@agentforge-io/core 2.0.24 → 2.1.1

package/dist/services/auth.service.d.ts

@@ -1,133 +0,0 @@
-import type { UserRepository, UserListOptions, UserListResult, AuthIdentityRepository, EmailTokenRepository } from '../repositories';
-import type { User } from '../domain/user';
-import type { RefreshTokenService } from './refresh-token.service';
-import type { EmailService } from './email.service';
-import type { Logger } from './tool-registry.service';
-export interface AuthUser {
-    userId: string;
-    email?: string;
-    name?: string;
-    /** RBAC role from the `af_users.role` column. */
-    role?: 'user' | 'platform_admin';
-    /** Convenience boolean derived from `role === 'platform_admin'`. */
-    isPlatformAdmin?: boolean;
-}
-export interface AuthResult {
-    accessToken: string;
-    refreshToken: string;
-    user: {
-        id: string;
-        email?: string;
-        name?: string;
-    };
-}
-export interface SessionMeta {
-    userAgent?: string;
-    ip?: string;
-}
-export interface AuthServiceOptions {
-    jwtSecret: string;
-    /** Access-token TTL — string accepted by jsonwebtoken (e.g. '15m'). Default: '15m'. */
-    accessTokenTtl?: string;
-    /** Lock account after N consecutive failed logins. Default: 5. */
-    lockoutThreshold?: number;
-    /** Lockout duration in minutes. Default: 15. */
-    lockoutMinutes?: number;
-    /** When true, login is blocked until the user has clicked the verify link. Default: false. */
-    requireEmailVerification?: boolean;
-    /** Default plan id assigned at registration. */
-    defaultPlanId?: string;
-    /** Initial credit balance for newly-registered users. */
-    initialCredits?: number;
-    /** Verify-email token TTL in hours. Default: 24. */
-    verifyTokenTtlHours?: number;
-    /** Password-reset token TTL in minutes. Default: 60. */
-    resetTokenTtlMinutes?: number;
-    /** Hook fired after a user is created via any strategy. */
-    onUserCreated?: (user: {
-        id: string;
-        email?: string;
-        name?: string;
-    }) => void | Promise<void>;
-    logger?: Logger;
-}
-export declare class AuthService {
-    private readonly users;
-    private readonly identities;
-    private readonly emailTokens;
-    private readonly refreshTokens;
-    private readonly email;
-    private readonly opts;
-    private readonly logger;
-    constructor(users: UserRepository, identities: AuthIdentityRepository, emailTokens: EmailTokenRepository, refreshTokens: RefreshTokenService, email: EmailService, opts: AuthServiceOptions);
-    register(params: {
-        email: string;
-        password: string;
-        name?: string;
-    }, meta?: SessionMeta): Promise<AuthResult>;
-    validateCredentials(email: string, password: string): Promise<User>;
-    login(email: string, password: string, meta?: SessionMeta): Promise<AuthResult>;
-    refresh(rawToken: string, meta?: SessionMeta): Promise<AuthResult>;
-    logout(rawRefreshToken?: string): Promise<void>;
-    logoutEverywhere(userId: string): Promise<void>;
-    signInWithProvider(profile: {
-        provider: string;
-        providerId: string;
-        email?: string;
-        emailVerified?: boolean;
-        name?: string;
-        metadata?: Record<string, unknown>;
-    }, meta?: SessionMeta): Promise<AuthResult>;
-    sendVerificationEmail(user: User): Promise<void>;
-    resendVerificationEmail(userId: string): Promise<void>;
-    verifyEmail(rawToken: string): Promise<{
-        userId: string;
-    }>;
-    /** Always returns success — never reveals whether the email exists. */
-    requestPasswordReset(email: string): Promise<void>;
-    resetPassword(rawToken: string, newPassword: string): Promise<void>;
-    /**
-     * Verify a JWT and return the resolved user. Returns null if the token is
-     * invalid/expired or the user no longer exists / is disabled.
-     */
-    /**
-     * Resolve a user from their id. Used by adapter-level JWT strategies that
-     * receive the decoded token payload from passport-jwt and need to populate
-     * `req.user`.
