@agentadmit/sdk 1.0.0

package/dist/config.d.ts

@@ -0,0 +1,64 @@
+/**
+ * agentadmit/config.ts
+ * Configuration loader for AgentAdmit Node.js SDK.
+ *
+ * IMPORTANT: AgentAdmit uses MANDATORY hosted introspection.
+ * All token validation goes through api.agentadmit.com.
+ * There is no self-hosted mode. No local JWT validation. No bypass.
+ * This is required for security, audit logging, and scope enforcement.
+ */
+export interface ScopeDefinition {
+    name: string;
+    description: string;
+    category?: string;
+    role?: string;
+}
+export interface DurationOption {
+    label: string;
+    seconds: number | null;
+}
+export interface TierDefinition {
+    name: string;
+    connections_limit: number;
+    api_calls_monthly?: number;
+    hard_cap: boolean;
+    overage_per_thousand?: number;
+}
+export interface StorageConfig {
+    backend: 'mongodb' | 'memory';
+    uri?: string;
+    database?: string;
+    connections_collection?: string;
+    audit_log_collection?: string;
+    tokens_collection?: string;
+}
+export interface AgentAdmitConfig {
+    app_name: string;
+    app_id: string;
+    api_key: string;
+    api_base_url: string;
+    agentadmit_api_url: string;
+    agentadmit_verify_url: string;
+    token_prefix_connection: string;
+    token_prefix_access: string;
+    algorithm: string;
+    audience: string;
+    connection_token_ttl: number;
+    scopes: ScopeDefinition[];
+    durations: DurationOption[];
+    tiers: TierDefinition[];
+    default_tier: string;
+    storage: StorageConfig;
+    route_prefix: string;
+    discovery_path: string;
+    user_lookup_field: string;
+    private_key_path: string;
+    public_key_path: string;
+    /** Max retries on 429 before throwing RateLimitError. Default: 3. */
+    max_retries: number;
+}
+export declare function loadConfig(configPath?: string): AgentAdmitConfig;
+export declare function getConfig(): AgentAdmitConfig;
+export declare function getScopeMetadata(): ScopeDefinition[];
+export declare function getDurationOptions(): DurationOption[];
+export declare function getTierLimits(tierName: string): TierDefinition | undefined;

package/dist/config.js

@@ -0,0 +1,92 @@
+"use strict";
+/**
+ * agentadmit/config.ts
+ * Configuration loader for AgentAdmit Node.js SDK.
+ *
+ * IMPORTANT: AgentAdmit uses MANDATORY hosted introspection.
+ * All token validation goes through api.agentadmit.com.
+ * There is no self-hosted mode. No local JWT validation. No bypass.
+ * This is required for security, audit logging, and scope enforcement.
+ */
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.loadConfig = loadConfig;
+exports.getConfig = getConfig;
+exports.getScopeMetadata = getScopeMetadata;
+exports.getDurationOptions = getDurationOptions;
+exports.getTierLimits = getTierLimits;
+const fs_1 = __importDefault(require("fs"));
+const js_yaml_1 = __importDefault(require("js-yaml"));
+const DEFAULT_CONFIG = {
+    app_name: 'My App',
+    app_id: '',
+    api_key: '',
+    api_base_url: 'http://localhost:3000',
+    agentadmit_api_url: 'https://api.agentadmit.com',
+    agentadmit_verify_url: 'https://api.agentadmit.com/v1/verify',
+    token_prefix_connection: 'ag_ct_',
+    token_prefix_access: 'ag_at_',
+    algorithm: 'RS256',
+    audience: 'agentadmit',
+    connection_token_ttl: 900,
+    scopes: [],
+    durations: [
+        { label: '1 Hour', seconds: 3600 },
+        { label: '24 Hours', seconds: 86400 },
+        { label: '7 Days', seconds: 604800 },
+        { label: '30 Days', seconds: 2592000 },
+        { label: 'Until I Revoke', seconds: null },
+    ],
+    tiers: [
+        { name: 'trial', connections_limit: 3, hard_cap: true },
+        { name: 'standard', connections_limit: 100, api_calls_monthly: 2000000, hard_cap: false },
+    ],
+    default_tier: 'standard',
+    storage: {
+        backend: 'mongodb',
+        uri: 'mongodb://localhost:27017',
+        database: 'agentadmit',
+        connections_collection: 'agentadmit_connections',
+        audit_log_collection: 'agentadmit_audit_log',
+        tokens_collection: 'agentadmit_tokens',
+    },
+    route_prefix: '/agentadmit',
+    discovery_path: '/.well-known/agentadmit',
+    user_lookup_field: 'user_id',
+    max_retries: 3,
+};
+let _config = null;
+function loadConfig(configPath = 'agentadmit.yaml') {
+    let resolvedPath = configPath;
+    if (!fs_1.default.existsSync(resolvedPath)) {
+        const envPath = process.env.AGENTADMIT_CONFIG;
+        if (envPath && fs_1.default.existsSync(envPath)) {
+            resolvedPath = envPath;
+        }
+        else {
+            throw new Error(`Config file not found: ${configPath}. Run 'agentadmit init' to generate one.`);
+        }
+    }
+    const raw = js_yaml_1.default.load(fs_1.default.readFileSync(resolvedPath, 'utf-8')) || {};
+    _config = { ...DEFAULT_CONFIG, ...raw };
+    console.log(`[AgentAdmit] Config loaded: ${resolvedPath} (${_config.scopes.length} scopes)`);
+    return _config;
+}
+function getConfig() {
+    if (!_config) {
+        throw new Error('AgentAdmit config not loaded. Call loadConfig() first.');
+    }
+    return _config;
+}
+function getScopeMetadata() {
+    return getConfig().scopes;
+}
+function getDurationOptions() {
+    return getConfig().durations;
+}
+function getTierLimits(tierName) {
+    const config = getConfig();
+    return config.tiers.find(t => t.name === tierName) || config.tiers.find(t => t.name === config.default_tier);
+}

