@agentforge-io/core 2.0.24 → 2.1.0

package/dist/services/billing.service.js

@@ -1,254 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.BillingError = exports.BillingService = void 0;
-/**
- * Billing for the B2C path: the end user is the payer. Mirrors
- * TenantBillingService, scoped to individual users.
- */
-class BillingService {
-    constructor(users, subscriptions, usageRecords, adapter, usageService, opts) {
-        this.users = users;
-        this.subscriptions = subscriptions;
-        this.usageRecords = usageRecords;
-        this.adapter = adapter;
-        this.usageService = usageService;
-        this.opts = opts;
-    }
-    // ─── Plans ──────────────────────────────────────────────────────────────
-    async getPlans() {
-        return this.opts.plans.list();
-    }
-    async getPlan(planId) {
-        const plan = await this.opts.plans.getPlan(planId);
-        if (!plan)
-            throw new BillingError('plan_not_found', `Plan "${planId}" not found`);
-        return plan;
-    }
-    async getDefaultPlanId() {
-        return this.opts.plans.getDefaultId();
-    }
-    // ─── Checkout ───────────────────────────────────────────────────────────
-    async createCheckout(input) {
-        const user = await this.users.findById(input.userId);
-        if (!user)
-            throw new BillingError('not_found', `User "${input.userId}" not found`);
-        const plan = await this.getPlan(input.planId);
-        if (!plan.stripePriceId) {
-            throw new BillingError('plan_not_purchasable', `Plan "${input.planId}" has no stripePriceId`);
-        }
-        // Lazy-create the Stripe customer for the user.
-        let customerId = user.providerCustomerId;
-        if (!customerId) {
-            customerId = await this.adapter.createCustomer({
-                email: user.email,
-                name: user.name,
-                metadata: { userId: user.id },
-            });
-            await this.users.update(user.id, { providerCustomerId: customerId });
-        }
-        const appUrl = input.appUrl ?? this.opts.billing?.appUrl ?? 'http://localhost:3000';
-        const successUrl = input.successUrl ??
-            this.opts.billing?.successUrl ??
-            `${appUrl}/billing/success?session_id={CHECKOUT_SESSION_ID}`;
-        const cancelUrl = input.cancelUrl ?? this.opts.billing?.cancelUrl ?? `${appUrl}/billing/cancel`;
-        const session = await this.adapter.createCheckoutSession({
-            userId: input.userId,
-            planId: input.planId,
-            stripePriceId: plan.stripePriceId,
-            successUrl,
-            cancelUrl,
-        });
-        return {
-            sessionId: session.sessionId,
-            url: session.url,
-            planId: input.planId,
-            userId: input.userId,
-        };
-    }
-    // ─── Portal ─────────────────────────────────────────────────────────────
-    async getPortalUrl(userId, returnUrl) {
-        const user = await this.users.findById(userId);
-        if (!user?.providerCustomerId) {
-            throw new BillingError('no_customer', 'User does not have a billing account');
-        }
-        const portalReturn = returnUrl ??
-            this.opts.billing?.portalReturnUrl ??
-            `${this.opts.billing?.appUrl ?? 'http://localhost:3000'}/billing`;
-        const url = await this.adapter.getPortalUrl(user.providerCustomerId, portalReturn);
-        return { url };
-    }
-    // ─── Webhook ────────────────────────────────────────────────────────────
-    async handleWebhook(payload, signature) {
-        const event = await this.adapter.handleWebhook(payload, signature);
-        this.opts.logger?.log(`Processing webhook event: ${event.type}`);
-        switch (event.type) {
