@cobaltcore-dev/aurora 0.5.0 → 0.7.0

package/dist/server/index.d.ts

@@ -1,4 +1,13 @@
-import { FastifyInstance } from 'fastify';
+import * as fastify from 'fastify';
+import { FastifyInstance, FastifyRequest } from 'fastify';
+import * as _trpc_server from '@trpc/server';
+import { AnyRouter } from '@trpc/server';
+import * as _cobaltcore_dev_signal_openstack from '@cobaltcore-dev/signal-openstack';
+import { SignalOpenstackSessionType } from '@cobaltcore-dev/signal-openstack';
+import { ProxyConfig } from './shared-types';
+import * as fastify_types_type_provider from 'fastify/types/type-provider';
+import * as http from 'http';
+import { z } from 'zod';
 
 declare module "fastify" {
     interface FastifyRequest {
@@ -34,8 +43,568 @@ interface AuroraServerConfig {
      * over the legacy in-tree permission_custom_policies/ directory.
      */
     policyDir: string;
+    /**
+     * Additional tRPC routers to merge into the Aurora router at startup.
+     *
+     * Routers passed here share the same Fastify request context as the built-in
+     * Aurora routers (session cookies, OpenStack client, rescoping helpers).
+     *
+     * **Requirements:**
+     * - Routers MUST be created with the `auroraRouter` function exported from
+     *   `@cobaltcore-dev/aurora/server`. Using a different `initTRPC` instance
+     *   produces an incompatible context type and will cause runtime failures when
+     *   procedures attempt to access `ctx.openstack`, `ctx.validateSession`, etc.
+     * - Use `protectedProcedure` (or `projectScopedProcedure` /
+     *   `domainScopedProcedure`) for any procedure that requires an authenticated
+     *   session. All of these are exported from `@cobaltcore-dev/aurora/server`.
+     *
+     * @example
+     * ```ts
+     * import { auroraRouter, protectedProcedure, createServer } from "@cobaltcore-dev/aurora/server"
+     * import { z } from "zod"
+     *
+     * const customRouter = auroraRouter({
+     *   feedback: protectedProcedure
+     *     .input(z.object({ message: z.string() }))
+     *     .mutation(async ({ input }) => ({ status: "received" })),
+     * })
+     *
+     * createServer({ ..., routers: [customRouter] })
+     * ```
+     */
+    routers?: AnyRouter[];
 }
 
 declare function createServer(config: AuroraServerConfig): Promise<FastifyInstance>;
 
-export { type AuroraServerConfig, createServer };
+interface AuroraContext {
+    validateSession: () => boolean;
+    openstack?: Awaited<SignalOpenstackSessionType>;
+    signal: AbortSignal;
+    getUserInfo?: () => Promise<{
+        availableDomains: Array<{
+            id: string;
+            name: string;
+        }>;
+    } | undefined>;
+}
+interface FormFieldData {
+    [key: string]: string | string[];
+}
+interface AuroraPortalContext extends AuroraContext {
+    req: FastifyRequest;
+    /** Normalised identity endpoint (always ends with /) */
+    identityEndpoint: string;
+    /** Ceph/S3 region from consumer config */
+    cephRegion?: string;
+    /** Parsed list of image metadata keys excluded from the UI */
+    imageMetadataExcludedProperties: string[];
+    createSession: (params: {
+        user: string;
+        password: string;
+        domain: string;
+    }) => SignalOpenstackSessionType;
+    rescopeSession: (scope: {
+        projectId?: string;
+        domainId?: string;
+    }) => Promise<Awaited<SignalOpenstackSessionType | null>>;
+    terminateSession: () => Promise<void>;
+    formFields?: FormFieldData;
+}
+
+interface RequestParams {
+    method: "GET" | "POST" | "PUT" | "DELETE" | "PATCH" | "HEAD";
+    path: string;
+    options?: {
+        host?: string;
+        headers?: Record<string, string>;
+        body?: string | object | FormData | Blob | ArrayBuffer | ReadableStream;
+        queryParams?: Record<string, string | string[] | number | boolean | null | undefined>;
