npm - @edge-base/server - Versions diffs - 0.1.1 - Mend

@edge-base/server 0.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (309) hide show

package/admin-build/.gitkeep +0 -0
package/admin-build/_app/env.js +1 -0
package/admin-build/_app/immutable/assets/0.Bm6cF078.css +1 -0
package/admin-build/_app/immutable/assets/1.BfW3pUNa.css +1 -0
package/admin-build/_app/immutable/assets/11.CVmQOewb.css +1 -0
package/admin-build/_app/immutable/assets/12.B1EhbRZT.css +1 -0
package/admin-build/_app/immutable/assets/13.BvwYeuwE.css +1 -0
package/admin-build/_app/immutable/assets/14.CdVfcO0R.css +1 -0
package/admin-build/_app/immutable/assets/15.2yeZ66b-.css +1 -0
package/admin-build/_app/immutable/assets/17.BVg0JEVu.css +1 -0
package/admin-build/_app/immutable/assets/18.Rwnl3x_i.css +1 -0
package/admin-build/_app/immutable/assets/20.DsPWA9AV.css +1 -0
package/admin-build/_app/immutable/assets/21.Dz2RJ56c.css +1 -0
package/admin-build/_app/immutable/assets/22.DwNLk5Ai.css +1 -0
package/admin-build/_app/immutable/assets/23.CFpu0gOO.css +1 -0
package/admin-build/_app/immutable/assets/24.Cy5LBeoJ.css +1 -0
package/admin-build/_app/immutable/assets/25.pUyLVf-h.css +1 -0
package/admin-build/_app/immutable/assets/26.DBcGrlXa.css +1 -0
package/admin-build/_app/immutable/assets/27.BswYyAJD.css +1 -0
package/admin-build/_app/immutable/assets/28.B4ueB1Kf.css +1 -0
package/admin-build/_app/immutable/assets/29.B-qU6PdF.css +1 -0
package/admin-build/_app/immutable/assets/3.Dg81Pgmd.css +1 -0
package/admin-build/_app/immutable/assets/30.CsdWum94.css +1 -0
package/admin-build/_app/immutable/assets/31.U6OwIp50.css +1 -0
package/admin-build/_app/immutable/assets/4.CyawCCux.css +1 -0
package/admin-build/_app/immutable/assets/5.C0YO2HTk.css +1 -0
package/admin-build/_app/immutable/assets/8.Br5jd6kD.css +1 -0
package/admin-build/_app/immutable/assets/Badge.EMYLHBxE.css +1 -0
package/admin-build/_app/immutable/assets/Button.DpzMRTjK.css +1 -0
package/admin-build/_app/immutable/assets/ConfirmDialog.DAnaWRRk.css +1 -0
package/admin-build/_app/immutable/assets/EmptyState.CwKsu57Y.css +1 -0
package/admin-build/_app/immutable/assets/Input.BDUSenmU.css +1 -0
package/admin-build/_app/immutable/assets/Modal.Dm5B0Xie.css +1 -0
package/admin-build/_app/immutable/assets/PageShell.CmU-Xh-b.css +1 -0
package/admin-build/_app/immutable/assets/SchemaFieldEditor.g4NsCdno.css +1 -0
package/admin-build/_app/immutable/assets/Select.BW4Keufm.css +1 -0
package/admin-build/_app/immutable/assets/Skeleton.KWUulTKJ.css +1 -0
package/admin-build/_app/immutable/assets/Tabs.CniGYb67.css +1 -0
package/admin-build/_app/immutable/assets/TimeChart.BTCDAvmT.css +1 -0
package/admin-build/_app/immutable/assets/Toggle.Cy_K12OM.css +1 -0
package/admin-build/_app/immutable/assets/TopList.ClFzmPlA.css +1 -0
package/admin-build/_app/immutable/chunks/7B47DvSx.js +1 -0
package/admin-build/_app/immutable/chunks/7f08Id8e.js +1 -0
package/admin-build/_app/immutable/chunks/8wJeQ7LN.js +1 -0
package/admin-build/_app/immutable/chunks/B-h2afW5.js +1 -0
package/admin-build/_app/immutable/chunks/B8vJP3wz.js +1 -0
package/admin-build/_app/immutable/chunks/BR_fL5Yv.js +1 -0
package/admin-build/_app/immutable/chunks/BY92tFS2.js +1 -0
package/admin-build/_app/immutable/chunks/BcR-Rdj9.js +1 -0
package/admin-build/_app/immutable/chunks/BdrwyZv8.js +1 -0
package/admin-build/_app/immutable/chunks/Bh56EfQ_.js +1 -0
package/admin-build/_app/immutable/chunks/BkrCkgYp.js +1 -0
package/admin-build/_app/immutable/chunks/BmRjiP5k.js +1 -0
package/admin-build/_app/immutable/chunks/BsokvhWC.js +1 -0
package/admin-build/_app/immutable/chunks/C4D51vTW.js +1 -0
package/admin-build/_app/immutable/chunks/C6puvcoR.js +2 -0
package/admin-build/_app/immutable/chunks/CCKNu7m7.js +1 -0
package/admin-build/_app/immutable/chunks/CWj6FrbW.js +1 -0
package/admin-build/_app/immutable/chunks/Ce-ngf4p.js +5 -0
package/admin-build/_app/immutable/chunks/Cs0GwzJA.js +1 -0
package/admin-build/_app/immutable/chunks/CwROoZK0.js +1 -0
package/admin-build/_app/immutable/chunks/CxCPv_Ut.js +1 -0
package/admin-build/_app/immutable/chunks/CxbRue-5.js +1 -0
package/admin-build/_app/immutable/chunks/CyqB6g-D.js +1 -0
package/admin-build/_app/immutable/chunks/D5h5A1cc.js +2 -0
package/admin-build/_app/immutable/chunks/DnyL7Zq-.js +1 -0
package/admin-build/_app/immutable/chunks/DoPXzH7F.js +1 -0
package/admin-build/_app/immutable/chunks/DrQSgw-f.js +1 -0
package/admin-build/_app/immutable/chunks/DttM2zNO.js +1 -0
package/admin-build/_app/immutable/chunks/DuXuUBWN.js +1 -0
package/admin-build/_app/immutable/chunks/MdeqaOQx.js +10 -0
package/admin-build/_app/immutable/chunks/NuUjtcO2.js +1 -0
package/admin-build/_app/immutable/chunks/Q2nPFxS6.js +1 -0
package/admin-build/_app/immutable/chunks/R6arueIl.js +1 -0
package/admin-build/_app/immutable/chunks/UUazaC_N.js +1 -0
package/admin-build/_app/immutable/chunks/cOYbrQxx.js +1 -0
package/admin-build/_app/immutable/chunks/eFQHTGwA.js +1 -0
package/admin-build/_app/immutable/chunks/ehbppgYb.js +1 -0
package/admin-build/_app/immutable/chunks/glwixJlP.js +1 -0
package/admin-build/_app/immutable/chunks/vApWTCBs.js +1 -0
package/admin-build/_app/immutable/chunks/w89G9Xpi.js +1 -0
package/admin-build/_app/immutable/chunks/wJsUhbfZ.js +1 -0
package/admin-build/_app/immutable/chunks/zfauFM8P.js +1 -0
package/admin-build/_app/immutable/entry/app.CcO-Uos3.js +2 -0
package/admin-build/_app/immutable/entry/start.COebYq3I.js +1 -0
package/admin-build/_app/immutable/nodes/0.CjtHKU-6.js +1 -0
package/admin-build/_app/immutable/nodes/1.DEisjlM0.js +1 -0
package/admin-build/_app/immutable/nodes/10.CvhdyWVB.js +1 -0
package/admin-build/_app/immutable/nodes/11.DjHqcOvy.js +1 -0
package/admin-build/_app/immutable/nodes/12.mQLz4Mj_.js +1 -0
package/admin-build/_app/immutable/nodes/13.CBonZZyP.js +110 -0
package/admin-build/_app/immutable/nodes/14.d-oiZL0j.js +3 -0
package/admin-build/_app/immutable/nodes/15.CKPQsUYF.js +1 -0
package/admin-build/_app/immutable/nodes/16.wPzAPQGx.js +1 -0
package/admin-build/_app/immutable/nodes/17.DayhKyEZ.js +1 -0
package/admin-build/_app/immutable/nodes/18.DKwS0Ir0.js +1 -0
package/admin-build/_app/immutable/nodes/19.wPzAPQGx.js +1 -0
package/admin-build/_app/immutable/nodes/2.BKoKrw1i.js +1 -0
package/admin-build/_app/immutable/nodes/20.BvIkkkrW.js +1 -0
package/admin-build/_app/immutable/nodes/21.DMaFhdHk.js +128 -0
package/admin-build/_app/immutable/nodes/22.3xdgwuK1.js +1 -0
package/admin-build/_app/immutable/nodes/23.8Bvgjbsl.js +112 -0
package/admin-build/_app/immutable/nodes/24.DzSSzRhG.js +2 -0
package/admin-build/_app/immutable/nodes/25.9KKYBnAE.js +2 -0
package/admin-build/_app/immutable/nodes/26.Bhn9dfhY.js +1 -0
package/admin-build/_app/immutable/nodes/27.kRLiC24G.js +1 -0
package/admin-build/_app/immutable/nodes/28.BVIN1-7N.js +1 -0
package/admin-build/_app/immutable/nodes/29.3yabZWj4.js +1 -0
package/admin-build/_app/immutable/nodes/3.BFtSOkX7.js +2 -0
package/admin-build/_app/immutable/nodes/30.CyCQlwaP.js +1 -0
package/admin-build/_app/immutable/nodes/31.C4LDXjES.js +1 -0
package/admin-build/_app/immutable/nodes/4.CvbiMlCa.js +1 -0
package/admin-build/_app/immutable/nodes/5.C6BLv2eM.js +1 -0
package/admin-build/_app/immutable/nodes/6.BcXvfl2P.js +1 -0
package/admin-build/_app/immutable/nodes/7.CIuqhPiK.js +1 -0
package/admin-build/_app/immutable/nodes/8.BQOR_JfO.js +1 -0
package/admin-build/_app/immutable/nodes/9.NZqXQxPy.js +1 -0
package/admin-build/_app/version.json +1 -0
package/admin-build/favicon.svg +26 -0
package/admin-build/index.html +45 -0
package/openapi.json +19543 -0
package/package.json +66 -0