package/dist/errors.d.ts

@@ -0,0 +1,41 @@
+/**
+ * agentadmit/errors.ts
+ * Custom error types for the AgentAdmit Node.js SDK.
+ */
+/**
+ * Thrown when the AgentAdmit introspection endpoint returns HTTP 429
+ * and all retry attempts (with exponential backoff) have been exhausted.
+ *
+ * @example
+ * ```ts
+ * import { validateAgentToken, RateLimitError } from '@agentadmit/sdk';
+ *
+ * try {
+ *   await validateAgentToken(token);
+ * } catch (err) {
+ *   if (err instanceof RateLimitError) {
+ *     res.status(429).json({
+ *       error: 'rate_limited',
+ *       retry_after: err.retryAfter,
+ *     });
+ *   }
+ * }
+ * ```
+ */
+export declare class RateLimitError extends Error {
+    /** Seconds to wait before retrying (from Retry-After header), or null. */
+    readonly retryAfter: number | null;
+    /** Total request limit for the current window (X-RateLimit-Limit), or null. */
+    readonly limit: number | null;
+    /** Requests remaining in the current window (X-RateLimit-Remaining), or null. */
+    readonly remaining: number | null;
+    /** Unix timestamp when the rate limit window resets (X-RateLimit-Reset), or null. */
+    readonly reset: number | null;
+    constructor(options?: {
+        message?: string;
+        retryAfter?: number | null;
+        limit?: number | null;
+        remaining?: number | null;
+        reset?: number | null;
+    });
+}

package/dist/errors.js

@@ -0,0 +1,38 @@
+"use strict";
+/**
+ * agentadmit/errors.ts
+ * Custom error types for the AgentAdmit Node.js SDK.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RateLimitError = void 0;
+/**
+ * Thrown when the AgentAdmit introspection endpoint returns HTTP 429
+ * and all retry attempts (with exponential backoff) have been exhausted.
+ *
+ * @example
+ * ```ts
+ * import { validateAgentToken, RateLimitError } from '@agentadmit/sdk';
+ *
+ * try {
+ *   await validateAgentToken(token);
+ * } catch (err) {
+ *   if (err instanceof RateLimitError) {
+ *     res.status(429).json({
+ *       error: 'rate_limited',
+ *       retry_after: err.retryAfter,
+ *     });
+ *   }
+ * }
+ * ```
+ */
+class RateLimitError extends Error {
+    constructor(options = {}) {
+        super(options.message ?? 'AgentAdmit rate limit exceeded. Max retries exhausted.');
+        this.name = 'RateLimitError';
+        this.retryAfter = options.retryAfter ?? null;
+        this.limit = options.limit ?? null;
+        this.remaining = options.remaining ?? null;
+        this.reset = options.reset ?? null;
+    }
+}
+exports.RateLimitError = RateLimitError;

