npm - @enterprisestandard/core - Versions diffs - 0.0.14-beta.20260327.5 → 0.0.14 - Mend

@enterprisestandard/core 0.0.14-beta.20260327.5 → 0.0.14

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.d.ts +311 -142
package/dist/index.js +1 -1
package/dist/server.d.ts +143 -123
package/dist/server.js +1 -1
package/dist/shared/core-kk9hdwwp.js +12 -0
package/package.json +3 -3
package/dist/shared/core-xq34ajgm.js +0 -12

package/dist/index.d.ts CHANGED Viewed

@@ -1860,7 +1860,7 @@ type MetaData = {
 	version: number;
 	created: Date;
 };
-type SecretsSourceType = "vault" | "lfv" | "azure" | "aws" | "gcp" | "dev";
+type SecretsSourceType = "vault" | "azure" | "aws" | "gcp" | "dev";
 type SecretRequestSeverity = "low" | "medium" | "high" | "critical";
 type SecretLifecycleRequest = {
 	reason?: string;
@@ -1917,7 +1917,7 @@ type SecretsValidators = {
 	* Optional hook to validate merged source configs before they are resolved.
 	* Throw from this callback to reject invalid secrets source configuration.
 	*/
-	validateSourceConfig?(name: string, config: SecretsSourceConfig): void;
+	validateSourceConfig?(sourceName: string, config: SecretsSourceConfig): void;
 };
 type Secrets = {
 	/** Named secrets sources client configurations from RemoteConfig. */
@@ -1925,27 +1925,27 @@ type Secrets = {
 	/** Returns configured secrets source names/keys. */
 	listSecretsSources(): string[];
 	/** Gets a named secrets source client. Throws when missing. */
-	getSecretsSource(name: string): SecretsSource;
+	getSecretsSource(sourceName: string): SecretsSource;
 	/** Reads a secret from a named secrets source client. */
-	getSecret<T>(name: string, path: string, options?: SecretsOperationOptions): Promise<T>;
+	getSecret<T>(sourceName: string, path: string, options?: SecretsOperationOptions): Promise<T>;
 	/** Reads full secret data + metadata from a named secrets source client. */
-	getFullSecret<T>(name: string, path: string, options?: SecretsOperationOptions): Promise<Secret<T>>;
+	getFullSecret<T>(sourceName: string, path: string, options?: SecretsOperationOptions): Promise<Secret<T>>;
 	/** Writes a secret to a named secrets source client. */
-	putSecret(name: string, path: string, value: Record<string, unknown>, options?: SecretsOperationOptions): Promise<void>;
+	putSecret(sourceName: string, path: string, value: Record<string, unknown>, options?: SecretsOperationOptions): Promise<void>;
 	/** Deletes a secret from a named secrets source client. */
-	deleteSecret(name: string, path: string, options?: SecretsOperationOptions): Promise<void>;
+	deleteSecret(sourceName: string, path: string, options?: SecretsOperationOptions): Promise<void>;
 	/** Lists child paths under a base path for a named secrets source client. */
-	listPaths(name: string, path: string, options?: SecretsOperationOptions): Promise<string[]>;
+	listPaths(sourceName: string, path: string, options?: SecretsOperationOptions): Promise<string[]>;
 	/** Returns true when a path exists for a named secrets source client. */
-	exists(name: string, path: string, options?: SecretsOperationOptions): Promise<boolean>;
+	exists(sourceName: string, path: string, options?: SecretsOperationOptions): Promise<boolean>;
 	/** Requests rotation for a secret path in a named secrets source client. */
-	requestRotate(name: string, path: string, request?: SecretLifecycleRequest, options?: SecretsOperationOptions): Promise<void>;
+	requestRotate(sourceName: string, path: string, request?: SecretLifecycleRequest, options?: SecretsOperationOptions): Promise<void>;
 	/** Requests revocation for a secret path in a named secrets source client. */
-	requestRevoke(name: string, path: string, request?: SecretLifecycleRequest, options?: SecretsOperationOptions): Promise<void>;
+	requestRevoke(sourceName: string, path: string, request?: SecretLifecycleRequest, options?: SecretsOperationOptions): Promise<void>;
 	/** Reads metadata for a secret path in a named secrets source client. */
-	getMetadata(name: string, path: string, options?: SecretsOperationOptions): Promise<Record<string, unknown>>;
+	getMetadata(sourceName: string, path: string, options?: SecretsOperationOptions): Promise<Record<string, unknown>>;
 	/** Subscribes to secret changes on a named secrets source client. */
-	subscribe<T>(name: string, path: string, onChange: (fullSecret: Secret<T>) => void): () => void;
+	subscribe<T>(sourceName: string, path: string, onChange: (fullSecret: Secret<T>) => void): () => void;
 	/** Returns true when request matches any configured LFV delivery path. */
 	isLfvDeliveryRequest?(request: Request): boolean;
 	/** Returns true when request matches any configured LFV events path. */
@@ -1969,7 +1969,7 @@ type FrameworkSecretsModuleConfig = Record<string, FrameworkSecretsSourceConfig>
 * TODO: Let's see if we can do some clean inference and remove this!!!
