@casfa/client 0.0.1

package/dist/index-cPO-6GxE.d.ts

@@ -0,0 +1,338 @@
+import { DepotListItem, DepotCommit, CreateDepot, CreateDepotResponse, DepotDetail, ListDepotsQuery, UpdateDepot, ServiceInfo, NodeMetadata, PrepareNodes, PrepareNodesResponse, TokenExchange, Login, Refresh, ApproveRequest, ApproveRequestResponse, CreateAuthRequest, CreateAuthRequestResponse, PollRequestResponse, DenyRequest, DenyRequestResponse, TicketListItem, CreateTicket, CreateTicketResponse, TicketDetail, ListTicketsQuery, TicketSubmit, TokenListItem, CreateToken, CreateTokenResponse, TokenDetail, RevokeTokenResponse } from '@casfa/protocol';
+import { FetchResult, StoredUserToken } from './types/index.js';
+
+/**
+ * Depot API functions.
+ *
+ * Token Requirement:
+ * - All depot operations require Access Token with canManageDepot permission.
+ */
+
+type ListDepotsResponse = {
+    depots: DepotListItem[];
+    nextCursor?: string;
+};
+type CommitDepotResponse = {
+    depotId: string;
+    root: string;
+    updatedAt: number;
+};
+/**
+ * Create a new depot.
+ * Requires Access Token with canManageDepot.
+ */
+declare const createDepot: (baseUrl: string, realm: string, accessTokenBase64: string, params: CreateDepot) => Promise<FetchResult<CreateDepotResponse>>;
+/**
+ * List depots.
+ * Requires Access Token.
+ */
+declare const listDepots: (baseUrl: string, realm: string, accessTokenBase64: string, params?: ListDepotsQuery) => Promise<FetchResult<ListDepotsResponse>>;
+/**
+ * Get depot details.
+ * Requires Access Token.
+ */
+declare const getDepot: (baseUrl: string, realm: string, accessTokenBase64: string, depotId: string) => Promise<FetchResult<DepotDetail>>;
+/**
+ * Update depot metadata.
+ * Requires Access Token with canManageDepot.
+ */
+declare const updateDepot: (baseUrl: string, realm: string, accessTokenBase64: string, depotId: string, params: UpdateDepot) => Promise<FetchResult<DepotDetail>>;
+/**
+ * Delete a depot.
+ * Requires Access Token with canManageDepot.
+ */
+declare const deleteDepot: (baseUrl: string, realm: string, accessTokenBase64: string, depotId: string) => Promise<FetchResult<void>>;
+/**
+ * Commit new root to depot.
+ * Requires Access Token with canManageDepot.
+ */
+declare const commitDepot: (baseUrl: string, realm: string, accessTokenBase64: string, depotId: string, params: DepotCommit) => Promise<FetchResult<CommitDepotResponse>>;
+
+/**
+ * Service info API.
+ */
+
+/**
+ * Fetch service info from /api/info.
+ */
+declare const fetchServiceInfo: (baseUrl: string) => Promise<FetchResult<ServiceInfo>>;
+/**
+ * Health check.
+ */
+declare const healthCheck: (baseUrl: string) => Promise<FetchResult<{
+    status: string;
+}>>;
+
+/**
+ * Node API functions.
+ *
+ * Token Requirement:
+ * - GET /nodes/:nodeKey: Access Token (with X-CAS-Index-Path header)
+ * - POST /nodes/prepare: Access Token with canUpload
+ * - PUT /nodes/:nodeKey: Access Token with canUpload
+ */
+
+type NodeUploadResult = {
+    nodeKey: string;
+    status: "created" | "exists";
+};
+/**
+ * Get node content.
+ * Requires Access Token with scope covering the index path.
+ *
+ * @param indexPath - The CAS index path for scope verification (e.g., "depot:MAIN:0:1")
+ */
+declare const getNode: (baseUrl: string, realm: string, accessTokenBase64: string, nodeKey: string, indexPath: string) => Promise<FetchResult<Uint8Array>>;
+/**
+ * Get node metadata.
+ * Requires Access Token with scope covering the index path.
+ */
+declare const getNodeMetadata: (baseUrl: string, realm: string, accessTokenBase64: string, nodeKey: string, indexPath: string) => Promise<FetchResult<NodeMetadata>>;
+/**
+ * Prepare nodes for upload.