package/src/__tests__/admin-assets.test.ts +55 -0
package/src/__tests__/admin-data-routes.test.ts +488 -0
package/src/__tests__/admin-db-target.test.ts +103 -0
package/src/__tests__/admin-routing.test.ts +31 -0
package/src/__tests__/admin-user-management.test.ts +311 -0
package/src/__tests__/analytics-query.test.ts +75 -0
package/src/__tests__/auth-d1.test.ts +749 -0
package/src/__tests__/auth-db-adapter.test.ts +73 -0
package/src/__tests__/auth-jwt.test.ts +440 -0
package/src/__tests__/auth-oauth.test.ts +389 -0
package/src/__tests__/auth-password.test.ts +367 -0
package/src/__tests__/auth-redirect.test.ts +87 -0
package/src/__tests__/backup-restore.test.ts +711 -0
package/src/__tests__/broadcast.test.ts +128 -0
package/src/__tests__/cli.test.ts +178 -0
package/src/__tests__/cloudflare-realtime.test.ts +113 -0
package/src/__tests__/config.test.ts +469 -0
package/src/__tests__/cors.test.ts +154 -0
package/src/__tests__/cron.test.ts +302 -0
package/src/__tests__/d1-handler.test.ts +402 -0
package/src/__tests__/d1-sql.test.ts +120 -0
package/src/__tests__/database-live-config.test.ts +42 -0
package/src/__tests__/database-live-emitter.test.ts +56 -0
package/src/__tests__/database-live-filters.test.ts +63 -0
package/src/__tests__/database-live-route.test.ts +113 -0
package/src/__tests__/db-sql.test.ts +163 -0
package/src/__tests__/do-lifecycle.test.ts +263 -0
package/src/__tests__/do-router.test.ts +729 -0
package/src/__tests__/email-provider.test.ts +128 -0
package/src/__tests__/email-templates.test.ts +528 -0
package/src/__tests__/error-format.test.ts +250 -0
package/src/__tests__/field-ops.test.ts +242 -0
package/src/__tests__/functions-context.test.ts +334 -0
package/src/__tests__/functions-d1-proxy.test.ts +229 -0
package/src/__tests__/functions-registry-runtime-config.test.ts +17 -0
package/src/__tests__/functions-route.test.ts +139 -0
package/src/__tests__/internal-request.test.ts +77 -0
package/src/__tests__/log-writer.test.ts +44 -0
package/src/__tests__/logger.test.ts +58 -0
package/src/__tests__/meta-admin-proxy.test.ts +48 -0
package/src/__tests__/meta-export-coverage.test.ts +191 -0
package/src/__tests__/meta-route-registration.test.ts +47 -0
package/src/__tests__/namespace-dump.test.ts +28 -0
package/src/__tests__/oauth-providers.test.ts +337 -0
package/src/__tests__/openapi-coverage.test.ts +144 -0
package/src/__tests__/pagination.test.ts +59 -0
package/src/__tests__/password-policy.test.ts +191 -0
package/src/__tests__/plugin-migrations.test.ts +379 -0
package/src/__tests__/postgres-batch-compat.test.ts +133 -0
package/src/__tests__/postgres-dialect.test.ts +328 -0
package/src/__tests__/postgres-executor.test.ts +79 -0
package/src/__tests__/postgres-field-ops-compat.test.ts +222 -0
package/src/__tests__/postgres-schema-init.test.ts +105 -0
package/src/__tests__/postgres-table-utils.test.ts +107 -0
package/src/__tests__/presence.test.ts +199 -0
package/src/__tests__/provider.test.ts +550 -0
package/src/__tests__/public-user-profile.test.ts +339 -0
package/src/__tests__/push-handlers.test.ts +179 -0
package/src/__tests__/push-provider.test.ts +80 -0
package/src/__tests__/push-token.test.ts +418 -0
package/src/__tests__/query.test.ts +771 -0
package/src/__tests__/rate-limit.test.ts +260 -0
package/src/__tests__/room-access-policy.test.ts +101 -0
package/src/__tests__/room-handler-context.test.ts +130 -0
package/src/__tests__/room-monitoring.test.ts +138 -0
package/src/__tests__/room-runtime-routing.test.ts +222 -0
package/src/__tests__/room.test.ts +254 -0
package/src/__tests__/route-parser.test.ts +490 -0
package/src/__tests__/rules.test.ts +234 -0
package/src/__tests__/runtime-surface-accounting.test.ts +120 -0
package/src/__tests__/scheduled.test.ts +80 -0
package/src/__tests__/schema.test.ts +1273 -0
package/src/__tests__/security-hardening.test.ts +312 -0
package/src/__tests__/server.unit.test.ts +333 -0
package/src/__tests__/service-key-db-proxy.test.ts +650 -0
package/src/__tests__/service-key-provider-bypass.test.ts +138 -0
package/src/__tests__/service-key.test.ts +757 -0
package/src/__tests__/smoke-skip-report.test.ts +72 -0
package/src/__tests__/sms-provider.test.ts +39 -0
package/src/__tests__/sql-route.test.ts +218 -0
package/src/__tests__/storage-hook-context.test.ts +115 -0
package/src/__tests__/totp.test.ts +200 -0
package/src/__tests__/uuid.test.ts +144 -0
package/src/__tests__/validation.test.ts +773 -0
package/src/__tests__/websocket-pending.test.ts +163 -0
package/src/_functions-registry.ts +51 -0
package/src/bench-entry.ts +9 -0
package/src/cloudflare-test.d.ts +1 -0
package/src/durable-objects/auth-do.ts +49 -0
package/src/durable-objects/database-do.ts +2240 -0
package/src/durable-objects/database-live-do.ts +949 -0
package/src/durable-objects/logs-do.ts +1200 -0
package/src/durable-objects/room-runtime-base.ts +1604 -0
package/src/durable-objects/rooms-do.ts +2191 -0
package/src/generated-config.ts +6 -0
package/src/index.ts +382 -0
package/src/lib/admin-assets.ts +54 -0
package/src/lib/admin-db-target.ts +301 -0
package/src/lib/admin-routing.ts +35 -0
package/src/lib/admin-user-management.ts +464 -0
package/src/lib/analytics-adapter.ts +103 -0
package/src/lib/analytics-query.ts +579 -0
package/src/lib/auth-d1-service.ts +1193 -0
package/src/lib/auth-d1.ts +1056 -0
package/src/lib/auth-db-adapter.ts +289 -0
package/src/lib/auth-redirect.ts +116 -0
package/src/lib/cidr.ts +115 -0
package/src/lib/client-ip.ts +51 -0
package/src/lib/cloudflare-realtime.ts +251 -0
package/src/lib/control-db.ts +36 -0
package/src/lib/cron.ts +163 -0
package/src/lib/d1-handler.ts +1425 -0
package/src/lib/d1-schema-init.ts +255 -0
package/src/lib/d1-sql.ts +33 -0
package/src/lib/database-live-config.ts +24 -0
package/src/lib/database-live-emitter.ts +111 -0
package/src/lib/db-sql.ts +66 -0
package/src/lib/do-retry.ts +36 -0
package/src/lib/do-router.ts +270 -0
package/src/lib/do-sql.ts +73 -0
package/src/lib/email-provider.ts +379 -0
package/src/lib/email-templates.ts +285 -0
package/src/lib/email-translations.ts +422 -0
package/src/lib/errors.ts +151 -0
package/src/lib/functions.ts +2091 -0
package/src/lib/hono.ts +56 -0
package/src/lib/internal-request.ts +56 -0
package/src/lib/jwt.ts +354 -0
package/src/lib/log-writer.ts +272 -0
package/src/lib/namespace-dump.ts +125 -0
package/src/lib/oauth-providers.ts +1225 -0
package/src/lib/op-parser.ts +99 -0
package/src/lib/openapi.ts +146 -0
package/src/lib/pagination.ts +19 -0
package/src/lib/password-policy.ts +102 -0
package/src/lib/password.ts +145 -0
package/src/lib/plugin-migrations.ts +612 -0
package/src/lib/postgres-executor.ts +203 -0
package/src/lib/postgres-handler.ts +1102 -0
package/src/lib/postgres-schema-init.ts +341 -0
package/src/lib/postgres-table-utils.ts +87 -0
package/src/lib/public-user-profile.ts +187 -0
package/src/lib/push-provider.ts +409 -0
package/src/lib/push-token.ts +294 -0
package/src/lib/query-engine.ts +768 -0
package/src/lib/room-monitoring.ts +97 -0
package/src/lib/room-runtime.ts +14 -0
package/src/lib/route-parser.ts +434 -0
package/src/lib/schema.ts +538 -0
package/src/lib/schemas.ts +152 -0
package/src/lib/service-key.ts +419 -0
package/src/lib/sms-provider.ts +230 -0
package/src/lib/startup-config.ts +99 -0
package/src/lib/totp.ts +242 -0
package/src/lib/uuid.ts +87 -0
package/src/lib/validation.ts +205 -0
package/src/lib/version.ts +2 -0
package/src/lib/websocket-pending.ts +40 -0
package/src/middleware/auth.ts +169 -0
package/src/middleware/captcha-verify.ts +217 -0
package/src/middleware/cors.ts +159 -0
package/src/middleware/error-handler.ts +54 -0