+        signal?: AbortSignal;
+        debug?: boolean;
+        proxy?: ProxyConfig;
+    };
+}
+type ActionBody = NonNullable<RequestParams["options"]>["body"];
+type ActionPath = RequestParams["path"];
+
+declare const auroraRouter: _trpc_server.TRPCRouterBuilder<{
+    ctx: AuroraPortalContext;
+    meta: object;
+    errorShape: _trpc_server.TRPCDefaultErrorShape;
+    transformer: false;
+}>;
+declare const publicProcedure: _trpc_server.TRPCProcedureBuilder<AuroraPortalContext, object, object, _trpc_server.TRPCUnsetMarker, _trpc_server.TRPCUnsetMarker, _trpc_server.TRPCUnsetMarker, _trpc_server.TRPCUnsetMarker, false>;
+declare const protectedProcedure: _trpc_server.TRPCProcedureBuilder<AuroraPortalContext, object, {
+    req: fastify.FastifyRequest<fastify.RouteGenericInterface, fastify.RawServerDefault, http.IncomingMessage, fastify.FastifySchema, fastify.FastifyTypeProviderDefault, unknown, fastify.FastifyBaseLogger, fastify_types_type_provider.ResolveFastifyRequestType<fastify.FastifyTypeProviderDefault, fastify.FastifySchema, fastify.RouteGenericInterface>>;
+    signal: AbortSignal;
+    createSession: (params: {
+        user: string;
+        password: string;
+        domain: string;
+    }) => _cobaltcore_dev_signal_openstack.SignalOpenstackSessionType;
+    rescopeSession: (scope: {
+        projectId?: string;
+        domainId?: string;
+    }) => Promise<Awaited<_cobaltcore_dev_signal_openstack.SignalOpenstackSessionType | null>>;
+    identityEndpoint: string;
+    cephRegion: string | undefined;
+    terminateSession: () => Promise<void>;
+    validateSession: () => boolean;
+    openstack: {
+        service: (name: string, serviceDefaultOptions?: _cobaltcore_dev_signal_openstack.SignalOpenstackOptions) => {
+            availableEndpoints: () => {
+                id: string;
+                interface: string;
+                region: string;
+                region_id: string;
+                url: string;
+            }[] | undefined;
+            getEndpoint: (options?: {
+                region?: string;
+                interfaceName?: string;
+            }) => string | null;
+            head: (path: ActionPath, options?: _cobaltcore_dev_signal_openstack.ServiceActionOptions) => Promise<Response>;
+            get: (path: ActionPath, options?: _cobaltcore_dev_signal_openstack.ServiceActionOptions) => Promise<Response>;
+            post: (path: ActionPath, values: ActionBody, options?: _cobaltcore_dev_signal_openstack.ServiceActionOptions) => Promise<Response>;
+            put: (path: ActionPath, values: ActionBody, options?: _cobaltcore_dev_signal_openstack.ServiceActionOptions) => Promise<Response>;
+            patch: (path: ActionPath, values: ActionBody, options?: _cobaltcore_dev_signal_openstack.ServiceActionOptions) => Promise<Response>;
+            del: (path: ActionPath, options?: _cobaltcore_dev_signal_openstack.ServiceActionOptions) => Promise<Response>;
+            cancellableHead: (path: ActionPath, options?: _cobaltcore_dev_signal_openstack.ServiceActionOptions) => _cobaltcore_dev_signal_openstack.CancellableRequest<Response>;
+            cancellableGet: (path: ActionPath, options?: _cobaltcore_dev_signal_openstack.ServiceActionOptions) => _cobaltcore_dev_signal_openstack.CancellableRequest<Response>;
+            cancellablePost: (path: ActionPath, values: ActionBody, options?: _cobaltcore_dev_signal_openstack.ServiceActionOptions) => _cobaltcore_dev_signal_openstack.CancellableRequest<Response>;
+            cancellablePut: (path: ActionPath, values: ActionBody, options?: _cobaltcore_dev_signal_openstack.ServiceActionOptions) => _cobaltcore_dev_signal_openstack.CancellableRequest<Response>;
+            cancellablePatch: (path: ActionPath, values: ActionBody, options?: _cobaltcore_dev_signal_openstack.ServiceActionOptions) => _cobaltcore_dev_signal_openstack.CancellableRequest<Response>;
