UNPKG

@juspay/neurolink

Version:

Universal AI Development Platform with working MCP integration, multi-provider support, voice (TTS/STT/realtime), and professional CLI. 58+ external MCP servers discoverable, multimodal file processing, RAG pipelines. Build, test, and deploy AI applicatio

github.com/juspay/neurolink

juspay/neurolink

271 lines (270 loc) 9.77 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
/** * NeuroLink OAuth Token Store * * Secure storage for OAuth tokens with encoding support and multi-provider capability. * Stores tokens in the user's home directory with restrictive permissions. * * Features: * - Multi-provider token storage in a single tokens.json file * - Secure file storage with 0o600 permissions * - Token expiration checking with configurable buffer * - Simple XOR-based obfuscation (not encryption, but not plaintext) * - Automatic token refresh via configurable refresher functions * - Cross-platform support (Unix/macOS/Windows) */ import type { StoredOAuthTokens, TokenRefresher } from "../types/index.js"; /** * Secure token storage for OAuth tokens with multi-provider support * * Provides persistent storage for OAuth tokens with: * - Multi-provider support in a single file * - Secure file permissions (0o600) * - Optional obfuscation/encoding * - Token expiration checking with buffer * - Automatic token refresh via configurable refreshers * * @example * ```typescript * const store = new TokenStore(); * * // Save tokens for a provider * await store.saveTokens("anthropic", { * accessToken: "sk-...", * refreshToken: "rt-...", * expiresAt: Date.now() + 3600000, * tokenType: "Bearer", * }); * * // Set up automatic refresh * store.setTokenRefresher("anthropic", async (refreshToken) => { * // Call OAuth refresh endpoint * return newTokens; * }); * * // Get a valid token (auto-refreshes if needed) * const token = await store.getValidToken("anthropic"); * ``` */ export declare class TokenStore { private static readonly STORAGE_VERSION; private static readonly NEUROLINK_DIR; private static readonly TOKEN_FILE; private static readonly FILE_PERMISSIONS; private static readonly DIR_PERMISSIONS; /** Default expiration buffer: 1 hour (proactive refresh before actual expiry) */ private static readonly DEFAULT_EXPIRY_BUFFER_MS; private readonly storagePath; private readonly encryptionEnabled; private readonly encryptionKey; private readonly tokenRefreshers; private readonly inFlightRefreshes; private readonly _mutex; /** * Creates a new TokenStore instance * * @param options - Configuration options * @param options.encryptionEnabled - Whether to enable token obfuscation (default: true) * @param options.customStoragePath - Override the default storage path */ constructor(options?: { encryptionEnabled?: boolean; customStoragePath?: string; }); /** * Gets the path where tokens are stored * * @returns The absolute path to the token storage file */ getStoragePath(): string; /** * Saves OAuth tokens for a specific provider * * @param provider - The provider name (e.g., "anthropic", "openai") * @param tokens - The OAuth tokens to save * @throws TokenStoreError if storage fails */ saveTokens(provider: string, tokens: StoredOAuthTokens): Promise<void>; /** * Internal save without mutex — callers must already hold the mutex. */ private _saveTokensInternal; /** * Loads stored OAuth tokens for a specific provider * * @param provider - The provider name (e.g., "anthropic", "openai") * @returns The stored tokens, or null if not found * @throws TokenStoreError if reading fails (other than file not found) */ loadTokens(provider: string): Promise<StoredOAuthTokens | null>; /** * Internal load without mutex — callers must already hold the mutex. */ private _loadTokensInternal; /** * Clears stored tokens for a specific provider * * @param provider - The provider name (e.g., "anthropic", "openai") * @throws TokenStoreError if deletion fails */ clearTokens(provider: string): Promise<void>; private _clearTokensImpl; /** * Checks if the given tokens are expired * * @param tokens - The OAuth tokens to check * @param bufferMs - Buffer time in milliseconds before actual expiration (default: 5 minutes) * @returns true if token is expired or will expire within buffer time */ isTokenExpired(tokens: StoredOAuthTokens, bufferMs?: number): boolean; /** * Gets a valid access token for a provider, refreshing if needed * * If the stored token is expired or about to expire, and a refresher * function has been set, it will automatically refresh the token. * * @param provider - The provider