 */
 type SecretsSourceMap = Record<string, SecretsSource>;
-type SecretsSourceConfig = DevSecretsConfig | GcpSecretsConfig | LfvSecretsConfig | VaultSecretsConfig | AwsSecretsConfig | AzureSecretsConfig;
+type SecretsSourceConfig = DevSecretsConfig | GcpSecretsConfig | VaultSecretsConfig | AwsSecretsConfig | AzureSecretsConfig;
 /**
 * Raw module config keyed by source name.
 * The secrets module resolves this into a runtime SecretsSourceMap.
@@ -1982,8 +1982,7 @@ type DevSecretsConfig = {
 type GcpSecretsConfig = {
 	type: "gcp";
 };
-type LfvSecretsConfig = {
-	type: "lfv";
+type VaultLfvSecretsConfig = {
 	/** LFV server base URL for OTP/action endpoints. */
 	lfvServerUrl?: string;
 	/** LFV client id used for OTP issuance. */
@@ -2017,15 +2016,28 @@ type LfvSecretsConfig = {
 * Runtime-ready LFV source config.
 * Input config can be partially declared/merged, but LFV operations require these fields.
 */
-type ResolvedLfvSecretsConfig = Omit<LfvSecretsConfig, "lfvServerUrl" | "clientId" | "path"> & {
+type ResolvedVaultLfvSecretsConfig = Omit<VaultLfvSecretsConfig, "lfvServerUrl" | "clientId" | "path"> & {
 	lfvServerUrl: string;
 	clientId: string;
 	path: string;
 };
+type VaultWebSocketAuthHeader = "X-Vault-Token" | "Authorization";
+type VaultWebSocketSecretsConfig = {
+	/** Websocket URL for vault command execution and live secret subscriptions. */
+	url?: string;
+	/** Token used during websocket connect/auth. */
+	token?: string;
+	/** Header name used to send the websocket token. Defaults to X-Vault-Token. */
+	header?: VaultWebSocketAuthHeader;
+};
 type VaultSecretsConfig = {
 	type: "vault";
 	url?: string;
 	token?: string;
+	/** Optional LFV transport capability for reads/lifecycle operations. */
+	lfv?: VaultLfvSecretsConfig;
+	/** Optional websocket capability for vault commands and live subscriptions. */
+	websocket?: VaultWebSocketSecretsConfig;
 	/**
 	* MINIMUM: 600_000 milliseconds (10 minutes). Polls the path every ttl milliseconds and calls onConfig when config changes.
 	*/
@@ -2131,7 +2143,6 @@ interface UpsertTenantRequest {
 	email?: string;
 	webhookUrl?: string;
 	callbackUrl?: string;
-	tenantUrl: string;
 	configSource: TenantSecretsConfig;
 }
 type UpsertTenantResponse = {
@@ -2193,26 +2204,22 @@ type TenantValidators = {
 */
 type TenantConfigEnv = {
 	ES_CONFIG_TYPE?: ConfigSourceType;
-	ES_APP_ID?: string;
-	ES_CONFIG_PATH?: string;
-	ES_IONITE_URL?: string;
-	ES_LFV_PATH?: string;
-	ES_LFV_SERVER_URL?: string;
-	ES_LFV_CLIENT_ID?: string;
-	ES_LFV_SIGNATURE?: string;
-	ES_LFV_DELIVERY_ENDPOINT?: string;
-	ES_LFV_VERIFY_PUBLIC_KEY?: string;
-	ES_LFV_EVENTS_ENDPOINT?: string;
-	ES_LFV_DELIVERY_TIMEOUT?: string;
-	ES_LFV_RETRY_INTERVAL?: string;
-	ES_LFV_WARN_INTERVAL?: string;
-	ES_FILE_PATH?: string;
-	ES_FILE_WATCH?: string;
-	ES_FILE_TTL?: string;
 	ES_VAULT_URL?: string;
 	ES_VAULT_TOKEN?: string;
 	ES_VAULT_PATH?: string;
 	ES_VAULT_TTL?: string;
+	ES_VAULT_LFV_SERVER_URL?: string;
+	ES_VAULT_LFV_CLIENT_ID?: string;
+	ES_VAULT_LFV_SIGNATURE?: string;
+	ES_VAULT_LFV_DELIVERY_ENDPOINT?: string;
+	ES_VAULT_LFV_VERIFY_PUBLIC_KEY?: string;
+	ES_VAULT_LFV_EVENTS_ENDPOINT?: string;
+	ES_VAULT_LFV_DELIVERY_TIMEOUT?: string;
+	ES_VAULT_LFV_RETRY_INTERVAL?: string;
+	ES_VAULT_LFV_WARN_INTERVAL?: string;
+	ES_VAULT_WEBSOCKET_URL?: string;
+	ES_VAULT_WEBSOCKET_TOKEN?: string;
+	ES_VAULT_WEBSOCKET_HEADER?: "X-Vault-Token" | "Authorization";
 	ES_AZURE_API_VERSION?: string;
 	ES_AZURE_SCOPE?: string;
 	ES_AZURE_SECRET_NAME_PREFIX?: string;
@@ -2230,23 +2237,32 @@ type TenantConfigEnv = {
 	ES_AWS_TTL?: string;
 	ES_GCP_TTL?: string;
 };
-type TenantSecretsConfig = LfvSecretsConfig | (VaultSecretsConfig & {
+type TenantSecretsConfig = (VaultSecretsConfig & {
 	path: string;
 	retryInterval?: number;
