toolcraft 0.0.5 → 0.0.7

package/node_modules/mcp-oauth/dist/client/token-endpoint.d.ts

@@ -0,0 +1,40 @@
+import type { OAuthMetadataFetch, StoredOAuthTokens } from "./types.js";
+interface OAuthErrorShape {
+    error: string;
+    error_description?: string;
+    error_uri?: string;
+}
+export declare class OAuthError extends Error {
+    readonly error: string;
+    readonly errorDescription: string | undefined;
+    readonly errorUri: string | undefined;
+    readonly error_description: string | undefined;
+    readonly error_uri: string | undefined;
+    readonly status: number;
+    readonly retryable: boolean;
+    readonly terminal: boolean;
+    constructor(shape: OAuthErrorShape, status: number);
+}
+export declare function isRetryableOAuthError(error: unknown): error is OAuthError;
+export declare function exchangeAuthorizationCode(input: {
+    tokenEndpoint: string;
+    clientId: string;
+    clientSecret?: string;
+    code: string;
+    codeVerifier: string;
+    redirectUri: string;
+    resource: string;
+    fetch: OAuthMetadataFetch;
+    now: () => number;
+}): Promise<StoredOAuthTokens>;
+export declare function refreshAccessToken(input: {
+    tokenEndpoint: string;
+    clientId: string;
+    clientSecret?: string;
+    refreshToken: string;
+    resource: string;
+    fetch: OAuthMetadataFetch;
+    now: () => number;
+}): Promise<StoredOAuthTokens>;
+export declare function readOAuthJsonObjectResponse(response: Response): Promise<Record<string, unknown>>;
+export {};

package/node_modules/mcp-oauth/dist/client/token-endpoint.js

@@ -0,0 +1,143 @@
+import { canonicalizeResourceIndicator } from "../resource-indicator.js";
+export class OAuthError extends Error {
+    error;
+    errorDescription;
+    errorUri;
+    error_description;
+    error_uri;
+    status;
+    retryable;
+    terminal;
+    constructor(shape, status) {
+        super(shape.error_description ?? shape.error);
+        this.name = "OAuthError";
+        this.error = shape.error;
+        this.errorDescription = shape.error_description;
+        this.errorUri = shape.error_uri;
+        this.error_description = shape.error_description;
+        this.error_uri = shape.error_uri;
+        this.status = status;
+        this.retryable = isRetryableOAuthError(this);
+        this.terminal = !this.retryable;
+    }
+}
+export function isRetryableOAuthError(error) {
+    return (error instanceof OAuthError
+        && (error.status >= 500
+            || error.error === "server_error"
+            || error.error === "temporarily_unavailable"));
+}
+export async function exchangeAuthorizationCode(input) {
+    const resource = canonicalizeResourceIndicator(input.resource);
+    return requestTokens({
+        tokenEndpoint: input.tokenEndpoint,
+        clientId: input.clientId,
+        clientSecret: input.clientSecret,
+        params: {
+            grant_type: "authorization_code",
+            code: input.code,
+            code_verifier: input.codeVerifier,
+            redirect_uri: input.redirectUri,
+            resource,
+        },
+        fetch: input.fetch,
+        now: input.now,
+    });
+}
+export async function refreshAccessToken(input) {
+    const resource = canonicalizeResourceIndicator(input.resource);
+    return requestTokens({
+        tokenEndpoint: input.tokenEndpoint,
+        clientId: input.clientId,
+        clientSecret: input.clientSecret,
+        params: {
+            grant_type: "refresh_token",
+            refresh_token: input.refreshToken,
+            resource,
+        },
+        fetch: input.fetch,
+        now: input.now,
+    });
+}
+async function requestTokens(input) {
+    const body = new URLSearchParams({
+        client_id: input.clientId,
+        ...input.params,
+    });
+    if (input.clientSecret !== undefined) {
+        body.set("client_secret", input.clientSecret);
+    }
+    const response = await input.fetch(input.tokenEndpoint, {
+        method: "POST",
+        headers: {
+            "Content-Type": "application/x-www-form-urlencoded",
+        },
+        body: body.toString(),
+    });
+    const payload = await readOAuthJsonObjectResponse(response);
+    if (typeof payload.access_token !== "string" || payload.access_token.length === 0) {
+        throw new Error("OAuth token response missing access_token");
+    }
+    const tokenType = normalizeBearerTokenType(payload.token_type);
+    if (tokenType === null) {
+        throw new Error("OAuth token response missing token_type=Bearer");
+    }
+    return {
+        accessToken: payload.access_token,
+        refreshToken: typeof payload.refresh_token === "string" && payload.refresh_token.length > 0
+            ? payload.refresh_token
+            : undefined,
+        tokenType,
+        expiresAt: typeof payload.expires_in === "number" && Number.isFinite(payload.expires_in)
+            ? input.now() + (payload.expires_in * 1000)
+            : null,
+        scope: typeof payload.scope === "string" && payload.scope.length > 0
+            ? payload.scope
+            : undefined,
+    };
+}
+export async function readOAuthJsonObjectResponse(response) {
+    const fallbackError = createFallbackOAuthError(response.status);
+    let payload;
+    try {
+        payload = await response.json();
+    }
+    catch {
+        if (!response.ok) {
+            throw fallbackError;
+        }
+        throw new Error("OAuth response must be a JSON object");
+    }
+    if (typeof payload !== "object" || payload === null || Array.isArray(payload)) {
+        if (!response.ok) {
+            throw fallbackError;
+        }
+        throw new Error("OAuth response must be a JSON object");
+    }
+    const record = payload;
+    if (!response.ok) {
+        throw new OAuthError(readOAuthError(record, fallbackError.error), response.status);
+    }
+    return record;
+}
+function readOAuthError(payload, fallbackError = "server_error") {
+    return {
+        error: typeof payload.error === "string" ? payload.error : fallbackError,
+        error_description: typeof payload.error_description === "string"
+            ? payload.error_description
+            : undefined,
+        error_uri: typeof payload.error_uri === "string"
+            ? payload.error_uri
+            : undefined,
+    };
+}
+function createFallbackOAuthError(status) {
+    const error = status === 503 ? "temporarily_unavailable" : "server_error";
+    return new OAuthError({ error }, status);
+}
+function normalizeBearerTokenType(value) {
+    if (typeof value !== "string") {
+        return null;
+    }
+    return value.toLowerCase() === "bearer" ? "Bearer" : null;
+}