+            cancellableDel: (path: ActionPath, options?: _cobaltcore_dev_signal_openstack.ServiceActionOptions) => _cobaltcore_dev_signal_openstack.CancellableRequest<Response>;
+        };
+        hasService: (name: string) => boolean;
+        terminate: () => Promise<void>;
+        rescope: (scope: _cobaltcore_dev_signal_openstack.AuthConfig["auth"]["scope"]) => Promise<void>;
+        getToken: () => {
+            authToken: string;
+            tokenData: {
+                application_credential?: {
+                    id: string;
+                    name: string;
+                    restricted: boolean;
+                };
+                audit_ids?: string[];
+                catalog?: {
+                    endpoints: {
+                        id: string;
+                        interface: string;
+                        region: string;
+                        region_id: string;
+                        url: string;
+                    }[];
+                    type: string;
+                    id: string;
+                    name: string;
+                }[];
+                expires_at: string;
+                issued_at: string;
+                methods: string[];
+                roles: {
+                    id: string;
+                    name: string;
+                }[];
+                system: {
+                    all: boolean;
+                };
+                project?: {
+                    domain?: {
+                        id?: string;
+                        name?: string;
+                    };
+                    id?: string;
+                    name?: string;
+                };
+                domain?: {
+                    id?: string;
+                    name?: string;
+                };
+                user: {
+                    domain: {
+                        id: string;
+                        name: string;
+                    };
+                    id: string;
+                    name: string;
+                    password_expires_at: string;
+                };
+            };
+            isExpired: () => boolean;
+            expiresAtDate: Date;
+            availableRegions: string[];
+            serviceEndpoint: (nameOrType: string, { region, interfaceName }: {
+                region?: string;
+                interfaceName: string;
+            }) => string | null;
+            hasService: (nameOrType: string) => boolean;
+            hasRole: (name: string) => boolean;
+        } | undefined;
+        isValid: () => boolean | "" | undefined;
+    } | undefined;
+    getUserInfo: (() => Promise<{
+        availableDomains: Array<{
+            id: string;
+            name: string;
+        }>;
+    } | undefined>) | undefined;
+    imageMetadataExcludedProperties: string[];
+    formFields: FormFieldData | undefined;
+}, _trpc_server.TRPCUnsetMarker, _trpc_server.TRPCUnsetMarker, _trpc_server.TRPCUnsetMarker, _trpc_server.TRPCUnsetMarker, false>;
+/**
+ * Base input schema that all project-scoped procedures must extend
+ * Ensures project_id is always present and validated
+ */
+declare const projectScopedInputSchema: z.ZodObject<{
+    project_id: z.ZodString;
+}, z.core.$strip>;
+/**
+ * Base input schema that all domain-scoped procedures must extend
+ * Ensures domain_id is always present and validated
+ */
+declare const domainScopedInputSchema: z.ZodObject<{
+    domain_id: z.ZodString;
+}, z.core.$strip>;
+/**
+ * Project-scoped procedure middleware
+ *
+ * Automatically handles OpenStack token rescoping to a specific project.
+ * This middleware ensures that all subsequent API calls have the correct
+ * project-scoped token, which is required for accessing project-level resources
+ * like compute instances, networks, volumes, etc.