-     */
-    getById(userId: string): Promise<AuthUser | null>;
-    verifyAccessToken(rawToken: string): Promise<AuthUser | null>;
-    private toAuthUser;
-    /**
-     * Update a user's role. Caller is responsible for authorization; this
-     * method only enforces invariants:
-     *   - Demoting a platform_admin is blocked if it would leave zero platform
-     *     admins, to prevent locking yourself out of admin operations.
-     */
-    setUserRole(userId: string, role: User['role']): Promise<User>;
-    listUsers(opts?: UserListOptions): Promise<UserListResult>;
-    /**
-     * Look up a user by id and return the full `User` row (role, plan, last
-     * login, etc.) — distinct from `getById` which returns the lightweight
-     * `AuthUser` projection used in request contexts. Used by admin detail
-     * pages. Returns null when not found.
-     */
-    getFullUserById(userId: string): Promise<User | null>;
-    /**
-     * Boot-time backfill for instances upgrading to RBAC. If no user holds the
-     * `platform_admin` role, the oldest user is promoted so the operator isn't
-     * locked out. Idempotent — no-op when at least one admin already exists.
-     *
-     * Call once from your server bootstrap after the DB is connected.
-     */
-    ensurePlatformAdminBootstrap(): Promise<void>;
-    issueSession(user: User, meta?: SessionMeta): Promise<AuthResult>;
-    private signAccess;
-    private recordFailedLogin;
-    private recordSuccessfulLogin;
-    private mintEmailToken;
-    private consumeEmailToken;
-    private hashToken;
-    cleanupExpiredEmailTokens(olderThan?: Date): Promise<number>;
-    private runCreatedHook;
-}

package/dist/services/auth.service.js

@@ -1,411 +0,0 @@
-"use strict";
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
-    Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
-    o["default"] = v;
-});
-var __importStar = (this && this.__importStar) || (function () {
-    var ownKeys = function(o) {
-        ownKeys = Object.getOwnPropertyNames || function (o) {
-            var ar = [];
-            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
-            return ar;
-        };
-        return ownKeys(o);
-    };
-    return function (mod) {
-        if (mod && mod.__esModule) return mod;
-        var result = {};
-        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
-        __setModuleDefault(result, mod);
-        return result;
-    };
-})();
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.AuthService = void 0;
-const bcrypt = __importStar(require("bcryptjs"));
-const jwt = __importStar(require("jsonwebtoken"));
-const crypto_1 = require("crypto");
-const errors_1 = require("./errors");
-const BCRYPT_COST = 12;
-const noopLogger = { log: () => { }, warn: () => { }, debug: () => { }, error: () => { } };
-class AuthService {
-    constructor(users, identities, emailTokens, refreshTokens, email, opts) {
-        this.users = users;
-        this.identities = identities;
-        this.emailTokens = emailTokens;
-        this.refreshTokens = refreshTokens;
-        this.email = email;
-        this.opts = opts;
-        if (!opts.jwtSecret)
-            throw new Error('AuthService: jwtSecret is required');
-        this.logger = opts.logger ?? noopLogger;
-    }
-    // ─── Local strategy ───────────────────────────────────────────────────────
-    async register(params, meta = {}) {
-        const email = params.email.trim().toLowerCase();
-        const existing = await this.users.findByEmail(email);
-        if (existing)
-            throw new errors_1.AuthError('email_exists', 'An account with that email already exists');
-        const passwordHash = await bcrypt.hash(params.password, BCRYPT_COST);
-        // Bootstrap: the very first user on a fresh install is auto-promoted to
-        // platform_admin. Subsequent users default to `user` and can be promoted
-        // through the admin UI by an existing platform admin.
