@agentforge-io/core 0.2.0

package/dist/services/connector-registry.service.js

@@ -0,0 +1,278 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ConnectorRegistryService = exports.InMemoryAuthorizeStateStore = exports.ConnectorError = void 0;
+const crypto_1 = require("crypto");
+class ConnectorError extends Error {
+    constructor(code, message) {
+        super(message);
+        this.code = code;
+        this.status =
+            code === 'unknown_connector' || code === 'not_connected'
+                ? 404
+                : code === 'not_configured'
+                    ? 409
+                    : 400;
+    }
+}
+exports.ConnectorError = ConnectorError;
+class InMemoryAuthorizeStateStore {
+    constructor() {
+        this.map = new Map();
+    }
+    set(state, value) {
+        this.map.set(state, value);
+        // 10-minute TTL: trash unconsumed states so dead callbacks don't pile up.
+        setTimeout(() => this.map.delete(state), 10 * 60 * 1000).unref?.();
+    }
+    consume(state) {
+        const v = this.map.get(state) ?? null;
+        if (v)
+            this.map.delete(state);
+        return v;
+    }
+}
+exports.InMemoryAuthorizeStateStore = InMemoryAuthorizeStateStore;
+/**
+ * Central registry for OAuth-based connectors. Holds the in-memory map of
+ * `ConnectorDefinition`s, drives the OAuth dance via `OAuth2Service`,
+ * encrypts/persists tokens via `cipher` + `authRepo`, and on each agent
+ * run synthesises per-user tool definitions whose handlers receive a
+ * fresh access token.
+ *
+ * The lifecycle is intentionally not "register tools globally at boot" —
+ * doing so would leak one user's tools to another. Instead, callers ask
+ * the registry for `toolsForUser(userId)` and merge the result into the
+ * ToolRegistry's per-call view.
+ */
+class ConnectorRegistryService {
+    constructor(deps) {
+        this.deps = deps;
+        this.defs = new Map();
+        /**
+         * Connectors whose client creds are present. The registry treats the
+         * "catalog" (which providers we *support*) as separate from the
+         * "configured" set (which ones can actually run an OAuth flow). Hosts
+         * call `setConfigured(id, def)` when secrets land and `markUnconfigured`
+         * when they're cleared — neither call removes the definition from the
+         * catalog, so the Directory always shows the full grid.
+         */
+        this.configured = new Set();
+        this.stateStore = deps.stateStore ?? new InMemoryAuthorizeStateStore();
+        this.refreshSkewSeconds = deps.refreshSkewSeconds ?? 60;
+    }
+    /**
+     * Register a connector into the catalog. Catalog registration is one-shot
+     * (per-id) and unrelated to credential availability — call this at boot
+     * for every provider the platform supports. To then mark it as ready for
+     * OAuth flows, follow up with `setConfigured()` once creds resolve.
+     */
+    register(def) {
+        if (this.defs.has(def.id)) {
+            throw new Error(`Connector "${def.id}" already registered`);
+        }
+        this.defs.set(def.id, def);
+    }
+    /**
+     * Mark a registered connector as configured AND refresh its definition.
+     * The definition is replaced because OAuth `clientId` / `clientSecret`
+     * live inside it — when the operator rotates creds the def itself
+     * changes. Existing per-user `ConnectorAuth` rows keep working: tokens
+     * are provider-issued, not tied to the client secret.
+     */
+    setConfigured(def) {
+        this.defs.set(def.id, def);
+        this.configured.add(def.id);
+    }
+    /**
+     * Mark a connector as unconfigured. The definition stays in the catalog
+     * (so the card keeps rendering with a "Needs admin setup" hint) but
+     * `startAuthorize` will refuse and per-user tools stop surfacing — we
+     * can't refresh tokens without client creds either, so silently dropping
+     * tools is friendlier than letting them 401 mid-call.
+     */
+    markUnconfigured(connectorId) {