name (e.g., "anthropic", "openai") * @returns The valid access token, or null if not available * @throws TokenStoreError if refresh fails */ getValidToken(provider: string): Promise<string | null>; private _getValidTokenImpl; /** * Sets the token refresher function for a provider * * The refresher function will be called automatically when getValidToken * detects that the stored token is expired or about to expire. * * @param provider - The provider name (e.g., "anthropic", "openai") * @param refresher - Function that takes a refresh token and returns new tokens */ setTokenRefresher(provider: string, refresher: TokenRefresher): void; /** * Removes the token refresher function for a provider * * @param provider - The provider name (e.g., "anthropic", "openai") */ clearTokenRefresher(provider: string): void; /** * Checks if tokens exist for a specific provider * * @param provider - The provider name (e.g., "anthropic", "openai") * @returns true if tokens are stored for the provider */ hasTokens(provider: string): Promise<boolean>; /** * Lists all providers that have stored tokens * * @returns Array of provider names */ listProviders(): Promise<string[]>; /** * Lists all provider keys that start with the given prefix * * @param prefix - The prefix to filter by (e.g., "anthropic:") * @returns Array of matching provider keys */ listByPrefix(prefix: string): Promise<string[]>; /** * Marks a provider's tokens as permanently disabled (persisted to disk). * * Disabled accounts are skipped immediately by consumers — no wasted * round-trips. The state survives proxy restarts because it is stored * alongside the tokens in the JSON file. * * @param provider - The provider key (e.g., "anthropic:user@example.com") * @param reason - Optional human-readable reason (e.g., "refresh_failed") */ markDisabled(provider: string, reason?: string): Promise<void>; /** * Re-enables a previously disabled provider (persisted to disk). * * Clears the disabled flag, timestamp, and reason so the account can * be used again by the proxy pool. * * @param provider - The provider key (e.g., "anthropic:user@example.com") */ markEnabled(provider: string): Promise<void>; /** * Checks whether a provider's tokens are currently disabled. * * Returns false for providers that don't exist in the store (no tokens * at all) and for entries that predate the disabled field (backward compat). * * @param provider - The provider key * @returns true if the provider entry exists and is disabled */ isDisabled(provider: string): Promise<boolean>; /** * Lists all provider keys that are currently disabled. * * @returns Array of disabled provider keys (empty if none or no storage file) */ listDisabled(): Promise<string[]>; /** * Removes expired and unrefreshable token entries from disk. * * An entry is pruned when: * - Its access token is expired (with optional buffer) AND it has no * refresh token, AND it is NOT manually disabled. * * Manually disabled entries are preserved so that `auth enable` can * re-enable them later. They are only removed via explicit `clearTokens`. * * @param bufferMs - Extra buffer in milliseconds to subtract from expiresAt * when checking expiry (default: 0 — strict expiry check) * @returns Array of provider keys that were removed */ pruneExpired(bufferMs?: number): Promise<string[]>; /** * Clears all stored tokens for all providers * * @throws TokenStoreError if deletion fails */ clearAllTokens(): Promise<void>; /** * Loads the storage data from file */ private loadStorageData; /** * Saves storage data to file */ private saveStorageData; /** * Deletes the storage file */ private deleteStorageFile; /** * Validates token structure */ private validateTokens; /** * Ensures the storage directory exists with proper permissions */ private ensureDirectory; /** * Derives an encoding key from machine-specific information * This provides basic obfuscation - for production use, consider * using proper encryption with a user-provided key or system keychain */ private deriveEncryptionKey; /** * Simple XOR-based obfuscation * Note: This is NOT cryptographically secure, just basic obfuscation * For production use, consider using node:crypto with proper encryption */ private obfuscate; /** * Reverses the XOR obfuscation */ private deobfuscate; } /** * Default token store singleton instance * Uses default configuration with encryption enabled */ export declare const tokenStore: TokenStore; /** * Alias for backward compatibility * @deprecated Use tokenStore instead */ export declare const defaultTokenStore: TokenStore;