-}) | (DevSecretsConfig & {
-	path?: string;
-	appId?: string;
 }) | (AwsSecretsConfig & {
 	ttl?: number;
 }) | AzureSecretsConfig | (GcpSecretsConfig & {
 	ttl?: number;
-}) | {
-	type: "localFile";
-	path?: string;
-	watch?: boolean;
-	ttl?: number;
+});
+type TenantStoredConfigLocator = {
+	/** Indicates that the tenant config descriptor is stored securely outside the tenant record. */
+	type: "stored";
+	/** Root secure source type used to fetch the stored tenant config descriptor. */
+	sourceType: "vault";
+	/** Path to the stored tenant config descriptor. */
+	path: string;
 };
-type TenantConfigSourceInput = TenantSecretsConfig | ConfigSource;
+type TenantRemoteConfigLocator = {
+	/** Indicates that the tenant RemoteConfig already exists at this secure source path. */
+	type: "remoteConfig";
+	/** Secure source type used to load the RemoteConfig document directly. */
+	sourceType: "vault";
+	/** Path to the tenant RemoteConfig document. */
+	path: string;
+};
+type TenantConfigLocator = TenantStoredConfigLocator | TenantRemoteConfigLocator;
+type TenantConfigSourceInput = TenantConfigLocator | ConfigSource;
 type TenantBaseRecord = {
 	tenantId: string;
 	companyId: string;
@@ -2266,11 +2282,18 @@ type TenantBaseRecord = {
 	/** Persisted tenant config metadata, or a runtime ConfigSource for internal-only tenants. */
 	configSource: TenantConfigSourceInput;
 	/** Runtime helper that returns a ConfigSource for this tenant. */
-	config: () => ConfigSource;
+	config: (source?: SecretsSource) => ConfigSource;
 };
 type StoredTenant<TExtended extends object = Record<string, never>> = TenantBaseRecord & TExtended;
 type StoredTenantRecord<TExtended extends object = Record<string, never>> = Omit<StoredTenant<TExtended>, "config">;
 type TenantEsFactory<TExtended extends object = Record<string, never>> = (tenant: StoredTenant<TExtended>) => EnterpriseStandard;
+type TenantConfigStoreRequest<TExtended extends object = Record<string, never>> = {
+	es: EnterpriseStandard;
+	tenantId: string;
+	request: UpsertTenantRequest;
+	configData: TenantSecretsConfig;
+	existingTenant: StoredTenant<TExtended> | null;
+};
 type TenantStoreWithESOptions<TExtended extends object = Record<string, never>> = {
 	/**
 	* TTL for cached per-tenant EnterpriseStandard instances, in milliseconds.
@@ -2294,6 +2317,7 @@ type TenantStoreBase<
 	TMode extends UserMode = "singleTenantOnly",
 	TExtended extends object = Record<string, never>
 > = TenantUserRegistration<TMode> & {
+	storeConfig(config: TenantConfigStoreRequest<TExtended>): Promise<TenantConfigSourceInput>;
 	get(tenantId: string): Promise<StoredTenant<TExtended> | null>;
 	list(options?: TenantListOptions): Promise<ListResult<StoredTenant<TExtended>>>;
 	upsert(tenant: TenantStoreUpsertRecord<TExtended>): Promise<StoredTenant<TExtended>>;
@@ -2352,7 +2376,96 @@ declare class InMemoryTenantStore<
 	private resolveTenantsByUserId;
 }
 declare function sendTenantWebhook(webhookUrl: string, payload: TenantWebhookPayload, log: Logger): Promise<void>;
-type ConfigSourceType = "vault" | "lfv" | "azure" | "aws" | "gcp" | "dev" | "localFile";
+/**
+* Magic link data stored in the store.
+*
+* @template TExtended - Type-safe custom data that consumers can add to magic links
+*/
+type MagicLink<TExtended = object> = {
+	/**
+	* The magic link token (unique identifier)
+	*/
+	token: string;
+	/**
+	* User information associated with this magic link
+	*/
+	user: BaseUser;
+	/**
+	* Timestamp when the magic link was created
+	*/
+	createdAt: Date;
+	/**
+	* Timestamp when the magic link expires
+	*/
+	expiresAt: Date;
+	/**
+	* Allow consumers to add runtime data to magic links
+	*/
+	[key: string]: unknown;
+} & TExtended;
+/**
+* Abstract interface for magic link storage backends.