+ * Returns which nodes need to be uploaded vs already exist.
+ * Requires Access Token with canUpload.
+ */
+declare const prepareNodes: (baseUrl: string, realm: string, accessTokenBase64: string, params: PrepareNodes) => Promise<FetchResult<PrepareNodesResponse>>;
+/**
+ * Upload a node.
+ * Requires Access Token with canUpload.
+ */
+declare const putNode: (baseUrl: string, realm: string, accessTokenBase64: string, nodeKey: string, content: Uint8Array) => Promise<FetchResult<NodeUploadResult>>;
+
+/**
+ * OAuth API functions.
+ */
+
+type CognitoConfig = {
+    region: string;
+    userPoolId: string;
+    clientId: string;
+    domain: string;
+};
+type TokenResponse = {
+    accessToken: string;
+    refreshToken: string;
+    expiresIn: number;
+    idToken?: string;
+};
+type UserInfo = {
+    userId: string;
+    email: string;
+    role: string;
+};
+/**
+ * Get Cognito configuration.
+ */
+declare const getOAuthConfig: (baseUrl: string) => Promise<FetchResult<CognitoConfig>>;
+/**
+ * Exchange authorization code for tokens.
+ */
+declare const exchangeCode: (baseUrl: string, params: TokenExchange) => Promise<FetchResult<TokenResponse>>;
+/**
+ * Login with email and password.
+ */
+declare const login: (baseUrl: string, params: Login) => Promise<FetchResult<TokenResponse>>;
+/**
+ * Refresh access token.
+ */
+declare const refresh: (baseUrl: string, params: Refresh) => Promise<FetchResult<TokenResponse>>;
+/**
+ * Get current user info.
+ * Requires User JWT.
+ */
+declare const getMe: (baseUrl: string, userAccessToken: string) => Promise<FetchResult<UserInfo>>;
+/**
+ * Convert token response to stored user token.
+ */
+declare const tokenResponseToStoredUserToken: (response: TokenResponse, userId: string) => StoredUserToken;
+
+/**
+ * Client Authorization Request API functions.
+ *
+ * For CLI/desktop apps to request tokens through user approval.
+ */
+
+/**
+ * Create an authorization request.
+ * No auth required - called by CLI/desktop clients.
+ */
+declare const createAuthRequest: (baseUrl: string, params: CreateAuthRequest) => Promise<FetchResult<CreateAuthRequestResponse>>;
+/**
+ * Poll authorization request status.
+ * No auth required - called by CLI/desktop clients.
+ */
+declare const pollAuthRequest: (baseUrl: string, requestId: string) => Promise<FetchResult<PollRequestResponse>>;
+/**
+ * Get authorization request details.
+ * Requires User JWT.
+ */
+declare const getAuthRequest: (baseUrl: string, userAccessToken: string, requestId: string) => Promise<FetchResult<PollRequestResponse>>;
+/**
+ * Approve an authorization request.
+ * Requires User JWT.
+ */
+declare const approveAuthRequest: (baseUrl: string, userAccessToken: string, requestId: string, params?: ApproveRequest) => Promise<FetchResult<ApproveRequestResponse>>;
+/**
+ * Reject an authorization request.
+ * Requires User JWT.
+ */
+declare const rejectAuthRequest: (baseUrl: string, userAccessToken: string, requestId: string, params?: DenyRequest) => Promise<FetchResult<DenyRequestResponse>>;
+
+/**
+ * Ticket API functions.
+ *
+ * Token Requirement:
+ * - POST /api/realm/{realmId}/tickets: Access Token (create ticket, bind pre-issued token)
+ * - GET /api/realm/{realmId}/tickets: Access Token (list)
+ * - GET /api/realm/{realmId}/tickets/:ticketId: Access Token (get detail)
+ * - POST /api/realm/{realmId}/tickets/:ticketId/submit: Access Token (submit)
+ *
+ * Design Principle: All Realm data operations use Access Token.
+ * Delegate Token is only for issuing tokens.
+ *
+ * Two-step Ticket creation flow:
+ *   1. Issue Access Token using Delegate Token (POST /api/tokens/delegate)
+ *   2. Create Ticket and bind the token (POST /api/realm/{realmId}/tickets)
+ */
+
+type ListTicketsResponse = {
+    tickets: TicketListItem[];
+    nextCursor?: string;
+};
+type SubmitTicketResponse = {
+    ticketId: string;
+    status: "submitted";
+    root: string;
+    submittedAt: number;
+};
+/**
+ * Create a new ticket and bind a pre-issued Access Token.