package/dist/index.d.ts

@@ -0,0 +1,13 @@
+/**
+ * @agentadmit/sdk — Node.js SDK for AgentAdmit
+ *
+ * User-mediated AI agent authorization. Plug-and-play for Express and Next.js.
+ */
+export { loadConfig, getConfig, getScopeMetadata, getDurationOptions, getTierLimits } from './config';
+export type { AgentAdmitConfig, ScopeDefinition, DurationOption, TierDefinition, StorageConfig } from './config';
+export { generateKeyPair, loadPrivateKey, loadPublicKey } from './keys';
+export { StorageBackend, MongoDBStorage, MemoryStorage, createStorage } from './storage';
+export { validateAgentToken, requireScope, requireScopeIfAgent, resolveAuth, checkConnectionCap, setStorage, setUserVerifier, } from './auth';
+export type { AgentContext } from './auth';
+export { createAgentAdmitRouter } from './routes';
+export { RateLimitError } from './errors';

package/dist/index.js

@@ -0,0 +1,34 @@
+"use strict";
+/**
+ * @agentadmit/sdk — Node.js SDK for AgentAdmit
+ *
+ * User-mediated AI agent authorization. Plug-and-play for Express and Next.js.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RateLimitError = exports.createAgentAdmitRouter = exports.setUserVerifier = exports.setStorage = exports.checkConnectionCap = exports.resolveAuth = exports.requireScopeIfAgent = exports.requireScope = exports.validateAgentToken = exports.createStorage = exports.MemoryStorage = exports.MongoDBStorage = exports.loadPublicKey = exports.loadPrivateKey = exports.generateKeyPair = exports.getTierLimits = exports.getDurationOptions = exports.getScopeMetadata = exports.getConfig = exports.loadConfig = void 0;
+var config_1 = require("./config");
+Object.defineProperty(exports, "loadConfig", { enumerable: true, get: function () { return config_1.loadConfig; } });
+Object.defineProperty(exports, "getConfig", { enumerable: true, get: function () { return config_1.getConfig; } });
+Object.defineProperty(exports, "getScopeMetadata", { enumerable: true, get: function () { return config_1.getScopeMetadata; } });
+Object.defineProperty(exports, "getDurationOptions", { enumerable: true, get: function () { return config_1.getDurationOptions; } });
+Object.defineProperty(exports, "getTierLimits", { enumerable: true, get: function () { return config_1.getTierLimits; } });
+var keys_1 = require("./keys");
+Object.defineProperty(exports, "generateKeyPair", { enumerable: true, get: function () { return keys_1.generateKeyPair; } });
+Object.defineProperty(exports, "loadPrivateKey", { enumerable: true, get: function () { return keys_1.loadPrivateKey; } });
+Object.defineProperty(exports, "loadPublicKey", { enumerable: true, get: function () { return keys_1.loadPublicKey; } });
+var storage_1 = require("./storage");
+Object.defineProperty(exports, "MongoDBStorage", { enumerable: true, get: function () { return storage_1.MongoDBStorage; } });
+Object.defineProperty(exports, "MemoryStorage", { enumerable: true, get: function () { return storage_1.MemoryStorage; } });
+Object.defineProperty(exports, "createStorage", { enumerable: true, get: function () { return storage_1.createStorage; } });
+var auth_1 = require("./auth");
+Object.defineProperty(exports, "validateAgentToken", { enumerable: true, get: function () { return auth_1.validateAgentToken; } });
+Object.defineProperty(exports, "requireScope", { enumerable: true, get: function () { return auth_1.requireScope; } });
+Object.defineProperty(exports, "requireScopeIfAgent", { enumerable: true, get: function () { return auth_1.requireScopeIfAgent; } });
+Object.defineProperty(exports, "resolveAuth", { enumerable: true, get: function () { return auth_1.resolveAuth; } });
+Object.defineProperty(exports, "checkConnectionCap", { enumerable: true, get: function () { return auth_1.checkConnectionCap; } });
+Object.defineProperty(exports, "setStorage", { enumerable: true, get: function () { return auth_1.setStorage; } });
+Object.defineProperty(exports, "setUserVerifier", { enumerable: true, get: function () { return auth_1.setUserVerifier; } });
+var routes_1 = require("./routes");
+Object.defineProperty(exports, "createAgentAdmitRouter", { enumerable: true, get: function () { return routes_1.createAgentAdmitRouter; } });
+var errors_1 = require("./errors");
+Object.defineProperty(exports, "RateLimitError", { enumerable: true, get: function () { return errors_1.RateLimitError; } });