+*
+* Consumers can implement this interface to use different storage backends:
+* - In-memory (for development/testing)
+* - Redis (for production with fast lookups and automatic expiration)
+* - Database (PostgreSQL, MySQL, etc.)
+*
+* @template TExtended - Type-safe custom data that consumers can add to magic links
+*
+* @example
+* ```typescript
+* // Custom magic link data
+* type MyMagicLinkData = {
+*   source: string;
+*   metadata: Record<string, unknown>;
+* };
+*
+* // Implement custom store
+* class RedisMagicLinkStore implements MagicLinkStore<MyMagicLinkData> {
+*   async create(token: string, user: BaseUser, expiresAt: Date): Promise<void> {
+*     const magicLink: MagicLink<MyMagicLinkData> = {
+*       token,
+*       user,
+*       createdAt: new Date(),
+*       expiresAt,
+*       source: 'api',
+*       metadata: {},
+*     };
+*     const ttl = Math.floor((expiresAt.getTime() - Date.now()) / 1000);
+*     await redis.setex(`magic-link:${token}`, ttl, JSON.stringify(magicLink));
+*   }
+*   // ... other methods
+* }
+* ```
+*/
+interface MagicLinkStore<TExtended = object> {
+	/**
+	* Create a new magic link in the store.
+	*
+	* @param token - The magic link token (unique identifier)
+	* @param user - The user information to associate with this magic link
+	* @param expiresAt - When the magic link expires
+	* @throws Error if magic link with same token already exists
+	*/
+	create(token: string, user: BaseUser, expiresAt: Date): Promise<void>;
+	/**
+	* Retrieve a magic link by its token.
+	*
+	* @param token - The magic link token
+	* @returns The magic link if found and not expired, null otherwise
+	*/
+	get(token: string): Promise<MagicLink<TExtended> | null>;
+	/**
+	* Delete a magic link by its token.
+	*
+	* Used after a magic link has been consumed (one-time use).
+	*
+	* @param token - The magic link token to delete
+	*/
+	delete(token: string): Promise<void>;
+}
+type ConfigSourceType = "vault" | "azure" | "aws" | "gcp";
 type ESValidators = {
 	sso: SSOValidators;
 	iam: IAMValidators;
@@ -2405,13 +2518,26 @@ type RemoteConfig = {
 	secrets?: SecretsModuleConfig;
 	ciam?: CIAMConfig;
 };
+/**
+* Stores supplied by the framework/application when creating an Enterprise Standard instance.
+*/
+type FrameworkStores = {
+	sessionStore?: SessionStore<unknown>;
+	userStore?: UserStore<unknown>;
+	groupStore?: GroupStore<unknown>;
+	magicLinkStore?: MagicLinkStore<unknown>;
+	workloadTokenStore?: WorkloadTokenStore;
+};
+type ModifiableFrameworkConfig = FrameworkConfig & {
+	setStores(stores: FrameworkStores): void;
+};
 /** Return type from the beforeChange hook passed to enterpriseStandard(). */
 type ESConfigChangeResult = {
 	config?: RemoteConfig;
 	frameworkConfig?: FrameworkConfig;
 };
 /** beforeChange callback invoked on every config application (initial load and updates). */
-type ESConfigChangeCallback = (config: RemoteConfig, frameworkConfig: FrameworkConfig, oldConfig: RemoteConfig | undefined) => ESConfigChangeResult | void;
+type ESConfigChangeCallback = (config: RemoteConfig, frameworkConfig: ModifiableFrameworkConfig, oldConfig: RemoteConfig | undefined) => ESConfigChangeResult | void;
 type ConfigSource = {
 	load(): Promise<RemoteConfig>;
 	/**
@@ -2421,6 +2547,11 @@ type ConfigSource = {
 	*/
 	subscribe(onConfig: (config: RemoteConfig) => void): undefined | (() => void);
 	/**
+	* Default secret client for the config source itself.
+	* For vault-backed sources this is the vault used to read RemoteConfig.
+	*/
+	secret: SecretsSource;
+	/**
 	* Optional. If not set by the creator, the framework may set this before calling load/subscribe
 	* so the source can use the same logger.
 	*/
@@ -2473,6 +2604,8 @@ type EnterpriseStandardBase = {
 	tenantId?: string;
 	/** Most recent remote config applied to this instance (from ConfigSource, after beforeChange if any). */
 	config?: RemoteConfig;
+	/** Default config-source-backed secret client, typically the vault used for RemoteConfig. */
+	secret: SecretsSource;
 	secrets?: Secrets;
 	sso?: SSO;
 	iam?: IAM;
@@ -2497,6 +2630,7 @@ type EnterpriseStandardStrict<C extends FrameworkConfig> = {
 	logger?: Logger;
 	tenantId?: string;
 	config?: RemoteConfig;
+	secret: SecretsSource;
 	secrets: ESModuleFromConfig<C, "secrets", Secrets & NamedSecretsFromConfig<C>>;
 	sso: ESModuleFromConfig<C, "sso", SSO>;
 	iam: ESModuleFromConfig<C, "iam", IAM>;
@@ -2542,102 +2676,13 @@ type ESRoutingOptions = {
 */
 type ESConfigChangeOptions = {
 	beforeChange?: ESConfigChangeCallback;
-	afterChange?: (es: EnterpriseStandard, config: RemoteConfig, frameworkConfig: FrameworkConfig, oldConfig: RemoteConfig | undefined) => void;
+	afterChange?: (es: EnterpriseStandard, config: RemoteConfig, frameworkConfig: ModifiableFrameworkConfig, oldConfig: RemoteConfig | undefined) => void;
 	/**
 	* Optional runtime routing customization for `es.handler(request)`.