+ * Requires Access Token.
+ *
+ * @param accessTokenBase64 - Caller's Access Token (for authentication)
+ * @param params.accessTokenId - Pre-issued Access Token ID to bind (for Tool use)
+ */
+declare const createTicket: (baseUrl: string, realm: string, accessTokenBase64: string, params: CreateTicket) => Promise<FetchResult<CreateTicketResponse>>;
+/**
+ * List tickets.
+ * Requires Access Token.
+ */
+declare const listTickets: (baseUrl: string, realm: string, accessTokenBase64: string, params?: ListTicketsQuery) => Promise<FetchResult<ListTicketsResponse>>;
+/**
+ * Get ticket details.
+ * Requires Access Token.
+ */
+declare const getTicket: (baseUrl: string, realm: string, accessTokenBase64: string, ticketId: string) => Promise<FetchResult<TicketDetail>>;
+/**
+ * Submit a ticket.
+ * Requires Access Token.
+ */
+declare const submitTicket: (baseUrl: string, realm: string, accessTokenBase64: string, ticketId: string, params: TicketSubmit) => Promise<FetchResult<SubmitTicketResponse>>;
+
+/**
+ * Token management API functions.
+ *
+ * Token Requirement:
+ * - POST /api/tokens: User JWT
+ * - GET /api/tokens: User JWT
+ * - GET /api/tokens/:tokenId: User JWT
+ * - POST /api/tokens/:tokenId/revoke: User JWT
+ * - POST /api/tokens/delegate: Delegate Token
+ */
+
+type ListTokensParams = {
+    limit?: number;
+    cursor?: string;
+    type?: "delegate" | "access";
+};
+type ListTokensResponse = {
+    tokens: TokenListItem[];
+    nextCursor?: string;
+};
+/**
+ * Create a new Delegate Token.
+ * Requires User JWT.
+ */
+declare const createToken: (baseUrl: string, userAccessToken: string, params: CreateToken) => Promise<FetchResult<CreateTokenResponse>>;
+/**
+ * List Delegate Tokens.
+ * Requires User JWT.
+ */
+declare const listTokens: (baseUrl: string, userAccessToken: string, params?: ListTokensParams) => Promise<FetchResult<ListTokensResponse>>;
+/**
+ * Get token details.
+ * Requires User JWT.
+ */
+declare const getToken: (baseUrl: string, userAccessToken: string, tokenId: string) => Promise<FetchResult<TokenDetail>>;
+/**
+ * Revoke a token.
+ * Requires User JWT.
+ */
+declare const revokeToken: (baseUrl: string, userAccessToken: string, tokenId: string) => Promise<FetchResult<RevokeTokenResponse>>;
+type DelegateTokenParams = {
+    name: string;
+    type: "delegate" | "access";
+    expiresIn?: number;
+    canUpload?: boolean;
+    canManageDepot?: boolean;
+    scope?: string[];
+};
+/**
+ * Delegate (re-issue) a token using existing Delegate Token.
+ * Requires Delegate Token.