+        return this.configured.delete(connectorId);
+    }
+    /**
+     * Hard-remove a connector from the catalog. Rarely needed — used by
+     * tests or to retire a deprecated provider. Per-user rows are NOT
+     * deleted automatically; the caller is responsible for that cleanup.
+     */
+    unregister(connectorId) {
+        this.configured.delete(connectorId);
+        return this.defs.delete(connectorId);
+    }
+    isConfigured(connectorId) {
+        return this.configured.has(connectorId);
+    }
+    list() {
+        return Array.from(this.defs.values());
+    }
+    get(connectorId) {
+        const def = this.defs.get(connectorId);
+        if (!def) {
+            throw new ConnectorError('unknown_connector', `No connector registered with id "${connectorId}"`);
+        }
+        return def;
+    }
+    // ─── OAuth flow ──────────────────────────────────────────────────────────
+    async startAuthorize(connectorId, userId, redirectUri) {
+        const def = this.get(connectorId);
+        if (!this.configured.has(connectorId)) {
+            throw new ConnectorError('not_configured', `Connector "${connectorId}" is not configured — the operator must ` +
+                `set its OAuth credentials before users can connect.`);
+        }
+        const { url, state, pkceVerifier } = this.deps.oauth.buildAuthorizeUrl(def.oauth, redirectUri);
+        await this.stateStore.set(state, {
+            userId,
+            connectorId,
+            pkceVerifier,
+            createdAt: Date.now(),
+        });
+        return { url };
+    }
+    /**
+     * Complete the OAuth callback. Verifies the `state`, exchanges the code
+     * for tokens, encrypts them, and upserts the `ConnectorAuth` row.
+     *
+     * Returns the resolved connector id so the caller can redirect the user
+     * back to the directory page with confirmation.
+     */
+    async completeAuthorize(state, code, redirectUri) {
+        const ctx = await this.stateStore.consume(state);
+        if (!ctx) {
+            throw new ConnectorError('invalid_state', 'OAuth state is unknown or expired');
+        }
+        const def = this.get(ctx.connectorId);
+        let tokens;
+        try {
+            tokens = await this.deps.oauth.exchangeCode(def.oauth, code, redirectUri, ctx.pkceVerifier);
+        }
+        catch (e) {
+            throw new ConnectorError('token_exchange_failed', e.message);
+        }
+        await this.upsertAuth(ctx.userId, ctx.connectorId, tokens);
+        return { connectorId: ctx.connectorId, userId: ctx.userId };
+    }
+    // ─── Per-user listing ────────────────────────────────────────────────────
+    async listForUser(userId) {
+        const authed = await this.deps.authRepo.listForUser(userId);
+        const byId = new Map(authed.map((a) => [a.connectorId, a]));
+        return this.list().map((def) => {
+            const a = byId.get(def.id);
+            return {
+                connectorId: def.id,
+                name: def.name,
+                description: def.description,
+                category: def.category,
+                iconUrl: def.iconUrl,
+                configured: this.configured.has(def.id),
+                connected: !!a && a.isActive,
+                accountLabel: a?.accountLabel,
+                connectedAt: a?.createdAt,
+            };
+        });
+    }
+    async disconnect(userId, connectorId) {
+        const a = await this.deps.authRepo.findByUserAndConnector(userId, connectorId);
+        if (!a)
+            throw new ConnectorError('not_connected', 'No active auth row');
+        await this.deps.authRepo.delete(a.id);
+    }
+    // ─── Per-user tool synthesis ─────────────────────────────────────────────
+    /**
+     * Returns the toolbelt for `userId`: one `AgentToolDefinition` per tool
+     * of every connector the user has authorized. Each handler is bound to a
+     * `ConnectorToolContext` whose `getAccessToken` lazy-refreshes when the
+     * cached token is close to expiry.
+     */