package/node_modules/mcp-oauth/dist/client/types.d.ts

@@ -0,0 +1,113 @@
+import type http from "node:http";
+import type { CreateSecretStoreInput } from "auth-store";
+export type OAuthMetadataFetch = (input: string | URL, init?: RequestInit) => Promise<Response>;
+export interface OAuthProtectedResourceMetadata extends Record<string, unknown> {
+    resource: string;
+    authorization_servers: string[];
+}
+export interface OAuthAuthorizationServerMetadata extends Record<string, unknown> {
+    issuer: string;
+    authorization_endpoint: string;
+    token_endpoint: string;
+    registration_endpoint?: string;
+    response_types_supported: string[];
+    code_challenge_methods_supported: string[];
+    authorization_response_iss_parameter_supported?: boolean;
+}
+export interface OAuthDiscoveryResult {
+    resource: string;
+    resourceMetadataUrl: string;
+    resourceMetadata: OAuthProtectedResourceMetadata;
+    authorizationServer: string;
+    authorizationServerMetadataUrl: string;
+    authorizationServerMetadata: OAuthAuthorizationServerMetadata;
+}
+export interface OAuthUnauthorizedChallenge {
+    scheme: "Bearer";
+    params: Record<string, string>;
+    raw: string;
+}
+export interface OAuthClientProvider {
+    authorizeRequest?(input: {
+        requestUrl: URL;
+        headers: Headers;
+        fetch: OAuthMetadataFetch;
+    }): Promise<void> | void;
+    handleUnauthorized(input: {
+        requestUrl: URL;
+        response: Response;
+        challenge: OAuthUnauthorizedChallenge | null;
+        discovery: OAuthDiscoveryResult;
+        fetch: OAuthMetadataFetch;
+    }): Promise<{
+        action: "retry";
+    } | {
+        action: "fail";
+        error?: Error;
+    }> | {
+        action: "retry";
+    } | {
+        action: "fail";
+        error?: Error;
+    };
+}
+export interface OAuthClientMetadata {
+    clientName?: string;
+    scope?: string;
+    softwareId?: string;
+    softwareVersion?: string;
+}
+export interface StoredOAuthTokens {
+    accessToken: string;
+    refreshToken?: string;
+    tokenType: "Bearer";
+    expiresAt: number | null;
+    scope?: string;
+}
+export interface StoredOAuthSession {
+    resource: string;
+    authorizationServer: string;
+    client: {
+        clientId: string;
+        clientSecret?: string;
+    };
+    tokens?: StoredOAuthTokens;
+    discovery: {
+        resourceMetadataUrl: string;
+        resourceMetadata: Record<string, unknown>;
+        authorizationServerMetadata: Record<string, unknown>;
+    };
+}
+export interface OAuthSessionStore {
+    load(resource: string): Promise<StoredOAuthSession | null>;
+    save(resource: string, session: StoredOAuthSession): Promise<void>;
+    clear(resource: string): Promise<void>;
+}
+export interface DefaultOAuthClientProviderOptions {
+    client: {
+        mode: "dynamic";
+        clientId?: string;
+        clientSecret?: string;
+        metadata?: OAuthClientMetadata;
+    } | {
+        mode: "static";
+        clientId: string;
+        clientSecret?: string;
+        metadata?: OAuthClientMetadata;
+    };
+    browser: {
+        openBrowser(url: string): Promise<void>;
+        readLine?: () => Promise<string>;
+        createServer?: () => http.Server;
+        landingPage?: {
+            title: string;
+            body: string;
+        };
+    };
+    sessionStore?: OAuthSessionStore;
+    authStore?: CreateSecretStoreInput;
+    now?: () => number;
+}
+export type OAuthClientProviderOptions = {
+    provider: OAuthClientProvider;
+} | DefaultOAuthClientProviderOptions;

package/node_modules/mcp-oauth/dist/client/types.js

@@ -0,0 +1 @@
+export {};

package/node_modules/mcp-oauth/dist/index.d.ts

@@ -0,0 +1,10 @@
+export { createAuthStoreSessionStore, } from "./client/auth-store-session-store.js";
+export { createDefaultOAuthClientProvider, createOAuthClientProvider, } from "./client/default-oauth-client-provider.js";
+export { buildSuccessPage, createLoopbackAuthorizationSession, extractCodeFromInput, } from "./client/loopback-authorization.js";
+export { generateCodeChallenge, generateCodeVerifier, } from "./client/pkce.js";
+export { OAuthError, } from "./client/token-endpoint.js";
+export { canonicalizeResourceIndicator, } from "./resource-indicator.js";
+export { createJwksTokenVerifier, } from "./server/jwks-token-verifier.js";
+export type { DefaultOAuthClientProviderOptions, OAuthAuthorizationServerMetadata, OAuthClientMetadata, OAuthClientProvider, OAuthClientProviderOptions, OAuthDiscoveryResult, OAuthMetadataFetch, OAuthProtectedResourceMetadata, OAuthSessionStore, OAuthUnauthorizedChallenge, StoredOAuthSession, StoredOAuthTokens, } from "./client/types.js";
+export type { JwksTokenVerifier, JwksTokenVerifierOptions, JwksVerifiedAccessToken, } from "./server/jwks-token-verifier.js";
+export type { LoopbackAuthorizationOptions, LoopbackAuthorizationSession, OAuthLandingPage, } from "./client/loopback-authorization.js";

package/node_modules/mcp-oauth/dist/index.js

@@ -0,0 +1,7 @@
+export { createAuthStoreSessionStore, } from "./client/auth-store-session-store.js";
+export { createDefaultOAuthClientProvider, createOAuthClientProvider, } from "./client/default-oauth-client-provider.js";
+export { buildSuccessPage, createLoopbackAuthorizationSession, extractCodeFromInput, } from "./client/loopback-authorization.js";
+export { generateCodeChallenge, generateCodeVerifier, } from "./client/pkce.js";
+export { OAuthError, } from "./client/token-endpoint.js";
+export { canonicalizeResourceIndicator, } from "./resource-indicator.js";
+export { createJwksTokenVerifier, } from "./server/jwks-token-verifier.js";