+ */
+declare const delegateToken: (baseUrl: string, delegateTokenBase64: string, params: DelegateTokenParams) => Promise<FetchResult<CreateTokenResponse>>;
+
+/**
+ * API module exports for @casfa/client
+ */
+
+type index_CognitoConfig = CognitoConfig;
+type index_CommitDepotResponse = CommitDepotResponse;
+type index_DelegateTokenParams = DelegateTokenParams;
+type index_ListDepotsResponse = ListDepotsResponse;
+type index_ListTicketsResponse = ListTicketsResponse;
+type index_ListTokensParams = ListTokensParams;
+type index_ListTokensResponse = ListTokensResponse;
+type index_NodeUploadResult = NodeUploadResult;
+type index_SubmitTicketResponse = SubmitTicketResponse;
+type index_TokenResponse = TokenResponse;
+type index_UserInfo = UserInfo;
+declare const index_approveAuthRequest: typeof approveAuthRequest;
+declare const index_commitDepot: typeof commitDepot;
+declare const index_createAuthRequest: typeof createAuthRequest;
+declare const index_createDepot: typeof createDepot;
+declare const index_createTicket: typeof createTicket;
+declare const index_createToken: typeof createToken;
+declare const index_delegateToken: typeof delegateToken;
+declare const index_deleteDepot: typeof deleteDepot;
+declare const index_exchangeCode: typeof exchangeCode;
+declare const index_fetchServiceInfo: typeof fetchServiceInfo;
+declare const index_getAuthRequest: typeof getAuthRequest;
+declare const index_getDepot: typeof getDepot;
+declare const index_getMe: typeof getMe;
+declare const index_getNode: typeof getNode;
+declare const index_getNodeMetadata: typeof getNodeMetadata;
+declare const index_getOAuthConfig: typeof getOAuthConfig;
+declare const index_getTicket: typeof getTicket;
+declare const index_getToken: typeof getToken;
+declare const index_healthCheck: typeof healthCheck;
+declare const index_listDepots: typeof listDepots;
+declare const index_listTickets: typeof listTickets;
+declare const index_listTokens: typeof listTokens;
+declare const index_login: typeof login;
+declare const index_pollAuthRequest: typeof pollAuthRequest;
+declare const index_prepareNodes: typeof prepareNodes;
+declare const index_putNode: typeof putNode;
+declare const index_refresh: typeof refresh;
+declare const index_rejectAuthRequest: typeof rejectAuthRequest;
+declare const index_revokeToken: typeof revokeToken;
+declare const index_submitTicket: typeof submitTicket;
+declare const index_tokenResponseToStoredUserToken: typeof tokenResponseToStoredUserToken;
+declare const index_updateDepot: typeof updateDepot;
+declare namespace index {
+  export { type index_CognitoConfig as CognitoConfig, type index_CommitDepotResponse as CommitDepotResponse, type index_DelegateTokenParams as DelegateTokenParams, type index_ListDepotsResponse as ListDepotsResponse, type index_ListTicketsResponse as ListTicketsResponse, type index_ListTokensParams as ListTokensParams, type index_ListTokensResponse as ListTokensResponse, type index_NodeUploadResult as NodeUploadResult, type index_SubmitTicketResponse as SubmitTicketResponse, type index_TokenResponse as TokenResponse, type index_UserInfo as UserInfo, index_approveAuthRequest as approveAuthRequest, index_commitDepot as commitDepot, index_createAuthRequest as createAuthRequest, index_createDepot as createDepot, index_createTicket as createTicket, index_createToken as createToken, index_delegateToken as delegateToken, index_deleteDepot as deleteDepot, index_exchangeCode as exchangeCode, index_fetchServiceInfo as fetchServiceInfo, index_getAuthRequest as getAuthRequest, index_getDepot as getDepot, index_getMe as getMe, index_getNode as getNode, index_getNodeMetadata as getNodeMetadata, index_getOAuthConfig as getOAuthConfig, index_getTicket as getTicket, index_getToken as getToken, index_healthCheck as healthCheck, index_listDepots as listDepots, index_listTickets as listTickets, index_listTokens as listTokens, index_login as login, index_pollAuthRequest as pollAuthRequest, index_prepareNodes as prepareNodes, index_putNode as putNode, index_refresh as refresh, index_rejectAuthRequest as rejectAuthRequest, index_revokeToken as revokeToken, index_submitTicket as submitTicket, index_tokenResponseToStoredUserToken as tokenResponseToStoredUserToken, index_updateDepot as updateDepot };
+}
+