+    async toolsForUser(userId) {
+        const authed = await this.deps.authRepo.listForUser(userId);
+        const tools = [];
+        for (const a of authed) {
+            if (!a.isActive)
+                continue;
+            // Skip connectors whose creds were yanked from the secrets vault —
+            // we'd 401 inside the refresh step anyway, and the agent gets a
+            // useless tool. The auth row is left intact so the user gets their
+            // toolbelt back the moment the operator re-supplies creds.
+            if (!this.configured.has(a.connectorId))
+                continue;
+            const def = this.defs.get(a.connectorId);
+            if (!def)
+                continue;
+            const ctx = {
+                userId,
+                connectorId: a.connectorId,
+                getAccessToken: () => this.getAccessToken(a),
+            };
+            for (const factory of def.tools) {
+                tools.push({ ...factory.definition, execute: factory.build(ctx) });
+            }
+        }
+        return tools;
+    }
+    // ─── Internals ───────────────────────────────────────────────────────────
+    async upsertAuth(userId, connectorId, tokens) {
+        const existing = await this.deps.authRepo.findByUserAndConnector(userId, connectorId);
+        const expiresAt = tokens.expiresIn
+            ? new Date(Date.now() + tokens.expiresIn * 1000)
+            : undefined;
+        const accessTokenEncrypted = this.deps.cipher.encrypt(tokens.accessToken);
+        const refreshTokenEncrypted = tokens.refreshToken
+            ? this.deps.cipher.encrypt(tokens.refreshToken)
+            : undefined;
+        if (existing) {
+            await this.deps.authRepo.update(existing.id, {
+                accessTokenEncrypted,
+                // Some providers (Google) don't return a refresh_token on
+                // re-consent — keep the old one in that case.
+                ...(refreshTokenEncrypted ? { refreshTokenEncrypted } : {}),
+                expiresAt,
+                scope: tokens.scope,
+                isActive: true,
+            });
+        }
+        else {
+            await this.deps.authRepo.create({
+                id: (0, crypto_1.randomUUID)(),
+                userId,
+                connectorId,
+                accessTokenEncrypted,
+                refreshTokenEncrypted,
+                expiresAt,
+                scope: tokens.scope,
+                isActive: true,
+            });
+        }
+    }
+    async getAccessToken(a) {
+        const skewMs = this.refreshSkewSeconds * 1000;
+        const stillValid = !a.expiresAt || a.expiresAt.getTime() - Date.now() > skewMs;
+        if (stillValid) {
+            return this.deps.cipher.decrypt(a.accessTokenEncrypted);
+        }
+        if (!a.refreshTokenEncrypted) {
+            // No refresh token + expired access token = the user has to re-auth.
+            // Returning the stale token would just produce a confusing 401 from
+            // the provider; surfacing it explicitly is friendlier.
+            throw new ConnectorError('not_connected', `Token for ${a.connectorId} expired and no refresh token is available; user must re-authorize`);
+        }
+        const def = this.get(a.connectorId);
+        const refreshPlain = this.deps.cipher.decrypt(a.refreshTokenEncrypted);
+        const fresh = await this.deps.oauth.refresh(def.oauth, refreshPlain);
+        const expiresAt = fresh.expiresIn
+            ? new Date(Date.now() + fresh.expiresIn * 1000)
+            : undefined;
+        await this.deps.authRepo.update(a.id, {
+            accessTokenEncrypted: this.deps.cipher.encrypt(fresh.accessToken),
+            ...(fresh.refreshToken
+                ? { refreshTokenEncrypted: this.deps.cipher.encrypt(fresh.refreshToken) }
+                : {}),
+            expiresAt,
+            scope: fresh.scope,
+        });
+        return fresh.accessToken;
+    }
+}
+exports.ConnectorRegistryService = ConnectorRegistryService;