package/dist/keys.d.ts

@@ -0,0 +1,12 @@
+/**
+ * agentadmit/keys.ts
+ *
+ * DEPRECATED — AgentAdmit is a hosted service.
+ *
+ * All cryptographic operations (key generation, JWT signing, JWKS serving)
+ * are performed by the AgentAdmit hosted service. The SDK does NOT generate
+ * or load RSA key pairs. Calling any function in this module will throw.
+ */
+export declare function generateKeyPair(_outputDir?: string): never;
+export declare function loadPrivateKey(_keyPath?: string): never;
+export declare function loadPublicKey(_keyPath?: string): never;

package/dist/keys.js

@@ -0,0 +1,29 @@
+"use strict";
+/**
+ * agentadmit/keys.ts
+ *
+ * DEPRECATED — AgentAdmit is a hosted service.
+ *
+ * All cryptographic operations (key generation, JWT signing, JWKS serving)
+ * are performed by the AgentAdmit hosted service. The SDK does NOT generate
+ * or load RSA key pairs. Calling any function in this module will throw.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.generateKeyPair = generateKeyPair;
+exports.loadPrivateKey = loadPrivateKey;
+exports.loadPublicKey = loadPublicKey;
+function generateKeyPair(_outputDir) {
+    throw new Error('[AgentAdmit] generateKeyPair() is not supported. ' +
+        'AgentAdmit is a hosted service — all key management is handled server-side. ' +
+        'Remove any calls to generateKeyPair() from your codebase.');
+}
+function loadPrivateKey(_keyPath) {
+    throw new Error('[AgentAdmit] loadPrivateKey() is not supported. ' +
+        'AgentAdmit is a hosted service — JWT signing is handled by the hosted service. ' +
+        'Remove any calls to loadPrivateKey() from your codebase.');
+}
+function loadPublicKey(_keyPath) {
+    throw new Error('[AgentAdmit] loadPublicKey() is not supported. ' +
+        'AgentAdmit is a hosted service — token verification uses hosted introspection. ' +
+        'Remove any calls to loadPublicKey() from your codebase.');
+}

package/dist/routes.d.ts

@@ -0,0 +1,26 @@
+/**
+ * agentadmit/routes.ts
+ * Express router with all AgentAdmit endpoints.
+ *
+ * ALL token operations go through the AgentAdmit hosted service. The SDK does
+ * NOT sign JWTs, generate RSA keys, or serve JWKS endpoints. The hosted service
+ * owns all cryptographic operations.
+ */
+import { Router, Request } from 'express';
+import { StorageBackend } from './storage';
+interface RouterOptions {
+    storage: StorageBackend;
+    getCurrentUser: (req: Request) => Promise<Record<string, any> | null>;
+    determineRole?: (user: Record<string, any>) => string;
+    getUserTier?: (user: Record<string, any>) => string;
+    validateScopes?: (scopes: string[], user: Record<string, any>) => {
+        valid: boolean;
+        invalid: string[];
+    };
+    getEndpointsForScopes?: (scopes: string[]) => Record<string, any>[];
+}
+export declare function createAgentAdmitRouter(options: RouterOptions): {
+    wellknownRouter: Router;
+    agentadmitRouter: Router;
+};
+export {};

