@dudousxd/adonis-authkit-server 0.6.0 → 0.8.0

package/build/host/views/account/security.edge

@@ -33,13 +33,26 @@
       <div class="mb-6 rounded-xl bg-white p-6 shadow-sm ring-1 ring-black/5">
         <h2 class="mb-1 text-sm font-semibold text-gray-900">{{ t('account.profile.section') }}</h2>
         <p class="mb-4 text-xs text-gray-500">{{ t('account.profile.intro') }}</p>
-        <form method="POST" action="/account/security/profile" class="space-y-4">
+        <form method="POST" action="/account/security/profile" enctype="multipart/form-data" class="space-y-4">
           <input type="hidden" name="_csrf" value="{{ csrfToken }}">
+          @if(avatarUrl)
+            <div>
+              <img src="{{ avatarUrl }}" alt="avatar" class="h-16 w-16 rounded-full object-cover ring-1 ring-black/5" />
+            </div>
+          @end
           <div>
             <label class="mb-1 block text-sm font-medium text-gray-700">{{ t('account.profile.name_label') }}</label>
             <input name="name" type="text" value="{{ name }}" maxlength="255"
               class="w-full rounded-lg border border-gray-300 px-3 py-2 text-sm outline-none focus:border-gray-900" />
           </div>
+          @if(avatarUploadSupported)
+            <div>
+              <label class="mb-1 block text-sm font-medium text-gray-700">{{ t('account.profile.avatar_upload_label') }}</label>
+              <input name="avatar" type="file" accept="image/jpeg,image/png,image/webp"
+                class="w-full rounded-lg border border-gray-300 px-3 py-2 text-sm outline-none focus:border-gray-900" />
+              <p class="mt-1 text-xs text-gray-500">{{ t('account.profile.avatar_upload_hint') }}</p>
+            </div>
+          @end
           <div>
             <label class="mb-1 block text-sm font-medium text-gray-700">{{ t('account.profile.avatar_label') }}</label>
             <input name="avatarUrl" type="url" value="{{ avatarUrl }}"

package/build/index.d.ts

@@ -5,8 +5,8 @@ export { withCredentials } from './src/mixins/with_credentials.js';
 export { withMfa } from './src/mixins/with_mfa.js';
 export { OidcService } from './src/provider/oidc_service.js';
 export { registerOidcRoutes } from './src/register_routes.js';
-export type { AuthServerConfigInput, ResolvedServerConfig, DynamicRegistrationConfigInput, ResolvedDynamicRegistrationConfig, AdminConfigInput, ResolvedAdminConfig, } from './src/define_config.js';
-export { resolveAdmin, resolveWebauthn, resolveDynamicRegistration } from './src/define_config.js';
+export type { AuthServerConfigInput, ResolvedServerConfig, DynamicRegistrationConfigInput, ResolvedDynamicRegistrationConfig, AdminConfigInput, ResolvedAdminConfig, AdminApiConfigInput, ResolvedAdminApiConfig, } from './src/define_config.js';
+export { resolveAdmin, resolveAdminApi, resolveWebauthn, resolveDynamicRegistration } from './src/define_config.js';
 export type { WebauthnConfigInput, ResolvedWebauthnConfig } from './src/define_config.js';
 export { resolvePasswordless } from './src/define_config.js';
 export type { PasswordlessConfigInput, ResolvedPasswordlessConfig, } from './src/define_config.js';
@@ -42,6 +42,18 @@ export type { NotificationsConfigInput, ResolvedNotificationsConfig, } from './s
 export type { RateLimitConfigInput, RateLimitBucket, ResolvedRateLimitConfig, } from './src/define_config.js';
 export { createAuthThrottles } from './src/host/rate_limit.js';
 export type { AuthThrottles, ThrottleMiddleware } from './src/host/rate_limit.js';
+/**
+ * Admin services compartilhados pelo console (B6/HTML), pela Admin REST API (R6)
+ * e pelo driver `embedded` do @dudousxd/adonis-authkit-sdk (in-process).
+ */
+export { AdminUsersService } from './src/host/admin_api/admin_users_service.js';
+export type { AdminActor, CreateUserInput as AdminCreateUserInput, CreateUserResult as AdminCreateUserResult, } from './src/host/admin_api/admin_users_service.js';
+export { AdminClientsService } from './src/host/admin_clients_service.js';
+export type { AdminClient, ClientInput as AdminClientInput, CreatedClient, TokenEndpointAuthMethod, } from './src/host/admin_clients_service.js';
+export { AdminSessionsService } from './src/host/admin_sessions_service.js';
+export type { AdminSession, AdminGrant, RevokeResult, } from './src/host/admin_sessions_service.js';
+export { TokenVerifyService } from './src/host/admin_api/token_verify_service.js';
+export type { VerifyResult } from './src/host/admin_api/token_verify_service.js';
 /**
  * Configure hook + stubsRoot resolvidos pelo `node ace configure @dudousxd/adonis-authkit-server`.
  * O comando do AdonisJS importa o entrypoint principal e procura por estes exports.