-        const isFirstUser = (await this.users.count()) === 0;
-        if (isFirstUser) {
-            this.logger.log('Bootstrap: first user — granting platform_admin role.');
-        }
-        const user = await this.users.create({
-            id: (0, crypto_1.randomUUID)(),
-            email,
-            name: params.name,
-            passwordHash,
-            authProvider: 'local',
-            currentPlanId: this.opts.defaultPlanId ?? 'free',
-            creditsBalance: this.opts.initialCredits ?? 0,
-            role: isFirstUser ? 'platform_admin' : 'user',
-            isActive: true,
-            failedLoginCount: 0,
-        });
-        await this.runCreatedHook(user);
-        if (this.email.isEnabled()) {
-            this.sendVerificationEmail(user).catch((err) => this.logger.warn(`Verification email on register failed: ${err.message}`));
-        }
-        return this.issueSession(user, meta);
-    }
-    async validateCredentials(email, password) {
-        const normalized = email.trim().toLowerCase();
-        const user = await this.users.findByEmailWithSecrets(normalized);
-        const invalid = () => new errors_1.AuthError('invalid_credentials', 'Invalid email or password');
-        if (!user || !user.passwordHash)
-            throw invalid();
-        if (!user.isActive)
-            throw new errors_1.AuthError('account_disabled', 'Account is disabled');
-        if (user.lockedUntil && user.lockedUntil > new Date()) {
-            const minutes = Math.ceil((user.lockedUntil.getTime() - Date.now()) / 60000);
-            throw new errors_1.AuthError('account_locked', `Account temporarily locked. Try again in ${minutes} minute${minutes === 1 ? '' : 's'}.`);
-        }
-        if (this.opts.requireEmailVerification && !user.emailVerifiedAt) {
-            throw new errors_1.AuthError('email_unverified', 'Please verify your email before signing in.');
-        }
-        const ok = await bcrypt.compare(password, user.passwordHash);
-        if (!ok) {
-            await this.recordFailedLogin(user);
-            throw invalid();
-        }
-        await this.recordSuccessfulLogin(user);
-        return user;
-    }
-    async login(email, password, meta = {}) {
-        const user = await this.validateCredentials(email, password);
-        return this.issueSession(user, meta);
-    }
-    async refresh(rawToken, meta = {}) {
-        const rotated = await this.refreshTokens.rotate(rawToken, meta);
-        const user = await this.users.findById(rotated.userId);
-        if (!user || !user.isActive) {
-            throw new errors_1.AuthError('account_disabled', 'Account is disabled');
-        }
-        return {
-            accessToken: this.signAccess(user),
-            refreshToken: rotated.token,
-            user: { id: user.id, email: user.email, name: user.name },
-        };
-    }
-    async logout(rawRefreshToken) {
-        if (rawRefreshToken)
-            await this.refreshTokens.revoke(rawRefreshToken);
-    }
-    async logoutEverywhere(userId) {
-        await this.refreshTokens.revokeAllForUser(userId);
-    }
-    // ─── OAuth / external providers ───────────────────────────────────────────
-    async signInWithProvider(profile, meta = {}) {
-        const identity = await this.identities.findByProvider(profile.provider, profile.providerId);
-        if (identity) {
-            const user = await this.users.findById(identity.userId);
-            if (!user || !user.isActive)
-                throw new errors_1.AuthError('account_disabled', 'Account is disabled');
-            return this.issueSession(user, meta);
-        }
-        const email = profile.email?.trim().toLowerCase();
-        let user = null;
-        if (email && profile.emailVerified) {
-            user = await this.users.findByEmail(email);
-        }
-        if (!user) {
-            user = await this.users.create({
-                id: (0, crypto_1.randomUUID)(),
-                email,
-                name: profile.name,
-                authProvider: profile.provider,
-                currentPlanId: this.opts.defaultPlanId ?? 'free',
-                creditsBalance: this.opts.initialCredits ?? 0,
-                isActive: true,
-                failedLoginCount: 0,
-            });
-            await this.runCreatedHook(user);
-        }
-        else if (!user.isActive) {
-            throw new errors_1.AuthError('account_disabled', 'Account is disabled');
-        }
-        await this.identities.create({
-            userId: user.id,
-            provider: profile.provider,
-            providerId: profile.providerId,
-            email,
-            metadata: profile.metadata,
-        });
-        return this.issueSession(user, meta);
-    }
-    // ─── Email verification + password reset ──────────────────────────────────
-    async sendVerificationEmail(user) {
-        if (!user.email)
-            return;
-        if (user.emailVerifiedAt)
-            return;
-        const ttlHours = this.opts.verifyTokenTtlHours ?? 24;
-        const token = await this.mintEmailToken(user.id, 'verify_email', ttlHours * 60 * 60 * 1000);
-        await this.email.sendVerifyEmail({ to: user.email, token });
-    }
-    async resendVerificationEmail(userId) {
-        const user = await this.users.findById(userId);
-        if (!user || !user.email) {
-            throw new errors_1.AuthError('no_email_on_file', 'No email on file for this user');
-        }
-        if (user.emailVerifiedAt)
-            return;
-        await this.sendVerificationEmail(user);
-    }
-    async verifyEmail(rawToken) {
-        const entity = await this.consumeEmailToken(rawToken, 'verify_email');
-        await this.users.update(entity.userId, { emailVerifiedAt: new Date() });
-        return { userId: entity.userId };
-    }
-    /** Always returns success — never reveals whether the email exists. */
-    async requestPasswordReset(email) {
-        const normalized = email.trim().toLowerCase();
-        const user = await this.users.findByEmail(normalized);
-        if (!user || !user.email || !user.isActive) {
-            // Constant-time-ish jitter so request timing doesn't leak existence either.
