if (call?.method === \"tools/call\" && tool && schemesByTool.has(tool)) {\n failure = evaluateSecuritySchemes(schemesByTool.get(tool), auth);\n if (failure) {\n break;\n }\n }\n }\n if (!failure) {\n return next();\n }\n const challenge = wwwAuthenticateHeader(\n failure,\n resourceMetadataUrl((key) => req.get(key)),\n );\n if (clientPrefersInBandChallenge(req.get(\"user-agent\"))) {\n if (Array.isArray(body)) {\n return next();\n }\n res.json({\n jsonrpc: \"2.0\",\n id: body?.id ?? null,\n result: {\n content: [{ type: \"text\", text: failure.description }],\n isError: true,\n _meta: { \"mcp/www_authenticate\": [challenge] },\n },\n });\n return;\n }\n res.set(\"WWW-Authenticate\", challenge);\n res.status(httpStatusForFailure(failure)).json({\n error: failure.error,\n error_description: failure.description,\n });\n });\n\n return resourceMetadataUrl;\n}\n"]}
@@ -0,0 +1 @@
1
+ export {};