 	*/
 	routing?: ESRoutingOptions;
 };
 /**
-* Magic link data stored in the store.
-*
-* @template TExtended - Type-safe custom data that consumers can add to magic links
-*/
-type MagicLink<TExtended = object> = {
-	/**
-	* The magic link token (unique identifier)
-	*/
-	token: string;
-	/**
-	* User information associated with this magic link
-	*/
-	user: BaseUser;
-	/**
-	* Timestamp when the magic link was created
-	*/
-	createdAt: Date;
-	/**
-	* Timestamp when the magic link expires
-	*/
-	expiresAt: Date;
-	/**
-	* Allow consumers to add runtime data to magic links
-	*/
-	[key: string]: unknown;
-} & TExtended;
-/**
-* Abstract interface for magic link storage backends.
-*
-* Consumers can implement this interface to use different storage backends:
-* - In-memory (for development/testing)
-* - Redis (for production with fast lookups and automatic expiration)
-* - Database (PostgreSQL, MySQL, etc.)
-*
-* @template TExtended - Type-safe custom data that consumers can add to magic links
-*
-* @example
-* ```typescript
-* // Custom magic link data
-* type MyMagicLinkData = {
-*   source: string;
-*   metadata: Record<string, unknown>;
-* };
-*
-* // Implement custom store
-* class RedisMagicLinkStore implements MagicLinkStore<MyMagicLinkData> {
-*   async create(token: string, user: BaseUser, expiresAt: Date): Promise<void> {
-*     const magicLink: MagicLink<MyMagicLinkData> = {
-*       token,
-*       user,
-*       createdAt: new Date(),
-*       expiresAt,
-*       source: 'api',
-*       metadata: {},
-*     };
-*     const ttl = Math.floor((expiresAt.getTime() - Date.now()) / 1000);
-*     await redis.setex(`magic-link:${token}`, ttl, JSON.stringify(magicLink));
-*   }
-*   // ... other methods
-* }
-* ```
-*/
-interface MagicLinkStore<TExtended = object> {
-	/**
-	* Create a new magic link in the store.
-	*
-	* @param token - The magic link token (unique identifier)
-	* @param user - The user information to associate with this magic link
-	* @param expiresAt - When the magic link expires
-	* @throws Error if magic link with same token already exists
-	*/
-	create(token: string, user: BaseUser, expiresAt: Date): Promise<void>;
-	/**
-	* Retrieve a magic link by its token.
-	*
-	* @param token - The magic link token
-	* @returns The magic link if found and not expired, null otherwise
-	*/
-	get(token: string): Promise<MagicLink<TExtended> | null>;
-	/**
-	* Delete a magic link by its token.
-	*
-	* Used after a magic link has been consumed (one-time use).
-	*
-	* @param token - The magic link token to delete
-	*/
-	delete(token: string): Promise<void>;
-}
-/**
 * Validators for CIAM (magic link) request bodies.
 * Used to validate the POST body for magic link generation (BaseUser).
 * baseUser includes a top-level .validate() for a cleaner API (see withValidate).