-            case 'checkout.session.completed':
-                await this.onCheckoutCompleted(event.data);
-                break;
-            case 'customer.subscription.updated':
-                await this.onSubscriptionUpdated(event.data);
-                break;
-            case 'customer.subscription.deleted':
-                await this.onSubscriptionDeleted(event.data);
-                break;
-            case 'invoice.payment_failed':
-                await this.onPaymentFailed(event.data);
-                break;
-            default:
-                this.opts.logger?.debug?.(`Unhandled webhook event: ${event.type}`);
-        }
-    }
-    /**
-     * Same as handleWebhook but accepts an already-verified event. Used by
-     * routers that want to dispatch a single event to both the tenant and the
-     * user-centric handlers without re-verifying the signature.
-     */
-    async handleWebhookEvent(event) {
-        switch (event.type) {
-            case 'checkout.session.completed':
-                await this.onCheckoutCompleted(event.data);
-                break;
-            case 'customer.subscription.updated':
-                await this.onSubscriptionUpdated(event.data);
-                break;
-            case 'customer.subscription.deleted':
-                await this.onSubscriptionDeleted(event.data);
-                break;
-            case 'invoice.payment_failed':
-                await this.onPaymentFailed(event.data);
-                break;
-            default:
-                this.opts.logger?.debug?.(`Unhandled webhook event: ${event.type}`);
-        }
-    }
-    async onCheckoutCompleted(data) {
-        const { metadata, subscription: subscriptionId, customer } = data;
-        if (!metadata?.userId || !metadata?.planId)
-            return;
-        const plan = await this.opts.plans.getPlan(metadata.planId);
-        if (!plan)
-            return;
-        // 30 days default; refined when we can query the provider.
-        let periodEnd = new Date(Date.now() + 30 * 24 * 60 * 60 * 1000);
-        if (subscriptionId) {
-            const sub = await this.adapter.getSubscription(subscriptionId);
-            periodEnd = sub.currentPeriodEnd;
-        }
-        const existing = await this.subscriptions.findByUserAndPlan(metadata.userId, metadata.planId);
-        if (existing) {
-            await this.subscriptions.update(existing.id, {
-                status: 'active',
-                providerSubscriptionId: subscriptionId,
-                providerCustomerId: customer,
-                currentPeriodEnd: periodEnd,
-                cancelAtPeriodEnd: false,
-            });
-        }
-        else {
-            await this.subscriptions.create({
-                userId: metadata.userId,
-                planId: metadata.planId,
-                status: 'active',
-                providerSubscriptionId: subscriptionId,
-                providerCustomerId: customer,
-                currentPeriodStart: new Date(),
-                currentPeriodEnd: periodEnd,
-                cancelAtPeriodEnd: false,
-            });
-        }
-        await this.users.update(metadata.userId, {
-            currentPlanId: metadata.planId,
-            providerCustomerId: customer,
-        });
-        this.opts.logger?.log(`User ${metadata.userId} activated plan "${metadata.planId}"`);
-    }
-    async onSubscriptionUpdated(data) {
-        const { id, status, current_period_end, cancel_at_period_end, metadata, items } = data;
-        if (!metadata?.userId)
-            return;
-        const periodEndTs = current_period_end ?? items?.data?.[0]?.current_period_end;
-        const periodEnd = typeof periodEndTs === 'number' && Number.isFinite(periodEndTs)