package/build/index.js

@@ -5,7 +5,7 @@ export { withCredentials } from './src/mixins/with_credentials.js';
 export { withMfa } from './src/mixins/with_mfa.js';
 export { OidcService } from './src/provider/oidc_service.js';
 export { registerOidcRoutes } from './src/register_routes.js';
-export { resolveAdmin, resolveWebauthn, resolveDynamicRegistration } from './src/define_config.js';
+export { resolveAdmin, resolveAdminApi, resolveWebauthn, resolveDynamicRegistration } from './src/define_config.js';
 export { resolvePasswordless } from './src/define_config.js';
 export { resolveTrustedDevices, isTrustedDeviceValid, buildTrustedDevicePayload, TRUSTED_DEVICE_COOKIE, } from './src/host/trusted_device.js';
 export { lucidAccountStore } from './src/accounts/lucid_account_store.js';
@@ -24,6 +24,14 @@ export { resolveMessages, translate, DEFAULT_MESSAGES, PT_BR_MESSAGES, BUILTIN_M
 export { registerAuthHost } from './src/host/register_auth_host.js';
 export { resolveRateLimit, resolveNotifications } from './src/define_config.js';
 export { createAuthThrottles } from './src/host/rate_limit.js';
+/**
+ * Admin services compartilhados pelo console (B6/HTML), pela Admin REST API (R6)
+ * e pelo driver `embedded` do @dudousxd/adonis-authkit-sdk (in-process).
+ */
+export { AdminUsersService } from './src/host/admin_api/admin_users_service.js';
+export { AdminClientsService } from './src/host/admin_clients_service.js';
+export { AdminSessionsService } from './src/host/admin_sessions_service.js';
+export { TokenVerifyService } from './src/host/admin_api/token_verify_service.js';
 /**
  * Configure hook + stubsRoot resolvidos pelo `node ace configure @dudousxd/adonis-authkit-server`.
  * O comando do AdonisJS importa o entrypoint principal e procura por estes exports.