+ *
+ * Requirements:
+ * - User must be authenticated (extends protectedProcedure)
+ * - Input is pre-validated with projectScopedInputSchema (base schema applied)
+ * - Additional input fields can be added by extending the base schema
+ *
+ * Behavior:
+ * - Validates project_id through Zod schema (no manual validation needed)
+ * - Rescopes the OpenStack session to the specified project using Keystone
+ * - Caches the scoped token in a cookie to avoid unnecessary rescoping on subsequent requests
+ * - Passes the rescoped session to downstream procedures via ctx.openstack
+ *
+ * Error handling:
+ * - BAD_REQUEST: If project_id is missing or invalid (handled by Zod schema)
+ * - UNAUTHORIZED: If token rescoping fails, including when the session cannot be
+ *   rescoped to the specified project (for example, due to an invalid token,
+ *   Keystone unavailability, or missing role assignment on that project)
+ *
+ * Usage example:
+ * ```ts
+ * export const computeRouter = {
+ *   listServers: projectScopedProcedure
+ *     .input(projectScopedInputSchema.extend({ limit: z.number().optional() }))
+ *     .query(async ({ ctx, input }) => {
+ *       // Token is already rescoped to the project
+ *       const compute = ctx.openstack.service("compute")
+ *       return compute.servers.list()
+ *     })
+ * }
+ * ```
+ *
+ * @important When extending the input schema, use projectScopedInputSchema.extend({ ... })
+ */
+declare const projectScopedProcedure: _trpc_server.TRPCProcedureBuilder<AuroraPortalContext, object, {
+    req: fastify.FastifyRequest<fastify.RouteGenericInterface, fastify.RawServerDefault, http.IncomingMessage, fastify.FastifySchema, fastify.FastifyTypeProviderDefault, unknown, fastify.FastifyBaseLogger, fastify_types_type_provider.ResolveFastifyRequestType<fastify.FastifyTypeProviderDefault, fastify.FastifySchema, fastify.RouteGenericInterface>>;
+    signal: AbortSignal;
+    createSession: (params: {
+        user: string;
+        password: string;
+        domain: string;
+    }) => _cobaltcore_dev_signal_openstack.SignalOpenstackSessionType;
+    rescopeSession: (scope: {
+        projectId?: string;
+        domainId?: string;
+    }) => Promise<Awaited<_cobaltcore_dev_signal_openstack.SignalOpenstackSessionType | null>>;
+    identityEndpoint: string;
+    cephRegion: string | undefined;
+    terminateSession: () => Promise<void>;
+    validateSession: () => boolean;
+    openstack: {
+        service: (name: string, serviceDefaultOptions?: _cobaltcore_dev_signal_openstack.SignalOpenstackOptions) => {
+            availableEndpoints: () => {
+                id: string;
+                interface: string;
+                region: string;
+                region_id: string;
+                url: string;
+            }[] | undefined;
+            getEndpoint: (options?: {
+                region?: string;
+                interfaceName?: string;
+            }) => string | null;
+            head: (path: ActionPath, options?: _cobaltcore_dev_signal_openstack.ServiceActionOptions) => Promise<Response>;
+            get: (path: ActionPath, options?: _cobaltcore_dev_signal_openstack.ServiceActionOptions) => Promise<Response>;
+            post: (path: ActionPath, values: ActionBody, options?: _cobaltcore_dev_signal_openstack.ServiceActionOptions) => Promise<Response>;
+            put: (path: ActionPath, values: ActionBody, options?: _cobaltcore_dev_signal_openstack.ServiceActionOptions) => Promise<Response>;
+            patch: (path: ActionPath, values: ActionBody, options?: _cobaltcore_dev_signal_openstack.ServiceActionOptions) => Promise<Response>;
+            del: (path: ActionPath, options?: _cobaltcore_dev_signal_openstack.ServiceActionOptions) => Promise<Response>;
+            cancellableHead: (path: ActionPath, options?: _cobaltcore_dev_signal_openstack.ServiceActionOptions) => _cobaltcore_dev_signal_openstack.CancellableRequest<Response>;
+            cancellableGet: (path: ActionPath, options?: _cobaltcore_dev_signal_openstack.ServiceActionOptions) => _cobaltcore_dev_signal_openstack.CancellableRequest<Response>;