package/src/middleware/internal-guard.ts +26 -0
package/src/middleware/logger.ts +126 -0
package/src/middleware/rate-limit.ts +283 -0
package/src/middleware/rules.ts +475 -0
package/src/routes/admin-auth.ts +447 -0
package/src/routes/admin.ts +3501 -0
package/src/routes/analytics-api.ts +290 -0
package/src/routes/auth.ts +4222 -0
package/src/routes/backup.ts +1466 -0
package/src/routes/config.ts +53 -0
package/src/routes/d1.ts +109 -0
package/src/routes/database-live.ts +281 -0
package/src/routes/functions.ts +155 -0
package/src/routes/health.ts +32 -0
package/src/routes/kv.ts +167 -0
package/src/routes/oauth.ts +1055 -0
package/src/routes/push.ts +1465 -0
package/src/routes/room.ts +639 -0
package/src/routes/schema-endpoint.ts +76 -0
package/src/routes/sql.ts +176 -0
package/src/routes/storage.ts +1674 -0
package/src/routes/tables.ts +699 -0
package/src/routes/users.ts +21 -0
package/src/routes/vectorize.ts +372 -0
package/src/types.ts +99 -0

package/src/lib/oauth-providers.ts ADDED Viewed

@@ -0,0 +1,1225 @@
+/**
+ * OAuth Provider Abstraction Layer
+ *
+ * Supports: Google, GitHub, Apple, Discord, Microsoft, Facebook, Kakao, Naver,
+ *           X (Twitter), Reddit, Line, Slack, Spotify, Twitch
+ * Each provider implements a common interface for authorization URL generation,
+ * code exchange, and user info retrieval.
+ *
+ * M3: Google, GitHub, Apple, Discord
+ * M18: Microsoft, Facebook, Kakao, Naver, X, Line, Slack, Spotify, Twitch
+ */
+// ─── Types ───
+export interface OAuthUserInfo {
+  providerUserId: string;
+  email: string | null;
+  emailVerified: boolean;
+  displayName: string | null;
+  avatarUrl: string | null;
+  raw: Record<string, unknown>;
+}
+export interface OAuthTokens {
+  accessToken: string;
+  tokenType: string;
+  idToken?: string;
+  refreshToken?: string;
+  expiresIn?: number;
+}
+export interface OAuthProviderConfig {
+  clientId: string;
+  clientSecret: string;
+}
+export interface OAuthProvider {
+  name: string;
+  getAuthorizationUrl(
+    state: string,
+    redirectUri: string,
+    codeChallenge?: string,
+  ): string;
+  exchangeCode(
+    code: string,
+    redirectUri: string,
+    codeVerifier?: string,
+  ): Promise<OAuthTokens>;
+  getUserInfo(accessToken: string): Promise<OAuthUserInfo>;
+}
+// ─── PKCE Helper ───
+export async function generatePKCE(): Promise<{ codeVerifier: string; codeChallenge: string }> {
+  const array = new Uint8Array(32);
+  crypto.getRandomValues(array);
+  const codeVerifier = base64urlEncode(array);
+  const digest = await crypto.subtle.digest('SHA-256', new TextEncoder().encode(codeVerifier));
+  const codeChallenge = base64urlEncode(new Uint8Array(digest));
+  return { codeVerifier, codeChallenge };
+}
+function base64urlEncode(buffer: Uint8Array): string {
+  const str = btoa(String.fromCharCode(...buffer));
+  return str.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
+}
+// ─── Google OAuth ───
+class GoogleOAuthProvider implements OAuthProvider {
+  readonly name = 'google';
+  constructor(private config: OAuthProviderConfig) {}
+  getAuthorizationUrl(state: string, redirectUri: string, codeChallenge?: string): string {
+    const params = new URLSearchParams({
+      client_id: this.config.clientId,
+      redirect_uri: redirectUri,
+      response_type: 'code',
+      scope: 'openid email profile',
+      state,
+      access_type: 'offline',
+      prompt: 'consent',
+    });
+    if (codeChallenge) {
+      params.set('code_challenge', codeChallenge);
+      params.set('code_challenge_method', 'S256');
+    }
+    return `https://accounts.google.com/o/oauth2/v2/auth?${params}`;
+  }
+  async exchangeCode(code: string, redirectUri: string, codeVerifier?: string): Promise<OAuthTokens> {
+    const body: Record<string, string> = {
+      client_id: this.config.clientId,
+      client_secret: this.config.clientSecret,
+      code,
+      redirect_uri: redirectUri,
+      grant_type: 'authorization_code',
+    };
+    if (codeVerifier) body.code_verifier = codeVerifier;
+    const resp = await fetch('https://oauth2.googleapis.com/token', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+      body: new URLSearchParams(body),
+    });
+    if (!resp.ok) throw new Error(`Google token exchange failed: ${resp.status}`);
+    const data = await resp.json() as Record<string, unknown>;
+    return {
+      accessToken: data.access_token as string,
+      tokenType: data.token_type as string,
+      idToken: data.id_token as string | undefined,
+      refreshToken: data.refresh_token as string | undefined,
+      expiresIn: data.expires_in as number | undefined,
+    };
+  }
+  async getUserInfo(accessToken: string): Promise<OAuthUserInfo> {
+    const resp = await fetch('https://www.googleapis.com/oauth2/v2/userinfo', {
+      headers: { Authorization: `Bearer ${accessToken}` },
+    });
+    if (!resp.ok) throw new Error(`Google userinfo failed: ${resp.status}`);
+    const data = await resp.json() as Record<string, unknown>;
+    return {
+      providerUserId: String(data.id),
+      email: (data.email as string) || null,
+      emailVerified: Boolean(data.verified_email), // Google uses verified_email
+      displayName: (data.name as string) || null,
+      avatarUrl: (data.picture as string) || null,
+      raw: data,
+    };
+  }
+}
+// ─── GitHub OAuth ───
+class GitHubOAuthProvider implements OAuthProvider {
+  readonly name = 'github';
+  constructor(private config: OAuthProviderConfig) {}
+  getAuthorizationUrl(state: string, redirectUri: string): string {
+    const params = new URLSearchParams({
+      client_id: this.config.clientId,
+      redirect_uri: redirectUri,
+      scope: 'read:user user:email',
+      state,
+    });
+    return `https://github.com/login/oauth/authorize?${params}`;
+  }
+  async exchangeCode(code: string, redirectUri: string): Promise<OAuthTokens> {
+    const resp = await fetch('https://github.com/login/oauth/access_token', {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        Accept: 'application/json',
+      },
+      body: JSON.stringify({
+        client_id: this.config.clientId,
+        client_secret: this.config.clientSecret,
+        code,
+        redirect_uri: redirectUri,
+      }),
+    });
+    if (!resp.ok) throw new Error(`GitHub token exchange failed: ${resp.status}`);
+    const data = await resp.json() as Record<string, unknown>;
+    if (data.error) throw new Error(`GitHub OAuth error: ${data.error_description || data.error}`);
+    return {
+      accessToken: data.access_token as string,
+      tokenType: data.token_type as string,
+    };
+  }
+  async getUserInfo(accessToken: string): Promise<OAuthUserInfo> {
+    const [userResp, emailsResp] = await Promise.all([
+      fetch('https://api.github.com/user', {
+        headers: { Authorization: `Bearer ${accessToken}`, 'User-Agent': 'EdgeBase' },
+      }),
+      fetch('https://api.github.com/user/emails', {
+        headers: { Authorization: `Bearer ${accessToken}`, 'User-Agent': 'EdgeBase' },
+      }),
+    ]);
+    if (!userResp.ok) throw new Error(`GitHub user API failed: ${userResp.status}`);
+    const userData = await userResp.json() as Record<string, unknown>;
+    let email: string | null = null;
+    let emailVerified = false;
+    if (emailsResp.ok) {
+      const emails = await emailsResp.json() as Array<{ email: string; primary: boolean; verified: boolean }>;
+      const primary = emails.find((e) => e.primary && e.verified);
+      if (primary) {
+        email = primary.email;
+        emailVerified = primary.verified;