package/build/src/define_config.d.ts

@@ -161,6 +161,31 @@ export interface ResolvedDeviceFlowConfig {
     enabled: boolean;
 }
 export declare function resolveDeviceFlow(input?: DeviceFlowConfigInput): ResolvedDeviceFlowConfig;
+/**
+ * Uploads — usa o `@adonisjs/drive` JÁ configurado no app (mesmo princípio do
+ * mailer/limiter: a infra do host por padrão, sobreponível aqui). Hoje cobre o
+ * upload de avatar no console de conta. Se o drive estiver ausente, a feature
+ * degrada para o input de URL.
+ */
+export interface UploadsConfigInput {
+    avatars?: {
+        /** Disk do `@adonisjs/drive` a usar. Default: o disk DEFAULT do app. */
+        disk?: string;
+        /** Diretório/prefixo das chaves. Default: 'authkit/avatars'. */
+        directory?: string;
+        /** Tamanho máximo em MB. Default: 5. */
+        maxSizeMb?: number;
+    };
+}
+export interface ResolvedUploadsConfig {
+    avatars: {
+        /** Disk explícito; `undefined` = disk DEFAULT do app. */
+        disk?: string;
+        directory: string;
+        maxSizeMb: number;
+    };
+}
+export declare function resolveUploads(input?: UploadsConfigInput): ResolvedUploadsConfig;
 /**
  * DPoP — Demonstrating Proof of Possession (RFC 9449). Quando habilitado, o
  * oidc-provider aceita DPoP proofs e emite tokens sender-constrained
@@ -253,6 +278,23 @@ export interface ResolvedAdminConfig {
     roles: string[];
 }
 export declare function resolveAdmin(input?: AdminConfigInput): ResolvedAdminConfig;
+/**
+ * Admin REST API (R6) — superfície de gestão machine-to-machine, consumida por um
+ * futuro SDK. Default: DESLIGADA. A autenticação é por API key (Bearer), checada
+ * em tempo constante contra `apiKeys`. Independente do console admin (B6): pode
+ * ligar uma sem a outra.
+ */
+export interface AdminApiConfigInput {
+    /** Liga a Admin REST API (`/api/authkit/v1`). Default: false. */
+    enabled: boolean;
+    /** API keys aceitas no header `Authorization: Bearer <key>`. */
+    apiKeys?: string[];
+}
+export interface ResolvedAdminApiConfig {
+    enabled: boolean;
+    apiKeys: string[];
+}
+export declare function resolveAdminApi(input?: AdminApiConfigInput): ResolvedAdminApiConfig;
 /**
  * Parâmetros do Relying Party (RP) das cerimônias WebAuthn / passkeys. Quando
  * omitidos, são derivados do `issuer`: `rpId` = hostname (sem porta), `origin` =
@@ -337,6 +379,8 @@ export interface AuthServerConfigInput {
     dynamicRegistration?: DynamicRegistrationConfigInput;
     /** Device Authorization Grant (RFC 8628). Default: desligado. */
     deviceFlow?: DeviceFlowConfigInput;
+    /** Uploads (avatar) via o `@adonisjs/drive` do app. Default: drive default, 5MB. */
+    uploads?: UploadsConfigInput;
     /** DPoP — sender-constrained tokens (RFC 9449). Default: desligado. */
     dpop?: DpopConfigInput;
     /** Pushed Authorization Requests (RFC 9126). Default: desligado. */
@@ -360,6 +404,12 @@ export interface AuthServerConfigInput {
      * (a montagem das rotas acontece antes do config resolver).
      */
     admin?: AdminConfigInput;
+    /**
+     * Admin REST API (R6). Default: desligada. Quando ligada, o host também deve
+     * passar `adminApi: true` em {@link AuthHostOptions} no registro de rotas (a
+     * montagem das rotas acontece antes do config resolver). Autenticação por API key.
+     */
+    adminApi?: AdminApiConfigInput;
 }
 export interface ResolvedServerConfig {
     issuer: string;
@@ -401,6 +451,8 @@ export interface ResolvedServerConfig {
     dynamicRegistration: ResolvedDynamicRegistrationConfig;
     /** Device Authorization Grant resolvido (default desligado). */
     deviceFlow: ResolvedDeviceFlowConfig;
+    /** Uploads resolvido (avatar via drive do app; sempre presente). */
+    uploads: ResolvedUploadsConfig;
     /** DPoP resolvido (default desligado). */
     dpop: ResolvedDpopConfig;
     /** PAR resolvido (default desligado). */
@@ -413,6 +465,8 @@ export interface ResolvedServerConfig {
     passwordless: ResolvedPasswordlessConfig;
     /** Console admin resolvido (sempre presente; default desligado). */
     admin: ResolvedAdminConfig;
+    /** Admin REST API resolvida (sempre presente; default desligada). */
+    adminApi: ResolvedAdminApiConfig;
     /** Catálogo de mensagens ativo (locale resolvido), pronto para os renderers. */
     messages: AuthMessages;
     /** Locale ativo (default 'pt-BR'). */