package/node_modules/mcp-oauth/dist/resource-indicator.d.ts

@@ -0,0 +1 @@
+export declare function canonicalizeResourceIndicator(value: string | URL): string;

package/node_modules/mcp-oauth/dist/resource-indicator.js

@@ -0,0 +1,11 @@
+export function canonicalizeResourceIndicator(value) {
+    let url;
+    try {
+        url = value instanceof URL ? new URL(value.toString()) : new URL(value);
+    }
+    catch {
+        throw new Error("Resource indicator must be an absolute URL");
+    }
+    url.hash = "";
+    return url.toString();
+}

package/node_modules/mcp-oauth/dist/server/jwks-token-verifier.d.ts

@@ -0,0 +1,27 @@
+type FetchLike = typeof fetch;
+export interface JwksTokenVerifierOptions {
+    jwksUrl: string | URL;
+    clockSkewSeconds?: number;
+    allowedAlgorithms?: readonly string[];
+    fetch?: FetchLike;
+}
+export interface JwksVerifiedAccessToken {
+    token: string;
+    issuer: string;
+    audience: string[];
+    scopes: string[];
+    expiresAt: number;
+    claims: Record<string, unknown>;
+    subject?: string;
+    clientId?: string;
+}
+export interface JwksTokenVerifier {
+    verify(input: {
+        token: string;
+        resource: string;
+        authorizationServers: readonly string[];
+        requiredScopes: readonly string[];
+    }): Promise<JwksVerifiedAccessToken>;
+}
+export declare function createJwksTokenVerifier(options: JwksTokenVerifierOptions): JwksTokenVerifier;
+export {};