+      }
+    }
+    return {
+      providerUserId: String(userData.id),
+      email,
+      emailVerified,
+      displayName: (userData.name as string) || (userData.login as string) || null,
+      avatarUrl: (userData.avatar_url as string) || null,
+      raw: userData,
+    };
+  }
+}
+// ─── Apple OAuth ───
+class AppleOAuthProvider implements OAuthProvider {
+  readonly name = 'apple';
+  constructor(private config: OAuthProviderConfig) {}
+  getAuthorizationUrl(state: string, redirectUri: string): string {
+    const params = new URLSearchParams({
+      client_id: this.config.clientId,
+      redirect_uri: redirectUri,
+      response_type: 'code',
+      scope: 'name email',
+      state,
+      response_mode: 'form_post',
+    });
+    return `https://appleid.apple.com/auth/authorize?${params}`;
+  }
+  async exchangeCode(code: string, redirectUri: string): Promise<OAuthTokens> {
+    const resp = await fetch('https://appleid.apple.com/auth/token', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+      body: new URLSearchParams({
+        client_id: this.config.clientId,
+        client_secret: this.config.clientSecret,
+        code,
+        redirect_uri: redirectUri,
+        grant_type: 'authorization_code',
+      }),
+    });
+    if (!resp.ok) throw new Error(`Apple token exchange failed: ${resp.status}`);
+    const data = await resp.json() as Record<string, unknown>;
+    return {
+      accessToken: data.access_token as string,
+      tokenType: data.token_type as string,
+      idToken: data.id_token as string | undefined,
+    };
+  }
+  async getUserInfo(accessToken: string): Promise<OAuthUserInfo> {
+    // Apple provides user info in the id_token, not a separate API
+    // The id_token is already returned from exchangeCode
+    // For Apple, we need the id_token from the token response
+    // This is handled in the callback route which passes idToken
+    void accessToken;
+    throw new Error('Apple getUserInfo should use id_token parsing instead');
+  }
+}
+/** Parse Apple id_token claims (JWT decode without verification — verification is via token exchange) */
+export function parseAppleIdToken(idToken: string): OAuthUserInfo {
+  const parts = idToken.split('.');
+  if (parts.length !== 3) throw new Error('Invalid Apple id_token');
+  const payload = JSON.parse(atob(parts[1].replace(/-/g, '+').replace(/_/g, '/')));
+  return {
+    providerUserId: payload.sub as string,
+    email: (payload.email as string) || null,
+    emailVerified: Boolean(payload.email_verified), // Apple always verified
+    displayName: null, // Apple sends name only on first sign-in via form_post body
+    avatarUrl: null,
+    raw: payload,
+  };
+}
+// ─── Discord OAuth ───
+class DiscordOAuthProvider implements OAuthProvider {
+  readonly name = 'discord';
+  constructor(private config: OAuthProviderConfig) {}
+  getAuthorizationUrl(state: string, redirectUri: string): string {
+    const params = new URLSearchParams({
+      client_id: this.config.clientId,
+      redirect_uri: redirectUri,
+      response_type: 'code',
+      scope: 'identify email',
+      state,
+    });
+    return `https://discord.com/oauth2/authorize?${params}`;
+  }
+  async exchangeCode(code: string, redirectUri: string): Promise<OAuthTokens> {
+    const resp = await fetch('https://discord.com/api/v10/oauth2/token', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+      body: new URLSearchParams({
+        client_id: this.config.clientId,
+        client_secret: this.config.clientSecret,
+        code,
+        redirect_uri: redirectUri,
+        grant_type: 'authorization_code',
+      }),
+    });
+    if (!resp.ok) throw new Error(`Discord token exchange failed: ${resp.status}`);
+    const data = await resp.json() as Record<string, unknown>;
+    return {
+      accessToken: data.access_token as string,
+      tokenType: data.token_type as string,
+    };
+  }
+  async getUserInfo(accessToken: string): Promise<OAuthUserInfo> {
+    const resp = await fetch('https://discord.com/api/v10/users/@me', {
+      headers: { Authorization: `Bearer ${accessToken}` },
+    });
+    if (!resp.ok) throw new Error(`Discord user API failed: ${resp.status}`);
+    const data = await resp.json() as Record<string, unknown>;
+    const avatarHash = data.avatar as string | null;
+    const avatarUrl = avatarHash
+      ? `https://cdn.discordapp.com/avatars/${data.id}/${avatarHash}.png`
+      : null;
+    return {
+      providerUserId: String(data.id),
+      email: (data.email as string) || null,
+      emailVerified: Boolean(data.verified), // Discord uses 'verified' field
+      displayName: (data.global_name as string) || (data.username as string) || null,
+      avatarUrl,
+      raw: data,
+    };
+  }
+}
+// ─── Microsoft (Azure AD) OAuth (M18) ───
+class MicrosoftOAuthProvider implements OAuthProvider {
+  readonly name = 'microsoft';
+  constructor(private config: OAuthProviderConfig) {}
+  getAuthorizationUrl(state: string, redirectUri: string, codeChallenge?: string): string {
+    const params = new URLSearchParams({
+      client_id: this.config.clientId,
+      redirect_uri: redirectUri,
+      response_type: 'code',
+      scope: 'openid email profile',
+      state,
+    });
+    if (codeChallenge) {
+      params.set('code_challenge', codeChallenge);
+      params.set('code_challenge_method', 'S256');
+    }
+    return `https://login.microsoftonline.com/common/oauth2/v2.0/authorize?${params}`;
+  }
+  async exchangeCode(code: string, redirectUri: string, codeVerifier?: string): Promise<OAuthTokens> {
+    const body: Record<string, string> = {
+      client_id: this.config.clientId,
+      client_secret: this.config.clientSecret,
+      code,
+      redirect_uri: redirectUri,
+      grant_type: 'authorization_code',
+      scope: 'openid email profile',
+    };
+    if (codeVerifier) body.code_verifier = codeVerifier;
+    const resp = await fetch('https://login.microsoftonline.com/common/oauth2/v2.0/token', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+      body: new URLSearchParams(body),
+    });
+    if (!resp.ok) throw new Error(`Microsoft token exchange failed: ${resp.status}`);
+    const data = await resp.json() as Record<string, unknown>;
+    return {
+      accessToken: data.access_token as string,
+      tokenType: data.token_type as string,
+      idToken: data.id_token as string | undefined,
+      refreshToken: data.refresh_token as string | undefined,
+      expiresIn: data.expires_in as number | undefined,
+    };
+  }
+  async getUserInfo(accessToken: string): Promise<OAuthUserInfo> {
+    const resp = await fetch('https://graph.microsoft.com/oidc/userinfo', {
+      headers: { Authorization: `Bearer ${accessToken}` },
+    });
+    if (!resp.ok) throw new Error(`Microsoft userinfo failed: ${resp.status}`);
+    const data = await resp.json() as Record<string, unknown>;
+    return {
+      providerUserId: String(data.sub),
+      email: (data.email as string) || null,
+      emailVerified: Boolean(data.email_verified), //: Microsoft provides email_verified
+      displayName: (data.name as string) || null,
+      avatarUrl: null, // Microsoft Graph userinfo doesn't return avatar
+      raw: data,
+    };
+  }
+}
+// ─── Facebook/Meta OAuth (M18) ───
+class FacebookOAuthProvider implements OAuthProvider {
+  readonly name = 'facebook';
+  constructor(private config: OAuthProviderConfig) {}
+  getAuthorizationUrl(state: string, redirectUri: string): string {
+    const params = new URLSearchParams({
+      client_id: this.config.clientId,