package/build/src/define_config.js

@@ -56,6 +56,15 @@ export function resolveDynamicRegistration(input) {
 export function resolveDeviceFlow(input) {
     return { enabled: input?.enabled ?? false };
 }
+export function resolveUploads(input) {
+    return {
+        avatars: {
+            disk: input?.avatars?.disk,
+            directory: input?.avatars?.directory ?? 'authkit/avatars',
+            maxSizeMb: input?.avatars?.maxSizeMb ?? 5,
+        },
+    };
+}
 export function resolveDpop(input) {
     return { enabled: input?.enabled ?? false };
 }
@@ -83,6 +92,12 @@ export function resolveAdmin(input) {
         roles: input?.roles && input.roles.length > 0 ? input.roles : ['ADMIN'],
     };
 }
+export function resolveAdminApi(input) {
+    return {
+        enabled: input?.enabled ?? false,
+        apiKeys: input?.apiKeys ?? [],
+    };
+}
 /**
  * Resolve os parâmetros do RP de WebAuthn a partir do `issuer` quando omitidos.
  * `rpName` cai no `fallbackName` (branding/mfaIssuer) quando ausente.
@@ -173,12 +188,14 @@ export function defineConfig(config) {
             webauthn: resolveWebauthn(config.issuer, config.mfaIssuer ?? 'AuthKit', config.webauthn),
             dynamicRegistration: resolveDynamicRegistration(config.dynamicRegistration),
             deviceFlow: resolveDeviceFlow(config.deviceFlow),
+            uploads: resolveUploads(config.uploads),
             dpop: resolveDpop(config.dpop),
             par: resolvePar(config.par),
             stepUp: resolveStepUp(config.stepUp),
             trustedDevices: resolveTrustedDevices(config.trustedDevices),
             passwordless: resolvePasswordless(config.passwordless),
             admin: resolveAdmin(config.admin),
+            adminApi: resolveAdminApi(config.adminApi),
             messages: resolveMessages(config.i18n),
             locale: config.i18n?.locale ?? 'pt-BR',
         };

package/build/src/host/admin_api/admin_api_guard.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Guard da Admin REST API (R6). Espelha o `adminGuard` do console (B6):
+ *   0. `config.adminApi.enabled` desligado → 404 (não vaza a existência da API);
+ *   1. `Authorization: Bearer <key>` ausente/inválido → 401 JSON.
+ * Sem nenhuma API key configurada, qualquer request é 401 (fail-safe). As respostas
+ * de erro seguem o envelope `{ error: { code, message } }`.
+ */
+export declare const adminApiGuard: (ctx: any, next: () => Promise<void>) => Promise<any>;

package/build/src/host/admin_api/admin_api_guard.js

@@ -0,0 +1,41 @@
+import { timingSafeEqual } from 'node:crypto';
+/**
+ * Compara o Bearer recebido contra a lista de API keys em tempo constante. Cada
+ * comparação só roda quando os comprimentos batem (o `timingSafeEqual` lança em
+ * tamanhos diferentes); o curto-circuito por comprimento NÃO vaza a key (só o seu
+ * tamanho), aceitável para um segredo de alta entropia gerado pelo operador.
+ */
+function keyMatches(header, keys) {
+    if (!header || !header.startsWith('Bearer '))
+        return false;
+    const provided = Buffer.from(header.slice(7));
+    let matched = false;
+    for (const key of keys) {
+        const expected = Buffer.from(key);
+        if (provided.length === expected.length && timingSafeEqual(provided, expected)) {
+            matched = true;
+        }
+    }
+    return matched;
+}
+/**
+ * Guard da Admin REST API (R6). Espelha o `adminGuard` do console (B6):
+ *   0. `config.adminApi.enabled` desligado → 404 (não vaza a existência da API);
+ *   1. `Authorization: Bearer <key>` ausente/inválido → 401 JSON.
+ * Sem nenhuma API key configurada, qualquer request é 401 (fail-safe). As respostas
+ * de erro seguem o envelope `{ error: { code, message } }`.
+ */
+export const adminApiGuard = async (ctx, next) => {
+    const service = await ctx.containerResolver.make('authkit.server');
+    const cfg = service.config;
+    if (!cfg.adminApi.enabled) {
+        return ctx.response.notFound();
+    }
+    const keys = cfg.adminApi.apiKeys;
+    if (keys.length === 0 || !keyMatches(ctx.request.header('authorization'), keys)) {
+        return ctx.response.unauthorized({
+            error: { code: 'unauthorized', message: 'API key ausente ou inválida.' },
+        });
+    }
+    return next();
+};

