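/**
 * SERV - Hosted Photon MCP Platform
 *
 * Multi-tenant MCP server hosting with OAuth 2.1 support
 *
 * NOTE(review): in this listing the generic arguments of four declarations
 * had been stripped (`Partial>` on `ServConfig.endpointConfig`, bare
 * `Promise` on `createSession`, `shutdown` and `createDevServ`). They are
 * restored below from the imports and doc comments; confirm each against
 * the generated declaration file.
 */

// Shared domain types (Tenant, Session, SessionCreateOptions, ...).
export * from './types/index.js';

// Session stores.
export {
  type SessionStore,
  type SessionConfig,
  MemorySessionStore,
  RedisSessionStore,
  createSessionStore,
} from './session/store.js';
export { KVSessionStore, type KVNamespace } from './session/kv-store.js';

// D1-backed persistence.
export { D1Client, SCHEMA as D1_SCHEMA, type D1Database } from './db/d1-client.js';
export {
  D1TenantStore,
  D1UserStore,
  D1MembershipStore,
  D1GrantStore,
  D1ElicitationStore,
} from './db/d1-stores.js';

// Local variant; `getTestToken` is re-exported from the same module.
export {
  LocalServ,
  LocalUserStore,
  LocalMembershipStore,
  createLocalServ,
  getTestToken,
  type LocalServConfig,
} from './local.js';

// JWT service, PKCE helpers and OAuth state encoding.
export {
  JwtService,
  initJwtService,
  getJwtService,
  generateCodeVerifier,
  generateCodeChallenge,
  verifyCodeChallenge,
  encodeOAuthState,
  decodeOAuthState,
} from './auth/jwt.js';

// Upstream OAuth providers, elicitations and grants.
export {
  OAuthProviderRegistry,
  OAuthFlowHandler,
  MemoryElicitationStore,
  MemoryGrantStore,
  type ElicitationStore,
  type GrantStore,
} from './auth/oauth.js';

// Token vault.
export {
  type TokenVault,
  LocalTokenVault,
  KmsTokenVault,
  createTokenVault,
  initTokenVault,
  getTokenVault,
} from './vault/token-vault.js';

// Tenant resolution and request context.
export {
  TenantResolver,
  MemoryTenantStore,
  RequestContextBuilder,
  extractTenantSlug,
  buildTenantUrl,
  buildResourceUri,
  type TenantStore,
} from './middleware/tenant.js';

// Authentication middleware and permission helpers.
export {
  AuthMiddleware,
  hasPermission,
  parseMcpSessionId,
  generateClientFingerprint,
  type UserStore,
  type MembershipStore,
} from './middleware/auth.js';

// Well-known metadata documents and client metadata (CIMD) resolution.
export {
  generateProtectedResourceMetadata,
  generateAuthServerMetadata,
  handleProtectedResourceRequest,
  handleAuthServerRequest,
  generateWwwAuthenticate,
  fetchClientMetadata,
  resolveClientMetadata,
  CimdCache,
  type WellKnownConfig,
  type ClientMetadataDocument,
  type CimdError,
  type CimdResult,
  type CimdFetchOptions,
} from './auth/well-known.js';

// Authorization-server endpoint handlers.
export {
  handleAuthorize,
  handleToken,
  handleRegister,
  handleConsent,
  handleRevoke,
  handleIntrospect,
  DEFAULT_ENDPOINT_CONFIG,
  type AuthRequest,
  type AuthResponse,
  type EndpointConfig,
  type EndpointDeps,
} from './auth/endpoints.js';
export { handleAuthServerHTTP, type AuthServerHTTPOptions } from './auth/http-adapter.js';

// SQLite-backed authorization-server and OAuth stores.
export {
  openAuthDatabase,
  SqliteAuthCodeStore,
  SqliteRefreshTokenStore,
  SqliteClientRegistry,
  SqliteConsentStore,
  SqlitePendingAuthorizationStore,
} from './auth/sqlite-stores.js';
export {
  openOauthDatabase,
  SqliteElicitationStore,
  SqliteGrantStore,
} from './auth/oauth-sqlite-stores.js';

// In-memory authorization-server stores, token and client-secret helpers.
export {
  MemoryAuthCodeStore,
  MemoryRefreshTokenStore,
  MemoryClientRegistry,
  MemoryConsentStore,
  MemoryPendingAuthorizationStore,
  generateSecureToken,
  hashClientSecret,
  verifyClientSecret,
  normalizeScopes,
  type AuthCodeStore,
  type RefreshTokenStore,
  type ClientRegistry,
  type ConsentStore,
  type PendingAuthorizationStore,
  type PendingAuthorization,
} from './auth/auth-store.js';

// Photon runtime and OAuth elicitation plumbing.
export {
  OAuthContext,
  OAuthElicitationRequired,
  createOAuthInputProvider,
  PhotonExecutor,
  isOAuthElicitationError,
  formatElicitationToolResponse,
  type OAuthAsk,
  type OAuthResponse,
  type OAuthContextConfig,
  type OAuthInputProvider,
  type ExecutorConfig,
  type ExecutionContext,
  type ExecutionResult,
} from './runtime/index.js';

import type { Tenant, Session, SessionCreateOptions } from './types/index.js';
import { type SessionStore } from './session/store.js';
import { JwtService } from './auth/jwt.js';
import { type TokenVault } from './vault/token-vault.js';
import { TenantResolver, type TenantStore } from './middleware/tenant.js';
import { AuthMiddleware, type UserStore, type MembershipStore } from './middleware/auth.js';
import { OAuthProviderRegistry, OAuthFlowHandler } from './auth/oauth.js';
import { CimdCache, type WellKnownConfig } from './auth/well-known.js';
import {
  type AuthCodeStore,
  type RefreshTokenStore,
  type ClientRegistry,
  type ConsentStore,
  type PendingAuthorizationStore,
} from './auth/auth-store.js';
import { type EndpointConfig, type EndpointDeps } from './auth/endpoints.js';
import { PhotonExecutor, type ExecutionContext } from './runtime/index.js';

/**
 * Construction options for {@link Serv}.
 *
 * Three independent secrets are required (`jwtSecret`, `encryptionKey`,
 * `stateSecret`). Use a distinct value for each and load them from a secret
 * store rather than source control, so that exposure of one does not extend
 * to the other two.
 *
 * Every store is optional and, per the field docs, falls back to an
 * in-memory (or local) implementation.
 * NOTE(review): the in-memory defaults presumably lose authorization codes,
 * refresh tokens, client registrations and consent records on restart and
 * are not shared between processes - confirm, and pass durable stores
 * outside development.
 */
export interface ServConfig {
  /** Base URL (e.g., 'https://serv.example.com') */
  baseUrl: string;
  /** Base domain for subdomain routing (e.g., 'serv.example.com') */
  baseDomain: string;
  /**
   * JWT signing secret (min 32 chars).
   * Whoever holds a signing secret can mint tokens the service accepts;
   * handle it as a credential.
   */
  jwtSecret: string;
  /** Token encryption master key (min 32 chars) */
  encryptionKey: string;
  /**
   * OAuth state encryption secret.
   * NOTE(review): no minimum length is documented here, unlike `jwtSecret`
   * and `encryptionKey` - confirm whether the constructor validates it.
   */
  stateSecret: string;
  /** Session store (optional, defaults to memory) */
  sessionStore?: SessionStore;
  /** Tenant store (optional, defaults to memory) */
  tenantStore?: TenantStore;
  /** User store (optional) */
  userStore?: UserStore;
  /** Membership store (optional) */
  membershipStore?: MembershipStore;
  /** Token vault (optional, defaults to local) */
  tokenVault?: TokenVault;
  /** Authorization-server code store (optional, defaults to memory). */
  authCodeStore?: AuthCodeStore;
  /** Refresh-token store (optional, defaults to memory). */
  refreshTokenStore?: RefreshTokenStore;
  /** DCR client registry (optional, defaults to memory). */
  clientRegistry?: ClientRegistry;
  /** Remembered-consent store (optional, defaults to memory). */
  consentStore?: ConsentStore;
  /** Paused-authorization-request store (optional, defaults to memory). */
  pendingAuthStore?: PendingAuthorizationStore;
  /**
   * Overrides for endpoint config (TTLs, first-party allowlist, loginUrl).
   * `issuer` / `authorizeUrl` / `consentUrl` are derived from the tenant
   * and can't be overridden; `loginUrl` is left open because the AS
   * adapter doesn't serve a `/login` handler — embedders MUST point it at
   * whatever login flow they actually serve (federated login, custom HTML,
   * PHOTON_SINGLE_USER short-circuit, etc.).
   *
   * NOTE(review): the type arguments were missing from this listing; the
   * omitted keys are reconstructed from the sentence above - confirm the
   * exact key set.
   */
  endpointConfig?: Partial<Omit<EndpointConfig, 'issuer' | 'authorizeUrl' | 'consentUrl'>>;
}

/**
 * Service object that owns the stores, JWT service, tenant resolver, auth
 * middleware and OAuth flow handler for a SERV deployment.
 *
 * The stores and JWT service are shared by all tenants (see
 * {@link Serv.buildEndpointDeps}), so tenant separation depends on the
 * tenant-derived URLs and on how the stores key their records, not on
 * separate instances per tenant.
 */
export declare class Serv {
  readonly config: ServConfig;
  readonly sessionStore: SessionStore;
  readonly tenantStore: TenantStore;
  readonly tokenVault: TokenVault;
  readonly jwtService: JwtService;
  readonly tenantResolver: TenantResolver;
  readonly authMiddleware: AuthMiddleware;
  readonly oauthProviders: OAuthProviderRegistry;
  readonly oauthFlow: OAuthFlowHandler;
  readonly wellKnownConfig: WellKnownConfig;
  /** Authorization-server state (see /authorize, /token, /register). */
  readonly authCodeStore: AuthCodeStore;
  readonly refreshTokenStore: RefreshTokenStore;
  readonly clientRegistry: ClientRegistry;
  readonly consentStore: ConsentStore;
  readonly pendingAuthStore: PendingAuthorizationStore;
  readonly cimdCache: CimdCache;
  private elicitationStore;
  private grantStore;
  constructor(config: ServConfig);
  /**
   * Build per-tenant endpoint dependencies for the OAuth 2.1 authorization
   * server handlers. Callers pass the resulting `EndpointDeps` to
   * `handleAuthorize` / `handleToken` / `handleRegister` / `handleConsent`.
   *
   * URLs are derived from the tenant slug unless overridden; Serv owns the
   * stores and JWT service so multiple tenants share them without coupling
   * to any HTTP framework.
   */
  buildEndpointDeps(tenant: Tenant): EndpointDeps;
  /**
   * Register an OAuth provider.
   *
   * `clientSecret` is a credential for the upstream provider; keep it out of
   * logs and error messages at the call site.
   */
  registerOAuthProvider(providerId: string, clientId: string, clientSecret: string): void;
  /**
   * Add a tenant (for development/testing)
   */
  addTenant(tenant: Tenant): void;
  /**
   * Create a session for a tenant.
   *
   * NOTE(review): the promise's type argument was missing from this listing;
   * `Session` is inferred from the imports - confirm.
   */
  createSession(options: SessionCreateOptions): Promise<Session>;
  /**
   * Generate a session token
   */
  generateToken(session: Session, tenant: Tenant): string;
  /**
   * Start an OAuth elicitation flow.
   *
   * @returns The URL for the flow and the id of the elicitation record.
   */
  startElicitation(
    session: Session,
    photonId: string,
    provider: string,
    scopes: string[]
  ): Promise<{
    url: string;
    elicitationId: string;
  }>;
  /**
   * Check if a grant exists for a photon.
   *
   * @returns `valid`, plus an optional `token`.
   * NOTE(review): `token` is presumably the stored provider token for the
   * grant - confirm, and treat the result as credential material (no
   * logging, no echoing to clients).
   */
  checkGrant(
    tenantId: string,
    photonId: string,
    provider: string,
    requiredScopes: string[],
    userId?: string
  ): Promise<{
    valid: boolean;
    token?: string;
  }>;
  /**
   * Create a PhotonExecutor for running photons with OAuth support
   */
  createExecutor(): PhotonExecutor;
  /**
   * Create an execution context for a photon
   */
  createExecutionContext(session: Session, tenant: Tenant, photonId: string): ExecutionContext;
  /**
   * Shutdown the service.
   *
   * NOTE(review): the promise's type argument was missing from this listing;
   * `void` is assumed - confirm.
   */
  shutdown(): Promise<void>;
}

/**
 * Create a SERV instance for development.
 *
 * The options carry no `jwtSecret`, `encryptionKey` or `stateSecret`, so the
 * instance must obtain them some other way.
 * NOTE(review): how those secrets are chosen is not visible in this
 * declaration - confirm before using the result anywhere other than a
 * development environment. The resolved type was missing from this listing;
 * `Serv` is assumed from the description.
 */
export declare function createDevServ(options?: {
  baseUrl?: string;
  baseDomain?: string;
}): Promise<Serv>;
//# sourceMappingURL=index.d.ts.map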