-            ? new Date(periodEndTs * 1000)
-            : undefined;
-        await this.subscriptions.updateByProviderId(id, {
-            status: status,
-            cancelAtPeriodEnd: cancel_at_period_end ?? false,
-            ...(periodEnd ? { currentPeriodEnd: periodEnd } : {}),
-        });
-    }
-    async onSubscriptionDeleted(data) {
-        const { id, metadata } = data;
-        await this.subscriptions.updateByProviderId(id, { status: 'canceled' });
-        if (metadata?.userId) {
-            const defaultPlanId = await this.getDefaultPlanId();
-            await this.users.update(metadata.userId, { currentPlanId: defaultPlanId });
-        }
-    }
-    async onPaymentFailed(data) {
-        const { subscription } = data;
-        if (subscription) {
-            await this.subscriptions.updateByProviderId(subscription, { status: 'past_due' });
-        }
-    }
-    // ─── Overview ───────────────────────────────────────────────────────────
-    async getOverview(userId) {
-        const user = await this.users.findById(userId);
-        const subscription = await this.subscriptions.findActiveForUser(userId);
-        const usage = await this.usageService.getSummary(userId);
-        const planId = user?.currentPlanId ?? (await this.getDefaultPlanId());
-        const plan = await this.opts.plans.getPlan(planId);
-        return {
-            subscription: subscription
-                ? {
-                    id: subscription.id,
-                    userId,
-                    planId: subscription.planId,
-                    status: subscription.status,
-                    providerSubscriptionId: subscription.providerSubscriptionId,
-                    providerCustomerId: subscription.providerCustomerId,
-                    currentPeriodStart: subscription.currentPeriodStart ?? new Date(),
-                    currentPeriodEnd: subscription.currentPeriodEnd ?? new Date(),
-                    trialEnd: subscription.trialEnd,
-                    cancelAtPeriodEnd: subscription.cancelAtPeriodEnd,
-                    createdAt: subscription.createdAt,
-                    updatedAt: subscription.updatedAt,
-                }
-                : null,
-            usage,
-            plan: {
-                id: planId,
-                name: plan?.name ?? planId,
-                features: plan?.features ?? [],
-                limits: {
-                    requestsPerMonth: plan?.limits.requestsPerMonth ?? -1,
-                    tokensPerMonth: plan?.limits.tokensPerMonth ?? -1,
-                },
-            },
-        };
-    }
-    // ─── Cancel ─────────────────────────────────────────────────────────────
-    async cancelSubscription(userId, immediately = false) {
-        const subscription = await this.subscriptions.findActiveForUser(userId);
-        if (!subscription?.providerSubscriptionId) {
-            throw new BillingError('no_active_subscription', 'No active subscription found');
-        }
-        await this.adapter.cancelSubscription(subscription.providerSubscriptionId, !immediately);
-        await this.subscriptions.update(subscription.id, {
-            cancelAtPeriodEnd: !immediately,
-            status: immediately ? 'canceled' : subscription.status,
-        });
-        if (immediately) {
-            const defaultPlanId = await this.getDefaultPlanId();
-            await this.users.update(userId, { currentPlanId: defaultPlanId });
-        }
-    }
-}
-exports.BillingService = BillingService;
-class BillingError extends Error {
-    constructor(code, message) {
-        super(message);
-        this.code = code;
-        this.status = code === 'not_found' ? 404 : 400;
-    }
-}
-exports.BillingError = BillingError;