package/build/src/host/admin_api/admin_users_service.d.ts

@@ -0,0 +1,59 @@
+import type { HttpContext } from '@adonisjs/core/http';
+import type { ResolvedServerConfig } from '../../define_config.js';
+import type { AuthAccount } from '../../accounts/account_store.js';
+/** Quem disparou a operação (para auditoria). `admin-api` quando via REST API. */
+export interface AdminActor {
+    actorId: string | null;
+    ip: string | null;
+    /** Marca metadata da auditoria — 'admin-api' nas escritas via REST. */
+    source?: 'admin-api';
+}
+export interface CreateUserInput {
+    email: string;
+    name?: string | null;
+    password?: string | null;
+    /** Quando true (e sem password), cria com senha aleatória e envia convite/reset. */
+    invite?: boolean;
+}
+export type CreateUserResult = {
+    ok: true;
+    account: AuthAccount;
+    invited: boolean;
+} | {
+    ok: false;
+    reason: 'email_taken';
+};
+/**
+ * Lógica de gestão de usuários compartilhada entre o console admin (B6, HTML) e a
+ * Admin REST API (R6, JSON). Encapsula o fluxo "create + invite", reset de senha,
+ * troca de status e atualização de perfil/roles — todos auditando com o `actor`
+ * informado (`admin-api` nas chamadas REST).
+ */
+export declare class AdminUsersService {
+    private cfg;
+    constructor(cfg: ResolvedServerConfig);
+    /**
+     * Cria uma conta. Com `password`: já nasce com a senha. Sem `password` (ou
+     * `invite: true`): cria com senha aleatória forte e dispara o e-mail de reset
+     * (o usuário define a própria). Audita `user.created`.
+     */
+    create(ctx: HttpContext, input: CreateUserInput, actor: AdminActor): Promise<CreateUserResult>;
+    /** Emite token de reset + envia e-mail. Retorna a conta (ou null se inexistente). */
+    resetPassword(ctx: HttpContext, accountId: string, actor: AdminActor): Promise<AuthAccount | null>;
+    /**
+     * Habilita/desabilita uma conta. Retorna false quando o store não suporta a
+     * capacidade (o caller responde 409). Audita `user.disabled`/`user.enabled`.
+     */
+    setStatus(accountId: string, disable: boolean, actor: AdminActor): Promise<boolean>;
+    /** Substitui as roles globais de uma conta (normaliza nada — recebe array pronto). */
+    setGlobalRoles(accountId: string, roles: string[]): Promise<void>;
+    /** Atualiza nome/avatar (capacidade opcional). Retorna a conta ou null. */
+    updateProfile(accountId: string, patch: {
+        name?: string | null;
+        avatarUrl?: string | null;
+    }): Promise<AuthAccount | null>;
+    /** Indica se a conta está desabilitada (false quando a capacidade não existe). */
+    isDisabled(accountId: string): Promise<boolean>;
+    /** Emite o token de reset e dispara o e-mail (hook do config tem prioridade). */
+    private sendResetEmail;
+}