@@ -3000,16 +3045,140 @@ interface EnterpriseUser extends BaseUser {
 	};
 }
 import { StandardSchemaV1 as StandardSchemaV19 } from "@standard-schema/spec";
+type RegisterSSOAppPayload = {
+	/** Redirect URIs for the client. */
+	redirectUris: string[];
+	/** Optional back-channel logout URI. */
+	backchannelLogoutUri?: string;
+	/** Optional display name for IdP UIs. */
+	displayName?: string;
+	/** Optional default scope (e.g. openid profile email). */
+	defaultScope?: string;
+	/** Optional customer tenant identifier for the tenant-scoped issuer. */
+	tenantId?: string;
+	/** Optional application identifier so one tenant can register multiple clients. */
+	applicationId?: string;
+};
+type RegisterSSOAppResult = {
+	registered: true;
+	/** OIDC client_id; required on success (issued by IdP). */
+	clientId: string;
+	/** OIDC client secret; required on success (issued by IdP). */
+	clientSecret: string;
+	/** OIDC authority/issuer base URL exposed by the IdP. */
+	authority: string;
+	/** OIDC authorization endpoint URL exposed by the IdP. */
+	authorizationUrl: string;
+	/** OIDC JWKS endpoint URL exposed by the IdP. */
+	jwksUri: string;
+	/** OIDC token endpoint URL exposed by the IdP. */
+	tokenUrl: string;
+	appId?: string;
+	message?: string;
+};
+type RegisterSSOAppError = {
+	status: number;
+	code?: string;
+	message?: string;
+	details?: unknown;
+};
+type SSOAppRegistry = {
+	register: (payload: RegisterSSOAppPayload) => Promise<RegisterSSOAppResult>;
+};
+type SSOAppValidators = {
+	registerSSOAppPayload: StandardSchemaV19<unknown, RegisterSSOAppPayload>;
+};
+type IAMAppRole = "authoritative_source" | "provisioning_target";
+type RegisterIAMAppPayload = {
+	/** App/tenant identifier (same tenantId used by the ESA). */
+	tenantId: string;
+	/** Company identifier (reporting only). */
+	companyId: string;
+	/** Company name. */
+	companyName: string;
+	/** Environment type (POC, DEV, QA, PROD). */
+	environmentType: EnvironmentType;
+	/** Base URL of the tenant (if known). */
+	tenantUrl?: string;
+	/** Display name for ESP UIs. */
+	displayName?: string;
+	/** Product identifier (optional categorization for ESPs/ESIs). */
+	productId?: string;
+	/** Application identifier (optional categorization for ESPs/ESIs). */
+	applicationId?: string;
+	/** Base URL for the ESA's SCIM endpoints (e.g. https://tenant/app/api/es/iam). */
+	scimBaseUrl?: string;
+	/** Workload identity configuration the ESP should use to call the ESA. */
+	workload?: WorkloadConfig;
+	/**
+	* SCIM userType values for which this ESA is an HR/source (e.g. Employee, Contractor, Vendor).
+	* The IAM ESP uses this to choose which ESA to pull from or trust for attributes per user type.
+	*/
+	sourceUserTypes?: string[];
+	/**
+	* Optional IAM-specific roles for this registration.
+	* Use `authoritative_source` when this app is the source of truth for identity attributes and
+	* `provisioning_target` when onboarding should provision into this app.
+	*/
+	iamRoles?: IAMAppRole[];
+};
+type RegisterIAMAppResult = {
+	registered: true;
+	appId?: string;
+	message?: string;
+};
+type RegisterIAMAppError = {
+	status: number;
+	code?: string;
+	message?: string;
+	details?: unknown;
+};
+type IAMAppRegistry = {
+	register: (payload: RegisterIAMAppPayload) => Promise<RegisterIAMAppResult>;
+};
+type IAMAppValidators = {
+	registerIAMAppPayload: StandardSchemaV19<unknown, RegisterIAMAppPayload>;
+};
+type LfvActionName = "read_secret" | "create_secret" | "update_secret" | "delete_secret" | "request_rotate" | "request_revoke" | "rotate_secret" | "revoke_secret" | "list_paths" | "list_secrets" | "read_metadata" | "read_acl" | "write_acl" | "remove_path";
+type LfvOtpRequest = {
+	request_id: string;
+	path: string;
+	action: LfvActionName;
+	ttl?: number;
+};
+type LfvOtpResponse = {
+	request_id: string;
+	otp: string;
+	expires_at: string;
+	action: LfvActionName;
+	path: string;
+};
+type LfvActionRequestBase = {
+	request_id: string;
+	otp: string;
+	path: string;
+};
+type LfvActionAcceptedResponse = {
+	request_id: string;
+	operation_id: string;
+	status: "pending" | "accepted" | "completed";
+};
+type LfvErrorCode = "invalid_request" | "invalid_signature" | "permission_denied" | "not_found" | "otp_already_used" | "otp_expired" | "rate_limited" | "internal_error";
+type LfvErrorResponse = {
+	error: LfvErrorCode;
+	message: string;
+};
+import { StandardSchemaV1 as StandardSchemaV110 } from "@standard-schema/spec";
 /**
 * Result type for Standard Schema validation (success or failure).
 */
-type ValidateResult<T> = StandardSchemaV19.Result<T>;
+type ValidateResult<T> = StandardSchemaV110.Result<T>;
 /**
 * A Standard Schema with a top-level `validate()` method for a cleaner API.
 * Use this so callers can call `schema.validate(value)` instead of `schema['~standard'].validate(value)`.
 */
-type StandardSchemaWithValidate<T> = StandardSchemaV19<unknown, T> & {
-	validate(value: unknown): Promise<StandardSchemaV19.Result<T>>;
+type StandardSchemaWithValidate<T> = StandardSchemaV110<unknown, T> & {
+	validate(value: unknown): Promise<StandardSchemaV110.Result<T>>;
 };
 /**
 * Wraps a Standard Schema so it has a top-level `validate(value)` method.
@@ -3020,7 +3189,7 @@ type StandardSchemaWithValidate<T> = StandardSchemaV19<unknown, T> & {
 * const baseUser = withValidate(createBaseUserValidator());
 * const result = await baseUser.validate(requestBody);
 */
-declare function withValidate<T>(schema: StandardSchemaV19<unknown, T>): StandardSchemaWithValidate<T>;
+declare function withValidate<T>(schema: StandardSchemaV110<unknown, T>): StandardSchemaWithValidate<T>;
 declare function must<T>(value: T | undefined | null, message?: string): T;
 /**
 * Returns a 400 Response with the issues if there are any.