package/dist/services/email-templates.d.ts

@@ -1,18 +0,0 @@
-export declare function verifyEmailTemplate(params: {
-    appName?: string;
-    url: string;
-    expiresInHours: number;
-}): {
-    subject: string;
-    html: string;
-    text: string;
-};
-export declare function passwordResetTemplate(params: {
-    appName?: string;
-    url: string;
-    expiresInMinutes: number;
-}): {
-    subject: string;
-    html: string;
-    text: string;
-};

package/dist/services/email-templates.js

@@ -1,39 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.verifyEmailTemplate = verifyEmailTemplate;
-exports.passwordResetTemplate = passwordResetTemplate;
-const wrapper = (body) => `<!doctype html>
-<html><head><meta charset="utf-8" /></head>
-<body style="font-family: -apple-system, BlinkMacSystemFont, system-ui, sans-serif; background:#f4f4f7; padding:24px; color:#111;">
-  <div style="max-width:520px;margin:0 auto;background:#fff;border-radius:12px;padding:32px;box-shadow:0 2px 8px rgba(0,0,0,0.04);">
-    ${body}
-  </div>
-  <p style="text-align:center;color:#888;font-size:12px;margin-top:16px;">Powered by AgentForge</p>
-</body></html>`;
-const button = (url, label) => `<a href="${url}" style="display:inline-block;background:#7c5cff;color:#fff;padding:12px 22px;border-radius:8px;text-decoration:none;font-weight:600;font-size:14px;">${label}</a>`;
-function verifyEmailTemplate(params) {
-    const appName = params.appName ?? 'your account';
-    return {
-        subject: 'Confirm your email',
-        text: `Confirm your email for ${appName}: ${params.url}\n\nThis link expires in ${params.expiresInHours} hours.`,
-        html: wrapper(`
-      <h1 style="font-size:20px;margin:0 0 12px;">Confirm your email</h1>
-      <p style="margin:0 0 20px;color:#444;line-height:1.5;">Click the button below to verify your email and finish setting up ${appName}.</p>
-      ${button(params.url, 'Verify email')}
-      <p style="margin:24px 0 0;color:#888;font-size:13px;">This link expires in ${params.expiresInHours} hours. If you didn't sign up, you can ignore this email.</p>
-    `),
-    };
-}
-function passwordResetTemplate(params) {
-    const appName = params.appName ?? 'your account';
-    return {
-        subject: 'Reset your password',
-        text: `Reset your password for ${appName}: ${params.url}\n\nThis link expires in ${params.expiresInMinutes} minutes.`,
-        html: wrapper(`
-      <h1 style="font-size:20px;margin:0 0 12px;">Reset your password</h1>
-      <p style="margin:0 0 20px;color:#444;line-height:1.5;">We received a request to reset the password for ${appName}. Click below to choose a new one.</p>
-      ${button(params.url, 'Reset password')}
-      <p style="margin:24px 0 0;color:#888;font-size:13px;">This link expires in ${params.expiresInMinutes} minutes. If you didn't request a reset, you can safely ignore this email.</p>
-    `),
-    };
-}

package/dist/services/email.service.d.ts

@@ -1,26 +0,0 @@
-import type { EmailAdapter } from '../adapters/email/email-adapter.interface';
-export interface EmailServiceOptions {
-    /** Base URL the email links land on; the token is appended as `&token=` (or `?token=` if missing). */
-    verifyEmailUrl?: string;
-    resetPasswordUrl?: string;
-    /** TTL hints used in the email copy (must mirror what AuthService enforces). */
-    verifyTokenTtlHours?: number;
-    resetTokenTtlMinutes?: number;
-    /** When false, helpers do nothing and `enabled` returns false (noop adapter mode). */
-    enabled?: boolean;
-}
-export declare class EmailService {
-    private readonly adapter;
-    private readonly opts;
-    constructor(adapter: EmailAdapter, opts?: EmailServiceOptions);
-    isEnabled(): boolean;
-    sendVerifyEmail(input: {
-        to: string;
-        token: string;
-    }): Promise<void>;
-    sendPasswordResetEmail(input: {
-        to: string;
-        token: string;
-    }): Promise<void>;
-    private buildUrl;
-}

package/dist/services/email.service.js

@@ -1,42 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.EmailService = void 0;
-const email_templates_1 = require("./email-templates");
-class EmailService {
-    constructor(adapter, opts = {}) {
-        this.adapter = adapter;
-        this.opts = opts;
-    }
-    isEnabled() {
-        return this.opts.enabled !== false;
-    }
-    async sendVerifyEmail(input) {
-        const url = this.buildUrl(this.opts.verifyEmailUrl ?? '/verify-email', input.token);
-        const ttlHours = this.opts.verifyTokenTtlHours ?? 24;
-        const tpl = (0, email_templates_1.verifyEmailTemplate)({ url, expiresInHours: ttlHours });
-        await this.adapter.send({
-            to: input.to,
-            subject: tpl.subject,
-            html: tpl.html,
-            text: tpl.text,
-            tags: { purpose: 'verify_email' },
-        });
-    }
-    async sendPasswordResetEmail(input) {
-        const url = this.buildUrl(this.opts.resetPasswordUrl ?? '/reset-password', input.token);
-        const ttlMinutes = this.opts.resetTokenTtlMinutes ?? 60;
-        const tpl = (0, email_templates_1.passwordResetTemplate)({ url, expiresInMinutes: ttlMinutes });
-        await this.adapter.send({
-            to: input.to,
-            subject: tpl.subject,
-            html: tpl.html,
-            text: tpl.text,
-            tags: { purpose: 'reset_password' },
-        });
-    }
-    buildUrl(base, token) {
-        const sep = base.includes('?') ? '&' : '?';
-        return `${base}${sep}token=${encodeURIComponent(token)}`;
-    }
-}
-exports.EmailService = EmailService;