+      redirect_uri: redirectUri,
+      response_type: 'code',
+      scope: 'email,public_profile',
+      state,
+    });
+    return `https://www.facebook.com/v19.0/dialog/oauth?${params}`;
+  }
+  async exchangeCode(code: string, redirectUri: string): Promise<OAuthTokens> {
+    const params = new URLSearchParams({
+      client_id: this.config.clientId,
+      client_secret: this.config.clientSecret,
+      code,
+      redirect_uri: redirectUri,
+    });
+    const resp = await fetch(`https://graph.facebook.com/v19.0/oauth/access_token?${params}`);
+    if (!resp.ok) throw new Error(`Facebook token exchange failed: ${resp.status}`);
+    const data = await resp.json() as Record<string, unknown>;
+    return {
+      accessToken: data.access_token as string,
+      tokenType: data.token_type as string || 'bearer',
+      expiresIn: data.expires_in as number | undefined,
+    };
+  }
+  async getUserInfo(accessToken: string): Promise<OAuthUserInfo> {
+    const resp = await fetch(
+      `https://graph.facebook.com/v19.0/me?fields=id,name,email,picture.type(large)&access_token=${accessToken}`,
+    );
+    if (!resp.ok) throw new Error(`Facebook user API failed: ${resp.status}`);
+    const data = await resp.json() as Record<string, unknown>;
+    const picture = data.picture as { data?: { url?: string } } | undefined;
+    return {
+      providerUserId: String(data.id),
+      email: (data.email as string) || null,
+      emailVerified: false, //: Facebook — no email_verified field, force false
+      displayName: (data.name as string) || null,
+      avatarUrl: picture?.data?.url || null,
+      raw: data,
+    };
+  }
+}
+// ─── Kakao OAuth (M18) ───
+class KakaoOAuthProvider implements OAuthProvider {
+  readonly name = 'kakao';
+  constructor(private config: OAuthProviderConfig) {}
+  getAuthorizationUrl(state: string, redirectUri: string): string {
+    const params = new URLSearchParams({
+      client_id: this.config.clientId,
+      redirect_uri: redirectUri,
+      response_type: 'code',
+      state,
+    });
+    return `https://kauth.kakao.com/oauth/authorize?${params}`;
+  }
+  async exchangeCode(code: string, redirectUri: string): Promise<OAuthTokens> {
+    const resp = await fetch('https://kauth.kakao.com/oauth/token', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+      body: new URLSearchParams({
+        client_id: this.config.clientId,
+        client_secret: this.config.clientSecret,
+        code,
+        redirect_uri: redirectUri,
+        grant_type: 'authorization_code',
+      }),
+    });
+    if (!resp.ok) throw new Error(`Kakao token exchange failed: ${resp.status}`);
+    const data = await resp.json() as Record<string, unknown>;
+    return {
+      accessToken: data.access_token as string,
+      tokenType: data.token_type as string,
+      refreshToken: data.refresh_token as string | undefined,
+      expiresIn: data.expires_in as number | undefined,
+    };
+  }
+  async getUserInfo(accessToken: string): Promise<OAuthUserInfo> {
+    const resp = await fetch('https://kapi.kakao.com/v2/user/me', {
+      headers: { Authorization: `Bearer ${accessToken}` },
+    });
+    if (!resp.ok) throw new Error(`Kakao user API failed: ${resp.status}`);
+    const data = await resp.json() as Record<string, unknown>;
+    const account = data.kakao_account as Record<string, unknown> | undefined;
+    const profile = account?.profile as Record<string, unknown> | undefined;
+    return {
+      providerUserId: String(data.id),
+      email: (account?.email as string) || null,
+      //: Kakao — conditional, use is_email_verified if available
+      emailVerified: Boolean(account?.is_email_verified),
+      displayName: (profile?.nickname as string) || null,
+      avatarUrl: (profile?.profile_image_url as string) || null,
+      raw: data,
+    };
+  }
+}
+// ─── Naver OAuth (M18) ───
+class NaverOAuthProvider implements OAuthProvider {
+  readonly name = 'naver';
+  constructor(private config: OAuthProviderConfig) {}
+  getAuthorizationUrl(state: string, redirectUri: string): string {
+    const params = new URLSearchParams({
+      client_id: this.config.clientId,
+      redirect_uri: redirectUri,
+      response_type: 'code',
+      state,
+    });
+    return `https://nid.naver.com/oauth2.0/authorize?${params}`;
+  }
+  async exchangeCode(code: string, redirectUri: string): Promise<OAuthTokens> {
+    void redirectUri; // Naver doesn't require redirect_uri in token exchange
+    const resp = await fetch('https://nid.naver.com/oauth2.0/token', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+      body: new URLSearchParams({
+        client_id: this.config.clientId,
+        client_secret: this.config.clientSecret,
+        code,
+        grant_type: 'authorization_code',
+      }),
+    });
+    if (!resp.ok) throw new Error(`Naver token exchange failed: ${resp.status}`);
+    const data = await resp.json() as Record<string, unknown>;
+    return {
+      accessToken: data.access_token as string,
+      tokenType: data.token_type as string,
+      refreshToken: data.refresh_token as string | undefined,
+      expiresIn: typeof data.expires_in === 'string' ? parseInt(data.expires_in) : (data.expires_in as number | undefined),
+    };
+  }
+  async getUserInfo(accessToken: string): Promise<OAuthUserInfo> {
+    const resp = await fetch('https://openapi.naver.com/v1/nid/me', {
+      headers: { Authorization: `Bearer ${accessToken}` },
+    });
+    if (!resp.ok) throw new Error(`Naver user API failed: ${resp.status}`);
+    const data = await resp.json() as Record<string, unknown>;
+    const response = data.response as Record<string, unknown> | undefined;
+    return {
+      providerUserId: String(response?.id),
+      email: (response?.email as string) || null,
+      emailVerified: false, //: Naver — no email_verified field, force false
+      displayName: (response?.name as string) || (response?.nickname as string) || null,
+      avatarUrl: (response?.profile_image as string) || null,
+      raw: data,
+    };
+  }
+}
+// ─── X (Twitter) OAuth 2.0 PKCE (M18) ───
+class XOAuthProvider implements OAuthProvider {
+  readonly name = 'x';
+  constructor(private config: OAuthProviderConfig) {}
+  getAuthorizationUrl(state: string, redirectUri: string, codeChallenge?: string): string {
+    const params = new URLSearchParams({
+      client_id: this.config.clientId,
+      redirect_uri: redirectUri,
+      response_type: 'code',
+      scope: 'tweet.read users.read',
+      state,
+      code_challenge_method: 'S256',
+    });
+    // X (Twitter) OAuth 2.0 requires PKCE
+    if (codeChallenge) {
+      params.set('code_challenge', codeChallenge);
+    }
+    return `https://twitter.com/i/oauth2/authorize?${params}`;
+  }
+  async exchangeCode(code: string, redirectUri: string, codeVerifier?: string): Promise<OAuthTokens> {
+    const body: Record<string, string> = {
+      code,
+      redirect_uri: redirectUri,
+      grant_type: 'authorization_code',
+      client_id: this.config.clientId,
+    };
+    if (codeVerifier) body.code_verifier = codeVerifier;
+    // X uses Basic Auth for confidential clients
+    const credentials = btoa(`${this.config.clientId}:${this.config.clientSecret}`);
+    const resp = await fetch('https://api.x.com/2/oauth2/token', {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/x-www-form-urlencoded',
+        Authorization: `Basic ${credentials}`,
+      },
+      body: new URLSearchParams(body),
+    });
+    if (!resp.ok) throw new Error(`X token exchange failed: ${resp.status}`);