package/build/src/host/admin_api/admin_users_service.js

@@ -0,0 +1,112 @@
+import { randomBytes } from 'node:crypto';
+import { supportsAccountStatus, supportsProfile } from '../../accounts/account_store.js';
+import { sendPasswordResetEmail } from '../default_mailer.js';
+/**
+ * Lógica de gestão de usuários compartilhada entre o console admin (B6, HTML) e a
+ * Admin REST API (R6, JSON). Encapsula o fluxo "create + invite", reset de senha,
+ * troca de status e atualização de perfil/roles — todos auditando com o `actor`
+ * informado (`admin-api` nas chamadas REST).
+ */
+export class AdminUsersService {
+    cfg;
+    constructor(cfg) {
+        this.cfg = cfg;
+    }
+    /**
+     * Cria uma conta. Com `password`: já nasce com a senha. Sem `password` (ou
+     * `invite: true`): cria com senha aleatória forte e dispara o e-mail de reset
+     * (o usuário define a própria). Audita `user.created`.
+     */
+    async create(ctx, input, actor) {
+        const store = this.cfg.accountStore;
+        const existing = await store.findByEmail(input.email);
+        if (existing)
+            return { ok: false, reason: 'email_taken' };
+        const hasPassword = !!input.password;
+        const initialPassword = input.password ?? randomBytes(24).toString('hex');
+        const account = await store.create({
+            email: input.email,
+            password: initialPassword,
+            fullName: input.name ?? null,
+        });
+        await this.cfg.audit?.record({
+            type: 'user.created',
+            accountId: account.id,
+            email: input.email,
+            actorId: actor.actorId,
+            ip: actor.ip,
+            metadata: { invited: !hasPassword, ...(actor.source ? { actor: actor.source } : {}) },
+        });
+        if (!hasPassword) {
+            await this.sendResetEmail(ctx, account.email);
+        }
+        return { ok: true, account, invited: !hasPassword };
+    }
+    /** Emite token de reset + envia e-mail. Retorna a conta (ou null se inexistente). */
+    async resetPassword(ctx, accountId, actor) {
+        const account = await this.cfg.accountStore.findById(accountId);
+        if (!account)
+            return null;
+        await this.sendResetEmail(ctx, account.email);
+        await this.cfg.audit?.record({
+            type: 'user.password_reset_sent',
+            accountId,
+            email: account.email,
+            actorId: actor.actorId,
+            ip: actor.ip,
+            ...(actor.source ? { metadata: { actor: actor.source } } : {}),
+        });
+        return account;
+    }
+    /**
+     * Habilita/desabilita uma conta. Retorna false quando o store não suporta a
+     * capacidade (o caller responde 409). Audita `user.disabled`/`user.enabled`.
+     */
+    async setStatus(accountId, disable, actor) {
+        const store = this.cfg.accountStore;
+        if (!supportsAccountStatus(store))
+            return false;
+        if (disable)
+            await store.disableAccount(accountId);
+        else
+            await store.enableAccount(accountId);
+        await this.cfg.audit?.record({
+            type: disable ? 'user.disabled' : 'user.enabled',
+            accountId,
+            actorId: actor.actorId,
+            ip: actor.ip,
+            ...(actor.source ? { metadata: { actor: actor.source } } : {}),
+        });
+        return true;
+    }
+    /** Substitui as roles globais de uma conta (normaliza nada — recebe array pronto). */
+    async setGlobalRoles(accountId, roles) {
+        await this.cfg.accountStore.setGlobalRoles(accountId, roles);
+    }
+    /** Atualiza nome/avatar (capacidade opcional). Retorna a conta ou null. */
+    async updateProfile(accountId, patch) {
+        const store = this.cfg.accountStore;
+        if (!supportsProfile(store))
+            return null;
+        return store.updateProfile(accountId, patch);
+    }
+    /** Indica se a conta está desabilitada (false quando a capacidade não existe). */
+    async isDisabled(accountId) {
+        const store = this.cfg.accountStore;
+        return supportsAccountStatus(store) ? store.isDisabled(accountId) : false;
+    }
+    /** Emite o token de reset e dispara o e-mail (hook do config tem prioridade). */
+    async sendResetEmail(ctx, email) {
+        const issued = await this.cfg.accountStore.issuePasswordResetToken(email);
+        if (!issued)
+            return;
+        const origin = `${ctx.request.protocol()}://${ctx.request.host()}`;
+        const resetUrl = `${origin}/auth/reset-password?token=${encodeURIComponent(issued.token)}`;
+        if (this.cfg.mail?.onPasswordReset) {
+            await this.cfg.mail.onPasswordReset({ email, resetUrl, token: issued.token });
+        }
+        else {
+            await sendPasswordResetEmail(ctx, { email, resetUrl });
+        }
+    }
+}