+export { listTokens as A, login as B, type CommitDepotResponse as C, type DelegateTokenParams as D, pollAuthRequest as E, prepareNodes as F, putNode as G, refresh as H, rejectAuthRequest as I, revokeToken as J, submitTicket as K, type ListDepotsResponse as L, tokenResponseToStoredUserToken as M, type NodeUploadResult as N, updateDepot as O, type SubmitTicketResponse as S, type TokenResponse as T, type UserInfo as U, type CognitoConfig as a, type ListTicketsResponse as b, type ListTokensParams as c, type ListTokensResponse as d, approveAuthRequest as e, commitDepot as f, createAuthRequest as g, createDepot as h, index as i, createTicket as j, createToken as k, delegateToken as l, deleteDepot as m, exchangeCode as n, fetchServiceInfo as o, getAuthRequest as p, getDepot as q, getMe as r, getNode as s, getNodeMetadata as t, getOAuthConfig as u, getTicket as v, getToken as w, healthCheck as x, listDepots as y, listTickets as z };

package/dist/index.d.ts

@@ -0,0 +1,298 @@
+import { ServiceInfo, CreateDepot, CreateDepotResponse, ListDepotsQuery, DepotDetail, UpdateDepot, DepotCommit, NodeMetadata, PrepareNodes, PrepareNodesResponse, CreateTicket, CreateTicketResponse, ListTicketsQuery, TicketDetail, TicketSubmit, CreateToken } from '@casfa/protocol';
+import { TokenState, StoredUserToken, StoredDelegateToken, StoredAccessToken, TokenStorageProvider, OnTokenChangeCallback, OnAuthRequiredCallback, FetchResult, ClientConfig } from './types/index.js';
+export { ClientError, emptyTokenState } from './types/index.js';
+import { L as ListDepotsResponse, C as CommitDepotResponse, N as NodeUploadResult, a as CognitoConfig, U as UserInfo, b as ListTicketsResponse, S as SubmitTicketResponse, c as ListTokensParams, d as ListTokensResponse, D as DelegateTokenParams } from './index-cPO-6GxE.js';
+export { i as api } from './index-cPO-6GxE.js';
+
+/**
+ * Token store - manages the three-tier token state.
+ *
+ * Provides a closure-based store for token state management with
+ * automatic persistence and change notifications.
+ */
+
+type TokenStore = {
+    /** Get current token state (immutable snapshot) */
+    getState: () => TokenState;
+    /** Set user JWT token */
+    setUser: (token: StoredUserToken | null) => void;
+    /** Set delegate token */
+    setDelegate: (token: StoredDelegateToken | null) => void;
+    /** Set access token */
+    setAccess: (token: StoredAccessToken | null) => void;
+    /** Clear all tokens */
+    clear: () => void;
+    /** Initialize from storage provider */
+    initialize: () => Promise<void>;
+};
+type TokenStoreConfig = {
+    storage?: TokenStorageProvider;
+    onTokenChange?: OnTokenChangeCallback;
+    onAuthRequired?: OnAuthRequiredCallback;
+};
+/**
+ * Create a token store instance.
+ */
+declare const createTokenStore: (config?: TokenStoreConfig) => TokenStore;
+
+/**
+ * Token selector and auto-issuer.
+ *
+ * Implements the "maximum authority" principle:
+ * - When issuing tokens, prefer User JWT (depth=0) over Delegate Token
+ * - Check issuer consistency before using existing tokens
+ * - Re-issue tokens when issuer is not maximized
+ */
+
+type TokenSelectorConfig = {
+    store: TokenStore;
+    baseUrl: string;
+    realm: string;
+    serverInfo: ServiceInfo | null;
+    defaultTokenTtl?: number;
+};
+type TokenSelector = {
+    /**
+     * Get or issue an Access Token.
+     * - If valid Access Token exists and is from max issuer, return it
+     * - Otherwise, issue a new one using User JWT or Delegate Token
+     */
+    ensureAccessToken: () => Promise<StoredAccessToken | null>;
+    /**
+     * Get or issue a Delegate Token.
+     * - If valid Delegate Token exists, return it
+     * - If User JWT exists, issue a new one
+     */
+    ensureDelegateToken: () => Promise<StoredDelegateToken | null>;
+};
+/**
+ * Create a token selector instance.
+ */
+declare const createTokenSelector: (config: TokenSelectorConfig) => TokenSelector;
+
+/**
+ * Depot methods for the stateful client.
+ */
+
+type DepotMethods = {
+    /** Create a new depot */
+    create: (params: CreateDepot) => Promise<FetchResult<CreateDepotResponse>>;
+    /** List depots */
+    list: (params?: ListDepotsQuery) => Promise<FetchResult<ListDepotsResponse>>;
+    /** Get depot details */
+    get: (depotId: string) => Promise<FetchResult<DepotDetail>>;
+    /** Update depot */
+    update: (depotId: string, params: UpdateDepot) => Promise<FetchResult<DepotDetail>>;
+    /** Delete depot */
+    delete: (depotId: string) => Promise<FetchResult<void>>;
+    /** Commit new root */
+    commit: (depotId: string, params: DepotCommit) => Promise<FetchResult<CommitDepotResponse>>;
+};
+
+/**
+ * Node methods for the stateful client.