+    const data = await resp.json() as Record<string, unknown>;
+    return {
+      accessToken: data.access_token as string,
+      tokenType: data.token_type as string,
+      refreshToken: data.refresh_token as string | undefined,
+      expiresIn: data.expires_in as number | undefined,
+    };
+  }
+  async getUserInfo(accessToken: string): Promise<OAuthUserInfo> {
+    const resp = await fetch('https://api.x.com/2/users/me?user.fields=profile_image_url,name,username', {
+      headers: { Authorization: `Bearer ${accessToken}` },
+    });
+    if (!resp.ok) throw new Error(`X user API failed: ${resp.status}`);
+    const json = await resp.json() as Record<string, unknown>;
+    const data = json.data as Record<string, unknown>;
+    return {
+      providerUserId: String(data.id),
+      email: null, //: X — email selectively provided, not requesting email scope
+      emailVerified: false, //: X — no email_verified, force false
+      displayName: (data.name as string) || (data.username as string) || null,
+      avatarUrl: (data.profile_image_url as string) || null,
+      raw: json,
+    };
+  }
+}
+// ─── Reddit OAuth 2.0 (M18) ───
+class RedditOAuthProvider implements OAuthProvider {
+  readonly name = 'reddit';
+  constructor(private config: OAuthProviderConfig) {}
+  getAuthorizationUrl(state: string, redirectUri: string): string {
+    const params = new URLSearchParams({
+      client_id: this.config.clientId,
+      redirect_uri: redirectUri,
+      response_type: 'code',
+      duration: 'permanent',
+      scope: 'identity',
+      state,
+    });
+    return `https://www.reddit.com/api/v1/authorize?${params}`;
+  }
+  async exchangeCode(code: string, redirectUri: string): Promise<OAuthTokens> {
+    const credentials = btoa(`${this.config.clientId}:${this.config.clientSecret}`);
+    const resp = await fetch('https://www.reddit.com/api/v1/access_token', {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/x-www-form-urlencoded',
+        Authorization: `Basic ${credentials}`,
+        'User-Agent': 'EdgeBase OAuth/1.0',
+      },
+      body: new URLSearchParams({
+        code,
+        redirect_uri: redirectUri,
+        grant_type: 'authorization_code',
+      }),
+    });
+    if (!resp.ok) throw new Error(`Reddit token exchange failed: ${resp.status}`);
+    const data = await resp.json() as Record<string, unknown>;
+    return {
+      accessToken: data.access_token as string,
+      tokenType: data.token_type as string,
+      refreshToken: data.refresh_token as string | undefined,
+      expiresIn: data.expires_in as number | undefined,
+    };
+  }
+  async getUserInfo(accessToken: string): Promise<OAuthUserInfo> {
+    const resp = await fetch('https://oauth.reddit.com/api/v1/me', {
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+        'User-Agent': 'EdgeBase OAuth/1.0',
+      },
+    });
+    if (!resp.ok) throw new Error(`Reddit user API failed: ${resp.status}`);
+    const data = await resp.json() as Record<string, unknown>;
+    return {
+      providerUserId: String(data.id),
+      email: null, //: Reddit does not expose email through this OAuth scope set
+      emailVerified: false, //: Reddit does not expose email verification through this API
+      displayName: (data.name as string) || null,
+      avatarUrl: (data.snoovatar_img as string) || (data.icon_img as string) || null,
+      raw: data,
+    };
+  }
+}
+// ─── Line OAuth (M18) ───
+class LineOAuthProvider implements OAuthProvider {
+  readonly name = 'line';
+  constructor(private config: OAuthProviderConfig) {}
+  getAuthorizationUrl(state: string, redirectUri: string): string {
+    const params = new URLSearchParams({
+      client_id: this.config.clientId,
+      redirect_uri: redirectUri,
+      response_type: 'code',
+      scope: 'profile openid email',
+      state,
+    });
+    return `https://access.line.me/oauth2/v2.1/authorize?${params}`;
+  }
+  async exchangeCode(code: string, redirectUri: string): Promise<OAuthTokens> {
+    const resp = await fetch('https://api.line.me/oauth2/v2.1/token', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+      body: new URLSearchParams({
+        client_id: this.config.clientId,
+        client_secret: this.config.clientSecret,
+        code,
+        redirect_uri: redirectUri,
+        grant_type: 'authorization_code',
+      }),
+    });
+    if (!resp.ok) throw new Error(`Line token exchange failed: ${resp.status}`);
+    const data = await resp.json() as Record<string, unknown>;
+    return {
+      accessToken: data.access_token as string,
+      tokenType: data.token_type as string,
+      idToken: data.id_token as string | undefined,
+      refreshToken: data.refresh_token as string | undefined,
+      expiresIn: data.expires_in as number | undefined,
+    };
+  }
+  async getUserInfo(accessToken: string): Promise<OAuthUserInfo> {
+    const resp = await fetch('https://api.line.me/v2/profile', {
+      headers: { Authorization: `Bearer ${accessToken}` },
+    });
+    if (!resp.ok) throw new Error(`Line user API failed: ${resp.status}`);
+    const data = await resp.json() as Record<string, unknown>;
+    return {
+      providerUserId: String(data.userId),
+      email: null, // Line profile API doesn't return email; email comes from id_token
+      emailVerified: false, //: Line — no email_verified field, force false
+      displayName: (data.displayName as string) || null,
+      avatarUrl: (data.pictureUrl as string) || null,
+      raw: data,
+    };
+  }
+}
+// ─── Slack OAuth (OpenID Connect) (M18) ───
+class SlackOAuthProvider implements OAuthProvider {
+  readonly name = 'slack';
+  constructor(private config: OAuthProviderConfig) {}
+  getAuthorizationUrl(state: string, redirectUri: string): string {
+    const params = new URLSearchParams({
+      client_id: this.config.clientId,
+      redirect_uri: redirectUri,
+      response_type: 'code',
+      scope: 'openid email profile',
+      state,
+    });
+    return `https://slack.com/openid/connect/authorize?${params}`;
+  }
+  async exchangeCode(code: string, redirectUri: string): Promise<OAuthTokens> {
+    const resp = await fetch('https://slack.com/api/openid.connect.token', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+      body: new URLSearchParams({
+        client_id: this.config.clientId,
+        client_secret: this.config.clientSecret,
+        code,
+        redirect_uri: redirectUri,
+        grant_type: 'authorization_code',
+      }),
+    });
+    if (!resp.ok) throw new Error(`Slack token exchange failed: ${resp.status}`);
+    const data = await resp.json() as Record<string, unknown>;
+    if (!data.ok) throw new Error(`Slack OAuth error: ${data.error}`);
+    return {
+      accessToken: data.access_token as string,
+      tokenType: data.token_type as string || 'bearer',
+      idToken: data.id_token as string | undefined,
+    };
+  }
+  async getUserInfo(accessToken: string): Promise<OAuthUserInfo> {
+    const resp = await fetch('https://slack.com/api/openid.connect.userInfo', {
+      headers: { Authorization: `Bearer ${accessToken}` },
+    });
+    if (!resp.ok) throw new Error(`Slack userinfo failed: ${resp.status}`);
+    const data = await resp.json() as Record<string, unknown>;
+    return {
+      providerUserId: String(data.sub),
+      email: (data.email as string) || null,
+      emailVerified: Boolean(data.email_verified), //: Slack — always true
+      displayName: (data.name as string) || null,
+      avatarUrl: (data.picture as string) || null,
+      raw: data,