package/dist/services/errors.d.ts

@@ -1,7 +0,0 @@
-export type AuthErrorCode = 'invalid_credentials' | 'account_disabled' | 'account_locked' | 'email_unverified' | 'email_exists' | 'invalid_token' | 'token_expired' | 'token_consumed' | 'invalid_password' | 'no_email_on_file' | 'user_not_found' | 'last_admin';
-/** Framework-agnostic auth errors. Adapters map `status` to their HTTP layer. */
-export declare class AuthError extends Error {
-    readonly code: AuthErrorCode;
-    readonly status: number;
-    constructor(code: AuthErrorCode, message: string);
-}

package/dist/services/errors.js

@@ -1,27 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.AuthError = void 0;
-const STATUS = {
-    invalid_credentials: 401,
-    account_disabled: 401,
-    account_locked: 401,
-    email_unverified: 401,
-    email_exists: 409,
-    invalid_token: 400,
-    token_expired: 400,
-    token_consumed: 400,
-    invalid_password: 400,
-    no_email_on_file: 400,
-    user_not_found: 404,
-    last_admin: 409,
-};
-/** Framework-agnostic auth errors. Adapters map `status` to their HTTP layer. */
-class AuthError extends Error {
-    constructor(code, message) {
-        super(message);
-        this.code = code;
-        this.name = 'AuthError';
-        this.status = STATUS[code];
-    }
-}
-exports.AuthError = AuthError;

package/dist/services/oauth.service.d.ts

@@ -1,73 +0,0 @@
-import type { OAuthProviderConfig } from '../types/config.types';
-/**
- * Framework-free OAuth 2.0 helper. Provider specs + token exchange +
- * profile normalization live here so every transport (Express, Nest,
- * Fastify, …) drives the same code path. Adapters bring the HTTP shell:
- *   - render an authorize redirect with the state we hand back
- *   - persist that state (cookie, KV, whatever) until the callback
- *   - call validateCallback on the way back in
- *
- * CSRF: the state must round-trip through the user-agent in a way the
- * server can verify. The Express adapter uses an httpOnly cookie scoped
- * to the callback path. The Nest adapter does the same. Custom adapters
- * are free to pick a different mechanism as long as `state` is opaque,
- * single-use, and tied to the originating browser.
- */
-export interface NormalizedOAuthProfile {
-    provider: string;
-    providerId: string;
-    email?: string;
-    emailVerified?: boolean;
-    name?: string;
-    metadata?: Record<string, unknown>;
-}
-export interface OAuthProviderSpec {
-    /** Identifier used in the URL: `/auth/{name}`. */
-    name: string;
-    authorizeUrl: string;
-    tokenUrl: string;
-    /** Optional second fetch — useful for GitHub where /user may not include email. */
-    fetchProfile: (accessToken: string) => Promise<NormalizedOAuthProfile>;
-    /** Extra params for the authorize redirect (scopes, prompts, etc.). */
-    authorizeExtras: () => Record<string, string>;
-}
-/**
- * Public name of the state cookie/header per provider. Adapters share the
- * convention so a session started under one transport could (in theory) be
- * resumed under another — and so the operations docs are consistent.
- */
-export declare const OAUTH_STATE_COOKIE_PREFIX = "af_oauth_state_";
-export declare const OAUTH_STATE_TTL_MS: number;
-/** Build the authorize URL + a fresh random state for the cookie/store. */
-export declare function buildAuthorizeUrl(spec: OAuthProviderSpec, cfg: OAuthProviderConfig): {
-    authorizeUrl: string;
-    state: string;
-};
-/**
- * Validate the callback against the expected state and exchange the
- * authorization code for an access token + normalized profile.
- *
- * Returns the profile on success. Throws OAuthCallbackError with a stable
- * `.code` on failure — adapters surface the code in the failure redirect.
- */
-export declare function completeAuthorization(input: {
-    spec: OAuthProviderSpec;
-    cfg: OAuthProviderConfig;
-    /** Querystring `state` sent back by the provider. */
-    returnedState: string | undefined;
-    /** State we persisted before redirecting to the provider. */
-    expectedState: string | undefined;
-    /** Querystring `code` from the provider. */
-    code: string | undefined;
-    /** Querystring `error` from the provider, if any. */
-    providerError: string | undefined;
-}): Promise<NormalizedOAuthProfile>;
-/** Stable error shape adapters can pattern-match on for the failure redirect. */
-export declare class OAuthCallbackError extends Error {
-    code: string;
-    constructor(code: string, message: string);
-}
-export declare const GOOGLE_OAUTH_SPEC: OAuthProviderSpec;
-export declare const GITHUB_OAUTH_SPEC: OAuthProviderSpec;
-/** Look up a built-in spec by name. Returns undefined for unknown names. */
-export declare function getOAuthProviderSpec(name: string): OAuthProviderSpec | undefined;

