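/**
 * Well-Known Endpoints
 *
 * Implements RFC 9728 (Protected Resource Metadata) and RFC 8414 (Authorization Server Metadata)
 *
 * This is a declaration file: it describes the public surface only. Every
 * validation rule mentioned below (HTTPS-only, allowlist matching, TTL
 * handling) is enforced in the implementation, not here.
 */
import type { ProtectedResourceMetadata, AuthorizationServerMetadata, Tenant } from '../types/index.js';

export interface WellKnownConfig {
    /**
     * Base URL for SERV (e.g., 'https://serv.example.com')
     *
     * NOTE(review): presumably the metadata URLs are derived from this value;
     * it should come from static configuration, not from a request's Host
     * header. Confirm against the implementation.
     */
    baseUrl: string;
    /** Scopes supported by SERV */
    scopesSupported?: string[];
    /** Documentation URL */
    documentationUrl?: string;
}

/**
 * Generate protected resource metadata for a tenant
 *
 * @param config - Deployment-wide settings (base URL, scopes, documentation URL).
 * @param tenant - Tenant the metadata document is generated for.
 * @returns The protected resource metadata document for that tenant.
 */
export declare function generateProtectedResourceMetadata(config: WellKnownConfig, tenant: Tenant): ProtectedResourceMetadata;

/**
 * Generate authorization server metadata for a tenant
 *
 * @param config - Deployment-wide settings (base URL, scopes, documentation URL).
 * @param tenant - Tenant the metadata document is generated for.
 * @returns The authorization server metadata document for that tenant.
 */
export declare function generateAuthServerMetadata(config: WellKnownConfig, tenant: Tenant): AuthorizationServerMetadata;

/**
 * Shape of a client metadata document (CIMD) obtained by resolving a client_id.
 *
 * Every field is supplied by the remote client. Values such as `client_name`,
 * `client_uri` and `logo_uri` are untrusted data and should be escaped or
 * validated before they are rendered or dereferenced.
 */
export interface ClientMetadataDocument {
    client_id: string;
    client_name?: string;
    client_uri?: string;
    logo_uri?: string;
    /** The only required field besides `client_id`; see the `missing_redirect_uris` error. */
    redirect_uris: string[];
    grant_types?: string[];
    response_types?: string[];
    scope?: string;
    contacts?: string[];
    tos_uri?: string;
    policy_uri?: string;
}

/**
 * Error taxonomy for CIMD resolution failures. Maps to OAuth `invalid_client`
 * with distinct `error_description` so callers can diagnose misconfiguration.
 *
 * The member names indicate the checks the resolver applies (HTTPS scheme,
 * domain allowlist, client_id match, presence of redirect_uris, timeout).
 * The exact conditions are not visible from this declaration.
 */
export type CimdError = 'not_https' | 'fetch_failed' | 'http_error' | 'invalid_json' | 'client_id_mismatch' | 'missing_redirect_uris' | 'domain_not_allowed' | 'timeout';

/**
 * Outcome of a CIMD resolution.
 *
 * All fields other than `ok` are optional, so the type does not tie
 * `metadata` to `ok === true`. Callers must check `ok` before reading
 * `metadata` and must treat a missing `metadata` as a failure.
 */
export interface CimdResult {
    ok: boolean;
    metadata?: ClientMetadataDocument;
    error?: CimdError;
    errorDescription?: string;
    /** NOTE(review): presumably true when the result was served from `CimdCache` — confirm. */
    fromCache?: boolean;
}

export interface CimdFetchOptions {
    /**
     * Allowlist of hostnames; supports exact match or leading wildcard (*.claude.ai). Empty = allow all.
     *
     * Because an empty or omitted list allows every host, the server will
     * fetch whatever HTTPS URL a client presents as its client_id.
     * Deployments that accept client_ids from unknown parties should set an
     * allowlist.
     * NOTE(review): confirm in the implementation that (a) wildcard matching
     * is anchored on a label boundary, so `*.example.test` does not match
     * `notexample.test`, and (b) loopback, private and link-local
     * destinations and cross-host redirects are refused even when the list
     * is empty.
     */
    allowedDomains?: string[];
    /** Cache to consult/update. If omitted, fetch is uncached. */
    cache?: CimdCache;
    /**
     * Override fetch for testing.
     *
     * Production callers should leave this unset: whatever function is
     * passed here performs the outbound request on the resolver's behalf.
     */
    fetchImpl?: typeof fetch;
}

/**
 * Resolve a CIMD client_id to its metadata document with full validation,
 * caching, and domain-allowlist enforcement.
 *
 * @param clientId - The client_id to resolve; the `not_https` error shows that a non-HTTPS value is rejected.
 * @param opts - Allowlist, cache and fetch override; all optional.
 * @returns A structured result; failures are reported through `error` and `errorDescription`.
 */
export declare function resolveClientMetadata(clientId: string, opts?: CimdFetchOptions): Promise<CimdResult>;

/**
 * @deprecated Use resolveClientMetadata for structured errors + caching.
 * Retained for callers that only need the happy-path document.
 *
 * This signature takes no options, so callers cannot pass an allowlist or a
 * cache through it.
 * NOTE(review): the type argument of the returned Promise was missing in the
 * reviewed copy. `ClientMetadataDocument | null` is inferred from the
 * "happy-path document" wording — confirm against the implementation.
 */
export declare function fetchClientMetadata(clientId: string): Promise<ClientMetadataDocument | null>;

/** One cached metadata document together with its revalidation and expiry data. */
interface CimdCacheEntry {
    metadata: ClientMetadataDocument;
    etag?: string;
    /** NOTE(review): presumably an absolute epoch-milliseconds timestamp — confirm. */
    expiresAt: number;
}

/**
 * LRU cache for CIMD metadata. Eviction on insert past capacity.
 *
 * NOTE(review): whether `get` filters out expired entries or leaves that to
 * the caller is not visible from this declaration — confirm before relying
 * on it.
 */
export declare class CimdCache {
    private capacity;
    private entries;
    constructor(capacity?: number);
    get(clientId: string): CimdCacheEntry | undefined;
    set(clientId: string, entry: CimdCacheEntry): void;
    clear(): void;
    size(): number;
}

/** Decides whether `hostname` passes `allowlist`; see `CimdFetchOptions.allowedDomains` for the documented rules. */
declare function isDomainAllowed(hostname: string, allowlist?: string[]): boolean;

/**
 * Derives a cache lifetime in milliseconds from a fetch response.
 *
 * NOTE(review): the response comes from the remote client's server. Confirm
 * the implementation clamps the lifetime to a sane maximum, so a remote
 * header cannot keep stale metadata cached indefinitely.
 */
declare function resolveTtlMs(response: Response): number;

/**
 * Internal exports for tests only.
 */
export declare const __test__: {
    isDomainAllowed: typeof isDomainAllowed;
    resolveTtlMs: typeof resolveTtlMs;
};

/**
 * Handle /.well-known/oauth-protected-resource request
 *
 * @returns A framework-neutral response: status code, header map and serialized body.
 */
export declare function handleProtectedResourceRequest(config: WellKnownConfig, tenant: Tenant): {
    status: number;
    headers: Record<string, string>;
    body: string;
};

/**
 * Handle /.well-known/oauth-authorization-server request
 *
 * @returns A framework-neutral response: status code, header map and serialized body.
 */
export declare function handleAuthServerRequest(config: WellKnownConfig, tenant: Tenant): {
    status: number;
    headers: Record<string, string>;
    body: string;
};

/**
 * Generate WWW-Authenticate header for 401 responses
 *
 * @param baseUrl - Base URL of the deployment.
 * @param tenant - Tenant the challenge is issued for.
 * @param error - Optional OAuth error code to include in the challenge.
 * @param errorDescription - Optional human-readable detail to include in the challenge.
 * @returns The header value as a single string.
 *
 * NOTE(review): `error` and `errorDescription` end up inside a header value.
 * If either can carry caller-influenced text, confirm the implementation
 * escapes double quotes and rejects CR/LF.
 */
export declare function generateWwwAuthenticate(baseUrl: string, tenant: Tenant, error?: string, errorDescription?: string): string;

export {};
//# sourceMappingURL=well-known.d.ts.map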