+    };
+  }
+}
+// ─── Spotify OAuth (M18) ───
+class SpotifyOAuthProvider implements OAuthProvider {
+  readonly name = 'spotify';
+  constructor(private config: OAuthProviderConfig) {}
+  getAuthorizationUrl(state: string, redirectUri: string): string {
+    const params = new URLSearchParams({
+      client_id: this.config.clientId,
+      redirect_uri: redirectUri,
+      response_type: 'code',
+      scope: 'user-read-email user-read-private',
+      state,
+    });
+    return `https://accounts.spotify.com/authorize?${params}`;
+  }
+  async exchangeCode(code: string, redirectUri: string): Promise<OAuthTokens> {
+    const credentials = btoa(`${this.config.clientId}:${this.config.clientSecret}`);
+    const resp = await fetch('https://accounts.spotify.com/api/token', {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/x-www-form-urlencoded',
+        Authorization: `Basic ${credentials}`,
+      },
+      body: new URLSearchParams({
+        code,
+        redirect_uri: redirectUri,
+        grant_type: 'authorization_code',
+      }),
+    });
+    if (!resp.ok) throw new Error(`Spotify token exchange failed: ${resp.status}`);
+    const data = await resp.json() as Record<string, unknown>;
+    return {
+      accessToken: data.access_token as string,
+      tokenType: data.token_type as string,
+      refreshToken: data.refresh_token as string | undefined,
+      expiresIn: data.expires_in as number | undefined,
+    };
+  }
+  async getUserInfo(accessToken: string): Promise<OAuthUserInfo> {
+    const resp = await fetch('https://api.spotify.com/v1/me', {
+      headers: { Authorization: `Bearer ${accessToken}` },
+    });
+    if (!resp.ok) throw new Error(`Spotify user API failed: ${resp.status}`);
+    const data = await resp.json() as Record<string, unknown>;
+    const images = data.images as Array<{ url: string }> | undefined;
+    return {
+      providerUserId: String(data.id),
+      email: (data.email as string) || null,
+      emailVerified: false, //: Spotify — no email_verified, force false
+      displayName: (data.display_name as string) || null,
+      avatarUrl: images?.[0]?.url || null,
+      raw: data,
+    };
+  }
+}
+// ─── Twitch OAuth (M18) ───
+class TwitchOAuthProvider implements OAuthProvider {
+  readonly name = 'twitch';
+  constructor(private config: OAuthProviderConfig) {}
+  getAuthorizationUrl(state: string, redirectUri: string): string {
+    const params = new URLSearchParams({
+      client_id: this.config.clientId,
+      redirect_uri: redirectUri,
+      response_type: 'code',
+      scope: 'user:read:email',
+      state,
+    });
+    return `https://id.twitch.tv/oauth2/authorize?${params}`;
+  }
+  async exchangeCode(code: string, redirectUri: string): Promise<OAuthTokens> {
+    const resp = await fetch('https://id.twitch.tv/oauth2/token', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+      body: new URLSearchParams({
+        client_id: this.config.clientId,
+        client_secret: this.config.clientSecret,
+        code,
+        redirect_uri: redirectUri,
+        grant_type: 'authorization_code',
+      }),
+    });
+    if (!resp.ok) throw new Error(`Twitch token exchange failed: ${resp.status}`);
+    const data = await resp.json() as Record<string, unknown>;
+    return {
+      accessToken: data.access_token as string,
+      tokenType: data.token_type as string,
+      refreshToken: data.refresh_token as string | undefined,
+      expiresIn: data.expires_in as number | undefined,
+    };
+  }
+  async getUserInfo(accessToken: string): Promise<OAuthUserInfo> {
+    const resp = await fetch('https://api.twitch.tv/helix/users', {
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+        'Client-Id': this.config.clientId,
+      },
+    });
+    if (!resp.ok) throw new Error(`Twitch user API failed: ${resp.status}`);
+    const json = await resp.json() as Record<string, unknown>;
+    const users = json.data as Array<Record<string, unknown>>;
+    const data = users?.[0];
+    if (!data) throw new Error('Twitch user not found');
+    return {
+      providerUserId: String(data.id),
+      email: (data.email as string) || null,
+      emailVerified: Boolean(data.email_verified), //: Twitch provides email_verified
+      displayName: (data.display_name as string) || (data.login as string) || null,
+      avatarUrl: (data.profile_image_url as string) || null,
+      raw: data,
+    };
+  }
+}
+// ─── OIDC Provider (Generic OpenID Connect, Phase 2 ⑦) ───
+/**
+ * Extended config for OIDC providers (adds issuer + optional scopes).
+ */
+export interface OIDCProviderConfig extends OAuthProviderConfig {
+  issuer: string;
+  scopes?: string[];
+}
+/**
+ * OpenID Connect discovery document (subset of fields we use).
+ */
+interface OIDCDiscoveryDocument {
+  authorization_endpoint: string;
+  token_endpoint: string;
+  userinfo_endpoint?: string;
+  jwks_uri?: string;
+  issuer: string;
+}
+/**
+ * In-memory cache for OIDC discovery documents (per Worker lifetime).
+ * Avoids refetching on every request within the same Worker instance.
+ */
+const oidcDiscoveryCache = new Map<string, { doc: OIDCDiscoveryDocument; expiresAt: number }>();
+async function fetchOIDCDiscovery(issuer: string): Promise<OIDCDiscoveryDocument> {
+  const cacheKey = issuer;
+  const cached = oidcDiscoveryCache.get(cacheKey);
+  if (cached && cached.expiresAt > Date.now()) {
+    return cached.doc;
+  }
+  const discoveryUrl = `${issuer.replace(/\/$/, '')}/.well-known/openid-configuration`;
+  const resp = await fetch(discoveryUrl, {
+    headers: { Accept: 'application/json' },
+  });
+  if (!resp.ok) {
+    throw new Error(`OIDC discovery failed for ${issuer}: ${resp.status} ${resp.statusText}`);
+  }
+  const doc = await resp.json() as OIDCDiscoveryDocument;
+  if (!doc.authorization_endpoint || !doc.token_endpoint) {
+    throw new Error(`OIDC discovery document missing required endpoints for ${issuer}`);
+  }
+  // Cache for 1 hour
+  oidcDiscoveryCache.set(cacheKey, { doc, expiresAt: Date.now() + 3600_000 });
+  return doc;
+}
+/**
+ * Parse OIDC ID token (JWT decode without cryptographic verification).
+ * Signature verification is delegated to the token endpoint trust (same pattern as Apple).
+ */
+export function parseOIDCIdToken(idToken: string): OAuthUserInfo {
+  const parts = idToken.split('.');
+  if (parts.length !== 3) throw new Error('Invalid OIDC id_token');
+  const payload = JSON.parse(atob(parts[1].replace(/-/g, '+').replace(/_/g, '/')));
+  return {
+    providerUserId: payload.sub as string,
+    email: (payload.email as string) || null,
+    emailVerified: Boolean(payload.email_verified),
+    displayName: (payload.name as string) || (payload.preferred_username as string) || null,
+    avatarUrl: (payload.picture as string) || null,
+    raw: payload,
+  };
+}
+class OIDCGenericProvider implements OAuthProvider {
+  readonly name: string;
+  private discovery: OIDCDiscoveryDocument | null = null;
+  constructor(
+    providerName: string,
+    private config: OIDCProviderConfig,
+  ) {
+    this.name = providerName;
+  }
+  private async getDiscovery(): Promise<OIDCDiscoveryDocument> {
+    if (!this.discovery) {
+      this.discovery = await fetchOIDCDiscovery(this.config.issuer);
+    }
+    return this.discovery;
+  }
+  getAuthorizationUrl(state: string, redirectUri: string, codeChallenge?: string): string {
+    // For OIDC, we need the discovery document synchronously in getAuthorizationUrl.
+    // We'll use a cached discovery doc if available, otherwise fall back to issuer + /authorize.