+            cancellablePost: (path: ActionPath, values: ActionBody, options?: _cobaltcore_dev_signal_openstack.ServiceActionOptions) => _cobaltcore_dev_signal_openstack.CancellableRequest<Response>;
+            cancellablePut: (path: ActionPath, values: ActionBody, options?: _cobaltcore_dev_signal_openstack.ServiceActionOptions) => _cobaltcore_dev_signal_openstack.CancellableRequest<Response>;
+            cancellablePatch: (path: ActionPath, values: ActionBody, options?: _cobaltcore_dev_signal_openstack.ServiceActionOptions) => _cobaltcore_dev_signal_openstack.CancellableRequest<Response>;
+            cancellableDel: (path: ActionPath, options?: _cobaltcore_dev_signal_openstack.ServiceActionOptions) => _cobaltcore_dev_signal_openstack.CancellableRequest<Response>;
+        };
+        hasService: (name: string) => boolean;
+        terminate: () => Promise<void>;
+        rescope: (scope: _cobaltcore_dev_signal_openstack.AuthConfig["auth"]["scope"]) => Promise<void>;
+        getToken: () => {
+            authToken: string;
+            tokenData: {
+                application_credential?: {
+                    id: string;
+                    name: string;
+                    restricted: boolean;
+                };
+                audit_ids?: string[];
+                catalog?: {
+                    endpoints: {
+                        id: string;
+                        interface: string;
+                        region: string;
+                        region_id: string;
+                        url: string;
+                    }[];
+                    type: string;
+                    id: string;
+                    name: string;
+                }[];
+                expires_at: string;
+                issued_at: string;
+                methods: string[];
+                roles: {
+                    id: string;
+                    name: string;
+                }[];
+                system: {
+                    all: boolean;
+                };
+                project?: {
+                    domain?: {
+                        id?: string;
+                        name?: string;
+                    };
+                    id?: string;
+                    name?: string;
+                };
+                domain?: {
+                    id?: string;
+                    name?: string;
+                };
+                user: {
+                    domain: {
+                        id: string;
+                        name: string;
+                    };
+                    id: string;
+                    name: string;
+                    password_expires_at: string;
+                };
+            };
+            isExpired: () => boolean;
+            expiresAtDate: Date;
+            availableRegions: string[];
+            serviceEndpoint: (nameOrType: string, { region, interfaceName }: {
+                region?: string;
+                interfaceName: string;
+            }) => string | null;
+            hasService: (nameOrType: string) => boolean;
+            hasRole: (name: string) => boolean;
+        } | undefined;
+        isValid: () => boolean | "" | undefined;
+    };
+    getUserInfo: (() => Promise<{
+        availableDomains: Array<{
+            id: string;
+            name: string;
+        }>;
+    } | undefined>) | undefined;
+    imageMetadataExcludedProperties: string[];
+    formFields: FormFieldData | undefined;
+}, {
+    project_id: string;
+}, {
+    project_id: string;
+}, _trpc_server.TRPCUnsetMarker, _trpc_server.TRPCUnsetMarker, false>;
+/**
+ * Domain-scoped procedure middleware
+ *
+ * Automatically handles OpenStack token rescoping to a specific domain.
+ * This middleware ensures that all subsequent API calls have the correct
+ * domain-scoped token, which is required for accessing domain-level resources
+ * and performing administrative operations like user management, project creation, etc.