package/dist/services/conversation.service.d.ts

@@ -0,0 +1,47 @@
+import type { ConversationRepository, MessageRepository } from '../repositories';
+import type { Conversation, Message } from '../domain/conversation';
+import type { ConversationHistory, TokenUsage, ToolCallRecord } from '../types/agent.types';
+export declare class ConversationNotFoundError extends Error {
+    status: number;
+    code: string;
+    constructor(id: string);
+}
+export declare class ConversationService {
+    private readonly convRepo;
+    private readonly msgRepo;
+    constructor(convRepo: ConversationRepository, msgRepo: MessageRepository);
+    create(params: {
+        userId: string;
+        agentId: string;
+        title?: string;
+        metadata?: Record<string, unknown>;
+    }): Promise<Conversation>;
+    addMessage(params: {
+        conversationId: string;
+        userId: string;
+        role: 'user' | 'assistant' | 'system';
+        content: string;
+        toolCalls?: ToolCallRecord[];
+        usage?: TokenUsage;
+    }): Promise<Message>;
+    /** Throws on not-found OR cross-user access. */
+    private loadOwned;
+    getHistory(conversationId: string, userId: string): Promise<ConversationHistory>;
+    getAnthropicMessages(conversationId: string, userId: string): Promise<Array<{
+        role: 'user' | 'assistant';
+        content: string;
+    }>>;
+    listForUser(userId: string, options?: {
+        agentId?: string;
+        limit?: number;
+        offset?: number;
+    }): Promise<Conversation[]>;
+    ensureOwned(conversationId: string, userId: string): Promise<Conversation>;
+    /**
+     * Mark a conversation as `completed`. Callers should already have verified
+     * ownership; this just touches the status column. We keep the transcript
+     * untouched — the row stays around for admin/audit views.
+     */
+    markCompleted(conversationId: string): Promise<void>;
+    private mapMessage;
+}

package/dist/services/conversation.service.js

@@ -0,0 +1,101 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ConversationService = exports.ConversationNotFoundError = void 0;
+class ConversationNotFoundError extends Error {
+    constructor(id) {
+        super(`Conversation "${id}" not found`);
+        this.status = 404;
+        this.code = 'conversation_not_found';
+    }
+}
+exports.ConversationNotFoundError = ConversationNotFoundError;
+class ConversationService {
+    constructor(convRepo, msgRepo) {
+        this.convRepo = convRepo;
+        this.msgRepo = msgRepo;
+    }
+    async create(params) {
+        return this.convRepo.create({
+            userId: params.userId,
+            agentId: params.agentId,
+            title: params.title,
+            metadata: params.metadata,
+            status: 'active',
+            totalInputTokens: 0,
+            totalOutputTokens: 0,
+            messageCount: 0,
+        });
+    }
+    async addMessage(params) {
+        const msg = await this.msgRepo.create({
+            conversationId: params.conversationId,
+            userId: params.userId,
+            role: params.role,
+            content: params.content,
+            toolCalls: params.toolCalls,
+            usage: params.usage,
+        });
+        await this.convRepo.updateStats(params.conversationId, {
+            addInputTokens: params.usage?.inputTokens,
+            addOutputTokens: params.usage?.outputTokens,
+            addMessages: 1,
+        });
+        return msg;
+    }
+    /** Throws on not-found OR cross-user access. */
+    async loadOwned(conversationId, userId) {
+        const conv = await this.convRepo.findByIdForUser(conversationId, userId);
+        if (!conv) {
+            // Ambiguous on purpose — don't reveal whether the conversation exists or
+            // belongs to someone else.
+            throw new ConversationNotFoundError(conversationId);
+        }
+        return conv;
+    }
+    async getHistory(conversationId, userId) {
+        const conv = await this.loadOwned(conversationId, userId);
+        const messages = await this.msgRepo.listForConversation(conv.id, userId);
+        return {
+            conversationId: conv.id,
+            agentId: conv.agentId,
+            userId: conv.userId,
+            title: conv.title,
+            status: conv.status,
+            messages: messages.map(this.mapMessage),
+            createdAt: conv.createdAt,
+            updatedAt: conv.updatedAt,
+        };
+    }
+    async getAnthropicMessages(conversationId, userId) {
+        const conv = await this.loadOwned(conversationId, userId);
+        const messages = await this.msgRepo.listForConversation(conv.id, userId);
+        return messages
+            .filter((m) => m.role !== 'system')
+            .map((m) => ({ role: m.role, content: m.content }));
+    }
+    async listForUser(userId, options = {}) {
+        return this.convRepo.listForUser(userId, options);
+    }
+    async ensureOwned(conversationId, userId) {
+        return this.loadOwned(conversationId, userId);
+    }
+    /**
+     * Mark a conversation as `completed`. Callers should already have verified
+     * ownership; this just touches the status column. We keep the transcript
+     * untouched — the row stays around for admin/audit views.
+     */
+    async markCompleted(conversationId) {
+        await this.convRepo.updateStats(conversationId, { status: 'completed' });
+    }
+    mapMessage(msg) {
+        return {
+            id: msg.id,
+            role: msg.role,
+            content: msg.content,
+            toolCalls: msg.toolCalls,
+            usage: msg.usage,
+            createdAt: msg.createdAt,
+        };
+    }
+}
+exports.ConversationService = ConversationService;