package/dist/services/oauth.service.js

@@ -1,174 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.GITHUB_OAUTH_SPEC = exports.GOOGLE_OAUTH_SPEC = exports.OAuthCallbackError = exports.OAUTH_STATE_TTL_MS = exports.OAUTH_STATE_COOKIE_PREFIX = void 0;
-exports.buildAuthorizeUrl = buildAuthorizeUrl;
-exports.completeAuthorization = completeAuthorization;
-exports.getOAuthProviderSpec = getOAuthProviderSpec;
-const crypto_1 = require("crypto");
-/**
- * Public name of the state cookie/header per provider. Adapters share the
- * convention so a session started under one transport could (in theory) be
- * resumed under another — and so the operations docs are consistent.
- */
-exports.OAUTH_STATE_COOKIE_PREFIX = 'af_oauth_state_';
-exports.OAUTH_STATE_TTL_MS = 10 * 60 * 1000; // 10 min
-/** Build the authorize URL + a fresh random state for the cookie/store. */
-function buildAuthorizeUrl(spec, cfg) {
-    const state = (0, crypto_1.randomBytes)(16).toString('hex');
-    const params = new URLSearchParams({
-        client_id: cfg.clientId,
-        redirect_uri: cfg.callbackURL,
-        response_type: 'code',
-        state,
-        ...spec.authorizeExtras(),
-    });
-    return {
-        authorizeUrl: `${spec.authorizeUrl}?${params.toString()}`,
-        state,
-    };
-}
-/**
- * Validate the callback against the expected state and exchange the
- * authorization code for an access token + normalized profile.
- *
- * Returns the profile on success. Throws OAuthCallbackError with a stable
- * `.code` on failure — adapters surface the code in the failure redirect.
- */
-async function completeAuthorization(input) {
-    if (input.providerError) {
-        throw new OAuthCallbackError(input.providerError, 'Provider returned an error');
-    }
-    if (!input.code) {
-        throw new OAuthCallbackError('missing_code', 'authorization code missing');
-    }
-    if (!input.expectedState || input.expectedState !== input.returnedState) {
-        throw new OAuthCallbackError('invalid_state', 'state mismatch');
-    }
-    let accessToken;
-    try {
-        accessToken = await exchangeCodeForToken({
-            tokenUrl: input.spec.tokenUrl,
-            clientId: input.cfg.clientId,
-            clientSecret: input.cfg.clientSecret,
-            code: input.code,
-            redirectUri: input.cfg.callbackURL,
-        });
-    }
-    catch (err) {
-        throw new OAuthCallbackError('token_exchange_failed', err.message);
-    }
-    try {
-        return await input.spec.fetchProfile(accessToken);
-    }
-    catch (err) {
-        throw new OAuthCallbackError('profile_fetch_failed', err.message);
-    }
-}
-/** Stable error shape adapters can pattern-match on for the failure redirect. */
-class OAuthCallbackError extends Error {
-    constructor(code, message) {
-        super(message);
-        this.name = 'OAuthCallbackError';
-        this.code = code;
-    }
-}
-exports.OAuthCallbackError = OAuthCallbackError;
-// ─── Token exchange ────────────────────────────────────────────────────────
-async function exchangeCodeForToken(input) {
-    const body = new URLSearchParams({
-        grant_type: 'authorization_code',
-        client_id: input.clientId,
-        client_secret: input.clientSecret,
-        code: input.code,
-        redirect_uri: input.redirectUri,
-    });
-    const res = await fetch(input.tokenUrl, {