package/node_modules/mcp-oauth/dist/server/jwks-token-verifier.js

@@ -0,0 +1,259 @@
+import { decodeProtectedHeader, errors, importJWK, jwtVerify, } from "jose";
+import { canonicalizeResourceIndicator } from "../resource-indicator.js";
+const DEFAULT_ALLOWED_ALGORITHMS = [
+    "ES256",
+    "ES384",
+    "ES512",
+    "RS256",
+    "RS384",
+    "RS512",
+    "PS256",
+    "PS384",
+    "PS512",
+    "EdDSA",
+];
+function isTokenVerificationErrorShape(error) {
+    if (!(error instanceof Error)) {
+        return false;
+    }
+    const challengeError = error;
+    return challengeError.error === "invalid_token"
+        || challengeError.error === "insufficient_scope";
+}
+function isObjectRecord(value) {
+    return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+function isStringArray(value) {
+    return Array.isArray(value) && value.every((item) => typeof item === "string");
+}
+function toUrl(value, label) {
+    try {
+        return new URL(String(value));
+    }
+    catch {
+        throw new Error(`${label} must be an absolute URL`);
+    }
+}
+function normalizeAudience(value) {
+    if (typeof value === "string") {
+        return [value];
+    }
+    return isStringArray(value) ? [...value] : [];
+}
+function normalizeVerifiedAudience(value, expectedResource) {
+    const audiences = normalizeAudience(value);
+    if (audiences.length !== 1) {
+        throw createInvalidTokenError("audience mismatch");
+    }
+    let normalizedAudience;
+    try {
+        normalizedAudience = canonicalizeResourceIndicator(audiences[0] ?? "");
+    }
+    catch {
+        throw createInvalidTokenError("audience mismatch");
+    }
+    if (normalizedAudience !== expectedResource) {
+        throw createInvalidTokenError("audience mismatch");
+    }
+    return [normalizedAudience];
+}
+function parseScopes(payload) {
+    const raw = typeof payload.scope === "string"
+        ? payload.scope
+        : typeof payload.scopes === "string"
+            ? payload.scopes
+            : null;
+    if (raw !== null) {
+        return raw
+            .split(" ")
+            .map((scope) => scope.trim())
+            .filter((scope) => scope.length > 0);
+    }
+    return isStringArray(payload.scopes) ? [...payload.scopes] : [];
+}
+function toVerifiedAccessToken(token, payload, audience = normalizeAudience(payload.aud)) {
+    return {
+        token,
+        issuer: typeof payload.iss === "string" ? payload.iss : "",
+        audience,
+        scopes: parseScopes(payload),
+        expiresAt: typeof payload.exp === "number" ? payload.exp : 0,
+        claims: { ...payload },
+        ...(typeof payload.sub === "string"
+            ? {
+                subject: payload.sub,
+            }
+            : {}),
+        ...(typeof payload.client_id === "string"
+            ? {
+                clientId: payload.client_id,
+            }
+            : {}),
+    };
+}
+function createTokenVerificationError(input) {
+    return Object.assign(new Error(input.errorDescription ?? input.error), input);
+}
+function createInvalidTokenError(errorDescription) {
+    return createTokenVerificationError({
+        error: "invalid_token",
+        errorDescription,
+    });
+}
+function normalizeVerificationError(error) {
+    if (isTokenVerificationErrorShape(error)) {
+        return error;
+    }
+    if (error instanceof errors.JWTExpired) {
+        return createInvalidTokenError("token expired");
+    }
+    if (error instanceof errors.JWTClaimValidationFailed) {
+        if (error.claim === "aud") {
+            return createInvalidTokenError("audience mismatch");
+        }
+        if (error.claim === "iss") {
+            return createInvalidTokenError("issuer mismatch");
+        }
+        if (error.claim === "nbf") {
+            return createInvalidTokenError("token not active yet");
+        }
+        if (error.claim === "exp") {
+            return createInvalidTokenError("token expired");
+        }
+    }
+    if (error instanceof errors.JOSEAlgNotAllowed
+        || error instanceof errors.JOSENotSupported) {
+        return createInvalidTokenError("unsupported token algorithm");
+    }
+    if (error instanceof errors.JWKSNoMatchingKey
+        || error instanceof errors.JWKSMultipleMatchingKeys
+        || error instanceof errors.JWSSignatureVerificationFailed) {
+        return createInvalidTokenError("token signature invalid");
+    }
+    if (error instanceof errors.JWKSInvalid) {
+        return createInvalidTokenError("invalid JWKS document");
+    }
+    if (error instanceof errors.JWKSTimeout) {
+        return createInvalidTokenError("timed out loading JWKS");
+    }
+    if (error instanceof Error) {
+        return createInvalidTokenError(error.message);