@@ -3053,4 +3222,4 @@ declare function parseJsonc<T>(content: string): T;
 * @returns A promise that resolves when the service is ready.
 */
 declare function waitOn(url: string, test?: (resp: Response) => boolean | Promise<boolean>, pingInterval?: number, warnInterval?: number, timeout?: number): Promise<void>;
-export { workloadTokenResponseSchema, withValidate, waitOn, version, validationFailureResponse, userSchema, tokenResponseSchema, stripJsonComments, silentLogger, setActiveSession, serializeESConfig, sendTenantWebhook, parseJsonc, oidcCallbackSchema, normalizeTenantRoutingStrategy, normalizeTenantPathNamespace, must, mergeConfig, matchTenantPath, listSsoClientIdsFromCookies, list, jwtAssertionClaimsSchema, infoLogger, idTokenClaimsSchema, groupResourceSchema, getActiveSession, findTenantFromStateParam, defaultLogger, decodeUser, debugLogger, consoleLogger, clearActiveSession, claimsToUser, buildTenantPath, X509Certificate, WorkloadValidators, WorkloadTokenStore, WorkloadTokenResponse, WorkloadIncomingOutgoing, WorkloadIdentity, WorkloadConfigMap, WorkloadConfig, WorkloadClient, Workload, VaultSecretsConfig, ValidateResult, UsersInboundHandlerConfig, UserStore, UserSortOptions, UserSortField, UserMode, UserListOptions, User2 as User, UpsertTenantResponse, UpsertTenantRequest, TokenValidationResult, TokenResponse, TenantWebhookPayload, TenantValidators, TenantUserRegistration, TenantStoreWithESOptions, TenantStoreWithES, TenantStoreUpsertRecord, TenantStore, TenantStatus, TenantSortOptions, TenantSortField, TenantSecretsConfig, TenantRoutingStrategy, TenantRequestError, TenantPathRoutingStrategy, TenantPathNamespace, TenantPathMatch, TenantListOptions, TenantJwtRoutingStrategy, TenantEsFactory, TenantDirectoryTenant, TenantDirectoryResponse, TenantDirectoryAccount, TenantConfigSourceInput, TenantConfigEnv, StoredUser, StoredTenantRecord, StoredTenant, StoredGroup, StateCookie, StandardSchemaWithValidate, SortDirection, SessionStore, Session, ServerOnlyWorkloadConfig, SecretsValidators, SecretsSourceType, SecretsSourceMap, SecretsSourceConfig, SecretsSource, SecretsOperationOptions, SecretsModuleConfig, Secrets, SecretRequestSeverity, SecretLifecycleRequest, Secret, User as ScimUser, ScimResult, ScimListResponse, ScimError, SSOValidators, SSOHandlerConfig, SSOConfig, SSO, Role, ResolvedLfvSecretsConfig, RemoteConfig, Photo, PhoneNumber, OidcCallbackParams, Name, MultipleTenantsForUserError, MetaData, MagicLinkStore, MagicLink, LoginConfig, Logger, ListResult, LfvSecretsConfig, JwtBearerWorkloadConfig, JWTAssertionClaims, InMemoryTenantStoreOptions, InMemoryTenantStore, IdTokenClaims, IAMValidators, IAMUsersInbound, IAMHandlerConfig, IAMGroupsOutbound, IAMGroupsInbound, IAMConfig, IAM, GroupsInboundHandlerConfig, GroupStore, GroupSortOptions, GroupSortField, GroupResource, GroupMember, GroupListOptions, Group, GcpSecretsConfig, FrameworkWorkloadIncomingOutgoing, FrameworkWorkloadConfig, FrameworkSecretsSourceConfig, FrameworkSecretsModuleConfig, FrameworkConfig, EnvironmentType, EnterpriseUser, EnterpriseStandardFromConfig, EnterpriseStandardBase, EnterpriseStandard, EnterpriseExtension, Email, ESValidators, ESRoutingOptions, ESRouteModule, ESRouteFilterResult, ESResolvedRoute, ESModuleFromConfig, ESConfigChangeResult, ESConfigChangeOptions, ESConfigChangeCallback, ESConfig, DevSecretsConfig, DEFAULT_TENANT_UI_NAMESPACE, DEFAULT_TENANT_API_NAMESPACE, CreateUserOptions, CreateTenantResponse, CreateTenantRequest, CreateGroupOptions, ConfigSourceType, ConfigSource, ClientCredentialsWorkloadConfig, CachedWorkloadToken, CIAMValidators, CIAMConfigFromCode, CIAMConfig, CIAM, BaseUser, AzureSecretsConfig, AwsSecretsConfig, AwsAuthMethod, ApplicationValidators, Address };