+ */
+
+type NodeMethods = {
+    /** Get node content */
+    get: (nodeKey: string, indexPath: string) => Promise<FetchResult<Uint8Array>>;
+    /** Get node metadata */
+    getMetadata: (nodeKey: string, indexPath: string) => Promise<FetchResult<NodeMetadata>>;
+    /** Prepare nodes for upload */
+    prepare: (params: PrepareNodes) => Promise<FetchResult<PrepareNodesResponse>>;
+    /** Upload a node */
+    put: (nodeKey: string, content: Uint8Array) => Promise<FetchResult<NodeUploadResult>>;
+};
+
+/**
+ * JWT refresh management with promise deduplication.
+ */
+
+type RefreshManager = {
+    /**
+     * Ensure user token is valid, refreshing if needed.
+     * Returns the valid user token or null if refresh failed.
+     */
+    ensureValidUserToken: () => Promise<StoredUserToken | null>;
+    /**
+     * Schedule proactive refresh before expiration.
+     */
+    scheduleProactiveRefresh: () => void;
+    /**
+     * Cancel any scheduled refresh.
+     */
+    cancelScheduledRefresh: () => void;
+};
+type RefreshManagerConfig = {
+    store: TokenStore;
+    baseUrl: string;
+    onAuthRequired?: OnAuthRequiredCallback;
+};
+/**
+ * Create a refresh manager for JWT token refresh.
+ */
+declare const createRefreshManager: (config: RefreshManagerConfig) => RefreshManager;
+
+/**
+ * OAuth methods for the stateful client.
+ */
+
+type OAuthMethods = {
+    /** Get Cognito configuration */
+    getConfig: () => Promise<FetchResult<CognitoConfig>>;
+    /** Login with email and password */
+    login: (email: string, password: string) => Promise<FetchResult<UserInfo>>;
+    /** Exchange authorization code for tokens */
+    exchangeCode: (code: string, redirectUri: string, codeVerifier?: string) => Promise<FetchResult<UserInfo>>;
+    /** Get current user info */
+    getMe: () => Promise<FetchResult<UserInfo>>;
+};
+
+/**
+ * Ticket methods for the stateful client.
+ *
+ * Design Principle: All Realm data operations use Access Token.
+ * Delegate Token is only for issuing tokens.
+ *
+ * Two-step Ticket creation flow:
+ *   1. Issue Access Token using tokens.delegate() (requires Delegate Token)
+ *   2. Create Ticket using tickets.create() (requires Access Token)
+ */
+
+type TicketMethods = {
+    /**
+     * Create a new ticket and bind a pre-issued Access Token.
+     * Requires Access Token.
+     *
+     * Note: The Access Token to bind must be issued first using tokens.delegate().
+     *
+     * @param params.accessTokenId - Pre-issued Access Token ID to bind (for Tool use)
+     */
+    create: (params: CreateTicket) => Promise<FetchResult<CreateTicketResponse>>;
+    /** List tickets */
+    list: (params?: ListTicketsQuery) => Promise<FetchResult<ListTicketsResponse>>;
+    /** Get ticket details */
+    get: (ticketId: string) => Promise<FetchResult<TicketDetail>>;
+    /** Submit ticket */
+    submit: (ticketId: string, params: TicketSubmit) => Promise<FetchResult<SubmitTicketResponse>>;
+};
+
+/**
+ * Token management methods for the stateful client.
+ */
+
+type TokenMethods = {
+    /** Create a new token (User JWT required) */
+    create: (params: CreateToken) => Promise<FetchResult<StoredDelegateToken | StoredAccessToken>>;
+    /** List tokens (User JWT required) */
+    list: (params?: ListTokensParams) => Promise<FetchResult<ListTokensResponse>>;
+    /** Revoke a token (User JWT required) */
+    revoke: (tokenId: string) => Promise<FetchResult<void>>;
+    /** Delegate a token using current Delegate Token */
+    delegate: (params: DelegateTokenParams) => Promise<FetchResult<StoredDelegateToken | StoredAccessToken>>;
+};
+
+/**
+ * Stateful CASFA Client
+ *
+ * A closure-based client that manages three-tier token hierarchy:
+ * - User JWT: OAuth login token, highest authority
+ * - Delegate Token: Re-delegation token, can issue child tokens
+ * - Access Token: Data access token, used for CAS operations
+ */
+
+/**
+ * The stateful CASFA client.