+    }
+    return createInvalidTokenError("token verification failed");
+}
+async function loadJwks(jwksUrl, fetchImplementation) {
+    const response = await fetchImplementation(jwksUrl, {
+        headers: {
+            Accept: "application/json",
+        },
+    });
+    if (!response.ok) {
+        throw createInvalidTokenError(`unable to load JWKS (${response.status})`);
+    }
+    const payload = (await response.json());
+    if (!isObjectRecord(payload) || !Array.isArray(payload.keys)) {
+        throw createInvalidTokenError("invalid JWKS document");
+    }
+    return payload;
+}
+function resolveAlgorithm(token, allowedAlgorithms) {
+    const header = decodeProtectedHeader(token);
+    const alg = header.alg;
+    if (hasCriticalHeaderClaims(header)) {
+        throw createInvalidTokenError("unsupported critical token claims");
+    }
+    if (typeof alg !== "string"
+        || alg === "none"
+        || alg.startsWith("HS")
+        || !allowedAlgorithms.includes(alg)) {
+        throw createInvalidTokenError("unsupported token algorithm");
+    }
+    return alg;
+}
+function hasCriticalHeaderClaims(header) {
+    return Array.isArray(header.crit) && header.crit.length > 0;
+}
+function isVerificationCandidate(key, alg, kid) {
+    if (kid !== undefined && key.kid !== kid) {
+        return false;
+    }
+    if (typeof key.alg === "string" && key.alg !== alg) {
+        return false;
+    }
+    if (typeof key.use === "string" && key.use !== "sig") {
+        return false;
+    }
+    if (Array.isArray(key.key_ops) && !key.key_ops.includes("verify")) {
+        return false;
+    }
+    return true;
+}
+function shouldContinueWithNextKey(error) {
+    return error instanceof errors.JWSSignatureVerificationFailed;
+}
+async function verifyJwtAgainstJwks(input) {
+    const protectedHeader = decodeProtectedHeader(input.token);
+    const kid = typeof protectedHeader.kid === "string" ? protectedHeader.kid : undefined;
+    const candidateKeys = input.jwks.keys.filter((key) => isVerificationCandidate(key, input.alg, kid));
+    if (candidateKeys.length === 0) {
+        throw createInvalidTokenError("token signature invalid");
+    }
+    let lastSignatureError;
+    for (const candidate of candidateKeys) {
+        try {
+            const key = await importJWK(candidate, input.alg);
+            return await jwtVerify(input.token, key, {
+                algorithms: [input.alg],
+                issuer: [...input.authorizationServers],
+                clockTolerance: input.clockSkewSeconds,
+            });
+        }
+        catch (error) {
+            if (shouldContinueWithNextKey(error)) {
+                lastSignatureError = error;
+                continue;
+            }
+            throw error;
+        }
+    }
+    throw lastSignatureError ?? createInvalidTokenError("token signature invalid");
+}
+export function createJwksTokenVerifier(options) {
+    const jwksUrl = toUrl(options.jwksUrl, "jwksUrl");
+    const clockSkewSeconds = options.clockSkewSeconds ?? 30;
+    const allowedAlgorithms = options.allowedAlgorithms ?? DEFAULT_ALLOWED_ALGORITHMS;
+    const fetchImplementation = options.fetch ?? globalThis.fetch;
+    if (typeof fetchImplementation !== "function") {
+        throw new Error("fetch is not available; pass options.fetch explicitly");
+    }
+    return {
+        async verify(input) {
+            const expectedResource = canonicalizeResourceIndicator(input.resource);
+            const algorithm = resolveAlgorithm(input.token, allowedAlgorithms);
+            try {
+                const jwks = await loadJwks(jwksUrl, fetchImplementation);
+                const verified = await verifyJwtAgainstJwks({
+                    token: input.token,
+                    jwks,
+                    alg: algorithm,
+                    authorizationServers: input.authorizationServers,
+                    clockSkewSeconds,
+                });
+                const audience = normalizeVerifiedAudience(verified.payload.aud, expectedResource);
+                const accessToken = toVerifiedAccessToken(input.token, verified.payload, audience);
+                if (input.requiredScopes.length > 0
+                    && !accessToken.scopes.some((scope) => input.requiredScopes.includes(scope))) {
+                    throw createTokenVerificationError({
+                        error: "insufficient_scope",
+                        errorDescription: "insufficient scope",
+                        scope: [...input.requiredScopes],
+                    });
+                }
+                return accessToken;
+            }
+            catch (error) {
+                throw normalizeVerificationError(error);
+            }
+        },
+    };
+}