package/dist/routes.js

@@ -0,0 +1,209 @@
+"use strict";
+/**
+ * agentadmit/routes.ts
+ * Express router with all AgentAdmit endpoints.
+ *
+ * ALL token operations go through the AgentAdmit hosted service. The SDK does
+ * NOT sign JWTs, generate RSA keys, or serve JWKS endpoints. The hosted service
+ * owns all cryptographic operations.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createAgentAdmitRouter = createAgentAdmitRouter;
+const express_1 = require("express");
+const crypto_1 = require("crypto");
+const config_1 = require("./config");
+const auth_1 = require("./auth");
+const AGENTADMIT_VERSION = '0.1';
+/**
+ * Make an authenticated request to the AgentAdmit hosted service.
+ */
+async function callHostedService(path, body) {
+    const config = (0, config_1.getConfig)();
+    const url = `${config.agentadmit_api_url.replace(/\/$/, '')}${path}`;
+    const resp = await fetch(url, {
+        method: 'POST',
+        headers: {
+            'Authorization': `Bearer ${config.api_key}`,
+            'Content-Type': 'application/json',
+            'X-App-Id': config.app_id,
+        },
+        body: JSON.stringify(body),
+    });
+    const data = await resp.json().catch(() => ({}));
+    return { status: resp.status, data };
+}
+function createAgentAdmitRouter(options) {
+    const config = (0, config_1.getConfig)();
+    const { storage, getCurrentUser } = options;
+    const determineRole = options.determineRole || (() => 'user');
+    const getUserTier = options.getUserTier || (() => config.default_tier);
+    const getEndpointsForScopes = options.getEndpointsForScopes || (() => []);
+    const validateScopes = options.validateScopes || ((scopes) => {
+        const validNames = new Set(config.scopes.map(s => s.name));
+        const invalid = scopes.filter(s => !validNames.has(s));
+        return { valid: invalid.length === 0, invalid };
+    });
+    const wellknownRouter = (0, express_1.Router)();
+    const agentadmitRouter = (0, express_1.Router)();
+    // Discovery
+    wellknownRouter.get('/.well-known/agentadmit', (_req, res) => {
+        const base = config.api_base_url.replace(/\/$/, '');
+        res.json({
+            agentadmit_version: AGENTADMIT_VERSION,
+            issuer: base,
+            app_name: config.app_name,
+            app_id: config.app_id,
+            api_base_url: base,
+            agentadmit_service_url: config.agentadmit_api_url,
+            scopes_endpoint: `${base}${config.route_prefix}/scopes`,
+            discovery_endpoint: `${base}${config.route_prefix}/discovery`,
+            connections_endpoint: `${base}${config.route_prefix}/connections`,
+            scopes_supported: config.scopes.map(s => s.name),
+            roles_supported: [...new Set(config.scopes.map(s => s.role || 'user'))],
+            duration_options: (0, config_1.getDurationOptions)(),
+        });
+    });
+    // Scopes
+    agentadmitRouter.get('/scopes', (_req, res) => {
+        res.json({
+            scopes: (0, config_1.getScopeMetadata)(),
+            roles: [...new Set(config.scopes.map(s => s.role || 'user'))],
+        });
+    });
+    // Durations
+    agentadmitRouter.get('/durations', (_req, res) => {
+        res.json({ durations: (0, config_1.getDurationOptions)() });
+    });
+    // Generate connection token — calls hosted service
+    agentadmitRouter.post('/connections/generate-token', async (req, res) => {
+        try {
+            const currentUser = await getCurrentUser(req);
+            if (!currentUser)
+                return res.status(401).json({ error: 'unauthorized' });
+            const { scopes, duration_seconds, label } = req.body;
+            if (!scopes || !Array.isArray(scopes)) {
+                return res.status(400).json({ error: 'invalid_request', error_description: 'scopes array required' });
+            }
+            const validation = validateScopes(scopes, currentUser);
+            if (!validation.valid) {
+                return res.status(400).json({ error: 'invalid_scope', invalid_scopes: validation.invalid });
+            }
+            const duration = duration_seconds || config.connection_token_ttl;
+            const userId = currentUser[config.user_lookup_field];
+            const role = determineRole(currentUser);
+            const userTier = getUserTier(currentUser);
+            await (0, auth_1.checkConnectionCap)(userId, userTier);
+            // Call AgentAdmit hosted service
+            const { status, data } = await callHostedService(`/api/v1/apps/${config.app_id}/token`, {
+                user_id: String(userId),
+                scopes,
+                duration_hours: Math.max(1, Math.floor(duration / 3600)),
+                label: label ?? null,
+                user_role: role,
+                metadata: { subscription_tier: userTier, app_name: config.app_name },