+ *
+ * Requirements:
+ * - User must be authenticated (extends protectedProcedure)
+ * - Input is pre-validated with domainScopedInputSchema (base schema applied)
+ * - User must have access to the requested domain (validated via lazy-loaded getUserInfo)
+ * - Additional input fields can be added by extending the base schema
+ *
+ * Behavior:
+ * - Validates domain_id through Zod schema (no manual validation needed)
+ * - Lazy-loads user info (calls /v3/auth/domains) only when this procedure is invoked
+ * - Verifies that the domain is in the user's available domains list
+ * - Rescopes the OpenStack session to the specified domain using Keystone
+ * - Keystone enforces permissions based on user's actual role assignments in that domain
+ * - Caches the scoped token in a cookie to avoid unnecessary rescoping on subsequent requests
+ * - Passes the rescoped session to downstream procedures via ctx.openstack
+ *
+ * Performance:
+ * - User info is fetched lazily (only when domainScopedProcedure is used)
+ * - This avoids unnecessary Keystone API calls for project-scoped or public procedures
+ * - User info is cached per session to avoid repeated API calls
+ *
+ * Error handling:
+ * - BAD_REQUEST: If domain_id is missing or invalid (handled by Zod schema)
+ * - FORBIDDEN: If user lacks access to the requested domain
+ * - UNAUTHORIZED: If token rescoping fails (e.g., invalid token, Keystone unavailable)
+ *
+ * Note: We don't check for specific role names (like "admin") because OpenStack roles
+ * are configurable. Instead, we rely on Keystone to enforce permissions when rescoping.
+ *
+ * Usage example:
+ * ```ts
+ * export const identityRouter = {
+ *   listUsers: domainScopedProcedure
+ *     .input(domainScopedInputSchema.extend({ includeDisabled: z.boolean().optional() }))
+ *     .query(async ({ ctx, input }) => {
+ *       // Token is already rescoped to the domain
+ *       // Keystone has validated user's permissions in this domain
+ *       const identity = ctx.openstack.service("identity")
+ *       return identity.users.list()
+ *     })
+ * }
+ * ```
+ *
+ * @important When extending the input schema, use domainScopedInputSchema.extend({ ... })
+ */
+declare const domainScopedProcedure: _trpc_server.TRPCProcedureBuilder<AuroraPortalContext, object, {
+    req: fastify.FastifyRequest<fastify.RouteGenericInterface, fastify.RawServerDefault, http.IncomingMessage, fastify.FastifySchema, fastify.FastifyTypeProviderDefault, unknown, fastify.FastifyBaseLogger, fastify_types_type_provider.ResolveFastifyRequestType<fastify.FastifyTypeProviderDefault, fastify.FastifySchema, fastify.RouteGenericInterface>>;
+    signal: AbortSignal;
+    createSession: (params: {
+        user: string;
+        password: string;
+        domain: string;
+    }) => _cobaltcore_dev_signal_openstack.SignalOpenstackSessionType;
+    rescopeSession: (scope: {
+        projectId?: string;
+        domainId?: string;
+    }) => Promise<Awaited<_cobaltcore_dev_signal_openstack.SignalOpenstackSessionType | null>>;
+    identityEndpoint: string;
+    cephRegion: string | undefined;
+    terminateSession: () => Promise<void>;
+    validateSession: () => boolean;
+    openstack: {
+        service: (name: string, serviceDefaultOptions?: _cobaltcore_dev_signal_openstack.SignalOpenstackOptions) => {
+            availableEndpoints: () => {
+                id: string;
+                interface: string;
+                region: string;
+                region_id: string;
+                url: string;
+            }[] | undefined;
+            getEndpoint: (options?: {
+                region?: string;
+                interfaceName?: string;
+            }) => string | null;
+            head: (path: ActionPath, options?: _cobaltcore_dev_signal_openstack.ServiceActionOptions) => Promise<Response>;
+            get: (path: ActionPath, options?: _cobaltcore_dev_signal_openstack.ServiceActionOptions) => Promise<Response>;
+            post: (path: ActionPath, values: ActionBody, options?: _cobaltcore_dev_signal_openstack.ServiceActionOptions) => Promise<Response>;
+            put: (path: ActionPath, values: ActionBody, options?: _cobaltcore_dev_signal_openstack.ServiceActionOptions) => Promise<Response>;
+            patch: (path: ActionPath, values: ActionBody, options?: _cobaltcore_dev_signal_openstack.ServiceActionOptions) => Promise<Response>;