package/build/src/host/admin_api/api_clients_controller.d.ts

@@ -0,0 +1,48 @@
+import '../augmentations.js';
+import type { HttpContext } from '@adonisjs/core/http';
+/**
+ * Recurso de clients OIDC da Admin REST API (R6). Reaproveita o
+ * {@link AdminClientsService} (mesmo que o console B6). O secret é retornado UMA vez
+ * em create/regenerate. Audita create/update/delete.
+ */
+export default class ApiClientsController {
+    index(ctx: HttpContext): Promise<{
+        data: {
+            clientId: string;
+            confidential: boolean;
+            grants: string[];
+            redirectUris: string[];
+            postLogoutRedirectUris: string[];
+            tokenEndpointAuthMethod: string;
+        }[];
+        canList: boolean;
+    }>;
+    show(ctx: HttpContext): Promise<void | {
+        clientId: string;
+        confidential: boolean;
+        grants: string[];
+        redirectUris: string[];
+        postLogoutRedirectUris: string[];
+        tokenEndpointAuthMethod: string;
+    }>;
+    store(ctx: HttpContext): Promise<{
+        clientId: string;
+        clientSecret: string | null;
+    }>;
+    update(ctx: HttpContext): Promise<void | {
+        clientId: string;
+        confidential: boolean;
+        grants: string[];
+        redirectUris: string[];
+        postLogoutRedirectUris: string[];
+        tokenEndpointAuthMethod: string;
+    }>;
+    regenerateSecret(ctx: HttpContext): Promise<void | {
+        clientId: any;
+        clientSecret: string;
+    }>;
+    destroy(ctx: HttpContext): Promise<{
+        clientId: any;
+        deleted: boolean;
+    }>;
+}

package/build/src/host/admin_api/api_clients_controller.js

@@ -0,0 +1,104 @@
+import '../augmentations.js';
+import { AdminClientsService } from '../admin_clients_service.js';
+import { clientDto, createdClientDto, apiError } from './dto.js';
+/** Resolve o serviço (== OidcService) + o AdminClientsService. */
+async function clientsService(ctx) {
+    const service = await ctx.containerResolver.make('authkit.server');
+    return { service, svc: new AdminClientsService(service) };
+}
+function asArray(value) {
+    if (Array.isArray(value))
+        return value.map((v) => String(v)).filter(Boolean);
+    if (typeof value === 'string' && value.trim())
+        return [value.trim()];
+    return [];
+}
+function readInput(ctx) {
+    return {
+        clientId: ctx.request.input('clientId')?.trim() || undefined,
+        redirectUris: asArray(ctx.request.input('redirectUris')),
+        postLogoutRedirectUris: asArray(ctx.request.input('postLogoutRedirectUris')),
+        grantTypes: asArray(ctx.request.input('grantTypes')),
+        tokenEndpointAuthMethod: ctx.request.input('tokenEndpointAuthMethod', 'client_secret_basic'),
+    };
+}
+/**
+ * Recurso de clients OIDC da Admin REST API (R6). Reaproveita o
+ * {@link AdminClientsService} (mesmo que o console B6). O secret é retornado UMA vez
+ * em create/regenerate. Audita create/update/delete.
+ */
+export default class ApiClientsController {
+    async index(ctx) {
+        const { svc } = await clientsService(ctx);
+        if (!svc.canList) {
+            return { data: [], canList: false };
+        }
+        const clients = await svc.list();
+        return { data: clients.map(clientDto), canList: true };
+    }
+    async show(ctx) {
+        const { svc } = await clientsService(ctx);
+        const client = await svc.find(ctx.request.param('id'));
+        if (!client)
+            return ctx.response.notFound(apiError('not_found', 'Client não encontrado.'));
+        return clientDto(client);
+    }
+    async store(ctx) {
+        const { service, svc } = await clientsService(ctx);
+        const input = readInput(ctx);
+        const created = await svc.create(input);
+        await service.config.audit?.record({
+            type: 'client.created',
+            clientId: created.clientId,
+            ip: ctx.request.ip?.() ?? null,
+            metadata: { actor: 'admin-api' },
+        });
+        ctx.response.status(201);
+        return createdClientDto(created);
+    }
+    async update(ctx) {
+        const { service, svc } = await clientsService(ctx);
+        const id = ctx.request.param('id');
+        const existing = await svc.find(id);
+        if (!existing)
+            return ctx.response.notFound(apiError('not_found', 'Client não encontrado.'));
+        await svc.update(id, readInput(ctx));
+        await service.config.audit?.record({
+            type: 'client.updated',
+            clientId: id,
+            ip: ctx.request.ip?.() ?? null,
+            metadata: { actor: 'admin-api' },
+        });
+        const updated = await svc.find(id);
+        return clientDto(updated);
+    }
+    async regenerateSecret(ctx) {
+        const { service, svc } = await clientsService(ctx);
+        const id = ctx.request.param('id');
+        try {
+            const secret = await svc.regenerateSecret(id);
+            await service.config.audit?.record({
+                type: 'client.updated',
+                clientId: id,
+                ip: ctx.request.ip?.() ?? null,
+                metadata: { actor: 'admin-api', action: 'regenerate_secret' },
+            });
+            return { clientId: id, clientSecret: secret };
+        }
+        catch (e) {
+            return ctx.response.conflict(apiError('cannot_regenerate', e.message));
+        }
+    }
+    async destroy(ctx) {
+        const { service, svc } = await clientsService(ctx);
+        const id = ctx.request.param('id');
+        await svc.delete(id);
+        await service.config.audit?.record({
+            type: 'client.deleted',
+            clientId: id,
+            ip: ctx.request.ip?.() ?? null,
+            metadata: { actor: 'admin-api' },
+        });
+        return { clientId: id, deleted: true };
+    }
+}