+    const cached = oidcDiscoveryCache.get(this.config.issuer);
+    const authEndpoint = cached?.doc?.authorization_endpoint
+      || `${this.config.issuer.replace(/\/$/, '')}/authorize`;
+    const scopes = this.config.scopes || ['openid', 'email', 'profile'];
+    const params = new URLSearchParams({
+      client_id: this.config.clientId,
+      redirect_uri: redirectUri,
+      response_type: 'code',
+      scope: scopes.join(' '),
+      state,
+    });
+    if (codeChallenge) {
+      params.set('code_challenge', codeChallenge);
+      params.set('code_challenge_method', 'S256');
+    }
+    return `${authEndpoint}?${params}`;
+  }
+  async exchangeCode(code: string, redirectUri: string, codeVerifier?: string): Promise<OAuthTokens> {
+    const discovery = await this.getDiscovery();
+    const bodyParams: Record<string, string> = {
+      client_id: this.config.clientId,
+      client_secret: this.config.clientSecret,
+      code,
+      redirect_uri: redirectUri,
+      grant_type: 'authorization_code',
+    };
+    if (codeVerifier) {
+      bodyParams.code_verifier = codeVerifier;
+    }
+    const resp = await fetch(discovery.token_endpoint, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+      body: new URLSearchParams(bodyParams),
+    });
+    if (!resp.ok) {
+      const err = await resp.text().catch(() => '');
+      throw new Error(`OIDC token exchange failed: ${resp.status} ${err}`);
+    }
+    const data = await resp.json() as Record<string, unknown>;
+    return {
+      accessToken: data.access_token as string,
+      tokenType: (data.token_type as string) || 'Bearer',
+      idToken: data.id_token as string | undefined,
+      refreshToken: data.refresh_token as string | undefined,
+      expiresIn: data.expires_in as number | undefined,
+    };
+  }
+  async getUserInfo(accessToken: string): Promise<OAuthUserInfo> {
+    const discovery = await this.getDiscovery();
+    if (!discovery.userinfo_endpoint) {
+      throw new Error(`OIDC provider ${this.name} does not have a userinfo endpoint`);
+    }
+    const resp = await fetch(discovery.userinfo_endpoint, {
+      headers: { Authorization: `Bearer ${accessToken}` },
+    });
+    if (!resp.ok) {
+      throw new Error(`OIDC userinfo failed: ${resp.status}`);
+    }
+    const data = await resp.json() as Record<string, unknown>;
+    return {
+      providerUserId: data.sub as string,
+      email: (data.email as string) || null,
+      emailVerified: Boolean(data.email_verified),
+      displayName: (data.name as string) || (data.preferred_username as string) || null,
+      avatarUrl: (data.picture as string) || null,
+      raw: data,
+    };
+  }
+}
+/**
+ * Pre-fetch OIDC discovery document before calling getAuthorizationUrl().
+ * This is needed because getAuthorizationUrl() is synchronous.
+ */
+export async function prefetchOIDCDiscovery(issuer: string): Promise<void> {
+  await fetchOIDCDiscovery(issuer);
+}
+// ─── Provider Factory ───
+const SUPPORTED_PROVIDERS = [
+  'google', 'github', 'apple', 'discord',
+  // M18: Additional providers
+  'microsoft', 'facebook', 'kakao', 'naver', 'x', 'reddit', 'line', 'slack', 'spotify', 'twitch',
+] as const;
+export type SupportedProvider = (typeof SUPPORTED_PROVIDERS)[number] | `oidc:${string}`;
+/**
+ * Check if a provider name is supported (built-in or OIDC federation).
+ */
+export function isSupportedProvider(name: string): name is SupportedProvider {
+  if ((SUPPORTED_PROVIDERS as readonly string[]).includes(name)) return true;
+  // OIDC federation: oidc:{name}
+  if (name.startsWith('oidc:') && name.length > 5) return true;
+  return false;
+}
+export function createOAuthProvider(name: SupportedProvider, config: OAuthProviderConfig): OAuthProvider {
+  // OIDC federation: oidc:{name}
+  if (name.startsWith('oidc:')) {
+    const oidcConfig = config as OIDCProviderConfig;
+    if (!oidcConfig.issuer) {
+      throw new Error(`OIDC provider ${name} requires an 'issuer' in config.`);
+    }
+    return new OIDCGenericProvider(name, oidcConfig);
+  }
+  switch (name) {
+    case 'google': return new GoogleOAuthProvider(config);
+    case 'github': return new GitHubOAuthProvider(config);
+    case 'apple': return new AppleOAuthProvider(config);
+    case 'discord': return new DiscordOAuthProvider(config);
+    // M18
+    case 'microsoft': return new MicrosoftOAuthProvider(config);
+    case 'facebook': return new FacebookOAuthProvider(config);
+    case 'kakao': return new KakaoOAuthProvider(config);
+    case 'naver': return new NaverOAuthProvider(config);
+    case 'x': return new XOAuthProvider(config);
+    case 'reddit': return new RedditOAuthProvider(config);
+    case 'line': return new LineOAuthProvider(config);
+    case 'slack': return new SlackOAuthProvider(config);
+    case 'spotify': return new SpotifyOAuthProvider(config);
+    case 'twitch': return new TwitchOAuthProvider(config);
+    default: throw new Error(`Unknown OAuth provider: ${name}`);
+  }
+}
+/**
+ * Get OAuth provider config from a serialized config object.
+ * Config format:
+ *   - Built-in: auth.oauth.{provider}.clientId, auth.oauth.{provider}.clientSecret
+ *   - OIDC: auth.oauth.oidc.{name}.clientId, auth.oauth.oidc.{name}.clientSecret, auth.oauth.oidc.{name}.issuer
+ */
+function parseOAuthConfigInput(
+  edgebaseConfig: Record<string, unknown> | string | undefined,
+): Record<string, unknown> | null {
+  if (!edgebaseConfig) return null;
+  if (typeof edgebaseConfig === 'string') {
+    try {
+      const parsed = JSON.parse(edgebaseConfig);
+      return parsed && typeof parsed === 'object' ? parsed as Record<string, unknown> : null;
+    } catch {
+      return null;
+    }
+  }
+  return edgebaseConfig;
+}
+export function getOAuthProviderConfig(
+  edgebaseConfig: Record<string, unknown> | string | undefined,
+  provider: SupportedProvider,
+): OAuthProviderConfig | OIDCProviderConfig | null {
+  const config = parseOAuthConfigInput(edgebaseConfig) as
+    | {
+        auth?: {
+          oauth?: Record<string, unknown> & {
+            oidc?: Record<string, { clientId?: string; clientSecret?: string; issuer?: string; scopes?: string[] }>;
+          };
+        };
+      }
+    | null;
+  if (!config) return null;
+  // OIDC federation: oidc:{name}
+  if (provider.startsWith('oidc:')) {
+    const oidcName = provider.slice(5); // Remove 'oidc:' prefix
+    const oidcConfig = config?.auth?.oauth?.oidc?.[oidcName];
+    if (!oidcConfig?.clientId || !oidcConfig?.clientSecret || !oidcConfig?.issuer) return null;
+    return {
+      clientId: oidcConfig.clientId,
+      clientSecret: oidcConfig.clientSecret,
+      issuer: oidcConfig.issuer,
+      scopes: oidcConfig.scopes,
+    } as OIDCProviderConfig;
+  }
+  const oauthConfig = config?.auth?.oauth?.[provider] as
+    | { clientId?: string; clientSecret?: string }
+    | undefined;
+  if (!oauthConfig?.clientId || !oauthConfig?.clientSecret) return null;
+  return { clientId: oauthConfig.clientId, clientSecret: oauthConfig.clientSecret };
+}
+/**
+ * Get list of allowed OAuth providers from config (includes OIDC federation providers).
+ */
+export function getAllowedOAuthProviders(
+  edgebaseConfig: Record<string, unknown> | string | undefined,
+): SupportedProvider[] {
+  const config = parseOAuthConfigInput(edgebaseConfig) as
+    | { auth?: { allowedOAuthProviders?: string[] } }
+    | null;
+  if (!config) return [];
+  const allowed = config?.auth?.allowedOAuthProviders;
+  if (!Array.isArray(allowed)) return [];
+  return allowed.filter((p: string) => isSupportedProvider(p)) as SupportedProvider[];
+}