package/dist/services/email-templates.d.ts

@@ -0,0 +1,18 @@
+export declare function verifyEmailTemplate(params: {
+    appName?: string;
+    url: string;
+    expiresInHours: number;
+}): {
+    subject: string;
+    html: string;
+    text: string;
+};
+export declare function passwordResetTemplate(params: {
+    appName?: string;
+    url: string;
+    expiresInMinutes: number;
+}): {
+    subject: string;
+    html: string;
+    text: string;
+};

package/dist/services/email-templates.js

@@ -0,0 +1,39 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.verifyEmailTemplate = verifyEmailTemplate;
+exports.passwordResetTemplate = passwordResetTemplate;
+const wrapper = (body) => `<!doctype html>
+<html><head><meta charset="utf-8" /></head>
+<body style="font-family: -apple-system, BlinkMacSystemFont, system-ui, sans-serif; background:#f4f4f7; padding:24px; color:#111;">
+  <div style="max-width:520px;margin:0 auto;background:#fff;border-radius:12px;padding:32px;box-shadow:0 2px 8px rgba(0,0,0,0.04);">
+    ${body}
+  </div>
+  <p style="text-align:center;color:#888;font-size:12px;margin-top:16px;">Powered by AgentForge</p>
+</body></html>`;
+const button = (url, label) => `<a href="${url}" style="display:inline-block;background:#7c5cff;color:#fff;padding:12px 22px;border-radius:8px;text-decoration:none;font-weight:600;font-size:14px;">${label}</a>`;
+function verifyEmailTemplate(params) {
+    const appName = params.appName ?? 'your account';
+    return {
+        subject: 'Confirm your email',
+        text: `Confirm your email for ${appName}: ${params.url}\n\nThis link expires in ${params.expiresInHours} hours.`,
+        html: wrapper(`
+      <h1 style="font-size:20px;margin:0 0 12px;">Confirm your email</h1>
+      <p style="margin:0 0 20px;color:#444;line-height:1.5;">Click the button below to verify your email and finish setting up ${appName}.</p>
+      ${button(params.url, 'Verify email')}
+      <p style="margin:24px 0 0;color:#888;font-size:13px;">This link expires in ${params.expiresInHours} hours. If you didn't sign up, you can ignore this email.</p>
+    `),
+    };
+}
+function passwordResetTemplate(params) {
+    const appName = params.appName ?? 'your account';
+    return {
+        subject: 'Reset your password',
+        text: `Reset your password for ${appName}: ${params.url}\n\nThis link expires in ${params.expiresInMinutes} minutes.`,
+        html: wrapper(`
+      <h1 style="font-size:20px;margin:0 0 12px;">Reset your password</h1>
+      <p style="margin:0 0 20px;color:#444;line-height:1.5;">We received a request to reset the password for ${appName}. Click below to choose a new one.</p>
+      ${button(params.url, 'Reset password')}
+      <p style="margin:24px 0 0;color:#888;font-size:13px;">This link expires in ${params.expiresInMinutes} minutes. If you didn't request a reset, you can safely ignore this email.</p>
+    `),
+    };
+}