+            });
+            if (status !== 200 && status !== 201) {
+                console.error('[AgentAdmit] Hosted token generation failed:', status, data);
+                return res.status(502).json({ error: 'token_generation_failed', error_description: 'Authorization service could not generate token' });
+            }
+            // Store local record
+            // Use hosted service's connection_id if provided; generate a local fallback
+            // to prevent duplicate-key errors when hosting service omits it.
+            await storage.storeConnection({
+                connection_id: data.connection_id || `conn_${(0, crypto_1.randomBytes)(16).toString('base64url')}`,
+                user_id: String(userId),
+                scopes,
+                role,
+                agent_label: label,
+                duration_seconds: duration,
+                status: 'active',
+            });
+            res.json({
+                connection_token: data.token || data.connection_token,
+                expires_in: duration,
+                scopes,
+            });
+        }
+        catch (err) {
+            console.error('[AgentAdmit] Generate token error:', err);
+            res.status(500).json({ error: 'server_error', error_description: err.message });
+        }
+    });
+    // Token exchange — forwards to hosted service
+    agentadmitRouter.post('/token', async (req, res) => {
+        try {
+            const { grant_type, connection_token, agent_id, agent_label, agent_metadata } = req.body;
+            if (grant_type !== 'connection_token') {
+                return res.status(400).json({ error: 'unsupported_grant_type' });
+            }
+            if (!connection_token) {
+                return res.status(400).json({ error: 'invalid_request', error_description: 'connection_token required' });
+            }
+            // Forward to AgentAdmit hosted service
+            const { status, data } = await callHostedService('/api/v1/exchange', {
+                token: connection_token,
+                agent_label: agent_label ?? null,
+                agent_id: agent_id ?? null,
+                agent_metadata: agent_metadata ?? null,
+            });
+            if (status !== 200) {
+                return res.status(status < 500 ? status : 502).json(data);
+            }
+            // Add endpoint map if available
+            if (getEndpointsForScopes && data.scopes) {
+                data.endpoints = getEndpointsForScopes(data.scopes);
+            }
+            res.json(data);
+        }
+        catch (err) {
+            const status = err.statusCode || 500;
+            res.status(status).json(err.detail || { error: 'server_error', error_description: err.message });
+        }
+    });
+    // List connections
+    agentadmitRouter.get('/connections', async (req, res) => {
+        try {
+            const currentUser = await getCurrentUser(req);
+            if (!currentUser)
+                return res.status(401).json({ error: 'unauthorized' });
+            const userId = currentUser[config.user_lookup_field];
+            const connections = await storage.listConnections(userId);
+            res.json({ connections, total: connections.length });
+        }
+        catch {
+            res.status(500).json({ error: 'server_error' });
+        }
+    });
+    // Delete connection — also notifies hosted service
+    agentadmitRouter.delete('/connections/:connectionId', async (req, res) => {
+        try {
+            const currentUser = await getCurrentUser(req);
+            if (!currentUser)
+                return res.status(401).json({ error: 'unauthorized' });
+            const userId = currentUser[config.user_lookup_field];
+            const conn = await storage.getConnection(req.params.connectionId);
+            if (!conn || conn.user_id !== String(userId)) {
+                return res.status(404).json({ error: 'not_found' });
+            }
+            if (conn.status !== 'active') {
+                return res.status(400).json({ error: 'already_revoked' });
+            }
+            // Notify hosted service
+            try {
+                await callHostedService('/api/v1/revoke', {
+                    connection_id: req.params.connectionId,
+                    reason: 'user_requested',
+                });
+            }
+            catch (e) {
+                console.warn('[AgentAdmit] Hosted revoke failed, revoking locally:', e);
+            }
+            await storage.revokeConnection(req.params.connectionId);
+            res.json({ revoked: true, connection_id: req.params.connectionId });
+        }
+        catch {
+            res.status(500).json({ error: 'server_error' });
+        }
+    });
+    return { wellknownRouter, agentadmitRouter };
+}