+ */
+type CasfaClient = {
+    /** Get current token state */
+    getState: () => TokenState;
+    /** Get server info */
+    getServerInfo: () => ServiceInfo | null;
+    /** Set delegate token (e.g., from external source) */
+    setDelegateToken: (token: StoredDelegateToken) => void;
+    /** Set access token (e.g., from external source) */
+    setAccessToken: (token: StoredAccessToken) => void;
+    /** Clear all tokens and logout */
+    logout: () => void;
+    /** OAuth methods */
+    oauth: OAuthMethods;
+    /** Token management methods */
+    tokens: TokenMethods;
+    /** Ticket methods */
+    tickets: TicketMethods;
+    /** Depot methods */
+    depots: DepotMethods;
+    /** Node methods */
+    nodes: NodeMethods;
+};
+/**
+ * Create a stateful CASFA client.
+ */
+declare const createClient: (config: ClientConfig) => Promise<CasfaClient>;
+
+/**
+ * Token validity and issuer consistency checks.
+ */
+
+/**
+ * Default buffer time before expiration (60 seconds).
+ */
+declare const DEFAULT_EXPIRY_BUFFER_MS = 60000;
+/**
+ * Check if a token is valid (not expired with buffer).
+ */
+declare const isTokenValid: (token: {
+    expiresAt: number;
+} | null, bufferMs?: number) => boolean;
+/**
+ * Check if token is expiring soon and should be refreshed proactively.
+ * Used for JWT refresh scheduling.
+ */
+declare const isTokenExpiringSoon: (token: {
+    expiresAt: number;
+} | null, windowMs?: number) => boolean;
+/**
+ * Check if user JWT is valid.
+ */
+declare const isUserTokenValid: (userToken: StoredUserToken | null, bufferMs?: number) => boolean;
+/**
+ * Check if delegate token is valid.
+ */
+declare const isDelegateTokenValid: (delegateToken: StoredDelegateToken | null, bufferMs?: number) => boolean;
+/**
+ * Check if access token is valid.
+ */
+declare const isAccessTokenValid: (accessToken: StoredAccessToken | null, bufferMs?: number) => boolean;
+/**
+ * Get the current max issuer ID.
+ * Priority: User JWT (userId) > Delegate Token (tokenId)
+ */
+declare const getMaxIssuerId: (state: TokenState) => string | null;
+/**
+ * Check if access token is issued by the current max issuer.
+ * If not, the access token should be re-issued.
+ */
+declare const isAccessTokenFromMaxIssuer: (state: TokenState) => boolean;
+/**
+ * Check if delegate token is issued by current user.
+ * If user JWT exists but delegate token is from a different user,
+ * we may want to re-issue the delegate token.
+ */
+declare const isDelegateTokenFromCurrentUser: (state: TokenState) => boolean;
+/**
+ * Determine if access token needs re-issue.
+ * Returns true if:
+ * - Access token is invalid/expired
+ * - Access token's issuer is not the current max issuer
+ */
+declare const shouldReissueAccessToken: (state: TokenState) => boolean;
+/**
+ * Determine if delegate token needs re-issue.
+ * Returns true if:
+ * - Delegate token is invalid/expired
+ * - User token exists but delegate token is not from current user
+ */
+declare const shouldReissueDelegateToken: (state: TokenState) => boolean;
+
+export { type CasfaClient, ClientConfig, DEFAULT_EXPIRY_BUFFER_MS, type DepotMethods, FetchResult, type NodeMethods, type OAuthMethods, OnAuthRequiredCallback, OnTokenChangeCallback, type RefreshManager, StoredAccessToken, StoredDelegateToken, StoredUserToken, type TicketMethods, type TokenMethods, type TokenSelector, TokenState, TokenStorageProvider, type TokenStore, createClient, createRefreshManager, createTokenSelector, createTokenStore, getMaxIssuerId, isAccessTokenFromMaxIssuer, isAccessTokenValid, isDelegateTokenFromCurrentUser, isDelegateTokenValid, isTokenExpiringSoon, isTokenValid, isUserTokenValid, shouldReissueAccessToken, shouldReissueDelegateToken };