package/node_modules/mcp-oauth/dist/types.compile-check.d.ts

@@ -0,0 +1 @@
+export {};

package/node_modules/mcp-oauth/dist/types.compile-check.js

@@ -0,0 +1,22 @@
+const ignoredImplicitGrantOptions = {
+    client: {
+        mode: "static",
+        clientId: "client-id",
+        // @ts-expect-error implicit response types are not configurable via the public API
+        responseType: "token",
+    },
+    browser: {
+        openBrowser: async () => { },
+    },
+};
+const ignoredPasswordGrantOptions = {
+    client: {
+        mode: "dynamic",
+        // @ts-expect-error password grants are not configurable via the public API
+        grantType: "password",
+    },
+    browser: {
+        openBrowser: async () => { },
+    },
+};
+export {};

package/node_modules/mcp-oauth/package.json

@@ -0,0 +1,31 @@
+{
+  "name": "mcp-oauth",
+  "version": "0.0.1",
+  "type": "module",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js"
+    }
+  },
+  "scripts": {
+    "build": "tsc"
+  },
+  "dependencies": {
+    "auth-store": "*",
+    "jose": "^6.1.2"
+  },
+  "devDependencies": {
+    "tiny-oauth-test-server": "*"
+  },
+  "files": [
+    "dist"
+  ],
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/poe-platform/poe-code.git",
+    "directory": "packages/mcp-oauth"
+  }
+}

package/node_modules/tiny-mcp-client/.turbo/turbo-build.log

@@ -0,0 +1,4 @@
+
+> tiny-mcp-client@0.1.0 build
+> tsc
+