-            await new Promise((r) => setTimeout(r, 100 + Math.random() * 200));
-            return;
-        }
-        const ttlMinutes = this.opts.resetTokenTtlMinutes ?? 60;
-        const token = await this.mintEmailToken(user.id, 'reset_password', ttlMinutes * 60 * 1000);
-        try {
-            await this.email.sendPasswordResetEmail({ to: user.email, token });
-        }
-        catch (err) {
-            this.logger.warn(`Password-reset email failed for user ${user.id}: ${err.message}`);
-        }
-    }
-    async resetPassword(rawToken, newPassword) {
-        if (!newPassword || newPassword.length < 8) {
-            throw new errors_1.AuthError('invalid_password', 'Password must be at least 8 characters');
-        }
-        const entity = await this.consumeEmailToken(rawToken, 'reset_password');
-        const passwordHash = await bcrypt.hash(newPassword, BCRYPT_COST);
-        await this.users.update(entity.userId, {
-            passwordHash,
-            failedLoginCount: 0,
-            lockedUntil: undefined,
-        });
-        await this.refreshTokens.revokeAllForUser(entity.userId);
-    }
-    // ─── Token verification (used by HTTP middleware) ─────────────────────────
-    /**
-     * Verify a JWT and return the resolved user. Returns null if the token is
-     * invalid/expired or the user no longer exists / is disabled.
-     */
-    /**
-     * Resolve a user from their id. Used by adapter-level JWT strategies that
-     * receive the decoded token payload from passport-jwt and need to populate
-     * `req.user`.
-     */
-    async getById(userId) {
-        const user = await this.users.findById(userId);
-        if (!user || !user.isActive)
-            return null;
-        return this.toAuthUser(user);
-    }
-    async verifyAccessToken(rawToken) {
-        let payload;
-        try {
-            payload = jwt.verify(rawToken, this.opts.jwtSecret);
-        }
-        catch {
-            return null;
-        }
-        if (!payload.sub)
-            return null;
-        const user = await this.users.findById(payload.sub);
-        if (!user || !user.isActive)
-            return null;
-        return this.toAuthUser(user);
-    }
-    toAuthUser(user) {
-        return {
-            userId: user.id,
-            email: user.email,
-            name: user.name,
-            role: user.role,
-            isPlatformAdmin: user.role === 'platform_admin',
-        };
-    }
-    // ─── User management (platform-admin operations) ──────────────────────────
-    /**
-     * Update a user's role. Caller is responsible for authorization; this
-     * method only enforces invariants:
-     *   - Demoting a platform_admin is blocked if it would leave zero platform
-     *     admins, to prevent locking yourself out of admin operations.