package/dist/services/email.service.d.ts

@@ -0,0 +1,26 @@
+import type { EmailAdapter } from '../adapters/email/email-adapter.interface';
+export interface EmailServiceOptions {
+    /** Base URL the email links land on; the token is appended as `&token=` (or `?token=` if missing). */
+    verifyEmailUrl?: string;
+    resetPasswordUrl?: string;
+    /** TTL hints used in the email copy (must mirror what AuthService enforces). */
+    verifyTokenTtlHours?: number;
+    resetTokenTtlMinutes?: number;
+    /** When false, helpers do nothing and `enabled` returns false (noop adapter mode). */
+    enabled?: boolean;
+}
+export declare class EmailService {
+    private readonly adapter;
+    private readonly opts;
+    constructor(adapter: EmailAdapter, opts?: EmailServiceOptions);
+    isEnabled(): boolean;
+    sendVerifyEmail(input: {
+        to: string;
+        token: string;
+    }): Promise<void>;
+    sendPasswordResetEmail(input: {
+        to: string;
+        token: string;
+    }): Promise<void>;
+    private buildUrl;
+}

package/dist/services/email.service.js

@@ -0,0 +1,42 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.EmailService = void 0;
+const email_templates_1 = require("./email-templates");
+class EmailService {
+    constructor(adapter, opts = {}) {
+        this.adapter = adapter;
+        this.opts = opts;
+    }
+    isEnabled() {
+        return this.opts.enabled !== false;
+    }
+    async sendVerifyEmail(input) {
+        const url = this.buildUrl(this.opts.verifyEmailUrl ?? '/verify-email', input.token);
+        const ttlHours = this.opts.verifyTokenTtlHours ?? 24;
+        const tpl = (0, email_templates_1.verifyEmailTemplate)({ url, expiresInHours: ttlHours });
+        await this.adapter.send({
+            to: input.to,
+            subject: tpl.subject,
+            html: tpl.html,
+            text: tpl.text,
+            tags: { purpose: 'verify_email' },
+        });
+    }
+    async sendPasswordResetEmail(input) {
+        const url = this.buildUrl(this.opts.resetPasswordUrl ?? '/reset-password', input.token);
+        const ttlMinutes = this.opts.resetTokenTtlMinutes ?? 60;
+        const tpl = (0, email_templates_1.passwordResetTemplate)({ url, expiresInMinutes: ttlMinutes });
+        await this.adapter.send({
+            to: input.to,
+            subject: tpl.subject,
+            html: tpl.html,
+            text: tpl.text,
+            tags: { purpose: 'reset_password' },
+        });
+    }
+    buildUrl(base, token) {
+        const sep = base.includes('?') ? '&' : '?';
+        return `${base}${sep}token=${encodeURIComponent(token)}`;
+    }
+}
+exports.EmailService = EmailService;

package/dist/services/errors.d.ts

@@ -0,0 +1,7 @@
+export type AuthErrorCode = 'invalid_credentials' | 'account_disabled' | 'account_locked' | 'email_unverified' | 'email_exists' | 'invalid_token' | 'token_expired' | 'token_consumed' | 'invalid_password' | 'no_email_on_file' | 'user_not_found' | 'last_admin';
+/** Framework-agnostic auth errors. Adapters map `status` to their HTTP layer. */
+export declare class AuthError extends Error {
+    readonly code: AuthErrorCode;
+    readonly status: number;
+    constructor(code: AuthErrorCode, message: string);
+}