package/dist/storage.d.ts

@@ -0,0 +1,62 @@
+/**
+ * agentadmit/storage.ts
+ * Abstract storage interface + MongoDB + Memory implementations.
+ */
+export interface StorageBackend {
+    storeConnection(connection: Record<string, any>): Promise<void>;
+    getConnection(connectionId: string): Promise<Record<string, any> | null>;
+    getActiveConnection(connectionId: string): Promise<Record<string, any> | null>;
+    updateConnection(connectionId: string, updates: Record<string, any>): Promise<boolean>;
+    revokeConnection(connectionId: string): Promise<boolean>;
+    listConnections(userId: string): Promise<Record<string, any>[]>;
+    countActiveConnections(userId: string): Promise<number>;
+    storeToken(tokenRecord: Record<string, any>): Promise<void>;
+    getToken(tokenHash: string): Promise<Record<string, any> | null>;
+    markTokenUsed(tokenHash: string): Promise<boolean>;
+    logAccess(entry: Record<string, any>): Promise<void>;
+    countAuditCalls(userId: string, periodStart: Date, periodEnd: Date): Promise<number>;
+    getUser(userId: string, lookupField: string): Promise<Record<string, any> | null>;
+}
+export declare class MongoDBStorage implements StorageBackend {
+    private db;
+    private connections;
+    private auditLog;
+    private tokens;
+    private users;
+    constructor(uri: string, database: string, connectionsCollection: string, auditLogCollection: string, tokensCollection: string);
+    setUsersCollection(name: string): void;
+    storeConnection(connection: Record<string, any>): Promise<void>;
+    getConnection(connectionId: string): Promise<Record<string, any> | null>;
+    getActiveConnection(connectionId: string): Promise<Record<string, any> | null>;
+    updateConnection(connectionId: string, updates: Record<string, any>): Promise<boolean>;
+    revokeConnection(connectionId: string): Promise<boolean>;
+    listConnections(userId: string): Promise<Record<string, any>[]>;
+    countActiveConnections(userId: string): Promise<number>;
+    storeToken(tokenRecord: Record<string, any>): Promise<void>;
+    getToken(tokenHash: string): Promise<Record<string, any> | null>;
+    markTokenUsed(tokenHash: string): Promise<boolean>;
+    logAccess(entry: Record<string, any>): Promise<void>;
+    countAuditCalls(userId: string, periodStart: Date, periodEnd: Date): Promise<number>;
+    getUser(userId: string, lookupField?: string): Promise<Record<string, any> | null>;
+}
+export declare class MemoryStorage implements StorageBackend {
+    private _connections;
+    private _tokens;
+    private _auditLog;
+    private _users;
+    storeConnection(connection: Record<string, any>): Promise<void>;
+    getConnection(connectionId: string): Promise<Record<string, any> | null>;
+    getActiveConnection(connectionId: string): Promise<Record<string, any> | null>;
+    updateConnection(connectionId: string, updates: Record<string, any>): Promise<boolean>;
+    revokeConnection(connectionId: string): Promise<boolean>;
+    listConnections(userId: string): Promise<Record<string, any>[]>;
+    countActiveConnections(userId: string): Promise<number>;
+    storeToken(tokenRecord: Record<string, any>): Promise<void>;
+    getToken(tokenHash: string): Promise<Record<string, any> | null>;
+    markTokenUsed(tokenHash: string): Promise<boolean>;
+    logAccess(entry: Record<string, any>): Promise<void>;
+    countAuditCalls(userId: string, periodStart: Date, periodEnd: Date): Promise<number>;
+    getUser(userId: string, lookupField?: string): Promise<Record<string, any> | null>;
+    addTestUser(userId: string, data: Record<string, any>): void;
+}
+export declare function createStorage(config: any): StorageBackend;