-     */
-    async setUserRole(userId, role) {
-        const user = await this.users.findById(userId);
-        if (!user)
-            throw new errors_1.AuthError('user_not_found', 'User not found');
-        if (user.role === role)
-            return user;
-        if (user.role === 'platform_admin' && role !== 'platform_admin') {
-            const remaining = await this.users.countByRole('platform_admin');
-            if (remaining <= 1) {
-                throw new errors_1.AuthError('last_admin', 'Cannot remove the last platform admin — promote someone else first.');
-            }
-        }
-        await this.users.update(userId, { role });
-        return { ...user, role };
-    }
-    async listUsers(opts) {
-        return this.users.list(opts);
-    }
-    /**
-     * Look up a user by id and return the full `User` row (role, plan, last
-     * login, etc.) — distinct from `getById` which returns the lightweight
-     * `AuthUser` projection used in request contexts. Used by admin detail
-     * pages. Returns null when not found.
-     */
-    async getFullUserById(userId) {
-        return this.users.findById(userId);
-    }
-    /**
-     * Boot-time backfill for instances upgrading to RBAC. If no user holds the
-     * `platform_admin` role, the oldest user is promoted so the operator isn't
-     * locked out. Idempotent — no-op when at least one admin already exists.
-     *
-     * Call once from your server bootstrap after the DB is connected.
-     */
-    async ensurePlatformAdminBootstrap() {
-        const adminCount = await this.users.countByRole('platform_admin');
-        if (adminCount > 0)
-            return;
-        const totalUsers = await this.users.count();
-        if (totalUsers === 0) {
-            // Fresh install — the first `register()` call will promote naturally.
-            return;
-        }
-        // Existing install with users but no admin. Prefer the oldest user that
-        // has an email — that's a real signup, not a test fixture seeded by
-        // earlier scripts. Fall back to the absolute oldest if no emailed user
-        // exists.
-        const all = await this.users.list();
-        // `list()` returns newest-first, so iterate from the tail (oldest first).
-        const ordered = [...all.items].reverse();
-        const target = ordered.find((u) => !!u.email) ?? ordered[0];
-        if (!target)
-            return;
-        await this.users.update(target.id, { role: 'platform_admin' });
-        this.logger.warn(`RBAC bootstrap: no platform admins found, promoted ` +
-            `${target.email ?? target.id} to platform_admin.`);
-    }
-    // ─── Internals ────────────────────────────────────────────────────────────
-    async issueSession(user, meta = {}) {
-        const accessToken = this.signAccess(user);
-        const minted = await this.refreshTokens.issue(user.id, meta);
-        return {
-            accessToken,
-            refreshToken: minted.token,
-            user: { id: user.id, email: user.email, name: user.name },
-        };
-    }
-    signAccess(user) {
-        const ttl = this.opts.accessTokenTtl ?? '15m';
-        return jwt.sign({ sub: user.id, email: user.email, name: user.name }, this.opts.jwtSecret, 
-        // eslint-disable-next-line @typescript-eslint/no-explicit-any
-        { expiresIn: ttl });
-    }
-    async recordFailedLogin(user) {
-        const threshold = this.opts.lockoutThreshold ?? 5;
-        const lockMinutes = this.opts.lockoutMinutes ?? 15;
-        const next = (user.failedLoginCount ?? 0) + 1;
-        if (next >= threshold) {
-            this.logger.warn(`User ${user.id} locked for ${lockMinutes}m after ${threshold} failed logins`);
-            await this.users.update(user.id, {
-                failedLoginCount: 0,
-                lockedUntil: new Date(Date.now() + lockMinutes * 60_000),
-            });
-        }
-        else {
-            await this.users.update(user.id, { failedLoginCount: next });
-        }
-    }
-    async recordSuccessfulLogin(user) {
-        await this.users.update(user.id, {
-            failedLoginCount: 0,
-            lockedUntil: undefined,
-            lastLoginAt: new Date(),
-        });
-    }
-    async mintEmailToken(userId, purpose, ttlMs) {
-        await this.emailTokens.invalidateActive(userId, purpose);
-        const raw = (0, crypto_1.randomBytes)(32).toString('hex');
-        await this.emailTokens.create({
-            userId,