package/dist/services/errors.js

@@ -0,0 +1,27 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuthError = void 0;
+const STATUS = {
+    invalid_credentials: 401,
+    account_disabled: 401,
+    account_locked: 401,
+    email_unverified: 401,
+    email_exists: 409,
+    invalid_token: 400,
+    token_expired: 400,
+    token_consumed: 400,
+    invalid_password: 400,
+    no_email_on_file: 400,
+    user_not_found: 404,
+    last_admin: 409,
+};
+/** Framework-agnostic auth errors. Adapters map `status` to their HTTP layer. */
+class AuthError extends Error {
+    constructor(code, message) {
+        super(message);
+        this.code = code;
+        this.name = 'AuthError';
+        this.status = STATUS[code];
+    }
+}
+exports.AuthError = AuthError;

package/dist/services/in-memory-prepared-stream.store.d.ts

@@ -0,0 +1,13 @@
+import type { PreparedStreamPayload, PreparedStreamStore } from '../adapters/prepared-stream/prepared-stream.types';
+/**
+ * Default in-memory implementation. Single-instance deploys only. For multi-
+ * instance use the Redis-backed store (in @agentforge-io/nest or your own impl).
+ */
+export declare class InMemoryPreparedStreamStore implements PreparedStreamStore {
+    private readonly entries;
+    private sweeper?;
+    constructor();
+    put(streamId: string, payload: PreparedStreamPayload): Promise<void>;
+    takeOnce(streamId: string): Promise<PreparedStreamPayload | null>;
+    private sweep;
+}

package/dist/services/in-memory-prepared-stream.store.js

@@ -0,0 +1,35 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.InMemoryPreparedStreamStore = void 0;
+/**
+ * Default in-memory implementation. Single-instance deploys only. For multi-
+ * instance use the Redis-backed store (in @agentforge-io/nest or your own impl).
+ */
+class InMemoryPreparedStreamStore {
+    constructor() {
+        this.entries = new Map();
+        this.sweeper = setInterval(() => this.sweep(), 60_000);
+        if (typeof this.sweeper.unref === 'function')
+            this.sweeper.unref();
+    }
+    async put(streamId, payload) {
+        this.entries.set(streamId, payload);
+    }
+    async takeOnce(streamId) {
+        const entry = this.entries.get(streamId);
+        if (!entry)
+            return null;
+        this.entries.delete(streamId);
+        if (entry.expiresAt <= new Date())
+            return null;
+        return entry;
+    }
+    sweep() {
+        const now = Date.now();
+        for (const [id, entry] of this.entries) {
+            if (entry.expiresAt.getTime() <= now)
+                this.entries.delete(id);
+        }
+    }
+}
+exports.InMemoryPreparedStreamStore = InMemoryPreparedStreamStore;

package/dist/services/index.d.ts

@@ -0,0 +1,13 @@
+export { ToolRegistryService, type Logger } from './tool-registry.service';
+export { AgentRunnerService } from './agent-runner.service';
+export { PreparedStreamService, PreparedStreamError, } from './prepared-stream.service';
+export { InMemoryPreparedStreamStore } from './in-memory-prepared-stream.store';
+export { ConversationService, ConversationNotFoundError, } from './conversation.service';
+export { AgentService, AgentForbiddenError, type AgentNotFoundError, } from './agent.service';
+export { OrchestratorService, OrchestratorError, type OrchestratorServiceOptions, } from './orchestrator.service';
+export { AgentJobWorker } from './agent-job.worker';
+export { ChatTokenService, ChatTokenError, type CreateChatTokenInput, } from './chat-token.service';
+export { McpClientService, McpClientError, type McpToolHandle, } from './mcp-client.service';
+export { McpServerService, McpServerError, type CreateMcpServerInput, } from './mcp-server.service';
+export { OAuth2Service, type OAuth2ProviderConfig, type AuthorizeUrlResult, type TokenSet, } from './oauth2.service';
+export { ConnectorRegistryService, ConnectorError, InMemoryAuthorizeStateStore, type AuthorizeState, type AuthorizeStateStore, type ConnectorStatus, type TokenCipher, } from './connector-registry.service';