-        method: 'POST',
-        headers: {
-            'Content-Type': 'application/x-www-form-urlencoded',
-            Accept: 'application/json',
-        },
-        body: body.toString(),
-    });
-    if (!res.ok)
-        throw new Error(`token endpoint returned ${res.status}`);
-    const json = (await res.json());
-    if (!json.access_token)
-        throw new Error('no access_token in response');
-    return json.access_token;
-}
-// ─── Provider specs ────────────────────────────────────────────────────────
-exports.GOOGLE_OAUTH_SPEC = {
-    name: 'google',
-    authorizeUrl: 'https://accounts.google.com/o/oauth2/v2/auth',
-    tokenUrl: 'https://oauth2.googleapis.com/token',
-    authorizeExtras: () => ({
-        scope: 'openid email profile',
-        access_type: 'offline',
-        prompt: 'select_account',
-    }),
-    async fetchProfile(accessToken) {
-        const r = await fetch('https://openidconnect.googleapis.com/v1/userinfo', {
-            headers: { Authorization: `Bearer ${accessToken}` },
-        });
-        if (!r.ok)
-            throw new Error(`userinfo ${r.status}`);
-        const p = (await r.json());
-        return {
-            provider: 'google',
-            providerId: p.sub,
-            email: p.email,
-            emailVerified: p.email_verified === true,
-            name: p.name,
-            metadata: { avatar: p.picture, locale: p.locale },
-        };
-    },
-};
-exports.GITHUB_OAUTH_SPEC = {
-    name: 'github',
-    authorizeUrl: 'https://github.com/login/oauth/authorize',
-    tokenUrl: 'https://github.com/login/oauth/access_token',
-    authorizeExtras: () => ({ scope: 'user:email' }),
-    async fetchProfile(accessToken) {
-        const headers = {
-            Authorization: `Bearer ${accessToken}`,
-            Accept: 'application/vnd.github+json',
-            'User-Agent': 'agentforge',
-        };
-        const userRes = await fetch('https://api.github.com/user', { headers });
-        if (!userRes.ok)
-            throw new Error(`/user ${userRes.status}`);
-        const u = (await userRes.json());
-        // /user.email is null when private. Fetch /user/emails to get the verified primary.
-        let email = u.email ?? undefined;
-        if (!email) {
-            const emailsRes = await fetch('https://api.github.com/user/emails', { headers });
-            if (emailsRes.ok) {
-                const emails = (await emailsRes.json());
-                email =
-                    emails.find((e) => e.primary && e.verified)?.email ??
-                        emails.find((e) => e.verified)?.email;
-            }
-        }
-        return {
-            provider: 'github',
-            providerId: String(u.id),
-            email,
-            emailVerified: !!email, // GitHub only returns verified emails through /user/emails
-            name: u.name || u.login,
-            metadata: {
-                username: u.login,
-                avatar: u.avatar_url,
-                profileUrl: u.html_url,
-            },
-        };
-    },
-};
-/** Look up a built-in spec by name. Returns undefined for unknown names. */
-function getOAuthProviderSpec(name) {
-    if (name === 'google')
-        return exports.GOOGLE_OAUTH_SPEC;
-    if (name === 'github')
-        return exports.GITHUB_OAUTH_SPEC;
-    return undefined;
-}