+export { workloadTokenResponseSchema, withValidate, waitOn, version, validationFailureResponse, userSchema, tokenResponseSchema, stripJsonComments, silentLogger, setActiveSession, serializeESConfig, sendTenantWebhook, parseJsonc, oidcCallbackSchema, normalizeTenantRoutingStrategy, normalizeTenantPathNamespace, must, mergeConfig, matchTenantPath, listSsoClientIdsFromCookies, list, jwtAssertionClaimsSchema, infoLogger, idTokenClaimsSchema, groupResourceSchema, getActiveSession, findTenantFromStateParam, defaultLogger, decodeUser, debugLogger, consoleLogger, clearActiveSession, claimsToUser, buildTenantPath, X509Certificate, WorkloadValidators, WorkloadTokenStore, WorkloadTokenResponse, WorkloadIncomingOutgoing, WorkloadIdentity, WorkloadConfigMap, WorkloadConfig, WorkloadClient, Workload, VaultWebSocketSecretsConfig, VaultWebSocketAuthHeader, VaultSecretsConfig, VaultLfvSecretsConfig, ValidateResult, UsersInboundHandlerConfig, UserStore, UserSortOptions, UserSortField, UserMode, UserListOptions, User2 as User, UpsertTenantResponse, UpsertTenantRequest, TokenValidationResult, TokenResponse, TenantWebhookPayload, TenantValidators, TenantUserRegistration, TenantStoredConfigLocator, TenantStoreWithESOptions, TenantStoreWithES, TenantStoreUpsertRecord, TenantStore, TenantStatus, TenantSortOptions, TenantSortField, TenantSecretsConfig, TenantRoutingStrategy, TenantRequestError, TenantRemoteConfigLocator, TenantPathRoutingStrategy, TenantPathNamespace, TenantPathMatch, TenantListOptions, TenantJwtRoutingStrategy, TenantEsFactory, TenantDirectoryTenant, TenantDirectoryResponse, TenantDirectoryAccount, TenantConfigStoreRequest, TenantConfigSourceInput, TenantConfigLocator, TenantConfigEnv, StoredUser, StoredTenantRecord, StoredTenant, StoredGroup, StateCookie, StandardSchemaWithValidate, SortDirection, SessionStore, Session, ServerOnlyWorkloadConfig, SecretsValidators, SecretsSourceType, SecretsSourceMap, SecretsSourceConfig, SecretsSource, SecretsOperationOptions, SecretsModuleConfig, Secrets, SecretRequestSeverity, SecretLifecycleRequest, Secret, User as ScimUser, ScimResult, ScimListResponse, ScimError, SSOValidators, SSOHandlerConfig, SSOConfig, SSOAppValidators, SSOAppRegistry, SSO, Role, ResolvedVaultLfvSecretsConfig, RemoteConfig, RegisterSSOAppResult, RegisterSSOAppPayload, RegisterSSOAppError, RegisterIAMAppResult, RegisterIAMAppPayload, RegisterIAMAppError, Photo, PhoneNumber, OidcCallbackParams, Name, MultipleTenantsForUserError, ModifiableFrameworkConfig, MetaData, MagicLinkStore, MagicLink, LoginConfig, Logger, ListResult, LfvOtpResponse, LfvOtpRequest, LfvErrorResponse, LfvErrorCode, LfvActionRequestBase, LfvActionName, LfvActionAcceptedResponse, JwtBearerWorkloadConfig, JWTAssertionClaims, InMemoryTenantStoreOptions, InMemoryTenantStore, IdTokenClaims, IAMValidators, IAMUsersInbound, IAMHandlerConfig, IAMGroupsOutbound, IAMGroupsInbound, IAMConfig, IAMAppValidators, IAMAppRole, IAMAppRegistry, IAM, GroupsInboundHandlerConfig, GroupStore, GroupSortOptions, GroupSortField, GroupResource, GroupMember, GroupListOptions, Group, GcpSecretsConfig, FrameworkWorkloadIncomingOutgoing, FrameworkWorkloadConfig, FrameworkStores, FrameworkSecretsSourceConfig, FrameworkSecretsModuleConfig, FrameworkConfig, EnvironmentType, EnterpriseUser, EnterpriseStandardFromConfig, EnterpriseStandardBase, EnterpriseStandard, EnterpriseExtension, Email, ESValidators, ESRoutingOptions, ESRouteModule, ESRouteFilterResult, ESResolvedRoute, ESModuleFromConfig, ESConfigChangeResult, ESConfigChangeOptions, ESConfigChangeCallback, ESConfig, DevSecretsConfig, DEFAULT_TENANT_UI_NAMESPACE, DEFAULT_TENANT_API_NAMESPACE, CreateUserOptions, CreateTenantResponse, CreateTenantRequest, CreateGroupOptions, ConfigSourceType, ConfigSource, ClientCredentialsWorkloadConfig, CachedWorkloadToken, CIAMValidators, CIAMConfigFromCode, CIAMConfig, CIAM, BaseUser, AzureSecretsConfig, AwsSecretsConfig, AwsAuthMethod, ApplicationValidators, Address };