+            del: (path: ActionPath, options?: _cobaltcore_dev_signal_openstack.ServiceActionOptions) => Promise<Response>;
+            cancellableHead: (path: ActionPath, options?: _cobaltcore_dev_signal_openstack.ServiceActionOptions) => _cobaltcore_dev_signal_openstack.CancellableRequest<Response>;
+            cancellableGet: (path: ActionPath, options?: _cobaltcore_dev_signal_openstack.ServiceActionOptions) => _cobaltcore_dev_signal_openstack.CancellableRequest<Response>;
+            cancellablePost: (path: ActionPath, values: ActionBody, options?: _cobaltcore_dev_signal_openstack.ServiceActionOptions) => _cobaltcore_dev_signal_openstack.CancellableRequest<Response>;
+            cancellablePut: (path: ActionPath, values: ActionBody, options?: _cobaltcore_dev_signal_openstack.ServiceActionOptions) => _cobaltcore_dev_signal_openstack.CancellableRequest<Response>;
+            cancellablePatch: (path: ActionPath, values: ActionBody, options?: _cobaltcore_dev_signal_openstack.ServiceActionOptions) => _cobaltcore_dev_signal_openstack.CancellableRequest<Response>;
+            cancellableDel: (path: ActionPath, options?: _cobaltcore_dev_signal_openstack.ServiceActionOptions) => _cobaltcore_dev_signal_openstack.CancellableRequest<Response>;
+        };
+        hasService: (name: string) => boolean;
+        terminate: () => Promise<void>;
+        rescope: (scope: _cobaltcore_dev_signal_openstack.AuthConfig["auth"]["scope"]) => Promise<void>;
+        getToken: () => {
+            authToken: string;
+            tokenData: {
+                application_credential?: {
+                    id: string;
+                    name: string;
+                    restricted: boolean;
+                };
+                audit_ids?: string[];
+                catalog?: {
+                    endpoints: {
+                        id: string;
+                        interface: string;
+                        region: string;
+                        region_id: string;
+                        url: string;
+                    }[];
+                    type: string;
+                    id: string;
+                    name: string;
+                }[];
+                expires_at: string;
+                issued_at: string;
+                methods: string[];
+                roles: {
+                    id: string;
+                    name: string;
+                }[];
+                system: {
+                    all: boolean;
+                };
+                project?: {
+                    domain?: {
+                        id?: string;
+                        name?: string;
+                    };
+                    id?: string;
+                    name?: string;
+                };
+                domain?: {
+                    id?: string;
+                    name?: string;
+                };
+                user: {
+                    domain: {
+                        id: string;
+                        name: string;
+                    };
+                    id: string;
+                    name: string;
+                    password_expires_at: string;
+                };
+            };
+            isExpired: () => boolean;
+            expiresAtDate: Date;
+            availableRegions: string[];
+            serviceEndpoint: (nameOrType: string, { region, interfaceName }: {
+                region?: string;
+                interfaceName: string;
+            }) => string | null;
+            hasService: (nameOrType: string) => boolean;
+            hasRole: (name: string) => boolean;
+        } | undefined;
+        isValid: () => boolean | "" | undefined;
+    };
+    getUserInfo: (() => Promise<{
+        availableDomains: Array<{
+            id: string;
+            name: string;
+        }>;
+    } | undefined>) | undefined;
+    imageMetadataExcludedProperties: string[];
+    formFields: FormFieldData | undefined;
+}, {
+    domain_id: string;
+}, {
+    domain_id: string;
+}, _trpc_server.TRPCUnsetMarker, _trpc_server.TRPCUnsetMarker, false>;
+
+export { type AuroraServerConfig, auroraRouter, createServer, domainScopedInputSchema, domainScopedProcedure, projectScopedInputSchema, projectScopedProcedure, protectedProcedure, publicProcedure };