-            tokenHash: this.hashToken(raw),
-            purpose,
-            expiresAt: new Date(Date.now() + ttlMs),
-        });
-        return raw;
-    }
-    async consumeEmailToken(rawToken, purpose) {
-        const tokenHash = this.hashToken(rawToken);
-        const entity = await this.emailTokens.findByHash(tokenHash);
-        if (!entity || entity.purpose !== purpose) {
-            throw new errors_1.AuthError('invalid_token', 'Invalid or expired token');
-        }
-        if (entity.consumedAt)
-            throw new errors_1.AuthError('token_consumed', 'Token already used');
-        if (entity.expiresAt <= new Date())
-            throw new errors_1.AuthError('token_expired', 'Token expired');
-        await this.emailTokens.markConsumed(entity.id);
-        return entity;
-    }
-    hashToken(token) {
-        return (0, crypto_1.createHash)('sha256').update(token).digest('hex');
-    }
-    async cleanupExpiredEmailTokens(olderThan = new Date()) {
-        return this.emailTokens.deleteExpired(olderThan);
-    }
-    async runCreatedHook(user) {
-        const hook = this.opts.onUserCreated;
-        if (!hook)
-            return;
-        try {
-            await hook({ id: user.id, email: user.email, name: user.name });
-        }
-        catch (err) {
-            this.logger.warn(`onUserCreated hook failed: ${err.message}`);
-        }
-    }
-}
-exports.AuthService = AuthService;

package/dist/services/billing.service.d.ts

@@ -1,67 +0,0 @@
-import type { SubscriptionRepository, UserRepository, UsageRecordRepository } from '../repositories';
-import type { IBillingAdapter } from '../adapters/billing/billing-adapter.interface';
-import type { BillingConfig } from '../types/config.types';
-import type { Plan } from '../domain/plan';
-import type { UsageService } from './usage.service';
-import type { PlanService } from './plan.service';
-import type { BillingOverviewResult, CheckoutResult, PortalResult } from '../types/billing.types';
-export interface BillingServiceOptions {
-    billing?: BillingConfig;
-    defaultLimits?: {
-        requestsPerMonth?: number;
-        tokensPerMonth?: number;
-    };
-    logger?: {
-        warn: (m: string) => void;
-        log: (m: string) => void;
-        debug?: (m: string) => void;
-    };
-    /** Source of truth for plans (DB-backed in production). */
-    plans: PlanService;
-}
-/**
- * Billing for the B2C path: the end user is the payer. Mirrors
- * TenantBillingService, scoped to individual users.
- */
-export declare class BillingService {
-    private readonly users;
-    private readonly subscriptions;
-    private readonly usageRecords;
-    private readonly adapter;
-    private readonly usageService;
-    private readonly opts;
-    constructor(users: UserRepository, subscriptions: SubscriptionRepository, usageRecords: UsageRecordRepository, adapter: IBillingAdapter, usageService: UsageService, opts: BillingServiceOptions);
-    getPlans(): Promise<Plan[]>;
-    getPlan(planId: string): Promise<Plan>;
-    getDefaultPlanId(): Promise<string>;
-    createCheckout(input: {
-        userId: string;
-        planId: string;
-        /** Override URLs per request (e.g. coming from a frontend on a custom domain). */
-        successUrl?: string;
-        cancelUrl?: string;
-        appUrl?: string;
-    }): Promise<CheckoutResult>;
-    getPortalUrl(userId: string, returnUrl?: string): Promise<PortalResult>;
-    handleWebhook(payload: Buffer, signature: string): Promise<void>;
-    /**
-     * Same as handleWebhook but accepts an already-verified event. Used by
-     * routers that want to dispatch a single event to both the tenant and the
-     * user-centric handlers without re-verifying the signature.
-     */
-    handleWebhookEvent(event: {
-        type: string;
-        data: Record<string, unknown>;
-    }): Promise<void>;
-    private onCheckoutCompleted;
-    private onSubscriptionUpdated;
-    private onSubscriptionDeleted;
-    private onPaymentFailed;
-    getOverview(userId: string): Promise<BillingOverviewResult>;
-    cancelSubscription(userId: string, immediately?: boolean): Promise<void>;
-}
-export declare class BillingError extends Error {
-    status: number;
-    code: 'not_found' | 'plan_not_found' | 'plan_not_purchasable' | 'no_customer' | 'no_active_subscription';
-    constructor(code: 'not_found' | 'plan_not_found' | 'plan_not_purchasable' | 'no_customer' | 'no_active_subscription', message: string);
-}