package/build/src/host/admin_api/api_misc_controller.d.ts

@@ -0,0 +1,17 @@
+import '../augmentations.js';
+import type { HttpContext } from '@adonisjs/core/http';
+/**
+ * Endpoints utilitários da Admin REST API: log de auditoria (`GET /audit`) e
+ * introspecção genérica de token (`POST /tokens/verify`).
+ */
+export default class ApiMiscController {
+    /** GET /audit — listagem paginada (501 JSON quando o sink não consulta). */
+    audit(ctx: HttpContext): Promise<void | {
+        data: any;
+        total: any;
+        page: number;
+        limit: number;
+    }>;
+    /** POST /tokens/verify — { token } → resultado de introspecção (PAT ou opaque AT). */
+    verify(ctx: HttpContext): Promise<void | import("./token_verify_service.js").VerifyResult>;
+}

package/build/src/host/admin_api/api_misc_controller.js

@@ -0,0 +1,37 @@
+import '../augmentations.js';
+import { TokenVerifyService } from './token_verify_service.js';
+import { auditDto, apiError } from './dto.js';
+/**
+ * Endpoints utilitários da Admin REST API: log de auditoria (`GET /audit`) e
+ * introspecção genérica de token (`POST /tokens/verify`).
+ */
+export default class ApiMiscController {
+    /** GET /audit — listagem paginada (501 JSON quando o sink não consulta). */
+    async audit(ctx) {
+        const service = await ctx.containerResolver.make('authkit.server');
+        const cfg = service.config;
+        const sink = cfg.audit;
+        if (!sink || typeof sink.list !== 'function') {
+            return ctx.response
+                .status(501)
+                .send(apiError('not_implemented', 'O sink de auditoria configurado não suporta consulta.'));
+        }
+        const page = Math.max(1, Number.parseInt(ctx.request.input('page', '1'), 10) || 1);
+        const limit = Math.max(1, Math.min(100, Number.parseInt(ctx.request.input('limit', '20'), 10) || 20));
+        const type = ctx.request.input('type')?.trim() || undefined;
+        const subject = ctx.request.input('subject')?.trim() || undefined;
+        const result = await sink.list({ page, limit, type, subject });
+        return { data: result.data.map(auditDto), total: result.total, page, limit };
+    }
+    /** POST /tokens/verify — { token } → resultado de introspecção (PAT ou opaque AT). */
+    async verify(ctx) {
+        const service = await ctx.containerResolver.make('authkit.server');
+        const cfg = service.config;
+        const token = ctx.request.input('token');
+        if (!token || typeof token !== 'string') {
+            return ctx.response.badRequest(apiError('invalid_request', 'O campo token é obrigatório.'));
+        }
+        const verifier = new TokenVerifyService(cfg, service.provider);
+        return verifier.verify(token);
+    }
+}